cobaltstrike | 403d7b70074545bd8547ef8c47691a4599b2839c1e99a9f924e4117b34489df5

Analysis

max time kernel
47s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
Size

6.0MB
MD5

dce9920dd659525f325b40db0c0d1353
SHA1

e469fef40cb22f2d999831f940281064cfe25ac6
SHA256

403d7b70074545bd8547ef8c47691a4599b2839c1e99a9f924e4117b34489df5
SHA512

e7f639a25257c2b03b873eed954d8c8b4a199c8c76da75b8cc0b3e48a7fbd5c7293705c9597c8399af284f7e4b8e6b92a37ae44f8eefd1ebd61b8d7509ab4bec
SSDEEP

98304:EniLf9FdfE0pZB156utgpPFotBER/mQ32lU0:eOl56utgpPF8u/70

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 64 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a00000001225c-3.dat	cobalt_reflective_dll
behavioral1/files/0x000d0000000122cb-7.dat	cobalt_reflective_dll
behavioral1/files/0x000d0000000122cb-12.dat	cobalt_reflective_dll
behavioral1/files/0x00330000000142c5-9.dat	cobalt_reflective_dll
behavioral1/files/0x00330000000142c5-18.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000144f4-22.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000144f4-19.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014636-30.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014636-26.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001468c-37.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001468c-34.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014825-43.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014825-46.dat	cobalt_reflective_dll
behavioral1/files/0x00330000000142c5-14.dat	cobalt_reflective_dll
behavioral1/files/0x000a00000001225c-6.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000014355-52.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000014355-49.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000155fd-56.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015609-62.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015609-65.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000155fd-59.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c04-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c04-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015648-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015648-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c1c-87.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c1c-91.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c2f-95.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c2f-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c41-103.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c41-101.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c5a-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c5a-120.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c62-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c51-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c62-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c51-107.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c7b-131.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c7b-129.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c9b-152.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ca1-155.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c92-148.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c9b-145.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ca1-150.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c92-142.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c85-139.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c85-137.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cd7-168.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cd7-166.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ea0-191.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e2f-195.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016052-211.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001604a-209.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016258-214.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001604a-205.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015eb6-202.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ea0-200.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015eb6-196.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015df9-189.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e2f-185.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015db9-184.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015db9-177.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015df9-181.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015da6-175.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/1740-0-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/files/0x000a00000001225c-3.dat	xmrig
behavioral1/files/0x000d0000000122cb-7.dat	xmrig
behavioral1/files/0x000d0000000122cb-12.dat	xmrig
behavioral1/files/0x00330000000142c5-9.dat	xmrig
behavioral1/files/0x00330000000142c5-18.dat	xmrig
behavioral1/files/0x00070000000144f4-22.dat	xmrig
behavioral1/memory/2100-25-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/files/0x00070000000144f4-19.dat	xmrig
behavioral1/files/0x0007000000014636-30.dat	xmrig
behavioral1/files/0x0007000000014636-26.dat	xmrig
behavioral1/memory/2788-32-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
behavioral1/memory/2228-36-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/files/0x000700000001468c-37.dat	xmrig
behavioral1/memory/1740-40-0x0000000002420000-0x0000000002774000-memory.dmp	xmrig
behavioral1/memory/2876-42-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/files/0x000700000001468c-34.dat	xmrig
behavioral1/memory/2696-33-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	xmrig
behavioral1/memory/2660-17-0x000000013F1D0000-0x000000013F524000-memory.dmp	xmrig
behavioral1/files/0x0009000000014825-43.dat	xmrig
behavioral1/files/0x0009000000014825-46.dat	xmrig
behavioral1/files/0x00330000000142c5-14.dat	xmrig
behavioral1/memory/2260-48-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/files/0x000a00000001225c-6.dat	xmrig
behavioral1/files/0x0033000000014355-52.dat	xmrig
behavioral1/memory/2580-55-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/files/0x0033000000014355-49.dat	xmrig
behavioral1/files/0x00070000000155fd-56.dat	xmrig
behavioral1/files/0x0006000000015609-62.dat	xmrig
behavioral1/files/0x0006000000015609-65.dat	xmrig
behavioral1/memory/2736-69-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/2292-68-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/files/0x00070000000155fd-59.dat	xmrig
behavioral1/memory/1740-74-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2660-76-0x000000013F1D0000-0x000000013F524000-memory.dmp	xmrig
behavioral1/memory/2936-78-0x000000013FEC0000-0x0000000140214000-memory.dmp	xmrig
behavioral1/files/0x0006000000015c04-82.dat	xmrig
behavioral1/files/0x0006000000015c04-79.dat	xmrig
behavioral1/files/0x0006000000015648-73.dat	xmrig
behavioral1/files/0x0006000000015648-70.dat	xmrig
behavioral1/memory/2100-84-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/3004-85-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/files/0x0006000000015c1c-87.dat	xmrig
behavioral1/files/0x0006000000015c1c-91.dat	xmrig
behavioral1/memory/2120-93-0x000000013FF00000-0x0000000140254000-memory.dmp	xmrig
behavioral1/memory/1740-86-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/files/0x0006000000015c2f-95.dat	xmrig
behavioral1/files/0x0006000000015c2f-98.dat	xmrig
behavioral1/memory/2300-100-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/files/0x0006000000015c41-103.dat	xmrig
behavioral1/memory/1864-105-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/files/0x0006000000015c41-101.dat	xmrig
behavioral1/files/0x0006000000015c5a-111.dat	xmrig
behavioral1/memory/1764-124-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2912-125-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2012-126-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/1740-123-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/files/0x0006000000015c5a-120.dat	xmrig
behavioral1/files/0x0006000000015c62-117.dat	xmrig
behavioral1/files/0x0006000000015c51-115.dat	xmrig
behavioral1/files/0x0006000000015c62-114.dat	xmrig
behavioral1/files/0x0006000000015c51-107.dat	xmrig
behavioral1/files/0x0006000000015c7b-131.dat	xmrig
behavioral1/memory/1976-134-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig

Executes dropped EXE 54 IoCs

pid	Process
2228	IgwnhJG.exe
2660	dnpSCgk.exe
2100	SFtSGoB.exe
2788	mlIMBZq.exe
2696	lmpUjaN.exe
2876	dmhApeG.exe
2260	RnvnlXO.exe
2580	mweSULh.exe
2736	yrKokbd.exe
2292	pFaWkSm.exe
2936	HZxvKrd.exe
3004	sYHykBw.exe
2120	vysPNQM.exe
2300	coVDWAL.exe
1864	cYhDTEC.exe
1764	oXAvTAT.exe
2912	hpEuqyr.exe
2012	enoPTqq.exe
1976	lruAExR.exe
1152	wUPMETX.exe
872	ddndztq.exe
2536	vZdiFAp.exe
1620	feHXvTJ.exe
2296	auIBjvf.exe
2080	axdnwdv.exe
1652	UoccZCz.exe
2248	YvEPFey.exe
2324	ghfsgZO.exe
2460	UMEZTDh.exe
1676	NimrWAX.exe
948	QfzasGK.exe
304	uxQYemZ.exe
1084	QtqDlUL.exe
768	APSdPJI.exe
1164	LEENcbV.exe
896	yJpRcyy.exe
1260	rQqPAGP.exe
2352	TTVVqQd.exe
2008	uqPrONs.exe
888	JeGobkE.exe
1592	MKUVJHx.exe
2768	cTdmgGb.exe
2764	geaoNsX.exe
2140	oRpJbpM.exe
2684	AtMRBbd.exe
2804	ULLdfPj.exe
2984	hhuYWoA.exe
3024	yyawLUM.exe
1248	UOTYFsK.exe
784	ldfOlKc.exe
2892	rSlGHZf.exe
2888	jsSUEtV.exe
2820	bbRUYPC.exe
2884	aapybEa.exe

Loads dropped DLL 54 IoCs

pid	Process
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1740-0-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-3.dat	upx
behavioral1/files/0x000d0000000122cb-7.dat	upx
behavioral1/files/0x000d0000000122cb-12.dat	upx
behavioral1/files/0x00330000000142c5-9.dat	upx
behavioral1/files/0x00330000000142c5-18.dat	upx
behavioral1/files/0x00070000000144f4-22.dat	upx
behavioral1/memory/2100-25-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/files/0x00070000000144f4-19.dat	upx
behavioral1/files/0x0007000000014636-30.dat	upx
behavioral1/files/0x0007000000014636-26.dat	upx
behavioral1/memory/2788-32-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
behavioral1/memory/2228-36-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/files/0x000700000001468c-37.dat	upx
behavioral1/memory/2876-42-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/files/0x000700000001468c-34.dat	upx
behavioral1/memory/2696-33-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	upx
behavioral1/memory/2660-17-0x000000013F1D0000-0x000000013F524000-memory.dmp	upx
behavioral1/files/0x0009000000014825-43.dat	upx
behavioral1/files/0x0009000000014825-46.dat	upx
behavioral1/files/0x00330000000142c5-14.dat	upx
behavioral1/memory/2260-48-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-6.dat	upx
behavioral1/files/0x0033000000014355-52.dat	upx
behavioral1/memory/2580-55-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/files/0x0033000000014355-49.dat	upx
behavioral1/files/0x00070000000155fd-56.dat	upx
behavioral1/files/0x0006000000015609-62.dat	upx
behavioral1/files/0x0006000000015609-65.dat	upx
behavioral1/memory/2736-69-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/2292-68-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/files/0x00070000000155fd-59.dat	upx
behavioral1/memory/1740-74-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2660-76-0x000000013F1D0000-0x000000013F524000-memory.dmp	upx
behavioral1/memory/2936-78-0x000000013FEC0000-0x0000000140214000-memory.dmp	upx
behavioral1/files/0x0006000000015c04-82.dat	upx
behavioral1/files/0x0006000000015c04-79.dat	upx
behavioral1/files/0x0006000000015648-73.dat	upx
behavioral1/files/0x0006000000015648-70.dat	upx
behavioral1/memory/2100-84-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/3004-85-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/files/0x0006000000015c1c-87.dat	upx
behavioral1/files/0x0006000000015c1c-91.dat	upx
behavioral1/memory/2120-93-0x000000013FF00000-0x0000000140254000-memory.dmp	upx
behavioral1/files/0x0006000000015c2f-95.dat	upx
behavioral1/files/0x0006000000015c2f-98.dat	upx
behavioral1/memory/2300-100-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/files/0x0006000000015c41-103.dat	upx
behavioral1/memory/1864-105-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/files/0x0006000000015c41-101.dat	upx
behavioral1/files/0x0006000000015c5a-111.dat	upx
behavioral1/memory/1764-124-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2912-125-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2012-126-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/files/0x0006000000015c5a-120.dat	upx
behavioral1/files/0x0006000000015c62-117.dat	upx
behavioral1/files/0x0006000000015c51-115.dat	upx
behavioral1/files/0x0006000000015c62-114.dat	upx
behavioral1/files/0x0006000000015c51-107.dat	upx
behavioral1/files/0x0006000000015c7b-131.dat	upx
behavioral1/memory/1976-134-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/files/0x0006000000015c7b-129.dat	upx
behavioral1/files/0x0006000000015c9b-152.dat	upx
behavioral1/memory/1152-157-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	upx

Drops file in Windows directory 54 IoCs

description	ioc	Process
File created	C:\Windows\System\axdnwdv.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UOTYFsK.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yJpRcyy.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uqPrONs.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yyawLUM.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lruAExR.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wUPMETX.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\geaoNsX.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SFtSGoB.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yrKokbd.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\feHXvTJ.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QtqDlUL.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TTVVqQd.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oRpJbpM.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sYHykBw.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\coVDWAL.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oXAvTAT.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\enoPTqq.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cTdmgGb.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NimrWAX.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ldfOlKc.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YvEPFey.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ghfsgZO.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LEENcbV.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dmhApeG.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vysPNQM.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ULLdfPj.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mlIMBZq.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AtMRBbd.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bbRUYPC.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jsSUEtV.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IgwnhJG.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dnpSCgk.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RnvnlXO.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pFaWkSm.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UMEZTDh.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QfzasGK.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JeGobkE.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mweSULh.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hpEuqyr.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uxQYemZ.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\APSdPJI.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ddndztq.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\auIBjvf.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hhuYWoA.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HZxvKrd.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vZdiFAp.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rQqPAGP.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MKUVJHx.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cYhDTEC.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rSlGHZf.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lmpUjaN.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UoccZCz.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aapybEa.exe	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2228	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	29
PID 1740 wrote to memory of 2228	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	29
PID 1740 wrote to memory of 2228	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	29
PID 1740 wrote to memory of 2660	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	30
PID 1740 wrote to memory of 2660	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	30
PID 1740 wrote to memory of 2660	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	30
PID 1740 wrote to memory of 2100	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	31
PID 1740 wrote to memory of 2100	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	31
PID 1740 wrote to memory of 2100	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	31
PID 1740 wrote to memory of 2788	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	32
PID 1740 wrote to memory of 2788	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	32
PID 1740 wrote to memory of 2788	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	32
PID 1740 wrote to memory of 2696	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	33
PID 1740 wrote to memory of 2696	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	33
PID 1740 wrote to memory of 2696	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	33
PID 1740 wrote to memory of 2876	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	34
PID 1740 wrote to memory of 2876	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	34
PID 1740 wrote to memory of 2876	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	34
PID 1740 wrote to memory of 2260	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	35
PID 1740 wrote to memory of 2260	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	35
PID 1740 wrote to memory of 2260	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	35
PID 1740 wrote to memory of 2580	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	36
PID 1740 wrote to memory of 2580	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	36
PID 1740 wrote to memory of 2580	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	36
PID 1740 wrote to memory of 2736	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	37
PID 1740 wrote to memory of 2736	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	37
PID 1740 wrote to memory of 2736	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	37
PID 1740 wrote to memory of 2292	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	38
PID 1740 wrote to memory of 2292	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	38
PID 1740 wrote to memory of 2292	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	38
PID 1740 wrote to memory of 2936	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	40
PID 1740 wrote to memory of 2936	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	40
PID 1740 wrote to memory of 2936	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	40
PID 1740 wrote to memory of 3004	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	39
PID 1740 wrote to memory of 3004	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	39
PID 1740 wrote to memory of 3004	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	39
PID 1740 wrote to memory of 2120	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	41
PID 1740 wrote to memory of 2120	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	41
PID 1740 wrote to memory of 2120	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	41
PID 1740 wrote to memory of 2300	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	42
PID 1740 wrote to memory of 2300	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	42
PID 1740 wrote to memory of 2300	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	42
PID 1740 wrote to memory of 1864	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	43
PID 1740 wrote to memory of 1864	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	43
PID 1740 wrote to memory of 1864	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	43
PID 1740 wrote to memory of 1764	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	44
PID 1740 wrote to memory of 1764	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	44
PID 1740 wrote to memory of 1764	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	44
PID 1740 wrote to memory of 2012	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	46
PID 1740 wrote to memory of 2012	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	46
PID 1740 wrote to memory of 2012	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	46
PID 1740 wrote to memory of 2912	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	45
PID 1740 wrote to memory of 2912	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	45
PID 1740 wrote to memory of 2912	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	45
PID 1740 wrote to memory of 1976	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	47
PID 1740 wrote to memory of 1976	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	47
PID 1740 wrote to memory of 1976	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	47
PID 1740 wrote to memory of 1152	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	51
PID 1740 wrote to memory of 1152	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	51
PID 1740 wrote to memory of 1152	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	51
PID 1740 wrote to memory of 872	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	50
PID 1740 wrote to memory of 872	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	50
PID 1740 wrote to memory of 872	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	50
PID 1740 wrote to memory of 2536	1740	2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe	48

C:\Users\Admin\AppData\Local\Temp\2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_dce9920dd659525f325b40db0c0d1353_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\System\IgwnhJG.exe
  C:\Windows\System\IgwnhJG.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\dnpSCgk.exe
  C:\Windows\System\dnpSCgk.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\SFtSGoB.exe
  C:\Windows\System\SFtSGoB.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\mlIMBZq.exe
  C:\Windows\System\mlIMBZq.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\lmpUjaN.exe
  C:\Windows\System\lmpUjaN.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\dmhApeG.exe
  C:\Windows\System\dmhApeG.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\RnvnlXO.exe
  C:\Windows\System\RnvnlXO.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\mweSULh.exe
  C:\Windows\System\mweSULh.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\yrKokbd.exe
  C:\Windows\System\yrKokbd.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\pFaWkSm.exe
  C:\Windows\System\pFaWkSm.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\sYHykBw.exe
  C:\Windows\System\sYHykBw.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\HZxvKrd.exe
  C:\Windows\System\HZxvKrd.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\vysPNQM.exe
  C:\Windows\System\vysPNQM.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\coVDWAL.exe
  C:\Windows\System\coVDWAL.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\cYhDTEC.exe
  C:\Windows\System\cYhDTEC.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\oXAvTAT.exe
  C:\Windows\System\oXAvTAT.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\hpEuqyr.exe
  C:\Windows\System\hpEuqyr.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\enoPTqq.exe
  C:\Windows\System\enoPTqq.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\lruAExR.exe
  C:\Windows\System\lruAExR.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\vZdiFAp.exe
  C:\Windows\System\vZdiFAp.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\feHXvTJ.exe
  C:\Windows\System\feHXvTJ.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\ddndztq.exe
  C:\Windows\System\ddndztq.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\wUPMETX.exe
  C:\Windows\System\wUPMETX.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\YvEPFey.exe
  C:\Windows\System\YvEPFey.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\UMEZTDh.exe
  C:\Windows\System\UMEZTDh.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\QfzasGK.exe
  C:\Windows\System\QfzasGK.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\rQqPAGP.exe
  C:\Windows\System\rQqPAGP.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\TTVVqQd.exe
  C:\Windows\System\TTVVqQd.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\uqPrONs.exe
  C:\Windows\System\uqPrONs.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\LEENcbV.exe
  C:\Windows\System\LEENcbV.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System\JeGobkE.exe
  C:\Windows\System\JeGobkE.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System\yJpRcyy.exe
  C:\Windows\System\yJpRcyy.exe
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\System\MKUVJHx.exe
  C:\Windows\System\MKUVJHx.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\cTdmgGb.exe
  C:\Windows\System\cTdmgGb.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\QtqDlUL.exe
  C:\Windows\System\QtqDlUL.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\APSdPJI.exe
  C:\Windows\System\APSdPJI.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\uxQYemZ.exe
  C:\Windows\System\uxQYemZ.exe
  2⤵
  - Executes dropped EXE
  PID:304
- C:\Windows\System\geaoNsX.exe
  C:\Windows\System\geaoNsX.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\oRpJbpM.exe
  C:\Windows\System\oRpJbpM.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\AtMRBbd.exe
  C:\Windows\System\AtMRBbd.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\ULLdfPj.exe
  C:\Windows\System\ULLdfPj.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\NimrWAX.exe
  C:\Windows\System\NimrWAX.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\ghfsgZO.exe
  C:\Windows\System\ghfsgZO.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\hhuYWoA.exe
  C:\Windows\System\hhuYWoA.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\UoccZCz.exe
  C:\Windows\System\UoccZCz.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\axdnwdv.exe
  C:\Windows\System\axdnwdv.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\auIBjvf.exe
  C:\Windows\System\auIBjvf.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\yyawLUM.exe
  C:\Windows\System\yyawLUM.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\UOTYFsK.exe
  C:\Windows\System\UOTYFsK.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\ldfOlKc.exe
  C:\Windows\System\ldfOlKc.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\rSlGHZf.exe
  C:\Windows\System\rSlGHZf.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\jsSUEtV.exe
  C:\Windows\System\jsSUEtV.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\bbRUYPC.exe
  C:\Windows\System\bbRUYPC.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\aapybEa.exe
  C:\Windows\System\aapybEa.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\Jbgsxtt.exe
  C:\Windows\System\Jbgsxtt.exe
  2⤵
  PID:2864
- C:\Windows\System\uiCKRtl.exe
  C:\Windows\System\uiCKRtl.exe
  2⤵
  PID:2972
- C:\Windows\System\tsevgDD.exe
  C:\Windows\System\tsevgDD.exe
  2⤵
  PID:436
- C:\Windows\System\OwnqKMu.exe
  C:\Windows\System\OwnqKMu.exe
  2⤵
  PID:672
- C:\Windows\System\QadKeWX.exe
  C:\Windows\System\QadKeWX.exe
  2⤵
  PID:1464
- C:\Windows\System\ImDaiGL.exe
  C:\Windows\System\ImDaiGL.exe
  2⤵
  PID:2880
- C:\Windows\System\SWiCBrf.exe
  C:\Windows\System\SWiCBrf.exe
  2⤵
  PID:2340
- C:\Windows\System\PfbHgel.exe
  C:\Windows\System\PfbHgel.exe
  2⤵
  PID:692
- C:\Windows\System\ZfVOkVM.exe
  C:\Windows\System\ZfVOkVM.exe
  2⤵
  PID:2376
- C:\Windows\System\cmcVKkb.exe
  C:\Windows\System\cmcVKkb.exe
  2⤵
  PID:2200
- C:\Windows\System\fGalBaY.exe
  C:\Windows\System\fGalBaY.exe
  2⤵
  PID:388
- C:\Windows\System\bjuhbFU.exe
  C:\Windows\System\bjuhbFU.exe
  2⤵
  PID:1704
- C:\Windows\System\wGgqWYX.exe
  C:\Windows\System\wGgqWYX.exe
  2⤵
  PID:2612
- C:\Windows\System\BykIjei.exe
  C:\Windows\System\BykIjei.exe
  2⤵
  PID:2004
- C:\Windows\System\YFEzlzS.exe
  C:\Windows\System\YFEzlzS.exe
  2⤵
  PID:2724
- C:\Windows\System\dmwPeLZ.exe
  C:\Windows\System\dmwPeLZ.exe
  2⤵
  PID:2716
- C:\Windows\System\NNSLaKx.exe
  C:\Windows\System\NNSLaKx.exe
  2⤵
  PID:1580
- C:\Windows\System\QWWNJIu.exe
  C:\Windows\System\QWWNJIu.exe
  2⤵
  PID:1544
- C:\Windows\System\aqlNAXk.exe
  C:\Windows\System\aqlNAXk.exe
  2⤵
  PID:1568
- C:\Windows\System\NbJhFiN.exe
  C:\Windows\System\NbJhFiN.exe
  2⤵
  PID:704
- C:\Windows\System\XJOlZJm.exe
  C:\Windows\System\XJOlZJm.exe
  2⤵
  PID:1888
- C:\Windows\System\WAGEMJZ.exe
  C:\Windows\System\WAGEMJZ.exe
  2⤵
  PID:2244
- C:\Windows\System\ukSNphT.exe
  C:\Windows\System\ukSNphT.exe
  2⤵
  PID:2372
- C:\Windows\System\jtIwpaZ.exe
  C:\Windows\System\jtIwpaZ.exe
  2⤵
  PID:944
- C:\Windows\System\TFUWSWO.exe
  C:\Windows\System\TFUWSWO.exe
  2⤵
  PID:2108
- C:\Windows\System\umhWAhz.exe
  C:\Windows\System\umhWAhz.exe
  2⤵
  PID:2708
- C:\Windows\System\PKuWBjW.exe
  C:\Windows\System\PKuWBjW.exe
  2⤵
  PID:1936
- C:\Windows\System\HJQNKih.exe
  C:\Windows\System\HJQNKih.exe
  2⤵
  PID:1980
- C:\Windows\System\DEVOGDt.exe
  C:\Windows\System\DEVOGDt.exe
  2⤵
  PID:3048
- C:\Windows\System\uCpzwDJ.exe
  C:\Windows\System\uCpzwDJ.exe
  2⤵
  PID:2548
- C:\Windows\System\pQxjgbo.exe
  C:\Windows\System\pQxjgbo.exe
  2⤵
  PID:1948
- C:\Windows\System\zvVIHIy.exe
  C:\Windows\System\zvVIHIy.exe
  2⤵
  PID:1444
- C:\Windows\System\zhzOQYa.exe
  C:\Windows\System\zhzOQYa.exe
  2⤵
  PID:472
- C:\Windows\System\HvNhlrV.exe
  C:\Windows\System\HvNhlrV.exe
  2⤵
  PID:1868
- C:\Windows\System\tpahRSS.exe
  C:\Windows\System\tpahRSS.exe
  2⤵
  PID:2848
- C:\Windows\System\lwIBwpe.exe
  C:\Windows\System\lwIBwpe.exe
  2⤵
  PID:2840
- C:\Windows\System\GebULlL.exe
  C:\Windows\System\GebULlL.exe
  2⤵
  PID:3000
- C:\Windows\System\smBccin.exe
  C:\Windows\System\smBccin.exe
  2⤵
  PID:548
- C:\Windows\System\hVMqlQO.exe
  C:\Windows\System\hVMqlQO.exe
  2⤵
  PID:2556
- C:\Windows\System\tSPjYPc.exe
  C:\Windows\System\tSPjYPc.exe
  2⤵
  PID:1496
- C:\Windows\System\SrvXmKv.exe
  C:\Windows\System\SrvXmKv.exe
  2⤵
  PID:2844
- C:\Windows\System\cgBXBJv.exe
  C:\Windows\System\cgBXBJv.exe
  2⤵
  PID:1448
- C:\Windows\System\sDZMUtD.exe
  C:\Windows\System\sDZMUtD.exe
  2⤵
  PID:852
- C:\Windows\System\zZuxcSH.exe
  C:\Windows\System\zZuxcSH.exe
  2⤵
  PID:2712
- C:\Windows\System\lVMJdLh.exe
  C:\Windows\System\lVMJdLh.exe
  2⤵
  PID:848
- C:\Windows\System\lXxJtHK.exe
  C:\Windows\System\lXxJtHK.exe
  2⤵
  PID:2760
- C:\Windows\System\aVugLKR.exe
  C:\Windows\System\aVugLKR.exe
  2⤵
  PID:268
- C:\Windows\System\UAYJBRQ.exe
  C:\Windows\System\UAYJBRQ.exe
  2⤵
  PID:2832
- C:\Windows\System\VeeWAdy.exe
  C:\Windows\System\VeeWAdy.exe
  2⤵
  PID:1628
- C:\Windows\System\WtJujmb.exe
  C:\Windows\System\WtJujmb.exe
  2⤵
  PID:2956
- C:\Windows\System\biQKvnU.exe
  C:\Windows\System\biQKvnU.exe
  2⤵
  PID:764
- C:\Windows\System\XRtLtJB.exe
  C:\Windows\System\XRtLtJB.exe
  2⤵
  PID:1664
- C:\Windows\System\nGQGzKk.exe
  C:\Windows\System\nGQGzKk.exe
  2⤵
  PID:1984
- C:\Windows\System\luoGrnh.exe
  C:\Windows\System\luoGrnh.exe
  2⤵
  PID:636
- C:\Windows\System\wXtmkCe.exe
  C:\Windows\System\wXtmkCe.exe
  2⤵
  PID:2836
- C:\Windows\System\LENquqO.exe
  C:\Windows\System\LENquqO.exe
  2⤵
  PID:1912
- C:\Windows\System\SlLXJYG.exe
  C:\Windows\System\SlLXJYG.exe
  2⤵
  PID:396
- C:\Windows\System\eUsyWsG.exe
  C:\Windows\System\eUsyWsG.exe
  2⤵
  PID:2072
- C:\Windows\System\lKtOvJo.exe
  C:\Windows\System\lKtOvJo.exe
  2⤵
  PID:2440
- C:\Windows\System\oheivOL.exe
  C:\Windows\System\oheivOL.exe
  2⤵
  PID:2872
- C:\Windows\System\dHEHpsC.exe
  C:\Windows\System\dHEHpsC.exe
  2⤵
  PID:2040
- C:\Windows\System\VZSfidC.exe
  C:\Windows\System\VZSfidC.exe
  2⤵
  PID:1608
- C:\Windows\System\SAVRBGZ.exe
  C:\Windows\System\SAVRBGZ.exe
  2⤵
  PID:1920
- C:\Windows\System\WVkZrTt.exe
  C:\Windows\System\WVkZrTt.exe
  2⤵
  PID:2624
- C:\Windows\System\GoxjFHe.exe
  C:\Windows\System\GoxjFHe.exe
  2⤵
  PID:3056
- C:\Windows\System\zCdfNJZ.exe
  C:\Windows\System\zCdfNJZ.exe
  2⤵
  PID:1524
- C:\Windows\System\BRsHYWD.exe
  C:\Windows\System\BRsHYWD.exe
  2⤵
  PID:2512
- C:\Windows\System\khwKoJV.exe
  C:\Windows\System\khwKoJV.exe
  2⤵
  PID:1520
- C:\Windows\System\jzFAudy.exe
  C:\Windows\System\jzFAudy.exe
  2⤵
  PID:2308
- C:\Windows\System\IaYvrQo.exe
  C:\Windows\System\IaYvrQo.exe
  2⤵
  PID:1100
- C:\Windows\System\sSmeuPo.exe
  C:\Windows\System\sSmeuPo.exe
  2⤵
  PID:2780
- C:\Windows\System\TxIdQap.exe
  C:\Windows\System\TxIdQap.exe
  2⤵
  PID:2568
- C:\Windows\System\vmFvXjt.exe
  C:\Windows\System\vmFvXjt.exe
  2⤵
  PID:2036
- C:\Windows\System\SiIeYUW.exe
  C:\Windows\System\SiIeYUW.exe
  2⤵
  PID:296
- C:\Windows\System\hbSjnVB.exe
  C:\Windows\System\hbSjnVB.exe
  2⤵
  PID:1624
- C:\Windows\System\YAukqDr.exe
  C:\Windows\System\YAukqDr.exe
  2⤵
  PID:2516
- C:\Windows\System\YmeoiXt.exe
  C:\Windows\System\YmeoiXt.exe
  2⤵
  PID:576
- C:\Windows\System\FfJqsTD.exe
  C:\Windows\System\FfJqsTD.exe
  2⤵
  PID:1872
- C:\Windows\System\aTgyFcK.exe
  C:\Windows\System\aTgyFcK.exe
  2⤵
  PID:2828
- C:\Windows\System\mcpfviZ.exe
  C:\Windows\System\mcpfviZ.exe
  2⤵
  PID:1744
- C:\Windows\System\TdKiinC.exe
  C:\Windows\System\TdKiinC.exe
  2⤵
  PID:1512
- C:\Windows\System\gMADsAZ.exe
  C:\Windows\System\gMADsAZ.exe
  2⤵
  PID:2924
- C:\Windows\System\Etvsici.exe
  C:\Windows\System\Etvsici.exe
  2⤵
  PID:2744
- C:\Windows\System\ubHBARd.exe
  C:\Windows\System\ubHBARd.exe
  2⤵
  PID:1860
- C:\Windows\System\sjxXMaa.exe
  C:\Windows\System\sjxXMaa.exe
  2⤵
  PID:2964
- C:\Windows\System\KoTWBup.exe
  C:\Windows\System\KoTWBup.exe
  2⤵
  PID:2060
- C:\Windows\System\qgSYGxo.exe
  C:\Windows\System\qgSYGxo.exe
  2⤵
  PID:580
- C:\Windows\System\rAQPfPd.exe
  C:\Windows\System\rAQPfPd.exe
  2⤵
  PID:3060
- C:\Windows\System\axbFzcy.exe
  C:\Windows\System\axbFzcy.exe
  2⤵
  PID:1708
- C:\Windows\System\cilEkYu.exe
  C:\Windows\System\cilEkYu.exe
  2⤵
  PID:2636
- C:\Windows\System\utqFhia.exe
  C:\Windows\System\utqFhia.exe
  2⤵
  PID:1968
- C:\Windows\System\wJCVcef.exe
  C:\Windows\System\wJCVcef.exe
  2⤵
  PID:2672
- C:\Windows\System\UmWeJJr.exe
  C:\Windows\System\UmWeJJr.exe
  2⤵
  PID:1508
- C:\Windows\System\cFZXwbs.exe
  C:\Windows\System\cFZXwbs.exe
  2⤵
  PID:1528
- C:\Windows\System\CYiyAXP.exe
  C:\Windows\System\CYiyAXP.exe
  2⤵
  PID:2180
- C:\Windows\System\eLDwGRb.exe
  C:\Windows\System\eLDwGRb.exe
  2⤵
  PID:2640
- C:\Windows\System\NnNpgAC.exe
  C:\Windows\System\NnNpgAC.exe
  2⤵
  PID:2800
- C:\Windows\System\bipxWbJ.exe
  C:\Windows\System\bipxWbJ.exe
  2⤵
  PID:2576
- C:\Windows\System\IDsMgxJ.exe
  C:\Windows\System\IDsMgxJ.exe
  2⤵
  PID:2808
- C:\Windows\System\iMylJgF.exe
  C:\Windows\System\iMylJgF.exe
  2⤵
  PID:2720
- C:\Windows\System\NtBmzXP.exe
  C:\Windows\System\NtBmzXP.exe
  2⤵
  PID:2776
- C:\Windows\System\XVKNBbN.exe
  C:\Windows\System\XVKNBbN.exe
  2⤵
  PID:1560
- C:\Windows\System\tZHJpGM.exe
  C:\Windows\System\tZHJpGM.exe
  2⤵
  PID:628
- C:\Windows\System\VIEhwAU.exe
  C:\Windows\System\VIEhwAU.exe
  2⤵
  PID:1696
- C:\Windows\System\MeQZSkx.exe
  C:\Windows\System\MeQZSkx.exe
  2⤵
  PID:2056
- C:\Windows\System\HlxBccP.exe
  C:\Windows\System\HlxBccP.exe
  2⤵
  PID:1480
- C:\Windows\System\zLCCUtM.exe
  C:\Windows\System\zLCCUtM.exe
  2⤵
  PID:1332
- C:\Windows\System\SFUcNPt.exe
  C:\Windows\System\SFUcNPt.exe
  2⤵
  PID:2996
- C:\Windows\System\ouuhxzy.exe
  C:\Windows\System\ouuhxzy.exe
  2⤵
  PID:3268
- C:\Windows\System\SUsCOFS.exe
  C:\Windows\System\SUsCOFS.exe
  2⤵
  PID:3248
- C:\Windows\System\MFjsGeh.exe
  C:\Windows\System\MFjsGeh.exe
  2⤵
  PID:1808
- C:\Windows\System\hfeyXaC.exe
  C:\Windows\System\hfeyXaC.exe
  2⤵
  PID:2412
- C:\Windows\System\BMImZSs.exe
  C:\Windows\System\BMImZSs.exe
  2⤵
  PID:1116
- C:\Windows\System\xQxsiOn.exe
  C:\Windows\System\xQxsiOn.exe
  2⤵
  PID:3324
- C:\Windows\System\gKbCekz.exe
  C:\Windows\System\gKbCekz.exe
  2⤵
  PID:3356
- C:\Windows\System\WCWTDYn.exe
  C:\Windows\System\WCWTDYn.exe
  2⤵
  PID:3388
- C:\Windows\System\IGXXmJS.exe
  C:\Windows\System\IGXXmJS.exe
  2⤵
  PID:3404
- C:\Windows\System\qGJkaWh.exe
  C:\Windows\System\qGJkaWh.exe
  2⤵
  PID:3372
- C:\Windows\System\FUBzxEf.exe
  C:\Windows\System\FUBzxEf.exe
  2⤵
  PID:3340
- C:\Windows\System\rcDcGDT.exe
  C:\Windows\System\rcDcGDT.exe
  2⤵
  PID:3308
- C:\Windows\System\szlKlvA.exe
  C:\Windows\System\szlKlvA.exe
  2⤵
  PID:3292
- C:\Windows\System\LVzeuwc.exe
  C:\Windows\System\LVzeuwc.exe
  2⤵
  PID:2532
- C:\Windows\System\HkwunEN.exe
  C:\Windows\System\HkwunEN.exe
  2⤵
  PID:2220
- C:\Windows\System\rlppnKv.exe
  C:\Windows\System\rlppnKv.exe
  2⤵
  PID:3424
- C:\Windows\System\mloknHi.exe
  C:\Windows\System\mloknHi.exe
  2⤵
  PID:3480
- C:\Windows\System\ghVKzaT.exe
  C:\Windows\System\ghVKzaT.exe
  2⤵
  PID:3464
- C:\Windows\System\bIymsYy.exe
  C:\Windows\System\bIymsYy.exe
  2⤵
  PID:3544
- C:\Windows\System\TrIuFPO.exe
  C:\Windows\System\TrIuFPO.exe
  2⤵
  PID:3528
- C:\Windows\System\kesTrmM.exe
  C:\Windows\System\kesTrmM.exe
  2⤵
  PID:3512
- C:\Windows\System\jWigHcE.exe
  C:\Windows\System\jWigHcE.exe
  2⤵
  PID:3496
- C:\Windows\System\ZZXEIGi.exe
  C:\Windows\System\ZZXEIGi.exe
  2⤵
  PID:3448
- C:\Windows\System\nsCJlXl.exe
  C:\Windows\System\nsCJlXl.exe
  2⤵
  PID:1112
- C:\Windows\System\KqmSTKl.exe
  C:\Windows\System\KqmSTKl.exe
  2⤵
  PID:1748
- C:\Windows\System\wLJDyDu.exe
  C:\Windows\System\wLJDyDu.exe
  2⤵
  PID:1324
- C:\Windows\System\xXaGuch.exe
  C:\Windows\System\xXaGuch.exe
  2⤵
  PID:3568
- C:\Windows\System\rLKPOyX.exe
  C:\Windows\System\rLKPOyX.exe
  2⤵
  PID:3600
- C:\Windows\System\uczsRna.exe
  C:\Windows\System\uczsRna.exe
  2⤵
  PID:3680
- C:\Windows\System\SDqmHGm.exe
  C:\Windows\System\SDqmHGm.exe
  2⤵
  PID:3664
- C:\Windows\System\ZFxzOfR.exe
  C:\Windows\System\ZFxzOfR.exe
  2⤵
  PID:3648
- C:\Windows\System\OeQyWKj.exe
  C:\Windows\System\OeQyWKj.exe
  2⤵
  PID:3632
- C:\Windows\System\XZDeKHW.exe
  C:\Windows\System\XZDeKHW.exe
  2⤵
  PID:3616
- C:\Windows\System\GeCQotW.exe
  C:\Windows\System\GeCQotW.exe
  2⤵
  PID:3584
- C:\Windows\System\BobIplM.exe
  C:\Windows\System\BobIplM.exe
  2⤵
  PID:3724
- C:\Windows\System\hDrWDzZ.exe
  C:\Windows\System\hDrWDzZ.exe
  2⤵
  PID:3788
- C:\Windows\System\pZqFuXc.exe
  C:\Windows\System\pZqFuXc.exe
  2⤵
  PID:3820
- C:\Windows\System\CqSaMdO.exe
  C:\Windows\System\CqSaMdO.exe
  2⤵
  PID:3804
- C:\Windows\System\eFQiRYo.exe
  C:\Windows\System\eFQiRYo.exe
  2⤵
  PID:3772
- C:\Windows\System\EaWzFch.exe
  C:\Windows\System\EaWzFch.exe
  2⤵
  PID:3756
- C:\Windows\System\UDILzaV.exe
  C:\Windows\System\UDILzaV.exe
  2⤵
  PID:3740
- C:\Windows\System\zfHoyRi.exe
  C:\Windows\System\zfHoyRi.exe
  2⤵
  PID:3708
- C:\Windows\System\PCFLCWz.exe
  C:\Windows\System\PCFLCWz.exe
  2⤵
  PID:3900
- C:\Windows\System\wHuOzGZ.exe
  C:\Windows\System\wHuOzGZ.exe
  2⤵
  PID:3948
- C:\Windows\System\yhOoppR.exe
  C:\Windows\System\yhOoppR.exe
  2⤵
  PID:3932
- C:\Windows\System\LSZJHxE.exe
  C:\Windows\System\LSZJHxE.exe
  2⤵
  PID:3916
- C:\Windows\System\fPOVuKp.exe
  C:\Windows\System\fPOVuKp.exe
  2⤵
  PID:3884
- C:\Windows\System\jSOIiht.exe
  C:\Windows\System\jSOIiht.exe
  2⤵
  PID:3868
- C:\Windows\System\XkZEIgX.exe
  C:\Windows\System\XkZEIgX.exe
  2⤵
  PID:3852
- C:\Windows\System\BggAlHp.exe
  C:\Windows\System\BggAlHp.exe
  2⤵
  PID:3836
- C:\Windows\System\uLdwdQD.exe
  C:\Windows\System\uLdwdQD.exe
  2⤵
  PID:4016
- C:\Windows\System\nmoqVEL.exe
  C:\Windows\System\nmoqVEL.exe
  2⤵
  PID:3996
- C:\Windows\System\JTZtznh.exe
  C:\Windows\System\JTZtznh.exe
  2⤵
  PID:4048
- C:\Windows\System\YuRIriS.exe
  C:\Windows\System\YuRIriS.exe
  2⤵
  PID:4064
- C:\Windows\System\ULjpCLK.exe
  C:\Windows\System\ULjpCLK.exe
  2⤵
  PID:4032
- C:\Windows\System\ZInrDyP.exe
  C:\Windows\System\ZInrDyP.exe
  2⤵
  PID:3980
- C:\Windows\System\GWPYhJw.exe
  C:\Windows\System\GWPYhJw.exe
  2⤵
  PID:3964
- C:\Windows\System\TGWfPMC.exe
  C:\Windows\System\TGWfPMC.exe
  2⤵
  PID:3092
- C:\Windows\System\MBEYUFm.exe
  C:\Windows\System\MBEYUFm.exe
  2⤵
  PID:3120
- C:\Windows\System\aiiXhJy.exe
  C:\Windows\System\aiiXhJy.exe
  2⤵
  PID:3172
- C:\Windows\System\lPNEZOx.exe
  C:\Windows\System\lPNEZOx.exe
  2⤵
  PID:3196
- C:\Windows\System\URbMpxE.exe
  C:\Windows\System\URbMpxE.exe
  2⤵
  PID:3236
- C:\Windows\System\OvrQlUs.exe
  C:\Windows\System\OvrQlUs.exe
  2⤵
  PID:3352
- C:\Windows\System\IOBTubC.exe
  C:\Windows\System\IOBTubC.exe
  2⤵
  PID:3288
- C:\Windows\System\FqFyyRW.exe
  C:\Windows\System\FqFyyRW.exe
  2⤵
  PID:3276
- C:\Windows\System\zhsisoM.exe
  C:\Windows\System\zhsisoM.exe
  2⤵
  PID:3216
- C:\Windows\System\xUOJPJs.exe
  C:\Windows\System\xUOJPJs.exe
  2⤵
  PID:3336
- C:\Windows\System\sNEClwS.exe
  C:\Windows\System\sNEClwS.exe
  2⤵
  PID:3228
- C:\Windows\System\fUAMGFp.exe
  C:\Windows\System\fUAMGFp.exe
  2⤵
  PID:3596
- C:\Windows\System\WWYwiQl.exe
  C:\Windows\System\WWYwiQl.exe
  2⤵
  PID:3552
- C:\Windows\System\dPyLkfW.exe
  C:\Windows\System\dPyLkfW.exe
  2⤵
  PID:3488
- C:\Windows\System\tJjJgRe.exe
  C:\Windows\System\tJjJgRe.exe
  2⤵
  PID:3264
- C:\Windows\System\FeiXOBs.exe
  C:\Windows\System\FeiXOBs.exe
  2⤵
  PID:3412
- C:\Windows\System\lAVzNeS.exe
  C:\Windows\System\lAVzNeS.exe
  2⤵
  PID:3828
- C:\Windows\System\cdjLPXI.exe
  C:\Windows\System\cdjLPXI.exe
  2⤵
  PID:3816
- C:\Windows\System\zFgTZjv.exe
  C:\Windows\System\zFgTZjv.exe
  2⤵
  PID:3640
- C:\Windows\System\tjUNsnB.exe
  C:\Windows\System\tjUNsnB.exe
  2⤵
  PID:3864
- C:\Windows\System\PbbNXsN.exe
  C:\Windows\System\PbbNXsN.exe
  2⤵
  PID:3768
- C:\Windows\System\AxdfJPc.exe
  C:\Windows\System\AxdfJPc.exe
  2⤵
  PID:3692
- C:\Windows\System\ESvAmwI.exe
  C:\Windows\System\ESvAmwI.exe
  2⤵
  PID:3476
- C:\Windows\System\WYbJFkR.exe
  C:\Windows\System\WYbJFkR.exe
  2⤵
  PID:3656
- C:\Windows\System\jQKfgPQ.exe
  C:\Windows\System\jQKfgPQ.exe
  2⤵
  PID:3752
- C:\Windows\System\CLoqtCP.exe
  C:\Windows\System\CLoqtCP.exe
  2⤵
  PID:3928
- C:\Windows\System\fhwDTEP.exe
  C:\Windows\System\fhwDTEP.exe
  2⤵
  PID:3960
- C:\Windows\System\uFbVHHU.exe
  C:\Windows\System\uFbVHHU.exe
  2⤵
  PID:4028
- C:\Windows\System\AaWPUDr.exe
  C:\Windows\System\AaWPUDr.exe
  2⤵
  PID:3748
- C:\Windows\System\zhqeOSH.exe
  C:\Windows\System\zhqeOSH.exe
  2⤵
  PID:3908
- C:\Windows\System\eclUsMU.exe
  C:\Windows\System\eclUsMU.exe
  2⤵
  PID:3976
- C:\Windows\System\kVxvNCh.exe
  C:\Windows\System\kVxvNCh.exe
  2⤵
  PID:2264
- C:\Windows\System\PBiSxPL.exe
  C:\Windows\System\PBiSxPL.exe
  2⤵
  PID:1692
- C:\Windows\System\AXThXPK.exe
  C:\Windows\System\AXThXPK.exe
  2⤵
  PID:1192
- C:\Windows\System\wxTjBOM.exe
  C:\Windows\System\wxTjBOM.exe
  2⤵
  PID:856
- C:\Windows\System\FPeKvKb.exe
  C:\Windows\System\FPeKvKb.exe
  2⤵
  PID:4076
- C:\Windows\System\dWJiiQp.exe
  C:\Windows\System\dWJiiQp.exe
  2⤵
  PID:1108
- C:\Windows\System\gImHrJK.exe
  C:\Windows\System\gImHrJK.exe
  2⤵
  PID:1900
- C:\Windows\System\HkrjyJq.exe
  C:\Windows\System\HkrjyJq.exe
  2⤵
  PID:2400
- C:\Windows\System\FKEkbWz.exe
  C:\Windows\System\FKEkbWz.exe
  2⤵
  PID:4088
- C:\Windows\System\WQyeqGX.exe
  C:\Windows\System\WQyeqGX.exe
  2⤵
  PID:1884
- C:\Windows\System\EBwjbhu.exe
  C:\Windows\System\EBwjbhu.exe
  2⤵
  PID:1540
- C:\Windows\System\eCWFxrz.exe
  C:\Windows\System\eCWFxrz.exe
  2⤵
  PID:3232
- C:\Windows\System\GROxWjM.exe
  C:\Windows\System\GROxWjM.exe
  2⤵
  PID:3184
- C:\Windows\System\nbsHvtQ.exe
  C:\Windows\System\nbsHvtQ.exe
  2⤵
  PID:3080
- C:\Windows\System\KdNjhRG.exe
  C:\Windows\System\KdNjhRG.exe
  2⤵
  PID:3076
- C:\Windows\System\lTBAeDF.exe
  C:\Windows\System\lTBAeDF.exe
  2⤵
  PID:3104
- C:\Windows\System\WrODbiO.exe
  C:\Windows\System\WrODbiO.exe
  2⤵
  PID:3332
- C:\Windows\System\FSAqBQl.exe
  C:\Windows\System\FSAqBQl.exe
  2⤵
  PID:3208
- C:\Windows\System\JqGunev.exe
  C:\Windows\System\JqGunev.exe
  2⤵
  PID:1404
- C:\Windows\System\hbAhwNE.exe
  C:\Windows\System\hbAhwNE.exe
  2⤵
  PID:3764
- C:\Windows\System\lCArxTM.exe
  C:\Windows\System\lCArxTM.exe
  2⤵
  PID:3540
- C:\Windows\System\hwdCLQR.exe
  C:\Windows\System\hwdCLQR.exe
  2⤵
  PID:3676
- C:\Windows\System\fBsewmd.exe
  C:\Windows\System\fBsewmd.exe
  2⤵
  PID:3876
- C:\Windows\System\xGSwbNw.exe
  C:\Windows\System\xGSwbNw.exe
  2⤵
  PID:824
- C:\Windows\System\GJBxYPh.exe
  C:\Windows\System\GJBxYPh.exe
  2⤵
  PID:1896
- C:\Windows\System\wSIsgoe.exe
  C:\Windows\System\wSIsgoe.exe
  2⤵
  PID:1716
- C:\Windows\System\MyxoicK.exe
  C:\Windows\System\MyxoicK.exe
  2⤵
  PID:2480
- C:\Windows\System\EZXVZPj.exe
  C:\Windows\System\EZXVZPj.exe
  2⤵
  PID:1784
- C:\Windows\System\CeVTsJv.exe
  C:\Windows\System\CeVTsJv.exe
  2⤵
  PID:3148
- C:\Windows\System\MkvOJcg.exe
  C:\Windows\System\MkvOJcg.exe
  2⤵
  PID:4056
- C:\Windows\System\ZFWFnZq.exe
  C:\Windows\System\ZFWFnZq.exe
  2⤵
  PID:3944
- C:\Windows\System\VTYtyeN.exe
  C:\Windows\System\VTYtyeN.exe
  2⤵
  PID:3672
- C:\Windows\System\xXWUKVb.exe
  C:\Windows\System\xXWUKVb.exe
  2⤵
  PID:3860
- C:\Windows\System\BTNUZNH.exe
  C:\Windows\System\BTNUZNH.exe
  2⤵
  PID:3440
- C:\Windows\System\DBpOEzd.exe
  C:\Windows\System\DBpOEzd.exe
  2⤵
  PID:2900
- C:\Windows\System\UNWfWQa.exe
  C:\Windows\System\UNWfWQa.exe
  2⤵
  PID:3108
- C:\Windows\System\lUAnVPB.exe
  C:\Windows\System\lUAnVPB.exe
  2⤵
  PID:3244
- C:\Windows\System\wnXtvOD.exe
  C:\Windows\System\wnXtvOD.exe
  2⤵
  PID:3720
- C:\Windows\System\nLGMnwy.exe
  C:\Windows\System\nLGMnwy.exe
  2⤵
  PID:3320
- C:\Windows\System\SgOxpON.exe
  C:\Windows\System\SgOxpON.exe
  2⤵
  PID:3304
- C:\Windows\System\HGcPVhJ.exe
  C:\Windows\System\HGcPVhJ.exe
  2⤵
  PID:3180
- C:\Windows\System\tojMSlB.exe
  C:\Windows\System\tojMSlB.exe
  2⤵
  PID:3628
- C:\Windows\System\ZOpAqKY.exe
  C:\Windows\System\ZOpAqKY.exe
  2⤵
  PID:2732
- C:\Windows\System\BGQIDIT.exe
  C:\Windows\System\BGQIDIT.exe
  2⤵
  PID:1064
- C:\Windows\System\LBlAmJM.exe
  C:\Windows\System\LBlAmJM.exe
  2⤵
  PID:3396
- C:\Windows\System\bdoqiYY.exe
  C:\Windows\System\bdoqiYY.exe
  2⤵
  PID:3348
- C:\Windows\System\tBFfJss.exe
  C:\Windows\System\tBFfJss.exe
  2⤵
  PID:2508
- C:\Windows\System\oYANcQF.exe
  C:\Windows\System\oYANcQF.exe
  2⤵
  PID:4044
- C:\Windows\System\nFvEipt.exe
  C:\Windows\System\nFvEipt.exe
  2⤵
  PID:1264
- C:\Windows\System\RNHvAkR.exe
  C:\Windows\System\RNHvAkR.exe
  2⤵
  PID:3612
- C:\Windows\System\DEMdlxX.exe
  C:\Windows\System\DEMdlxX.exe
  2⤵
  PID:3224
- C:\Windows\System\BirOKiw.exe
  C:\Windows\System\BirOKiw.exe
  2⤵
  PID:3912
- C:\Windows\System\pEswwaE.exe
  C:\Windows\System\pEswwaE.exe
  2⤵
  PID:3812
- C:\Windows\System\QaRhWmW.exe
  C:\Windows\System\QaRhWmW.exe
  2⤵
  PID:3716
- C:\Windows\System\bxLokAn.exe
  C:\Windows\System\bxLokAn.exe
  2⤵
  PID:3704
- C:\Windows\System\hVrjVOo.exe
  C:\Windows\System\hVrjVOo.exe
  2⤵
  PID:3576
- C:\Windows\System\ilcDNVD.exe
  C:\Windows\System\ilcDNVD.exe
  2⤵
  PID:3608
- C:\Windows\System\sDaonjt.exe
  C:\Windows\System\sDaonjt.exe
  2⤵
  PID:2320
- C:\Windows\System\IrldcXG.exe
  C:\Windows\System\IrldcXG.exe
  2⤵
  PID:2976
- C:\Windows\System\roWfFNf.exe
  C:\Windows\System\roWfFNf.exe
  2⤵
  PID:2364
- C:\Windows\System\vOpIFcd.exe
  C:\Windows\System\vOpIFcd.exe
  2⤵
  PID:980
- C:\Windows\System\yvtPUCf.exe
  C:\Windows\System\yvtPUCf.exe
  2⤵
  PID:4148
- C:\Windows\System\iBztmrT.exe
  C:\Windows\System\iBztmrT.exe
  2⤵
  PID:4180
- C:\Windows\System\snjZSMJ.exe
  C:\Windows\System\snjZSMJ.exe
  2⤵
  PID:4196
- C:\Windows\System\poLCsvR.exe
  C:\Windows\System\poLCsvR.exe
  2⤵
  PID:4228
- C:\Windows\System\dPiBftA.exe
  C:\Windows\System\dPiBftA.exe
  2⤵
  PID:4212
- C:\Windows\System\KCIAASD.exe
  C:\Windows\System\KCIAASD.exe
  2⤵
  PID:4164
- C:\Windows\System\OKKMWhE.exe
  C:\Windows\System\OKKMWhE.exe
  2⤵
  PID:4132
- C:\Windows\System\HHqYtjQ.exe
  C:\Windows\System\HHqYtjQ.exe
  2⤵
  PID:4116
- C:\Windows\System\bnHsmkd.exe
  C:\Windows\System\bnHsmkd.exe
  2⤵
  PID:4244
- C:\Windows\System\UkKCHuL.exe
  C:\Windows\System\UkKCHuL.exe
  2⤵
  PID:4276
- C:\Windows\System\aEGrqCf.exe
  C:\Windows\System\aEGrqCf.exe
  2⤵
  PID:4308
- C:\Windows\System\AurNAxD.exe
  C:\Windows\System\AurNAxD.exe
  2⤵
  PID:4292
- C:\Windows\System\xtjbgiU.exe
  C:\Windows\System\xtjbgiU.exe
  2⤵
  PID:4340
- C:\Windows\System\xDdkgaJ.exe
  C:\Windows\System\xDdkgaJ.exe
  2⤵
  PID:4324
- C:\Windows\System\EhGBnZc.exe
  C:\Windows\System\EhGBnZc.exe
  2⤵
  PID:4260
- C:\Windows\System\pbRhcmW.exe
  C:\Windows\System\pbRhcmW.exe
  2⤵
  PID:4396
- C:\Windows\System\oqiypqe.exe
  C:\Windows\System\oqiypqe.exe
  2⤵
  PID:4412
- C:\Windows\System\EDvvpxR.exe
  C:\Windows\System\EDvvpxR.exe
  2⤵
  PID:4444
- C:\Windows\System\PMrpBIF.exe
  C:\Windows\System\PMrpBIF.exe
  2⤵
  PID:4460
- C:\Windows\System\mMzJdvh.exe
  C:\Windows\System\mMzJdvh.exe
  2⤵
  PID:4428
- C:\Windows\System\HIPOXuz.exe
  C:\Windows\System\HIPOXuz.exe
  2⤵
  PID:4380
- C:\Windows\System\yFaQhQx.exe
  C:\Windows\System\yFaQhQx.exe
  2⤵
  PID:4364
- C:\Windows\System\OWZpgft.exe
  C:\Windows\System\OWZpgft.exe
  2⤵
  PID:4476
- C:\Windows\System\UroEceV.exe
  C:\Windows\System\UroEceV.exe
  2⤵
  PID:4508
- C:\Windows\System\aAiZZuy.exe
  C:\Windows\System\aAiZZuy.exe
  2⤵
  PID:4556
- C:\Windows\System\cceVwFx.exe
  C:\Windows\System\cceVwFx.exe
  2⤵
  PID:4588
- C:\Windows\System\tJOvMnE.exe
  C:\Windows\System\tJOvMnE.exe
  2⤵
  PID:4620
- C:\Windows\System\XElMRbS.exe
  C:\Windows\System\XElMRbS.exe
  2⤵
  PID:4604
- C:\Windows\System\uCYvrmy.exe
  C:\Windows\System\uCYvrmy.exe
  2⤵
  PID:4572
- C:\Windows\System\hVRbgZO.exe
  C:\Windows\System\hVRbgZO.exe
  2⤵
  PID:4540
- C:\Windows\System\LwiDNBH.exe
  C:\Windows\System\LwiDNBH.exe
  2⤵
  PID:4524
- C:\Windows\System\eXqJUeO.exe
  C:\Windows\System\eXqJUeO.exe
  2⤵
  PID:4492
- C:\Windows\System\bhRejzV.exe
  C:\Windows\System\bhRejzV.exe
  2⤵
  PID:4640
- C:\Windows\System\cQYOvJc.exe
  C:\Windows\System\cQYOvJc.exe
  2⤵
  PID:4672
- C:\Windows\System\hNotSgs.exe
  C:\Windows\System\hNotSgs.exe
  2⤵
  PID:4704
- C:\Windows\System\cdPZwYD.exe
  C:\Windows\System\cdPZwYD.exe
  2⤵
  PID:4720
- C:\Windows\System\kKrXCTv.exe
  C:\Windows\System\kKrXCTv.exe
  2⤵
  PID:4688
- C:\Windows\System\qKgMOIw.exe
  C:\Windows\System\qKgMOIw.exe
  2⤵
  PID:4656
- C:\Windows\System\VbHXtXt.exe
  C:\Windows\System\VbHXtXt.exe
  2⤵
  PID:4752
- C:\Windows\System\UVrAxGu.exe
  C:\Windows\System\UVrAxGu.exe
  2⤵
  PID:4736
- C:\Windows\System\audCnMr.exe
  C:\Windows\System\audCnMr.exe
  2⤵
  PID:4784
- C:\Windows\System\ZiwDXok.exe
  C:\Windows\System\ZiwDXok.exe
  2⤵
  PID:4832
- C:\Windows\System\MBwLWgz.exe
  C:\Windows\System\MBwLWgz.exe
  2⤵
  PID:4816
- C:\Windows\System\JRDnpnI.exe
  C:\Windows\System\JRDnpnI.exe
  2⤵
  PID:4864
- C:\Windows\System\YCJMqkr.exe
  C:\Windows\System\YCJMqkr.exe
  2⤵
  PID:4848
- C:\Windows\System\GSRLDvs.exe
  C:\Windows\System\GSRLDvs.exe
  2⤵
  PID:4800
- C:\Windows\System\VUmissK.exe
  C:\Windows\System\VUmissK.exe
  2⤵
  PID:4768
- C:\Windows\System\ZCNctzY.exe
  C:\Windows\System\ZCNctzY.exe
  2⤵
  PID:4908
- C:\Windows\System\zEwVfwi.exe
  C:\Windows\System\zEwVfwi.exe
  2⤵
  PID:4888
- C:\Windows\System\XZQcyOD.exe
  C:\Windows\System\XZQcyOD.exe
  2⤵
  PID:4940
- C:\Windows\System\bmkLGvp.exe
  C:\Windows\System\bmkLGvp.exe
  2⤵
  PID:4924
- C:\Windows\System\jHxbdcB.exe
  C:\Windows\System\jHxbdcB.exe
  2⤵
  PID:4988
- C:\Windows\System\eJeXCrB.exe
  C:\Windows\System\eJeXCrB.exe
  2⤵
  PID:5004
- C:\Windows\System\oQEHheY.exe
  C:\Windows\System\oQEHheY.exe
  2⤵
  PID:4972
- C:\Windows\System\gqbMuGk.exe
  C:\Windows\System\gqbMuGk.exe
  2⤵
  PID:4956
- C:\Windows\System\piXBWVZ.exe
  C:\Windows\System\piXBWVZ.exe
  2⤵
  PID:5020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HZxvKrd.exe

Filesize
226KB

MD5
67449a7560141f90aef8950e5daaa1d2

SHA1
7ef11e33d14c5b555f99880578220dfa9c18b73f

SHA256
43b2c01135416797c9a7340bb74289e052c62e56775371bf73b005b638244655

SHA512
54a5fb8e39bc507ff53251a168c3ee7cd62a65ca7ad4b11d0133f69b5bb99c11701d0dfab4a0f3911451f97738394c5d643a9226aca70cd4efac13cecd286cc2

Download Submit
C:\Windows\system\IgwnhJG.exe

Filesize
414KB

MD5
a06a28a575e0b2288a7d64b489bd6d59

SHA1
c4c9f8dba6e335c3560d68fb622faa4ad30bd65b

SHA256
9e2ae8caee81f5e2fa07117bb8785c16e9c18ba9dc91022ccb6772111e0535b2

SHA512
6c25e177b17c98b438569f67eda6031546bf4094522901aaecd2ca73f0275dfd71b4a8b468e6d966c84aeb4cca09cd262ce141dc326f39db3d70ffc8b10e3050

Download Submit
C:\Windows\system\NimrWAX.exe

Filesize
178KB

MD5
bd06eb6daf997356d20fe72629d86914

SHA1
67d6a8a127262ccac6dfd73508b9b502b2d3f5ab

SHA256
5daea3f24645553ccbd16682d96d731e7c743027c9e43eeeb6030677885ff9a3

SHA512
56cfea71d9f5376e1bf8d088859cf54398f8cf3db8a4ae841d1a47b0442e05ff55212c8a6c6d67becb3d6a6ce5eb9369f23723899683f79bbbb2f61a4e7ddb30

Download Submit
C:\Windows\system\QfzasGK.exe

Filesize
35KB

MD5
24f3bf40880f136a7f09bdf3a28682c8

SHA1
3a52c07764069974f9d1baf74f441d424a811d20

SHA256
d6bfd2938a107660604b75df14aaf468e92fb30756486910bad641aab31c2f5c

SHA512
51ef5a721b40fab1145cf5783e0f26a6e8b4fd225f1914dab8362b69de55b337677a3a9b1fbabba329fec42767d36346897943d6cd771eba739ae21326d5514e

Download Submit
C:\Windows\system\RnvnlXO.exe

Filesize
32KB

MD5
319848c255ee2f2e2777fb08a5692bc6

SHA1
0e1279c0ec87522d3d74a00af1d837501d7448c2

SHA256
4672647b7342259ac65e904334f10d7ff8cadee6f2132671701e5b69fe621df1

SHA512
e91d374bc80a3785d9a265405f74d67df82230091bb03edfe682b8c68f8f3c4aac4703b655e776920eef2600ec8aa3256fe342eb84680aa7ae7c99b9d629c683

Download Submit
C:\Windows\system\SFtSGoB.exe

Filesize
259KB

MD5
3dffc73799ac1ccffc623d082e0a6401

SHA1
4155aef2babaec6573ec50b135c4769d8bd064c1

SHA256
d147925df8ac11268657bdc40916df8e62c2bcc181c3372903548b81a02c11a2

SHA512
c8c07fd74f714cc928715056d2355dec4e6242007759a4b87b5049eeeb572dca13cfa28abc1065eb259620b8587cd3ae6fb91084e29a9ad6d3d7fd466c75c105

Download Submit
C:\Windows\system\SFtSGoB.exe

Filesize
313KB

MD5
6c928387279510d0678da58619576bdd

SHA1
158d1c9ad2ac16a185b41b28321f308e48bcbb6e

SHA256
2ad523501b78c655b3c5d6cec0d6f5c3deba2643f1c3439086592a718296ec80

SHA512
2d652cf038a3c52e67d885e8617a0ab06c8097127dddb42722006e5e00a8d9040ed79fdd18b0d76928a753abf72b29d0f9420eab67e70a60e89902aff82bb490

Download Submit
C:\Windows\system\UMEZTDh.exe

Filesize
39KB

MD5
2a1e3c38162d3059a09bf594fdfdb141

SHA1
260fbdd2253e8ea5a9ac5516a040c4c8d53af41b

SHA256
19c1f50e6faa31d0dafe7b543f2b87bcc40df0f6e3f3e0799602265339a5f8aa

SHA512
64b8a1867a6cf8f8640d9bfd63c25c8eb54388156888903985ab4a276569ded3988c4c1d1c2da27daaa6be84316d27f0bbffae0d1b35fad7e67fca82ee35bacf

Download Submit
C:\Windows\system\UoccZCz.exe

Filesize
385KB

MD5
acbba07a9972d93b1ae27d0f61195540

SHA1
10a6bca4f32721ebc5de06483e0c4ebf572da0db

SHA256
e893cac2572318a010609305e1cb2776b892e2ec01c4176dff1f25e6be27842d

SHA512
a22214fe19c1796231501e401e5f50c643309796227e3a99e92d1f676369c76908ba78843bb144b457d299bec2e1c99056cc060e6d9be181d89ec906bbf72dc3

Download Submit
C:\Windows\system\YvEPFey.exe

Filesize
204KB

MD5
d65a4a8153568a77058199e3cf0f98f8

SHA1
10b7502f0c8a3fe1d5888b90113161ecea88f39e

SHA256
fa99a03348fd52c6412945d9884af97ed76a9ced74b31d71f7285b5f5ab889bf

SHA512
a8abda61d6304a819168d3532b180a3a40618f96179305dce944b4954c9531e9c1c9346ec94f099cdda1a08721e5d77d85acc4c292c6b9ce9f542434f7c6e195

Download Submit
C:\Windows\system\auIBjvf.exe

Filesize
110KB

MD5
8768f17717e13ef11cb248dd3d111670

SHA1
80ae7b81ea96014a7ef4ec8c01504e590d1b1397

SHA256
cde329f6cf39721c5661ed446aa3afcc5f627f03a51711e3f60f5ef79a3f4c48

SHA512
6a8a2edf18d814336964064c22b0a5a356ab4300f542e12e235a531755e541195dcbf2dc8b5221d20f109991c92dc126a5d1adc1e2c09d9c3fe525d8704943c2

Download Submit
C:\Windows\system\axdnwdv.exe

Filesize
265KB

MD5
2e9205a0b22436ac510ae1363a1dc6bd

SHA1
a48cd2e6e6f99215f04aea86f8b8cfbb0b610e6f

SHA256
ee10a7e20afd4bcacec9fc4d6c50a7a337761ffc8a7e83c3206470ef36272ff6

SHA512
0cafa735ca85286f438180cb4def791e1a5a035ba4abc01b06a2e640ad333c5f7300a75847266d6a93279f8d56fd0f4853801ff27d91cf6ed648975763d060a5

Download Submit
C:\Windows\system\cYhDTEC.exe

Filesize
34KB

MD5
b35edf84c10a5480e126cafa060f6f75

SHA1
ae3531d1a72410c606cfade44eb4afe64dec2d64

SHA256
7652f1b3fd0f599385245f49a144d1d0a9bbcc9d4619948a6e6cf7da2a45e5ea

SHA512
004f7d1b59516479e0cc3d2030df87f26328286062b901697fc634854bab2ed1ee9f6bc930ab5c9d65078211fd1525f966ecd71647321f99185b45dc439e9a81

Download Submit
C:\Windows\system\coVDWAL.exe

Filesize
181KB

MD5
cb2f1dfd99e7bc40871705db44ca585f

SHA1
90b2792fc257f00424bf2eaa23254fe437741366

SHA256
872ec2b8fb57c17ebe8885ede523d7e2765e41680013967823f13f883b92709d

SHA512
db0d73bd7f45bfca9a5eae38b01c019132a0fbc18cdda2aa210ee4334acd451b28f200a6ffd4c0a678070706e382a2bbf8ce8f8264c03022a872f14c051189fa

Download Submit
C:\Windows\system\ddndztq.exe

Filesize
207KB

MD5
dafd4320c815cd9c19f476b0510e7b6f

SHA1
04971dc934a5a8fe732956411cedbf17bf75b7f1

SHA256
2c6ba8f2424c0b599222802d444d5324fb25ea3131a8e23bbb3effaa1b2993ea

SHA512
ca9299633fce7fd19a273ea53fdcb72c47a50f36610d1162e66289dc721ac9d9dd521e1f2067d9b5b2aaefc3bb84b1720a056dd6db3adcb31951721dd820dd16

Download Submit
C:\Windows\system\dmhApeG.exe

Filesize
134KB

MD5
9f965567c84c19f48a90de8520e0c45f

SHA1
225c5eabb1599e1af0aa532975e34a39022ef6b0

SHA256
2e79952d9945d441cbad884768af01723dbee10484b1e3497d0342f79aaf0d86

SHA512
c7bcbe52262623b129f354384fa7aff19206b60fbcf7e434bc376e7bd7c304c811f0743d1a3c83c029e4e693b9171301ede88e9418cd3566e50b224dadb2dc62

Download Submit
C:\Windows\system\dnpSCgk.exe

Filesize
371KB

MD5
d8e083d695bb01d17dbde9dfffa0d37c

SHA1
30b3764146edb233a80e1af15abdd726d4ca52e2

SHA256
da42d4891d7dea76d48bd042ff9bea2b2082305c64d236037ad6c46a56103f96

SHA512
1e41a84dc855d09a5f5b8d04f6c7069afd509881374fff74d32839a543bcee15e7c7bc61f873849ff42b49dd796b4adbf9efca253b84e9d8bc6c3db75eb8fb90

Download Submit
C:\Windows\system\enoPTqq.exe

Filesize
111KB

MD5
2bb9ccdbbd934ffcddecd5651562a3f9

SHA1
b7e62794d76fa015ef43871ae8d0ff96b0517d13

SHA256
aceda59773f3619cfa833c296654d535ef5910a02698b679b31774f4ac914243

SHA512
78ee78686f80b78b6b161e47b9861eb6726cd8f6ed78dd02cdde3a5738bfad1890665810ddd24eefc21466b726355796571dc5e8200013df41a08ab58911969b

Download Submit
C:\Windows\system\feHXvTJ.exe

Filesize
1KB

MD5
46cbc330f4e5abca03d1f356cdd9c94d

SHA1
f6210baaff8bc37afdcab739001db0f94e251681

SHA256
4ba33395154eb8c429d45f0cbb1ff1eb14c4aff3c6e4c5b9b158a58b607cc4a4

SHA512
97437a127596988d31887c39dde3f01e53aa46f9098bf6492a52e09243b98a77c04d7d10e4bfbef738c6c3489f13f1bc8a0083c2e1c57ca5b9190c34ef0cf966

Download Submit
C:\Windows\system\ghfsgZO.exe

Filesize
45KB

MD5
7978211ac23f0b7e5584164a1a881fcb

SHA1
68b07eb93dce404e9b1a40bc9621f41fdf75a1e0

SHA256
38f6f8ca38f4294676c2e962361552f8c2c4a85daac821718229ee6f19445cf0

SHA512
12388b68bee63fcf2f01414c8171c8a271e88b1ed678139bcc3c3d66f4b1e44381f87edabf95d85c612ec6d65897a6ec6960e8f8233b655c34b23d168cb67247

Download Submit
C:\Windows\system\hpEuqyr.exe

Filesize
124KB

MD5
5e6ef51a237e7d1764bf6cc3e498e90a

SHA1
dd37e8654fc11c19a3b7514829b0471cc7f7af4d

SHA256
7ef5317b68ef5110c44808890605e45f570dd4ccdad44fdf7355526fb8aca529

SHA512
da612bb4ff64e4d3d7d26a5041b7c9625173c060df52b9489e84d078d6c164f3548669568442294ff51e4cef7f93fc7208432d6fc8230e6aee67c5f60bce1167

Download Submit
C:\Windows\system\lmpUjaN.exe

Filesize
227KB

MD5
a8a6fceda428ad0e97fa4a14dd1923b1

SHA1
1dc4c474e0aa00c482df89050c6bd93ff352542f

SHA256
d907b15e045998ddeefcfe66e0b59639f4570c88f3bdd4d96d6935f4906295b0

SHA512
be83d78b1469baaf75ee68ca8deb222a8603b1defea0a77c98f67037a7578f00bd2fefbbe0904a10b2edeeab7167513e8abe1710c7df564593e58abe804b5266

Download Submit
C:\Windows\system\lruAExR.exe

Filesize
37KB

MD5
2482713453f0aa40dd898d9a3fa0518d

SHA1
51ad7971d2d6331dcb44ab93c97916f828feffd8

SHA256
2455fb57fb2a33b9f4267eee8ee69791968cc502eada8f8d7ab1c36751bfd76e

SHA512
939ac443793bd241384f3fe1969efa5f223ee9ee9bef3fca3687923b9c71a363a55c55ee37cb51c4ac7845da0a18d23bf370a255a529f3eaacb5c4b375c6d36a

Download Submit
C:\Windows\system\mlIMBZq.exe

Filesize
225KB

MD5
ffa59f8c04586eabac46c0c51a611362

SHA1
5853acc9a082f5fa1bf83ff03fd7123f096a7a5f

SHA256
17a1504b5b0dcb0e66d5f0deaed507f2df60b9475decf3a4001188872c7fba11

SHA512
2332ffcabdb25ce67d787a30201faa22a946c30c59dd7063c1dd2a1cb85268e79b62998d718c5e5a90ef6bcabb29ddb4c489e70467783675324e7f6b544e69c9

Download Submit
C:\Windows\system\mweSULh.exe

Filesize
36KB

MD5
6e7dfaa2a2a3dcaa5cad62b60d68416c

SHA1
b1e00340eac036f69c264bacb7790651b4691dd8

SHA256
783db9f5c0b5f283362d72369d674bc335e7b7f72eb9d7db5b1c3b42dcb3e656

SHA512
4eb0f3ca999c24ae9c75ed9c6eaf79fee9338f7a661f1737d9b92de5bf8cf87dddfed740a15b5074468983af200336398c7c10bfda9e32af79f6ef21643958ac

Download Submit
C:\Windows\system\oXAvTAT.exe

Filesize
116KB

MD5
06137186273913c07959ad834011665d

SHA1
75825ea035b54a510fcb8985c19cc88b32135c67

SHA256
71b96bc15c3b0b4c293aea3ce3bf6ab3351563473dc5947812fe43f275e54b1c

SHA512
527fb6776c87ef63e5e5ff68e1f5cdce75ccddace8da7e90f2526be91de35633b74ad5906a2a8c0bf878ca0c4726fb45891caba7dde393aab785b6767d20e072

Download Submit
C:\Windows\system\pFaWkSm.exe

Filesize
264KB

MD5
6a89016579c46ae623be8fb81df0f6bd

SHA1
01bb8f0acbf7ebdd1622c43e44b5f13b2864491e

SHA256
212aa3410a9061475b67c7c5633a227ff74363460385f40a09ecb8ffc12c19db

SHA512
2f7f75887a75f7e676a1129f530fc18757865ec1bcd1b86e18c261ba70e097bed50d5ab451b6b6873cf3a4da9ca127777664f400bfece7db50ea78158a3a9b70

Download Submit
C:\Windows\system\sYHykBw.exe

Filesize
85KB

MD5
b9d82475b2016386c6277e6bd4a5229d

SHA1
21ff20d7695f75a51af6281fd03c4be4222a6b7a

SHA256
a107a1b73c0c587ccfcf718d42a4bfc2ddba35fcfd8a521deeae8e9cfb3cf09e

SHA512
e43ee9857363a1a0884623b371522039e6cd50c67b07a942288bdf9969703bd04f358987ad58fe8b60272a93002acbee86ffcb0296b20ab1a165bb5f29b8f28e

Download Submit
C:\Windows\system\vZdiFAp.exe

Filesize
3KB

MD5
687be9bb34fb6eeba0659f055c29a82d

SHA1
86ff69d4fd9e5fc1ad47c53cf7cd7f0f77b5a7af

SHA256
c826a13be5d6edb87f58a3341496f034f693d80876a6cd8c7a2c4fe784d066eb

SHA512
1a5bfc13a268d1ed24e30421e0848debbfd6ca4f08495cdee24aaf8f552c9172b02c27bfb6c7e4e4660e7de85811fa3cf0b97d56744b29015e4f170a9aaafe93

Download Submit
C:\Windows\system\vysPNQM.exe

Filesize
411KB

MD5
3e47826cb66574ba57e62ccbd4795827

SHA1
61cc828d248109009282704c5072740b782a2b52

SHA256
6e857f8d550a5a8289d5a8b206f545dd78f67a9fe8f93b98769c675eeae90662

SHA512
a14871965aa4bfef85730d0247a68ee3665bdfb72085be35615669bc315a6f3b80902dc767d4562f6fdea216dfc6dc6f0e782bb3e874b75bfeaa5c1a35eb304a

Download Submit
C:\Windows\system\wUPMETX.exe

Filesize
92KB

MD5
d26f5bc40df7835194c307349019dfe3

SHA1
2dae20ed9e013dcc43e02593a2ef5c17cf123811

SHA256
a65add0c101f104dd029c28312e0c9e1301d05da9d29cb26b2024a56fa2c68b2

SHA512
0aaaf3b12b3da148b4d30823b7e8f3b51662648325631fa88b5661515f1e039252993b421856d5abde802bbe8fd07d38759674a31a05870a8511803cc21c48be

Download Submit
C:\Windows\system\yrKokbd.exe

Filesize
314KB

MD5
a0f2340066053fe35beb000793892389

SHA1
15e238a998560d91bbd23c3d1fba1e9ae0bfe903

SHA256
1766ef8153c85a43908e4dbe3724c6e67b620747119fb0adb9e0069e5ebebb1d

SHA512
78f810bd4266f5759a74acf0f822eb504091c65fadcffe91f6234f28235966937c9da9f820a43f8c1cacb9300a60a3206250f5245887556cc104c18e3fd632a5

Download Submit
\Windows\system\APSdPJI.exe

Filesize
88KB

MD5
bf6a3f384ef1eaf2a87b8008e12981d7

SHA1
6fe7821ad9b46e4f758a5da00c8c3ea9f317339d

SHA256
49886cfdfaaa9da818c76b09a4855c0f66717f4b3ece854965c9b00372d28d6f

SHA512
2edceba6e38fecea14d6d5289a4becc01e20c345d78ccd08715e9873bcde7a1082b6cd8c0429da12be7e97b00bd9392504f9eaa996bcf5246b0a1b2db9affc17

Download Submit
\Windows\system\HZxvKrd.exe

Filesize
252KB

MD5
5867b5d0d45e5edd5901e24c1df395b4

SHA1
ad48fc6282058fff12a6d17a9b6430ac7eababd8

SHA256
e5fa8ebdded350e6aafd9b73c89c2630c15b6a9723fc2eff72febbdf57243fe1

SHA512
43e69fdfa9999e7f1db251a27451570f15ae3aeda0bfe0854a68723f9e0fe4d446389b7dbee5c20edea034af099a3ca0f9d12a0b1c9fdcaff6114bb1e4a45833

Download Submit
\Windows\system\IgwnhJG.exe

Filesize
442KB

MD5
d79b517008ec4e64a0ff397cecc79ced

SHA1
09303357bc539d7a60a2316a3b78c161624a7256

SHA256
7e0a9d6aa6407120e7db61f506bb301e13d498d9fcf4c74e4333225aa9c0baee

SHA512
2f8f63a12c1d3415d5f2ffb1cc0fddf8882753b5bd114eaa88308222888faf12b4f2ed6d8a9794bd4ca00dbede813f9c7a27dcd52a9e5f7db8b4b2567c01126c

Download Submit
\Windows\system\NimrWAX.exe

Filesize
241KB

MD5
3a218ec77ad57c11c6a70d38e7ca193a

SHA1
995eb4a7175fdb8f9b069dc5a50ef0ca593f0b5d

SHA256
a0ebdd85eea9408f2d7befc1dc6336df031ea4969d2c6efe361f9f0ee15d04e0

SHA512
5c68979c26d0ef11973f03651cca3af5b8c8ba589dbf27da973445b6379b6a5c2e10acbb9d558b434c419ddb038c76d0c446c5dffdb10a4a5a4ef3f949d01235

Download Submit
\Windows\system\QfzasGK.exe

Filesize
76KB

MD5
1a69f895b7934ef3a1948e9c40e79c33

SHA1
60c56d57a1565e6d6b9736ee0c69b5f9c05007da

SHA256
b7e1db2c544210b65ab6bca921faeda175786d1da692a2769c5123c377862a8d

SHA512
8da3c1b4a7d8a2859ec0ea67fc69f421f8bace5126f65256933d2ba598edb9cd7c3385128a8293052cab2e37599c25cd1224795f3a3f9cb9e3fb47a61ef69588

Download Submit
\Windows\system\RnvnlXO.exe

Filesize
71KB

MD5
5da9d6594d5e80b9a09057d8c2dcf92e

SHA1
b211c09aee5712d2e65b0fa636fc05d2c31ab5a0

SHA256
4e9d13e6a0f700a2c0581b89da26e49c55ab842e81579a2c396007922d55c5b1

SHA512
7d19f94ce805034bdd28082c84b4be4702ae1071e0f6814ccb4214dab7f251c2bad337c2c21ca6abd711b2239e8c085d0709b0cd1d6be2e649e0ccbd2fe47673

Download Submit
\Windows\system\SFtSGoB.exe

Filesize
311KB

MD5
a78724cadaa9a74a168cd24c92503a66

SHA1
2301939c9bb5418b8b0540d9f6a785f44327b70d

SHA256
6c3a8ffef29ba74add6c2f8bde57d72ce46886bcc4ccd1cf8ec1b38137885539

SHA512
a8d61bc0d39a057c779fe21e2fab27ca02378518da33d1e114ba931a2a602ce7a06607b06590e4d2a1e7a8a0acd53405180187494eaef620c7e5a9e2b3044cc1

Download Submit
\Windows\system\UMEZTDh.exe

Filesize
31KB

MD5
f49b7626658418433da9b3ea5c2f02a6

SHA1
8b66cb682d16e6179a27e07a9d10ce302511f5f8

SHA256
6dcb82e7323eef0f9acda7cfe5b0549b0bbb665ae9ba91eab99109af66bab428

SHA512
22b178461d1d2057ce5b8784367a694e0fcc2b2eb31de0cf2fce86773c55b00bf2326dfe440de3770cd18210826bcb1b72169b22091bbfb618360407f78f885d

Download Submit
\Windows\system\UoccZCz.exe

Filesize
251KB

MD5
b248a5484721f321c8ed01de20c16f98

SHA1
1bcdad38765f1cd04753a466b4f9d0af045579bf

SHA256
17936478970a558b8f6335295e628460cd6eaa2989d5fc822253e604bc6dbf55

SHA512
946f63a5323e2ca9ec7a9898b9709ecc4f1944c335c22c70bfc324cf79188d7d9bfc2bad5ab09686582bec6382f5542fea9c92081521a39117f9fd214c16aaae

Download Submit
\Windows\system\YvEPFey.exe

Filesize
146KB

MD5
7cdd0537e2d844a650a1568aec6e17bf

SHA1
413cd3838a14a75ca59590f09f316a696cdabac3

SHA256
ce6abfa8fb52c189481b75f74d6fd5ef8535bb5d0a223a3559ce6c88b08746ad

SHA512
092c48f769e554461e091846c704f48fdc926281e01a7be255de8735e7178e9046804a9ea706b63ad2924cefafe4a20f5e2fab124cbf9682afb2d5796431ca51

Download Submit
\Windows\system\auIBjvf.exe

Filesize
83KB

MD5
f8e6f3a1dfe478cd73c0930e85d14910

SHA1
aba7985c80110a1e5157f74c0f1b87c242c496b8

SHA256
88a3c510bf979cddae4084fce7251dd9d3c2e3b02c133ac740d9074e3ff0e185

SHA512
7ab3fd3732e48e08365e2162a4331bf68247798eb3e54a3ec5ac690a224e590c46aedda23844849d9b69548c6f38a7dc8143d9be608e841684df5870e179f7bf

Download Submit
\Windows\system\axdnwdv.exe

Filesize
301KB

MD5
88a88a66a44d2098c32abe0328948142

SHA1
8f604278ff654192c1d53921822c485ee0488c2e

SHA256
6156ca756e139ac62199cd4550850e22e840ef33372aebf45163968d4c7db9de

SHA512
46e03ab597bb2ff84f3fa79c3db70235a01f814ea069aa341cf942eb4a036f1814c13b9581aef5496de235e1ace2b46c304ed21d5583ddf8e5eef475f93123e7

Download Submit
\Windows\system\cYhDTEC.exe

Filesize
384KB

MD5
5f7cc97a2a8072665aca0e2fc03131a9

SHA1
896f307173b92892061f1bd648f2c084aa87118d

SHA256
2ee934ec73f589f7a975ff6272ac54db01b39d015ae384a858050a0d7c616bfb

SHA512
5e6fcdab736413aca5642b5af05dd20ea81a249e88099a7db29250371030fa43c1d1dbdcdc59c49de9734a24fdc296236de6ad6adefa6e4b5a124033749bad82

Download Submit
\Windows\system\coVDWAL.exe

Filesize
313KB

MD5
0d5c031e905fa9c395b7e09bf0ad4b54

SHA1
75fd97508f40fab5a6412d72a2fd5e06022feba7

SHA256
34cca43208878dc5eb10e16c98c94791846dea0e0a044cb9e5ba5bc6997307b2

SHA512
1360d012a07fedb86cd9db45464da01424402261804c087f655c10b4c684f44bfc08f6bdf353d20c4eff6f2e22c9a82e707074cc6bcd5c9c2aba8423592f045b

Download Submit
\Windows\system\ddndztq.exe

Filesize
287KB

MD5
139062539430da36630d263a15f04ce0

SHA1
f5dacc7075b5c0bbac0c2633e76d72c788028266

SHA256
7f276dff5d787b201467005bfb0652be9569992b76c5d7cad585958a459a19a3

SHA512
d0e5c4243c0eb7ed293c161d82ed2e730cb31e3116217c66e786518b46e69e336239f5c6c838d36400b77cd6fa2689daa9b68b975a3f9f3b05798d8aabae5238

Download Submit
\Windows\system\dmhApeG.exe

Filesize
111KB

MD5
784f5fbb216e888e874af50f85ca578b

SHA1
64a313a54d5b5756a73b461882972b974041ba9f

SHA256
9d5b6d5e04b0cc34a0d031fcb78b89a7f8588a040fb6bd73ebfc422d31eb3797

SHA512
fd9c134dc8e3aa6d0e9d95d93c1f9b255b080cce187df095d2ae79971c49441a2830e5defed55cbdc4a0d45d12d9682a31543c05c4dbc2683b753099ef3b51d4

Download Submit
\Windows\system\dnpSCgk.exe

Filesize
229KB

MD5
4d91dc8b0da5e5d23525d89c36843d39

SHA1
138f897e24fcf1cf9f65fa0a787e4540c5281df1

SHA256
fca54284cb2b23e549017160e55bf1005cd66ce07f41884b4b19710664932a4c

SHA512
c387f61b8e54ee1a11e361412106e7ce6457c1151deb14f09ae568cf885df9edbc87a3e02ff3c7f84c098af3519ea97aeafb330a476313d2520b2d262e0506bf

Download Submit
\Windows\system\enoPTqq.exe

Filesize
162KB

MD5
8f949d0c20a1dc7d1dd9c3c8dac6dfcd

SHA1
197bfb6ecf82a3dd7ae63feb5c9bbe93103acee7

SHA256
16d6808963a131650aaa76cab0040df9973529fa147de98c3bbf91af152e8fe2

SHA512
88f4c8dc38379f96174626eb46eff198c2d7e03d611ab17285a36aad8aaa39b460aa1b769447aa8b8618ec1a974554b2e1191a7ccb3e3c2e33c9da546ab1effe

Download Submit
\Windows\system\feHXvTJ.exe

Filesize
136KB

MD5
f74a4f0a16c9c493e64a4e152bb1f128

SHA1
be53d6f832c5244bc189886b9da230f1d57e299e

SHA256
de948ed68459fa4596cb46d61587da46155c4b7a0fd21b2c3cfa490786b15f9a

SHA512
b747c737b54e67de4e8d74a6fe1eaf895395c01b5bcf1086314a45ffc60e5a6093474e8406b6a1569314c93d4ec5bae7df958bfb9a7cce2e0ec2fa007287979c

Download Submit
\Windows\system\ghfsgZO.exe

Filesize
192KB

MD5
5cbbd12683dff472a11dc1eeacaa1b25

SHA1
129d189456d38cfaa868ec18fb8f68d7d0b80e9b

SHA256
7538ef662565d761cc3bc6e7efb1045933cdd1cc736749944d80bc4b1a5aae1a

SHA512
ab0de19d65f63165b238248ae78ffff137e7dcf54b92deb3b381a4207f555fa38c8bb2c0e2514adebd242f8dab37d140efd045e867ab6b7300dc889e7b70a245

Download Submit
\Windows\system\hpEuqyr.exe

Filesize
79KB

MD5
5a20ab89d9c074b1e6455a2d5470b93e

SHA1
c1880bcc44d679a70644385f0bc1f8cec7950a8a

SHA256
56714e3831e7d8f5ea561ca1399b86310bb65557d45c72fcc57707c12415a72d

SHA512
85e643aea1558ba3e00f10a3e19413fa16b4ff7e0057a67729691c23c6b84ee0b885e99440096d27bc406be5a66482c2a9b389683168f8395753438a66e0dda5

Download Submit
\Windows\system\lmpUjaN.exe

Filesize
121KB

MD5
ebf052261dafa0da93f09136c89f0af8

SHA1
8c5fe6b2a0bd050d043056dc0f93f7613347df7d

SHA256
7eb1bffbfa39b5446212dc5dd564d5f28e0b170dd94652a9e55d616b830cd21d

SHA512
807b1975cb386a4dd619d927014ec98c12d52b4bcc8d0c74b8185e3d9e198fb2c7a0920f3f17757756c3a0a6485d7bb3a2f22767c7d8777556e593c33417b589

Download Submit
\Windows\system\lruAExR.exe

Filesize
31KB

MD5
790d5bf4f790cf23fc8107fab98cf7c8

SHA1
2afbfb6a831521c576714918e08b73d0c5460d4a

SHA256
830a5ae2e93bb7284278bddee9c982c5fa447f70671c0d977abe4165cb0be0f2

SHA512
869ea1dd952ae483626e8a03cc47b4c765e73d645cdc0afbee730f8ef18eecde566bc04aa4fb974ee4f540a0870c0a7b6cf20cd6e81e0ba2aec680f57785f962

Download Submit
\Windows\system\mlIMBZq.exe

Filesize
175KB

MD5
35d04d3a86d9d6901f09ef008db56774

SHA1
629a15111582526d2f5551ea329f48d98ae53ba0

SHA256
cdf2055be33dccdda10bc4b67c55e8130581c3bfe2be86ba8a2a980ec45191f2

SHA512
fdb3c78c8c6a93d8b6827c3c010a77754cd48e59737e3706a3f63976c9e0c42058c52eb7d54cfa66122b492bd590d205450d5057afef63fecaefdd3baa172d3d

Download Submit
\Windows\system\mweSULh.exe

Filesize
370KB

MD5
6692b3f201240edda212cb2ec4a9ff1c

SHA1
d3ca31fecd3cd8d831b95ffca9edaf252f830034

SHA256
4cb8fab1b0ba975fe6640fa6fea7371fa54aca7a794fb9f660997fa779c5ea34

SHA512
f70a81f0faf8669cd96d016a938a7bafc2e993dedeba1845cd164343948d1c368ca7c383f2b2903e875b78a5520ce9c995750043288c926b3e58f407c674b10e

Download Submit
\Windows\system\oXAvTAT.exe

Filesize
113KB

MD5
2df29e8142681b98dca0662d335da088

SHA1
cabcc1e257c7c9e627969ff7a6b06fb4446092b9

SHA256
c7b9bf7cbc4d328aff2af1a442bc2afd9159e81854817c2cdd14d6f529446d63

SHA512
08dc89ece522c7a3fda7a63d382ee1f4342d1627af1618484a4a4bfead3585d7ddee3cc902880d8f744c99f310388c80fbd3eb3c7eaf17c38e3c3a176e4ac0da

Download Submit
\Windows\system\pFaWkSm.exe

Filesize
233KB

MD5
8ec83fc54826f53c3fe8afc03551e439

SHA1
688e7c3e4e5ef11705b0acb6b019426a1f2aa730

SHA256
68efeea57f8c6e6d1aa843f740724c68fdf98e0c153ed9f1be252fdfc2d111f3

SHA512
5bb53ec1c9bb8a065a95b2acbd654cfab622352e61511aad7e9486b06806291dcb14c30db32b30ce1dca7312e86c7783c1b7226d9f86831a95a6bb5b47e2ee92

Download Submit
\Windows\system\sYHykBw.exe

Filesize
245KB

MD5
8676cec0b9a741041de8b9c7c0e91faf

SHA1
1a19c551d5a1f0d34f5a6baafe0b0b25b756db57

SHA256
5d3897964bb0d925970b34ff39f1cf9f487ae65c6dc54e064c11282c4b7dd640

SHA512
275fae83dc644755c344b20aca148b3b3d05de52bbe0be200987d00c0ff64c6df2b7f9beb915c66e6eb3a616450fb4fd1e01ae58ed7819bcefeb5afef50652fc

Download Submit
\Windows\system\uxQYemZ.exe

Filesize
4KB

MD5
f4d8d25efed6cb198a73f91011df8251

SHA1
153dcecc97df47340d708ce8a545b49504974ab5

SHA256
c28cb6c8190011f819668268a5249dfa2cc01494f178a6d8cad9f08b19f69f45

SHA512
927f1f3761481ff702b13f477d6ca3c39eee4c14f59ecdba12b9b3a541b7b42c7aecebdbc9a44de0c35cf6393047a16b2cfbc5777b0a804eaaec10ff5a775527

Download Submit
\Windows\system\vZdiFAp.exe

Filesize
202KB

MD5
2fff22540fe8017a7fec4681de4f87b2

SHA1
5031c04611c281ddba2094b1362e986c5089f224

SHA256
48291e2d6df746d01fa4693570f855fbb46b29055dc78598f59c48c6c911b5d3

SHA512
e3aeac2278142366dad7b8d868939a5735605909205a515a1ffe7863635a39e5c7a8e1d97a3e851b02f937cdfc1ee2159a5c4e0c7bfc1f8afde13a833130998a

Download Submit
\Windows\system\vysPNQM.exe

Filesize
107KB

MD5
8ce0651cb83306beed5ab54e2efbba94

SHA1
44ed72c67214ccc2f9a4ab7ea7388a9d5b4c9cf3

SHA256
cf504fb9824389927cb629114f458fa1360fb2e9762a61e168fbaad6593b0e38

SHA512
ad33123902165de4255a9648a727d57b55506942b9f2cc7219e62c5936336321ace5a1491e6ba4e8040ee25069ab8a959cf762666cfd64c6c01fed36a7dffa49

Download Submit
\Windows\system\wUPMETX.exe

Filesize
119KB

MD5
69a9f205dc0be0eb3f75fbbe1a211f96

SHA1
749ba7e4cf83abdecfc066b135edbbe23fb2862b

SHA256
b9c1ec83980d1360a901d9eca4d0d200945338a9b6c9cdb4273221d684a62b47

SHA512
f05dfd56316e4795a6c7abc09eda2108581e005daf9de96cacf26c060a1035fb0da8281616bd5d0d6f0730bef50fd3b661e1ccb7586963ad643301b8abfde325

Download Submit
\Windows\system\yrKokbd.exe

Filesize
216KB

MD5
93d52cac1600f3b82ad9b755ec9e8f82

SHA1
7a433ed873aa949b1dae07a3b80360694fc49ea0

SHA256
25d881d2d5712e414221dbb3e7af7d604ebc2516f2a0b51b9c12ab1acde0cb13

SHA512
932b7a91699bd314a17a6bb0a27bd935d630cf6e5d3ba9716c17966783111516552f733c85793f8e5f6cf3358c5979982007ae5dcb58477a2f660921de6d91cf

Download Submit
memory/304-247-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/872-158-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/1152-157-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/1620-163-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1652-227-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/1676-236-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/1740-90-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1740-249-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/1740-86-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/1740-94-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1740-171-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1740-133-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1740-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1740-132-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/1740-10-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/1740-28-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/1740-128-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1740-40-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1740-104-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/1740-159-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/1740-160-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/1740-161-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1740-41-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-164-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1740-248-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/1740-204-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-77-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1740-127-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1740-74-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1740-60-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1740-0-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1740-165-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/1740-232-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/1740-208-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/1740-123-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/1740-237-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-67-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-54-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/1764-124-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/1864-105-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/1976-134-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2012-126-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/2080-194-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2100-84-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2100-25-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2120-93-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/2228-36-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2248-233-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2260-48-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2292-68-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2296-176-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2300-100-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2324-234-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2460-235-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2536-162-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/2580-55-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/2660-17-0x000000013F1D0000-0x000000013F524000-memory.dmp

Filesize
3.3MB

Download
memory/2660-76-0x000000013F1D0000-0x000000013F524000-memory.dmp

Filesize
3.3MB

Download
memory/2696-33-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2736-69-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-32-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2876-42-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-125-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2936-78-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/3004-85-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download