xmrig | ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784

Analysis

max time kernel
143s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
Size

1.9MB
MD5

665d0a7ef665c81b50738bab1ce856c8
SHA1

d45f26d56f6eeeca8a559c30400e4f5e270c64c7
SHA256

ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784
SHA512

09e3f684e6e34abcfe950cb8b7c10aca362df4698f6cff5abfe4892cbfdb5a39ffb710a3e1d536b892c24d9c9b329007c0b09966ef898a7d1f2cae0ad62de669
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcqkeBWF3WAv4op8MDu7Edr2gKFkKLE4QcH:knw9oUUEEDl37jcqMHdooeqGwUHSW

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/404-0-0x00007FF7DA630000-0x00007FF7DAA21000-memory.dmp	UPX
behavioral2/files/0x000600000002326c-5.dat	UPX
behavioral2/files/0x0008000000023410-8.dat	UPX
behavioral2/files/0x000800000002340d-18.dat	UPX
behavioral2/memory/2600-22-0x00007FF761BE0000-0x00007FF761FD1000-memory.dmp	UPX
behavioral2/memory/4724-17-0x00007FF619730000-0x00007FF619B21000-memory.dmp	UPX
behavioral2/memory/1376-9-0x00007FF645AD0000-0x00007FF645EC1000-memory.dmp	UPX
behavioral2/files/0x0007000000023412-27.dat	UPX
behavioral2/files/0x0007000000023411-29.dat	UPX
behavioral2/memory/972-32-0x00007FF6CB3F0000-0x00007FF6CB7E1000-memory.dmp	UPX
behavioral2/files/0x0007000000023413-35.dat	UPX
behavioral2/files/0x0007000000023414-40.dat	UPX
behavioral2/files/0x0007000000023415-47.dat	UPX
behavioral2/memory/3192-48-0x00007FF7A5A10000-0x00007FF7A5E01000-memory.dmp	UPX
behavioral2/memory/1188-45-0x00007FF7129D0000-0x00007FF712DC1000-memory.dmp	UPX
behavioral2/memory/4504-38-0x00007FF7FD3D0000-0x00007FF7FD7C1000-memory.dmp	UPX
behavioral2/memory/2668-37-0x00007FF7966A0000-0x00007FF796A91000-memory.dmp	UPX
behavioral2/files/0x0007000000023416-54.dat	UPX
behavioral2/memory/4776-57-0x00007FF6BA210000-0x00007FF6BA601000-memory.dmp	UPX
behavioral2/files/0x0007000000023418-62.dat	UPX
behavioral2/files/0x000800000002340e-68.dat	UPX
behavioral2/files/0x0007000000023419-67.dat	UPX
behavioral2/memory/2936-72-0x00007FF7EA410000-0x00007FF7EA801000-memory.dmp	UPX
behavioral2/files/0x000700000002341a-79.dat	UPX
behavioral2/files/0x000700000002341b-82.dat	UPX
behavioral2/memory/4168-65-0x00007FF76D760000-0x00007FF76DB51000-memory.dmp	UPX
behavioral2/memory/4128-86-0x00007FF716810000-0x00007FF716C01000-memory.dmp	UPX
behavioral2/files/0x000700000002341c-94.dat	UPX
behavioral2/files/0x000700000002341d-93.dat	UPX
behavioral2/memory/4976-97-0x00007FF700630000-0x00007FF700A21000-memory.dmp	UPX
behavioral2/files/0x000700000002341e-103.dat	UPX
behavioral2/memory/404-105-0x00007FF7DA630000-0x00007FF7DAA21000-memory.dmp	UPX
behavioral2/files/0x0007000000023421-116.dat	UPX
behavioral2/files/0x000700000002341f-119.dat	UPX
behavioral2/files/0x0007000000023422-124.dat	UPX
behavioral2/files/0x0007000000023423-130.dat	UPX
behavioral2/memory/3580-131-0x00007FF74BEC0000-0x00007FF74C2B1000-memory.dmp	UPX
behavioral2/files/0x0007000000023424-141.dat	UPX
behavioral2/memory/3824-140-0x00007FF6C0720000-0x00007FF6C0B11000-memory.dmp	UPX
behavioral2/memory/3464-143-0x00007FF6DD6D0000-0x00007FF6DDAC1000-memory.dmp	UPX
behavioral2/memory/2036-138-0x00007FF6701C0000-0x00007FF6705B1000-memory.dmp	UPX
behavioral2/memory/708-133-0x00007FF622960000-0x00007FF622D51000-memory.dmp	UPX
behavioral2/memory/4724-128-0x00007FF619730000-0x00007FF619B21000-memory.dmp	UPX
behavioral2/memory/3352-123-0x00007FF767D10000-0x00007FF768101000-memory.dmp	UPX
behavioral2/memory/1624-120-0x00007FF64EC10000-0x00007FF64F001000-memory.dmp	UPX
behavioral2/files/0x0007000000023420-114.dat	UPX
behavioral2/memory/1300-113-0x00007FF761260000-0x00007FF761651000-memory.dmp	UPX
behavioral2/memory/1376-107-0x00007FF645AD0000-0x00007FF645EC1000-memory.dmp	UPX
behavioral2/memory/3028-102-0x00007FF67BE00000-0x00007FF67C1F1000-memory.dmp	UPX
behavioral2/memory/3396-90-0x00007FF6FF270000-0x00007FF6FF661000-memory.dmp	UPX
behavioral2/files/0x0007000000023429-157.dat	UPX
behavioral2/files/0x000700000002342d-166.dat	UPX
behavioral2/files/0x000700000002342f-172.dat	UPX
behavioral2/files/0x0007000000023430-198.dat	UPX
behavioral2/files/0x0007000000023433-204.dat	UPX
behavioral2/memory/4744-215-0x00007FF70DF70000-0x00007FF70E361000-memory.dmp	UPX
behavioral2/memory/3284-222-0x00007FF774860000-0x00007FF774C51000-memory.dmp	UPX
behavioral2/memory/3728-220-0x00007FF6D6700000-0x00007FF6D6AF1000-memory.dmp	UPX
behavioral2/memory/2800-237-0x00007FF608F90000-0x00007FF609381000-memory.dmp	UPX
behavioral2/memory/864-239-0x00007FF72D040000-0x00007FF72D431000-memory.dmp	UPX
behavioral2/memory/3796-240-0x00007FF7310E0000-0x00007FF7314D1000-memory.dmp	UPX
behavioral2/memory/1804-242-0x00007FF6448B0000-0x00007FF644CA1000-memory.dmp	UPX
behavioral2/memory/1292-245-0x00007FF6F9F70000-0x00007FF6FA361000-memory.dmp	UPX
behavioral2/memory/1188-247-0x00007FF7129D0000-0x00007FF712DC1000-memory.dmp	UPX

XMRig Miner payload 53 IoCs

miner

resource	yara_rule
behavioral2/memory/2600-22-0x00007FF761BE0000-0x00007FF761FD1000-memory.dmp	xmrig
behavioral2/memory/972-32-0x00007FF6CB3F0000-0x00007FF6CB7E1000-memory.dmp	xmrig
behavioral2/memory/1188-45-0x00007FF7129D0000-0x00007FF712DC1000-memory.dmp	xmrig
behavioral2/memory/4504-38-0x00007FF7FD3D0000-0x00007FF7FD7C1000-memory.dmp	xmrig
behavioral2/memory/2668-37-0x00007FF7966A0000-0x00007FF796A91000-memory.dmp	xmrig
behavioral2/memory/4776-57-0x00007FF6BA210000-0x00007FF6BA601000-memory.dmp	xmrig
behavioral2/memory/4128-86-0x00007FF716810000-0x00007FF716C01000-memory.dmp	xmrig
behavioral2/memory/404-105-0x00007FF7DA630000-0x00007FF7DAA21000-memory.dmp	xmrig
behavioral2/memory/3580-131-0x00007FF74BEC0000-0x00007FF74C2B1000-memory.dmp	xmrig
behavioral2/memory/3824-140-0x00007FF6C0720000-0x00007FF6C0B11000-memory.dmp	xmrig
behavioral2/memory/3464-143-0x00007FF6DD6D0000-0x00007FF6DDAC1000-memory.dmp	xmrig
behavioral2/memory/2036-138-0x00007FF6701C0000-0x00007FF6705B1000-memory.dmp	xmrig
behavioral2/memory/708-133-0x00007FF622960000-0x00007FF622D51000-memory.dmp	xmrig
behavioral2/memory/4724-128-0x00007FF619730000-0x00007FF619B21000-memory.dmp	xmrig
behavioral2/memory/1624-120-0x00007FF64EC10000-0x00007FF64F001000-memory.dmp	xmrig
behavioral2/memory/1300-113-0x00007FF761260000-0x00007FF761651000-memory.dmp	xmrig
behavioral2/memory/1376-107-0x00007FF645AD0000-0x00007FF645EC1000-memory.dmp	xmrig
behavioral2/memory/3396-90-0x00007FF6FF270000-0x00007FF6FF661000-memory.dmp	xmrig
behavioral2/memory/4744-215-0x00007FF70DF70000-0x00007FF70E361000-memory.dmp	xmrig
behavioral2/memory/3284-222-0x00007FF774860000-0x00007FF774C51000-memory.dmp	xmrig
behavioral2/memory/3728-220-0x00007FF6D6700000-0x00007FF6D6AF1000-memory.dmp	xmrig
behavioral2/memory/2800-237-0x00007FF608F90000-0x00007FF609381000-memory.dmp	xmrig
behavioral2/memory/864-239-0x00007FF72D040000-0x00007FF72D431000-memory.dmp	xmrig
behavioral2/memory/3796-240-0x00007FF7310E0000-0x00007FF7314D1000-memory.dmp	xmrig
behavioral2/memory/1804-242-0x00007FF6448B0000-0x00007FF644CA1000-memory.dmp	xmrig
behavioral2/memory/1292-245-0x00007FF6F9F70000-0x00007FF6FA361000-memory.dmp	xmrig
behavioral2/memory/1188-247-0x00007FF7129D0000-0x00007FF712DC1000-memory.dmp	xmrig
behavioral2/memory/4548-249-0x00007FF766880000-0x00007FF766C71000-memory.dmp	xmrig
behavioral2/memory/1760-326-0x00007FF66AC30000-0x00007FF66B021000-memory.dmp	xmrig
behavioral2/memory/1036-332-0x00007FF78B790000-0x00007FF78BB81000-memory.dmp	xmrig
behavioral2/memory/800-337-0x00007FF72CE50000-0x00007FF72D241000-memory.dmp	xmrig
behavioral2/memory/5084-344-0x00007FF604A70000-0x00007FF604E61000-memory.dmp	xmrig
behavioral2/memory/1956-346-0x00007FF7DB7C0000-0x00007FF7DBBB1000-memory.dmp	xmrig
behavioral2/memory/2896-347-0x00007FF6D0150000-0x00007FF6D0541000-memory.dmp	xmrig
behavioral2/memory/4960-352-0x00007FF74D6E0000-0x00007FF74DAD1000-memory.dmp	xmrig
behavioral2/memory/3836-354-0x00007FF7089C0000-0x00007FF708DB1000-memory.dmp	xmrig
behavioral2/memory/4804-328-0x00007FF701A60000-0x00007FF701E51000-memory.dmp	xmrig
behavioral2/memory/3044-357-0x00007FF7BA440000-0x00007FF7BA831000-memory.dmp	xmrig
behavioral2/memory/232-361-0x00007FF713A90000-0x00007FF713E81000-memory.dmp	xmrig
behavioral2/memory/2876-369-0x00007FF778930000-0x00007FF778D21000-memory.dmp	xmrig
behavioral2/memory/3140-497-0x00007FF6D5F00000-0x00007FF6D62F1000-memory.dmp	xmrig
behavioral2/memory/5060-252-0x00007FF646A20000-0x00007FF646E11000-memory.dmp	xmrig
behavioral2/memory/3756-250-0x00007FF6E08A0000-0x00007FF6E0C91000-memory.dmp	xmrig
behavioral2/memory/3692-248-0x00007FF6576A0000-0x00007FF657A91000-memory.dmp	xmrig
behavioral2/memory/2888-246-0x00007FF697D00000-0x00007FF6980F1000-memory.dmp	xmrig
behavioral2/memory/2532-244-0x00007FF60A830000-0x00007FF60AC21000-memory.dmp	xmrig
behavioral2/memory/512-243-0x00007FF60C4F0000-0x00007FF60C8E1000-memory.dmp	xmrig
behavioral2/memory/4012-241-0x00007FF720110000-0x00007FF720501000-memory.dmp	xmrig
behavioral2/memory/4404-238-0x00007FF617620000-0x00007FF617A11000-memory.dmp	xmrig
behavioral2/memory/228-235-0x00007FF657210000-0x00007FF657601000-memory.dmp	xmrig
behavioral2/memory/1660-199-0x00007FF73C7C0000-0x00007FF73CBB1000-memory.dmp	xmrig
behavioral2/memory/4460-169-0x00007FF6715F0000-0x00007FF6719E1000-memory.dmp	xmrig
behavioral2/memory/972-155-0x00007FF6CB3F0000-0x00007FF6CB7E1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1376	SHUzSNw.exe
2600	dmMndym.exe
4724	BdcdEXL.exe
972	oVhqjvX.exe
2668	TtMhOof.exe
4504	ENHIVOm.exe
1188	mSStsbC.exe
3192	AuJRHKj.exe
4776	hwePTUE.exe
4168	hheghAZ.exe
4128	RBSZPnM.exe
2936	IaNEPhv.exe
3396	rBwZFHY.exe
1300	eyjFzUk.exe
1624	XieJnEr.exe
4976	GeHuOoD.exe
3028	ufZsiaj.exe
3352	jzTkLLI.exe
3580	cbDxQcw.exe
708	WuvTJkm.exe
2036	pNRHGVl.exe
3824	CWIMDKd.exe
3464	kXfkcuF.exe
4460	UyOFHHB.exe
2888	mxfHaRC.exe
1160	CWYXTuU.exe
1660	ApGErJd.exe
4744	jzYnZiv.exe
3728	XZNYJpz.exe
3692	zOUXVBa.exe
3284	hhxeGGO.exe
4548	ChaPcBX.exe
3756	MXHKJhD.exe
228	xqLuidL.exe
2800	mVKFBOU.exe
4404	ySCDFSo.exe
864	iStmeYO.exe
3796	xbSBfJE.exe
4012	rEHdjln.exe
5056	ROshAqb.exe
1804	jQoNkFD.exe
512	UJadPKu.exe
2532	dmwQLfc.exe
1292	haXPcbv.exe
5060	QbviJdI.exe
1760	ywQHwvn.exe
4804	yjfLWVj.exe
1036	wPYxkDl.exe
800	arpbSJS.exe
5084	NvZTjMB.exe
1956	smORmTB.exe
2896	LMviGAk.exe
4960	PUjJpDT.exe
3836	cjupCja.exe
3044	yxjdbUo.exe
232	pDfOiUa.exe
2876	VdPUZEB.exe
3140	DOqIsIJ.exe
4572	yTWItNq.exe
1544	hFgqkFj.exe
4660	uhbXvhI.exe
5020	fsRzjDz.exe
4636	yKncKvN.exe
4628	ThHINeI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/404-0-0x00007FF7DA630000-0x00007FF7DAA21000-memory.dmp	upx
behavioral2/files/0x000600000002326c-5.dat	upx
behavioral2/files/0x0008000000023410-8.dat	upx
behavioral2/files/0x000800000002340d-18.dat	upx
behavioral2/memory/2600-22-0x00007FF761BE0000-0x00007FF761FD1000-memory.dmp	upx
behavioral2/memory/4724-17-0x00007FF619730000-0x00007FF619B21000-memory.dmp	upx
behavioral2/memory/1376-9-0x00007FF645AD0000-0x00007FF645EC1000-memory.dmp	upx
behavioral2/files/0x0007000000023412-27.dat	upx
behavioral2/files/0x0007000000023411-29.dat	upx
behavioral2/memory/972-32-0x00007FF6CB3F0000-0x00007FF6CB7E1000-memory.dmp	upx
behavioral2/files/0x0007000000023413-35.dat	upx
behavioral2/files/0x0007000000023414-40.dat	upx
behavioral2/files/0x0007000000023415-47.dat	upx
behavioral2/memory/3192-48-0x00007FF7A5A10000-0x00007FF7A5E01000-memory.dmp	upx
behavioral2/memory/1188-45-0x00007FF7129D0000-0x00007FF712DC1000-memory.dmp	upx
behavioral2/memory/4504-38-0x00007FF7FD3D0000-0x00007FF7FD7C1000-memory.dmp	upx
behavioral2/memory/2668-37-0x00007FF7966A0000-0x00007FF796A91000-memory.dmp	upx
behavioral2/files/0x0007000000023416-54.dat	upx
behavioral2/memory/4776-57-0x00007FF6BA210000-0x00007FF6BA601000-memory.dmp	upx
behavioral2/files/0x0007000000023418-62.dat	upx
behavioral2/files/0x000800000002340e-68.dat	upx
behavioral2/files/0x0007000000023419-67.dat	upx
behavioral2/memory/2936-72-0x00007FF7EA410000-0x00007FF7EA801000-memory.dmp	upx
behavioral2/files/0x000700000002341a-79.dat	upx
behavioral2/files/0x000700000002341b-82.dat	upx
behavioral2/memory/4168-65-0x00007FF76D760000-0x00007FF76DB51000-memory.dmp	upx
behavioral2/memory/4128-86-0x00007FF716810000-0x00007FF716C01000-memory.dmp	upx
behavioral2/files/0x000700000002341c-94.dat	upx
behavioral2/files/0x000700000002341d-93.dat	upx
behavioral2/memory/4976-97-0x00007FF700630000-0x00007FF700A21000-memory.dmp	upx
behavioral2/files/0x000700000002341e-103.dat	upx
behavioral2/memory/404-105-0x00007FF7DA630000-0x00007FF7DAA21000-memory.dmp	upx
behavioral2/files/0x0007000000023421-116.dat	upx
behavioral2/files/0x000700000002341f-119.dat	upx
behavioral2/files/0x0007000000023422-124.dat	upx
behavioral2/files/0x0007000000023423-130.dat	upx
behavioral2/memory/3580-131-0x00007FF74BEC0000-0x00007FF74C2B1000-memory.dmp	upx
behavioral2/files/0x0007000000023424-141.dat	upx
behavioral2/memory/3824-140-0x00007FF6C0720000-0x00007FF6C0B11000-memory.dmp	upx
behavioral2/memory/3464-143-0x00007FF6DD6D0000-0x00007FF6DDAC1000-memory.dmp	upx
behavioral2/memory/2036-138-0x00007FF6701C0000-0x00007FF6705B1000-memory.dmp	upx
behavioral2/memory/708-133-0x00007FF622960000-0x00007FF622D51000-memory.dmp	upx
behavioral2/memory/4724-128-0x00007FF619730000-0x00007FF619B21000-memory.dmp	upx
behavioral2/memory/3352-123-0x00007FF767D10000-0x00007FF768101000-memory.dmp	upx
behavioral2/memory/1624-120-0x00007FF64EC10000-0x00007FF64F001000-memory.dmp	upx
behavioral2/files/0x0007000000023420-114.dat	upx
behavioral2/memory/1300-113-0x00007FF761260000-0x00007FF761651000-memory.dmp	upx
behavioral2/memory/1376-107-0x00007FF645AD0000-0x00007FF645EC1000-memory.dmp	upx
behavioral2/memory/3028-102-0x00007FF67BE00000-0x00007FF67C1F1000-memory.dmp	upx
behavioral2/memory/3396-90-0x00007FF6FF270000-0x00007FF6FF661000-memory.dmp	upx
behavioral2/files/0x0007000000023429-157.dat	upx
behavioral2/files/0x000700000002342d-166.dat	upx
behavioral2/files/0x000700000002342f-172.dat	upx
behavioral2/files/0x0007000000023430-198.dat	upx
behavioral2/files/0x0007000000023433-204.dat	upx
behavioral2/memory/4744-215-0x00007FF70DF70000-0x00007FF70E361000-memory.dmp	upx
behavioral2/memory/3284-222-0x00007FF774860000-0x00007FF774C51000-memory.dmp	upx
behavioral2/memory/3728-220-0x00007FF6D6700000-0x00007FF6D6AF1000-memory.dmp	upx
behavioral2/memory/2800-237-0x00007FF608F90000-0x00007FF609381000-memory.dmp	upx
behavioral2/memory/864-239-0x00007FF72D040000-0x00007FF72D431000-memory.dmp	upx
behavioral2/memory/3796-240-0x00007FF7310E0000-0x00007FF7314D1000-memory.dmp	upx
behavioral2/memory/1804-242-0x00007FF6448B0000-0x00007FF644CA1000-memory.dmp	upx
behavioral2/memory/1292-245-0x00007FF6F9F70000-0x00007FF6FA361000-memory.dmp	upx
behavioral2/memory/1188-247-0x00007FF7129D0000-0x00007FF712DC1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\bMCjBfN.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\CkznOjK.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\bFqhbtU.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\ujdiXMF.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\AuJRHKj.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\CWIMDKd.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\tzGzbST.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\sppRjdi.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\yuuherk.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\XieJnEr.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\YngDzEp.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\IzEcFGL.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\EJBGnjT.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\rDMEJOB.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\DTDdGlu.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\RfXQvJI.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\wHpZCBQ.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\ENHIVOm.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\vrRlSuw.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\tKShahx.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\TTnEOqd.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\pZRwfOp.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\vXNBTEA.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\RrYuUoh.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\qLCNGpm.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\XrmytNf.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\rqBPQqX.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\KapiuCr.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\zJqTHto.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\EMJntFw.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\dMTPRUv.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\qUlyUQi.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\jQoNkFD.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\ZPylLZE.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\DakYRqv.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\uqjuLtP.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\fBSlZEJ.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\OiSkNnq.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\WiflYVO.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\ttDaxwz.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\qErymHl.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\jlfJVJe.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\pxQYpVA.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\PUjJpDT.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\DvNKMom.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\DaqTaCC.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\tXGRCaN.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\RcPeeXG.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\GabAQsy.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\fuxaQoE.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\ClDsTyI.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\cXgTyko.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\SCMLiaX.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\AYIIqCs.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\hFAeCKg.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\peATHZh.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\RxLkRPK.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\ZmVIAvo.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\Xgvllrg.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\mVKFBOU.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\XGdKWdZ.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\UqhmFvW.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\GeHuOoD.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
File created	C:\Windows\System32\ufZsiaj.exe	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	9344	dwm.exe
Token: SeChangeNotifyPrivilege	9344	dwm.exe
Token: 33	9344	dwm.exe
Token: SeIncBasePriorityPrivilege	9344	dwm.exe
Token: SeCreateGlobalPrivilege	10540	dwm.exe
Token: SeChangeNotifyPrivilege	10540	dwm.exe
Token: 33	10540	dwm.exe
Token: SeIncBasePriorityPrivilege	10540	dwm.exe
Token: SeShutdownPrivilege	10540	dwm.exe
Token: SeCreatePagefilePrivilege	10540	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 1376	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	87
PID 404 wrote to memory of 1376	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	87
PID 404 wrote to memory of 4724	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	88
PID 404 wrote to memory of 4724	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	88
PID 404 wrote to memory of 2600	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	89
PID 404 wrote to memory of 2600	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	89
PID 404 wrote to memory of 972	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	90
PID 404 wrote to memory of 972	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	90
PID 404 wrote to memory of 2668	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	91
PID 404 wrote to memory of 2668	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	91
PID 404 wrote to memory of 4504	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	92
PID 404 wrote to memory of 4504	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	92
PID 404 wrote to memory of 1188	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	93
PID 404 wrote to memory of 1188	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	93
PID 404 wrote to memory of 3192	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	94
PID 404 wrote to memory of 3192	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	94
PID 404 wrote to memory of 4776	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	95
PID 404 wrote to memory of 4776	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	95
PID 404 wrote to memory of 4168	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	97
PID 404 wrote to memory of 4168	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	97
PID 404 wrote to memory of 4128	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	98
PID 404 wrote to memory of 4128	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	98
PID 404 wrote to memory of 2936	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	99
PID 404 wrote to memory of 2936	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	99
PID 404 wrote to memory of 3396	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	100
PID 404 wrote to memory of 3396	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	100
PID 404 wrote to memory of 1300	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	101
PID 404 wrote to memory of 1300	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	101
PID 404 wrote to memory of 1624	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	102
PID 404 wrote to memory of 1624	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	102
PID 404 wrote to memory of 4976	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	103
PID 404 wrote to memory of 4976	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	103
PID 404 wrote to memory of 3028	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	104
PID 404 wrote to memory of 3028	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	104
PID 404 wrote to memory of 3352	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	105
PID 404 wrote to memory of 3352	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	105
PID 404 wrote to memory of 3580	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	106
PID 404 wrote to memory of 3580	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	106
PID 404 wrote to memory of 708	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	107
PID 404 wrote to memory of 708	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	107
PID 404 wrote to memory of 2036	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	108
PID 404 wrote to memory of 2036	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	108
PID 404 wrote to memory of 3824	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	109
PID 404 wrote to memory of 3824	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	109
PID 404 wrote to memory of 3464	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	110
PID 404 wrote to memory of 3464	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	110
PID 404 wrote to memory of 4460	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	111
PID 404 wrote to memory of 4460	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	111
PID 404 wrote to memory of 2888	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	112
PID 404 wrote to memory of 2888	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	112
PID 404 wrote to memory of 1160	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	113
PID 404 wrote to memory of 1160	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	113
PID 404 wrote to memory of 1660	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	114
PID 404 wrote to memory of 1660	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	114
PID 404 wrote to memory of 4744	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	115
PID 404 wrote to memory of 4744	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	115
PID 404 wrote to memory of 3728	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	116
PID 404 wrote to memory of 3728	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	116
PID 404 wrote to memory of 3692	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	117
PID 404 wrote to memory of 3692	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	117
PID 404 wrote to memory of 3284	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	118
PID 404 wrote to memory of 3284	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	118
PID 404 wrote to memory of 4548	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	119
PID 404 wrote to memory of 4548	404	ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe	119

C:\Users\Admin\AppData\Local\Temp\ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe
"C:\Users\Admin\AppData\Local\Temp\ca49cfed48f22de049b6d6065738ca1bb349a824baeccd6def2b843bce72c784.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\System32\SHUzSNw.exe
  C:\Windows\System32\SHUzSNw.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\BdcdEXL.exe
  C:\Windows\System32\BdcdEXL.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\dmMndym.exe
  C:\Windows\System32\dmMndym.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System32\oVhqjvX.exe
  C:\Windows\System32\oVhqjvX.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System32\TtMhOof.exe
  C:\Windows\System32\TtMhOof.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System32\ENHIVOm.exe
  C:\Windows\System32\ENHIVOm.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System32\mSStsbC.exe
  C:\Windows\System32\mSStsbC.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System32\AuJRHKj.exe
  C:\Windows\System32\AuJRHKj.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System32\hwePTUE.exe
  C:\Windows\System32\hwePTUE.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\hheghAZ.exe
  C:\Windows\System32\hheghAZ.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System32\RBSZPnM.exe
  C:\Windows\System32\RBSZPnM.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System32\IaNEPhv.exe
  C:\Windows\System32\IaNEPhv.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\rBwZFHY.exe
  C:\Windows\System32\rBwZFHY.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System32\eyjFzUk.exe
  C:\Windows\System32\eyjFzUk.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System32\XieJnEr.exe
  C:\Windows\System32\XieJnEr.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\GeHuOoD.exe
  C:\Windows\System32\GeHuOoD.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\ufZsiaj.exe
  C:\Windows\System32\ufZsiaj.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\jzTkLLI.exe
  C:\Windows\System32\jzTkLLI.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System32\cbDxQcw.exe
  C:\Windows\System32\cbDxQcw.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\WuvTJkm.exe
  C:\Windows\System32\WuvTJkm.exe
  2⤵
  - Executes dropped EXE
  PID:708
- C:\Windows\System32\pNRHGVl.exe
  C:\Windows\System32\pNRHGVl.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System32\CWIMDKd.exe
  C:\Windows\System32\CWIMDKd.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System32\kXfkcuF.exe
  C:\Windows\System32\kXfkcuF.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\UyOFHHB.exe
  C:\Windows\System32\UyOFHHB.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\mxfHaRC.exe
  C:\Windows\System32\mxfHaRC.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System32\CWYXTuU.exe
  C:\Windows\System32\CWYXTuU.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\ApGErJd.exe
  C:\Windows\System32\ApGErJd.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System32\jzYnZiv.exe
  C:\Windows\System32\jzYnZiv.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System32\XZNYJpz.exe
  C:\Windows\System32\XZNYJpz.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System32\zOUXVBa.exe
  C:\Windows\System32\zOUXVBa.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\hhxeGGO.exe
  C:\Windows\System32\hhxeGGO.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\ChaPcBX.exe
  C:\Windows\System32\ChaPcBX.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\MXHKJhD.exe
  C:\Windows\System32\MXHKJhD.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System32\xqLuidL.exe
  C:\Windows\System32\xqLuidL.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\mVKFBOU.exe
  C:\Windows\System32\mVKFBOU.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\ySCDFSo.exe
  C:\Windows\System32\ySCDFSo.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\iStmeYO.exe
  C:\Windows\System32\iStmeYO.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System32\dmwQLfc.exe
  C:\Windows\System32\dmwQLfc.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\xbSBfJE.exe
  C:\Windows\System32\xbSBfJE.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System32\rEHdjln.exe
  C:\Windows\System32\rEHdjln.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System32\ROshAqb.exe
  C:\Windows\System32\ROshAqb.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\jQoNkFD.exe
  C:\Windows\System32\jQoNkFD.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\UJadPKu.exe
  C:\Windows\System32\UJadPKu.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System32\haXPcbv.exe
  C:\Windows\System32\haXPcbv.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\QbviJdI.exe
  C:\Windows\System32\QbviJdI.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\ywQHwvn.exe
  C:\Windows\System32\ywQHwvn.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System32\yjfLWVj.exe
  C:\Windows\System32\yjfLWVj.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\wPYxkDl.exe
  C:\Windows\System32\wPYxkDl.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System32\arpbSJS.exe
  C:\Windows\System32\arpbSJS.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System32\NvZTjMB.exe
  C:\Windows\System32\NvZTjMB.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\smORmTB.exe
  C:\Windows\System32\smORmTB.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System32\LMviGAk.exe
  C:\Windows\System32\LMviGAk.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\PUjJpDT.exe
  C:\Windows\System32\PUjJpDT.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\cjupCja.exe
  C:\Windows\System32\cjupCja.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System32\yxjdbUo.exe
  C:\Windows\System32\yxjdbUo.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\pDfOiUa.exe
  C:\Windows\System32\pDfOiUa.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System32\VdPUZEB.exe
  C:\Windows\System32\VdPUZEB.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System32\DOqIsIJ.exe
  C:\Windows\System32\DOqIsIJ.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\yTWItNq.exe
  C:\Windows\System32\yTWItNq.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\hFgqkFj.exe
  C:\Windows\System32\hFgqkFj.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System32\uhbXvhI.exe
  C:\Windows\System32\uhbXvhI.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\fsRzjDz.exe
  C:\Windows\System32\fsRzjDz.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\yKncKvN.exe
  C:\Windows\System32\yKncKvN.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System32\ThHINeI.exe
  C:\Windows\System32\ThHINeI.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\DvNKMom.exe
  C:\Windows\System32\DvNKMom.exe
  2⤵
  PID:3316
- C:\Windows\System32\SjpMNBy.exe
  C:\Windows\System32\SjpMNBy.exe
  2⤵
  PID:2796
- C:\Windows\System32\cSQfNvO.exe
  C:\Windows\System32\cSQfNvO.exe
  2⤵
  PID:3428
- C:\Windows\System32\AAbTtZu.exe
  C:\Windows\System32\AAbTtZu.exe
  2⤵
  PID:2212
- C:\Windows\System32\gRcyGBc.exe
  C:\Windows\System32\gRcyGBc.exe
  2⤵
  PID:4492
- C:\Windows\System32\FvVucsN.exe
  C:\Windows\System32\FvVucsN.exe
  2⤵
  PID:2008
- C:\Windows\System32\PQUbFKI.exe
  C:\Windows\System32\PQUbFKI.exe
  2⤵
  PID:4508
- C:\Windows\System32\xHDPCYY.exe
  C:\Windows\System32\xHDPCYY.exe
  2⤵
  PID:220
- C:\Windows\System32\vpahOvL.exe
  C:\Windows\System32\vpahOvL.exe
  2⤵
  PID:2756
- C:\Windows\System32\XWXcdJX.exe
  C:\Windows\System32\XWXcdJX.exe
  2⤵
  PID:1948
- C:\Windows\System32\vrRlSuw.exe
  C:\Windows\System32\vrRlSuw.exe
  2⤵
  PID:3392
- C:\Windows\System32\ENgsImZ.exe
  C:\Windows\System32\ENgsImZ.exe
  2⤵
  PID:5136
- C:\Windows\System32\ZPylLZE.exe
  C:\Windows\System32\ZPylLZE.exe
  2⤵
  PID:5176
- C:\Windows\System32\qLCNGpm.exe
  C:\Windows\System32\qLCNGpm.exe
  2⤵
  PID:5244
- C:\Windows\System32\vXNBTEA.exe
  C:\Windows\System32\vXNBTEA.exe
  2⤵
  PID:5296
- C:\Windows\System32\QkqrPCr.exe
  C:\Windows\System32\QkqrPCr.exe
  2⤵
  PID:5324
- C:\Windows\System32\NVyTtdV.exe
  C:\Windows\System32\NVyTtdV.exe
  2⤵
  PID:5344
- C:\Windows\System32\RcMlrYs.exe
  C:\Windows\System32\RcMlrYs.exe
  2⤵
  PID:5372
- C:\Windows\System32\KZyZjpw.exe
  C:\Windows\System32\KZyZjpw.exe
  2⤵
  PID:5388
- C:\Windows\System32\ysrqKwY.exe
  C:\Windows\System32\ysrqKwY.exe
  2⤵
  PID:5404
- C:\Windows\System32\GTFxzvi.exe
  C:\Windows\System32\GTFxzvi.exe
  2⤵
  PID:5456
- C:\Windows\System32\IZFuzJk.exe
  C:\Windows\System32\IZFuzJk.exe
  2⤵
  PID:5472
- C:\Windows\System32\momyPts.exe
  C:\Windows\System32\momyPts.exe
  2⤵
  PID:5496
- C:\Windows\System32\eHBpBaL.exe
  C:\Windows\System32\eHBpBaL.exe
  2⤵
  PID:5568
- C:\Windows\System32\nRYmTQj.exe
  C:\Windows\System32\nRYmTQj.exe
  2⤵
  PID:5588
- C:\Windows\System32\Xgvllrg.exe
  C:\Windows\System32\Xgvllrg.exe
  2⤵
  PID:5616
- C:\Windows\System32\RtHKlkw.exe
  C:\Windows\System32\RtHKlkw.exe
  2⤵
  PID:5644
- C:\Windows\System32\kAIwkIn.exe
  C:\Windows\System32\kAIwkIn.exe
  2⤵
  PID:5672
- C:\Windows\System32\HGrKtds.exe
  C:\Windows\System32\HGrKtds.exe
  2⤵
  PID:5700
- C:\Windows\System32\mJRsXvq.exe
  C:\Windows\System32\mJRsXvq.exe
  2⤵
  PID:5728
- C:\Windows\System32\KsMpzOI.exe
  C:\Windows\System32\KsMpzOI.exe
  2⤵
  PID:5756
- C:\Windows\System32\EOIEKUz.exe
  C:\Windows\System32\EOIEKUz.exe
  2⤵
  PID:5784
- C:\Windows\System32\ywCafWg.exe
  C:\Windows\System32\ywCafWg.exe
  2⤵
  PID:5812
- C:\Windows\System32\DaqTaCC.exe
  C:\Windows\System32\DaqTaCC.exe
  2⤵
  PID:5840
- C:\Windows\System32\Smeeatc.exe
  C:\Windows\System32\Smeeatc.exe
  2⤵
  PID:5868
- C:\Windows\System32\SNbFcqj.exe
  C:\Windows\System32\SNbFcqj.exe
  2⤵
  PID:5896
- C:\Windows\System32\FtSLiJB.exe
  C:\Windows\System32\FtSLiJB.exe
  2⤵
  PID:5924
- C:\Windows\System32\NIgfWrZ.exe
  C:\Windows\System32\NIgfWrZ.exe
  2⤵
  PID:5952
- C:\Windows\System32\PRZCqIf.exe
  C:\Windows\System32\PRZCqIf.exe
  2⤵
  PID:5980
- C:\Windows\System32\FzMpUVM.exe
  C:\Windows\System32\FzMpUVM.exe
  2⤵
  PID:6012
- C:\Windows\System32\iZsGWwn.exe
  C:\Windows\System32\iZsGWwn.exe
  2⤵
  PID:6032
- C:\Windows\System32\olnQbfg.exe
  C:\Windows\System32\olnQbfg.exe
  2⤵
  PID:6048
- C:\Windows\System32\tXGRCaN.exe
  C:\Windows\System32\tXGRCaN.exe
  2⤵
  PID:6064
- C:\Windows\System32\xXGCXfC.exe
  C:\Windows\System32\xXGCXfC.exe
  2⤵
  PID:6120
- C:\Windows\System32\bmUFltF.exe
  C:\Windows\System32\bmUFltF.exe
  2⤵
  PID:4432
- C:\Windows\System32\srADKcS.exe
  C:\Windows\System32\srADKcS.exe
  2⤵
  PID:4436
- C:\Windows\System32\yJgHDbv.exe
  C:\Windows\System32\yJgHDbv.exe
  2⤵
  PID:5196
- C:\Windows\System32\JlACwOv.exe
  C:\Windows\System32\JlACwOv.exe
  2⤵
  PID:4288
- C:\Windows\System32\UxcXWWb.exe
  C:\Windows\System32\UxcXWWb.exe
  2⤵
  PID:5316
- C:\Windows\System32\caVKFXp.exe
  C:\Windows\System32\caVKFXp.exe
  2⤵
  PID:5368
- C:\Windows\System32\fAQDMSE.exe
  C:\Windows\System32\fAQDMSE.exe
  2⤵
  PID:5424
- C:\Windows\System32\SGpOcFV.exe
  C:\Windows\System32\SGpOcFV.exe
  2⤵
  PID:5468
- C:\Windows\System32\SCMLiaX.exe
  C:\Windows\System32\SCMLiaX.exe
  2⤵
  PID:5484
- C:\Windows\System32\CuqbrTI.exe
  C:\Windows\System32\CuqbrTI.exe
  2⤵
  PID:5544
- C:\Windows\System32\bMCjBfN.exe
  C:\Windows\System32\bMCjBfN.exe
  2⤵
  PID:5604
- C:\Windows\System32\gKVxNGc.exe
  C:\Windows\System32\gKVxNGc.exe
  2⤵
  PID:5656
- C:\Windows\System32\jfDGhbz.exe
  C:\Windows\System32\jfDGhbz.exe
  2⤵
  PID:5856
- C:\Windows\System32\aAqiydL.exe
  C:\Windows\System32\aAqiydL.exe
  2⤵
  PID:6000
- C:\Windows\System32\haITbdD.exe
  C:\Windows\System32\haITbdD.exe
  2⤵
  PID:6044
- C:\Windows\System32\sksSuzX.exe
  C:\Windows\System32\sksSuzX.exe
  2⤵
  PID:6108
- C:\Windows\System32\SkZrhQT.exe
  C:\Windows\System32\SkZrhQT.exe
  2⤵
  PID:4796
- C:\Windows\System32\zJqTHto.exe
  C:\Windows\System32\zJqTHto.exe
  2⤵
  PID:1712
- C:\Windows\System32\eJpcNxm.exe
  C:\Windows\System32\eJpcNxm.exe
  2⤵
  PID:1428
- C:\Windows\System32\MKzhSue.exe
  C:\Windows\System32\MKzhSue.exe
  2⤵
  PID:5384
- C:\Windows\System32\URKHfSK.exe
  C:\Windows\System32\URKHfSK.exe
  2⤵
  PID:624
- C:\Windows\System32\YngDzEp.exe
  C:\Windows\System32\YngDzEp.exe
  2⤵
  PID:5632
- C:\Windows\System32\YgfrJpq.exe
  C:\Windows\System32\YgfrJpq.exe
  2⤵
  PID:5488
- C:\Windows\System32\ojFWcOk.exe
  C:\Windows\System32\ojFWcOk.exe
  2⤵
  PID:4584
- C:\Windows\System32\GgiTxOW.exe
  C:\Windows\System32\GgiTxOW.exe
  2⤵
  PID:5612
- C:\Windows\System32\CNrCFKp.exe
  C:\Windows\System32\CNrCFKp.exe
  2⤵
  PID:4352
- C:\Windows\System32\XUznLQp.exe
  C:\Windows\System32\XUznLQp.exe
  2⤵
  PID:5780
- C:\Windows\System32\TwnFJCu.exe
  C:\Windows\System32\TwnFJCu.exe
  2⤵
  PID:5852
- C:\Windows\System32\pPSSPVw.exe
  C:\Windows\System32\pPSSPVw.exe
  2⤵
  PID:6020
- C:\Windows\System32\vfXrMfZ.exe
  C:\Windows\System32\vfXrMfZ.exe
  2⤵
  PID:6024
- C:\Windows\System32\OtiNJui.exe
  C:\Windows\System32\OtiNJui.exe
  2⤵
  PID:1548
- C:\Windows\System32\qErymHl.exe
  C:\Windows\System32\qErymHl.exe
  2⤵
  PID:6092
- C:\Windows\System32\tUGhFMW.exe
  C:\Windows\System32\tUGhFMW.exe
  2⤵
  PID:5336
- C:\Windows\System32\zZjobeL.exe
  C:\Windows\System32\zZjobeL.exe
  2⤵
  PID:2280
- C:\Windows\System32\ahFGBMY.exe
  C:\Windows\System32\ahFGBMY.exe
  2⤵
  PID:5600
- C:\Windows\System32\fKTfPog.exe
  C:\Windows\System32\fKTfPog.exe
  2⤵
  PID:676
- C:\Windows\System32\CkznOjK.exe
  C:\Windows\System32\CkznOjK.exe
  2⤵
  PID:5260
- C:\Windows\System32\hFAeCKg.exe
  C:\Windows\System32\hFAeCKg.exe
  2⤵
  PID:5696
- C:\Windows\System32\mRoEjfb.exe
  C:\Windows\System32\mRoEjfb.exe
  2⤵
  PID:2456
- C:\Windows\System32\tzkDdfg.exe
  C:\Windows\System32\tzkDdfg.exe
  2⤵
  PID:5716
- C:\Windows\System32\gdrfLGI.exe
  C:\Windows\System32\gdrfLGI.exe
  2⤵
  PID:1836
- C:\Windows\System32\NJwGRea.exe
  C:\Windows\System32\NJwGRea.exe
  2⤵
  PID:6168
- C:\Windows\System32\wSuDskv.exe
  C:\Windows\System32\wSuDskv.exe
  2⤵
  PID:6208
- C:\Windows\System32\Sbehyfm.exe
  C:\Windows\System32\Sbehyfm.exe
  2⤵
  PID:6256
- C:\Windows\System32\HtBXrXN.exe
  C:\Windows\System32\HtBXrXN.exe
  2⤵
  PID:6276
- C:\Windows\System32\leAoTMt.exe
  C:\Windows\System32\leAoTMt.exe
  2⤵
  PID:6296
- C:\Windows\System32\PnGBDXf.exe
  C:\Windows\System32\PnGBDXf.exe
  2⤵
  PID:6316
- C:\Windows\System32\RWMfRhF.exe
  C:\Windows\System32\RWMfRhF.exe
  2⤵
  PID:6372
- C:\Windows\System32\IzEcFGL.exe
  C:\Windows\System32\IzEcFGL.exe
  2⤵
  PID:6424
- C:\Windows\System32\kNWcLIB.exe
  C:\Windows\System32\kNWcLIB.exe
  2⤵
  PID:6444
- C:\Windows\System32\ezQqSaU.exe
  C:\Windows\System32\ezQqSaU.exe
  2⤵
  PID:6460
- C:\Windows\System32\MPIaXYo.exe
  C:\Windows\System32\MPIaXYo.exe
  2⤵
  PID:6512
- C:\Windows\System32\OaBgYdj.exe
  C:\Windows\System32\OaBgYdj.exe
  2⤵
  PID:6532
- C:\Windows\System32\KUdTtQF.exe
  C:\Windows\System32\KUdTtQF.exe
  2⤵
  PID:6548
- C:\Windows\System32\HqAgMph.exe
  C:\Windows\System32\HqAgMph.exe
  2⤵
  PID:6568
- C:\Windows\System32\mFkikVg.exe
  C:\Windows\System32\mFkikVg.exe
  2⤵
  PID:6588
- C:\Windows\System32\KAGYBMt.exe
  C:\Windows\System32\KAGYBMt.exe
  2⤵
  PID:6608
- C:\Windows\System32\KHJAEiZ.exe
  C:\Windows\System32\KHJAEiZ.exe
  2⤵
  PID:6644
- C:\Windows\System32\FvodDlJ.exe
  C:\Windows\System32\FvodDlJ.exe
  2⤵
  PID:6664
- C:\Windows\System32\gVsVRqu.exe
  C:\Windows\System32\gVsVRqu.exe
  2⤵
  PID:6740
- C:\Windows\System32\GqYWyxJ.exe
  C:\Windows\System32\GqYWyxJ.exe
  2⤵
  PID:6776
- C:\Windows\System32\ndkgqSk.exe
  C:\Windows\System32\ndkgqSk.exe
  2⤵
  PID:6796
- C:\Windows\System32\jwBtwjx.exe
  C:\Windows\System32\jwBtwjx.exe
  2⤵
  PID:6816
- C:\Windows\System32\eRRoIzr.exe
  C:\Windows\System32\eRRoIzr.exe
  2⤵
  PID:6832
- C:\Windows\System32\cgznxvH.exe
  C:\Windows\System32\cgznxvH.exe
  2⤵
  PID:6888
- C:\Windows\System32\HQFZurV.exe
  C:\Windows\System32\HQFZurV.exe
  2⤵
  PID:6916
- C:\Windows\System32\RgWCllm.exe
  C:\Windows\System32\RgWCllm.exe
  2⤵
  PID:6936
- C:\Windows\System32\PyWKkBi.exe
  C:\Windows\System32\PyWKkBi.exe
  2⤵
  PID:6972
- C:\Windows\System32\SZbgwdP.exe
  C:\Windows\System32\SZbgwdP.exe
  2⤵
  PID:6988
- C:\Windows\System32\ohElGvW.exe
  C:\Windows\System32\ohElGvW.exe
  2⤵
  PID:7024
- C:\Windows\System32\QaNhhDo.exe
  C:\Windows\System32\QaNhhDo.exe
  2⤵
  PID:7104
- C:\Windows\System32\RCJsEaJ.exe
  C:\Windows\System32\RCJsEaJ.exe
  2⤵
  PID:7120
- C:\Windows\System32\DTDdGlu.exe
  C:\Windows\System32\DTDdGlu.exe
  2⤵
  PID:7136
- C:\Windows\System32\LubguKJ.exe
  C:\Windows\System32\LubguKJ.exe
  2⤵
  PID:4052
- C:\Windows\System32\flXTwlV.exe
  C:\Windows\System32\flXTwlV.exe
  2⤵
  PID:6084
- C:\Windows\System32\tzGzbST.exe
  C:\Windows\System32\tzGzbST.exe
  2⤵
  PID:6160
- C:\Windows\System32\tixqLJn.exe
  C:\Windows\System32\tixqLJn.exe
  2⤵
  PID:6220
- C:\Windows\System32\fVRBwgq.exe
  C:\Windows\System32\fVRBwgq.exe
  2⤵
  PID:6244
- C:\Windows\System32\CggyYpB.exe
  C:\Windows\System32\CggyYpB.exe
  2⤵
  PID:6216
- C:\Windows\System32\XFMUWAb.exe
  C:\Windows\System32\XFMUWAb.exe
  2⤵
  PID:6400
- C:\Windows\System32\heREXEh.exe
  C:\Windows\System32\heREXEh.exe
  2⤵
  PID:6472
- C:\Windows\System32\gwsCqVY.exe
  C:\Windows\System32\gwsCqVY.exe
  2⤵
  PID:6528
- C:\Windows\System32\SpzToGu.exe
  C:\Windows\System32\SpzToGu.exe
  2⤵
  PID:6632
- C:\Windows\System32\blJCLut.exe
  C:\Windows\System32\blJCLut.exe
  2⤵
  PID:6584
- C:\Windows\System32\wEQOALw.exe
  C:\Windows\System32\wEQOALw.exe
  2⤵
  PID:6684
- C:\Windows\System32\gHtNcht.exe
  C:\Windows\System32\gHtNcht.exe
  2⤵
  PID:6752
- C:\Windows\System32\fuxaQoE.exe
  C:\Windows\System32\fuxaQoE.exe
  2⤵
  PID:6852
- C:\Windows\System32\fgpgJuA.exe
  C:\Windows\System32\fgpgJuA.exe
  2⤵
  PID:6856
- C:\Windows\System32\pxQYpVA.exe
  C:\Windows\System32\pxQYpVA.exe
  2⤵
  PID:6944
- C:\Windows\System32\mVmlLed.exe
  C:\Windows\System32\mVmlLed.exe
  2⤵
  PID:6964
- C:\Windows\System32\bFqhbtU.exe
  C:\Windows\System32\bFqhbtU.exe
  2⤵
  PID:7068
- C:\Windows\System32\HDuIkWp.exe
  C:\Windows\System32\HDuIkWp.exe
  2⤵
  PID:7100
- C:\Windows\System32\LiGJieg.exe
  C:\Windows\System32\LiGJieg.exe
  2⤵
  PID:7128
- C:\Windows\System32\kuKHjWl.exe
  C:\Windows\System32\kuKHjWl.exe
  2⤵
  PID:5740
- C:\Windows\System32\siKtksU.exe
  C:\Windows\System32\siKtksU.exe
  2⤵
  PID:6236
- C:\Windows\System32\UNanamM.exe
  C:\Windows\System32\UNanamM.exe
  2⤵
  PID:6368
- C:\Windows\System32\zDcGaMM.exe
  C:\Windows\System32\zDcGaMM.exe
  2⤵
  PID:6476
- C:\Windows\System32\bMDNelX.exe
  C:\Windows\System32\bMDNelX.exe
  2⤵
  PID:6620
- C:\Windows\System32\VZJiEeK.exe
  C:\Windows\System32\VZJiEeK.exe
  2⤵
  PID:6580
- C:\Windows\System32\YuqYTht.exe
  C:\Windows\System32\YuqYTht.exe
  2⤵
  PID:6728
- C:\Windows\System32\oQVKEEx.exe
  C:\Windows\System32\oQVKEEx.exe
  2⤵
  PID:6748
- C:\Windows\System32\KhmSNEp.exe
  C:\Windows\System32\KhmSNEp.exe
  2⤵
  PID:6908
- C:\Windows\System32\AYIIqCs.exe
  C:\Windows\System32\AYIIqCs.exe
  2⤵
  PID:6904
- C:\Windows\System32\XrmytNf.exe
  C:\Windows\System32\XrmytNf.exe
  2⤵
  PID:6652
- C:\Windows\System32\gFshoSy.exe
  C:\Windows\System32\gFshoSy.exe
  2⤵
  PID:6616
- C:\Windows\System32\ehzwJqu.exe
  C:\Windows\System32\ehzwJqu.exe
  2⤵
  PID:6056
- C:\Windows\System32\WlPqSuf.exe
  C:\Windows\System32\WlPqSuf.exe
  2⤵
  PID:7188
- C:\Windows\System32\XGdKWdZ.exe
  C:\Windows\System32\XGdKWdZ.exe
  2⤵
  PID:7208
- C:\Windows\System32\CrfKIhf.exe
  C:\Windows\System32\CrfKIhf.exe
  2⤵
  PID:7224
- C:\Windows\System32\UqhmFvW.exe
  C:\Windows\System32\UqhmFvW.exe
  2⤵
  PID:7252
- C:\Windows\System32\OxsQAkk.exe
  C:\Windows\System32\OxsQAkk.exe
  2⤵
  PID:7272
- C:\Windows\System32\pZRwfOp.exe
  C:\Windows\System32\pZRwfOp.exe
  2⤵
  PID:7304
- C:\Windows\System32\fWzzMZS.exe
  C:\Windows\System32\fWzzMZS.exe
  2⤵
  PID:7364
- C:\Windows\System32\iOoJoki.exe
  C:\Windows\System32\iOoJoki.exe
  2⤵
  PID:7408
- C:\Windows\System32\acspjMv.exe
  C:\Windows\System32\acspjMv.exe
  2⤵
  PID:7424
- C:\Windows\System32\peATHZh.exe
  C:\Windows\System32\peATHZh.exe
  2⤵
  PID:7444
- C:\Windows\System32\nWZoxEd.exe
  C:\Windows\System32\nWZoxEd.exe
  2⤵
  PID:7464
- C:\Windows\System32\GKisAPN.exe
  C:\Windows\System32\GKisAPN.exe
  2⤵
  PID:7500
- C:\Windows\System32\mxpqRrC.exe
  C:\Windows\System32\mxpqRrC.exe
  2⤵
  PID:7544
- C:\Windows\System32\FflkurI.exe
  C:\Windows\System32\FflkurI.exe
  2⤵
  PID:7576
- C:\Windows\System32\AZstofa.exe
  C:\Windows\System32\AZstofa.exe
  2⤵
  PID:7608
- C:\Windows\System32\RfXQvJI.exe
  C:\Windows\System32\RfXQvJI.exe
  2⤵
  PID:7632
- C:\Windows\System32\fnTOyea.exe
  C:\Windows\System32\fnTOyea.exe
  2⤵
  PID:7648
- C:\Windows\System32\tKShahx.exe
  C:\Windows\System32\tKShahx.exe
  2⤵
  PID:7688
- C:\Windows\System32\ZchffWu.exe
  C:\Windows\System32\ZchffWu.exe
  2⤵
  PID:7748
- C:\Windows\System32\nUwEpSS.exe
  C:\Windows\System32\nUwEpSS.exe
  2⤵
  PID:7772
- C:\Windows\System32\zpmNnpK.exe
  C:\Windows\System32\zpmNnpK.exe
  2⤵
  PID:7808
- C:\Windows\System32\uQZTnyo.exe
  C:\Windows\System32\uQZTnyo.exe
  2⤵
  PID:7852
- C:\Windows\System32\WORRgCt.exe
  C:\Windows\System32\WORRgCt.exe
  2⤵
  PID:7872
- C:\Windows\System32\JBmxUGd.exe
  C:\Windows\System32\JBmxUGd.exe
  2⤵
  PID:7892
- C:\Windows\System32\EMJntFw.exe
  C:\Windows\System32\EMJntFw.exe
  2⤵
  PID:7932
- C:\Windows\System32\CGPXsWB.exe
  C:\Windows\System32\CGPXsWB.exe
  2⤵
  PID:7972
- C:\Windows\System32\nWDYPYO.exe
  C:\Windows\System32\nWDYPYO.exe
  2⤵
  PID:7992
- C:\Windows\System32\OWSvnxL.exe
  C:\Windows\System32\OWSvnxL.exe
  2⤵
  PID:8008
- C:\Windows\System32\nPdryZB.exe
  C:\Windows\System32\nPdryZB.exe
  2⤵
  PID:8056
- C:\Windows\System32\DakYRqv.exe
  C:\Windows\System32\DakYRqv.exe
  2⤵
  PID:8076
- C:\Windows\System32\Sjtzaaj.exe
  C:\Windows\System32\Sjtzaaj.exe
  2⤵
  PID:8096
- C:\Windows\System32\QjxzugE.exe
  C:\Windows\System32\QjxzugE.exe
  2⤵
  PID:8116
- C:\Windows\System32\OHjMNXP.exe
  C:\Windows\System32\OHjMNXP.exe
  2⤵
  PID:8176
- C:\Windows\System32\vMNFOen.exe
  C:\Windows\System32\vMNFOen.exe
  2⤵
  PID:7016
- C:\Windows\System32\GKrcXyF.exe
  C:\Windows\System32\GKrcXyF.exe
  2⤵
  PID:7200
- C:\Windows\System32\RxLkRPK.exe
  C:\Windows\System32\RxLkRPK.exe
  2⤵
  PID:7280
- C:\Windows\System32\sZEtFKz.exe
  C:\Windows\System32\sZEtFKz.exe
  2⤵
  PID:7376
- C:\Windows\System32\BOxkPAZ.exe
  C:\Windows\System32\BOxkPAZ.exe
  2⤵
  PID:7416
- C:\Windows\System32\czrQsJJ.exe
  C:\Windows\System32\czrQsJJ.exe
  2⤵
  PID:7488
- C:\Windows\System32\soWeeVG.exe
  C:\Windows\System32\soWeeVG.exe
  2⤵
  PID:7480
- C:\Windows\System32\yrtHKyE.exe
  C:\Windows\System32\yrtHKyE.exe
  2⤵
  PID:7516
- C:\Windows\System32\bMNQMQx.exe
  C:\Windows\System32\bMNQMQx.exe
  2⤵
  PID:7592
- C:\Windows\System32\tUWcbIJ.exe
  C:\Windows\System32\tUWcbIJ.exe
  2⤵
  PID:7660
- C:\Windows\System32\xulYwCC.exe
  C:\Windows\System32\xulYwCC.exe
  2⤵
  PID:7784
- C:\Windows\System32\ujdiXMF.exe
  C:\Windows\System32\ujdiXMF.exe
  2⤵
  PID:7824
- C:\Windows\System32\rqBPQqX.exe
  C:\Windows\System32\rqBPQqX.exe
  2⤵
  PID:7912
- C:\Windows\System32\uqjuLtP.exe
  C:\Windows\System32\uqjuLtP.exe
  2⤵
  PID:7956
- C:\Windows\System32\BpKZnCn.exe
  C:\Windows\System32\BpKZnCn.exe
  2⤵
  PID:8040
- C:\Windows\System32\aXLpEBS.exe
  C:\Windows\System32\aXLpEBS.exe
  2⤵
  PID:8068
- C:\Windows\System32\xCwSeTD.exe
  C:\Windows\System32\xCwSeTD.exe
  2⤵
  PID:8184
- C:\Windows\System32\gXsxWyK.exe
  C:\Windows\System32\gXsxWyK.exe
  2⤵
  PID:7248
- C:\Windows\System32\fBrjhLh.exe
  C:\Windows\System32\fBrjhLh.exe
  2⤵
  PID:7240
- C:\Windows\System32\KpZFlTX.exe
  C:\Windows\System32\KpZFlTX.exe
  2⤵
  PID:7096
- C:\Windows\System32\WiflYVO.exe
  C:\Windows\System32\WiflYVO.exe
  2⤵
  PID:7508
- C:\Windows\System32\yniqbpa.exe
  C:\Windows\System32\yniqbpa.exe
  2⤵
  PID:7696
- C:\Windows\System32\fstQbTp.exe
  C:\Windows\System32\fstQbTp.exe
  2⤵
  PID:7556
- C:\Windows\System32\oJeANAX.exe
  C:\Windows\System32\oJeANAX.exe
  2⤵
  PID:7840
- C:\Windows\System32\OixsKyz.exe
  C:\Windows\System32\OixsKyz.exe
  2⤵
  PID:7764
- C:\Windows\System32\dFbDYML.exe
  C:\Windows\System32\dFbDYML.exe
  2⤵
  PID:8164
- C:\Windows\System32\VATHncH.exe
  C:\Windows\System32\VATHncH.exe
  2⤵
  PID:7436
- C:\Windows\System32\zrTclXZ.exe
  C:\Windows\System32\zrTclXZ.exe
  2⤵
  PID:7312
- C:\Windows\System32\FwwzPzF.exe
  C:\Windows\System32\FwwzPzF.exe
  2⤵
  PID:8124
- C:\Windows\System32\CdbfXzx.exe
  C:\Windows\System32\CdbfXzx.exe
  2⤵
  PID:332
- C:\Windows\System32\TTnEOqd.exe
  C:\Windows\System32\TTnEOqd.exe
  2⤵
  PID:8224
- C:\Windows\System32\LmUXqzn.exe
  C:\Windows\System32\LmUXqzn.exe
  2⤵
  PID:8244
- C:\Windows\System32\rhIOiYp.exe
  C:\Windows\System32\rhIOiYp.exe
  2⤵
  PID:8264
- C:\Windows\System32\KdBMCFf.exe
  C:\Windows\System32\KdBMCFf.exe
  2⤵
  PID:8304
- C:\Windows\System32\yxYdKrQ.exe
  C:\Windows\System32\yxYdKrQ.exe
  2⤵
  PID:8340
- C:\Windows\System32\QxUIhqc.exe
  C:\Windows\System32\QxUIhqc.exe
  2⤵
  PID:8356
- C:\Windows\System32\NFSHQlp.exe
  C:\Windows\System32\NFSHQlp.exe
  2⤵
  PID:8384
- C:\Windows\System32\sppRjdi.exe
  C:\Windows\System32\sppRjdi.exe
  2⤵
  PID:8424
- C:\Windows\System32\YYztnra.exe
  C:\Windows\System32\YYztnra.exe
  2⤵
  PID:8444
- C:\Windows\System32\ampnNOd.exe
  C:\Windows\System32\ampnNOd.exe
  2⤵
  PID:8496
- C:\Windows\System32\kVtlMoz.exe
  C:\Windows\System32\kVtlMoz.exe
  2⤵
  PID:8516
- C:\Windows\System32\PSeelqm.exe
  C:\Windows\System32\PSeelqm.exe
  2⤵
  PID:8532
- C:\Windows\System32\lytJuji.exe
  C:\Windows\System32\lytJuji.exe
  2⤵
  PID:8552
- C:\Windows\System32\rDMEJOB.exe
  C:\Windows\System32\rDMEJOB.exe
  2⤵
  PID:8572
- C:\Windows\System32\IdvtSYq.exe
  C:\Windows\System32\IdvtSYq.exe
  2⤵
  PID:8588
- C:\Windows\System32\EJBGnjT.exe
  C:\Windows\System32\EJBGnjT.exe
  2⤵
  PID:8636
- C:\Windows\System32\VosFkCC.exe
  C:\Windows\System32\VosFkCC.exe
  2⤵
  PID:8652
- C:\Windows\System32\knMWOSZ.exe
  C:\Windows\System32\knMWOSZ.exe
  2⤵
  PID:8708
- C:\Windows\System32\vWzCiAQ.exe
  C:\Windows\System32\vWzCiAQ.exe
  2⤵
  PID:8788
- C:\Windows\System32\YrmjKum.exe
  C:\Windows\System32\YrmjKum.exe
  2⤵
  PID:8824
- C:\Windows\System32\Aavfnzs.exe
  C:\Windows\System32\Aavfnzs.exe
  2⤵
  PID:8844
- C:\Windows\System32\VcyJUAv.exe
  C:\Windows\System32\VcyJUAv.exe
  2⤵
  PID:8860
- C:\Windows\System32\iMCVAlT.exe
  C:\Windows\System32\iMCVAlT.exe
  2⤵
  PID:8880
- C:\Windows\System32\mamMHOA.exe
  C:\Windows\System32\mamMHOA.exe
  2⤵
  PID:8956
- C:\Windows\System32\KYsbncZ.exe
  C:\Windows\System32\KYsbncZ.exe
  2⤵
  PID:8992
- C:\Windows\System32\SloSzos.exe
  C:\Windows\System32\SloSzos.exe
  2⤵
  PID:9012
- C:\Windows\System32\AmDYXYB.exe
  C:\Windows\System32\AmDYXYB.exe
  2⤵
  PID:9032
- C:\Windows\System32\MXgCsyf.exe
  C:\Windows\System32\MXgCsyf.exe
  2⤵
  PID:9100
- C:\Windows\System32\iGSGfbp.exe
  C:\Windows\System32\iGSGfbp.exe
  2⤵
  PID:9116
- C:\Windows\System32\vzblGce.exe
  C:\Windows\System32\vzblGce.exe
  2⤵
  PID:9136
- C:\Windows\System32\doVyIQU.exe
  C:\Windows\System32\doVyIQU.exe
  2⤵
  PID:9176
- C:\Windows\System32\yuuherk.exe
  C:\Windows\System32\yuuherk.exe
  2⤵
  PID:9196
- C:\Windows\System32\MKfsAFD.exe
  C:\Windows\System32\MKfsAFD.exe
  2⤵
  PID:9212
- C:\Windows\System32\ZmVIAvo.exe
  C:\Windows\System32\ZmVIAvo.exe
  2⤵
  PID:8200
- C:\Windows\System32\DgWIsYk.exe
  C:\Windows\System32\DgWIsYk.exe
  2⤵
  PID:8220
- C:\Windows\System32\cMGJRrP.exe
  C:\Windows\System32\cMGJRrP.exe
  2⤵
  PID:8236
- C:\Windows\System32\RcPeeXG.exe
  C:\Windows\System32\RcPeeXG.exe
  2⤵
  PID:8376
- C:\Windows\System32\clNYudj.exe
  C:\Windows\System32\clNYudj.exe
  2⤵
  PID:8372
- C:\Windows\System32\eVriCax.exe
  C:\Windows\System32\eVriCax.exe
  2⤵
  PID:8548
- C:\Windows\System32\ektdtDl.exe
  C:\Windows\System32\ektdtDl.exe
  2⤵
  PID:8564
- C:\Windows\System32\DYJlDsg.exe
  C:\Windows\System32\DYJlDsg.exe
  2⤵
  PID:8544
- C:\Windows\System32\FhZltJh.exe
  C:\Windows\System32\FhZltJh.exe
  2⤵
  PID:8680
- C:\Windows\System32\RrYuUoh.exe
  C:\Windows\System32\RrYuUoh.exe
  2⤵
  PID:8768
- C:\Windows\System32\kpdfXDx.exe
  C:\Windows\System32\kpdfXDx.exe
  2⤵
  PID:8852
- C:\Windows\System32\spszRFP.exe
  C:\Windows\System32\spszRFP.exe
  2⤵
  PID:8820
- C:\Windows\System32\gDkOVNY.exe
  C:\Windows\System32\gDkOVNY.exe
  2⤵
  PID:4512
- C:\Windows\System32\uxNpYQp.exe
  C:\Windows\System32\uxNpYQp.exe
  2⤵
  PID:9008
- C:\Windows\System32\xOeDCKy.exe
  C:\Windows\System32\xOeDCKy.exe
  2⤵
  PID:9024
- C:\Windows\System32\QHKsVZM.exe
  C:\Windows\System32\QHKsVZM.exe
  2⤵
  PID:9064
- C:\Windows\System32\NfjovUr.exe
  C:\Windows\System32\NfjovUr.exe
  2⤵
  PID:4420
- C:\Windows\System32\wUUNolL.exe
  C:\Windows\System32\wUUNolL.exe
  2⤵
  PID:9188
- C:\Windows\System32\NcFIgpz.exe
  C:\Windows\System32\NcFIgpz.exe
  2⤵
  PID:8312
- C:\Windows\System32\HTjajJt.exe
  C:\Windows\System32\HTjajJt.exe
  2⤵
  PID:8456
- C:\Windows\System32\fgmpnWy.exe
  C:\Windows\System32\fgmpnWy.exe
  2⤵
  PID:7924
- C:\Windows\System32\kVQCjeu.exe
  C:\Windows\System32\kVQCjeu.exe
  2⤵
  PID:8684
- C:\Windows\System32\HBSzsgF.exe
  C:\Windows\System32\HBSzsgF.exe
  2⤵
  PID:8856
- C:\Windows\System32\jlfJVJe.exe
  C:\Windows\System32\jlfJVJe.exe
  2⤵
  PID:8924
- C:\Windows\System32\mnDMfZv.exe
  C:\Windows\System32\mnDMfZv.exe
  2⤵
  PID:8872
- C:\Windows\System32\fBSlZEJ.exe
  C:\Windows\System32\fBSlZEJ.exe
  2⤵
  PID:8984
- C:\Windows\System32\qEzSOMk.exe
  C:\Windows\System32\qEzSOMk.exe
  2⤵
  PID:9048
- C:\Windows\System32\eWqphtp.exe
  C:\Windows\System32\eWqphtp.exe
  2⤵
  PID:9124
- C:\Windows\System32\MdgUnZK.exe
  C:\Windows\System32\MdgUnZK.exe
  2⤵
  PID:3920
- C:\Windows\System32\nSXibXF.exe
  C:\Windows\System32\nSXibXF.exe
  2⤵
  PID:8240
- C:\Windows\System32\FUpCzSR.exe
  C:\Windows\System32\FUpCzSR.exe
  2⤵
  PID:8556
- C:\Windows\System32\bOPKVlW.exe
  C:\Windows\System32\bOPKVlW.exe
  2⤵
  PID:8832
- C:\Windows\System32\QzyuLfl.exe
  C:\Windows\System32\QzyuLfl.exe
  2⤵
  PID:2040
- C:\Windows\System32\jCtPehS.exe
  C:\Windows\System32\jCtPehS.exe
  2⤵
  PID:5064
- C:\Windows\System32\QRwrOZh.exe
  C:\Windows\System32\QRwrOZh.exe
  2⤵
  PID:5032
- C:\Windows\System32\pQRAXMr.exe
  C:\Windows\System32\pQRAXMr.exe
  2⤵
  PID:4464
- C:\Windows\System32\WBjfphy.exe
  C:\Windows\System32\WBjfphy.exe
  2⤵
  PID:8980
- C:\Windows\System32\USkNVkz.exe
  C:\Windows\System32\USkNVkz.exe
  2⤵
  PID:1012
- C:\Windows\System32\WzOguJu.exe
  C:\Windows\System32\WzOguJu.exe
  2⤵
  PID:4428
- C:\Windows\System32\VcyDnWg.exe
  C:\Windows\System32\VcyDnWg.exe
  2⤵
  PID:3176
- C:\Windows\System32\Npjudjx.exe
  C:\Windows\System32\Npjudjx.exe
  2⤵
  PID:9264
- C:\Windows\System32\JamDYLu.exe
  C:\Windows\System32\JamDYLu.exe
  2⤵
  PID:9284
- C:\Windows\System32\CMHPCfh.exe
  C:\Windows\System32\CMHPCfh.exe
  2⤵
  PID:9328
- C:\Windows\System32\EuHuYBI.exe
  C:\Windows\System32\EuHuYBI.exe
  2⤵
  PID:9360
- C:\Windows\System32\lpjqFqn.exe
  C:\Windows\System32\lpjqFqn.exe
  2⤵
  PID:9376
- C:\Windows\System32\LBKIzcD.exe
  C:\Windows\System32\LBKIzcD.exe
  2⤵
  PID:9404
- C:\Windows\System32\ylFQxJo.exe
  C:\Windows\System32\ylFQxJo.exe
  2⤵
  PID:9436
- C:\Windows\System32\gurxSzW.exe
  C:\Windows\System32\gurxSzW.exe
  2⤵
  PID:9472
- C:\Windows\System32\ZpJfIpb.exe
  C:\Windows\System32\ZpJfIpb.exe
  2⤵
  PID:9492
- C:\Windows\System32\HyvLVRs.exe
  C:\Windows\System32\HyvLVRs.exe
  2⤵
  PID:9512
- C:\Windows\System32\XrRBTUc.exe
  C:\Windows\System32\XrRBTUc.exe
  2⤵
  PID:9528
- C:\Windows\System32\kwYLptD.exe
  C:\Windows\System32\kwYLptD.exe
  2⤵
  PID:9548
- C:\Windows\System32\wHpZCBQ.exe
  C:\Windows\System32\wHpZCBQ.exe
  2⤵
  PID:9568
- C:\Windows\System32\tGHxuaA.exe
  C:\Windows\System32\tGHxuaA.exe
  2⤵
  PID:9588
- C:\Windows\System32\sGdySbv.exe
  C:\Windows\System32\sGdySbv.exe
  2⤵
  PID:9648
- C:\Windows\System32\YbeTMBz.exe
  C:\Windows\System32\YbeTMBz.exe
  2⤵
  PID:9664
- C:\Windows\System32\ILEXKzz.exe
  C:\Windows\System32\ILEXKzz.exe
  2⤵
  PID:9688
- C:\Windows\System32\zcJFWva.exe
  C:\Windows\System32\zcJFWva.exe
  2⤵
  PID:9796
- C:\Windows\System32\pWGequb.exe
  C:\Windows\System32\pWGequb.exe
  2⤵
  PID:9836
- C:\Windows\System32\nSZOTnY.exe
  C:\Windows\System32\nSZOTnY.exe
  2⤵
  PID:9852
- C:\Windows\System32\cXgTyko.exe
  C:\Windows\System32\cXgTyko.exe
  2⤵
  PID:9868
- C:\Windows\System32\jveepKs.exe
  C:\Windows\System32\jveepKs.exe
  2⤵
  PID:9888
- C:\Windows\System32\ZdlIdKy.exe
  C:\Windows\System32\ZdlIdKy.exe
  2⤵
  PID:9936
- C:\Windows\System32\MhVwglH.exe
  C:\Windows\System32\MhVwglH.exe
  2⤵
  PID:9972
- C:\Windows\System32\AuPqQPn.exe
  C:\Windows\System32\AuPqQPn.exe
  2⤵
  PID:10008
- C:\Windows\System32\oDzaZjd.exe
  C:\Windows\System32\oDzaZjd.exe
  2⤵
  PID:10044
- C:\Windows\System32\sChXAiz.exe
  C:\Windows\System32\sChXAiz.exe
  2⤵
  PID:10064
- C:\Windows\System32\fWypzBj.exe
  C:\Windows\System32\fWypzBj.exe
  2⤵
  PID:10088

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9344

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:10540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ApGErJd.exe

Filesize
1.9MB

MD5
ef401e6c8004199497e089e8c9b227ce

SHA1
3a3193710a446bda9454a825f699875ceb3944a3

SHA256
17e0b48fab6cfa3e72bbfd2709e15fbcaa3f24adf6bf06ad3ae7ba37fe65913c

SHA512
13c20447ac185e922e436d8e77f9fda9eb5a69fb5c7a5992822f7ef8a402e42b396e63993117e285f24e34e68555ed0b4db691df7e71d1cbb73a753636d16c32

Download Submit
C:\Windows\System32\AuJRHKj.exe

Filesize
1.9MB

MD5
972e2741ce2b46a33e9e017c1f4e0a47

SHA1
ad53fc1dfa5df2388e86f923ba35dfde46575ccd

SHA256
54ad05a40766179b6f7035d07f17dd57eb98cba4325137e9e71b2b9527445b4f

SHA512
d0f8e5e1ab41414d1665a5426fe5c90fa4bf14b43b36c20543044744f2c0501c47b992cdc8151d69c245592510f79518e053a88a7ca5253f1f8f207b7a299b95

Download Submit
C:\Windows\System32\BdcdEXL.exe

Filesize
1.9MB

MD5
9fbdd2ca16e038011011a17a17418467

SHA1
fe4f9f3906b2dec3661504e1487e4381cc890063

SHA256
b6f9f50054a10b2e07f58a30380f566511fb5a0a3f89848d9b230838fd90b584

SHA512
e9ba45f628500ecc9672d01301e58582557de87316e8dc301ef7be50b8e38a7f02e08eee09f46cb354e3927b956aa19d78d323537ba6d4ac3b76540585abfee9

Download Submit
C:\Windows\System32\CWIMDKd.exe

Filesize
1.9MB

MD5
b15db7d8e43f8ffc296c1ce182f4c868

SHA1
3c64853d375c57c367230a7e215414e7eda2d87a

SHA256
106c73f2de46980baf1dcd5a056dabf8dd6441631689409d7dab8488e2f62613

SHA512
7cbb1ea8624d075614579f722316b457bc7c335e89eb66a6093ec638969cd949141ca2ed3ad166a003a9df3a19c5a677b03151caab88c73dcf3291b9c994b801

Download Submit
C:\Windows\System32\CWYXTuU.exe

Filesize
1.9MB

MD5
988ab1f3565cdf68b7456963132cb57d

SHA1
e80a48a79d0be65037d57ceeaade0ad427b5487f

SHA256
1cab0ba76978b231ab04c8cd44bdafdf2392b817a9e2b022db6f5d36af285c1c

SHA512
78e4422c5bc16e5bd47dc5d4681fb7f6c276be312bc108c439325e541362da1a042d52f139dab48a7131c13c28b0dd09621319d1bac042e4aa2ac432a53f4aeb

Download Submit
C:\Windows\System32\ChaPcBX.exe

Filesize
1.9MB

MD5
6d0b5565d8ea0080ab483b190b96e7d0

SHA1
909c1032edafa479833ef7182e43c85f96551a60

SHA256
7b3b0f79886bfc17946d7b565aa4f6cec9b1a644ef60b438d221ccb8fb6e1418

SHA512
d116aaabe22745c6be18340f7eedc4882242a9e055c07b60564b7acde2180cdf71a2a769683c0ef8c2db843d5f63208a7d09a70783012792af1684ae3aeea092

Download Submit
C:\Windows\System32\ENHIVOm.exe

Filesize
1.9MB

MD5
736ee3600d5412af14550a15d05212ee

SHA1
3c9c112cdbca982ce0c871cd93146927f46d7ee2

SHA256
6be36b134df6f53281c87244aa5fd0197aa8b00d3b802f3b9285a2ca36ab78a3

SHA512
d8da45c591ee7f5a213e5d7f0175ae14800950c5de62a2c971a6bbc50492653b8f7e1de21f5e63f29118b9622a0e456d38163f1a92363797398f1a9c36fc04d5

Download Submit
C:\Windows\System32\GeHuOoD.exe

Filesize
1.9MB

MD5
551a6574e44a504701ef1a5eefd46eff

SHA1
904c6141507b00cc97fd202f08c1f0e35b7d1b5f

SHA256
e105af97fd00398b6941657b61a1d2a568c0b53c8b6a61718a514b2906363a86

SHA512
cf6fd6c542a59eaf68ac5579510718146f7c632300338a0c8b137e83b545edd1bf27cea67c4088460670b92b658eac01608e122728263af237df5d98a4a42a72

Download Submit
C:\Windows\System32\IaNEPhv.exe

Filesize
1.9MB

MD5
90b0c9255fb368f3da12511c8c1c4fd8

SHA1
0d0d73b2db658bdfb6d2e7f849d0b3cb8a42ecd8

SHA256
1e924654a9981186839b728b3f77ad39e16486d844fde13e99379ef669442733

SHA512
d4230485f9521c8357ee0db8bc160c6aef2ddbe8edb899c1434e95b334429360591543f18b4e4d5bbeb92e9e940ec0493927e528004e62360c0265239f7c9753

Download Submit
C:\Windows\System32\MXHKJhD.exe

Filesize
1.9MB

MD5
d7eeb12d78c017e699ef61b211a87e1a

SHA1
7d2b26fe8814f7272c772f3d0362d7db756e42c4

SHA256
aac138e8b12f86bc57ca5b98634610ab5bc4b25a4d50d5294845f22f68bc568c

SHA512
9b918e93b9fe07fdecc3e880e959b2dc7325c0a2546d37f651812a2156e3a8f19e1eb5238f43c64316e04a593017a2352b88543da7dfbcfc3b26206420ebb78d

Download Submit
C:\Windows\System32\RBSZPnM.exe

Filesize
1.9MB

MD5
8795dee15a4da4cf2e51c1222262810e

SHA1
67d1dbe533000166e26d9207a22831d6f351778f

SHA256
f6fe69b2f0e9931aeae28767e6d8092983754f337e91aba26847c0b0009ed08f

SHA512
b1b54a461d4f6f8c7a20b62f4fbf7e9dcbee696923fdc8046f50a46d99068fd2bcaa247506cfdfbca12d402a0330c7da74a65d4ad4586cb11ef5f36b6843b1d5

Download Submit
C:\Windows\System32\SHUzSNw.exe

Filesize
1.9MB

MD5
82be91feca5e7e48898e03e58790b3af

SHA1
87ee0a8ff00db3e491a12749893718648b9781c9

SHA256
e1fbdfa6f6e085d09b843ad7d31090db70cd16abf76d577226c950880312839b

SHA512
0a514a9dd207c760bee5a1eda3340790de12a9b69401902b562c313e89da959ef0f1f5ff261886df2f10ac5474f1cfa487e3de4b0bcbf88d81f277d4ef34e912

Download Submit
C:\Windows\System32\TtMhOof.exe

Filesize
1.9MB

MD5
ef4c0cbe0470f193fbc361d3adb413e7

SHA1
04971b5032744bfa8b0b8e238abffd9e3aadff34

SHA256
186edf9374a778cd83e4f3c8d6d5ac537827c04f3e8e4e89ddc4e40b21b36d87

SHA512
dfc50693c4cb964e783c77d8bb957ec6c7f328d2f656c815d3db9146dcf518ba5336680b2e899f821d03d12ed8a305dbf720d570d707bbb25ee2a68c1f71ac40

Download Submit
C:\Windows\System32\UyOFHHB.exe

Filesize
1.9MB

MD5
bc3e428d9d6df29faecf439c89a272da

SHA1
04d077ebda59eb721cf82c071b7bd47c6227f92e

SHA256
6be6c8c6b45cb2264794666928b3622c5dcfec361ca1f87a53e7e8a8520801bb

SHA512
f826b57c7fe3d9afc3114a4611c5f2620c986f6f6369ce84d829db58a34964cf5a302875c3eb2a23c1870ea024a71fca0a5efdba2af051d59d64b7a648a46ed6

Download Submit
C:\Windows\System32\WuvTJkm.exe

Filesize
1.9MB

MD5
62050656efda300fc2da87a4769992f2

SHA1
fdbc3ec1f381d3749c4ce4075928e5312cb88255

SHA256
a3733da20f5eefeee32bb815e3320e5b254cecdd5af4c2478a1adea4ee7bf22b

SHA512
70522e85975776664b1bfd0d4316f653c5712e02a28b02bdd6f3cc48aedfc30cbaaa8fd6441c60cfc81a801d226f248534869e6561d0d052c2328a003cd9dcc0

Download Submit
C:\Windows\System32\XZNYJpz.exe

Filesize
1.9MB

MD5
37884d7040010eac3b076b2dc65c7c37

SHA1
3112a423d7b66df194e8c296bee188508f7c04cc

SHA256
4baa556b9cdec63784d471321d9407db4586b5ce1bce47e92fcc8990ca6f6be0

SHA512
2ce892c178a4c4903255ec0b1752757564c398580d601f3116072be55d5598e7a25aa61866c46a706721ebe40769eff40fde79c34e7815f88e33133699764165

Download Submit
C:\Windows\System32\XieJnEr.exe

Filesize
1.9MB

MD5
1f35202c3c24241f412824c366fd90f7

SHA1
4b0e385344bb88cc3baa4721c58ccc0381b93696

SHA256
4d7264d0e82a7bf81f7c4aac1fc79dac22cd59ff94f452b6ac163f3cfea35461

SHA512
7fbd2374a3079eecf030eb736faefecf93554545c9b877fa69267c31d06b84c876058b0df05d48398f9db45c11d9b77b54f471bb15da048ae65b0eaa5d005ad0

Download Submit
C:\Windows\System32\cbDxQcw.exe

Filesize
1.9MB

MD5
9426253b64d1f52d7a8f83b7b0b7c9d6

SHA1
905c2118d569ea87f53a51be7a3f4d29d2d3f396

SHA256
e450e21f1a4d1a0ff4ce2f6a6f59ebdf86ee9151e0b7be65bbfb94dff7e8c40d

SHA512
00ce259d1fc3f3a6d8b32750895f83effba603b3c3f3261aa226d8ae1e146d067ae9922b19ac12eeb30c20c131465f72e242679ef004de3c24174af3c60dfd98

Download Submit
C:\Windows\System32\dmMndym.exe

Filesize
1.9MB

MD5
ecfa3b9c303e954e7fc1c656a0202112

SHA1
e35675228f1ad5299979b50ba18b976b59cf711b

SHA256
5aa4e7931450825b92f723f3405c4ae488597fb1413865ab407b534da92f9372

SHA512
5e1dee9473da9e2f6b2afea1d62d8ea7670ae25901992f230fd71325650944824dc9676e98af2e7ca56ea507a721f6195e6d945b287b382433bf57d3f50f6cb1

Download Submit
C:\Windows\System32\eyjFzUk.exe

Filesize
1.9MB

MD5
47fbf9e4a15818862817f6ed62eff37e

SHA1
d3b135075935ca11754bf53acea9c91d803d9fc4

SHA256
e7a35d0a48b595b2d9f97471f31e628bb42fdea73b66c61f98ba9fe4d1370e4e

SHA512
9ca6331ddd95a8dbf4950dd00a607e7dba12fd0d98c53df520937a64aeb15da7a441eb421b1a4ef196037cd7d1f89a4e0d2ae69605f0ddc974e8d05d51391653

Download Submit
C:\Windows\System32\hheghAZ.exe

Filesize
1.9MB

MD5
7b4ee6983b68f6042e90b4f9bffe3e7b

SHA1
d0387706bf7cd0f3dfd79643ee555c9519cf8623

SHA256
dd28b2de23676b0784afadf94f2afde5e157964a63c1dcc496d719ae80a31f88

SHA512
84077f9aca2dbe76097f87f1050d7e332f5b63e6da7272ff4e95e6c1d096c1269fc602f674e5898ab2dab7f4ac48bbeca85c8954636c06b0debcf9cc17a186aa

Download Submit
C:\Windows\System32\hhxeGGO.exe

Filesize
1.9MB

MD5
1422c277393e456dfc8e0835b65e9052

SHA1
da5b49af4d9b4a9a5bbf260ed04fd71d3d4b02db

SHA256
326ce9fcf263ca34bc106e98f4d9c8a4ee00da2d0457ddde72902f949a056492

SHA512
0cdef8ecb6e12614fc44dc483acdd03d6e16937888e447fb8519175607bb8107c039f7be5be8b35b8c4741ea5679e819a41c9c90a5d5b7c8e8c6f4a651113e9e

Download Submit
C:\Windows\System32\hwePTUE.exe

Filesize
1.9MB

MD5
c296d3fe3859cede414d12513656d66a

SHA1
04f9671148b159cb4c5cda1e3ede07fc7bda239f

SHA256
18ae4d0e2b6dba852d7273600ff5c48fd016367bdabdc1d38467e87379609bd4

SHA512
eb4c706c94f8a359776ba1980f6d84af6f7a291c785bedc1618f804d46e6dc541e416df187a75885b23d3bc9ac731c6b53b55bebaf081b03021059fb855b7c86

Download Submit
C:\Windows\System32\jzTkLLI.exe

Filesize
1.9MB

MD5
6bc6292304f24c83b1e014c8120958f6

SHA1
b7278ff4d93c7e31c891f5b71b845d5d3ab5d951

SHA256
955e63cffca55c2002ee8312d2512d6e10f972f5eff3433bae2e1a6b75ddee88

SHA512
66c5af749f5fc023743a1543b2d4d4f5583a988b2080aa36f0a662797c6fa4bbc518041bec023e26bbac8e73927bb497cd02e064f14e270fa070d20d4706ae51

Download Submit
C:\Windows\System32\jzYnZiv.exe

Filesize
1.9MB

MD5
4f71b17e50426b644da5d41471b5e521

SHA1
b7761335ea893a387e72503dd17fe63a5394562c

SHA256
b6101e36728c905452cbebf84a0b1a0df3d8791045a6f865cbc84e20bd8a98d0

SHA512
17144e43b6200f93dec82798eba2870780af77d2dd3faa70b0e9b41254f2954d4963cdb05962973939fe4ab3766beeadf9f12ceb18839732a9d5428f60cdbb61

Download Submit
C:\Windows\System32\kXfkcuF.exe

Filesize
1.9MB

MD5
aed0f8326377a31fc1023a54847777e3

SHA1
8e969558959b1a2bf027db1bcade63d9da856265

SHA256
053131a8fce2498f9cd3a13f0bef7b91552cb2611823e4cdd2475088ffcf3b4b

SHA512
9d522bad7faa80f84e017f04c7c175c0d5be0499ecbfed694b70c29498f87fdd5c20e6016554f773db255543a6982e6d043a501d59e574b69b24fdbc77fd446b

Download Submit
C:\Windows\System32\mSStsbC.exe

Filesize
1.9MB

MD5
a79909119379cfd45ee6f9a4cf185133

SHA1
8589703ddeca0fff9bcf537e138d60e7de27d197

SHA256
e8e9b0973213423116e7f0f2156b34df39d356519dd25ca50782c3976c1c19fb

SHA512
ae58cc01b76f49409b8424021c94d147ee7493d385783389aeaee3acf60c87ce54e2f7a9a3079300c297a0f22d0353dde5dd15277e04b9b679a620f65904976c

Download Submit
C:\Windows\System32\mVKFBOU.exe

Filesize
1.9MB

MD5
53e200fc07d95c0f81830063bc631df1

SHA1
3f71355ebbd92b4d703b63162836746c9208ed13

SHA256
1a8bc87d6cc350683e7883febb5ea9da94ed1722c20aebe2db37296781c99959

SHA512
6b470a83275ffe0752bf79a11c8f37c5e9f72de8a7b3e754e9113d009b6e3ff8765e49f8d76f691ab7c7250f062c7bf1e4e5883a2de6ae9e34bede17f042b1f0

Download Submit
C:\Windows\System32\mxfHaRC.exe

Filesize
1.9MB

MD5
61637c08a60279bf20690185876e48f1

SHA1
e32b7dfc1ac335799e9120139e999fd2c365422d

SHA256
72fa884ea9621f3d53210b19b9f64923483e1757b8473d4119d7af2430ac4847

SHA512
43858d0f6fd72646e862dc7b2100c0e7b3476ea5d476998cd9be5b5e1ad66261ed9e38249ef5c47f93dd9853a5543de76bef98a6af9b82bc23ddb32a4dc79b7a

Download Submit
C:\Windows\System32\oVhqjvX.exe

Filesize
1.9MB

MD5
ec2007d3089d4db6b1c962dd550b8476

SHA1
a3a7350f8e903e73b685c1ec850a2cfbcae15509

SHA256
837a7fabf3f626745ddfc99dd459006730c5abb4391ced78e53cd4a47e6568b9

SHA512
9dfacec1bc234db48f19cb792df1334f61fbbfd8e0c41dfdcc45e03d5aca10dadd5719a2081619d493eb0adc5a4c712120ee29ffdd9609fdfaab63f221634d81

Download Submit
C:\Windows\System32\pNRHGVl.exe

Filesize
1.9MB

MD5
18e24135fdc81e45f60862898d6fd226

SHA1
31ec4ec23dbac08f55b301f42857b4d957dc96f1

SHA256
34d841d824174e201c6cc3a23c15d2f35f83708b82da56357f8d8bf3ebd28163

SHA512
d587ac93d69903f49aa88ca76afb61f15d16e59831590d9bcfc71152e59dae57781763667a9f2a7db821d00e0e100494ca3b4feef2cb157d4b1e3deae94dbea0

Download Submit
C:\Windows\System32\rBwZFHY.exe

Filesize
1.9MB

MD5
06c47e4b9f7550d4c935467e76565613

SHA1
f9c206b36e7e9d570f0768d3e10f4de4497dee9f

SHA256
114b82af5eb67a2797f5ee23b6b8b9223a66977fc80313147850e8778f6015dd

SHA512
192c666cca19e69fb08151deae72d834e53348724ccc717affc6acba5cb0a7921af0a0e2d37fdd5d3968ef8fdabd5a888e516dcda1d234ebd25caa11529a17d6

Download Submit
C:\Windows\System32\ufZsiaj.exe

Filesize
1.9MB

MD5
e4bcdec39547c98c4e9db23cb6533579

SHA1
c838d53c52f552a19e06c0be5bf0b720bb5e00e6

SHA256
993b7ff10107d50d1c06f62fbd42cb6bd4094b14ffa20dae45bb5d33f3a6dd4b

SHA512
1cd3dc5605498a0fb49cd547d4d718396d93871db69cb45cde23f0f55a64b7ead8a0b07a70a30d65b9f0a6799d496696a6184f0f8154cc0cee08266bf331c9c3

Download Submit
C:\Windows\System32\xqLuidL.exe

Filesize
1.9MB

MD5
365b52973701a0894455108020d85755

SHA1
4be71311c9f6ef85ab4dc6e6e60f94521366e7aa

SHA256
e93fb4b2d4ec1c63f43d982244a81caead7da064a65c5ab91d3a9d22209d75fc

SHA512
3135f51331e695c76ffc9cc38e18f33bc9f03fb9b034f3cff6546c3698865261615fb47e474a5de5036bb76171c358f107f46bdfc5a5810cf4830611314803b6

Download Submit
C:\Windows\System32\zOUXVBa.exe

Filesize
1.9MB

MD5
76d6425881ac4e6ee83f085ff1bd541b

SHA1
370b4985d60e0d12fd7e5a2da5d166aaf4d9a99b

SHA256
daa5f324c947e9aa2433b8fcb3458ea468febc660c07199ec0b39b7ff214596a

SHA512
6b747a60a2d4e6533f7e9846f810f64c3286feeaa0672c7ae791ff1aa4ef466ed0faf2aa46f8c18c03782706c6006268838bb7abc73b0166928eb460a22764f5

Download Submit
memory/228-235-0x00007FF657210000-0x00007FF657601000-memory.dmp

Filesize
3.9MB

Download
memory/232-361-0x00007FF713A90000-0x00007FF713E81000-memory.dmp

Filesize
3.9MB

Download
memory/404-0-0x00007FF7DA630000-0x00007FF7DAA21000-memory.dmp

Filesize
3.9MB

Download
memory/404-105-0x00007FF7DA630000-0x00007FF7DAA21000-memory.dmp

Filesize
3.9MB

Download
memory/404-1-0x0000014E51370000-0x0000014E51380000-memory.dmp

Filesize
64KB

Download
memory/512-243-0x00007FF60C4F0000-0x00007FF60C8E1000-memory.dmp

Filesize
3.9MB

Download
memory/708-133-0x00007FF622960000-0x00007FF622D51000-memory.dmp

Filesize
3.9MB

Download
memory/800-337-0x00007FF72CE50000-0x00007FF72D241000-memory.dmp

Filesize
3.9MB

Download
memory/864-239-0x00007FF72D040000-0x00007FF72D431000-memory.dmp

Filesize
3.9MB

Download
memory/972-155-0x00007FF6CB3F0000-0x00007FF6CB7E1000-memory.dmp

Filesize
3.9MB

Download
memory/972-32-0x00007FF6CB3F0000-0x00007FF6CB7E1000-memory.dmp

Filesize
3.9MB

Download
memory/1036-332-0x00007FF78B790000-0x00007FF78BB81000-memory.dmp

Filesize
3.9MB

Download
memory/1160-175-0x00007FF723B50000-0x00007FF723F41000-memory.dmp

Filesize
3.9MB

Download
memory/1188-247-0x00007FF7129D0000-0x00007FF712DC1000-memory.dmp

Filesize
3.9MB

Download
memory/1188-45-0x00007FF7129D0000-0x00007FF712DC1000-memory.dmp

Filesize
3.9MB

Download
memory/1292-245-0x00007FF6F9F70000-0x00007FF6FA361000-memory.dmp

Filesize
3.9MB

Download
memory/1300-113-0x00007FF761260000-0x00007FF761651000-memory.dmp

Filesize
3.9MB

Download
memory/1376-107-0x00007FF645AD0000-0x00007FF645EC1000-memory.dmp

Filesize
3.9MB

Download
memory/1376-9-0x00007FF645AD0000-0x00007FF645EC1000-memory.dmp

Filesize
3.9MB

Download
memory/1624-120-0x00007FF64EC10000-0x00007FF64F001000-memory.dmp

Filesize
3.9MB

Download
memory/1660-199-0x00007FF73C7C0000-0x00007FF73CBB1000-memory.dmp

Filesize
3.9MB

Download
memory/1760-326-0x00007FF66AC30000-0x00007FF66B021000-memory.dmp

Filesize
3.9MB

Download
memory/1804-242-0x00007FF6448B0000-0x00007FF644CA1000-memory.dmp

Filesize
3.9MB

Download
memory/1956-346-0x00007FF7DB7C0000-0x00007FF7DBBB1000-memory.dmp

Filesize
3.9MB

Download
memory/2036-138-0x00007FF6701C0000-0x00007FF6705B1000-memory.dmp

Filesize
3.9MB

Download
memory/2532-244-0x00007FF60A830000-0x00007FF60AC21000-memory.dmp

Filesize
3.9MB

Download
memory/2600-22-0x00007FF761BE0000-0x00007FF761FD1000-memory.dmp

Filesize
3.9MB

Download
memory/2668-37-0x00007FF7966A0000-0x00007FF796A91000-memory.dmp

Filesize
3.9MB

Download
memory/2800-237-0x00007FF608F90000-0x00007FF609381000-memory.dmp

Filesize
3.9MB

Download
memory/2876-369-0x00007FF778930000-0x00007FF778D21000-memory.dmp

Filesize
3.9MB

Download
memory/2888-246-0x00007FF697D00000-0x00007FF6980F1000-memory.dmp

Filesize
3.9MB

Download
memory/2896-347-0x00007FF6D0150000-0x00007FF6D0541000-memory.dmp

Filesize
3.9MB

Download
memory/2936-72-0x00007FF7EA410000-0x00007FF7EA801000-memory.dmp

Filesize
3.9MB

Download
memory/3028-102-0x00007FF67BE00000-0x00007FF67C1F1000-memory.dmp

Filesize
3.9MB

Download
memory/3044-357-0x00007FF7BA440000-0x00007FF7BA831000-memory.dmp

Filesize
3.9MB

Download
memory/3140-497-0x00007FF6D5F00000-0x00007FF6D62F1000-memory.dmp

Filesize
3.9MB

Download
memory/3192-48-0x00007FF7A5A10000-0x00007FF7A5E01000-memory.dmp

Filesize
3.9MB

Download
memory/3284-222-0x00007FF774860000-0x00007FF774C51000-memory.dmp

Filesize
3.9MB

Download
memory/3352-123-0x00007FF767D10000-0x00007FF768101000-memory.dmp

Filesize
3.9MB

Download
memory/3396-90-0x00007FF6FF270000-0x00007FF6FF661000-memory.dmp

Filesize
3.9MB

Download
memory/3464-143-0x00007FF6DD6D0000-0x00007FF6DDAC1000-memory.dmp

Filesize
3.9MB

Download
memory/3580-131-0x00007FF74BEC0000-0x00007FF74C2B1000-memory.dmp

Filesize
3.9MB

Download
memory/3692-248-0x00007FF6576A0000-0x00007FF657A91000-memory.dmp

Filesize
3.9MB

Download
memory/3728-220-0x00007FF6D6700000-0x00007FF6D6AF1000-memory.dmp

Filesize
3.9MB

Download
memory/3756-250-0x00007FF6E08A0000-0x00007FF6E0C91000-memory.dmp

Filesize
3.9MB

Download
memory/3796-240-0x00007FF7310E0000-0x00007FF7314D1000-memory.dmp

Filesize
3.9MB

Download
memory/3824-140-0x00007FF6C0720000-0x00007FF6C0B11000-memory.dmp

Filesize
3.9MB

Download
memory/3836-354-0x00007FF7089C0000-0x00007FF708DB1000-memory.dmp

Filesize
3.9MB

Download
memory/4012-241-0x00007FF720110000-0x00007FF720501000-memory.dmp

Filesize
3.9MB

Download
memory/4128-86-0x00007FF716810000-0x00007FF716C01000-memory.dmp

Filesize
3.9MB

Download
memory/4168-65-0x00007FF76D760000-0x00007FF76DB51000-memory.dmp

Filesize
3.9MB

Download
memory/4404-238-0x00007FF617620000-0x00007FF617A11000-memory.dmp

Filesize
3.9MB

Download
memory/4460-169-0x00007FF6715F0000-0x00007FF6719E1000-memory.dmp

Filesize
3.9MB

Download
memory/4504-38-0x00007FF7FD3D0000-0x00007FF7FD7C1000-memory.dmp

Filesize
3.9MB

Download
memory/4548-249-0x00007FF766880000-0x00007FF766C71000-memory.dmp

Filesize
3.9MB

Download
memory/4724-128-0x00007FF619730000-0x00007FF619B21000-memory.dmp

Filesize
3.9MB

Download
memory/4724-17-0x00007FF619730000-0x00007FF619B21000-memory.dmp

Filesize
3.9MB

Download
memory/4744-215-0x00007FF70DF70000-0x00007FF70E361000-memory.dmp

Filesize
3.9MB

Download
memory/4776-57-0x00007FF6BA210000-0x00007FF6BA601000-memory.dmp

Filesize
3.9MB

Download
memory/4804-328-0x00007FF701A60000-0x00007FF701E51000-memory.dmp

Filesize
3.9MB

Download
memory/4960-352-0x00007FF74D6E0000-0x00007FF74DAD1000-memory.dmp

Filesize
3.9MB

Download
memory/4976-97-0x00007FF700630000-0x00007FF700A21000-memory.dmp

Filesize
3.9MB

Download
memory/5056-251-0x00007FF7595B0000-0x00007FF7599A1000-memory.dmp

Filesize
3.9MB

Download
memory/5060-252-0x00007FF646A20000-0x00007FF646E11000-memory.dmp

Filesize
3.9MB

Download
memory/5084-344-0x00007FF604A70000-0x00007FF604E61000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads