cobaltstrike | 783161abb0cd5a55fc64cd158073fe5c654804aee5509552bed6e859525bb6a5

Resubmissions

20-10-2024 19:07

241020-xsskxaxakn 10

16-09-2024 21:47

240916-1nhrpa1fpr 10

16-09-2024 21:33

240916-1ejyds1bqk 10

Analysis

max time kernel
135s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38a6bcbd35708a03a4bd104b84264b8b.exe
Size

5.2MB
MD5

38a6bcbd35708a03a4bd104b84264b8b
SHA1

30777981ea899ab92e5c2a06e378ae3be19ebde7
SHA256

783161abb0cd5a55fc64cd158073fe5c654804aee5509552bed6e859525bb6a5
SHA512

fc1585cd1aa1412ad4525aaf9d6fda9c95e18c7bdc1cdf1e01b4d446fc8677dedb65a982f5d8ffb87b618b229b41850462b4fec8ebe8cde697e6b463a496c536
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lP:RWWBibf56utgpPFotBER/mQ32lUL

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c1f-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-59.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cac-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-76.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2160-46-0x00007FF766750000-0x00007FF766AA1000-memory.dmp	xmrig
behavioral2/memory/4760-66-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp	xmrig
behavioral2/memory/4344-73-0x00007FF7DEA10000-0x00007FF7DED61000-memory.dmp	xmrig
behavioral2/memory/2068-51-0x00007FF609A50000-0x00007FF609DA1000-memory.dmp	xmrig
behavioral2/memory/2044-121-0x00007FF7B83C0000-0x00007FF7B8711000-memory.dmp	xmrig
behavioral2/memory/4708-122-0x00007FF777C00000-0x00007FF777F51000-memory.dmp	xmrig
behavioral2/memory/2392-124-0x00007FF6199E0000-0x00007FF619D31000-memory.dmp	xmrig
behavioral2/memory/2712-125-0x00007FF7E8360000-0x00007FF7E86B1000-memory.dmp	xmrig
behavioral2/memory/3432-127-0x00007FF7351C0000-0x00007FF735511000-memory.dmp	xmrig
behavioral2/memory/3652-129-0x00007FF7AC600000-0x00007FF7AC951000-memory.dmp	xmrig
behavioral2/memory/3936-130-0x00007FF6CC9E0000-0x00007FF6CCD31000-memory.dmp	xmrig
behavioral2/memory/4356-128-0x00007FF762880000-0x00007FF762BD1000-memory.dmp	xmrig
behavioral2/memory/1564-126-0x00007FF7222B0000-0x00007FF722601000-memory.dmp	xmrig
behavioral2/memory/2252-123-0x00007FF694630000-0x00007FF694981000-memory.dmp	xmrig
behavioral2/memory/4760-131-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp	xmrig
behavioral2/memory/3052-132-0x00007FF6C4960000-0x00007FF6C4CB1000-memory.dmp	xmrig
behavioral2/memory/1532-136-0x00007FF7B9A90000-0x00007FF7B9DE1000-memory.dmp	xmrig
behavioral2/memory/516-141-0x00007FF6A4C40000-0x00007FF6A4F91000-memory.dmp	xmrig
behavioral2/memory/1920-143-0x00007FF77B580000-0x00007FF77B8D1000-memory.dmp	xmrig
behavioral2/memory/2376-142-0x00007FF70A4F0000-0x00007FF70A841000-memory.dmp	xmrig
behavioral2/memory/3272-140-0x00007FF6ECB00000-0x00007FF6ECE51000-memory.dmp	xmrig
behavioral2/memory/1068-137-0x00007FF6A0360000-0x00007FF6A06B1000-memory.dmp	xmrig
behavioral2/memory/5012-144-0x00007FF74F390000-0x00007FF74F6E1000-memory.dmp	xmrig
behavioral2/memory/4760-154-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp	xmrig
behavioral2/memory/4344-222-0x00007FF7DEA10000-0x00007FF7DED61000-memory.dmp	xmrig
behavioral2/memory/3652-224-0x00007FF7AC600000-0x00007FF7AC951000-memory.dmp	xmrig
behavioral2/memory/3052-226-0x00007FF6C4960000-0x00007FF6C4CB1000-memory.dmp	xmrig
behavioral2/memory/1068-228-0x00007FF6A0360000-0x00007FF6A06B1000-memory.dmp	xmrig
behavioral2/memory/1532-230-0x00007FF7B9A90000-0x00007FF7B9DE1000-memory.dmp	xmrig
behavioral2/memory/2160-232-0x00007FF766750000-0x00007FF766AA1000-memory.dmp	xmrig
behavioral2/memory/2068-243-0x00007FF609A50000-0x00007FF609DA1000-memory.dmp	xmrig
behavioral2/memory/3272-245-0x00007FF6ECB00000-0x00007FF6ECE51000-memory.dmp	xmrig
behavioral2/memory/516-247-0x00007FF6A4C40000-0x00007FF6A4F91000-memory.dmp	xmrig
behavioral2/memory/2376-249-0x00007FF70A4F0000-0x00007FF70A841000-memory.dmp	xmrig
behavioral2/memory/2044-257-0x00007FF7B83C0000-0x00007FF7B8711000-memory.dmp	xmrig
behavioral2/memory/1920-255-0x00007FF77B580000-0x00007FF77B8D1000-memory.dmp	xmrig
behavioral2/memory/3936-252-0x00007FF6CC9E0000-0x00007FF6CCD31000-memory.dmp	xmrig
behavioral2/memory/5012-253-0x00007FF74F390000-0x00007FF74F6E1000-memory.dmp	xmrig
behavioral2/memory/4708-263-0x00007FF777C00000-0x00007FF777F51000-memory.dmp	xmrig
behavioral2/memory/2252-266-0x00007FF694630000-0x00007FF694981000-memory.dmp	xmrig
behavioral2/memory/2712-270-0x00007FF7E8360000-0x00007FF7E86B1000-memory.dmp	xmrig
behavioral2/memory/1564-269-0x00007FF7222B0000-0x00007FF722601000-memory.dmp	xmrig
behavioral2/memory/3432-272-0x00007FF7351C0000-0x00007FF735511000-memory.dmp	xmrig
behavioral2/memory/2392-265-0x00007FF6199E0000-0x00007FF619D31000-memory.dmp	xmrig
behavioral2/memory/4356-274-0x00007FF762880000-0x00007FF762BD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4344	GoqfIak.exe
3652	sudpDrx.exe
3052	eRdzhko.exe
1532	VmYkLFS.exe
1068	OiKhOWb.exe
2160	EwVZFdx.exe
2068	vbwkiip.exe
3272	gEncUgh.exe
516	pKWvgSH.exe
2376	vWjxGFi.exe
1920	aLdlcPm.exe
5012	DmQZQKJ.exe
3936	HcwRheL.exe
2044	nYvzZXp.exe
4708	INvMtab.exe
2252	VxHRhQj.exe
2392	cCLyxVb.exe
2712	dYmlgpL.exe
1564	vnrqFwC.exe
3432	svETEOx.exe
4356	OjWKRVD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4760-0-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp	upx
behavioral2/files/0x000a000000023c1f-5.dat	upx
behavioral2/memory/4344-6-0x00007FF7DEA10000-0x00007FF7DED61000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-9.dat	upx
behavioral2/files/0x0007000000023caf-11.dat	upx
behavioral2/files/0x0007000000023cb1-23.dat	upx
behavioral2/files/0x0007000000023cb2-28.dat	upx
behavioral2/files/0x0007000000023cb3-35.dat	upx
behavioral2/files/0x0007000000023cb4-41.dat	upx
behavioral2/files/0x0007000000023cb5-45.dat	upx
behavioral2/memory/2160-46-0x00007FF766750000-0x00007FF766AA1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-55.dat	upx
behavioral2/files/0x0007000000023cb7-59.dat	upx
behavioral2/memory/4760-66-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp	upx
behavioral2/files/0x0008000000023cac-70.dat	upx
behavioral2/files/0x0007000000023cba-86.dat	upx
behavioral2/files/0x0007000000023cbc-93.dat	upx
behavioral2/files/0x0007000000023cbd-99.dat	upx
behavioral2/files/0x0007000000023cbf-109.dat	upx
behavioral2/files/0x0007000000023cc0-114.dat	upx
behavioral2/files/0x0007000000023cc1-118.dat	upx
behavioral2/files/0x0007000000023cbe-104.dat	upx
behavioral2/files/0x0007000000023cbb-91.dat	upx
behavioral2/files/0x0007000000023cb9-81.dat	upx
behavioral2/files/0x0007000000023cb8-76.dat	upx
behavioral2/memory/4344-73-0x00007FF7DEA10000-0x00007FF7DED61000-memory.dmp	upx
behavioral2/memory/1920-69-0x00007FF77B580000-0x00007FF77B8D1000-memory.dmp	upx
behavioral2/memory/2376-60-0x00007FF70A4F0000-0x00007FF70A841000-memory.dmp	upx
behavioral2/memory/516-54-0x00007FF6A4C40000-0x00007FF6A4F91000-memory.dmp	upx
behavioral2/memory/2068-51-0x00007FF609A50000-0x00007FF609DA1000-memory.dmp	upx
behavioral2/memory/3272-47-0x00007FF6ECB00000-0x00007FF6ECE51000-memory.dmp	upx
behavioral2/memory/1068-36-0x00007FF6A0360000-0x00007FF6A06B1000-memory.dmp	upx
behavioral2/memory/1532-27-0x00007FF7B9A90000-0x00007FF7B9DE1000-memory.dmp	upx
behavioral2/memory/3052-18-0x00007FF6C4960000-0x00007FF6C4CB1000-memory.dmp	upx
behavioral2/memory/3652-12-0x00007FF7AC600000-0x00007FF7AC951000-memory.dmp	upx
behavioral2/memory/5012-120-0x00007FF74F390000-0x00007FF74F6E1000-memory.dmp	upx
behavioral2/memory/2044-121-0x00007FF7B83C0000-0x00007FF7B8711000-memory.dmp	upx
behavioral2/memory/4708-122-0x00007FF777C00000-0x00007FF777F51000-memory.dmp	upx
behavioral2/memory/2392-124-0x00007FF6199E0000-0x00007FF619D31000-memory.dmp	upx
behavioral2/memory/2712-125-0x00007FF7E8360000-0x00007FF7E86B1000-memory.dmp	upx
behavioral2/memory/3432-127-0x00007FF7351C0000-0x00007FF735511000-memory.dmp	upx
behavioral2/memory/3652-129-0x00007FF7AC600000-0x00007FF7AC951000-memory.dmp	upx
behavioral2/memory/3936-130-0x00007FF6CC9E0000-0x00007FF6CCD31000-memory.dmp	upx
behavioral2/memory/4356-128-0x00007FF762880000-0x00007FF762BD1000-memory.dmp	upx
behavioral2/memory/1564-126-0x00007FF7222B0000-0x00007FF722601000-memory.dmp	upx
behavioral2/memory/2252-123-0x00007FF694630000-0x00007FF694981000-memory.dmp	upx
behavioral2/memory/4760-131-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp	upx
behavioral2/memory/3052-132-0x00007FF6C4960000-0x00007FF6C4CB1000-memory.dmp	upx
behavioral2/memory/1532-136-0x00007FF7B9A90000-0x00007FF7B9DE1000-memory.dmp	upx
behavioral2/memory/516-141-0x00007FF6A4C40000-0x00007FF6A4F91000-memory.dmp	upx
behavioral2/memory/1920-143-0x00007FF77B580000-0x00007FF77B8D1000-memory.dmp	upx
behavioral2/memory/2376-142-0x00007FF70A4F0000-0x00007FF70A841000-memory.dmp	upx
behavioral2/memory/3272-140-0x00007FF6ECB00000-0x00007FF6ECE51000-memory.dmp	upx
behavioral2/memory/1068-137-0x00007FF6A0360000-0x00007FF6A06B1000-memory.dmp	upx
behavioral2/memory/5012-144-0x00007FF74F390000-0x00007FF74F6E1000-memory.dmp	upx
behavioral2/memory/4760-154-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp	upx
behavioral2/memory/4344-222-0x00007FF7DEA10000-0x00007FF7DED61000-memory.dmp	upx
behavioral2/memory/3652-224-0x00007FF7AC600000-0x00007FF7AC951000-memory.dmp	upx
behavioral2/memory/3052-226-0x00007FF6C4960000-0x00007FF6C4CB1000-memory.dmp	upx
behavioral2/memory/1068-228-0x00007FF6A0360000-0x00007FF6A06B1000-memory.dmp	upx
behavioral2/memory/1532-230-0x00007FF7B9A90000-0x00007FF7B9DE1000-memory.dmp	upx
behavioral2/memory/2160-232-0x00007FF766750000-0x00007FF766AA1000-memory.dmp	upx
behavioral2/memory/2068-243-0x00007FF609A50000-0x00007FF609DA1000-memory.dmp	upx
behavioral2/memory/3272-245-0x00007FF6ECB00000-0x00007FF6ECE51000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\GoqfIak.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\aLdlcPm.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\nYvzZXp.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\cCLyxVb.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\sudpDrx.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\pKWvgSH.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\vWjxGFi.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\INvMtab.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\VxHRhQj.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\eRdzhko.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\VmYkLFS.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\EwVZFdx.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\dYmlgpL.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\svETEOx.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\OjWKRVD.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\OiKhOWb.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\vbwkiip.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\gEncUgh.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\DmQZQKJ.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\HcwRheL.exe	38a6bcbd35708a03a4bd104b84264b8b.exe
File created	C:\Windows\System\vnrqFwC.exe	38a6bcbd35708a03a4bd104b84264b8b.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4760	38a6bcbd35708a03a4bd104b84264b8b.exe
Token: SeLockMemoryPrivilege	4760	38a6bcbd35708a03a4bd104b84264b8b.exe
Token: SeDebugPrivilege	1464	taskmgr.exe
Token: SeSystemProfilePrivilege	1464	taskmgr.exe
Token: SeCreateGlobalPrivilege	1464	taskmgr.exe
Token: 33	1464	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1464	taskmgr.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe
1464	taskmgr.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4344	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	85
PID 4760 wrote to memory of 4344	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	85
PID 4760 wrote to memory of 3652	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	86
PID 4760 wrote to memory of 3652	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	86
PID 4760 wrote to memory of 3052	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	87
PID 4760 wrote to memory of 3052	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	87
PID 4760 wrote to memory of 1532	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	88
PID 4760 wrote to memory of 1532	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	88
PID 4760 wrote to memory of 1068	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	89
PID 4760 wrote to memory of 1068	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	89
PID 4760 wrote to memory of 2160	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	90
PID 4760 wrote to memory of 2160	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	90
PID 4760 wrote to memory of 2068	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	91
PID 4760 wrote to memory of 2068	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	91
PID 4760 wrote to memory of 3272	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	92
PID 4760 wrote to memory of 3272	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	92
PID 4760 wrote to memory of 516	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	93
PID 4760 wrote to memory of 516	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	93
PID 4760 wrote to memory of 2376	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	94
PID 4760 wrote to memory of 2376	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	94
PID 4760 wrote to memory of 1920	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	95
PID 4760 wrote to memory of 1920	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	95
PID 4760 wrote to memory of 5012	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	96
PID 4760 wrote to memory of 5012	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	96
PID 4760 wrote to memory of 3936	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	97
PID 4760 wrote to memory of 3936	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	97
PID 4760 wrote to memory of 2044	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	98
PID 4760 wrote to memory of 2044	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	98
PID 4760 wrote to memory of 4708	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	99
PID 4760 wrote to memory of 4708	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	99
PID 4760 wrote to memory of 2252	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	100
PID 4760 wrote to memory of 2252	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	100
PID 4760 wrote to memory of 2392	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	101
PID 4760 wrote to memory of 2392	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	101
PID 4760 wrote to memory of 2712	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	102
PID 4760 wrote to memory of 2712	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	102
PID 4760 wrote to memory of 1564	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	103
PID 4760 wrote to memory of 1564	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	103
PID 4760 wrote to memory of 3432	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	104
PID 4760 wrote to memory of 3432	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	104
PID 4760 wrote to memory of 4356	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	105
PID 4760 wrote to memory of 4356	4760	38a6bcbd35708a03a4bd104b84264b8b.exe	105

C:\Users\Admin\AppData\Local\Temp\38a6bcbd35708a03a4bd104b84264b8b.exe
"C:\Users\Admin\AppData\Local\Temp\38a6bcbd35708a03a4bd104b84264b8b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\System\GoqfIak.exe
  C:\Windows\System\GoqfIak.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\sudpDrx.exe
  C:\Windows\System\sudpDrx.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\eRdzhko.exe
  C:\Windows\System\eRdzhko.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\VmYkLFS.exe
  C:\Windows\System\VmYkLFS.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\OiKhOWb.exe
  C:\Windows\System\OiKhOWb.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\EwVZFdx.exe
  C:\Windows\System\EwVZFdx.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\vbwkiip.exe
  C:\Windows\System\vbwkiip.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\gEncUgh.exe
  C:\Windows\System\gEncUgh.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\pKWvgSH.exe
  C:\Windows\System\pKWvgSH.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System\vWjxGFi.exe
  C:\Windows\System\vWjxGFi.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\aLdlcPm.exe
  C:\Windows\System\aLdlcPm.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\DmQZQKJ.exe
  C:\Windows\System\DmQZQKJ.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\HcwRheL.exe
  C:\Windows\System\HcwRheL.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\nYvzZXp.exe
  C:\Windows\System\nYvzZXp.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\INvMtab.exe
  C:\Windows\System\INvMtab.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\VxHRhQj.exe
  C:\Windows\System\VxHRhQj.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\cCLyxVb.exe
  C:\Windows\System\cCLyxVb.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\dYmlgpL.exe
  C:\Windows\System\dYmlgpL.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\vnrqFwC.exe
  C:\Windows\System\vnrqFwC.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\svETEOx.exe
  C:\Windows\System\svETEOx.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System\OjWKRVD.exe
  C:\Windows\System\OjWKRVD.exe
  2⤵
  - Executes dropped EXE
  PID:4356

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DmQZQKJ.exe

Filesize
5.2MB

MD5
d6888c6aa1ba7e220b3ee4422b4fd3ca

SHA1
7af097c3a00c8338cc9ce65dc053a947a11427a1

SHA256
959646c74c77bb487dd5726ad0e1d621fd50817430683beb519257f08f3ab341

SHA512
317daac036f5d69ca012b937876cbafda8f0a7507925e0d0b2c786b3d22da19c35d9cfbdc096840ac5152bf80ae555d839df6e310a2da8b86e445e6b70626838

Download Submit
C:\Windows\System\EwVZFdx.exe

Filesize
5.2MB

MD5
ad74731de56a5bbf2073d6d541843a24

SHA1
17f470330c2a884b5bcc15bd444603bbe3f7181d

SHA256
8cb8b2008e6ff3c9ba803d0687f30d7d209b70eae65b2c9ba7345bc0d677f417

SHA512
5438ed772022b1e16e3595410926edd4afa89719df25fa06f54ff1b3037a96217669c054dd2bf4ad98e6a4117c0455373c01607973d1f4dbd071ce138dcc5947

Download Submit
C:\Windows\System\GoqfIak.exe

Filesize
5.2MB

MD5
d4f50eff1c51c089c4d9842d9bce5d93

SHA1
26679121b2ebb5a216b9fd703e9729b9a64bbc0e

SHA256
4641aea94c88b7efaed0a9357ea8c89a3e5063489f3e47e7c98494e6c50ce3df

SHA512
992740d3eeac732e3a11785fea0355f96d33e5f297161fe2bde1d2365cba1f647d8d27961fabaf0ee9d8c3f806817e2d9bc41156b820e7a4e421a1ff430630b3

Download Submit
C:\Windows\System\HcwRheL.exe

Filesize
5.2MB

MD5
2c69d7217d5e84fca6683a7cbdc29828

SHA1
d25121b47b7475082c04997148c7f326cad07dd1

SHA256
c3d4fb9464d72d365c3c92072a2a8d70c998e6e5bc34cbbe04686787173f4c40

SHA512
68c31396b417606576c04e665e313da61ed6c4f60987d971cb32da5b90a327c1548ecaeb5241096dc4bc4bee2d76fad41be7a959daf6d0590459e904bc4c89a2

Download Submit
C:\Windows\System\INvMtab.exe

Filesize
5.2MB

MD5
ec99a202bfccf76b6ed15222c818facc

SHA1
fac08fe2df1b849b1931226acf4fcc3a502ca393

SHA256
d1bb4b0e814b060dae89b8f8f05084e0a297dac9d01566498ef6697bc0a8f592

SHA512
4c63c92037ddd74e92bed35d53db8fc457b967b4d7cff27bb8d17efb9f82bbe069aa3bd8b933ad253cc9347c73781ec4400c10ae72358df8cb9b55d3782b5f43

Download Submit
C:\Windows\System\OiKhOWb.exe

Filesize
5.2MB

MD5
1b97008cfd2dd1d973a48117276a28c3

SHA1
64ac06119df7b01a72ec453f2aef8504e621289a

SHA256
4f991db6bc03575d48db0ea9d5a4e635d0793ccc4899fa591095333ed07bb5e2

SHA512
2f72ee6c5aaa22d38a0ab84b188f934ecb97320c06dc7469825b73a01c5617904b953460d4bd7e9515e155ee880761def1455da8961a8bdceb975f0019b72467

Download Submit
C:\Windows\System\OjWKRVD.exe

Filesize
5.2MB

MD5
673384ef7a99341a37703e47d1609eb5

SHA1
4b24d1058e1e8358f85d7e067ca4aee27461bae5

SHA256
a1d7da892a43b3813522de2ce8375949bfc781564077abdedc26bae25ef5767c

SHA512
fdf4dccc196d2838f5a50119ab9fc0d7dd59a6153774d74ee306a28beba0fa78c9ebe84430ce551813437d5d7be6e1ed1437e1b972a3109f57a4f4770d7c0645

Download Submit
C:\Windows\System\VmYkLFS.exe

Filesize
5.2MB

MD5
01c11f5413caa39a8d89b922e7ef3123

SHA1
bb5f030a8d13e3c08cc4f4bbe4dbcf1fb35bd8eb

SHA256
5a061577f8db2367401cffda094b6c2397ef22621ed09094c279acaf66d90c0d

SHA512
bd60b301a6aeb5b33f8f832d11be44a5c5a4eebc74a4fd7e24320414e3b7b668a1d6028c51b8274f5e968c3b43f029053546e176bcb23c6356110becfb457eef

Download Submit
C:\Windows\System\VxHRhQj.exe

Filesize
5.2MB

MD5
379cec223d15bc01f29989d5e14d30e9

SHA1
7010dcfc89e4dae66bfbbbb902433426e9acab18

SHA256
05c61c106addfa843496ce279a8183e1ad80b8ffefca05c8b012018ab9d31e03

SHA512
f22ff842177fbc42fe4b54ff76cbcb067332e21deef98ddf1d3fa7d765178a03e22707eb30916f3f73ade96594e514d03e5fa81ac8da0e1dcaa6606f88b1c6a9

Download Submit
C:\Windows\System\aLdlcPm.exe

Filesize
5.2MB

MD5
c030514b9d22641af4957a7c28e30ddf

SHA1
d3ff4d6c0654d2c75a20f2523125e2f87350d022

SHA256
cf0d57b5f31e80767e17051b7a147614a4b6540be956326beca3a6595c6ea6ae

SHA512
9d68fe68e1adca9da34b5415354de6f69c7edabe58ca18dacec5887c04578ba6f49921c0aafc5f85518911aaaab22bdcb440c21b9cb9fc6bcc2b252589c5b6f1

Download Submit
C:\Windows\System\cCLyxVb.exe

Filesize
5.2MB

MD5
677c557ae39a67bacb3ec16e0e52f1a9

SHA1
162853aed715898e554a95987ad507f989e21157

SHA256
8a6a19d5bf964395bbd888273596e3b4b641ee0e13f4f213501e97c324b84e45

SHA512
b1b787f49287b37b864e3f0ac64685e0bf5f782a02a020a85bb56324346c17d438f78c15dc9c56da3f356947afd2ee3a8caddfeb63aa9d1f829a8f7f5110eaf9

Download Submit
C:\Windows\System\dYmlgpL.exe

Filesize
5.2MB

MD5
69b5ae0307155adbda55b48e3a47df05

SHA1
c2a555b93a9fda41d014086a37d7e61e2149cfd8

SHA256
8fe5bf800fc061e79cb60f7188a1552fc74aad46ad2601026f2eded279ded16a

SHA512
8390c4f6a03d86b9d38ce5e7de6cf63efd49e33846659cce737490b0274e28dd18b2e1ecae61b4f2c6f9da0d0a609ad10d399743b47e855bf4714265d48c26bd

Download Submit
C:\Windows\System\eRdzhko.exe

Filesize
5.2MB

MD5
6b80a5d8b6ed3b42e8e1f793ada1b7e6

SHA1
5653520ee0dbc907d332e21d94b00daf3a2f532a

SHA256
927edc74e756927674bf84820b8bf83101dcfbdd06aceefa8874e88ed836f108

SHA512
f5ecee5ad20550d61f559934100d52ff800e2ce65128cd503d2438b3de589d35ed58767e4498fc8096062c8e9b8374bd4b766ce2aaa4ef0080b69385646b9a0a

Download Submit
C:\Windows\System\gEncUgh.exe

Filesize
5.2MB

MD5
195b2ed219cdf512e46163739bb045ae

SHA1
f9087dd2a11930313a39e9d360c971a1cfecd4bc

SHA256
c0466e96baea75cc98ca7e926ac3a6f876b5ca658adef4c611b90ca3bad6a7e3

SHA512
f5bd2ca2be66b0835c31521271eb1adf90648e317b727519cbfb7dcb3b3c91c8794e908bd8c18ed19b6b7f57fad65dae8872e98d76136caaf9553c4cd845886e

Download Submit
C:\Windows\System\nYvzZXp.exe

Filesize
5.2MB

MD5
e90724984fc9ca2c651b5180c0efede2

SHA1
8765ac3c4f810cd22288f4550b5242d41cf09950

SHA256
e6d6edd2bb456280b8f64d6c643e7016417938546a91ee3b5a8d318486c90ca2

SHA512
0cb85f422f03936319e6b1fa849317ef6f910a94940b512c49c8301bf72e6694c8366a5b135d83191df886acedd48aea57a4ceaff862a94e56814cfcd7493fce

Download Submit
C:\Windows\System\pKWvgSH.exe

Filesize
5.2MB

MD5
014aad343a241d46c0a70d2fa1714126

SHA1
96a89084926081f1503b853c06a6a18695381213

SHA256
2dfcc356ceb86602550eb686e5e932d6b0c5410f6b00e768f687fd7babf5200a

SHA512
bacffb2e02f510852710967a92914d87c72af5a822296dbf4de6707604e4e665423125d33eb75273a0fddb1f15735a95540d3936059caa8a39f25d78203ff202

Download Submit
C:\Windows\System\sudpDrx.exe

Filesize
5.2MB

MD5
85abeeeebcbb927941e019c734635824

SHA1
ed422feed47d3f6b3a05e82b596abeac8aae25ca

SHA256
2d8620dcdf6ddd2adf2c6a7c5b3f84edb34380a38fbfa98929c2718792ce6a4e

SHA512
fea1e037bccb0de8ac721dfe25e641bc7c588df03b474085c823a3bed443fdf52d2604d11f0ff003de39fd69adbe446b1febbac636a32d760f029ca41bd0dd93

Download Submit
C:\Windows\System\svETEOx.exe

Filesize
5.2MB

MD5
d4cf2531a310e38c6b61b8533e770b92

SHA1
afa710adef5c3025f8d2535c11021f3de6de0b00

SHA256
5d4017e3b11195f28ea0870f4a1a8dba8fffeeea6789122797d595c2664e167f

SHA512
e623efabd108d8dbda9bb28839b80ec78c004081b1a59afde5f5cc8589bba18fccd432e60bb313479fc6b2e94d11ff0442f386a313a471f1241a0a349131859c

Download Submit
C:\Windows\System\vWjxGFi.exe

Filesize
5.2MB

MD5
b70d7f9ca70683de0455614aa85e0681

SHA1
8133a56d332b5ee6930a6c0ac2b5d1e4f6464034

SHA256
1b24f05842163d8f35c5e4712212fb6e996df00380ec81263e38e532da17b669

SHA512
fc1734d381c15a6b13755c3d1c14c1c34cbab308737db1f83f2f8dae19e30f13591be5ea4ffe98a5e89d3f0bf08d7317cd7e91305e62625693372a232068f0ae

Download Submit
C:\Windows\System\vbwkiip.exe

Filesize
5.2MB

MD5
9be512db0267ce1a116481bb634d5100

SHA1
0c4521b6599cd574ace9bd2a55815e5affb86f62

SHA256
0ddbb6d7130e038ca55ada58185b40db43a66d9b007cab37644174fc2ac1e855

SHA512
40cdbee58d73e3ea97d64b0fb1f3d1c388800d2e62b0ee177623643662eb6e3bb9a78390d65de2291a6deeed9d688fa4d7533f3419d7ef3d746d7132eb78e3c9

Download Submit
C:\Windows\System\vnrqFwC.exe

Filesize
5.2MB

MD5
81ba7c5359a41dcccabf9d5636947902

SHA1
675a5af6aa193725e6fa01fa70c0e0d49c982b20

SHA256
9157b835c852ff276b674e83788c4cd034bc1801bd309ed9d9d52920227ae4fe

SHA512
944f86e17db621451c80e2eda70797628e6e5f66ba92adc75f50a4d56605f7a99a61d89010f9c999eedcbce7c1f34fcaec926c896692996747b3bb6eebff853b

Download Submit
memory/516-54-0x00007FF6A4C40000-0x00007FF6A4F91000-memory.dmp

Filesize
3.3MB

Download
memory/516-247-0x00007FF6A4C40000-0x00007FF6A4F91000-memory.dmp

Filesize
3.3MB

Download
memory/516-141-0x00007FF6A4C40000-0x00007FF6A4F91000-memory.dmp

Filesize
3.3MB

Download
memory/1068-228-0x00007FF6A0360000-0x00007FF6A06B1000-memory.dmp

Filesize
3.3MB

Download
memory/1068-137-0x00007FF6A0360000-0x00007FF6A06B1000-memory.dmp

Filesize
3.3MB

Download
memory/1068-36-0x00007FF6A0360000-0x00007FF6A06B1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-27-0x00007FF7B9A90000-0x00007FF7B9DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-136-0x00007FF7B9A90000-0x00007FF7B9DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-230-0x00007FF7B9A90000-0x00007FF7B9DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-126-0x00007FF7222B0000-0x00007FF722601000-memory.dmp

Filesize
3.3MB

Download
memory/1564-269-0x00007FF7222B0000-0x00007FF722601000-memory.dmp

Filesize
3.3MB

Download
memory/1920-143-0x00007FF77B580000-0x00007FF77B8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-69-0x00007FF77B580000-0x00007FF77B8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-255-0x00007FF77B580000-0x00007FF77B8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-257-0x00007FF7B83C0000-0x00007FF7B8711000-memory.dmp

Filesize
3.3MB

Download
memory/2044-121-0x00007FF7B83C0000-0x00007FF7B8711000-memory.dmp

Filesize
3.3MB

Download
memory/2068-51-0x00007FF609A50000-0x00007FF609DA1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-243-0x00007FF609A50000-0x00007FF609DA1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-232-0x00007FF766750000-0x00007FF766AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-46-0x00007FF766750000-0x00007FF766AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2252-266-0x00007FF694630000-0x00007FF694981000-memory.dmp

Filesize
3.3MB

Download
memory/2252-123-0x00007FF694630000-0x00007FF694981000-memory.dmp

Filesize
3.3MB

Download
memory/2376-142-0x00007FF70A4F0000-0x00007FF70A841000-memory.dmp

Filesize
3.3MB

Download
memory/2376-60-0x00007FF70A4F0000-0x00007FF70A841000-memory.dmp

Filesize
3.3MB

Download
memory/2376-249-0x00007FF70A4F0000-0x00007FF70A841000-memory.dmp

Filesize
3.3MB

Download
memory/2392-124-0x00007FF6199E0000-0x00007FF619D31000-memory.dmp

Filesize
3.3MB

Download
memory/2392-265-0x00007FF6199E0000-0x00007FF619D31000-memory.dmp

Filesize
3.3MB

Download
memory/2712-125-0x00007FF7E8360000-0x00007FF7E86B1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-270-0x00007FF7E8360000-0x00007FF7E86B1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-226-0x00007FF6C4960000-0x00007FF6C4CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-18-0x00007FF6C4960000-0x00007FF6C4CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-132-0x00007FF6C4960000-0x00007FF6C4CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-140-0x00007FF6ECB00000-0x00007FF6ECE51000-memory.dmp

Filesize
3.3MB

Download
memory/3272-47-0x00007FF6ECB00000-0x00007FF6ECE51000-memory.dmp

Filesize
3.3MB

Download
memory/3272-245-0x00007FF6ECB00000-0x00007FF6ECE51000-memory.dmp

Filesize
3.3MB

Download
memory/3432-127-0x00007FF7351C0000-0x00007FF735511000-memory.dmp

Filesize
3.3MB

Download
memory/3432-272-0x00007FF7351C0000-0x00007FF735511000-memory.dmp

Filesize
3.3MB

Download
memory/3652-129-0x00007FF7AC600000-0x00007FF7AC951000-memory.dmp

Filesize
3.3MB

Download
memory/3652-224-0x00007FF7AC600000-0x00007FF7AC951000-memory.dmp

Filesize
3.3MB

Download
memory/3652-12-0x00007FF7AC600000-0x00007FF7AC951000-memory.dmp

Filesize
3.3MB

Download
memory/3936-130-0x00007FF6CC9E0000-0x00007FF6CCD31000-memory.dmp

Filesize
3.3MB

Download
memory/3936-252-0x00007FF6CC9E0000-0x00007FF6CCD31000-memory.dmp

Filesize
3.3MB

Download
memory/4344-222-0x00007FF7DEA10000-0x00007FF7DED61000-memory.dmp

Filesize
3.3MB

Download
memory/4344-6-0x00007FF7DEA10000-0x00007FF7DED61000-memory.dmp

Filesize
3.3MB

Download
memory/4344-73-0x00007FF7DEA10000-0x00007FF7DED61000-memory.dmp

Filesize
3.3MB

Download
memory/4356-274-0x00007FF762880000-0x00007FF762BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4356-128-0x00007FF762880000-0x00007FF762BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-122-0x00007FF777C00000-0x00007FF777F51000-memory.dmp

Filesize
3.3MB

Download
memory/4708-263-0x00007FF777C00000-0x00007FF777F51000-memory.dmp

Filesize
3.3MB

Download
memory/4760-66-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-131-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-1-0x000001624A170000-0x000001624A180000-memory.dmp

Filesize
64KB

Download
memory/4760-0-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-154-0x00007FF6CE490000-0x00007FF6CE7E1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-253-0x00007FF74F390000-0x00007FF74F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-120-0x00007FF74F390000-0x00007FF74F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-144-0x00007FF74F390000-0x00007FF74F6E1000-memory.dmp

Filesize
3.3MB

Download