xmrig | 197002fde0ee9defae2c9a01f6eb1a79550abc24382c8dce4d26fd093f3f6d35

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
Size

2.6MB
MD5

53c115ff3a991b9ee6b5acc81cec1705
SHA1

44aae5583c41c26f0996153ec791f532c7f9dcd2
SHA256

197002fde0ee9defae2c9a01f6eb1a79550abc24382c8dce4d26fd093f3f6d35
SHA512

03901f8ce9b0ed7a84eeaa9c858d820f041fce2411474e970d802fbf7400d1d25a3953f87dd8c0632830ccb867141b9bd07604ca8caeb1b34d06a2ff28041afd
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8Dze7jcmWHEDzshqXR:w0GnJMOWPClFdx6e0EALKWVTffZiPAcw

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4248-0-0x00007FF607090000-0x00007FF607485000-memory.dmp	xmrig
behavioral2/files/0x0008000000024263-5.dat	xmrig
behavioral2/files/0x0007000000024267-10.dat	xmrig
behavioral2/files/0x0007000000024268-11.dat	xmrig
behavioral2/memory/712-15-0x00007FF7A2A10000-0x00007FF7A2E05000-memory.dmp	xmrig
behavioral2/files/0x000700000002426a-34.dat	xmrig
behavioral2/files/0x000700000002426e-48.dat	xmrig
behavioral2/files/0x000700000002426f-51.dat	xmrig
behavioral2/files/0x0007000000024270-58.dat	xmrig
behavioral2/files/0x0007000000024273-73.dat	xmrig
behavioral2/files/0x000700000002427b-113.dat	xmrig
behavioral2/files/0x0007000000024282-148.dat	xmrig
behavioral2/memory/5764-722-0x00007FF791570000-0x00007FF791965000-memory.dmp	xmrig
behavioral2/memory/5960-723-0x00007FF649F20000-0x00007FF64A315000-memory.dmp	xmrig
behavioral2/memory/5548-724-0x00007FF6393D0000-0x00007FF6397C5000-memory.dmp	xmrig
behavioral2/memory/3220-725-0x00007FF7A0830000-0x00007FF7A0C25000-memory.dmp	xmrig
behavioral2/memory/4484-727-0x00007FF7F3760000-0x00007FF7F3B55000-memory.dmp	xmrig
behavioral2/memory/6064-726-0x00007FF680C20000-0x00007FF681015000-memory.dmp	xmrig
behavioral2/memory/4568-728-0x00007FF705A70000-0x00007FF705E65000-memory.dmp	xmrig
behavioral2/memory/4768-729-0x00007FF7D8090000-0x00007FF7D8485000-memory.dmp	xmrig
behavioral2/memory/4616-733-0x00007FF62D910000-0x00007FF62DD05000-memory.dmp	xmrig
behavioral2/memory/5312-735-0x00007FF74DFB0000-0x00007FF74E3A5000-memory.dmp	xmrig
behavioral2/memory/3284-742-0x00007FF654D30000-0x00007FF655125000-memory.dmp	xmrig
behavioral2/memory/4488-747-0x00007FF6E6BF0000-0x00007FF6E6FE5000-memory.dmp	xmrig
behavioral2/memory/4012-745-0x00007FF606790000-0x00007FF606B85000-memory.dmp	xmrig
behavioral2/memory/628-754-0x00007FF655D10000-0x00007FF656105000-memory.dmp	xmrig
behavioral2/memory/4620-758-0x00007FF7E0A10000-0x00007FF7E0E05000-memory.dmp	xmrig
behavioral2/memory/4728-762-0x00007FF6EFFB0000-0x00007FF6F03A5000-memory.dmp	xmrig
behavioral2/memory/4684-766-0x00007FF74BFF0000-0x00007FF74C3E5000-memory.dmp	xmrig
behavioral2/memory/2704-769-0x00007FF67E2B0000-0x00007FF67E6A5000-memory.dmp	xmrig
behavioral2/memory/4844-764-0x00007FF6FF360000-0x00007FF6FF755000-memory.dmp	xmrig
behavioral2/files/0x0007000000024285-163.dat	xmrig
behavioral2/files/0x0007000000024284-158.dat	xmrig
behavioral2/memory/5844-830-0x00007FF7B7040000-0x00007FF7B7435000-memory.dmp	xmrig
behavioral2/files/0x0007000000024283-153.dat	xmrig
behavioral2/files/0x0007000000024281-143.dat	xmrig
behavioral2/files/0x0007000000024280-138.dat	xmrig
behavioral2/files/0x000700000002427f-133.dat	xmrig
behavioral2/files/0x000700000002427e-128.dat	xmrig
behavioral2/files/0x000700000002427d-123.dat	xmrig
behavioral2/files/0x000700000002427c-118.dat	xmrig
behavioral2/files/0x000700000002427a-108.dat	xmrig
behavioral2/files/0x0007000000024279-103.dat	xmrig
behavioral2/files/0x0007000000024278-98.dat	xmrig
behavioral2/files/0x0007000000024277-93.dat	xmrig
behavioral2/files/0x0007000000024276-88.dat	xmrig
behavioral2/files/0x0007000000024275-83.dat	xmrig
behavioral2/files/0x0007000000024274-78.dat	xmrig
behavioral2/files/0x0007000000024272-68.dat	xmrig
behavioral2/files/0x0007000000024271-63.dat	xmrig
behavioral2/files/0x000700000002426d-43.dat	xmrig
behavioral2/files/0x000700000002426b-36.dat	xmrig
behavioral2/files/0x0007000000024269-32.dat	xmrig
behavioral2/files/0x000700000002426c-30.dat	xmrig
behavioral2/memory/2768-9-0x00007FF70F290000-0x00007FF70F685000-memory.dmp	xmrig
behavioral2/memory/4456-834-0x00007FF744210000-0x00007FF744605000-memory.dmp	xmrig
behavioral2/memory/748-833-0x00007FF77FE70000-0x00007FF780265000-memory.dmp	xmrig
behavioral2/memory/4248-1523-0x00007FF607090000-0x00007FF607485000-memory.dmp	xmrig
behavioral2/memory/712-1757-0x00007FF7A2A10000-0x00007FF7A2E05000-memory.dmp	xmrig
behavioral2/memory/5764-1758-0x00007FF791570000-0x00007FF791965000-memory.dmp	xmrig
behavioral2/memory/2768-2125-0x00007FF70F290000-0x00007FF70F685000-memory.dmp	xmrig
behavioral2/memory/5764-2127-0x00007FF791570000-0x00007FF791965000-memory.dmp	xmrig
behavioral2/memory/712-2126-0x00007FF7A2A10000-0x00007FF7A2E05000-memory.dmp	xmrig
behavioral2/memory/5548-2129-0x00007FF6393D0000-0x00007FF6397C5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2768	zzpQEqj.exe
712	COsOHyc.exe
5764	FNwAtNR.exe
5960	yqmcAUk.exe
5548	KRWRtiA.exe
3220	SAIxjCn.exe
6064	WOrTDUM.exe
4456	njHvDyC.exe
4484	SXgtoRo.exe
4568	jMWTvNp.exe
4768	nCdXkFL.exe
4616	titcgwT.exe
5312	kskXQmt.exe
3284	MTfYHlr.exe
4012	dadQTHk.exe
4488	VUkshiS.exe
628	NXbgOdQ.exe
4620	jkwQXMl.exe
4728	dxTREvO.exe
4844	LCwGeiD.exe
4684	ibZbFHM.exe
2704	rSXvdRf.exe
5844	vTylBiH.exe
748	FCBKyLy.exe
4840	mKWXFmx.exe
672	VvqNzxW.exe
556	nDBSlHL.exe
964	oMpLvEO.exe
5044	CxzggLk.exe
2336	fRpasOi.exe
1648	RxeLCXN.exe
5552	IvGMcdQ.exe
1500	Otagtsw.exe
1976	RNSDnzi.exe
2532	RXUsPYw.exe
3676	pPqasCH.exe
4448	YlddRjb.exe
1160	FZBcfjt.exe
3280	CMcDeUV.exe
2320	bnDOROF.exe
452	PifcKEZ.exe
3440	RkWsujZ.exe
5968	bWuTAtj.exe
5404	PDTdslj.exe
1768	mLFbePY.exe
5340	MXOsuUy.exe
2068	GkZiycn.exe
1532	rfxkcvu.exe
5184	dzHZnUx.exe
5124	tYLWuvF.exe
6072	thiZQcZ.exe
4404	gbYSqnw.exe
2868	kxAWnwd.exe
5308	nGfHsDu.exe
1224	IjeQeFM.exe
1724	aWWvmCf.exe
4028	ilfIsmS.exe
2736	ykhEfYz.exe
1296	BIBZXuY.exe
3348	WhJaxOV.exe
3784	bRFCdbY.exe
4916	NaoarEb.exe
3480	Oindwmw.exe
3344	ZtLclHO.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\NSBarqO.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\aokrTte.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\kEhaWxq.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\LwzocdK.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\fyqmKhN.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\AtYnFSZ.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\cGaEQFn.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\IEzNPvq.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\BNUvVRT.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\eYOyyGh.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\InsgLbR.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\vXKvdjp.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\jLxaKpN.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\FrOvZzL.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\NttCdYd.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\gvaJRtG.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\ruTOWcg.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\pvHWZRu.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\JdfaFEX.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\xPuZeHX.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\REreBSG.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\OTNKsgw.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\ZJTBhQY.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\QSByhIp.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\VeGvQBX.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\qZBtEDC.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\MKHxpLY.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\fiWvGRa.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\LrqzRmO.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\OdsFRVZ.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\XWUxAQJ.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\XjjIqcm.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\FnCWpaz.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\vQVQhBL.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\apXgrId.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\NzEKQzq.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\BGHbkAJ.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\CyxCdMN.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\oZTbfFt.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\lppIwrM.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\izjPNoA.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\rYBWFWU.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\xPlnpHE.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\wrYeeCs.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\fRpasOi.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\IMrMGSv.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\pCHyCGi.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\wjVwlIQ.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\lhJfwSP.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\bQuiTac.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\qayVsBN.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\OJIVOJJ.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\TsaZyTI.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\NAEbnMi.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\tudQfmU.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\daCxsCR.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\jIKxymX.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\MoDUeZW.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\ZLphuCQ.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\mNFDSKQ.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\fWwnQfh.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\PxsMfbr.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\fwzoWFW.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
File created	C:\Windows\System32\KNTUUVc.exe	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4248-0-0x00007FF607090000-0x00007FF607485000-memory.dmp	upx
behavioral2/files/0x0008000000024263-5.dat	upx
behavioral2/files/0x0007000000024267-10.dat	upx
behavioral2/files/0x0007000000024268-11.dat	upx
behavioral2/memory/712-15-0x00007FF7A2A10000-0x00007FF7A2E05000-memory.dmp	upx
behavioral2/files/0x000700000002426a-34.dat	upx
behavioral2/files/0x000700000002426e-48.dat	upx
behavioral2/files/0x000700000002426f-51.dat	upx
behavioral2/files/0x0007000000024270-58.dat	upx
behavioral2/files/0x0007000000024273-73.dat	upx
behavioral2/files/0x000700000002427b-113.dat	upx
behavioral2/files/0x0007000000024282-148.dat	upx
behavioral2/memory/5764-722-0x00007FF791570000-0x00007FF791965000-memory.dmp	upx
behavioral2/memory/5960-723-0x00007FF649F20000-0x00007FF64A315000-memory.dmp	upx
behavioral2/memory/5548-724-0x00007FF6393D0000-0x00007FF6397C5000-memory.dmp	upx
behavioral2/memory/3220-725-0x00007FF7A0830000-0x00007FF7A0C25000-memory.dmp	upx
behavioral2/memory/4484-727-0x00007FF7F3760000-0x00007FF7F3B55000-memory.dmp	upx
behavioral2/memory/6064-726-0x00007FF680C20000-0x00007FF681015000-memory.dmp	upx
behavioral2/memory/4568-728-0x00007FF705A70000-0x00007FF705E65000-memory.dmp	upx
behavioral2/memory/4768-729-0x00007FF7D8090000-0x00007FF7D8485000-memory.dmp	upx
behavioral2/memory/4616-733-0x00007FF62D910000-0x00007FF62DD05000-memory.dmp	upx
behavioral2/memory/5312-735-0x00007FF74DFB0000-0x00007FF74E3A5000-memory.dmp	upx
behavioral2/memory/3284-742-0x00007FF654D30000-0x00007FF655125000-memory.dmp	upx
behavioral2/memory/4488-747-0x00007FF6E6BF0000-0x00007FF6E6FE5000-memory.dmp	upx
behavioral2/memory/4012-745-0x00007FF606790000-0x00007FF606B85000-memory.dmp	upx
behavioral2/memory/628-754-0x00007FF655D10000-0x00007FF656105000-memory.dmp	upx
behavioral2/memory/4620-758-0x00007FF7E0A10000-0x00007FF7E0E05000-memory.dmp	upx
behavioral2/memory/4728-762-0x00007FF6EFFB0000-0x00007FF6F03A5000-memory.dmp	upx
behavioral2/memory/4684-766-0x00007FF74BFF0000-0x00007FF74C3E5000-memory.dmp	upx
behavioral2/memory/2704-769-0x00007FF67E2B0000-0x00007FF67E6A5000-memory.dmp	upx
behavioral2/memory/4844-764-0x00007FF6FF360000-0x00007FF6FF755000-memory.dmp	upx
behavioral2/files/0x0007000000024285-163.dat	upx
behavioral2/files/0x0007000000024284-158.dat	upx
behavioral2/memory/5844-830-0x00007FF7B7040000-0x00007FF7B7435000-memory.dmp	upx
behavioral2/files/0x0007000000024283-153.dat	upx
behavioral2/files/0x0007000000024281-143.dat	upx
behavioral2/files/0x0007000000024280-138.dat	upx
behavioral2/files/0x000700000002427f-133.dat	upx
behavioral2/files/0x000700000002427e-128.dat	upx
behavioral2/files/0x000700000002427d-123.dat	upx
behavioral2/files/0x000700000002427c-118.dat	upx
behavioral2/files/0x000700000002427a-108.dat	upx
behavioral2/files/0x0007000000024279-103.dat	upx
behavioral2/files/0x0007000000024278-98.dat	upx
behavioral2/files/0x0007000000024277-93.dat	upx
behavioral2/files/0x0007000000024276-88.dat	upx
behavioral2/files/0x0007000000024275-83.dat	upx
behavioral2/files/0x0007000000024274-78.dat	upx
behavioral2/files/0x0007000000024272-68.dat	upx
behavioral2/files/0x0007000000024271-63.dat	upx
behavioral2/files/0x000700000002426d-43.dat	upx
behavioral2/files/0x000700000002426b-36.dat	upx
behavioral2/files/0x0007000000024269-32.dat	upx
behavioral2/files/0x000700000002426c-30.dat	upx
behavioral2/memory/2768-9-0x00007FF70F290000-0x00007FF70F685000-memory.dmp	upx
behavioral2/memory/4456-834-0x00007FF744210000-0x00007FF744605000-memory.dmp	upx
behavioral2/memory/748-833-0x00007FF77FE70000-0x00007FF780265000-memory.dmp	upx
behavioral2/memory/4248-1523-0x00007FF607090000-0x00007FF607485000-memory.dmp	upx
behavioral2/memory/712-1757-0x00007FF7A2A10000-0x00007FF7A2E05000-memory.dmp	upx
behavioral2/memory/5764-1758-0x00007FF791570000-0x00007FF791965000-memory.dmp	upx
behavioral2/memory/2768-2125-0x00007FF70F290000-0x00007FF70F685000-memory.dmp	upx
behavioral2/memory/5764-2127-0x00007FF791570000-0x00007FF791965000-memory.dmp	upx
behavioral2/memory/712-2126-0x00007FF7A2A10000-0x00007FF7A2E05000-memory.dmp	upx
behavioral2/memory/5548-2129-0x00007FF6393D0000-0x00007FF6397C5000-memory.dmp	upx

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13532	dwm.exe
Token: SeChangeNotifyPrivilege	13532	dwm.exe
Token: 33	13532	dwm.exe
Token: SeIncBasePriorityPrivilege	13532	dwm.exe
Token: SeCreateGlobalPrivilege	14116	dwm.exe
Token: SeChangeNotifyPrivilege	14116	dwm.exe
Token: 33	14116	dwm.exe
Token: SeIncBasePriorityPrivilege	14116	dwm.exe
Token: SeCreateGlobalPrivilege	14220	dwm.exe
Token: SeChangeNotifyPrivilege	14220	dwm.exe
Token: 33	14220	dwm.exe
Token: SeIncBasePriorityPrivilege	14220	dwm.exe
Token: SeCreateGlobalPrivilege	13808	dwm.exe
Token: SeChangeNotifyPrivilege	13808	dwm.exe
Token: 33	13808	dwm.exe
Token: SeIncBasePriorityPrivilege	13808	dwm.exe
Token: SeShutdownPrivilege	13808	dwm.exe
Token: SeCreatePagefilePrivilege	13808	dwm.exe
Token: SeShutdownPrivilege	13808	dwm.exe
Token: SeCreatePagefilePrivilege	13808	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 2768	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	88
PID 4248 wrote to memory of 2768	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	88
PID 4248 wrote to memory of 712	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	89
PID 4248 wrote to memory of 712	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	89
PID 4248 wrote to memory of 6064	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	90
PID 4248 wrote to memory of 6064	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	90
PID 4248 wrote to memory of 5960	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	91
PID 4248 wrote to memory of 5960	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	91
PID 4248 wrote to memory of 5548	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	92
PID 4248 wrote to memory of 5548	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	92
PID 4248 wrote to memory of 3220	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	93
PID 4248 wrote to memory of 3220	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	93
PID 4248 wrote to memory of 5764	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	94
PID 4248 wrote to memory of 5764	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	94
PID 4248 wrote to memory of 4456	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	95
PID 4248 wrote to memory of 4456	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	95
PID 4248 wrote to memory of 4484	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	96
PID 4248 wrote to memory of 4484	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	96
PID 4248 wrote to memory of 4568	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	97
PID 4248 wrote to memory of 4568	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	97
PID 4248 wrote to memory of 4768	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	98
PID 4248 wrote to memory of 4768	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	98
PID 4248 wrote to memory of 4616	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	99
PID 4248 wrote to memory of 4616	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	99
PID 4248 wrote to memory of 5312	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	100
PID 4248 wrote to memory of 5312	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	100
PID 4248 wrote to memory of 3284	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	101
PID 4248 wrote to memory of 3284	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	101
PID 4248 wrote to memory of 4012	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	102
PID 4248 wrote to memory of 4012	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	102
PID 4248 wrote to memory of 4488	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	103
PID 4248 wrote to memory of 4488	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	103
PID 4248 wrote to memory of 628	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	104
PID 4248 wrote to memory of 628	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	104
PID 4248 wrote to memory of 4620	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	105
PID 4248 wrote to memory of 4620	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	105
PID 4248 wrote to memory of 4728	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	106
PID 4248 wrote to memory of 4728	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	106
PID 4248 wrote to memory of 4844	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	107
PID 4248 wrote to memory of 4844	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	107
PID 4248 wrote to memory of 4684	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	108
PID 4248 wrote to memory of 4684	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	108
PID 4248 wrote to memory of 2704	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	109
PID 4248 wrote to memory of 2704	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	109
PID 4248 wrote to memory of 5844	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	110
PID 4248 wrote to memory of 5844	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	110
PID 4248 wrote to memory of 748	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	111
PID 4248 wrote to memory of 748	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	111
PID 4248 wrote to memory of 4840	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	112
PID 4248 wrote to memory of 4840	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	112
PID 4248 wrote to memory of 672	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	113
PID 4248 wrote to memory of 672	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	113
PID 4248 wrote to memory of 556	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	114
PID 4248 wrote to memory of 556	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	114
PID 4248 wrote to memory of 964	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	115
PID 4248 wrote to memory of 964	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	115
PID 4248 wrote to memory of 5044	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	116
PID 4248 wrote to memory of 5044	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	116
PID 4248 wrote to memory of 2336	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	117
PID 4248 wrote to memory of 2336	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	117
PID 4248 wrote to memory of 1648	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	118
PID 4248 wrote to memory of 1648	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	118
PID 4248 wrote to memory of 5552	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	119
PID 4248 wrote to memory of 5552	4248	2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe	119

C:\Users\Admin\AppData\Local\Temp\2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_53c115ff3a991b9ee6b5acc81cec1705_aspxspy_black-basta_poison-ivy_xmrig.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\System32\zzpQEqj.exe
  C:\Windows\System32\zzpQEqj.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System32\COsOHyc.exe
  C:\Windows\System32\COsOHyc.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System32\WOrTDUM.exe
  C:\Windows\System32\WOrTDUM.exe
  2⤵
  - Executes dropped EXE
  PID:6064
- C:\Windows\System32\yqmcAUk.exe
  C:\Windows\System32\yqmcAUk.exe
  2⤵
  - Executes dropped EXE
  PID:5960
- C:\Windows\System32\KRWRtiA.exe
  C:\Windows\System32\KRWRtiA.exe
  2⤵
  - Executes dropped EXE
  PID:5548
- C:\Windows\System32\SAIxjCn.exe
  C:\Windows\System32\SAIxjCn.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\FNwAtNR.exe
  C:\Windows\System32\FNwAtNR.exe
  2⤵
  - Executes dropped EXE
  PID:5764
- C:\Windows\System32\njHvDyC.exe
  C:\Windows\System32\njHvDyC.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\SXgtoRo.exe
  C:\Windows\System32\SXgtoRo.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System32\jMWTvNp.exe
  C:\Windows\System32\jMWTvNp.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\nCdXkFL.exe
  C:\Windows\System32\nCdXkFL.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\titcgwT.exe
  C:\Windows\System32\titcgwT.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System32\kskXQmt.exe
  C:\Windows\System32\kskXQmt.exe
  2⤵
  - Executes dropped EXE
  PID:5312
- C:\Windows\System32\MTfYHlr.exe
  C:\Windows\System32\MTfYHlr.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\dadQTHk.exe
  C:\Windows\System32\dadQTHk.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System32\VUkshiS.exe
  C:\Windows\System32\VUkshiS.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\NXbgOdQ.exe
  C:\Windows\System32\NXbgOdQ.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System32\jkwQXMl.exe
  C:\Windows\System32\jkwQXMl.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System32\dxTREvO.exe
  C:\Windows\System32\dxTREvO.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\LCwGeiD.exe
  C:\Windows\System32\LCwGeiD.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System32\ibZbFHM.exe
  C:\Windows\System32\ibZbFHM.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\rSXvdRf.exe
  C:\Windows\System32\rSXvdRf.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System32\vTylBiH.exe
  C:\Windows\System32\vTylBiH.exe
  2⤵
  - Executes dropped EXE
  PID:5844
- C:\Windows\System32\FCBKyLy.exe
  C:\Windows\System32\FCBKyLy.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System32\mKWXFmx.exe
  C:\Windows\System32\mKWXFmx.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\VvqNzxW.exe
  C:\Windows\System32\VvqNzxW.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System32\nDBSlHL.exe
  C:\Windows\System32\nDBSlHL.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System32\oMpLvEO.exe
  C:\Windows\System32\oMpLvEO.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System32\CxzggLk.exe
  C:\Windows\System32\CxzggLk.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System32\fRpasOi.exe
  C:\Windows\System32\fRpasOi.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System32\RxeLCXN.exe
  C:\Windows\System32\RxeLCXN.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\IvGMcdQ.exe
  C:\Windows\System32\IvGMcdQ.exe
  2⤵
  - Executes dropped EXE
  PID:5552
- C:\Windows\System32\Otagtsw.exe
  C:\Windows\System32\Otagtsw.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System32\RNSDnzi.exe
  C:\Windows\System32\RNSDnzi.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System32\RXUsPYw.exe
  C:\Windows\System32\RXUsPYw.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\pPqasCH.exe
  C:\Windows\System32\pPqasCH.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\YlddRjb.exe
  C:\Windows\System32\YlddRjb.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\FZBcfjt.exe
  C:\Windows\System32\FZBcfjt.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\CMcDeUV.exe
  C:\Windows\System32\CMcDeUV.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\bnDOROF.exe
  C:\Windows\System32\bnDOROF.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System32\PifcKEZ.exe
  C:\Windows\System32\PifcKEZ.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System32\RkWsujZ.exe
  C:\Windows\System32\RkWsujZ.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\bWuTAtj.exe
  C:\Windows\System32\bWuTAtj.exe
  2⤵
  - Executes dropped EXE
  PID:5968
- C:\Windows\System32\PDTdslj.exe
  C:\Windows\System32\PDTdslj.exe
  2⤵
  - Executes dropped EXE
  PID:5404
- C:\Windows\System32\mLFbePY.exe
  C:\Windows\System32\mLFbePY.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System32\MXOsuUy.exe
  C:\Windows\System32\MXOsuUy.exe
  2⤵
  - Executes dropped EXE
  PID:5340
- C:\Windows\System32\GkZiycn.exe
  C:\Windows\System32\GkZiycn.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\rfxkcvu.exe
  C:\Windows\System32\rfxkcvu.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System32\dzHZnUx.exe
  C:\Windows\System32\dzHZnUx.exe
  2⤵
  - Executes dropped EXE
  PID:5184
- C:\Windows\System32\tYLWuvF.exe
  C:\Windows\System32\tYLWuvF.exe
  2⤵
  - Executes dropped EXE
  PID:5124
- C:\Windows\System32\thiZQcZ.exe
  C:\Windows\System32\thiZQcZ.exe
  2⤵
  - Executes dropped EXE
  PID:6072
- C:\Windows\System32\gbYSqnw.exe
  C:\Windows\System32\gbYSqnw.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\kxAWnwd.exe
  C:\Windows\System32\kxAWnwd.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\nGfHsDu.exe
  C:\Windows\System32\nGfHsDu.exe
  2⤵
  - Executes dropped EXE
  PID:5308
- C:\Windows\System32\IjeQeFM.exe
  C:\Windows\System32\IjeQeFM.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System32\aWWvmCf.exe
  C:\Windows\System32\aWWvmCf.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System32\ilfIsmS.exe
  C:\Windows\System32\ilfIsmS.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\ykhEfYz.exe
  C:\Windows\System32\ykhEfYz.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System32\BIBZXuY.exe
  C:\Windows\System32\BIBZXuY.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System32\WhJaxOV.exe
  C:\Windows\System32\WhJaxOV.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System32\bRFCdbY.exe
  C:\Windows\System32\bRFCdbY.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System32\NaoarEb.exe
  C:\Windows\System32\NaoarEb.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\Oindwmw.exe
  C:\Windows\System32\Oindwmw.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\ZtLclHO.exe
  C:\Windows\System32\ZtLclHO.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System32\bBfvbVe.exe
  C:\Windows\System32\bBfvbVe.exe
  2⤵
  PID:4912
- C:\Windows\System32\onjsdXm.exe
  C:\Windows\System32\onjsdXm.exe
  2⤵
  PID:3472
- C:\Windows\System32\YbDRaAd.exe
  C:\Windows\System32\YbDRaAd.exe
  2⤵
  PID:4284
- C:\Windows\System32\fAiLQsV.exe
  C:\Windows\System32\fAiLQsV.exe
  2⤵
  PID:1452
- C:\Windows\System32\qXxRejP.exe
  C:\Windows\System32\qXxRejP.exe
  2⤵
  PID:3896
- C:\Windows\System32\OJCuufm.exe
  C:\Windows\System32\OJCuufm.exe
  2⤵
  PID:2244
- C:\Windows\System32\cwPBGVa.exe
  C:\Windows\System32\cwPBGVa.exe
  2⤵
  PID:3980
- C:\Windows\System32\GXPIIoy.exe
  C:\Windows\System32\GXPIIoy.exe
  2⤵
  PID:3664
- C:\Windows\System32\ryfVhfO.exe
  C:\Windows\System32\ryfVhfO.exe
  2⤵
  PID:5388
- C:\Windows\System32\ssBTQOX.exe
  C:\Windows\System32\ssBTQOX.exe
  2⤵
  PID:968
- C:\Windows\System32\xMBPCkY.exe
  C:\Windows\System32\xMBPCkY.exe
  2⤵
  PID:5664
- C:\Windows\System32\DyYubQn.exe
  C:\Windows\System32\DyYubQn.exe
  2⤵
  PID:4364
- C:\Windows\System32\HNhRKkQ.exe
  C:\Windows\System32\HNhRKkQ.exe
  2⤵
  PID:4816
- C:\Windows\System32\krmRifQ.exe
  C:\Windows\System32\krmRifQ.exe
  2⤵
  PID:5932
- C:\Windows\System32\znMNHHb.exe
  C:\Windows\System32\znMNHHb.exe
  2⤵
  PID:5352
- C:\Windows\System32\iqtqmQo.exe
  C:\Windows\System32\iqtqmQo.exe
  2⤵
  PID:5748
- C:\Windows\System32\YlJATQH.exe
  C:\Windows\System32\YlJATQH.exe
  2⤵
  PID:5780
- C:\Windows\System32\uJvHNVo.exe
  C:\Windows\System32\uJvHNVo.exe
  2⤵
  PID:4332
- C:\Windows\System32\axBPJen.exe
  C:\Windows\System32\axBPJen.exe
  2⤵
  PID:4340
- C:\Windows\System32\BGHbkAJ.exe
  C:\Windows\System32\BGHbkAJ.exe
  2⤵
  PID:1656
- C:\Windows\System32\jgjDYzM.exe
  C:\Windows\System32\jgjDYzM.exe
  2⤵
  PID:5648
- C:\Windows\System32\mTJIRGO.exe
  C:\Windows\System32\mTJIRGO.exe
  2⤵
  PID:2144
- C:\Windows\System32\xjbgAXV.exe
  C:\Windows\System32\xjbgAXV.exe
  2⤵
  PID:4472
- C:\Windows\System32\WmVoedg.exe
  C:\Windows\System32\WmVoedg.exe
  2⤵
  PID:4596
- C:\Windows\System32\zaQBfdw.exe
  C:\Windows\System32\zaQBfdw.exe
  2⤵
  PID:4500
- C:\Windows\System32\BMmLlZj.exe
  C:\Windows\System32\BMmLlZj.exe
  2⤵
  PID:1588
- C:\Windows\System32\nahtxXr.exe
  C:\Windows\System32\nahtxXr.exe
  2⤵
  PID:4060
- C:\Windows\System32\qZWeAdf.exe
  C:\Windows\System32\qZWeAdf.exe
  2⤵
  PID:4724
- C:\Windows\System32\ObgzHts.exe
  C:\Windows\System32\ObgzHts.exe
  2⤵
  PID:4688
- C:\Windows\System32\wdeEttE.exe
  C:\Windows\System32\wdeEttE.exe
  2⤵
  PID:4656
- C:\Windows\System32\NbHELwv.exe
  C:\Windows\System32\NbHELwv.exe
  2⤵
  PID:2912
- C:\Windows\System32\atJHIfM.exe
  C:\Windows\System32\atJHIfM.exe
  2⤵
  PID:1056
- C:\Windows\System32\hJTjyZU.exe
  C:\Windows\System32\hJTjyZU.exe
  2⤵
  PID:3700
- C:\Windows\System32\vMjuebK.exe
  C:\Windows\System32\vMjuebK.exe
  2⤵
  PID:1904
- C:\Windows\System32\HXVrcLf.exe
  C:\Windows\System32\HXVrcLf.exe
  2⤵
  PID:1668
- C:\Windows\System32\WzLswwF.exe
  C:\Windows\System32\WzLswwF.exe
  2⤵
  PID:4400
- C:\Windows\System32\XHbMhBm.exe
  C:\Windows\System32\XHbMhBm.exe
  2⤵
  PID:2028
- C:\Windows\System32\NjPvCBZ.exe
  C:\Windows\System32\NjPvCBZ.exe
  2⤵
  PID:388
- C:\Windows\System32\CyxCdMN.exe
  C:\Windows\System32\CyxCdMN.exe
  2⤵
  PID:5040
- C:\Windows\System32\PxsMfbr.exe
  C:\Windows\System32\PxsMfbr.exe
  2⤵
  PID:1660
- C:\Windows\System32\StteRWT.exe
  C:\Windows\System32\StteRWT.exe
  2⤵
  PID:6136
- C:\Windows\System32\xowenaf.exe
  C:\Windows\System32\xowenaf.exe
  2⤵
  PID:5544
- C:\Windows\System32\zgRLapY.exe
  C:\Windows\System32\zgRLapY.exe
  2⤵
  PID:5204
- C:\Windows\System32\Lnshqpe.exe
  C:\Windows\System32\Lnshqpe.exe
  2⤵
  PID:5032
- C:\Windows\System32\JmweKog.exe
  C:\Windows\System32\JmweKog.exe
  2⤵
  PID:760
- C:\Windows\System32\OWfCDaS.exe
  C:\Windows\System32\OWfCDaS.exe
  2⤵
  PID:3248
- C:\Windows\System32\zfZqGnb.exe
  C:\Windows\System32\zfZqGnb.exe
  2⤵
  PID:5564
- C:\Windows\System32\WJVFtut.exe
  C:\Windows\System32\WJVFtut.exe
  2⤵
  PID:1748
- C:\Windows\System32\vjxlBix.exe
  C:\Windows\System32\vjxlBix.exe
  2⤵
  PID:3632
- C:\Windows\System32\gzMqUID.exe
  C:\Windows\System32\gzMqUID.exe
  2⤵
  PID:2016
- C:\Windows\System32\mWsLDic.exe
  C:\Windows\System32\mWsLDic.exe
  2⤵
  PID:4832
- C:\Windows\System32\aFgHRug.exe
  C:\Windows\System32\aFgHRug.exe
  2⤵
  PID:3380
- C:\Windows\System32\zWpZymd.exe
  C:\Windows\System32\zWpZymd.exe
  2⤵
  PID:5816
- C:\Windows\System32\ZoqIBKm.exe
  C:\Windows\System32\ZoqIBKm.exe
  2⤵
  PID:368
- C:\Windows\System32\YWdBHiF.exe
  C:\Windows\System32\YWdBHiF.exe
  2⤵
  PID:5384
- C:\Windows\System32\LsWiUID.exe
  C:\Windows\System32\LsWiUID.exe
  2⤵
  PID:836
- C:\Windows\System32\QoDsdOs.exe
  C:\Windows\System32\QoDsdOs.exe
  2⤵
  PID:3912
- C:\Windows\System32\QSwtFhk.exe
  C:\Windows\System32\QSwtFhk.exe
  2⤵
  PID:6036
- C:\Windows\System32\zfwWCEE.exe
  C:\Windows\System32\zfwWCEE.exe
  2⤵
  PID:1644
- C:\Windows\System32\hVUXBfo.exe
  C:\Windows\System32\hVUXBfo.exe
  2⤵
  PID:1084
- C:\Windows\System32\ApUGOBb.exe
  C:\Windows\System32\ApUGOBb.exe
  2⤵
  PID:5588
- C:\Windows\System32\ruTOWcg.exe
  C:\Windows\System32\ruTOWcg.exe
  2⤵
  PID:2040
- C:\Windows\System32\qxvmppg.exe
  C:\Windows\System32\qxvmppg.exe
  2⤵
  PID:3304
- C:\Windows\System32\hepRVOF.exe
  C:\Windows\System32\hepRVOF.exe
  2⤵
  PID:1880
- C:\Windows\System32\qikiMhH.exe
  C:\Windows\System32\qikiMhH.exe
  2⤵
  PID:5560
- C:\Windows\System32\atRYVOj.exe
  C:\Windows\System32\atRYVOj.exe
  2⤵
  PID:3588
- C:\Windows\System32\nJWUJyy.exe
  C:\Windows\System32\nJWUJyy.exe
  2⤵
  PID:5296
- C:\Windows\System32\ntcRcYI.exe
  C:\Windows\System32\ntcRcYI.exe
  2⤵
  PID:1196
- C:\Windows\System32\sxTTiee.exe
  C:\Windows\System32\sxTTiee.exe
  2⤵
  PID:1152
- C:\Windows\System32\SYQNbrT.exe
  C:\Windows\System32\SYQNbrT.exe
  2⤵
  PID:2748
- C:\Windows\System32\pyCKoxe.exe
  C:\Windows\System32\pyCKoxe.exe
  2⤵
  PID:4924
- C:\Windows\System32\mApvzja.exe
  C:\Windows\System32\mApvzja.exe
  2⤵
  PID:4776
- C:\Windows\System32\rLDJqOL.exe
  C:\Windows\System32\rLDJqOL.exe
  2⤵
  PID:996
- C:\Windows\System32\nkbApHu.exe
  C:\Windows\System32\nkbApHu.exe
  2⤵
  PID:4288
- C:\Windows\System32\gyOmQtp.exe
  C:\Windows\System32\gyOmQtp.exe
  2⤵
  PID:2944
- C:\Windows\System32\ndjfcdi.exe
  C:\Windows\System32\ndjfcdi.exe
  2⤵
  PID:5132
- C:\Windows\System32\wfdUkwq.exe
  C:\Windows\System32\wfdUkwq.exe
  2⤵
  PID:6156
- C:\Windows\System32\kmhVVWo.exe
  C:\Windows\System32\kmhVVWo.exe
  2⤵
  PID:6172
- C:\Windows\System32\zEzlTNn.exe
  C:\Windows\System32\zEzlTNn.exe
  2⤵
  PID:6200
- C:\Windows\System32\AkoinBX.exe
  C:\Windows\System32\AkoinBX.exe
  2⤵
  PID:6232
- C:\Windows\System32\GScwVoM.exe
  C:\Windows\System32\GScwVoM.exe
  2⤵
  PID:6260
- C:\Windows\System32\pnhMBtk.exe
  C:\Windows\System32\pnhMBtk.exe
  2⤵
  PID:6288
- C:\Windows\System32\odxJejM.exe
  C:\Windows\System32\odxJejM.exe
  2⤵
  PID:6328
- C:\Windows\System32\GYcdAeu.exe
  C:\Windows\System32\GYcdAeu.exe
  2⤵
  PID:6344
- C:\Windows\System32\oFPRjCI.exe
  C:\Windows\System32\oFPRjCI.exe
  2⤵
  PID:6372
- C:\Windows\System32\kVotbHL.exe
  C:\Windows\System32\kVotbHL.exe
  2⤵
  PID:6400
- C:\Windows\System32\ahZKERV.exe
  C:\Windows\System32\ahZKERV.exe
  2⤵
  PID:6428
- C:\Windows\System32\oiTxBWq.exe
  C:\Windows\System32\oiTxBWq.exe
  2⤵
  PID:6456
- C:\Windows\System32\zElKDFV.exe
  C:\Windows\System32\zElKDFV.exe
  2⤵
  PID:6484
- C:\Windows\System32\vmIaiXN.exe
  C:\Windows\System32\vmIaiXN.exe
  2⤵
  PID:6524
- C:\Windows\System32\EdvhnOL.exe
  C:\Windows\System32\EdvhnOL.exe
  2⤵
  PID:6540
- C:\Windows\System32\WAXhfut.exe
  C:\Windows\System32\WAXhfut.exe
  2⤵
  PID:6576
- C:\Windows\System32\QQbQpHU.exe
  C:\Windows\System32\QQbQpHU.exe
  2⤵
  PID:6596
- C:\Windows\System32\nZLKnxp.exe
  C:\Windows\System32\nZLKnxp.exe
  2⤵
  PID:6636
- C:\Windows\System32\FaLVsxn.exe
  C:\Windows\System32\FaLVsxn.exe
  2⤵
  PID:6652
- C:\Windows\System32\QOPPHnj.exe
  C:\Windows\System32\QOPPHnj.exe
  2⤵
  PID:6680
- C:\Windows\System32\srxxXzy.exe
  C:\Windows\System32\srxxXzy.exe
  2⤵
  PID:6708
- C:\Windows\System32\qAeeoCm.exe
  C:\Windows\System32\qAeeoCm.exe
  2⤵
  PID:6736
- C:\Windows\System32\bbxLcNG.exe
  C:\Windows\System32\bbxLcNG.exe
  2⤵
  PID:6776
- C:\Windows\System32\OFcShjN.exe
  C:\Windows\System32\OFcShjN.exe
  2⤵
  PID:6792
- C:\Windows\System32\jSEBsdO.exe
  C:\Windows\System32\jSEBsdO.exe
  2⤵
  PID:6832
- C:\Windows\System32\sIlvbgD.exe
  C:\Windows\System32\sIlvbgD.exe
  2⤵
  PID:6848
- C:\Windows\System32\RnmJelQ.exe
  C:\Windows\System32\RnmJelQ.exe
  2⤵
  PID:6888
- C:\Windows\System32\IQHQUmx.exe
  C:\Windows\System32\IQHQUmx.exe
  2⤵
  PID:6904
- C:\Windows\System32\UCOYFZr.exe
  C:\Windows\System32\UCOYFZr.exe
  2⤵
  PID:6944
- C:\Windows\System32\vphqWYS.exe
  C:\Windows\System32\vphqWYS.exe
  2⤵
  PID:6960
- C:\Windows\System32\QORcEYp.exe
  C:\Windows\System32\QORcEYp.exe
  2⤵
  PID:7000
- C:\Windows\System32\RRJwtSD.exe
  C:\Windows\System32\RRJwtSD.exe
  2⤵
  PID:7016
- C:\Windows\System32\aGZmlct.exe
  C:\Windows\System32\aGZmlct.exe
  2⤵
  PID:7056
- C:\Windows\System32\EoMgpdp.exe
  C:\Windows\System32\EoMgpdp.exe
  2⤵
  PID:7072
- C:\Windows\System32\rVgCbrY.exe
  C:\Windows\System32\rVgCbrY.exe
  2⤵
  PID:7112
- C:\Windows\System32\LErYhUb.exe
  C:\Windows\System32\LErYhUb.exe
  2⤵
  PID:7128
- C:\Windows\System32\hZkAAcP.exe
  C:\Windows\System32\hZkAAcP.exe
  2⤵
  PID:7156
- C:\Windows\System32\ZsusPXE.exe
  C:\Windows\System32\ZsusPXE.exe
  2⤵
  PID:3080
- C:\Windows\System32\ZVhudej.exe
  C:\Windows\System32\ZVhudej.exe
  2⤵
  PID:4940
- C:\Windows\System32\uwRUBLJ.exe
  C:\Windows\System32\uwRUBLJ.exe
  2⤵
  PID:2332
- C:\Windows\System32\fUUmcWB.exe
  C:\Windows\System32\fUUmcWB.exe
  2⤵
  PID:5660
- C:\Windows\System32\nolsTJU.exe
  C:\Windows\System32\nolsTJU.exe
  2⤵
  PID:4212
- C:\Windows\System32\fsVxqYk.exe
  C:\Windows\System32\fsVxqYk.exe
  2⤵
  PID:6256
- C:\Windows\System32\pnxblzj.exe
  C:\Windows\System32\pnxblzj.exe
  2⤵
  PID:6320
- C:\Windows\System32\ySCYoSM.exe
  C:\Windows\System32\ySCYoSM.exe
  2⤵
  PID:6412
- C:\Windows\System32\kMdbeAh.exe
  C:\Windows\System32\kMdbeAh.exe
  2⤵
  PID:6448
- C:\Windows\System32\zzpicoI.exe
  C:\Windows\System32\zzpicoI.exe
  2⤵
  PID:6516
- C:\Windows\System32\fwzoWFW.exe
  C:\Windows\System32\fwzoWFW.exe
  2⤵
  PID:6548
- C:\Windows\System32\qFgIRah.exe
  C:\Windows\System32\qFgIRah.exe
  2⤵
  PID:6620
- C:\Windows\System32\IpSWnsv.exe
  C:\Windows\System32\IpSWnsv.exe
  2⤵
  PID:6696
- C:\Windows\System32\lqwzUFJ.exe
  C:\Windows\System32\lqwzUFJ.exe
  2⤵
  PID:6804
- C:\Windows\System32\uZycQLB.exe
  C:\Windows\System32\uZycQLB.exe
  2⤵
  PID:6872
- C:\Windows\System32\wqFAedn.exe
  C:\Windows\System32\wqFAedn.exe
  2⤵
  PID:6900
- C:\Windows\System32\ajllVQp.exe
  C:\Windows\System32\ajllVQp.exe
  2⤵
  PID:6972
- C:\Windows\System32\bkuVbXf.exe
  C:\Windows\System32\bkuVbXf.exe
  2⤵
  PID:7040
- C:\Windows\System32\TIFXKdJ.exe
  C:\Windows\System32\TIFXKdJ.exe
  2⤵
  PID:7124
- C:\Windows\System32\OcnmAgl.exe
  C:\Windows\System32\OcnmAgl.exe
  2⤵
  PID:7152
- C:\Windows\System32\cOyZchW.exe
  C:\Windows\System32\cOyZchW.exe
  2⤵
  PID:3736
- C:\Windows\System32\CaRzjuL.exe
  C:\Windows\System32\CaRzjuL.exe
  2⤵
  PID:5640
- C:\Windows\System32\ENWztGa.exe
  C:\Windows\System32\ENWztGa.exe
  2⤵
  PID:6216
- C:\Windows\System32\LwzocdK.exe
  C:\Windows\System32\LwzocdK.exe
  2⤵
  PID:5024
- C:\Windows\System32\TWuiIac.exe
  C:\Windows\System32\TWuiIac.exe
  2⤵
  PID:6480
- C:\Windows\System32\cdalRpW.exe
  C:\Windows\System32\cdalRpW.exe
  2⤵
  PID:6608
- C:\Windows\System32\LrqzRmO.exe
  C:\Windows\System32\LrqzRmO.exe
  2⤵
  PID:6724
- C:\Windows\System32\ZJTBhQY.exe
  C:\Windows\System32\ZJTBhQY.exe
  2⤵
  PID:4432
- C:\Windows\System32\qnIcmVq.exe
  C:\Windows\System32\qnIcmVq.exe
  2⤵
  PID:6976
- C:\Windows\System32\XXbppam.exe
  C:\Windows\System32\XXbppam.exe
  2⤵
  PID:7140
- C:\Windows\System32\zwyfaMt.exe
  C:\Windows\System32\zwyfaMt.exe
  2⤵
  PID:6188
- C:\Windows\System32\LJKTwZO.exe
  C:\Windows\System32\LJKTwZO.exe
  2⤵
  PID:5728
- C:\Windows\System32\WeMfpTo.exe
  C:\Windows\System32\WeMfpTo.exe
  2⤵
  PID:2208
- C:\Windows\System32\QCvuNTl.exe
  C:\Windows\System32\QCvuNTl.exe
  2⤵
  PID:6676
- C:\Windows\System32\OdsFRVZ.exe
  C:\Windows\System32\OdsFRVZ.exe
  2⤵
  PID:4764
- C:\Windows\System32\jnJRBbM.exe
  C:\Windows\System32\jnJRBbM.exe
  2⤵
  PID:1064
- C:\Windows\System32\mfHhpYx.exe
  C:\Windows\System32\mfHhpYx.exe
  2⤵
  PID:1592
- C:\Windows\System32\DOqFyzf.exe
  C:\Windows\System32\DOqFyzf.exe
  2⤵
  PID:7192
- C:\Windows\System32\aveeTdl.exe
  C:\Windows\System32\aveeTdl.exe
  2⤵
  PID:7220
- C:\Windows\System32\KNTUUVc.exe
  C:\Windows\System32\KNTUUVc.exe
  2⤵
  PID:7260
- C:\Windows\System32\NAEbnMi.exe
  C:\Windows\System32\NAEbnMi.exe
  2⤵
  PID:7276
- C:\Windows\System32\uNrMFPP.exe
  C:\Windows\System32\uNrMFPP.exe
  2⤵
  PID:7304
- C:\Windows\System32\mrAwbQu.exe
  C:\Windows\System32\mrAwbQu.exe
  2⤵
  PID:7452
- C:\Windows\System32\qXVvart.exe
  C:\Windows\System32\qXVvart.exe
  2⤵
  PID:7480
- C:\Windows\System32\aTocqlz.exe
  C:\Windows\System32\aTocqlz.exe
  2⤵
  PID:7512
- C:\Windows\System32\zZgZLrl.exe
  C:\Windows\System32\zZgZLrl.exe
  2⤵
  PID:7540
- C:\Windows\System32\sxjQmSO.exe
  C:\Windows\System32\sxjQmSO.exe
  2⤵
  PID:7576
- C:\Windows\System32\eciTWye.exe
  C:\Windows\System32\eciTWye.exe
  2⤵
  PID:7628
- C:\Windows\System32\CRXoNzB.exe
  C:\Windows\System32\CRXoNzB.exe
  2⤵
  PID:7664
- C:\Windows\System32\PYOcQSd.exe
  C:\Windows\System32\PYOcQSd.exe
  2⤵
  PID:7688
- C:\Windows\System32\tudQfmU.exe
  C:\Windows\System32\tudQfmU.exe
  2⤵
  PID:7716
- C:\Windows\System32\oZTbfFt.exe
  C:\Windows\System32\oZTbfFt.exe
  2⤵
  PID:7748
- C:\Windows\System32\GXTuRcM.exe
  C:\Windows\System32\GXTuRcM.exe
  2⤵
  PID:7796
- C:\Windows\System32\TzMzkyk.exe
  C:\Windows\System32\TzMzkyk.exe
  2⤵
  PID:7820
- C:\Windows\System32\qvZdnLX.exe
  C:\Windows\System32\qvZdnLX.exe
  2⤵
  PID:7860
- C:\Windows\System32\ctEJado.exe
  C:\Windows\System32\ctEJado.exe
  2⤵
  PID:7888
- C:\Windows\System32\lPnsmcs.exe
  C:\Windows\System32\lPnsmcs.exe
  2⤵
  PID:7904
- C:\Windows\System32\yaIqgtb.exe
  C:\Windows\System32\yaIqgtb.exe
  2⤵
  PID:7932
- C:\Windows\System32\Xamqxba.exe
  C:\Windows\System32\Xamqxba.exe
  2⤵
  PID:7972
- C:\Windows\System32\cTgYoXd.exe
  C:\Windows\System32\cTgYoXd.exe
  2⤵
  PID:7988
- C:\Windows\System32\kttZZFS.exe
  C:\Windows\System32\kttZZFS.exe
  2⤵
  PID:8016
- C:\Windows\System32\LlcFBDo.exe
  C:\Windows\System32\LlcFBDo.exe
  2⤵
  PID:8044
- C:\Windows\System32\twoIMER.exe
  C:\Windows\System32\twoIMER.exe
  2⤵
  PID:8072
- C:\Windows\System32\RSezDHL.exe
  C:\Windows\System32\RSezDHL.exe
  2⤵
  PID:8112
- C:\Windows\System32\uRHnMtC.exe
  C:\Windows\System32\uRHnMtC.exe
  2⤵
  PID:8128
- C:\Windows\System32\FwpDaNO.exe
  C:\Windows\System32\FwpDaNO.exe
  2⤵
  PID:8168
- C:\Windows\System32\CnJhnkJ.exe
  C:\Windows\System32\CnJhnkJ.exe
  2⤵
  PID:8184
- C:\Windows\System32\sSyQZVh.exe
  C:\Windows\System32\sSyQZVh.exe
  2⤵
  PID:4752
- C:\Windows\System32\cjAIuZY.exe
  C:\Windows\System32\cjAIuZY.exe
  2⤵
  PID:4544
- C:\Windows\System32\JgohyyN.exe
  C:\Windows\System32\JgohyyN.exe
  2⤵
  PID:4716
- C:\Windows\System32\ILuyMen.exe
  C:\Windows\System32\ILuyMen.exe
  2⤵
  PID:2512
- C:\Windows\System32\LWGTXPy.exe
  C:\Windows\System32\LWGTXPy.exe
  2⤵
  PID:2724
- C:\Windows\System32\tvxXdqb.exe
  C:\Windows\System32\tvxXdqb.exe
  2⤵
  PID:7244
- C:\Windows\System32\bUkXazU.exe
  C:\Windows\System32\bUkXazU.exe
  2⤵
  PID:4796
- C:\Windows\System32\cJKsgwe.exe
  C:\Windows\System32\cJKsgwe.exe
  2⤵
  PID:7300
- C:\Windows\System32\teeTPpc.exe
  C:\Windows\System32\teeTPpc.exe
  2⤵
  PID:7392
- C:\Windows\System32\YexNgdc.exe
  C:\Windows\System32\YexNgdc.exe
  2⤵
  PID:2372
- C:\Windows\System32\vWsonhE.exe
  C:\Windows\System32\vWsonhE.exe
  2⤵
  PID:4824
- C:\Windows\System32\ZTpcmHc.exe
  C:\Windows\System32\ZTpcmHc.exe
  2⤵
  PID:7416
- C:\Windows\System32\ycfaKOA.exe
  C:\Windows\System32\ycfaKOA.exe
  2⤵
  PID:7552
- C:\Windows\System32\nGMgApn.exe
  C:\Windows\System32\nGMgApn.exe
  2⤵
  PID:7608
- C:\Windows\System32\wjxssHY.exe
  C:\Windows\System32\wjxssHY.exe
  2⤵
  PID:3000
- C:\Windows\System32\daCxsCR.exe
  C:\Windows\System32\daCxsCR.exe
  2⤵
  PID:7980
- C:\Windows\System32\uYxTScB.exe
  C:\Windows\System32\uYxTScB.exe
  2⤵
  PID:7916
- C:\Windows\System32\iWsonfE.exe
  C:\Windows\System32\iWsonfE.exe
  2⤵
  PID:7844
- C:\Windows\System32\mJBzHgb.exe
  C:\Windows\System32\mJBzHgb.exe
  2⤵
  PID:7740
- C:\Windows\System32\Cqodvjj.exe
  C:\Windows\System32\Cqodvjj.exe
  2⤵
  PID:4092
- C:\Windows\System32\VeGvQBX.exe
  C:\Windows\System32\VeGvQBX.exe
  2⤵
  PID:7208
- C:\Windows\System32\pgwjzTD.exe
  C:\Windows\System32\pgwjzTD.exe
  2⤵
  PID:7272
- C:\Windows\System32\dtzTZPb.exe
  C:\Windows\System32\dtzTZPb.exe
  2⤵
  PID:7444
- C:\Windows\System32\vfRIYDQ.exe
  C:\Windows\System32\vfRIYDQ.exe
  2⤵
  PID:7372
- C:\Windows\System32\UArwWeb.exe
  C:\Windows\System32\UArwWeb.exe
  2⤵
  PID:7436
- C:\Windows\System32\QrrXMVp.exe
  C:\Windows\System32\QrrXMVp.exe
  2⤵
  PID:7724
- C:\Windows\System32\qovoLxf.exe
  C:\Windows\System32\qovoLxf.exe
  2⤵
  PID:7432
- C:\Windows\System32\QIpShZY.exe
  C:\Windows\System32\QIpShZY.exe
  2⤵
  PID:7964
- C:\Windows\System32\fbtJRyT.exe
  C:\Windows\System32\fbtJRyT.exe
  2⤵
  PID:7872
- C:\Windows\System32\AVGPYFo.exe
  C:\Windows\System32\AVGPYFo.exe
  2⤵
  PID:7656
- C:\Windows\System32\cPrYgha.exe
  C:\Windows\System32\cPrYgha.exe
  2⤵
  PID:8160
- C:\Windows\System32\pJQKjhu.exe
  C:\Windows\System32\pJQKjhu.exe
  2⤵
  PID:7572
- C:\Windows\System32\HeaSNrN.exe
  C:\Windows\System32\HeaSNrN.exe
  2⤵
  PID:4044
- C:\Windows\System32\mfDFJyq.exe
  C:\Windows\System32\mfDFJyq.exe
  2⤵
  PID:7504
- C:\Windows\System32\iafnUKr.exe
  C:\Windows\System32\iafnUKr.exe
  2⤵
  PID:7420
- C:\Windows\System32\GlZGQuf.exe
  C:\Windows\System32\GlZGQuf.exe
  2⤵
  PID:8144
- C:\Windows\System32\UJhpJSG.exe
  C:\Windows\System32\UJhpJSG.exe
  2⤵
  PID:380
- C:\Windows\System32\cjWqGLU.exe
  C:\Windows\System32\cjWqGLU.exe
  2⤵
  PID:7944
- C:\Windows\System32\OWBUOnn.exe
  C:\Windows\System32\OWBUOnn.exe
  2⤵
  PID:2664
- C:\Windows\System32\VDZCPDZ.exe
  C:\Windows\System32\VDZCPDZ.exe
  2⤵
  PID:2396
- C:\Windows\System32\WeUbGdq.exe
  C:\Windows\System32\WeUbGdq.exe
  2⤵
  PID:8216
- C:\Windows\System32\jIKxymX.exe
  C:\Windows\System32\jIKxymX.exe
  2⤵
  PID:8248
- C:\Windows\System32\NSBarqO.exe
  C:\Windows\System32\NSBarqO.exe
  2⤵
  PID:8292
- C:\Windows\System32\xYxovLK.exe
  C:\Windows\System32\xYxovLK.exe
  2⤵
  PID:8312
- C:\Windows\System32\rggVixF.exe
  C:\Windows\System32\rggVixF.exe
  2⤵
  PID:8340
- C:\Windows\System32\MPzUqzt.exe
  C:\Windows\System32\MPzUqzt.exe
  2⤵
  PID:8368
- C:\Windows\System32\lWCsiVI.exe
  C:\Windows\System32\lWCsiVI.exe
  2⤵
  PID:8396
- C:\Windows\System32\fhnlOJc.exe
  C:\Windows\System32\fhnlOJc.exe
  2⤵
  PID:8432
- C:\Windows\System32\rlAqoKw.exe
  C:\Windows\System32\rlAqoKw.exe
  2⤵
  PID:8464
- C:\Windows\System32\DBVxoEy.exe
  C:\Windows\System32\DBVxoEy.exe
  2⤵
  PID:8480
- C:\Windows\System32\pppBWcH.exe
  C:\Windows\System32\pppBWcH.exe
  2⤵
  PID:8520
- C:\Windows\System32\tfkczMt.exe
  C:\Windows\System32\tfkczMt.exe
  2⤵
  PID:8540
- C:\Windows\System32\lLeqMdw.exe
  C:\Windows\System32\lLeqMdw.exe
  2⤵
  PID:8568
- C:\Windows\System32\BZArYPL.exe
  C:\Windows\System32\BZArYPL.exe
  2⤵
  PID:8600
- C:\Windows\System32\iCQPAso.exe
  C:\Windows\System32\iCQPAso.exe
  2⤵
  PID:8632
- C:\Windows\System32\HFzkSNM.exe
  C:\Windows\System32\HFzkSNM.exe
  2⤵
  PID:8648
- C:\Windows\System32\LktsmYS.exe
  C:\Windows\System32\LktsmYS.exe
  2⤵
  PID:8688
- C:\Windows\System32\LJXONlZ.exe
  C:\Windows\System32\LJXONlZ.exe
  2⤵
  PID:8720
- C:\Windows\System32\hwwgoIW.exe
  C:\Windows\System32\hwwgoIW.exe
  2⤵
  PID:8744
- C:\Windows\System32\IAeJqLg.exe
  C:\Windows\System32\IAeJqLg.exe
  2⤵
  PID:8784
- C:\Windows\System32\NZRGont.exe
  C:\Windows\System32\NZRGont.exe
  2⤵
  PID:8816
- C:\Windows\System32\BeKtIGg.exe
  C:\Windows\System32\BeKtIGg.exe
  2⤵
  PID:8844
- C:\Windows\System32\SgaCGnt.exe
  C:\Windows\System32\SgaCGnt.exe
  2⤵
  PID:8860
- C:\Windows\System32\hcRJZGL.exe
  C:\Windows\System32\hcRJZGL.exe
  2⤵
  PID:8888
- C:\Windows\System32\rFJlpOe.exe
  C:\Windows\System32\rFJlpOe.exe
  2⤵
  PID:8916
- C:\Windows\System32\MoDUeZW.exe
  C:\Windows\System32\MoDUeZW.exe
  2⤵
  PID:8956
- C:\Windows\System32\WDQZzFM.exe
  C:\Windows\System32\WDQZzFM.exe
  2⤵
  PID:8984
- C:\Windows\System32\JjdOzzI.exe
  C:\Windows\System32\JjdOzzI.exe
  2⤵
  PID:9000
- C:\Windows\System32\jhmJPAX.exe
  C:\Windows\System32\jhmJPAX.exe
  2⤵
  PID:9040
- C:\Windows\System32\HmmEAPx.exe
  C:\Windows\System32\HmmEAPx.exe
  2⤵
  PID:9068
- C:\Windows\System32\tNRuqEJ.exe
  C:\Windows\System32\tNRuqEJ.exe
  2⤵
  PID:9084
- C:\Windows\System32\lppIwrM.exe
  C:\Windows\System32\lppIwrM.exe
  2⤵
  PID:9124
- C:\Windows\System32\iDDwRnm.exe
  C:\Windows\System32\iDDwRnm.exe
  2⤵
  PID:9140
- C:\Windows\System32\fKZAXqg.exe
  C:\Windows\System32\fKZAXqg.exe
  2⤵
  PID:9172
- C:\Windows\System32\MBRnwua.exe
  C:\Windows\System32\MBRnwua.exe
  2⤵
  PID:9196
- C:\Windows\System32\ADKfbdg.exe
  C:\Windows\System32\ADKfbdg.exe
  2⤵
  PID:8212
- C:\Windows\System32\qFtLGQI.exe
  C:\Windows\System32\qFtLGQI.exe
  2⤵
  PID:8304
- C:\Windows\System32\VqAgiEV.exe
  C:\Windows\System32\VqAgiEV.exe
  2⤵
  PID:8360
- C:\Windows\System32\OfaUUKB.exe
  C:\Windows\System32\OfaUUKB.exe
  2⤵
  PID:8448
- C:\Windows\System32\rzrWksS.exe
  C:\Windows\System32\rzrWksS.exe
  2⤵
  PID:8496
- C:\Windows\System32\rYlRgTI.exe
  C:\Windows\System32\rYlRgTI.exe
  2⤵
  PID:8556
- C:\Windows\System32\fBnCeFr.exe
  C:\Windows\System32\fBnCeFr.exe
  2⤵
  PID:8624
- C:\Windows\System32\pjRapag.exe
  C:\Windows\System32\pjRapag.exe
  2⤵
  PID:8680
- C:\Windows\System32\qVRVnjb.exe
  C:\Windows\System32\qVRVnjb.exe
  2⤵
  PID:4356
- C:\Windows\System32\zcCiJhq.exe
  C:\Windows\System32\zcCiJhq.exe
  2⤵
  PID:8808
- C:\Windows\System32\XWUxAQJ.exe
  C:\Windows\System32\XWUxAQJ.exe
  2⤵
  PID:8852
- C:\Windows\System32\TVjCccN.exe
  C:\Windows\System32\TVjCccN.exe
  2⤵
  PID:8948
- C:\Windows\System32\dlEIQWl.exe
  C:\Windows\System32\dlEIQWl.exe
  2⤵
  PID:9028
- C:\Windows\System32\DzdEdKu.exe
  C:\Windows\System32\DzdEdKu.exe
  2⤵
  PID:9080
- C:\Windows\System32\dqPyzhI.exe
  C:\Windows\System32\dqPyzhI.exe
  2⤵
  PID:9120
- C:\Windows\System32\sFnfHYm.exe
  C:\Windows\System32\sFnfHYm.exe
  2⤵
  PID:9212
- C:\Windows\System32\aQjCHeW.exe
  C:\Windows\System32\aQjCHeW.exe
  2⤵
  PID:8460
- C:\Windows\System32\XjjIqcm.exe
  C:\Windows\System32\XjjIqcm.exe
  2⤵
  PID:4300
- C:\Windows\System32\IFaJpQo.exe
  C:\Windows\System32\IFaJpQo.exe
  2⤵
  PID:8716
- C:\Windows\System32\uVFXWKT.exe
  C:\Windows\System32\uVFXWKT.exe
  2⤵
  PID:8880
- C:\Windows\System32\srxKuJF.exe
  C:\Windows\System32\srxKuJF.exe
  2⤵
  PID:9076
- C:\Windows\System32\spwJVGV.exe
  C:\Windows\System32\spwJVGV.exe
  2⤵
  PID:8412
- C:\Windows\System32\iSCBOFh.exe
  C:\Windows\System32\iSCBOFh.exe
  2⤵
  PID:8532
- C:\Windows\System32\tIRgshR.exe
  C:\Windows\System32\tIRgshR.exe
  2⤵
  PID:8932
- C:\Windows\System32\zMlTZXZ.exe
  C:\Windows\System32\zMlTZXZ.exe
  2⤵
  PID:9180
- C:\Windows\System32\ufLtMwx.exe
  C:\Windows\System32\ufLtMwx.exe
  2⤵
  PID:9220
- C:\Windows\System32\pvHWZRu.exe
  C:\Windows\System32\pvHWZRu.exe
  2⤵
  PID:9264
- C:\Windows\System32\OvFRaSQ.exe
  C:\Windows\System32\OvFRaSQ.exe
  2⤵
  PID:9292
- C:\Windows\System32\LjWYJHi.exe
  C:\Windows\System32\LjWYJHi.exe
  2⤵
  PID:9316
- C:\Windows\System32\jVmNxbu.exe
  C:\Windows\System32\jVmNxbu.exe
  2⤵
  PID:9340
- C:\Windows\System32\QzfOHoC.exe
  C:\Windows\System32\QzfOHoC.exe
  2⤵
  PID:9360
- C:\Windows\System32\qayVsBN.exe
  C:\Windows\System32\qayVsBN.exe
  2⤵
  PID:9412
- C:\Windows\System32\LMJJYve.exe
  C:\Windows\System32\LMJJYve.exe
  2⤵
  PID:9436
- C:\Windows\System32\fyqmKhN.exe
  C:\Windows\System32\fyqmKhN.exe
  2⤵
  PID:9464
- C:\Windows\System32\OJIVOJJ.exe
  C:\Windows\System32\OJIVOJJ.exe
  2⤵
  PID:9480
- C:\Windows\System32\UAItsSv.exe
  C:\Windows\System32\UAItsSv.exe
  2⤵
  PID:9508
- C:\Windows\System32\cjkziGv.exe
  C:\Windows\System32\cjkziGv.exe
  2⤵
  PID:9552
- C:\Windows\System32\OFHzdPw.exe
  C:\Windows\System32\OFHzdPw.exe
  2⤵
  PID:9580
- C:\Windows\System32\kVczMtT.exe
  C:\Windows\System32\kVczMtT.exe
  2⤵
  PID:9604
- C:\Windows\System32\RGTbiub.exe
  C:\Windows\System32\RGTbiub.exe
  2⤵
  PID:9628
- C:\Windows\System32\tLuwhjo.exe
  C:\Windows\System32\tLuwhjo.exe
  2⤵
  PID:9664
- C:\Windows\System32\AUsWree.exe
  C:\Windows\System32\AUsWree.exe
  2⤵
  PID:9692
- C:\Windows\System32\WorgZdK.exe
  C:\Windows\System32\WorgZdK.exe
  2⤵
  PID:9720
- C:\Windows\System32\XSrVWXt.exe
  C:\Windows\System32\XSrVWXt.exe
  2⤵
  PID:9736
- C:\Windows\System32\DPsKUAQ.exe
  C:\Windows\System32\DPsKUAQ.exe
  2⤵
  PID:9768
- C:\Windows\System32\MKwpDUf.exe
  C:\Windows\System32\MKwpDUf.exe
  2⤵
  PID:9796
- C:\Windows\System32\SmkfHqu.exe
  C:\Windows\System32\SmkfHqu.exe
  2⤵
  PID:9840
- C:\Windows\System32\jSsDUND.exe
  C:\Windows\System32\jSsDUND.exe
  2⤵
  PID:9868
- C:\Windows\System32\QBbBflb.exe
  C:\Windows\System32\QBbBflb.exe
  2⤵
  PID:9892
- C:\Windows\System32\InsgLbR.exe
  C:\Windows\System32\InsgLbR.exe
  2⤵
  PID:9912
- C:\Windows\System32\xwfjMNG.exe
  C:\Windows\System32\xwfjMNG.exe
  2⤵
  PID:9960
- C:\Windows\System32\sMZCmTI.exe
  C:\Windows\System32\sMZCmTI.exe
  2⤵
  PID:9988
- C:\Windows\System32\XnGZpMk.exe
  C:\Windows\System32\XnGZpMk.exe
  2⤵
  PID:10012
- C:\Windows\System32\TZvyJCi.exe
  C:\Windows\System32\TZvyJCi.exe
  2⤵
  PID:10044
- C:\Windows\System32\fIDHUCa.exe
  C:\Windows\System32\fIDHUCa.exe
  2⤵
  PID:10088
- C:\Windows\System32\LVXACBZ.exe
  C:\Windows\System32\LVXACBZ.exe
  2⤵
  PID:10128
- C:\Windows\System32\WAHkJyI.exe
  C:\Windows\System32\WAHkJyI.exe
  2⤵
  PID:10148
- C:\Windows\System32\amOMBmx.exe
  C:\Windows\System32\amOMBmx.exe
  2⤵
  PID:10164
- C:\Windows\System32\uGdjKiT.exe
  C:\Windows\System32\uGdjKiT.exe
  2⤵
  PID:10212
- C:\Windows\System32\QSByhIp.exe
  C:\Windows\System32\QSByhIp.exe
  2⤵
  PID:10236
- C:\Windows\System32\IkIUwvQ.exe
  C:\Windows\System32\IkIUwvQ.exe
  2⤵
  PID:9252
- C:\Windows\System32\nhZzJAp.exe
  C:\Windows\System32\nhZzJAp.exe
  2⤵
  PID:9312
- C:\Windows\System32\Blxqzsm.exe
  C:\Windows\System32\Blxqzsm.exe
  2⤵
  PID:9356
- C:\Windows\System32\deiPBcq.exe
  C:\Windows\System32\deiPBcq.exe
  2⤵
  PID:9404
- C:\Windows\System32\UHairng.exe
  C:\Windows\System32\UHairng.exe
  2⤵
  PID:9500
- C:\Windows\System32\GZLgzih.exe
  C:\Windows\System32\GZLgzih.exe
  2⤵
  PID:9540
- C:\Windows\System32\USnOwWL.exe
  C:\Windows\System32\USnOwWL.exe
  2⤵
  PID:9616
- C:\Windows\System32\ZYZKDri.exe
  C:\Windows\System32\ZYZKDri.exe
  2⤵
  PID:9704
- C:\Windows\System32\HWlntbq.exe
  C:\Windows\System32\HWlntbq.exe
  2⤵
  PID:9764
- C:\Windows\System32\VNDBIZs.exe
  C:\Windows\System32\VNDBIZs.exe
  2⤵
  PID:9784
- C:\Windows\System32\vDFVfhp.exe
  C:\Windows\System32\vDFVfhp.exe
  2⤵
  PID:9884
- C:\Windows\System32\HHAKrpU.exe
  C:\Windows\System32\HHAKrpU.exe
  2⤵
  PID:9980
- C:\Windows\System32\XTMmbZo.exe
  C:\Windows\System32\XTMmbZo.exe
  2⤵
  PID:10056
- C:\Windows\System32\EwSgOeT.exe
  C:\Windows\System32\EwSgOeT.exe
  2⤵
  PID:10144
- C:\Windows\System32\aJyYNyQ.exe
  C:\Windows\System32\aJyYNyQ.exe
  2⤵
  PID:10208
- C:\Windows\System32\WCZraMS.exe
  C:\Windows\System32\WCZraMS.exe
  2⤵
  PID:9232
- C:\Windows\System32\izjPNoA.exe
  C:\Windows\System32\izjPNoA.exe
  2⤵
  PID:5692
- C:\Windows\System32\QfJyzuR.exe
  C:\Windows\System32\QfJyzuR.exe
  2⤵
  PID:9600
- C:\Windows\System32\NHrZLyI.exe
  C:\Windows\System32\NHrZLyI.exe
  2⤵
  PID:9676
- C:\Windows\System32\ZznVYov.exe
  C:\Windows\System32\ZznVYov.exe
  2⤵
  PID:9856
- C:\Windows\System32\EmrRXwl.exe
  C:\Windows\System32\EmrRXwl.exe
  2⤵
  PID:10072
- C:\Windows\System32\FnCWpaz.exe
  C:\Windows\System32\FnCWpaz.exe
  2⤵
  PID:4408
- C:\Windows\System32\kpMkiTQ.exe
  C:\Windows\System32\kpMkiTQ.exe
  2⤵
  PID:9476
- C:\Windows\System32\csmYaeU.exe
  C:\Windows\System32\csmYaeU.exe
  2⤵
  PID:9936
- C:\Windows\System32\dEFuSpC.exe
  C:\Windows\System32\dEFuSpC.exe
  2⤵
  PID:9532
- C:\Windows\System32\qZBtEDC.exe
  C:\Windows\System32\qZBtEDC.exe
  2⤵
  PID:10244
- C:\Windows\System32\ILRcklH.exe
  C:\Windows\System32\ILRcklH.exe
  2⤵
  PID:10264
- C:\Windows\System32\LBzuthV.exe
  C:\Windows\System32\LBzuthV.exe
  2⤵
  PID:10304
- C:\Windows\System32\xjLZUOM.exe
  C:\Windows\System32\xjLZUOM.exe
  2⤵
  PID:10320
- C:\Windows\System32\qgtZAej.exe
  C:\Windows\System32\qgtZAej.exe
  2⤵
  PID:10348
- C:\Windows\System32\Lzloupv.exe
  C:\Windows\System32\Lzloupv.exe
  2⤵
  PID:10388
- C:\Windows\System32\vNYktzM.exe
  C:\Windows\System32\vNYktzM.exe
  2⤵
  PID:10424
- C:\Windows\System32\EVolVjO.exe
  C:\Windows\System32\EVolVjO.exe
  2⤵
  PID:10456
- C:\Windows\System32\tmFojST.exe
  C:\Windows\System32\tmFojST.exe
  2⤵
  PID:10480
- C:\Windows\System32\kZVeuSH.exe
  C:\Windows\System32\kZVeuSH.exe
  2⤵
  PID:10504
- C:\Windows\System32\udDFWVV.exe
  C:\Windows\System32\udDFWVV.exe
  2⤵
  PID:10544
- C:\Windows\System32\aokrTte.exe
  C:\Windows\System32\aokrTte.exe
  2⤵
  PID:10576
- C:\Windows\System32\OLYXMSE.exe
  C:\Windows\System32\OLYXMSE.exe
  2⤵
  PID:10604
- C:\Windows\System32\enIoAmx.exe
  C:\Windows\System32\enIoAmx.exe
  2⤵
  PID:10628
- C:\Windows\System32\zLInIby.exe
  C:\Windows\System32\zLInIby.exe
  2⤵
  PID:10652
- C:\Windows\System32\EgObEDs.exe
  C:\Windows\System32\EgObEDs.exe
  2⤵
  PID:10688
- C:\Windows\System32\KWouJuf.exe
  C:\Windows\System32\KWouJuf.exe
  2⤵
  PID:10704
- C:\Windows\System32\nwqyqDJ.exe
  C:\Windows\System32\nwqyqDJ.exe
  2⤵
  PID:10732
- C:\Windows\System32\dyFAjGi.exe
  C:\Windows\System32\dyFAjGi.exe
  2⤵
  PID:10772
- C:\Windows\System32\PVOCqsi.exe
  C:\Windows\System32\PVOCqsi.exe
  2⤵
  PID:10800
- C:\Windows\System32\GImKzHP.exe
  C:\Windows\System32\GImKzHP.exe
  2⤵
  PID:10828
- C:\Windows\System32\ILcSNtZ.exe
  C:\Windows\System32\ILcSNtZ.exe
  2⤵
  PID:10856
- C:\Windows\System32\oLAwsQv.exe
  C:\Windows\System32\oLAwsQv.exe
  2⤵
  PID:10876
- C:\Windows\System32\qARHUXC.exe
  C:\Windows\System32\qARHUXC.exe
  2⤵
  PID:10912
- C:\Windows\System32\JkZArrw.exe
  C:\Windows\System32\JkZArrw.exe
  2⤵
  PID:10932
- C:\Windows\System32\vXKvdjp.exe
  C:\Windows\System32\vXKvdjp.exe
  2⤵
  PID:10968
- C:\Windows\System32\wuElifd.exe
  C:\Windows\System32\wuElifd.exe
  2⤵
  PID:10996
- C:\Windows\System32\quqGgFK.exe
  C:\Windows\System32\quqGgFK.exe
  2⤵
  PID:11024
- C:\Windows\System32\SHrleTf.exe
  C:\Windows\System32\SHrleTf.exe
  2⤵
  PID:11052
- C:\Windows\System32\OLSMybY.exe
  C:\Windows\System32\OLSMybY.exe
  2⤵
  PID:11068
- C:\Windows\System32\PlvwICY.exe
  C:\Windows\System32\PlvwICY.exe
  2⤵
  PID:11108
- C:\Windows\System32\sKKpKPu.exe
  C:\Windows\System32\sKKpKPu.exe
  2⤵
  PID:11136
- C:\Windows\System32\bBbJgVX.exe
  C:\Windows\System32\bBbJgVX.exe
  2⤵
  PID:11164
- C:\Windows\System32\xrGmCUE.exe
  C:\Windows\System32\xrGmCUE.exe
  2⤵
  PID:11180
- C:\Windows\System32\CpfQdiM.exe
  C:\Windows\System32\CpfQdiM.exe
  2⤵
  PID:11220
- C:\Windows\System32\plKXqlZ.exe
  C:\Windows\System32\plKXqlZ.exe
  2⤵
  PID:11236
- C:\Windows\System32\AHeCjIm.exe
  C:\Windows\System32\AHeCjIm.exe
  2⤵
  PID:10260
- C:\Windows\System32\THnUssI.exe
  C:\Windows\System32\THnUssI.exe
  2⤵
  PID:10312
- C:\Windows\System32\kRmIcfe.exe
  C:\Windows\System32\kRmIcfe.exe
  2⤵
  PID:10036
- C:\Windows\System32\jFQDiTb.exe
  C:\Windows\System32\jFQDiTb.exe
  2⤵
  PID:10444
- C:\Windows\System32\KwaXJro.exe
  C:\Windows\System32\KwaXJro.exe
  2⤵
  PID:10492
- C:\Windows\System32\DWMZkSJ.exe
  C:\Windows\System32\DWMZkSJ.exe
  2⤵
  PID:8364
- C:\Windows\System32\YCvuUuo.exe
  C:\Windows\System32\YCvuUuo.exe
  2⤵
  PID:10556
- C:\Windows\System32\qYnEmrP.exe
  C:\Windows\System32\qYnEmrP.exe
  2⤵
  PID:10636
- C:\Windows\System32\QrIVORV.exe
  C:\Windows\System32\QrIVORV.exe
  2⤵
  PID:10696
- C:\Windows\System32\QTTmsux.exe
  C:\Windows\System32\QTTmsux.exe
  2⤵
  PID:10720
- C:\Windows\System32\KlmxlvY.exe
  C:\Windows\System32\KlmxlvY.exe
  2⤵
  PID:10824
- C:\Windows\System32\jczPjuQ.exe
  C:\Windows\System32\jczPjuQ.exe
  2⤵
  PID:10864
- C:\Windows\System32\QKzPPhv.exe
  C:\Windows\System32\QKzPPhv.exe
  2⤵
  PID:10956
- C:\Windows\System32\GIgWJNN.exe
  C:\Windows\System32\GIgWJNN.exe
  2⤵
  PID:10988
- C:\Windows\System32\YOotrlu.exe
  C:\Windows\System32\YOotrlu.exe
  2⤵
  PID:11060
- C:\Windows\System32\ZLphuCQ.exe
  C:\Windows\System32\ZLphuCQ.exe
  2⤵
  PID:11128
- C:\Windows\System32\LzPSNwG.exe
  C:\Windows\System32\LzPSNwG.exe
  2⤵
  PID:11200
- C:\Windows\System32\DBuJVoH.exe
  C:\Windows\System32\DBuJVoH.exe
  2⤵
  PID:11248
- C:\Windows\System32\KHxxoug.exe
  C:\Windows\System32\KHxxoug.exe
  2⤵
  PID:10376
- C:\Windows\System32\jzjyboh.exe
  C:\Windows\System32\jzjyboh.exe
  2⤵
  PID:8516
- C:\Windows\System32\WsHKVjo.exe
  C:\Windows\System32\WsHKVjo.exe
  2⤵
  PID:10536
- C:\Windows\System32\cTrbxsq.exe
  C:\Windows\System32\cTrbxsq.exe
  2⤵
  PID:10744
- C:\Windows\System32\OJXjyYX.exe
  C:\Windows\System32\OJXjyYX.exe
  2⤵
  PID:10896
- C:\Windows\System32\AoBozOM.exe
  C:\Windows\System32\AoBozOM.exe
  2⤵
  PID:11040
- C:\Windows\System32\PFFjByb.exe
  C:\Windows\System32\PFFjByb.exe
  2⤵
  PID:11100
- C:\Windows\System32\JaQdXMM.exe
  C:\Windows\System32\JaQdXMM.exe
  2⤵
  PID:10472
- C:\Windows\System32\ILcLnQy.exe
  C:\Windows\System32\ILcLnQy.exe
  2⤵
  PID:10684
- C:\Windows\System32\yoaVwLe.exe
  C:\Windows\System32\yoaVwLe.exe
  2⤵
  PID:11020
- C:\Windows\System32\maQrHDC.exe
  C:\Windows\System32\maQrHDC.exe
  2⤵
  PID:10540
- C:\Windows\System32\yjlzjxe.exe
  C:\Windows\System32\yjlzjxe.exe
  2⤵
  PID:10300
- C:\Windows\System32\AhhijeT.exe
  C:\Windows\System32\AhhijeT.exe
  2⤵
  PID:11276
- C:\Windows\System32\VOTyjXr.exe
  C:\Windows\System32\VOTyjXr.exe
  2⤵
  PID:11292
- C:\Windows\System32\ifztyFH.exe
  C:\Windows\System32\ifztyFH.exe
  2⤵
  PID:11320
- C:\Windows\System32\WoCoTdt.exe
  C:\Windows\System32\WoCoTdt.exe
  2⤵
  PID:11360
- C:\Windows\System32\msYlrLJ.exe
  C:\Windows\System32\msYlrLJ.exe
  2⤵
  PID:11376
- C:\Windows\System32\EyReRPH.exe
  C:\Windows\System32\EyReRPH.exe
  2⤵
  PID:11416
- C:\Windows\System32\VjvpgtY.exe
  C:\Windows\System32\VjvpgtY.exe
  2⤵
  PID:11464
- C:\Windows\System32\vZjmBpS.exe
  C:\Windows\System32\vZjmBpS.exe
  2⤵
  PID:11488
- C:\Windows\System32\teYUSyc.exe
  C:\Windows\System32\teYUSyc.exe
  2⤵
  PID:11520
- C:\Windows\System32\GNMwOHB.exe
  C:\Windows\System32\GNMwOHB.exe
  2⤵
  PID:11536
- C:\Windows\System32\dCGzjLl.exe
  C:\Windows\System32\dCGzjLl.exe
  2⤵
  PID:11580
- C:\Windows\System32\ibtYSiu.exe
  C:\Windows\System32\ibtYSiu.exe
  2⤵
  PID:11608
- C:\Windows\System32\MKuAYii.exe
  C:\Windows\System32\MKuAYii.exe
  2⤵
  PID:11660
- C:\Windows\System32\sjMTTYD.exe
  C:\Windows\System32\sjMTTYD.exe
  2⤵
  PID:11676
- C:\Windows\System32\YcDbIzn.exe
  C:\Windows\System32\YcDbIzn.exe
  2⤵
  PID:11716
- C:\Windows\System32\CqlfgxW.exe
  C:\Windows\System32\CqlfgxW.exe
  2⤵
  PID:11736
- C:\Windows\System32\IMrMGSv.exe
  C:\Windows\System32\IMrMGSv.exe
  2⤵
  PID:11772
- C:\Windows\System32\BfMiiJp.exe
  C:\Windows\System32\BfMiiJp.exe
  2⤵
  PID:11792
- C:\Windows\System32\geIipFZ.exe
  C:\Windows\System32\geIipFZ.exe
  2⤵
  PID:11824
- C:\Windows\System32\XDLeNQE.exe
  C:\Windows\System32\XDLeNQE.exe
  2⤵
  PID:11856
- C:\Windows\System32\bFftVzp.exe
  C:\Windows\System32\bFftVzp.exe
  2⤵
  PID:11884
- C:\Windows\System32\UzboQzJ.exe
  C:\Windows\System32\UzboQzJ.exe
  2⤵
  PID:11912
- C:\Windows\System32\YLYZKYx.exe
  C:\Windows\System32\YLYZKYx.exe
  2⤵
  PID:11932
- C:\Windows\System32\UaIjpNq.exe
  C:\Windows\System32\UaIjpNq.exe
  2⤵
  PID:11960
- C:\Windows\System32\AtYnFSZ.exe
  C:\Windows\System32\AtYnFSZ.exe
  2⤵
  PID:11996
- C:\Windows\System32\spDVfMR.exe
  C:\Windows\System32\spDVfMR.exe
  2⤵
  PID:12024
- C:\Windows\System32\fOmnqFH.exe
  C:\Windows\System32\fOmnqFH.exe
  2⤵
  PID:12052
- C:\Windows\System32\IXnVgrP.exe
  C:\Windows\System32\IXnVgrP.exe
  2⤵
  PID:12068
- C:\Windows\System32\nbmoaET.exe
  C:\Windows\System32\nbmoaET.exe
  2⤵
  PID:12108
- C:\Windows\System32\gDvIUju.exe
  C:\Windows\System32\gDvIUju.exe
  2⤵
  PID:12136
- C:\Windows\System32\tqcCByY.exe
  C:\Windows\System32\tqcCByY.exe
  2⤵
  PID:12156
- C:\Windows\System32\TsaZyTI.exe
  C:\Windows\System32\TsaZyTI.exe
  2⤵
  PID:12192
- C:\Windows\System32\dQreCrO.exe
  C:\Windows\System32\dQreCrO.exe
  2⤵
  PID:12220
- C:\Windows\System32\VHfEiWy.exe
  C:\Windows\System32\VHfEiWy.exe
  2⤵
  PID:12236
- C:\Windows\System32\RZDTHQh.exe
  C:\Windows\System32\RZDTHQh.exe
  2⤵
  PID:12272
- C:\Windows\System32\kcTHIgf.exe
  C:\Windows\System32\kcTHIgf.exe
  2⤵
  PID:11268
- C:\Windows\System32\NgWgWQH.exe
  C:\Windows\System32\NgWgWQH.exe
  2⤵
  PID:11304
- C:\Windows\System32\JdfaFEX.exe
  C:\Windows\System32\JdfaFEX.exe
  2⤵
  PID:11404
- C:\Windows\System32\enFNopv.exe
  C:\Windows\System32\enFNopv.exe
  2⤵
  PID:11476
- C:\Windows\System32\neAyieD.exe
  C:\Windows\System32\neAyieD.exe
  2⤵
  PID:11556
- C:\Windows\System32\XEAVMRk.exe
  C:\Windows\System32\XEAVMRk.exe
  2⤵
  PID:11628
- C:\Windows\System32\JxyXcZo.exe
  C:\Windows\System32\JxyXcZo.exe
  2⤵
  PID:11704
- C:\Windows\System32\KoDFdVf.exe
  C:\Windows\System32\KoDFdVf.exe
  2⤵
  PID:11768
- C:\Windows\System32\tBqTndr.exe
  C:\Windows\System32\tBqTndr.exe
  2⤵
  PID:11804
- C:\Windows\System32\jLxaKpN.exe
  C:\Windows\System32\jLxaKpN.exe
  2⤵
  PID:11904
- C:\Windows\System32\GhkjiyE.exe
  C:\Windows\System32\GhkjiyE.exe
  2⤵
  PID:12008
- C:\Windows\System32\AEReeIv.exe
  C:\Windows\System32\AEReeIv.exe
  2⤵
  PID:12064
- C:\Windows\System32\cGaEQFn.exe
  C:\Windows\System32\cGaEQFn.exe
  2⤵
  PID:12128
- C:\Windows\System32\gMsrQJe.exe
  C:\Windows\System32\gMsrQJe.exe
  2⤵
  PID:12216
- C:\Windows\System32\kvINQZt.exe
  C:\Windows\System32\kvINQZt.exe
  2⤵
  PID:12248
- C:\Windows\System32\HwPTVXc.exe
  C:\Windows\System32\HwPTVXc.exe
  2⤵
  PID:11340
- C:\Windows\System32\BqogMEi.exe
  C:\Windows\System32\BqogMEi.exe
  2⤵
  PID:1720
- C:\Windows\System32\EFvtMLm.exe
  C:\Windows\System32\EFvtMLm.exe
  2⤵
  PID:11604
- C:\Windows\System32\mFKVuQA.exe
  C:\Windows\System32\mFKVuQA.exe
  2⤵
  PID:11896
- C:\Windows\System32\RyYPNEr.exe
  C:\Windows\System32\RyYPNEr.exe
  2⤵
  PID:12044
- C:\Windows\System32\LxSIHya.exe
  C:\Windows\System32\LxSIHya.exe
  2⤵
  PID:10960
- C:\Windows\System32\BpzVRFc.exe
  C:\Windows\System32\BpzVRFc.exe
  2⤵
  PID:11816
- C:\Windows\System32\xqZiDaD.exe
  C:\Windows\System32\xqZiDaD.exe
  2⤵
  PID:12176
- C:\Windows\System32\TFgAeFY.exe
  C:\Windows\System32\TFgAeFY.exe
  2⤵
  PID:12284
- C:\Windows\System32\EwaMmwk.exe
  C:\Windows\System32\EwaMmwk.exe
  2⤵
  PID:12320
- C:\Windows\System32\VHRAuxv.exe
  C:\Windows\System32\VHRAuxv.exe
  2⤵
  PID:12384
- C:\Windows\System32\CaDQqFH.exe
  C:\Windows\System32\CaDQqFH.exe
  2⤵
  PID:12424
- C:\Windows\System32\WjJvsef.exe
  C:\Windows\System32\WjJvsef.exe
  2⤵
  PID:12472
- C:\Windows\System32\LWBhnZH.exe
  C:\Windows\System32\LWBhnZH.exe
  2⤵
  PID:12492
- C:\Windows\System32\kPTPWnQ.exe
  C:\Windows\System32\kPTPWnQ.exe
  2⤵
  PID:12528
- C:\Windows\System32\BTOkVsx.exe
  C:\Windows\System32\BTOkVsx.exe
  2⤵
  PID:12556
- C:\Windows\System32\VdRYMdZ.exe
  C:\Windows\System32\VdRYMdZ.exe
  2⤵
  PID:12584
- C:\Windows\System32\WWNZDKY.exe
  C:\Windows\System32\WWNZDKY.exe
  2⤵
  PID:12624
- C:\Windows\System32\aDXLoiC.exe
  C:\Windows\System32\aDXLoiC.exe
  2⤵
  PID:12644
- C:\Windows\System32\ABfjmxT.exe
  C:\Windows\System32\ABfjmxT.exe
  2⤵
  PID:12680
- C:\Windows\System32\VwTgBaN.exe
  C:\Windows\System32\VwTgBaN.exe
  2⤵
  PID:12696
- C:\Windows\System32\thViuoq.exe
  C:\Windows\System32\thViuoq.exe
  2⤵
  PID:12724
- C:\Windows\System32\vCdriHZ.exe
  C:\Windows\System32\vCdriHZ.exe
  2⤵
  PID:12752
- C:\Windows\System32\frHZcKq.exe
  C:\Windows\System32\frHZcKq.exe
  2⤵
  PID:12792
- C:\Windows\System32\qAkTkJs.exe
  C:\Windows\System32\qAkTkJs.exe
  2⤵
  PID:12816
- C:\Windows\System32\sfNqnwO.exe
  C:\Windows\System32\sfNqnwO.exe
  2⤵
  PID:12844
- C:\Windows\System32\XqKNzvJ.exe
  C:\Windows\System32\XqKNzvJ.exe
  2⤵
  PID:12876
- C:\Windows\System32\mNFDSKQ.exe
  C:\Windows\System32\mNFDSKQ.exe
  2⤵
  PID:12900
- C:\Windows\System32\PqtJOnb.exe
  C:\Windows\System32\PqtJOnb.exe
  2⤵
  PID:12920
- C:\Windows\System32\wKodcMR.exe
  C:\Windows\System32\wKodcMR.exe
  2⤵
  PID:12948
- C:\Windows\System32\ORZhBSi.exe
  C:\Windows\System32\ORZhBSi.exe
  2⤵
  PID:12996
- C:\Windows\System32\VZkbOcM.exe
  C:\Windows\System32\VZkbOcM.exe
  2⤵
  PID:13012
- C:\Windows\System32\ACjlfwy.exe
  C:\Windows\System32\ACjlfwy.exe
  2⤵
  PID:13052
- C:\Windows\System32\nEFIsNz.exe
  C:\Windows\System32\nEFIsNz.exe
  2⤵
  PID:13080
- C:\Windows\System32\vQVQhBL.exe
  C:\Windows\System32\vQVQhBL.exe
  2⤵
  PID:13112
- C:\Windows\System32\NpEtKvg.exe
  C:\Windows\System32\NpEtKvg.exe
  2⤵
  PID:13164
- C:\Windows\System32\bLWbMUO.exe
  C:\Windows\System32\bLWbMUO.exe
  2⤵
  PID:13184
- C:\Windows\System32\cgavusy.exe
  C:\Windows\System32\cgavusy.exe
  2⤵
  PID:13228
- C:\Windows\System32\ruEZUNM.exe
  C:\Windows\System32\ruEZUNM.exe
  2⤵
  PID:13256
- C:\Windows\System32\YjalOVg.exe
  C:\Windows\System32\YjalOVg.exe
  2⤵
  PID:13284
- C:\Windows\System32\LEFUkLy.exe
  C:\Windows\System32\LEFUkLy.exe
  2⤵
  PID:12296
- C:\Windows\System32\zXeFRyV.exe
  C:\Windows\System32\zXeFRyV.exe
  2⤵
  PID:12312
- C:\Windows\System32\txwVawz.exe
  C:\Windows\System32\txwVawz.exe
  2⤵
  PID:12440
- C:\Windows\System32\bCYffjB.exe
  C:\Windows\System32\bCYffjB.exe
  2⤵
  PID:12520
- C:\Windows\System32\AsUdeCF.exe
  C:\Windows\System32\AsUdeCF.exe
  2⤵
  PID:12568
- C:\Windows\System32\bwqLzen.exe
  C:\Windows\System32\bwqLzen.exe
  2⤵
  PID:12652
- C:\Windows\System32\apXgrId.exe
  C:\Windows\System32\apXgrId.exe
  2⤵
  PID:12736
- C:\Windows\System32\yeTDeJO.exe
  C:\Windows\System32\yeTDeJO.exe
  2⤵
  PID:12772
- C:\Windows\System32\ZzTUIQe.exe
  C:\Windows\System32\ZzTUIQe.exe
  2⤵
  PID:12852
- C:\Windows\System32\fWwnQfh.exe
  C:\Windows\System32\fWwnQfh.exe
  2⤵
  PID:12940
- C:\Windows\System32\gTQZvUz.exe
  C:\Windows\System32\gTQZvUz.exe
  2⤵
  PID:12980
- C:\Windows\System32\OEvJVSy.exe
  C:\Windows\System32\OEvJVSy.exe
  2⤵
  PID:13064
- C:\Windows\System32\eTuxqFO.exe
  C:\Windows\System32\eTuxqFO.exe
  2⤵
  PID:13100
- C:\Windows\System32\bRUoNtP.exe
  C:\Windows\System32\bRUoNtP.exe
  2⤵
  PID:13156
- C:\Windows\System32\lRGUhAG.exe
  C:\Windows\System32\lRGUhAG.exe
  2⤵
  PID:13268
- C:\Windows\System32\ZTwjKyg.exe
  C:\Windows\System32\ZTwjKyg.exe
  2⤵
  PID:12308
- C:\Windows\System32\vLxtCZz.exe
  C:\Windows\System32\vLxtCZz.exe
  2⤵
  PID:12548
- C:\Windows\System32\aXHNUOy.exe
  C:\Windows\System32\aXHNUOy.exe
  2⤵
  PID:13280
- C:\Windows\System32\sMBTEtH.exe
  C:\Windows\System32\sMBTEtH.exe
  2⤵
  PID:12896
- C:\Windows\System32\daTCWmD.exe
  C:\Windows\System32\daTCWmD.exe
  2⤵
  PID:12988
- C:\Windows\System32\RPJmfwK.exe
  C:\Windows\System32\RPJmfwK.exe
  2⤵
  PID:13200
- C:\Windows\System32\fsBuBJZ.exe
  C:\Windows\System32\fsBuBJZ.exe
  2⤵
  PID:12500
- C:\Windows\System32\FrOvZzL.exe
  C:\Windows\System32\FrOvZzL.exe
  2⤵
  PID:12632
- C:\Windows\System32\pCHyCGi.exe
  C:\Windows\System32\pCHyCGi.exe
  2⤵
  PID:12936
- C:\Windows\System32\SaWVTzR.exe
  C:\Windows\System32\SaWVTzR.exe
  2⤵
  PID:12828
- C:\Windows\System32\aqUodLg.exe
  C:\Windows\System32\aqUodLg.exe
  2⤵
  PID:13072
- C:\Windows\System32\NttCdYd.exe
  C:\Windows\System32\NttCdYd.exe
  2⤵
  PID:13328
- C:\Windows\System32\ZXPCkgi.exe
  C:\Windows\System32\ZXPCkgi.exe
  2⤵
  PID:13380
- C:\Windows\System32\wjVwlIQ.exe
  C:\Windows\System32\wjVwlIQ.exe
  2⤵
  PID:13408
- C:\Windows\System32\UGpjPUD.exe
  C:\Windows\System32\UGpjPUD.exe
  2⤵
  PID:13436
- C:\Windows\System32\AwDZHyf.exe
  C:\Windows\System32\AwDZHyf.exe
  2⤵
  PID:13452
- C:\Windows\System32\IEzNPvq.exe
  C:\Windows\System32\IEzNPvq.exe
  2⤵
  PID:13492
- C:\Windows\System32\akFjeOQ.exe
  C:\Windows\System32\akFjeOQ.exe
  2⤵
  PID:13520
- C:\Windows\System32\VxWhfDq.exe
  C:\Windows\System32\VxWhfDq.exe
  2⤵
  PID:13552
- C:\Windows\System32\MKHxpLY.exe
  C:\Windows\System32\MKHxpLY.exe
  2⤵
  PID:13576
- C:\Windows\System32\PhXbYIY.exe
  C:\Windows\System32\PhXbYIY.exe
  2⤵
  PID:13592
- C:\Windows\System32\HDwWGWC.exe
  C:\Windows\System32\HDwWGWC.exe
  2⤵
  PID:13620
- C:\Windows\System32\tWwHlRc.exe
  C:\Windows\System32\tWwHlRc.exe
  2⤵
  PID:13660
- C:\Windows\System32\jfQDnTD.exe
  C:\Windows\System32\jfQDnTD.exe
  2⤵
  PID:13688
- C:\Windows\System32\NzEKQzq.exe
  C:\Windows\System32\NzEKQzq.exe
  2⤵
  PID:13708
- C:\Windows\System32\HLqfwnp.exe
  C:\Windows\System32\HLqfwnp.exe
  2⤵
  PID:13744
- C:\Windows\System32\AqhOoTI.exe
  C:\Windows\System32\AqhOoTI.exe
  2⤵
  PID:13772
- C:\Windows\System32\XODsokd.exe
  C:\Windows\System32\XODsokd.exe
  2⤵
  PID:13788
- C:\Windows\System32\lHaTGBd.exe
  C:\Windows\System32\lHaTGBd.exe
  2⤵
  PID:13820
- C:\Windows\System32\EhiBvSQ.exe
  C:\Windows\System32\EhiBvSQ.exe
  2⤵
  PID:13856
- C:\Windows\System32\lhJfwSP.exe
  C:\Windows\System32\lhJfwSP.exe
  2⤵
  PID:13872
- C:\Windows\System32\QtAifet.exe
  C:\Windows\System32\QtAifet.exe
  2⤵
  PID:13892
- C:\Windows\System32\eYOyyGh.exe
  C:\Windows\System32\eYOyyGh.exe
  2⤵
  PID:14172
- C:\Windows\System32\RzuVPTQ.exe
  C:\Windows\System32\RzuVPTQ.exe
  2⤵
  PID:13348
- C:\Windows\System32\cMEEjNJ.exe
  C:\Windows\System32\cMEEjNJ.exe
  2⤵
  PID:13480
- C:\Windows\System32\pyagLPa.exe
  C:\Windows\System32\pyagLPa.exe
  2⤵
  PID:13572
- C:\Windows\System32\zEodOeY.exe
  C:\Windows\System32\zEodOeY.exe
  2⤵
  PID:13652
- C:\Windows\System32\AZVqroX.exe
  C:\Windows\System32\AZVqroX.exe
  2⤵
  PID:13704
- C:\Windows\System32\RYFvzES.exe
  C:\Windows\System32\RYFvzES.exe
  2⤵
  PID:13816
- C:\Windows\System32\yNtjumn.exe
  C:\Windows\System32\yNtjumn.exe
  2⤵
  PID:14128
- C:\Windows\System32\NKZlulO.exe
  C:\Windows\System32\NKZlulO.exe
  2⤵
  PID:14260

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13532

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14116

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:14220

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\COsOHyc.exe

Filesize
2.6MB

MD5
a8ba44c0735c1a08fa522300e9bb56dc

SHA1
79a8b14320b333a7aa4f541e6d52c8cfd31aee57

SHA256
8c3505b3533792dc0da183063b2c72bce6cafb4377baef2a3fbd987bf723eac9

SHA512
836417d33a8e9c202ad136bb1a59a8297cd9199da18b86a2661dee11036085e134f75c3846792bb39a1e9f2b476fdb46af475e6151d27c190ca8a132104f8d6b

Download Submit
C:\Windows\System32\CxzggLk.exe

Filesize
2.6MB

MD5
ba2616a7f9c9887a2e510e1cf49f0a62

SHA1
ff103b3590037bfc35de55f1afd2cff6c1adc6c6

SHA256
1b33efea9b93a3f05ecf3160ab5b186bda2d9bd8aca8293a2278b304808e3756

SHA512
1d384866bf4dab3b0a826c8df2e7e0704c2948e45b7e8b33c7dda74efcd5e969620a3a13621fa0d0e9e88f986fc8d89d4d3d4096ca8a3a5ea5af59e32c428ab0

Download Submit
C:\Windows\System32\FCBKyLy.exe

Filesize
2.6MB

MD5
da09d833681e9a9b83136439a30956ef

SHA1
404a66265484c7c22699b8b41a3fde2054ccdab5

SHA256
a2d2d123c4a62bb0b9c32d3381cda3968e31aea9232ca16147865c079850e1c9

SHA512
dd191de7dac2b935c62cd33b3dc676f0adc2e358fa215352fa72248fbb00726908bef2e28415104c063a800467a26d5f5a5ed4f8cc69ebf3ad0fad161d6e154a

Download Submit
C:\Windows\System32\FNwAtNR.exe

Filesize
2.6MB

MD5
bbb831eb3513773eaf2491a000900561

SHA1
48c00a9d59b1f96e349ac819961142e46eb3b176

SHA256
3fb7d36db3fed28f198892bc329dfaff66c4f982405cb6bf26614ec3893fccc1

SHA512
1deef54ffc139e8739e02e8386655774ff60447950fdaf5b205c0f14c1da8a0af5fcc6c6fb0a6009eedae79c148c16a1371e643a0632a1ebb2d8cb59b82dc309

Download Submit
C:\Windows\System32\IvGMcdQ.exe

Filesize
2.6MB

MD5
351145e9987037eb61cad1cd02895138

SHA1
39c7e9c591f2e27c374027091054e54f8da190e9

SHA256
7f6b3cda541afe778408c983b48fe283457bac7b925643ddfadbb8d620ed29b3

SHA512
074fee8f317e18b1c5e7f3a0717a990d73f54c7fd8cc02e59ec93bc5b8e1597cf37224893fcbcab6be4fc2625bd880bd706430935fd924de3c0e6b3f7e99191b

Download Submit
C:\Windows\System32\KRWRtiA.exe

Filesize
2.6MB

MD5
ffd87033595383d58c7f3a2df0add3a7

SHA1
10c04997c54455f2f6d228aeb237ac403c4bcb5a

SHA256
6e42ff3267f390828924954635c643fad1e08cab2c0a1069ac2e6b382c2bb7e3

SHA512
da15576b9b141eff4e5a7de20e8b2ce4d5e4d8516165d4788b28a7a516581a60dcb60df08b876ea359de727fcfa4a2ee355ae6f0de8884c64d8ccd5184ca55e5

Download Submit
C:\Windows\System32\LCwGeiD.exe

Filesize
2.6MB

MD5
f1799737991727a888ce0a7cc782b4e4

SHA1
bdb14121576f57ca4063b70e88578aada4f327dd

SHA256
1cef431c0561c1815e2369fb12942666d3810f3999c84d5bd881d47f7f5edde6

SHA512
5c578e930539a8941c842aa121a60da593989b274a246d1c086ced43c7667f183f19d077b16757584cfc59b7d782cbb5d0549458401a46f31ada72fec1b51dff

Download Submit
C:\Windows\System32\MTfYHlr.exe

Filesize
2.6MB

MD5
b115197226b9f363239d2270f17d5542

SHA1
96b3f43e52a3975e607b1e379a7b7f2e8ca0b14c

SHA256
a2f0b37783e54d442b30098f074ccf45139a4901783c7cc1b2f7a99f2d076c32

SHA512
830ba57d394a89d21397113c1fd1180c403657df016cdd092f3edb807bfd094958fb9df8a5d15b3120d14fb2b689981f848c4c94d1a0f71609d280a25241fb5d

Download Submit
C:\Windows\System32\NXbgOdQ.exe

Filesize
2.6MB

MD5
4487def3a08003f917990a89207c8894

SHA1
ce5c7a09d687f6efbc1fbeded0df67204d96734e

SHA256
c514636e43f8cfb0d0ceaf051d64e08f5e1bf59173e306acca6667484fc12c29

SHA512
de27587d633f5e39fe3709b3ac9a325d2e8639ad8762f1d168122b8e18ac36f774429e05347ef173a1810bd97d0bae2655b2f9524b5f8576837dce6dd1762e39

Download Submit
C:\Windows\System32\RxeLCXN.exe

Filesize
2.6MB

MD5
6397029651a8a62c571722af7090ec9d

SHA1
512478a425516c37522dbef1630cef9a837aee5f

SHA256
f850fd2ecd3d4f6c047e2c406197ba91e1941bbb4554ff3328f3e9f31e94c88d

SHA512
10f3554a7fd71b7eec4c2482a584d800ddd7788ebff680ca4d1db281961ca19944e7f1075056bf59ef60fe9549b2d2aa5a25e4d0caa60c286e00850af33b6ee3

Download Submit
C:\Windows\System32\SAIxjCn.exe

Filesize
2.6MB

MD5
826d1f3d18c5dd1bd2edb5550c264187

SHA1
b9a22ef6685007bfc72a79b33226006d32819718

SHA256
9c6c4f6f2480890803145ef747cc6c9f6d2a586b874ffcca9c3c9cbc214c1c7c

SHA512
3521e9f000fbd916daf216d21f3262677d4329cd729fd5b7985ff3827e9a14badbd6fd6a574e35b957e9530ee0788e2c594f4006ab716ff1793879711fab61ce

Download Submit
C:\Windows\System32\SXgtoRo.exe

Filesize
2.6MB

MD5
8dd54fc8b775e49dc612b708fc254c14

SHA1
8f7f9901af2646e52ecc88916677e23687fd211d

SHA256
26b623ebf2c709c80eb6c97708d27ac8604f81f6fa787a11e6413198e2e54def

SHA512
a2ca5961f8ceb04a5a9fc9e2aeae7c1ffef6832da2bcc9b3adc3f6e132b57999e9d5698e37efb9e052f736b684d490c90ffc8e81c5a9fcc2079d17d657c9e51e

Download Submit
C:\Windows\System32\VUkshiS.exe

Filesize
2.6MB

MD5
e201dceb1d3d611443317203ef6f89d0

SHA1
2cef78e41c5fe1a0653f29cd91ddb5d22c390347

SHA256
8c35afdce4ef6451d07c5aedc0d7dd7f5bd464ac5329d91d2eac706c8c387aca

SHA512
bba09f7e424e73fb4c122782115135d17a50eeca77eab8abac68825e54a0c36af0c5f9b7d16326836940f25c966adfb9c3ae229cbb452380552e905253162d7a

Download Submit
C:\Windows\System32\VvqNzxW.exe

Filesize
2.6MB

MD5
1f0f534186b575c19d78c350d05503a8

SHA1
485a1d5de9de7d266eb63b10765f83f0934d51f1

SHA256
59480dac6a3748b2331ac4cb1ed3fa124f76f8de3c555fb91dd4fcbff010ede2

SHA512
a8f24f78243e9d4a9ebb3ceaad862614a65a0be660c3bf9e6b8f585b3ac36387f0387753ac7b929995e4c5c5b6a536faa54b219925a6e331618929ed6a64d7b5

Download Submit
C:\Windows\System32\WOrTDUM.exe

Filesize
2.6MB

MD5
8212ac10ca8e07ba34a659fb0853118b

SHA1
f493526b55621a855049615f189b5d6170c9ed6d

SHA256
0595ad39a09283d368344493497cba2ca9a80f2dd9897b93bae31bd12230bfa4

SHA512
07ee7dc428d980cf2610172b16242608991173957734cf606ef6074169befed90e3c9cae36e6b4fbf8f830bd59d6bfa9dbe84b99f3e330cbdb10ab5d041c99bc

Download Submit
C:\Windows\System32\dadQTHk.exe

Filesize
2.6MB

MD5
279fb32f8566e31826ef44c83f28b4a7

SHA1
91f251544722278c405a4a7accec5a7a5cb2c486

SHA256
5e9f88840b1ea11cc35c8214e68235ef78865b966082a2919ef7322ab8fa9f5e

SHA512
b115f85564a707eca7925424e42a55fb3101c3159c33ca320aadc25159a46ee7f10cac342b94c72798b5034c1db42e07b9daaf51307fe7abb3b3c02143bebdf7

Download Submit
C:\Windows\System32\dxTREvO.exe

Filesize
2.6MB

MD5
f0984b461053e5896dd63cdcff4f568c

SHA1
153bb6db42619423601f0453162f5aaa56810ab4

SHA256
50599bb7cd7abc4e2a50a7764705c43191786bb719105dbee608cdb65dcfa411

SHA512
1f563ed4bddee48d4821a990f221b19c94254d50deafe006a106ad167b746280e977f9af8fa4e5e3898b4304486ff185b19c6e94e2eb947964a9a9578e3b3862

Download Submit
C:\Windows\System32\fRpasOi.exe

Filesize
2.6MB

MD5
40890d9199bf7ae694739d3f24eea463

SHA1
97fd237c7bfa43f7ad1eac6ddd70a7532b56f47a

SHA256
37d6c2eda932d1b1e67d02b849d647cf8d9e82926eedbcfb45e7933bad4a1174

SHA512
ae1521c51150e8a8be9b7016803c667e82980d8597702737180dacf3cf423aaed5041c019808320952f13c22d251fd472fe66f64196d7705fb40969d932d5e20

Download Submit
C:\Windows\System32\ibZbFHM.exe

Filesize
2.6MB

MD5
506b17322d0397651e0b495f7e66164e

SHA1
a486f85b4d833df8b424fe883f50988562e08531

SHA256
273eee404162a8cef3b920ce962837ea3623216f5d147b584467a2e13c77abd6

SHA512
2854d46ddd99dfed19b95cc9f276f2ee811ac2d92dc7140566ebc67295a739b474c9a2db30a9aef6e7c7228cd6d658c11e051c68fccaa38fc85b61668091fd85

Download Submit
C:\Windows\System32\jMWTvNp.exe

Filesize
2.6MB

MD5
1944f2e1d51f51219a80f90a99cb9977

SHA1
90fae28334bff4e630a4a3fbc5425f2029650d42

SHA256
cf542b90bb4282e16bbe3008ab15c87c71b7e483c64ae8bc40549c963a580f33

SHA512
02c72fbe9496a774f217951ab283c63da4ce7c510d7aa118f7903c4872ae43bcc158d6ec571af11205f3a3a262d108c93a2c95e3d1eade3a751ddeb1eb112d34

Download Submit
C:\Windows\System32\jkwQXMl.exe

Filesize
2.6MB

MD5
4031610947a3ea8ddad79f58bc498629

SHA1
7f04a041470af6c61605382e90b2d9d99ce44d0f

SHA256
90da22d220f643f6edacc548333a8a7f383bde735207fefa86fe3936d0350fc5

SHA512
c56c4dba51a6c03a255db8bb25ba99d687fe837fafa98b8faf2b463766ab34b54ae48c0a98498d292038b8c2fde8ba0c745fb50dbc949c43082f25e0ba862893

Download Submit
C:\Windows\System32\kskXQmt.exe

Filesize
2.6MB

MD5
e8e8c09b0a4a0a14edcc71401ce64c28

SHA1
3387a419e13568a2c5fd8caea4bd28d0233895f3

SHA256
42edd4eb88f32d591d914cadc332b6bc403a3a4999dc62fa43394a96d1a32ee3

SHA512
00bb8fb672d88715c581840342114c51a93ec2ad650617c547e2251fdc7049258f56e5f893ca5a6014bb008018c1731c27c21eacab631449f90e3059bea98cd9

Download Submit
C:\Windows\System32\mKWXFmx.exe

Filesize
2.6MB

MD5
24cb8e272d3ff6ff401f4535b48cf250

SHA1
1af0fbaec19deaa7e3c02f331e5c92c29c96ead5

SHA256
258c63f354c34e19f741e3c31f7e606d12472ab3e15a52994cd3dd89e44d3c41

SHA512
5d55a9f5ede1f27d3df9e0d70a8762d66c4542b9f07cf3b6db418cd779c29efe9f758bb699254074ff1de072d7540b6f9d0897d07abca0ee3ea6beac07659da4

Download Submit
C:\Windows\System32\nCdXkFL.exe

Filesize
2.6MB

MD5
e8c47c3a57a400bfe5e5212ac9030899

SHA1
ec31d82685c4f74a1659c51de52fc9bd95dc9419

SHA256
e63d234e62d6b17f1c3e6271585afa66d39adbd0f07cf31f39ea7806b690d1d5

SHA512
953e80147a1393cc66b3861d527067a857e97fb1dee70f750f58a7eb49ee8f446f7df830a4879ca1c10ecaf6041ee7025081adbcb6d46dcc28efa61839b7f4c2

Download Submit
C:\Windows\System32\nDBSlHL.exe

Filesize
2.6MB

MD5
902ba29415679dfcbd3c40330faaa650

SHA1
3d4634f2a9f1d134115d9837c0a7d5e2549c7c21

SHA256
ad8e14a9e6cf64b83a8408fa3fe49e05e0f6af315abfa07fdb066cc3361bca30

SHA512
9dbc91fdb36c5aa50dd44d191221ed54f9f9a0bebd585d8daf5db4f81b9836c3ea8d78d8f6bb0f7da61f210ea1bb4864568ff316c8d4ae8eb6810e18b65ddcea

Download Submit
C:\Windows\System32\njHvDyC.exe

Filesize
2.6MB

MD5
b65a99b3ef78156ac5cf52909b735ee4

SHA1
9bc878bf7722483e8c5f303f1561ec749cc07d37

SHA256
359f9de2d495d93bd240ff5245994a5ad0890b5e4595b24dffdfe999d10d2101

SHA512
9c3dd94a022713ebe854f4d1bd0b9ab3b45af64bb2e549f55e049be76c645788f7202e2d11000b2c0c97f7e1a0d41099a024e003c50f40650b405b850bf7a1a2

Download Submit
C:\Windows\System32\oMpLvEO.exe

Filesize
2.6MB

MD5
a4cc7a7253b646c0c7028e010f17a4b5

SHA1
7fabf5a5b2333c8af6d61c677a4b4650636da741

SHA256
1ff00e19f44b0899c5445bbdb50af0c25c4171988708f00dac6c7150677aa763

SHA512
4a6ffb071b86ec23821ed4d58e403684e0762ccb77162f7ded73b929dd373bb77e9a683ee1eda3ce24ea45a34b46e8e1df44b2d6fa3ab0b239625cfb6a19840e

Download Submit
C:\Windows\System32\rSXvdRf.exe

Filesize
2.6MB

MD5
c987381996b57be8443028141cf889d1

SHA1
2c70fcc0c357afe1e8c96b8d4f422cc01332a8a4

SHA256
535358f880fc57fed9256c1fcd93dfbf088607b6c1acdb6756e252b5d4d2c335

SHA512
6c25952da962646cde1ec5521e3cbc0fa2c5571decd0dd156ef77625a78b0d86de080da5defae152fb2496edb23d39c30819c06e8944a9827b9f1d57d413a9c7

Download Submit
C:\Windows\System32\titcgwT.exe

Filesize
2.6MB

MD5
ca3f1e9e99ad9477ae713cdded442af9

SHA1
59578edece171ff8b82d109b11ccacf486c33d6a

SHA256
4d00f96c6090eaf3d996ba69dd2a3399e77e596ca8fc40d3d25169b1e40e4d16

SHA512
3b793909708b1e15b1488832a5d225d2082daf8c7c2ef7e9e4803ae0856132152c5e3f3c61dcc72fee271ae2255e9f81a7e666c86306104a95fcf2ef2237f1ec

Download Submit
C:\Windows\System32\vTylBiH.exe

Filesize
2.6MB

MD5
de469a0e904a1f74bedf0515b51b314f

SHA1
01c8a085bb819a119c56de4b8030d07e05f692bd

SHA256
ba34142392a015ec87fa8ec313c8c16b3367cab24d556800ad317e09c049dce5

SHA512
fcfee4c5b2b0acd50da481ae5d91f2f41d4cbfce44b1e08e52da96fa6638e384638b136408a663ec4709232b39234f6f325b766e4076845599504b93083cfdfb

Download Submit
C:\Windows\System32\yqmcAUk.exe

Filesize
2.6MB

MD5
a6c0b2f8490189945059e37ad2fca2e1

SHA1
c6a9c9afe8f9aa68f64db457477460f0c75b9cff

SHA256
f8e770c485c1c2e99c8dd070cc1b79733ab28e1f47e2c1e2acc3956b26dbf5e3

SHA512
41f5154b2854d2bd5f5ba5ea6c61d129d636d1431733ba4495bd4cf9d1b52720023da989e8be479f60c85e72521a53a36d44b7d040aef3368892c42dae08bdaa

Download Submit
C:\Windows\System32\zzpQEqj.exe

Filesize
2.6MB

MD5
de6176ae2ab3acff17aa8b00b46765b1

SHA1
ecee79e4a6d245f80e94cb03e958ca242a84b262

SHA256
aa99c0716e7e3baa36bba0bc29f14781fce45c71fa836a246ac065f9c7fd12d8

SHA512
9db18eb625727a7ddf2b1653bb8130953995399da7ffcd888f30c1886b2cb06cfb665471f2ca483b6836d3d49ee6a94f8e561ba506235646324803861740414c

Download Submit
memory/628-754-0x00007FF655D10000-0x00007FF656105000-memory.dmp

Filesize
4.0MB

Download
memory/628-2136-0x00007FF655D10000-0x00007FF656105000-memory.dmp

Filesize
4.0MB

Download
memory/712-1757-0x00007FF7A2A10000-0x00007FF7A2E05000-memory.dmp

Filesize
4.0MB

Download
memory/712-15-0x00007FF7A2A10000-0x00007FF7A2E05000-memory.dmp

Filesize
4.0MB

Download
memory/712-2126-0x00007FF7A2A10000-0x00007FF7A2E05000-memory.dmp

Filesize
4.0MB

Download
memory/748-2148-0x00007FF77FE70000-0x00007FF780265000-memory.dmp

Filesize
4.0MB

Download
memory/748-833-0x00007FF77FE70000-0x00007FF780265000-memory.dmp

Filesize
4.0MB

Download
memory/2704-769-0x00007FF67E2B0000-0x00007FF67E6A5000-memory.dmp

Filesize
4.0MB

Download
memory/2704-2147-0x00007FF67E2B0000-0x00007FF67E6A5000-memory.dmp

Filesize
4.0MB

Download
memory/2768-2125-0x00007FF70F290000-0x00007FF70F685000-memory.dmp

Filesize
4.0MB

Download
memory/2768-9-0x00007FF70F290000-0x00007FF70F685000-memory.dmp

Filesize
4.0MB

Download
memory/3220-2130-0x00007FF7A0830000-0x00007FF7A0C25000-memory.dmp

Filesize
4.0MB

Download
memory/3220-725-0x00007FF7A0830000-0x00007FF7A0C25000-memory.dmp

Filesize
4.0MB

Download
memory/3284-2138-0x00007FF654D30000-0x00007FF655125000-memory.dmp

Filesize
4.0MB

Download
memory/3284-742-0x00007FF654D30000-0x00007FF655125000-memory.dmp

Filesize
4.0MB

Download
memory/4012-745-0x00007FF606790000-0x00007FF606B85000-memory.dmp

Filesize
4.0MB

Download
memory/4012-2137-0x00007FF606790000-0x00007FF606B85000-memory.dmp

Filesize
4.0MB

Download
memory/4248-1-0x000001F416F60000-0x000001F416F70000-memory.dmp

Filesize
64KB

Download
memory/4248-0-0x00007FF607090000-0x00007FF607485000-memory.dmp

Filesize
4.0MB

Download
memory/4248-1523-0x00007FF607090000-0x00007FF607485000-memory.dmp

Filesize
4.0MB

Download
memory/4456-834-0x00007FF744210000-0x00007FF744605000-memory.dmp

Filesize
4.0MB

Download
memory/4456-2132-0x00007FF744210000-0x00007FF744605000-memory.dmp

Filesize
4.0MB

Download
memory/4484-2133-0x00007FF7F3760000-0x00007FF7F3B55000-memory.dmp

Filesize
4.0MB

Download
memory/4484-727-0x00007FF7F3760000-0x00007FF7F3B55000-memory.dmp

Filesize
4.0MB

Download
memory/4488-2135-0x00007FF6E6BF0000-0x00007FF6E6FE5000-memory.dmp

Filesize
4.0MB

Download
memory/4488-747-0x00007FF6E6BF0000-0x00007FF6E6FE5000-memory.dmp

Filesize
4.0MB

Download
memory/4568-728-0x00007FF705A70000-0x00007FF705E65000-memory.dmp

Filesize
4.0MB

Download
memory/4568-2142-0x00007FF705A70000-0x00007FF705E65000-memory.dmp

Filesize
4.0MB

Download
memory/4616-733-0x00007FF62D910000-0x00007FF62DD05000-memory.dmp

Filesize
4.0MB

Download
memory/4616-2140-0x00007FF62D910000-0x00007FF62DD05000-memory.dmp

Filesize
4.0MB

Download
memory/4620-2134-0x00007FF7E0A10000-0x00007FF7E0E05000-memory.dmp

Filesize
4.0MB

Download
memory/4620-758-0x00007FF7E0A10000-0x00007FF7E0E05000-memory.dmp

Filesize
4.0MB

Download
memory/4684-766-0x00007FF74BFF0000-0x00007FF74C3E5000-memory.dmp

Filesize
4.0MB

Download
memory/4684-2146-0x00007FF74BFF0000-0x00007FF74C3E5000-memory.dmp

Filesize
4.0MB

Download
memory/4728-2143-0x00007FF6EFFB0000-0x00007FF6F03A5000-memory.dmp

Filesize
4.0MB

Download
memory/4728-762-0x00007FF6EFFB0000-0x00007FF6F03A5000-memory.dmp

Filesize
4.0MB

Download
memory/4768-729-0x00007FF7D8090000-0x00007FF7D8485000-memory.dmp

Filesize
4.0MB

Download
memory/4768-2141-0x00007FF7D8090000-0x00007FF7D8485000-memory.dmp

Filesize
4.0MB

Download
memory/4844-764-0x00007FF6FF360000-0x00007FF6FF755000-memory.dmp

Filesize
4.0MB

Download
memory/4844-2145-0x00007FF6FF360000-0x00007FF6FF755000-memory.dmp

Filesize
4.0MB

Download
memory/5312-2139-0x00007FF74DFB0000-0x00007FF74E3A5000-memory.dmp

Filesize
4.0MB

Download
memory/5312-735-0x00007FF74DFB0000-0x00007FF74E3A5000-memory.dmp

Filesize
4.0MB

Download
memory/5548-2129-0x00007FF6393D0000-0x00007FF6397C5000-memory.dmp

Filesize
4.0MB

Download
memory/5548-724-0x00007FF6393D0000-0x00007FF6397C5000-memory.dmp

Filesize
4.0MB

Download
memory/5764-1758-0x00007FF791570000-0x00007FF791965000-memory.dmp

Filesize
4.0MB

Download
memory/5764-2127-0x00007FF791570000-0x00007FF791965000-memory.dmp

Filesize
4.0MB

Download
memory/5764-722-0x00007FF791570000-0x00007FF791965000-memory.dmp

Filesize
4.0MB

Download
memory/5844-830-0x00007FF7B7040000-0x00007FF7B7435000-memory.dmp

Filesize
4.0MB

Download
memory/5844-2144-0x00007FF7B7040000-0x00007FF7B7435000-memory.dmp

Filesize
4.0MB

Download
memory/5960-723-0x00007FF649F20000-0x00007FF64A315000-memory.dmp

Filesize
4.0MB

Download
memory/5960-2128-0x00007FF649F20000-0x00007FF64A315000-memory.dmp

Filesize
4.0MB

Download
memory/6064-2131-0x00007FF680C20000-0x00007FF681015000-memory.dmp

Filesize
4.0MB

Download
memory/6064-726-0x00007FF680C20000-0x00007FF681015000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads