xmrig | 81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 00:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
Size

3.2MB
MD5

41389f454fd4967d54127c13920a2277
SHA1

53f446bdba9308f0e04bcd08c79027ceba8c2690
SHA256

81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357
SHA512

3945d695f46bbb71e4d137749319f4c54f66c396989925bace2dfa3c6deb7c2182f36a31548abd01c08026b6fed1dbe86872f9e426892a96039e659d3a81cd82
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc4K:NFWPClF6

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4628-0-0x00007FF722670000-0x00007FF722A65000-memory.dmp	UPX
behavioral2/files/0x00070000000233e3-4.dat	UPX
behavioral2/memory/116-8-0x00007FF703E70000-0x00007FF704265000-memory.dmp	UPX
behavioral2/files/0x00070000000233e4-12.dat	UPX
behavioral2/memory/1948-14-0x00007FF68EF30000-0x00007FF68F325000-memory.dmp	UPX
behavioral2/memory/3484-18-0x00007FF696420000-0x00007FF696815000-memory.dmp	UPX
behavioral2/files/0x00070000000233e5-19.dat	UPX
behavioral2/files/0x00070000000233e6-24.dat	UPX
behavioral2/files/0x00070000000233e7-27.dat	UPX
behavioral2/files/0x00070000000233e8-34.dat	UPX
behavioral2/files/0x00070000000233ea-44.dat	UPX
behavioral2/files/0x00070000000233eb-49.dat	UPX
behavioral2/files/0x00070000000233ec-53.dat	UPX
behavioral2/files/0x00080000000233df-61.dat	UPX
behavioral2/files/0x00070000000233ee-71.dat	UPX
behavioral2/files/0x00070000000233f1-86.dat	UPX
behavioral2/files/0x00070000000233f2-91.dat	UPX
behavioral2/files/0x00070000000233f3-96.dat	UPX
behavioral2/files/0x00070000000233f8-121.dat	UPX
behavioral2/files/0x00070000000233fa-129.dat	UPX
behavioral2/files/0x00070000000233fd-146.dat	UPX
behavioral2/files/0x00070000000233ff-156.dat	UPX
behavioral2/files/0x0007000000023401-166.dat	UPX
behavioral2/memory/2996-684-0x00007FF7106A0000-0x00007FF710A95000-memory.dmp	UPX
behavioral2/files/0x0007000000023400-161.dat	UPX
behavioral2/files/0x00070000000233fe-151.dat	UPX
behavioral2/files/0x00070000000233fc-141.dat	UPX
behavioral2/files/0x00070000000233fb-136.dat	UPX
behavioral2/files/0x00070000000233f9-126.dat	UPX
behavioral2/files/0x00070000000233f7-116.dat	UPX
behavioral2/files/0x00070000000233f6-111.dat	UPX
behavioral2/files/0x00070000000233f5-106.dat	UPX
behavioral2/files/0x00070000000233f4-101.dat	UPX
behavioral2/files/0x00070000000233f0-81.dat	UPX
behavioral2/files/0x00070000000233ef-76.dat	UPX
behavioral2/files/0x00070000000233ed-66.dat	UPX
behavioral2/memory/3272-55-0x00007FF7483A0000-0x00007FF748795000-memory.dmp	UPX
behavioral2/memory/3612-52-0x00007FF7915E0000-0x00007FF7919D5000-memory.dmp	UPX
behavioral2/files/0x00070000000233e9-39.dat	UPX
behavioral2/memory/3768-694-0x00007FF72FEB0000-0x00007FF7302A5000-memory.dmp	UPX
behavioral2/memory/3004-691-0x00007FF69E900000-0x00007FF69ECF5000-memory.dmp	UPX
behavioral2/memory/2404-700-0x00007FF6E1A60000-0x00007FF6E1E55000-memory.dmp	UPX
behavioral2/memory/4716-702-0x00007FF63CFF0000-0x00007FF63D3E5000-memory.dmp	UPX
behavioral2/memory/1080-711-0x00007FF7226B0000-0x00007FF722AA5000-memory.dmp	UPX
behavioral2/memory/2388-715-0x00007FF6EB410000-0x00007FF6EB805000-memory.dmp	UPX
behavioral2/memory/3440-717-0x00007FF6103F0000-0x00007FF6107E5000-memory.dmp	UPX
behavioral2/memory/816-723-0x00007FF666CC0000-0x00007FF6670B5000-memory.dmp	UPX
behavioral2/memory/2044-730-0x00007FF782710000-0x00007FF782B05000-memory.dmp	UPX
behavioral2/memory/5064-733-0x00007FF7EA000000-0x00007FF7EA3F5000-memory.dmp	UPX
behavioral2/memory/4728-735-0x00007FF6787E0000-0x00007FF678BD5000-memory.dmp	UPX
behavioral2/memory/1624-738-0x00007FF795690000-0x00007FF795A85000-memory.dmp	UPX
behavioral2/memory/4892-739-0x00007FF693890000-0x00007FF693C85000-memory.dmp	UPX
behavioral2/memory/4956-741-0x00007FF7478E0000-0x00007FF747CD5000-memory.dmp	UPX
behavioral2/memory/1380-743-0x00007FF6F1DF0000-0x00007FF6F21E5000-memory.dmp	UPX
behavioral2/memory/4060-744-0x00007FF66F760000-0x00007FF66FB55000-memory.dmp	UPX
behavioral2/memory/4920-747-0x00007FF6442A0000-0x00007FF644695000-memory.dmp	UPX
behavioral2/memory/4608-751-0x00007FF6D5970000-0x00007FF6D5D65000-memory.dmp	UPX
behavioral2/memory/3412-762-0x00007FF7F87D0000-0x00007FF7F8BC5000-memory.dmp	UPX
behavioral2/memory/4336-764-0x00007FF6AC310000-0x00007FF6AC705000-memory.dmp	UPX
behavioral2/memory/3860-812-0x00007FF651E00000-0x00007FF6521F5000-memory.dmp	UPX
behavioral2/memory/2544-816-0x00007FF651F20000-0x00007FF652315000-memory.dmp	UPX
behavioral2/memory/3660-826-0x00007FF78C7A0000-0x00007FF78CB95000-memory.dmp	UPX
behavioral2/memory/5088-830-0x00007FF78CDF0000-0x00007FF78D1E5000-memory.dmp	UPX
behavioral2/memory/1888-834-0x00007FF6E3F60000-0x00007FF6E4355000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4628-0-0x00007FF722670000-0x00007FF722A65000-memory.dmp	xmrig
behavioral2/files/0x00070000000233e3-4.dat	xmrig
behavioral2/memory/116-8-0x00007FF703E70000-0x00007FF704265000-memory.dmp	xmrig
behavioral2/files/0x00070000000233e4-12.dat	xmrig
behavioral2/memory/1948-14-0x00007FF68EF30000-0x00007FF68F325000-memory.dmp	xmrig
behavioral2/memory/3484-18-0x00007FF696420000-0x00007FF696815000-memory.dmp	xmrig
behavioral2/files/0x00070000000233e5-19.dat	xmrig
behavioral2/files/0x00070000000233e6-24.dat	xmrig
behavioral2/files/0x00070000000233e7-27.dat	xmrig
behavioral2/files/0x00070000000233e8-34.dat	xmrig
behavioral2/files/0x00070000000233ea-44.dat	xmrig
behavioral2/files/0x00070000000233eb-49.dat	xmrig
behavioral2/files/0x00070000000233ec-53.dat	xmrig
behavioral2/files/0x00080000000233df-61.dat	xmrig
behavioral2/files/0x00070000000233ee-71.dat	xmrig
behavioral2/files/0x00070000000233f1-86.dat	xmrig
behavioral2/files/0x00070000000233f2-91.dat	xmrig
behavioral2/files/0x00070000000233f3-96.dat	xmrig
behavioral2/files/0x00070000000233f8-121.dat	xmrig
behavioral2/files/0x00070000000233fa-129.dat	xmrig
behavioral2/files/0x00070000000233fd-146.dat	xmrig
behavioral2/files/0x00070000000233ff-156.dat	xmrig
behavioral2/files/0x0007000000023401-166.dat	xmrig
behavioral2/memory/2996-684-0x00007FF7106A0000-0x00007FF710A95000-memory.dmp	xmrig
behavioral2/files/0x0007000000023400-161.dat	xmrig
behavioral2/files/0x00070000000233fe-151.dat	xmrig
behavioral2/files/0x00070000000233fc-141.dat	xmrig
behavioral2/files/0x00070000000233fb-136.dat	xmrig
behavioral2/files/0x00070000000233f9-126.dat	xmrig
behavioral2/files/0x00070000000233f7-116.dat	xmrig
behavioral2/files/0x00070000000233f6-111.dat	xmrig
behavioral2/files/0x00070000000233f5-106.dat	xmrig
behavioral2/files/0x00070000000233f4-101.dat	xmrig
behavioral2/files/0x00070000000233f0-81.dat	xmrig
behavioral2/files/0x00070000000233ef-76.dat	xmrig
behavioral2/files/0x00070000000233ed-66.dat	xmrig
behavioral2/memory/3272-55-0x00007FF7483A0000-0x00007FF748795000-memory.dmp	xmrig
behavioral2/memory/3612-52-0x00007FF7915E0000-0x00007FF7919D5000-memory.dmp	xmrig
behavioral2/files/0x00070000000233e9-39.dat	xmrig
behavioral2/memory/3768-694-0x00007FF72FEB0000-0x00007FF7302A5000-memory.dmp	xmrig
behavioral2/memory/3004-691-0x00007FF69E900000-0x00007FF69ECF5000-memory.dmp	xmrig
behavioral2/memory/2404-700-0x00007FF6E1A60000-0x00007FF6E1E55000-memory.dmp	xmrig
behavioral2/memory/4716-702-0x00007FF63CFF0000-0x00007FF63D3E5000-memory.dmp	xmrig
behavioral2/memory/1080-711-0x00007FF7226B0000-0x00007FF722AA5000-memory.dmp	xmrig
behavioral2/memory/2388-715-0x00007FF6EB410000-0x00007FF6EB805000-memory.dmp	xmrig
behavioral2/memory/3440-717-0x00007FF6103F0000-0x00007FF6107E5000-memory.dmp	xmrig
behavioral2/memory/816-723-0x00007FF666CC0000-0x00007FF6670B5000-memory.dmp	xmrig
behavioral2/memory/2044-730-0x00007FF782710000-0x00007FF782B05000-memory.dmp	xmrig
behavioral2/memory/5064-733-0x00007FF7EA000000-0x00007FF7EA3F5000-memory.dmp	xmrig
behavioral2/memory/4728-735-0x00007FF6787E0000-0x00007FF678BD5000-memory.dmp	xmrig
behavioral2/memory/1624-738-0x00007FF795690000-0x00007FF795A85000-memory.dmp	xmrig
behavioral2/memory/4892-739-0x00007FF693890000-0x00007FF693C85000-memory.dmp	xmrig
behavioral2/memory/4956-741-0x00007FF7478E0000-0x00007FF747CD5000-memory.dmp	xmrig
behavioral2/memory/1380-743-0x00007FF6F1DF0000-0x00007FF6F21E5000-memory.dmp	xmrig
behavioral2/memory/4060-744-0x00007FF66F760000-0x00007FF66FB55000-memory.dmp	xmrig
behavioral2/memory/4920-747-0x00007FF6442A0000-0x00007FF644695000-memory.dmp	xmrig
behavioral2/memory/4608-751-0x00007FF6D5970000-0x00007FF6D5D65000-memory.dmp	xmrig
behavioral2/memory/3412-762-0x00007FF7F87D0000-0x00007FF7F8BC5000-memory.dmp	xmrig
behavioral2/memory/4336-764-0x00007FF6AC310000-0x00007FF6AC705000-memory.dmp	xmrig
behavioral2/memory/3860-812-0x00007FF651E00000-0x00007FF6521F5000-memory.dmp	xmrig
behavioral2/memory/2544-816-0x00007FF651F20000-0x00007FF652315000-memory.dmp	xmrig
behavioral2/memory/3660-826-0x00007FF78C7A0000-0x00007FF78CB95000-memory.dmp	xmrig
behavioral2/memory/5088-830-0x00007FF78CDF0000-0x00007FF78D1E5000-memory.dmp	xmrig
behavioral2/memory/1888-834-0x00007FF6E3F60000-0x00007FF6E4355000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
116	yiATFyt.exe
1948	YasIakr.exe
3484	rsrybSa.exe
3612	AziCqEw.exe
3272	RjzrToP.exe
2996	pZiGhFS.exe
3004	AvjXOvV.exe
3768	hMjYhWD.exe
2404	tAViAfn.exe
2604	qNNVuEF.exe
2080	WIwtUxW.exe
4716	CPmrfEY.exe
1080	orjeqTz.exe
2388	ogVKWOp.exe
3440	qIXAbpM.exe
816	OXjVdrR.exe
2044	yfpAEmw.exe
5064	IsNLGPD.exe
4728	ongLtfW.exe
1624	ekUnMig.exe
4892	mJYiwnj.exe
4956	GtLzVfU.exe
1380	mNpSPQH.exe
4060	BnosyqX.exe
4920	lQtmuRH.exe
4608	Flwrmhy.exe
3412	ktiMdVh.exe
4336	vHUmGjM.exe
3860	uNRWQIJ.exe
2544	rJmPwkW.exe
3660	OlVUdXV.exe
5088	TTIkXbv.exe
1888	vEjlmFP.exe
2268	aRrsKgZ.exe
1252	HOmvRBE.exe
2904	XnCxnOc.exe
1748	cSmlzHK.exe
2640	ekBUunp.exe
3704	vlgXcnC.exe
4800	NhnJdAi.exe
3500	ugikRiI.exe
4880	bxDEngS.exe
2172	dfurCkM.exe
4796	zUVAjvY.exe
4004	NnpVnvH.exe
3932	IugGyir.exe
2856	iuMjjTC.exe
2684	GNYgHWs.exe
4456	sPvxvjQ.exe
4436	IlTdhVD.exe
4856	rhaaztq.exe
1284	WSIrcLv.exe
560	bsIbraz.exe
1776	YZBZoDB.exe
4976	fGCFHgX.exe
1660	AamiKqb.exe
3192	ZuLczHB.exe
2936	LTXYWkc.exe
3488	DjtYGPK.exe
780	WXYrTtt.exe
4356	hGobIWL.exe
3864	IbtZPde.exe
4656	gAtSkQh.exe
4084	NBPRoVr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4628-0-0x00007FF722670000-0x00007FF722A65000-memory.dmp	upx
behavioral2/files/0x00070000000233e3-4.dat	upx
behavioral2/memory/116-8-0x00007FF703E70000-0x00007FF704265000-memory.dmp	upx
behavioral2/files/0x00070000000233e4-12.dat	upx
behavioral2/memory/1948-14-0x00007FF68EF30000-0x00007FF68F325000-memory.dmp	upx
behavioral2/memory/3484-18-0x00007FF696420000-0x00007FF696815000-memory.dmp	upx
behavioral2/files/0x00070000000233e5-19.dat	upx
behavioral2/files/0x00070000000233e6-24.dat	upx
behavioral2/files/0x00070000000233e7-27.dat	upx
behavioral2/files/0x00070000000233e8-34.dat	upx
behavioral2/files/0x00070000000233ea-44.dat	upx
behavioral2/files/0x00070000000233eb-49.dat	upx
behavioral2/files/0x00070000000233ec-53.dat	upx
behavioral2/files/0x00080000000233df-61.dat	upx
behavioral2/files/0x00070000000233ee-71.dat	upx
behavioral2/files/0x00070000000233f1-86.dat	upx
behavioral2/files/0x00070000000233f2-91.dat	upx
behavioral2/files/0x00070000000233f3-96.dat	upx
behavioral2/files/0x00070000000233f8-121.dat	upx
behavioral2/files/0x00070000000233fa-129.dat	upx
behavioral2/files/0x00070000000233fd-146.dat	upx
behavioral2/files/0x00070000000233ff-156.dat	upx
behavioral2/files/0x0007000000023401-166.dat	upx
behavioral2/memory/2996-684-0x00007FF7106A0000-0x00007FF710A95000-memory.dmp	upx
behavioral2/files/0x0007000000023400-161.dat	upx
behavioral2/files/0x00070000000233fe-151.dat	upx
behavioral2/files/0x00070000000233fc-141.dat	upx
behavioral2/files/0x00070000000233fb-136.dat	upx
behavioral2/files/0x00070000000233f9-126.dat	upx
behavioral2/files/0x00070000000233f7-116.dat	upx
behavioral2/files/0x00070000000233f6-111.dat	upx
behavioral2/files/0x00070000000233f5-106.dat	upx
behavioral2/files/0x00070000000233f4-101.dat	upx
behavioral2/files/0x00070000000233f0-81.dat	upx
behavioral2/files/0x00070000000233ef-76.dat	upx
behavioral2/files/0x00070000000233ed-66.dat	upx
behavioral2/memory/3272-55-0x00007FF7483A0000-0x00007FF748795000-memory.dmp	upx
behavioral2/memory/3612-52-0x00007FF7915E0000-0x00007FF7919D5000-memory.dmp	upx
behavioral2/files/0x00070000000233e9-39.dat	upx
behavioral2/memory/3768-694-0x00007FF72FEB0000-0x00007FF7302A5000-memory.dmp	upx
behavioral2/memory/3004-691-0x00007FF69E900000-0x00007FF69ECF5000-memory.dmp	upx
behavioral2/memory/2404-700-0x00007FF6E1A60000-0x00007FF6E1E55000-memory.dmp	upx
behavioral2/memory/4716-702-0x00007FF63CFF0000-0x00007FF63D3E5000-memory.dmp	upx
behavioral2/memory/1080-711-0x00007FF7226B0000-0x00007FF722AA5000-memory.dmp	upx
behavioral2/memory/2388-715-0x00007FF6EB410000-0x00007FF6EB805000-memory.dmp	upx
behavioral2/memory/3440-717-0x00007FF6103F0000-0x00007FF6107E5000-memory.dmp	upx
behavioral2/memory/816-723-0x00007FF666CC0000-0x00007FF6670B5000-memory.dmp	upx
behavioral2/memory/2044-730-0x00007FF782710000-0x00007FF782B05000-memory.dmp	upx
behavioral2/memory/5064-733-0x00007FF7EA000000-0x00007FF7EA3F5000-memory.dmp	upx
behavioral2/memory/4728-735-0x00007FF6787E0000-0x00007FF678BD5000-memory.dmp	upx
behavioral2/memory/1624-738-0x00007FF795690000-0x00007FF795A85000-memory.dmp	upx
behavioral2/memory/4892-739-0x00007FF693890000-0x00007FF693C85000-memory.dmp	upx
behavioral2/memory/4956-741-0x00007FF7478E0000-0x00007FF747CD5000-memory.dmp	upx
behavioral2/memory/1380-743-0x00007FF6F1DF0000-0x00007FF6F21E5000-memory.dmp	upx
behavioral2/memory/4060-744-0x00007FF66F760000-0x00007FF66FB55000-memory.dmp	upx
behavioral2/memory/4920-747-0x00007FF6442A0000-0x00007FF644695000-memory.dmp	upx
behavioral2/memory/4608-751-0x00007FF6D5970000-0x00007FF6D5D65000-memory.dmp	upx
behavioral2/memory/3412-762-0x00007FF7F87D0000-0x00007FF7F8BC5000-memory.dmp	upx
behavioral2/memory/4336-764-0x00007FF6AC310000-0x00007FF6AC705000-memory.dmp	upx
behavioral2/memory/3860-812-0x00007FF651E00000-0x00007FF6521F5000-memory.dmp	upx
behavioral2/memory/2544-816-0x00007FF651F20000-0x00007FF652315000-memory.dmp	upx
behavioral2/memory/3660-826-0x00007FF78C7A0000-0x00007FF78CB95000-memory.dmp	upx
behavioral2/memory/5088-830-0x00007FF78CDF0000-0x00007FF78D1E5000-memory.dmp	upx
behavioral2/memory/1888-834-0x00007FF6E3F60000-0x00007FF6E4355000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\zwNrMvm.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\OXjVdrR.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\DdgKAZc.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\mFhVhRM.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\dfurCkM.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\KolBONe.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\CAMcmaE.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\kvyNYUK.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\hCrXsFb.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\OfMeCmj.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\IbtZPde.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\BVortfW.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\BObjIIj.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\rJmPwkW.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\HOmvRBE.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\orjeqTz.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\HpGYcPQ.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\WNfZpME.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\UVumCuE.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\GtLzVfU.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\vmTsCXF.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\IFSlprz.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\rXupsPa.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\kDPoxtx.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\Flwrmhy.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\jmXjsnc.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\anOcElg.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\pZiGhFS.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\mJYiwnj.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\yBBWUsA.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\hDwxJlK.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\UlrgdOY.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\gsIrJED.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\FgEIpYT.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\oQTFXkO.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\TaHBxqY.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\kXwqiZy.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\BNFGmvk.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\fxeFqTs.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\FBrfzly.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\bdtuAHO.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\qBgmPSz.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\MhOFYpF.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\BmHYCQJ.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\txCOYXv.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\YZBZoDB.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\Hocowfb.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\PtWRWZb.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\iQUPccS.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\HKfTSwI.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\szNyFbS.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\KoBdXAw.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\EFgXSTo.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\AkRrmRO.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\wLgcJfw.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\xElXFUV.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\TALVYwr.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\BnosyqX.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\SKvXqHQ.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\xePHPRs.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\wXPlGlP.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\EDffRWZ.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\xykrTll.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
File created	C:\Windows\System32\dnPspml.exe	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	7956	dwm.exe
Token: SeChangeNotifyPrivilege	7956	dwm.exe
Token: 33	7956	dwm.exe
Token: SeIncBasePriorityPrivilege	7956	dwm.exe
Token: SeShutdownPrivilege	7956	dwm.exe
Token: SeCreatePagefilePrivilege	7956	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 116	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	83
PID 4628 wrote to memory of 116	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	83
PID 4628 wrote to memory of 1948	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	84
PID 4628 wrote to memory of 1948	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	84
PID 4628 wrote to memory of 3484	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	85
PID 4628 wrote to memory of 3484	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	85
PID 4628 wrote to memory of 3612	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	86
PID 4628 wrote to memory of 3612	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	86
PID 4628 wrote to memory of 3272	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	88
PID 4628 wrote to memory of 3272	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	88
PID 4628 wrote to memory of 2996	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	89
PID 4628 wrote to memory of 2996	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	89
PID 4628 wrote to memory of 3004	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	90
PID 4628 wrote to memory of 3004	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	90
PID 4628 wrote to memory of 3768	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	91
PID 4628 wrote to memory of 3768	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	91
PID 4628 wrote to memory of 2404	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	92
PID 4628 wrote to memory of 2404	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	92
PID 4628 wrote to memory of 2604	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	93
PID 4628 wrote to memory of 2604	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	93
PID 4628 wrote to memory of 2080	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	94
PID 4628 wrote to memory of 2080	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	94
PID 4628 wrote to memory of 4716	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	95
PID 4628 wrote to memory of 4716	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	95
PID 4628 wrote to memory of 1080	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	96
PID 4628 wrote to memory of 1080	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	96
PID 4628 wrote to memory of 2388	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	98
PID 4628 wrote to memory of 2388	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	98
PID 4628 wrote to memory of 3440	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	99
PID 4628 wrote to memory of 3440	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	99
PID 4628 wrote to memory of 816	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	100
PID 4628 wrote to memory of 816	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	100
PID 4628 wrote to memory of 2044	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	101
PID 4628 wrote to memory of 2044	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	101
PID 4628 wrote to memory of 5064	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	102
PID 4628 wrote to memory of 5064	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	102
PID 4628 wrote to memory of 4728	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	103
PID 4628 wrote to memory of 4728	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	103
PID 4628 wrote to memory of 1624	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	104
PID 4628 wrote to memory of 1624	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	104
PID 4628 wrote to memory of 4892	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	105
PID 4628 wrote to memory of 4892	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	105
PID 4628 wrote to memory of 4956	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	106
PID 4628 wrote to memory of 4956	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	106
PID 4628 wrote to memory of 1380	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	107
PID 4628 wrote to memory of 1380	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	107
PID 4628 wrote to memory of 4060	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	108
PID 4628 wrote to memory of 4060	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	108
PID 4628 wrote to memory of 4920	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	109
PID 4628 wrote to memory of 4920	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	109
PID 4628 wrote to memory of 4608	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	110
PID 4628 wrote to memory of 4608	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	110
PID 4628 wrote to memory of 3412	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	111
PID 4628 wrote to memory of 3412	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	111
PID 4628 wrote to memory of 4336	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	112
PID 4628 wrote to memory of 4336	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	112
PID 4628 wrote to memory of 3860	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	113
PID 4628 wrote to memory of 3860	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	113
PID 4628 wrote to memory of 2544	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	114
PID 4628 wrote to memory of 2544	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	114
PID 4628 wrote to memory of 3660	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	115
PID 4628 wrote to memory of 3660	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	115
PID 4628 wrote to memory of 5088	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	116
PID 4628 wrote to memory of 5088	4628	81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe	116

C:\Users\Admin\AppData\Local\Temp\81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe
"C:\Users\Admin\AppData\Local\Temp\81f4dba41ecf046c5a0c3402a6886e7e4d92940e74d93d63cf7e4602f264e357.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\System32\yiATFyt.exe
  C:\Windows\System32\yiATFyt.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System32\YasIakr.exe
  C:\Windows\System32\YasIakr.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System32\rsrybSa.exe
  C:\Windows\System32\rsrybSa.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\AziCqEw.exe
  C:\Windows\System32\AziCqEw.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System32\RjzrToP.exe
  C:\Windows\System32\RjzrToP.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\pZiGhFS.exe
  C:\Windows\System32\pZiGhFS.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\AvjXOvV.exe
  C:\Windows\System32\AvjXOvV.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System32\hMjYhWD.exe
  C:\Windows\System32\hMjYhWD.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\tAViAfn.exe
  C:\Windows\System32\tAViAfn.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\qNNVuEF.exe
  C:\Windows\System32\qNNVuEF.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System32\WIwtUxW.exe
  C:\Windows\System32\WIwtUxW.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System32\CPmrfEY.exe
  C:\Windows\System32\CPmrfEY.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System32\orjeqTz.exe
  C:\Windows\System32\orjeqTz.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\ogVKWOp.exe
  C:\Windows\System32\ogVKWOp.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System32\qIXAbpM.exe
  C:\Windows\System32\qIXAbpM.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\OXjVdrR.exe
  C:\Windows\System32\OXjVdrR.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\System32\yfpAEmw.exe
  C:\Windows\System32\yfpAEmw.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System32\IsNLGPD.exe
  C:\Windows\System32\IsNLGPD.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\ongLtfW.exe
  C:\Windows\System32\ongLtfW.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\ekUnMig.exe
  C:\Windows\System32\ekUnMig.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\mJYiwnj.exe
  C:\Windows\System32\mJYiwnj.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System32\GtLzVfU.exe
  C:\Windows\System32\GtLzVfU.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\mNpSPQH.exe
  C:\Windows\System32\mNpSPQH.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\BnosyqX.exe
  C:\Windows\System32\BnosyqX.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\lQtmuRH.exe
  C:\Windows\System32\lQtmuRH.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\Flwrmhy.exe
  C:\Windows\System32\Flwrmhy.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System32\ktiMdVh.exe
  C:\Windows\System32\ktiMdVh.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\vHUmGjM.exe
  C:\Windows\System32\vHUmGjM.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\uNRWQIJ.exe
  C:\Windows\System32\uNRWQIJ.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System32\rJmPwkW.exe
  C:\Windows\System32\rJmPwkW.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System32\OlVUdXV.exe
  C:\Windows\System32\OlVUdXV.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\TTIkXbv.exe
  C:\Windows\System32\TTIkXbv.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\vEjlmFP.exe
  C:\Windows\System32\vEjlmFP.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System32\aRrsKgZ.exe
  C:\Windows\System32\aRrsKgZ.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System32\HOmvRBE.exe
  C:\Windows\System32\HOmvRBE.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System32\XnCxnOc.exe
  C:\Windows\System32\XnCxnOc.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\cSmlzHK.exe
  C:\Windows\System32\cSmlzHK.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System32\ekBUunp.exe
  C:\Windows\System32\ekBUunp.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System32\vlgXcnC.exe
  C:\Windows\System32\vlgXcnC.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\NhnJdAi.exe
  C:\Windows\System32\NhnJdAi.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System32\ugikRiI.exe
  C:\Windows\System32\ugikRiI.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\bxDEngS.exe
  C:\Windows\System32\bxDEngS.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\dfurCkM.exe
  C:\Windows\System32\dfurCkM.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System32\zUVAjvY.exe
  C:\Windows\System32\zUVAjvY.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\NnpVnvH.exe
  C:\Windows\System32\NnpVnvH.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System32\IugGyir.exe
  C:\Windows\System32\IugGyir.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\iuMjjTC.exe
  C:\Windows\System32\iuMjjTC.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System32\GNYgHWs.exe
  C:\Windows\System32\GNYgHWs.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System32\sPvxvjQ.exe
  C:\Windows\System32\sPvxvjQ.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\IlTdhVD.exe
  C:\Windows\System32\IlTdhVD.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\rhaaztq.exe
  C:\Windows\System32\rhaaztq.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\WSIrcLv.exe
  C:\Windows\System32\WSIrcLv.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System32\bsIbraz.exe
  C:\Windows\System32\bsIbraz.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System32\YZBZoDB.exe
  C:\Windows\System32\YZBZoDB.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System32\fGCFHgX.exe
  C:\Windows\System32\fGCFHgX.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\AamiKqb.exe
  C:\Windows\System32\AamiKqb.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System32\ZuLczHB.exe
  C:\Windows\System32\ZuLczHB.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System32\LTXYWkc.exe
  C:\Windows\System32\LTXYWkc.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\DjtYGPK.exe
  C:\Windows\System32\DjtYGPK.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\WXYrTtt.exe
  C:\Windows\System32\WXYrTtt.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System32\hGobIWL.exe
  C:\Windows\System32\hGobIWL.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\IbtZPde.exe
  C:\Windows\System32\IbtZPde.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\gAtSkQh.exe
  C:\Windows\System32\gAtSkQh.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System32\NBPRoVr.exe
  C:\Windows\System32\NBPRoVr.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System32\felXbKf.exe
  C:\Windows\System32\felXbKf.exe
  2⤵
  PID:952
- C:\Windows\System32\FuoxcZs.exe
  C:\Windows\System32\FuoxcZs.exe
  2⤵
  PID:3956
- C:\Windows\System32\AJmkSFV.exe
  C:\Windows\System32\AJmkSFV.exe
  2⤵
  PID:4352
- C:\Windows\System32\cjuHiuF.exe
  C:\Windows\System32\cjuHiuF.exe
  2⤵
  PID:2656
- C:\Windows\System32\UptiOPz.exe
  C:\Windows\System32\UptiOPz.exe
  2⤵
  PID:3580
- C:\Windows\System32\ZKGuEKC.exe
  C:\Windows\System32\ZKGuEKC.exe
  2⤵
  PID:3556
- C:\Windows\System32\UqgvybP.exe
  C:\Windows\System32\UqgvybP.exe
  2⤵
  PID:3260
- C:\Windows\System32\FBrfzly.exe
  C:\Windows\System32\FBrfzly.exe
  2⤵
  PID:1540
- C:\Windows\System32\mCebDUz.exe
  C:\Windows\System32\mCebDUz.exe
  2⤵
  PID:3040
- C:\Windows\System32\jeMZeTM.exe
  C:\Windows\System32\jeMZeTM.exe
  2⤵
  PID:2848
- C:\Windows\System32\EiJYsLI.exe
  C:\Windows\System32\EiJYsLI.exe
  2⤵
  PID:4584
- C:\Windows\System32\pFpzTaP.exe
  C:\Windows\System32\pFpzTaP.exe
  2⤵
  PID:4972
- C:\Windows\System32\mcfZHls.exe
  C:\Windows\System32\mcfZHls.exe
  2⤵
  PID:2028
- C:\Windows\System32\fWEzIUP.exe
  C:\Windows\System32\fWEzIUP.exe
  2⤵
  PID:4196
- C:\Windows\System32\jKuzSxY.exe
  C:\Windows\System32\jKuzSxY.exe
  2⤵
  PID:3256
- C:\Windows\System32\RZjXKAs.exe
  C:\Windows\System32\RZjXKAs.exe
  2⤵
  PID:4176
- C:\Windows\System32\HpGYcPQ.exe
  C:\Windows\System32\HpGYcPQ.exe
  2⤵
  PID:4564
- C:\Windows\System32\blopYeR.exe
  C:\Windows\System32\blopYeR.exe
  2⤵
  PID:4408
- C:\Windows\System32\ldroGOx.exe
  C:\Windows\System32\ldroGOx.exe
  2⤵
  PID:3188
- C:\Windows\System32\XjuPIUZ.exe
  C:\Windows\System32\XjuPIUZ.exe
  2⤵
  PID:1232
- C:\Windows\System32\iIwFrPT.exe
  C:\Windows\System32\iIwFrPT.exe
  2⤵
  PID:4280
- C:\Windows\System32\iPHIuuu.exe
  C:\Windows\System32\iPHIuuu.exe
  2⤵
  PID:4284
- C:\Windows\System32\vmTsCXF.exe
  C:\Windows\System32\vmTsCXF.exe
  2⤵
  PID:2668
- C:\Windows\System32\riCYxju.exe
  C:\Windows\System32\riCYxju.exe
  2⤵
  PID:4768
- C:\Windows\System32\ykrIwtj.exe
  C:\Windows\System32\ykrIwtj.exe
  2⤵
  PID:5128
- C:\Windows\System32\NtTRADs.exe
  C:\Windows\System32\NtTRADs.exe
  2⤵
  PID:5152
- C:\Windows\System32\FZKdzno.exe
  C:\Windows\System32\FZKdzno.exe
  2⤵
  PID:5184
- C:\Windows\System32\FgEIpYT.exe
  C:\Windows\System32\FgEIpYT.exe
  2⤵
  PID:5208
- C:\Windows\System32\vfHOdbD.exe
  C:\Windows\System32\vfHOdbD.exe
  2⤵
  PID:5240
- C:\Windows\System32\PtWRWZb.exe
  C:\Windows\System32\PtWRWZb.exe
  2⤵
  PID:5268
- C:\Windows\System32\jssgzav.exe
  C:\Windows\System32\jssgzav.exe
  2⤵
  PID:5296
- C:\Windows\System32\fypSoMa.exe
  C:\Windows\System32\fypSoMa.exe
  2⤵
  PID:5324
- C:\Windows\System32\VBFcSTQ.exe
  C:\Windows\System32\VBFcSTQ.exe
  2⤵
  PID:5352
- C:\Windows\System32\hziBacK.exe
  C:\Windows\System32\hziBacK.exe
  2⤵
  PID:5380
- C:\Windows\System32\iKHeuCn.exe
  C:\Windows\System32\iKHeuCn.exe
  2⤵
  PID:5408
- C:\Windows\System32\DHgZNeQ.exe
  C:\Windows\System32\DHgZNeQ.exe
  2⤵
  PID:5424
- C:\Windows\System32\HkZKELw.exe
  C:\Windows\System32\HkZKELw.exe
  2⤵
  PID:5460
- C:\Windows\System32\PFvgfGA.exe
  C:\Windows\System32\PFvgfGA.exe
  2⤵
  PID:5492
- C:\Windows\System32\iWJQRbZ.exe
  C:\Windows\System32\iWJQRbZ.exe
  2⤵
  PID:5520
- C:\Windows\System32\gwNUWxk.exe
  C:\Windows\System32\gwNUWxk.exe
  2⤵
  PID:5548
- C:\Windows\System32\FEiGIzB.exe
  C:\Windows\System32\FEiGIzB.exe
  2⤵
  PID:5564
- C:\Windows\System32\BObjIIj.exe
  C:\Windows\System32\BObjIIj.exe
  2⤵
  PID:5604
- C:\Windows\System32\Hocowfb.exe
  C:\Windows\System32\Hocowfb.exe
  2⤵
  PID:5632
- C:\Windows\System32\cGgNPMI.exe
  C:\Windows\System32\cGgNPMI.exe
  2⤵
  PID:5660
- C:\Windows\System32\FZTwKTE.exe
  C:\Windows\System32\FZTwKTE.exe
  2⤵
  PID:5688
- C:\Windows\System32\imXEpkh.exe
  C:\Windows\System32\imXEpkh.exe
  2⤵
  PID:5716
- C:\Windows\System32\RRYhoaA.exe
  C:\Windows\System32\RRYhoaA.exe
  2⤵
  PID:5744
- C:\Windows\System32\ZvkIinJ.exe
  C:\Windows\System32\ZvkIinJ.exe
  2⤵
  PID:5772
- C:\Windows\System32\qlFFxCb.exe
  C:\Windows\System32\qlFFxCb.exe
  2⤵
  PID:5800
- C:\Windows\System32\EFgXSTo.exe
  C:\Windows\System32\EFgXSTo.exe
  2⤵
  PID:5828
- C:\Windows\System32\nMUcXPR.exe
  C:\Windows\System32\nMUcXPR.exe
  2⤵
  PID:5856
- C:\Windows\System32\IGEOuLL.exe
  C:\Windows\System32\IGEOuLL.exe
  2⤵
  PID:5884
- C:\Windows\System32\zCBBkXM.exe
  C:\Windows\System32\zCBBkXM.exe
  2⤵
  PID:5912
- C:\Windows\System32\oQTFXkO.exe
  C:\Windows\System32\oQTFXkO.exe
  2⤵
  PID:5940
- C:\Windows\System32\jODorkB.exe
  C:\Windows\System32\jODorkB.exe
  2⤵
  PID:5956
- C:\Windows\System32\gfDPASu.exe
  C:\Windows\System32\gfDPASu.exe
  2⤵
  PID:5996
- C:\Windows\System32\BVortfW.exe
  C:\Windows\System32\BVortfW.exe
  2⤵
  PID:6024
- C:\Windows\System32\rXupsPa.exe
  C:\Windows\System32\rXupsPa.exe
  2⤵
  PID:6052
- C:\Windows\System32\kWaXJpn.exe
  C:\Windows\System32\kWaXJpn.exe
  2⤵
  PID:6080
- C:\Windows\System32\ErohuFc.exe
  C:\Windows\System32\ErohuFc.exe
  2⤵
  PID:6108
- C:\Windows\System32\LKdDMkw.exe
  C:\Windows\System32\LKdDMkw.exe
  2⤵
  PID:6132
- C:\Windows\System32\OiZcEVE.exe
  C:\Windows\System32\OiZcEVE.exe
  2⤵
  PID:388
- C:\Windows\System32\GpxRDkm.exe
  C:\Windows\System32\GpxRDkm.exe
  2⤵
  PID:4496
- C:\Windows\System32\kUEdiIz.exe
  C:\Windows\System32\kUEdiIz.exe
  2⤵
  PID:2472
- C:\Windows\System32\KolBONe.exe
  C:\Windows\System32\KolBONe.exe
  2⤵
  PID:5176
- C:\Windows\System32\yBBWUsA.exe
  C:\Windows\System32\yBBWUsA.exe
  2⤵
  PID:5224
- C:\Windows\System32\yPGDORQ.exe
  C:\Windows\System32\yPGDORQ.exe
  2⤵
  PID:5304
- C:\Windows\System32\hgdfmUH.exe
  C:\Windows\System32\hgdfmUH.exe
  2⤵
  PID:5360
- C:\Windows\System32\HDVFRPH.exe
  C:\Windows\System32\HDVFRPH.exe
  2⤵
  PID:5420
- C:\Windows\System32\cVutHXz.exe
  C:\Windows\System32\cVutHXz.exe
  2⤵
  PID:5484
- C:\Windows\System32\SWYVzob.exe
  C:\Windows\System32\SWYVzob.exe
  2⤵
  PID:5560
- C:\Windows\System32\xePHPRs.exe
  C:\Windows\System32\xePHPRs.exe
  2⤵
  PID:5612
- C:\Windows\System32\wACKmNe.exe
  C:\Windows\System32\wACKmNe.exe
  2⤵
  PID:5668
- C:\Windows\System32\dzMJffv.exe
  C:\Windows\System32\dzMJffv.exe
  2⤵
  PID:5736
- C:\Windows\System32\SKvXqHQ.exe
  C:\Windows\System32\SKvXqHQ.exe
  2⤵
  PID:5784
- C:\Windows\System32\laguIzY.exe
  C:\Windows\System32\laguIzY.exe
  2⤵
  PID:5864
- C:\Windows\System32\wLgcJfw.exe
  C:\Windows\System32\wLgcJfw.exe
  2⤵
  PID:5924
- C:\Windows\System32\oRWGPGK.exe
  C:\Windows\System32\oRWGPGK.exe
  2⤵
  PID:5980
- C:\Windows\System32\vubFlpw.exe
  C:\Windows\System32\vubFlpw.exe
  2⤵
  PID:6036
- C:\Windows\System32\rzoSmyy.exe
  C:\Windows\System32\rzoSmyy.exe
  2⤵
  PID:6092
- C:\Windows\System32\xElXFUV.exe
  C:\Windows\System32\xElXFUV.exe
  2⤵
  PID:2580
- C:\Windows\System32\NfPERnC.exe
  C:\Windows\System32\NfPERnC.exe
  2⤵
  PID:5148
- C:\Windows\System32\PLgmlre.exe
  C:\Windows\System32\PLgmlre.exe
  2⤵
  PID:5280
- C:\Windows\System32\KoDewpk.exe
  C:\Windows\System32\KoDewpk.exe
  2⤵
  PID:5388
- C:\Windows\System32\CrsxVla.exe
  C:\Windows\System32\CrsxVla.exe
  2⤵
  PID:5532
- C:\Windows\System32\rMDIihF.exe
  C:\Windows\System32\rMDIihF.exe
  2⤵
  PID:980
- C:\Windows\System32\CAMcmaE.exe
  C:\Windows\System32\CAMcmaE.exe
  2⤵
  PID:5812
- C:\Windows\System32\RBdtCCB.exe
  C:\Windows\System32\RBdtCCB.exe
  2⤵
  PID:5892
- C:\Windows\System32\hZDhHcV.exe
  C:\Windows\System32\hZDhHcV.exe
  2⤵
  PID:5020
- C:\Windows\System32\ihScnXI.exe
  C:\Windows\System32\ihScnXI.exe
  2⤵
  PID:1120
- C:\Windows\System32\qBgmPSz.exe
  C:\Windows\System32\qBgmPSz.exe
  2⤵
  PID:972
- C:\Windows\System32\qLLIAIb.exe
  C:\Windows\System32\qLLIAIb.exe
  2⤵
  PID:6160
- C:\Windows\System32\LtnbYVw.exe
  C:\Windows\System32\LtnbYVw.exe
  2⤵
  PID:6200
- C:\Windows\System32\sXRSPOB.exe
  C:\Windows\System32\sXRSPOB.exe
  2⤵
  PID:6216
- C:\Windows\System32\rVlasMO.exe
  C:\Windows\System32\rVlasMO.exe
  2⤵
  PID:6256
- C:\Windows\System32\CRoozIX.exe
  C:\Windows\System32\CRoozIX.exe
  2⤵
  PID:6284
- C:\Windows\System32\ZHXJDAS.exe
  C:\Windows\System32\ZHXJDAS.exe
  2⤵
  PID:6308
- C:\Windows\System32\kcGDNxS.exe
  C:\Windows\System32\kcGDNxS.exe
  2⤵
  PID:6340
- C:\Windows\System32\OlexaSS.exe
  C:\Windows\System32\OlexaSS.exe
  2⤵
  PID:6368
- C:\Windows\System32\FCtEbCY.exe
  C:\Windows\System32\FCtEbCY.exe
  2⤵
  PID:6392
- C:\Windows\System32\yqJgnoh.exe
  C:\Windows\System32\yqJgnoh.exe
  2⤵
  PID:6412
- C:\Windows\System32\DdgKAZc.exe
  C:\Windows\System32\DdgKAZc.exe
  2⤵
  PID:6452
- C:\Windows\System32\nJYIZot.exe
  C:\Windows\System32\nJYIZot.exe
  2⤵
  PID:6480
- C:\Windows\System32\CzRUKka.exe
  C:\Windows\System32\CzRUKka.exe
  2⤵
  PID:6508
- C:\Windows\System32\rilGzcU.exe
  C:\Windows\System32\rilGzcU.exe
  2⤵
  PID:6536
- C:\Windows\System32\CbIRfBj.exe
  C:\Windows\System32\CbIRfBj.exe
  2⤵
  PID:6560
- C:\Windows\System32\psreHAp.exe
  C:\Windows\System32\psreHAp.exe
  2⤵
  PID:6588
- C:\Windows\System32\MhOFYpF.exe
  C:\Windows\System32\MhOFYpF.exe
  2⤵
  PID:6620
- C:\Windows\System32\lPbIApX.exe
  C:\Windows\System32\lPbIApX.exe
  2⤵
  PID:6648
- C:\Windows\System32\pkdULxx.exe
  C:\Windows\System32\pkdULxx.exe
  2⤵
  PID:6676
- C:\Windows\System32\udraGfb.exe
  C:\Windows\System32\udraGfb.exe
  2⤵
  PID:6704
- C:\Windows\System32\bNOpryc.exe
  C:\Windows\System32\bNOpryc.exe
  2⤵
  PID:6732
- C:\Windows\System32\xZPPwRj.exe
  C:\Windows\System32\xZPPwRj.exe
  2⤵
  PID:6760
- C:\Windows\System32\NYyqBDl.exe
  C:\Windows\System32\NYyqBDl.exe
  2⤵
  PID:6788
- C:\Windows\System32\CIrqBPa.exe
  C:\Windows\System32\CIrqBPa.exe
  2⤵
  PID:6816
- C:\Windows\System32\gEiMcmk.exe
  C:\Windows\System32\gEiMcmk.exe
  2⤵
  PID:6844
- C:\Windows\System32\TJWXKlB.exe
  C:\Windows\System32\TJWXKlB.exe
  2⤵
  PID:6872
- C:\Windows\System32\LRTcycY.exe
  C:\Windows\System32\LRTcycY.exe
  2⤵
  PID:6896
- C:\Windows\System32\QsIJDfJ.exe
  C:\Windows\System32\QsIJDfJ.exe
  2⤵
  PID:6928
- C:\Windows\System32\AEcYIYR.exe
  C:\Windows\System32\AEcYIYR.exe
  2⤵
  PID:6956
- C:\Windows\System32\bRsBYKw.exe
  C:\Windows\System32\bRsBYKw.exe
  2⤵
  PID:6984
- C:\Windows\System32\wrmCkQQ.exe
  C:\Windows\System32\wrmCkQQ.exe
  2⤵
  PID:7012
- C:\Windows\System32\ZasrtJP.exe
  C:\Windows\System32\ZasrtJP.exe
  2⤵
  PID:7040
- C:\Windows\System32\MVazhEw.exe
  C:\Windows\System32\MVazhEw.exe
  2⤵
  PID:7068
- C:\Windows\System32\BmHYCQJ.exe
  C:\Windows\System32\BmHYCQJ.exe
  2⤵
  PID:7092
- C:\Windows\System32\zyzmSir.exe
  C:\Windows\System32\zyzmSir.exe
  2⤵
  PID:7124
- C:\Windows\System32\iycHDcz.exe
  C:\Windows\System32\iycHDcz.exe
  2⤵
  PID:7152
- C:\Windows\System32\UjTTfYK.exe
  C:\Windows\System32\UjTTfYK.exe
  2⤵
  PID:1460
- C:\Windows\System32\vDUJtHa.exe
  C:\Windows\System32\vDUJtHa.exe
  2⤵
  PID:5780
- C:\Windows\System32\LkgoWYs.exe
  C:\Windows\System32\LkgoWYs.exe
  2⤵
  PID:6004
- C:\Windows\System32\EIXmJsH.exe
  C:\Windows\System32\EIXmJsH.exe
  2⤵
  PID:5332
- C:\Windows\System32\wXPlGlP.exe
  C:\Windows\System32\wXPlGlP.exe
  2⤵
  PID:2812
- C:\Windows\System32\KweyRtV.exe
  C:\Windows\System32\KweyRtV.exe
  2⤵
  PID:6232
- C:\Windows\System32\IxoSKjp.exe
  C:\Windows\System32\IxoSKjp.exe
  2⤵
  PID:1672
- C:\Windows\System32\yMvqwHs.exe
  C:\Windows\System32\yMvqwHs.exe
  2⤵
  PID:6376
- C:\Windows\System32\VnFfiLq.exe
  C:\Windows\System32\VnFfiLq.exe
  2⤵
  PID:6428
- C:\Windows\System32\VZYwqtt.exe
  C:\Windows\System32\VZYwqtt.exe
  2⤵
  PID:6500
- C:\Windows\System32\ugWDzBY.exe
  C:\Windows\System32\ugWDzBY.exe
  2⤵
  PID:6548
- C:\Windows\System32\gvTPSZY.exe
  C:\Windows\System32\gvTPSZY.exe
  2⤵
  PID:6604
- C:\Windows\System32\QMZHwjO.exe
  C:\Windows\System32\QMZHwjO.exe
  2⤵
  PID:6640
- C:\Windows\System32\LzesiYb.exe
  C:\Windows\System32\LzesiYb.exe
  2⤵
  PID:6724
- C:\Windows\System32\DlPLeXq.exe
  C:\Windows\System32\DlPLeXq.exe
  2⤵
  PID:6908
- C:\Windows\System32\hDwxJlK.exe
  C:\Windows\System32\hDwxJlK.exe
  2⤵
  PID:6964
- C:\Windows\System32\mBmNkVP.exe
  C:\Windows\System32\mBmNkVP.exe
  2⤵
  PID:7032
- C:\Windows\System32\Cktcixo.exe
  C:\Windows\System32\Cktcixo.exe
  2⤵
  PID:7076
- C:\Windows\System32\YsAbjqW.exe
  C:\Windows\System32\YsAbjqW.exe
  2⤵
  PID:7136
- C:\Windows\System32\tcdseWP.exe
  C:\Windows\System32\tcdseWP.exe
  2⤵
  PID:5876
- C:\Windows\System32\jmXjsnc.exe
  C:\Windows\System32\jmXjsnc.exe
  2⤵
  PID:4984
- C:\Windows\System32\WNfZpME.exe
  C:\Windows\System32\WNfZpME.exe
  2⤵
  PID:6208
- C:\Windows\System32\bdtuAHO.exe
  C:\Windows\System32\bdtuAHO.exe
  2⤵
  PID:4068
- C:\Windows\System32\iEXXeFE.exe
  C:\Windows\System32\iEXXeFE.exe
  2⤵
  PID:632
- C:\Windows\System32\wYpHRrn.exe
  C:\Windows\System32\wYpHRrn.exe
  2⤵
  PID:6516
- C:\Windows\System32\CArEJMn.exe
  C:\Windows\System32\CArEJMn.exe
  2⤵
  PID:4104
- C:\Windows\System32\mxLfkEP.exe
  C:\Windows\System32\mxLfkEP.exe
  2⤵
  PID:6668
- C:\Windows\System32\XYXBhng.exe
  C:\Windows\System32\XYXBhng.exe
  2⤵
  PID:5072
- C:\Windows\System32\RYpmQDg.exe
  C:\Windows\System32\RYpmQDg.exe
  2⤵
  PID:400
- C:\Windows\System32\zWrAeIo.exe
  C:\Windows\System32\zWrAeIo.exe
  2⤵
  PID:3636
- C:\Windows\System32\TaHBxqY.exe
  C:\Windows\System32\TaHBxqY.exe
  2⤵
  PID:6712
- C:\Windows\System32\AkRrmRO.exe
  C:\Windows\System32\AkRrmRO.exe
  2⤵
  PID:2844
- C:\Windows\System32\WoXIhdM.exe
  C:\Windows\System32\WoXIhdM.exe
  2⤵
  PID:6940
- C:\Windows\System32\rzMZTYU.exe
  C:\Windows\System32\rzMZTYU.exe
  2⤵
  PID:2396
- C:\Windows\System32\nVzpOwJ.exe
  C:\Windows\System32\nVzpOwJ.exe
  2⤵
  PID:2288
- C:\Windows\System32\eIpEkDX.exe
  C:\Windows\System32\eIpEkDX.exe
  2⤵
  PID:3088
- C:\Windows\System32\euBexVu.exe
  C:\Windows\System32\euBexVu.exe
  2⤵
  PID:3876
- C:\Windows\System32\dvPKlnV.exe
  C:\Windows\System32\dvPKlnV.exe
  2⤵
  PID:2612
- C:\Windows\System32\wOcWNjg.exe
  C:\Windows\System32\wOcWNjg.exe
  2⤵
  PID:3252
- C:\Windows\System32\TeTzCbL.exe
  C:\Windows\System32\TeTzCbL.exe
  2⤵
  PID:4812
- C:\Windows\System32\giZVrdn.exe
  C:\Windows\System32\giZVrdn.exe
  2⤵
  PID:5504
- C:\Windows\System32\XRcZWsM.exe
  C:\Windows\System32\XRcZWsM.exe
  2⤵
  PID:6332
- C:\Windows\System32\kvyNYUK.exe
  C:\Windows\System32\kvyNYUK.exe
  2⤵
  PID:3668
- C:\Windows\System32\vtrgkGK.exe
  C:\Windows\System32\vtrgkGK.exe
  2⤵
  PID:3632
- C:\Windows\System32\hCrXsFb.exe
  C:\Windows\System32\hCrXsFb.exe
  2⤵
  PID:7176
- C:\Windows\System32\pEfkoYC.exe
  C:\Windows\System32\pEfkoYC.exe
  2⤵
  PID:7204
- C:\Windows\System32\zgiDCax.exe
  C:\Windows\System32\zgiDCax.exe
  2⤵
  PID:7232
- C:\Windows\System32\IMqmrxg.exe
  C:\Windows\System32\IMqmrxg.exe
  2⤵
  PID:7260
- C:\Windows\System32\OfMeCmj.exe
  C:\Windows\System32\OfMeCmj.exe
  2⤵
  PID:7288
- C:\Windows\System32\HKfTSwI.exe
  C:\Windows\System32\HKfTSwI.exe
  2⤵
  PID:7304
- C:\Windows\System32\iqdNyMJ.exe
  C:\Windows\System32\iqdNyMJ.exe
  2⤵
  PID:7324
- C:\Windows\System32\aTjMVsG.exe
  C:\Windows\System32\aTjMVsG.exe
  2⤵
  PID:7352
- C:\Windows\System32\STMIGOS.exe
  C:\Windows\System32\STMIGOS.exe
  2⤵
  PID:7368
- C:\Windows\System32\PjJBjKl.exe
  C:\Windows\System32\PjJBjKl.exe
  2⤵
  PID:7396
- C:\Windows\System32\IMDtJgz.exe
  C:\Windows\System32\IMDtJgz.exe
  2⤵
  PID:7424
- C:\Windows\System32\IrPdvRF.exe
  C:\Windows\System32\IrPdvRF.exe
  2⤵
  PID:7836
- C:\Windows\System32\IcDqanm.exe
  C:\Windows\System32\IcDqanm.exe
  2⤵
  PID:7860
- C:\Windows\System32\DfTCGpv.exe
  C:\Windows\System32\DfTCGpv.exe
  2⤵
  PID:7896
- C:\Windows\System32\pqAnnax.exe
  C:\Windows\System32\pqAnnax.exe
  2⤵
  PID:7928
- C:\Windows\System32\DtHfgXy.exe
  C:\Windows\System32\DtHfgXy.exe
  2⤵
  PID:7964
- C:\Windows\System32\iQUPccS.exe
  C:\Windows\System32\iQUPccS.exe
  2⤵
  PID:8000
- C:\Windows\System32\UVumCuE.exe
  C:\Windows\System32\UVumCuE.exe
  2⤵
  PID:8040
- C:\Windows\System32\VMNqsNf.exe
  C:\Windows\System32\VMNqsNf.exe
  2⤵
  PID:8072
- C:\Windows\System32\MquHibK.exe
  C:\Windows\System32\MquHibK.exe
  2⤵
  PID:8100
- C:\Windows\System32\UlrgdOY.exe
  C:\Windows\System32\UlrgdOY.exe
  2⤵
  PID:8136
- C:\Windows\System32\qLTJPWU.exe
  C:\Windows\System32\qLTJPWU.exe
  2⤵
  PID:8180
- C:\Windows\System32\kXwqiZy.exe
  C:\Windows\System32\kXwqiZy.exe
  2⤵
  PID:3044
- C:\Windows\System32\BNFGmvk.exe
  C:\Windows\System32\BNFGmvk.exe
  2⤵
  PID:6120
- C:\Windows\System32\islyGWT.exe
  C:\Windows\System32\islyGWT.exe
  2⤵
  PID:7344
- C:\Windows\System32\BtAKrxX.exe
  C:\Windows\System32\BtAKrxX.exe
  2⤵
  PID:7408
- C:\Windows\System32\HjGOJYl.exe
  C:\Windows\System32\HjGOJYl.exe
  2⤵
  PID:1996
- C:\Windows\System32\szNyFbS.exe
  C:\Windows\System32\szNyFbS.exe
  2⤵
  PID:7676
- C:\Windows\System32\uzYMGfi.exe
  C:\Windows\System32\uzYMGfi.exe
  2⤵
  PID:1044
- C:\Windows\System32\kDPoxtx.exe
  C:\Windows\System32\kDPoxtx.exe
  2⤵
  PID:7796
- C:\Windows\System32\wEQsZNl.exe
  C:\Windows\System32\wEQsZNl.exe
  2⤵
  PID:8108
- C:\Windows\System32\qfPAtEb.exe
  C:\Windows\System32\qfPAtEb.exe
  2⤵
  PID:8116
- C:\Windows\System32\MrCGort.exe
  C:\Windows\System32\MrCGort.exe
  2⤵
  PID:7196
- C:\Windows\System32\FuGVxiB.exe
  C:\Windows\System32\FuGVxiB.exe
  2⤵
  PID:7240
- C:\Windows\System32\gsIrJED.exe
  C:\Windows\System32\gsIrJED.exe
  2⤵
  PID:7296
- C:\Windows\System32\NGYQxwt.exe
  C:\Windows\System32\NGYQxwt.exe
  2⤵
  PID:2168
- C:\Windows\System32\wHFtIyf.exe
  C:\Windows\System32\wHFtIyf.exe
  2⤵
  PID:2160
- C:\Windows\System32\hiPISxY.exe
  C:\Windows\System32\hiPISxY.exe
  2⤵
  PID:7348
- C:\Windows\System32\ToyeICK.exe
  C:\Windows\System32\ToyeICK.exe
  2⤵
  PID:7652
- C:\Windows\System32\HAQDeeb.exe
  C:\Windows\System32\HAQDeeb.exe
  2⤵
  PID:7336
- C:\Windows\System32\KmOPcgA.exe
  C:\Windows\System32\KmOPcgA.exe
  2⤵
  PID:3692
- C:\Windows\System32\KHiCGle.exe
  C:\Windows\System32\KHiCGle.exe
  2⤵
  PID:7724
- C:\Windows\System32\pxzKpdU.exe
  C:\Windows\System32\pxzKpdU.exe
  2⤵
  PID:7456
- C:\Windows\System32\ZGKdCsF.exe
  C:\Windows\System32\ZGKdCsF.exe
  2⤵
  PID:3092
- C:\Windows\System32\muiletR.exe
  C:\Windows\System32\muiletR.exe
  2⤵
  PID:7868
- C:\Windows\System32\txCOYXv.exe
  C:\Windows\System32\txCOYXv.exe
  2⤵
  PID:7516
- C:\Windows\System32\zwNrMvm.exe
  C:\Windows\System32\zwNrMvm.exe
  2⤵
  PID:7528
- C:\Windows\System32\EDffRWZ.exe
  C:\Windows\System32\EDffRWZ.exe
  2⤵
  PID:7544
- C:\Windows\System32\nGLkbeu.exe
  C:\Windows\System32\nGLkbeu.exe
  2⤵
  PID:7568
- C:\Windows\System32\MrZONgT.exe
  C:\Windows\System32\MrZONgT.exe
  2⤵
  PID:2132
- C:\Windows\System32\xykrTll.exe
  C:\Windows\System32\xykrTll.exe
  2⤵
  PID:2100
- C:\Windows\System32\LQhXMaj.exe
  C:\Windows\System32\LQhXMaj.exe
  2⤵
  PID:4668
- C:\Windows\System32\tCIccLE.exe
  C:\Windows\System32\tCIccLE.exe
  2⤵
  PID:2764
- C:\Windows\System32\wsoMEwQ.exe
  C:\Windows\System32\wsoMEwQ.exe
  2⤵
  PID:1248
- C:\Windows\System32\CNFcdQH.exe
  C:\Windows\System32\CNFcdQH.exe
  2⤵
  PID:7588
- C:\Windows\System32\anOcElg.exe
  C:\Windows\System32\anOcElg.exe
  2⤵
  PID:7620
- C:\Windows\System32\dvoTfsp.exe
  C:\Windows\System32\dvoTfsp.exe
  2⤵
  PID:3124
- C:\Windows\System32\ZbdlYbE.exe
  C:\Windows\System32\ZbdlYbE.exe
  2⤵
  PID:7616
- C:\Windows\System32\MtvKmFa.exe
  C:\Windows\System32\MtvKmFa.exe
  2⤵
  PID:8132
- C:\Windows\System32\MEZUPPZ.exe
  C:\Windows\System32\MEZUPPZ.exe
  2⤵
  PID:5116
- C:\Windows\System32\ncKaDIf.exe
  C:\Windows\System32\ncKaDIf.exe
  2⤵
  PID:6324
- C:\Windows\System32\MiZDOUl.exe
  C:\Windows\System32\MiZDOUl.exe
  2⤵
  PID:2400
- C:\Windows\System32\KoBdXAw.exe
  C:\Windows\System32\KoBdXAw.exe
  2⤵
  PID:672
- C:\Windows\System32\BQsrUyf.exe
  C:\Windows\System32\BQsrUyf.exe
  2⤵
  PID:7808
- C:\Windows\System32\hwfcoVS.exe
  C:\Windows\System32\hwfcoVS.exe
  2⤵
  PID:7508

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AvjXOvV.exe

Filesize
3.2MB

MD5
b958d8c722d78f70db38c0f435a06b64

SHA1
5636c229a065c779227c88c52ad3324341838dde

SHA256
7650f1dfa8d42e43ffcc76872c451a64df514d96ffd65b3f607deb65bb170fb9

SHA512
74a8b5a2baf3aac20fa4e25f8127d14afdcc99e1b1950d08036828a801959e48d96994850a8beabe402856fa5fd4c0b285c8716f83b9201b5a8456535bd44290

Download Submit
C:\Windows\System32\AziCqEw.exe

Filesize
3.2MB

MD5
cfdd571613a6634c3339fa8f7a59434c

SHA1
5836625cc969cc901b9f9a95973535716733c138

SHA256
d798d8a654a819f459ccb84709612281b8fc4bd982efb91d907cc8e9ada65851

SHA512
c0d7fe81009881fb90ad9bf6e24bc0056db2cbae14278a6101b769f95a4bfccf0e77327205dbe676437190f1519152ae2ba88a21c34ef183a2bbaa36ac351d25

Download Submit
C:\Windows\System32\BnosyqX.exe

Filesize
3.2MB

MD5
d9f14b07190ffa00910b5bd8b581bea9

SHA1
90967ce19259791f869e758e47696223f9638cfd

SHA256
ce309b7b36b3e28c6df43ca0d4b52d8119d1afe30a5c80b1ccf1b18cfaba56cc

SHA512
0bcc87fe3d0ab65f47813b9044695b94c03501868bec07800f3996500532844be2b353dee76c1e3c1034704d4b6348e2100a665831adce34f972a2d808e9e993

Download Submit
C:\Windows\System32\CPmrfEY.exe

Filesize
3.2MB

MD5
a3583c5c6fae4ad9f1848f91e9ca63b2

SHA1
cfc0d131b354ae896fe356853565631bd661e018

SHA256
9e5da50ee19a64656486ed5e7f550019e99f2e8950cb53921dad281893bfa35a

SHA512
25eeed100c4c9b6b6109109fe43a94a15a264c9e4fecfccffe9eaf2f865716288d9aa588598263ccc59292aaab6e3e100ce10e5fd074f9949a154aa43040b282

Download Submit
C:\Windows\System32\Flwrmhy.exe

Filesize
3.2MB

MD5
a1d1cdbcfb56a7b8d64cc79ea52ce49d

SHA1
83f2b102c032a456e09bab6d879b7bd485fc4a0e

SHA256
cf8227e19003bd2211acf7813f53a3eef3da11a3b57e7db2ee9ea17bfa198e84

SHA512
29d99c3d544d65c883a0ec2794d17059f4f967a71c0e24e7c8e321016da40f2f347aabdb9b7b9f1319082f0fc27dc792635dcbdb693053661e97eab8606a439a

Download Submit
C:\Windows\System32\GtLzVfU.exe

Filesize
3.2MB

MD5
c26a58510877fac1657da47a8db49ff0

SHA1
79df1926d61403d611108262444f22b792b761cb

SHA256
4f97fbd40585217c1610cee7f589d3afb0c91e9f7a51ff50a3a8581abf0e8272

SHA512
5a5895f483efd020d14ee611289b4ee57e597a7b398f7a10a5fd852c21c5f323cf3120b087bd98e5cd40f6bc4eb304d8f583edd1a1ce18a885a17babfab4c073

Download Submit
C:\Windows\System32\IsNLGPD.exe

Filesize
3.2MB

MD5
8261b31e124e23a3011740eb10db4805

SHA1
c5d3af4737cd7bd824ba3e9213376eef5b73afe7

SHA256
c00f302563f56a3363758eb668083240013d05054d2ff51c9bbca0d250ca373d

SHA512
105dae1a991662cb348ecc262506b96373367807e3a207c1dfee4f7d06045de1df77d9a66e46e41cdc24c2029f3b0021b6c79813c1bf6dcbb334ccd84fafccf7

Download Submit
C:\Windows\System32\OXjVdrR.exe

Filesize
3.2MB

MD5
27024c5ee0e6fa3495fd92ce645b5f04

SHA1
d435edb4016a39dd19a025ebcacfcd0782ae5e98

SHA256
7a11b8ab54878f6515fa7df0943dbfae8d3bdb6a198c8aafcc28907d5bfe1414

SHA512
91ca1a5bc6d678f05eb8d49222449890433bdc21c8961d465cb618f3f5c6ec339bbdb0830906c412f294dc25234dc13ff0324e3f75333333cea6d81ba407096c

Download Submit
C:\Windows\System32\OlVUdXV.exe

Filesize
3.2MB

MD5
d9ef4feed5f6426b9d6c4c6d3cccd14e

SHA1
bff356fe45734d51ce508e2861bb90c6cef7f73c

SHA256
00f9e5295dc684006aa72b712f23edf51980439155c51c3a1d5a1f92ddc57318

SHA512
f115f020a75398d92da7c20aacd937129ae9ab5d28e14fc3a83531d7014b363f5809ae17b9de1160ab2c751cf9f8c40a9f45cc6b1072380b977046a647de328d

Download Submit
C:\Windows\System32\RjzrToP.exe

Filesize
3.2MB

MD5
c83fda205743cf45a2ec156ff9d0a512

SHA1
68c54d6d39fc730352b5771fd980cb2c97fe0f48

SHA256
677e7fedf4d6d46e8525e606eae4226222b8a83b9d6db00f0e57d66acecac204

SHA512
c630653d4e036abcc8a324dafa721576ff60c5c9b57c6f6773b688d31196a0f72ae698fcef0d796493a0487840903a2811f9835c544e43214b6363fd15dfb55b

Download Submit
C:\Windows\System32\TTIkXbv.exe

Filesize
3.2MB

MD5
7434d4175c50df15809ca022fe85848d

SHA1
a9dbbc65551ad444db21fd7fa16c519498202d75

SHA256
f81b1dbbe5de79b16797e50176e42d54035fbff17bdd2e386a0a2ebdb88efcef

SHA512
b1666aa458a5f649d62d993fb25fa745b7b98a4df64e9203c23811c8b4fdc10d782b0579556ccec453ddc9b6356ab9859119605a525e5ed7ebc97f0374a0b282

Download Submit
C:\Windows\System32\WIwtUxW.exe

Filesize
3.2MB

MD5
8c43aabb988c7e0a05e2214296de8c97

SHA1
4a008244f08b72fb78def27442d1f9fa07a5d6e4

SHA256
3e458091056058e510533f1da61226e615a77100348e9b8fc0769483fe96903c

SHA512
20a7e09692ae78a22a185a9ac719fc40ad928214d8e1ca4e3ac36f62804dc90316c9cb8babf56529fb800ed6b1157ed8df4c2ba59ef0c7b9874182b8d0d7cc53

Download Submit
C:\Windows\System32\YasIakr.exe

Filesize
3.2MB

MD5
2010579170d7bdceb66f66728cbafae3

SHA1
542a7783b2743585a091db0a2408e19c46bbd26e

SHA256
9d5fabb41a5d2e79b5abb1279de5d5f14fe6451a4882abcc026eae80e0f60b63

SHA512
15c3d93b6a72e4f9328a7da991e48497870f79a14b0cd0a0da92984e4f7e72384a6ceb0655bf09c8392f89983d5525180a9c61a9464c98796bcc038224f14889

Download Submit
C:\Windows\System32\ekUnMig.exe

Filesize
3.2MB

MD5
efbb4e2753833bcf76b9a82f6c5b4ae4

SHA1
d07c4b97ef3a0e49b07c0223a2c51f29d73676e9

SHA256
49344c7ccc5ce65bc7c1e87e13254902b35a82f4aad1502028eff7e7128cbf36

SHA512
09bafff02a7231eac4532696a9216d8869eb2e8fc61142dfb3456bddac292aa1a83bba39da2ee92da1a8e4e97d4fbb0d534a24d577576baaa5b9b812536b71de

Download Submit
C:\Windows\System32\hMjYhWD.exe

Filesize
3.2MB

MD5
5a80479c85eb1d08984331d47549a480

SHA1
80bb55aa302fdaaec24915140d41da6585e212f2

SHA256
eab4da71d70ffb43930606a6c9e0cb209c95f1ad14e23351dcf53e198ff67dd6

SHA512
030269b5517a46dde754317f90780676d4e9aa9c3b9c803fbdc99ef9ac2e5526196930dff5a5c5d35b620d31f152e374d00d506aa28cc562b5ebaf1a5e8fad9a

Download Submit
C:\Windows\System32\ktiMdVh.exe

Filesize
3.2MB

MD5
543c70a18a2602c6170bb14c44ab2208

SHA1
c0588fe0ff9bb9e4e4f70038a102a7c95c86825d

SHA256
e615451375fbc50105f38b3fa3487ec3af95eb86142a0040ad6a825ef89de951

SHA512
d2d7a0e9e0ce7dad63249383fe421ea4f6929a50af3dd42de26ca35cc2ae7535bcd775310871be7e9427463a7708db4d840b765aa908861c328b07a378acd74c

Download Submit
C:\Windows\System32\lQtmuRH.exe

Filesize
3.2MB

MD5
7ac52190483c44f9e05ed31a2b363ada

SHA1
ab558b9cd211f5279a764d6ac9d21cf6bf607942

SHA256
fadaf842a5d5b1e5900f1eddcc9b99cedb3b6e2447498c93a3f2fe6effc3fd89

SHA512
932e270159bd3a642f98edec7122f3e8bb64bda9b700519fe321c5b91dda6522447bce7946fc6961685e80a740f3ed13ca99ae97c677b60cb4b09b68115d0134

Download Submit
C:\Windows\System32\mJYiwnj.exe

Filesize
3.2MB

MD5
c1dd6ae5c870cb5840921ebf22128f7a

SHA1
0abf7cd42148e3d942f0ace4bcf75a160d8717a6

SHA256
084ea1d834c914326f78924a3fd5de886b094b948479998eadbca95932729d96

SHA512
0d72c5f2dc8d8ab9a964b59538b4f43b198cbc2d4c3c6f106aa5dba2dd38c3c3cb97f9a5ccb81453b027f141238dbc01c5f7f9824db22940291655c7a95114d5

Download Submit
C:\Windows\System32\mNpSPQH.exe

Filesize
3.2MB

MD5
dd3ec7f11cdccf7023d6aaa25d654caa

SHA1
6b97035fb093424e20a45d0e3e228eaeb1356cd1

SHA256
0376d06941a459aa7aa2b15a30a1dd9ae7a14d4f480cf1737244dfbf99c64c02

SHA512
77f61aca2d53acf3f89354df14c59465448c3fb38e591db324dd653971181ee79933b792783aa39f13205bf7cc92fd36695469522dc407245d304058a9522a7a

Download Submit
C:\Windows\System32\ogVKWOp.exe

Filesize
3.2MB

MD5
e58626b5eb41673a6691946e339ecb13

SHA1
e08f8763e4930182ae9a22223de7535d5b240cb0

SHA256
4ca60bb78a6d8fbfc0151c65d3550fcea399e1c4d59ad06bee5c839f732f41af

SHA512
0cdb3e6913836f1f592e653f4589b8f164f0f96eac5011160800234d764f439869e01201916c7fb751d8fd756bfcef11180f41df1b865d465d2b613cffc68f05

Download Submit
C:\Windows\System32\ongLtfW.exe

Filesize
3.2MB

MD5
04abf1510e2dd85d4d22704e60c19761

SHA1
fac5da1f9475e9403f8135a4b22c13d7f10baf47

SHA256
d72fa84b0cbfa0beff303754f699f65065c46b79ad5b6a8e20abb1628026e74b

SHA512
5a1eef6e79770e7ff7b6153236fc7d1488b01ff5d5f500f27f2ac5dcc8ae2ac9e17835425e300aaa9da200d7833aebd65d4e162e6021107a6576de80d7ec5ae9

Download Submit
C:\Windows\System32\orjeqTz.exe

Filesize
3.2MB

MD5
a2f4ee1ac23ba5893182f3cbc4536ded

SHA1
7bc3e017ce451d5a5be9c90bebb0c40cba9c71c1

SHA256
7cc23eff7ac3c302f657e1b474ce96aa3cabd9da37ceb209177a1805fcfb6305

SHA512
63d6c1408421f78aaadbac278711b4adf2ea85adfd7734486f9c209ea3a7b578565b23788a052bda95f4d6e185e93ae6150876db9ba5554f828a2302eebf8d2c

Download Submit
C:\Windows\System32\pZiGhFS.exe

Filesize
3.2MB

MD5
d781ec6fe2ff175030301b9a56f3572e

SHA1
b7a180b563a86a0917f24c42b43cbcdcbde6519a

SHA256
ca01585ac1c6f3cb2f2f3250631067702c231aa8259ce782c7b6a53854ad8628

SHA512
2faa03fddb0b044f2691efb5d848ea492beecefa32b0b3c0f98d4a255cebc58d2c21a6acc276648700dda820011d31a1e8e9e58f441b2d2fbdd7c108c261ab07

Download Submit
C:\Windows\System32\qIXAbpM.exe

Filesize
3.2MB

MD5
74563c7a56fc279567930ff9b84e004e

SHA1
aea634eec98535054e42b432ce13e5b322af8a28

SHA256
2721f313c6510d97bb4cd9819090faff2a596049cf3b12445398f121c68a3dcd

SHA512
b0e47c423ce1947df3b9bd66c0b3dbe37b637b6c22619cee77f777916cde4c5f60f8c44324f0744a9f7434de8ec9ef79b93343d7d5ee907edd2a938f2a99f790

Download Submit
C:\Windows\System32\qNNVuEF.exe

Filesize
3.2MB

MD5
bd9b8a2d99ac6877b09c743849aaa190

SHA1
945d32248e60f36a01db53b05da2d3ede02ab88f

SHA256
934775e0c3529b13cb981c0a19a02115f9123f079864c64df3df345705b7f82d

SHA512
b73b424c74fb30d70550d5b274131890282a940bf470d8182a5cedf55f9f0903b86457795258c828430a6914722f18712b441dbd0a40332118c9e13683539feb

Download Submit
C:\Windows\System32\rJmPwkW.exe

Filesize
3.2MB

MD5
bf1a20c9263ba2342d6153b6d247efc5

SHA1
60a9cf3fe0cd231f033b330fb5bf4f9779ee00ab

SHA256
932c72c982a9e2dd47e996d7988384126d67ebd3097dd06e3c402b6c928b34fb

SHA512
932ab2035c087a8badc8b9a5d48066a9ca82d537af6fd9ae2d8260a04b061120c6edd84d3068370c379ada6e92f18db62b8c32350185e9324754b09570d16057

Download Submit
C:\Windows\System32\rsrybSa.exe

Filesize
3.2MB

MD5
74d30427019a015814f400b151d70fde

SHA1
6a4954a8c218ffdf8f27c9ec7df139aa3249fb89

SHA256
90147fda0e37c6ff0858f27c4c454ea3bfda2a36d1efd349415b58e2d111d153

SHA512
51eb33eb521bc4ec98a5fc0ea75521357f6d94a7bc1365be4c23f7eac7e879766990b3121f3ad91231dcecfe7653fc3458ae47a97f364a9e72473c61f6ba31b9

Download Submit
C:\Windows\System32\tAViAfn.exe

Filesize
3.2MB

MD5
ca0489aeb6d3c0fdb76e009cd8a08c86

SHA1
9ced793e8128496bc7888849990fcaa96d8cfb6b

SHA256
5ccc7de71c3d66a69364a4c0a9ca728e1cc76830fb6960fc78390b01d0f8888a

SHA512
0e4fb406fa7c76f707bd8d0216d4e2e7aa9dec1d5aedb9787bf226e9ed81ebe12f1ec30033a4651b3df7ba33addf627180d4b0b71c68ee79952709fcc8d6e94c

Download Submit
C:\Windows\System32\uNRWQIJ.exe

Filesize
3.2MB

MD5
7d588e14e9521b4a468dd78f371d1f5c

SHA1
5df8e4dd5abd424fb909a67b5b7bff4a76555a5b

SHA256
68fef7cd871704238e7b1dd05a2aded2e6f2453e6d58a55063c5326f261f7491

SHA512
30982fae861748f888a37a48cfd23adfcbb406312df661fec45c7fc6e8f0f0094d8fa7ec18d5c29a6013db34b31417bde1fb3625c517224fd48246ddd59fa17a

Download Submit
C:\Windows\System32\vHUmGjM.exe

Filesize
3.2MB

MD5
b1a5e4e96415e23deb92e3af16e7ce22

SHA1
6c1b27048369dae956f9dc084be0da97919becdc

SHA256
e39f45fec4369b540a5a86641c55d69a2b633e9274e65e7a4f89cd6da1217029

SHA512
f2b50f423ce66e8a057b3b5cdb96d6c9602e4334cbad043ad73f2ff6d7a8288673403527d02a40047d1417d758a61757604c401501a62dcdcf1f743299a3f31d

Download Submit
C:\Windows\System32\yfpAEmw.exe

Filesize
3.2MB

MD5
4d27c47e7a351544cbb7eedbbfbdc9c5

SHA1
722f524acbd8ca47cf890b55d3237322c6eedf02

SHA256
1c6175c264e409ca0894d6fea25522dfbc9b4433259acd256554c6ed7488d39b

SHA512
8cdbd317a27aadaa1e0e6c9ae26eb44b560fcdd2a11a9e79ef87e0bfd9b7e893c41ed8ae5884720da4d3542c4a1c608afda87daf9801aa397aec4daef3e21eea

Download Submit
C:\Windows\System32\yiATFyt.exe

Filesize
3.2MB

MD5
159084109248c3c00bdaeee79a49a1d2

SHA1
cb8e400fa35fb517c05f94d152821c1b9b0cee5b

SHA256
e52c558ec6ac1104df5ef46167b727c536e1a69438ebd297c80a72662fc03ac7

SHA512
ae67e64e47ec5e5dc545592680b588fa9d37384033a579c70028a1d4f44e3d630d00692240cb2c3d58ed00884914e7ce067240930d8de216c01d47366f4b3f2d

Download Submit
memory/116-8-0x00007FF703E70000-0x00007FF704265000-memory.dmp

Filesize
4.0MB

Download
memory/560-854-0x00007FF7201D0000-0x00007FF7205C5000-memory.dmp

Filesize
4.0MB

Download
memory/780-861-0x00007FF659510000-0x00007FF659905000-memory.dmp

Filesize
4.0MB

Download
memory/816-723-0x00007FF666CC0000-0x00007FF6670B5000-memory.dmp

Filesize
4.0MB

Download
memory/952-866-0x00007FF630540000-0x00007FF630935000-memory.dmp

Filesize
4.0MB

Download
memory/1080-711-0x00007FF7226B0000-0x00007FF722AA5000-memory.dmp

Filesize
4.0MB

Download
memory/1252-836-0x00007FF64A8E0000-0x00007FF64ACD5000-memory.dmp

Filesize
4.0MB

Download
memory/1284-853-0x00007FF7CC970000-0x00007FF7CCD65000-memory.dmp

Filesize
4.0MB

Download
memory/1380-743-0x00007FF6F1DF0000-0x00007FF6F21E5000-memory.dmp

Filesize
4.0MB

Download
memory/1624-738-0x00007FF795690000-0x00007FF795A85000-memory.dmp

Filesize
4.0MB

Download
memory/1660-857-0x00007FF691670000-0x00007FF691A65000-memory.dmp

Filesize
4.0MB

Download
memory/1748-838-0x00007FF7AAF50000-0x00007FF7AB345000-memory.dmp

Filesize
4.0MB

Download
memory/1776-855-0x00007FF7BE370000-0x00007FF7BE765000-memory.dmp

Filesize
4.0MB

Download
memory/1888-834-0x00007FF6E3F60000-0x00007FF6E4355000-memory.dmp

Filesize
4.0MB

Download
memory/1948-14-0x00007FF68EF30000-0x00007FF68F325000-memory.dmp

Filesize
4.0MB

Download
memory/2044-730-0x00007FF782710000-0x00007FF782B05000-memory.dmp

Filesize
4.0MB

Download
memory/2172-844-0x00007FF745AB0000-0x00007FF745EA5000-memory.dmp

Filesize
4.0MB

Download
memory/2268-835-0x00007FF6C3B70000-0x00007FF6C3F65000-memory.dmp

Filesize
4.0MB

Download
memory/2388-715-0x00007FF6EB410000-0x00007FF6EB805000-memory.dmp

Filesize
4.0MB

Download
memory/2404-700-0x00007FF6E1A60000-0x00007FF6E1E55000-memory.dmp

Filesize
4.0MB

Download
memory/2544-816-0x00007FF651F20000-0x00007FF652315000-memory.dmp

Filesize
4.0MB

Download
memory/2640-839-0x00007FF68B7A0000-0x00007FF68BB95000-memory.dmp

Filesize
4.0MB

Download
memory/2684-849-0x00007FF681E00000-0x00007FF6821F5000-memory.dmp

Filesize
4.0MB

Download
memory/2856-848-0x00007FF647280000-0x00007FF647675000-memory.dmp

Filesize
4.0MB

Download
memory/2904-837-0x00007FF7AB5D0000-0x00007FF7AB9C5000-memory.dmp

Filesize
4.0MB

Download
memory/2936-859-0x00007FF71CC00000-0x00007FF71CFF5000-memory.dmp

Filesize
4.0MB

Download
memory/2996-684-0x00007FF7106A0000-0x00007FF710A95000-memory.dmp

Filesize
4.0MB

Download
memory/3004-691-0x00007FF69E900000-0x00007FF69ECF5000-memory.dmp

Filesize
4.0MB

Download
memory/3192-858-0x00007FF6A7570000-0x00007FF6A7965000-memory.dmp

Filesize
4.0MB

Download
memory/3272-55-0x00007FF7483A0000-0x00007FF748795000-memory.dmp

Filesize
4.0MB

Download
memory/3412-762-0x00007FF7F87D0000-0x00007FF7F8BC5000-memory.dmp

Filesize
4.0MB

Download
memory/3440-717-0x00007FF6103F0000-0x00007FF6107E5000-memory.dmp

Filesize
4.0MB

Download
memory/3484-18-0x00007FF696420000-0x00007FF696815000-memory.dmp

Filesize
4.0MB

Download
memory/3488-860-0x00007FF60CE30000-0x00007FF60D225000-memory.dmp

Filesize
4.0MB

Download
memory/3500-842-0x00007FF6E8790000-0x00007FF6E8B85000-memory.dmp

Filesize
4.0MB

Download
memory/3612-52-0x00007FF7915E0000-0x00007FF7919D5000-memory.dmp

Filesize
4.0MB

Download
memory/3660-826-0x00007FF78C7A0000-0x00007FF78CB95000-memory.dmp

Filesize
4.0MB

Download
memory/3704-840-0x00007FF6B71E0000-0x00007FF6B75D5000-memory.dmp

Filesize
4.0MB

Download
memory/3768-694-0x00007FF72FEB0000-0x00007FF7302A5000-memory.dmp

Filesize
4.0MB

Download
memory/3860-812-0x00007FF651E00000-0x00007FF6521F5000-memory.dmp

Filesize
4.0MB

Download
memory/3864-863-0x00007FF712E00000-0x00007FF7131F5000-memory.dmp

Filesize
4.0MB

Download
memory/3932-847-0x00007FF62D7F0000-0x00007FF62DBE5000-memory.dmp

Filesize
4.0MB

Download
memory/4004-846-0x00007FF75A450000-0x00007FF75A845000-memory.dmp

Filesize
4.0MB

Download
memory/4060-744-0x00007FF66F760000-0x00007FF66FB55000-memory.dmp

Filesize
4.0MB

Download
memory/4084-865-0x00007FF794F10000-0x00007FF795305000-memory.dmp

Filesize
4.0MB

Download
memory/4336-764-0x00007FF6AC310000-0x00007FF6AC705000-memory.dmp

Filesize
4.0MB

Download
memory/4356-862-0x00007FF61FD70000-0x00007FF620165000-memory.dmp

Filesize
4.0MB

Download
memory/4436-851-0x00007FF7E59C0000-0x00007FF7E5DB5000-memory.dmp

Filesize
4.0MB

Download
memory/4456-850-0x00007FF608050000-0x00007FF608445000-memory.dmp

Filesize
4.0MB

Download
memory/4608-751-0x00007FF6D5970000-0x00007FF6D5D65000-memory.dmp

Filesize
4.0MB

Download
memory/4628-1-0x0000026522F10000-0x0000026522F20000-memory.dmp

Filesize
64KB

Download
memory/4628-0-0x00007FF722670000-0x00007FF722A65000-memory.dmp

Filesize
4.0MB

Download
memory/4656-864-0x00007FF6AE040000-0x00007FF6AE435000-memory.dmp

Filesize
4.0MB

Download
memory/4716-702-0x00007FF63CFF0000-0x00007FF63D3E5000-memory.dmp

Filesize
4.0MB

Download
memory/4728-735-0x00007FF6787E0000-0x00007FF678BD5000-memory.dmp

Filesize
4.0MB

Download
memory/4796-845-0x00007FF6CEA20000-0x00007FF6CEE15000-memory.dmp

Filesize
4.0MB

Download
memory/4800-841-0x00007FF715550000-0x00007FF715945000-memory.dmp

Filesize
4.0MB

Download
memory/4856-852-0x00007FF770590000-0x00007FF770985000-memory.dmp

Filesize
4.0MB

Download
memory/4880-843-0x00007FF62B380000-0x00007FF62B775000-memory.dmp

Filesize
4.0MB

Download
memory/4892-739-0x00007FF693890000-0x00007FF693C85000-memory.dmp

Filesize
4.0MB

Download
memory/4920-747-0x00007FF6442A0000-0x00007FF644695000-memory.dmp

Filesize
4.0MB

Download
memory/4956-741-0x00007FF7478E0000-0x00007FF747CD5000-memory.dmp

Filesize
4.0MB

Download
memory/4976-856-0x00007FF799DC0000-0x00007FF79A1B5000-memory.dmp

Filesize
4.0MB

Download
memory/5064-733-0x00007FF7EA000000-0x00007FF7EA3F5000-memory.dmp

Filesize
4.0MB

Download
memory/5088-830-0x00007FF78CDF0000-0x00007FF78D1E5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads