Malware Analysis Report

2025-03-15 08:08

Sample ID 240815-mxxqbayfrf
Target e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1
SHA256 e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1

Threat Level: Known bad

The file e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1 was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Cobaltstrike

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 10:51

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 10:51

Reported

2024-08-15 10:53

Platform

win7-20240705-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\hcKEmuA.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\bbdvqTT.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\HJeYymq.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\pNeUTif.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\QPXJSxo.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\YkkUYjw.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\DFWgMil.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\QiAhZMx.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\wdiLCzd.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\TKWVWjn.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\ZxCNvtS.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\oXtzcXT.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\unZvjEf.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\fFUTFtA.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\ZGaSjhh.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\GMdwZHW.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\YHnqPjN.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\sACSDfI.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\bTXGbch.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\obsqxNl.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\mXHhqKr.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\pNeUTif.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\pNeUTif.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\pNeUTif.exe
PID 2680 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\QPXJSxo.exe
PID 2680 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\QPXJSxo.exe
PID 2680 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\QPXJSxo.exe
PID 2680 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\obsqxNl.exe
PID 2680 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\obsqxNl.exe
PID 2680 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\obsqxNl.exe
PID 2680 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\hcKEmuA.exe
PID 2680 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\hcKEmuA.exe
PID 2680 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\hcKEmuA.exe
PID 2680 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\fFUTFtA.exe
PID 2680 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\fFUTFtA.exe
PID 2680 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\fFUTFtA.exe
PID 2680 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\TKWVWjn.exe
PID 2680 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\TKWVWjn.exe
PID 2680 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\TKWVWjn.exe
PID 2680 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\ZGaSjhh.exe
PID 2680 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\ZGaSjhh.exe
PID 2680 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\ZGaSjhh.exe
PID 2680 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\oXtzcXT.exe
PID 2680 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\oXtzcXT.exe
PID 2680 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\oXtzcXT.exe
PID 2680 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\ZxCNvtS.exe
PID 2680 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\ZxCNvtS.exe
PID 2680 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\ZxCNvtS.exe
PID 2680 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\bbdvqTT.exe
PID 2680 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\bbdvqTT.exe
PID 2680 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\bbdvqTT.exe
PID 2680 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\YkkUYjw.exe
PID 2680 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\YkkUYjw.exe
PID 2680 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\YkkUYjw.exe
PID 2680 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\mXHhqKr.exe
PID 2680 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\mXHhqKr.exe
PID 2680 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\mXHhqKr.exe
PID 2680 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\GMdwZHW.exe
PID 2680 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\GMdwZHW.exe
PID 2680 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\GMdwZHW.exe
PID 2680 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\YHnqPjN.exe
PID 2680 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\YHnqPjN.exe
PID 2680 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\YHnqPjN.exe
PID 2680 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\sACSDfI.exe
PID 2680 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\sACSDfI.exe
PID 2680 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\sACSDfI.exe
PID 2680 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\bTXGbch.exe
PID 2680 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\bTXGbch.exe
PID 2680 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\bTXGbch.exe
PID 2680 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\unZvjEf.exe
PID 2680 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\unZvjEf.exe
PID 2680 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\unZvjEf.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\HJeYymq.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\HJeYymq.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\HJeYymq.exe
PID 2680 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\DFWgMil.exe
PID 2680 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\DFWgMil.exe
PID 2680 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\DFWgMil.exe
PID 2680 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\QiAhZMx.exe
PID 2680 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\QiAhZMx.exe
PID 2680 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\QiAhZMx.exe
PID 2680 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\wdiLCzd.exe
PID 2680 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\wdiLCzd.exe
PID 2680 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\wdiLCzd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe

"C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe"

C:\Windows\System\pNeUTif.exe

C:\Windows\System\pNeUTif.exe

C:\Windows\System\QPXJSxo.exe

C:\Windows\System\QPXJSxo.exe

C:\Windows\System\obsqxNl.exe

C:\Windows\System\obsqxNl.exe

C:\Windows\System\hcKEmuA.exe

C:\Windows\System\hcKEmuA.exe

C:\Windows\System\fFUTFtA.exe

C:\Windows\System\fFUTFtA.exe

C:\Windows\System\TKWVWjn.exe

C:\Windows\System\TKWVWjn.exe

C:\Windows\System\ZGaSjhh.exe

C:\Windows\System\ZGaSjhh.exe

C:\Windows\System\oXtzcXT.exe

C:\Windows\System\oXtzcXT.exe

C:\Windows\System\ZxCNvtS.exe

C:\Windows\System\ZxCNvtS.exe

C:\Windows\System\bbdvqTT.exe

C:\Windows\System\bbdvqTT.exe

C:\Windows\System\YkkUYjw.exe

C:\Windows\System\YkkUYjw.exe

C:\Windows\System\mXHhqKr.exe

C:\Windows\System\mXHhqKr.exe

C:\Windows\System\GMdwZHW.exe

C:\Windows\System\GMdwZHW.exe

C:\Windows\System\YHnqPjN.exe

C:\Windows\System\YHnqPjN.exe

C:\Windows\System\sACSDfI.exe

C:\Windows\System\sACSDfI.exe

C:\Windows\System\bTXGbch.exe

C:\Windows\System\bTXGbch.exe

C:\Windows\System\unZvjEf.exe

C:\Windows\System\unZvjEf.exe

C:\Windows\System\HJeYymq.exe

C:\Windows\System\HJeYymq.exe

C:\Windows\System\DFWgMil.exe

C:\Windows\System\DFWgMil.exe

C:\Windows\System\QiAhZMx.exe

C:\Windows\System\QiAhZMx.exe

C:\Windows\System\wdiLCzd.exe

C:\Windows\System\wdiLCzd.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2680-0-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/2680-1-0x0000000000300000-0x0000000000310000-memory.dmp

memory/2520-15-0x000000013FCC0000-0x0000000140011000-memory.dmp

C:\Windows\system\obsqxNl.exe

MD5 903d373db2f11f2bb9597d974192ce76
SHA1 474b2c62237ac20cf500d912a0f9446850053095
SHA256 8e5011e80f22435676a9183b17a976fe8bf3c772c2ddfbd8d24cc5a9aca433d6
SHA512 c9025c97468768861688357c67fffa6c7ae71b4f226893f54e4a7d06a65a3bf042c70d1e302dbd2b321228d66c3b5df037178be269ad8a68164224179ba569e6

C:\Windows\system\QPXJSxo.exe

MD5 d668fd47baaa63f4317ab6283bb61ad8
SHA1 ea841838af3ec79ae3da1d10502ce0e304bc8e5a
SHA256 f8c6051e1c3a65880f12ab6813a55387c527fd58c97fc32f41da18bb26910feb
SHA512 9645436c5195bf302fcbae583e29a48a881eb5d254d4fbff31c3aa068e56f2ed798c8980cdd7f6bc45dcde4828a8b26d4f3bc7f5518372d88d7403c8b00e520b

C:\Windows\system\pNeUTif.exe

MD5 6ce81c54a0315b87165b806bb4085549
SHA1 a92e1aa30df9c5492666f9ef1c8d5d971ec16665
SHA256 a506a226c826d60306192ea6540d63644480f60f9ccc07570b9a35f43284b2ab
SHA512 f2f927809eda3cd2fd2a812f973417869b0d047618da90030e0bdec26008049c9ba5ef7668267b2056d06d1c8b61adb41821a7b80986a8f5e92edc847257d86a

\Windows\system\hcKEmuA.exe

MD5 a83052784b96e368afe241e080dab7fb
SHA1 5f19cfbf45937c54a30c07d8b80a0850c4f47edf
SHA256 4cc347dd33a8f57e5af9d821de8707334870694adffd80e102afe80ac194ca25
SHA512 7db23a4ce19ecfd8012f39652a18ce09c959b99df1057bb19cb1aa4302cb3923a51b0a439832ba9fd5dbd8959f1ecc932003ea53c451cb8539ad75ecb222a836

memory/2680-23-0x000000013F2E0000-0x000000013F631000-memory.dmp

\Windows\system\YkkUYjw.exe

MD5 a987252775eaebb7c85f0b4516ef45e7
SHA1 9d9df9e08127445e734eb8e4c094a2e2daadc6db
SHA256 1d1391182cb84cc25b6f94e9e676fb7033ce65b4acd1f63e5ee7c56c0499c360
SHA512 cc94e7b2ce921e65e901b84cbb5900656e6708511698d18da836d451500e658b613b679135ee26dd1aa83e980e0a96466bd9d3936a503f48f6974cdee7c6f164

memory/2636-91-0x000000013FE60000-0x00000001401B1000-memory.dmp

C:\Windows\system\bbdvqTT.exe

MD5 3f708a9675d5771fc8e97af63804d484
SHA1 58a09d2d0e18753db3860e83c675941bdbbbe31f
SHA256 80197c037897dc2fa70d34b29b3e77bf1efb0445033af9715b6a3d59965dfec8
SHA512 4603f4cdf2d6f079f72e393b9e5f5f7d87bf2d32273adbde07b8bc06ea65ea9dc3a126e52fdc53bffc3ecfe47d575e5516f6fdcc5a34d1a445d3994f858f2078

memory/2520-95-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2680-97-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2680-96-0x000000013F2E0000-0x000000013F631000-memory.dmp

\Windows\system\YHnqPjN.exe

MD5 f540d381314c595570aff0884615628e
SHA1 e172b8cb1e158a02bcc642ff426645b3eb110413
SHA256 aa6ad9c5685e10f9bc0a71d310db1d56febd7ea9c6397d500a1c3f711027041a
SHA512 21cb72ca807bf032f8e7844b2c33867d91bd9bd54c419f1b7d390fd3b8853e979450f1b988dae0c31450be58a96cda851107bb3cd273b7e19a7280e48dbc6512

C:\Windows\system\mXHhqKr.exe

MD5 e95c32544c2fb0e839640fdfbf726ea0
SHA1 4ae37b9bfc8317476e16d49d418a5e08175e657d
SHA256 50da6336326ddd04e5b34f57a2a5a52e3d0a9497c76d288bac2c4461a345803f
SHA512 72f5e422b2662574e04e53d17e0d8746e7ea910d1bbc1da47457ee9270bbd21dbab52d07229ac68d2b742c472214d0f491e2591efeb50cf12d0f95af0afdac0e

memory/2644-102-0x000000013FB80000-0x000000013FED1000-memory.dmp

C:\Windows\system\bTXGbch.exe

MD5 3bc11bbab5ebc181a64f5e24f2bca2e0
SHA1 2026a10a61b812ca8f2fd55ed54f038aea384165
SHA256 292a7e9cd4452283c71c8082111a97abec4642f81a127f928ef2791d1adb4ede
SHA512 4e56da5545d1136638bfd693554852d0e53793d302baf06e6d75e8bf2610723e900160a69f1c760202fa9355ced87d082454ae72f65709bb275775209a36a2bb

C:\Windows\system\HJeYymq.exe

MD5 5cef17c5d530e1b4b46a650e6054d928
SHA1 42fa5cac93247b89a37d516e50857bc1d08762c1
SHA256 2aeb316c2dafd2a96b1859e3c0ae38be7ca40323b90c386c43ceb086a9717bc4
SHA512 ff196b05c723463ec0952122073469e963f55ccc93ebf39605fd398571bc181c69ca604803d694d0b83f730d3c92c7969e57e494b75f4e937f59a322370c3b1a

C:\Windows\system\QiAhZMx.exe

MD5 641e5f44bf180e7dcebec5672a0faf34
SHA1 8d686d4d7dd5b2f35f96d2fecec8370e53ad3706
SHA256 5fdc6313a2a2ae5e9cab2e1f51c4500b713201a6b95da5b5ccea31de4de777f3
SHA512 6fad3aea39d498b4328e6a35ea90029435fa0e6d88b9073e19e7b2dbd7d314ec78f12d279be2d6ef42d0699b5abfb9e4c48c0ec01ca47beba6736370c91bc816

C:\Windows\system\wdiLCzd.exe

MD5 35515f313c1f26da9ce294db480cac47
SHA1 7834c7c6a114faa237e2889fc04e9d92ed517482
SHA256 fb9483a57c159d584c6c73b0416f5ad758fde601e76008f95268ddc80db8eb1b
SHA512 4d954dc8d8097834bf1c2b7537b62ba10b0657cd85fdd1962477c2ded5049093c755b93933a0c0f690c2c39b46ce4e0da794bb6702636a263c2b832dac85ae2a

C:\Windows\system\DFWgMil.exe

MD5 59eb5ef8d47bfa752ebe4dac72c746af
SHA1 1882ae6e9f4f2deb37675301203c7d683cb47f5a
SHA256 555ae055659589b82e66ade04a808541d8734e23a2bf94c259f8f71d3bbfdfc8
SHA512 09a01b7bc07a5323f65240ebf501e29af0e28bf011d18c488bbab2de5903c195fc85dcc84532491e52c8655ad7c6d6b317682e39acf38121b632644fc0da6896

memory/2468-138-0x000000013F620000-0x000000013F971000-memory.dmp

C:\Windows\system\unZvjEf.exe

MD5 ce36291168304a847d7f55fc496d88d4
SHA1 31da3a796f4703f0bcd756e126c4dcfbf8a25c1a
SHA256 a948197d9a88d0bf1aa129fd73203c18ca34e7ee6f0ebc14126492caa1c1fbd9
SHA512 c07813e2d010d4068560ad6e9caa987ca1b7d08e99f887110332430fb73b49bd796ea762028839362211713337329ffe7526b17bf69700e30822c7812542a1dc

memory/2752-139-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/2680-107-0x000000013F650000-0x000000013F9A1000-memory.dmp

C:\Windows\system\sACSDfI.exe

MD5 c62711399e05115672c6cdccea90ecdd
SHA1 4e37e34d89598688bac4ece85ce246bfecae797b
SHA256 5e3b27c03ccd0c17dbf38a004728b30b2f6917664c6d1f9d7b4951d18314e2be
SHA512 6ab25075ffbe41859270b496d2130e2b06c6e8e22ac5dbe5c9fd8b4385e64bdda81dced052030acb543e6319f4f79c19e682b707fc33f84a49a2026ea35aa3ac

memory/2616-93-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2680-92-0x000000013F770000-0x000000013FAC1000-memory.dmp

C:\Windows\system\oXtzcXT.exe

MD5 18d2a5e38db922cc516cddc8ae3abb4c
SHA1 acd19990f60de557126b05714c9907428ee263d8
SHA256 1c5681f9fcab0b112459882627eee15b7250defc619da722519ef7046ff729a8
SHA512 4bbcbcbfdc6af8432a8ac2bfc8a0f8bd1b5d95ea06a7d02da966b74252e07011fcb6b13d8b3c53492138ae1052651faa57b01f5cd77a9040d36fda618b488103

memory/2904-76-0x000000013F890000-0x000000013FBE1000-memory.dmp

memory/2820-75-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2680-140-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2680-74-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2680-73-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2680-71-0x000000013F890000-0x000000013FBE1000-memory.dmp

memory/2728-70-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2680-68-0x000000013F210000-0x000000013F561000-memory.dmp

memory/2680-67-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2680-66-0x000000013F2F0000-0x000000013F641000-memory.dmp

C:\Windows\system\ZxCNvtS.exe

MD5 d71f67fdaec2c05650b744e4b9bb39ff
SHA1 c6dbaa08eb69b8bc4e1743ea355c907dd70c7f52
SHA256 bab8af46e5e1df25fb6a35d9a69cf5d8af04e78bda1ba11e1bfc39ee8177a4b7
SHA512 32aca56a178acd20cff4e88145fbc2c699b3ea75c5738d265973fa3d049003512b178e96ca0b0f2dc42b0b8d1d2c32a97305919c8c0e604cb787e9448651ce3f

memory/2752-48-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/2900-90-0x000000013F210000-0x000000013F561000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:51

Reported

2024-08-15 10:53

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cyQJUgl.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\PTTVOXo.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\vEYtLWr.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\myCPWkZ.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\fSiLWIC.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\HXqaKKt.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\PkoPHWu.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\VcAJkRz.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\jjXCTXi.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\kqLKiMk.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\LonmFaS.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\FFIYHLw.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\voROaav.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\TZucjTU.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\nCmMzXw.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\NUtHBNQ.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\onWtCAC.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\syGzeJX.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\GmevZhw.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\BMtVVOj.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
File created C:\Windows\System\jZfQyus.exe C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5072 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\syGzeJX.exe
PID 5072 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\syGzeJX.exe
PID 5072 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\cyQJUgl.exe
PID 5072 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\cyQJUgl.exe
PID 5072 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\PTTVOXo.exe
PID 5072 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\PTTVOXo.exe
PID 5072 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\PkoPHWu.exe
PID 5072 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\PkoPHWu.exe
PID 5072 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\voROaav.exe
PID 5072 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\voROaav.exe
PID 5072 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\VcAJkRz.exe
PID 5072 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\VcAJkRz.exe
PID 5072 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\jjXCTXi.exe
PID 5072 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\jjXCTXi.exe
PID 5072 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\GmevZhw.exe
PID 5072 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\GmevZhw.exe
PID 5072 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\TZucjTU.exe
PID 5072 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\TZucjTU.exe
PID 5072 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\nCmMzXw.exe
PID 5072 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\nCmMzXw.exe
PID 5072 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\vEYtLWr.exe
PID 5072 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\vEYtLWr.exe
PID 5072 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\myCPWkZ.exe
PID 5072 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\myCPWkZ.exe
PID 5072 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\NUtHBNQ.exe
PID 5072 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\NUtHBNQ.exe
PID 5072 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\BMtVVOj.exe
PID 5072 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\BMtVVOj.exe
PID 5072 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\jZfQyus.exe
PID 5072 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\jZfQyus.exe
PID 5072 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\kqLKiMk.exe
PID 5072 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\kqLKiMk.exe
PID 5072 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\LonmFaS.exe
PID 5072 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\LonmFaS.exe
PID 5072 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\FFIYHLw.exe
PID 5072 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\FFIYHLw.exe
PID 5072 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\onWtCAC.exe
PID 5072 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\onWtCAC.exe
PID 5072 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\fSiLWIC.exe
PID 5072 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\fSiLWIC.exe
PID 5072 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\HXqaKKt.exe
PID 5072 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe C:\Windows\System\HXqaKKt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe

"C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe"

C:\Windows\System\syGzeJX.exe

C:\Windows\System\syGzeJX.exe

C:\Windows\System\cyQJUgl.exe

C:\Windows\System\cyQJUgl.exe

C:\Windows\System\PTTVOXo.exe

C:\Windows\System\PTTVOXo.exe

C:\Windows\System\PkoPHWu.exe

C:\Windows\System\PkoPHWu.exe

C:\Windows\System\voROaav.exe

C:\Windows\System\voROaav.exe

C:\Windows\System\VcAJkRz.exe

C:\Windows\System\VcAJkRz.exe

C:\Windows\System\jjXCTXi.exe

C:\Windows\System\jjXCTXi.exe

C:\Windows\System\GmevZhw.exe

C:\Windows\System\GmevZhw.exe

C:\Windows\System\TZucjTU.exe

C:\Windows\System\TZucjTU.exe

C:\Windows\System\nCmMzXw.exe

C:\Windows\System\nCmMzXw.exe

C:\Windows\System\vEYtLWr.exe

C:\Windows\System\vEYtLWr.exe

C:\Windows\System\myCPWkZ.exe

C:\Windows\System\myCPWkZ.exe

C:\Windows\System\NUtHBNQ.exe

C:\Windows\System\NUtHBNQ.exe

C:\Windows\System\BMtVVOj.exe

C:\Windows\System\BMtVVOj.exe

C:\Windows\System\jZfQyus.exe

C:\Windows\System\jZfQyus.exe

C:\Windows\System\kqLKiMk.exe

C:\Windows\System\kqLKiMk.exe

C:\Windows\System\LonmFaS.exe

C:\Windows\System\LonmFaS.exe

C:\Windows\System\FFIYHLw.exe

C:\Windows\System\FFIYHLw.exe

C:\Windows\System\onWtCAC.exe

C:\Windows\System\onWtCAC.exe

C:\Windows\System\fSiLWIC.exe

C:\Windows\System\fSiLWIC.exe

C:\Windows\System\HXqaKKt.exe

C:\Windows\System\HXqaKKt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
