xmrig | f69cff12f97e1136b3c79b89b5d5c2b4d42b73e1ef58fb98ff6998b5357934d8

Analysis

max time kernel
137s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
Size

2.2MB
MD5

decfdd738102650829c8a48768a25315
SHA1

124ac18d9cd17fa1af137f932964e4aaed307598
SHA256

f69cff12f97e1136b3c79b89b5d5c2b4d42b73e1ef58fb98ff6998b5357934d8
SHA512

2ad5c67b415426e10f0c8e84c7a9ad0dc848d3708c67336170db976b766d029c3b5e4d9c3f4aa5d5c99bbc5ef8bd448e2d40bf30252a4257a266239d6793dbbe
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8Dzcd+cig:w0GnJMOWPClFdx6e0EALKWVTffZiPAcw

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3516-0-0x00007FF6A9890000-0x00007FF6A9C85000-memory.dmp	xmrig
behavioral2/files/0x00080000000240a9-4.dat	xmrig
behavioral2/memory/2316-11-0x00007FF7FE070000-0x00007FF7FE465000-memory.dmp	xmrig
behavioral2/files/0x00070000000240aa-13.dat	xmrig
behavioral2/files/0x00070000000240ab-12.dat	xmrig
behavioral2/memory/2352-10-0x00007FF65B1E0000-0x00007FF65B5D5000-memory.dmp	xmrig
behavioral2/files/0x00070000000240ac-23.dat	xmrig
behavioral2/files/0x00070000000240ae-33.dat	xmrig
behavioral2/files/0x00070000000240af-35.dat	xmrig
behavioral2/files/0x00070000000240b0-40.dat	xmrig
behavioral2/files/0x00070000000240b1-45.dat	xmrig
behavioral2/files/0x00070000000240b4-60.dat	xmrig
behavioral2/files/0x00070000000240b6-70.dat	xmrig
behavioral2/files/0x00070000000240b7-78.dat	xmrig
behavioral2/files/0x00070000000240bb-101.dat	xmrig
behavioral2/files/0x00070000000240bf-115.dat	xmrig
behavioral2/files/0x00070000000240c2-130.dat	xmrig
behavioral2/memory/2020-695-0x00007FF783F70000-0x00007FF784365000-memory.dmp	xmrig
behavioral2/memory/3264-696-0x00007FF6A1470000-0x00007FF6A1865000-memory.dmp	xmrig
behavioral2/memory/2960-697-0x00007FF73DFB0000-0x00007FF73E3A5000-memory.dmp	xmrig
behavioral2/memory/3280-698-0x00007FF74CB70000-0x00007FF74CF65000-memory.dmp	xmrig
behavioral2/memory/1420-700-0x00007FF6E4C40000-0x00007FF6E5035000-memory.dmp	xmrig
behavioral2/memory/2764-701-0x00007FF672100000-0x00007FF6724F5000-memory.dmp	xmrig
behavioral2/memory/4876-702-0x00007FF663B40000-0x00007FF663F35000-memory.dmp	xmrig
behavioral2/memory/4788-703-0x00007FF6A30E0000-0x00007FF6A34D5000-memory.dmp	xmrig
behavioral2/memory/1864-704-0x00007FF6B9180000-0x00007FF6B9575000-memory.dmp	xmrig
behavioral2/memory/876-699-0x00007FF69A790000-0x00007FF69AB85000-memory.dmp	xmrig
behavioral2/memory/4836-694-0x00007FF6C68F0000-0x00007FF6C6CE5000-memory.dmp	xmrig
behavioral2/memory/2616-693-0x00007FF72DAF0000-0x00007FF72DEE5000-memory.dmp	xmrig
behavioral2/memory/3500-713-0x00007FF7F4610000-0x00007FF7F4A05000-memory.dmp	xmrig
behavioral2/memory/3216-727-0x00007FF6E71F0000-0x00007FF6E75E5000-memory.dmp	xmrig
behavioral2/memory/3368-751-0x00007FF61A1C0000-0x00007FF61A5B5000-memory.dmp	xmrig
behavioral2/memory/5096-760-0x00007FF753CC0000-0x00007FF7540B5000-memory.dmp	xmrig
behavioral2/memory/4512-752-0x00007FF648AB0000-0x00007FF648EA5000-memory.dmp	xmrig
behavioral2/memory/2352-1488-0x00007FF65B1E0000-0x00007FF65B5D5000-memory.dmp	xmrig
behavioral2/memory/2316-1752-0x00007FF7FE070000-0x00007FF7FE465000-memory.dmp	xmrig
behavioral2/memory/3516-1483-0x00007FF6A9890000-0x00007FF6A9C85000-memory.dmp	xmrig
behavioral2/memory/4956-745-0x00007FF67EBD0000-0x00007FF67EFC5000-memory.dmp	xmrig
behavioral2/memory/4328-739-0x00007FF73F660000-0x00007FF73FA55000-memory.dmp	xmrig
behavioral2/memory/4808-732-0x00007FF75E990000-0x00007FF75ED85000-memory.dmp	xmrig
behavioral2/memory/452-722-0x00007FF683320000-0x00007FF683715000-memory.dmp	xmrig
behavioral2/memory/2412-710-0x00007FF752E80000-0x00007FF753275000-memory.dmp	xmrig
behavioral2/files/0x00070000000240c8-163.dat	xmrig
behavioral2/files/0x00070000000240c7-158.dat	xmrig
behavioral2/files/0x00070000000240c6-153.dat	xmrig
behavioral2/files/0x00070000000240c5-148.dat	xmrig
behavioral2/files/0x00070000000240c4-143.dat	xmrig
behavioral2/files/0x00070000000240c3-138.dat	xmrig
behavioral2/files/0x00070000000240c1-128.dat	xmrig
behavioral2/files/0x00070000000240c0-123.dat	xmrig
behavioral2/files/0x00070000000240be-113.dat	xmrig
behavioral2/files/0x00070000000240bd-108.dat	xmrig
behavioral2/files/0x00070000000240bc-106.dat	xmrig
behavioral2/files/0x00070000000240ba-93.dat	xmrig
behavioral2/files/0x00070000000240b9-88.dat	xmrig
behavioral2/files/0x00070000000240b8-83.dat	xmrig
behavioral2/files/0x00070000000240b5-68.dat	xmrig
behavioral2/files/0x00070000000240b3-58.dat	xmrig
behavioral2/files/0x00070000000240b2-53.dat	xmrig
behavioral2/files/0x00070000000240ad-28.dat	xmrig
behavioral2/memory/3516-1890-0x00007FF6A9890000-0x00007FF6A9C85000-memory.dmp	xmrig
behavioral2/memory/2352-1891-0x00007FF65B1E0000-0x00007FF65B5D5000-memory.dmp	xmrig
behavioral2/memory/2316-1892-0x00007FF7FE070000-0x00007FF7FE465000-memory.dmp	xmrig
behavioral2/memory/2616-1893-0x00007FF72DAF0000-0x00007FF72DEE5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2352	eFQBJau.exe
2316	lJlBOck.exe
2616	QKrICDY.exe
5096	gjUwznF.exe
4836	yOgmAZl.exe
2020	WuyZTAz.exe
3264	kTirxOH.exe
2960	RXMyMhi.exe
3280	dmIjneQ.exe
876	PAZPYKm.exe
1420	njgnQid.exe
2764	idEnBdZ.exe
4876	ryfzcYE.exe
4788	JcCTslD.exe
1864	wPiyFIy.exe
2412	FfNcSZy.exe
3500	VTbREdp.exe
452	DEFzsoc.exe
3216	uOOYCqL.exe
4808	MmrixzO.exe
4328	PENXCDD.exe
4956	zvQqHar.exe
3368	kaoVmev.exe
4512	sjPmbBw.exe
756	denxwOm.exe
888	sBQrHdZ.exe
1336	GSPMWPP.exe
4780	dNpXlkZ.exe
112	GccncnR.exe
2888	SNRGRmr.exe
824	gQcoWRm.exe
456	OTXcvPm.exe
2032	DISKNVh.exe
1752	MEuQwdo.exe
1788	CWaSShf.exe
2920	xSYwgrn.exe
1620	oJgeQbv.exe
1324	tKxOhrw.exe
1432	sYCcWts.exe
1588	foFmcmp.exe
1436	cVEyIYE.exe
4444	UvAOtBl.exe
4144	ESVXJWY.exe
3700	JPzzPsM.exe
2636	oAHsDIB.exe
3696	CBmviRV.exe
5036	BtuImpb.exe
2792	EhVJbwh.exe
2476	ibFVUAr.exe
1548	QsRQCtr.exe
4448	iLGxWOq.exe
2380	zZgzVwU.exe
1672	uAvykDg.exe
2016	OAAqixv.exe
3240	EOVIxzQ.exe
1184	XwbUZKx.exe
3548	TRZIheE.exe
980	wstIdMi.exe
636	beHSUgH.exe
2528	iTurKHr.exe
1804	UDEyeLl.exe
4948	QdesexJ.exe
916	waQNBiG.exe
964	CumxKsb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\aUDyyuq.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\tKxOhrw.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\mifjKbO.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\FvEdLBe.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\BtFRmml.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\PhoxVPo.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\nOIPnEq.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\eFvRYlW.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\juNjbjg.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\EzaIrfl.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\BcDDOiK.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\TRZIheE.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\dXzYEtq.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\KwUCBWy.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\lpUenYi.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\oWVLFto.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\rPiIFTk.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\xJLAHXG.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\jzTxpua.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\UvAOtBl.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\ChMWOVD.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\eyBtwQL.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\zWvUQZI.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\LRiWOnx.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\uVtFdFt.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\IaVbsMa.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\srhENIk.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\BtuImpb.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\VRzcnbT.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\HPkppja.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\HMmbbjp.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\RDVshCo.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\GIhKhyc.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\KbNBlvV.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\EiugUHD.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\lJFKKGi.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\HJPnOxy.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\CWrQpRi.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\zZgzVwU.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\TxXctLD.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\DfURWql.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\sXPAXMR.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\nsYDdBr.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\ivOmewM.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\jeSUWKg.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\jMJmZVv.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\Exygrgx.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\ItCOuEy.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\DDeRxwR.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\RKWMonK.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\KGAnVwv.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\yURAfqJ.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\swbrOnM.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\ALrOqDe.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\KluJdRx.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\ulgMhhs.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\vFRpvYm.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\gjOQzSS.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\gFYgsIt.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\hcqtKRm.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\iLGxWOq.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\aOcCMzn.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\GrLBQBa.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\sjPmbBw.exe	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3516-0-0x00007FF6A9890000-0x00007FF6A9C85000-memory.dmp	upx
behavioral2/files/0x00080000000240a9-4.dat	upx
behavioral2/memory/2316-11-0x00007FF7FE070000-0x00007FF7FE465000-memory.dmp	upx
behavioral2/files/0x00070000000240aa-13.dat	upx
behavioral2/files/0x00070000000240ab-12.dat	upx
behavioral2/memory/2352-10-0x00007FF65B1E0000-0x00007FF65B5D5000-memory.dmp	upx
behavioral2/files/0x00070000000240ac-23.dat	upx
behavioral2/files/0x00070000000240ae-33.dat	upx
behavioral2/files/0x00070000000240af-35.dat	upx
behavioral2/files/0x00070000000240b0-40.dat	upx
behavioral2/files/0x00070000000240b1-45.dat	upx
behavioral2/files/0x00070000000240b4-60.dat	upx
behavioral2/files/0x00070000000240b6-70.dat	upx
behavioral2/files/0x00070000000240b7-78.dat	upx
behavioral2/files/0x00070000000240bb-101.dat	upx
behavioral2/files/0x00070000000240bf-115.dat	upx
behavioral2/files/0x00070000000240c2-130.dat	upx
behavioral2/memory/2020-695-0x00007FF783F70000-0x00007FF784365000-memory.dmp	upx
behavioral2/memory/3264-696-0x00007FF6A1470000-0x00007FF6A1865000-memory.dmp	upx
behavioral2/memory/2960-697-0x00007FF73DFB0000-0x00007FF73E3A5000-memory.dmp	upx
behavioral2/memory/3280-698-0x00007FF74CB70000-0x00007FF74CF65000-memory.dmp	upx
behavioral2/memory/1420-700-0x00007FF6E4C40000-0x00007FF6E5035000-memory.dmp	upx
behavioral2/memory/2764-701-0x00007FF672100000-0x00007FF6724F5000-memory.dmp	upx
behavioral2/memory/4876-702-0x00007FF663B40000-0x00007FF663F35000-memory.dmp	upx
behavioral2/memory/4788-703-0x00007FF6A30E0000-0x00007FF6A34D5000-memory.dmp	upx
behavioral2/memory/1864-704-0x00007FF6B9180000-0x00007FF6B9575000-memory.dmp	upx
behavioral2/memory/876-699-0x00007FF69A790000-0x00007FF69AB85000-memory.dmp	upx
behavioral2/memory/4836-694-0x00007FF6C68F0000-0x00007FF6C6CE5000-memory.dmp	upx
behavioral2/memory/2616-693-0x00007FF72DAF0000-0x00007FF72DEE5000-memory.dmp	upx
behavioral2/memory/3500-713-0x00007FF7F4610000-0x00007FF7F4A05000-memory.dmp	upx
behavioral2/memory/3216-727-0x00007FF6E71F0000-0x00007FF6E75E5000-memory.dmp	upx
behavioral2/memory/3368-751-0x00007FF61A1C0000-0x00007FF61A5B5000-memory.dmp	upx
behavioral2/memory/5096-760-0x00007FF753CC0000-0x00007FF7540B5000-memory.dmp	upx
behavioral2/memory/4512-752-0x00007FF648AB0000-0x00007FF648EA5000-memory.dmp	upx
behavioral2/memory/2352-1488-0x00007FF65B1E0000-0x00007FF65B5D5000-memory.dmp	upx
behavioral2/memory/2316-1752-0x00007FF7FE070000-0x00007FF7FE465000-memory.dmp	upx
behavioral2/memory/3516-1483-0x00007FF6A9890000-0x00007FF6A9C85000-memory.dmp	upx
behavioral2/memory/4956-745-0x00007FF67EBD0000-0x00007FF67EFC5000-memory.dmp	upx
behavioral2/memory/4328-739-0x00007FF73F660000-0x00007FF73FA55000-memory.dmp	upx
behavioral2/memory/4808-732-0x00007FF75E990000-0x00007FF75ED85000-memory.dmp	upx
behavioral2/memory/452-722-0x00007FF683320000-0x00007FF683715000-memory.dmp	upx
behavioral2/memory/2412-710-0x00007FF752E80000-0x00007FF753275000-memory.dmp	upx
behavioral2/files/0x00070000000240c8-163.dat	upx
behavioral2/files/0x00070000000240c7-158.dat	upx
behavioral2/files/0x00070000000240c6-153.dat	upx
behavioral2/files/0x00070000000240c5-148.dat	upx
behavioral2/files/0x00070000000240c4-143.dat	upx
behavioral2/files/0x00070000000240c3-138.dat	upx
behavioral2/files/0x00070000000240c1-128.dat	upx
behavioral2/files/0x00070000000240c0-123.dat	upx
behavioral2/files/0x00070000000240be-113.dat	upx
behavioral2/files/0x00070000000240bd-108.dat	upx
behavioral2/files/0x00070000000240bc-106.dat	upx
behavioral2/files/0x00070000000240ba-93.dat	upx
behavioral2/files/0x00070000000240b9-88.dat	upx
behavioral2/files/0x00070000000240b8-83.dat	upx
behavioral2/files/0x00070000000240b5-68.dat	upx
behavioral2/files/0x00070000000240b3-58.dat	upx
behavioral2/files/0x00070000000240b2-53.dat	upx
behavioral2/files/0x00070000000240ad-28.dat	upx
behavioral2/memory/3516-1890-0x00007FF6A9890000-0x00007FF6A9C85000-memory.dmp	upx
behavioral2/memory/2352-1891-0x00007FF65B1E0000-0x00007FF65B5D5000-memory.dmp	upx
behavioral2/memory/2316-1892-0x00007FF7FE070000-0x00007FF7FE465000-memory.dmp	upx
behavioral2/memory/2616-1893-0x00007FF72DAF0000-0x00007FF72DEE5000-memory.dmp	upx

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12616	dwm.exe
Token: SeChangeNotifyPrivilege	12616	dwm.exe
Token: 33	12616	dwm.exe
Token: SeIncBasePriorityPrivilege	12616	dwm.exe
Token: SeShutdownPrivilege	12616	dwm.exe
Token: SeCreatePagefilePrivilege	12616	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 2352	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	87
PID 3516 wrote to memory of 2352	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	87
PID 3516 wrote to memory of 2316	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	88
PID 3516 wrote to memory of 2316	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	88
PID 3516 wrote to memory of 2616	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	89
PID 3516 wrote to memory of 2616	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	89
PID 3516 wrote to memory of 5096	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	90
PID 3516 wrote to memory of 5096	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	90
PID 3516 wrote to memory of 4836	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	91
PID 3516 wrote to memory of 4836	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	91
PID 3516 wrote to memory of 2020	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	92
PID 3516 wrote to memory of 2020	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	92
PID 3516 wrote to memory of 3264	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	93
PID 3516 wrote to memory of 3264	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	93
PID 3516 wrote to memory of 2960	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	94
PID 3516 wrote to memory of 2960	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	94
PID 3516 wrote to memory of 3280	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	95
PID 3516 wrote to memory of 3280	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	95
PID 3516 wrote to memory of 876	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	96
PID 3516 wrote to memory of 876	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	96
PID 3516 wrote to memory of 1420	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	97
PID 3516 wrote to memory of 1420	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	97
PID 3516 wrote to memory of 2764	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	98
PID 3516 wrote to memory of 2764	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	98
PID 3516 wrote to memory of 4876	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	99
PID 3516 wrote to memory of 4876	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	99
PID 3516 wrote to memory of 4788	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	100
PID 3516 wrote to memory of 4788	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	100
PID 3516 wrote to memory of 1864	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	101
PID 3516 wrote to memory of 1864	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	101
PID 3516 wrote to memory of 2412	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	102
PID 3516 wrote to memory of 2412	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	102
PID 3516 wrote to memory of 3500	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	103
PID 3516 wrote to memory of 3500	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	103
PID 3516 wrote to memory of 452	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	104
PID 3516 wrote to memory of 452	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	104
PID 3516 wrote to memory of 3216	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	105
PID 3516 wrote to memory of 3216	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	105
PID 3516 wrote to memory of 4808	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	106
PID 3516 wrote to memory of 4808	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	106
PID 3516 wrote to memory of 4328	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	107
PID 3516 wrote to memory of 4328	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	107
PID 3516 wrote to memory of 4956	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	108
PID 3516 wrote to memory of 4956	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	108
PID 3516 wrote to memory of 3368	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	109
PID 3516 wrote to memory of 3368	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	109
PID 3516 wrote to memory of 4512	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	110
PID 3516 wrote to memory of 4512	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	110
PID 3516 wrote to memory of 756	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	111
PID 3516 wrote to memory of 756	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	111
PID 3516 wrote to memory of 888	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	112
PID 3516 wrote to memory of 888	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	112
PID 3516 wrote to memory of 1336	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	113
PID 3516 wrote to memory of 1336	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	113
PID 3516 wrote to memory of 4780	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	114
PID 3516 wrote to memory of 4780	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	114
PID 3516 wrote to memory of 112	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	115
PID 3516 wrote to memory of 112	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	115
PID 3516 wrote to memory of 2888	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	116
PID 3516 wrote to memory of 2888	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	116
PID 3516 wrote to memory of 824	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	117
PID 3516 wrote to memory of 824	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	117
PID 3516 wrote to memory of 456	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	118
PID 3516 wrote to memory of 456	3516	2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe	118

C:\Users\Admin\AppData\Local\Temp\2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_decfdd738102650829c8a48768a25315_black-basta_imuler_xmrig.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\eFQBJau.exe
  C:\Windows\System32\eFQBJau.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\lJlBOck.exe
  C:\Windows\System32\lJlBOck.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\QKrICDY.exe
  C:\Windows\System32\QKrICDY.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System32\gjUwznF.exe
  C:\Windows\System32\gjUwznF.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\yOgmAZl.exe
  C:\Windows\System32\yOgmAZl.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System32\WuyZTAz.exe
  C:\Windows\System32\WuyZTAz.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System32\kTirxOH.exe
  C:\Windows\System32\kTirxOH.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\RXMyMhi.exe
  C:\Windows\System32\RXMyMhi.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System32\dmIjneQ.exe
  C:\Windows\System32\dmIjneQ.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\PAZPYKm.exe
  C:\Windows\System32\PAZPYKm.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\njgnQid.exe
  C:\Windows\System32\njgnQid.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System32\idEnBdZ.exe
  C:\Windows\System32\idEnBdZ.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\ryfzcYE.exe
  C:\Windows\System32\ryfzcYE.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System32\JcCTslD.exe
  C:\Windows\System32\JcCTslD.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\wPiyFIy.exe
  C:\Windows\System32\wPiyFIy.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System32\FfNcSZy.exe
  C:\Windows\System32\FfNcSZy.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System32\VTbREdp.exe
  C:\Windows\System32\VTbREdp.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\DEFzsoc.exe
  C:\Windows\System32\DEFzsoc.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System32\uOOYCqL.exe
  C:\Windows\System32\uOOYCqL.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\MmrixzO.exe
  C:\Windows\System32\MmrixzO.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\PENXCDD.exe
  C:\Windows\System32\PENXCDD.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\zvQqHar.exe
  C:\Windows\System32\zvQqHar.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\kaoVmev.exe
  C:\Windows\System32\kaoVmev.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System32\sjPmbBw.exe
  C:\Windows\System32\sjPmbBw.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\denxwOm.exe
  C:\Windows\System32\denxwOm.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\sBQrHdZ.exe
  C:\Windows\System32\sBQrHdZ.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System32\GSPMWPP.exe
  C:\Windows\System32\GSPMWPP.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System32\dNpXlkZ.exe
  C:\Windows\System32\dNpXlkZ.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\GccncnR.exe
  C:\Windows\System32\GccncnR.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\System32\SNRGRmr.exe
  C:\Windows\System32\SNRGRmr.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System32\gQcoWRm.exe
  C:\Windows\System32\gQcoWRm.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System32\OTXcvPm.exe
  C:\Windows\System32\OTXcvPm.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System32\DISKNVh.exe
  C:\Windows\System32\DISKNVh.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System32\MEuQwdo.exe
  C:\Windows\System32\MEuQwdo.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System32\CWaSShf.exe
  C:\Windows\System32\CWaSShf.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System32\xSYwgrn.exe
  C:\Windows\System32\xSYwgrn.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System32\oJgeQbv.exe
  C:\Windows\System32\oJgeQbv.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\tKxOhrw.exe
  C:\Windows\System32\tKxOhrw.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System32\sYCcWts.exe
  C:\Windows\System32\sYCcWts.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System32\foFmcmp.exe
  C:\Windows\System32\foFmcmp.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\cVEyIYE.exe
  C:\Windows\System32\cVEyIYE.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System32\UvAOtBl.exe
  C:\Windows\System32\UvAOtBl.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System32\ESVXJWY.exe
  C:\Windows\System32\ESVXJWY.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\JPzzPsM.exe
  C:\Windows\System32\JPzzPsM.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System32\oAHsDIB.exe
  C:\Windows\System32\oAHsDIB.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System32\CBmviRV.exe
  C:\Windows\System32\CBmviRV.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System32\BtuImpb.exe
  C:\Windows\System32\BtuImpb.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System32\EhVJbwh.exe
  C:\Windows\System32\EhVJbwh.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System32\ibFVUAr.exe
  C:\Windows\System32\ibFVUAr.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System32\QsRQCtr.exe
  C:\Windows\System32\QsRQCtr.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System32\iLGxWOq.exe
  C:\Windows\System32\iLGxWOq.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\zZgzVwU.exe
  C:\Windows\System32\zZgzVwU.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System32\uAvykDg.exe
  C:\Windows\System32\uAvykDg.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System32\OAAqixv.exe
  C:\Windows\System32\OAAqixv.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System32\EOVIxzQ.exe
  C:\Windows\System32\EOVIxzQ.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System32\XwbUZKx.exe
  C:\Windows\System32\XwbUZKx.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System32\TRZIheE.exe
  C:\Windows\System32\TRZIheE.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System32\wstIdMi.exe
  C:\Windows\System32\wstIdMi.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System32\beHSUgH.exe
  C:\Windows\System32\beHSUgH.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System32\iTurKHr.exe
  C:\Windows\System32\iTurKHr.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System32\UDEyeLl.exe
  C:\Windows\System32\UDEyeLl.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\QdesexJ.exe
  C:\Windows\System32\QdesexJ.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\waQNBiG.exe
  C:\Windows\System32\waQNBiG.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System32\CumxKsb.exe
  C:\Windows\System32\CumxKsb.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System32\AFlbXls.exe
  C:\Windows\System32\AFlbXls.exe
  2⤵
  PID:2976
- C:\Windows\System32\TxXctLD.exe
  C:\Windows\System32\TxXctLD.exe
  2⤵
  PID:5172
- C:\Windows\System32\mDtmRKs.exe
  C:\Windows\System32\mDtmRKs.exe
  2⤵
  PID:5188
- C:\Windows\System32\QVepFUU.exe
  C:\Windows\System32\QVepFUU.exe
  2⤵
  PID:5204
- C:\Windows\System32\NQKVsRn.exe
  C:\Windows\System32\NQKVsRn.exe
  2⤵
  PID:5240
- C:\Windows\System32\JYaGqcY.exe
  C:\Windows\System32\JYaGqcY.exe
  2⤵
  PID:5260
- C:\Windows\System32\LMGMmYI.exe
  C:\Windows\System32\LMGMmYI.exe
  2⤵
  PID:5296
- C:\Windows\System32\qAXkbuH.exe
  C:\Windows\System32\qAXkbuH.exe
  2⤵
  PID:5316
- C:\Windows\System32\KVnGSxC.exe
  C:\Windows\System32\KVnGSxC.exe
  2⤵
  PID:5344
- C:\Windows\System32\FLQSdOU.exe
  C:\Windows\System32\FLQSdOU.exe
  2⤵
  PID:5368
- C:\Windows\System32\IRaGTCU.exe
  C:\Windows\System32\IRaGTCU.exe
  2⤵
  PID:5400
- C:\Windows\System32\whWObTj.exe
  C:\Windows\System32\whWObTj.exe
  2⤵
  PID:5428
- C:\Windows\System32\ZcUBwyE.exe
  C:\Windows\System32\ZcUBwyE.exe
  2⤵
  PID:5456
- C:\Windows\System32\xVaZWfb.exe
  C:\Windows\System32\xVaZWfb.exe
  2⤵
  PID:5484
- C:\Windows\System32\YutjcxR.exe
  C:\Windows\System32\YutjcxR.exe
  2⤵
  PID:5512
- C:\Windows\System32\odxsIqX.exe
  C:\Windows\System32\odxsIqX.exe
  2⤵
  PID:5540
- C:\Windows\System32\OBDMHzM.exe
  C:\Windows\System32\OBDMHzM.exe
  2⤵
  PID:5564
- C:\Windows\System32\CSsHLOi.exe
  C:\Windows\System32\CSsHLOi.exe
  2⤵
  PID:5592
- C:\Windows\System32\DfURWql.exe
  C:\Windows\System32\DfURWql.exe
  2⤵
  PID:5636
- C:\Windows\System32\QwZCtEE.exe
  C:\Windows\System32\QwZCtEE.exe
  2⤵
  PID:5652
- C:\Windows\System32\NjnzoOz.exe
  C:\Windows\System32\NjnzoOz.exe
  2⤵
  PID:5668
- C:\Windows\System32\sXPAXMR.exe
  C:\Windows\System32\sXPAXMR.exe
  2⤵
  PID:5708
- C:\Windows\System32\OLcYRwl.exe
  C:\Windows\System32\OLcYRwl.exe
  2⤵
  PID:5736
- C:\Windows\System32\yXWZJNE.exe
  C:\Windows\System32\yXWZJNE.exe
  2⤵
  PID:5764
- C:\Windows\System32\lUELYZC.exe
  C:\Windows\System32\lUELYZC.exe
  2⤵
  PID:5796
- C:\Windows\System32\zgdcQoD.exe
  C:\Windows\System32\zgdcQoD.exe
  2⤵
  PID:5820
- C:\Windows\System32\JvzqWbm.exe
  C:\Windows\System32\JvzqWbm.exe
  2⤵
  PID:5848
- C:\Windows\System32\SfKkkNN.exe
  C:\Windows\System32\SfKkkNN.exe
  2⤵
  PID:5872
- C:\Windows\System32\AVKDkQM.exe
  C:\Windows\System32\AVKDkQM.exe
  2⤵
  PID:5904
- C:\Windows\System32\NpcpNUF.exe
  C:\Windows\System32\NpcpNUF.exe
  2⤵
  PID:5932
- C:\Windows\System32\KtSpqAm.exe
  C:\Windows\System32\KtSpqAm.exe
  2⤵
  PID:5960
- C:\Windows\System32\kljSCtu.exe
  C:\Windows\System32\kljSCtu.exe
  2⤵
  PID:5988
- C:\Windows\System32\zeqMqTT.exe
  C:\Windows\System32\zeqMqTT.exe
  2⤵
  PID:6020
- C:\Windows\System32\pmosQXD.exe
  C:\Windows\System32\pmosQXD.exe
  2⤵
  PID:6044
- C:\Windows\System32\ntBuNsY.exe
  C:\Windows\System32\ntBuNsY.exe
  2⤵
  PID:6072
- C:\Windows\System32\XWYlNCK.exe
  C:\Windows\System32\XWYlNCK.exe
  2⤵
  PID:6100
- C:\Windows\System32\AkwcylY.exe
  C:\Windows\System32\AkwcylY.exe
  2⤵
  PID:6124
- C:\Windows\System32\FHonLKU.exe
  C:\Windows\System32\FHonLKU.exe
  2⤵
  PID:1188
- C:\Windows\System32\XNbvpYG.exe
  C:\Windows\System32\XNbvpYG.exe
  2⤵
  PID:2556
- C:\Windows\System32\LoPkDnu.exe
  C:\Windows\System32\LoPkDnu.exe
  2⤵
  PID:5008
- C:\Windows\System32\dcrAcIE.exe
  C:\Windows\System32\dcrAcIE.exe
  2⤵
  PID:4932
- C:\Windows\System32\TjMzIqt.exe
  C:\Windows\System32\TjMzIqt.exe
  2⤵
  PID:5000
- C:\Windows\System32\vFRpvYm.exe
  C:\Windows\System32\vFRpvYm.exe
  2⤵
  PID:3144
- C:\Windows\System32\fqtQBaR.exe
  C:\Windows\System32\fqtQBaR.exe
  2⤵
  PID:5196
- C:\Windows\System32\JSMYniJ.exe
  C:\Windows\System32\JSMYniJ.exe
  2⤵
  PID:5248
- C:\Windows\System32\iSjHWMW.exe
  C:\Windows\System32\iSjHWMW.exe
  2⤵
  PID:5312
- C:\Windows\System32\iiokgsx.exe
  C:\Windows\System32\iiokgsx.exe
  2⤵
  PID:5376
- C:\Windows\System32\AzWhjSh.exe
  C:\Windows\System32\AzWhjSh.exe
  2⤵
  PID:5440
- C:\Windows\System32\ICXhORG.exe
  C:\Windows\System32\ICXhORG.exe
  2⤵
  PID:5492
- C:\Windows\System32\ZscZQHp.exe
  C:\Windows\System32\ZscZQHp.exe
  2⤵
  PID:5616
- C:\Windows\System32\lrvQShY.exe
  C:\Windows\System32\lrvQShY.exe
  2⤵
  PID:5644
- C:\Windows\System32\NZczUbZ.exe
  C:\Windows\System32\NZczUbZ.exe
  2⤵
  PID:5680
- C:\Windows\System32\NMfpQoC.exe
  C:\Windows\System32\NMfpQoC.exe
  2⤵
  PID:5784
- C:\Windows\System32\UWBtJWE.exe
  C:\Windows\System32\UWBtJWE.exe
  2⤵
  PID:5856
- C:\Windows\System32\WyddlKM.exe
  C:\Windows\System32\WyddlKM.exe
  2⤵
  PID:5880
- C:\Windows\System32\gjOQzSS.exe
  C:\Windows\System32\gjOQzSS.exe
  2⤵
  PID:5968
- C:\Windows\System32\zHUYiRS.exe
  C:\Windows\System32\zHUYiRS.exe
  2⤵
  PID:6056
- C:\Windows\System32\dXzYEtq.exe
  C:\Windows\System32\dXzYEtq.exe
  2⤵
  PID:6084
- C:\Windows\System32\cUszGGF.exe
  C:\Windows\System32\cUszGGF.exe
  2⤵
  PID:3464
- C:\Windows\System32\YtEzuph.exe
  C:\Windows\System32\YtEzuph.exe
  2⤵
  PID:1888
- C:\Windows\System32\xvxXhow.exe
  C:\Windows\System32\xvxXhow.exe
  2⤵
  PID:3468
- C:\Windows\System32\XxeejgU.exe
  C:\Windows\System32\XxeejgU.exe
  2⤵
  PID:5272
- C:\Windows\System32\gBVPEUV.exe
  C:\Windows\System32\gBVPEUV.exe
  2⤵
  PID:5412
- C:\Windows\System32\FlkCIIe.exe
  C:\Windows\System32\FlkCIIe.exe
  2⤵
  PID:5524
- C:\Windows\System32\jMcdQyN.exe
  C:\Windows\System32\jMcdQyN.exe
  2⤵
  PID:6184
- C:\Windows\System32\zdgJFCy.exe
  C:\Windows\System32\zdgJFCy.exe
  2⤵
  PID:6204
- C:\Windows\System32\OxnmLgi.exe
  C:\Windows\System32\OxnmLgi.exe
  2⤵
  PID:6232
- C:\Windows\System32\cjYmRtr.exe
  C:\Windows\System32\cjYmRtr.exe
  2⤵
  PID:6260
- C:\Windows\System32\KwUCBWy.exe
  C:\Windows\System32\KwUCBWy.exe
  2⤵
  PID:6284
- C:\Windows\System32\zWvUQZI.exe
  C:\Windows\System32\zWvUQZI.exe
  2⤵
  PID:6312
- C:\Windows\System32\ChMWOVD.exe
  C:\Windows\System32\ChMWOVD.exe
  2⤵
  PID:6344
- C:\Windows\System32\izRoaXt.exe
  C:\Windows\System32\izRoaXt.exe
  2⤵
  PID:6368
- C:\Windows\System32\zYqeiej.exe
  C:\Windows\System32\zYqeiej.exe
  2⤵
  PID:6400
- C:\Windows\System32\BcpyGMj.exe
  C:\Windows\System32\BcpyGMj.exe
  2⤵
  PID:6424
- C:\Windows\System32\gVAoPul.exe
  C:\Windows\System32\gVAoPul.exe
  2⤵
  PID:6456
- C:\Windows\System32\WnRKumB.exe
  C:\Windows\System32\WnRKumB.exe
  2⤵
  PID:6484
- C:\Windows\System32\AYofIzB.exe
  C:\Windows\System32\AYofIzB.exe
  2⤵
  PID:6512
- C:\Windows\System32\mifjKbO.exe
  C:\Windows\System32\mifjKbO.exe
  2⤵
  PID:6540
- C:\Windows\System32\AZSEyHv.exe
  C:\Windows\System32\AZSEyHv.exe
  2⤵
  PID:6564
- C:\Windows\System32\dHgYquS.exe
  C:\Windows\System32\dHgYquS.exe
  2⤵
  PID:6596
- C:\Windows\System32\WqkIEuq.exe
  C:\Windows\System32\WqkIEuq.exe
  2⤵
  PID:6624
- C:\Windows\System32\LRiWOnx.exe
  C:\Windows\System32\LRiWOnx.exe
  2⤵
  PID:6648
- C:\Windows\System32\pKNBadk.exe
  C:\Windows\System32\pKNBadk.exe
  2⤵
  PID:6680
- C:\Windows\System32\AFYGQKF.exe
  C:\Windows\System32\AFYGQKF.exe
  2⤵
  PID:6708
- C:\Windows\System32\KgFIfol.exe
  C:\Windows\System32\KgFIfol.exe
  2⤵
  PID:6736
- C:\Windows\System32\UUOjhzm.exe
  C:\Windows\System32\UUOjhzm.exe
  2⤵
  PID:6760
- C:\Windows\System32\kfZEyrv.exe
  C:\Windows\System32\kfZEyrv.exe
  2⤵
  PID:6800
- C:\Windows\System32\ShVjLBx.exe
  C:\Windows\System32\ShVjLBx.exe
  2⤵
  PID:6820
- C:\Windows\System32\heXNCeF.exe
  C:\Windows\System32\heXNCeF.exe
  2⤵
  PID:6844
- C:\Windows\System32\tIAYdjj.exe
  C:\Windows\System32\tIAYdjj.exe
  2⤵
  PID:6876
- C:\Windows\System32\KqOqxvn.exe
  C:\Windows\System32\KqOqxvn.exe
  2⤵
  PID:6904
- C:\Windows\System32\jwAzBXV.exe
  C:\Windows\System32\jwAzBXV.exe
  2⤵
  PID:6932
- C:\Windows\System32\EbnufAZ.exe
  C:\Windows\System32\EbnufAZ.exe
  2⤵
  PID:6960
- C:\Windows\System32\lpUenYi.exe
  C:\Windows\System32\lpUenYi.exe
  2⤵
  PID:6988
- C:\Windows\System32\wexMsZV.exe
  C:\Windows\System32\wexMsZV.exe
  2⤵
  PID:7012
- C:\Windows\System32\tNPCKcH.exe
  C:\Windows\System32\tNPCKcH.exe
  2⤵
  PID:7044
- C:\Windows\System32\DDrXRPL.exe
  C:\Windows\System32\DDrXRPL.exe
  2⤵
  PID:7084
- C:\Windows\System32\EmZfoWM.exe
  C:\Windows\System32\EmZfoWM.exe
  2⤵
  PID:7100
- C:\Windows\System32\CWKDwaa.exe
  C:\Windows\System32\CWKDwaa.exe
  2⤵
  PID:7128
- C:\Windows\System32\BhijIOb.exe
  C:\Windows\System32\BhijIOb.exe
  2⤵
  PID:7156
- C:\Windows\System32\iwvYRQJ.exe
  C:\Windows\System32\iwvYRQJ.exe
  2⤵
  PID:5660
- C:\Windows\System32\Gnkuglc.exe
  C:\Windows\System32\Gnkuglc.exe
  2⤵
  PID:5776
- C:\Windows\System32\eZRztZM.exe
  C:\Windows\System32\eZRztZM.exe
  2⤵
  PID:5940
- C:\Windows\System32\eeoaefM.exe
  C:\Windows\System32\eeoaefM.exe
  2⤵
  PID:6120
- C:\Windows\System32\TrTiNKr.exe
  C:\Windows\System32\TrTiNKr.exe
  2⤵
  PID:4548
- C:\Windows\System32\cAHfPiX.exe
  C:\Windows\System32\cAHfPiX.exe
  2⤵
  PID:5328
- C:\Windows\System32\LhVCkiZ.exe
  C:\Windows\System32\LhVCkiZ.exe
  2⤵
  PID:6152
- C:\Windows\System32\exxjNig.exe
  C:\Windows\System32\exxjNig.exe
  2⤵
  PID:6244
- C:\Windows\System32\fYYWMLP.exe
  C:\Windows\System32\fYYWMLP.exe
  2⤵
  PID:6292
- C:\Windows\System32\bnpoLdX.exe
  C:\Windows\System32\bnpoLdX.exe
  2⤵
  PID:6356
- C:\Windows\System32\MfjelBL.exe
  C:\Windows\System32\MfjelBL.exe
  2⤵
  PID:2716
- C:\Windows\System32\ueLYbMC.exe
  C:\Windows\System32\ueLYbMC.exe
  2⤵
  PID:6464
- C:\Windows\System32\HZDlevH.exe
  C:\Windows\System32\HZDlevH.exe
  2⤵
  PID:6560
- C:\Windows\System32\hiSFnkx.exe
  C:\Windows\System32\hiSFnkx.exe
  2⤵
  PID:6608
- C:\Windows\System32\zAwCVok.exe
  C:\Windows\System32\zAwCVok.exe
  2⤵
  PID:6656
- C:\Windows\System32\noGUlMu.exe
  C:\Windows\System32\noGUlMu.exe
  2⤵
  PID:6744
- C:\Windows\System32\LeDSBcm.exe
  C:\Windows\System32\LeDSBcm.exe
  2⤵
  PID:6808
- C:\Windows\System32\TsjAKUB.exe
  C:\Windows\System32\TsjAKUB.exe
  2⤵
  PID:6852
- C:\Windows\System32\VRzcnbT.exe
  C:\Windows\System32\VRzcnbT.exe
  2⤵
  PID:6952
- C:\Windows\System32\nsYDdBr.exe
  C:\Windows\System32\nsYDdBr.exe
  2⤵
  PID:7000
- C:\Windows\System32\zpbdVeC.exe
  C:\Windows\System32\zpbdVeC.exe
  2⤵
  PID:7056
- C:\Windows\System32\oEsPPls.exe
  C:\Windows\System32\oEsPPls.exe
  2⤵
  PID:7148
- C:\Windows\System32\KsNTDzd.exe
  C:\Windows\System32\KsNTDzd.exe
  2⤵
  PID:5868
- C:\Windows\System32\VWjsoUC.exe
  C:\Windows\System32\VWjsoUC.exe
  2⤵
  PID:6040
- C:\Windows\System32\QweUhgt.exe
  C:\Windows\System32\QweUhgt.exe
  2⤵
  PID:5364
- C:\Windows\System32\CdrhmYb.exe
  C:\Windows\System32\CdrhmYb.exe
  2⤵
  PID:6272
- C:\Windows\System32\cnCxRjk.exe
  C:\Windows\System32\cnCxRjk.exe
  2⤵
  PID:6376
- C:\Windows\System32\DWQZWsJ.exe
  C:\Windows\System32\DWQZWsJ.exe
  2⤵
  PID:6492
- C:\Windows\System32\FvEdLBe.exe
  C:\Windows\System32\FvEdLBe.exe
  2⤵
  PID:6700
- C:\Windows\System32\VsxBkUL.exe
  C:\Windows\System32\VsxBkUL.exe
  2⤵
  PID:6868
- C:\Windows\System32\BtFRmml.exe
  C:\Windows\System32\BtFRmml.exe
  2⤵
  PID:6968
- C:\Windows\System32\cEIwjRI.exe
  C:\Windows\System32\cEIwjRI.exe
  2⤵
  PID:7036
- C:\Windows\System32\lJFKKGi.exe
  C:\Windows\System32\lJFKKGi.exe
  2⤵
  PID:4996
- C:\Windows\System32\qEizXEL.exe
  C:\Windows\System32\qEizXEL.exe
  2⤵
  PID:3444
- C:\Windows\System32\mGLgbiq.exe
  C:\Windows\System32\mGLgbiq.exe
  2⤵
  PID:3640
- C:\Windows\System32\jACPBXw.exe
  C:\Windows\System32\jACPBXw.exe
  2⤵
  PID:6756
- C:\Windows\System32\IbDzRFI.exe
  C:\Windows\System32\IbDzRFI.exe
  2⤵
  PID:4584
- C:\Windows\System32\ceaGDzf.exe
  C:\Windows\System32\ceaGDzf.exe
  2⤵
  PID:4104
- C:\Windows\System32\deQseCa.exe
  C:\Windows\System32\deQseCa.exe
  2⤵
  PID:7188
- C:\Windows\System32\lehbrXi.exe
  C:\Windows\System32\lehbrXi.exe
  2⤵
  PID:7220
- C:\Windows\System32\KGAnVwv.exe
  C:\Windows\System32\KGAnVwv.exe
  2⤵
  PID:7244
- C:\Windows\System32\qGRudpt.exe
  C:\Windows\System32\qGRudpt.exe
  2⤵
  PID:7276
- C:\Windows\System32\cHjBZXU.exe
  C:\Windows\System32\cHjBZXU.exe
  2⤵
  PID:7304
- C:\Windows\System32\QETNTyC.exe
  C:\Windows\System32\QETNTyC.exe
  2⤵
  PID:7332
- C:\Windows\System32\fnGAfjL.exe
  C:\Windows\System32\fnGAfjL.exe
  2⤵
  PID:7360
- C:\Windows\System32\JqXEMAh.exe
  C:\Windows\System32\JqXEMAh.exe
  2⤵
  PID:7388
- C:\Windows\System32\mGoEpcM.exe
  C:\Windows\System32\mGoEpcM.exe
  2⤵
  PID:7512
- C:\Windows\System32\YuYDkSF.exe
  C:\Windows\System32\YuYDkSF.exe
  2⤵
  PID:7560
- C:\Windows\System32\IXRpCiD.exe
  C:\Windows\System32\IXRpCiD.exe
  2⤵
  PID:7580
- C:\Windows\System32\NPfzVsK.exe
  C:\Windows\System32\NPfzVsK.exe
  2⤵
  PID:7596
- C:\Windows\System32\bGbMBkA.exe
  C:\Windows\System32\bGbMBkA.exe
  2⤵
  PID:7612
- C:\Windows\System32\UIXIBQH.exe
  C:\Windows\System32\UIXIBQH.exe
  2⤵
  PID:7632
- C:\Windows\System32\iMXcCsz.exe
  C:\Windows\System32\iMXcCsz.exe
  2⤵
  PID:7652
- C:\Windows\System32\tJCOuNj.exe
  C:\Windows\System32\tJCOuNj.exe
  2⤵
  PID:7684
- C:\Windows\System32\KbNBlvV.exe
  C:\Windows\System32\KbNBlvV.exe
  2⤵
  PID:7724
- C:\Windows\System32\hKQRQws.exe
  C:\Windows\System32\hKQRQws.exe
  2⤵
  PID:7764
- C:\Windows\System32\yYXczoG.exe
  C:\Windows\System32\yYXczoG.exe
  2⤵
  PID:7788
- C:\Windows\System32\IQqzDVq.exe
  C:\Windows\System32\IQqzDVq.exe
  2⤵
  PID:7848
- C:\Windows\System32\aOcCMzn.exe
  C:\Windows\System32\aOcCMzn.exe
  2⤵
  PID:7868
- C:\Windows\System32\jXRUOhd.exe
  C:\Windows\System32\jXRUOhd.exe
  2⤵
  PID:7900
- C:\Windows\System32\AYdTbFf.exe
  C:\Windows\System32\AYdTbFf.exe
  2⤵
  PID:7940
- C:\Windows\System32\ObVEfQZ.exe
  C:\Windows\System32\ObVEfQZ.exe
  2⤵
  PID:7964
- C:\Windows\System32\XZDgfgt.exe
  C:\Windows\System32\XZDgfgt.exe
  2⤵
  PID:8004
- C:\Windows\System32\vcUpJZQ.exe
  C:\Windows\System32\vcUpJZQ.exe
  2⤵
  PID:8084
- C:\Windows\System32\rquPIuk.exe
  C:\Windows\System32\rquPIuk.exe
  2⤵
  PID:8100
- C:\Windows\System32\Wettyff.exe
  C:\Windows\System32\Wettyff.exe
  2⤵
  PID:8116
- C:\Windows\System32\ZiMokIE.exe
  C:\Windows\System32\ZiMokIE.exe
  2⤵
  PID:8132
- C:\Windows\System32\yKVaNvo.exe
  C:\Windows\System32\yKVaNvo.exe
  2⤵
  PID:8188
- C:\Windows\System32\UBBVdiN.exe
  C:\Windows\System32\UBBVdiN.exe
  2⤵
  PID:7172
- C:\Windows\System32\YjRCyqG.exe
  C:\Windows\System32\YjRCyqG.exe
  2⤵
  PID:7196
- C:\Windows\System32\CAXCGTV.exe
  C:\Windows\System32\CAXCGTV.exe
  2⤵
  PID:632
- C:\Windows\System32\YzOOQUX.exe
  C:\Windows\System32\YzOOQUX.exe
  2⤵
  PID:7260
- C:\Windows\System32\Etjoojd.exe
  C:\Windows\System32\Etjoojd.exe
  2⤵
  PID:3804
- C:\Windows\System32\PHPJTzf.exe
  C:\Windows\System32\PHPJTzf.exe
  2⤵
  PID:2828
- C:\Windows\System32\jfbQrQM.exe
  C:\Windows\System32\jfbQrQM.exe
  2⤵
  PID:7372
- C:\Windows\System32\uXLNvuk.exe
  C:\Windows\System32\uXLNvuk.exe
  2⤵
  PID:1768
- C:\Windows\System32\eYvuNzc.exe
  C:\Windows\System32\eYvuNzc.exe
  2⤵
  PID:3744
- C:\Windows\System32\LVbISxN.exe
  C:\Windows\System32\LVbISxN.exe
  2⤵
  PID:1220
- C:\Windows\System32\rDfmFfQ.exe
  C:\Windows\System32\rDfmFfQ.exe
  2⤵
  PID:3888
- C:\Windows\System32\ZfJZVDV.exe
  C:\Windows\System32\ZfJZVDV.exe
  2⤵
  PID:3652
- C:\Windows\System32\yldqWsr.exe
  C:\Windows\System32\yldqWsr.exe
  2⤵
  PID:1232
- C:\Windows\System32\NBuoWkM.exe
  C:\Windows\System32\NBuoWkM.exe
  2⤵
  PID:1296
- C:\Windows\System32\jphaLhF.exe
  C:\Windows\System32\jphaLhF.exe
  2⤵
  PID:1200
- C:\Windows\System32\ImphnEO.exe
  C:\Windows\System32\ImphnEO.exe
  2⤵
  PID:628
- C:\Windows\System32\MKQyWFO.exe
  C:\Windows\System32\MKQyWFO.exe
  2⤵
  PID:2484
- C:\Windows\System32\RDgBKaz.exe
  C:\Windows\System32\RDgBKaz.exe
  2⤵
  PID:3624
- C:\Windows\System32\uVtFdFt.exe
  C:\Windows\System32\uVtFdFt.exe
  2⤵
  PID:3756
- C:\Windows\System32\GrLBQBa.exe
  C:\Windows\System32\GrLBQBa.exe
  2⤵
  PID:7520
- C:\Windows\System32\JDyjVjb.exe
  C:\Windows\System32\JDyjVjb.exe
  2⤵
  PID:3672
- C:\Windows\System32\yURAfqJ.exe
  C:\Windows\System32\yURAfqJ.exe
  2⤵
  PID:3620
- C:\Windows\System32\gFYgsIt.exe
  C:\Windows\System32\gFYgsIt.exe
  2⤵
  PID:4524
- C:\Windows\System32\KgEHrMm.exe
  C:\Windows\System32\KgEHrMm.exe
  2⤵
  PID:1428
- C:\Windows\System32\EVQJLpl.exe
  C:\Windows\System32\EVQJLpl.exe
  2⤵
  PID:2840
- C:\Windows\System32\iYZrMGp.exe
  C:\Windows\System32\iYZrMGp.exe
  2⤵
  PID:7664
- C:\Windows\System32\xWVPZHZ.exe
  C:\Windows\System32\xWVPZHZ.exe
  2⤵
  PID:7748
- C:\Windows\System32\sxBSjSI.exe
  C:\Windows\System32\sxBSjSI.exe
  2⤵
  PID:7828
- C:\Windows\System32\eYBhfin.exe
  C:\Windows\System32\eYBhfin.exe
  2⤵
  PID:7896
- C:\Windows\System32\YFlqhEm.exe
  C:\Windows\System32\YFlqhEm.exe
  2⤵
  PID:7988
- C:\Windows\System32\BuCPPaZ.exe
  C:\Windows\System32\BuCPPaZ.exe
  2⤵
  PID:8112
- C:\Windows\System32\fzuMxjg.exe
  C:\Windows\System32\fzuMxjg.exe
  2⤵
  PID:8168
- C:\Windows\System32\WBtAttv.exe
  C:\Windows\System32\WBtAttv.exe
  2⤵
  PID:7212
- C:\Windows\System32\USqUcNQ.exe
  C:\Windows\System32\USqUcNQ.exe
  2⤵
  PID:7316
- C:\Windows\System32\dhMLqdJ.exe
  C:\Windows\System32\dhMLqdJ.exe
  2⤵
  PID:1592
- C:\Windows\System32\TUbkzau.exe
  C:\Windows\System32\TUbkzau.exe
  2⤵
  PID:1648
- C:\Windows\System32\xRiVaYu.exe
  C:\Windows\System32\xRiVaYu.exe
  2⤵
  PID:4172
- C:\Windows\System32\OycpyMu.exe
  C:\Windows\System32\OycpyMu.exe
  2⤵
  PID:3612
- C:\Windows\System32\Exygrgx.exe
  C:\Windows\System32\Exygrgx.exe
  2⤵
  PID:7380
- C:\Windows\System32\RRBupFa.exe
  C:\Windows\System32\RRBupFa.exe
  2⤵
  PID:3100
- C:\Windows\System32\fTBuIOz.exe
  C:\Windows\System32\fTBuIOz.exe
  2⤵
  PID:4160
- C:\Windows\System32\Xgcsblq.exe
  C:\Windows\System32\Xgcsblq.exe
  2⤵
  PID:7640
- C:\Windows\System32\dcrStiV.exe
  C:\Windows\System32\dcrStiV.exe
  2⤵
  PID:7620
- C:\Windows\System32\InJFnbs.exe
  C:\Windows\System32\InJFnbs.exe
  2⤵
  PID:7864
- C:\Windows\System32\tPhspoz.exe
  C:\Windows\System32\tPhspoz.exe
  2⤵
  PID:8096
- C:\Windows\System32\NagrTnx.exe
  C:\Windows\System32\NagrTnx.exe
  2⤵
  PID:8124
- C:\Windows\System32\NFeBmDs.exe
  C:\Windows\System32\NFeBmDs.exe
  2⤵
  PID:2136
- C:\Windows\System32\EFHbzHD.exe
  C:\Windows\System32\EFHbzHD.exe
  2⤵
  PID:4868
- C:\Windows\System32\ipcbYrw.exe
  C:\Windows\System32\ipcbYrw.exe
  2⤵
  PID:2948
- C:\Windows\System32\HRovnXZ.exe
  C:\Windows\System32\HRovnXZ.exe
  2⤵
  PID:7648
- C:\Windows\System32\XFbuJeg.exe
  C:\Windows\System32\XFbuJeg.exe
  2⤵
  PID:5080
- C:\Windows\System32\KztZhSJ.exe
  C:\Windows\System32\KztZhSJ.exe
  2⤵
  PID:5084
- C:\Windows\System32\ORXMKPA.exe
  C:\Windows\System32\ORXMKPA.exe
  2⤵
  PID:3092
- C:\Windows\System32\HPkppja.exe
  C:\Windows\System32\HPkppja.exe
  2⤵
  PID:7284
- C:\Windows\System32\oSBavDE.exe
  C:\Windows\System32\oSBavDE.exe
  2⤵
  PID:8208
- C:\Windows\System32\YCypKHA.exe
  C:\Windows\System32\YCypKHA.exe
  2⤵
  PID:8236
- C:\Windows\System32\BQBjHoK.exe
  C:\Windows\System32\BQBjHoK.exe
  2⤵
  PID:8276
- C:\Windows\System32\ZuYQPWY.exe
  C:\Windows\System32\ZuYQPWY.exe
  2⤵
  PID:8296
- C:\Windows\System32\HJPnOxy.exe
  C:\Windows\System32\HJPnOxy.exe
  2⤵
  PID:8332
- C:\Windows\System32\mLwkpgc.exe
  C:\Windows\System32\mLwkpgc.exe
  2⤵
  PID:8356
- C:\Windows\System32\NKDhnTk.exe
  C:\Windows\System32\NKDhnTk.exe
  2⤵
  PID:8376
- C:\Windows\System32\bxvITyt.exe
  C:\Windows\System32\bxvITyt.exe
  2⤵
  PID:8396
- C:\Windows\System32\xCRtNwU.exe
  C:\Windows\System32\xCRtNwU.exe
  2⤵
  PID:8412
- C:\Windows\System32\RvcZgHA.exe
  C:\Windows\System32\RvcZgHA.exe
  2⤵
  PID:8504
- C:\Windows\System32\RrLAHzq.exe
  C:\Windows\System32\RrLAHzq.exe
  2⤵
  PID:8536
- C:\Windows\System32\xIbwtWm.exe
  C:\Windows\System32\xIbwtWm.exe
  2⤵
  PID:8572
- C:\Windows\System32\jDsEsom.exe
  C:\Windows\System32\jDsEsom.exe
  2⤵
  PID:8596
- C:\Windows\System32\PhoxVPo.exe
  C:\Windows\System32\PhoxVPo.exe
  2⤵
  PID:8628
- C:\Windows\System32\zfxsVnB.exe
  C:\Windows\System32\zfxsVnB.exe
  2⤵
  PID:8656
- C:\Windows\System32\wfHbpkK.exe
  C:\Windows\System32\wfHbpkK.exe
  2⤵
  PID:8684
- C:\Windows\System32\FfUuUIU.exe
  C:\Windows\System32\FfUuUIU.exe
  2⤵
  PID:8712
- C:\Windows\System32\AujRroo.exe
  C:\Windows\System32\AujRroo.exe
  2⤵
  PID:8744
- C:\Windows\System32\oWVLFto.exe
  C:\Windows\System32\oWVLFto.exe
  2⤵
  PID:8768
- C:\Windows\System32\HqvatlX.exe
  C:\Windows\System32\HqvatlX.exe
  2⤵
  PID:8800
- C:\Windows\System32\hcqtKRm.exe
  C:\Windows\System32\hcqtKRm.exe
  2⤵
  PID:8840
- C:\Windows\System32\juNjbjg.exe
  C:\Windows\System32\juNjbjg.exe
  2⤵
  PID:8856
- C:\Windows\System32\EzaIrfl.exe
  C:\Windows\System32\EzaIrfl.exe
  2⤵
  PID:8888
- C:\Windows\System32\syupPSn.exe
  C:\Windows\System32\syupPSn.exe
  2⤵
  PID:8916
- C:\Windows\System32\JkduRon.exe
  C:\Windows\System32\JkduRon.exe
  2⤵
  PID:8944
- C:\Windows\System32\fhKlZHm.exe
  C:\Windows\System32\fhKlZHm.exe
  2⤵
  PID:8980
- C:\Windows\System32\QjxLRKF.exe
  C:\Windows\System32\QjxLRKF.exe
  2⤵
  PID:9008
- C:\Windows\System32\YrHlVZI.exe
  C:\Windows\System32\YrHlVZI.exe
  2⤵
  PID:9044
- C:\Windows\System32\tgxyvuL.exe
  C:\Windows\System32\tgxyvuL.exe
  2⤵
  PID:9072
- C:\Windows\System32\sEkyqsh.exe
  C:\Windows\System32\sEkyqsh.exe
  2⤵
  PID:9088
- C:\Windows\System32\FLlYIqW.exe
  C:\Windows\System32\FLlYIqW.exe
  2⤵
  PID:9104
- C:\Windows\System32\lPUgiFO.exe
  C:\Windows\System32\lPUgiFO.exe
  2⤵
  PID:9132
- C:\Windows\System32\BPcwVjq.exe
  C:\Windows\System32\BPcwVjq.exe
  2⤵
  PID:9184
- C:\Windows\System32\swbrOnM.exe
  C:\Windows\System32\swbrOnM.exe
  2⤵
  PID:9212
- C:\Windows\System32\jwWFajA.exe
  C:\Windows\System32\jwWFajA.exe
  2⤵
  PID:7076
- C:\Windows\System32\RtjdEHE.exe
  C:\Windows\System32\RtjdEHE.exe
  2⤵
  PID:8228
- C:\Windows\System32\EJwwUwe.exe
  C:\Windows\System32\EJwwUwe.exe
  2⤵
  PID:7952
- C:\Windows\System32\kFzxJgo.exe
  C:\Windows\System32\kFzxJgo.exe
  2⤵
  PID:8372
- C:\Windows\System32\ehgigZW.exe
  C:\Windows\System32\ehgigZW.exe
  2⤵
  PID:8384
- C:\Windows\System32\TSJWpuX.exe
  C:\Windows\System32\TSJWpuX.exe
  2⤵
  PID:8420
- C:\Windows\System32\FSDjBTC.exe
  C:\Windows\System32\FSDjBTC.exe
  2⤵
  PID:7460
- C:\Windows\System32\hnVAwCd.exe
  C:\Windows\System32\hnVAwCd.exe
  2⤵
  PID:7456
- C:\Windows\System32\jLnaQXm.exe
  C:\Windows\System32\jLnaQXm.exe
  2⤵
  PID:8680
- C:\Windows\System32\zAtVVnn.exe
  C:\Windows\System32\zAtVVnn.exe
  2⤵
  PID:8736
- C:\Windows\System32\raXByAZ.exe
  C:\Windows\System32\raXByAZ.exe
  2⤵
  PID:8776
- C:\Windows\System32\GeRaJOd.exe
  C:\Windows\System32\GeRaJOd.exe
  2⤵
  PID:8880
- C:\Windows\System32\nOIPnEq.exe
  C:\Windows\System32\nOIPnEq.exe
  2⤵
  PID:8936
- C:\Windows\System32\DCtCdtb.exe
  C:\Windows\System32\DCtCdtb.exe
  2⤵
  PID:9004
- C:\Windows\System32\UjeLvLY.exe
  C:\Windows\System32\UjeLvLY.exe
  2⤵
  PID:9064
- C:\Windows\System32\QNZtrJd.exe
  C:\Windows\System32\QNZtrJd.exe
  2⤵
  PID:9120
- C:\Windows\System32\kPhXjra.exe
  C:\Windows\System32\kPhXjra.exe
  2⤵
  PID:9180
- C:\Windows\System32\CkvTqig.exe
  C:\Windows\System32\CkvTqig.exe
  2⤵
  PID:8232
- C:\Windows\System32\ivOmewM.exe
  C:\Windows\System32\ivOmewM.exe
  2⤵
  PID:8308
- C:\Windows\System32\hnYHgqq.exe
  C:\Windows\System32\hnYHgqq.exe
  2⤵
  PID:8548
- C:\Windows\System32\UZoKoVH.exe
  C:\Windows\System32\UZoKoVH.exe
  2⤵
  PID:8676
- C:\Windows\System32\aBfFQwn.exe
  C:\Windows\System32\aBfFQwn.exe
  2⤵
  PID:8832
- C:\Windows\System32\MsuXFAf.exe
  C:\Windows\System32\MsuXFAf.exe
  2⤵
  PID:8996
- C:\Windows\System32\iPfNKNb.exe
  C:\Windows\System32\iPfNKNb.exe
  2⤵
  PID:7552
- C:\Windows\System32\jOuXVhJ.exe
  C:\Windows\System32\jOuXVhJ.exe
  2⤵
  PID:8220
- C:\Windows\System32\jZZmoNU.exe
  C:\Windows\System32\jZZmoNU.exe
  2⤵
  PID:8404
- C:\Windows\System32\ndvvEgU.exe
  C:\Windows\System32\ndvvEgU.exe
  2⤵
  PID:8760
- C:\Windows\System32\srWVgxu.exe
  C:\Windows\System32\srWVgxu.exe
  2⤵
  PID:5108
- C:\Windows\System32\xBpLiOg.exe
  C:\Windows\System32\xBpLiOg.exe
  2⤵
  PID:8580
- C:\Windows\System32\vaoDaYg.exe
  C:\Windows\System32\vaoDaYg.exe
  2⤵
  PID:8900
- C:\Windows\System32\aBMOzYA.exe
  C:\Windows\System32\aBMOzYA.exe
  2⤵
  PID:9148
- C:\Windows\System32\jjHZmIo.exe
  C:\Windows\System32\jjHZmIo.exe
  2⤵
  PID:9244
- C:\Windows\System32\aMRkdBV.exe
  C:\Windows\System32\aMRkdBV.exe
  2⤵
  PID:9272
- C:\Windows\System32\byTyvzP.exe
  C:\Windows\System32\byTyvzP.exe
  2⤵
  PID:9300
- C:\Windows\System32\EXpBxCA.exe
  C:\Windows\System32\EXpBxCA.exe
  2⤵
  PID:9328
- C:\Windows\System32\cpAziGn.exe
  C:\Windows\System32\cpAziGn.exe
  2⤵
  PID:9360
- C:\Windows\System32\lvYSWsR.exe
  C:\Windows\System32\lvYSWsR.exe
  2⤵
  PID:9388
- C:\Windows\System32\kEucubS.exe
  C:\Windows\System32\kEucubS.exe
  2⤵
  PID:9416
- C:\Windows\System32\YyGHYur.exe
  C:\Windows\System32\YyGHYur.exe
  2⤵
  PID:9444
- C:\Windows\System32\qKDWUqG.exe
  C:\Windows\System32\qKDWUqG.exe
  2⤵
  PID:9472
- C:\Windows\System32\LZWNfCP.exe
  C:\Windows\System32\LZWNfCP.exe
  2⤵
  PID:9500
- C:\Windows\System32\ZCnsYev.exe
  C:\Windows\System32\ZCnsYev.exe
  2⤵
  PID:9516
- C:\Windows\System32\CdNBSNx.exe
  C:\Windows\System32\CdNBSNx.exe
  2⤵
  PID:9548
- C:\Windows\System32\pGndUcZ.exe
  C:\Windows\System32\pGndUcZ.exe
  2⤵
  PID:9584
- C:\Windows\System32\ALrOqDe.exe
  C:\Windows\System32\ALrOqDe.exe
  2⤵
  PID:9612
- C:\Windows\System32\AnQtlRA.exe
  C:\Windows\System32\AnQtlRA.exe
  2⤵
  PID:9640
- C:\Windows\System32\jazVrWb.exe
  C:\Windows\System32\jazVrWb.exe
  2⤵
  PID:9668
- C:\Windows\System32\xSdnrow.exe
  C:\Windows\System32\xSdnrow.exe
  2⤵
  PID:9696
- C:\Windows\System32\XowlncP.exe
  C:\Windows\System32\XowlncP.exe
  2⤵
  PID:9712
- C:\Windows\System32\ilCiMWW.exe
  C:\Windows\System32\ilCiMWW.exe
  2⤵
  PID:9728
- C:\Windows\System32\VeveuXt.exe
  C:\Windows\System32\VeveuXt.exe
  2⤵
  PID:9768
- C:\Windows\System32\SgCSfdS.exe
  C:\Windows\System32\SgCSfdS.exe
  2⤵
  PID:9784
- C:\Windows\System32\YFTpcKV.exe
  C:\Windows\System32\YFTpcKV.exe
  2⤵
  PID:9820
- C:\Windows\System32\rrDWqRJ.exe
  C:\Windows\System32\rrDWqRJ.exe
  2⤵
  PID:9856
- C:\Windows\System32\wGaOaBf.exe
  C:\Windows\System32\wGaOaBf.exe
  2⤵
  PID:9892
- C:\Windows\System32\VLZEApP.exe
  C:\Windows\System32\VLZEApP.exe
  2⤵
  PID:9920
- C:\Windows\System32\ZoAqbUf.exe
  C:\Windows\System32\ZoAqbUf.exe
  2⤵
  PID:9936
- C:\Windows\System32\VFJXtxp.exe
  C:\Windows\System32\VFJXtxp.exe
  2⤵
  PID:9960
- C:\Windows\System32\pNDFJme.exe
  C:\Windows\System32\pNDFJme.exe
  2⤵
  PID:9992
- C:\Windows\System32\mkjxnJo.exe
  C:\Windows\System32\mkjxnJo.exe
  2⤵
  PID:10024
- C:\Windows\System32\eFvRYlW.exe
  C:\Windows\System32\eFvRYlW.exe
  2⤵
  PID:10060
- C:\Windows\System32\pNoRUjJ.exe
  C:\Windows\System32\pNoRUjJ.exe
  2⤵
  PID:10088
- C:\Windows\System32\VslEkbC.exe
  C:\Windows\System32\VslEkbC.exe
  2⤵
  PID:10116
- C:\Windows\System32\gmFvMau.exe
  C:\Windows\System32\gmFvMau.exe
  2⤵
  PID:10144
- C:\Windows\System32\KpyyrLl.exe
  C:\Windows\System32\KpyyrLl.exe
  2⤵
  PID:10172
- C:\Windows\System32\JYFwlIl.exe
  C:\Windows\System32\JYFwlIl.exe
  2⤵
  PID:10200
- C:\Windows\System32\smfTkVU.exe
  C:\Windows\System32\smfTkVU.exe
  2⤵
  PID:10228
- C:\Windows\System32\RSXZOVG.exe
  C:\Windows\System32\RSXZOVG.exe
  2⤵
  PID:9240
- C:\Windows\System32\HrepZoF.exe
  C:\Windows\System32\HrepZoF.exe
  2⤵
  PID:9312
- C:\Windows\System32\WLHXjyE.exe
  C:\Windows\System32\WLHXjyE.exe
  2⤵
  PID:9384
- C:\Windows\System32\oVmnlKS.exe
  C:\Windows\System32\oVmnlKS.exe
  2⤵
  PID:9436
- C:\Windows\System32\YtLTTFn.exe
  C:\Windows\System32\YtLTTFn.exe
  2⤵
  PID:9492
- C:\Windows\System32\hJzhBzE.exe
  C:\Windows\System32\hJzhBzE.exe
  2⤵
  PID:9528
- C:\Windows\System32\cvjgOoa.exe
  C:\Windows\System32\cvjgOoa.exe
  2⤵
  PID:9604
- C:\Windows\System32\bYhNaGm.exe
  C:\Windows\System32\bYhNaGm.exe
  2⤵
  PID:9632
- C:\Windows\System32\VnxQdLb.exe
  C:\Windows\System32\VnxQdLb.exe
  2⤵
  PID:9704
- C:\Windows\System32\DdZCjEb.exe
  C:\Windows\System32\DdZCjEb.exe
  2⤵
  PID:9800
- C:\Windows\System32\ItCOuEy.exe
  C:\Windows\System32\ItCOuEy.exe
  2⤵
  PID:9928
- C:\Windows\System32\xETeBIn.exe
  C:\Windows\System32\xETeBIn.exe
  2⤵
  PID:10040
- C:\Windows\System32\ymBXyHA.exe
  C:\Windows\System32\ymBXyHA.exe
  2⤵
  PID:10084
- C:\Windows\System32\lzimhtJ.exe
  C:\Windows\System32\lzimhtJ.exe
  2⤵
  PID:10156
- C:\Windows\System32\jeSUWKg.exe
  C:\Windows\System32\jeSUWKg.exe
  2⤵
  PID:7448
- C:\Windows\System32\ZEzhaGv.exe
  C:\Windows\System32\ZEzhaGv.exe
  2⤵
  PID:9292
- C:\Windows\System32\JrTuTjo.exe
  C:\Windows\System32\JrTuTjo.exe
  2⤵
  PID:9456
- C:\Windows\System32\hoGWTmt.exe
  C:\Windows\System32\hoGWTmt.exe
  2⤵
  PID:9596
- C:\Windows\System32\nALimyh.exe
  C:\Windows\System32\nALimyh.exe
  2⤵
  PID:9736
- C:\Windows\System32\eSQOjmt.exe
  C:\Windows\System32\eSQOjmt.exe
  2⤵
  PID:9932
- C:\Windows\System32\jgqtUfp.exe
  C:\Windows\System32\jgqtUfp.exe
  2⤵
  PID:10112
- C:\Windows\System32\vuycjcR.exe
  C:\Windows\System32\vuycjcR.exe
  2⤵
  PID:9236
- C:\Windows\System32\GssUKOj.exe
  C:\Windows\System32\GssUKOj.exe
  2⤵
  PID:9572
- C:\Windows\System32\AzbRNzW.exe
  C:\Windows\System32\AzbRNzW.exe
  2⤵
  PID:10072
- C:\Windows\System32\WHZGKSO.exe
  C:\Windows\System32\WHZGKSO.exe
  2⤵
  PID:9556
- C:\Windows\System32\xmTZukY.exe
  C:\Windows\System32\xmTZukY.exe
  2⤵
  PID:7776
- C:\Windows\System32\nkBGsCu.exe
  C:\Windows\System32\nkBGsCu.exe
  2⤵
  PID:10248
- C:\Windows\System32\BcfHJPv.exe
  C:\Windows\System32\BcfHJPv.exe
  2⤵
  PID:10276
- C:\Windows\System32\QKjoSle.exe
  C:\Windows\System32\QKjoSle.exe
  2⤵
  PID:10324
- C:\Windows\System32\bEDtFfe.exe
  C:\Windows\System32\bEDtFfe.exe
  2⤵
  PID:10344
- C:\Windows\System32\XcwfUYc.exe
  C:\Windows\System32\XcwfUYc.exe
  2⤵
  PID:10376
- C:\Windows\System32\UOnZEjG.exe
  C:\Windows\System32\UOnZEjG.exe
  2⤵
  PID:10404
- C:\Windows\System32\bHCvFlR.exe
  C:\Windows\System32\bHCvFlR.exe
  2⤵
  PID:10432
- C:\Windows\System32\cWkxJtz.exe
  C:\Windows\System32\cWkxJtz.exe
  2⤵
  PID:10460
- C:\Windows\System32\ZruJLGq.exe
  C:\Windows\System32\ZruJLGq.exe
  2⤵
  PID:10488
- C:\Windows\System32\oVRCxat.exe
  C:\Windows\System32\oVRCxat.exe
  2⤵
  PID:10516
- C:\Windows\System32\tXlCvRR.exe
  C:\Windows\System32\tXlCvRR.exe
  2⤵
  PID:10544
- C:\Windows\System32\Nejqpuq.exe
  C:\Windows\System32\Nejqpuq.exe
  2⤵
  PID:10572
- C:\Windows\System32\zajOcNF.exe
  C:\Windows\System32\zajOcNF.exe
  2⤵
  PID:10604
- C:\Windows\System32\vMhcEps.exe
  C:\Windows\System32\vMhcEps.exe
  2⤵
  PID:10632
- C:\Windows\System32\InzeRbd.exe
  C:\Windows\System32\InzeRbd.exe
  2⤵
  PID:10660
- C:\Windows\System32\bMLLzTo.exe
  C:\Windows\System32\bMLLzTo.exe
  2⤵
  PID:10688
- C:\Windows\System32\NaiNrRF.exe
  C:\Windows\System32\NaiNrRF.exe
  2⤵
  PID:10720
- C:\Windows\System32\CpOJQNx.exe
  C:\Windows\System32\CpOJQNx.exe
  2⤵
  PID:10748
- C:\Windows\System32\bwPofJK.exe
  C:\Windows\System32\bwPofJK.exe
  2⤵
  PID:10776
- C:\Windows\System32\uVkcwVN.exe
  C:\Windows\System32\uVkcwVN.exe
  2⤵
  PID:10804
- C:\Windows\System32\WSkRrda.exe
  C:\Windows\System32\WSkRrda.exe
  2⤵
  PID:10832
- C:\Windows\System32\XOcKuZl.exe
  C:\Windows\System32\XOcKuZl.exe
  2⤵
  PID:10860
- C:\Windows\System32\EawBNAr.exe
  C:\Windows\System32\EawBNAr.exe
  2⤵
  PID:10888
- C:\Windows\System32\KluJdRx.exe
  C:\Windows\System32\KluJdRx.exe
  2⤵
  PID:10916
- C:\Windows\System32\mnWccSG.exe
  C:\Windows\System32\mnWccSG.exe
  2⤵
  PID:10944
- C:\Windows\System32\vAEmkgX.exe
  C:\Windows\System32\vAEmkgX.exe
  2⤵
  PID:10972
- C:\Windows\System32\AysSKXt.exe
  C:\Windows\System32\AysSKXt.exe
  2⤵
  PID:11000
- C:\Windows\System32\aMUJWEd.exe
  C:\Windows\System32\aMUJWEd.exe
  2⤵
  PID:11028
- C:\Windows\System32\BgTJoAH.exe
  C:\Windows\System32\BgTJoAH.exe
  2⤵
  PID:11056
- C:\Windows\System32\QbMjfyJ.exe
  C:\Windows\System32\QbMjfyJ.exe
  2⤵
  PID:11084
- C:\Windows\System32\rYiQpuK.exe
  C:\Windows\System32\rYiQpuK.exe
  2⤵
  PID:11112
- C:\Windows\System32\CVQHcAX.exe
  C:\Windows\System32\CVQHcAX.exe
  2⤵
  PID:11140
- C:\Windows\System32\hjemfhh.exe
  C:\Windows\System32\hjemfhh.exe
  2⤵
  PID:11168
- C:\Windows\System32\dtWVWdB.exe
  C:\Windows\System32\dtWVWdB.exe
  2⤵
  PID:11196
- C:\Windows\System32\aWLoWkm.exe
  C:\Windows\System32\aWLoWkm.exe
  2⤵
  PID:11228
- C:\Windows\System32\lrCUKsK.exe
  C:\Windows\System32\lrCUKsK.exe
  2⤵
  PID:10256
- C:\Windows\System32\YlOHVpy.exe
  C:\Windows\System32\YlOHVpy.exe
  2⤵
  PID:10296
- C:\Windows\System32\TQEoDSz.exe
  C:\Windows\System32\TQEoDSz.exe
  2⤵
  PID:10372
- C:\Windows\System32\ZNrhgzs.exe
  C:\Windows\System32\ZNrhgzs.exe
  2⤵
  PID:10428
- C:\Windows\System32\DiEAWPq.exe
  C:\Windows\System32\DiEAWPq.exe
  2⤵
  PID:10472
- C:\Windows\System32\pTGMrLY.exe
  C:\Windows\System32\pTGMrLY.exe
  2⤵
  PID:10536
- C:\Windows\System32\AQNYHWC.exe
  C:\Windows\System32\AQNYHWC.exe
  2⤵
  PID:10656
- C:\Windows\System32\CoUgzcr.exe
  C:\Windows\System32\CoUgzcr.exe
  2⤵
  PID:10764
- C:\Windows\System32\vKZQAgN.exe
  C:\Windows\System32\vKZQAgN.exe
  2⤵
  PID:10856
- C:\Windows\System32\LkYawtf.exe
  C:\Windows\System32\LkYawtf.exe
  2⤵
  PID:10928
- C:\Windows\System32\qoXQaQQ.exe
  C:\Windows\System32\qoXQaQQ.exe
  2⤵
  PID:11020
- C:\Windows\System32\HMmbbjp.exe
  C:\Windows\System32\HMmbbjp.exe
  2⤵
  PID:11096
- C:\Windows\System32\JNBRJbe.exe
  C:\Windows\System32\JNBRJbe.exe
  2⤵
  PID:11188
- C:\Windows\System32\FIRsdkR.exe
  C:\Windows\System32\FIRsdkR.exe
  2⤵
  PID:10244
- C:\Windows\System32\mphGtKB.exe
  C:\Windows\System32\mphGtKB.exe
  2⤵
  PID:10392
- C:\Windows\System32\xtcvwiY.exe
  C:\Windows\System32\xtcvwiY.exe
  2⤵
  PID:10592
- C:\Windows\System32\eyBtwQL.exe
  C:\Windows\System32\eyBtwQL.exe
  2⤵
  PID:10852
- C:\Windows\System32\ulgMhhs.exe
  C:\Windows\System32\ulgMhhs.exe
  2⤵
  PID:10988
- C:\Windows\System32\LbHyODc.exe
  C:\Windows\System32\LbHyODc.exe
  2⤵
  PID:11136
- C:\Windows\System32\KPgSAxs.exe
  C:\Windows\System32\KPgSAxs.exe
  2⤵
  PID:10336
- C:\Windows\System32\kVfKirk.exe
  C:\Windows\System32\kVfKirk.exe
  2⤵
  PID:10564
- C:\Windows\System32\IeoEnhN.exe
  C:\Windows\System32\IeoEnhN.exe
  2⤵
  PID:11280
- C:\Windows\System32\doqIiJC.exe
  C:\Windows\System32\doqIiJC.exe
  2⤵
  PID:11300
- C:\Windows\System32\BJJYrdj.exe
  C:\Windows\System32\BJJYrdj.exe
  2⤵
  PID:11320
- C:\Windows\System32\EOmhEMX.exe
  C:\Windows\System32\EOmhEMX.exe
  2⤵
  PID:11352
- C:\Windows\System32\iYrxLvI.exe
  C:\Windows\System32\iYrxLvI.exe
  2⤵
  PID:11468
- C:\Windows\System32\YuGbRhY.exe
  C:\Windows\System32\YuGbRhY.exe
  2⤵
  PID:11492
- C:\Windows\System32\LDZTZVi.exe
  C:\Windows\System32\LDZTZVi.exe
  2⤵
  PID:11540
- C:\Windows\System32\wEEdiLC.exe
  C:\Windows\System32\wEEdiLC.exe
  2⤵
  PID:11556
- C:\Windows\System32\bafCRVO.exe
  C:\Windows\System32\bafCRVO.exe
  2⤵
  PID:11584
- C:\Windows\System32\zzDwmgu.exe
  C:\Windows\System32\zzDwmgu.exe
  2⤵
  PID:11612
- C:\Windows\System32\byRpjVs.exe
  C:\Windows\System32\byRpjVs.exe
  2⤵
  PID:11652
- C:\Windows\System32\QbCHHzi.exe
  C:\Windows\System32\QbCHHzi.exe
  2⤵
  PID:11680
- C:\Windows\System32\ZQxncYy.exe
  C:\Windows\System32\ZQxncYy.exe
  2⤵
  PID:11708
- C:\Windows\System32\iXtMYLC.exe
  C:\Windows\System32\iXtMYLC.exe
  2⤵
  PID:11736
- C:\Windows\System32\dIRQTCb.exe
  C:\Windows\System32\dIRQTCb.exe
  2⤵
  PID:11764
- C:\Windows\System32\QbvnIWi.exe
  C:\Windows\System32\QbvnIWi.exe
  2⤵
  PID:11792
- C:\Windows\System32\advzCOR.exe
  C:\Windows\System32\advzCOR.exe
  2⤵
  PID:11820
- C:\Windows\System32\QMNpULy.exe
  C:\Windows\System32\QMNpULy.exe
  2⤵
  PID:11848
- C:\Windows\System32\qBSFXrp.exe
  C:\Windows\System32\qBSFXrp.exe
  2⤵
  PID:11876
- C:\Windows\System32\PHxTBQt.exe
  C:\Windows\System32\PHxTBQt.exe
  2⤵
  PID:11892
- C:\Windows\System32\LAGczEk.exe
  C:\Windows\System32\LAGczEk.exe
  2⤵
  PID:11940
- C:\Windows\System32\HYjbOJd.exe
  C:\Windows\System32\HYjbOJd.exe
  2⤵
  PID:11968
- C:\Windows\System32\rkxoozc.exe
  C:\Windows\System32\rkxoozc.exe
  2⤵
  PID:11992
- C:\Windows\System32\gHbDQeT.exe
  C:\Windows\System32\gHbDQeT.exe
  2⤵
  PID:12028
- C:\Windows\System32\mBaczau.exe
  C:\Windows\System32\mBaczau.exe
  2⤵
  PID:12056
- C:\Windows\System32\EMnqDay.exe
  C:\Windows\System32\EMnqDay.exe
  2⤵
  PID:12084
- C:\Windows\System32\IsbEcZh.exe
  C:\Windows\System32\IsbEcZh.exe
  2⤵
  PID:12112
- C:\Windows\System32\RiFzDnq.exe
  C:\Windows\System32\RiFzDnq.exe
  2⤵
  PID:12132
- C:\Windows\System32\YcJubVL.exe
  C:\Windows\System32\YcJubVL.exe
  2⤵
  PID:12152
- C:\Windows\System32\bncVvOq.exe
  C:\Windows\System32\bncVvOq.exe
  2⤵
  PID:12184
- C:\Windows\System32\fPzJBmX.exe
  C:\Windows\System32\fPzJBmX.exe
  2⤵
  PID:12204
- C:\Windows\System32\CTVQDzC.exe
  C:\Windows\System32\CTVQDzC.exe
  2⤵
  PID:12244
- C:\Windows\System32\JfObMEq.exe
  C:\Windows\System32\JfObMEq.exe
  2⤵
  PID:10420
- C:\Windows\System32\CWrQpRi.exe
  C:\Windows\System32\CWrQpRi.exe
  2⤵
  PID:11316
- C:\Windows\System32\OyFKlYc.exe
  C:\Windows\System32\OyFKlYc.exe
  2⤵
  PID:11396
- C:\Windows\System32\HkRMINl.exe
  C:\Windows\System32\HkRMINl.exe
  2⤵
  PID:11504
- C:\Windows\System32\ehLhkmP.exe
  C:\Windows\System32\ehLhkmP.exe
  2⤵
  PID:11552
- C:\Windows\System32\lndIdia.exe
  C:\Windows\System32\lndIdia.exe
  2⤵
  PID:11596
- C:\Windows\System32\BcDDOiK.exe
  C:\Windows\System32\BcDDOiK.exe
  2⤵
  PID:11668
- C:\Windows\System32\seBFQWi.exe
  C:\Windows\System32\seBFQWi.exe
  2⤵
  PID:11732
- C:\Windows\System32\ZFQcBmf.exe
  C:\Windows\System32\ZFQcBmf.exe
  2⤵
  PID:11804
- C:\Windows\System32\GOhzCYL.exe
  C:\Windows\System32\GOhzCYL.exe
  2⤵
  PID:11888
- C:\Windows\System32\SHjtNSc.exe
  C:\Windows\System32\SHjtNSc.exe
  2⤵
  PID:11988
- C:\Windows\System32\MALfDfe.exe
  C:\Windows\System32\MALfDfe.exe
  2⤵
  PID:12044
- C:\Windows\System32\BcToxlU.exe
  C:\Windows\System32\BcToxlU.exe
  2⤵
  PID:3848
- C:\Windows\System32\kMhJamj.exe
  C:\Windows\System32\kMhJamj.exe
  2⤵
  PID:12104
- C:\Windows\System32\eVFqBSN.exe
  C:\Windows\System32\eVFqBSN.exe
  2⤵
  PID:12140
- C:\Windows\System32\ZwYlMNA.exe
  C:\Windows\System32\ZwYlMNA.exe
  2⤵
  PID:12260
- C:\Windows\System32\ALqGRGu.exe
  C:\Windows\System32\ALqGRGu.exe
  2⤵
  PID:11328
- C:\Windows\System32\MrBhLUd.exe
  C:\Windows\System32\MrBhLUd.exe
  2⤵
  PID:11548
- C:\Windows\System32\vFNQrTP.exe
  C:\Windows\System32\vFNQrTP.exe
  2⤵
  PID:11692
- C:\Windows\System32\trXPCWV.exe
  C:\Windows\System32\trXPCWV.exe
  2⤵
  PID:11844
- C:\Windows\System32\IGkTuJN.exe
  C:\Windows\System32\IGkTuJN.exe
  2⤵
  PID:11928
- C:\Windows\System32\eNHBDCQ.exe
  C:\Windows\System32\eNHBDCQ.exe
  2⤵
  PID:12072
- C:\Windows\System32\qUEHTsl.exe
  C:\Windows\System32\qUEHTsl.exe
  2⤵
  PID:12160
- C:\Windows\System32\WnYGeqy.exe
  C:\Windows\System32\WnYGeqy.exe
  2⤵
  PID:11648
- C:\Windows\System32\aXFyCyX.exe
  C:\Windows\System32\aXFyCyX.exe
  2⤵
  PID:12024
- C:\Windows\System32\iNkHbGN.exe
  C:\Windows\System32\iNkHbGN.exe
  2⤵
  PID:11484
- C:\Windows\System32\rRHWDIh.exe
  C:\Windows\System32\rRHWDIh.exe
  2⤵
  PID:12196
- C:\Windows\System32\zJpoWZj.exe
  C:\Windows\System32\zJpoWZj.exe
  2⤵
  PID:12316
- C:\Windows\System32\IaVbsMa.exe
  C:\Windows\System32\IaVbsMa.exe
  2⤵
  PID:12344
- C:\Windows\System32\uvfyzUN.exe
  C:\Windows\System32\uvfyzUN.exe
  2⤵
  PID:12372
- C:\Windows\System32\rqGynBc.exe
  C:\Windows\System32\rqGynBc.exe
  2⤵
  PID:12400
- C:\Windows\System32\ZwfzWvw.exe
  C:\Windows\System32\ZwfzWvw.exe
  2⤵
  PID:12428
- C:\Windows\System32\yYWrqXx.exe
  C:\Windows\System32\yYWrqXx.exe
  2⤵
  PID:12456
- C:\Windows\System32\EiugUHD.exe
  C:\Windows\System32\EiugUHD.exe
  2⤵
  PID:12484
- C:\Windows\System32\yxCZFyr.exe
  C:\Windows\System32\yxCZFyr.exe
  2⤵
  PID:12512
- C:\Windows\System32\hWMnPqJ.exe
  C:\Windows\System32\hWMnPqJ.exe
  2⤵
  PID:12540
- C:\Windows\System32\dKBIBvv.exe
  C:\Windows\System32\dKBIBvv.exe
  2⤵
  PID:12568
- C:\Windows\System32\GLkXJms.exe
  C:\Windows\System32\GLkXJms.exe
  2⤵
  PID:12596
- C:\Windows\System32\pvvNPRA.exe
  C:\Windows\System32\pvvNPRA.exe
  2⤵
  PID:12624
- C:\Windows\System32\BwYkTtd.exe
  C:\Windows\System32\BwYkTtd.exe
  2⤵
  PID:12652
- C:\Windows\System32\XLGywXq.exe
  C:\Windows\System32\XLGywXq.exe
  2⤵
  PID:12672
- C:\Windows\System32\KNdypuv.exe
  C:\Windows\System32\KNdypuv.exe
  2⤵
  PID:12708
- C:\Windows\System32\QYjYzJk.exe
  C:\Windows\System32\QYjYzJk.exe
  2⤵
  PID:12736
- C:\Windows\System32\RKqmjlC.exe
  C:\Windows\System32\RKqmjlC.exe
  2⤵
  PID:12764
- C:\Windows\System32\hBcpcQl.exe
  C:\Windows\System32\hBcpcQl.exe
  2⤵
  PID:12784
- C:\Windows\System32\laBCXzr.exe
  C:\Windows\System32\laBCXzr.exe
  2⤵
  PID:12808
- C:\Windows\System32\kSxtfIj.exe
  C:\Windows\System32\kSxtfIj.exe
  2⤵
  PID:12836
- C:\Windows\System32\LFlDEqW.exe
  C:\Windows\System32\LFlDEqW.exe
  2⤵
  PID:12880
- C:\Windows\System32\MaqhIrX.exe
  C:\Windows\System32\MaqhIrX.exe
  2⤵
  PID:12904
- C:\Windows\System32\MWasJRK.exe
  C:\Windows\System32\MWasJRK.exe
  2⤵
  PID:12932
- C:\Windows\System32\RZOubie.exe
  C:\Windows\System32\RZOubie.exe
  2⤵
  PID:12952
- C:\Windows\System32\VUTVbIW.exe
  C:\Windows\System32\VUTVbIW.exe
  2⤵
  PID:12980
- C:\Windows\System32\lLXoTmp.exe
  C:\Windows\System32\lLXoTmp.exe
  2⤵
  PID:13008
- C:\Windows\System32\MeBHQMz.exe
  C:\Windows\System32\MeBHQMz.exe
  2⤵
  PID:13032
- C:\Windows\System32\asnKRFG.exe
  C:\Windows\System32\asnKRFG.exe
  2⤵
  PID:13052
- C:\Windows\System32\jMJmZVv.exe
  C:\Windows\System32\jMJmZVv.exe
  2⤵
  PID:13068
- C:\Windows\System32\DDeRxwR.exe
  C:\Windows\System32\DDeRxwR.exe
  2⤵
  PID:13096
- C:\Windows\System32\bGBHIda.exe
  C:\Windows\System32\bGBHIda.exe
  2⤵
  PID:13144
- C:\Windows\System32\TxLiAtN.exe
  C:\Windows\System32\TxLiAtN.exe
  2⤵
  PID:13188
- C:\Windows\System32\xLDHTvG.exe
  C:\Windows\System32\xLDHTvG.exe
  2⤵
  PID:13216
- C:\Windows\System32\NLCeGIh.exe
  C:\Windows\System32\NLCeGIh.exe
  2⤵
  PID:13244
- C:\Windows\System32\WrPabCN.exe
  C:\Windows\System32\WrPabCN.exe
  2⤵
  PID:13272
- C:\Windows\System32\iQfNLYO.exe
  C:\Windows\System32\iQfNLYO.exe
  2⤵
  PID:13300
- C:\Windows\System32\FvjtkhR.exe
  C:\Windows\System32\FvjtkhR.exe
  2⤵
  PID:12300
- C:\Windows\System32\JLSKBoh.exe
  C:\Windows\System32\JLSKBoh.exe
  2⤵
  PID:12364
- C:\Windows\System32\hIXKsDo.exe
  C:\Windows\System32\hIXKsDo.exe
  2⤵
  PID:12444
- C:\Windows\System32\aVOlYtZ.exe
  C:\Windows\System32\aVOlYtZ.exe
  2⤵
  PID:12500
- C:\Windows\System32\sjXNkEk.exe
  C:\Windows\System32\sjXNkEk.exe
  2⤵
  PID:12564
- C:\Windows\System32\WYrPwBk.exe
  C:\Windows\System32\WYrPwBk.exe
  2⤵
  PID:12636
- C:\Windows\System32\wtpMUqd.exe
  C:\Windows\System32\wtpMUqd.exe
  2⤵
  PID:12728
- C:\Windows\System32\MfWZsOR.exe
  C:\Windows\System32\MfWZsOR.exe
  2⤵
  PID:12732
- C:\Windows\System32\srhENIk.exe
  C:\Windows\System32\srhENIk.exe
  2⤵
  PID:12804

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DEFzsoc.exe

Filesize
2.2MB

MD5
1445399fca1d3f72ad0ad23f85b1fbfb

SHA1
cefbb1edf30f42226428d05584da3d0cb3daa9ff

SHA256
992a401952cf99040e9b4a46d2dea48f61b5af77d55d500829ab07772b722907

SHA512
d3345ce75cd9ee896cee4d232f27e32448b7e2cf28886927de95e26b7b15f7ff01da442a7f1d2725f7c56d6a9152e16af54cd644c5349a51a2f94062a6e91db3

Download Submit
C:\Windows\System32\FfNcSZy.exe

Filesize
2.2MB

MD5
62a3d525c73b9373c326db2b5ab25140

SHA1
d912c7bffa02262c74a51e995ef7d2762a2d4d7e

SHA256
ad0989bbc530237a4419e63e6db0dff0bc91867bb7ce1594b8b92a4c2b353479

SHA512
637f2b909aad5d3ea02570b21bf8d5f26674b916efb81d41ccbfa9fe25d96f3fab29001b5d33cb2a62495a6eb8c69770c8ac7fe063adbe0bd54e802afaf3d98b

Download Submit
C:\Windows\System32\GSPMWPP.exe

Filesize
2.2MB

MD5
4a2285a15612be14e748641aa0b96576

SHA1
658151741e167742259914ed79e37a3fed21e811

SHA256
6d7c73af3e299fd14e711da957e57d4fa18333d933a2fd47c73997b0b43c9fab

SHA512
cb27a5880b0a3da1c10edbec40b191e4313c9eb47e41c47fa1bea2f57e87fd9fd2537b497c539914bb71af49d2783fe5ad07e1317eb971e95864c4bdbc8fc286

Download Submit
C:\Windows\System32\GccncnR.exe

Filesize
2.2MB

MD5
790c7eca7b54f8ff42cf3a9306d9feaf

SHA1
84d0d21522e4be05400dfa89d156a9c1fce7ced1

SHA256
0f9aa8c7df7e61f1ac708b31f48a067a20f425bb96e661da8b916795e88b70ce

SHA512
cdd90f69a5b11e17f05d05a2f26bc95a61f1aac6a39932e7a4bfe0f76f278cf36aaa6db4dd09c9b2d5f8ba1eec349947dc65be96c0b87b864a9f9797019dcfcb

Download Submit
C:\Windows\System32\JcCTslD.exe

Filesize
2.2MB

MD5
451440e971621012fef84bdce67bf871

SHA1
d5b4d3944d0f3759f015b68cb06efd42c1605f47

SHA256
7475dd0e76066719cc7a31c7f3369da7de520c9b9e65ddf82103e90a35036482

SHA512
3ae520f4c2d2ce25d121a4f87ad5821f99c907358e124836ac9cc21844676e30379b2699d67600e53d9ebdf7d553bf78f3e93ce807c5046598ab4447fee8139b

Download Submit
C:\Windows\System32\MmrixzO.exe

Filesize
2.2MB

MD5
48c179a268d098a4bb5519616bdc2f1b

SHA1
415ab579d2cc2002c7bed6b52ce0d02983fb46f0

SHA256
cbad380e3e1e83984ebe011bfc8eec964798746f4fad7215c58da1d3954efa6d

SHA512
8ad171a537dfc6c1bb510be116ab362d111da6a867259404c132e92dcbad96f3133620b3fa1c2b17d3dfb0452c413efa8d00cc1b182bb137c510f3a8bc5c782f

Download Submit
C:\Windows\System32\OTXcvPm.exe

Filesize
2.2MB

MD5
4aac46b5f392049b6b58826479140d93

SHA1
94fe252aa6f6914d1139ef94fdb67291c3ab9c32

SHA256
ef7941c771cd4b03cb3c8fa46d829f35545051711665797b2b16214a921a8703

SHA512
5312dd16545d31f54f8efd3d9994bfed9bf5d3b793126e400601c6c695558a5123cd8acd06b4d25eb60af474cfd6fc38414da3d915c5cee75fd19e46227ed25e

Download Submit
C:\Windows\System32\PAZPYKm.exe

Filesize
2.2MB

MD5
0512963de3fc9f2fcf5587190a46ae7a

SHA1
19cc4c9a8006d77e44c52de2fdb13b9a5a398625

SHA256
6489df1785e0fa925d220e14179d9a1f904b47cdc223dc21290fb861e69798c1

SHA512
943612a122035135d9bc3cce36227957d0075a5490737d3f449ac3cfb3232204d365cd267b2f6c4a92056d1c92ae334dba0ed27547ad6c603911329eaac064d3

Download Submit
C:\Windows\System32\PENXCDD.exe

Filesize
2.2MB

MD5
8c61788da0086ba757e8910e7161c076

SHA1
fa92cffef616d38e78239ca657acce63c790b6e4

SHA256
7f030a0236f7143ea5965d0a67cd43aee0eccb489281259507e50b31d667600f

SHA512
288cc19f38233259756469908c55b76f7f390fe11aa96658588c764a9e31b7f8b861801cb4c83314eefb152ae1a303856f427bb72dd7588b63114c1d0f0edb61

Download Submit
C:\Windows\System32\QKrICDY.exe

Filesize
2.2MB

MD5
b282919d5ecf3c95e76ebf8d64abb1a3

SHA1
e3c08242cf79d2dc0af9587809b5fcb17aec1f42

SHA256
184735e94e27b262c775364c400e47992b73a6d44c3292961bd628862e68a340

SHA512
454b3e00be554a6e3751b2f140b98388b9351803745463d59a829349badcf16d0979d117c5609608ad6cb7d8a19a7b54fa289604a4d52971a8dcb7a41cdd00cb

Download Submit
C:\Windows\System32\RXMyMhi.exe

Filesize
2.2MB

MD5
584f56133a9b5382d77682532faa53aa

SHA1
8df37c71d2f93ac07b70d12061766b104008767d

SHA256
a57905b2037c678b31efe734b83be65c35d1ec68b95ed2772657a932d39d67ef

SHA512
f6447248ef4c57d613b83884740bd35c7a2acfecb9e8401dd14ce56ab9b2a3b0a71bb1955b30f4c1034bffaed6699e55209287dc12d1c141487a54746ecaa920

Download Submit
C:\Windows\System32\SNRGRmr.exe

Filesize
2.2MB

MD5
6531b267c617dc68d5c165eba90cdbde

SHA1
7a0bbbb383b07739897da4ebe486db4cc6684a2a

SHA256
67d302db6fe172b48f15acf52d5ad3e2bc6d1d0c0ccda467a5ce48ad2824911a

SHA512
895b842df095ff92ef10e6ccf9deff4abb431682dedef03798974bb3bd6e2a7ed2fc3ff92a78a536de45eae0da5965dd36f331405bfb7aeb1b19ca583d55bd1a

Download Submit
C:\Windows\System32\VTbREdp.exe

Filesize
2.2MB

MD5
3916dd2b3789d5a841ac7ed2f7047e34

SHA1
cd55bc92861c18791cc45d822a93c71588aba056

SHA256
8a7e7c1f30c82023f52f73ab9b1ca71e14a45f33ca2b080d150ed54f0d58c2a0

SHA512
668f9fb99e004ccf96f6c0ba54dd2bc8aa649b7c3f1d0573b2c2a70615dae909da4815cab755c1a078ffd66575b9f93effa52dc8eddaf6e928e42c2864e2734a

Download Submit
C:\Windows\System32\WuyZTAz.exe

Filesize
2.2MB

MD5
3e253d543919cd34e1fd82decc85b907

SHA1
4fd7cb6cf5fc496b42c644cf9eb1b607a6bd5ba3

SHA256
4cf1e96986317d184d1aa9c839d41f66f4ff502bf507e64898c25591efaf4100

SHA512
9abc01ce48ffc703a3a85d53fdc41f325defeb3a4ebe5c8b0d4533527ad88a922226c46b2aab03db81743a5fa66571da4f2d4efed4d9f63a199faa3edffe9fc9

Download Submit
C:\Windows\System32\dNpXlkZ.exe

Filesize
2.2MB

MD5
0644a2f3606752e89af6471a13d1b0aa

SHA1
53da43c511d106a793c4ac52bd9c0a1f67af1b5d

SHA256
3ab50e63916d454be2f1cae85aadaad8792025e7e184c4290f9c07f79fecb68e

SHA512
910034cff5f495a4d032d3441492fe8493af93ef6a48ed583ebf14ae24cd260ff15faf2500d7094414ae9e4ff2bca1acc2ca6038dd152fbf06f13c960ad36074

Download Submit
C:\Windows\System32\denxwOm.exe

Filesize
2.2MB

MD5
82374863bd2c3553153e6afacf0c0f03

SHA1
c1e096aeb9d154cd87cb5e2e207e1505fdc3ffd1

SHA256
e7bea5bd93f5cc876937f78515ec26bca0130d242b97042c2989630db6478168

SHA512
9e675f94df8494de2637989488b838af84b395cb3cafdf7951e1aff624cc332f8724777226478809250c315db34fde5af1eeb4fdebf5033b1cffd8774b00ba4b

Download Submit
C:\Windows\System32\dmIjneQ.exe

Filesize
2.2MB

MD5
2baceca01b7473a4c4987e4517d88f13

SHA1
e76644ac8a4645d67d45ee4bff2fabc17b4af864

SHA256
7a719a38fd5f1f8d50a40b8c1060c381c1ca5cf9cbd9d48204a6164b914b8a5e

SHA512
f385e060277bcf8902374ac3a922e02b528506f313fbb9dead3fc1c55d84390533fb75968e083a3de5c0de6ee97479057cb7ba36f64f944f2c6c393725a35a47

Download Submit
C:\Windows\System32\eFQBJau.exe

Filesize
2.2MB

MD5
114b420b03725139b63b82ef3543a556

SHA1
3db6242f42c2ddc39ba537d1f4723f542a4946d8

SHA256
469ef6db9fcbaf1866e6865ce761d132fc8e19834ef00f96414d780974ebad7c

SHA512
223e6fe53276ec04cb0f0824e9f672c4dcc9f32f85a2f7a3d29749ed5cd5d65180f9e32044f4dffc5733152b50107a5afcddefb05722e0cdf0c493872f7e11b7

Download Submit
C:\Windows\System32\gQcoWRm.exe

Filesize
2.2MB

MD5
4d9c697df55cf437ae13cb1957a5a794

SHA1
7cfd818cc34449c0921b0ebbc56142e3e13533c9

SHA256
d3fc111add7b9375224048d850987b28f9634afdd42518fb1aee99d4a4e2cb8f

SHA512
359c04ab4c85974ee2e5235e3d4618dd5054ed1bd9253456973d07235f6fa4a334310261323bba951b98bd7288a2125269faed799ce37fe5eba07115c68b0f19

Download Submit
C:\Windows\System32\gjUwznF.exe

Filesize
2.2MB

MD5
bd10d1a5ec4998acf4ef37b22b44b52c

SHA1
bc6e6a2902c934a9799f3fdf22b23c464f255024

SHA256
704278aaa7fcc222d565f7c07eb19c83d4ef0a629038539d8dfe9bed233e8d2e

SHA512
5d33be2eea64055a88e1582a02a6e918d7d3c5eb3b482c3a036b5cdb559b3abc67d603ca2655bc258852a25e3ac0ee9cecebe8325cec0dcf4b2c3ae989c506e2

Download Submit
C:\Windows\System32\idEnBdZ.exe

Filesize
2.2MB

MD5
fd0bde9c570ff775795e8e8b7f12ce40

SHA1
7face49b5f043709b6806e315374667935ea84d2

SHA256
7d845178491d913d444538989ee926ee02584da0f076c1e3a25e70e4bef7da23

SHA512
82a1b973c3a45a0bc34763f4bf5be16c7f624ebbc9380e541e8c1262b8a621e3643c66e2a485babef796d21fca903ba0893c3336f3c7916bfb8389648c074614

Download Submit
C:\Windows\System32\kTirxOH.exe

Filesize
2.2MB

MD5
53df9417bec24af54c8a912955845ebe

SHA1
076383797b179c8353dec2a097a8b3375c8d6476

SHA256
4eb270dd37c64078e01bff476c2c33342413aeb87a6ecca10e63cbfe15f0b788

SHA512
e6d20d3d5d73c6721232d2aec92861fb0b0b5ba2c361752d4749ea3d04abb2d75ea87be1522d08bfd28322b2e7bb633ca5370e4ef5c27535227b569b71c9de42

Download Submit
C:\Windows\System32\kaoVmev.exe

Filesize
2.2MB

MD5
5b02799f149bb4c8aecda0c4585b9aa3

SHA1
270a1ec2bd4aed3be208d89fb6b22bb9c3a41f50

SHA256
40ff4b58f42f2f85dfdb5c3d9655e21486f6db592489021369ad301ae00154bd

SHA512
5bebf595235c23c3ab847ea81a4b76c0dedcdcfb363775294c7bbf95a1f60885c0f923b8ae034b7fc8a78c71da23f28b31c5793b383217d3e7d4b07dcd9a6164

Download Submit
C:\Windows\System32\lJlBOck.exe

Filesize
2.2MB

MD5
834213132b56b77a298e40c937db8933

SHA1
95820c89ac50b0663bdb80d1adc6bd6f6e01a273

SHA256
481233f22bdcc5d33db963b4d05273a1e96afdcbe9987264b43e21cbcc628a83

SHA512
4dae64b6075d0975ac157c90ae7c6e14d3454d1925e96c90843bafcf4d5e8358e4ce3ee9802b1ceca4ef215235c43e67854ed447258e68598a2dd5c8026ef213

Download Submit
C:\Windows\System32\njgnQid.exe

Filesize
2.2MB

MD5
710f9e545fca8b5c46c73c0312d70f8e

SHA1
383e32f543be79c93d9e61af9a0f9a310c3286b3

SHA256
65d4d85b6d7533ffd28d83bf8d2ff8a509225697e17ff1e1bc60ba12d9189cb5

SHA512
e3ba9b2a5f4d7444475ed85777f46ab9656365212951383974318809a773aa9de61bfa1d1fde64d24a199b43676b74105ebed51745fa18f37afe9deb4333bb36

Download Submit
C:\Windows\System32\ryfzcYE.exe

Filesize
2.2MB

MD5
e4da4149360ecb1d347f741c6aa11bd0

SHA1
fd708b653b5bb3998c071130b63d669e34ceb561

SHA256
e7f3e0409e64f38d2d94c06a90fa20ae5f644dc623f2859dca4cd913e06ba94c

SHA512
0083b5a1a04c130a72fd057bd458cb8dac394b81d8b2d7d9866b7c553daf9822ed2b371cccf1df227f00999c4437e66363d8bbc26441f4282542cce1dd72ca35

Download Submit
C:\Windows\System32\sBQrHdZ.exe

Filesize
2.2MB

MD5
37e27e68477a5ecacbd6acc8767a15c0

SHA1
926a8e2907cfea3e2f29189cabb25158df422a2f

SHA256
99038d8141075781b2b02f3543103eafa222f287f047f9c6886dcc950a1ce94b

SHA512
c982110c946d06c5998b08e764ab1463d66ab080a41e04dfd1f0bbdac7ff605d37429c20d13dbddc08bff02e4e48e24ecc4d8835ae4e542d6a59f480b41191a8

Download Submit
C:\Windows\System32\sjPmbBw.exe

Filesize
2.2MB

MD5
1827d90f7d92aa52b0674f7c78eddf2c

SHA1
66040862684631dced881ee61b2bf31b5d6ce368

SHA256
7a9153a314022daa1cd6ad6dcb1a0658eedec5fffdfb46d9ced583ed541799ef

SHA512
65ba16b290219d46c3435902214d5411863ba76705fec9c42fc8b20ffabcc199f8d6b8ff39a20fe85e8ebc5fcf6080321e4aa5670e4191b2dd46a42a30acfaa5

Download Submit
C:\Windows\System32\uOOYCqL.exe

Filesize
2.2MB

MD5
a76197f4f96d3e67e64a216c6c73549f

SHA1
fafac4e55d70535d26a8109f8a451d8063da9dff

SHA256
abb2c74fe53d8023baa3a6bc9220b0cfa029b57239b4fdae59db845f37014bf4

SHA512
8e315617fd38763c7564db85a463fd6c9ee8bee9674cb692b72c8aea580eb76a3036bc5f4dfa70bdf548153743a701e9a6e1e3710ddb502f3247ab0b9b2a090c

Download Submit
C:\Windows\System32\wPiyFIy.exe

Filesize
2.2MB

MD5
d377139740d6d20addea06317b805357

SHA1
add4ae4a88073c24baea97122603d4b042406c1c

SHA256
9c03527503a4fb57120bea128b8cbd4b5a3af2ef7bcac22e7b55352f00dc6b0f

SHA512
3764b53fd2e3ae30c75d5014904cf1f3adc35f69b0417997907b07b0537efbfe59b1cd7cb42ecb48d5bff9aa0de786da8f0f4941fb20b87fd8855f20f7ded9b2

Download Submit
C:\Windows\System32\yOgmAZl.exe

Filesize
2.2MB

MD5
3ff8326b821c335ef6623ebb5777ca31

SHA1
c6622de272fadd95f916db3a14ad4026813630ab

SHA256
5c60f91dde36d4f77f805de46114a3dbb99822d6c49eb17d0ffd56aab5a0e699

SHA512
49694ba2e14ee7017e5085fe453cee02ac6762666ea0007c48dceafea75ceb66f09e469d8cdd148fcc5153e79cc38dec3320b1b0c366f64846e8cd1e9d2a9f10

Download Submit
C:\Windows\System32\zvQqHar.exe

Filesize
2.2MB

MD5
7fe6030ccb07bed1212bd32e8ca17b49

SHA1
2f8a55450486e191dbc628c52b44d12a0cd40613

SHA256
15c5c06e293709a829845b9bb7056d1571c213489d861514cab79948a783ee19

SHA512
b206fec6b47c2bb44087f7873b308494cd3f8b95d8276747cf4f1a81afcb564582c97c11e8b8249d34669295362aa6b5f409e3d1340da9716ef78d8aba662593

Download Submit
memory/452-722-0x00007FF683320000-0x00007FF683715000-memory.dmp

Filesize
4.0MB

Download
memory/452-1909-0x00007FF683320000-0x00007FF683715000-memory.dmp

Filesize
4.0MB

Download
memory/876-699-0x00007FF69A790000-0x00007FF69AB85000-memory.dmp

Filesize
4.0MB

Download
memory/876-1901-0x00007FF69A790000-0x00007FF69AB85000-memory.dmp

Filesize
4.0MB

Download
memory/1420-1904-0x00007FF6E4C40000-0x00007FF6E5035000-memory.dmp

Filesize
4.0MB

Download
memory/1420-700-0x00007FF6E4C40000-0x00007FF6E5035000-memory.dmp

Filesize
4.0MB

Download
memory/1864-704-0x00007FF6B9180000-0x00007FF6B9575000-memory.dmp

Filesize
4.0MB

Download
memory/1864-1905-0x00007FF6B9180000-0x00007FF6B9575000-memory.dmp

Filesize
4.0MB

Download
memory/2020-1897-0x00007FF783F70000-0x00007FF784365000-memory.dmp

Filesize
4.0MB

Download
memory/2020-695-0x00007FF783F70000-0x00007FF784365000-memory.dmp

Filesize
4.0MB

Download
memory/2316-11-0x00007FF7FE070000-0x00007FF7FE465000-memory.dmp

Filesize
4.0MB

Download
memory/2316-1752-0x00007FF7FE070000-0x00007FF7FE465000-memory.dmp

Filesize
4.0MB

Download
memory/2316-1892-0x00007FF7FE070000-0x00007FF7FE465000-memory.dmp

Filesize
4.0MB

Download
memory/2352-1891-0x00007FF65B1E0000-0x00007FF65B5D5000-memory.dmp

Filesize
4.0MB

Download
memory/2352-1488-0x00007FF65B1E0000-0x00007FF65B5D5000-memory.dmp

Filesize
4.0MB

Download
memory/2352-10-0x00007FF65B1E0000-0x00007FF65B5D5000-memory.dmp

Filesize
4.0MB

Download
memory/2412-1910-0x00007FF752E80000-0x00007FF753275000-memory.dmp

Filesize
4.0MB

Download
memory/2412-710-0x00007FF752E80000-0x00007FF753275000-memory.dmp

Filesize
4.0MB

Download
memory/2616-693-0x00007FF72DAF0000-0x00007FF72DEE5000-memory.dmp

Filesize
4.0MB

Download
memory/2616-1893-0x00007FF72DAF0000-0x00007FF72DEE5000-memory.dmp

Filesize
4.0MB

Download
memory/2764-1900-0x00007FF672100000-0x00007FF6724F5000-memory.dmp

Filesize
4.0MB

Download
memory/2764-701-0x00007FF672100000-0x00007FF6724F5000-memory.dmp

Filesize
4.0MB

Download
memory/2960-1898-0x00007FF73DFB0000-0x00007FF73E3A5000-memory.dmp

Filesize
4.0MB

Download
memory/2960-697-0x00007FF73DFB0000-0x00007FF73E3A5000-memory.dmp

Filesize
4.0MB

Download
memory/3216-1908-0x00007FF6E71F0000-0x00007FF6E75E5000-memory.dmp

Filesize
4.0MB

Download
memory/3216-727-0x00007FF6E71F0000-0x00007FF6E75E5000-memory.dmp

Filesize
4.0MB

Download
memory/3264-696-0x00007FF6A1470000-0x00007FF6A1865000-memory.dmp

Filesize
4.0MB

Download
memory/3264-1896-0x00007FF6A1470000-0x00007FF6A1865000-memory.dmp

Filesize
4.0MB

Download
memory/3280-1899-0x00007FF74CB70000-0x00007FF74CF65000-memory.dmp

Filesize
4.0MB

Download
memory/3280-698-0x00007FF74CB70000-0x00007FF74CF65000-memory.dmp

Filesize
4.0MB

Download
memory/3368-1913-0x00007FF61A1C0000-0x00007FF61A5B5000-memory.dmp

Filesize
4.0MB

Download
memory/3368-751-0x00007FF61A1C0000-0x00007FF61A5B5000-memory.dmp

Filesize
4.0MB

Download
memory/3500-713-0x00007FF7F4610000-0x00007FF7F4A05000-memory.dmp

Filesize
4.0MB

Download
memory/3500-1902-0x00007FF7F4610000-0x00007FF7F4A05000-memory.dmp

Filesize
4.0MB

Download
memory/3516-0-0x00007FF6A9890000-0x00007FF6A9C85000-memory.dmp

Filesize
4.0MB

Download
memory/3516-1483-0x00007FF6A9890000-0x00007FF6A9C85000-memory.dmp

Filesize
4.0MB

Download
memory/3516-1-0x0000027DDFF20000-0x0000027DDFF30000-memory.dmp

Filesize
64KB

Download
memory/3516-1890-0x00007FF6A9890000-0x00007FF6A9C85000-memory.dmp

Filesize
4.0MB

Download
memory/4328-1906-0x00007FF73F660000-0x00007FF73FA55000-memory.dmp

Filesize
4.0MB

Download
memory/4328-739-0x00007FF73F660000-0x00007FF73FA55000-memory.dmp

Filesize
4.0MB

Download
memory/4512-1912-0x00007FF648AB0000-0x00007FF648EA5000-memory.dmp

Filesize
4.0MB

Download
memory/4512-752-0x00007FF648AB0000-0x00007FF648EA5000-memory.dmp

Filesize
4.0MB

Download
memory/4788-703-0x00007FF6A30E0000-0x00007FF6A34D5000-memory.dmp

Filesize
4.0MB

Download
memory/4788-1911-0x00007FF6A30E0000-0x00007FF6A34D5000-memory.dmp

Filesize
4.0MB

Download
memory/4808-732-0x00007FF75E990000-0x00007FF75ED85000-memory.dmp

Filesize
4.0MB

Download
memory/4808-1907-0x00007FF75E990000-0x00007FF75ED85000-memory.dmp

Filesize
4.0MB

Download
memory/4836-694-0x00007FF6C68F0000-0x00007FF6C6CE5000-memory.dmp

Filesize
4.0MB

Download
memory/4836-1895-0x00007FF6C68F0000-0x00007FF6C6CE5000-memory.dmp

Filesize
4.0MB

Download
memory/4876-1903-0x00007FF663B40000-0x00007FF663F35000-memory.dmp

Filesize
4.0MB

Download
memory/4876-702-0x00007FF663B40000-0x00007FF663F35000-memory.dmp

Filesize
4.0MB

Download
memory/4956-745-0x00007FF67EBD0000-0x00007FF67EFC5000-memory.dmp

Filesize
4.0MB

Download
memory/4956-1914-0x00007FF67EBD0000-0x00007FF67EFC5000-memory.dmp

Filesize
4.0MB

Download
memory/5096-760-0x00007FF753CC0000-0x00007FF7540B5000-memory.dmp

Filesize
4.0MB

Download
memory/5096-1894-0x00007FF753CC0000-0x00007FF7540B5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads