Malware Analysis Report

2025-01-22 19:25

Sample ID 240806-pc1btayekq
Target 69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20
SHA256 69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20

Threat Level: Known bad

The file 69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20 was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

xmrig

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 12:11

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:11

Reported

2024-08-06 12:14

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nYupmBU.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\jEdwjIG.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\aJEHkqC.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\EdzKrYG.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\CijbwWT.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\MRjiNuO.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\ZRsVyaD.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\HENcyQh.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\HHNGihY.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\AjgPayk.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\xaKMAaC.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\cQDwIFt.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\DspdAnL.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\dOcyREd.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\qHDLdHW.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\RwWxSCY.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\fAwyONf.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\MtzZHfq.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\JTJybSy.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\JgzFGTC.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\dWMVPkf.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 844 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\JTJybSy.exe
PID 844 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\JTJybSy.exe
PID 844 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\DspdAnL.exe
PID 844 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\DspdAnL.exe
PID 844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\cQDwIFt.exe
PID 844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\cQDwIFt.exe
PID 844 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\dOcyREd.exe
PID 844 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\dOcyREd.exe
PID 844 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\ZRsVyaD.exe
PID 844 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\ZRsVyaD.exe
PID 844 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\MRjiNuO.exe
PID 844 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\MRjiNuO.exe
PID 844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\nYupmBU.exe
PID 844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\nYupmBU.exe
PID 844 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\HENcyQh.exe
PID 844 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\HENcyQh.exe
PID 844 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\HHNGihY.exe
PID 844 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\HHNGihY.exe
PID 844 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\qHDLdHW.exe
PID 844 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\qHDLdHW.exe
PID 844 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\jEdwjIG.exe
PID 844 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\jEdwjIG.exe
PID 844 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\AjgPayk.exe
PID 844 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\AjgPayk.exe
PID 844 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\xaKMAaC.exe
PID 844 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\xaKMAaC.exe
PID 844 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\dWMVPkf.exe
PID 844 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\dWMVPkf.exe
PID 844 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\RwWxSCY.exe
PID 844 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\RwWxSCY.exe
PID 844 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\aJEHkqC.exe
PID 844 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\aJEHkqC.exe
PID 844 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\fAwyONf.exe
PID 844 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\fAwyONf.exe
PID 844 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\MtzZHfq.exe
PID 844 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\MtzZHfq.exe
PID 844 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\EdzKrYG.exe
PID 844 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\EdzKrYG.exe
PID 844 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\JgzFGTC.exe
PID 844 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\JgzFGTC.exe
PID 844 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\CijbwWT.exe
PID 844 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\CijbwWT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe

"C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe"

C:\Windows\System\JTJybSy.exe

C:\Windows\System\JTJybSy.exe

C:\Windows\System\DspdAnL.exe

C:\Windows\System\DspdAnL.exe

C:\Windows\System\cQDwIFt.exe

C:\Windows\System\cQDwIFt.exe

C:\Windows\System\dOcyREd.exe

C:\Windows\System\dOcyREd.exe

C:\Windows\System\ZRsVyaD.exe

C:\Windows\System\ZRsVyaD.exe

C:\Windows\System\MRjiNuO.exe

C:\Windows\System\MRjiNuO.exe

C:\Windows\System\nYupmBU.exe

C:\Windows\System\nYupmBU.exe

C:\Windows\System\HENcyQh.exe

C:\Windows\System\HENcyQh.exe

C:\Windows\System\HHNGihY.exe

C:\Windows\System\HHNGihY.exe

C:\Windows\System\qHDLdHW.exe

C:\Windows\System\qHDLdHW.exe

C:\Windows\System\jEdwjIG.exe

C:\Windows\System\jEdwjIG.exe

C:\Windows\System\AjgPayk.exe

C:\Windows\System\AjgPayk.exe

C:\Windows\System\xaKMAaC.exe

C:\Windows\System\xaKMAaC.exe

C:\Windows\System\dWMVPkf.exe

C:\Windows\System\dWMVPkf.exe

C:\Windows\System\RwWxSCY.exe

C:\Windows\System\RwWxSCY.exe

C:\Windows\System\aJEHkqC.exe

C:\Windows\System\aJEHkqC.exe

C:\Windows\System\fAwyONf.exe

C:\Windows\System\fAwyONf.exe

C:\Windows\System\MtzZHfq.exe

C:\Windows\System\MtzZHfq.exe

C:\Windows\System\EdzKrYG.exe

C:\Windows\System\EdzKrYG.exe

C:\Windows\System\JgzFGTC.exe

C:\Windows\System\JgzFGTC.exe

C:\Windows\System\CijbwWT.exe

C:\Windows\System\CijbwWT.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 52.111.229.48:443 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/844-0-0x00007FF711950000-0x00007FF711CA4000-memory.dmp

memory/844-1-0x0000015C69840000-0x0000015C69850000-memory.dmp

C:\Windows\System\JTJybSy.exe

MD5 29996ecc6a7db31f2a94af2efdaf919c
SHA1 a6dadd3072d37279f47d46740162a296a7a92dca
SHA256 fff115db35dbed574aef8a1ec263bf653afd3c10fe7036f88872622c6e748a78
SHA512 b8645dab9798f0f6517535e1a4460f52489698b000a13b8fff65614fe415c2a13fee3bf49fcfa0e7f6c8c0e053ff10a50b69196d709fe41a6d4a4ae25b25e79b

C:\Windows\System\cQDwIFt.exe

MD5 0a81f512365b627bc560124929f8f76a
SHA1 68a8552a6b2c030daee8586ad8405a29e775d1ab
SHA256 38f49b97ba6abfea2fc60741930c88eb6eb8916a413ac97112696dc970e8b034
SHA512 28a6c57c26da09229a90ac96a8920ee1b1a3031acbb84815c1a094e4fee9580790432bff1fb3f832790c795f87c0d7a447ebb5a338869363fe68ec7a2efbf5d2

memory/2628-23-0x00007FF70BB00000-0x00007FF70BE54000-memory.dmp

C:\Windows\System\dOcyREd.exe

MD5 ef8e2ca7f9d986151af330b7289665a0
SHA1 fa983502689d74a55583c3bf8142dda25259dfff
SHA256 56ed4de85831a024b611d3ebf27ee75343f903dc026521eb8021230d2b7b5e0a
SHA512 b9b42ef825deb6c6a013f951813de516fa23d11664d6ac131e97382e91d2471e4cacf3254e837af7e4f6a56585255115563c676d0706e52ba4c32b1a8c6ac930

C:\Windows\System\ZRsVyaD.exe

MD5 a0a66df9eed8396cfa7869532a812c67
SHA1 66829482d2e7651dae20c12b77138cb256a460c0
SHA256 29fe6d2b548b779c450895bc25bae4251f7eb46a4316ec33fe4941d4f172a200
SHA512 40c4737cd297ca5da4096ebdfad088f075c37f88c7c721b002e75da34be2563d9bad5c4249d65d85fcf2b286e61ed2d94a8f2337475e2c0c7b1ac3b651f4d23f

C:\Windows\System\nYupmBU.exe

MD5 609facbaaca3cd8563e5692251f9fc65
SHA1 35b25c7cda22e1aa1d994e06d496a93395f7d529
SHA256 1191f19b7ab9a8a779ccbc7220929591e8fadf8bab792f8960f18250d0a03cab
SHA512 becf1f6b412c15486cc2c5361c4183cf21ad8679f198b93dd842ae18f11ef96eb27ad82d473c82853f7140e67e2bcf493a942b1dbeddf0956f149e528684e236

C:\Windows\System\qHDLdHW.exe

MD5 06e81f2688bc720d0965c095b9efeea3
SHA1 e73559a84e363a03736c32fa59b08460efbcf497
SHA256 58fa74ae5eb01857deb0d73df54988c99327e92816c92ff6a66d662a2ff98f94
SHA512 93abccc093abb2bd58588f0757f78df78cd3aca388aecfadd4d0b612414b3fb278cd135d667e31182b88c3c6aab368eaebe1bd990263ce08a70dce6b332e13f7

C:\Windows\System\HHNGihY.exe

MD5 c8db09df69a75de47851874fa29057eb
SHA1 47fa0a35761c190c0c87cea003bbfd026040877b
SHA256 ab22992f77e1e99081dc0f5da68c1167ec625668c84f75f13d7ca62585183b38
SHA512 60367a3e43747499663649caf53bab93900ee2f5890b58d1f6805caaf98f38b5a034e2e6fdd778adf4d67cd7e7f892db9d8f4ff3f7b29454a2f8fdc52040edca

memory/2152-57-0x00007FF640A30000-0x00007FF640D84000-memory.dmp

memory/5028-65-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp

C:\Windows\System\jEdwjIG.exe

MD5 26c047cc3a99fbe133c2e81c6591782c
SHA1 e033b1d9ce64eaf3b0c8adcb050e6dc3f5476f3f
SHA256 ab462bdc867317d8ead6820e7f03aa6eebae0f2f0f07b142f664af96ffc513af
SHA512 88d8f067ef41c720372061c56f73e2b1270554625cda798cb1f27f0abe1593780399b50891ec3c7ed2853db9d1687765aeff67435d5b1c1016be41d58ba87dda

memory/4252-66-0x00007FF7E8D00000-0x00007FF7E9054000-memory.dmp

memory/4716-63-0x00007FF66AFA0000-0x00007FF66B2F4000-memory.dmp

memory/2312-54-0x00007FF78CD00000-0x00007FF78D054000-memory.dmp

memory/2280-51-0x00007FF73BA60000-0x00007FF73BDB4000-memory.dmp

C:\Windows\System\HENcyQh.exe

MD5 943d86ee0ab759c048f587f0c822d8b2
SHA1 cfc4433947da04ed30be6167e92b985fa2cfb1a3
SHA256 5a2369ba6d56cefc173c65b9f88398fc98c75c86bfc5663b9ef6a0018a1fa7fc
SHA512 ab0426d1ef89ee9bc14dc4aadf5951471644e26f509bf61ccf5e3a748ac7fa34eddd6e1ff08288e3b1bc295b872aa8fc905ebd33c4a6250ebb7d06c86f4d32fd

C:\Windows\System\MRjiNuO.exe

MD5 d5d52392f6bc3c2367ff5eaab72b7eef
SHA1 66a12dc80f286c28ba54c688e1572645b9370afe
SHA256 cc0bf06ebbeb90eba2af65d7c23e193e6b4e1bc121095848ff1876fee468ae40
SHA512 0f55cb952bd147396eb3c3c71d4263ed316222605061421bc2c27f1da6feadaa53948bd381c3f9afa269f37961d0d827f1acb837295b4d59bf00694b46f4d9bb

memory/2744-38-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp

memory/448-29-0x00007FF657760000-0x00007FF657AB4000-memory.dmp

memory/3324-21-0x00007FF766F00000-0x00007FF767254000-memory.dmp

C:\Windows\System\DspdAnL.exe

MD5 0f07ae94d8b5d2407f1530ea7622eaa5
SHA1 fa978c1c5446de2d6f0cf8cf11ef1c4533e7c5ab
SHA256 7d660e758d850eb2ef24c8c6ab9dabac52497fbf6d6f584917e11f818d21091b
SHA512 3e4bd2f336583f7127f15b89507aab379363f0e755b827fc70e0d4715e47521b8dbdd750f376513218bb7b81bfbd74ebac0224599555e035f3f9f2cf5376f205

memory/4492-10-0x00007FF6AAF70000-0x00007FF6AB2C4000-memory.dmp

C:\Windows\System\AjgPayk.exe

MD5 126f64a013f6cd2985b7ca6fba388bf9
SHA1 e1e2a0a0dd16f3be7979bd575e39e87bb7c52bc4
SHA256 89a1f0ef5f061fc6fe52dcf1c6c554dca966cfcb694521adb1b20684f4a86dbc
SHA512 5aed9f40d0e354b2de5ecc4a49482e03e557d0c57916e5986670e2e09eeeb958c187ed1ecec49cddeeccde26e15fa00f6fe97328cb1c53b936fe58afc5efd4e0

memory/4200-74-0x00007FF74CF80000-0x00007FF74D2D4000-memory.dmp

C:\Windows\System\RwWxSCY.exe

MD5 d2a78c469896e87bf88da70e3110b00a
SHA1 b2bf162072db2ba907ee51eba61fd464f4c825e3
SHA256 955e6049a8c03b46de75b6c548105a9b71f0cf13c8460001f6747bd0f2a00717
SHA512 974be2147ac44f51104cb63d67680e256f6a8c70a18547ced1f81350541f084ef8e2b136597d7c4ba75d66464b52393602f16889bd8199f13566515c64e1eeab

memory/844-90-0x00007FF711950000-0x00007FF711CA4000-memory.dmp

memory/4492-98-0x00007FF6AAF70000-0x00007FF6AB2C4000-memory.dmp

memory/1992-104-0x00007FF63D1D0000-0x00007FF63D524000-memory.dmp

C:\Windows\System\fAwyONf.exe

MD5 cf96019e3c4accf5b6cc674f9ec42dc1
SHA1 7e4b26a09a2f06f201ad66a13973ca079f91fe6a
SHA256 268dd38dce2edc07195c55e5412dc9e81d62d6f81c437e2982716d821de3e2f6
SHA512 fa19ce7c37f83371c21808ffe2a316972827feb89e9aae235228037725c00901b2366afc08ed0ef44aabab9314424d519ee7beee60814b7cc5c1b787d4b2b096

C:\Windows\System\EdzKrYG.exe

MD5 a5b1a658e43898f99dc14913b5abcf9d
SHA1 36579586e6031c28913ca13b7af965250c580752
SHA256 920d9a3465d9c010f9ce8dff1937d9ada90f638951698506a697d1c2e46759f2
SHA512 967c63cfa8544f9a846b0e5c1bc110bb88426b14e031950ef000789d938a21c75db4e428c8556b61c77e8b529123a340ce0e98f629b3aef530f9e33ec9e64005

C:\Windows\System\MtzZHfq.exe

MD5 765833ce28ddef700bf1471746a94163
SHA1 11156c8142e957179fad1e2d95584abd979f4b01
SHA256 a4e129885279ef002cc0a6bb2dcc86125ffbd0c77a99298abe26f8e0db5cb990
SHA512 2217d8874dfd1f056ff5d7e611e3a24fe319e610a71f52edc5bee7140610b5b3510da28b14336699a8332402eae7cf1ad72e9d1ebcf99aa3575b8314ff99395d

memory/1372-108-0x00007FF6E2E00000-0x00007FF6E3154000-memory.dmp

C:\Windows\System\aJEHkqC.exe

MD5 ffc6d839d7e494b65cb104eff8261511
SHA1 cae16fde3ad471602b98b56a328d308fe1a61bd4
SHA256 d5e94503c36b8cf14eca6179de847140e6535ae9696040070fe30266c78bbbf9
SHA512 c055a4a71d3d4f13893ee9daacdcde3d5d2473f4a75fa3d4583de62d164d417d83f92e4abed1840b5c08a7f1cab42986d0cf4f335db0126b3f31d8a207878eca

memory/3324-99-0x00007FF766F00000-0x00007FF767254000-memory.dmp

memory/5048-96-0x00007FF753880000-0x00007FF753BD4000-memory.dmp

memory/4396-91-0x00007FF71B400000-0x00007FF71B754000-memory.dmp

C:\Windows\System\dWMVPkf.exe

MD5 a385b82efc66a43054a68f661376a234
SHA1 bd8d8f3b769c5046daf95f713669eb90ed04edc9
SHA256 ebcbf3ca4b508a072ca71e43e53d4d9f1d68fc1a9c612ce3ea14b97df8ef898f
SHA512 eb445c908858e4fbf4427d65e10cfc5b31432f846b0ba8f077a76b50e5ca0391401b44c2ae3569f04411dd806f3b6dc26e6b31b95207fc4a62ec3ab42f8a88ff

C:\Windows\System\xaKMAaC.exe

MD5 e4efaced4110340d0367351161b6cbf0
SHA1 496308c0b91b60bee2845663cd6b98054eff0576
SHA256 73ac3621a400e63c8f128e30509c26b2adfe57fa9e6bc09f1ecb801d9f135b9a
SHA512 5703ca8b0e0c7a1d168963c6a2a5468a88a239b624ad752c776a7cf0c6223bd89d1627b8cc1fa7a35b7c3fb09c7e81567c05a6b8f32b32649259b573d257286e

memory/2288-78-0x00007FF740180000-0x00007FF7404D4000-memory.dmp

memory/448-118-0x00007FF657760000-0x00007FF657AB4000-memory.dmp

memory/4900-119-0x00007FF6F74E0000-0x00007FF6F7834000-memory.dmp

memory/1560-122-0x00007FF7F16B0000-0x00007FF7F1A04000-memory.dmp

C:\Windows\System\CijbwWT.exe

MD5 e0d9ec6a4e0ab4cbbe7ccaeb89f9e577
SHA1 a28e690533b3368c47dffddbc6fa91645954e3ed
SHA256 dfc26f5185cf0626f416c6dfc1b458177dfbf54454d8d0e5d9a74dd2cbb379ac
SHA512 f9024b644b024781585af9327d1ba6184c86bff13dd5975c05e1877901a296a3fc2691481e90caedd637f19ba33b6c30dcc38e86387e15167150baf99423682a

C:\Windows\System\JgzFGTC.exe

MD5 cfafeab87280f715b0721bea97c83b6c
SHA1 8ae82e8cf995f9059bd29adb392934077b54128a
SHA256 0ab1442a207a5c60a55e4d4c5c499c900fff60b5e027ed9277a52e62f8d697ba
SHA512 038349cd29771683a74acb673e4fcaa6fb89ec1000f8fecda4c3f1e976f5d41b13465a080c04968d3c83fe666b07d202233cb71e16f12052378520f73b41c15b

memory/2744-130-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp

memory/1288-132-0x00007FF7522C0000-0x00007FF752614000-memory.dmp

memory/2128-131-0x00007FF7B0200000-0x00007FF7B0554000-memory.dmp

memory/4716-134-0x00007FF66AFA0000-0x00007FF66B2F4000-memory.dmp

memory/2280-133-0x00007FF73BA60000-0x00007FF73BDB4000-memory.dmp

memory/2312-135-0x00007FF78CD00000-0x00007FF78D054000-memory.dmp

memory/5028-136-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp

memory/4252-137-0x00007FF7E8D00000-0x00007FF7E9054000-memory.dmp

memory/4200-138-0x00007FF74CF80000-0x00007FF74D2D4000-memory.dmp

memory/2288-139-0x00007FF740180000-0x00007FF7404D4000-memory.dmp

memory/5048-140-0x00007FF753880000-0x00007FF753BD4000-memory.dmp

memory/1992-141-0x00007FF63D1D0000-0x00007FF63D524000-memory.dmp

memory/1372-142-0x00007FF6E2E00000-0x00007FF6E3154000-memory.dmp

memory/4492-143-0x00007FF6AAF70000-0x00007FF6AB2C4000-memory.dmp

memory/2628-144-0x00007FF70BB00000-0x00007FF70BE54000-memory.dmp

memory/3324-145-0x00007FF766F00000-0x00007FF767254000-memory.dmp

memory/448-146-0x00007FF657760000-0x00007FF657AB4000-memory.dmp

memory/2744-147-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp

memory/2280-148-0x00007FF73BA60000-0x00007FF73BDB4000-memory.dmp

memory/2152-149-0x00007FF640A30000-0x00007FF640D84000-memory.dmp

memory/4716-151-0x00007FF66AFA0000-0x00007FF66B2F4000-memory.dmp

memory/2312-150-0x00007FF78CD00000-0x00007FF78D054000-memory.dmp

memory/5028-152-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp

memory/4252-153-0x00007FF7E8D00000-0x00007FF7E9054000-memory.dmp

memory/4200-154-0x00007FF74CF80000-0x00007FF74D2D4000-memory.dmp

memory/2288-155-0x00007FF740180000-0x00007FF7404D4000-memory.dmp

memory/4396-156-0x00007FF71B400000-0x00007FF71B754000-memory.dmp

memory/5048-157-0x00007FF753880000-0x00007FF753BD4000-memory.dmp

memory/1992-159-0x00007FF63D1D0000-0x00007FF63D524000-memory.dmp

memory/1372-158-0x00007FF6E2E00000-0x00007FF6E3154000-memory.dmp

memory/4900-161-0x00007FF6F74E0000-0x00007FF6F7834000-memory.dmp

memory/1560-160-0x00007FF7F16B0000-0x00007FF7F1A04000-memory.dmp

memory/2128-162-0x00007FF7B0200000-0x00007FF7B0554000-memory.dmp

memory/1288-163-0x00007FF7522C0000-0x00007FF752614000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 12:11

Reported

2024-08-06 12:14

Platform

win7-20240704-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (57 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
(21 identical rows in the report, one per event; shown once here)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(57 identical rows in the report; the signature records no indicator, process or target, so they are shown once here)

UPX is a commodity compressor rather than an evasion-grade protector: an unmodified UPX layer unpacks with the stock upx -d tool, and the hashes in this report are of the packed files, not of what runs after the stub has unpacked them.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qHDLdHW.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\jEdwjIG.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\dWMVPkf.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\MtzZHfq.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\EdzKrYG.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\CijbwWT.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\JTJybSy.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\DspdAnL.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\xaKMAaC.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\HENcyQh.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\HHNGihY.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\RwWxSCY.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\fAwyONf.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\cQDwIFt.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\nYupmBU.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\MRjiNuO.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\AjgPayk.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\aJEHkqC.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\JgzFGTC.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\dOcyREd.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
File created C:\Windows\System\ZRsVyaD.exe C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A

All 21 files carry random seven-letter mixed-case names and land in C:\Windows\System\, a directory only an elevated process can write to, so the sample was running elevated in this detonation. The Files section below shows that no two of the 21 drops share a hash, so the useful hunting pivot is the drop location and the parent process, not the file hashes.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe N/A

SeLockMemoryPrivilege is the privilege Windows requires for large-page allocations (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it so that its RandomX scratchpad and dataset can be backed by huge pages, so next to the Xmrig family detection above this is corroborating evidence of the miner rather than generic privilege abuse.

Suspicious use of WriteProcessMemory

The report logs every WriteProcessMemory call as its own row; the 63 rows it produced are three writes from the parent (PID 2752) into each of the 21 dropped executables as they start, collapsed here to one row per child. A fixed three writes into a child the same process has just created is also what CreateProcess itself produces when it places the process parameters in the new process, so on its own this signature shows that the parent spawned the dropped files, not that it injected code into them. Consistent with that, the only regions dumped for the children in the Files section sit at 64-bit image-base addresses (0x13F...), with no foreign regions.

Description Indicator Process Target
PID 2752 wrote to memory of 2800 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\JTJybSy.exe
PID 2752 wrote to memory of 2832 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\DspdAnL.exe
PID 2752 wrote to memory of 2300 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\cQDwIFt.exe
PID 2752 wrote to memory of 2628 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\dOcyREd.exe
PID 2752 wrote to memory of 2616 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\ZRsVyaD.exe
PID 2752 wrote to memory of 2764 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\MRjiNuO.exe
PID 2752 wrote to memory of 2036 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\nYupmBU.exe
PID 2752 wrote to memory of 2636 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\HENcyQh.exe
PID 2752 wrote to memory of 1804 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\HHNGihY.exe
PID 2752 wrote to memory of 596 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\qHDLdHW.exe
PID 2752 wrote to memory of 2964 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\jEdwjIG.exe
PID 2752 wrote to memory of 2096 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\AjgPayk.exe
PID 2752 wrote to memory of 2520 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\xaKMAaC.exe
PID 2752 wrote to memory of 2516 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\dWMVPkf.exe
PID 2752 wrote to memory of 3008 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\RwWxSCY.exe
PID 2752 wrote to memory of 2912 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\aJEHkqC.exe
PID 2752 wrote to memory of 2956 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\fAwyONf.exe
PID 2752 wrote to memory of 2900 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\MtzZHfq.exe
PID 2752 wrote to memory of 3020 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\EdzKrYG.exe
PID 2752 wrote to memory of 2920 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\JgzFGTC.exe
PID 2752 wrote to memory of 2860 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe C:\Windows\System\CijbwWT.exe
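
The drop table and the WriteProcessMemory table above are easiest to read together. The Python below is an added example, not part of the sandbox's tooling: it parses rows in the report's raw one-row-per-write layout and joins the two tables to answer which dropped file each written-to PID was running, how many writes each child received, whether the writer itself dropped the child's image, and whether any drop was never seen running. The embedded rows are a subset copied from the tables above; the three rows for PID 596 (qHDLdHW.exe) are left out on purpose so that the "dropped but never seen running" check has something to report (in the full tables all 21 drops are executed).

```python
"""Join a sandbox report's 'Drops file in Windows directory' and 'Suspicious use
of WriteProcessMemory' tables into a parent/child picture.

Added example for this report, not sandbox tooling. Rows are embedded as a
subset copied from the report so the script runs offline; it assumes the
report's plain 'Description Indicator Process Target' row layout.
"""
import re
from collections import Counter

PARENT = r"C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe"

# Subset of the drop table. {P} stands in for the long parent path.
DROP_ROWS = r"""
File created C:\Windows\System\qHDLdHW.exe {P} N/A
File created C:\Windows\System\JTJybSy.exe {P} N/A
File created C:\Windows\System\DspdAnL.exe {P} N/A
File created C:\Windows\System\ZRsVyaD.exe {P} N/A
""".replace("{P}", PARENT)

# Subset of the WriteProcessMemory table, one row per write as the report logs it.
# The three rows for PID 596 (qHDLdHW.exe) are deliberately omitted.
WPM_ROWS = r"""
PID 2752 wrote to memory of 2800 N/A {P} C:\Windows\System\JTJybSy.exe
PID 2752 wrote to memory of 2800 N/A {P} C:\Windows\System\JTJybSy.exe
PID 2752 wrote to memory of 2800 N/A {P} C:\Windows\System\JTJybSy.exe
PID 2752 wrote to memory of 2832 N/A {P} C:\Windows\System\DspdAnL.exe
PID 2752 wrote to memory of 2832 N/A {P} C:\Windows\System\DspdAnL.exe
PID 2752 wrote to memory of 2832 N/A {P} C:\Windows\System\DspdAnL.exe
PID 2752 wrote to memory of 2616 N/A {P} C:\Windows\System\ZRsVyaD.exe
PID 2752 wrote to memory of 2616 N/A {P} C:\Windows\System\ZRsVyaD.exe
PID 2752 wrote to memory of 2616 N/A {P} C:\Windows\System\ZRsVyaD.exe
""".replace("{P}", PARENT)

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_drops(text):
    """Map each created file to its creator (lower-cased: NTFS is case-insensitive)."""
    drops = {}
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops[m.group(1).lower()] = m.group(2).lower()
    return drops


def parse_wpm(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per logged write."""
    events = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)),
                           m.group(3).lower(), m.group(4).lower()))
    return events


def correlate(drops, events):
    """Join the tables: per written-to PID, its image, writer, write count and whether
    the writer itself dropped that image; plus which drops never showed up running."""
    writes = Counter((src, dst) for src, dst, _, _ in events)
    image_of = {pid: img for _, pid, _, img in events}          # children
    image_of.update({pid: img for pid, _, img, _ in events})    # writers
    children = {}
    for (src, dst), n in writes.items():
        img = image_of[dst]
        children[dst] = {
            "parent_pid": src,
            "image": img,
            "write_count": n,
            "dropped_by_parent": drops.get(img) == image_of[src],
        }
    executed = {c["image"] for c in children.values() if c["image"] in drops}
    return {
        "children": children,
        "executed_drops": sorted(executed),
        "unexecuted_drops": sorted(set(drops) - executed),
    }


def findings(result):
    """The observations an analyst would write down from the join."""
    kids = result["children"]
    out = []
    parents = {c["parent_pid"] for c in kids.values()}
    if len(parents) == 1 and len(kids) > 1:
        out.append(f"single parent PID {parents.pop()} fanned out to {len(kids)} children")
    counts = {c["write_count"] for c in kids.values()}
    if len(counts) == 1:
        # The same small number of writes into every child, each right after it is
        # created, is what CreateProcess itself produces when it places the process
        # parameters in the new process; uniform counts point to plain execution of
        # the drops rather than code injection.
        out.append(f"every child received exactly {counts.pop()} writes (CreateProcess-like pattern)")
    if kids and all(c["dropped_by_parent"] for c in kids.values()):
        out.append("every child image was dropped by its own parent (drop-then-execute)")
    if result["unexecuted_drops"]:
        out.append(f"{len(result['unexecuted_drops'])} dropped file(s) never seen running")
    return out


if __name__ == "__main__":
    result = correlate(parse_drops(DROP_ROWS), parse_wpm(WPM_ROWS))
    for line in findings(result):
        print(line)
```

Paths are compared lower-cased because NTFS is case-insensitive and the report itself mixes C:\Windows\System and C:\Windows\system for the same directory. Pasting the full tables into DROP_ROWS and WPM_ROWS gives 21 children, three writes each, all dropped by PID 2752 and none unexecuted.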

Processes

C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe

"C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe"

C:\Windows\System\JTJybSy.exe

C:\Windows\System\JTJybSy.exe

C:\Windows\System\DspdAnL.exe

C:\Windows\System\DspdAnL.exe

C:\Windows\System\cQDwIFt.exe

C:\Windows\System\cQDwIFt.exe

C:\Windows\System\dOcyREd.exe

C:\Windows\System\dOcyREd.exe

C:\Windows\System\ZRsVyaD.exe

C:\Windows\System\ZRsVyaD.exe

C:\Windows\System\MRjiNuO.exe

C:\Windows\System\MRjiNuO.exe

C:\Windows\System\nYupmBU.exe

C:\Windows\System\nYupmBU.exe

C:\Windows\System\HENcyQh.exe

C:\Windows\System\HENcyQh.exe

C:\Windows\System\HHNGihY.exe

C:\Windows\System\HHNGihY.exe

C:\Windows\System\qHDLdHW.exe

C:\Windows\System\qHDLdHW.exe

C:\Windows\System\jEdwjIG.exe

C:\Windows\System\jEdwjIG.exe

C:\Windows\System\AjgPayk.exe

C:\Windows\System\AjgPayk.exe

C:\Windows\System\xaKMAaC.exe

C:\Windows\System\xaKMAaC.exe

C:\Windows\System\dWMVPkf.exe

C:\Windows\System\dWMVPkf.exe

C:\Windows\System\RwWxSCY.exe

C:\Windows\System\RwWxSCY.exe

C:\Windows\System\aJEHkqC.exe

C:\Windows\System\aJEHkqC.exe

C:\Windows\System\fAwyONf.exe

C:\Windows\System\fAwyONf.exe

C:\Windows\System\MtzZHfq.exe

C:\Windows\System\MtzZHfq.exe

C:\Windows\System\EdzKrYG.exe

C:\Windows\System\EdzKrYG.exe

C:\Windows\System\JgzFGTC.exe

C:\Windows\System\JgzFGTC.exe

C:\Windows\System\CijbwWT.exe

C:\Windows\System\CijbwWT.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp

Six identical TCP connections to 3.120.209.58:8080 were recorded, with the Domain column empty for all of them, so the sample connected to the IP address directly and no DNS lookup was recorded. The report carries no protocol-level detail for the session, so whether this endpoint is the Cobalt Strike listener or the miner's pool cannot be determined from this page.

Files

memory/2752-0-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/2752-1-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/2800-19-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\HENcyQh.exe

MD5 943d86ee0ab759c048f587f0c822d8b2
SHA1 cfc4433947da04ed30be6167e92b985fa2cfb1a3
SHA256 5a2369ba6d56cefc173c65b9f88398fc98c75c86bfc5663b9ef6a0018a1fa7fc
SHA512 ab0426d1ef89ee9bc14dc4aadf5951471644e26f509bf61ccf5e3a748ac7fa34eddd6e1ff08288e3b1bc295b872aa8fc905ebd33c4a6250ebb7d06c86f4d32fd

\Windows\system\cQDwIFt.exe

MD5 0a81f512365b627bc560124929f8f76a
SHA1 68a8552a6b2c030daee8586ad8405a29e775d1ab
SHA256 38f49b97ba6abfea2fc60741930c88eb6eb8916a413ac97112696dc970e8b034
SHA512 28a6c57c26da09229a90ac96a8920ee1b1a3031acbb84815c1a094e4fee9580790432bff1fb3f832790c795f87c0d7a447ebb5a338869363fe68ec7a2efbf5d2

C:\Windows\system\qHDLdHW.exe

MD5 06e81f2688bc720d0965c095b9efeea3
SHA1 e73559a84e363a03736c32fa59b08460efbcf497
SHA256 58fa74ae5eb01857deb0d73df54988c99327e92816c92ff6a66d662a2ff98f94
SHA512 93abccc093abb2bd58588f0757f78df78cd3aca388aecfadd4d0b612414b3fb278cd135d667e31182b88c3c6aab368eaebe1bd990263ce08a70dce6b332e13f7

memory/2752-58-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2300-60-0x000000013F6F0000-0x000000013FA44000-memory.dmp

\Windows\system\jEdwjIG.exe

MD5 26c047cc3a99fbe133c2e81c6591782c
SHA1 e033b1d9ce64eaf3b0c8adcb050e6dc3f5476f3f
SHA256 ab462bdc867317d8ead6820e7f03aa6eebae0f2f0f07b142f664af96ffc513af
SHA512 88d8f067ef41c720372061c56f73e2b1270554625cda798cb1f27f0abe1593780399b50891ec3c7ed2853db9d1687765aeff67435d5b1c1016be41d58ba87dda

C:\Windows\system\xaKMAaC.exe

MD5 e4efaced4110340d0367351161b6cbf0
SHA1 496308c0b91b60bee2845663cd6b98054eff0576
SHA256 73ac3621a400e63c8f128e30509c26b2adfe57fa9e6bc09f1ecb801d9f135b9a
SHA512 5703ca8b0e0c7a1d168963c6a2a5468a88a239b624ad752c776a7cf0c6223bd89d1627b8cc1fa7a35b7c3fb09c7e81567c05a6b8f32b32649259b573d257286e

C:\Windows\system\dWMVPkf.exe

MD5 a385b82efc66a43054a68f661376a234
SHA1 bd8d8f3b769c5046daf95f713669eb90ed04edc9
SHA256 ebcbf3ca4b508a072ca71e43e53d4d9f1d68fc1a9c612ce3ea14b97df8ef898f
SHA512 eb445c908858e4fbf4427d65e10cfc5b31432f846b0ba8f077a76b50e5ca0391401b44c2ae3569f04411dd806f3b6dc26e6b31b95207fc4a62ec3ab42f8a88ff

C:\Windows\system\JgzFGTC.exe

MD5 cfafeab87280f715b0721bea97c83b6c
SHA1 8ae82e8cf995f9059bd29adb392934077b54128a
SHA256 0ab1442a207a5c60a55e4d4c5c499c900fff60b5e027ed9277a52e62f8d697ba
SHA512 038349cd29771683a74acb673e4fcaa6fb89ec1000f8fecda4c3f1e976f5d41b13465a080c04968d3c83fe666b07d202233cb71e16f12052378520f73b41c15b

\Windows\system\CijbwWT.exe

MD5 e0d9ec6a4e0ab4cbbe7ccaeb89f9e577
SHA1 a28e690533b3368c47dffddbc6fa91645954e3ed
SHA256 dfc26f5185cf0626f416c6dfc1b458177dfbf54454d8d0e5d9a74dd2cbb379ac
SHA512 f9024b644b024781585af9327d1ba6184c86bff13dd5975c05e1877901a296a3fc2691481e90caedd637f19ba33b6c30dcc38e86387e15167150baf99423682a

C:\Windows\system\EdzKrYG.exe

MD5 a5b1a658e43898f99dc14913b5abcf9d
SHA1 36579586e6031c28913ca13b7af965250c580752
SHA256 920d9a3465d9c010f9ce8dff1937d9ada90f638951698506a697d1c2e46759f2
SHA512 967c63cfa8544f9a846b0e5c1bc110bb88426b14e031950ef000789d938a21c75db4e428c8556b61c77e8b529123a340ce0e98f629b3aef530f9e33ec9e64005

C:\Windows\system\MtzZHfq.exe

MD5 765833ce28ddef700bf1471746a94163
SHA1 11156c8142e957179fad1e2d95584abd979f4b01
SHA256 a4e129885279ef002cc0a6bb2dcc86125ffbd0c77a99298abe26f8e0db5cb990
SHA512 2217d8874dfd1f056ff5d7e611e3a24fe319e610a71f52edc5bee7140610b5b3510da28b14336699a8332402eae7cf1ad72e9d1ebcf99aa3575b8314ff99395d

C:\Windows\system\fAwyONf.exe

MD5 cf96019e3c4accf5b6cc674f9ec42dc1
SHA1 7e4b26a09a2f06f201ad66a13973ca079f91fe6a
SHA256 268dd38dce2edc07195c55e5412dc9e81d62d6f81c437e2982716d821de3e2f6
SHA512 fa19ce7c37f83371c21808ffe2a316972827feb89e9aae235228037725c00901b2366afc08ed0ef44aabab9314424d519ee7beee60814b7cc5c1b787d4b2b096

C:\Windows\system\aJEHkqC.exe

MD5 ffc6d839d7e494b65cb104eff8261511
SHA1 cae16fde3ad471602b98b56a328d308fe1a61bd4
SHA256 d5e94503c36b8cf14eca6179de847140e6535ae9696040070fe30266c78bbbf9
SHA512 c055a4a71d3d4f13893ee9daacdcde3d5d2473f4a75fa3d4583de62d164d417d83f92e4abed1840b5c08a7f1cab42986d0cf4f335db0126b3f31d8a207878eca

memory/2752-93-0x0000000002360000-0x00000000026B4000-memory.dmp

C:\Windows\system\RwWxSCY.exe

MD5 d2a78c469896e87bf88da70e3110b00a
SHA1 b2bf162072db2ba907ee51eba61fd464f4c825e3
SHA256 955e6049a8c03b46de75b6c548105a9b71f0cf13c8460001f6747bd0f2a00717
SHA512 974be2147ac44f51104cb63d67680e256f6a8c70a18547ced1f81350541f084ef8e2b136597d7c4ba75d66464b52393602f16889bd8199f13566515c64e1eeab

memory/2752-117-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/2752-118-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2752-88-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2520-83-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2096-77-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2752-76-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2964-72-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/1804-71-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2036-70-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2752-69-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2616-68-0x000000013F680000-0x000000013F9D4000-memory.dmp

C:\Windows\system\HHNGihY.exe

MD5 c8db09df69a75de47851874fa29057eb
SHA1 47fa0a35761c190c0c87cea003bbfd026040877b
SHA256 ab22992f77e1e99081dc0f5da68c1167ec625668c84f75f13d7ca62585183b38
SHA512 60367a3e43747499663649caf53bab93900ee2f5890b58d1f6805caaf98f38b5a034e2e6fdd778adf4d67cd7e7f892db9d8f4ff3f7b29454a2f8fdc52040edca

C:\Windows\system\nYupmBU.exe

MD5 609facbaaca3cd8563e5692251f9fc65
SHA1 35b25c7cda22e1aa1d994e06d496a93395f7d529
SHA256 1191f19b7ab9a8a779ccbc7220929591e8fadf8bab792f8960f18250d0a03cab
SHA512 becf1f6b412c15486cc2c5361c4183cf21ad8679f198b93dd842ae18f11ef96eb27ad82d473c82853f7140e67e2bcf493a942b1dbeddf0956f149e528684e236

C:\Windows\system\AjgPayk.exe

MD5 126f64a013f6cd2985b7ca6fba388bf9
SHA1 e1e2a0a0dd16f3be7979bd575e39e87bb7c52bc4
SHA256 89a1f0ef5f061fc6fe52dcf1c6c554dca966cfcb694521adb1b20684f4a86dbc
SHA512 5aed9f40d0e354b2de5ecc4a49482e03e557d0c57916e5986670e2e09eeeb958c187ed1ecec49cddeeccde26e15fa00f6fe97328cb1c53b936fe58afc5efd4e0

memory/2764-47-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2752-30-0x0000000002360000-0x00000000026B4000-memory.dmp

C:\Windows\system\dOcyREd.exe

MD5 ef8e2ca7f9d986151af330b7289665a0
SHA1 fa983502689d74a55583c3bf8142dda25259dfff
SHA256 56ed4de85831a024b611d3ebf27ee75343f903dc026521eb8021230d2b7b5e0a
SHA512 b9b42ef825deb6c6a013f951813de516fa23d11664d6ac131e97382e91d2471e4cacf3254e837af7e4f6a56585255115563c676d0706e52ba4c32b1a8c6ac930

memory/2752-21-0x000000013F6F0000-0x000000013FA44000-memory.dmp

\Windows\system\ZRsVyaD.exe

MD5 a0a66df9eed8396cfa7869532a812c67
SHA1 66829482d2e7651dae20c12b77138cb256a460c0
SHA256 29fe6d2b548b779c450895bc25bae4251f7eb46a4316ec33fe4941d4f172a200
SHA512 40c4737cd297ca5da4096ebdfad088f075c37f88c7c721b002e75da34be2563d9bad5c4249d65d85fcf2b286e61ed2d94a8f2337475e2c0c7b1ac3b651f4d23f

memory/596-59-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2752-55-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2636-50-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2752-44-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2628-41-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2752-40-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2832-39-0x000000013FAF0000-0x000000013FE44000-memory.dmp

C:\Windows\system\MRjiNuO.exe

MD5 d5d52392f6bc3c2367ff5eaab72b7eef
SHA1 66a12dc80f286c28ba54c688e1572645b9370afe
SHA256 cc0bf06ebbeb90eba2af65d7c23e193e6b4e1bc121095848ff1876fee468ae40
SHA512 0f55cb952bd147396eb3c3c71d4263ed316222605061421bc2c27f1da6feadaa53948bd381c3f9afa269f37961d0d827f1acb837295b4d59bf00694b46f4d9bb

C:\Windows\system\DspdAnL.exe

MD5 0f07ae94d8b5d2407f1530ea7622eaa5
SHA1 fa978c1c5446de2d6f0cf8cf11ef1c4533e7c5ab
SHA256 7d660e758d850eb2ef24c8c6ab9dabac52497fbf6d6f584917e11f818d21091b
SHA512 3e4bd2f336583f7127f15b89507aab379363f0e755b827fc70e0d4715e47521b8dbdd750f376513218bb7b81bfbd74ebac0224599555e035f3f9f2cf5376f205

memory/2752-10-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\JTJybSy.exe

MD5 29996ecc6a7db31f2a94af2efdaf919c
SHA1 a6dadd3072d37279f47d46740162a296a7a92dca
SHA256 fff115db35dbed574aef8a1ec263bf653afd3c10fe7036f88872622c6e748a78
SHA512 b8645dab9798f0f6517535e1a4460f52489698b000a13b8fff65614fe415c2a13fee3bf49fcfa0e7f6c8c0e053ff10a50b69196d709fe41a6d4a4ae25b25e79b

memory/2752-133-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/1804-136-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2964-137-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2036-135-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2616-134-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2096-138-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2520-139-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2516-140-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2800-141-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2832-142-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2628-143-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2636-145-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2764-144-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2300-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/596-146-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2516-148-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2096-149-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2616-150-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2036-151-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2520-154-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2964-153-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/1804-152-0x000000013F090000-0x000000013F3E4000-memory.dmp
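
The Files section above lists memory dumps and dropped files interleaved in event order. The Python below is an added example rather than sandbox tooling: it parses that layout and reports two things an analyst wants from it, the distribution of dumped-region sizes per PID and whether any two dropped files share a digest. EXCERPT is a subset copied from the entries above (SHA1 and SHA512 lines omitted for brevity); the entries whose path lacks a drive letter are assumed to be on C:\, as the drop table shows them. Run over the complete section, the same code puts every dumped region except the parent's small 0x10000-byte one at exactly 0x354000 bytes, while none of the 21 dropped files shares an MD5 or SHA256 with another: one payload, re-written with a different hash for each drop.

```python
"""Pull the memory-dump regions and dropped-file hashes out of the Files section.

Added example for this report, not sandbox tooling. EXCERPT is a subset of the
entries above, embedded so the script runs offline (SHA1/SHA512 lines dropped
for brevity); the entry layout, 'memory/PID-SEQ-START-END-memory.dmp' and a
path followed by one 'ALGO hex' line per digest, is the report's own.
"""
import re
from collections import defaultdict

EXCERPT = r"""
memory/2752-0-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/2752-1-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/2800-19-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\HENcyQh.exe

MD5 943d86ee0ab759c048f587f0c822d8b2
SHA256 5a2369ba6d56cefc173c65b9f88398fc98c75c86bfc5663b9ef6a0018a1fa7fc

\Windows\system\cQDwIFt.exe

MD5 0a81f512365b627bc560124929f8f76a
SHA256 38f49b97ba6abfea2fc60741930c88eb6eb8916a413ac97112696dc970e8b034

memory/2752-58-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2300-60-0x000000013F6F0000-0x000000013FA44000-memory.dmp

C:\Windows\system\qHDLdHW.exe

MD5 06e81f2688bc720d0965c095b9efeea3
SHA256 58fa74ae5eb01857deb0d73df54988c99327e92816c92ff6a66d662a2ff98f94

memory/2764-47-0x000000013FDA0000-0x00000001400F4000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files_section(text):
    """Return (regions, files): region dicts with pid/seq/start/size, and
    {normalised path: {algo: digest}} for the dropped files."""
    regions, files, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                            "start": start, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                files[current][m.group(1)] = m.group(2)
            continue
        # Anything else opens a new file entry. The report sometimes omits the
        # drive letter; the drop table lists the same files under C:\ (assumed here).
        current = line.lower()
        if current.startswith("\\"):
            current = "c:" + current
        files[current] = {}
    return regions, files


def region_size_profile(regions):
    """{size: sorted PIDs that have a region of that size}. Many processes sharing
    one exact region size is the footprint of one payload cloned into each of them."""
    by_size = defaultdict(set)
    for r in regions:
        by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items()}


def hash_overlap(files):
    """{algo: {digest: [paths]}} for digests shared by two or more files.
    Empty means every drop is a distinct byte sequence, so blocking the drops by
    hash would not catch the next one."""
    shared = {}
    for algo in ("MD5", "SHA1", "SHA256", "SHA512"):
        seen = defaultdict(list)
        for path, digests in files.items():
            if algo in digests:
                seen[digests[algo]].append(path)
        dup = {d: sorted(p) for d, p in seen.items() if len(p) > 1}
        if dup:
            shared[algo] = dup
    return shared


if __name__ == "__main__":
    regions, files = parse_files_section(EXCERPT)
    for size, pids in sorted(region_size_profile(regions).items()):
        print(f"0x{size:X} bytes in PIDs {pids}")
    print("shared hashes:", hash_overlap(files) or "none")
```

The region size is what makes the memory entries useful even without the dump contents: a region of 0x354000 bytes appearing at an image-base address in every child and again inside the parent's own address space is the same image being carried and re-emitted, which is also why per-file hashes differ while the in-memory footprint does not.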