xmrig | acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
Size

3.1MB
MD5

3f7fbb876cadcf6fdeec52c512a8f19b
SHA1

12eaab323695a5ddbc3487a4b16a2bc93f6cb70d
SHA256

acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743
SHA512

c41f890f348d2c69f0b7736a5ceae46af332f68c90a16d16965ee712ec74546e96f34ff1e7947cef4fdb1f45fff5e952aeb50f2c1b56cdf2bc9d3e381de08f8f
SSDEEP

98304:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHrWa:SbBeSFke

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables containing URLs to raw contents of a Github gist 64 IoCs

resource	yara_rule
behavioral2/memory/4988-0-0x00007FF7C2F50000-0x00007FF7C3346000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000001e59e-6.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000001e59e-5.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000b00000002320a-10.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3516-11-0x00007FF7EE6D0000-0x00007FF7EEAC6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000b00000002320a-15.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002321e-32.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023220-54.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023225-82.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023226-84.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023228-102.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3940-103-0x00007FF6F57E0000-0x00007FF6F5BD6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023227-106.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002322b-117.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1248-119-0x00007FF697250000-0x00007FF697646000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3448-128-0x00007FF7353F0000-0x00007FF7357E6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1752-132-0x00007FF75F460000-0x00007FF75F856000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002322e-139.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002322d-143.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3736-149-0x00007FF7C2970000-0x00007FF7C2D66000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3920-153-0x00007FF7F19E0000-0x00007FF7F1DD6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002322f-155.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2284-161-0x00007FF7B3800000-0x00007FF7B3BF6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023231-166.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2560-176-0x00007FF6468A0000-0x00007FF646C96000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1560-182-0x00007FF6EEB20000-0x00007FF6EEF16000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023235-188.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1836-195-0x00007FF6827C0000-0x00007FF682BB6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/116-213-0x00007FF668AF0000-0x00007FF668EE6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5000-220-0x00007FF718A90000-0x00007FF718E86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1448-227-0x00007FF764EE0000-0x00007FF7652D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3412-231-0x00007FF713C90000-0x00007FF714086000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4772-233-0x00007FF73F860000-0x00007FF73FC56000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2308-361-0x00007FF6B4F90000-0x00007FF6B5386000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1640-362-0x00007FF70E730000-0x00007FF70EB26000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4416-363-0x00007FF75E330000-0x00007FF75E726000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3028-364-0x00007FF7966E0000-0x00007FF796AD6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3480-367-0x00007FF785430000-0x00007FF785826000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5136-375-0x00007FF7288B0000-0x00007FF728CA6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5164-376-0x00007FF7B58A0000-0x00007FF7B5C96000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5224-378-0x00007FF72CBD0000-0x00007FF72CFC6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5280-380-0x00007FF78BA00000-0x00007FF78BDF6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5368-383-0x00007FF794230000-0x00007FF794626000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5420-385-0x00007FF6C9C90000-0x00007FF6CA086000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5392-384-0x00007FF68C890000-0x00007FF68CC86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5340-382-0x00007FF7B6200000-0x00007FF7B65F6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5308-381-0x00007FF7E6300000-0x00007FF7E66F6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5252-379-0x00007FF75FA50000-0x00007FF75FE46000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5196-377-0x00007FF71E6C0000-0x00007FF71EAB6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4992-366-0x00007FF604800000-0x00007FF604BF6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4732-368-0x00007FF615DF0000-0x00007FF6161E6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1512-365-0x00007FF7D6D20000-0x00007FF7D7116000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3604-360-0x00007FF6B5A00000-0x00007FF6B5DF6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2844-232-0x00007FF78C4B0000-0x00007FF78C8A6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3988-230-0x00007FF60C8B0000-0x00007FF60CCA6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1844-229-0x00007FF619E20000-0x00007FF61A216000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2584-210-0x00007FF6A9870000-0x00007FF6A9C66000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4200-205-0x00007FF79DB20000-0x00007FF79DF16000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023236-203.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2080-200-0x00007FF7D1B40000-0x00007FF7D1F36000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2800-199-0x00007FF6843A0000-0x00007FF684796000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023237-201.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023235-197.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2104-191-0x00007FF682D10000-0x00007FF683106000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4988-0-0x00007FF7C2F50000-0x00007FF7C3346000-memory.dmp	UPX
behavioral2/files/0x000700000001e59e-6.dat	UPX
behavioral2/files/0x000700000001e59e-5.dat	UPX
behavioral2/files/0x000b00000002320a-10.dat	UPX
behavioral2/memory/3516-11-0x00007FF7EE6D0000-0x00007FF7EEAC6000-memory.dmp	UPX
behavioral2/files/0x000b00000002320a-15.dat	UPX
behavioral2/files/0x000700000002321e-32.dat	UPX
behavioral2/files/0x0007000000023220-54.dat	UPX
behavioral2/files/0x0007000000023225-82.dat	UPX
behavioral2/files/0x0007000000023226-84.dat	UPX
behavioral2/files/0x0007000000023228-102.dat	UPX
behavioral2/memory/3940-103-0x00007FF6F57E0000-0x00007FF6F5BD6000-memory.dmp	UPX
behavioral2/files/0x0007000000023227-106.dat	UPX
behavioral2/files/0x000700000002322b-117.dat	UPX
behavioral2/memory/1248-119-0x00007FF697250000-0x00007FF697646000-memory.dmp	UPX
behavioral2/memory/3448-128-0x00007FF7353F0000-0x00007FF7357E6000-memory.dmp	UPX
behavioral2/memory/1752-132-0x00007FF75F460000-0x00007FF75F856000-memory.dmp	UPX
behavioral2/files/0x000700000002322e-139.dat	UPX
behavioral2/files/0x000700000002322d-143.dat	UPX
behavioral2/memory/3736-149-0x00007FF7C2970000-0x00007FF7C2D66000-memory.dmp	UPX
behavioral2/memory/3920-153-0x00007FF7F19E0000-0x00007FF7F1DD6000-memory.dmp	UPX
behavioral2/files/0x000700000002322f-155.dat	UPX
behavioral2/memory/2284-161-0x00007FF7B3800000-0x00007FF7B3BF6000-memory.dmp	UPX
behavioral2/files/0x0007000000023231-166.dat	UPX
behavioral2/memory/2560-176-0x00007FF6468A0000-0x00007FF646C96000-memory.dmp	UPX
behavioral2/memory/1560-182-0x00007FF6EEB20000-0x00007FF6EEF16000-memory.dmp	UPX
behavioral2/files/0x0007000000023235-188.dat	UPX
behavioral2/memory/1836-195-0x00007FF6827C0000-0x00007FF682BB6000-memory.dmp	UPX
behavioral2/memory/116-213-0x00007FF668AF0000-0x00007FF668EE6000-memory.dmp	UPX
behavioral2/memory/5000-220-0x00007FF718A90000-0x00007FF718E86000-memory.dmp	UPX
behavioral2/memory/1448-227-0x00007FF764EE0000-0x00007FF7652D6000-memory.dmp	UPX
behavioral2/memory/3412-231-0x00007FF713C90000-0x00007FF714086000-memory.dmp	UPX
behavioral2/memory/4772-233-0x00007FF73F860000-0x00007FF73FC56000-memory.dmp	UPX
behavioral2/memory/2308-361-0x00007FF6B4F90000-0x00007FF6B5386000-memory.dmp	UPX
behavioral2/memory/1640-362-0x00007FF70E730000-0x00007FF70EB26000-memory.dmp	UPX
behavioral2/memory/4416-363-0x00007FF75E330000-0x00007FF75E726000-memory.dmp	UPX
behavioral2/memory/3028-364-0x00007FF7966E0000-0x00007FF796AD6000-memory.dmp	UPX
behavioral2/memory/3480-367-0x00007FF785430000-0x00007FF785826000-memory.dmp	UPX
behavioral2/memory/5136-375-0x00007FF7288B0000-0x00007FF728CA6000-memory.dmp	UPX
behavioral2/memory/5164-376-0x00007FF7B58A0000-0x00007FF7B5C96000-memory.dmp	UPX
behavioral2/memory/5224-378-0x00007FF72CBD0000-0x00007FF72CFC6000-memory.dmp	UPX
behavioral2/memory/5280-380-0x00007FF78BA00000-0x00007FF78BDF6000-memory.dmp	UPX
behavioral2/memory/5368-383-0x00007FF794230000-0x00007FF794626000-memory.dmp	UPX
behavioral2/memory/5420-385-0x00007FF6C9C90000-0x00007FF6CA086000-memory.dmp	UPX
behavioral2/memory/5392-384-0x00007FF68C890000-0x00007FF68CC86000-memory.dmp	UPX
behavioral2/memory/5340-382-0x00007FF7B6200000-0x00007FF7B65F6000-memory.dmp	UPX
behavioral2/memory/5308-381-0x00007FF7E6300000-0x00007FF7E66F6000-memory.dmp	UPX
behavioral2/memory/5252-379-0x00007FF75FA50000-0x00007FF75FE46000-memory.dmp	UPX
behavioral2/memory/5196-377-0x00007FF71E6C0000-0x00007FF71EAB6000-memory.dmp	UPX
behavioral2/memory/4992-366-0x00007FF604800000-0x00007FF604BF6000-memory.dmp	UPX
behavioral2/memory/4732-368-0x00007FF615DF0000-0x00007FF6161E6000-memory.dmp	UPX
behavioral2/memory/1512-365-0x00007FF7D6D20000-0x00007FF7D7116000-memory.dmp	UPX
behavioral2/memory/3604-360-0x00007FF6B5A00000-0x00007FF6B5DF6000-memory.dmp	UPX
behavioral2/memory/2844-232-0x00007FF78C4B0000-0x00007FF78C8A6000-memory.dmp	UPX
behavioral2/memory/3988-230-0x00007FF60C8B0000-0x00007FF60CCA6000-memory.dmp	UPX
behavioral2/memory/1844-229-0x00007FF619E20000-0x00007FF61A216000-memory.dmp	UPX
behavioral2/memory/2584-210-0x00007FF6A9870000-0x00007FF6A9C66000-memory.dmp	UPX
behavioral2/memory/4200-205-0x00007FF79DB20000-0x00007FF79DF16000-memory.dmp	UPX
behavioral2/files/0x0007000000023236-203.dat	UPX
behavioral2/memory/2080-200-0x00007FF7D1B40000-0x00007FF7D1F36000-memory.dmp	UPX
behavioral2/memory/2800-199-0x00007FF6843A0000-0x00007FF684796000-memory.dmp	UPX
behavioral2/files/0x0007000000023237-201.dat	UPX
behavioral2/files/0x0007000000023235-197.dat	UPX
behavioral2/memory/2104-191-0x00007FF682D10000-0x00007FF683106000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4988-0-0x00007FF7C2F50000-0x00007FF7C3346000-memory.dmp	xmrig
behavioral2/files/0x000700000001e59e-6.dat	xmrig
behavioral2/files/0x000700000001e59e-5.dat	xmrig
behavioral2/files/0x000b00000002320a-10.dat	xmrig
behavioral2/memory/3516-11-0x00007FF7EE6D0000-0x00007FF7EEAC6000-memory.dmp	xmrig
behavioral2/files/0x000b00000002320a-15.dat	xmrig
behavioral2/files/0x000700000002321e-32.dat	xmrig
behavioral2/files/0x0007000000023220-54.dat	xmrig
behavioral2/files/0x0007000000023225-82.dat	xmrig
behavioral2/files/0x0007000000023226-84.dat	xmrig
behavioral2/files/0x0007000000023228-102.dat	xmrig
behavioral2/memory/3940-103-0x00007FF6F57E0000-0x00007FF6F5BD6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023227-106.dat	xmrig
behavioral2/files/0x000700000002322b-117.dat	xmrig
behavioral2/memory/1248-119-0x00007FF697250000-0x00007FF697646000-memory.dmp	xmrig
behavioral2/memory/3448-128-0x00007FF7353F0000-0x00007FF7357E6000-memory.dmp	xmrig
behavioral2/memory/1752-132-0x00007FF75F460000-0x00007FF75F856000-memory.dmp	xmrig
behavioral2/files/0x000700000002322e-139.dat	xmrig
behavioral2/files/0x000700000002322d-143.dat	xmrig
behavioral2/memory/3736-149-0x00007FF7C2970000-0x00007FF7C2D66000-memory.dmp	xmrig
behavioral2/memory/3920-153-0x00007FF7F19E0000-0x00007FF7F1DD6000-memory.dmp	xmrig
behavioral2/files/0x000700000002322f-155.dat	xmrig
behavioral2/memory/2284-161-0x00007FF7B3800000-0x00007FF7B3BF6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023231-166.dat	xmrig
behavioral2/memory/2560-176-0x00007FF6468A0000-0x00007FF646C96000-memory.dmp	xmrig
behavioral2/memory/1560-182-0x00007FF6EEB20000-0x00007FF6EEF16000-memory.dmp	xmrig
behavioral2/files/0x0007000000023235-188.dat	xmrig
behavioral2/memory/1836-195-0x00007FF6827C0000-0x00007FF682BB6000-memory.dmp	xmrig
behavioral2/memory/116-213-0x00007FF668AF0000-0x00007FF668EE6000-memory.dmp	xmrig
behavioral2/memory/5000-220-0x00007FF718A90000-0x00007FF718E86000-memory.dmp	xmrig
behavioral2/memory/1448-227-0x00007FF764EE0000-0x00007FF7652D6000-memory.dmp	xmrig
behavioral2/memory/3412-231-0x00007FF713C90000-0x00007FF714086000-memory.dmp	xmrig
behavioral2/memory/4772-233-0x00007FF73F860000-0x00007FF73FC56000-memory.dmp	xmrig
behavioral2/memory/2308-361-0x00007FF6B4F90000-0x00007FF6B5386000-memory.dmp	xmrig
behavioral2/memory/1640-362-0x00007FF70E730000-0x00007FF70EB26000-memory.dmp	xmrig
behavioral2/memory/4416-363-0x00007FF75E330000-0x00007FF75E726000-memory.dmp	xmrig
behavioral2/memory/3028-364-0x00007FF7966E0000-0x00007FF796AD6000-memory.dmp	xmrig
behavioral2/memory/3480-367-0x00007FF785430000-0x00007FF785826000-memory.dmp	xmrig
behavioral2/memory/5136-375-0x00007FF7288B0000-0x00007FF728CA6000-memory.dmp	xmrig
behavioral2/memory/5164-376-0x00007FF7B58A0000-0x00007FF7B5C96000-memory.dmp	xmrig
behavioral2/memory/5224-378-0x00007FF72CBD0000-0x00007FF72CFC6000-memory.dmp	xmrig
behavioral2/memory/5280-380-0x00007FF78BA00000-0x00007FF78BDF6000-memory.dmp	xmrig
behavioral2/memory/5368-383-0x00007FF794230000-0x00007FF794626000-memory.dmp	xmrig
behavioral2/memory/5420-385-0x00007FF6C9C90000-0x00007FF6CA086000-memory.dmp	xmrig
behavioral2/memory/5392-384-0x00007FF68C890000-0x00007FF68CC86000-memory.dmp	xmrig
behavioral2/memory/5340-382-0x00007FF7B6200000-0x00007FF7B65F6000-memory.dmp	xmrig
behavioral2/memory/5308-381-0x00007FF7E6300000-0x00007FF7E66F6000-memory.dmp	xmrig
behavioral2/memory/5252-379-0x00007FF75FA50000-0x00007FF75FE46000-memory.dmp	xmrig
behavioral2/memory/5196-377-0x00007FF71E6C0000-0x00007FF71EAB6000-memory.dmp	xmrig
behavioral2/memory/4992-366-0x00007FF604800000-0x00007FF604BF6000-memory.dmp	xmrig
behavioral2/memory/4732-368-0x00007FF615DF0000-0x00007FF6161E6000-memory.dmp	xmrig
behavioral2/memory/1512-365-0x00007FF7D6D20000-0x00007FF7D7116000-memory.dmp	xmrig
behavioral2/memory/3604-360-0x00007FF6B5A00000-0x00007FF6B5DF6000-memory.dmp	xmrig
behavioral2/memory/2844-232-0x00007FF78C4B0000-0x00007FF78C8A6000-memory.dmp	xmrig
behavioral2/memory/3988-230-0x00007FF60C8B0000-0x00007FF60CCA6000-memory.dmp	xmrig
behavioral2/memory/1844-229-0x00007FF619E20000-0x00007FF61A216000-memory.dmp	xmrig
behavioral2/memory/2584-210-0x00007FF6A9870000-0x00007FF6A9C66000-memory.dmp	xmrig
behavioral2/memory/4200-205-0x00007FF79DB20000-0x00007FF79DF16000-memory.dmp	xmrig
behavioral2/files/0x0007000000023236-203.dat	xmrig
behavioral2/memory/2080-200-0x00007FF7D1B40000-0x00007FF7D1F36000-memory.dmp	xmrig
behavioral2/memory/2800-199-0x00007FF6843A0000-0x00007FF684796000-memory.dmp	xmrig
behavioral2/files/0x0007000000023237-201.dat	xmrig
behavioral2/files/0x0007000000023235-197.dat	xmrig
behavioral2/memory/2104-191-0x00007FF682D10000-0x00007FF683106000-memory.dmp	xmrig

Blocklisted process makes network request 7 IoCs

flow	pid	Process
19	4244	powershell.exe
23	4244	powershell.exe
35	4244	powershell.exe
36	4244	powershell.exe
42	4244	powershell.exe
48	4244	powershell.exe
49	4244	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
3516	uaoaOUo.exe
3808	knZSmyt.exe
4788	xFurcbp.exe
3872	hLAoRcG.exe
236	UTaQrOk.exe
4556	wkqRaHk.exe
3940	AzQkEio.exe
536	stcuesD.exe
4768	sDktOMV.exe
924	YnYvYCd.exe
1248	WbfLbwd.exe
3448	QEWodMA.exe
1752	gesocoT.exe
4224	PUMrZAX.exe
1740	borUYQx.exe
2284	utCDtwD.exe
3272	VLcpmtI.exe
4896	JEiirMB.exe
2336	PyBfhHx.exe
3736	fARujZh.exe
4908	OFoaqpM.exe
2560	hxADhIF.exe
1560	EgjoHrF.exe
3728	UlZFrwU.exe
3920	raWgQYU.exe
2104	kGfPwoh.exe
1836	xFbdKhV.exe
2800	VjdTazk.exe
2080	aenTkiA.exe
4200	ZnIPvej.exe
2584	FprMGrQ.exe
116	lQUMpok.exe
3988	CcwCSYC.exe
5000	dUKrwyo.exe
3412	QdvYZAr.exe
2844	uVsxhAG.exe
1448	ttvHSvh.exe
4772	opBLvvA.exe
1844	GafJaAd.exe
3604	hwWSpkx.exe
2308	QTpqOny.exe
1640	pXZPoht.exe
4416	KIRHeBb.exe
3028	yRvmStm.exe
1512	opdikaX.exe
4992	qhtbRJm.exe
3480	AryhocY.exe
4732	ufLDPwn.exe
5136	HMqtOWC.exe
5164	sYepcfS.exe
5196	eOEMMdV.exe
5224	baFkJEC.exe
5252	fWAHBgq.exe
5280	eZvwKFm.exe
5308	wZivrFL.exe
5340	GCwFubA.exe
5368	QVxBglw.exe
5392	BkqsbHa.exe
5420	wzQibOK.exe
5448	YYkJDSk.exe
5476	XuEqonJ.exe
5508	vWlyZua.exe
5536	jfVpUMa.exe
5564	OpACABs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4988-0-0x00007FF7C2F50000-0x00007FF7C3346000-memory.dmp	upx
behavioral2/files/0x000700000001e59e-6.dat	upx
behavioral2/files/0x000700000001e59e-5.dat	upx
behavioral2/files/0x000b00000002320a-10.dat	upx
behavioral2/memory/3516-11-0x00007FF7EE6D0000-0x00007FF7EEAC6000-memory.dmp	upx
behavioral2/files/0x000b00000002320a-15.dat	upx
behavioral2/files/0x000700000002321e-32.dat	upx
behavioral2/files/0x0007000000023220-54.dat	upx
behavioral2/files/0x0007000000023225-82.dat	upx
behavioral2/files/0x0007000000023226-84.dat	upx
behavioral2/files/0x0007000000023228-102.dat	upx
behavioral2/memory/3940-103-0x00007FF6F57E0000-0x00007FF6F5BD6000-memory.dmp	upx
behavioral2/files/0x0007000000023227-106.dat	upx
behavioral2/files/0x000700000002322b-117.dat	upx
behavioral2/memory/1248-119-0x00007FF697250000-0x00007FF697646000-memory.dmp	upx
behavioral2/memory/3448-128-0x00007FF7353F0000-0x00007FF7357E6000-memory.dmp	upx
behavioral2/memory/1752-132-0x00007FF75F460000-0x00007FF75F856000-memory.dmp	upx
behavioral2/files/0x000700000002322e-139.dat	upx
behavioral2/files/0x000700000002322d-143.dat	upx
behavioral2/memory/3736-149-0x00007FF7C2970000-0x00007FF7C2D66000-memory.dmp	upx
behavioral2/memory/3920-153-0x00007FF7F19E0000-0x00007FF7F1DD6000-memory.dmp	upx
behavioral2/files/0x000700000002322f-155.dat	upx
behavioral2/memory/2284-161-0x00007FF7B3800000-0x00007FF7B3BF6000-memory.dmp	upx
behavioral2/files/0x0007000000023231-166.dat	upx
behavioral2/memory/2560-176-0x00007FF6468A0000-0x00007FF646C96000-memory.dmp	upx
behavioral2/memory/1560-182-0x00007FF6EEB20000-0x00007FF6EEF16000-memory.dmp	upx
behavioral2/files/0x0007000000023235-188.dat	upx
behavioral2/memory/1836-195-0x00007FF6827C0000-0x00007FF682BB6000-memory.dmp	upx
behavioral2/memory/116-213-0x00007FF668AF0000-0x00007FF668EE6000-memory.dmp	upx
behavioral2/memory/5000-220-0x00007FF718A90000-0x00007FF718E86000-memory.dmp	upx
behavioral2/memory/1448-227-0x00007FF764EE0000-0x00007FF7652D6000-memory.dmp	upx
behavioral2/memory/3412-231-0x00007FF713C90000-0x00007FF714086000-memory.dmp	upx
behavioral2/memory/4772-233-0x00007FF73F860000-0x00007FF73FC56000-memory.dmp	upx
behavioral2/memory/2308-361-0x00007FF6B4F90000-0x00007FF6B5386000-memory.dmp	upx
behavioral2/memory/1640-362-0x00007FF70E730000-0x00007FF70EB26000-memory.dmp	upx
behavioral2/memory/4416-363-0x00007FF75E330000-0x00007FF75E726000-memory.dmp	upx
behavioral2/memory/3028-364-0x00007FF7966E0000-0x00007FF796AD6000-memory.dmp	upx
behavioral2/memory/3480-367-0x00007FF785430000-0x00007FF785826000-memory.dmp	upx
behavioral2/memory/5136-375-0x00007FF7288B0000-0x00007FF728CA6000-memory.dmp	upx
behavioral2/memory/5164-376-0x00007FF7B58A0000-0x00007FF7B5C96000-memory.dmp	upx
behavioral2/memory/5224-378-0x00007FF72CBD0000-0x00007FF72CFC6000-memory.dmp	upx
behavioral2/memory/5280-380-0x00007FF78BA00000-0x00007FF78BDF6000-memory.dmp	upx
behavioral2/memory/5368-383-0x00007FF794230000-0x00007FF794626000-memory.dmp	upx
behavioral2/memory/5420-385-0x00007FF6C9C90000-0x00007FF6CA086000-memory.dmp	upx
behavioral2/memory/5392-384-0x00007FF68C890000-0x00007FF68CC86000-memory.dmp	upx
behavioral2/memory/5340-382-0x00007FF7B6200000-0x00007FF7B65F6000-memory.dmp	upx
behavioral2/memory/5308-381-0x00007FF7E6300000-0x00007FF7E66F6000-memory.dmp	upx
behavioral2/memory/5252-379-0x00007FF75FA50000-0x00007FF75FE46000-memory.dmp	upx
behavioral2/memory/5196-377-0x00007FF71E6C0000-0x00007FF71EAB6000-memory.dmp	upx
behavioral2/memory/4992-366-0x00007FF604800000-0x00007FF604BF6000-memory.dmp	upx
behavioral2/memory/4732-368-0x00007FF615DF0000-0x00007FF6161E6000-memory.dmp	upx
behavioral2/memory/1512-365-0x00007FF7D6D20000-0x00007FF7D7116000-memory.dmp	upx
behavioral2/memory/3604-360-0x00007FF6B5A00000-0x00007FF6B5DF6000-memory.dmp	upx
behavioral2/memory/2844-232-0x00007FF78C4B0000-0x00007FF78C8A6000-memory.dmp	upx
behavioral2/memory/3988-230-0x00007FF60C8B0000-0x00007FF60CCA6000-memory.dmp	upx
behavioral2/memory/1844-229-0x00007FF619E20000-0x00007FF61A216000-memory.dmp	upx
behavioral2/memory/2584-210-0x00007FF6A9870000-0x00007FF6A9C66000-memory.dmp	upx
behavioral2/memory/4200-205-0x00007FF79DB20000-0x00007FF79DF16000-memory.dmp	upx
behavioral2/files/0x0007000000023236-203.dat	upx
behavioral2/memory/2080-200-0x00007FF7D1B40000-0x00007FF7D1F36000-memory.dmp	upx
behavioral2/memory/2800-199-0x00007FF6843A0000-0x00007FF684796000-memory.dmp	upx
behavioral2/files/0x0007000000023237-201.dat	upx
behavioral2/files/0x0007000000023235-197.dat	upx
behavioral2/memory/2104-191-0x00007FF682D10000-0x00007FF683106000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
14	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\DJkhqXN.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\tHrgKeL.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\eZvsGqs.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\EUfMVOT.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\DoglCgw.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\UzGhbJI.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\BLzaEZS.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\hagYyme.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\lQUMpok.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\qrlPWZw.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\dxjpDfn.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\GeoCDUs.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\WnWKQrT.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\xuWSciM.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\raWgQYU.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\mdiZvjj.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\SLSQCPv.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\jwyhLMO.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\YJqwOac.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\bsNezrR.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\DaNGHWB.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\iLsfNTN.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\ZgjSJGz.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\biyrNMm.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\mtRjMxA.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\QEWodMA.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\PUMrZAX.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\borUYQx.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\opBLvvA.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\maMIKnQ.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\EGwmPJz.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\xfyMnRX.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\HTXvSHj.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\RDZqVyH.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\zHStRkP.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\kKfCHAM.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\inIReAs.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\maWCCGe.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\EaCYjCo.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\pXZPoht.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\ySrjduT.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\tqTvoLD.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\HMqtOWC.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\dSlzsWV.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\GLtEaCc.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\EYfLjoy.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\ZOkuHTb.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\cvSmmJx.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\AryhocY.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\xqPXlnc.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\xFurcbp.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\tGcOyUS.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\YiyuMiB.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\sgSynBx.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\ZcFmciW.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\pymsakj.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\ntkSuTP.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\OFoaqpM.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\QVxBglw.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\TljdVPl.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\AOCiuup.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\YKmUJAM.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\fARujZh.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
File created	C:\Windows\System\tqBOMrk.exe	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4244	powershell.exe
4244	powershell.exe
4244	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
Token: SeLockMemoryPrivilege	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
Token: SeDebugPrivilege	4244	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4244	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	90
PID 4988 wrote to memory of 4244	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	90
PID 4988 wrote to memory of 3516	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	91
PID 4988 wrote to memory of 3516	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	91
PID 4988 wrote to memory of 3808	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	92
PID 4988 wrote to memory of 3808	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	92
PID 4988 wrote to memory of 4788	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	93
PID 4988 wrote to memory of 4788	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	93
PID 4988 wrote to memory of 3872	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	94
PID 4988 wrote to memory of 3872	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	94
PID 4988 wrote to memory of 236	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	95
PID 4988 wrote to memory of 236	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	95
PID 4988 wrote to memory of 4556	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	96
PID 4988 wrote to memory of 4556	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	96
PID 4988 wrote to memory of 3940	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	97
PID 4988 wrote to memory of 3940	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	97
PID 4988 wrote to memory of 536	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	98
PID 4988 wrote to memory of 536	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	98
PID 4988 wrote to memory of 4768	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	99
PID 4988 wrote to memory of 4768	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	99
PID 4988 wrote to memory of 924	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	100
PID 4988 wrote to memory of 924	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	100
PID 4988 wrote to memory of 1248	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	101
PID 4988 wrote to memory of 1248	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	101
PID 4988 wrote to memory of 3448	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	102
PID 4988 wrote to memory of 3448	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	102
PID 4988 wrote to memory of 1752	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	103
PID 4988 wrote to memory of 1752	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	103
PID 4988 wrote to memory of 4224	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	104
PID 4988 wrote to memory of 4224	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	104
PID 4988 wrote to memory of 1740	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	105
PID 4988 wrote to memory of 1740	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	105
PID 4988 wrote to memory of 2284	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	106
PID 4988 wrote to memory of 2284	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	106
PID 4988 wrote to memory of 3272	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	107
PID 4988 wrote to memory of 3272	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	107
PID 4988 wrote to memory of 2336	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	108
PID 4988 wrote to memory of 2336	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	108
PID 4988 wrote to memory of 4896	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	109
PID 4988 wrote to memory of 4896	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	109
PID 4988 wrote to memory of 3736	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	110
PID 4988 wrote to memory of 3736	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	110
PID 4988 wrote to memory of 4908	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	111
PID 4988 wrote to memory of 4908	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	111
PID 4988 wrote to memory of 2560	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	112
PID 4988 wrote to memory of 2560	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	112
PID 4988 wrote to memory of 1560	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	113
PID 4988 wrote to memory of 1560	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	113
PID 4988 wrote to memory of 3728	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	114
PID 4988 wrote to memory of 3728	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	114
PID 4988 wrote to memory of 3920	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	115
PID 4988 wrote to memory of 3920	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	115
PID 4988 wrote to memory of 2104	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	116
PID 4988 wrote to memory of 2104	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	116
PID 4988 wrote to memory of 1836	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	117
PID 4988 wrote to memory of 1836	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	117
PID 4988 wrote to memory of 2800	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	118
PID 4988 wrote to memory of 2800	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	118
PID 4988 wrote to memory of 2080	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	119
PID 4988 wrote to memory of 2080	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	119
PID 4988 wrote to memory of 4200	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	120
PID 4988 wrote to memory of 4200	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	120
PID 4988 wrote to memory of 2584	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	121
PID 4988 wrote to memory of 2584	4988	acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe	121

C:\Users\Admin\AppData\Local\Temp\acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe
"C:\Users\Admin\AppData\Local\Temp\acb8f1af30eec1a95d81db5d93182da24c8f8338b50a084f3a9c373fea2c3743.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\System\uaoaOUo.exe
  C:\Windows\System\uaoaOUo.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\knZSmyt.exe
  C:\Windows\System\knZSmyt.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\xFurcbp.exe
  C:\Windows\System\xFurcbp.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\hLAoRcG.exe
  C:\Windows\System\hLAoRcG.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\UTaQrOk.exe
  C:\Windows\System\UTaQrOk.exe
  2⤵
  - Executes dropped EXE
  PID:236
- C:\Windows\System\wkqRaHk.exe
  C:\Windows\System\wkqRaHk.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\AzQkEio.exe
  C:\Windows\System\AzQkEio.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\stcuesD.exe
  C:\Windows\System\stcuesD.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\sDktOMV.exe
  C:\Windows\System\sDktOMV.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\YnYvYCd.exe
  C:\Windows\System\YnYvYCd.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\WbfLbwd.exe
  C:\Windows\System\WbfLbwd.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\QEWodMA.exe
  C:\Windows\System\QEWodMA.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\gesocoT.exe
  C:\Windows\System\gesocoT.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\PUMrZAX.exe
  C:\Windows\System\PUMrZAX.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\borUYQx.exe
  C:\Windows\System\borUYQx.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\utCDtwD.exe
  C:\Windows\System\utCDtwD.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\VLcpmtI.exe
  C:\Windows\System\VLcpmtI.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\PyBfhHx.exe
  C:\Windows\System\PyBfhHx.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\JEiirMB.exe
  C:\Windows\System\JEiirMB.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\fARujZh.exe
  C:\Windows\System\fARujZh.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System\OFoaqpM.exe
  C:\Windows\System\OFoaqpM.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\hxADhIF.exe
  C:\Windows\System\hxADhIF.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\EgjoHrF.exe
  C:\Windows\System\EgjoHrF.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\UlZFrwU.exe
  C:\Windows\System\UlZFrwU.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System\raWgQYU.exe
  C:\Windows\System\raWgQYU.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\kGfPwoh.exe
  C:\Windows\System\kGfPwoh.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\xFbdKhV.exe
  C:\Windows\System\xFbdKhV.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\VjdTazk.exe
  C:\Windows\System\VjdTazk.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\aenTkiA.exe
  C:\Windows\System\aenTkiA.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\ZnIPvej.exe
  C:\Windows\System\ZnIPvej.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\FprMGrQ.exe
  C:\Windows\System\FprMGrQ.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\lQUMpok.exe
  C:\Windows\System\lQUMpok.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\CcwCSYC.exe
  C:\Windows\System\CcwCSYC.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\dUKrwyo.exe
  C:\Windows\System\dUKrwyo.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\QdvYZAr.exe
  C:\Windows\System\QdvYZAr.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\uVsxhAG.exe
  C:\Windows\System\uVsxhAG.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\ttvHSvh.exe
  C:\Windows\System\ttvHSvh.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\opBLvvA.exe
  C:\Windows\System\opBLvvA.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\GafJaAd.exe
  C:\Windows\System\GafJaAd.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\hwWSpkx.exe
  C:\Windows\System\hwWSpkx.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System\QTpqOny.exe
  C:\Windows\System\QTpqOny.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\pXZPoht.exe
  C:\Windows\System\pXZPoht.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\KIRHeBb.exe
  C:\Windows\System\KIRHeBb.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\yRvmStm.exe
  C:\Windows\System\yRvmStm.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\opdikaX.exe
  C:\Windows\System\opdikaX.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\qhtbRJm.exe
  C:\Windows\System\qhtbRJm.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\AryhocY.exe
  C:\Windows\System\AryhocY.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\ufLDPwn.exe
  C:\Windows\System\ufLDPwn.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\HMqtOWC.exe
  C:\Windows\System\HMqtOWC.exe
  2⤵
  - Executes dropped EXE
  PID:5136
- C:\Windows\System\sYepcfS.exe
  C:\Windows\System\sYepcfS.exe
  2⤵
  - Executes dropped EXE
  PID:5164
- C:\Windows\System\eOEMMdV.exe
  C:\Windows\System\eOEMMdV.exe
  2⤵
  - Executes dropped EXE
  PID:5196
- C:\Windows\System\baFkJEC.exe
  C:\Windows\System\baFkJEC.exe
  2⤵
  - Executes dropped EXE
  PID:5224
- C:\Windows\System\fWAHBgq.exe
  C:\Windows\System\fWAHBgq.exe
  2⤵
  - Executes dropped EXE
  PID:5252
- C:\Windows\System\eZvwKFm.exe
  C:\Windows\System\eZvwKFm.exe
  2⤵
  - Executes dropped EXE
  PID:5280
- C:\Windows\System\wZivrFL.exe
  C:\Windows\System\wZivrFL.exe
  2⤵
  - Executes dropped EXE
  PID:5308
- C:\Windows\System\GCwFubA.exe
  C:\Windows\System\GCwFubA.exe
  2⤵
  - Executes dropped EXE
  PID:5340
- C:\Windows\System\QVxBglw.exe
  C:\Windows\System\QVxBglw.exe
  2⤵
  - Executes dropped EXE
  PID:5368
- C:\Windows\System\BkqsbHa.exe
  C:\Windows\System\BkqsbHa.exe
  2⤵
  - Executes dropped EXE
  PID:5392
- C:\Windows\System\wzQibOK.exe
  C:\Windows\System\wzQibOK.exe
  2⤵
  - Executes dropped EXE
  PID:5420
- C:\Windows\System\YYkJDSk.exe
  C:\Windows\System\YYkJDSk.exe
  2⤵
  - Executes dropped EXE
  PID:5448
- C:\Windows\System\XuEqonJ.exe
  C:\Windows\System\XuEqonJ.exe
  2⤵
  - Executes dropped EXE
  PID:5476
- C:\Windows\System\vWlyZua.exe
  C:\Windows\System\vWlyZua.exe
  2⤵
  - Executes dropped EXE
  PID:5508
- C:\Windows\System\jfVpUMa.exe
  C:\Windows\System\jfVpUMa.exe
  2⤵
  - Executes dropped EXE
  PID:5536
- C:\Windows\System\OpACABs.exe
  C:\Windows\System\OpACABs.exe
  2⤵
  - Executes dropped EXE
  PID:5564
- C:\Windows\System\vGNvgIR.exe
  C:\Windows\System\vGNvgIR.exe
  2⤵
  PID:5588
- C:\Windows\System\gAUCgiD.exe
  C:\Windows\System\gAUCgiD.exe
  2⤵
  PID:5616
- C:\Windows\System\eFxhGFE.exe
  C:\Windows\System\eFxhGFE.exe
  2⤵
  PID:5644
- C:\Windows\System\gWvbckf.exe
  C:\Windows\System\gWvbckf.exe
  2⤵
  PID:5672
- C:\Windows\System\vxHOqQR.exe
  C:\Windows\System\vxHOqQR.exe
  2⤵
  PID:5704
- C:\Windows\System\DJkhqXN.exe
  C:\Windows\System\DJkhqXN.exe
  2⤵
  PID:5732
- C:\Windows\System\UAUKOhH.exe
  C:\Windows\System\UAUKOhH.exe
  2⤵
  PID:5764
- C:\Windows\System\IeHaTaZ.exe
  C:\Windows\System\IeHaTaZ.exe
  2⤵
  PID:5792
- C:\Windows\System\PDuJyPZ.exe
  C:\Windows\System\PDuJyPZ.exe
  2⤵
  PID:5816
- C:\Windows\System\VPHquEC.exe
  C:\Windows\System\VPHquEC.exe
  2⤵
  PID:5844
- C:\Windows\System\wXYDxBv.exe
  C:\Windows\System\wXYDxBv.exe
  2⤵
  PID:5872
- C:\Windows\System\spuTdxr.exe
  C:\Windows\System\spuTdxr.exe
  2⤵
  PID:5900
- C:\Windows\System\DwTmycD.exe
  C:\Windows\System\DwTmycD.exe
  2⤵
  PID:5928
- C:\Windows\System\GGWxqOL.exe
  C:\Windows\System\GGWxqOL.exe
  2⤵
  PID:5960
- C:\Windows\System\PTiICwV.exe
  C:\Windows\System\PTiICwV.exe
  2⤵
  PID:5988
- C:\Windows\System\GxKZYWf.exe
  C:\Windows\System\GxKZYWf.exe
  2⤵
  PID:6016
- C:\Windows\System\bftHEtz.exe
  C:\Windows\System\bftHEtz.exe
  2⤵
  PID:6044
- C:\Windows\System\eQWdpZn.exe
  C:\Windows\System\eQWdpZn.exe
  2⤵
  PID:6076
- C:\Windows\System\oKFBZhq.exe
  C:\Windows\System\oKFBZhq.exe
  2⤵
  PID:2100
- C:\Windows\System\NdmksUe.exe
  C:\Windows\System\NdmksUe.exe
  2⤵
  PID:4720
- C:\Windows\System\onTRiEZ.exe
  C:\Windows\System\onTRiEZ.exe
  2⤵
  PID:5444
- C:\Windows\System\tnGkJox.exe
  C:\Windows\System\tnGkJox.exe
  2⤵
  PID:5528
- C:\Windows\System\maMIKnQ.exe
  C:\Windows\System\maMIKnQ.exe
  2⤵
  PID:5580
- C:\Windows\System\HTXvSHj.exe
  C:\Windows\System\HTXvSHj.exe
  2⤵
  PID:5664
- C:\Windows\System\FoNyldv.exe
  C:\Windows\System\FoNyldv.exe
  2⤵
  PID:3756
- C:\Windows\System\DoglCgw.exe
  C:\Windows\System\DoglCgw.exe
  2⤵
  PID:5776
- C:\Windows\System\QGLMPUk.exe
  C:\Windows\System\QGLMPUk.exe
  2⤵
  PID:5888
- C:\Windows\System\oRKpzOr.exe
  C:\Windows\System\oRKpzOr.exe
  2⤵
  PID:5948
- C:\Windows\System\QAgPATc.exe
  C:\Windows\System\QAgPATc.exe
  2⤵
  PID:6004
- C:\Windows\System\PCvghBC.exe
  C:\Windows\System\PCvghBC.exe
  2⤵
  PID:6064
- C:\Windows\System\OIChQsa.exe
  C:\Windows\System\OIChQsa.exe
  2⤵
  PID:3456
- C:\Windows\System\fcNAmWY.exe
  C:\Windows\System\fcNAmWY.exe
  2⤵
  PID:3648
- C:\Windows\System\USBIRAF.exe
  C:\Windows\System\USBIRAF.exe
  2⤵
  PID:3652
- C:\Windows\System\TljdVPl.exe
  C:\Windows\System\TljdVPl.exe
  2⤵
  PID:2928
- C:\Windows\System\TMUgtSU.exe
  C:\Windows\System\TMUgtSU.exe
  2⤵
  PID:5268
- C:\Windows\System\litBhAd.exe
  C:\Windows\System\litBhAd.exe
  2⤵
  PID:1212
- C:\Windows\System\ntwdOcY.exe
  C:\Windows\System\ntwdOcY.exe
  2⤵
  PID:5116
- C:\Windows\System\XJMfRuo.exe
  C:\Windows\System\XJMfRuo.exe
  2⤵
  PID:2948
- C:\Windows\System\oPXyokZ.exe
  C:\Windows\System\oPXyokZ.exe
  2⤵
  PID:5416
- C:\Windows\System\DVAkNyn.exe
  C:\Windows\System\DVAkNyn.exe
  2⤵
  PID:5640
- C:\Windows\System\ecaNBzu.exe
  C:\Windows\System\ecaNBzu.exe
  2⤵
  PID:5636
- C:\Windows\System\SlLGztA.exe
  C:\Windows\System\SlLGztA.exe
  2⤵
  PID:2300
- C:\Windows\System\IlCSMUO.exe
  C:\Windows\System\IlCSMUO.exe
  2⤵
  PID:5916
- C:\Windows\System\heXQJst.exe
  C:\Windows\System\heXQJst.exe
  2⤵
  PID:6068
- C:\Windows\System\RDZqVyH.exe
  C:\Windows\System\RDZqVyH.exe
  2⤵
  PID:2404
- C:\Windows\System\MLjsqby.exe
  C:\Windows\System\MLjsqby.exe
  2⤵
  PID:5032
- C:\Windows\System\EUHhcnq.exe
  C:\Windows\System\EUHhcnq.exe
  2⤵
  PID:3060
- C:\Windows\System\tgnJoxs.exe
  C:\Windows\System\tgnJoxs.exe
  2⤵
  PID:1508
- C:\Windows\System\tHrgKeL.exe
  C:\Windows\System\tHrgKeL.exe
  2⤵
  PID:3568
- C:\Windows\System\iNFEqln.exe
  C:\Windows\System\iNFEqln.exe
  2⤵
  PID:4496
- C:\Windows\System\WXpEdXV.exe
  C:\Windows\System\WXpEdXV.exe
  2⤵
  PID:2832
- C:\Windows\System\RFoHbKy.exe
  C:\Windows\System\RFoHbKy.exe
  2⤵
  PID:3944
- C:\Windows\System\MRThCZk.exe
  C:\Windows\System\MRThCZk.exe
  2⤵
  PID:2008
- C:\Windows\System\uFiudIj.exe
  C:\Windows\System\uFiudIj.exe
  2⤵
  PID:5212
- C:\Windows\System\RvmvuDm.exe
  C:\Windows\System\RvmvuDm.exe
  2⤵
  PID:5868
- C:\Windows\System\bsnBweS.exe
  C:\Windows\System\bsnBweS.exe
  2⤵
  PID:3968
- C:\Windows\System\cASnUzz.exe
  C:\Windows\System\cASnUzz.exe
  2⤵
  PID:1728
- C:\Windows\System\HDfulJK.exe
  C:\Windows\System\HDfulJK.exe
  2⤵
  PID:3512
- C:\Windows\System\HuYopTr.exe
  C:\Windows\System\HuYopTr.exe
  2⤵
  PID:6152
- C:\Windows\System\ZOkuHTb.exe
  C:\Windows\System\ZOkuHTb.exe
  2⤵
  PID:6196
- C:\Windows\System\PYnDbxd.exe
  C:\Windows\System\PYnDbxd.exe
  2⤵
  PID:6232
- C:\Windows\System\oRrdDKp.exe
  C:\Windows\System\oRrdDKp.exe
  2⤵
  PID:6248
- C:\Windows\System\xEmGnkX.exe
  C:\Windows\System\xEmGnkX.exe
  2⤵
  PID:6276
- C:\Windows\System\TSZVByd.exe
  C:\Windows\System\TSZVByd.exe
  2⤵
  PID:6296
- C:\Windows\System\pukRCHS.exe
  C:\Windows\System\pukRCHS.exe
  2⤵
  PID:6368
- C:\Windows\System\wEMYDIy.exe
  C:\Windows\System\wEMYDIy.exe
  2⤵
  PID:6388
- C:\Windows\System\iLsfNTN.exe
  C:\Windows\System\iLsfNTN.exe
  2⤵
  PID:6416
- C:\Windows\System\npxrKQs.exe
  C:\Windows\System\npxrKQs.exe
  2⤵
  PID:6436
- C:\Windows\System\NedvubN.exe
  C:\Windows\System\NedvubN.exe
  2⤵
  PID:6476
- C:\Windows\System\bAwmyFn.exe
  C:\Windows\System\bAwmyFn.exe
  2⤵
  PID:6500
- C:\Windows\System\AgeewSn.exe
  C:\Windows\System\AgeewSn.exe
  2⤵
  PID:6528
- C:\Windows\System\HmLdWcW.exe
  C:\Windows\System\HmLdWcW.exe
  2⤵
  PID:6564
- C:\Windows\System\fVqTxEJ.exe
  C:\Windows\System\fVqTxEJ.exe
  2⤵
  PID:6584
- C:\Windows\System\GKdoybq.exe
  C:\Windows\System\GKdoybq.exe
  2⤵
  PID:6616
- C:\Windows\System\hyBiQTv.exe
  C:\Windows\System\hyBiQTv.exe
  2⤵
  PID:6652
- C:\Windows\System\NiBxERr.exe
  C:\Windows\System\NiBxERr.exe
  2⤵
  PID:6700
- C:\Windows\System\JdJjRox.exe
  C:\Windows\System\JdJjRox.exe
  2⤵
  PID:6724
- C:\Windows\System\McbQyKi.exe
  C:\Windows\System\McbQyKi.exe
  2⤵
  PID:6768
- C:\Windows\System\siQxbPG.exe
  C:\Windows\System\siQxbPG.exe
  2⤵
  PID:6804
- C:\Windows\System\gcRbZZl.exe
  C:\Windows\System\gcRbZZl.exe
  2⤵
  PID:6828
- C:\Windows\System\asvvVom.exe
  C:\Windows\System\asvvVom.exe
  2⤵
  PID:6844
- C:\Windows\System\ZwoFisn.exe
  C:\Windows\System\ZwoFisn.exe
  2⤵
  PID:6868
- C:\Windows\System\WvgSwCe.exe
  C:\Windows\System\WvgSwCe.exe
  2⤵
  PID:6888
- C:\Windows\System\frtQMuQ.exe
  C:\Windows\System\frtQMuQ.exe
  2⤵
  PID:6916
- C:\Windows\System\kAZLofQ.exe
  C:\Windows\System\kAZLofQ.exe
  2⤵
  PID:6932
- C:\Windows\System\ehSrlrR.exe
  C:\Windows\System\ehSrlrR.exe
  2⤵
  PID:6984
- C:\Windows\System\ZgjSJGz.exe
  C:\Windows\System\ZgjSJGz.exe
  2⤵
  PID:7004
- C:\Windows\System\qockHSo.exe
  C:\Windows\System\qockHSo.exe
  2⤵
  PID:7020
- C:\Windows\System\biyrNMm.exe
  C:\Windows\System\biyrNMm.exe
  2⤵
  PID:7100
- C:\Windows\System\NpOjNhB.exe
  C:\Windows\System\NpOjNhB.exe
  2⤵
  PID:7156
- C:\Windows\System\ieHGxAa.exe
  C:\Windows\System\ieHGxAa.exe
  2⤵
  PID:3636
- C:\Windows\System\bseljYZ.exe
  C:\Windows\System\bseljYZ.exe
  2⤵
  PID:1556
- C:\Windows\System\KxZHeNn.exe
  C:\Windows\System\KxZHeNn.exe
  2⤵
  PID:216
- C:\Windows\System\riFOHSg.exe
  C:\Windows\System\riFOHSg.exe
  2⤵
  PID:6216
- C:\Windows\System\oHYkljx.exe
  C:\Windows\System\oHYkljx.exe
  2⤵
  PID:6348
- C:\Windows\System\dSlzsWV.exe
  C:\Windows\System\dSlzsWV.exe
  2⤵
  PID:5036
- C:\Windows\System\mtRjMxA.exe
  C:\Windows\System\mtRjMxA.exe
  2⤵
  PID:6308
- C:\Windows\System\PodZWpn.exe
  C:\Windows\System\PodZWpn.exe
  2⤵
  PID:6380
- C:\Windows\System\dZlfaxs.exe
  C:\Windows\System\dZlfaxs.exe
  2⤵
  PID:6452
- C:\Windows\System\NPMuZDs.exe
  C:\Windows\System\NPMuZDs.exe
  2⤵
  PID:6464
- C:\Windows\System\cvSmmJx.exe
  C:\Windows\System\cvSmmJx.exe
  2⤵
  PID:4532
- C:\Windows\System\HOmVWvX.exe
  C:\Windows\System\HOmVWvX.exe
  2⤵
  PID:6612
- C:\Windows\System\skAkVvl.exe
  C:\Windows\System\skAkVvl.exe
  2⤵
  PID:6596
- C:\Windows\System\oUVFOUj.exe
  C:\Windows\System\oUVFOUj.exe
  2⤵
  PID:6744
- C:\Windows\System\pmyqgWa.exe
  C:\Windows\System\pmyqgWa.exe
  2⤵
  PID:6748
- C:\Windows\System\SRNofGp.exe
  C:\Windows\System\SRNofGp.exe
  2⤵
  PID:3848
- C:\Windows\System\thUhcQj.exe
  C:\Windows\System\thUhcQj.exe
  2⤵
  PID:6824
- C:\Windows\System\dMtlYJJ.exe
  C:\Windows\System\dMtlYJJ.exe
  2⤵
  PID:6796
- C:\Windows\System\ILWWXvg.exe
  C:\Windows\System\ILWWXvg.exe
  2⤵
  PID:6884
- C:\Windows\System\cNjOiRd.exe
  C:\Windows\System\cNjOiRd.exe
  2⤵
  PID:6976
- C:\Windows\System\aOeDrhJ.exe
  C:\Windows\System\aOeDrhJ.exe
  2⤵
  PID:7136
- C:\Windows\System\XYertbv.exe
  C:\Windows\System\XYertbv.exe
  2⤵
  PID:5520
- C:\Windows\System\NyfIpUw.exe
  C:\Windows\System\NyfIpUw.exe
  2⤵
  PID:5524
- C:\Windows\System\GVByOkm.exe
  C:\Windows\System\GVByOkm.exe
  2⤵
  PID:3620
- C:\Windows\System\OPmwGVk.exe
  C:\Windows\System\OPmwGVk.exe
  2⤵
  PID:6408
- C:\Windows\System\ABkXVoZ.exe
  C:\Windows\System\ABkXVoZ.exe
  2⤵
  PID:3500
- C:\Windows\System\UTGDsql.exe
  C:\Windows\System\UTGDsql.exe
  2⤵
  PID:6580
- C:\Windows\System\AOCiuup.exe
  C:\Windows\System\AOCiuup.exe
  2⤵
  PID:6608
- C:\Windows\System\iFHnkLR.exe
  C:\Windows\System\iFHnkLR.exe
  2⤵
  PID:6496
- C:\Windows\System\UAzznam.exe
  C:\Windows\System\UAzznam.exe
  2⤵
  PID:6924
- C:\Windows\System\lfKCzse.exe
  C:\Windows\System\lfKCzse.exe
  2⤵
  PID:6972
- C:\Windows\System\wxgbZgI.exe
  C:\Windows\System\wxgbZgI.exe
  2⤵
  PID:6840
- C:\Windows\System\tHBmklK.exe
  C:\Windows\System\tHBmklK.exe
  2⤵
  PID:7048
- C:\Windows\System\ztuFrCt.exe
  C:\Windows\System\ztuFrCt.exe
  2⤵
  PID:7096
- C:\Windows\System\mdiZvjj.exe
  C:\Windows\System\mdiZvjj.exe
  2⤵
  PID:3592
- C:\Windows\System\ZkraAJk.exe
  C:\Windows\System\ZkraAJk.exe
  2⤵
  PID:4916
- C:\Windows\System\MCgSOmU.exe
  C:\Windows\System\MCgSOmU.exe
  2⤵
  PID:6820
- C:\Windows\System\kZqcUYk.exe
  C:\Windows\System\kZqcUYk.exe
  2⤵
  PID:6116
- C:\Windows\System\QbZxaUf.exe
  C:\Windows\System\QbZxaUf.exe
  2⤵
  PID:2924
- C:\Windows\System\yHLXWCk.exe
  C:\Windows\System\yHLXWCk.exe
  2⤵
  PID:7184
- C:\Windows\System\WrDVcXY.exe
  C:\Windows\System\WrDVcXY.exe
  2⤵
  PID:7212
- C:\Windows\System\UBhJjat.exe
  C:\Windows\System\UBhJjat.exe
  2⤵
  PID:7232
- C:\Windows\System\qCjwLDf.exe
  C:\Windows\System\qCjwLDf.exe
  2⤵
  PID:7264
- C:\Windows\System\DLSBFhl.exe
  C:\Windows\System\DLSBFhl.exe
  2⤵
  PID:7284
- C:\Windows\System\ySrjduT.exe
  C:\Windows\System\ySrjduT.exe
  2⤵
  PID:7304
- C:\Windows\System\JJiHlHZ.exe
  C:\Windows\System\JJiHlHZ.exe
  2⤵
  PID:7324
- C:\Windows\System\VDYOzAR.exe
  C:\Windows\System\VDYOzAR.exe
  2⤵
  PID:7344
- C:\Windows\System\WMvOSuE.exe
  C:\Windows\System\WMvOSuE.exe
  2⤵
  PID:7364
- C:\Windows\System\ePOZgpO.exe
  C:\Windows\System\ePOZgpO.exe
  2⤵
  PID:7420
- C:\Windows\System\ksSoKAn.exe
  C:\Windows\System\ksSoKAn.exe
  2⤵
  PID:7440
- C:\Windows\System\esYhSiC.exe
  C:\Windows\System\esYhSiC.exe
  2⤵
  PID:7464
- C:\Windows\System\iXemOgm.exe
  C:\Windows\System\iXemOgm.exe
  2⤵
  PID:7484
- C:\Windows\System\ynoDrQn.exe
  C:\Windows\System\ynoDrQn.exe
  2⤵
  PID:7500
- C:\Windows\System\ppVBjJZ.exe
  C:\Windows\System\ppVBjJZ.exe
  2⤵
  PID:7592
- C:\Windows\System\nFTgJqu.exe
  C:\Windows\System\nFTgJqu.exe
  2⤵
  PID:7668
- C:\Windows\System\LMJiQzi.exe
  C:\Windows\System\LMJiQzi.exe
  2⤵
  PID:7684
- C:\Windows\System\feLwsNP.exe
  C:\Windows\System\feLwsNP.exe
  2⤵
  PID:7740
- C:\Windows\System\rtDZPLl.exe
  C:\Windows\System\rtDZPLl.exe
  2⤵
  PID:7756
- C:\Windows\System\svIRKDa.exe
  C:\Windows\System\svIRKDa.exe
  2⤵
  PID:7808
- C:\Windows\System\MMTvgQF.exe
  C:\Windows\System\MMTvgQF.exe
  2⤵
  PID:7832
- C:\Windows\System\tGcOyUS.exe
  C:\Windows\System\tGcOyUS.exe
  2⤵
  PID:7852
- C:\Windows\System\kXCIRGo.exe
  C:\Windows\System\kXCIRGo.exe
  2⤵
  PID:7872
- C:\Windows\System\vRdpLmF.exe
  C:\Windows\System\vRdpLmF.exe
  2⤵
  PID:7892
- C:\Windows\System\BQDsFPl.exe
  C:\Windows\System\BQDsFPl.exe
  2⤵
  PID:7932
- C:\Windows\System\TFcLZcm.exe
  C:\Windows\System\TFcLZcm.exe
  2⤵
  PID:7996
- C:\Windows\System\srnTKck.exe
  C:\Windows\System\srnTKck.exe
  2⤵
  PID:8028
- C:\Windows\System\bpiissY.exe
  C:\Windows\System\bpiissY.exe
  2⤵
  PID:8044
- C:\Windows\System\zKcOvrr.exe
  C:\Windows\System\zKcOvrr.exe
  2⤵
  PID:8100
- C:\Windows\System\LUTgpls.exe
  C:\Windows\System\LUTgpls.exe
  2⤵
  PID:8124
- C:\Windows\System\djiOcRx.exe
  C:\Windows\System\djiOcRx.exe
  2⤵
  PID:8140
- C:\Windows\System\eZvsGqs.exe
  C:\Windows\System\eZvsGqs.exe
  2⤵
  PID:8160
- C:\Windows\System\HizusvA.exe
  C:\Windows\System\HizusvA.exe
  2⤵
  PID:8184
- C:\Windows\System\ZRyfwAq.exe
  C:\Windows\System\ZRyfwAq.exe
  2⤵
  PID:1700
- C:\Windows\System\eKldgcQ.exe
  C:\Windows\System\eKldgcQ.exe
  2⤵
  PID:6640
- C:\Windows\System\BgIPUfE.exe
  C:\Windows\System\BgIPUfE.exe
  2⤵
  PID:7228
- C:\Windows\System\EjthXrr.exe
  C:\Windows\System\EjthXrr.exe
  2⤵
  PID:7204
- C:\Windows\System\wqHgyEV.exe
  C:\Windows\System\wqHgyEV.exe
  2⤵
  PID:7396
- C:\Windows\System\favRwrd.exe
  C:\Windows\System\favRwrd.exe
  2⤵
  PID:7512
- C:\Windows\System\hIXwhvS.exe
  C:\Windows\System\hIXwhvS.exe
  2⤵
  PID:7428
- C:\Windows\System\WogGAkj.exe
  C:\Windows\System\WogGAkj.exe
  2⤵
  PID:7496
- C:\Windows\System\xHRIBcr.exe
  C:\Windows\System\xHRIBcr.exe
  2⤵
  PID:7456
- C:\Windows\System\qrlPWZw.exe
  C:\Windows\System\qrlPWZw.exe
  2⤵
  PID:7656
- C:\Windows\System\rFMhaJr.exe
  C:\Windows\System\rFMhaJr.exe
  2⤵
  PID:7660
- C:\Windows\System\RRkeSZt.exe
  C:\Windows\System\RRkeSZt.exe
  2⤵
  PID:7696
- C:\Windows\System\tVHOpdM.exe
  C:\Windows\System\tVHOpdM.exe
  2⤵
  PID:7680
- C:\Windows\System\UzGhbJI.exe
  C:\Windows\System\UzGhbJI.exe
  2⤵
  PID:6132
- C:\Windows\System\KBAXGRG.exe
  C:\Windows\System\KBAXGRG.exe
  2⤵
  PID:8012
- C:\Windows\System\iodheYj.exe
  C:\Windows\System\iodheYj.exe
  2⤵
  PID:8064
- C:\Windows\System\xqPXlnc.exe
  C:\Windows\System\xqPXlnc.exe
  2⤵
  PID:8076
- C:\Windows\System\lROqRws.exe
  C:\Windows\System\lROqRws.exe
  2⤵
  PID:8136
- C:\Windows\System\MotFSMz.exe
  C:\Windows\System\MotFSMz.exe
  2⤵
  PID:7244
- C:\Windows\System\LIZnaLb.exe
  C:\Windows\System\LIZnaLb.exe
  2⤵
  PID:7352
- C:\Windows\System\dkLOheg.exe
  C:\Windows\System\dkLOheg.exe
  2⤵
  PID:5152
- C:\Windows\System\YiyuMiB.exe
  C:\Windows\System\YiyuMiB.exe
  2⤵
  PID:7552
- C:\Windows\System\EOYPebh.exe
  C:\Windows\System\EOYPebh.exe
  2⤵
  PID:7752
- C:\Windows\System\YKmUJAM.exe
  C:\Windows\System\YKmUJAM.exe
  2⤵
  PID:7840
- C:\Windows\System\qTZDcIX.exe
  C:\Windows\System\qTZDcIX.exe
  2⤵
  PID:7824
- C:\Windows\System\WxjhtjQ.exe
  C:\Windows\System\WxjhtjQ.exe
  2⤵
  PID:8036
- C:\Windows\System\pAFyYuX.exe
  C:\Windows\System\pAFyYuX.exe
  2⤵
  PID:8148
- C:\Windows\System\UhCoQHG.exe
  C:\Windows\System\UhCoQHG.exe
  2⤵
  PID:8116
- C:\Windows\System\PZhCIMR.exe
  C:\Windows\System\PZhCIMR.exe
  2⤵
  PID:6908
- C:\Windows\System\EbXvYmx.exe
  C:\Windows\System\EbXvYmx.exe
  2⤵
  PID:7676
- C:\Windows\System\UBwrSnh.exe
  C:\Windows\System\UBwrSnh.exe
  2⤵
  PID:7884
- C:\Windows\System\DQvxDYA.exe
  C:\Windows\System\DQvxDYA.exe
  2⤵
  PID:7944
- C:\Windows\System\kumiZSp.exe
  C:\Windows\System\kumiZSp.exe
  2⤵
  PID:8200
- C:\Windows\System\dxjpDfn.exe
  C:\Windows\System\dxjpDfn.exe
  2⤵
  PID:8260
- C:\Windows\System\aoNtlHv.exe
  C:\Windows\System\aoNtlHv.exe
  2⤵
  PID:8284
- C:\Windows\System\xfeVjcb.exe
  C:\Windows\System\xfeVjcb.exe
  2⤵
  PID:8304
- C:\Windows\System\xUNWRNk.exe
  C:\Windows\System\xUNWRNk.exe
  2⤵
  PID:8328
- C:\Windows\System\maWCCGe.exe
  C:\Windows\System\maWCCGe.exe
  2⤵
  PID:8348
- C:\Windows\System\HSxrAnJ.exe
  C:\Windows\System\HSxrAnJ.exe
  2⤵
  PID:8368
- C:\Windows\System\VASUkej.exe
  C:\Windows\System\VASUkej.exe
  2⤵
  PID:8388
- C:\Windows\System\dzULOPO.exe
  C:\Windows\System\dzULOPO.exe
  2⤵
  PID:8408
- C:\Windows\System\rHllHdO.exe
  C:\Windows\System\rHllHdO.exe
  2⤵
  PID:8424
- C:\Windows\System\GeoCDUs.exe
  C:\Windows\System\GeoCDUs.exe
  2⤵
  PID:8444
- C:\Windows\System\xrLhJKe.exe
  C:\Windows\System\xrLhJKe.exe
  2⤵
  PID:8464
- C:\Windows\System\tvOsbsY.exe
  C:\Windows\System\tvOsbsY.exe
  2⤵
  PID:8484
- C:\Windows\System\allPyps.exe
  C:\Windows\System\allPyps.exe
  2⤵
  PID:8504
- C:\Windows\System\IzWnciZ.exe
  C:\Windows\System\IzWnciZ.exe
  2⤵
  PID:8524
- C:\Windows\System\tGXyUry.exe
  C:\Windows\System\tGXyUry.exe
  2⤵
  PID:8548
- C:\Windows\System\zHStRkP.exe
  C:\Windows\System\zHStRkP.exe
  2⤵
  PID:8568
- C:\Windows\System\MDqFBeT.exe
  C:\Windows\System\MDqFBeT.exe
  2⤵
  PID:8668
- C:\Windows\System\DdDvJzJ.exe
  C:\Windows\System\DdDvJzJ.exe
  2⤵
  PID:8684
- C:\Windows\System\fUnxVYB.exe
  C:\Windows\System\fUnxVYB.exe
  2⤵
  PID:8776
- C:\Windows\System\GFnjPpN.exe
  C:\Windows\System\GFnjPpN.exe
  2⤵
  PID:8808
- C:\Windows\System\uRgcsrx.exe
  C:\Windows\System\uRgcsrx.exe
  2⤵
  PID:8924
- C:\Windows\System\cNacpGQ.exe
  C:\Windows\System\cNacpGQ.exe
  2⤵
  PID:8940
- C:\Windows\System\VKlFGde.exe
  C:\Windows\System\VKlFGde.exe
  2⤵
  PID:8972
- C:\Windows\System\geMZdFo.exe
  C:\Windows\System\geMZdFo.exe
  2⤵
  PID:8988
- C:\Windows\System\WnWKQrT.exe
  C:\Windows\System\WnWKQrT.exe
  2⤵
  PID:9008
- C:\Windows\System\nAfhgfL.exe
  C:\Windows\System\nAfhgfL.exe
  2⤵
  PID:9036
- C:\Windows\System\hSpfHyO.exe
  C:\Windows\System\hSpfHyO.exe
  2⤵
  PID:9068
- C:\Windows\System\cNRhteb.exe
  C:\Windows\System\cNRhteb.exe
  2⤵
  PID:9108
- C:\Windows\System\ITfwQin.exe
  C:\Windows\System\ITfwQin.exe
  2⤵
  PID:9160
- C:\Windows\System\jZPuMJH.exe
  C:\Windows\System\jZPuMJH.exe
  2⤵
  PID:9184
- C:\Windows\System\SeVCwib.exe
  C:\Windows\System\SeVCwib.exe
  2⤵
  PID:7620
- C:\Windows\System\BLzaEZS.exe
  C:\Windows\System\BLzaEZS.exe
  2⤵
  PID:5248
- C:\Windows\System\BgAOBAP.exe
  C:\Windows\System\BgAOBAP.exe
  2⤵
  PID:8252
- C:\Windows\System\RPuAeql.exe
  C:\Windows\System\RPuAeql.exe
  2⤵
  PID:8112
- C:\Windows\System\bVOWTdP.exe
  C:\Windows\System\bVOWTdP.exe
  2⤵
  PID:8296
- C:\Windows\System\hIZylwG.exe
  C:\Windows\System\hIZylwG.exe
  2⤵
  PID:8452
- C:\Windows\System\SHFhTzh.exe
  C:\Windows\System\SHFhTzh.exe
  2⤵
  PID:8360
- C:\Windows\System\SLSQCPv.exe
  C:\Windows\System\SLSQCPv.exe
  2⤵
  PID:8440
- C:\Windows\System\EaCYjCo.exe
  C:\Windows\System\EaCYjCo.exe
  2⤵
  PID:8500
- C:\Windows\System\sgSynBx.exe
  C:\Windows\System\sgSynBx.exe
  2⤵
  PID:8416
- C:\Windows\System\kKfCHAM.exe
  C:\Windows\System\kKfCHAM.exe
  2⤵
  PID:8620
- C:\Windows\System\ROdEerV.exe
  C:\Windows\System\ROdEerV.exe
  2⤵
  PID:8660
- C:\Windows\System\vVAEYzB.exe
  C:\Windows\System\vVAEYzB.exe
  2⤵
  PID:8772
- C:\Windows\System\sQeLSkj.exe
  C:\Windows\System\sQeLSkj.exe
  2⤵
  PID:8708
- C:\Windows\System\EkCOPrc.exe
  C:\Windows\System\EkCOPrc.exe
  2⤵
  PID:8740
- C:\Windows\System\EGwmPJz.exe
  C:\Windows\System\EGwmPJz.exe
  2⤵
  PID:8768
- C:\Windows\System\spMGsge.exe
  C:\Windows\System\spMGsge.exe
  2⤵
  PID:9024
- C:\Windows\System\yHIWJGf.exe
  C:\Windows\System\yHIWJGf.exe
  2⤵
  PID:4568
- C:\Windows\System\WuneNOM.exe
  C:\Windows\System\WuneNOM.exe
  2⤵
  PID:9000
- C:\Windows\System\GrUfuXs.exe
  C:\Windows\System\GrUfuXs.exe
  2⤵
  PID:9080
- C:\Windows\System\mqKFSSV.exe
  C:\Windows\System\mqKFSSV.exe
  2⤵
  PID:9152
- C:\Windows\System\onyKdoP.exe
  C:\Windows\System\onyKdoP.exe
  2⤵
  PID:9172
- C:\Windows\System\yTGMZzd.exe
  C:\Windows\System\yTGMZzd.exe
  2⤵
  PID:7296
- C:\Windows\System\PuUxfNc.exe
  C:\Windows\System\PuUxfNc.exe
  2⤵
  PID:8580
- C:\Windows\System\kFDRvke.exe
  C:\Windows\System\kFDRvke.exe
  2⤵
  PID:8532
- C:\Windows\System\BaloVju.exe
  C:\Windows\System\BaloVju.exe
  2⤵
  PID:5608
- C:\Windows\System\mRRfXwH.exe
  C:\Windows\System\mRRfXwH.exe
  2⤵
  PID:8636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxdruqma.epx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AzQkEio.exe

Filesize
3.1MB

MD5
03b2c23d9fe953f840ffbc9f8a9f5055

SHA1
b907555e18b890ea6a6cc61308dcb9b9e7ba021a

SHA256
70d9623d30f612634cff39355f22be16912b7bbb486294ddac76631ff14dffd1

SHA512
191c5e8521b154ee604aabdbd6c11bd0fbfc04929435d563ccf81b2346497a4a6f86b760607ac57986cd13b48a7d9a8c206bb8e3262c587d710cc88079d2a7d9

Download Submit
C:\Windows\System\BCZafxy.exe

Filesize
8B

MD5
44bf49d36035eb00f5300ac1a1afc446

SHA1
efe4f6ff307f9caed7f6949e1a19ce6bff5ede19

SHA256
d6adb65d904d88ebbf5f73cace13dbd8ceb7d6b2b977c021ad3b0a4aa99b648f

SHA512
8e76802b3f04a2be9fcb0a504a2aab7f3a79e962c545a85c01bc2528c719fc825f28229de452d4507e45ed92f726c1862885d6f18fa5e01cbf2b77dcdf5d1348

Download Submit
C:\Windows\System\EgjoHrF.exe

Filesize
86KB

MD5
9a565d989dd85a92fc8300bcb1c72945

SHA1
a501c1618b50ea5cbfc3bd07c281b518ecd762b1

SHA256
ffbe6e117fdb11569962b751a92016bdd118b999cae52a908cc6526ad0757d71

SHA512
d18d3a77b79af3978fadd342341d65736cc02e767f338412f839629036bb5c2785f44fc0cad14bfa090276c3d0beeb70270f77c1502cb320cb7e8e74f5c32b08

Download Submit
C:\Windows\System\EgjoHrF.exe

Filesize
3.1MB

MD5
3500f291b73266e639ccd1c0af63800a

SHA1
482d11580281115fbc70a85a0a998cf1bbe2bd31

SHA256
76a6746284a44e199fa2ef5211a7760705733556ac84bd783713dbe9ff120a2c

SHA512
70295447ae4f9f19a6e7a176cd87000019c645fdb2f258402323a15be57e5cb5d884301395bf96ae5d42dd875397cfd81f2ead563abde1bf22e3f38ef72a4a36

Download Submit
C:\Windows\System\FprMGrQ.exe

Filesize
3.1MB

MD5
4c368630f06eb94a42fc082006f46366

SHA1
f659323d875f669ce129c7c6c3937ee1fd81e722

SHA256
1686f64aa47dcb8d18afb65e97881fb00cbd710f678c3b1972b20bf234b6d8c1

SHA512
1931426bfe43b757ea3906b80b2410113ddfe3df67df7275050d7ecc9138c6c14d427ccb84b3461c0fb5bd42fd18907751590b22f7e46339d0b5758ff5897c8d

Download Submit
C:\Windows\System\JEiirMB.exe

Filesize
3.1MB

MD5
764c984003f9d14c5a3c8de5c9b77787

SHA1
b8c29a86fd0d0bd7ad212dd96fb5bddf5027d08b

SHA256
b993ea93074952351c9e199938e86a7495e9948f5fa817698367d8bdddacd5c9

SHA512
2af058e1cd3b12e8c6103016169d4b8efcb1b0176328e7bb960fa6eaa1956316a79b2127253a738d57283806468fbf6ec1ca8ba5e0b2ed5378499deac342254c

Download Submit
C:\Windows\System\OFoaqpM.exe

Filesize
3.1MB

MD5
07c89003bf992e3b29e9a2e6ce060d56

SHA1
4616332c608d4ec651cc7e6fc6a484b2f6431377

SHA256
0552dc67cba81f8475ef665efdc073a5af345703ba70338c7b2b13dff6b005db

SHA512
e7e7a68518c2a76688355984715e653f792d1096e30e366804f6413840f9cdc7d4cfa2a8e9cae37c15440c7f5323b03c789a149a491b45943f03483a1c4f53bf

Download Submit
C:\Windows\System\PUMrZAX.exe

Filesize
3.1MB

MD5
c75249a0fe80a497e84997e301c6ee3d

SHA1
4071f5e88fb010ae55d8ce2e350a4357a98e457c

SHA256
fc8512487e538e43ea396b5e5202c05c11554309c6ecf3841a67b678e9e62976

SHA512
00a9c45f6417d9e201bd1e33f848b1273aee140563ea1c6f990fb072120fd27bf1853725c80e42311f936ce3224731d2017bcda5cabe659ca89bcf25fb06586a

Download Submit
C:\Windows\System\PyBfhHx.exe

Filesize
3.1MB

MD5
1c61606e2782fa996d857c2bfae2f9c1

SHA1
00903bc635eb0cce70a965876468fc1a13d94653

SHA256
982b1e4187989cbe5e90b21934e4d99618d621fd0200ffd99f970bdfda9086dc

SHA512
f0b01161d94d5936c3b5ed62015e6562a70264282220512e75b3b65c4008590f6af0c854b6edf36ebd9a0e05d0937f689006b906414e23c8832cdfd7436d31e9

Download Submit
C:\Windows\System\QEWodMA.exe

Filesize
3.1MB

MD5
14086c677b03d82ebeab55aade8ae2f1

SHA1
34b5bf472de76f12c5c4529ecd102c106cec8c7c

SHA256
28adbc6121a794777b1d069c099ef7f591244b236eaaf704b49907b1b1a03ce7

SHA512
6a2724cef5420112fe354e928235c0c4c985ea6f03c36c8ed368f2d88efca1c18bad5190911ffa69ab30c6b617e2ef7921dbc18ca58ccfb228844fb2635fbbda

Download Submit
C:\Windows\System\UTaQrOk.exe

Filesize
3.1MB

MD5
bf54593adc1920e2d0d629d187d7a1d8

SHA1
49b9fc96bff625eb8606d936f217456dfab3f899

SHA256
380696142fa3f72fa7c11f9f5f26eee0e82bce58ec946cc8bd35168028e9fc30

SHA512
f2ff777f34df7e637a0e26ce2829f4226f333fd441dfba67428f204bfd63224d61fa24859d99e010732ca2cab576bb90a207bbaf9aa9859f224ac84879bbf804

Download Submit
C:\Windows\System\UlZFrwU.exe

Filesize
3.1MB

MD5
e2c3ca94c350781b85c6009413629430

SHA1
a294c692a184d17d413fef57a3a3364fe41ada7d

SHA256
1fdd66c2b22e0a941a08766d314a1a480bbeb6949570efd543b17300041567f8

SHA512
7e65031fff5c819e9f9850261072d025c849dc1625d3927676a9a02ccb03a1f1899ab42efcd0485639e5a4752242086bad22bd41fc64ab6be854263a91fa0c33

Download Submit
C:\Windows\System\UlZFrwU.exe

Filesize
21KB

MD5
3a1896ae88f1e3f194d639b6409e1be8

SHA1
99a19ece588079c1301d339af43bf0659a8236f8

SHA256
6555d7e65aa023c4613ee0c6c0b5d8a68af5c221c4a6f2b966adc3ce6edc3c30

SHA512
7b4b69cfd3440c2a9d83d02ec9d90c3ca475c17375ba9c2997ebd1b097cd2f87b04a3f8785c7a9ae735d0fceed75926de1bd072346dfab8da07db697b9c7984b

Download Submit
C:\Windows\System\VLcpmtI.exe

Filesize
768KB

MD5
24b5ffd69d65081193a8f8fa73d97195

SHA1
4e155916ef60ed418f41d249ef4ca5b195f02402

SHA256
389a7db4cc214526722b42ecffbfe21be97f2178948eec077a021957394bed8f

SHA512
379d675f754c0ff5956fa27b9075c21f9ed0963b76e879c2505da01990629e0faf233169ec132f371fac19ded78db45f4753872a606fc0d8722c7587d760104b

Download Submit
C:\Windows\System\VLcpmtI.exe

Filesize
3.1MB

MD5
892928623b22478d21473ecf91f92a2c

SHA1
2756b110c33ed9ecf3fdc56bb0274eae1184927e

SHA256
18665ff469175e04d6dade9e4de63dd6340412c48e759809a6db3447e9f1be66

SHA512
ffa081e3a817b6525c2c96b1d826d90a0cfa8e03508715b9ea9608cdaf223e8ee67b6a224cb6026296dd1122e22a57b81e26775015ba159a1cafe0c5685e23c1

Download Submit
C:\Windows\System\VjdTazk.exe

Filesize
3.1MB

MD5
95fbd875381c4202e0f7bdb6c9d4005c

SHA1
fef4d6471e3b569fa3975727802d5d1737375fdb

SHA256
2c071f8b5e37ba25b7f4130b30ed9680e3a9a2e0fd6a406d0e26e296373a3378

SHA512
49d80ba26446eb450728df3f53ad4d6457b60861a0c6ea9d14adb9f441432de9f1af483cdc1a96a5259253684528a2d8a00f0e69213ff950f401b899c9a90fdc

Download Submit
C:\Windows\System\WbfLbwd.exe

Filesize
3.1MB

MD5
d0e2e9deb82ab6c76dda403bca1c0a02

SHA1
b27d97f526b492906afe2ee9685736cebd1458e0

SHA256
2361d3e5dae32959a49750ba55cc18847effd26509ecfa271bcd3d37de473249

SHA512
55ad9f97f1a1de793fd98fbf57444d8aca81c622d5eae137cafc449eb1d4814e91ff3348b54d93aacd4e3e229e2dc10c549a7856442967a1ba7a471745fcc33e

Download Submit
C:\Windows\System\YnYvYCd.exe

Filesize
3.1MB

MD5
b11b5d2a2863482224037198a5757c39

SHA1
a4caaed3ff76bcf7e949a5f992c0b32ca3b40bd9

SHA256
4eab11b94e4bd8ef12b044f481a00103f90175df1702899adcadd10dbccff94d

SHA512
3522dd449d93dde190d45c9498fb5e1bd275248410199625ad0635b31720ec4914fdecd9f6594fd472d116989cef4e6d057f08339a0eb891f143b062d28294a8

Download Submit
C:\Windows\System\ZnIPvej.exe

Filesize
285KB

MD5
bc1b1f3a47a820c1ecf9a3a52383a1e4

SHA1
45e55f63cee33115e0738cb46b432c7a671b6561

SHA256
91dd59d091231d3f92c7593192f281908b20c88cf09c1242ef5e48c3d0539927

SHA512
ed068d8b8d7cf413e35b6f613ead3f9a0864ddee6784ea1c40530c2c206558c286bf23aedbdf96e3f22b48070ba3def28ad9766e36a41a1a0e04ba7142fb0cab

Download Submit
C:\Windows\System\ZnIPvej.exe

Filesize
3.1MB

MD5
9e918ddc53bcf53993f062422515169d

SHA1
90a38180424a8ea2431b4333da36c0a567dc20ec

SHA256
d79d97ee4b346f244d7da3f420602b9d2ebfab124a6f4d83500ba4390caed7b3

SHA512
076eefc3140e079b3d47682f9752a436bae09234662517ad509aeb0ab9b2c33af08e63b17d546dd7f00fd2b857a56b54432c81f6f0664dfe676824db1d05b1e1

Download Submit
C:\Windows\System\aenTkiA.exe

Filesize
3.1MB

MD5
f8a16adac3b98f9ada3bb70b928e19e4

SHA1
65a0d99803dcd1b21a11a89d1550c386cd8fca6b

SHA256
7f5382cbe948042282f7c642059d18b257e77b2077a524cf79b3855d7296f645

SHA512
4917c576c87b331bd25350082612f8fd0dced94a3aed28ac831e83ca62f99ada0ec2ecd1d557d17f520683eb23b530ccaee69ea0c009be368de86f1ba52ca2fe

Download Submit
C:\Windows\System\borUYQx.exe

Filesize
64KB

MD5
f61c033bf90b57d89bbda83991a10cb8

SHA1
4dd1989432a3c70ae1d2a687aed6495d1257fd5f

SHA256
dbf10af3247ddefb7b9c32009a80a6bf7d4375b499071bdb078f40bd53daed8d

SHA512
4fba3cdd8da9ea55317fed64c7e23f6810baf3b5e602836f81078cdb4f71e6da87d5b82e0047f440ddc702d4fe26c4c03bc618ca357176222ea8c6ddc485e7d7

Download Submit
C:\Windows\System\borUYQx.exe

Filesize
3.1MB

MD5
8808e1b865f24a4227397e6e0e65a9ef

SHA1
4220e1959ef7028e2ea3191c2eca3d2c1f23a815

SHA256
e91ffef09c03cd06786f594efab636e060320cdc50d76b405902bef606947090

SHA512
82d6f11d91e74e1a4e9f5c1e3af8c0627bd91aefa83238424c0bef808eb1e4db0874f953e8350afad61d249471a6bfb88347a6b9112b819e0c26b3081aa52c75

Download Submit
C:\Windows\System\fARujZh.exe

Filesize
234KB

MD5
30a1603ba8867268a9a2bce9114a33d4

SHA1
caff668e19ddc72f6dd780c981b6391b7367d505

SHA256
7877ee05b2847526f15d7adce255c113d5e85c5a348ef793e67c49a817d3069f

SHA512
ecf89bbef9c3d821b1f9899cbe20b1b759bc8d81e06ebc7d58ef2c4129081c5fce778f6bca6cf7f19ee815434b5da313caee380badf40ee2a5efd861ec0b97e2

Download Submit
C:\Windows\System\fARujZh.exe

Filesize
3.1MB

MD5
4e8d41efd7b7140ddb8d0b5c8cdc267e

SHA1
f21a4d56f4f4e315d77e7816ebd53ba1c651e1da

SHA256
cef23a86cf60339b668be287fa29aaf6d9825ab4744dea70161ca62e1a8d88d0

SHA512
5ba7252c130a715c26beacc0aa124e550e59198d67b2c0b9934476d7d264d4a5cd9507d0ab82242f1b789557e48159c5a623ccc396d596484d3cfd7ebaccb08d

Download Submit
C:\Windows\System\gesocoT.exe

Filesize
128KB

MD5
c1720bf6b92ec132d7564eac731fc38f

SHA1
70cb8ffa2b3c3f8755068ca52ef45bc05053e04c

SHA256
309ed1ac33cfbd551bec7fd27b31f8fba68ad8bf7555488bc49b3b419365ad4e

SHA512
bded35dca34da2db81635bd0b1bc8528f941dd3d298b7d8e44ed0acabcd10f167e10f2462737f28b287efd04cf55f2df73664e00f0d667cdbfbf8904a731f97f

Download Submit
C:\Windows\System\gesocoT.exe

Filesize
3.1MB

MD5
4430fc62384fe7f587299a1fc6c3b425

SHA1
dd4ed77e598a8653b1fa0d25887bb16cfd8273f9

SHA256
aba079e0e347f09dc848fe94324a88d26b42b05a10ad2cb03662ca86bb7aa24c

SHA512
c3a5598f1a30bbd6692ad6d51e87cd890ed3d630975484b18f1e193971bfb790b4b67e0100f577086309ac0ee285d3412edf7a800c40efa86ab6058a21f8ed06

Download Submit
C:\Windows\System\hLAoRcG.exe

Filesize
3.1MB

MD5
b8ed9b62ef88c23568427fed1756d44d

SHA1
d3c4bec339826f1c9e8a07bb051032b806962556

SHA256
b15a99d2eb028d4e5605c487a3f16c00dd32a41508495a0942ebf05725ba616b

SHA512
f5712894f13afddd03276c4aedd83f88397f34bfe4c4f63e65c7f74642acba6a47e678077bd283948ef6a6096486c0ff98d51f7f6fc1227b56df70468438582a

Download Submit
C:\Windows\System\hxADhIF.exe

Filesize
3.1MB

MD5
52a2c41575ea29acdfc57c595cc49ec1

SHA1
9ef88715ad1ae9ceaf357f54be079c04633dc0c6

SHA256
ce77ee1a9339be907d70cd9a4b31b0c52a837d738f6d31b4620f12b98453c176

SHA512
ad73f4c7a8baef217302a6090bf0847ea0960d50fbfa65d941e8fa1bf21ef0b0578f41a63a2a6f911d4134c965b39c2d6a491dc2e36ecc5bef9bc6aff3797050

Download Submit
C:\Windows\System\hxADhIF.exe

Filesize
168KB

MD5
a906c4a4781898a654ba9cd08c507f00

SHA1
e11a1e0e14deb508dd57237c287718c8d89765b2

SHA256
b70c034b3a7eb21147e43fd30c87a36a2a9ebc3c44f1cc92f7589d027976f458

SHA512
aaa90d343d244cf8c96257b8d9531b9fcc1f6498e2a110a6522276c9ec2089296766d81f4fb3542d64c03ae4553cc1b3c8eb5426fecfc58adfef0c917a02f7f5

Download Submit
C:\Windows\System\kGfPwoh.exe

Filesize
3.1MB

MD5
f105c5fbb56b4e0440ffa103a32f071f

SHA1
8c8c3134df486372ee586720c9b8de9cbbbefb35

SHA256
23fdafb37d2dee6ec63f14197ac4b7e8a16f46556ef10f6d7422f2653e2c844c

SHA512
9000a6203ccdde3f2f52d24ac32e7da9bef277687448233aafe4194c9db783f7e076c4b8f69127036fbae936fbf8630d5828d62068756912eeb7592a9524d1dc

Download Submit
C:\Windows\System\knZSmyt.exe

Filesize
896KB

MD5
328cedac3d4fa50a020ae3cc13684ea7

SHA1
2270f836bd39dff81f4b6cfcaa234953519197af

SHA256
96c679cdf10b716f496e3c52b725f4e02b598099773e9877da2613e717421940

SHA512
e622df9f9e5b54dbeff5be2a65ae7d560cbeb28f2dc8170e0aa1c26437540a51fdff48e63a54fb68ebbc0fa88e8139b7c27a9fd2c7fe867f65309fcf28119bf5

Download Submit
C:\Windows\System\knZSmyt.exe

Filesize
1.2MB

MD5
a8f99b2b438ca8351865153ae9da12fc

SHA1
536d5d0191412fb737c762736b11ec055d36d244

SHA256
fd0be3eaec25abf3cf41039156e5b909383be27ce4c04844eee5003b351db601

SHA512
de7d0530418674663cedbe4f5f1842e6eb2903353f3166bf61d19d35afd94182db69375694aabe1947bd3be46cbf9fdd406d74ec704db52067235d4dedd2d7f0

Download Submit
C:\Windows\System\lQUMpok.exe

Filesize
3.1MB

MD5
5b8699bcb06901d6ea4d28fd473ce5cc

SHA1
c50ed3d0bd3f2923700b5c02df12d7772ff27a57

SHA256
e511e8194788f724737a2f0d32501535b1598b6c49e8ba3fa35fa143c8e68d58

SHA512
8476e348834c41e5de9b1d1cfe3fa25c672a030b3a03caaa907867d843c48ba7652149234b45cb092b389e7dff575d86fd831cbae48507dcfca9840ad66ec008

Download Submit
C:\Windows\System\raWgQYU.exe

Filesize
3.1MB

MD5
c9a5807c81c6d15c75773e379f7064b2

SHA1
38bd260585962a8f0885b9a4ca1b4bad5c91a444

SHA256
4c996e8764a25e44e480c3d932647caec8503cd60f4ff5251e7046386f56587e

SHA512
a7fbbba2760375662cada62a2a66c4a9a690497a4a510070b99b22e8df2d9b0e3a62ab272a7a8fa485d1ed10ba03b1c920e75a4d710fc58120726094f3169bd4

Download Submit
C:\Windows\System\sDktOMV.exe

Filesize
3.1MB

MD5
38eb7eab805eac6c32cc9f8c7410fb5d

SHA1
8fd219188500aea79e00e5d27eddc540498dc3b1

SHA256
fc98cd6095278058cbb5124023e8d141342936093f72244a0bf44fd91f3bbed0

SHA512
f1fe03046d2695c0685f1295eb9f3891328e55aa4e29e99b41b20577f28f4dd662b278da477bd78781fad5f5b151137b8c0ad685c5428bb05f95f2e3f867ad83

Download Submit
C:\Windows\System\stcuesD.exe

Filesize
1.4MB

MD5
0905409290a4c59bb6d86754ebacbce0

SHA1
b6b072b79585364139c2a6009d361728b2106404

SHA256
51c4f3c659fcb3ece8797231dd589890651b9d3e984f871e39661554fdeb3301

SHA512
6fcb1b1fae83b6d1d2f296c123b4125583c9653e8ade46946607d493ade0c797ca40d667beb33da1467106ec26e3f1ab7a5128975142ef1cbadfaf4e3126b2d3

Download Submit
C:\Windows\System\stcuesD.exe

Filesize
3.1MB

MD5
15246d30d44ed2497306acbaf3cd2eaa

SHA1
453194c19b4867838092be6199e31eeecf57305c

SHA256
eac31e46590c11607fc7b0d82783f366563158f316538bd6917e9298c6b42730

SHA512
ffaa589f7b263c05181eefd8aa8b2f6f92482176d613972ecab5f9e72645786dba4a1312a4c0e249b6dd7f8a9eb5f16dd1a9736245ca78d2ba92b8f3bef44fb7

Download Submit
C:\Windows\System\uaoaOUo.exe

Filesize
2.7MB

MD5
20b2d97a834f0f878ad3223cc8a3212b

SHA1
10ab294e537deb46bb9ef4ce450e70b620c1647b

SHA256
cfd5b5ed4ed5205831aa2a73c22ac70eb2020cef2cbedd8ad4642ed96d4cea20

SHA512
770dd84905974f89a7bcc80763e12e8d21e7b1f65c65cd39c1a9ab1920e9e6980be0e56cf3eccf4d111c5011fada271442e3e89bdc5e1f76acc71b5d7d9f63cd

Download Submit
C:\Windows\System\uaoaOUo.exe

Filesize
1.3MB

MD5
4850be711c75174e63bdb3986b7959bb

SHA1
566464510eb673fe29e1a634c5c384360a969523

SHA256
840d0f2d9883b20f7033b06e489e66217c93ceda37d80d06089dfd25864306de

SHA512
49c9722f509d1d20b930138cef86e4d4ca53200e6b9d506f84183cc88c61d603fc0f5e5aebcd5dba1b5bdbad31a02aaef4547e7b25d6caf8156da44723fe2261

Download Submit
C:\Windows\System\utCDtwD.exe

Filesize
309KB

MD5
f3eb33d9c11d30d4bd63b877a1ec5cae

SHA1
9263589073d46006ddda88f42955cc139cea6c5f

SHA256
d923da5b3338fae5056fc0bf2a9c9bca324b01a08c7933b53a038bc54d38e452

SHA512
97dd28ebf22b2344bb9cd3db9c9614f1da02cb65949c633b0c504a6b05f130a4d8394911e3268f10bdc4a14847e0eeb72e0b1ca9cd68c94063c1922491c7e222

Download Submit
C:\Windows\System\utCDtwD.exe

Filesize
3.1MB

MD5
5b810b96e09055f7715877936279bdee

SHA1
ba346ad56fe83501dd055cd6106beda1e82c11f8

SHA256
10f6a3029c8a1565d25df404d16718bb7d6032775f7c35f7b200b20adb3c2711

SHA512
d1c434cf18db70f32d24e059b12a3a4ae3de231211d7bcaa21253fa2dc2e91dfee692ff00d770c516b33065688be7cba613ca2d7725c83a38b81415cbb80c37f

Download Submit
C:\Windows\System\wkqRaHk.exe

Filesize
448KB

MD5
e1b0e4f1e9d27696701c4b8e6c1fb92b

SHA1
250208f24df0f6e2fcc93e3aa36248290d5d3931

SHA256
eb3827c3694890dc070aaa28840c68cfcfc203a791b424202cd641eb85c99a00

SHA512
2b738d074a6a5aecc2b0f251addf87d8ecf7d947a5d74da76a342d8cf7552a86ebc16e178b4dc3f81b74b6184ec7c8274716ff5f4a3bfd524669584da29cce48

Download Submit
C:\Windows\System\wkqRaHk.exe

Filesize
3.1MB

MD5
35a23512a853047112afa9ddb2bbf622

SHA1
60435244a901c438d0bfd500b1d86495b3ee855d

SHA256
72f40a561d2c15905f5c8164917e94c2b0f7f1557cb2cb250ae3d288082ff3af

SHA512
71bbadce7849891b838707277bac128d0ec3bedcbab8fddc95e885e1158d0fbde7adda0f9b7625bdd6f71b7af5bea11ed2ae9abc2e1c34f222ba28abac4956a0

Download Submit
C:\Windows\System\xFbdKhV.exe

Filesize
3.1MB

MD5
381fa2606b07e6c490691678f3b91c88

SHA1
2c37c02a6350b33e075ddd2e7e7611971f52e53b

SHA256
83d67fb5cdef457ad43ddf0ceef827b3ee509979bf4de67e95429476a06e437a

SHA512
8f305e609ce1f4096ea0096a8b210ffc9810dabfc307b58488aed726aba25b8e4091cdaa9a4ec816c01e262c3b22e075096401b4d615b6d702a05f83244a6641

Download Submit
C:\Windows\System\xFurcbp.exe

Filesize
3.1MB

MD5
b5b786ae1f372aea461dcc6198c59777

SHA1
0e75a78ba2a3014eae700890c1f2d8508b57a0ef

SHA256
960568c0b1981cd7f63ba75f14acd80469e9d6a80d14b8af8e3ef20bbb09bda6

SHA512
e6f8de59631171841d8bae8e7ec59c8ddeccfc2525dfb9c89db83194c79ebbef394eb020703d0fd6e84ba4dbca2509176b7e9aa6fc66bf2d7c0cf88b5a4da53f

Download Submit
memory/116-213-0x00007FF668AF0000-0x00007FF668EE6000-memory.dmp

Filesize
4.0MB

Download
memory/236-91-0x00007FF6A2240000-0x00007FF6A2636000-memory.dmp

Filesize
4.0MB

Download
memory/536-112-0x00007FF6E46C0000-0x00007FF6E4AB6000-memory.dmp

Filesize
4.0MB

Download
memory/924-154-0x00007FF6371B0000-0x00007FF6375A6000-memory.dmp

Filesize
4.0MB

Download
memory/1248-119-0x00007FF697250000-0x00007FF697646000-memory.dmp

Filesize
4.0MB

Download
memory/1448-227-0x00007FF764EE0000-0x00007FF7652D6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-365-0x00007FF7D6D20000-0x00007FF7D7116000-memory.dmp

Filesize
4.0MB

Download
memory/1560-182-0x00007FF6EEB20000-0x00007FF6EEF16000-memory.dmp

Filesize
4.0MB

Download
memory/1640-362-0x00007FF70E730000-0x00007FF70EB26000-memory.dmp

Filesize
4.0MB

Download
memory/1740-142-0x00007FF791BF0000-0x00007FF791FE6000-memory.dmp

Filesize
4.0MB

Download
memory/1752-132-0x00007FF75F460000-0x00007FF75F856000-memory.dmp

Filesize
4.0MB

Download
memory/1836-195-0x00007FF6827C0000-0x00007FF682BB6000-memory.dmp

Filesize
4.0MB

Download
memory/1844-229-0x00007FF619E20000-0x00007FF61A216000-memory.dmp

Filesize
4.0MB

Download
memory/2080-200-0x00007FF7D1B40000-0x00007FF7D1F36000-memory.dmp

Filesize
4.0MB

Download
memory/2104-191-0x00007FF682D10000-0x00007FF683106000-memory.dmp

Filesize
4.0MB

Download
memory/2284-161-0x00007FF7B3800000-0x00007FF7B3BF6000-memory.dmp

Filesize
4.0MB

Download
memory/2308-361-0x00007FF6B4F90000-0x00007FF6B5386000-memory.dmp

Filesize
4.0MB

Download
memory/2336-145-0x00007FF668830000-0x00007FF668C26000-memory.dmp

Filesize
4.0MB

Download
memory/2560-176-0x00007FF6468A0000-0x00007FF646C96000-memory.dmp

Filesize
4.0MB

Download
memory/2584-210-0x00007FF6A9870000-0x00007FF6A9C66000-memory.dmp

Filesize
4.0MB

Download
memory/2800-199-0x00007FF6843A0000-0x00007FF684796000-memory.dmp

Filesize
4.0MB

Download
memory/2844-232-0x00007FF78C4B0000-0x00007FF78C8A6000-memory.dmp

Filesize
4.0MB

Download
memory/3028-364-0x00007FF7966E0000-0x00007FF796AD6000-memory.dmp

Filesize
4.0MB

Download
memory/3272-165-0x00007FF7AB860000-0x00007FF7ABC56000-memory.dmp

Filesize
4.0MB

Download
memory/3412-231-0x00007FF713C90000-0x00007FF714086000-memory.dmp

Filesize
4.0MB

Download
memory/3448-128-0x00007FF7353F0000-0x00007FF7357E6000-memory.dmp

Filesize
4.0MB

Download
memory/3480-367-0x00007FF785430000-0x00007FF785826000-memory.dmp

Filesize
4.0MB

Download
memory/3516-11-0x00007FF7EE6D0000-0x00007FF7EEAC6000-memory.dmp

Filesize
4.0MB

Download
memory/3604-360-0x00007FF6B5A00000-0x00007FF6B5DF6000-memory.dmp

Filesize
4.0MB

Download
memory/3728-187-0x00007FF69E1C0000-0x00007FF69E5B6000-memory.dmp

Filesize
4.0MB

Download
memory/3736-149-0x00007FF7C2970000-0x00007FF7C2D66000-memory.dmp

Filesize
4.0MB

Download
memory/3808-73-0x00007FF667C30000-0x00007FF668026000-memory.dmp

Filesize
4.0MB

Download
memory/3872-53-0x00007FF63F400000-0x00007FF63F7F6000-memory.dmp

Filesize
4.0MB

Download
memory/3920-153-0x00007FF7F19E0000-0x00007FF7F1DD6000-memory.dmp

Filesize
4.0MB

Download
memory/3940-103-0x00007FF6F57E0000-0x00007FF6F5BD6000-memory.dmp

Filesize
4.0MB

Download
memory/3988-230-0x00007FF60C8B0000-0x00007FF60CCA6000-memory.dmp

Filesize
4.0MB

Download
memory/4200-205-0x00007FF79DB20000-0x00007FF79DF16000-memory.dmp

Filesize
4.0MB

Download
memory/4224-136-0x00007FF6038B0000-0x00007FF603CA6000-memory.dmp

Filesize
4.0MB

Download
memory/4244-36-0x000002021DA50000-0x000002021DA60000-memory.dmp

Filesize
64KB

Download
memory/4244-63-0x000002021D9C0000-0x000002021D9E2000-memory.dmp

Filesize
136KB

Download
memory/4244-26-0x00007FFA32060000-0x00007FFA32B21000-memory.dmp

Filesize
10.8MB

Download
memory/4244-29-0x000002021DA50000-0x000002021DA60000-memory.dmp

Filesize
64KB

Download
memory/4416-363-0x00007FF75E330000-0x00007FF75E726000-memory.dmp

Filesize
4.0MB

Download
memory/4556-57-0x00007FF623190000-0x00007FF623586000-memory.dmp

Filesize
4.0MB

Download
memory/4732-368-0x00007FF615DF0000-0x00007FF6161E6000-memory.dmp

Filesize
4.0MB

Download
memory/4768-118-0x00007FF76D7A0000-0x00007FF76DB96000-memory.dmp

Filesize
4.0MB

Download
memory/4772-233-0x00007FF73F860000-0x00007FF73FC56000-memory.dmp

Filesize
4.0MB

Download
memory/4788-85-0x00007FF719280000-0x00007FF719676000-memory.dmp

Filesize
4.0MB

Download
memory/4896-169-0x00007FF7D53C0000-0x00007FF7D57B6000-memory.dmp

Filesize
4.0MB

Download
memory/4908-172-0x00007FF6D3F70000-0x00007FF6D4366000-memory.dmp

Filesize
4.0MB

Download
memory/4988-0-0x00007FF7C2F50000-0x00007FF7C3346000-memory.dmp

Filesize
4.0MB

Download
memory/4988-1-0x0000026626CA0000-0x0000026626CB0000-memory.dmp

Filesize
64KB

Download
memory/4992-366-0x00007FF604800000-0x00007FF604BF6000-memory.dmp

Filesize
4.0MB

Download
memory/5000-220-0x00007FF718A90000-0x00007FF718E86000-memory.dmp

Filesize
4.0MB

Download
memory/5136-375-0x00007FF7288B0000-0x00007FF728CA6000-memory.dmp

Filesize
4.0MB

Download
memory/5164-376-0x00007FF7B58A0000-0x00007FF7B5C96000-memory.dmp

Filesize
4.0MB

Download
memory/5196-377-0x00007FF71E6C0000-0x00007FF71EAB6000-memory.dmp

Filesize
4.0MB

Download
memory/5224-378-0x00007FF72CBD0000-0x00007FF72CFC6000-memory.dmp

Filesize
4.0MB

Download
memory/5252-379-0x00007FF75FA50000-0x00007FF75FE46000-memory.dmp

Filesize
4.0MB

Download
memory/5280-380-0x00007FF78BA00000-0x00007FF78BDF6000-memory.dmp

Filesize
4.0MB

Download
memory/5308-381-0x00007FF7E6300000-0x00007FF7E66F6000-memory.dmp

Filesize
4.0MB

Download
memory/5340-382-0x00007FF7B6200000-0x00007FF7B65F6000-memory.dmp

Filesize
4.0MB

Download
memory/5368-383-0x00007FF794230000-0x00007FF794626000-memory.dmp

Filesize
4.0MB

Download
memory/5392-384-0x00007FF68C890000-0x00007FF68CC86000-memory.dmp

Filesize
4.0MB

Download
memory/5420-385-0x00007FF6C9C90000-0x00007FF6CA086000-memory.dmp

Filesize
4.0MB

Download