xmrig | 7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9

Analysis

max time kernel
138s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
Size

3.3MB
MD5

257ce2c877be07517c8df0e7c70cbb33
SHA1

b853a28f5a8981ef9e4cac713792fc23f3916768
SHA256

7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9
SHA512

4fd71fe2b90fc9af889ad89e1f30b8d66d902a605aef72697d33cfe17958fc08718ce27196293e98bee29c63379ef4561523881e5b61953743ff8d0871d82850
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc4L:NFWPClF7

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 9164 created 8512	9164	WerFaultSecure.exe	376

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/2240-0-0x00007FF6E2E10000-0x00007FF6E3205000-memory.dmp	UPX
behavioral2/files/0x00080000000231fe-5.dat	UPX
behavioral2/files/0x00080000000231fe-6.dat	UPX
behavioral2/files/0x0008000000023201-10.dat	UPX
behavioral2/files/0x0007000000023205-14.dat	UPX
behavioral2/files/0x0007000000023206-21.dat	UPX
behavioral2/files/0x0007000000023206-23.dat	UPX
behavioral2/memory/2088-17-0x00007FF6B63D0000-0x00007FF6B67C5000-memory.dmp	UPX
behavioral2/memory/4488-25-0x00007FF76EA20000-0x00007FF76EE15000-memory.dmp	UPX
behavioral2/files/0x0007000000023207-30.dat	UPX
behavioral2/memory/3676-35-0x00007FF7FB660000-0x00007FF7FBA55000-memory.dmp	UPX
behavioral2/files/0x000700000002320b-58.dat	UPX
behavioral2/files/0x000700000002320c-63.dat	UPX
behavioral2/files/0x000700000002320e-73.dat	UPX
behavioral2/files/0x000700000002320f-78.dat	UPX
behavioral2/files/0x0007000000023211-86.dat	UPX
behavioral2/files/0x0007000000023212-93.dat	UPX
behavioral2/files/0x0007000000023215-108.dat	UPX
behavioral2/memory/2688-417-0x00007FF7B6A60000-0x00007FF7B6E55000-memory.dmp	UPX
behavioral2/memory/4100-418-0x00007FF6C5D40000-0x00007FF6C6135000-memory.dmp	UPX
behavioral2/memory/3932-419-0x00007FF605C90000-0x00007FF606085000-memory.dmp	UPX
behavioral2/memory/2856-420-0x00007FF7C0380000-0x00007FF7C0775000-memory.dmp	UPX
behavioral2/memory/4228-422-0x00007FF61AD30000-0x00007FF61B125000-memory.dmp	UPX
behavioral2/memory/4272-429-0x00007FF7790C0000-0x00007FF7794B5000-memory.dmp	UPX
behavioral2/memory/4264-433-0x00007FF789640000-0x00007FF789A35000-memory.dmp	UPX
behavioral2/memory/1868-435-0x00007FF76FE10000-0x00007FF770205000-memory.dmp	UPX
behavioral2/memory/3876-437-0x00007FF790180000-0x00007FF790575000-memory.dmp	UPX
behavioral2/memory/3896-436-0x00007FF6005B0000-0x00007FF6009A5000-memory.dmp	UPX
behavioral2/memory/1676-434-0x00007FF7A3460000-0x00007FF7A3855000-memory.dmp	UPX
behavioral2/memory/3116-432-0x00007FF635790000-0x00007FF635B85000-memory.dmp	UPX
behavioral2/memory/1984-431-0x00007FF7E65E0000-0x00007FF7E69D5000-memory.dmp	UPX
behavioral2/memory/4516-430-0x00007FF67AF20000-0x00007FF67B315000-memory.dmp	UPX
behavioral2/memory/4708-428-0x00007FF62A3A0000-0x00007FF62A795000-memory.dmp	UPX
behavioral2/memory/3452-444-0x00007FF64CF20000-0x00007FF64D315000-memory.dmp	UPX
behavioral2/memory/3100-449-0x00007FF706880000-0x00007FF706C75000-memory.dmp	UPX
behavioral2/memory/3340-450-0x00007FF710D70000-0x00007FF711165000-memory.dmp	UPX
behavioral2/memory/1340-451-0x00007FF624040000-0x00007FF624435000-memory.dmp	UPX
behavioral2/memory/4120-452-0x00007FF7F6C80000-0x00007FF7F7075000-memory.dmp	UPX
behavioral2/memory/1764-453-0x00007FF65F450000-0x00007FF65F845000-memory.dmp	UPX
behavioral2/memory/3864-454-0x00007FF76E330000-0x00007FF76E725000-memory.dmp	UPX
behavioral2/memory/3928-456-0x00007FF728CB0000-0x00007FF7290A5000-memory.dmp	UPX
behavioral2/memory/3124-457-0x00007FF607C00000-0x00007FF607FF5000-memory.dmp	UPX
behavioral2/memory/4032-458-0x00007FF72DC10000-0x00007FF72E005000-memory.dmp	UPX
behavioral2/memory/4824-460-0x00007FF77F8C0000-0x00007FF77FCB5000-memory.dmp	UPX
behavioral2/memory/1324-462-0x00007FF7A8980000-0x00007FF7A8D75000-memory.dmp	UPX
behavioral2/memory/5048-463-0x00007FF7B92D0000-0x00007FF7B96C5000-memory.dmp	UPX
behavioral2/memory/1376-465-0x00007FF759650000-0x00007FF759A45000-memory.dmp	UPX
behavioral2/memory/3924-467-0x00007FF7261C0000-0x00007FF7265B5000-memory.dmp	UPX
behavioral2/memory/5072-469-0x00007FF663DE0000-0x00007FF6641D5000-memory.dmp	UPX
behavioral2/memory/2592-471-0x00007FF66EF40000-0x00007FF66F335000-memory.dmp	UPX
behavioral2/memory/4460-474-0x00007FF634E80000-0x00007FF635275000-memory.dmp	UPX
behavioral2/memory/3696-476-0x00007FF623990000-0x00007FF623D85000-memory.dmp	UPX
behavioral2/memory/1844-479-0x00007FF6F4460000-0x00007FF6F4855000-memory.dmp	UPX
behavioral2/memory/4240-482-0x00007FF65D280000-0x00007FF65D675000-memory.dmp	UPX
behavioral2/memory/2036-485-0x00007FF786690000-0x00007FF786A85000-memory.dmp	UPX
behavioral2/memory/4000-488-0x00007FF63E2E0000-0x00007FF63E6D5000-memory.dmp	UPX
behavioral2/memory/3672-487-0x00007FF7A8080000-0x00007FF7A8475000-memory.dmp	UPX
behavioral2/memory/3144-486-0x00007FF64F380000-0x00007FF64F775000-memory.dmp	UPX
behavioral2/memory/2040-484-0x00007FF7A2200000-0x00007FF7A25F5000-memory.dmp	UPX
behavioral2/memory/2280-483-0x00007FF637600000-0x00007FF6379F5000-memory.dmp	UPX
behavioral2/memory/3548-481-0x00007FF7E5880000-0x00007FF7E5C75000-memory.dmp	UPX
behavioral2/memory/1932-480-0x00007FF6CB4D0000-0x00007FF6CB8C5000-memory.dmp	UPX
behavioral2/memory/2220-478-0x00007FF756000000-0x00007FF7563F5000-memory.dmp	UPX
behavioral2/memory/3312-477-0x00007FF7E3F50000-0x00007FF7E4345000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2240-0-0x00007FF6E2E10000-0x00007FF6E3205000-memory.dmp	xmrig
behavioral2/files/0x00080000000231fe-5.dat	xmrig
behavioral2/files/0x00080000000231fe-6.dat	xmrig
behavioral2/files/0x0008000000023201-10.dat	xmrig
behavioral2/files/0x0007000000023205-14.dat	xmrig
behavioral2/files/0x0007000000023206-21.dat	xmrig
behavioral2/files/0x0007000000023206-23.dat	xmrig
behavioral2/memory/2088-17-0x00007FF6B63D0000-0x00007FF6B67C5000-memory.dmp	xmrig
behavioral2/memory/4488-25-0x00007FF76EA20000-0x00007FF76EE15000-memory.dmp	xmrig
behavioral2/files/0x0007000000023207-30.dat	xmrig
behavioral2/memory/3676-35-0x00007FF7FB660000-0x00007FF7FBA55000-memory.dmp	xmrig
behavioral2/files/0x000700000002320b-58.dat	xmrig
behavioral2/files/0x000700000002320c-63.dat	xmrig
behavioral2/files/0x000700000002320e-73.dat	xmrig
behavioral2/files/0x000700000002320f-78.dat	xmrig
behavioral2/files/0x0007000000023211-86.dat	xmrig
behavioral2/files/0x0007000000023212-93.dat	xmrig
behavioral2/files/0x0007000000023215-108.dat	xmrig
behavioral2/memory/2688-417-0x00007FF7B6A60000-0x00007FF7B6E55000-memory.dmp	xmrig
behavioral2/memory/4100-418-0x00007FF6C5D40000-0x00007FF6C6135000-memory.dmp	xmrig
behavioral2/memory/3932-419-0x00007FF605C90000-0x00007FF606085000-memory.dmp	xmrig
behavioral2/memory/2856-420-0x00007FF7C0380000-0x00007FF7C0775000-memory.dmp	xmrig
behavioral2/memory/4228-422-0x00007FF61AD30000-0x00007FF61B125000-memory.dmp	xmrig
behavioral2/memory/4272-429-0x00007FF7790C0000-0x00007FF7794B5000-memory.dmp	xmrig
behavioral2/memory/4264-433-0x00007FF789640000-0x00007FF789A35000-memory.dmp	xmrig
behavioral2/memory/1868-435-0x00007FF76FE10000-0x00007FF770205000-memory.dmp	xmrig
behavioral2/memory/3876-437-0x00007FF790180000-0x00007FF790575000-memory.dmp	xmrig
behavioral2/memory/3896-436-0x00007FF6005B0000-0x00007FF6009A5000-memory.dmp	xmrig
behavioral2/memory/1676-434-0x00007FF7A3460000-0x00007FF7A3855000-memory.dmp	xmrig
behavioral2/memory/3116-432-0x00007FF635790000-0x00007FF635B85000-memory.dmp	xmrig
behavioral2/memory/1984-431-0x00007FF7E65E0000-0x00007FF7E69D5000-memory.dmp	xmrig
behavioral2/memory/4516-430-0x00007FF67AF20000-0x00007FF67B315000-memory.dmp	xmrig
behavioral2/memory/4708-428-0x00007FF62A3A0000-0x00007FF62A795000-memory.dmp	xmrig
behavioral2/memory/3452-444-0x00007FF64CF20000-0x00007FF64D315000-memory.dmp	xmrig
behavioral2/memory/3100-449-0x00007FF706880000-0x00007FF706C75000-memory.dmp	xmrig
behavioral2/memory/3340-450-0x00007FF710D70000-0x00007FF711165000-memory.dmp	xmrig
behavioral2/memory/1340-451-0x00007FF624040000-0x00007FF624435000-memory.dmp	xmrig
behavioral2/memory/4120-452-0x00007FF7F6C80000-0x00007FF7F7075000-memory.dmp	xmrig
behavioral2/memory/1764-453-0x00007FF65F450000-0x00007FF65F845000-memory.dmp	xmrig
behavioral2/memory/3864-454-0x00007FF76E330000-0x00007FF76E725000-memory.dmp	xmrig
behavioral2/memory/3928-456-0x00007FF728CB0000-0x00007FF7290A5000-memory.dmp	xmrig
behavioral2/memory/3124-457-0x00007FF607C00000-0x00007FF607FF5000-memory.dmp	xmrig
behavioral2/memory/4032-458-0x00007FF72DC10000-0x00007FF72E005000-memory.dmp	xmrig
behavioral2/memory/4824-460-0x00007FF77F8C0000-0x00007FF77FCB5000-memory.dmp	xmrig
behavioral2/memory/1324-462-0x00007FF7A8980000-0x00007FF7A8D75000-memory.dmp	xmrig
behavioral2/memory/5048-463-0x00007FF7B92D0000-0x00007FF7B96C5000-memory.dmp	xmrig
behavioral2/memory/1376-465-0x00007FF759650000-0x00007FF759A45000-memory.dmp	xmrig
behavioral2/memory/3924-467-0x00007FF7261C0000-0x00007FF7265B5000-memory.dmp	xmrig
behavioral2/memory/5072-469-0x00007FF663DE0000-0x00007FF6641D5000-memory.dmp	xmrig
behavioral2/memory/2592-471-0x00007FF66EF40000-0x00007FF66F335000-memory.dmp	xmrig
behavioral2/memory/4460-474-0x00007FF634E80000-0x00007FF635275000-memory.dmp	xmrig
behavioral2/memory/3696-476-0x00007FF623990000-0x00007FF623D85000-memory.dmp	xmrig
behavioral2/memory/1844-479-0x00007FF6F4460000-0x00007FF6F4855000-memory.dmp	xmrig
behavioral2/memory/4240-482-0x00007FF65D280000-0x00007FF65D675000-memory.dmp	xmrig
behavioral2/memory/2036-485-0x00007FF786690000-0x00007FF786A85000-memory.dmp	xmrig
behavioral2/memory/4000-488-0x00007FF63E2E0000-0x00007FF63E6D5000-memory.dmp	xmrig
behavioral2/memory/3672-487-0x00007FF7A8080000-0x00007FF7A8475000-memory.dmp	xmrig
behavioral2/memory/3144-486-0x00007FF64F380000-0x00007FF64F775000-memory.dmp	xmrig
behavioral2/memory/2040-484-0x00007FF7A2200000-0x00007FF7A25F5000-memory.dmp	xmrig
behavioral2/memory/2280-483-0x00007FF637600000-0x00007FF6379F5000-memory.dmp	xmrig
behavioral2/memory/3548-481-0x00007FF7E5880000-0x00007FF7E5C75000-memory.dmp	xmrig
behavioral2/memory/1932-480-0x00007FF6CB4D0000-0x00007FF6CB8C5000-memory.dmp	xmrig
behavioral2/memory/2220-478-0x00007FF756000000-0x00007FF7563F5000-memory.dmp	xmrig
behavioral2/memory/3312-477-0x00007FF7E3F50000-0x00007FF7E4345000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3464	gYsvjwF.exe
4488	PlELMDl.exe
2088	KErpzod.exe
1104	YGtYQae.exe
3612	FnYBAre.exe
3676	nFodkoz.exe
2408	XiLBjGX.exe
2688	knoRcKR.exe
4100	WXxYPxe.exe
3932	tGHcYFT.exe
2856	fmfejjv.exe
4228	kRyrYCD.exe
4708	QdGABSU.exe
4272	twSIqKl.exe
4516	VdqfpoB.exe
1984	iiSyPGM.exe
3116	fnpeGDh.exe
4264	WzoUsxz.exe
1676	vHMGxWb.exe
1868	gKkMFcj.exe
3896	hchYnVt.exe
3876	dpKOoyy.exe
3452	iUJvyhB.exe
3100	yrMiWwr.exe
3340	MvsJUfp.exe
1340	WXfNOuE.exe
4120	deoasCO.exe
1764	IwdhyMh.exe
3864	vEoVscc.exe
4184	JYMrsMF.exe
3928	KPTNJSz.exe
3124	haeJpIn.exe
4032	DLDmuFb.exe
2428	CbXlhzs.exe
4824	EpmmqPq.exe
2908	ciWgjIS.exe
1324	yguBWDy.exe
5048	MJhihFI.exe
3648	cXQrFaN.exe
1376	bRJVCEY.exe
812	ccrxzsq.exe
3924	BeZNmmH.exe
4424	lVlICJq.exe
5072	ZKGjCKf.exe
3044	QzquFSk.exe
2592	QYCJUCk.exe
3820	mRFpmwI.exe
1132	JHDgGMN.exe
4460	NWfttZY.exe
1388	lKlwiPz.exe
3696	xCBaKTj.exe
3312	LXMdxUi.exe
2220	WzBYGsm.exe
1844	VOmztMm.exe
1932	WQdwBwe.exe
3548	xGrsRXG.exe
4240	eobHVLy.exe
2280	kMxyEAQ.exe
2040	VxvfPio.exe
2036	GKqGOJt.exe
3144	GHjFupp.exe
3672	neujFYT.exe
4000	FwYQiqx.exe
2672	rNVjMlw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2240-0-0x00007FF6E2E10000-0x00007FF6E3205000-memory.dmp	upx
behavioral2/files/0x00080000000231fe-5.dat	upx
behavioral2/files/0x00080000000231fe-6.dat	upx
behavioral2/files/0x0008000000023201-10.dat	upx
behavioral2/files/0x0007000000023205-14.dat	upx
behavioral2/files/0x0007000000023206-21.dat	upx
behavioral2/files/0x0007000000023206-23.dat	upx
behavioral2/memory/2088-17-0x00007FF6B63D0000-0x00007FF6B67C5000-memory.dmp	upx
behavioral2/memory/4488-25-0x00007FF76EA20000-0x00007FF76EE15000-memory.dmp	upx
behavioral2/files/0x0007000000023207-30.dat	upx
behavioral2/memory/3676-35-0x00007FF7FB660000-0x00007FF7FBA55000-memory.dmp	upx
behavioral2/files/0x000700000002320b-58.dat	upx
behavioral2/files/0x000700000002320c-63.dat	upx
behavioral2/files/0x000700000002320e-73.dat	upx
behavioral2/files/0x000700000002320f-78.dat	upx
behavioral2/files/0x0007000000023211-86.dat	upx
behavioral2/files/0x0007000000023212-93.dat	upx
behavioral2/files/0x0007000000023215-108.dat	upx
behavioral2/memory/2688-417-0x00007FF7B6A60000-0x00007FF7B6E55000-memory.dmp	upx
behavioral2/memory/4100-418-0x00007FF6C5D40000-0x00007FF6C6135000-memory.dmp	upx
behavioral2/memory/3932-419-0x00007FF605C90000-0x00007FF606085000-memory.dmp	upx
behavioral2/memory/2856-420-0x00007FF7C0380000-0x00007FF7C0775000-memory.dmp	upx
behavioral2/memory/4228-422-0x00007FF61AD30000-0x00007FF61B125000-memory.dmp	upx
behavioral2/memory/4272-429-0x00007FF7790C0000-0x00007FF7794B5000-memory.dmp	upx
behavioral2/memory/4264-433-0x00007FF789640000-0x00007FF789A35000-memory.dmp	upx
behavioral2/memory/1868-435-0x00007FF76FE10000-0x00007FF770205000-memory.dmp	upx
behavioral2/memory/3876-437-0x00007FF790180000-0x00007FF790575000-memory.dmp	upx
behavioral2/memory/3896-436-0x00007FF6005B0000-0x00007FF6009A5000-memory.dmp	upx
behavioral2/memory/1676-434-0x00007FF7A3460000-0x00007FF7A3855000-memory.dmp	upx
behavioral2/memory/3116-432-0x00007FF635790000-0x00007FF635B85000-memory.dmp	upx
behavioral2/memory/1984-431-0x00007FF7E65E0000-0x00007FF7E69D5000-memory.dmp	upx
behavioral2/memory/4516-430-0x00007FF67AF20000-0x00007FF67B315000-memory.dmp	upx
behavioral2/memory/4708-428-0x00007FF62A3A0000-0x00007FF62A795000-memory.dmp	upx
behavioral2/memory/3452-444-0x00007FF64CF20000-0x00007FF64D315000-memory.dmp	upx
behavioral2/memory/3100-449-0x00007FF706880000-0x00007FF706C75000-memory.dmp	upx
behavioral2/memory/3340-450-0x00007FF710D70000-0x00007FF711165000-memory.dmp	upx
behavioral2/memory/1340-451-0x00007FF624040000-0x00007FF624435000-memory.dmp	upx
behavioral2/memory/4120-452-0x00007FF7F6C80000-0x00007FF7F7075000-memory.dmp	upx
behavioral2/memory/1764-453-0x00007FF65F450000-0x00007FF65F845000-memory.dmp	upx
behavioral2/memory/3864-454-0x00007FF76E330000-0x00007FF76E725000-memory.dmp	upx
behavioral2/memory/3928-456-0x00007FF728CB0000-0x00007FF7290A5000-memory.dmp	upx
behavioral2/memory/3124-457-0x00007FF607C00000-0x00007FF607FF5000-memory.dmp	upx
behavioral2/memory/4032-458-0x00007FF72DC10000-0x00007FF72E005000-memory.dmp	upx
behavioral2/memory/4824-460-0x00007FF77F8C0000-0x00007FF77FCB5000-memory.dmp	upx
behavioral2/memory/1324-462-0x00007FF7A8980000-0x00007FF7A8D75000-memory.dmp	upx
behavioral2/memory/5048-463-0x00007FF7B92D0000-0x00007FF7B96C5000-memory.dmp	upx
behavioral2/memory/1376-465-0x00007FF759650000-0x00007FF759A45000-memory.dmp	upx
behavioral2/memory/3924-467-0x00007FF7261C0000-0x00007FF7265B5000-memory.dmp	upx
behavioral2/memory/5072-469-0x00007FF663DE0000-0x00007FF6641D5000-memory.dmp	upx
behavioral2/memory/2592-471-0x00007FF66EF40000-0x00007FF66F335000-memory.dmp	upx
behavioral2/memory/4460-474-0x00007FF634E80000-0x00007FF635275000-memory.dmp	upx
behavioral2/memory/3696-476-0x00007FF623990000-0x00007FF623D85000-memory.dmp	upx
behavioral2/memory/1844-479-0x00007FF6F4460000-0x00007FF6F4855000-memory.dmp	upx
behavioral2/memory/4240-482-0x00007FF65D280000-0x00007FF65D675000-memory.dmp	upx
behavioral2/memory/2036-485-0x00007FF786690000-0x00007FF786A85000-memory.dmp	upx
behavioral2/memory/4000-488-0x00007FF63E2E0000-0x00007FF63E6D5000-memory.dmp	upx
behavioral2/memory/3672-487-0x00007FF7A8080000-0x00007FF7A8475000-memory.dmp	upx
behavioral2/memory/3144-486-0x00007FF64F380000-0x00007FF64F775000-memory.dmp	upx
behavioral2/memory/2040-484-0x00007FF7A2200000-0x00007FF7A25F5000-memory.dmp	upx
behavioral2/memory/2280-483-0x00007FF637600000-0x00007FF6379F5000-memory.dmp	upx
behavioral2/memory/3548-481-0x00007FF7E5880000-0x00007FF7E5C75000-memory.dmp	upx
behavioral2/memory/1932-480-0x00007FF6CB4D0000-0x00007FF6CB8C5000-memory.dmp	upx
behavioral2/memory/2220-478-0x00007FF756000000-0x00007FF7563F5000-memory.dmp	upx
behavioral2/memory/3312-477-0x00007FF7E3F50000-0x00007FF7E4345000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\lEPWJfn.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\HErvODq.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\sSYNelE.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\PClKhkG.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\kRyrYCD.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\QTmMCEg.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\JTTPCaB.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\Cfrdjoj.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\RhoAfWN.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\KErpzod.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\SgwBaND.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\ObVKTPa.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\KGKtsdH.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\gMinjWQ.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\ZKGjCKf.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\DjLFPvH.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\KWwCJlt.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\QYVHiaV.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\TMOCfCu.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\dVQUoTu.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\OdsgQmI.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\XFFCfyj.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\CYVXdVb.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\grEbaPw.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\tYULgzi.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\uOzzEyP.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\yguBWDy.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\IdvTaQS.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\rPVbYIZ.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\BugAYQU.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\raNWiik.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\QdGABSU.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\PUMhwMt.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\WhGSmSl.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\dikJkcP.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\sMJSGbm.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\PqygHUX.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\npxcBoI.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\KVAvzGS.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\SicwvLG.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\nmrSDED.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\TIjlhtZ.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\SJWmRoa.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\ysYvhig.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\EpmmqPq.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\UvFgoHo.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\rjitRys.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\LaaoPrv.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\QFwSnaj.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\rocdmQD.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\wqFVkia.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\WYDRVbO.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\NMROzJo.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\RzFPaIg.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\zrRejJW.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\FnCHLjs.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\VkicJXT.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\cXQrFaN.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\neujFYT.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\vRBNojm.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\qlcCWjV.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\IfGwsoY.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\GewiXdX.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
File created	C:\Windows\System32\nZQUWmB.exe	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
8316	WerFaultSecure.exe
8316	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	8364	dwm.exe
Token: SeChangeNotifyPrivilege	8364	dwm.exe
Token: 33	8364	dwm.exe
Token: SeIncBasePriorityPrivilege	8364	dwm.exe
Token: SeShutdownPrivilege	8364	dwm.exe
Token: SeCreatePagefilePrivilege	8364	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3464	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	88
PID 2240 wrote to memory of 3464	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	88
PID 2240 wrote to memory of 4488	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	89
PID 2240 wrote to memory of 4488	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	89
PID 2240 wrote to memory of 2088	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	90
PID 2240 wrote to memory of 2088	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	90
PID 2240 wrote to memory of 1104	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	91
PID 2240 wrote to memory of 1104	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	91
PID 2240 wrote to memory of 3612	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	92
PID 2240 wrote to memory of 3612	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	92
PID 2240 wrote to memory of 3676	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	93
PID 2240 wrote to memory of 3676	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	93
PID 2240 wrote to memory of 2408	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	94
PID 2240 wrote to memory of 2408	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	94
PID 2240 wrote to memory of 2688	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	95
PID 2240 wrote to memory of 2688	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	95
PID 2240 wrote to memory of 4100	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	96
PID 2240 wrote to memory of 4100	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	96
PID 2240 wrote to memory of 3932	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	97
PID 2240 wrote to memory of 3932	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	97
PID 2240 wrote to memory of 2856	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	98
PID 2240 wrote to memory of 2856	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	98
PID 2240 wrote to memory of 4228	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	99
PID 2240 wrote to memory of 4228	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	99
PID 2240 wrote to memory of 4708	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	100
PID 2240 wrote to memory of 4708	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	100
PID 2240 wrote to memory of 4272	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	101
PID 2240 wrote to memory of 4272	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	101
PID 2240 wrote to memory of 4516	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	102
PID 2240 wrote to memory of 4516	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	102
PID 2240 wrote to memory of 1984	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	103
PID 2240 wrote to memory of 1984	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	103
PID 2240 wrote to memory of 3116	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	104
PID 2240 wrote to memory of 3116	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	104
PID 2240 wrote to memory of 4264	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	105
PID 2240 wrote to memory of 4264	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	105
PID 2240 wrote to memory of 1676	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	106
PID 2240 wrote to memory of 1676	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	106
PID 2240 wrote to memory of 1868	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	107
PID 2240 wrote to memory of 1868	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	107
PID 2240 wrote to memory of 3896	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	108
PID 2240 wrote to memory of 3896	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	108
PID 2240 wrote to memory of 3876	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	109
PID 2240 wrote to memory of 3876	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	109
PID 2240 wrote to memory of 3452	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	110
PID 2240 wrote to memory of 3452	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	110
PID 2240 wrote to memory of 3100	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	111
PID 2240 wrote to memory of 3100	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	111
PID 2240 wrote to memory of 3340	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	112
PID 2240 wrote to memory of 3340	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	112
PID 2240 wrote to memory of 1340	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	113
PID 2240 wrote to memory of 1340	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	113
PID 2240 wrote to memory of 4120	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	114
PID 2240 wrote to memory of 4120	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	114
PID 2240 wrote to memory of 1764	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	115
PID 2240 wrote to memory of 1764	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	115
PID 2240 wrote to memory of 3864	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	116
PID 2240 wrote to memory of 3864	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	116
PID 2240 wrote to memory of 4184	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	117
PID 2240 wrote to memory of 4184	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	117
PID 2240 wrote to memory of 3928	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	118
PID 2240 wrote to memory of 3928	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	118
PID 2240 wrote to memory of 3124	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	119
PID 2240 wrote to memory of 3124	2240	7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe	119

C:\Users\Admin\AppData\Local\Temp\7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe
"C:\Users\Admin\AppData\Local\Temp\7941fe68355bf9acb56bd7934859bd3910afa6e9b3c33e5964bfa38054ddd9c9.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\gYsvjwF.exe
  C:\Windows\System32\gYsvjwF.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\PlELMDl.exe
  C:\Windows\System32\PlELMDl.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\KErpzod.exe
  C:\Windows\System32\KErpzod.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System32\YGtYQae.exe
  C:\Windows\System32\YGtYQae.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System32\FnYBAre.exe
  C:\Windows\System32\FnYBAre.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System32\nFodkoz.exe
  C:\Windows\System32\nFodkoz.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\XiLBjGX.exe
  C:\Windows\System32\XiLBjGX.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System32\knoRcKR.exe
  C:\Windows\System32\knoRcKR.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System32\WXxYPxe.exe
  C:\Windows\System32\WXxYPxe.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System32\tGHcYFT.exe
  C:\Windows\System32\tGHcYFT.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\fmfejjv.exe
  C:\Windows\System32\fmfejjv.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System32\kRyrYCD.exe
  C:\Windows\System32\kRyrYCD.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System32\QdGABSU.exe
  C:\Windows\System32\QdGABSU.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\twSIqKl.exe
  C:\Windows\System32\twSIqKl.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\VdqfpoB.exe
  C:\Windows\System32\VdqfpoB.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\iiSyPGM.exe
  C:\Windows\System32\iiSyPGM.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\fnpeGDh.exe
  C:\Windows\System32\fnpeGDh.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System32\WzoUsxz.exe
  C:\Windows\System32\WzoUsxz.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System32\vHMGxWb.exe
  C:\Windows\System32\vHMGxWb.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\gKkMFcj.exe
  C:\Windows\System32\gKkMFcj.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System32\hchYnVt.exe
  C:\Windows\System32\hchYnVt.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System32\dpKOoyy.exe
  C:\Windows\System32\dpKOoyy.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System32\iUJvyhB.exe
  C:\Windows\System32\iUJvyhB.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System32\yrMiWwr.exe
  C:\Windows\System32\yrMiWwr.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System32\MvsJUfp.exe
  C:\Windows\System32\MvsJUfp.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\WXfNOuE.exe
  C:\Windows\System32\WXfNOuE.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System32\deoasCO.exe
  C:\Windows\System32\deoasCO.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\IwdhyMh.exe
  C:\Windows\System32\IwdhyMh.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System32\vEoVscc.exe
  C:\Windows\System32\vEoVscc.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\JYMrsMF.exe
  C:\Windows\System32\JYMrsMF.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System32\KPTNJSz.exe
  C:\Windows\System32\KPTNJSz.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System32\haeJpIn.exe
  C:\Windows\System32\haeJpIn.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System32\DLDmuFb.exe
  C:\Windows\System32\DLDmuFb.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\CbXlhzs.exe
  C:\Windows\System32\CbXlhzs.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System32\EpmmqPq.exe
  C:\Windows\System32\EpmmqPq.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\ciWgjIS.exe
  C:\Windows\System32\ciWgjIS.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System32\yguBWDy.exe
  C:\Windows\System32\yguBWDy.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System32\MJhihFI.exe
  C:\Windows\System32\MJhihFI.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\cXQrFaN.exe
  C:\Windows\System32\cXQrFaN.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System32\bRJVCEY.exe
  C:\Windows\System32\bRJVCEY.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\ccrxzsq.exe
  C:\Windows\System32\ccrxzsq.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System32\BeZNmmH.exe
  C:\Windows\System32\BeZNmmH.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\lVlICJq.exe
  C:\Windows\System32\lVlICJq.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\ZKGjCKf.exe
  C:\Windows\System32\ZKGjCKf.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System32\QzquFSk.exe
  C:\Windows\System32\QzquFSk.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\QYCJUCk.exe
  C:\Windows\System32\QYCJUCk.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System32\mRFpmwI.exe
  C:\Windows\System32\mRFpmwI.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System32\JHDgGMN.exe
  C:\Windows\System32\JHDgGMN.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System32\NWfttZY.exe
  C:\Windows\System32\NWfttZY.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\lKlwiPz.exe
  C:\Windows\System32\lKlwiPz.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System32\xCBaKTj.exe
  C:\Windows\System32\xCBaKTj.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System32\LXMdxUi.exe
  C:\Windows\System32\LXMdxUi.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System32\WzBYGsm.exe
  C:\Windows\System32\WzBYGsm.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System32\VOmztMm.exe
  C:\Windows\System32\VOmztMm.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System32\WQdwBwe.exe
  C:\Windows\System32\WQdwBwe.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\xGrsRXG.exe
  C:\Windows\System32\xGrsRXG.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System32\eobHVLy.exe
  C:\Windows\System32\eobHVLy.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\kMxyEAQ.exe
  C:\Windows\System32\kMxyEAQ.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System32\VxvfPio.exe
  C:\Windows\System32\VxvfPio.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System32\GKqGOJt.exe
  C:\Windows\System32\GKqGOJt.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System32\GHjFupp.exe
  C:\Windows\System32\GHjFupp.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System32\neujFYT.exe
  C:\Windows\System32\neujFYT.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\FwYQiqx.exe
  C:\Windows\System32\FwYQiqx.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System32\rNVjMlw.exe
  C:\Windows\System32\rNVjMlw.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\wQhtepZ.exe
  C:\Windows\System32\wQhtepZ.exe
  2⤵
  PID:2524
- C:\Windows\System32\WYDRVbO.exe
  C:\Windows\System32\WYDRVbO.exe
  2⤵
  PID:1280
- C:\Windows\System32\OdysMpP.exe
  C:\Windows\System32\OdysMpP.exe
  2⤵
  PID:1804
- C:\Windows\System32\SgwBaND.exe
  C:\Windows\System32\SgwBaND.exe
  2⤵
  PID:3652
- C:\Windows\System32\sqgWhNF.exe
  C:\Windows\System32\sqgWhNF.exe
  2⤵
  PID:3936
- C:\Windows\System32\kooMXtq.exe
  C:\Windows\System32\kooMXtq.exe
  2⤵
  PID:4408
- C:\Windows\System32\WcmxvzA.exe
  C:\Windows\System32\WcmxvzA.exe
  2⤵
  PID:5144
- C:\Windows\System32\sEQBBLr.exe
  C:\Windows\System32\sEQBBLr.exe
  2⤵
  PID:5172
- C:\Windows\System32\AncsYeU.exe
  C:\Windows\System32\AncsYeU.exe
  2⤵
  PID:5200
- C:\Windows\System32\bmQatGf.exe
  C:\Windows\System32\bmQatGf.exe
  2⤵
  PID:5228
- C:\Windows\System32\KVAvzGS.exe
  C:\Windows\System32\KVAvzGS.exe
  2⤵
  PID:5256
- C:\Windows\System32\CIMHknv.exe
  C:\Windows\System32\CIMHknv.exe
  2⤵
  PID:5292
- C:\Windows\System32\YMEqIVP.exe
  C:\Windows\System32\YMEqIVP.exe
  2⤵
  PID:5312
- C:\Windows\System32\SicwvLG.exe
  C:\Windows\System32\SicwvLG.exe
  2⤵
  PID:5340
- C:\Windows\System32\IdvTaQS.exe
  C:\Windows\System32\IdvTaQS.exe
  2⤵
  PID:5368
- C:\Windows\System32\qMNhMet.exe
  C:\Windows\System32\qMNhMet.exe
  2⤵
  PID:5396
- C:\Windows\System32\zCRWSbu.exe
  C:\Windows\System32\zCRWSbu.exe
  2⤵
  PID:5424
- C:\Windows\System32\nZQUWmB.exe
  C:\Windows\System32\nZQUWmB.exe
  2⤵
  PID:5452
- C:\Windows\System32\rJqOnFr.exe
  C:\Windows\System32\rJqOnFr.exe
  2⤵
  PID:5480
- C:\Windows\System32\ecIBPZk.exe
  C:\Windows\System32\ecIBPZk.exe
  2⤵
  PID:5508
- C:\Windows\System32\VVuCUOr.exe
  C:\Windows\System32\VVuCUOr.exe
  2⤵
  PID:5536
- C:\Windows\System32\VDtfxOb.exe
  C:\Windows\System32\VDtfxOb.exe
  2⤵
  PID:5564
- C:\Windows\System32\dSgKFPV.exe
  C:\Windows\System32\dSgKFPV.exe
  2⤵
  PID:5592
- C:\Windows\System32\EjRMDkp.exe
  C:\Windows\System32\EjRMDkp.exe
  2⤵
  PID:5620
- C:\Windows\System32\KXDkncO.exe
  C:\Windows\System32\KXDkncO.exe
  2⤵
  PID:5648
- C:\Windows\System32\SHPnBAd.exe
  C:\Windows\System32\SHPnBAd.exe
  2⤵
  PID:5676
- C:\Windows\System32\CJnaxef.exe
  C:\Windows\System32\CJnaxef.exe
  2⤵
  PID:5704
- C:\Windows\System32\qLHQtWP.exe
  C:\Windows\System32\qLHQtWP.exe
  2⤵
  PID:5732
- C:\Windows\System32\YfAtkjY.exe
  C:\Windows\System32\YfAtkjY.exe
  2⤵
  PID:5760
- C:\Windows\System32\WhGSmSl.exe
  C:\Windows\System32\WhGSmSl.exe
  2⤵
  PID:5788
- C:\Windows\System32\HmnHvdr.exe
  C:\Windows\System32\HmnHvdr.exe
  2⤵
  PID:5816
- C:\Windows\System32\JSTqFkH.exe
  C:\Windows\System32\JSTqFkH.exe
  2⤵
  PID:5844
- C:\Windows\System32\EvQeVaE.exe
  C:\Windows\System32\EvQeVaE.exe
  2⤵
  PID:5872
- C:\Windows\System32\HjziIKQ.exe
  C:\Windows\System32\HjziIKQ.exe
  2⤵
  PID:5900
- C:\Windows\System32\aOSEMtH.exe
  C:\Windows\System32\aOSEMtH.exe
  2⤵
  PID:5928
- C:\Windows\System32\RzFPaIg.exe
  C:\Windows\System32\RzFPaIg.exe
  2⤵
  PID:5956
- C:\Windows\System32\oZqjbVW.exe
  C:\Windows\System32\oZqjbVW.exe
  2⤵
  PID:5984
- C:\Windows\System32\dMxHBsB.exe
  C:\Windows\System32\dMxHBsB.exe
  2⤵
  PID:6012
- C:\Windows\System32\RCiPFKi.exe
  C:\Windows\System32\RCiPFKi.exe
  2⤵
  PID:6040
- C:\Windows\System32\UvFgoHo.exe
  C:\Windows\System32\UvFgoHo.exe
  2⤵
  PID:6068
- C:\Windows\System32\sKdxTjk.exe
  C:\Windows\System32\sKdxTjk.exe
  2⤵
  PID:6096
- C:\Windows\System32\ytRVgTT.exe
  C:\Windows\System32\ytRVgTT.exe
  2⤵
  PID:6124
- C:\Windows\System32\GCWeSkd.exe
  C:\Windows\System32\GCWeSkd.exe
  2⤵
  PID:2916
- C:\Windows\System32\tbXPZmS.exe
  C:\Windows\System32\tbXPZmS.exe
  2⤵
  PID:1508
- C:\Windows\System32\BkOHrjG.exe
  C:\Windows\System32\BkOHrjG.exe
  2⤵
  PID:532
- C:\Windows\System32\nQuxTCt.exe
  C:\Windows\System32\nQuxTCt.exe
  2⤵
  PID:5160
- C:\Windows\System32\FAykoEj.exe
  C:\Windows\System32\FAykoEj.exe
  2⤵
  PID:5208
- C:\Windows\System32\UUiZjIz.exe
  C:\Windows\System32\UUiZjIz.exe
  2⤵
  PID:5276
- C:\Windows\System32\dpvvhZw.exe
  C:\Windows\System32\dpvvhZw.exe
  2⤵
  PID:5348
- C:\Windows\System32\jJDkCys.exe
  C:\Windows\System32\jJDkCys.exe
  2⤵
  PID:5404
- C:\Windows\System32\XhZtmsZ.exe
  C:\Windows\System32\XhZtmsZ.exe
  2⤵
  PID:5472
- C:\Windows\System32\OdsgQmI.exe
  C:\Windows\System32\OdsgQmI.exe
  2⤵
  PID:5664
- C:\Windows\System32\QTmMCEg.exe
  C:\Windows\System32\QTmMCEg.exe
  2⤵
  PID:5720
- C:\Windows\System32\NMROzJo.exe
  C:\Windows\System32\NMROzJo.exe
  2⤵
  PID:5740
- C:\Windows\System32\bzbHXEx.exe
  C:\Windows\System32\bzbHXEx.exe
  2⤵
  PID:5948
- C:\Windows\System32\TPhSfdb.exe
  C:\Windows\System32\TPhSfdb.exe
  2⤵
  PID:6000
- C:\Windows\System32\rWdWUrr.exe
  C:\Windows\System32\rWdWUrr.exe
  2⤵
  PID:764
- C:\Windows\System32\UrQtPKd.exe
  C:\Windows\System32\UrQtPKd.exe
  2⤵
  PID:464
- C:\Windows\System32\trCcUCl.exe
  C:\Windows\System32\trCcUCl.exe
  2⤵
  PID:4176
- C:\Windows\System32\eTnJMWD.exe
  C:\Windows\System32\eTnJMWD.exe
  2⤵
  PID:5076
- C:\Windows\System32\cXUUTWY.exe
  C:\Windows\System32\cXUUTWY.exe
  2⤵
  PID:5192
- C:\Windows\System32\nmrSDED.exe
  C:\Windows\System32\nmrSDED.exe
  2⤵
  PID:5020
- C:\Windows\System32\nHZMZOi.exe
  C:\Windows\System32\nHZMZOi.exe
  2⤵
  PID:4480
- C:\Windows\System32\PUMhwMt.exe
  C:\Windows\System32\PUMhwMt.exe
  2⤵
  PID:3956
- C:\Windows\System32\FsSEuiA.exe
  C:\Windows\System32\FsSEuiA.exe
  2⤵
  PID:4248
- C:\Windows\System32\QlsFHvh.exe
  C:\Windows\System32\QlsFHvh.exe
  2⤵
  PID:3716
- C:\Windows\System32\tPXxwRa.exe
  C:\Windows\System32\tPXxwRa.exe
  2⤵
  PID:2720
- C:\Windows\System32\XFFCfyj.exe
  C:\Windows\System32\XFFCfyj.exe
  2⤵
  PID:2136
- C:\Windows\System32\gGklnOl.exe
  C:\Windows\System32\gGklnOl.exe
  2⤵
  PID:396
- C:\Windows\System32\BugAYQU.exe
  C:\Windows\System32\BugAYQU.exe
  2⤵
  PID:2364
- C:\Windows\System32\VlnmySI.exe
  C:\Windows\System32\VlnmySI.exe
  2⤵
  PID:5780
- C:\Windows\System32\DHGLFHS.exe
  C:\Windows\System32\DHGLFHS.exe
  2⤵
  PID:2852
- C:\Windows\System32\nbJBrUO.exe
  C:\Windows\System32\nbJBrUO.exe
  2⤵
  PID:5860
- C:\Windows\System32\nfgqnnj.exe
  C:\Windows\System32\nfgqnnj.exe
  2⤵
  PID:5796
- C:\Windows\System32\ipnmvdi.exe
  C:\Windows\System32\ipnmvdi.exe
  2⤵
  PID:2200
- C:\Windows\System32\JTTPCaB.exe
  C:\Windows\System32\JTTPCaB.exe
  2⤵
  PID:2728
- C:\Windows\System32\SqkyEYc.exe
  C:\Windows\System32\SqkyEYc.exe
  2⤵
  PID:1824
- C:\Windows\System32\TIjlhtZ.exe
  C:\Windows\System32\TIjlhtZ.exe
  2⤵
  PID:5060
- C:\Windows\System32\CYVXdVb.exe
  C:\Windows\System32\CYVXdVb.exe
  2⤵
  PID:4940
- C:\Windows\System32\grEbaPw.exe
  C:\Windows\System32\grEbaPw.exe
  2⤵
  PID:2028
- C:\Windows\System32\bcJnrsn.exe
  C:\Windows\System32\bcJnrsn.exe
  2⤵
  PID:4088
- C:\Windows\System32\atsIPGQ.exe
  C:\Windows\System32\atsIPGQ.exe
  2⤵
  PID:5804
- C:\Windows\System32\pBATCrM.exe
  C:\Windows\System32\pBATCrM.exe
  2⤵
  PID:5684
- C:\Windows\System32\BqVazbE.exe
  C:\Windows\System32\BqVazbE.exe
  2⤵
  PID:4808
- C:\Windows\System32\aULwdjy.exe
  C:\Windows\System32\aULwdjy.exe
  2⤵
  PID:5272
- C:\Windows\System32\iwxxjZw.exe
  C:\Windows\System32\iwxxjZw.exe
  2⤵
  PID:3808
- C:\Windows\System32\MvdemqA.exe
  C:\Windows\System32\MvdemqA.exe
  2⤵
  PID:412
- C:\Windows\System32\zKStzYA.exe
  C:\Windows\System32\zKStzYA.exe
  2⤵
  PID:3056
- C:\Windows\System32\QnEsYPL.exe
  C:\Windows\System32\QnEsYPL.exe
  2⤵
  PID:1704
- C:\Windows\System32\pUqfLqb.exe
  C:\Windows\System32\pUqfLqb.exe
  2⤵
  PID:2748
- C:\Windows\System32\WBSwaSA.exe
  C:\Windows\System32\WBSwaSA.exe
  2⤵
  PID:1732
- C:\Windows\System32\JumclFA.exe
  C:\Windows\System32\JumclFA.exe
  2⤵
  PID:4860
- C:\Windows\System32\fAGwgOt.exe
  C:\Windows\System32\fAGwgOt.exe
  2⤵
  PID:5628
- C:\Windows\System32\ELayrZs.exe
  C:\Windows\System32\ELayrZs.exe
  2⤵
  PID:5544
- C:\Windows\System32\khNSIRF.exe
  C:\Windows\System32\khNSIRF.exe
  2⤵
  PID:4420
- C:\Windows\System32\ULKpWPd.exe
  C:\Windows\System32\ULKpWPd.exe
  2⤵
  PID:6164
- C:\Windows\System32\JGqrfRJ.exe
  C:\Windows\System32\JGqrfRJ.exe
  2⤵
  PID:6184
- C:\Windows\System32\acimgkd.exe
  C:\Windows\System32\acimgkd.exe
  2⤵
  PID:6204
- C:\Windows\System32\JGhFLYg.exe
  C:\Windows\System32\JGhFLYg.exe
  2⤵
  PID:6224
- C:\Windows\System32\TMOCfCu.exe
  C:\Windows\System32\TMOCfCu.exe
  2⤵
  PID:6244
- C:\Windows\System32\wQtgdCb.exe
  C:\Windows\System32\wQtgdCb.exe
  2⤵
  PID:6260
- C:\Windows\System32\WqOhzzl.exe
  C:\Windows\System32\WqOhzzl.exe
  2⤵
  PID:6280
- C:\Windows\System32\ixJwafu.exe
  C:\Windows\System32\ixJwafu.exe
  2⤵
  PID:6376
- C:\Windows\System32\zrRejJW.exe
  C:\Windows\System32\zrRejJW.exe
  2⤵
  PID:6416
- C:\Windows\System32\YUceIgq.exe
  C:\Windows\System32\YUceIgq.exe
  2⤵
  PID:6480
- C:\Windows\System32\KVxHhIc.exe
  C:\Windows\System32\KVxHhIc.exe
  2⤵
  PID:6500
- C:\Windows\System32\eNBqSXi.exe
  C:\Windows\System32\eNBqSXi.exe
  2⤵
  PID:6520
- C:\Windows\System32\BnMEacY.exe
  C:\Windows\System32\BnMEacY.exe
  2⤵
  PID:6536
- C:\Windows\System32\weAONwJ.exe
  C:\Windows\System32\weAONwJ.exe
  2⤵
  PID:6556
- C:\Windows\System32\GXQecrI.exe
  C:\Windows\System32\GXQecrI.exe
  2⤵
  PID:6580
- C:\Windows\System32\jAdSASq.exe
  C:\Windows\System32\jAdSASq.exe
  2⤵
  PID:6600
- C:\Windows\System32\RtMUxxC.exe
  C:\Windows\System32\RtMUxxC.exe
  2⤵
  PID:6620
- C:\Windows\System32\tYULgzi.exe
  C:\Windows\System32\tYULgzi.exe
  2⤵
  PID:6664
- C:\Windows\System32\zKEDmkp.exe
  C:\Windows\System32\zKEDmkp.exe
  2⤵
  PID:6680
- C:\Windows\System32\WmBaDMY.exe
  C:\Windows\System32\WmBaDMY.exe
  2⤵
  PID:6708
- C:\Windows\System32\EXCQoBu.exe
  C:\Windows\System32\EXCQoBu.exe
  2⤵
  PID:6752
- C:\Windows\System32\dsierNw.exe
  C:\Windows\System32\dsierNw.exe
  2⤵
  PID:6780
- C:\Windows\System32\KtdSGZi.exe
  C:\Windows\System32\KtdSGZi.exe
  2⤵
  PID:6824
- C:\Windows\System32\ImHnvmE.exe
  C:\Windows\System32\ImHnvmE.exe
  2⤵
  PID:6856
- C:\Windows\System32\AXDWaPF.exe
  C:\Windows\System32\AXDWaPF.exe
  2⤵
  PID:6876
- C:\Windows\System32\nAxaMwj.exe
  C:\Windows\System32\nAxaMwj.exe
  2⤵
  PID:6952
- C:\Windows\System32\mfDOGcr.exe
  C:\Windows\System32\mfDOGcr.exe
  2⤵
  PID:6972
- C:\Windows\System32\YHMohiz.exe
  C:\Windows\System32\YHMohiz.exe
  2⤵
  PID:7000
- C:\Windows\System32\GchNMQw.exe
  C:\Windows\System32\GchNMQw.exe
  2⤵
  PID:7040
- C:\Windows\System32\BFgzayj.exe
  C:\Windows\System32\BFgzayj.exe
  2⤵
  PID:7064
- C:\Windows\System32\OFBWTGd.exe
  C:\Windows\System32\OFBWTGd.exe
  2⤵
  PID:7120
- C:\Windows\System32\whHxDnS.exe
  C:\Windows\System32\whHxDnS.exe
  2⤵
  PID:7152
- C:\Windows\System32\lEPWJfn.exe
  C:\Windows\System32\lEPWJfn.exe
  2⤵
  PID:336
- C:\Windows\System32\qvMgAKv.exe
  C:\Windows\System32\qvMgAKv.exe
  2⤵
  PID:6176
- C:\Windows\System32\EHxoRXZ.exe
  C:\Windows\System32\EHxoRXZ.exe
  2⤵
  PID:6172
- C:\Windows\System32\enYFlhZ.exe
  C:\Windows\System32\enYFlhZ.exe
  2⤵
  PID:6276
- C:\Windows\System32\JBKsFRu.exe
  C:\Windows\System32\JBKsFRu.exe
  2⤵
  PID:6336
- C:\Windows\System32\DUifhrm.exe
  C:\Windows\System32\DUifhrm.exe
  2⤵
  PID:6424
- C:\Windows\System32\KUWQTRS.exe
  C:\Windows\System32\KUWQTRS.exe
  2⤵
  PID:6544
- C:\Windows\System32\gSUzOqL.exe
  C:\Windows\System32\gSUzOqL.exe
  2⤵
  PID:6548
- C:\Windows\System32\rgkomrT.exe
  C:\Windows\System32\rgkomrT.exe
  2⤵
  PID:6696
- C:\Windows\System32\dDfOQgj.exe
  C:\Windows\System32\dDfOQgj.exe
  2⤵
  PID:6676
- C:\Windows\System32\pOQmckR.exe
  C:\Windows\System32\pOQmckR.exe
  2⤵
  PID:6792
- C:\Windows\System32\FnCHLjs.exe
  C:\Windows\System32\FnCHLjs.exe
  2⤵
  PID:6836
- C:\Windows\System32\nxbIiLj.exe
  C:\Windows\System32\nxbIiLj.exe
  2⤵
  PID:6888
- C:\Windows\System32\OdQlMWa.exe
  C:\Windows\System32\OdQlMWa.exe
  2⤵
  PID:6960
- C:\Windows\System32\RBcyVdV.exe
  C:\Windows\System32\RBcyVdV.exe
  2⤵
  PID:7020
- C:\Windows\System32\oLEQOUH.exe
  C:\Windows\System32\oLEQOUH.exe
  2⤵
  PID:7080
- C:\Windows\System32\QrmsgLU.exe
  C:\Windows\System32\QrmsgLU.exe
  2⤵
  PID:7164
- C:\Windows\System32\DjLFPvH.exe
  C:\Windows\System32\DjLFPvH.exe
  2⤵
  PID:6048
- C:\Windows\System32\rjitRys.exe
  C:\Windows\System32\rjitRys.exe
  2⤵
  PID:6272
- C:\Windows\System32\tmQYFWi.exe
  C:\Windows\System32\tmQYFWi.exe
  2⤵
  PID:6292
- C:\Windows\System32\rMkkwPL.exe
  C:\Windows\System32\rMkkwPL.exe
  2⤵
  PID:6564
- C:\Windows\System32\VkicJXT.exe
  C:\Windows\System32\VkicJXT.exe
  2⤵
  PID:6616
- C:\Windows\System32\KlCzjlr.exe
  C:\Windows\System32\KlCzjlr.exe
  2⤵
  PID:6720
- C:\Windows\System32\HErvODq.exe
  C:\Windows\System32\HErvODq.exe
  2⤵
  PID:6924
- C:\Windows\System32\BqlNokV.exe
  C:\Windows\System32\BqlNokV.exe
  2⤵
  PID:7028
- C:\Windows\System32\LaaoPrv.exe
  C:\Windows\System32\LaaoPrv.exe
  2⤵
  PID:7100
- C:\Windows\System32\yngGKDi.exe
  C:\Windows\System32\yngGKDi.exe
  2⤵
  PID:2384
- C:\Windows\System32\TzoGrFy.exe
  C:\Windows\System32\TzoGrFy.exe
  2⤵
  PID:6356
- C:\Windows\System32\vIrAkyl.exe
  C:\Windows\System32\vIrAkyl.exe
  2⤵
  PID:6404
- C:\Windows\System32\dikJkcP.exe
  C:\Windows\System32\dikJkcP.exe
  2⤵
  PID:6632
- C:\Windows\System32\VgqWGVG.exe
  C:\Windows\System32\VgqWGVG.exe
  2⤵
  PID:7180
- C:\Windows\System32\Cfrdjoj.exe
  C:\Windows\System32\Cfrdjoj.exe
  2⤵
  PID:7196
- C:\Windows\System32\JSEIDKo.exe
  C:\Windows\System32\JSEIDKo.exe
  2⤵
  PID:7216
- C:\Windows\System32\aCFNSdF.exe
  C:\Windows\System32\aCFNSdF.exe
  2⤵
  PID:7240
- C:\Windows\System32\usIUkak.exe
  C:\Windows\System32\usIUkak.exe
  2⤵
  PID:7260
- C:\Windows\System32\fyAsGum.exe
  C:\Windows\System32\fyAsGum.exe
  2⤵
  PID:7340
- C:\Windows\System32\QFwSnaj.exe
  C:\Windows\System32\QFwSnaj.exe
  2⤵
  PID:7364
- C:\Windows\System32\CVQjfPA.exe
  C:\Windows\System32\CVQjfPA.exe
  2⤵
  PID:7380
- C:\Windows\System32\gsskPJw.exe
  C:\Windows\System32\gsskPJw.exe
  2⤵
  PID:7400
- C:\Windows\System32\fEFaWTN.exe
  C:\Windows\System32\fEFaWTN.exe
  2⤵
  PID:7420
- C:\Windows\System32\hdYmSuV.exe
  C:\Windows\System32\hdYmSuV.exe
  2⤵
  PID:7436
- C:\Windows\System32\dVQUoTu.exe
  C:\Windows\System32\dVQUoTu.exe
  2⤵
  PID:7476
- C:\Windows\System32\rKYLnAW.exe
  C:\Windows\System32\rKYLnAW.exe
  2⤵
  PID:7500
- C:\Windows\System32\sSYNelE.exe
  C:\Windows\System32\sSYNelE.exe
  2⤵
  PID:7540
- C:\Windows\System32\egHxlQB.exe
  C:\Windows\System32\egHxlQB.exe
  2⤵
  PID:7596
- C:\Windows\System32\wuZBbIh.exe
  C:\Windows\System32\wuZBbIh.exe
  2⤵
  PID:7616
- C:\Windows\System32\uOzzEyP.exe
  C:\Windows\System32\uOzzEyP.exe
  2⤵
  PID:7652
- C:\Windows\System32\yboaeGv.exe
  C:\Windows\System32\yboaeGv.exe
  2⤵
  PID:7672
- C:\Windows\System32\VRNOLom.exe
  C:\Windows\System32\VRNOLom.exe
  2⤵
  PID:7696
- C:\Windows\System32\xWSOlDs.exe
  C:\Windows\System32\xWSOlDs.exe
  2⤵
  PID:7716
- C:\Windows\System32\GkEsyhY.exe
  C:\Windows\System32\GkEsyhY.exe
  2⤵
  PID:7736
- C:\Windows\System32\PgbCkwZ.exe
  C:\Windows\System32\PgbCkwZ.exe
  2⤵
  PID:7780
- C:\Windows\System32\DVBgTGf.exe
  C:\Windows\System32\DVBgTGf.exe
  2⤵
  PID:7832
- C:\Windows\System32\rPVbYIZ.exe
  C:\Windows\System32\rPVbYIZ.exe
  2⤵
  PID:7912
- C:\Windows\System32\ShbfTmX.exe
  C:\Windows\System32\ShbfTmX.exe
  2⤵
  PID:7932
- C:\Windows\System32\hJfcVep.exe
  C:\Windows\System32\hJfcVep.exe
  2⤵
  PID:7968
- C:\Windows\System32\TUQVNUY.exe
  C:\Windows\System32\TUQVNUY.exe
  2⤵
  PID:8028
- C:\Windows\System32\bZJLaXy.exe
  C:\Windows\System32\bZJLaXy.exe
  2⤵
  PID:8052
- C:\Windows\System32\RFNrIJb.exe
  C:\Windows\System32\RFNrIJb.exe
  2⤵
  PID:8096
- C:\Windows\System32\gAJWaZm.exe
  C:\Windows\System32\gAJWaZm.exe
  2⤵
  PID:8116
- C:\Windows\System32\rocdmQD.exe
  C:\Windows\System32\rocdmQD.exe
  2⤵
  PID:8136
- C:\Windows\System32\LMvbAOU.exe
  C:\Windows\System32\LMvbAOU.exe
  2⤵
  PID:8152
- C:\Windows\System32\icYyVZy.exe
  C:\Windows\System32\icYyVZy.exe
  2⤵
  PID:6904
- C:\Windows\System32\mvmiPWx.exe
  C:\Windows\System32\mvmiPWx.exe
  2⤵
  PID:7172
- C:\Windows\System32\JuFuuGb.exe
  C:\Windows\System32\JuFuuGb.exe
  2⤵
  PID:7256
- C:\Windows\System32\cGQkxnU.exe
  C:\Windows\System32\cGQkxnU.exe
  2⤵
  PID:7304
- C:\Windows\System32\ObVKTPa.exe
  C:\Windows\System32\ObVKTPa.exe
  2⤵
  PID:7292
- C:\Windows\System32\tgUsCBa.exe
  C:\Windows\System32\tgUsCBa.exe
  2⤵
  PID:7376
- C:\Windows\System32\KWwCJlt.exe
  C:\Windows\System32\KWwCJlt.exe
  2⤵
  PID:7372
- C:\Windows\System32\gEYoXod.exe
  C:\Windows\System32\gEYoXod.exe
  2⤵
  PID:7484
- C:\Windows\System32\vRBNojm.exe
  C:\Windows\System32\vRBNojm.exe
  2⤵
  PID:7576
- C:\Windows\System32\jPbFlsq.exe
  C:\Windows\System32\jPbFlsq.exe
  2⤵
  PID:7748
- C:\Windows\System32\lCgoSWU.exe
  C:\Windows\System32\lCgoSWU.exe
  2⤵
  PID:7744
- C:\Windows\System32\jSGMfeT.exe
  C:\Windows\System32\jSGMfeT.exe
  2⤵
  PID:7876
- C:\Windows\System32\WmeHaEs.exe
  C:\Windows\System32\WmeHaEs.exe
  2⤵
  PID:7900
- C:\Windows\System32\imBvPZW.exe
  C:\Windows\System32\imBvPZW.exe
  2⤵
  PID:7980
- C:\Windows\System32\hzkCotv.exe
  C:\Windows\System32\hzkCotv.exe
  2⤵
  PID:8084
- C:\Windows\System32\wZzapUQ.exe
  C:\Windows\System32\wZzapUQ.exe
  2⤵
  PID:8148
- C:\Windows\System32\aWlrQbb.exe
  C:\Windows\System32\aWlrQbb.exe
  2⤵
  PID:8128
- C:\Windows\System32\PClKhkG.exe
  C:\Windows\System32\PClKhkG.exe
  2⤵
  PID:7176
- C:\Windows\System32\PmCriiA.exe
  C:\Windows\System32\PmCriiA.exe
  2⤵
  PID:6220
- C:\Windows\System32\HBmPtXH.exe
  C:\Windows\System32\HBmPtXH.exe
  2⤵
  PID:7432
- C:\Windows\System32\TuomzJl.exe
  C:\Windows\System32\TuomzJl.exe
  2⤵
  PID:7416
- C:\Windows\System32\gtMDUrF.exe
  C:\Windows\System32\gtMDUrF.exe
  2⤵
  PID:7680
- C:\Windows\System32\mtTfcBh.exe
  C:\Windows\System32\mtTfcBh.exe
  2⤵
  PID:7792
- C:\Windows\System32\raNWiik.exe
  C:\Windows\System32\raNWiik.exe
  2⤵
  PID:7976
- C:\Windows\System32\qlcCWjV.exe
  C:\Windows\System32\qlcCWjV.exe
  2⤵
  PID:8024
- C:\Windows\System32\WtvcXJr.exe
  C:\Windows\System32\WtvcXJr.exe
  2⤵
  PID:676
- C:\Windows\System32\pQXPYzb.exe
  C:\Windows\System32\pQXPYzb.exe
  2⤵
  PID:2320
- C:\Windows\System32\lxaNpVZ.exe
  C:\Windows\System32\lxaNpVZ.exe
  2⤵
  PID:7636
- C:\Windows\System32\NElolRK.exe
  C:\Windows\System32\NElolRK.exe
  2⤵
  PID:7396
- C:\Windows\System32\nTRpswS.exe
  C:\Windows\System32\nTRpswS.exe
  2⤵
  PID:7868
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 7868 -s 256
    3⤵
    PID:8956
- C:\Windows\System32\ZiERlNI.exe
  C:\Windows\System32\ZiERlNI.exe
  2⤵
  PID:8008
- C:\Windows\System32\wqFVkia.exe
  C:\Windows\System32\wqFVkia.exe
  2⤵
  PID:4376
- C:\Windows\System32\PYAHXLT.exe
  C:\Windows\System32\PYAHXLT.exe
  2⤵
  PID:7108

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv XuW2FyQ8mUKEnQgOLrcpSQ.0.2
1⤵
PID:8512
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 8512 -s 476
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:8316

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 8512 -i 8512 -h 472 -j 600 -s 592 -d 9000
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:9164

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:8364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\FnYBAre.exe

Filesize
3.3MB

MD5
de3169ff6aee24bbc3939b3bd94788b8

SHA1
61771c8689a5810a70674d48522545d925618ad2

SHA256
cec42fd15166e8ea29bd037794db4babe02652cb5ab7a7f46026c72977190057

SHA512
92821f9008ffdd2fec8a7497edf317fe65daf16bf52cfdbb44148dc6f6ceb93249ba28cdcf0eb0791f27782c80921ed4ed8c8fb3a821b73aae8aebfa29e7a053

Download Submit
C:\Windows\System32\FnYBAre.exe

Filesize
934KB

MD5
59ab51eba33115c63a7705be2fd7c3b3

SHA1
8e7ed2ad841f369b73942dd429f6c0d5e3e05647

SHA256
b2769f54795f8383237b067aa4c345293b95ef1ce0879ec40a8ce3c443e3fa8b

SHA512
3687d72391375c3d2eddc10f889d39fdf85c47deed8ef270af28a4a41c4954b21d92a68c2ca947e8aea3a40420c15eefe4b61b032ca50bf50d8e4d7ba3cb6ce0

Download Submit
C:\Windows\System32\IwdhyMh.exe

Filesize
3.3MB

MD5
0fb881e4dff8cf5084ad1d5d8a791e58

SHA1
a11d4ed159d569407bb08eddcb36a0be609c652e

SHA256
b9d63df5c44429293775f26c8e6a36e4dc4427f2b309b9173b3ac4f4f7ed5cc6

SHA512
c8e1c5309a808815c678b9d94681581d23de5eb25e34b7bc3ee2a7729dbcce711ed773530e4b750e5b9e0137bab9c8db7fa8c27eb73b2316d9d98082ea69a652

Download Submit
C:\Windows\System32\JYMrsMF.exe

Filesize
3.3MB

MD5
7921051317851ff5d2dc36e7583b02a2

SHA1
f273f7e4bc066058e4040d49464773228c573bda

SHA256
d25f6a27899679fc1d4b147502c2a7f95957b3e485c8a921e7f87c33dce7fced

SHA512
dbe467564c5f2040a9085e048f131c1ec66613dcdcbace7a4a24792c84e4f54cc62a32d71af560ea2ceb2e8bcdbe19ea951cc1a1b568993ad3d8fae3dda021f1

Download Submit
C:\Windows\System32\KErpzod.exe

Filesize
1.1MB

MD5
4ea3442856cbd29d1a8d379cb45dd04b

SHA1
486073cf19a2c3d0b46107b1e06c260282a6f153

SHA256
dd565783c517cb56731b06763e319dd68b52c8d767013487b5dd553e06d94815

SHA512
8af7b74cc96bea57eeead44be38a1770ab35c51434fe5e5e0d7f6d2e7161f6041ee1385808f24b7331ef8cb3a7270e7956619d275fb5563931909a46f23eb950

Download Submit
C:\Windows\System32\KErpzod.exe

Filesize
3.3MB

MD5
69f8e0588accc029253c2eb6b43282c2

SHA1
809e03820b844c7b32ac60b881be477c77556729

SHA256
9702788d60d24a41e970f47a1a7e61b7e7548d6bc4678798117cfc0102452b40

SHA512
39b0fb01355b0f950fd81dd4f922d1d4324dccb4e6872be9faf04747342d1b3d092332c611d8348d2f4aa18da0b7d45294a1aab3732720da9fe8e2f5d30b2fb7

Download Submit
C:\Windows\System32\KPTNJSz.exe

Filesize
3.3MB

MD5
415ac0e51b21bf69c6ec3af01fdbf4da

SHA1
cb133399e4e72eadc92d2a954074497c99ce874b

SHA256
145e51b53656e4774bc86c99c6977e4f794655a1c621ce6f37bdd60048b8cfbb

SHA512
0f1c5702fea58a64efe9b0c1f72d43a6353aa5ba08799c7e56e7335c68540682bf140aee348676de0aa838d9a540fe245e839fc5a9f35c5c6a1c03274f86efe4

Download Submit
C:\Windows\System32\MvsJUfp.exe

Filesize
3.3MB

MD5
30866f4393dda748fcf485db418a0457

SHA1
ad61a44bb811edf58e1de6ad289dc8052592c40e

SHA256
fa25f996d0b4c5854d5f04adf7940a15b9e758823865ef5977b92f75aba1c290

SHA512
df63259f9e67c4b0504cae84cc4f0757df28a5deb7121894756c31024bc701da7d45fb040df34442528a91eaa27712e81bf7bc8910352df73fb7a7553ea50a1d

Download Submit
C:\Windows\System32\PlELMDl.exe

Filesize
1.2MB

MD5
6d7be4562532213165259cc757a776a5

SHA1
a58b978e99b9f31af3b049eec172fc2f8e64092f

SHA256
8c3e390fd8199728f18caf77ea4117ad6e5949caa03bc99a1c636f90981182c4

SHA512
d6f74f3fa821d6cfbfed8c6816ec2249a29acdb9e494c03a2d2558d5f6286e72f8188b44a33af811e779047032cd0eaaf29583b5acb58b50e92be06b1efaecfb

Download Submit
C:\Windows\System32\QdGABSU.exe

Filesize
3.3MB

MD5
396cf10fe9d06199ffb32fe1bcda372d

SHA1
42ac6a5f6b8053e77c85bc385406d618804cf442

SHA256
0944f587cf5b31ca0712c96f1253d12c2e79ab39e29ab97d598ea74ac1ecc740

SHA512
fcaa4252cb0dae98def1f0e7703147f53bc9f748b01c280c5ab6506345768c1b20b82354e99ed2432089edb9816ce7ea84a69e8496b2c95ce59c09053a1d76d1

Download Submit
C:\Windows\System32\QdGABSU.exe

Filesize
256KB

MD5
d3d9b4d92b92238ffdf6a003b8431668

SHA1
368a8b9d71a7d677acb4b37ff6e5ecdaae57bfd8

SHA256
4d408a97678621a5e9ab036a39c83bdbe9985915cf0d7b83fd304c30a62a5af0

SHA512
7246a7c79cb01a44fe8471ae2354f5e57c2a08d0dcd96d76aae20a42b6a6ab52c80643c9ca84e54b17ca7677302820e1c2928c23055fa8682565c9024e54ac26

Download Submit
C:\Windows\System32\VdqfpoB.exe

Filesize
3.3MB

MD5
f539a5a53289946f739e70931c68c8e6

SHA1
03d75ccb9846420aada807153935dca03e486d9e

SHA256
ca997b3a4952a73f634abb646b48317a7ddb330380d2a526650412ee985947d3

SHA512
2d8688e4814aa9112b44040ed6b41b459d0f69a1727ab28b045df2925a1fbff8734a1cf09d2eb683cb34b7ae7643bd6b2a3a84e8b7b4b9a4cec081799cfa831f

Download Submit
C:\Windows\System32\WXfNOuE.exe

Filesize
3.3MB

MD5
af4e977e6a2d4730229564e21ca182f4

SHA1
a7e3e1398887f64d4af492b5268ee2887075f7a1

SHA256
52f0b4955ebd9aedca8c141b2a446093537829212a792eca7c0f204f043b2a75

SHA512
8de8e034008b14f023d1fc20a336e2c77bf38af15fd655c53753f1fb6906818c8c5d7dcb740107d609dd4702877158051c695c21635c0800ad6b9f97f5111fc9

Download Submit
C:\Windows\System32\WXxYPxe.exe

Filesize
3.3MB

MD5
97a6115961e1a84ceb5ed0b31ec5f6ba

SHA1
8ac18702237106c1c2b1385c54e3b1d4a34bd2d7

SHA256
5d53ed89157f0a45f2b3ff91b9be8e1f4d2386f52335f6ed8bba22d68614bb46

SHA512
c8702c6c145d0ec98c6c223900c06d9727e6770127c700bb71b186d221647e0e5f8dd6bcd6e16a67e3821fd707f4e2c96c4590ae1355029cc2c82b50c6881332

Download Submit
C:\Windows\System32\WzoUsxz.exe

Filesize
3.3MB

MD5
d5fb399b54389b04079ed750cd646fff

SHA1
823394fa167db596b252ab65a4bf6a3b2d77a48e

SHA256
678475201c5a33b25f0f9e8dd950da2e29aedf8cdcebffb15a27e2b4d523359f

SHA512
f5d65902df1295a239e6d9c0a8652dd7c8dd0631aab11ebb968bd37a469cfc17c377cb332697f576c5c4667f7420b2099ed746250e393bb414efa66e5745b3d0

Download Submit
C:\Windows\System32\XiLBjGX.exe

Filesize
3.3MB

MD5
57ccda3cbd2635fc6125f48a757d299c

SHA1
21d0d91e993f6d1c2bd3e0566c4d066c888fa324

SHA256
3407d796bbdb5d1f39ab10887454adcacfb4cffda43c04f858924d44827ccaa6

SHA512
1d5922f12914974304e2b1c52ea19a65e50663c0e9660e215389872ead8abd8c8d718c36ee36cb74cab24676670d5ab2de0b36ac28c0c0a04633096653d58f82

Download Submit
C:\Windows\System32\YGtYQae.exe

Filesize
1024KB

MD5
1a3b504e90713de6b6977a7d0d95fc3b

SHA1
9783e80b963d4055570031e1c131a15b8eaf1941

SHA256
8be66f4b02b8d1121a6c1a6488764e3cfffc7ec51df33fef6b144dd5893a8897

SHA512
ab9955d4b2d6a8c881c7050b20d65fa3244fd6bfd57e359157569595fb41a611b0083161d86bd4a360946753ff8aaf1213bfa9450657d88369cd145d9d76be3d

Download Submit
C:\Windows\System32\YGtYQae.exe

Filesize
1.4MB

MD5
eb2872284253f6067b044ca4552914b5

SHA1
91640cb5376d897b36a0e87feed4d8bc0427b9eb

SHA256
b185b2e104beb215e868d75fc038bc726500c7fd29904b8920235bae3f08777d

SHA512
9ce669668e5592be7a6956bb0dbfe1ce621520fb8884ffd298f78237bf70d285b8b4cb3e431b05be1bd6fc3a595b6edfd4c8286f678656e748c86d3a2ed6971d

Download Submit
C:\Windows\System32\deoasCO.exe

Filesize
3.3MB

MD5
6ac16562c3917f2adf971631b52a4936

SHA1
d1bf67e1ac0be9f3b1d9bd4978907ca908306488

SHA256
7bcb4bb2b3ecc9125277d7c1668e44706ad647016db80c3ed35e6dfe9f718459

SHA512
9a187f89df5d24be2e0d6d1fd35ca8d9f54636e3b1ac0b090f65049dc4e8c26cd719a49010bce7e325a09970f7bd788522081a60832ebb34babadbb19581d564

Download Submit
C:\Windows\System32\dpKOoyy.exe

Filesize
3.3MB

MD5
a5fbdf36c3a419c6d2578787b1b18127

SHA1
af8d39b47b5a8534db3402453fa06d413814b7e1

SHA256
b82fe1bd61186580c04ac58be8e91a7c8fce52b38331307e473588c441aba4bf

SHA512
c5c4b024827d8896fb42752bd6ddc88ce1a295cdc45c93b3cb863ed998d540a9aa896f6d084500ee6af893e55f6ef0575ce86e08846a7cc4ac1025ba6051c735

Download Submit
C:\Windows\System32\fmfejjv.exe

Filesize
3.3MB

MD5
33b729be6ef36b1fa5ced4665aa5a04e

SHA1
caf6696efa68ca5d4b8f19df71310b0ad5daf699

SHA256
469b3a94d4fa1ea712bf8560dce4007864a19dddb23f3cef4a1d01617e863537

SHA512
6d231778420e4767aa5bf633e66e06812770e624cdc340e06f926fbeae2ced6959d37a7d45a13d66ec2077c22a1d6df2c4e11d0311e4384d40e9e7b778735b7e

Download Submit
C:\Windows\System32\fmfejjv.exe

Filesize
320KB

MD5
f8dac425fbb797ceb1735e9647b079ee

SHA1
ffef151e56ab87ef57526304eb608110b5df8024

SHA256
20b238b707d8c82966cb2e1a67149e1bde8be0d051c013d56057d0de99fb06b1

SHA512
84933139f9ae3e2f23e9d5fcdf0edd556424f790c3e6ccd0c9d0b6aa6611522dea636a5aa40800461b95de9306b0b5a3ae78aa66cb0fec9180a6f899bcedc14b

Download Submit
C:\Windows\System32\fnpeGDh.exe

Filesize
3.3MB

MD5
9d40fbb8dd82fd99f7997ce3c18875c8

SHA1
e0c0225a46f5f6a5c80f4c8b296eccc677652d2f

SHA256
7b196f04afd1f4999ff6d764442ce870e8d44177f987623cc0ce66ea1c04201d

SHA512
453c50e1682299615da9643c9309d9fb73b37791babe20ba96e9ab34f438addf55d1986536c22fcc20692c2c4eafea1ad6a6c7f534829b3657c014eb564709cb

Download Submit
C:\Windows\System32\fnpeGDh.exe

Filesize
64KB

MD5
ae569e5a7c7b7cf1ffbe507911ab6ced

SHA1
400a2f5ec7afd24e669dd90233185a792e50e7cc

SHA256
48758e9560ac724ed839a7f1960349083ad893b86869ecf0487caf60b9f9e737

SHA512
9d0693df7bad9e5406e49e9678ce5c24297be044028d0ebb844cf8f37d1eced71e03884ae95ca0b94bfa5b1622574caf1fe8e4f0d852f0f1b5c90f1aabb3f7f0

Download Submit
C:\Windows\System32\gKkMFcj.exe

Filesize
3.3MB

MD5
454aea33c7fa467ef3461a81ef7534c5

SHA1
fd9b61d34a713d78b34ec305d2cfdcf3622a60a8

SHA256
d8e908298e114f083ba4880d391dc21425729e3538e00035ce8a9874faa409e0

SHA512
fee796f39cf122da0fb9bafe0c3821db599c641d31504c3e0c793ba5837bbf5ded26af7a5b244e86b84ed0ddb1225b7cd7881de04ed3c49c3885b733c7d34797

Download Submit
C:\Windows\System32\gYsvjwF.exe

Filesize
1.6MB

MD5
00a78edf494a86ea916618fe6230cd8c

SHA1
becedae513a0e9e5ca9acf358d4219b3525a4219

SHA256
6663fd086725f0d8211c1dfdf63cdbab3b4ccb69a878c0dbbf6a42298c8c176b

SHA512
636ddcdba3abba22aa887096df16fb3d5db2da99607e2d56e786820cf7f1619af56e7c4fa8e539710225a47fbc2c2715c197157ff9d05fd22d1b744ce1cc71de

Download Submit
C:\Windows\System32\gYsvjwF.exe

Filesize
2.7MB

MD5
0f680cef3c57142abd8b080c74e02876

SHA1
013eb9341340867e23bb4ef93350a604f709e98b

SHA256
3c8ce0b3466aea411231cfa4dde3ee50d07e128dbc686f7f753356d045611522

SHA512
2b154f7482d98a863f4bb5b12bd349d2546e9c81ca91371a7a07a62221f88635dd3ea0eccf7be322fc2b76d9aec4f2006466e25864abd6ff55a86947dd270da1

Download Submit
C:\Windows\System32\haeJpIn.exe

Filesize
3.3MB

MD5
1427d92120dcf43565ff1e45717be236

SHA1
e764b9d4b64af776996ac173f2b9d307bb60595a

SHA256
4d48bfe6e31aaa10509b4919e12d4f96d8366209cf79ac564a66c31ca4b8e614

SHA512
33d22002ae35dd96f5e087f382aa7d86094374263e957b5ce9bc045c91596212bd0ca556447301ff814a2a881b2c4074258f45e8d6da99b19c32160209aca514

Download Submit
C:\Windows\System32\hchYnVt.exe

Filesize
3.3MB

MD5
2b9d5ec84cb23ca7e219c6ec508188e1

SHA1
f98ead6002b824f18e784b564914fd6b2e010f36

SHA256
b35b1232c0afe0ee9cb3d7ab26501ce5081290d86fa89938276649b6c967a831

SHA512
17b53d57f9368414eeb72dcf8a4958bc53bf87c63e815b7c211e11851eea5684fb3b78b0b23b4302b92b6ad6c4a386d11cf32d79b8204b935199e31bf389e68d

Download Submit
C:\Windows\System32\iUJvyhB.exe

Filesize
3.3MB

MD5
93e18a377ed076eb0a35ee4f8e46f645

SHA1
d0afd8122c12151321f6f9e490620cd6f641a217

SHA256
9e0c424f02b4633edda72bbae9b6c7df35b7b1e312e50e231a44ddbc9adf1921

SHA512
058e95b7f7567842a40c36fe8dc070a283256fc677041ef549ca30efb56e55c9e11cbeadfd2edc2978ea74c60bb1e0de6f32c5f6d95156f47725ac11cc4ba299

Download Submit
C:\Windows\System32\iiSyPGM.exe

Filesize
128KB

MD5
60b04c970eee0bc6d9384f2146dcfb21

SHA1
89b2fc7acb9be61bc75b82b58a473e9e56557328

SHA256
4f65d15ee4bde9e93e15978a6de93a74bf3baa58e2382726f5337c998139fca9

SHA512
4d61693ff405b7e9292db15581531e872af6cdf6e5bc6126010cb0e498839e275250187f58833c4e95e5b80f1fe915dceb6e1a52926446ab771bbb31fbbc49f2

Download Submit
C:\Windows\System32\iiSyPGM.exe

Filesize
3.3MB

MD5
373d117a96521c90a8ac5f4b78c74cd3

SHA1
f819d3102327fa1555d555b1caba38489a3fbb93

SHA256
1137935b3b50463567bdbe298c48e9601cbb7de6980f6b8a45ae9e8f3c752633

SHA512
9aaac7f5b35f7687cdcbb5d3176f3ef02b5f3141cb7edb6bbf0452f740f1b4a4e300c5b8122df43273ab34546ee2aa45a02f63b4635087759ea54b573a42962c

Download Submit
C:\Windows\System32\kRyrYCD.exe

Filesize
3.3MB

MD5
9e35d6dc4ab05809c5cf7f5935d6c8f1

SHA1
32e22d792834f9492d2a0102f5a6a484ac771be4

SHA256
9ea286c3f8e34a438d375a1862c93dbca322512cf388af31cf0ea350bf87b4e9

SHA512
066045f9e8d0ff80c53cf0c195b2f88577e5860e7b9ae949f6f43cbf9ac9caf0d766043a5a2c33a4fd5784b0e504dd57c0c9dcfd97c8e326abd63fa718a65f8d

Download Submit
C:\Windows\System32\knoRcKR.exe

Filesize
3.3MB

MD5
a87a3bbbe6bcb869aa00c6ee3c798c01

SHA1
baf5e772aa92506c18d72cb51ee659ff2bb3e42e

SHA256
c0ebb0fefe0abd4c2097e7c4c55ffce37f185104f74505d9f54756caa027eca3

SHA512
9622634d3d3c08a88fbab73a2cddf4a60ecd4efdba5234828a862024472fc67f3abac7e7c18e06046e9f6be8f57a33a3280d94b48e8e7e24f07bbbbf074fc3e2

Download Submit
C:\Windows\System32\nFodkoz.exe

Filesize
3.3MB

MD5
d03fa7ba84d1aebf747b45a2cb277dd8

SHA1
584e4cdca8bc7de344a8196c0506adfefa84f8e3

SHA256
18ce122d04ef8e1428ac3abc3c30d7ad7ab44b2391f270ba83d7a1ed39399f78

SHA512
60ebdf82a317850eed8775dd6849e4ed1a10717e335e29bd47eeb3f819409e1a8e767bdeaaec16c9e24aa219253671ef593a513c8bb50e33aed478f1c44aa74e

Download Submit
C:\Windows\System32\tGHcYFT.exe

Filesize
3.3MB

MD5
ffceee2f77a7fea6211c17f78ea9fc9f

SHA1
c2371ba60ebf6bf9f131f0144875370b29aefb46

SHA256
e592b1a893122570abb77cafb81113b7f7c9bb51f668303cbf7ba2d297d84601

SHA512
b11d750e93b6ac84cde635cd2bd81d2e481de5745d609e6898992a88d61d09ffdd13fb9e25c61fdccdbf700abb23fc76b4a9eef8fa81fd249a04e36f2ec3d067

Download Submit
C:\Windows\System32\tGHcYFT.exe

Filesize
384KB

MD5
07eb1267d1ef815719b910ae04fcbb47

SHA1
0f15293a50513c0a4fff6361b12decffd3528658

SHA256
4f15c5ff3371ace81106fbb116a5e95a7912759192ed7c829400a360b199cbeb

SHA512
2784e6cf0041aee79d1a14fcd7dd3b5d323b0e6cac3369d3c7956c4a114dc3108b13894e9b0454484430ba7ab5cd402887e2414823170ebaebee23872688db70

Download Submit
C:\Windows\System32\twSIqKl.exe

Filesize
3.3MB

MD5
8e67e2ffde4e732adc28b7ee4df8fe7a

SHA1
2bae9bdbb7dc7c6756018dcd6e10008ff93d4496

SHA256
dc355b2360317a674e835e68924d63ee7f7b9ef8fda171db23ddc2dc85add689

SHA512
f60b85f693bd41bf8e7464064fa11f16fda7d7c305742010a5925673ca776cf47aafbe9eebd423f9060a91663dea3952d8f83a0ee6603caab7a406c5274d9b3d

Download Submit
C:\Windows\System32\twSIqKl.exe

Filesize
192KB

MD5
4078acc498785367144b11c7ff73bee3

SHA1
6ae18ea649652a9d920179426e366db6f228773d

SHA256
68f0f3815d88dc84375748a04e4e579e2e35de55a98f64f1b9f36877e7617331

SHA512
bbbadb632a05e04d5dc54df0cb2158fb141b62fab3f47e560e3f5ca0177292a732f14d21a6f4c340930f452ae853a9d6750c6f90efc567df30f34c005170d592

Download Submit
C:\Windows\System32\vEoVscc.exe

Filesize
3.3MB

MD5
96ab9682fabf2a47afc2e189abee9c2b

SHA1
d3b86669459cc420ad580a8e2f0b9c7b3742d337

SHA256
002aadb3e03d5cbf09837f42de08ebe7a31694044a83d01029fc9637e1314155

SHA512
c5fc6b0843cb69bcbb0653065740b666bedffd40b9f407b808823b963b1c3cf50c1ff5b6d4d45c19118a45eba3aaf4ff02915c369e345d7a066cacef9ba2bcad

Download Submit
C:\Windows\System32\vHMGxWb.exe

Filesize
3.3MB

MD5
495ad3f0bdc4d2bd672756d37a449fe6

SHA1
311ea13fbed20e11a12a0dc6a9ab875db0f5ab24

SHA256
380565e8306a3c36cb4a285ffb23b604c533f1987315601d0f293d980214da00

SHA512
1e5fa3ad18e5255c9457354cfc375dcc028b0c3fa083663c80e79ba680774a59a0a45e6207213cfa73c490f7e88b129c8a6c7375aa0608db7d9e74575d4f051c

Download Submit
C:\Windows\System32\yrMiWwr.exe

Filesize
3.3MB

MD5
0e1e2f0eebf955fdcbc25777840bd3de

SHA1
17f9beee174e630abb758fb49f67fd8d11f33b62

SHA256
59824a0662d01dac2966692151a9444c7ec26bf88950a770b2ea237301527ad2

SHA512
0f437256fc4728b3d3c6bc148b2bc31d72274a22b7c5cf1b6ab27005c798c2ac118d1d674ba04edb4cc79c02de2588af75e3cd57f92a2c240ea223cff6ada46d

Download Submit
memory/812-466-0x00007FF78B4D0000-0x00007FF78B8C5000-memory.dmp

Filesize
4.0MB

Download
memory/1104-32-0x00007FF738CC0000-0x00007FF7390B5000-memory.dmp

Filesize
4.0MB

Download
memory/1132-473-0x00007FF7016F0000-0x00007FF701AE5000-memory.dmp

Filesize
4.0MB

Download
memory/1324-462-0x00007FF7A8980000-0x00007FF7A8D75000-memory.dmp

Filesize
4.0MB

Download
memory/1340-451-0x00007FF624040000-0x00007FF624435000-memory.dmp

Filesize
4.0MB

Download
memory/1376-465-0x00007FF759650000-0x00007FF759A45000-memory.dmp

Filesize
4.0MB

Download
memory/1388-475-0x00007FF6261B0000-0x00007FF6265A5000-memory.dmp

Filesize
4.0MB

Download
memory/1676-434-0x00007FF7A3460000-0x00007FF7A3855000-memory.dmp

Filesize
4.0MB

Download
memory/1764-453-0x00007FF65F450000-0x00007FF65F845000-memory.dmp

Filesize
4.0MB

Download
memory/1844-479-0x00007FF6F4460000-0x00007FF6F4855000-memory.dmp

Filesize
4.0MB

Download
memory/1868-435-0x00007FF76FE10000-0x00007FF770205000-memory.dmp

Filesize
4.0MB

Download
memory/1932-480-0x00007FF6CB4D0000-0x00007FF6CB8C5000-memory.dmp

Filesize
4.0MB

Download
memory/1984-431-0x00007FF7E65E0000-0x00007FF7E69D5000-memory.dmp

Filesize
4.0MB

Download
memory/2036-485-0x00007FF786690000-0x00007FF786A85000-memory.dmp

Filesize
4.0MB

Download
memory/2040-484-0x00007FF7A2200000-0x00007FF7A25F5000-memory.dmp

Filesize
4.0MB

Download
memory/2088-17-0x00007FF6B63D0000-0x00007FF6B67C5000-memory.dmp

Filesize
4.0MB

Download
memory/2220-478-0x00007FF756000000-0x00007FF7563F5000-memory.dmp

Filesize
4.0MB

Download
memory/2240-0-0x00007FF6E2E10000-0x00007FF6E3205000-memory.dmp

Filesize
4.0MB

Download
memory/2240-1-0x0000016BE7480000-0x0000016BE7490000-memory.dmp

Filesize
64KB

Download
memory/2280-483-0x00007FF637600000-0x00007FF6379F5000-memory.dmp

Filesize
4.0MB

Download
memory/2408-40-0x00007FF66AE00000-0x00007FF66B1F5000-memory.dmp

Filesize
4.0MB

Download
memory/2428-459-0x00007FF60C210000-0x00007FF60C605000-memory.dmp

Filesize
4.0MB

Download
memory/2592-471-0x00007FF66EF40000-0x00007FF66F335000-memory.dmp

Filesize
4.0MB

Download
memory/2688-417-0x00007FF7B6A60000-0x00007FF7B6E55000-memory.dmp

Filesize
4.0MB

Download
memory/2856-420-0x00007FF7C0380000-0x00007FF7C0775000-memory.dmp

Filesize
4.0MB

Download
memory/2908-461-0x00007FF728960000-0x00007FF728D55000-memory.dmp

Filesize
4.0MB

Download
memory/3044-470-0x00007FF7582A0000-0x00007FF758695000-memory.dmp

Filesize
4.0MB

Download
memory/3100-449-0x00007FF706880000-0x00007FF706C75000-memory.dmp

Filesize
4.0MB

Download
memory/3116-432-0x00007FF635790000-0x00007FF635B85000-memory.dmp

Filesize
4.0MB

Download
memory/3124-457-0x00007FF607C00000-0x00007FF607FF5000-memory.dmp

Filesize
4.0MB

Download
memory/3144-486-0x00007FF64F380000-0x00007FF64F775000-memory.dmp

Filesize
4.0MB

Download
memory/3312-477-0x00007FF7E3F50000-0x00007FF7E4345000-memory.dmp

Filesize
4.0MB

Download
memory/3340-450-0x00007FF710D70000-0x00007FF711165000-memory.dmp

Filesize
4.0MB

Download
memory/3452-444-0x00007FF64CF20000-0x00007FF64D315000-memory.dmp

Filesize
4.0MB

Download
memory/3464-12-0x00007FF6536E0000-0x00007FF653AD5000-memory.dmp

Filesize
4.0MB

Download
memory/3548-481-0x00007FF7E5880000-0x00007FF7E5C75000-memory.dmp

Filesize
4.0MB

Download
memory/3612-37-0x00007FF6A4010000-0x00007FF6A4405000-memory.dmp

Filesize
4.0MB

Download
memory/3648-464-0x00007FF71A3D0000-0x00007FF71A7C5000-memory.dmp

Filesize
4.0MB

Download
memory/3672-487-0x00007FF7A8080000-0x00007FF7A8475000-memory.dmp

Filesize
4.0MB

Download
memory/3676-35-0x00007FF7FB660000-0x00007FF7FBA55000-memory.dmp

Filesize
4.0MB

Download
memory/3696-476-0x00007FF623990000-0x00007FF623D85000-memory.dmp

Filesize
4.0MB

Download
memory/3820-472-0x00007FF7E7280000-0x00007FF7E7675000-memory.dmp

Filesize
4.0MB

Download
memory/3864-454-0x00007FF76E330000-0x00007FF76E725000-memory.dmp

Filesize
4.0MB

Download
memory/3876-437-0x00007FF790180000-0x00007FF790575000-memory.dmp

Filesize
4.0MB

Download
memory/3896-436-0x00007FF6005B0000-0x00007FF6009A5000-memory.dmp

Filesize
4.0MB

Download
memory/3924-467-0x00007FF7261C0000-0x00007FF7265B5000-memory.dmp

Filesize
4.0MB

Download
memory/3928-456-0x00007FF728CB0000-0x00007FF7290A5000-memory.dmp

Filesize
4.0MB

Download
memory/3932-419-0x00007FF605C90000-0x00007FF606085000-memory.dmp

Filesize
4.0MB

Download
memory/4000-488-0x00007FF63E2E0000-0x00007FF63E6D5000-memory.dmp

Filesize
4.0MB

Download
memory/4032-458-0x00007FF72DC10000-0x00007FF72E005000-memory.dmp

Filesize
4.0MB

Download
memory/4100-418-0x00007FF6C5D40000-0x00007FF6C6135000-memory.dmp

Filesize
4.0MB

Download
memory/4120-452-0x00007FF7F6C80000-0x00007FF7F7075000-memory.dmp

Filesize
4.0MB

Download
memory/4184-455-0x00007FF7BA070000-0x00007FF7BA465000-memory.dmp

Filesize
4.0MB

Download
memory/4228-422-0x00007FF61AD30000-0x00007FF61B125000-memory.dmp

Filesize
4.0MB

Download
memory/4240-482-0x00007FF65D280000-0x00007FF65D675000-memory.dmp

Filesize
4.0MB

Download
memory/4264-433-0x00007FF789640000-0x00007FF789A35000-memory.dmp

Filesize
4.0MB

Download
memory/4272-429-0x00007FF7790C0000-0x00007FF7794B5000-memory.dmp

Filesize
4.0MB

Download
memory/4424-468-0x00007FF76B0C0000-0x00007FF76B4B5000-memory.dmp

Filesize
4.0MB

Download
memory/4460-474-0x00007FF634E80000-0x00007FF635275000-memory.dmp

Filesize
4.0MB

Download
memory/4488-25-0x00007FF76EA20000-0x00007FF76EE15000-memory.dmp

Filesize
4.0MB

Download
memory/4516-430-0x00007FF67AF20000-0x00007FF67B315000-memory.dmp

Filesize
4.0MB

Download
memory/4708-428-0x00007FF62A3A0000-0x00007FF62A795000-memory.dmp

Filesize
4.0MB

Download
memory/4824-460-0x00007FF77F8C0000-0x00007FF77FCB5000-memory.dmp

Filesize
4.0MB

Download
memory/5048-463-0x00007FF7B92D0000-0x00007FF7B96C5000-memory.dmp

Filesize
4.0MB

Download
memory/5072-469-0x00007FF663DE0000-0x00007FF6641D5000-memory.dmp

Filesize
4.0MB

Download