xmrig | 23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
Size

3.1MB
MD5

36376458d0672c7782c9f50fb32b4e58
SHA1

f401103c4d03320e5bcc3241a14c2e915b23b4d0
SHA256

23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db
SHA512

66f8ab7a98dc1ddfc3a021efee99233cb7eeb312e931b614f9dfdd7e8c8c4bafee484e743c526c04eed775618de4988bea5606c04eba9eb554fd2ce0d8468801
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc40H:NFWPClFkH

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4848-0-0x00007FF638370000-0x00007FF638765000-memory.dmp	UPX
behavioral2/files/0x0010000000023143-4.dat	UPX
behavioral2/files/0x000a0000000231aa-11.dat	UPX
behavioral2/memory/4868-13-0x00007FF6E0C20000-0x00007FF6E1015000-memory.dmp	UPX
behavioral2/files/0x00070000000231fc-21.dat	UPX
behavioral2/files/0x00070000000231fd-22.dat	UPX
behavioral2/memory/224-30-0x00007FF7901B0000-0x00007FF7905A5000-memory.dmp	UPX
behavioral2/files/0x00070000000231fe-32.dat	UPX
behavioral2/files/0x00070000000231ff-34.dat	UPX
behavioral2/files/0x0007000000023202-46.dat	UPX
behavioral2/files/0x0007000000023200-40.dat	UPX
behavioral2/memory/3960-49-0x00007FF65BC90000-0x00007FF65C085000-memory.dmp	UPX
behavioral2/files/0x0007000000023201-56.dat	UPX
behavioral2/files/0x0007000000023203-60.dat	UPX
behavioral2/memory/1348-66-0x00007FF6F2680000-0x00007FF6F2A75000-memory.dmp	UPX
behavioral2/memory/3740-68-0x00007FF629D80000-0x00007FF62A175000-memory.dmp	UPX
behavioral2/files/0x0007000000023206-75.dat	UPX
behavioral2/files/0x0007000000023207-80.dat	UPX
behavioral2/memory/4868-85-0x00007FF6E0C20000-0x00007FF6E1015000-memory.dmp	UPX
behavioral2/memory/2776-87-0x00007FF7CDA70000-0x00007FF7CDE65000-memory.dmp	UPX
behavioral2/memory/3760-88-0x00007FF7BDF20000-0x00007FF7BE315000-memory.dmp	UPX
behavioral2/files/0x0007000000023209-94.dat	UPX
behavioral2/files/0x000700000002320a-101.dat	UPX
behavioral2/files/0x000700000002320b-103.dat	UPX
behavioral2/memory/4384-112-0x00007FF645BD0000-0x00007FF645FC5000-memory.dmp	UPX
behavioral2/files/0x000700000002320d-118.dat	UPX
behavioral2/files/0x000700000002320f-128.dat	UPX
behavioral2/files/0x0007000000023210-133.dat	UPX
behavioral2/files/0x0007000000023214-153.dat	UPX
behavioral2/files/0x0007000000023215-158.dat	UPX
behavioral2/files/0x0007000000023216-163.dat	UPX
behavioral2/files/0x0007000000023217-168.dat	UPX
behavioral2/files/0x0007000000023219-176.dat	UPX
behavioral2/memory/4564-287-0x00007FF780CD0000-0x00007FF7810C5000-memory.dmp	UPX
behavioral2/memory/2660-299-0x00007FF7BD470000-0x00007FF7BD865000-memory.dmp	UPX
behavioral2/memory/4952-301-0x00007FF6CA8F0000-0x00007FF6CACE5000-memory.dmp	UPX
behavioral2/memory/3488-322-0x00007FF66F030000-0x00007FF66F425000-memory.dmp	UPX
behavioral2/memory/1980-325-0x00007FF6B70B0000-0x00007FF6B74A5000-memory.dmp	UPX
behavioral2/memory/2636-333-0x00007FF6F8450000-0x00007FF6F8845000-memory.dmp	UPX
behavioral2/memory/4080-336-0x00007FF769660000-0x00007FF769A55000-memory.dmp	UPX
behavioral2/memory/1388-347-0x00007FF7AF8C0000-0x00007FF7AFCB5000-memory.dmp	UPX
behavioral2/memory/5116-349-0x00007FF658420000-0x00007FF658815000-memory.dmp	UPX
behavioral2/memory/1200-350-0x00007FF618990000-0x00007FF618D85000-memory.dmp	UPX
behavioral2/memory/4324-353-0x00007FF78A990000-0x00007FF78AD85000-memory.dmp	UPX
behavioral2/memory/1300-355-0x00007FF6CE2D0000-0x00007FF6CE6C5000-memory.dmp	UPX
behavioral2/memory/5020-357-0x00007FF6E63D0000-0x00007FF6E67C5000-memory.dmp	UPX
behavioral2/memory/2924-359-0x00007FF7D8770000-0x00007FF7D8B65000-memory.dmp	UPX
behavioral2/memory/4068-361-0x00007FF717FF0000-0x00007FF7183E5000-memory.dmp	UPX
behavioral2/memory/2384-363-0x00007FF760B90000-0x00007FF760F85000-memory.dmp	UPX
behavioral2/memory/1620-365-0x00007FF7D3B20000-0x00007FF7D3F15000-memory.dmp	UPX
behavioral2/memory/3008-367-0x00007FF794400000-0x00007FF7947F5000-memory.dmp	UPX
behavioral2/memory/640-369-0x00007FF758430000-0x00007FF758825000-memory.dmp	UPX
behavioral2/memory/1084-371-0x00007FF625780000-0x00007FF625B75000-memory.dmp	UPX
behavioral2/memory/4292-378-0x00007FF65F4E0000-0x00007FF65F8D5000-memory.dmp	UPX
behavioral2/memory/3540-383-0x00007FF6EE550000-0x00007FF6EE945000-memory.dmp	UPX
behavioral2/memory/2388-385-0x00007FF7B2D10000-0x00007FF7B3105000-memory.dmp	UPX
behavioral2/memory/736-387-0x00007FF6C02F0000-0x00007FF6C06E5000-memory.dmp	UPX
behavioral2/memory/4436-388-0x00007FF7D56E0000-0x00007FF7D5AD5000-memory.dmp	UPX
behavioral2/memory/228-381-0x00007FF709B90000-0x00007FF709F85000-memory.dmp	UPX
behavioral2/memory/4944-368-0x00007FF640D60000-0x00007FF641155000-memory.dmp	UPX
behavioral2/memory/3208-366-0x00007FF65EA90000-0x00007FF65EE85000-memory.dmp	UPX
behavioral2/memory/4964-364-0x00007FF6ECA50000-0x00007FF6ECE45000-memory.dmp	UPX
behavioral2/memory/928-362-0x00007FF6C0E70000-0x00007FF6C1265000-memory.dmp	UPX
behavioral2/memory/3944-360-0x00007FF757640000-0x00007FF757A35000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4848-0-0x00007FF638370000-0x00007FF638765000-memory.dmp	xmrig
behavioral2/files/0x0010000000023143-4.dat	xmrig
behavioral2/files/0x000a0000000231aa-11.dat	xmrig
behavioral2/memory/4868-13-0x00007FF6E0C20000-0x00007FF6E1015000-memory.dmp	xmrig
behavioral2/files/0x00070000000231fc-21.dat	xmrig
behavioral2/files/0x00070000000231fd-22.dat	xmrig
behavioral2/memory/224-30-0x00007FF7901B0000-0x00007FF7905A5000-memory.dmp	xmrig
behavioral2/files/0x00070000000231fe-32.dat	xmrig
behavioral2/files/0x00070000000231ff-34.dat	xmrig
behavioral2/files/0x0007000000023202-46.dat	xmrig
behavioral2/files/0x0007000000023200-40.dat	xmrig
behavioral2/memory/3960-49-0x00007FF65BC90000-0x00007FF65C085000-memory.dmp	xmrig
behavioral2/files/0x0007000000023201-56.dat	xmrig
behavioral2/files/0x0007000000023203-60.dat	xmrig
behavioral2/memory/1348-66-0x00007FF6F2680000-0x00007FF6F2A75000-memory.dmp	xmrig
behavioral2/memory/3740-68-0x00007FF629D80000-0x00007FF62A175000-memory.dmp	xmrig
behavioral2/files/0x0007000000023206-75.dat	xmrig
behavioral2/files/0x0007000000023207-80.dat	xmrig
behavioral2/memory/4868-85-0x00007FF6E0C20000-0x00007FF6E1015000-memory.dmp	xmrig
behavioral2/memory/2776-87-0x00007FF7CDA70000-0x00007FF7CDE65000-memory.dmp	xmrig
behavioral2/memory/3760-88-0x00007FF7BDF20000-0x00007FF7BE315000-memory.dmp	xmrig
behavioral2/files/0x0007000000023209-94.dat	xmrig
behavioral2/files/0x000700000002320a-101.dat	xmrig
behavioral2/files/0x000700000002320b-103.dat	xmrig
behavioral2/memory/4384-112-0x00007FF645BD0000-0x00007FF645FC5000-memory.dmp	xmrig
behavioral2/files/0x000700000002320d-118.dat	xmrig
behavioral2/files/0x000700000002320f-128.dat	xmrig
behavioral2/files/0x0007000000023210-133.dat	xmrig
behavioral2/files/0x0007000000023214-153.dat	xmrig
behavioral2/files/0x0007000000023215-158.dat	xmrig
behavioral2/files/0x0007000000023216-163.dat	xmrig
behavioral2/files/0x0007000000023217-168.dat	xmrig
behavioral2/files/0x0007000000023219-176.dat	xmrig
behavioral2/memory/4564-287-0x00007FF780CD0000-0x00007FF7810C5000-memory.dmp	xmrig
behavioral2/memory/2660-299-0x00007FF7BD470000-0x00007FF7BD865000-memory.dmp	xmrig
behavioral2/memory/4952-301-0x00007FF6CA8F0000-0x00007FF6CACE5000-memory.dmp	xmrig
behavioral2/memory/3488-322-0x00007FF66F030000-0x00007FF66F425000-memory.dmp	xmrig
behavioral2/memory/1980-325-0x00007FF6B70B0000-0x00007FF6B74A5000-memory.dmp	xmrig
behavioral2/memory/2636-333-0x00007FF6F8450000-0x00007FF6F8845000-memory.dmp	xmrig
behavioral2/memory/4080-336-0x00007FF769660000-0x00007FF769A55000-memory.dmp	xmrig
behavioral2/memory/1388-347-0x00007FF7AF8C0000-0x00007FF7AFCB5000-memory.dmp	xmrig
behavioral2/memory/5116-349-0x00007FF658420000-0x00007FF658815000-memory.dmp	xmrig
behavioral2/memory/1200-350-0x00007FF618990000-0x00007FF618D85000-memory.dmp	xmrig
behavioral2/memory/4324-353-0x00007FF78A990000-0x00007FF78AD85000-memory.dmp	xmrig
behavioral2/memory/1300-355-0x00007FF6CE2D0000-0x00007FF6CE6C5000-memory.dmp	xmrig
behavioral2/memory/5020-357-0x00007FF6E63D0000-0x00007FF6E67C5000-memory.dmp	xmrig
behavioral2/memory/2924-359-0x00007FF7D8770000-0x00007FF7D8B65000-memory.dmp	xmrig
behavioral2/memory/4068-361-0x00007FF717FF0000-0x00007FF7183E5000-memory.dmp	xmrig
behavioral2/memory/2384-363-0x00007FF760B90000-0x00007FF760F85000-memory.dmp	xmrig
behavioral2/memory/1620-365-0x00007FF7D3B20000-0x00007FF7D3F15000-memory.dmp	xmrig
behavioral2/memory/3008-367-0x00007FF794400000-0x00007FF7947F5000-memory.dmp	xmrig
behavioral2/memory/640-369-0x00007FF758430000-0x00007FF758825000-memory.dmp	xmrig
behavioral2/memory/1084-371-0x00007FF625780000-0x00007FF625B75000-memory.dmp	xmrig
behavioral2/memory/4292-378-0x00007FF65F4E0000-0x00007FF65F8D5000-memory.dmp	xmrig
behavioral2/memory/3540-383-0x00007FF6EE550000-0x00007FF6EE945000-memory.dmp	xmrig
behavioral2/memory/2388-385-0x00007FF7B2D10000-0x00007FF7B3105000-memory.dmp	xmrig
behavioral2/memory/736-387-0x00007FF6C02F0000-0x00007FF6C06E5000-memory.dmp	xmrig
behavioral2/memory/4436-388-0x00007FF7D56E0000-0x00007FF7D5AD5000-memory.dmp	xmrig
behavioral2/memory/228-381-0x00007FF709B90000-0x00007FF709F85000-memory.dmp	xmrig
behavioral2/memory/4944-368-0x00007FF640D60000-0x00007FF641155000-memory.dmp	xmrig
behavioral2/memory/3208-366-0x00007FF65EA90000-0x00007FF65EE85000-memory.dmp	xmrig
behavioral2/memory/4964-364-0x00007FF6ECA50000-0x00007FF6ECE45000-memory.dmp	xmrig
behavioral2/memory/928-362-0x00007FF6C0E70000-0x00007FF6C1265000-memory.dmp	xmrig
behavioral2/memory/3944-360-0x00007FF757640000-0x00007FF757A35000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4868	PPEauuw.exe
3988	xZTcuUQ.exe
1484	cVOXAnL.exe
1944	qNuWYeG.exe
224	fCyulee.exe
2352	HWkyebz.exe
3500	qxvXvzx.exe
3960	mGBZTVt.exe
4580	aCJeAJK.exe
1348	baEQMzf.exe
3740	NkOtOQF.exe
4640	IeLUuOV.exe
2776	sviCvDz.exe
3760	AZUxJKO.exe
4384	iZOnJaR.exe
2908	OaEEEnY.exe
3444	tPKzsIv.exe
4564	lqxVxZy.exe
704	eLnpIlL.exe
2660	uVIIkvD.exe
4952	meOmKnr.exe
4872	tocAhRU.exe
1900	KztRIAE.exe
4208	MKLurBg.exe
4316	udIJPcC.exe
3488	xrJGXIq.exe
1980	TspVSde.exe
4056	iwruABL.exe
2636	aCbVvzN.exe
4792	YhrTXIM.exe
3704	CZalqnH.exe
4080	RJszjaL.exe
1388	gmXdwfm.exe
2668	MPPYJxS.exe
5116	jFgGYnY.exe
1200	KSZPYwv.exe
1904	yOAoejf.exe
2120	XTUTPwB.exe
4324	HWOABIf.exe
4724	JNWsiYI.exe
1300	xHAmgEk.exe
2796	ZbOXVYX.exe
5020	shVIaEQ.exe
216	snxgvNv.exe
2924	peinQWP.exe
3944	YkwTHlD.exe
4068	LKHQhkX.exe
928	McTUHzU.exe
2384	mAFaznF.exe
4964	anqATut.exe
1620	TrnYxmC.exe
3208	HUsWnlZ.exe
3008	lUeDkbD.exe
4944	KHrckJy.exe
640	lmXGKVp.exe
1084	NsUbBEi.exe
4292	JNDTCcP.exe
228	FJYWUkH.exe
3540	NKBhesm.exe
2388	ilPEnFq.exe
736	NHIJMCB.exe
4436	XpiBNSs.exe
3000	qHSxQjm.exe
3780	qcdgUdi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4848-0-0x00007FF638370000-0x00007FF638765000-memory.dmp	upx
behavioral2/files/0x0010000000023143-4.dat	upx
behavioral2/files/0x000a0000000231aa-11.dat	upx
behavioral2/memory/4868-13-0x00007FF6E0C20000-0x00007FF6E1015000-memory.dmp	upx
behavioral2/files/0x00070000000231fc-21.dat	upx
behavioral2/files/0x00070000000231fd-22.dat	upx
behavioral2/memory/224-30-0x00007FF7901B0000-0x00007FF7905A5000-memory.dmp	upx
behavioral2/files/0x00070000000231fe-32.dat	upx
behavioral2/files/0x00070000000231ff-34.dat	upx
behavioral2/files/0x0007000000023202-46.dat	upx
behavioral2/files/0x0007000000023200-40.dat	upx
behavioral2/memory/3960-49-0x00007FF65BC90000-0x00007FF65C085000-memory.dmp	upx
behavioral2/files/0x0007000000023201-56.dat	upx
behavioral2/files/0x0007000000023203-60.dat	upx
behavioral2/memory/1348-66-0x00007FF6F2680000-0x00007FF6F2A75000-memory.dmp	upx
behavioral2/memory/3740-68-0x00007FF629D80000-0x00007FF62A175000-memory.dmp	upx
behavioral2/files/0x0007000000023206-75.dat	upx
behavioral2/files/0x0007000000023207-80.dat	upx
behavioral2/memory/4868-85-0x00007FF6E0C20000-0x00007FF6E1015000-memory.dmp	upx
behavioral2/memory/2776-87-0x00007FF7CDA70000-0x00007FF7CDE65000-memory.dmp	upx
behavioral2/memory/3760-88-0x00007FF7BDF20000-0x00007FF7BE315000-memory.dmp	upx
behavioral2/files/0x0007000000023209-94.dat	upx
behavioral2/files/0x000700000002320a-101.dat	upx
behavioral2/files/0x000700000002320b-103.dat	upx
behavioral2/memory/4384-112-0x00007FF645BD0000-0x00007FF645FC5000-memory.dmp	upx
behavioral2/files/0x000700000002320d-118.dat	upx
behavioral2/files/0x000700000002320f-128.dat	upx
behavioral2/files/0x0007000000023210-133.dat	upx
behavioral2/files/0x0007000000023214-153.dat	upx
behavioral2/files/0x0007000000023215-158.dat	upx
behavioral2/files/0x0007000000023216-163.dat	upx
behavioral2/files/0x0007000000023217-168.dat	upx
behavioral2/files/0x0007000000023219-176.dat	upx
behavioral2/memory/4564-287-0x00007FF780CD0000-0x00007FF7810C5000-memory.dmp	upx
behavioral2/memory/2660-299-0x00007FF7BD470000-0x00007FF7BD865000-memory.dmp	upx
behavioral2/memory/4952-301-0x00007FF6CA8F0000-0x00007FF6CACE5000-memory.dmp	upx
behavioral2/memory/3488-322-0x00007FF66F030000-0x00007FF66F425000-memory.dmp	upx
behavioral2/memory/1980-325-0x00007FF6B70B0000-0x00007FF6B74A5000-memory.dmp	upx
behavioral2/memory/2636-333-0x00007FF6F8450000-0x00007FF6F8845000-memory.dmp	upx
behavioral2/memory/4080-336-0x00007FF769660000-0x00007FF769A55000-memory.dmp	upx
behavioral2/memory/1388-347-0x00007FF7AF8C0000-0x00007FF7AFCB5000-memory.dmp	upx
behavioral2/memory/5116-349-0x00007FF658420000-0x00007FF658815000-memory.dmp	upx
behavioral2/memory/1200-350-0x00007FF618990000-0x00007FF618D85000-memory.dmp	upx
behavioral2/memory/4324-353-0x00007FF78A990000-0x00007FF78AD85000-memory.dmp	upx
behavioral2/memory/1300-355-0x00007FF6CE2D0000-0x00007FF6CE6C5000-memory.dmp	upx
behavioral2/memory/5020-357-0x00007FF6E63D0000-0x00007FF6E67C5000-memory.dmp	upx
behavioral2/memory/2924-359-0x00007FF7D8770000-0x00007FF7D8B65000-memory.dmp	upx
behavioral2/memory/4068-361-0x00007FF717FF0000-0x00007FF7183E5000-memory.dmp	upx
behavioral2/memory/2384-363-0x00007FF760B90000-0x00007FF760F85000-memory.dmp	upx
behavioral2/memory/1620-365-0x00007FF7D3B20000-0x00007FF7D3F15000-memory.dmp	upx
behavioral2/memory/3008-367-0x00007FF794400000-0x00007FF7947F5000-memory.dmp	upx
behavioral2/memory/640-369-0x00007FF758430000-0x00007FF758825000-memory.dmp	upx
behavioral2/memory/1084-371-0x00007FF625780000-0x00007FF625B75000-memory.dmp	upx
behavioral2/memory/4292-378-0x00007FF65F4E0000-0x00007FF65F8D5000-memory.dmp	upx
behavioral2/memory/3540-383-0x00007FF6EE550000-0x00007FF6EE945000-memory.dmp	upx
behavioral2/memory/2388-385-0x00007FF7B2D10000-0x00007FF7B3105000-memory.dmp	upx
behavioral2/memory/736-387-0x00007FF6C02F0000-0x00007FF6C06E5000-memory.dmp	upx
behavioral2/memory/4436-388-0x00007FF7D56E0000-0x00007FF7D5AD5000-memory.dmp	upx
behavioral2/memory/228-381-0x00007FF709B90000-0x00007FF709F85000-memory.dmp	upx
behavioral2/memory/4944-368-0x00007FF640D60000-0x00007FF641155000-memory.dmp	upx
behavioral2/memory/3208-366-0x00007FF65EA90000-0x00007FF65EE85000-memory.dmp	upx
behavioral2/memory/4964-364-0x00007FF6ECA50000-0x00007FF6ECE45000-memory.dmp	upx
behavioral2/memory/928-362-0x00007FF6C0E70000-0x00007FF6C1265000-memory.dmp	upx
behavioral2/memory/3944-360-0x00007FF757640000-0x00007FF757A35000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\cUahRJU.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\qlZXSFQ.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\cguADih.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\kwMCJbl.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\jXDgtTT.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\LhrlTkh.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\tdXPFNG.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\RhLMVjP.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\AwgJsKG.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\aTKCeql.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\ZJKiqhZ.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\eWvdxri.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\NHbcuYD.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\OaxmvnJ.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\NsyuTxN.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\GjbUeGa.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\KcNssjo.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\nqlsdEZ.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\VpLInvk.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\gzqoXzF.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\MPPYJxS.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\xHAmgEk.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\NVQIreG.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\aSYAizR.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\hFHJtXI.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\IeuOKlL.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\vPKvMrS.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\RFereUR.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\skKCewZ.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\lVycxfE.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\CObXWks.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\LodNqrt.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\wRagIGA.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\tnSkVcS.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\iZOnJaR.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\JibfCIW.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\KBgGAzH.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\nSsJgfj.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\skqwLDp.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\gmXdwfm.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\rFsBCla.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\pfpqtDw.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\xJyIJIN.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\wrzkyyN.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\zTdjxlP.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\KXebgWe.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\LsXRdXV.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\jFgGYnY.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\HWOABIf.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\anqATut.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\trpYnGU.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\bzQWizR.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\qWEnmTR.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\kXEbbSI.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\HTUbjfd.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\watiyEy.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\cVOXAnL.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\lmXGKVp.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\qcdgUdi.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\wyHwVSv.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\UrhVXpp.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\XGubiPN.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\goNacSg.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
File created	C:\Windows\System32\oDdlfHx.exe	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2468	dwm.exe
Token: SeChangeNotifyPrivilege	2468	dwm.exe
Token: 33	2468	dwm.exe
Token: SeIncBasePriorityPrivilege	2468	dwm.exe
Token: SeShutdownPrivilege	2468	dwm.exe
Token: SeCreatePagefilePrivilege	2468	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4868	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	88
PID 4848 wrote to memory of 4868	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	88
PID 4848 wrote to memory of 3988	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	89
PID 4848 wrote to memory of 3988	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	89
PID 4848 wrote to memory of 1484	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	90
PID 4848 wrote to memory of 1484	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	90
PID 4848 wrote to memory of 1944	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	91
PID 4848 wrote to memory of 1944	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	91
PID 4848 wrote to memory of 224	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	92
PID 4848 wrote to memory of 224	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	92
PID 4848 wrote to memory of 2352	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	93
PID 4848 wrote to memory of 2352	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	93
PID 4848 wrote to memory of 3500	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	94
PID 4848 wrote to memory of 3500	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	94
PID 4848 wrote to memory of 4580	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	95
PID 4848 wrote to memory of 4580	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	95
PID 4848 wrote to memory of 3960	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	96
PID 4848 wrote to memory of 3960	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	96
PID 4848 wrote to memory of 1348	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	97
PID 4848 wrote to memory of 1348	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	97
PID 4848 wrote to memory of 3740	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	98
PID 4848 wrote to memory of 3740	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	98
PID 4848 wrote to memory of 4640	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	99
PID 4848 wrote to memory of 4640	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	99
PID 4848 wrote to memory of 2776	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	100
PID 4848 wrote to memory of 2776	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	100
PID 4848 wrote to memory of 3760	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	101
PID 4848 wrote to memory of 3760	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	101
PID 4848 wrote to memory of 4384	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	103
PID 4848 wrote to memory of 4384	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	103
PID 4848 wrote to memory of 2908	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	104
PID 4848 wrote to memory of 2908	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	104
PID 4848 wrote to memory of 3444	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	105
PID 4848 wrote to memory of 3444	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	105
PID 4848 wrote to memory of 4564	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	106
PID 4848 wrote to memory of 4564	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	106
PID 4848 wrote to memory of 704	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	107
PID 4848 wrote to memory of 704	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	107
PID 4848 wrote to memory of 2660	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	108
PID 4848 wrote to memory of 2660	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	108
PID 4848 wrote to memory of 4952	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	109
PID 4848 wrote to memory of 4952	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	109
PID 4848 wrote to memory of 4872	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	110
PID 4848 wrote to memory of 4872	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	110
PID 4848 wrote to memory of 1900	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	111
PID 4848 wrote to memory of 1900	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	111
PID 4848 wrote to memory of 4208	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	112
PID 4848 wrote to memory of 4208	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	112
PID 4848 wrote to memory of 4316	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	113
PID 4848 wrote to memory of 4316	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	113
PID 4848 wrote to memory of 3488	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	114
PID 4848 wrote to memory of 3488	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	114
PID 4848 wrote to memory of 1980	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	115
PID 4848 wrote to memory of 1980	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	115
PID 4848 wrote to memory of 4056	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	116
PID 4848 wrote to memory of 4056	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	116
PID 4848 wrote to memory of 2636	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	117
PID 4848 wrote to memory of 2636	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	117
PID 4848 wrote to memory of 4792	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	118
PID 4848 wrote to memory of 4792	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	118
PID 4848 wrote to memory of 3704	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	119
PID 4848 wrote to memory of 3704	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	119
PID 4848 wrote to memory of 4080	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	120
PID 4848 wrote to memory of 4080	4848	23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe	120

C:\Users\Admin\AppData\Local\Temp\23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe
"C:\Users\Admin\AppData\Local\Temp\23ad1ebc7cf14c83401f9682a8f354579b6e79f5effdb4d8d47a3f8e4819e9db.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\System32\PPEauuw.exe
  C:\Windows\System32\PPEauuw.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\xZTcuUQ.exe
  C:\Windows\System32\xZTcuUQ.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\cVOXAnL.exe
  C:\Windows\System32\cVOXAnL.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System32\qNuWYeG.exe
  C:\Windows\System32\qNuWYeG.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\fCyulee.exe
  C:\Windows\System32\fCyulee.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System32\HWkyebz.exe
  C:\Windows\System32\HWkyebz.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\qxvXvzx.exe
  C:\Windows\System32\qxvXvzx.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\aCJeAJK.exe
  C:\Windows\System32\aCJeAJK.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System32\mGBZTVt.exe
  C:\Windows\System32\mGBZTVt.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System32\baEQMzf.exe
  C:\Windows\System32\baEQMzf.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System32\NkOtOQF.exe
  C:\Windows\System32\NkOtOQF.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\IeLUuOV.exe
  C:\Windows\System32\IeLUuOV.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\sviCvDz.exe
  C:\Windows\System32\sviCvDz.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System32\AZUxJKO.exe
  C:\Windows\System32\AZUxJKO.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System32\iZOnJaR.exe
  C:\Windows\System32\iZOnJaR.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\OaEEEnY.exe
  C:\Windows\System32\OaEEEnY.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System32\tPKzsIv.exe
  C:\Windows\System32\tPKzsIv.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System32\lqxVxZy.exe
  C:\Windows\System32\lqxVxZy.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System32\eLnpIlL.exe
  C:\Windows\System32\eLnpIlL.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System32\uVIIkvD.exe
  C:\Windows\System32\uVIIkvD.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System32\meOmKnr.exe
  C:\Windows\System32\meOmKnr.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System32\tocAhRU.exe
  C:\Windows\System32\tocAhRU.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\KztRIAE.exe
  C:\Windows\System32\KztRIAE.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System32\MKLurBg.exe
  C:\Windows\System32\MKLurBg.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System32\udIJPcC.exe
  C:\Windows\System32\udIJPcC.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\xrJGXIq.exe
  C:\Windows\System32\xrJGXIq.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\TspVSde.exe
  C:\Windows\System32\TspVSde.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\iwruABL.exe
  C:\Windows\System32\iwruABL.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\aCbVvzN.exe
  C:\Windows\System32\aCbVvzN.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System32\YhrTXIM.exe
  C:\Windows\System32\YhrTXIM.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\CZalqnH.exe
  C:\Windows\System32\CZalqnH.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\RJszjaL.exe
  C:\Windows\System32\RJszjaL.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\gmXdwfm.exe
  C:\Windows\System32\gmXdwfm.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System32\MPPYJxS.exe
  C:\Windows\System32\MPPYJxS.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System32\jFgGYnY.exe
  C:\Windows\System32\jFgGYnY.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System32\KSZPYwv.exe
  C:\Windows\System32\KSZPYwv.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System32\yOAoejf.exe
  C:\Windows\System32\yOAoejf.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System32\XTUTPwB.exe
  C:\Windows\System32\XTUTPwB.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System32\HWOABIf.exe
  C:\Windows\System32\HWOABIf.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System32\JNWsiYI.exe
  C:\Windows\System32\JNWsiYI.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\xHAmgEk.exe
  C:\Windows\System32\xHAmgEk.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System32\ZbOXVYX.exe
  C:\Windows\System32\ZbOXVYX.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System32\shVIaEQ.exe
  C:\Windows\System32\shVIaEQ.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\snxgvNv.exe
  C:\Windows\System32\snxgvNv.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System32\peinQWP.exe
  C:\Windows\System32\peinQWP.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System32\YkwTHlD.exe
  C:\Windows\System32\YkwTHlD.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\LKHQhkX.exe
  C:\Windows\System32\LKHQhkX.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System32\McTUHzU.exe
  C:\Windows\System32\McTUHzU.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System32\mAFaznF.exe
  C:\Windows\System32\mAFaznF.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System32\anqATut.exe
  C:\Windows\System32\anqATut.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System32\TrnYxmC.exe
  C:\Windows\System32\TrnYxmC.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\HUsWnlZ.exe
  C:\Windows\System32\HUsWnlZ.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System32\lUeDkbD.exe
  C:\Windows\System32\lUeDkbD.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System32\KHrckJy.exe
  C:\Windows\System32\KHrckJy.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\lmXGKVp.exe
  C:\Windows\System32\lmXGKVp.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\NsUbBEi.exe
  C:\Windows\System32\NsUbBEi.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System32\JNDTCcP.exe
  C:\Windows\System32\JNDTCcP.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System32\FJYWUkH.exe
  C:\Windows\System32\FJYWUkH.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\NKBhesm.exe
  C:\Windows\System32\NKBhesm.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\ilPEnFq.exe
  C:\Windows\System32\ilPEnFq.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System32\NHIJMCB.exe
  C:\Windows\System32\NHIJMCB.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System32\XpiBNSs.exe
  C:\Windows\System32\XpiBNSs.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\qHSxQjm.exe
  C:\Windows\System32\qHSxQjm.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\qcdgUdi.exe
  C:\Windows\System32\qcdgUdi.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System32\NVQIreG.exe
  C:\Windows\System32\NVQIreG.exe
  2⤵
  PID:3584
- C:\Windows\System32\QsSekqT.exe
  C:\Windows\System32\QsSekqT.exe
  2⤵
  PID:3256
- C:\Windows\System32\iwUExBE.exe
  C:\Windows\System32\iwUExBE.exe
  2⤵
  PID:4544
- C:\Windows\System32\XbqxgEi.exe
  C:\Windows\System32\XbqxgEi.exe
  2⤵
  PID:1112
- C:\Windows\System32\NHbcuYD.exe
  C:\Windows\System32\NHbcuYD.exe
  2⤵
  PID:3084
- C:\Windows\System32\IRIPRbp.exe
  C:\Windows\System32\IRIPRbp.exe
  2⤵
  PID:1420
- C:\Windows\System32\jmaADLu.exe
  C:\Windows\System32\jmaADLu.exe
  2⤵
  PID:4028
- C:\Windows\System32\DpKToKh.exe
  C:\Windows\System32\DpKToKh.exe
  2⤵
  PID:5136
- C:\Windows\System32\lodzHeb.exe
  C:\Windows\System32\lodzHeb.exe
  2⤵
  PID:5152
- C:\Windows\System32\JbXaTIm.exe
  C:\Windows\System32\JbXaTIm.exe
  2⤵
  PID:5172
- C:\Windows\System32\MXGVeYU.exe
  C:\Windows\System32\MXGVeYU.exe
  2⤵
  PID:5268
- C:\Windows\System32\rnETEpK.exe
  C:\Windows\System32\rnETEpK.exe
  2⤵
  PID:5284
- C:\Windows\System32\LDUmSmB.exe
  C:\Windows\System32\LDUmSmB.exe
  2⤵
  PID:5300
- C:\Windows\System32\RrONjWf.exe
  C:\Windows\System32\RrONjWf.exe
  2⤵
  PID:5352
- C:\Windows\System32\fJfujBl.exe
  C:\Windows\System32\fJfujBl.exe
  2⤵
  PID:5384
- C:\Windows\System32\jUhCBAf.exe
  C:\Windows\System32\jUhCBAf.exe
  2⤵
  PID:5400
- C:\Windows\System32\gCfqRDY.exe
  C:\Windows\System32\gCfqRDY.exe
  2⤵
  PID:5464
- C:\Windows\System32\ZQXXZNg.exe
  C:\Windows\System32\ZQXXZNg.exe
  2⤵
  PID:5488
- C:\Windows\System32\oLXnNud.exe
  C:\Windows\System32\oLXnNud.exe
  2⤵
  PID:5508
- C:\Windows\System32\eRsuIiD.exe
  C:\Windows\System32\eRsuIiD.exe
  2⤵
  PID:5524
- C:\Windows\System32\NBpWYtC.exe
  C:\Windows\System32\NBpWYtC.exe
  2⤵
  PID:5548
- C:\Windows\System32\skKCewZ.exe
  C:\Windows\System32\skKCewZ.exe
  2⤵
  PID:5692
- C:\Windows\System32\JibfCIW.exe
  C:\Windows\System32\JibfCIW.exe
  2⤵
  PID:5712
- C:\Windows\System32\nsvWZXW.exe
  C:\Windows\System32\nsvWZXW.exe
  2⤵
  PID:5776
- C:\Windows\System32\sFnBpNU.exe
  C:\Windows\System32\sFnBpNU.exe
  2⤵
  PID:5952
- C:\Windows\System32\yMQUtrR.exe
  C:\Windows\System32\yMQUtrR.exe
  2⤵
  PID:5968
- C:\Windows\System32\VANtNwa.exe
  C:\Windows\System32\VANtNwa.exe
  2⤵
  PID:5996
- C:\Windows\System32\cicDMEA.exe
  C:\Windows\System32\cicDMEA.exe
  2⤵
  PID:6040
- C:\Windows\System32\vZsUgwC.exe
  C:\Windows\System32\vZsUgwC.exe
  2⤵
  PID:6068
- C:\Windows\System32\kVtNDIV.exe
  C:\Windows\System32\kVtNDIV.exe
  2⤵
  PID:6100
- C:\Windows\System32\rFsBCla.exe
  C:\Windows\System32\rFsBCla.exe
  2⤵
  PID:3248
- C:\Windows\System32\CtOvJwN.exe
  C:\Windows\System32\CtOvJwN.exe
  2⤵
  PID:5148
- C:\Windows\System32\uIWbePI.exe
  C:\Windows\System32\uIWbePI.exe
  2⤵
  PID:1368
- C:\Windows\System32\YLmnNsW.exe
  C:\Windows\System32\YLmnNsW.exe
  2⤵
  PID:748
- C:\Windows\System32\OADjXmC.exe
  C:\Windows\System32\OADjXmC.exe
  2⤵
  PID:636
- C:\Windows\System32\bzQalaG.exe
  C:\Windows\System32\bzQalaG.exe
  2⤵
  PID:2680
- C:\Windows\System32\oFyNXQb.exe
  C:\Windows\System32\oFyNXQb.exe
  2⤵
  PID:5412
- C:\Windows\System32\xWqLjor.exe
  C:\Windows\System32\xWqLjor.exe
  2⤵
  PID:5436
- C:\Windows\System32\ewOSUyT.exe
  C:\Windows\System32\ewOSUyT.exe
  2⤵
  PID:5500
- C:\Windows\System32\sQXWIes.exe
  C:\Windows\System32\sQXWIes.exe
  2⤵
  PID:4396
- C:\Windows\System32\PWItDIF.exe
  C:\Windows\System32\PWItDIF.exe
  2⤵
  PID:1028
- C:\Windows\System32\SafgNYJ.exe
  C:\Windows\System32\SafgNYJ.exe
  2⤵
  PID:1604
- C:\Windows\System32\bzQWizR.exe
  C:\Windows\System32\bzQWizR.exe
  2⤵
  PID:3224
- C:\Windows\System32\xCAAUad.exe
  C:\Windows\System32\xCAAUad.exe
  2⤵
  PID:5476
- C:\Windows\System32\VrYLCGx.exe
  C:\Windows\System32\VrYLCGx.exe
  2⤵
  PID:5660
- C:\Windows\System32\cDPgwDv.exe
  C:\Windows\System32\cDPgwDv.exe
  2⤵
  PID:5752
- C:\Windows\System32\wRCuUPX.exe
  C:\Windows\System32\wRCuUPX.exe
  2⤵
  PID:4620
- C:\Windows\System32\YjNQZrO.exe
  C:\Windows\System32\YjNQZrO.exe
  2⤵
  PID:3520
- C:\Windows\System32\dmlcCGy.exe
  C:\Windows\System32\dmlcCGy.exe
  2⤵
  PID:5824
- C:\Windows\System32\INHLaDw.exe
  C:\Windows\System32\INHLaDw.exe
  2⤵
  PID:5860
- C:\Windows\System32\ePCKMhp.exe
  C:\Windows\System32\ePCKMhp.exe
  2⤵
  PID:3220
- C:\Windows\System32\DMEskIN.exe
  C:\Windows\System32\DMEskIN.exe
  2⤵
  PID:2708
- C:\Windows\System32\LhrlTkh.exe
  C:\Windows\System32\LhrlTkh.exe
  2⤵
  PID:5000
- C:\Windows\System32\YGcqaHX.exe
  C:\Windows\System32\YGcqaHX.exe
  2⤵
  PID:5936
- C:\Windows\System32\ieFuwzR.exe
  C:\Windows\System32\ieFuwzR.exe
  2⤵
  PID:6056
- C:\Windows\System32\qWEnmTR.exe
  C:\Windows\System32\qWEnmTR.exe
  2⤵
  PID:2196
- C:\Windows\System32\FWblQPn.exe
  C:\Windows\System32\FWblQPn.exe
  2⤵
  PID:6136
- C:\Windows\System32\WsNnDOV.exe
  C:\Windows\System32\WsNnDOV.exe
  2⤵
  PID:5196
- C:\Windows\System32\usroixw.exe
  C:\Windows\System32\usroixw.exe
  2⤵
  PID:5276
- C:\Windows\System32\CJcyGCo.exe
  C:\Windows\System32\CJcyGCo.exe
  2⤵
  PID:5348
- C:\Windows\System32\bPkwIQj.exe
  C:\Windows\System32\bPkwIQj.exe
  2⤵
  PID:5084
- C:\Windows\System32\RWlUlEc.exe
  C:\Windows\System32\RWlUlEc.exe
  2⤵
  PID:3368
- C:\Windows\System32\MeoEwtU.exe
  C:\Windows\System32\MeoEwtU.exe
  2⤵
  PID:2004
- C:\Windows\System32\aGxmPaa.exe
  C:\Windows\System32\aGxmPaa.exe
  2⤵
  PID:5680
- C:\Windows\System32\QyttlaY.exe
  C:\Windows\System32\QyttlaY.exe
  2⤵
  PID:5796
- C:\Windows\System32\JkxySqz.exe
  C:\Windows\System32\JkxySqz.exe
  2⤵
  PID:5496
- C:\Windows\System32\WmPJKxf.exe
  C:\Windows\System32\WmPJKxf.exe
  2⤵
  PID:5868
- C:\Windows\System32\kXEbbSI.exe
  C:\Windows\System32\kXEbbSI.exe
  2⤵
  PID:5724
- C:\Windows\System32\XbfHcgp.exe
  C:\Windows\System32\XbfHcgp.exe
  2⤵
  PID:5988
- C:\Windows\System32\CORfqan.exe
  C:\Windows\System32\CORfqan.exe
  2⤵
  PID:1192
- C:\Windows\System32\lVycxfE.exe
  C:\Windows\System32\lVycxfE.exe
  2⤵
  PID:5656
- C:\Windows\System32\bMrJIRS.exe
  C:\Windows\System32\bMrJIRS.exe
  2⤵
  PID:5208
- C:\Windows\System32\xJyIJIN.exe
  C:\Windows\System32\xJyIJIN.exe
  2⤵
  PID:5768
- C:\Windows\System32\qcCFwCj.exe
  C:\Windows\System32\qcCFwCj.exe
  2⤵
  PID:4332
- C:\Windows\System32\tvuRnmM.exe
  C:\Windows\System32\tvuRnmM.exe
  2⤵
  PID:2684
- C:\Windows\System32\XrAUYcO.exe
  C:\Windows\System32\XrAUYcO.exe
  2⤵
  PID:4388
- C:\Windows\System32\QwxeWvw.exe
  C:\Windows\System32\QwxeWvw.exe
  2⤵
  PID:5764
- C:\Windows\System32\AMzoySN.exe
  C:\Windows\System32\AMzoySN.exe
  2⤵
  PID:3880
- C:\Windows\System32\oipAbpx.exe
  C:\Windows\System32\oipAbpx.exe
  2⤵
  PID:5636
- C:\Windows\System32\uyVZvPA.exe
  C:\Windows\System32\uyVZvPA.exe
  2⤵
  PID:4220
- C:\Windows\System32\wrzkyyN.exe
  C:\Windows\System32\wrzkyyN.exe
  2⤵
  PID:2028
- C:\Windows\System32\EbEWRLk.exe
  C:\Windows\System32\EbEWRLk.exe
  2⤵
  PID:5480
- C:\Windows\System32\IvSGTqd.exe
  C:\Windows\System32\IvSGTqd.exe
  2⤵
  PID:944
- C:\Windows\System32\CgmnnZX.exe
  C:\Windows\System32\CgmnnZX.exe
  2⤵
  PID:5256
- C:\Windows\System32\jbvkDdr.exe
  C:\Windows\System32\jbvkDdr.exe
  2⤵
  PID:3752
- C:\Windows\System32\bSSvsTi.exe
  C:\Windows\System32\bSSvsTi.exe
  2⤵
  PID:6156
- C:\Windows\System32\xLKBwlb.exe
  C:\Windows\System32\xLKBwlb.exe
  2⤵
  PID:6172
- C:\Windows\System32\NuXfTwS.exe
  C:\Windows\System32\NuXfTwS.exe
  2⤵
  PID:6196
- C:\Windows\System32\GjbUeGa.exe
  C:\Windows\System32\GjbUeGa.exe
  2⤵
  PID:6216
- C:\Windows\System32\tdXPFNG.exe
  C:\Windows\System32\tdXPFNG.exe
  2⤵
  PID:6280
- C:\Windows\System32\NTRatoH.exe
  C:\Windows\System32\NTRatoH.exe
  2⤵
  PID:6304
- C:\Windows\System32\ifbqbbU.exe
  C:\Windows\System32\ifbqbbU.exe
  2⤵
  PID:6320
- C:\Windows\System32\KcogKKZ.exe
  C:\Windows\System32\KcogKKZ.exe
  2⤵
  PID:6340
- C:\Windows\System32\VXZKKMH.exe
  C:\Windows\System32\VXZKKMH.exe
  2⤵
  PID:6356
- C:\Windows\System32\VTZEwUh.exe
  C:\Windows\System32\VTZEwUh.exe
  2⤵
  PID:6372
- C:\Windows\System32\KcNssjo.exe
  C:\Windows\System32\KcNssjo.exe
  2⤵
  PID:6420
- C:\Windows\System32\lTyMarq.exe
  C:\Windows\System32\lTyMarq.exe
  2⤵
  PID:6444
- C:\Windows\System32\zTdjxlP.exe
  C:\Windows\System32\zTdjxlP.exe
  2⤵
  PID:6504
- C:\Windows\System32\wjVSzfh.exe
  C:\Windows\System32\wjVSzfh.exe
  2⤵
  PID:6520
- C:\Windows\System32\NmhMqJJ.exe
  C:\Windows\System32\NmhMqJJ.exe
  2⤵
  PID:6544
- C:\Windows\System32\pfpqtDw.exe
  C:\Windows\System32\pfpqtDw.exe
  2⤵
  PID:6560
- C:\Windows\System32\XGubiPN.exe
  C:\Windows\System32\XGubiPN.exe
  2⤵
  PID:6576
- C:\Windows\System32\OlPQiVi.exe
  C:\Windows\System32\OlPQiVi.exe
  2⤵
  PID:6596
- C:\Windows\System32\lTfYnyd.exe
  C:\Windows\System32\lTfYnyd.exe
  2⤵
  PID:6620
- C:\Windows\System32\ZMyklPR.exe
  C:\Windows\System32\ZMyklPR.exe
  2⤵
  PID:6664
- C:\Windows\System32\jRQqFWV.exe
  C:\Windows\System32\jRQqFWV.exe
  2⤵
  PID:6680
- C:\Windows\System32\QMhFXwV.exe
  C:\Windows\System32\QMhFXwV.exe
  2⤵
  PID:6708
- C:\Windows\System32\gysTYPU.exe
  C:\Windows\System32\gysTYPU.exe
  2⤵
  PID:6724
- C:\Windows\System32\ozxcYQK.exe
  C:\Windows\System32\ozxcYQK.exe
  2⤵
  PID:6744
- C:\Windows\System32\VhMFTty.exe
  C:\Windows\System32\VhMFTty.exe
  2⤵
  PID:6764
- C:\Windows\System32\RhLMVjP.exe
  C:\Windows\System32\RhLMVjP.exe
  2⤵
  PID:6784
- C:\Windows\System32\WTElzdy.exe
  C:\Windows\System32\WTElzdy.exe
  2⤵
  PID:6800
- C:\Windows\System32\hewGQBb.exe
  C:\Windows\System32\hewGQBb.exe
  2⤵
  PID:6848
- C:\Windows\System32\goNacSg.exe
  C:\Windows\System32\goNacSg.exe
  2⤵
  PID:6916
- C:\Windows\System32\knVFkJK.exe
  C:\Windows\System32\knVFkJK.exe
  2⤵
  PID:6936
- C:\Windows\System32\gVtYIXA.exe
  C:\Windows\System32\gVtYIXA.exe
  2⤵
  PID:6952
- C:\Windows\System32\kxPVCUh.exe
  C:\Windows\System32\kxPVCUh.exe
  2⤵
  PID:6972
- C:\Windows\System32\UfCWeKo.exe
  C:\Windows\System32\UfCWeKo.exe
  2⤵
  PID:7032
- C:\Windows\System32\cUahRJU.exe
  C:\Windows\System32\cUahRJU.exe
  2⤵
  PID:7132
- C:\Windows\System32\VwfBeVK.exe
  C:\Windows\System32\VwfBeVK.exe
  2⤵
  PID:6168
- C:\Windows\System32\KBgGAzH.exe
  C:\Windows\System32\KBgGAzH.exe
  2⤵
  PID:4784
- C:\Windows\System32\oDdlfHx.exe
  C:\Windows\System32\oDdlfHx.exe
  2⤵
  PID:6260
- C:\Windows\System32\qlZXSFQ.exe
  C:\Windows\System32\qlZXSFQ.exe
  2⤵
  PID:5544
- C:\Windows\System32\jbELBTf.exe
  C:\Windows\System32\jbELBTf.exe
  2⤵
  PID:6312
- C:\Windows\System32\nSsJgfj.exe
  C:\Windows\System32\nSsJgfj.exe
  2⤵
  PID:6348
- C:\Windows\System32\wJVfmee.exe
  C:\Windows\System32\wJVfmee.exe
  2⤵
  PID:6492
- C:\Windows\System32\bvTHsIH.exe
  C:\Windows\System32\bvTHsIH.exe
  2⤵
  PID:6540
- C:\Windows\System32\ykBaisA.exe
  C:\Windows\System32\ykBaisA.exe
  2⤵
  PID:6532
- C:\Windows\System32\jUkmXOO.exe
  C:\Windows\System32\jUkmXOO.exe
  2⤵
  PID:6592
- C:\Windows\System32\poTfBNV.exe
  C:\Windows\System32\poTfBNV.exe
  2⤵
  PID:6676
- C:\Windows\System32\SJRIIvX.exe
  C:\Windows\System32\SJRIIvX.exe
  2⤵
  PID:6780
- C:\Windows\System32\WpnoVNb.exe
  C:\Windows\System32\WpnoVNb.exe
  2⤵
  PID:6792
- C:\Windows\System32\TgfHCed.exe
  C:\Windows\System32\TgfHCed.exe
  2⤵
  PID:6736
- C:\Windows\System32\peYSiKB.exe
  C:\Windows\System32\peYSiKB.exe
  2⤵
  PID:6948
- C:\Windows\System32\HTUbjfd.exe
  C:\Windows\System32\HTUbjfd.exe
  2⤵
  PID:6980
- C:\Windows\System32\qDTMhCR.exe
  C:\Windows\System32\qDTMhCR.exe
  2⤵
  PID:7020
- C:\Windows\System32\igMFmpX.exe
  C:\Windows\System32\igMFmpX.exe
  2⤵
  PID:7116
- C:\Windows\System32\RFBNpjK.exe
  C:\Windows\System32\RFBNpjK.exe
  2⤵
  PID:5568
- C:\Windows\System32\KXebgWe.exe
  C:\Windows\System32\KXebgWe.exe
  2⤵
  PID:7164
- C:\Windows\System32\kIthzHW.exe
  C:\Windows\System32\kIthzHW.exe
  2⤵
  PID:6296
- C:\Windows\System32\cguADih.exe
  C:\Windows\System32\cguADih.exe
  2⤵
  PID:1652
- C:\Windows\System32\LDILBGe.exe
  C:\Windows\System32\LDILBGe.exe
  2⤵
  PID:6488
- C:\Windows\System32\BONymVI.exe
  C:\Windows\System32\BONymVI.exe
  2⤵
  PID:6608
- C:\Windows\System32\kYZYREG.exe
  C:\Windows\System32\kYZYREG.exe
  2⤵
  PID:6892
- C:\Windows\System32\VukJhFd.exe
  C:\Windows\System32\VukJhFd.exe
  2⤵
  PID:6896
- C:\Windows\System32\OaxmvnJ.exe
  C:\Windows\System32\OaxmvnJ.exe
  2⤵
  PID:7108
- C:\Windows\System32\PihypHv.exe
  C:\Windows\System32\PihypHv.exe
  2⤵
  PID:5244
- C:\Windows\System32\DsObANa.exe
  C:\Windows\System32\DsObANa.exe
  2⤵
  PID:6452
- C:\Windows\System32\watiyEy.exe
  C:\Windows\System32\watiyEy.exe
  2⤵
  PID:6640
- C:\Windows\System32\LOvnyiG.exe
  C:\Windows\System32\LOvnyiG.exe
  2⤵
  PID:6644
- C:\Windows\System32\hKQOsRQ.exe
  C:\Windows\System32\hKQOsRQ.exe
  2⤵
  PID:6188
- C:\Windows\System32\NciJGiw.exe
  C:\Windows\System32\NciJGiw.exe
  2⤵
  PID:5164
- C:\Windows\System32\BTxaysg.exe
  C:\Windows\System32\BTxaysg.exe
  2⤵
  PID:7196
- C:\Windows\System32\nqlsdEZ.exe
  C:\Windows\System32\nqlsdEZ.exe
  2⤵
  PID:7268
- C:\Windows\System32\cHQkmvx.exe
  C:\Windows\System32\cHQkmvx.exe
  2⤵
  PID:7300
- C:\Windows\System32\VTDZsyU.exe
  C:\Windows\System32\VTDZsyU.exe
  2⤵
  PID:7344
- C:\Windows\System32\kwMCJbl.exe
  C:\Windows\System32\kwMCJbl.exe
  2⤵
  PID:7364
- C:\Windows\System32\OPWrXxL.exe
  C:\Windows\System32\OPWrXxL.exe
  2⤵
  PID:7400
- C:\Windows\System32\orXmoGD.exe
  C:\Windows\System32\orXmoGD.exe
  2⤵
  PID:7416
- C:\Windows\System32\NsyuTxN.exe
  C:\Windows\System32\NsyuTxN.exe
  2⤵
  PID:7440
- C:\Windows\System32\hFbcQPg.exe
  C:\Windows\System32\hFbcQPg.exe
  2⤵
  PID:7464
- C:\Windows\System32\wenpzVO.exe
  C:\Windows\System32\wenpzVO.exe
  2⤵
  PID:7488
- C:\Windows\System32\QSaNXDS.exe
  C:\Windows\System32\QSaNXDS.exe
  2⤵
  PID:7520
- C:\Windows\System32\jXDgtTT.exe
  C:\Windows\System32\jXDgtTT.exe
  2⤵
  PID:7576
- C:\Windows\System32\EWDFrYD.exe
  C:\Windows\System32\EWDFrYD.exe
  2⤵
  PID:7596
- C:\Windows\System32\KpfiPbW.exe
  C:\Windows\System32\KpfiPbW.exe
  2⤵
  PID:7620
- C:\Windows\System32\vUxEfPR.exe
  C:\Windows\System32\vUxEfPR.exe
  2⤵
  PID:7636
- C:\Windows\System32\CObXWks.exe
  C:\Windows\System32\CObXWks.exe
  2⤵
  PID:7656
- C:\Windows\System32\IIhGVXQ.exe
  C:\Windows\System32\IIhGVXQ.exe
  2⤵
  PID:7676
- C:\Windows\System32\JMoIiWS.exe
  C:\Windows\System32\JMoIiWS.exe
  2⤵
  PID:7700
- C:\Windows\System32\bqzuhXm.exe
  C:\Windows\System32\bqzuhXm.exe
  2⤵
  PID:7716
- C:\Windows\System32\DVmKigG.exe
  C:\Windows\System32\DVmKigG.exe
  2⤵
  PID:7776
- C:\Windows\System32\tEZrLkI.exe
  C:\Windows\System32\tEZrLkI.exe
  2⤵
  PID:7796
- C:\Windows\System32\eFvRIrs.exe
  C:\Windows\System32\eFvRIrs.exe
  2⤵
  PID:7852
- C:\Windows\System32\jkyFiDy.exe
  C:\Windows\System32\jkyFiDy.exe
  2⤵
  PID:7900
- C:\Windows\System32\vXxHdRj.exe
  C:\Windows\System32\vXxHdRj.exe
  2⤵
  PID:7932
- C:\Windows\System32\CowGEJs.exe
  C:\Windows\System32\CowGEJs.exe
  2⤵
  PID:7964
- C:\Windows\System32\vPKvMrS.exe
  C:\Windows\System32\vPKvMrS.exe
  2⤵
  PID:8000
- C:\Windows\System32\IioaJUg.exe
  C:\Windows\System32\IioaJUg.exe
  2⤵
  PID:8036
- C:\Windows\System32\VpLInvk.exe
  C:\Windows\System32\VpLInvk.exe
  2⤵
  PID:8060
- C:\Windows\System32\YqvWxyq.exe
  C:\Windows\System32\YqvWxyq.exe
  2⤵
  PID:8080
- C:\Windows\System32\QyKWRVJ.exe
  C:\Windows\System32\QyKWRVJ.exe
  2⤵
  PID:8096
- C:\Windows\System32\jZsvQcr.exe
  C:\Windows\System32\jZsvQcr.exe
  2⤵
  PID:8120
- C:\Windows\System32\LuyIDxd.exe
  C:\Windows\System32\LuyIDxd.exe
  2⤵
  PID:8136
- C:\Windows\System32\jnPyXyK.exe
  C:\Windows\System32\jnPyXyK.exe
  2⤵
  PID:8168
- C:\Windows\System32\WqNkbSb.exe
  C:\Windows\System32\WqNkbSb.exe
  2⤵
  PID:6208
- C:\Windows\System32\gzqoXzF.exe
  C:\Windows\System32\gzqoXzF.exe
  2⤵
  PID:6568
- C:\Windows\System32\kjpXVEF.exe
  C:\Windows\System32\kjpXVEF.exe
  2⤵
  PID:7180
- C:\Windows\System32\eCjLttU.exe
  C:\Windows\System32\eCjLttU.exe
  2⤵
  PID:7208
- C:\Windows\System32\TXDFbMJ.exe
  C:\Windows\System32\TXDFbMJ.exe
  2⤵
  PID:7288
- C:\Windows\System32\aSYAizR.exe
  C:\Windows\System32\aSYAizR.exe
  2⤵
  PID:7452
- C:\Windows\System32\IWNzRZn.exe
  C:\Windows\System32\IWNzRZn.exe
  2⤵
  PID:7512
- C:\Windows\System32\vxUBHyb.exe
  C:\Windows\System32\vxUBHyb.exe
  2⤵
  PID:7628
- C:\Windows\System32\ofZRlxR.exe
  C:\Windows\System32\ofZRlxR.exe
  2⤵
  PID:7608
- C:\Windows\System32\skqwLDp.exe
  C:\Windows\System32\skqwLDp.exe
  2⤵
  PID:7764
- C:\Windows\System32\oRQpNzh.exe
  C:\Windows\System32\oRQpNzh.exe
  2⤵
  PID:7740
- C:\Windows\System32\xxDQJKn.exe
  C:\Windows\System32\xxDQJKn.exe
  2⤵
  PID:7840
- C:\Windows\System32\AwgJsKG.exe
  C:\Windows\System32\AwgJsKG.exe
  2⤵
  PID:7916
- C:\Windows\System32\erbhbwO.exe
  C:\Windows\System32\erbhbwO.exe
  2⤵
  PID:7960
- C:\Windows\System32\oOfkKhZ.exe
  C:\Windows\System32\oOfkKhZ.exe
  2⤵
  PID:7984
- C:\Windows\System32\LodNqrt.exe
  C:\Windows\System32\LodNqrt.exe
  2⤵
  PID:8092
- C:\Windows\System32\LmjzODa.exe
  C:\Windows\System32\LmjzODa.exe
  2⤵
  PID:8184
- C:\Windows\System32\ZupauYG.exe
  C:\Windows\System32\ZupauYG.exe
  2⤵
  PID:7176
- C:\Windows\System32\RsLNQay.exe
  C:\Windows\System32\RsLNQay.exe
  2⤵
  PID:5564
- C:\Windows\System32\bJugkvk.exe
  C:\Windows\System32\bJugkvk.exe
  2⤵
  PID:7092
- C:\Windows\System32\avskKXO.exe
  C:\Windows\System32\avskKXO.exe
  2⤵
  PID:7352
- C:\Windows\System32\AcSCAkT.exe
  C:\Windows\System32\AcSCAkT.exe
  2⤵
  PID:5448
- C:\Windows\System32\daMBPrS.exe
  C:\Windows\System32\daMBPrS.exe
  2⤵
  PID:7692
- C:\Windows\System32\OsTpuhG.exe
  C:\Windows\System32\OsTpuhG.exe
  2⤵
  PID:7708
- C:\Windows\System32\qYuQkVI.exe
  C:\Windows\System32\qYuQkVI.exe
  2⤵
  PID:7896
- C:\Windows\System32\svbLEja.exe
  C:\Windows\System32\svbLEja.exe
  2⤵
  PID:8068
- C:\Windows\System32\NXAqYUN.exe
  C:\Windows\System32\NXAqYUN.exe
  2⤵
  PID:6776
- C:\Windows\System32\HZTxCJK.exe
  C:\Windows\System32\HZTxCJK.exe
  2⤵
  PID:5576
- C:\Windows\System32\rUxaWhP.exe
  C:\Windows\System32\rUxaWhP.exe
  2⤵
  PID:7868
- C:\Windows\System32\aTKCeql.exe
  C:\Windows\System32\aTKCeql.exe
  2⤵
  PID:7644
- C:\Windows\System32\cLBxCLk.exe
  C:\Windows\System32\cLBxCLk.exe
  2⤵
  PID:7788
- C:\Windows\System32\AhVgUmm.exe
  C:\Windows\System32\AhVgUmm.exe
  2⤵
  PID:8076
- C:\Windows\System32\AXDxBiK.exe
  C:\Windows\System32\AXDxBiK.exe
  2⤵
  PID:6336
- C:\Windows\System32\CPHTjoZ.exe
  C:\Windows\System32\CPHTjoZ.exe
  2⤵
  PID:8244
- C:\Windows\System32\QAtHMqk.exe
  C:\Windows\System32\QAtHMqk.exe
  2⤵
  PID:8324
- C:\Windows\System32\gAfgACw.exe
  C:\Windows\System32\gAfgACw.exe
  2⤵
  PID:8356
- C:\Windows\System32\gNJmiBw.exe
  C:\Windows\System32\gNJmiBw.exe
  2⤵
  PID:8376
- C:\Windows\System32\ANPHjBR.exe
  C:\Windows\System32\ANPHjBR.exe
  2⤵
  PID:8396
- C:\Windows\System32\mAclbMH.exe
  C:\Windows\System32\mAclbMH.exe
  2⤵
  PID:8416
- C:\Windows\System32\RFereUR.exe
  C:\Windows\System32\RFereUR.exe
  2⤵
  PID:8436
- C:\Windows\System32\siQThDu.exe
  C:\Windows\System32\siQThDu.exe
  2⤵
  PID:8456
- C:\Windows\System32\rlIpMEJ.exe
  C:\Windows\System32\rlIpMEJ.exe
  2⤵
  PID:8480
- C:\Windows\System32\GmvEGZN.exe
  C:\Windows\System32\GmvEGZN.exe
  2⤵
  PID:8500
- C:\Windows\System32\WtchCMg.exe
  C:\Windows\System32\WtchCMg.exe
  2⤵
  PID:8520
- C:\Windows\System32\iSHovAv.exe
  C:\Windows\System32\iSHovAv.exe
  2⤵
  PID:8536
- C:\Windows\System32\UgZEmCU.exe
  C:\Windows\System32\UgZEmCU.exe
  2⤵
  PID:8556
- C:\Windows\System32\smromgV.exe
  C:\Windows\System32\smromgV.exe
  2⤵
  PID:8576
- C:\Windows\System32\wRagIGA.exe
  C:\Windows\System32\wRagIGA.exe
  2⤵
  PID:8608
- C:\Windows\System32\bbAMgsV.exe
  C:\Windows\System32\bbAMgsV.exe
  2⤵
  PID:8632
- C:\Windows\System32\BsQzrdg.exe
  C:\Windows\System32\BsQzrdg.exe
  2⤵
  PID:8676
- C:\Windows\System32\quNXTyn.exe
  C:\Windows\System32\quNXTyn.exe
  2⤵
  PID:8696
- C:\Windows\System32\xwFTWPP.exe
  C:\Windows\System32\xwFTWPP.exe
  2⤵
  PID:8768
- C:\Windows\System32\wyHwVSv.exe
  C:\Windows\System32\wyHwVSv.exe
  2⤵
  PID:8788
- C:\Windows\System32\WBmJoSp.exe
  C:\Windows\System32\WBmJoSp.exe
  2⤵
  PID:8804
- C:\Windows\System32\vDbvQfa.exe
  C:\Windows\System32\vDbvQfa.exe
  2⤵
  PID:8836
- C:\Windows\System32\HBJmjID.exe
  C:\Windows\System32\HBJmjID.exe
  2⤵
  PID:8856
- C:\Windows\System32\keOFwiu.exe
  C:\Windows\System32\keOFwiu.exe
  2⤵
  PID:8948
- C:\Windows\System32\XzaYatE.exe
  C:\Windows\System32\XzaYatE.exe
  2⤵
  PID:9016
- C:\Windows\System32\bXcWceC.exe
  C:\Windows\System32\bXcWceC.exe
  2⤵
  PID:9060
- C:\Windows\System32\jbOIVSN.exe
  C:\Windows\System32\jbOIVSN.exe
  2⤵
  PID:9080
- C:\Windows\System32\trQgOFl.exe
  C:\Windows\System32\trQgOFl.exe
  2⤵
  PID:9100
- C:\Windows\System32\vTkBmii.exe
  C:\Windows\System32\vTkBmii.exe
  2⤵
  PID:9124
- C:\Windows\System32\vNhwJOZ.exe
  C:\Windows\System32\vNhwJOZ.exe
  2⤵
  PID:9144

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AZUxJKO.exe

Filesize
3.1MB

MD5
aa4a214f9feb7b94d279751694bf279e

SHA1
8a5568143e37bbac9b270150daae399e2228bcec

SHA256
6da4fa3f8bc9d8431db83a9a2799b89e55fb05da6f6a577ebcedbe1d77aac4a4

SHA512
cad967c5d611adb759de7e9cb07eba0b9591bf065fb35793c07a0d7e5571683cfd5edc67e107bad7addc7f771a1d8d42b78b9d1cdf7c491b2b26788505d3aa62

Download Submit
C:\Windows\System32\CZalqnH.exe

Filesize
3.1MB

MD5
aa44eb487c23fd4d74b30a4ce07e3f06

SHA1
4a254d6ead6c67752e366fbe242648305f20ed4c

SHA256
5f343d65d74304f7951f49283f99ebe6bb8e85088fe48c11eaf56fd65a6f26c6

SHA512
7d687ec5e699f29b4d4506fc50240c1cbeae063fd5b954cc635723c71d43e491ec1d6eea2d1728e7e414c9ecaad31c3348077c5116d870fc84f299e501b6741a

Download Submit
C:\Windows\System32\HWkyebz.exe

Filesize
3.1MB

MD5
2e514b55437d06f2ca3f844a706b05cd

SHA1
a576feb2f017d9da1e5a3c4b59558c7ee71f7468

SHA256
c7895f9806238662d5fd0c6749c75f3c37dc1b2418a40473aa04e554389301e8

SHA512
17ce07361c8a6cf508d11fe47a98f66b44f4b7fda4201f23c3c7c73a5b2013e21c25fc0051d53d9e99e10bea4bf8d54d9bff080ba495505e97b41357aaff93ac

Download Submit
C:\Windows\System32\IeLUuOV.exe

Filesize
3.1MB

MD5
7e046930d5527f49a3c2f86e9b055568

SHA1
a2ccb3cc595dfee6dfb9884941f249116f56289f

SHA256
d4debcb21486c3786d8339886c67a998dae0960ceb6347b632783aee40c7c250

SHA512
583bfc58a2e1a9859b1cc53947901951d2ad03513eb4b0026ce1fb338f2562c57a0f691e64289a765bab3dab390c17fdaf6a4edb3c6b79b64ff13971f563db0c

Download Submit
C:\Windows\System32\KztRIAE.exe

Filesize
3.1MB

MD5
f8b454e2c73535a844ae8d5ab984e16b

SHA1
5113bc683357501b03174b6e8886052e41f81552

SHA256
60560e153746946d4918a8e6d470c7661d1a1e8444b32f28f690844c8daf4a0b

SHA512
30b135a9e901ee406d92842c6e59eb9214e7850de18e68afffd0acbef8a08f99f30454b12ac92f2b57c1bd042e8c241e0d5fdd1496f1ab3a051d69a7d1719ec3

Download Submit
C:\Windows\System32\MKLurBg.exe

Filesize
3.1MB

MD5
5b42d6b6b6379a401d8f783aa1572f61

SHA1
35a42e61fb6d88480717cb1b914e57a6f8ebb799

SHA256
8953c0fab5de7788661b6a79b5832dc88e512d39439c0087b03234412c210ca9

SHA512
73836cca565ef0b4bac7933f103153a5e842be17a9016157b5e46c7b6a74879c6b9b2f791ca906c30a2a1ab6aebb384c87a6e2b9fd4ff34b605d3da4a1e2c808

Download Submit
C:\Windows\System32\NkOtOQF.exe

Filesize
3.1MB

MD5
68edce3da04de3a40dae495683046480

SHA1
0ece4d884539cdeac98428151aa924b0a2e81ff4

SHA256
1817c9a385f925d9a3a1585f80404ec0baa85707bf77e2e7ff16e4d8c59c0381

SHA512
2ec01414c1be5bf60f0eff41ccb200ed1cf85bff1877c6df784f22de24308fe0ce6a5ceac7e53f354c98cd24d250b1f00f93ac96c88b9da271a593016555e98c

Download Submit
C:\Windows\System32\OaEEEnY.exe

Filesize
3.1MB

MD5
202f99ad54025c1f15cf3de3a4de7fad

SHA1
e5bd3928ca4d8b28a101c123f03891d9c48065c5

SHA256
c24aaa5381ed81bf83d40710269246cbba62437c625145d2ae745ebb201cf30b

SHA512
1d55864bdc34377db063ff21aaa2560d4b736b76fa4dc9d11c733837364e8b0ec71d07cd155e2174ab44482f78d0888b9e583babbd1f0b1547e7d28feef2ad16

Download Submit
C:\Windows\System32\PPEauuw.exe

Filesize
3.1MB

MD5
c88e3d43af1d2a5b1546a2cff3b43bf0

SHA1
2854008921975a4e229d49ca1fe5edbee55c7f0f

SHA256
1c5df63bef7b2ed78dfc7584c7754601d466a3e177f335cabfc154ffc5b0105e

SHA512
9c3b70b5badfe4eb41025e179f1ae5a632d1c4bab9d04bcec45da6f1c602bcbe008eef39e462306b90d1a6b746ede9ac4f7706df73edf3f7fbe3c4f2bca2af87

Download Submit
C:\Windows\System32\RJszjaL.exe

Filesize
3.1MB

MD5
e2a039083ce78dd62495faf1f029fce6

SHA1
b6b895f12bedfda4a6acf4c6565aaefb9a4d06d9

SHA256
1c6ba2ab39926a3525d4d97ccac0adab288b4e7e93816b71d440ba0bff0792d6

SHA512
44ebf31bda3aace73f635a2127e4ace955da294fa4e3fdc269314f4026d3a7b7c9cac9375a12ae101ec14dfd0b0d2a4ce08144afe1543981a9bd6528c425c9af

Download Submit
C:\Windows\System32\TspVSde.exe

Filesize
3.1MB

MD5
68350c0b69678676870b8c9ee69f0e5d

SHA1
2b58c0b192c6e236d0d49f4ea43a0da1b8fc8ef4

SHA256
e0ada32f3691719250ba44579ad464005aac573208204fe9e9e639d3e9e75abb

SHA512
7a2c5819565ae97da96dfa64244f11d0f0df3b0535341ac392d9199c777408787836c90d01dbd1fe514aa8e80d086db2aac218d103348c876fdfe991ce4eb6a5

Download Submit
C:\Windows\System32\YhrTXIM.exe

Filesize
3.1MB

MD5
6979eb1a676f5243cd0b058f7e713ac6

SHA1
af2848cf9e804bc6afe48d6fc094a1cd9ca9d049

SHA256
7081dd3f0ea654c839667d266f397d91f0172bfa859d6d19cede351d6d883069

SHA512
0b169f3d7658389eaaee83986898cb6f356e8259854031f6864093d88756403fb7ed0fa7d93efd849b70ada297f8f23b4ead0180c752e8ca92f1510797cfd98e

Download Submit
C:\Windows\System32\aCJeAJK.exe

Filesize
3.1MB

MD5
4c51a18650560cb94ae5c2eedf85eea6

SHA1
f1aa988aec54076e0322a7bc29b7a38db37053d8

SHA256
b0e47344d7c94286546261e003c1bf509b3929612f53ce1f67af7ed2e76dfb8b

SHA512
fca939130736a2d528ee50a1fc2ca857de299d64703fa96bd3f2cf8498759974a90a48db2ddb468ccab33cd7e324a1b0b6e6d272563c74265a1e20090c533797

Download Submit
C:\Windows\System32\aCbVvzN.exe

Filesize
3.1MB

MD5
2ea6e421953e404d4dd899b2a60ee643

SHA1
7b8de1d3273d9cbc48b06e0c052894bd6413306c

SHA256
b5b0e2c2426b1a7ec1220c909327eda1ff4e43c46f0518321922b171c0f7492e

SHA512
003f8e843cab101c632f66b6a27e150f4a9fb4b638fdfd83fdd48e8316ea6b76b77e145a0859842f6053df1c73e491b3f5350f28835f8196b7aad375b3fbdbee

Download Submit
C:\Windows\System32\baEQMzf.exe

Filesize
3.1MB

MD5
3abc5635db927ffd9c77b4d6df09c4f8

SHA1
bb9c1a316fb533b6d36fc627f99edd05bf241dc5

SHA256
9c23f0becea0686835a360dba5a1ae7d3b6a750ce631255b9a619e8f15f550b5

SHA512
0c235633aa06a01939b85348167bfdc9e26d739f2b2017e03f7f2cac6c73de9f84e2fd9834c10c77936a2c49c38107bd8d68e7ad18363534c97b2fedc840fbff

Download Submit
C:\Windows\System32\cVOXAnL.exe

Filesize
3.1MB

MD5
be5a3f5e26f77badc9e55fca4a2c1d46

SHA1
7a48fecae74598cab7cd704d17f7727175287e8b

SHA256
5beb83f823aa64eccafd7f9d4f91682d99df509a72df1500b335f01dc0fe30a1

SHA512
efda533f14f8594d73e2c749e32e6e573fc182306f29a7c5157d8b05a4d70943bec6c590a4419031772d3a33571978c1f4bd71b9af0dbdec3b937e66b182a3d5

Download Submit
C:\Windows\System32\eLnpIlL.exe

Filesize
3.1MB

MD5
d9617da39318537d932de6cf093cbff5

SHA1
16d308fa4e5b93c219faf53989226a6f9a178bc0

SHA256
af35572994956ccf83a6c34d99593f979ff0f14d5c937c19418acf8992fe2d6a

SHA512
4c5bbe2e46b15f81859277ed20656a97f5029270fdbaed43c4ee0272d1e6700505814dae9e27f3ca5527f34da3442b2d294e3c26ba66c7d98f32df6418195e9c

Download Submit
C:\Windows\System32\fCyulee.exe

Filesize
3.1MB

MD5
a6b4090744f820305ea67d645f5b037a

SHA1
50c5275b094405a4c56f0e6bb221f2a6acc2abf8

SHA256
c59f4fd0d5c7be02a3c592e8a834f06f3e6bf7c4b3de511b3b255dcaacdb5bbc

SHA512
0137abd4c775e6f2e1bcafee620985657c1727c89e626883a6331b5b14cfab0a742093e30296aea091d786f6f49449fc674ddab0cd5feba9267e924b5fb457c5

Download Submit
C:\Windows\System32\iZOnJaR.exe

Filesize
3.1MB

MD5
2c8296b3680426f6f1a8670e96c32a26

SHA1
7bffdf33050aa752152296973a6cc4bae64c3a28

SHA256
ce25fc7c86bc204763173a1fd04da9bbd0536b3f09417e074e1e2d2af75b2da0

SHA512
d764baba1ba47baf99cac994f21468c1ad3462fb437a6cd07f8a5dd7adbde7f0953f7161e6508ccd6e8bf742fda921f1f87d89d385270be4e15b40940aa9b713

Download Submit
C:\Windows\System32\iwruABL.exe

Filesize
3.1MB

MD5
25528ccf1692227c13b61b4743136dd4

SHA1
d3086f7b4149e1306633535e271a08a69722ff34

SHA256
f3fbe3b1b37954cfa08e65f9ebee9c6173c5f626c94d6be968f0c6141546b0d5

SHA512
5d5ef2fef491fab378bb0e808e6953ac3e7994e54eebf31751bfd5afde98a96ab285cbff9e661bc153988020e7331bb023e9202ec4b94f6d93f2b184df494b87

Download Submit
C:\Windows\System32\lqxVxZy.exe

Filesize
3.1MB

MD5
8093e698f2bd38538eded3ebba7c4f08

SHA1
2b8f8c6e8f7165fc896f27581177bd453ca287d5

SHA256
961454899e969eb28ec9a5c1316d8e89df6b82e8b15f6b4fa6f9b21cfdaf5802

SHA512
bc20b54164002406d49a74b82795bc50f894c9b992bfee15fa594244af155f046f78fb639f0654467b9c0fca8536ea1536933cc64b848fd61d66a9309991ce1e

Download Submit
C:\Windows\System32\mGBZTVt.exe

Filesize
3.1MB

MD5
cf6549dad42a0ad7ea22412eb5e354ec

SHA1
8ad1ce2c4ed214108ba5ea291e20d295044f8fba

SHA256
f2c560a62235542f968988b9365b41a9543c9cfc21cd180f59b6895334ba2c0e

SHA512
d60870e864c9b688faead21d699ba607800a5cb3b8f884496ac7b96fe79c07fc4670bfbbb0b7a704f76f781b129d4574103c457162ebd8691472615dca0db90d

Download Submit
C:\Windows\System32\meOmKnr.exe

Filesize
3.1MB

MD5
23a9d31de89acec346ed1c3a81de5da5

SHA1
8f5cab0ee39ac1aae3a4d3934d279cae62a4999c

SHA256
61b96024cdb6e275e25e87833ccf344c4ebb283523dac8e1ecdddb9e43f6e697

SHA512
52713245d80c6ca672c10cc25c0a0df844c32f7d0f56fb3e3746128c201ab8c1380186ad9353a07b2b8b964e88ef3b2ef74cb35bbce4d63e384f6a13837728c9

Download Submit
C:\Windows\System32\qNuWYeG.exe

Filesize
3.1MB

MD5
cf277c80bfb0bea175be867446447989

SHA1
0e563dd76ebeee58e01a49d988450aeb9c112765

SHA256
17642244f947716d77a12a63a4d42c7507f769a08f441a5b16590e7c79acf471

SHA512
45e35b9e938b9218aa85ee26e2903f48fc27eb30ccbd0a3509391868132c7217de408536492618394df4bf11ebacc05982ee0c99fbe8e546e8b74f28b875883a

Download Submit
C:\Windows\System32\qxvXvzx.exe

Filesize
3.1MB

MD5
7f1aa61222c8e08293c07d5809d15ac8

SHA1
fb48efe4246c60609c9d7463d42a17f10908eeb0

SHA256
66d630703e43702516e1445b09048a196f3b7d125ea4604649f379e387d67f38

SHA512
47bb8520e4580843073f7cabbf8c366b2454c11567c356da79e98c192be61d932514c58ed85bcf33bc2dedccf1468842241b32cd2028bf876bb7bd844f945630

Download Submit
C:\Windows\System32\sviCvDz.exe

Filesize
3.1MB

MD5
3558bd8558b06f6787d0dec2f970b9a2

SHA1
b2477be6e7be9cce803b4f033ea7970dd42b2eed

SHA256
676530dc730c43d270e816e376f59695bb0986a2f48fd3ed7663f38a8e4bb4c3

SHA512
05f93aa5ca7fcde0799f734ea4884cb99908d4361f5ba918e4e68b60a63e3288cd971a7cce8dc44f4879bd721e540fac89994ec4963ff4a698d6306ae0497258

Download Submit
C:\Windows\System32\tPKzsIv.exe

Filesize
3.1MB

MD5
d7b8faf8551b9150511866b2f5c01272

SHA1
3150b74b0e1c45ea663bb294a65163e23a31a84b

SHA256
eac1cfe706362606a606f5a6bd4ba66c64bbc613c423ac73362b14af703a456a

SHA512
25f67effe38fbad2c885d948e5f1e02b968a4f72ef4e420bcc4ca06e54f7710b4dba9da1b238d5b0b9e9a997fd133deca80a47c27fb40b92437f436e692335f5

Download Submit
C:\Windows\System32\tocAhRU.exe

Filesize
3.1MB

MD5
cfbb2eb2f680f2602c386f0aa76fc9ec

SHA1
8bacdb71695262efd078fdf52fd5953ea6b8234e

SHA256
be903e46bd64575b3ef62be2146cc59f2e1de246c2c419910da04ec330a2225c

SHA512
6d181ce36a9012970e40b26e1ea8ff57acb01a25f0d87beb10f34bcec57232e14a0bf42450266f62187c530228230d912dee57328c00398acdd28579f21f2f0a

Download Submit
C:\Windows\System32\uVIIkvD.exe

Filesize
3.1MB

MD5
9cf08a6eca8b5f06701dbd00ef6908bf

SHA1
9efc64ccebc45cdbdb1dbc6c03edbfcc5893a008

SHA256
1ef99b69fcf76e3a0ea93ffde1709917280af855b64e4b1c35968e2685bd3496

SHA512
b6640eeb3581e7fd385b5beb39ccdd1945380978a8e883fed637dbeb7088d46c48816867393c19250a4beded1d3551b921df455618f9899502297aac02e14921

Download Submit
C:\Windows\System32\udIJPcC.exe

Filesize
3.1MB

MD5
958ca651261e4d3dd85841e717c6c38b

SHA1
b09ea7a066ff6d5fa81c4586bfe3e514e794415a

SHA256
2969955b6f46de0078db5125320aa1fd16b8aa1e9e43ba48ad9084a8e6a50671

SHA512
60f1c293c57c7a41cd4c84d6fd518e4e42ea55a97ca859fd2c9f20c903c3c93e17a00574a88510c9304ef39b851f290daa1a8065ba9b0edacc452abddb855cff

Download Submit
C:\Windows\System32\xZTcuUQ.exe

Filesize
3.1MB

MD5
1de810b3193effbfb5521b42911e3716

SHA1
bbe4a953cef587445c7f47970acd0940005588ec

SHA256
0e93af8dd3d37281b89bfc8e4dbb4ba06e4902dfaa898eb258dc0ab622ef81eb

SHA512
3e559b8cb3606e461ad2d3dfc34c4473beaaf659872704f1de53a3a3d8ed076fa8a5c588011d61eee2df2c748aaf81652a488349cc567b1700b8d5e67518fa36

Download Submit
C:\Windows\System32\xrJGXIq.exe

Filesize
3.1MB

MD5
545eb96a17b9b20591118bdb6a896c45

SHA1
9da3cb2863d7f7ca1020dda3b9dfae6ce5c175af

SHA256
4ffecd672b4400e7b2df53d6b56b0bd9e9841c17946982371a58bac11af08290

SHA512
25e73a9739a90e587c5d4de263594c5f67cd4e4985d7f0d93a26f39423d268828d9fb1ab24ddefec5818ba80f74201d0114dbd23db2a92dcc478281a5906fb99

Download Submit
memory/216-358-0x00007FF7E1E30000-0x00007FF7E2225000-memory.dmp

Filesize
4.0MB

Download
memory/224-30-0x00007FF7901B0000-0x00007FF7905A5000-memory.dmp

Filesize
4.0MB

Download
memory/228-381-0x00007FF709B90000-0x00007FF709F85000-memory.dmp

Filesize
4.0MB

Download
memory/640-369-0x00007FF758430000-0x00007FF758825000-memory.dmp

Filesize
4.0MB

Download
memory/736-387-0x00007FF6C02F0000-0x00007FF6C06E5000-memory.dmp

Filesize
4.0MB

Download
memory/928-362-0x00007FF6C0E70000-0x00007FF6C1265000-memory.dmp

Filesize
4.0MB

Download
memory/1084-371-0x00007FF625780000-0x00007FF625B75000-memory.dmp

Filesize
4.0MB

Download
memory/1200-350-0x00007FF618990000-0x00007FF618D85000-memory.dmp

Filesize
4.0MB

Download
memory/1300-355-0x00007FF6CE2D0000-0x00007FF6CE6C5000-memory.dmp

Filesize
4.0MB

Download
memory/1348-66-0x00007FF6F2680000-0x00007FF6F2A75000-memory.dmp

Filesize
4.0MB

Download
memory/1388-347-0x00007FF7AF8C0000-0x00007FF7AFCB5000-memory.dmp

Filesize
4.0MB

Download
memory/1484-18-0x00007FF75D210000-0x00007FF75D605000-memory.dmp

Filesize
4.0MB

Download
memory/1620-365-0x00007FF7D3B20000-0x00007FF7D3F15000-memory.dmp

Filesize
4.0MB

Download
memory/1900-310-0x00007FF7D3A70000-0x00007FF7D3E65000-memory.dmp

Filesize
4.0MB

Download
memory/1904-351-0x00007FF72ACD0000-0x00007FF72B0C5000-memory.dmp

Filesize
4.0MB

Download
memory/1944-25-0x00007FF676FB0000-0x00007FF6773A5000-memory.dmp

Filesize
4.0MB

Download
memory/1980-325-0x00007FF6B70B0000-0x00007FF6B74A5000-memory.dmp

Filesize
4.0MB

Download
memory/2120-352-0x00007FF70CEB0000-0x00007FF70D2A5000-memory.dmp

Filesize
4.0MB

Download
memory/2352-45-0x00007FF713A40000-0x00007FF713E35000-memory.dmp

Filesize
4.0MB

Download
memory/2384-363-0x00007FF760B90000-0x00007FF760F85000-memory.dmp

Filesize
4.0MB

Download
memory/2388-385-0x00007FF7B2D10000-0x00007FF7B3105000-memory.dmp

Filesize
4.0MB

Download
memory/2636-333-0x00007FF6F8450000-0x00007FF6F8845000-memory.dmp

Filesize
4.0MB

Download
memory/2660-299-0x00007FF7BD470000-0x00007FF7BD865000-memory.dmp

Filesize
4.0MB

Download
memory/2668-348-0x00007FF6975F0000-0x00007FF6979E5000-memory.dmp

Filesize
4.0MB

Download
memory/2776-87-0x00007FF7CDA70000-0x00007FF7CDE65000-memory.dmp

Filesize
4.0MB

Download
memory/2796-356-0x00007FF712430000-0x00007FF712825000-memory.dmp

Filesize
4.0MB

Download
memory/2908-280-0x00007FF77AF80000-0x00007FF77B375000-memory.dmp

Filesize
4.0MB

Download
memory/2924-359-0x00007FF7D8770000-0x00007FF7D8B65000-memory.dmp

Filesize
4.0MB

Download
memory/3008-367-0x00007FF794400000-0x00007FF7947F5000-memory.dmp

Filesize
4.0MB

Download
memory/3208-366-0x00007FF65EA90000-0x00007FF65EE85000-memory.dmp

Filesize
4.0MB

Download
memory/3444-281-0x00007FF7ECFD0000-0x00007FF7ED3C5000-memory.dmp

Filesize
4.0MB

Download
memory/3488-322-0x00007FF66F030000-0x00007FF66F425000-memory.dmp

Filesize
4.0MB

Download
memory/3500-58-0x00007FF6732E0000-0x00007FF6736D5000-memory.dmp

Filesize
4.0MB

Download
memory/3540-383-0x00007FF6EE550000-0x00007FF6EE945000-memory.dmp

Filesize
4.0MB

Download
memory/3704-335-0x00007FF741EA0000-0x00007FF742295000-memory.dmp

Filesize
4.0MB

Download
memory/3740-68-0x00007FF629D80000-0x00007FF62A175000-memory.dmp

Filesize
4.0MB

Download
memory/3760-88-0x00007FF7BDF20000-0x00007FF7BE315000-memory.dmp

Filesize
4.0MB

Download
memory/3944-360-0x00007FF757640000-0x00007FF757A35000-memory.dmp

Filesize
4.0MB

Download
memory/3960-49-0x00007FF65BC90000-0x00007FF65C085000-memory.dmp

Filesize
4.0MB

Download
memory/3988-16-0x00007FF7DD7E0000-0x00007FF7DDBD5000-memory.dmp

Filesize
4.0MB

Download
memory/4056-331-0x00007FF7C62C0000-0x00007FF7C66B5000-memory.dmp

Filesize
4.0MB

Download
memory/4068-361-0x00007FF717FF0000-0x00007FF7183E5000-memory.dmp

Filesize
4.0MB

Download
memory/4080-336-0x00007FF769660000-0x00007FF769A55000-memory.dmp

Filesize
4.0MB

Download
memory/4208-315-0x00007FF6AB610000-0x00007FF6ABA05000-memory.dmp

Filesize
4.0MB

Download
memory/4292-378-0x00007FF65F4E0000-0x00007FF65F8D5000-memory.dmp

Filesize
4.0MB

Download
memory/4316-316-0x00007FF66F930000-0x00007FF66FD25000-memory.dmp

Filesize
4.0MB

Download
memory/4324-353-0x00007FF78A990000-0x00007FF78AD85000-memory.dmp

Filesize
4.0MB

Download
memory/4384-112-0x00007FF645BD0000-0x00007FF645FC5000-memory.dmp

Filesize
4.0MB

Download
memory/4436-388-0x00007FF7D56E0000-0x00007FF7D5AD5000-memory.dmp

Filesize
4.0MB

Download
memory/4564-287-0x00007FF780CD0000-0x00007FF7810C5000-memory.dmp

Filesize
4.0MB

Download
memory/4580-52-0x00007FF7DE290000-0x00007FF7DE685000-memory.dmp

Filesize
4.0MB

Download
memory/4640-86-0x00007FF757A30000-0x00007FF757E25000-memory.dmp

Filesize
4.0MB

Download
memory/4724-354-0x00007FF7DBCC0000-0x00007FF7DC0B5000-memory.dmp

Filesize
4.0MB

Download
memory/4792-334-0x00007FF7D2730000-0x00007FF7D2B25000-memory.dmp

Filesize
4.0MB

Download
memory/4848-82-0x00007FF638370000-0x00007FF638765000-memory.dmp

Filesize
4.0MB

Download
memory/4848-0-0x00007FF638370000-0x00007FF638765000-memory.dmp

Filesize
4.0MB

Download
memory/4848-1-0x00000189D22F0000-0x00000189D2300000-memory.dmp

Filesize
64KB

Download
memory/4868-85-0x00007FF6E0C20000-0x00007FF6E1015000-memory.dmp

Filesize
4.0MB

Download
memory/4868-13-0x00007FF6E0C20000-0x00007FF6E1015000-memory.dmp

Filesize
4.0MB

Download
memory/4872-306-0x00007FF7E76C0000-0x00007FF7E7AB5000-memory.dmp

Filesize
4.0MB

Download
memory/4944-368-0x00007FF640D60000-0x00007FF641155000-memory.dmp

Filesize
4.0MB

Download
memory/4952-301-0x00007FF6CA8F0000-0x00007FF6CACE5000-memory.dmp

Filesize
4.0MB

Download
memory/4964-364-0x00007FF6ECA50000-0x00007FF6ECE45000-memory.dmp

Filesize
4.0MB

Download
memory/5020-357-0x00007FF6E63D0000-0x00007FF6E67C5000-memory.dmp

Filesize
4.0MB

Download
memory/5116-349-0x00007FF658420000-0x00007FF658815000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads