cobaltstrike | 3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff

Resubmissions

28/03/2025, 18:19

250328-wx88sa1ps4 10

28/03/2025, 18:11

250328-wsm5razsew 10

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
Size

6.1MB
MD5

58621203062e1089a24e725a3ad81a5a
SHA1

ede70d27090d3accf131ab5bc4a21e23b9872a0f
SHA256

3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff
SHA512

0a2a426dcc5725301b42f21501e202521511b4c76b320ed35f28e6e09adcd0507b2c01d69c505ebad9ccafae58068975367293e39f570f6c61df842b4f9d633e
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUB:T+q56utgpPF8u/7B

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 33 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000016cd8-6.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016ce0-9.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016d0c-16.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d52-40.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195ad-80.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195b3-103.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195b1-98.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c3-131.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c7-149.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019643-157.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019bf5-186.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019bf6-191.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001998d-184.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019820-180.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000197fd-175.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019761-170.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001975a-164.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960c-154.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c6-145.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c5-139.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c1-129.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195bd-123.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195bb-118.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195b7-113.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195b5-109.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195af-89.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195a9-69.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195ab-76.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d64-55.dat	cobalt_reflective_dll
behavioral1/files/0x0002000000018334-62.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d5c-48.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d3f-34.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d2c-28.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 55 IoCs

miner

resource	yara_rule
behavioral1/memory/1664-0-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/files/0x000a000000016cd8-6.dat	xmrig
behavioral1/files/0x0009000000016ce0-9.dat	xmrig
behavioral1/memory/2420-18-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/files/0x0009000000016d0c-16.dat	xmrig
behavioral1/memory/2996-29-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/memory/2728-37-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/memory/2876-44-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/files/0x0007000000016d52-40.dat	xmrig
behavioral1/memory/2108-51-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/files/0x00050000000195ad-80.dat	xmrig
behavioral1/memory/2928-94-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/2272-100-0x000000013FFD0000-0x0000000140324000-memory.dmp	xmrig
behavioral1/files/0x00050000000195b3-103.dat	xmrig
behavioral1/files/0x00050000000195b1-98.dat	xmrig
behavioral1/files/0x00050000000195c3-131.dat	xmrig
behavioral1/files/0x00050000000195c7-149.dat	xmrig
behavioral1/files/0x0005000000019643-157.dat	xmrig
behavioral1/files/0x0005000000019bf5-186.dat	xmrig
behavioral1/files/0x0005000000019bf6-191.dat	xmrig
behavioral1/files/0x000500000001998d-184.dat	xmrig
behavioral1/files/0x0005000000019820-180.dat	xmrig
behavioral1/files/0x00050000000197fd-175.dat	xmrig
behavioral1/files/0x0005000000019761-170.dat	xmrig
behavioral1/memory/1664-167-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/files/0x000500000001975a-164.dat	xmrig
behavioral1/files/0x000500000001960c-154.dat	xmrig
behavioral1/files/0x00050000000195c6-145.dat	xmrig
behavioral1/memory/1664-141-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/files/0x00050000000195c5-139.dat	xmrig
behavioral1/files/0x00050000000195c1-129.dat	xmrig
behavioral1/files/0x00050000000195bd-123.dat	xmrig
behavioral1/files/0x00050000000195bb-118.dat	xmrig
behavioral1/files/0x00050000000195b7-113.dat	xmrig
behavioral1/files/0x00050000000195b5-109.dat	xmrig
behavioral1/memory/2592-92-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/1324-82-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/1664-81-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/files/0x00050000000195af-89.dat	xmrig
behavioral1/memory/2228-73-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/2996-71-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/files/0x00050000000195a9-69.dat	xmrig
behavioral1/memory/2876-79-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/files/0x00050000000195ab-76.dat	xmrig
behavioral1/memory/2668-59-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d64-55.dat	xmrig
behavioral1/memory/2676-65-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/files/0x0002000000018334-62.dat	xmrig
behavioral1/memory/1664-41-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d5c-48.dat	xmrig
behavioral1/files/0x0007000000016d3f-34.dat	xmrig
behavioral1/files/0x0007000000016d2c-28.dat	xmrig
behavioral1/memory/2380-26-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/memory/1664-25-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/memory/2832-24-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2420	TguoXGy.exe
2380	kujsEJB.exe
2832	BjYFecM.exe
2996	lcVzqFg.exe
2728	oaRlcAT.exe
2876	VPJUjfe.exe
2108	vbsjzPD.exe
2668	RnBeMJC.exe
2676	Ubthrcs.exe
2228	AKOfXgD.exe
1324	rHhZqwh.exe
2592	ReFCEdK.exe
2928	AYNbxxy.exe
2272	upnUJZC.exe
1048	DcMuCis.exe
1784	bbRBGEc.exe
528	REfPwnj.exe
2700	JtPlglx.exe
436	OHigiAW.exe
2600	cEdgLEp.exe
1252	LtFtkVK.exe
584	xdhCOyZ.exe
1844	onSPrMk.exe
672	XoRwgTl.exe
1640	mlVjuse.exe
1348	sQPGCvX.exe
1864	SYFPmZZ.exe
904	xIPKrdZ.exe
1596	VaDKjKk.exe
2156	EXskyuc.exe
1776	TRzvLyK.exe
748	jfqCgVq.exe
1356	kVvHftK.exe
1572	RvhjbIU.exe
1036	KVncbyt.exe
2456	YXwHHWe.exe
1964	IYqBtbH.exe
1456	qFEgTNZ.exe
824	mIcjJxa.exe
1956	PicDESj.exe
2332	EbzjmSB.exe
1932	FoUJtXG.exe
2104	gTUeZlY.exe
1796	PRCEyKy.exe
1944	vOSvnBM.exe
1504	VDwhEZx.exe
3024	fkPCvVS.exe
540	UCHHmMJ.exe
2304	kAGdZCt.exe
2904	KViNptt.exe
1924	ncZMQDq.exe
2012	ShMBFmV.exe
2756	mpHSNmT.exe
2800	ynerRVO.exe
1940	YaTGQAY.exe
1656	FtkwhIM.exe
940	lBWkBkv.exe
1588	jMhCGCy.exe
976	SdZYief.exe
2416	leivLqY.exe
2360	vcjCMsR.exe
2032	HiNYWDB.exe
2812	MrwKRFe.exe
2732	KTvMuZD.exe

Loads dropped DLL 64 IoCs

pid	Process
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1664-0-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/files/0x000a000000016cd8-6.dat	upx
behavioral1/files/0x0009000000016ce0-9.dat	upx
behavioral1/memory/2420-18-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/files/0x0009000000016d0c-16.dat	upx
behavioral1/memory/2996-29-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/memory/2728-37-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/memory/2876-44-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/files/0x0007000000016d52-40.dat	upx
behavioral1/memory/2108-51-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/files/0x00050000000195ad-80.dat	upx
behavioral1/memory/2928-94-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/2272-100-0x000000013FFD0000-0x0000000140324000-memory.dmp	upx
behavioral1/files/0x00050000000195b3-103.dat	upx
behavioral1/files/0x00050000000195b1-98.dat	upx
behavioral1/files/0x00050000000195c3-131.dat	upx
behavioral1/files/0x00050000000195c7-149.dat	upx
behavioral1/files/0x0005000000019643-157.dat	upx
behavioral1/files/0x0005000000019bf5-186.dat	upx
behavioral1/files/0x0005000000019bf6-191.dat	upx
behavioral1/files/0x000500000001998d-184.dat	upx
behavioral1/files/0x0005000000019820-180.dat	upx
behavioral1/files/0x00050000000197fd-175.dat	upx
behavioral1/files/0x0005000000019761-170.dat	upx
behavioral1/files/0x000500000001975a-164.dat	upx
behavioral1/files/0x000500000001960c-154.dat	upx
behavioral1/files/0x00050000000195c6-145.dat	upx
behavioral1/files/0x00050000000195c5-139.dat	upx
behavioral1/files/0x00050000000195c1-129.dat	upx
behavioral1/files/0x00050000000195bd-123.dat	upx
behavioral1/files/0x00050000000195bb-118.dat	upx
behavioral1/files/0x00050000000195b7-113.dat	upx
behavioral1/files/0x00050000000195b5-109.dat	upx
behavioral1/memory/2592-92-0x000000013F200000-0x000000013F554000-memory.dmp	upx
behavioral1/memory/1324-82-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/files/0x00050000000195af-89.dat	upx
behavioral1/memory/2228-73-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/memory/2996-71-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/files/0x00050000000195a9-69.dat	upx
behavioral1/memory/2876-79-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/files/0x00050000000195ab-76.dat	upx
behavioral1/memory/2668-59-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/files/0x0008000000016d64-55.dat	upx
behavioral1/memory/2676-65-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/files/0x0002000000018334-62.dat	upx
behavioral1/memory/1664-41-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/files/0x0008000000016d5c-48.dat	upx
behavioral1/files/0x0007000000016d3f-34.dat	upx
behavioral1/files/0x0007000000016d2c-28.dat	upx
behavioral1/memory/2380-26-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
behavioral1/memory/2832-24-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\kujsEJB.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\kVvHftK.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\FoUJtXG.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\PRCEyKy.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\MrwKRFe.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\rHhZqwh.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\PicDESj.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\ShMBFmV.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\KTvMuZD.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\vcjCMsR.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\kpDZGcR.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\TguoXGy.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\cEdgLEp.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\RvhjbIU.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\KViNptt.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\ZKnREfI.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\vbsjzPD.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\AKOfXgD.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\EbzjmSB.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\VPJUjfe.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\AYNbxxy.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\xdhCOyZ.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\qFEgTNZ.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\FtkwhIM.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\SdZYief.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\IUlBINw.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\Ubthrcs.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\REfPwnj.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\SYFPmZZ.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\VaDKjKk.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\EXskyuc.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\fkPCvVS.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\mpHSNmT.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\HiNYWDB.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\xIPKrdZ.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\KVncbyt.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\leivLqY.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\JtPlglx.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\jfqCgVq.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\kAGdZCt.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\LgtWIGh.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\lBWkBkv.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\mlVjuse.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\YaTGQAY.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\rHtGkiw.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\ReFCEdK.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\DcMuCis.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\sQPGCvX.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\YXwHHWe.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\IFjFkha.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\VpaSbeR.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\LtFtkVK.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\onSPrMk.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\XoRwgTl.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\IYqBtbH.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\gTUeZlY.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\VDwhEZx.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\lcVzqFg.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\oaRlcAT.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\bbRBGEc.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\UCHHmMJ.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\BjYFecM.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\RnBeMJC.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\mIcjJxa.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2280	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2420	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	31
PID 1664 wrote to memory of 2420	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	31
PID 1664 wrote to memory of 2420	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	31
PID 1664 wrote to memory of 2380	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	32
PID 1664 wrote to memory of 2380	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	32
PID 1664 wrote to memory of 2380	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	32
PID 1664 wrote to memory of 2832	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	33
PID 1664 wrote to memory of 2832	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	33
PID 1664 wrote to memory of 2832	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	33
PID 1664 wrote to memory of 2996	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	34
PID 1664 wrote to memory of 2996	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	34
PID 1664 wrote to memory of 2996	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	34
PID 1664 wrote to memory of 2728	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	35
PID 1664 wrote to memory of 2728	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	35
PID 1664 wrote to memory of 2728	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	35
PID 1664 wrote to memory of 2876	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	36
PID 1664 wrote to memory of 2876	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	36
PID 1664 wrote to memory of 2876	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	36
PID 1664 wrote to memory of 2108	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	37
PID 1664 wrote to memory of 2108	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	37
PID 1664 wrote to memory of 2108	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	37
PID 1664 wrote to memory of 2668	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	38
PID 1664 wrote to memory of 2668	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	38
PID 1664 wrote to memory of 2668	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	38
PID 1664 wrote to memory of 2676	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	39
PID 1664 wrote to memory of 2676	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	39
PID 1664 wrote to memory of 2676	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	39
PID 1664 wrote to memory of 2228	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	40
PID 1664 wrote to memory of 2228	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	40
PID 1664 wrote to memory of 2228	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	40
PID 1664 wrote to memory of 1324	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	41
PID 1664 wrote to memory of 1324	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	41
PID 1664 wrote to memory of 1324	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	41
PID 1664 wrote to memory of 2592	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	42
PID 1664 wrote to memory of 2592	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	42
PID 1664 wrote to memory of 2592	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	42
PID 1664 wrote to memory of 2928	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	43
PID 1664 wrote to memory of 2928	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	43
PID 1664 wrote to memory of 2928	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	43
PID 1664 wrote to memory of 2272	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	44
PID 1664 wrote to memory of 2272	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	44
PID 1664 wrote to memory of 2272	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	44
PID 1664 wrote to memory of 1048	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	45
PID 1664 wrote to memory of 1048	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	45
PID 1664 wrote to memory of 1048	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	45
PID 1664 wrote to memory of 1784	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	46
PID 1664 wrote to memory of 1784	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	46
PID 1664 wrote to memory of 1784	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	46
PID 1664 wrote to memory of 528	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	47
PID 1664 wrote to memory of 528	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	47
PID 1664 wrote to memory of 528	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	47
PID 1664 wrote to memory of 2700	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	48
PID 1664 wrote to memory of 2700	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	48
PID 1664 wrote to memory of 2700	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	48
PID 1664 wrote to memory of 436	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	49
PID 1664 wrote to memory of 436	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	49
PID 1664 wrote to memory of 436	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	49
PID 1664 wrote to memory of 2600	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	50
PID 1664 wrote to memory of 2600	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	50
PID 1664 wrote to memory of 2600	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	50
PID 1664 wrote to memory of 1252	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	51
PID 1664 wrote to memory of 1252	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	51
PID 1664 wrote to memory of 1252	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	51
PID 1664 wrote to memory of 584	1664	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
"C:\Users\Admin\AppData\Local\Temp\3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\System\TguoXGy.exe
  C:\Windows\System\TguoXGy.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\kujsEJB.exe
  C:\Windows\System\kujsEJB.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\BjYFecM.exe
  C:\Windows\System\BjYFecM.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\lcVzqFg.exe
  C:\Windows\System\lcVzqFg.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\oaRlcAT.exe
  C:\Windows\System\oaRlcAT.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\VPJUjfe.exe
  C:\Windows\System\VPJUjfe.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\vbsjzPD.exe
  C:\Windows\System\vbsjzPD.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\RnBeMJC.exe
  C:\Windows\System\RnBeMJC.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\Ubthrcs.exe
  C:\Windows\System\Ubthrcs.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\AKOfXgD.exe
  C:\Windows\System\AKOfXgD.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\rHhZqwh.exe
  C:\Windows\System\rHhZqwh.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\ReFCEdK.exe
  C:\Windows\System\ReFCEdK.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\AYNbxxy.exe
  C:\Windows\System\AYNbxxy.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\upnUJZC.exe
  C:\Windows\System\upnUJZC.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\DcMuCis.exe
  C:\Windows\System\DcMuCis.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\bbRBGEc.exe
  C:\Windows\System\bbRBGEc.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\REfPwnj.exe
  C:\Windows\System\REfPwnj.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\JtPlglx.exe
  C:\Windows\System\JtPlglx.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\OHigiAW.exe
  C:\Windows\System\OHigiAW.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\cEdgLEp.exe
  C:\Windows\System\cEdgLEp.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\LtFtkVK.exe
  C:\Windows\System\LtFtkVK.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\xdhCOyZ.exe
  C:\Windows\System\xdhCOyZ.exe
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Windows\System\onSPrMk.exe
  C:\Windows\System\onSPrMk.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\XoRwgTl.exe
  C:\Windows\System\XoRwgTl.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System\mlVjuse.exe
  C:\Windows\System\mlVjuse.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\sQPGCvX.exe
  C:\Windows\System\sQPGCvX.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\SYFPmZZ.exe
  C:\Windows\System\SYFPmZZ.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\xIPKrdZ.exe
  C:\Windows\System\xIPKrdZ.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\System\VaDKjKk.exe
  C:\Windows\System\VaDKjKk.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\EXskyuc.exe
  C:\Windows\System\EXskyuc.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\TRzvLyK.exe
  C:\Windows\System\TRzvLyK.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\kVvHftK.exe
  C:\Windows\System\kVvHftK.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\jfqCgVq.exe
  C:\Windows\System\jfqCgVq.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\KVncbyt.exe
  C:\Windows\System\KVncbyt.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\RvhjbIU.exe
  C:\Windows\System\RvhjbIU.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\YXwHHWe.exe
  C:\Windows\System\YXwHHWe.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\IYqBtbH.exe
  C:\Windows\System\IYqBtbH.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\qFEgTNZ.exe
  C:\Windows\System\qFEgTNZ.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\mIcjJxa.exe
  C:\Windows\System\mIcjJxa.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\PicDESj.exe
  C:\Windows\System\PicDESj.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\EbzjmSB.exe
  C:\Windows\System\EbzjmSB.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\FoUJtXG.exe
  C:\Windows\System\FoUJtXG.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\gTUeZlY.exe
  C:\Windows\System\gTUeZlY.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\PRCEyKy.exe
  C:\Windows\System\PRCEyKy.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\vOSvnBM.exe
  C:\Windows\System\vOSvnBM.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\fkPCvVS.exe
  C:\Windows\System\fkPCvVS.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\VDwhEZx.exe
  C:\Windows\System\VDwhEZx.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\UCHHmMJ.exe
  C:\Windows\System\UCHHmMJ.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\kAGdZCt.exe
  C:\Windows\System\kAGdZCt.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\ncZMQDq.exe
  C:\Windows\System\ncZMQDq.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\KViNptt.exe
  C:\Windows\System\KViNptt.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\ShMBFmV.exe
  C:\Windows\System\ShMBFmV.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\mpHSNmT.exe
  C:\Windows\System\mpHSNmT.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\MrwKRFe.exe
  C:\Windows\System\MrwKRFe.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\ynerRVO.exe
  C:\Windows\System\ynerRVO.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\KTvMuZD.exe
  C:\Windows\System\KTvMuZD.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\YaTGQAY.exe
  C:\Windows\System\YaTGQAY.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\LgtWIGh.exe
  C:\Windows\System\LgtWIGh.exe
  2⤵
  PID:1804
- C:\Windows\System\FtkwhIM.exe
  C:\Windows\System\FtkwhIM.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\rHtGkiw.exe
  C:\Windows\System\rHtGkiw.exe
  2⤵
  PID:1724
- C:\Windows\System\lBWkBkv.exe
  C:\Windows\System\lBWkBkv.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\IFjFkha.exe
  C:\Windows\System\IFjFkha.exe
  2⤵
  PID:1168
- C:\Windows\System\jMhCGCy.exe
  C:\Windows\System\jMhCGCy.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\ZKnREfI.exe
  C:\Windows\System\ZKnREfI.exe
  2⤵
  PID:2128
- C:\Windows\System\SdZYief.exe
  C:\Windows\System\SdZYief.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\xedKJBp.exe
  C:\Windows\System\xedKJBp.exe
  2⤵
  PID:2152
- C:\Windows\System\leivLqY.exe
  C:\Windows\System\leivLqY.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\IUlBINw.exe
  C:\Windows\System\IUlBINw.exe
  2⤵
  PID:1716
- C:\Windows\System\vcjCMsR.exe
  C:\Windows\System\vcjCMsR.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\VpaSbeR.exe
  C:\Windows\System\VpaSbeR.exe
  2⤵
  PID:1268
- C:\Windows\System\HiNYWDB.exe
  C:\Windows\System\HiNYWDB.exe
  2⤵
  - Executes dropped EXE
  PID:2032

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AKOfXgD.exe

Filesize
6.1MB

MD5
552a25fa5367629b331ce0da64bf29de

SHA1
0044084a8e3f14cd836e5e15346c95ebf1a4efb2

SHA256
9c109e2551f52ba968280739775a00b48d10bb6c15d8582fa2fd10f148afb1c4

SHA512
0fa5e7aae6774b630bb5982524454960e1e9bce41d4443a3bde731838fc207ef98f6f08485b75934413634a246714259da04efb1739210b0fd215deabb348899

Download Submit
C:\Windows\system\AYNbxxy.exe

Filesize
6.1MB

MD5
274bdbd1bdfb70822e7eb3a80aab67b3

SHA1
f86645fbeff5f394a95860d13de96148e88fec67

SHA256
fc1bf90c16b65be9d324878d2877c897eab019aef60da157ccf23eaf42d593c7

SHA512
5a1c4a60ff7b99d4d4266a8a000ab2d97f373ae24d04407d53f8dd7cae4eb2a80198715bcdd3e3c325a2e84a494e7c241627f142120058dd758fbdc40538f9b9

Download Submit
C:\Windows\system\BjYFecM.exe

Filesize
6.1MB

MD5
6851783e26543dea1c713be86ad6a745

SHA1
cbfa9a3071da3509f327055adfd224c0bbab4056

SHA256
91a4911a301837127a55ed056afad1c84c63f33c49394b5c27f43f31237cd009

SHA512
c3edfe8040804976eda1211d6bc9db37583c77f24b75ebc0da71335e79c79c910b5dec053ddad29cf4fede0a6337c34fe67748a3f4f5fbb7e56881f8b1d4e33e

Download Submit
C:\Windows\system\DcMuCis.exe

Filesize
6.1MB

MD5
793a34a02fb44e019a362d6ddd2bb652

SHA1
97f29b22e19eb1a17bd115fd2d06318796d7b912

SHA256
b58ad626e324959d751c88fb0a974cd479899cb46a362c5761fbbec6b2cc0a1e

SHA512
cda2a9f975e4955281278ec1c79b464d5f21c43cc280249abefd62e70f20b3e9aefc85ba332af4cf53492bd2ab5127cc35b0b161a6eea64977f17cdd5624e020

Download Submit
C:\Windows\system\EXskyuc.exe

Filesize
6.1MB

MD5
18aa258fd1e3fcb0d517df0b5a6e01eb

SHA1
053edd1492cff9a54e7b4c3bdc96520cbac5407b

SHA256
3a0acf836592998034f6267a1e75b2e007744bd7a94ee146cc4b52f37a51f51d

SHA512
68105488984739210ed81bca47ace4f85372b761d3e28bd9695e9c132b58f584f35563b50d8f57c7e3b5560fcf186227383c33fe9dded400bc483cf60a2b3f1b

Download Submit
C:\Windows\system\JtPlglx.exe

Filesize
6.1MB

MD5
6f985271ac770c462666ee1eda22e472

SHA1
d34a3cba1a62732c0809770c4aa278520ce18988

SHA256
139a974ac33599c90fa9ad4675b4d05dc8d2e58f01fc8c5d2386461500fa3973

SHA512
fba8e57a7a4f4e42ff1bccb3d0ba06a2f891d83daa464195036081d9415501739e6feccb27348f67c423ef93997a392a009e6ab5d66594413ed6cead4f329628

Download Submit
C:\Windows\system\OHigiAW.exe

Filesize
6.1MB

MD5
fa22160541da7a61f0743d7cace70c1b

SHA1
5b3a52f9faf684c9b09f17234eedaa8338934b7e

SHA256
5a9a0f79839de3b70311c2bc5494d5a6f2490cd80e58ee2afca8f602eef8e629

SHA512
89db7b21b8ec2ab934cbf63d2c6700354e5d9abc6cadcc450ee25641afbd1ced12a13d51fa7e310d424160840a3630ddd26bbc450d2beb3bc07930bf3a5f6e0d

Download Submit
C:\Windows\system\REfPwnj.exe

Filesize
6.1MB

MD5
cc68e6cc379666454ab281dbce1d8617

SHA1
a798eac7db7f30a4a23a8df9056d88b18577116b

SHA256
4998a464c03a0b9f563e9a03af35e2fc2e286405ce3345257155d3be89473e23

SHA512
b60e5433e76218ca90f89c1c7f162dc16c49ea4eb7beb113050ba5b3e26cbda05c47076389ba8dd82202c832a329d95f1907c01116cbd734b193d644f8708bcc

Download Submit
C:\Windows\system\RnBeMJC.exe

Filesize
6.1MB

MD5
1c08fa2fd26510e499749660c5dc0ea7

SHA1
87cf70ecc1f4c7873c9860da7fe710a621a7e73d

SHA256
4c9a88a6110c9ac6185474a50975234534ecf7b33848ee1e21c7cbf330573485

SHA512
79420d042598646876fd16a6560b74e3ec47fd93981debf9ed6c46d0d219b1eee2a3c7f35a0453da7bbe999b70eed3d8f3b3a7f646b35d2e8e50ac5830eb67a5

Download Submit
C:\Windows\system\SYFPmZZ.exe

Filesize
6.1MB

MD5
7fbe3a09d3c659ac1285546e94bdaba1

SHA1
f4fabfde21c6c6abd95e330dedabb6a3936e74e2

SHA256
3182dc35f01b3aee36b27ee2deec0b43087c1ca365fa69c129471afee258a5de

SHA512
5a246e1dfb88571489a799fe405f9caeb4e9ac803c720874f5fe56f03996a0f24d88a3c5f76b598b42ebdc8268604597482137fd4488af0a65bc64cff7ab1362

Download Submit
C:\Windows\system\TRzvLyK.exe

Filesize
6.1MB

MD5
836010a297fc8e4d6f6df83e7260b765

SHA1
3f16a2a4a70204c5f6041b15175583684e784125

SHA256
62a97e76aadcecd55471e42f6077faeeb1d130a8d5a8ecc5f0a7641381c016f1

SHA512
4c5b4afc0f9ff77394167c8c674611be3db3f2f66fe3e7fc7c73b68454592af88ea10ae662b11bfd8513adf173d5aa93d75b82228e0ef6372b229122655f0cb7

Download Submit
C:\Windows\system\TguoXGy.exe

Filesize
6.1MB

MD5
d4b117c74bc60b8924aadcd38820f0aa

SHA1
345ef3df4da9d4cde4fab47166512bd4e2e24b44

SHA256
a393f1528c8dcfc102a646a50f2e252dd5b9be61a453c03e2d940cbd8d8ea562

SHA512
8c0f4e584cca696201ca5dd239dd3b1d1292161ff0af00a925b3a36494098627f238e00b20edd3ad4ad0022b8741e8c8190ac92da3dcf5d60262006ff9eb1e2e

Download Submit
C:\Windows\system\Ubthrcs.exe

Filesize
6.1MB

MD5
577afa385a72eb231b1a7368713135dd

SHA1
8f8973f2e03962e5d39b003ecddaefc934e8e431

SHA256
0ad30f1f89cfc88331ca00384342f8688a4f4cdf23137dce4f49c0e3c07b8728

SHA512
5bd6fc4ddbd6683b1f0ecc67bdf8d54f129c7edb7ba3014df6ff3373545e6ea378e35c71938d3f0eb52876925fc036cee6487eba1d2231307c9ce314bb95caee

Download Submit
C:\Windows\system\VPJUjfe.exe

Filesize
6.1MB

MD5
076619e1b60b4d9c925064f34c685d3d

SHA1
7ef43fd8937900340ed6fa4c5960e88775acecef

SHA256
cb52ba885d13bed5ea19f88c1a3dd857de6c856c3994ed7e7b851135a2c3deec

SHA512
0e54170ad74a932d6eb2d361252baed517e788097ab00d75a61c46bdfdef87ecd79291b97a04fe5c1fac6ebd004b1427c7ca997b0cfcebecbe5cb7462669f978

Download Submit
C:\Windows\system\VaDKjKk.exe

Filesize
6.1MB

MD5
8e5abb9d6a49dfcdeca651a6282fa383

SHA1
d22685520811ba8969f4bec358f8d1666b7eaaa8

SHA256
307e764c1b3509743981b301531eb34d27e9e87329e30f61f53121d9d03b9fb1

SHA512
68482cf8771a9e0d5bd588b1cb653b2ff0dd38a3fda291bec6cf529decd90fdf4d615174bee3e4d6283506d62a599cc54be77037d50a3359bff7321094cccf48

Download Submit
C:\Windows\system\XoRwgTl.exe

Filesize
6.1MB

MD5
51a57df526acfedb483fb758861514eb

SHA1
9aa4b610724a6ca5eb71d4c83b8013e845634c8a

SHA256
dec7ff7047ef46696a1dbd83e43d2cbd5e21cc126ca096636d6b845f7ae80b6b

SHA512
7783c914e499ed18bf3d71f85faf075bdbe5d64cc89a360a385ed4f593d473554e66b5492f19a39dbf70c622248684af00e294fde9c74ed0e5bcf5b9e63fac25

Download Submit
C:\Windows\system\bbRBGEc.exe

Filesize
6.1MB

MD5
9a5e4d02076016d1596ec189ac24217b

SHA1
1af39329aaf9dc5c49b183a847beaef6a29fec09

SHA256
4b28eeefbe1d035ee2b3f29a2d48a601215d3f4bc7bc752c0ab80d09842cbc31

SHA512
efe8637588e24d79b90534221349272e23ffd1b42288a3f0a7af3fb9df30ee12d5ec86e002ecf591b3612988a656486fd4cb8849e3c1dad5ae68f74db60ceadd

Download Submit
C:\Windows\system\cEdgLEp.exe

Filesize
6.1MB

MD5
b3755651874f1a302a45922b8da0ca0b

SHA1
4f3fa0da343365e51b4e2ba8a018696b8202ecca

SHA256
0320fa1966be41140d4ef3e7b827fcec37a8517a0537c5edfdf970e2641038ec

SHA512
d492377e3e609a7eb2a4c8810fdf0d36013112dc3d7b2076ceb5719c73356541bb05591b15c7024ffac0d641510775322b9f33788edf4789d2ff46907e03d8ec

Download Submit
C:\Windows\system\lcVzqFg.exe

Filesize
6.1MB

MD5
9834b4312abf1c02929c9b44013773e8

SHA1
f0dc6bb8b6566dff88d66be7b82416c1a5683724

SHA256
4096b7fed643515d98da153bf559a5888d7c99d67037cef5a13e8f875edb824a

SHA512
66ed46fa788f9657fc5539b2fbd86a73c8bb28ae8c2112cc8bf58aff92da2653104fac7c4c42555b1238063a753ff3ab4f2d7bd0206e92fa9581083b3199619f

Download Submit
C:\Windows\system\mlVjuse.exe

Filesize
6.1MB

MD5
5bec1a7c051a450c1f3bdca620c0f4f4

SHA1
13062cf56609e9054cf72088d14ece504519c91e

SHA256
3bd1bfbd1883394766e84aca92f4048c4f777773887888aaa1400b48a7fb0312

SHA512
8823689e9ffcb91326662f59b8e2bdc4ecb155870c14be1bbb65b0c6860ecc6ed20f0b12cea5c5f25832ee0c49885a7fff230117ef8f950c87f19f8dfd6e4e67

Download Submit
C:\Windows\system\oaRlcAT.exe

Filesize
6.1MB

MD5
dc18ba58f617b3382c948a297d363f2f

SHA1
87a3b024ad1b87fff4df2a193b0d34072c962588

SHA256
d578b0ba26f5f00180e73602962aea33c59267f83e397638204589cca3cc1bfc

SHA512
b2e532ed017f7b1c6477dfd08be713879406799bcc6b7cdbbaf3b60846d1c65f8d2087e386f9f31c81ad8d428c66e77f1380e861c73eb6420bf8f551b4c3271a

Download Submit
C:\Windows\system\onSPrMk.exe

Filesize
6.1MB

MD5
f6d8a6378152b5d4f38e0908bf3abff5

SHA1
84d6acdb12389fb475e78d3a360915ea03584418

SHA256
f8cebb695cc43f4ba8d187dacaf099628c26402d60df93c2a9f63ce36eb9f3bd

SHA512
15abb0eaef69209f2b6b16f4117a326f594126fb237b569ca8b8ab3e16825e14d4cdb79f59052f535b13f81c60e0855523108501bc05bf2706d616c7336e8c6a

Download Submit
C:\Windows\system\rHhZqwh.exe

Filesize
6.1MB

MD5
8b587ce8b1e4d11210a3878d3b4a4b1a

SHA1
7e85cf3e43ff7bad6286199a42d35e34d61a70e7

SHA256
92642d147f0fd02e8d8ceff30ff168d57b23e7926e8b7bfc8f42e0d556fc6425

SHA512
81626ac146142b68a67ad2c7875918863eff841b67c6d97cad4b0c62efc5d8c8a8269aa32d2bcb760f99a09851ccf03411974e936dcf16008b8fc5a7982b5559

Download Submit
C:\Windows\system\upnUJZC.exe

Filesize
6.1MB

MD5
bd3f64a2766bb1ee0fb1bb3c27c0a8d2

SHA1
facf3206ed5c618babfc9cf882cd488870a02790

SHA256
fa96af11f57bfa294b8feead2502a039d0162faef802626e9b9a87730d361194

SHA512
334e1a5839989efe95e2b37d323f9d367cc291d297ecc74d50a4fbcb8dff619b6cd9741165b33f7414c1fe7326dce1dce21f25ec9fc4aa02c5de33b963e014c0

Download Submit
C:\Windows\system\vbsjzPD.exe

Filesize
6.1MB

MD5
a86c3357418dde852eb56464edf8daab

SHA1
8c17d87a0c66358d90c44afee65b315a9b41edda

SHA256
62ac3594b285035749f0813a957dfe3e0b52fcb252b077fe9503f1531a8e4936

SHA512
2bc95c8b0417fa1045da791bd17e3f3b1e271a3961fec99dccafe59892ce03849a07487adc813d131358a1d8c197d917c6d16ee09abcc13c3ba969668457de0f

Download Submit
C:\Windows\system\xIPKrdZ.exe

Filesize
6.1MB

MD5
ecb5a4d51346588dcf3eb13a4df27e79

SHA1
c74198add9d6dfe838fcff20b48d2274aefc5d1e

SHA256
04bfa5019e0e0167a1f2114e9c327292ef1d5c1818a903bb8e5df3b781f3b512

SHA512
712eabb57fe7592eda08c8dc978390e215ed067b1f2db09253718a1b04c2a5a27dda947d169bb7e7d01cfa3e92069cac17e91f9de48f6977c381ea9bd31bb964

Download Submit
C:\Windows\system\xdhCOyZ.exe

Filesize
6.1MB

MD5
f87e92225c76d4fadba7af87cc18ff7b

SHA1
4c7754baeb84fe132a35f5cb8b745ef0b4529c58

SHA256
f49f6c399083bc63b1ab0ffa417d92fe7cc3ce9fbd1ae75ca8496738385d6dc9

SHA512
4b69dfcd0fce5499f29a9f3d59c6d0cb28dc26e7ebd137c690290dba3f83570c651847fd9f7f7d73b9f1c73bdfd27c992b3bacf3ff7a0cece5b67f360ad309fe

Download Submit
\Windows\system\LtFtkVK.exe

Filesize
6.1MB

MD5
6e7461f55f9c093d6810717e4c7f1f84

SHA1
f5852a093968a2856fec524d0832b62823c45c9c

SHA256
c07db30a90848a843c0e1df5d359188d05e753df43c4825fca38129c2c5a93f3

SHA512
c90e530b697995c4fdcf559fdbf297270f13feb5ba9e619ae0e4bc4f3bdeba16b0ed80765681a04fc7f30dc02c7f2c76c5ce8b84ae9c9c354c3bcc0963387af2

Download Submit
\Windows\system\ReFCEdK.exe

Filesize
6.1MB

MD5
7571def87e8cbb8f4cba93998c7f9619

SHA1
b7714e658978778df218d57b932e6e186ae66da8

SHA256
656d174ae9b728816e69512b73453ac8f701b113b1f66e37418388fae2dc5d58

SHA512
8d6ce209d520ddcda5719108e7a744cc1fc1fca5190f6a1d0bb726f2e582bde529d9de33963791d9c7fef1a3174932beef52f49583ab52fcb35552d4b02ea529

Download Submit
\Windows\system\jfqCgVq.exe

Filesize
6.1MB

MD5
8ff444cd55f8f896e65000ca82f1f47f

SHA1
82fe7c336ef0857447c6ad461939622895a82406

SHA256
7d4f39fdbbe2175849681324470760a7ac4a43f67fde1697ea393b4a3c3030d8

SHA512
921d4c4144f83b4c75494ace0f3fa26794b26b068c93be7282a6a6253a6eea63cac3b38a3743def140a3ef3241ff96c276a0deb50f432af5e3be04e72c2e163f

Download Submit
\Windows\system\kVvHftK.exe

Filesize
6.1MB

MD5
23c268528c9f3562ecf9dfda0fff080a

SHA1
20f00183f6ca6fe3f5fed68beff35e0564e07bd4

SHA256
9da8b145424671d45a16a04575295fac460ff9665ec10579305c12eefd7e70a9

SHA512
e0e27c3db7e5ec13e8b950287210f4be138896c3650aacdffab823f4863b2a9f73462d88c64069f6ef5d30b6c2dc74b8c88e8d0857c76693f017283cd26d2fa1

Download Submit
\Windows\system\kujsEJB.exe

Filesize
6.1MB

MD5
72cf251f5a830803862a0ffbed4ffa27

SHA1
061faa5226a886157143872f9bb0ea0e9a89b953

SHA256
8599d0fb38e1ff8cbce03c703849dceb5c0018dc8433478ffe53c81e8c892600

SHA512
6dfb8e11779ea8b25e857a46c8dadd76e0b52d926a558243852a5f5cda8dfb235cbdc49474ece1136c8f5567fdac47b2205ab431533076402fcc3f9be83a468d

Download Submit
\Windows\system\sQPGCvX.exe

Filesize
6.1MB

MD5
b8e021ff1759c96f0af95769747188af

SHA1
77cc3f8a8299c2b36e43bc9693c2479a4343c35a

SHA256
1f5dab21d90bd3e5627d860979b82c8285020b93f2ed679a98d5a24a735b3810

SHA512
709a67318730a9d17ceeb3745c823407acea4edc1bb97e481f09577be95bd5b564396c2b2145971f771bf3f8b49c8a84c32fe09a618c1807962e62f1e54c918f

Download Submit
memory/1324-82-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/1664-41-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1664-81-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/1664-23-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/1664-57-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/1664-93-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/1664-25-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/1664-0-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1664-58-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/1664-27-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/1664-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1664-72-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1664-8-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/1664-36-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/1664-45-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/1664-141-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1664-167-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2108-51-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2228-73-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-100-0x000000013FFD0000-0x0000000140324000-memory.dmp

Filesize
3.3MB

Download
memory/2380-26-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/2420-18-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2592-92-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/2668-59-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2676-65-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2728-37-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2832-24-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2876-44-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2876-79-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2928-94-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2996-71-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-29-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads