xmrig | 6592b26376a98592bffbf57fe94ee258f4e74552b53be4d3f2547c38d68931bd

Analysis

max time kernel
110s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 11:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06ea833649c32f16e110e3462dfa8750N.exe
Size

1.2MB
MD5

06ea833649c32f16e110e3462dfa8750
SHA1

ce7b5c47766fb1f4c821cb311697ac447c7432cc
SHA256

6592b26376a98592bffbf57fe94ee258f4e74552b53be4d3f2547c38d68931bd
SHA512

f91dc2aa5f8771f9ebe62275a1ee16a9ece35927602d58f3706471048b96a43d1abab28eddfd5f04e35559068dbe46886da712bedf0c238658f3ef448a7b1d83
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlgQ5aILMCfmAUhrSO1YNqg:knw9oUUEEDld5aIwC+AUBsn

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/3652-112-0x00007FF6A4E60000-0x00007FF6A5251000-memory.dmp	xmrig
behavioral2/memory/2820-113-0x00007FF76D620000-0x00007FF76DA11000-memory.dmp	xmrig
behavioral2/memory/2940-111-0x00007FF6D1E40000-0x00007FF6D2231000-memory.dmp	xmrig
behavioral2/memory/4016-114-0x00007FF77B4E0000-0x00007FF77B8D1000-memory.dmp	xmrig
behavioral2/memory/4484-115-0x00007FF79ACD0000-0x00007FF79B0C1000-memory.dmp	xmrig
behavioral2/memory/440-116-0x00007FF76F590000-0x00007FF76F981000-memory.dmp	xmrig
behavioral2/memory/4772-117-0x00007FF737720000-0x00007FF737B11000-memory.dmp	xmrig
behavioral2/memory/4776-118-0x00007FF62A100000-0x00007FF62A4F1000-memory.dmp	xmrig
behavioral2/memory/4600-119-0x00007FF68BA10000-0x00007FF68BE01000-memory.dmp	xmrig
behavioral2/memory/2288-120-0x00007FF6F78D0000-0x00007FF6F7CC1000-memory.dmp	xmrig
behavioral2/memory/3504-122-0x00007FF6A28C0000-0x00007FF6A2CB1000-memory.dmp	xmrig
behavioral2/memory/2948-121-0x00007FF661690000-0x00007FF661A81000-memory.dmp	xmrig
behavioral2/memory/1912-123-0x00007FF6871E0000-0x00007FF6875D1000-memory.dmp	xmrig
behavioral2/memory/4660-125-0x00007FF729F50000-0x00007FF72A341000-memory.dmp	xmrig
behavioral2/memory/4508-127-0x00007FF688600000-0x00007FF6889F1000-memory.dmp	xmrig
behavioral2/memory/1388-126-0x00007FF7670B0000-0x00007FF7674A1000-memory.dmp	xmrig
behavioral2/memory/2004-124-0x00007FF76F830000-0x00007FF76FC21000-memory.dmp	xmrig
behavioral2/memory/4796-130-0x00007FF6FB2A0000-0x00007FF6FB691000-memory.dmp	xmrig
behavioral2/memory/4448-131-0x00007FF77DD50000-0x00007FF77E141000-memory.dmp	xmrig
behavioral2/memory/4576-133-0x00007FF612C60000-0x00007FF613051000-memory.dmp	xmrig
behavioral2/memory/1528-128-0x00007FF72E8C0000-0x00007FF72ECB1000-memory.dmp	xmrig
behavioral2/memory/2772-129-0x00007FF7EA2E0000-0x00007FF7EA6D1000-memory.dmp	xmrig
behavioral2/memory/1528-150-0x00007FF72E8C0000-0x00007FF72ECB1000-memory.dmp	xmrig
behavioral2/memory/2772-202-0x00007FF7EA2E0000-0x00007FF7EA6D1000-memory.dmp	xmrig
behavioral2/memory/1388-220-0x00007FF7670B0000-0x00007FF7674A1000-memory.dmp	xmrig
behavioral2/memory/4796-224-0x00007FF6FB2A0000-0x00007FF6FB691000-memory.dmp	xmrig
behavioral2/memory/2940-225-0x00007FF6D1E40000-0x00007FF6D2231000-memory.dmp	xmrig
behavioral2/memory/4448-221-0x00007FF77DD50000-0x00007FF77E141000-memory.dmp	xmrig
behavioral2/memory/440-232-0x00007FF76F590000-0x00007FF76F981000-memory.dmp	xmrig
behavioral2/memory/4016-230-0x00007FF77B4E0000-0x00007FF77B8D1000-memory.dmp	xmrig
behavioral2/memory/4772-241-0x00007FF737720000-0x00007FF737B11000-memory.dmp	xmrig
behavioral2/memory/2004-255-0x00007FF76F830000-0x00007FF76FC21000-memory.dmp	xmrig
behavioral2/memory/4660-257-0x00007FF729F50000-0x00007FF72A341000-memory.dmp	xmrig
behavioral2/memory/2288-253-0x00007FF6F78D0000-0x00007FF6F7CC1000-memory.dmp	xmrig
behavioral2/memory/3504-250-0x00007FF6A28C0000-0x00007FF6A2CB1000-memory.dmp	xmrig
behavioral2/memory/3652-245-0x00007FF6A4E60000-0x00007FF6A5251000-memory.dmp	xmrig
behavioral2/memory/4600-244-0x00007FF68BA10000-0x00007FF68BE01000-memory.dmp	xmrig
behavioral2/memory/4508-238-0x00007FF688600000-0x00007FF6889F1000-memory.dmp	xmrig
behavioral2/memory/2948-252-0x00007FF661690000-0x00007FF661A81000-memory.dmp	xmrig
behavioral2/memory/1912-248-0x00007FF6871E0000-0x00007FF6875D1000-memory.dmp	xmrig
behavioral2/memory/2820-235-0x00007FF76D620000-0x00007FF76DA11000-memory.dmp	xmrig
behavioral2/memory/4484-233-0x00007FF79ACD0000-0x00007FF79B0C1000-memory.dmp	xmrig
behavioral2/memory/4776-240-0x00007FF62A100000-0x00007FF62A4F1000-memory.dmp	xmrig
behavioral2/memory/4576-228-0x00007FF612C60000-0x00007FF613051000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2772	MZenmTp.exe
4796	ZskNDbX.exe
4448	gFsHPss.exe
1388	eViGdpN.exe
4576	blbtSPe.exe
2940	TrHRrVu.exe
4508	cORrcBe.exe
3652	JlhhDtM.exe
2820	gZatbqh.exe
4016	tKigIHH.exe
4484	VouSdyW.exe
440	cUzityX.exe
4772	kGPwhMi.exe
4776	hoKELmK.exe
4600	bCuuwzR.exe
2288	MtBfSOj.exe
2948	nvqEgGC.exe
3504	luKSwhG.exe
1912	AFDdsdF.exe
2004	PrCAajy.exe
4660	YeyuIpq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1528-0-0x00007FF72E8C0000-0x00007FF72ECB1000-memory.dmp	upx
behavioral2/files/0x0009000000023433-5.dat	upx
behavioral2/files/0x000700000002343f-12.dat	upx
behavioral2/files/0x0007000000023440-20.dat	upx
behavioral2/files/0x0007000000023441-32.dat	upx
behavioral2/files/0x0007000000023445-47.dat	upx
behavioral2/files/0x0007000000023450-107.dat	upx
behavioral2/files/0x0007000000023451-109.dat	upx
behavioral2/files/0x000700000002344f-103.dat	upx
behavioral2/files/0x000700000002344e-95.dat	upx
behavioral2/files/0x000700000002344d-93.dat	upx
behavioral2/files/0x000700000002344c-88.dat	upx
behavioral2/files/0x000700000002344b-83.dat	upx
behavioral2/files/0x000700000002344a-75.dat	upx
behavioral2/files/0x0007000000023449-70.dat	upx
behavioral2/files/0x0007000000023448-68.dat	upx
behavioral2/files/0x0007000000023447-60.dat	upx
behavioral2/files/0x0007000000023446-55.dat	upx
behavioral2/files/0x0007000000023444-46.dat	upx
behavioral2/files/0x0007000000023443-40.dat	upx
behavioral2/memory/4576-38-0x00007FF612C60000-0x00007FF613051000-memory.dmp	upx
behavioral2/memory/4448-35-0x00007FF77DD50000-0x00007FF77E141000-memory.dmp	upx
behavioral2/files/0x0007000000023442-30.dat	upx
behavioral2/files/0x000700000002343e-27.dat	upx
behavioral2/memory/4796-17-0x00007FF6FB2A0000-0x00007FF6FB691000-memory.dmp	upx
behavioral2/memory/2772-9-0x00007FF7EA2E0000-0x00007FF7EA6D1000-memory.dmp	upx
behavioral2/memory/3652-112-0x00007FF6A4E60000-0x00007FF6A5251000-memory.dmp	upx
behavioral2/memory/2820-113-0x00007FF76D620000-0x00007FF76DA11000-memory.dmp	upx
behavioral2/memory/2940-111-0x00007FF6D1E40000-0x00007FF6D2231000-memory.dmp	upx
behavioral2/memory/4016-114-0x00007FF77B4E0000-0x00007FF77B8D1000-memory.dmp	upx
behavioral2/memory/4484-115-0x00007FF79ACD0000-0x00007FF79B0C1000-memory.dmp	upx
behavioral2/memory/440-116-0x00007FF76F590000-0x00007FF76F981000-memory.dmp	upx
behavioral2/memory/4772-117-0x00007FF737720000-0x00007FF737B11000-memory.dmp	upx
behavioral2/memory/4776-118-0x00007FF62A100000-0x00007FF62A4F1000-memory.dmp	upx
behavioral2/memory/4600-119-0x00007FF68BA10000-0x00007FF68BE01000-memory.dmp	upx
behavioral2/memory/2288-120-0x00007FF6F78D0000-0x00007FF6F7CC1000-memory.dmp	upx
behavioral2/memory/3504-122-0x00007FF6A28C0000-0x00007FF6A2CB1000-memory.dmp	upx
behavioral2/memory/2948-121-0x00007FF661690000-0x00007FF661A81000-memory.dmp	upx
behavioral2/memory/1912-123-0x00007FF6871E0000-0x00007FF6875D1000-memory.dmp	upx
behavioral2/memory/4660-125-0x00007FF729F50000-0x00007FF72A341000-memory.dmp	upx
behavioral2/memory/4508-127-0x00007FF688600000-0x00007FF6889F1000-memory.dmp	upx
behavioral2/memory/1388-126-0x00007FF7670B0000-0x00007FF7674A1000-memory.dmp	upx
behavioral2/memory/2004-124-0x00007FF76F830000-0x00007FF76FC21000-memory.dmp	upx
behavioral2/memory/4796-130-0x00007FF6FB2A0000-0x00007FF6FB691000-memory.dmp	upx
behavioral2/memory/4448-131-0x00007FF77DD50000-0x00007FF77E141000-memory.dmp	upx
behavioral2/memory/4576-133-0x00007FF612C60000-0x00007FF613051000-memory.dmp	upx
behavioral2/memory/1528-128-0x00007FF72E8C0000-0x00007FF72ECB1000-memory.dmp	upx
behavioral2/memory/2772-129-0x00007FF7EA2E0000-0x00007FF7EA6D1000-memory.dmp	upx
behavioral2/memory/1528-150-0x00007FF72E8C0000-0x00007FF72ECB1000-memory.dmp	upx
behavioral2/memory/2772-202-0x00007FF7EA2E0000-0x00007FF7EA6D1000-memory.dmp	upx
behavioral2/memory/1388-220-0x00007FF7670B0000-0x00007FF7674A1000-memory.dmp	upx
behavioral2/memory/4796-224-0x00007FF6FB2A0000-0x00007FF6FB691000-memory.dmp	upx
behavioral2/memory/2940-225-0x00007FF6D1E40000-0x00007FF6D2231000-memory.dmp	upx
behavioral2/memory/4448-221-0x00007FF77DD50000-0x00007FF77E141000-memory.dmp	upx
behavioral2/memory/440-232-0x00007FF76F590000-0x00007FF76F981000-memory.dmp	upx
behavioral2/memory/4016-230-0x00007FF77B4E0000-0x00007FF77B8D1000-memory.dmp	upx
behavioral2/memory/4772-241-0x00007FF737720000-0x00007FF737B11000-memory.dmp	upx
behavioral2/memory/2004-255-0x00007FF76F830000-0x00007FF76FC21000-memory.dmp	upx
behavioral2/memory/4660-257-0x00007FF729F50000-0x00007FF72A341000-memory.dmp	upx
behavioral2/memory/2288-253-0x00007FF6F78D0000-0x00007FF6F7CC1000-memory.dmp	upx
behavioral2/memory/3504-250-0x00007FF6A28C0000-0x00007FF6A2CB1000-memory.dmp	upx
behavioral2/memory/3652-245-0x00007FF6A4E60000-0x00007FF6A5251000-memory.dmp	upx
behavioral2/memory/4600-244-0x00007FF68BA10000-0x00007FF68BE01000-memory.dmp	upx
behavioral2/memory/4508-238-0x00007FF688600000-0x00007FF6889F1000-memory.dmp	upx

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System32\bCuuwzR.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\MtBfSOj.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\eViGdpN.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\TrHRrVu.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\cORrcBe.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\tKigIHH.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\JlhhDtM.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\gZatbqh.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\cUzityX.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\hoKELmK.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\PrCAajy.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\gFsHPss.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\VouSdyW.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\kGPwhMi.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\luKSwhG.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\AFDdsdF.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\YeyuIpq.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\MZenmTp.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\ZskNDbX.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\blbtSPe.exe	06ea833649c32f16e110e3462dfa8750N.exe
File created	C:\Windows\System32\nvqEgGC.exe	06ea833649c32f16e110e3462dfa8750N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1528	06ea833649c32f16e110e3462dfa8750N.exe
Token: SeLockMemoryPrivilege	1528	06ea833649c32f16e110e3462dfa8750N.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2772	1528	06ea833649c32f16e110e3462dfa8750N.exe	84
PID 1528 wrote to memory of 2772	1528	06ea833649c32f16e110e3462dfa8750N.exe	84
PID 1528 wrote to memory of 4796	1528	06ea833649c32f16e110e3462dfa8750N.exe	85
PID 1528 wrote to memory of 4796	1528	06ea833649c32f16e110e3462dfa8750N.exe	85
PID 1528 wrote to memory of 4448	1528	06ea833649c32f16e110e3462dfa8750N.exe	86
PID 1528 wrote to memory of 4448	1528	06ea833649c32f16e110e3462dfa8750N.exe	86
PID 1528 wrote to memory of 1388	1528	06ea833649c32f16e110e3462dfa8750N.exe	87
PID 1528 wrote to memory of 1388	1528	06ea833649c32f16e110e3462dfa8750N.exe	87
PID 1528 wrote to memory of 4576	1528	06ea833649c32f16e110e3462dfa8750N.exe	88
PID 1528 wrote to memory of 4576	1528	06ea833649c32f16e110e3462dfa8750N.exe	88
PID 1528 wrote to memory of 2940	1528	06ea833649c32f16e110e3462dfa8750N.exe	89
PID 1528 wrote to memory of 2940	1528	06ea833649c32f16e110e3462dfa8750N.exe	89
PID 1528 wrote to memory of 4508	1528	06ea833649c32f16e110e3462dfa8750N.exe	90
PID 1528 wrote to memory of 4508	1528	06ea833649c32f16e110e3462dfa8750N.exe	90
PID 1528 wrote to memory of 3652	1528	06ea833649c32f16e110e3462dfa8750N.exe	91
PID 1528 wrote to memory of 3652	1528	06ea833649c32f16e110e3462dfa8750N.exe	91
PID 1528 wrote to memory of 2820	1528	06ea833649c32f16e110e3462dfa8750N.exe	92
PID 1528 wrote to memory of 2820	1528	06ea833649c32f16e110e3462dfa8750N.exe	92
PID 1528 wrote to memory of 4016	1528	06ea833649c32f16e110e3462dfa8750N.exe	93
PID 1528 wrote to memory of 4016	1528	06ea833649c32f16e110e3462dfa8750N.exe	93
PID 1528 wrote to memory of 4484	1528	06ea833649c32f16e110e3462dfa8750N.exe	94
PID 1528 wrote to memory of 4484	1528	06ea833649c32f16e110e3462dfa8750N.exe	94
PID 1528 wrote to memory of 440	1528	06ea833649c32f16e110e3462dfa8750N.exe	95
PID 1528 wrote to memory of 440	1528	06ea833649c32f16e110e3462dfa8750N.exe	95
PID 1528 wrote to memory of 4772	1528	06ea833649c32f16e110e3462dfa8750N.exe	96
PID 1528 wrote to memory of 4772	1528	06ea833649c32f16e110e3462dfa8750N.exe	96
PID 1528 wrote to memory of 4776	1528	06ea833649c32f16e110e3462dfa8750N.exe	97
PID 1528 wrote to memory of 4776	1528	06ea833649c32f16e110e3462dfa8750N.exe	97
PID 1528 wrote to memory of 4600	1528	06ea833649c32f16e110e3462dfa8750N.exe	98
PID 1528 wrote to memory of 4600	1528	06ea833649c32f16e110e3462dfa8750N.exe	98
PID 1528 wrote to memory of 2288	1528	06ea833649c32f16e110e3462dfa8750N.exe	99
PID 1528 wrote to memory of 2288	1528	06ea833649c32f16e110e3462dfa8750N.exe	99
PID 1528 wrote to memory of 2948	1528	06ea833649c32f16e110e3462dfa8750N.exe	100
PID 1528 wrote to memory of 2948	1528	06ea833649c32f16e110e3462dfa8750N.exe	100
PID 1528 wrote to memory of 3504	1528	06ea833649c32f16e110e3462dfa8750N.exe	101
PID 1528 wrote to memory of 3504	1528	06ea833649c32f16e110e3462dfa8750N.exe	101
PID 1528 wrote to memory of 1912	1528	06ea833649c32f16e110e3462dfa8750N.exe	102
PID 1528 wrote to memory of 1912	1528	06ea833649c32f16e110e3462dfa8750N.exe	102
PID 1528 wrote to memory of 2004	1528	06ea833649c32f16e110e3462dfa8750N.exe	103
PID 1528 wrote to memory of 2004	1528	06ea833649c32f16e110e3462dfa8750N.exe	103
PID 1528 wrote to memory of 4660	1528	06ea833649c32f16e110e3462dfa8750N.exe	104
PID 1528 wrote to memory of 4660	1528	06ea833649c32f16e110e3462dfa8750N.exe	104

C:\Users\Admin\AppData\Local\Temp\06ea833649c32f16e110e3462dfa8750N.exe
"C:\Users\Admin\AppData\Local\Temp\06ea833649c32f16e110e3462dfa8750N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\System32\MZenmTp.exe
  C:\Windows\System32\MZenmTp.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System32\ZskNDbX.exe
  C:\Windows\System32\ZskNDbX.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\gFsHPss.exe
  C:\Windows\System32\gFsHPss.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\eViGdpN.exe
  C:\Windows\System32\eViGdpN.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System32\blbtSPe.exe
  C:\Windows\System32\blbtSPe.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\TrHRrVu.exe
  C:\Windows\System32\TrHRrVu.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\cORrcBe.exe
  C:\Windows\System32\cORrcBe.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System32\JlhhDtM.exe
  C:\Windows\System32\JlhhDtM.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\gZatbqh.exe
  C:\Windows\System32\gZatbqh.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System32\tKigIHH.exe
  C:\Windows\System32\tKigIHH.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System32\VouSdyW.exe
  C:\Windows\System32\VouSdyW.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System32\cUzityX.exe
  C:\Windows\System32\cUzityX.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\kGPwhMi.exe
  C:\Windows\System32\kGPwhMi.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System32\hoKELmK.exe
  C:\Windows\System32\hoKELmK.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\bCuuwzR.exe
  C:\Windows\System32\bCuuwzR.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\MtBfSOj.exe
  C:\Windows\System32\MtBfSOj.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\nvqEgGC.exe
  C:\Windows\System32\nvqEgGC.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System32\luKSwhG.exe
  C:\Windows\System32\luKSwhG.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System32\AFDdsdF.exe
  C:\Windows\System32\AFDdsdF.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System32\PrCAajy.exe
  C:\Windows\System32\PrCAajy.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System32\YeyuIpq.exe
  C:\Windows\System32\YeyuIpq.exe
  2⤵
  - Executes dropped EXE
  PID:4660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AFDdsdF.exe

Filesize
1.2MB

MD5
eaffd71520733f4f43e8caed3d79d165

SHA1
5721d445dd763ed717ac048b2f7f251b18708547

SHA256
b50426544b290b75066cffa890b04fd7e8c97acf07d36f31b7edf7e6e14194b4

SHA512
3f6cc67cea5cdef3f0e387ca106e2affa64f445097044c8e8e0847f154ae915b37a5bc91256fe12da1938b5106c87e5688ba6f6b09a55bac3bfaa538c9a717d7

Download Submit
C:\Windows\System32\JlhhDtM.exe

Filesize
1.2MB

MD5
d3fa853e239f7f55c70fc49d1b7d7020

SHA1
9a51fe860de3a8104e29589123277580db52e6f0

SHA256
130ed5d8c896f184521ac97abdd69768272dac257992d350a4b63e955055aa3f

SHA512
e8bc3b8e0a7952e272670091bf17382beec60959e07a3c13644673f85a2f2b9af6525a3341bbf478a83297b77af6d08087ad431cbf6d2f11d8cd6943b05b9e17

Download Submit
C:\Windows\System32\MZenmTp.exe

Filesize
1.2MB

MD5
853fbd66f5de6096b6c1cd91749f8c23

SHA1
c42de090d7931e5a64683de994d5cab1fec7e399

SHA256
11ef3f87ec885f1f1ec866ad9885412897e1268adb936811b5b86baf8e3df205

SHA512
d26134b380efbad9ff810a0c9ab233b1f7151ffa90ed2fce651ca3f2c04c0859d1150f3b2eb9ec0d91e5aec701627bb18ba21059cf5c8c85a86af3333c3c7060

Download Submit
C:\Windows\System32\MtBfSOj.exe

Filesize
1.2MB

MD5
8b6a79bbdca18cbe30dc4889d31fb754

SHA1
6927bf70300cf29b4e3cbbe6f3997c4f7b5568ae

SHA256
c1e263f79032a72aaf2effe9a798bcafaee999e5bb46fa8e79ee1b9b088a29ad

SHA512
5ace81b513eca5552d0e2a2818f922202dd5f81f6b59ec86c157e78c018ea9cc07f7a6f5b983ce4657e44ce1a17224526124a7fe0dc4571336c1e2e681ba2f96

Download Submit
C:\Windows\System32\PrCAajy.exe

Filesize
1.2MB

MD5
3ed57fecbca7a5afd3a2ef595810cc42

SHA1
c4bf78f749e71254390470786b799b950dcc1015

SHA256
368bdaafc6f73eed515bade914c41b3c92af65e92f35076e53494e3479d9b715

SHA512
fee0bb0c5cf846a758eb9a823acf750f506dd43203ca30a7cf4c4d216dce08ff58e0bb5cfaafab411963407045c705b4244d36c3112c7afbb4168ecd444ead6e

Download Submit
C:\Windows\System32\TrHRrVu.exe

Filesize
1.2MB

MD5
de0c63d6daae35e8170b662ec16090bd

SHA1
35e8d1ed798d6b468989eb5c79c7035f1f3b0aff

SHA256
d7ab8cc4d63ae6ff43dff3d16c3138b37b8be5323c3332be3622c71026a35075

SHA512
b45abc23da20303fb980e88381bcca0f8ab292691bb64a7931a433638facd4ced9fb11868e6d57c226cf74eb5b8625b8808a3e5f2d32d171369e451cb653846c

Download Submit
C:\Windows\System32\VouSdyW.exe

Filesize
1.2MB

MD5
4d36bfdbd84665fc5dbbee9d33e810a9

SHA1
f812364eac01a7445644bed2b96c7c170730aee6

SHA256
89322d03df35b411eda2af8830266f18b119ca6f95723fb0973521c1911320dc

SHA512
a6298146c9c073ca9deb1fae4f4578b11e96bcca8b937dfee251fa175335fbc21e4989cd76d6f206378955717bdcc775b6fe34bc0a4d70267d0ca58b0cce760a

Download Submit
C:\Windows\System32\YeyuIpq.exe

Filesize
1.2MB

MD5
8e858c5c41670a719e07575611087a11

SHA1
a6a5746eb5300e9b7941be8c74063651f8766b0d

SHA256
4298b521b2e4a97ed30abb1f227bfac71dd1ec4e380ef6161d49697c7e6d3d1a

SHA512
93bc3fdd6b2fc5b1a842344d750180e13160e7ed590d66020077dd48b7c9ee0599e1f71ff6b95bdd60c9da44ce34348cde27446ab6f6099321159d607e7f9b6f

Download Submit
C:\Windows\System32\ZskNDbX.exe

Filesize
1.2MB

MD5
93e0e794ad5cb1044978d7f360823bcf

SHA1
49bbcaa1a066b515b434e996cd66b46cf38bb626

SHA256
adcb7c5617de3e2737ca5a1537a90a28ee572ec5953a53e3f8a31e4274025c53

SHA512
a199df12924d62287dcd0401f5bc9e2d74d3d842e251f119924ee8edeb736700a0e568ee6bb27c84775c66091099f12ed78cd33851c37a669d212199e69b67a3

Download Submit
C:\Windows\System32\bCuuwzR.exe

Filesize
1.2MB

MD5
0c736888e8ef723bd6d2f75fb20453df

SHA1
c923c223446377a407b58e0354d93c0c117b5074

SHA256
87f3dca65f54542cb2f66e88f173a823f4ca3383abd5c3e9997407be2e2d606f

SHA512
8552e8cdcd88e179a06d50493f4ffa2165df89cde07ff292b31d76d3e5679701e1b86c3b2f03c54b6fa57e56c1e6a1e1b9659b6cae9f9e9d92fd70ac6e241a09

Download Submit
C:\Windows\System32\blbtSPe.exe

Filesize
1.2MB

MD5
de8d5d551ceb5d92483351695d5781fa

SHA1
f9cc3ce16c32d11b5b61a34aa98b10442f052ea0

SHA256
02fc046ba8e3f1473685e885d190bfdf0b71526a7a673ee358c10d1f362a6a72

SHA512
411214e481ed44f5cd03a8fb7a43448c14354af63a815b5b4ebeacefa2261581421e366c452354d0e7f5fa6f3fe244190ee4382e4d86cc63035258523c97c63a

Download Submit
C:\Windows\System32\cORrcBe.exe

Filesize
1.2MB

MD5
221a774007a4fa12c29126bf6d8f17d0

SHA1
2c5195a76251eb15c58c29b7c5bad38cf50c6c8e

SHA256
007d35449b939c5701777197f8642ed52e790e19af2e85a78d4295d5dc1e922a

SHA512
e1a0daa5816275cdd0124d18bdacadae4c94243fd439d31b445c9adf79035b141163d8a0e3e0b13e962456b1ad65a5447c0b1f8d9e3ea491206b9782dd77b724

Download Submit
C:\Windows\System32\cUzityX.exe

Filesize
1.2MB

MD5
64233fde3502523934f9805ee943f2f8

SHA1
83ce769b913e1b1e4b15f864fa84f7dd25552474

SHA256
cbf8cd3c83ae89981629ec4bd3fadff401efd5cd7b2b1b92980a085358234baf

SHA512
c8e129bd2d2934a919c8d6828fb56b1d137b5376a8796552e970c00b8b210022e1d3d517f70bb0d240b580209936ddba08185050c526c0d3fac7bd97c705aab0

Download Submit
C:\Windows\System32\eViGdpN.exe

Filesize
1.2MB

MD5
c59fff7b94bcf223298e3d3c4b8d99cd

SHA1
6ef6db8289bd6aad2f7e384f8034f1991ce331d8

SHA256
64b89eacbbc15c52cb482fdfdc4df5aadcbab993f054755432eb44313f7b7aa3

SHA512
e032aec5bdd1e7308c5a8d22d9376aeebe740123801fc235f274b2f5685a4f8d0f76ee72a2e7c35e4255541fc075cc570c146a3a0115bb4e180c46d874ff0284

Download Submit
C:\Windows\System32\gFsHPss.exe

Filesize
1.2MB

MD5
3f916b857e261b29dde844c6af83d435

SHA1
d4b6371ccd58ca62ec0fe13a6ac14f0d114bdc21

SHA256
831f52f4dbeb0e3a2a0493629e0b91873925d85c8392e56a736e2c27c75d6401

SHA512
ba920a4f4941631471dafab0ffebeefae7d42a46014cfad542e153d6077256718f68d139437f8c03d2ca3355138c6caf2e4881e888837eb103a6676494d13dab

Download Submit
C:\Windows\System32\gZatbqh.exe

Filesize
1.2MB

MD5
d92a7d653e70874e6910ffcf6f779a2b

SHA1
070b410a6381c8255960f308aeec1450d500f7b5

SHA256
d3bd89140e8369ca9b69f5c515eeda02f54f196bc6829ea8d62e6b43e0f47f66

SHA512
89be3fe8d526aaba04f820a65c1e3628d02b65e4f87674162d99aae5a46b6bf2b67100d2ae5cecfb48629690579d4a4ceea0a0d854c62f3b3708f1911755a387

Download Submit
C:\Windows\System32\hoKELmK.exe

Filesize
1.2MB

MD5
e4f5760e5d2747ee86d45adff7c039f0

SHA1
34c09d2cea107ad6f655e69031e1907df402482d

SHA256
fc5e18ac55196873a0e24993a98e65ba2949c67338d2a3cf64e8bff48f3b1ce8

SHA512
0f0d27e99c362577b2e97143c7ae24d3705d2278fa869d6297fb3c1eefb8c0850bb1463c486ff6e7f860a9ff403704236eda5ca92833ef5ef857be850bfee64a

Download Submit
C:\Windows\System32\kGPwhMi.exe

Filesize
1.2MB

MD5
2badd788feafb51789890ecdb88bbac3

SHA1
4b82397160c052e3c68fd59d581dbb518dab0557

SHA256
bfa29a4a510164aabd8122f212661756e275db974898e486585d35e56fb0e9fb

SHA512
90aef38d410e7c68a8f6306f5d57671cf99e2317308c11104727ce342fd0ae6ba452e765497dd1dbab0f884e726fbc5f822efa5b2fc6252f3b206192d2245bc5

Download Submit
C:\Windows\System32\luKSwhG.exe

Filesize
1.2MB

MD5
daeda703ea2467ae4da2345855bfbc43

SHA1
3b6c24611b8a22384bb38906f70b6bf37baf4208

SHA256
3735223be63036e9b221cf32089e6e40f317264dab76406d204d658aad8a8ebc

SHA512
60b587dfcd81659c8b96bcf958f40f47eaeac533ae00846fe762ee9bd59357233b0add4059fb28d78cdb58485c24e433a378f413db958dfcd6fcc5b32b09d7a6

Download Submit
C:\Windows\System32\nvqEgGC.exe

Filesize
1.2MB

MD5
b5d2d6ef5e41f169e7c17da2eec1fcba

SHA1
f3c8ed32268842d26e96ab824fa9daf3029a042c

SHA256
9c67c70c60211986e84d4e6005eeedbb4650cee9985d60e664d87af73132f23c

SHA512
2d511061286577b98dee9ae2a763a8ef0ef07918a682e05084e29e1a7886f3f3a1e867be468995d9f65c30b88ae284c5bc0a240e251e4d0f86aac79a8aa6ba21

Download Submit
C:\Windows\System32\tKigIHH.exe

Filesize
1.2MB

MD5
7cdc8503c5fa5a2f265ec933a836dce5

SHA1
e640d0654683c19744663f81f00e663c4f103937

SHA256
aea12889bfff9f59cb9cbcd65cf21acd3069af94b0f7d8eacdde0a56d5bbb7ac

SHA512
11d02487cdf2146ad45d4176fb8aab058b77b0c08d19faf27b74b9fcdf3890192d64bc7449c50ac1d034a0a1eaae1eee1522d63e35578151331ee1445fe3ab71

Download Submit
memory/440-232-0x00007FF76F590000-0x00007FF76F981000-memory.dmp

Filesize
3.9MB

Download
memory/440-116-0x00007FF76F590000-0x00007FF76F981000-memory.dmp

Filesize
3.9MB

Download
memory/1388-220-0x00007FF7670B0000-0x00007FF7674A1000-memory.dmp

Filesize
3.9MB

Download
memory/1388-126-0x00007FF7670B0000-0x00007FF7674A1000-memory.dmp

Filesize
3.9MB

Download
memory/1528-1-0x0000020FBB8D0000-0x0000020FBB8E0000-memory.dmp

Filesize
64KB

Download
memory/1528-0-0x00007FF72E8C0000-0x00007FF72ECB1000-memory.dmp

Filesize
3.9MB

Download
memory/1528-150-0x00007FF72E8C0000-0x00007FF72ECB1000-memory.dmp

Filesize
3.9MB

Download
memory/1528-128-0x00007FF72E8C0000-0x00007FF72ECB1000-memory.dmp

Filesize
3.9MB

Download
memory/1912-248-0x00007FF6871E0000-0x00007FF6875D1000-memory.dmp

Filesize
3.9MB

Download
memory/1912-123-0x00007FF6871E0000-0x00007FF6875D1000-memory.dmp

Filesize
3.9MB

Download
memory/2004-255-0x00007FF76F830000-0x00007FF76FC21000-memory.dmp

Filesize
3.9MB

Download
memory/2004-124-0x00007FF76F830000-0x00007FF76FC21000-memory.dmp

Filesize
3.9MB

Download
memory/2288-120-0x00007FF6F78D0000-0x00007FF6F7CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2288-253-0x00007FF6F78D0000-0x00007FF6F7CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2772-202-0x00007FF7EA2E0000-0x00007FF7EA6D1000-memory.dmp

Filesize
3.9MB

Download
memory/2772-9-0x00007FF7EA2E0000-0x00007FF7EA6D1000-memory.dmp

Filesize
3.9MB

Download
memory/2772-129-0x00007FF7EA2E0000-0x00007FF7EA6D1000-memory.dmp

Filesize
3.9MB

Download
memory/2820-113-0x00007FF76D620000-0x00007FF76DA11000-memory.dmp

Filesize
3.9MB

Download
memory/2820-235-0x00007FF76D620000-0x00007FF76DA11000-memory.dmp

Filesize
3.9MB

Download
memory/2940-225-0x00007FF6D1E40000-0x00007FF6D2231000-memory.dmp

Filesize
3.9MB

Download
memory/2940-111-0x00007FF6D1E40000-0x00007FF6D2231000-memory.dmp

Filesize
3.9MB

Download
memory/2948-252-0x00007FF661690000-0x00007FF661A81000-memory.dmp

Filesize
3.9MB

Download
memory/2948-121-0x00007FF661690000-0x00007FF661A81000-memory.dmp

Filesize
3.9MB

Download
memory/3504-250-0x00007FF6A28C0000-0x00007FF6A2CB1000-memory.dmp

Filesize
3.9MB

Download
memory/3504-122-0x00007FF6A28C0000-0x00007FF6A2CB1000-memory.dmp

Filesize
3.9MB

Download
memory/3652-245-0x00007FF6A4E60000-0x00007FF6A5251000-memory.dmp

Filesize
3.9MB

Download
memory/3652-112-0x00007FF6A4E60000-0x00007FF6A5251000-memory.dmp

Filesize
3.9MB

Download
memory/4016-114-0x00007FF77B4E0000-0x00007FF77B8D1000-memory.dmp

Filesize
3.9MB

Download
memory/4016-230-0x00007FF77B4E0000-0x00007FF77B8D1000-memory.dmp

Filesize
3.9MB

Download
memory/4448-221-0x00007FF77DD50000-0x00007FF77E141000-memory.dmp

Filesize
3.9MB

Download
memory/4448-131-0x00007FF77DD50000-0x00007FF77E141000-memory.dmp

Filesize
3.9MB

Download
memory/4448-35-0x00007FF77DD50000-0x00007FF77E141000-memory.dmp

Filesize
3.9MB

Download
memory/4484-233-0x00007FF79ACD0000-0x00007FF79B0C1000-memory.dmp

Filesize
3.9MB

Download
memory/4484-115-0x00007FF79ACD0000-0x00007FF79B0C1000-memory.dmp

Filesize
3.9MB

Download
memory/4508-238-0x00007FF688600000-0x00007FF6889F1000-memory.dmp

Filesize
3.9MB

Download
memory/4508-127-0x00007FF688600000-0x00007FF6889F1000-memory.dmp

Filesize
3.9MB

Download
memory/4576-228-0x00007FF612C60000-0x00007FF613051000-memory.dmp

Filesize
3.9MB

Download
memory/4576-133-0x00007FF612C60000-0x00007FF613051000-memory.dmp

Filesize
3.9MB

Download
memory/4576-38-0x00007FF612C60000-0x00007FF613051000-memory.dmp

Filesize
3.9MB

Download
memory/4600-119-0x00007FF68BA10000-0x00007FF68BE01000-memory.dmp

Filesize
3.9MB

Download
memory/4600-244-0x00007FF68BA10000-0x00007FF68BE01000-memory.dmp

Filesize
3.9MB

Download
memory/4660-257-0x00007FF729F50000-0x00007FF72A341000-memory.dmp

Filesize
3.9MB

Download
memory/4660-125-0x00007FF729F50000-0x00007FF72A341000-memory.dmp

Filesize
3.9MB

Download
memory/4772-241-0x00007FF737720000-0x00007FF737B11000-memory.dmp

Filesize
3.9MB

Download
memory/4772-117-0x00007FF737720000-0x00007FF737B11000-memory.dmp

Filesize
3.9MB

Download
memory/4776-240-0x00007FF62A100000-0x00007FF62A4F1000-memory.dmp

Filesize
3.9MB

Download
memory/4776-118-0x00007FF62A100000-0x00007FF62A4F1000-memory.dmp

Filesize
3.9MB

Download
memory/4796-130-0x00007FF6FB2A0000-0x00007FF6FB691000-memory.dmp

Filesize
3.9MB

Download
memory/4796-17-0x00007FF6FB2A0000-0x00007FF6FB691000-memory.dmp

Filesize
3.9MB

Download
memory/4796-224-0x00007FF6FB2A0000-0x00007FF6FB691000-memory.dmp

Filesize
3.9MB

Download