cobaltstrike | 783161abb0cd5a55fc64cd158073fe5c654804aee5509552bed6e859525bb6a5

Resubmissions

20-10-2024 19:07

241020-xsskxaxakn 10

16-09-2024 21:47

240916-1nhrpa1fpr 10

16-09-2024 21:33

240916-1ejyds1bqk 10

Analysis

max time kernel
91s
max time network
87s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16-09-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38a6bcbd35708a03a4bd104b84264b8b.exe
Size

5.2MB
MD5

38a6bcbd35708a03a4bd104b84264b8b
SHA1

30777981ea899ab92e5c2a06e378ae3be19ebde7
SHA256

783161abb0cd5a55fc64cd158073fe5c654804aee5509552bed6e859525bb6a5
SHA512

fc1585cd1aa1412ad4525aaf9d6fda9c95e18c7bdc1cdf1e01b4d446fc8677dedb65a982f5d8ffb87b618b229b41850462b4fec8ebe8cde697e6b463a496c536
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lP:RWWBibf56utgpPFotBER/mQ32lUL

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000800000001ac0f-4.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001ac12-10.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac13-15.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac14-22.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac15-26.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac17-44.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac18-49.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac19-57.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac1a-67.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac1b-70.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac16-45.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001ac10-39.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac1c-76.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac1d-83.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac1f-102.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac22-115.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac23-126.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac24-129.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac21-114.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac20-108.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001ac1e-92.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral1/memory/2092-73-0x00007FF7DF410000-0x00007FF7DF761000-memory.dmp	xmrig
behavioral1/memory/1460-72-0x00007FF78FA80000-0x00007FF78FDD1000-memory.dmp	xmrig
behavioral1/memory/2832-66-0x00007FF73B940000-0x00007FF73BC91000-memory.dmp	xmrig
behavioral1/memory/2108-65-0x00007FF6F1770000-0x00007FF6F1AC1000-memory.dmp	xmrig
behavioral1/memory/5036-85-0x00007FF6F4BD0000-0x00007FF6F4F21000-memory.dmp	xmrig
behavioral1/memory/2520-79-0x00007FF703FB0000-0x00007FF704301000-memory.dmp	xmrig
behavioral1/memory/1444-94-0x00007FF735B90000-0x00007FF735EE1000-memory.dmp	xmrig
behavioral1/memory/236-118-0x00007FF7DE7A0000-0x00007FF7DEAF1000-memory.dmp	xmrig
behavioral1/memory/356-124-0x00007FF665260000-0x00007FF6655B1000-memory.dmp	xmrig
behavioral1/memory/1840-116-0x00007FF7AA530000-0x00007FF7AA881000-memory.dmp	xmrig
behavioral1/memory/4400-110-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp	xmrig
behavioral1/memory/2284-99-0x00007FF6185A0000-0x00007FF6188F1000-memory.dmp	xmrig
behavioral1/memory/4660-97-0x00007FF7B3B60000-0x00007FF7B3EB1000-memory.dmp	xmrig
behavioral1/memory/2520-133-0x00007FF703FB0000-0x00007FF704301000-memory.dmp	xmrig
behavioral1/memory/4220-139-0x00007FF66D940000-0x00007FF66DC91000-memory.dmp	xmrig
behavioral1/memory/876-138-0x00007FF7290F0000-0x00007FF729441000-memory.dmp	xmrig
behavioral1/memory/2980-141-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp	xmrig
behavioral1/memory/4960-140-0x00007FF7E6AF0000-0x00007FF7E6E41000-memory.dmp	xmrig
behavioral1/memory/3592-132-0x00007FF7D4520000-0x00007FF7D4871000-memory.dmp	xmrig
behavioral1/memory/3884-150-0x00007FF665B90000-0x00007FF665EE1000-memory.dmp	xmrig
behavioral1/memory/3868-156-0x00007FF7DD670000-0x00007FF7DD9C1000-memory.dmp	xmrig
behavioral1/memory/4744-160-0x00007FF6BA190000-0x00007FF6BA4E1000-memory.dmp	xmrig
behavioral1/memory/2920-167-0x00007FF762380000-0x00007FF7626D1000-memory.dmp	xmrig
behavioral1/memory/2520-168-0x00007FF703FB0000-0x00007FF704301000-memory.dmp	xmrig
behavioral1/memory/5036-218-0x00007FF6F4BD0000-0x00007FF6F4F21000-memory.dmp	xmrig
behavioral1/memory/1444-220-0x00007FF735B90000-0x00007FF735EE1000-memory.dmp	xmrig
behavioral1/memory/2284-222-0x00007FF6185A0000-0x00007FF6188F1000-memory.dmp	xmrig
behavioral1/memory/4400-232-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp	xmrig
behavioral1/memory/236-234-0x00007FF7DE7A0000-0x00007FF7DEAF1000-memory.dmp	xmrig
behavioral1/memory/3592-236-0x00007FF7D4520000-0x00007FF7D4871000-memory.dmp	xmrig
behavioral1/memory/2108-239-0x00007FF6F1770000-0x00007FF6F1AC1000-memory.dmp	xmrig
behavioral1/memory/1460-242-0x00007FF78FA80000-0x00007FF78FDD1000-memory.dmp	xmrig
behavioral1/memory/876-241-0x00007FF7290F0000-0x00007FF729441000-memory.dmp	xmrig
behavioral1/memory/2092-247-0x00007FF7DF410000-0x00007FF7DF761000-memory.dmp	xmrig
behavioral1/memory/2832-248-0x00007FF73B940000-0x00007FF73BC91000-memory.dmp	xmrig
behavioral1/memory/2980-245-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp	xmrig
behavioral1/memory/3884-253-0x00007FF665B90000-0x00007FF665EE1000-memory.dmp	xmrig
behavioral1/memory/3868-255-0x00007FF7DD670000-0x00007FF7DD9C1000-memory.dmp	xmrig
behavioral1/memory/4660-263-0x00007FF7B3B60000-0x00007FF7B3EB1000-memory.dmp	xmrig
behavioral1/memory/4744-265-0x00007FF6BA190000-0x00007FF6BA4E1000-memory.dmp	xmrig
behavioral1/memory/1840-267-0x00007FF7AA530000-0x00007FF7AA881000-memory.dmp	xmrig
behavioral1/memory/356-269-0x00007FF665260000-0x00007FF6655B1000-memory.dmp	xmrig
behavioral1/memory/4220-271-0x00007FF66D940000-0x00007FF66DC91000-memory.dmp	xmrig
behavioral1/memory/4960-275-0x00007FF7E6AF0000-0x00007FF7E6E41000-memory.dmp	xmrig
behavioral1/memory/2920-276-0x00007FF762380000-0x00007FF7626D1000-memory.dmp	xmrig
behavioral1/memory/2520-280-0x00007FF703FB0000-0x00007FF704301000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5036	CfWRrga.exe
1444	znvSCyS.exe
2284	BkgHUvQ.exe
4400	YlHNeIM.exe
236	rIeBVHG.exe
3592	gvxyESz.exe
876	rJVZgNy.exe
2108	khYCkEH.exe
1460	mSnyxKh.exe
2832	fCvDNHI.exe
2092	JBmeEzm.exe
2980	DIWFvhR.exe
3884	bvPvpko.exe
3868	OtgZdPD.exe
4660	cwpIWJn.exe
4744	HdZbGyG.exe
1840	cEazcws.exe
356	rNBqmqr.exe
2920	LDQJZJZ.exe
4220	okBAcAk.exe
4960	imZdzsb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2520-0-0x00007FF703FB0000-0x00007FF704301000-memory.dmp	upx
behavioral1/files/0x000800000001ac0f-4.dat	upx
behavioral1/files/0x000800000001ac12-10.dat	upx
behavioral1/files/0x000700000001ac13-15.dat	upx
behavioral1/memory/2284-18-0x00007FF6185A0000-0x00007FF6188F1000-memory.dmp	upx
behavioral1/memory/1444-14-0x00007FF735B90000-0x00007FF735EE1000-memory.dmp	upx
behavioral1/memory/5036-7-0x00007FF6F4BD0000-0x00007FF6F4F21000-memory.dmp	upx
behavioral1/files/0x000700000001ac14-22.dat	upx
behavioral1/memory/4400-25-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp	upx
behavioral1/files/0x000700000001ac15-26.dat	upx
behavioral1/memory/236-32-0x00007FF7DE7A0000-0x00007FF7DEAF1000-memory.dmp	upx
behavioral1/files/0x000700000001ac17-44.dat	upx
behavioral1/files/0x000700000001ac18-49.dat	upx
behavioral1/files/0x000700000001ac19-57.dat	upx
behavioral1/files/0x000700000001ac1a-67.dat	upx
behavioral1/files/0x000700000001ac1b-70.dat	upx
behavioral1/memory/2092-73-0x00007FF7DF410000-0x00007FF7DF761000-memory.dmp	upx
behavioral1/memory/1460-72-0x00007FF78FA80000-0x00007FF78FDD1000-memory.dmp	upx
behavioral1/memory/2980-69-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp	upx
behavioral1/memory/2832-66-0x00007FF73B940000-0x00007FF73BC91000-memory.dmp	upx
behavioral1/memory/2108-65-0x00007FF6F1770000-0x00007FF6F1AC1000-memory.dmp	upx
behavioral1/memory/876-61-0x00007FF7290F0000-0x00007FF729441000-memory.dmp	upx
behavioral1/files/0x000700000001ac16-45.dat	upx
behavioral1/files/0x000800000001ac10-39.dat	upx
behavioral1/memory/3592-38-0x00007FF7D4520000-0x00007FF7D4871000-memory.dmp	upx
behavioral1/files/0x000700000001ac1c-76.dat	upx
behavioral1/files/0x000700000001ac1d-83.dat	upx
behavioral1/memory/3868-86-0x00007FF7DD670000-0x00007FF7DD9C1000-memory.dmp	upx
behavioral1/memory/5036-85-0x00007FF6F4BD0000-0x00007FF6F4F21000-memory.dmp	upx
behavioral1/memory/3884-82-0x00007FF665B90000-0x00007FF665EE1000-memory.dmp	upx
behavioral1/memory/2520-79-0x00007FF703FB0000-0x00007FF704301000-memory.dmp	upx
behavioral1/memory/1444-94-0x00007FF735B90000-0x00007FF735EE1000-memory.dmp	upx
behavioral1/files/0x000700000001ac1f-102.dat	upx
behavioral1/memory/4744-107-0x00007FF6BA190000-0x00007FF6BA4E1000-memory.dmp	upx
behavioral1/files/0x000700000001ac22-115.dat	upx
behavioral1/memory/236-118-0x00007FF7DE7A0000-0x00007FF7DEAF1000-memory.dmp	upx
behavioral1/files/0x000700000001ac23-126.dat	upx
behavioral1/files/0x000700000001ac24-129.dat	upx
behavioral1/memory/356-124-0x00007FF665260000-0x00007FF6655B1000-memory.dmp	upx
behavioral1/memory/2920-123-0x00007FF762380000-0x00007FF7626D1000-memory.dmp	upx
behavioral1/memory/1840-116-0x00007FF7AA530000-0x00007FF7AA881000-memory.dmp	upx
behavioral1/files/0x000700000001ac21-114.dat	upx
behavioral1/memory/4400-110-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp	upx
behavioral1/files/0x000700000001ac20-108.dat	upx
behavioral1/memory/2284-99-0x00007FF6185A0000-0x00007FF6188F1000-memory.dmp	upx
behavioral1/memory/4660-97-0x00007FF7B3B60000-0x00007FF7B3EB1000-memory.dmp	upx
behavioral1/files/0x000700000001ac1e-92.dat	upx
behavioral1/memory/2520-133-0x00007FF703FB0000-0x00007FF704301000-memory.dmp	upx
behavioral1/memory/4220-139-0x00007FF66D940000-0x00007FF66DC91000-memory.dmp	upx
behavioral1/memory/876-138-0x00007FF7290F0000-0x00007FF729441000-memory.dmp	upx
behavioral1/memory/2980-141-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp	upx
behavioral1/memory/4960-140-0x00007FF7E6AF0000-0x00007FF7E6E41000-memory.dmp	upx
behavioral1/memory/3592-132-0x00007FF7D4520000-0x00007FF7D4871000-memory.dmp	upx
behavioral1/memory/3884-150-0x00007FF665B90000-0x00007FF665EE1000-memory.dmp	upx
behavioral1/memory/3868-156-0x00007FF7DD670000-0x00007FF7DD9C1000-memory.dmp	upx
behavioral1/memory/4744-160-0x00007FF6BA190000-0x00007FF6BA4E1000-memory.dmp	upx
behavioral1/memory/2920-167-0x00007FF762380000-0x00007FF7626D1000-memory.dmp	upx
behavioral1/memory/2520-168-0x00007FF703FB0000-0x00007FF704301000-memory.dmp	upx
behavioral1/memory/5036-218-0x00007FF6F4BD0000-0x00007FF6F4F21000-memory.dmp	upx
behavioral1/memory/1444-220-0x00007FF735B90000-0x00007FF735EE1000-memory.dmp	upx
behavioral1/memory/2284-222-0x00007FF6185A0000-0x00007FF6188F1000-memory.dmp	upx
behavioral1/memory/4400-232-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp	upx
behavioral1/memory/236-234-0x00007FF7DE7A0000-0x00007FF7DEAF1000-memory.dmp	upx
behavioral1/memory/3592-236-0x00007FF7D4520000-0x00007FF7D4871000-memory.dmp	upx

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\System\mSnyxKh.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\OtgZdPD.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\rNBqmqr.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\System\YlHNeIM.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\rIeBVHG.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\khYCkEH.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\JBmeEzm.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\rJVZgNy.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\bvPvpko.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\LDQJZJZ.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\imZdzsb.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\znvSCyS.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\System\cEazcws.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\DIWFvhR.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\okBAcAk.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\BkgHUvQ.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\fCvDNHI.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\HdZbGyG.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\System\CfWRrga.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\gvxyESz.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\cwpIWJn.exe	38a6bcbd35708a03a4bd104b84264b8b.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
716	taskmgr.exe
716	taskmgr.exe
716	taskmgr.exe
716	taskmgr.exe
716	taskmgr.exe
716	taskmgr.exe
716	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2520	38a6bcbd35708a03a4bd104b84264b8b.exe
Token: SeLockMemoryPrivilege	2520	38a6bcbd35708a03a4bd104b84264b8b.exe
Token: SeDebugPrivilege	2560	taskmgr.exe
Token: SeSystemProfilePrivilege	2560	taskmgr.exe
Token: SeCreateGlobalPrivilege	2560	taskmgr.exe
Token: 33	2560	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2560	taskmgr.exe
Token: SeDebugPrivilege	716	taskmgr.exe
Token: SeSystemProfilePrivilege	716	taskmgr.exe
Token: SeCreateGlobalPrivilege	716	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 5036	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	74
PID 2520 wrote to memory of 5036	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	74
PID 2520 wrote to memory of 1444	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	75
PID 2520 wrote to memory of 1444	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	75
PID 2520 wrote to memory of 2284	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	76
PID 2520 wrote to memory of 2284	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	76
PID 2520 wrote to memory of 4400	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	77
PID 2520 wrote to memory of 4400	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	77
PID 2520 wrote to memory of 236	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	78
PID 2520 wrote to memory of 236	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	78
PID 2520 wrote to memory of 3592	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	79
PID 2520 wrote to memory of 3592	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	79
PID 2520 wrote to memory of 876	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	80
PID 2520 wrote to memory of 876	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	80
PID 2520 wrote to memory of 2108	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	81
PID 2520 wrote to memory of 2108	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	81
PID 2520 wrote to memory of 1460	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	82
PID 2520 wrote to memory of 1460	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	82
PID 2520 wrote to memory of 2832	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	83
PID 2520 wrote to memory of 2832	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	83
PID 2520 wrote to memory of 2092	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	84
PID 2520 wrote to memory of 2092	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	84
PID 2520 wrote to memory of 2980	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	85
PID 2520 wrote to memory of 2980	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	85
PID 2520 wrote to memory of 3884	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	86
PID 2520 wrote to memory of 3884	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	86
PID 2520 wrote to memory of 3868	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	87
PID 2520 wrote to memory of 3868	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	87
PID 2520 wrote to memory of 4660	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	88
PID 2520 wrote to memory of 4660	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	88
PID 2520 wrote to memory of 4744	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	89
PID 2520 wrote to memory of 4744	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	89
PID 2520 wrote to memory of 1840	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	90
PID 2520 wrote to memory of 1840	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	90
PID 2520 wrote to memory of 356	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	91
PID 2520 wrote to memory of 356	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	91
PID 2520 wrote to memory of 2920	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	92
PID 2520 wrote to memory of 2920	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	92
PID 2520 wrote to memory of 4220	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	93
PID 2520 wrote to memory of 4220	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	93
PID 2520 wrote to memory of 4960	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	94
PID 2520 wrote to memory of 4960	2520	38a6bcbd35708a03a4bd104b84264b8b.exe	94

C:\Users\Admin\AppData\Local\Temp\38a6bcbd35708a03a4bd104b84264b8b.exe
"C:\Users\Admin\AppData\Local\Temp\38a6bcbd35708a03a4bd104b84264b8b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System\CfWRrga.exe
  C:\Windows\System\CfWRrga.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\znvSCyS.exe
  C:\Windows\System\znvSCyS.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\BkgHUvQ.exe
  C:\Windows\System\BkgHUvQ.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\YlHNeIM.exe
  C:\Windows\System\YlHNeIM.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\rIeBVHG.exe
  C:\Windows\System\rIeBVHG.exe
  2⤵
  - Executes dropped EXE
  PID:236
- C:\Windows\System\gvxyESz.exe
  C:\Windows\System\gvxyESz.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\rJVZgNy.exe
  C:\Windows\System\rJVZgNy.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\khYCkEH.exe
  C:\Windows\System\khYCkEH.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\mSnyxKh.exe
  C:\Windows\System\mSnyxKh.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\fCvDNHI.exe
  C:\Windows\System\fCvDNHI.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\JBmeEzm.exe
  C:\Windows\System\JBmeEzm.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\DIWFvhR.exe
  C:\Windows\System\DIWFvhR.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\bvPvpko.exe
  C:\Windows\System\bvPvpko.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\OtgZdPD.exe
  C:\Windows\System\OtgZdPD.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System\cwpIWJn.exe
  C:\Windows\System\cwpIWJn.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\HdZbGyG.exe
  C:\Windows\System\HdZbGyG.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\cEazcws.exe
  C:\Windows\System\cEazcws.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\rNBqmqr.exe
  C:\Windows\System\rNBqmqr.exe
  2⤵
  - Executes dropped EXE
  PID:356
- C:\Windows\System\LDQJZJZ.exe
  C:\Windows\System\LDQJZJZ.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\okBAcAk.exe
  C:\Windows\System\okBAcAk.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\imZdzsb.exe
  C:\Windows\System\imZdzsb.exe
  2⤵
  - Executes dropped EXE
  PID:4960

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2560

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
C:\Windows\System\BkgHUvQ.exe

Filesize
5.2MB

MD5
5b2d93f9a5ae7c72f366b3ee8ed4a066

SHA1
5b06491fd3b5445c5fecedb8ca1b90e4f88436ed

SHA256
61a5ad238e3591ccdee902b6e888cf7ec5b100129280c8540c0432ca930709c6

SHA512
d1b78ea9930c0d35bea233d928ed6434fa469a2ba2f599160e635dbdea9c6eb38fbf00ad7030f59d435c3619e5bd24a3dda5fb35b9435a3e06a81b4cdd6908e9

Download Submit
C:\Windows\System\CfWRrga.exe

Filesize
5.2MB

MD5
8c81db2421df4f741b36e832b20ae671

SHA1
5837e5ad4b08ef7790c11e94917eccc03e519bd0

SHA256
13bfe7b13830bbf0eeb18afe6529acc5c54a822caf3320a9cf4ac0ead62e04e1

SHA512
6b60d09a6eeb5b87cd3263fd01e0ed92f4cf47d70c73cee4dd2a86ad6cb4b930fd1301f178d5b75e69b9a2c633ceaa71f7b395b0f67ea5de931dbf3aa7983d0c

Download Submit
C:\Windows\System\DIWFvhR.exe

Filesize
5.2MB

MD5
93504764a3674138f59b3f22e4f136df

SHA1
5e5c5efe0586c4cc0e3ba676dab8df83bdd16fc1

SHA256
d904a9f6290f2bb15afed6fe2eda6f2357006f5831fd1c9831fd3dfca32d9d5b

SHA512
db4a95a4f71982ff38f20d2759a8f56e85eeb8bfbcd24b96c1e10dd6f02cb074a1fec70d11fde29ed2fb3d23a150c3859d669b3cd36341ef0c5acab69e521322

Download Submit
C:\Windows\System\HdZbGyG.exe

Filesize
5.2MB

MD5
787c43cc900e9958bbb359e7a72da180

SHA1
420dd276c635ce5847ccfcf68b902d6f26ad41c2

SHA256
ce0266b0131dd381e72ba14fb50aee758b40731063b5f9a82edb79b7851dafbe

SHA512
fde27ff68e75258d8042cdbe7d7bc26dab5e727ad85adbb4a36ffa5f73ab650d0a41fad5c5ac25e458402403226133caea3580d3d1aa7095a5739ccab2b6337b

Download Submit
C:\Windows\System\JBmeEzm.exe

Filesize
5.2MB

MD5
00684ac32e140f555b735fc1e3ddcd87

SHA1
b1b205c04fee61d09494bb0f5c436e0030f1f7c9

SHA256
5bc22378f9ef7ab63abe25e0d1c58816a6adb14e2f9132125040f0a11c019a2f

SHA512
896fe38c7fa5de50df97777625587f4c072dd2fa45691bbe8508d5a1439a5903b5d6ae1e58134e13b1817849a0dba1857d271a792a46f298ff9611f97e34db90

Download Submit
C:\Windows\System\LDQJZJZ.exe

Filesize
5.2MB

MD5
a3364fd3f6186500ce0a47a700aaa737

SHA1
4f940d3a61604cec2fc4d0f0c50ee781d40f153e

SHA256
62156526d73bb2a173449b5307dbd64965cc9da988ab35659024ee0f0c4cabca

SHA512
1f02be497c2c09ed2ed166b497e39b2cb6b614340c01d415d663488d188858ef96069461999f14f65d973a57164aad2601baaa34e6924cf2eb764e504e99adf6

Download Submit
C:\Windows\System\OtgZdPD.exe

Filesize
5.2MB

MD5
88756dbdd8729b0b3f4849957b120e5d

SHA1
29c7325518a191f92fdcf7c2e502d35f69f07362

SHA256
62028761424c732dc5a9526ecf5618e41822eddff8a24ec73b5c1058083d22e7

SHA512
0cc24a8eb01cc32452e3361fecf09f5ff46e332da233523392d4ffd2fc9ac972a7189486414796121bc2ec142125e6f6bf240601d4d54f91dbaa10af6ed24f28

Download Submit
C:\Windows\System\YlHNeIM.exe

Filesize
5.2MB

MD5
5c65adc7098b7f5eff87b9f2c2fcbd85

SHA1
a4fcd30f75c298b5571a268e5afded7476384b74

SHA256
eb46c9a6efbe89529404eb8f00d39009a110eb522aa700f8280e0833387239d1

SHA512
b3873e4571a5ddccdd1d42e7f785626a45e1938edbab60c309b5783387ba7453cd362fb0a8e08e78d254d8def747863ca591f451158a5871e2ad5d23e8bdfbf1

Download Submit
C:\Windows\System\bvPvpko.exe

Filesize
5.2MB

MD5
d894ccfad86d310d35922ad8994d0764

SHA1
62bcc62762d789a3009bd420b2b54eeaccc5e567

SHA256
914c276c2271d5f6968365adfd5984376bf019be65b367e6517b1469e7e008e1

SHA512
e0cf9eeba74123364833c048daf18ca4d468f41718445b35568a91e24a3cd89dea898783c3fe039b610bf92edd4afe178b62330c1d7a341f0d48a88358374458

Download Submit
C:\Windows\System\cEazcws.exe

Filesize
5.2MB

MD5
18004e205f43adcb715b1cf93bc94f43

SHA1
a3e2f952dad4c83438f55ad64d6d0827b3df6cb9

SHA256
7459be06776bf2da5a2b51fd1d862b9fd44ef61362bd13522571ee3d49c6ef18

SHA512
dd4c1cc7783cbc542b99f763a58d4424cf270fb7ac676747aaf8324e1950788e8db0b666ad9c4027707f476f74087d799ee439bcfbc87460de351d200e03e0fa

Download Submit
C:\Windows\System\cwpIWJn.exe

Filesize
5.2MB

MD5
8e410b8d6a48f69aadfc0d919835785d

SHA1
90140dcd8309250efbcd57b399c69e453bf4a0c1

SHA256
765ca9b0a9319e4dbd550d3004e20c7c4ebcc999d366a6d0e1e053e92b4f1e63

SHA512
576320fd63a987e8c5b52139841c9f03730232f029f505a33ffc27ca4a6a16867f081d7b6ac4c97905626acd3d337eafe1256b84c046079193659dd737a1e409

Download Submit
C:\Windows\System\fCvDNHI.exe

Filesize
5.2MB

MD5
0929f96e0106a8c7a655130c628fdf3f

SHA1
f4cdae5b2917b3d63fe5d3d50688e1f2adb9f026

SHA256
e8aafca92106608ec3aab1c240aba85a73458d9d4f326b942c9ca8572b731502

SHA512
231d669e0bc2c97644f365656d2a9da24639ad4d3ac65432b7d34db0a3380fcb79aa3ba6d208458f433f73e72dae14d04ef3e898d7be6439b09090f6b524b4fc

Download Submit
C:\Windows\System\gvxyESz.exe

Filesize
5.2MB

MD5
8be19dba5f2df9273d2252ab8b5010be

SHA1
fc66602260f7db9868b3f2d36beade2511545159

SHA256
bc15c98e0f0e5a74dad5ecd8659f26421484ff4ad36bb608789961f262eaa7db

SHA512
0036db490c406200cd0391d66fe358850432c5c603a14c1d890b1637f4e42395a1d65381377508563ecbf76eac24d791fd898b6cea816087aefa824d6f96612b

Download Submit
C:\Windows\System\imZdzsb.exe

Filesize
5.2MB

MD5
e643c8e3a0d6b2915e8ab56d5818a76c

SHA1
79ca9ee8e9567c7c9a7e88040f42f85e1279edb9

SHA256
1fc19fa28c74ae2b945d1a8bdc0d68d0ed7e324fadf0a65a7c4335ae5b103779

SHA512
174216ae2daee4b11b944810a877dbd9b42a34f331b61c1820fdc0c0f0e64ccf0da8684118976d7d10d51a908708d2ef0919c4c89e6a13971d45517ed37ce63f

Download Submit
C:\Windows\System\khYCkEH.exe

Filesize
5.2MB

MD5
3ac6f3f034a3ac397a0ae98899047428

SHA1
4d96685d547e3adf295be988bb70469d9bc621dd

SHA256
b00a818e77d9739598927818f598c63a4d931f73a9b37501a25814e758a38234

SHA512
4b28311bdb1187742ba100f38d9cdd5e6e7f34ae52564eb39be0128d16137d7c15f59d051418045ed23ecfbe0e3f3ac9f350f5adfbec0b5cdfd14305ab89986c

Download Submit
C:\Windows\System\mSnyxKh.exe

Filesize
5.2MB

MD5
fedf99c0572338485eb80afba4acb583

SHA1
2d462b8ad4cf4a94d804de00a903590a6d141153

SHA256
c417261e99aa21db6c6e13b097c2ebf68fbed5f313cf9efd2f424f838be71f77

SHA512
4eb3e0a2392304f2398559b339b2d182299549d9a0c88af20b9b35e47aafe1684a930dd8a7a007f21d9e1f4fb7fad38dd187ff04b1205dc018c682b1733fe777

Download Submit
C:\Windows\System\okBAcAk.exe

Filesize
5.2MB

MD5
875fe00232e8b7c7bebcfdf0f37b25d2

SHA1
c32ba0e0c4904d081047b19fe6dd89a120c6004e

SHA256
23614f31daaf449c60a3a03b78d47976e98cbd67c8548f2800a0af57344d7bf9

SHA512
2fa69cd88f404e77c9230c07303e641d5d9f4f2627a04bfaeb7658dfb4374bf820d65ba68fd7878b6459340fd7e27f224d7949961fd0024c5218ef53401f24b5

Download Submit
C:\Windows\System\rIeBVHG.exe

Filesize
5.2MB

MD5
e8aea9111fd5f0138ad10636c1cef6cf

SHA1
89c007c9023148b96ced7112b6ba0918663cac0b

SHA256
13574dd1da41e3d4e2e84e1bf405ed5d0aa52a40230e39839d3b0c0ab45e2bb2

SHA512
df7482f70f7274e320a82ebd830c0b50a378ac869bcbe7131b901405a23a993da2f41d4aac5c0c18202b946d938732e996ffbff49177dae429961cbf49a18c91

Download Submit
C:\Windows\System\rJVZgNy.exe

Filesize
5.2MB

MD5
34f7e3af936acdea2137ed3231534984

SHA1
f177c99634739c53d4f66cb68a1041cfb3d62884

SHA256
70621d0ce56e4923ad77e2a63672ac85c4239434a5e02804d1e3c6a2bac28f53

SHA512
799ab520908106818f6199f42a1a65d358e69219c248426165f3cc383c43ebe22264c19c88c9a73ca11ec7bce2607d550faebef485d98ad1e9adeeb5fa889043

Download Submit
C:\Windows\System\rNBqmqr.exe

Filesize
5.2MB

MD5
c3241a5dab76d439b9b771e2082bd8a6

SHA1
41748e0c1c6707d2e3027de8d4c57b1d4d165bfc

SHA256
eee143083e8f3e5d81092307123421f69f2c9a3d41f8c2904edf7f44889d45bc

SHA512
489dbf304c9df1a517843b9a7382ca5a3ae25380a19f9b5742a99eaf522311b62a4424f9649844073e0d4b923af8db39e78f35ac7881ea2aab772517445b7db4

Download Submit
C:\Windows\System\znvSCyS.exe

Filesize
5.2MB

MD5
56a877beac3daf54de2e5e7b6fce1da6

SHA1
c7774a5e55799423d0bee3ab7424800fcf2c208b

SHA256
550a5cfd9dc0a5b3d91e507fbbd5c0c07074c1e61d7ea5d80c1b672506cc05bd

SHA512
16171062f2912cea70f96725105986bab83c665bc5714300d59f0d8c8e12521d17017cd18dd0ee45038045c441a67e1a073cc5ebeff563b74f2201f15540c189

Download Submit
memory/236-32-0x00007FF7DE7A0000-0x00007FF7DEAF1000-memory.dmp

Filesize
3.3MB

Download
memory/236-234-0x00007FF7DE7A0000-0x00007FF7DEAF1000-memory.dmp

Filesize
3.3MB

Download
memory/236-118-0x00007FF7DE7A0000-0x00007FF7DEAF1000-memory.dmp

Filesize
3.3MB

Download
memory/356-124-0x00007FF665260000-0x00007FF6655B1000-memory.dmp

Filesize
3.3MB

Download
memory/356-269-0x00007FF665260000-0x00007FF6655B1000-memory.dmp

Filesize
3.3MB

Download
memory/876-241-0x00007FF7290F0000-0x00007FF729441000-memory.dmp

Filesize
3.3MB

Download
memory/876-138-0x00007FF7290F0000-0x00007FF729441000-memory.dmp

Filesize
3.3MB

Download
memory/876-61-0x00007FF7290F0000-0x00007FF729441000-memory.dmp

Filesize
3.3MB

Download
memory/1444-220-0x00007FF735B90000-0x00007FF735EE1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-94-0x00007FF735B90000-0x00007FF735EE1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-14-0x00007FF735B90000-0x00007FF735EE1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-242-0x00007FF78FA80000-0x00007FF78FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-72-0x00007FF78FA80000-0x00007FF78FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-267-0x00007FF7AA530000-0x00007FF7AA881000-memory.dmp

Filesize
3.3MB

Download
memory/1840-116-0x00007FF7AA530000-0x00007FF7AA881000-memory.dmp

Filesize
3.3MB

Download
memory/2092-73-0x00007FF7DF410000-0x00007FF7DF761000-memory.dmp

Filesize
3.3MB

Download
memory/2092-247-0x00007FF7DF410000-0x00007FF7DF761000-memory.dmp

Filesize
3.3MB

Download
memory/2108-239-0x00007FF6F1770000-0x00007FF6F1AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-65-0x00007FF6F1770000-0x00007FF6F1AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-222-0x00007FF6185A0000-0x00007FF6188F1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-99-0x00007FF6185A0000-0x00007FF6188F1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-18-0x00007FF6185A0000-0x00007FF6188F1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-168-0x00007FF703FB0000-0x00007FF704301000-memory.dmp

Filesize
3.3MB

Download
memory/2520-1-0x000002EFF0530000-0x000002EFF0540000-memory.dmp

Filesize
64KB

Download
memory/2520-133-0x00007FF703FB0000-0x00007FF704301000-memory.dmp

Filesize
3.3MB

Download
memory/2520-79-0x00007FF703FB0000-0x00007FF704301000-memory.dmp

Filesize
3.3MB

Download
memory/2520-0-0x00007FF703FB0000-0x00007FF704301000-memory.dmp

Filesize
3.3MB

Download
memory/2520-280-0x00007FF703FB0000-0x00007FF704301000-memory.dmp

Filesize
3.3MB

Download
memory/2832-248-0x00007FF73B940000-0x00007FF73BC91000-memory.dmp

Filesize
3.3MB

Download
memory/2832-66-0x00007FF73B940000-0x00007FF73BC91000-memory.dmp

Filesize
3.3MB

Download
memory/2920-167-0x00007FF762380000-0x00007FF7626D1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-276-0x00007FF762380000-0x00007FF7626D1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-123-0x00007FF762380000-0x00007FF7626D1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-141-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-245-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-69-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-38-0x00007FF7D4520000-0x00007FF7D4871000-memory.dmp

Filesize
3.3MB

Download
memory/3592-236-0x00007FF7D4520000-0x00007FF7D4871000-memory.dmp

Filesize
3.3MB

Download
memory/3592-132-0x00007FF7D4520000-0x00007FF7D4871000-memory.dmp

Filesize
3.3MB

Download
memory/3868-156-0x00007FF7DD670000-0x00007FF7DD9C1000-memory.dmp

Filesize
3.3MB

Download
memory/3868-255-0x00007FF7DD670000-0x00007FF7DD9C1000-memory.dmp

Filesize
3.3MB

Download
memory/3868-86-0x00007FF7DD670000-0x00007FF7DD9C1000-memory.dmp

Filesize
3.3MB

Download
memory/3884-82-0x00007FF665B90000-0x00007FF665EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3884-150-0x00007FF665B90000-0x00007FF665EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3884-253-0x00007FF665B90000-0x00007FF665EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-271-0x00007FF66D940000-0x00007FF66DC91000-memory.dmp

Filesize
3.3MB

Download
memory/4220-139-0x00007FF66D940000-0x00007FF66DC91000-memory.dmp

Filesize
3.3MB

Download
memory/4400-25-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4400-110-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4400-232-0x00007FF682B60000-0x00007FF682EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4660-263-0x00007FF7B3B60000-0x00007FF7B3EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4660-97-0x00007FF7B3B60000-0x00007FF7B3EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-265-0x00007FF6BA190000-0x00007FF6BA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-160-0x00007FF6BA190000-0x00007FF6BA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-107-0x00007FF6BA190000-0x00007FF6BA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4960-275-0x00007FF7E6AF0000-0x00007FF7E6E41000-memory.dmp

Filesize
3.3MB

Download
memory/4960-140-0x00007FF7E6AF0000-0x00007FF7E6E41000-memory.dmp

Filesize
3.3MB

Download
memory/5036-85-0x00007FF6F4BD0000-0x00007FF6F4F21000-memory.dmp

Filesize
3.3MB

Download
memory/5036-7-0x00007FF6F4BD0000-0x00007FF6F4F21000-memory.dmp

Filesize
3.3MB

Download
memory/5036-218-0x00007FF6F4BD0000-0x00007FF6F4F21000-memory.dmp

Filesize
3.3MB

Download