cobaltstrike | 3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff

Resubmissions

28/03/2025, 18:19

250328-wx88sa1ps4 10

28/03/2025, 18:11

250328-wsm5razsew 10

Analysis

max time kernel
41s
max time network
42s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
Size

6.1MB
MD5

58621203062e1089a24e725a3ad81a5a
SHA1

ede70d27090d3accf131ab5bc4a21e23b9872a0f
SHA256

3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff
SHA512

0a2a426dcc5725301b42f21501e202521511b4c76b320ed35f28e6e09adcd0507b2c01d69c505ebad9ccafae58068975367293e39f570f6c61df842b4f9d633e
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUB:T+q56utgpPF8u/7B

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 34 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral3/files/0x00060000000258d6-4.dat	cobalt_reflective_dll
behavioral3/files/0x00070000000281fe-14.dat	cobalt_reflective_dll
behavioral3/files/0x00070000000281fd-15.dat	cobalt_reflective_dll
behavioral3/files/0x00070000000281ff-24.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028200-27.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028202-40.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028203-45.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028207-64.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028208-70.dat	cobalt_reflective_dll
behavioral3/files/0x000700000002820b-88.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028209-107.dat	cobalt_reflective_dll
behavioral3/files/0x000700000002820d-115.dat	cobalt_reflective_dll
behavioral3/files/0x00080000000281fa-113.dat	cobalt_reflective_dll
behavioral3/files/0x000700000002820c-110.dat	cobalt_reflective_dll
behavioral3/files/0x000700000002820a-86.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028206-60.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028205-55.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028204-50.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028201-35.dat	cobalt_reflective_dll
behavioral3/files/0x000700000002820e-119.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028212-137.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028211-144.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028215-167.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028218-171.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028217-172.dat	cobalt_reflective_dll
behavioral3/files/0x000700000002821a-194.dat	cobalt_reflective_dll
behavioral3/files/0x000700000002821d-201.dat	cobalt_reflective_dll
behavioral3/files/0x000700000002821c-200.dat	cobalt_reflective_dll
behavioral3/files/0x000700000002821b-199.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028219-186.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028216-177.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028214-161.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028213-152.dat	cobalt_reflective_dll
behavioral3/files/0x0007000000028210-138.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral3/memory/3004-0-0x00007FF6C1F60000-0x00007FF6C22B4000-memory.dmp	xmrig
behavioral3/files/0x00060000000258d6-4.dat	xmrig
behavioral3/files/0x00070000000281fe-14.dat	xmrig
behavioral3/files/0x00070000000281fd-15.dat	xmrig
behavioral3/files/0x00070000000281ff-24.dat	xmrig
behavioral3/files/0x0007000000028200-27.dat	xmrig
behavioral3/memory/4104-28-0x00007FF6EA580000-0x00007FF6EA8D4000-memory.dmp	xmrig
behavioral3/files/0x0007000000028202-40.dat	xmrig
behavioral3/files/0x0007000000028203-45.dat	xmrig
behavioral3/files/0x0007000000028207-64.dat	xmrig
behavioral3/files/0x0007000000028208-70.dat	xmrig
behavioral3/memory/4360-82-0x00007FF68B8B0000-0x00007FF68BC04000-memory.dmp	xmrig
behavioral3/files/0x000700000002820b-88.dat	xmrig
behavioral3/memory/1688-96-0x00007FF616E30000-0x00007FF617184000-memory.dmp	xmrig
behavioral3/memory/1004-95-0x00007FF626C10000-0x00007FF626F64000-memory.dmp	xmrig
behavioral3/files/0x0007000000028209-107.dat	xmrig
behavioral3/files/0x000700000002820d-115.dat	xmrig
behavioral3/files/0x00080000000281fa-113.dat	xmrig
behavioral3/memory/4856-112-0x00007FF6601D0000-0x00007FF660524000-memory.dmp	xmrig
behavioral3/files/0x000700000002820c-110.dat	xmrig
behavioral3/memory/4784-109-0x00007FF6F7500000-0x00007FF6F7854000-memory.dmp	xmrig
behavioral3/memory/4768-106-0x00007FF6AB100000-0x00007FF6AB454000-memory.dmp	xmrig
behavioral3/memory/5612-94-0x00007FF700440000-0x00007FF700794000-memory.dmp	xmrig
behavioral3/memory/5316-93-0x00007FF650650000-0x00007FF6509A4000-memory.dmp	xmrig
behavioral3/memory/2056-92-0x00007FF647F40000-0x00007FF648294000-memory.dmp	xmrig
behavioral3/memory/964-91-0x00007FF7658D0000-0x00007FF765C24000-memory.dmp	xmrig
behavioral3/memory/1332-90-0x00007FF7C0A60000-0x00007FF7C0DB4000-memory.dmp	xmrig
behavioral3/files/0x000700000002820a-86.dat	xmrig
behavioral3/memory/3216-85-0x00007FF6BAE90000-0x00007FF6BB1E4000-memory.dmp	xmrig
behavioral3/memory/6012-84-0x00007FF60D0E0000-0x00007FF60D434000-memory.dmp	xmrig
behavioral3/memory/1848-83-0x00007FF69E750000-0x00007FF69EAA4000-memory.dmp	xmrig
behavioral3/memory/5220-81-0x00007FF6DE700000-0x00007FF6DEA54000-memory.dmp	xmrig
behavioral3/files/0x0007000000028206-60.dat	xmrig
behavioral3/files/0x0007000000028205-55.dat	xmrig
behavioral3/files/0x0007000000028204-50.dat	xmrig
behavioral3/files/0x0007000000028201-35.dat	xmrig
behavioral3/memory/5520-23-0x00007FF6CBC90000-0x00007FF6CBFE4000-memory.dmp	xmrig
behavioral3/memory/64-18-0x00007FF7222B0000-0x00007FF722604000-memory.dmp	xmrig
behavioral3/memory/4372-9-0x00007FF76EBA0000-0x00007FF76EEF4000-memory.dmp	xmrig
behavioral3/files/0x000700000002820e-119.dat	xmrig
behavioral3/files/0x0007000000028212-137.dat	xmrig
behavioral3/files/0x0007000000028211-144.dat	xmrig
behavioral3/files/0x0007000000028215-167.dat	xmrig
behavioral3/files/0x0007000000028218-171.dat	xmrig
behavioral3/files/0x0007000000028217-172.dat	xmrig
behavioral3/memory/5060-180-0x00007FF62C810000-0x00007FF62CB64000-memory.dmp	xmrig
behavioral3/memory/2336-185-0x00007FF754480000-0x00007FF7547D4000-memory.dmp	xmrig
behavioral3/files/0x000700000002821a-194.dat	xmrig
behavioral3/files/0x000700000002821d-201.dat	xmrig
behavioral3/files/0x000700000002821c-200.dat	xmrig
behavioral3/files/0x000700000002821b-199.dat	xmrig
behavioral3/files/0x0007000000028219-186.dat	xmrig
behavioral3/memory/5316-184-0x00007FF650650000-0x00007FF6509A4000-memory.dmp	xmrig
behavioral3/memory/5220-181-0x00007FF6DE700000-0x00007FF6DEA54000-memory.dmp	xmrig
behavioral3/files/0x0007000000028216-177.dat	xmrig
behavioral3/memory/3980-174-0x00007FF689260000-0x00007FF6895B4000-memory.dmp	xmrig
behavioral3/memory/5028-168-0x00007FF7B7F40000-0x00007FF7B8294000-memory.dmp	xmrig
behavioral3/memory/5868-164-0x00007FF767450000-0x00007FF7677A4000-memory.dmp	xmrig
behavioral3/files/0x0007000000028214-161.dat	xmrig
behavioral3/memory/5348-159-0x00007FF60C940000-0x00007FF60CC94000-memory.dmp	xmrig
behavioral3/memory/4104-156-0x00007FF6EA580000-0x00007FF6EA8D4000-memory.dmp	xmrig
behavioral3/files/0x0007000000028213-152.dat	xmrig
behavioral3/memory/6040-147-0x00007FF7BA840000-0x00007FF7BAB94000-memory.dmp	xmrig
behavioral3/memory/1224-143-0x00007FF69D550000-0x00007FF69D8A4000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4372	PDSIFfF.exe
64	QLpsCaM.exe
5520	arwaNSJ.exe
4104	DcrgVdu.exe
5220	QzUqGbY.exe
1688	TFehVyR.exe
4360	lyuyHau.exe
1848	ygPaPHg.exe
6012	arBKLKq.exe
3216	ojxWOci.exe
1332	VvBADJm.exe
964	REKMYvc.exe
2056	tQxPVrE.exe
5316	SbipDug.exe
5612	EwcwGcQ.exe
1004	KDdxrda.exe
4768	BvRYaRE.exe
4784	MwkdYMr.exe
4856	VZiTrhx.exe
4872	MMvCPHk.exe
5312	AzxWkSu.exe
1224	HjScwGh.exe
5348	mCHFmLC.exe
6040	zntWwwF.exe
5868	dbKpMCy.exe
3980	dDZRVMn.exe
5060	XHkqbTq.exe
5028	dsFPten.exe
2336	XxyZveY.exe
5912	dWzzUeJ.exe
4192	vILJXsS.exe
3940	rLzSeBa.exe
3840	rWVYkCi.exe
3148	VoRnxas.exe
3100	rMlvEjG.exe
5032	pVATotr.exe
2380	nyqyAKq.exe
4300	eGHmmSe.exe
4684	HviBCrd.exe
2876	UVRAPGj.exe
456	oMSGHQf.exe
1684	jIFdzfo.exe
5788	qtcoDXO.exe
5792	qtlKwwD.exe
5216	iWuUtNi.exe
4840	OGRzOOG.exe
4388	DRKCFiZ.exe
1876	SGFONil.exe
3124	oPSsJEo.exe
1828	WBwWMPl.exe
3672	mYUnIHe.exe
4516	XDXamwt.exe
2372	EigXPYr.exe
2420	lIMJIKh.exe
2760	OAWskRD.exe
4196	VYKlAHm.exe
5688	vrwYOXi.exe
2100	ZSlbaFT.exe
4584	NzfBcvR.exe
2968	TkbghRB.exe
5396	fACDDjn.exe
4320	XyieCDR.exe
1992	GObzVrH.exe
556	YaBYWht.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/3004-0-0x00007FF6C1F60000-0x00007FF6C22B4000-memory.dmp	upx
behavioral3/files/0x00060000000258d6-4.dat	upx
behavioral3/files/0x00070000000281fe-14.dat	upx
behavioral3/files/0x00070000000281fd-15.dat	upx
behavioral3/files/0x00070000000281ff-24.dat	upx
behavioral3/files/0x0007000000028200-27.dat	upx
behavioral3/memory/4104-28-0x00007FF6EA580000-0x00007FF6EA8D4000-memory.dmp	upx
behavioral3/files/0x0007000000028202-40.dat	upx
behavioral3/files/0x0007000000028203-45.dat	upx
behavioral3/files/0x0007000000028207-64.dat	upx
behavioral3/files/0x0007000000028208-70.dat	upx
behavioral3/memory/4360-82-0x00007FF68B8B0000-0x00007FF68BC04000-memory.dmp	upx
behavioral3/files/0x000700000002820b-88.dat	upx
behavioral3/memory/1688-96-0x00007FF616E30000-0x00007FF617184000-memory.dmp	upx
behavioral3/memory/1004-95-0x00007FF626C10000-0x00007FF626F64000-memory.dmp	upx
behavioral3/files/0x0007000000028209-107.dat	upx
behavioral3/files/0x000700000002820d-115.dat	upx
behavioral3/files/0x00080000000281fa-113.dat	upx
behavioral3/memory/4856-112-0x00007FF6601D0000-0x00007FF660524000-memory.dmp	upx
behavioral3/files/0x000700000002820c-110.dat	upx
behavioral3/memory/4784-109-0x00007FF6F7500000-0x00007FF6F7854000-memory.dmp	upx
behavioral3/memory/4768-106-0x00007FF6AB100000-0x00007FF6AB454000-memory.dmp	upx
behavioral3/memory/5612-94-0x00007FF700440000-0x00007FF700794000-memory.dmp	upx
behavioral3/memory/5316-93-0x00007FF650650000-0x00007FF6509A4000-memory.dmp	upx
behavioral3/memory/2056-92-0x00007FF647F40000-0x00007FF648294000-memory.dmp	upx
behavioral3/memory/964-91-0x00007FF7658D0000-0x00007FF765C24000-memory.dmp	upx
behavioral3/memory/1332-90-0x00007FF7C0A60000-0x00007FF7C0DB4000-memory.dmp	upx
behavioral3/files/0x000700000002820a-86.dat	upx
behavioral3/memory/3216-85-0x00007FF6BAE90000-0x00007FF6BB1E4000-memory.dmp	upx
behavioral3/memory/6012-84-0x00007FF60D0E0000-0x00007FF60D434000-memory.dmp	upx
behavioral3/memory/1848-83-0x00007FF69E750000-0x00007FF69EAA4000-memory.dmp	upx
behavioral3/memory/5220-81-0x00007FF6DE700000-0x00007FF6DEA54000-memory.dmp	upx
behavioral3/files/0x0007000000028206-60.dat	upx
behavioral3/files/0x0007000000028205-55.dat	upx
behavioral3/files/0x0007000000028204-50.dat	upx
behavioral3/files/0x0007000000028201-35.dat	upx
behavioral3/memory/5520-23-0x00007FF6CBC90000-0x00007FF6CBFE4000-memory.dmp	upx
behavioral3/memory/64-18-0x00007FF7222B0000-0x00007FF722604000-memory.dmp	upx
behavioral3/memory/4372-9-0x00007FF76EBA0000-0x00007FF76EEF4000-memory.dmp	upx
behavioral3/files/0x000700000002820e-119.dat	upx
behavioral3/files/0x0007000000028212-137.dat	upx
behavioral3/files/0x0007000000028211-144.dat	upx
behavioral3/files/0x0007000000028215-167.dat	upx
behavioral3/files/0x0007000000028218-171.dat	upx
behavioral3/files/0x0007000000028217-172.dat	upx
behavioral3/memory/5060-180-0x00007FF62C810000-0x00007FF62CB64000-memory.dmp	upx
behavioral3/memory/2336-185-0x00007FF754480000-0x00007FF7547D4000-memory.dmp	upx
behavioral3/files/0x000700000002821a-194.dat	upx
behavioral3/files/0x000700000002821d-201.dat	upx
behavioral3/files/0x000700000002821c-200.dat	upx
behavioral3/files/0x000700000002821b-199.dat	upx
behavioral3/files/0x0007000000028219-186.dat	upx
behavioral3/memory/5316-184-0x00007FF650650000-0x00007FF6509A4000-memory.dmp	upx
behavioral3/memory/5220-181-0x00007FF6DE700000-0x00007FF6DEA54000-memory.dmp	upx
behavioral3/files/0x0007000000028216-177.dat	upx
behavioral3/memory/3980-174-0x00007FF689260000-0x00007FF6895B4000-memory.dmp	upx
behavioral3/memory/5028-168-0x00007FF7B7F40000-0x00007FF7B8294000-memory.dmp	upx
behavioral3/memory/5868-164-0x00007FF767450000-0x00007FF7677A4000-memory.dmp	upx
behavioral3/files/0x0007000000028214-161.dat	upx
behavioral3/memory/5348-159-0x00007FF60C940000-0x00007FF60CC94000-memory.dmp	upx
behavioral3/memory/4104-156-0x00007FF6EA580000-0x00007FF6EA8D4000-memory.dmp	upx
behavioral3/files/0x0007000000028213-152.dat	upx
behavioral3/memory/6040-147-0x00007FF7BA840000-0x00007FF7BAB94000-memory.dmp	upx
behavioral3/memory/1224-143-0x00007FF69D550000-0x00007FF69D8A4000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\BvRYaRE.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\vrwYOXi.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\hJtsezf.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\cQuvlkE.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\eGHmmSe.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\sNxDnXc.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\AivNPTK.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\XqDsBnF.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\TDXvVyt.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\jTkBfir.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\pVATotr.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\okCKqkv.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\xScbsNv.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\FixbEjl.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\XuJZStY.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\WmVgXiE.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\dFKwYsn.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\adnCdTl.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\HjScwGh.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\rLzSeBa.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\RBgsynN.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\KzZbZhj.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\ChfmiMa.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\JjxnJYE.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\aRxlnXZ.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\jIFdzfo.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\RvCmyMU.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\qrahZyI.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\EigXPYr.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\GObzVrH.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\NkYLNGn.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\GpQQxlA.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\WHtHjkx.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\jEVEoQv.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\goVwxZs.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\ilTtHVr.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\weYkMCP.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\dGYMrls.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\ZgwynFi.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\UVRAPGj.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\wuzARMD.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\FYnZfzZ.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\YSNmamE.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\zAbcvTP.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\XtCKVuO.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\giDqEfA.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\tDLMGeT.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\ijsLAKQ.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\YLuquWC.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\QCkHghI.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\EUyqFTv.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\oMSGHQf.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\gnSUkYs.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\OIGWAeq.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\EANYoli.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\GfvaBpm.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\cwrgicA.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\DxtXCqD.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\zJRtHEZ.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\MoGQygo.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\zntWwwF.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\nyqyAKq.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\iWuUtNi.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
File created	C:\Windows\System\BWHSxib.exe	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	8036	taskmgr.exe
Token: SeSystemProfilePrivilege	8036	taskmgr.exe
Token: SeCreateGlobalPrivilege	8036	taskmgr.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe
8036	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4372	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	83
PID 3004 wrote to memory of 4372	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	83
PID 3004 wrote to memory of 64	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	84
PID 3004 wrote to memory of 64	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	84
PID 3004 wrote to memory of 5520	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	85
PID 3004 wrote to memory of 5520	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	85
PID 3004 wrote to memory of 4104	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	86
PID 3004 wrote to memory of 4104	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	86
PID 3004 wrote to memory of 5220	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	87
PID 3004 wrote to memory of 5220	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	87
PID 3004 wrote to memory of 1688	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	88
PID 3004 wrote to memory of 1688	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	88
PID 3004 wrote to memory of 4360	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	89
PID 3004 wrote to memory of 4360	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	89
PID 3004 wrote to memory of 1848	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	90
PID 3004 wrote to memory of 1848	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	90
PID 3004 wrote to memory of 6012	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	91
PID 3004 wrote to memory of 6012	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	91
PID 3004 wrote to memory of 3216	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	92
PID 3004 wrote to memory of 3216	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	92
PID 3004 wrote to memory of 1332	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	93
PID 3004 wrote to memory of 1332	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	93
PID 3004 wrote to memory of 964	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	94
PID 3004 wrote to memory of 964	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	94
PID 3004 wrote to memory of 2056	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	95
PID 3004 wrote to memory of 2056	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	95
PID 3004 wrote to memory of 5316	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	96
PID 3004 wrote to memory of 5316	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	96
PID 3004 wrote to memory of 5612	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	97
PID 3004 wrote to memory of 5612	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	97
PID 3004 wrote to memory of 1004	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	98
PID 3004 wrote to memory of 1004	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	98
PID 3004 wrote to memory of 4768	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	99
PID 3004 wrote to memory of 4768	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	99
PID 3004 wrote to memory of 4784	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	100
PID 3004 wrote to memory of 4784	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	100
PID 3004 wrote to memory of 4856	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	101
PID 3004 wrote to memory of 4856	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	101
PID 3004 wrote to memory of 4872	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	102
PID 3004 wrote to memory of 4872	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	102
PID 3004 wrote to memory of 5312	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	103
PID 3004 wrote to memory of 5312	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	103
PID 3004 wrote to memory of 1224	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	104
PID 3004 wrote to memory of 1224	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	104
PID 3004 wrote to memory of 5348	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	105
PID 3004 wrote to memory of 5348	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	105
PID 3004 wrote to memory of 6040	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	106
PID 3004 wrote to memory of 6040	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	106
PID 3004 wrote to memory of 5868	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	107
PID 3004 wrote to memory of 5868	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	107
PID 3004 wrote to memory of 3980	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	108
PID 3004 wrote to memory of 3980	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	108
PID 3004 wrote to memory of 5060	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	109
PID 3004 wrote to memory of 5060	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	109
PID 3004 wrote to memory of 5028	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	110
PID 3004 wrote to memory of 5028	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	110
PID 3004 wrote to memory of 2336	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	111
PID 3004 wrote to memory of 2336	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	111
PID 3004 wrote to memory of 5912	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	112
PID 3004 wrote to memory of 5912	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	112
PID 3004 wrote to memory of 4192	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	113
PID 3004 wrote to memory of 4192	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	113
PID 3004 wrote to memory of 3940	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	114
PID 3004 wrote to memory of 3940	3004	3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe	114

C:\Users\Admin\AppData\Local\Temp\3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe
"C:\Users\Admin\AppData\Local\Temp\3d56b6478c2099653848011da69eb068369d8320b16a6c8c94e04028715f61ff.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System\PDSIFfF.exe
  C:\Windows\System\PDSIFfF.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\QLpsCaM.exe
  C:\Windows\System\QLpsCaM.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\arwaNSJ.exe
  C:\Windows\System\arwaNSJ.exe
  2⤵
  - Executes dropped EXE
  PID:5520
- C:\Windows\System\DcrgVdu.exe
  C:\Windows\System\DcrgVdu.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\QzUqGbY.exe
  C:\Windows\System\QzUqGbY.exe
  2⤵
  - Executes dropped EXE
  PID:5220
- C:\Windows\System\TFehVyR.exe
  C:\Windows\System\TFehVyR.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\lyuyHau.exe
  C:\Windows\System\lyuyHau.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\ygPaPHg.exe
  C:\Windows\System\ygPaPHg.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\arBKLKq.exe
  C:\Windows\System\arBKLKq.exe
  2⤵
  - Executes dropped EXE
  PID:6012
- C:\Windows\System\ojxWOci.exe
  C:\Windows\System\ojxWOci.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\VvBADJm.exe
  C:\Windows\System\VvBADJm.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\REKMYvc.exe
  C:\Windows\System\REKMYvc.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\tQxPVrE.exe
  C:\Windows\System\tQxPVrE.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\SbipDug.exe
  C:\Windows\System\SbipDug.exe
  2⤵
  - Executes dropped EXE
  PID:5316
- C:\Windows\System\EwcwGcQ.exe
  C:\Windows\System\EwcwGcQ.exe
  2⤵
  - Executes dropped EXE
  PID:5612
- C:\Windows\System\KDdxrda.exe
  C:\Windows\System\KDdxrda.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\BvRYaRE.exe
  C:\Windows\System\BvRYaRE.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\MwkdYMr.exe
  C:\Windows\System\MwkdYMr.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\VZiTrhx.exe
  C:\Windows\System\VZiTrhx.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\MMvCPHk.exe
  C:\Windows\System\MMvCPHk.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\AzxWkSu.exe
  C:\Windows\System\AzxWkSu.exe
  2⤵
  - Executes dropped EXE
  PID:5312
- C:\Windows\System\HjScwGh.exe
  C:\Windows\System\HjScwGh.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\mCHFmLC.exe
  C:\Windows\System\mCHFmLC.exe
  2⤵
  - Executes dropped EXE
  PID:5348
- C:\Windows\System\zntWwwF.exe
  C:\Windows\System\zntWwwF.exe
  2⤵
  - Executes dropped EXE
  PID:6040
- C:\Windows\System\dbKpMCy.exe
  C:\Windows\System\dbKpMCy.exe
  2⤵
  - Executes dropped EXE
  PID:5868
- C:\Windows\System\dDZRVMn.exe
  C:\Windows\System\dDZRVMn.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\XHkqbTq.exe
  C:\Windows\System\XHkqbTq.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\dsFPten.exe
  C:\Windows\System\dsFPten.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\XxyZveY.exe
  C:\Windows\System\XxyZveY.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\dWzzUeJ.exe
  C:\Windows\System\dWzzUeJ.exe
  2⤵
  - Executes dropped EXE
  PID:5912
- C:\Windows\System\vILJXsS.exe
  C:\Windows\System\vILJXsS.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\rLzSeBa.exe
  C:\Windows\System\rLzSeBa.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\rWVYkCi.exe
  C:\Windows\System\rWVYkCi.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System\VoRnxas.exe
  C:\Windows\System\VoRnxas.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\rMlvEjG.exe
  C:\Windows\System\rMlvEjG.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\pVATotr.exe
  C:\Windows\System\pVATotr.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\nyqyAKq.exe
  C:\Windows\System\nyqyAKq.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\eGHmmSe.exe
  C:\Windows\System\eGHmmSe.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\HviBCrd.exe
  C:\Windows\System\HviBCrd.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\UVRAPGj.exe
  C:\Windows\System\UVRAPGj.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\oMSGHQf.exe
  C:\Windows\System\oMSGHQf.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\jIFdzfo.exe
  C:\Windows\System\jIFdzfo.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\qtcoDXO.exe
  C:\Windows\System\qtcoDXO.exe
  2⤵
  - Executes dropped EXE
  PID:5788
- C:\Windows\System\qtlKwwD.exe
  C:\Windows\System\qtlKwwD.exe
  2⤵
  - Executes dropped EXE
  PID:5792
- C:\Windows\System\iWuUtNi.exe
  C:\Windows\System\iWuUtNi.exe
  2⤵
  - Executes dropped EXE
  PID:5216
- C:\Windows\System\OGRzOOG.exe
  C:\Windows\System\OGRzOOG.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\DRKCFiZ.exe
  C:\Windows\System\DRKCFiZ.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\SGFONil.exe
  C:\Windows\System\SGFONil.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\oPSsJEo.exe
  C:\Windows\System\oPSsJEo.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\WBwWMPl.exe
  C:\Windows\System\WBwWMPl.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\mYUnIHe.exe
  C:\Windows\System\mYUnIHe.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\XDXamwt.exe
  C:\Windows\System\XDXamwt.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\EigXPYr.exe
  C:\Windows\System\EigXPYr.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\lIMJIKh.exe
  C:\Windows\System\lIMJIKh.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\OAWskRD.exe
  C:\Windows\System\OAWskRD.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\VYKlAHm.exe
  C:\Windows\System\VYKlAHm.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\vrwYOXi.exe
  C:\Windows\System\vrwYOXi.exe
  2⤵
  - Executes dropped EXE
  PID:5688
- C:\Windows\System\ZSlbaFT.exe
  C:\Windows\System\ZSlbaFT.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\NzfBcvR.exe
  C:\Windows\System\NzfBcvR.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\TkbghRB.exe
  C:\Windows\System\TkbghRB.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\fACDDjn.exe
  C:\Windows\System\fACDDjn.exe
  2⤵
  - Executes dropped EXE
  PID:5396
- C:\Windows\System\XyieCDR.exe
  C:\Windows\System\XyieCDR.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\GObzVrH.exe
  C:\Windows\System\GObzVrH.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\YaBYWht.exe
  C:\Windows\System\YaBYWht.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\erVwUla.exe
  C:\Windows\System\erVwUla.exe
  2⤵
  PID:116
- C:\Windows\System\AiuOKJF.exe
  C:\Windows\System\AiuOKJF.exe
  2⤵
  PID:5780
- C:\Windows\System\gnSUkYs.exe
  C:\Windows\System\gnSUkYs.exe
  2⤵
  PID:3896
- C:\Windows\System\sNxDnXc.exe
  C:\Windows\System\sNxDnXc.exe
  2⤵
  PID:4580
- C:\Windows\System\WZQguEk.exe
  C:\Windows\System\WZQguEk.exe
  2⤵
  PID:2912
- C:\Windows\System\lFnFbcP.exe
  C:\Windows\System\lFnFbcP.exe
  2⤵
  PID:4392
- C:\Windows\System\wuzARMD.exe
  C:\Windows\System\wuzARMD.exe
  2⤵
  PID:5252
- C:\Windows\System\RBgsynN.exe
  C:\Windows\System\RBgsynN.exe
  2⤵
  PID:3656
- C:\Windows\System\cwrgicA.exe
  C:\Windows\System\cwrgicA.exe
  2⤵
  PID:756
- C:\Windows\System\czLgWHD.exe
  C:\Windows\System\czLgWHD.exe
  2⤵
  PID:1112
- C:\Windows\System\Xgaazvr.exe
  C:\Windows\System\Xgaazvr.exe
  2⤵
  PID:6000
- C:\Windows\System\ffgUvJk.exe
  C:\Windows\System\ffgUvJk.exe
  2⤵
  PID:2716
- C:\Windows\System\oFfIWrs.exe
  C:\Windows\System\oFfIWrs.exe
  2⤵
  PID:2088
- C:\Windows\System\XQxbshm.exe
  C:\Windows\System\XQxbshm.exe
  2⤵
  PID:4816
- C:\Windows\System\RvCmyMU.exe
  C:\Windows\System\RvCmyMU.exe
  2⤵
  PID:2864
- C:\Windows\System\xHqsqTR.exe
  C:\Windows\System\xHqsqTR.exe
  2⤵
  PID:1124
- C:\Windows\System\ZrdWfCy.exe
  C:\Windows\System\ZrdWfCy.exe
  2⤵
  PID:4712
- C:\Windows\System\aOOwDge.exe
  C:\Windows\System\aOOwDge.exe
  2⤵
  PID:4912
- C:\Windows\System\mWDszeF.exe
  C:\Windows\System\mWDszeF.exe
  2⤵
  PID:2456
- C:\Windows\System\tHgNxdl.exe
  C:\Windows\System\tHgNxdl.exe
  2⤵
  PID:5472
- C:\Windows\System\vzhopDW.exe
  C:\Windows\System\vzhopDW.exe
  2⤵
  PID:3832
- C:\Windows\System\LzICris.exe
  C:\Windows\System\LzICris.exe
  2⤵
  PID:4432
- C:\Windows\System\nuGWDJx.exe
  C:\Windows\System\nuGWDJx.exe
  2⤵
  PID:5276
- C:\Windows\System\MjPMONU.exe
  C:\Windows\System\MjPMONU.exe
  2⤵
  PID:3668
- C:\Windows\System\pJJDLYq.exe
  C:\Windows\System\pJJDLYq.exe
  2⤵
  PID:1232
- C:\Windows\System\UqFUota.exe
  C:\Windows\System\UqFUota.exe
  2⤵
  PID:1008
- C:\Windows\System\AivNPTK.exe
  C:\Windows\System\AivNPTK.exe
  2⤵
  PID:2408
- C:\Windows\System\dAtPzbF.exe
  C:\Windows\System\dAtPzbF.exe
  2⤵
  PID:692
- C:\Windows\System\zxkWeOV.exe
  C:\Windows\System\zxkWeOV.exe
  2⤵
  PID:4272
- C:\Windows\System\pLAwwUV.exe
  C:\Windows\System\pLAwwUV.exe
  2⤵
  PID:1196
- C:\Windows\System\hWOqUzs.exe
  C:\Windows\System\hWOqUzs.exe
  2⤵
  PID:2636
- C:\Windows\System\GJpdKLL.exe
  C:\Windows\System\GJpdKLL.exe
  2⤵
  PID:4660
- C:\Windows\System\Sbkdxif.exe
  C:\Windows\System\Sbkdxif.exe
  2⤵
  PID:1856
- C:\Windows\System\XlqAwgm.exe
  C:\Windows\System\XlqAwgm.exe
  2⤵
  PID:1644
- C:\Windows\System\mbEtmpD.exe
  C:\Windows\System\mbEtmpD.exe
  2⤵
  PID:5040
- C:\Windows\System\XUhXcFB.exe
  C:\Windows\System\XUhXcFB.exe
  2⤵
  PID:4944
- C:\Windows\System\JVAFtUF.exe
  C:\Windows\System\JVAFtUF.exe
  2⤵
  PID:4352
- C:\Windows\System\BvzINbk.exe
  C:\Windows\System\BvzINbk.exe
  2⤵
  PID:1836
- C:\Windows\System\QCkHghI.exe
  C:\Windows\System\QCkHghI.exe
  2⤵
  PID:1852
- C:\Windows\System\tJdtBaF.exe
  C:\Windows\System\tJdtBaF.exe
  2⤵
  PID:1104
- C:\Windows\System\hJtsezf.exe
  C:\Windows\System\hJtsezf.exe
  2⤵
  PID:3196
- C:\Windows\System\jEVEoQv.exe
  C:\Windows\System\jEVEoQv.exe
  2⤵
  PID:5928
- C:\Windows\System\BWHSxib.exe
  C:\Windows\System\BWHSxib.exe
  2⤵
  PID:2840
- C:\Windows\System\rLlTTqN.exe
  C:\Windows\System\rLlTTqN.exe
  2⤵
  PID:1920
- C:\Windows\System\eenbcUv.exe
  C:\Windows\System\eenbcUv.exe
  2⤵
  PID:2272
- C:\Windows\System\CWZtzOi.exe
  C:\Windows\System\CWZtzOi.exe
  2⤵
  PID:3120
- C:\Windows\System\FybGXSd.exe
  C:\Windows\System\FybGXSd.exe
  2⤵
  PID:2036
- C:\Windows\System\JrpLZtA.exe
  C:\Windows\System\JrpLZtA.exe
  2⤵
  PID:5684
- C:\Windows\System\NIpLFHH.exe
  C:\Windows\System\NIpLFHH.exe
  2⤵
  PID:3588
- C:\Windows\System\aBufFuV.exe
  C:\Windows\System\aBufFuV.exe
  2⤵
  PID:3684
- C:\Windows\System\RDZzioi.exe
  C:\Windows\System\RDZzioi.exe
  2⤵
  PID:1176
- C:\Windows\System\okCKqkv.exe
  C:\Windows\System\okCKqkv.exe
  2⤵
  PID:3236
- C:\Windows\System\nOKmqDW.exe
  C:\Windows\System\nOKmqDW.exe
  2⤵
  PID:1636
- C:\Windows\System\CWFddeQ.exe
  C:\Windows\System\CWFddeQ.exe
  2⤵
  PID:1512
- C:\Windows\System\qrahZyI.exe
  C:\Windows\System\qrahZyI.exe
  2⤵
  PID:2236
- C:\Windows\System\MWgThgy.exe
  C:\Windows\System\MWgThgy.exe
  2⤵
  PID:5940
- C:\Windows\System\rdFZwGl.exe
  C:\Windows\System\rdFZwGl.exe
  2⤵
  PID:5008
- C:\Windows\System\TKgTvUp.exe
  C:\Windows\System\TKgTvUp.exe
  2⤵
  PID:3132
- C:\Windows\System\KAYGJYc.exe
  C:\Windows\System\KAYGJYc.exe
  2⤵
  PID:3152
- C:\Windows\System\qTsMPWu.exe
  C:\Windows\System\qTsMPWu.exe
  2⤵
  PID:4424
- C:\Windows\System\FixbEjl.exe
  C:\Windows\System\FixbEjl.exe
  2⤵
  PID:4628
- C:\Windows\System\KzZbZhj.exe
  C:\Windows\System\KzZbZhj.exe
  2⤵
  PID:2972
- C:\Windows\System\EmptxFR.exe
  C:\Windows\System\EmptxFR.exe
  2⤵
  PID:5280
- C:\Windows\System\cAMMrss.exe
  C:\Windows\System\cAMMrss.exe
  2⤵
  PID:1700
- C:\Windows\System\LCSMLck.exe
  C:\Windows\System\LCSMLck.exe
  2⤵
  PID:240
- C:\Windows\System\giDqEfA.exe
  C:\Windows\System\giDqEfA.exe
  2⤵
  PID:1728
- C:\Windows\System\xstRNqb.exe
  C:\Windows\System\xstRNqb.exe
  2⤵
  PID:2860
- C:\Windows\System\WmNNhVX.exe
  C:\Windows\System\WmNNhVX.exe
  2⤵
  PID:3188
- C:\Windows\System\QpEFEEi.exe
  C:\Windows\System\QpEFEEi.exe
  2⤵
  PID:3648
- C:\Windows\System\pBnFogB.exe
  C:\Windows\System\pBnFogB.exe
  2⤵
  PID:6032
- C:\Windows\System\FYnZfzZ.exe
  C:\Windows\System\FYnZfzZ.exe
  2⤵
  PID:4420
- C:\Windows\System\QIVIwLc.exe
  C:\Windows\System\QIVIwLc.exe
  2⤵
  PID:3964
- C:\Windows\System\gpYvpAj.exe
  C:\Windows\System\gpYvpAj.exe
  2⤵
  PID:3208
- C:\Windows\System\EANYoli.exe
  C:\Windows\System\EANYoli.exe
  2⤵
  PID:5400
- C:\Windows\System\ChfmiMa.exe
  C:\Windows\System\ChfmiMa.exe
  2⤵
  PID:5572
- C:\Windows\System\mcphGku.exe
  C:\Windows\System\mcphGku.exe
  2⤵
  PID:1736
- C:\Windows\System\xwQrQRm.exe
  C:\Windows\System\xwQrQRm.exe
  2⤵
  PID:888
- C:\Windows\System\KEbloxI.exe
  C:\Windows\System\KEbloxI.exe
  2⤵
  PID:5044
- C:\Windows\System\PBOpiix.exe
  C:\Windows\System\PBOpiix.exe
  2⤵
  PID:5728
- C:\Windows\System\bZsajsc.exe
  C:\Windows\System\bZsajsc.exe
  2⤵
  PID:3880
- C:\Windows\System\XqDsBnF.exe
  C:\Windows\System\XqDsBnF.exe
  2⤵
  PID:2560
- C:\Windows\System\QkAQPzj.exe
  C:\Windows\System\QkAQPzj.exe
  2⤵
  PID:4552
- C:\Windows\System\vjBHNuv.exe
  C:\Windows\System\vjBHNuv.exe
  2⤵
  PID:4460
- C:\Windows\System\eZjvinG.exe
  C:\Windows\System\eZjvinG.exe
  2⤵
  PID:4532
- C:\Windows\System\FzhEEjl.exe
  C:\Windows\System\FzhEEjl.exe
  2⤵
  PID:4864
- C:\Windows\System\QWFsOxX.exe
  C:\Windows\System\QWFsOxX.exe
  2⤵
  PID:700
- C:\Windows\System\HlPiAzR.exe
  C:\Windows\System\HlPiAzR.exe
  2⤵
  PID:4980
- C:\Windows\System\NQRtVOl.exe
  C:\Windows\System\NQRtVOl.exe
  2⤵
  PID:5776
- C:\Windows\System\EmgcInf.exe
  C:\Windows\System\EmgcInf.exe
  2⤵
  PID:5000
- C:\Windows\System\XuJZStY.exe
  C:\Windows\System\XuJZStY.exe
  2⤵
  PID:5108
- C:\Windows\System\tznLNGU.exe
  C:\Windows\System\tznLNGU.exe
  2⤵
  PID:2744
- C:\Windows\System\XycTZBt.exe
  C:\Windows\System\XycTZBt.exe
  2⤵
  PID:5800
- C:\Windows\System\HXbNqyB.exe
  C:\Windows\System\HXbNqyB.exe
  2⤵
  PID:4452
- C:\Windows\System\GYsxmvZ.exe
  C:\Windows\System\GYsxmvZ.exe
  2⤵
  PID:4268
- C:\Windows\System\MUfiyQW.exe
  C:\Windows\System\MUfiyQW.exe
  2⤵
  PID:2780
- C:\Windows\System\tDnWIEG.exe
  C:\Windows\System\tDnWIEG.exe
  2⤵
  PID:5932
- C:\Windows\System\scpLqMF.exe
  C:\Windows\System\scpLqMF.exe
  2⤵
  PID:3736
- C:\Windows\System\NkYLNGn.exe
  C:\Windows\System\NkYLNGn.exe
  2⤵
  PID:1552
- C:\Windows\System\tDLMGeT.exe
  C:\Windows\System\tDLMGeT.exe
  2⤵
  PID:3744
- C:\Windows\System\WmVgXiE.exe
  C:\Windows\System\WmVgXiE.exe
  2⤵
  PID:348
- C:\Windows\System\vhaqjOv.exe
  C:\Windows\System\vhaqjOv.exe
  2⤵
  PID:5464
- C:\Windows\System\OIGWAeq.exe
  C:\Windows\System\OIGWAeq.exe
  2⤵
  PID:6156
- C:\Windows\System\goVwxZs.exe
  C:\Windows\System\goVwxZs.exe
  2⤵
  PID:6188
- C:\Windows\System\aqPoSly.exe
  C:\Windows\System\aqPoSly.exe
  2⤵
  PID:6216
- C:\Windows\System\QlTXNsQ.exe
  C:\Windows\System\QlTXNsQ.exe
  2⤵
  PID:6244
- C:\Windows\System\KGqdSbK.exe
  C:\Windows\System\KGqdSbK.exe
  2⤵
  PID:6276
- C:\Windows\System\bFrMQZy.exe
  C:\Windows\System\bFrMQZy.exe
  2⤵
  PID:6304
- C:\Windows\System\JYXASZx.exe
  C:\Windows\System\JYXASZx.exe
  2⤵
  PID:6320
- C:\Windows\System\KIappva.exe
  C:\Windows\System\KIappva.exe
  2⤵
  PID:6352
- C:\Windows\System\DxtXCqD.exe
  C:\Windows\System\DxtXCqD.exe
  2⤵
  PID:6376
- C:\Windows\System\QhvKUKb.exe
  C:\Windows\System\QhvKUKb.exe
  2⤵
  PID:6408
- C:\Windows\System\zJRtHEZ.exe
  C:\Windows\System\zJRtHEZ.exe
  2⤵
  PID:6464
- C:\Windows\System\QMWPbue.exe
  C:\Windows\System\QMWPbue.exe
  2⤵
  PID:6508
- C:\Windows\System\xScbsNv.exe
  C:\Windows\System\xScbsNv.exe
  2⤵
  PID:6544
- C:\Windows\System\UrLlGHi.exe
  C:\Windows\System\UrLlGHi.exe
  2⤵
  PID:6580
- C:\Windows\System\fYBPxis.exe
  C:\Windows\System\fYBPxis.exe
  2⤵
  PID:6608
- C:\Windows\System\JjxnJYE.exe
  C:\Windows\System\JjxnJYE.exe
  2⤵
  PID:6640
- C:\Windows\System\YSNmamE.exe
  C:\Windows\System\YSNmamE.exe
  2⤵
  PID:6664
- C:\Windows\System\IippRVa.exe
  C:\Windows\System\IippRVa.exe
  2⤵
  PID:6692
- C:\Windows\System\zGmTHDo.exe
  C:\Windows\System\zGmTHDo.exe
  2⤵
  PID:6720
- C:\Windows\System\AiNnZNl.exe
  C:\Windows\System\AiNnZNl.exe
  2⤵
  PID:6756
- C:\Windows\System\GfvaBpm.exe
  C:\Windows\System\GfvaBpm.exe
  2⤵
  PID:6776
- C:\Windows\System\TxSAsYd.exe
  C:\Windows\System\TxSAsYd.exe
  2⤵
  PID:6808
- C:\Windows\System\GpQQxlA.exe
  C:\Windows\System\GpQQxlA.exe
  2⤵
  PID:6836
- C:\Windows\System\LeExryb.exe
  C:\Windows\System\LeExryb.exe
  2⤵
  PID:6860
- C:\Windows\System\pDSgMla.exe
  C:\Windows\System\pDSgMla.exe
  2⤵
  PID:6892
- C:\Windows\System\dFKwYsn.exe
  C:\Windows\System\dFKwYsn.exe
  2⤵
  PID:6916
- C:\Windows\System\yXxSuCP.exe
  C:\Windows\System\yXxSuCP.exe
  2⤵
  PID:6948
- C:\Windows\System\lUzEyAK.exe
  C:\Windows\System\lUzEyAK.exe
  2⤵
  PID:6980
- C:\Windows\System\PzRgEwa.exe
  C:\Windows\System\PzRgEwa.exe
  2⤵
  PID:7000
- C:\Windows\System\ijsLAKQ.exe
  C:\Windows\System\ijsLAKQ.exe
  2⤵
  PID:7032
- C:\Windows\System\WFMsaxp.exe
  C:\Windows\System\WFMsaxp.exe
  2⤵
  PID:7072
- C:\Windows\System\lNMXbvD.exe
  C:\Windows\System\lNMXbvD.exe
  2⤵
  PID:7092
- C:\Windows\System\TjhBZFs.exe
  C:\Windows\System\TjhBZFs.exe
  2⤵
  PID:7116
- C:\Windows\System\LdBTkHD.exe
  C:\Windows\System\LdBTkHD.exe
  2⤵
  PID:7144
- C:\Windows\System\HIXiPti.exe
  C:\Windows\System\HIXiPti.exe
  2⤵
  PID:6164
- C:\Windows\System\ilTtHVr.exe
  C:\Windows\System\ilTtHVr.exe
  2⤵
  PID:6252
- C:\Windows\System\baQKjWz.exe
  C:\Windows\System\baQKjWz.exe
  2⤵
  PID:6300
- C:\Windows\System\MoGQygo.exe
  C:\Windows\System\MoGQygo.exe
  2⤵
  PID:6360
- C:\Windows\System\jhgixzf.exe
  C:\Windows\System\jhgixzf.exe
  2⤵
  PID:6452
- C:\Windows\System\zAbcvTP.exe
  C:\Windows\System\zAbcvTP.exe
  2⤵
  PID:6556
- C:\Windows\System\uDPzXNP.exe
  C:\Windows\System\uDPzXNP.exe
  2⤵
  PID:6600
- C:\Windows\System\fiqvppK.exe
  C:\Windows\System\fiqvppK.exe
  2⤵
  PID:6684
- C:\Windows\System\krDupgV.exe
  C:\Windows\System\krDupgV.exe
  2⤵
  PID:6744
- C:\Windows\System\qUwWZps.exe
  C:\Windows\System\qUwWZps.exe
  2⤵
  PID:6796
- C:\Windows\System\djDTdtb.exe
  C:\Windows\System\djDTdtb.exe
  2⤵
  PID:6856
- C:\Windows\System\weYkMCP.exe
  C:\Windows\System\weYkMCP.exe
  2⤵
  PID:6928
- C:\Windows\System\ingOgPx.exe
  C:\Windows\System\ingOgPx.exe
  2⤵
  PID:7012
- C:\Windows\System\XtCKVuO.exe
  C:\Windows\System\XtCKVuO.exe
  2⤵
  PID:7068
- C:\Windows\System\zgsCJAv.exe
  C:\Windows\System\zgsCJAv.exe
  2⤵
  PID:7136
- C:\Windows\System\TDXvVyt.exe
  C:\Windows\System\TDXvVyt.exe
  2⤵
  PID:6204
- C:\Windows\System\dGYMrls.exe
  C:\Windows\System\dGYMrls.exe
  2⤵
  PID:6392
- C:\Windows\System\sDxmqQx.exe
  C:\Windows\System\sDxmqQx.exe
  2⤵
  PID:6572
- C:\Windows\System\hUXhUEg.exe
  C:\Windows\System\hUXhUEg.exe
  2⤵
  PID:6768
- C:\Windows\System\adnCdTl.exe
  C:\Windows\System\adnCdTl.exe
  2⤵
  PID:6884
- C:\Windows\System\WHtHjkx.exe
  C:\Windows\System\WHtHjkx.exe
  2⤵
  PID:7040
- C:\Windows\System\CxLbogL.exe
  C:\Windows\System\CxLbogL.exe
  2⤵
  PID:6176
- C:\Windows\System\EUyqFTv.exe
  C:\Windows\System\EUyqFTv.exe
  2⤵
  PID:6704
- C:\Windows\System\WpbODdE.exe
  C:\Windows\System\WpbODdE.exe
  2⤵
  PID:7024
- C:\Windows\System\QXGxAkb.exe
  C:\Windows\System\QXGxAkb.exe
  2⤵
  PID:6824
- C:\Windows\System\jTkBfir.exe
  C:\Windows\System\jTkBfir.exe
  2⤵
  PID:6628
- C:\Windows\System\uUOAzGS.exe
  C:\Windows\System\uUOAzGS.exe
  2⤵
  PID:7192
- C:\Windows\System\bIqGzmy.exe
  C:\Windows\System\bIqGzmy.exe
  2⤵
  PID:7220
- C:\Windows\System\vjzpWIj.exe
  C:\Windows\System\vjzpWIj.exe
  2⤵
  PID:7248
- C:\Windows\System\wihyznD.exe
  C:\Windows\System\wihyznD.exe
  2⤵
  PID:7280
- C:\Windows\System\JwwxfNx.exe
  C:\Windows\System\JwwxfNx.exe
  2⤵
  PID:7308
- C:\Windows\System\tFAunZJ.exe
  C:\Windows\System\tFAunZJ.exe
  2⤵
  PID:7336
- C:\Windows\System\aRxlnXZ.exe
  C:\Windows\System\aRxlnXZ.exe
  2⤵
  PID:7364
- C:\Windows\System\ZgwynFi.exe
  C:\Windows\System\ZgwynFi.exe
  2⤵
  PID:7392
- C:\Windows\System\JtYAXCb.exe
  C:\Windows\System\JtYAXCb.exe
  2⤵
  PID:7420
- C:\Windows\System\oQPftOH.exe
  C:\Windows\System\oQPftOH.exe
  2⤵
  PID:7448
- C:\Windows\System\FIAtIeB.exe
  C:\Windows\System\FIAtIeB.exe
  2⤵
  PID:7480
- C:\Windows\System\lmIZrco.exe
  C:\Windows\System\lmIZrco.exe
  2⤵
  PID:7504
- C:\Windows\System\iUSBCHR.exe
  C:\Windows\System\iUSBCHR.exe
  2⤵
  PID:7532
- C:\Windows\System\cQuvlkE.exe
  C:\Windows\System\cQuvlkE.exe
  2⤵
  PID:7560
- C:\Windows\System\YLuquWC.exe
  C:\Windows\System\YLuquWC.exe
  2⤵
  PID:7588
- C:\Windows\System\UAzLmTF.exe
  C:\Windows\System\UAzLmTF.exe
  2⤵
  PID:7616
- C:\Windows\System\QwUUVek.exe
  C:\Windows\System\QwUUVek.exe
  2⤵
  PID:7644
- C:\Windows\System\CkadcOk.exe
  C:\Windows\System\CkadcOk.exe
  2⤵
  PID:7672
- C:\Windows\System\LuWoxsv.exe
  C:\Windows\System\LuWoxsv.exe
  2⤵
  PID:7704
- C:\Windows\System\nisauhl.exe
  C:\Windows\System\nisauhl.exe
  2⤵
  PID:7728
- C:\Windows\System\gqASvwU.exe
  C:\Windows\System\gqASvwU.exe
  2⤵
  PID:7756
- C:\Windows\System\UoeeatF.exe
  C:\Windows\System\UoeeatF.exe
  2⤵
  PID:7784
- C:\Windows\System\pTuUwuR.exe
  C:\Windows\System\pTuUwuR.exe
  2⤵
  PID:7812
- C:\Windows\System\vqHVCmZ.exe
  C:\Windows\System\vqHVCmZ.exe
  2⤵
  PID:7840
- C:\Windows\System\IRyrYyC.exe
  C:\Windows\System\IRyrYyC.exe
  2⤵
  PID:7868
- C:\Windows\System\YgBRAIt.exe
  C:\Windows\System\YgBRAIt.exe
  2⤵
  PID:7896
- C:\Windows\System\YmjsudK.exe
  C:\Windows\System\YmjsudK.exe
  2⤵
  PID:7924
- C:\Windows\System\MHoakkq.exe
  C:\Windows\System\MHoakkq.exe
  2⤵
  PID:7360

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AzxWkSu.exe

Filesize
6.1MB

MD5
a23d7a729193ad355ef6cc491ade4f12

SHA1
f96b3c3e0acdc59b85c5434ce5db89a1e294e16c

SHA256
1e0e4f5bac37ef978b7e3c1d173c3435a1fc14e53670c6e6b6c64e9019b17f7f

SHA512
342c6591b1c275534cf7e844e47a7ec4a688874bbf5da35cdeadc7f6c2e4e1815fb40b907163b9647945d01ccce9272d8391f6ad3e90e556fb1f270de0cba090

Download Submit
C:\Windows\System\BvRYaRE.exe

Filesize
6.1MB

MD5
4103b8648512e669d935b02c54824e8a

SHA1
2480c3899f6dce13c172ad6e19f0112a34c76515

SHA256
37b3b783dfcb43bbccf2b78741cc217f3b3869c466fad6df4d8e223a7b8b3c41

SHA512
3428a228a90aa9611270fecf9054916cd80bb73864356681d31628886a7e1c403e9017a0d1eb9d58ccb368ade582e6359bee8f9edd71b8bce69ad3254b9d67ff

Download Submit
C:\Windows\System\DcrgVdu.exe

Filesize
6.1MB

MD5
c0b43ed3b6426fced5bef6fba8265757

SHA1
ce115c5e1583c3c7a69bce5992548a23218d546a

SHA256
f6177a95e24fa5e66a280087cbeb4cc3b9fa7285d73ba8e282a5c1d1e7b02887

SHA512
4607de44fc5ab02033a24ad4727c3f2124afc86a99c4ac33a3b34cec8bf5aed1018b9b1a1a6b282f272812ca9d9eab1d47d2b75398a80b8b59d7823e986f8a6e

Download Submit
C:\Windows\System\EwcwGcQ.exe

Filesize
6.1MB

MD5
403355c04856cf2a4c87ff9deacd7593

SHA1
0aedbf722fee4ebcb97b1b5497ffa3f6f01739a5

SHA256
338e61e39649cb0e6fb09ac31d4c78e92f80891a06345791cc2e80dd3b6c4f62

SHA512
ca72602530debc0328372535e38662bae4cc29ca55ed1b4070e8da59c9b4b88fc500442c027d03eeb87633c3691a3b10d5e5454073740855ffa5e410eaa52cda

Download Submit
C:\Windows\System\HjScwGh.exe

Filesize
6.1MB

MD5
748ac2293d0b165ed13c5fd2a9f8d82d

SHA1
de8ffa4df37abb467d064c69f3f50bab654ae164

SHA256
48a5d38ec91b62b49f21433141a9b1932990d998beb82965e2ba5be602fff6f8

SHA512
af9d7d45b94401478e9f3523c9204251d2b0610ddabecfead045c09afdf09023b8566b58d2228accce582dd253836e76c3f7ed8dc4e641efdfb92dbdd0132404

Download Submit
C:\Windows\System\KDdxrda.exe

Filesize
6.1MB

MD5
ff9d0f97b322a2cfe761b6e212ecac12

SHA1
f28e1bba1bfaf81647f2fa1dc009507fc3f671b0

SHA256
2030553ae1b43e0ae6bd817ce5e82e5fec5d7bd8073b0d3ae150220b325c877b

SHA512
72f880be2f31554d36499d77be4347ec44c6804bc02cd8613f7dc48e0f5a964736dd14601ac579c7fb691b1ad2187e8628485fd356d6e3e3543f59f91fc746d4

Download Submit
C:\Windows\System\MMvCPHk.exe

Filesize
6.1MB

MD5
6570d14ece302300f54223d6773a8546

SHA1
5337afecd5d68f38650ec92ffc46d7eadf7c6bd4

SHA256
90413d62ce2ff2d63b261eb26e53ccc7126a79a33ef8a227b0fa14e7cd00192e

SHA512
9df9b70314a863b68fb620b6cc349d9076191818c6b54db5ed357966a04245e374b31299f914c0c7830ebef74bb98f2bea40c00ed48f0640818f5367621ec97b

Download Submit
C:\Windows\System\MwkdYMr.exe

Filesize
6.1MB

MD5
655c96fb5e5e1b21915cd4ecb7abf5e5

SHA1
e340d208eafb49d886e69dcf766cb7f849bdbacf

SHA256
b64c0354ace04fdde09ce64bb9cee63ad1403e3bc94c6d0da946816168c53072

SHA512
c68e1bd07719b147ee2388752a3d375daa0d6248a3db14d2cb2c0d76340f79355d3c28945d5954fa863dd1e5ff7f898b37f698a8a94290f30c602900462ff16c

Download Submit
C:\Windows\System\PDSIFfF.exe

Filesize
6.1MB

MD5
5731269b7632c2c9e80cff8c5deda6e8

SHA1
f0e77ece5823b4da77d262a833ff37016860491c

SHA256
80307a7ab5b07fa677778101cb8a8d7a86fb217f63bde4203bd32e03aac0b065

SHA512
ecf3c93894bc248130e3715eedae5dec21c3571477985fbfaa90e72506eab5c152cc654ac575a04c9da37794d7b3d644b3299333d5345b8b8590faf73b9db659

Download Submit
C:\Windows\System\QLpsCaM.exe

Filesize
6.1MB

MD5
a23385c745c0cfb00b565b6939a0c110

SHA1
70787ea60659c5a023ca50b8398aebfe46ec403a

SHA256
81b3dd7d7c6e6ef195b62b4e6a008b589f7a6b7ad6fbb9244668ab720892cec0

SHA512
ac3057be44b7f9ab862e60854dd5784614d2274b8381700a6aeab660ef3d5ef52239b9a414785b2d918cba80fc73db81f74d655c7486a11fa538b2f80ed715ff

Download Submit
C:\Windows\System\QzUqGbY.exe

Filesize
6.1MB

MD5
a049e77cce4501d791c293a6d5c1bf41

SHA1
eb3f92374ec41ade16ea1d2f3e2de2d2a70f55d8

SHA256
35b06f0ba17097da81a4520c3e624b996dedf192d2b7546d5f97bb6690179d87

SHA512
f0bde16138c8cb572e980992866635737445e19cea27625ac32de2e528154a9810f5fccdfef1d9f0d8b5db5abd36d38c37d0eb59d6e1396bbc1a0a8980822ab3

Download Submit
C:\Windows\System\REKMYvc.exe

Filesize
6.1MB

MD5
f23c50bf0df3b9fb4a806bf4147c265a

SHA1
e5dc77f6e490ae75f3a181275e11242ca102a3d6

SHA256
c10cfd53c6fbe2bc2835c9059651c71ad3a5d623eff0f0da49081447e7f79cb0

SHA512
1611bdd72a95d21e6b93b20329a2b1cb77cbda3b63f9d3afaec20c002eb1d23395850801e77f97ace8c84d79dba41de8df99125464061de11949a9f3ec2cd264

Download Submit
C:\Windows\System\SbipDug.exe

Filesize
6.1MB

MD5
9b67c1791196e040ef29286d22c6d82d

SHA1
37b3155939a1032f1a145248e6e10fd43b665683

SHA256
3276d1b491ea0157600569adb86f3aafe73449a97c4223530248fb98e07166f6

SHA512
37998052b0df9ef77fa036a8f80e1fcafcde355b0eab4bb22e32de017eb5f8cef645ff448af7813d1ba8c03211e4139f17e507109af7f83899aaadd221ab0882

Download Submit
C:\Windows\System\TFehVyR.exe

Filesize
6.1MB

MD5
7bb865c05e691cb51accc8ef8f2c4217

SHA1
dd31fc52cb215589b020837291a7eaf40e6d8359

SHA256
8e4ba3c41d564ca2a9fafb1cd634e4ad780e5ab9507b268f7f4abd8c63514ccb

SHA512
c41b48a51af1fdc33a9ca2355f575373b67a4d1af58c73c2cb1b707ca848c15a298d9ebebc801558ad41af3a4350c33db033794079811434b8f117f27daa71d4

Download Submit
C:\Windows\System\VZiTrhx.exe

Filesize
6.1MB

MD5
7647ef0fd9676a849469a0c31eb3d0fa

SHA1
9a42998834e71f9146a8e6f29224ae299fd2dd28

SHA256
35fc58b2ab952d2b463beac88271816006929006e4803b26ac07ce923ac654ba

SHA512
64c798b51728ef9ff2113dd0db806f44913d7b08ac1b3d0b5bf195d144f10564e017796fa608d3dafd082a8849d4595d079d4cbbeebda7b37753e915a0eeae75

Download Submit
C:\Windows\System\VoRnxas.exe

Filesize
6.1MB

MD5
19a57643b8bc019d55546e33318e80f9

SHA1
636d0d11a31e92667b959ecf3bcd9e5956b6c3c7

SHA256
95abeaf71f7346030c035667a11891139692f3e081361971f9413ebbc57f4a45

SHA512
23fccb444dcc28df861925c194df490de4ffc3cd15d17562eca9b449983c138a74903f2372fdbf142f355eca30ad4acd57bb5bc808f4dded680cb3b431c6a513

Download Submit
C:\Windows\System\VvBADJm.exe

Filesize
6.1MB

MD5
f26858a08318c39388c078d2aaf5b148

SHA1
7aaf35a023678eff50fd198ae1755af41e2ac862

SHA256
8b7843681bd6957bc0701a185d45cb335d5953423b68d59336812ded49adaa87

SHA512
ef8a83d129b35ebfeef536536f86273c37383b87c525a59e285d66f2f97860424d5a1ec30097595b96e6df7fcb610b4e7adcd3407482db997d28e68143688924

Download Submit
C:\Windows\System\XHkqbTq.exe

Filesize
6.1MB

MD5
b774bd475886e83a3ef1f9f8465d4c56

SHA1
fdfa530c81fbc5d3c2df6262c3af7313b89caaf7

SHA256
c43ba42735011cc3a2011ba2f6bc5dddfc25314dfb10d54642d9b4ca12c696ff

SHA512
4708b672161ba7432eb59e458c8f9b5ac423cb73c3e7a9a0efc0970e1e0bdc9a31a64e297a8b08c1a5816ae70fb755c5de6eb9b0287e40edfec9016c455257be

Download Submit
C:\Windows\System\XxyZveY.exe

Filesize
6.1MB

MD5
496301bab47c3a6387b8e9fec7bfd052

SHA1
dcc81b0986ef2561c060b45cd6d824c759a1173e

SHA256
98178be9f2925d12c75c20084bf3a64576eaac2804a66c856ce469a2b3d5b80d

SHA512
3100fca9ea82aee690b47706e84a04e4bbc206cfd0e190977344e3ef6ac9282658a548987a40eadff6e785027c5147e4f020c7fa2b8a8a5d3f51db3e45c775db

Download Submit
C:\Windows\System\arBKLKq.exe

Filesize
6.1MB

MD5
729e8db791953807ab62ff30e577d1f2

SHA1
6a941347efaea71efac96281136d66a011ff187f

SHA256
ecd3a401f6552d938557e3b003ea8282c2a33825fa317d0a17198182af293020

SHA512
4496e985af572ae3753f2d6da6d7857d9028ac5276de9bc3233172b90d26a2e038c2935b1dae96c30fd5f24fdfa7b8bf12baad0195f4a644d124b40204e4327a

Download Submit
C:\Windows\System\arwaNSJ.exe

Filesize
6.1MB

MD5
9fb87f6f6cb75bd5b2cc579adb286956

SHA1
446759ec4cd3665042b479779a9fc515390ab5ba

SHA256
88f2033a3fe94883103a46d6d6b2f805b27b3f1a4a3c0209080a12e9372d3404

SHA512
86e311714656b468559fde6c6f80adb93442ec02461da65c60d5aed592635a92a2a17d0fd28bbf86644fd6d195d20c9ad6e19837c5786c090431fb2f79e8bc3a

Download Submit
C:\Windows\System\dDZRVMn.exe

Filesize
6.1MB

MD5
2dd64c47464444ae2e70134fedd83939

SHA1
edcfd1471d8a84b8e64a002f3cab0379df8a61d0

SHA256
6495a72cfafa683a4627ddfecad97a7364715ae6829ca57c2f03c5bdf3c9fad9

SHA512
b85399872d41e2a98456891a099b005631dcfebb98129c3fc61b6a8414d3b0b5af02a7555f454f571f9df56d888dd2afca256de856d338264ab8b6e961ef54bf

Download Submit
C:\Windows\System\dWzzUeJ.exe

Filesize
6.1MB

MD5
808026f45cd276d7ec6d3fd8fa58ffee

SHA1
eb6072db0f0900f6586dc8d443b7ecbd7407c8c8

SHA256
e101ebbba4c5f2f85fcfe340ebc7119a52a4c2ff43c22ed74bda1f226c8f0b79

SHA512
72bfa1741e5c0f6a2d16491d7cc6b24c9628c9be7b31c5fa67d80d50458de8da63496bcc50e6ba92f03b11c653410d34e76284432fb9c183ac23cf75dc6044b6

Download Submit
C:\Windows\System\dbKpMCy.exe

Filesize
6.1MB

MD5
3b083cde63958d69a419ec5278af5ba7

SHA1
93f3f724d2bed4acf194d4c2a27234e264ec3ae0

SHA256
ea47ed88c58fbe4a7da76ad93326d6990882c1297aa3e340eddc67c7fcb9d1f5

SHA512
7d68ed8dd770dd8b69edd63b8af8a0f86483590ae816c074ecf18323b3d03e8d42038d57da12c2500ef851c4d27e9028f096b0eb82eeea8653d6e5d45e982e68

Download Submit
C:\Windows\System\dsFPten.exe

Filesize
6.1MB

MD5
270576360c7838b201fb26995f84168a

SHA1
bebaf6e0678f899d51fb3e519b843dd4c19b6ad8

SHA256
f9636409d97235018166d951fbdb2709a40ede4be2ef2418276ed3d00c8270d4

SHA512
0e20d6f9a58c19e7044db85f5fa2ec9dda735f8509220b7610e37815c49d5c36b43564585128a920eb6bf576382ddf0c74f3615876369f24a87c5aa9d2334308

Download Submit
C:\Windows\System\lyuyHau.exe

Filesize
6.1MB

MD5
7208c89c5ba33e0e9f69bd3644d0d349

SHA1
d317030ebcc16df34bad75c498dbfe7f7e595983

SHA256
740f17ed07f1ce6d5bdfddca27ad1f5bbedd3975ee5ce4d09dde127ea7809483

SHA512
4754838b96d45a66e7b696a78d32076e529a7f16f4ffd77e729e115e6f02d1383955cb50ab461f469ca8894d2f70600a134f57e9cf656301774eacb0cd9ec6e7

Download Submit
C:\Windows\System\mCHFmLC.exe

Filesize
6.1MB

MD5
c6bf10a73428be63f5b5afa5ec03076c

SHA1
df6d1ecc6d61f436e12a535dd13d2cc690df62bb

SHA256
81999180e0e86b2249f9626ab985ffb03dfb380b4b554760d8dd6da2d599a39a

SHA512
2ae68b33b8b2e697346d54e866a3b25bfd03cd9adb9db4fce0f6227c7a8b46678fbf5b17b830b7e0d63d10336dda74a28e068c84231cd7946af177803ed10dc9

Download Submit
C:\Windows\System\ojxWOci.exe

Filesize
6.1MB

MD5
77330dc52490c8fd73d4fc77cfcf7e87

SHA1
f2fdbe1d7feb0aa07a77c24765088bdf1392f1b5

SHA256
bb408d6c4386bdd7c00852cfef3abb1a57298c1546f2dbdd2aa9447420ee731b

SHA512
e1287158c6fe992bee0ddcae3003485e722ff4be8bfb2f5212de43cdb05f92c3a475f2d7e23c2724273e9483588b467245a722903d63f8eb7f8ce70acab9e5eb

Download Submit
C:\Windows\System\rLzSeBa.exe

Filesize
6.1MB

MD5
98c344da248eba9354f4792d8a9174dc

SHA1
f1cc4abf712b2a44749113253951aeb25c865681

SHA256
6eff693bff1659a7020cc9f439395dc862342730c214429fc01f58dacf89c429

SHA512
b85d02de6a8bdefe166335042e659c589881e0ed4269267e5fefd5a2f7748c3f98a00ab3cfcda53ad6163e984563cfa4c96ddd6406c8319d6cd6110fa85fb6d4

Download Submit
C:\Windows\System\rWVYkCi.exe

Filesize
6.1MB

MD5
13a14f538f31229adaa8587885c43c4b

SHA1
0a8e6606bd5e03650cbee36ebfbd939b1817fd6d

SHA256
8cd49a44fd9a9767a0d3e9ae76725a190a72cd08fbd759290ad184914210879f

SHA512
e1c54aec9dee3e5cb410a32c5cd3ee0b795e5df738aa2da2c427945fcd8da0cbcc48b156323ecfac8f3f7230fbe0f3e668b5750cb38db97a121b869f00a3a421

Download Submit
C:\Windows\System\tQxPVrE.exe

Filesize
6.1MB

MD5
adae1d0990b2da5a5aff0883d9d6377a

SHA1
aa0e600670fe5373ca64ae99dff5cdfe8dcda183

SHA256
40794ce7b6107bbc54c1c963df559261f442e02372395f3a8a96c438dd63c390

SHA512
a9f26a77126b8aa7b72257a2f74f865b362d558fb1ee7e49f7f067c92ffe7d5b08ecb262ffca01a855a87e6b5b971e15b0c8553c2b0dbe5c5e1079be91cfcc42

Download Submit
C:\Windows\System\vILJXsS.exe

Filesize
6.1MB

MD5
9c8b67d4c861575bd0e08fada5d0da0a

SHA1
1fe218eeddb9a22e33ab69c8d62d223c6f16a357

SHA256
73dbd4b4ce3d209ff319d68900c3beb931c2d75f73f3cf63d2cfe39f62d4f6b8

SHA512
b6efde34dc34c5252c25aa1967631edbb04d25a02d523208774d275d10b0673f40e61288c46563557255fb9cba2c46a0d2f2b998a5ee26eb1d514177f4db1546

Download Submit
C:\Windows\System\ygPaPHg.exe

Filesize
6.1MB

MD5
809f45f386b1dd87450c80586560fd2c

SHA1
decc8887ea3b7271d59aebbcc99410ecf152defa

SHA256
cd8d85fd86974a4c041ad9933f9e454a45d9f3ca16d73f10b9cbaff25fd384a8

SHA512
32b760b5fd6f5527b624a9c0d9a441de901e4c584cd77c64ae47c7ce5c4665bce07225147ffa58ac260ac23801cef82caa21e10e2f3ad337a43406fcbceaa3a9

Download Submit
C:\Windows\System\zntWwwF.exe

Filesize
6.1MB

MD5
2dab7181c7927b18a093591c9ae59c93

SHA1
a2ace6d866140bedd8beaff8b4d3ac20909cd818

SHA256
2ede0448f8eddf3f625c37360bd5bdef83d4e13e6fcd571fea3f8e053aa92a33

SHA512
090135fb04976a32b75d34151cbffe947ffc11573c88ac0ece35cfb81faa2c7dbd873358c921a3ffd00923d021cb44d246c95c9eafb537fa7cf34658b53a220a

Download Submit
memory/64-18-0x00007FF7222B0000-0x00007FF722604000-memory.dmp

Filesize
3.3MB

Download
memory/964-91-0x00007FF7658D0000-0x00007FF765C24000-memory.dmp

Filesize
3.3MB

Download
memory/1004-95-0x00007FF626C10000-0x00007FF626F64000-memory.dmp

Filesize
3.3MB

Download
memory/1224-143-0x00007FF69D550000-0x00007FF69D8A4000-memory.dmp

Filesize
3.3MB

Download
memory/1224-498-0x00007FF69D550000-0x00007FF69D8A4000-memory.dmp

Filesize
3.3MB

Download
memory/1332-90-0x00007FF7C0A60000-0x00007FF7C0DB4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-96-0x00007FF616E30000-0x00007FF617184000-memory.dmp

Filesize
3.3MB

Download
memory/1848-83-0x00007FF69E750000-0x00007FF69EAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-92-0x00007FF647F40000-0x00007FF648294000-memory.dmp

Filesize
3.3MB

Download
memory/2336-185-0x00007FF754480000-0x00007FF7547D4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-126-0x00007FF6C1F60000-0x00007FF6C22B4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-0-0x00007FF6C1F60000-0x00007FF6C22B4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-1-0x0000023C3CA30000-0x0000023C3CA40000-memory.dmp

Filesize
64KB

Download
memory/3216-85-0x00007FF6BAE90000-0x00007FF6BB1E4000-memory.dmp

Filesize
3.3MB

Download
memory/3980-565-0x00007FF689260000-0x00007FF6895B4000-memory.dmp

Filesize
3.3MB

Download
memory/3980-174-0x00007FF689260000-0x00007FF6895B4000-memory.dmp

Filesize
3.3MB

Download
memory/4104-156-0x00007FF6EA580000-0x00007FF6EA8D4000-memory.dmp

Filesize
3.3MB

Download
memory/4104-28-0x00007FF6EA580000-0x00007FF6EA8D4000-memory.dmp

Filesize
3.3MB

Download
memory/4360-82-0x00007FF68B8B0000-0x00007FF68BC04000-memory.dmp

Filesize
3.3MB

Download
memory/4372-9-0x00007FF76EBA0000-0x00007FF76EEF4000-memory.dmp

Filesize
3.3MB

Download
memory/4372-135-0x00007FF76EBA0000-0x00007FF76EEF4000-memory.dmp

Filesize
3.3MB

Download
memory/4768-106-0x00007FF6AB100000-0x00007FF6AB454000-memory.dmp

Filesize
3.3MB

Download
memory/4768-220-0x00007FF6AB100000-0x00007FF6AB454000-memory.dmp

Filesize
3.3MB

Download
memory/4784-222-0x00007FF6F7500000-0x00007FF6F7854000-memory.dmp

Filesize
3.3MB

Download
memory/4784-109-0x00007FF6F7500000-0x00007FF6F7854000-memory.dmp

Filesize
3.3MB

Download
memory/4856-223-0x00007FF6601D0000-0x00007FF660524000-memory.dmp

Filesize
3.3MB

Download
memory/4856-112-0x00007FF6601D0000-0x00007FF660524000-memory.dmp

Filesize
3.3MB

Download
memory/4872-389-0x00007FF74E270000-0x00007FF74E5C4000-memory.dmp

Filesize
3.3MB

Download
memory/4872-124-0x00007FF74E270000-0x00007FF74E5C4000-memory.dmp

Filesize
3.3MB

Download
memory/5028-168-0x00007FF7B7F40000-0x00007FF7B8294000-memory.dmp

Filesize
3.3MB

Download
memory/5028-562-0x00007FF7B7F40000-0x00007FF7B8294000-memory.dmp

Filesize
3.3MB

Download
memory/5060-180-0x00007FF62C810000-0x00007FF62CB64000-memory.dmp

Filesize
3.3MB

Download
memory/5060-624-0x00007FF62C810000-0x00007FF62CB64000-memory.dmp

Filesize
3.3MB

Download
memory/5220-81-0x00007FF6DE700000-0x00007FF6DEA54000-memory.dmp

Filesize
3.3MB

Download
memory/5220-181-0x00007FF6DE700000-0x00007FF6DEA54000-memory.dmp

Filesize
3.3MB

Download
memory/5312-134-0x00007FF65DBA0000-0x00007FF65DEF4000-memory.dmp

Filesize
3.3MB

Download
memory/5312-390-0x00007FF65DBA0000-0x00007FF65DEF4000-memory.dmp

Filesize
3.3MB

Download
memory/5316-93-0x00007FF650650000-0x00007FF6509A4000-memory.dmp

Filesize
3.3MB

Download
memory/5316-184-0x00007FF650650000-0x00007FF6509A4000-memory.dmp

Filesize
3.3MB

Download
memory/5348-159-0x00007FF60C940000-0x00007FF60CC94000-memory.dmp

Filesize
3.3MB

Download
memory/5348-560-0x00007FF60C940000-0x00007FF60CC94000-memory.dmp

Filesize
3.3MB

Download
memory/5520-23-0x00007FF6CBC90000-0x00007FF6CBFE4000-memory.dmp

Filesize
3.3MB

Download
memory/5520-136-0x00007FF6CBC90000-0x00007FF6CBFE4000-memory.dmp

Filesize
3.3MB

Download
memory/5612-94-0x00007FF700440000-0x00007FF700794000-memory.dmp

Filesize
3.3MB

Download
memory/5868-164-0x00007FF767450000-0x00007FF7677A4000-memory.dmp

Filesize
3.3MB

Download
memory/6012-84-0x00007FF60D0E0000-0x00007FF60D434000-memory.dmp

Filesize
3.3MB

Download
memory/6040-439-0x00007FF7BA840000-0x00007FF7BAB94000-memory.dmp

Filesize
3.3MB

Download
memory/6040-147-0x00007FF7BA840000-0x00007FF7BAB94000-memory.dmp

Filesize
3.3MB

Download