kpot | aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
Size

2.0MB
MD5

351d4a590606411abd7de625cd8a62c1
SHA1

1faaec3befe697771d546d302b975493b432b7a0
SHA256

aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845
SHA512

eda3f0a3e31ba211687d7a014f617e19a83ba52e16ae639b1e0c8c97a5ce8a90531a1bb76c95124fd25bbbef97e01f3695f8d46af17189ea9894f16c22c5f268
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIC5aIwC+Agr6StVEnmcvQvEh:BemTLkNdfE0pZrwP

Score

10^/10

kpot xmrig miner stealer trojan upx

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 43 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f6-5.dat	family_kpot
behavioral2/files/0x00070000000231f6-6.dat	family_kpot
behavioral2/files/0x00070000000231f7-11.dat	family_kpot
behavioral2/files/0x00070000000231f8-17.dat	family_kpot
behavioral2/files/0x00070000000231f8-20.dat	family_kpot
behavioral2/files/0x00070000000231f9-23.dat	family_kpot
behavioral2/files/0x00070000000231fb-33.dat	family_kpot
behavioral2/files/0x00070000000231fc-49.dat	family_kpot
behavioral2/files/0x00070000000231ff-62.dat	family_kpot
behavioral2/files/0x0007000000023202-87.dat	family_kpot
behavioral2/files/0x0007000000023203-92.dat	family_kpot
behavioral2/files/0x0007000000023209-129.dat	family_kpot
behavioral2/files/0x0007000000023215-187.dat	family_kpot
behavioral2/files/0x0007000000023213-185.dat	family_kpot
behavioral2/files/0x0007000000023214-181.dat	family_kpot
behavioral2/files/0x0007000000023212-179.dat	family_kpot
behavioral2/files/0x0007000000023211-174.dat	family_kpot
behavioral2/files/0x0007000000023210-168.dat	family_kpot
behavioral2/files/0x000700000002320e-157.dat	family_kpot
behavioral2/files/0x000700000002320f-153.dat	family_kpot
behavioral2/files/0x000700000002320d-151.dat	family_kpot
behavioral2/files/0x000700000002320c-146.dat	family_kpot
behavioral2/files/0x000700000002320a-134.dat	family_kpot
behavioral2/files/0x000700000002320b-131.dat	family_kpot
behavioral2/files/0x0007000000023208-123.dat	family_kpot
behavioral2/files/0x0007000000023209-120.dat	family_kpot
behavioral2/files/0x0007000000023207-111.dat	family_kpot
behavioral2/files/0x0007000000023206-108.dat	family_kpot
behavioral2/files/0x0007000000023205-104.dat	family_kpot
behavioral2/files/0x0007000000023204-89.dat	family_kpot
behavioral2/files/0x0007000000023203-83.dat	family_kpot
behavioral2/files/0x0007000000023201-81.dat	family_kpot
behavioral2/files/0x0007000000023202-77.dat	family_kpot
behavioral2/files/0x0007000000023200-71.dat	family_kpot
behavioral2/files/0x00080000000231f3-64.dat	family_kpot
behavioral2/files/0x00070000000231ff-56.dat	family_kpot
behavioral2/files/0x00070000000231fe-51.dat	family_kpot
behavioral2/files/0x00070000000231fd-45.dat	family_kpot
behavioral2/files/0x00070000000231fb-39.dat	family_kpot
behavioral2/files/0x00070000000231fc-38.dat	family_kpot
behavioral2/files/0x00070000000231fa-25.dat	family_kpot
behavioral2/files/0x00070000000231f7-15.dat	family_kpot
behavioral2/files/0x00070000000231f8-10.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4852-0-0x00007FF710000000-0x00007FF710354000-memory.dmp	UPX
behavioral2/files/0x00070000000231f6-5.dat	UPX
behavioral2/files/0x00070000000231f6-6.dat	UPX
behavioral2/files/0x00070000000231f7-11.dat	UPX
behavioral2/memory/1692-12-0x00007FF684400000-0x00007FF684754000-memory.dmp	UPX
behavioral2/files/0x00070000000231f8-17.dat	UPX
behavioral2/files/0x00070000000231f8-20.dat	UPX
behavioral2/files/0x00070000000231f9-23.dat	UPX
behavioral2/files/0x00070000000231fb-33.dat	UPX
behavioral2/memory/1968-37-0x00007FF7D2F70000-0x00007FF7D32C4000-memory.dmp	UPX
behavioral2/files/0x00070000000231fc-49.dat	UPX
behavioral2/files/0x00070000000231ff-62.dat	UPX
behavioral2/memory/4216-68-0x00007FF660400000-0x00007FF660754000-memory.dmp	UPX
behavioral2/memory/2328-80-0x00007FF620FD0000-0x00007FF621324000-memory.dmp	UPX
behavioral2/files/0x0007000000023202-87.dat	UPX
behavioral2/files/0x0007000000023203-92.dat	UPX
behavioral2/memory/4976-107-0x00007FF6FA680000-0x00007FF6FA9D4000-memory.dmp	UPX
behavioral2/files/0x0007000000023209-129.dat	UPX
behavioral2/memory/3608-190-0x00007FF6DA2E0000-0x00007FF6DA634000-memory.dmp	UPX
behavioral2/memory/2412-247-0x00007FF7C90D0000-0x00007FF7C9424000-memory.dmp	UPX
behavioral2/memory/3956-282-0x00007FF6087F0000-0x00007FF608B44000-memory.dmp	UPX
behavioral2/memory/4372-293-0x00007FF674FC0000-0x00007FF675314000-memory.dmp	UPX
behavioral2/memory/4788-340-0x00007FF608E80000-0x00007FF6091D4000-memory.dmp	UPX
behavioral2/memory/5680-386-0x00007FF686790000-0x00007FF686AE4000-memory.dmp	UPX
behavioral2/memory/5980-421-0x00007FF6D9880000-0x00007FF6D9BD4000-memory.dmp	UPX
behavioral2/memory/6100-432-0x00007FF6965D0000-0x00007FF696924000-memory.dmp	UPX
behavioral2/memory/6040-425-0x00007FF6DF4C0000-0x00007FF6DF814000-memory.dmp	UPX
behavioral2/memory/5920-414-0x00007FF7746C0000-0x00007FF774A14000-memory.dmp	UPX
behavioral2/memory/5860-407-0x00007FF6AA0D0000-0x00007FF6AA424000-memory.dmp	UPX
behavioral2/memory/5800-400-0x00007FF64B170000-0x00007FF64B4C4000-memory.dmp	UPX
behavioral2/memory/5740-393-0x00007FF78B420000-0x00007FF78B774000-memory.dmp	UPX
behavioral2/memory/5588-379-0x00007FF79E6E0000-0x00007FF79EA34000-memory.dmp	UPX
behavioral2/memory/5524-372-0x00007FF7460F0000-0x00007FF746444000-memory.dmp	UPX
behavioral2/memory/5460-365-0x00007FF60DA90000-0x00007FF60DDE4000-memory.dmp	UPX
behavioral2/memory/5400-361-0x00007FF7CA700000-0x00007FF7CAA54000-memory.dmp	UPX
behavioral2/memory/5340-354-0x00007FF734840000-0x00007FF734B94000-memory.dmp	UPX
behavioral2/memory/5164-347-0x00007FF70A190000-0x00007FF70A4E4000-memory.dmp	UPX
behavioral2/memory/4992-333-0x00007FF6007F0000-0x00007FF600B44000-memory.dmp	UPX
behavioral2/memory/4084-326-0x00007FF7A9140000-0x00007FF7A9494000-memory.dmp	UPX
behavioral2/memory/2992-322-0x00007FF7470F0000-0x00007FF747444000-memory.dmp	UPX
behavioral2/memory/4988-318-0x00007FF7450F0000-0x00007FF745444000-memory.dmp	UPX
behavioral2/memory/4332-314-0x00007FF767550000-0x00007FF7678A4000-memory.dmp	UPX
behavioral2/memory/960-307-0x00007FF733230000-0x00007FF733584000-memory.dmp	UPX
behavioral2/memory/380-300-0x00007FF6428C0000-0x00007FF642C14000-memory.dmp	UPX
behavioral2/memory/2968-286-0x00007FF6EB370000-0x00007FF6EB6C4000-memory.dmp	UPX
behavioral2/memory/4612-275-0x00007FF64E420000-0x00007FF64E774000-memory.dmp	UPX
behavioral2/memory/896-268-0x00007FF6411F0000-0x00007FF641544000-memory.dmp	UPX
behavioral2/memory/3844-261-0x00007FF6C6690000-0x00007FF6C69E4000-memory.dmp	UPX
behavioral2/memory/2840-254-0x00007FF7052C0000-0x00007FF705614000-memory.dmp	UPX
behavioral2/memory/3524-240-0x00007FF73EA60000-0x00007FF73EDB4000-memory.dmp	UPX
behavioral2/memory/2844-233-0x00007FF66A500000-0x00007FF66A854000-memory.dmp	UPX
behavioral2/memory/2964-226-0x00007FF615670000-0x00007FF6159C4000-memory.dmp	UPX
behavioral2/memory/2372-219-0x00007FF60E130000-0x00007FF60E484000-memory.dmp	UPX
behavioral2/memory/1828-215-0x00007FF7D6F10000-0x00007FF7D7264000-memory.dmp	UPX
behavioral2/memory/3368-211-0x00007FF7E52E0000-0x00007FF7E5634000-memory.dmp	UPX
behavioral2/memory/2940-204-0x00007FF64DB20000-0x00007FF64DE74000-memory.dmp	UPX
behavioral2/memory/4500-197-0x00007FF707C00000-0x00007FF707F54000-memory.dmp	UPX
behavioral2/files/0x0007000000023215-187.dat	UPX
behavioral2/files/0x0007000000023213-185.dat	UPX
behavioral2/memory/4036-184-0x00007FF6CF6D0000-0x00007FF6CFA24000-memory.dmp	UPX
behavioral2/files/0x0007000000023214-181.dat	UPX
behavioral2/files/0x0007000000023212-179.dat	UPX
behavioral2/files/0x0007000000023211-174.dat	UPX
behavioral2/memory/1712-173-0x00007FF7D6110000-0x00007FF7D6464000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4852-0-0x00007FF710000000-0x00007FF710354000-memory.dmp	xmrig
behavioral2/files/0x00070000000231f6-5.dat	xmrig
behavioral2/files/0x00070000000231f6-6.dat	xmrig
behavioral2/files/0x00070000000231f7-11.dat	xmrig
behavioral2/memory/1692-12-0x00007FF684400000-0x00007FF684754000-memory.dmp	xmrig
behavioral2/files/0x00070000000231f8-17.dat	xmrig
behavioral2/files/0x00070000000231f8-20.dat	xmrig
behavioral2/files/0x00070000000231f9-23.dat	xmrig
behavioral2/files/0x00070000000231fb-33.dat	xmrig
behavioral2/memory/1968-37-0x00007FF7D2F70000-0x00007FF7D32C4000-memory.dmp	xmrig
behavioral2/files/0x00070000000231fc-49.dat	xmrig
behavioral2/files/0x00070000000231ff-62.dat	xmrig
behavioral2/memory/4216-68-0x00007FF660400000-0x00007FF660754000-memory.dmp	xmrig
behavioral2/memory/2328-80-0x00007FF620FD0000-0x00007FF621324000-memory.dmp	xmrig
behavioral2/files/0x0007000000023202-87.dat	xmrig
behavioral2/files/0x0007000000023203-92.dat	xmrig
behavioral2/memory/4976-107-0x00007FF6FA680000-0x00007FF6FA9D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023209-129.dat	xmrig
behavioral2/memory/3608-190-0x00007FF6DA2E0000-0x00007FF6DA634000-memory.dmp	xmrig
behavioral2/memory/2412-247-0x00007FF7C90D0000-0x00007FF7C9424000-memory.dmp	xmrig
behavioral2/memory/3956-282-0x00007FF6087F0000-0x00007FF608B44000-memory.dmp	xmrig
behavioral2/memory/4372-293-0x00007FF674FC0000-0x00007FF675314000-memory.dmp	xmrig
behavioral2/memory/4788-340-0x00007FF608E80000-0x00007FF6091D4000-memory.dmp	xmrig
behavioral2/memory/5680-386-0x00007FF686790000-0x00007FF686AE4000-memory.dmp	xmrig
behavioral2/memory/5980-421-0x00007FF6D9880000-0x00007FF6D9BD4000-memory.dmp	xmrig
behavioral2/memory/6100-432-0x00007FF6965D0000-0x00007FF696924000-memory.dmp	xmrig
behavioral2/memory/6040-425-0x00007FF6DF4C0000-0x00007FF6DF814000-memory.dmp	xmrig
behavioral2/memory/5920-414-0x00007FF7746C0000-0x00007FF774A14000-memory.dmp	xmrig
behavioral2/memory/5860-407-0x00007FF6AA0D0000-0x00007FF6AA424000-memory.dmp	xmrig
behavioral2/memory/5800-400-0x00007FF64B170000-0x00007FF64B4C4000-memory.dmp	xmrig
behavioral2/memory/5740-393-0x00007FF78B420000-0x00007FF78B774000-memory.dmp	xmrig
behavioral2/memory/5588-379-0x00007FF79E6E0000-0x00007FF79EA34000-memory.dmp	xmrig
behavioral2/memory/5524-372-0x00007FF7460F0000-0x00007FF746444000-memory.dmp	xmrig
behavioral2/memory/5460-365-0x00007FF60DA90000-0x00007FF60DDE4000-memory.dmp	xmrig
behavioral2/memory/5400-361-0x00007FF7CA700000-0x00007FF7CAA54000-memory.dmp	xmrig
behavioral2/memory/5340-354-0x00007FF734840000-0x00007FF734B94000-memory.dmp	xmrig
behavioral2/memory/5164-347-0x00007FF70A190000-0x00007FF70A4E4000-memory.dmp	xmrig
behavioral2/memory/4992-333-0x00007FF6007F0000-0x00007FF600B44000-memory.dmp	xmrig
behavioral2/memory/4084-326-0x00007FF7A9140000-0x00007FF7A9494000-memory.dmp	xmrig
behavioral2/memory/2992-322-0x00007FF7470F0000-0x00007FF747444000-memory.dmp	xmrig
behavioral2/memory/4988-318-0x00007FF7450F0000-0x00007FF745444000-memory.dmp	xmrig
behavioral2/memory/4332-314-0x00007FF767550000-0x00007FF7678A4000-memory.dmp	xmrig
behavioral2/memory/960-307-0x00007FF733230000-0x00007FF733584000-memory.dmp	xmrig
behavioral2/memory/380-300-0x00007FF6428C0000-0x00007FF642C14000-memory.dmp	xmrig
behavioral2/memory/2968-286-0x00007FF6EB370000-0x00007FF6EB6C4000-memory.dmp	xmrig
behavioral2/memory/4612-275-0x00007FF64E420000-0x00007FF64E774000-memory.dmp	xmrig
behavioral2/memory/896-268-0x00007FF6411F0000-0x00007FF641544000-memory.dmp	xmrig
behavioral2/memory/3844-261-0x00007FF6C6690000-0x00007FF6C69E4000-memory.dmp	xmrig
behavioral2/memory/2840-254-0x00007FF7052C0000-0x00007FF705614000-memory.dmp	xmrig
behavioral2/memory/3524-240-0x00007FF73EA60000-0x00007FF73EDB4000-memory.dmp	xmrig
behavioral2/memory/2844-233-0x00007FF66A500000-0x00007FF66A854000-memory.dmp	xmrig
behavioral2/memory/2964-226-0x00007FF615670000-0x00007FF6159C4000-memory.dmp	xmrig
behavioral2/memory/2372-219-0x00007FF60E130000-0x00007FF60E484000-memory.dmp	xmrig
behavioral2/memory/1828-215-0x00007FF7D6F10000-0x00007FF7D7264000-memory.dmp	xmrig
behavioral2/memory/3368-211-0x00007FF7E52E0000-0x00007FF7E5634000-memory.dmp	xmrig
behavioral2/memory/2940-204-0x00007FF64DB20000-0x00007FF64DE74000-memory.dmp	xmrig
behavioral2/memory/4500-197-0x00007FF707C00000-0x00007FF707F54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023215-187.dat	xmrig
behavioral2/files/0x0007000000023213-185.dat	xmrig
behavioral2/memory/4036-184-0x00007FF6CF6D0000-0x00007FF6CFA24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023214-181.dat	xmrig
behavioral2/files/0x0007000000023212-179.dat	xmrig
behavioral2/files/0x0007000000023211-174.dat	xmrig
behavioral2/memory/1712-173-0x00007FF7D6110000-0x00007FF7D6464000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4416	IOaqVUQ.exe
1692	lHjoiBi.exe
3232	ICJnlQx.exe
1968	hJbSLhJ.exe
4588	RLEtSSd.exe
4068	PhoyiVN.exe
3800	tmsdgHG.exe
2328	mvfMQBk.exe
3944	cnDYBKu.exe
3352	HtqHJUZ.exe
4216	gLGRQrS.exe
4844	AOaljKO.exe
2660	JQPzsNo.exe
3628	EoZoCWK.exe
2376	ekXzntP.exe
4564	LbEDYul.exe
1820	QBhCYlu.exe
4976	JqpuNmC.exe
1336	XWpULYE.exe
4500	cqyREfu.exe
4508	yWTZReV.exe
2940	GpMDNuO.exe
3392	CXSuYjA.exe
3368	FShmGWo.exe
4648	Mfazhhq.exe
1828	gCazGMx.exe
2372	zMsQGzg.exe
1712	LssvvtR.exe
2964	sEHtplq.exe
2844	cvmGQGh.exe
4036	GPfaWvN.exe
3524	KqwimIM.exe
3608	qlXQUgl.exe
2412	eiNXeBZ.exe
1364	SXtOsWu.exe
2840	SDbDItT.exe
1548	vjmJHZP.exe
3844	wqfzFXW.exe
5084	CChKnbE.exe
896	ioPIXcP.exe
3268	JsjYGUQ.exe
4276	yYWWTjT.exe
4280	UPawQAI.exe
4612	kOETciY.exe
4532	VPVuiWc.exe
3956	yXUjgXH.exe
1836	gXdtQqh.exe
2968	BQFvVOm.exe
3596	OrcPjka.exe
4372	XAbZuce.exe
3884	TOOcwFU.exe
380	yYlNBeB.exe
3656	OhXJIub.exe
960	ruomgjn.exe
3784	BbLHtGo.exe
4332	iVJelQQ.exe
2980	SWFgKhF.exe
4988	XCDNebu.exe
4040	LRGUnpA.exe
2992	ouHmlJc.exe
2420	ZKavMcg.exe
2480	NKZclKU.exe
4084	QuLOsnn.exe
2920	uxPiJeM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4852-0-0x00007FF710000000-0x00007FF710354000-memory.dmp	upx
behavioral2/files/0x00070000000231f6-5.dat	upx
behavioral2/files/0x00070000000231f6-6.dat	upx
behavioral2/files/0x00070000000231f7-11.dat	upx
behavioral2/memory/1692-12-0x00007FF684400000-0x00007FF684754000-memory.dmp	upx
behavioral2/files/0x00070000000231f8-17.dat	upx
behavioral2/files/0x00070000000231f8-20.dat	upx
behavioral2/files/0x00070000000231f9-23.dat	upx
behavioral2/files/0x00070000000231fb-33.dat	upx
behavioral2/memory/1968-37-0x00007FF7D2F70000-0x00007FF7D32C4000-memory.dmp	upx
behavioral2/files/0x00070000000231fc-49.dat	upx
behavioral2/files/0x00070000000231ff-62.dat	upx
behavioral2/memory/4216-68-0x00007FF660400000-0x00007FF660754000-memory.dmp	upx
behavioral2/memory/2328-80-0x00007FF620FD0000-0x00007FF621324000-memory.dmp	upx
behavioral2/files/0x0007000000023202-87.dat	upx
behavioral2/files/0x0007000000023203-92.dat	upx
behavioral2/memory/4976-107-0x00007FF6FA680000-0x00007FF6FA9D4000-memory.dmp	upx
behavioral2/files/0x0007000000023209-129.dat	upx
behavioral2/memory/3608-190-0x00007FF6DA2E0000-0x00007FF6DA634000-memory.dmp	upx
behavioral2/memory/2412-247-0x00007FF7C90D0000-0x00007FF7C9424000-memory.dmp	upx
behavioral2/memory/3956-282-0x00007FF6087F0000-0x00007FF608B44000-memory.dmp	upx
behavioral2/memory/4372-293-0x00007FF674FC0000-0x00007FF675314000-memory.dmp	upx
behavioral2/memory/4788-340-0x00007FF608E80000-0x00007FF6091D4000-memory.dmp	upx
behavioral2/memory/5680-386-0x00007FF686790000-0x00007FF686AE4000-memory.dmp	upx
behavioral2/memory/5980-421-0x00007FF6D9880000-0x00007FF6D9BD4000-memory.dmp	upx
behavioral2/memory/6100-432-0x00007FF6965D0000-0x00007FF696924000-memory.dmp	upx
behavioral2/memory/6040-425-0x00007FF6DF4C0000-0x00007FF6DF814000-memory.dmp	upx
behavioral2/memory/5920-414-0x00007FF7746C0000-0x00007FF774A14000-memory.dmp	upx
behavioral2/memory/5860-407-0x00007FF6AA0D0000-0x00007FF6AA424000-memory.dmp	upx
behavioral2/memory/5800-400-0x00007FF64B170000-0x00007FF64B4C4000-memory.dmp	upx
behavioral2/memory/5740-393-0x00007FF78B420000-0x00007FF78B774000-memory.dmp	upx
behavioral2/memory/5588-379-0x00007FF79E6E0000-0x00007FF79EA34000-memory.dmp	upx
behavioral2/memory/5524-372-0x00007FF7460F0000-0x00007FF746444000-memory.dmp	upx
behavioral2/memory/5460-365-0x00007FF60DA90000-0x00007FF60DDE4000-memory.dmp	upx
behavioral2/memory/5400-361-0x00007FF7CA700000-0x00007FF7CAA54000-memory.dmp	upx
behavioral2/memory/5340-354-0x00007FF734840000-0x00007FF734B94000-memory.dmp	upx
behavioral2/memory/5164-347-0x00007FF70A190000-0x00007FF70A4E4000-memory.dmp	upx
behavioral2/memory/4992-333-0x00007FF6007F0000-0x00007FF600B44000-memory.dmp	upx
behavioral2/memory/4084-326-0x00007FF7A9140000-0x00007FF7A9494000-memory.dmp	upx
behavioral2/memory/2992-322-0x00007FF7470F0000-0x00007FF747444000-memory.dmp	upx
behavioral2/memory/4988-318-0x00007FF7450F0000-0x00007FF745444000-memory.dmp	upx
behavioral2/memory/4332-314-0x00007FF767550000-0x00007FF7678A4000-memory.dmp	upx
behavioral2/memory/960-307-0x00007FF733230000-0x00007FF733584000-memory.dmp	upx
behavioral2/memory/380-300-0x00007FF6428C0000-0x00007FF642C14000-memory.dmp	upx
behavioral2/memory/2968-286-0x00007FF6EB370000-0x00007FF6EB6C4000-memory.dmp	upx
behavioral2/memory/4612-275-0x00007FF64E420000-0x00007FF64E774000-memory.dmp	upx
behavioral2/memory/896-268-0x00007FF6411F0000-0x00007FF641544000-memory.dmp	upx
behavioral2/memory/3844-261-0x00007FF6C6690000-0x00007FF6C69E4000-memory.dmp	upx
behavioral2/memory/2840-254-0x00007FF7052C0000-0x00007FF705614000-memory.dmp	upx
behavioral2/memory/3524-240-0x00007FF73EA60000-0x00007FF73EDB4000-memory.dmp	upx
behavioral2/memory/2844-233-0x00007FF66A500000-0x00007FF66A854000-memory.dmp	upx
behavioral2/memory/2964-226-0x00007FF615670000-0x00007FF6159C4000-memory.dmp	upx
behavioral2/memory/2372-219-0x00007FF60E130000-0x00007FF60E484000-memory.dmp	upx
behavioral2/memory/1828-215-0x00007FF7D6F10000-0x00007FF7D7264000-memory.dmp	upx
behavioral2/memory/3368-211-0x00007FF7E52E0000-0x00007FF7E5634000-memory.dmp	upx
behavioral2/memory/2940-204-0x00007FF64DB20000-0x00007FF64DE74000-memory.dmp	upx
behavioral2/memory/4500-197-0x00007FF707C00000-0x00007FF707F54000-memory.dmp	upx
behavioral2/files/0x0007000000023215-187.dat	upx
behavioral2/files/0x0007000000023213-185.dat	upx
behavioral2/memory/4036-184-0x00007FF6CF6D0000-0x00007FF6CFA24000-memory.dmp	upx
behavioral2/files/0x0007000000023214-181.dat	upx
behavioral2/files/0x0007000000023212-179.dat	upx
behavioral2/files/0x0007000000023211-174.dat	upx
behavioral2/memory/1712-173-0x00007FF7D6110000-0x00007FF7D6464000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\OMILZnp.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\CXSuYjA.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\SZrttRX.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\jMKCkhk.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\tGZLIgw.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\osQiPWK.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\vdHemVd.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\TSmMjHG.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\hJbSLhJ.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\aPadidU.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\eIbPurw.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\rBGUwRU.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\zrjDpMz.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\tmsdgHG.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\XCDNebu.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\cCMOrXw.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\NPsuzOt.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\uHkbtqA.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\haVMKeM.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\CuIMQez.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\jjvHbyE.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\LIRQQcN.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\ULxiKOP.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\HfICOEI.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\tZSvGHO.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\KuYowST.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\UyDwygd.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\qIExMWT.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\Mfazhhq.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\yXUjgXH.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\QxbdmFK.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\RtkAexq.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\AByNHBg.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\fMNQnrE.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\cvmGQGh.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\ioPIXcP.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\rhgrxjM.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\sfYrlKo.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\BRKFwul.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\HbTnBNh.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\xxZAniz.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\vjmJHZP.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\kRndfco.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\IXnbkqb.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\AZGjDrT.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\OourBnX.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\xXLjxWh.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\PrpAdss.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\UPawQAI.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\HNpXQWg.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\pYfZcbA.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\copayHx.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\WQjXAfv.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\yWTZReV.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\vayakVs.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\cqyREfu.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\iINVSAV.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\OJejYQV.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\mMbdfBx.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\LgCIEQz.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\yTMITHd.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\FAXIIwC.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\gCazGMx.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
File created	C:\Windows\System\yYWWTjT.exe	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
Token: SeLockMemoryPrivilege	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
Token: SeCreateGlobalPrivilege	8808	dwm.exe
Token: SeChangeNotifyPrivilege	8808	dwm.exe
Token: 33	8808	dwm.exe
Token: SeIncBasePriorityPrivilege	8808	dwm.exe
Token: SeCreateGlobalPrivilege	1060	dwm.exe
Token: SeChangeNotifyPrivilege	1060	dwm.exe
Token: 33	1060	dwm.exe
Token: SeIncBasePriorityPrivilege	1060	dwm.exe
Token: SeShutdownPrivilege	1060	dwm.exe
Token: SeCreatePagefilePrivilege	1060	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4416	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	88
PID 4852 wrote to memory of 4416	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	88
PID 4852 wrote to memory of 1692	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	89
PID 4852 wrote to memory of 1692	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	89
PID 4852 wrote to memory of 3232	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	90
PID 4852 wrote to memory of 3232	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	90
PID 4852 wrote to memory of 1968	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	91
PID 4852 wrote to memory of 1968	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	91
PID 4852 wrote to memory of 4588	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	92
PID 4852 wrote to memory of 4588	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	92
PID 4852 wrote to memory of 4068	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	93
PID 4852 wrote to memory of 4068	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	93
PID 4852 wrote to memory of 3800	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	94
PID 4852 wrote to memory of 3800	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	94
PID 4852 wrote to memory of 2328	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	95
PID 4852 wrote to memory of 2328	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	95
PID 4852 wrote to memory of 3944	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	96
PID 4852 wrote to memory of 3944	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	96
PID 4852 wrote to memory of 3352	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	97
PID 4852 wrote to memory of 3352	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	97
PID 4852 wrote to memory of 4216	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	98
PID 4852 wrote to memory of 4216	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	98
PID 4852 wrote to memory of 4844	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	99
PID 4852 wrote to memory of 4844	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	99
PID 4852 wrote to memory of 2660	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	100
PID 4852 wrote to memory of 2660	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	100
PID 4852 wrote to memory of 3628	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	101
PID 4852 wrote to memory of 3628	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	101
PID 4852 wrote to memory of 2376	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	102
PID 4852 wrote to memory of 2376	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	102
PID 4852 wrote to memory of 4564	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	103
PID 4852 wrote to memory of 4564	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	103
PID 4852 wrote to memory of 1820	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	104
PID 4852 wrote to memory of 1820	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	104
PID 4852 wrote to memory of 4976	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	105
PID 4852 wrote to memory of 4976	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	105
PID 4852 wrote to memory of 1336	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	106
PID 4852 wrote to memory of 1336	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	106
PID 4852 wrote to memory of 4500	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	107
PID 4852 wrote to memory of 4500	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	107
PID 4852 wrote to memory of 4508	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	108
PID 4852 wrote to memory of 4508	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	108
PID 4852 wrote to memory of 2940	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	109
PID 4852 wrote to memory of 2940	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	109
PID 4852 wrote to memory of 3392	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	110
PID 4852 wrote to memory of 3392	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	110
PID 4852 wrote to memory of 3368	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	111
PID 4852 wrote to memory of 3368	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	111
PID 4852 wrote to memory of 4648	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	112
PID 4852 wrote to memory of 4648	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	112
PID 4852 wrote to memory of 1828	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	113
PID 4852 wrote to memory of 1828	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	113
PID 4852 wrote to memory of 2372	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	114
PID 4852 wrote to memory of 2372	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	114
PID 4852 wrote to memory of 1712	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	115
PID 4852 wrote to memory of 1712	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	115
PID 4852 wrote to memory of 2964	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	116
PID 4852 wrote to memory of 2964	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	116
PID 4852 wrote to memory of 2844	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	117
PID 4852 wrote to memory of 2844	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	117
PID 4852 wrote to memory of 4036	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	118
PID 4852 wrote to memory of 4036	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	118
PID 4852 wrote to memory of 3524	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	119
PID 4852 wrote to memory of 3524	4852	aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe	119

C:\Users\Admin\AppData\Local\Temp\aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe
"C:\Users\Admin\AppData\Local\Temp\aabea69c871804b4cb254cc1c068a200a891629fd0672752503f3c76cacff845.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\System\IOaqVUQ.exe
  C:\Windows\System\IOaqVUQ.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\lHjoiBi.exe
  C:\Windows\System\lHjoiBi.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\ICJnlQx.exe
  C:\Windows\System\ICJnlQx.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\hJbSLhJ.exe
  C:\Windows\System\hJbSLhJ.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\RLEtSSd.exe
  C:\Windows\System\RLEtSSd.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\PhoyiVN.exe
  C:\Windows\System\PhoyiVN.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\tmsdgHG.exe
  C:\Windows\System\tmsdgHG.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System\mvfMQBk.exe
  C:\Windows\System\mvfMQBk.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\cnDYBKu.exe
  C:\Windows\System\cnDYBKu.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\HtqHJUZ.exe
  C:\Windows\System\HtqHJUZ.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\gLGRQrS.exe
  C:\Windows\System\gLGRQrS.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\AOaljKO.exe
  C:\Windows\System\AOaljKO.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\JQPzsNo.exe
  C:\Windows\System\JQPzsNo.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\EoZoCWK.exe
  C:\Windows\System\EoZoCWK.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\ekXzntP.exe
  C:\Windows\System\ekXzntP.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\LbEDYul.exe
  C:\Windows\System\LbEDYul.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\QBhCYlu.exe
  C:\Windows\System\QBhCYlu.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\JqpuNmC.exe
  C:\Windows\System\JqpuNmC.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\XWpULYE.exe
  C:\Windows\System\XWpULYE.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System\cqyREfu.exe
  C:\Windows\System\cqyREfu.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\yWTZReV.exe
  C:\Windows\System\yWTZReV.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\GpMDNuO.exe
  C:\Windows\System\GpMDNuO.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\CXSuYjA.exe
  C:\Windows\System\CXSuYjA.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\FShmGWo.exe
  C:\Windows\System\FShmGWo.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System\Mfazhhq.exe
  C:\Windows\System\Mfazhhq.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\gCazGMx.exe
  C:\Windows\System\gCazGMx.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\zMsQGzg.exe
  C:\Windows\System\zMsQGzg.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\LssvvtR.exe
  C:\Windows\System\LssvvtR.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\sEHtplq.exe
  C:\Windows\System\sEHtplq.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\cvmGQGh.exe
  C:\Windows\System\cvmGQGh.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\GPfaWvN.exe
  C:\Windows\System\GPfaWvN.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\KqwimIM.exe
  C:\Windows\System\KqwimIM.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\qlXQUgl.exe
  C:\Windows\System\qlXQUgl.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\eiNXeBZ.exe
  C:\Windows\System\eiNXeBZ.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\SXtOsWu.exe
  C:\Windows\System\SXtOsWu.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\SDbDItT.exe
  C:\Windows\System\SDbDItT.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\vjmJHZP.exe
  C:\Windows\System\vjmJHZP.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\wqfzFXW.exe
  C:\Windows\System\wqfzFXW.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\CChKnbE.exe
  C:\Windows\System\CChKnbE.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\ioPIXcP.exe
  C:\Windows\System\ioPIXcP.exe
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\System\JsjYGUQ.exe
  C:\Windows\System\JsjYGUQ.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\yYWWTjT.exe
  C:\Windows\System\yYWWTjT.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\UPawQAI.exe
  C:\Windows\System\UPawQAI.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\kOETciY.exe
  C:\Windows\System\kOETciY.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\VPVuiWc.exe
  C:\Windows\System\VPVuiWc.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\yXUjgXH.exe
  C:\Windows\System\yXUjgXH.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\gXdtQqh.exe
  C:\Windows\System\gXdtQqh.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\BQFvVOm.exe
  C:\Windows\System\BQFvVOm.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\OrcPjka.exe
  C:\Windows\System\OrcPjka.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\XAbZuce.exe
  C:\Windows\System\XAbZuce.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\TOOcwFU.exe
  C:\Windows\System\TOOcwFU.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\yYlNBeB.exe
  C:\Windows\System\yYlNBeB.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\OhXJIub.exe
  C:\Windows\System\OhXJIub.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\ruomgjn.exe
  C:\Windows\System\ruomgjn.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\BbLHtGo.exe
  C:\Windows\System\BbLHtGo.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\iVJelQQ.exe
  C:\Windows\System\iVJelQQ.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\SWFgKhF.exe
  C:\Windows\System\SWFgKhF.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\XCDNebu.exe
  C:\Windows\System\XCDNebu.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\LRGUnpA.exe
  C:\Windows\System\LRGUnpA.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\ouHmlJc.exe
  C:\Windows\System\ouHmlJc.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\ZKavMcg.exe
  C:\Windows\System\ZKavMcg.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\NKZclKU.exe
  C:\Windows\System\NKZclKU.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\QuLOsnn.exe
  C:\Windows\System\QuLOsnn.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\uxPiJeM.exe
  C:\Windows\System\uxPiJeM.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\pwJcRKW.exe
  C:\Windows\System\pwJcRKW.exe
  2⤵
  PID:4992
- C:\Windows\System\dffypKZ.exe
  C:\Windows\System\dffypKZ.exe
  2⤵
  PID:4900
- C:\Windows\System\SZrttRX.exe
  C:\Windows\System\SZrttRX.exe
  2⤵
  PID:4788
- C:\Windows\System\kUsipvC.exe
  C:\Windows\System\kUsipvC.exe
  2⤵
  PID:5132
- C:\Windows\System\bZcZhQy.exe
  C:\Windows\System\bZcZhQy.exe
  2⤵
  PID:5164
- C:\Windows\System\HkCaFHF.exe
  C:\Windows\System\HkCaFHF.exe
  2⤵
  PID:5200
- C:\Windows\System\LFBRiIO.exe
  C:\Windows\System\LFBRiIO.exe
  2⤵
  PID:5232
- C:\Windows\System\lInyWqo.exe
  C:\Windows\System\lInyWqo.exe
  2⤵
  PID:5268
- C:\Windows\System\ZhOsRXB.exe
  C:\Windows\System\ZhOsRXB.exe
  2⤵
  PID:5304
- C:\Windows\System\rhgrxjM.exe
  C:\Windows\System\rhgrxjM.exe
  2⤵
  PID:5340
- C:\Windows\System\QxbdmFK.exe
  C:\Windows\System\QxbdmFK.exe
  2⤵
  PID:5368
- C:\Windows\System\ZwttDLe.exe
  C:\Windows\System\ZwttDLe.exe
  2⤵
  PID:5400
- C:\Windows\System\kQFBTwt.exe
  C:\Windows\System\kQFBTwt.exe
  2⤵
  PID:5428
- C:\Windows\System\LqBcMzu.exe
  C:\Windows\System\LqBcMzu.exe
  2⤵
  PID:5460
- C:\Windows\System\tZSvGHO.exe
  C:\Windows\System\tZSvGHO.exe
  2⤵
  PID:5488
- C:\Windows\System\iINVSAV.exe
  C:\Windows\System\iINVSAV.exe
  2⤵
  PID:5524
- C:\Windows\System\rkGgjKO.exe
  C:\Windows\System\rkGgjKO.exe
  2⤵
  PID:5556
- C:\Windows\System\kVceHdz.exe
  C:\Windows\System\kVceHdz.exe
  2⤵
  PID:5588
- C:\Windows\System\CebmhkT.exe
  C:\Windows\System\CebmhkT.exe
  2⤵
  PID:5616
- C:\Windows\System\bbDOmCk.exe
  C:\Windows\System\bbDOmCk.exe
  2⤵
  PID:5648
- C:\Windows\System\yfhiKRL.exe
  C:\Windows\System\yfhiKRL.exe
  2⤵
  PID:5680
- C:\Windows\System\kRndfco.exe
  C:\Windows\System\kRndfco.exe
  2⤵
  PID:5708
- C:\Windows\System\LQOSNAT.exe
  C:\Windows\System\LQOSNAT.exe
  2⤵
  PID:5740
- C:\Windows\System\IGfuzWv.exe
  C:\Windows\System\IGfuzWv.exe
  2⤵
  PID:5768
- C:\Windows\System\sfYrlKo.exe
  C:\Windows\System\sfYrlKo.exe
  2⤵
  PID:5800
- C:\Windows\System\cCMOrXw.exe
  C:\Windows\System\cCMOrXw.exe
  2⤵
  PID:5828
- C:\Windows\System\XKVSscD.exe
  C:\Windows\System\XKVSscD.exe
  2⤵
  PID:5860
- C:\Windows\System\HwBYatU.exe
  C:\Windows\System\HwBYatU.exe
  2⤵
  PID:5888
- C:\Windows\System\yAsMwud.exe
  C:\Windows\System\yAsMwud.exe
  2⤵
  PID:5920
- C:\Windows\System\DXVaCjY.exe
  C:\Windows\System\DXVaCjY.exe
  2⤵
  PID:5948
- C:\Windows\System\IpcFkNS.exe
  C:\Windows\System\IpcFkNS.exe
  2⤵
  PID:5980
- C:\Windows\System\kJfRqvV.exe
  C:\Windows\System\kJfRqvV.exe
  2⤵
  PID:6008
- C:\Windows\System\NPsuzOt.exe
  C:\Windows\System\NPsuzOt.exe
  2⤵
  PID:6040
- C:\Windows\System\GbXGnQz.exe
  C:\Windows\System\GbXGnQz.exe
  2⤵
  PID:6068
- C:\Windows\System\EeNBVwz.exe
  C:\Windows\System\EeNBVwz.exe
  2⤵
  PID:6100
- C:\Windows\System\ERqDdnr.exe
  C:\Windows\System\ERqDdnr.exe
  2⤵
  PID:6128
- C:\Windows\System\bMGRMXF.exe
  C:\Windows\System\bMGRMXF.exe
  2⤵
  PID:1120
- C:\Windows\System\HNpXQWg.exe
  C:\Windows\System\HNpXQWg.exe
  2⤵
  PID:4148
- C:\Windows\System\FitJKDk.exe
  C:\Windows\System\FitJKDk.exe
  2⤵
  PID:3972
- C:\Windows\System\ZFmMVwe.exe
  C:\Windows\System\ZFmMVwe.exe
  2⤵
  PID:5156
- C:\Windows\System\SkaGvQg.exe
  C:\Windows\System\SkaGvQg.exe
  2⤵
  PID:5224
- C:\Windows\System\TutKKKr.exe
  C:\Windows\System\TutKKKr.exe
  2⤵
  PID:5296
- C:\Windows\System\JLEHVSp.exe
  C:\Windows\System\JLEHVSp.exe
  2⤵
  PID:5364
- C:\Windows\System\VWBJupU.exe
  C:\Windows\System\VWBJupU.exe
  2⤵
  PID:5452
- C:\Windows\System\IgOoeXc.exe
  C:\Windows\System\IgOoeXc.exe
  2⤵
  PID:644
- C:\Windows\System\KuYowST.exe
  C:\Windows\System\KuYowST.exe
  2⤵
  PID:5584
- C:\Windows\System\iwtNjxb.exe
  C:\Windows\System\iwtNjxb.exe
  2⤵
  PID:5644
- C:\Windows\System\WnnFSYH.exe
  C:\Windows\System\WnnFSYH.exe
  2⤵
  PID:5732
- C:\Windows\System\UWyIqNV.exe
  C:\Windows\System\UWyIqNV.exe
  2⤵
  PID:5764
- C:\Windows\System\hkEmqgX.exe
  C:\Windows\System\hkEmqgX.exe
  2⤵
  PID:5820
- C:\Windows\System\RDbaGGC.exe
  C:\Windows\System\RDbaGGC.exe
  2⤵
  PID:5884
- C:\Windows\System\ERfiApd.exe
  C:\Windows\System\ERfiApd.exe
  2⤵
  PID:5968
- C:\Windows\System\kcpcDZC.exe
  C:\Windows\System\kcpcDZC.exe
  2⤵
  PID:6036
- C:\Windows\System\dpNNyRr.exe
  C:\Windows\System\dpNNyRr.exe
  2⤵
  PID:6096
- C:\Windows\System\nOzBkan.exe
  C:\Windows\System\nOzBkan.exe
  2⤵
  PID:1384
- C:\Windows\System\wZCLIBj.exe
  C:\Windows\System\wZCLIBj.exe
  2⤵
  PID:4092
- C:\Windows\System\jMKCkhk.exe
  C:\Windows\System\jMKCkhk.exe
  2⤵
  PID:5260
- C:\Windows\System\tgVXJBG.exe
  C:\Windows\System\tgVXJBG.exe
  2⤵
  PID:5420
- C:\Windows\System\lubSJCx.exe
  C:\Windows\System\lubSJCx.exe
  2⤵
  PID:3624
- C:\Windows\System\pEgZTFb.exe
  C:\Windows\System\pEgZTFb.exe
  2⤵
  PID:5640
- C:\Windows\System\vyBnDbn.exe
  C:\Windows\System\vyBnDbn.exe
  2⤵
  PID:5760
- C:\Windows\System\RvvtpRQ.exe
  C:\Windows\System\RvvtpRQ.exe
  2⤵
  PID:5876
- C:\Windows\System\BQxFyZf.exe
  C:\Windows\System\BQxFyZf.exe
  2⤵
  PID:5976
- C:\Windows\System\Gvaksgv.exe
  C:\Windows\System\Gvaksgv.exe
  2⤵
  PID:6116
- C:\Windows\System\juXDwsc.exe
  C:\Windows\System\juXDwsc.exe
  2⤵
  PID:1576
- C:\Windows\System\UVJeWny.exe
  C:\Windows\System\UVJeWny.exe
  2⤵
  PID:5360
- C:\Windows\System\kFVhfEI.exe
  C:\Windows\System\kFVhfEI.exe
  2⤵
  PID:5580
- C:\Windows\System\BmcynRA.exe
  C:\Windows\System\BmcynRA.exe
  2⤵
  PID:1484
- C:\Windows\System\wMZkwFJ.exe
  C:\Windows\System\wMZkwFJ.exe
  2⤵
  PID:6172
- C:\Windows\System\BRKFwul.exe
  C:\Windows\System\BRKFwul.exe
  2⤵
  PID:6204
- C:\Windows\System\bnpeefq.exe
  C:\Windows\System\bnpeefq.exe
  2⤵
  PID:6236
- C:\Windows\System\hFwLJvP.exe
  C:\Windows\System\hFwLJvP.exe
  2⤵
  PID:6264
- C:\Windows\System\HbTnBNh.exe
  C:\Windows\System\HbTnBNh.exe
  2⤵
  PID:6296
- C:\Windows\System\LufOSSB.exe
  C:\Windows\System\LufOSSB.exe
  2⤵
  PID:6324
- C:\Windows\System\XQZcprY.exe
  C:\Windows\System\XQZcprY.exe
  2⤵
  PID:6356
- C:\Windows\System\LOxWGIP.exe
  C:\Windows\System\LOxWGIP.exe
  2⤵
  PID:6388
- C:\Windows\System\uZokAel.exe
  C:\Windows\System\uZokAel.exe
  2⤵
  PID:6420
- C:\Windows\System\oXUEyAP.exe
  C:\Windows\System\oXUEyAP.exe
  2⤵
  PID:6448
- C:\Windows\System\jFvDdbi.exe
  C:\Windows\System\jFvDdbi.exe
  2⤵
  PID:6480
- C:\Windows\System\BCkadZo.exe
  C:\Windows\System\BCkadZo.exe
  2⤵
  PID:6512
- C:\Windows\System\AKVlNUa.exe
  C:\Windows\System\AKVlNUa.exe
  2⤵
  PID:6540
- C:\Windows\System\iarIIDf.exe
  C:\Windows\System\iarIIDf.exe
  2⤵
  PID:6572
- C:\Windows\System\YAOhkXY.exe
  C:\Windows\System\YAOhkXY.exe
  2⤵
  PID:6600
- C:\Windows\System\AgWzFmZ.exe
  C:\Windows\System\AgWzFmZ.exe
  2⤵
  PID:6632
- C:\Windows\System\pYfZcbA.exe
  C:\Windows\System\pYfZcbA.exe
  2⤵
  PID:6680
- C:\Windows\System\pnpopKW.exe
  C:\Windows\System\pnpopKW.exe
  2⤵
  PID:6712
- C:\Windows\System\iIZfZPe.exe
  C:\Windows\System\iIZfZPe.exe
  2⤵
  PID:6736
- C:\Windows\System\aPadidU.exe
  C:\Windows\System\aPadidU.exe
  2⤵
  PID:6764
- C:\Windows\System\WPMKoNj.exe
  C:\Windows\System\WPMKoNj.exe
  2⤵
  PID:6796
- C:\Windows\System\TgGHdQM.exe
  C:\Windows\System\TgGHdQM.exe
  2⤵
  PID:6828
- C:\Windows\System\OJejYQV.exe
  C:\Windows\System\OJejYQV.exe
  2⤵
  PID:6860
- C:\Windows\System\hcYBKbh.exe
  C:\Windows\System\hcYBKbh.exe
  2⤵
  PID:6892
- C:\Windows\System\LMZlwCg.exe
  C:\Windows\System\LMZlwCg.exe
  2⤵
  PID:6920
- C:\Windows\System\vayakVs.exe
  C:\Windows\System\vayakVs.exe
  2⤵
  PID:6952
- C:\Windows\System\UyDwygd.exe
  C:\Windows\System\UyDwygd.exe
  2⤵
  PID:6984
- C:\Windows\System\cWCPwlF.exe
  C:\Windows\System\cWCPwlF.exe
  2⤵
  PID:7016
- C:\Windows\System\mMbdfBx.exe
  C:\Windows\System\mMbdfBx.exe
  2⤵
  PID:7052
- C:\Windows\System\FVPzJur.exe
  C:\Windows\System\FVPzJur.exe
  2⤵
  PID:7088
- C:\Windows\System\VGXyTNH.exe
  C:\Windows\System\VGXyTNH.exe
  2⤵
  PID:7124
- C:\Windows\System\rzzzjGD.exe
  C:\Windows\System\rzzzjGD.exe
  2⤵
  PID:7160
- C:\Windows\System\DiPWWbZ.exe
  C:\Windows\System\DiPWWbZ.exe
  2⤵
  PID:1540
- C:\Windows\System\sGPKeRX.exe
  C:\Windows\System\sGPKeRX.exe
  2⤵
  PID:3540
- C:\Windows\System\tGZLIgw.exe
  C:\Windows\System\tGZLIgw.exe
  2⤵
  PID:2792
- C:\Windows\System\UnVNeSQ.exe
  C:\Windows\System\UnVNeSQ.exe
  2⤵
  PID:4836
- C:\Windows\System\WDjwNxh.exe
  C:\Windows\System\WDjwNxh.exe
  2⤵
  PID:1708
- C:\Windows\System\BFgYugS.exe
  C:\Windows\System\BFgYugS.exe
  2⤵
  PID:6228
- C:\Windows\System\edfIDfV.exe
  C:\Windows\System\edfIDfV.exe
  2⤵
  PID:6284
- C:\Windows\System\QxtQTpi.exe
  C:\Windows\System\QxtQTpi.exe
  2⤵
  PID:2832
- C:\Windows\System\ihXcAyf.exe
  C:\Windows\System\ihXcAyf.exe
  2⤵
  PID:6380
- C:\Windows\System\QJOicyU.exe
  C:\Windows\System\QJOicyU.exe
  2⤵
  PID:4616
- C:\Windows\System\LYUBedJ.exe
  C:\Windows\System\LYUBedJ.exe
  2⤵
  PID:6456
- C:\Windows\System\LgCIEQz.exe
  C:\Windows\System\LgCIEQz.exe
  2⤵
  PID:6668
- C:\Windows\System\YkraYor.exe
  C:\Windows\System\YkraYor.exe
  2⤵
  PID:6752
- C:\Windows\System\HVisPQu.exe
  C:\Windows\System\HVisPQu.exe
  2⤵
  PID:6772
- C:\Windows\System\XZUXWfm.exe
  C:\Windows\System\XZUXWfm.exe
  2⤵
  PID:6820
- C:\Windows\System\UNoLCGx.exe
  C:\Windows\System\UNoLCGx.exe
  2⤵
  PID:6852
- C:\Windows\System\NAbKUmo.exe
  C:\Windows\System\NAbKUmo.exe
  2⤵
  PID:6884
- C:\Windows\System\ozsLIQM.exe
  C:\Windows\System\ozsLIQM.exe
  2⤵
  PID:4520
- C:\Windows\System\nPJcKnH.exe
  C:\Windows\System\nPJcKnH.exe
  2⤵
  PID:6960
- C:\Windows\System\yzUzDZz.exe
  C:\Windows\System\yzUzDZz.exe
  2⤵
  PID:7024
- C:\Windows\System\xpiolmn.exe
  C:\Windows\System\xpiolmn.exe
  2⤵
  PID:7076
- C:\Windows\System\eIbPurw.exe
  C:\Windows\System\eIbPurw.exe
  2⤵
  PID:7132
- C:\Windows\System\WzUeclk.exe
  C:\Windows\System\WzUeclk.exe
  2⤵
  PID:7156
- C:\Windows\System\rBGUwRU.exe
  C:\Windows\System\rBGUwRU.exe
  2⤵
  PID:2888
- C:\Windows\System\srkxktE.exe
  C:\Windows\System\srkxktE.exe
  2⤵
  PID:4764
- C:\Windows\System\uHkbtqA.exe
  C:\Windows\System\uHkbtqA.exe
  2⤵
  PID:2408
- C:\Windows\System\IsSIAsn.exe
  C:\Windows\System\IsSIAsn.exe
  2⤵
  PID:6212
- C:\Windows\System\gqGlJxo.exe
  C:\Windows\System\gqGlJxo.exe
  2⤵
  PID:2280
- C:\Windows\System\rqUtXEf.exe
  C:\Windows\System\rqUtXEf.exe
  2⤵
  PID:6352
- C:\Windows\System\TDWMdiy.exe
  C:\Windows\System\TDWMdiy.exe
  2⤵
  PID:4132
- C:\Windows\System\haVMKeM.exe
  C:\Windows\System\haVMKeM.exe
  2⤵
  PID:2988
- C:\Windows\System\nvSiApa.exe
  C:\Windows\System\nvSiApa.exe
  2⤵
  PID:3432
- C:\Windows\System\mdCEOBS.exe
  C:\Windows\System\mdCEOBS.exe
  2⤵
  PID:564
- C:\Windows\System\dyMVmfV.exe
  C:\Windows\System\dyMVmfV.exe
  2⤵
  PID:1408
- C:\Windows\System\osQiPWK.exe
  C:\Windows\System\osQiPWK.exe
  2⤵
  PID:6536
- C:\Windows\System\copayHx.exe
  C:\Windows\System\copayHx.exe
  2⤵
  PID:2468
- C:\Windows\System\nckbMMS.exe
  C:\Windows\System\nckbMMS.exe
  2⤵
  PID:5776
- C:\Windows\System\usXbyEp.exe
  C:\Windows\System\usXbyEp.exe
  2⤵
  PID:6136
- C:\Windows\System\yTMITHd.exe
  C:\Windows\System\yTMITHd.exe
  2⤵
  PID:6440
- C:\Windows\System\mbVvtDN.exe
  C:\Windows\System\mbVvtDN.exe
  2⤵
  PID:6676
- C:\Windows\System\MgIJCTL.exe
  C:\Windows\System\MgIJCTL.exe
  2⤵
  PID:6792
- C:\Windows\System\yPFQsHQ.exe
  C:\Windows\System\yPFQsHQ.exe
  2⤵
  PID:6848
- C:\Windows\System\WQjXAfv.exe
  C:\Windows\System\WQjXAfv.exe
  2⤵
  PID:6912
- C:\Windows\System\YCulqNJ.exe
  C:\Windows\System\YCulqNJ.exe
  2⤵
  PID:7012
- C:\Windows\System\HHULfXr.exe
  C:\Windows\System\HHULfXr.exe
  2⤵
  PID:6596
- C:\Windows\System\EcXnCcx.exe
  C:\Windows\System\EcXnCcx.exe
  2⤵
  PID:4920
- C:\Windows\System\GGOLRxE.exe
  C:\Windows\System\GGOLRxE.exe
  2⤵
  PID:1380
- C:\Windows\System\ToUczLI.exe
  C:\Windows\System\ToUczLI.exe
  2⤵
  PID:2140
- C:\Windows\System\oHpFoMv.exe
  C:\Windows\System\oHpFoMv.exe
  2⤵
  PID:6376
- C:\Windows\System\jhlnyhx.exe
  C:\Windows\System\jhlnyhx.exe
  2⤵
  PID:6560
- C:\Windows\System\rnyMSKy.exe
  C:\Windows\System\rnyMSKy.exe
  2⤵
  PID:4328
- C:\Windows\System\EdKZnWw.exe
  C:\Windows\System\EdKZnWw.exe
  2⤵
  PID:6728
- C:\Windows\System\JxDCrcz.exe
  C:\Windows\System\JxDCrcz.exe
  2⤵
  PID:6880
- C:\Windows\System\KalLEhU.exe
  C:\Windows\System\KalLEhU.exe
  2⤵
  PID:6396
- C:\Windows\System\lRQaaMW.exe
  C:\Windows\System\lRQaaMW.exe
  2⤵
  PID:1000
- C:\Windows\System\ECGqZqR.exe
  C:\Windows\System\ECGqZqR.exe
  2⤵
  PID:6548
- C:\Windows\System\oiTUlyl.exe
  C:\Windows\System\oiTUlyl.exe
  2⤵
  PID:5896
- C:\Windows\System\ZIGueMd.exe
  C:\Windows\System\ZIGueMd.exe
  2⤵
  PID:6836
- C:\Windows\System\xudXIQb.exe
  C:\Windows\System\xudXIQb.exe
  2⤵
  PID:2156
- C:\Windows\System\NcmeXeA.exe
  C:\Windows\System\NcmeXeA.exe
  2⤵
  PID:6016
- C:\Windows\System\pQpzZmC.exe
  C:\Windows\System\pQpzZmC.exe
  2⤵
  PID:7188
- C:\Windows\System\IYHyEfi.exe
  C:\Windows\System\IYHyEfi.exe
  2⤵
  PID:7204
- C:\Windows\System\WAsevxO.exe
  C:\Windows\System\WAsevxO.exe
  2⤵
  PID:7224
- C:\Windows\System\IXnbkqb.exe
  C:\Windows\System\IXnbkqb.exe
  2⤵
  PID:7244
- C:\Windows\System\ChZFvzA.exe
  C:\Windows\System\ChZFvzA.exe
  2⤵
  PID:7268
- C:\Windows\System\OCTKsem.exe
  C:\Windows\System\OCTKsem.exe
  2⤵
  PID:7296
- C:\Windows\System\vdHemVd.exe
  C:\Windows\System\vdHemVd.exe
  2⤵
  PID:7316
- C:\Windows\System\fWxtMYN.exe
  C:\Windows\System\fWxtMYN.exe
  2⤵
  PID:7332
- C:\Windows\System\qpGKGje.exe
  C:\Windows\System\qpGKGje.exe
  2⤵
  PID:7356
- C:\Windows\System\CuIMQez.exe
  C:\Windows\System\CuIMQez.exe
  2⤵
  PID:7420
- C:\Windows\System\nnugXjL.exe
  C:\Windows\System\nnugXjL.exe
  2⤵
  PID:7512
- C:\Windows\System\tDETsCg.exe
  C:\Windows\System\tDETsCg.exe
  2⤵
  PID:7540
- C:\Windows\System\scpXrhl.exe
  C:\Windows\System\scpXrhl.exe
  2⤵
  PID:7564
- C:\Windows\System\TSmMjHG.exe
  C:\Windows\System\TSmMjHG.exe
  2⤵
  PID:7580
- C:\Windows\System\hDNxFGg.exe
  C:\Windows\System\hDNxFGg.exe
  2⤵
  PID:7600
- C:\Windows\System\PiViQsZ.exe
  C:\Windows\System\PiViQsZ.exe
  2⤵
  PID:7624
- C:\Windows\System\ZhLoRLT.exe
  C:\Windows\System\ZhLoRLT.exe
  2⤵
  PID:7648
- C:\Windows\System\VTkRyfQ.exe
  C:\Windows\System\VTkRyfQ.exe
  2⤵
  PID:7688
- C:\Windows\System\twqeYvO.exe
  C:\Windows\System\twqeYvO.exe
  2⤵
  PID:7748
- C:\Windows\System\FAXIIwC.exe
  C:\Windows\System\FAXIIwC.exe
  2⤵
  PID:7768
- C:\Windows\System\adiGPXl.exe
  C:\Windows\System\adiGPXl.exe
  2⤵
  PID:7904
- C:\Windows\System\dFVapkl.exe
  C:\Windows\System\dFVapkl.exe
  2⤵
  PID:7940
- C:\Windows\System\wUhzYFT.exe
  C:\Windows\System\wUhzYFT.exe
  2⤵
  PID:7960
- C:\Windows\System\kheMtwn.exe
  C:\Windows\System\kheMtwn.exe
  2⤵
  PID:7984
- C:\Windows\System\BVsyqYb.exe
  C:\Windows\System\BVsyqYb.exe
  2⤵
  PID:8000
- C:\Windows\System\DNuqUHp.exe
  C:\Windows\System\DNuqUHp.exe
  2⤵
  PID:8024
- C:\Windows\System\yqWUAke.exe
  C:\Windows\System\yqWUAke.exe
  2⤵
  PID:8044
- C:\Windows\System\DVwTQyZ.exe
  C:\Windows\System\DVwTQyZ.exe
  2⤵
  PID:8068
- C:\Windows\System\ptcRnpA.exe
  C:\Windows\System\ptcRnpA.exe
  2⤵
  PID:8084
- C:\Windows\System\ofLRAPl.exe
  C:\Windows\System\ofLRAPl.exe
  2⤵
  PID:8140
- C:\Windows\System\EAxrdJo.exe
  C:\Windows\System\EAxrdJo.exe
  2⤵
  PID:8160
- C:\Windows\System\jjvHbyE.exe
  C:\Windows\System\jjvHbyE.exe
  2⤵
  PID:8180
- C:\Windows\System\pOLYpVr.exe
  C:\Windows\System\pOLYpVr.exe
  2⤵
  PID:6652
- C:\Windows\System\erhtGIA.exe
  C:\Windows\System\erhtGIA.exe
  2⤵
  PID:7216
- C:\Windows\System\dMVUTES.exe
  C:\Windows\System\dMVUTES.exe
  2⤵
  PID:7256
- C:\Windows\System\PnnWVGt.exe
  C:\Windows\System\PnnWVGt.exe
  2⤵
  PID:7288
- C:\Windows\System\bmMWFdf.exe
  C:\Windows\System\bmMWFdf.exe
  2⤵
  PID:7328
- C:\Windows\System\WGxxYEf.exe
  C:\Windows\System\WGxxYEf.exe
  2⤵
  PID:7304
- C:\Windows\System\ydxDfis.exe
  C:\Windows\System\ydxDfis.exe
  2⤵
  PID:7384
- C:\Windows\System\OMILZnp.exe
  C:\Windows\System\OMILZnp.exe
  2⤵
  PID:7520
- C:\Windows\System\wUOjGkn.exe
  C:\Windows\System\wUOjGkn.exe
  2⤵
  PID:7552
- C:\Windows\System\tfjqCpf.exe
  C:\Windows\System\tfjqCpf.exe
  2⤵
  PID:7644
- C:\Windows\System\dhTXCnx.exe
  C:\Windows\System\dhTXCnx.exe
  2⤵
  PID:7680
- C:\Windows\System\zmbYcfn.exe
  C:\Windows\System\zmbYcfn.exe
  2⤵
  PID:7760
- C:\Windows\System\iDwRacQ.exe
  C:\Windows\System\iDwRacQ.exe
  2⤵
  PID:7840
- C:\Windows\System\WnZARii.exe
  C:\Windows\System\WnZARii.exe
  2⤵
  PID:7972
- C:\Windows\System\fbyraRc.exe
  C:\Windows\System\fbyraRc.exe
  2⤵
  PID:8172
- C:\Windows\System\OKaVVIs.exe
  C:\Windows\System\OKaVVIs.exe
  2⤵
  PID:7172
- C:\Windows\System\LIRQQcN.exe
  C:\Windows\System\LIRQQcN.exe
  2⤵
  PID:7352
- C:\Windows\System\dLsBGIK.exe
  C:\Windows\System\dLsBGIK.exe
  2⤵
  PID:7200
- C:\Windows\System\AZGjDrT.exe
  C:\Windows\System\AZGjDrT.exe
  2⤵
  PID:6744
- C:\Windows\System\LzlJJlj.exe
  C:\Windows\System\LzlJJlj.exe
  2⤵
  PID:7528
- C:\Windows\System\jPkcBop.exe
  C:\Windows\System\jPkcBop.exe
  2⤵
  PID:7636
- C:\Windows\System\KqAxfyo.exe
  C:\Windows\System\KqAxfyo.exe
  2⤵
  PID:7560
- C:\Windows\System\JtONaLP.exe
  C:\Windows\System\JtONaLP.exe
  2⤵
  PID:7968
- C:\Windows\System\OourBnX.exe
  C:\Windows\System\OourBnX.exe
  2⤵
  PID:7264
- C:\Windows\System\evQuyVQ.exe
  C:\Windows\System\evQuyVQ.exe
  2⤵
  PID:7176
- C:\Windows\System\RtkAexq.exe
  C:\Windows\System\RtkAexq.exe
  2⤵
  PID:7464
- C:\Windows\System\vaLzVuF.exe
  C:\Windows\System\vaLzVuF.exe
  2⤵
  PID:8012
- C:\Windows\System\EQDXzmb.exe
  C:\Windows\System\EQDXzmb.exe
  2⤵
  PID:7892
- C:\Windows\System\FIJBlog.exe
  C:\Windows\System\FIJBlog.exe
  2⤵
  PID:8200
- C:\Windows\System\YVgSHgq.exe
  C:\Windows\System\YVgSHgq.exe
  2⤵
  PID:8224
- C:\Windows\System\Yiladhv.exe
  C:\Windows\System\Yiladhv.exe
  2⤵
  PID:8240
- C:\Windows\System\xXLjxWh.exe
  C:\Windows\System\xXLjxWh.exe
  2⤵
  PID:8280
- C:\Windows\System\pzqGEnk.exe
  C:\Windows\System\pzqGEnk.exe
  2⤵
  PID:8296
- C:\Windows\System\icgIpbw.exe
  C:\Windows\System\icgIpbw.exe
  2⤵
  PID:8312
- C:\Windows\System\zrjDpMz.exe
  C:\Windows\System\zrjDpMz.exe
  2⤵
  PID:8368
- C:\Windows\System\PrpAdss.exe
  C:\Windows\System\PrpAdss.exe
  2⤵
  PID:8388
- C:\Windows\System\JpPrwWW.exe
  C:\Windows\System\JpPrwWW.exe
  2⤵
  PID:8412
- C:\Windows\System\SyNuCAx.exe
  C:\Windows\System\SyNuCAx.exe
  2⤵
  PID:8472
- C:\Windows\System\SXXVscf.exe
  C:\Windows\System\SXXVscf.exe
  2⤵
  PID:8492
- C:\Windows\System\xeWTXgw.exe
  C:\Windows\System\xeWTXgw.exe
  2⤵
  PID:8520
- C:\Windows\System\pnocalX.exe
  C:\Windows\System\pnocalX.exe
  2⤵
  PID:8536
- C:\Windows\System\qIExMWT.exe
  C:\Windows\System\qIExMWT.exe
  2⤵
  PID:8560
- C:\Windows\System\LHhVpus.exe
  C:\Windows\System\LHhVpus.exe
  2⤵
  PID:8584
- C:\Windows\System\nceSMIS.exe
  C:\Windows\System\nceSMIS.exe
  2⤵
  PID:8600
- C:\Windows\System\iEULozx.exe
  C:\Windows\System\iEULozx.exe
  2⤵
  PID:8624
- C:\Windows\System\QjtietB.exe
  C:\Windows\System\QjtietB.exe
  2⤵
  PID:8672
- C:\Windows\System\AByNHBg.exe
  C:\Windows\System\AByNHBg.exe
  2⤵
  PID:8692
- C:\Windows\System\MONaZXW.exe
  C:\Windows\System\MONaZXW.exe
  2⤵
  PID:8716
- C:\Windows\System\Ahhhzoz.exe
  C:\Windows\System\Ahhhzoz.exe
  2⤵
  PID:8732
- C:\Windows\System\KDjwSAU.exe
  C:\Windows\System\KDjwSAU.exe
  2⤵
  PID:8756
- C:\Windows\System\nUlfHKM.exe
  C:\Windows\System\nUlfHKM.exe
  2⤵
  PID:8772
- C:\Windows\System\ULxiKOP.exe
  C:\Windows\System\ULxiKOP.exe
  2⤵
  PID:8796
- C:\Windows\System\fMNQnrE.exe
  C:\Windows\System\fMNQnrE.exe
  2⤵
  PID:8820
- C:\Windows\System\jZBRmdP.exe
  C:\Windows\System\jZBRmdP.exe
  2⤵
  PID:8928
- C:\Windows\System\HfICOEI.exe
  C:\Windows\System\HfICOEI.exe
  2⤵
  PID:9020
- C:\Windows\System\hJcTcbZ.exe
  C:\Windows\System\hJcTcbZ.exe
  2⤵
  PID:9056
- C:\Windows\System\HMRUmLQ.exe
  C:\Windows\System\HMRUmLQ.exe
  2⤵
  PID:9084
- C:\Windows\System\kfGeYeA.exe
  C:\Windows\System\kfGeYeA.exe
  2⤵
  PID:9132
- C:\Windows\System\vuJIiKv.exe
  C:\Windows\System\vuJIiKv.exe
  2⤵
  PID:9168
- C:\Windows\System\soMeJpT.exe
  C:\Windows\System\soMeJpT.exe
  2⤵
  PID:9184
- C:\Windows\System\RcxDbhv.exe
  C:\Windows\System\RcxDbhv.exe
  2⤵
  PID:9204
- C:\Windows\System\xxZAniz.exe
  C:\Windows\System\xxZAniz.exe
  2⤵
  PID:7504
- C:\Windows\System\KDKOGDa.exe
  C:\Windows\System\KDKOGDa.exe
  2⤵
  PID:456
- C:\Windows\System\xAgvvxv.exe
  C:\Windows\System\xAgvvxv.exe
  2⤵
  PID:8212
- C:\Windows\System\gxRvALv.exe
  C:\Windows\System\gxRvALv.exe
  2⤵
  PID:8232
- C:\Windows\System\skUPoaZ.exe
  C:\Windows\System\skUPoaZ.exe
  2⤵
  PID:8364
- C:\Windows\System\isdjegK.exe
  C:\Windows\System\isdjegK.exe
  2⤵
  PID:8436
- C:\Windows\System\cyrTaAJ.exe
  C:\Windows\System\cyrTaAJ.exe
  2⤵
  PID:8552
- C:\Windows\System\TVPvBri.exe
  C:\Windows\System\TVPvBri.exe
  2⤵
  PID:8596

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:8808

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AOaljKO.exe

Filesize
2.0MB

MD5
99770c265ea47f9fb035dcc1f1406cfa

SHA1
a5d7a91a00b8d002e8f37bf83a4f6e80317057b2

SHA256
d8d33b82cadcc954341b5fc7544a55d439b7eb59501ea3010653cda51acfcbbb

SHA512
94ff13d962f6ba08a29ae6e1cc74471b4cd9b5ea9d6f91cf3b2c79dc44ae5635deea60eb868300426ce1b4ef6624e38b353290f7f1ddb4f03f5f6eab71682847

Download Submit
C:\Windows\System\CXSuYjA.exe

Filesize
2.0MB

MD5
29177e7f72e8278db5e836b2da9c6275

SHA1
beab904363b1bba332cb412c104bba70ed11655f

SHA256
082d8e269d711671bd6cc42d4706b94cd68dd06a679dc6def2956fba61b14a3b

SHA512
7cfd5ff2ca29900fa659c8c23fab9c7bec9fd3a6eaac69d79975235bc40c3ebed3894962e952a2d00bb0a7b31956255954f480ff146ec432af04a7b607d6cb32

Download Submit
C:\Windows\System\EoZoCWK.exe

Filesize
2.0MB

MD5
33ab94e4a90f514ca00eaae5a0bb9637

SHA1
18164771df18986a4abf61deee6a4881738bd644

SHA256
362573185867f3ee403ae945f34dafbc49fda341588eb149c21bfbfd027762ec

SHA512
a45cfb244b8281ae5191df62f4acbf244e89b185acc1c4a464f36f72c604fd6770cfe526fd0d622800b82fb617f34795bdd998e367532b0272222eb5d5dee486

Download Submit
C:\Windows\System\EoZoCWK.exe

Filesize
64KB

MD5
51e4020b90426a266032ae5bcb74e5b3

SHA1
242fa8dc7d05d7b78f629fe2652627274810a122

SHA256
5984cb4794a67b4fd33c39a8582f294030d387db17fdb4933391142fb7f614c6

SHA512
5acda5a7b0ce962164cbb0c2fe75fb43a2d35d269fbb33e0eda06f3daf5a3cc37b11c0b76c58b3b3846604a879813821c87b0ead541065090905bfc897125758

Download Submit
C:\Windows\System\FShmGWo.exe

Filesize
2.0MB

MD5
7a1f1406c1906979a1a78157bc247b37

SHA1
ea136a2c80b7932f543156c71dbe4796051bf021

SHA256
cbfb0bfd4b4c3ce1913abe45bf35b017b4fc4a241bf8ed109ec43c8c19b2d4cf

SHA512
8a7fcdfda7171032855d11cd38764042faaf7dc85fdc1e930ab298add26bc50023b02600861cb7ab5e4ba4f8fcf64fe314e480eed6ec11df9b3321f6c9b6aeb3

Download Submit
C:\Windows\System\GPfaWvN.exe

Filesize
2.0MB

MD5
71055d2c5e103d0a08c5a52faf5c4652

SHA1
1b6e90eccad7b5177434dc33e8a89e446148024e

SHA256
3a9f83b92ec593775e204f742a56e9c3f8d0346891573838256797b9913c4acb

SHA512
23985d43d4ee87d388b85373d47260cf3e736890cdcba156bc5856a8adf12b062fb1dbb8ec44dee609c3e9b4916ab6d9660e0360d0e6d8128c2ed053ad23bbc2

Download Submit
C:\Windows\System\GpMDNuO.exe

Filesize
2.0MB

MD5
f2eaf3133a3a1faefb304d27fcefc932

SHA1
e89733609c1afd09c6177e24b3545434d453c2f8

SHA256
323da01b7621968fc9f7469df7360603142c60795c32a8974d7e5b34faf756eb

SHA512
fb4ff1c92a9452a1312d7475e0ad7e6562e171d013c030c94c50d4520105be24ddc0edb35a8b8471ee4d389c320b006d64f02921d42e3cb64f7e3e6eece9fc08

Download Submit
C:\Windows\System\HtqHJUZ.exe

Filesize
2.0MB

MD5
e11c9cc30f89f59174218f26bce854f9

SHA1
54d60d42412934d93dc9d07a29655cf2522583cb

SHA256
9fe9f49775da77838b1cbee72c0a9a4505c09c91687e4e95e88e6ce0c0436846

SHA512
d83207d7cc1bef520f94eeef49ef9c622502dd43f20bee48a725cc4d13bc5dd69c8166b5b146d696502bb4357c124d3d425bdf655f139fe4df93f3efaa62d5f9

Download Submit
C:\Windows\System\HtqHJUZ.exe

Filesize
320KB

MD5
d21590ae8170aaccbcd19e7067ab6994

SHA1
10f350169749c21440531509a3e7295f89c18083

SHA256
46a31c66a5e2b5dc524bccbbcd87f163f058b2fedffe048e3850fee93fbd703a

SHA512
0a218e8b4f06e2867073755e2a8ca9407d373ed70a6cdd1433032aeda4491ab35054bde1767383405cb6459bec67b81063efb85a1f210d8040c877770e4e047f

Download Submit
C:\Windows\System\ICJnlQx.exe

Filesize
2.0MB

MD5
2d273a16dfcaa9a1fbdba57e1f3f2f67

SHA1
bc6eef6e5643353c7ddc416bbdaf5633b547fa01

SHA256
f2e31d05b4ac712e6114293be37c492af5546b985b3323b33bcb8cbe9e1ea4a4

SHA512
4a8b56f0f2c2d2dfdc6e3659ffb39cbf869c8d56533ec7ed79b0cee15df547f5aa4084bf4893f529cd77813caf9b2747dc4033a7fbe06b209a9a9c1775bfde58

Download Submit
C:\Windows\System\ICJnlQx.exe

Filesize
14KB

MD5
dc44fb2b3e57e75c8602aa4c49539a5a

SHA1
24d941c20591e062b13370ff61695ba9a0df3ddd

SHA256
239057df4cfe21552e1f81bd6c8a1d05dc2da476fa8d51f2abc685d5edb284e7

SHA512
df7086ec197871656f6dbb264459c3e607921ef5f7df012183b1e78378425131eb62a52ea1cb4abef39705630474c99405c280f76d05f98848003a90ee35f713

Download Submit
C:\Windows\System\IOaqVUQ.exe

Filesize
448KB

MD5
0642442db4acbbfb6037e06789624264

SHA1
923aee440a6887c7a7a8a78085aa492b2cdcee65

SHA256
5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

SHA512
7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

Download Submit
C:\Windows\System\IOaqVUQ.exe

Filesize
640KB

MD5
469aca0e2abc33bcc5100f89b3196890

SHA1
b77c2be76b0bcd5c1640c82143bf4ae8abf6ed35

SHA256
8e4d419e754f89fae1d30741df9483d06709f6d20541cbce976b97c6b74f264f

SHA512
bb8f27156094a7b200e5c1844466de9827240ad5c62598ca983899918fcfddc76480438ab7ff457f4059655d26f5dee65f9d3ba57dc850a7e0c1c267d7e2bdae

Download Submit
C:\Windows\System\JQPzsNo.exe

Filesize
2.0MB

MD5
61dba7c30e13fee818b90d617ec11293

SHA1
40a551c286e49245ec0be7fd32d53074d1e9b972

SHA256
33673390238ba7c4f0ed7067bc815e4513194e68910218c2a8a344e9c3e97a0b

SHA512
52fb8bd7032c1c9f0ecb7b301f8274174d587ca1291e7a76d94e6a1927d919de2aeb511aca3002b746518bb898bfd7cb9ccf7b34159c438754e3f203f33b6a6c

Download Submit
C:\Windows\System\JqpuNmC.exe

Filesize
2.0MB

MD5
ce7453a5b512d3d8b2a742743cee0414

SHA1
8ac222d16fce8af98eeeb84e564bf5bf1221295c

SHA256
8b3f8bc53cb3bbdc7dd31167c7e40aef6c8394ce52235d524d6811b1e7a0f0d0

SHA512
c95312b6a9f363759888df3a68ab93610fa6794f380bd1d32e0f1fd1bfae65cf8e3da2d1ad7d27174d3eab16f9d78e4c4b3353381f6dbfbff65923f346ea452c

Download Submit
C:\Windows\System\KqwimIM.exe

Filesize
2.0MB

MD5
f4a8b7f1890656516fcb3e0ac3459957

SHA1
f0d19c50f9fe0f77fea6d30733c6862c8e965b92

SHA256
cae17632ce91a71a549258312facf49ef6937d9807055a8c44d493a92645bb0d

SHA512
45f31b00c892a57a6389c8963297b8061bfc27d76ea1d6ecbe32a5153a6d84e32e8f7ad748a29b44cd32a7fab4646fb31b1145601438934d89d4a438dbd87538

Download Submit
C:\Windows\System\LbEDYul.exe

Filesize
2.0MB

MD5
e284c7b6cc482eec201e12eade36bdae

SHA1
18d5868a32ad99d903b86184c17c7dd7cdfdd893

SHA256
cb019630a0aff2d26b4820f3ef6932fc0138e7793cf37f44c7f878ced60cad89

SHA512
121e7a6dc4143245975441509ea96d9fcce59f3bfaf6c3064f5e8a692d115455b37c9955fb3edcd5cfb13e9612543de323160f1cd70bd0c3e040cf57000c1728

Download Submit
C:\Windows\System\LssvvtR.exe

Filesize
2.0MB

MD5
1261484e79f88786e99a1311a7ac8463

SHA1
2c8b65839a07c8a9830c8d3e06bfd1ef4f4caa28

SHA256
09cf3f371e576effb5a358744750221b81a162adb07f8d6a854171d4d18a19aa

SHA512
c6949e5d663411b281dcd6756325ae8612070ca92c457e8c742add2e3f7a893843e59a4dd87f25ef9114575cd5f16aa20ecd00ae01229d5370d94e4f269af862

Download Submit
C:\Windows\System\Mfazhhq.exe

Filesize
2.0MB

MD5
86c70a6da550d69bf498493ced776ae2

SHA1
f323b0260d063fcda04023dd6640029ecde73d1d

SHA256
a12c42042a96fa29baa211115725f9fef2e52f40de4b0c9355de013972718cd9

SHA512
a3d2e1bb95c6a44df934abd7f3bc61372b986a52383e15e1e9c8c20888768875f86dbf79ac6b27cc1eaa78f5758e3dc14d83e7c99427fa99c1649983d70adcc4

Download Submit
C:\Windows\System\PhoyiVN.exe

Filesize
832KB

MD5
fe23d8f2a683ea3c37e211db5c47c198

SHA1
c8d98757080f758fa71fe2947f967f4c2ba26b77

SHA256
e791fb8dbe7f5a7d384dc32653c49cf355982fbc2394ea1e3030cd6ebb798cb8

SHA512
ff5ab31bffe4dcd555455f3d81b2d9fca6cd687b604f37f4aa99e780677c84919321fd43b5fd13f9cb6081978b182fef58c2564f773d39cf2fefe33142ce3656

Download Submit
C:\Windows\System\PhoyiVN.exe

Filesize
2.0MB

MD5
bcf1eb19fc90a1ced0166eee4c7531fd

SHA1
d4d8c34d3683e59e02cc7e4fabfee0c8346abc8d

SHA256
7d41e21f2f56afa7b711d6fc77b537080d8b15bd7a5323a9556889a273fc0736

SHA512
784ae93689713a306d927ab7df18d907c8b816ee3dae3c53ca0a9866e08712593a5c8cf13dc866b92a92f15f27318c17ae82cfbfbd326f19e269ddb62a230362

Download Submit
C:\Windows\System\QBhCYlu.exe

Filesize
2.0MB

MD5
e0e7792ad12c24e28619b24f66c99345

SHA1
ae6aba130cc65a9c69d80f4fcef01ea9861a7b01

SHA256
f4e79c97b94ec996ab1b77f253c61619ea019c03a1829e172d468770c58063e6

SHA512
cab22462ce90096caeb159ea4971016ff049502e25db34bd773b26d7f703dbd1edfb8bd51ecf9c25b7881db247f73e2c234ef99ec7ab3194867ac75f90c490a9

Download Submit
C:\Windows\System\RLEtSSd.exe

Filesize
2.0MB

MD5
6a8ff0da02e5dc61188deabf3fbd33b1

SHA1
2db9bfc9cc56318384055604627379a221b4ae16

SHA256
76a045c03d368d64e1b0fe48baf378a6d6afb0417752d04cee35b2e3d50a2d3a

SHA512
a11ac4f886ae64edb0212fd9b4a99105084886c29db6d245ef27bdb1de05f55ecb6fb2f333ae3218aa9436c0d4ab7e193ae7c5ce2b027356f5af014d0fe553af

Download Submit
C:\Windows\System\XWpULYE.exe

Filesize
2.0MB

MD5
402a6d93867358daebee648b0f1e042b

SHA1
44c024883f035df02e5530e99517f8a4a948c4f1

SHA256
1de81d064d7b288a2e5b47f40f5bbee2ecc0cd1bc719d93c9a4b1e1f0a73c345

SHA512
1e3a6bb0df812da5cba7aa27993228bae97c015510565a7bf3325577fdee052de9ad16ddde50ebb7c0dd3da1476285e7d801eaa4c1801d95fd669c1f76088986

Download Submit
C:\Windows\System\cnDYBKu.exe

Filesize
2.0MB

MD5
463180aa79595eaaae3f9a918a71655e

SHA1
34996ae0d90a00d6ad15a27d3e9e6a8832971cb4

SHA256
200cf2d2c1cbf3bee1995800d3d76569817716b2e4349f40fa12bd6e3a3588a9

SHA512
4590b9681dd1a0c9873ffba68df0578030fe7c8dfa4e6f35afb6942bbe6fc55faef754d517799886e966d0aebdd7fb0914d76daab840c05459089c6d273871e8

Download Submit
C:\Windows\System\cqyREfu.exe

Filesize
2.0MB

MD5
079e5bcca4ed43301fcc4699aee7ed85

SHA1
e01b77d547c51715c3dff6380a76a72bc11bde3e

SHA256
e7a1271989d887a72e79882c00b442e6e8bef5e3e0dacb78a7a6515ebb7a35ca

SHA512
d3a344ba632048b67e8378e4dcbf508ea6894da94a846e9df5e12baaf94c94bb069e4f42e45bb35c5c4bf19627f266ef89e407e3a8453afb1e57500ef17d330b

Download Submit
C:\Windows\System\cvmGQGh.exe

Filesize
2.0MB

MD5
e942dfb45f12b1acc5bf8ef6492753c6

SHA1
a143b953dbb89fd9354b1b742aeb0447e0d59319

SHA256
d30c58a3eaee4fc610c4ddba2340e760e73561bf2d52c8037d1bcbccd9ce9f16

SHA512
201fb1fc2d9cdf6060cc6031dac6358c54aee137a3e0602ce3665804dfa54cf4d9fda5ee0b00ca216cb504bf3bd5d4b25241a0e17349d88b09bc083ccfbae243

Download Submit
C:\Windows\System\ekXzntP.exe

Filesize
2.0MB

MD5
43e18bb53eb1075299a1e9798b5c7c5a

SHA1
324b4db946a9c7f5379742c9c82e7dabd666acbf

SHA256
f81e61f473848b096cfa7cb6e3667ecd7f0976670f8baf3e91c312aa7d9b7b5f

SHA512
6182a35dec8b1affab05b17fa8a0d179c9c5ad5d6424c2a1b347145cb57284175e08bb2e7a1800315c743470c53a2dbc865ad2f6409112cd9e0e65ab3e432789

Download Submit
C:\Windows\System\ekXzntP.exe

Filesize
42KB

MD5
ab398a97be87d673255417e437ed11c3

SHA1
a207c79044fac84521152ca54b08f23fa43a0970

SHA256
5644db319c1fb8e72a9aeaa6e73282113e3c9d0fe85c37ee13bdc705d3cd33ae

SHA512
154ad80913e59455f3535456f30b1d6fcbb702821ca5f14b62b5f68c4e141749b003bddcb84aa755344271645364f19513eccceff398ed651bf4a9aac1ea241d

Download Submit
C:\Windows\System\gCazGMx.exe

Filesize
2.0MB

MD5
7b038de702c8b0dda4e74d960755ae2b

SHA1
f4a51544ac3060cbbef0f33702aa26efd13f65c1

SHA256
b1e69b1c43dea59b600f7d162bb917a1edb95cbd8fb7796a1176454342b04c2f

SHA512
0d9f16cfcacc9443c34c83f9d8570b3b372d5144a2a54873c95cc0bf4f3356a34bb2e4b89e53c093ea3306ba1cc9cce02683ebee662e2d00ea922b0561a93ab8

Download Submit
C:\Windows\System\gLGRQrS.exe

Filesize
2.0MB

MD5
3584192178c62a5ab23467085e190d87

SHA1
da33ddaa6b05133706a84d50d55f5e54147559fd

SHA256
481303659a3db989b83309474e03ecf76228351fa5c1457d31423ada8d379320

SHA512
2e6e761ee645d1ffa2560bedc2c9f4e01de8b8e301c97cf5ad36c2e81c85ac1c47bf425595a82f378a7de31d7effe1ea80e049f602d6854532a1713f57105067

Download Submit
C:\Windows\System\hJbSLhJ.exe

Filesize
896KB

MD5
d8061570a3d685a09a8726d2e2043dcd

SHA1
5784ed9099dd4b61b63fc8ab2f585fc9e4456099

SHA256
2858747fe15b825bca2004f1fb5434e70a8f8952f994cb7850f53fc69e794e72

SHA512
491823d9b7c3d0e919d65b711645bd0839fa6e3b7a404dd101f61c497b50d40cc12658380d09032bb5d5d2ac84e5d2791f8235e5d4c6f54ca1090b042d3a4b7a

Download Submit
C:\Windows\System\lHjoiBi.exe

Filesize
256KB

MD5
c852d0de044ecfdc8164664b8ea3dc6f

SHA1
cfc38798bcbec8419f442fddcbe34cb37971445d

SHA256
32715d7c1c8dcbb10f1add6b003e18def383412f1b6c48f4d9670b8e3ef1d0b7

SHA512
e03bd3ea4470974d8087b8d17ce90233e5a96284236038a869c3b63a693e9a7c9719f6671b6b5d0dbeb167dd4786cd1b7a4b214b02967aac04fad66c8195132f

Download Submit
C:\Windows\System\lHjoiBi.exe

Filesize
2.0MB

MD5
b2f74582f46404894a0f63d4c1e23d8d

SHA1
dbbe6d373dceba9892975efd308ce21d59eeeb3a

SHA256
e2a4b491ab4a491c8196e95e3080f76d2ea5ebb8501f4c77c42c367d4a00bb29

SHA512
fff1838653331a47e5b991b76f6473fb824d419d794f8ce09c9ff3fcb65a3877b222074747a8db35fd899ec9d3ba0df199fe1f27756183ea1f3455123bb931f2

Download Submit
C:\Windows\System\mvfMQBk.exe

Filesize
2.0MB

MD5
8c3fbec1fcf46a3fa08400b363b0be54

SHA1
50e8930d7ba830d550aab9380723027b7803d474

SHA256
ea80869c4d704548db6bf9796c110b7a08bf8b354749b044d025f4c8720680cd

SHA512
4445a64db82561ca8c8aa7bbf7257a16b56ec9833d283b77bc550c100dac913c4f322f24b7246514d02e538a3edea477671111e8de270ba5693ad10a8af08a1a

Download Submit
C:\Windows\System\qlXQUgl.exe

Filesize
2.0MB

MD5
96edfd5ccbd733a5e9cf4bda467c926b

SHA1
fc3021395510e240a7e862dda5c211c905e4c48d

SHA256
379401c1278b8eca224405da0924c501f74fb111b530004bb8d06bb4f970c3df

SHA512
18c2953a506a5bd7f8b59c33c0637893886f5585b019f5d9af7f2b9d1e74633b5b32523627716d0ccf2a39bc3df91cfd3e2f6844fb8cf9acbb57d8cf3f20a7d3

Download Submit
C:\Windows\System\sEHtplq.exe

Filesize
2.0MB

MD5
eba08625627604a20571f0849ba22836

SHA1
0ec5632f73846d71910f5acf5524c35bb2c050d3

SHA256
b4417d1819fc51c0330f70af736d0dc2f911ccb429ea6c76cfb1982f130284f2

SHA512
ef8feab9da0af34724b529d9bd28fc6051df3eb49025b465945df104ad22980d1df1f3b5d119ee3c42ba70e0eaccae6135a8cefd74a7e2e15e0f1c4bd6e52143

Download Submit
C:\Windows\System\tmsdgHG.exe

Filesize
2.0MB

MD5
28a24e03ff68c1e9f6fcc26fb31c480b

SHA1
c2e3138c42e93a05b71b0ced0cb4d3df6c57e60c

SHA256
15aedb958b0a06359e45f039d3097bf31befc156f52c08c38233c15441be1928

SHA512
8c518881219d8d62c5f42968d0721eddf085bce9955e53478465c57fd089ad90ef13497e36efb62ddaaec2a3be09ddfac0ef08c4370bbc525bde69062d500206

Download Submit
C:\Windows\System\tmsdgHG.exe

Filesize
512KB

MD5
6b5887af4274a78686a788865765637c

SHA1
5afc15e6fcbc11377bbabbda47ff43f6ebedd369

SHA256
ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006

SHA512
4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

Download Submit
C:\Windows\System\yWTZReV.exe

Filesize
2.0MB

MD5
240b8b0dec43587e8c04b84986d4494f

SHA1
772281a299be86787dcb9328b07eb829e0d2a016

SHA256
2ae62d5e2a244cd9fe43776079bafa1101cc22e2a5d1e37b5e41e3895e591999

SHA512
ec4d40d5e97868ab4b68cf5d34fa6a773d2be52cfcb769cb50610fc82b5b4c98a9517dee5d5e9f49934bd3f05bd2ade300dc752db76d5ee12ce8851bb9f178d2

Download Submit
C:\Windows\System\yWTZReV.exe

Filesize
128KB

MD5
7ce4ba1725e83a50f64ba525f8815dcf

SHA1
b1714a2d23cfc42c18c37e1546ac0908d8252c04

SHA256
9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908

SHA512
2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

Download Submit
C:\Windows\System\zMsQGzg.exe

Filesize
2.0MB

MD5
891f0445209f973830eac92fa76cf5b4

SHA1
98ac870ffab9ba70827d4e2e0c31b4ba3baf4402

SHA256
89756ec2d59849f9e0919976fbf2a143fd28e99b5b9b053944df6a94b25aee5d

SHA512
36a07ea40ca5f71173bb346dfbec591e87183d5eb489f003f8cb8094c1e9193275fcd19362c019e36758494e41ed134bf12b2c8d75157967d0dc80ea8ba1e4ca

Download Submit
memory/380-300-0x00007FF6428C0000-0x00007FF642C14000-memory.dmp

Filesize
3.3MB

Download
memory/896-268-0x00007FF6411F0000-0x00007FF641544000-memory.dmp

Filesize
3.3MB

Download
memory/960-307-0x00007FF733230000-0x00007FF733584000-memory.dmp

Filesize
3.3MB

Download
memory/1336-139-0x00007FF7014C0000-0x00007FF701814000-memory.dmp

Filesize
3.3MB

Download
memory/1692-12-0x00007FF684400000-0x00007FF684754000-memory.dmp

Filesize
3.3MB

Download
memory/1712-173-0x00007FF7D6110000-0x00007FF7D6464000-memory.dmp

Filesize
3.3MB

Download
memory/1820-128-0x00007FF6D9A90000-0x00007FF6D9DE4000-memory.dmp

Filesize
3.3MB

Download
memory/1828-215-0x00007FF7D6F10000-0x00007FF7D7264000-memory.dmp

Filesize
3.3MB

Download
memory/1968-37-0x00007FF7D2F70000-0x00007FF7D32C4000-memory.dmp

Filesize
3.3MB

Download
memory/2328-80-0x00007FF620FD0000-0x00007FF621324000-memory.dmp

Filesize
3.3MB

Download
memory/2372-219-0x00007FF60E130000-0x00007FF60E484000-memory.dmp

Filesize
3.3MB

Download
memory/2376-113-0x00007FF70CDC0000-0x00007FF70D114000-memory.dmp

Filesize
3.3MB

Download
memory/2412-247-0x00007FF7C90D0000-0x00007FF7C9424000-memory.dmp

Filesize
3.3MB

Download
memory/2660-110-0x00007FF68B290000-0x00007FF68B5E4000-memory.dmp

Filesize
3.3MB

Download
memory/2840-254-0x00007FF7052C0000-0x00007FF705614000-memory.dmp

Filesize
3.3MB

Download
memory/2844-233-0x00007FF66A500000-0x00007FF66A854000-memory.dmp

Filesize
3.3MB

Download
memory/2940-204-0x00007FF64DB20000-0x00007FF64DE74000-memory.dmp

Filesize
3.3MB

Download
memory/2964-226-0x00007FF615670000-0x00007FF6159C4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-286-0x00007FF6EB370000-0x00007FF6EB6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2992-322-0x00007FF7470F0000-0x00007FF747444000-memory.dmp

Filesize
3.3MB

Download
memory/3232-22-0x00007FF601410000-0x00007FF601764000-memory.dmp

Filesize
3.3MB

Download
memory/3352-61-0x00007FF662A30000-0x00007FF662D84000-memory.dmp

Filesize
3.3MB

Download
memory/3368-211-0x00007FF7E52E0000-0x00007FF7E5634000-memory.dmp

Filesize
3.3MB

Download
memory/3392-156-0x00007FF7F8AF0000-0x00007FF7F8E44000-memory.dmp

Filesize
3.3MB

Download
memory/3524-240-0x00007FF73EA60000-0x00007FF73EDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3608-190-0x00007FF6DA2E0000-0x00007FF6DA634000-memory.dmp

Filesize
3.3MB

Download
memory/3628-97-0x00007FF63EF60000-0x00007FF63F2B4000-memory.dmp

Filesize
3.3MB

Download
memory/3800-76-0x00007FF719190000-0x00007FF7194E4000-memory.dmp

Filesize
3.3MB

Download
memory/3844-261-0x00007FF6C6690000-0x00007FF6C69E4000-memory.dmp

Filesize
3.3MB

Download
memory/3944-60-0x00007FF70B470000-0x00007FF70B7C4000-memory.dmp

Filesize
3.3MB

Download
memory/3956-282-0x00007FF6087F0000-0x00007FF608B44000-memory.dmp

Filesize
3.3MB

Download
memory/4036-184-0x00007FF6CF6D0000-0x00007FF6CFA24000-memory.dmp

Filesize
3.3MB

Download
memory/4068-55-0x00007FF7ADD70000-0x00007FF7AE0C4000-memory.dmp

Filesize
3.3MB

Download
memory/4084-326-0x00007FF7A9140000-0x00007FF7A9494000-memory.dmp

Filesize
3.3MB

Download
memory/4216-68-0x00007FF660400000-0x00007FF660754000-memory.dmp

Filesize
3.3MB

Download
memory/4332-314-0x00007FF767550000-0x00007FF7678A4000-memory.dmp

Filesize
3.3MB

Download
memory/4372-293-0x00007FF674FC0000-0x00007FF675314000-memory.dmp

Filesize
3.3MB

Download
memory/4416-8-0x00007FF73D030000-0x00007FF73D384000-memory.dmp

Filesize
3.3MB

Download
memory/4500-197-0x00007FF707C00000-0x00007FF707F54000-memory.dmp

Filesize
3.3MB

Download
memory/4508-145-0x00007FF628F70000-0x00007FF6292C4000-memory.dmp

Filesize
3.3MB

Download
memory/4564-119-0x00007FF671DA0000-0x00007FF6720F4000-memory.dmp

Filesize
3.3MB

Download
memory/4588-34-0x00007FF7CE150000-0x00007FF7CE4A4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-275-0x00007FF64E420000-0x00007FF64E774000-memory.dmp

Filesize
3.3MB

Download
memory/4648-162-0x00007FF6FD9B0000-0x00007FF6FDD04000-memory.dmp

Filesize
3.3MB

Download
memory/4788-340-0x00007FF608E80000-0x00007FF6091D4000-memory.dmp

Filesize
3.3MB

Download
memory/4844-86-0x00007FF74F7D0000-0x00007FF74FB24000-memory.dmp

Filesize
3.3MB

Download
memory/4852-0-0x00007FF710000000-0x00007FF710354000-memory.dmp

Filesize
3.3MB

Download
memory/4852-1-0x000001CBCF070000-0x000001CBCF080000-memory.dmp

Filesize
64KB

Download
memory/4976-107-0x00007FF6FA680000-0x00007FF6FA9D4000-memory.dmp

Filesize
3.3MB

Download
memory/4988-318-0x00007FF7450F0000-0x00007FF745444000-memory.dmp

Filesize
3.3MB

Download
memory/4992-333-0x00007FF6007F0000-0x00007FF600B44000-memory.dmp

Filesize
3.3MB

Download
memory/5164-347-0x00007FF70A190000-0x00007FF70A4E4000-memory.dmp

Filesize
3.3MB

Download
memory/5340-354-0x00007FF734840000-0x00007FF734B94000-memory.dmp

Filesize
3.3MB

Download
memory/5400-361-0x00007FF7CA700000-0x00007FF7CAA54000-memory.dmp

Filesize
3.3MB

Download
memory/5460-365-0x00007FF60DA90000-0x00007FF60DDE4000-memory.dmp

Filesize
3.3MB

Download
memory/5524-372-0x00007FF7460F0000-0x00007FF746444000-memory.dmp

Filesize
3.3MB

Download
memory/5588-379-0x00007FF79E6E0000-0x00007FF79EA34000-memory.dmp

Filesize
3.3MB

Download
memory/5680-386-0x00007FF686790000-0x00007FF686AE4000-memory.dmp

Filesize
3.3MB

Download
memory/5740-393-0x00007FF78B420000-0x00007FF78B774000-memory.dmp

Filesize
3.3MB

Download
memory/5800-400-0x00007FF64B170000-0x00007FF64B4C4000-memory.dmp

Filesize
3.3MB

Download
memory/5860-407-0x00007FF6AA0D0000-0x00007FF6AA424000-memory.dmp

Filesize
3.3MB

Download
memory/5920-414-0x00007FF7746C0000-0x00007FF774A14000-memory.dmp

Filesize
3.3MB

Download
memory/5980-421-0x00007FF6D9880000-0x00007FF6D9BD4000-memory.dmp

Filesize
3.3MB

Download
memory/6040-425-0x00007FF6DF4C0000-0x00007FF6DF814000-memory.dmp

Filesize
3.3MB

Download
memory/6100-432-0x00007FF6965D0000-0x00007FF696924000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads