Malware Analysis Report

2025-03-15 08:02

Sample ID 240813-n9s4bssdmd
Target 93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74
SHA256 93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74

Threat Level: Known bad

The file 93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74 was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 12:06

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 12:06

Reported

2024-08-13 12:08

Platform

win7-20240729-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 hits; no description, indicator, process or target was recorded for any of them (all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
41 hits; no description, indicator, process or target was recorded for any of them (all fields N/A)

Loads dropped DLL

Description Indicator Process Target
21 DLL load events, all from process C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe; description, indicator and target were not recorded (N/A)

UPX packed file

upx
Description Indicator Process Target
64 hits; no description, indicator, process or target was recorded for any of them (all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UFdOIer.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\SJPSISW.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\PTplEjX.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\yOvKBim.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\WITiXrm.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\bClDEDU.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\Dkcdemf.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\LjUvUdC.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\XuhaPGK.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\vfsQsCv.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\dYAgbRn.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\JrlCEMz.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\lSthnKE.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\RiYaKYb.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\YZPjDZx.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\LiYljDl.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\vKuhoXg.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\hYiXRul.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\bbIMAIh.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\TvfkAPg.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\gKUTgig.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\PTplEjX.exe
PID 2388 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\PTplEjX.exe
PID 2388 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\PTplEjX.exe
PID 2388 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\lSthnKE.exe
PID 2388 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\lSthnKE.exe
PID 2388 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\lSthnKE.exe
PID 2388 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\XuhaPGK.exe
PID 2388 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\XuhaPGK.exe
PID 2388 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\XuhaPGK.exe
PID 2388 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\vKuhoXg.exe
PID 2388 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\vKuhoXg.exe
PID 2388 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\vKuhoXg.exe
PID 2388 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\yOvKBim.exe
PID 2388 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\yOvKBim.exe
PID 2388 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\yOvKBim.exe
PID 2388 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\hYiXRul.exe
PID 2388 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\hYiXRul.exe
PID 2388 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\hYiXRul.exe
PID 2388 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\WITiXrm.exe
PID 2388 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\WITiXrm.exe
PID 2388 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\WITiXrm.exe
PID 2388 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\bbIMAIh.exe
PID 2388 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\bbIMAIh.exe
PID 2388 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\bbIMAIh.exe
PID 2388 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\TvfkAPg.exe
PID 2388 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\TvfkAPg.exe
PID 2388 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\TvfkAPg.exe
PID 2388 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\vfsQsCv.exe
PID 2388 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\vfsQsCv.exe
PID 2388 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\vfsQsCv.exe
PID 2388 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\gKUTgig.exe
PID 2388 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\gKUTgig.exe
PID 2388 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\gKUTgig.exe
PID 2388 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\dYAgbRn.exe
PID 2388 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\dYAgbRn.exe
PID 2388 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\dYAgbRn.exe
PID 2388 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\RiYaKYb.exe
PID 2388 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\RiYaKYb.exe
PID 2388 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\RiYaKYb.exe
PID 2388 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\bClDEDU.exe
PID 2388 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\bClDEDU.exe
PID 2388 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\bClDEDU.exe
PID 2388 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\YZPjDZx.exe
PID 2388 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\YZPjDZx.exe
PID 2388 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\YZPjDZx.exe
PID 2388 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\JrlCEMz.exe
PID 2388 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\JrlCEMz.exe
PID 2388 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\JrlCEMz.exe
PID 2388 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\Dkcdemf.exe
PID 2388 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\Dkcdemf.exe
PID 2388 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\Dkcdemf.exe
PID 2388 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\LjUvUdC.exe
PID 2388 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\LjUvUdC.exe
PID 2388 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\LjUvUdC.exe
PID 2388 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\UFdOIer.exe
PID 2388 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\UFdOIer.exe
PID 2388 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\UFdOIer.exe
PID 2388 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\SJPSISW.exe
PID 2388 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\SJPSISW.exe
PID 2388 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\SJPSISW.exe
PID 2388 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\LiYljDl.exe
PID 2388 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\LiYljDl.exe
PID 2388 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\LiYljDl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe

"C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe"

C:\Windows\System\PTplEjX.exe

C:\Windows\System\PTplEjX.exe

C:\Windows\System\lSthnKE.exe

C:\Windows\System\lSthnKE.exe

C:\Windows\System\XuhaPGK.exe

C:\Windows\System\XuhaPGK.exe

C:\Windows\System\vKuhoXg.exe

C:\Windows\System\vKuhoXg.exe

C:\Windows\System\yOvKBim.exe

C:\Windows\System\yOvKBim.exe

C:\Windows\System\hYiXRul.exe

C:\Windows\System\hYiXRul.exe

C:\Windows\System\WITiXrm.exe

C:\Windows\System\WITiXrm.exe

C:\Windows\System\bbIMAIh.exe

C:\Windows\System\bbIMAIh.exe

C:\Windows\System\TvfkAPg.exe

C:\Windows\System\TvfkAPg.exe

C:\Windows\System\vfsQsCv.exe

C:\Windows\System\vfsQsCv.exe

C:\Windows\System\gKUTgig.exe

C:\Windows\System\gKUTgig.exe

C:\Windows\System\dYAgbRn.exe

C:\Windows\System\dYAgbRn.exe

C:\Windows\System\RiYaKYb.exe

C:\Windows\System\RiYaKYb.exe

C:\Windows\System\bClDEDU.exe

C:\Windows\System\bClDEDU.exe

C:\Windows\System\YZPjDZx.exe

C:\Windows\System\YZPjDZx.exe

C:\Windows\System\JrlCEMz.exe

C:\Windows\System\JrlCEMz.exe

C:\Windows\System\Dkcdemf.exe

C:\Windows\System\Dkcdemf.exe

C:\Windows\System\LjUvUdC.exe

C:\Windows\System\LjUvUdC.exe

C:\Windows\System\UFdOIer.exe

C:\Windows\System\UFdOIer.exe

C:\Windows\System\SJPSISW.exe

C:\Windows\System\SJPSISW.exe

C:\Windows\System\LiYljDl.exe

C:\Windows\System\LiYljDl.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2388-0-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2388-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\XuhaPGK.exe

MD5 81cdf4f572a3ffb883710e787ec4d8b7
SHA1 678dc5c8a0876f09f1ed1342db1f5e57ca668883
SHA256 6ec435ef07e2e36d6c027d29979d6e3bf8aff7759b7947f94a89d4b5d37933fd
SHA512 c2256cbbb73bb2386e79f5a67868a64068e473e1e031e9e66f4b3b550e4cdff639333bd7076c0de6684fd26299f900609054839ce5adaff45c7db3592ebd88c3

C:\Windows\system\hYiXRul.exe

MD5 ccf6153e9624096cc5b07aacdc634257
SHA1 81b3afc856d97a19b094dac4c1cba7414074da29
SHA256 8ee7206484c05b720c63cac07b3a874b2142114288de56f36f3f76fa2f14d631
SHA512 6ccd68a4d085cc758144148e0b10820f4a9c24e78b7528739610dc679589e1eed805aed73d2982efbf15b977283f31ce7152a4dc5055725919e64107c709aa51

memory/2828-34-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2388-33-0x000000013FA00000-0x000000013FD51000-memory.dmp

\Windows\system\WITiXrm.exe

MD5 93448b75367b729489f7b7ef073bec86
SHA1 8ddfba8c023aae79c262b1a86ad417e87add865f
SHA256 6d9fdd01b6df5037ed1034bd62e0c896d92c3310e463283738693a441bb04c9e
SHA512 33b0c4500a7860e2273feea05e7be2b609b82e1d87722295b2c34c11f5fb38626b61174ac81c25f5d287cdb91383638af42b48850cadbbe2f24982319b9738ae

C:\Windows\system\vKuhoXg.exe

MD5 97d36f07d3d1c999dcb3b4ce93e5d6bb
SHA1 dbb766919bbc51d1a6050e4237e8dd4116d223d8
SHA256 6885ed3c9c1464674fb25a39fff373db77fd50c229c668885711814805998391
SHA512 04943b340b949456ee97f8d9ac0112bb8a12c1997e18cdae3bc0f06fd10f7cfd1294e7d8c4654f703f4c49c46377189fd640251d3f5cf467c8bb37b567424611

memory/1904-48-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2800-46-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2388-45-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2188-44-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2108-42-0x000000013FF80000-0x00000001402D1000-memory.dmp

C:\Windows\system\yOvKBim.exe

MD5 6b8b420f9a9c1cd5873535aee5fe7da5
SHA1 d763d6f37a83261a15e9416786b3b86b79138cd8
SHA256 18cf7bd9c7ba162c4d8182577a5c29a2a1a3e629d722c4435ed12800375abc3b
SHA512 f0a8d62bc67e8fab1f49ca036e1b9ea9f2424575ee363ee3f9be8639298e74e2685c9f22b929b0f1f5fbc6f65fc516f5fb65e5899ae51d1c858c2a93275bbf28

memory/2388-40-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2520-38-0x000000013F5C0000-0x000000013F911000-memory.dmp

memory/2388-14-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

C:\Windows\system\lSthnKE.exe

MD5 e759f4368b0cb02936af726cf44a848d
SHA1 850c2cc5ef0e271c1bb349fbfd5b358464f20e12
SHA256 b1bbc8f167a2e5086911b7cb57c79926d3eeb5a4ab39725d3fa62d4f8361cac7
SHA512 f7d202bfd3eb073bd2ef98e5f0a185345e1caeaa183f912b9d0486c0d37ae457beaf5db7790bba1e65843c7f7a3a14c9f6f35a87bacef37c71ee91c07ad70a5f

memory/2120-25-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/2388-7-0x00000000024C0000-0x0000000002811000-memory.dmp

C:\Windows\system\PTplEjX.exe

MD5 7ed014c29bbb6c6e67f19b056cc913ef
SHA1 91c9dc560d6151f9c4a568939f7da3baa5c6126c
SHA256 d097730b7aeaccfa8565f0724757388a6d1f69c9ee38da39d5486ac027beed23
SHA512 e4f9bb563d1d8e69e1f4481dc538cf50f0cf0572f2d926fab4081659c7b5cd06d2ba6a3d3ccc9d1e785a54106705153f0bf95d48d67bfe1ac531d31415e1a644

\Windows\system\bbIMAIh.exe

MD5 bfa3d46a4e910d940203a71be3bc243f
SHA1 31ba040ed827a36d7db45fd053ef4a052e77b48f
SHA256 defcf05e5f3da6c5c9c754628f219b931cbb1e62b861e155dd844859b90e2cd7
SHA512 535c5e36a4bddfbd8385b4dae6e2f6c5f24d8bbc7ca97ba870f228034489a718135ece6d7975d3a73166df8a4ef91dee38b7baadc102ec8877738cde22be7fb5

C:\Windows\system\TvfkAPg.exe

MD5 05b195b09ee951b8133ff14c2d43489d
SHA1 00d099749863b73329d7ee91ae2a43c65dbfaea9
SHA256 ef0fbae61808a744e30b2afd22e7511b991aec14a7aaa4d67c828f8e15474364
SHA512 cf557cf12db4374bb1f53c982524802b4f25acd7e8e8f6771a34e54458d449e508dcac320b0ec279f6688fe0be3f5c6e006619579adb9680e4727d35aaa5b3c9

memory/2388-58-0x00000000024C0000-0x0000000002811000-memory.dmp

memory/2388-63-0x00000000024C0000-0x0000000002811000-memory.dmp

memory/2744-62-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2992-60-0x000000013F840000-0x000000013FB91000-memory.dmp

\Windows\system\vfsQsCv.exe

MD5 d3c41899ae1fa5f24ae3353fc0620e70
SHA1 58f07ef0ec2ca4f67e736fbe5bd53ee6173379b3
SHA256 cca0c67b6bf3328fe1b0a6452eef829edc575ebca97035dc8f0f37753b4a439b
SHA512 4860415c669ab345b9d6d5a81a0dcf25cab314ab13809f44479acaeccbd6fb15944b7b31e8a0ecd3f25e26e382595029c30964d1c41f223129110933fdc45fdc

memory/2316-68-0x000000013F360000-0x000000013F6B1000-memory.dmp

\Windows\system\gKUTgig.exe

MD5 044b957a8b6a21008224153b11c19201
SHA1 aa5b090131d15eb9d0604bc3473a85d9a351aa35
SHA256 8bf5f4575837bb44497b90a8f4e160e5174809ffec0f84c873cd0ebe771e1504
SHA512 bfca3ecaab9522c1334018e60ea4c06fa631624acfd3197093157c2cd404b5b3231765873c38d336ef1e1d35282a46a08f109444a73d0125173400893715119e

memory/2388-76-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2388-74-0x00000000024C0000-0x0000000002811000-memory.dmp

memory/2308-77-0x000000013F590000-0x000000013F8E1000-memory.dmp

C:\Windows\system\dYAgbRn.exe

MD5 b51c5d5ddaa60daaa11daf3ed3ba3bb6
SHA1 058c809127f3b6dfc3dd2d00fb5b622a3e2972d5
SHA256 bdc17d58bd12b4df2cdbfa8478ec11cccc80ff2401476b3e4c73f6bc0d6a0567
SHA512 bb869ca006a2c80dbb87b4157facf204ca6c41987ffb39d1aa0d3fb11ca19cd74a6a71ec4f944336c3a672afff5c24a0e3f1d0cd83099e82cb9778d5ea8d540a

memory/2388-83-0x00000000024C0000-0x0000000002811000-memory.dmp

\Windows\system\JrlCEMz.exe

MD5 c76d9303bea3d1bba79f9b5772106bfc
SHA1 944153f8b9e1acff49d6e936c6d7b17cb299f31c
SHA256 38ec31c7b812040749d1364b98812ee3a1ec6ea64fbc4d93d1fb3e98968a4c47
SHA512 1bd98e2c17fa91ffdb38e5cbe10c6302724a817e86075c8e55f48426f5f8dd21e7f841f20a06691cd86a9cddf1ee245be0a1a0449dde289857f067bdc4fd49de

C:\Windows\system\SJPSISW.exe

MD5 7ac0418fc33dcc18b288d416d69276e5
SHA1 7f489f7ec636d8c41f06242931db8f8e72d654a2
SHA256 e26a98598db383d5d4741d9018e101021da5b69f035fdd43ac901e1f3d31b579
SHA512 01db960f3bdcfe6024725a60c8f1939e60226894a6ff5f5fb586f07f691ab066b666a705e6be6655e4ba0e5ef56294f6a571c509e842469c8456a2857813cb78

memory/2788-124-0x000000013FCC0000-0x0000000140011000-memory.dmp

C:\Windows\system\Dkcdemf.exe

MD5 019ba72920c3a3a9dd699b2b16e2ffd6
SHA1 81d4f90f1eaeac72599f350adf7058787917afd1
SHA256 9cc434dc4bf8027c4ff0ca5ae811a67addf74be45668cf8f7a6a8bdd716c699f
SHA512 9c4a72a4f10c30e05ff51a8b2305243e1de98374163e860ed6ac4e7cb24a5d2258e938eaf36643175cdc42b7e4ece9201d4c4d2ae6c332e2d035c5d5f3d2c159

\Windows\system\UFdOIer.exe

MD5 f9bcab118828f9ecf79870a0bb53fbee
SHA1 1cd28c27202dbea2bc5e0073ad708bdcae83acb5
SHA256 821c4bdbf9d35a0dbb6c276f52af72b8b19362821d4d3574db5130c6b4463db6
SHA512 951990c66fd9f985b0d53305cc98329b4232780bda5f7a4db0533ed8f90ca70821794b8575d96e156d8afba668d11e19ab934e8f35d07d7de05d7e9ed0ee785e

\Windows\system\LiYljDl.exe

MD5 cd17810d82f07952f77d22427e80e41b
SHA1 c688a83a7a7182aa6e4416e412cfb626a9867cb1
SHA256 8d839d30d8307e51b7c730cca549677f86f4e9203dc14a792e59e926f16d95ba
SHA512 1d90fb8c0a9655e1bfa7c92bac54962ede88e373ab1be90c402c6d0340a77adb7f8059af3671c1e373f74a5e2cefcf20a78ade8ba46e8ceafe7f3c051d900d4b

memory/2388-127-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2388-126-0x000000013F080000-0x000000013F3D1000-memory.dmp

C:\Windows\system\bClDEDU.exe

MD5 742e0c9078581f15f187ff23fc5e984e
SHA1 3bb4c69bcc417e3b21f0b419ae237ee0e9bf8a29
SHA256 3a73d33a05d9f952dca433079d8389c56fbc8ed3b7585ef8f29a5caf977f2c59
SHA512 9e280c9bb40163a5791adbf830bcaedfe69176ff56aaa2a8c16bf4a4b9f8d8aedc93798af4407fdb2f46aab4cc359c5d247423b8e7b8030e2b368d3d07ebb464

memory/2388-121-0x000000013FC80000-0x000000013FFD1000-memory.dmp

\Windows\system\YZPjDZx.exe

MD5 10b59d9d3b13d99d2fa78f3d7392c729
SHA1 fc48fe319b4388c17abbf1bed0f1a010e8a661a5
SHA256 fcc3641cee28477d18475eb667a77314955bb0d3ec302777384ca37caeddf96b
SHA512 bf927a8f8cb3b045ede237888e53c61af43e0a65d46afcbd7f43d1d5901c9c0345ec602a9eca8a4da0cb129074e1a4252fb08dd773ceadd48771b14fe818b77f

memory/608-119-0x000000013F080000-0x000000013F3D1000-memory.dmp

C:\Windows\system\LjUvUdC.exe

MD5 3000587eacd46550eaac847171dfd81e
SHA1 67e9f1b8f915931e8bea8decae05786260220667
SHA256 edf1f4df58870d521f82feb2c841d6b04ee3c41b654843af17d5edd10a08f727
SHA512 414dc3eaac2c7cbb937df7e5a98b05b6a37bcd063827491852c33dfc22b1df63b9f9eff2e16e9e398efe3d93ccb7f77ba83911cf08911c0404628504df65100f

memory/1300-110-0x000000013F330000-0x000000013F681000-memory.dmp

C:\Windows\system\RiYaKYb.exe

MD5 5a1a3fca95668eaf6853db5c0d986627
SHA1 5ce389e3e56843bb6d9865373095d0d62ab4dbc8
SHA256 f7a826e50d5bf02486fca9ac69e6238ab6255adf1d2acc7b30548484e9fcc683
SHA512 01e3e514ec38f3ca0ca5591d405b46e001513e713666b6493beb13d770c03376b86f030cbeac77d99b86ca9e423a4787a09e173f5386a6e15714764c44f687a5

memory/1904-134-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2388-135-0x00000000024C0000-0x0000000002811000-memory.dmp

memory/2388-136-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2316-146-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/608-149-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/1268-155-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/1080-157-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2592-156-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/3032-154-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2940-153-0x000000013F500000-0x000000013F851000-memory.dmp

memory/3016-151-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/2920-152-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2388-158-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2388-180-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/2388-181-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2120-205-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/2520-207-0x000000013F5C0000-0x000000013F911000-memory.dmp

memory/2108-209-0x000000013FF80000-0x00000001402D1000-memory.dmp

memory/2828-211-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2188-213-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2800-215-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/1904-221-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2992-223-0x000000013F840000-0x000000013FB91000-memory.dmp

memory/2744-225-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2316-227-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2308-240-0x000000013F590000-0x000000013F8E1000-memory.dmp

memory/1300-242-0x000000013F330000-0x000000013F681000-memory.dmp

memory/2788-244-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/608-246-0x000000013F080000-0x000000013F3D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 12:06

Reported

2024-08-13 12:08

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (46 identical rows, all N/A)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows, all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RqSnwoi.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\vDnMyUB.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\KEBUKbw.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\DuZOvLc.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\dgIHHBW.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\wvJzbhw.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\IGtTain.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\qFmMGwi.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\jvIuiuC.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\ogzKPRM.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\ERrDWNv.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\bVBvEDl.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\VbRDnvM.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\qydxbtB.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\vAGaira.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\PioGgfk.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\PeSzhup.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\nnAVGAq.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\NKXQgdE.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\cxZvpfN.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
File created C:\Windows\System\eraujBj.exe C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\IGtTain.exe
PID 5064 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\IGtTain.exe
PID 5064 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\vAGaira.exe
PID 5064 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\vAGaira.exe
PID 5064 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\NKXQgdE.exe
PID 5064 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\NKXQgdE.exe
PID 5064 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\vDnMyUB.exe
PID 5064 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\vDnMyUB.exe
PID 5064 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\KEBUKbw.exe
PID 5064 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\KEBUKbw.exe
PID 5064 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\cxZvpfN.exe
PID 5064 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\cxZvpfN.exe
PID 5064 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\DuZOvLc.exe
PID 5064 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\DuZOvLc.exe
PID 5064 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\qFmMGwi.exe
PID 5064 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\qFmMGwi.exe
PID 5064 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\PioGgfk.exe
PID 5064 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\PioGgfk.exe
PID 5064 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\PeSzhup.exe
PID 5064 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\PeSzhup.exe
PID 5064 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\nnAVGAq.exe
PID 5064 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\nnAVGAq.exe
PID 5064 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\dgIHHBW.exe
PID 5064 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\dgIHHBW.exe
PID 5064 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\ERrDWNv.exe
PID 5064 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\ERrDWNv.exe
PID 5064 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\eraujBj.exe
PID 5064 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\eraujBj.exe
PID 5064 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\bVBvEDl.exe
PID 5064 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\bVBvEDl.exe
PID 5064 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\jvIuiuC.exe
PID 5064 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\jvIuiuC.exe
PID 5064 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\VbRDnvM.exe
PID 5064 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\VbRDnvM.exe
PID 5064 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\RqSnwoi.exe
PID 5064 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\RqSnwoi.exe
PID 5064 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\qydxbtB.exe
PID 5064 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\qydxbtB.exe
PID 5064 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\ogzKPRM.exe
PID 5064 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\ogzKPRM.exe
PID 5064 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\wvJzbhw.exe
PID 5064 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe C:\Windows\System\wvJzbhw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe

"C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe"

C:\Windows\System\IGtTain.exe

C:\Windows\System\IGtTain.exe

C:\Windows\System\vAGaira.exe

C:\Windows\System\vAGaira.exe

C:\Windows\System\NKXQgdE.exe

C:\Windows\System\NKXQgdE.exe

C:\Windows\System\vDnMyUB.exe

C:\Windows\System\vDnMyUB.exe

C:\Windows\System\KEBUKbw.exe

C:\Windows\System\KEBUKbw.exe

C:\Windows\System\cxZvpfN.exe

C:\Windows\System\cxZvpfN.exe

C:\Windows\System\DuZOvLc.exe

C:\Windows\System\DuZOvLc.exe

C:\Windows\System\qFmMGwi.exe

C:\Windows\System\qFmMGwi.exe

C:\Windows\System\PioGgfk.exe

C:\Windows\System\PioGgfk.exe

C:\Windows\System\PeSzhup.exe

C:\Windows\System\PeSzhup.exe

C:\Windows\System\nnAVGAq.exe

C:\Windows\System\nnAVGAq.exe

C:\Windows\System\dgIHHBW.exe

C:\Windows\System\dgIHHBW.exe

C:\Windows\System\ERrDWNv.exe

C:\Windows\System\ERrDWNv.exe

C:\Windows\System\eraujBj.exe

C:\Windows\System\eraujBj.exe

C:\Windows\System\bVBvEDl.exe

C:\Windows\System\bVBvEDl.exe

C:\Windows\System\jvIuiuC.exe

C:\Windows\System\jvIuiuC.exe

C:\Windows\System\VbRDnvM.exe

C:\Windows\System\VbRDnvM.exe

C:\Windows\System\RqSnwoi.exe

C:\Windows\System\RqSnwoi.exe

C:\Windows\System\qydxbtB.exe

C:\Windows\System\qydxbtB.exe

C:\Windows\System\ogzKPRM.exe

C:\Windows\System\ogzKPRM.exe

C:\Windows\System\wvJzbhw.exe

C:\Windows\System\wvJzbhw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5064-0-0x00007FF7D8780000-0x00007FF7D8AD1000-memory.dmp

memory/5064-1-0x000002618C9C0000-0x000002618C9D0000-memory.dmp

C:\Windows\System\IGtTain.exe

MD5 4b33c247391903aed9ef26b3a51c1790
SHA1 9818048d71101ff56c924b3a9b5281a003d15b2c
SHA256 258cc0122b4a5d1429ceeca390d4a09ac8af76b9b7c22cc5153db58e8b4df418
SHA512 f23366cd17c1bf536be72180cd73525a1ad3c9e201159e12d8858b1f8777c516c0b038921e2dbefd7a57abc783a42440506d41e9541a0e3129de24f1208a3a14

C:\Windows\System\NKXQgdE.exe

MD5 bd2330c91d0d78c5f120754131611877
SHA1 e83baeb452e7073d9a8e4e88a5adfcce2cb637e1
SHA256 7d39a51d3f66641c61b317a1491d330f359dfdb6905c5c7a0e97e6a86caaf690
SHA512 16d8ccffb1b745c2b853a959929054c3fea7f3401a87a23aebddde668689994bb02057eb14ea5e7e39bd932bca164e991ff18fbeb560eda389c529c0bdf65717

C:\Windows\System\vAGaira.exe

MD5 134c89a3096f873ae1319ff651ce72a2
SHA1 667b72c82f16f7e0fe63d480eaa6d479a8f62ca2
SHA256 19e3c2ab9c3dd032097e33d6cbb49630cd1096cb69a97177e4cd781a4c737517
SHA512 f81418ec44ae780807aa44f155f4c1c4b48a5d389e07fb48ea36645f2d0ee6a3a6da9a033406ffd17847e83541f116850256dd9f6ac680804c93131ca637e5f6

memory/4632-14-0x00007FF681FA0000-0x00007FF6822F1000-memory.dmp

C:\Windows\System\vDnMyUB.exe

MD5 21b8ab3b5ce88ac3c0e122c2aab1b4e3
SHA1 d6d549de77591bc4ec57a067b8721bbbadf27ca8
SHA256 94f997ff483c4cab2d99e411bde4054158a2ed31a48107ca0c493e15567cc459
SHA512 563481f99d54e4728b6b0f30c2b968423d87288b8046f03cb83ccd731179566f01935b5a7b4d68863109e10d295ba7df2c954a6c277b2c2ed441d0ba39fac6b7

C:\Windows\System\cxZvpfN.exe

MD5 2402649bd65346486d903c36a004c7b5
SHA1 7a8ee5f9bee54d858d4482087de26d20a4c84641
SHA256 1f24ed0c8b5b71b3db47c52dbe11d2fffa45bd635fda4243028c65f4f4ed8fc6
SHA512 b953da02d42d90cf16b4c20085a974eff228541f7874cc7231c6ade9f73a2abf39bd5484127884fa79d0409ab24e842303ab51301235473779f20a2600477107

C:\Windows\System\KEBUKbw.exe

MD5 1656658fa84ab411e156edec8c449702
SHA1 1464d3286224fad4fda24203a50a8fb7de7b637a
SHA256 84158312dacca85c884631aeb301009d7a552bb65a32dd5919eff2100cd7e866
SHA512 d60164179d992ca04a3f818a8fac099339fbe73fee79c41ffdc4157df86831d7a759657b096744722161e1333226489e3545313117d111517e1a98f67f995a63

C:\Windows\System\nnAVGAq.exe

MD5 6cd047c004a5ad7a0f5e90788a194240
SHA1 fb5869a7315fa479d2cbe2d2e8b346f55a4419ab
SHA256 3a75fb35ee5a9bd6430799595b96134790e456831bc15dac98fc4b11a29bb475
SHA512 ed7ceb80d62bf75a823bfb2a6f85fbfa9e509da333e0d105ae774ec847ef63fd59adfaf177a9e3609abf5d171f10b342060d1d053d7a0857b8b1e0c43558dbfb

memory/1388-65-0x00007FF61BDF0000-0x00007FF61C141000-memory.dmp

C:\Windows\System\eraujBj.exe

MD5 6b5f3d9f9ecd3063cace23e4c8d192d4
SHA1 1ff777ac3ad2a2d3e23bfb45e18e0012e1dcfa94
SHA256 41f2124f85bb830503b2564afdff672f87d377010202b1b689ffce963e180bcd
SHA512 179713cfc4279374ddcb5468188f0010a4483b9d28cc70f408b2defd3adbf49bd3cbc673c3e4133484603fd560793f20dd02c36932758654fb8f9662017e8cb0

C:\Windows\System\qydxbtB.exe

MD5 a1a7865c46d6bb66cee3931a93fab04f
SHA1 d20298a234b5a2ddcbdac03ca8750d46fddeae80
SHA256 17cd08e77bb20d4fed5105119a9449b6017181e6c392b1cb549a29df3ee09273
SHA512 df251bd73ddc0cbcd6755dd918973d613c5a1532828eeba16b16e3bfbf6629dd48aa8a4f08a64f59a3568ccb19aecf90be6b9a928bf12400d97db88311e4b913

C:\Windows\System\wvJzbhw.exe

MD5 2dcaf9d558fbdc622e225d6bba633918
SHA1 985605e7eaec5aa817497d943d798799a7e19056
SHA256 a85c7138a1dabca746fd44be26b1c178da5dc55ad77f196acfcd6ee0a9a4c950
SHA512 e40d9157579eb97296cff7c141ce44e482f68bf1f4af65b8b9c31cb43ba7eed62fc15d5919709089f75f08dcbb26f5595581e4cfe80034dab99163f02a07113d

C:\Windows\System\jvIuiuC.exe

MD5 0ad165ba5751d5d55587fcd51d12489e
SHA1 59c37f6e9b345b71931754e63e49670215163b5b
SHA256 0497efb9836cd89f8c27f54f3e11ca97756502ba204430658239c4923cf9ccdb
SHA512 9f1795a6ab7a449ab57be78589219b2d868d342477e8b723ae3d968b6166cc1acd5dc157da8b00064988a697705bdcf2b8a44be2e09b6cf13fef84f9c7ff7acc

C:\Windows\System\ogzKPRM.exe

MD5 d56a0af0081ce3710b7347ad6539de28
SHA1 cb9a683c2ccdf3bf0298bc94408c00a07d999bb0
SHA256 e969ccbb6056f792a81efb045bb39a9797d539a6fef9c8f1f68480c31042f3e2
SHA512 160375e37e5d281c3020977ceec33a4739b922dd11aaabf692618801d2e562bcc525141cb81430658fe27ce2d8581383ac55c41a491111c39c19559fcef094ec

memory/3316-120-0x00007FF7116B0000-0x00007FF711A01000-memory.dmp

memory/3624-125-0x00007FF733AF0000-0x00007FF733E41000-memory.dmp

memory/1280-124-0x00007FF66B020000-0x00007FF66B371000-memory.dmp

memory/2444-119-0x00007FF68F4D0000-0x00007FF68F821000-memory.dmp

memory/840-118-0x00007FF626DF0000-0x00007FF627141000-memory.dmp

memory/1508-117-0x00007FF6AB800000-0x00007FF6ABB51000-memory.dmp

memory/1896-114-0x00007FF6183B0000-0x00007FF618701000-memory.dmp

memory/1204-112-0x00007FF623340000-0x00007FF623691000-memory.dmp

memory/376-111-0x00007FF634C30000-0x00007FF634F81000-memory.dmp

C:\Windows\System\RqSnwoi.exe

MD5 e02cb461f4fc3cca9de78bc8bae7edb5
SHA1 b777aed6ecf3258f047391ea426248a30b5b67e2
SHA256 4e4746e0ebb8af062d81d77d45a27944c1bb730e80db61f572a5325b347bd368
SHA512 9678f1660f473e733bbe439c2468aaa749338bba253de7689f931e08c9fb58d6e4f4074b624fdd61a724653552c32e0c69b2fc46eaeda99e1366ad437aed29e7

C:\Windows\System\VbRDnvM.exe

MD5 721d0582c046492fa1b5765bafdb2f10
SHA1 01ca9fa22eb52c0745369eea97e5f5142db2ff4a
SHA256 1bdaf5e850bcd130fd9595e87b6b325e4a34afcb6d66f4b92bf3dc2abd7ca70e
SHA512 33413c9e0f9032953d6e91cd834fdb0d3c743744f8a0db4eb0e797e389c3057b5e37bd628176052af618b5f79697617fdc16ca7677912d8b011cc79c64e4f7fe

memory/5000-103-0x00007FF628AF0000-0x00007FF628E41000-memory.dmp

memory/1692-102-0x00007FF724610000-0x00007FF724961000-memory.dmp

C:\Windows\System\bVBvEDl.exe

MD5 86ad3a52151b641bdc6041dfc0ed5246
SHA1 997533844ffdbcfe6759adba0ae55f1f77d483b6
SHA256 94bef5dbcc126074aded223ba582aeb51ac0402a2298c3cfee6f19362271deca
SHA512 e62e2f3e407071a9a15b00e5ddcdc392507ac734cb45489f0fde02f072acc295acfd998f29a99c6f6f42159e3f8a7628bb40d3a06ba51b34c417abeebc5ab675

memory/3540-98-0x00007FF7BCAB0000-0x00007FF7BCE01000-memory.dmp

memory/2992-89-0x00007FF7FE670000-0x00007FF7FE9C1000-memory.dmp

memory/3216-87-0x00007FF715B70000-0x00007FF715EC1000-memory.dmp

C:\Windows\System\ERrDWNv.exe

MD5 30cb817f74bfebb7a1534d45e582bf6a
SHA1 3ff96abb3e717d1a962916658f65f4daeb45e435
SHA256 2fad6896ed5f74c425e8ddcb7e31e57b5f597b4232942a343cbc0f021c3c807b
SHA512 e437bf1701bd53687d32f80823894c3c635f2425ade5749aa9b6061fa49f547184ff6b8fa442381f84557c90a6a58d556393325daf71ff13cffdf8a8de705aeb

C:\Windows\System\dgIHHBW.exe

MD5 946ec9f8b83e4662a276bfd9d560d938
SHA1 580b69094d25b383eb49cc01268f56046331319d
SHA256 0b029371ccc0d530c96205a807ee0e971dcad72e32972ec7eba4cee12a73d31d
SHA512 6689b8f921167d1bff1cd32deff5114fbdb358bad83501f69bb6728310dee4dd1db2b7bb08fd31da77c5a86c0058389b99e9fe1de6dcd022256ac64a33253274

memory/2472-75-0x00007FF7B8390000-0x00007FF7B86E1000-memory.dmp

C:\Windows\System\PeSzhup.exe

MD5 c1ec8342da6684637aa6498d2abd73b8
SHA1 d435d850154e7d0b01d308b1cc60748f9b42e762
SHA256 33eb66a4bb4015e36eb5dc4f9173cb31295bcbc32ff9966faa9e1a3759724da3
SHA512 ae4a346731c3d4b65e80b15ee1434bbec135e6dbc1e4e0f3b8fe362311dc3f709142b49f541adaf9a9c7e2621827ddba52148f5f4a2a30f619896fcaee287f4c

C:\Windows\System\PioGgfk.exe

MD5 7c3a199c551afae6139ad13f4f9017d1
SHA1 28ed042ae4132f3f2ef1ffe9dd035b1326a11c45
SHA256 d20b975ae8ae87e01a96110976f11e8f85ab6e0e37c8910dfab7aa323662c344
SHA512 375b7ee335667aa4eb32cc2f7ad5d0a1260c2fb65ded2e19606e1fcb47c68809b5a5dc38a0e7986db1d653049e8806355f8443ccf1aea89d1ba2d1872ca5f890

memory/4088-56-0x00007FF6F8A70000-0x00007FF6F8DC1000-memory.dmp

C:\Windows\System\qFmMGwi.exe

MD5 d6477e334ecd516a1fc2b60dd475f329
SHA1 d660d71d97e92460f4b5a2465c04a5a2ba94722a
SHA256 958d2b23bd80c3f65af0cd9efe7da38ebb1f93071c05c2407167389c6856f22b
SHA512 f7198bd076e674a47e8d6c49eb9992cf780a345516c18acf68b0644ac975e60f25f271307382a8ef483e757c05c90871d66253b19b9ee20e99cd85f589ca8750

memory/2580-41-0x00007FF608280000-0x00007FF6085D1000-memory.dmp

C:\Windows\System\DuZOvLc.exe

MD5 1c0dd96880b5c80d2574ca74c87bf7d3
SHA1 7b4c0806e2ee41d15c7d52ba9b67694959bfe4a5
SHA256 1e17acdf76a372a96ef6ff07cbeb1e0d8c1ecf6b9482de7193aede7d4b691f0c
SHA512 61d10f0605d24effba5514e9c54d9340b16b8b0bc8a93563579a2448bc61bd9b9102d6923de8a252ba08860c15d36230a7f00969beb2fc24c8a1cc15b6be23ae

memory/2408-28-0x00007FF61E070000-0x00007FF61E3C1000-memory.dmp

memory/4128-20-0x00007FF758520000-0x00007FF758871000-memory.dmp

memory/2408-132-0x00007FF61E070000-0x00007FF61E3C1000-memory.dmp

memory/2992-142-0x00007FF7FE670000-0x00007FF7FE9C1000-memory.dmp

memory/2472-138-0x00007FF7B8390000-0x00007FF7B86E1000-memory.dmp

memory/2580-133-0x00007FF608280000-0x00007FF6085D1000-memory.dmp

memory/4128-130-0x00007FF758520000-0x00007FF758871000-memory.dmp

memory/5064-128-0x00007FF7D8780000-0x00007FF7D8AD1000-memory.dmp

memory/3624-148-0x00007FF733AF0000-0x00007FF733E41000-memory.dmp

memory/376-149-0x00007FF634C30000-0x00007FF634F81000-memory.dmp

memory/5000-147-0x00007FF628AF0000-0x00007FF628E41000-memory.dmp

memory/1692-146-0x00007FF724610000-0x00007FF724961000-memory.dmp

memory/3540-144-0x00007FF7BCAB0000-0x00007FF7BCE01000-memory.dmp

memory/3216-139-0x00007FF715B70000-0x00007FF715EC1000-memory.dmp

memory/1388-137-0x00007FF61BDF0000-0x00007FF61C141000-memory.dmp

memory/5064-150-0x00007FF7D8780000-0x00007FF7D8AD1000-memory.dmp

memory/5064-172-0x00007FF7D8780000-0x00007FF7D8AD1000-memory.dmp

memory/4632-196-0x00007FF681FA0000-0x00007FF6822F1000-memory.dmp

memory/4128-198-0x00007FF758520000-0x00007FF758871000-memory.dmp

memory/2408-200-0x00007FF61E070000-0x00007FF61E3C1000-memory.dmp

memory/1204-202-0x00007FF623340000-0x00007FF623691000-memory.dmp

memory/4088-204-0x00007FF6F8A70000-0x00007FF6F8DC1000-memory.dmp

memory/2580-208-0x00007FF608280000-0x00007FF6085D1000-memory.dmp

memory/1896-207-0x00007FF6183B0000-0x00007FF618701000-memory.dmp

memory/1508-210-0x00007FF6AB800000-0x00007FF6ABB51000-memory.dmp

memory/1388-212-0x00007FF61BDF0000-0x00007FF61C141000-memory.dmp

memory/2472-214-0x00007FF7B8390000-0x00007FF7B86E1000-memory.dmp

memory/2444-216-0x00007FF68F4D0000-0x00007FF68F821000-memory.dmp

memory/3216-218-0x00007FF715B70000-0x00007FF715EC1000-memory.dmp

memory/840-226-0x00007FF626DF0000-0x00007FF627141000-memory.dmp

memory/1280-224-0x00007FF66B020000-0x00007FF66B371000-memory.dmp

memory/2992-222-0x00007FF7FE670000-0x00007FF7FE9C1000-memory.dmp

memory/3316-221-0x00007FF7116B0000-0x00007FF711A01000-memory.dmp

memory/3540-229-0x00007FF7BCAB0000-0x00007FF7BCE01000-memory.dmp

memory/376-231-0x00007FF634C30000-0x00007FF634F81000-memory.dmp

memory/5000-232-0x00007FF628AF0000-0x00007FF628E41000-memory.dmp

memory/3624-234-0x00007FF733AF0000-0x00007FF733E41000-memory.dmp

memory/1692-238-0x00007FF724610000-0x00007FF724961000-memory.dmp