Malware Analysis Report

2025-05-06 02:04

Sample ID 241110-q846ba1mhq
Target 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN
SHA256 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8c
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8c

Threat Level: Known bad

The file 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-10 13:56

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
1 row, all fields N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
1 row, all fields N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
1 row, all fields N/A

Unsigned PE

Description Indicator Process Target
2 rows, all fields N/A
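The static1 signatures above say the sample is UPX packed and carries no Authenticode signature, but the table records no detail behind either verdict. The following is an added example, not taken from this report or from the sandbox vendor's own detection code, of how those two facts can be checked from the PE headers alone with the Python standard library: UPX's default section names (UPX0/UPX1) and an empty IMAGE_DIRECTORY_ENTRY_SECURITY entry. The build_test_pe helper constructs a minimal PE32+ header so the check can be exercised offline; it is a constructed stand-in, not the sample, whose section names the report does not give.

```python
"""Header-only checks for the two static signatures: UPX packing and no Authenticode blob."""
import struct

# Section names UPX writes by default. A packer that renames them defeats this
# check, so treat a hit as evidence, not proof.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX3"}


def parse_pe(data: bytes) -> dict:
    """Return machine type, bitness, section names and the size of the security directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes and the data-directory array sit at different offsets in PE32 and PE32+
    if magic == 0x10B:        # PE32
        dd_count_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        dd_count_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dd_count = struct.unpack_from("<I", data, dd_count_off)[0]
    # IMAGE_DIRECTORY_ENTRY_SECURITY is entry 4: a raw file offset and size of the WIN_CERTIFICATE blob
    sec_size = 0
    if dd_count > 4:
        _sec_off, sec_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    sect_table = opt + opt_size
    names = [data[sect_table + 40 * i: sect_table + 40 * i + 8].rstrip(b"\0") for i in range(nsections)]
    return {"machine": machine, "is_64bit": magic == 0x20B, "sections": names, "security_dir_size": sec_size}


def looks_upx_packed(info: dict) -> bool:
    return any(name in UPX_SECTION_NAMES for name in info["sections"])


def is_unsigned(info: dict) -> bool:
    """True when no Authenticode blob is embedded. A non-zero size only means a
    signature is present; whether it verifies needs the certificate chain, and
    catalog-signed Windows binaries legitimately have size 0 here too."""
    return info["security_dir_size"] == 0


def build_test_pe(section_names, signed=False) -> bytes:
    """Constructed minimal PE32+ (headers only, no code) used to exercise the parser offline."""
    opt_size = 240                       # PE32+ optional header with all 16 data directories
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x1000, 0x800)   # security directory (offset, size)
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    info = parse_pe(build_test_pe([b"UPX0", b"UPX1", b".rsrc"]))
    print(f"sections={info['sections']} upx={looks_upx_packed(info)} unsigned={is_unsigned(info)}")
```

On a real file, read the bytes and call parse_pe on them; the two predicates then reproduce the "upx" and "Unsigned PE" verdicts for the common case, and the sections list is the first thing to look at when they disagree with the sandbox.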

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 13:56

Reported

2024-11-10 13:59

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 rows, all fields N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
45 rows, all fields N/A

UPX packed file

upx
Description Indicator Process Target
64 rows, all fields N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ugmHIqA.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\RlajyXG.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\NpJwVuI.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\NEIuxZa.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\sZzTnVY.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\sFccLeD.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\qOEzeDd.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\vRlKGQa.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\gMzxFMe.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\fsmBMci.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\vTmMOyh.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\PzdjiVL.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\YcLbGIU.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\wounOUU.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\IzFfcPQ.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\SvUqiuH.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\xbomhsA.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\RYYwpDW.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\eXwZCsN.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\ekHvoAq.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\bWPMcmV.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the privilege a process needs to allocate large pages with VirtualAlloc(MEM_LARGE_PAGES). XMRig enables it at start-up for its huge-pages optimisation of the RandomX dataset, which is why the miner signatures above and this token adjustment belong to the same behaviour. Legitimate holders of the privilege are mostly database engines and hypervisors that an administrator has granted it explicitly, so a freshly written executable in %TEMP% requesting it is a strong indicator on its own.

Suspicious use of WriteProcessMemory

Source process in every row: C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe (PID 4780); Indicator N/A. Every target appears twice in the raw log, so the table gives the event count instead of repeating each row.

Target PID Target Events
4820 C:\Windows\System\ekHvoAq.exe 2
4540 C:\Windows\System\vRlKGQa.exe 2
4596 C:\Windows\System\SvUqiuH.exe 2
1288 C:\Windows\System\gMzxFMe.exe 2
3964 C:\Windows\System\fsmBMci.exe 2
4808 C:\Windows\System\ugmHIqA.exe 2
4952 C:\Windows\System\RlajyXG.exe 2
884 C:\Windows\System\xbomhsA.exe 2
2912 C:\Windows\System\NpJwVuI.exe 2
4744 C:\Windows\System\RYYwpDW.exe 2
4756 C:\Windows\System\vTmMOyh.exe 2
3136 C:\Windows\System\PzdjiVL.exe 2
4724 C:\Windows\System\YcLbGIU.exe 2
1364 C:\Windows\System\NEIuxZa.exe 2
4380 C:\Windows\System\sZzTnVY.exe 2
4804 C:\Windows\System\sFccLeD.exe 2
2112 C:\Windows\System\eXwZCsN.exe 2
1972 C:\Windows\System\qOEzeDd.exe 2
4832 C:\Windows\System\wounOUU.exe 2
400 C:\Windows\System\IzFfcPQ.exe 2
1556 C:\Windows\System\bWPMcmV.exe 2
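The two tables above describe one fan-out: the sample, running from the user's Temp directory, creates 21 executables with random seven-letter names in C:\Windows\System\ and then writes into the memory of a process for each of them (PID 4780 into 4820, 4540, 4596 and so on). Below is an added example, not part of this report and not the sandbox's own detection logic, of a small triage script that applies exactly that heuristic to events in the report's row format. The event list is constructed from a handful of the rows above plus one benign row that must not fire; the name pattern, the %TEMP% test and the child-count threshold are the example's own choices.

```python
"""Flag a Temp-resident dropper that seeds C:\\Windows\\System with random-named executables
and then writes into the processes started from them."""
import re
from collections import defaultdict

# Constructed sample events in the report's own row format: the submitted sample,
# three of its 21 dropped files, four of the 42 WriteProcessMemory rows, and one
# constructed benign file event from svchost.exe as a negative case.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe")
FILE_EVENTS = [
    # (description, created path, creating process)
    ("File created", r"C:\Windows\System\ugmHIqA.exe", PARENT),
    ("File created", r"C:\Windows\System\ekHvoAq.exe", PARENT),
    ("File created", r"C:\Windows\System\vRlKGQa.exe", PARENT),
    ("File created", r"C:\Windows\System32\drivers\etc\hosts", r"C:\Windows\System32\svchost.exe"),
]
WRITE_ROWS = [
    "PID 4780 wrote to memory of 4820 N/A " + PARENT + r" C:\Windows\System\ekHvoAq.exe",
    "PID 4780 wrote to memory of 4820 N/A " + PARENT + r" C:\Windows\System\ekHvoAq.exe",
    "PID 4780 wrote to memory of 4540 N/A " + PARENT + r" C:\Windows\System\vRlKGQa.exe",
    "PID 4780 wrote to memory of 4808 N/A " + PARENT + r" C:\Windows\System\ugmHIqA.exe",
]

# Heuristics chosen for this example: every dropped name in the report is exactly
# seven ASCII letters plus .exe, and the dropper itself runs from %TEMP%.
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "PID <src> wrote to memory of <dst> <indicator> <source image> <target image>"
WRITE_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+?\.exe) (.+\.exe)$")


def dropped_into_windows_system(events):
    """Map creating process -> executables it created directly in C:\\Windows\\System with random-looking names."""
    hits = defaultdict(list)
    for action, path, proc in events:
        if action != "File created":
            continue
        folder, _, name = path.rpartition("\\")
        if folder.lower() == r"c:\windows\system" and RANDOM_NAME.match(name):
            hits[proc].append(path)
    return dict(hits)


def parse_write_rows(rows):
    """Collapse the raw WriteProcessMemory rows into (source pid, target pid, target image) -> event count."""
    counts = defaultdict(int)
    for row in rows:
        m = WRITE_ROW.match(row)
        if m:
            src_pid, dst_pid, _src_image, dst_image = m.groups()
            counts[(int(src_pid), int(dst_pid), dst_image)] += 1
    return dict(counts)


def triage(file_events, write_rows, min_children=3):
    """One finding per %TEMP%-resident process that dropped at least min_children random-named
    executables into C:\\Windows\\System; lists the PIDs of processes run from them that it wrote into."""
    findings = []
    writes = parse_write_rows(write_rows)
    for parent, paths in dropped_into_windows_system(file_events).items():
        if len(paths) < min_children or not TEMP_DIR.search(parent):
            continue
        written_to = sorted({dst_pid for (_s, dst_pid, image) in writes if image in paths})
        findings.append({"parent": parent, "dropped": sorted(paths), "written_to_pids": written_to})
    return findings


if __name__ == "__main__":
    for finding in triage(FILE_EVENTS, WRITE_ROWS):
        print(finding["parent"])
        print("  dropped:", len(finding["dropped"]), "executables; wrote into PIDs", finding["written_to_pids"])
```

Against the full report the same functions would return one finding with 21 dropped paths and 21 target PIDs; the svchost.exe row is ignored because it neither lands in C:\Windows\System nor matches the name pattern.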

Processes

PID 4780 C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
command line: "C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe"

Processes running from the dropped executables (the command line is the bare path in every case; PIDs are those recorded for each image in the WriteProcessMemory table):

PID 4820 C:\Windows\System\ekHvoAq.exe
PID 4540 C:\Windows\System\vRlKGQa.exe
PID 4596 C:\Windows\System\SvUqiuH.exe
PID 1288 C:\Windows\System\gMzxFMe.exe
PID 3964 C:\Windows\System\fsmBMci.exe
PID 4808 C:\Windows\System\ugmHIqA.exe
PID 4952 C:\Windows\System\RlajyXG.exe
PID 884 C:\Windows\System\xbomhsA.exe
PID 2912 C:\Windows\System\NpJwVuI.exe
PID 4744 C:\Windows\System\RYYwpDW.exe
PID 4756 C:\Windows\System\vTmMOyh.exe
PID 3136 C:\Windows\System\PzdjiVL.exe
PID 4724 C:\Windows\System\YcLbGIU.exe
PID 1364 C:\Windows\System\NEIuxZa.exe
PID 4380 C:\Windows\System\sZzTnVY.exe
PID 4804 C:\Windows\System\sFccLeD.exe
PID 2112 C:\Windows\System\eXwZCsN.exe
PID 1972 C:\Windows\System\qOEzeDd.exe
PID 4832 C:\Windows\System\wounOUU.exe
PID 400 C:\Windows\System\IzFfcPQ.exe
PID 1556 C:\Windows\System\bWPMcmV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa (PTR for 8.8.8.8) udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa (PTR for 52.185.211.133) udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa (PTR for 199.232.214.172) udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa (PTR for 40.126.32.136) udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa (PTR for 192.229.221.95) udp
DE 3.120.209.58:8080 (no domain) tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa (PTR for 40.119.249.228) udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa (PTR for 4.245.163.56) udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa (PTR for 20.242.39.171) udp
DE 3.120.209.58:8080 (no domain) tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa (PTR for 199.232.210.172) udp
DE 3.120.209.58:8080 (no domain) tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa (PTR for 2.23.210.83) udp
DE 3.120.209.58:8080 (no domain) tcp

All DNS activity in the run is reverse (PTR) lookups sent to 8.8.8.8; no hostname is ever resolved forward. The only other traffic is four TCP connections to 3.120.209.58:8080 (DE) made directly by address, which is the endpoint to block and hunt for.
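The in-addr.arpa names in the table are reverse lookups with the address octets written backwards, so reading them needs a small decoder, and the one security-relevant row type, a TCP connection to an address that was never resolved by name, is easy to miss among them. The following is an added example, not part of the report, that decodes the PTR queries, separates forward lookups, and lists the endpoints contacted directly; the row list is constructed from part of the table above.

```python
"""Decode PTR query names and pick out endpoints contacted without name resolution."""
import ipaddress
from collections import Counter

# Constructed subset of the Network table above: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
]


def ptr_name_to_ip(name):
    """'133.211.185.52.in-addr.arpa' -> IPv4Address('52.185.211.133'); None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ipaddress.AddressValueError:   # e.g. an octet above 255
        return None


def summarize(rows):
    """Split the table into decoded reverse lookups, forward lookups, and direct connections with counts."""
    out = {"reverse_lookups": [], "forward_lookups": [], "direct": Counter()}
    for country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        port = int(port)
        if port == 53 and domain:
            ip = ptr_name_to_ip(domain)
            if ip is not None:
                out["reverse_lookups"].append(str(ip))
            else:
                out["forward_lookups"].append(domain)
            continue
        out["direct"][(host, port, proto, country)] += 1
    out["direct"] = dict(out["direct"])
    return out


def unresolved_endpoints(summary, resolved_ips=frozenset()):
    """Direct connections to addresses not returned by any forward lookup. This table records
    query names only, not answers, so nothing is resolved and every direct endpoint is returned;
    pass the resolved set when the capture has DNS answers."""
    return sorted(key for key in summary["direct"] if key[0] not in resolved_ips)


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("PTR lookups for:", ", ".join(s["reverse_lookups"]))
    for (host, port, proto, country), n in unresolved_endpoints(s) and s["direct"].items():
        print(f"direct {proto} {host}:{port} ({country}) x{n}, no name resolved")
```

The decoded PTR targets are useful mainly for telling sandbox and OS background traffic apart from the sample's own; the direct-connection list is what goes into a block list.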

Files

Every memory/<pid>-<n> dump of a mapped image below spans exactly 0x351000 bytes, for the submitted sample (PID 4780) and for all 21 processes started from the dropped executables alike, while the 21 dropped files all carry different hashes: same image size, different bytes. The one exception, memory/4780-1, is a separate 0x10000-byte region.

memory/4780-0-0x00007FF627030000-0x00007FF627381000-memory.dmp

memory/4780-1-0x000001B841A90000-0x000001B841AA0000-memory.dmp

C:\Windows\System\ekHvoAq.exe

MD5 ebe0cf06c48754962f292c41e3d8d774
SHA1 a154066345453b2f4a41a3a5de38a9ea74d63aea
SHA256 23ff92e5bffb3429ec21947e179f33585ce5711335dcd22a2cd39e2fc1f25b63
SHA512 5af918499474f4ea7191a8de0c4d9ef29ff346fbae3cbe6943c277b65667ccddb621d91b840231571cb4d4f33aa8217c24682e36cd6e4e2c7ebf55d12cdc1ef2

memory/4820-8-0x00007FF749ED0000-0x00007FF74A221000-memory.dmp

C:\Windows\System\vRlKGQa.exe

MD5 43cb3f544a2b07a999afd35eabf5b155
SHA1 30cc148db3c21e27f3094a628fdc474d4b4ec733
SHA256 98979d1acb3b9f6a06db2b298869336ff182aa7883032a9982a21b431bb68ead
SHA512 60de4eb68b8b624d3c4590a639bdcd89da1f32ddce7361f5c3bd5b25dc2bc587bb4eaaa683af6ac57a2ed4381cbbc35fc2cfac24a3858a2b86c6cd4161b7b14e

memory/4540-12-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp

C:\Windows\System\SvUqiuH.exe

MD5 7db360efa94bad923e6731b0dc44c80d
SHA1 b819745ab0699f84f29a04a3f61891fd7196f874
SHA256 195cc4702c55c21886b4814f5dca927b38e0990e509ed1d789bb1a50732870be
SHA512 3b7f7477cbf98c3781bd22b41a125a9e751e97cc708075723d8605ae3a792031546138f32a331e42e0ab6fd22f87a8f44a960a2ad758d31c1022c1ee2c4bc195

C:\Windows\System\gMzxFMe.exe

MD5 61106d9617efe1adc55221dd25073bb6
SHA1 8da41e1840070c479e8247ac84924557d64a93f6
SHA256 cca5cbfcc2963a783b585651fa4c990bc614b769ba38c14a31d21fac378d78a8
SHA512 51e1c899346c379f3ec0dc438ac66d0ab47a6cecea926658a092a96854d1e7a4fe47d564859782c6d5fded264717cc826ccc8fc566e1ce4709cb09b7c79062af

memory/4596-21-0x00007FF78D480000-0x00007FF78D7D1000-memory.dmp

C:\Windows\System\ugmHIqA.exe

MD5 051284e965c1383e6b45debf8f8e643c
SHA1 ca2a3a56434a49baeb69753a50e968650e713373
SHA256 18e984f3074812ec577b300bfc7e324e5c817c34fb725812160703f18d295ce5
SHA512 e0c23b9b3d185bf0ed51d89d79ae21a05c73f0c0b4ce0aaefa914c688b52bf4a8390256ff129b1afbcecb76d0acbcf8a98ba8a47fe7a45e0bca6fda8ebbc5426

C:\Windows\System\RlajyXG.exe

MD5 d78e0514e5bd3d6a84183327ca7663e7
SHA1 be9d4adc650673d4310ec71a8386b6eee4e3ff84
SHA256 0d0de0595907434f5e17e1357c43568ea02a60ce912fb063b9981f0e46019ae8
SHA512 f99756789647441bdaee2c071edf354a0221e8e06b978446419277f63294a41cac60867c485d1da05a7788552cc8ce191f051f970ae87d5b19ff0d187c85389e

C:\Windows\System\xbomhsA.exe

MD5 b51856889301e3b5c5571b46da25a198
SHA1 ca4baa10d0f5d86f96356ba1d8e9cffd1729602a
SHA256 7b38a0c31a498cd62b5589fae18cbbdf0c010d1f51caa7da987a15a2e457786d
SHA512 6c7b9e42169e67862295b4bffe6eef74cb6a97ffccdd10b53a487b4c4877ec00d9f8afc2dc2f6ca2b503e12bdd7fa43e7c324f173e830a0cad24c22f4443dd5a

memory/4952-51-0x00007FF7800C0000-0x00007FF780411000-memory.dmp

C:\Windows\System\PzdjiVL.exe

MD5 078702d27239dbf99aed271c0aa5b783
SHA1 2fdfae471709a428d816843beb6831c9ea390722
SHA256 5df2dac6387bc0afb1f0d7f83e734cb59d80a23aa7167a31244ecee3196641bc
SHA512 b2cffdcf7ee4135766aca4add6714a39ff7043e0dd01404021c6269f421f385fe8cdc0eb9ea561e136ad47241cf8c3c2d38aa602371eb3239b644ca7a81eeb17

C:\Windows\System\YcLbGIU.exe

MD5 9dc64d07c30eabd3cadde647264ccdd3
SHA1 c84ae1b82c6e38341b72f6d50e6e2bf3a9e45b62
SHA256 0fa366dc3632669b7ecb1d672ce45fd73bc91778c8e58bb0c614ef4d37e4691e
SHA512 5b068d960779ef27b6dcf700d7bfcffa8ffeb513c196263d317c282eb36913522539ce27625b70dabadbb1b93264a10fb353f1b53c3fc43da9788b239b09aad1

memory/4756-80-0x00007FF6F35C0000-0x00007FF6F3911000-memory.dmp

C:\Windows\System\sZzTnVY.exe

MD5 00fc4c5fcb5c78c87b77e8ae3fb7df9b
SHA1 c8e4393755714a67cc7a0a72135dbe1419341660
SHA256 2b130667a6f8e913955228741bb4e2b141e8e75eba9f9d125297f1f282450d65
SHA512 88a51559f0d4dc22c58408bb10ff443c1ac0f62a0ce97598fe42d474289c0dc1e49d2de1f704105cedb936711bae5af08f03a7fc069d890b4e7c7edbf43eecb2

memory/4744-90-0x00007FF7EDA50000-0x00007FF7EDDA1000-memory.dmp

memory/1364-91-0x00007FF7C8090000-0x00007FF7C83E1000-memory.dmp

memory/4380-89-0x00007FF72F7C0000-0x00007FF72FB11000-memory.dmp

C:\Windows\System\NEIuxZa.exe

MD5 1c209986663ff58d682178e33926055f
SHA1 021e855c3bf48420fc2fd0d6e556ca5d64bce417
SHA256 b7f7e0e32d972e3892cf4c93688c34248c14dc8185c70fd6f8bb2ac3ddf78b27
SHA512 f9969c84e651a82dc8c62be09707860f2d2bb2872e394c5bc4b1a977bf1879924c789ceeeebc2c11e428bd5265e69cbd003b7e8125e72578eabcf86e20888d28

memory/4724-84-0x00007FF7E3B40000-0x00007FF7E3E91000-memory.dmp

memory/3136-81-0x00007FF7C8730000-0x00007FF7C8A81000-memory.dmp

C:\Windows\System\vTmMOyh.exe

MD5 7d37b3d1fbafb212ad870d650c9b21e7
SHA1 7724a3d1c4d0373ad7fe1fe7360ff8dadc85f606
SHA256 25dd6e0d36142fb366c77cc25c122a1b1e63b28d01a837c4575121d0a29b0e1f
SHA512 02a22ebb4ec6e8b5b3a145f3aac77364519321e0726e538e2155f850e9deb88b0d7fec40b14c90c8522a29ed167db1883fba3f5edff178fe159d7349c7af9b87

C:\Windows\System\RYYwpDW.exe

MD5 b6ae04400b159fa930578e7da2787b9e
SHA1 4567125bb54b8fdc95e422af6cf7e1c452cd6359
SHA256 a4e86f894360dc2ed59dfbcfb120527981ab90cba1de678323b9e5409fe95db7
SHA512 bca8087ff1d2443e05cec5d5a5f3164f8aca6c4cf1c6575726358b0a8e2ec1d351ef26db52d8bf9026d261058f77e17f0f3005537bc22f089ff3fe7694cce106

C:\Windows\System\NpJwVuI.exe

MD5 3722a101c3b89a4cccc785c747066e7c
SHA1 6ffa69dedd205961a085d78b312246d6468f1ff0
SHA256 25959d593a5eea39c5c7fc49a4159b5607e3729d46b018a6d4477ee513ea5f65
SHA512 b661e2c590b027ba9bedcb7ed8bfb77d07f0d0d20717521bb2bca95411d2a7486940d8677ea6195c5052e9794ed154aad3bc8cdc472339bbd6905bee5b8feec3

memory/2912-55-0x00007FF76BC00000-0x00007FF76BF51000-memory.dmp

memory/884-48-0x00007FF69B380000-0x00007FF69B6D1000-memory.dmp

memory/4808-42-0x00007FF6CF900000-0x00007FF6CFC51000-memory.dmp

memory/3964-29-0x00007FF73B2D0000-0x00007FF73B621000-memory.dmp

C:\Windows\System\fsmBMci.exe

MD5 2606917091aa97c4ce010a2d5e355757
SHA1 5adfa1ee7d864590d28dfd9951e26d8a034455f6
SHA256 6aff6abd3ccef24786048d902eff7f722dc043e006395d2c65af492577d60980
SHA512 f87d63042d2ddb02ff0127cf2db5bcf75f5bbe1a231b9acdbea182abf8e42534fd4d5b86511ed9f5c7b71131f2c9ece004dcc017ab1862de7caf07f19bb38186

memory/1288-24-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp

memory/4540-95-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp

memory/4808-99-0x00007FF6CF900000-0x00007FF6CFC51000-memory.dmp

C:\Windows\System\sFccLeD.exe

MD5 b093240e4d21d912ee53a44d24ebefd0
SHA1 5706e68378212293060bd8914b340dbea1b26bb3
SHA256 5b79e810782b68f848a310a7a86dc470f01418c1c9fb6766ddd7125c52821e25
SHA512 71481c17ca2facff02a1baad1d9c4d04ed634e718219ef4e3849181050118799ba714770a22d8adf890692ed67cab06cba68bf687f0e188d87dd1fcd0e877974

C:\Windows\System\eXwZCsN.exe

MD5 5bf32d9e897401fda076a6c00c98973f
SHA1 102f1afaad02379d94466307c24f40d4dca7c4f5
SHA256 a3b4afa8863579f08858f6576fa342d1fc00080dc61cf131c8668432948c12c1
SHA512 8f11d39b57a7d665739201b5c42e573c0d0c501cadef6e93c0fa18427cc5e13dcb23e2bd5ce60f76885ffde8be52dd0bfbe1fcf5aeeef52a06f3a3f562e516c6

C:\Windows\System\wounOUU.exe

MD5 096bab978e09edb5c4c16e5a47a63725
SHA1 115474f1cd8108f7e1ba7348d0257f78c0a6ec03
SHA256 08ba1ad1df6b9988b6ecd3eb47b6a179703122f38907d0a7957f12b79e218e0b
SHA512 37592ab263b36121de298772dc59795362d87d210973bdf830c4b30857f5644d31eb679566e4958ab4c3ab0a1a74e04a7654f9cfade4d6ae987e3eb75a42a1b2

memory/400-133-0x00007FF729650000-0x00007FF7299A1000-memory.dmp

C:\Windows\System\qOEzeDd.exe

MD5 785865a0bca0cdab161abbbc3f79b67b
SHA1 cfde894b730e0789f93622e174eb9dbb2693a40f
SHA256 2d49634d952f87dd464d6e1f6c25b988dd392dac6e168802aa896350e27cc66f
SHA512 ef898bb094cc11e8be56d260267b4594c2377b81f43b489eac34c85e13a33f23f7e9be4b3a961c275a296f162815cc5d334389a4f339fb15002a1d74ad8fc33d

C:\Windows\System\bWPMcmV.exe

MD5 635d108cb29398736ea4ceacb0ad202e
SHA1 e66717e13b135b8503b0be42e73d4b70f3ca2619
SHA256 34a0748f53ee8ffbb008591032c1ca83b98ce6ec3c2372f66ee7e1fdb6de6d14
SHA512 ff6ac5e28e5247aadb9c31957eddb926f8df589cdceac48c06324cef2aa3886c7866e5abdcea0095a99e61f0371f697ebd871db6ef00b81a130194788bbcd367

memory/1556-138-0x00007FF7FC0A0000-0x00007FF7FC3F1000-memory.dmp

C:\Windows\System\IzFfcPQ.exe

MD5 5c08a14ae4161344ddd1235c1ebfb9b8
SHA1 e3a98e83ca4d3f8a526e720ed96a106f8b150eab
SHA256 0dee5d0cd49d89d09a124b4b98f04c25a18d9854751e742b4a564d3d034f5eff
SHA512 334ad5a4b90b0cbedd3c3ad19bd96641c5101a4afcab91c4c1ac9a632d59628b55ef4815fb091063e9415389fd3f4f3af0444fd50b3b35acaf5374882938fb85

memory/4832-135-0x00007FF7BB000000-0x00007FF7BB351000-memory.dmp

memory/1972-134-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp

memory/2112-128-0x00007FF6F0DE0000-0x00007FF6F1131000-memory.dmp

memory/4804-110-0x00007FF6EBC40000-0x00007FF6EBF91000-memory.dmp

memory/4780-104-0x00007FF627030000-0x00007FF627381000-memory.dmp

memory/884-101-0x00007FF69B380000-0x00007FF69B6D1000-memory.dmp

memory/1288-97-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp

memory/3964-98-0x00007FF73B2D0000-0x00007FF73B621000-memory.dmp

memory/4596-96-0x00007FF78D480000-0x00007FF78D7D1000-memory.dmp

memory/4820-94-0x00007FF749ED0000-0x00007FF74A221000-memory.dmp

memory/2912-102-0x00007FF76BC00000-0x00007FF76BF51000-memory.dmp

memory/4780-145-0x00007FF627030000-0x00007FF627381000-memory.dmp

memory/4804-156-0x00007FF6EBC40000-0x00007FF6EBF91000-memory.dmp

memory/4832-164-0x00007FF7BB000000-0x00007FF7BB351000-memory.dmp

memory/400-165-0x00007FF729650000-0x00007FF7299A1000-memory.dmp

memory/1972-163-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp

memory/1556-166-0x00007FF7FC0A0000-0x00007FF7FC3F1000-memory.dmp

memory/4780-167-0x00007FF627030000-0x00007FF627381000-memory.dmp

memory/4820-195-0x00007FF749ED0000-0x00007FF74A221000-memory.dmp

memory/4540-197-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp

memory/4596-216-0x00007FF78D480000-0x00007FF78D7D1000-memory.dmp

memory/3964-218-0x00007FF73B2D0000-0x00007FF73B621000-memory.dmp

memory/1288-221-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp

memory/4952-223-0x00007FF7800C0000-0x00007FF780411000-memory.dmp

memory/4808-224-0x00007FF6CF900000-0x00007FF6CFC51000-memory.dmp

memory/884-228-0x00007FF69B380000-0x00007FF69B6D1000-memory.dmp

memory/2912-227-0x00007FF76BC00000-0x00007FF76BF51000-memory.dmp

memory/4756-239-0x00007FF6F35C0000-0x00007FF6F3911000-memory.dmp

memory/4744-240-0x00007FF7EDA50000-0x00007FF7EDDA1000-memory.dmp

memory/3136-237-0x00007FF7C8730000-0x00007FF7C8A81000-memory.dmp

memory/4724-235-0x00007FF7E3B40000-0x00007FF7E3E91000-memory.dmp

memory/4380-231-0x00007FF72F7C0000-0x00007FF72FB11000-memory.dmp

memory/1364-233-0x00007FF7C8090000-0x00007FF7C83E1000-memory.dmp

memory/4804-249-0x00007FF6EBC40000-0x00007FF6EBF91000-memory.dmp

memory/2112-251-0x00007FF6F0DE0000-0x00007FF6F1131000-memory.dmp

memory/4832-253-0x00007FF7BB000000-0x00007FF7BB351000-memory.dmp

memory/400-255-0x00007FF729650000-0x00007FF7299A1000-memory.dmp

memory/1556-257-0x00007FF7FC0A0000-0x00007FF7FC3F1000-memory.dmp

memory/1972-259-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 13:56

Reported

2024-11-10 13:58

Platform

win7-20240903-en

Max time kernel

120s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 rows, all fields N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
41 rows, all fields N/A

Loads dropped DLL

Description Indicator Process Target
21 rows; Process is C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe in every row, Description, Indicator and Target N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rnlDFHl.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\uqzhUhm.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\CvhcTiv.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\dsmKYdO.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\YBKPqup.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\PouiAeA.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\zxfVcpp.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\MBayiyI.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\CMmyUfV.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\VyxUwaG.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\qzHlpFZ.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\vGKaJQF.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\riqvWkP.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\CbjxYLB.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\KFPoFWg.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\ftrPwmC.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\upIrkor.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\oxLfYpC.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\ZFlLtOP.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\jsxZAxv.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
File created C:\Windows\System\fNkaaGg.exe C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\rnlDFHl.exe
PID 2508 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\rnlDFHl.exe
PID 2508 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\rnlDFHl.exe
PID 2508 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\oxLfYpC.exe
PID 2508 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\oxLfYpC.exe
PID 2508 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\oxLfYpC.exe
PID 2508 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\vGKaJQF.exe
PID 2508 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\vGKaJQF.exe
PID 2508 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\vGKaJQF.exe
PID 2508 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\riqvWkP.exe
PID 2508 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\riqvWkP.exe
PID 2508 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\riqvWkP.exe
PID 2508 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\dsmKYdO.exe
PID 2508 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\dsmKYdO.exe
PID 2508 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\dsmKYdO.exe
PID 2508 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\CbjxYLB.exe
PID 2508 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\CbjxYLB.exe
PID 2508 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\CbjxYLB.exe
PID 2508 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\KFPoFWg.exe
PID 2508 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\KFPoFWg.exe
PID 2508 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\KFPoFWg.exe
PID 2508 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\ZFlLtOP.exe
PID 2508 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\ZFlLtOP.exe
PID 2508 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\ZFlLtOP.exe
PID 2508 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\MBayiyI.exe
PID 2508 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\MBayiyI.exe
PID 2508 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\MBayiyI.exe
PID 2508 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\jsxZAxv.exe
PID 2508 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\jsxZAxv.exe
PID 2508 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\jsxZAxv.exe
PID 2508 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\YBKPqup.exe
PID 2508 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\YBKPqup.exe
PID 2508 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\YBKPqup.exe
PID 2508 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\fNkaaGg.exe
PID 2508 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\fNkaaGg.exe
PID 2508 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\fNkaaGg.exe
PID 2508 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\PouiAeA.exe
PID 2508 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\PouiAeA.exe
PID 2508 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\PouiAeA.exe
PID 2508 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\CMmyUfV.exe
PID 2508 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\CMmyUfV.exe
PID 2508 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\CMmyUfV.exe
PID 2508 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\VyxUwaG.exe
PID 2508 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\VyxUwaG.exe
PID 2508 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\VyxUwaG.exe
PID 2508 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\ftrPwmC.exe
PID 2508 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\ftrPwmC.exe
PID 2508 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\ftrPwmC.exe
PID 2508 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\uqzhUhm.exe
PID 2508 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\uqzhUhm.exe
PID 2508 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\uqzhUhm.exe
PID 2508 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\zxfVcpp.exe
PID 2508 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\zxfVcpp.exe
PID 2508 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\zxfVcpp.exe
PID 2508 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\upIrkor.exe
PID 2508 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\upIrkor.exe
PID 2508 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\upIrkor.exe
PID 2508 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\qzHlpFZ.exe
PID 2508 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\qzHlpFZ.exe
PID 2508 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\qzHlpFZ.exe
PID 2508 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\CvhcTiv.exe
PID 2508 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\CvhcTiv.exe
PID 2508 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe C:\Windows\System\CvhcTiv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe

"C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe"

C:\Windows\System\rnlDFHl.exe

C:\Windows\System\rnlDFHl.exe

C:\Windows\System\oxLfYpC.exe

C:\Windows\System\oxLfYpC.exe

C:\Windows\System\vGKaJQF.exe

C:\Windows\System\vGKaJQF.exe

C:\Windows\System\riqvWkP.exe

C:\Windows\System\riqvWkP.exe

C:\Windows\System\dsmKYdO.exe

C:\Windows\System\dsmKYdO.exe

C:\Windows\System\CbjxYLB.exe

C:\Windows\System\CbjxYLB.exe

C:\Windows\System\KFPoFWg.exe

C:\Windows\System\KFPoFWg.exe

C:\Windows\System\ZFlLtOP.exe

C:\Windows\System\ZFlLtOP.exe

C:\Windows\System\MBayiyI.exe

C:\Windows\System\MBayiyI.exe

C:\Windows\System\jsxZAxv.exe

C:\Windows\System\jsxZAxv.exe

C:\Windows\System\YBKPqup.exe

C:\Windows\System\YBKPqup.exe

C:\Windows\System\fNkaaGg.exe

C:\Windows\System\fNkaaGg.exe

C:\Windows\System\PouiAeA.exe

C:\Windows\System\PouiAeA.exe

C:\Windows\System\CMmyUfV.exe

C:\Windows\System\CMmyUfV.exe

C:\Windows\System\VyxUwaG.exe

C:\Windows\System\VyxUwaG.exe

C:\Windows\System\ftrPwmC.exe

C:\Windows\System\ftrPwmC.exe

C:\Windows\System\uqzhUhm.exe

C:\Windows\System\uqzhUhm.exe

C:\Windows\System\zxfVcpp.exe

C:\Windows\System\zxfVcpp.exe

C:\Windows\System\upIrkor.exe

C:\Windows\System\upIrkor.exe

C:\Windows\System\qzHlpFZ.exe

C:\Windows\System\qzHlpFZ.exe

C:\Windows\System\CvhcTiv.exe

C:\Windows\System\CvhcTiv.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2508-0-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2508-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\rnlDFHl.exe

MD5 c0ff4510fd451d832fdb2c3d9ea5d679
SHA1 d104c8c59290f936151222217b3bcbbad6ecf09b
SHA256 b0a4da9a34000a280bd0debf109e10bf63890c6beef36657fabd5fe9c1d0319c
SHA512 0b058848a06a9a350879112da4651f0901bb4d01c857d980cf288ed0a824712eb14d296e0b789cc5d45f0b09dcb9f7187fc5be3473753796e3b6b346f8e2b328

C:\Windows\system\oxLfYpC.exe

MD5 2c59c4f96f9e32d318c3161176c695a9
SHA1 fc0bb3971240a721a368f9d21c9656529d601a1a
SHA256 d36183c2ca4a1ab264569c03483d09de821d1ed70c13a3b63cd49713a7d76aa0
SHA512 c20b85f6e35ba6fa33c686b2a460a9c656cbcb8202bfcbe97fc2954960c77a222611afc136fb897b029b539e8489d6d7d6f9faf0f541089e9829cf0183a32c19

\Windows\system\vGKaJQF.exe

MD5 40554e4d69e8e24338e0159ecaa59938
SHA1 9f09f9cb5285c668f1427412f83d870a3b63dc4f
SHA256 16b5a403311aed0d73f1db1142f44e0b9fb208433a0b275743d4784ee6f1c825
SHA512 5800944f37b0ea837ce3ea06118d084afb9c2ac2db237224a59aeebd6046dc5156187f9c90d264fb6172e465a701e6d720a3518544d0547030b8078f3021feed

memory/2508-43-0x000000013FD90000-0x00000001400E1000-memory.dmp

\Windows\system\riqvWkP.exe

MD5 40277bc9b9b3460f75c8c03824a63736
SHA1 d5cfeae0e7d193b0fac02bb3ae1a466e18751ab5
SHA256 a6d147bfbf511042ea346954b775a793eb3b8a6d1b0d6ffb8ff2b87d7b09ff63
SHA512 f2c53d8684a5d03aa78041ecf4791c9b327de28199aec3bd3b18f08ae4a054abe906c40cc71b4a65b23b05faa091c401b8e96e3d0f50d5b684f2607490780fca

memory/2704-49-0x000000013F500000-0x000000013F851000-memory.dmp

C:\Windows\system\ZFlLtOP.exe

MD5 f1e611a4c7a6ba6486fdb2337c35625a
SHA1 705edba064c998608ca96e05b4cdd95e7f7edbdc
SHA256 f38d392dff2352a277016b799102225bd30234019b933485aa5dd8fc5fec83e2
SHA512 167cd6dac92a9750219e25f54879dc98af662db7cdacdd9c16167ca2ad85703850cf6271f83eac51a481d4622987e10f4fa2914c64f01bc6863c41f0c3302cb3

memory/2972-63-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2508-68-0x000000013FA00000-0x000000013FD51000-memory.dmp

C:\Windows\system\YBKPqup.exe

MD5 22f0e5e3c1a5efccbb317fc372a743b9
SHA1 09777b0fa21602af72398850459366e6da654e86
SHA256 33ac40a98b5bc9d9991317321328094e811732313d3f1ea5d772ea5f78b76e85
SHA512 fe013b44888857fb4635801830423c1f7fe5aae2289d548ba89bb1f160202d3fe5432f06909c4842d00641ec1fc0b09e4c9925c4e8dec2ca23f7fd173065c5d0

memory/2056-78-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2648-84-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/1944-94-0x000000013F640000-0x000000013F991000-memory.dmp

C:\Windows\system\VyxUwaG.exe

MD5 cc1b255b321c7f17406a619a52da0ce3
SHA1 6fb4e401a42597a7e73dfee8654c34a5420ce9c6
SHA256 7a93e43201eb785cac09f75b570b96280b111f434f41d55a9ae977a414360594
SHA512 880b0f1caff1e53ccac3f83e698005cad107372f5234e0124181799cf731cf2f158e40a67c17330a662a2de44874b60e6b8acf54d76d5a388693332dd69368aa

C:\Windows\system\zxfVcpp.exe

MD5 4d465948e271b78accfa6d0a58f7bdae
SHA1 eba3a3406722c67af98db3f5fa36a20e4b57f9fe
SHA256 59062140e201b40e4efa14aa6475864793c69be96f9e140d736328626c1203c1
SHA512 c9ca736219c72b781841fd9036d23ce9c6647e4c69dca90dfb866291a66492acad9e4a4a13c7c3886bd8e8ae261f2abece29c0e35bdc7e50907e40f4b9c50c91

C:\Windows\system\CvhcTiv.exe

MD5 528487bd22d8aaedbcb34cd30ed0d454
SHA1 17c3f4654ec0bebde4e0952e29a111d5bd6c022b
SHA256 b8cfb92a5246823c7a06d0d2555ecee91232162a48c590236d4866c18c4fe1d2
SHA512 b10745187e93f120ecd0d724a86893f7d2936cf3103451b60bccf0bdb9d7b47c0e99ee82c672217eacefe91982e2b96dacba33ef7d5c0b281014e31e7fb74d11

C:\Windows\system\qzHlpFZ.exe

MD5 d54db5238803216dc6d1c1b79e1c6c8e
SHA1 7b2101ab4610d6e989fa46d1a72d1041a9546178
SHA256 e1bb77389269b10e8c0bfa55370a05a8ea0569f9edb072223736bd3d82ca2366
SHA512 b061ce3d166e44cc486d6422cf13998195506ccc56d1392ceaa046a19d0df50a0387bbfc12f25fa65251f15c1a0ae797764093c525522b4d3a22fe90f985f5dd

C:\Windows\system\upIrkor.exe

MD5 f94de6e51ca3277c3b1342d09991780e
SHA1 3506866840492f90308baf9b5a442d4dd654ee58
SHA256 85c800e3550b83011c069d39e67a7b6a92caa331166047376dc099986afe0e2a
SHA512 20d7e902a6d3c0b5967800d0bfaae60690bfc09d02da90a0c793ca9d7292afe0ebef8a65739809c65414e49e43ce8f7ffa94dbbbd9b57d835483d494b060ebe9

C:\Windows\system\ftrPwmC.exe

MD5 8d42319951dd7caa560087b49dd5e137
SHA1 d64434ce2ad9fd600f270a7f1a8fa1fa540b972f
SHA256 69efd87b0d0a91aad982d6698c5a976aaf28d696c6fcfe7d8d940ed6a25feeff
SHA512 e2d4bca91bf7dfc542d99857744e709d41544a236dc480936fb7e67465e5c844b8f9aa813f015e93270d852305ce269b98221fcc3932405ef45f756eaf7ff98e

memory/2508-111-0x000000013F140000-0x000000013F491000-memory.dmp

C:\Windows\system\uqzhUhm.exe

MD5 e9818cf3a5d53bae721bea34d02c3c13
SHA1 50f6d19528c09dd112c9bdb02a49e065711bcc1e
SHA256 a3911bdbebe51cfd1fc19d59f4318d95be78a64482d0f2ba7e8265f762246317
SHA512 31d1504e19531182ae82a586712ada0f247172108ff232f1f36aa3f4ad7eaf16c4d027dd5169eabf59e08b3b3419091d44af679bc9ed1d2cc076db002421a0af

memory/2508-139-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2772-107-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/2952-100-0x000000013F530000-0x000000013F881000-memory.dmp

memory/2508-99-0x000000013F530000-0x000000013F881000-memory.dmp

memory/2972-98-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

C:\Windows\system\CMmyUfV.exe

MD5 7f7855bb32d61379bd313dc9612a3ab3
SHA1 f725c4b0acf47e5f0ad4ecb02e48157d3c01b6f2
SHA256 d11b6926d9942dba366752f3a4e525b746c3cc15bf94e37d9e981e84a0df5001
SHA512 89f375045f079c67516da36a4714f651c74620b373be1c518397f2c2f58ed66b093540b4c69c2c765359b335a5a0ed0d4bf9fdf0c8eae807524acaa84f2c263c

memory/2648-141-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/2508-140-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/2508-93-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2508-92-0x000000013FE20000-0x0000000140171000-memory.dmp

C:\Windows\system\PouiAeA.exe

MD5 5ebe9a875dc9d9ebae02aaef0658befd
SHA1 033bb5fd05d098bf97792d3969fc1ccb34e8d350
SHA256 38a5fba0b035ff74637603f649c0f2ac8b62247df104b7d9781bbc75c68c6032
SHA512 2edd3c5dcee63ea7d28799f23742b4085dc03db9966e4b7633776dd38588af8932e1222fd978d6dcda854865a9884788bff037823537b0e41a9932dd277e1c68

memory/2508-83-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/2704-82-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2508-142-0x000000013F640000-0x000000013F991000-memory.dmp

C:\Windows\system\fNkaaGg.exe

MD5 cd283d70a182800c582a284c808093e1
SHA1 414b0423fd53b1f4b7c32ad7d5b03b1e4fb4ff33
SHA256 f45c8ae56971622b8c4300c4dcd7d1801cec56b881ae9bc0f2ceffddc3c4f72a
SHA512 e146bbdd4388e222ec4b1f4a1ba52d44ca56cbbd6d63c0aa5e106a9ab1fd5909b35562fe02d04c5714628325d51b1e04c866a208e7a944d6e2292bc502f1916c

memory/2508-77-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2772-69-0x000000013F180000-0x000000013F4D1000-memory.dmp

C:\Windows\system\jsxZAxv.exe

MD5 f1c8c4dc179781ec9a0127dc289a9f18
SHA1 c748f23880914dccf8802ae8ab9436a93e58b46c
SHA256 250ba2a844e61d9470e643a79bc4565504b141b644bbecc23ec94301af4894a7
SHA512 7d9687c7ef7b898c6456265553a3123004c3ffab1714ba389e32c798af9d55877e263e83f2f3253d3ed94c49eca9a3a26ddeb3187a7e0c979a98a1688618def6

memory/2508-62-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2952-144-0x000000013F530000-0x000000013F881000-memory.dmp

memory/2508-143-0x000000013F530000-0x000000013F881000-memory.dmp

C:\Windows\system\MBayiyI.exe

MD5 17cecb58005483958d285fca1d8dcf66
SHA1 463183e162e3e4d42ac5474d06f8e6a008721e1a
SHA256 d93fe5ac33c1908c5745e1832ac19965a6f012c316b6da5c6e3bb5a59f356d31
SHA512 fa9a964df0b15ec8da12b67496bf26d9188af45e2912800d2e5b68203ba611606f01a576fc6e59b7b123dbbb2700c5fa2ab338847729ba6d63e70d910fbcd602

memory/3012-57-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2508-56-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2508-145-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2328-48-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2508-31-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/1812-30-0x000000013F120000-0x000000013F471000-memory.dmp

\Windows\system\CbjxYLB.exe

MD5 f5784d5054be473e75c4e6d5cb912f3b
SHA1 5873574d31298a86c6c8a888adf35de9808f83b4
SHA256 23b5f4d23e287e8bfa3ef850c58dc371b9cd22beb9b7f20fa91acd58ecf1fcba
SHA512 098eab8d43897dacec213ebd343515d558b639041ff09f7aa3a1aff2e8a8f16cff5d0a6c077cdea880fc2890d231c66d2898a40740d4ada75f3e788562a0a841

memory/2860-44-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/1176-166-0x000000013F310000-0x000000013F661000-memory.dmp

memory/268-165-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/1096-164-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/1304-163-0x000000013F350000-0x000000013F6A1000-memory.dmp

memory/2968-162-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2836-161-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/1580-160-0x000000013F140000-0x000000013F491000-memory.dmp

memory/2508-42-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2508-40-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2508-39-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

C:\Windows\system\KFPoFWg.exe

MD5 c01aaf976b3f1805161be1295ad47ffb
SHA1 bcf3fc7cbcd470b5f1b9332e55e4c5c06653d644
SHA256 f756b6e68bc9393c232cc60844113369119bef2e680a8c7d4c5e2a83f6f98eff
SHA512 f4ce638b817d7f9bb3206e63f6b8c76ace2fca28affbe2717c94fd167f399f2e1bd38ef4752883aeb5a971269d1a513b93d0b42fea7a351467ba83107be76909

memory/1832-37-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2508-28-0x000000013F120000-0x000000013F471000-memory.dmp

memory/1736-27-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

C:\Windows\system\dsmKYdO.exe

MD5 c499ce736a196384754de67cfb405e77
SHA1 fcbffaa6827c1b176aae8e07c847d9c4282a8cc7
SHA256 8048171c61a46d15cff34662e6e3b5c953f1a20e3059a60cef770fb7f9deb920
SHA512 63202aff1c95db66a3b6e7e6e5c9a81d1f690f2219b9d645fedf758baa2d1386f3574343e6059d72d2af5eaaa0a5e0ff0de262efb5b5178603295c13abed9cee

memory/2096-24-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2508-167-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2096-220-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/1812-222-0x000000013F120000-0x000000013F471000-memory.dmp

memory/1736-224-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/1832-226-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2860-228-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2328-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/3012-239-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2704-241-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2972-243-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2772-245-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/2056-247-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2648-249-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/1944-251-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2952-260-0x000000013F530000-0x000000013F881000-memory.dmp