xmrig | 22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
Size

3.4MB
MD5

89a4efc4943bc461a737edf8eac0cdd0
SHA1

2b81daa19d7368ec8960105f0340f8f83b02e2a0
SHA256

22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5
SHA512

abbdd96a44829d6c04d07cbee2e8875ef3c509e414a58b393629c67e2c6bd22ac55c1abf1c972ded92d950df149e98601dfd65eddf9636854d7223cacf8d95b7
SSDEEP

98304:w0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc40j:wFWPClFkj

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/5060-0-0x00007FF620050000-0x00007FF620445000-memory.dmp	xmrig
behavioral2/files/0x00080000000235ae-6.dat	xmrig
behavioral2/files/0x00070000000235b2-9.dat	xmrig
behavioral2/memory/4336-17-0x00007FF76D810000-0x00007FF76DC05000-memory.dmp	xmrig
behavioral2/files/0x00070000000235b3-15.dat	xmrig
behavioral2/memory/4064-18-0x00007FF70E560000-0x00007FF70E955000-memory.dmp	xmrig
behavioral2/memory/4004-14-0x00007FF6027F0000-0x00007FF602BE5000-memory.dmp	xmrig
behavioral2/files/0x00070000000235b4-22.dat	xmrig
behavioral2/memory/536-24-0x00007FF62D3B0000-0x00007FF62D7A5000-memory.dmp	xmrig
behavioral2/files/0x00070000000235b5-30.dat	xmrig
behavioral2/files/0x00080000000235af-35.dat	xmrig
behavioral2/files/0x00070000000235b6-40.dat	xmrig
behavioral2/files/0x00070000000235b7-45.dat	xmrig
behavioral2/files/0x00070000000235b8-50.dat	xmrig
behavioral2/files/0x00070000000235ba-59.dat	xmrig
behavioral2/files/0x00070000000235bb-65.dat	xmrig
behavioral2/files/0x00070000000235bd-72.dat	xmrig
behavioral2/files/0x00070000000235c1-95.dat	xmrig
behavioral2/files/0x00070000000235c3-105.dat	xmrig
behavioral2/files/0x00070000000235c6-116.dat	xmrig
behavioral2/files/0x00070000000235c8-130.dat	xmrig
behavioral2/files/0x00070000000235cb-145.dat	xmrig
behavioral2/files/0x00070000000235d0-166.dat	xmrig
behavioral2/files/0x00070000000235cf-163.dat	xmrig
behavioral2/files/0x00070000000235ce-160.dat	xmrig
behavioral2/files/0x00070000000235cd-155.dat	xmrig
behavioral2/files/0x00070000000235cc-150.dat	xmrig
behavioral2/files/0x00070000000235ca-141.dat	xmrig
behavioral2/files/0x00070000000235c9-135.dat	xmrig
behavioral2/files/0x00070000000235c7-125.dat	xmrig
behavioral2/files/0x00070000000235c5-118.dat	xmrig
behavioral2/files/0x00070000000235c4-113.dat	xmrig
behavioral2/files/0x00070000000235c2-100.dat	xmrig
behavioral2/files/0x00070000000235c0-90.dat	xmrig
behavioral2/files/0x00070000000235bf-85.dat	xmrig
behavioral2/files/0x00070000000235be-80.dat	xmrig
behavioral2/files/0x00070000000235bc-70.dat	xmrig
behavioral2/files/0x00070000000235b9-55.dat	xmrig
behavioral2/memory/1032-925-0x00007FF6EEE10000-0x00007FF6EF205000-memory.dmp	xmrig
behavioral2/memory/4688-934-0x00007FF747F60000-0x00007FF748355000-memory.dmp	xmrig
behavioral2/memory/668-940-0x00007FF6F4D10000-0x00007FF6F5105000-memory.dmp	xmrig
behavioral2/memory/2692-951-0x00007FF63B510000-0x00007FF63B905000-memory.dmp	xmrig
behavioral2/memory/852-956-0x00007FF6DC790000-0x00007FF6DCB85000-memory.dmp	xmrig
behavioral2/memory/4384-966-0x00007FF759ED0000-0x00007FF75A2C5000-memory.dmp	xmrig
behavioral2/memory/3900-955-0x00007FF6FA820000-0x00007FF6FAC15000-memory.dmp	xmrig
behavioral2/memory/4716-950-0x00007FF693800000-0x00007FF693BF5000-memory.dmp	xmrig
behavioral2/memory/4612-947-0x00007FF717630000-0x00007FF717A25000-memory.dmp	xmrig
behavioral2/memory/2812-941-0x00007FF767730000-0x00007FF767B25000-memory.dmp	xmrig
behavioral2/memory/3196-977-0x00007FF682310000-0x00007FF682705000-memory.dmp	xmrig
behavioral2/memory/1568-988-0x00007FF7DDC20000-0x00007FF7DE015000-memory.dmp	xmrig
behavioral2/memory/3500-984-0x00007FF6BEFC0000-0x00007FF6BF3B5000-memory.dmp	xmrig
behavioral2/memory/3828-999-0x00007FF604080000-0x00007FF604475000-memory.dmp	xmrig
behavioral2/memory/5096-1008-0x00007FF663490000-0x00007FF663885000-memory.dmp	xmrig
behavioral2/memory/1140-1006-0x00007FF6BE530000-0x00007FF6BE925000-memory.dmp	xmrig
behavioral2/memory/1228-1004-0x00007FF7DDAD0000-0x00007FF7DDEC5000-memory.dmp	xmrig
behavioral2/memory/1924-996-0x00007FF7F8C40000-0x00007FF7F9035000-memory.dmp	xmrig
behavioral2/memory/900-995-0x00007FF6A0390000-0x00007FF6A0785000-memory.dmp	xmrig
behavioral2/memory/3412-992-0x00007FF7662A0000-0x00007FF766695000-memory.dmp	xmrig
behavioral2/memory/4064-1828-0x00007FF70E560000-0x00007FF70E955000-memory.dmp	xmrig
behavioral2/memory/4004-1829-0x00007FF6027F0000-0x00007FF602BE5000-memory.dmp	xmrig
behavioral2/memory/4336-1830-0x00007FF76D810000-0x00007FF76DC05000-memory.dmp	xmrig
behavioral2/memory/4064-1831-0x00007FF70E560000-0x00007FF70E955000-memory.dmp	xmrig
behavioral2/memory/1032-1832-0x00007FF6EEE10000-0x00007FF6EF205000-memory.dmp	xmrig
behavioral2/memory/536-1833-0x00007FF62D3B0000-0x00007FF62D7A5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4004	EQyTGyX.exe
4336	xnCnwAG.exe
4064	WeKiaZO.exe
536	ZapEhfU.exe
1032	ZOOIEFL.exe
4688	jjwYFUp.exe
668	zaxTJXb.exe
2812	ooLXePQ.exe
4612	KJiaiRW.exe
4716	xQcVAmm.exe
2692	gckHMeK.exe
3900	lJIOlbu.exe
852	kMpDkQp.exe
4384	eXzXirq.exe
3196	PWekCCR.exe
3500	vzgukia.exe
1568	pVGNaPk.exe
3412	JNiDmcw.exe
900	dMGbHNd.exe
1924	Zcllcqb.exe
3828	TJRABJZ.exe
1228	HbXPKSP.exe
1140	IMgTvUM.exe
5096	tDYnbcn.exe
3384	gVbxJXW.exe
4304	AYPDpSK.exe
2452	EAhEaSw.exe
3312	utBcEVO.exe
4264	EOIXNwQ.exe
4660	yHMPkAT.exe
1444	JAcUbJj.exe
2180	ZFKLwKQ.exe
1572	waxxKCD.exe
4404	ldnwqZE.exe
3960	XbWPjCB.exe
1408	eifCPne.exe
3976	pObriYL.exe
5048	oiwWXmB.exe
2424	OmjOdaz.exe
1640	bbSJRdX.exe
3316	llwglfL.exe
1696	wxiDzKP.exe
936	tJrwClr.exe
4476	RIXrdiW.exe
336	fDxUoKn.exe
4868	QshJzjI.exe
4440	LfSBndg.exe
4464	WiOiOaJ.exe
1812	kQYehAN.exe
4644	oowAoEl.exe
4080	PgsVMgh.exe
3032	vKTHOcu.exe
4056	YOxCArC.exe
4568	LkfwLVg.exe
4364	pWEFdIA.exe
5156	YUMKWmS.exe
5172	WZlNpVB.exe
5200	HsbUFxc.exe
5228	ZturYvi.exe
5268	mFkLhnM.exe
5284	EdmUlyK.exe
5312	FvXYsJx.exe
5340	lvHwQZj.exe
5368	pFrtHlb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5060-0-0x00007FF620050000-0x00007FF620445000-memory.dmp	upx
behavioral2/files/0x00080000000235ae-6.dat	upx
behavioral2/files/0x00070000000235b2-9.dat	upx
behavioral2/memory/4336-17-0x00007FF76D810000-0x00007FF76DC05000-memory.dmp	upx
behavioral2/files/0x00070000000235b3-15.dat	upx
behavioral2/memory/4064-18-0x00007FF70E560000-0x00007FF70E955000-memory.dmp	upx
behavioral2/memory/4004-14-0x00007FF6027F0000-0x00007FF602BE5000-memory.dmp	upx
behavioral2/files/0x00070000000235b4-22.dat	upx
behavioral2/memory/536-24-0x00007FF62D3B0000-0x00007FF62D7A5000-memory.dmp	upx
behavioral2/files/0x00070000000235b5-30.dat	upx
behavioral2/files/0x00080000000235af-35.dat	upx
behavioral2/files/0x00070000000235b6-40.dat	upx
behavioral2/files/0x00070000000235b7-45.dat	upx
behavioral2/files/0x00070000000235b8-50.dat	upx
behavioral2/files/0x00070000000235ba-59.dat	upx
behavioral2/files/0x00070000000235bb-65.dat	upx
behavioral2/files/0x00070000000235bd-72.dat	upx
behavioral2/files/0x00070000000235c1-95.dat	upx
behavioral2/files/0x00070000000235c3-105.dat	upx
behavioral2/files/0x00070000000235c6-116.dat	upx
behavioral2/files/0x00070000000235c8-130.dat	upx
behavioral2/files/0x00070000000235cb-145.dat	upx
behavioral2/files/0x00070000000235d0-166.dat	upx
behavioral2/files/0x00070000000235cf-163.dat	upx
behavioral2/files/0x00070000000235ce-160.dat	upx
behavioral2/files/0x00070000000235cd-155.dat	upx
behavioral2/files/0x00070000000235cc-150.dat	upx
behavioral2/files/0x00070000000235ca-141.dat	upx
behavioral2/files/0x00070000000235c9-135.dat	upx
behavioral2/files/0x00070000000235c7-125.dat	upx
behavioral2/files/0x00070000000235c5-118.dat	upx
behavioral2/files/0x00070000000235c4-113.dat	upx
behavioral2/files/0x00070000000235c2-100.dat	upx
behavioral2/files/0x00070000000235c0-90.dat	upx
behavioral2/files/0x00070000000235bf-85.dat	upx
behavioral2/files/0x00070000000235be-80.dat	upx
behavioral2/files/0x00070000000235bc-70.dat	upx
behavioral2/files/0x00070000000235b9-55.dat	upx
behavioral2/memory/1032-925-0x00007FF6EEE10000-0x00007FF6EF205000-memory.dmp	upx
behavioral2/memory/4688-934-0x00007FF747F60000-0x00007FF748355000-memory.dmp	upx
behavioral2/memory/668-940-0x00007FF6F4D10000-0x00007FF6F5105000-memory.dmp	upx
behavioral2/memory/2692-951-0x00007FF63B510000-0x00007FF63B905000-memory.dmp	upx
behavioral2/memory/852-956-0x00007FF6DC790000-0x00007FF6DCB85000-memory.dmp	upx
behavioral2/memory/4384-966-0x00007FF759ED0000-0x00007FF75A2C5000-memory.dmp	upx
behavioral2/memory/3900-955-0x00007FF6FA820000-0x00007FF6FAC15000-memory.dmp	upx
behavioral2/memory/4716-950-0x00007FF693800000-0x00007FF693BF5000-memory.dmp	upx
behavioral2/memory/4612-947-0x00007FF717630000-0x00007FF717A25000-memory.dmp	upx
behavioral2/memory/2812-941-0x00007FF767730000-0x00007FF767B25000-memory.dmp	upx
behavioral2/memory/3196-977-0x00007FF682310000-0x00007FF682705000-memory.dmp	upx
behavioral2/memory/1568-988-0x00007FF7DDC20000-0x00007FF7DE015000-memory.dmp	upx
behavioral2/memory/3500-984-0x00007FF6BEFC0000-0x00007FF6BF3B5000-memory.dmp	upx
behavioral2/memory/3828-999-0x00007FF604080000-0x00007FF604475000-memory.dmp	upx
behavioral2/memory/5096-1008-0x00007FF663490000-0x00007FF663885000-memory.dmp	upx
behavioral2/memory/1140-1006-0x00007FF6BE530000-0x00007FF6BE925000-memory.dmp	upx
behavioral2/memory/1228-1004-0x00007FF7DDAD0000-0x00007FF7DDEC5000-memory.dmp	upx
behavioral2/memory/1924-996-0x00007FF7F8C40000-0x00007FF7F9035000-memory.dmp	upx
behavioral2/memory/900-995-0x00007FF6A0390000-0x00007FF6A0785000-memory.dmp	upx
behavioral2/memory/3412-992-0x00007FF7662A0000-0x00007FF766695000-memory.dmp	upx
behavioral2/memory/4064-1828-0x00007FF70E560000-0x00007FF70E955000-memory.dmp	upx
behavioral2/memory/4004-1829-0x00007FF6027F0000-0x00007FF602BE5000-memory.dmp	upx
behavioral2/memory/4336-1830-0x00007FF76D810000-0x00007FF76DC05000-memory.dmp	upx
behavioral2/memory/4064-1831-0x00007FF70E560000-0x00007FF70E955000-memory.dmp	upx
behavioral2/memory/1032-1832-0x00007FF6EEE10000-0x00007FF6EF205000-memory.dmp	upx
behavioral2/memory/536-1833-0x00007FF62D3B0000-0x00007FF62D7A5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\YOxCArC.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\GcXyOuG.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\gjYhHYA.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\EVQWaKs.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\trVzDvU.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\mDIlRJS.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\qsjvhAG.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\qUylLky.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\dYGpQqF.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\ZHMRnkA.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\RHIKKpL.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\wxOIUFE.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\ZxsInJr.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\iaOeKjU.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\ZusxCtx.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\ZkowvqU.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\IzoyXkP.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\EGbhrOj.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\FVGwkLM.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\oGNjaSC.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\ttesUgi.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\HbxEyrU.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\rpEZOiY.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\wUzPHBZ.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\axVETTh.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\pIXycfe.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\HbXPKSP.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\ZFKLwKQ.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\tJrwClr.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\oUAzvZo.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\bHQfXuF.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\uCSxqKJ.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\jVlqKQo.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\GTipqYg.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\ydLyVKy.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\Xiijxrh.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\rrmDGyY.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\SwKmiNO.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\gquOJZw.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\sdxExUY.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\LPhTglg.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\uCRpwJP.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\OOBtAOZ.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\QDVdzaL.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\jULSVdu.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\VVzmKzd.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\GQVkmDC.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\inIXHOr.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\mfzRCVj.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\WXtSHpY.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\tppYIym.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\sowPwVM.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\KsuYSez.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\tDYnbcn.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\mJmzcgo.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\ySzoiwk.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\HsijYOV.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\bhBNIgo.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\CbCKDcB.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\PsWvtMn.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\nSIBBwS.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\FKPJdsP.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\kmbpRQG.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
File created	C:\Windows\System32\gckHMeK.exe	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13720	dwm.exe
Token: SeChangeNotifyPrivilege	13720	dwm.exe
Token: 33	13720	dwm.exe
Token: SeIncBasePriorityPrivilege	13720	dwm.exe
Token: SeShutdownPrivilege	13720	dwm.exe
Token: SeCreatePagefilePrivilege	13720	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4004	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	91
PID 5060 wrote to memory of 4004	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	91
PID 5060 wrote to memory of 4336	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	92
PID 5060 wrote to memory of 4336	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	92
PID 5060 wrote to memory of 4064	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	93
PID 5060 wrote to memory of 4064	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	93
PID 5060 wrote to memory of 536	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	94
PID 5060 wrote to memory of 536	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	94
PID 5060 wrote to memory of 1032	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	95
PID 5060 wrote to memory of 1032	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	95
PID 5060 wrote to memory of 4688	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	97
PID 5060 wrote to memory of 4688	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	97
PID 5060 wrote to memory of 668	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	98
PID 5060 wrote to memory of 668	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	98
PID 5060 wrote to memory of 2812	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	99
PID 5060 wrote to memory of 2812	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	99
PID 5060 wrote to memory of 4612	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	100
PID 5060 wrote to memory of 4612	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	100
PID 5060 wrote to memory of 4716	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	101
PID 5060 wrote to memory of 4716	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	101
PID 5060 wrote to memory of 2692	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	102
PID 5060 wrote to memory of 2692	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	102
PID 5060 wrote to memory of 3900	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	103
PID 5060 wrote to memory of 3900	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	103
PID 5060 wrote to memory of 852	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	104
PID 5060 wrote to memory of 852	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	104
PID 5060 wrote to memory of 4384	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	105
PID 5060 wrote to memory of 4384	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	105
PID 5060 wrote to memory of 3196	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	106
PID 5060 wrote to memory of 3196	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	106
PID 5060 wrote to memory of 3500	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	107
PID 5060 wrote to memory of 3500	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	107
PID 5060 wrote to memory of 1568	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	108
PID 5060 wrote to memory of 1568	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	108
PID 5060 wrote to memory of 3412	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	109
PID 5060 wrote to memory of 3412	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	109
PID 5060 wrote to memory of 900	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	110
PID 5060 wrote to memory of 900	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	110
PID 5060 wrote to memory of 1924	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	111
PID 5060 wrote to memory of 1924	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	111
PID 5060 wrote to memory of 3828	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	112
PID 5060 wrote to memory of 3828	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	112
PID 5060 wrote to memory of 1228	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	113
PID 5060 wrote to memory of 1228	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	113
PID 5060 wrote to memory of 1140	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	114
PID 5060 wrote to memory of 1140	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	114
PID 5060 wrote to memory of 5096	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	115
PID 5060 wrote to memory of 5096	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	115
PID 5060 wrote to memory of 3384	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	116
PID 5060 wrote to memory of 3384	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	116
PID 5060 wrote to memory of 4304	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	117
PID 5060 wrote to memory of 4304	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	117
PID 5060 wrote to memory of 2452	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	118
PID 5060 wrote to memory of 2452	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	118
PID 5060 wrote to memory of 3312	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	119
PID 5060 wrote to memory of 3312	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	119
PID 5060 wrote to memory of 4264	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	120
PID 5060 wrote to memory of 4264	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	120
PID 5060 wrote to memory of 4660	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	121
PID 5060 wrote to memory of 4660	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	121
PID 5060 wrote to memory of 1444	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	122
PID 5060 wrote to memory of 1444	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	122
PID 5060 wrote to memory of 2180	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	123
PID 5060 wrote to memory of 2180	5060	22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe	123

C:\Users\Admin\AppData\Local\Temp\22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe
"C:\Users\Admin\AppData\Local\Temp\22f675238c5b3e2181cac3751f910c98a83d65ead6c219ba9665c97be2c9a6e5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\System32\EQyTGyX.exe
  C:\Windows\System32\EQyTGyX.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System32\xnCnwAG.exe
  C:\Windows\System32\xnCnwAG.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\WeKiaZO.exe
  C:\Windows\System32\WeKiaZO.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System32\ZapEhfU.exe
  C:\Windows\System32\ZapEhfU.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System32\ZOOIEFL.exe
  C:\Windows\System32\ZOOIEFL.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System32\jjwYFUp.exe
  C:\Windows\System32\jjwYFUp.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System32\zaxTJXb.exe
  C:\Windows\System32\zaxTJXb.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System32\ooLXePQ.exe
  C:\Windows\System32\ooLXePQ.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System32\KJiaiRW.exe
  C:\Windows\System32\KJiaiRW.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\xQcVAmm.exe
  C:\Windows\System32\xQcVAmm.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System32\gckHMeK.exe
  C:\Windows\System32\gckHMeK.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\lJIOlbu.exe
  C:\Windows\System32\lJIOlbu.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System32\kMpDkQp.exe
  C:\Windows\System32\kMpDkQp.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System32\eXzXirq.exe
  C:\Windows\System32\eXzXirq.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\PWekCCR.exe
  C:\Windows\System32\PWekCCR.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\vzgukia.exe
  C:\Windows\System32\vzgukia.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\pVGNaPk.exe
  C:\Windows\System32\pVGNaPk.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System32\JNiDmcw.exe
  C:\Windows\System32\JNiDmcw.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\dMGbHNd.exe
  C:\Windows\System32\dMGbHNd.exe
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\System32\Zcllcqb.exe
  C:\Windows\System32\Zcllcqb.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\TJRABJZ.exe
  C:\Windows\System32\TJRABJZ.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\HbXPKSP.exe
  C:\Windows\System32\HbXPKSP.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System32\IMgTvUM.exe
  C:\Windows\System32\IMgTvUM.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System32\tDYnbcn.exe
  C:\Windows\System32\tDYnbcn.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\gVbxJXW.exe
  C:\Windows\System32\gVbxJXW.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System32\AYPDpSK.exe
  C:\Windows\System32\AYPDpSK.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\EAhEaSw.exe
  C:\Windows\System32\EAhEaSw.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System32\utBcEVO.exe
  C:\Windows\System32\utBcEVO.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System32\EOIXNwQ.exe
  C:\Windows\System32\EOIXNwQ.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System32\yHMPkAT.exe
  C:\Windows\System32\yHMPkAT.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\JAcUbJj.exe
  C:\Windows\System32\JAcUbJj.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System32\ZFKLwKQ.exe
  C:\Windows\System32\ZFKLwKQ.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System32\waxxKCD.exe
  C:\Windows\System32\waxxKCD.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\ldnwqZE.exe
  C:\Windows\System32\ldnwqZE.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\XbWPjCB.exe
  C:\Windows\System32\XbWPjCB.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System32\eifCPne.exe
  C:\Windows\System32\eifCPne.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System32\pObriYL.exe
  C:\Windows\System32\pObriYL.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System32\oiwWXmB.exe
  C:\Windows\System32\oiwWXmB.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\OmjOdaz.exe
  C:\Windows\System32\OmjOdaz.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System32\bbSJRdX.exe
  C:\Windows\System32\bbSJRdX.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System32\llwglfL.exe
  C:\Windows\System32\llwglfL.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System32\wxiDzKP.exe
  C:\Windows\System32\wxiDzKP.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System32\tJrwClr.exe
  C:\Windows\System32\tJrwClr.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System32\RIXrdiW.exe
  C:\Windows\System32\RIXrdiW.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\fDxUoKn.exe
  C:\Windows\System32\fDxUoKn.exe
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\System32\QshJzjI.exe
  C:\Windows\System32\QshJzjI.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\LfSBndg.exe
  C:\Windows\System32\LfSBndg.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\WiOiOaJ.exe
  C:\Windows\System32\WiOiOaJ.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\kQYehAN.exe
  C:\Windows\System32\kQYehAN.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\oowAoEl.exe
  C:\Windows\System32\oowAoEl.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\PgsVMgh.exe
  C:\Windows\System32\PgsVMgh.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\vKTHOcu.exe
  C:\Windows\System32\vKTHOcu.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System32\YOxCArC.exe
  C:\Windows\System32\YOxCArC.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\LkfwLVg.exe
  C:\Windows\System32\LkfwLVg.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\pWEFdIA.exe
  C:\Windows\System32\pWEFdIA.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System32\YUMKWmS.exe
  C:\Windows\System32\YUMKWmS.exe
  2⤵
  - Executes dropped EXE
  PID:5156
- C:\Windows\System32\WZlNpVB.exe
  C:\Windows\System32\WZlNpVB.exe
  2⤵
  - Executes dropped EXE
  PID:5172
- C:\Windows\System32\HsbUFxc.exe
  C:\Windows\System32\HsbUFxc.exe
  2⤵
  - Executes dropped EXE
  PID:5200
- C:\Windows\System32\ZturYvi.exe
  C:\Windows\System32\ZturYvi.exe
  2⤵
  - Executes dropped EXE
  PID:5228
- C:\Windows\System32\mFkLhnM.exe
  C:\Windows\System32\mFkLhnM.exe
  2⤵
  - Executes dropped EXE
  PID:5268
- C:\Windows\System32\EdmUlyK.exe
  C:\Windows\System32\EdmUlyK.exe
  2⤵
  - Executes dropped EXE
  PID:5284
- C:\Windows\System32\FvXYsJx.exe
  C:\Windows\System32\FvXYsJx.exe
  2⤵
  - Executes dropped EXE
  PID:5312
- C:\Windows\System32\lvHwQZj.exe
  C:\Windows\System32\lvHwQZj.exe
  2⤵
  - Executes dropped EXE
  PID:5340
- C:\Windows\System32\pFrtHlb.exe
  C:\Windows\System32\pFrtHlb.exe
  2⤵
  - Executes dropped EXE
  PID:5368
- C:\Windows\System32\LjPhyVy.exe
  C:\Windows\System32\LjPhyVy.exe
  2⤵
  PID:5396
- C:\Windows\System32\VKECgPh.exe
  C:\Windows\System32\VKECgPh.exe
  2⤵
  PID:5424
- C:\Windows\System32\dYGpQqF.exe
  C:\Windows\System32\dYGpQqF.exe
  2⤵
  PID:5448
- C:\Windows\System32\Hurbcde.exe
  C:\Windows\System32\Hurbcde.exe
  2⤵
  PID:5480
- C:\Windows\System32\oxvBoiS.exe
  C:\Windows\System32\oxvBoiS.exe
  2⤵
  PID:5508
- C:\Windows\System32\RaMnIjw.exe
  C:\Windows\System32\RaMnIjw.exe
  2⤵
  PID:5544
- C:\Windows\System32\BJzawTS.exe
  C:\Windows\System32\BJzawTS.exe
  2⤵
  PID:5564
- C:\Windows\System32\gjGnLmF.exe
  C:\Windows\System32\gjGnLmF.exe
  2⤵
  PID:5592
- C:\Windows\System32\kKTNStU.exe
  C:\Windows\System32\kKTNStU.exe
  2⤵
  PID:5620
- C:\Windows\System32\stkLkxy.exe
  C:\Windows\System32\stkLkxy.exe
  2⤵
  PID:5648
- C:\Windows\System32\ZHMRnkA.exe
  C:\Windows\System32\ZHMRnkA.exe
  2⤵
  PID:5676
- C:\Windows\System32\snFKxrV.exe
  C:\Windows\System32\snFKxrV.exe
  2⤵
  PID:5700
- C:\Windows\System32\TQaRIhW.exe
  C:\Windows\System32\TQaRIhW.exe
  2⤵
  PID:5732
- C:\Windows\System32\GLnzPHH.exe
  C:\Windows\System32\GLnzPHH.exe
  2⤵
  PID:5760
- C:\Windows\System32\eSLiulZ.exe
  C:\Windows\System32\eSLiulZ.exe
  2⤵
  PID:5784
- C:\Windows\System32\qdtnFXI.exe
  C:\Windows\System32\qdtnFXI.exe
  2⤵
  PID:5816
- C:\Windows\System32\ZhrnMxH.exe
  C:\Windows\System32\ZhrnMxH.exe
  2⤵
  PID:5840
- C:\Windows\System32\vzoQFUo.exe
  C:\Windows\System32\vzoQFUo.exe
  2⤵
  PID:5872
- C:\Windows\System32\LUsuIuk.exe
  C:\Windows\System32\LUsuIuk.exe
  2⤵
  PID:5900
- C:\Windows\System32\mPphXnn.exe
  C:\Windows\System32\mPphXnn.exe
  2⤵
  PID:5928
- C:\Windows\System32\iaOeKjU.exe
  C:\Windows\System32\iaOeKjU.exe
  2⤵
  PID:5956
- C:\Windows\System32\RHIKKpL.exe
  C:\Windows\System32\RHIKKpL.exe
  2⤵
  PID:5984
- C:\Windows\System32\gFvmBUE.exe
  C:\Windows\System32\gFvmBUE.exe
  2⤵
  PID:6020
- C:\Windows\System32\iDXFXFl.exe
  C:\Windows\System32\iDXFXFl.exe
  2⤵
  PID:6052
- C:\Windows\System32\UNitYsO.exe
  C:\Windows\System32\UNitYsO.exe
  2⤵
  PID:6068
- C:\Windows\System32\CFxscsh.exe
  C:\Windows\System32\CFxscsh.exe
  2⤵
  PID:6108
- C:\Windows\System32\jpHYsOl.exe
  C:\Windows\System32\jpHYsOl.exe
  2⤵
  PID:6136
- C:\Windows\System32\TxPYLxi.exe
  C:\Windows\System32\TxPYLxi.exe
  2⤵
  PID:60
- C:\Windows\System32\hZZfrXG.exe
  C:\Windows\System32\hZZfrXG.exe
  2⤵
  PID:4012
- C:\Windows\System32\PORjwJG.exe
  C:\Windows\System32\PORjwJG.exe
  2⤵
  PID:1552
- C:\Windows\System32\xNtqFMf.exe
  C:\Windows\System32\xNtqFMf.exe
  2⤵
  PID:2844
- C:\Windows\System32\wmrMdlu.exe
  C:\Windows\System32\wmrMdlu.exe
  2⤵
  PID:1052
- C:\Windows\System32\rhoQPel.exe
  C:\Windows\System32\rhoQPel.exe
  2⤵
  PID:5148
- C:\Windows\System32\utgNcCj.exe
  C:\Windows\System32\utgNcCj.exe
  2⤵
  PID:5248
- C:\Windows\System32\fLdYKyW.exe
  C:\Windows\System32\fLdYKyW.exe
  2⤵
  PID:5280
- C:\Windows\System32\lGfJnLX.exe
  C:\Windows\System32\lGfJnLX.exe
  2⤵
  PID:5320
- C:\Windows\System32\bVeIiFk.exe
  C:\Windows\System32\bVeIiFk.exe
  2⤵
  PID:5404
- C:\Windows\System32\tunXifb.exe
  C:\Windows\System32\tunXifb.exe
  2⤵
  PID:5488
- C:\Windows\System32\yTtvDKr.exe
  C:\Windows\System32\yTtvDKr.exe
  2⤵
  PID:5540
- C:\Windows\System32\roMTcaU.exe
  C:\Windows\System32\roMTcaU.exe
  2⤵
  PID:5612
- C:\Windows\System32\tpmmUTG.exe
  C:\Windows\System32\tpmmUTG.exe
  2⤵
  PID:5684
- C:\Windows\System32\uJMpnOW.exe
  C:\Windows\System32\uJMpnOW.exe
  2⤵
  PID:5744
- C:\Windows\System32\QkAaUfk.exe
  C:\Windows\System32\QkAaUfk.exe
  2⤵
  PID:5808
- C:\Windows\System32\qcwesBy.exe
  C:\Windows\System32\qcwesBy.exe
  2⤵
  PID:5892
- C:\Windows\System32\DneIWBZ.exe
  C:\Windows\System32\DneIWBZ.exe
  2⤵
  PID:5940
- C:\Windows\System32\hTNwfKX.exe
  C:\Windows\System32\hTNwfKX.exe
  2⤵
  PID:5996
- C:\Windows\System32\KDBMsmv.exe
  C:\Windows\System32\KDBMsmv.exe
  2⤵
  PID:6088
- C:\Windows\System32\cQMaWPN.exe
  C:\Windows\System32\cQMaWPN.exe
  2⤵
  PID:32
- C:\Windows\System32\LhvAsUU.exe
  C:\Windows\System32\LhvAsUU.exe
  2⤵
  PID:4052
- C:\Windows\System32\zEejoDl.exe
  C:\Windows\System32\zEejoDl.exe
  2⤵
  PID:552
- C:\Windows\System32\OFFefQQ.exe
  C:\Windows\System32\OFFefQQ.exe
  2⤵
  PID:5276
- C:\Windows\System32\QGVMeCW.exe
  C:\Windows\System32\QGVMeCW.exe
  2⤵
  PID:5376
- C:\Windows\System32\aTTYVOn.exe
  C:\Windows\System32\aTTYVOn.exe
  2⤵
  PID:5600
- C:\Windows\System32\ZNptIez.exe
  C:\Windows\System32\ZNptIez.exe
  2⤵
  PID:5708
- C:\Windows\System32\LmXHVoF.exe
  C:\Windows\System32\LmXHVoF.exe
  2⤵
  PID:6168
- C:\Windows\System32\eNuusWE.exe
  C:\Windows\System32\eNuusWE.exe
  2⤵
  PID:6192
- C:\Windows\System32\IYwAGJW.exe
  C:\Windows\System32\IYwAGJW.exe
  2⤵
  PID:6224
- C:\Windows\System32\sIKpcUM.exe
  C:\Windows\System32\sIKpcUM.exe
  2⤵
  PID:6248
- C:\Windows\System32\eFYEpYB.exe
  C:\Windows\System32\eFYEpYB.exe
  2⤵
  PID:6276
- C:\Windows\System32\NfltOfR.exe
  C:\Windows\System32\NfltOfR.exe
  2⤵
  PID:6304
- C:\Windows\System32\NivupTh.exe
  C:\Windows\System32\NivupTh.exe
  2⤵
  PID:6336
- C:\Windows\System32\gNsgPSS.exe
  C:\Windows\System32\gNsgPSS.exe
  2⤵
  PID:6364
- C:\Windows\System32\pwebymf.exe
  C:\Windows\System32\pwebymf.exe
  2⤵
  PID:6388
- C:\Windows\System32\nWJHgJk.exe
  C:\Windows\System32\nWJHgJk.exe
  2⤵
  PID:6416
- C:\Windows\System32\qEQdxSb.exe
  C:\Windows\System32\qEQdxSb.exe
  2⤵
  PID:6448
- C:\Windows\System32\nckxoCw.exe
  C:\Windows\System32\nckxoCw.exe
  2⤵
  PID:6476
- C:\Windows\System32\SmHUsUO.exe
  C:\Windows\System32\SmHUsUO.exe
  2⤵
  PID:6500
- C:\Windows\System32\qbprZrH.exe
  C:\Windows\System32\qbprZrH.exe
  2⤵
  PID:6540
- C:\Windows\System32\BfHCPhC.exe
  C:\Windows\System32\BfHCPhC.exe
  2⤵
  PID:6560
- C:\Windows\System32\iyYVZta.exe
  C:\Windows\System32\iyYVZta.exe
  2⤵
  PID:6588
- C:\Windows\System32\qdxOxuf.exe
  C:\Windows\System32\qdxOxuf.exe
  2⤵
  PID:6616
- C:\Windows\System32\tiPTQCu.exe
  C:\Windows\System32\tiPTQCu.exe
  2⤵
  PID:6644
- C:\Windows\System32\mJmzcgo.exe
  C:\Windows\System32\mJmzcgo.exe
  2⤵
  PID:6672
- C:\Windows\System32\ewvBslH.exe
  C:\Windows\System32\ewvBslH.exe
  2⤵
  PID:6696
- C:\Windows\System32\rGuetuP.exe
  C:\Windows\System32\rGuetuP.exe
  2⤵
  PID:6728
- C:\Windows\System32\LpJfTqO.exe
  C:\Windows\System32\LpJfTqO.exe
  2⤵
  PID:6756
- C:\Windows\System32\rKFEIPE.exe
  C:\Windows\System32\rKFEIPE.exe
  2⤵
  PID:6784
- C:\Windows\System32\JFrxOqX.exe
  C:\Windows\System32\JFrxOqX.exe
  2⤵
  PID:6812
- C:\Windows\System32\sKILQwn.exe
  C:\Windows\System32\sKILQwn.exe
  2⤵
  PID:6836
- C:\Windows\System32\PnYvSyS.exe
  C:\Windows\System32\PnYvSyS.exe
  2⤵
  PID:6864
- C:\Windows\System32\ATxCrPh.exe
  C:\Windows\System32\ATxCrPh.exe
  2⤵
  PID:6896
- C:\Windows\System32\OZNerag.exe
  C:\Windows\System32\OZNerag.exe
  2⤵
  PID:6924
- C:\Windows\System32\Eosxkdf.exe
  C:\Windows\System32\Eosxkdf.exe
  2⤵
  PID:6948
- C:\Windows\System32\DLuLTOb.exe
  C:\Windows\System32\DLuLTOb.exe
  2⤵
  PID:6976
- C:\Windows\System32\HbxEyrU.exe
  C:\Windows\System32\HbxEyrU.exe
  2⤵
  PID:7008
- C:\Windows\System32\nxQDsEN.exe
  C:\Windows\System32\nxQDsEN.exe
  2⤵
  PID:7032
- C:\Windows\System32\TjvHkQL.exe
  C:\Windows\System32\TjvHkQL.exe
  2⤵
  PID:7060
- C:\Windows\System32\pRhTmEn.exe
  C:\Windows\System32\pRhTmEn.exe
  2⤵
  PID:7092
- C:\Windows\System32\cKxkkso.exe
  C:\Windows\System32\cKxkkso.exe
  2⤵
  PID:7120
- C:\Windows\System32\WBmpDgk.exe
  C:\Windows\System32\WBmpDgk.exe
  2⤵
  PID:7148
- C:\Windows\System32\XQTtUMq.exe
  C:\Windows\System32\XQTtUMq.exe
  2⤵
  PID:5768
- C:\Windows\System32\YaZKDJV.exe
  C:\Windows\System32\YaZKDJV.exe
  2⤵
  PID:6004
- C:\Windows\System32\fTpARCJ.exe
  C:\Windows\System32\fTpARCJ.exe
  2⤵
  PID:6116
- C:\Windows\System32\gquOJZw.exe
  C:\Windows\System32\gquOJZw.exe
  2⤵
  PID:5036
- C:\Windows\System32\pDOKQaO.exe
  C:\Windows\System32\pDOKQaO.exe
  2⤵
  PID:5528
- C:\Windows\System32\hDWBPhs.exe
  C:\Windows\System32\hDWBPhs.exe
  2⤵
  PID:5696
- C:\Windows\System32\ZusxCtx.exe
  C:\Windows\System32\ZusxCtx.exe
  2⤵
  PID:6200
- C:\Windows\System32\xNXmSAe.exe
  C:\Windows\System32\xNXmSAe.exe
  2⤵
  PID:6264
- C:\Windows\System32\ZPqdAeq.exe
  C:\Windows\System32\ZPqdAeq.exe
  2⤵
  PID:6320
- C:\Windows\System32\qgPLAyP.exe
  C:\Windows\System32\qgPLAyP.exe
  2⤵
  PID:6396
- C:\Windows\System32\enXdZoy.exe
  C:\Windows\System32\enXdZoy.exe
  2⤵
  PID:6460
- C:\Windows\System32\GDFujTd.exe
  C:\Windows\System32\GDFujTd.exe
  2⤵
  PID:6508
- C:\Windows\System32\ZuojiwS.exe
  C:\Windows\System32\ZuojiwS.exe
  2⤵
  PID:6568
- C:\Windows\System32\GNUNXBK.exe
  C:\Windows\System32\GNUNXBK.exe
  2⤵
  PID:6656
- C:\Windows\System32\YORvpyL.exe
  C:\Windows\System32\YORvpyL.exe
  2⤵
  PID:6704
- C:\Windows\System32\WsIrnvV.exe
  C:\Windows\System32\WsIrnvV.exe
  2⤵
  PID:6776
- C:\Windows\System32\VmnjauK.exe
  C:\Windows\System32\VmnjauK.exe
  2⤵
  PID:6844
- C:\Windows\System32\fepSIwV.exe
  C:\Windows\System32\fepSIwV.exe
  2⤵
  PID:6908
- C:\Windows\System32\IbwMPtX.exe
  C:\Windows\System32\IbwMPtX.exe
  2⤵
  PID:6972
- C:\Windows\System32\mEStZpU.exe
  C:\Windows\System32\mEStZpU.exe
  2⤵
  PID:7084
- C:\Windows\System32\FjARzDJ.exe
  C:\Windows\System32\FjARzDJ.exe
  2⤵
  PID:7104
- C:\Windows\System32\PWhizmR.exe
  C:\Windows\System32\PWhizmR.exe
  2⤵
  PID:7156
- C:\Windows\System32\jfzZRvR.exe
  C:\Windows\System32\jfzZRvR.exe
  2⤵
  PID:6016
- C:\Windows\System32\fniDgsm.exe
  C:\Windows\System32\fniDgsm.exe
  2⤵
  PID:5660
- C:\Windows\System32\wKVjRNM.exe
  C:\Windows\System32\wKVjRNM.exe
  2⤵
  PID:4448
- C:\Windows\System32\pPgGKDl.exe
  C:\Windows\System32\pPgGKDl.exe
  2⤵
  PID:6312
- C:\Windows\System32\KUYyZmK.exe
  C:\Windows\System32\KUYyZmK.exe
  2⤵
  PID:6488
- C:\Windows\System32\bHQfXuF.exe
  C:\Windows\System32\bHQfXuF.exe
  2⤵
  PID:6636
- C:\Windows\System32\UWrjbsC.exe
  C:\Windows\System32\UWrjbsC.exe
  2⤵
  PID:6824
- C:\Windows\System32\iZzmZDb.exe
  C:\Windows\System32\iZzmZDb.exe
  2⤵
  PID:6936
- C:\Windows\System32\KLkNxRZ.exe
  C:\Windows\System32\KLkNxRZ.exe
  2⤵
  PID:7068
- C:\Windows\System32\vkYaywO.exe
  C:\Windows\System32\vkYaywO.exe
  2⤵
  PID:7196
- C:\Windows\System32\VEeEiCg.exe
  C:\Windows\System32\VEeEiCg.exe
  2⤵
  PID:7224
- C:\Windows\System32\nPYWRGe.exe
  C:\Windows\System32\nPYWRGe.exe
  2⤵
  PID:7252
- C:\Windows\System32\wxOIUFE.exe
  C:\Windows\System32\wxOIUFE.exe
  2⤵
  PID:7280
- C:\Windows\System32\vnWezdZ.exe
  C:\Windows\System32\vnWezdZ.exe
  2⤵
  PID:7304
- C:\Windows\System32\UCmrfaS.exe
  C:\Windows\System32\UCmrfaS.exe
  2⤵
  PID:7336
- C:\Windows\System32\PeOwRVM.exe
  C:\Windows\System32\PeOwRVM.exe
  2⤵
  PID:7364
- C:\Windows\System32\EtSzhfr.exe
  C:\Windows\System32\EtSzhfr.exe
  2⤵
  PID:7388
- C:\Windows\System32\Xwjkoqp.exe
  C:\Windows\System32\Xwjkoqp.exe
  2⤵
  PID:7416
- C:\Windows\System32\ViwHdbb.exe
  C:\Windows\System32\ViwHdbb.exe
  2⤵
  PID:7444
- C:\Windows\System32\vVQpjAe.exe
  C:\Windows\System32\vVQpjAe.exe
  2⤵
  PID:7476
- C:\Windows\System32\jMSfagC.exe
  C:\Windows\System32\jMSfagC.exe
  2⤵
  PID:7504
- C:\Windows\System32\LYiVmXr.exe
  C:\Windows\System32\LYiVmXr.exe
  2⤵
  PID:7532
- C:\Windows\System32\zWdBPEn.exe
  C:\Windows\System32\zWdBPEn.exe
  2⤵
  PID:7572
- C:\Windows\System32\FYHvJPk.exe
  C:\Windows\System32\FYHvJPk.exe
  2⤵
  PID:7588
- C:\Windows\System32\ARBGLjf.exe
  C:\Windows\System32\ARBGLjf.exe
  2⤵
  PID:7616
- C:\Windows\System32\trVzDvU.exe
  C:\Windows\System32\trVzDvU.exe
  2⤵
  PID:7644
- C:\Windows\System32\WIfYuuv.exe
  C:\Windows\System32\WIfYuuv.exe
  2⤵
  PID:7672
- C:\Windows\System32\eJPyyES.exe
  C:\Windows\System32\eJPyyES.exe
  2⤵
  PID:7700
- C:\Windows\System32\iXXuPlS.exe
  C:\Windows\System32\iXXuPlS.exe
  2⤵
  PID:7728
- C:\Windows\System32\EgoJiIu.exe
  C:\Windows\System32\EgoJiIu.exe
  2⤵
  PID:7768
- C:\Windows\System32\XXqtYeo.exe
  C:\Windows\System32\XXqtYeo.exe
  2⤵
  PID:7784
- C:\Windows\System32\VIPUyBd.exe
  C:\Windows\System32\VIPUyBd.exe
  2⤵
  PID:7812
- C:\Windows\System32\DmLYtnm.exe
  C:\Windows\System32\DmLYtnm.exe
  2⤵
  PID:7840
- C:\Windows\System32\jeofENd.exe
  C:\Windows\System32\jeofENd.exe
  2⤵
  PID:7868
- C:\Windows\System32\uKDVdQP.exe
  C:\Windows\System32\uKDVdQP.exe
  2⤵
  PID:7896
- C:\Windows\System32\ABfXIpE.exe
  C:\Windows\System32\ABfXIpE.exe
  2⤵
  PID:7920
- C:\Windows\System32\ygMGOAM.exe
  C:\Windows\System32\ygMGOAM.exe
  2⤵
  PID:7952
- C:\Windows\System32\RjCbvZL.exe
  C:\Windows\System32\RjCbvZL.exe
  2⤵
  PID:7980
- C:\Windows\System32\CfXzEfh.exe
  C:\Windows\System32\CfXzEfh.exe
  2⤵
  PID:8008
- C:\Windows\System32\CXpiQPO.exe
  C:\Windows\System32\CXpiQPO.exe
  2⤵
  PID:8032
- C:\Windows\System32\zItkGTJ.exe
  C:\Windows\System32\zItkGTJ.exe
  2⤵
  PID:8064
- C:\Windows\System32\fRNuRMX.exe
  C:\Windows\System32\fRNuRMX.exe
  2⤵
  PID:8092
- C:\Windows\System32\tvZCdDk.exe
  C:\Windows\System32\tvZCdDk.exe
  2⤵
  PID:8120
- C:\Windows\System32\YFfCUUn.exe
  C:\Windows\System32\YFfCUUn.exe
  2⤵
  PID:8148
- C:\Windows\System32\fogcGMZ.exe
  C:\Windows\System32\fogcGMZ.exe
  2⤵
  PID:8176
- C:\Windows\System32\xfYbgEs.exe
  C:\Windows\System32\xfYbgEs.exe
  2⤵
  PID:5912
- C:\Windows\System32\sdxExUY.exe
  C:\Windows\System32\sdxExUY.exe
  2⤵
  PID:6176
- C:\Windows\System32\ULQrTNb.exe
  C:\Windows\System32\ULQrTNb.exe
  2⤵
  PID:6412
- C:\Windows\System32\ToYEPod.exe
  C:\Windows\System32\ToYEPod.exe
  2⤵
  PID:6796
- C:\Windows\System32\FvhrDzX.exe
  C:\Windows\System32\FvhrDzX.exe
  2⤵
  PID:7180
- C:\Windows\System32\wJBbrAc.exe
  C:\Windows\System32\wJBbrAc.exe
  2⤵
  PID:7236
- C:\Windows\System32\QyxGPAd.exe
  C:\Windows\System32\QyxGPAd.exe
  2⤵
  PID:7328
- C:\Windows\System32\XkTSUcN.exe
  C:\Windows\System32\XkTSUcN.exe
  2⤵
  PID:7376
- C:\Windows\System32\nlVfOuV.exe
  C:\Windows\System32\nlVfOuV.exe
  2⤵
  PID:7452
- C:\Windows\System32\EGbhrOj.exe
  C:\Windows\System32\EGbhrOj.exe
  2⤵
  PID:7524
- C:\Windows\System32\GgrQKsM.exe
  C:\Windows\System32\GgrQKsM.exe
  2⤵
  PID:7564
- C:\Windows\System32\wJwCrgs.exe
  C:\Windows\System32\wJwCrgs.exe
  2⤵
  PID:7628
- C:\Windows\System32\QCTNGpJ.exe
  C:\Windows\System32\QCTNGpJ.exe
  2⤵
  PID:7708
- C:\Windows\System32\bouRLqw.exe
  C:\Windows\System32\bouRLqw.exe
  2⤵
  PID:7776
- C:\Windows\System32\zczcGxe.exe
  C:\Windows\System32\zczcGxe.exe
  2⤵
  PID:7820
- C:\Windows\System32\sSSFAvF.exe
  C:\Windows\System32\sSSFAvF.exe
  2⤵
  PID:7876
- C:\Windows\System32\rdvRsDs.exe
  C:\Windows\System32\rdvRsDs.exe
  2⤵
  PID:7936
- C:\Windows\System32\jyRVfSJ.exe
  C:\Windows\System32\jyRVfSJ.exe
  2⤵
  PID:7992
- C:\Windows\System32\wHtDSri.exe
  C:\Windows\System32\wHtDSri.exe
  2⤵
  PID:8084
- C:\Windows\System32\KuokXNR.exe
  C:\Windows\System32\KuokXNR.exe
  2⤵
  PID:8132
- C:\Windows\System32\dhoindH.exe
  C:\Windows\System32\dhoindH.exe
  2⤵
  PID:7132
- C:\Windows\System32\aeXJbfd.exe
  C:\Windows\System32\aeXJbfd.exe
  2⤵
  PID:6356
- C:\Windows\System32\ZFnDJLe.exe
  C:\Windows\System32\ZFnDJLe.exe
  2⤵
  PID:7204
- C:\Windows\System32\ALooVLV.exe
  C:\Windows\System32\ALooVLV.exe
  2⤵
  PID:7356
- C:\Windows\System32\FmgPfVK.exe
  C:\Windows\System32\FmgPfVK.exe
  2⤵
  PID:7488
- C:\Windows\System32\lUUeKWR.exe
  C:\Windows\System32\lUUeKWR.exe
  2⤵
  PID:7600
- C:\Windows\System32\jULSVdu.exe
  C:\Windows\System32\jULSVdu.exe
  2⤵
  PID:7740
- C:\Windows\System32\XEsYqwv.exe
  C:\Windows\System32\XEsYqwv.exe
  2⤵
  PID:7916
- C:\Windows\System32\LPhTglg.exe
  C:\Windows\System32\LPhTglg.exe
  2⤵
  PID:8048
- C:\Windows\System32\uCSxqKJ.exe
  C:\Windows\System32\uCSxqKJ.exe
  2⤵
  PID:8160
- C:\Windows\System32\FQjpJpY.exe
  C:\Windows\System32\FQjpJpY.exe
  2⤵
  PID:8204
- C:\Windows\System32\oUAzvZo.exe
  C:\Windows\System32\oUAzvZo.exe
  2⤵
  PID:8236
- C:\Windows\System32\CDlWUQH.exe
  C:\Windows\System32\CDlWUQH.exe
  2⤵
  PID:8264
- C:\Windows\System32\bNGOstv.exe
  C:\Windows\System32\bNGOstv.exe
  2⤵
  PID:8292
- C:\Windows\System32\IxxmOSW.exe
  C:\Windows\System32\IxxmOSW.exe
  2⤵
  PID:8316
- C:\Windows\System32\GQVkmDC.exe
  C:\Windows\System32\GQVkmDC.exe
  2⤵
  PID:8348
- C:\Windows\System32\MIwfDkF.exe
  C:\Windows\System32\MIwfDkF.exe
  2⤵
  PID:8372
- C:\Windows\System32\FyDnVDZ.exe
  C:\Windows\System32\FyDnVDZ.exe
  2⤵
  PID:8400
- C:\Windows\System32\hAMyTAg.exe
  C:\Windows\System32\hAMyTAg.exe
  2⤵
  PID:8432
- C:\Windows\System32\zpPElsD.exe
  C:\Windows\System32\zpPElsD.exe
  2⤵
  PID:8460
- C:\Windows\System32\jqTPigS.exe
  C:\Windows\System32\jqTPigS.exe
  2⤵
  PID:8500
- C:\Windows\System32\kskemhS.exe
  C:\Windows\System32\kskemhS.exe
  2⤵
  PID:8516
- C:\Windows\System32\VxFrNpv.exe
  C:\Windows\System32\VxFrNpv.exe
  2⤵
  PID:8540
- C:\Windows\System32\VuQEwct.exe
  C:\Windows\System32\VuQEwct.exe
  2⤵
  PID:8568
- C:\Windows\System32\xEOJmBm.exe
  C:\Windows\System32\xEOJmBm.exe
  2⤵
  PID:8600
- C:\Windows\System32\jJHagOw.exe
  C:\Windows\System32\jJHagOw.exe
  2⤵
  PID:8628
- C:\Windows\System32\MrdIjNw.exe
  C:\Windows\System32\MrdIjNw.exe
  2⤵
  PID:8652
- C:\Windows\System32\icoFKJx.exe
  C:\Windows\System32\icoFKJx.exe
  2⤵
  PID:8684
- C:\Windows\System32\bgugcVb.exe
  C:\Windows\System32\bgugcVb.exe
  2⤵
  PID:8712
- C:\Windows\System32\pmdNlHo.exe
  C:\Windows\System32\pmdNlHo.exe
  2⤵
  PID:8736
- C:\Windows\System32\cJUghWR.exe
  C:\Windows\System32\cJUghWR.exe
  2⤵
  PID:8764
- C:\Windows\System32\GFeobHd.exe
  C:\Windows\System32\GFeobHd.exe
  2⤵
  PID:8796
- C:\Windows\System32\NxCIxlz.exe
  C:\Windows\System32\NxCIxlz.exe
  2⤵
  PID:8820
- C:\Windows\System32\RwFMdpE.exe
  C:\Windows\System32\RwFMdpE.exe
  2⤵
  PID:8852
- C:\Windows\System32\IbBFMGl.exe
  C:\Windows\System32\IbBFMGl.exe
  2⤵
  PID:8876
- C:\Windows\System32\mDIlRJS.exe
  C:\Windows\System32\mDIlRJS.exe
  2⤵
  PID:8908
- C:\Windows\System32\yfgEslP.exe
  C:\Windows\System32\yfgEslP.exe
  2⤵
  PID:8932
- C:\Windows\System32\pLskqZF.exe
  C:\Windows\System32\pLskqZF.exe
  2⤵
  PID:8960
- C:\Windows\System32\gIdkPEu.exe
  C:\Windows\System32\gIdkPEu.exe
  2⤵
  PID:8988
- C:\Windows\System32\KbayBuQ.exe
  C:\Windows\System32\KbayBuQ.exe
  2⤵
  PID:9020
- C:\Windows\System32\inIXHOr.exe
  C:\Windows\System32\inIXHOr.exe
  2⤵
  PID:9048
- C:\Windows\System32\RdHKZzr.exe
  C:\Windows\System32\RdHKZzr.exe
  2⤵
  PID:9072
- C:\Windows\System32\EoqUElr.exe
  C:\Windows\System32\EoqUElr.exe
  2⤵
  PID:9104
- C:\Windows\System32\kpBBfqN.exe
  C:\Windows\System32\kpBBfqN.exe
  2⤵
  PID:9132
- C:\Windows\System32\OavOIWT.exe
  C:\Windows\System32\OavOIWT.exe
  2⤵
  PID:9156
- C:\Windows\System32\zFXkwBZ.exe
  C:\Windows\System32\zFXkwBZ.exe
  2⤵
  PID:6548
- C:\Windows\System32\Mitcozn.exe
  C:\Windows\System32\Mitcozn.exe
  2⤵
  PID:7468
- C:\Windows\System32\BMFBlhu.exe
  C:\Windows\System32\BMFBlhu.exe
  2⤵
  PID:7656
- C:\Windows\System32\HxChYbI.exe
  C:\Windows\System32\HxChYbI.exe
  2⤵
  PID:5296
- C:\Windows\System32\mGgMEbC.exe
  C:\Windows\System32\mGgMEbC.exe
  2⤵
  PID:8276
- C:\Windows\System32\paLQUmK.exe
  C:\Windows\System32\paLQUmK.exe
  2⤵
  PID:8324
- C:\Windows\System32\isprmFA.exe
  C:\Windows\System32\isprmFA.exe
  2⤵
  PID:8408
- C:\Windows\System32\XcxiCQP.exe
  C:\Windows\System32\XcxiCQP.exe
  2⤵
  PID:4896
- C:\Windows\System32\HacNZfv.exe
  C:\Windows\System32\HacNZfv.exe
  2⤵
  PID:8524
- C:\Windows\System32\vvhyklX.exe
  C:\Windows\System32\vvhyklX.exe
  2⤵
  PID:8576
- C:\Windows\System32\josPrdH.exe
  C:\Windows\System32\josPrdH.exe
  2⤵
  PID:8676
- C:\Windows\System32\svpjxIZ.exe
  C:\Windows\System32\svpjxIZ.exe
  2⤵
  PID:8744
- C:\Windows\System32\bQHzszD.exe
  C:\Windows\System32\bQHzszD.exe
  2⤵
  PID:8860
- C:\Windows\System32\zwlJOWx.exe
  C:\Windows\System32\zwlJOWx.exe
  2⤵
  PID:840
- C:\Windows\System32\AdyBhls.exe
  C:\Windows\System32\AdyBhls.exe
  2⤵
  PID:8920
- C:\Windows\System32\zvlyZUH.exe
  C:\Windows\System32\zvlyZUH.exe
  2⤵
  PID:8976
- C:\Windows\System32\NpaChYY.exe
  C:\Windows\System32\NpaChYY.exe
  2⤵
  PID:2756
- C:\Windows\System32\ySzoiwk.exe
  C:\Windows\System32\ySzoiwk.exe
  2⤵
  PID:9060
- C:\Windows\System32\JDZFHyX.exe
  C:\Windows\System32\JDZFHyX.exe
  2⤵
  PID:4624
- C:\Windows\System32\UbmxunJ.exe
  C:\Windows\System32\UbmxunJ.exe
  2⤵
  PID:5092
- C:\Windows\System32\HCompeO.exe
  C:\Windows\System32\HCompeO.exe
  2⤵
  PID:2752
- C:\Windows\System32\xUTbVWS.exe
  C:\Windows\System32\xUTbVWS.exe
  2⤵
  PID:3608
- C:\Windows\System32\rmSHoKs.exe
  C:\Windows\System32\rmSHoKs.exe
  2⤵
  PID:7760
- C:\Windows\System32\GPMSJTN.exe
  C:\Windows\System32\GPMSJTN.exe
  2⤵
  PID:440
- C:\Windows\System32\enlSfoO.exe
  C:\Windows\System32\enlSfoO.exe
  2⤵
  PID:896
- C:\Windows\System32\yvartEa.exe
  C:\Windows\System32\yvartEa.exe
  2⤵
  PID:8468
- C:\Windows\System32\ouVaoWc.exe
  C:\Windows\System32\ouVaoWc.exe
  2⤵
  PID:8620
- C:\Windows\System32\RBZQiHW.exe
  C:\Windows\System32\RBZQiHW.exe
  2⤵
  PID:8916
- C:\Windows\System32\AfEKGqm.exe
  C:\Windows\System32\AfEKGqm.exe
  2⤵
  PID:3724
- C:\Windows\System32\byKaPWC.exe
  C:\Windows\System32\byKaPWC.exe
  2⤵
  PID:8548
- C:\Windows\System32\GKxFBWw.exe
  C:\Windows\System32\GKxFBWw.exe
  2⤵
  PID:2616
- C:\Windows\System32\oUQorRz.exe
  C:\Windows\System32\oUQorRz.exe
  2⤵
  PID:9068
- C:\Windows\System32\KSMnYnO.exe
  C:\Windows\System32\KSMnYnO.exe
  2⤵
  PID:3276
- C:\Windows\System32\vsfDGJM.exe
  C:\Windows\System32\vsfDGJM.exe
  2⤵
  PID:5076
- C:\Windows\System32\UYkSRCP.exe
  C:\Windows\System32\UYkSRCP.exe
  2⤵
  PID:8000
- C:\Windows\System32\zkojmzb.exe
  C:\Windows\System32\zkojmzb.exe
  2⤵
  PID:4552
- C:\Windows\System32\fBQjREf.exe
  C:\Windows\System32\fBQjREf.exe
  2⤵
  PID:4872
- C:\Windows\System32\CQMoJHk.exe
  C:\Windows\System32\CQMoJHk.exe
  2⤵
  PID:9188
- C:\Windows\System32\BceWTiR.exe
  C:\Windows\System32\BceWTiR.exe
  2⤵
  PID:8020
- C:\Windows\System32\zuarngw.exe
  C:\Windows\System32\zuarngw.exe
  2⤵
  PID:1424
- C:\Windows\System32\FcxBEGr.exe
  C:\Windows\System32\FcxBEGr.exe
  2⤵
  PID:8692
- C:\Windows\System32\IBKgppy.exe
  C:\Windows\System32\IBKgppy.exe
  2⤵
  PID:9244
- C:\Windows\System32\OgkYvJJ.exe
  C:\Windows\System32\OgkYvJJ.exe
  2⤵
  PID:9272
- C:\Windows\System32\HpNbRld.exe
  C:\Windows\System32\HpNbRld.exe
  2⤵
  PID:9308
- C:\Windows\System32\axFjJUt.exe
  C:\Windows\System32\axFjJUt.exe
  2⤵
  PID:9372
- C:\Windows\System32\mxXgNhh.exe
  C:\Windows\System32\mxXgNhh.exe
  2⤵
  PID:9404
- C:\Windows\System32\HMjrNyc.exe
  C:\Windows\System32\HMjrNyc.exe
  2⤵
  PID:9432
- C:\Windows\System32\hVUccqT.exe
  C:\Windows\System32\hVUccqT.exe
  2⤵
  PID:9448
- C:\Windows\System32\SOIkoPC.exe
  C:\Windows\System32\SOIkoPC.exe
  2⤵
  PID:9492
- C:\Windows\System32\mUrRccR.exe
  C:\Windows\System32\mUrRccR.exe
  2⤵
  PID:9528
- C:\Windows\System32\ZKVGQuf.exe
  C:\Windows\System32\ZKVGQuf.exe
  2⤵
  PID:9548
- C:\Windows\System32\GcXyOuG.exe
  C:\Windows\System32\GcXyOuG.exe
  2⤵
  PID:9576
- C:\Windows\System32\nUVEYyi.exe
  C:\Windows\System32\nUVEYyi.exe
  2⤵
  PID:9608
- C:\Windows\System32\sPbBZrY.exe
  C:\Windows\System32\sPbBZrY.exe
  2⤵
  PID:9644
- C:\Windows\System32\dpcPtYw.exe
  C:\Windows\System32\dpcPtYw.exe
  2⤵
  PID:9676
- C:\Windows\System32\XciIHlF.exe
  C:\Windows\System32\XciIHlF.exe
  2⤵
  PID:9704
- C:\Windows\System32\fxaQmSQ.exe
  C:\Windows\System32\fxaQmSQ.exe
  2⤵
  PID:9736
- C:\Windows\System32\EkWfBhX.exe
  C:\Windows\System32\EkWfBhX.exe
  2⤵
  PID:9764
- C:\Windows\System32\lwDjGHK.exe
  C:\Windows\System32\lwDjGHK.exe
  2⤵
  PID:9792
- C:\Windows\System32\ntkdBxY.exe
  C:\Windows\System32\ntkdBxY.exe
  2⤵
  PID:9820
- C:\Windows\System32\yhPDVga.exe
  C:\Windows\System32\yhPDVga.exe
  2⤵
  PID:9852
- C:\Windows\System32\EFecYup.exe
  C:\Windows\System32\EFecYup.exe
  2⤵
  PID:9880
- C:\Windows\System32\HMZRfxF.exe
  C:\Windows\System32\HMZRfxF.exe
  2⤵
  PID:9908
- C:\Windows\System32\epHvyfd.exe
  C:\Windows\System32\epHvyfd.exe
  2⤵
  PID:9936
- C:\Windows\System32\lOzSktw.exe
  C:\Windows\System32\lOzSktw.exe
  2⤵
  PID:9964
- C:\Windows\System32\WMQWkOX.exe
  C:\Windows\System32\WMQWkOX.exe
  2⤵
  PID:9996
- C:\Windows\System32\aYrlFCb.exe
  C:\Windows\System32\aYrlFCb.exe
  2⤵
  PID:10036
- C:\Windows\System32\HZJqFAJ.exe
  C:\Windows\System32\HZJqFAJ.exe
  2⤵
  PID:10068
- C:\Windows\System32\cDNWKXE.exe
  C:\Windows\System32\cDNWKXE.exe
  2⤵
  PID:10088
- C:\Windows\System32\GDFYequ.exe
  C:\Windows\System32\GDFYequ.exe
  2⤵
  PID:10116
- C:\Windows\System32\XXCJELM.exe
  C:\Windows\System32\XXCJELM.exe
  2⤵
  PID:10148
- C:\Windows\System32\HsijYOV.exe
  C:\Windows\System32\HsijYOV.exe
  2⤵
  PID:10176
- C:\Windows\System32\dcoTODm.exe
  C:\Windows\System32\dcoTODm.exe
  2⤵
  PID:10204
- C:\Windows\System32\bQVdKDP.exe
  C:\Windows\System32\bQVdKDP.exe
  2⤵
  PID:10232
- C:\Windows\System32\thVWYBA.exe
  C:\Windows\System32\thVWYBA.exe
  2⤵
  PID:9264
- C:\Windows\System32\ZXZhvAG.exe
  C:\Windows\System32\ZXZhvAG.exe
  2⤵
  PID:9460
- C:\Windows\System32\ZoGEhFu.exe
  C:\Windows\System32\ZoGEhFu.exe
  2⤵
  PID:9512
- C:\Windows\System32\HVkAzGg.exe
  C:\Windows\System32\HVkAzGg.exe
  2⤵
  PID:9568
- C:\Windows\System32\TGsClBw.exe
  C:\Windows\System32\TGsClBw.exe
  2⤵
  PID:9656
- C:\Windows\System32\zjQuYIY.exe
  C:\Windows\System32\zjQuYIY.exe
  2⤵
  PID:9716
- C:\Windows\System32\ydLyVKy.exe
  C:\Windows\System32\ydLyVKy.exe
  2⤵
  PID:9732
- C:\Windows\System32\fFYkFCX.exe
  C:\Windows\System32\fFYkFCX.exe
  2⤵
  PID:9832
- C:\Windows\System32\bgToUfV.exe
  C:\Windows\System32\bgToUfV.exe
  2⤵
  PID:9892
- C:\Windows\System32\dPqNRjo.exe
  C:\Windows\System32\dPqNRjo.exe
  2⤵
  PID:9956
- C:\Windows\System32\ZkowvqU.exe
  C:\Windows\System32\ZkowvqU.exe
  2⤵
  PID:10008
- C:\Windows\System32\xcAkbtQ.exe
  C:\Windows\System32\xcAkbtQ.exe
  2⤵
  PID:4960
- C:\Windows\System32\gESxTtU.exe
  C:\Windows\System32\gESxTtU.exe
  2⤵
  PID:10076
- C:\Windows\System32\aohrkgv.exe
  C:\Windows\System32\aohrkgv.exe
  2⤵
  PID:10112
- C:\Windows\System32\mfzRCVj.exe
  C:\Windows\System32\mfzRCVj.exe
  2⤵
  PID:10188
- C:\Windows\System32\PsWvtMn.exe
  C:\Windows\System32\PsWvtMn.exe
  2⤵
  PID:9256
- C:\Windows\System32\dZzpfXr.exe
  C:\Windows\System32\dZzpfXr.exe
  2⤵
  PID:9540
- C:\Windows\System32\kiHFPzx.exe
  C:\Windows\System32\kiHFPzx.exe
  2⤵
  PID:9700
- C:\Windows\System32\NghTuMj.exe
  C:\Windows\System32\NghTuMj.exe
  2⤵
  PID:9844
- C:\Windows\System32\ZNOarum.exe
  C:\Windows\System32\ZNOarum.exe
  2⤵
  PID:10024
- C:\Windows\System32\ejIIowt.exe
  C:\Windows\System32\ejIIowt.exe
  2⤵
  PID:5052
- C:\Windows\System32\KGYYgmq.exe
  C:\Windows\System32\KGYYgmq.exe
  2⤵
  PID:10216
- C:\Windows\System32\oLFWptB.exe
  C:\Windows\System32\oLFWptB.exe
  2⤵
  PID:10224
- C:\Windows\System32\wCrFiYi.exe
  C:\Windows\System32\wCrFiYi.exe
  2⤵
  PID:9984
- C:\Windows\System32\VMAPKBT.exe
  C:\Windows\System32\VMAPKBT.exe
  2⤵
  PID:10084
- C:\Windows\System32\Xiijxrh.exe
  C:\Windows\System32\Xiijxrh.exe
  2⤵
  PID:9816
- C:\Windows\System32\OHtiALK.exe
  C:\Windows\System32\OHtiALK.exe
  2⤵
  PID:1792
- C:\Windows\System32\uCRpwJP.exe
  C:\Windows\System32\uCRpwJP.exe
  2⤵
  PID:10256
- C:\Windows\System32\ozpjVNf.exe
  C:\Windows\System32\ozpjVNf.exe
  2⤵
  PID:10284
- C:\Windows\System32\iXpROfB.exe
  C:\Windows\System32\iXpROfB.exe
  2⤵
  PID:10312
- C:\Windows\System32\JAmqvxX.exe
  C:\Windows\System32\JAmqvxX.exe
  2⤵
  PID:10336
- C:\Windows\System32\EEaMtNK.exe
  C:\Windows\System32\EEaMtNK.exe
  2⤵
  PID:10356
- C:\Windows\System32\WXtSHpY.exe
  C:\Windows\System32\WXtSHpY.exe
  2⤵
  PID:10396
- C:\Windows\System32\rVXmLGs.exe
  C:\Windows\System32\rVXmLGs.exe
  2⤵
  PID:10424
- C:\Windows\System32\zAyZJnz.exe
  C:\Windows\System32\zAyZJnz.exe
  2⤵
  PID:10452
- C:\Windows\System32\Pguddkd.exe
  C:\Windows\System32\Pguddkd.exe
  2⤵
  PID:10484
- C:\Windows\System32\vrBezQY.exe
  C:\Windows\System32\vrBezQY.exe
  2⤵
  PID:10504
- C:\Windows\System32\PfXrtJK.exe
  C:\Windows\System32\PfXrtJK.exe
  2⤵
  PID:10532
- C:\Windows\System32\AXAdIWL.exe
  C:\Windows\System32\AXAdIWL.exe
  2⤵
  PID:10568
- C:\Windows\System32\NCZaPzl.exe
  C:\Windows\System32\NCZaPzl.exe
  2⤵
  PID:10596
- C:\Windows\System32\jVlqKQo.exe
  C:\Windows\System32\jVlqKQo.exe
  2⤵
  PID:10624
- C:\Windows\System32\LLiTjgl.exe
  C:\Windows\System32\LLiTjgl.exe
  2⤵
  PID:10640
- C:\Windows\System32\iQQkkds.exe
  C:\Windows\System32\iQQkkds.exe
  2⤵
  PID:10680
- C:\Windows\System32\YUqbDXK.exe
  C:\Windows\System32\YUqbDXK.exe
  2⤵
  PID:10708
- C:\Windows\System32\YzSWzcW.exe
  C:\Windows\System32\YzSWzcW.exe
  2⤵
  PID:10724
- C:\Windows\System32\USSKTEu.exe
  C:\Windows\System32\USSKTEu.exe
  2⤵
  PID:10752
- C:\Windows\System32\hwkBPDm.exe
  C:\Windows\System32\hwkBPDm.exe
  2⤵
  PID:10780
- C:\Windows\System32\GTipqYg.exe
  C:\Windows\System32\GTipqYg.exe
  2⤵
  PID:10820
- C:\Windows\System32\nNFdpom.exe
  C:\Windows\System32\nNFdpom.exe
  2⤵
  PID:10836
- C:\Windows\System32\ZBMOedG.exe
  C:\Windows\System32\ZBMOedG.exe
  2⤵
  PID:10876
- C:\Windows\System32\tppYIym.exe
  C:\Windows\System32\tppYIym.exe
  2⤵
  PID:10904
- C:\Windows\System32\vjyXTmP.exe
  C:\Windows\System32\vjyXTmP.exe
  2⤵
  PID:10932
- C:\Windows\System32\EvkqPJL.exe
  C:\Windows\System32\EvkqPJL.exe
  2⤵
  PID:10948
- C:\Windows\System32\VVzmKzd.exe
  C:\Windows\System32\VVzmKzd.exe
  2⤵
  PID:10976
- C:\Windows\System32\DQHCebp.exe
  C:\Windows\System32\DQHCebp.exe
  2⤵
  PID:10996
- C:\Windows\System32\FVGwkLM.exe
  C:\Windows\System32\FVGwkLM.exe
  2⤵
  PID:11016
- C:\Windows\System32\HFBzfSO.exe
  C:\Windows\System32\HFBzfSO.exe
  2⤵
  PID:11036
- C:\Windows\System32\MpXEdmI.exe
  C:\Windows\System32\MpXEdmI.exe
  2⤵
  PID:11076
- C:\Windows\System32\QGIofcb.exe
  C:\Windows\System32\QGIofcb.exe
  2⤵
  PID:11116
- C:\Windows\System32\rpEZOiY.exe
  C:\Windows\System32\rpEZOiY.exe
  2⤵
  PID:11156
- C:\Windows\System32\ppKCuWR.exe
  C:\Windows\System32\ppKCuWR.exe
  2⤵
  PID:11184
- C:\Windows\System32\KdrSsqh.exe
  C:\Windows\System32\KdrSsqh.exe
  2⤵
  PID:11212
- C:\Windows\System32\fHSDnOv.exe
  C:\Windows\System32\fHSDnOv.exe
  2⤵
  PID:11240
- C:\Windows\System32\XtILDWX.exe
  C:\Windows\System32\XtILDWX.exe
  2⤵
  PID:10248
- C:\Windows\System32\wnSrbhU.exe
  C:\Windows\System32\wnSrbhU.exe
  2⤵
  PID:10304
- C:\Windows\System32\DXwsxhk.exe
  C:\Windows\System32\DXwsxhk.exe
  2⤵
  PID:10376
- C:\Windows\System32\MfQzJle.exe
  C:\Windows\System32\MfQzJle.exe
  2⤵
  PID:10448
- C:\Windows\System32\mPLBmBZ.exe
  C:\Windows\System32\mPLBmBZ.exe
  2⤵
  PID:10524
- C:\Windows\System32\fKpXFVZ.exe
  C:\Windows\System32\fKpXFVZ.exe
  2⤵
  PID:10584
- C:\Windows\System32\PcHcULQ.exe
  C:\Windows\System32\PcHcULQ.exe
  2⤵
  PID:10620
- C:\Windows\System32\zyeUaHu.exe
  C:\Windows\System32\zyeUaHu.exe
  2⤵
  PID:10700
- C:\Windows\System32\Nzrhcyy.exe
  C:\Windows\System32\Nzrhcyy.exe
  2⤵
  PID:10764
- C:\Windows\System32\dzdtvSQ.exe
  C:\Windows\System32\dzdtvSQ.exe
  2⤵
  PID:10808
- C:\Windows\System32\gjYhHYA.exe
  C:\Windows\System32\gjYhHYA.exe
  2⤵
  PID:10900
- C:\Windows\System32\hFyWAXW.exe
  C:\Windows\System32\hFyWAXW.exe
  2⤵
  PID:10972
- C:\Windows\System32\gySXKGd.exe
  C:\Windows\System32\gySXKGd.exe
  2⤵
  PID:11004
- C:\Windows\System32\uxiQOmN.exe
  C:\Windows\System32\uxiQOmN.exe
  2⤵
  PID:11092
- C:\Windows\System32\XbDlNII.exe
  C:\Windows\System32\XbDlNII.exe
  2⤵
  PID:11152
- C:\Windows\System32\VtiqSYa.exe
  C:\Windows\System32\VtiqSYa.exe
  2⤵
  PID:11236
- C:\Windows\System32\dtmMMdA.exe
  C:\Windows\System32\dtmMMdA.exe
  2⤵
  PID:10280
- C:\Windows\System32\dVRnBPV.exe
  C:\Windows\System32\dVRnBPV.exe
  2⤵
  PID:10476
- C:\Windows\System32\luvHULB.exe
  C:\Windows\System32\luvHULB.exe
  2⤵
  PID:10608
- C:\Windows\System32\OfRohzG.exe
  C:\Windows\System32\OfRohzG.exe
  2⤵
  PID:10792
- C:\Windows\System32\OBbHQmY.exe
  C:\Windows\System32\OBbHQmY.exe
  2⤵
  PID:10984
- C:\Windows\System32\ELGvOmH.exe
  C:\Windows\System32\ELGvOmH.exe
  2⤵
  PID:11256
- C:\Windows\System32\wdQmDKr.exe
  C:\Windows\System32\wdQmDKr.exe
  2⤵
  PID:10652
- C:\Windows\System32\GyMsDBO.exe
  C:\Windows\System32\GyMsDBO.exe
  2⤵
  PID:10888
- C:\Windows\System32\aqrbSxp.exe
  C:\Windows\System32\aqrbSxp.exe
  2⤵
  PID:10380
- C:\Windows\System32\OOBtAOZ.exe
  C:\Windows\System32\OOBtAOZ.exe
  2⤵
  PID:11280
- C:\Windows\System32\JzEaXIn.exe
  C:\Windows\System32\JzEaXIn.exe
  2⤵
  PID:11308
- C:\Windows\System32\HYIyTPV.exe
  C:\Windows\System32\HYIyTPV.exe
  2⤵
  PID:11336
- C:\Windows\System32\TRXIdWR.exe
  C:\Windows\System32\TRXIdWR.exe
  2⤵
  PID:11364
- C:\Windows\System32\NpqxLZm.exe
  C:\Windows\System32\NpqxLZm.exe
  2⤵
  PID:11392
- C:\Windows\System32\aFZSfVI.exe
  C:\Windows\System32\aFZSfVI.exe
  2⤵
  PID:11420
- C:\Windows\System32\EWYqboZ.exe
  C:\Windows\System32\EWYqboZ.exe
  2⤵
  PID:11448
- C:\Windows\System32\efgJIzr.exe
  C:\Windows\System32\efgJIzr.exe
  2⤵
  PID:11476
- C:\Windows\System32\qsjvhAG.exe
  C:\Windows\System32\qsjvhAG.exe
  2⤵
  PID:11504
- C:\Windows\System32\JoPodnA.exe
  C:\Windows\System32\JoPodnA.exe
  2⤵
  PID:11520
- C:\Windows\System32\VfRcZXJ.exe
  C:\Windows\System32\VfRcZXJ.exe
  2⤵
  PID:11560
- C:\Windows\System32\wxGZjfL.exe
  C:\Windows\System32\wxGZjfL.exe
  2⤵
  PID:11588
- C:\Windows\System32\rFRtlwt.exe
  C:\Windows\System32\rFRtlwt.exe
  2⤵
  PID:11616
- C:\Windows\System32\AOrUkUb.exe
  C:\Windows\System32\AOrUkUb.exe
  2⤵
  PID:11644
- C:\Windows\System32\AVdvGkf.exe
  C:\Windows\System32\AVdvGkf.exe
  2⤵
  PID:11672
- C:\Windows\System32\WYmjaHj.exe
  C:\Windows\System32\WYmjaHj.exe
  2⤵
  PID:11700
- C:\Windows\System32\hwSsWtP.exe
  C:\Windows\System32\hwSsWtP.exe
  2⤵
  PID:11728
- C:\Windows\System32\ToolHzB.exe
  C:\Windows\System32\ToolHzB.exe
  2⤵
  PID:11756
- C:\Windows\System32\KLOHjBT.exe
  C:\Windows\System32\KLOHjBT.exe
  2⤵
  PID:11784
- C:\Windows\System32\vaKYbKu.exe
  C:\Windows\System32\vaKYbKu.exe
  2⤵
  PID:11812
- C:\Windows\System32\RTGUCJt.exe
  C:\Windows\System32\RTGUCJt.exe
  2⤵
  PID:11840
- C:\Windows\System32\UpNKdCq.exe
  C:\Windows\System32\UpNKdCq.exe
  2⤵
  PID:11876
- C:\Windows\System32\vHbhCme.exe
  C:\Windows\System32\vHbhCme.exe
  2⤵
  PID:11892
- C:\Windows\System32\RddwjQt.exe
  C:\Windows\System32\RddwjQt.exe
  2⤵
  PID:11912
- C:\Windows\System32\hIwqZwW.exe
  C:\Windows\System32\hIwqZwW.exe
  2⤵
  PID:11964
- C:\Windows\System32\BtCALGE.exe
  C:\Windows\System32\BtCALGE.exe
  2⤵
  PID:11992
- C:\Windows\System32\RJitsGq.exe
  C:\Windows\System32\RJitsGq.exe
  2⤵
  PID:12020
- C:\Windows\System32\OVTLvyL.exe
  C:\Windows\System32\OVTLvyL.exe
  2⤵
  PID:12052
- C:\Windows\System32\KRBDPjp.exe
  C:\Windows\System32\KRBDPjp.exe
  2⤵
  PID:12068
- C:\Windows\System32\pPLozPA.exe
  C:\Windows\System32\pPLozPA.exe
  2⤵
  PID:12096
- C:\Windows\System32\FggAtGW.exe
  C:\Windows\System32\FggAtGW.exe
  2⤵
  PID:12136
- C:\Windows\System32\Olyqfwi.exe
  C:\Windows\System32\Olyqfwi.exe
  2⤵
  PID:12164
- C:\Windows\System32\gMMmuxY.exe
  C:\Windows\System32\gMMmuxY.exe
  2⤵
  PID:12192
- C:\Windows\System32\bEweVeL.exe
  C:\Windows\System32\bEweVeL.exe
  2⤵
  PID:12220
- C:\Windows\System32\GBeuEmr.exe
  C:\Windows\System32\GBeuEmr.exe
  2⤵
  PID:12264
- C:\Windows\System32\bMoNcZp.exe
  C:\Windows\System32\bMoNcZp.exe
  2⤵
  PID:10928
- C:\Windows\System32\IzsYXDu.exe
  C:\Windows\System32\IzsYXDu.exe
  2⤵
  PID:11300
- C:\Windows\System32\VQVwRKH.exe
  C:\Windows\System32\VQVwRKH.exe
  2⤵
  PID:11360
- C:\Windows\System32\IzoyXkP.exe
  C:\Windows\System32\IzoyXkP.exe
  2⤵
  PID:11440
- C:\Windows\System32\aZGyIHA.exe
  C:\Windows\System32\aZGyIHA.exe
  2⤵
  PID:11544
- C:\Windows\System32\dawOofz.exe
  C:\Windows\System32\dawOofz.exe
  2⤵
  PID:11604
- C:\Windows\System32\wZCefsi.exe
  C:\Windows\System32\wZCefsi.exe
  2⤵
  PID:11720
- C:\Windows\System32\dgJtNWP.exe
  C:\Windows\System32\dgJtNWP.exe
  2⤵
  PID:11832
- C:\Windows\System32\NWPsjOc.exe
  C:\Windows\System32\NWPsjOc.exe
  2⤵
  PID:11920
- C:\Windows\System32\sKpEpPS.exe
  C:\Windows\System32\sKpEpPS.exe
  2⤵
  PID:12004
- C:\Windows\System32\yinglBn.exe
  C:\Windows\System32\yinglBn.exe
  2⤵
  PID:12048
- C:\Windows\System32\IJVoxbd.exe
  C:\Windows\System32\IJVoxbd.exe
  2⤵
  PID:12160
- C:\Windows\System32\kkaKqiB.exe
  C:\Windows\System32\kkaKqiB.exe
  2⤵
  PID:12232
- C:\Windows\System32\iLcYfZb.exe
  C:\Windows\System32\iLcYfZb.exe
  2⤵
  PID:11348
- C:\Windows\System32\ctCRZpg.exe
  C:\Windows\System32\ctCRZpg.exe
  2⤵
  PID:11492
- C:\Windows\System32\GKXAACF.exe
  C:\Windows\System32\GKXAACF.exe
  2⤵
  PID:11960
- C:\Windows\System32\rkIlzTR.exe
  C:\Windows\System32\rkIlzTR.exe
  2⤵
  PID:3744
- C:\Windows\System32\ahHrYrm.exe
  C:\Windows\System32\ahHrYrm.exe
  2⤵
  PID:12184
- C:\Windows\System32\rzZmUYX.exe
  C:\Windows\System32\rzZmUYX.exe
  2⤵
  PID:11584
- C:\Windows\System32\VDVAUHr.exe
  C:\Windows\System32\VDVAUHr.exe
  2⤵
  PID:12176
- C:\Windows\System32\RpgNfse.exe
  C:\Windows\System32\RpgNfse.exe
  2⤵
  PID:12292
- C:\Windows\System32\xasbEeR.exe
  C:\Windows\System32\xasbEeR.exe
  2⤵
  PID:12328
- C:\Windows\System32\cGrNtdt.exe
  C:\Windows\System32\cGrNtdt.exe
  2⤵
  PID:12344
- C:\Windows\System32\VSkJsHw.exe
  C:\Windows\System32\VSkJsHw.exe
  2⤵
  PID:12384
- C:\Windows\System32\HPMvTxR.exe
  C:\Windows\System32\HPMvTxR.exe
  2⤵
  PID:12412
- C:\Windows\System32\rbianXx.exe
  C:\Windows\System32\rbianXx.exe
  2⤵
  PID:12428
- C:\Windows\System32\VdVTHVk.exe
  C:\Windows\System32\VdVTHVk.exe
  2⤵
  PID:12456
- C:\Windows\System32\gWTnklF.exe
  C:\Windows\System32\gWTnklF.exe
  2⤵
  PID:12496
- C:\Windows\System32\iqwtdvx.exe
  C:\Windows\System32\iqwtdvx.exe
  2⤵
  PID:12524
- C:\Windows\System32\WhueIyK.exe
  C:\Windows\System32\WhueIyK.exe
  2⤵
  PID:12556
- C:\Windows\System32\hYQeFmK.exe
  C:\Windows\System32\hYQeFmK.exe
  2⤵
  PID:12584
- C:\Windows\System32\qxRqqrW.exe
  C:\Windows\System32\qxRqqrW.exe
  2⤵
  PID:12600
- C:\Windows\System32\rcRxzvR.exe
  C:\Windows\System32\rcRxzvR.exe
  2⤵
  PID:12628
- C:\Windows\System32\veFjYOW.exe
  C:\Windows\System32\veFjYOW.exe
  2⤵
  PID:12668
- C:\Windows\System32\cMtgxii.exe
  C:\Windows\System32\cMtgxii.exe
  2⤵
  PID:12696
- C:\Windows\System32\bkeLWav.exe
  C:\Windows\System32\bkeLWav.exe
  2⤵
  PID:12724
- C:\Windows\System32\BElyzio.exe
  C:\Windows\System32\BElyzio.exe
  2⤵
  PID:12784
- C:\Windows\System32\KdVtIui.exe
  C:\Windows\System32\KdVtIui.exe
  2⤵
  PID:12816
- C:\Windows\System32\oqezPed.exe
  C:\Windows\System32\oqezPed.exe
  2⤵
  PID:12844
- C:\Windows\System32\AYTKdoU.exe
  C:\Windows\System32\AYTKdoU.exe
  2⤵
  PID:12880
- C:\Windows\System32\hbrPaYQ.exe
  C:\Windows\System32\hbrPaYQ.exe
  2⤵
  PID:12912
- C:\Windows\System32\amFAWsO.exe
  C:\Windows\System32\amFAWsO.exe
  2⤵
  PID:12940
- C:\Windows\System32\RrTzoKH.exe
  C:\Windows\System32\RrTzoKH.exe
  2⤵
  PID:12960
- C:\Windows\System32\NICouep.exe
  C:\Windows\System32\NICouep.exe
  2⤵
  PID:13000
- C:\Windows\System32\gdackId.exe
  C:\Windows\System32\gdackId.exe
  2⤵
  PID:13036
- C:\Windows\System32\aAwVXdk.exe
  C:\Windows\System32\aAwVXdk.exe
  2⤵
  PID:13052
- C:\Windows\System32\MABXrXZ.exe
  C:\Windows\System32\MABXrXZ.exe
  2⤵
  PID:13084
- C:\Windows\System32\YVOPhim.exe
  C:\Windows\System32\YVOPhim.exe
  2⤵
  PID:13120
- C:\Windows\System32\iVOyxIJ.exe
  C:\Windows\System32\iVOyxIJ.exe
  2⤵
  PID:13144
- C:\Windows\System32\IzRfowJ.exe
  C:\Windows\System32\IzRfowJ.exe
  2⤵
  PID:13176
- C:\Windows\System32\naqMtfx.exe
  C:\Windows\System32\naqMtfx.exe
  2⤵
  PID:13204
- C:\Windows\System32\wUzPHBZ.exe
  C:\Windows\System32\wUzPHBZ.exe
  2⤵
  PID:13232
- C:\Windows\System32\BzHfcZc.exe
  C:\Windows\System32\BzHfcZc.exe
  2⤵
  PID:13260
- C:\Windows\System32\LErlvvn.exe
  C:\Windows\System32\LErlvvn.exe
  2⤵
  PID:13276
- C:\Windows\System32\qUylLky.exe
  C:\Windows\System32\qUylLky.exe
  2⤵
  PID:11608
- C:\Windows\System32\rrmDGyY.exe
  C:\Windows\System32\rrmDGyY.exe
  2⤵
  PID:12336
- C:\Windows\System32\ENZiREN.exe
  C:\Windows\System32\ENZiREN.exe
  2⤵
  PID:12400
- C:\Windows\System32\GyxMiaf.exe
  C:\Windows\System32\GyxMiaf.exe
  2⤵
  PID:12484
- C:\Windows\System32\oGNjaSC.exe
  C:\Windows\System32\oGNjaSC.exe
  2⤵
  PID:12544
- C:\Windows\System32\asltuPg.exe
  C:\Windows\System32\asltuPg.exe
  2⤵
  PID:12620
- C:\Windows\System32\dRxkKSw.exe
  C:\Windows\System32\dRxkKSw.exe
  2⤵
  PID:12692
- C:\Windows\System32\IHnknfs.exe
  C:\Windows\System32\IHnknfs.exe
  2⤵
  PID:12744
- C:\Windows\System32\rSrEZvq.exe
  C:\Windows\System32\rSrEZvq.exe
  2⤵
  PID:12856
- C:\Windows\System32\WjnMoCs.exe
  C:\Windows\System32\WjnMoCs.exe
  2⤵
  PID:12924
- C:\Windows\System32\axVETTh.exe
  C:\Windows\System32\axVETTh.exe
  2⤵
  PID:12980
- C:\Windows\System32\KzZykgw.exe
  C:\Windows\System32\KzZykgw.exe
  2⤵
  PID:13076
- C:\Windows\System32\sowPwVM.exe
  C:\Windows\System32\sowPwVM.exe
  2⤵
  PID:13140
- C:\Windows\System32\lhzmQtB.exe
  C:\Windows\System32\lhzmQtB.exe
  2⤵
  PID:13172
- C:\Windows\System32\GAuhxMe.exe
  C:\Windows\System32\GAuhxMe.exe
  2⤵
  PID:13224
- C:\Windows\System32\HeaPeVZ.exe
  C:\Windows\System32\HeaPeVZ.exe
  2⤵
  PID:13268
- C:\Windows\System32\eXOJQTJ.exe
  C:\Windows\System32\eXOJQTJ.exe
  2⤵
  PID:12468
- C:\Windows\System32\rxkztDc.exe
  C:\Windows\System32\rxkztDc.exe
  2⤵
  PID:12596
- C:\Windows\System32\nSIBBwS.exe
  C:\Windows\System32\nSIBBwS.exe
  2⤵
  PID:12808
- C:\Windows\System32\wUMhcyn.exe
  C:\Windows\System32\wUMhcyn.exe
  2⤵
  PID:12984
- C:\Windows\System32\JpPSxTg.exe
  C:\Windows\System32\JpPSxTg.exe
  2⤵
  PID:13108
- C:\Windows\System32\gZQOtKT.exe
  C:\Windows\System32\gZQOtKT.exe
  2⤵
  PID:13288
- C:\Windows\System32\ttesUgi.exe
  C:\Windows\System32\ttesUgi.exe
  2⤵
  PID:12396
- C:\Windows\System32\wcoeqvw.exe
  C:\Windows\System32\wcoeqvw.exe
  2⤵
  PID:12956
- C:\Windows\System32\ebZJPwU.exe
  C:\Windows\System32\ebZJPwU.exe
  2⤵
  PID:13196
- C:\Windows\System32\dOPORSx.exe
  C:\Windows\System32\dOPORSx.exe
  2⤵
  PID:13068
- C:\Windows\System32\KsuYSez.exe
  C:\Windows\System32\KsuYSez.exe
  2⤵
  PID:12972
- C:\Windows\System32\EVQWaKs.exe
  C:\Windows\System32\EVQWaKs.exe
  2⤵
  PID:13336
- C:\Windows\System32\aTApkWI.exe
  C:\Windows\System32\aTApkWI.exe
  2⤵
  PID:13364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2708,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
1⤵
PID:9208

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AYPDpSK.exe

Filesize
3.4MB

MD5
f60e3133924d52e8c39205e603399509

SHA1
85168ab84c758e6fe0dcee9926521504fea9f7f3

SHA256
38ea6cb91e4d22b51663e60fc7a8f7b4fbc8297a3e1fd51fcc6117c949bd2a16

SHA512
bd3004ea317e12bc14f0a9b2cfa4cb69533b0ecb35f3b940093bcbc4ca5c1459b6d2a21f400b8db93aa804957fedf8f6bbfa83e4246a51a608065d11444f4c0a

Download Submit
C:\Windows\System32\EAhEaSw.exe

Filesize
3.4MB

MD5
3cfb005fefa99c31b654872aa5a327f2

SHA1
c0337681708813596424453f3d40daa03e567a6d

SHA256
b82e10ad4eed433e72ce4d59fad14d93fe5692fbc2aeabbd7cbe5d668bfd1ee3

SHA512
21dc6534d559d67a2910aa4700f220e229455cdbcf222b9a51e51216acb7fdd92e91f96c5dd001ed575ed65fc5079d8265589fddd26d1f8cc6d8c38d0f258ff4

Download Submit
C:\Windows\System32\EOIXNwQ.exe

Filesize
3.4MB

MD5
81097df6d3e5a15761497546f7431b55

SHA1
b2f246947af817af619fba2e1cfa7a2f9f3034fd

SHA256
b37da94e230e99738ea65feafe1b930013097ffdf928dc072a0b4087fd92c271

SHA512
cc21d9d8ed3f723c48355779e021ebfb6f4922ea5efe492ec5b40184a57fb03e7c3bd6c172ddf6d625c24c42146a70e18eeb2040be89f60a382cb6799a7249fd

Download Submit
C:\Windows\System32\EQyTGyX.exe

Filesize
3.4MB

MD5
42c417abccb2fc1016b797423ab3920b

SHA1
bf29265387cb74dcb23eb5dae414541d3d7f12eb

SHA256
0ae998107d89ef8afa8973f63f74c70e6d368db2b3c2cb61aaf9ee5c289c0d46

SHA512
31298c7d14315fc58dd28d09e13c74b78980be30fda73cfbc2360490c50fae723e4506d3615f1c4eb33789d96f1052b3a14441cdf5e8754b01e10df15ddab6a5

Download Submit
C:\Windows\System32\HbXPKSP.exe

Filesize
3.4MB

MD5
21d9f3e0776f50b2e0a098a63393cf53

SHA1
93773c6dc953954ddf0ab7383d59860092530243

SHA256
e41fca016d44372d49995f434d2e168596d223f799792caec1fbc4bac9ec4e1f

SHA512
01f56931d141d99b3e2be8ed0314a7924a82c71c9abf8a8e20dca4b18282521dad02b332ea4df3754b03797686ecefed32944c65cf2fb4a3f48953a2f1f7fb28

Download Submit
C:\Windows\System32\IMgTvUM.exe

Filesize
3.4MB

MD5
83571cd5dc2b385999b13281a65b7234

SHA1
11c6522142112d2ac099e5f334d33f402d680340

SHA256
d1076f21f4c28b0f4e78ff94ae5c8e9d98815e700d72ef2f9296b47173622a75

SHA512
1868733a0a4c98b214c2b89f4f75194c520777d8768b1cbee842035f661ab3e5eafa80611584f0ce463aea3a33fee9d25dfb92b0a1cc852a63376667e48edad5

Download Submit
C:\Windows\System32\JAcUbJj.exe

Filesize
3.4MB

MD5
614954ea5478d47919742f1ad74ea698

SHA1
61996dedac3345d36fdf76733fc0ffa5b4869957

SHA256
620bb40178a29284ab34d00d65a4037f6a81947af76ec6446482b8afe2d0e76c

SHA512
4c9ed74eeb7bfa9e61df962ae6f1edad11a425cd328691af138963eac359aa14ca680705ed0db76470092e685442ad30fa9698b22aeb4b361e981324fc416d51

Download Submit
C:\Windows\System32\JNiDmcw.exe

Filesize
3.4MB

MD5
a71d8334f453c2e1f9258958bbb36579

SHA1
32f859f6b39bb2c7035494cbfadf06e0a9ca3cbe

SHA256
9c3bba01bdcc365b624607db3a825dd8002670b44337512cd76dc3f36b428827

SHA512
a03b055c17f297a3ab5b26f8e58e0c7db5f8ba111c5dae6cc9983b461cf79f0873dcb9d4b4be6e31d539224a3832030a995b6ffb2b82f26f130bd11922554d36

Download Submit
C:\Windows\System32\KJiaiRW.exe

Filesize
3.4MB

MD5
c78066c95d1bbcce04ab2701f5249a29

SHA1
0b78aa394fdb035269d02c12522fc39970ed1d33

SHA256
d6da4edc9bdebd2cce8bdb7b91e1a314bc608a67be67bedfa2b02f4778e0e46c

SHA512
a24e00b6c8d66513a9c0e0b4a0b51c88cb0358b11d26b555dccef6f5bd836d9f7a50b5f15a485bcc2f46c1b8eae695676b28c2f8c4f43048c2c5ffdc1f781654

Download Submit
C:\Windows\System32\PWekCCR.exe

Filesize
3.4MB

MD5
b2bb620d247f48e0c7af40015f792596

SHA1
17db3da2c3a0172ddf8420fa8f67fd9be17f8225

SHA256
5808976fd5c30e842d62faade4b7136fde27e210baf351ccbe55bbfdd210dcef

SHA512
736476f51ebcca0ccbe0222cac9f04af0a9e2b84ed72d1bf13ee223595e10c3807132a74edb40ad0e9c51c54419807a570a3866a3a1bcb8384e74f88cb3f0b25

Download Submit
C:\Windows\System32\TJRABJZ.exe

Filesize
3.4MB

MD5
7692a38306432ef52b40ff100f5d4d90

SHA1
a827c0f7fcffdf99efbce8b5dbfb568069165cee

SHA256
2c3ddb7d4523dcc33be4719891786033d7d1264cb6dddf45d7a7b76cbb3b4d31

SHA512
8264d0b41a809aea4f68e6286784316730e963c58cd3a053d8d3e03fee56cc7466a742003c55beb9fcd1ca8d810ab9d40d0d75f888f01c8c75dea59fd22762a7

Download Submit
C:\Windows\System32\WeKiaZO.exe

Filesize
3.4MB

MD5
852f5f11a2696d6e3a3a5d8d8f29f0f3

SHA1
665b52dc0ca05e05646ed9e72a0320b3279ca921

SHA256
6561f8e0568fca72c8954e6eef71fc93432f5048a466cc4470ff9d110dc93560

SHA512
0e31816bed2f71c2901d1a00aa7150358345fbe82b8b95fcff9e8d11b46f1a239288383008c6e2db5eec08e743de870b2b9faa94bcbb1cf4b2bb367404c98857

Download Submit
C:\Windows\System32\ZFKLwKQ.exe

Filesize
3.4MB

MD5
950ee0c8d3a240a4c5090b3cbaf70954

SHA1
4fae10da71d4080702ea8401a8cb830e83dd57ee

SHA256
c3c1ad65fa3869d008c07b1bd307b42e078e1225c34bb1a32ab8be3c33727a43

SHA512
1ff1f41d1c135692675360b8d26ca58fba1a02f02cb4c7d8e32c7526b91fea5397380749e7622b707403e3e913513afce201d0814065329e9e14eada7c7bca2f

Download Submit
C:\Windows\System32\ZOOIEFL.exe

Filesize
3.4MB

MD5
1ecc6ddcbc7bccd3b2c6041b62bc4d5a

SHA1
153ee5c2fd3fe3b7f8b6c93e46819558c852cf19

SHA256
2ccd3cb37008a0a6024ac125c0f3d473efb82d1994b05727087a2aeffecc610e

SHA512
cf96fc2ba7cf7263214c7a30301d38f204d67a473a0800c0d82ac711a6d02860d74acdd2953b8aeb8e63a02bed2fb8585f756942cd314714dbd02a00c08f237b

Download Submit
C:\Windows\System32\ZapEhfU.exe

Filesize
3.4MB

MD5
7aa96668623d6d90f9684a14c8d2a41d

SHA1
533951053bcbe25b313f4a890d8b2e23f3ab65a0

SHA256
ab69d02237ff55f5e23c4a6641ab865029f01eb574ac38f03aca4b2be0aa0773

SHA512
8455396247c3f6ff0724da8b5998f8f6debd655af27f721c32de2c9a8aaad6f7931d494368535392cc3cceacbf5d4a7e141deb3cf7d27ed7da03dcfd4f1a4c74

Download Submit
C:\Windows\System32\Zcllcqb.exe

Filesize
3.4MB

MD5
90ec5d59dc4da7412a412722e922a4e9

SHA1
051df137bcae5f8195c55a111ed747aed825c7cf

SHA256
6f97dc279de1e9dc60d4308a8c1b713a6675c9b0bc354cbd37e2394e4af26d9c

SHA512
e8072d75b6b8e65c3ebfa5668b218ca108adb0e519cc6344b757bc470bc390545e749ca1c2292a27f02dd5aea385276fa2edfb72ad75b645212168c9c6bb5917

Download Submit
C:\Windows\System32\dMGbHNd.exe

Filesize
3.4MB

MD5
1bc62427cac574ad20303d3afc1f1799

SHA1
1c724de940abe0d6f827b3400358fa03762e3937

SHA256
e5c20478622b2c9c82a93a0d917d15cc887ae51b584d86b8dfa94b993dd6075e

SHA512
ccdb95f73d9d8c4adb4ef9a361bca5bc8c8410c444b67dea870c3ee8052286af52ac73f798c5639ee5c9e04c9c8e9d39a8ca1e26fc99b08e21f2bbff0987a143

Download Submit
C:\Windows\System32\eXzXirq.exe

Filesize
3.4MB

MD5
10e7adb76cc4fa24c6aa14195d4cbbca

SHA1
9b48ac5241cccf040c956d951005252f105ef545

SHA256
706621d95997acf7399251da1b1dc656ce7af5b7038f2623166c899f00164843

SHA512
e008438a9db17061d49e4e27dc7f79fa1e63922157e66b1f167644cffa4bf4c2665f27c42a688c7eb62452913a1a5e877fa4c180ac1193f903749fb713f1dddc

Download Submit
C:\Windows\System32\gVbxJXW.exe

Filesize
3.4MB

MD5
fdf3f7eac3740a8bd9a0f1fa4034ef31

SHA1
26ad04afcf5b97b9e1be1f958a545626ecec2d41

SHA256
ef3c58ca93575ae2227e18c5e61dff7f41a266208381f99bbbd647141fd55d1a

SHA512
026e6e1677f4178e187471b372c6cfba784cd3f9386e461829b460c9915ca99c4c092bf6db4573ab207e41ca7fb2df2367dce733448f900c4815b99181b7b453

Download Submit
C:\Windows\System32\gckHMeK.exe

Filesize
3.4MB

MD5
42f80f42de3eac6046c241c549740ed8

SHA1
218398ca3901c0e381ec4d6082b4a00121943316

SHA256
03a3439b1860a99538a8cad7ed74e7db4a9de857dc762fc9ae1dc8d7839a7e13

SHA512
97f488c27b9ae8ec2b80f466dbef8f2badc4110d6f50b4ee0164eea9681bf42e99deb2eb16c27baced1eda4be06cdd096f859c3bad63d1e42ac201511f16b7b8

Download Submit
C:\Windows\System32\jjwYFUp.exe

Filesize
3.4MB

MD5
b909156f69e3a7d138dd76ae435bef71

SHA1
0c8f16a1744a313b9a98225eb139c2b3b218bb62

SHA256
a1b5f57617f1b63978e328f033dd70e07a85f9ea813634ea45126f157aea1e69

SHA512
1267574ae0259c11d16d7f60e4b2f97b2ac222adf54016766b5b98ce8618ec38578dd9d2ea8eac5e68a7b47bbc2f1157da3fa42b3016681ac3bc4efd9ddc176e

Download Submit
C:\Windows\System32\kMpDkQp.exe

Filesize
3.4MB

MD5
b854b572b8331439a9e60786a826f09a

SHA1
20c503df4a6d2fc6e36817b4075742c7b5f89414

SHA256
a32ee30876334b32dea288a61eb46f9e1353b42ffa348dc2942cec7f17778915

SHA512
6fe0faec6ee88409a7b503ab9bfbd879e5d6bd5d3d36baa76c3ad7291e3b606730a03bd74885342cb1cf3d8bcf72dfd82ed599f784bed3191ebfd31392d6e9ea

Download Submit
C:\Windows\System32\lJIOlbu.exe

Filesize
3.4MB

MD5
d8d7b98ec99501196eb98c04edde6f49

SHA1
a9bbf5f3b5d82a7f575bf33e5f327946e6ea07e2

SHA256
e56e1d1d5ba3ae6b8138cf516a89eed9ab6b6cf5f941267c819bfe96bef3ba6c

SHA512
79d6c312af8e1faa87218013f0da3579fbb99bd1c61824f9f2e78e66545d005d0362784efc264510947006046b7773cd1760f1a999bf94d970014f6a4babb6cb

Download Submit
C:\Windows\System32\ooLXePQ.exe

Filesize
3.4MB

MD5
3444d3d1e21764ef246ec2575869e593

SHA1
fec0f617177f2370cf10723515647f782a30deb5

SHA256
8e8e7a4d34fff69cd0de51950003732c96a1daf81d356b5780ca56c688f02dcd

SHA512
79f0694c9a9005a123140ef81e7a754ecc47564d426110c63a7d85a149d940f624f598287fbf8d51f2e6f8cdcef0988cff4ab58955884ec692ba4afd9d557cbe

Download Submit
C:\Windows\System32\pVGNaPk.exe

Filesize
3.4MB

MD5
d008ed9bff812c2fe2fdb885afb07079

SHA1
32b5f6f5fc0f7b2e65bc3045f6d3fbb8b6764007

SHA256
8af293edf7cc6b8b2de3f75bac9a9d50c26c02000fe4f28e28e6290c2de19f6f

SHA512
32234fa4d64e621723a11c6eeb1956ca5295a681a15d16f1ea205c7ea4a99d43ceaffc017e28059e50ce7d028135b8793fe326f8418adef20ee314c64001029a

Download Submit
C:\Windows\System32\tDYnbcn.exe

Filesize
3.4MB

MD5
26de323a01688ac0355dc3a5136a2b40

SHA1
8ef6d083d98b81788544567a081f0a1f4c09ab41

SHA256
dbc6b9fdd4867b19c49b45a528c76534cec5126366f60af25e5657ae2d158062

SHA512
d53250d83e3068cd632a7d1e300130bf26c3550c8d3da48e17dba445561f5b670736dbf6f3c39cd9430ddac60e83f6797390c65892eba9b883d14221b67a7edf

Download Submit
C:\Windows\System32\utBcEVO.exe

Filesize
3.4MB

MD5
39609381c9b242be894c305eb50b3f5f

SHA1
fd328334f27aed88ace08c8e85267720832fe8c6

SHA256
2b445c2444972f70a9172139c9411dcc49be225416b57f9a787a9c98fcd90f21

SHA512
1f4fdd22e3ee7b145b04456a5b92a2231cfba6fa3882376c2a8b9745ee2bac966b148879634e3499207a6d591a715f7e5a4c51ec01aa2ff137f4c70618ba3762

Download Submit
C:\Windows\System32\vzgukia.exe

Filesize
3.4MB

MD5
2e5b7b1e9bd344b20d7a614df303c24a

SHA1
832c57319af1e78d4ee3c0829c396001df9aafa1

SHA256
7bbf24195089ceef09312abf83ecdf75dc4d20a205c2006a8fd8067da11ffa08

SHA512
3a1cc2a2c5c917e2fd28c7166bc0618f9fc54bab25b6d184ac2e65aa722b4cc2e259e86757491fe04e3d01b1cd7d6c4f015967cc8fb1bfde0b641cdfce61ea99

Download Submit
C:\Windows\System32\waxxKCD.exe

Filesize
3.4MB

MD5
527ca02c4bfc91f14da740b1ffc0682e

SHA1
314bffb667f7aff247e64248b3bf4245107d2563

SHA256
42b7acfaec9dbe5d57ba86b358b8ad4f91d7313e14df737404c79873443e7d4c

SHA512
9111ba2f585814631b6b0ec6b4df1bfabeb807dd976135aff7bd8d3ae5835780b996c992956e1e17faa3ed0f479416fb719fd701da6cd023e87e337f59216db8

Download Submit
C:\Windows\System32\xQcVAmm.exe

Filesize
3.4MB

MD5
82aa84d644fe8e6dde8204c13e08a19c

SHA1
d6c23541ef0650b2f3abb747da348efdc6616b48

SHA256
35938b87d853c67d7ececa3a655c698c71429d999882115de6827c3dffa9b2a1

SHA512
ceeb5d3049e810c6fe2ffb23c075a0c226d5dababf6948d49d083d63abd7a8380e22c7de04c585f62eb63ba434be1c8e5336fb119d6d6fdc77a00179190680a8

Download Submit
C:\Windows\System32\xnCnwAG.exe

Filesize
3.4MB

MD5
20ea08d924756989032b630d44934889

SHA1
e366ec15ea866dfea27e610ad5ca5183a95dadf3

SHA256
96c283bf4d64a7f2a2239b2ca24d76a10d992965c1711e517ee4b7f3f21b6f10

SHA512
cc83b40aeb420490749292b4b433dab27f81599085f0a04e7dbdc812eae1845ec11fdfd5d19a1b84b746ce669c54768f76c648e8e61cb6312f163a64388ec39b

Download Submit
C:\Windows\System32\yHMPkAT.exe

Filesize
3.4MB

MD5
e1afc8664346e563dd9ab45a15775b74

SHA1
64a999d8058f85ea1a82487f2c70836e1129fe13

SHA256
c89b83a57bbbff6591e4105cc6f8653007a6dfb8938cc514059f339e45cb08a2

SHA512
455c8b4db7c4f02011481b6a9e6982fd24639c8b963d7ece5e021a04102bf8750f868c16adfeaf6ceb915a5f828e47d6451df72636f4452fb4cdaafea104529f

Download Submit
C:\Windows\System32\zaxTJXb.exe

Filesize
3.4MB

MD5
0541662a325c716db5519493952f911a

SHA1
77202c917cce90d88af48cc69c931afa05ec7428

SHA256
1ebe5819698428cc5f560efb0b54ee408507ac2a72c1462d71c1d27c1e28792c

SHA512
3d961e659ae8acae5e1cf701a4d01314a9d6db2eba5589f5bc34a8a141595cc680ab124a3704248655594edee5cd63e0f06f0667706dd8ba3164bcb79ea1d3c8

Download Submit
memory/536-1833-0x00007FF62D3B0000-0x00007FF62D7A5000-memory.dmp

Filesize
4.0MB

Download
memory/536-24-0x00007FF62D3B0000-0x00007FF62D7A5000-memory.dmp

Filesize
4.0MB

Download
memory/668-940-0x00007FF6F4D10000-0x00007FF6F5105000-memory.dmp

Filesize
4.0MB

Download
memory/668-1835-0x00007FF6F4D10000-0x00007FF6F5105000-memory.dmp

Filesize
4.0MB

Download
memory/852-956-0x00007FF6DC790000-0x00007FF6DCB85000-memory.dmp

Filesize
4.0MB

Download
memory/852-1849-0x00007FF6DC790000-0x00007FF6DCB85000-memory.dmp

Filesize
4.0MB

Download
memory/900-1842-0x00007FF6A0390000-0x00007FF6A0785000-memory.dmp

Filesize
4.0MB

Download
memory/900-995-0x00007FF6A0390000-0x00007FF6A0785000-memory.dmp

Filesize
4.0MB

Download
memory/1032-1832-0x00007FF6EEE10000-0x00007FF6EF205000-memory.dmp

Filesize
4.0MB

Download
memory/1032-925-0x00007FF6EEE10000-0x00007FF6EF205000-memory.dmp

Filesize
4.0MB

Download
memory/1140-1840-0x00007FF6BE530000-0x00007FF6BE925000-memory.dmp

Filesize
4.0MB

Download
memory/1140-1006-0x00007FF6BE530000-0x00007FF6BE925000-memory.dmp

Filesize
4.0MB

Download
memory/1228-1841-0x00007FF7DDAD0000-0x00007FF7DDEC5000-memory.dmp

Filesize
4.0MB

Download
memory/1228-1004-0x00007FF7DDAD0000-0x00007FF7DDEC5000-memory.dmp

Filesize
4.0MB

Download
memory/1568-1850-0x00007FF7DDC20000-0x00007FF7DE015000-memory.dmp

Filesize
4.0MB

Download
memory/1568-988-0x00007FF7DDC20000-0x00007FF7DE015000-memory.dmp

Filesize
4.0MB

Download
memory/1924-996-0x00007FF7F8C40000-0x00007FF7F9035000-memory.dmp

Filesize
4.0MB

Download
memory/1924-1848-0x00007FF7F8C40000-0x00007FF7F9035000-memory.dmp

Filesize
4.0MB

Download
memory/2692-951-0x00007FF63B510000-0x00007FF63B905000-memory.dmp

Filesize
4.0MB

Download
memory/2692-1839-0x00007FF63B510000-0x00007FF63B905000-memory.dmp

Filesize
4.0MB

Download
memory/2812-1836-0x00007FF767730000-0x00007FF767B25000-memory.dmp

Filesize
4.0MB

Download
memory/2812-941-0x00007FF767730000-0x00007FF767B25000-memory.dmp

Filesize
4.0MB

Download
memory/3196-977-0x00007FF682310000-0x00007FF682705000-memory.dmp

Filesize
4.0MB

Download
memory/3196-1852-0x00007FF682310000-0x00007FF682705000-memory.dmp

Filesize
4.0MB

Download
memory/3412-1844-0x00007FF7662A0000-0x00007FF766695000-memory.dmp

Filesize
4.0MB

Download
memory/3412-992-0x00007FF7662A0000-0x00007FF766695000-memory.dmp

Filesize
4.0MB

Download
memory/3500-1843-0x00007FF6BEFC0000-0x00007FF6BF3B5000-memory.dmp

Filesize
4.0MB

Download
memory/3500-984-0x00007FF6BEFC0000-0x00007FF6BF3B5000-memory.dmp

Filesize
4.0MB

Download
memory/3828-1846-0x00007FF604080000-0x00007FF604475000-memory.dmp

Filesize
4.0MB

Download
memory/3828-999-0x00007FF604080000-0x00007FF604475000-memory.dmp

Filesize
4.0MB

Download
memory/3900-1847-0x00007FF6FA820000-0x00007FF6FAC15000-memory.dmp

Filesize
4.0MB

Download
memory/3900-955-0x00007FF6FA820000-0x00007FF6FAC15000-memory.dmp

Filesize
4.0MB

Download
memory/4004-14-0x00007FF6027F0000-0x00007FF602BE5000-memory.dmp

Filesize
4.0MB

Download
memory/4004-1829-0x00007FF6027F0000-0x00007FF602BE5000-memory.dmp

Filesize
4.0MB

Download
memory/4064-1828-0x00007FF70E560000-0x00007FF70E955000-memory.dmp

Filesize
4.0MB

Download
memory/4064-18-0x00007FF70E560000-0x00007FF70E955000-memory.dmp

Filesize
4.0MB

Download
memory/4064-1831-0x00007FF70E560000-0x00007FF70E955000-memory.dmp

Filesize
4.0MB

Download
memory/4336-17-0x00007FF76D810000-0x00007FF76DC05000-memory.dmp

Filesize
4.0MB

Download
memory/4336-1830-0x00007FF76D810000-0x00007FF76DC05000-memory.dmp

Filesize
4.0MB

Download
memory/4384-1845-0x00007FF759ED0000-0x00007FF75A2C5000-memory.dmp

Filesize
4.0MB

Download
memory/4384-966-0x00007FF759ED0000-0x00007FF75A2C5000-memory.dmp

Filesize
4.0MB

Download
memory/4612-947-0x00007FF717630000-0x00007FF717A25000-memory.dmp

Filesize
4.0MB

Download
memory/4612-1834-0x00007FF717630000-0x00007FF717A25000-memory.dmp

Filesize
4.0MB

Download
memory/4688-1837-0x00007FF747F60000-0x00007FF748355000-memory.dmp

Filesize
4.0MB

Download
memory/4688-934-0x00007FF747F60000-0x00007FF748355000-memory.dmp

Filesize
4.0MB

Download
memory/4716-950-0x00007FF693800000-0x00007FF693BF5000-memory.dmp

Filesize
4.0MB

Download
memory/4716-1838-0x00007FF693800000-0x00007FF693BF5000-memory.dmp

Filesize
4.0MB

Download
memory/5060-0-0x00007FF620050000-0x00007FF620445000-memory.dmp

Filesize
4.0MB

Download
memory/5060-1-0x000001D1D61E0000-0x000001D1D61F0000-memory.dmp

Filesize
64KB

Download
memory/5096-1008-0x00007FF663490000-0x00007FF663885000-memory.dmp

Filesize
4.0MB

Download
memory/5096-1851-0x00007FF663490000-0x00007FF663885000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads