xmrig | b023f9aff6302a553dc6ddd0f35ce577f869f2626a47c223b6a02b6fab0f5f7e

Analysis

max time kernel
103s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
Size

2.2MB
MD5

514c0ae271732d09ca5b02e2c2282021
SHA1

f3fd4a8f4965345d8d48291dbd657eea64b24f7e
SHA256

b023f9aff6302a553dc6ddd0f35ce577f869f2626a47c223b6a02b6fab0f5f7e
SHA512

a4d3649d314c5a629ab30f85e2db393037e0f432124f60ca8fad0d7cfd924d770ff0a4b17324aacc7c4ee0ca9685181d6b72f49035df9e177afa9ccb26447282
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8Dzcd+e2:w0GnJMOWPClFdx6e0EALKWVTffZiPAcL

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2140-0-0x00007FF714570000-0x00007FF714965000-memory.dmp	xmrig
behavioral1/files/0x000a00000002334d-4.dat	xmrig
behavioral1/memory/3516-10-0x00007FF6A1900000-0x00007FF6A1CF5000-memory.dmp	xmrig
behavioral1/files/0x000800000002423d-12.dat	xmrig
behavioral1/files/0x0007000000024242-25.dat	xmrig
behavioral1/files/0x0007000000024245-38.dat	xmrig
behavioral1/files/0x0007000000024244-42.dat	xmrig
behavioral1/files/0x0007000000024247-47.dat	xmrig
behavioral1/files/0x0007000000024249-60.dat	xmrig
behavioral1/files/0x000700000002424b-67.dat	xmrig
behavioral1/files/0x000700000002424d-80.dat	xmrig
behavioral1/files/0x0007000000024258-135.dat	xmrig
behavioral1/files/0x000700000002425b-150.dat	xmrig
behavioral1/memory/5316-584-0x00007FF66CF20000-0x00007FF66D315000-memory.dmp	xmrig
behavioral1/memory/4460-612-0x00007FF7AAEF0000-0x00007FF7AB2E5000-memory.dmp	xmrig
behavioral1/memory/4668-633-0x00007FF61FD90000-0x00007FF620185000-memory.dmp	xmrig
behavioral1/memory/4788-635-0x00007FF709650000-0x00007FF709A45000-memory.dmp	xmrig
behavioral1/memory/3416-637-0x00007FF7D13E0000-0x00007FF7D17D5000-memory.dmp	xmrig
behavioral1/memory/4212-638-0x00007FF7C9C90000-0x00007FF7CA085000-memory.dmp	xmrig
behavioral1/memory/4816-636-0x00007FF65CBE0000-0x00007FF65CFD5000-memory.dmp	xmrig
behavioral1/memory/3936-640-0x00007FF7C0290000-0x00007FF7C0685000-memory.dmp	xmrig
behavioral1/memory/2040-641-0x00007FF7DD740000-0x00007FF7DDB35000-memory.dmp	xmrig
behavioral1/memory/2436-643-0x00007FF6136E0000-0x00007FF613AD5000-memory.dmp	xmrig
behavioral1/memory/4136-642-0x00007FF630CF0000-0x00007FF6310E5000-memory.dmp	xmrig
behavioral1/memory/2140-1731-0x00007FF714570000-0x00007FF714965000-memory.dmp	xmrig
behavioral1/memory/3516-1851-0x00007FF6A1900000-0x00007FF6A1CF5000-memory.dmp	xmrig
behavioral1/memory/5316-1853-0x00007FF66CF20000-0x00007FF66D315000-memory.dmp	xmrig
behavioral1/memory/4072-1852-0x00007FF6B7D40000-0x00007FF6B8135000-memory.dmp	xmrig
behavioral1/memory/4400-659-0x00007FF64E660000-0x00007FF64EA55000-memory.dmp	xmrig
behavioral1/memory/3388-644-0x00007FF732190000-0x00007FF732585000-memory.dmp	xmrig
behavioral1/memory/2396-639-0x00007FF7A4070000-0x00007FF7A4465000-memory.dmp	xmrig
behavioral1/memory/4632-625-0x00007FF77E880000-0x00007FF77EC75000-memory.dmp	xmrig
behavioral1/memory/1496-615-0x00007FF6FD440000-0x00007FF6FD835000-memory.dmp	xmrig
behavioral1/memory/2312-604-0x00007FF6FA1F0000-0x00007FF6FA5E5000-memory.dmp	xmrig
behavioral1/memory/4708-599-0x00007FF67C720000-0x00007FF67CB15000-memory.dmp	xmrig
behavioral1/memory/4368-590-0x00007FF69FE20000-0x00007FF6A0215000-memory.dmp	xmrig
behavioral1/memory/4432-592-0x00007FF723D70000-0x00007FF724165000-memory.dmp	xmrig
behavioral1/files/0x000700000002425e-165.dat	xmrig
behavioral1/files/0x000700000002425d-160.dat	xmrig
behavioral1/files/0x000700000002425c-155.dat	xmrig
behavioral1/files/0x000700000002425a-145.dat	xmrig
behavioral1/files/0x0007000000024259-140.dat	xmrig
behavioral1/files/0x0007000000024257-130.dat	xmrig
behavioral1/files/0x0007000000024256-125.dat	xmrig
behavioral1/files/0x0007000000024255-120.dat	xmrig
behavioral1/files/0x0007000000024254-115.dat	xmrig
behavioral1/files/0x0007000000024253-110.dat	xmrig
behavioral1/files/0x0007000000024252-105.dat	xmrig
behavioral1/files/0x0007000000024251-100.dat	xmrig
behavioral1/files/0x0007000000024250-95.dat	xmrig
behavioral1/files/0x000700000002424f-90.dat	xmrig
behavioral1/files/0x000700000002424e-85.dat	xmrig
behavioral1/files/0x000700000002424c-75.dat	xmrig
behavioral1/files/0x000700000002424a-65.dat	xmrig
behavioral1/files/0x0007000000024248-57.dat	xmrig
behavioral1/files/0x0007000000024246-41.dat	xmrig
behavioral1/memory/5844-39-0x00007FF6C04F0000-0x00007FF6C08E5000-memory.dmp	xmrig
behavioral1/memory/5488-35-0x00007FF6DAD40000-0x00007FF6DB135000-memory.dmp	xmrig
behavioral1/memory/4072-30-0x00007FF6B7D40000-0x00007FF6B8135000-memory.dmp	xmrig
behavioral1/files/0x0007000000024243-23.dat	xmrig
behavioral1/files/0x0007000000024241-20.dat	xmrig
behavioral1/memory/2140-1854-0x00007FF714570000-0x00007FF714965000-memory.dmp	xmrig
behavioral1/memory/3516-1855-0x00007FF6A1900000-0x00007FF6A1CF5000-memory.dmp	xmrig
behavioral1/memory/5488-1856-0x00007FF6DAD40000-0x00007FF6DB135000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3516	qISkxzv.exe
4072	jUjNHqT.exe
5488	BqmLXoW.exe
2436	VEzOWFj.exe
5844	juPinJQ.exe
3388	xdJdeHV.exe
5316	jXxuKvq.exe
4400	obXDCyo.exe
4368	UWWFmyQ.exe
4432	sAZPOOe.exe
4708	QhtbnKw.exe
2312	zzQtIjr.exe
4460	lrSxQjl.exe
1496	DKlgTqB.exe
4632	Ecbihib.exe
4668	OOuHnLa.exe
4788	nMEMgZL.exe
4816	JHtaqjF.exe
3416	ItvaCfw.exe
4212	CesFhEi.exe
2396	QWkDjdT.exe
3936	fljfgec.exe
2040	jWizjhW.exe
4136	nGpzsze.exe
4372	mjGJeYb.exe
2856	fPvQMbQ.exe
988	mHwTTiT.exe
1464	JiCHmRd.exe
1428	YpSlHTm.exe
4016	plojBjI.exe
4020	foJSeoP.exe
2100	oonTPFA.exe
4060	YkQEIfX.exe
3764	tuUYQSR.exe
2760	JiDdObU.exe
3804	HhxjVKp.exe
5664	VtvsMzm.exe
4920	MrkoAwy.exe
4776	MUPFUxa.exe
5256	nkiwiZn.exe
2764	hRylJOz.exe
3876	emdxmer.exe
5848	SRmqPRa.exe
3584	jKvYiBR.exe
3880	EUcAZeZ.exe
2740	ZAQJgAU.exe
2292	utgkpPj.exe
1208	XolFFvN.exe
2236	lvuzRfl.exe
5248	tLwrvxN.exe
3552	bcTmhpF.exe
5624	OBFizdY.exe
3312	vBCcGrO.exe
4948	flYVMIn.exe
4688	QEfYTzA.exe
3680	YUudjkS.exe
2912	GcvNRjz.exe
1912	mYgpOGh.exe
1856	gmandYk.exe
3624	YHnRUGT.exe
6008	hoHOzYD.exe
4980	JEbGBtP.exe
3456	qTaTcSR.exe
4924	jVcNAkM.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ZcBcdXu.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\rAfmAbO.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\bDpMBNR.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\LFNCuqg.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\oZUOSAZ.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\lrSxQjl.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\edrMEkl.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\mliZQiD.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\nktEJZg.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\DoxHKKW.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\fWogotb.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\KRxYonu.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\zzQtIjr.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\ZAQJgAU.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\LrKUWGy.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\PIvGvTV.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\klykHgB.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\qTaTcSR.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\SltjSon.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\YuInLGt.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\gbyyzoq.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\HTKPDZD.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\tqQbXao.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\fKZTmGQ.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\nZVvcEs.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\tuUYQSR.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\tLwrvxN.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\RGhjWSa.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\BOVdFKN.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\XnbqNjM.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\rGyswts.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\aqAueYL.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\rIherew.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\QWkDjdT.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\cKfevzW.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\YUXkblF.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\UHbqtAg.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\OrZTGhe.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\hfmLClG.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\miWBWgd.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\BUKdDJp.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\QYaSWOX.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\msiSnAd.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\fUQsQeW.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\pUcEMur.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\PWGJuJB.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\iVKbrXJ.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\rkRoITw.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\plojBjI.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\hoPQfLF.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\umdWcpv.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\dzCrpAE.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\PfDEuik.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\LCHKhwL.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\sPbxOco.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\fumLqAa.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\NnMoOGi.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\mPmABNj.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\zRJprKD.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\HMDtMdc.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\YUudjkS.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\NEkdQWs.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\XINkUfK.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
File created	C:\Windows\System32\XkbDymu.exe	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2140-0-0x00007FF714570000-0x00007FF714965000-memory.dmp	upx
behavioral1/files/0x000a00000002334d-4.dat	upx
behavioral1/memory/3516-10-0x00007FF6A1900000-0x00007FF6A1CF5000-memory.dmp	upx
behavioral1/files/0x000800000002423d-12.dat	upx
behavioral1/files/0x0007000000024242-25.dat	upx
behavioral1/files/0x0007000000024245-38.dat	upx
behavioral1/files/0x0007000000024244-42.dat	upx
behavioral1/files/0x0007000000024247-47.dat	upx
behavioral1/files/0x0007000000024249-60.dat	upx
behavioral1/files/0x000700000002424b-67.dat	upx
behavioral1/files/0x000700000002424d-80.dat	upx
behavioral1/files/0x0007000000024258-135.dat	upx
behavioral1/files/0x000700000002425b-150.dat	upx
behavioral1/memory/5316-584-0x00007FF66CF20000-0x00007FF66D315000-memory.dmp	upx
behavioral1/memory/4460-612-0x00007FF7AAEF0000-0x00007FF7AB2E5000-memory.dmp	upx
behavioral1/memory/4668-633-0x00007FF61FD90000-0x00007FF620185000-memory.dmp	upx
behavioral1/memory/4788-635-0x00007FF709650000-0x00007FF709A45000-memory.dmp	upx
behavioral1/memory/3416-637-0x00007FF7D13E0000-0x00007FF7D17D5000-memory.dmp	upx
behavioral1/memory/4212-638-0x00007FF7C9C90000-0x00007FF7CA085000-memory.dmp	upx
behavioral1/memory/4816-636-0x00007FF65CBE0000-0x00007FF65CFD5000-memory.dmp	upx
behavioral1/memory/3936-640-0x00007FF7C0290000-0x00007FF7C0685000-memory.dmp	upx
behavioral1/memory/2040-641-0x00007FF7DD740000-0x00007FF7DDB35000-memory.dmp	upx
behavioral1/memory/2436-643-0x00007FF6136E0000-0x00007FF613AD5000-memory.dmp	upx
behavioral1/memory/4136-642-0x00007FF630CF0000-0x00007FF6310E5000-memory.dmp	upx
behavioral1/memory/2140-1731-0x00007FF714570000-0x00007FF714965000-memory.dmp	upx
behavioral1/memory/3516-1851-0x00007FF6A1900000-0x00007FF6A1CF5000-memory.dmp	upx
behavioral1/memory/5316-1853-0x00007FF66CF20000-0x00007FF66D315000-memory.dmp	upx
behavioral1/memory/4072-1852-0x00007FF6B7D40000-0x00007FF6B8135000-memory.dmp	upx
behavioral1/memory/4400-659-0x00007FF64E660000-0x00007FF64EA55000-memory.dmp	upx
behavioral1/memory/3388-644-0x00007FF732190000-0x00007FF732585000-memory.dmp	upx
behavioral1/memory/2396-639-0x00007FF7A4070000-0x00007FF7A4465000-memory.dmp	upx
behavioral1/memory/4632-625-0x00007FF77E880000-0x00007FF77EC75000-memory.dmp	upx
behavioral1/memory/1496-615-0x00007FF6FD440000-0x00007FF6FD835000-memory.dmp	upx
behavioral1/memory/2312-604-0x00007FF6FA1F0000-0x00007FF6FA5E5000-memory.dmp	upx
behavioral1/memory/4708-599-0x00007FF67C720000-0x00007FF67CB15000-memory.dmp	upx
behavioral1/memory/4368-590-0x00007FF69FE20000-0x00007FF6A0215000-memory.dmp	upx
behavioral1/memory/4432-592-0x00007FF723D70000-0x00007FF724165000-memory.dmp	upx
behavioral1/files/0x000700000002425e-165.dat	upx
behavioral1/files/0x000700000002425d-160.dat	upx
behavioral1/files/0x000700000002425c-155.dat	upx
behavioral1/files/0x000700000002425a-145.dat	upx
behavioral1/files/0x0007000000024259-140.dat	upx
behavioral1/files/0x0007000000024257-130.dat	upx
behavioral1/files/0x0007000000024256-125.dat	upx
behavioral1/files/0x0007000000024255-120.dat	upx
behavioral1/files/0x0007000000024254-115.dat	upx
behavioral1/files/0x0007000000024253-110.dat	upx
behavioral1/files/0x0007000000024252-105.dat	upx
behavioral1/files/0x0007000000024251-100.dat	upx
behavioral1/files/0x0007000000024250-95.dat	upx
behavioral1/files/0x000700000002424f-90.dat	upx
behavioral1/files/0x000700000002424e-85.dat	upx
behavioral1/files/0x000700000002424c-75.dat	upx
behavioral1/files/0x000700000002424a-65.dat	upx
behavioral1/files/0x0007000000024248-57.dat	upx
behavioral1/files/0x0007000000024246-41.dat	upx
behavioral1/memory/5844-39-0x00007FF6C04F0000-0x00007FF6C08E5000-memory.dmp	upx
behavioral1/memory/5488-35-0x00007FF6DAD40000-0x00007FF6DB135000-memory.dmp	upx
behavioral1/memory/4072-30-0x00007FF6B7D40000-0x00007FF6B8135000-memory.dmp	upx
behavioral1/files/0x0007000000024243-23.dat	upx
behavioral1/files/0x0007000000024241-20.dat	upx
behavioral1/memory/2140-1854-0x00007FF714570000-0x00007FF714965000-memory.dmp	upx
behavioral1/memory/3516-1855-0x00007FF6A1900000-0x00007FF6A1CF5000-memory.dmp	upx
behavioral1/memory/5488-1856-0x00007FF6DAD40000-0x00007FF6DB135000-memory.dmp	upx

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12944	dwm.exe
Token: SeChangeNotifyPrivilege	12944	dwm.exe
Token: 33	12944	dwm.exe
Token: SeIncBasePriorityPrivilege	12944	dwm.exe
Token: SeShutdownPrivilege	12944	dwm.exe
Token: SeCreatePagefilePrivilege	12944	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3516	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	87
PID 2140 wrote to memory of 3516	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	87
PID 2140 wrote to memory of 4072	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	88
PID 2140 wrote to memory of 4072	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	88
PID 2140 wrote to memory of 5488	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	89
PID 2140 wrote to memory of 5488	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	89
PID 2140 wrote to memory of 2436	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	90
PID 2140 wrote to memory of 2436	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	90
PID 2140 wrote to memory of 5844	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	91
PID 2140 wrote to memory of 5844	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	91
PID 2140 wrote to memory of 3388	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	92
PID 2140 wrote to memory of 3388	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	92
PID 2140 wrote to memory of 5316	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	93
PID 2140 wrote to memory of 5316	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	93
PID 2140 wrote to memory of 4400	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	94
PID 2140 wrote to memory of 4400	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	94
PID 2140 wrote to memory of 4368	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	95
PID 2140 wrote to memory of 4368	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	95
PID 2140 wrote to memory of 4432	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	96
PID 2140 wrote to memory of 4432	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	96
PID 2140 wrote to memory of 4708	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	97
PID 2140 wrote to memory of 4708	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	97
PID 2140 wrote to memory of 2312	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	98
PID 2140 wrote to memory of 2312	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	98
PID 2140 wrote to memory of 4460	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	99
PID 2140 wrote to memory of 4460	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	99
PID 2140 wrote to memory of 1496	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	100
PID 2140 wrote to memory of 1496	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	100
PID 2140 wrote to memory of 4632	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	101
PID 2140 wrote to memory of 4632	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	101
PID 2140 wrote to memory of 4668	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	102
PID 2140 wrote to memory of 4668	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	102
PID 2140 wrote to memory of 4788	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	103
PID 2140 wrote to memory of 4788	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	103
PID 2140 wrote to memory of 4816	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	104
PID 2140 wrote to memory of 4816	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	104
PID 2140 wrote to memory of 3416	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	105
PID 2140 wrote to memory of 3416	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	105
PID 2140 wrote to memory of 4212	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	106
PID 2140 wrote to memory of 4212	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	106
PID 2140 wrote to memory of 2396	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	107
PID 2140 wrote to memory of 2396	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	107
PID 2140 wrote to memory of 3936	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	108
PID 2140 wrote to memory of 3936	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	108
PID 2140 wrote to memory of 2040	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	109
PID 2140 wrote to memory of 2040	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	109
PID 2140 wrote to memory of 4136	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	110
PID 2140 wrote to memory of 4136	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	110
PID 2140 wrote to memory of 4372	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	111
PID 2140 wrote to memory of 4372	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	111
PID 2140 wrote to memory of 2856	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	112
PID 2140 wrote to memory of 2856	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	112
PID 2140 wrote to memory of 988	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	113
PID 2140 wrote to memory of 988	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	113
PID 2140 wrote to memory of 1464	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	114
PID 2140 wrote to memory of 1464	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	114
PID 2140 wrote to memory of 1428	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	115
PID 2140 wrote to memory of 1428	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	115
PID 2140 wrote to memory of 4016	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	116
PID 2140 wrote to memory of 4016	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	116
PID 2140 wrote to memory of 4020	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	117
PID 2140 wrote to memory of 4020	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	117
PID 2140 wrote to memory of 2100	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	118
PID 2140 wrote to memory of 2100	2140	2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe	118

C:\Users\Admin\AppData\Local\Temp\2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-07_514c0ae271732d09ca5b02e2c2282021_black-basta_imuler_xmrig.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\System32\qISkxzv.exe
  C:\Windows\System32\qISkxzv.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System32\jUjNHqT.exe
  C:\Windows\System32\jUjNHqT.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System32\BqmLXoW.exe
  C:\Windows\System32\BqmLXoW.exe
  2⤵
  - Executes dropped EXE
  PID:5488
- C:\Windows\System32\VEzOWFj.exe
  C:\Windows\System32\VEzOWFj.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\juPinJQ.exe
  C:\Windows\System32\juPinJQ.exe
  2⤵
  - Executes dropped EXE
  PID:5844
- C:\Windows\System32\xdJdeHV.exe
  C:\Windows\System32\xdJdeHV.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System32\jXxuKvq.exe
  C:\Windows\System32\jXxuKvq.exe
  2⤵
  - Executes dropped EXE
  PID:5316
- C:\Windows\System32\obXDCyo.exe
  C:\Windows\System32\obXDCyo.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\UWWFmyQ.exe
  C:\Windows\System32\UWWFmyQ.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\sAZPOOe.exe
  C:\Windows\System32\sAZPOOe.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\QhtbnKw.exe
  C:\Windows\System32\QhtbnKw.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\zzQtIjr.exe
  C:\Windows\System32\zzQtIjr.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System32\lrSxQjl.exe
  C:\Windows\System32\lrSxQjl.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\DKlgTqB.exe
  C:\Windows\System32\DKlgTqB.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System32\Ecbihib.exe
  C:\Windows\System32\Ecbihib.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\OOuHnLa.exe
  C:\Windows\System32\OOuHnLa.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\nMEMgZL.exe
  C:\Windows\System32\nMEMgZL.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\JHtaqjF.exe
  C:\Windows\System32\JHtaqjF.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System32\ItvaCfw.exe
  C:\Windows\System32\ItvaCfw.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System32\CesFhEi.exe
  C:\Windows\System32\CesFhEi.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System32\QWkDjdT.exe
  C:\Windows\System32\QWkDjdT.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\fljfgec.exe
  C:\Windows\System32\fljfgec.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System32\jWizjhW.exe
  C:\Windows\System32\jWizjhW.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System32\nGpzsze.exe
  C:\Windows\System32\nGpzsze.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System32\mjGJeYb.exe
  C:\Windows\System32\mjGJeYb.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System32\fPvQMbQ.exe
  C:\Windows\System32\fPvQMbQ.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System32\mHwTTiT.exe
  C:\Windows\System32\mHwTTiT.exe
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\System32\JiCHmRd.exe
  C:\Windows\System32\JiCHmRd.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System32\YpSlHTm.exe
  C:\Windows\System32\YpSlHTm.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\plojBjI.exe
  C:\Windows\System32\plojBjI.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System32\foJSeoP.exe
  C:\Windows\System32\foJSeoP.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System32\oonTPFA.exe
  C:\Windows\System32\oonTPFA.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System32\YkQEIfX.exe
  C:\Windows\System32\YkQEIfX.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\tuUYQSR.exe
  C:\Windows\System32\tuUYQSR.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\JiDdObU.exe
  C:\Windows\System32\JiDdObU.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System32\HhxjVKp.exe
  C:\Windows\System32\HhxjVKp.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System32\VtvsMzm.exe
  C:\Windows\System32\VtvsMzm.exe
  2⤵
  - Executes dropped EXE
  PID:5664
- C:\Windows\System32\MrkoAwy.exe
  C:\Windows\System32\MrkoAwy.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\MUPFUxa.exe
  C:\Windows\System32\MUPFUxa.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\nkiwiZn.exe
  C:\Windows\System32\nkiwiZn.exe
  2⤵
  - Executes dropped EXE
  PID:5256
- C:\Windows\System32\hRylJOz.exe
  C:\Windows\System32\hRylJOz.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\emdxmer.exe
  C:\Windows\System32\emdxmer.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System32\SRmqPRa.exe
  C:\Windows\System32\SRmqPRa.exe
  2⤵
  - Executes dropped EXE
  PID:5848
- C:\Windows\System32\jKvYiBR.exe
  C:\Windows\System32\jKvYiBR.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System32\EUcAZeZ.exe
  C:\Windows\System32\EUcAZeZ.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System32\ZAQJgAU.exe
  C:\Windows\System32\ZAQJgAU.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System32\utgkpPj.exe
  C:\Windows\System32\utgkpPj.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System32\XolFFvN.exe
  C:\Windows\System32\XolFFvN.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System32\lvuzRfl.exe
  C:\Windows\System32\lvuzRfl.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System32\tLwrvxN.exe
  C:\Windows\System32\tLwrvxN.exe
  2⤵
  - Executes dropped EXE
  PID:5248
- C:\Windows\System32\bcTmhpF.exe
  C:\Windows\System32\bcTmhpF.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\OBFizdY.exe
  C:\Windows\System32\OBFizdY.exe
  2⤵
  - Executes dropped EXE
  PID:5624
- C:\Windows\System32\vBCcGrO.exe
  C:\Windows\System32\vBCcGrO.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System32\flYVMIn.exe
  C:\Windows\System32\flYVMIn.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\QEfYTzA.exe
  C:\Windows\System32\QEfYTzA.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System32\YUudjkS.exe
  C:\Windows\System32\YUudjkS.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System32\GcvNRjz.exe
  C:\Windows\System32\GcvNRjz.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\mYgpOGh.exe
  C:\Windows\System32\mYgpOGh.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System32\gmandYk.exe
  C:\Windows\System32\gmandYk.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System32\YHnRUGT.exe
  C:\Windows\System32\YHnRUGT.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\hoHOzYD.exe
  C:\Windows\System32\hoHOzYD.exe
  2⤵
  - Executes dropped EXE
  PID:6008
- C:\Windows\System32\JEbGBtP.exe
  C:\Windows\System32\JEbGBtP.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\qTaTcSR.exe
  C:\Windows\System32\qTaTcSR.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\jVcNAkM.exe
  C:\Windows\System32\jVcNAkM.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\gJRjhIk.exe
  C:\Windows\System32\gJRjhIk.exe
  2⤵
  PID:3364
- C:\Windows\System32\NIOIJTv.exe
  C:\Windows\System32\NIOIJTv.exe
  2⤵
  PID:2480
- C:\Windows\System32\FDKjFvj.exe
  C:\Windows\System32\FDKjFvj.exe
  2⤵
  PID:3000
- C:\Windows\System32\bDpMBNR.exe
  C:\Windows\System32\bDpMBNR.exe
  2⤵
  PID:3008
- C:\Windows\System32\PRwNspO.exe
  C:\Windows\System32\PRwNspO.exe
  2⤵
  PID:5896
- C:\Windows\System32\aWJXSRk.exe
  C:\Windows\System32\aWJXSRk.exe
  2⤵
  PID:5028
- C:\Windows\System32\CxbrqnJ.exe
  C:\Windows\System32\CxbrqnJ.exe
  2⤵
  PID:668
- C:\Windows\System32\MXUeMzI.exe
  C:\Windows\System32\MXUeMzI.exe
  2⤵
  PID:4080
- C:\Windows\System32\plCRmdk.exe
  C:\Windows\System32\plCRmdk.exe
  2⤵
  PID:4152
- C:\Windows\System32\bqjZfxd.exe
  C:\Windows\System32\bqjZfxd.exe
  2⤵
  PID:4856
- C:\Windows\System32\UuPoBIC.exe
  C:\Windows\System32\UuPoBIC.exe
  2⤵
  PID:2524
- C:\Windows\System32\NEkdQWs.exe
  C:\Windows\System32\NEkdQWs.exe
  2⤵
  PID:4056
- C:\Windows\System32\AVkjuid.exe
  C:\Windows\System32\AVkjuid.exe
  2⤵
  PID:6068
- C:\Windows\System32\DUjbnQa.exe
  C:\Windows\System32\DUjbnQa.exe
  2⤵
  PID:2516
- C:\Windows\System32\wyWPYWb.exe
  C:\Windows\System32\wyWPYWb.exe
  2⤵
  PID:5384
- C:\Windows\System32\DzDlkRW.exe
  C:\Windows\System32\DzDlkRW.exe
  2⤵
  PID:5048
- C:\Windows\System32\YHErZFa.exe
  C:\Windows\System32\YHErZFa.exe
  2⤵
  PID:1064
- C:\Windows\System32\xxbmhnK.exe
  C:\Windows\System32\xxbmhnK.exe
  2⤵
  PID:1288
- C:\Windows\System32\gGiRRuk.exe
  C:\Windows\System32\gGiRRuk.exe
  2⤵
  PID:5616
- C:\Windows\System32\GbnJAVN.exe
  C:\Windows\System32\GbnJAVN.exe
  2⤵
  PID:1448
- C:\Windows\System32\cKfevzW.exe
  C:\Windows\System32\cKfevzW.exe
  2⤵
  PID:1388
- C:\Windows\System32\cPqKmNh.exe
  C:\Windows\System32\cPqKmNh.exe
  2⤵
  PID:4872
- C:\Windows\System32\qLsKFww.exe
  C:\Windows\System32\qLsKFww.exe
  2⤵
  PID:4280
- C:\Windows\System32\BzEvyKn.exe
  C:\Windows\System32\BzEvyKn.exe
  2⤵
  PID:4076
- C:\Windows\System32\MBKLROG.exe
  C:\Windows\System32\MBKLROG.exe
  2⤵
  PID:3576
- C:\Windows\System32\VYllGNQ.exe
  C:\Windows\System32\VYllGNQ.exe
  2⤵
  PID:4392
- C:\Windows\System32\ZqpxrMb.exe
  C:\Windows\System32\ZqpxrMb.exe
  2⤵
  PID:4448
- C:\Windows\System32\rlLRoAx.exe
  C:\Windows\System32\rlLRoAx.exe
  2⤵
  PID:4704
- C:\Windows\System32\lpTRMwa.exe
  C:\Windows\System32\lpTRMwa.exe
  2⤵
  PID:5156
- C:\Windows\System32\edrMEkl.exe
  C:\Windows\System32\edrMEkl.exe
  2⤵
  PID:4580
- C:\Windows\System32\XXQwuCV.exe
  C:\Windows\System32\XXQwuCV.exe
  2⤵
  PID:4804
- C:\Windows\System32\Oihxrcw.exe
  C:\Windows\System32\Oihxrcw.exe
  2⤵
  PID:5584
- C:\Windows\System32\qTBqueb.exe
  C:\Windows\System32\qTBqueb.exe
  2⤵
  PID:1348
- C:\Windows\System32\lYODCCd.exe
  C:\Windows\System32\lYODCCd.exe
  2⤵
  PID:448
- C:\Windows\System32\jOVpTIl.exe
  C:\Windows\System32\jOVpTIl.exe
  2⤵
  PID:1456
- C:\Windows\System32\aQUQilS.exe
  C:\Windows\System32\aQUQilS.exe
  2⤵
  PID:2036
- C:\Windows\System32\NZxBuQW.exe
  C:\Windows\System32\NZxBuQW.exe
  2⤵
  PID:3096
- C:\Windows\System32\Tppumng.exe
  C:\Windows\System32\Tppumng.exe
  2⤵
  PID:2332
- C:\Windows\System32\ylAMHBa.exe
  C:\Windows\System32\ylAMHBa.exe
  2⤵
  PID:628
- C:\Windows\System32\QddjLxb.exe
  C:\Windows\System32\QddjLxb.exe
  2⤵
  PID:5872
- C:\Windows\System32\Jfpuhlv.exe
  C:\Windows\System32\Jfpuhlv.exe
  2⤵
  PID:4196
- C:\Windows\System32\lAICISn.exe
  C:\Windows\System32\lAICISn.exe
  2⤵
  PID:1868
- C:\Windows\System32\ruAJzwa.exe
  C:\Windows\System32\ruAJzwa.exe
  2⤵
  PID:3712
- C:\Windows\System32\QtjtFQi.exe
  C:\Windows\System32\QtjtFQi.exe
  2⤵
  PID:3908
- C:\Windows\System32\dzCrpAE.exe
  C:\Windows\System32\dzCrpAE.exe
  2⤵
  PID:6076
- C:\Windows\System32\EhypfuG.exe
  C:\Windows\System32\EhypfuG.exe
  2⤵
  PID:5708
- C:\Windows\System32\LgNsdMa.exe
  C:\Windows\System32\LgNsdMa.exe
  2⤵
  PID:620
- C:\Windows\System32\dcDeXun.exe
  C:\Windows\System32\dcDeXun.exe
  2⤵
  PID:1120
- C:\Windows\System32\jqHSMgi.exe
  C:\Windows\System32\jqHSMgi.exe
  2⤵
  PID:2808
- C:\Windows\System32\nKVnxza.exe
  C:\Windows\System32\nKVnxza.exe
  2⤵
  PID:2704
- C:\Windows\System32\NThREuY.exe
  C:\Windows\System32\NThREuY.exe
  2⤵
  PID:1012
- C:\Windows\System32\XnuqQrd.exe
  C:\Windows\System32\XnuqQrd.exe
  2⤵
  PID:2732
- C:\Windows\System32\gOtdoVW.exe
  C:\Windows\System32\gOtdoVW.exe
  2⤵
  PID:5912
- C:\Windows\System32\xkloIJv.exe
  C:\Windows\System32\xkloIJv.exe
  2⤵
  PID:4988
- C:\Windows\System32\DIVRhXz.exe
  C:\Windows\System32\DIVRhXz.exe
  2⤵
  PID:4032
- C:\Windows\System32\PUwKAin.exe
  C:\Windows\System32\PUwKAin.exe
  2⤵
  PID:5404
- C:\Windows\System32\bhvcQpq.exe
  C:\Windows\System32\bhvcQpq.exe
  2⤵
  PID:5296
- C:\Windows\System32\cMqjVpz.exe
  C:\Windows\System32\cMqjVpz.exe
  2⤵
  PID:2548
- C:\Windows\System32\UpHoGyq.exe
  C:\Windows\System32\UpHoGyq.exe
  2⤵
  PID:5504
- C:\Windows\System32\VdzMvgI.exe
  C:\Windows\System32\VdzMvgI.exe
  2⤵
  PID:5428
- C:\Windows\System32\YBiiboH.exe
  C:\Windows\System32\YBiiboH.exe
  2⤵
  PID:4256
- C:\Windows\System32\sWGkLiw.exe
  C:\Windows\System32\sWGkLiw.exe
  2⤵
  PID:4508
- C:\Windows\System32\LrKUWGy.exe
  C:\Windows\System32\LrKUWGy.exe
  2⤵
  PID:5132
- C:\Windows\System32\KnbNNFu.exe
  C:\Windows\System32\KnbNNFu.exe
  2⤵
  PID:4652
- C:\Windows\System32\QBshcdO.exe
  C:\Windows\System32\QBshcdO.exe
  2⤵
  PID:1644
- C:\Windows\System32\zMDTCir.exe
  C:\Windows\System32\zMDTCir.exe
  2⤵
  PID:5932
- C:\Windows\System32\uRyrsbW.exe
  C:\Windows\System32\uRyrsbW.exe
  2⤵
  PID:1988
- C:\Windows\System32\IyNsgZc.exe
  C:\Windows\System32\IyNsgZc.exe
  2⤵
  PID:3032
- C:\Windows\System32\PtuUynE.exe
  C:\Windows\System32\PtuUynE.exe
  2⤵
  PID:4184
- C:\Windows\System32\ixIQHiN.exe
  C:\Windows\System32\ixIQHiN.exe
  2⤵
  PID:2692
- C:\Windows\System32\rxwQdHe.exe
  C:\Windows\System32\rxwQdHe.exe
  2⤵
  PID:1004
- C:\Windows\System32\DieWoqI.exe
  C:\Windows\System32\DieWoqI.exe
  2⤵
  PID:388
- C:\Windows\System32\ZKEIOHR.exe
  C:\Windows\System32\ZKEIOHR.exe
  2⤵
  PID:1716
- C:\Windows\System32\FfrcWVb.exe
  C:\Windows\System32\FfrcWVb.exe
  2⤵
  PID:5220
- C:\Windows\System32\xGuhmYA.exe
  C:\Windows\System32\xGuhmYA.exe
  2⤵
  PID:1260
- C:\Windows\System32\UiwwHSt.exe
  C:\Windows\System32\UiwwHSt.exe
  2⤵
  PID:5052
- C:\Windows\System32\HDcmlDk.exe
  C:\Windows\System32\HDcmlDk.exe
  2⤵
  PID:4272
- C:\Windows\System32\NzlwSdM.exe
  C:\Windows\System32\NzlwSdM.exe
  2⤵
  PID:4492
- C:\Windows\System32\LFNCuqg.exe
  C:\Windows\System32\LFNCuqg.exe
  2⤵
  PID:4812
- C:\Windows\System32\tktsPVJ.exe
  C:\Windows\System32\tktsPVJ.exe
  2⤵
  PID:5580
- C:\Windows\System32\zAqOOnW.exe
  C:\Windows\System32\zAqOOnW.exe
  2⤵
  PID:4916
- C:\Windows\System32\NPOevYb.exe
  C:\Windows\System32\NPOevYb.exe
  2⤵
  PID:6100
- C:\Windows\System32\FXPsfLe.exe
  C:\Windows\System32\FXPsfLe.exe
  2⤵
  PID:5656
- C:\Windows\System32\gGJsDYw.exe
  C:\Windows\System32\gGJsDYw.exe
  2⤵
  PID:2020
- C:\Windows\System32\FjiitCP.exe
  C:\Windows\System32\FjiitCP.exe
  2⤵
  PID:5464
- C:\Windows\System32\zghgtgE.exe
  C:\Windows\System32\zghgtgE.exe
  2⤵
  PID:5484
- C:\Windows\System32\HaqIIbs.exe
  C:\Windows\System32\HaqIIbs.exe
  2⤵
  PID:5680
- C:\Windows\System32\apcYGzD.exe
  C:\Windows\System32\apcYGzD.exe
  2⤵
  PID:6156
- C:\Windows\System32\XINkUfK.exe
  C:\Windows\System32\XINkUfK.exe
  2⤵
  PID:6184
- C:\Windows\System32\fYvaDFg.exe
  C:\Windows\System32\fYvaDFg.exe
  2⤵
  PID:6212
- C:\Windows\System32\JCsRmXm.exe
  C:\Windows\System32\JCsRmXm.exe
  2⤵
  PID:6240
- C:\Windows\System32\fibVrCq.exe
  C:\Windows\System32\fibVrCq.exe
  2⤵
  PID:6280
- C:\Windows\System32\uAldcDJ.exe
  C:\Windows\System32\uAldcDJ.exe
  2⤵
  PID:6296
- C:\Windows\System32\gbyyzoq.exe
  C:\Windows\System32\gbyyzoq.exe
  2⤵
  PID:6324
- C:\Windows\System32\hoPQfLF.exe
  C:\Windows\System32\hoPQfLF.exe
  2⤵
  PID:6352
- C:\Windows\System32\NnMoOGi.exe
  C:\Windows\System32\NnMoOGi.exe
  2⤵
  PID:6376
- C:\Windows\System32\HTKPDZD.exe
  C:\Windows\System32\HTKPDZD.exe
  2⤵
  PID:6408
- C:\Windows\System32\BxxXqzN.exe
  C:\Windows\System32\BxxXqzN.exe
  2⤵
  PID:6436
- C:\Windows\System32\mVJelfA.exe
  C:\Windows\System32\mVJelfA.exe
  2⤵
  PID:6464
- C:\Windows\System32\glyzsHs.exe
  C:\Windows\System32\glyzsHs.exe
  2⤵
  PID:6492
- C:\Windows\System32\ZwUaSXi.exe
  C:\Windows\System32\ZwUaSXi.exe
  2⤵
  PID:6516
- C:\Windows\System32\TlCmACb.exe
  C:\Windows\System32\TlCmACb.exe
  2⤵
  PID:6548
- C:\Windows\System32\VkFiTBS.exe
  C:\Windows\System32\VkFiTBS.exe
  2⤵
  PID:6576
- C:\Windows\System32\RGhjWSa.exe
  C:\Windows\System32\RGhjWSa.exe
  2⤵
  PID:6604
- C:\Windows\System32\oaXmpvc.exe
  C:\Windows\System32\oaXmpvc.exe
  2⤵
  PID:6632
- C:\Windows\System32\EdQDUvz.exe
  C:\Windows\System32\EdQDUvz.exe
  2⤵
  PID:6660
- C:\Windows\System32\naIAREF.exe
  C:\Windows\System32\naIAREF.exe
  2⤵
  PID:6688
- C:\Windows\System32\GjaJZHZ.exe
  C:\Windows\System32\GjaJZHZ.exe
  2⤵
  PID:6716
- C:\Windows\System32\evEGYjL.exe
  C:\Windows\System32\evEGYjL.exe
  2⤵
  PID:6768
- C:\Windows\System32\hXfLzfZ.exe
  C:\Windows\System32\hXfLzfZ.exe
  2⤵
  PID:6792
- C:\Windows\System32\DoxHKKW.exe
  C:\Windows\System32\DoxHKKW.exe
  2⤵
  PID:6828
- C:\Windows\System32\XxabXXo.exe
  C:\Windows\System32\XxabXXo.exe
  2⤵
  PID:6860
- C:\Windows\System32\YUXkblF.exe
  C:\Windows\System32\YUXkblF.exe
  2⤵
  PID:6892
- C:\Windows\System32\RaKcqjB.exe
  C:\Windows\System32\RaKcqjB.exe
  2⤵
  PID:6912
- C:\Windows\System32\YOZJxOK.exe
  C:\Windows\System32\YOZJxOK.exe
  2⤵
  PID:6944
- C:\Windows\System32\mPmABNj.exe
  C:\Windows\System32\mPmABNj.exe
  2⤵
  PID:6968
- C:\Windows\System32\kKuPfuG.exe
  C:\Windows\System32\kKuPfuG.exe
  2⤵
  PID:7004
- C:\Windows\System32\ldxVEyw.exe
  C:\Windows\System32\ldxVEyw.exe
  2⤵
  PID:7036
- C:\Windows\System32\PlCscxX.exe
  C:\Windows\System32\PlCscxX.exe
  2⤵
  PID:7080
- C:\Windows\System32\WeOXIGD.exe
  C:\Windows\System32\WeOXIGD.exe
  2⤵
  PID:7100
- C:\Windows\System32\azOmnKj.exe
  C:\Windows\System32\azOmnKj.exe
  2⤵
  PID:7116
- C:\Windows\System32\WstrziQ.exe
  C:\Windows\System32\WstrziQ.exe
  2⤵
  PID:7140
- C:\Windows\System32\QYaSWOX.exe
  C:\Windows\System32\QYaSWOX.exe
  2⤵
  PID:3960
- C:\Windows\System32\lRDixmq.exe
  C:\Windows\System32\lRDixmq.exe
  2⤵
  PID:5924
- C:\Windows\System32\vSHuyyy.exe
  C:\Windows\System32\vSHuyyy.exe
  2⤵
  PID:6224
- C:\Windows\System32\Wrvwyrm.exe
  C:\Windows\System32\Wrvwyrm.exe
  2⤵
  PID:4472
- C:\Windows\System32\ypuDENA.exe
  C:\Windows\System32\ypuDENA.exe
  2⤵
  PID:6504
- C:\Windows\System32\kAXydrC.exe
  C:\Windows\System32\kAXydrC.exe
  2⤵
  PID:6560
- C:\Windows\System32\pVCdHOd.exe
  C:\Windows\System32\pVCdHOd.exe
  2⤵
  PID:6584
- C:\Windows\System32\xzFHBWu.exe
  C:\Windows\System32\xzFHBWu.exe
  2⤵
  PID:6616
- C:\Windows\System32\iqYsSxN.exe
  C:\Windows\System32\iqYsSxN.exe
  2⤵
  PID:224
- C:\Windows\System32\qUxTUth.exe
  C:\Windows\System32\qUxTUth.exe
  2⤵
  PID:232
- C:\Windows\System32\LcGEvfK.exe
  C:\Windows\System32\LcGEvfK.exe
  2⤵
  PID:4556
- C:\Windows\System32\jtCcTnK.exe
  C:\Windows\System32\jtCcTnK.exe
  2⤵
  PID:6784
- C:\Windows\System32\uPDrtbj.exe
  C:\Windows\System32\uPDrtbj.exe
  2⤵
  PID:4576
- C:\Windows\System32\nNFTZOm.exe
  C:\Windows\System32\nNFTZOm.exe
  2⤵
  PID:4260
- C:\Windows\System32\WISBCRa.exe
  C:\Windows\System32\WISBCRa.exe
  2⤵
  PID:7068
- C:\Windows\System32\QoAvjzo.exe
  C:\Windows\System32\QoAvjzo.exe
  2⤵
  PID:5304
- C:\Windows\System32\yKqTlpE.exe
  C:\Windows\System32\yKqTlpE.exe
  2⤵
  PID:2052
- C:\Windows\System32\yXaZvII.exe
  C:\Windows\System32\yXaZvII.exe
  2⤵
  PID:7096
- C:\Windows\System32\WYZOOBK.exe
  C:\Windows\System32\WYZOOBK.exe
  2⤵
  PID:5352
- C:\Windows\System32\hQdMCbo.exe
  C:\Windows\System32\hQdMCbo.exe
  2⤵
  PID:6372
- C:\Windows\System32\zOytcpn.exe
  C:\Windows\System32\zOytcpn.exe
  2⤵
  PID:6332
- C:\Windows\System32\jUtnkTr.exe
  C:\Windows\System32\jUtnkTr.exe
  2⤵
  PID:2812
- C:\Windows\System32\tqQbXao.exe
  C:\Windows\System32\tqQbXao.exe
  2⤵
  PID:3912
- C:\Windows\System32\NoSYGOm.exe
  C:\Windows\System32\NoSYGOm.exe
  2⤵
  PID:6540
- C:\Windows\System32\RgyEzZg.exe
  C:\Windows\System32\RgyEzZg.exe
  2⤵
  PID:6776
- C:\Windows\System32\QvfdmMh.exe
  C:\Windows\System32\QvfdmMh.exe
  2⤵
  PID:6884
- C:\Windows\System32\mzfypME.exe
  C:\Windows\System32\mzfypME.exe
  2⤵
  PID:4352
- C:\Windows\System32\MZWsHvI.exe
  C:\Windows\System32\MZWsHvI.exe
  2⤵
  PID:7012
- C:\Windows\System32\fROhiGF.exe
  C:\Windows\System32\fROhiGF.exe
  2⤵
  PID:7112
- C:\Windows\System32\ItOaQiC.exe
  C:\Windows\System32\ItOaQiC.exe
  2⤵
  PID:5976
- C:\Windows\System32\hZQHjMA.exe
  C:\Windows\System32\hZQHjMA.exe
  2⤵
  PID:6472
- C:\Windows\System32\kYTnRHT.exe
  C:\Windows\System32\kYTnRHT.exe
  2⤵
  PID:4128
- C:\Windows\System32\BljpGnQ.exe
  C:\Windows\System32\BljpGnQ.exe
  2⤵
  PID:4700
- C:\Windows\System32\WpDoRkA.exe
  C:\Windows\System32\WpDoRkA.exe
  2⤵
  PID:4428
- C:\Windows\System32\DXIiiEs.exe
  C:\Windows\System32\DXIiiEs.exe
  2⤵
  PID:6760
- C:\Windows\System32\tmPcepx.exe
  C:\Windows\System32\tmPcepx.exe
  2⤵
  PID:6248
- C:\Windows\System32\lmIirVR.exe
  C:\Windows\System32\lmIirVR.exe
  2⤵
  PID:6416
- C:\Windows\System32\gAdEjRw.exe
  C:\Windows\System32\gAdEjRw.exe
  2⤵
  PID:2908
- C:\Windows\System32\CAmXIPt.exe
  C:\Windows\System32\CAmXIPt.exe
  2⤵
  PID:7176
- C:\Windows\System32\haOrECL.exe
  C:\Windows\System32\haOrECL.exe
  2⤵
  PID:7204
- C:\Windows\System32\kPJjOUS.exe
  C:\Windows\System32\kPJjOUS.exe
  2⤵
  PID:7236
- C:\Windows\System32\cvXKtYn.exe
  C:\Windows\System32\cvXKtYn.exe
  2⤵
  PID:7268
- C:\Windows\System32\tjApcwk.exe
  C:\Windows\System32\tjApcwk.exe
  2⤵
  PID:7300
- C:\Windows\System32\GGVlDUj.exe
  C:\Windows\System32\GGVlDUj.exe
  2⤵
  PID:7332
- C:\Windows\System32\UlYOXhZ.exe
  C:\Windows\System32\UlYOXhZ.exe
  2⤵
  PID:7364
- C:\Windows\System32\PfDEuik.exe
  C:\Windows\System32\PfDEuik.exe
  2⤵
  PID:7400
- C:\Windows\System32\kPsttRH.exe
  C:\Windows\System32\kPsttRH.exe
  2⤵
  PID:7424
- C:\Windows\System32\TuxNWKB.exe
  C:\Windows\System32\TuxNWKB.exe
  2⤵
  PID:7452
- C:\Windows\System32\QWJhVyr.exe
  C:\Windows\System32\QWJhVyr.exe
  2⤵
  PID:7480
- C:\Windows\System32\zuoMNOo.exe
  C:\Windows\System32\zuoMNOo.exe
  2⤵
  PID:7508
- C:\Windows\System32\nGjOsss.exe
  C:\Windows\System32\nGjOsss.exe
  2⤵
  PID:7548
- C:\Windows\System32\ofPVIAF.exe
  C:\Windows\System32\ofPVIAF.exe
  2⤵
  PID:7584
- C:\Windows\System32\ImMwmfT.exe
  C:\Windows\System32\ImMwmfT.exe
  2⤵
  PID:7604
- C:\Windows\System32\lZSwehv.exe
  C:\Windows\System32\lZSwehv.exe
  2⤵
  PID:7632
- C:\Windows\System32\iHuMrJZ.exe
  C:\Windows\System32\iHuMrJZ.exe
  2⤵
  PID:7652
- C:\Windows\System32\rlBlUtF.exe
  C:\Windows\System32\rlBlUtF.exe
  2⤵
  PID:7684
- C:\Windows\System32\ytqGcbk.exe
  C:\Windows\System32\ytqGcbk.exe
  2⤵
  PID:7712
- C:\Windows\System32\zRJprKD.exe
  C:\Windows\System32\zRJprKD.exe
  2⤵
  PID:7744
- C:\Windows\System32\ltfBAkg.exe
  C:\Windows\System32\ltfBAkg.exe
  2⤵
  PID:7784
- C:\Windows\System32\vUcpxnO.exe
  C:\Windows\System32\vUcpxnO.exe
  2⤵
  PID:7816
- C:\Windows\System32\msiSnAd.exe
  C:\Windows\System32\msiSnAd.exe
  2⤵
  PID:7852
- C:\Windows\System32\idmtJQO.exe
  C:\Windows\System32\idmtJQO.exe
  2⤵
  PID:7880
- C:\Windows\System32\LmQSGDd.exe
  C:\Windows\System32\LmQSGDd.exe
  2⤵
  PID:7908
- C:\Windows\System32\vIKTTUA.exe
  C:\Windows\System32\vIKTTUA.exe
  2⤵
  PID:7936
- C:\Windows\System32\EbmkgPj.exe
  C:\Windows\System32\EbmkgPj.exe
  2⤵
  PID:7964
- C:\Windows\System32\SjWGETF.exe
  C:\Windows\System32\SjWGETF.exe
  2⤵
  PID:7992
- C:\Windows\System32\uTlfreU.exe
  C:\Windows\System32\uTlfreU.exe
  2⤵
  PID:8020
- C:\Windows\System32\eNcHizF.exe
  C:\Windows\System32\eNcHizF.exe
  2⤵
  PID:8048
- C:\Windows\System32\zkJBvlY.exe
  C:\Windows\System32\zkJBvlY.exe
  2⤵
  PID:8076
- C:\Windows\System32\DgUEbnS.exe
  C:\Windows\System32\DgUEbnS.exe
  2⤵
  PID:8100
- C:\Windows\System32\Fcvgbep.exe
  C:\Windows\System32\Fcvgbep.exe
  2⤵
  PID:8132
- C:\Windows\System32\DSUULwg.exe
  C:\Windows\System32\DSUULwg.exe
  2⤵
  PID:8160
- C:\Windows\System32\LCHKhwL.exe
  C:\Windows\System32\LCHKhwL.exe
  2⤵
  PID:8188
- C:\Windows\System32\juUgjAb.exe
  C:\Windows\System32\juUgjAb.exe
  2⤵
  PID:7188
- C:\Windows\System32\nCGMGpG.exe
  C:\Windows\System32\nCGMGpG.exe
  2⤵
  PID:7228
- C:\Windows\System32\PIvGvTV.exe
  C:\Windows\System32\PIvGvTV.exe
  2⤵
  PID:7324
- C:\Windows\System32\viKUEii.exe
  C:\Windows\System32\viKUEii.exe
  2⤵
  PID:7408
- C:\Windows\System32\OPNMNks.exe
  C:\Windows\System32\OPNMNks.exe
  2⤵
  PID:7448
- C:\Windows\System32\GgfNHHe.exe
  C:\Windows\System32\GgfNHHe.exe
  2⤵
  PID:7536
- C:\Windows\System32\HlpvCLI.exe
  C:\Windows\System32\HlpvCLI.exe
  2⤵
  PID:7616
- C:\Windows\System32\vuoBfwQ.exe
  C:\Windows\System32\vuoBfwQ.exe
  2⤵
  PID:7728
- C:\Windows\System32\WJkNODw.exe
  C:\Windows\System32\WJkNODw.exe
  2⤵
  PID:7796
- C:\Windows\System32\xxTKCJS.exe
  C:\Windows\System32\xxTKCJS.exe
  2⤵
  PID:7900
- C:\Windows\System32\HbZCvgg.exe
  C:\Windows\System32\HbZCvgg.exe
  2⤵
  PID:7948
- C:\Windows\System32\mVbtfsO.exe
  C:\Windows\System32\mVbtfsO.exe
  2⤵
  PID:8068
- C:\Windows\System32\JrZLMml.exe
  C:\Windows\System32\JrZLMml.exe
  2⤵
  PID:8128
- C:\Windows\System32\MGdDhca.exe
  C:\Windows\System32\MGdDhca.exe
  2⤵
  PID:8172
- C:\Windows\System32\xgXBUDF.exe
  C:\Windows\System32\xgXBUDF.exe
  2⤵
  PID:7252
- C:\Windows\System32\qJltGJR.exe
  C:\Windows\System32\qJltGJR.exe
  2⤵
  PID:7492
- C:\Windows\System32\fFnNuzX.exe
  C:\Windows\System32\fFnNuzX.exe
  2⤵
  PID:7664
- C:\Windows\System32\vmdOgGR.exe
  C:\Windows\System32\vmdOgGR.exe
  2⤵
  PID:7976
- C:\Windows\System32\fxTrNJZ.exe
  C:\Windows\System32\fxTrNJZ.exe
  2⤵
  PID:7376
- C:\Windows\System32\YruIJcv.exe
  C:\Windows\System32\YruIJcv.exe
  2⤵
  PID:7696
- C:\Windows\System32\tWkUdbR.exe
  C:\Windows\System32\tWkUdbR.exe
  2⤵
  PID:8156
- C:\Windows\System32\VnZlChm.exe
  C:\Windows\System32\VnZlChm.exe
  2⤵
  PID:7436
- C:\Windows\System32\OTBleiE.exe
  C:\Windows\System32\OTBleiE.exe
  2⤵
  PID:8216
- C:\Windows\System32\ZzYJdmG.exe
  C:\Windows\System32\ZzYJdmG.exe
  2⤵
  PID:8252
- C:\Windows\System32\eNWxUlz.exe
  C:\Windows\System32\eNWxUlz.exe
  2⤵
  PID:8276
- C:\Windows\System32\RudDKWi.exe
  C:\Windows\System32\RudDKWi.exe
  2⤵
  PID:8308
- C:\Windows\System32\YfDoVdB.exe
  C:\Windows\System32\YfDoVdB.exe
  2⤵
  PID:8340
- C:\Windows\System32\fWogotb.exe
  C:\Windows\System32\fWogotb.exe
  2⤵
  PID:8356
- C:\Windows\System32\zVHAiCC.exe
  C:\Windows\System32\zVHAiCC.exe
  2⤵
  PID:8408
- C:\Windows\System32\nIcpCxr.exe
  C:\Windows\System32\nIcpCxr.exe
  2⤵
  PID:8424
- C:\Windows\System32\uLPREPQ.exe
  C:\Windows\System32\uLPREPQ.exe
  2⤵
  PID:8456
- C:\Windows\System32\nOiFUqs.exe
  C:\Windows\System32\nOiFUqs.exe
  2⤵
  PID:8484
- C:\Windows\System32\xbziOhU.exe
  C:\Windows\System32\xbziOhU.exe
  2⤵
  PID:8516
- C:\Windows\System32\dJNjoaS.exe
  C:\Windows\System32\dJNjoaS.exe
  2⤵
  PID:8544
- C:\Windows\System32\HRkPBeU.exe
  C:\Windows\System32\HRkPBeU.exe
  2⤵
  PID:8572
- C:\Windows\System32\sPbxOco.exe
  C:\Windows\System32\sPbxOco.exe
  2⤵
  PID:8604
- C:\Windows\System32\RbiCliq.exe
  C:\Windows\System32\RbiCliq.exe
  2⤵
  PID:8620
- C:\Windows\System32\TeBeCbu.exe
  C:\Windows\System32\TeBeCbu.exe
  2⤵
  PID:8640
- C:\Windows\System32\CCMbLDD.exe
  C:\Windows\System32\CCMbLDD.exe
  2⤵
  PID:8660
- C:\Windows\System32\FGHBDyI.exe
  C:\Windows\System32\FGHBDyI.exe
  2⤵
  PID:8676
- C:\Windows\System32\ivuJgUt.exe
  C:\Windows\System32\ivuJgUt.exe
  2⤵
  PID:8708
- C:\Windows\System32\sMETTTZ.exe
  C:\Windows\System32\sMETTTZ.exe
  2⤵
  PID:8748
- C:\Windows\System32\SUOAkpK.exe
  C:\Windows\System32\SUOAkpK.exe
  2⤵
  PID:8816
- C:\Windows\System32\klykHgB.exe
  C:\Windows\System32\klykHgB.exe
  2⤵
  PID:8832
- C:\Windows\System32\XkbDymu.exe
  C:\Windows\System32\XkbDymu.exe
  2⤵
  PID:8860
- C:\Windows\System32\zPNjiBy.exe
  C:\Windows\System32\zPNjiBy.exe
  2⤵
  PID:8888
- C:\Windows\System32\irgsdwn.exe
  C:\Windows\System32\irgsdwn.exe
  2⤵
  PID:8924
- C:\Windows\System32\hffrxKY.exe
  C:\Windows\System32\hffrxKY.exe
  2⤵
  PID:8952
- C:\Windows\System32\PgnIsDP.exe
  C:\Windows\System32\PgnIsDP.exe
  2⤵
  PID:8996
- C:\Windows\System32\KRxYonu.exe
  C:\Windows\System32\KRxYonu.exe
  2⤵
  PID:9032
- C:\Windows\System32\covztXK.exe
  C:\Windows\System32\covztXK.exe
  2⤵
  PID:9064
- C:\Windows\System32\OgqniKf.exe
  C:\Windows\System32\OgqniKf.exe
  2⤵
  PID:9088
- C:\Windows\System32\eXzscvY.exe
  C:\Windows\System32\eXzscvY.exe
  2⤵
  PID:9120
- C:\Windows\System32\ePltijg.exe
  C:\Windows\System32\ePltijg.exe
  2⤵
  PID:9148
- C:\Windows\System32\mXUHMQD.exe
  C:\Windows\System32\mXUHMQD.exe
  2⤵
  PID:9172
- C:\Windows\System32\ACcDXDG.exe
  C:\Windows\System32\ACcDXDG.exe
  2⤵
  PID:8204
- C:\Windows\System32\hCRRnBM.exe
  C:\Windows\System32\hCRRnBM.exe
  2⤵
  PID:8272
- C:\Windows\System32\aAwNSXV.exe
  C:\Windows\System32\aAwNSXV.exe
  2⤵
  PID:8332
- C:\Windows\System32\ENwEZuR.exe
  C:\Windows\System32\ENwEZuR.exe
  2⤵
  PID:8392
- C:\Windows\System32\CtzCBvA.exe
  C:\Windows\System32\CtzCBvA.exe
  2⤵
  PID:8416
- C:\Windows\System32\WVmjnlo.exe
  C:\Windows\System32\WVmjnlo.exe
  2⤵
  PID:8496
- C:\Windows\System32\IgIWqaX.exe
  C:\Windows\System32\IgIWqaX.exe
  2⤵
  PID:8564
- C:\Windows\System32\tcoBaYN.exe
  C:\Windows\System32\tcoBaYN.exe
  2⤵
  PID:8632
- C:\Windows\System32\gqrAzRo.exe
  C:\Windows\System32\gqrAzRo.exe
  2⤵
  PID:8720
- C:\Windows\System32\OrxYbnS.exe
  C:\Windows\System32\OrxYbnS.exe
  2⤵
  PID:8740
- C:\Windows\System32\HEcSEgJ.exe
  C:\Windows\System32\HEcSEgJ.exe
  2⤵
  PID:8828
- C:\Windows\System32\djnzkzh.exe
  C:\Windows\System32\djnzkzh.exe
  2⤵
  PID:8908
- C:\Windows\System32\iHAUstG.exe
  C:\Windows\System32\iHAUstG.exe
  2⤵
  PID:9060
- C:\Windows\System32\GiaWDAJ.exe
  C:\Windows\System32\GiaWDAJ.exe
  2⤵
  PID:9100
- C:\Windows\System32\LprYnpa.exe
  C:\Windows\System32\LprYnpa.exe
  2⤵
  PID:9160
- C:\Windows\System32\CRUMUND.exe
  C:\Windows\System32\CRUMUND.exe
  2⤵
  PID:8268
- C:\Windows\System32\cBisGVn.exe
  C:\Windows\System32\cBisGVn.exe
  2⤵
  PID:8092
- C:\Windows\System32\AIlkKty.exe
  C:\Windows\System32\AIlkKty.exe
  2⤵
  PID:8540
- C:\Windows\System32\sxSHXWP.exe
  C:\Windows\System32\sxSHXWP.exe
  2⤵
  PID:8668
- C:\Windows\System32\kDIHbpO.exe
  C:\Windows\System32\kDIHbpO.exe
  2⤵
  PID:8856
- C:\Windows\System32\XZrIxrn.exe
  C:\Windows\System32\XZrIxrn.exe
  2⤵
  PID:9076
- C:\Windows\System32\DjPEBvV.exe
  C:\Windows\System32\DjPEBvV.exe
  2⤵
  PID:8208
- C:\Windows\System32\CTVZqRy.exe
  C:\Windows\System32\CTVZqRy.exe
  2⤵
  PID:8512
- C:\Windows\System32\xtNksFK.exe
  C:\Windows\System32\xtNksFK.exe
  2⤵
  PID:8976
- C:\Windows\System32\DVZmuSZ.exe
  C:\Windows\System32\DVZmuSZ.exe
  2⤵
  PID:8948
- C:\Windows\System32\LJjcNeG.exe
  C:\Windows\System32\LJjcNeG.exe
  2⤵
  PID:9156
- C:\Windows\System32\oBwMVzg.exe
  C:\Windows\System32\oBwMVzg.exe
  2⤵
  PID:9248
- C:\Windows\System32\ZqbFQLP.exe
  C:\Windows\System32\ZqbFQLP.exe
  2⤵
  PID:9276
- C:\Windows\System32\YutCgCq.exe
  C:\Windows\System32\YutCgCq.exe
  2⤵
  PID:9304
- C:\Windows\System32\zenDLZf.exe
  C:\Windows\System32\zenDLZf.exe
  2⤵
  PID:9332
- C:\Windows\System32\AzStdZZ.exe
  C:\Windows\System32\AzStdZZ.exe
  2⤵
  PID:9360
- C:\Windows\System32\RLHQlfJ.exe
  C:\Windows\System32\RLHQlfJ.exe
  2⤵
  PID:9388
- C:\Windows\System32\liOqCiL.exe
  C:\Windows\System32\liOqCiL.exe
  2⤵
  PID:9416
- C:\Windows\System32\AjbGzGQ.exe
  C:\Windows\System32\AjbGzGQ.exe
  2⤵
  PID:9444
- C:\Windows\System32\mliZQiD.exe
  C:\Windows\System32\mliZQiD.exe
  2⤵
  PID:9476
- C:\Windows\System32\hqLjNgO.exe
  C:\Windows\System32\hqLjNgO.exe
  2⤵
  PID:9508
- C:\Windows\System32\fUQsQeW.exe
  C:\Windows\System32\fUQsQeW.exe
  2⤵
  PID:9536
- C:\Windows\System32\OhqljcK.exe
  C:\Windows\System32\OhqljcK.exe
  2⤵
  PID:9568
- C:\Windows\System32\udOKHvX.exe
  C:\Windows\System32\udOKHvX.exe
  2⤵
  PID:9596
- C:\Windows\System32\anKqDNB.exe
  C:\Windows\System32\anKqDNB.exe
  2⤵
  PID:9624
- C:\Windows\System32\KcFHZOZ.exe
  C:\Windows\System32\KcFHZOZ.exe
  2⤵
  PID:9656
- C:\Windows\System32\qUCiUWB.exe
  C:\Windows\System32\qUCiUWB.exe
  2⤵
  PID:9684
- C:\Windows\System32\RbwPSiP.exe
  C:\Windows\System32\RbwPSiP.exe
  2⤵
  PID:9712
- C:\Windows\System32\CeRHEwW.exe
  C:\Windows\System32\CeRHEwW.exe
  2⤵
  PID:9740
- C:\Windows\System32\aqEHCGE.exe
  C:\Windows\System32\aqEHCGE.exe
  2⤵
  PID:9768
- C:\Windows\System32\XnVIiNy.exe
  C:\Windows\System32\XnVIiNy.exe
  2⤵
  PID:9804
- C:\Windows\System32\XCkyCcn.exe
  C:\Windows\System32\XCkyCcn.exe
  2⤵
  PID:9832
- C:\Windows\System32\dKzGpFL.exe
  C:\Windows\System32\dKzGpFL.exe
  2⤵
  PID:9868
- C:\Windows\System32\CZqTzoo.exe
  C:\Windows\System32\CZqTzoo.exe
  2⤵
  PID:9904
- C:\Windows\System32\rxuhEuX.exe
  C:\Windows\System32\rxuhEuX.exe
  2⤵
  PID:9932
- C:\Windows\System32\BfqcUTo.exe
  C:\Windows\System32\BfqcUTo.exe
  2⤵
  PID:9964
- C:\Windows\System32\lrVzwis.exe
  C:\Windows\System32\lrVzwis.exe
  2⤵
  PID:10008
- C:\Windows\System32\aHYzDEE.exe
  C:\Windows\System32\aHYzDEE.exe
  2⤵
  PID:10036
- C:\Windows\System32\NnliZrs.exe
  C:\Windows\System32\NnliZrs.exe
  2⤵
  PID:10064
- C:\Windows\System32\CKHkCZk.exe
  C:\Windows\System32\CKHkCZk.exe
  2⤵
  PID:10084
- C:\Windows\System32\YRRHYds.exe
  C:\Windows\System32\YRRHYds.exe
  2⤵
  PID:10124
- C:\Windows\System32\wxOAMur.exe
  C:\Windows\System32\wxOAMur.exe
  2⤵
  PID:10176
- C:\Windows\System32\oZUOSAZ.exe
  C:\Windows\System32\oZUOSAZ.exe
  2⤵
  PID:10208
- C:\Windows\System32\UUhcyZL.exe
  C:\Windows\System32\UUhcyZL.exe
  2⤵
  PID:9244
- C:\Windows\System32\iaIIuye.exe
  C:\Windows\System32\iaIIuye.exe
  2⤵
  PID:9328
- C:\Windows\System32\NyUmdzb.exe
  C:\Windows\System32\NyUmdzb.exe
  2⤵
  PID:9408
- C:\Windows\System32\ithbSoZ.exe
  C:\Windows\System32\ithbSoZ.exe
  2⤵
  PID:9488
- C:\Windows\System32\PORfpzA.exe
  C:\Windows\System32\PORfpzA.exe
  2⤵
  PID:9560
- C:\Windows\System32\QGWYEyS.exe
  C:\Windows\System32\QGWYEyS.exe
  2⤵
  PID:9676
- C:\Windows\System32\cgyLJzI.exe
  C:\Windows\System32\cgyLJzI.exe
  2⤵
  PID:9752
- C:\Windows\System32\rGuXhJC.exe
  C:\Windows\System32\rGuXhJC.exe
  2⤵
  PID:9860
- C:\Windows\System32\pYgLotW.exe
  C:\Windows\System32\pYgLotW.exe
  2⤵
  PID:9960
- C:\Windows\System32\wbXgECv.exe
  C:\Windows\System32\wbXgECv.exe
  2⤵
  PID:10020
- C:\Windows\System32\zgcdQSe.exe
  C:\Windows\System32\zgcdQSe.exe
  2⤵
  PID:10192
- C:\Windows\System32\tdGSBIq.exe
  C:\Windows\System32\tdGSBIq.exe
  2⤵
  PID:9372
- C:\Windows\System32\oWPKqpF.exe
  C:\Windows\System32\oWPKqpF.exe
  2⤵
  PID:9468
- C:\Windows\System32\MvRzvNN.exe
  C:\Windows\System32\MvRzvNN.exe
  2⤵
  PID:9588
- C:\Windows\System32\VioXTEx.exe
  C:\Windows\System32\VioXTEx.exe
  2⤵
  PID:9788
- C:\Windows\System32\XluLiRO.exe
  C:\Windows\System32\XluLiRO.exe
  2⤵
  PID:9916
- C:\Windows\System32\vyfTTAY.exe
  C:\Windows\System32\vyfTTAY.exe
  2⤵
  PID:9532
- C:\Windows\System32\FxeHYuZ.exe
  C:\Windows\System32\FxeHYuZ.exe
  2⤵
  PID:10028
- C:\Windows\System32\HVKrkoj.exe
  C:\Windows\System32\HVKrkoj.exe
  2⤵
  PID:10272
- C:\Windows\System32\qfsAPFZ.exe
  C:\Windows\System32\qfsAPFZ.exe
  2⤵
  PID:10300
- C:\Windows\System32\LIaBbuX.exe
  C:\Windows\System32\LIaBbuX.exe
  2⤵
  PID:10332
- C:\Windows\System32\qBABrIx.exe
  C:\Windows\System32\qBABrIx.exe
  2⤵
  PID:10360
- C:\Windows\System32\xEqoTbR.exe
  C:\Windows\System32\xEqoTbR.exe
  2⤵
  PID:10388
- C:\Windows\System32\kFZlKjI.exe
  C:\Windows\System32\kFZlKjI.exe
  2⤵
  PID:10416
- C:\Windows\System32\oNzFjJq.exe
  C:\Windows\System32\oNzFjJq.exe
  2⤵
  PID:10448
- C:\Windows\System32\OherXRQ.exe
  C:\Windows\System32\OherXRQ.exe
  2⤵
  PID:10476
- C:\Windows\System32\KjNGkBR.exe
  C:\Windows\System32\KjNGkBR.exe
  2⤵
  PID:10512
- C:\Windows\System32\BOVdFKN.exe
  C:\Windows\System32\BOVdFKN.exe
  2⤵
  PID:10544
- C:\Windows\System32\OCNCgvW.exe
  C:\Windows\System32\OCNCgvW.exe
  2⤵
  PID:10584
- C:\Windows\System32\SltjSon.exe
  C:\Windows\System32\SltjSon.exe
  2⤵
  PID:10616
- C:\Windows\System32\YkfUclE.exe
  C:\Windows\System32\YkfUclE.exe
  2⤵
  PID:10648
- C:\Windows\System32\WXaNlEf.exe
  C:\Windows\System32\WXaNlEf.exe
  2⤵
  PID:10688
- C:\Windows\System32\pwkRwJS.exe
  C:\Windows\System32\pwkRwJS.exe
  2⤵
  PID:10712
- C:\Windows\System32\gZiNfMy.exe
  C:\Windows\System32\gZiNfMy.exe
  2⤵
  PID:10740
- C:\Windows\System32\iPviPzq.exe
  C:\Windows\System32\iPviPzq.exe
  2⤵
  PID:10768
- C:\Windows\System32\xNYbIoH.exe
  C:\Windows\System32\xNYbIoH.exe
  2⤵
  PID:10796
- C:\Windows\System32\cUCUpVK.exe
  C:\Windows\System32\cUCUpVK.exe
  2⤵
  PID:10824
- C:\Windows\System32\PdOYGpp.exe
  C:\Windows\System32\PdOYGpp.exe
  2⤵
  PID:10852
- C:\Windows\System32\ZcBcdXu.exe
  C:\Windows\System32\ZcBcdXu.exe
  2⤵
  PID:10888
- C:\Windows\System32\drkNuHF.exe
  C:\Windows\System32\drkNuHF.exe
  2⤵
  PID:10916
- C:\Windows\System32\LHBYRsv.exe
  C:\Windows\System32\LHBYRsv.exe
  2⤵
  PID:10944
- C:\Windows\System32\QCWoMLc.exe
  C:\Windows\System32\QCWoMLc.exe
  2⤵
  PID:10992
- C:\Windows\System32\GjKiFqa.exe
  C:\Windows\System32\GjKiFqa.exe
  2⤵
  PID:11020
- C:\Windows\System32\pRaySQV.exe
  C:\Windows\System32\pRaySQV.exe
  2⤵
  PID:11048
- C:\Windows\System32\UHbqtAg.exe
  C:\Windows\System32\UHbqtAg.exe
  2⤵
  PID:11076
- C:\Windows\System32\fDpprdg.exe
  C:\Windows\System32\fDpprdg.exe
  2⤵
  PID:11104
- C:\Windows\System32\ZxhrUog.exe
  C:\Windows\System32\ZxhrUog.exe
  2⤵
  PID:11132
- C:\Windows\System32\Yvpjmqz.exe
  C:\Windows\System32\Yvpjmqz.exe
  2⤵
  PID:11164
- C:\Windows\System32\tFjTufP.exe
  C:\Windows\System32\tFjTufP.exe
  2⤵
  PID:11192
- C:\Windows\System32\HkCOOlu.exe
  C:\Windows\System32\HkCOOlu.exe
  2⤵
  PID:11220
- C:\Windows\System32\OrZTGhe.exe
  C:\Windows\System32\OrZTGhe.exe
  2⤵
  PID:11248
- C:\Windows\System32\hfmLClG.exe
  C:\Windows\System32\hfmLClG.exe
  2⤵
  PID:9456
- C:\Windows\System32\uEvVDdx.exe
  C:\Windows\System32\uEvVDdx.exe
  2⤵
  PID:10292
- C:\Windows\System32\IWQqmJf.exe
  C:\Windows\System32\IWQqmJf.exe
  2⤵
  PID:10356
- C:\Windows\System32\cjKRiXU.exe
  C:\Windows\System32\cjKRiXU.exe
  2⤵
  PID:10428
- C:\Windows\System32\yRmjkjS.exe
  C:\Windows\System32\yRmjkjS.exe
  2⤵
  PID:10504
- C:\Windows\System32\vVFSGZD.exe
  C:\Windows\System32\vVFSGZD.exe
  2⤵
  PID:10596
- C:\Windows\System32\boyUNiD.exe
  C:\Windows\System32\boyUNiD.exe
  2⤵
  PID:3752
- C:\Windows\System32\KBIoEAA.exe
  C:\Windows\System32\KBIoEAA.exe
  2⤵
  PID:10736
- C:\Windows\System32\fGkdNHS.exe
  C:\Windows\System32\fGkdNHS.exe
  2⤵
  PID:10792
- C:\Windows\System32\CiHpSQA.exe
  C:\Windows\System32\CiHpSQA.exe
  2⤵
  PID:10880
- C:\Windows\System32\XnbqNjM.exe
  C:\Windows\System32\XnbqNjM.exe
  2⤵
  PID:10940
- C:\Windows\System32\fumLqAa.exe
  C:\Windows\System32\fumLqAa.exe
  2⤵
  PID:11032
- C:\Windows\System32\EXQmYsw.exe
  C:\Windows\System32\EXQmYsw.exe
  2⤵
  PID:11096
- C:\Windows\System32\RiykScK.exe
  C:\Windows\System32\RiykScK.exe
  2⤵
  PID:11160
- C:\Windows\System32\fKZTmGQ.exe
  C:\Windows\System32\fKZTmGQ.exe
  2⤵
  PID:11236
- C:\Windows\System32\iaeEYdT.exe
  C:\Windows\System32\iaeEYdT.exe
  2⤵
  PID:9816
- C:\Windows\System32\SewvmaV.exe
  C:\Windows\System32\SewvmaV.exe
  2⤵
  PID:10412
- C:\Windows\System32\qiBnZDd.exe
  C:\Windows\System32\qiBnZDd.exe
  2⤵
  PID:10576
- C:\Windows\System32\GQuuSZv.exe
  C:\Windows\System32\GQuuSZv.exe
  2⤵
  PID:10760
- C:\Windows\System32\YRJDJyR.exe
  C:\Windows\System32\YRJDJyR.exe
  2⤵
  PID:6952
- C:\Windows\System32\bBuLoGU.exe
  C:\Windows\System32\bBuLoGU.exe
  2⤵
  PID:11016
- C:\Windows\System32\NYBfXiV.exe
  C:\Windows\System32\NYBfXiV.exe
  2⤵
  PID:11184
- C:\Windows\System32\qOyTQtl.exe
  C:\Windows\System32\qOyTQtl.exe
  2⤵
  PID:10380
- C:\Windows\System32\LwkTPfg.exe
  C:\Windows\System32\LwkTPfg.exe
  2⤵
  PID:10724
- C:\Windows\System32\VYuyZBP.exe
  C:\Windows\System32\VYuyZBP.exe
  2⤵
  PID:11088
- C:\Windows\System32\WFCBiMV.exe
  C:\Windows\System32\WFCBiMV.exe
  2⤵
  PID:10536
- C:\Windows\System32\fgbuzPo.exe
  C:\Windows\System32\fgbuzPo.exe
  2⤵
  PID:10280
- C:\Windows\System32\OJDapco.exe
  C:\Windows\System32\OJDapco.exe
  2⤵
  PID:11012
- C:\Windows\System32\XhGoyUf.exe
  C:\Windows\System32\XhGoyUf.exe
  2⤵
  PID:11292
- C:\Windows\System32\rAfmAbO.exe
  C:\Windows\System32\rAfmAbO.exe
  2⤵
  PID:11320
- C:\Windows\System32\XcltFNb.exe
  C:\Windows\System32\XcltFNb.exe
  2⤵
  PID:11348
- C:\Windows\System32\TdahIal.exe
  C:\Windows\System32\TdahIal.exe
  2⤵
  PID:11376
- C:\Windows\System32\aRwrhkQ.exe
  C:\Windows\System32\aRwrhkQ.exe
  2⤵
  PID:11404
- C:\Windows\System32\ZlwZkeN.exe
  C:\Windows\System32\ZlwZkeN.exe
  2⤵
  PID:11432
- C:\Windows\System32\hUOzREq.exe
  C:\Windows\System32\hUOzREq.exe
  2⤵
  PID:11460
- C:\Windows\System32\qPKcDzm.exe
  C:\Windows\System32\qPKcDzm.exe
  2⤵
  PID:11488
- C:\Windows\System32\ewNVuoX.exe
  C:\Windows\System32\ewNVuoX.exe
  2⤵
  PID:11516
- C:\Windows\System32\rNUPtGk.exe
  C:\Windows\System32\rNUPtGk.exe
  2⤵
  PID:11540
- C:\Windows\System32\HMDtMdc.exe
  C:\Windows\System32\HMDtMdc.exe
  2⤵
  PID:11572
- C:\Windows\System32\nOjjbzY.exe
  C:\Windows\System32\nOjjbzY.exe
  2⤵
  PID:11600
- C:\Windows\System32\XQpXOmr.exe
  C:\Windows\System32\XQpXOmr.exe
  2⤵
  PID:11628
- C:\Windows\System32\sTnFefg.exe
  C:\Windows\System32\sTnFefg.exe
  2⤵
  PID:11656
- C:\Windows\System32\TBVDqVz.exe
  C:\Windows\System32\TBVDqVz.exe
  2⤵
  PID:11684
- C:\Windows\System32\tENLFSy.exe
  C:\Windows\System32\tENLFSy.exe
  2⤵
  PID:11700
- C:\Windows\System32\bqbFVqI.exe
  C:\Windows\System32\bqbFVqI.exe
  2⤵
  PID:11728
- C:\Windows\System32\rGyswts.exe
  C:\Windows\System32\rGyswts.exe
  2⤵
  PID:11768
- C:\Windows\System32\KZgcxei.exe
  C:\Windows\System32\KZgcxei.exe
  2⤵
  PID:11800
- C:\Windows\System32\aqAueYL.exe
  C:\Windows\System32\aqAueYL.exe
  2⤵
  PID:11828
- C:\Windows\System32\LNmPvpD.exe
  C:\Windows\System32\LNmPvpD.exe
  2⤵
  PID:11860
- C:\Windows\System32\OEpKJRo.exe
  C:\Windows\System32\OEpKJRo.exe
  2⤵
  PID:11884
- C:\Windows\System32\xIrwhto.exe
  C:\Windows\System32\xIrwhto.exe
  2⤵
  PID:11912
- C:\Windows\System32\tVdDCXR.exe
  C:\Windows\System32\tVdDCXR.exe
  2⤵
  PID:11940
- C:\Windows\System32\scUepjo.exe
  C:\Windows\System32\scUepjo.exe
  2⤵
  PID:11968
- C:\Windows\System32\VAMfDzi.exe
  C:\Windows\System32\VAMfDzi.exe
  2⤵
  PID:11996
- C:\Windows\System32\pUcEMur.exe
  C:\Windows\System32\pUcEMur.exe
  2⤵
  PID:12024
- C:\Windows\System32\SMUfymk.exe
  C:\Windows\System32\SMUfymk.exe
  2⤵
  PID:12052
- C:\Windows\System32\IwLkzmo.exe
  C:\Windows\System32\IwLkzmo.exe
  2⤵
  PID:12080
- C:\Windows\System32\LPvMbZa.exe
  C:\Windows\System32\LPvMbZa.exe
  2⤵
  PID:12108
- C:\Windows\System32\baSsmnz.exe
  C:\Windows\System32\baSsmnz.exe
  2⤵
  PID:12140
- C:\Windows\System32\kWiqdbb.exe
  C:\Windows\System32\kWiqdbb.exe
  2⤵
  PID:12168
- C:\Windows\System32\cbLgguX.exe
  C:\Windows\System32\cbLgguX.exe
  2⤵
  PID:12196
- C:\Windows\System32\huYoVmv.exe
  C:\Windows\System32\huYoVmv.exe
  2⤵
  PID:12216
- C:\Windows\System32\qMCwNGG.exe
  C:\Windows\System32\qMCwNGG.exe
  2⤵
  PID:12240
- C:\Windows\System32\ROBymPc.exe
  C:\Windows\System32\ROBymPc.exe
  2⤵
  PID:12280
- C:\Windows\System32\figCPaU.exe
  C:\Windows\System32\figCPaU.exe
  2⤵
  PID:11344
- C:\Windows\System32\rIherew.exe
  C:\Windows\System32\rIherew.exe
  2⤵
  PID:11416
- C:\Windows\System32\wVaKsWy.exe
  C:\Windows\System32\wVaKsWy.exe
  2⤵
  PID:11456
- C:\Windows\System32\VarnyrW.exe
  C:\Windows\System32\VarnyrW.exe
  2⤵
  PID:11524
- C:\Windows\System32\oeRdIxO.exe
  C:\Windows\System32\oeRdIxO.exe
  2⤵
  PID:11592
- C:\Windows\System32\ZKRsbhd.exe
  C:\Windows\System32\ZKRsbhd.exe
  2⤵
  PID:11624
- C:\Windows\System32\nKPrlRs.exe
  C:\Windows\System32\nKPrlRs.exe
  2⤵
  PID:11692
- C:\Windows\System32\UiIIxMO.exe
  C:\Windows\System32\UiIIxMO.exe
  2⤵
  PID:11764
- C:\Windows\System32\hclSIEa.exe
  C:\Windows\System32\hclSIEa.exe
  2⤵
  PID:11840
- C:\Windows\System32\ZnnkOSU.exe
  C:\Windows\System32\ZnnkOSU.exe
  2⤵
  PID:11924
- C:\Windows\System32\RVWyszs.exe
  C:\Windows\System32\RVWyszs.exe
  2⤵
  PID:11988
- C:\Windows\System32\uwIiikA.exe
  C:\Windows\System32\uwIiikA.exe
  2⤵
  PID:12048
- C:\Windows\System32\ufgqxsU.exe
  C:\Windows\System32\ufgqxsU.exe
  2⤵
  PID:12120
- C:\Windows\System32\OEgpUEt.exe
  C:\Windows\System32\OEgpUEt.exe
  2⤵
  PID:12188
- C:\Windows\System32\aPpKDgb.exe
  C:\Windows\System32\aPpKDgb.exe
  2⤵
  PID:12252
- C:\Windows\System32\NrSQfJt.exe
  C:\Windows\System32\NrSQfJt.exe
  2⤵
  PID:11368
- C:\Windows\System32\yAREHuh.exe
  C:\Windows\System32\yAREHuh.exe
  2⤵
  PID:11452
- C:\Windows\System32\AQHelvH.exe
  C:\Windows\System32\AQHelvH.exe
  2⤵
  PID:5608
- C:\Windows\System32\EPLNrWU.exe
  C:\Windows\System32\EPLNrWU.exe
  2⤵
  PID:11568
- C:\Windows\System32\RTCcHWy.exe
  C:\Windows\System32\RTCcHWy.exe
  2⤵
  PID:11792
- C:\Windows\System32\pZiecGn.exe
  C:\Windows\System32\pZiecGn.exe
  2⤵
  PID:11880
- C:\Windows\System32\wzziJUg.exe
  C:\Windows\System32\wzziJUg.exe
  2⤵
  PID:12044
- C:\Windows\System32\amfITTt.exe
  C:\Windows\System32\amfITTt.exe
  2⤵
  PID:12204
- C:\Windows\System32\QpfPGlc.exe
  C:\Windows\System32\QpfPGlc.exe
  2⤵
  PID:716
- C:\Windows\System32\wQUeXUL.exe
  C:\Windows\System32\wQUeXUL.exe
  2⤵
  PID:11564
- C:\Windows\System32\jSnvqbh.exe
  C:\Windows\System32\jSnvqbh.exe
  2⤵
  PID:11752
- C:\Windows\System32\duLJZcu.exe
  C:\Windows\System32\duLJZcu.exe
  2⤵
  PID:12276
- C:\Windows\System32\bYSulKD.exe
  C:\Windows\System32\bYSulKD.exe
  2⤵
  PID:11508
- C:\Windows\System32\EuuESBJ.exe
  C:\Windows\System32\EuuESBJ.exe
  2⤵
  PID:12164
- C:\Windows\System32\IdotAia.exe
  C:\Windows\System32\IdotAia.exe
  2⤵
  PID:2352
- C:\Windows\System32\zwuKqUO.exe
  C:\Windows\System32\zwuKqUO.exe
  2⤵
  PID:12308
- C:\Windows\System32\xjVhlEE.exe
  C:\Windows\System32\xjVhlEE.exe
  2⤵
  PID:12336
- C:\Windows\System32\mmwfSYy.exe
  C:\Windows\System32\mmwfSYy.exe
  2⤵
  PID:12364
- C:\Windows\System32\RspsdPZ.exe
  C:\Windows\System32\RspsdPZ.exe
  2⤵
  PID:12392
- C:\Windows\System32\MbgiorD.exe
  C:\Windows\System32\MbgiorD.exe
  2⤵
  PID:12420
- C:\Windows\System32\sNgptgi.exe
  C:\Windows\System32\sNgptgi.exe
  2⤵
  PID:12448
- C:\Windows\System32\bEfHiJI.exe
  C:\Windows\System32\bEfHiJI.exe
  2⤵
  PID:12496
- C:\Windows\System32\LYrStUx.exe
  C:\Windows\System32\LYrStUx.exe
  2⤵
  PID:12524
- C:\Windows\System32\CdTOJoR.exe
  C:\Windows\System32\CdTOJoR.exe
  2⤵
  PID:12564
- C:\Windows\System32\OHNSykw.exe
  C:\Windows\System32\OHNSykw.exe
  2⤵
  PID:12596
- C:\Windows\System32\miWBWgd.exe
  C:\Windows\System32\miWBWgd.exe
  2⤵
  PID:12624
- C:\Windows\System32\gWIjAMb.exe
  C:\Windows\System32\gWIjAMb.exe
  2⤵
  PID:12652
- C:\Windows\System32\zcXDIMi.exe
  C:\Windows\System32\zcXDIMi.exe
  2⤵
  PID:12680
- C:\Windows\System32\umdWcpv.exe
  C:\Windows\System32\umdWcpv.exe
  2⤵
  PID:12708
- C:\Windows\System32\WLgUBoO.exe
  C:\Windows\System32\WLgUBoO.exe
  2⤵
  PID:12736
- C:\Windows\System32\IoUDwKY.exe
  C:\Windows\System32\IoUDwKY.exe
  2⤵
  PID:12764
- C:\Windows\System32\uUGVYyL.exe
  C:\Windows\System32\uUGVYyL.exe
  2⤵
  PID:12792
- C:\Windows\System32\suIDdty.exe
  C:\Windows\System32\suIDdty.exe
  2⤵
  PID:12820
- C:\Windows\System32\qDFYcsa.exe
  C:\Windows\System32\qDFYcsa.exe
  2⤵
  PID:12848
- C:\Windows\System32\DAPGMgr.exe
  C:\Windows\System32\DAPGMgr.exe
  2⤵
  PID:12876
- C:\Windows\System32\UewROjT.exe
  C:\Windows\System32\UewROjT.exe
  2⤵
  PID:12904
- C:\Windows\System32\WiWKVTX.exe
  C:\Windows\System32\WiWKVTX.exe
  2⤵
  PID:12932
- C:\Windows\System32\dvvugvI.exe
  C:\Windows\System32\dvvugvI.exe
  2⤵
  PID:12960
- C:\Windows\System32\nZVvcEs.exe
  C:\Windows\System32\nZVvcEs.exe
  2⤵
  PID:12988
- C:\Windows\System32\gMtjjkX.exe
  C:\Windows\System32\gMtjjkX.exe
  2⤵
  PID:13016
- C:\Windows\System32\ZHFrHxa.exe
  C:\Windows\System32\ZHFrHxa.exe
  2⤵
  PID:13044
- C:\Windows\System32\cjVnmtF.exe
  C:\Windows\System32\cjVnmtF.exe
  2⤵
  PID:13072
- C:\Windows\System32\hdeVRpe.exe
  C:\Windows\System32\hdeVRpe.exe
  2⤵
  PID:13100
- C:\Windows\System32\YuInLGt.exe
  C:\Windows\System32\YuInLGt.exe
  2⤵
  PID:13128
- C:\Windows\System32\TrwHpTK.exe
  C:\Windows\System32\TrwHpTK.exe
  2⤵
  PID:13156
- C:\Windows\System32\GeHvyWw.exe
  C:\Windows\System32\GeHvyWw.exe
  2⤵
  PID:13184
- C:\Windows\System32\afhltDd.exe
  C:\Windows\System32\afhltDd.exe
  2⤵
  PID:13204
- C:\Windows\System32\HVhMIHI.exe
  C:\Windows\System32\HVhMIHI.exe
  2⤵
  PID:13220
- C:\Windows\System32\SDoHvIw.exe
  C:\Windows\System32\SDoHvIw.exe
  2⤵
  PID:13264
- C:\Windows\System32\tAsuuBW.exe
  C:\Windows\System32\tAsuuBW.exe
  2⤵
  PID:13292
- C:\Windows\System32\edtqoag.exe
  C:\Windows\System32\edtqoag.exe
  2⤵
  PID:12304
- C:\Windows\System32\rEUDJWQ.exe
  C:\Windows\System32\rEUDJWQ.exe
  2⤵
  PID:12360
- C:\Windows\System32\aYaLtVE.exe
  C:\Windows\System32\aYaLtVE.exe
  2⤵
  PID:12432
- C:\Windows\System32\TqXwdtn.exe
  C:\Windows\System32\TqXwdtn.exe
  2⤵
  PID:12508
- C:\Windows\System32\mjGLbuO.exe
  C:\Windows\System32\mjGLbuO.exe
  2⤵
  PID:12572
- C:\Windows\System32\xiXeaxp.exe
  C:\Windows\System32\xiXeaxp.exe
  2⤵
  PID:12640
- C:\Windows\System32\oYiOiXx.exe
  C:\Windows\System32\oYiOiXx.exe
  2⤵
  PID:12704
- C:\Windows\System32\IGaedfV.exe
  C:\Windows\System32\IGaedfV.exe
  2⤵
  PID:12776
- C:\Windows\System32\PWGJuJB.exe
  C:\Windows\System32\PWGJuJB.exe
  2⤵
  PID:12840
- C:\Windows\System32\IFWrxyt.exe
  C:\Windows\System32\IFWrxyt.exe
  2⤵
  PID:13056
- C:\Windows\System32\sLbzMwO.exe
  C:\Windows\System32\sLbzMwO.exe
  2⤵
  PID:13092
- C:\Windows\System32\pwkryBP.exe
  C:\Windows\System32\pwkryBP.exe
  2⤵
  PID:13152
- C:\Windows\System32\EXXZAiU.exe
  C:\Windows\System32\EXXZAiU.exe
  2⤵
  PID:13196

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BqmLXoW.exe

Filesize
2.2MB

MD5
5f5bba5c95b3f4b45f67185c9141c21d

SHA1
72003fbf51341daa711fe7513b63e403d6f194de

SHA256
9b91f68d8a2e04d7e9492e2d278bafdf01f22a66f4ca74f5c2fdd3e963adb348

SHA512
94729a1c1ff4c2eeadce5a40ee455e73a12b939c6a7b6997e3c3ac0aa1ef2995cba8ef28039873c9db74d3da99f30364f3fe27ce38781e126be2f4aa28ab4edb

Download Submit
C:\Windows\System32\CesFhEi.exe

Filesize
2.2MB

MD5
19604175d85e04aeb6006ca343418db1

SHA1
8663b7573e57f07c3fbca495baedba3bf802dd10

SHA256
545261395ec963f315bd755b2ba10f82dd4c8b36dbe88bca54b269fc7222d2bf

SHA512
bc5d9d3ddb9d32d3b9eb44d2ef8f660b2853201cde302e360140962f9bd0ec66ed6aca45c7deafb654188e99f379c1ccf520a7ac33cf3ac12a8c158864ad43f1

Download Submit
C:\Windows\System32\DKlgTqB.exe

Filesize
2.2MB

MD5
f6bcde50aac379f4cd319f406eaff94d

SHA1
ac17029c8623ee99ca47eeb49c901d51ef685885

SHA256
320da5523edb64cdb04a1ca8d5719e759f680ef4b57944710ff93f528cab4653

SHA512
e7743f7ba67928840dd492c30ea154c8593b79bc61080c9c4c207090d83a674cda45da492d1c8ee7eb0ed19c682fe59c5ce6af0ef16afa7e9164e71f8f6d0ff4

Download Submit
C:\Windows\System32\Ecbihib.exe

Filesize
2.2MB

MD5
af2864baee0dca5e6ee2637d673a3353

SHA1
f7c7bcb281972511538764f64fef133aa7191e43

SHA256
bfadba09294f3a069a979a431232165ef4b94e1750da16f1c303367feac0d78c

SHA512
ed401e6a96a537d2a5813620efcaab2bee6dbaa39b1f3b4e355ff7fe01234658392cd3bb672e761b8b47e6b3d4c370224bfe13ecb055c455d8dc62bbc5720196

Download Submit
C:\Windows\System32\ItvaCfw.exe

Filesize
2.2MB

MD5
3f8cb2244817b6ab3060f8aa8110fc00

SHA1
a09bd43ed474179c0a49b078615dea5efc76af04

SHA256
dfecc97d619cde464428f4e95b341096a51d1b2b5569988fab243bf7d4cd2454

SHA512
d2b1a140a9d1bb91f203e3f28b98441352c71ba28644c23fa4e34b434c624532ecbcec5637c4b1dd1c8c570bb3094ea1ddccbb01d8b3f0531d8a15709422cb98

Download Submit
C:\Windows\System32\JHtaqjF.exe

Filesize
2.2MB

MD5
7458b1f5ba1242970e1b2e626c0a66bd

SHA1
7637659b0160fbc871a3d3a43e1bbddbbfdbdc2f

SHA256
0b2f3716dde371ff8e98573efb63102445fe3f143eec9baf1ce05f3a8b3e3868

SHA512
9ce8400ed4154101b37fcc5aac759929b1c6ee4cde46470cc538d85663932a7327a70232027bf5496f85bdcb15922c85b247ee74722f822a33a4a5c467d7a8c2

Download Submit
C:\Windows\System32\JiCHmRd.exe

Filesize
2.2MB

MD5
77bb24ebbf4a4819e7b53a4bc9997f35

SHA1
7e3ada7f36de391369d57c94011af6b7e7d70bce

SHA256
4d57734c02b1e306926a90d4be8804b167b9864105f8c9203111ba0f33cfbd90

SHA512
bfa97cc32f15e611cd180a1d335947fa1c9627b1ef3874c925e520e02387b57d0f1722c421cde8462495f5ac9c185dc7daf155a103c9f63ea8af5a3c4a559268

Download Submit
C:\Windows\System32\OOuHnLa.exe

Filesize
2.2MB

MD5
f176399de383ed8bd09088bbf89cb5ef

SHA1
b5b69a62d5a006f31a2ac577131d7e75a4ed8cb4

SHA256
a464401918322ace4d79b6404a822eb9773a08d28ee3863b82b74143741a6609

SHA512
9d9e587f902afe171fc75bfa13d9013f5c278a63ff848dd1aeca5395c7ad79ecf121e08f7fe3e4c43622d9e94c21e3d80f967ae98b26cbd40a0b708dcd1ed7b3

Download Submit
C:\Windows\System32\QWkDjdT.exe

Filesize
2.2MB

MD5
fca4fe593c0fddde1dcc773718df5cbf

SHA1
7206d48e5387c73d3e73ccbbc03f60c8f9ea2800

SHA256
a6a04e73e096db38b384934773c0aca63976066fc642efadae75fc6e61c31aca

SHA512
1df1d4b8ccb6ea20390c716862b84dcd452aceda6f87899a38379f103c146848a8431c434b15281593c815ea97e3b1816dfb1639fdb70a524f8608b0fbbfac3c

Download Submit
C:\Windows\System32\QhtbnKw.exe

Filesize
2.2MB

MD5
a7ef48563c98766a6728bc702326d8f4

SHA1
fe5a9a16c099ad649653935343e4bcff6371ff19

SHA256
bd64b0475bf275d684aeb986caabd4cd5f83131549166ea73931b2547d67d93c

SHA512
f221f01ef4e8c38030ceebef0d67f71c0973eccc1d106955350b579d8d6293f82d9d808e03b5aef2f3e2be4dca2f6d14734386e76f6e6e8bc190be3a804d0c00

Download Submit
C:\Windows\System32\UWWFmyQ.exe

Filesize
2.2MB

MD5
5ac5e436566020cd95b164b1d2b625c9

SHA1
16cc777ee7106bc5da4c62285e92844d87e8ae09

SHA256
c5384544ee632dad91ec36aede1ff69cd2e518ae05f707bbc6194464ed7c7267

SHA512
a6538fe34125a80f487790dc14e8640b98aaf23ab5bca194b5cdabca0861b3b5da048758d9e0afbac21efe4cd90f8c7568d690f1916ee18735388d16dcf80158

Download Submit
C:\Windows\System32\VEzOWFj.exe

Filesize
2.2MB

MD5
e01f3841ce96677a2f092040ce9bdf92

SHA1
aadec746bea999cf8ed10d2faf6600ace82f9471

SHA256
3fc5f8cf95e8b32399d958262b5ee9d22f476922dc137fff9612971bc20fbd2c

SHA512
a0802da14ca232bc69e083490060134b54c6d8f3b3ee4e838dc010620ce784c561b5a3cca83268975192c6472086b954ac6c85aa801f007e7b636cb9da6714ab

Download Submit
C:\Windows\System32\YpSlHTm.exe

Filesize
2.2MB

MD5
8947a2c17f37813af7dc107ab53cda4a

SHA1
6d456996836a6872b01f0a3232a0198430231a83

SHA256
935ec34e1feba4610321821596f0c7e67a24d09b6de911d089eea2b4b1dce310

SHA512
b9971ff78835a54c3427956a10a89a98f7901beaac70be864336f8232a0aa1fe9da02affd504cbd69ceb1c1aa1b0f1044d65d5f7c12aa8f5d7324159984d0548

Download Submit
C:\Windows\System32\fPvQMbQ.exe

Filesize
2.2MB

MD5
edb8e6f42dc33e54f4709639236c4f23

SHA1
077d42f9c218317176fae13730747065b0e84bdd

SHA256
ec3112ff9466496e13437de81e31ea3adefea30edf974a7845933d2247fb81b0

SHA512
210cb5656635bdb24fd444ed5a83179e7422adfb0007e194f8d5547f0f31919072afdd5ff3ad280b0229acb201d503d09cf296ff793d01a67447f97da0b51e23

Download Submit
C:\Windows\System32\fljfgec.exe

Filesize
2.2MB

MD5
923ff75ccfda3669b25a7e694b202118

SHA1
f55a68919d9178cdd4cfcf392b53071532bcfac8

SHA256
12f7a4c0846ce58e8c02c553fc24d9c5a86733142867c77dda9bca404ffe2fa1

SHA512
e6b2d9f9c72b5f725fbd62ea78f66eebc07ffc659ab4118e0ca4c2e3d05d9e4a353e68352d071052f06b2f52c64f861194b51670424cffe9e653986f793e66f8

Download Submit
C:\Windows\System32\foJSeoP.exe

Filesize
2.2MB

MD5
523e4dda81574e42526933bc3cee3f68

SHA1
769cf95ffcfe9d21a288d4757d3bcb4c7d4fe116

SHA256
78c72a29f1e0ddbf15de2994940388bd51b6be9dec71c8274ecb1f124d0ca112

SHA512
d3a41e63fbe5ff79136ac01afb0d8dd9cc51b1cf46e0e16ca9baf31bb6c27595f2b67bbcc25d6be7b109773a825b5cb31a42ff66bd6d582a8083f0cbbdf2f492

Download Submit
C:\Windows\System32\jUjNHqT.exe

Filesize
2.2MB

MD5
287461c3462421da8b2d2b8e43393bb4

SHA1
0cdbd7390b7e70b168b6c095220d9c84824f61b7

SHA256
d3178074656935611617b0ca306025a370f17df3c9d304d6bcd344d9cf9f5547

SHA512
fd97c008ca560054222e82194b96631f7002f16420ba0638132d95e93db812624c89482d7b099b46149427eb66bfa37caca23bb99a3cec9520f6b7050a233117

Download Submit
C:\Windows\System32\jWizjhW.exe

Filesize
2.2MB

MD5
4486f8f9d3193a456d49c4461c3fe324

SHA1
06f884f27975101d9214d7ac4434281a2778de63

SHA256
aa49de26053c72cbffa30f076922e065e62db707a7b59a2a9ad7affca8cf0cfa

SHA512
835381af5c682969be360b47b75422a91d47590d1189399388911b380ae070970c737eb3d2e796cfd3ff894056d0868b71564351febd9740f09166115e2eecef

Download Submit
C:\Windows\System32\jXxuKvq.exe

Filesize
2.2MB

MD5
b8c8c91d9f6b17dd27b24c91ec30535d

SHA1
9228c9c6f4d0972307a6527cfd7b6898293e7b55

SHA256
ba656ff786436270546adf7ea9514d9b1a2f607565e85aa7117ec85e96355acd

SHA512
3511703749c76d21ff28d7d5059685fb81cb315c5d9c1c194a3e6ffebae299f7461b2386dbe0e6f7941101ac865c070fbcab1d4e40eef4301088aebf3f8e8062

Download Submit
C:\Windows\System32\juPinJQ.exe

Filesize
2.2MB

MD5
17e455a15890ce7f91d5b259484f4139

SHA1
b7c28479dcc2adcab8fa1b73496fb88100c28ad4

SHA256
440c0dd8d7d7adcbf490b5e4b107807ed329a2d3b90ee5c67d5cc3616217bf9c

SHA512
0ecb63001817eee3e277dac7fd43d88af7b9768cb22717ab6b944f78a3c7b927a6737ef3dd1cfbabdfbe356c92363ea3a948571c5e7f04a49c546c2f56e18730

Download Submit
C:\Windows\System32\lrSxQjl.exe

Filesize
2.2MB

MD5
bc608839fb81a344caf1f93c72a39d58

SHA1
aac5767a21ff2c17c60abad02b803066b6a2facd

SHA256
1a080185a7c33e2de0acc6ba0e7eec15fe833fb42753b6f1d7540e5777453237

SHA512
6c5e19710831fc37cf9f67f1ac057c383796546d00c3ac07cd6015f94ec9f48e0a1c384030a3681bd2cd1ee155dacd2f52bfbaef103339866f82daebbdea6894

Download Submit
C:\Windows\System32\mHwTTiT.exe

Filesize
2.2MB

MD5
c70f70207801a774945278e41ad9b8ab

SHA1
6fbaa9a87443d25b3cb4148022fbf6fc6d3ec384

SHA256
d02f086114b69f7f493300103acc194ba55a6cae9e16b3567b88aa8e3b8d20ff

SHA512
6c8eef4a3910b732c79fa61e5c704e4260fde36c4da6747b03e319a1fd2df5b69808862f75cb685db54715d64d114f2ae6e75cc0b12e371d4c23c4dd14d48cea

Download Submit
C:\Windows\System32\mjGJeYb.exe

Filesize
2.2MB

MD5
51d7525edc51641a78bed9e90610a970

SHA1
6bd383a2547732dd1642bccaf87a43d7bb8e6cb6

SHA256
145c9762ce08d65cb310471a81fd501800e2cccb9b5af20d3797e83fec1acb45

SHA512
51ef181f7ef23f8a345564abd7286eb2125cbbe06804302635c852f333339eb9d1699908f22a2790ede8b4c95a6f88be90fe3550d8672fcfee3e74147d8e249b

Download Submit
C:\Windows\System32\nGpzsze.exe

Filesize
2.2MB

MD5
a4abe1c3f18822ba4b61043285399497

SHA1
5b03dca3bc6dddd9fc3da75765979d74f21f28ab

SHA256
efc35bf40f6e302842139a0233a9951207b099b26b032f97c15046df612889d4

SHA512
52a73428ff5be9484478b766fa0f6b84e27e4a0a0eab83948553bec446406e86c68dc67e9506786ede25585882cbc71ef4e89275d2198634a67dfa0e74a48fab

Download Submit
C:\Windows\System32\nMEMgZL.exe

Filesize
2.2MB

MD5
eb8c91367116b9f17fcc2ff427cee16e

SHA1
f9bdfcd4793508b03c2fb554884b9ae6bd65d383

SHA256
96c8d04e663bb6996e4b4235b500f063c985e473b75850a4f58f7ef554d74743

SHA512
8b8f0fc698ca275d4167fa7031202fad0aac80e8237fd62f2e828af2f712dafecfbc3a28f2641c4c8ca7c821db6c152373aef41ad43b174c28a011068bddcc64

Download Submit
C:\Windows\System32\obXDCyo.exe

Filesize
2.2MB

MD5
7e6c066d4160f6a24b749598641e0453

SHA1
e26bbbed0c5f6f0116a058fb7011199b0b854d05

SHA256
8cf7c89fd9ab9bf3c2a959508fd2fe625268765f06b673ef143c0e0698ccd9a3

SHA512
1cb5fc5c4b83cb1951ee143eb6cacf51a79700aa4e734833e8475235dcb702262bcf7a0d6abf5dda402c33f821f1ca51437fcd1775c6f78b9d9113a1205f3601

Download Submit
C:\Windows\System32\oonTPFA.exe

Filesize
2.2MB

MD5
74d24e9783e9fea1e4c95b60caf206f2

SHA1
b6895ae31c37747309e8462a92abc7973ef19f06

SHA256
a3907fea91bd8fe86d453c9c9e019c8252ce16022aba90719c409d01546515f3

SHA512
524d1866161949d2a5ffb18dce83568d4d49720eb811c4c4fc36c5efeaab4b7b419e4c52b8535ab0b4ba76564185a232977c2dd3988af56e252c11161c84e9d4

Download Submit
C:\Windows\System32\plojBjI.exe

Filesize
2.2MB

MD5
0a1406d7de9dfd5d3a8f154d3886d2bb

SHA1
ab75b35679ce533456be7626624cb52e7e84b153

SHA256
ac4fcc32a7a12f6233a4307be0f0621f08e351276e68e22c6034b0ef0e8e3d41

SHA512
16e04aaa340f5d68c9a1dd2063cb15d2a52e56890bc315a4b7ce8bc47001cb7ece9d9e9a5ef6a434d77494224d99a7b20680fa5be93e87a47ae1fb42a587701f

Download Submit
C:\Windows\System32\qISkxzv.exe

Filesize
2.2MB

MD5
05e85a4331754aaa183dd47e1c26b4de

SHA1
90ed7a0599be2097154248dcb2e9f7f474ff2cf5

SHA256
cc3934bf754806669e132dcd5940420fc3cbc65d05ba818e45478607fd8c3e89

SHA512
9ee9746a69c54d25662b6acd904cdb8928c0288c4ce9f4cd0d61ef6923145ace7d1881b6342a8e251a963a411e6750fdcad863eb87724429e748a07cb5162602

Download Submit
C:\Windows\System32\sAZPOOe.exe

Filesize
2.2MB

MD5
25c1379d190d3061f02daa5b16ef9028

SHA1
a9a3a714521da906d465484237e8f8b8ef748c01

SHA256
4b78859be1ea370dda323c0dcd2206da19a82df3241edfb18f48d313142b05e2

SHA512
b8f87e79a851f440afc1766ee7cc1635e4093074329b82447a8e76593a732f8ef90869035a5fce5fca5ddfbff32d5249d5ccf554d69d96e14c61472daf92e089

Download Submit
C:\Windows\System32\xdJdeHV.exe

Filesize
2.2MB

MD5
a347c337f7e5f492b965933ad51ed121

SHA1
aa7ff0ecd7f4f7f7d44280073702db92c196bb1c

SHA256
b2e1a5910948c5a21ca821c2ddcf0970f3b86418f18a6ad186ebc1343e9191b6

SHA512
76ca5ec02b7a4e09158d6994dbbe7dd16efb768cbccceb506bf8ef85d9df7b0025a2ca8e811e72737276e8885ea8288e23e560751609594cd576d0e916c08f4d

Download Submit
C:\Windows\System32\zzQtIjr.exe

Filesize
2.2MB

MD5
9c036c81124c832a76129050387150c5

SHA1
cb2b570b5c3732fb9449f8f8e70ee2be965673d5

SHA256
52c1e73a18076ec08c2c7417094a54318c20ddd24088da07383081d4f02602fc

SHA512
7803ed1f19665637cc4cd708715e42a15a0ccabbabcecddf78e8f6c053c870b8c3943d5e1313572e744d2d02b8e37ed0b92318bda8f26f0d46d6f1c07f81d734

Download Submit
memory/1496-1871-0x00007FF6FD440000-0x00007FF6FD835000-memory.dmp

Filesize
4.0MB

Download
memory/1496-615-0x00007FF6FD440000-0x00007FF6FD835000-memory.dmp

Filesize
4.0MB

Download
memory/2040-641-0x00007FF7DD740000-0x00007FF7DDB35000-memory.dmp

Filesize
4.0MB

Download
memory/2040-1877-0x00007FF7DD740000-0x00007FF7DDB35000-memory.dmp

Filesize
4.0MB

Download
memory/2140-0-0x00007FF714570000-0x00007FF714965000-memory.dmp

Filesize
4.0MB

Download
memory/2140-1731-0x00007FF714570000-0x00007FF714965000-memory.dmp

Filesize
4.0MB

Download
memory/2140-1854-0x00007FF714570000-0x00007FF714965000-memory.dmp

Filesize
4.0MB

Download
memory/2140-1-0x000001D98FE70000-0x000001D98FE80000-memory.dmp

Filesize
64KB

Download
memory/2312-604-0x00007FF6FA1F0000-0x00007FF6FA5E5000-memory.dmp

Filesize
4.0MB

Download
memory/2312-1868-0x00007FF6FA1F0000-0x00007FF6FA5E5000-memory.dmp

Filesize
4.0MB

Download
memory/2396-639-0x00007FF7A4070000-0x00007FF7A4465000-memory.dmp

Filesize
4.0MB

Download
memory/2396-1875-0x00007FF7A4070000-0x00007FF7A4465000-memory.dmp

Filesize
4.0MB

Download
memory/2436-643-0x00007FF6136E0000-0x00007FF613AD5000-memory.dmp

Filesize
4.0MB

Download
memory/2436-1858-0x00007FF6136E0000-0x00007FF613AD5000-memory.dmp

Filesize
4.0MB

Download
memory/3388-1861-0x00007FF732190000-0x00007FF732585000-memory.dmp

Filesize
4.0MB

Download
memory/3388-644-0x00007FF732190000-0x00007FF732585000-memory.dmp

Filesize
4.0MB

Download
memory/3416-637-0x00007FF7D13E0000-0x00007FF7D17D5000-memory.dmp

Filesize
4.0MB

Download
memory/3416-1870-0x00007FF7D13E0000-0x00007FF7D17D5000-memory.dmp

Filesize
4.0MB

Download
memory/3516-1855-0x00007FF6A1900000-0x00007FF6A1CF5000-memory.dmp

Filesize
4.0MB

Download
memory/3516-1851-0x00007FF6A1900000-0x00007FF6A1CF5000-memory.dmp

Filesize
4.0MB

Download
memory/3516-10-0x00007FF6A1900000-0x00007FF6A1CF5000-memory.dmp

Filesize
4.0MB

Download
memory/3936-1878-0x00007FF7C0290000-0x00007FF7C0685000-memory.dmp

Filesize
4.0MB

Download
memory/3936-640-0x00007FF7C0290000-0x00007FF7C0685000-memory.dmp

Filesize
4.0MB

Download
memory/4072-1857-0x00007FF6B7D40000-0x00007FF6B8135000-memory.dmp

Filesize
4.0MB

Download
memory/4072-1852-0x00007FF6B7D40000-0x00007FF6B8135000-memory.dmp

Filesize
4.0MB

Download
memory/4072-30-0x00007FF6B7D40000-0x00007FF6B8135000-memory.dmp

Filesize
4.0MB

Download
memory/4136-1874-0x00007FF630CF0000-0x00007FF6310E5000-memory.dmp

Filesize
4.0MB

Download
memory/4136-642-0x00007FF630CF0000-0x00007FF6310E5000-memory.dmp

Filesize
4.0MB

Download
memory/4212-1867-0x00007FF7C9C90000-0x00007FF7CA085000-memory.dmp

Filesize
4.0MB

Download
memory/4212-638-0x00007FF7C9C90000-0x00007FF7CA085000-memory.dmp

Filesize
4.0MB

Download
memory/4368-590-0x00007FF69FE20000-0x00007FF6A0215000-memory.dmp

Filesize
4.0MB

Download
memory/4368-1864-0x00007FF69FE20000-0x00007FF6A0215000-memory.dmp

Filesize
4.0MB

Download
memory/4400-1860-0x00007FF64E660000-0x00007FF64EA55000-memory.dmp

Filesize
4.0MB

Download
memory/4400-659-0x00007FF64E660000-0x00007FF64EA55000-memory.dmp

Filesize
4.0MB

Download
memory/4432-1863-0x00007FF723D70000-0x00007FF724165000-memory.dmp

Filesize
4.0MB

Download
memory/4432-592-0x00007FF723D70000-0x00007FF724165000-memory.dmp

Filesize
4.0MB

Download
memory/4460-1866-0x00007FF7AAEF0000-0x00007FF7AB2E5000-memory.dmp

Filesize
4.0MB

Download
memory/4460-612-0x00007FF7AAEF0000-0x00007FF7AB2E5000-memory.dmp

Filesize
4.0MB

Download
memory/4632-625-0x00007FF77E880000-0x00007FF77EC75000-memory.dmp

Filesize
4.0MB

Download
memory/4632-1872-0x00007FF77E880000-0x00007FF77EC75000-memory.dmp

Filesize
4.0MB

Download
memory/4668-633-0x00007FF61FD90000-0x00007FF620185000-memory.dmp

Filesize
4.0MB

Download
memory/4668-1876-0x00007FF61FD90000-0x00007FF620185000-memory.dmp

Filesize
4.0MB

Download
memory/4708-1865-0x00007FF67C720000-0x00007FF67CB15000-memory.dmp

Filesize
4.0MB

Download
memory/4708-599-0x00007FF67C720000-0x00007FF67CB15000-memory.dmp

Filesize
4.0MB

Download
memory/4788-635-0x00007FF709650000-0x00007FF709A45000-memory.dmp

Filesize
4.0MB

Download
memory/4788-1869-0x00007FF709650000-0x00007FF709A45000-memory.dmp

Filesize
4.0MB

Download
memory/4816-636-0x00007FF65CBE0000-0x00007FF65CFD5000-memory.dmp

Filesize
4.0MB

Download
memory/4816-1873-0x00007FF65CBE0000-0x00007FF65CFD5000-memory.dmp

Filesize
4.0MB

Download
memory/5316-1862-0x00007FF66CF20000-0x00007FF66D315000-memory.dmp

Filesize
4.0MB

Download
memory/5316-1853-0x00007FF66CF20000-0x00007FF66D315000-memory.dmp

Filesize
4.0MB

Download
memory/5316-584-0x00007FF66CF20000-0x00007FF66D315000-memory.dmp

Filesize
4.0MB

Download
memory/5488-1856-0x00007FF6DAD40000-0x00007FF6DB135000-memory.dmp

Filesize
4.0MB

Download
memory/5488-35-0x00007FF6DAD40000-0x00007FF6DB135000-memory.dmp

Filesize
4.0MB

Download
memory/5844-1859-0x00007FF6C04F0000-0x00007FF6C08E5000-memory.dmp

Filesize
4.0MB

Download
memory/5844-39-0x00007FF6C04F0000-0x00007FF6C08E5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads