Malware Analysis Report

2025-03-15 08:06

Sample ID 240813-gyn7nsshpj
Target 7921fefb99b3d5e667e5718e684b4c10N.exe
SHA256 6a58ba2ed9733230e539e9b630bf02e9090ed1eb6a7d1f0dbed90681b89b0fae
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 7921fefb99b3d5e667e5718e684b4c10N.exe was found to be: Known bad.

Malicious Activity Summary

XMRig Miner payload

xmrig

Cobaltstrike

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 06:12

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 06:12

Reported

2024-08-13 06:15

Platform

win7-20240708-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A (21 identical entries)

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cBZURLj.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\LCrMfNh.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\teGsXNX.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\aFbXQxM.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\mZLnWfd.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\arXPlVP.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\IBNYIHH.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\jfUQQWy.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\HESHeCF.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\rroZmgH.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\stYeRar.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\mhiKXfp.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\hHqlYYD.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\qBmrsCr.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\xnqhNHY.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\FLcOkDm.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\rBTxpGO.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\wEWfEMs.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\yqwBTLJ.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\JDximkL.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\qwhXxIV.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (each entry recorded 3 times)
PID 2556 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\aFbXQxM.exe
PID 2556 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\xnqhNHY.exe
PID 2556 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\FLcOkDm.exe
PID 2556 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\mZLnWfd.exe
PID 2556 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\rBTxpGO.exe
PID 2556 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\arXPlVP.exe
PID 2556 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\cBZURLj.exe
PID 2556 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\LCrMfNh.exe
PID 2556 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\rroZmgH.exe
PID 2556 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\wEWfEMs.exe
PID 2556 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\stYeRar.exe
PID 2556 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\IBNYIHH.exe
PID 2556 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\yqwBTLJ.exe
PID 2556 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\JDximkL.exe
PID 2556 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\jfUQQWy.exe
PID 2556 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\teGsXNX.exe
PID 2556 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\qwhXxIV.exe
PID 2556 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\HESHeCF.exe
PID 2556 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\mhiKXfp.exe
PID 2556 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\hHqlYYD.exe
PID 2556 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\qBmrsCr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe

"C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe"

C:\Windows\System\aFbXQxM.exe

C:\Windows\System\aFbXQxM.exe

C:\Windows\System\xnqhNHY.exe

C:\Windows\System\xnqhNHY.exe

C:\Windows\System\FLcOkDm.exe

C:\Windows\System\FLcOkDm.exe

C:\Windows\System\mZLnWfd.exe

C:\Windows\System\mZLnWfd.exe

C:\Windows\System\rBTxpGO.exe

C:\Windows\System\rBTxpGO.exe

C:\Windows\System\arXPlVP.exe

C:\Windows\System\arXPlVP.exe

C:\Windows\System\cBZURLj.exe

C:\Windows\System\cBZURLj.exe

C:\Windows\System\LCrMfNh.exe

C:\Windows\System\LCrMfNh.exe

C:\Windows\System\rroZmgH.exe

C:\Windows\System\rroZmgH.exe

C:\Windows\System\wEWfEMs.exe

C:\Windows\System\wEWfEMs.exe

C:\Windows\System\stYeRar.exe

C:\Windows\System\stYeRar.exe

C:\Windows\System\IBNYIHH.exe

C:\Windows\System\IBNYIHH.exe

C:\Windows\System\yqwBTLJ.exe

C:\Windows\System\yqwBTLJ.exe

C:\Windows\System\JDximkL.exe

C:\Windows\System\JDximkL.exe

C:\Windows\System\jfUQQWy.exe

C:\Windows\System\jfUQQWy.exe

C:\Windows\System\teGsXNX.exe

C:\Windows\System\teGsXNX.exe

C:\Windows\System\qwhXxIV.exe

C:\Windows\System\qwhXxIV.exe

C:\Windows\System\HESHeCF.exe

C:\Windows\System\HESHeCF.exe

C:\Windows\System\mhiKXfp.exe

C:\Windows\System\mhiKXfp.exe

C:\Windows\System\hHqlYYD.exe

C:\Windows\System\hHqlYYD.exe

C:\Windows\System\qBmrsCr.exe

C:\Windows\System\qBmrsCr.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (5 connections)

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 06:12

Reported

2024-08-13 06:15

Platform

win10v2004-20240802-en

Max time kernel

112s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OVQryvw.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\NoudIQg.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\PnmYKYt.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\wOThBqt.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\kZkUzIh.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\ItEFcPh.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\MkGsJRE.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\LijAtXU.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\gaXqBqx.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\mhSQMrA.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\XLNnfND.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\nSgyVkn.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\vMYDyYL.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\LHkYHWh.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\ZkqLPrK.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\QoijMRg.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\mMdhRaC.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\xZOEhhg.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\cNxEWVy.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\Xxtxxyf.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
File created C:\Windows\System\CxUPuAZ.exe C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4512 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\gaXqBqx.exe
PID 4512 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\gaXqBqx.exe
PID 4512 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\mMdhRaC.exe
PID 4512 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\mMdhRaC.exe
PID 4512 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\PnmYKYt.exe
PID 4512 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\PnmYKYt.exe
PID 4512 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\mhSQMrA.exe
PID 4512 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\mhSQMrA.exe
PID 4512 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\XLNnfND.exe
PID 4512 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\XLNnfND.exe
PID 4512 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\nSgyVkn.exe
PID 4512 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\nSgyVkn.exe
PID 4512 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\wOThBqt.exe
PID 4512 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\wOThBqt.exe
PID 4512 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\xZOEhhg.exe
PID 4512 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\xZOEhhg.exe
PID 4512 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\vMYDyYL.exe
PID 4512 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\vMYDyYL.exe
PID 4512 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\cNxEWVy.exe
PID 4512 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\cNxEWVy.exe
PID 4512 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\kZkUzIh.exe
PID 4512 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\kZkUzIh.exe
PID 4512 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\ItEFcPh.exe
PID 4512 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\ItEFcPh.exe
PID 4512 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\LHkYHWh.exe
PID 4512 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\LHkYHWh.exe
PID 4512 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\OVQryvw.exe
PID 4512 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\OVQryvw.exe
PID 4512 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\ZkqLPrK.exe
PID 4512 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\ZkqLPrK.exe
PID 4512 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\LijAtXU.exe
PID 4512 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\LijAtXU.exe
PID 4512 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\Xxtxxyf.exe
PID 4512 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\Xxtxxyf.exe
PID 4512 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\CxUPuAZ.exe
PID 4512 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\CxUPuAZ.exe
PID 4512 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\QoijMRg.exe
PID 4512 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\QoijMRg.exe
PID 4512 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\MkGsJRE.exe
PID 4512 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\MkGsJRE.exe
PID 4512 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\NoudIQg.exe
PID 4512 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe C:\Windows\System\NoudIQg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe

"C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe"

C:\Windows\System\gaXqBqx.exe

C:\Windows\System\gaXqBqx.exe

C:\Windows\System\mMdhRaC.exe

C:\Windows\System\mMdhRaC.exe

C:\Windows\System\PnmYKYt.exe

C:\Windows\System\PnmYKYt.exe

C:\Windows\System\mhSQMrA.exe

C:\Windows\System\mhSQMrA.exe

C:\Windows\System\XLNnfND.exe

C:\Windows\System\XLNnfND.exe

C:\Windows\System\nSgyVkn.exe

C:\Windows\System\nSgyVkn.exe

C:\Windows\System\wOThBqt.exe

C:\Windows\System\wOThBqt.exe

C:\Windows\System\xZOEhhg.exe

C:\Windows\System\xZOEhhg.exe

C:\Windows\System\vMYDyYL.exe

C:\Windows\System\vMYDyYL.exe

C:\Windows\System\cNxEWVy.exe

C:\Windows\System\cNxEWVy.exe

C:\Windows\System\kZkUzIh.exe

C:\Windows\System\kZkUzIh.exe

C:\Windows\System\ItEFcPh.exe

C:\Windows\System\ItEFcPh.exe

C:\Windows\System\LHkYHWh.exe

C:\Windows\System\LHkYHWh.exe

C:\Windows\System\OVQryvw.exe

C:\Windows\System\OVQryvw.exe

C:\Windows\System\ZkqLPrK.exe

C:\Windows\System\ZkqLPrK.exe

C:\Windows\System\LijAtXU.exe

C:\Windows\System\LijAtXU.exe

C:\Windows\System\Xxtxxyf.exe

C:\Windows\System\Xxtxxyf.exe

C:\Windows\System\CxUPuAZ.exe

C:\Windows\System\CxUPuAZ.exe

C:\Windows\System\QoijMRg.exe

C:\Windows\System\QoijMRg.exe

C:\Windows\System\MkGsJRE.exe

C:\Windows\System\MkGsJRE.exe

C:\Windows\System\NoudIQg.exe

C:\Windows\System\NoudIQg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

memory/4512-0-0x00007FF697C60000-0x00007FF697FB1000-memory.dmp

memory/4512-1-0x000001C74C7D0000-0x000001C74C7E0000-memory.dmp

C:\Windows\System\gaXqBqx.exe

MD5 7675fc4d458d8464dafbb07c2edd6a08
SHA1 08335787f0ff33ffc2731620b0031ee3d55373de
SHA256 4a5decff52d8daa9e5432be6243c7747e5033332a21bfa64c72ebd66c3e4585f
SHA512 30a50c45b4d1cd257d6f8964dd45d0c915a0f08893003078702aaf2bdb0cfee287a1be6519f3dbd979c01fb7ef82d4a00bcbe805250c8fe91fd8062e1d341cd2

C:\Windows\System\PnmYKYt.exe

MD5 55c3f86c061357d2497e1947eb15250f
SHA1 d17a12f67bea909183d1cad6cb042d8b50191e8c
SHA256 68aa6cd64ebcaaed37f12d8746f934e6c568e98e0b9afbcd351eec955c44f5fa
SHA512 c9ba3ca799aa03d27720913ccf8fa1141e02c75f5477d2374093b8ea38cdd4f40056f0f72fdf4a581ccbb5ca580de9adb01ecf2d341ca7f98a340e490a053afa

C:\Windows\System\mhSQMrA.exe

MD5 0469570f748a8eaad8754a22d9c8a7d0
SHA1 1eb43e63e6532acf144bb0267337b68f3db18d64
SHA256 afb5cdb24601c0b176316feca0fad3f916ca251534e4bb470bf664d69dabe539
SHA512 ffb30a4034787885b04fbf7cfa78cb001c27f9a81d2c8e7f36138cf8e365fda6e0b532c0312b4c624bce4ba9d96525d29ac672e5e9b3c866cbb0663c5cc139de

C:\Windows\System\XLNnfND.exe

MD5 0aba0e28ccf5ed5714b4ee280b62bb1d
SHA1 9ecb8e6c46f1d43aa40b6c7be71d384392add8b6
SHA256 9ae1b07a214daf44a164e1aa84b992e9bc0c7fba5db589ea3b165269d8573242
SHA512 5445817056ddbc719eb58f11ab958088b108efdfb37dced8628c3def252f43bde1dfed0cce79112a761ccc8c30f13035b5505654ccca88419699c748498fc390

memory/1104-30-0x00007FF702A10000-0x00007FF702D61000-memory.dmp

memory/1540-27-0x00007FF6BA9E0000-0x00007FF6BAD31000-memory.dmp

memory/1212-25-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp

memory/3040-15-0x00007FF7E1D80000-0x00007FF7E20D1000-memory.dmp

C:\Windows\System\mMdhRaC.exe

MD5 8784d1e95deea603651494a25542b409
SHA1 9c4ddeb96f0c5df4b1e6c4a7f3ee62c5c0f4d651
SHA256 13664e8f40a17586538e71fda415eaf39ba92bd4281da2320977e52119b45640
SHA512 f7fd1dd6a561432328725e598f29ad291c360ae58930bde76474e4f0aa54cb37c58ec30789b1cafefa468b92d88822e76d5274b41d56c071d2d7b8de92186914

memory/4968-8-0x00007FF6CFF30000-0x00007FF6D0281000-memory.dmp

C:\Windows\System\wOThBqt.exe

MD5 a9810692530df4a8d2e95ae8d60172cc
SHA1 bbd77e0ae95742251ec29480260718675a326398
SHA256 f251b88caefd05fee87683ae2945406c1d0daf8bec8d3cc4926513c82f2caa61
SHA512 1fc689da8fed86fb23bb3aa9cc11d3974906f44b272fa4dfe12775cf048a2f5e8bf359566f6f23b64a3f5abfc793fc587c49ea6da50df68bd6d82adf1c32aaaf

C:\Windows\System\vMYDyYL.exe

MD5 d490487482a9418e7cc64035bd5ad2c8
SHA1 7388f2ab235918ed98e5eb6f403d288300ee309f
SHA256 5dcb39fe235d437913ad10ac7f4ef0ba1e06ebb887226beddd8ed1a9ef14047d
SHA512 1c626bda69e237a00b34777b1149f9951c599dcda2c01c21a4d304f70a5fd95574ee412898ddc2a16ab0bb471eea9b0e6fecfb90f66e9a9ec9c80a1720e6a96f

C:\Windows\System\cNxEWVy.exe

MD5 2eab3c374fa55da61763549fbe0c2db8
SHA1 204cb5f0407e4507a672441e7f6cfb648d2ccfdd
SHA256 a65117da6f29d84e238f17feb148a5f9b344890df4b66d4493f1c76b1f5ca612
SHA512 6ba6ea823ce5ac3f2a2f988ed66dcfe047c6f2131bd6965ca0c034d8ae9482af848a9e8cdc53546df137649f2b90e6e63f533176f1747d823671c963202122d3

memory/4512-58-0x00007FF697C60000-0x00007FF697FB1000-memory.dmp

memory/4968-70-0x00007FF6CFF30000-0x00007FF6D0281000-memory.dmp

memory/2236-74-0x00007FF74A6B0000-0x00007FF74AA01000-memory.dmp

C:\Windows\System\kZkUzIh.exe

MD5 df3e29904c72bdd872e2f202675e111e
SHA1 025b66536a3bbd066da958d6fbdeb3e0105b8937
SHA256 e1abc19dbb75b00ffa087a8f1fccc06a075b1ddb1a850c85537a4fb4b51bf984
SHA512 bca5a0b2452361f0ceb818f91e626e736fe713c5cad3317255a39f74cb6ea5c607a2a9fcafba8ddf3d33380e98aba00d591e383e187badf5dacf87fea0249d18

C:\Windows\System\ItEFcPh.exe

MD5 47a746db7e736a9327431265d1e524ac
SHA1 05f09ec03479a824ac296a295d100aa29b1832af
SHA256 01e51b9132ebcacab3ee50ecb91164f2823cfe4417a71ca454a4275bd35bc494
SHA512 bdd52bd4521d2d0c3cc7a43ca0a48172a39a2f4a81ebc99a143e72a78b344a8c7080dc255fc4b87e89f979bc736e2d1e4782846b92d48397482edda8d88200b9

memory/4748-71-0x00007FF7778A0000-0x00007FF777BF1000-memory.dmp

memory/2896-64-0x00007FF73D630000-0x00007FF73D981000-memory.dmp

memory/5040-57-0x00007FF615CB0000-0x00007FF616001000-memory.dmp

memory/3592-55-0x00007FF7A7FE0000-0x00007FF7A8331000-memory.dmp

memory/5084-48-0x00007FF7CEAE0000-0x00007FF7CEE31000-memory.dmp

C:\Windows\System\xZOEhhg.exe

MD5 f711ee969224eadca2b0abeb830a2ac0
SHA1 a17d9f87fe16ae985ccd2ab90e3ce3abfca88d41
SHA256 1932be587e21919a436f38067294f9a4f939a252202c60f2ffd934595d0aadf7
SHA512 ebd40065f4afc9c54fe491d92bfab25d52204f39b60606e3aa7b2af9e1721540818cd3161081cfff2e1dad8907e262f7daa722925f6263d649b56fd1decc983d

memory/4628-43-0x00007FF7840E0000-0x00007FF784431000-memory.dmp

C:\Windows\System\nSgyVkn.exe

MD5 fa123946de865bb79e331663e30cccc3
SHA1 762801e217788d16c1965150e9b40713e9ce70d5
SHA256 4001a8172ded75276ae5562421d43fd1a556edf9c46175c38276e59db77949b4
SHA512 22b0d27866fec36cfd1bed7c0b7113848b7b8cd262c754e19c304d79dcd5bb8bb2cfb27a512ced483ee61d6e5fe4dae2b9fb4014fc121eef8919a7fe760eedfd

C:\Windows\System\LijAtXU.exe

MD5 3afc4aaa9d9835d2e8b0e0e2895c985e
SHA1 7774cb35f9cffa8eeadf3ba92d9e1f4571a20e8e
SHA256 e2337f4e1d5b552604e0c9eaf9d3cd1aec557c1b568945164a1814ad8b96806b
SHA512 709521d0afd50d2815f0d382e81743896400b37c0561ffe1a16bdda87fd542b2a0f4caf3d0168aa906427845b948d9d8839671a912303709dd2194cb11ce95d1

C:\Windows\System\Xxtxxyf.exe

MD5 c0b685593b44b3b6f37641f7bd661813
SHA1 05bb5bbc5000bd700a21cb3dabfc9aac6d12b842
SHA256 79ee5ce902083e5463d2676842e8fe3857a9b90363e39b81c405a5b10112cad8
SHA512 a16a791d22db36241b89711b749a43dcf709016afbf2fbfd7c3e13164be15fea6eb2ccd48eb1cfaa63b0165a4167b35933aa1d124bf1ab4e3578d208c02bcfcc

memory/3592-115-0x00007FF7A7FE0000-0x00007FF7A8331000-memory.dmp

memory/1808-122-0x00007FF6C25F0000-0x00007FF6C2941000-memory.dmp

C:\Windows\System\MkGsJRE.exe

MD5 95378b55ed32350c4f6ce9f467d6ad7f
SHA1 4bc1852a29aeb61b7b4cdfd58080630d86ed8ba4
SHA256 909962bf969c122f2dc4c91905dea071634c305b6f9e7fff8bb562f1ebf49e85
SHA512 f42e3342aa9f4b0c0a0c0207829960e2dbc671eb50eebf784b0ecabb25297f810ad1b5d67ca1bea112be0925ae352f04d2c5e742bb38c1b73d5704ddc350ec06

memory/2540-129-0x00007FF662500000-0x00007FF662851000-memory.dmp

C:\Windows\System\NoudIQg.exe

MD5 d5d8ae75ef99a065d3058de50c174014
SHA1 ad42a1abf46e0200c116b9d3b861a1ad3121306a
SHA256 206682021d5c4963dbdb720062a37137e8e01a77368132a40deada784327fab3
SHA512 0fdf3ab8437825b0d7a239210f06661bcc24201f911eec053dbacdf190ede1b81fca44cbe312b5b39b52ae8c5fbe8e875d59ca640f80335092b12ac2cc458e3e

C:\Windows\System\QoijMRg.exe

MD5 1eac2db3f2c4a0bbe9c9a3ec16776a9b
SHA1 e1f9422b1833f9a8fbdcbe1fb057243a01abd738
SHA256 5823e48d6218c31fb42ea6747825fc9880dfd8cd0dfd54df54e391a1bfe395b7
SHA512 e587a82abd33c4cb85a21bc741cc512fcfadea92386c1f72d7a0fd03fc760abccdf66615e509160079e7262a0ef2ac1d9055f4ab753f3a210dd3769742da0695

memory/3244-127-0x00007FF7F0080000-0x00007FF7F03D1000-memory.dmp

memory/5104-126-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp

memory/5040-123-0x00007FF615CB0000-0x00007FF616001000-memory.dmp

C:\Windows\System\CxUPuAZ.exe

MD5 31785c90f902874d03fee4d360096473
SHA1 ed53ef94942c25229e510c6c41195f484c8ad5d0
SHA256 a6602637e01ee924524948af85f0750e2becb8ac29e75484f0c95fe847f06b5d
SHA512 9bb102a072cbecdc68c8b6f7bebace4bc706deb70a1166b874fb620f9c05f3343f45a053d110f2f2b79ac3185b5f6cd7f445013add1306c2fafb53900bf4a5c9

memory/3236-114-0x00007FF67A4C0000-0x00007FF67A811000-memory.dmp

memory/4884-104-0x00007FF7C0FE0000-0x00007FF7C1331000-memory.dmp

memory/4628-99-0x00007FF7840E0000-0x00007FF784431000-memory.dmp

C:\Windows\System\ZkqLPrK.exe

MD5 fede65f1e1152df878edd20ef9de9353
SHA1 3d2df06ac6693b66f95fd987b5a571510614fb0a
SHA256 1fad2239bb6fd86cacd5c28c921be0be8617e603a1a85b3df229b08b2f221127
SHA512 fb4b33539900784661526488fe6cdbe7404eadbdbaf2cecba014edabb88dbf3b9106b603639cbc9ea1cf729d85bf0bd0f693ee747a624f4b6f666e4c5150a34f

memory/940-95-0x00007FF71B210000-0x00007FF71B561000-memory.dmp

memory/1104-93-0x00007FF702A10000-0x00007FF702D61000-memory.dmp

memory/4812-89-0x00007FF799830000-0x00007FF799B81000-memory.dmp

memory/5108-91-0x00007FF7065D0000-0x00007FF706921000-memory.dmp

C:\Windows\System\OVQryvw.exe

MD5 158e510316487603fca6cd886e8e0021
SHA1 01112f55a7cda84f9ff223b9ff4072e2fa89f82b
SHA256 fc12cc9154c45b2bc3acb6b66ca9f07817c71889814bf7c6022d98c081f8b6f3
SHA512 1b630e2a6dc2253cd529681575953c0dfe79e5ed2c6f71c51b5d54708e8470c45e4724ea5d58700e871b44c33e9945b804995b73d4a8d88ee2e0f8204482906b

C:\Windows\System\LHkYHWh.exe

MD5 92f75e707f62f7bca84eafd32c8df114
SHA1 5760943d473c4e861b80b5979fc6b9fc74209907
SHA256 2bb576ca9f86e5315b87049a50b571ce9618c24f56aaf8983c72cfbc572ae2dd
SHA512 2995073798c3e1a701ba1f296028bd7fbd59ed318f64925e87f56a2967a89ab226292a1e8a8edb1897c9006034c97270df799252387651872a5f1ed32e9d429e

memory/4512-134-0x00007FF697C60000-0x00007FF697FB1000-memory.dmp

memory/2236-145-0x00007FF74A6B0000-0x00007FF74AA01000-memory.dmp

memory/2896-144-0x00007FF73D630000-0x00007FF73D981000-memory.dmp

memory/4748-146-0x00007FF7778A0000-0x00007FF777BF1000-memory.dmp

memory/940-149-0x00007FF71B210000-0x00007FF71B561000-memory.dmp

memory/1808-152-0x00007FF6C25F0000-0x00007FF6C2941000-memory.dmp

memory/5104-153-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp

memory/3244-155-0x00007FF7F0080000-0x00007FF7F03D1000-memory.dmp

memory/4884-150-0x00007FF7C0FE0000-0x00007FF7C1331000-memory.dmp

memory/3236-151-0x00007FF67A4C0000-0x00007FF67A811000-memory.dmp

memory/4512-156-0x00007FF697C60000-0x00007FF697FB1000-memory.dmp

memory/4968-201-0x00007FF6CFF30000-0x00007FF6D0281000-memory.dmp

memory/3040-213-0x00007FF7E1D80000-0x00007FF7E20D1000-memory.dmp

memory/1212-215-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp

memory/1540-217-0x00007FF6BA9E0000-0x00007FF6BAD31000-memory.dmp

memory/1104-219-0x00007FF702A10000-0x00007FF702D61000-memory.dmp

memory/4628-221-0x00007FF7840E0000-0x00007FF784431000-memory.dmp

memory/5084-223-0x00007FF7CEAE0000-0x00007FF7CEE31000-memory.dmp

memory/3592-225-0x00007FF7A7FE0000-0x00007FF7A8331000-memory.dmp

memory/5040-227-0x00007FF615CB0000-0x00007FF616001000-memory.dmp

memory/2896-229-0x00007FF73D630000-0x00007FF73D981000-memory.dmp

memory/4748-242-0x00007FF7778A0000-0x00007FF777BF1000-memory.dmp

memory/2236-244-0x00007FF74A6B0000-0x00007FF74AA01000-memory.dmp

memory/5108-247-0x00007FF7065D0000-0x00007FF706921000-memory.dmp

memory/4812-248-0x00007FF799830000-0x00007FF799B81000-memory.dmp

memory/3236-250-0x00007FF67A4C0000-0x00007FF67A811000-memory.dmp

memory/940-252-0x00007FF71B210000-0x00007FF71B561000-memory.dmp

memory/4884-254-0x00007FF7C0FE0000-0x00007FF7C1331000-memory.dmp

memory/1808-256-0x00007FF6C25F0000-0x00007FF6C2941000-memory.dmp

memory/5104-258-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp

memory/2540-260-0x00007FF662500000-0x00007FF662851000-memory.dmp

memory/3244-263-0x00007FF7F0080000-0x00007FF7F03D1000-memory.dmp