xmrig | ff0db28d7fbe4004e4272243079e191dd273f90029fda634c7e152f0474cadfb

Analysis

max time kernel
35s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240729-en
resource tags

arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 23:52

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

02dde36451f709e02658e947d7786db1_JaffaCakes118.exe
Size

2.8MB
MD5

02dde36451f709e02658e947d7786db1
SHA1

cdfda1360689fe1543dce00f6266dd219f9c96e6
SHA256

ff0db28d7fbe4004e4272243079e191dd273f90029fda634c7e152f0474cadfb
SHA512

00985502dc4a5ebfc230c3bcbd9d871d217a31bbd34f7822ce6f7c23e4410a6d08f20f86b5536fc1a771c4b46e192b912eb60b9e73e06b38f5586e4b54bfe242
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1Vr5s1PTleLWrJ5I/P02:NABw

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 20 IoCs

miner

resource	yara_rule
behavioral2/memory/952-210-0x00007FF79BF60000-0x00007FF79C352000-memory.dmp	xmrig
behavioral2/memory/3436-252-0x00007FF603660000-0x00007FF603A52000-memory.dmp	xmrig
behavioral2/memory/3320-265-0x00007FF7E7C10000-0x00007FF7E8002000-memory.dmp	xmrig
behavioral2/memory/3756-276-0x00007FF7F3430000-0x00007FF7F3822000-memory.dmp	xmrig
behavioral2/memory/1112-292-0x00007FF69B9A0000-0x00007FF69BD92000-memory.dmp	xmrig
behavioral2/memory/1608-297-0x00007FF73BC80000-0x00007FF73C072000-memory.dmp	xmrig
behavioral2/memory/752-302-0x00007FF7AC0A0000-0x00007FF7AC492000-memory.dmp	xmrig
behavioral2/memory/1676-306-0x00007FF6CDEC0000-0x00007FF6CE2B2000-memory.dmp	xmrig
behavioral2/memory/432-305-0x00007FF6EEEA0000-0x00007FF6EF292000-memory.dmp	xmrig
behavioral2/memory/1204-304-0x00007FF76F4A0000-0x00007FF76F892000-memory.dmp	xmrig
behavioral2/memory/672-303-0x00007FF7394A0000-0x00007FF739892000-memory.dmp	xmrig
behavioral2/memory/3860-301-0x00007FF6595D0000-0x00007FF6599C2000-memory.dmp	xmrig
behavioral2/memory/3688-300-0x00007FF75CFB0000-0x00007FF75D3A2000-memory.dmp	xmrig
behavioral2/memory/3972-299-0x00007FF6DC2B0000-0x00007FF6DC6A2000-memory.dmp	xmrig
behavioral2/memory/3956-298-0x00007FF656600000-0x00007FF6569F2000-memory.dmp	xmrig
behavioral2/memory/1040-296-0x00007FF672070000-0x00007FF672462000-memory.dmp	xmrig
behavioral2/memory/3400-295-0x00007FF7F3940000-0x00007FF7F3D32000-memory.dmp	xmrig
behavioral2/memory/2756-294-0x00007FF68CCD0000-0x00007FF68D0C2000-memory.dmp	xmrig
behavioral2/memory/3204-291-0x00007FF7039D0000-0x00007FF703DC2000-memory.dmp	xmrig
behavioral2/memory/1164-246-0x00007FF6BCB20000-0x00007FF6BCF12000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3344	powershell.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2332-0-0x00007FF640F40000-0x00007FF641332000-memory.dmp	upx
behavioral2/files/0x00090000000235bf-6.dat	upx
behavioral2/files/0x000800000002360d-8.dat	upx
behavioral2/memory/2020-16-0x00007FF635510000-0x00007FF635902000-memory.dmp	upx
behavioral2/files/0x000700000002360e-19.dat	upx
behavioral2/files/0x0007000000023614-39.dat	upx
behavioral2/files/0x000700000002361f-90.dat	upx
behavioral2/files/0x0007000000023622-149.dat	upx
behavioral2/files/0x0007000000023623-169.dat	upx
behavioral2/memory/952-210-0x00007FF79BF60000-0x00007FF79C352000-memory.dmp	upx
behavioral2/memory/3436-252-0x00007FF603660000-0x00007FF603A52000-memory.dmp	upx
behavioral2/memory/3320-265-0x00007FF7E7C10000-0x00007FF7E8002000-memory.dmp	upx
behavioral2/memory/3756-276-0x00007FF7F3430000-0x00007FF7F3822000-memory.dmp	upx
behavioral2/memory/1112-292-0x00007FF69B9A0000-0x00007FF69BD92000-memory.dmp	upx
behavioral2/memory/1608-297-0x00007FF73BC80000-0x00007FF73C072000-memory.dmp	upx
behavioral2/memory/752-302-0x00007FF7AC0A0000-0x00007FF7AC492000-memory.dmp	upx
behavioral2/memory/1676-306-0x00007FF6CDEC0000-0x00007FF6CE2B2000-memory.dmp	upx
behavioral2/memory/432-305-0x00007FF6EEEA0000-0x00007FF6EF292000-memory.dmp	upx
behavioral2/memory/1204-304-0x00007FF76F4A0000-0x00007FF76F892000-memory.dmp	upx
behavioral2/memory/672-303-0x00007FF7394A0000-0x00007FF739892000-memory.dmp	upx
behavioral2/memory/3860-301-0x00007FF6595D0000-0x00007FF6599C2000-memory.dmp	upx
behavioral2/memory/3688-300-0x00007FF75CFB0000-0x00007FF75D3A2000-memory.dmp	upx
behavioral2/memory/3972-299-0x00007FF6DC2B0000-0x00007FF6DC6A2000-memory.dmp	upx
behavioral2/memory/3956-298-0x00007FF656600000-0x00007FF6569F2000-memory.dmp	upx
behavioral2/memory/1040-296-0x00007FF672070000-0x00007FF672462000-memory.dmp	upx
behavioral2/memory/3400-295-0x00007FF7F3940000-0x00007FF7F3D32000-memory.dmp	upx
behavioral2/memory/2756-294-0x00007FF68CCD0000-0x00007FF68D0C2000-memory.dmp	upx
behavioral2/memory/3204-291-0x00007FF7039D0000-0x00007FF703DC2000-memory.dmp	upx
behavioral2/memory/1164-246-0x00007FF6BCB20000-0x00007FF6BCF12000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

C:\Users\Admin\AppData\Local\Temp\02dde36451f709e02658e947d7786db1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02dde36451f709e02658e947d7786db1_JaffaCakes118.exe"
1⤵
PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3344
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3344" "2980" "2920" "2984" "0" "0" "2988" "0" "0" "0" "0" "0"
    3⤵
    PID:12480
- C:\Windows\System\WuHpauK.exe
  C:\Windows\System\WuHpauK.exe
  2⤵
  PID:2020
- C:\Windows\System\sVJYTTi.exe
  C:\Windows\System\sVJYTTi.exe
  2⤵
  PID:896
- C:\Windows\System\zQrbEki.exe
  C:\Windows\System\zQrbEki.exe
  2⤵
  PID:432
- C:\Windows\System\KkyKbiF.exe
  C:\Windows\System\KkyKbiF.exe
  2⤵
  PID:952
- C:\Windows\System\BEalNay.exe
  C:\Windows\System\BEalNay.exe
  2⤵
  PID:3436
- C:\Windows\System\kqpVHTz.exe
  C:\Windows\System\kqpVHTz.exe
  2⤵
  PID:3400
- C:\Windows\System\KAFLvJz.exe
  C:\Windows\System\KAFLvJz.exe
  2⤵
  PID:3972
- C:\Windows\System\rwvGiTl.exe
  C:\Windows\System\rwvGiTl.exe
  2⤵
  PID:3956
- C:\Windows\System\TdkLDzy.exe
  C:\Windows\System\TdkLDzy.exe
  2⤵
  PID:3688
- C:\Windows\System\PSzndNV.exe
  C:\Windows\System\PSzndNV.exe
  2⤵
  PID:404
- C:\Windows\System\ziWLcza.exe
  C:\Windows\System\ziWLcza.exe
  2⤵
  PID:2516
- C:\Windows\System\oqTXRAG.exe
  C:\Windows\System\oqTXRAG.exe
  2⤵
  PID:2652
- C:\Windows\System\ApVwoiW.exe
  C:\Windows\System\ApVwoiW.exe
  2⤵
  PID:1288
- C:\Windows\System\WenwxsL.exe
  C:\Windows\System\WenwxsL.exe
  2⤵
  PID:1872
- C:\Windows\System\MotMdgF.exe
  C:\Windows\System\MotMdgF.exe
  2⤵
  PID:4760
- C:\Windows\System\PMlPmVf.exe
  C:\Windows\System\PMlPmVf.exe
  2⤵
  PID:4136
- C:\Windows\System\prDbvft.exe
  C:\Windows\System\prDbvft.exe
  2⤵
  PID:1488
- C:\Windows\System\OnPqdRw.exe
  C:\Windows\System\OnPqdRw.exe
  2⤵
  PID:776
- C:\Windows\System\ocAAOhx.exe
  C:\Windows\System\ocAAOhx.exe
  2⤵
  PID:3840
- C:\Windows\System\uOLDEEl.exe
  C:\Windows\System\uOLDEEl.exe
  2⤵
  PID:2500
- C:\Windows\System\XMAwClf.exe
  C:\Windows\System\XMAwClf.exe
  2⤵
  PID:4032
- C:\Windows\System\NkOXzLa.exe
  C:\Windows\System\NkOXzLa.exe
  2⤵
  PID:2068
- C:\Windows\System\uWkzmWo.exe
  C:\Windows\System\uWkzmWo.exe
  2⤵
  PID:4144
- C:\Windows\System\VkluRwo.exe
  C:\Windows\System\VkluRwo.exe
  2⤵
  PID:1248
- C:\Windows\System\IZAcMeS.exe
  C:\Windows\System\IZAcMeS.exe
  2⤵
  PID:3080
- C:\Windows\System\KaCcONM.exe
  C:\Windows\System\KaCcONM.exe
  2⤵
  PID:2704
- C:\Windows\System\sHPJlYg.exe
  C:\Windows\System\sHPJlYg.exe
  2⤵
  PID:3988
- C:\Windows\System\QHoSJjx.exe
  C:\Windows\System\QHoSJjx.exe
  2⤵
  PID:1080
- C:\Windows\System\EKLJdvR.exe
  C:\Windows\System\EKLJdvR.exe
  2⤵
  PID:1936
- C:\Windows\System\AUBABQS.exe
  C:\Windows\System\AUBABQS.exe
  2⤵
  PID:3952
- C:\Windows\System\wWDZZlu.exe
  C:\Windows\System\wWDZZlu.exe
  2⤵
  PID:3184
- C:\Windows\System\rkjwopR.exe
  C:\Windows\System\rkjwopR.exe
  2⤵
  PID:772
- C:\Windows\System\xBQlGsP.exe
  C:\Windows\System\xBQlGsP.exe
  2⤵
  PID:4456
- C:\Windows\System\qMBNfRO.exe
  C:\Windows\System\qMBNfRO.exe
  2⤵
  PID:2640
- C:\Windows\System\wrPlFch.exe
  C:\Windows\System\wrPlFch.exe
  2⤵
  PID:5132
- C:\Windows\System\BmWNLiD.exe
  C:\Windows\System\BmWNLiD.exe
  2⤵
  PID:5152
- C:\Windows\System\BxOqbnL.exe
  C:\Windows\System\BxOqbnL.exe
  2⤵
  PID:5168
- C:\Windows\System\oZoHNYz.exe
  C:\Windows\System\oZoHNYz.exe
  2⤵
  PID:5184
- C:\Windows\System\adCdAdx.exe
  C:\Windows\System\adCdAdx.exe
  2⤵
  PID:5200
- C:\Windows\System\XkQxtaz.exe
  C:\Windows\System\XkQxtaz.exe
  2⤵
  PID:5216
- C:\Windows\System\UuNodTQ.exe
  C:\Windows\System\UuNodTQ.exe
  2⤵
  PID:5232
- C:\Windows\System\aQkEOwD.exe
  C:\Windows\System\aQkEOwD.exe
  2⤵
  PID:5256
- C:\Windows\System\WEwakfn.exe
  C:\Windows\System\WEwakfn.exe
  2⤵
  PID:5280
- C:\Windows\System\mVGSQbg.exe
  C:\Windows\System\mVGSQbg.exe
  2⤵
  PID:5392
- C:\Windows\System\qngXagh.exe
  C:\Windows\System\qngXagh.exe
  2⤵
  PID:5416
- C:\Windows\System\zPAEjik.exe
  C:\Windows\System\zPAEjik.exe
  2⤵
  PID:5440
- C:\Windows\System\uMBfzIX.exe
  C:\Windows\System\uMBfzIX.exe
  2⤵
  PID:5592
- C:\Windows\System\YoiEHbl.exe
  C:\Windows\System\YoiEHbl.exe
  2⤵
  PID:5620
- C:\Windows\System\koNaurB.exe
  C:\Windows\System\koNaurB.exe
  2⤵
  PID:5644
- C:\Windows\System\vYhAyTC.exe
  C:\Windows\System\vYhAyTC.exe
  2⤵
  PID:5688
- C:\Windows\System\PcocFsh.exe
  C:\Windows\System\PcocFsh.exe
  2⤵
  PID:5772
- C:\Windows\System\XUWfdvv.exe
  C:\Windows\System\XUWfdvv.exe
  2⤵
  PID:5872
- C:\Windows\System\ImtDlNG.exe
  C:\Windows\System\ImtDlNG.exe
  2⤵
  PID:5896
- C:\Windows\System\KZYhscx.exe
  C:\Windows\System\KZYhscx.exe
  2⤵
  PID:6020
- C:\Windows\System\ZyBaTRx.exe
  C:\Windows\System\ZyBaTRx.exe
  2⤵
  PID:6096
- C:\Windows\System\uNAhypD.exe
  C:\Windows\System\uNAhypD.exe
  2⤵
  PID:5192
- C:\Windows\System\hHMndHI.exe
  C:\Windows\System\hHMndHI.exe
  2⤵
  PID:5336
- C:\Windows\System\uaqUEJm.exe
  C:\Windows\System\uaqUEJm.exe
  2⤵
  PID:5384
- C:\Windows\System\jgQqbwC.exe
  C:\Windows\System\jgQqbwC.exe
  2⤵
  PID:4184
- C:\Windows\System\weHOfmx.exe
  C:\Windows\System\weHOfmx.exe
  2⤵
  PID:5636
- C:\Windows\System\GcaEdAX.exe
  C:\Windows\System\GcaEdAX.exe
  2⤵
  PID:5176
- C:\Windows\System\lXYiYKP.exe
  C:\Windows\System\lXYiYKP.exe
  2⤵
  PID:6148
- C:\Windows\System\fYtndPx.exe
  C:\Windows\System\fYtndPx.exe
  2⤵
  PID:6424
- C:\Windows\System\grVdRyR.exe
  C:\Windows\System\grVdRyR.exe
  2⤵
  PID:6588
- C:\Windows\System\YOQvmLH.exe
  C:\Windows\System\YOQvmLH.exe
  2⤵
  PID:6920
- C:\Windows\System\vqCcHdP.exe
  C:\Windows\System\vqCcHdP.exe
  2⤵
  PID:6948
- C:\Windows\System\sRHaOkJ.exe
  C:\Windows\System\sRHaOkJ.exe
  2⤵
  PID:5892
- C:\Windows\System\TPYbnoM.exe
  C:\Windows\System\TPYbnoM.exe
  2⤵
  PID:7252
- C:\Windows\System\TSIKRzP.exe
  C:\Windows\System\TSIKRzP.exe
  2⤵
  PID:7908
- C:\Windows\System\anWHrGF.exe
  C:\Windows\System\anWHrGF.exe
  2⤵
  PID:7104
- C:\Windows\System\mcdRufs.exe
  C:\Windows\System\mcdRufs.exe
  2⤵
  PID:6088
- C:\Windows\System\xxcxEBf.exe
  C:\Windows\System\xxcxEBf.exe
  2⤵
  PID:7648
- C:\Windows\System\otddxsI.exe
  C:\Windows\System\otddxsI.exe
  2⤵
  PID:8140
- C:\Windows\System\cmxyVjt.exe
  C:\Windows\System\cmxyVjt.exe
  2⤵
  PID:8796
- C:\Windows\System\VFWGduL.exe
  C:\Windows\System\VFWGduL.exe
  2⤵
  PID:9024
- C:\Windows\System\qEKFgSB.exe
  C:\Windows\System\qEKFgSB.exe
  2⤵
  PID:4664
- C:\Windows\System\BngiJgc.exe
  C:\Windows\System\BngiJgc.exe
  2⤵
  PID:8160
- C:\Windows\System\xeIeziA.exe
  C:\Windows\System\xeIeziA.exe
  2⤵
  PID:7848
- C:\Windows\System\CVCevEj.exe
  C:\Windows\System\CVCevEj.exe
  2⤵
  PID:8416
- C:\Windows\System\kEZIyjJ.exe
  C:\Windows\System\kEZIyjJ.exe
  2⤵
  PID:6800
- C:\Windows\System\mIIQBWS.exe
  C:\Windows\System\mIIQBWS.exe
  2⤵
  PID:9244
- C:\Windows\System\hsXvVDO.exe
  C:\Windows\System\hsXvVDO.exe
  2⤵
  PID:9272
- C:\Windows\System\GMHPUiI.exe
  C:\Windows\System\GMHPUiI.exe
  2⤵
  PID:9636
- C:\Windows\System\tBbMCro.exe
  C:\Windows\System\tBbMCro.exe
  2⤵
  PID:10084
- C:\Windows\System\bjINaEJ.exe
  C:\Windows\System\bjINaEJ.exe
  2⤵
  PID:10108
- C:\Windows\System\nWssrnA.exe
  C:\Windows\System\nWssrnA.exe
  2⤵
  PID:9740
- C:\Windows\System\gDMxLTo.exe
  C:\Windows\System\gDMxLTo.exe
  2⤵
  PID:10476
- C:\Windows\System\gHhDPuh.exe
  C:\Windows\System\gHhDPuh.exe
  2⤵
  PID:10504
- C:\Windows\System\LVjIoZZ.exe
  C:\Windows\System\LVjIoZZ.exe
  2⤵
  PID:11056
- C:\Windows\System\xohVVgG.exe
  C:\Windows\System\xohVVgG.exe
  2⤵
  PID:11072
- C:\Windows\System\fMpNgNo.exe
  C:\Windows\System\fMpNgNo.exe
  2⤵
  PID:11372
- C:\Windows\System\tGmUKFt.exe
  C:\Windows\System\tGmUKFt.exe
  2⤵
  PID:11396
- C:\Windows\System\iLRtuAw.exe
  C:\Windows\System\iLRtuAw.exe
  2⤵
  PID:11900
- C:\Windows\System\ludyhlP.exe
  C:\Windows\System\ludyhlP.exe
  2⤵
  PID:11928
- C:\Windows\System\FTczJgv.exe
  C:\Windows\System\FTczJgv.exe
  2⤵
  PID:11952
- C:\Windows\System\lIDHPev.exe
  C:\Windows\System\lIDHPev.exe
  2⤵
  PID:10568
- C:\Windows\System\BMaYXrd.exe
  C:\Windows\System\BMaYXrd.exe
  2⤵
  PID:11168
- C:\Windows\System\HNBRMJO.exe
  C:\Windows\System\HNBRMJO.exe
  2⤵
  PID:12088
- C:\Windows\System\ieItowK.exe
  C:\Windows\System\ieItowK.exe
  2⤵
  PID:12468
- C:\Windows\System\jiSxLeV.exe
  C:\Windows\System\jiSxLeV.exe
  2⤵
  PID:12612
- C:\Windows\System\vwufiIZ.exe
  C:\Windows\System\vwufiIZ.exe
  2⤵
  PID:12644
- C:\Windows\System\iVXeoDV.exe
  C:\Windows\System\iVXeoDV.exe
  2⤵
  PID:12668
- C:\Windows\System\BYbkylx.exe
  C:\Windows\System\BYbkylx.exe
  2⤵
  PID:13072
- C:\Windows\System\npzcFbh.exe
  C:\Windows\System\npzcFbh.exe
  2⤵
  PID:11204
- C:\Windows\System\fuAgGrZ.exe
  C:\Windows\System\fuAgGrZ.exe
  2⤵
  PID:12712
- C:\Windows\System\sqlfbtg.exe
  C:\Windows\System\sqlfbtg.exe
  2⤵
  PID:12356
- C:\Windows\System\IzloBAB.exe
  C:\Windows\System\IzloBAB.exe
  2⤵
  PID:12412
- C:\Windows\System\dTRJfDK.exe
  C:\Windows\System\dTRJfDK.exe
  2⤵
  PID:12436
- C:\Windows\System\ZCslzAR.exe
  C:\Windows\System\ZCslzAR.exe
  2⤵
  PID:3580
- C:\Windows\System\hQyuQNp.exe
  C:\Windows\System\hQyuQNp.exe
  2⤵
  PID:12500
- C:\Windows\System\PMkIvMZ.exe
  C:\Windows\System\PMkIvMZ.exe
  2⤵
  PID:11356
- C:\Windows\System\pViYZEI.exe
  C:\Windows\System\pViYZEI.exe
  2⤵
  PID:12604
- C:\Windows\System\KjVHOpv.exe
  C:\Windows\System\KjVHOpv.exe
  2⤵
  PID:12660
- C:\Windows\System\nNCSjSx.exe
  C:\Windows\System\nNCSjSx.exe
  2⤵
  PID:12920
- C:\Windows\System\TrUXzsp.exe
  C:\Windows\System\TrUXzsp.exe
  2⤵
  PID:12936
- C:\Windows\System\nHopjhO.exe
  C:\Windows\System\nHopjhO.exe
  2⤵
  PID:10344
- C:\Windows\System\zbLSCAF.exe
  C:\Windows\System\zbLSCAF.exe
  2⤵
  PID:11780
- C:\Windows\System\VTcpGfa.exe
  C:\Windows\System\VTcpGfa.exe
  2⤵
  PID:12320
- C:\Windows\System\ivTZNwn.exe
  C:\Windows\System\ivTZNwn.exe
  2⤵
  PID:12724
- C:\Windows\System\UWYtidk.exe
  C:\Windows\System\UWYtidk.exe
  2⤵
  PID:13060
- C:\Windows\System\TZmbnLj.exe
  C:\Windows\System\TZmbnLj.exe
  2⤵
  PID:13020
- C:\Windows\System\ySxoGza.exe
  C:\Windows\System\ySxoGza.exe
  2⤵
  PID:12688
- C:\Windows\System\CMjZQrc.exe
  C:\Windows\System\CMjZQrc.exe
  2⤵
  PID:9564
- C:\Windows\System\nOyXtpt.exe
  C:\Windows\System\nOyXtpt.exe
  2⤵
  PID:11540
- C:\Windows\System\OujOikz.exe
  C:\Windows\System\OujOikz.exe
  2⤵
  PID:13228
- C:\Windows\System\uYQqReJ.exe
  C:\Windows\System\uYQqReJ.exe
  2⤵
  PID:12352
- C:\Windows\System\pvxKMjb.exe
  C:\Windows\System\pvxKMjb.exe
  2⤵
  PID:4812
- C:\Windows\System\vaIADbK.exe
  C:\Windows\System\vaIADbK.exe
  2⤵
  PID:12540
- C:\Windows\System\KUumxGT.exe
  C:\Windows\System\KUumxGT.exe
  2⤵
  PID:12792
- C:\Windows\System\SPtGjKD.exe
  C:\Windows\System\SPtGjKD.exe
  2⤵
  PID:12968
- C:\Windows\System\BVNeanO.exe
  C:\Windows\System\BVNeanO.exe
  2⤵
  PID:11536
- C:\Windows\System\iHbYnET.exe
  C:\Windows\System\iHbYnET.exe
  2⤵
  PID:4704
- C:\Windows\System\ToKXyHz.exe
  C:\Windows\System\ToKXyHz.exe
  2⤵
  PID:12700
- C:\Windows\System\bcZPsai.exe
  C:\Windows\System\bcZPsai.exe
  2⤵
  PID:12744
- C:\Windows\System\XUAPHwW.exe
  C:\Windows\System\XUAPHwW.exe
  2⤵
  PID:12964
- C:\Windows\System\RYvpgIw.exe
  C:\Windows\System\RYvpgIw.exe
  2⤵
  PID:13008
- C:\Windows\System\HamKeUy.exe
  C:\Windows\System\HamKeUy.exe
  2⤵
  PID:13124
- C:\Windows\System\nRGYXKE.exe
  C:\Windows\System\nRGYXKE.exe
  2⤵
  PID:12900
- C:\Windows\System\jsACrSm.exe
  C:\Windows\System\jsACrSm.exe
  2⤵
  PID:12556
- C:\Windows\System\UCFUVcE.exe
  C:\Windows\System\UCFUVcE.exe
  2⤵
  PID:4712
- C:\Windows\System\WttUwkT.exe
  C:\Windows\System\WttUwkT.exe
  2⤵
  PID:4036
- C:\Windows\System\TNVJACi.exe
  C:\Windows\System\TNVJACi.exe
  2⤵
  PID:5716
- C:\Windows\System\THFkSVw.exe
  C:\Windows\System\THFkSVw.exe
  2⤵
  PID:13264
- C:\Windows\System\jyVbfOn.exe
  C:\Windows\System\jyVbfOn.exe
  2⤵
  PID:3324
- C:\Windows\System\rekNVOA.exe
  C:\Windows\System\rekNVOA.exe
  2⤵
  PID:12536
- C:\Windows\System\EiTdYMz.exe
  C:\Windows\System\EiTdYMz.exe
  2⤵
  PID:12520
- C:\Windows\System\pBANDXO.exe
  C:\Windows\System\pBANDXO.exe
  2⤵
  PID:2808
- C:\Windows\System\qLXxXIA.exe
  C:\Windows\System\qLXxXIA.exe
  2⤵
  PID:5848
- C:\Windows\System\hsgDZNI.exe
  C:\Windows\System\hsgDZNI.exe
  2⤵
  PID:11832
- C:\Windows\System\jQSmBoL.exe
  C:\Windows\System\jQSmBoL.exe
  2⤵
  PID:13344
- C:\Windows\System\KrzwyeT.exe
  C:\Windows\System\KrzwyeT.exe
  2⤵
  PID:13500
- C:\Windows\System\VrGtpzY.exe
  C:\Windows\System\VrGtpzY.exe
  2⤵
  PID:13532
- C:\Windows\System\mHtqpOW.exe
  C:\Windows\System\mHtqpOW.exe
  2⤵
  PID:13548
- C:\Windows\System\YYkVPIh.exe
  C:\Windows\System\YYkVPIh.exe
  2⤵
  PID:13580
- C:\Windows\System\cUbIaQh.exe
  C:\Windows\System\cUbIaQh.exe
  2⤵
  PID:13612
- C:\Windows\System\UExqJCQ.exe
  C:\Windows\System\UExqJCQ.exe
  2⤵
  PID:13632
- C:\Windows\System\NIzuKNw.exe
  C:\Windows\System\NIzuKNw.exe
  2⤵
  PID:13664
- C:\Windows\System\VCaAKcx.exe
  C:\Windows\System\VCaAKcx.exe
  2⤵
  PID:13696
- C:\Windows\System\nNkaLgl.exe
  C:\Windows\System\nNkaLgl.exe
  2⤵
  PID:13728
- C:\Windows\System\jHsCoEf.exe
  C:\Windows\System\jHsCoEf.exe
  2⤵
  PID:13764
- C:\Windows\System\RABqzZy.exe
  C:\Windows\System\RABqzZy.exe
  2⤵
  PID:13796
- C:\Windows\System\NSlPrGF.exe
  C:\Windows\System\NSlPrGF.exe
  2⤵
  PID:13876
- C:\Windows\System\uYuShkY.exe
  C:\Windows\System\uYuShkY.exe
  2⤵
  PID:13924
- C:\Windows\System\diNfjJU.exe
  C:\Windows\System\diNfjJU.exe
  2⤵
  PID:13956
- C:\Windows\System\OOLtsoi.exe
  C:\Windows\System\OOLtsoi.exe
  2⤵
  PID:14000
- C:\Windows\System\OvllAbb.exe
  C:\Windows\System\OvllAbb.exe
  2⤵
  PID:14036
- C:\Windows\System\uBdMOnn.exe
  C:\Windows\System\uBdMOnn.exe
  2⤵
  PID:14100
- C:\Windows\System\ykEcDNn.exe
  C:\Windows\System\ykEcDNn.exe
  2⤵
  PID:14132
- C:\Windows\System\RUwrPRo.exe
  C:\Windows\System\RUwrPRo.exe
  2⤵
  PID:14148
- C:\Windows\System\FDXiyem.exe
  C:\Windows\System\FDXiyem.exe
  2⤵
  PID:14168
- C:\Windows\System\floWEva.exe
  C:\Windows\System\floWEva.exe
  2⤵
  PID:14200
- C:\Windows\System\FcvIeEc.exe
  C:\Windows\System\FcvIeEc.exe
  2⤵
  PID:14232
- C:\Windows\System\uYVMvZm.exe
  C:\Windows\System\uYVMvZm.exe
  2⤵
  PID:14312
- C:\Windows\System\xYBeEid.exe
  C:\Windows\System\xYBeEid.exe
  2⤵
  PID:13204
- C:\Windows\System\ERArVcM.exe
  C:\Windows\System\ERArVcM.exe
  2⤵
  PID:548
- C:\Windows\System\BMHxnyo.exe
  C:\Windows\System\BMHxnyo.exe
  2⤵
  PID:13356
- C:\Windows\System\IMoOhFV.exe
  C:\Windows\System\IMoOhFV.exe
  2⤵
  PID:13372
- C:\Windows\System\jArDuOv.exe
  C:\Windows\System\jArDuOv.exe
  2⤵
  PID:5564
- C:\Windows\System\KKmwyrk.exe
  C:\Windows\System\KKmwyrk.exe
  2⤵
  PID:13432
- C:\Windows\System\ugiOXFn.exe
  C:\Windows\System\ugiOXFn.exe
  2⤵
  PID:13496
- C:\Windows\System\HthZbAV.exe
  C:\Windows\System\HthZbAV.exe
  2⤵
  PID:13540
- C:\Windows\System\iVhaXsB.exe
  C:\Windows\System\iVhaXsB.exe
  2⤵
  PID:13604
- C:\Windows\System\PrLjbcP.exe
  C:\Windows\System\PrLjbcP.exe
  2⤵
  PID:13672
- C:\Windows\System\lZTDqTu.exe
  C:\Windows\System\lZTDqTu.exe
  2⤵
  PID:13776
- C:\Windows\System\eorDCMa.exe
  C:\Windows\System\eorDCMa.exe
  2⤵
  PID:13840
- C:\Windows\System\mkkJJyQ.exe
  C:\Windows\System\mkkJJyQ.exe
  2⤵
  PID:13872
- C:\Windows\System\Nycaota.exe
  C:\Windows\System\Nycaota.exe
  2⤵
  PID:13936
- C:\Windows\System\ZjGmWZg.exe
  C:\Windows\System\ZjGmWZg.exe
  2⤵
  PID:13980
- C:\Windows\System\bSeMela.exe
  C:\Windows\System\bSeMela.exe
  2⤵
  PID:14112
- C:\Windows\System\BdVKJXr.exe
  C:\Windows\System\BdVKJXr.exe
  2⤵
  PID:14212
- C:\Windows\System\BlXuJZq.exe
  C:\Windows\System\BlXuJZq.exe
  2⤵
  PID:14276
- C:\Windows\System\QLnxvwD.exe
  C:\Windows\System\QLnxvwD.exe
  2⤵
  PID:5780
- C:\Windows\System\vphGoGp.exe
  C:\Windows\System\vphGoGp.exe
  2⤵
  PID:1452
- C:\Windows\System\ePrmvoR.exe
  C:\Windows\System\ePrmvoR.exe
  2⤵
  PID:6616
- C:\Windows\System\VogodCY.exe
  C:\Windows\System\VogodCY.exe
  2⤵
  PID:13448
- C:\Windows\System\uvNIGqt.exe
  C:\Windows\System\uvNIGqt.exe
  2⤵
  PID:13624
- C:\Windows\System\NbzuRah.exe
  C:\Windows\System\NbzuRah.exe
  2⤵
  PID:13760
- C:\Windows\System\MuYVUTO.exe
  C:\Windows\System\MuYVUTO.exe
  2⤵
  PID:13888
- C:\Windows\System\pepCyrA.exe
  C:\Windows\System\pepCyrA.exe
  2⤵
  PID:2664
- C:\Windows\System\JLZBzIg.exe
  C:\Windows\System\JLZBzIg.exe
  2⤵
  PID:13240
- C:\Windows\System\yNhqCjG.exe
  C:\Windows\System\yNhqCjG.exe
  2⤵
  PID:14164
- C:\Windows\System\fySxTDA.exe
  C:\Windows\System\fySxTDA.exe
  2⤵
  PID:14228
- C:\Windows\System\duVnuBT.exe
  C:\Windows\System\duVnuBT.exe
  2⤵
  PID:13300
- C:\Windows\System\kaRQzTC.exe
  C:\Windows\System\kaRQzTC.exe
  2⤵
  PID:13320
- C:\Windows\System\ZzLlVkG.exe
  C:\Windows\System\ZzLlVkG.exe
  2⤵
  PID:13488
- C:\Windows\System\VfchVeX.exe
  C:\Windows\System\VfchVeX.exe
  2⤵
  PID:13656
- C:\Windows\System\ApYuyXB.exe
  C:\Windows\System\ApYuyXB.exe
  2⤵
  PID:13868
- C:\Windows\System\KWZModc.exe
  C:\Windows\System\KWZModc.exe
  2⤵
  PID:11700
- C:\Windows\System\HDqgivU.exe
  C:\Windows\System\HDqgivU.exe
  2⤵
  PID:14272
- C:\Windows\System\gycPhjM.exe
  C:\Windows\System\gycPhjM.exe
  2⤵
  PID:2220
- C:\Windows\System\sTjfDmC.exe
  C:\Windows\System\sTjfDmC.exe
  2⤵
  PID:3332
- C:\Windows\System\QVPFvcJ.exe
  C:\Windows\System\QVPFvcJ.exe
  2⤵
  PID:13724
- C:\Windows\System\ZBUQbUC.exe
  C:\Windows\System\ZBUQbUC.exe
  2⤵
  PID:12364
- C:\Windows\System\BWGSvDX.exe
  C:\Windows\System\BWGSvDX.exe
  2⤵
  PID:4840
- C:\Windows\System\avFQtMT.exe
  C:\Windows\System\avFQtMT.exe
  2⤵
  PID:13932
- C:\Windows\System\TqiTWdR.exe
  C:\Windows\System\TqiTWdR.exe
  2⤵
  PID:4628
- C:\Windows\System\pKGPdLR.exe
  C:\Windows\System\pKGPdLR.exe
  2⤵
  PID:14140
- C:\Windows\System\MeWxgYN.exe
  C:\Windows\System\MeWxgYN.exe
  2⤵
  PID:10300
- C:\Windows\System\wlcQxjo.exe
  C:\Windows\System\wlcQxjo.exe
  2⤵
  PID:14352
- C:\Windows\System\ZwFcKLg.exe
  C:\Windows\System\ZwFcKLg.exe
  2⤵
  PID:14368
- C:\Windows\System\HRhkmrZ.exe
  C:\Windows\System\HRhkmrZ.exe
  2⤵
  PID:14384
- C:\Windows\System\ljDbpes.exe
  C:\Windows\System\ljDbpes.exe
  2⤵
  PID:14400
- C:\Windows\System\vVMFlgI.exe
  C:\Windows\System\vVMFlgI.exe
  2⤵
  PID:14416
- C:\Windows\System\vMVlmDT.exe
  C:\Windows\System\vMVlmDT.exe
  2⤵
  PID:14432
- C:\Windows\System\qgtcPfF.exe
  C:\Windows\System\qgtcPfF.exe
  2⤵
  PID:14448
- C:\Windows\System\ALQpCLI.exe
  C:\Windows\System\ALQpCLI.exe
  2⤵
  PID:14464
- C:\Windows\System\AcnzFnG.exe
  C:\Windows\System\AcnzFnG.exe
  2⤵
  PID:14480
- C:\Windows\System\oxmaWDx.exe
  C:\Windows\System\oxmaWDx.exe
  2⤵
  PID:14496
- C:\Windows\System\YVPiSae.exe
  C:\Windows\System\YVPiSae.exe
  2⤵
  PID:14512
- C:\Windows\System\CwhGiWR.exe
  C:\Windows\System\CwhGiWR.exe
  2⤵
  PID:14528
- C:\Windows\System\yxSRPtW.exe
  C:\Windows\System\yxSRPtW.exe
  2⤵
  PID:14544
- C:\Windows\System\MMRWufP.exe
  C:\Windows\System\MMRWufP.exe
  2⤵
  PID:14560
- C:\Windows\System\LaSpNZG.exe
  C:\Windows\System\LaSpNZG.exe
  2⤵
  PID:14576
- C:\Windows\System\UuCqsUt.exe
  C:\Windows\System\UuCqsUt.exe
  2⤵
  PID:14592
- C:\Windows\System\hCghkXS.exe
  C:\Windows\System\hCghkXS.exe
  2⤵
  PID:14612
- C:\Windows\System\UaKSUar.exe
  C:\Windows\System\UaKSUar.exe
  2⤵
  PID:14628
- C:\Windows\System\sbkEQYw.exe
  C:\Windows\System\sbkEQYw.exe
  2⤵
  PID:14644
- C:\Windows\System\IAYVrJi.exe
  C:\Windows\System\IAYVrJi.exe
  2⤵
  PID:14660
- C:\Windows\System\WbGYKIy.exe
  C:\Windows\System\WbGYKIy.exe
  2⤵
  PID:14676
- C:\Windows\System\NgRjezt.exe
  C:\Windows\System\NgRjezt.exe
  2⤵
  PID:14692
- C:\Windows\System\nEGvMeE.exe
  C:\Windows\System\nEGvMeE.exe
  2⤵
  PID:14708
- C:\Windows\System\mlYhEHp.exe
  C:\Windows\System\mlYhEHp.exe
  2⤵
  PID:14724
- C:\Windows\System\sIzjIxU.exe
  C:\Windows\System\sIzjIxU.exe
  2⤵
  PID:14744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\IByRzWK.exe

Filesize
2.8MB

MD5
50d3ba89c1fb29f15538ce0521868aa7

SHA1
4c6c3475ffc5d6d6b0ae9c3c38537726d97163f0

SHA256
f24c4ec09e2dd102cde6524fa8086e197307d56dd6815b786ad6ee20493b182a

SHA512
938904b571686964af5f9671a3ee8394892c189c797c0e7215b085c2c13d84b682dafd3a49590711f87a888acfc519e744da5e157d8a96d58de90d8021b0b2bd

Download Submit
C:\Windows\System\LQyjdTR.exe

Filesize
2.8MB

MD5
9f81e1b46212b62eb01ea6f1ccc3992d

SHA1
6a1a3ee5d8c53208a8b00c4aba0ac49df93a21c1

SHA256
8f4cc5123fef61d442ced600bad4ed26042bec4101647e00cee78f2027ff17e6

SHA512
95d7ea2fd1eea0d2bcb74760e93eef3577fd7eded394c2c775fa25bd07723f84e3e49eb48c8d7afd57e5bb41aca5da3ae232fd6c05fbb4bf187411c4773af0e4

Download Submit
C:\Windows\System\WuHpauK.exe

Filesize
2.8MB

MD5
ed3c92c678633abe82bd881e504ed300

SHA1
e40ed0d3dd5bdf21def58f3b6a65ae9b9b549d9d

SHA256
59cc39ca9f266aa1d6636230b339b27c5b4a2795ab87fe9c38af326297ffc1b5

SHA512
eecbeab8a999b433149e89d9faed77340728534833d0a23c58bfb63bc897c3b39aaec829cb144420f7fc8bf4511b8c140793504fa809373a6da414117727bdb8

Download Submit
C:\Windows\System\rpXudDz.exe

Filesize
2.8MB

MD5
112a4324de3e61eaca1f1f8b9ed24d72

SHA1
0c6e103d2aeb67dd6e3f8ff89dd3a9cb04a90be9

SHA256
23934a47f01e7a74fd01576afc7baf239d7181146af441bce0a4d2f2f3e71bbe

SHA512
c1f200f2adfca5f2b701dae9d85fe1bbb83182798800811e66fa06729bb92125ff881b92c2083ac47c95f812adeb4fb5c7250718b070f8fc65e4e825b79efe7a

Download Submit
C:\Windows\System\sVJYTTi.exe

Filesize
2.8MB

MD5
abcd6a6f5ed688806c36fc2bc74cb17c

SHA1
51c558bd8294a27960bdf3cece02d8b5bfa36af0

SHA256
5562b8c619cc1a92f0cf05a1d770e3b20c5c1fa95c4d09e41cc6575a1336d6ea

SHA512
2b1c6f9072c2a75947b1140b9a2c2e43704d8a32cc7a273bd7b1ffb7dd9b5c09225656e8d4fc3b78aaa79e1eb17ea54564e3b3a7b401e164a4818551d74166b8

Download Submit
C:\Windows\System\tTELkdh.exe

Filesize
2.8MB

MD5
91398b5a7f2a8e74eb180f5790755732

SHA1
76e9d68e6e50007bd07412fccf51fdbcf26c03a3

SHA256
06534655a369b7b15a67da01368048c182247419037da1141bbee4ecf313e7ae

SHA512
1a275f34ac9e29ee159eab546c0008366ab8939eac37228511a1ef1760931337d121a7e62e6d325973d488cda855f8d2f57f7462536d836195a6173fbdfdbb7f

Download Submit
C:\Windows\System\zQrbEki.exe

Filesize
2.8MB

MD5
9778fea833dc256dd17b71fe0203e582

SHA1
dbaec2254edeb8b0d422f9a4751ac2ff2d638eef

SHA256
4a25c32c593a632d566ff0ae29158e480d6a3046235d8af864ca5090019dc77b

SHA512
8ac669a74caf938ec2b766ac78111d41bb7e07d66cff8b2f380c0f5300e66fd66843e5b6eea076c43afb2523cd7abc54bdc5e5ff7d244818cecd652a18f0a0d7

Download Submit
memory/432-305-0x00007FF6EEEA0000-0x00007FF6EF292000-memory.dmp

Filesize
3.9MB

Download
memory/672-303-0x00007FF7394A0000-0x00007FF739892000-memory.dmp

Filesize
3.9MB

Download
memory/752-302-0x00007FF7AC0A0000-0x00007FF7AC492000-memory.dmp

Filesize
3.9MB

Download
memory/952-210-0x00007FF79BF60000-0x00007FF79C352000-memory.dmp

Filesize
3.9MB

Download
memory/1040-296-0x00007FF672070000-0x00007FF672462000-memory.dmp

Filesize
3.9MB

Download
memory/1112-292-0x00007FF69B9A0000-0x00007FF69BD92000-memory.dmp

Filesize
3.9MB

Download
memory/1164-246-0x00007FF6BCB20000-0x00007FF6BCF12000-memory.dmp

Filesize
3.9MB

Download
memory/1204-304-0x00007FF76F4A0000-0x00007FF76F892000-memory.dmp

Filesize
3.9MB

Download
memory/1608-297-0x00007FF73BC80000-0x00007FF73C072000-memory.dmp

Filesize
3.9MB

Download
memory/1676-306-0x00007FF6CDEC0000-0x00007FF6CE2B2000-memory.dmp

Filesize
3.9MB

Download
memory/2020-16-0x00007FF635510000-0x00007FF635902000-memory.dmp

Filesize
3.9MB

Download
memory/2332-1-0x000001AA02880000-0x000001AA02890000-memory.dmp

Filesize
64KB

Download
memory/2332-0-0x00007FF640F40000-0x00007FF641332000-memory.dmp

Filesize
3.9MB

Download
memory/2756-294-0x00007FF68CCD0000-0x00007FF68D0C2000-memory.dmp

Filesize
3.9MB

Download
memory/3204-291-0x00007FF7039D0000-0x00007FF703DC2000-memory.dmp

Filesize
3.9MB

Download
memory/3320-265-0x00007FF7E7C10000-0x00007FF7E8002000-memory.dmp

Filesize
3.9MB

Download
memory/3400-295-0x00007FF7F3940000-0x00007FF7F3D32000-memory.dmp

Filesize
3.9MB

Download
memory/3436-252-0x00007FF603660000-0x00007FF603A52000-memory.dmp

Filesize
3.9MB

Download
memory/3688-300-0x00007FF75CFB0000-0x00007FF75D3A2000-memory.dmp

Filesize
3.9MB

Download
memory/3756-276-0x00007FF7F3430000-0x00007FF7F3822000-memory.dmp

Filesize
3.9MB

Download
memory/3860-301-0x00007FF6595D0000-0x00007FF6599C2000-memory.dmp

Filesize
3.9MB

Download
memory/3956-298-0x00007FF656600000-0x00007FF6569F2000-memory.dmp

Filesize
3.9MB

Download
memory/3972-299-0x00007FF6DC2B0000-0x00007FF6DC6A2000-memory.dmp

Filesize
3.9MB

Download