ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

Analysis

max time kernel
165s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe
Size

12KB
MD5

6ae20d67905e7a08d9557ca32e7323c4
SHA1

af2da143d5d7463f2b5987f3fb1fd1b2bde11f43
SHA256

ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca
SHA512

5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96
SSDEEP

384:mESPOUaORge+CAbGaZUYT0sJYLI1dJGRb:mxPOUaKhZByUQ1w

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 43 IoCs

pid	Process
316	itttougoqtf.exe
3096	snhehslasvk.exe
3968	wpbjzsdlurs.exe
4988	zadostnvnfa.exe
4516	.exe
1360	ckxucuggptj.exe
4348	.exe
4228	fmrhvuyrjhr.exe
3052	.exe
2372	jxtmnnrckvz.exe
3164	.exe
2712	mhoryojmejh.exe
1424	sukkjpuqztx.exe
2256	wmpwwowihes.exe
1304	pgfsokvdtso.exe
4828	mlotyhuiytt.exe
1036	zasdhizpvvm.exe
4724	gjdihfeierc.exe
4480	jtxoagwsffk.exe
1264	nwztshodzts.exe
2224	.exe
2612	qgtydahwaha.exe
3940	xtqrobkrwrq.exe
776	.exe
2216	aeswzcccpfy.exe
5012	.exe
2948	domcrcvnrth.exe
1664	dcbxoywkegg.exe
4576	qkuadbkjvsm.exe
1564	uuwfvucuogv.exe
224	rhinaxlhifm.exe
4352	ujkssxdrcsu.exe
1004	.exe
5096	xtfgdqwcdgc.exe
3596	.exe
4320	aehlvronxuk.exe
2468	.exe
2844	egbqoszyyis.exe
2160	.exe
2456	hrdvzsrqsea.exe
1060	.exe
4244	kbxjrtkbusj.exe
4484	xjqmgofskep.exe

Sets file to hidden 1 TTPs 43 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
432	attrib.exe
460	attrib.exe
1948	attrib.exe
4988	attrib.exe
3340	attrib.exe
3508	attrib.exe
692	attrib.exe
1712	attrib.exe
2564	attrib.exe
4668	attrib.exe
3888	attrib.exe
2116	attrib.exe
564	attrib.exe
2004	attrib.exe
1140	attrib.exe
796	attrib.exe
3120	attrib.exe
1508	attrib.exe
2224	attrib.exe
2112	attrib.exe
4240	attrib.exe
2924	attrib.exe
4232	attrib.exe
4796	attrib.exe
4192	attrib.exe
4280	attrib.exe
4320	attrib.exe
796	attrib.exe
1072	attrib.exe
4280	attrib.exe
2812	attrib.exe
448	attrib.exe
2464	attrib.exe
1564	attrib.exe
2812	attrib.exe
3060	attrib.exe
228	attrib.exe
3888	attrib.exe
3136	attrib.exe
4412	attrib.exe
4396	attrib.exe
872	attrib.exe
4540	attrib.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\.exe.bat	.exe
File opened for modification	C:\Windows\SysWOW64\aehlvronxuk.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\snhehslasvk.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\nwztshodzts.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\.exe.bat	.exe
File opened for modification	C:\Windows\SysWOW64\ckxucuggptj.exe.bat	attrib.exe
File created	C:\Windows\SysWOW64\qkuadbkjvsm.exe.bat	qkuadbkjvsm.exe
File opened for modification	C:\Windows\SysWOW64\gjdihfeierc.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\domcrcvnrth.exe	.exe
File opened for modification	C:\Windows\SysWOW64\rhinaxlhifm.exe	uuwfvucuogv.exe
File opened for modification	C:\Windows\SysWOW64\ujkssxdrcsu.exe.bat	attrib.exe
File created	C:\Windows\SysWOW64\aehlvronxuk.exe	.exe
File opened for modification	C:\Windows\SysWOW64\hrdvzsrqsea.exe.bat	attrib.exe
File created	C:\Windows\SysWOW64\aeswzcccpfy.exe.bat	aeswzcccpfy.exe
File opened for modification	C:\Windows\SysWOW64\jtxoagwsffk.exe.bat	attrib.exe
File created	C:\Windows\SysWOW64\domcrcvnrth.exe	.exe
File opened for modification	C:\Windows\SysWOW64\jtxoagwsffk.exe.bat	jtxoagwsffk.exe
File created	C:\Windows\SysWOW64\.exe.bat	.exe
File opened for modification	C:\Windows\SysWOW64\.exe.bat	.exe
File created	C:\Windows\SysWOW64\egbqoszyyis.exe.bat	egbqoszyyis.exe
File created	C:\Windows\SysWOW64\.exe	zadostnvnfa.exe
File opened for modification	C:\Windows\SysWOW64\pgfsokvdtso.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\xtfgdqwcdgc.exe	.exe
File opened for modification	C:\Windows\SysWOW64\xtfgdqwcdgc.exe.bat	xtfgdqwcdgc.exe
File opened for modification	C:\Windows\SysWOW64\.exe	zadostnvnfa.exe
File opened for modification	C:\Windows\SysWOW64\zadostnvnfa.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\sukkjpuqztx.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\egbqoszyyis.exe	.exe
File opened for modification	C:\Windows\SysWOW64\itttougoqtf.exe	ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe
File opened for modification	C:\Windows\SysWOW64\ckxucuggptj.exe.bat	attrib.exe
File created	C:\Windows\SysWOW64\.exe	nwztshodzts.exe
File opened for modification	C:\Windows\SysWOW64\aeswzcccpfy.exe	.exe
File opened for modification	C:\Windows\SysWOW64\hrdvzsrqsea.exe.bat	hrdvzsrqsea.exe
File opened for modification	C:\Windows\SysWOW64\ckxucuggptj.exe.bat	ckxucuggptj.exe
File opened for modification	C:\Windows\SysWOW64\nwztshodzts.exe.bat	nwztshodzts.exe
File opened for modification	C:\Windows\SysWOW64\xtqrobkrwrq.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\xjqmgofskep.exe	kbxjrtkbusj.exe
File created	C:\Windows\SysWOW64\ckxucuggptj.exe	.exe
File created	C:\Windows\SysWOW64\.exe	fmrhvuyrjhr.exe
File created	C:\Windows\SysWOW64\wmpwwowihes.exe	sukkjpuqztx.exe
File opened for modification	C:\Windows\SysWOW64\.exe.bat	attrib.exe
File created	C:\Windows\SysWOW64\xtfgdqwcdgc.exe	.exe
File opened for modification	C:\Windows\SysWOW64\zadostnvnfa.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\mhoryojmejh.exe.bat	attrib.exe
File created	C:\Windows\SysWOW64\rhinaxlhifm.exe.bat	rhinaxlhifm.exe
File opened for modification	C:\Windows\SysWOW64\jxtmnnrckvz.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\jxtmnnrckvz.exe.bat	jxtmnnrckvz.exe
File opened for modification	C:\Windows\SysWOW64\mhoryojmejh.exe.bat	mhoryojmejh.exe
File opened for modification	C:\Windows\SysWOW64\jtxoagwsffk.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\uuwfvucuogv.exe.bat	attrib.exe
File created	C:\Windows\SysWOW64\.exe.bat	.exe
File created	C:\Windows\SysWOW64\hrdvzsrqsea.exe.bat	hrdvzsrqsea.exe
File created	C:\Windows\SysWOW64\fmrhvuyrjhr.exe	.exe
File opened for modification	C:\Windows\SysWOW64\.exe.bat	.exe
File opened for modification	C:\Windows\SysWOW64\mlotyhuiytt.exe.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\xtqrobkrwrq.exe	qgtydahwaha.exe
File created	C:\Windows\SysWOW64\wpbjzsdlurs.exe.bat	wpbjzsdlurs.exe
File opened for modification	C:\Windows\SysWOW64\.exe.bat	.exe
File opened for modification	C:\Windows\SysWOW64\mhoryojmejh.exe.bat	attrib.exe
File created	C:\Windows\SysWOW64\gjdihfeierc.exe.bat	gjdihfeierc.exe
File created	C:\Windows\SysWOW64\.exe	aehlvronxuk.exe
File opened for modification	C:\Windows\SysWOW64\kbxjrtkbusj.exe.bat	kbxjrtkbusj.exe
File opened for modification	C:\Windows\SysWOW64\zadostnvnfa.exe.bat	zadostnvnfa.exe
File created	C:\Windows\SysWOW64\mhoryojmejh.exe	.exe

Enumerates processes with tasklist 1 TTPs 43 IoCs

Process Discovery

T1057

pid	Process
4356	tasklist.exe
536	tasklist.exe
1712	tasklist.exe
2820	tasklist.exe
4152	tasklist.exe
4480	tasklist.exe
2860	tasklist.exe
1376	tasklist.exe
1032	tasklist.exe
1236	tasklist.exe
2040	tasklist.exe
436	tasklist.exe
5028	tasklist.exe
4480	tasklist.exe
760	tasklist.exe
2204	tasklist.exe
2844	tasklist.exe
4728	tasklist.exe
2672	tasklist.exe
4436	tasklist.exe
2280	tasklist.exe
2440	tasklist.exe
1100	tasklist.exe
1312	tasklist.exe
1664	tasklist.exe
4392	tasklist.exe
1608	tasklist.exe
4700	tasklist.exe
1444	tasklist.exe
1876	tasklist.exe
4652	tasklist.exe
1312	tasklist.exe
2352	tasklist.exe
2072	tasklist.exe
2116	tasklist.exe
4156	tasklist.exe
4732	tasklist.exe
1796	tasklist.exe
852	tasklist.exe
2296	tasklist.exe
2380	tasklist.exe
1316	tasklist.exe
2480	tasklist.exe

Runs ping.exe 1 TTPs 43 IoCs

Remote System Discovery

T1018

pid	Process
228	PING.EXE
3604	PING.EXE
2252	PING.EXE
3388	PING.EXE
4164	PING.EXE
2516	PING.EXE
824	PING.EXE
3628	PING.EXE
3892	PING.EXE
1624	PING.EXE
4236	PING.EXE
176	PING.EXE
4260	PING.EXE
4864	PING.EXE
1996	PING.EXE
4724	PING.EXE
4652	PING.EXE
4844	PING.EXE
2668	PING.EXE
1360	PING.EXE
628	PING.EXE
3484	PING.EXE
2384	PING.EXE
432	PING.EXE
2712	PING.EXE
2436	PING.EXE
2812	PING.EXE
3440	PING.EXE
4928	PING.EXE
5044	PING.EXE
4584	PING.EXE
4236	PING.EXE
3596	PING.EXE
1140	PING.EXE
4456	PING.EXE
1788	PING.EXE
692	PING.EXE
2256	PING.EXE
2152	PING.EXE
2868	PING.EXE
4240	PING.EXE
4860	PING.EXE
4156	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3488	ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe
3488	ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe
316	itttougoqtf.exe
316	itttougoqtf.exe
3096	snhehslasvk.exe
3096	snhehslasvk.exe
3968	wpbjzsdlurs.exe
3968	wpbjzsdlurs.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe
4988	zadostnvnfa.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	tasklist.exe
Token: SeDebugPrivilege	4356	tasklist.exe
Token: SeDebugPrivilege	4728	tasklist.exe
Token: SeDebugPrivilege	2352	tasklist.exe
Token: SeDebugPrivilege	536	tasklist.exe
Token: SeDebugPrivilege	2072	tasklist.exe
Token: SeDebugPrivilege	2296	tasklist.exe
Token: SeDebugPrivilege	4652	tasklist.exe
Token: SeDebugPrivilege	1312	tasklist.exe
Token: SeDebugPrivilege	760	tasklist.exe
Token: SeDebugPrivilege	2116	tasklist.exe
Token: SeDebugPrivilege	2672	tasklist.exe
Token: SeDebugPrivilege	1664	tasklist.exe
Token: SeDebugPrivilege	4436	tasklist.exe
Token: SeDebugPrivilege	4156	tasklist.exe
Token: SeDebugPrivilege	2860	tasklist.exe
Token: SeDebugPrivilege	1376	tasklist.exe
Token: SeDebugPrivilege	1712	tasklist.exe
Token: SeDebugPrivilege	2380	tasklist.exe
Token: SeDebugPrivilege	2204	tasklist.exe
Token: SeDebugPrivilege	4732	tasklist.exe
Token: SeDebugPrivilege	2820	tasklist.exe
Token: SeDebugPrivilege	4152	tasklist.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	1796	tasklist.exe
Token: SeDebugPrivilege	1236	tasklist.exe
Token: SeDebugPrivilege	2040	tasklist.exe
Token: SeDebugPrivilege	4480	tasklist.exe
Token: SeDebugPrivilege	4392	tasklist.exe
Token: SeDebugPrivilege	2844	tasklist.exe
Token: SeDebugPrivilege	2280	tasklist.exe
Token: SeDebugPrivilege	436	tasklist.exe
Token: SeDebugPrivilege	1608	tasklist.exe
Token: SeDebugPrivilege	852	tasklist.exe
Token: SeDebugPrivilege	5028	tasklist.exe
Token: SeDebugPrivilege	4480	tasklist.exe
Token: SeDebugPrivilege	2440	tasklist.exe
Token: SeDebugPrivilege	1316	tasklist.exe
Token: SeDebugPrivilege	2480	tasklist.exe
Token: SeDebugPrivilege	1100	tasklist.exe
Token: SeDebugPrivilege	4700	tasklist.exe
Token: SeDebugPrivilege	1444	tasklist.exe
Token: SeDebugPrivilege	1876	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 5020	3488	ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe	82
PID 3488 wrote to memory of 5020	3488	ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe	82
PID 3488 wrote to memory of 5020	3488	ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe	82
PID 5020 wrote to memory of 3888	5020	cmd.exe	83
PID 5020 wrote to memory of 3888	5020	cmd.exe	83
PID 5020 wrote to memory of 3888	5020	cmd.exe	83
PID 5020 wrote to memory of 1312	5020	cmd.exe	85
PID 5020 wrote to memory of 1312	5020	cmd.exe	85
PID 5020 wrote to memory of 1312	5020	cmd.exe	85
PID 5020 wrote to memory of 3264	5020	cmd.exe	84
PID 5020 wrote to memory of 3264	5020	cmd.exe	84
PID 5020 wrote to memory of 3264	5020	cmd.exe	84
PID 5020 wrote to memory of 4260	5020	cmd.exe	88
PID 5020 wrote to memory of 4260	5020	cmd.exe	88
PID 5020 wrote to memory of 4260	5020	cmd.exe	88
PID 5020 wrote to memory of 316	5020	cmd.exe	89
PID 5020 wrote to memory of 316	5020	cmd.exe	89
PID 5020 wrote to memory of 316	5020	cmd.exe	89
PID 5020 wrote to memory of 220	5020	cmd.exe	90
PID 5020 wrote to memory of 220	5020	cmd.exe	90
PID 5020 wrote to memory of 220	5020	cmd.exe	90
PID 316 wrote to memory of 3556	316	itttougoqtf.exe	91
PID 316 wrote to memory of 3556	316	itttougoqtf.exe	91
PID 316 wrote to memory of 3556	316	itttougoqtf.exe	91
PID 3556 wrote to memory of 448	3556	cmd.exe	93
PID 3556 wrote to memory of 448	3556	cmd.exe	93
PID 3556 wrote to memory of 448	3556	cmd.exe	93
PID 3556 wrote to memory of 4356	3556	cmd.exe	94
PID 3556 wrote to memory of 4356	3556	cmd.exe	94
PID 3556 wrote to memory of 4356	3556	cmd.exe	94
PID 3556 wrote to memory of 3820	3556	cmd.exe	95
PID 3556 wrote to memory of 3820	3556	cmd.exe	95
PID 3556 wrote to memory of 3820	3556	cmd.exe	95
PID 3556 wrote to memory of 4236	3556	cmd.exe	96
PID 3556 wrote to memory of 4236	3556	cmd.exe	96
PID 3556 wrote to memory of 4236	3556	cmd.exe	96
PID 3556 wrote to memory of 3096	3556	cmd.exe	97
PID 3556 wrote to memory of 3096	3556	cmd.exe	97
PID 3556 wrote to memory of 3096	3556	cmd.exe	97
PID 3556 wrote to memory of 3104	3556	cmd.exe	99
PID 3556 wrote to memory of 3104	3556	cmd.exe	99
PID 3556 wrote to memory of 3104	3556	cmd.exe	99
PID 3096 wrote to memory of 764	3096	snhehslasvk.exe	98
PID 3096 wrote to memory of 764	3096	snhehslasvk.exe	98
PID 3096 wrote to memory of 764	3096	snhehslasvk.exe	98
PID 764 wrote to memory of 2116	764	cmd.exe	101
PID 764 wrote to memory of 2116	764	cmd.exe	101
PID 764 wrote to memory of 2116	764	cmd.exe	101
PID 764 wrote to memory of 4728	764	cmd.exe	103
PID 764 wrote to memory of 4728	764	cmd.exe	103
PID 764 wrote to memory of 4728	764	cmd.exe	103
PID 764 wrote to memory of 1144	764	cmd.exe	102
PID 764 wrote to memory of 1144	764	cmd.exe	102
PID 764 wrote to memory of 1144	764	cmd.exe	102
PID 764 wrote to memory of 4844	764	cmd.exe	104
PID 764 wrote to memory of 4844	764	cmd.exe	104
PID 764 wrote to memory of 4844	764	cmd.exe	104
PID 764 wrote to memory of 3968	764	cmd.exe	105
PID 764 wrote to memory of 3968	764	cmd.exe	105
PID 764 wrote to memory of 3968	764	cmd.exe	105
PID 764 wrote to memory of 1892	764	cmd.exe	107
PID 764 wrote to memory of 1892	764	cmd.exe	107
PID 764 wrote to memory of 1892	764	cmd.exe	107
PID 3968 wrote to memory of 2796	3968	wpbjzsdlurs.exe	106

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1436	attrib.exe
3900	attrib.exe
460	attrib.exe
2040	attrib.exe
2004	attrib.exe
4900	attrib.exe
3060	attrib.exe
228	attrib.exe
4484	attrib.exe
3104	attrib.exe
1184	attrib.exe
2356	attrib.exe
3136	attrib.exe
4640	attrib.exe
1352	attrib.exe
564	attrib.exe
4304	attrib.exe
1712	attrib.exe
2812	attrib.exe
4540	attrib.exe
692	attrib.exe
4280	attrib.exe
4192	attrib.exe
2116	attrib.exe
4280	attrib.exe
4688	attrib.exe
4988	attrib.exe
4832	attrib.exe
3888	attrib.exe
3096	attrib.exe
2304	attrib.exe
2800	attrib.exe
2224	attrib.exe
3060	attrib.exe
2480	attrib.exe
872	attrib.exe
3508	attrib.exe
3120	attrib.exe
2564	attrib.exe
4412	attrib.exe
3988	attrib.exe
1508	attrib.exe
4320	attrib.exe
4232	attrib.exe
796	attrib.exe
2296	attrib.exe
2004	attrib.exe
780	attrib.exe
956	attrib.exe
796	attrib.exe
4396	attrib.exe
4700	attrib.exe
452	attrib.exe
2928	attrib.exe
3756	attrib.exe
1948	attrib.exe
1904	attrib.exe
1072	attrib.exe
3852	attrib.exe
3060	attrib.exe
1892	attrib.exe
432	attrib.exe
2924	attrib.exe
1440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe
"C:\Users\Admin\AppData\Local\Temp\ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Local\Temp\ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe.bat -r -a +s +h
    3⤵
    - Sets file to hidden
    PID:3888
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i /b "ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4260
- - C:\Windows\SysWOW64\itttougoqtf.exe
    C:\Windows\system32\itttougoqtf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\itttougoqtf.exe.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\itttougoqtf.exe.bat -r -a +s +h
        5⤵
        Sets file to hidden
        
        PID:448
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "itttougoqtf.exe"
        5⤵
        
        PID:3820
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:4236
    - - C:\Windows\SysWOW64\snhehslasvk.exe
        
        C:\Windows\system32\snhehslasvk.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\snhehslasvk.exe.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\snhehslasvk.exe.bat -r -a +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2116
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "snhehslasvk.exe"
        7⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        7⤵
        Runs ping.exe
        
        PID:4844
        
        C:\Windows\SysWOW64\wpbjzsdlurs.exe
        
        C:\Windows\system32\wpbjzsdlurs.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\wpbjzsdlurs.exe.bat
        8⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\wpbjzsdlurs.exe.bat -r -a +s +h
        9⤵
        Sets file to hidden
        
        PID:2464
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "wpbjzsdlurs.exe"
        9⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        9⤵
        Runs ping.exe
        
        PID:3596
        
        C:\Windows\SysWOW64\zadostnvnfa.exe
        
        C:\Windows\system32\zadostnvnfa.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\zadostnvnfa.exe.bat
        10⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\zadostnvnfa.exe.bat -r -a +s +h
        11⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3508
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        11⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "zadostnvnfa.exe"
        11⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        11⤵
        Runs ping.exe
        
        PID:4864
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        12⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2224
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        13⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        13⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        13⤵
        Runs ping.exe
        
        PID:1788
        
        C:\Windows\SysWOW64\ckxucuggptj.exe
        
        C:\Windows\system32\ckxucuggptj.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ckxucuggptj.exe.bat
        14⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\ckxucuggptj.exe.bat -r -a +s +h
        15⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2812
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        15⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "ckxucuggptj.exe"
        15⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        15⤵
        Runs ping.exe
        
        PID:628
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        16⤵
        
        PID:460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:432
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        17⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        17⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        17⤵
        Runs ping.exe
        
        PID:3484
        
        C:\Windows\SysWOW64\fmrhvuyrjhr.exe
        
        C:\Windows\system32\fmrhvuyrjhr.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\fmrhvuyrjhr.exe.bat
        18⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\fmrhvuyrjhr.exe.bat -r -a +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:564
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        19⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "fmrhvuyrjhr.exe"
        19⤵
        
        PID:112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:228
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        20⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        21⤵
        Sets file to hidden
        
        PID:4240
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        21⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        21⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        21⤵
        Runs ping.exe
        
        PID:1140
        
        C:\Windows\SysWOW64\jxtmnnrckvz.exe
        
        C:\Windows\system32\jxtmnnrckvz.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\jxtmnnrckvz.exe.bat
        22⤵
        
        PID:700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\jxtmnnrckvz.exe.bat -r -a +s +h
        23⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4540
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        23⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "jxtmnnrckvz.exe"
        23⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        23⤵
        Runs ping.exe
        
        PID:3604
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        24⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4320
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        25⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        25⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        25⤵
        Runs ping.exe
        
        PID:692
        
        C:\Windows\SysWOW64\mhoryojmejh.exe
        
        C:\Windows\system32\mhoryojmejh.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\mhoryojmejh.exe.bat
        26⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\mhoryojmejh.exe.bat -r -a +s +h
        27⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2004
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        27⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "mhoryojmejh.exe"
        27⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        27⤵
        Runs ping.exe
        
        PID:3628
        
        C:\Windows\SysWOW64\sukkjpuqztx.exe
        
        C:\Windows\system32\sukkjpuqztx.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\sukkjpuqztx.exe.bat
        28⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\sukkjpuqztx.exe.bat -r -a +s +h
        29⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4280
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        29⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "sukkjpuqztx.exe"
        29⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        29⤵
        Runs ping.exe
        
        PID:3388
        
        C:\Windows\SysWOW64\wmpwwowihes.exe
        
        C:\Windows\system32\wmpwwowihes.exe
        29⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\wmpwwowihes.exe.bat
        30⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\wmpwwowihes.exe.bat -r -a +s +h
        31⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:796
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        31⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "wmpwwowihes.exe"
        31⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        31⤵
        Runs ping.exe
        
        PID:2384
        
        C:\Windows\SysWOW64\pgfsokvdtso.exe
        
        C:\Windows\system32\pgfsokvdtso.exe
        31⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\pgfsokvdtso.exe.bat
        32⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\pgfsokvdtso.exe.bat -r -a +s +h
        33⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2924
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        33⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "pgfsokvdtso.exe"
        33⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        33⤵
        Runs ping.exe
        
        PID:432
        
        C:\Windows\SysWOW64\mlotyhuiytt.exe
        
        C:\Windows\system32\mlotyhuiytt.exe
        33⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\mlotyhuiytt.exe.bat
        34⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\mlotyhuiytt.exe.bat -r -a +s +h
        35⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:460
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        35⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "mlotyhuiytt.exe"
        35⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        35⤵
        Runs ping.exe
        
        PID:3892
        
        C:\Windows\SysWOW64\zasdhizpvvm.exe
        
        C:\Windows\system32\zasdhizpvvm.exe
        35⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\zasdhizpvvm.exe.bat
        36⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\zasdhizpvvm.exe.bat -r -a +s +h
        37⤵
        Sets file to hidden
        
        PID:1140
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        37⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "zasdhizpvvm.exe"
        37⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        37⤵
        Runs ping.exe
        
        PID:2668
        
        C:\Windows\SysWOW64\gjdihfeierc.exe
        
        C:\Windows\system32\gjdihfeierc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\gjdihfeierc.exe.bat
        38⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\gjdihfeierc.exe.bat -r -a +s +h
        39⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:692
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "gjdihfeierc.exe"
        39⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        39⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        39⤵
        Runs ping.exe
        
        PID:2712
        
        C:\Windows\SysWOW64\jtxoagwsffk.exe
        
        C:\Windows\system32\jtxoagwsffk.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\jtxoagwsffk.exe.bat
        40⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\jtxoagwsffk.exe.bat -r -a +s +h
        41⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1948
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        41⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "jtxoagwsffk.exe"
        41⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        41⤵
        Runs ping.exe
        
        PID:1996
        
        C:\Windows\SysWOW64\nwztshodzts.exe
        
        C:\Windows\system32\nwztshodzts.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\nwztshodzts.exe.bat
        42⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\nwztshodzts.exe.bat -r -a +s +h
        43⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4232
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        43⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "nwztshodzts.exe"
        43⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        43⤵
        Runs ping.exe
        
        PID:2436
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        43⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        44⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        45⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:796
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        45⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        45⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        45⤵
        Runs ping.exe
        
        PID:2812
        
        C:\Windows\SysWOW64\qgtydahwaha.exe
        
        C:\Windows\system32\qgtydahwaha.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\qgtydahwaha.exe.bat
        46⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\qgtydahwaha.exe.bat -r -a +s +h
        47⤵
        Sets file to hidden
        
        PID:1564
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        47⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "qgtydahwaha.exe"
        47⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        47⤵
        Runs ping.exe
        
        PID:4164
        
        C:\Windows\SysWOW64\xtqrobkrwrq.exe
        
        C:\Windows\system32\xtqrobkrwrq.exe
        47⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\xtqrobkrwrq.exe.bat
        48⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\xtqrobkrwrq.exe.bat -r -a +s +h
        49⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3136
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        49⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "xtqrobkrwrq.exe"
        49⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        49⤵
        Runs ping.exe
        
        PID:1624
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        50⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        51⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4412
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        51⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        51⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        51⤵
        Runs ping.exe
        
        PID:4236
        
        C:\Windows\SysWOW64\aeswzcccpfy.exe
        
        C:\Windows\system32\aeswzcccpfy.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\aeswzcccpfy.exe.bat
        52⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\aeswzcccpfy.exe.bat -r -a +s +h
        53⤵
        Sets file to hidden
        
        PID:4796
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        53⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "aeswzcccpfy.exe"
        53⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        53⤵
        Runs ping.exe
        
        PID:2516
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        54⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        55⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4396
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        55⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        55⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        55⤵
        Runs ping.exe
        
        PID:4724
        
        C:\Windows\SysWOW64\domcrcvnrth.exe
        
        C:\Windows\system32\domcrcvnrth.exe
        55⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\domcrcvnrth.exe.bat
        56⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\domcrcvnrth.exe.bat -r -a +s +h
        57⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        57⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "domcrcvnrth.exe"
        57⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        57⤵
        Runs ping.exe
        
        PID:3440
        
        C:\Windows\SysWOW64\dcbxoywkegg.exe
        
        C:\Windows\system32\dcbxoywkegg.exe
        57⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\dcbxoywkegg.exe.bat
        58⤵
        
        PID:876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\dcbxoywkegg.exe.bat -r -a +s +h
        59⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3120
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        59⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "dcbxoywkegg.exe"
        59⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        59⤵
        Runs ping.exe
        
        PID:4928
        
        C:\Windows\SysWOW64\qkuadbkjvsm.exe
        
        C:\Windows\system32\qkuadbkjvsm.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\qkuadbkjvsm.exe.bat
        60⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\qkuadbkjvsm.exe.bat -r -a +s +h
        61⤵
        Sets file to hidden
        
        PID:2812
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        61⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "qkuadbkjvsm.exe"
        61⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        61⤵
        Runs ping.exe
        
        PID:2256
        
        C:\Windows\SysWOW64\uuwfvucuogv.exe
        
        C:\Windows\system32\uuwfvucuogv.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\uuwfvucuogv.exe.bat
        62⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\uuwfvucuogv.exe.bat -r -a +s +h
        63⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3060
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        63⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "uuwfvucuogv.exe"
        63⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        63⤵
        Runs ping.exe
        
        PID:176
        
        C:\Windows\SysWOW64\rhinaxlhifm.exe
        
        C:\Windows\system32\rhinaxlhifm.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\rhinaxlhifm.exe.bat
        64⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\rhinaxlhifm.exe.bat -r -a +s +h
        65⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:228
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        65⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "rhinaxlhifm.exe"
        65⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        65⤵
        Runs ping.exe
        
        PID:2152
        
        C:\Windows\SysWOW64\ujkssxdrcsu.exe
        
        C:\Windows\system32\ujkssxdrcsu.exe
        65⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ujkssxdrcsu.exe.bat
        66⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\ujkssxdrcsu.exe.bat -r -a +s +h
        67⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1072
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        67⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "ujkssxdrcsu.exe"
        67⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        67⤵
        Runs ping.exe
        
        PID:2868
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        67⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        68⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        69⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1712
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        69⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        69⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        69⤵
        Runs ping.exe
        
        PID:4240
        
        C:\Windows\SysWOW64\xtfgdqwcdgc.exe
        
        C:\Windows\system32\xtfgdqwcdgc.exe
        69⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\xtfgdqwcdgc.exe.bat
        70⤵
        
        PID:672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\xtfgdqwcdgc.exe.bat -r -a +s +h
        71⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2564
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        71⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "xtfgdqwcdgc.exe"
        71⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        71⤵
        Runs ping.exe
        
        PID:5044
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        71⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        72⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        73⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1508
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        73⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        73⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        73⤵
        Runs ping.exe
        
        PID:4860
        
        C:\Windows\SysWOW64\aehlvronxuk.exe
        
        C:\Windows\system32\aehlvronxuk.exe
        73⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\aehlvronxuk.exe.bat
        74⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\aehlvronxuk.exe.bat -r -a +s +h
        75⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:872
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        75⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "aehlvronxuk.exe"
        75⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        75⤵
        Runs ping.exe
        
        PID:4584
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        75⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        76⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        77⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4280
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        77⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        77⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        77⤵
        Runs ping.exe
        
        PID:2252
        
        C:\Windows\SysWOW64\egbqoszyyis.exe
        
        C:\Windows\system32\egbqoszyyis.exe
        77⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\egbqoszyyis.exe.bat
        78⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\egbqoszyyis.exe.bat -r -a +s +h
        79⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4192
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        79⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "egbqoszyyis.exe"
        79⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        79⤵
        Runs ping.exe
        
        PID:4156
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        79⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        80⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        81⤵
        Sets file to hidden
        
        PID:4668
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        81⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        81⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        81⤵
        Runs ping.exe
        
        PID:4456
        
        C:\Windows\SysWOW64\hrdvzsrqsea.exe
        
        C:\Windows\system32\hrdvzsrqsea.exe
        81⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\hrdvzsrqsea.exe.bat
        82⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\hrdvzsrqsea.exe.bat -r -a +s +h
        83⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        83⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "hrdvzsrqsea.exe"
        83⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        83⤵
        Runs ping.exe
        
        PID:4652
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        83⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\.exe.bat
        84⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a +s +h
        85⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3888
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b ".exe"
        85⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        85⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        85⤵
        Runs ping.exe
        
        PID:1360
        
        C:\Windows\SysWOW64\kbxjrtkbusj.exe
        
        C:\Windows\system32\kbxjrtkbusj.exe
        85⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\kbxjrtkbusj.exe.bat
        86⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\kbxjrtkbusj.exe.bat -r -a +s +h
        87⤵
        Sets file to hidden
        
        PID:3340
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        87⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i /b "kbxjrtkbusj.exe"
        87⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        87⤵
        Runs ping.exe
        
        PID:824
        
        C:\Windows\SysWOW64\xjqmgofskep.exe
        
        C:\Windows\system32\xjqmgofskep.exe
        87⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\kbxjrtkbusj.exe.bat -r -a -s -h
        87⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        85⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\hrdvzsrqsea.exe.bat -r -a -s -h
        83⤵
        Views/modifies file attributes
        
        PID:1440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        81⤵
        Views/modifies file attributes
        
        PID:4832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\egbqoszyyis.exe.bat -r -a -s -h
        79⤵
        Views/modifies file attributes
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        77⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\aehlvronxuk.exe.bat -r -a -s -h
        75⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        73⤵
        Views/modifies file attributes
        
        PID:3852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\xtfgdqwcdgc.exe.bat -r -a -s -h
        71⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        69⤵
        Views/modifies file attributes
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\ujkssxdrcsu.exe.bat -r -a -s -h
        67⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\rhinaxlhifm.exe.bat -r -a -s -h
        65⤵
        Views/modifies file attributes
        
        PID:4700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\uuwfvucuogv.exe.bat -r -a -s -h
        63⤵
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\qkuadbkjvsm.exe.bat -r -a -s -h
        61⤵
        Views/modifies file attributes
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\dcbxoywkegg.exe.bat -r -a -s -h
        59⤵
        Views/modifies file attributes
        
        PID:4640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\domcrcvnrth.exe.bat -r -a -s -h
        57⤵
        Views/modifies file attributes
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        55⤵
        Views/modifies file attributes
        
        PID:4688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\aeswzcccpfy.exe.bat -r -a -s -h
        53⤵
        Views/modifies file attributes
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        51⤵
        Views/modifies file attributes
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\xtqrobkrwrq.exe.bat -r -a -s -h
        49⤵
        Views/modifies file attributes
        
        PID:1904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\qgtydahwaha.exe.bat -r -a -s -h
        47⤵
        Views/modifies file attributes
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        45⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\nwztshodzts.exe.bat -r -a -s -h
        43⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\jtxoagwsffk.exe.bat -r -a -s -h
        41⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\gjdihfeierc.exe.bat -r -a -s -h
        39⤵
        Views/modifies file attributes
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\zasdhizpvvm.exe.bat -r -a -s -h
        37⤵
        Views/modifies file attributes
        
        PID:2040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\mlotyhuiytt.exe.bat -r -a -s -h
        35⤵
        Views/modifies file attributes
        
        PID:780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\pgfsokvdtso.exe.bat -r -a -s -h
        33⤵
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\wmpwwowihes.exe.bat -r -a -s -h
        31⤵
        Views/modifies file attributes
        
        PID:2356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\sukkjpuqztx.exe.bat -r -a -s -h
        29⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\mhoryojmejh.exe.bat -r -a -s -h
        27⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        25⤵
        Views/modifies file attributes
        
        PID:3900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\jxtmnnrckvz.exe.bat -r -a -s -h
        23⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        21⤵
        Views/modifies file attributes
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\fmrhvuyrjhr.exe.bat -r -a -s -h
        19⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        17⤵
        Views/modifies file attributes
        
        PID:1352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\ckxucuggptj.exe.bat -r -a -s -h
        15⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\.exe.bat -r -a -s -h
        13⤵
        Views/modifies file attributes
        
        PID:2928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\zadostnvnfa.exe.bat -r -a -s -h
        11⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\wpbjzsdlurs.exe.bat -r -a -s -h
        9⤵
        Views/modifies file attributes
        
        PID:452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\snhehslasvk.exe.bat -r -a -s -h
        7⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1892
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows\SysWOW64\itttougoqtf.exe.bat -r -a -s -h
        5⤵
        Views/modifies file attributes
        
        PID:3104
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Local\Temp\ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe.bat -r -a -s -h
    3⤵
    PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca.exe.bat

Filesize
375B

MD5
cfeafa6df8258ff628742a07da9c312f

SHA1
27d0e1c2fb873354a52ed7f18ead3914573a1e7b

SHA256
18fd297efdbab9d174396cba7c6ee80c848ebdcd5699371378f9d1d1781a130f

SHA512
ed848120f5d9c94b5229d155a868b8ab102b9f5dfd95f23fa39f7dd13bc89ab3a29b1c16dbeae66b01b0aa1beeff4349043f677af7efd3ffdce77c27cf9c92d1

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\.exe.bat

Filesize
247B

MD5
51835e47ab3e09acfd601cb9a09e84d5

SHA1
2500d8ebd0f406bcd13c51c8e15c89a527bf024d

SHA256
7dc73436f79b012726c41942805cba011033702121ac413f98206c96723db873

SHA512
43a52e7f34306880f95426c99530ae6461f06995f9d4a3e7faf35557e24018cf4b947079264f60d68b6058939ba3b4698d82c5d98c29a741dd0b4f8f830ebeb7

Download Submit
C:\Windows\SysWOW64\.exe.bat

Filesize
247B

MD5
0c75836dadfed7a591ad17f01905086b

SHA1
1f019ffdfff7dafdf943d05176e20190756baf49

SHA256
60ef3ae643f57c788d7fccbeb42112481b671e3fa730b7d329f272e0a8e3b318

SHA512
bb592cc1aba0499f99c2eeded0726ee9c291e7bf85c2db34d5903909b081c114799e628fde5630528832eb78e8352df5618049f9f287ed54fb31de71e54b7777

Download Submit
C:\Windows\SysWOW64\.exe.bat

Filesize
247B

MD5
61a7b3ffa523af740f473a62f33aa6c1

SHA1
57c78d7486122e87b657a642e75f9c65b627652d

SHA256
c84e23b773ea6cb800931ed015e801ef5ad72323ee3bdd925311fe671cba092e

SHA512
05a1666e1553d1a05f69639d7e1b05bb34f5d046bd3dc0bfcb0092e0e201cdb8cd6c99cc54587b040c58cf43124db4930e61f816e91e2b06f7b8623f5d2cc931

Download Submit
C:\Windows\SysWOW64\.exe.bat

Filesize
247B

MD5
4a8b6868d00ee10693ad3709ff5190fa

SHA1
00ee2e0397506b628e9b57df077ef475f2a21a00

SHA256
1ab5da1290bd68aa1c251754cf7b9abcfcb0ca4892a51d390a3801faba143f64

SHA512
f516bada89da94448cf2d6bae93dff6ebb5e073fb052f5526035a27f5d11123c1fd5149b35643251cf24ace4811fc64be99b65f55c024efec1477631c149003b

Download Submit
C:\Windows\SysWOW64\.exe.bat

Filesize
247B

MD5
6ba1da1c3a608ec59d2d22f48f5eecc7

SHA1
118ea1f6e2159c3953285603a8b43f0c9dc2eb83

SHA256
40239bc6226f47cf6ed2f29f0451c41bceaa823c1c910ab68652af3540b587c0

SHA512
024ed678f60a0bed3d158162660daf60584e40d75a2977b1cb01a83be7168b4d24ce1e1ba0b36b01410b5989ec4835390a0b8c25a71e1d5b5a07e7bf11ae6d87

Download Submit
C:\Windows\SysWOW64\ckxucuggptj.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\ckxucuggptj.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\ckxucuggptj.exe.bat

Filesize
258B

MD5
ab3ab20101f7f6091fe4732aec1e261f

SHA1
1edb287e8756d97cf3581b31239bcb693394a0f0

SHA256
f9a46e9a0252758d9b3b83443a5cda6fa58e2cbd6a1c0fd5d72f56182944fd00

SHA512
f412e731c823aecee999cadb05ae40377ef5f27b08180d6365654c2f6507e7e0642cbcaa0f1733fe8dcc849ddf4c6b934f6e78c90d048e94b4a5700176c7cd32

Download Submit
C:\Windows\SysWOW64\fmrhvuyrjhr.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\fmrhvuyrjhr.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\fmrhvuyrjhr.exe.bat

Filesize
258B

MD5
b4c1f78717afead7b39d94f0b36f042c

SHA1
870f28c7e4d7d065b2a2747d5f6adba7f7d905eb

SHA256
1f5aabab1da0906a1972b402f94a32bce1849e67f772f5830288ae0e0394065d

SHA512
d95be62cd9c7a5397b0c0fe844a159f7f9116026a79328e85bd71b81d52b3fcf7a8851a9e7c37b815cab0f945ac57d9a58d245ae3d877abfdf44feadded7de81

Download Submit
C:\Windows\SysWOW64\gjdihfeierc.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\gjdihfeierc.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\gjdihfeierc.exe.bat

Filesize
269B

MD5
61ce4c91f7379eace1463b8bfe2f4ba9

SHA1
78f692e296b3eed55f733724d6bc1c513e56737d

SHA256
9dc2a12869840950c2df931d4de58392bbd9ca2f3610aa0e76861e9bcd69391e

SHA512
d4583d663327f2beb7e64d2311bdacaba818d615dd645013f68075f31ba0190161b51a4f1b4793cd90788cda24947f0b3ff00dc3936afb7357807953a5d67f3e

Download Submit
C:\Windows\SysWOW64\itttougoqtf.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\itttougoqtf.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\itttougoqtf.exe.bat

Filesize
269B

MD5
3c3bc44d18245fe9be9982e3987c77ca

SHA1
35a59b9b359357fb68650d3c784d17acf2f7878b

SHA256
a4de0a9f2b843a297fd8339e0111dc728609765ecf9b99656b657885354a8e21

SHA512
cc921ddc61a6f43d1ffc9ce83b78f55d6b88859e4c9de877590e921cd37846253fdd011f29e17fd3d647d25e2c9cc2bc6996815c302543ed309d6f9854373a4d

Download Submit
C:\Windows\SysWOW64\jtxoagwsffk.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\jtxoagwsffk.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\jtxoagwsffk.exe.bat

Filesize
269B

MD5
c4b7c7e1ee55c91979a9fcf59676e547

SHA1
6b26ffb80cf2f8f00443534469f2f093da6db111

SHA256
0a5b1c333d283aec49f54540e81d3f24e72f9c0133a1bd4dd57b3b6816cebfeb

SHA512
eb53063b5091cc9e24fe4d86d53e738a26e447663a62630bff48a8f974c9a28ba93f73b18f1b4c87be66e7a23db3df53faaeab5af2e97ec7214a03917270ee8e

Download Submit
C:\Windows\SysWOW64\jxtmnnrckvz.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\jxtmnnrckvz.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\jxtmnnrckvz.exe.bat

Filesize
258B

MD5
f669bf66975054542b78b0995e1e7fc2

SHA1
d6bfb85fd662f45a98d034f875a7bd9bd59fe7e8

SHA256
a01048754f3ea91953d158bd8c750a32668d09bbf97ed9ed56aeb217e256dfb3

SHA512
a62af7e97287fba992df1ca368328319e84300cbf4235a75cb65da52aa093873332d6b7612174cb885336152de7e9db76aadd7463d02703c14190cd01ead7270

Download Submit
C:\Windows\SysWOW64\mhoryojmejh.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\mhoryojmejh.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\mhoryojmejh.exe.bat

Filesize
269B

MD5
04994fbaad276cb0c10df37ccdcbc5e7

SHA1
94a31140cc326b14058991c5e330983efb6cb12b

SHA256
5906ccfb2ed96043e4561c49fb3efc84448dc5374f198c282a0e7ec4e2721194

SHA512
128b8370a41cdd0f49341bc6a578e6482e1f29d938c14fb5d874f406d815aa7132b3bc271374bc024861b58bfec5484b17af03d5ce6ae2b0546bc601e7593f08

Download Submit
C:\Windows\SysWOW64\mlotyhuiytt.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\mlotyhuiytt.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\mlotyhuiytt.exe.bat

Filesize
269B

MD5
8aaaf15f27ffb8d3c70e09e6eef2b435

SHA1
7b92316c3b96f07fd7afcf80de9477d338a72b54

SHA256
d48f962c359a1762621a8a147273f627941fc7b75c46c48cde878a0356eba0cb

SHA512
a6a54da76633101ec431722a5a94c594cd7db0d0dfc4d672705965ee03e9e037b25d1a7f3707764236499ea98f7461d5bd7e7c0ee5125f43445868e3240da32f

Download Submit
C:\Windows\SysWOW64\nwztshodzts.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\nwztshodzts.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\nwztshodzts.exe.bat

Filesize
258B

MD5
e90c9c855bbbbf5606e87e32161f4092

SHA1
7d4507339911169b96e61876adcdc5a917df12e9

SHA256
2a2aa170d24d58d6b0d022267adb1c9444e28cd39aaa0124f9bc7782b4f24ad9

SHA512
7086c36acdb4ba1c66816b0dfa2f4649d5c7d251e23d40c3385bc31168a290f06607e623232c84d2cc46167ebd29dc5bfff21a47789f0bb897b469d1094b69be

Download Submit
C:\Windows\SysWOW64\pgfsokvdtso.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\pgfsokvdtso.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\pgfsokvdtso.exe.bat

Filesize
269B

MD5
d0e911cfb646aa53025d10afa0925224

SHA1
6ddd1de9af7e13d3015a608a8555b502244545f6

SHA256
d9f51e375a93c360fe51cdcdd934c8842635fb87a6a3972c88ecb7bc709b9ce6

SHA512
ab509023bd9fda174fb3689b87e97b276afcbda56fb85479b0069d1ab5fe6d2344eb183ee00521d780cbe88293f52463aef1370faa123415f606aefa42c6eaf0

Download Submit
C:\Windows\SysWOW64\qgtydahwaha.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\qgtydahwaha.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\qgtydahwaha.exe.bat

Filesize
269B

MD5
6d7a87df3288d50185a1443b7c5ca032

SHA1
c2ea3cf056c6b558147dd5337a123fa7d6d891f8

SHA256
3ceb7125ec8d1ab2a8b1f251b5b9db43bf5301df953c8e840b2808239fa822f6

SHA512
1512ca02032dfbd85a509d547225c1907e33e9b28f46660819ca0a2f8dbc04d901cf545e6ecdd10bb70cfc41de0e395fae5ebaf4d0f518cbed04fb05301c404b

Download Submit
C:\Windows\SysWOW64\snhehslasvk.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\snhehslasvk.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\snhehslasvk.exe.bat

Filesize
269B

MD5
372d87e333b0d97ba8a767c7d27e2e8b

SHA1
dc82412f49354dedad3943cda7c80ec90c2ce9f3

SHA256
43dd4a64ff9a0b8bd4123538b33c73d820e00ebe35e2024761009836204a3caf

SHA512
3e3c32e69d986b624d335a69086175efa20686e0dd92db7a604c82b1c300e0b2d104ae0c5338fdc735f5a369edf5e29dacf92f7a4da7dca7da305e15abc83332

Download Submit
C:\Windows\SysWOW64\sukkjpuqztx.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\sukkjpuqztx.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\sukkjpuqztx.exe.bat

Filesize
269B

MD5
bbb494de560783e859bb7bd6c9bbebaa

SHA1
14aa75f8c81443d435130f92f5f03f96cd96ebf5

SHA256
40d7ec213e2d1a86456dadf2754e8a69cbbe7095d72800b18b080fbe707611ff

SHA512
b173ef7be153ff01d1608eaa7a65a254b540b039b1768c97b0de5bf67b70a1c2cd6df686d12b116683bec774def5de170baaadd4fa899ee6ee4168fae7480b63

Download Submit
C:\Windows\SysWOW64\wmpwwowihes.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\wmpwwowihes.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\wmpwwowihes.exe.bat

Filesize
269B

MD5
a1f2dd2763be7632df930b934044e563

SHA1
917eabe52f31838c95c59aaaf1dac638de7ef72b

SHA256
6b3765aa2caf09bdf6eb87cb8e75794d70acc5908e26a918b718ab88d57ab8aa

SHA512
bac46dacc45b1b3a057354e183ad4226628db444845f5aab1e8996c3d7e1b2f1a4d7d5ff3a763382fc31dd7cef0998aa70c42580f3f9c261823216921f428a8f

Download Submit
C:\Windows\SysWOW64\wpbjzsdlurs.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\wpbjzsdlurs.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\wpbjzsdlurs.exe.bat

Filesize
269B

MD5
3b0a903a6d1771b59b85bc45260a8db8

SHA1
c807f78c663801306d4b5965008a257be33584e3

SHA256
2214533e440afffb9af3d1d6dc1079295b0f649638904ab7355f764e0cbc9a39

SHA512
6c1ad05cc33ed5a3da288abe955afc12dacd4a8f0677bd8f8f6eceb627f9da1151dc337bb23bad97fd8a26b687a806b953ca24846247ac5e524706c658e76ea6

Download Submit
C:\Windows\SysWOW64\xtqrobkrwrq.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\zadostnvnfa.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\zadostnvnfa.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\zadostnvnfa.exe.bat

Filesize
258B

MD5
3af45b33dcbd934d851d5826e16a17ab

SHA1
006a0bf0736d7ec3597ec8e98f9491384b29a474

SHA256
024d10d6360e8bf099a98e0427391fc0aa642c9746fff8a111d28f2a54ff45ce

SHA512
422cefacd5192946e0617e40314a36b3fb6efd8cd35b0973fe856e44b276044c0d5d0bc70c61e5658941a1b85c072910033bb9bec100518d54ba7c83a7e0a5b0

Download Submit
C:\Windows\SysWOW64\zasdhizpvvm.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\zasdhizpvvm.exe

Filesize
12KB

MD5
6ae20d67905e7a08d9557ca32e7323c4

SHA1
af2da143d5d7463f2b5987f3fb1fd1b2bde11f43

SHA256
ad9f4251bede76b855922e9ceb06e5ce2fb407499b5fd61b3c858140232166ca

SHA512
5fcf6a5db1ff259f56e6f1e6d6be7f9b0dc6f58bbf58db2126f5b7a67869a87499dde73367e772d1d2facd5eccee8a2c81cefc6a919cd94e1998845f2e4aeb96

Download Submit
C:\Windows\SysWOW64\zasdhizpvvm.exe.bat

Filesize
269B

MD5
dd75a24f24e838d7944e6bf512487122

SHA1
2c1dbe3ae20cba0f37b34315b7845d11cb9db809

SHA256
53096b3e1308f0aa59eba200690a09caa5556c5457c7dce271938358c857dfd4

SHA512
a91ce1724412e2d9adcca8c834fb7a27d3ed9c2eefb2c9a1947a1c58c2e03e97fca60b918d6252e4122defbfbe9e8059908d5b306f8f7884b02fc6404ee5580d

Download Submit
memory/112-224-0x0000000000000000-mapping.dmp

Download
memory/220-142-0x0000000000000000-mapping.dmp

Download
memory/224-295-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/228-225-0x0000000000000000-mapping.dmp

Download
memory/316-139-0x0000000000000000-mapping.dmp

Download
memory/316-144-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/432-211-0x0000000000000000-mapping.dmp

Download
memory/448-146-0x0000000000000000-mapping.dmp

Download
memory/452-175-0x0000000000000000-mapping.dmp

Download
memory/460-208-0x0000000000000000-mapping.dmp

Download
memory/536-180-0x0000000000000000-mapping.dmp

Download
memory/564-222-0x0000000000000000-mapping.dmp

Download
memory/628-204-0x0000000000000000-mapping.dmp

Download
memory/764-154-0x0000000000000000-mapping.dmp

Download
memory/776-287-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1004-297-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1036-263-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1060-306-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1144-159-0x0000000000000000-mapping.dmp

Download
memory/1184-186-0x0000000000000000-mapping.dmp

Download
memory/1264-275-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1304-255-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1304-254-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1312-223-0x0000000000000000-mapping.dmp

Download
memory/1312-136-0x0000000000000000-mapping.dmp

Download
memory/1352-218-0x0000000000000000-mapping.dmp

Download
memory/1360-199-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1360-194-0x0000000000000000-mapping.dmp

Download
memory/1424-246-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1564-293-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1564-294-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1664-291-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/1788-193-0x0000000000000000-mapping.dmp

Download
memory/1832-170-0x0000000000000000-mapping.dmp

Download
memory/1892-163-0x0000000000000000-mapping.dmp

Download
memory/1944-229-0x0000000000000000-mapping.dmp

Download
memory/2072-191-0x0000000000000000-mapping.dmp

Download
memory/2116-157-0x0000000000000000-mapping.dmp

Download
memory/2160-304-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2216-288-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2224-278-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2224-190-0x0000000000000000-mapping.dmp

Download
memory/2252-203-0x0000000000000000-mapping.dmp

Download
memory/2256-250-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2296-202-0x0000000000000000-mapping.dmp

Download
memory/2352-169-0x0000000000000000-mapping.dmp

Download
memory/2372-234-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2456-305-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2464-168-0x0000000000000000-mapping.dmp

Download
memory/2468-301-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2520-176-0x0000000000000000-mapping.dmp

Download
memory/2612-282-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2612-283-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2712-242-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2796-165-0x0000000000000000-mapping.dmp

Download
memory/2812-201-0x0000000000000000-mapping.dmp

Download
memory/2844-303-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2844-302-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/2860-198-0x0000000000000000-mapping.dmp

Download
memory/2928-197-0x0000000000000000-mapping.dmp

Download
memory/2948-290-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/3052-230-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/3052-226-0x0000000000000000-mapping.dmp

Download
memory/3096-150-0x0000000000000000-mapping.dmp

Download
memory/3096-155-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/3104-153-0x0000000000000000-mapping.dmp

Download
memory/3164-237-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/3164-238-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/3264-137-0x0000000000000000-mapping.dmp

Download
memory/3484-214-0x0000000000000000-mapping.dmp

Download
memory/3488-133-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/3492-228-0x0000000000000000-mapping.dmp

Download
memory/3508-179-0x0000000000000000-mapping.dmp

Download
memory/3556-143-0x0000000000000000-mapping.dmp

Download
memory/3596-299-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/3596-171-0x0000000000000000-mapping.dmp

Download
memory/3756-207-0x0000000000000000-mapping.dmp

Download
memory/3820-148-0x0000000000000000-mapping.dmp

Download
memory/3888-135-0x0000000000000000-mapping.dmp

Download
memory/3940-286-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/3968-161-0x0000000000000000-mapping.dmp

Download
memory/3968-166-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4020-219-0x0000000000000000-mapping.dmp

Download
memory/4048-192-0x0000000000000000-mapping.dmp

Download
memory/4228-220-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4228-215-0x0000000000000000-mapping.dmp

Download
memory/4236-149-0x0000000000000000-mapping.dmp

Download
memory/4244-307-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4260-138-0x0000000000000000-mapping.dmp

Download
memory/4320-300-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4348-205-0x0000000000000000-mapping.dmp

Download
memory/4348-209-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4352-296-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4356-147-0x0000000000000000-mapping.dmp

Download
memory/4480-271-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4484-308-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4516-188-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4516-183-0x0000000000000000-mapping.dmp

Download
memory/4576-292-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4652-212-0x0000000000000000-mapping.dmp

Download
memory/4724-267-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4728-158-0x0000000000000000-mapping.dmp

Download
memory/4776-213-0x0000000000000000-mapping.dmp

Download
memory/4828-259-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/4844-160-0x0000000000000000-mapping.dmp

Download
memory/4864-182-0x0000000000000000-mapping.dmp

Download
memory/4924-187-0x0000000000000000-mapping.dmp

Download
memory/4964-181-0x0000000000000000-mapping.dmp

Download
memory/4988-172-0x0000000000000000-mapping.dmp

Download
memory/4988-177-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/5012-289-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download
memory/5020-132-0x0000000000000000-mapping.dmp

Download
memory/5096-298-0x0000000000400000-0x0000000000410153-memory.dmp

Filesize
64KB

Download