xmrig | e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7

Analysis

max time kernel
124s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
Size

2.3MB
MD5

6819ef0f8c3f9ebd73bddad420561534
SHA1

fc07a61ed0774800bc76cbfefc91a6e95719d0d4
SHA256

e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7
SHA512

e2bfb612959eb32182a842f339e78c7bc078fc3221d13faf5656c4ebbc55457510dc28271398cb63cf36473ff9324b8f93fe217d484f1ee34ded1985e4d4fbf6
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8Dze7jcqD0+qd:N0GnJMOWPClFdx6e0EALKWVTffZiPAc3

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/556-0-0x00007FF6AD780000-0x00007FF6ADB75000-memory.dmp	UPX
behavioral2/files/0x00080000000231e7-6.dat	UPX
behavioral2/files/0x00060000000231ed-9.dat	UPX
behavioral2/files/0x00060000000231ed-15.dat	UPX
behavioral2/memory/856-17-0x00007FF773D40000-0x00007FF774135000-memory.dmp	UPX
behavioral2/files/0x00060000000231ed-18.dat	UPX
behavioral2/memory/2428-32-0x00007FF6D09B0000-0x00007FF6D0DA5000-memory.dmp	UPX
behavioral2/files/0x00060000000231f0-40.dat	UPX
behavioral2/files/0x00060000000231ef-35.dat	UPX
behavioral2/files/0x00060000000231f2-48.dat	UPX
behavioral2/files/0x00060000000231f3-53.dat	UPX
behavioral2/files/0x00060000000231f3-56.dat	UPX
behavioral2/memory/3184-58-0x00007FF657C40000-0x00007FF658035000-memory.dmp	UPX
behavioral2/memory/3288-59-0x00007FF6851F0000-0x00007FF6855E5000-memory.dmp	UPX
behavioral2/files/0x00060000000231f6-68.dat	UPX
behavioral2/files/0x00080000000231e8-73.dat	UPX
behavioral2/files/0x00060000000231f7-80.dat	UPX
behavioral2/files/0x00060000000231f7-78.dat	UPX
behavioral2/files/0x00060000000231f8-87.dat	UPX
behavioral2/memory/1768-84-0x00007FF69C5F0000-0x00007FF69C9E5000-memory.dmp	UPX
behavioral2/memory/1460-86-0x00007FF715980000-0x00007FF715D75000-memory.dmp	UPX
behavioral2/memory/556-92-0x00007FF6AD780000-0x00007FF6ADB75000-memory.dmp	UPX
behavioral2/files/0x00060000000231fa-101.dat	UPX
behavioral2/memory/2684-104-0x00007FF7038A0000-0x00007FF703C95000-memory.dmp	UPX
behavioral2/files/0x00060000000231fa-99.dat	UPX
behavioral2/memory/4876-108-0x00007FF7FC6E0000-0x00007FF7FCAD5000-memory.dmp	UPX
behavioral2/memory/1880-109-0x00007FF71FDC0000-0x00007FF7201B5000-memory.dmp	UPX
behavioral2/memory/856-112-0x00007FF773D40000-0x00007FF774135000-memory.dmp	UPX
behavioral2/memory/4644-117-0x00007FF611580000-0x00007FF611975000-memory.dmp	UPX
behavioral2/memory/4016-119-0x00007FF6BC1E0000-0x00007FF6BC5D5000-memory.dmp	UPX
behavioral2/files/0x00060000000231fc-125.dat	UPX
behavioral2/files/0x00060000000231fd-129.dat	UPX
behavioral2/files/0x0006000000023200-139.dat	UPX
behavioral2/memory/4140-148-0x00007FF67E080000-0x00007FF67E475000-memory.dmp	UPX
behavioral2/files/0x0006000000023201-156.dat	UPX
behavioral2/files/0x0006000000023202-159.dat	UPX
behavioral2/files/0x0006000000023205-175.dat	UPX
behavioral2/files/0x0006000000023207-183.dat	UPX
behavioral2/files/0x0006000000023209-193.dat	UPX
behavioral2/memory/2644-461-0x00007FF779570000-0x00007FF779965000-memory.dmp	UPX
behavioral2/memory/1484-463-0x00007FF72EAE0000-0x00007FF72EED5000-memory.dmp	UPX
behavioral2/memory/2028-465-0x00007FF69B630000-0x00007FF69BA25000-memory.dmp	UPX
behavioral2/memory/880-464-0x00007FF64CD70000-0x00007FF64D165000-memory.dmp	UPX
behavioral2/memory/5112-466-0x00007FF71AEE0000-0x00007FF71B2D5000-memory.dmp	UPX
behavioral2/memory/3472-462-0x00007FF71E2B0000-0x00007FF71E6A5000-memory.dmp	UPX
behavioral2/memory/2956-460-0x00007FF7BA7F0000-0x00007FF7BABE5000-memory.dmp	UPX
behavioral2/memory/4880-484-0x00007FF7A0A40000-0x00007FF7A0E35000-memory.dmp	UPX
behavioral2/memory/3636-489-0x00007FF7ECF20000-0x00007FF7ED315000-memory.dmp	UPX
behavioral2/memory/3748-497-0x00007FF664DF0000-0x00007FF6651E5000-memory.dmp	UPX
behavioral2/memory/4728-514-0x00007FF712140000-0x00007FF712535000-memory.dmp	UPX
behavioral2/memory/4316-527-0x00007FF611D40000-0x00007FF612135000-memory.dmp	UPX
behavioral2/memory/3640-547-0x00007FF6748D0000-0x00007FF674CC5000-memory.dmp	UPX
behavioral2/memory/4652-566-0x00007FF6E0790000-0x00007FF6E0B85000-memory.dmp	UPX
behavioral2/memory/4440-580-0x00007FF65F010000-0x00007FF65F405000-memory.dmp	UPX
behavioral2/memory/1676-598-0x00007FF6C67D0000-0x00007FF6C6BC5000-memory.dmp	UPX
behavioral2/memory/3796-606-0x00007FF75A0E0000-0x00007FF75A4D5000-memory.dmp	UPX
behavioral2/memory/2188-615-0x00007FF6C8070000-0x00007FF6C8465000-memory.dmp	UPX
behavioral2/memory/4588-625-0x00007FF643700000-0x00007FF643AF5000-memory.dmp	UPX
behavioral2/memory/4944-632-0x00007FF69B1B0000-0x00007FF69B5A5000-memory.dmp	UPX
behavioral2/memory/4320-592-0x00007FF688800000-0x00007FF688BF5000-memory.dmp	UPX
behavioral2/memory/4388-569-0x00007FF7ECC60000-0x00007FF7ED055000-memory.dmp	UPX
behavioral2/memory/1872-555-0x00007FF7F3110000-0x00007FF7F3505000-memory.dmp	UPX
behavioral2/memory/3112-537-0x00007FF705B00000-0x00007FF705EF5000-memory.dmp	UPX
behavioral2/memory/3388-525-0x00007FF613CB0000-0x00007FF6140A5000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/556-0-0x00007FF6AD780000-0x00007FF6ADB75000-memory.dmp	xmrig
behavioral2/files/0x00080000000231e7-6.dat	xmrig
behavioral2/files/0x00060000000231ed-9.dat	xmrig
behavioral2/files/0x00060000000231ed-15.dat	xmrig
behavioral2/memory/856-17-0x00007FF773D40000-0x00007FF774135000-memory.dmp	xmrig
behavioral2/files/0x00060000000231ed-18.dat	xmrig
behavioral2/memory/2428-32-0x00007FF6D09B0000-0x00007FF6D0DA5000-memory.dmp	xmrig
behavioral2/files/0x00060000000231f0-40.dat	xmrig
behavioral2/files/0x00060000000231ef-35.dat	xmrig
behavioral2/files/0x00060000000231f2-48.dat	xmrig
behavioral2/files/0x00060000000231f3-53.dat	xmrig
behavioral2/files/0x00060000000231f3-56.dat	xmrig
behavioral2/memory/3184-58-0x00007FF657C40000-0x00007FF658035000-memory.dmp	xmrig
behavioral2/memory/3288-59-0x00007FF6851F0000-0x00007FF6855E5000-memory.dmp	xmrig
behavioral2/files/0x00060000000231f6-68.dat	xmrig
behavioral2/files/0x00080000000231e8-73.dat	xmrig
behavioral2/files/0x00060000000231f7-80.dat	xmrig
behavioral2/files/0x00060000000231f7-78.dat	xmrig
behavioral2/files/0x00060000000231f8-87.dat	xmrig
behavioral2/memory/1768-84-0x00007FF69C5F0000-0x00007FF69C9E5000-memory.dmp	xmrig
behavioral2/memory/1460-86-0x00007FF715980000-0x00007FF715D75000-memory.dmp	xmrig
behavioral2/memory/556-92-0x00007FF6AD780000-0x00007FF6ADB75000-memory.dmp	xmrig
behavioral2/files/0x00060000000231fa-101.dat	xmrig
behavioral2/memory/2684-104-0x00007FF7038A0000-0x00007FF703C95000-memory.dmp	xmrig
behavioral2/files/0x00060000000231fa-99.dat	xmrig
behavioral2/memory/4876-108-0x00007FF7FC6E0000-0x00007FF7FCAD5000-memory.dmp	xmrig
behavioral2/memory/1880-109-0x00007FF71FDC0000-0x00007FF7201B5000-memory.dmp	xmrig
behavioral2/memory/856-112-0x00007FF773D40000-0x00007FF774135000-memory.dmp	xmrig
behavioral2/memory/4644-117-0x00007FF611580000-0x00007FF611975000-memory.dmp	xmrig
behavioral2/memory/4016-119-0x00007FF6BC1E0000-0x00007FF6BC5D5000-memory.dmp	xmrig
behavioral2/files/0x00060000000231fc-125.dat	xmrig
behavioral2/files/0x00060000000231fd-129.dat	xmrig
behavioral2/files/0x0006000000023200-139.dat	xmrig
behavioral2/memory/4140-148-0x00007FF67E080000-0x00007FF67E475000-memory.dmp	xmrig
behavioral2/files/0x0006000000023201-156.dat	xmrig
behavioral2/files/0x0006000000023202-159.dat	xmrig
behavioral2/files/0x0006000000023205-175.dat	xmrig
behavioral2/files/0x0006000000023207-183.dat	xmrig
behavioral2/files/0x0006000000023209-193.dat	xmrig
behavioral2/memory/2644-461-0x00007FF779570000-0x00007FF779965000-memory.dmp	xmrig
behavioral2/memory/1484-463-0x00007FF72EAE0000-0x00007FF72EED5000-memory.dmp	xmrig
behavioral2/memory/2028-465-0x00007FF69B630000-0x00007FF69BA25000-memory.dmp	xmrig
behavioral2/memory/880-464-0x00007FF64CD70000-0x00007FF64D165000-memory.dmp	xmrig
behavioral2/memory/5112-466-0x00007FF71AEE0000-0x00007FF71B2D5000-memory.dmp	xmrig
behavioral2/memory/3472-462-0x00007FF71E2B0000-0x00007FF71E6A5000-memory.dmp	xmrig
behavioral2/memory/2956-460-0x00007FF7BA7F0000-0x00007FF7BABE5000-memory.dmp	xmrig
behavioral2/memory/4880-484-0x00007FF7A0A40000-0x00007FF7A0E35000-memory.dmp	xmrig
behavioral2/memory/3636-489-0x00007FF7ECF20000-0x00007FF7ED315000-memory.dmp	xmrig
behavioral2/memory/3748-497-0x00007FF664DF0000-0x00007FF6651E5000-memory.dmp	xmrig
behavioral2/memory/4728-514-0x00007FF712140000-0x00007FF712535000-memory.dmp	xmrig
behavioral2/memory/4316-527-0x00007FF611D40000-0x00007FF612135000-memory.dmp	xmrig
behavioral2/memory/3640-547-0x00007FF6748D0000-0x00007FF674CC5000-memory.dmp	xmrig
behavioral2/memory/4652-566-0x00007FF6E0790000-0x00007FF6E0B85000-memory.dmp	xmrig
behavioral2/memory/4440-580-0x00007FF65F010000-0x00007FF65F405000-memory.dmp	xmrig
behavioral2/memory/1676-598-0x00007FF6C67D0000-0x00007FF6C6BC5000-memory.dmp	xmrig
behavioral2/memory/3796-606-0x00007FF75A0E0000-0x00007FF75A4D5000-memory.dmp	xmrig
behavioral2/memory/2188-615-0x00007FF6C8070000-0x00007FF6C8465000-memory.dmp	xmrig
behavioral2/memory/4588-625-0x00007FF643700000-0x00007FF643AF5000-memory.dmp	xmrig
behavioral2/memory/4944-632-0x00007FF69B1B0000-0x00007FF69B5A5000-memory.dmp	xmrig
behavioral2/memory/4320-592-0x00007FF688800000-0x00007FF688BF5000-memory.dmp	xmrig
behavioral2/memory/4388-569-0x00007FF7ECC60000-0x00007FF7ED055000-memory.dmp	xmrig
behavioral2/memory/1872-555-0x00007FF7F3110000-0x00007FF7F3505000-memory.dmp	xmrig
behavioral2/memory/3112-537-0x00007FF705B00000-0x00007FF705EF5000-memory.dmp	xmrig
behavioral2/memory/3388-525-0x00007FF613CB0000-0x00007FF6140A5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2684	YfBcWqK.exe
2504	aUSOlTK.exe
856	PyqiRHf.exe
4644	HTNpeCa.exe
2428	BpnOrTq.exe
4648	kmvHiRm.exe
4524	wRDHZlG.exe
2040	qNhyJfB.exe
3184	xGctRjp.exe
3288	BWvUIrG.exe
1768	NqLacBl.exe
1460	WhyPhwF.exe
2932	oQxHLqd.exe
348	QCoiOjC.exe
1824	CDEtfTT.exe
1880	MIYdqrB.exe
4876	EwcYFdl.exe
3264	AeJVGpQ.exe
4016	FocSNsM.exe
1700	IxqhEfU.exe
3220	CunTokJ.exe
4140	PxWUgLY.exe
4000	wrYBhtl.exe
4280	lNwhPaE.exe
5056	iWiQOje.exe
2956	pNUDlEa.exe
2644	ZAfkSnX.exe
3472	ykwtnJN.exe
1484	SEstdOG.exe
880	WYNsgbR.exe
2028	ISGNrpj.exe
5112	wVBmgDE.exe
3024	mJVadhC.exe
3892	PKKMjkD.exe
4880	YiQoJdO.exe
3636	qGIeDNA.exe
3748	hTVwlnZ.exe
2920	MnlNDbH.exe
4728	yjEbvzR.exe
3456	wbwQupi.exe
3388	VdfhEum.exe
4316	ycEgeUx.exe
3112	gihXxJF.exe
3640	BfnnGjr.exe
1872	jTXkcRs.exe
4652	SpxIavc.exe
4388	tvKxgaJ.exe
4440	wkgWcoQ.exe
4320	rWAIIaq.exe
1676	mvidUKQ.exe
3796	hSUAKrP.exe
2188	BZmqzxR.exe
4588	NLjVWhn.exe
4944	BWggNUL.exe
2044	wIKtlrD.exe
4848	AFJuEwo.exe
2384	edoIcIf.exe
1944	KamriiP.exe
2032	TrFYpcU.exe
4364	waQMMEj.exe
2360	hlksPFI.exe
4752	qaGjVTy.exe
3100	wXFEwaM.exe
2848	FpXsayq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/556-0-0x00007FF6AD780000-0x00007FF6ADB75000-memory.dmp	upx
behavioral2/files/0x00080000000231e7-6.dat	upx
behavioral2/files/0x00060000000231ed-9.dat	upx
behavioral2/files/0x00060000000231ed-15.dat	upx
behavioral2/memory/856-17-0x00007FF773D40000-0x00007FF774135000-memory.dmp	upx
behavioral2/files/0x00060000000231ed-18.dat	upx
behavioral2/memory/2428-32-0x00007FF6D09B0000-0x00007FF6D0DA5000-memory.dmp	upx
behavioral2/files/0x00060000000231f0-40.dat	upx
behavioral2/files/0x00060000000231ef-35.dat	upx
behavioral2/files/0x00060000000231f2-48.dat	upx
behavioral2/files/0x00060000000231f3-53.dat	upx
behavioral2/files/0x00060000000231f3-56.dat	upx
behavioral2/memory/3184-58-0x00007FF657C40000-0x00007FF658035000-memory.dmp	upx
behavioral2/memory/3288-59-0x00007FF6851F0000-0x00007FF6855E5000-memory.dmp	upx
behavioral2/files/0x00060000000231f6-68.dat	upx
behavioral2/files/0x00080000000231e8-73.dat	upx
behavioral2/files/0x00060000000231f7-80.dat	upx
behavioral2/files/0x00060000000231f7-78.dat	upx
behavioral2/files/0x00060000000231f8-87.dat	upx
behavioral2/memory/1768-84-0x00007FF69C5F0000-0x00007FF69C9E5000-memory.dmp	upx
behavioral2/memory/1460-86-0x00007FF715980000-0x00007FF715D75000-memory.dmp	upx
behavioral2/memory/556-92-0x00007FF6AD780000-0x00007FF6ADB75000-memory.dmp	upx
behavioral2/files/0x00060000000231fa-101.dat	upx
behavioral2/memory/2684-104-0x00007FF7038A0000-0x00007FF703C95000-memory.dmp	upx
behavioral2/files/0x00060000000231fa-99.dat	upx
behavioral2/memory/4876-108-0x00007FF7FC6E0000-0x00007FF7FCAD5000-memory.dmp	upx
behavioral2/memory/1880-109-0x00007FF71FDC0000-0x00007FF7201B5000-memory.dmp	upx
behavioral2/memory/856-112-0x00007FF773D40000-0x00007FF774135000-memory.dmp	upx
behavioral2/memory/4644-117-0x00007FF611580000-0x00007FF611975000-memory.dmp	upx
behavioral2/memory/4016-119-0x00007FF6BC1E0000-0x00007FF6BC5D5000-memory.dmp	upx
behavioral2/files/0x00060000000231fc-125.dat	upx
behavioral2/files/0x00060000000231fd-129.dat	upx
behavioral2/files/0x0006000000023200-139.dat	upx
behavioral2/memory/4140-148-0x00007FF67E080000-0x00007FF67E475000-memory.dmp	upx
behavioral2/files/0x0006000000023201-156.dat	upx
behavioral2/files/0x0006000000023202-159.dat	upx
behavioral2/files/0x0006000000023205-175.dat	upx
behavioral2/files/0x0006000000023207-183.dat	upx
behavioral2/files/0x0006000000023209-193.dat	upx
behavioral2/memory/2644-461-0x00007FF779570000-0x00007FF779965000-memory.dmp	upx
behavioral2/memory/1484-463-0x00007FF72EAE0000-0x00007FF72EED5000-memory.dmp	upx
behavioral2/memory/2028-465-0x00007FF69B630000-0x00007FF69BA25000-memory.dmp	upx
behavioral2/memory/880-464-0x00007FF64CD70000-0x00007FF64D165000-memory.dmp	upx
behavioral2/memory/5112-466-0x00007FF71AEE0000-0x00007FF71B2D5000-memory.dmp	upx
behavioral2/memory/3472-462-0x00007FF71E2B0000-0x00007FF71E6A5000-memory.dmp	upx
behavioral2/memory/2956-460-0x00007FF7BA7F0000-0x00007FF7BABE5000-memory.dmp	upx
behavioral2/memory/4880-484-0x00007FF7A0A40000-0x00007FF7A0E35000-memory.dmp	upx
behavioral2/memory/3636-489-0x00007FF7ECF20000-0x00007FF7ED315000-memory.dmp	upx
behavioral2/memory/3748-497-0x00007FF664DF0000-0x00007FF6651E5000-memory.dmp	upx
behavioral2/memory/4728-514-0x00007FF712140000-0x00007FF712535000-memory.dmp	upx
behavioral2/memory/4316-527-0x00007FF611D40000-0x00007FF612135000-memory.dmp	upx
behavioral2/memory/3640-547-0x00007FF6748D0000-0x00007FF674CC5000-memory.dmp	upx
behavioral2/memory/4652-566-0x00007FF6E0790000-0x00007FF6E0B85000-memory.dmp	upx
behavioral2/memory/4440-580-0x00007FF65F010000-0x00007FF65F405000-memory.dmp	upx
behavioral2/memory/1676-598-0x00007FF6C67D0000-0x00007FF6C6BC5000-memory.dmp	upx
behavioral2/memory/3796-606-0x00007FF75A0E0000-0x00007FF75A4D5000-memory.dmp	upx
behavioral2/memory/2188-615-0x00007FF6C8070000-0x00007FF6C8465000-memory.dmp	upx
behavioral2/memory/4588-625-0x00007FF643700000-0x00007FF643AF5000-memory.dmp	upx
behavioral2/memory/4944-632-0x00007FF69B1B0000-0x00007FF69B5A5000-memory.dmp	upx
behavioral2/memory/4320-592-0x00007FF688800000-0x00007FF688BF5000-memory.dmp	upx
behavioral2/memory/4388-569-0x00007FF7ECC60000-0x00007FF7ED055000-memory.dmp	upx
behavioral2/memory/1872-555-0x00007FF7F3110000-0x00007FF7F3505000-memory.dmp	upx
behavioral2/memory/3112-537-0x00007FF705B00000-0x00007FF705EF5000-memory.dmp	upx
behavioral2/memory/3388-525-0x00007FF613CB0000-0x00007FF6140A5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\xGctRjp.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\FpmpqWG.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\MFUVHri.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\isfdTqZ.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\ycEgeUx.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\qSGqVIw.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\pJAZgXC.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\ZaYcGtU.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\KDYjCnI.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\YCnshQR.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\zYxPTtE.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\XYKZfrJ.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\VdfhEum.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\IliCSdr.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\IhAOSrw.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\SOubKti.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\JCTewzB.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\VPUCENT.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\CaDMCyb.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\zSGLdDj.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\xNTLkfA.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\JiiamZh.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\KwBrDbM.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\ohlVMYI.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\GnKiItG.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\jLATHxy.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\YlcokFB.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\RTbCbOq.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\MSxMvnC.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\RdnYabJ.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\FpXsayq.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\SyHDuXW.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\RRfIaxQ.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\GskIFbD.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\MmprIwG.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\qjIsXPr.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\UUUgegU.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\TrFYpcU.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\bPKApUz.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\xPvReJT.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\JwBPNWm.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\KjVmQox.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\eypMIUD.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\ZNvfjRd.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\SSpzpgo.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\zYfVqqz.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\tKAOoLP.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\AFJuEwo.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\xrkeNkP.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\KNyHAnT.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\ocFhFAU.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\qwNonGn.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\QpGEyuN.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\ygUWXDW.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\nadsqMh.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\AwyVwDU.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\rmlGVpt.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\dQWzCwr.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\URWHIjb.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\TlcJiho.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\HnHnOEm.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\bzphQvd.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\KMYDdol.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
File created	C:\Windows\System32\unYukon.exe	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	9300	dwm.exe
Token: SeChangeNotifyPrivilege	9300	dwm.exe
Token: 33	9300	dwm.exe
Token: SeIncBasePriorityPrivilege	9300	dwm.exe
Token: SeShutdownPrivilege	9300	dwm.exe
Token: SeCreatePagefilePrivilege	9300	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 2684	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	85
PID 556 wrote to memory of 2684	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	85
PID 556 wrote to memory of 2504	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	86
PID 556 wrote to memory of 2504	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	86
PID 556 wrote to memory of 856	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	87
PID 556 wrote to memory of 856	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	87
PID 556 wrote to memory of 4644	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	88
PID 556 wrote to memory of 4644	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	88
PID 556 wrote to memory of 2428	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	89
PID 556 wrote to memory of 2428	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	89
PID 556 wrote to memory of 4648	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	90
PID 556 wrote to memory of 4648	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	90
PID 556 wrote to memory of 4524	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	91
PID 556 wrote to memory of 4524	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	91
PID 556 wrote to memory of 2040	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	92
PID 556 wrote to memory of 2040	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	92
PID 556 wrote to memory of 3184	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	93
PID 556 wrote to memory of 3184	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	93
PID 556 wrote to memory of 3288	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	94
PID 556 wrote to memory of 3288	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	94
PID 556 wrote to memory of 1768	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	95
PID 556 wrote to memory of 1768	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	95
PID 556 wrote to memory of 1460	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	96
PID 556 wrote to memory of 1460	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	96
PID 556 wrote to memory of 2932	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	97
PID 556 wrote to memory of 2932	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	97
PID 556 wrote to memory of 348	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	98
PID 556 wrote to memory of 348	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	98
PID 556 wrote to memory of 1824	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	99
PID 556 wrote to memory of 1824	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	99
PID 556 wrote to memory of 1880	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	100
PID 556 wrote to memory of 1880	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	100
PID 556 wrote to memory of 4876	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	101
PID 556 wrote to memory of 4876	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	101
PID 556 wrote to memory of 3264	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	102
PID 556 wrote to memory of 3264	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	102
PID 556 wrote to memory of 4016	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	103
PID 556 wrote to memory of 4016	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	103
PID 556 wrote to memory of 1700	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	104
PID 556 wrote to memory of 1700	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	104
PID 556 wrote to memory of 3220	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	105
PID 556 wrote to memory of 3220	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	105
PID 556 wrote to memory of 4140	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	106
PID 556 wrote to memory of 4140	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	106
PID 556 wrote to memory of 4000	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	107
PID 556 wrote to memory of 4000	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	107
PID 556 wrote to memory of 4280	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	108
PID 556 wrote to memory of 4280	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	108
PID 556 wrote to memory of 5056	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	109
PID 556 wrote to memory of 5056	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	109
PID 556 wrote to memory of 2956	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	110
PID 556 wrote to memory of 2956	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	110
PID 556 wrote to memory of 2644	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	111
PID 556 wrote to memory of 2644	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	111
PID 556 wrote to memory of 3472	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	112
PID 556 wrote to memory of 3472	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	112
PID 556 wrote to memory of 1484	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	113
PID 556 wrote to memory of 1484	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	113
PID 556 wrote to memory of 880	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	114
PID 556 wrote to memory of 880	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	114
PID 556 wrote to memory of 2028	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	115
PID 556 wrote to memory of 2028	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	115
PID 556 wrote to memory of 5112	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	116
PID 556 wrote to memory of 5112	556	e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe	116

C:\Users\Admin\AppData\Local\Temp\e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe
"C:\Users\Admin\AppData\Local\Temp\e42a21d0672a4b41b72aa1e4f5dc4ed2db2d7671a17dd1f97dcd34198604a3a7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\System32\YfBcWqK.exe
  C:\Windows\System32\YfBcWqK.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System32\aUSOlTK.exe
  C:\Windows\System32\aUSOlTK.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System32\PyqiRHf.exe
  C:\Windows\System32\PyqiRHf.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System32\HTNpeCa.exe
  C:\Windows\System32\HTNpeCa.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\BpnOrTq.exe
  C:\Windows\System32\BpnOrTq.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System32\kmvHiRm.exe
  C:\Windows\System32\kmvHiRm.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System32\wRDHZlG.exe
  C:\Windows\System32\wRDHZlG.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\qNhyJfB.exe
  C:\Windows\System32\qNhyJfB.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System32\xGctRjp.exe
  C:\Windows\System32\xGctRjp.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\BWvUIrG.exe
  C:\Windows\System32\BWvUIrG.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System32\NqLacBl.exe
  C:\Windows\System32\NqLacBl.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System32\WhyPhwF.exe
  C:\Windows\System32\WhyPhwF.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System32\oQxHLqd.exe
  C:\Windows\System32\oQxHLqd.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System32\QCoiOjC.exe
  C:\Windows\System32\QCoiOjC.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System32\CDEtfTT.exe
  C:\Windows\System32\CDEtfTT.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System32\MIYdqrB.exe
  C:\Windows\System32\MIYdqrB.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System32\EwcYFdl.exe
  C:\Windows\System32\EwcYFdl.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System32\AeJVGpQ.exe
  C:\Windows\System32\AeJVGpQ.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\FocSNsM.exe
  C:\Windows\System32\FocSNsM.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System32\IxqhEfU.exe
  C:\Windows\System32\IxqhEfU.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System32\CunTokJ.exe
  C:\Windows\System32\CunTokJ.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\PxWUgLY.exe
  C:\Windows\System32\PxWUgLY.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\wrYBhtl.exe
  C:\Windows\System32\wrYBhtl.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System32\lNwhPaE.exe
  C:\Windows\System32\lNwhPaE.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\iWiQOje.exe
  C:\Windows\System32\iWiQOje.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\pNUDlEa.exe
  C:\Windows\System32\pNUDlEa.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\ZAfkSnX.exe
  C:\Windows\System32\ZAfkSnX.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System32\ykwtnJN.exe
  C:\Windows\System32\ykwtnJN.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System32\SEstdOG.exe
  C:\Windows\System32\SEstdOG.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System32\WYNsgbR.exe
  C:\Windows\System32\WYNsgbR.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System32\ISGNrpj.exe
  C:\Windows\System32\ISGNrpj.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System32\wVBmgDE.exe
  C:\Windows\System32\wVBmgDE.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\mJVadhC.exe
  C:\Windows\System32\mJVadhC.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System32\PKKMjkD.exe
  C:\Windows\System32\PKKMjkD.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\YiQoJdO.exe
  C:\Windows\System32\YiQoJdO.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\qGIeDNA.exe
  C:\Windows\System32\qGIeDNA.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\hTVwlnZ.exe
  C:\Windows\System32\hTVwlnZ.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System32\MnlNDbH.exe
  C:\Windows\System32\MnlNDbH.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System32\yjEbvzR.exe
  C:\Windows\System32\yjEbvzR.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\wbwQupi.exe
  C:\Windows\System32\wbwQupi.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\VdfhEum.exe
  C:\Windows\System32\VdfhEum.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System32\ycEgeUx.exe
  C:\Windows\System32\ycEgeUx.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\gihXxJF.exe
  C:\Windows\System32\gihXxJF.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\BfnnGjr.exe
  C:\Windows\System32\BfnnGjr.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System32\jTXkcRs.exe
  C:\Windows\System32\jTXkcRs.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System32\SpxIavc.exe
  C:\Windows\System32\SpxIavc.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\tvKxgaJ.exe
  C:\Windows\System32\tvKxgaJ.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\wkgWcoQ.exe
  C:\Windows\System32\wkgWcoQ.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\rWAIIaq.exe
  C:\Windows\System32\rWAIIaq.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\mvidUKQ.exe
  C:\Windows\System32\mvidUKQ.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\hSUAKrP.exe
  C:\Windows\System32\hSUAKrP.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System32\BZmqzxR.exe
  C:\Windows\System32\BZmqzxR.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System32\NLjVWhn.exe
  C:\Windows\System32\NLjVWhn.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\BWggNUL.exe
  C:\Windows\System32\BWggNUL.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\wIKtlrD.exe
  C:\Windows\System32\wIKtlrD.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System32\AFJuEwo.exe
  C:\Windows\System32\AFJuEwo.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\edoIcIf.exe
  C:\Windows\System32\edoIcIf.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System32\KamriiP.exe
  C:\Windows\System32\KamriiP.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\TrFYpcU.exe
  C:\Windows\System32\TrFYpcU.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System32\waQMMEj.exe
  C:\Windows\System32\waQMMEj.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System32\hlksPFI.exe
  C:\Windows\System32\hlksPFI.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System32\qaGjVTy.exe
  C:\Windows\System32\qaGjVTy.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System32\wXFEwaM.exe
  C:\Windows\System32\wXFEwaM.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System32\FpXsayq.exe
  C:\Windows\System32\FpXsayq.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System32\DwTiaia.exe
  C:\Windows\System32\DwTiaia.exe
  2⤵
  PID:4036
- C:\Windows\System32\zSGLdDj.exe
  C:\Windows\System32\zSGLdDj.exe
  2⤵
  PID:4012
- C:\Windows\System32\lbiBdMg.exe
  C:\Windows\System32\lbiBdMg.exe
  2⤵
  PID:636
- C:\Windows\System32\xLpVOgC.exe
  C:\Windows\System32\xLpVOgC.exe
  2⤵
  PID:4540
- C:\Windows\System32\ZwTrcXm.exe
  C:\Windows\System32\ZwTrcXm.exe
  2⤵
  PID:5088
- C:\Windows\System32\EeyZVad.exe
  C:\Windows\System32\EeyZVad.exe
  2⤵
  PID:1032
- C:\Windows\System32\jxusrts.exe
  C:\Windows\System32\jxusrts.exe
  2⤵
  PID:1172
- C:\Windows\System32\yYJTiGo.exe
  C:\Windows\System32\yYJTiGo.exe
  2⤵
  PID:1264
- C:\Windows\System32\GxRhWrt.exe
  C:\Windows\System32\GxRhWrt.exe
  2⤵
  PID:3004
- C:\Windows\System32\PwQjhMR.exe
  C:\Windows\System32\PwQjhMR.exe
  2⤵
  PID:3064
- C:\Windows\System32\gXnVNZn.exe
  C:\Windows\System32\gXnVNZn.exe
  2⤵
  PID:3812
- C:\Windows\System32\qgNXtzB.exe
  C:\Windows\System32\qgNXtzB.exe
  2⤵
  PID:460
- C:\Windows\System32\IjpXzJK.exe
  C:\Windows\System32\IjpXzJK.exe
  2⤵
  PID:4744
- C:\Windows\System32\lDhBtMM.exe
  C:\Windows\System32\lDhBtMM.exe
  2⤵
  PID:676
- C:\Windows\System32\xrkeNkP.exe
  C:\Windows\System32\xrkeNkP.exe
  2⤵
  PID:4496
- C:\Windows\System32\bPKApUz.exe
  C:\Windows\System32\bPKApUz.exe
  2⤵
  PID:380
- C:\Windows\System32\MSxMvnC.exe
  C:\Windows\System32\MSxMvnC.exe
  2⤵
  PID:1736
- C:\Windows\System32\MPKJUXB.exe
  C:\Windows\System32\MPKJUXB.exe
  2⤵
  PID:368
- C:\Windows\System32\gIPOpmn.exe
  C:\Windows\System32\gIPOpmn.exe
  2⤵
  PID:212
- C:\Windows\System32\EoPSJds.exe
  C:\Windows\System32\EoPSJds.exe
  2⤵
  PID:4972
- C:\Windows\System32\MuEqhyx.exe
  C:\Windows\System32\MuEqhyx.exe
  2⤵
  PID:3036
- C:\Windows\System32\AHjYCrp.exe
  C:\Windows\System32\AHjYCrp.exe
  2⤵
  PID:5124
- C:\Windows\System32\pWfdvQC.exe
  C:\Windows\System32\pWfdvQC.exe
  2⤵
  PID:5140
- C:\Windows\System32\BLqxaTH.exe
  C:\Windows\System32\BLqxaTH.exe
  2⤵
  PID:5168
- C:\Windows\System32\RTrUvCB.exe
  C:\Windows\System32\RTrUvCB.exe
  2⤵
  PID:5196
- C:\Windows\System32\oKXnBFK.exe
  C:\Windows\System32\oKXnBFK.exe
  2⤵
  PID:5224
- C:\Windows\System32\QYBjlfu.exe
  C:\Windows\System32\QYBjlfu.exe
  2⤵
  PID:5252
- C:\Windows\System32\HWjpoIj.exe
  C:\Windows\System32\HWjpoIj.exe
  2⤵
  PID:5280
- C:\Windows\System32\FdJcjUK.exe
  C:\Windows\System32\FdJcjUK.exe
  2⤵
  PID:5308
- C:\Windows\System32\BwRTDyW.exe
  C:\Windows\System32\BwRTDyW.exe
  2⤵
  PID:5336
- C:\Windows\System32\IwiNwcp.exe
  C:\Windows\System32\IwiNwcp.exe
  2⤵
  PID:5364
- C:\Windows\System32\uFMUUNK.exe
  C:\Windows\System32\uFMUUNK.exe
  2⤵
  PID:5392
- C:\Windows\System32\JjTzhYP.exe
  C:\Windows\System32\JjTzhYP.exe
  2⤵
  PID:5420
- C:\Windows\System32\lbPBRvb.exe
  C:\Windows\System32\lbPBRvb.exe
  2⤵
  PID:5448
- C:\Windows\System32\jsloKtc.exe
  C:\Windows\System32\jsloKtc.exe
  2⤵
  PID:5476
- C:\Windows\System32\DzkCnJB.exe
  C:\Windows\System32\DzkCnJB.exe
  2⤵
  PID:5504
- C:\Windows\System32\nadsqMh.exe
  C:\Windows\System32\nadsqMh.exe
  2⤵
  PID:5532
- C:\Windows\System32\IhAOSrw.exe
  C:\Windows\System32\IhAOSrw.exe
  2⤵
  PID:5560
- C:\Windows\System32\vfyZwrK.exe
  C:\Windows\System32\vfyZwrK.exe
  2⤵
  PID:5588
- C:\Windows\System32\BBRilXL.exe
  C:\Windows\System32\BBRilXL.exe
  2⤵
  PID:5616
- C:\Windows\System32\oGGDvGu.exe
  C:\Windows\System32\oGGDvGu.exe
  2⤵
  PID:5644
- C:\Windows\System32\PvUOnDp.exe
  C:\Windows\System32\PvUOnDp.exe
  2⤵
  PID:5672
- C:\Windows\System32\GskIFbD.exe
  C:\Windows\System32\GskIFbD.exe
  2⤵
  PID:5700
- C:\Windows\System32\utlMdvG.exe
  C:\Windows\System32\utlMdvG.exe
  2⤵
  PID:5728
- C:\Windows\System32\zYfVqqz.exe
  C:\Windows\System32\zYfVqqz.exe
  2⤵
  PID:5756
- C:\Windows\System32\pJAZgXC.exe
  C:\Windows\System32\pJAZgXC.exe
  2⤵
  PID:5784
- C:\Windows\System32\IliCSdr.exe
  C:\Windows\System32\IliCSdr.exe
  2⤵
  PID:5812
- C:\Windows\System32\qwNonGn.exe
  C:\Windows\System32\qwNonGn.exe
  2⤵
  PID:5840
- C:\Windows\System32\ilpBnHV.exe
  C:\Windows\System32\ilpBnHV.exe
  2⤵
  PID:5868
- C:\Windows\System32\riFmsIE.exe
  C:\Windows\System32\riFmsIE.exe
  2⤵
  PID:5896
- C:\Windows\System32\ohlVMYI.exe
  C:\Windows\System32\ohlVMYI.exe
  2⤵
  PID:5924
- C:\Windows\System32\FKIGodC.exe
  C:\Windows\System32\FKIGodC.exe
  2⤵
  PID:5952
- C:\Windows\System32\yzHLzYT.exe
  C:\Windows\System32\yzHLzYT.exe
  2⤵
  PID:5980
- C:\Windows\System32\ayqsfRl.exe
  C:\Windows\System32\ayqsfRl.exe
  2⤵
  PID:6008
- C:\Windows\System32\finUiWa.exe
  C:\Windows\System32\finUiWa.exe
  2⤵
  PID:6044
- C:\Windows\System32\cuYzQYe.exe
  C:\Windows\System32\cuYzQYe.exe
  2⤵
  PID:6064
- C:\Windows\System32\bRXtgkd.exe
  C:\Windows\System32\bRXtgkd.exe
  2⤵
  PID:6092
- C:\Windows\System32\HzQxdlY.exe
  C:\Windows\System32\HzQxdlY.exe
  2⤵
  PID:1488
- C:\Windows\System32\VkbdbdL.exe
  C:\Windows\System32\VkbdbdL.exe
  2⤵
  PID:4832
- C:\Windows\System32\bzphQvd.exe
  C:\Windows\System32\bzphQvd.exe
  2⤵
  PID:2332
- C:\Windows\System32\FpmpqWG.exe
  C:\Windows\System32\FpmpqWG.exe
  2⤵
  PID:5132
- C:\Windows\System32\DlBzPmK.exe
  C:\Windows\System32\DlBzPmK.exe
  2⤵
  PID:5184
- C:\Windows\System32\ANQMuAu.exe
  C:\Windows\System32\ANQMuAu.exe
  2⤵
  PID:5236
- C:\Windows\System32\ZaYcGtU.exe
  C:\Windows\System32\ZaYcGtU.exe
  2⤵
  PID:5268
- C:\Windows\System32\KDYjCnI.exe
  C:\Windows\System32\KDYjCnI.exe
  2⤵
  PID:5332
- C:\Windows\System32\thkWldB.exe
  C:\Windows\System32\thkWldB.exe
  2⤵
  PID:5376
- C:\Windows\System32\AXABFII.exe
  C:\Windows\System32\AXABFII.exe
  2⤵
  PID:5572
- C:\Windows\System32\mFqdDHB.exe
  C:\Windows\System32\mFqdDHB.exe
  2⤵
  PID:5640
- C:\Windows\System32\SryKYWv.exe
  C:\Windows\System32\SryKYWv.exe
  2⤵
  PID:5668
- C:\Windows\System32\UpEuVEL.exe
  C:\Windows\System32\UpEuVEL.exe
  2⤵
  PID:5696
- C:\Windows\System32\xAusSBY.exe
  C:\Windows\System32\xAusSBY.exe
  2⤵
  PID:5744
- C:\Windows\System32\EFXNeTc.exe
  C:\Windows\System32\EFXNeTc.exe
  2⤵
  PID:5772
- C:\Windows\System32\aGWYoEs.exe
  C:\Windows\System32\aGWYoEs.exe
  2⤵
  PID:5856
- C:\Windows\System32\jrKkSZw.exe
  C:\Windows\System32\jrKkSZw.exe
  2⤵
  PID:5884
- C:\Windows\System32\cdFdZhu.exe
  C:\Windows\System32\cdFdZhu.exe
  2⤵
  PID:6020
- C:\Windows\System32\BFtensD.exe
  C:\Windows\System32\BFtensD.exe
  2⤵
  PID:6040
- C:\Windows\System32\RrWxSKn.exe
  C:\Windows\System32\RrWxSKn.exe
  2⤵
  PID:6060
- C:\Windows\System32\SOubKti.exe
  C:\Windows\System32\SOubKti.exe
  2⤵
  PID:6076
- C:\Windows\System32\AVJSYyR.exe
  C:\Windows\System32\AVJSYyR.exe
  2⤵
  PID:2768
- C:\Windows\System32\krakfXG.exe
  C:\Windows\System32\krakfXG.exe
  2⤵
  PID:4352
- C:\Windows\System32\DjlZvyO.exe
  C:\Windows\System32\DjlZvyO.exe
  2⤵
  PID:2212
- C:\Windows\System32\dQWzCwr.exe
  C:\Windows\System32\dQWzCwr.exe
  2⤵
  PID:2076
- C:\Windows\System32\RBJcdqq.exe
  C:\Windows\System32\RBJcdqq.exe
  2⤵
  PID:4592
- C:\Windows\System32\UapXHVm.exe
  C:\Windows\System32\UapXHVm.exe
  2⤵
  PID:1436
- C:\Windows\System32\XDcYquA.exe
  C:\Windows\System32\XDcYquA.exe
  2⤵
  PID:5432
- C:\Windows\System32\RjFIJHA.exe
  C:\Windows\System32\RjFIJHA.exe
  2⤵
  PID:5628
- C:\Windows\System32\pgnRvvE.exe
  C:\Windows\System32\pgnRvvE.exe
  2⤵
  PID:5724
- C:\Windows\System32\KNyHAnT.exe
  C:\Windows\System32\KNyHAnT.exe
  2⤵
  PID:5800
- C:\Windows\System32\fXYThOm.exe
  C:\Windows\System32\fXYThOm.exe
  2⤵
  PID:5892
- C:\Windows\System32\ABIFZxv.exe
  C:\Windows\System32\ABIFZxv.exe
  2⤵
  PID:1420
- C:\Windows\System32\cmaHMCx.exe
  C:\Windows\System32\cmaHMCx.exe
  2⤵
  PID:1280
- C:\Windows\System32\bibYCUA.exe
  C:\Windows\System32\bibYCUA.exe
  2⤵
  PID:4348
- C:\Windows\System32\tPEZUrb.exe
  C:\Windows\System32\tPEZUrb.exe
  2⤵
  PID:3944
- C:\Windows\System32\UmWtDSO.exe
  C:\Windows\System32\UmWtDSO.exe
  2⤵
  PID:2616
- C:\Windows\System32\gspQKQl.exe
  C:\Windows\System32\gspQKQl.exe
  2⤵
  PID:3188
- C:\Windows\System32\VKxmLCM.exe
  C:\Windows\System32\VKxmLCM.exe
  2⤵
  PID:932
- C:\Windows\System32\yYQsuTW.exe
  C:\Windows\System32\yYQsuTW.exe
  2⤵
  PID:6004
- C:\Windows\System32\UUalqES.exe
  C:\Windows\System32\UUalqES.exe
  2⤵
  PID:6056
- C:\Windows\System32\LMoNIpz.exe
  C:\Windows\System32\LMoNIpz.exe
  2⤵
  PID:5852
- C:\Windows\System32\EbVRlrN.exe
  C:\Windows\System32\EbVRlrN.exe
  2⤵
  PID:444
- C:\Windows\System32\jRytxkS.exe
  C:\Windows\System32\jRytxkS.exe
  2⤵
  PID:6180
- C:\Windows\System32\bdDnqry.exe
  C:\Windows\System32\bdDnqry.exe
  2⤵
  PID:6196
- C:\Windows\System32\rJvwyUh.exe
  C:\Windows\System32\rJvwyUh.exe
  2⤵
  PID:6216
- C:\Windows\System32\vgENyfV.exe
  C:\Windows\System32\vgENyfV.exe
  2⤵
  PID:6232
- C:\Windows\System32\qrJoMDs.exe
  C:\Windows\System32\qrJoMDs.exe
  2⤵
  PID:6252
- C:\Windows\System32\OiOqbdU.exe
  C:\Windows\System32\OiOqbdU.exe
  2⤵
  PID:6272
- C:\Windows\System32\MmprIwG.exe
  C:\Windows\System32\MmprIwG.exe
  2⤵
  PID:6324
- C:\Windows\System32\mxWdaQw.exe
  C:\Windows\System32\mxWdaQw.exe
  2⤵
  PID:6368
- C:\Windows\System32\cSybHje.exe
  C:\Windows\System32\cSybHje.exe
  2⤵
  PID:6412
- C:\Windows\System32\XwXtvES.exe
  C:\Windows\System32\XwXtvES.exe
  2⤵
  PID:6428
- C:\Windows\System32\qdLWCie.exe
  C:\Windows\System32\qdLWCie.exe
  2⤵
  PID:6468
- C:\Windows\System32\JwBPNWm.exe
  C:\Windows\System32\JwBPNWm.exe
  2⤵
  PID:6524
- C:\Windows\System32\pIWBocN.exe
  C:\Windows\System32\pIWBocN.exe
  2⤵
  PID:6564
- C:\Windows\System32\BFOdnYb.exe
  C:\Windows\System32\BFOdnYb.exe
  2⤵
  PID:6584
- C:\Windows\System32\KMYDdol.exe
  C:\Windows\System32\KMYDdol.exe
  2⤵
  PID:6616
- C:\Windows\System32\xtWLbPJ.exe
  C:\Windows\System32\xtWLbPJ.exe
  2⤵
  PID:6632
- C:\Windows\System32\UgNrvae.exe
  C:\Windows\System32\UgNrvae.exe
  2⤵
  PID:6652
- C:\Windows\System32\qwIMzQN.exe
  C:\Windows\System32\qwIMzQN.exe
  2⤵
  PID:6688
- C:\Windows\System32\gjhuYKX.exe
  C:\Windows\System32\gjhuYKX.exe
  2⤵
  PID:6708
- C:\Windows\System32\unYukon.exe
  C:\Windows\System32\unYukon.exe
  2⤵
  PID:6728
- C:\Windows\System32\jYaioQK.exe
  C:\Windows\System32\jYaioQK.exe
  2⤵
  PID:6748
- C:\Windows\System32\NyEBYaI.exe
  C:\Windows\System32\NyEBYaI.exe
  2⤵
  PID:6812
- C:\Windows\System32\QJaZlOX.exe
  C:\Windows\System32\QJaZlOX.exe
  2⤵
  PID:6832
- C:\Windows\System32\JCTewzB.exe
  C:\Windows\System32\JCTewzB.exe
  2⤵
  PID:6872
- C:\Windows\System32\pdebFNZ.exe
  C:\Windows\System32\pdebFNZ.exe
  2⤵
  PID:6944
- C:\Windows\System32\HGBrijN.exe
  C:\Windows\System32\HGBrijN.exe
  2⤵
  PID:6960
- C:\Windows\System32\PvUzoWD.exe
  C:\Windows\System32\PvUzoWD.exe
  2⤵
  PID:6984
- C:\Windows\System32\SfYSAfe.exe
  C:\Windows\System32\SfYSAfe.exe
  2⤵
  PID:7016
- C:\Windows\System32\fiSAMsI.exe
  C:\Windows\System32\fiSAMsI.exe
  2⤵
  PID:7044
- C:\Windows\System32\RZhewxu.exe
  C:\Windows\System32\RZhewxu.exe
  2⤵
  PID:7068
- C:\Windows\System32\kVcXzDi.exe
  C:\Windows\System32\kVcXzDi.exe
  2⤵
  PID:7088
- C:\Windows\System32\OqfAJLt.exe
  C:\Windows\System32\OqfAJLt.exe
  2⤵
  PID:7124
- C:\Windows\System32\VvHqXDH.exe
  C:\Windows\System32\VvHqXDH.exe
  2⤵
  PID:7152
- C:\Windows\System32\SyHDuXW.exe
  C:\Windows\System32\SyHDuXW.exe
  2⤵
  PID:6148
- C:\Windows\System32\vmtMTuu.exe
  C:\Windows\System32\vmtMTuu.exe
  2⤵
  PID:6244
- C:\Windows\System32\XmIpNPj.exe
  C:\Windows\System32\XmIpNPj.exe
  2⤵
  PID:6212
- C:\Windows\System32\OybkPVV.exe
  C:\Windows\System32\OybkPVV.exe
  2⤵
  PID:6360
- C:\Windows\System32\ArPjtff.exe
  C:\Windows\System32\ArPjtff.exe
  2⤵
  PID:6420
- C:\Windows\System32\KwBrDbM.exe
  C:\Windows\System32\KwBrDbM.exe
  2⤵
  PID:6476
- C:\Windows\System32\TlcJiho.exe
  C:\Windows\System32\TlcJiho.exe
  2⤵
  PID:6556
- C:\Windows\System32\vjmEQuM.exe
  C:\Windows\System32\vjmEQuM.exe
  2⤵
  PID:6644
- C:\Windows\System32\isfdTqZ.exe
  C:\Windows\System32\isfdTqZ.exe
  2⤵
  PID:6648
- C:\Windows\System32\GnKiItG.exe
  C:\Windows\System32\GnKiItG.exe
  2⤵
  PID:6716
- C:\Windows\System32\KjVmQox.exe
  C:\Windows\System32\KjVmQox.exe
  2⤵
  PID:6828
- C:\Windows\System32\NPqxces.exe
  C:\Windows\System32\NPqxces.exe
  2⤵
  PID:5528
- C:\Windows\System32\MWMfXbo.exe
  C:\Windows\System32\MWMfXbo.exe
  2⤵
  PID:6976
- C:\Windows\System32\vnhLzWF.exe
  C:\Windows\System32\vnhLzWF.exe
  2⤵
  PID:6996
- C:\Windows\System32\HnHnOEm.exe
  C:\Windows\System32\HnHnOEm.exe
  2⤵
  PID:7084
- C:\Windows\System32\gExWuVg.exe
  C:\Windows\System32\gExWuVg.exe
  2⤵
  PID:7144
- C:\Windows\System32\YCnshQR.exe
  C:\Windows\System32\YCnshQR.exe
  2⤵
  PID:6204
- C:\Windows\System32\AwyVwDU.exe
  C:\Windows\System32\AwyVwDU.exe
  2⤵
  PID:6208
- C:\Windows\System32\oZInteH.exe
  C:\Windows\System32\oZInteH.exe
  2⤵
  PID:6284
- C:\Windows\System32\dFxiJSN.exe
  C:\Windows\System32\dFxiJSN.exe
  2⤵
  PID:6268
- C:\Windows\System32\ATUAHfb.exe
  C:\Windows\System32\ATUAHfb.exe
  2⤵
  PID:6356
- C:\Windows\System32\CjgyRkg.exe
  C:\Windows\System32\CjgyRkg.exe
  2⤵
  PID:6488
- C:\Windows\System32\DYKPxQn.exe
  C:\Windows\System32\DYKPxQn.exe
  2⤵
  PID:6664
- C:\Windows\System32\KKacQac.exe
  C:\Windows\System32\KKacQac.exe
  2⤵
  PID:6740
- C:\Windows\System32\likvxDc.exe
  C:\Windows\System32\likvxDc.exe
  2⤵
  PID:6904
- C:\Windows\System32\mPJPFtb.exe
  C:\Windows\System32\mPJPFtb.exe
  2⤵
  PID:5492
- C:\Windows\System32\ZUMPVpG.exe
  C:\Windows\System32\ZUMPVpG.exe
  2⤵
  PID:7032
- C:\Windows\System32\LMKxgPH.exe
  C:\Windows\System32\LMKxgPH.exe
  2⤵
  PID:7136
- C:\Windows\System32\UeUCfAa.exe
  C:\Windows\System32\UeUCfAa.exe
  2⤵
  PID:6896
- C:\Windows\System32\cjRsESv.exe
  C:\Windows\System32\cjRsESv.exe
  2⤵
  PID:6308
- C:\Windows\System32\AVusHpq.exe
  C:\Windows\System32\AVusHpq.exe
  2⤵
  PID:7056
- C:\Windows\System32\gtGpkPT.exe
  C:\Windows\System32\gtGpkPT.exe
  2⤵
  PID:7176
- C:\Windows\System32\poqMkAf.exe
  C:\Windows\System32\poqMkAf.exe
  2⤵
  PID:7216
- C:\Windows\System32\KaRNNxK.exe
  C:\Windows\System32\KaRNNxK.exe
  2⤵
  PID:7232
- C:\Windows\System32\XPqyXHX.exe
  C:\Windows\System32\XPqyXHX.exe
  2⤵
  PID:7252
- C:\Windows\System32\PqthKNX.exe
  C:\Windows\System32\PqthKNX.exe
  2⤵
  PID:7268
- C:\Windows\System32\lOSfipX.exe
  C:\Windows\System32\lOSfipX.exe
  2⤵
  PID:7360
- C:\Windows\System32\IKgUGDs.exe
  C:\Windows\System32\IKgUGDs.exe
  2⤵
  PID:7384
- C:\Windows\System32\ChEWTFD.exe
  C:\Windows\System32\ChEWTFD.exe
  2⤵
  PID:7400
- C:\Windows\System32\LRzLiih.exe
  C:\Windows\System32\LRzLiih.exe
  2⤵
  PID:7420
- C:\Windows\System32\NCKZXyR.exe
  C:\Windows\System32\NCKZXyR.exe
  2⤵
  PID:7448
- C:\Windows\System32\HzQemro.exe
  C:\Windows\System32\HzQemro.exe
  2⤵
  PID:7500
- C:\Windows\System32\pxeMKBt.exe
  C:\Windows\System32\pxeMKBt.exe
  2⤵
  PID:7524
- C:\Windows\System32\jpPsNqw.exe
  C:\Windows\System32\jpPsNqw.exe
  2⤵
  PID:7560
- C:\Windows\System32\IVlRJKj.exe
  C:\Windows\System32\IVlRJKj.exe
  2⤵
  PID:7584
- C:\Windows\System32\IEEHJrW.exe
  C:\Windows\System32\IEEHJrW.exe
  2⤵
  PID:7608
- C:\Windows\System32\jLATHxy.exe
  C:\Windows\System32\jLATHxy.exe
  2⤵
  PID:7640
- C:\Windows\System32\fteljaW.exe
  C:\Windows\System32\fteljaW.exe
  2⤵
  PID:7660
- C:\Windows\System32\VMCAIzn.exe
  C:\Windows\System32\VMCAIzn.exe
  2⤵
  PID:7716
- C:\Windows\System32\VPGkrGv.exe
  C:\Windows\System32\VPGkrGv.exe
  2⤵
  PID:7732
- C:\Windows\System32\MYMaeRl.exe
  C:\Windows\System32\MYMaeRl.exe
  2⤵
  PID:7748
- C:\Windows\System32\xumvaMA.exe
  C:\Windows\System32\xumvaMA.exe
  2⤵
  PID:7796
- C:\Windows\System32\plzfKag.exe
  C:\Windows\System32\plzfKag.exe
  2⤵
  PID:7812
- C:\Windows\System32\YIwizFW.exe
  C:\Windows\System32\YIwizFW.exe
  2⤵
  PID:7852
- C:\Windows\System32\OwRPWjn.exe
  C:\Windows\System32\OwRPWjn.exe
  2⤵
  PID:7876
- C:\Windows\System32\HpoGKTA.exe
  C:\Windows\System32\HpoGKTA.exe
  2⤵
  PID:7892
- C:\Windows\System32\WCMTuzC.exe
  C:\Windows\System32\WCMTuzC.exe
  2⤵
  PID:7912
- C:\Windows\System32\VPUCENT.exe
  C:\Windows\System32\VPUCENT.exe
  2⤵
  PID:7952
- C:\Windows\System32\JlalCDw.exe
  C:\Windows\System32\JlalCDw.exe
  2⤵
  PID:8012
- C:\Windows\System32\QeUMjKP.exe
  C:\Windows\System32\QeUMjKP.exe
  2⤵
  PID:8048
- C:\Windows\System32\RRfIaxQ.exe
  C:\Windows\System32\RRfIaxQ.exe
  2⤵
  PID:8072
- C:\Windows\System32\CHGHJoD.exe
  C:\Windows\System32\CHGHJoD.exe
  2⤵
  PID:8108
- C:\Windows\System32\xNTLkfA.exe
  C:\Windows\System32\xNTLkfA.exe
  2⤵
  PID:8140
- C:\Windows\System32\YYBwFbQ.exe
  C:\Windows\System32\YYBwFbQ.exe
  2⤵
  PID:8164
- C:\Windows\System32\kribwOU.exe
  C:\Windows\System32\kribwOU.exe
  2⤵
  PID:6856
- C:\Windows\System32\AmhMJwy.exe
  C:\Windows\System32\AmhMJwy.exe
  2⤵
  PID:6136
- C:\Windows\System32\XrqToKz.exe
  C:\Windows\System32\XrqToKz.exe
  2⤵
  PID:7200
- C:\Windows\System32\JMRqbXH.exe
  C:\Windows\System32\JMRqbXH.exe
  2⤵
  PID:7240
- C:\Windows\System32\FzefENb.exe
  C:\Windows\System32\FzefENb.exe
  2⤵
  PID:7280
- C:\Windows\System32\Unfepke.exe
  C:\Windows\System32\Unfepke.exe
  2⤵
  PID:7412
- C:\Windows\System32\YMcXaGu.exe
  C:\Windows\System32\YMcXaGu.exe
  2⤵
  PID:7544
- C:\Windows\System32\GMUFpQh.exe
  C:\Windows\System32\GMUFpQh.exe
  2⤵
  PID:7632
- C:\Windows\System32\dJwDBAa.exe
  C:\Windows\System32\dJwDBAa.exe
  2⤵
  PID:3512
- C:\Windows\System32\qSGqVIw.exe
  C:\Windows\System32\qSGqVIw.exe
  2⤵
  PID:1332
- C:\Windows\System32\VAFKFck.exe
  C:\Windows\System32\VAFKFck.exe
  2⤵
  PID:7728
- C:\Windows\System32\CaDMCyb.exe
  C:\Windows\System32\CaDMCyb.exe
  2⤵
  PID:7784
- C:\Windows\System32\AQsAuVi.exe
  C:\Windows\System32\AQsAuVi.exe
  2⤵
  PID:7780
- C:\Windows\System32\xNPYVTQ.exe
  C:\Windows\System32\xNPYVTQ.exe
  2⤵
  PID:5240
- C:\Windows\System32\VWdabNg.exe
  C:\Windows\System32\VWdabNg.exe
  2⤵
  PID:7848
- C:\Windows\System32\phIjJGU.exe
  C:\Windows\System32\phIjJGU.exe
  2⤵
  PID:7904
- C:\Windows\System32\zYxPTtE.exe
  C:\Windows\System32\zYxPTtE.exe
  2⤵
  PID:8020
- C:\Windows\System32\TPeJOML.exe
  C:\Windows\System32\TPeJOML.exe
  2⤵
  PID:8028
- C:\Windows\System32\TIIwxzj.exe
  C:\Windows\System32\TIIwxzj.exe
  2⤵
  PID:8100
- C:\Windows\System32\FufRVDC.exe
  C:\Windows\System32\FufRVDC.exe
  2⤵
  PID:7228
- C:\Windows\System32\nTFYZcw.exe
  C:\Windows\System32\nTFYZcw.exe
  2⤵
  PID:7248
- C:\Windows\System32\lWhumYE.exe
  C:\Windows\System32\lWhumYE.exe
  2⤵
  PID:3992
- C:\Windows\System32\qeOJWVw.exe
  C:\Windows\System32\qeOJWVw.exe
  2⤵
  PID:7172
- C:\Windows\System32\ldttzfl.exe
  C:\Windows\System32\ldttzfl.exe
  2⤵
  PID:4600
- C:\Windows\System32\eypMIUD.exe
  C:\Windows\System32\eypMIUD.exe
  2⤵
  PID:7368
- C:\Windows\System32\MYxKNDj.exe
  C:\Windows\System32\MYxKNDj.exe
  2⤵
  PID:7460
- C:\Windows\System32\CeBFDjI.exe
  C:\Windows\System32\CeBFDjI.exe
  2⤵
  PID:7592
- C:\Windows\System32\IOcqAXf.exe
  C:\Windows\System32\IOcqAXf.exe
  2⤵
  PID:1796
- C:\Windows\System32\RdnYabJ.exe
  C:\Windows\System32\RdnYabJ.exe
  2⤵
  PID:2952
- C:\Windows\System32\ikkYHbi.exe
  C:\Windows\System32\ikkYHbi.exe
  2⤵
  PID:7924
- C:\Windows\System32\TqzrrHi.exe
  C:\Windows\System32\TqzrrHi.exe
  2⤵
  PID:7992
- C:\Windows\System32\lSIpuAY.exe
  C:\Windows\System32\lSIpuAY.exe
  2⤵
  PID:6240
- C:\Windows\System32\fyNEaBq.exe
  C:\Windows\System32\fyNEaBq.exe
  2⤵
  PID:8188
- C:\Windows\System32\gOqbZOh.exe
  C:\Windows\System32\gOqbZOh.exe
  2⤵
  PID:7324
- C:\Windows\System32\LLNorop.exe
  C:\Windows\System32\LLNorop.exe
  2⤵
  PID:1068
- C:\Windows\System32\bIcCwDF.exe
  C:\Windows\System32\bIcCwDF.exe
  2⤵
  PID:7808
- C:\Windows\System32\tKAOoLP.exe
  C:\Windows\System32\tKAOoLP.exe
  2⤵
  PID:3780
- C:\Windows\System32\FJaCsdn.exe
  C:\Windows\System32\FJaCsdn.exe
  2⤵
  PID:2352
- C:\Windows\System32\ErNKuzh.exe
  C:\Windows\System32\ErNKuzh.exe
  2⤵
  PID:8120
- C:\Windows\System32\nUWhFoI.exe
  C:\Windows\System32\nUWhFoI.exe
  2⤵
  PID:7468
- C:\Windows\System32\NypYEsB.exe
  C:\Windows\System32\NypYEsB.exe
  2⤵
  PID:4896
- C:\Windows\System32\gcpakMM.exe
  C:\Windows\System32\gcpakMM.exe
  2⤵
  PID:2136
- C:\Windows\System32\jCKHyKY.exe
  C:\Windows\System32\jCKHyKY.exe
  2⤵
  PID:8136
- C:\Windows\System32\YlcokFB.exe
  C:\Windows\System32\YlcokFB.exe
  2⤵
  PID:7284
- C:\Windows\System32\ouqPXgz.exe
  C:\Windows\System32\ouqPXgz.exe
  2⤵
  PID:7680
- C:\Windows\System32\TVbZoUb.exe
  C:\Windows\System32\TVbZoUb.exe
  2⤵
  PID:4684
- C:\Windows\System32\JTWWfYd.exe
  C:\Windows\System32\JTWWfYd.exe
  2⤵
  PID:8208
- C:\Windows\System32\nnMwRhe.exe
  C:\Windows\System32\nnMwRhe.exe
  2⤵
  PID:8224
- C:\Windows\System32\DXcLCzv.exe
  C:\Windows\System32\DXcLCzv.exe
  2⤵
  PID:8292
- C:\Windows\System32\BpUxIzd.exe
  C:\Windows\System32\BpUxIzd.exe
  2⤵
  PID:8312
- C:\Windows\System32\ISNEoOb.exe
  C:\Windows\System32\ISNEoOb.exe
  2⤵
  PID:8340
- C:\Windows\System32\PGxUhaE.exe
  C:\Windows\System32\PGxUhaE.exe
  2⤵
  PID:8376
- C:\Windows\System32\BcTrHcd.exe
  C:\Windows\System32\BcTrHcd.exe
  2⤵
  PID:8396
- C:\Windows\System32\ZnEtLjy.exe
  C:\Windows\System32\ZnEtLjy.exe
  2⤵
  PID:8432
- C:\Windows\System32\GRWTxkT.exe
  C:\Windows\System32\GRWTxkT.exe
  2⤵
  PID:8452
- C:\Windows\System32\qjIsXPr.exe
  C:\Windows\System32\qjIsXPr.exe
  2⤵
  PID:8472
- C:\Windows\System32\ZNvfjRd.exe
  C:\Windows\System32\ZNvfjRd.exe
  2⤵
  PID:8524
- C:\Windows\System32\rycMdtE.exe
  C:\Windows\System32\rycMdtE.exe
  2⤵
  PID:8544
- C:\Windows\System32\RTbCbOq.exe
  C:\Windows\System32\RTbCbOq.exe
  2⤵
  PID:8576
- C:\Windows\System32\fGWxbtb.exe
  C:\Windows\System32\fGWxbtb.exe
  2⤵
  PID:8592
- C:\Windows\System32\yyojrXm.exe
  C:\Windows\System32\yyojrXm.exe
  2⤵
  PID:8632
- C:\Windows\System32\QGLkSXk.exe
  C:\Windows\System32\QGLkSXk.exe
  2⤵
  PID:8656
- C:\Windows\System32\cjYlccI.exe
  C:\Windows\System32\cjYlccI.exe
  2⤵
  PID:8696
- C:\Windows\System32\QpGEyuN.exe
  C:\Windows\System32\QpGEyuN.exe
  2⤵
  PID:8716
- C:\Windows\System32\VRljLiQ.exe
  C:\Windows\System32\VRljLiQ.exe
  2⤵
  PID:8736
- C:\Windows\System32\QFhDbqU.exe
  C:\Windows\System32\QFhDbqU.exe
  2⤵
  PID:8756
- C:\Windows\System32\MaXuVDv.exe
  C:\Windows\System32\MaXuVDv.exe
  2⤵
  PID:8824
- C:\Windows\System32\SlKpNyo.exe
  C:\Windows\System32\SlKpNyo.exe
  2⤵
  PID:8848
- C:\Windows\System32\osUduBi.exe
  C:\Windows\System32\osUduBi.exe
  2⤵
  PID:8872
- C:\Windows\System32\ErEbynd.exe
  C:\Windows\System32\ErEbynd.exe
  2⤵
  PID:8892
- C:\Windows\System32\QBQijpb.exe
  C:\Windows\System32\QBQijpb.exe
  2⤵
  PID:8912
- C:\Windows\System32\GtwUadq.exe
  C:\Windows\System32\GtwUadq.exe
  2⤵
  PID:8928
- C:\Windows\System32\HUdMxbd.exe
  C:\Windows\System32\HUdMxbd.exe
  2⤵
  PID:8948
- C:\Windows\System32\GdXxnMJ.exe
  C:\Windows\System32\GdXxnMJ.exe
  2⤵
  PID:8984
- C:\Windows\System32\RKQDUXE.exe
  C:\Windows\System32\RKQDUXE.exe
  2⤵
  PID:9044
- C:\Windows\System32\jXUDtHZ.exe
  C:\Windows\System32\jXUDtHZ.exe
  2⤵
  PID:9076
- C:\Windows\System32\lXGrVCI.exe
  C:\Windows\System32\lXGrVCI.exe
  2⤵
  PID:9124
- C:\Windows\System32\NoTKCcE.exe
  C:\Windows\System32\NoTKCcE.exe
  2⤵
  PID:9160
- C:\Windows\System32\OEvCsaw.exe
  C:\Windows\System32\OEvCsaw.exe
  2⤵
  PID:9184
- C:\Windows\System32\oclNHnM.exe
  C:\Windows\System32\oclNHnM.exe
  2⤵
  PID:9212
- C:\Windows\System32\kxLelbx.exe
  C:\Windows\System32\kxLelbx.exe
  2⤵
  PID:8240
- C:\Windows\System32\VpGktZU.exe
  C:\Windows\System32\VpGktZU.exe
  2⤵
  PID:8196
- C:\Windows\System32\URWHIjb.exe
  C:\Windows\System32\URWHIjb.exe
  2⤵
  PID:8232
- C:\Windows\System32\JSojPJC.exe
  C:\Windows\System32\JSojPJC.exe
  2⤵
  PID:8304
- C:\Windows\System32\SSpzpgo.exe
  C:\Windows\System32\SSpzpgo.exe
  2⤵
  PID:8448
- C:\Windows\System32\AtwXqjg.exe
  C:\Windows\System32\AtwXqjg.exe
  2⤵
  PID:8488
- C:\Windows\System32\UZSnjmg.exe
  C:\Windows\System32\UZSnjmg.exe
  2⤵
  PID:8520
- C:\Windows\System32\ocinBfS.exe
  C:\Windows\System32\ocinBfS.exe
  2⤵
  PID:8572
- C:\Windows\System32\qEyyoOR.exe
  C:\Windows\System32\qEyyoOR.exe
  2⤵
  PID:8672
- C:\Windows\System32\pthNnhB.exe
  C:\Windows\System32\pthNnhB.exe
  2⤵
  PID:8704
- C:\Windows\System32\MFUVHri.exe
  C:\Windows\System32\MFUVHri.exe
  2⤵
  PID:8732
- C:\Windows\System32\HDimYUs.exe
  C:\Windows\System32\HDimYUs.exe
  2⤵
  PID:8868
- C:\Windows\System32\DEFYxwp.exe
  C:\Windows\System32\DEFYxwp.exe
  2⤵
  PID:8972

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AeJVGpQ.exe

Filesize
2.3MB

MD5
6ecf5532c917d903008b99f712f0814f

SHA1
fa90bbd9591af713615aa1b96e74d684bccefbad

SHA256
21724d235ba19e6ac6f234c237899a9c691c81ff68d69168138cde517bdc41f9

SHA512
22a1a87db34cc8291bbc96b7028a59e57c7d0093a1115936eed8ca87dbdc576c698ab1c6cab655eaab67b161362dc1e2c30ee6314625cc70ec40910232d22990

Download Submit
C:\Windows\System32\BWvUIrG.exe

Filesize
2.3MB

MD5
cfb700fef61c5c3796fffa46260d768a

SHA1
ac59f5156ae6a6772c822cb45cff03814170b2cf

SHA256
3082dd6f619b30d738c193624fedea79c7dd1c549bd554b5c213074a72b93cdf

SHA512
e6949e983af36b8bd8e929d821a7e4d617e462f5f52d209488d7fdb092aafaf8a6a0ad29e65038ba4bdc56210c92d9cdef31bfcc8cb34305dc2e072c73b38640

Download Submit
C:\Windows\System32\BpnOrTq.exe

Filesize
2.3MB

MD5
6b43e4e9c74fb88a833ba1861f6fd334

SHA1
58c9bd4c5fb811457aa746a7743fe19738aec59d

SHA256
7dd6742e6fe2f1022548d32b13377df151e69567d3d6fbfd49fee60214ea2da2

SHA512
36fe80ec932ba1ffdd538b5703c5ee46cf3b747bb2bc1e4a5687fe93826fff569eaecbfadf7e7ad1e42dc87d1df116cd3d59f490a8ed05022ae12d333b0786c9

Download Submit
C:\Windows\System32\BpnOrTq.exe

Filesize
352KB

MD5
84c72484c1f835c04cb26ef8dbadc4e0

SHA1
45b3013c490fdd9eb0e79797642e1bbe343b9176

SHA256
d254d5f786588ca37277bdc0e620b11b42b5840ca05be3f32f386c0e8ce1a1be

SHA512
dc5fa88f8d294802e3f6e6db86b2d34215535f4a4156a249b7b0d3d9bd5afdd1c9155d50f4b43709ca45b18b31de7d09f0934f33930be08e63656e805cfc5da2

Download Submit
C:\Windows\System32\CDEtfTT.exe

Filesize
189KB

MD5
58add2a2172d3b526cf7f5ad8e0ababd

SHA1
cafc7b109e1af17874d782b80872706a3be3741b

SHA256
203b4dec00008eb0936c1ef5c03cf1450dc04fa9f3880e08d8229c932e71932c

SHA512
27313e3f69502175acb77062afb4b8feb89c9e779138a116dc4aecd5b56501d7118a2369cd86b411af9f968abd297c3d892c59a12ce2387d47ff890eee484fc0

Download Submit
C:\Windows\System32\CDEtfTT.exe

Filesize
2.3MB

MD5
f0c05709be99accdd671c4a93a036685

SHA1
0a59f41cc8d89518aaac1d36a054415223a65217

SHA256
b17857ca4500e3c27262f59b7b4aa903fc8631f72207f2fec111171061ac1c27

SHA512
985e2628125126562606bcfc2e8c2b64269afd71339a3a9831a5b22c11a626fc5fd4a35d1deedf1730c9758ff98fff92bbf78ab18f7e40883cc12286c4e01f29

Download Submit
C:\Windows\System32\CunTokJ.exe

Filesize
2.3MB

MD5
65f27c7283d0acb8d83865e4fa3e3b3f

SHA1
e0bb140900405356da8a729cbaf796379b5fa374

SHA256
647c7ad83ae4afc9328f4efd52890347a7a114303470874bab5ffde8b15c12e3

SHA512
168302903e10b3147f97293bc3fad1afe37edda13b66ca3d74c7b27497d994b7a3d2cd56df236637a406667a4782daa79777952a553ce083e57f1b86e334a1da

Download Submit
C:\Windows\System32\EwcYFdl.exe

Filesize
106KB

MD5
12d32fdee8b9947e094fee86be3f636a

SHA1
4696e8e2e3aecbcec40dcb72617bfe1fe4c987c7

SHA256
00a76c043265e4547b4f2616762c3a5d0720f592761d2bd9b3e1dc060a536f08

SHA512
fc3db908b6c5374d7a00be31c938d2df51f73b718930e83705592b560970084f0dc40da415f5f97dd46b53bec011118eecf914e0b17823c656c45c049a20b0fa

Download Submit
C:\Windows\System32\EwcYFdl.exe

Filesize
150KB

MD5
8fd8ab54ea1c4cef1f9e9e383314ce12

SHA1
6df0574be0b9789c82e516852609d5bdbb2e4a4d

SHA256
c50a1bf7638c07cdab98a834fd6f4b6384648c304342b0fcf648e5c2027ba9f5

SHA512
6176e3ccf090dcae71ffe87c0996bb2199bc7e796ed9c1ee43aa17905c006d4523b3157170e9ed977db2b63f0e3b87ab170546b2ed3d20a5d1526d2d4c0aeabd

Download Submit
C:\Windows\System32\FocSNsM.exe

Filesize
2.3MB

MD5
02c853d1e0fab9c0ce84691b52037d91

SHA1
45e30a5cc052fe74069a9cb65a7a9be9e7f81e4a

SHA256
75422be1d25fe1c1e5dd45124f2f77312c3764984d458f266cd8e62705a4219c

SHA512
b0add74e3f880c3edf4027ebe2209ceda1127dd81e56ddbbaec7802bc2072153d0a8e2fc427f98cf633a3b343068be17ab6a16a3cd303fb143cd3cca8f68c3f0

Download Submit
C:\Windows\System32\FocSNsM.exe

Filesize
244KB

MD5
40aaf7555923ad1007e6321dd19889d7

SHA1
c87072f50abdcd2d793723e09ae0f7c15124995f

SHA256
ecd4655dfbcb131c60b7b6c02e191876bf2ff6759b3d1c415e4fef27d427198c

SHA512
004be532925ec1ecdb67643189da31e3c7cc2ef1750636a96fc7dcaf0ca6425009feb9b350ead65b4ac2aebcbe080d72470027b2d5e12401327266c75e0051a0

Download Submit
C:\Windows\System32\HTNpeCa.exe

Filesize
2.3MB

MD5
5039fe51e53cd0e131f119772f56692d

SHA1
2b72f7ac235295b3490606e3dd7b89cf8039e0e9

SHA256
7fed5fc232dd5c981b08fcd5943d43937389a2493c497bd1adacb77aa964c7a4

SHA512
85807253df7e39ca7b591d303b3fc398a8eb12080270540a3521d73ed1976c7180c6533b35376f20b272d45194ddfc8886fae35a533a45832e73fe239dba4653

Download Submit
C:\Windows\System32\ISGNrpj.exe

Filesize
2.3MB

MD5
40b425b64dd18e108824fdec7653551a

SHA1
fef717b2cdfc205673646a27202cf1d2983762bf

SHA256
908bd28cf061b862d07b208e9ea790296bcbdfc46cafff2adf0a900ec39ce55c

SHA512
209e2b99be40b2fe95db6afb16239429a880317f734804c5d87e5df8d3929aa94dc30730df72013745e6b39cd6ae1782b3306d2e69f26e2f3aa52a83133338b6

Download Submit
C:\Windows\System32\IxqhEfU.exe

Filesize
2.3MB

MD5
71d2d388cb98e3ddf229b99b50e00ebd

SHA1
c38853aca461a23fd1c4e853fc1487fa325cedd3

SHA256
741de305ec810b233bd9c770eb760f81b63fa4ce5892e9e6cb47c514b77fefbd

SHA512
d9b0db03233f602c366d5aca6116d40b920369f7c5928b77d4f68570b04463ca127e24d8fa2d26cc8c0c28579387a04c42ac46dbfe62d8f01dcfe77ff7cf7bb4

Download Submit
C:\Windows\System32\IxqhEfU.exe

Filesize
192KB

MD5
4078acc498785367144b11c7ff73bee3

SHA1
6ae18ea649652a9d920179426e366db6f228773d

SHA256
68f0f3815d88dc84375748a04e4e579e2e35de55a98f64f1b9f36877e7617331

SHA512
bbbadb632a05e04d5dc54df0cb2158fb141b62fab3f47e560e3f5ca0177292a732f14d21a6f4c340930f452ae853a9d6750c6f90efc567df30f34c005170d592

Download Submit
C:\Windows\System32\MIYdqrB.exe

Filesize
2.3MB

MD5
afdcf4c998b844b44d4fd60f15d2e310

SHA1
9727b6224f9b4e9ea9b7e3fff9e98badf3759f81

SHA256
3d1215ac4d9d44c3a150ae1623773f205113c8f761b341688b3abcab414e553e

SHA512
5716ba7b34055167855365f67ca6c4b3afea87e98bab04f1d4c9a343621a43240acf60a6cd7cb7e7e59af582356e8a50c0365f7fb1fa0c50803f394fbe39f3a8

Download Submit
C:\Windows\System32\NqLacBl.exe

Filesize
2.3MB

MD5
0458610062a430e604cc669e7fcaf31c

SHA1
c96ae09f15d9560dd0a1b86a56b23ee44569983a

SHA256
a3517593216699381229854163a83fa6d7572f1e5d4911bf0d129c34d52d11a3

SHA512
da2554f8206f9dac4a8b5ffe7a3c509602544412854df239f6b4d051ecece9cc32ed939ab63b2200d2a0d833daf3b202dcd31cfb226fd5af3ff680d443a33deb

Download Submit
C:\Windows\System32\PxWUgLY.exe

Filesize
2.3MB

MD5
b67efa57e643b51841ed50749af9cbac

SHA1
8fb79607ec0bc4eb5091f9e1e704b4f5f32f9a2a

SHA256
4bbda792ce50b48c499c4445fa846d05284c18a8556a635bc9c76f0b9c8f1b00

SHA512
7a21c73458b94a6b38b055e52aae897b98942e3e4c1b0de62caad92b4227874266bea6c1bf4edcd6cccd5c0dc61adae131079db8db1b9c004938d9df5be03a08

Download Submit
C:\Windows\System32\PyqiRHf.exe

Filesize
64KB

MD5
ae569e5a7c7b7cf1ffbe507911ab6ced

SHA1
400a2f5ec7afd24e669dd90233185a792e50e7cc

SHA256
48758e9560ac724ed839a7f1960349083ad893b86869ecf0487caf60b9f9e737

SHA512
9d0693df7bad9e5406e49e9678ce5c24297be044028d0ebb844cf8f37d1eced71e03884ae95ca0b94bfa5b1622574caf1fe8e4f0d852f0f1b5c90f1aabb3f7f0

Download Submit
C:\Windows\System32\PyqiRHf.exe

Filesize
315KB

MD5
789ac4a6abe9986e01e2c2553999148a

SHA1
4cb8ab37c5eb1df8e28594f995f3ffc4e51485ec

SHA256
effb9297b25db3340c951e6fb89c81d3304228e93fe31a8f33135cc7cdc89584

SHA512
6e424d87dff66426e54c2fa509c16168d87ce58a9eb40729f560726c00f707edbe4e98e83f9669fba68816ecbc04a8fe7e059a9ec81dc8cbcbdb50e9a10a60f9

Download Submit
C:\Windows\System32\PyqiRHf.exe

Filesize
128KB

MD5
60b04c970eee0bc6d9384f2146dcfb21

SHA1
89b2fc7acb9be61bc75b82b58a473e9e56557328

SHA256
4f65d15ee4bde9e93e15978a6de93a74bf3baa58e2382726f5337c998139fca9

SHA512
4d61693ff405b7e9292db15581531e872af6cdf6e5bc6126010cb0e498839e275250187f58833c4e95e5b80f1fe915dceb6e1a52926446ab771bbb31fbbc49f2

Download Submit
C:\Windows\System32\QCoiOjC.exe

Filesize
132KB

MD5
4e82f4a018ce274465ae172d6661163f

SHA1
fdd0d3af9a86e630b49624b4a1d512b436b5eda0

SHA256
82752e0f5fd7ec2940cd52f7cef1e0bbb609c519d029d4bc9fe79a557e0e6b4a

SHA512
519d51272eb504b7e6501cfcecbdbdd49666b71d9895cea589183d7fcc318767832971ace6321bccfae606d4475084852b0c79476be28b843ec19591ab9ee370

Download Submit
C:\Windows\System32\QCoiOjC.exe

Filesize
175KB

MD5
baf11ebb06bf61f154feb8dd4e2edbae

SHA1
306430713a5219a887c152fdcc4d9e68222e78ed

SHA256
cb1ad1a9fd69af06896051027aa190ab9f46b2e8c541ca3ecf20a2583d84173b

SHA512
e277852cdf27648f9d8bed8fcae163aa241267f0026f89cf94044d12303397e80162a1e398232f241cf9007f14a100806bd3930bfe872f91d67354df72c123e9

Download Submit
C:\Windows\System32\SEstdOG.exe

Filesize
2.3MB

MD5
abd30631f4de007128eec1472fcc3bb6

SHA1
1d8375ddff4d33362ef3ce0d440c1fcb4837ae80

SHA256
24779e9796703314d4ccdf924ada0792c58dc9e71fbd03acde6024784050527d

SHA512
7b1708fbc5e4b4cffd0968eb9d98c9ce7f28b4dcc04b5d3578afb3f04be0368b5ed6d29c78ce3a3e239729388eeb386329f84b3acb4e1f3007925ca1497302a3

Download Submit
C:\Windows\System32\WYNsgbR.exe

Filesize
28KB

MD5
c397eae88ac21ea8c2e19d08ee5abaea

SHA1
3fd33203498e3ec7b921380b5a3665475ab992f3

SHA256
5b3774c339f47f8b7fd3297fdf1d768ffc6011839855aab0783608ceb109a4a5

SHA512
b0c52f512f4f578d62ced816d0f956babba565137f37ffc5cdf0e3db7bc5097c5cdae8c3ee092e99977aaec626a72b27f372bc7e1ff663e4cf63d7c8828cbbc5

Download Submit
C:\Windows\System32\WYNsgbR.exe

Filesize
2.3MB

MD5
8cbe91706babf84911473529c72db741

SHA1
9d9606ef93b6748795824f1fe2eaae2752e22d5b

SHA256
1bee02b907822ef2b7bfcfed62e9e7638cac46677ed087d434e7210b9b94447f

SHA512
8bf17f45e82a8fd2286f2beffe24baa0c8c72917956cc910df20581ddde9384303b3f0878ad9969aa4c2126ab20692ebafbdb7bedcfa6d1d3d43947866312c62

Download Submit
C:\Windows\System32\WhyPhwF.exe

Filesize
105KB

MD5
0fc6a63379f5c59eb75f26aade2b5057

SHA1
b720ec77c44b46497006783f7169b3b2d948c0d0

SHA256
0165d41ed813564f3bea232fd6ce54e13e3f9422964646caf1fd53d53e536139

SHA512
30e9c24e9128457f55ba5d12f5e9c7714fb66ff0f62b50d2297b367d6a8317efc1b950921f19e5861d91257547ce5bd7d0040d5c1b45279d23c3b21d0b189a9a

Download Submit
C:\Windows\System32\WhyPhwF.exe

Filesize
2.3MB

MD5
1e292584fe4ced2d30341c8dc4275f2c

SHA1
4b427e5a005fee865f744b8d06c03270bba90d1d

SHA256
f2f4a3b823c01028f1608261c0cbb981b237f936e1fc48c91cb60ee021c49629

SHA512
60962ebc04a7b4bad389a3180ce0c8ded17ebc674ccb457233cb1782873c5fbd87e6816219c9feaf68cbe4d917178cd8753cdfb8915a17cc1109b3f1023c26f5

Download Submit
C:\Windows\System32\YfBcWqK.exe

Filesize
2.3MB

MD5
d1b6c0f624a1ec7ae61ee55a7a69d340

SHA1
c8da1ca71ca7fa23f31847ea0abf74e7c1846956

SHA256
fe6bc1107769244ba53800960758a6111ab4ba0f87c342a60ed4e4c68d378954

SHA512
7b3f09df5d0d44be70de27817f9b9c2a4829f35bc674e5c7ae1ecd889577d11ea5c451be3e9086d0bcd061c36490c36759f5702d9ea5c70a4b4564977fdad828

Download Submit
C:\Windows\System32\YfBcWqK.exe

Filesize
275KB

MD5
5ef88898cf25faf60829ac851b06a198

SHA1
d5f4df338a1b043fc6867b5b8a68d49370547262

SHA256
7b3847abe6b064d082c16d95fbbf62b5c766356e8bc8c6e74605dde946c2ceaf

SHA512
bdbf5e13dad89d1f9b391fe519061a682d749fbed3cbb6f52a83ada7e71ab687e89929a4c4c1352b00388f0eb2d1bf76755b954f53a7e54d87b5c3155b7c6037

Download Submit
C:\Windows\System32\ZAfkSnX.exe

Filesize
2.3MB

MD5
b21889ab12adf1f51c9723488ac82434

SHA1
6c7778ab005897a14382ffcc6a9a8bd594128dd8

SHA256
df31c2e5303a6f6954d171b6417c8bf09b0fd94c5a4120908cc69cb1be94bc25

SHA512
893ca49a99723179844c9afb0ac46e9e79f73c1cb68223eb7da67d45f9b9608fea955519dffa3d1d8ace64bd3ab4329e070c19b7a28972b2b5469bfdb2f75dbc

Download Submit
C:\Windows\System32\aUSOlTK.exe

Filesize
2.3MB

MD5
cb22a3411725ca74eaf034c47eef7aa8

SHA1
0bc5e1f3003a56b55da786b28cd72a81ee5abfca

SHA256
e9198675144308f14ce9a34ab78c4f2ee4f869c99d0e625028dec332786673a1

SHA512
544d5a3f01d7d6f9997ec3f31757c9ff3cb4f5b7b3cee8f3c990c7780252b86b5c160847c02eef3c7b9628eb082d00425ddee79903a504c12118e48d78f91a0e

Download Submit
C:\Windows\System32\iWiQOje.exe

Filesize
2.3MB

MD5
0e9e6064831eaee3f2b521ee6bec81a8

SHA1
09fcc56920eda9021ee096730ba15c25cdd16472

SHA256
ddc96597f4d4881a6328f9d92981ffc0a9e513ea229a0e225f5d03fa081c207a

SHA512
7b99cceb3cbb516c6fd58381573deb92c665c70d8ef7c2b34fa8064f2702c94dbd115d584298d67d78a718c010079ca0402396f843fa78111f2c068ca0d27c7f

Download Submit
C:\Windows\System32\iWiQOje.exe

Filesize
66KB

MD5
cd1d974ab4ac8e7f66d1ab1635e13a5a

SHA1
3f0f1e0f5eff9ba43ece72c2eb5cd7523fc94924

SHA256
a49331b1d27eb9852c0083ab7415b804e3b206c66ce28f1e427316f16fe8d8ce

SHA512
4eaf410ee468d6bb4ab5e56b7e9ff5980ebdf2664e2bd968a006a1a035191716165e6ac3cc407a5bd471040562afb3b31e2b3d7c92d22e313bb15c7736b343a5

Download Submit
C:\Windows\System32\kmvHiRm.exe

Filesize
2.3MB

MD5
1a9448e7070e5e95ebc7eb93049c9e31

SHA1
db72965e76c2ae5b0953763760ee9a0fa7e24f2d

SHA256
2f1a4d5494b3c3eb9e1992995f5fc0317b3a972d52c6c5659eb9ff95486eb0d8

SHA512
47e76f187342eb3051055d5c17516aab0105996a9c844f0256498b8b09b54f293129f51bf9c3f8de568c0eff6324c0805bd54f6fb935d275508ac154f5d11866

Download Submit
C:\Windows\System32\kmvHiRm.exe

Filesize
398KB

MD5
2a7c7cbd46bf474fa1a545cc9d74e282

SHA1
4210eefa266f3e46fe7ae0f50bef19f74d943fe6

SHA256
2ff32bf88938c9280f01d67bb4548c531a80f6b941e8f847465b8a0623396fee

SHA512
d12d433b02e92e01b57b4b57e660182098687dd2d6dd231c1bfabb5967bb97c1a5b60ba64136f9ae10d44c3a4edc72c6cc46f1d67e8399a656d7b1704a4cc19c

Download Submit
C:\Windows\System32\lNwhPaE.exe

Filesize
2.3MB

MD5
8917248cfa80e7b9b35b60d5a71b827c

SHA1
bb911edc9ecb746e45ee93f5ef43ec508a7cadd7

SHA256
bf8d31da0484352176d2168d507fe065070987f5753257c4ddcb5519eb2b76de

SHA512
4cc34393afd25b225d9b448a98bfdd52ad73638bd9f6d0f1cd8c6e38a029333c5bb626f8bc1eb61259d197682d517afa792f15ababf8f47585b09c3f36122133

Download Submit
C:\Windows\System32\lNwhPaE.exe

Filesize
106KB

MD5
fca9afcce8638eff0422368c10d7f90c

SHA1
420ea1b8ceef38638497bf5861058c8ef74a448c

SHA256
abc0a18dcbb3232417796fa76a68b2949786e8055195d3ee4b0ce6c76be05006

SHA512
d4ab104c4412e46df2339e979c1b7773202e37701c4998a432081eb98441b502e3769e989e9333541757bbdee43bdb9150c5256a8f9692760368c358469ee98c

Download Submit
C:\Windows\System32\oQxHLqd.exe

Filesize
181KB

MD5
dd588e56fa58bb14c0706c51acab66b5

SHA1
b0ea17351bb49b55ba22720bcfe1ce43fde3152e

SHA256
aac547bc9fccd930a8dace2cf51f987bb8ffa9f5ac31494777ebc750c6e83a77

SHA512
a078e57e0cac0e3ed55deead4fe082a7539fc08a77830e1b37517d17fca97a4b71b4cd7582cb3c77d1474e88abdaa0544cf31605949ea3eb61a2f4e214d4bb6f

Download Submit
C:\Windows\System32\oQxHLqd.exe

Filesize
2.3MB

MD5
3a0d09e6f3c04d6c3462beaaef52d031

SHA1
2448ecdfbb1fef07f0c21c7f7fcfb61c167e27df

SHA256
4c532d22a944f9c518e258b25535a5d419eb188744287f58ff4e60d54d65994e

SHA512
32012c8f1f2773cd2c1864f53eedd31c1fde823293f03953794c43c3336600ee8003291b670fcbb0e6447ff22b884013c7f7456b2852d3d3d4f0e9f35b8d3835

Download Submit
C:\Windows\System32\pNUDlEa.exe

Filesize
2.3MB

MD5
bc1530a5aa609b98240159a7cd9b669a

SHA1
ba0b139ee6e511ecccd759c9f74d60766e288411

SHA256
bc141a16d0aa1aba2025d225d55caa62db4e5ab333bc0665ac54a4ae16d45d26

SHA512
4515b8cdb8f67e6f8e077bcd755798dfd64dd130dbaab1b300abaa3ede307f0b607243652ff7ac5f42fa4a37a03446e6d6455e1e2fdeaf1a0d2098ea8b179bda

Download Submit
C:\Windows\System32\qNhyJfB.exe

Filesize
2.3MB

MD5
fdb447bcf5b172034076e2a860e907ba

SHA1
b9e1a7854e48a083107ed82608d4104f8089fe4e

SHA256
e2776c6cfcf5107d639eba0c053ab6502fc2f558ac590b470ccd11a49abf8e67

SHA512
8039e0af694631174c5c4a13936836214c9c5bd469ca33eac43bd2f96105bb8c711ecc7684f4d3a9bd047be9ff77b9e53b80bda4088a08d2608e23bc370d9ce4

Download Submit
C:\Windows\System32\qNhyJfB.exe

Filesize
271KB

MD5
5bbde873e515d532be089a2d30c5adba

SHA1
350ee88ca34637c4399d89e184284dcf5a3d2812

SHA256
0736df476eb531ce93bd775d10386713f158375a0ed320a4092f5236e8dd973e

SHA512
ff479fffc997eeca4bacd865cc7f1830f1f2c32869f6a905e6ebf5004b51610e07c37ff031855780aa76d47e40db7a46f822286760d3907cf0a48aaf6319f612

Download Submit
C:\Windows\System32\wRDHZlG.exe

Filesize
2.3MB

MD5
dbd9df5cd0a895a9f02dde537efe1a17

SHA1
bcbf428903b0531acdc4b52289543e5efb5eb8ef

SHA256
e02fa9f86ee213edad24ebf0722e5b106050318f0f8ecd415773a0e6c51b00e7

SHA512
71a63dc7d499cb8aac87c095a755d3f46742de38caba3b8b8713b4dbe57f31fcd10153ad74bbff4d0574db4c3b49cd6da8b96a11cff2ffc697abc8f225a4d92f

Download Submit
C:\Windows\System32\wVBmgDE.exe

Filesize
15KB

MD5
84b1734c3897c943372cb4ec0dd5e062

SHA1
9c74d73d230694c1f9b510bc988cb0b8f34a9d1b

SHA256
164f6fbe082059ed3f92cb31837bdf5d9ef678c2bfee696aceda607eec9be601

SHA512
caf4132abd2bc78683ea8421624090fb9386ee4207007d4d1fee70f36623a4816be3e8e2c74e180f8387cba9510abcd9abafff3e32441c6ef8c422741278c5af

Download Submit
C:\Windows\System32\wVBmgDE.exe

Filesize
2.3MB

MD5
9b7ac477e9bb8af15ddb9695d2a79701

SHA1
b9794360668eaf08bf182d6b95f052a47d0938f5

SHA256
57b9be07b3d62e8160f77049287ac28e054cfa5662c0ee2a6674987cf736729c

SHA512
9f37b26729c69643e763c2f6ea609dd0d95ae8c98e848befb29d6727aa3b03f0ea33007995fa8cefc93deb1652aa02d1ddb06ae76911a60976f99bc343096127

Download Submit
C:\Windows\System32\wrYBhtl.exe

Filesize
158KB

MD5
523bc16efe3541c69e9bbd9a6769e93f

SHA1
3463907566a8709df9490c47f9c6978b05ea2ad6

SHA256
79a3428985cc32ea20d770d2c67f6311934398a4df94d37905c682195c5a3943

SHA512
6f6afa42d42c1a57340d1f0a84989e17f192b96c87d0f68ba4b14b9ea43b8eb5e3bd26c6cb16bb25106b3cc4bb190798c38fc15f4095ed4061241cc0d0911402

Download Submit
C:\Windows\System32\wrYBhtl.exe

Filesize
2.3MB

MD5
5b4352006e809c7377d81d6c2b06bb21

SHA1
db11d7ed6575eef0d3c85a46b6b6cb497ade1263

SHA256
1f460c8e9d0ef687499786476028efc0f22736334cb507efcee5d2e702e5fd38

SHA512
26d107e629e216c6b8a414be6d2e5f9ecb32e1430d5308eb7e7502b74402a910648e2b6ef8baf8189d86c4397c9935869c9ddd308c31a85dfc816ab04835a29d

Download Submit
C:\Windows\System32\xGctRjp.exe

Filesize
322KB

MD5
5af7bff6a10789ab4c0737a7feabbbd2

SHA1
b462ecebf73bd404dd045100e1a65c56670359cf

SHA256
9cb5c910a8c0edfcc71713ddfa88186e7a7003cff03b3db270159a328abf05ab

SHA512
ebfd705bd3635e23b44d952a4b130b5c62fde807442b0bf9f779a5620e3ddda599bf1ab5842dbc5361904dfa2541d10268e4367e26effeb3ea15bf965d4ffa7d

Download Submit
C:\Windows\System32\xGctRjp.exe

Filesize
349KB

MD5
f602cbe849ba433913858adff99ee712

SHA1
7f686624f435c74c74e4ea587f37e899c9e0418c

SHA256
3e509fe0ca0b2fa8894e509883168264bd150279faa72c7896f7605f4b8951bf

SHA512
57174746498c894a633392acff8d645dc5df87842c705cd2e276a3eb21004b4b8b757d702e2e90467b64118801034b2ea890c5e3d624e373ea661e3e0bfc6f49

Download Submit
C:\Windows\System32\ykwtnJN.exe

Filesize
2.3MB

MD5
09a10c7afe6e16686ea84c2ccd8f3020

SHA1
f96e6a3dfe51b672a771dc9a36384cc6823725a1

SHA256
a5ab83d5e75ef702eafee7524e37b248b10d08db39de190809ed468081873b29

SHA512
992764e115ec5afc2fdde9fa0b57f210a583de32610d3a2a359ee76266df5209739c0e2d690be53b5f6d81b26de44afb0b3c256690d0057904c17c6c6280974d

Download Submit
C:\Windows\System32\ykwtnJN.exe

Filesize
14KB

MD5
4db68cc1c64c5730869ef06f39b6cc8d

SHA1
a1ecae27e9d5e295d3d1aba6454ed53aa2a2f060

SHA256
664104830fe34c0bc44d07a4a5df3d8bb828afa20613bef15795822004630877

SHA512
95e02dc160c8fce3166d5a2ab0e20da31935a6b120ca99d9bfeba8f88b9dad5ff47ec2f0aaac19f51a2ab66a6913d1dc0e5fd630dcff76a354786a5345271153

Download Submit
memory/348-89-0x00007FF66FEF0000-0x00007FF6702E5000-memory.dmp

Filesize
4.0MB

Download
memory/556-92-0x00007FF6AD780000-0x00007FF6ADB75000-memory.dmp

Filesize
4.0MB

Download
memory/556-1-0x000001CF976F0000-0x000001CF97700000-memory.dmp

Filesize
64KB

Download
memory/556-0-0x00007FF6AD780000-0x00007FF6ADB75000-memory.dmp

Filesize
4.0MB

Download
memory/856-112-0x00007FF773D40000-0x00007FF774135000-memory.dmp

Filesize
4.0MB

Download
memory/856-17-0x00007FF773D40000-0x00007FF774135000-memory.dmp

Filesize
4.0MB

Download
memory/880-464-0x00007FF64CD70000-0x00007FF64D165000-memory.dmp

Filesize
4.0MB

Download
memory/1460-86-0x00007FF715980000-0x00007FF715D75000-memory.dmp

Filesize
4.0MB

Download
memory/1484-463-0x00007FF72EAE0000-0x00007FF72EED5000-memory.dmp

Filesize
4.0MB

Download
memory/1676-598-0x00007FF6C67D0000-0x00007FF6C6BC5000-memory.dmp

Filesize
4.0MB

Download
memory/1700-127-0x00007FF787A90000-0x00007FF787E85000-memory.dmp

Filesize
4.0MB

Download
memory/1768-84-0x00007FF69C5F0000-0x00007FF69C9E5000-memory.dmp

Filesize
4.0MB

Download
memory/1824-106-0x00007FF735C50000-0x00007FF736045000-memory.dmp

Filesize
4.0MB

Download
memory/1872-555-0x00007FF7F3110000-0x00007FF7F3505000-memory.dmp

Filesize
4.0MB

Download
memory/1880-109-0x00007FF71FDC0000-0x00007FF7201B5000-memory.dmp

Filesize
4.0MB

Download
memory/2028-465-0x00007FF69B630000-0x00007FF69BA25000-memory.dmp

Filesize
4.0MB

Download
memory/2040-153-0x00007FF7D55D0000-0x00007FF7D59C5000-memory.dmp

Filesize
4.0MB

Download
memory/2040-52-0x00007FF7D55D0000-0x00007FF7D59C5000-memory.dmp

Filesize
4.0MB

Download
memory/2188-615-0x00007FF6C8070000-0x00007FF6C8465000-memory.dmp

Filesize
4.0MB

Download
memory/2428-123-0x00007FF6D09B0000-0x00007FF6D0DA5000-memory.dmp

Filesize
4.0MB

Download
memory/2428-32-0x00007FF6D09B0000-0x00007FF6D0DA5000-memory.dmp

Filesize
4.0MB

Download
memory/2504-22-0x00007FF64A950000-0x00007FF64AD45000-memory.dmp

Filesize
4.0MB

Download
memory/2644-461-0x00007FF779570000-0x00007FF779965000-memory.dmp

Filesize
4.0MB

Download
memory/2684-14-0x00007FF7038A0000-0x00007FF703C95000-memory.dmp

Filesize
4.0MB

Download
memory/2684-104-0x00007FF7038A0000-0x00007FF703C95000-memory.dmp

Filesize
4.0MB

Download
memory/2920-502-0x00007FF61A3F0000-0x00007FF61A7E5000-memory.dmp

Filesize
4.0MB

Download
memory/2932-88-0x00007FF765C20000-0x00007FF766015000-memory.dmp

Filesize
4.0MB

Download
memory/2956-460-0x00007FF7BA7F0000-0x00007FF7BABE5000-memory.dmp

Filesize
4.0MB

Download
memory/3024-472-0x00007FF601E30000-0x00007FF602225000-memory.dmp

Filesize
4.0MB

Download
memory/3112-537-0x00007FF705B00000-0x00007FF705EF5000-memory.dmp

Filesize
4.0MB

Download
memory/3184-58-0x00007FF657C40000-0x00007FF658035000-memory.dmp

Filesize
4.0MB

Download
memory/3184-161-0x00007FF657C40000-0x00007FF658035000-memory.dmp

Filesize
4.0MB

Download
memory/3220-137-0x00007FF64D340000-0x00007FF64D735000-memory.dmp

Filesize
4.0MB

Download
memory/3264-114-0x00007FF7A9630000-0x00007FF7A9A25000-memory.dmp

Filesize
4.0MB

Download
memory/3288-59-0x00007FF6851F0000-0x00007FF6855E5000-memory.dmp

Filesize
4.0MB

Download
memory/3388-525-0x00007FF613CB0000-0x00007FF6140A5000-memory.dmp

Filesize
4.0MB

Download
memory/3456-522-0x00007FF7F25F0000-0x00007FF7F29E5000-memory.dmp

Filesize
4.0MB

Download
memory/3472-462-0x00007FF71E2B0000-0x00007FF71E6A5000-memory.dmp

Filesize
4.0MB

Download
memory/3636-489-0x00007FF7ECF20000-0x00007FF7ED315000-memory.dmp

Filesize
4.0MB

Download
memory/3640-547-0x00007FF6748D0000-0x00007FF674CC5000-memory.dmp

Filesize
4.0MB

Download
memory/3748-497-0x00007FF664DF0000-0x00007FF6651E5000-memory.dmp

Filesize
4.0MB

Download
memory/3796-606-0x00007FF75A0E0000-0x00007FF75A4D5000-memory.dmp

Filesize
4.0MB

Download
memory/3892-476-0x00007FF782D00000-0x00007FF7830F5000-memory.dmp

Filesize
4.0MB

Download
memory/4000-142-0x00007FF7260E0000-0x00007FF7264D5000-memory.dmp

Filesize
4.0MB

Download
memory/4016-119-0x00007FF6BC1E0000-0x00007FF6BC5D5000-memory.dmp

Filesize
4.0MB

Download
memory/4140-148-0x00007FF67E080000-0x00007FF67E475000-memory.dmp

Filesize
4.0MB

Download
memory/4280-155-0x00007FF63D220000-0x00007FF63D615000-memory.dmp

Filesize
4.0MB

Download
memory/4316-527-0x00007FF611D40000-0x00007FF612135000-memory.dmp

Filesize
4.0MB

Download
memory/4320-592-0x00007FF688800000-0x00007FF688BF5000-memory.dmp

Filesize
4.0MB

Download
memory/4388-569-0x00007FF7ECC60000-0x00007FF7ED055000-memory.dmp

Filesize
4.0MB

Download
memory/4440-580-0x00007FF65F010000-0x00007FF65F405000-memory.dmp

Filesize
4.0MB

Download
memory/4524-131-0x00007FF7084B0000-0x00007FF7088A5000-memory.dmp

Filesize
4.0MB

Download
memory/4524-39-0x00007FF7084B0000-0x00007FF7088A5000-memory.dmp

Filesize
4.0MB

Download
memory/4588-625-0x00007FF643700000-0x00007FF643AF5000-memory.dmp

Filesize
4.0MB

Download
memory/4644-117-0x00007FF611580000-0x00007FF611975000-memory.dmp

Filesize
4.0MB

Download
memory/4644-25-0x00007FF611580000-0x00007FF611975000-memory.dmp

Filesize
4.0MB

Download
memory/4648-46-0x00007FF65AAF0000-0x00007FF65AEE5000-memory.dmp

Filesize
4.0MB

Download
memory/4648-141-0x00007FF65AAF0000-0x00007FF65AEE5000-memory.dmp

Filesize
4.0MB

Download
memory/4652-566-0x00007FF6E0790000-0x00007FF6E0B85000-memory.dmp

Filesize
4.0MB

Download
memory/4728-514-0x00007FF712140000-0x00007FF712535000-memory.dmp

Filesize
4.0MB

Download
memory/4876-108-0x00007FF7FC6E0000-0x00007FF7FCAD5000-memory.dmp

Filesize
4.0MB

Download
memory/4880-484-0x00007FF7A0A40000-0x00007FF7A0E35000-memory.dmp

Filesize
4.0MB

Download
memory/4944-632-0x00007FF69B1B0000-0x00007FF69B5A5000-memory.dmp

Filesize
4.0MB

Download
memory/5056-158-0x00007FF7FB3A0000-0x00007FF7FB795000-memory.dmp

Filesize
4.0MB

Download
memory/5112-466-0x00007FF71AEE0000-0x00007FF71B2D5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads