xmrig | a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f

Analysis

max time kernel
65s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
Size

1.9MB
MD5

2ec0dc83c7917eba7c8fa38e8740aad7
SHA1

31cab6cda43c4cd61b810ae603de8bfa5a048bd8
SHA256

a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f
SHA512

6212aa7298fabe1ce58680f91cac7235381ac73650156639a8532431c5882852abd6b4ccddf520c9401b2a71118649d92eb8d5786d6e16426f0c3f198ca2d43b
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCejQCCLtZt4Hpti/3AFhgGrTk3HeQIgcS70h:knw9oUUEEDlGUrMNi/3ADGPrAx9v

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3956-0-0x00007FF764730000-0x00007FF764B21000-memory.dmp	UPX
behavioral2/files/0x0007000000023221-7.dat	UPX
behavioral2/files/0x0007000000023222-19.dat	UPX
behavioral2/memory/3008-22-0x00007FF7E5E80000-0x00007FF7E6271000-memory.dmp	UPX
behavioral2/memory/4084-26-0x00007FF7E9FC0000-0x00007FF7EA3B1000-memory.dmp	UPX
behavioral2/files/0x0007000000023224-36.dat	UPX
behavioral2/files/0x0007000000023224-35.dat	UPX
behavioral2/memory/2236-38-0x00007FF7111A0000-0x00007FF711591000-memory.dmp	UPX
behavioral2/files/0x0007000000023225-41.dat	UPX
behavioral2/files/0x0007000000023226-51.dat	UPX
behavioral2/files/0x0007000000023227-49.dat	UPX
behavioral2/files/0x0007000000023227-53.dat	UPX
behavioral2/files/0x0007000000023228-61.dat	UPX
behavioral2/memory/2368-71-0x00007FF636840000-0x00007FF636C31000-memory.dmp	UPX
behavioral2/files/0x000700000002322a-78.dat	UPX
behavioral2/files/0x000700000002322c-87.dat	UPX
behavioral2/files/0x000700000002322d-92.dat	UPX
behavioral2/files/0x000700000002322e-97.dat	UPX
behavioral2/files/0x0007000000023230-107.dat	UPX
behavioral2/files/0x0007000000023232-117.dat	UPX
behavioral2/files/0x000700000002323b-162.dat	UPX
behavioral2/memory/2692-361-0x00007FF687DA0000-0x00007FF688191000-memory.dmp	UPX
behavioral2/memory/5072-362-0x00007FF6CF6F0000-0x00007FF6CFAE1000-memory.dmp	UPX
behavioral2/memory/3560-360-0x00007FF6F94B0000-0x00007FF6F98A1000-memory.dmp	UPX
behavioral2/memory/3376-363-0x00007FF708460000-0x00007FF708851000-memory.dmp	UPX
behavioral2/memory/516-365-0x00007FF63DAF0000-0x00007FF63DEE1000-memory.dmp	UPX
behavioral2/memory/4368-364-0x00007FF67E270000-0x00007FF67E661000-memory.dmp	UPX
behavioral2/memory/4708-372-0x00007FF75DB50000-0x00007FF75DF41000-memory.dmp	UPX
behavioral2/memory/2532-391-0x00007FF60AE90000-0x00007FF60B281000-memory.dmp	UPX
behavioral2/memory/2948-394-0x00007FF72F700000-0x00007FF72FAF1000-memory.dmp	UPX
behavioral2/memory/3104-407-0x00007FF77C630000-0x00007FF77CA21000-memory.dmp	UPX
behavioral2/memory/3536-420-0x00007FF6AE760000-0x00007FF6AEB51000-memory.dmp	UPX
behavioral2/memory/548-425-0x00007FF7D5360000-0x00007FF7D5751000-memory.dmp	UPX
behavioral2/memory/8-429-0x00007FF630E10000-0x00007FF631201000-memory.dmp	UPX
behavioral2/memory/4928-445-0x00007FF6880E0000-0x00007FF6884D1000-memory.dmp	UPX
behavioral2/memory/808-451-0x00007FF7186B0000-0x00007FF718AA1000-memory.dmp	UPX
behavioral2/memory/1588-471-0x00007FF606FE0000-0x00007FF6073D1000-memory.dmp	UPX
behavioral2/memory/116-483-0x00007FF6973D0000-0x00007FF6977C1000-memory.dmp	UPX
behavioral2/memory/624-479-0x00007FF711BF0000-0x00007FF711FE1000-memory.dmp	UPX
behavioral2/memory/4160-489-0x00007FF71C320000-0x00007FF71C711000-memory.dmp	UPX
behavioral2/memory/2944-506-0x00007FF62F200000-0x00007FF62F5F1000-memory.dmp	UPX
behavioral2/memory/4940-549-0x00007FF7ADEC0000-0x00007FF7AE2B1000-memory.dmp	UPX
behavioral2/memory/844-569-0x00007FF71EE80000-0x00007FF71F271000-memory.dmp	UPX
behavioral2/memory/1932-647-0x00007FF65A5F0000-0x00007FF65A9E1000-memory.dmp	UPX
behavioral2/memory/4028-650-0x00007FF6FBEA0000-0x00007FF6FC291000-memory.dmp	UPX
behavioral2/memory/3120-653-0x00007FF72F6D0000-0x00007FF72FAC1000-memory.dmp	UPX
behavioral2/memory/4280-660-0x00007FF797790000-0x00007FF797B81000-memory.dmp	UPX
behavioral2/memory/4960-666-0x00007FF7F4390000-0x00007FF7F4781000-memory.dmp	UPX
behavioral2/memory/536-672-0x00007FF786A70000-0x00007FF786E61000-memory.dmp	UPX
behavioral2/memory/3144-682-0x00007FF7DD280000-0x00007FF7DD671000-memory.dmp	UPX
behavioral2/memory/3348-690-0x00007FF7AEF00000-0x00007FF7AF2F1000-memory.dmp	UPX
behavioral2/memory/4016-692-0x00007FF739230000-0x00007FF739621000-memory.dmp	UPX
behavioral2/memory/2448-694-0x00007FF7E5E40000-0x00007FF7E6231000-memory.dmp	UPX
behavioral2/memory/2656-687-0x00007FF6F82D0000-0x00007FF6F86C1000-memory.dmp	UPX
behavioral2/memory/3920-669-0x00007FF78DF70000-0x00007FF78E361000-memory.dmp	UPX
behavioral2/memory/4532-661-0x00007FF6C2C80000-0x00007FF6C3071000-memory.dmp	UPX
behavioral2/memory/4148-656-0x00007FF6E8D10000-0x00007FF6E9101000-memory.dmp	UPX
behavioral2/memory/2988-642-0x00007FF740530000-0x00007FF740921000-memory.dmp	UPX
behavioral2/memory/1268-558-0x00007FF6B85B0000-0x00007FF6B89A1000-memory.dmp	UPX
behavioral2/memory/4776-547-0x00007FF6CD650000-0x00007FF6CDA41000-memory.dmp	UPX
behavioral2/memory/2696-500-0x00007FF66E9C0000-0x00007FF66EDB1000-memory.dmp	UPX
behavioral2/memory/1364-497-0x00007FF6DFF80000-0x00007FF6E0371000-memory.dmp	UPX
behavioral2/memory/4356-476-0x00007FF624BB0000-0x00007FF624FA1000-memory.dmp	UPX
behavioral2/memory/2320-453-0x00007FF72DD50000-0x00007FF72E141000-memory.dmp	UPX

XMRig Miner payload 58 IoCs

miner

resource	yara_rule
behavioral2/memory/3008-22-0x00007FF7E5E80000-0x00007FF7E6271000-memory.dmp	xmrig
behavioral2/memory/2236-38-0x00007FF7111A0000-0x00007FF711591000-memory.dmp	xmrig
behavioral2/memory/2368-71-0x00007FF636840000-0x00007FF636C31000-memory.dmp	xmrig
behavioral2/memory/2692-361-0x00007FF687DA0000-0x00007FF688191000-memory.dmp	xmrig
behavioral2/memory/5072-362-0x00007FF6CF6F0000-0x00007FF6CFAE1000-memory.dmp	xmrig
behavioral2/memory/3560-360-0x00007FF6F94B0000-0x00007FF6F98A1000-memory.dmp	xmrig
behavioral2/memory/3376-363-0x00007FF708460000-0x00007FF708851000-memory.dmp	xmrig
behavioral2/memory/516-365-0x00007FF63DAF0000-0x00007FF63DEE1000-memory.dmp	xmrig
behavioral2/memory/4368-364-0x00007FF67E270000-0x00007FF67E661000-memory.dmp	xmrig
behavioral2/memory/4708-372-0x00007FF75DB50000-0x00007FF75DF41000-memory.dmp	xmrig
behavioral2/memory/2532-391-0x00007FF60AE90000-0x00007FF60B281000-memory.dmp	xmrig
behavioral2/memory/2948-394-0x00007FF72F700000-0x00007FF72FAF1000-memory.dmp	xmrig
behavioral2/memory/3104-407-0x00007FF77C630000-0x00007FF77CA21000-memory.dmp	xmrig
behavioral2/memory/3536-420-0x00007FF6AE760000-0x00007FF6AEB51000-memory.dmp	xmrig
behavioral2/memory/548-425-0x00007FF7D5360000-0x00007FF7D5751000-memory.dmp	xmrig
behavioral2/memory/8-429-0x00007FF630E10000-0x00007FF631201000-memory.dmp	xmrig
behavioral2/memory/4928-445-0x00007FF6880E0000-0x00007FF6884D1000-memory.dmp	xmrig
behavioral2/memory/808-451-0x00007FF7186B0000-0x00007FF718AA1000-memory.dmp	xmrig
behavioral2/memory/264-458-0x00007FF6B9640000-0x00007FF6B9A31000-memory.dmp	xmrig
behavioral2/memory/1588-471-0x00007FF606FE0000-0x00007FF6073D1000-memory.dmp	xmrig
behavioral2/memory/116-483-0x00007FF6973D0000-0x00007FF6977C1000-memory.dmp	xmrig
behavioral2/memory/624-479-0x00007FF711BF0000-0x00007FF711FE1000-memory.dmp	xmrig
behavioral2/memory/4160-489-0x00007FF71C320000-0x00007FF71C711000-memory.dmp	xmrig
behavioral2/memory/2944-506-0x00007FF62F200000-0x00007FF62F5F1000-memory.dmp	xmrig
behavioral2/memory/4940-549-0x00007FF7ADEC0000-0x00007FF7AE2B1000-memory.dmp	xmrig
behavioral2/memory/844-569-0x00007FF71EE80000-0x00007FF71F271000-memory.dmp	xmrig
behavioral2/memory/1932-647-0x00007FF65A5F0000-0x00007FF65A9E1000-memory.dmp	xmrig
behavioral2/memory/4028-650-0x00007FF6FBEA0000-0x00007FF6FC291000-memory.dmp	xmrig
behavioral2/memory/3120-653-0x00007FF72F6D0000-0x00007FF72FAC1000-memory.dmp	xmrig
behavioral2/memory/4280-660-0x00007FF797790000-0x00007FF797B81000-memory.dmp	xmrig
behavioral2/memory/4960-666-0x00007FF7F4390000-0x00007FF7F4781000-memory.dmp	xmrig
behavioral2/memory/536-672-0x00007FF786A70000-0x00007FF786E61000-memory.dmp	xmrig
behavioral2/memory/3144-682-0x00007FF7DD280000-0x00007FF7DD671000-memory.dmp	xmrig
behavioral2/memory/3348-690-0x00007FF7AEF00000-0x00007FF7AF2F1000-memory.dmp	xmrig
behavioral2/memory/4016-692-0x00007FF739230000-0x00007FF739621000-memory.dmp	xmrig
behavioral2/memory/2448-694-0x00007FF7E5E40000-0x00007FF7E6231000-memory.dmp	xmrig
behavioral2/memory/2656-687-0x00007FF6F82D0000-0x00007FF6F86C1000-memory.dmp	xmrig
behavioral2/memory/3920-669-0x00007FF78DF70000-0x00007FF78E361000-memory.dmp	xmrig
behavioral2/memory/4532-661-0x00007FF6C2C80000-0x00007FF6C3071000-memory.dmp	xmrig
behavioral2/memory/4148-656-0x00007FF6E8D10000-0x00007FF6E9101000-memory.dmp	xmrig
behavioral2/memory/2988-642-0x00007FF740530000-0x00007FF740921000-memory.dmp	xmrig
behavioral2/memory/1268-558-0x00007FF6B85B0000-0x00007FF6B89A1000-memory.dmp	xmrig
behavioral2/memory/4776-547-0x00007FF6CD650000-0x00007FF6CDA41000-memory.dmp	xmrig
behavioral2/memory/2696-500-0x00007FF66E9C0000-0x00007FF66EDB1000-memory.dmp	xmrig
behavioral2/memory/1364-497-0x00007FF6DFF80000-0x00007FF6E0371000-memory.dmp	xmrig
behavioral2/memory/4356-476-0x00007FF624BB0000-0x00007FF624FA1000-memory.dmp	xmrig
behavioral2/memory/2320-453-0x00007FF72DD50000-0x00007FF72E141000-memory.dmp	xmrig
behavioral2/memory/4596-442-0x00007FF7C7910000-0x00007FF7C7D01000-memory.dmp	xmrig
behavioral2/memory/3568-436-0x00007FF6343D0000-0x00007FF6347C1000-memory.dmp	xmrig
behavioral2/memory/532-417-0x00007FF6D9B00000-0x00007FF6D9EF1000-memory.dmp	xmrig
behavioral2/memory/5000-406-0x00007FF6BD7A0000-0x00007FF6BDB91000-memory.dmp	xmrig
behavioral2/memory/852-398-0x00007FF69C490000-0x00007FF69C881000-memory.dmp	xmrig
behavioral2/memory/764-367-0x00007FF621400000-0x00007FF6217F1000-memory.dmp	xmrig
behavioral2/memory/1092-366-0x00007FF619860000-0x00007FF619C51000-memory.dmp	xmrig
behavioral2/memory/4720-59-0x00007FF6FBF40000-0x00007FF6FC331000-memory.dmp	xmrig
behavioral2/memory/2744-57-0x00007FF6546F0000-0x00007FF654AE1000-memory.dmp	xmrig
behavioral2/memory/2216-34-0x00007FF7FC7F0000-0x00007FF7FCBE1000-memory.dmp	xmrig
behavioral2/memory/2752-27-0x00007FF6DFEC0000-0x00007FF6E02B1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3660	WzBCKOd.exe
2752	EkPpsjF.exe
3008	KYHcUsp.exe
4084	wfLmHwF.exe
2216	crKRlvM.exe
2236	UtAzCNT.exe
1728	OXYebKj.exe
2744	gVFnUAx.exe
4720	DusSOnS.exe
4772	YcFzzQK.exe
2368	eImTptq.exe
3772	bsuOQyC.exe
3560	zpOFYRx.exe
2692	gxfhilx.exe
5072	PsygLwS.exe
3376	sRAnxXG.exe
4368	JNiKsYi.exe
516	mSOEtAM.exe
1092	JdAmdib.exe
764	buyGdBo.exe
4708	MYQMaDb.exe
2532	KSJZJbO.exe
2948	xrHWAPT.exe
852	pkSksGz.exe
5000	IbSqoya.exe
3104	neKWbip.exe
532	ZvqWZqF.exe
3536	GOpQxYU.exe
548	MApyjys.exe
8	LmuRNHY.exe
3568	NgRxpwx.exe
4596	HmwHJLM.exe
4928	LNhulQk.exe
808	vpaSVxT.exe
2320	HOOaAKV.exe
264	zxhxFEw.exe
1588	YsULcmP.exe
4356	hJqeiNN.exe
624	UUPyYfH.exe
116	kGgbEsR.exe
4160	uFRRCPH.exe
1364	HWCShOT.exe
2696	WSwxEcF.exe
2944	oCTqyaA.exe
4776	otvXnWT.exe
4940	QfTGhPK.exe
1268	MtvpghC.exe
844	xDXyGjc.exe
2988	ArodWpe.exe
1932	mxmonsE.exe
4028	FenOUGT.exe
3120	nhOqfvT.exe
4148	dOurABP.exe
4280	YgdWVdd.exe
4532	HODCnnu.exe
4960	ZXADHph.exe
3920	EKkfYfx.exe
536	ClptrFc.exe
3144	dxakjOy.exe
2656	BPpNiND.exe
3348	YCsKgOQ.exe
4016	GlGJyLW.exe
2448	jdsWZzm.exe
2376	lWmHpJa.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3956-0-0x00007FF764730000-0x00007FF764B21000-memory.dmp	upx
behavioral2/files/0x0007000000023221-7.dat	upx
behavioral2/files/0x0007000000023222-19.dat	upx
behavioral2/memory/3008-22-0x00007FF7E5E80000-0x00007FF7E6271000-memory.dmp	upx
behavioral2/memory/4084-26-0x00007FF7E9FC0000-0x00007FF7EA3B1000-memory.dmp	upx
behavioral2/files/0x0007000000023224-36.dat	upx
behavioral2/files/0x0007000000023224-35.dat	upx
behavioral2/memory/2236-38-0x00007FF7111A0000-0x00007FF711591000-memory.dmp	upx
behavioral2/files/0x0007000000023225-41.dat	upx
behavioral2/files/0x0007000000023226-51.dat	upx
behavioral2/files/0x0007000000023227-49.dat	upx
behavioral2/files/0x0007000000023227-53.dat	upx
behavioral2/files/0x0007000000023228-61.dat	upx
behavioral2/memory/2368-71-0x00007FF636840000-0x00007FF636C31000-memory.dmp	upx
behavioral2/files/0x000700000002322a-78.dat	upx
behavioral2/files/0x000700000002322c-87.dat	upx
behavioral2/files/0x000700000002322d-92.dat	upx
behavioral2/files/0x000700000002322e-97.dat	upx
behavioral2/files/0x0007000000023230-107.dat	upx
behavioral2/files/0x0007000000023232-117.dat	upx
behavioral2/files/0x000700000002323b-162.dat	upx
behavioral2/memory/2692-361-0x00007FF687DA0000-0x00007FF688191000-memory.dmp	upx
behavioral2/memory/5072-362-0x00007FF6CF6F0000-0x00007FF6CFAE1000-memory.dmp	upx
behavioral2/memory/3560-360-0x00007FF6F94B0000-0x00007FF6F98A1000-memory.dmp	upx
behavioral2/memory/3376-363-0x00007FF708460000-0x00007FF708851000-memory.dmp	upx
behavioral2/memory/516-365-0x00007FF63DAF0000-0x00007FF63DEE1000-memory.dmp	upx
behavioral2/memory/4368-364-0x00007FF67E270000-0x00007FF67E661000-memory.dmp	upx
behavioral2/memory/4708-372-0x00007FF75DB50000-0x00007FF75DF41000-memory.dmp	upx
behavioral2/memory/2532-391-0x00007FF60AE90000-0x00007FF60B281000-memory.dmp	upx
behavioral2/memory/2948-394-0x00007FF72F700000-0x00007FF72FAF1000-memory.dmp	upx
behavioral2/memory/3104-407-0x00007FF77C630000-0x00007FF77CA21000-memory.dmp	upx
behavioral2/memory/3536-420-0x00007FF6AE760000-0x00007FF6AEB51000-memory.dmp	upx
behavioral2/memory/548-425-0x00007FF7D5360000-0x00007FF7D5751000-memory.dmp	upx
behavioral2/memory/8-429-0x00007FF630E10000-0x00007FF631201000-memory.dmp	upx
behavioral2/memory/4928-445-0x00007FF6880E0000-0x00007FF6884D1000-memory.dmp	upx
behavioral2/memory/808-451-0x00007FF7186B0000-0x00007FF718AA1000-memory.dmp	upx
behavioral2/memory/264-458-0x00007FF6B9640000-0x00007FF6B9A31000-memory.dmp	upx
behavioral2/memory/1588-471-0x00007FF606FE0000-0x00007FF6073D1000-memory.dmp	upx
behavioral2/memory/116-483-0x00007FF6973D0000-0x00007FF6977C1000-memory.dmp	upx
behavioral2/memory/624-479-0x00007FF711BF0000-0x00007FF711FE1000-memory.dmp	upx
behavioral2/memory/4160-489-0x00007FF71C320000-0x00007FF71C711000-memory.dmp	upx
behavioral2/memory/2944-506-0x00007FF62F200000-0x00007FF62F5F1000-memory.dmp	upx
behavioral2/memory/4940-549-0x00007FF7ADEC0000-0x00007FF7AE2B1000-memory.dmp	upx
behavioral2/memory/844-569-0x00007FF71EE80000-0x00007FF71F271000-memory.dmp	upx
behavioral2/memory/1932-647-0x00007FF65A5F0000-0x00007FF65A9E1000-memory.dmp	upx
behavioral2/memory/4028-650-0x00007FF6FBEA0000-0x00007FF6FC291000-memory.dmp	upx
behavioral2/memory/3120-653-0x00007FF72F6D0000-0x00007FF72FAC1000-memory.dmp	upx
behavioral2/memory/4280-660-0x00007FF797790000-0x00007FF797B81000-memory.dmp	upx
behavioral2/memory/4960-666-0x00007FF7F4390000-0x00007FF7F4781000-memory.dmp	upx
behavioral2/memory/536-672-0x00007FF786A70000-0x00007FF786E61000-memory.dmp	upx
behavioral2/memory/3144-682-0x00007FF7DD280000-0x00007FF7DD671000-memory.dmp	upx
behavioral2/memory/3348-690-0x00007FF7AEF00000-0x00007FF7AF2F1000-memory.dmp	upx
behavioral2/memory/4016-692-0x00007FF739230000-0x00007FF739621000-memory.dmp	upx
behavioral2/memory/2448-694-0x00007FF7E5E40000-0x00007FF7E6231000-memory.dmp	upx
behavioral2/memory/2656-687-0x00007FF6F82D0000-0x00007FF6F86C1000-memory.dmp	upx
behavioral2/memory/3920-669-0x00007FF78DF70000-0x00007FF78E361000-memory.dmp	upx
behavioral2/memory/4532-661-0x00007FF6C2C80000-0x00007FF6C3071000-memory.dmp	upx
behavioral2/memory/4148-656-0x00007FF6E8D10000-0x00007FF6E9101000-memory.dmp	upx
behavioral2/memory/2988-642-0x00007FF740530000-0x00007FF740921000-memory.dmp	upx
behavioral2/memory/1268-558-0x00007FF6B85B0000-0x00007FF6B89A1000-memory.dmp	upx
behavioral2/memory/4776-547-0x00007FF6CD650000-0x00007FF6CDA41000-memory.dmp	upx
behavioral2/memory/2696-500-0x00007FF66E9C0000-0x00007FF66EDB1000-memory.dmp	upx
behavioral2/memory/1364-497-0x00007FF6DFF80000-0x00007FF6E0371000-memory.dmp	upx
behavioral2/memory/4356-476-0x00007FF624BB0000-0x00007FF624FA1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\gxfhilx.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\DdkGsHN.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\ZPiTXXd.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\IKIkJxZ.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\wzKHMPN.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\fvYGocs.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\TmxnrVd.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\fsawWJi.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\zZIUBaT.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\fEUwnVi.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\YcFzzQK.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\WSwxEcF.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\okmHlnY.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\fPTrjaU.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\HexqFPy.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\CDFBbUU.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\ItfJAqd.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\RqGxAHx.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\LdKYrwn.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\GWzupHW.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\qyPzysC.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\bjlFThs.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\xDXyGjc.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\COrDFeK.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\BIeRTrQ.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\ulERseN.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\kYjhhKG.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\LmuRNHY.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\hJqeiNN.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\AxVDnDV.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\SXAZHtC.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\XHmnFSp.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\rVDgtjT.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\iHHRbin.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\IrjuKvl.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\YgdWVdd.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\eavaLJk.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\UkqpEwV.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\FkPQEFp.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\tlSZNdb.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\ETDztzJ.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\CEOnKoz.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\XfdEsgz.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\otvXnWT.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\peQWajC.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\sKKdjIm.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\BdJyZiq.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\PNWlOyS.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\TeVFzaR.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\bfZajBE.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\GLJXDhO.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\XTqSnGI.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\OIfXIxD.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\cPSOpEk.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\YmaOsTg.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\ZAWoNBy.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\MwzYzIO.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\skEgykc.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\VScGxPS.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\yxFNlQr.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\DpQgtlI.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\ugQUSFM.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\CtOwJVB.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
File created	C:\Windows\System32\hstrfUw.exe	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	9372	dwm.exe
Token: SeChangeNotifyPrivilege	9372	dwm.exe
Token: 33	9372	dwm.exe
Token: SeIncBasePriorityPrivilege	9372	dwm.exe
Token: SeCreateGlobalPrivilege	1184	dwm.exe
Token: SeChangeNotifyPrivilege	1184	dwm.exe
Token: 33	1184	dwm.exe
Token: SeIncBasePriorityPrivilege	1184	dwm.exe
Token: SeCreateGlobalPrivilege	2992	dwm.exe
Token: SeChangeNotifyPrivilege	2992	dwm.exe
Token: 33	2992	dwm.exe
Token: SeIncBasePriorityPrivilege	2992	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 3660	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	91
PID 3956 wrote to memory of 3660	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	91
PID 3956 wrote to memory of 3008	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	92
PID 3956 wrote to memory of 3008	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	92
PID 3956 wrote to memory of 2752	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	93
PID 3956 wrote to memory of 2752	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	93
PID 3956 wrote to memory of 4084	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	94
PID 3956 wrote to memory of 4084	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	94
PID 3956 wrote to memory of 2216	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	95
PID 3956 wrote to memory of 2216	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	95
PID 3956 wrote to memory of 2236	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	96
PID 3956 wrote to memory of 2236	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	96
PID 3956 wrote to memory of 1728	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	97
PID 3956 wrote to memory of 1728	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	97
PID 3956 wrote to memory of 2744	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	98
PID 3956 wrote to memory of 2744	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	98
PID 3956 wrote to memory of 4720	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	99
PID 3956 wrote to memory of 4720	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	99
PID 3956 wrote to memory of 4772	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	100
PID 3956 wrote to memory of 4772	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	100
PID 3956 wrote to memory of 2368	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	101
PID 3956 wrote to memory of 2368	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	101
PID 3956 wrote to memory of 3772	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	102
PID 3956 wrote to memory of 3772	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	102
PID 3956 wrote to memory of 3560	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	103
PID 3956 wrote to memory of 3560	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	103
PID 3956 wrote to memory of 2692	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	104
PID 3956 wrote to memory of 2692	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	104
PID 3956 wrote to memory of 5072	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	105
PID 3956 wrote to memory of 5072	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	105
PID 3956 wrote to memory of 3376	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	106
PID 3956 wrote to memory of 3376	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	106
PID 3956 wrote to memory of 4368	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	107
PID 3956 wrote to memory of 4368	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	107
PID 3956 wrote to memory of 516	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	108
PID 3956 wrote to memory of 516	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	108
PID 3956 wrote to memory of 1092	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	109
PID 3956 wrote to memory of 1092	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	109
PID 3956 wrote to memory of 764	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	110
PID 3956 wrote to memory of 764	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	110
PID 3956 wrote to memory of 4708	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	111
PID 3956 wrote to memory of 4708	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	111
PID 3956 wrote to memory of 2532	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	112
PID 3956 wrote to memory of 2532	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	112
PID 3956 wrote to memory of 2948	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	113
PID 3956 wrote to memory of 2948	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	113
PID 3956 wrote to memory of 852	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	114
PID 3956 wrote to memory of 852	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	114
PID 3956 wrote to memory of 5000	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	115
PID 3956 wrote to memory of 5000	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	115
PID 3956 wrote to memory of 3104	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	116
PID 3956 wrote to memory of 3104	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	116
PID 3956 wrote to memory of 532	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	117
PID 3956 wrote to memory of 532	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	117
PID 3956 wrote to memory of 3536	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	118
PID 3956 wrote to memory of 3536	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	118
PID 3956 wrote to memory of 548	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	119
PID 3956 wrote to memory of 548	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	119
PID 3956 wrote to memory of 8	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	120
PID 3956 wrote to memory of 8	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	120
PID 3956 wrote to memory of 3568	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	121
PID 3956 wrote to memory of 3568	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	121
PID 3956 wrote to memory of 4596	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	122
PID 3956 wrote to memory of 4596	3956	a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe	122

C:\Users\Admin\AppData\Local\Temp\a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe
"C:\Users\Admin\AppData\Local\Temp\a2fd90e4832710094fd35110c1830056f8a596425adf0d0bac7e3caf8b78381f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\System32\WzBCKOd.exe
  C:\Windows\System32\WzBCKOd.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\KYHcUsp.exe
  C:\Windows\System32\KYHcUsp.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System32\EkPpsjF.exe
  C:\Windows\System32\EkPpsjF.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\wfLmHwF.exe
  C:\Windows\System32\wfLmHwF.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System32\crKRlvM.exe
  C:\Windows\System32\crKRlvM.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\UtAzCNT.exe
  C:\Windows\System32\UtAzCNT.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System32\OXYebKj.exe
  C:\Windows\System32\OXYebKj.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System32\gVFnUAx.exe
  C:\Windows\System32\gVFnUAx.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\DusSOnS.exe
  C:\Windows\System32\DusSOnS.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System32\YcFzzQK.exe
  C:\Windows\System32\YcFzzQK.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System32\eImTptq.exe
  C:\Windows\System32\eImTptq.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\bsuOQyC.exe
  C:\Windows\System32\bsuOQyC.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System32\zpOFYRx.exe
  C:\Windows\System32\zpOFYRx.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\gxfhilx.exe
  C:\Windows\System32\gxfhilx.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\PsygLwS.exe
  C:\Windows\System32\PsygLwS.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System32\sRAnxXG.exe
  C:\Windows\System32\sRAnxXG.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System32\JNiKsYi.exe
  C:\Windows\System32\JNiKsYi.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\mSOEtAM.exe
  C:\Windows\System32\mSOEtAM.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System32\JdAmdib.exe
  C:\Windows\System32\JdAmdib.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System32\buyGdBo.exe
  C:\Windows\System32\buyGdBo.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System32\MYQMaDb.exe
  C:\Windows\System32\MYQMaDb.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\KSJZJbO.exe
  C:\Windows\System32\KSJZJbO.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\xrHWAPT.exe
  C:\Windows\System32\xrHWAPT.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System32\pkSksGz.exe
  C:\Windows\System32\pkSksGz.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System32\IbSqoya.exe
  C:\Windows\System32\IbSqoya.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System32\neKWbip.exe
  C:\Windows\System32\neKWbip.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System32\ZvqWZqF.exe
  C:\Windows\System32\ZvqWZqF.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\GOpQxYU.exe
  C:\Windows\System32\GOpQxYU.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System32\MApyjys.exe
  C:\Windows\System32\MApyjys.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\LmuRNHY.exe
  C:\Windows\System32\LmuRNHY.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System32\NgRxpwx.exe
  C:\Windows\System32\NgRxpwx.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System32\HmwHJLM.exe
  C:\Windows\System32\HmwHJLM.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System32\LNhulQk.exe
  C:\Windows\System32\LNhulQk.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\vpaSVxT.exe
  C:\Windows\System32\vpaSVxT.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System32\HOOaAKV.exe
  C:\Windows\System32\HOOaAKV.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System32\zxhxFEw.exe
  C:\Windows\System32\zxhxFEw.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System32\YsULcmP.exe
  C:\Windows\System32\YsULcmP.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\hJqeiNN.exe
  C:\Windows\System32\hJqeiNN.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\UUPyYfH.exe
  C:\Windows\System32\UUPyYfH.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\kGgbEsR.exe
  C:\Windows\System32\kGgbEsR.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System32\uFRRCPH.exe
  C:\Windows\System32\uFRRCPH.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System32\HWCShOT.exe
  C:\Windows\System32\HWCShOT.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System32\WSwxEcF.exe
  C:\Windows\System32\WSwxEcF.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System32\oCTqyaA.exe
  C:\Windows\System32\oCTqyaA.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System32\otvXnWT.exe
  C:\Windows\System32\otvXnWT.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\QfTGhPK.exe
  C:\Windows\System32\QfTGhPK.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System32\MtvpghC.exe
  C:\Windows\System32\MtvpghC.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System32\xDXyGjc.exe
  C:\Windows\System32\xDXyGjc.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System32\ArodWpe.exe
  C:\Windows\System32\ArodWpe.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\mxmonsE.exe
  C:\Windows\System32\mxmonsE.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\FenOUGT.exe
  C:\Windows\System32\FenOUGT.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\nhOqfvT.exe
  C:\Windows\System32\nhOqfvT.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System32\dOurABP.exe
  C:\Windows\System32\dOurABP.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System32\YgdWVdd.exe
  C:\Windows\System32\YgdWVdd.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\HODCnnu.exe
  C:\Windows\System32\HODCnnu.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System32\ZXADHph.exe
  C:\Windows\System32\ZXADHph.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\EKkfYfx.exe
  C:\Windows\System32\EKkfYfx.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\ClptrFc.exe
  C:\Windows\System32\ClptrFc.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System32\dxakjOy.exe
  C:\Windows\System32\dxakjOy.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System32\BPpNiND.exe
  C:\Windows\System32\BPpNiND.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System32\YCsKgOQ.exe
  C:\Windows\System32\YCsKgOQ.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System32\GlGJyLW.exe
  C:\Windows\System32\GlGJyLW.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System32\jdsWZzm.exe
  C:\Windows\System32\jdsWZzm.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System32\lWmHpJa.exe
  C:\Windows\System32\lWmHpJa.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System32\sZlhjvU.exe
  C:\Windows\System32\sZlhjvU.exe
  2⤵
  PID:4628
- C:\Windows\System32\QfKRGxS.exe
  C:\Windows\System32\QfKRGxS.exe
  2⤵
  PID:1156
- C:\Windows\System32\PEPTtVD.exe
  C:\Windows\System32\PEPTtVD.exe
  2⤵
  PID:3888
- C:\Windows\System32\VdLIGhV.exe
  C:\Windows\System32\VdLIGhV.exe
  2⤵
  PID:1692
- C:\Windows\System32\LdKYrwn.exe
  C:\Windows\System32\LdKYrwn.exe
  2⤵
  PID:2720
- C:\Windows\System32\aNdnqlT.exe
  C:\Windows\System32\aNdnqlT.exe
  2⤵
  PID:4812
- C:\Windows\System32\NnKobQm.exe
  C:\Windows\System32\NnKobQm.exe
  2⤵
  PID:5152
- C:\Windows\System32\eavaLJk.exe
  C:\Windows\System32\eavaLJk.exe
  2⤵
  PID:5184
- C:\Windows\System32\MLSMQZK.exe
  C:\Windows\System32\MLSMQZK.exe
  2⤵
  PID:5208
- C:\Windows\System32\OHALUkF.exe
  C:\Windows\System32\OHALUkF.exe
  2⤵
  PID:5236
- C:\Windows\System32\MEJHGpU.exe
  C:\Windows\System32\MEJHGpU.exe
  2⤵
  PID:5268
- C:\Windows\System32\TeEDHfh.exe
  C:\Windows\System32\TeEDHfh.exe
  2⤵
  PID:5304
- C:\Windows\System32\QOAWvSn.exe
  C:\Windows\System32\QOAWvSn.exe
  2⤵
  PID:5332
- C:\Windows\System32\bEFzNGZ.exe
  C:\Windows\System32\bEFzNGZ.exe
  2⤵
  PID:5368
- C:\Windows\System32\qKbkatk.exe
  C:\Windows\System32\qKbkatk.exe
  2⤵
  PID:5396
- C:\Windows\System32\nMoXzDp.exe
  C:\Windows\System32\nMoXzDp.exe
  2⤵
  PID:5424
- C:\Windows\System32\LmgpGcu.exe
  C:\Windows\System32\LmgpGcu.exe
  2⤵
  PID:5452
- C:\Windows\System32\MfSfsWL.exe
  C:\Windows\System32\MfSfsWL.exe
  2⤵
  PID:5484
- C:\Windows\System32\mBMVdcC.exe
  C:\Windows\System32\mBMVdcC.exe
  2⤵
  PID:5512
- C:\Windows\System32\xJwyTJM.exe
  C:\Windows\System32\xJwyTJM.exe
  2⤵
  PID:5540
- C:\Windows\System32\LLyYIbU.exe
  C:\Windows\System32\LLyYIbU.exe
  2⤵
  PID:5568
- C:\Windows\System32\vOfcipT.exe
  C:\Windows\System32\vOfcipT.exe
  2⤵
  PID:5596
- C:\Windows\System32\dcwtOlE.exe
  C:\Windows\System32\dcwtOlE.exe
  2⤵
  PID:5628
- C:\Windows\System32\cPSOpEk.exe
  C:\Windows\System32\cPSOpEk.exe
  2⤵
  PID:5656
- C:\Windows\System32\miWCjrk.exe
  C:\Windows\System32\miWCjrk.exe
  2⤵
  PID:5680
- C:\Windows\System32\PEZJTrT.exe
  C:\Windows\System32\PEZJTrT.exe
  2⤵
  PID:5704
- C:\Windows\System32\kGftFnK.exe
  C:\Windows\System32\kGftFnK.exe
  2⤵
  PID:5740
- C:\Windows\System32\UkqpEwV.exe
  C:\Windows\System32\UkqpEwV.exe
  2⤵
  PID:5768
- C:\Windows\System32\CDFBbUU.exe
  C:\Windows\System32\CDFBbUU.exe
  2⤵
  PID:5792
- C:\Windows\System32\DJyHaGH.exe
  C:\Windows\System32\DJyHaGH.exe
  2⤵
  PID:5820
- C:\Windows\System32\xNMRVMM.exe
  C:\Windows\System32\xNMRVMM.exe
  2⤵
  PID:5848
- C:\Windows\System32\iKNYczx.exe
  C:\Windows\System32\iKNYczx.exe
  2⤵
  PID:5972
- C:\Windows\System32\okmHlnY.exe
  C:\Windows\System32\okmHlnY.exe
  2⤵
  PID:5988
- C:\Windows\System32\YqCGDpX.exe
  C:\Windows\System32\YqCGDpX.exe
  2⤵
  PID:6016
- C:\Windows\System32\GXwGdku.exe
  C:\Windows\System32\GXwGdku.exe
  2⤵
  PID:6036
- C:\Windows\System32\ugdxEXS.exe
  C:\Windows\System32\ugdxEXS.exe
  2⤵
  PID:6056
- C:\Windows\System32\hmsCtcD.exe
  C:\Windows\System32\hmsCtcD.exe
  2⤵
  PID:6072
- C:\Windows\System32\VScGxPS.exe
  C:\Windows\System32\VScGxPS.exe
  2⤵
  PID:6088
- C:\Windows\System32\rjUDmWd.exe
  C:\Windows\System32\rjUDmWd.exe
  2⤵
  PID:6108
- C:\Windows\System32\CxZwQsK.exe
  C:\Windows\System32\CxZwQsK.exe
  2⤵
  PID:6128
- C:\Windows\System32\PZpweej.exe
  C:\Windows\System32\PZpweej.exe
  2⤵
  PID:3056
- C:\Windows\System32\bKhbxyX.exe
  C:\Windows\System32\bKhbxyX.exe
  2⤵
  PID:3112
- C:\Windows\System32\gyiKEZb.exe
  C:\Windows\System32\gyiKEZb.exe
  2⤵
  PID:5320
- C:\Windows\System32\peQWajC.exe
  C:\Windows\System32\peQWajC.exe
  2⤵
  PID:5380
- C:\Windows\System32\UUXZiyE.exe
  C:\Windows\System32\UUXZiyE.exe
  2⤵
  PID:3240
- C:\Windows\System32\fIUsWfK.exe
  C:\Windows\System32\fIUsWfK.exe
  2⤵
  PID:5448
- C:\Windows\System32\Owunnci.exe
  C:\Windows\System32\Owunnci.exe
  2⤵
  PID:5504
- C:\Windows\System32\FLPWytd.exe
  C:\Windows\System32\FLPWytd.exe
  2⤵
  PID:5580
- C:\Windows\System32\wKiKrGg.exe
  C:\Windows\System32\wKiKrGg.exe
  2⤵
  PID:5640
- C:\Windows\System32\QEwuTNe.exe
  C:\Windows\System32\QEwuTNe.exe
  2⤵
  PID:5700
- C:\Windows\System32\GfsfYyp.exe
  C:\Windows\System32\GfsfYyp.exe
  2⤵
  PID:5720
- C:\Windows\System32\UaJjNac.exe
  C:\Windows\System32\UaJjNac.exe
  2⤵
  PID:956
- C:\Windows\System32\OBfUlaE.exe
  C:\Windows\System32\OBfUlaE.exe
  2⤵
  PID:2296
- C:\Windows\System32\rpoTkFs.exe
  C:\Windows\System32\rpoTkFs.exe
  2⤵
  PID:2364
- C:\Windows\System32\jGeQaVT.exe
  C:\Windows\System32\jGeQaVT.exe
  2⤵
  PID:5964
- C:\Windows\System32\XQmTTOM.exe
  C:\Windows\System32\XQmTTOM.exe
  2⤵
  PID:3692
- C:\Windows\System32\yrHaNcQ.exe
  C:\Windows\System32\yrHaNcQ.exe
  2⤵
  PID:1424
- C:\Windows\System32\XzQFBXD.exe
  C:\Windows\System32\XzQFBXD.exe
  2⤵
  PID:3512
- C:\Windows\System32\FkPQEFp.exe
  C:\Windows\System32\FkPQEFp.exe
  2⤵
  PID:5980
- C:\Windows\System32\XYkqXhZ.exe
  C:\Windows\System32\XYkqXhZ.exe
  2⤵
  PID:6008
- C:\Windows\System32\JEqnATD.exe
  C:\Windows\System32\JEqnATD.exe
  2⤵
  PID:6048
- C:\Windows\System32\XHmnFSp.exe
  C:\Windows\System32\XHmnFSp.exe
  2⤵
  PID:6084
- C:\Windows\System32\pjQXFRk.exe
  C:\Windows\System32\pjQXFRk.exe
  2⤵
  PID:4072
- C:\Windows\System32\ZKLFmXM.exe
  C:\Windows\System32\ZKLFmXM.exe
  2⤵
  PID:5532
- C:\Windows\System32\zJjDjJx.exe
  C:\Windows\System32\zJjDjJx.exe
  2⤵
  PID:4952
- C:\Windows\System32\whzXolh.exe
  C:\Windows\System32\whzXolh.exe
  2⤵
  PID:2756
- C:\Windows\System32\skqqGKX.exe
  C:\Windows\System32\skqqGKX.exe
  2⤵
  PID:1904
- C:\Windows\System32\qejZUyM.exe
  C:\Windows\System32\qejZUyM.exe
  2⤵
  PID:6028
- C:\Windows\System32\KbeYSfM.exe
  C:\Windows\System32\KbeYSfM.exe
  2⤵
  PID:6044
- C:\Windows\System32\LrgxYmO.exe
  C:\Windows\System32\LrgxYmO.exe
  2⤵
  PID:6068
- C:\Windows\System32\oRutjfQ.exe
  C:\Windows\System32\oRutjfQ.exe
  2⤵
  PID:5556
- C:\Windows\System32\nHmmPMH.exe
  C:\Windows\System32\nHmmPMH.exe
  2⤵
  PID:5784
- C:\Windows\System32\CPSSEMK.exe
  C:\Windows\System32\CPSSEMK.exe
  2⤵
  PID:5860
- C:\Windows\System32\MykQeZW.exe
  C:\Windows\System32\MykQeZW.exe
  2⤵
  PID:6004
- C:\Windows\System32\sgfhwfn.exe
  C:\Windows\System32\sgfhwfn.exe
  2⤵
  PID:6352
- C:\Windows\System32\NJDETwL.exe
  C:\Windows\System32\NJDETwL.exe
  2⤵
  PID:6420
- C:\Windows\System32\McPXFOS.exe
  C:\Windows\System32\McPXFOS.exe
  2⤵
  PID:6440
- C:\Windows\System32\XQoYsGl.exe
  C:\Windows\System32\XQoYsGl.exe
  2⤵
  PID:6480
- C:\Windows\System32\GWzupHW.exe
  C:\Windows\System32\GWzupHW.exe
  2⤵
  PID:6516
- C:\Windows\System32\YrIMqib.exe
  C:\Windows\System32\YrIMqib.exe
  2⤵
  PID:6564
- C:\Windows\System32\qyPzysC.exe
  C:\Windows\System32\qyPzysC.exe
  2⤵
  PID:6592
- C:\Windows\System32\FfuUzSl.exe
  C:\Windows\System32\FfuUzSl.exe
  2⤵
  PID:6620
- C:\Windows\System32\rVDgtjT.exe
  C:\Windows\System32\rVDgtjT.exe
  2⤵
  PID:6672
- C:\Windows\System32\ZrxBQmv.exe
  C:\Windows\System32\ZrxBQmv.exe
  2⤵
  PID:6712
- C:\Windows\System32\taDdwWH.exe
  C:\Windows\System32\taDdwWH.exe
  2⤵
  PID:6748
- C:\Windows\System32\lUEDVsc.exe
  C:\Windows\System32\lUEDVsc.exe
  2⤵
  PID:6768
- C:\Windows\System32\ZPiTXXd.exe
  C:\Windows\System32\ZPiTXXd.exe
  2⤵
  PID:6800
- C:\Windows\System32\iGXlKgi.exe
  C:\Windows\System32\iGXlKgi.exe
  2⤵
  PID:6852
- C:\Windows\System32\RasYCJz.exe
  C:\Windows\System32\RasYCJz.exe
  2⤵
  PID:6876
- C:\Windows\System32\iHHRbin.exe
  C:\Windows\System32\iHHRbin.exe
  2⤵
  PID:6940
- C:\Windows\System32\uVBOJDR.exe
  C:\Windows\System32\uVBOJDR.exe
  2⤵
  PID:6988
- C:\Windows\System32\vUoCnsm.exe
  C:\Windows\System32\vUoCnsm.exe
  2⤵
  PID:7024
- C:\Windows\System32\aXKcDEu.exe
  C:\Windows\System32\aXKcDEu.exe
  2⤵
  PID:7044
- C:\Windows\System32\kWoZCua.exe
  C:\Windows\System32\kWoZCua.exe
  2⤵
  PID:7060
- C:\Windows\System32\xohXYbE.exe
  C:\Windows\System32\xohXYbE.exe
  2⤵
  PID:7124
- C:\Windows\System32\bfZajBE.exe
  C:\Windows\System32\bfZajBE.exe
  2⤵
  PID:7144
- C:\Windows\System32\ppxLIPI.exe
  C:\Windows\System32\ppxLIPI.exe
  2⤵
  PID:2556
- C:\Windows\System32\QyObWwE.exe
  C:\Windows\System32\QyObWwE.exe
  2⤵
  PID:6140
- C:\Windows\System32\DhRQLQp.exe
  C:\Windows\System32\DhRQLQp.exe
  2⤵
  PID:6164
- C:\Windows\System32\NReLdOH.exe
  C:\Windows\System32\NReLdOH.exe
  2⤵
  PID:6188
- C:\Windows\System32\dQkqWxR.exe
  C:\Windows\System32\dQkqWxR.exe
  2⤵
  PID:6232
- C:\Windows\System32\JSQeruD.exe
  C:\Windows\System32\JSQeruD.exe
  2⤵
  PID:6300
- C:\Windows\System32\vULAqVG.exe
  C:\Windows\System32\vULAqVG.exe
  2⤵
  PID:6312
- C:\Windows\System32\WMZPIms.exe
  C:\Windows\System32\WMZPIms.exe
  2⤵
  PID:5528
- C:\Windows\System32\ZosZwMu.exe
  C:\Windows\System32\ZosZwMu.exe
  2⤵
  PID:3532
- C:\Windows\System32\ZBQcNhU.exe
  C:\Windows\System32\ZBQcNhU.exe
  2⤵
  PID:6392
- C:\Windows\System32\GqYQEIA.exe
  C:\Windows\System32\GqYQEIA.exe
  2⤵
  PID:6508
- C:\Windows\System32\fpSyUco.exe
  C:\Windows\System32\fpSyUco.exe
  2⤵
  PID:6636
- C:\Windows\System32\zAzRlpq.exe
  C:\Windows\System32\zAzRlpq.exe
  2⤵
  PID:6616
- C:\Windows\System32\vEupeUK.exe
  C:\Windows\System32\vEupeUK.exe
  2⤵
  PID:6688
- C:\Windows\System32\spCrocV.exe
  C:\Windows\System32\spCrocV.exe
  2⤵
  PID:2868
- C:\Windows\System32\MaOQPsr.exe
  C:\Windows\System32\MaOQPsr.exe
  2⤵
  PID:6780
- C:\Windows\System32\KizGHUe.exe
  C:\Windows\System32\KizGHUe.exe
  2⤵
  PID:6904
- C:\Windows\System32\sKKdjIm.exe
  C:\Windows\System32\sKKdjIm.exe
  2⤵
  PID:6888
- C:\Windows\System32\BpFFFZo.exe
  C:\Windows\System32\BpFFFZo.exe
  2⤵
  PID:7032
- C:\Windows\System32\CtOwJVB.exe
  C:\Windows\System32\CtOwJVB.exe
  2⤵
  PID:7096
- C:\Windows\System32\RVIpnSM.exe
  C:\Windows\System32\RVIpnSM.exe
  2⤵
  PID:4568
- C:\Windows\System32\wLeLrmb.exe
  C:\Windows\System32\wLeLrmb.exe
  2⤵
  PID:7164
- C:\Windows\System32\kzzysLI.exe
  C:\Windows\System32\kzzysLI.exe
  2⤵
  PID:6200
- C:\Windows\System32\IKIkJxZ.exe
  C:\Windows\System32\IKIkJxZ.exe
  2⤵
  PID:6212
- C:\Windows\System32\dekcxSa.exe
  C:\Windows\System32\dekcxSa.exe
  2⤵
  PID:6272
- C:\Windows\System32\YmaOsTg.exe
  C:\Windows\System32\YmaOsTg.exe
  2⤵
  PID:6296
- C:\Windows\System32\wcgCXKg.exe
  C:\Windows\System32\wcgCXKg.exe
  2⤵
  PID:6572
- C:\Windows\System32\GLJXDhO.exe
  C:\Windows\System32\GLJXDhO.exe
  2⤵
  PID:6740
- C:\Windows\System32\hFEtUPI.exe
  C:\Windows\System32\hFEtUPI.exe
  2⤵
  PID:7004
- C:\Windows\System32\EzKJCOT.exe
  C:\Windows\System32\EzKJCOT.exe
  2⤵
  PID:884
- C:\Windows\System32\EMmLnnN.exe
  C:\Windows\System32\EMmLnnN.exe
  2⤵
  PID:7052
- C:\Windows\System32\fPTrjaU.exe
  C:\Windows\System32\fPTrjaU.exe
  2⤵
  PID:7132
- C:\Windows\System32\OnXphyz.exe
  C:\Windows\System32\OnXphyz.exe
  2⤵
  PID:2820
- C:\Windows\System32\fsdvELl.exe
  C:\Windows\System32\fsdvELl.exe
  2⤵
  PID:6700
- C:\Windows\System32\wMQuYZx.exe
  C:\Windows\System32\wMQuYZx.exe
  2⤵
  PID:6812
- C:\Windows\System32\gUeplXa.exe
  C:\Windows\System32\gUeplXa.exe
  2⤵
  PID:6924
- C:\Windows\System32\yBudelj.exe
  C:\Windows\System32\yBudelj.exe
  2⤵
  PID:6240
- C:\Windows\System32\ObVzlbR.exe
  C:\Windows\System32\ObVzlbR.exe
  2⤵
  PID:6868
- C:\Windows\System32\ItfJAqd.exe
  C:\Windows\System32\ItfJAqd.exe
  2⤵
  PID:1496
- C:\Windows\System32\SQswYll.exe
  C:\Windows\System32\SQswYll.exe
  2⤵
  PID:7180
- C:\Windows\System32\kdnvwWt.exe
  C:\Windows\System32\kdnvwWt.exe
  2⤵
  PID:7228
- C:\Windows\System32\YiLzpVF.exe
  C:\Windows\System32\YiLzpVF.exe
  2⤵
  PID:7292
- C:\Windows\System32\nsdLrkR.exe
  C:\Windows\System32\nsdLrkR.exe
  2⤵
  PID:7360
- C:\Windows\System32\TmxnrVd.exe
  C:\Windows\System32\TmxnrVd.exe
  2⤵
  PID:7380
- C:\Windows\System32\yxFNlQr.exe
  C:\Windows\System32\yxFNlQr.exe
  2⤵
  PID:7416
- C:\Windows\System32\nHlZNfs.exe
  C:\Windows\System32\nHlZNfs.exe
  2⤵
  PID:7444
- C:\Windows\System32\PQYwFtj.exe
  C:\Windows\System32\PQYwFtj.exe
  2⤵
  PID:7472
- C:\Windows\System32\IrjuKvl.exe
  C:\Windows\System32\IrjuKvl.exe
  2⤵
  PID:7520
- C:\Windows\System32\KMIVtHN.exe
  C:\Windows\System32\KMIVtHN.exe
  2⤵
  PID:7548
- C:\Windows\System32\xshxoAD.exe
  C:\Windows\System32\xshxoAD.exe
  2⤵
  PID:7576
- C:\Windows\System32\etZNuwx.exe
  C:\Windows\System32\etZNuwx.exe
  2⤵
  PID:7616
- C:\Windows\System32\wzKHMPN.exe
  C:\Windows\System32\wzKHMPN.exe
  2⤵
  PID:7640
- C:\Windows\System32\dVTbwHj.exe
  C:\Windows\System32\dVTbwHj.exe
  2⤵
  PID:7668
- C:\Windows\System32\coSQufZ.exe
  C:\Windows\System32\coSQufZ.exe
  2⤵
  PID:7712
- C:\Windows\System32\XUGgiBR.exe
  C:\Windows\System32\XUGgiBR.exe
  2⤵
  PID:7736
- C:\Windows\System32\KqbNwFG.exe
  C:\Windows\System32\KqbNwFG.exe
  2⤵
  PID:7768
- C:\Windows\System32\sEXurad.exe
  C:\Windows\System32\sEXurad.exe
  2⤵
  PID:7800
- C:\Windows\System32\cthfkLp.exe
  C:\Windows\System32\cthfkLp.exe
  2⤵
  PID:7832
- C:\Windows\System32\fsawWJi.exe
  C:\Windows\System32\fsawWJi.exe
  2⤵
  PID:7868
- C:\Windows\System32\eysTkwP.exe
  C:\Windows\System32\eysTkwP.exe
  2⤵
  PID:7888
- C:\Windows\System32\RqGxAHx.exe
  C:\Windows\System32\RqGxAHx.exe
  2⤵
  PID:7904
- C:\Windows\System32\KOoypKt.exe
  C:\Windows\System32\KOoypKt.exe
  2⤵
  PID:7920
- C:\Windows\System32\mOfNajn.exe
  C:\Windows\System32\mOfNajn.exe
  2⤵
  PID:7940
- C:\Windows\System32\bjlFThs.exe
  C:\Windows\System32\bjlFThs.exe
  2⤵
  PID:7976
- C:\Windows\System32\LgBaWHv.exe
  C:\Windows\System32\LgBaWHv.exe
  2⤵
  PID:8044
- C:\Windows\System32\enplSVX.exe
  C:\Windows\System32\enplSVX.exe
  2⤵
  PID:8080
- C:\Windows\System32\SXNXxaK.exe
  C:\Windows\System32\SXNXxaK.exe
  2⤵
  PID:8120
- C:\Windows\System32\tlSZNdb.exe
  C:\Windows\System32\tlSZNdb.exe
  2⤵
  PID:8152
- C:\Windows\System32\HbswZHd.exe
  C:\Windows\System32\HbswZHd.exe
  2⤵
  PID:8188
- C:\Windows\System32\KnWNPlY.exe
  C:\Windows\System32\KnWNPlY.exe
  2⤵
  PID:3916
- C:\Windows\System32\LcbsJgg.exe
  C:\Windows\System32\LcbsJgg.exe
  2⤵
  PID:6328
- C:\Windows\System32\JrVYpyp.exe
  C:\Windows\System32\JrVYpyp.exe
  2⤵
  PID:7220
- C:\Windows\System32\DdkGsHN.exe
  C:\Windows\System32\DdkGsHN.exe
  2⤵
  PID:7280
- C:\Windows\System32\DMbreKf.exe
  C:\Windows\System32\DMbreKf.exe
  2⤵
  PID:7372
- C:\Windows\System32\mXGzxSC.exe
  C:\Windows\System32\mXGzxSC.exe
  2⤵
  PID:7400
- C:\Windows\System32\ZRbZsxC.exe
  C:\Windows\System32\ZRbZsxC.exe
  2⤵
  PID:4444
- C:\Windows\System32\BnzuxCW.exe
  C:\Windows\System32\BnzuxCW.exe
  2⤵
  PID:7484
- C:\Windows\System32\vGKggoZ.exe
  C:\Windows\System32\vGKggoZ.exe
  2⤵
  PID:7512
- C:\Windows\System32\fvYGocs.exe
  C:\Windows\System32\fvYGocs.exe
  2⤵
  PID:7608
- C:\Windows\System32\BdJyZiq.exe
  C:\Windows\System32\BdJyZiq.exe
  2⤵
  PID:7604
- C:\Windows\System32\zZIUBaT.exe
  C:\Windows\System32\zZIUBaT.exe
  2⤵
  PID:7648
- C:\Windows\System32\nJDFzWY.exe
  C:\Windows\System32\nJDFzWY.exe
  2⤵
  PID:7624
- C:\Windows\System32\nLpEihp.exe
  C:\Windows\System32\nLpEihp.exe
  2⤵
  PID:7760
- C:\Windows\System32\kOhfQUt.exe
  C:\Windows\System32\kOhfQUt.exe
  2⤵
  PID:7792
- C:\Windows\System32\HkxMJwg.exe
  C:\Windows\System32\HkxMJwg.exe
  2⤵
  PID:5692
- C:\Windows\System32\JAZirrW.exe
  C:\Windows\System32\JAZirrW.exe
  2⤵
  PID:7992
- C:\Windows\System32\azCGZdU.exe
  C:\Windows\System32\azCGZdU.exe
  2⤵
  PID:8052
- C:\Windows\System32\XTqSnGI.exe
  C:\Windows\System32\XTqSnGI.exe
  2⤵
  PID:8108
- C:\Windows\System32\ZwyKrvY.exe
  C:\Windows\System32\ZwyKrvY.exe
  2⤵
  PID:8176
- C:\Windows\System32\fEUwnVi.exe
  C:\Windows\System32\fEUwnVi.exe
  2⤵
  PID:8184
- C:\Windows\System32\mrZciNy.exe
  C:\Windows\System32\mrZciNy.exe
  2⤵
  PID:5612
- C:\Windows\System32\SYcWWRD.exe
  C:\Windows\System32\SYcWWRD.exe
  2⤵
  PID:7300
- C:\Windows\System32\PrmIJQu.exe
  C:\Windows\System32\PrmIJQu.exe
  2⤵
  PID:7312
- C:\Windows\System32\NWBReGO.exe
  C:\Windows\System32\NWBReGO.exe
  2⤵
  PID:4744
- C:\Windows\System32\LqpCQBu.exe
  C:\Windows\System32\LqpCQBu.exe
  2⤵
  PID:7508
- C:\Windows\System32\ETDztzJ.exe
  C:\Windows\System32\ETDztzJ.exe
  2⤵
  PID:6756
- C:\Windows\System32\OcYNKAM.exe
  C:\Windows\System32\OcYNKAM.exe
  2⤵
  PID:7560
- C:\Windows\System32\tfGzkrf.exe
  C:\Windows\System32\tfGzkrf.exe
  2⤵
  PID:7696
- C:\Windows\System32\LITgmWA.exe
  C:\Windows\System32\LITgmWA.exe
  2⤵
  PID:7936
- C:\Windows\System32\WISAJAp.exe
  C:\Windows\System32\WISAJAp.exe
  2⤵
  PID:7968
- C:\Windows\System32\CEOnKoz.exe
  C:\Windows\System32\CEOnKoz.exe
  2⤵
  PID:6656
- C:\Windows\System32\FiXbAMf.exe
  C:\Windows\System32\FiXbAMf.exe
  2⤵
  PID:8164
- C:\Windows\System32\ZAWoNBy.exe
  C:\Windows\System32\ZAWoNBy.exe
  2⤵
  PID:4768
- C:\Windows\System32\JeRfVBU.exe
  C:\Windows\System32\JeRfVBU.exe
  2⤵
  PID:5780
- C:\Windows\System32\fFKACRT.exe
  C:\Windows\System32\fFKACRT.exe
  2⤵
  PID:7500
- C:\Windows\System32\iRCOQXF.exe
  C:\Windows\System32\iRCOQXF.exe
  2⤵
  PID:7564
- C:\Windows\System32\wFbPmCL.exe
  C:\Windows\System32\wFbPmCL.exe
  2⤵
  PID:7224
- C:\Windows\System32\xyIRZeT.exe
  C:\Windows\System32\xyIRZeT.exe
  2⤵
  PID:456
- C:\Windows\System32\vfLAFcG.exe
  C:\Windows\System32\vfLAFcG.exe
  2⤵
  PID:1760
- C:\Windows\System32\gUcAMUH.exe
  C:\Windows\System32\gUcAMUH.exe
  2⤵
  PID:8072
- C:\Windows\System32\ZkqxdOA.exe
  C:\Windows\System32\ZkqxdOA.exe
  2⤵
  PID:8144
- C:\Windows\System32\LOaVOqK.exe
  C:\Windows\System32\LOaVOqK.exe
  2⤵
  PID:7556
- C:\Windows\System32\KsLRfbU.exe
  C:\Windows\System32\KsLRfbU.exe
  2⤵
  PID:8208
- C:\Windows\System32\DpQgtlI.exe
  C:\Windows\System32\DpQgtlI.exe
  2⤵
  PID:8224
- C:\Windows\System32\jdgmAIp.exe
  C:\Windows\System32\jdgmAIp.exe
  2⤵
  PID:8280
- C:\Windows\System32\ptSQOUA.exe
  C:\Windows\System32\ptSQOUA.exe
  2⤵
  PID:8344
- C:\Windows\System32\clIHUiM.exe
  C:\Windows\System32\clIHUiM.exe
  2⤵
  PID:8364
- C:\Windows\System32\LBecaCl.exe
  C:\Windows\System32\LBecaCl.exe
  2⤵
  PID:8388
- C:\Windows\System32\IjDEsbR.exe
  C:\Windows\System32\IjDEsbR.exe
  2⤵
  PID:8404
- C:\Windows\System32\oRqGnFT.exe
  C:\Windows\System32\oRqGnFT.exe
  2⤵
  PID:8424
- C:\Windows\System32\QIhnqIS.exe
  C:\Windows\System32\QIhnqIS.exe
  2⤵
  PID:8480
- C:\Windows\System32\AIbqlOM.exe
  C:\Windows\System32\AIbqlOM.exe
  2⤵
  PID:8496
- C:\Windows\System32\aIeDbBE.exe
  C:\Windows\System32\aIeDbBE.exe
  2⤵
  PID:8520
- C:\Windows\System32\yONCIoU.exe
  C:\Windows\System32\yONCIoU.exe
  2⤵
  PID:8536
- C:\Windows\System32\HexqFPy.exe
  C:\Windows\System32\HexqFPy.exe
  2⤵
  PID:8628
- C:\Windows\System32\UfFyCmT.exe
  C:\Windows\System32\UfFyCmT.exe
  2⤵
  PID:8644
- C:\Windows\System32\UtvGanW.exe
  C:\Windows\System32\UtvGanW.exe
  2⤵
  PID:8704
- C:\Windows\System32\ZYlmXIS.exe
  C:\Windows\System32\ZYlmXIS.exe
  2⤵
  PID:8720
- C:\Windows\System32\NKfcqXN.exe
  C:\Windows\System32\NKfcqXN.exe
  2⤵
  PID:8740
- C:\Windows\System32\vwIMKoE.exe
  C:\Windows\System32\vwIMKoE.exe
  2⤵
  PID:8760
- C:\Windows\System32\gddOYuE.exe
  C:\Windows\System32\gddOYuE.exe
  2⤵
  PID:8784
- C:\Windows\System32\aiqCYUz.exe
  C:\Windows\System32\aiqCYUz.exe
  2⤵
  PID:8800
- C:\Windows\System32\bVLOPEa.exe
  C:\Windows\System32\bVLOPEa.exe
  2⤵
  PID:8820
- C:\Windows\System32\fHBUecY.exe
  C:\Windows\System32\fHBUecY.exe
  2⤵
  PID:8900
- C:\Windows\System32\AxVDnDV.exe
  C:\Windows\System32\AxVDnDV.exe
  2⤵
  PID:8916
- C:\Windows\System32\SXAZHtC.exe
  C:\Windows\System32\SXAZHtC.exe
  2⤵
  PID:8932
- C:\Windows\System32\rkllYtD.exe
  C:\Windows\System32\rkllYtD.exe
  2⤵
  PID:8952
- C:\Windows\System32\vYWHIlU.exe
  C:\Windows\System32\vYWHIlU.exe
  2⤵
  PID:9008
- C:\Windows\System32\hzQrLOV.exe
  C:\Windows\System32\hzQrLOV.exe
  2⤵
  PID:9084
- C:\Windows\System32\wMcXojL.exe
  C:\Windows\System32\wMcXojL.exe
  2⤵
  PID:9100
- C:\Windows\System32\BvLUedU.exe
  C:\Windows\System32\BvLUedU.exe
  2⤵
  PID:9116
- C:\Windows\System32\VCTbltM.exe
  C:\Windows\System32\VCTbltM.exe
  2⤵
  PID:9156
- C:\Windows\System32\ntDtncj.exe
  C:\Windows\System32\ntDtncj.exe
  2⤵
  PID:9172
- C:\Windows\System32\tdECYio.exe
  C:\Windows\System32\tdECYio.exe
  2⤵
  PID:9192
- C:\Windows\System32\aqgmiYP.exe
  C:\Windows\System32\aqgmiYP.exe
  2⤵
  PID:9212
- C:\Windows\System32\UscuJJH.exe
  C:\Windows\System32\UscuJJH.exe
  2⤵
  PID:7196
- C:\Windows\System32\MdhEMYo.exe
  C:\Windows\System32\MdhEMYo.exe
  2⤵
  PID:8288
- C:\Windows\System32\zZVaJPd.exe
  C:\Windows\System32\zZVaJPd.exe
  2⤵
  PID:8416
- C:\Windows\System32\XfdEsgz.exe
  C:\Windows\System32\XfdEsgz.exe
  2⤵
  PID:8508
- C:\Windows\System32\iHtcHIo.exe
  C:\Windows\System32\iHtcHIo.exe
  2⤵
  PID:8556
- C:\Windows\System32\QlCOlDE.exe
  C:\Windows\System32\QlCOlDE.exe
  2⤵
  PID:8528
- C:\Windows\System32\lADWexQ.exe
  C:\Windows\System32\lADWexQ.exe
  2⤵
  PID:8656
- C:\Windows\System32\RLqukNp.exe
  C:\Windows\System32\RLqukNp.exe
  2⤵
  PID:8680
- C:\Windows\System32\wLJXaCz.exe
  C:\Windows\System32\wLJXaCz.exe
  2⤵
  PID:8692
- C:\Windows\System32\mOpMSeB.exe
  C:\Windows\System32\mOpMSeB.exe
  2⤵
  PID:8888
- C:\Windows\System32\Cbgpvdb.exe
  C:\Windows\System32\Cbgpvdb.exe
  2⤵
  PID:8940
- C:\Windows\System32\MwzYzIO.exe
  C:\Windows\System32\MwzYzIO.exe
  2⤵
  PID:8912
- C:\Windows\System32\ISAxxeb.exe
  C:\Windows\System32\ISAxxeb.exe
  2⤵
  PID:6560
- C:\Windows\System32\znaUUrX.exe
  C:\Windows\System32\znaUUrX.exe
  2⤵
  PID:9016
- C:\Windows\System32\wkegofH.exe
  C:\Windows\System32\wkegofH.exe
  2⤵
  PID:9108
- C:\Windows\System32\LKfpeCs.exe
  C:\Windows\System32\LKfpeCs.exe
  2⤵
  PID:9152
- C:\Windows\System32\FKiJsNv.exe
  C:\Windows\System32\FKiJsNv.exe
  2⤵
  PID:9184
- C:\Windows\System32\toxKqFB.exe
  C:\Windows\System32\toxKqFB.exe
  2⤵
  PID:8276
- C:\Windows\System32\ZTkDHtv.exe
  C:\Windows\System32\ZTkDHtv.exe
  2⤵
  PID:8432
- C:\Windows\System32\cSlOPmF.exe
  C:\Windows\System32\cSlOPmF.exe
  2⤵
  PID:8568
- C:\Windows\System32\UeHvudB.exe
  C:\Windows\System32\UeHvudB.exe
  2⤵
  PID:8652
- C:\Windows\System32\OIfXIxD.exe
  C:\Windows\System32\OIfXIxD.exe
  2⤵
  PID:8460
- C:\Windows\System32\JXOKLTZ.exe
  C:\Windows\System32\JXOKLTZ.exe
  2⤵
  PID:8864
- C:\Windows\System32\CLKbawW.exe
  C:\Windows\System32\CLKbawW.exe
  2⤵
  PID:8832
- C:\Windows\System32\UNMroLK.exe
  C:\Windows\System32\UNMroLK.exe
  2⤵
  PID:9052
- C:\Windows\System32\MRUIyzc.exe
  C:\Windows\System32\MRUIyzc.exe
  2⤵
  PID:1488
- C:\Windows\System32\lfcPuok.exe
  C:\Windows\System32\lfcPuok.exe
  2⤵
  PID:7424
- C:\Windows\System32\DcchaWn.exe
  C:\Windows\System32\DcchaWn.exe
  2⤵
  PID:8340
- C:\Windows\System32\pHAuaNi.exe
  C:\Windows\System32\pHAuaNi.exe
  2⤵
  PID:8968
- C:\Windows\System32\fGCdvYF.exe
  C:\Windows\System32\fGCdvYF.exe
  2⤵
  PID:7344
- C:\Windows\System32\segtXfA.exe
  C:\Windows\System32\segtXfA.exe
  2⤵
  PID:8984
- C:\Windows\System32\HibEbXS.exe
  C:\Windows\System32\HibEbXS.exe
  2⤵
  PID:9096
- C:\Windows\System32\oqikXXK.exe
  C:\Windows\System32\oqikXXK.exe
  2⤵
  PID:5948
- C:\Windows\System32\PNWlOyS.exe
  C:\Windows\System32\PNWlOyS.exe
  2⤵
  PID:9244
- C:\Windows\System32\aJbUCBS.exe
  C:\Windows\System32\aJbUCBS.exe
  2⤵
  PID:9264
- C:\Windows\System32\yYYvVvU.exe
  C:\Windows\System32\yYYvVvU.exe
  2⤵
  PID:9280
- C:\Windows\System32\TKDkFlp.exe
  C:\Windows\System32\TKDkFlp.exe
  2⤵
  PID:9300
- C:\Windows\System32\TciTJFZ.exe
  C:\Windows\System32\TciTJFZ.exe
  2⤵
  PID:9324
- C:\Windows\System32\esZMqsn.exe
  C:\Windows\System32\esZMqsn.exe
  2⤵
  PID:9464
- C:\Windows\System32\lvjLhaU.exe
  C:\Windows\System32\lvjLhaU.exe
  2⤵
  PID:9484
- C:\Windows\System32\HeMWHUR.exe
  C:\Windows\System32\HeMWHUR.exe
  2⤵
  PID:9504
- C:\Windows\System32\rzmfCQQ.exe
  C:\Windows\System32\rzmfCQQ.exe
  2⤵
  PID:9532
- C:\Windows\System32\ugQUSFM.exe
  C:\Windows\System32\ugQUSFM.exe
  2⤵
  PID:9548
- C:\Windows\System32\TeVFzaR.exe
  C:\Windows\System32\TeVFzaR.exe
  2⤵
  PID:9564
- C:\Windows\System32\mPoSeJs.exe
  C:\Windows\System32\mPoSeJs.exe
  2⤵
  PID:9580
- C:\Windows\System32\ufhWlTM.exe
  C:\Windows\System32\ufhWlTM.exe
  2⤵
  PID:9620
- C:\Windows\System32\aMITIVd.exe
  C:\Windows\System32\aMITIVd.exe
  2⤵
  PID:9640
- C:\Windows\System32\wFvNRPQ.exe
  C:\Windows\System32\wFvNRPQ.exe
  2⤵
  PID:9656
- C:\Windows\System32\PlisLBH.exe
  C:\Windows\System32\PlisLBH.exe
  2⤵
  PID:9696
- C:\Windows\System32\hstrfUw.exe
  C:\Windows\System32\hstrfUw.exe
  2⤵
  PID:9756
- C:\Windows\System32\bqVWxnz.exe
  C:\Windows\System32\bqVWxnz.exe
  2⤵
  PID:9788
- C:\Windows\System32\noSGWiU.exe
  C:\Windows\System32\noSGWiU.exe
  2⤵
  PID:9808
- C:\Windows\System32\BIeRTrQ.exe
  C:\Windows\System32\BIeRTrQ.exe
  2⤵
  PID:9824
- C:\Windows\System32\ulERseN.exe
  C:\Windows\System32\ulERseN.exe
  2⤵
  PID:9864
- C:\Windows\System32\COrDFeK.exe
  C:\Windows\System32\COrDFeK.exe
  2⤵
  PID:9880
- C:\Windows\System32\qpMEWse.exe
  C:\Windows\System32\qpMEWse.exe
  2⤵
  PID:9900
- C:\Windows\System32\lEQgquz.exe
  C:\Windows\System32\lEQgquz.exe
  2⤵
  PID:9916
- C:\Windows\System32\avpBVPb.exe
  C:\Windows\System32\avpBVPb.exe
  2⤵
  PID:9936
- C:\Windows\System32\skEgykc.exe
  C:\Windows\System32\skEgykc.exe
  2⤵
  PID:9956
- C:\Windows\System32\ELuXbCP.exe
  C:\Windows\System32\ELuXbCP.exe
  2⤵
  PID:10004
- C:\Windows\System32\eUvREeW.exe
  C:\Windows\System32\eUvREeW.exe
  2⤵
  PID:10128
- C:\Windows\System32\okgnZEd.exe
  C:\Windows\System32\okgnZEd.exe
  2⤵
  PID:10148

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9372

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DusSOnS.exe

Filesize
238KB

MD5
e03948e9b63ebadb196a33bb8d476366

SHA1
a89d9cf8fc94afd47e53d188e3d4845d4302de46

SHA256
e064bbd39cddda4eec5bf0a743880cf9a571722ca7d8cc34e4dc7f011c130eef

SHA512
4e6c4f3b85a8928ac7be71f45023781ae5c602fbf3edbec327b95e3b4b983fdb4ada1bc56bbeb1bbcaf0a45849f122bf67ad32a1ef70ad2781af8d2d04bc7b00

Download Submit
C:\Windows\System32\DusSOnS.exe

Filesize
276KB

MD5
eeffb5e861180b21c9cab3d8e02d06bb

SHA1
0d38f0b852139264e2792f0a8852847a8cab9569

SHA256
c7c17406726612d195352b0d42680780564008e0f1f1a328cdde4adfd26a20f4

SHA512
f25b54228625991ec33ccd876080718751354e507290b36af986ffc4fb42ef19a8451b7384a7cc55fc6bc2c887fabceb8a43f6c0e094e5b536b722c6f246a06b

Download Submit
C:\Windows\System32\EkPpsjF.exe

Filesize
1.9MB

MD5
1dbe4bbb95589cc80c32979ae34ffb70

SHA1
ccd7d7671aa15a4e90cb5d7b59b6e0e0c42e5b47

SHA256
422250502ae1cdb48c01616768ab3a38de4b5c07baa625149ce72a742b0b8d3e

SHA512
cac0c3ebb37b82c4e219110845fe35dc2cb7b84b3e10089c7016de2f15934374c688cefd60b5c4c89617ed0840fc81ca72f7aef42126191c2c682743b2f36631

Download Submit
C:\Windows\System32\EkPpsjF.exe

Filesize
955KB

MD5
f40d879e0c93f652fc1789b7ea0d4c24

SHA1
663e8e1c8db748774c5d64c6b86c1740500c9f6a

SHA256
5fd9e824a43a3f0f204a1a8e8788c8c6cf4220ecaf7f489dcf9edf7ed0a09e67

SHA512
fe12c00af272a75a43516fdf8e874c1aecc893110dc62f2b9c1ba286bd1faad5dc0354924605e430bee2fc797d70e63e57dfab6a93e8263f506fb4b01c8b752b

Download Submit
C:\Windows\System32\GOpQxYU.exe

Filesize
1.9MB

MD5
b3926629067135fca85065f61173286b

SHA1
9f5158005db65740b11a3b009ff27868b5789d97

SHA256
4dfa5b4d200ea3cfa0aedf87f4124379009404999858dd938ccff612fb3b2aaf

SHA512
1df25203626be7d4f557cb58b6db81552627a8dcd6c0c3075413f4de1c771c5d6990aaee71c69fa7d04d41c52cdf86b756ebef35c666fad80bec8d10c4532e82

Download Submit
C:\Windows\System32\HmwHJLM.exe

Filesize
1.9MB

MD5
e6d8442fbf42158f620d9ffaedcded7b

SHA1
51f82524768e50d7840a8138cc198d1dad772080

SHA256
33a926e4c2472b7a34bf4cada87f004358c3753cae8248a2e0b695a47a62f9c3

SHA512
6a332b26596d16c4cc4b848abc955d7e7df2c9cdcbc1201a392d2f1e41d4718c4d4df91fbf6262f786f0f601fad82ecea599daab9e559e0b93e6398835e9ebb1

Download Submit
C:\Windows\System32\IbSqoya.exe

Filesize
1.9MB

MD5
48b124198541d10f611d28e4eee556d1

SHA1
ac42a2f9bb2fadb0bb4450e809e6e5b9819102e3

SHA256
2987e84cf50276693ce6de3bb467e4b0fe607a9933ab1aa076662fe1819177b6

SHA512
2b569b8e326f9caea2201a18221cc64f3938914f0ca3fe65085d4ae5502e20324843cb01620177f9ae3720cee63e611e35bae06dff566221570be9761cbb5b87

Download Submit
C:\Windows\System32\JNiKsYi.exe

Filesize
1.9MB

MD5
3a9924f1a30fd37a78cddc588bf4f607

SHA1
bbb2cf0d54a6d9b6cd115f5aca35790b44ec4d9d

SHA256
a72477b2b12c9313308a7421211b7a1279318e8343c1c5e63c96b5961bfb381f

SHA512
f45c81c2305db420b33a059078c2d668d3e4623e5a71592175d3a80c8e81c6396799655ea49cf4b3fd9d3af13d38c6389e1e2df2c258365335c80e30bb7ee8c4

Download Submit
C:\Windows\System32\JNiKsYi.exe

Filesize
112KB

MD5
3e9362fd0b885ff21ddae6408667b860

SHA1
1ca1232a0b4362e2e2464d30d10bf6d53eafe676

SHA256
4d571a4357e17e323b7f65b375f76e1de0202a389a36f72958a7775b3b4aa5f3

SHA512
719672611b1f944b847dc3b505a9bdc9863e24b57af25a791aaf9501c7660a14f67d736162ec6609481f6ffc82ac72951240e3e0fd21dc2d923134dd8a21b2a1

Download Submit
C:\Windows\System32\JdAmdib.exe

Filesize
1.9MB

MD5
9b167d98cbedbbaff42f2b7c89c05227

SHA1
2b33c80352ba16d326cb9702cca723ca1aa8698e

SHA256
d84a7a9058d01d4f310b6add2482ea808af2f8265c39d875cac0b3f561562263

SHA512
1ff9cedc74782cd496a04ef9f24ff4050811ec23a6146ddb1762f422016f7c871529483dea10feba2cfd5f7ade197d4cb551de9b489005ef224788ac3d0a34da

Download Submit
C:\Windows\System32\JdAmdib.exe

Filesize
30KB

MD5
31432b6307ffb3b5c66973c9253024a9

SHA1
1f4ad45187f228b3f0283c6ec3f4f2bc5c73c5ca

SHA256
c4633db5b3db5839d6650f7426791e74113b595ae3a392692d2b72b30c63f21d

SHA512
2d11eefe5daeb957a4e95780426d5e52978ae17cc9ebebb651958563d02db9bd311c320b283f3212aef8c5c5f1bf24d686041a3c30e78bbb43e0ed5d7943bd39

Download Submit
C:\Windows\System32\KSJZJbO.exe

Filesize
1.9MB

MD5
c5bbf7f021b58a268e3c18acef5a63cf

SHA1
57f1544807a6da48bf466112b7e9c1a96b5b8966

SHA256
ccaf94276049d01c3c2281335b0fd01dfe5b45f95966bf5dc73d48bb430244bc

SHA512
4bacdd05c6b34aa709fcb1ba1bf9720d9b3e9d312c37f2dd4fe8a618d608dc7816c60c7e6fb539c2265a47449bd8a072247dfce12d750888436657f721086906

Download Submit
C:\Windows\System32\KYHcUsp.exe

Filesize
1.9MB

MD5
9ad71e78f5ea03899f2f0d6edad20808

SHA1
aa51b002c3876ae7638cb5ce1cf5c1dad753e722

SHA256
d238a83cefeefbf90465cb31c6f40832c7b4d49a1500bcc2f3ae5e5d4ddedd0c

SHA512
1ec6a34ff82701a2e5281b1cb46daa2eda453640f374c263300554d52a059c20d31ee71fb9f3a6ff2b9c13247a9c7dcbe7a829d46da2efde239f45dbdcf83eb6

Download Submit
C:\Windows\System32\LmuRNHY.exe

Filesize
1.9MB

MD5
a4c739088eed6763cc7a2c0adb00c48e

SHA1
a4c1f4ee88da155ec96480d66548018c60a15a0a

SHA256
779911bd7aca1bd974376b74850e6fd21b44485fef741bbe449f5dce1ee8956b

SHA512
3caf4b820dc10553451704e9bd2f8ed92b939f6fed4cf54357fc34feee211b885d85fe80dc35311ecc590845081bcb36427ae7920822b4dd6b5df66560610a42

Download Submit
C:\Windows\System32\LmuRNHY.exe

Filesize
42KB

MD5
6de21d6d3780149eeff09545e2c2b560

SHA1
c94b196b668fe5d8621d383b1078bc2523aa4c5d

SHA256
cb1f93020960239eae70df656d2b17220aa58c194497f94997aa28869cd79a93

SHA512
ddb8d27ef89c5a01d244c73f518c591f34be2ad8ace17e8ae082e04ae2150ad53ab6ab0129288bfe81d45f7d70c1cf492e414031cd4247d5202fead1b90bb4b1

Download Submit
C:\Windows\System32\MApyjys.exe

Filesize
1.9MB

MD5
3ea9589a59f128b408d5195a87e48caa

SHA1
fbba46fbbd4504743980fc09aa8f832646fffeb5

SHA256
3e37c129a42ce59874abd7785a7661cbf3d6867eae54d128fd02d1910233c7af

SHA512
bc92d54bcb3c0e88fb4d6ac0c67d8249eaa2e6cedd102631454c9966f982395eba1ef637fa05f2bcfbc9b636c1813c2bb0aefed08f1416ae3fc8e54fc0af9650

Download Submit
C:\Windows\System32\MYQMaDb.exe

Filesize
1.9MB

MD5
054fa27b1fee14ef96b997138906d594

SHA1
7529de5b5d5855bb04810ade3e696db4cef8ea8f

SHA256
5f245c2782685bde7fd237ceb26d274fa6619b5b61fa41569fef9c2126cce46b

SHA512
8b138effb6cc5772c34e55854d7b376cf2eb3fd9887458109859842ed5d142f895febf5dc86fdfbde8c046535347ad8dfbaa55fdc0c0e8ee9d8ea1630fd844ba

Download Submit
C:\Windows\System32\MYQMaDb.exe

Filesize
30KB

MD5
384d877cbd116c408de522e06b13cf16

SHA1
4696cc440d7bc4f769a6328f903b5a0826cefcae

SHA256
b3a5028ce5f0f79f90de1a2a7f8ed1aa73a6aca19a63c280e18d0c03c6dba649

SHA512
bae03773ee69b07a619313c03cb42bef405f820480d8eb1ce109d5664a3b30b618ef174a2d185a8a73fee0eda2fc79de35677b1c6dbd240d7f8d64d228fbe988

Download Submit
C:\Windows\System32\NgRxpwx.exe

Filesize
1.9MB

MD5
4dc3b6f01d2bcfb0c665ce8689fc448e

SHA1
bbc133dd63527d3ea8975dcf0faccfb2b895d387

SHA256
d8b99d064ff25ff19f8dc6a2c046c7e2c7ced6c1a562f6536da67d1f9d8cae27

SHA512
b8e82cd9f70cb574d0da9ffc9a6c3168001978d01ea8faf00a3bca40a7342323f490fa7adc0a35f33b17461e4292de6cb538ed0e140533becabd60bc1b3e0326

Download Submit
C:\Windows\System32\OXYebKj.exe

Filesize
386KB

MD5
0781c2b06b4ff3d6b238df06f24a15a3

SHA1
bf07c0165f089a371ced530639190da295277438

SHA256
de4ada599b32cd5952face6f94926331129655766fe79f26628789aa545edb71

SHA512
9cc7ec4105c1e6d8bb8b102dd4c4b232b0a98deb394d460a51770065c07ca8d31b62d1e750408cb647ba49086ff13b36b6d548d4ed65fd11e84161b8afb74957

Download Submit
C:\Windows\System32\OXYebKj.exe

Filesize
1.9MB

MD5
8fec93296bf39e5e53c4df272a462838

SHA1
9ad922926f56eb96158ab7e2024ee3aa70daa630

SHA256
6da4c56d4a1c45f90ec449ff753c3f85d964c49d3135e5ca7a5bf4f8241c4410

SHA512
f603bcf2a91faac81113cf195c726485a507d0946ebf1906d3ed93c9717f58e7e82939d8af66cd1bb013833dcfdc39ed7211f60abf01b68b336efdf8b4186b7f

Download Submit
C:\Windows\System32\PsygLwS.exe

Filesize
1.9MB

MD5
773806f709c853619ce5a4f02db83074

SHA1
8ab27beee276d6711fff73095a8617c99fefaf45

SHA256
89577ca4ba67ac8bfd38fd9c8e55051e01eb497dfca906ffc0083475ac651ba0

SHA512
c56f9926deecda0e010c623f60099d65e0641154b58d5555a51f8c33b9be24f91906566862f6039fb4e0ca6958c120255946cc5f1dc88137d85fb4694faa6384

Download Submit
C:\Windows\System32\PsygLwS.exe

Filesize
120KB

MD5
3b0410c1a13201a4dfe901881e6ee40b

SHA1
398a72095de396ce86a964be809499cfab5c1400

SHA256
bbabda68f3ac4124e67bdf746162aee42016c9ccd7ae95e4a249578058acf32d

SHA512
0aa750294ec72ee134042409cfe7e7263c42050fd81cfa4f66bfd96c78dcab79e2457e620f93b0d669f4f673d5ce008ab16ddd09ca87a1e8fd336b05cb6a451e

Download Submit
C:\Windows\System32\UtAzCNT.exe

Filesize
577KB

MD5
67e71bb7da4cc684e4b51df036341c93

SHA1
dad73e1029cb802b193d43081f2944e2583fc82b

SHA256
d5949f122ff2d983f66b4a9551c9f78941c0efdb3a082ccb75ebdea68e401157

SHA512
830ce936c532e199629403a4a713a9ff90adab7665348cde99cf41a6e9cc1352b9b60a401acfdb9e10962fe243d03a6c2754a04d22bc1c4faef76ecc1f482c2a

Download Submit
C:\Windows\System32\UtAzCNT.exe

Filesize
486KB

MD5
e1354ac5d7e3d7752c42a1cc173e7b34

SHA1
c7d74c85107afa96fe2e23abed7907483cfa88ee

SHA256
e066537882ccddb460a457a408defbd333d6007e962b2f75d041eb11286a7a4d

SHA512
277d5c88a6e18b4b62361064f86d334ae013229e2d2b95e6f22cf5127dc1c2ce196ff2711aec0ff2ad73f5bb5e5c9856f35770f488ea9f54ba9e5914174df772

Download Submit
C:\Windows\System32\WzBCKOd.exe

Filesize
1.9MB

MD5
72ca01899c47a3702e7f6cbfe7e483c2

SHA1
fac3136771b5321abbcaafb915a3a8fcf5e807d5

SHA256
a1431d7164445f43b4479e48ab96b81f3acd3363e2a390bf24f5d593422d548e

SHA512
6bb8606181f6120937c502d2f88e5e8f72bad4edd00e0d73ef78ed3eb4531aaf6594f28882aef621952a2b556e3211ac985da62ddc0b7c17d991db3490f6689c

Download Submit
C:\Windows\System32\YcFzzQK.exe

Filesize
1.9MB

MD5
c3dbb9ccc9edb1619aa74ae1dc5c2899

SHA1
27676dbdcba6e39b07f8eb1182ba7810d18f5812

SHA256
f6d8efd5dd9520f40e65ea7e1a1109afdff910226ca3753ebb99cf2cc021ec78

SHA512
b6b578a5f2719021928e550c2f7c9a283b9cf1485899af13ee3b4480e5d025d1dba1cfa78feaabc272fb8f562a861b21cc5ff4141a9b3d535366b3b15177d261

Download Submit
C:\Windows\System32\YcFzzQK.exe

Filesize
198KB

MD5
4832f37d0f3609d9be8492ee31ab6b04

SHA1
bc7ce44020011ed94f1b60c30ae8ef92afe5bb66

SHA256
8f0610c26018f81a6c35bfd2644ca87fdfcb25b029e657847f50817f5c98e24f

SHA512
3b1e59d3bc4ef5449dc1e10103ab37c15315ab321f0cda9346bea062ca08bf346eca8d8812bdaa35d51ff64a2e1e57dfdc376e4d0c7d93a69ddd0871414fa059

Download Submit
C:\Windows\System32\ZvqWZqF.exe

Filesize
1.9MB

MD5
123d47e3439aeeca9c8e3e619ac5f8b9

SHA1
54cc6680baf6fad9af0630d54d8862ef798c8b66

SHA256
dcb81bac43e2d5797c45edd42b6e2884854592bd1f317a34be50b788849d2f54

SHA512
393597e7b8527381cdfab28e35bc2c5b6c70a00c6d7b1b67691872d7b9d5ae475775ef6276bd1b5b7d04f097670abecf390f9c7577cc1713f800a7c10a97bf2c

Download Submit
C:\Windows\System32\bsuOQyC.exe

Filesize
1.9MB

MD5
5a8c19cc829e6ba9d0ad6c8b49ec7e09

SHA1
6321c44755a7ce10d7e27546163d5f937073d32b

SHA256
a36a6b62a2929d288dff058d9bf5be8ded44a51767779707ab1ba04f36d0fab8

SHA512
da8c728eaa1f1dcca2986dbd2ad46f15e924697e4135fd2f7bb768089f53ec6663346653af2d83f42d35585924ae6bcc52a5ffa98e0a83532f7b08267a23d394

Download Submit
C:\Windows\System32\buyGdBo.exe

Filesize
1.9MB

MD5
dedda47a05f6acebf6483d406f5d1013

SHA1
71097f48ac31671fd3721841be8361996c582905

SHA256
cc5edb8b41c6a79d5b62f4d1c829b1553f8129f510e89ed0bcc80c9698d4853c

SHA512
678e33de7e5db0b9b1036e387c920e3cb8476007a3b6b93defdb22b53e2ccf1f8a8dbde7611f667cec0b47f9580beed58e13425e361d1417935ddf1e2c448546

Download Submit
C:\Windows\System32\crKRlvM.exe

Filesize
1.9MB

MD5
68ac26738337dcf8d5801723d0c83b44

SHA1
37938cc27fe4bd66c081dd3049b5b7e63d9cecac

SHA256
87e03f709f94cabbe354220def61075fcd4f2d05a8496e208134579fd9261696

SHA512
e8642ef107d4273b459c657614f48bf87f564e482e006d9be39a563ba96625f05e5d6d908ddd47c331ef876892611cf04302d9d0733edf40089667bd40125ee8

Download Submit
C:\Windows\System32\eImTptq.exe

Filesize
1.9MB

MD5
750d0a8dec6a495d7e191306839b9197

SHA1
249f08825b4c99678caf90e30f0323d4c8f3b507

SHA256
1ad2f84a93f04a6bb748b03e7503144caec190e76777a21094c03c9a8aa49179

SHA512
1912d6fa04d0e86a9b4e477f888b0541eb9620e7acbffe455724aca6954de05c814926de40272dd8ae999a83d1830be98df843b5c484b4c652fec6fe09a34b04

Download Submit
C:\Windows\System32\gVFnUAx.exe

Filesize
1.9MB

MD5
63eb92907ed43d0843505f1ea371dcca

SHA1
b1989c7f8c0029c1ba4a7def248416eab0717af0

SHA256
dc6714c344386dd7cac729a4b502a992f0d7cb2fefe4b4fa11682494951a078a

SHA512
6c432776c9b403743dd12c2262c4a5beaaa18320025c23a0c8f6e958ceefb9f236d7507b2676c2f7f1dfd04bc7f3bb30406ad3512c9f9f8cdd526a170f2b7c10

Download Submit
C:\Windows\System32\gVFnUAx.exe

Filesize
255KB

MD5
131fc4c6cd6edc22e7c925e56b29e973

SHA1
0a238ebcb5619c602b8a2b02ab7e69e87e1989a2

SHA256
a8d02084356e520f8fd0d5b4cdf4f7b6c512d2565198cb28edf676dacc57a5e4

SHA512
c807ec7a76c2567e16a5a157c05775001c008221ef4c231cf92bebdd7fb049cf06942da86be2cfe273f8ba1c9a0931547ca15918c3e8ab0d1e6637665949ed4f

Download Submit
C:\Windows\System32\gxfhilx.exe

Filesize
1.9MB

MD5
c1fc2319436d96df0bbc717df891ca6f

SHA1
05e732d1955d3974c3cdbc956ef995310c75171e

SHA256
d8ead1392fc94262c9865282fa6b3b471c93c6bbb0da6fd183312191767d87f1

SHA512
a64ca170c4dddfbe4379107ba4e756feb3f69dc3291a25a7dc0b02919065f25adc7441a8f71d12d180938ba39534701683f7ea25b30c0f195469a0bb8a49fa8f

Download Submit
C:\Windows\System32\mSOEtAM.exe

Filesize
1.9MB

MD5
b1056f058be941c91ae7c7981989b629

SHA1
2ea473adcda5f7ace29adb1b1a2321c8dbbaa8f3

SHA256
d452bbd0a0c354fa91293b89d3dc11848701e0f18cc6ff4494659ab0aacd6e0a

SHA512
0c617b887fb11cae9e17e0f9b9a2f39aeddae08940666d9b56a2d5069e263429bfed0b62c9bc4d9bc8f7a33d6d3d897774b4fc40780a62b88642a47cae2d1629

Download Submit
C:\Windows\System32\neKWbip.exe

Filesize
1.9MB

MD5
54e62a8324888f0799376fea6c0943e8

SHA1
63a279ccd7feda10f7f5e6e15e175e3ed7a5dd69

SHA256
fa2050db8a8dc490eeb09b5b4e6960de0d429bea5412b2da790c27b6c6a2e8b7

SHA512
a0427219d16239054773112d8a0460d4fb31ad47a47b952ebec6fb168eef97872a5b9ad64626ced1b7031b4ab7194f8d3ccdb266d97a56533982db79bdfc105c

Download Submit
C:\Windows\System32\pkSksGz.exe

Filesize
1.9MB

MD5
af2b6e21678018df77542fbb568aab45

SHA1
6641bb9383f261d29fcf20c8afa158c5d21f2eb3

SHA256
d3c22899084ed66752de7468da77b4514cfb85ea089f85ceb7041ee1a9bcc85e

SHA512
3165486af2353271de9d3a8ee56d08ab9c84fdcfd7fa572e26b7b24d1cd86e4517bee20a581a0a035f82f8d3349fe9575947beeef45e2fa232f6b7aec89f65f9

Download Submit
C:\Windows\System32\sRAnxXG.exe

Filesize
1.9MB

MD5
43fc71194a23c60aab198b003c82814d

SHA1
e93b54fee304bc5f247eb81573ec97ba961b56bd

SHA256
3b202e3296fc684650961f1de35677f898878d74b6398c73a07f91b2501b8942

SHA512
12e6245f7653e5c4c9157a477d56018251ca3af8d827f6c8bdfcb03c6c8fe11ad15680d8e136db4b40cff9e62703380a352bba49ecf66cc4d30af49d522ece02

Download Submit
C:\Windows\System32\sRAnxXG.exe

Filesize
99KB

MD5
639f6e202d118dcf072558884276e186

SHA1
6832223517ad9af7c96a64423096b7873fd0cb7b

SHA256
8045126ed54b7a2183bcabd9d6fc255c8a8975c9947cb62f2cdcd100c8d79ffd

SHA512
555ea74916a574a758368c0fee993b6219af6d786b1453161124859e94385715acf370f35d574471e638b2899f87cb348c1c8a72239f1ad7151aee8cd5eef283

Download Submit
C:\Windows\System32\wfLmHwF.exe

Filesize
832KB

MD5
682b315409d8925e4c3f6438f36ebc96

SHA1
2bd258e60ba6c3451f3b6d05edc2102032e45165

SHA256
590f44e22ab1a4855e94b2e1de3d6be7ee1b991b564e8142835a0cbdc8b894dd

SHA512
163c63715627c1644eab102f4eb6e4dcacbf4d6ba26f35f75e9755f2320340399b1ee229993f8a1dba2f039188fe36652e5ad034dc8ec8522411101154d46fca

Download Submit
C:\Windows\System32\wfLmHwF.exe

Filesize
1.9MB

MD5
9642bb82f2fc05330403a370da6f5504

SHA1
deb64b73d9f72ffa0013cfbe7b5c2b239a926d0a

SHA256
fb30d94733befa87c037b9e0fb3c4475c4c1b2ab8415ea29894213d44d9a58c6

SHA512
9e59032f8a16b56447d1e7ad0d2b265e9fbee1605c03ef642e81c9b7cec9cb84e078a6ce036a00608a54656b29a7df4f4a2cead78e6f4952fbdd1e38163c05fa

Download Submit
C:\Windows\System32\xrHWAPT.exe

Filesize
1.9MB

MD5
d256342a66a75f0b303e10f0d6e5008e

SHA1
4101e2199dcf8e0220cb514a6a5bcac7d0ab8749

SHA256
40309c85f67959a2634599a63263cb6550b08796bbd3762556ef65476efdc3d8

SHA512
af8c0d366f1bb045ce88950129a3a6cd1d81333fbe66c4e8ffc1c87bd9ad65b92ab3d7a3d927c058b3cdddcadd88f3fcc3d6e43acf0f3f8549cc7d14575ea556

Download Submit
C:\Windows\System32\zpOFYRx.exe

Filesize
1.9MB

MD5
bec4851a1f1ceec2ac2d047fe880d1b5

SHA1
d3da0727dc30efa4ed8c8d3f8a44acf8241400b7

SHA256
863b3b36f79a0f8e071db21ff544b32fee6ce885324771b4537ef327229a8cf8

SHA512
0e6da6873994c9cf28a5eedf33156b75623f0da2999ed2fbc8ef465c5460f933ae8161ca3e83223edbf5b0a8b69a7a638a33ea6c2a5ad8d91dee9527cb2d5fbc

Download Submit
C:\Windows\System32\zpOFYRx.exe

Filesize
74KB

MD5
1dbca557c7e562dd7c65d8c50a2a214a

SHA1
4521f7ad8a722ec7e08da894e0241b94278803b0

SHA256
831fd7a3a03d4dbafcc2330b0a529bd28f586b2ea455aed471317af72664a4cc

SHA512
0719ba5ab05986602dd5004224116d7dccf2c59fe24ae34b8a224220a743c1efe1f98a8222bac7c8af9a32b987b983641bdd73326141f9f0c24ceac9477b8ae1

Download Submit
memory/8-429-0x00007FF630E10000-0x00007FF631201000-memory.dmp

Filesize
3.9MB

Download
memory/116-483-0x00007FF6973D0000-0x00007FF6977C1000-memory.dmp

Filesize
3.9MB

Download
memory/264-458-0x00007FF6B9640000-0x00007FF6B9A31000-memory.dmp

Filesize
3.9MB

Download
memory/516-365-0x00007FF63DAF0000-0x00007FF63DEE1000-memory.dmp

Filesize
3.9MB

Download
memory/532-417-0x00007FF6D9B00000-0x00007FF6D9EF1000-memory.dmp

Filesize
3.9MB

Download
memory/536-672-0x00007FF786A70000-0x00007FF786E61000-memory.dmp

Filesize
3.9MB

Download
memory/548-425-0x00007FF7D5360000-0x00007FF7D5751000-memory.dmp

Filesize
3.9MB

Download
memory/624-479-0x00007FF711BF0000-0x00007FF711FE1000-memory.dmp

Filesize
3.9MB

Download
memory/764-367-0x00007FF621400000-0x00007FF6217F1000-memory.dmp

Filesize
3.9MB

Download
memory/808-451-0x00007FF7186B0000-0x00007FF718AA1000-memory.dmp

Filesize
3.9MB

Download
memory/844-569-0x00007FF71EE80000-0x00007FF71F271000-memory.dmp

Filesize
3.9MB

Download
memory/852-398-0x00007FF69C490000-0x00007FF69C881000-memory.dmp

Filesize
3.9MB

Download
memory/1092-366-0x00007FF619860000-0x00007FF619C51000-memory.dmp

Filesize
3.9MB

Download
memory/1268-558-0x00007FF6B85B0000-0x00007FF6B89A1000-memory.dmp

Filesize
3.9MB

Download
memory/1364-497-0x00007FF6DFF80000-0x00007FF6E0371000-memory.dmp

Filesize
3.9MB

Download
memory/1588-471-0x00007FF606FE0000-0x00007FF6073D1000-memory.dmp

Filesize
3.9MB

Download
memory/1728-42-0x00007FF74DC80000-0x00007FF74E071000-memory.dmp

Filesize
3.9MB

Download
memory/1932-647-0x00007FF65A5F0000-0x00007FF65A9E1000-memory.dmp

Filesize
3.9MB

Download
memory/2216-34-0x00007FF7FC7F0000-0x00007FF7FCBE1000-memory.dmp

Filesize
3.9MB

Download
memory/2236-38-0x00007FF7111A0000-0x00007FF711591000-memory.dmp

Filesize
3.9MB

Download
memory/2320-453-0x00007FF72DD50000-0x00007FF72E141000-memory.dmp

Filesize
3.9MB

Download
memory/2368-71-0x00007FF636840000-0x00007FF636C31000-memory.dmp

Filesize
3.9MB

Download
memory/2448-694-0x00007FF7E5E40000-0x00007FF7E6231000-memory.dmp

Filesize
3.9MB

Download
memory/2532-391-0x00007FF60AE90000-0x00007FF60B281000-memory.dmp

Filesize
3.9MB

Download
memory/2656-687-0x00007FF6F82D0000-0x00007FF6F86C1000-memory.dmp

Filesize
3.9MB

Download
memory/2692-361-0x00007FF687DA0000-0x00007FF688191000-memory.dmp

Filesize
3.9MB

Download
memory/2696-500-0x00007FF66E9C0000-0x00007FF66EDB1000-memory.dmp

Filesize
3.9MB

Download
memory/2744-57-0x00007FF6546F0000-0x00007FF654AE1000-memory.dmp

Filesize
3.9MB

Download
memory/2752-27-0x00007FF6DFEC0000-0x00007FF6E02B1000-memory.dmp

Filesize
3.9MB

Download
memory/2944-506-0x00007FF62F200000-0x00007FF62F5F1000-memory.dmp

Filesize
3.9MB

Download
memory/2948-394-0x00007FF72F700000-0x00007FF72FAF1000-memory.dmp

Filesize
3.9MB

Download
memory/2988-642-0x00007FF740530000-0x00007FF740921000-memory.dmp

Filesize
3.9MB

Download
memory/3008-22-0x00007FF7E5E80000-0x00007FF7E6271000-memory.dmp

Filesize
3.9MB

Download
memory/3104-407-0x00007FF77C630000-0x00007FF77CA21000-memory.dmp

Filesize
3.9MB

Download
memory/3120-653-0x00007FF72F6D0000-0x00007FF72FAC1000-memory.dmp

Filesize
3.9MB

Download
memory/3144-682-0x00007FF7DD280000-0x00007FF7DD671000-memory.dmp

Filesize
3.9MB

Download
memory/3348-690-0x00007FF7AEF00000-0x00007FF7AF2F1000-memory.dmp

Filesize
3.9MB

Download
memory/3376-363-0x00007FF708460000-0x00007FF708851000-memory.dmp

Filesize
3.9MB

Download
memory/3536-420-0x00007FF6AE760000-0x00007FF6AEB51000-memory.dmp

Filesize
3.9MB

Download
memory/3560-360-0x00007FF6F94B0000-0x00007FF6F98A1000-memory.dmp

Filesize
3.9MB

Download
memory/3568-436-0x00007FF6343D0000-0x00007FF6347C1000-memory.dmp

Filesize
3.9MB

Download
memory/3660-16-0x00007FF77C790000-0x00007FF77CB81000-memory.dmp

Filesize
3.9MB

Download
memory/3772-72-0x00007FF7B9BF0000-0x00007FF7B9FE1000-memory.dmp

Filesize
3.9MB

Download
memory/3920-669-0x00007FF78DF70000-0x00007FF78E361000-memory.dmp

Filesize
3.9MB

Download
memory/3956-1-0x00000205B5B90000-0x00000205B5BA0000-memory.dmp

Filesize
64KB

Download
memory/3956-0-0x00007FF764730000-0x00007FF764B21000-memory.dmp

Filesize
3.9MB

Download
memory/4016-692-0x00007FF739230000-0x00007FF739621000-memory.dmp

Filesize
3.9MB

Download
memory/4028-650-0x00007FF6FBEA0000-0x00007FF6FC291000-memory.dmp

Filesize
3.9MB

Download
memory/4084-26-0x00007FF7E9FC0000-0x00007FF7EA3B1000-memory.dmp

Filesize
3.9MB

Download
memory/4148-656-0x00007FF6E8D10000-0x00007FF6E9101000-memory.dmp

Filesize
3.9MB

Download
memory/4160-489-0x00007FF71C320000-0x00007FF71C711000-memory.dmp

Filesize
3.9MB

Download
memory/4280-660-0x00007FF797790000-0x00007FF797B81000-memory.dmp

Filesize
3.9MB

Download
memory/4356-476-0x00007FF624BB0000-0x00007FF624FA1000-memory.dmp

Filesize
3.9MB

Download
memory/4368-364-0x00007FF67E270000-0x00007FF67E661000-memory.dmp

Filesize
3.9MB

Download
memory/4532-661-0x00007FF6C2C80000-0x00007FF6C3071000-memory.dmp

Filesize
3.9MB

Download
memory/4596-442-0x00007FF7C7910000-0x00007FF7C7D01000-memory.dmp

Filesize
3.9MB

Download
memory/4708-372-0x00007FF75DB50000-0x00007FF75DF41000-memory.dmp

Filesize
3.9MB

Download
memory/4720-59-0x00007FF6FBF40000-0x00007FF6FC331000-memory.dmp

Filesize
3.9MB

Download
memory/4772-60-0x00007FF6D2F10000-0x00007FF6D3301000-memory.dmp

Filesize
3.9MB

Download
memory/4776-547-0x00007FF6CD650000-0x00007FF6CDA41000-memory.dmp

Filesize
3.9MB

Download
memory/4928-445-0x00007FF6880E0000-0x00007FF6884D1000-memory.dmp

Filesize
3.9MB

Download
memory/4940-549-0x00007FF7ADEC0000-0x00007FF7AE2B1000-memory.dmp

Filesize
3.9MB

Download
memory/4960-666-0x00007FF7F4390000-0x00007FF7F4781000-memory.dmp

Filesize
3.9MB

Download
memory/5000-406-0x00007FF6BD7A0000-0x00007FF6BDB91000-memory.dmp

Filesize
3.9MB

Download
memory/5072-362-0x00007FF6CF6F0000-0x00007FF6CFAE1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads