Malware Analysis Report

2025-01-22 19:48

Sample ID 240601-nnvd9scb28
Target ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20
SHA256 ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20

Threat Level: Known bad

The file ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20 was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Cobaltstrike

Xmrig family

Cobaltstrike family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 11:33

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 11:33

Reported

2024-06-01 11:35

Platform

win7-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A (21 identical entries)

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\hbIphxY.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\hbEIaap.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\DUTJTzR.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\OFOUWtg.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\FernKRV.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\xvXFzjL.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\HtVZlXe.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\QtFqLYm.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\hAKCWtv.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\cCUcSdo.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\YQBjmgp.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\FnINxgE.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\YSeYTsA.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\yhlmKdw.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\Vuhtkcm.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\tVBwLRF.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\KLYivic.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\kcAnWhn.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\GriFaZh.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\qqITEfC.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\WoYjZNh.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A (2 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Each of the following entries is reported 3 times; the writing process is C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe in every row.)
PID 2216 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\FnINxgE.exe
PID 2216 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\xvXFzjL.exe
PID 2216 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\YSeYTsA.exe
PID 2216 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\yhlmKdw.exe
PID 2216 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\KLYivic.exe
PID 2216 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\HtVZlXe.exe
PID 2216 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\QtFqLYm.exe
PID 2216 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\kcAnWhn.exe
PID 2216 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\hbIphxY.exe
PID 2216 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\hbEIaap.exe
PID 2216 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\GriFaZh.exe
PID 2216 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\DUTJTzR.exe
PID 2216 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\OFOUWtg.exe
PID 2216 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\Vuhtkcm.exe
PID 2216 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\qqITEfC.exe
PID 2216 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\hAKCWtv.exe
PID 2216 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\cCUcSdo.exe
PID 2216 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\tVBwLRF.exe
PID 2216 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\YQBjmgp.exe
PID 2216 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\WoYjZNh.exe
PID 2216 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\FernKRV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe

"C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe"

Dropped executables (the command line of each is its own path with no arguments):

C:\Windows\System\FnINxgE.exe
C:\Windows\System\xvXFzjL.exe
C:\Windows\System\YSeYTsA.exe
C:\Windows\System\yhlmKdw.exe
C:\Windows\System\KLYivic.exe
C:\Windows\System\HtVZlXe.exe
C:\Windows\System\QtFqLYm.exe
C:\Windows\System\kcAnWhn.exe
C:\Windows\System\hbIphxY.exe
C:\Windows\System\hbEIaap.exe
C:\Windows\System\GriFaZh.exe
C:\Windows\System\DUTJTzR.exe
C:\Windows\System\OFOUWtg.exe
C:\Windows\System\Vuhtkcm.exe
C:\Windows\System\qqITEfC.exe
C:\Windows\System\hAKCWtv.exe
C:\Windows\System\cCUcSdo.exe
C:\Windows\System\tVBwLRF.exe
C:\Windows\System\YQBjmgp.exe
C:\Windows\System\WoYjZNh.exe
C:\Windows\System\FernKRV.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical entries)

Files

Dropped files (MD5, SHA1, SHA256 and SHA512 hashes are reported for each; memory dumps were also captured for PID 2216 and for a subset of the child processes):

\Windows\system\FnINxgE.exe
\Windows\system\xvXFzjL.exe
C:\Windows\system\yhlmKdw.exe
C:\Windows\system\HtVZlXe.exe
C:\Windows\system\KLYivic.exe
C:\Windows\system\YSeYTsA.exe
C:\Windows\system\QtFqLYm.exe
\Windows\system\hbIphxY.exe
C:\Windows\system\kcAnWhn.exe
C:\Windows\system\hbEIaap.exe
C:\Windows\system\DUTJTzR.exe
C:\Windows\system\Vuhtkcm.exe
C:\Windows\system\qqITEfC.exe
C:\Windows\system\hAKCWtv.exe
C:\Windows\system\WoYjZNh.exe
\Windows\system\FernKRV.exe
C:\Windows\system\YQBjmgp.exe
C:\Windows\system\tVBwLRF.exe
C:\Windows\system\cCUcSdo.exe
C:\Windows\system\OFOUWtg.exe
C:\Windows\system\GriFaZh.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 11:33

Reported

2024-06-01 11:35

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\oudOCAN.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\MTfBNmC.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\Elnhkiu.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\VzefQtl.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\uYBJbRg.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\cRGZRfL.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\mVKNEup.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\iBpitNG.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\kHrKwvw.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\vNKhfPq.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\SFADwmX.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\HDnKsLs.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\vOLEbOZ.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\MzEgahp.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\GpAQsob.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\yOuvAHW.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\TVCrLEM.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\KLnuRbz.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\sRorSFq.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\zVKYlqZ.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
File created C:\Windows\System\doATtpU.exe C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\MzEgahp.exe
PID 1032 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\MzEgahp.exe
PID 1032 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\mVKNEup.exe
PID 1032 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\mVKNEup.exe
PID 1032 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\iBpitNG.exe
PID 1032 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\iBpitNG.exe
PID 1032 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\GpAQsob.exe
PID 1032 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\GpAQsob.exe
PID 1032 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\zVKYlqZ.exe
PID 1032 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\zVKYlqZ.exe
PID 1032 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\MTfBNmC.exe
PID 1032 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\MTfBNmC.exe
PID 1032 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\kHrKwvw.exe
PID 1032 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\kHrKwvw.exe
PID 1032 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\VzefQtl.exe
PID 1032 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\VzefQtl.exe
PID 1032 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\doATtpU.exe
PID 1032 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\doATtpU.exe
PID 1032 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\Elnhkiu.exe
PID 1032 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\Elnhkiu.exe
PID 1032 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\yOuvAHW.exe
PID 1032 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\yOuvAHW.exe
PID 1032 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\vNKhfPq.exe
PID 1032 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\vNKhfPq.exe
PID 1032 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\TVCrLEM.exe
PID 1032 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\TVCrLEM.exe
PID 1032 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\SFADwmX.exe
PID 1032 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\SFADwmX.exe
PID 1032 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\oudOCAN.exe
PID 1032 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\oudOCAN.exe
PID 1032 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\HDnKsLs.exe
PID 1032 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\HDnKsLs.exe
PID 1032 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\KLnuRbz.exe
PID 1032 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\KLnuRbz.exe
PID 1032 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\vOLEbOZ.exe
PID 1032 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\vOLEbOZ.exe
PID 1032 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\uYBJbRg.exe
PID 1032 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\uYBJbRg.exe
PID 1032 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\sRorSFq.exe
PID 1032 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\sRorSFq.exe
PID 1032 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\cRGZRfL.exe
PID 1032 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe C:\Windows\System\cRGZRfL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe

"C:\Users\Admin\AppData\Local\Temp\ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20.exe"

C:\Windows\System\MzEgahp.exe

C:\Windows\System\MzEgahp.exe

C:\Windows\System\mVKNEup.exe

C:\Windows\System\mVKNEup.exe

C:\Windows\System\iBpitNG.exe

C:\Windows\System\iBpitNG.exe

C:\Windows\System\GpAQsob.exe

C:\Windows\System\GpAQsob.exe

C:\Windows\System\zVKYlqZ.exe

C:\Windows\System\zVKYlqZ.exe

C:\Windows\System\MTfBNmC.exe

C:\Windows\System\MTfBNmC.exe

C:\Windows\System\kHrKwvw.exe

C:\Windows\System\kHrKwvw.exe

C:\Windows\System\VzefQtl.exe

C:\Windows\System\VzefQtl.exe

C:\Windows\System\doATtpU.exe

C:\Windows\System\doATtpU.exe

C:\Windows\System\Elnhkiu.exe

C:\Windows\System\Elnhkiu.exe

C:\Windows\System\yOuvAHW.exe

C:\Windows\System\yOuvAHW.exe

C:\Windows\System\vNKhfPq.exe

C:\Windows\System\vNKhfPq.exe

C:\Windows\System\TVCrLEM.exe

C:\Windows\System\TVCrLEM.exe

C:\Windows\System\SFADwmX.exe

C:\Windows\System\SFADwmX.exe

C:\Windows\System\oudOCAN.exe

C:\Windows\System\oudOCAN.exe

C:\Windows\System\HDnKsLs.exe

C:\Windows\System\HDnKsLs.exe

C:\Windows\System\KLnuRbz.exe

C:\Windows\System\KLnuRbz.exe

C:\Windows\System\vOLEbOZ.exe

C:\Windows\System\vOLEbOZ.exe

C:\Windows\System\uYBJbRg.exe

C:\Windows\System\uYBJbRg.exe

C:\Windows\System\sRorSFq.exe

C:\Windows\System\sRorSFq.exe

C:\Windows\System\cRGZRfL.exe

C:\Windows\System\cRGZRfL.exe

Network

Files
