Malware Analysis Report

2025-03-15 08:05

Sample ID 240813-n5pv4ssbka
Target 893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499
SHA256 893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499

Threat Level: Known bad

The file 893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499 was found to be: Known bad.

Malicious Activity Summary

XMRig Miner payload

Xmrig family

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:59

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:59

Reported

2024-08-13 12:01

Platform

win7-20240704-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\miuOklf.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\hHVAvhw.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\rrMrjyL.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\WekvNYl.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\gMuDfkn.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\FyTswzv.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\hDubFHT.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\DBWrxvk.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\FDbORFg.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\ESOSHkN.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\gtLAdJu.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\BYclDhl.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\sQWVKbP.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\rQDeivU.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\OtAfELt.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\bFvbRAV.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\fKaqsiY.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\BMLHSyO.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\ghiAeza.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\ScChGSj.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\DSTdhHp.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\FDbORFg.exe
PID 2752 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\FyTswzv.exe
PID 2752 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\hDubFHT.exe
PID 2752 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\ScChGSj.exe
PID 2752 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\DSTdhHp.exe
PID 2752 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\bFvbRAV.exe
PID 2752 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\fKaqsiY.exe
PID 2752 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\miuOklf.exe
PID 2752 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\ESOSHkN.exe
PID 2752 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\hHVAvhw.exe
PID 2752 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\rrMrjyL.exe
PID 2752 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\gtLAdJu.exe
PID 2752 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\BYclDhl.exe
PID 2752 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\BMLHSyO.exe
PID 2752 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\WekvNYl.exe
PID 2752 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\sQWVKbP.exe
PID 2752 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\DBWrxvk.exe
PID 2752 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\ghiAeza.exe
PID 2752 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\rQDeivU.exe
PID 2752 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\gMuDfkn.exe
PID 2752 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\OtAfELt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe

"C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe"

C:\Windows\System\FDbORFg.exe

C:\Windows\System\FyTswzv.exe

C:\Windows\System\hDubFHT.exe

C:\Windows\System\ScChGSj.exe

C:\Windows\System\DSTdhHp.exe

C:\Windows\System\bFvbRAV.exe

C:\Windows\System\fKaqsiY.exe

C:\Windows\System\miuOklf.exe

C:\Windows\System\ESOSHkN.exe

C:\Windows\System\hHVAvhw.exe

C:\Windows\System\rrMrjyL.exe

C:\Windows\System\gtLAdJu.exe

C:\Windows\System\BYclDhl.exe

C:\Windows\System\BMLHSyO.exe

C:\Windows\System\WekvNYl.exe

C:\Windows\System\sQWVKbP.exe

C:\Windows\System\DBWrxvk.exe

C:\Windows\System\ghiAeza.exe

C:\Windows\System\rQDeivU.exe

C:\Windows\System\gMuDfkn.exe

C:\Windows\System\OtAfELt.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:59

Reported

2024-08-13 12:01

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\btQYChs.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\dOaOfii.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\pnYakYi.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\gTHrJrl.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\HZAwXvf.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\dSRmYdl.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\cqDqZVl.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\RhMAyak.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\thmJwlZ.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\BoDZRDS.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\edEInXg.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\ZnICEWK.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\EpgKhoJ.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\yuNhoKH.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\NDsIWlG.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\VKVtImV.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\InDujYZ.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\QvdGWZW.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\AcgrbtU.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\UKjaTQP.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
File created C:\Windows\System\owchThs.exe C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\InDujYZ.exe
PID 1332 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\InDujYZ.exe
PID 1332 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\RhMAyak.exe
PID 1332 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\RhMAyak.exe
PID 1332 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\QvdGWZW.exe
PID 1332 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\QvdGWZW.exe
PID 1332 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\AcgrbtU.exe
PID 1332 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\AcgrbtU.exe
PID 1332 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\btQYChs.exe
PID 1332 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\btQYChs.exe
PID 1332 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\dOaOfii.exe
PID 1332 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\dOaOfii.exe
PID 1332 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\pnYakYi.exe
PID 1332 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\pnYakYi.exe
PID 1332 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\EpgKhoJ.exe
PID 1332 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\EpgKhoJ.exe
PID 1332 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\yuNhoKH.exe
PID 1332 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\yuNhoKH.exe
PID 1332 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\thmJwlZ.exe
PID 1332 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\thmJwlZ.exe
PID 1332 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\NDsIWlG.exe
PID 1332 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\NDsIWlG.exe
PID 1332 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\gTHrJrl.exe
PID 1332 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\gTHrJrl.exe
PID 1332 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\HZAwXvf.exe
PID 1332 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\HZAwXvf.exe
PID 1332 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\dSRmYdl.exe
PID 1332 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\dSRmYdl.exe
PID 1332 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\VKVtImV.exe
PID 1332 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\VKVtImV.exe
PID 1332 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\BoDZRDS.exe
PID 1332 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\BoDZRDS.exe
PID 1332 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\UKjaTQP.exe
PID 1332 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\UKjaTQP.exe
PID 1332 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\edEInXg.exe
PID 1332 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\edEInXg.exe
PID 1332 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\cqDqZVl.exe
PID 1332 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\cqDqZVl.exe
PID 1332 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\owchThs.exe
PID 1332 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\owchThs.exe
PID 1332 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\ZnICEWK.exe
PID 1332 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe C:\Windows\System\ZnICEWK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe

"C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe"

C:\Windows\System\InDujYZ.exe

C:\Windows\System\InDujYZ.exe

C:\Windows\System\RhMAyak.exe

C:\Windows\System\RhMAyak.exe

C:\Windows\System\QvdGWZW.exe

C:\Windows\System\QvdGWZW.exe

C:\Windows\System\AcgrbtU.exe

C:\Windows\System\AcgrbtU.exe

C:\Windows\System\btQYChs.exe

C:\Windows\System\btQYChs.exe

C:\Windows\System\dOaOfii.exe

C:\Windows\System\dOaOfii.exe

C:\Windows\System\pnYakYi.exe

C:\Windows\System\pnYakYi.exe

C:\Windows\System\EpgKhoJ.exe

C:\Windows\System\EpgKhoJ.exe

C:\Windows\System\yuNhoKH.exe

C:\Windows\System\yuNhoKH.exe

C:\Windows\System\thmJwlZ.exe

C:\Windows\System\thmJwlZ.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3988,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8

C:\Windows\System\NDsIWlG.exe

C:\Windows\System\NDsIWlG.exe

C:\Windows\System\gTHrJrl.exe

C:\Windows\System\gTHrJrl.exe

C:\Windows\System\HZAwXvf.exe

C:\Windows\System\HZAwXvf.exe

C:\Windows\System\dSRmYdl.exe

C:\Windows\System\dSRmYdl.exe

C:\Windows\System\VKVtImV.exe

C:\Windows\System\VKVtImV.exe

C:\Windows\System\BoDZRDS.exe

C:\Windows\System\BoDZRDS.exe

C:\Windows\System\UKjaTQP.exe

C:\Windows\System\UKjaTQP.exe

C:\Windows\System\edEInXg.exe

C:\Windows\System\edEInXg.exe

C:\Windows\System\cqDqZVl.exe

C:\Windows\System\cqDqZVl.exe

C:\Windows\System\owchThs.exe

C:\Windows\System\owchThs.exe

C:\Windows\System\ZnICEWK.exe

C:\Windows\System\ZnICEWK.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\InDujYZ.exe

MD5 b2f87a19c2d4efb6576725b568e70728
SHA1 af860345bc457acd278f92ff9865c4b6dc9d2ed1
SHA256 bac957e190659dabd59f68883ce81526308cc4f9ccf0571177a0c5a8fa717f8b
SHA512 73241af549a896e28c0391c2afef49cb4ffbcc01edc3be8b795e64f66ff8ff120a593398ea541ee839674163d4c4cc9e24954cc03ddc6a6f65d8a4d27b84c4a8

C:\Windows\System\RhMAyak.exe

MD5 3b5ba3f139df0ba5103ef2573bfde6be
SHA1 7bb4f24b7dfc9504dc4d144f90ee1a6f2bdd53ec
SHA256 dc5c4417da80c7bd6a72c0fb64f0eb18a80308daaaa9fd33db1178f7b6469270
SHA512 99be993faa848b9d5923fe7b198745d400425fdf8387fecc362b222242cdbb586845c192ad12a9a20b6dbcfc5ea43ebef762d8a9dafa0928507367f1e72d7d40

C:\Windows\System\QvdGWZW.exe

MD5 40f9bf4ef08bcbea34eb5976db1d8680
SHA1 2dc03de5cd3a3326e4ad4c942f1b72305bf3aed1
SHA256 d4b2a112db95be4d8b0ee8a2e8ff1bef31508be74c2a48e7460ccd466cdf7120
SHA512 b8a06330ff2ad041ac9be4ff5c12231ad78634b2eed65b82cf7298848eac9b9e281788481211124b6fe16077444cdc69942d0cf1a7c92c00ed7a0259001d357f

C:\Windows\System\AcgrbtU.exe

MD5 ba17bebed7acdb5df99912c6a795a63a
SHA1 68ede31b080b4c869c4212c4c6e87e61ff6f86ae
SHA256 afdc1de4ee29e8724ab489d08b62ac78efaf729a67b283796d53c1f13a2b9a01
SHA512 3449b56696f495d2278b0febe7f405b7987f306889033538d2825edc79b3e0c3d38e497a03cc7896ce2cb6a4e68c8034eeb21a0ac789a33c0cf0712ef22e622d

C:\Windows\System\btQYChs.exe

MD5 5b1d4b721b960dbd1e7fb39087e7a542
SHA1 6b24e9f0930fbd9c9a9c0e8859f0541ba264e1cc
SHA256 94c7392dad962f09805517ef06c504901111633557b4de69597347990c5bc0aa
SHA512 33278f933f28f847ba161ea16b88a42ebf644e57385d7e737a7dcfa07b1ccd805ec3ff51ec968ccd7b51a2aa7474d1f224cc99e200771aa52d9c5907b81ee8bc

C:\Windows\System\pnYakYi.exe

MD5 b7fea18b10f9c962340fb1296a4649a3
SHA1 8f7a5bfddb9f318adc2a330106c60fdb5b24c3c5
SHA256 a311e8403f2516ce59b4148b6ef1d862ee133bedb9228570f085b73e84e704d8
SHA512 a372b5548851d6e99dbadc91520a43a73a5decbe9548ab0c332cd31d50adce94eb5331b9a17535287da47e1fb61ed0227e8eba4f964165b12c231c660422e7dc

C:\Windows\System\EpgKhoJ.exe

MD5 e739b07daf18eb820e25a169f73e312d
SHA1 b51b083fee54ecdc7cc1f7327b683cb63dfc3c8a
SHA256 4fd8e568fd6992bb02fe21a38ebe0b20de3343afad5832f1744e42f2f6949278
SHA512 1ed94f0604996cc22f1ea1581f3983f67378f9ee64dce086b0d1deefefd6bc5f55c0465944d142edaf9174b876d01d2cb0ba2034e8589c1f12ec5112a7514d1b

C:\Windows\System\yuNhoKH.exe

MD5 195707483a51d8ad0cdb1c53b33d2b06
SHA1 04389cbdacfdfcac57c7dab6628afd283f623d75
SHA256 0ba4cb7df37c58eff97cd9217f317cba556810ddfa40bf5ee5e283cb7529c7ac
SHA512 a52d4f3b8430e819d22147b7ca5b6365a277a4d4b452e7c3286c601b2606fbd358ee295daa53b62500ac18d08d2f82aa5ae94535ff08e31c50852c1f3d070cc0

C:\Windows\System\dOaOfii.exe

MD5 3ae06979d19d7000998d11737fcfa566
SHA1 845b48c4bb21e23a786d3dc6555418e408985532
SHA256 2ef56ea5ed14762adc33a0a2c10118d2689f3ccaa9084565c9d4ed2affb76b7e
SHA512 4f1c209ead3abc5f154b8675966da69a2f6c0ddccadbc4513cebf6cbaafc8504d02d10fa9798e7721bb1f1510e0a715b746858d9e69a709d840f8b1f0d7f76e5

C:\Windows\System\thmJwlZ.exe

MD5 4a08f0d448fa9a173b3d99d03a0f31ca
SHA1 733a9d1d2bafe546baa8a49e6d732390a4971e67
SHA256 bfdbba2e8b74bc902036a875f4c1588f0b9588fc84b6844e066617f7fa7acf5f
SHA512 61e7728297c5edb93c3795c906e7e6b807369d8bba231ee20eadcc3f0da522ef9ed3cd49043601567e93d900076b82f288acafb5a32fb0350e5854f80de3dff1

C:\Windows\System\gTHrJrl.exe

MD5 1fa112529f02694002184299b5c97e2e
SHA1 8dc9d4e7910cbd9c4739386e3149e9ea5f2f1674
SHA256 bfb8e07a79fffa9a6eee1b7370d1ec7e37a2204c02cd49392be36987b4aba569
SHA512 1388218743f3d47dfed0f165daa912c10091131fb6abab333ce3b9597c8533fc957554e678817d745350cb300a4e0d0dea053a7cd700bac865a9da29559df607

C:\Windows\System\NDsIWlG.exe

MD5 f8b07f99a7d3da1d446c8706281bd91f
SHA1 9090bf548332a6148135d760907cbc79cbc0457d
SHA256 bca5848f935d9de7e226884545e3dec9dbeb35752f4369a0065d7ced13d2cbdd
SHA512 4be8b5b250374a635f007715c42054e428e899b78144af2f940fdb51d87c4585602ba345709d9b7aa7dcfa07dd72f89e47e32e18dca9e6140d20bea6e49683c7

C:\Windows\System\dSRmYdl.exe

MD5 1071e1daf765fce1d7c1100fb989c3c7
SHA1 99ff48e65b54ab308bdc22a29d105b86ca5adb48
SHA256 2430307fedd723fad7c33c15596b9c27160ffa35e808e530feee5bd57716285b
SHA512 8c1393bc9ccd29c00d3152373d311ecfb4ad732e5707328d9e774fc23c7cdd74f5192bcedecf68278d4df23f0555695f38fb3a06b922f03961f8b395a12cd225

C:\Windows\System\VKVtImV.exe

MD5 fe641aec0ae5b82bdbdc760c2f372e52
SHA1 f55f5448f5792e3c90499e603f494156a4ae48b8
SHA256 89e147b940df653a0ed875c7c30725e9d91acfab67a57b39c3e82563c8b3a4e2
SHA512 1ef43c7c66f4c54326f36c2abfe168b17042e5df66ae0d3e5e1bdd640b5a637e7f268e46e067e087b9674a6f6860324f6e9a4a65678fa098c4a3b952df9f886c

C:\Windows\System\UKjaTQP.exe

MD5 043d28a9d503c247e7bf12a0900331a8
SHA1 ef0b6782d5ce95bbf0532e0ba7ba6f73066a48b2
SHA256 c2d663b277a2218366a9c28e9770277f2f6e08c905606e96e7645b04429a62a9
SHA512 142218c4b3b75f65d2fc41664fc1667b8999558d31355c5ae08af79b760e0ad8d80626418cd2ce9198f028f20d58f50fd34e426ceb09f9f45eece13a333a9bf1

C:\Windows\System\cqDqZVl.exe

MD5 bfb2874bc68245400ae938d560e7ccc0
SHA1 43a1fe4190ca0772d26b9b2e7f940acd15a0b429
SHA256 248f524ccc84177d67bc7dd6bec0bfec25a1e6515b6333633b505ce431fca30b
SHA512 223d986a8321fe19d9764966e6fd6a8527a8fe02effc7c5d3b60a3acfc3f841ca90964f43e4360c73df7e8fca3b8aceed92e35bb5868838f1525bd7749e48d1b

C:\Windows\System\owchThs.exe

MD5 e717d1ee6e36bde1e17adeec97fe9344
SHA1 895d7acb4114b09f51e1a671f9b009b730251f12
SHA256 6f276db18f0f40bed5e83ccb15a521ecc8d653438dbd1c149ac632f499edd877
SHA512 f2b7c369cd23243c8ad9b3b91773ab766e4ba9312a625d22ed134a75ce58e7610563ec305fd226d7675d76d614a11dcff126a8b785f038f37ccb2c51bad97e3e

C:\Windows\System\edEInXg.exe

MD5 0177f8bf3e61125cb8664e621e7a2750
SHA1 25aa8ffff8a82bea1d740fc8dd2a031a3c85af48
SHA256 e55dd915c75d924c0b73ec14109cf9b5582ca60a9c87e6b4b62cf387e8eb3636
SHA512 4f409304dbebe5005d6c1f15aa26b01052ede30be797b67f35d7a2deaebb04bac851f0a88ac5d83f68482d2bed06de91b075323964978d20bc4fe0bede47b3f7

C:\Windows\System\BoDZRDS.exe

MD5 d23479daadf3817237b29335dcae0f4d
SHA1 debaf6a60b6c2ea0362ba162fdcd85532efe60d7
SHA256 12a418bc7acf5ce91e9e74c95a1350c98fc3919bf6a4ac4f62caf75a2ebd13ae
SHA512 a9bd05222963ec0c585c3c8016d4a3ad39650a5e99a84d9aa24a8012a5d7a9d0652d79d53a13cbfded308efa46c1b68aaeb7a4f1a2aa1d9a1a3d1b7ee3a7ac92

C:\Windows\System\HZAwXvf.exe

MD5 e80755ed5dfe4c30ecfda130d3e6c25c
SHA1 6d7880f7067cdc81cc2af84efecc3160360af742
SHA256 5afe1def6b6c32890922ab48c34766b6fd51510e8a16b379d84976d0da298f9b
SHA512 7341583a5b0a9a953872b44262456cad23fb0e2b62b79e77ab8a3efe6500e65b721dc93fefc6c6dec29ac90b8f14609f3c2f885ae2aa8456aeea5ad932e457fd

C:\Windows\System\ZnICEWK.exe

MD5 9d098fc080a21f48972429b713da7840
SHA1 742d0e12adfaf7ff1a45610e8e4ead4abf0f6c46
SHA256 535ba631b219fc33ba99e0919313f35c43928f379c99742b53b5aded650c220d
SHA512 16d2d9967496f3e9ce63e6e7aabbd2e8b8ffde3b75cc367bac89f37de57db3d5ee887cd49e4fe39efceeb96ba641fadc584aae6119de4a87faa2bb9efebfde4c
