xmrig | 63b98fe6516ad45fdd8ababe1c40fa01b402d6bf4ef719674fea7e8b0373e3be

Analysis

max time kernel
102s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 12:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
Size

1.5MB
MD5

d8aa9da5c6ffb037da6a0e47fbcfda50
SHA1

024365d44e49163bfeff4997d91faf6419180360
SHA256

63b98fe6516ad45fdd8ababe1c40fa01b402d6bf4ef719674fea7e8b0373e3be
SHA512

0abe655b0fb14ba999f7175928174e2320a7d0afb8bbf10f927682a151c07962bfba0472541922fc3bcc18733623299769d4aac322c736e84d89aef7c8b2a0bd
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcqdt3/mbq+KYUQtGbQq8EnNwp7YE1QD6kh:knw9oUUEEDl37jcqdt3uB38NwJuZ

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/3156-12-0x00007FF7D8470000-0x00007FF7D8861000-memory.dmp	xmrig
behavioral2/memory/3572-32-0x00007FF6F5AF0000-0x00007FF6F5EE1000-memory.dmp	xmrig
behavioral2/memory/632-40-0x00007FF7B3FF0000-0x00007FF7B43E1000-memory.dmp	xmrig
behavioral2/memory/1668-359-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp	xmrig
behavioral2/memory/2064-360-0x00007FF7FBB50000-0x00007FF7FBF41000-memory.dmp	xmrig
behavioral2/memory/1272-56-0x00007FF678AD0000-0x00007FF678EC1000-memory.dmp	xmrig
behavioral2/memory/1236-52-0x00007FF60A520000-0x00007FF60A911000-memory.dmp	xmrig
behavioral2/memory/4320-370-0x00007FF6E2910000-0x00007FF6E2D01000-memory.dmp	xmrig
behavioral2/memory/3024-373-0x00007FF63BC20000-0x00007FF63C011000-memory.dmp	xmrig
behavioral2/memory/516-375-0x00007FF650DB0000-0x00007FF6511A1000-memory.dmp	xmrig
behavioral2/memory/968-382-0x00007FF6DE150000-0x00007FF6DE541000-memory.dmp	xmrig
behavioral2/memory/2104-388-0x00007FF6967D0000-0x00007FF696BC1000-memory.dmp	xmrig
behavioral2/memory/1908-400-0x00007FF6ACF10000-0x00007FF6AD301000-memory.dmp	xmrig
behavioral2/memory/2992-418-0x00007FF7E1790000-0x00007FF7E1B81000-memory.dmp	xmrig
behavioral2/memory/2868-427-0x00007FF6D6600000-0x00007FF6D69F1000-memory.dmp	xmrig
behavioral2/memory/2032-453-0x00007FF7F2290000-0x00007FF7F2681000-memory.dmp	xmrig
behavioral2/memory/4812-458-0x00007FF601040000-0x00007FF601431000-memory.dmp	xmrig
behavioral2/memory/4996-447-0x00007FF6748E0000-0x00007FF674CD1000-memory.dmp	xmrig
behavioral2/memory/4984-439-0x00007FF617D60000-0x00007FF618151000-memory.dmp	xmrig
behavioral2/memory/2152-438-0x00007FF705770000-0x00007FF705B61000-memory.dmp	xmrig
behavioral2/memory/4256-404-0x00007FF6BA430000-0x00007FF6BA821000-memory.dmp	xmrig
behavioral2/memory/4516-398-0x00007FF697D10000-0x00007FF698101000-memory.dmp	xmrig
behavioral2/memory/2456-391-0x00007FF7ADC90000-0x00007FF7AE081000-memory.dmp	xmrig
behavioral2/memory/3464-2003-0x00007FF74AE80000-0x00007FF74B271000-memory.dmp	xmrig
behavioral2/memory/3156-2009-0x00007FF7D8470000-0x00007FF7D8861000-memory.dmp	xmrig
behavioral2/memory/3464-2011-0x00007FF74AE80000-0x00007FF74B271000-memory.dmp	xmrig
behavioral2/memory/1236-2015-0x00007FF60A520000-0x00007FF60A911000-memory.dmp	xmrig
behavioral2/memory/3572-2013-0x00007FF6F5AF0000-0x00007FF6F5EE1000-memory.dmp	xmrig
behavioral2/memory/632-2017-0x00007FF7B3FF0000-0x00007FF7B43E1000-memory.dmp	xmrig
behavioral2/memory/4812-2033-0x00007FF601040000-0x00007FF601431000-memory.dmp	xmrig
behavioral2/memory/1272-2019-0x00007FF678AD0000-0x00007FF678EC1000-memory.dmp	xmrig
behavioral2/memory/516-2037-0x00007FF650DB0000-0x00007FF6511A1000-memory.dmp	xmrig
behavioral2/memory/4256-2045-0x00007FF6BA430000-0x00007FF6BA821000-memory.dmp	xmrig
behavioral2/memory/1908-2043-0x00007FF6ACF10000-0x00007FF6AD301000-memory.dmp	xmrig
behavioral2/memory/2152-2051-0x00007FF705770000-0x00007FF705B61000-memory.dmp	xmrig
behavioral2/memory/4984-2053-0x00007FF617D60000-0x00007FF618151000-memory.dmp	xmrig
behavioral2/memory/4996-2055-0x00007FF6748E0000-0x00007FF674CD1000-memory.dmp	xmrig
behavioral2/memory/2868-2049-0x00007FF6D6600000-0x00007FF6D69F1000-memory.dmp	xmrig
behavioral2/memory/2992-2047-0x00007FF7E1790000-0x00007FF7E1B81000-memory.dmp	xmrig
behavioral2/memory/4516-2041-0x00007FF697D10000-0x00007FF698101000-memory.dmp	xmrig
behavioral2/memory/2456-2039-0x00007FF7ADC90000-0x00007FF7AE081000-memory.dmp	xmrig
behavioral2/memory/2064-2035-0x00007FF7FBB50000-0x00007FF7FBF41000-memory.dmp	xmrig
behavioral2/memory/4320-2031-0x00007FF6E2910000-0x00007FF6E2D01000-memory.dmp	xmrig
behavioral2/memory/1668-2029-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp	xmrig
behavioral2/memory/2032-2027-0x00007FF7F2290000-0x00007FF7F2681000-memory.dmp	xmrig
behavioral2/memory/3024-2025-0x00007FF63BC20000-0x00007FF63C011000-memory.dmp	xmrig
behavioral2/memory/2104-2023-0x00007FF6967D0000-0x00007FF696BC1000-memory.dmp	xmrig
behavioral2/memory/968-2021-0x00007FF6DE150000-0x00007FF6DE541000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3156	AZuPHmr.exe
3464	MjEOPtP.exe
1236	XRkCpoP.exe
3572	vAACTtN.exe
632	dacECGo.exe
1272	cAZuTXu.exe
1668	aUbVWfV.exe
2032	zlwVUpd.exe
2064	aHISzad.exe
4320	vgWggtZ.exe
4812	qELJCzC.exe
3024	TFTEfIs.exe
516	JmtHeas.exe
968	BjpKUdO.exe
2104	soRCfIj.exe
2456	RSNhzao.exe
4516	nROBdWz.exe
1908	IMclxTC.exe
4256	JroCZET.exe
2992	LpMVHAS.exe
2868	kMOhbnM.exe
2152	lClVJpH.exe
4984	DjUibJi.exe
4996	CuvMzID.exe
2468	vyHqbVJ.exe
3820	wRmnEPi.exe
924	sabBkCu.exe
1888	SlQmTSU.exe
3292	hWzXZBh.exe
4648	SFOzNrr.exe
2848	cWzWCQH.exe
2944	qbdcWDK.exe
2872	VdzFumV.exe
976	XVOFNEO.exe
3548	GQXtzLn.exe
440	WdEepmo.exe
1176	ZUBDSGs.exe
1604	KuEdySu.exe
3612	sPXAvKA.exe
2160	AjuKjRo.exe
3844	YJweGAF.exe
3972	wlWjUfy.exe
648	AfSnqPD.exe
1900	nSOvsJb.exe
2552	eQxJrgY.exe
1980	PJKLwnw.exe
3608	UCtRwrt.exe
4028	LmCGbvR.exe
1660	pbTWMdi.exe
1536	vODNzIv.exe
2412	xWKekyi.exe
3152	MMaHuuX.exe
4496	tKHJFjT.exe
2368	ghwgcjp.exe
4552	aXreFOD.exe
4380	AZfxDMk.exe
520	UXlAsgB.exe
4220	ThNbaIE.exe
4732	JJmUHYc.exe
208	VIRCHjn.exe
1232	PUQutFg.exe
740	dDYqmLm.exe
4164	Nhrpvrj.exe
3124	HRunFCl.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3188-0-0x00007FF608CC0000-0x00007FF6090B1000-memory.dmp	upx
behavioral2/files/0x000a00000002347c-5.dat	upx
behavioral2/memory/3156-12-0x00007FF7D8470000-0x00007FF7D8861000-memory.dmp	upx
behavioral2/files/0x000800000002349f-11.dat	upx
behavioral2/files/0x00070000000234a1-19.dat	upx
behavioral2/files/0x00070000000234a2-28.dat	upx
behavioral2/memory/3464-26-0x00007FF74AE80000-0x00007FF74B271000-memory.dmp	upx
behavioral2/memory/3572-32-0x00007FF6F5AF0000-0x00007FF6F5EE1000-memory.dmp	upx
behavioral2/files/0x00070000000234a3-34.dat	upx
behavioral2/memory/632-40-0x00007FF7B3FF0000-0x00007FF7B43E1000-memory.dmp	upx
behavioral2/files/0x00070000000234a4-44.dat	upx
behavioral2/files/0x00070000000234a7-48.dat	upx
behavioral2/files/0x00070000000234a8-60.dat	upx
behavioral2/files/0x00070000000234ab-80.dat	upx
behavioral2/files/0x00070000000234ac-85.dat	upx
behavioral2/files/0x00070000000234b0-99.dat	upx
behavioral2/files/0x00070000000234b8-145.dat	upx
behavioral2/files/0x00070000000234bc-165.dat	upx
behavioral2/memory/1668-359-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp	upx
behavioral2/memory/2064-360-0x00007FF7FBB50000-0x00007FF7FBF41000-memory.dmp	upx
behavioral2/files/0x00070000000234be-168.dat	upx
behavioral2/files/0x00070000000234bd-163.dat	upx
behavioral2/files/0x00070000000234bb-160.dat	upx
behavioral2/files/0x00070000000234ba-153.dat	upx
behavioral2/files/0x00070000000234b9-150.dat	upx
behavioral2/files/0x00070000000234b7-138.dat	upx
behavioral2/files/0x00070000000234b6-135.dat	upx
behavioral2/files/0x00070000000234b5-130.dat	upx
behavioral2/files/0x00070000000234b4-125.dat	upx
behavioral2/files/0x00070000000234b3-117.dat	upx
behavioral2/files/0x00070000000234b2-112.dat	upx
behavioral2/files/0x00070000000234b1-107.dat	upx
behavioral2/files/0x00070000000234af-98.dat	upx
behavioral2/files/0x00070000000234ae-92.dat	upx
behavioral2/files/0x00070000000234ad-87.dat	upx
behavioral2/files/0x00070000000234aa-75.dat	upx
behavioral2/files/0x00070000000234a9-70.dat	upx
behavioral2/memory/1272-56-0x00007FF678AD0000-0x00007FF678EC1000-memory.dmp	upx
behavioral2/memory/1236-52-0x00007FF60A520000-0x00007FF60A911000-memory.dmp	upx
behavioral2/files/0x00070000000234a5-51.dat	upx
behavioral2/files/0x00070000000234a6-46.dat	upx
behavioral2/files/0x00070000000234a0-25.dat	upx
behavioral2/memory/4320-370-0x00007FF6E2910000-0x00007FF6E2D01000-memory.dmp	upx
behavioral2/memory/3024-373-0x00007FF63BC20000-0x00007FF63C011000-memory.dmp	upx
behavioral2/memory/516-375-0x00007FF650DB0000-0x00007FF6511A1000-memory.dmp	upx
behavioral2/memory/968-382-0x00007FF6DE150000-0x00007FF6DE541000-memory.dmp	upx
behavioral2/memory/2104-388-0x00007FF6967D0000-0x00007FF696BC1000-memory.dmp	upx
behavioral2/memory/1908-400-0x00007FF6ACF10000-0x00007FF6AD301000-memory.dmp	upx
behavioral2/memory/2992-418-0x00007FF7E1790000-0x00007FF7E1B81000-memory.dmp	upx
behavioral2/memory/2868-427-0x00007FF6D6600000-0x00007FF6D69F1000-memory.dmp	upx
behavioral2/memory/2032-453-0x00007FF7F2290000-0x00007FF7F2681000-memory.dmp	upx
behavioral2/memory/4812-458-0x00007FF601040000-0x00007FF601431000-memory.dmp	upx
behavioral2/memory/4996-447-0x00007FF6748E0000-0x00007FF674CD1000-memory.dmp	upx
behavioral2/memory/4984-439-0x00007FF617D60000-0x00007FF618151000-memory.dmp	upx
behavioral2/memory/2152-438-0x00007FF705770000-0x00007FF705B61000-memory.dmp	upx
behavioral2/memory/4256-404-0x00007FF6BA430000-0x00007FF6BA821000-memory.dmp	upx
behavioral2/memory/4516-398-0x00007FF697D10000-0x00007FF698101000-memory.dmp	upx
behavioral2/memory/2456-391-0x00007FF7ADC90000-0x00007FF7AE081000-memory.dmp	upx
behavioral2/memory/3464-2003-0x00007FF74AE80000-0x00007FF74B271000-memory.dmp	upx
behavioral2/memory/3156-2009-0x00007FF7D8470000-0x00007FF7D8861000-memory.dmp	upx
behavioral2/memory/3464-2011-0x00007FF74AE80000-0x00007FF74B271000-memory.dmp	upx
behavioral2/memory/1236-2015-0x00007FF60A520000-0x00007FF60A911000-memory.dmp	upx
behavioral2/memory/3572-2013-0x00007FF6F5AF0000-0x00007FF6F5EE1000-memory.dmp	upx
behavioral2/memory/632-2017-0x00007FF7B3FF0000-0x00007FF7B43E1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DNmKSoE.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\rnBrwVs.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\ldKXumB.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\uXcBSBD.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\lUWWNQT.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\MtIfVHW.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\nZVZBbl.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\XmVeKIH.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\JAmFGEd.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\nvPMUJR.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\WyuAIVz.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\jIiPXll.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\VHIwrbz.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\VbHxiCk.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\SlQmTSU.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\xdSXrWa.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\HAdjTsD.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\XfojzXg.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\SQZfUsi.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\HbjgYhT.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\JneyOzQ.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\aanIFot.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\GQoaVBJ.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\NJBzTiD.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\OWlCxCS.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\VdzFumV.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\AGRsXAx.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\QwFncvP.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\IMclxTC.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\AZfxDMk.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\VsgNwGG.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\xUMDMNe.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\KspiCXQ.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\vyHqbVJ.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\XLJMwdo.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\oTREKsk.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\OBdSatg.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\deBzwYR.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\WGpGvyE.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\bVhBCbV.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\CbRxnwR.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\cAZuTXu.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\cWzWCQH.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\nJFNjYN.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\HhDAUqR.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\hVezLxp.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\olmPbtK.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\frECXRo.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\oqWRViT.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\tjlihRI.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\WqErkbk.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\wlVRJYc.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\tTSMzMo.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\rtfdpUj.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\XVOFNEO.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\ZmmwGNN.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\uKxRkfy.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\eRHPdep.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\hLEsyii.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\GWemAPP.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\GXlNBJq.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\uZVurYz.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\njjqSIs.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
File created	C:\Windows\System32\DzfVpOT.exe	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13144	dwm.exe
Token: SeChangeNotifyPrivilege	13144	dwm.exe
Token: 33	13144	dwm.exe
Token: SeIncBasePriorityPrivilege	13144	dwm.exe
Token: SeShutdownPrivilege	13144	dwm.exe
Token: SeCreatePagefilePrivilege	13144	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 3156	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	84
PID 3188 wrote to memory of 3156	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	84
PID 3188 wrote to memory of 3464	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	85
PID 3188 wrote to memory of 3464	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	85
PID 3188 wrote to memory of 1236	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	86
PID 3188 wrote to memory of 1236	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	86
PID 3188 wrote to memory of 3572	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	87
PID 3188 wrote to memory of 3572	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	87
PID 3188 wrote to memory of 632	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	88
PID 3188 wrote to memory of 632	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	88
PID 3188 wrote to memory of 1272	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	89
PID 3188 wrote to memory of 1272	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	89
PID 3188 wrote to memory of 2064	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	90
PID 3188 wrote to memory of 2064	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	90
PID 3188 wrote to memory of 1668	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	91
PID 3188 wrote to memory of 1668	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	91
PID 3188 wrote to memory of 2032	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	92
PID 3188 wrote to memory of 2032	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	92
PID 3188 wrote to memory of 4320	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	93
PID 3188 wrote to memory of 4320	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	93
PID 3188 wrote to memory of 4812	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	94
PID 3188 wrote to memory of 4812	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	94
PID 3188 wrote to memory of 3024	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	95
PID 3188 wrote to memory of 3024	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	95
PID 3188 wrote to memory of 516	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	96
PID 3188 wrote to memory of 516	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	96
PID 3188 wrote to memory of 968	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	97
PID 3188 wrote to memory of 968	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	97
PID 3188 wrote to memory of 2104	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	98
PID 3188 wrote to memory of 2104	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	98
PID 3188 wrote to memory of 2456	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	99
PID 3188 wrote to memory of 2456	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	99
PID 3188 wrote to memory of 4516	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	100
PID 3188 wrote to memory of 4516	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	100
PID 3188 wrote to memory of 1908	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	101
PID 3188 wrote to memory of 1908	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	101
PID 3188 wrote to memory of 4256	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	102
PID 3188 wrote to memory of 4256	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	102
PID 3188 wrote to memory of 2992	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	103
PID 3188 wrote to memory of 2992	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	103
PID 3188 wrote to memory of 2868	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	104
PID 3188 wrote to memory of 2868	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	104
PID 3188 wrote to memory of 2152	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	105
PID 3188 wrote to memory of 2152	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	105
PID 3188 wrote to memory of 4984	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	106
PID 3188 wrote to memory of 4984	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	106
PID 3188 wrote to memory of 4996	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	107
PID 3188 wrote to memory of 4996	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	107
PID 3188 wrote to memory of 2468	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	108
PID 3188 wrote to memory of 2468	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	108
PID 3188 wrote to memory of 3820	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	109
PID 3188 wrote to memory of 3820	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	109
PID 3188 wrote to memory of 924	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	110
PID 3188 wrote to memory of 924	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	110
PID 3188 wrote to memory of 1888	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	111
PID 3188 wrote to memory of 1888	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	111
PID 3188 wrote to memory of 3292	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	112
PID 3188 wrote to memory of 3292	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	112
PID 3188 wrote to memory of 4648	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	113
PID 3188 wrote to memory of 4648	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	113
PID 3188 wrote to memory of 2848	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	114
PID 3188 wrote to memory of 2848	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	114
PID 3188 wrote to memory of 2944	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	115
PID 3188 wrote to memory of 2944	3188	d8aa9da5c6ffb037da6a0e47fbcfda50N.exe	115

C:\Users\Admin\AppData\Local\Temp\d8aa9da5c6ffb037da6a0e47fbcfda50N.exe
"C:\Users\Admin\AppData\Local\Temp\d8aa9da5c6ffb037da6a0e47fbcfda50N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\System32\AZuPHmr.exe
  C:\Windows\System32\AZuPHmr.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\MjEOPtP.exe
  C:\Windows\System32\MjEOPtP.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\XRkCpoP.exe
  C:\Windows\System32\XRkCpoP.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System32\vAACTtN.exe
  C:\Windows\System32\vAACTtN.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\dacECGo.exe
  C:\Windows\System32\dacECGo.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System32\cAZuTXu.exe
  C:\Windows\System32\cAZuTXu.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System32\aHISzad.exe
  C:\Windows\System32\aHISzad.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System32\aUbVWfV.exe
  C:\Windows\System32\aUbVWfV.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System32\zlwVUpd.exe
  C:\Windows\System32\zlwVUpd.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System32\vgWggtZ.exe
  C:\Windows\System32\vgWggtZ.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\qELJCzC.exe
  C:\Windows\System32\qELJCzC.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System32\TFTEfIs.exe
  C:\Windows\System32\TFTEfIs.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System32\JmtHeas.exe
  C:\Windows\System32\JmtHeas.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System32\BjpKUdO.exe
  C:\Windows\System32\BjpKUdO.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System32\soRCfIj.exe
  C:\Windows\System32\soRCfIj.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System32\RSNhzao.exe
  C:\Windows\System32\RSNhzao.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System32\nROBdWz.exe
  C:\Windows\System32\nROBdWz.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\IMclxTC.exe
  C:\Windows\System32\IMclxTC.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System32\JroCZET.exe
  C:\Windows\System32\JroCZET.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\LpMVHAS.exe
  C:\Windows\System32\LpMVHAS.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System32\kMOhbnM.exe
  C:\Windows\System32\kMOhbnM.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\lClVJpH.exe
  C:\Windows\System32\lClVJpH.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System32\DjUibJi.exe
  C:\Windows\System32\DjUibJi.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System32\CuvMzID.exe
  C:\Windows\System32\CuvMzID.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System32\vyHqbVJ.exe
  C:\Windows\System32\vyHqbVJ.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System32\wRmnEPi.exe
  C:\Windows\System32\wRmnEPi.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System32\sabBkCu.exe
  C:\Windows\System32\sabBkCu.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System32\SlQmTSU.exe
  C:\Windows\System32\SlQmTSU.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System32\hWzXZBh.exe
  C:\Windows\System32\hWzXZBh.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\SFOzNrr.exe
  C:\Windows\System32\SFOzNrr.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System32\cWzWCQH.exe
  C:\Windows\System32\cWzWCQH.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System32\qbdcWDK.exe
  C:\Windows\System32\qbdcWDK.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System32\VdzFumV.exe
  C:\Windows\System32\VdzFumV.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System32\XVOFNEO.exe
  C:\Windows\System32\XVOFNEO.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System32\GQXtzLn.exe
  C:\Windows\System32\GQXtzLn.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System32\WdEepmo.exe
  C:\Windows\System32\WdEepmo.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\ZUBDSGs.exe
  C:\Windows\System32\ZUBDSGs.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System32\KuEdySu.exe
  C:\Windows\System32\KuEdySu.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System32\sPXAvKA.exe
  C:\Windows\System32\sPXAvKA.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System32\AjuKjRo.exe
  C:\Windows\System32\AjuKjRo.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System32\YJweGAF.exe
  C:\Windows\System32\YJweGAF.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\wlWjUfy.exe
  C:\Windows\System32\wlWjUfy.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System32\AfSnqPD.exe
  C:\Windows\System32\AfSnqPD.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System32\nSOvsJb.exe
  C:\Windows\System32\nSOvsJb.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System32\eQxJrgY.exe
  C:\Windows\System32\eQxJrgY.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System32\PJKLwnw.exe
  C:\Windows\System32\PJKLwnw.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\UCtRwrt.exe
  C:\Windows\System32\UCtRwrt.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System32\LmCGbvR.exe
  C:\Windows\System32\LmCGbvR.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\pbTWMdi.exe
  C:\Windows\System32\pbTWMdi.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System32\vODNzIv.exe
  C:\Windows\System32\vODNzIv.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System32\xWKekyi.exe
  C:\Windows\System32\xWKekyi.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System32\MMaHuuX.exe
  C:\Windows\System32\MMaHuuX.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System32\tKHJFjT.exe
  C:\Windows\System32\tKHJFjT.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\ghwgcjp.exe
  C:\Windows\System32\ghwgcjp.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\aXreFOD.exe
  C:\Windows\System32\aXreFOD.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\AZfxDMk.exe
  C:\Windows\System32\AZfxDMk.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\UXlAsgB.exe
  C:\Windows\System32\UXlAsgB.exe
  2⤵
  - Executes dropped EXE
  PID:520
- C:\Windows\System32\ThNbaIE.exe
  C:\Windows\System32\ThNbaIE.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\JJmUHYc.exe
  C:\Windows\System32\JJmUHYc.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\VIRCHjn.exe
  C:\Windows\System32\VIRCHjn.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System32\PUQutFg.exe
  C:\Windows\System32\PUQutFg.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System32\dDYqmLm.exe
  C:\Windows\System32\dDYqmLm.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\Nhrpvrj.exe
  C:\Windows\System32\Nhrpvrj.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System32\HRunFCl.exe
  C:\Windows\System32\HRunFCl.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System32\NJBzTiD.exe
  C:\Windows\System32\NJBzTiD.exe
  2⤵
  PID:2932
- C:\Windows\System32\TYfacoH.exe
  C:\Windows\System32\TYfacoH.exe
  2⤵
  PID:724
- C:\Windows\System32\bjxBRal.exe
  C:\Windows\System32\bjxBRal.exe
  2⤵
  PID:2168
- C:\Windows\System32\ElKMJUO.exe
  C:\Windows\System32\ElKMJUO.exe
  2⤵
  PID:4856
- C:\Windows\System32\qNcuomG.exe
  C:\Windows\System32\qNcuomG.exe
  2⤵
  PID:780
- C:\Windows\System32\CPRCKFC.exe
  C:\Windows\System32\CPRCKFC.exe
  2⤵
  PID:3540
- C:\Windows\System32\LyaNsMd.exe
  C:\Windows\System32\LyaNsMd.exe
  2⤵
  PID:4452
- C:\Windows\System32\xtnzBaS.exe
  C:\Windows\System32\xtnzBaS.exe
  2⤵
  PID:3116
- C:\Windows\System32\JJjJefZ.exe
  C:\Windows\System32\JJjJefZ.exe
  2⤵
  PID:1316
- C:\Windows\System32\PuJZRfa.exe
  C:\Windows\System32\PuJZRfa.exe
  2⤵
  PID:4184
- C:\Windows\System32\elIVhSd.exe
  C:\Windows\System32\elIVhSd.exe
  2⤵
  PID:1780
- C:\Windows\System32\IKQriJc.exe
  C:\Windows\System32\IKQriJc.exe
  2⤵
  PID:1440
- C:\Windows\System32\heYtvLS.exe
  C:\Windows\System32\heYtvLS.exe
  2⤵
  PID:592
- C:\Windows\System32\snKVbnu.exe
  C:\Windows\System32\snKVbnu.exe
  2⤵
  PID:452
- C:\Windows\System32\AVMDoFx.exe
  C:\Windows\System32\AVMDoFx.exe
  2⤵
  PID:4888
- C:\Windows\System32\vAPFAVc.exe
  C:\Windows\System32\vAPFAVc.exe
  2⤵
  PID:4980
- C:\Windows\System32\XOjeQLr.exe
  C:\Windows\System32\XOjeQLr.exe
  2⤵
  PID:2212
- C:\Windows\System32\VFnkLfZ.exe
  C:\Windows\System32\VFnkLfZ.exe
  2⤵
  PID:556
- C:\Windows\System32\NootAWO.exe
  C:\Windows\System32\NootAWO.exe
  2⤵
  PID:3084
- C:\Windows\System32\RsKTpaZ.exe
  C:\Windows\System32\RsKTpaZ.exe
  2⤵
  PID:5092
- C:\Windows\System32\XLJMwdo.exe
  C:\Windows\System32\XLJMwdo.exe
  2⤵
  PID:216
- C:\Windows\System32\fJSTqDs.exe
  C:\Windows\System32\fJSTqDs.exe
  2⤵
  PID:2280
- C:\Windows\System32\VgNFUNQ.exe
  C:\Windows\System32\VgNFUNQ.exe
  2⤵
  PID:4884
- C:\Windows\System32\bYLjjhQ.exe
  C:\Windows\System32\bYLjjhQ.exe
  2⤵
  PID:1128
- C:\Windows\System32\XnsdQdv.exe
  C:\Windows\System32\XnsdQdv.exe
  2⤵
  PID:1124
- C:\Windows\System32\rBnfzUc.exe
  C:\Windows\System32\rBnfzUc.exe
  2⤵
  PID:768
- C:\Windows\System32\Itedysx.exe
  C:\Windows\System32\Itedysx.exe
  2⤵
  PID:692
- C:\Windows\System32\wXwwFKO.exe
  C:\Windows\System32\wXwwFKO.exe
  2⤵
  PID:2236
- C:\Windows\System32\MwCICXe.exe
  C:\Windows\System32\MwCICXe.exe
  2⤵
  PID:1612
- C:\Windows\System32\WjulrSE.exe
  C:\Windows\System32\WjulrSE.exe
  2⤵
  PID:4272
- C:\Windows\System32\EkwBNiS.exe
  C:\Windows\System32\EkwBNiS.exe
  2⤵
  PID:2256
- C:\Windows\System32\MKmePWE.exe
  C:\Windows\System32\MKmePWE.exe
  2⤵
  PID:2896
- C:\Windows\System32\EtNTWjQ.exe
  C:\Windows\System32\EtNTWjQ.exe
  2⤵
  PID:4108
- C:\Windows\System32\NWARWIS.exe
  C:\Windows\System32\NWARWIS.exe
  2⤵
  PID:4572
- C:\Windows\System32\hPHHWKx.exe
  C:\Windows\System32\hPHHWKx.exe
  2⤵
  PID:4776
- C:\Windows\System32\kQdCSVL.exe
  C:\Windows\System32\kQdCSVL.exe
  2⤵
  PID:4372
- C:\Windows\System32\zxiidmE.exe
  C:\Windows\System32\zxiidmE.exe
  2⤵
  PID:3424
- C:\Windows\System32\CIKYnLl.exe
  C:\Windows\System32\CIKYnLl.exe
  2⤵
  PID:4796
- C:\Windows\System32\AspDqVZ.exe
  C:\Windows\System32\AspDqVZ.exe
  2⤵
  PID:3140
- C:\Windows\System32\ldKXumB.exe
  C:\Windows\System32\ldKXumB.exe
  2⤵
  PID:3144
- C:\Windows\System32\WBzmsse.exe
  C:\Windows\System32\WBzmsse.exe
  2⤵
  PID:1744
- C:\Windows\System32\EJGxztB.exe
  C:\Windows\System32\EJGxztB.exe
  2⤵
  PID:3940
- C:\Windows\System32\FKwAfSU.exe
  C:\Windows\System32\FKwAfSU.exe
  2⤵
  PID:3420
- C:\Windows\System32\khnyDIU.exe
  C:\Windows\System32\khnyDIU.exe
  2⤵
  PID:2348
- C:\Windows\System32\xdSXrWa.exe
  C:\Windows\System32\xdSXrWa.exe
  2⤵
  PID:3004
- C:\Windows\System32\xnbiobQ.exe
  C:\Windows\System32\xnbiobQ.exe
  2⤵
  PID:4976
- C:\Windows\System32\aZeQHYD.exe
  C:\Windows\System32\aZeQHYD.exe
  2⤵
  PID:2996
- C:\Windows\System32\puxjqpP.exe
  C:\Windows\System32\puxjqpP.exe
  2⤵
  PID:2004
- C:\Windows\System32\nzbiOzB.exe
  C:\Windows\System32\nzbiOzB.exe
  2⤵
  PID:4680
- C:\Windows\System32\PDNrtNL.exe
  C:\Windows\System32\PDNrtNL.exe
  2⤵
  PID:752
- C:\Windows\System32\cIggqVx.exe
  C:\Windows\System32\cIggqVx.exe
  2⤵
  PID:348
- C:\Windows\System32\oCyKcwN.exe
  C:\Windows\System32\oCyKcwN.exe
  2⤵
  PID:5164
- C:\Windows\System32\wgIKksk.exe
  C:\Windows\System32\wgIKksk.exe
  2⤵
  PID:5228
- C:\Windows\System32\UHfQcew.exe
  C:\Windows\System32\UHfQcew.exe
  2⤵
  PID:5244
- C:\Windows\System32\TaZBaEu.exe
  C:\Windows\System32\TaZBaEu.exe
  2⤵
  PID:5264
- C:\Windows\System32\gvzDrjN.exe
  C:\Windows\System32\gvzDrjN.exe
  2⤵
  PID:5284
- C:\Windows\System32\nKLStST.exe
  C:\Windows\System32\nKLStST.exe
  2⤵
  PID:5328
- C:\Windows\System32\HvvEaok.exe
  C:\Windows\System32\HvvEaok.exe
  2⤵
  PID:5344
- C:\Windows\System32\ZmmwGNN.exe
  C:\Windows\System32\ZmmwGNN.exe
  2⤵
  PID:5404
- C:\Windows\System32\PkFTxpC.exe
  C:\Windows\System32\PkFTxpC.exe
  2⤵
  PID:5424
- C:\Windows\System32\oOumCdY.exe
  C:\Windows\System32\oOumCdY.exe
  2⤵
  PID:5440
- C:\Windows\System32\sjYcAds.exe
  C:\Windows\System32\sjYcAds.exe
  2⤵
  PID:5480
- C:\Windows\System32\LqeyIZJ.exe
  C:\Windows\System32\LqeyIZJ.exe
  2⤵
  PID:5512
- C:\Windows\System32\GRgibRV.exe
  C:\Windows\System32\GRgibRV.exe
  2⤵
  PID:5588
- C:\Windows\System32\JIVzNfM.exe
  C:\Windows\System32\JIVzNfM.exe
  2⤵
  PID:5620
- C:\Windows\System32\wgYhcRP.exe
  C:\Windows\System32\wgYhcRP.exe
  2⤵
  PID:5640
- C:\Windows\System32\kCktAnP.exe
  C:\Windows\System32\kCktAnP.exe
  2⤵
  PID:5664
- C:\Windows\System32\nEFxhXh.exe
  C:\Windows\System32\nEFxhXh.exe
  2⤵
  PID:5684
- C:\Windows\System32\QIeiZao.exe
  C:\Windows\System32\QIeiZao.exe
  2⤵
  PID:5704
- C:\Windows\System32\MEoOquQ.exe
  C:\Windows\System32\MEoOquQ.exe
  2⤵
  PID:5744
- C:\Windows\System32\XsIdjSI.exe
  C:\Windows\System32\XsIdjSI.exe
  2⤵
  PID:5768
- C:\Windows\System32\RfRacQY.exe
  C:\Windows\System32\RfRacQY.exe
  2⤵
  PID:5796
- C:\Windows\System32\ObRsYtX.exe
  C:\Windows\System32\ObRsYtX.exe
  2⤵
  PID:5860
- C:\Windows\System32\AoSreYY.exe
  C:\Windows\System32\AoSreYY.exe
  2⤵
  PID:5900
- C:\Windows\System32\gPaDUko.exe
  C:\Windows\System32\gPaDUko.exe
  2⤵
  PID:5924
- C:\Windows\System32\leZZmSa.exe
  C:\Windows\System32\leZZmSa.exe
  2⤵
  PID:5940
- C:\Windows\System32\jQoWOOs.exe
  C:\Windows\System32\jQoWOOs.exe
  2⤵
  PID:5960
- C:\Windows\System32\WjnYndv.exe
  C:\Windows\System32\WjnYndv.exe
  2⤵
  PID:5988
- C:\Windows\System32\UcbAGaO.exe
  C:\Windows\System32\UcbAGaO.exe
  2⤵
  PID:6004
- C:\Windows\System32\ZazAcqR.exe
  C:\Windows\System32\ZazAcqR.exe
  2⤵
  PID:6028
- C:\Windows\System32\nmRAQJl.exe
  C:\Windows\System32\nmRAQJl.exe
  2⤵
  PID:6092
- C:\Windows\System32\wrRxQaM.exe
  C:\Windows\System32\wrRxQaM.exe
  2⤵
  PID:6120
- C:\Windows\System32\PqiGiOx.exe
  C:\Windows\System32\PqiGiOx.exe
  2⤵
  PID:5040
- C:\Windows\System32\DKRwVsm.exe
  C:\Windows\System32\DKRwVsm.exe
  2⤵
  PID:4752
- C:\Windows\System32\PaHaVpM.exe
  C:\Windows\System32\PaHaVpM.exe
  2⤵
  PID:2356
- C:\Windows\System32\BPDRwOD.exe
  C:\Windows\System32\BPDRwOD.exe
  2⤵
  PID:5148
- C:\Windows\System32\KoGPStt.exe
  C:\Windows\System32\KoGPStt.exe
  2⤵
  PID:5272
- C:\Windows\System32\FbqZGJs.exe
  C:\Windows\System32\FbqZGJs.exe
  2⤵
  PID:5256
- C:\Windows\System32\Vjuvqxe.exe
  C:\Windows\System32\Vjuvqxe.exe
  2⤵
  PID:5412
- C:\Windows\System32\nZVZBbl.exe
  C:\Windows\System32\nZVZBbl.exe
  2⤵
  PID:5364
- C:\Windows\System32\ZdSOeMg.exe
  C:\Windows\System32\ZdSOeMg.exe
  2⤵
  PID:5468
- C:\Windows\System32\VsgNwGG.exe
  C:\Windows\System32\VsgNwGG.exe
  2⤵
  PID:3172
- C:\Windows\System32\cijTHBP.exe
  C:\Windows\System32\cijTHBP.exe
  2⤵
  PID:5132
- C:\Windows\System32\VsmyuXz.exe
  C:\Windows\System32\VsmyuXz.exe
  2⤵
  PID:5536
- C:\Windows\System32\wrlMhdf.exe
  C:\Windows\System32\wrlMhdf.exe
  2⤵
  PID:5616
- C:\Windows\System32\woxyTPP.exe
  C:\Windows\System32\woxyTPP.exe
  2⤵
  PID:5648
- C:\Windows\System32\RfCUGYx.exe
  C:\Windows\System32\RfCUGYx.exe
  2⤵
  PID:5696
- C:\Windows\System32\kHcWGCn.exe
  C:\Windows\System32\kHcWGCn.exe
  2⤵
  PID:5880
- C:\Windows\System32\IKNGRAL.exe
  C:\Windows\System32\IKNGRAL.exe
  2⤵
  PID:5916
- C:\Windows\System32\pXeVosx.exe
  C:\Windows\System32\pXeVosx.exe
  2⤵
  PID:5936
- C:\Windows\System32\OOpCUlc.exe
  C:\Windows\System32\OOpCUlc.exe
  2⤵
  PID:5972
- C:\Windows\System32\ZlHNqxy.exe
  C:\Windows\System32\ZlHNqxy.exe
  2⤵
  PID:5968
- C:\Windows\System32\kHICxlV.exe
  C:\Windows\System32\kHICxlV.exe
  2⤵
  PID:6104
- C:\Windows\System32\HbjgYhT.exe
  C:\Windows\System32\HbjgYhT.exe
  2⤵
  PID:680
- C:\Windows\System32\nJFNjYN.exe
  C:\Windows\System32\nJFNjYN.exe
  2⤵
  PID:5324
- C:\Windows\System32\OhsUxMx.exe
  C:\Windows\System32\OhsUxMx.exe
  2⤵
  PID:5336
- C:\Windows\System32\frkKUnN.exe
  C:\Windows\System32\frkKUnN.exe
  2⤵
  PID:5448
- C:\Windows\System32\MpUEUkv.exe
  C:\Windows\System32\MpUEUkv.exe
  2⤵
  PID:5476
- C:\Windows\System32\aCSSyHI.exe
  C:\Windows\System32\aCSSyHI.exe
  2⤵
  PID:5828
- C:\Windows\System32\jUYQogi.exe
  C:\Windows\System32\jUYQogi.exe
  2⤵
  PID:5876
- C:\Windows\System32\jIMznyy.exe
  C:\Windows\System32\jIMznyy.exe
  2⤵
  PID:6044
- C:\Windows\System32\brFvkBl.exe
  C:\Windows\System32\brFvkBl.exe
  2⤵
  PID:5432
- C:\Windows\System32\oqWRViT.exe
  C:\Windows\System32\oqWRViT.exe
  2⤵
  PID:4816
- C:\Windows\System32\IqqXhVi.exe
  C:\Windows\System32\IqqXhVi.exe
  2⤵
  PID:5508
- C:\Windows\System32\wzZrQjF.exe
  C:\Windows\System32\wzZrQjF.exe
  2⤵
  PID:6132
- C:\Windows\System32\evLRuWZ.exe
  C:\Windows\System32\evLRuWZ.exe
  2⤵
  PID:6148
- C:\Windows\System32\MiTITna.exe
  C:\Windows\System32\MiTITna.exe
  2⤵
  PID:6172
- C:\Windows\System32\eFmIQlC.exe
  C:\Windows\System32\eFmIQlC.exe
  2⤵
  PID:6196
- C:\Windows\System32\gnarVvz.exe
  C:\Windows\System32\gnarVvz.exe
  2⤵
  PID:6244
- C:\Windows\System32\wfxIecG.exe
  C:\Windows\System32\wfxIecG.exe
  2⤵
  PID:6260
- C:\Windows\System32\BHIgMkn.exe
  C:\Windows\System32\BHIgMkn.exe
  2⤵
  PID:6288
- C:\Windows\System32\geWPWGo.exe
  C:\Windows\System32\geWPWGo.exe
  2⤵
  PID:6308
- C:\Windows\System32\HxfOslu.exe
  C:\Windows\System32\HxfOslu.exe
  2⤵
  PID:6336
- C:\Windows\System32\UmlVJXe.exe
  C:\Windows\System32\UmlVJXe.exe
  2⤵
  PID:6352
- C:\Windows\System32\HVSjGnx.exe
  C:\Windows\System32\HVSjGnx.exe
  2⤵
  PID:6384
- C:\Windows\System32\vVsVwEU.exe
  C:\Windows\System32\vVsVwEU.exe
  2⤵
  PID:6400
- C:\Windows\System32\QdBybcd.exe
  C:\Windows\System32\QdBybcd.exe
  2⤵
  PID:6420
- C:\Windows\System32\OWlCxCS.exe
  C:\Windows\System32\OWlCxCS.exe
  2⤵
  PID:6464
- C:\Windows\System32\UiZeAlo.exe
  C:\Windows\System32\UiZeAlo.exe
  2⤵
  PID:6488
- C:\Windows\System32\FiXJvcg.exe
  C:\Windows\System32\FiXJvcg.exe
  2⤵
  PID:6532
- C:\Windows\System32\KqGsCKd.exe
  C:\Windows\System32\KqGsCKd.exe
  2⤵
  PID:6584
- C:\Windows\System32\KFUKRqd.exe
  C:\Windows\System32\KFUKRqd.exe
  2⤵
  PID:6604
- C:\Windows\System32\EwjjBkS.exe
  C:\Windows\System32\EwjjBkS.exe
  2⤵
  PID:6632
- C:\Windows\System32\cwbxXpw.exe
  C:\Windows\System32\cwbxXpw.exe
  2⤵
  PID:6664
- C:\Windows\System32\KBnsvYh.exe
  C:\Windows\System32\KBnsvYh.exe
  2⤵
  PID:6716
- C:\Windows\System32\CBKqeci.exe
  C:\Windows\System32\CBKqeci.exe
  2⤵
  PID:6732
- C:\Windows\System32\TjEPcoz.exe
  C:\Windows\System32\TjEPcoz.exe
  2⤵
  PID:6752
- C:\Windows\System32\WrSLVfa.exe
  C:\Windows\System32\WrSLVfa.exe
  2⤵
  PID:6780
- C:\Windows\System32\fhzOGdH.exe
  C:\Windows\System32\fhzOGdH.exe
  2⤵
  PID:6804
- C:\Windows\System32\xUSvfxj.exe
  C:\Windows\System32\xUSvfxj.exe
  2⤵
  PID:6828
- C:\Windows\System32\WJrwRBl.exe
  C:\Windows\System32\WJrwRBl.exe
  2⤵
  PID:6856
- C:\Windows\System32\fpEWcra.exe
  C:\Windows\System32\fpEWcra.exe
  2⤵
  PID:6884
- C:\Windows\System32\LqnBRot.exe
  C:\Windows\System32\LqnBRot.exe
  2⤵
  PID:6904
- C:\Windows\System32\sxcEwlN.exe
  C:\Windows\System32\sxcEwlN.exe
  2⤵
  PID:6952
- C:\Windows\System32\ywbhBAO.exe
  C:\Windows\System32\ywbhBAO.exe
  2⤵
  PID:6980
- C:\Windows\System32\XagQUfY.exe
  C:\Windows\System32\XagQUfY.exe
  2⤵
  PID:7004
- C:\Windows\System32\VdmwPNs.exe
  C:\Windows\System32\VdmwPNs.exe
  2⤵
  PID:7020
- C:\Windows\System32\ruMhWuh.exe
  C:\Windows\System32\ruMhWuh.exe
  2⤵
  PID:7092
- C:\Windows\System32\rOXBxIw.exe
  C:\Windows\System32\rOXBxIw.exe
  2⤵
  PID:7112
- C:\Windows\System32\JcEiEaL.exe
  C:\Windows\System32\JcEiEaL.exe
  2⤵
  PID:7132
- C:\Windows\System32\imowqGn.exe
  C:\Windows\System32\imowqGn.exe
  2⤵
  PID:7152
- C:\Windows\System32\xmvYFDB.exe
  C:\Windows\System32\xmvYFDB.exe
  2⤵
  PID:5312
- C:\Windows\System32\yZPJByj.exe
  C:\Windows\System32\yZPJByj.exe
  2⤵
  PID:6204
- C:\Windows\System32\lKKBatf.exe
  C:\Windows\System32\lKKBatf.exe
  2⤵
  PID:6284
- C:\Windows\System32\HaFVWMr.exe
  C:\Windows\System32\HaFVWMr.exe
  2⤵
  PID:6300
- C:\Windows\System32\eEEmsWY.exe
  C:\Windows\System32\eEEmsWY.exe
  2⤵
  PID:6412
- C:\Windows\System32\lBvjewb.exe
  C:\Windows\System32\lBvjewb.exe
  2⤵
  PID:6480
- C:\Windows\System32\zUCUOck.exe
  C:\Windows\System32\zUCUOck.exe
  2⤵
  PID:6512
- C:\Windows\System32\LWeiSET.exe
  C:\Windows\System32\LWeiSET.exe
  2⤵
  PID:6540
- C:\Windows\System32\EEeDiMq.exe
  C:\Windows\System32\EEeDiMq.exe
  2⤵
  PID:6616
- C:\Windows\System32\mcINUmM.exe
  C:\Windows\System32\mcINUmM.exe
  2⤵
  PID:6712
- C:\Windows\System32\Itihojz.exe
  C:\Windows\System32\Itihojz.exe
  2⤵
  PID:6840
- C:\Windows\System32\VqOzfxt.exe
  C:\Windows\System32\VqOzfxt.exe
  2⤵
  PID:6916
- C:\Windows\System32\JHPIcId.exe
  C:\Windows\System32\JHPIcId.exe
  2⤵
  PID:6960
- C:\Windows\System32\iJXFBTo.exe
  C:\Windows\System32\iJXFBTo.exe
  2⤵
  PID:7000
- C:\Windows\System32\vMMnZsO.exe
  C:\Windows\System32\vMMnZsO.exe
  2⤵
  PID:7124
- C:\Windows\System32\fpyRCKP.exe
  C:\Windows\System32\fpyRCKP.exe
  2⤵
  PID:7108
- C:\Windows\System32\jeCkxLt.exe
  C:\Windows\System32\jeCkxLt.exe
  2⤵
  PID:6052
- C:\Windows\System32\bHAkYFx.exe
  C:\Windows\System32\bHAkYFx.exe
  2⤵
  PID:6316
- C:\Windows\System32\tuwJivh.exe
  C:\Windows\System32\tuwJivh.exe
  2⤵
  PID:6500
- C:\Windows\System32\ajCHvXG.exe
  C:\Windows\System32\ajCHvXG.exe
  2⤵
  PID:6612
- C:\Windows\System32\nRRaqpJ.exe
  C:\Windows\System32\nRRaqpJ.exe
  2⤵
  PID:6824
- C:\Windows\System32\nRcfgbh.exe
  C:\Windows\System32\nRcfgbh.exe
  2⤵
  PID:6912
- C:\Windows\System32\nXiCZhv.exe
  C:\Windows\System32\nXiCZhv.exe
  2⤵
  PID:7144
- C:\Windows\System32\EVpKxYk.exe
  C:\Windows\System32\EVpKxYk.exe
  2⤵
  PID:2732
- C:\Windows\System32\TFgkksU.exe
  C:\Windows\System32\TFgkksU.exe
  2⤵
  PID:6660
- C:\Windows\System32\wYmQFli.exe
  C:\Windows\System32\wYmQFli.exe
  2⤵
  PID:5636
- C:\Windows\System32\KVcIBkS.exe
  C:\Windows\System32\KVcIBkS.exe
  2⤵
  PID:6760
- C:\Windows\System32\dKwpNrI.exe
  C:\Windows\System32\dKwpNrI.exe
  2⤵
  PID:7184
- C:\Windows\System32\gzQIehT.exe
  C:\Windows\System32\gzQIehT.exe
  2⤵
  PID:7212
- C:\Windows\System32\BEMkoGB.exe
  C:\Windows\System32\BEMkoGB.exe
  2⤵
  PID:7232
- C:\Windows\System32\UNibeVO.exe
  C:\Windows\System32\UNibeVO.exe
  2⤵
  PID:7256
- C:\Windows\System32\nCkIlWn.exe
  C:\Windows\System32\nCkIlWn.exe
  2⤵
  PID:7276
- C:\Windows\System32\iKRVMLn.exe
  C:\Windows\System32\iKRVMLn.exe
  2⤵
  PID:7308
- C:\Windows\System32\iCaajAG.exe
  C:\Windows\System32\iCaajAG.exe
  2⤵
  PID:7332
- C:\Windows\System32\ClALpTc.exe
  C:\Windows\System32\ClALpTc.exe
  2⤵
  PID:7364
- C:\Windows\System32\FgbGxMj.exe
  C:\Windows\System32\FgbGxMj.exe
  2⤵
  PID:7400
- C:\Windows\System32\YnByemN.exe
  C:\Windows\System32\YnByemN.exe
  2⤵
  PID:7424
- C:\Windows\System32\LIROlci.exe
  C:\Windows\System32\LIROlci.exe
  2⤵
  PID:7468
- C:\Windows\System32\UWcSdrO.exe
  C:\Windows\System32\UWcSdrO.exe
  2⤵
  PID:7504
- C:\Windows\System32\ouAXXQH.exe
  C:\Windows\System32\ouAXXQH.exe
  2⤵
  PID:7520
- C:\Windows\System32\HQjZlFO.exe
  C:\Windows\System32\HQjZlFO.exe
  2⤵
  PID:7540
- C:\Windows\System32\uKxRkfy.exe
  C:\Windows\System32\uKxRkfy.exe
  2⤵
  PID:7556
- C:\Windows\System32\csoLqPk.exe
  C:\Windows\System32\csoLqPk.exe
  2⤵
  PID:7608
- C:\Windows\System32\BuxHcVn.exe
  C:\Windows\System32\BuxHcVn.exe
  2⤵
  PID:7632
- C:\Windows\System32\gxHKXmU.exe
  C:\Windows\System32\gxHKXmU.exe
  2⤵
  PID:7660
- C:\Windows\System32\IFhOAJA.exe
  C:\Windows\System32\IFhOAJA.exe
  2⤵
  PID:7684
- C:\Windows\System32\QHjlJgT.exe
  C:\Windows\System32\QHjlJgT.exe
  2⤵
  PID:7744
- C:\Windows\System32\JYqOQrQ.exe
  C:\Windows\System32\JYqOQrQ.exe
  2⤵
  PID:7760
- C:\Windows\System32\IsEpqYs.exe
  C:\Windows\System32\IsEpqYs.exe
  2⤵
  PID:7784
- C:\Windows\System32\Ljqmdwd.exe
  C:\Windows\System32\Ljqmdwd.exe
  2⤵
  PID:7804
- C:\Windows\System32\aWzVjlj.exe
  C:\Windows\System32\aWzVjlj.exe
  2⤵
  PID:7828
- C:\Windows\System32\uwngjsO.exe
  C:\Windows\System32\uwngjsO.exe
  2⤵
  PID:7860
- C:\Windows\System32\MdvJRIV.exe
  C:\Windows\System32\MdvJRIV.exe
  2⤵
  PID:7888
- C:\Windows\System32\aYAXfyv.exe
  C:\Windows\System32\aYAXfyv.exe
  2⤵
  PID:7908
- C:\Windows\System32\HupMGbk.exe
  C:\Windows\System32\HupMGbk.exe
  2⤵
  PID:7940
- C:\Windows\System32\lSSFdOS.exe
  C:\Windows\System32\lSSFdOS.exe
  2⤵
  PID:7960
- C:\Windows\System32\phEOekC.exe
  C:\Windows\System32\phEOekC.exe
  2⤵
  PID:7988
- C:\Windows\System32\MVJyDrk.exe
  C:\Windows\System32\MVJyDrk.exe
  2⤵
  PID:8008
- C:\Windows\System32\glSsrDY.exe
  C:\Windows\System32\glSsrDY.exe
  2⤵
  PID:8032
- C:\Windows\System32\VhAMIzX.exe
  C:\Windows\System32\VhAMIzX.exe
  2⤵
  PID:8088
- C:\Windows\System32\rRXlwKb.exe
  C:\Windows\System32\rRXlwKb.exe
  2⤵
  PID:8112
- C:\Windows\System32\hfllglY.exe
  C:\Windows\System32\hfllglY.exe
  2⤵
  PID:8128
- C:\Windows\System32\ozSfMua.exe
  C:\Windows\System32\ozSfMua.exe
  2⤵
  PID:8160
- C:\Windows\System32\JnaGuHr.exe
  C:\Windows\System32\JnaGuHr.exe
  2⤵
  PID:6924
- C:\Windows\System32\xLixqYy.exe
  C:\Windows\System32\xLixqYy.exe
  2⤵
  PID:7176
- C:\Windows\System32\XmVeKIH.exe
  C:\Windows\System32\XmVeKIH.exe
  2⤵
  PID:7272
- C:\Windows\System32\ogJeemV.exe
  C:\Windows\System32\ogJeemV.exe
  2⤵
  PID:7340
- C:\Windows\System32\GXlNBJq.exe
  C:\Windows\System32\GXlNBJq.exe
  2⤵
  PID:7408
- C:\Windows\System32\uPUnmXv.exe
  C:\Windows\System32\uPUnmXv.exe
  2⤵
  PID:7464
- C:\Windows\System32\rhEtxrg.exe
  C:\Windows\System32\rhEtxrg.exe
  2⤵
  PID:7512
- C:\Windows\System32\QzfYzBf.exe
  C:\Windows\System32\QzfYzBf.exe
  2⤵
  PID:7584
- C:\Windows\System32\cvsgILw.exe
  C:\Windows\System32\cvsgILw.exe
  2⤵
  PID:7676
- C:\Windows\System32\ecKWUrg.exe
  C:\Windows\System32\ecKWUrg.exe
  2⤵
  PID:7756
- C:\Windows\System32\JAmFGEd.exe
  C:\Windows\System32\JAmFGEd.exe
  2⤵
  PID:7800
- C:\Windows\System32\JneyOzQ.exe
  C:\Windows\System32\JneyOzQ.exe
  2⤵
  PID:8052
- C:\Windows\System32\HTUxAZj.exe
  C:\Windows\System32\HTUxAZj.exe
  2⤵
  PID:8108
- C:\Windows\System32\lrMWotf.exe
  C:\Windows\System32\lrMWotf.exe
  2⤵
  PID:8120
- C:\Windows\System32\bYWkavQ.exe
  C:\Windows\System32\bYWkavQ.exe
  2⤵
  PID:7172
- C:\Windows\System32\AaKjKHL.exe
  C:\Windows\System32\AaKjKHL.exe
  2⤵
  PID:6472
- C:\Windows\System32\tahPLUn.exe
  C:\Windows\System32\tahPLUn.exe
  2⤵
  PID:7268
- C:\Windows\System32\YNkBRfH.exe
  C:\Windows\System32\YNkBRfH.exe
  2⤵
  PID:7396
- C:\Windows\System32\KnrqVfo.exe
  C:\Windows\System32\KnrqVfo.exe
  2⤵
  PID:7416
- C:\Windows\System32\REWcCEt.exe
  C:\Windows\System32\REWcCEt.exe
  2⤵
  PID:7496
- C:\Windows\System32\ndKpapn.exe
  C:\Windows\System32\ndKpapn.exe
  2⤵
  PID:7624
- C:\Windows\System32\SHisISY.exe
  C:\Windows\System32\SHisISY.exe
  2⤵
  PID:7752
- C:\Windows\System32\uXcBSBD.exe
  C:\Windows\System32\uXcBSBD.exe
  2⤵
  PID:7692
- C:\Windows\System32\HhDAUqR.exe
  C:\Windows\System32\HhDAUqR.exe
  2⤵
  PID:7592
- C:\Windows\System32\XVqwbbM.exe
  C:\Windows\System32\XVqwbbM.exe
  2⤵
  PID:8200
- C:\Windows\System32\tnVOQpD.exe
  C:\Windows\System32\tnVOQpD.exe
  2⤵
  PID:8216
- C:\Windows\System32\YkOiyok.exe
  C:\Windows\System32\YkOiyok.exe
  2⤵
  PID:8232
- C:\Windows\System32\hIJfMtG.exe
  C:\Windows\System32\hIJfMtG.exe
  2⤵
  PID:8248
- C:\Windows\System32\QWWnsmP.exe
  C:\Windows\System32\QWWnsmP.exe
  2⤵
  PID:8264
- C:\Windows\System32\OBdSatg.exe
  C:\Windows\System32\OBdSatg.exe
  2⤵
  PID:8280
- C:\Windows\System32\QfDRNan.exe
  C:\Windows\System32\QfDRNan.exe
  2⤵
  PID:8296
- C:\Windows\System32\tjlihRI.exe
  C:\Windows\System32\tjlihRI.exe
  2⤵
  PID:8316
- C:\Windows\System32\itmhSxg.exe
  C:\Windows\System32\itmhSxg.exe
  2⤵
  PID:8332
- C:\Windows\System32\FbTFhRQ.exe
  C:\Windows\System32\FbTFhRQ.exe
  2⤵
  PID:8348
- C:\Windows\System32\qhYLcQi.exe
  C:\Windows\System32\qhYLcQi.exe
  2⤵
  PID:8500
- C:\Windows\System32\ZBYdDjc.exe
  C:\Windows\System32\ZBYdDjc.exe
  2⤵
  PID:8536
- C:\Windows\System32\xXwDehI.exe
  C:\Windows\System32\xXwDehI.exe
  2⤵
  PID:8564
- C:\Windows\System32\zLBqEay.exe
  C:\Windows\System32\zLBqEay.exe
  2⤵
  PID:8616
- C:\Windows\System32\HAdjTsD.exe
  C:\Windows\System32\HAdjTsD.exe
  2⤵
  PID:8640
- C:\Windows\System32\pyBWGji.exe
  C:\Windows\System32\pyBWGji.exe
  2⤵
  PID:8660
- C:\Windows\System32\XfojzXg.exe
  C:\Windows\System32\XfojzXg.exe
  2⤵
  PID:8676
- C:\Windows\System32\JufhhAH.exe
  C:\Windows\System32\JufhhAH.exe
  2⤵
  PID:8708
- C:\Windows\System32\rhxXWCe.exe
  C:\Windows\System32\rhxXWCe.exe
  2⤵
  PID:8880
- C:\Windows\System32\LTkqPMB.exe
  C:\Windows\System32\LTkqPMB.exe
  2⤵
  PID:8904
- C:\Windows\System32\CbPsYlm.exe
  C:\Windows\System32\CbPsYlm.exe
  2⤵
  PID:8920
- C:\Windows\System32\FcKnGvJ.exe
  C:\Windows\System32\FcKnGvJ.exe
  2⤵
  PID:8944
- C:\Windows\System32\OOKTHQS.exe
  C:\Windows\System32\OOKTHQS.exe
  2⤵
  PID:8980
- C:\Windows\System32\XoaXIHv.exe
  C:\Windows\System32\XoaXIHv.exe
  2⤵
  PID:9000
- C:\Windows\System32\iyAQHnV.exe
  C:\Windows\System32\iyAQHnV.exe
  2⤵
  PID:9024
- C:\Windows\System32\DQRImJi.exe
  C:\Windows\System32\DQRImJi.exe
  2⤵
  PID:9044
- C:\Windows\System32\ORVYjEN.exe
  C:\Windows\System32\ORVYjEN.exe
  2⤵
  PID:9064
- C:\Windows\System32\SyWwpRx.exe
  C:\Windows\System32\SyWwpRx.exe
  2⤵
  PID:9096
- C:\Windows\System32\PsUiziV.exe
  C:\Windows\System32\PsUiziV.exe
  2⤵
  PID:9116
- C:\Windows\System32\SQZfUsi.exe
  C:\Windows\System32\SQZfUsi.exe
  2⤵
  PID:9140
- C:\Windows\System32\nvPMUJR.exe
  C:\Windows\System32\nvPMUJR.exe
  2⤵
  PID:9176
- C:\Windows\System32\rRXxtPL.exe
  C:\Windows\System32\rRXxtPL.exe
  2⤵
  PID:7880
- C:\Windows\System32\mhaNGxl.exe
  C:\Windows\System32\mhaNGxl.exe
  2⤵
  PID:7628
- C:\Windows\System32\mGKxcJj.exe
  C:\Windows\System32\mGKxcJj.exe
  2⤵
  PID:7836
- C:\Windows\System32\VRniDPh.exe
  C:\Windows\System32\VRniDPh.exe
  2⤵
  PID:7900
- C:\Windows\System32\GNiNOWz.exe
  C:\Windows\System32\GNiNOWz.exe
  2⤵
  PID:8020
- C:\Windows\System32\uZVurYz.exe
  C:\Windows\System32\uZVurYz.exe
  2⤵
  PID:8304
- C:\Windows\System32\BSmZLCC.exe
  C:\Windows\System32\BSmZLCC.exe
  2⤵
  PID:8356
- C:\Windows\System32\QxxHyVB.exe
  C:\Windows\System32\QxxHyVB.exe
  2⤵
  PID:7516
- C:\Windows\System32\jZHcuDQ.exe
  C:\Windows\System32\jZHcuDQ.exe
  2⤵
  PID:8400
- C:\Windows\System32\DrrDwtK.exe
  C:\Windows\System32\DrrDwtK.exe
  2⤵
  PID:8416
- C:\Windows\System32\zTrbXXr.exe
  C:\Windows\System32\zTrbXXr.exe
  2⤵
  PID:8456
- C:\Windows\System32\yyPbbaM.exe
  C:\Windows\System32\yyPbbaM.exe
  2⤵
  PID:8532
- C:\Windows\System32\bmWISFj.exe
  C:\Windows\System32\bmWISFj.exe
  2⤵
  PID:8548
- C:\Windows\System32\KZwvPaV.exe
  C:\Windows\System32\KZwvPaV.exe
  2⤵
  PID:8760
- C:\Windows\System32\xUMDMNe.exe
  C:\Windows\System32\xUMDMNe.exe
  2⤵
  PID:8796
- C:\Windows\System32\vhMRDUB.exe
  C:\Windows\System32\vhMRDUB.exe
  2⤵
  PID:8752
- C:\Windows\System32\kULNybo.exe
  C:\Windows\System32\kULNybo.exe
  2⤵
  PID:8896
- C:\Windows\System32\lqZWAEE.exe
  C:\Windows\System32\lqZWAEE.exe
  2⤵
  PID:8892
- C:\Windows\System32\RUILdMX.exe
  C:\Windows\System32\RUILdMX.exe
  2⤵
  PID:9072
- C:\Windows\System32\gKUiOnk.exe
  C:\Windows\System32\gKUiOnk.exe
  2⤵
  PID:9132
- C:\Windows\System32\TGRQUll.exe
  C:\Windows\System32\TGRQUll.exe
  2⤵
  PID:9152
- C:\Windows\System32\yoltMvu.exe
  C:\Windows\System32\yoltMvu.exe
  2⤵
  PID:7852
- C:\Windows\System32\bRdQZqr.exe
  C:\Windows\System32\bRdQZqr.exe
  2⤵
  PID:8256
- C:\Windows\System32\JzIqCVN.exe
  C:\Windows\System32\JzIqCVN.exe
  2⤵
  PID:7552
- C:\Windows\System32\oSDAErb.exe
  C:\Windows\System32\oSDAErb.exe
  2⤵
  PID:8476
- C:\Windows\System32\ONEBGCx.exe
  C:\Windows\System32\ONEBGCx.exe
  2⤵
  PID:7652
- C:\Windows\System32\eRHPdep.exe
  C:\Windows\System32\eRHPdep.exe
  2⤵
  PID:8464
- C:\Windows\System32\VTxwwyW.exe
  C:\Windows\System32\VTxwwyW.exe
  2⤵
  PID:8656
- C:\Windows\System32\aanIFot.exe
  C:\Windows\System32\aanIFot.exe
  2⤵
  PID:8748
- C:\Windows\System32\oTAEAWc.exe
  C:\Windows\System32\oTAEAWc.exe
  2⤵
  PID:8956
- C:\Windows\System32\focVIIm.exe
  C:\Windows\System32\focVIIm.exe
  2⤵
  PID:9148
- C:\Windows\System32\FLGNCSB.exe
  C:\Windows\System32\FLGNCSB.exe
  2⤵
  PID:7956
- C:\Windows\System32\eCEtEAq.exe
  C:\Windows\System32\eCEtEAq.exe
  2⤵
  PID:7656
- C:\Windows\System32\eboBXyW.exe
  C:\Windows\System32\eboBXyW.exe
  2⤵
  PID:8808
- C:\Windows\System32\nGUSgui.exe
  C:\Windows\System32\nGUSgui.exe
  2⤵
  PID:7772
- C:\Windows\System32\GnKtYJP.exe
  C:\Windows\System32\GnKtYJP.exe
  2⤵
  PID:8608
- C:\Windows\System32\qAArllh.exe
  C:\Windows\System32\qAArllh.exe
  2⤵
  PID:9224
- C:\Windows\System32\TGJAHQj.exe
  C:\Windows\System32\TGJAHQj.exe
  2⤵
  PID:9256
- C:\Windows\System32\WyuAIVz.exe
  C:\Windows\System32\WyuAIVz.exe
  2⤵
  PID:9280
- C:\Windows\System32\znAQAWx.exe
  C:\Windows\System32\znAQAWx.exe
  2⤵
  PID:9300
- C:\Windows\System32\NJBwxaw.exe
  C:\Windows\System32\NJBwxaw.exe
  2⤵
  PID:9328
- C:\Windows\System32\QJzOICY.exe
  C:\Windows\System32\QJzOICY.exe
  2⤵
  PID:9356
- C:\Windows\System32\hUvudmx.exe
  C:\Windows\System32\hUvudmx.exe
  2⤵
  PID:9372
- C:\Windows\System32\ZmqUGcB.exe
  C:\Windows\System32\ZmqUGcB.exe
  2⤵
  PID:9396
- C:\Windows\System32\OWOEMuY.exe
  C:\Windows\System32\OWOEMuY.exe
  2⤵
  PID:9416
- C:\Windows\System32\GQoaVBJ.exe
  C:\Windows\System32\GQoaVBJ.exe
  2⤵
  PID:9464
- C:\Windows\System32\OBymHuV.exe
  C:\Windows\System32\OBymHuV.exe
  2⤵
  PID:9508
- C:\Windows\System32\pZcSsPY.exe
  C:\Windows\System32\pZcSsPY.exe
  2⤵
  PID:9536
- C:\Windows\System32\lQFHRbM.exe
  C:\Windows\System32\lQFHRbM.exe
  2⤵
  PID:9552
- C:\Windows\System32\KqwyNQf.exe
  C:\Windows\System32\KqwyNQf.exe
  2⤵
  PID:9576
- C:\Windows\System32\hJCqwUc.exe
  C:\Windows\System32\hJCqwUc.exe
  2⤵
  PID:9612
- C:\Windows\System32\oOtFMdh.exe
  C:\Windows\System32\oOtFMdh.exe
  2⤵
  PID:9632
- C:\Windows\System32\MKRnYvq.exe
  C:\Windows\System32\MKRnYvq.exe
  2⤵
  PID:9660
- C:\Windows\System32\QJrDcNE.exe
  C:\Windows\System32\QJrDcNE.exe
  2⤵
  PID:9680
- C:\Windows\System32\dyBiKZo.exe
  C:\Windows\System32\dyBiKZo.exe
  2⤵
  PID:9704
- C:\Windows\System32\tosBseU.exe
  C:\Windows\System32\tosBseU.exe
  2⤵
  PID:9736
- C:\Windows\System32\YImaNgq.exe
  C:\Windows\System32\YImaNgq.exe
  2⤵
  PID:9764
- C:\Windows\System32\njjqSIs.exe
  C:\Windows\System32\njjqSIs.exe
  2⤵
  PID:9788
- C:\Windows\System32\bsLmluc.exe
  C:\Windows\System32\bsLmluc.exe
  2⤵
  PID:9820
- C:\Windows\System32\IFYiDZb.exe
  C:\Windows\System32\IFYiDZb.exe
  2⤵
  PID:9868
- C:\Windows\System32\sbQFqAA.exe
  C:\Windows\System32\sbQFqAA.exe
  2⤵
  PID:9896
- C:\Windows\System32\FNzLjmw.exe
  C:\Windows\System32\FNzLjmw.exe
  2⤵
  PID:9920
- C:\Windows\System32\LCWskQg.exe
  C:\Windows\System32\LCWskQg.exe
  2⤵
  PID:9940
- C:\Windows\System32\hrxrozw.exe
  C:\Windows\System32\hrxrozw.exe
  2⤵
  PID:9960
- C:\Windows\System32\lPMChXd.exe
  C:\Windows\System32\lPMChXd.exe
  2⤵
  PID:10000
- C:\Windows\System32\fClAwRK.exe
  C:\Windows\System32\fClAwRK.exe
  2⤵
  PID:10036
- C:\Windows\System32\ZfryUgk.exe
  C:\Windows\System32\ZfryUgk.exe
  2⤵
  PID:10072
- C:\Windows\System32\ZztGQQs.exe
  C:\Windows\System32\ZztGQQs.exe
  2⤵
  PID:10096
- C:\Windows\System32\BWAJrTP.exe
  C:\Windows\System32\BWAJrTP.exe
  2⤵
  PID:10120
- C:\Windows\System32\sNrZCPa.exe
  C:\Windows\System32\sNrZCPa.exe
  2⤵
  PID:10140
- C:\Windows\System32\fOJxoKw.exe
  C:\Windows\System32\fOJxoKw.exe
  2⤵
  PID:10188
- C:\Windows\System32\EfPHvot.exe
  C:\Windows\System32\EfPHvot.exe
  2⤵
  PID:10216
- C:\Windows\System32\YqJcoAD.exe
  C:\Windows\System32\YqJcoAD.exe
  2⤵
  PID:10236
- C:\Windows\System32\RBtHaAn.exe
  C:\Windows\System32\RBtHaAn.exe
  2⤵
  PID:9232
- C:\Windows\System32\hVezLxp.exe
  C:\Windows\System32\hVezLxp.exe
  2⤵
  PID:9264
- C:\Windows\System32\lApkWRY.exe
  C:\Windows\System32\lApkWRY.exe
  2⤵
  PID:9340
- C:\Windows\System32\ABhRcGt.exe
  C:\Windows\System32\ABhRcGt.exe
  2⤵
  PID:9380
- C:\Windows\System32\rvtDUdg.exe
  C:\Windows\System32\rvtDUdg.exe
  2⤵
  PID:9548
- C:\Windows\System32\mXFjoEe.exe
  C:\Windows\System32\mXFjoEe.exe
  2⤵
  PID:9624
- C:\Windows\System32\rmWmsAD.exe
  C:\Windows\System32\rmWmsAD.exe
  2⤵
  PID:9644
- C:\Windows\System32\DzfVpOT.exe
  C:\Windows\System32\DzfVpOT.exe
  2⤵
  PID:9700
- C:\Windows\System32\xJvLMRt.exe
  C:\Windows\System32\xJvLMRt.exe
  2⤵
  PID:9756
- C:\Windows\System32\tmbdqsy.exe
  C:\Windows\System32\tmbdqsy.exe
  2⤵
  PID:9812
- C:\Windows\System32\yarGvPt.exe
  C:\Windows\System32\yarGvPt.exe
  2⤵
  PID:9828
- C:\Windows\System32\mqdjsKS.exe
  C:\Windows\System32\mqdjsKS.exe
  2⤵
  PID:9892
- C:\Windows\System32\WqErkbk.exe
  C:\Windows\System32\WqErkbk.exe
  2⤵
  PID:9932
- C:\Windows\System32\hOimkIR.exe
  C:\Windows\System32\hOimkIR.exe
  2⤵
  PID:10032
- C:\Windows\System32\VMXhZLh.exe
  C:\Windows\System32\VMXhZLh.exe
  2⤵
  PID:10116
- C:\Windows\System32\AGRsXAx.exe
  C:\Windows\System32\AGRsXAx.exe
  2⤵
  PID:10196
- C:\Windows\System32\WfnnKdV.exe
  C:\Windows\System32\WfnnKdV.exe
  2⤵
  PID:8340
- C:\Windows\System32\tFxkQoP.exe
  C:\Windows\System32\tFxkQoP.exe
  2⤵
  PID:9348
- C:\Windows\System32\mUclMhJ.exe
  C:\Windows\System32\mUclMhJ.exe
  2⤵
  PID:9516
- C:\Windows\System32\gJdxMCZ.exe
  C:\Windows\System32\gJdxMCZ.exe
  2⤵
  PID:9688
- C:\Windows\System32\PWZVRWB.exe
  C:\Windows\System32\PWZVRWB.exe
  2⤵
  PID:9716
- C:\Windows\System32\YvdeJfh.exe
  C:\Windows\System32\YvdeJfh.exe
  2⤵
  PID:9836
- C:\Windows\System32\WzOvOVY.exe
  C:\Windows\System32\WzOvOVY.exe
  2⤵
  PID:9864
- C:\Windows\System32\gRiKhPV.exe
  C:\Windows\System32\gRiKhPV.exe
  2⤵
  PID:10016
- C:\Windows\System32\sQyKgCD.exe
  C:\Windows\System32\sQyKgCD.exe
  2⤵
  PID:8344
- C:\Windows\System32\GJJgeMp.exe
  C:\Windows\System32\GJJgeMp.exe
  2⤵
  PID:9676
- C:\Windows\System32\sAKmnVx.exe
  C:\Windows\System32\sAKmnVx.exe
  2⤵
  PID:10252
- C:\Windows\System32\bVhBCbV.exe
  C:\Windows\System32\bVhBCbV.exe
  2⤵
  PID:10276
- C:\Windows\System32\TPGaxwm.exe
  C:\Windows\System32\TPGaxwm.exe
  2⤵
  PID:10292
- C:\Windows\System32\tJAljCz.exe
  C:\Windows\System32\tJAljCz.exe
  2⤵
  PID:10328
- C:\Windows\System32\grvwLck.exe
  C:\Windows\System32\grvwLck.exe
  2⤵
  PID:10368
- C:\Windows\System32\whtHXYD.exe
  C:\Windows\System32\whtHXYD.exe
  2⤵
  PID:10396
- C:\Windows\System32\JJFLrjq.exe
  C:\Windows\System32\JJFLrjq.exe
  2⤵
  PID:10424
- C:\Windows\System32\HqlNVpa.exe
  C:\Windows\System32\HqlNVpa.exe
  2⤵
  PID:10452
- C:\Windows\System32\rRoAVVe.exe
  C:\Windows\System32\rRoAVVe.exe
  2⤵
  PID:10472
- C:\Windows\System32\DHKRkHw.exe
  C:\Windows\System32\DHKRkHw.exe
  2⤵
  PID:10492
- C:\Windows\System32\DsODEnv.exe
  C:\Windows\System32\DsODEnv.exe
  2⤵
  PID:10512
- C:\Windows\System32\XWyWTTD.exe
  C:\Windows\System32\XWyWTTD.exe
  2⤵
  PID:10532
- C:\Windows\System32\AGdKNsB.exe
  C:\Windows\System32\AGdKNsB.exe
  2⤵
  PID:10552
- C:\Windows\System32\DNmKSoE.exe
  C:\Windows\System32\DNmKSoE.exe
  2⤵
  PID:10584
- C:\Windows\System32\grXRops.exe
  C:\Windows\System32\grXRops.exe
  2⤵
  PID:10608
- C:\Windows\System32\itvZCcF.exe
  C:\Windows\System32\itvZCcF.exe
  2⤵
  PID:10660
- C:\Windows\System32\zelPXtJ.exe
  C:\Windows\System32\zelPXtJ.exe
  2⤵
  PID:10684
- C:\Windows\System32\aSlxQJX.exe
  C:\Windows\System32\aSlxQJX.exe
  2⤵
  PID:10720
- C:\Windows\System32\GnVUjDP.exe
  C:\Windows\System32\GnVUjDP.exe
  2⤵
  PID:10752
- C:\Windows\System32\wmRSjfO.exe
  C:\Windows\System32\wmRSjfO.exe
  2⤵
  PID:10780
- C:\Windows\System32\ZHRpVzP.exe
  C:\Windows\System32\ZHRpVzP.exe
  2⤵
  PID:10800
- C:\Windows\System32\pvmoKhz.exe
  C:\Windows\System32\pvmoKhz.exe
  2⤵
  PID:10836
- C:\Windows\System32\LuyDaBh.exe
  C:\Windows\System32\LuyDaBh.exe
  2⤵
  PID:10888
- C:\Windows\System32\ZZMlLZz.exe
  C:\Windows\System32\ZZMlLZz.exe
  2⤵
  PID:10912
- C:\Windows\System32\JwbTHyH.exe
  C:\Windows\System32\JwbTHyH.exe
  2⤵
  PID:10940
- C:\Windows\System32\mITQmGa.exe
  C:\Windows\System32\mITQmGa.exe
  2⤵
  PID:10956
- C:\Windows\System32\VahlFls.exe
  C:\Windows\System32\VahlFls.exe
  2⤵
  PID:10984
- C:\Windows\System32\XnMQeJh.exe
  C:\Windows\System32\XnMQeJh.exe
  2⤵
  PID:11004
- C:\Windows\System32\AnILnUG.exe
  C:\Windows\System32\AnILnUG.exe
  2⤵
  PID:11028
- C:\Windows\System32\jIiPXll.exe
  C:\Windows\System32\jIiPXll.exe
  2⤵
  PID:11048
- C:\Windows\System32\eLhDDtd.exe
  C:\Windows\System32\eLhDDtd.exe
  2⤵
  PID:11076
- C:\Windows\System32\BddYkOZ.exe
  C:\Windows\System32\BddYkOZ.exe
  2⤵
  PID:11096
- C:\Windows\System32\QHTixNY.exe
  C:\Windows\System32\QHTixNY.exe
  2⤵
  PID:11112
- C:\Windows\System32\FjIyEXD.exe
  C:\Windows\System32\FjIyEXD.exe
  2⤵
  PID:11136
- C:\Windows\System32\TPzePIC.exe
  C:\Windows\System32\TPzePIC.exe
  2⤵
  PID:11164
- C:\Windows\System32\wlVRJYc.exe
  C:\Windows\System32\wlVRJYc.exe
  2⤵
  PID:11188
- C:\Windows\System32\GZgkAZu.exe
  C:\Windows\System32\GZgkAZu.exe
  2⤵
  PID:11240
- C:\Windows\System32\xpTcAKE.exe
  C:\Windows\System32\xpTcAKE.exe
  2⤵
  PID:10212
- C:\Windows\System32\tSvACPJ.exe
  C:\Windows\System32\tSvACPJ.exe
  2⤵
  PID:10272
- C:\Windows\System32\hLEsyii.exe
  C:\Windows\System32\hLEsyii.exe
  2⤵
  PID:10352
- C:\Windows\System32\LZjMxdy.exe
  C:\Windows\System32\LZjMxdy.exe
  2⤵
  PID:10444
- C:\Windows\System32\WIyfKTI.exe
  C:\Windows\System32\WIyfKTI.exe
  2⤵
  PID:10508
- C:\Windows\System32\CjAxIfo.exe
  C:\Windows\System32\CjAxIfo.exe
  2⤵
  PID:10580
- C:\Windows\System32\gCiXBfI.exe
  C:\Windows\System32\gCiXBfI.exe
  2⤵
  PID:10648
- C:\Windows\System32\JsCNIGA.exe
  C:\Windows\System32\JsCNIGA.exe
  2⤵
  PID:10676
- C:\Windows\System32\hWcYuNw.exe
  C:\Windows\System32\hWcYuNw.exe
  2⤵
  PID:10764
- C:\Windows\System32\FKdQueR.exe
  C:\Windows\System32\FKdQueR.exe
  2⤵
  PID:10796
- C:\Windows\System32\qzddFXV.exe
  C:\Windows\System32\qzddFXV.exe
  2⤵
  PID:10848
- C:\Windows\System32\zqZpZkM.exe
  C:\Windows\System32\zqZpZkM.exe
  2⤵
  PID:10952
- C:\Windows\System32\jiElTJH.exe
  C:\Windows\System32\jiElTJH.exe
  2⤵
  PID:10992
- C:\Windows\System32\owhayKP.exe
  C:\Windows\System32\owhayKP.exe
  2⤵
  PID:11064
- C:\Windows\System32\lxEjMae.exe
  C:\Windows\System32\lxEjMae.exe
  2⤵
  PID:11132
- C:\Windows\System32\ZZdKfrm.exe
  C:\Windows\System32\ZZdKfrm.exe
  2⤵
  PID:11172
- C:\Windows\System32\WIzIvZV.exe
  C:\Windows\System32\WIzIvZV.exe
  2⤵
  PID:10228
- C:\Windows\System32\tTSMzMo.exe
  C:\Windows\System32\tTSMzMo.exe
  2⤵
  PID:10284
- C:\Windows\System32\FHtSZIy.exe
  C:\Windows\System32\FHtSZIy.exe
  2⤵
  PID:10384
- C:\Windows\System32\TFbzNcu.exe
  C:\Windows\System32\TFbzNcu.exe
  2⤵
  PID:10572
- C:\Windows\System32\fFuphXm.exe
  C:\Windows\System32\fFuphXm.exe
  2⤵
  PID:10680
- C:\Windows\System32\bZDcFET.exe
  C:\Windows\System32\bZDcFET.exe
  2⤵
  PID:10704
- C:\Windows\System32\cdXGniP.exe
  C:\Windows\System32\cdXGniP.exe
  2⤵
  PID:11020
- C:\Windows\System32\wYpSpry.exe
  C:\Windows\System32\wYpSpry.exe
  2⤵
  PID:11152
- C:\Windows\System32\FHfiXbd.exe
  C:\Windows\System32\FHfiXbd.exe
  2⤵
  PID:10048
- C:\Windows\System32\FrwrWft.exe
  C:\Windows\System32\FrwrWft.exe
  2⤵
  PID:10696
- C:\Windows\System32\flNjPqg.exe
  C:\Windows\System32\flNjPqg.exe
  2⤵
  PID:11024
- C:\Windows\System32\NYPsHnJ.exe
  C:\Windows\System32\NYPsHnJ.exe
  2⤵
  PID:10616
- C:\Windows\System32\CbRxnwR.exe
  C:\Windows\System32\CbRxnwR.exe
  2⤵
  PID:11284
- C:\Windows\System32\BNGaLTW.exe
  C:\Windows\System32\BNGaLTW.exe
  2⤵
  PID:11332
- C:\Windows\System32\cbhbbzO.exe
  C:\Windows\System32\cbhbbzO.exe
  2⤵
  PID:11352
- C:\Windows\System32\OIpLxgu.exe
  C:\Windows\System32\OIpLxgu.exe
  2⤵
  PID:11376
- C:\Windows\System32\DTpQZKD.exe
  C:\Windows\System32\DTpQZKD.exe
  2⤵
  PID:11416
- C:\Windows\System32\RDMzrMO.exe
  C:\Windows\System32\RDMzrMO.exe
  2⤵
  PID:11436
- C:\Windows\System32\xcSRfXs.exe
  C:\Windows\System32\xcSRfXs.exe
  2⤵
  PID:11460
- C:\Windows\System32\VDiIenR.exe
  C:\Windows\System32\VDiIenR.exe
  2⤵
  PID:11484
- C:\Windows\System32\ixYgLHc.exe
  C:\Windows\System32\ixYgLHc.exe
  2⤵
  PID:11516
- C:\Windows\System32\CaqhKEw.exe
  C:\Windows\System32\CaqhKEw.exe
  2⤵
  PID:11536
- C:\Windows\System32\sOzFNkW.exe
  C:\Windows\System32\sOzFNkW.exe
  2⤵
  PID:11560
- C:\Windows\System32\RUwfAnv.exe
  C:\Windows\System32\RUwfAnv.exe
  2⤵
  PID:11596
- C:\Windows\System32\NhaOnSL.exe
  C:\Windows\System32\NhaOnSL.exe
  2⤵
  PID:11628
- C:\Windows\System32\YbfodTC.exe
  C:\Windows\System32\YbfodTC.exe
  2⤵
  PID:11660
- C:\Windows\System32\HJWmvCH.exe
  C:\Windows\System32\HJWmvCH.exe
  2⤵
  PID:11684
- C:\Windows\System32\mpOoIGf.exe
  C:\Windows\System32\mpOoIGf.exe
  2⤵
  PID:11716
- C:\Windows\System32\tafuaGg.exe
  C:\Windows\System32\tafuaGg.exe
  2⤵
  PID:11744
- C:\Windows\System32\SuJuRTW.exe
  C:\Windows\System32\SuJuRTW.exe
  2⤵
  PID:11776
- C:\Windows\System32\ycUdOBt.exe
  C:\Windows\System32\ycUdOBt.exe
  2⤵
  PID:11792
- C:\Windows\System32\mykjEuC.exe
  C:\Windows\System32\mykjEuC.exe
  2⤵
  PID:11820
- C:\Windows\System32\mIyNpWO.exe
  C:\Windows\System32\mIyNpWO.exe
  2⤵
  PID:11844
- C:\Windows\System32\eQOgUOR.exe
  C:\Windows\System32\eQOgUOR.exe
  2⤵
  PID:11860
- C:\Windows\System32\cXTiJfF.exe
  C:\Windows\System32\cXTiJfF.exe
  2⤵
  PID:11892
- C:\Windows\System32\pCKchUO.exe
  C:\Windows\System32\pCKchUO.exe
  2⤵
  PID:11916
- C:\Windows\System32\iqBcNuo.exe
  C:\Windows\System32\iqBcNuo.exe
  2⤵
  PID:11948
- C:\Windows\System32\VHIwrbz.exe
  C:\Windows\System32\VHIwrbz.exe
  2⤵
  PID:11976
- C:\Windows\System32\jeqZZKw.exe
  C:\Windows\System32\jeqZZKw.exe
  2⤵
  PID:12036
- C:\Windows\System32\tgZmeHk.exe
  C:\Windows\System32\tgZmeHk.exe
  2⤵
  PID:12056
- C:\Windows\System32\cvbHJun.exe
  C:\Windows\System32\cvbHJun.exe
  2⤵
  PID:12084
- C:\Windows\System32\hadyErr.exe
  C:\Windows\System32\hadyErr.exe
  2⤵
  PID:12124
- C:\Windows\System32\qrtxfLm.exe
  C:\Windows\System32\qrtxfLm.exe
  2⤵
  PID:12148
- C:\Windows\System32\OvCdIrf.exe
  C:\Windows\System32\OvCdIrf.exe
  2⤵
  PID:12172
- C:\Windows\System32\KQSEDBA.exe
  C:\Windows\System32\KQSEDBA.exe
  2⤵
  PID:12204
- C:\Windows\System32\TVmpMMe.exe
  C:\Windows\System32\TVmpMMe.exe
  2⤵
  PID:12220
- C:\Windows\System32\IOIEYRe.exe
  C:\Windows\System32\IOIEYRe.exe
  2⤵
  PID:12248
- C:\Windows\System32\olmPbtK.exe
  C:\Windows\System32\olmPbtK.exe
  2⤵
  PID:12268
- C:\Windows\System32\JnRPFRo.exe
  C:\Windows\System32\JnRPFRo.exe
  2⤵
  PID:11248
- C:\Windows\System32\hNicnPK.exe
  C:\Windows\System32\hNicnPK.exe
  2⤵
  PID:11300
- C:\Windows\System32\OenroNH.exe
  C:\Windows\System32\OenroNH.exe
  2⤵
  PID:11404
- C:\Windows\System32\YIZouxK.exe
  C:\Windows\System32\YIZouxK.exe
  2⤵
  PID:11432
- C:\Windows\System32\dIdCzqW.exe
  C:\Windows\System32\dIdCzqW.exe
  2⤵
  PID:11512
- C:\Windows\System32\tmpoMbn.exe
  C:\Windows\System32\tmpoMbn.exe
  2⤵
  PID:11544
- C:\Windows\System32\kzKyLit.exe
  C:\Windows\System32\kzKyLit.exe
  2⤵
  PID:11604
- C:\Windows\System32\UyYJnvl.exe
  C:\Windows\System32\UyYJnvl.exe
  2⤵
  PID:11700
- C:\Windows\System32\rnBrwVs.exe
  C:\Windows\System32\rnBrwVs.exe
  2⤵
  PID:11768
- C:\Windows\System32\rtfdpUj.exe
  C:\Windows\System32\rtfdpUj.exe
  2⤵
  PID:11852
- C:\Windows\System32\deBzwYR.exe
  C:\Windows\System32\deBzwYR.exe
  2⤵
  PID:11940
- C:\Windows\System32\HUncYNC.exe
  C:\Windows\System32\HUncYNC.exe
  2⤵
  PID:12008
- C:\Windows\System32\oTREKsk.exe
  C:\Windows\System32\oTREKsk.exe
  2⤵
  PID:12076
- C:\Windows\System32\evcjDEa.exe
  C:\Windows\System32\evcjDEa.exe
  2⤵
  PID:12120
- C:\Windows\System32\ZnBchpo.exe
  C:\Windows\System32\ZnBchpo.exe
  2⤵
  PID:12160
- C:\Windows\System32\vOBQFZP.exe
  C:\Windows\System32\vOBQFZP.exe
  2⤵
  PID:12212
- C:\Windows\System32\QwFncvP.exe
  C:\Windows\System32\QwFncvP.exe
  2⤵
  PID:10300
- C:\Windows\System32\ArpMlgQ.exe
  C:\Windows\System32\ArpMlgQ.exe
  2⤵
  PID:11312
- C:\Windows\System32\yZXRazE.exe
  C:\Windows\System32\yZXRazE.exe
  2⤵
  PID:11392
- C:\Windows\System32\nknPDxm.exe
  C:\Windows\System32\nknPDxm.exe
  2⤵
  PID:11548
- C:\Windows\System32\YNRySLu.exe
  C:\Windows\System32\YNRySLu.exe
  2⤵
  PID:10464
- C:\Windows\System32\DlkdAJs.exe
  C:\Windows\System32\DlkdAJs.exe
  2⤵
  PID:2444
- C:\Windows\System32\PBxbGKD.exe
  C:\Windows\System32\PBxbGKD.exe
  2⤵
  PID:1344
- C:\Windows\System32\PFRzjgB.exe
  C:\Windows\System32\PFRzjgB.exe
  2⤵
  PID:12072
- C:\Windows\System32\KspiCXQ.exe
  C:\Windows\System32\KspiCXQ.exe
  2⤵
  PID:12244
- C:\Windows\System32\JxWYdMW.exe
  C:\Windows\System32\JxWYdMW.exe
  2⤵
  PID:11556
- C:\Windows\System32\EiCQgKf.exe
  C:\Windows\System32\EiCQgKf.exe
  2⤵
  PID:11960
- C:\Windows\System32\xXjhZRP.exe
  C:\Windows\System32\xXjhZRP.exe
  2⤵
  PID:12164
- C:\Windows\System32\GZOXGEK.exe
  C:\Windows\System32\GZOXGEK.exe
  2⤵
  PID:11532
- C:\Windows\System32\AzQrDlO.exe
  C:\Windows\System32\AzQrDlO.exe
  2⤵
  PID:11872
- C:\Windows\System32\tITXAyL.exe
  C:\Windows\System32\tITXAyL.exe
  2⤵
  PID:12308
- C:\Windows\System32\ByYKuQh.exe
  C:\Windows\System32\ByYKuQh.exe
  2⤵
  PID:12332
- C:\Windows\System32\EQJGpZa.exe
  C:\Windows\System32\EQJGpZa.exe
  2⤵
  PID:12360
- C:\Windows\System32\sQemhWk.exe
  C:\Windows\System32\sQemhWk.exe
  2⤵
  PID:12380
- C:\Windows\System32\hvkTdcZ.exe
  C:\Windows\System32\hvkTdcZ.exe
  2⤵
  PID:12400
- C:\Windows\System32\tIcwXCa.exe
  C:\Windows\System32\tIcwXCa.exe
  2⤵
  PID:12448
- C:\Windows\System32\hvpZxdF.exe
  C:\Windows\System32\hvpZxdF.exe
  2⤵
  PID:12488
- C:\Windows\System32\HgcdPoS.exe
  C:\Windows\System32\HgcdPoS.exe
  2⤵
  PID:12508
- C:\Windows\System32\HckUvyA.exe
  C:\Windows\System32\HckUvyA.exe
  2⤵
  PID:12536
- C:\Windows\System32\WGpGvyE.exe
  C:\Windows\System32\WGpGvyE.exe
  2⤵
  PID:12556
- C:\Windows\System32\OLXhJYf.exe
  C:\Windows\System32\OLXhJYf.exe
  2⤵
  PID:12596
- C:\Windows\System32\AKzWCqH.exe
  C:\Windows\System32\AKzWCqH.exe
  2⤵
  PID:12616
- C:\Windows\System32\GObgjnw.exe
  C:\Windows\System32\GObgjnw.exe
  2⤵
  PID:12648
- C:\Windows\System32\rGiRanc.exe
  C:\Windows\System32\rGiRanc.exe
  2⤵
  PID:12672
- C:\Windows\System32\BcuXsGq.exe
  C:\Windows\System32\BcuXsGq.exe
  2⤵
  PID:12692
- C:\Windows\System32\LtnmCys.exe
  C:\Windows\System32\LtnmCys.exe
  2⤵
  PID:12736
- C:\Windows\System32\HuoYhJj.exe
  C:\Windows\System32\HuoYhJj.exe
  2⤵
  PID:12760
- C:\Windows\System32\kmZyHEQ.exe
  C:\Windows\System32\kmZyHEQ.exe
  2⤵
  PID:12804
- C:\Windows\System32\lUWWNQT.exe
  C:\Windows\System32\lUWWNQT.exe
  2⤵
  PID:12836
- C:\Windows\System32\AUJZXhy.exe
  C:\Windows\System32\AUJZXhy.exe
  2⤵
  PID:12860
- C:\Windows\System32\nZgclTU.exe
  C:\Windows\System32\nZgclTU.exe
  2⤵
  PID:12880
- C:\Windows\System32\AqdJbTS.exe
  C:\Windows\System32\AqdJbTS.exe
  2⤵
  PID:12908
- C:\Windows\System32\zFpCPVX.exe
  C:\Windows\System32\zFpCPVX.exe
  2⤵
  PID:12968
- C:\Windows\System32\GWemAPP.exe
  C:\Windows\System32\GWemAPP.exe
  2⤵
  PID:12992
- C:\Windows\System32\RQQIUgh.exe
  C:\Windows\System32\RQQIUgh.exe
  2⤵
  PID:13016
- C:\Windows\System32\nmlFvJH.exe
  C:\Windows\System32\nmlFvJH.exe
  2⤵
  PID:13040
- C:\Windows\System32\gZxnhdP.exe
  C:\Windows\System32\gZxnhdP.exe
  2⤵
  PID:13064
- C:\Windows\System32\OftwFQa.exe
  C:\Windows\System32\OftwFQa.exe
  2⤵
  PID:13108
- C:\Windows\System32\kaEfZec.exe
  C:\Windows\System32\kaEfZec.exe
  2⤵
  PID:13132

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AZuPHmr.exe

Filesize
1.5MB

MD5
7a26f6ce1e73cfdbf0c94964ad53c7a4

SHA1
4256fc3b10903366fcedf870b7ab5f6dec45cf45

SHA256
8fef7e23dacd79f07afea8796d004ed5a34d62083cc41cca091bcb83b826f144

SHA512
e30beb08eb6d1a5140c31bf0f6ca65978c92cca94db3936c4727afbdd9d07dcdd51393e2ed3f0a6f611ebd20d5d149187eee2fd395e94070dfd883330902680a

Download Submit
C:\Windows\System32\BjpKUdO.exe

Filesize
1.5MB

MD5
ebc1dffc552e999597ecb0f4bbb83450

SHA1
e63bf64640a889b97f772b2d1290bebf12bfd9a8

SHA256
2e34b626a266bb8bff577dcc662c2efebf907da8180aecf67d8227af530fe181

SHA512
22bcd590e67db95f2cb97732b7733c9387070044c2698110a20edc5a3dedea9bb960e2b821238b6f038a2638d489b9c0a1c86b800cb92abe72ab3a85cc32344e

Download Submit
C:\Windows\System32\CuvMzID.exe

Filesize
1.5MB

MD5
f8ff040d9d9316b5762dd1591cb3cd4d

SHA1
7363252f0d4b4c04ce72b828fa418c59bfd80c57

SHA256
5a5fd3f01661a327cd93b0b0b238057e2ca594fb7a7e63c42669097578c7a33f

SHA512
ab4a9a152e832ea8fd5fc1870b9f3370b01fe97491dccb48bf4087431353f9fa88721ddbdb42eaee0bbb03b28dbe5e65be0a98c1eeedad7a47525f517b4c96c7

Download Submit
C:\Windows\System32\DjUibJi.exe

Filesize
1.5MB

MD5
7e50a07607c6ee734933df00cacc50eb

SHA1
23b438f74b85c1ba78b4f38669582c359a797e0d

SHA256
155bcc69b196304a5cdfcf63744afd02ba0b39972387060b1b09a6fc997a046e

SHA512
e9f441b9b2bb7709ad290a39250555ba767592087e2077240849004a81a577c61cbb4637394818b7a22180e7e196add5fb73e517452ceabc6637d39766ec0259

Download Submit
C:\Windows\System32\IMclxTC.exe

Filesize
1.5MB

MD5
b5fda4608188c75936141d5c65699568

SHA1
99c5912e2f50acb1eb2d47b2b53a830eca0aedd7

SHA256
e0b4777691e80c0273bf40a9bab9a9d38e3c26f20f6e3d683c3b806192778d12

SHA512
34f48fc806a980665fef1820c7f565dff8e0c08f065a9a4a87a9dd2480f9faa917f7188989f185903b69e4456d5fc6a2f2a56524dbfc1ce0d0b570ab370008a9

Download Submit
C:\Windows\System32\JmtHeas.exe

Filesize
1.5MB

MD5
e280c3b412ac311b5442a690d0d690f7

SHA1
aea0ec9720a63e6b51341e7ade0c87c63f2cfb93

SHA256
ea2f8cb052000916d5a2a1fac5515ee02944691ec49bf39eaa0232b05e4b0882

SHA512
0e2afc65778abc0612b085e87bdbbaece7f3a853ed8c1092dcbe2149b137c091c03c040019fed7a735eef2f8c6e263faf6ae40dff6ddc24907a9694068be35fe

Download Submit
C:\Windows\System32\JroCZET.exe

Filesize
1.5MB

MD5
f88ffa3a808b4f95d8cbdf11727eeafd

SHA1
6b577277e90000e159657f41d225f909fcd7d935

SHA256
699e540bb88de7c1510e0b3575c89491b7464c11d68e38b781a67339cda79433

SHA512
14b09b333b8dd09f77f5158a9756e79ae4a344a95e6a812516649ee4fb8bfb2c88714cd2062a0f250ad978e4bfc9a4b0332bb0cb17e4fc82584dc7f1aec30f99

Download Submit
C:\Windows\System32\LpMVHAS.exe

Filesize
1.5MB

MD5
a0f7dde6a8b0874aeda16a86764c772d

SHA1
e923207229c70a831463124c4c938e3bc33c7353

SHA256
57b7e7bbc7ed22edacdccebc50bcd15b24c5b9dc5dd591914339eee8cc2ef9f8

SHA512
aabf2b66997f8e9f66d92e8820c4e239158a43476a151c1900ceb80a47bc45d7a8cbb00a2581766bf6a30fc84e8d55b909831fc4534b76ba3f8a95142940b629

