Malware Analysis Report

2025-01-22 19:44

Sample ID 240601-r7sassff95
Target 4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30
SHA256 4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30

Threat Level: Known bad

The file 4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30 was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

XMRig Miner payload

xmrig

Cobaltstrike

Xmrig family

Cobalt Strike reflective loader

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 14:50

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 14:50

Reported

2024-06-01 14:53

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 hits; the report records no description, indicator, process or target for any of them (all columns N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
64 hits; the report records no description, indicator, process or target for any of them (all columns N/A)

Loads dropped DLL

Description Indicator Process Target
21 events, all with Process C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe (Description, Indicator and Target N/A)

UPX packed file

upx
Description Indicator Process Target
62 hits; the report records no description, indicator, process or target for any of them (all columns N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JSldDng.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\qWYnGZW.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\mlsjWAG.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\xaXGlMl.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\HcshWBa.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\bgpUPUb.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\UeEequn.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\bChMppM.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\FTkudHG.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\pbZIsXz.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\SmWyMHJ.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\vvGmwTV.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\DCmvokj.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\LMUAPyj.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\bOgZbMS.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\BbUOzRM.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\sPFTSFG.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\tunkfFQ.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\kLyIyVH.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\kfqymBl.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\qpFcDoO.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Each row below stands for three identical events recorded by the sandbox.
PID 2224 wrote to memory of 2432 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\kfqymBl.exe
PID 2224 wrote to memory of 2596 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\SmWyMHJ.exe
PID 2224 wrote to memory of 1304 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\qpFcDoO.exe
PID 2224 wrote to memory of 2640 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\DCmvokj.exe
PID 2224 wrote to memory of 2792 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\HcshWBa.exe
PID 2224 wrote to memory of 2636 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\vvGmwTV.exe
PID 2224 wrote to memory of 2800 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\bOgZbMS.exe
PID 2224 wrote to memory of 2780 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\BbUOzRM.exe
PID 2224 wrote to memory of 2436 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\sPFTSFG.exe
PID 2224 wrote to memory of 2988 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\tunkfFQ.exe
PID 2224 wrote to memory of 2680 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\UeEequn.exe
PID 2224 wrote to memory of 2832 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\bChMppM.exe
PID 2224 wrote to memory of 2876 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\FTkudHG.exe
PID 2224 wrote to memory of 2976 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\bgpUPUb.exe
PID 2224 wrote to memory of 1988 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\JSldDng.exe
PID 2224 wrote to memory of 1680 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\LMUAPyj.exe
PID 2224 wrote to memory of 1684 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\qWYnGZW.exe
PID 2224 wrote to memory of 352 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\pbZIsXz.exe
PID 2224 wrote to memory of 2168 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\mlsjWAG.exe
PID 2224 wrote to memory of 800 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\kLyIyVH.exe
PID 2224 wrote to memory of 2756 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\xaXGlMl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe

"C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe"

C:\Windows\System\kfqymBl.exe

C:\Windows\System\kfqymBl.exe

C:\Windows\System\SmWyMHJ.exe

C:\Windows\System\SmWyMHJ.exe

C:\Windows\System\qpFcDoO.exe

C:\Windows\System\qpFcDoO.exe

C:\Windows\System\DCmvokj.exe

C:\Windows\System\DCmvokj.exe

C:\Windows\System\HcshWBa.exe

C:\Windows\System\HcshWBa.exe

C:\Windows\System\vvGmwTV.exe

C:\Windows\System\vvGmwTV.exe

C:\Windows\System\bOgZbMS.exe

C:\Windows\System\bOgZbMS.exe

C:\Windows\System\BbUOzRM.exe

C:\Windows\System\BbUOzRM.exe

C:\Windows\System\sPFTSFG.exe

C:\Windows\System\sPFTSFG.exe

C:\Windows\System\tunkfFQ.exe

C:\Windows\System\tunkfFQ.exe

C:\Windows\System\UeEequn.exe

C:\Windows\System\UeEequn.exe

C:\Windows\System\bChMppM.exe

C:\Windows\System\bChMppM.exe

C:\Windows\System\FTkudHG.exe

C:\Windows\System\FTkudHG.exe

C:\Windows\System\bgpUPUb.exe

C:\Windows\System\bgpUPUb.exe

C:\Windows\System\JSldDng.exe

C:\Windows\System\JSldDng.exe

C:\Windows\System\LMUAPyj.exe

C:\Windows\System\LMUAPyj.exe

C:\Windows\System\qWYnGZW.exe

C:\Windows\System\qWYnGZW.exe

C:\Windows\System\pbZIsXz.exe

C:\Windows\System\pbZIsXz.exe

C:\Windows\System\mlsjWAG.exe

C:\Windows\System\mlsjWAG.exe

C:\Windows\System\kLyIyVH.exe

C:\Windows\System\kLyIyVH.exe

C:\Windows\System\xaXGlMl.exe

C:\Windows\System\xaXGlMl.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connection records; no domain recorded)

Files

memory/2224-0-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2224-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\kfqymBl.exe

MD5 223ce16b7bde63ae8aec2595448213a8
SHA1 a0b21bb21e0546ab0ce09179abb8e52c2870ad30
SHA256 99daa080975cf6556d5af5db632ffa23dfb51435c443c5693ea868f82ef63496
SHA512 d02fc5ed09afe1313699736425b5974ac571acdc6af66040bb83ff43538555de3b458dd04cca8d0ee1ab20c031f4e205c7699fd3ae8a5b368e47bcbd3a74d88b

memory/2432-9-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2224-7-0x000000013FF40000-0x0000000140294000-memory.dmp

\Windows\system\SmWyMHJ.exe

MD5 318c3550f218dfb48886677b6cf8c194
SHA1 1c252dbff39717bd61876af00296dd275acb45d9
SHA256 a5bd37d5000fa0cc38046fd6c7572f5424143fe0dace44b7be94670301684afa
SHA512 84eba25b012ed3347ab3dcf69032b96605b859a269f1bc78b82b8c17a776e6db3937a27d54d3716e74f47273461e39147ccd6f353a3bed16d3554471ba3f4f6c

memory/2596-14-0x000000013FB10000-0x000000013FE64000-memory.dmp

C:\Windows\system\qpFcDoO.exe

MD5 f8da32f412fe8a7e09813e47f29276b8
SHA1 1f2c92a544819102af9403434456f273a26b9279
SHA256 0330ea4ec14b7aeb86fa597c3554799f5222f9e5f0a10e81701c9e17e3d31986
SHA512 42bcc076039dd668897f17b243f2e51b80fd7cf548acaea31aa4259281f9fbc80ad1734405aca7865435d63670b0d127fb5ecfb96c43e3153c7126a3ba690dd6

\Windows\system\DCmvokj.exe

MD5 dfdada151be22874c0adb982734a2e7e
SHA1 91c5e7631f0de39030e612c184f6872bb335ed06
SHA256 b338a6d02712e5b1b0dded1c6a708cc657c7d1b6831290b8f43882991832f691
SHA512 f3b602aebb6e420b1426accf01b194d148c2bd2a460dc79fa01f301ee377301bf6d6e680f09e6fa563dbb4c7f3ed9b4fc97f82827cc53fa3ae1fcc3220013c8c

memory/2640-28-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\vvGmwTV.exe

MD5 0ee75ebfaf712444c2c5d4bdf9e5df33
SHA1 5360d8bc087d90110cae5ab4259ed7104cf5a9ea
SHA256 12e3f4aacc684e10f50cf84ff01cd31af5f3082cdb2aeeb22f5026ed6a0ad2ce
SHA512 10d2770e80e95efbd9c107e8fe53bfb0d01be9f868732b19ff1a981243ae7543814d19038c0b714b060b225f4b12aeed89ef7f694315a33e60a07ed1d852730b

memory/2224-39-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2800-48-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2780-54-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2224-53-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2436-59-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2988-66-0x000000013F9D0000-0x000000013FD24000-memory.dmp

C:\Windows\system\tunkfFQ.exe

MD5 9bc199e265438bd7271402ea09d58273
SHA1 2c3df13e02a3a531715adad50279050eeef27cde
SHA256 7e29898651038e7c8dff945997430ce1ed35cdf787dc40ab1bd4d2f0f6b2176d
SHA512 25329d0e15c5992036407913806ab9d64721c5632e2cdfdbfef9f0e41ddce7dfefe87aee959d3e15761db91febb7bf13e706c32e54ace3e0eacbf558b854c1a8

memory/2596-72-0x000000013FB10000-0x000000013FE64000-memory.dmp

C:\Windows\system\bChMppM.exe

MD5 b40c9d39fcb0d8ffe5d7b59f65357348
SHA1 c804952a4ed20eb87a37dc29e1809f53c9731d03
SHA256 7ea88a03f9ea5b6c9c97a7062f6fdac3e3def4d69b1175d601c619ebfcd45834
SHA512 261acba73859d375e4a65f43bbddc8c9f467ba938c3bb1dc193b375377d1189ec52891654e671630ed0d8ccb9921a42085da100080747b7d3688ba98fce86ae5

C:\Windows\system\JSldDng.exe

MD5 5a5d176fa3e4445c11397c282fe8af70
SHA1 247d8415f7c25714d7c2876b537840262394a20f
SHA256 7708b87d896019819c5d514add1c5a9b088c96f138ba0ce0f45438ed835cf39e
SHA512 d9d1363db28f9655d1c8684bb9c8d175e10e7af804bffeec9e3d8acd792d5e1e6b1861db4f7d702bee77f393136bb9c61a74c8a058bd428c566d94f345b6da96

C:\Windows\system\qWYnGZW.exe

MD5 0679ade58e7904446988c0b9ad3818f1
SHA1 9254f76e4e01697957ed4b659bf3116d5a198e68
SHA256 56a0c1e643fa73e52b4568f07109437c36524fd5cc6a46aa98c844b36ddf8d01
SHA512 35cc1b6048de168aecd5a3f8340dd1d0af9489555775d65c120a85b7faf784d21eacf8faa27b1a246699b2106b84e6678655445fa90fc7641cd57b6ed6ab08aa

C:\Windows\system\mlsjWAG.exe

MD5 e3c8a2463cc3a52045c0124bc3197714
SHA1 29e6ae4d4654c8b34dc9a5a5a0b4e3939cc78d4a
SHA256 cc596db4faba1c2fc911b63916f9d9c309c0ee84242d093926f99a1ec700f6f4
SHA512 803e31c1be8423d384d3146078c4dee2544c1ecf126d12292215ec21af5ff1590f48bf5cd381bd8337f76ece6717100260269e1f5c1d00bdc4fc3b0294170d79

\Windows\system\xaXGlMl.exe

MD5 2a7cae2e2066512d2ea06a87e837cef9
SHA1 9bc3973874ce4cbf824b1bc6e42f8702768e63cb
SHA256 21e8622740c848bf365b79577f7633f1896a56f399f6f70f32f17d0b700368c4
SHA512 03bed969b2acad47f6de476389425f83ecc05b347761ba5f3b816c269752177edd537245635d440af66b16184c91dcea62b5c89659191eaea8fdf097375e4e77

C:\Windows\system\kLyIyVH.exe

MD5 0eef37ecb8228bf999ab76a035e0b4dd
SHA1 bb1beb15c35b5d09a9483d1a33399863ca0e3e18
SHA256 ecc0b73930016ca97466441793069912fe8a355a0952f92d123c403d6dc7265d
SHA512 5406f27b080d7c0fd76c6146b1af3ca58bb40ad9cb575c32395658cc31ec93068e236204a0cfc52de26898b598a754b61c65ae8a74910a42776ac6c9a29b99b6

C:\Windows\system\pbZIsXz.exe

MD5 90a1edfc2edbc8e5c26a881afbd8dbac
SHA1 f1ad0c686a955845f7d7e84cff00c31ce48b4ca0
SHA256 d933ee43015eb2851e62a12bbd2cf9a60fa4229099d9f32b1bf293d08bf122b6
SHA512 e98d7923db67108888fd93d80f77b74bab0c31c0d6baed923a3fb9648f4818207d07ccfdbb35cad06de81e9e8f18979f15b4f9ac11d56d53e49b6c8e3dbe9785

C:\Windows\system\LMUAPyj.exe

MD5 f145eb38833b6bb6b1f05e7c174f249f
SHA1 459b45e8b1c3e86fed47a604a8b87fc2c94357fe
SHA256 00d0748db99f0b464be48cd14755d2a2ea34ccec75e991ff4317e1927b8c1635
SHA512 cdc50b3791303aa5b0e91350a3f42817cc3b88becb5f8f4a1c5c539393c6b1a0c8f9c3bff9deb8090398341c176c669160e473216a4d361e3a8469a323538e47

memory/2224-105-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2636-104-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2976-99-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2224-98-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2792-97-0x000000013F650000-0x000000013F9A4000-memory.dmp

C:\Windows\system\bgpUPUb.exe

MD5 e64d0bebed2094a92a90a3c0603c548a
SHA1 57a1119a160f175e28418b3254ab201b09aecfbd
SHA256 cd19c4d2babd461b6e3c08eb4688181cd8721038826026645fb8660063718e59
SHA512 3bb2ee8ac44bc1215ea99cdc3fb391e040a5047e43ca15bc362b1aca16b5738c0a5e11a5e9f6edcab102caa9c842e187c91e3e7ad1e4ef6f137c89be9f679b46

memory/2876-91-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2224-90-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2640-89-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\FTkudHG.exe

MD5 1096fed69699ed313ce720c8a8403f08
SHA1 04d44f3a1ed4418fdae66336bf4d4a0c61c6258f
SHA256 0ff078533f41b9f86579a831f5d249a39c38fe769c30ee7d3d085cdba1705857
SHA512 435f8143cad6047b90cbec48754c7661b49c0760d3f72ee5546cbb99fee76b16627610098b641ec5877c346b2b916733653caeb0dab448ee5cc3a8fdef413d6f

memory/2832-84-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2224-83-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/1304-82-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2680-74-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2224-73-0x000000013FD70000-0x00000001400C4000-memory.dmp

C:\Windows\system\UeEequn.exe

MD5 3d2346cf3b8b564f297b8047fc42038b
SHA1 a2164f5bc3136e95a3095366c127e6bd4fd29444
SHA256 c2a7c5a776ba7323ef1b03dd7252dbadc3e1c775f9e39ec9b27c39a9bc81f6fa
SHA512 cce38dd9d7902d7c0d1cf2529ff71d80eb22c009362fe5971a964a1bbbed47d4ed245367da984712f905a7752d3d27af551e1ecab7204aabdce740ff201411c0

C:\Windows\system\sPFTSFG.exe

MD5 8c1dea069db07eddb4df8a054f9ecfe5
SHA1 7e5d76f6ac20f3a215321edb169df001948e16f2
SHA256 484faea475bd1b105d2b147707410c412c19812c9cf07229daddce5b5ad05d51
SHA512 8758b82e976d7b1de5a39765fe4b980311314c1e659cdf7d51b80bf1c2bab5986cff3d2240ad4b75b8045277bae4de237cf0940c84a7f0eefe9c3466ecae8398

C:\Windows\system\bOgZbMS.exe

MD5 198ddbce074c42a6901ac8a9c64322ec
SHA1 907c450ec43e15666c38ec45fc4088e5918546c2
SHA256 a2bba0e7ed8952b36509f0a3b181076d7f92b6e02e8db9f284b7b7b146b378d2
SHA512 366f4cf5fff5e513640d3a3d6c7b1367c04693170bde71c35d6b3eb501f9bf70f9113e0c89b03a1769c6f4917974b34f0fb67c2f230b03f670eaeb318a5717d2

C:\Windows\system\BbUOzRM.exe

MD5 8e5ba95337c3edc2be8b15a9ab4c5bc7
SHA1 1cf312d93157125a49226e3c1d90a1e9ecc7c0ac
SHA256 e5856ec7daaf1fa8b082e0e781a9a650bf46376c6f2efc5355561e6a92d3affb
SHA512 74ae5847b52e286ddd96be086c8d99cb31a21b13e6c78f0ffa2a4010af77e2a9926e0cd2adc1e0c22abb192b4e64ea37ed821193d9a26da81b4852581f8f5e13

memory/2780-137-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2636-40-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2792-35-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2224-34-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\HcshWBa.exe

MD5 6eb1e23c101aa5ecd0a0825351e8ddb4
SHA1 c0644ded1e601a818fcdee8182f1531dd83e724e
SHA256 41de8ad7ef88534bd2861a6c364573b730987214cc7eb0d4f8dd13edaff43609
SHA512 a6dd5d14418e3993d0c684d5ba79563cb9e3919f9d5398839bc58fd24076c35678eea8ea0798f7937f053596eac3f68138c968d40d4ecc7a8df4abc7e5d262ce

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 14:50

Reported

2024-06-01 14:53

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XDpcsjV.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\drdJTBT.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\UsBNWZm.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\mXDQAwF.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\AqNbGCI.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\HfeecuJ.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\BTXUlXB.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\nVQyOqy.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\ZhgHUyR.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\qqsCdhi.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\DbJGxNs.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\fKswMTX.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\xFlZKBq.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\UqGKwbh.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\FdFtpKt.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\EmuzVrx.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\zDgmvRM.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\nQTdxce.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\dCQNJLU.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\uzxizXI.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
File created C:\Windows\System\bUdCVPv.exe C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\nQTdxce.exe
PID 2284 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\nQTdxce.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\nVQyOqy.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\nVQyOqy.exe
PID 2284 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\ZhgHUyR.exe
PID 2284 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\ZhgHUyR.exe
PID 2284 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\dCQNJLU.exe
PID 2284 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\dCQNJLU.exe
PID 2284 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\XDpcsjV.exe
PID 2284 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\XDpcsjV.exe
PID 2284 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\xFlZKBq.exe
PID 2284 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\xFlZKBq.exe
PID 2284 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\drdJTBT.exe
PID 2284 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\drdJTBT.exe
PID 2284 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\UqGKwbh.exe
PID 2284 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\UqGKwbh.exe
PID 2284 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\uzxizXI.exe
PID 2284 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\uzxizXI.exe
PID 2284 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\FdFtpKt.exe
PID 2284 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\FdFtpKt.exe
PID 2284 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\qqsCdhi.exe
PID 2284 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\qqsCdhi.exe
PID 2284 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\bUdCVPv.exe
PID 2284 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\bUdCVPv.exe
PID 2284 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\DbJGxNs.exe
PID 2284 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\DbJGxNs.exe
PID 2284 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\EmuzVrx.exe
PID 2284 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\EmuzVrx.exe
PID 2284 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\AqNbGCI.exe
PID 2284 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\AqNbGCI.exe
PID 2284 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\UsBNWZm.exe
PID 2284 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\UsBNWZm.exe
PID 2284 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\HfeecuJ.exe
PID 2284 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\HfeecuJ.exe
PID 2284 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\mXDQAwF.exe
PID 2284 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\mXDQAwF.exe
PID 2284 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\fKswMTX.exe
PID 2284 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\fKswMTX.exe
PID 2284 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\zDgmvRM.exe
PID 2284 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\zDgmvRM.exe
PID 2284 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\BTXUlXB.exe
PID 2284 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe C:\Windows\System\BTXUlXB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe

"C:\Users\Admin\AppData\Local\Temp\4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30.exe"

C:\Windows\System\nQTdxce.exe

C:\Windows\System\nQTdxce.exe

C:\Windows\System\nVQyOqy.exe

C:\Windows\System\nVQyOqy.exe

C:\Windows\System\ZhgHUyR.exe

C:\Windows\System\ZhgHUyR.exe

C:\Windows\System\dCQNJLU.exe

C:\Windows\System\dCQNJLU.exe

C:\Windows\System\XDpcsjV.exe

C:\Windows\System\XDpcsjV.exe

C:\Windows\System\xFlZKBq.exe

C:\Windows\System\xFlZKBq.exe

C:\Windows\System\drdJTBT.exe

C:\Windows\System\drdJTBT.exe

C:\Windows\System\UqGKwbh.exe

C:\Windows\System\UqGKwbh.exe

C:\Windows\System\uzxizXI.exe

C:\Windows\System\uzxizXI.exe

C:\Windows\System\FdFtpKt.exe

C:\Windows\System\FdFtpKt.exe

C:\Windows\System\qqsCdhi.exe

C:\Windows\System\qqsCdhi.exe

C:\Windows\System\bUdCVPv.exe

C:\Windows\System\bUdCVPv.exe

C:\Windows\System\DbJGxNs.exe

C:\Windows\System\DbJGxNs.exe

C:\Windows\System\EmuzVrx.exe

C:\Windows\System\EmuzVrx.exe

C:\Windows\System\AqNbGCI.exe

C:\Windows\System\AqNbGCI.exe

C:\Windows\System\UsBNWZm.exe

C:\Windows\System\UsBNWZm.exe

C:\Windows\System\HfeecuJ.exe

C:\Windows\System\HfeecuJ.exe

C:\Windows\System\mXDQAwF.exe

C:\Windows\System\mXDQAwF.exe

C:\Windows\System\fKswMTX.exe

C:\Windows\System\fKswMTX.exe

C:\Windows\System\zDgmvRM.exe

C:\Windows\System\zDgmvRM.exe

C:\Windows\System\BTXUlXB.exe

C:\Windows\System\BTXUlXB.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 52.111.229.43:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2284-0-0x00007FF652540000-0x00007FF652894000-memory.dmp

memory/2284-1-0x000001D7E7160000-0x000001D7E7170000-memory.dmp

C:\Windows\System\nQTdxce.exe

MD5 20a6dc233286052dd4c82727fe9a7163
SHA1 cdbcf45ac564d98211685a87ff0ced2e6f2aa892
SHA256 04c75255988fff5439b6a118ff189b365de26ebb7ec6f41478608eb993b7b43d
SHA512 e93a63567020a4e55e05011705cf99e2cca6b99e2897bd27e2205c3db7978c69861dfa3ba84c19c5fb7af5c6151afcf31a94a35a27260ab7f7ef05fa11cb70b4

memory/1420-8-0x00007FF677560000-0x00007FF6778B4000-memory.dmp

C:\Windows\System\ZhgHUyR.exe

MD5 46d2dcec0d4c0a885c397fa12db950c4
SHA1 80efd66ec640c479558a3d5506c5b5f18626bece
SHA256 f4225dbd86f221857635f4a633478604a217e87ecac85106a4d7801a6f2450fd
SHA512 734f25b08100bed2e0de9324506eacbf73b9ece7b249e59451118bb23df60d5aed39d627244f9138d882c8b009f25abfe6fe90919365aa71394bb83a12a29386

C:\Windows\System\nVQyOqy.exe

MD5 eb8ac4f5db59b1981781ddbfe92935d9
SHA1 c248bf9d60e5c3e5d3f4d58de1182de049bd0b2e
SHA256 5fe7b7a7a7c6afeba4535c964b5d6f15b563512e6a4eed687e01e7679e0d3c20
SHA512 40fdc3bf082f39ff1f93c0398d6479eb130408ebf8b8f2d41b65dbd4f2e918db97b723e248543699d792388538ff89cb9782671504593cc52442b31aaf0b29bd

C:\Windows\System\dCQNJLU.exe

MD5 dda122ef8a8d008c2828cd1cdab01a81
SHA1 f08fd3f87de3d48ad87b3603e0f7f2818c1dd3aa
SHA256 a959f753ad51e778a5db9de18d463af372a1b76b08e6e577298e2e33c45b8708
SHA512 f8321994604179798d081c1ff3271f83b71f5a840d17c97b1bbae7c5e693c14741898bd0dbd43a4ccf5ed28977da073777ec5683fd688da485e8718b28d458b2

C:\Windows\System\XDpcsjV.exe

MD5 f73b324983c6a64ee5ecff0458f52951
SHA1 69d55af48e349bd5a2c8b6fb0e9208a5eb085366
SHA256 34fcac8351d1035cbb01ef789f9bbf2cb1fe15d9eb44c656ff240f7d34eddcac
SHA512 ebd953243e247ac03ec6c324ac0730ac9a7c1e4f0b46692bd4ce1eeed02b3cd48fb8f4618a91c9f951d0235648c19a48f6ae29312de653efdeb66e3c04bd13bb

C:\Windows\System\xFlZKBq.exe

MD5 1e7a45e776772c698f2e03bd8ca2d8f5
SHA1 658b700235254601e1960bf7160d5147e9cf3cbb
SHA256 a4ac507ed61e990e9f1ed13c8aebcf6d958b208badac872948a7c6b677b4bccc
SHA512 9fea1930dcedac2a640af408d971e99d0ead085b0090828d3782868b989b350762fa4f0541268ae44d93ff13d19d1be5c01d65afcf4c82c911ec370cb9d93246

C:\Windows\System\drdJTBT.exe

MD5 70fa823be5c6588ce335db68e9e5b195
SHA1 8d562dc06766415041f876d56ffca262af39a316
SHA256 ecd6ae649d3ee7f930c8236b0bfaee3b279ec876f235ee67bdbe77417f763617
SHA512 1eb9db4762589d9ec90e643d729415eda99cfcdeda83abb0f28977b07156a9653ec09dcc651d2966537df7e23bbd03cf56df289721e3875a49dce5130e291942

C:\Windows\System\UqGKwbh.exe

MD5 9e74ab037b9fffb38105fb334473e22d
SHA1 980d99f0fcaa25a5da78d0947f4e23191e86cefc
SHA256 5687f4635c150d6927efcebb30e619e2e064b3093ec12d81c84fadd94a8732ad
SHA512 d35923e8349ebdc6531b75a208eed82812913899569b241f548f3bc94eb25bf0a8edd58f23294f344e96b92b718f96c861d8c840bbaad3ead509504fe862d630

C:\Windows\System\uzxizXI.exe

MD5 be127c00d5df20897dad4fd0f0175c5e
SHA1 a5805ac053e32c0af4cbc2d0dd15dbd988c107c8
SHA256 834825f0d1465dd7868e2962c5e11b216948469dd541f017e207d2cbfa90607e
SHA512 8085ca6399f963abdca304e8ccabd76f03d3f43434d7db3607e9fed23abec39c0b60acda9e28566fced1d36da34a07fa91f8ae2e0d5c64fa87bcab96ffb02288

C:\Windows\System\FdFtpKt.exe

MD5 4a4a3b1bcf1b887f89eb8a550bb705d7
SHA1 19299a8dddf4273572a2b4f3dec5559474b4126a
SHA256 ef2f72ef93c3e3d362de81ee55805af9e609c32dac02be5679129786786ed9dd
SHA512 e6bdc1e4eaeedb28ba3ed4c0c92e7bb59e23b9f029d84eedaf407c276842f1b7b06374efd5b0327c27b31580cb1c4aa8c834d7bf6d979d0eb1de35532622d83b

C:\Windows\System\qqsCdhi.exe

MD5 2706163fe2f6a47a671d22390538fbfb
SHA1 3525e140918ab5a797f00665fea2165d0dc3d566
SHA256 dd0b94797a5e727c538b7241e8b9d46a8444e8b5709d3fc5203fa7a7a8cb5705
SHA512 e0b34ccc025b3d1934a64027d92df48d5d2b21d608b8bf3630f5c3011e61a8fc767e25c5c338e8e68c2eada9daac1e6aa3d8fa66b103484acee574cdffbd0b8b

C:\Windows\System\DbJGxNs.exe

MD5 71e00281da82c6904bf05eeb95dcf12c
SHA1 e1527f00ef85cdead377bbfcb1bbc817f122f46f
SHA256 a6e741d3f8a724d0617092fd3e9be2b57c4958057807f94b5b1c3d915ffdb6ca
SHA512 b358defdd9ac771a701ca3206fcdec28ce07e8a9f0044b25adc5a9a6a34776a2855ab8402c7a1664d851d86d6002c652b8156f3b04c5de4373fd36c64c186f97

C:\Windows\System\EmuzVrx.exe

MD5 fa451dd232667084f03064ee7852ca21
SHA1 b95554aac315f8f183819942789097c60a8f2801
SHA256 4a3782f4a9f395e1e5d6a51a8317d7a66f53fc08ab2de475995e824e03e1c37b
SHA512 b7f200ecc218e7a87621bce2d67b0efd39a203d393546adb7d09b35f388f3191e2511fed2edbead2d098444a68cf2f0ef3bde9572e8499db9a033f89268ae92e

C:\Windows\System\AqNbGCI.exe

MD5 788107b9772b38a5aa7174a667aafe19
SHA1 8cb38c74d0f1a4bc151a718e14b11a8dc37d9b11
SHA256 36de35cf9becfdc27cf0d0e4ed49d85577f358b228c56ccf7d33d472df1f1791
SHA512 06ab8e4fc854c3e37c2286b43e8d75e4407f81c07cd409b258e4a2df3f27174b65aed5d50beac102521243321ae8e6f48427ec238b42b34e17825b32d2746842

C:\Windows\System\UsBNWZm.exe

MD5 2ffdc740a2ba6b0fc24c73edddd5a5da
SHA1 1a8d91342c5d3450cab4dfda62fee7984ce05b03
SHA256 ebecd8ad1c626a7d99f8b8bbde7500b9b365daeafcbf518238e399399f0fe0f2
SHA512 a97f94ca5bc38483e9584f30950260741b4f2aa07e473e4c36790ea069f5411cbd8b685d74d3097c2465ac9806333637480ded0aa5cbb4544245b79d1d5aaaba

memory/4756-87-0x00007FF712D00000-0x00007FF713054000-memory.dmp

memory/184-84-0x00007FF72A1A0000-0x00007FF72A4F4000-memory.dmp

memory/3948-82-0x00007FF7410C0000-0x00007FF741414000-memory.dmp

C:\Windows\System\bUdCVPv.exe

MD5 8207f42d869165fc2ebc70105310c6e4
SHA1 05ccf3cd0cbf5e9058d5e0cf7e491d6d08e61420
SHA256 03761ecf1219063f3b678b95cb4250bcad845fecddc9ceb12dd34eeb63af908b
SHA512 2e2c5356b061fb9f57c5bee392e75b846190544853f2133aaad09983b31cb68da2b848297e5f7634a0b5e837ffb3bd128ba4dd00ff1041f962074a6de437adc1

memory/1888-29-0x00007FF66CCF0000-0x00007FF66D044000-memory.dmp

memory/2984-23-0x00007FF6365F0000-0x00007FF636944000-memory.dmp

memory/1592-17-0x00007FF70E090000-0x00007FF70E3E4000-memory.dmp

C:\Windows\System\mXDQAwF.exe

MD5 fc279a8cd869223cf15b895ef126fe35
SHA1 2bc29617fb09cc27756f1060a0f6aadc33c6475d
SHA256 f80d925c0c7a9cdc0d44199b61a85d183044a53fb751df2f499eb9f7893754a9
SHA512 fb0c13a00e0ed50156bc6ef703e635d4e2bb6988a3d9f2b22e387a491086c0f9f70867d1f4e3b2558fa6191ddb4a349db053cf04af20f2d36e1b8b12e1ae3af7

C:\Windows\System\fKswMTX.exe

MD5 b21416167fbfff9d45fba7652e6a8b36
SHA1 55bbf2a465b426fde9bb230d38d58fa1463b9bef
SHA256 a20692fd7eff198dbceb94c57b575bd5b08031c9a42f986180ce92c979906c29
SHA512 964566a9358f2129c8bec104e39da3280d4a8d6a1d3c4fce2206afee0fe9e14c7b3ae421ffa24dbf3d83b33c468a3ab50589f1ab6c5ebb4cb2228f1016799982

memory/2484-110-0x00007FF794250000-0x00007FF7945A4000-memory.dmp

C:\Windows\System\BTXUlXB.exe

MD5 51ba5944dcb2f71688e30028d75f6f0b
SHA1 8cd109a93d2c0b9c96457a58e493c7c92f04ad1a
SHA256 5b1aafc2450829775f91a6f76834fd7dbcffd285c6cecb1d6f1aa1761aab357f
SHA512 9ca45cf0de6928d392f98a0c208195946118f52d9a65baa1b5f88c712a29b0322b14bc8f2be512bda5ac3a0b34b9169a7307c865d3ba3492a2c024d2cfce1e9a

C:\Windows\System\zDgmvRM.exe

MD5 67bd95245eacbd108c9fafdfe965ac3f
SHA1 8199bda3ec7245f8c328c76f52be0b57d40a30a9
SHA256 1eb6e1e9cdb230ab66e999e876b209842bab78d5459b8b4dd52ce5f581d255d5
SHA512 d078d406982cf89bfd74e8d52f004740c282b7901fd0c5a3f47a3c993aaf517ed05d30518ada08872d5b9e4a949894679cc2fcb9f4f910a0ab9c1c7ee77e4caa

memory/4008-117-0x00007FF6590C0000-0x00007FF659414000-memory.dmp

memory/2284-127-0x00007FF652540000-0x00007FF652894000-memory.dmp

memory/4896-128-0x00007FF6D8C30000-0x00007FF6D8F84000-memory.dmp

memory/3840-124-0x00007FF6E3A30000-0x00007FF6E3D84000-memory.dmp

C:\Windows\System\HfeecuJ.exe

MD5 89477aaacbda057dde6eb12d38e4d1ac
SHA1 6bafeea67eb87da499c20b60a74ccaf192463702
SHA256 cd3ee96a90bb94ed1dd45e7aa7eebe7059169c306aed8050971d109346f7f91d
SHA512 ed25d667d7e2fe72720bba25253355c748c97c461c1326ec932e3a947579837b19c4cb238dfb558c6f792ed6aa225c31eb9071463a8ee7de56dbd32f3bc78d91
