kpot | 495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 19:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
Size

2.1MB
MD5

956281e9290a1dfb5fbd23f08a990998
SHA1

5ca03fe733d63b9b555e6842875dc7797da687b9
SHA256

495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2
SHA512

58316adf3a465d12027d7fbcf8c45bccd1bf324a6139d672c587f7767128eed272cb5dca826fbe2a11f6d344513ce5767a2328eba540d320ed1e34a86a27a042
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIC5aIwC+Agr6StVEnmcKxY/O1X:BemTLkNdfE0pZrwM

Score

10^/10

kpot xmrig miner stealer trojan upx

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 45 IoCs

resource	yara_rule
behavioral2/files/0x000700000001e59e-5.dat	family_kpot
behavioral2/files/0x000700000001e59e-8.dat	family_kpot
behavioral2/files/0x0008000000023203-7.dat	family_kpot
behavioral2/files/0x0007000000023207-25.dat	family_kpot
behavioral2/files/0x000700000002322f-219.dat	family_kpot
behavioral2/files/0x0007000000023219-214.dat	family_kpot
behavioral2/files/0x0007000000023218-209.dat	family_kpot
behavioral2/files/0x000700000002322c-208.dat	family_kpot
behavioral2/files/0x000700000002322b-207.dat	family_kpot
behavioral2/files/0x0007000000023216-197.dat	family_kpot
behavioral2/files/0x000700000002322a-196.dat	family_kpot
behavioral2/files/0x0007000000023229-195.dat	family_kpot
behavioral2/files/0x0007000000023228-194.dat	family_kpot
behavioral2/files/0x0007000000023227-191.dat	family_kpot
behavioral2/files/0x0007000000023226-190.dat	family_kpot
behavioral2/files/0x0007000000023224-187.dat	family_kpot
behavioral2/files/0x000700000002320f-171.dat	family_kpot
behavioral2/files/0x0007000000023222-168.dat	family_kpot
behavioral2/files/0x000700000002320e-162.dat	family_kpot
behavioral2/files/0x000700000002322e-218.dat	family_kpot
behavioral2/files/0x0007000000023213-153.dat	family_kpot
behavioral2/files/0x0007000000023220-149.dat	family_kpot
behavioral2/files/0x000700000002322d-213.dat	family_kpot
behavioral2/files/0x000700000002321e-145.dat	family_kpot
behavioral2/files/0x0007000000023217-141.dat	family_kpot
behavioral2/files/0x000700000002321d-140.dat	family_kpot
behavioral2/files/0x000700000002321c-139.dat	family_kpot
behavioral2/files/0x0007000000023212-125.dat	family_kpot
behavioral2/files/0x0007000000023215-117.dat	family_kpot
behavioral2/files/0x000700000002321b-181.dat	family_kpot
behavioral2/files/0x0007000000023210-114.dat	family_kpot
behavioral2/files/0x0007000000023221-161.dat	family_kpot
behavioral2/files/0x0007000000023214-107.dat	family_kpot
behavioral2/files/0x000700000002321f-148.dat	family_kpot
behavioral2/files/0x000700000002320b-94.dat	family_kpot
behavioral2/files/0x000700000002320d-131.dat	family_kpot
behavioral2/files/0x000700000002321a-110.dat	family_kpot
behavioral2/files/0x000700000002320a-69.dat	family_kpot
behavioral2/files/0x0007000000023211-67.dat	family_kpot
behavioral2/files/0x000700000002320c-76.dat	family_kpot
behavioral2/files/0x0007000000023207-45.dat	family_kpot
behavioral2/files/0x0007000000023209-57.dat	family_kpot
behavioral2/files/0x0007000000023208-27.dat	family_kpot
behavioral2/files/0x0008000000023203-19.dat	family_kpot
behavioral2/files/0x0008000000023200-15.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/2576-0-0x00007FF769E30000-0x00007FF76A184000-memory.dmp	UPX
behavioral2/files/0x000700000001e59e-5.dat	UPX
behavioral2/files/0x000700000001e59e-8.dat	UPX
behavioral2/files/0x0008000000023203-7.dat	UPX
behavioral2/memory/4180-13-0x00007FF719C80000-0x00007FF719FD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023207-25.dat	UPX
behavioral2/memory/1644-617-0x00007FF6034D0000-0x00007FF603824000-memory.dmp	UPX
behavioral2/memory/1392-621-0x00007FF6B1E70000-0x00007FF6B21C4000-memory.dmp	UPX
behavioral2/memory/1748-625-0x00007FF6772B0000-0x00007FF677604000-memory.dmp	UPX
behavioral2/memory/1800-629-0x00007FF7DF3F0000-0x00007FF7DF744000-memory.dmp	UPX
behavioral2/memory/3644-691-0x00007FF7B3AA0000-0x00007FF7B3DF4000-memory.dmp	UPX
behavioral2/memory/3516-724-0x00007FF7B0CC0000-0x00007FF7B1014000-memory.dmp	UPX
behavioral2/memory/4036-876-0x00007FF600BE0000-0x00007FF600F34000-memory.dmp	UPX
behavioral2/memory/2452-916-0x00007FF60D9B0000-0x00007FF60DD04000-memory.dmp	UPX
behavioral2/memory/860-924-0x00007FF693280000-0x00007FF6935D4000-memory.dmp	UPX
behavioral2/memory/396-1013-0x00007FF6CD0E0000-0x00007FF6CD434000-memory.dmp	UPX
behavioral2/memory/1936-1019-0x00007FF6DDC70000-0x00007FF6DDFC4000-memory.dmp	UPX
behavioral2/memory/4628-1039-0x00007FF695390000-0x00007FF6956E4000-memory.dmp	UPX
behavioral2/memory/2400-1061-0x00007FF6986A0000-0x00007FF6989F4000-memory.dmp	UPX
behavioral2/memory/4980-1069-0x00007FF79CC00000-0x00007FF79CF54000-memory.dmp	UPX
behavioral2/memory/2580-1075-0x00007FF7DA820000-0x00007FF7DAB74000-memory.dmp	UPX
behavioral2/memory/2604-1078-0x00007FF697260000-0x00007FF6975B4000-memory.dmp	UPX
behavioral2/memory/1584-1081-0x00007FF67FBB0000-0x00007FF67FF04000-memory.dmp	UPX
behavioral2/memory/3912-1085-0x00007FF602D00000-0x00007FF603054000-memory.dmp	UPX
behavioral2/memory/2664-1088-0x00007FF7DA010000-0x00007FF7DA364000-memory.dmp	UPX
behavioral2/memory/2000-1092-0x00007FF663610000-0x00007FF663964000-memory.dmp	UPX
behavioral2/memory/440-1095-0x00007FF703080000-0x00007FF7033D4000-memory.dmp	UPX
behavioral2/memory/4432-1099-0x00007FF79CC70000-0x00007FF79CFC4000-memory.dmp	UPX
behavioral2/memory/2748-1102-0x00007FF64BC30000-0x00007FF64BF84000-memory.dmp	UPX
behavioral2/memory/2716-1103-0x00007FF7DBB70000-0x00007FF7DBEC4000-memory.dmp	UPX
behavioral2/memory/2280-1101-0x00007FF75EAB0000-0x00007FF75EE04000-memory.dmp	UPX
behavioral2/memory/952-1100-0x00007FF65A3A0000-0x00007FF65A6F4000-memory.dmp	UPX
behavioral2/memory/4156-1098-0x00007FF78E4B0000-0x00007FF78E804000-memory.dmp	UPX
behavioral2/memory/3460-1097-0x00007FF76AC00000-0x00007FF76AF54000-memory.dmp	UPX
behavioral2/memory/3036-1096-0x00007FF737920000-0x00007FF737C74000-memory.dmp	UPX
behavioral2/memory/4324-1094-0x00007FF788870000-0x00007FF788BC4000-memory.dmp	UPX
behavioral2/memory/4364-1093-0x00007FF63B6B0000-0x00007FF63BA04000-memory.dmp	UPX
behavioral2/memory/5024-1091-0x00007FF6927C0000-0x00007FF692B14000-memory.dmp	UPX
behavioral2/memory/4920-1090-0x00007FF6893F0000-0x00007FF689744000-memory.dmp	UPX
behavioral2/memory/2240-1089-0x00007FF79D210000-0x00007FF79D564000-memory.dmp	UPX
behavioral2/memory/4504-1087-0x00007FF7E6980000-0x00007FF7E6CD4000-memory.dmp	UPX
behavioral2/memory/4832-1086-0x00007FF7A06A0000-0x00007FF7A09F4000-memory.dmp	UPX
behavioral2/memory/4492-1084-0x00007FF7A4870000-0x00007FF7A4BC4000-memory.dmp	UPX
behavioral2/memory/1804-1083-0x00007FF709B70000-0x00007FF709EC4000-memory.dmp	UPX
behavioral2/memory/5080-1082-0x00007FF74F590000-0x00007FF74F8E4000-memory.dmp	UPX
behavioral2/memory/3732-1080-0x00007FF7B1710000-0x00007FF7B1A64000-memory.dmp	UPX
behavioral2/memory/4304-1079-0x00007FF7D82B0000-0x00007FF7D8604000-memory.dmp	UPX
behavioral2/memory/740-1077-0x00007FF7284B0000-0x00007FF728804000-memory.dmp	UPX
behavioral2/memory/2072-1072-0x00007FF6E90F0000-0x00007FF6E9444000-memory.dmp	UPX
behavioral2/memory/3468-628-0x00007FF79DE90000-0x00007FF79E1E4000-memory.dmp	UPX
behavioral2/memory/1044-627-0x00007FF601160000-0x00007FF6014B4000-memory.dmp	UPX
behavioral2/memory/3964-626-0x00007FF72B1C0000-0x00007FF72B514000-memory.dmp	UPX
behavioral2/memory/2700-624-0x00007FF7AA4F0000-0x00007FF7AA844000-memory.dmp	UPX
behavioral2/memory/4792-623-0x00007FF774EC0000-0x00007FF775214000-memory.dmp	UPX
behavioral2/memory/1204-622-0x00007FF777EB0000-0x00007FF778204000-memory.dmp	UPX
behavioral2/memory/4480-620-0x00007FF6221B0000-0x00007FF622504000-memory.dmp	UPX
behavioral2/memory/4544-619-0x00007FF7DFB20000-0x00007FF7DFE74000-memory.dmp	UPX
behavioral2/memory/3116-618-0x00007FF7C7910000-0x00007FF7C7C64000-memory.dmp	UPX
behavioral2/memory/4104-611-0x00007FF7A0340000-0x00007FF7A0694000-memory.dmp	UPX
behavioral2/memory/4404-423-0x00007FF7B44C0000-0x00007FF7B4814000-memory.dmp	UPX
behavioral2/memory/2012-310-0x00007FF6F4820000-0x00007FF6F4B74000-memory.dmp	UPX
behavioral2/files/0x000700000002322f-219.dat	UPX
behavioral2/files/0x0007000000023219-214.dat	UPX
behavioral2/files/0x0007000000023218-209.dat	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2576-0-0x00007FF769E30000-0x00007FF76A184000-memory.dmp	xmrig
behavioral2/files/0x000700000001e59e-5.dat	xmrig
behavioral2/files/0x000700000001e59e-8.dat	xmrig
behavioral2/files/0x0008000000023203-7.dat	xmrig
behavioral2/memory/4180-13-0x00007FF719C80000-0x00007FF719FD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023207-25.dat	xmrig
behavioral2/memory/1644-617-0x00007FF6034D0000-0x00007FF603824000-memory.dmp	xmrig
behavioral2/memory/1392-621-0x00007FF6B1E70000-0x00007FF6B21C4000-memory.dmp	xmrig
behavioral2/memory/1748-625-0x00007FF6772B0000-0x00007FF677604000-memory.dmp	xmrig
behavioral2/memory/1800-629-0x00007FF7DF3F0000-0x00007FF7DF744000-memory.dmp	xmrig
behavioral2/memory/3644-691-0x00007FF7B3AA0000-0x00007FF7B3DF4000-memory.dmp	xmrig
behavioral2/memory/3516-724-0x00007FF7B0CC0000-0x00007FF7B1014000-memory.dmp	xmrig
behavioral2/memory/4036-876-0x00007FF600BE0000-0x00007FF600F34000-memory.dmp	xmrig
behavioral2/memory/2452-916-0x00007FF60D9B0000-0x00007FF60DD04000-memory.dmp	xmrig
behavioral2/memory/860-924-0x00007FF693280000-0x00007FF6935D4000-memory.dmp	xmrig
behavioral2/memory/396-1013-0x00007FF6CD0E0000-0x00007FF6CD434000-memory.dmp	xmrig
behavioral2/memory/1936-1019-0x00007FF6DDC70000-0x00007FF6DDFC4000-memory.dmp	xmrig
behavioral2/memory/4628-1039-0x00007FF695390000-0x00007FF6956E4000-memory.dmp	xmrig
behavioral2/memory/2400-1061-0x00007FF6986A0000-0x00007FF6989F4000-memory.dmp	xmrig
behavioral2/memory/4980-1069-0x00007FF79CC00000-0x00007FF79CF54000-memory.dmp	xmrig
behavioral2/memory/2580-1075-0x00007FF7DA820000-0x00007FF7DAB74000-memory.dmp	xmrig
behavioral2/memory/2604-1078-0x00007FF697260000-0x00007FF6975B4000-memory.dmp	xmrig
behavioral2/memory/1584-1081-0x00007FF67FBB0000-0x00007FF67FF04000-memory.dmp	xmrig
behavioral2/memory/3912-1085-0x00007FF602D00000-0x00007FF603054000-memory.dmp	xmrig
behavioral2/memory/2664-1088-0x00007FF7DA010000-0x00007FF7DA364000-memory.dmp	xmrig
behavioral2/memory/2000-1092-0x00007FF663610000-0x00007FF663964000-memory.dmp	xmrig
behavioral2/memory/440-1095-0x00007FF703080000-0x00007FF7033D4000-memory.dmp	xmrig
behavioral2/memory/4432-1099-0x00007FF79CC70000-0x00007FF79CFC4000-memory.dmp	xmrig
behavioral2/memory/2748-1102-0x00007FF64BC30000-0x00007FF64BF84000-memory.dmp	xmrig
behavioral2/memory/2716-1103-0x00007FF7DBB70000-0x00007FF7DBEC4000-memory.dmp	xmrig
behavioral2/memory/2280-1101-0x00007FF75EAB0000-0x00007FF75EE04000-memory.dmp	xmrig
behavioral2/memory/952-1100-0x00007FF65A3A0000-0x00007FF65A6F4000-memory.dmp	xmrig
behavioral2/memory/4156-1098-0x00007FF78E4B0000-0x00007FF78E804000-memory.dmp	xmrig
behavioral2/memory/3460-1097-0x00007FF76AC00000-0x00007FF76AF54000-memory.dmp	xmrig
behavioral2/memory/3036-1096-0x00007FF737920000-0x00007FF737C74000-memory.dmp	xmrig
behavioral2/memory/4324-1094-0x00007FF788870000-0x00007FF788BC4000-memory.dmp	xmrig
behavioral2/memory/4364-1093-0x00007FF63B6B0000-0x00007FF63BA04000-memory.dmp	xmrig
behavioral2/memory/5024-1091-0x00007FF6927C0000-0x00007FF692B14000-memory.dmp	xmrig
behavioral2/memory/4920-1090-0x00007FF6893F0000-0x00007FF689744000-memory.dmp	xmrig
behavioral2/memory/2240-1089-0x00007FF79D210000-0x00007FF79D564000-memory.dmp	xmrig
behavioral2/memory/4504-1087-0x00007FF7E6980000-0x00007FF7E6CD4000-memory.dmp	xmrig
behavioral2/memory/4832-1086-0x00007FF7A06A0000-0x00007FF7A09F4000-memory.dmp	xmrig
behavioral2/memory/4492-1084-0x00007FF7A4870000-0x00007FF7A4BC4000-memory.dmp	xmrig
behavioral2/memory/1804-1083-0x00007FF709B70000-0x00007FF709EC4000-memory.dmp	xmrig
behavioral2/memory/5080-1082-0x00007FF74F590000-0x00007FF74F8E4000-memory.dmp	xmrig
behavioral2/memory/3732-1080-0x00007FF7B1710000-0x00007FF7B1A64000-memory.dmp	xmrig
behavioral2/memory/4304-1079-0x00007FF7D82B0000-0x00007FF7D8604000-memory.dmp	xmrig
behavioral2/memory/740-1077-0x00007FF7284B0000-0x00007FF728804000-memory.dmp	xmrig
behavioral2/memory/2072-1072-0x00007FF6E90F0000-0x00007FF6E9444000-memory.dmp	xmrig
behavioral2/memory/3468-628-0x00007FF79DE90000-0x00007FF79E1E4000-memory.dmp	xmrig
behavioral2/memory/1044-627-0x00007FF601160000-0x00007FF6014B4000-memory.dmp	xmrig
behavioral2/memory/3964-626-0x00007FF72B1C0000-0x00007FF72B514000-memory.dmp	xmrig
behavioral2/memory/2700-624-0x00007FF7AA4F0000-0x00007FF7AA844000-memory.dmp	xmrig
behavioral2/memory/4792-623-0x00007FF774EC0000-0x00007FF775214000-memory.dmp	xmrig
behavioral2/memory/1204-622-0x00007FF777EB0000-0x00007FF778204000-memory.dmp	xmrig
behavioral2/memory/4480-620-0x00007FF6221B0000-0x00007FF622504000-memory.dmp	xmrig
behavioral2/memory/4544-619-0x00007FF7DFB20000-0x00007FF7DFE74000-memory.dmp	xmrig
behavioral2/memory/3116-618-0x00007FF7C7910000-0x00007FF7C7C64000-memory.dmp	xmrig
behavioral2/memory/4104-611-0x00007FF7A0340000-0x00007FF7A0694000-memory.dmp	xmrig
behavioral2/memory/4404-423-0x00007FF7B44C0000-0x00007FF7B4814000-memory.dmp	xmrig
behavioral2/memory/2012-310-0x00007FF6F4820000-0x00007FF6F4B74000-memory.dmp	xmrig
behavioral2/files/0x000700000002322f-219.dat	xmrig
behavioral2/files/0x0007000000023219-214.dat	xmrig
behavioral2/files/0x0007000000023218-209.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4180	xiKJrVd.exe
5036	boQEwVp.exe
1928	HgOGbyO.exe
2936	Ikyadff.exe
436	QemnBLX.exe
4816	ZzPvSRz.exe
1964	JHiYHpZ.exe
4440	ogWCTBG.exe
4940	PinlVAN.exe
980	yRGucpS.exe
3100	ihheDIN.exe
5040	EIMiJRd.exe
3508	lRurxxp.exe
2012	lEUZRLv.exe
4404	yUGudjK.exe
4104	rzFwdOG.exe
1644	vknzNFw.exe
3116	ZowcIoi.exe
4544	ASXSdXr.exe
4480	KzFFRzg.exe
1392	pBohFyZ.exe
2540	PfCCvVf.exe
1204	ZgswMNc.exe
4792	ulUXzKQ.exe
2700	ANQXDrP.exe
1748	PWsTkkn.exe
3964	gIxGXLC.exe
1044	LcqsIyG.exe
3468	fuFbnKp.exe
544	NUIYkoU.exe
1800	YgNbZNC.exe
3644	fhYKwep.exe
3516	QdnEfmc.exe
4036	ixPTsFe.exe
2452	RrMUtos.exe
860	jXhYwnd.exe
396	yGDyhXG.exe
1936	wTJgwoa.exe
4628	IlDWdQo.exe
2400	FlUkRHi.exe
4980	uZcvWuS.exe
2072	OPmpFel.exe
2580	UkLLCau.exe
1576	TgPykah.exe
740	bAYgTqu.exe
2604	KjOHjIm.exe
4304	bpFptFb.exe
3732	InHxkvc.exe
1584	kemrOZd.exe
5080	JgGbkgJ.exe
1804	KkASWEq.exe
4492	sezXhGf.exe
3912	tIQSsmv.exe
4832	PTOHnqh.exe
4504	HabXAyk.exe
2664	uyTLzTD.exe
2240	EyumyQc.exe
4920	SHvmGeX.exe
5024	fbLrNBq.exe
2000	PHiVaNf.exe
4364	PYxKPsN.exe
4324	tXqMNkf.exe
440	RTwCjri.exe
3036	iweQLso.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2576-0-0x00007FF769E30000-0x00007FF76A184000-memory.dmp	upx
behavioral2/files/0x000700000001e59e-5.dat	upx
behavioral2/files/0x000700000001e59e-8.dat	upx
behavioral2/files/0x0008000000023203-7.dat	upx
behavioral2/memory/4180-13-0x00007FF719C80000-0x00007FF719FD4000-memory.dmp	upx
behavioral2/files/0x0007000000023207-25.dat	upx
behavioral2/memory/1644-617-0x00007FF6034D0000-0x00007FF603824000-memory.dmp	upx
behavioral2/memory/1392-621-0x00007FF6B1E70000-0x00007FF6B21C4000-memory.dmp	upx
behavioral2/memory/1748-625-0x00007FF6772B0000-0x00007FF677604000-memory.dmp	upx
behavioral2/memory/1800-629-0x00007FF7DF3F0000-0x00007FF7DF744000-memory.dmp	upx
behavioral2/memory/3644-691-0x00007FF7B3AA0000-0x00007FF7B3DF4000-memory.dmp	upx
behavioral2/memory/3516-724-0x00007FF7B0CC0000-0x00007FF7B1014000-memory.dmp	upx
behavioral2/memory/4036-876-0x00007FF600BE0000-0x00007FF600F34000-memory.dmp	upx
behavioral2/memory/2452-916-0x00007FF60D9B0000-0x00007FF60DD04000-memory.dmp	upx
behavioral2/memory/860-924-0x00007FF693280000-0x00007FF6935D4000-memory.dmp	upx
behavioral2/memory/396-1013-0x00007FF6CD0E0000-0x00007FF6CD434000-memory.dmp	upx
behavioral2/memory/1936-1019-0x00007FF6DDC70000-0x00007FF6DDFC4000-memory.dmp	upx
behavioral2/memory/4628-1039-0x00007FF695390000-0x00007FF6956E4000-memory.dmp	upx
behavioral2/memory/2400-1061-0x00007FF6986A0000-0x00007FF6989F4000-memory.dmp	upx
behavioral2/memory/4980-1069-0x00007FF79CC00000-0x00007FF79CF54000-memory.dmp	upx
behavioral2/memory/2580-1075-0x00007FF7DA820000-0x00007FF7DAB74000-memory.dmp	upx
behavioral2/memory/2604-1078-0x00007FF697260000-0x00007FF6975B4000-memory.dmp	upx
behavioral2/memory/1584-1081-0x00007FF67FBB0000-0x00007FF67FF04000-memory.dmp	upx
behavioral2/memory/3912-1085-0x00007FF602D00000-0x00007FF603054000-memory.dmp	upx
behavioral2/memory/2664-1088-0x00007FF7DA010000-0x00007FF7DA364000-memory.dmp	upx
behavioral2/memory/2000-1092-0x00007FF663610000-0x00007FF663964000-memory.dmp	upx
behavioral2/memory/440-1095-0x00007FF703080000-0x00007FF7033D4000-memory.dmp	upx
behavioral2/memory/4432-1099-0x00007FF79CC70000-0x00007FF79CFC4000-memory.dmp	upx
behavioral2/memory/2748-1102-0x00007FF64BC30000-0x00007FF64BF84000-memory.dmp	upx
behavioral2/memory/2716-1103-0x00007FF7DBB70000-0x00007FF7DBEC4000-memory.dmp	upx
behavioral2/memory/2280-1101-0x00007FF75EAB0000-0x00007FF75EE04000-memory.dmp	upx
behavioral2/memory/952-1100-0x00007FF65A3A0000-0x00007FF65A6F4000-memory.dmp	upx
behavioral2/memory/4156-1098-0x00007FF78E4B0000-0x00007FF78E804000-memory.dmp	upx
behavioral2/memory/3460-1097-0x00007FF76AC00000-0x00007FF76AF54000-memory.dmp	upx
behavioral2/memory/3036-1096-0x00007FF737920000-0x00007FF737C74000-memory.dmp	upx
behavioral2/memory/4324-1094-0x00007FF788870000-0x00007FF788BC4000-memory.dmp	upx
behavioral2/memory/4364-1093-0x00007FF63B6B0000-0x00007FF63BA04000-memory.dmp	upx
behavioral2/memory/5024-1091-0x00007FF6927C0000-0x00007FF692B14000-memory.dmp	upx
behavioral2/memory/4920-1090-0x00007FF6893F0000-0x00007FF689744000-memory.dmp	upx
behavioral2/memory/2240-1089-0x00007FF79D210000-0x00007FF79D564000-memory.dmp	upx
behavioral2/memory/4504-1087-0x00007FF7E6980000-0x00007FF7E6CD4000-memory.dmp	upx
behavioral2/memory/4832-1086-0x00007FF7A06A0000-0x00007FF7A09F4000-memory.dmp	upx
behavioral2/memory/4492-1084-0x00007FF7A4870000-0x00007FF7A4BC4000-memory.dmp	upx
behavioral2/memory/1804-1083-0x00007FF709B70000-0x00007FF709EC4000-memory.dmp	upx
behavioral2/memory/5080-1082-0x00007FF74F590000-0x00007FF74F8E4000-memory.dmp	upx
behavioral2/memory/3732-1080-0x00007FF7B1710000-0x00007FF7B1A64000-memory.dmp	upx
behavioral2/memory/4304-1079-0x00007FF7D82B0000-0x00007FF7D8604000-memory.dmp	upx
behavioral2/memory/740-1077-0x00007FF7284B0000-0x00007FF728804000-memory.dmp	upx
behavioral2/memory/2072-1072-0x00007FF6E90F0000-0x00007FF6E9444000-memory.dmp	upx
behavioral2/memory/3468-628-0x00007FF79DE90000-0x00007FF79E1E4000-memory.dmp	upx
behavioral2/memory/1044-627-0x00007FF601160000-0x00007FF6014B4000-memory.dmp	upx
behavioral2/memory/3964-626-0x00007FF72B1C0000-0x00007FF72B514000-memory.dmp	upx
behavioral2/memory/2700-624-0x00007FF7AA4F0000-0x00007FF7AA844000-memory.dmp	upx
behavioral2/memory/4792-623-0x00007FF774EC0000-0x00007FF775214000-memory.dmp	upx
behavioral2/memory/1204-622-0x00007FF777EB0000-0x00007FF778204000-memory.dmp	upx
behavioral2/memory/4480-620-0x00007FF6221B0000-0x00007FF622504000-memory.dmp	upx
behavioral2/memory/4544-619-0x00007FF7DFB20000-0x00007FF7DFE74000-memory.dmp	upx
behavioral2/memory/3116-618-0x00007FF7C7910000-0x00007FF7C7C64000-memory.dmp	upx
behavioral2/memory/4104-611-0x00007FF7A0340000-0x00007FF7A0694000-memory.dmp	upx
behavioral2/memory/4404-423-0x00007FF7B44C0000-0x00007FF7B4814000-memory.dmp	upx
behavioral2/memory/2012-310-0x00007FF6F4820000-0x00007FF6F4B74000-memory.dmp	upx
behavioral2/files/0x000700000002322f-219.dat	upx
behavioral2/files/0x0007000000023219-214.dat	upx
behavioral2/files/0x0007000000023218-209.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\GubQrNb.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\KdBdRSK.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\jCYHEeY.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\yUGudjK.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\rdxuKzG.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\UAbcbBW.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\wqgcPrw.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\YJozePR.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\ZaGFGsA.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\uKTIJqE.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\fejsKed.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\ebGkisN.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\xTbOHOZ.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\jVIsJVT.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\uyTLzTD.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\bgUqIXs.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\TjJOvVT.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\eNxcnpd.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\yGDyhXG.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\VnzuSNp.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\fehrxul.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\hzckvuT.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\RrolXzY.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\hUSeASn.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\ObLTpul.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\kqskxYb.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\TpAMfrf.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\UpQjUTn.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\QdnEfmc.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\EyumyQc.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\hmRgQUq.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\yYhhyXx.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\WewMCxC.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\VZSVfiW.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\TdDSuOj.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\FSwkVYo.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\dUaponm.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\yRGucpS.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\KkASWEq.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\PHiVaNf.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\rUnYtoF.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\KCdWhJa.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\fLeltnO.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\SVlWVwA.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\KzFFRzg.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\wTJgwoa.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\xsTtRRm.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\lMYUyyd.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\kQwJFMj.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\lMIPtTp.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\vmDibEU.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\imZnzlR.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\GkLFdVc.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\mbpdsgR.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\Ikyadff.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\GbILYjz.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\svrbeYC.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\krTHDbl.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\cvkVnlZ.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\GSkbuZa.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\WTZwrWb.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\tmPDkkf.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\VFntyso.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
File created	C:\Windows\System\FvOYXSJ.exe	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
Token: SeLockMemoryPrivilege	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
Token: SeCreateGlobalPrivilege	9188	dwm.exe
Token: SeChangeNotifyPrivilege	9188	dwm.exe
Token: 33	9188	dwm.exe
Token: SeIncBasePriorityPrivilege	9188	dwm.exe
Token: SeCreateGlobalPrivilege	3180	dwm.exe
Token: SeChangeNotifyPrivilege	3180	dwm.exe
Token: 33	3180	dwm.exe
Token: SeIncBasePriorityPrivilege	3180	dwm.exe
Token: SeCreateGlobalPrivilege	2192	dwm.exe
Token: SeChangeNotifyPrivilege	2192	dwm.exe
Token: 33	2192	dwm.exe
Token: SeIncBasePriorityPrivilege	2192	dwm.exe
Token: SeShutdownPrivilege	2192	dwm.exe
Token: SeCreatePagefilePrivilege	2192	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 4180	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	91
PID 2576 wrote to memory of 4180	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	91
PID 2576 wrote to memory of 5036	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	92
PID 2576 wrote to memory of 5036	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	92
PID 2576 wrote to memory of 1928	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	93
PID 2576 wrote to memory of 1928	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	93
PID 2576 wrote to memory of 2936	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	94
PID 2576 wrote to memory of 2936	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	94
PID 2576 wrote to memory of 436	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	95
PID 2576 wrote to memory of 436	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	95
PID 2576 wrote to memory of 4816	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	96
PID 2576 wrote to memory of 4816	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	96
PID 2576 wrote to memory of 1964	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	97
PID 2576 wrote to memory of 1964	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	97
PID 2576 wrote to memory of 4440	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	98
PID 2576 wrote to memory of 4440	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	98
PID 2576 wrote to memory of 4940	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	99
PID 2576 wrote to memory of 4940	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	99
PID 2576 wrote to memory of 980	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	100
PID 2576 wrote to memory of 980	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	100
PID 2576 wrote to memory of 1644	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	101
PID 2576 wrote to memory of 1644	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	101
PID 2576 wrote to memory of 3100	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	102
PID 2576 wrote to memory of 3100	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	102
PID 2576 wrote to memory of 5040	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	103
PID 2576 wrote to memory of 5040	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	103
PID 2576 wrote to memory of 3508	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	104
PID 2576 wrote to memory of 3508	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	104
PID 2576 wrote to memory of 2012	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	105
PID 2576 wrote to memory of 2012	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	105
PID 2576 wrote to memory of 4404	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	106
PID 2576 wrote to memory of 4404	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	106
PID 2576 wrote to memory of 4104	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	107
PID 2576 wrote to memory of 4104	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	107
PID 2576 wrote to memory of 3116	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	108
PID 2576 wrote to memory of 3116	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	108
PID 2576 wrote to memory of 4544	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	109
PID 2576 wrote to memory of 4544	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	109
PID 2576 wrote to memory of 4480	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	110
PID 2576 wrote to memory of 4480	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	110
PID 2576 wrote to memory of 1392	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	111
PID 2576 wrote to memory of 1392	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	111
PID 2576 wrote to memory of 2540	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	112
PID 2576 wrote to memory of 2540	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	112
PID 2576 wrote to memory of 1204	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	113
PID 2576 wrote to memory of 1204	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	113
PID 2576 wrote to memory of 4792	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	114
PID 2576 wrote to memory of 4792	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	114
PID 2576 wrote to memory of 2700	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	115
PID 2576 wrote to memory of 2700	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	115
PID 2576 wrote to memory of 1748	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	116
PID 2576 wrote to memory of 1748	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	116
PID 2576 wrote to memory of 3964	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	117
PID 2576 wrote to memory of 3964	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	117
PID 2576 wrote to memory of 1044	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	118
PID 2576 wrote to memory of 1044	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	118
PID 2576 wrote to memory of 3468	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	119
PID 2576 wrote to memory of 3468	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	119
PID 2576 wrote to memory of 544	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	120
PID 2576 wrote to memory of 544	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	120
PID 2576 wrote to memory of 1800	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	121
PID 2576 wrote to memory of 1800	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	121
PID 2576 wrote to memory of 3912	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	122
PID 2576 wrote to memory of 3912	2576	495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe	122

C:\Users\Admin\AppData\Local\Temp\495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe
"C:\Users\Admin\AppData\Local\Temp\495a52d260ef2dd1722626b06bdd923c4b79246fcd53f8c3c7d59585ae1f9cb2.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\System\xiKJrVd.exe
  C:\Windows\System\xiKJrVd.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\boQEwVp.exe
  C:\Windows\System\boQEwVp.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\HgOGbyO.exe
  C:\Windows\System\HgOGbyO.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\Ikyadff.exe
  C:\Windows\System\Ikyadff.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\QemnBLX.exe
  C:\Windows\System\QemnBLX.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\ZzPvSRz.exe
  C:\Windows\System\ZzPvSRz.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\JHiYHpZ.exe
  C:\Windows\System\JHiYHpZ.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\ogWCTBG.exe
  C:\Windows\System\ogWCTBG.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\PinlVAN.exe
  C:\Windows\System\PinlVAN.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\yRGucpS.exe
  C:\Windows\System\yRGucpS.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System\vknzNFw.exe
  C:\Windows\System\vknzNFw.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\ihheDIN.exe
  C:\Windows\System\ihheDIN.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\EIMiJRd.exe
  C:\Windows\System\EIMiJRd.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\lRurxxp.exe
  C:\Windows\System\lRurxxp.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\lEUZRLv.exe
  C:\Windows\System\lEUZRLv.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\yUGudjK.exe
  C:\Windows\System\yUGudjK.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\rzFwdOG.exe
  C:\Windows\System\rzFwdOG.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\ZowcIoi.exe
  C:\Windows\System\ZowcIoi.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\ASXSdXr.exe
  C:\Windows\System\ASXSdXr.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\KzFFRzg.exe
  C:\Windows\System\KzFFRzg.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\pBohFyZ.exe
  C:\Windows\System\pBohFyZ.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\PfCCvVf.exe
  C:\Windows\System\PfCCvVf.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\ZgswMNc.exe
  C:\Windows\System\ZgswMNc.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\ulUXzKQ.exe
  C:\Windows\System\ulUXzKQ.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\ANQXDrP.exe
  C:\Windows\System\ANQXDrP.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\PWsTkkn.exe
  C:\Windows\System\PWsTkkn.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\gIxGXLC.exe
  C:\Windows\System\gIxGXLC.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\LcqsIyG.exe
  C:\Windows\System\LcqsIyG.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\fuFbnKp.exe
  C:\Windows\System\fuFbnKp.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\NUIYkoU.exe
  C:\Windows\System\NUIYkoU.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\YgNbZNC.exe
  C:\Windows\System\YgNbZNC.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\tIQSsmv.exe
  C:\Windows\System\tIQSsmv.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\fhYKwep.exe
  C:\Windows\System\fhYKwep.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\HabXAyk.exe
  C:\Windows\System\HabXAyk.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\QdnEfmc.exe
  C:\Windows\System\QdnEfmc.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\ixPTsFe.exe
  C:\Windows\System\ixPTsFe.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\RrMUtos.exe
  C:\Windows\System\RrMUtos.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\jXhYwnd.exe
  C:\Windows\System\jXhYwnd.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\yGDyhXG.exe
  C:\Windows\System\yGDyhXG.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\wTJgwoa.exe
  C:\Windows\System\wTJgwoa.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\IlDWdQo.exe
  C:\Windows\System\IlDWdQo.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\FlUkRHi.exe
  C:\Windows\System\FlUkRHi.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\uZcvWuS.exe
  C:\Windows\System\uZcvWuS.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\OPmpFel.exe
  C:\Windows\System\OPmpFel.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\UkLLCau.exe
  C:\Windows\System\UkLLCau.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\TgPykah.exe
  C:\Windows\System\TgPykah.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\bAYgTqu.exe
  C:\Windows\System\bAYgTqu.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\KjOHjIm.exe
  C:\Windows\System\KjOHjIm.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\bpFptFb.exe
  C:\Windows\System\bpFptFb.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\InHxkvc.exe
  C:\Windows\System\InHxkvc.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\kemrOZd.exe
  C:\Windows\System\kemrOZd.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\JgGbkgJ.exe
  C:\Windows\System\JgGbkgJ.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\KkASWEq.exe
  C:\Windows\System\KkASWEq.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\sezXhGf.exe
  C:\Windows\System\sezXhGf.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\PTOHnqh.exe
  C:\Windows\System\PTOHnqh.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\uyTLzTD.exe
  C:\Windows\System\uyTLzTD.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\EyumyQc.exe
  C:\Windows\System\EyumyQc.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\SHvmGeX.exe
  C:\Windows\System\SHvmGeX.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\fbLrNBq.exe
  C:\Windows\System\fbLrNBq.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\PHiVaNf.exe
  C:\Windows\System\PHiVaNf.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\PYxKPsN.exe
  C:\Windows\System\PYxKPsN.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\tXqMNkf.exe
  C:\Windows\System\tXqMNkf.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\RTwCjri.exe
  C:\Windows\System\RTwCjri.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\iweQLso.exe
  C:\Windows\System\iweQLso.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\XvrNgJU.exe
  C:\Windows\System\XvrNgJU.exe
  2⤵
  PID:3460
- C:\Windows\System\rpIKMAp.exe
  C:\Windows\System\rpIKMAp.exe
  2⤵
  PID:4156
- C:\Windows\System\vBGqYuJ.exe
  C:\Windows\System\vBGqYuJ.exe
  2⤵
  PID:2628
- C:\Windows\System\vmDibEU.exe
  C:\Windows\System\vmDibEU.exe
  2⤵
  PID:1612
- C:\Windows\System\tmPDkkf.exe
  C:\Windows\System\tmPDkkf.exe
  2⤵
  PID:4432
- C:\Windows\System\MOBGOIj.exe
  C:\Windows\System\MOBGOIj.exe
  2⤵
  PID:952
- C:\Windows\System\BnRgMuW.exe
  C:\Windows\System\BnRgMuW.exe
  2⤵
  PID:2280
- C:\Windows\System\uYAAapD.exe
  C:\Windows\System\uYAAapD.exe
  2⤵
  PID:2748
- C:\Windows\System\sAxptXG.exe
  C:\Windows\System\sAxptXG.exe
  2⤵
  PID:2716
- C:\Windows\System\xsBYvzf.exe
  C:\Windows\System\xsBYvzf.exe
  2⤵
  PID:3208
- C:\Windows\System\ccXHHPt.exe
  C:\Windows\System\ccXHHPt.exe
  2⤵
  PID:4032
- C:\Windows\System\hqwAGQG.exe
  C:\Windows\System\hqwAGQG.exe
  2⤵
  PID:4612
- C:\Windows\System\ESlQTPW.exe
  C:\Windows\System\ESlQTPW.exe
  2⤵
  PID:3324
- C:\Windows\System\hzckvuT.exe
  C:\Windows\System\hzckvuT.exe
  2⤵
  PID:3020
- C:\Windows\System\imZnzlR.exe
  C:\Windows\System\imZnzlR.exe
  2⤵
  PID:2572
- C:\Windows\System\rdxuKzG.exe
  C:\Windows\System\rdxuKzG.exe
  2⤵
  PID:856
- C:\Windows\System\BNVPLYo.exe
  C:\Windows\System\BNVPLYo.exe
  2⤵
  PID:5068
- C:\Windows\System\dzMHFVi.exe
  C:\Windows\System\dzMHFVi.exe
  2⤵
  PID:2660
- C:\Windows\System\qnhmCak.exe
  C:\Windows\System\qnhmCak.exe
  2⤵
  PID:5136
- C:\Windows\System\cijtRFb.exe
  C:\Windows\System\cijtRFb.exe
  2⤵
  PID:5156
- C:\Windows\System\QLYFbXv.exe
  C:\Windows\System\QLYFbXv.exe
  2⤵
  PID:5176
- C:\Windows\System\iDkcEbP.exe
  C:\Windows\System\iDkcEbP.exe
  2⤵
  PID:5196
- C:\Windows\System\CxbgHOh.exe
  C:\Windows\System\CxbgHOh.exe
  2⤵
  PID:5212
- C:\Windows\System\lMZbLAd.exe
  C:\Windows\System\lMZbLAd.exe
  2⤵
  PID:5228
- C:\Windows\System\aoOuwyy.exe
  C:\Windows\System\aoOuwyy.exe
  2⤵
  PID:5256
- C:\Windows\System\YJozePR.exe
  C:\Windows\System\YJozePR.exe
  2⤵
  PID:5280
- C:\Windows\System\KMSkzXQ.exe
  C:\Windows\System\KMSkzXQ.exe
  2⤵
  PID:5300
- C:\Windows\System\jDVqQio.exe
  C:\Windows\System\jDVqQio.exe
  2⤵
  PID:5316
- C:\Windows\System\vnCyKlC.exe
  C:\Windows\System\vnCyKlC.exe
  2⤵
  PID:5332
- C:\Windows\System\qQGEARv.exe
  C:\Windows\System\qQGEARv.exe
  2⤵
  PID:5348
- C:\Windows\System\pylzPPc.exe
  C:\Windows\System\pylzPPc.exe
  2⤵
  PID:5376
- C:\Windows\System\JqyyVmP.exe
  C:\Windows\System\JqyyVmP.exe
  2⤵
  PID:5392
- C:\Windows\System\bJVSQBK.exe
  C:\Windows\System\bJVSQBK.exe
  2⤵
  PID:5408
- C:\Windows\System\uWNtQGa.exe
  C:\Windows\System\uWNtQGa.exe
  2⤵
  PID:5432
- C:\Windows\System\aWsVReF.exe
  C:\Windows\System\aWsVReF.exe
  2⤵
  PID:5448
- C:\Windows\System\bdRexyt.exe
  C:\Windows\System\bdRexyt.exe
  2⤵
  PID:5468
- C:\Windows\System\iRkKhDP.exe
  C:\Windows\System\iRkKhDP.exe
  2⤵
  PID:5484
- C:\Windows\System\LtQqbiP.exe
  C:\Windows\System\LtQqbiP.exe
  2⤵
  PID:5504
- C:\Windows\System\ezcLyKz.exe
  C:\Windows\System\ezcLyKz.exe
  2⤵
  PID:5532
- C:\Windows\System\CagbmhQ.exe
  C:\Windows\System\CagbmhQ.exe
  2⤵
  PID:5548
- C:\Windows\System\VnzuSNp.exe
  C:\Windows\System\VnzuSNp.exe
  2⤵
  PID:5572
- C:\Windows\System\ZaGFGsA.exe
  C:\Windows\System\ZaGFGsA.exe
  2⤵
  PID:5592
- C:\Windows\System\UCoKuHb.exe
  C:\Windows\System\UCoKuHb.exe
  2⤵
  PID:5608
- C:\Windows\System\GEnEZvW.exe
  C:\Windows\System\GEnEZvW.exe
  2⤵
  PID:5636
- C:\Windows\System\qdhGwhl.exe
  C:\Windows\System\qdhGwhl.exe
  2⤵
  PID:5652
- C:\Windows\System\ITcsHhe.exe
  C:\Windows\System\ITcsHhe.exe
  2⤵
  PID:5668
- C:\Windows\System\utetgZF.exe
  C:\Windows\System\utetgZF.exe
  2⤵
  PID:5688
- C:\Windows\System\MhheRPr.exe
  C:\Windows\System\MhheRPr.exe
  2⤵
  PID:5708
- C:\Windows\System\DNuDafr.exe
  C:\Windows\System\DNuDafr.exe
  2⤵
  PID:5728
- C:\Windows\System\PmlsUoS.exe
  C:\Windows\System\PmlsUoS.exe
  2⤵
  PID:5748
- C:\Windows\System\ZsNCTNY.exe
  C:\Windows\System\ZsNCTNY.exe
  2⤵
  PID:5764
- C:\Windows\System\YqhLcSN.exe
  C:\Windows\System\YqhLcSN.exe
  2⤵
  PID:5788
- C:\Windows\System\bQUgSAU.exe
  C:\Windows\System\bQUgSAU.exe
  2⤵
  PID:5804
- C:\Windows\System\cEZwoXk.exe
  C:\Windows\System\cEZwoXk.exe
  2⤵
  PID:5824
- C:\Windows\System\UAbcbBW.exe
  C:\Windows\System\UAbcbBW.exe
  2⤵
  PID:5844
- C:\Windows\System\UMGWqlp.exe
  C:\Windows\System\UMGWqlp.exe
  2⤵
  PID:5860
- C:\Windows\System\SRXeVwN.exe
  C:\Windows\System\SRXeVwN.exe
  2⤵
  PID:5892
- C:\Windows\System\rUnYtoF.exe
  C:\Windows\System\rUnYtoF.exe
  2⤵
  PID:5912
- C:\Windows\System\mjEfCbt.exe
  C:\Windows\System\mjEfCbt.exe
  2⤵
  PID:5928
- C:\Windows\System\fejsKed.exe
  C:\Windows\System\fejsKed.exe
  2⤵
  PID:5944
- C:\Windows\System\VFntyso.exe
  C:\Windows\System\VFntyso.exe
  2⤵
  PID:5964
- C:\Windows\System\OLvKdft.exe
  C:\Windows\System\OLvKdft.exe
  2⤵
  PID:5988
- C:\Windows\System\QEJhYow.exe
  C:\Windows\System\QEJhYow.exe
  2⤵
  PID:6004
- C:\Windows\System\jQAvKPA.exe
  C:\Windows\System\jQAvKPA.exe
  2⤵
  PID:6020
- C:\Windows\System\hmRgQUq.exe
  C:\Windows\System\hmRgQUq.exe
  2⤵
  PID:6040
- C:\Windows\System\AIsswUS.exe
  C:\Windows\System\AIsswUS.exe
  2⤵
  PID:6056
- C:\Windows\System\ZttndPs.exe
  C:\Windows\System\ZttndPs.exe
  2⤵
  PID:6076
- C:\Windows\System\SIhrPVR.exe
  C:\Windows\System\SIhrPVR.exe
  2⤵
  PID:6100
- C:\Windows\System\edDHuWC.exe
  C:\Windows\System\edDHuWC.exe
  2⤵
  PID:6116
- C:\Windows\System\aDhjAmm.exe
  C:\Windows\System\aDhjAmm.exe
  2⤵
  PID:6132
- C:\Windows\System\VAgfPnu.exe
  C:\Windows\System\VAgfPnu.exe
  2⤵
  PID:5092
- C:\Windows\System\GbILYjz.exe
  C:\Windows\System\GbILYjz.exe
  2⤵
  PID:2300
- C:\Windows\System\xjMSnxm.exe
  C:\Windows\System\xjMSnxm.exe
  2⤵
  PID:468
- C:\Windows\System\lfLeKhI.exe
  C:\Windows\System\lfLeKhI.exe
  2⤵
  PID:1028
- C:\Windows\System\GyWztyf.exe
  C:\Windows\System\GyWztyf.exe
  2⤵
  PID:2564
- C:\Windows\System\MMApqPL.exe
  C:\Windows\System\MMApqPL.exe
  2⤵
  PID:4352
- C:\Windows\System\NPEzVCT.exe
  C:\Windows\System\NPEzVCT.exe
  2⤵
  PID:1216
- C:\Windows\System\JnjDHus.exe
  C:\Windows\System\JnjDHus.exe
  2⤵
  PID:5208
- C:\Windows\System\eNSSWcq.exe
  C:\Windows\System\eNSSWcq.exe
  2⤵
  PID:5116
- C:\Windows\System\ixIOeZL.exe
  C:\Windows\System\ixIOeZL.exe
  2⤵
  PID:2216
- C:\Windows\System\XkHYrSm.exe
  C:\Windows\System\XkHYrSm.exe
  2⤵
  PID:5424
- C:\Windows\System\TdDSuOj.exe
  C:\Windows\System\TdDSuOj.exe
  2⤵
  PID:3712
- C:\Windows\System\yYhhyXx.exe
  C:\Windows\System\yYhhyXx.exe
  2⤵
  PID:6168
- C:\Windows\System\FvOYXSJ.exe
  C:\Windows\System\FvOYXSJ.exe
  2⤵
  PID:6184
- C:\Windows\System\xsTtRRm.exe
  C:\Windows\System\xsTtRRm.exe
  2⤵
  PID:6200
- C:\Windows\System\svrbeYC.exe
  C:\Windows\System\svrbeYC.exe
  2⤵
  PID:6216
- C:\Windows\System\yYjmDvO.exe
  C:\Windows\System\yYjmDvO.exe
  2⤵
  PID:6236
- C:\Windows\System\OWNuajy.exe
  C:\Windows\System\OWNuajy.exe
  2⤵
  PID:6264
- C:\Windows\System\UQYnIXT.exe
  C:\Windows\System\UQYnIXT.exe
  2⤵
  PID:6280
- C:\Windows\System\pcTMGMc.exe
  C:\Windows\System\pcTMGMc.exe
  2⤵
  PID:6296
- C:\Windows\System\SOpOPtu.exe
  C:\Windows\System\SOpOPtu.exe
  2⤵
  PID:6316
- C:\Windows\System\nWNChlJ.exe
  C:\Windows\System\nWNChlJ.exe
  2⤵
  PID:6336
- C:\Windows\System\FOouRKr.exe
  C:\Windows\System\FOouRKr.exe
  2⤵
  PID:6352
- C:\Windows\System\nkNTxxA.exe
  C:\Windows\System\nkNTxxA.exe
  2⤵
  PID:6380
- C:\Windows\System\RVypPYc.exe
  C:\Windows\System\RVypPYc.exe
  2⤵
  PID:6400
- C:\Windows\System\DoUeKsM.exe
  C:\Windows\System\DoUeKsM.exe
  2⤵
  PID:6416
- C:\Windows\System\umQDmId.exe
  C:\Windows\System\umQDmId.exe
  2⤵
  PID:6432
- C:\Windows\System\mpFvwzp.exe
  C:\Windows\System\mpFvwzp.exe
  2⤵
  PID:6456
- C:\Windows\System\jBsVawS.exe
  C:\Windows\System\jBsVawS.exe
  2⤵
  PID:6472
- C:\Windows\System\AeXLElr.exe
  C:\Windows\System\AeXLElr.exe
  2⤵
  PID:6492
- C:\Windows\System\FSwkVYo.exe
  C:\Windows\System\FSwkVYo.exe
  2⤵
  PID:6512
- C:\Windows\System\bgUqIXs.exe
  C:\Windows\System\bgUqIXs.exe
  2⤵
  PID:6528
- C:\Windows\System\JIaLeda.exe
  C:\Windows\System\JIaLeda.exe
  2⤵
  PID:6548
- C:\Windows\System\RVtZUbQ.exe
  C:\Windows\System\RVtZUbQ.exe
  2⤵
  PID:6568
- C:\Windows\System\VKjQtEg.exe
  C:\Windows\System\VKjQtEg.exe
  2⤵
  PID:6584
- C:\Windows\System\KqHRXBK.exe
  C:\Windows\System\KqHRXBK.exe
  2⤵
  PID:6612
- C:\Windows\System\ebGkisN.exe
  C:\Windows\System\ebGkisN.exe
  2⤵
  PID:6628
- C:\Windows\System\tvRmyEF.exe
  C:\Windows\System\tvRmyEF.exe
  2⤵
  PID:6644
- C:\Windows\System\eOFhqko.exe
  C:\Windows\System\eOFhqko.exe
  2⤵
  PID:6664
- C:\Windows\System\DzdNbrC.exe
  C:\Windows\System\DzdNbrC.exe
  2⤵
  PID:6680
- C:\Windows\System\USYMqGv.exe
  C:\Windows\System\USYMqGv.exe
  2⤵
  PID:6700
- C:\Windows\System\IfrwUrY.exe
  C:\Windows\System\IfrwUrY.exe
  2⤵
  PID:6720
- C:\Windows\System\bnHjVBx.exe
  C:\Windows\System\bnHjVBx.exe
  2⤵
  PID:6736
- C:\Windows\System\EMVnBeK.exe
  C:\Windows\System\EMVnBeK.exe
  2⤵
  PID:6756
- C:\Windows\System\EMaKHGE.exe
  C:\Windows\System\EMaKHGE.exe
  2⤵
  PID:6780
- C:\Windows\System\Kagktit.exe
  C:\Windows\System\Kagktit.exe
  2⤵
  PID:6800
- C:\Windows\System\ljiLilo.exe
  C:\Windows\System\ljiLilo.exe
  2⤵
  PID:6820
- C:\Windows\System\kocPpUo.exe
  C:\Windows\System\kocPpUo.exe
  2⤵
  PID:6836
- C:\Windows\System\BjNfTDS.exe
  C:\Windows\System\BjNfTDS.exe
  2⤵
  PID:6852
- C:\Windows\System\LFfqxAt.exe
  C:\Windows\System\LFfqxAt.exe
  2⤵
  PID:6876
- C:\Windows\System\zyDsxch.exe
  C:\Windows\System\zyDsxch.exe
  2⤵
  PID:6892
- C:\Windows\System\usIqDAY.exe
  C:\Windows\System\usIqDAY.exe
  2⤵
  PID:6920
- C:\Windows\System\CXmvcTk.exe
  C:\Windows\System\CXmvcTk.exe
  2⤵
  PID:6936
- C:\Windows\System\XqCdBvB.exe
  C:\Windows\System\XqCdBvB.exe
  2⤵
  PID:6956
- C:\Windows\System\GkLFdVc.exe
  C:\Windows\System\GkLFdVc.exe
  2⤵
  PID:6976
- C:\Windows\System\WMYxzNq.exe
  C:\Windows\System\WMYxzNq.exe
  2⤵
  PID:6992
- C:\Windows\System\utCfKJu.exe
  C:\Windows\System\utCfKJu.exe
  2⤵
  PID:7012
- C:\Windows\System\mbpdsgR.exe
  C:\Windows\System\mbpdsgR.exe
  2⤵
  PID:7032
- C:\Windows\System\PKscouO.exe
  C:\Windows\System\PKscouO.exe
  2⤵
  PID:7048
- C:\Windows\System\TjJOvVT.exe
  C:\Windows\System\TjJOvVT.exe
  2⤵
  PID:7068
- C:\Windows\System\scSLihL.exe
  C:\Windows\System\scSLihL.exe
  2⤵
  PID:7088
- C:\Windows\System\lIncUkI.exe
  C:\Windows\System\lIncUkI.exe
  2⤵
  PID:7104
- C:\Windows\System\WcqgINf.exe
  C:\Windows\System\WcqgINf.exe
  2⤵
  PID:7120
- C:\Windows\System\YBJrLnI.exe
  C:\Windows\System\YBJrLnI.exe
  2⤵
  PID:7144
- C:\Windows\System\wqgcPrw.exe
  C:\Windows\System\wqgcPrw.exe
  2⤵
  PID:7160
- C:\Windows\System\smbGRVN.exe
  C:\Windows\System\smbGRVN.exe
  2⤵
  PID:5496
- C:\Windows\System\xTbOHOZ.exe
  C:\Windows\System\xTbOHOZ.exe
  2⤵
  PID:5580
- C:\Windows\System\jVIsJVT.exe
  C:\Windows\System\jVIsJVT.exe
  2⤵
  PID:5604
- C:\Windows\System\lMYUyyd.exe
  C:\Windows\System\lMYUyyd.exe
  2⤵
  PID:3692
- C:\Windows\System\nvQbQxS.exe
  C:\Windows\System\nvQbQxS.exe
  2⤵
  PID:5684
- C:\Windows\System\LHuKmnZ.exe
  C:\Windows\System\LHuKmnZ.exe
  2⤵
  PID:216
- C:\Windows\System\dDSBIOA.exe
  C:\Windows\System\dDSBIOA.exe
  2⤵
  PID:5784
- C:\Windows\System\eNxcnpd.exe
  C:\Windows\System\eNxcnpd.exe
  2⤵
  PID:5840
- C:\Windows\System\Ovdjjrt.exe
  C:\Windows\System\Ovdjjrt.exe
  2⤵
  PID:884
- C:\Windows\System\gMgzIzS.exe
  C:\Windows\System\gMgzIzS.exe
  2⤵
  PID:5940
- C:\Windows\System\SiEVqBd.exe
  C:\Windows\System\SiEVqBd.exe
  2⤵
  PID:5952
- C:\Windows\System\kQwJFMj.exe
  C:\Windows\System\kQwJFMj.exe
  2⤵
  PID:6048
- C:\Windows\System\pRKgXGR.exe
  C:\Windows\System\pRKgXGR.exe
  2⤵
  PID:5144
- C:\Windows\System\UEgFDZC.exe
  C:\Windows\System\UEgFDZC.exe
  2⤵
  PID:6128
- C:\Windows\System\SaaRqUb.exe
  C:\Windows\System\SaaRqUb.exe
  2⤵
  PID:4360
- C:\Windows\System\TPPPQvZ.exe
  C:\Windows\System\TPPPQvZ.exe
  2⤵
  PID:7212
- C:\Windows\System\UnMeYDX.exe
  C:\Windows\System\UnMeYDX.exe
  2⤵
  PID:7236
- C:\Windows\System\ZpwapAS.exe
  C:\Windows\System\ZpwapAS.exe
  2⤵
  PID:7252
- C:\Windows\System\RBkIzCz.exe
  C:\Windows\System\RBkIzCz.exe
  2⤵
  PID:7268
- C:\Windows\System\nEThCjx.exe
  C:\Windows\System\nEThCjx.exe
  2⤵
  PID:7288
- C:\Windows\System\DetwJnp.exe
  C:\Windows\System\DetwJnp.exe
  2⤵
  PID:7308
- C:\Windows\System\oRiazHl.exe
  C:\Windows\System\oRiazHl.exe
  2⤵
  PID:7328
- C:\Windows\System\MycMUVg.exe
  C:\Windows\System\MycMUVg.exe
  2⤵
  PID:7348
- C:\Windows\System\JhMulMW.exe
  C:\Windows\System\JhMulMW.exe
  2⤵
  PID:7364
- C:\Windows\System\jcXrOXt.exe
  C:\Windows\System\jcXrOXt.exe
  2⤵
  PID:7380
- C:\Windows\System\OtHLile.exe
  C:\Windows\System\OtHLile.exe
  2⤵
  PID:7404
- C:\Windows\System\cvkVnlZ.exe
  C:\Windows\System\cvkVnlZ.exe
  2⤵
  PID:7420
- C:\Windows\System\ZQrCejM.exe
  C:\Windows\System\ZQrCejM.exe
  2⤵
  PID:7436
- C:\Windows\System\FRuyYZX.exe
  C:\Windows\System\FRuyYZX.exe
  2⤵
  PID:7452
- C:\Windows\System\BuuGxGg.exe
  C:\Windows\System\BuuGxGg.exe
  2⤵
  PID:7476
- C:\Windows\System\XdgpyEj.exe
  C:\Windows\System\XdgpyEj.exe
  2⤵
  PID:7492
- C:\Windows\System\RrolXzY.exe
  C:\Windows\System\RrolXzY.exe
  2⤵
  PID:7508
- C:\Windows\System\VCCkFWf.exe
  C:\Windows\System\VCCkFWf.exe
  2⤵
  PID:7532
- C:\Windows\System\VrBdyvq.exe
  C:\Windows\System\VrBdyvq.exe
  2⤵
  PID:7552
- C:\Windows\System\xOLJIbQ.exe
  C:\Windows\System\xOLJIbQ.exe
  2⤵
  PID:7724
- C:\Windows\System\TCLeRnD.exe
  C:\Windows\System\TCLeRnD.exe
  2⤵
  PID:7740
- C:\Windows\System\LaIOADw.exe
  C:\Windows\System\LaIOADw.exe
  2⤵
  PID:7756
- C:\Windows\System\UOYofdl.exe
  C:\Windows\System\UOYofdl.exe
  2⤵
  PID:7772
- C:\Windows\System\zQDbFsJ.exe
  C:\Windows\System\zQDbFsJ.exe
  2⤵
  PID:7788
- C:\Windows\System\qlWoOPz.exe
  C:\Windows\System\qlWoOPz.exe
  2⤵
  PID:7804
- C:\Windows\System\ZPTWGgG.exe
  C:\Windows\System\ZPTWGgG.exe
  2⤵
  PID:7820
- C:\Windows\System\KCdWhJa.exe
  C:\Windows\System\KCdWhJa.exe
  2⤵
  PID:7836
- C:\Windows\System\SFkGZdJ.exe
  C:\Windows\System\SFkGZdJ.exe
  2⤵
  PID:7856
- C:\Windows\System\xXTOqAE.exe
  C:\Windows\System\xXTOqAE.exe
  2⤵
  PID:7872
- C:\Windows\System\NGcsHSP.exe
  C:\Windows\System\NGcsHSP.exe
  2⤵
  PID:7888
- C:\Windows\System\gpbhxDE.exe
  C:\Windows\System\gpbhxDE.exe
  2⤵
  PID:7908
- C:\Windows\System\wpEMsHj.exe
  C:\Windows\System\wpEMsHj.exe
  2⤵
  PID:7924
- C:\Windows\System\pPvwqBQ.exe
  C:\Windows\System\pPvwqBQ.exe
  2⤵
  PID:7940
- C:\Windows\System\IOrSXZd.exe
  C:\Windows\System\IOrSXZd.exe
  2⤵
  PID:7956
- C:\Windows\System\kTdgXyc.exe
  C:\Windows\System\kTdgXyc.exe
  2⤵
  PID:7972
- C:\Windows\System\yzVBKEg.exe
  C:\Windows\System\yzVBKEg.exe
  2⤵
  PID:7988
- C:\Windows\System\kqskxYb.exe
  C:\Windows\System\kqskxYb.exe
  2⤵
  PID:8004
- C:\Windows\System\rTIdVyI.exe
  C:\Windows\System\rTIdVyI.exe
  2⤵
  PID:8020
- C:\Windows\System\wfeGjHw.exe
  C:\Windows\System\wfeGjHw.exe
  2⤵
  PID:8036
- C:\Windows\System\XXqDvJB.exe
  C:\Windows\System\XXqDvJB.exe
  2⤵
  PID:8052
- C:\Windows\System\oQAqLcu.exe
  C:\Windows\System\oQAqLcu.exe
  2⤵
  PID:8068
- C:\Windows\System\GSkbuZa.exe
  C:\Windows\System\GSkbuZa.exe
  2⤵
  PID:8084
- C:\Windows\System\krTHDbl.exe
  C:\Windows\System\krTHDbl.exe
  2⤵
  PID:8104
- C:\Windows\System\AgmsWIZ.exe
  C:\Windows\System\AgmsWIZ.exe
  2⤵
  PID:8120
- C:\Windows\System\NqOUiQo.exe
  C:\Windows\System\NqOUiQo.exe
  2⤵
  PID:8136
- C:\Windows\System\ftGifLx.exe
  C:\Windows\System\ftGifLx.exe
  2⤵
  PID:8152
- C:\Windows\System\uKTIJqE.exe
  C:\Windows\System\uKTIJqE.exe
  2⤵
  PID:8168
- C:\Windows\System\FAaUAjs.exe
  C:\Windows\System\FAaUAjs.exe
  2⤵
  PID:8184
- C:\Windows\System\fehrxul.exe
  C:\Windows\System\fehrxul.exe
  2⤵
  PID:1004
- C:\Windows\System\UDpsiFj.exe
  C:\Windows\System\UDpsiFj.exe
  2⤵
  PID:5648
- C:\Windows\System\pnmrRbn.exe
  C:\Windows\System\pnmrRbn.exe
  2⤵
  PID:5920
- C:\Windows\System\rZHLvGi.exe
  C:\Windows\System\rZHLvGi.exe
  2⤵
  PID:6000
- C:\Windows\System\TpAMfrf.exe
  C:\Windows\System\TpAMfrf.exe
  2⤵
  PID:6108
- C:\Windows\System\WTZwrWb.exe
  C:\Windows\System\WTZwrWb.exe
  2⤵
  PID:4336
- C:\Windows\System\MyeqQgL.exe
  C:\Windows\System\MyeqQgL.exe
  2⤵
  PID:4708
- C:\Windows\System\sdWkvoa.exe
  C:\Windows\System\sdWkvoa.exe
  2⤵
  PID:1664
- C:\Windows\System\WewMCxC.exe
  C:\Windows\System\WewMCxC.exe
  2⤵
  PID:456
- C:\Windows\System\MhNvjDA.exe
  C:\Windows\System\MhNvjDA.exe
  2⤵
  PID:5128
- C:\Windows\System\xRfQrro.exe
  C:\Windows\System\xRfQrro.exe
  2⤵
  PID:3068
- C:\Windows\System\DrcsOhf.exe
  C:\Windows\System\DrcsOhf.exe
  2⤵
  PID:7248
- C:\Windows\System\fLeltnO.exe
  C:\Windows\System\fLeltnO.exe
  2⤵
  PID:7316
- C:\Windows\System\FcOPQWw.exe
  C:\Windows\System\FcOPQWw.exe
  2⤵
  PID:7412
- C:\Windows\System\owYiUum.exe
  C:\Windows\System\owYiUum.exe
  2⤵
  PID:7448
- C:\Windows\System\nVuZznT.exe
  C:\Windows\System\nVuZznT.exe
  2⤵
  PID:7544
- C:\Windows\System\fYXJLav.exe
  C:\Windows\System\fYXJLav.exe
  2⤵
  PID:6464
- C:\Windows\System\wTBySot.exe
  C:\Windows\System\wTBySot.exe
  2⤵
  PID:6544
- C:\Windows\System\CUnLAlE.exe
  C:\Windows\System\CUnLAlE.exe
  2⤵
  PID:7028
- C:\Windows\System\GubQrNb.exe
  C:\Windows\System\GubQrNb.exe
  2⤵
  PID:6032
- C:\Windows\System\lMIPtTp.exe
  C:\Windows\System\lMIPtTp.exe
  2⤵
  PID:7396
- C:\Windows\System\GIywFMD.exe
  C:\Windows\System\GIywFMD.exe
  2⤵
  PID:2568
- C:\Windows\System\BkKDpCg.exe
  C:\Windows\System\BkKDpCg.exe
  2⤵
  PID:4788
- C:\Windows\System\UpQjUTn.exe
  C:\Windows\System\UpQjUTn.exe
  2⤵
  PID:8204
- C:\Windows\System\BjSkgDw.exe
  C:\Windows\System\BjSkgDw.exe
  2⤵
  PID:8224
- C:\Windows\System\QoyjurC.exe
  C:\Windows\System\QoyjurC.exe
  2⤵
  PID:8240
- C:\Windows\System\VZSVfiW.exe
  C:\Windows\System\VZSVfiW.exe
  2⤵
  PID:8272
- C:\Windows\System\DgKPGIl.exe
  C:\Windows\System\DgKPGIl.exe
  2⤵
  PID:8288
- C:\Windows\System\UmcPiXL.exe
  C:\Windows\System\UmcPiXL.exe
  2⤵
  PID:8304
- C:\Windows\System\BoZPlbC.exe
  C:\Windows\System\BoZPlbC.exe
  2⤵
  PID:8324
- C:\Windows\System\HmfdANS.exe
  C:\Windows\System\HmfdANS.exe
  2⤵
  PID:8340
- C:\Windows\System\GiFlGUs.exe
  C:\Windows\System\GiFlGUs.exe
  2⤵
  PID:8364
- C:\Windows\System\nHHlVLE.exe
  C:\Windows\System\nHHlVLE.exe
  2⤵
  PID:8384
- C:\Windows\System\jflHmOo.exe
  C:\Windows\System\jflHmOo.exe
  2⤵
  PID:8408
- C:\Windows\System\tEXkcZn.exe
  C:\Windows\System\tEXkcZn.exe
  2⤵
  PID:8432
- C:\Windows\System\hUSeASn.exe
  C:\Windows\System\hUSeASn.exe
  2⤵
  PID:8448
- C:\Windows\System\dUaponm.exe
  C:\Windows\System\dUaponm.exe
  2⤵
  PID:8472
- C:\Windows\System\ObLTpul.exe
  C:\Windows\System\ObLTpul.exe
  2⤵
  PID:8492
- C:\Windows\System\bNWDEjx.exe
  C:\Windows\System\bNWDEjx.exe
  2⤵
  PID:8508
- C:\Windows\System\KCBwxYu.exe
  C:\Windows\System\KCBwxYu.exe
  2⤵
  PID:8528
- C:\Windows\System\DYlHAbO.exe
  C:\Windows\System\DYlHAbO.exe
  2⤵
  PID:8544
- C:\Windows\System\bfSRcfB.exe
  C:\Windows\System\bfSRcfB.exe
  2⤵
  PID:8560
- C:\Windows\System\xCIeuhe.exe
  C:\Windows\System\xCIeuhe.exe
  2⤵
  PID:8584
- C:\Windows\System\KdBdRSK.exe
  C:\Windows\System\KdBdRSK.exe
  2⤵
  PID:8600
- C:\Windows\System\LGptFUN.exe
  C:\Windows\System\LGptFUN.exe
  2⤵
  PID:8624
- C:\Windows\System\bQVWDlr.exe
  C:\Windows\System\bQVWDlr.exe
  2⤵
  PID:8648
- C:\Windows\System\teukYqc.exe
  C:\Windows\System\teukYqc.exe
  2⤵
  PID:8672
- C:\Windows\System\jCYHEeY.exe
  C:\Windows\System\jCYHEeY.exe
  2⤵
  PID:8692
- C:\Windows\System\ldmcyVB.exe
  C:\Windows\System\ldmcyVB.exe
  2⤵
  PID:8712
- C:\Windows\System\feaWVHd.exe
  C:\Windows\System\feaWVHd.exe
  2⤵
  PID:8728
- C:\Windows\System\xOnGTIW.exe
  C:\Windows\System\xOnGTIW.exe
  2⤵
  PID:8756
- C:\Windows\System\YRwnPyw.exe
  C:\Windows\System\YRwnPyw.exe
  2⤵
  PID:8776
- C:\Windows\System\fdgIGOH.exe
  C:\Windows\System\fdgIGOH.exe
  2⤵
  PID:8792
- C:\Windows\System\GpQWKFu.exe
  C:\Windows\System\GpQWKFu.exe
  2⤵
  PID:8816
- C:\Windows\System\PAzGpDd.exe
  C:\Windows\System\PAzGpDd.exe
  2⤵
  PID:8832
- C:\Windows\System\TWsYshX.exe
  C:\Windows\System\TWsYshX.exe
  2⤵
  PID:8848
- C:\Windows\System\BkOAZvU.exe
  C:\Windows\System\BkOAZvU.exe
  2⤵
  PID:8864
- C:\Windows\System\hvBuEMA.exe
  C:\Windows\System\hvBuEMA.exe
  2⤵
  PID:8884
- C:\Windows\System\cljArzK.exe
  C:\Windows\System\cljArzK.exe
  2⤵
  PID:8908
- C:\Windows\System\SVlWVwA.exe
  C:\Windows\System\SVlWVwA.exe
  2⤵
  PID:8924
- C:\Windows\System\rjYRGtd.exe
  C:\Windows\System\rjYRGtd.exe
  2⤵
  PID:8948
- C:\Windows\System\BPmSvpF.exe
  C:\Windows\System\BPmSvpF.exe
  2⤵
  PID:8964
- C:\Windows\System\RTHxOnu.exe
  C:\Windows\System\RTHxOnu.exe
  2⤵
  PID:8984

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9188

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ANQXDrP.exe

Filesize
2.1MB

MD5
0f1482e1d505e1918991428e8076cd9a

SHA1
b0cb217ea4f1ed0c1a554872753d7666205c111e

SHA256
44cd35316ac58600c9465c19aab265ebff9d1541f1484c660c4217d52d9c7070

SHA512
c81c8622e9afb940f375eb65b680edf4436ca54abd733e517ed08ee3c64e1b0c1f9c8065c530071b2c6a711cef12866d22c99dac0fdaec08d6924aeb3616f6c6

Download Submit
C:\Windows\System\ASXSdXr.exe

Filesize
2.1MB

MD5
979e72c3596b8f49d7c054391708b446

SHA1
e8298cd274be670768af56f04fae2a32770a0bb9

SHA256
964d04b766e1753add13fc2ffa5cf4a2ef93e15fbd798a252f096eea9800aa20

SHA512
37a501c9462920e8b941690d2747740d410c6bb8b381384754fcb6650d6ffb42f661a63b6e9c3406acc6f0568b8c67976ec11294b42a38fb49a6ed24095ec24c

Download Submit
C:\Windows\System\EIMiJRd.exe

Filesize
2.1MB

MD5
a61125918b8ea77e4adadabf8fd70fe3

SHA1
eac3f7bc092557cf3c73407cc18655486a3a492f

SHA256
6ffe2fb4ad4cdd2e3fed30e97fdc74f0d392f3d57d0c728d61c1921f1d204894

SHA512
87253e3bdc030617c7ea79d39743401d6373975bcd235c7dafe3f8d8ea66579fa131a12ab47c51a40bf2c4269e7e3dc0c2e6bc144501bc0d782d51f2151c220a

Download Submit
C:\Windows\System\FlUkRHi.exe

Filesize
2.1MB

MD5
49d49444eb3f1924a0d18855b67925b3

SHA1
6d8d2d3b201adc56017c104d9cbf343d4ade12a4

SHA256
02b635e203a24a4f04524013953a0b4a9196361a6ed7b53d0facfb6223521f70

SHA512
48a20d723399132274b016e007543212ece394660426e30f39a17db6ff6b9bd932331d7fa20e3022877a2591f85a618b435da0c78f64892a8c8dcb2371536833

Download Submit
C:\Windows\System\HgOGbyO.exe

Filesize
2.1MB

MD5
3f73fb21dae5ff9f2302097a21ef8983

SHA1
e15ffb55bca99128f7b7cf35ff83a5d9430e6115

SHA256
68a06991ab73ad025171e78444260d7c2a58b5fde936b4318432367b36df132c

SHA512
92461e1bef0f5481fe9ac1d14cdf9a0126611030885a38c74c953ec7cea87a4edf01b67517d73f8701858e981f9f5059ba485876b9761ef1319755d2f5beed04

Download Submit
C:\Windows\System\HgOGbyO.exe

Filesize
832KB

MD5
fe23d8f2a683ea3c37e211db5c47c198

SHA1
c8d98757080f758fa71fe2947f967f4c2ba26b77

SHA256
e791fb8dbe7f5a7d384dc32653c49cf355982fbc2394ea1e3030cd6ebb798cb8

SHA512
ff5ab31bffe4dcd555455f3d81b2d9fca6cd687b604f37f4aa99e780677c84919321fd43b5fd13f9cb6081978b182fef58c2564f773d39cf2fefe33142ce3656

Download Submit
C:\Windows\System\Ikyadff.exe

Filesize
128KB

MD5
7ce4ba1725e83a50f64ba525f8815dcf

SHA1
b1714a2d23cfc42c18c37e1546ac0908d8252c04

SHA256
9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908

SHA512
2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

Download Submit
C:\Windows\System\Ikyadff.exe

Filesize
2.1MB

MD5
4f7c5a43666031c5a83e3d883f5f2163

SHA1
92ce025c6e0a7ba2059aead14dc144a4b3c9c332

SHA256
a9cf09d9bd6e525b95c4bde1d5658ac2b0981ee56d599cb837bf5fd04cc36f1a

SHA512
4d6c02a3dfd150156a3369bd55c015c78c332bfae2364f199fad895715fd8772d3ee178549242db4697a683f10f31d66f8cf467203207a351bed0503976b2329

Download Submit
C:\Windows\System\IlDWdQo.exe

Filesize
2.1MB

MD5
37ae3b6281a69e02527c09a789cb1731

SHA1
e7ca17dc5b490dc8ea7a991bc4a35151c23da94f

SHA256
455a0df97cd9da64b6d1368578f5e9e77e7eb0b416a090e4c875b7ba504cc906

SHA512
4c8ac4e256cb639e6330ceda0831efe91c7951a3d66cd2a7842e8add12d1365ded685be2760534d3228d4c094df5a5a5c320880e5f58bf030687365f148fa904

Download Submit
C:\Windows\System\JHiYHpZ.exe

Filesize
2.1MB

MD5
8ba5e429bc8c39777e82b23a43a223c5

SHA1
0d5fd48b311e7bdaeeb1f6d4f8e7b8254ea48224

SHA256
b1f100a384c25578d65f7eb2d71b2574c31720b9af8276f49c95f29aa98de5b6

SHA512
0084d3ee43913621193c1e8949a6f606fadad9c19648423e9295f31554b7e1b9f07b217d5e8eea53a5d951bf1ed9d6bb3d473bdeac8888322f6a15c1a6413ae6

Download Submit
C:\Windows\System\KzFFRzg.exe

Filesize
2.1MB

MD5
977d312851fde0e16e762f73ae8cec85

SHA1
dd86b6b1294d3bfd00f2567842bfab248fc00f0b

SHA256
ee1c944f8f33557cfbb74f615a5d4cf187a2c39330492bc9a3261cd06e90ea2c

SHA512
3d5a4d94039629a0c2804805746d641928beb221b70f346f13b64475f30044387a974223322f126cafac02d3372f4c9dd55f131d10b5e4edefbd40ae20d8be73

Download Submit
C:\Windows\System\LcqsIyG.exe

Filesize
2.1MB

MD5
dc5c97efab3e46b161390c55d8f2e742

SHA1
03388d0c7ae70f1549fe3a39a86535e3e94cea60

SHA256
4c62adfbb2d4b0414f524f4e0e9301b26ce065baeaa30a4f0934a5070bbfc85f

SHA512
4d421e89491e952d47c2e1ae82bc93a71e4b3b8bb49cec1d0c40716f5dada9864a23603ed8b3eac4d070ec59b1b5bb8c046553fbc6dd838a24fbce856375195b

Download Submit
C:\Windows\System\NUIYkoU.exe

Filesize
2.1MB

MD5
f50def6081c38d9e8a56ddf20c9297f7

SHA1
0d3ad0b9cbd632250fb23a51167cd5136323831e

SHA256
ce322e731822890b994988c7d8d61d80b933bea9070bd2feba9073019604fcda

SHA512
bca90b4f78c3118bf735b28a063e5bdb6d765762e66ff6c25f61931179825d34f828a7d1dba57b0f4009cf2ea0a76ff80260fec9e85bc900b0f2b0be9e2db701

Download Submit
C:\Windows\System\OPmpFel.exe

Filesize
2.1MB

MD5
97c6c7139953e9772e1b91faa2cbb6d0

SHA1
c4a3abd14bd1bfd4670a1a8a93df874ece1be025

SHA256
2459d16827e7025d95dc936d25cc570bfb5d5ace9f85d4b7ae77e11fa9434b35

SHA512
7d9c3ade821f8c0799aba0ff6b396487c0f4efcb06e8296731612de1fc877e7ab7a085d6597bd2ee21ba3e3bc279c759f9eacf4bb655a64ab2bf48a870eb8523

Download Submit
C:\Windows\System\PWsTkkn.exe

Filesize
2.1MB

MD5
f7dc7981ebaa06012b0c3878649b2f2c

SHA1
8050f7eb2cbf05bacd05863660082e53124a07aa

SHA256
c1bb9d8a81f854845d015f1313c5f802b60d47f8ba852c03a2e1506809405e09

SHA512
3b0e70a4551f20cf9a8f000106058bbe6784b318ada505a70c813a5d5dbdfc616574f4a855a1ccd5193d67a3d77feb72520ddaf24c055f89562b5557ad6f30f6

Download Submit
C:\Windows\System\PfCCvVf.exe

Filesize
2.1MB

MD5
5bfeb787f70dca4bfb403558937b634c

SHA1
f01b3fe6a8610b298ef39a1b25c0e603854a1d48

SHA256
386eaff0b581a0f81208eb601430939e7dc8018311c1a4a8fa80f91469ebaeae

SHA512
24c028d69078d982b0bf52cc9fade674bd7850d28a320623323c6d4698376d922602c3b299c33574525efc405bdc3fbc7904544637ec4b6c1d20eb12bfb74cee

Download Submit
C:\Windows\System\PinlVAN.exe

Filesize
2.1MB

MD5
1813f994bf2d9629fc814b07fe221999

SHA1
11683a052d4d282de5be2e681ee13168fb993ca4

SHA256
4766f14a10c0e6635f6634df13f6b6bca0cdd71d39855e37793f76caaed995c7

SHA512
136f14dd5462e365984595ba2656711ddc9c339b6687c0900e2bae35f2a188209afada547ee0a1ed7df1c01e416e177189a507927dac7ff022b3e9da128789ec

Download Submit
C:\Windows\System\QdnEfmc.exe

Filesize
2.1MB

MD5
c233ba60e2dcedef7fa01f72e11003d6

SHA1
dd538ee14e7aab4eefa38e6c37280a2509a5bd1b

SHA256
3123e57b86d9891c85226d0ad98b5ee92b083eafce9b1297efbb4eea7c431152

SHA512
727e6b0f878f3f35c7387848270e120026bbc8cdc41cfdbcc54f2f2a7ed640e2e8e8cc9d30ec0a454680f80a1ab89fef7ae3f6325b223f2e17b5ae4803b9cf9e

Download Submit
C:\Windows\System\QemnBLX.exe

Filesize
2.1MB

MD5
b30f986d697133c43c47abed29f8f3d8

SHA1
5d0468bf8f5e607220691b7683a276504ada93f2

SHA256
7aee702b78fab235d5fc3a1e38e024c795b4c12718a3e195b1cdd6c8033e4693

SHA512
c6712b50b2e1f426c59d46084d9a71c90394dc0550382800d0f6df7b83a1900468c619dc867d1209637180aec848e5a5e7510e32eebf1acae674ec60d26b1df4

Download Submit
C:\Windows\System\RrMUtos.exe

Filesize
2.1MB

MD5
2c2754843398413ea252559ef4d143b2

SHA1
66d212f29ca362f9652c02a8d7072c3b2437ad45

SHA256
f13303c7a615102710a4da136693410a1afc50e569034b3f97ac2833255ecdd1

SHA512
a59d34aaa8ee715abfcf16c14c4b2c80be91b8ce660b8f123c36859f4e0c72ad2f12014dcb89ef553b0d8060d8b3f723e9610118d98cf191488d113d6dab1e8e

Download Submit
C:\Windows\System\YgNbZNC.exe

Filesize
2.1MB

MD5
05994225fe3706aab1494cb183175371

SHA1
6cb79534e928dd18fe6e601d4314abcf8d3f6b7e

SHA256
3ad8303db050797c2affcab0edbfcf23730fd301e75a778bad206236942a0e26

SHA512
54c8aafa36eba8ad242587ad2ebc285d0219c5eee7fd71cd5cd25629bd0b6bf10ebce59a34b0126895bae3febfe871defbea91d6eddef40804d9f11b985ac136

Download Submit
C:\Windows\System\ZgswMNc.exe

Filesize
2.1MB

MD5
65574c5f15e9db9eca6661aae20b0cb0

SHA1
c1b328462f247a7631ae4bdd92fe5c18846a8a4b

SHA256
be7aaf4f6679437c6eda0c9fb5c0d59938d9d895d6e525dd62fee7be131351aa

SHA512
4104d9c7355c5c9886244b8b6ea26684916639ded840d9f4e8c83f08e8d5863b6585e6ff0226208790ce681064716f705b60d7694efcbcf7edc93753ce4e770e

Download Submit
C:\Windows\System\ZowcIoi.exe

Filesize
2.1MB

MD5
7fad58333a933f2c811549cb1f8187e6

SHA1
040d8c7a09f0685b62c471c7c214c430de83d7a9

SHA256
0aef3b702e0867cf03a1da5e9584c0933852d274b29a26fb5c2221885639f661

SHA512
11dcdf606b902f2a16fb0277dd2a3002f7011d8eb1a1b5d58d2c793e8dd628d14bf6e3e2e616e967297bf63ee3afa3ace6a296610e083a700dcf3f9a24b5df3f

Download Submit
C:\Windows\System\ZzPvSRz.exe

Filesize
2.1MB

MD5
80aa07e29e6b88fa38cdc2f8b37f837d

SHA1
932bacfc44ada9fb334ed81bccf1ac86d183a259

SHA256
2db7320b60c05fd1d4531039f6d8c298874c1f475d93b6fe86bf6c9f0d1d5aeb

SHA512
29df20ec2a21875dfcf8430d3ac2ae4128eca70fa713021f0ddeb75dd9de66026c645e0e73645e4785c70161a4bf76f3df40a167c41a8847cb9d0d9f545e99b3

Download Submit
C:\Windows\System\boQEwVp.exe

Filesize
2.1MB

MD5
22633210bedd95620541d0dd54cc92d9

SHA1
cf5342f435c3a4d6ce5187d191c92bf9341d4c80

SHA256
07d102362ab43f07cb211d6a269d1707cc860b9a8de45541a1b0ae1e08fe57df

SHA512
db00e486289649d1f02d8635d6599fc1a18a4c471df383aa967b1b480a4091474623785078e5659111267b81ce8947b3dada1a05b108a1461dcccba197494832

Download Submit
C:\Windows\System\fhYKwep.exe

Filesize
2.1MB

MD5
6ec5b6986c8111cb1974bac2740cce5b

SHA1
9dbd92f24f4458a74e4038a91e27d757b2ec9b18

SHA256
d42f2f40b37dc906178c3fe704fa6593b5cc1567449eec6c1ba10f0af5b84fed

SHA512
87ca3437a9eea1f83d46aa6b32c154fdaeabee19476e45c37dceaedd7937a107a8dee035ba6ba2fbcd459e7eaae6bb527513962356b17e0795d8f59244a68046

Download Submit
C:\Windows\System\fuFbnKp.exe

Filesize
2.1MB

MD5
58f21347d113e70f0c12a3c336bc4132

SHA1
4d9a17ab9cf27e1ac6232faf27deee7f826f2586

SHA256
aedcdc197b9f67386964fdc0a28e4f67622f20d801d195d1200012ebef2f7414

SHA512
6b4eafb5cf91d945f057cccfa10431eb7a2f52a64b5a76808ac52a33d79123492af728039e47a5169a510c5a87d12054bc9e13b13209c2c6110d0ec9222f77af

Download Submit
C:\Windows\System\gIxGXLC.exe

Filesize
2.1MB

MD5
e9231b27268c04680d256a0386ffca18

SHA1
09520d782d1dc938878925066360bb186b9d995f

SHA256
d04cfd47e7a99ec6980542ebbc4ef53cd3d3bfe89c450cbc9a90cc45a311e4a9

SHA512
1540c126c6fa81fd4609fedba25bccca1923ab4a2304ac53345d56bef3380a71221273cc60092e5d4170a5a630138b5994eda3f4df2d4ed298bbc213144fbe9f

Download Submit
C:\Windows\System\ihheDIN.exe

Filesize
2.1MB

MD5
f732c3bfc21ccc016840163b843f6e56

SHA1
aa328b004d5018f0c714d58fc49963814960df01

SHA256
8019131860168731c1f8f2a1d7a2296e04783e3fc5a668dd9c3b510ede3a7b4f

SHA512
6f0accf7db3f217287aabc6d7ddf84b8183a6fb844867eda84b8def69d891a5a7709e50c7e955a03d01f9a59c56cb58b0b22ade9a529418cc6b993c75f82af07

Download Submit
C:\Windows\System\ixPTsFe.exe

Filesize
2.1MB

MD5
00a89b7801f8b3b46709fe84eb7b587a

SHA1
6b6beb4bc7dd888884e685b26fc4bf4374bcf808

SHA256
106154df718f23f657bf63a5a79944db17c2d6207efea0e5d6eea94fa4ed1d7a

SHA512
0f44b82b9c46066eee856cc7f3c4b5d567883756554a0dedcbbb18554439e5b69f6365719e523ee332dacc858f068240ce4d401b60f91a414e58d33b485c742a

Download Submit
C:\Windows\System\jXhYwnd.exe

Filesize
2.1MB

MD5
c5ffbdd611ff7769f906533d561c308b

SHA1
1c6e1f796a974c7eb12e60f0d19a46de34a836aa

SHA256
ccf053a2f4ab3f6eb7a09a3a1a6be3c77ac68e18f658264d6615eded9c2e4c72

SHA512
21984c4e86fdbc3d489cf559e6af4c94c89f0978d4dd72dca7ee8069bb44e957cbae8b0fe2653cbc651b068b83056d7c31884fd9db31160f5a9ed223c3949f7c

Download Submit
C:\Windows\System\lEUZRLv.exe

Filesize
2.1MB

MD5
2a26c816f11d346a5d869e5532a0569d

SHA1
2656d3bbdbfd5e7884865b50cfe440916a44a5d1

SHA256
696f109402640b2dcdd37299e371cd2f328a2c1e806efac6724a2bf63287043b

SHA512
e15420d892dde6d9a6061332b7626f9228904e0c01e0d8da288675014e83ecd44dedbd51ef369d7a81dcbb0a10276e3c15898392674404b65fe41bddcbfad4e5

Download Submit
C:\Windows\System\lRurxxp.exe

Filesize
2.1MB

MD5
4f51c877a42556c7d375bd897499cf80

SHA1
4cf0e4481b491395cc74fae6c8beb889534152f3

SHA256
53ea6b40c4350e736fb14fefecbe54acba8943231e4cc3ea11b12a2ca36e3407

SHA512
13b34a16a6db8138acaf4d79c35fc894a56a566ee7d98b2be3d2ba302120f130df7643717602b496c905820e2d6eff84e36b18b676087726c647fa6fe413ea06

Download Submit
C:\Windows\System\ogWCTBG.exe

Filesize
2.1MB

MD5
270c60e7180d9f73740b517fa5f2951b

SHA1
2ac2fbb9057738b2e75c357aad149fd48778bb1c

SHA256
4f8d6ff02f346d863cdefc7f49c533adb4d3f03ae7df2d4e9ccbf044ee1c3a8f

SHA512
b63ddf4d439a557d2a211b54698c8c1a2e431da78570c7d29aee95edc9960d7d61d94424882b5e6cadf2f4b715b6ad18ca81edb72d85e5c7816afdb64bfc103b

Download Submit
C:\Windows\System\pBohFyZ.exe

Filesize
2.1MB

MD5
627ffcd2d873b2f3fe99b019bddfcaf2

SHA1
c615916a566b9d396fd7c80ac38cafc1e00910bd

SHA256
07e5764cc8b4e5c3891060630cb8b891b821e006ea8c1ea93695096611ef2c40

SHA512
e5f01d3c6a13f1f7b05c45d7bd94cca6d2427327d64ac609f37f18d88d29aedf27dae494b53809a5088331cbd7501682d7e3868506effd713e55fd48a73bb6f2

Download Submit
C:\Windows\System\rzFwdOG.exe

Filesize
2.1MB

MD5
15382105eac65122f372181b3a052cea

SHA1
68bac7dffcc283fbf9c6e7b62bc8e255d9dd81ad

SHA256
e333aedc684d15b29700c4733cbeccb6142a25187b92dd6cffe0cf038a0e52ad

SHA512
b4b8c4f97c8369d0a282f81d46346897ca844099909400b04cc09af30caf68ea94711360f71a9f01ec88227cde40b535e4ba16079883c85b4f0adc61533f1af0

Download Submit
C:\Windows\System\uZcvWuS.exe

Filesize
2.1MB

MD5
b740837aa18aff19b956877ee3dda790

SHA1
48413e2a67f03785f707ed28c6f3947d5cbfbea4

SHA256
6e04c8aed8b930163ce3dda5fba0967658a67751e9cab6b482cbae0246e8d0f5

SHA512
e3676d2a99d4a7b9478cbfb86515f7c7e1faf13b0c827786d5ebc78378c3126cf13ec4b35c4a1a4523f3bf6843d7d81ea0cc89a45ec56716201294d76ec7d0b9

Download Submit
C:\Windows\System\ulUXzKQ.exe

Filesize
2.1MB

MD5
3d350fc83d416854d327e75047f2fb0d

SHA1
508702e7510c192a0f47351971f5614886121f2f

SHA256
d84be13c946ae19c36bf3a3190380834aac2c852c17a3fe61c4fffc3058f6183

SHA512
194b7dff1b8b1d81468e153159cb2c89e7c4ea297427ceb1efe8cd4176fbe2050e05cf78a5c2cb712dab3976315f90a6182413da56a14503a9e81e8dcb7bbbfa

Download Submit
C:\Windows\System\vknzNFw.exe

Filesize
2.1MB

MD5
cf978ae46ad55067fff5546146f38ca8

SHA1
eacf072d8679609f6bd86f3922683b54c2d5a73d

SHA256
ff96497d46e42bb5c86de2195afb477d1487fc649eb38d52f50654e77ac8163d

SHA512
355bb531cd126478d7f152ab98da9da45bfe1eeea357eda13c1deda17829d67d377d24adfe04e45479042f8d0c65f6320ee3fc9c067418d0396ea45b38c4cee2

Download Submit
C:\Windows\System\wTJgwoa.exe

Filesize
2.1MB

MD5
c8327665e492493c071de105bda604c4

SHA1
4a0d5144264324ef7580babc78aab435a7a37505

SHA256
c7f117ab786a2b5caabf4fb08c63e842e7829171bb2488e2fbaa696f1c7af327

SHA512
2bd0911333bcef6d0c69d6a2bc020a1763d6ee61e5d24cf64e5e5823e51f05bcee68e16758631801229c5139b9adefaa35d4c3f6c9136c2fbb21d16a5437cb65

Download Submit
C:\Windows\System\xiKJrVd.exe

Filesize
2.1MB

MD5
898b9d7ac2d287f33eba060954f5d7ae

SHA1
09e5f710cc18514cece0b9be3f2d68b08c33b0dd

SHA256
92e1d91884a19ed3408fc79dfacfe41aebeffbab4968b08013cbd96398f84e5c

SHA512
c1dacaf304f670fa1878af79dedcba5222e671326789c401ed5d79392ac8cc684ae752294bf61289cc393ccc2fb8c05680dc339a767eafd7a6ee5a80bed7030a

Download Submit
C:\Windows\System\xiKJrVd.exe

Filesize
960KB

MD5
180ec18cff675908ea09fb02b8edeae7

SHA1
908a0fde6e66598e819044f800d2fb12a2c2d5e4

SHA256
35e0571c2720559fc2e392ef1ac01a4890a7f5a52de790fe0560ba1ddb8b0978

SHA512
f4efca4f8c80307ac309f06271cca1b553bd93330b442aaa71749f3ce5f3d47dab778dbee66162c088762bb8f4726a65ed8e5313f9bd8da09d951b910b9f8e49

Download Submit
C:\Windows\System\yGDyhXG.exe

Filesize
2.1MB

MD5
5f69f10ef0979e080963ccb9e8784c50

SHA1
fc6fd07b585a4027f07fba144d0cc15447aa5cf1

SHA256
0c98ec6109c92720fddbfc7f9b8fcba750d6c4eb272978fa3ccf0c9e313b0eaf

SHA512
3849cb88cd4dd55912507db705bf7ac2d05de76df8da91d826290d14f1dd2be57ba8d8c9f7915e65919ca3c2a6bce588a3d97ab9605ebf256bc887122d8afed5

Download Submit
C:\Windows\System\yRGucpS.exe

Filesize
2.1MB

MD5
71515d8e05046b7b9e9415bbc3033314

SHA1
2337b4267f52c9b8e2507a683236256f38ccecd5

SHA256
9ea7c2daec67d5be1981e0ba2b43d1d44959328affa8dc7642a7f6a289d3ce1c

SHA512
3be2d3296c24a61369e8223a53b51090fedb929060005354920a9efd86d64ea6853658330a43e0fc3ba3b4155f0ce93e0d137bf51eba86920f97b8956a86532f

Download Submit
C:\Windows\System\yUGudjK.exe

Filesize
2.1MB

MD5
b79c4e2164af65f4c793b7322373a574

SHA1
4cd59ee9a3cf46a7110bead366521fe65b917c75

SHA256
a4924e014b8a3a24fd873bb3f6ae317503e0b494d94faa0b7eccdd14a7213c4a

SHA512
20ec48a0a9fbf2b6c50d6581fc2d31c8a46f53f835304626c0c1de87013b9b1604f3495a11bacee5195f95d5357114a9be2771989b89751c006d19646ae5991b

Download Submit
memory/396-1013-0x00007FF6CD0E0000-0x00007FF6CD434000-memory.dmp

Filesize
3.3MB

Download
memory/436-33-0x00007FF65EA80000-0x00007FF65EDD4000-memory.dmp

Filesize
3.3MB

Download
memory/440-1095-0x00007FF703080000-0x00007FF7033D4000-memory.dmp

Filesize
3.3MB

Download
memory/740-1077-0x00007FF7284B0000-0x00007FF728804000-memory.dmp

Filesize
3.3MB

Download
memory/860-924-0x00007FF693280000-0x00007FF6935D4000-memory.dmp

Filesize
3.3MB

Download
memory/952-1100-0x00007FF65A3A0000-0x00007FF65A6F4000-memory.dmp

Filesize
3.3MB

Download
memory/1044-627-0x00007FF601160000-0x00007FF6014B4000-memory.dmp

Filesize
3.3MB

Download
memory/1204-622-0x00007FF777EB0000-0x00007FF778204000-memory.dmp

Filesize
3.3MB

Download
memory/1392-621-0x00007FF6B1E70000-0x00007FF6B21C4000-memory.dmp

Filesize
3.3MB

Download
memory/1584-1081-0x00007FF67FBB0000-0x00007FF67FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1644-617-0x00007FF6034D0000-0x00007FF603824000-memory.dmp

Filesize
3.3MB

Download
memory/1748-625-0x00007FF6772B0000-0x00007FF677604000-memory.dmp

Filesize
3.3MB

Download
memory/1800-629-0x00007FF7DF3F0000-0x00007FF7DF744000-memory.dmp

Filesize
3.3MB

Download
memory/1804-1083-0x00007FF709B70000-0x00007FF709EC4000-memory.dmp

Filesize
3.3MB

Download
memory/1928-22-0x00007FF631740000-0x00007FF631A94000-memory.dmp

Filesize
3.3MB

Download
memory/1936-1019-0x00007FF6DDC70000-0x00007FF6DDFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-1092-0x00007FF663610000-0x00007FF663964000-memory.dmp

Filesize
3.3MB

Download
memory/2012-310-0x00007FF6F4820000-0x00007FF6F4B74000-memory.dmp

Filesize
3.3MB

Download
memory/2072-1072-0x00007FF6E90F0000-0x00007FF6E9444000-memory.dmp

Filesize
3.3MB

Download
memory/2240-1089-0x00007FF79D210000-0x00007FF79D564000-memory.dmp

Filesize
3.3MB

Download
memory/2280-1101-0x00007FF75EAB0000-0x00007FF75EE04000-memory.dmp

Filesize
3.3MB

Download
memory/2400-1061-0x00007FF6986A0000-0x00007FF6989F4000-memory.dmp

Filesize
3.3MB

Download
memory/2452-916-0x00007FF60D9B0000-0x00007FF60DD04000-memory.dmp

Filesize
3.3MB

Download
memory/2576-1-0x000001E28CC00000-0x000001E28CC10000-memory.dmp

Filesize
64KB

Download
memory/2576-0-0x00007FF769E30000-0x00007FF76A184000-memory.dmp

Filesize
3.3MB

Download
memory/2580-1075-0x00007FF7DA820000-0x00007FF7DAB74000-memory.dmp

Filesize
3.3MB

Download
memory/2604-1078-0x00007FF697260000-0x00007FF6975B4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-1088-0x00007FF7DA010000-0x00007FF7DA364000-memory.dmp

Filesize
3.3MB

Download
memory/2700-624-0x00007FF7AA4F0000-0x00007FF7AA844000-memory.dmp

Filesize
3.3MB

Download
memory/2716-1103-0x00007FF7DBB70000-0x00007FF7DBEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2748-1102-0x00007FF64BC30000-0x00007FF64BF84000-memory.dmp

Filesize
3.3MB

Download
memory/3036-1096-0x00007FF737920000-0x00007FF737C74000-memory.dmp

Filesize
3.3MB

Download
memory/3100-150-0x00007FF7299B0000-0x00007FF729D04000-memory.dmp

Filesize
3.3MB

Download
memory/3116-618-0x00007FF7C7910000-0x00007FF7C7C64000-memory.dmp

Filesize
3.3MB

Download
memory/3460-1097-0x00007FF76AC00000-0x00007FF76AF54000-memory.dmp

Filesize
3.3MB

Download
memory/3468-628-0x00007FF79DE90000-0x00007FF79E1E4000-memory.dmp

Filesize
3.3MB

Download
memory/3516-724-0x00007FF7B0CC0000-0x00007FF7B1014000-memory.dmp

Filesize
3.3MB

Download
memory/3644-691-0x00007FF7B3AA0000-0x00007FF7B3DF4000-memory.dmp

Filesize
3.3MB

Download
memory/3732-1080-0x00007FF7B1710000-0x00007FF7B1A64000-memory.dmp

Filesize
3.3MB

Download
memory/3912-1085-0x00007FF602D00000-0x00007FF603054000-memory.dmp

Filesize
3.3MB

Download
memory/3964-626-0x00007FF72B1C0000-0x00007FF72B514000-memory.dmp

Filesize
3.3MB

Download
memory/4036-876-0x00007FF600BE0000-0x00007FF600F34000-memory.dmp

Filesize
3.3MB

Download
memory/4104-611-0x00007FF7A0340000-0x00007FF7A0694000-memory.dmp

Filesize
3.3MB

Download
memory/4156-1098-0x00007FF78E4B0000-0x00007FF78E804000-memory.dmp

Filesize
3.3MB

Download
memory/4180-13-0x00007FF719C80000-0x00007FF719FD4000-memory.dmp

Filesize
3.3MB

Download
memory/4304-1079-0x00007FF7D82B0000-0x00007FF7D8604000-memory.dmp

Filesize
3.3MB

Download
memory/4324-1094-0x00007FF788870000-0x00007FF788BC4000-memory.dmp

Filesize
3.3MB

Download
memory/4364-1093-0x00007FF63B6B0000-0x00007FF63BA04000-memory.dmp

Filesize
3.3MB

Download
memory/4404-423-0x00007FF7B44C0000-0x00007FF7B4814000-memory.dmp

Filesize
3.3MB

Download
memory/4432-1099-0x00007FF79CC70000-0x00007FF79CFC4000-memory.dmp

Filesize
3.3MB

Download
memory/4440-73-0x00007FF7E7340000-0x00007FF7E7694000-memory.dmp

Filesize
3.3MB

Download
memory/4480-620-0x00007FF6221B0000-0x00007FF622504000-memory.dmp

Filesize
3.3MB

Download
memory/4492-1084-0x00007FF7A4870000-0x00007FF7A4BC4000-memory.dmp

Filesize
3.3MB

Download
memory/4504-1087-0x00007FF7E6980000-0x00007FF7E6CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4544-619-0x00007FF7DFB20000-0x00007FF7DFE74000-memory.dmp

Filesize
3.3MB

Download
memory/4628-1039-0x00007FF695390000-0x00007FF6956E4000-memory.dmp

Filesize
3.3MB

Download
memory/4792-623-0x00007FF774EC0000-0x00007FF775214000-memory.dmp

Filesize
3.3MB

Download
memory/4816-46-0x00007FF7D2EA0000-0x00007FF7D31F4000-memory.dmp

Filesize
3.3MB

Download
memory/4832-1086-0x00007FF7A06A0000-0x00007FF7A09F4000-memory.dmp

Filesize
3.3MB

Download
memory/4920-1090-0x00007FF6893F0000-0x00007FF689744000-memory.dmp

Filesize
3.3MB

Download
memory/4940-103-0x00007FF775120000-0x00007FF775474000-memory.dmp

Filesize
3.3MB

Download
memory/4980-1069-0x00007FF79CC00000-0x00007FF79CF54000-memory.dmp

Filesize
3.3MB

Download
memory/5024-1091-0x00007FF6927C0000-0x00007FF692B14000-memory.dmp

Filesize
3.3MB

Download
memory/5040-229-0x00007FF69AC40000-0x00007FF69AF94000-memory.dmp

Filesize
3.3MB

Download
memory/5080-1082-0x00007FF74F590000-0x00007FF74F8E4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads