xmrig | 301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
Size

1.4MB
MD5

3ad16a775f9a50170792b872a18d3548
SHA1

32015a91fb9cbd26cfcca1c4d9ec87e8cc6bd4b1
SHA256

301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe
SHA512

ea3923055961e6e147ea78043e567891162a955e6af9e4239731021b2e42f87d2d9b4a9297636d9008285ff97767a16b7837261534572c39557fcb3b125be473
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbcZ4GhX/dERVwURI68csrEjhlVI:knw9oUUEEDlGUJ8Y9ctYVk68yI

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4324-0-0x00007FF726B40000-0x00007FF726F31000-memory.dmp	UPX
behavioral2/files/0x000700000002321b-6.dat	UPX
behavioral2/files/0x0004000000022747-11.dat	UPX
behavioral2/files/0x000700000002321c-15.dat	UPX
behavioral2/memory/540-14-0x00007FF68ED70000-0x00007FF68F161000-memory.dmp	UPX
behavioral2/files/0x000700000002321c-19.dat	UPX
behavioral2/files/0x000700000002321d-23.dat	UPX
behavioral2/files/0x000700000002321d-27.dat	UPX
behavioral2/files/0x000700000002321e-33.dat	UPX
behavioral2/files/0x000700000002321f-35.dat	UPX
behavioral2/files/0x0007000000023220-40.dat	UPX
behavioral2/files/0x0007000000023220-42.dat	UPX
behavioral2/memory/1312-47-0x00007FF66F920000-0x00007FF66FD11000-memory.dmp	UPX
behavioral2/memory/1876-51-0x00007FF7ED440000-0x00007FF7ED831000-memory.dmp	UPX
behavioral2/files/0x0007000000023221-52.dat	UPX
behavioral2/memory/1892-54-0x00007FF713420000-0x00007FF713811000-memory.dmp	UPX
behavioral2/files/0x0007000000023222-49.dat	UPX
behavioral2/files/0x0007000000023221-46.dat	UPX
behavioral2/memory/3172-41-0x00007FF7C2020000-0x00007FF7C2411000-memory.dmp	UPX
behavioral2/memory/2368-39-0x00007FF65D8F0000-0x00007FF65DCE1000-memory.dmp	UPX
behavioral2/files/0x000700000002321f-31.dat	UPX
behavioral2/memory/3204-30-0x00007FF742000000-0x00007FF7423F1000-memory.dmp	UPX
behavioral2/files/0x000700000002321e-25.dat	UPX
behavioral2/files/0x0008000000023217-59.dat	UPX
behavioral2/files/0x0007000000023223-65.dat	UPX
behavioral2/memory/3212-69-0x00007FF749E20000-0x00007FF74A211000-memory.dmp	UPX
behavioral2/memory/2568-70-0x00007FF770D10000-0x00007FF771101000-memory.dmp	UPX
behavioral2/files/0x0007000000023225-80.dat	UPX
behavioral2/files/0x0007000000023229-97.dat	UPX
behavioral2/files/0x000700000002322a-102.dat	UPX
behavioral2/files/0x0007000000023236-162.dat	UPX
behavioral2/memory/4496-256-0x00007FF737010000-0x00007FF737401000-memory.dmp	UPX
behavioral2/memory/892-255-0x00007FF796320000-0x00007FF796711000-memory.dmp	UPX
behavioral2/memory/1680-257-0x00007FF6981C0000-0x00007FF6985B1000-memory.dmp	UPX
behavioral2/memory/3888-258-0x00007FF7603B0000-0x00007FF7607A1000-memory.dmp	UPX
behavioral2/memory/3924-260-0x00007FF774430000-0x00007FF774821000-memory.dmp	UPX
behavioral2/memory/940-259-0x00007FF7B7ED0000-0x00007FF7B82C1000-memory.dmp	UPX
behavioral2/memory/2416-265-0x00007FF7E9540000-0x00007FF7E9931000-memory.dmp	UPX
behavioral2/files/0x0007000000023238-170.dat	UPX
behavioral2/memory/2444-269-0x00007FF7F3030000-0x00007FF7F3421000-memory.dmp	UPX
behavioral2/memory/5060-284-0x00007FF71E650000-0x00007FF71EA41000-memory.dmp	UPX
behavioral2/memory/4156-295-0x00007FF6C9E40000-0x00007FF6CA231000-memory.dmp	UPX
behavioral2/memory/828-302-0x00007FF7E2E90000-0x00007FF7E3281000-memory.dmp	UPX
behavioral2/memory/3144-312-0x00007FF628190000-0x00007FF628581000-memory.dmp	UPX
behavioral2/memory/3596-317-0x00007FF61C9A0000-0x00007FF61CD91000-memory.dmp	UPX
behavioral2/memory/2792-327-0x00007FF77E270000-0x00007FF77E661000-memory.dmp	UPX
behavioral2/memory/3276-331-0x00007FF773870000-0x00007FF773C61000-memory.dmp	UPX
behavioral2/memory/3340-336-0x00007FF70ED40000-0x00007FF70F131000-memory.dmp	UPX
behavioral2/memory/440-340-0x00007FF7285F0000-0x00007FF7289E1000-memory.dmp	UPX
behavioral2/memory/1048-345-0x00007FF7A88B0000-0x00007FF7A8CA1000-memory.dmp	UPX
behavioral2/memory/880-349-0x00007FF6B2190000-0x00007FF6B2581000-memory.dmp	UPX
behavioral2/memory/1116-355-0x00007FF693260000-0x00007FF693651000-memory.dmp	UPX
behavioral2/memory/4860-358-0x00007FF775660000-0x00007FF775A51000-memory.dmp	UPX
behavioral2/memory/3964-289-0x00007FF771960000-0x00007FF771D51000-memory.dmp	UPX
behavioral2/memory/4820-279-0x00007FF6993B0000-0x00007FF6997A1000-memory.dmp	UPX
behavioral2/memory/5056-273-0x00007FF684A20000-0x00007FF684E11000-memory.dmp	UPX
behavioral2/memory/3100-390-0x00007FF634820000-0x00007FF634C11000-memory.dmp	UPX
behavioral2/memory/3920-393-0x00007FF692AF0000-0x00007FF692EE1000-memory.dmp	UPX
behavioral2/memory/1076-395-0x00007FF7190A0000-0x00007FF719491000-memory.dmp	UPX
behavioral2/files/0x0007000000023237-167.dat	UPX
behavioral2/memory/4368-396-0x00007FF7E21B0000-0x00007FF7E25A1000-memory.dmp	UPX
behavioral2/memory/3996-397-0x00007FF766A90000-0x00007FF766E81000-memory.dmp	UPX
behavioral2/memory/1848-399-0x00007FF6356A0000-0x00007FF635A91000-memory.dmp	UPX
behavioral2/memory/1672-401-0x00007FF6124B0000-0x00007FF6128A1000-memory.dmp	UPX

XMRig Miner payload 58 IoCs

miner

resource	yara_rule
behavioral2/memory/1312-47-0x00007FF66F920000-0x00007FF66FD11000-memory.dmp	xmrig
behavioral2/memory/3172-41-0x00007FF7C2020000-0x00007FF7C2411000-memory.dmp	xmrig
behavioral2/memory/2368-39-0x00007FF65D8F0000-0x00007FF65DCE1000-memory.dmp	xmrig
behavioral2/memory/3204-30-0x00007FF742000000-0x00007FF7423F1000-memory.dmp	xmrig
behavioral2/memory/3212-69-0x00007FF749E20000-0x00007FF74A211000-memory.dmp	xmrig
behavioral2/memory/2568-70-0x00007FF770D10000-0x00007FF771101000-memory.dmp	xmrig
behavioral2/memory/4496-256-0x00007FF737010000-0x00007FF737401000-memory.dmp	xmrig
behavioral2/memory/892-255-0x00007FF796320000-0x00007FF796711000-memory.dmp	xmrig
behavioral2/memory/1680-257-0x00007FF6981C0000-0x00007FF6985B1000-memory.dmp	xmrig
behavioral2/memory/3888-258-0x00007FF7603B0000-0x00007FF7607A1000-memory.dmp	xmrig
behavioral2/memory/3924-260-0x00007FF774430000-0x00007FF774821000-memory.dmp	xmrig
behavioral2/memory/940-259-0x00007FF7B7ED0000-0x00007FF7B82C1000-memory.dmp	xmrig
behavioral2/memory/2416-265-0x00007FF7E9540000-0x00007FF7E9931000-memory.dmp	xmrig
behavioral2/memory/2444-269-0x00007FF7F3030000-0x00007FF7F3421000-memory.dmp	xmrig
behavioral2/memory/5060-284-0x00007FF71E650000-0x00007FF71EA41000-memory.dmp	xmrig
behavioral2/memory/4156-295-0x00007FF6C9E40000-0x00007FF6CA231000-memory.dmp	xmrig
behavioral2/memory/828-302-0x00007FF7E2E90000-0x00007FF7E3281000-memory.dmp	xmrig
behavioral2/memory/3144-312-0x00007FF628190000-0x00007FF628581000-memory.dmp	xmrig
behavioral2/memory/3596-317-0x00007FF61C9A0000-0x00007FF61CD91000-memory.dmp	xmrig
behavioral2/memory/2792-327-0x00007FF77E270000-0x00007FF77E661000-memory.dmp	xmrig
behavioral2/memory/3276-331-0x00007FF773870000-0x00007FF773C61000-memory.dmp	xmrig
behavioral2/memory/3340-336-0x00007FF70ED40000-0x00007FF70F131000-memory.dmp	xmrig
behavioral2/memory/440-340-0x00007FF7285F0000-0x00007FF7289E1000-memory.dmp	xmrig
behavioral2/memory/1048-345-0x00007FF7A88B0000-0x00007FF7A8CA1000-memory.dmp	xmrig
behavioral2/memory/880-349-0x00007FF6B2190000-0x00007FF6B2581000-memory.dmp	xmrig
behavioral2/memory/1116-355-0x00007FF693260000-0x00007FF693651000-memory.dmp	xmrig
behavioral2/memory/4860-358-0x00007FF775660000-0x00007FF775A51000-memory.dmp	xmrig
behavioral2/memory/3964-289-0x00007FF771960000-0x00007FF771D51000-memory.dmp	xmrig
behavioral2/memory/4820-279-0x00007FF6993B0000-0x00007FF6997A1000-memory.dmp	xmrig
behavioral2/memory/5056-273-0x00007FF684A20000-0x00007FF684E11000-memory.dmp	xmrig
behavioral2/memory/3100-390-0x00007FF634820000-0x00007FF634C11000-memory.dmp	xmrig
behavioral2/memory/3920-393-0x00007FF692AF0000-0x00007FF692EE1000-memory.dmp	xmrig
behavioral2/memory/1076-395-0x00007FF7190A0000-0x00007FF719491000-memory.dmp	xmrig
behavioral2/memory/4368-396-0x00007FF7E21B0000-0x00007FF7E25A1000-memory.dmp	xmrig
behavioral2/memory/3996-397-0x00007FF766A90000-0x00007FF766E81000-memory.dmp	xmrig
behavioral2/memory/1848-399-0x00007FF6356A0000-0x00007FF635A91000-memory.dmp	xmrig
behavioral2/memory/1672-401-0x00007FF6124B0000-0x00007FF6128A1000-memory.dmp	xmrig
behavioral2/memory/1144-408-0x00007FF7B0EB0000-0x00007FF7B12A1000-memory.dmp	xmrig
behavioral2/memory/2404-410-0x00007FF7492A0000-0x00007FF749691000-memory.dmp	xmrig
behavioral2/memory/4760-413-0x00007FF7A3D00000-0x00007FF7A40F1000-memory.dmp	xmrig
behavioral2/memory/4644-420-0x00007FF69C780000-0x00007FF69CB71000-memory.dmp	xmrig
behavioral2/memory/1032-423-0x00007FF74F740000-0x00007FF74FB31000-memory.dmp	xmrig
behavioral2/memory/3896-415-0x00007FF776EF0000-0x00007FF7772E1000-memory.dmp	xmrig
behavioral2/memory/4880-412-0x00007FF7A28B0000-0x00007FF7A2CA1000-memory.dmp	xmrig
behavioral2/memory/3580-433-0x00007FF676690000-0x00007FF676A81000-memory.dmp	xmrig
behavioral2/memory/5032-435-0x00007FF798C90000-0x00007FF799081000-memory.dmp	xmrig
behavioral2/memory/4552-512-0x00007FF7C1E30000-0x00007FF7C2221000-memory.dmp	xmrig
behavioral2/memory/4864-520-0x00007FF601A20000-0x00007FF601E11000-memory.dmp	xmrig
behavioral2/memory/1640-524-0x00007FF7A1EA0000-0x00007FF7A2291000-memory.dmp	xmrig
behavioral2/memory/4576-530-0x00007FF7194A0000-0x00007FF719891000-memory.dmp	xmrig
behavioral2/memory/1984-535-0x00007FF619CF0000-0x00007FF61A0E1000-memory.dmp	xmrig
behavioral2/memory/2464-536-0x00007FF75CDC0000-0x00007FF75D1B1000-memory.dmp	xmrig
behavioral2/memory/4028-539-0x00007FF6B4FD0000-0x00007FF6B53C1000-memory.dmp	xmrig
behavioral2/memory/3264-556-0x00007FF70FB00000-0x00007FF70FEF1000-memory.dmp	xmrig
behavioral2/memory/3296-559-0x00007FF714230000-0x00007FF714621000-memory.dmp	xmrig
behavioral2/memory/1040-575-0x00007FF649540000-0x00007FF649931000-memory.dmp	xmrig
behavioral2/memory/824-548-0x00007FF6A19C0000-0x00007FF6A1DB1000-memory.dmp	xmrig
behavioral2/memory/2184-543-0x00007FF70E460000-0x00007FF70E851000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4412	NfMRsHp.exe
540	YPgsERJ.exe
764	pWkRkeb.exe
3204	qmTasBJ.exe
2368	YKQOHNZ.exe
3172	jROcXKK.exe
1312	gfClqHG.exe
1876	JoqvgeC.exe
1892	tfUJVsW.exe
3212	jLVWrFd.exe
2568	NWycxDD.exe
892	BNYOMvN.exe
4496	hACFZRt.exe
1680	TuQEnQw.exe
3888	eygSsdo.exe
940	DKdhwUy.exe
3924	ojuUJHt.exe
2416	iLtOgjD.exe
2444	GWiXXkp.exe
5056	JBFcHGh.exe
4820	HExvhtj.exe
5060	qwlSrkU.exe
3964	WqNBPyT.exe
4156	yLesosm.exe
828	kLujHMD.exe
3144	yLvBdjG.exe
3596	UWYkdYz.exe
2792	yiDSkon.exe
3276	IbNZGNN.exe
3340	gqEIRbH.exe
440	syFDhkh.exe
1048	llLpYRB.exe
880	LQxOMRt.exe
1116	fuCznTf.exe
4860	AkklwrL.exe
3100	ebIJqIL.exe
3920	ExZUtjV.exe
1076	nvAHXAN.exe
4368	SefiVPT.exe
3996	letEhpd.exe
1848	EboNipu.exe
1672	fwnEgSD.exe
1144	pDkNEeI.exe
2404	oyWCaRx.exe
4880	WeqIFTz.exe
4760	kSTBhoB.exe
3896	rKuEVNT.exe
4644	wUaqJtj.exe
1032	kuUJMPE.exe
3580	gsKSaNz.exe
5032	YWLczHI.exe
4552	fxofwWv.exe
4864	jAgZbvX.exe
1640	MYYBVwf.exe
4576	tPKyfQj.exe
1984	ZPIyQwf.exe
2464	dLUFeBL.exe
4028	ZkdHBkO.exe
2184	JnqUvmr.exe
2532	MULAwBk.exe
824	bqAABLp.exe
4992	OJCVcGa.exe
3264	jsNkBaz.exe
4480	LcCCBaS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4324-0-0x00007FF726B40000-0x00007FF726F31000-memory.dmp	upx
behavioral2/files/0x000700000002321b-6.dat	upx
behavioral2/files/0x0004000000022747-11.dat	upx
behavioral2/files/0x000700000002321c-15.dat	upx
behavioral2/memory/540-14-0x00007FF68ED70000-0x00007FF68F161000-memory.dmp	upx
behavioral2/files/0x000700000002321c-19.dat	upx
behavioral2/files/0x000700000002321d-23.dat	upx
behavioral2/files/0x000700000002321d-27.dat	upx
behavioral2/files/0x000700000002321e-33.dat	upx
behavioral2/files/0x000700000002321f-35.dat	upx
behavioral2/files/0x0007000000023220-40.dat	upx
behavioral2/files/0x0007000000023220-42.dat	upx
behavioral2/memory/1312-47-0x00007FF66F920000-0x00007FF66FD11000-memory.dmp	upx
behavioral2/memory/1876-51-0x00007FF7ED440000-0x00007FF7ED831000-memory.dmp	upx
behavioral2/files/0x0007000000023221-52.dat	upx
behavioral2/memory/1892-54-0x00007FF713420000-0x00007FF713811000-memory.dmp	upx
behavioral2/files/0x0007000000023222-49.dat	upx
behavioral2/files/0x0007000000023221-46.dat	upx
behavioral2/memory/3172-41-0x00007FF7C2020000-0x00007FF7C2411000-memory.dmp	upx
behavioral2/memory/2368-39-0x00007FF65D8F0000-0x00007FF65DCE1000-memory.dmp	upx
behavioral2/files/0x000700000002321f-31.dat	upx
behavioral2/memory/3204-30-0x00007FF742000000-0x00007FF7423F1000-memory.dmp	upx
behavioral2/files/0x000700000002321e-25.dat	upx
behavioral2/files/0x0008000000023217-59.dat	upx
behavioral2/files/0x0007000000023223-65.dat	upx
behavioral2/memory/3212-69-0x00007FF749E20000-0x00007FF74A211000-memory.dmp	upx
behavioral2/memory/2568-70-0x00007FF770D10000-0x00007FF771101000-memory.dmp	upx
behavioral2/files/0x0007000000023225-80.dat	upx
behavioral2/files/0x0007000000023229-97.dat	upx
behavioral2/files/0x000700000002322a-102.dat	upx
behavioral2/files/0x0007000000023236-162.dat	upx
behavioral2/memory/4496-256-0x00007FF737010000-0x00007FF737401000-memory.dmp	upx
behavioral2/memory/892-255-0x00007FF796320000-0x00007FF796711000-memory.dmp	upx
behavioral2/memory/1680-257-0x00007FF6981C0000-0x00007FF6985B1000-memory.dmp	upx
behavioral2/memory/3888-258-0x00007FF7603B0000-0x00007FF7607A1000-memory.dmp	upx
behavioral2/memory/3924-260-0x00007FF774430000-0x00007FF774821000-memory.dmp	upx
behavioral2/memory/940-259-0x00007FF7B7ED0000-0x00007FF7B82C1000-memory.dmp	upx
behavioral2/memory/2416-265-0x00007FF7E9540000-0x00007FF7E9931000-memory.dmp	upx
behavioral2/files/0x0007000000023238-170.dat	upx
behavioral2/memory/2444-269-0x00007FF7F3030000-0x00007FF7F3421000-memory.dmp	upx
behavioral2/memory/5060-284-0x00007FF71E650000-0x00007FF71EA41000-memory.dmp	upx
behavioral2/memory/4156-295-0x00007FF6C9E40000-0x00007FF6CA231000-memory.dmp	upx
behavioral2/memory/828-302-0x00007FF7E2E90000-0x00007FF7E3281000-memory.dmp	upx
behavioral2/memory/3144-312-0x00007FF628190000-0x00007FF628581000-memory.dmp	upx
behavioral2/memory/3596-317-0x00007FF61C9A0000-0x00007FF61CD91000-memory.dmp	upx
behavioral2/memory/2792-327-0x00007FF77E270000-0x00007FF77E661000-memory.dmp	upx
behavioral2/memory/3276-331-0x00007FF773870000-0x00007FF773C61000-memory.dmp	upx
behavioral2/memory/3340-336-0x00007FF70ED40000-0x00007FF70F131000-memory.dmp	upx
behavioral2/memory/440-340-0x00007FF7285F0000-0x00007FF7289E1000-memory.dmp	upx
behavioral2/memory/1048-345-0x00007FF7A88B0000-0x00007FF7A8CA1000-memory.dmp	upx
behavioral2/memory/880-349-0x00007FF6B2190000-0x00007FF6B2581000-memory.dmp	upx
behavioral2/memory/1116-355-0x00007FF693260000-0x00007FF693651000-memory.dmp	upx
behavioral2/memory/4860-358-0x00007FF775660000-0x00007FF775A51000-memory.dmp	upx
behavioral2/memory/3964-289-0x00007FF771960000-0x00007FF771D51000-memory.dmp	upx
behavioral2/memory/4820-279-0x00007FF6993B0000-0x00007FF6997A1000-memory.dmp	upx
behavioral2/memory/5056-273-0x00007FF684A20000-0x00007FF684E11000-memory.dmp	upx
behavioral2/memory/3100-390-0x00007FF634820000-0x00007FF634C11000-memory.dmp	upx
behavioral2/memory/3920-393-0x00007FF692AF0000-0x00007FF692EE1000-memory.dmp	upx
behavioral2/memory/1076-395-0x00007FF7190A0000-0x00007FF719491000-memory.dmp	upx
behavioral2/files/0x0007000000023237-167.dat	upx
behavioral2/memory/4368-396-0x00007FF7E21B0000-0x00007FF7E25A1000-memory.dmp	upx
behavioral2/memory/3996-397-0x00007FF766A90000-0x00007FF766E81000-memory.dmp	upx
behavioral2/memory/1848-399-0x00007FF6356A0000-0x00007FF635A91000-memory.dmp	upx
behavioral2/memory/1672-401-0x00007FF6124B0000-0x00007FF6128A1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\gfClqHG.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\fcXQjDi.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\WcFYSPK.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\sppuSkA.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\rdfvNlq.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\ayOypjm.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\oVuLNvZ.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\iAENKxZ.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\aUaajWV.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\zYwXshg.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\uUjpxsF.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\jROcXKK.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\JoqvgeC.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\HAfWvQw.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\EeQOvzc.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\mRVyfPx.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\GifmWSi.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\VwxpbSP.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\VnmKfFG.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\LOcKfWm.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\EXlbYen.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\WtakvqP.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\NqyGntX.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\UdsDMDX.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\fPpBQrY.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\BNYOMvN.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\jUilxMH.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\wgzsmOQ.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\VlaCQmy.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\QmxaAbQ.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\pDkNEeI.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\uWnKBQP.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\WAOLaxE.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\EtKuATO.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\hDLbdfw.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\IsVpDcq.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\oqKdDex.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\UlGjzcw.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\NfMRsHp.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\QXqMrqF.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\RHEMYLn.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\yMFnHmE.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\JzCfqGK.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\ExZUtjV.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\DEURMdn.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\ToJwopc.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\xaauqzZ.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\JoCtXFA.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\fOBCnak.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\ONhrqha.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\KCOQTIb.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\aWNMrpI.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\IbNZGNN.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\WfBglRF.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\UMlzlHX.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\hACFZRt.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\zFGnnUR.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\kukFLYA.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\WqNBPyT.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\YAQbaka.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\xQxlNFc.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\JEooPPE.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\RKHCiKu.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
File created	C:\Windows\System32\NlvblVC.exe	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4284	dwm.exe
Token: SeChangeNotifyPrivilege	4284	dwm.exe
Token: 33	4284	dwm.exe
Token: SeIncBasePriorityPrivilege	4284	dwm.exe
Token: SeShutdownPrivilege	4284	dwm.exe
Token: SeCreatePagefilePrivilege	4284	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 4412	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	88
PID 4324 wrote to memory of 4412	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	88
PID 4324 wrote to memory of 540	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	89
PID 4324 wrote to memory of 540	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	89
PID 4324 wrote to memory of 764	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	90
PID 4324 wrote to memory of 764	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	90
PID 4324 wrote to memory of 3204	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	91
PID 4324 wrote to memory of 3204	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	91
PID 4324 wrote to memory of 2368	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	92
PID 4324 wrote to memory of 2368	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	92
PID 4324 wrote to memory of 3172	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	93
PID 4324 wrote to memory of 3172	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	93
PID 4324 wrote to memory of 1312	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	94
PID 4324 wrote to memory of 1312	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	94
PID 4324 wrote to memory of 1876	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	95
PID 4324 wrote to memory of 1876	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	95
PID 4324 wrote to memory of 1892	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	96
PID 4324 wrote to memory of 1892	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	96
PID 4324 wrote to memory of 3212	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	97
PID 4324 wrote to memory of 3212	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	97
PID 4324 wrote to memory of 2568	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	98
PID 4324 wrote to memory of 2568	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	98
PID 4324 wrote to memory of 892	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	99
PID 4324 wrote to memory of 892	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	99
PID 4324 wrote to memory of 4496	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	100
PID 4324 wrote to memory of 4496	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	100
PID 4324 wrote to memory of 1680	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	101
PID 4324 wrote to memory of 1680	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	101
PID 4324 wrote to memory of 3888	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	102
PID 4324 wrote to memory of 3888	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	102
PID 4324 wrote to memory of 940	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	103
PID 4324 wrote to memory of 940	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	103
PID 4324 wrote to memory of 3924	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	104
PID 4324 wrote to memory of 3924	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	104
PID 4324 wrote to memory of 2416	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	105
PID 4324 wrote to memory of 2416	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	105
PID 4324 wrote to memory of 2444	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	106
PID 4324 wrote to memory of 2444	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	106
PID 4324 wrote to memory of 5056	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	107
PID 4324 wrote to memory of 5056	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	107
PID 4324 wrote to memory of 4820	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	108
PID 4324 wrote to memory of 4820	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	108
PID 4324 wrote to memory of 5060	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	109
PID 4324 wrote to memory of 5060	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	109
PID 4324 wrote to memory of 3964	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	110
PID 4324 wrote to memory of 3964	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	110
PID 4324 wrote to memory of 4156	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	111
PID 4324 wrote to memory of 4156	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	111
PID 4324 wrote to memory of 828	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	112
PID 4324 wrote to memory of 828	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	112
PID 4324 wrote to memory of 3144	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	113
PID 4324 wrote to memory of 3144	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	113
PID 4324 wrote to memory of 3596	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	114
PID 4324 wrote to memory of 3596	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	114
PID 4324 wrote to memory of 2792	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	115
PID 4324 wrote to memory of 2792	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	115
PID 4324 wrote to memory of 3276	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	116
PID 4324 wrote to memory of 3276	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	116
PID 4324 wrote to memory of 3340	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	117
PID 4324 wrote to memory of 3340	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	117
PID 4324 wrote to memory of 440	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	118
PID 4324 wrote to memory of 440	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	118
PID 4324 wrote to memory of 1048	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	119
PID 4324 wrote to memory of 1048	4324	301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe	119

C:\Users\Admin\AppData\Local\Temp\301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe
"C:\Users\Admin\AppData\Local\Temp\301b856c3f63333148eb53a5e2d618f528a207e0ff4e274caf5b3ee2d94faebe.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\System32\NfMRsHp.exe
  C:\Windows\System32\NfMRsHp.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\YPgsERJ.exe
  C:\Windows\System32\YPgsERJ.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System32\pWkRkeb.exe
  C:\Windows\System32\pWkRkeb.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System32\qmTasBJ.exe
  C:\Windows\System32\qmTasBJ.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\YKQOHNZ.exe
  C:\Windows\System32\YKQOHNZ.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\jROcXKK.exe
  C:\Windows\System32\jROcXKK.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\gfClqHG.exe
  C:\Windows\System32\gfClqHG.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System32\JoqvgeC.exe
  C:\Windows\System32\JoqvgeC.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System32\tfUJVsW.exe
  C:\Windows\System32\tfUJVsW.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System32\jLVWrFd.exe
  C:\Windows\System32\jLVWrFd.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System32\NWycxDD.exe
  C:\Windows\System32\NWycxDD.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System32\BNYOMvN.exe
  C:\Windows\System32\BNYOMvN.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System32\hACFZRt.exe
  C:\Windows\System32\hACFZRt.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\TuQEnQw.exe
  C:\Windows\System32\TuQEnQw.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System32\eygSsdo.exe
  C:\Windows\System32\eygSsdo.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System32\DKdhwUy.exe
  C:\Windows\System32\DKdhwUy.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System32\ojuUJHt.exe
  C:\Windows\System32\ojuUJHt.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\iLtOgjD.exe
  C:\Windows\System32\iLtOgjD.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\GWiXXkp.exe
  C:\Windows\System32\GWiXXkp.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System32\JBFcHGh.exe
  C:\Windows\System32\JBFcHGh.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\HExvhtj.exe
  C:\Windows\System32\HExvhtj.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System32\qwlSrkU.exe
  C:\Windows\System32\qwlSrkU.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\WqNBPyT.exe
  C:\Windows\System32\WqNBPyT.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System32\yLesosm.exe
  C:\Windows\System32\yLesosm.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System32\kLujHMD.exe
  C:\Windows\System32\kLujHMD.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System32\yLvBdjG.exe
  C:\Windows\System32\yLvBdjG.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System32\UWYkdYz.exe
  C:\Windows\System32\UWYkdYz.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\yiDSkon.exe
  C:\Windows\System32\yiDSkon.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System32\IbNZGNN.exe
  C:\Windows\System32\IbNZGNN.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System32\gqEIRbH.exe
  C:\Windows\System32\gqEIRbH.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\syFDhkh.exe
  C:\Windows\System32\syFDhkh.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\llLpYRB.exe
  C:\Windows\System32\llLpYRB.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System32\LQxOMRt.exe
  C:\Windows\System32\LQxOMRt.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System32\fuCznTf.exe
  C:\Windows\System32\fuCznTf.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System32\AkklwrL.exe
  C:\Windows\System32\AkklwrL.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\ebIJqIL.exe
  C:\Windows\System32\ebIJqIL.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System32\ExZUtjV.exe
  C:\Windows\System32\ExZUtjV.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\nvAHXAN.exe
  C:\Windows\System32\nvAHXAN.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\SefiVPT.exe
  C:\Windows\System32\SefiVPT.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\letEhpd.exe
  C:\Windows\System32\letEhpd.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System32\EboNipu.exe
  C:\Windows\System32\EboNipu.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System32\fwnEgSD.exe
  C:\Windows\System32\fwnEgSD.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System32\pDkNEeI.exe
  C:\Windows\System32\pDkNEeI.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System32\oyWCaRx.exe
  C:\Windows\System32\oyWCaRx.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\WeqIFTz.exe
  C:\Windows\System32\WeqIFTz.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\kSTBhoB.exe
  C:\Windows\System32\kSTBhoB.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System32\rKuEVNT.exe
  C:\Windows\System32\rKuEVNT.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System32\wUaqJtj.exe
  C:\Windows\System32\wUaqJtj.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\kuUJMPE.exe
  C:\Windows\System32\kuUJMPE.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System32\gsKSaNz.exe
  C:\Windows\System32\gsKSaNz.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\YWLczHI.exe
  C:\Windows\System32\YWLczHI.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\fxofwWv.exe
  C:\Windows\System32\fxofwWv.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\jAgZbvX.exe
  C:\Windows\System32\jAgZbvX.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\MYYBVwf.exe
  C:\Windows\System32\MYYBVwf.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System32\tPKyfQj.exe
  C:\Windows\System32\tPKyfQj.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\ZPIyQwf.exe
  C:\Windows\System32\ZPIyQwf.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\dLUFeBL.exe
  C:\Windows\System32\dLUFeBL.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\ZkdHBkO.exe
  C:\Windows\System32\ZkdHBkO.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\JnqUvmr.exe
  C:\Windows\System32\JnqUvmr.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System32\MULAwBk.exe
  C:\Windows\System32\MULAwBk.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\bqAABLp.exe
  C:\Windows\System32\bqAABLp.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System32\OJCVcGa.exe
  C:\Windows\System32\OJCVcGa.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System32\jsNkBaz.exe
  C:\Windows\System32\jsNkBaz.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\LcCCBaS.exe
  C:\Windows\System32\LcCCBaS.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\WSRXmMB.exe
  C:\Windows\System32\WSRXmMB.exe
  2⤵
  PID:3024
- C:\Windows\System32\sNAFfCi.exe
  C:\Windows\System32\sNAFfCi.exe
  2⤵
  PID:4196
- C:\Windows\System32\wtxfufY.exe
  C:\Windows\System32\wtxfufY.exe
  2⤵
  PID:3296
- C:\Windows\System32\SylPxKW.exe
  C:\Windows\System32\SylPxKW.exe
  2⤵
  PID:2344
- C:\Windows\System32\tsyIsLa.exe
  C:\Windows\System32\tsyIsLa.exe
  2⤵
  PID:1708
- C:\Windows\System32\YeFKICt.exe
  C:\Windows\System32\YeFKICt.exe
  2⤵
  PID:1040
- C:\Windows\System32\FlvSlib.exe
  C:\Windows\System32\FlvSlib.exe
  2⤵
  PID:1832
- C:\Windows\System32\NqyGntX.exe
  C:\Windows\System32\NqyGntX.exe
  2⤵
  PID:3972
- C:\Windows\System32\kRIaazM.exe
  C:\Windows\System32\kRIaazM.exe
  2⤵
  PID:3200
- C:\Windows\System32\RjrmBPz.exe
  C:\Windows\System32\RjrmBPz.exe
  2⤵
  PID:5108
- C:\Windows\System32\QXqMrqF.exe
  C:\Windows\System32\QXqMrqF.exe
  2⤵
  PID:3412
- C:\Windows\System32\EfnVsFt.exe
  C:\Windows\System32\EfnVsFt.exe
  2⤵
  PID:1624
- C:\Windows\System32\MuWNkPj.exe
  C:\Windows\System32\MuWNkPj.exe
  2⤵
  PID:244
- C:\Windows\System32\UBeCpSE.exe
  C:\Windows\System32\UBeCpSE.exe
  2⤵
  PID:3288
- C:\Windows\System32\zFGnnUR.exe
  C:\Windows\System32\zFGnnUR.exe
  2⤵
  PID:1056
- C:\Windows\System32\pnyOsKy.exe
  C:\Windows\System32\pnyOsKy.exe
  2⤵
  PID:516
- C:\Windows\System32\YAQbaka.exe
  C:\Windows\System32\YAQbaka.exe
  2⤵
  PID:5156
- C:\Windows\System32\lmSODfT.exe
  C:\Windows\System32\lmSODfT.exe
  2⤵
  PID:5188
- C:\Windows\System32\GIjpPbG.exe
  C:\Windows\System32\GIjpPbG.exe
  2⤵
  PID:5236
- C:\Windows\System32\ZhGcIZt.exe
  C:\Windows\System32\ZhGcIZt.exe
  2⤵
  PID:5268
- C:\Windows\System32\aRALkla.exe
  C:\Windows\System32\aRALkla.exe
  2⤵
  PID:5308
- C:\Windows\System32\dnlIKKl.exe
  C:\Windows\System32\dnlIKKl.exe
  2⤵
  PID:5332
- C:\Windows\System32\qLNXyGD.exe
  C:\Windows\System32\qLNXyGD.exe
  2⤵
  PID:5352
- C:\Windows\System32\RKHCiKu.exe
  C:\Windows\System32\RKHCiKu.exe
  2⤵
  PID:5376
- C:\Windows\System32\bQUVOMP.exe
  C:\Windows\System32\bQUVOMP.exe
  2⤵
  PID:5416
- C:\Windows\System32\UhrhKmP.exe
  C:\Windows\System32\UhrhKmP.exe
  2⤵
  PID:5444
- C:\Windows\System32\aFmsnfB.exe
  C:\Windows\System32\aFmsnfB.exe
  2⤵
  PID:5488
- C:\Windows\System32\ITwHswe.exe
  C:\Windows\System32\ITwHswe.exe
  2⤵
  PID:5556
- C:\Windows\System32\mefkMWc.exe
  C:\Windows\System32\mefkMWc.exe
  2⤵
  PID:5588
- C:\Windows\System32\EULEuLW.exe
  C:\Windows\System32\EULEuLW.exe
  2⤵
  PID:5620
- C:\Windows\System32\mfFNGwH.exe
  C:\Windows\System32\mfFNGwH.exe
  2⤵
  PID:5684
- C:\Windows\System32\hflHvFD.exe
  C:\Windows\System32\hflHvFD.exe
  2⤵
  PID:5704
- C:\Windows\System32\rKuIumC.exe
  C:\Windows\System32\rKuIumC.exe
  2⤵
  PID:5724
- C:\Windows\System32\KobIWhz.exe
  C:\Windows\System32\KobIWhz.exe
  2⤵
  PID:5752
- C:\Windows\System32\GifmWSi.exe
  C:\Windows\System32\GifmWSi.exe
  2⤵
  PID:5812
- C:\Windows\System32\oCWtuXm.exe
  C:\Windows\System32\oCWtuXm.exe
  2⤵
  PID:5848
- C:\Windows\System32\qQqYcTb.exe
  C:\Windows\System32\qQqYcTb.exe
  2⤵
  PID:5876
- C:\Windows\System32\OazAPge.exe
  C:\Windows\System32\OazAPge.exe
  2⤵
  PID:5920
- C:\Windows\System32\nYmApnf.exe
  C:\Windows\System32\nYmApnf.exe
  2⤵
  PID:5952
- C:\Windows\System32\RQusAdQ.exe
  C:\Windows\System32\RQusAdQ.exe
  2⤵
  PID:6000
- C:\Windows\System32\rNOXLOz.exe
  C:\Windows\System32\rNOXLOz.exe
  2⤵
  PID:6036
- C:\Windows\System32\eKgKoLZ.exe
  C:\Windows\System32\eKgKoLZ.exe
  2⤵
  PID:6084
- C:\Windows\System32\UdsDMDX.exe
  C:\Windows\System32\UdsDMDX.exe
  2⤵
  PID:6104
- C:\Windows\System32\HAfWvQw.exe
  C:\Windows\System32\HAfWvQw.exe
  2⤵
  PID:6140
- C:\Windows\System32\wjTYRRP.exe
  C:\Windows\System32\wjTYRRP.exe
  2⤵
  PID:5128
- C:\Windows\System32\SRXgcAw.exe
  C:\Windows\System32\SRXgcAw.exe
  2⤵
  PID:3136
- C:\Windows\System32\NzgwvMh.exe
  C:\Windows\System32\NzgwvMh.exe
  2⤵
  PID:5228
- C:\Windows\System32\DbTEruv.exe
  C:\Windows\System32\DbTEruv.exe
  2⤵
  PID:4396
- C:\Windows\System32\OSWnIAv.exe
  C:\Windows\System32\OSWnIAv.exe
  2⤵
  PID:5400
- C:\Windows\System32\WSJGsGl.exe
  C:\Windows\System32\WSJGsGl.exe
  2⤵
  PID:5440
- C:\Windows\System32\DoZaaXj.exe
  C:\Windows\System32\DoZaaXj.exe
  2⤵
  PID:5468
- C:\Windows\System32\ZcCiQhV.exe
  C:\Windows\System32\ZcCiQhV.exe
  2⤵
  PID:5524
- C:\Windows\System32\WTCbQpy.exe
  C:\Windows\System32\WTCbQpy.exe
  2⤵
  PID:3576
- C:\Windows\System32\RCJePlB.exe
  C:\Windows\System32\RCJePlB.exe
  2⤵
  PID:2832
- C:\Windows\System32\hZYZvSe.exe
  C:\Windows\System32\hZYZvSe.exe
  2⤵
  PID:5716
- C:\Windows\System32\LFnJRaV.exe
  C:\Windows\System32\LFnJRaV.exe
  2⤵
  PID:5764
- C:\Windows\System32\gpAUvrW.exe
  C:\Windows\System32\gpAUvrW.exe
  2⤵
  PID:5828
- C:\Windows\System32\DEURMdn.exe
  C:\Windows\System32\DEURMdn.exe
  2⤵
  PID:5888
- C:\Windows\System32\gLUGegZ.exe
  C:\Windows\System32\gLUGegZ.exe
  2⤵
  PID:5944
- C:\Windows\System32\ayOypjm.exe
  C:\Windows\System32\ayOypjm.exe
  2⤵
  PID:6044
- C:\Windows\System32\MYoHTkj.exe
  C:\Windows\System32\MYoHTkj.exe
  2⤵
  PID:4752
- C:\Windows\System32\SPYSGPB.exe
  C:\Windows\System32\SPYSGPB.exe
  2⤵
  PID:6120
- C:\Windows\System32\XzhxxyX.exe
  C:\Windows\System32\XzhxxyX.exe
  2⤵
  PID:1284
- C:\Windows\System32\jXfCJlM.exe
  C:\Windows\System32\jXfCJlM.exe
  2⤵
  PID:5300
- C:\Windows\System32\wiOwWwz.exe
  C:\Windows\System32\wiOwWwz.exe
  2⤵
  PID:4008
- C:\Windows\System32\aeyBOtF.exe
  C:\Windows\System32\aeyBOtF.exe
  2⤵
  PID:5212
- C:\Windows\System32\xLlAkCO.exe
  C:\Windows\System32\xLlAkCO.exe
  2⤵
  PID:3556
- C:\Windows\System32\CjnPgVy.exe
  C:\Windows\System32\CjnPgVy.exe
  2⤵
  PID:4816
- C:\Windows\System32\EIPuwpg.exe
  C:\Windows\System32\EIPuwpg.exe
  2⤵
  PID:5796
- C:\Windows\System32\VwxpbSP.exe
  C:\Windows\System32\VwxpbSP.exe
  2⤵
  PID:5916
- C:\Windows\System32\NwhFWAz.exe
  C:\Windows\System32\NwhFWAz.exe
  2⤵
  PID:5904
- C:\Windows\System32\vbBmBxw.exe
  C:\Windows\System32\vbBmBxw.exe
  2⤵
  PID:6028
- C:\Windows\System32\ToJwopc.exe
  C:\Windows\System32\ToJwopc.exe
  2⤵
  PID:6092
- C:\Windows\System32\xaauqzZ.exe
  C:\Windows\System32\xaauqzZ.exe
  2⤵
  PID:2740
- C:\Windows\System32\QzpYZRg.exe
  C:\Windows\System32\QzpYZRg.exe
  2⤵
  PID:5288
- C:\Windows\System32\PKfmbev.exe
  C:\Windows\System32\PKfmbev.exe
  2⤵
  PID:5464
- C:\Windows\System32\dkBwYWN.exe
  C:\Windows\System32\dkBwYWN.exe
  2⤵
  PID:5508
- C:\Windows\System32\JIoPdOb.exe
  C:\Windows\System32\JIoPdOb.exe
  2⤵
  PID:6072
- C:\Windows\System32\HhhWraE.exe
  C:\Windows\System32\HhhWraE.exe
  2⤵
  PID:5740
- C:\Windows\System32\cYGyNBb.exe
  C:\Windows\System32\cYGyNBb.exe
  2⤵
  PID:6148
- C:\Windows\System32\jfqcdJC.exe
  C:\Windows\System32\jfqcdJC.exe
  2⤵
  PID:6168
- C:\Windows\System32\KkmKtxr.exe
  C:\Windows\System32\KkmKtxr.exe
  2⤵
  PID:6192
- C:\Windows\System32\rRqYlLQ.exe
  C:\Windows\System32\rRqYlLQ.exe
  2⤵
  PID:6264
- C:\Windows\System32\EeQOvzc.exe
  C:\Windows\System32\EeQOvzc.exe
  2⤵
  PID:6340
- C:\Windows\System32\ayBzSCp.exe
  C:\Windows\System32\ayBzSCp.exe
  2⤵
  PID:6384
- C:\Windows\System32\bzKRruN.exe
  C:\Windows\System32\bzKRruN.exe
  2⤵
  PID:6416
- C:\Windows\System32\Vdlwmqq.exe
  C:\Windows\System32\Vdlwmqq.exe
  2⤵
  PID:6464
- C:\Windows\System32\qADFLBh.exe
  C:\Windows\System32\qADFLBh.exe
  2⤵
  PID:6488
- C:\Windows\System32\xnjJEwt.exe
  C:\Windows\System32\xnjJEwt.exe
  2⤵
  PID:6504
- C:\Windows\System32\XGRuHuM.exe
  C:\Windows\System32\XGRuHuM.exe
  2⤵
  PID:6544
- C:\Windows\System32\RHEMYLn.exe
  C:\Windows\System32\RHEMYLn.exe
  2⤵
  PID:6588
- C:\Windows\System32\ayiiNef.exe
  C:\Windows\System32\ayiiNef.exe
  2⤵
  PID:6604
- C:\Windows\System32\tkfmCEN.exe
  C:\Windows\System32\tkfmCEN.exe
  2⤵
  PID:6624
- C:\Windows\System32\AjgSFdX.exe
  C:\Windows\System32\AjgSFdX.exe
  2⤵
  PID:6648
- C:\Windows\System32\hlBVtbw.exe
  C:\Windows\System32\hlBVtbw.exe
  2⤵
  PID:6704
- C:\Windows\System32\STNepCJ.exe
  C:\Windows\System32\STNepCJ.exe
  2⤵
  PID:6736
- C:\Windows\System32\qFLIFlt.exe
  C:\Windows\System32\qFLIFlt.exe
  2⤵
  PID:6796
- C:\Windows\System32\TsetBnz.exe
  C:\Windows\System32\TsetBnz.exe
  2⤵
  PID:6836
- C:\Windows\System32\SMYkktW.exe
  C:\Windows\System32\SMYkktW.exe
  2⤵
  PID:6852
- C:\Windows\System32\BRdskGS.exe
  C:\Windows\System32\BRdskGS.exe
  2⤵
  PID:6876
- C:\Windows\System32\tXHsWdN.exe
  C:\Windows\System32\tXHsWdN.exe
  2⤵
  PID:6948
- C:\Windows\System32\YPQSokq.exe
  C:\Windows\System32\YPQSokq.exe
  2⤵
  PID:6976
- C:\Windows\System32\fcXQjDi.exe
  C:\Windows\System32\fcXQjDi.exe
  2⤵
  PID:7000
- C:\Windows\System32\mUWgehM.exe
  C:\Windows\System32\mUWgehM.exe
  2⤵
  PID:7016
- C:\Windows\System32\ONhrqha.exe
  C:\Windows\System32\ONhrqha.exe
  2⤵
  PID:7032
- C:\Windows\System32\fTDRXmX.exe
  C:\Windows\System32\fTDRXmX.exe
  2⤵
  PID:7052
- C:\Windows\System32\VnmKfFG.exe
  C:\Windows\System32\VnmKfFG.exe
  2⤵
  PID:7072
- C:\Windows\System32\WcFYSPK.exe
  C:\Windows\System32\WcFYSPK.exe
  2⤵
  PID:7092
- C:\Windows\System32\wITDwNs.exe
  C:\Windows\System32\wITDwNs.exe
  2⤵
  PID:7128
- C:\Windows\System32\faHicmm.exe
  C:\Windows\System32\faHicmm.exe
  2⤵
  PID:5316
- C:\Windows\System32\LOcKfWm.exe
  C:\Windows\System32\LOcKfWm.exe
  2⤵
  PID:4984
- C:\Windows\System32\oVuLNvZ.exe
  C:\Windows\System32\oVuLNvZ.exe
  2⤵
  PID:6216
- C:\Windows\System32\XjQzdsY.exe
  C:\Windows\System32\XjQzdsY.exe
  2⤵
  PID:5668
- C:\Windows\System32\dYOStkI.exe
  C:\Windows\System32\dYOStkI.exe
  2⤵
  PID:6360
- C:\Windows\System32\jUilxMH.exe
  C:\Windows\System32\jUilxMH.exe
  2⤵
  PID:6404
- C:\Windows\System32\qYMgqvq.exe
  C:\Windows\System32\qYMgqvq.exe
  2⤵
  PID:5712
- C:\Windows\System32\HlrNARe.exe
  C:\Windows\System32\HlrNARe.exe
  2⤵
  PID:5660
- C:\Windows\System32\hoeBXlL.exe
  C:\Windows\System32\hoeBXlL.exe
  2⤵
  PID:6496
- C:\Windows\System32\QwyPckz.exe
  C:\Windows\System32\QwyPckz.exe
  2⤵
  PID:5696
- C:\Windows\System32\mWdDXKT.exe
  C:\Windows\System32\mWdDXKT.exe
  2⤵
  PID:6600
- C:\Windows\System32\xQxlNFc.exe
  C:\Windows\System32\xQxlNFc.exe
  2⤵
  PID:6620
- C:\Windows\System32\QWiDDox.exe
  C:\Windows\System32\QWiDDox.exe
  2⤵
  PID:5768
- C:\Windows\System32\tnJpOqL.exe
  C:\Windows\System32\tnJpOqL.exe
  2⤵
  PID:5900
- C:\Windows\System32\EtKuATO.exe
  C:\Windows\System32\EtKuATO.exe
  2⤵
  PID:6860
- C:\Windows\System32\eOSOBbu.exe
  C:\Windows\System32\eOSOBbu.exe
  2⤵
  PID:6916
- C:\Windows\System32\ObntVbl.exe
  C:\Windows\System32\ObntVbl.exe
  2⤵
  PID:6964
- C:\Windows\System32\fklorMB.exe
  C:\Windows\System32\fklorMB.exe
  2⤵
  PID:7040
- C:\Windows\System32\NlvblVC.exe
  C:\Windows\System32\NlvblVC.exe
  2⤵
  PID:6988
- C:\Windows\System32\posrsnM.exe
  C:\Windows\System32\posrsnM.exe
  2⤵
  PID:7140
- C:\Windows\System32\uWnKBQP.exe
  C:\Windows\System32\uWnKBQP.exe
  2⤵
  PID:6156
- C:\Windows\System32\HZfypzg.exe
  C:\Windows\System32\HZfypzg.exe
  2⤵
  PID:6276
- C:\Windows\System32\xRrBwbI.exe
  C:\Windows\System32\xRrBwbI.exe
  2⤵
  PID:6372
- C:\Windows\System32\EomkclP.exe
  C:\Windows\System32\EomkclP.exe
  2⤵
  PID:6456
- C:\Windows\System32\NTWDTxI.exe
  C:\Windows\System32\NTWDTxI.exe
  2⤵
  PID:6556
- C:\Windows\System32\mozyMdF.exe
  C:\Windows\System32\mozyMdF.exe
  2⤵
  PID:6672
- C:\Windows\System32\HLiCjaK.exe
  C:\Windows\System32\HLiCjaK.exe
  2⤵
  PID:6752
- C:\Windows\System32\aVKtLzW.exe
  C:\Windows\System32\aVKtLzW.exe
  2⤵
  PID:6912
- C:\Windows\System32\rIFSvMk.exe
  C:\Windows\System32\rIFSvMk.exe
  2⤵
  PID:6932
- C:\Windows\System32\yqClCuw.exe
  C:\Windows\System32\yqClCuw.exe
  2⤵
  PID:6972
- C:\Windows\System32\tzXBGex.exe
  C:\Windows\System32\tzXBGex.exe
  2⤵
  PID:6436
- C:\Windows\System32\wgzsmOQ.exe
  C:\Windows\System32\wgzsmOQ.exe
  2⤵
  PID:6928
- C:\Windows\System32\KVnCqSQ.exe
  C:\Windows\System32\KVnCqSQ.exe
  2⤵
  PID:7064
- C:\Windows\System32\jaVkmMW.exe
  C:\Windows\System32\jaVkmMW.exe
  2⤵
  PID:6452
- C:\Windows\System32\dkgHMxZ.exe
  C:\Windows\System32\dkgHMxZ.exe
  2⤵
  PID:6584
- C:\Windows\System32\WfBglRF.exe
  C:\Windows\System32\WfBglRF.exe
  2⤵
  PID:7196
- C:\Windows\System32\sppuSkA.exe
  C:\Windows\System32\sppuSkA.exe
  2⤵
  PID:7244
- C:\Windows\System32\qpomUFS.exe
  C:\Windows\System32\qpomUFS.exe
  2⤵
  PID:7260
- C:\Windows\System32\vwWHAwK.exe
  C:\Windows\System32\vwWHAwK.exe
  2⤵
  PID:7280
- C:\Windows\System32\ntmvgcp.exe
  C:\Windows\System32\ntmvgcp.exe
  2⤵
  PID:7324
- C:\Windows\System32\xMULuOL.exe
  C:\Windows\System32\xMULuOL.exe
  2⤵
  PID:7340
- C:\Windows\System32\wpRrUeL.exe
  C:\Windows\System32\wpRrUeL.exe
  2⤵
  PID:7404
- C:\Windows\System32\cJGcUOu.exe
  C:\Windows\System32\cJGcUOu.exe
  2⤵
  PID:7424
- C:\Windows\System32\KCOQTIb.exe
  C:\Windows\System32\KCOQTIb.exe
  2⤵
  PID:7492
- C:\Windows\System32\cyiaEfW.exe
  C:\Windows\System32\cyiaEfW.exe
  2⤵
  PID:7508
- C:\Windows\System32\iAENKxZ.exe
  C:\Windows\System32\iAENKxZ.exe
  2⤵
  PID:7528
- C:\Windows\System32\TmouUYj.exe
  C:\Windows\System32\TmouUYj.exe
  2⤵
  PID:7572
- C:\Windows\System32\mNDBczS.exe
  C:\Windows\System32\mNDBczS.exe
  2⤵
  PID:7588
- C:\Windows\System32\MzdmCnf.exe
  C:\Windows\System32\MzdmCnf.exe
  2⤵
  PID:7608
- C:\Windows\System32\WAOLaxE.exe
  C:\Windows\System32\WAOLaxE.exe
  2⤵
  PID:7628
- C:\Windows\System32\VecReUQ.exe
  C:\Windows\System32\VecReUQ.exe
  2⤵
  PID:7672
- C:\Windows\System32\VNtmpwI.exe
  C:\Windows\System32\VNtmpwI.exe
  2⤵
  PID:7708
- C:\Windows\System32\GApKvYJ.exe
  C:\Windows\System32\GApKvYJ.exe
  2⤵
  PID:7744
- C:\Windows\System32\ThPKJSD.exe
  C:\Windows\System32\ThPKJSD.exe
  2⤵
  PID:7760
- C:\Windows\System32\Cmslzwm.exe
  C:\Windows\System32\Cmslzwm.exe
  2⤵
  PID:7780
- C:\Windows\System32\zIVsgTV.exe
  C:\Windows\System32\zIVsgTV.exe
  2⤵
  PID:7804
- C:\Windows\System32\yMFnHmE.exe
  C:\Windows\System32\yMFnHmE.exe
  2⤵
  PID:7856
- C:\Windows\System32\PkDLKus.exe
  C:\Windows\System32\PkDLKus.exe
  2⤵
  PID:7876
- C:\Windows\System32\IINbMrc.exe
  C:\Windows\System32\IINbMrc.exe
  2⤵
  PID:7912
- C:\Windows\System32\kukFLYA.exe
  C:\Windows\System32\kukFLYA.exe
  2⤵
  PID:7956
- C:\Windows\System32\Wjlnmha.exe
  C:\Windows\System32\Wjlnmha.exe
  2⤵
  PID:7976
- C:\Windows\System32\srjEKZO.exe
  C:\Windows\System32\srjEKZO.exe
  2⤵
  PID:8008
- C:\Windows\System32\EloVvYH.exe
  C:\Windows\System32\EloVvYH.exe
  2⤵
  PID:8028
- C:\Windows\System32\ykmHTJJ.exe
  C:\Windows\System32\ykmHTJJ.exe
  2⤵
  PID:8044
- C:\Windows\System32\YngaecT.exe
  C:\Windows\System32\YngaecT.exe
  2⤵
  PID:8064
- C:\Windows\System32\JxUDsvx.exe
  C:\Windows\System32\JxUDsvx.exe
  2⤵
  PID:8088
- C:\Windows\System32\GHvirhr.exe
  C:\Windows\System32\GHvirhr.exe
  2⤵
  PID:8132
- C:\Windows\System32\cKseUEw.exe
  C:\Windows\System32\cKseUEw.exe
  2⤵
  PID:8164
- C:\Windows\System32\SMCWLor.exe
  C:\Windows\System32\SMCWLor.exe
  2⤵
  PID:8188
- C:\Windows\System32\wQRkDes.exe
  C:\Windows\System32\wQRkDes.exe
  2⤵
  PID:7084
- C:\Windows\System32\XoPzuHJ.exe
  C:\Windows\System32\XoPzuHJ.exe
  2⤵
  PID:6820
- C:\Windows\System32\WSKjsqq.exe
  C:\Windows\System32\WSKjsqq.exe
  2⤵
  PID:7364
- C:\Windows\System32\dQAmgYq.exe
  C:\Windows\System32\dQAmgYq.exe
  2⤵
  PID:5616
- C:\Windows\System32\TYNbeQE.exe
  C:\Windows\System32\TYNbeQE.exe
  2⤵
  PID:7396
- C:\Windows\System32\XXpCzHC.exe
  C:\Windows\System32\XXpCzHC.exe
  2⤵
  PID:7452
- C:\Windows\System32\TFPdNFt.exe
  C:\Windows\System32\TFPdNFt.exe
  2⤵
  PID:7524
- C:\Windows\System32\BAmFCfT.exe
  C:\Windows\System32\BAmFCfT.exe
  2⤵
  PID:7640
- C:\Windows\System32\HNMfgqG.exe
  C:\Windows\System32\HNMfgqG.exe
  2⤵
  PID:7740
- C:\Windows\System32\JJfLwyx.exe
  C:\Windows\System32\JJfLwyx.exe
  2⤵
  PID:5992
- C:\Windows\System32\WmWxjHW.exe
  C:\Windows\System32\WmWxjHW.exe
  2⤵
  PID:7772
- C:\Windows\System32\aUaajWV.exe
  C:\Windows\System32\aUaajWV.exe
  2⤵
  PID:7800
- C:\Windows\System32\vSWNDme.exe
  C:\Windows\System32\vSWNDme.exe
  2⤵
  PID:7896
- C:\Windows\System32\YGZnBVJ.exe
  C:\Windows\System32\YGZnBVJ.exe
  2⤵
  PID:7868
- C:\Windows\System32\RXfIAxg.exe
  C:\Windows\System32\RXfIAxg.exe
  2⤵
  PID:8020
- C:\Windows\System32\bybnTBz.exe
  C:\Windows\System32\bybnTBz.exe
  2⤵
  PID:8116
- C:\Windows\System32\PdUIyML.exe
  C:\Windows\System32\PdUIyML.exe
  2⤵
  PID:6728
- C:\Windows\System32\kUSwadl.exe
  C:\Windows\System32\kUSwadl.exe
  2⤵
  PID:8148
- C:\Windows\System32\uDsGACu.exe
  C:\Windows\System32\uDsGACu.exe
  2⤵
  PID:6272
- C:\Windows\System32\hDLbdfw.exe
  C:\Windows\System32\hDLbdfw.exe
  2⤵
  PID:7268
- C:\Windows\System32\VlaCQmy.exe
  C:\Windows\System32\VlaCQmy.exe
  2⤵
  PID:7400
- C:\Windows\System32\NiOttkZ.exe
  C:\Windows\System32\NiOttkZ.exe
  2⤵
  PID:7392
- C:\Windows\System32\waQYVnf.exe
  C:\Windows\System32\waQYVnf.exe
  2⤵
  PID:7668
- C:\Windows\System32\SaCOfan.exe
  C:\Windows\System32\SaCOfan.exe
  2⤵
  PID:7620
- C:\Windows\System32\JoCtXFA.exe
  C:\Windows\System32\JoCtXFA.exe
  2⤵
  PID:7720
- C:\Windows\System32\zYwXshg.exe
  C:\Windows\System32\zYwXshg.exe
  2⤵
  PID:7732
- C:\Windows\System32\wjTARzM.exe
  C:\Windows\System32\wjTARzM.exe
  2⤵
  PID:7864
- C:\Windows\System32\bvreRmw.exe
  C:\Windows\System32\bvreRmw.exe
  2⤵
  PID:7996
- C:\Windows\System32\mEVLmkP.exe
  C:\Windows\System32\mEVLmkP.exe
  2⤵
  PID:5112
- C:\Windows\System32\EXlbYen.exe
  C:\Windows\System32\EXlbYen.exe
  2⤵
  PID:6212
- C:\Windows\System32\EYtFfQm.exe
  C:\Windows\System32\EYtFfQm.exe
  2⤵
  PID:7544
- C:\Windows\System32\MNqiTcq.exe
  C:\Windows\System32\MNqiTcq.exe
  2⤵
  PID:8100
- C:\Windows\System32\uFdliPl.exe
  C:\Windows\System32\uFdliPl.exe
  2⤵
  PID:7888
- C:\Windows\System32\OodJeIP.exe
  C:\Windows\System32\OodJeIP.exe
  2⤵
  PID:8260
- C:\Windows\System32\vosnyrp.exe
  C:\Windows\System32\vosnyrp.exe
  2⤵
  PID:8292
- C:\Windows\System32\vzifCxw.exe
  C:\Windows\System32\vzifCxw.exe
  2⤵
  PID:8328
- C:\Windows\System32\vxycbkG.exe
  C:\Windows\System32\vxycbkG.exe
  2⤵
  PID:8344
- C:\Windows\System32\sZonBXH.exe
  C:\Windows\System32\sZonBXH.exe
  2⤵
  PID:8368
- C:\Windows\System32\XXyckCS.exe
  C:\Windows\System32\XXyckCS.exe
  2⤵
  PID:8388
- C:\Windows\System32\jtWewdJ.exe
  C:\Windows\System32\jtWewdJ.exe
  2⤵
  PID:8432
- C:\Windows\System32\dciNWnF.exe
  C:\Windows\System32\dciNWnF.exe
  2⤵
  PID:8448
- C:\Windows\System32\UbrRVld.exe
  C:\Windows\System32\UbrRVld.exe
  2⤵
  PID:8480
- C:\Windows\System32\FpEwljM.exe
  C:\Windows\System32\FpEwljM.exe
  2⤵
  PID:8552
- C:\Windows\System32\XUXdEMi.exe
  C:\Windows\System32\XUXdEMi.exe
  2⤵
  PID:8576
- C:\Windows\System32\oRHDQjC.exe
  C:\Windows\System32\oRHDQjC.exe
  2⤵
  PID:8632
- C:\Windows\System32\hdSnosP.exe
  C:\Windows\System32\hdSnosP.exe
  2⤵
  PID:8680
- C:\Windows\System32\HWUOrSF.exe
  C:\Windows\System32\HWUOrSF.exe
  2⤵
  PID:8696
- C:\Windows\System32\anhTNdL.exe
  C:\Windows\System32\anhTNdL.exe
  2⤵
  PID:8716
- C:\Windows\System32\apZQqAM.exe
  C:\Windows\System32\apZQqAM.exe
  2⤵
  PID:8748
- C:\Windows\System32\CkFoLFE.exe
  C:\Windows\System32\CkFoLFE.exe
  2⤵
  PID:8780
- C:\Windows\System32\lUnhiLM.exe
  C:\Windows\System32\lUnhiLM.exe
  2⤵
  PID:8800
- C:\Windows\System32\MbWOAQY.exe
  C:\Windows\System32\MbWOAQY.exe
  2⤵
  PID:8872
- C:\Windows\System32\bKZbboY.exe
  C:\Windows\System32\bKZbboY.exe
  2⤵
  PID:8892
- C:\Windows\System32\JzCfqGK.exe
  C:\Windows\System32\JzCfqGK.exe
  2⤵
  PID:8908
- C:\Windows\System32\qENBlOI.exe
  C:\Windows\System32\qENBlOI.exe
  2⤵
  PID:8944
- C:\Windows\System32\CetVgGu.exe
  C:\Windows\System32\CetVgGu.exe
  2⤵
  PID:8964
- C:\Windows\System32\ofyPYiy.exe
  C:\Windows\System32\ofyPYiy.exe
  2⤵
  PID:8984
- C:\Windows\System32\OkHjpdu.exe
  C:\Windows\System32\OkHjpdu.exe
  2⤵
  PID:9000
- C:\Windows\System32\tDQLVqv.exe
  C:\Windows\System32\tDQLVqv.exe
  2⤵
  PID:9020
- C:\Windows\System32\Ymycyka.exe
  C:\Windows\System32\Ymycyka.exe
  2⤵
  PID:9044
- C:\Windows\System32\GedBbTD.exe
  C:\Windows\System32\GedBbTD.exe
  2⤵
  PID:9064
- C:\Windows\System32\pvsMMJh.exe
  C:\Windows\System32\pvsMMJh.exe
  2⤵
  PID:9084
- C:\Windows\System32\cREypDW.exe
  C:\Windows\System32\cREypDW.exe
  2⤵
  PID:9100
- C:\Windows\System32\loAOAwr.exe
  C:\Windows\System32\loAOAwr.exe
  2⤵
  PID:9148
- C:\Windows\System32\rXPXsNZ.exe
  C:\Windows\System32\rXPXsNZ.exe
  2⤵
  PID:9200
- C:\Windows\System32\XfmoDXf.exe
  C:\Windows\System32\XfmoDXf.exe
  2⤵
  PID:7420
- C:\Windows\System32\KSEOTIn.exe
  C:\Windows\System32\KSEOTIn.exe
  2⤵
  PID:7568
- C:\Windows\System32\AdjCXTZ.exe
  C:\Windows\System32\AdjCXTZ.exe
  2⤵
  PID:8212
- C:\Windows\System32\NlVBTUv.exe
  C:\Windows\System32\NlVBTUv.exe
  2⤵
  PID:8272
- C:\Windows\System32\uKkhkNx.exe
  C:\Windows\System32\uKkhkNx.exe
  2⤵
  PID:8364
- C:\Windows\System32\kGlOnVk.exe
  C:\Windows\System32\kGlOnVk.exe
  2⤵
  PID:8408
- C:\Windows\System32\lxVsQYO.exe
  C:\Windows\System32\lxVsQYO.exe
  2⤵
  PID:8504
- C:\Windows\System32\GTKWnHF.exe
  C:\Windows\System32\GTKWnHF.exe
  2⤵
  PID:8508
- C:\Windows\System32\prMDJBv.exe
  C:\Windows\System32\prMDJBv.exe
  2⤵
  PID:8560
- C:\Windows\System32\YChEoIK.exe
  C:\Windows\System32\YChEoIK.exe
  2⤵
  PID:8688
- C:\Windows\System32\pRmKyhL.exe
  C:\Windows\System32\pRmKyhL.exe
  2⤵
  PID:8776
- C:\Windows\System32\GFYgsHu.exe
  C:\Windows\System32\GFYgsHu.exe
  2⤵
  PID:8828
- C:\Windows\System32\ajqoEDF.exe
  C:\Windows\System32\ajqoEDF.exe
  2⤵
  PID:8808
- C:\Windows\System32\WOKblvm.exe
  C:\Windows\System32\WOKblvm.exe
  2⤵
  PID:8904
- C:\Windows\System32\mwJBFPz.exe
  C:\Windows\System32\mwJBFPz.exe
  2⤵
  PID:8956
- C:\Windows\System32\VFjmnaW.exe
  C:\Windows\System32\VFjmnaW.exe
  2⤵
  PID:8952
- C:\Windows\System32\yIPWiiM.exe
  C:\Windows\System32\yIPWiiM.exe
  2⤵
  PID:9096
- C:\Windows\System32\FhdwERK.exe
  C:\Windows\System32\FhdwERK.exe
  2⤵
  PID:9132
- C:\Windows\System32\AQRxwwy.exe
  C:\Windows\System32\AQRxwwy.exe
  2⤵
  PID:8208
- C:\Windows\System32\ZDqDihK.exe
  C:\Windows\System32\ZDqDihK.exe
  2⤵
  PID:8340
- C:\Windows\System32\IdYNmnN.exe
  C:\Windows\System32\IdYNmnN.exe
  2⤵
  PID:8520
- C:\Windows\System32\CFaqMbL.exe
  C:\Windows\System32\CFaqMbL.exe
  2⤵
  PID:8460
- C:\Windows\System32\zfqvXxz.exe
  C:\Windows\System32\zfqvXxz.exe
  2⤵
  PID:4848
- C:\Windows\System32\TxxazEc.exe
  C:\Windows\System32\TxxazEc.exe
  2⤵
  PID:8792
- C:\Windows\System32\IHFeLIP.exe
  C:\Windows\System32\IHFeLIP.exe
  2⤵
  PID:8936
- C:\Windows\System32\aWNMrpI.exe
  C:\Windows\System32\aWNMrpI.exe
  2⤵
  PID:9092
- C:\Windows\System32\XibplkX.exe
  C:\Windows\System32\XibplkX.exe
  2⤵
  PID:9164
- C:\Windows\System32\ZvedXIu.exe
  C:\Windows\System32\ZvedXIu.exe
  2⤵
  PID:8412
- C:\Windows\System32\hhocrAO.exe
  C:\Windows\System32\hhocrAO.exe
  2⤵
  PID:9228
- C:\Windows\System32\HaltmXa.exe
  C:\Windows\System32\HaltmXa.exe
  2⤵
  PID:9292
- C:\Windows\System32\xclyoVY.exe
  C:\Windows\System32\xclyoVY.exe
  2⤵
  PID:9312
- C:\Windows\System32\QzcYrLw.exe
  C:\Windows\System32\QzcYrLw.exe
  2⤵
  PID:9328
- C:\Windows\System32\IsVpDcq.exe
  C:\Windows\System32\IsVpDcq.exe
  2⤵
  PID:9348
- C:\Windows\System32\QGuvXQj.exe
  C:\Windows\System32\QGuvXQj.exe
  2⤵
  PID:9416
- C:\Windows\System32\QmxaAbQ.exe
  C:\Windows\System32\QmxaAbQ.exe
  2⤵
  PID:9436
- C:\Windows\System32\lDITopl.exe
  C:\Windows\System32\lDITopl.exe
  2⤵
  PID:9472
- C:\Windows\System32\pQMOZmQ.exe
  C:\Windows\System32\pQMOZmQ.exe
  2⤵
  PID:9492
- C:\Windows\System32\MtTfiHJ.exe
  C:\Windows\System32\MtTfiHJ.exe
  2⤵
  PID:9512
- C:\Windows\System32\DDsbwRg.exe
  C:\Windows\System32\DDsbwRg.exe
  2⤵
  PID:9528
- C:\Windows\System32\irYOLLU.exe
  C:\Windows\System32\irYOLLU.exe
  2⤵
  PID:9544
- C:\Windows\System32\dZyikBn.exe
  C:\Windows\System32\dZyikBn.exe
  2⤵
  PID:9564
- C:\Windows\System32\CVVcLYq.exe
  C:\Windows\System32\CVVcLYq.exe
  2⤵
  PID:9588
- C:\Windows\System32\KHNRIEr.exe
  C:\Windows\System32\KHNRIEr.exe
  2⤵
  PID:9640
- C:\Windows\System32\VylNofv.exe
  C:\Windows\System32\VylNofv.exe
  2⤵
  PID:9660
- C:\Windows\System32\LbGidgT.exe
  C:\Windows\System32\LbGidgT.exe
  2⤵
  PID:9724
- C:\Windows\System32\JEooPPE.exe
  C:\Windows\System32\JEooPPE.exe
  2⤵
  PID:9744
- C:\Windows\System32\wBtwHbp.exe
  C:\Windows\System32\wBtwHbp.exe
  2⤵
  PID:9760
- C:\Windows\System32\GtmOWrS.exe
  C:\Windows\System32\GtmOWrS.exe
  2⤵
  PID:9784
- C:\Windows\System32\riRZOOp.exe
  C:\Windows\System32\riRZOOp.exe
  2⤵
  PID:9804
- C:\Windows\System32\uIDBjMg.exe
  C:\Windows\System32\uIDBjMg.exe
  2⤵
  PID:9828
- C:\Windows\System32\dvITydc.exe
  C:\Windows\System32\dvITydc.exe
  2⤵
  PID:9892
- C:\Windows\System32\qteihlj.exe
  C:\Windows\System32\qteihlj.exe
  2⤵
  PID:9948
- C:\Windows\System32\WtakvqP.exe
  C:\Windows\System32\WtakvqP.exe
  2⤵
  PID:9976
- C:\Windows\System32\UMlzlHX.exe
  C:\Windows\System32\UMlzlHX.exe
  2⤵
  PID:9996
- C:\Windows\System32\LEAwmAq.exe
  C:\Windows\System32\LEAwmAq.exe
  2⤵
  PID:10048
- C:\Windows\System32\aewCrXj.exe
  C:\Windows\System32\aewCrXj.exe
  2⤵
  PID:10080
- C:\Windows\System32\DPicJRw.exe
  C:\Windows\System32\DPicJRw.exe
  2⤵
  PID:10104
- C:\Windows\System32\ipoAHhS.exe
  C:\Windows\System32\ipoAHhS.exe
  2⤵
  PID:10120
- C:\Windows\System32\QFtwXkg.exe
  C:\Windows\System32\QFtwXkg.exe
  2⤵
  PID:10136
- C:\Windows\System32\TzaCbHE.exe
  C:\Windows\System32\TzaCbHE.exe
  2⤵
  PID:10156
- C:\Windows\System32\bLHzhmQ.exe
  C:\Windows\System32\bLHzhmQ.exe
  2⤵
  PID:9260

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BNYOMvN.exe

Filesize
1.4MB

MD5
185d2e7e49ee6e77182dc31c25ba4d80

SHA1
070c7d258ed71e387d57428b99f53117e84d6828

SHA256
85e13491c6f7ce8be6b7dbbd64cd673fcb3c9b957e8e432c65f29315c0f960b6

SHA512
1925fc463260a2214cc24e47cf8a679558192fc6e212ebcfd557b531977f2e95c3f092474cdac3cc6834f9c7d0c5396b2a4f049e1e99e0e9aab9b74e5c6d36ab

Download Submit
C:\Windows\System32\DKdhwUy.exe

Filesize
1.4MB

MD5
0541ec17cc975056fac76e379063ccf9

SHA1
9ffe7670bde3522c59955eda78d9801c8e096de3

SHA256
0c9916128df7d89074585efaa24d5f477bdc691a3a18e0fc95f030113625ba35

SHA512
561f09c2e722bb22d0af95f45b403b0414f219d1a229f7d25f9ca712e61866d7cb98ecb4c9ec716f2ff797ecec5f181f434a2bb641deacf51be50d4b2eaff1e4

Download Submit
C:\Windows\System32\GWiXXkp.exe

Filesize
1.4MB

MD5
6908a0616d9bf8ec93041ecfc8b16a98

SHA1
d708d8127ae78f7e8f91b43f79983c946fcce124

SHA256
b247ba033c136042e51dd661afdace580b002b453bb4da2375a3090a8a55301b

SHA512
c688da3a05a4cfcc11a8771b3cf2b38dca79dd227374ad910804e1bf1b0a41a81d02f08ed3e31ab8959d42b9ff69703a14cb6eea6dcc5e1f8d80150e79553993

Download Submit
C:\Windows\System32\HExvhtj.exe

Filesize
1.4MB

MD5
e8bf7ec843bdf323962864e5e85c9147

SHA1
de07f9c3808494476ecdb24211f05de9c61f6610

SHA256
50f9548ec30160fcda9baabd12534a87277102c7ae3cc85f39a983d9d604939c

SHA512
35e210dba257af7d628803374e5006d1388a13c00fb1a7167592e035710ef2a236e464663374889e69e5accb853bb6165e28a0c9c59035ad7b8f86c5fd82bc9c

Download Submit
C:\Windows\System32\IbNZGNN.exe

Filesize
1.4MB

MD5
d3fbd86bb8e5bc9b813b83dfda50a1f2

SHA1
6c9283a167493b4310f2bb1b755b3b7d7c5512d2

SHA256
04cd45f807a3f9f12a29c60c366a0bb863e9e4d325e2ac759412a5598a647d89

SHA512
cfa32acdddc8c77133d338d04826e5e43fcf0e9c674066ba551efc2e2a77be0ced5b5d13d638c2b1f3d1acca73cd684f110d7e245403bfb90d605395cbc3e4c8

Download Submit
C:\Windows\System32\JBFcHGh.exe

Filesize
1.4MB

MD5
bd626e8748a45f24c0a93c071b4af86f

SHA1
6ed4391b1990011ed103e56be02d27a6672983cf

SHA256
269d810a36c472af9236bd5fa0298efdfc73b909e30d69ad457d0c9d49fdb0cc

SHA512
67c4fdaac3ebfde2642921248d76a3559f6271b42e94051c9bc11fc729a10995adda493bd25fce2516dae5124dbc2ac421daa029b7b1bbf176352ae097661efc

Download Submit
C:\Windows\System32\JoqvgeC.exe

Filesize
1.4MB

MD5
96291458d4953531ff16f79949dc104e

SHA1
c392b60e0a3437873464b07fdcdacf5cb85fc24b

SHA256
a86bc16f034ad58de8728482034bc538fb9a9ba7fb34ad4018e9a5707d484d3f

SHA512
ec575781877a7f7efc0b39ead161573dffecb2eae192b0fc81bfdedfa30fbe8fa8a8a4f7ad205e68ef003c72f76bc736e796f8d44fd7bf31237cdb2ac60b7e95

Download Submit
C:\Windows\System32\JoqvgeC.exe

Filesize
64KB

MD5
4fff8570bfe714b85dd8448e4f55621d

SHA1
9503024b80c66a99434491fe06c84943537a6a02

SHA256
8ca4b370724f5701924a44bfaa327ebacb0e041b80ff3c432470b62c1ff6ebbe

SHA512
b92889ea56d1eda7d2cfc7f8d2f37e5724316dfa653184fd9110df28cf0ea9ae8330f63e50225208217e92b13b5494dad0bcd0d86c8538f15c6d09a0717239db

Download Submit
C:\Windows\System32\NWycxDD.exe

Filesize
1.4MB

MD5
5fa535b1739d7bf8a17036e37f8db1b1

SHA1
774aa43693cc8e297aab34a21452f98a4f204580

SHA256
849bec083af63eacb576892573c269b6547c97a38b0c39cd90ce970dbb78355d

SHA512
0b7e8bf3f1d4042b14cb6a5f303da9c8c4b432e11c41125bee668c484eedc5b2ff57dc18e0c93a3d33a3efe73d02f37f3af2460d6255b11b4c0009f7064d9975

Download Submit
C:\Windows\System32\NWycxDD.exe

Filesize
576KB

MD5
970e49d66f2ac1f0c5aa37c23932cc22

SHA1
f13d83b9f982b0504ed0586a2162d43a6a96f301

SHA256
adc90a427ed2d1115ef5602d62a34fb5f324d329e283e3f49f5e61339d15058b

SHA512
5aba02743a3a356ad760275c2b85404a190c9618311be0423bd51a41dc3465d9f54d7842e63c0eb6fd095a0eb378d5786aebff3f52a42f97fca957573b0bf5f3

Download Submit
C:\Windows\System32\NfMRsHp.exe

Filesize
1.4MB

MD5
dedec7084154667147b131369f282e7f

SHA1
2766fc3a5c2854944c057d32785c8d851138c063

SHA256
95a9318f4adc928699558d45f90fdb1a47f3d06ff3cce7919920e1f819bfbc47

SHA512
9fa2d8f2f12149b3b8be770e7f07add40e2bfe89b65505a6ec4d2ae256e3815e75daebcd18a535a8ddbffe48156871e3ea1cb7f3f8dfdaafa8e31f2a878dae46

Download Submit
C:\Windows\System32\NfMRsHp.exe

Filesize
1.2MB

MD5
259de999a9e710851063fa503408e2ad

SHA1
b5aa8a71262b21f49aac8c0def9a81eef1413a11

SHA256
71ed31b20352111e4699549783ed8ab219ae881c4e4fd0ff2e5846fa5e0cd3da

SHA512
f8ae71db267cbf3593b72dbbeb500dad489eacf538e6a48321ed3272336ba28e57a9a832bfed22e9b71c3f094e133f5bd0a764d269262b187c48a8e1fe976723

Download Submit
C:\Windows\System32\TuQEnQw.exe

Filesize
1.4MB

MD5
fb465d0d2f8eecf4bce5c1e91bf7111f

SHA1
813a01aa604529a69a8889ce5055c673d44381ff

SHA256
b4437eda0dfcd89bc3397679c10124588ada41d0dd88517b55c19a1b2671f6de

SHA512
cb33fc74effec095c98f7a308e6fbe5b2cac71e44f20505bb1140b0656f5bf2ec570ec3ac5126977f8fe8bfd9f7dade41464cef72e42255c566c72e0c8dc4423

Download Submit
C:\Windows\System32\UWYkdYz.exe

Filesize
1.4MB

MD5
37eb5533b6126382b704076822393bc8

SHA1
ab50c263923d989e5ead495a79ec23631379b1ca

SHA256
47047c1a973717f71bd1670a66f96d2dfd87ae00d79be6d776f0d7861c527f5f

SHA512
6c8a2b63724fb1a30379a03de2ac377135f724525a5f77e59c7d117c3e6442e7b5cf6f887c8099a7241c8e3d4750761d83e7b2d1e47b9c05a5f8daab46a33d67

Download Submit
C:\Windows\System32\WqNBPyT.exe

Filesize
1.4MB

MD5
59ff8b917c573dd87c346ff1f60f8f5a

SHA1
86ff50867151c1ed3f81c39166e61a8b1b0ff9a7

SHA256
487b249ce140cf33e9fa0995617e11ee58bb23baf6ff01aecf9d000afe650ce4

SHA512
e1ae78fc6ba1c19add9ec1a698afdab9ab927787e4f92058b50ab82f356cc8afcdbfeac0a057d2d17bddf5aebcc0b935a547a5503531ce7a33fddf39dff1db04

Download Submit
C:\Windows\System32\YKQOHNZ.exe

Filesize
1.4MB

MD5
408643301725a130534ac37cc033c9c3

SHA1
c7735150f58a0bcdab9b317bd2822f6ee8e184eb

SHA256
1ea07fa4d7526e2aa620b8c67ab3c0576057786aee59e2ec8e48a6a886501804

SHA512
7e6edf67bf2bd1bbc94a3781e7dbba35d7a22ab15cffda3c3a95ee96f2ab306579b576a46d8bbb716583a5b6099898f5cc429bc46323ced322acd5c42549af36

Download Submit
C:\Windows\System32\YKQOHNZ.exe

Filesize
960KB

MD5
0efefff1a2fc4f0c061f87cf8107c4b7

SHA1
277d27d857b5553e5d66bbe62bee43b152c67845

SHA256
d6a7caa3910e2d1d7636f4525f2978f7b7fdabbb3216bd771088fcea4216a146

SHA512
5a776df7a26e17b6c12b30a8a8a87f7c7e6f0604a12ce093f6231c6d4065fe7928b00521a086bcc7b0fa898d0f286784fe79704e8681a6ad9d1d252493c77008

Download Submit
C:\Windows\System32\YPgsERJ.exe

Filesize
1.4MB

MD5
4067502965e23fe00d6d877e1c10f33e

SHA1
503a1290707a2b193b575d2e133cd445409a65e8

SHA256
2708c74b6ddc2234643cf89c35f777fdf14833b340c4a8b65e49b8e3f5a2e38a

SHA512
e61278c21e9ad8e8b0c662fa05d821a7b3cf497b7b18dc5843ee76c3ef0cf9b5498d35a10c5f9ef6c1cffbb0e4ab61be0490aa4f01d6bd8b2ac064508726e6cc

Download Submit
C:\Windows\System32\eygSsdo.exe

Filesize
1.4MB

MD5
bc0dfdfb4072f5da68406c9a47100d77

SHA1
6c6ec45fdc246f6e8476d467cecd5e37648b204c

SHA256
4ebe84d944e88199193a4a90d6cabd62b4337abe6777baa331a17d6263e24996

SHA512
725cb7d8e3834e100cc3a9b4a2b5b7a6a25269ad234ad5093f54bb64ede8d794b6e6e6d5faa526fa33c61830a8e0227995bb7e15f3fb604ba99cfeb0536bd7ca

Download Submit
C:\Windows\System32\gfClqHG.exe

Filesize
384KB

MD5
681885218590138b84122217405dc2ab

SHA1
33c70a90fbc36f19a25210995a972efb9d247734

SHA256
208237d1f37ae55e72a4ffe65d8581e6e7bf6be8d3b7f13bca1c70b5b8461ec6

SHA512
3b2156cd506d118173227686a91a4bf7b3302fca6fbf94adda38392cbe3ea5aea64619d0c62808f647a47434ec8513721a361182bd7a8dc8c6432361660d60f8

Download Submit
C:\Windows\System32\gfClqHG.exe

Filesize
320KB

MD5
54144d1a4f5b698850836424f8cee10b

SHA1
d4f25d4e85ca099d8b25dc7f0b3ab0e749dc10a3

SHA256
ab451e4c2f545b56439a3e0ad58367ab1dccac2e0fd5ad33d96f4bf1181587da

SHA512
841eb82d80dbd6972d6460b3062893ce6e37fd040c023b273a97785dd48b061ee103dbb8269c119c47e787541d902a6b96dbf4b1efec63d12c6e7b374f0c5f5e

Download Submit
C:\Windows\System32\gqEIRbH.exe

Filesize
1.4MB

MD5
cc91949b51858735c351f22bc2d4fc09

SHA1
2ecb98036f48051a0c09c5806cf0a407df7bbb81

SHA256
24a4136f5ad2083e4afc7ddad74498b79cde7653ab988e726c8733af7d41445a

SHA512
09feea9c3dffbdd16c683777231a8197c020e0d621f750fa0304bd3e01107864e534607d93e8ddfd751c06ededb260ef2e96b1ea7c45794022336c96c59b53dd

Download Submit
C:\Windows\System32\gqEIRbH.exe

Filesize
126KB

MD5
b98ca6b436aa73640bbf7d27ad5ee3dd

SHA1
d52e571875a016c6d55af10909fb7e8279d240f6

SHA256
4af39862525956baa9af1f4f365a1d52f9d07b08b47b64908b598501d2e86d3f

SHA512
9760960523ba71db90e08f74bfb288854af2577af051640ed5f9ac6774e814fc51a2d4245cc06b0853cca14e81e7d75e7f3a041ca2a54e8a1023edf07d4d93ad

Download Submit
C:\Windows\System32\hACFZRt.exe

Filesize
256KB

MD5
4f2ee1a9c9d8c08dcc1ad31fac265106

SHA1
9f8a2f25af0cdc3749dd080f619c118cc42a6d99

SHA256
cc0a3041f6ed2cb4bd252070556817bd578d3fa97e8ea73e192db50fd3664563

SHA512
e7230c71218850fbd4e1e860fb3e02ae90ee31e768b62efc1efaa7d8767735e36631a666d955a238ed1f054c7dff5ac2ad3846d8dee5fa988e0a0208305d4401

Download Submit
C:\Windows\System32\iLtOgjD.exe

Filesize
1.4MB

MD5
b676f16f9037021f0429b0ad398d413b

SHA1
a0687b1b1ec3f1e5a34cdc296ba7b876a5926c74

SHA256
89643352246bc8c6c7f69a328bb6a67e8c38f32c8e222b5e944b144673d7849f

SHA512
b6a2586aad30af5c2d275db85c2be6ab727937f96daca1a5b02c44d8172e0212e837c24469eb02cde10a04f5a5863451e45735d265c3905eba2abd07f55e4064

Download Submit
C:\Windows\System32\iLtOgjD.exe

Filesize
14KB

MD5
f585abd9f35c0d3eb49563540621633e

SHA1
ed3616c5c6a617dc7d9f7d4189bdaa9be8a7014f

SHA256
54f28af916d0499029f0637afd4eb3db0fcc30728f3a29cdac8c7b0cfa73c471

SHA512
6e45574b9d8ead43eb035939f4202955fd01bb4c5c7190468a37725a9976109dd0987da1e25561ee358bf6d159fe2ed4ad7f1b872edf3009dd137d66b373a1a8

Download Submit
C:\Windows\System32\jLVWrFd.exe

Filesize
640KB

MD5
3cf76162c6dda1f89f2ad962c157d43b

SHA1
1eb751bcf5454818f5fbf643170f692064ac0eb8

SHA256
fc257e6d26c033352e87b21349e84e0b70c1e46ef2f2af808736e694dc46f31c

SHA512
6ed0bc96a9ecbe23c4d0af3082caa39a533679172dbf389b8036c0b3b14bde8c8783df45161fa5b1f2fce0e338ed8f85b1be54c456322f1aafdd61878e165823

Download Submit
C:\Windows\System32\jROcXKK.exe

Filesize
1.4MB

MD5
21ef371d686e87c4aec95692830337bd

SHA1
9e281ffbc249aeff96f8a364194a49ab6872f1ef

SHA256
81ee83a19dbc09fa95077e3fff955723462df2b8d9561cfa1da5f8992b1a366b

SHA512
25ebe6484f2cf46019c00ab93aa67951b9ec5187d1e5c70bb5512a45778c109d8ff1ea72571981389f4f4b9b72577589f701e0be3fe2daccd0a46786ca2e3075

Download Submit
C:\Windows\System32\jROcXKK.exe

Filesize
448KB

MD5
cd3b865bd20cb43107d9da43af57f025

SHA1
e285ab87b9758fc9b720b6b1ef202542ad1a17f1

SHA256
5b880ae160d2157c2b042bea106b6e589e80fd46737ff6520e98271679fafc9f

SHA512
67ff98eabbf3838dc2d6e206fcb0deb2899386e970383b182e380c8540d872872da51342ff3267380fd7bb9b7dd0c06ea80a33edb0b58fe48a5204bddef363d7

Download Submit
C:\Windows\System32\kLujHMD.exe

Filesize
1.4MB

MD5
37a17395f39d7ea481871474f221d201

SHA1
182f3b45add498e1ee987cd22ead73fe1c062b50

SHA256
88085dd9893107918c045a4aa307f83022f1a49029246b8ecc56694b7cf9fe17

SHA512
cf035aab5062d556666b5d7d14104353a69157b43deb5e2ae43ddae305defe039fd7fdc568eb372310cc8bac1b3b0d67f54fa81a9ec7bde3351536600398da35

Download Submit
C:\Windows\System32\llLpYRB.exe

Filesize
1.4MB

MD5
2353b2858ee57080c1dd5a1de7c0bcbe

SHA1
162396800a338dbdb6195f32f89ef1475a3e944a

SHA256
37435f1061839f295ebed15dd84208d61f7e6fadc7c0b1182e3962607c229617

SHA512
a3c44e97a8fabd9658164ff04a2e2d524d24b53ac1aa1734e68d9f052e3a2dd69d49a2ce0f82b11d540026025fccd69ca3c6b0dfc1c542f2b6cefecffc5be48f

Download Submit
C:\Windows\System32\ojuUJHt.exe

Filesize
1.4MB

MD5
5ed19d75743f0e4ac48dbfba27c482a4

SHA1
e2b0ce9518e43d84d5a1609dd78b784ce6183e71

SHA256
d6ea7876d9112b5865f9d153a6d7b2f0ed47c54d0bab679a425829b70c80abb4

SHA512
3ccdc802433bac6cc118b366c4f505d79710fcad8b0840652911d4734066e90597b1d7c9049768ebc6fa325d227635b580a029770c818695d016e4af1dfedb75

Download Submit
C:\Windows\System32\ojuUJHt.exe

Filesize
42KB

MD5
6de21d6d3780149eeff09545e2c2b560

SHA1
c94b196b668fe5d8621d383b1078bc2523aa4c5d

SHA256
cb1f93020960239eae70df656d2b17220aa58c194497f94997aa28869cd79a93

SHA512
ddb8d27ef89c5a01d244c73f518c591f34be2ad8ace17e8ae082e04ae2150ad53ab6ab0129288bfe81d45f7d70c1cf492e414031cd4247d5202fead1b90bb4b1

Download Submit
C:\Windows\System32\pWkRkeb.exe

Filesize
1.4MB

MD5
a439ded8aca07680cdcc82d4dc680779

SHA1
af88c2ebda25f744ce12e64c69289640d334b566

SHA256
eb37ab120852c41a769c10b489625b0d135216bc1df4a2de22567b08cd8ad76c

SHA512
b15d53f0ce39d8e6e6350abfd9f061fa093cb3660403b2bbd7c286a489f87603430a53125e823fcf37e437e36171493c114eca4ba3000f05291912f6011417a7

Download Submit
C:\Windows\System32\pWkRkeb.exe

Filesize
832KB

MD5
5561d93857bae2c148f5a0abfe964dd5

SHA1
5672080d8a6b8622e4b340a6a65e054afd649074

SHA256
593efbc5ecce486df8688c9d48e82c376fa77b6396c96c41bd4c0acfbd982a8a

SHA512
e4c642ae5ccdecabc2fa27791060d2faaa2d8cf2b3613bd28a2627d32da47d6ba7d9b641c53a28ba5863639735160a42f40a63efa0ce9f786b76cf7ec1af0a46

Download Submit
C:\Windows\System32\qmTasBJ.exe

Filesize
768KB

MD5
685de15e1d084bc004fbf7bb283f7445

SHA1
48cd3e828429e29d9308fc900047ee605a579a61

SHA256
f20c26c29ed06718ef68e8c40f96642fa809769ce10ab02c49d1c80bbd7a5ff4

SHA512
f514d3213482081441c5b2b417c4f00a1a34d528b1d56c62cd15a346048db63f3c2bc718a8ed4d2fb926096d27aa5079326ed30e07915d71c65c7063828b6877

Download Submit
C:\Windows\System32\qmTasBJ.exe

Filesize
704KB

MD5
be364f8f5201574da3cea18e67aba50d

SHA1
5b08e5b606f891e3c02cf5ad2f09431842b0a4d8

SHA256
61c4466b060257ccd2cd7a831063a61b4728085f77ea0cbd0f635e598ad225e2

SHA512
5870c5ef35a64ff0c29f63cc03fcb801e35ee4bbf2204e191e683db982cb3a59f286500683c554e2e4ed1a8e364ff9046fed8dcf7014ab95aa9e3d70e74bc6f5

Download Submit
C:\Windows\System32\qwlSrkU.exe

Filesize
1.4MB

MD5
d63b070aca241e709c36505ea3d09845

SHA1
6164b225dba0538a307a1e2acc8da23ac9c71abc

SHA256
ebaaac3180de9c03b836bb390f95ed0032658460792a26113a7b5923ebab9486

SHA512
a1a8b7c6e0c4d9ac7e95e3b2ed0fe197d67e5bb7b49dff9b37c1d40efa399b1327ac35cc056c8af2d4b7f1e3a93a8ce806256d4de8d2cd274d256bc3070137c3

Download Submit
C:\Windows\System32\syFDhkh.exe

Filesize
1.4MB

MD5
35a86368da605a371b689b3aa09e5876

SHA1
0fa84848f7c2d519cfdb45b4da6dd7338283efee

SHA256
bde09143caad0ab235074132e3b838f29095c07d4e984282cb66b87d6b97f9a7

SHA512
f6c82d554dba8d134d599e02926ecbfacff7196601f12c0973cd2f5ffb7985614558f36fb3f8582eff39136a72d5ca7fd6ef006f520fc0088d303335b4dd20e6

Download Submit
C:\Windows\System32\tfUJVsW.exe

Filesize
128KB

MD5
18bd523bb2a1a1369bb861c2beda1bc3

SHA1
159ae1849d055c1d8bb25e42b0e54ed974d7314d

SHA256
12ad6f35b7fdd28af2b7c5797d1f91e4834bef196506c91686fa763f49df8e50

SHA512
e46efb48b6f9a49b07b22487034e5c017ad4a36bd99d35dd05d2c587eb6b3734064c55ef0a3736ebf2791f6c83e5c5733adf99ea9ff7946e625fb17da3bf781d

Download Submit
C:\Windows\System32\tfUJVsW.exe

Filesize
1.4MB

MD5
158ac5da6babc2d7c5c521f310d76098

SHA1
16fe25d06775d4f47c2ce84de9ce097703e02ae9

SHA256
12e958bae06bd90ebea4aba189d14beb4613f5b2b65007e74366dc43042f6f59

SHA512
50326a748ac465a40d5282777f56a75e2a9a376c50a4bf28c832f68d9f377a6ae133732ad7231d3cccac78444036a648974575313fb472f96bd7a952ca6141d5

Download Submit
C:\Windows\System32\yLesosm.exe

Filesize
1.4MB

MD5
eb09151ddcff1f9c57ed715a2a5b501b

SHA1
54b9413fd9358e5656836eff9c24382af5fecea3

SHA256
f371233f5ffd9c85914320adc218b1382e461d3e19d8c867177abc3bbabb302d

SHA512
d0fe40b6adbf2a700225c22cfcc7f1570d874abdea7573db31e4d48e2bdedd9b2c416dbb6546c1f48e7cbdbbfeaab3d970b085a0801a97400d6d21f4b2ae9621

Download Submit
C:\Windows\System32\yLvBdjG.exe

Filesize
1.4MB

MD5
064154e800d42ab9d82d14e3ec18ab1c

SHA1
af461ca3876bff0e882577e1debf60c954c3efef

SHA256
7c62d31d7b838719704e580c9276c6106b76e5e3e9a01be24dfc47745b78f56d

SHA512
af5b72d3da5d46fc7441a6e8c533ea1f4f276baf9c751d26bc9fa70b1eded4f4abb98207aabab00680be2acb349614d2303464da3d9c5ebba1b22f72ac606938

Download Submit
C:\Windows\System32\yiDSkon.exe

Filesize
1.4MB

MD5
e2c2e2f06717f4b3b7d83c58497f98e3

SHA1
d5e39363eda2d5bad6dc383a18d90b4bb5db634b

SHA256
7c85fc7ebeb1b65efa32ef1ce9fcf37ea4c011d62a1d53ed2cab35bcece932ac

SHA512
f986356545ecf0c89afcf9be435f06fa5b8e79d0d09b9ac95beeabc610e6ea4722e65e0e0fbca2515e1f722507118ef83b5542c5611da432d04237bbe1379973

Download Submit
memory/440-340-0x00007FF7285F0000-0x00007FF7289E1000-memory.dmp

Filesize
3.9MB

Download
memory/540-14-0x00007FF68ED70000-0x00007FF68F161000-memory.dmp

Filesize
3.9MB

Download
memory/764-16-0x00007FF65E740000-0x00007FF65EB31000-memory.dmp

Filesize
3.9MB

Download
memory/824-548-0x00007FF6A19C0000-0x00007FF6A1DB1000-memory.dmp

Filesize
3.9MB

Download
memory/828-302-0x00007FF7E2E90000-0x00007FF7E3281000-memory.dmp

Filesize
3.9MB

Download
memory/880-349-0x00007FF6B2190000-0x00007FF6B2581000-memory.dmp

Filesize
3.9MB

Download
memory/892-255-0x00007FF796320000-0x00007FF796711000-memory.dmp

Filesize
3.9MB

Download
memory/940-259-0x00007FF7B7ED0000-0x00007FF7B82C1000-memory.dmp

Filesize
3.9MB

Download
memory/1032-423-0x00007FF74F740000-0x00007FF74FB31000-memory.dmp

Filesize
3.9MB

Download
memory/1040-575-0x00007FF649540000-0x00007FF649931000-memory.dmp

Filesize
3.9MB

Download
memory/1048-345-0x00007FF7A88B0000-0x00007FF7A8CA1000-memory.dmp

Filesize
3.9MB

Download
memory/1076-395-0x00007FF7190A0000-0x00007FF719491000-memory.dmp

Filesize
3.9MB

Download
memory/1116-355-0x00007FF693260000-0x00007FF693651000-memory.dmp

Filesize
3.9MB

Download
memory/1144-408-0x00007FF7B0EB0000-0x00007FF7B12A1000-memory.dmp

Filesize
3.9MB

Download
memory/1312-47-0x00007FF66F920000-0x00007FF66FD11000-memory.dmp

Filesize
3.9MB

Download
memory/1640-524-0x00007FF7A1EA0000-0x00007FF7A2291000-memory.dmp

Filesize
3.9MB

Download
memory/1672-401-0x00007FF6124B0000-0x00007FF6128A1000-memory.dmp

Filesize
3.9MB

Download
memory/1680-257-0x00007FF6981C0000-0x00007FF6985B1000-memory.dmp

Filesize
3.9MB

Download
memory/1848-399-0x00007FF6356A0000-0x00007FF635A91000-memory.dmp

Filesize
3.9MB

Download
memory/1876-51-0x00007FF7ED440000-0x00007FF7ED831000-memory.dmp

Filesize
3.9MB

Download
memory/1892-54-0x00007FF713420000-0x00007FF713811000-memory.dmp

Filesize
3.9MB

Download
memory/1984-535-0x00007FF619CF0000-0x00007FF61A0E1000-memory.dmp

Filesize
3.9MB

Download
memory/2184-543-0x00007FF70E460000-0x00007FF70E851000-memory.dmp

Filesize
3.9MB

Download
memory/2368-39-0x00007FF65D8F0000-0x00007FF65DCE1000-memory.dmp

Filesize
3.9MB

Download
memory/2404-410-0x00007FF7492A0000-0x00007FF749691000-memory.dmp

Filesize
3.9MB

Download
memory/2416-265-0x00007FF7E9540000-0x00007FF7E9931000-memory.dmp

Filesize
3.9MB

Download
memory/2444-269-0x00007FF7F3030000-0x00007FF7F3421000-memory.dmp

Filesize
3.9MB

Download
memory/2464-536-0x00007FF75CDC0000-0x00007FF75D1B1000-memory.dmp

Filesize
3.9MB

Download
memory/2568-70-0x00007FF770D10000-0x00007FF771101000-memory.dmp

Filesize
3.9MB

Download
memory/2792-327-0x00007FF77E270000-0x00007FF77E661000-memory.dmp

Filesize
3.9MB

Download
memory/3100-390-0x00007FF634820000-0x00007FF634C11000-memory.dmp

Filesize
3.9MB

Download
memory/3144-312-0x00007FF628190000-0x00007FF628581000-memory.dmp

Filesize
3.9MB

Download
memory/3172-41-0x00007FF7C2020000-0x00007FF7C2411000-memory.dmp

Filesize
3.9MB

Download
memory/3204-30-0x00007FF742000000-0x00007FF7423F1000-memory.dmp

Filesize
3.9MB

Download
memory/3212-69-0x00007FF749E20000-0x00007FF74A211000-memory.dmp

Filesize
3.9MB

Download
memory/3264-556-0x00007FF70FB00000-0x00007FF70FEF1000-memory.dmp

Filesize
3.9MB

Download
memory/3276-331-0x00007FF773870000-0x00007FF773C61000-memory.dmp

Filesize
3.9MB

Download
memory/3296-559-0x00007FF714230000-0x00007FF714621000-memory.dmp

Filesize
3.9MB

Download
memory/3340-336-0x00007FF70ED40000-0x00007FF70F131000-memory.dmp

Filesize
3.9MB

Download
memory/3580-433-0x00007FF676690000-0x00007FF676A81000-memory.dmp

Filesize
3.9MB

Download
memory/3596-317-0x00007FF61C9A0000-0x00007FF61CD91000-memory.dmp

Filesize
3.9MB

Download
memory/3888-258-0x00007FF7603B0000-0x00007FF7607A1000-memory.dmp

Filesize
3.9MB

Download
memory/3896-415-0x00007FF776EF0000-0x00007FF7772E1000-memory.dmp

Filesize
3.9MB

Download
memory/3920-393-0x00007FF692AF0000-0x00007FF692EE1000-memory.dmp

Filesize
3.9MB

Download
memory/3924-260-0x00007FF774430000-0x00007FF774821000-memory.dmp

Filesize
3.9MB

Download
memory/3964-289-0x00007FF771960000-0x00007FF771D51000-memory.dmp

Filesize
3.9MB

Download
memory/3996-397-0x00007FF766A90000-0x00007FF766E81000-memory.dmp

Filesize
3.9MB

Download
memory/4028-539-0x00007FF6B4FD0000-0x00007FF6B53C1000-memory.dmp

Filesize
3.9MB

Download
memory/4156-295-0x00007FF6C9E40000-0x00007FF6CA231000-memory.dmp

Filesize
3.9MB

Download
memory/4324-1-0x000001D46DEA0000-0x000001D46DEB0000-memory.dmp

Filesize
64KB

Download
memory/4324-0-0x00007FF726B40000-0x00007FF726F31000-memory.dmp

Filesize
3.9MB

Download
memory/4368-396-0x00007FF7E21B0000-0x00007FF7E25A1000-memory.dmp

Filesize
3.9MB

Download
memory/4412-10-0x00007FF6E9120000-0x00007FF6E9511000-memory.dmp

Filesize
3.9MB

Download
memory/4496-256-0x00007FF737010000-0x00007FF737401000-memory.dmp

Filesize
3.9MB

Download
memory/4552-512-0x00007FF7C1E30000-0x00007FF7C2221000-memory.dmp

Filesize
3.9MB

Download
memory/4576-530-0x00007FF7194A0000-0x00007FF719891000-memory.dmp

Filesize
3.9MB

Download
memory/4644-420-0x00007FF69C780000-0x00007FF69CB71000-memory.dmp

Filesize
3.9MB

Download
memory/4760-413-0x00007FF7A3D00000-0x00007FF7A40F1000-memory.dmp

Filesize
3.9MB

Download
memory/4820-279-0x00007FF6993B0000-0x00007FF6997A1000-memory.dmp

Filesize
3.9MB

Download
memory/4860-358-0x00007FF775660000-0x00007FF775A51000-memory.dmp

Filesize
3.9MB

Download
memory/4864-520-0x00007FF601A20000-0x00007FF601E11000-memory.dmp

Filesize
3.9MB

Download
memory/4880-412-0x00007FF7A28B0000-0x00007FF7A2CA1000-memory.dmp

Filesize
3.9MB

Download
memory/5032-435-0x00007FF798C90000-0x00007FF799081000-memory.dmp

Filesize
3.9MB

Download
memory/5056-273-0x00007FF684A20000-0x00007FF684E11000-memory.dmp

Filesize
3.9MB

Download
memory/5060-284-0x00007FF71E650000-0x00007FF71EA41000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads