xmrig | c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf

Analysis

max time kernel
137s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
Size

2.6MB
MD5

73015688631298875ce6af6e716ed309
SHA1

d8dd251753b363be1e823964943a4d8e3dd809bc
SHA256

c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf
SHA512

5fb6210465e442ef10e449c2c8bb01b9468205b2afc4c2a329daef7d3005e5fb87f8dc84ad0f3a29f2a07ee21d31f328fd44e713446f59be9a486aa3a0a0ec35
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzJxhWCONx7os:N0GnJMOWPClFdx6e0EALKWVTffZiPAcg

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3928-0-0x00007FF6A0420000-0x00007FF6A0815000-memory.dmp	UPX
behavioral2/files/0x000900000002343c-4.dat	UPX
behavioral2/memory/2496-8-0x00007FF6029E0000-0x00007FF602DD5000-memory.dmp	UPX
behavioral2/files/0x0008000000023445-11.dat	UPX
behavioral2/files/0x0008000000023442-12.dat	UPX
behavioral2/memory/2116-15-0x00007FF6BC100000-0x00007FF6BC4F5000-memory.dmp	UPX
behavioral2/files/0x0007000000023446-23.dat	UPX
behavioral2/files/0x0007000000023447-27.dat	UPX
behavioral2/memory/436-34-0x00007FF6C1750000-0x00007FF6C1B45000-memory.dmp	UPX
behavioral2/files/0x0007000000023449-40.dat	UPX
behavioral2/files/0x000700000002344b-44.dat	UPX
behavioral2/files/0x000700000002344a-50.dat	UPX
behavioral2/files/0x0008000000023443-58.dat	UPX
behavioral2/files/0x000700000002344c-61.dat	UPX
behavioral2/memory/4336-69-0x00007FF7E31D0000-0x00007FF7E35C5000-memory.dmp	UPX
behavioral2/memory/5036-70-0x00007FF6A0150000-0x00007FF6A0545000-memory.dmp	UPX
behavioral2/memory/4268-71-0x00007FF78DF10000-0x00007FF78E305000-memory.dmp	UPX
behavioral2/files/0x000700000002344d-73.dat	UPX
behavioral2/files/0x000700000002344e-78.dat	UPX
behavioral2/files/0x0007000000023450-88.dat	UPX
behavioral2/files/0x0007000000023451-93.dat	UPX
behavioral2/files/0x0007000000023455-108.dat	UPX
behavioral2/files/0x0007000000023456-113.dat	UPX
behavioral2/files/0x0007000000023457-118.dat	UPX
behavioral2/files/0x0007000000023458-123.dat	UPX
behavioral2/files/0x0007000000023459-126.dat	UPX
behavioral2/memory/1268-128-0x00007FF7FCD20000-0x00007FF7FD115000-memory.dmp	UPX
behavioral2/memory/1656-140-0x00007FF6551A0000-0x00007FF655595000-memory.dmp	UPX
behavioral2/files/0x000700000002345a-142.dat	UPX
behavioral2/memory/540-147-0x00007FF6785F0000-0x00007FF6789E5000-memory.dmp	UPX
behavioral2/files/0x000700000002345c-150.dat	UPX
behavioral2/memory/748-153-0x00007FF65B460000-0x00007FF65B855000-memory.dmp	UPX
behavioral2/memory/3928-158-0x00007FF6A0420000-0x00007FF6A0815000-memory.dmp	UPX
behavioral2/memory/4524-164-0x00007FF6E9880000-0x00007FF6E9C75000-memory.dmp	UPX
behavioral2/files/0x000700000002345e-174.dat	UPX
behavioral2/files/0x000700000002345f-182.dat	UPX
behavioral2/memory/4768-185-0x00007FF744650000-0x00007FF744A45000-memory.dmp	UPX
behavioral2/files/0x0007000000023461-196.dat	UPX
behavioral2/memory/436-305-0x00007FF6C1750000-0x00007FF6C1B45000-memory.dmp	UPX
behavioral2/memory/3840-306-0x00007FF60FFA0000-0x00007FF610395000-memory.dmp	UPX
behavioral2/memory/2820-307-0x00007FF613340000-0x00007FF613735000-memory.dmp	UPX
behavioral2/memory/3956-308-0x00007FF75D540000-0x00007FF75D935000-memory.dmp	UPX
behavioral2/memory/4452-310-0x00007FF68DBA0000-0x00007FF68DF95000-memory.dmp	UPX
behavioral2/memory/2984-311-0x00007FF6EF260000-0x00007FF6EF655000-memory.dmp	UPX
behavioral2/memory/696-309-0x00007FF779CC0000-0x00007FF77A0B5000-memory.dmp	UPX
behavioral2/memory/884-312-0x00007FF7F4F70000-0x00007FF7F5365000-memory.dmp	UPX
behavioral2/memory/3912-314-0x00007FF7E7470000-0x00007FF7E7865000-memory.dmp	UPX
behavioral2/memory/4368-313-0x00007FF6E1FF0000-0x00007FF6E23E5000-memory.dmp	UPX
behavioral2/files/0x0007000000023463-200.dat	UPX
behavioral2/memory/4088-198-0x00007FF6585C0000-0x00007FF6589B5000-memory.dmp	UPX
behavioral2/memory/3132-195-0x00007FF6ECB70000-0x00007FF6ECF65000-memory.dmp	UPX
behavioral2/files/0x0007000000023462-193.dat	UPX
behavioral2/memory/264-192-0x00007FF631BE0000-0x00007FF631FD5000-memory.dmp	UPX
behavioral2/files/0x0007000000023460-189.dat	UPX
behavioral2/memory/4828-315-0x00007FF7CD2E0000-0x00007FF7CD6D5000-memory.dmp	UPX
behavioral2/memory/4300-188-0x00007FF6940F0000-0x00007FF6944E5000-memory.dmp	UPX
behavioral2/memory/4988-320-0x00007FF72CB30000-0x00007FF72CF25000-memory.dmp	UPX
behavioral2/memory/4704-317-0x00007FF7B9A40000-0x00007FF7B9E35000-memory.dmp	UPX
behavioral2/memory/3784-181-0x00007FF7E5260000-0x00007FF7E5655000-memory.dmp	UPX
behavioral2/memory/5040-178-0x00007FF690EC0000-0x00007FF6912B5000-memory.dmp	UPX
behavioral2/memory/3572-176-0x00007FF657520000-0x00007FF657915000-memory.dmp	UPX
behavioral2/memory/4784-326-0x00007FF705DB0000-0x00007FF7061A5000-memory.dmp	UPX
behavioral2/memory/1916-342-0x00007FF6C1000000-0x00007FF6C13F5000-memory.dmp	UPX
behavioral2/memory/3844-352-0x00007FF735470000-0x00007FF735865000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3928-0-0x00007FF6A0420000-0x00007FF6A0815000-memory.dmp	xmrig
behavioral2/files/0x000900000002343c-4.dat	xmrig
behavioral2/memory/2496-8-0x00007FF6029E0000-0x00007FF602DD5000-memory.dmp	xmrig
behavioral2/files/0x0008000000023445-11.dat	xmrig
behavioral2/files/0x0008000000023442-12.dat	xmrig
behavioral2/memory/2116-15-0x00007FF6BC100000-0x00007FF6BC4F5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023446-23.dat	xmrig
behavioral2/files/0x0007000000023447-27.dat	xmrig
behavioral2/memory/436-34-0x00007FF6C1750000-0x00007FF6C1B45000-memory.dmp	xmrig
behavioral2/files/0x0007000000023449-40.dat	xmrig
behavioral2/files/0x000700000002344b-44.dat	xmrig
behavioral2/files/0x000700000002344a-50.dat	xmrig
behavioral2/files/0x0008000000023443-58.dat	xmrig
behavioral2/files/0x000700000002344c-61.dat	xmrig
behavioral2/memory/4336-69-0x00007FF7E31D0000-0x00007FF7E35C5000-memory.dmp	xmrig
behavioral2/memory/5036-70-0x00007FF6A0150000-0x00007FF6A0545000-memory.dmp	xmrig
behavioral2/memory/4268-71-0x00007FF78DF10000-0x00007FF78E305000-memory.dmp	xmrig
behavioral2/files/0x000700000002344d-73.dat	xmrig
behavioral2/files/0x000700000002344e-78.dat	xmrig
behavioral2/files/0x0007000000023450-88.dat	xmrig
behavioral2/files/0x0007000000023451-93.dat	xmrig
behavioral2/files/0x0007000000023455-108.dat	xmrig
behavioral2/files/0x0007000000023456-113.dat	xmrig
behavioral2/files/0x0007000000023457-118.dat	xmrig
behavioral2/files/0x0007000000023458-123.dat	xmrig
behavioral2/files/0x0007000000023459-126.dat	xmrig
behavioral2/memory/1268-128-0x00007FF7FCD20000-0x00007FF7FD115000-memory.dmp	xmrig
behavioral2/memory/1656-140-0x00007FF6551A0000-0x00007FF655595000-memory.dmp	xmrig
behavioral2/files/0x000700000002345a-142.dat	xmrig
behavioral2/memory/540-147-0x00007FF6785F0000-0x00007FF6789E5000-memory.dmp	xmrig
behavioral2/files/0x000700000002345c-150.dat	xmrig
behavioral2/memory/748-153-0x00007FF65B460000-0x00007FF65B855000-memory.dmp	xmrig
behavioral2/memory/3928-158-0x00007FF6A0420000-0x00007FF6A0815000-memory.dmp	xmrig
behavioral2/memory/4524-164-0x00007FF6E9880000-0x00007FF6E9C75000-memory.dmp	xmrig
behavioral2/files/0x000700000002345e-174.dat	xmrig
behavioral2/files/0x000700000002345f-182.dat	xmrig
behavioral2/memory/4768-185-0x00007FF744650000-0x00007FF744A45000-memory.dmp	xmrig
behavioral2/files/0x0007000000023461-196.dat	xmrig
behavioral2/memory/436-305-0x00007FF6C1750000-0x00007FF6C1B45000-memory.dmp	xmrig
behavioral2/memory/3840-306-0x00007FF60FFA0000-0x00007FF610395000-memory.dmp	xmrig
behavioral2/memory/2820-307-0x00007FF613340000-0x00007FF613735000-memory.dmp	xmrig
behavioral2/memory/3956-308-0x00007FF75D540000-0x00007FF75D935000-memory.dmp	xmrig
behavioral2/memory/4452-310-0x00007FF68DBA0000-0x00007FF68DF95000-memory.dmp	xmrig
behavioral2/memory/2984-311-0x00007FF6EF260000-0x00007FF6EF655000-memory.dmp	xmrig
behavioral2/memory/696-309-0x00007FF779CC0000-0x00007FF77A0B5000-memory.dmp	xmrig
behavioral2/memory/884-312-0x00007FF7F4F70000-0x00007FF7F5365000-memory.dmp	xmrig
behavioral2/memory/3912-314-0x00007FF7E7470000-0x00007FF7E7865000-memory.dmp	xmrig
behavioral2/memory/4368-313-0x00007FF6E1FF0000-0x00007FF6E23E5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023463-200.dat	xmrig
behavioral2/memory/4088-198-0x00007FF6585C0000-0x00007FF6589B5000-memory.dmp	xmrig
behavioral2/memory/3132-195-0x00007FF6ECB70000-0x00007FF6ECF65000-memory.dmp	xmrig
behavioral2/files/0x0007000000023462-193.dat	xmrig
behavioral2/memory/264-192-0x00007FF631BE0000-0x00007FF631FD5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023460-189.dat	xmrig
behavioral2/memory/4828-315-0x00007FF7CD2E0000-0x00007FF7CD6D5000-memory.dmp	xmrig
behavioral2/memory/4300-188-0x00007FF6940F0000-0x00007FF6944E5000-memory.dmp	xmrig
behavioral2/memory/4988-320-0x00007FF72CB30000-0x00007FF72CF25000-memory.dmp	xmrig
behavioral2/memory/4704-317-0x00007FF7B9A40000-0x00007FF7B9E35000-memory.dmp	xmrig
behavioral2/memory/3784-181-0x00007FF7E5260000-0x00007FF7E5655000-memory.dmp	xmrig
behavioral2/memory/5040-178-0x00007FF690EC0000-0x00007FF6912B5000-memory.dmp	xmrig
behavioral2/memory/3572-176-0x00007FF657520000-0x00007FF657915000-memory.dmp	xmrig
behavioral2/memory/4784-326-0x00007FF705DB0000-0x00007FF7061A5000-memory.dmp	xmrig
behavioral2/memory/1916-342-0x00007FF6C1000000-0x00007FF6C13F5000-memory.dmp	xmrig
behavioral2/memory/3844-352-0x00007FF735470000-0x00007FF735865000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2496	EvMOXbl.exe
2116	uHrLwfz.exe
3784	OgtvPbS.exe
4300	galqEXq.exe
3132	gFAuOkC.exe
436	ClRoZrA.exe
2380	mEOOQzj.exe
2240	lrQJUha.exe
4336	GpXzbez.exe
4540	JtXpGLI.exe
5036	RorUTvz.exe
4268	FRIypuo.exe
1268	AQCJubJ.exe
2552	IOLFpSx.exe
4840	Synxypk.exe
4780	DzZhqBI.exe
1656	tDFtxrx.exe
4692	BYnJBSZ.exe
840	TDtrUdX.exe
540	LiTiagK.exe
4976	oLREWLY.exe
4584	TluXZEs.exe
748	SWnBjuP.exe
4676	bfCZSXR.exe
4796	EsJUWSB.exe
4524	uHufzVU.exe
2388	aSVrQIP.exe
3572	MSqWziX.exe
5040	DNdbhFx.exe
4768	WTezdpY.exe
264	OokkWtM.exe
4088	hWaVgBS.exe
3840	IxiPVQb.exe
2820	yvJlviR.exe
3956	QfNzDqT.exe
696	qJEExOr.exe
4452	SjOQGzF.exe
2984	cuciDaV.exe
884	fNnrUvS.exe
4368	mbVQIqw.exe
3912	vVlzwDn.exe
4828	huNxoOz.exe
4704	mAAhRCu.exe
4988	HLiqnGa.exe
4784	hhnVigv.exe
1296	rCUVMlT.exe
3536	aQOnOXA.exe
1916	nVcrRPN.exe
3056	AiDjqYQ.exe
3844	AxrYAdE.exe
3764	gbYlLlo.exe
732	vkniKcq.exe
4632	WQYLjJd.exe
2652	ujdGCYU.exe
3484	clXHULW.exe
2252	mDMqAUf.exe
4892	IBrvuWM.exe
1060	QKiTJSo.exe
4852	ethAlCu.exe
2352	hIcdgxA.exe
3672	zyEiYjX.exe
3336	rkOJVBH.exe
1792	wMjaJnK.exe
396	ioUEjDx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3928-0-0x00007FF6A0420000-0x00007FF6A0815000-memory.dmp	upx
behavioral2/files/0x000900000002343c-4.dat	upx
behavioral2/memory/2496-8-0x00007FF6029E0000-0x00007FF602DD5000-memory.dmp	upx
behavioral2/files/0x0008000000023445-11.dat	upx
behavioral2/files/0x0008000000023442-12.dat	upx
behavioral2/memory/2116-15-0x00007FF6BC100000-0x00007FF6BC4F5000-memory.dmp	upx
behavioral2/files/0x0007000000023446-23.dat	upx
behavioral2/files/0x0007000000023447-27.dat	upx
behavioral2/memory/436-34-0x00007FF6C1750000-0x00007FF6C1B45000-memory.dmp	upx
behavioral2/files/0x0007000000023449-40.dat	upx
behavioral2/files/0x000700000002344b-44.dat	upx
behavioral2/files/0x000700000002344a-50.dat	upx
behavioral2/files/0x0008000000023443-58.dat	upx
behavioral2/files/0x000700000002344c-61.dat	upx
behavioral2/memory/4336-69-0x00007FF7E31D0000-0x00007FF7E35C5000-memory.dmp	upx
behavioral2/memory/5036-70-0x00007FF6A0150000-0x00007FF6A0545000-memory.dmp	upx
behavioral2/memory/4268-71-0x00007FF78DF10000-0x00007FF78E305000-memory.dmp	upx
behavioral2/files/0x000700000002344d-73.dat	upx
behavioral2/files/0x000700000002344e-78.dat	upx
behavioral2/files/0x0007000000023450-88.dat	upx
behavioral2/files/0x0007000000023451-93.dat	upx
behavioral2/files/0x0007000000023455-108.dat	upx
behavioral2/files/0x0007000000023456-113.dat	upx
behavioral2/files/0x0007000000023457-118.dat	upx
behavioral2/files/0x0007000000023458-123.dat	upx
behavioral2/files/0x0007000000023459-126.dat	upx
behavioral2/memory/1268-128-0x00007FF7FCD20000-0x00007FF7FD115000-memory.dmp	upx
behavioral2/memory/1656-140-0x00007FF6551A0000-0x00007FF655595000-memory.dmp	upx
behavioral2/files/0x000700000002345a-142.dat	upx
behavioral2/memory/540-147-0x00007FF6785F0000-0x00007FF6789E5000-memory.dmp	upx
behavioral2/files/0x000700000002345c-150.dat	upx
behavioral2/memory/748-153-0x00007FF65B460000-0x00007FF65B855000-memory.dmp	upx
behavioral2/memory/3928-158-0x00007FF6A0420000-0x00007FF6A0815000-memory.dmp	upx
behavioral2/memory/4524-164-0x00007FF6E9880000-0x00007FF6E9C75000-memory.dmp	upx
behavioral2/files/0x000700000002345e-174.dat	upx
behavioral2/files/0x000700000002345f-182.dat	upx
behavioral2/memory/4768-185-0x00007FF744650000-0x00007FF744A45000-memory.dmp	upx
behavioral2/files/0x0007000000023461-196.dat	upx
behavioral2/memory/436-305-0x00007FF6C1750000-0x00007FF6C1B45000-memory.dmp	upx
behavioral2/memory/3840-306-0x00007FF60FFA0000-0x00007FF610395000-memory.dmp	upx
behavioral2/memory/2820-307-0x00007FF613340000-0x00007FF613735000-memory.dmp	upx
behavioral2/memory/3956-308-0x00007FF75D540000-0x00007FF75D935000-memory.dmp	upx
behavioral2/memory/4452-310-0x00007FF68DBA0000-0x00007FF68DF95000-memory.dmp	upx
behavioral2/memory/2984-311-0x00007FF6EF260000-0x00007FF6EF655000-memory.dmp	upx
behavioral2/memory/696-309-0x00007FF779CC0000-0x00007FF77A0B5000-memory.dmp	upx
behavioral2/memory/884-312-0x00007FF7F4F70000-0x00007FF7F5365000-memory.dmp	upx
behavioral2/memory/3912-314-0x00007FF7E7470000-0x00007FF7E7865000-memory.dmp	upx
behavioral2/memory/4368-313-0x00007FF6E1FF0000-0x00007FF6E23E5000-memory.dmp	upx
behavioral2/files/0x0007000000023463-200.dat	upx
behavioral2/memory/4088-198-0x00007FF6585C0000-0x00007FF6589B5000-memory.dmp	upx
behavioral2/memory/3132-195-0x00007FF6ECB70000-0x00007FF6ECF65000-memory.dmp	upx
behavioral2/files/0x0007000000023462-193.dat	upx
behavioral2/memory/264-192-0x00007FF631BE0000-0x00007FF631FD5000-memory.dmp	upx
behavioral2/files/0x0007000000023460-189.dat	upx
behavioral2/memory/4828-315-0x00007FF7CD2E0000-0x00007FF7CD6D5000-memory.dmp	upx
behavioral2/memory/4300-188-0x00007FF6940F0000-0x00007FF6944E5000-memory.dmp	upx
behavioral2/memory/4988-320-0x00007FF72CB30000-0x00007FF72CF25000-memory.dmp	upx
behavioral2/memory/4704-317-0x00007FF7B9A40000-0x00007FF7B9E35000-memory.dmp	upx
behavioral2/memory/3784-181-0x00007FF7E5260000-0x00007FF7E5655000-memory.dmp	upx
behavioral2/memory/5040-178-0x00007FF690EC0000-0x00007FF6912B5000-memory.dmp	upx
behavioral2/memory/3572-176-0x00007FF657520000-0x00007FF657915000-memory.dmp	upx
behavioral2/memory/4784-326-0x00007FF705DB0000-0x00007FF7061A5000-memory.dmp	upx
behavioral2/memory/1916-342-0x00007FF6C1000000-0x00007FF6C13F5000-memory.dmp	upx
behavioral2/memory/3844-352-0x00007FF735470000-0x00007FF735865000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\GpXzbez.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\GbLwOaM.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\hfVfTll.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\aLTkvZk.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\GzlCXam.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\LlSqVGG.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\FOfeNQk.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\AiDjqYQ.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\eyfVdyq.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\UZCGdGi.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\bYtRJdr.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\MSqWziX.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\XpwmOOw.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\JwMuuRv.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\UpApDfF.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\wZjBWvh.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\BZichzj.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\sOmGLoA.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\UPeNAGY.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\bCSrKSx.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\ctiXWta.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\gzGArDb.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\pXJYoAa.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\IsOUPtm.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\kxLmlkN.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\vUighXt.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\KceqHvO.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\dPISiTI.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\YydRYbu.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\gvKXFUC.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\kpTAEyd.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\nUBwkMC.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\IBrvuWM.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\otwDzhF.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\egbQfoz.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\UANacpD.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\HtoZGCd.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\JPVETlH.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\CBohNEZ.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\LibTzCL.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\BmrKhNl.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\RorUTvz.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\WmchoaG.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\fTYJAyG.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\lBEHzuZ.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\eVSldHf.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\QnkFMVi.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\LKIlPSW.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\OiSOkRR.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\ucPCHXg.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\ktLPaQe.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\NdUFlgl.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\NPuelnj.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\fqPfJAk.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\MKcqSrT.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\JtXpGLI.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\TluXZEs.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\KyDlhPe.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\kREYCEl.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\TPmsWLo.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\WTezdpY.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\hhnVigv.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\QTqCCwt.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
File created	C:\Windows\System32\MJbITzN.exe	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4416	dwm.exe
Token: SeChangeNotifyPrivilege	4416	dwm.exe
Token: 33	4416	dwm.exe
Token: SeIncBasePriorityPrivilege	4416	dwm.exe
Token: SeCreateGlobalPrivilege	9340	dwm.exe
Token: SeChangeNotifyPrivilege	9340	dwm.exe
Token: 33	9340	dwm.exe
Token: SeIncBasePriorityPrivilege	9340	dwm.exe
Token: SeShutdownPrivilege	9340	dwm.exe
Token: SeCreatePagefilePrivilege	9340	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
9500	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 2496	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	84
PID 3928 wrote to memory of 2496	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	84
PID 3928 wrote to memory of 2116	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	85
PID 3928 wrote to memory of 2116	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	85
PID 3928 wrote to memory of 3784	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	86
PID 3928 wrote to memory of 3784	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	86
PID 3928 wrote to memory of 4300	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	87
PID 3928 wrote to memory of 4300	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	87
PID 3928 wrote to memory of 3132	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	88
PID 3928 wrote to memory of 3132	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	88
PID 3928 wrote to memory of 436	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	89
PID 3928 wrote to memory of 436	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	89
PID 3928 wrote to memory of 2380	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	90
PID 3928 wrote to memory of 2380	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	90
PID 3928 wrote to memory of 2240	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	91
PID 3928 wrote to memory of 2240	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	91
PID 3928 wrote to memory of 4336	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	93
PID 3928 wrote to memory of 4336	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	93
PID 3928 wrote to memory of 4540	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	94
PID 3928 wrote to memory of 4540	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	94
PID 3928 wrote to memory of 5036	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	95
PID 3928 wrote to memory of 5036	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	95
PID 3928 wrote to memory of 4268	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	96
PID 3928 wrote to memory of 4268	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	96
PID 3928 wrote to memory of 1268	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	97
PID 3928 wrote to memory of 1268	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	97
PID 3928 wrote to memory of 2552	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	98
PID 3928 wrote to memory of 2552	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	98
PID 3928 wrote to memory of 4840	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	99
PID 3928 wrote to memory of 4840	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	99
PID 3928 wrote to memory of 4780	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	100
PID 3928 wrote to memory of 4780	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	100
PID 3928 wrote to memory of 1656	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	101
PID 3928 wrote to memory of 1656	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	101
PID 3928 wrote to memory of 4692	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	102
PID 3928 wrote to memory of 4692	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	102
PID 3928 wrote to memory of 840	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	103
PID 3928 wrote to memory of 840	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	103
PID 3928 wrote to memory of 540	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	104
PID 3928 wrote to memory of 540	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	104
PID 3928 wrote to memory of 4976	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	105
PID 3928 wrote to memory of 4976	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	105
PID 3928 wrote to memory of 4584	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	106
PID 3928 wrote to memory of 4584	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	106
PID 3928 wrote to memory of 748	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	107
PID 3928 wrote to memory of 748	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	107
PID 3928 wrote to memory of 4676	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	108
PID 3928 wrote to memory of 4676	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	108
PID 3928 wrote to memory of 4796	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	109
PID 3928 wrote to memory of 4796	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	109
PID 3928 wrote to memory of 4524	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	111
PID 3928 wrote to memory of 4524	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	111
PID 3928 wrote to memory of 2388	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	112
PID 3928 wrote to memory of 2388	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	112
PID 3928 wrote to memory of 3572	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	113
PID 3928 wrote to memory of 3572	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	113
PID 3928 wrote to memory of 5040	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	114
PID 3928 wrote to memory of 5040	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	114
PID 3928 wrote to memory of 4768	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	115
PID 3928 wrote to memory of 4768	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	115
PID 3928 wrote to memory of 264	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	116
PID 3928 wrote to memory of 264	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	116
PID 3928 wrote to memory of 4088	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	117
PID 3928 wrote to memory of 4088	3928	c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe	117

C:\Users\Admin\AppData\Local\Temp\c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe
"C:\Users\Admin\AppData\Local\Temp\c9be098971fa9d25354bc6366cd87e6696566382bb219841ebfceb3214cc81cf.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\System32\EvMOXbl.exe
  C:\Windows\System32\EvMOXbl.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System32\uHrLwfz.exe
  C:\Windows\System32\uHrLwfz.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System32\OgtvPbS.exe
  C:\Windows\System32\OgtvPbS.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System32\galqEXq.exe
  C:\Windows\System32\galqEXq.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System32\gFAuOkC.exe
  C:\Windows\System32\gFAuOkC.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System32\ClRoZrA.exe
  C:\Windows\System32\ClRoZrA.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\mEOOQzj.exe
  C:\Windows\System32\mEOOQzj.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System32\lrQJUha.exe
  C:\Windows\System32\lrQJUha.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System32\GpXzbez.exe
  C:\Windows\System32\GpXzbez.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\JtXpGLI.exe
  C:\Windows\System32\JtXpGLI.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System32\RorUTvz.exe
  C:\Windows\System32\RorUTvz.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System32\FRIypuo.exe
  C:\Windows\System32\FRIypuo.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System32\AQCJubJ.exe
  C:\Windows\System32\AQCJubJ.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System32\IOLFpSx.exe
  C:\Windows\System32\IOLFpSx.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System32\Synxypk.exe
  C:\Windows\System32\Synxypk.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\DzZhqBI.exe
  C:\Windows\System32\DzZhqBI.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\tDFtxrx.exe
  C:\Windows\System32\tDFtxrx.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System32\BYnJBSZ.exe
  C:\Windows\System32\BYnJBSZ.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\TDtrUdX.exe
  C:\Windows\System32\TDtrUdX.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System32\LiTiagK.exe
  C:\Windows\System32\LiTiagK.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System32\oLREWLY.exe
  C:\Windows\System32\oLREWLY.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\TluXZEs.exe
  C:\Windows\System32\TluXZEs.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\SWnBjuP.exe
  C:\Windows\System32\SWnBjuP.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System32\bfCZSXR.exe
  C:\Windows\System32\bfCZSXR.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System32\EsJUWSB.exe
  C:\Windows\System32\EsJUWSB.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\uHufzVU.exe
  C:\Windows\System32\uHufzVU.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\aSVrQIP.exe
  C:\Windows\System32\aSVrQIP.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System32\MSqWziX.exe
  C:\Windows\System32\MSqWziX.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\DNdbhFx.exe
  C:\Windows\System32\DNdbhFx.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\WTezdpY.exe
  C:\Windows\System32\WTezdpY.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\OokkWtM.exe
  C:\Windows\System32\OokkWtM.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System32\hWaVgBS.exe
  C:\Windows\System32\hWaVgBS.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System32\IxiPVQb.exe
  C:\Windows\System32\IxiPVQb.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System32\yvJlviR.exe
  C:\Windows\System32\yvJlviR.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System32\QfNzDqT.exe
  C:\Windows\System32\QfNzDqT.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System32\qJEExOr.exe
  C:\Windows\System32\qJEExOr.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System32\SjOQGzF.exe
  C:\Windows\System32\SjOQGzF.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\cuciDaV.exe
  C:\Windows\System32\cuciDaV.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\fNnrUvS.exe
  C:\Windows\System32\fNnrUvS.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System32\mbVQIqw.exe
  C:\Windows\System32\mbVQIqw.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\vVlzwDn.exe
  C:\Windows\System32\vVlzwDn.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System32\huNxoOz.exe
  C:\Windows\System32\huNxoOz.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\mAAhRCu.exe
  C:\Windows\System32\mAAhRCu.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System32\HLiqnGa.exe
  C:\Windows\System32\HLiqnGa.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\hhnVigv.exe
  C:\Windows\System32\hhnVigv.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System32\rCUVMlT.exe
  C:\Windows\System32\rCUVMlT.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System32\aQOnOXA.exe
  C:\Windows\System32\aQOnOXA.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System32\nVcrRPN.exe
  C:\Windows\System32\nVcrRPN.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\AiDjqYQ.exe
  C:\Windows\System32\AiDjqYQ.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\AxrYAdE.exe
  C:\Windows\System32\AxrYAdE.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\gbYlLlo.exe
  C:\Windows\System32\gbYlLlo.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\vkniKcq.exe
  C:\Windows\System32\vkniKcq.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System32\WQYLjJd.exe
  C:\Windows\System32\WQYLjJd.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\ujdGCYU.exe
  C:\Windows\System32\ujdGCYU.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System32\clXHULW.exe
  C:\Windows\System32\clXHULW.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\mDMqAUf.exe
  C:\Windows\System32\mDMqAUf.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System32\IBrvuWM.exe
  C:\Windows\System32\IBrvuWM.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System32\QKiTJSo.exe
  C:\Windows\System32\QKiTJSo.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System32\ethAlCu.exe
  C:\Windows\System32\ethAlCu.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\hIcdgxA.exe
  C:\Windows\System32\hIcdgxA.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\zyEiYjX.exe
  C:\Windows\System32\zyEiYjX.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\rkOJVBH.exe
  C:\Windows\System32\rkOJVBH.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System32\wMjaJnK.exe
  C:\Windows\System32\wMjaJnK.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System32\ioUEjDx.exe
  C:\Windows\System32\ioUEjDx.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System32\zCROiXp.exe
  C:\Windows\System32\zCROiXp.exe
  2⤵
  PID:3228
- C:\Windows\System32\dWgDtJJ.exe
  C:\Windows\System32\dWgDtJJ.exe
  2⤵
  PID:2296
- C:\Windows\System32\lwzshSR.exe
  C:\Windows\System32\lwzshSR.exe
  2⤵
  PID:2140
- C:\Windows\System32\lnNoHjV.exe
  C:\Windows\System32\lnNoHjV.exe
  2⤵
  PID:2172
- C:\Windows\System32\dFGhoZJ.exe
  C:\Windows\System32\dFGhoZJ.exe
  2⤵
  PID:4696
- C:\Windows\System32\TPILfgY.exe
  C:\Windows\System32\TPILfgY.exe
  2⤵
  PID:3868
- C:\Windows\System32\NOvGQQo.exe
  C:\Windows\System32\NOvGQQo.exe
  2⤵
  PID:4896
- C:\Windows\System32\nbczEua.exe
  C:\Windows\System32\nbczEua.exe
  2⤵
  PID:3060
- C:\Windows\System32\zTBCQfq.exe
  C:\Windows\System32\zTBCQfq.exe
  2⤵
  PID:4460
- C:\Windows\System32\XpwmOOw.exe
  C:\Windows\System32\XpwmOOw.exe
  2⤵
  PID:4360
- C:\Windows\System32\PZmQFuB.exe
  C:\Windows\System32\PZmQFuB.exe
  2⤵
  PID:4508
- C:\Windows\System32\VAcrPHR.exe
  C:\Windows\System32\VAcrPHR.exe
  2⤵
  PID:5000
- C:\Windows\System32\gEcDwDT.exe
  C:\Windows\System32\gEcDwDT.exe
  2⤵
  PID:4052
- C:\Windows\System32\pOfBFDw.exe
  C:\Windows\System32\pOfBFDw.exe
  2⤵
  PID:2500
- C:\Windows\System32\JwMuuRv.exe
  C:\Windows\System32\JwMuuRv.exe
  2⤵
  PID:464
- C:\Windows\System32\HOpdXcV.exe
  C:\Windows\System32\HOpdXcV.exe
  2⤵
  PID:432
- C:\Windows\System32\DHLMTFv.exe
  C:\Windows\System32\DHLMTFv.exe
  2⤵
  PID:768
- C:\Windows\System32\viCeKXi.exe
  C:\Windows\System32\viCeKXi.exe
  2⤵
  PID:5136
- C:\Windows\System32\KceqHvO.exe
  C:\Windows\System32\KceqHvO.exe
  2⤵
  PID:5156
- C:\Windows\System32\cfnpeVd.exe
  C:\Windows\System32\cfnpeVd.exe
  2⤵
  PID:5172
- C:\Windows\System32\otwDzhF.exe
  C:\Windows\System32\otwDzhF.exe
  2⤵
  PID:5220
- C:\Windows\System32\egbQfoz.exe
  C:\Windows\System32\egbQfoz.exe
  2⤵
  PID:5272
- C:\Windows\System32\hFscXXz.exe
  C:\Windows\System32\hFscXXz.exe
  2⤵
  PID:5348
- C:\Windows\System32\sCwoVxr.exe
  C:\Windows\System32\sCwoVxr.exe
  2⤵
  PID:5384
- C:\Windows\System32\sIhLXvr.exe
  C:\Windows\System32\sIhLXvr.exe
  2⤵
  PID:5412
- C:\Windows\System32\DriiMzE.exe
  C:\Windows\System32\DriiMzE.exe
  2⤵
  PID:5444
- C:\Windows\System32\sEPiqxo.exe
  C:\Windows\System32\sEPiqxo.exe
  2⤵
  PID:5468
- C:\Windows\System32\AjYbJHP.exe
  C:\Windows\System32\AjYbJHP.exe
  2⤵
  PID:5492
- C:\Windows\System32\GIqHyjl.exe
  C:\Windows\System32\GIqHyjl.exe
  2⤵
  PID:5512
- C:\Windows\System32\vEdglia.exe
  C:\Windows\System32\vEdglia.exe
  2⤵
  PID:5544
- C:\Windows\System32\ovyfJAZ.exe
  C:\Windows\System32\ovyfJAZ.exe
  2⤵
  PID:5564
- C:\Windows\System32\nELSwdx.exe
  C:\Windows\System32\nELSwdx.exe
  2⤵
  PID:5592
- C:\Windows\System32\KocHcQY.exe
  C:\Windows\System32\KocHcQY.exe
  2⤵
  PID:5612
- C:\Windows\System32\xHQSKyG.exe
  C:\Windows\System32\xHQSKyG.exe
  2⤵
  PID:5652
- C:\Windows\System32\nQddCyZ.exe
  C:\Windows\System32\nQddCyZ.exe
  2⤵
  PID:5688
- C:\Windows\System32\xSOSDaU.exe
  C:\Windows\System32\xSOSDaU.exe
  2⤵
  PID:5740
- C:\Windows\System32\KpRxAPK.exe
  C:\Windows\System32\KpRxAPK.exe
  2⤵
  PID:5768
- C:\Windows\System32\zoYFtHE.exe
  C:\Windows\System32\zoYFtHE.exe
  2⤵
  PID:5788
- C:\Windows\System32\QRQtZCb.exe
  C:\Windows\System32\QRQtZCb.exe
  2⤵
  PID:5808
- C:\Windows\System32\gYXrkYz.exe
  C:\Windows\System32\gYXrkYz.exe
  2⤵
  PID:5824
- C:\Windows\System32\JUuUbbX.exe
  C:\Windows\System32\JUuUbbX.exe
  2⤵
  PID:5852
- C:\Windows\System32\TkaYLkN.exe
  C:\Windows\System32\TkaYLkN.exe
  2⤵
  PID:5868
- C:\Windows\System32\KYXwyFN.exe
  C:\Windows\System32\KYXwyFN.exe
  2⤵
  PID:5884
- C:\Windows\System32\zkdyDJT.exe
  C:\Windows\System32\zkdyDJT.exe
  2⤵
  PID:5904
- C:\Windows\System32\pBfwsOE.exe
  C:\Windows\System32\pBfwsOE.exe
  2⤵
  PID:5920
- C:\Windows\System32\FPrQZxH.exe
  C:\Windows\System32\FPrQZxH.exe
  2⤵
  PID:5940
- C:\Windows\System32\kytgSnt.exe
  C:\Windows\System32\kytgSnt.exe
  2⤵
  PID:6000
- C:\Windows\System32\VzkahmT.exe
  C:\Windows\System32\VzkahmT.exe
  2⤵
  PID:6024
- C:\Windows\System32\IuuqQbs.exe
  C:\Windows\System32\IuuqQbs.exe
  2⤵
  PID:6040
- C:\Windows\System32\qwUvKbI.exe
  C:\Windows\System32\qwUvKbI.exe
  2⤵
  PID:6056
- C:\Windows\System32\IpUqHRL.exe
  C:\Windows\System32\IpUqHRL.exe
  2⤵
  PID:6080
- C:\Windows\System32\rYVBxpL.exe
  C:\Windows\System32\rYVBxpL.exe
  2⤵
  PID:6096
- C:\Windows\System32\sFbFfvw.exe
  C:\Windows\System32\sFbFfvw.exe
  2⤵
  PID:6120
- C:\Windows\System32\cejvzsk.exe
  C:\Windows\System32\cejvzsk.exe
  2⤵
  PID:6140
- C:\Windows\System32\UiKxKKq.exe
  C:\Windows\System32\UiKxKKq.exe
  2⤵
  PID:8
- C:\Windows\System32\okRnsYl.exe
  C:\Windows\System32\okRnsYl.exe
  2⤵
  PID:5196
- C:\Windows\System32\tyPoxGP.exe
  C:\Windows\System32\tyPoxGP.exe
  2⤵
  PID:5328
- C:\Windows\System32\PdCVIvB.exe
  C:\Windows\System32\PdCVIvB.exe
  2⤵
  PID:2056
- C:\Windows\System32\GdnWCrt.exe
  C:\Windows\System32\GdnWCrt.exe
  2⤵
  PID:5368
- C:\Windows\System32\tLlwUMU.exe
  C:\Windows\System32\tLlwUMU.exe
  2⤵
  PID:3200
- C:\Windows\System32\tiSmBiP.exe
  C:\Windows\System32\tiSmBiP.exe
  2⤵
  PID:5620
- C:\Windows\System32\srbkOdm.exe
  C:\Windows\System32\srbkOdm.exe
  2⤵
  PID:5716
- C:\Windows\System32\tOTqIPB.exe
  C:\Windows\System32\tOTqIPB.exe
  2⤵
  PID:5780
- C:\Windows\System32\VMyzGjd.exe
  C:\Windows\System32\VMyzGjd.exe
  2⤵
  PID:5796
- C:\Windows\System32\XxcSwkd.exe
  C:\Windows\System32\XxcSwkd.exe
  2⤵
  PID:5880
- C:\Windows\System32\LGKZZfO.exe
  C:\Windows\System32\LGKZZfO.exe
  2⤵
  PID:5960
- C:\Windows\System32\nhhCBrS.exe
  C:\Windows\System32\nhhCBrS.exe
  2⤵
  PID:6092
- C:\Windows\System32\rwYqdzU.exe
  C:\Windows\System32\rwYqdzU.exe
  2⤵
  PID:764
- C:\Windows\System32\ODcmptz.exe
  C:\Windows\System32\ODcmptz.exe
  2⤵
  PID:5164
- C:\Windows\System32\tERtRBR.exe
  C:\Windows\System32\tERtRBR.exe
  2⤵
  PID:2516
- C:\Windows\System32\WmchoaG.exe
  C:\Windows\System32\WmchoaG.exe
  2⤵
  PID:5236
- C:\Windows\System32\RkOHNxM.exe
  C:\Windows\System32\RkOHNxM.exe
  2⤵
  PID:5372
- C:\Windows\System32\OXViFFK.exe
  C:\Windows\System32\OXViFFK.exe
  2⤵
  PID:5572
- C:\Windows\System32\DvWcgYv.exe
  C:\Windows\System32\DvWcgYv.exe
  2⤵
  PID:5192
- C:\Windows\System32\FQZngoC.exe
  C:\Windows\System32\FQZngoC.exe
  2⤵
  PID:900
- C:\Windows\System32\mOGNxcK.exe
  C:\Windows\System32\mOGNxcK.exe
  2⤵
  PID:5840
- C:\Windows\System32\cFvGzKD.exe
  C:\Windows\System32\cFvGzKD.exe
  2⤵
  PID:5988
- C:\Windows\System32\UANacpD.exe
  C:\Windows\System32\UANacpD.exe
  2⤵
  PID:2604
- C:\Windows\System32\StsDmCC.exe
  C:\Windows\System32\StsDmCC.exe
  2⤵
  PID:2548
- C:\Windows\System32\bCSrKSx.exe
  C:\Windows\System32\bCSrKSx.exe
  2⤵
  PID:3300
- C:\Windows\System32\OqHXByp.exe
  C:\Windows\System32\OqHXByp.exe
  2⤵
  PID:5088
- C:\Windows\System32\UZCGdGi.exe
  C:\Windows\System32\UZCGdGi.exe
  2⤵
  PID:3904
- C:\Windows\System32\NbZIsJw.exe
  C:\Windows\System32\NbZIsJw.exe
  2⤵
  PID:5956
- C:\Windows\System32\qWttNvZ.exe
  C:\Windows\System32\qWttNvZ.exe
  2⤵
  PID:460
- C:\Windows\System32\HtoZGCd.exe
  C:\Windows\System32\HtoZGCd.exe
  2⤵
  PID:5500
- C:\Windows\System32\OiSOkRR.exe
  C:\Windows\System32\OiSOkRR.exe
  2⤵
  PID:5932
- C:\Windows\System32\aLTkvZk.exe
  C:\Windows\System32\aLTkvZk.exe
  2⤵
  PID:6208
- C:\Windows\System32\dPISiTI.exe
  C:\Windows\System32\dPISiTI.exe
  2⤵
  PID:6240
- C:\Windows\System32\KaAOEqW.exe
  C:\Windows\System32\KaAOEqW.exe
  2⤵
  PID:6284
- C:\Windows\System32\ktLPaQe.exe
  C:\Windows\System32\ktLPaQe.exe
  2⤵
  PID:6328
- C:\Windows\System32\eCmLeOd.exe
  C:\Windows\System32\eCmLeOd.exe
  2⤵
  PID:6352
- C:\Windows\System32\JPVETlH.exe
  C:\Windows\System32\JPVETlH.exe
  2⤵
  PID:6372
- C:\Windows\System32\ZQvgVgV.exe
  C:\Windows\System32\ZQvgVgV.exe
  2⤵
  PID:6396
- C:\Windows\System32\itqBcJV.exe
  C:\Windows\System32\itqBcJV.exe
  2⤵
  PID:6428
- C:\Windows\System32\AcEvIQn.exe
  C:\Windows\System32\AcEvIQn.exe
  2⤵
  PID:6476
- C:\Windows\System32\hOQgGkC.exe
  C:\Windows\System32\hOQgGkC.exe
  2⤵
  PID:6532
- C:\Windows\System32\qOsPnmL.exe
  C:\Windows\System32\qOsPnmL.exe
  2⤵
  PID:6552
- C:\Windows\System32\wHkdGJy.exe
  C:\Windows\System32\wHkdGJy.exe
  2⤵
  PID:6580
- C:\Windows\System32\BixIaJB.exe
  C:\Windows\System32\BixIaJB.exe
  2⤵
  PID:6620
- C:\Windows\System32\KyDlhPe.exe
  C:\Windows\System32\KyDlhPe.exe
  2⤵
  PID:6652
- C:\Windows\System32\UpApDfF.exe
  C:\Windows\System32\UpApDfF.exe
  2⤵
  PID:6684
- C:\Windows\System32\sVzsDmz.exe
  C:\Windows\System32\sVzsDmz.exe
  2⤵
  PID:6716
- C:\Windows\System32\OvjrzKc.exe
  C:\Windows\System32\OvjrzKc.exe
  2⤵
  PID:6736
- C:\Windows\System32\CKzhOVI.exe
  C:\Windows\System32\CKzhOVI.exe
  2⤵
  PID:6752
- C:\Windows\System32\hLCGlLr.exe
  C:\Windows\System32\hLCGlLr.exe
  2⤵
  PID:6792
- C:\Windows\System32\agAKEuN.exe
  C:\Windows\System32\agAKEuN.exe
  2⤵
  PID:6820
- C:\Windows\System32\SdXFsmn.exe
  C:\Windows\System32\SdXFsmn.exe
  2⤵
  PID:6836
- C:\Windows\System32\iUXdrlN.exe
  C:\Windows\System32\iUXdrlN.exe
  2⤵
  PID:6856
- C:\Windows\System32\ZjldQbQ.exe
  C:\Windows\System32\ZjldQbQ.exe
  2⤵
  PID:6888
- C:\Windows\System32\xzdHSln.exe
  C:\Windows\System32\xzdHSln.exe
  2⤵
  PID:6904
- C:\Windows\System32\AWOdCNS.exe
  C:\Windows\System32\AWOdCNS.exe
  2⤵
  PID:6920
- C:\Windows\System32\PNpTXLs.exe
  C:\Windows\System32\PNpTXLs.exe
  2⤵
  PID:6940
- C:\Windows\System32\CBohNEZ.exe
  C:\Windows\System32\CBohNEZ.exe
  2⤵
  PID:6960
- C:\Windows\System32\XDPMtsH.exe
  C:\Windows\System32\XDPMtsH.exe
  2⤵
  PID:7000
- C:\Windows\System32\HpZBdUM.exe
  C:\Windows\System32\HpZBdUM.exe
  2⤵
  PID:7056
- C:\Windows\System32\JzBhIom.exe
  C:\Windows\System32\JzBhIom.exe
  2⤵
  PID:7076
- C:\Windows\System32\sfDSETQ.exe
  C:\Windows\System32\sfDSETQ.exe
  2⤵
  PID:7100
- C:\Windows\System32\fTYJAyG.exe
  C:\Windows\System32\fTYJAyG.exe
  2⤵
  PID:7116
- C:\Windows\System32\OexrvXz.exe
  C:\Windows\System32\OexrvXz.exe
  2⤵
  PID:5536
- C:\Windows\System32\wZjBWvh.exe
  C:\Windows\System32\wZjBWvh.exe
  2⤵
  PID:6220
- C:\Windows\System32\YydRYbu.exe
  C:\Windows\System32\YydRYbu.exe
  2⤵
  PID:6296
- C:\Windows\System32\NdUFlgl.exe
  C:\Windows\System32\NdUFlgl.exe
  2⤵
  PID:6340
- C:\Windows\System32\NPuelnj.exe
  C:\Windows\System32\NPuelnj.exe
  2⤵
  PID:6444
- C:\Windows\System32\zIubUUU.exe
  C:\Windows\System32\zIubUUU.exe
  2⤵
  PID:6460
- C:\Windows\System32\YbaIolm.exe
  C:\Windows\System32\YbaIolm.exe
  2⤵
  PID:6484
- C:\Windows\System32\XZgfvuZ.exe
  C:\Windows\System32\XZgfvuZ.exe
  2⤵
  PID:6560
- C:\Windows\System32\QTqCCwt.exe
  C:\Windows\System32\QTqCCwt.exe
  2⤵
  PID:5116
- C:\Windows\System32\pZkZydU.exe
  C:\Windows\System32\pZkZydU.exe
  2⤵
  PID:6668
- C:\Windows\System32\GzlCXam.exe
  C:\Windows\System32\GzlCXam.exe
  2⤵
  PID:6780
- C:\Windows\System32\yHkGZkt.exe
  C:\Windows\System32\yHkGZkt.exe
  2⤵
  PID:1388
- C:\Windows\System32\NsrGOYi.exe
  C:\Windows\System32\NsrGOYi.exe
  2⤵
  PID:6948
- C:\Windows\System32\LQmRbdR.exe
  C:\Windows\System32\LQmRbdR.exe
  2⤵
  PID:6932
- C:\Windows\System32\fpfBaRk.exe
  C:\Windows\System32\fpfBaRk.exe
  2⤵
  PID:7024
- C:\Windows\System32\ldVcXMe.exe
  C:\Windows\System32\ldVcXMe.exe
  2⤵
  PID:7036
- C:\Windows\System32\lmWJjgg.exe
  C:\Windows\System32\lmWJjgg.exe
  2⤵
  PID:2932
- C:\Windows\System32\rvHVgws.exe
  C:\Windows\System32\rvHVgws.exe
  2⤵
  PID:6324
- C:\Windows\System32\GnsxNxu.exe
  C:\Windows\System32\GnsxNxu.exe
  2⤵
  PID:4716
- C:\Windows\System32\gVEdHax.exe
  C:\Windows\System32\gVEdHax.exe
  2⤵
  PID:6596
- C:\Windows\System32\LPxLuJR.exe
  C:\Windows\System32\LPxLuJR.exe
  2⤵
  PID:6664
- C:\Windows\System32\ucPCHXg.exe
  C:\Windows\System32\ucPCHXg.exe
  2⤵
  PID:6900
- C:\Windows\System32\LvjInBK.exe
  C:\Windows\System32\LvjInBK.exe
  2⤵
  PID:7096
- C:\Windows\System32\tumTPoI.exe
  C:\Windows\System32\tumTPoI.exe
  2⤵
  PID:5112
- C:\Windows\System32\JpXMtwK.exe
  C:\Windows\System32\JpXMtwK.exe
  2⤵
  PID:7156
- C:\Windows\System32\SIrUvfP.exe
  C:\Windows\System32\SIrUvfP.exe
  2⤵
  PID:5280
- C:\Windows\System32\etjLmbE.exe
  C:\Windows\System32\etjLmbE.exe
  2⤵
  PID:636
- C:\Windows\System32\OWzoxss.exe
  C:\Windows\System32\OWzoxss.exe
  2⤵
  PID:6608
- C:\Windows\System32\IPkMzCg.exe
  C:\Windows\System32\IPkMzCg.exe
  2⤵
  PID:7012
- C:\Windows\System32\aJzogpC.exe
  C:\Windows\System32\aJzogpC.exe
  2⤵
  PID:6916
- C:\Windows\System32\ttwwKWz.exe
  C:\Windows\System32\ttwwKWz.exe
  2⤵
  PID:7220
- C:\Windows\System32\YroQwXJ.exe
  C:\Windows\System32\YroQwXJ.exe
  2⤵
  PID:7260
- C:\Windows\System32\kREYCEl.exe
  C:\Windows\System32\kREYCEl.exe
  2⤵
  PID:7284
- C:\Windows\System32\KpzlskP.exe
  C:\Windows\System32\KpzlskP.exe
  2⤵
  PID:7344
- C:\Windows\System32\ywWBgRu.exe
  C:\Windows\System32\ywWBgRu.exe
  2⤵
  PID:7368
- C:\Windows\System32\gbQXRUA.exe
  C:\Windows\System32\gbQXRUA.exe
  2⤵
  PID:7388
- C:\Windows\System32\AutKciQ.exe
  C:\Windows\System32\AutKciQ.exe
  2⤵
  PID:7420
- C:\Windows\System32\kKwxIjc.exe
  C:\Windows\System32\kKwxIjc.exe
  2⤵
  PID:7452
- C:\Windows\System32\zCsblgu.exe
  C:\Windows\System32\zCsblgu.exe
  2⤵
  PID:7468
- C:\Windows\System32\KsReLUo.exe
  C:\Windows\System32\KsReLUo.exe
  2⤵
  PID:7492
- C:\Windows\System32\lBEHzuZ.exe
  C:\Windows\System32\lBEHzuZ.exe
  2⤵
  PID:7512
- C:\Windows\System32\eyfVdyq.exe
  C:\Windows\System32\eyfVdyq.exe
  2⤵
  PID:7552
- C:\Windows\System32\XDDPxMC.exe
  C:\Windows\System32\XDDPxMC.exe
  2⤵
  PID:7572
- C:\Windows\System32\GpRbArF.exe
  C:\Windows\System32\GpRbArF.exe
  2⤵
  PID:7600
- C:\Windows\System32\fRGtAQI.exe
  C:\Windows\System32\fRGtAQI.exe
  2⤵
  PID:7664
- C:\Windows\System32\hyKHzpx.exe
  C:\Windows\System32\hyKHzpx.exe
  2⤵
  PID:7684
- C:\Windows\System32\LibTzCL.exe
  C:\Windows\System32\LibTzCL.exe
  2⤵
  PID:7744
- C:\Windows\System32\DBNuUlT.exe
  C:\Windows\System32\DBNuUlT.exe
  2⤵
  PID:7784
- C:\Windows\System32\xEltwkT.exe
  C:\Windows\System32\xEltwkT.exe
  2⤵
  PID:7816
- C:\Windows\System32\AhbcaSM.exe
  C:\Windows\System32\AhbcaSM.exe
  2⤵
  PID:7836
- C:\Windows\System32\ScVjYNE.exe
  C:\Windows\System32\ScVjYNE.exe
  2⤵
  PID:7852
- C:\Windows\System32\EBHGWHb.exe
  C:\Windows\System32\EBHGWHb.exe
  2⤵
  PID:7872
- C:\Windows\System32\tTLFUDs.exe
  C:\Windows\System32\tTLFUDs.exe
  2⤵
  PID:7892
- C:\Windows\System32\arrkrGn.exe
  C:\Windows\System32\arrkrGn.exe
  2⤵
  PID:7940
- C:\Windows\System32\ASOcpnq.exe
  C:\Windows\System32\ASOcpnq.exe
  2⤵
  PID:7964
- C:\Windows\System32\HiJenrP.exe
  C:\Windows\System32\HiJenrP.exe
  2⤵
  PID:8024
- C:\Windows\System32\Oyiqlop.exe
  C:\Windows\System32\Oyiqlop.exe
  2⤵
  PID:8044
- C:\Windows\System32\MNPKDIw.exe
  C:\Windows\System32\MNPKDIw.exe
  2⤵
  PID:8064
- C:\Windows\System32\OHcYWGq.exe
  C:\Windows\System32\OHcYWGq.exe
  2⤵
  PID:8084
- C:\Windows\System32\AQmuGUI.exe
  C:\Windows\System32\AQmuGUI.exe
  2⤵
  PID:8104
- C:\Windows\System32\SBKelOA.exe
  C:\Windows\System32\SBKelOA.exe
  2⤵
  PID:8152
- C:\Windows\System32\MJbITzN.exe
  C:\Windows\System32\MJbITzN.exe
  2⤵
  PID:8172
- C:\Windows\System32\lbEcrrY.exe
  C:\Windows\System32\lbEcrrY.exe
  2⤵
  PID:6512
- C:\Windows\System32\kQfiUQT.exe
  C:\Windows\System32\kQfiUQT.exe
  2⤵
  PID:5264
- C:\Windows\System32\ZphYwNV.exe
  C:\Windows\System32\ZphYwNV.exe
  2⤵
  PID:1736
- C:\Windows\System32\ZXhOtJb.exe
  C:\Windows\System32\ZXhOtJb.exe
  2⤵
  PID:7316
- C:\Windows\System32\ctiXWta.exe
  C:\Windows\System32\ctiXWta.exe
  2⤵
  PID:7352
- C:\Windows\System32\fTBfPTv.exe
  C:\Windows\System32\fTBfPTv.exe
  2⤵
  PID:7460
- C:\Windows\System32\BZichzj.exe
  C:\Windows\System32\BZichzj.exe
  2⤵
  PID:7544
- C:\Windows\System32\DlIOLqK.exe
  C:\Windows\System32\DlIOLqK.exe
  2⤵
  PID:7584
- C:\Windows\System32\eVSldHf.exe
  C:\Windows\System32\eVSldHf.exe
  2⤵
  PID:7696
- C:\Windows\System32\sOmGLoA.exe
  C:\Windows\System32\sOmGLoA.exe
  2⤵
  PID:7700
- C:\Windows\System32\onjixKp.exe
  C:\Windows\System32\onjixKp.exe
  2⤵
  PID:7764
- C:\Windows\System32\IUiVNqN.exe
  C:\Windows\System32\IUiVNqN.exe
  2⤵
  PID:7800
- C:\Windows\System32\OrlasdP.exe
  C:\Windows\System32\OrlasdP.exe
  2⤵
  PID:7868
- C:\Windows\System32\XlbkYjH.exe
  C:\Windows\System32\XlbkYjH.exe
  2⤵
  PID:7932
- C:\Windows\System32\iUHJRgQ.exe
  C:\Windows\System32\iUHJRgQ.exe
  2⤵
  PID:7952
- C:\Windows\System32\gvKXFUC.exe
  C:\Windows\System32\gvKXFUC.exe
  2⤵
  PID:8096
- C:\Windows\System32\zxrWWjb.exe
  C:\Windows\System32\zxrWWjb.exe
  2⤵
  PID:8124
- C:\Windows\System32\WIAzUUY.exe
  C:\Windows\System32\WIAzUUY.exe
  2⤵
  PID:6696
- C:\Windows\System32\ypIBiwy.exe
  C:\Windows\System32\ypIBiwy.exe
  2⤵
  PID:7396
- C:\Windows\System32\UPeNAGY.exe
  C:\Windows\System32\UPeNAGY.exe
  2⤵
  PID:7384
- C:\Windows\System32\wauQxlY.exe
  C:\Windows\System32\wauQxlY.exe
  2⤵
  PID:7564
- C:\Windows\System32\kpTAEyd.exe
  C:\Windows\System32\kpTAEyd.exe
  2⤵
  PID:7752
- C:\Windows\System32\cMWmIpL.exe
  C:\Windows\System32\cMWmIpL.exe
  2⤵
  PID:7812
- C:\Windows\System32\rRKTYqy.exe
  C:\Windows\System32\rRKTYqy.exe
  2⤵
  PID:8036
- C:\Windows\System32\GbLwOaM.exe
  C:\Windows\System32\GbLwOaM.exe
  2⤵
  PID:6680
- C:\Windows\System32\zuSsZNd.exe
  C:\Windows\System32\zuSsZNd.exe
  2⤵
  PID:7232
- C:\Windows\System32\WYQddzm.exe
  C:\Windows\System32\WYQddzm.exe
  2⤵
  PID:7152
- C:\Windows\System32\xWhaKDA.exe
  C:\Windows\System32\xWhaKDA.exe
  2⤵
  PID:5504
- C:\Windows\System32\hOsmCRb.exe
  C:\Windows\System32\hOsmCRb.exe
  2⤵
  PID:7632
- C:\Windows\System32\uzEkXCY.exe
  C:\Windows\System32\uzEkXCY.exe
  2⤵
  PID:5968
- C:\Windows\System32\zsbePeP.exe
  C:\Windows\System32\zsbePeP.exe
  2⤵
  PID:8012
- C:\Windows\System32\wrbcaqX.exe
  C:\Windows\System32\wrbcaqX.exe
  2⤵
  PID:4572
- C:\Windows\System32\fTlaoto.exe
  C:\Windows\System32\fTlaoto.exe
  2⤵
  PID:8200
- C:\Windows\System32\AnphYyx.exe
  C:\Windows\System32\AnphYyx.exe
  2⤵
  PID:8220
- C:\Windows\System32\cuMERwP.exe
  C:\Windows\System32\cuMERwP.exe
  2⤵
  PID:8240
- C:\Windows\System32\yMsnMrZ.exe
  C:\Windows\System32\yMsnMrZ.exe
  2⤵
  PID:8272
- C:\Windows\System32\bMutMau.exe
  C:\Windows\System32\bMutMau.exe
  2⤵
  PID:8296
- C:\Windows\System32\gzGArDb.exe
  C:\Windows\System32\gzGArDb.exe
  2⤵
  PID:8316
- C:\Windows\System32\hfVfTll.exe
  C:\Windows\System32\hfVfTll.exe
  2⤵
  PID:8336
- C:\Windows\System32\UNSvdvl.exe
  C:\Windows\System32\UNSvdvl.exe
  2⤵
  PID:8376
- C:\Windows\System32\hJDVqQT.exe
  C:\Windows\System32\hJDVqQT.exe
  2⤵
  PID:8424
- C:\Windows\System32\fqPfJAk.exe
  C:\Windows\System32\fqPfJAk.exe
  2⤵
  PID:8440
- C:\Windows\System32\UxXUllH.exe
  C:\Windows\System32\UxXUllH.exe
  2⤵
  PID:8468
- C:\Windows\System32\TPmsWLo.exe
  C:\Windows\System32\TPmsWLo.exe
  2⤵
  PID:8488
- C:\Windows\System32\yXcvGox.exe
  C:\Windows\System32\yXcvGox.exe
  2⤵
  PID:8556
- C:\Windows\System32\roeefcm.exe
  C:\Windows\System32\roeefcm.exe
  2⤵
  PID:8600
- C:\Windows\System32\ExoZsmm.exe
  C:\Windows\System32\ExoZsmm.exe
  2⤵
  PID:8616
- C:\Windows\System32\lMnGMJg.exe
  C:\Windows\System32\lMnGMJg.exe
  2⤵
  PID:8640
- C:\Windows\System32\JovnNkH.exe
  C:\Windows\System32\JovnNkH.exe
  2⤵
  PID:8656
- C:\Windows\System32\bYtRJdr.exe
  C:\Windows\System32\bYtRJdr.exe
  2⤵
  PID:8672
- C:\Windows\System32\LlSqVGG.exe
  C:\Windows\System32\LlSqVGG.exe
  2⤵
  PID:8724
- C:\Windows\System32\RZkNnuD.exe
  C:\Windows\System32\RZkNnuD.exe
  2⤵
  PID:8764
- C:\Windows\System32\YZxBBAp.exe
  C:\Windows\System32\YZxBBAp.exe
  2⤵
  PID:8808
- C:\Windows\System32\qfOMSjp.exe
  C:\Windows\System32\qfOMSjp.exe
  2⤵
  PID:8832
- C:\Windows\System32\MKcqSrT.exe
  C:\Windows\System32\MKcqSrT.exe
  2⤵
  PID:8848
- C:\Windows\System32\QVtUaYJ.exe
  C:\Windows\System32\QVtUaYJ.exe
  2⤵
  PID:8896
- C:\Windows\System32\zmVtMOr.exe
  C:\Windows\System32\zmVtMOr.exe
  2⤵
  PID:8916
- C:\Windows\System32\GokdDeo.exe
  C:\Windows\System32\GokdDeo.exe
  2⤵
  PID:8952
- C:\Windows\System32\tEEYYfv.exe
  C:\Windows\System32\tEEYYfv.exe
  2⤵
  PID:8988
- C:\Windows\System32\pXJYoAa.exe
  C:\Windows\System32\pXJYoAa.exe
  2⤵
  PID:9028
- C:\Windows\System32\PoTjrRo.exe
  C:\Windows\System32\PoTjrRo.exe
  2⤵
  PID:9044
- C:\Windows\System32\YGxDVbU.exe
  C:\Windows\System32\YGxDVbU.exe
  2⤵
  PID:9064
- C:\Windows\System32\gHTZSYa.exe
  C:\Windows\System32\gHTZSYa.exe
  2⤵
  PID:9084
- C:\Windows\System32\UHJoJso.exe
  C:\Windows\System32\UHJoJso.exe
  2⤵
  PID:9100
- C:\Windows\System32\NLhhcuO.exe
  C:\Windows\System32\NLhhcuO.exe
  2⤵
  PID:9116
- C:\Windows\System32\nUBwkMC.exe
  C:\Windows\System32\nUBwkMC.exe
  2⤵
  PID:9136
- C:\Windows\System32\yXNyITL.exe
  C:\Windows\System32\yXNyITL.exe
  2⤵
  PID:9200
- C:\Windows\System32\FjgFJbk.exe
  C:\Windows\System32\FjgFJbk.exe
  2⤵
  PID:7672
- C:\Windows\System32\GjSkjMn.exe
  C:\Windows\System32\GjSkjMn.exe
  2⤵
  PID:8252
- C:\Windows\System32\RZMwQSk.exe
  C:\Windows\System32\RZMwQSk.exe
  2⤵
  PID:8372
- C:\Windows\System32\IsOUPtm.exe
  C:\Windows\System32\IsOUPtm.exe
  2⤵
  PID:8500
- C:\Windows\System32\stKaWUj.exe
  C:\Windows\System32\stKaWUj.exe
  2⤵
  PID:7920
- C:\Windows\System32\sVqsckS.exe
  C:\Windows\System32\sVqsckS.exe
  2⤵
  PID:8516
- C:\Windows\System32\PioFPbB.exe
  C:\Windows\System32\PioFPbB.exe
  2⤵
  PID:8532
- C:\Windows\System32\RPDTWNW.exe
  C:\Windows\System32\RPDTWNW.exe
  2⤵
  PID:8624
- C:\Windows\System32\jDpvErV.exe
  C:\Windows\System32\jDpvErV.exe
  2⤵
  PID:8696
- C:\Windows\System32\fXkbGht.exe
  C:\Windows\System32\fXkbGht.exe
  2⤵
  PID:8796
- C:\Windows\System32\JcbIAKU.exe
  C:\Windows\System32\JcbIAKU.exe
  2⤵
  PID:8884
- C:\Windows\System32\kxLmlkN.exe
  C:\Windows\System32\kxLmlkN.exe
  2⤵
  PID:8860
- C:\Windows\System32\DdBWKYc.exe
  C:\Windows\System32\DdBWKYc.exe
  2⤵
  PID:3700
- C:\Windows\System32\LRIRzVF.exe
  C:\Windows\System32\LRIRzVF.exe
  2⤵
  PID:4924
- C:\Windows\System32\tjatZVj.exe
  C:\Windows\System32\tjatZVj.exe
  2⤵
  PID:9016
- C:\Windows\System32\QnkFMVi.exe
  C:\Windows\System32\QnkFMVi.exe
  2⤵
  PID:9112
- C:\Windows\System32\BDtYmoG.exe
  C:\Windows\System32\BDtYmoG.exe
  2⤵
  PID:9192
- C:\Windows\System32\vUighXt.exe
  C:\Windows\System32\vUighXt.exe
  2⤵
  PID:9164
- C:\Windows\System32\bBXNXKg.exe
  C:\Windows\System32\bBXNXKg.exe
  2⤵
  PID:7188
- C:\Windows\System32\FOfeNQk.exe
  C:\Windows\System32\FOfeNQk.exe
  2⤵
  PID:8308
- C:\Windows\System32\VlkphzN.exe
  C:\Windows\System32\VlkphzN.exe
  2⤵
  PID:392

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AQCJubJ.exe

Filesize
2.6MB

MD5
a76a8006ae91c874161eed90d8b616e5

SHA1
fe473484ddccb0bbd83fdec7994ac84606cd24ee

SHA256
f32bc2cbcca2c94f22981847a4430c4566a0ef8f29de7b15d44f1d2273482f9d

SHA512
0c6fe8acdae05fbac9c2951ec0412f2a68c1f0fe83cea8490bfeae01247c82ed74afa81ca1d5830580965292f2580418693a663a0ddc442fb3d5f04e51106d20

Download Submit
C:\Windows\System32\BYnJBSZ.exe

Filesize
2.6MB

MD5
424ac5c8a4c52b17a823239314327821

SHA1
f3e1c1cf627765eb1a135ab6c56674ab90502be8

SHA256
9537609f37bb698a2a933b6ceeb0575e8ddf3b3d8d38101b6a64dcfe35fe982b

SHA512
9b09c7a01377da39d6952da430f615793a161193ab9ef853a7fe12b045811c09eced6055dc9e6f327b0de1e871bd7f0805a8c6caa86f3595ae52defc697e515f

Download Submit
C:\Windows\System32\ClRoZrA.exe

Filesize
2.6MB

MD5
d0f6de8b43ad4ba1ce2b357f458e6da3

SHA1
ce5e1c8a13c93209ebad84e0a368ab90fa9fba2e

SHA256
7000b51ff307915ad4663e1ab18dc22408b42015ec6aed21b88604663fbb4a3d

SHA512
3cac47543c6dc5ee7b9d93724bbf4bae302b9e36b947971c7c62be272ebf02e2e0935acf4e2fb3d381a0be6a97876f28b6cab40acf66428aba10d97e191fca40

Download Submit
C:\Windows\System32\DNdbhFx.exe

Filesize
2.6MB

MD5
7cc3ef1c368b9f11c3c1e8dba0f72c51

SHA1
d735718270e1cc317d81f5a022f97800a1e01857

SHA256
65bb90ca6c18efed3d1355985eff2c1f44c3f6f2d95f1c4a8ca6802d6da493a6

SHA512
600f355ec5253526caaaed199ebb6adf4b94a0dd584155c493765be0df6706aee47b3e46d174fe3168cf13c3eae0c9742b48e3c678ba7c52f6f12c361df635aa

Download Submit
C:\Windows\System32\DzZhqBI.exe

Filesize
2.6MB

MD5
30d734704a986f0a00acb075ee51baa4

SHA1
75194124c7f0fe7d31afcdde3c7add87816ca880

SHA256
1bbeebcf80c5ccc3ecbe6efe96dfaa06a910c7886ec5d6808a354d4eab76cad7

SHA512
bde5fee1599d8f3cfe15786a7b0e79583b2388963d36ab407b45baf21942b2658dc22f2ab7e5cf2e0255b898a06030458e355c1528b8de48a14a3339233b28d5

Download Submit
C:\Windows\System32\EsJUWSB.exe

Filesize
2.6MB

MD5
8c7cd29558628c498f8efbed4591720e

SHA1
24ce4bd934c0bd01390c67d691d4b0cae4b6d033

SHA256
8d22d4a3373347ce2dcd03242102b0fe3f85243edf61041ae0b21c96f2d93cda

SHA512
da157dc0abd448a0143102aa3d598cd1396387241e33686f5c5f578fbc3a38cd165394dad6fdccc9cc9b6f8e14b8097aee6c60c7ef51cb7eb3b507988f99c5d2

Download Submit
C:\Windows\System32\EvMOXbl.exe

Filesize
2.6MB

MD5
386ac7a49c594a471b4dc7370638c79e

SHA1
ad370307c2ad6ed47c73508f2146ec4d26ab17de

SHA256
bb584044b8a69c881e037acb2e631045d696fb05665a00e80c2207c6a9f2c297

SHA512
a39b8d2698f0799afd99e39e5ca83e1165bf9736c80cc74d5bf3f27b7f6629713fc508911f5bd13d21b6fe6291a475bce932660e0d91441e1f6ae7ca312c6c7b

Download Submit
C:\Windows\System32\FRIypuo.exe

Filesize
2.6MB

MD5
f4ca64f344f57f2cd7f02a3b95333048

SHA1
8ef530dd301bcc2184f2a68457d6b26621cf8193

SHA256
a3668dbb55bb5f087c6731c9803accc5c425be52cd23664855d5c7b3a1fb3a5e

SHA512
83c0b2090958d4e01e30abaac856ef890b5e15610c5474440c28adf96d466f4de1556b3675242ee28c99df4cade381e7d2aea001bd207a5cec63c17c38f38a69

Download Submit
C:\Windows\System32\GpXzbez.exe

Filesize
2.6MB

MD5
0e475ad9b5d905406bd558aea5d011ca

SHA1
05c6ba0358d27dd5edf8a199f1417cbb3b2374f2

SHA256
0d73e88a4413c00ed3497fb92edb88e6999108c8b2e748ef4fb651b5b077759a

SHA512
67e0484600b125f863522960d9f03055f4d476a1ff23c7d6a0ba6ad60ddd1792248a7f815c5738312314a62296c3c27bd19d351502e9885dce77eb011aea472e

Download Submit
C:\Windows\System32\IOLFpSx.exe

Filesize
2.6MB

MD5
7cb6e60b8e33b2cb8c999b1dad430edd

SHA1
bece101d2b318d191fc98fd7a3f85bd8c5d366e8

SHA256
7945bd3d65758e7a1699ac8f4908a96755a9c19ede6e8a1db82843720f440fc9

SHA512
761f6aa71fd5e9e95d2e752a334fe05e0fb211d3ecf7eebaa579778d9d8bdca4db1446fe6dbd990c171846057976b5e34c4679951b6e5c374d26c7c504781ba9

Download Submit
C:\Windows\System32\IxiPVQb.exe

Filesize
2.6MB

MD5
b593db39dc2ac17e04e70f5a0e60bfbf

SHA1
9c3fb6022ce12f1c4f5f692a1195fe259927f941

SHA256
9c71c92eb78da1010b5e5e4e0f8f8fd7cbe23663f67e8293af62437e8ad436c8

SHA512
e2d42a020cc1df4336eea763e4ff53e984ab6513d8742fb01110d8a39cb5d20ca07376044d7d3813128dad6955020831e7ae7246138b5497c060a2159eff6403

Download Submit
C:\Windows\System32\JtXpGLI.exe

Filesize
2.6MB

MD5
05a12d6e51160d8ba7894f210698f662

SHA1
0af238aaf5a907ee72a90f4b42ce61d16c5bcb4c

SHA256
d5d84a9c4675177df8e263c2494fa5a9db61e9b5d203000653dec61db43417f5

SHA512
151745c257cd786e745cf9261a2db362e22aa765b2a8fbda498aee36deed376b98352d21b5c11ac2b615582afcb3e8bc40c1233b34a356e4b5b2eb6177344812

Download Submit
C:\Windows\System32\LiTiagK.exe

Filesize
2.6MB

MD5
f51ce9c43eeb4b0b8d7dd6a1cdb069ac

SHA1
706b15b7762e05f8173d17bc0381571d5ea60c46

SHA256
a19ecf56948fa60d0701cab0768eb78f83d3fd4dd6c1fef0ff3fc99255a873a8

SHA512
9f69eeaeab92c1241e3ab4c84354113fb893c59ff8b8b555f6fabf4efb02601ada9c31f5ac2061e81eb86bce4acfbbded4d97659db7d04b17afcb5be03cf736f

Download Submit
C:\Windows\System32\MSqWziX.exe

Filesize
2.6MB

MD5
f5228d2425187296a318b19f798c67a7

SHA1
3c402b8677e1b0dcc0fde297391c3155d63b82ac

SHA256
cd16bea1ae4819b4a18c66d115fd35e39fbcfda4db73d8a4cb03a1273d7a154a

SHA512
3d6bf55b5a4b1bddb46bc7cd8bcfe86af1ccd02cb8aeb0a51303f8e00ea20bc963502712d4549d2fb054085caa9251fa6d4a90e8afff790e1d84ecb8aa18771c

Download Submit
C:\Windows\System32\OgtvPbS.exe

Filesize
2.6MB

MD5
f0d1def11a3711f6273e902b5c506a8d

SHA1
1a8c17aa368dad73c6a0a0430a32ecb85571838d

SHA256
c93011fb7f80af2cba0aba73b69649828e35ae88ba71e0d087af496ea95cb149

SHA512
95e4b3f95408032d5f2a1f547b3987fe537866fc0493cf8d0bdc4c3e7264be4ca18dc98a1d11ed7d7db4abe46102933bd8d1b671da664d562fd31b96d6500c8d

Download Submit
C:\Windows\System32\OokkWtM.exe

Filesize
2.6MB

MD5
e13004345bf88ceab20d5d09bb45e137

SHA1
de68cd0ac488604fb82746da3d9119ea254f5465

SHA256
7a4398c244c572c9a7334275025457379610ac68fa1c3c4c346e8aa38002f93b

SHA512
93fa9544c75cbab86169a91498a47373184ca88f60a87a7d42db41f38f37d9930551e6ea6dc8fa506d99e3c2c100daf98bbfdd69bb155a8c63e7d0f39d431c8a

Download Submit
C:\Windows\System32\RorUTvz.exe

Filesize
2.6MB

MD5
8279ddfb6eb2ac383ef69f2df59a0feb

SHA1
589eabbfb3220f966929cf1c5cdf12b0fe2872cb

SHA256
65385e73edaef1a74a05fc334a936d256fa8c97916b5d9473928eddd10294375

SHA512
fb49ade097b3514fd66672e92231da0e65ff1f318a175535a03cb091c42fef769a16b4b326db9625591a8221253305dca706c71469001d53a8ae590237c2780e

Download Submit
C:\Windows\System32\SWnBjuP.exe

Filesize
2.6MB

MD5
c43a58334e98fb969b300e568da6d4a1

SHA1
a4aaa1e14f1bdfbbdf0ef0758da8d0ed123dff79

SHA256
5e8a022fe5d31f73a1b930bcb36bae07178acb24c6cd6077d19051ac8b5a0426

SHA512
4a2ec806a8e036c34e09ea65b3a67b3f9700f5884c46d1ba16a837aaeb550bd2795b71ebff1a3ed392ed20c25362f92b2e5ed202666445c01652bb83081c29b9

Download Submit
C:\Windows\System32\Synxypk.exe

Filesize
2.6MB

MD5
3e58537b5f4bf48d4902964a3438f828

SHA1
07111b68513857b075411f86b5778a4de88d16bd

SHA256
7e524295d4d173969a2071a09f66d57bcba6d0f82d2634054fac2c31273c5638

SHA512
e619fc8f95a43d0db133b3aa3f250aa62d8618f8a902f9643e5dcd02682555dd3a2345151f55ac5e52df7b28bb6795980980ea68256e99c629df8c8f15fd6c97

Download Submit
C:\Windows\System32\TDtrUdX.exe

Filesize
2.6MB

MD5
58ff33f4c6377c6268ac9a8de349e156

SHA1
4bc6c386f447f42b52b730fee5e177b6279869af

SHA256
80d9846c3e1e3ef475b08febe373874ee7463068046ebfa040e503fe9b388768

SHA512
0e1fcc0e81ce6c0d8cbad6a85746b72e00d8765879e370d6e1077a228b50055caf5b8c1b562400243fbb5606b77059130bd340161fd3f4b9cc7a5165556b67f2

Download Submit
C:\Windows\System32\TluXZEs.exe

Filesize
2.6MB

MD5
bd12b664acad31046600ba8e1a1e7c0c

SHA1
ca735a73a4eb36638a96b8d881a3fe0cedff23d7

SHA256
3bea344128ef1e5770228366784e490c31dc492b191dfd8ed9e59c4ce73ee790

SHA512
2893c4283ade08eefe705bbbe9ab0bd36912b66cb6cb3c1cffedfc5024d0eac4e97ee026b27e53a94c0544eba1634cf1c5db0f77db2889113285ab03f0d74bbf

Download Submit
C:\Windows\System32\WTezdpY.exe

Filesize
2.6MB

MD5
70e7f3258917f3ac5c9306d70a5a5e3e

SHA1
d414013f6b0b6e9cc05a68d84977ce1bc18ec69f

SHA256
dae518512f3f6bbc1ceb2e4358a25cf1cdbeff3c1c7643f7af451d75ef3bd3cc

SHA512
da99bff09b787c23ff00f2d9d8bd8a2c46402ed58ca60ee00c25ba13bc8a47fbfa029b8c191870eb0f436b05ad7ebbb2899163837143eb4569e8ad7e21f93735

Download Submit
C:\Windows\System32\aSVrQIP.exe

Filesize
2.6MB

MD5
8f73e115b54792bd6711d6b03dde2a75

SHA1
16baf1967a714bcac5fc8caa40315a72d3b6cc91

SHA256
04f9fa2c1c3359848120617bae3cffb39afb9e47f80f9f771eb5c185b679df03

SHA512
9a07890d06afd4981244e83e9372db81333dec72d110ed06305e6836dcf8bdffa32b7d3fe642cfba2cd8ffd978548faea34e456d13dba8b83912ac096d65699a

Download Submit
C:\Windows\System32\bfCZSXR.exe

Filesize
2.6MB

MD5
502baa0bef5f088fe9178aff49396ca6

SHA1
e28ea68323d5b7a01c429651cf08faef49a32fb4

SHA256
bc519f19f61a78c13cee0a50e55cf3c1ec611314f0aa3be0b0511be313af8885

SHA512
6f2c2e1e75df2ddc4e30aeb90ee6fec5f5722ce959b4f350aa46ce684f7313ed3a2e5ca40d1b52a61e45dcc22fb306eb6993eb02e9cd06327cb1ee290002510f

Download Submit
C:\Windows\System32\gFAuOkC.exe

Filesize
2.6MB

MD5
48120d8f94848af5a9abf4279386213f

SHA1
cfd360c15a0a95fe76a83a1ea22e38ef8ae74ff6

SHA256
1fb33c4e026106f1a1471b3322dc2a8bb5406248469e3e464574d5c56b85c4d7

SHA512
0e063f78226260519585f9fcb365308084cbe4e0949cbfb95d41405f072082a8d5390546a612aec4d8f71559a05d842b1266d5ce792bde0ed62a8b0388cc69bf

Download Submit
C:\Windows\System32\galqEXq.exe

Filesize
2.6MB

MD5
eff19a999de9bf3fbaa0b5dca2f99c3c

SHA1
e257b87abd753b8be6ee4e8f7bb1890cc8318291

SHA256
efe20988581e39d85f7366e9a6a7a03284053077d56492bb409c25a48c1c728c

SHA512
0bad90e6d845d05252860b9381e4a73ed061c9d09d53eee369db6bc1a2597c63fe2c64c78ec01125dc038fe41a4d8699748d03559c18e731b99de4dc31e3313e

Download Submit
C:\Windows\System32\hWaVgBS.exe

Filesize
2.6MB

MD5
3f6cabfe18130b313e6293b78af4e290

SHA1
958fa1963dd310ac6a500692428753006d30cace

SHA256
b01f98b2385847f6c0c90725abdb237f9e2140c4ad1baed777531934d777d9a2

SHA512
535e70e03eb75b628a21db57b035079f9e418cdd7690db778712257492b69c7fd278ee028ef04097482c1aa292b2d93ae536cf6a52a91e33ebba8acd0fbe2324

Download Submit
C:\Windows\System32\lrQJUha.exe

Filesize
2.6MB

MD5
aac8b7f7805a0f65800ab2879b044445

SHA1
1a231ee08272dd66c59ff90e88c9b72a00888375

SHA256
3ea016666ad9dfbb93bd845aa7faac27308a0a45cf7603771a255c82d4be9b6f

SHA512
790c4f447764e6510dc657a0bcd4779cfed6c4bca8b9ee7cc803ff969444cb0a1ff11940fe86cc8b06caf14e10a78375781010bc1b016131922ebcb5c899ad66

Download Submit
C:\Windows\System32\mEOOQzj.exe

Filesize
2.6MB

MD5
d890f6a9cae85859a80856fa001a024f

SHA1
823857e5e01245c4c0ea878b308c1a249758143c

SHA256
4704e80307677b67aa5053042136dc4b113624e93e1a861ab48759dc2a112cf1

SHA512
98dc20019f7987ff31bbf50f23caf0cee6d8b909d0c0fe5428a10c4c0247a5fe46793739cc97399a6d6b143e882d859d884efcecab631a8d66013edd5e284bbe

Download Submit
C:\Windows\System32\oLREWLY.exe

Filesize
2.6MB

MD5
88afc9c6855fb7d39598ac5780476898

SHA1
afe65a36c981d4bfc2196a759023c22618853a6a

SHA256
2b13344753850cf412ebe9031f86043a37817922b3545a5fbbc25d904efd5618

SHA512
5169101895945e7b14b1676412f0c0276fc849800bfdcae8a4991220b298da5b36690a2039d16a3c018194170ccaffe610f11c1be50cb753e4ba2105c16bb60e

Download Submit
C:\Windows\System32\tDFtxrx.exe

Filesize
2.6MB

MD5
a5214cca4f0ad710425377e42dbba774

SHA1
191b047a75c18988a175e5f1574702a1696b7367

SHA256
854d693cf979bb985b109140cf46b4b7863a553ab6c25b137e40bfabe0ded4e2

SHA512
f536fcf22bac9c0598bac09dcf3df49fc42891c36d28435753b485e1e143c408df2e48289615e48bf7a0262ef5d531c9944c1dd7d9a629db0942e8ccb53fb1c5

Download Submit
C:\Windows\System32\uHrLwfz.exe

Filesize
2.6MB

MD5
b0e3b445e2848b43ad0d8c8a2aa6bd95

SHA1
09d2d2cfb3b2ce35453a5dc0d33beae72edcb0b1

SHA256
b51e9fdcb0d0df9c75ebeab464f8e7dbe74a045622ee9893ecc7d7807c090345

SHA512
cde653313e7ff4acbad66b99cc14fee33e41b8e072e527dfdc85136c9e9d58d38ae07852bff1a2dd83f580a22b8330482562859e4173ab97fee1faeca0998d56

Download Submit
C:\Windows\System32\uHufzVU.exe

Filesize
2.6MB

MD5
a4ec5184dc80b6eeaf9598b378d4b400

SHA1
a74d0f9652a4b00bd34c5100fc770a0f1a780cb8

SHA256
63e9e37eebd6f2febac67aa64c26c831be264080b26daef83c929fbfc6b11ac8

SHA512
b38cb595d0291fc9ff640b58fd46439f1b217bc16c9a8a40046d1aade6d910b4cb77062a3c2941e0b0415962f4d8bd39a2c2d06550ef43255c6b4c4c06ceeb51

Download Submit
memory/264-192-0x00007FF631BE0000-0x00007FF631FD5000-memory.dmp

Filesize
4.0MB

Download
memory/436-34-0x00007FF6C1750000-0x00007FF6C1B45000-memory.dmp

Filesize
4.0MB

Download
memory/436-305-0x00007FF6C1750000-0x00007FF6C1B45000-memory.dmp

Filesize
4.0MB

Download
memory/540-147-0x00007FF6785F0000-0x00007FF6789E5000-memory.dmp

Filesize
4.0MB

Download
memory/696-309-0x00007FF779CC0000-0x00007FF77A0B5000-memory.dmp

Filesize
4.0MB

Download
memory/732-357-0x00007FF664B10000-0x00007FF664F05000-memory.dmp

Filesize
4.0MB

Download
memory/748-153-0x00007FF65B460000-0x00007FF65B855000-memory.dmp

Filesize
4.0MB

Download
memory/840-146-0x00007FF695420000-0x00007FF695815000-memory.dmp

Filesize
4.0MB

Download
memory/884-312-0x00007FF7F4F70000-0x00007FF7F5365000-memory.dmp

Filesize
4.0MB

Download
memory/1268-128-0x00007FF7FCD20000-0x00007FF7FD115000-memory.dmp

Filesize
4.0MB

Download
memory/1296-330-0x00007FF7963D0000-0x00007FF7967C5000-memory.dmp

Filesize
4.0MB

Download
memory/1656-140-0x00007FF6551A0000-0x00007FF655595000-memory.dmp

Filesize
4.0MB

Download
memory/1916-342-0x00007FF6C1000000-0x00007FF6C13F5000-memory.dmp

Filesize
4.0MB

Download
memory/2116-15-0x00007FF6BC100000-0x00007FF6BC4F5000-memory.dmp

Filesize
4.0MB

Download
memory/2116-173-0x00007FF6BC100000-0x00007FF6BC4F5000-memory.dmp

Filesize
4.0MB

Download
memory/2240-65-0x00007FF642FF0000-0x00007FF6433E5000-memory.dmp

Filesize
4.0MB

Download
memory/2252-380-0x00007FF79A020000-0x00007FF79A415000-memory.dmp

Filesize
4.0MB

Download
memory/2380-52-0x00007FF7B2C80000-0x00007FF7B3075000-memory.dmp

Filesize
4.0MB

Download
memory/2388-167-0x00007FF616750000-0x00007FF616B45000-memory.dmp

Filesize
4.0MB

Download
memory/2496-170-0x00007FF6029E0000-0x00007FF602DD5000-memory.dmp

Filesize
4.0MB

Download
memory/2496-8-0x00007FF6029E0000-0x00007FF602DD5000-memory.dmp

Filesize
4.0MB

Download
memory/2552-129-0x00007FF741E90000-0x00007FF742285000-memory.dmp

Filesize
4.0MB

Download
memory/2652-374-0x00007FF7D8200000-0x00007FF7D85F5000-memory.dmp

Filesize
4.0MB

Download
memory/2820-307-0x00007FF613340000-0x00007FF613735000-memory.dmp

Filesize
4.0MB

Download
memory/2984-311-0x00007FF6EF260000-0x00007FF6EF655000-memory.dmp

Filesize
4.0MB

Download
memory/3056-345-0x00007FF65A700000-0x00007FF65AAF5000-memory.dmp

Filesize
4.0MB

Download
memory/3132-30-0x00007FF6ECB70000-0x00007FF6ECF65000-memory.dmp

Filesize
4.0MB

Download
memory/3132-195-0x00007FF6ECB70000-0x00007FF6ECF65000-memory.dmp

Filesize
4.0MB

Download
memory/3484-379-0x00007FF70DC40000-0x00007FF70E035000-memory.dmp

Filesize
4.0MB

Download
memory/3536-335-0x00007FF6F1A10000-0x00007FF6F1E05000-memory.dmp

Filesize
4.0MB

Download
memory/3572-176-0x00007FF657520000-0x00007FF657915000-memory.dmp

Filesize
4.0MB

Download
memory/3764-354-0x00007FF632B80000-0x00007FF632F75000-memory.dmp

Filesize
4.0MB

Download
memory/3784-22-0x00007FF7E5260000-0x00007FF7E5655000-memory.dmp

Filesize
4.0MB

Download
memory/3784-181-0x00007FF7E5260000-0x00007FF7E5655000-memory.dmp

Filesize
4.0MB

Download
memory/3840-306-0x00007FF60FFA0000-0x00007FF610395000-memory.dmp

Filesize
4.0MB

Download
memory/3844-352-0x00007FF735470000-0x00007FF735865000-memory.dmp

Filesize
4.0MB

Download
memory/3912-314-0x00007FF7E7470000-0x00007FF7E7865000-memory.dmp

Filesize
4.0MB

Download
memory/3928-158-0x00007FF6A0420000-0x00007FF6A0815000-memory.dmp

Filesize
4.0MB

Download
memory/3928-1-0x00000233C4340000-0x00000233C4350000-memory.dmp

Filesize
64KB

Download
memory/3928-0-0x00007FF6A0420000-0x00007FF6A0815000-memory.dmp

Filesize
4.0MB

Download
memory/3956-308-0x00007FF75D540000-0x00007FF75D935000-memory.dmp

Filesize
4.0MB

Download
memory/4088-198-0x00007FF6585C0000-0x00007FF6589B5000-memory.dmp

Filesize
4.0MB

Download
memory/4268-71-0x00007FF78DF10000-0x00007FF78E305000-memory.dmp

Filesize
4.0MB

Download
memory/4300-188-0x00007FF6940F0000-0x00007FF6944E5000-memory.dmp

Filesize
4.0MB

Download
memory/4300-24-0x00007FF6940F0000-0x00007FF6944E5000-memory.dmp

Filesize
4.0MB

Download
memory/4336-69-0x00007FF7E31D0000-0x00007FF7E35C5000-memory.dmp

Filesize
4.0MB

Download
memory/4368-313-0x00007FF6E1FF0000-0x00007FF6E23E5000-memory.dmp

Filesize
4.0MB

Download
memory/4452-310-0x00007FF68DBA0000-0x00007FF68DF95000-memory.dmp

Filesize
4.0MB

Download
memory/4524-164-0x00007FF6E9880000-0x00007FF6E9C75000-memory.dmp

Filesize
4.0MB

Download
memory/4540-72-0x00007FF7EDE50000-0x00007FF7EE245000-memory.dmp

Filesize
4.0MB

Download
memory/4584-152-0x00007FF7510B0000-0x00007FF7514A5000-memory.dmp

Filesize
4.0MB

Download
memory/4632-370-0x00007FF6F7100000-0x00007FF6F74F5000-memory.dmp

Filesize
4.0MB

Download
memory/4676-161-0x00007FF624260000-0x00007FF624655000-memory.dmp

Filesize
4.0MB

Download
memory/4692-141-0x00007FF70D290000-0x00007FF70D685000-memory.dmp

Filesize
4.0MB

Download
memory/4704-317-0x00007FF7B9A40000-0x00007FF7B9E35000-memory.dmp

Filesize
4.0MB

Download
memory/4768-185-0x00007FF744650000-0x00007FF744A45000-memory.dmp

Filesize
4.0MB

Download
memory/4780-136-0x00007FF75EF30000-0x00007FF75F325000-memory.dmp

Filesize
4.0MB

Download
memory/4784-326-0x00007FF705DB0000-0x00007FF7061A5000-memory.dmp

Filesize
4.0MB

Download
memory/4796-155-0x00007FF63B500000-0x00007FF63B8F5000-memory.dmp

Filesize
4.0MB

Download
memory/4828-315-0x00007FF7CD2E0000-0x00007FF7CD6D5000-memory.dmp

Filesize
4.0MB

Download
memory/4840-130-0x00007FF6DFBD0000-0x00007FF6DFFC5000-memory.dmp

Filesize
4.0MB

Download
memory/4976-149-0x00007FF791710000-0x00007FF791B05000-memory.dmp

Filesize
4.0MB

Download
memory/4988-320-0x00007FF72CB30000-0x00007FF72CF25000-memory.dmp

Filesize
4.0MB

Download
memory/5036-70-0x00007FF6A0150000-0x00007FF6A0545000-memory.dmp

Filesize
4.0MB

Download
memory/5040-178-0x00007FF690EC0000-0x00007FF6912B5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads