Malware Analysis Report

2025-03-15 08:02

Sample ID 240815-lyqgysxcne
Target dfc8a622d0d0d1285a5d02644b908880N.exe
SHA256 2787d8692bd406c6c1d6b085c5e6ddcdeca4d05d5a2619083cc0e3b7375a12cb
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2787d8692bd406c6c1d6b085c5e6ddcdeca4d05d5a2619083cc0e3b7375a12cb

Threat Level: Known bad

The file dfc8a622d0d0d1285a5d02644b908880N.exe was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

Xmrig family

Cobaltstrike

xmrig

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 09:56

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 09:56

Reported

2024-08-15 09:58

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HzvZTeY.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\sTRsWwH.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\NpBUEJL.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\Imwvwsk.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\xxzGdFD.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\sccSQoc.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\OIyiBwe.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\hyxTIvQ.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\pyOaNOO.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\djnUtmx.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\rkqYrqY.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\lqIUhYc.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\ngCJMIS.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\njfJHFN.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\jvYfQmM.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\TMxwOdQ.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\eFmEBrj.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\dwMcnMj.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\blLahYe.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\uqVXUgo.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\iXSEQFN.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\TMxwOdQ.exe
PID 2732 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\xxzGdFD.exe
PID 2732 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\eFmEBrj.exe
PID 2732 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\dwMcnMj.exe
PID 2732 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\sccSQoc.exe
PID 2732 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\rkqYrqY.exe
PID 2732 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\lqIUhYc.exe
PID 2732 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\blLahYe.exe
PID 2732 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\OIyiBwe.exe
PID 2732 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\ngCJMIS.exe
PID 2732 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\uqVXUgo.exe
PID 2732 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\njfJHFN.exe
PID 2732 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\iXSEQFN.exe
PID 2732 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\hyxTIvQ.exe
PID 2732 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\HzvZTeY.exe
PID 2732 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\sTRsWwH.exe
PID 2732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\pyOaNOO.exe
PID 2732 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\NpBUEJL.exe
PID 2732 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\jvYfQmM.exe
PID 2732 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\djnUtmx.exe
PID 2732 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\Imwvwsk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe

"C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe"

C:\Windows\System\TMxwOdQ.exe

C:\Windows\System\TMxwOdQ.exe

C:\Windows\System\xxzGdFD.exe

C:\Windows\System\xxzGdFD.exe

C:\Windows\System\eFmEBrj.exe

C:\Windows\System\eFmEBrj.exe

C:\Windows\System\dwMcnMj.exe

C:\Windows\System\dwMcnMj.exe

C:\Windows\System\sccSQoc.exe

C:\Windows\System\sccSQoc.exe

C:\Windows\System\rkqYrqY.exe

C:\Windows\System\rkqYrqY.exe

C:\Windows\System\lqIUhYc.exe

C:\Windows\System\lqIUhYc.exe

C:\Windows\System\blLahYe.exe

C:\Windows\System\blLahYe.exe

C:\Windows\System\OIyiBwe.exe

C:\Windows\System\OIyiBwe.exe

C:\Windows\System\ngCJMIS.exe

C:\Windows\System\ngCJMIS.exe

C:\Windows\System\uqVXUgo.exe

C:\Windows\System\uqVXUgo.exe

C:\Windows\System\njfJHFN.exe

C:\Windows\System\njfJHFN.exe

C:\Windows\System\iXSEQFN.exe

C:\Windows\System\iXSEQFN.exe

C:\Windows\System\hyxTIvQ.exe

C:\Windows\System\hyxTIvQ.exe

C:\Windows\System\HzvZTeY.exe

C:\Windows\System\HzvZTeY.exe

C:\Windows\System\sTRsWwH.exe

C:\Windows\System\sTRsWwH.exe

C:\Windows\System\pyOaNOO.exe

C:\Windows\System\pyOaNOO.exe

C:\Windows\System\NpBUEJL.exe

C:\Windows\System\NpBUEJL.exe

C:\Windows\System\jvYfQmM.exe

C:\Windows\System\jvYfQmM.exe

C:\Windows\System\djnUtmx.exe

C:\Windows\System\djnUtmx.exe

C:\Windows\System\Imwvwsk.exe

C:\Windows\System\Imwvwsk.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 09:56

Reported

2024-08-15 09:58

Platform

win10v2004-20240802-en

Max time kernel

116s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\sgjNlzP.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\isrSXJa.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\CMqDAeR.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\LCQdvQa.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\numwASX.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\dSNAFuB.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\fZFsKeK.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\fbGoHmU.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\sMAvOxH.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\GYRvjCb.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\nGekGZO.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\sGMWqsp.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\QHSisKK.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\sGCnoRM.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\ZIjFayx.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\MUVjJmK.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\IJirQQK.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\NMRDfkC.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\fAuZHhk.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\NObfxuw.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A
File created C:\Windows\System\udkZlkH.exe C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\nGekGZO.exe
PID 1936 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\sGMWqsp.exe
PID 1936 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\QHSisKK.exe
PID 1936 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\CMqDAeR.exe
PID 1936 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\sGCnoRM.exe
PID 1936 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\NMRDfkC.exe
PID 1936 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\sgjNlzP.exe
PID 1936 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\isrSXJa.exe
PID 1936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\LCQdvQa.exe
PID 1936 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\fAuZHhk.exe
PID 1936 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\fZFsKeK.exe
PID 1936 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\fbGoHmU.exe
PID 1936 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\NObfxuw.exe
PID 1936 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\numwASX.exe
PID 1936 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\sMAvOxH.exe
PID 1936 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\udkZlkH.exe
PID 1936 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\dSNAFuB.exe
PID 1936 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\MUVjJmK.exe
PID 1936 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\GYRvjCb.exe
PID 1936 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\IJirQQK.exe
PID 1936 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe C:\Windows\System\ZIjFayx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe

"C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe"

C:\Windows\System\nGekGZO.exe

C:\Windows\System\nGekGZO.exe

C:\Windows\System\sGMWqsp.exe

C:\Windows\System\sGMWqsp.exe

C:\Windows\System\QHSisKK.exe

C:\Windows\System\QHSisKK.exe

C:\Windows\System\CMqDAeR.exe

C:\Windows\System\CMqDAeR.exe

C:\Windows\System\sGCnoRM.exe

C:\Windows\System\sGCnoRM.exe

C:\Windows\System\NMRDfkC.exe

C:\Windows\System\NMRDfkC.exe

C:\Windows\System\sgjNlzP.exe

C:\Windows\System\sgjNlzP.exe

C:\Windows\System\isrSXJa.exe

C:\Windows\System\isrSXJa.exe

C:\Windows\System\LCQdvQa.exe

C:\Windows\System\LCQdvQa.exe

C:\Windows\System\fAuZHhk.exe

C:\Windows\System\fAuZHhk.exe

C:\Windows\System\fZFsKeK.exe

C:\Windows\System\fZFsKeK.exe

C:\Windows\System\fbGoHmU.exe

C:\Windows\System\fbGoHmU.exe

C:\Windows\System\NObfxuw.exe

C:\Windows\System\NObfxuw.exe

C:\Windows\System\numwASX.exe

C:\Windows\System\numwASX.exe

C:\Windows\System\sMAvOxH.exe

C:\Windows\System\sMAvOxH.exe

C:\Windows\System\udkZlkH.exe

C:\Windows\System\udkZlkH.exe

C:\Windows\System\dSNAFuB.exe

C:\Windows\System\dSNAFuB.exe

C:\Windows\System\MUVjJmK.exe

C:\Windows\System\MUVjJmK.exe

C:\Windows\System\GYRvjCb.exe

C:\Windows\System\GYRvjCb.exe

C:\Windows\System\IJirQQK.exe

C:\Windows\System\IJirQQK.exe

C:\Windows\System\ZIjFayx.exe

C:\Windows\System\ZIjFayx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp

Files

C:\Windows\System\nGekGZO.exe

MD5 917cecf9e81a0192fcbaabee761b6529
SHA1 8586eee827f74251a83351233268b2440f746162
SHA256 326458a4fcebc21ce140b82507c0312ad9292e4a885b0ab362301ffb60fd2727
SHA512 c4f8be1c722151d78144aab0dbe34d4b06663651d3728f5379ba06bb571058b8135a4304d759dea64fce074c08a834a703b62f140db95915dd974c5fb9023f20

C:\Windows\System\QHSisKK.exe

MD5 418da85a9fb2e4a1996762b337dbcc17
SHA1 db6b0da2bb235297c5f03485bf42591abbbb4251
SHA256 c919adde334d16d786ebef3b715a13feb38abcc10ff4844a486e5fa64f22661d
SHA512 370c235fb3d693c5c065aec82330b874b0ee699aa5fe68fc1cafee838cefac69190411e031be368c71895864e58bc0308044ca815c7da3b0e5e806d5378be1f9

C:\Windows\System\sGMWqsp.exe

MD5 e40d81805a747a70b905957ab6a5851d
SHA1 ec5f20b0b835ee0a8f0ad4a8e823d8a895ba6d6c
SHA256 e6bf8145c17d1ecf7b6c3ed28e82ec8e81f25ebc278f29672c176f89353f13ff
SHA512 5d62e2002dd34600402522b3289ab1258266fe6530dbd93aa5eeed00ff99bd6308cb3c1439b4e431ea737a7132e6a8b9b0baadd012c8cbeed724544ac4894410

C:\Windows\System\CMqDAeR.exe

MD5 8b5b1b75c6255532334ebf1731e7f096
SHA1 6d3f733c546428ccd4eef26719becdad504cd5a1
SHA256 03af8600255395a235d9dbfa66db17623caf0f8e654d67eeddf6b3e4eb373a36
SHA512 36ae012e5fef6bb548b9c4043394cb13802b97a2bfd359b5582e6ad74b23ece1cb5999c97e299ca34c83154644fc6bce42afd41a253fe48199c055bd3a11c552

C:\Windows\System\sGCnoRM.exe

MD5 50a738b4636721dcc742c5f240e56867
SHA1 170da6e849d07d6913068543ddab45052b2235f9
SHA256 fa1a1bd5c929c78dc98fa3ba361241f1337922fe05dbac3793efc48566b0f9a7
SHA512 896c523ff104c323a4f410939802cd11d7efd21ca7471231054d4edd306d36db3d17e7d27128f72feb8f74433459c10e5dfaa054b98db67a79f7c5b201f5a4fc

C:\Windows\System\sgjNlzP.exe

MD5 66505fd2b68f2fbe1645b2dc00266c4b
SHA1 265db95ffce95d4d081e30a80028b87163bbbfd3
SHA256 6bd66af1ac4527742b2aaa37262614400fea5968c6353198fc8bf4f995f695ac
SHA512 9042a35c502712110877534353cd20ff20c666ca37d0dd537895e7e76579dc8cfcb72de04a4e9185b42cbc2d6e72b8539528de39bcf22e2ec641e948e600c2de

C:\Windows\System\isrSXJa.exe

MD5 c36c0e4a650f0da7a106e3a030d57758
SHA1 fedf2954614e5e08125d1ccd2f862b2717e450cd
SHA256 2256043826b0cee17c113a84bad06d9b864e6b4928ab34b38d72a23d1aac0630
SHA512 b70e80e7d5cc33104ca7a8e97a1811420a819c3572ad1924aa002618809dc3d5aa3c91b9a90a07db74da46693cb18f6453970b47e7023118a48e83e3ea1896c7

C:\Windows\System\fAuZHhk.exe

MD5 98c257e2a0355b36196db2ac4b56805d
SHA1 29f57b63dfc04343ecdba0a0ff143d32a22713e9
SHA256 a13a6dffa58272495480e2cea18b1d96520cec4e5971d2f9e70a6e53e8c7c2aa
SHA512 3eed6dac6a28cc56eee96c22e427e411669b46ed14f0cc8a37f9d5c9c255f28de6520b52ea618f4b20ce32cbe5534ddf56e2798a056d3eeeebca01ff0420f33d

C:\Windows\System\fZFsKeK.exe

MD5 c9dd21662579b9c1a6656c9c641775c6
SHA1 cbf3cdfe99dc03d953aa26e092359ba9d3889ff0
SHA256 b73c341010b385759a2a6cea8d555bdebbb15886c76ea7a093621216be775a32
SHA512 e74a2398df6f63f1a4d55f99fe2752b8ce5193fda6cdab745fcafa49c0cc57aaf59a0b1237a340e7e70a331e814762b381775ff65df6d6258787530dc75d8436

C:\Windows\System\NObfxuw.exe

MD5 bc116653bb5a07193928a9a92ed8617f
SHA1 d8a4399fadf26b92988cf8afd785b39865c44ec0
SHA256 69ba588e45dae25d2e1c6d8acd71be0f5b2963d67e1cdba1378371917840c6c4
SHA512 fddd435b86928a1a3f3398e1eb785a257f72ed61d3802dbc9fb3404cf059b13ae5746eb7f3ad6dda288f87e1804aaa4da949b6f2ca104736b4d390435aa93776

C:\Windows\System\numwASX.exe

MD5 b57a5a34c444ddefebbb6c815f90f5ed
SHA1 6ea331be6460cf9f8e42cb992d3040d5c18a55c7
SHA256 b3d4bcaae5811cd9d897f6410d14e298d4be90dfbf571b8d220c21412441365a
SHA512 d017f19a6ceeb9afaae4424385184ca3743dc3fc1e85ea06015cd299be07b004502747cba6e263c5d64513460e0e37610ad1f84b223a60f5c741d9efae690dfe

C:\Windows\System\udkZlkH.exe

MD5 85763807ffa4023088209af65de31f1c
SHA1 6c37a3869d7ebea3529e27b7fb2351af0d37df97
SHA256 ac6b72e3bc82c1836da148e462920b2f97c91ee3453ed4be3b30771df9718416
SHA512 8d7140073a79c21def8bc19c4d0624dd644565d4889826a1e573ff7cbc3d1458df09c126e0a7e89aae2f81eb13305f7c4102eca623bd33c90776922c667d6e65

C:\Windows\System\GYRvjCb.exe

MD5 74bde36d0cced7fb522f9f067c6bfc9b
SHA1 a756f7328518cd198a5661ebb33729e1d3b982a1
SHA256 2951ececb26ea5924a27c63d826aa2d6b092db7d4985b77f3848f6f26185d464
SHA512 32ad4b6469fc30fa53423fa86a28bc8e5220b6081f69dca018aac454ce358f073c118b7a8607dbf1abe6389d8d80373f1024fd7905a6cdfbb74327099dd9e879

C:\Windows\System\ZIjFayx.exe

MD5 922146d280feefefe98bac8486b7641a
SHA1 1b6717899bc6bfc606a4e1d07c5590ad81f3bf5c
SHA256 e1556d1fea069c6ce0553ce9fa81b4032e4413be677df4f17e11bc4984d09bff
SHA512 41212000608f168dac86174a8a3b9ee9dfd58d4f9b6f9b1383e71be212111bf63d62491379ab47f6760f52bdc859da56039374acf86ab269513f458e6d632e92

C:\Windows\System\IJirQQK.exe

MD5 a662823cc28d5479e71ce12c83e34b1f
SHA1 689e2c0ce6cc522b46dc416fe53e394dd53286f2
SHA256 1430c888c952cd9f30bfa0cf4d807f29e1f301a39a3d89261c7a444b12d586c2
SHA512 aba561c9286e629dac579a0fa22bfff37c09158fb1c3b9d525bb2be898f19798a501a3d5ff0e13a9de684a92b544eb4debc6fbee6f3512245067cc982008ea15

C:\Windows\System\MUVjJmK.exe

MD5 7338579a293ab737b70f8fdc9bda8170
SHA1 b4a87b1dde79521945c7b3eb561e0fc2bc8489ae
SHA256 dbcb6932eae52aa90daddce0bae531c11c537c07f98523e80d15d2a1b544d079
SHA512 cff37643c837e858c20cb40fafb77779071f06fca3cebb07d9f4de113517073b9c4b9199e42c2692cab564469107e878fc459495e7cc918e2a78e903ddf61565

C:\Windows\System\dSNAFuB.exe

MD5 82cdf330d67b0017a05f09847290add1
SHA1 49470dd435aa3a34635232aedd00b4293f3d10d9
SHA256 382a92d553d349131c504d329452cc660fd0ff57c7c717feab933c621313028a
SHA512 f088c6fb1c077cfb85c5e9382e05063b02ef4da1846daca985f3f4712a4e3b9eb7a58521095ea22fee2d91a24a9a1dc20a20fb5116a9902cfd65ac8a87db9af3

C:\Windows\System\sMAvOxH.exe

MD5 2c8d54dff95451a6c8e4ae43c8583cd7
SHA1 090b4e5ab375f8ac08599818f3b25d20f3790f6c
SHA256 2d608f37296f4fb7948e9c64244ec5f56fa299682b3fafa054c7175d7f6b6aa4
SHA512 663345621c03f576bf97e61694fb7bcbd218a5198e1a67922cd7f4fedf60cb0f1c879eef3d3227afe2f6125993c8536d0347119b691af4f2796627fb236bf7bb

C:\Windows\System\fbGoHmU.exe

MD5 7e6c559bca4d3adead5bb7b50acd9584
SHA1 8b2ed3b6658369496273c48d696bd9e75e494b5b
SHA256 83e37d7a120bd596a2ca9ed082e3e26dcbbd2d22dc36ce2930da3c433362a24c
SHA512 b0a70a4eb1435532822cf77a628a374aeae704883bbf05b9fff57310158e9b879d6c5a992e8d94e9e0ba2ecaf2ee49a77c07003c36c85c5ff809df795df60709

C:\Windows\System\LCQdvQa.exe

MD5 2af98bd749b9773fd5250de45a01fcbb
SHA1 93ceb65bb26be712dac5a4895644d8bf346fef62
SHA256 e3e2bf0028b45b80f792aa3146738b31e47e30c75bfbe7bd9ab9c6a3bda3e8d8
SHA512 177b38ae7932efa3dec21bf0b89b39542155f9b7a35bded1570abdab8b60d34a845a9d106b9824a59482f15e8c86e6139abf74a64512e01dba5e90633a3612b0

C:\Windows\System\NMRDfkC.exe

MD5 6e37ae946c943d7f924ace1bde9deb6c
SHA1 71b6d32d78c399f6f5d16499a1ecc9e5bdd94f7d
SHA256 23fec14d1a24cd694feac7f0fa3c3fb96b0122ca86a7c80444390c30b228c132
SHA512 b8da5aadc8215bea893e997c718fff2377410cc816808df3f62da9b4c8d30f137da67683ee1f2b37ed60c838f57744120796131383e744d517aa3a01f5756b58