Download Submit
C:\Windows\System32\MjEOPtP.exe

Filesize
1.5MB

MD5
05ca96866e51ad70e79bb19ece6f544a

SHA1
9cc8862aa75e8d3ecbee0667d5fa230de43dfad2

SHA256
e72398ae0f376622005109567b0a9004a94263a2750cd1e395d6f9fc993f3169

SHA512
defd1c4903be25e0b945b44c751a446e59dd619a0d48642c844088881882387e93883bfe8781c072ab943fc0c784b39a96fc4e4410e6deb134bbce4337255a08

Download Submit
C:\Windows\System32\RSNhzao.exe

Filesize
1.5MB

MD5
8a9db84275a447d684442022530f0856

SHA1
76384d9e378fcfcd1d109a8814315fcf94b7f0b1

SHA256
e7144b3d19edcfec4e1f87f3325f9ee932d384ae91e24b496f5c9749bc1f41ac

SHA512
c9eb9430e5d1bfec90850aac700045f6ee27acb63af2232e5a0e9fdfa8b1bcd059fa15d4a92d0451f242b2ec633c85cae20f3899b21a0bda6d2f22af8f7a5eb9

Download Submit
C:\Windows\System32\SFOzNrr.exe

Filesize
1.5MB

MD5
6c66409a8699932e7b6dd1ed61e7d9a4

SHA1
4329c474dbbe4472c90db799c773f203fe9b98ae

SHA256
66960b52ea685090697b3e38aae53ae455232b292f2e7390faf9c1ee3953f7af

SHA512
bb8946e0f9e938991b4c9a60480dab0a22b856d09b831fd433c57ac671fb90c9520ec496fd1734a2d754955afce0489e0ba8370118d6c9f0278f7042d895c6f2

Download Submit
C:\Windows\System32\SlQmTSU.exe

Filesize
1.5MB

MD5
19addce3404fc5c38a8fd02394cc0fe7

SHA1
e3e2e6c46913b4c945289bae6528072b5e7591e2

SHA256
85162b84d385f64c34a3b940e42437ea48348b25d3d4cc3eb8f500071f3f6dd0

SHA512
fa48b74902668fff527cc1465afbc40416efecef986d608eb3f8218b69cf6da8167109271cdf1dda20ea2755735621826e0987f0d93fb4adcfb949d381659709

Download Submit
C:\Windows\System32\TFTEfIs.exe

Filesize
1.5MB

MD5
db47e32b511df128e6d7b88c67aa05ee

SHA1
b182922010f6401e7620ee948a04a5a9a77c71e3

SHA256
9959f1b4785944b9ee3fb7d0a9a408da369dcf916123aed9cd0de5abe9ae6238

SHA512
4881304f99f69f1987d0d0cab5672b64892573285ffcb769a0daed17134b695776d757360a63cc6c6087f27f672a64ebfe3cfb94e35d21cfa06557f7decce19b

Download Submit
C:\Windows\System32\VdzFumV.exe

Filesize
1.5MB

MD5
6855e92f6e94a0132ae2523071162bd0

SHA1
8addce6ea77135b80ddea855c5b8a29ba19205f7

SHA256
63175ab458a2fd37f436c1805f0458d686a99900e51226711154e8602c35d88f

SHA512
6983a3a038319c603e90a652da9d84f12bf75febde1a4ac57f4e688404e8ddf2fae6e35cc4060bc1e63457cf087ea90f1e31f276e790e11d41a08ea048efd870

Download Submit
C:\Windows\System32\XRkCpoP.exe

Filesize
1.5MB

MD5
2494306b78ae1c54213688f1cb1d71b9

SHA1
301241c2f5aa383ecadcc5bc0d7420c7cf35bef2

SHA256
daca4b24ec6ac3b82e508f05f808013ec50aa326319e66c2a0eafc4fab9c0ada

SHA512
fdbc5fc8187580237014b8fdab82ac5de9d1940f311f1e9a7aec62a4662b06bd44e0f95024591e7da81f48819d9f6c4466313626f8d80e965b835ec40160da57

Download Submit
C:\Windows\System32\aHISzad.exe

Filesize
1.5MB

MD5
b82104239687fb480cd1121b597e6078

SHA1
1eabac71070897672eb93a6a5cd65851195003ee

SHA256
424e3d951d1a4f361392e274020d5cfef339736c998b98d5cf6aa371d7dbf63c

SHA512
e6265f3ef5e0625902e0dc9cb0628368300ebc85f3dab967deff1dace3db65bca5c5d15ea9dc225aa483570c7eb948e5f05a7a33c4ee09b3d676202394db291b

Download Submit
C:\Windows\System32\aUbVWfV.exe

Filesize
1.5MB

MD5
127c57ddfe533150be3b4251ca81e336

SHA1
14a9246e6ede163e08c2dffb43a20045ec04999d

SHA256
325c2d14e8933f9db7a78556bf5e116d9ae2bdefc2ecce76a1a410a26c1db1e2

SHA512
54f4b6d507cc6bc93ec80c0a81717452708aa4655cdcf5082992a6d98aadfec06b229211fbf55931648784862793f001761174f6aa9191654d52e2798a876d2f

Download Submit
C:\Windows\System32\cAZuTXu.exe

Filesize
1.5MB

MD5
30deddfc970a50aa8e5da5bee80750f4

SHA1
ebd6ae29a0d369763ed5a8fd4ea203543a2c8b57

SHA256
0adb63ecfa0ed9824f5f59da74ff4e928e610f9890b9af8f3bfc8f355c503ce8

SHA512
470f32ea7c8cfa9d81e6ef2aeecb1a080ca9af6115dde0bed1393f47699807735c8446871c0e9ff57d8cb4f34298686dd3322b514abbc452e115780c4fd262d2

Download Submit
C:\Windows\System32\cWzWCQH.exe

Filesize
1.5MB

MD5
04212d1648de1254d077fe7a688db9f7

SHA1
4e8ab2a569beb77381fb1a18b47e349a1c219511

SHA256
09e1e86a5240da6980ab134dda9661d115031edb8bf335959dd5433adc61d294

SHA512
ef8af4f54bcfbdd915b133593e7159de049364f85427a7d270b96aed7a144cbdeecf973067fa20fc63d1b283b358764ac24ce723961e7c6d39b43233d64cae50

Download Submit
C:\Windows\System32\dacECGo.exe

Filesize
1.5MB

MD5
e83c9873618c6d6220e9b738caa08d69

SHA1
3ff4377f5c6412b05e4aae5655ac32288b45da57

SHA256
f34bb2b2db44f6de98d3e4cf11418130ba6c18ecedb6f59365aaabdb47c1a350

SHA512
5b9b740b0e05caf19533c0f26a6fea97af55e2f9fdde79f902b2533803be19e6da6eebe562e604b223699d295d33966e80f774b97f1d7db4a9470764cbfa8387

Download Submit
C:\Windows\System32\hWzXZBh.exe

Filesize
1.5MB

MD5
8779c42da839da28310085065edb747f

SHA1
5009ef7f5d32bb52ab010b4718380ddf29e8e154

SHA256
5e811ec29499d1ce5df06d6612344a91765ec82d971ffc0859debcda9123d883

SHA512
c9f6a6ae91658027f7e39823602e91b0653c75ebb4716e9f16fcf30e781439b50872b250bb4a2315aec6f3ee5bfad3208114c81ec5810c7c7d88d6aa99955988

Download Submit
C:\Windows\System32\kMOhbnM.exe

Filesize
1.5MB

MD5
ff342619c0eb250b791ec574b6735830

SHA1
e49dec1c86256b896ead025356eccbccbe2a38c6

SHA256
dcea93e5c7c124232f79fa4c51073dac99afabdd8681d7bd9ce4aa47f0bb650c

SHA512
b70944b55dc091271ab152aded7c6cdd0e6febfbfa57d77fb6820a43401a15951452ccd09dfebe0886f6f9dc39f69ff16c19fe5a988de5ae0fe7d4463225dfa4

Download Submit
C:\Windows\System32\lClVJpH.exe

Filesize
1.5MB

MD5
7e0b7dd9a0816168f5bd1dee11830200

SHA1
96057e548a19d1bf811e881f350734b52704691a

SHA256
c2387c86eeb88a95d18c922f164263da2aad93465ca91e0cb2c48afa1a20c47d

SHA512
b523c2b4bfde6d6b992c55425ae83413c1238353aa17636834f914002e16afcac6cf15de8e85cc47b48d69a47217b50f84a2ce685949016f546fa27adcab531f

Download Submit
C:\Windows\System32\nROBdWz.exe

Filesize
1.5MB

MD5
a8b0ad4d1b2ea89d4b647783cbc91eb1

SHA1
2711194d1b60af4bfaa7bba243d22603c8ccd888

SHA256
c26f9cb15941d11e7e1d2b7b7946a8a2bb5a8c7dde843bbb1815a1fc90dd3507

SHA512
d4658231cbd77da0d6009bc1d7c5115e9c3c9f3a76065878dd7823466884684fbc17c84e591ea06a1de9cb02efb5376b396837a7e5fbad68e11024143c18d7e4

Download Submit
C:\Windows\System32\qELJCzC.exe

Filesize
1.5MB

MD5
4154d016e743e3e7376601deb289d6c5

SHA1
8fe092f035850df929eedecd39b98df93cb6150b

SHA256
66f91c30c1ed089925e9e4d24ca63219cce3f2a5e0387efd363e82cc9c714065

SHA512
323584f00dc64c3426ee82fdfa6780f3a8f2ee1d4eca1f2232cdc1f55f00524fec46ce32b12712036b5bc24bed769e271c801025c516d93bb23fb4d2600ffb5f

Download Submit
C:\Windows\System32\qbdcWDK.exe

Filesize
1.5MB

MD5
8be6694a90da27db372cd37b6f7e4b46

SHA1
97cdfd2a96a87f06cc11b78b242eec839766b119

SHA256
724a37b3b21fa81f478fd2f3cbb01970ccd32df2fed7ec4b3ffddad4643f1cfc

SHA512
04a642b710d9038a5f1bc2d03f99e2ed429de237d4a9354ffc07460286d577e85adc50d372ae9962865747ffffdf94c1896c9511392ec0abf28eb975c6cbddaf

Download Submit
C:\Windows\System32\sabBkCu.exe

Filesize
1.5MB

MD5
a26383e52450659e968bb024c6b2078b

SHA1
d67b53cbb56cf53b8cf51c2ebc04727af221f74c

SHA256
4587f60d682f1a88d59e13ef496175faeb87c067882e42df29ef5e38b2572a38

SHA512
e84e4164e0c78d3f3e25a7f8195b9631cbfe3e63739d669a36b820eccc1c43fe659c1177a2677d41550f1bcd9e723c6776fad95e8caffcfb0d928f35d961b017

Download Submit
C:\Windows\System32\soRCfIj.exe

Filesize
1.5MB

MD5
e4389387843dc993e10c4f09258a5a3d

SHA1
c5d4fd5601ff73361b43929e6a53afa36dca146c

SHA256
6561914cdb59176c046871b5f02af7e3767e153d2e0e929036574450b5705c19

SHA512
5a9ee8916486d633555cf76daf68533276ddc727974dbb9627b18dc5ebd000496802ef981d379d639b4927155157e8c547587262edda81209339ef0708b4b375

Download Submit
C:\Windows\System32\vAACTtN.exe

Filesize
1.5MB

MD5
a78e64d43f22aa1828f4ef7b2371cc34

SHA1
c34e077b31cb357cca6fe50ba717d5318d391bf3

SHA256
618348d7b1d9347b3058a236bdef40e7804a9afb502715de0a921fe2e77bd7c3

SHA512
bc8e526f3d97a316e97a916b1dfd7ff0e6264b8a569b2e4e2703258cd0121df3f7de062dd64168e3cba0d405b434b7677b9f8d2b808bb9c419f943a5f52d0442

Download Submit
C:\Windows\System32\vgWggtZ.exe

Filesize
1.5MB

MD5
3e9bfe6f9fb4300407bc540ecf5939e9

SHA1
fc04f0d22a1f894165d4aa73d56509b1e0fe8dd4

SHA256
4c2152adc2d957d1817951d91738eaa0da2f6e2a5bb4c83c61e675484c689b4a

SHA512
6571c349d9ae668cb61e79c0bc024a050283a770602cbb699b40c5620a1708dca4c47e1be2c21a604bfc1af437764527e82ecb9f1850390fa92e5cdd745e367d

Download Submit
C:\Windows\System32\vyHqbVJ.exe

Filesize
1.5MB

MD5
40aa6493852f933a1da23e1b1681f2d5

SHA1
56beff2ed6d2a4f72eee260ffefcf8eb4e627a70

SHA256
bf61529187a3e01bfa0e32430a273c768b360433b9b24abbdb317e4dadd6afe4

SHA512
711cbb80bd70ae0e0eec3dd1b6258fd2fe12229c10cf85ec8c9817ea370a0f0d84d8149d19dab590bf397ad09ef0eb124b00632e044acfa607f13b6a2610ac1c

Download Submit
C:\Windows\System32\wRmnEPi.exe

Filesize
1.5MB

MD5
996749a65054aefdd413c384e0f350ff

SHA1
1b5c7ee49153341ff374a84d62f98ea403893dce

SHA256
da804e3d21c397577c2dd81843908fd659c4668aa3db3579eb17a31cd676f5ab

SHA512
bac3da9d9010fedf4275e1741e1fdfa260eafeb81fbd0ae9f8b3fa52ba62ccfe86eb9014f5dfb455f3801950f74695b16c6fc816b347232af1aa65194f31688f

Download Submit
C:\Windows\System32\zlwVUpd.exe

Filesize
1.5MB

MD5
2a558c892d2f34d2a48d3c94c149ecee

SHA1
e62fd143be2abeeaf310a66edfc97ca886fb640f

SHA256
e605e864cfc44107e64fd7e08bd3ace17f9fb8038622f8b67210ffc464b08590

SHA512
88b3809bc379a4337c672a9bd817b6b87ab52a82edee2ebbf6d703d79a80478bdb4dd9ec9b3026abec2f7c38dcbb54f2b0d9082bfd39b0a3d1e2dff7edfe5154

Download Submit
memory/516-375-0x00007FF650DB0000-0x00007FF6511A1000-memory.dmp

Filesize
3.9MB

Download
memory/516-2037-0x00007FF650DB0000-0x00007FF6511A1000-memory.dmp

Filesize
3.9MB

Download
memory/632-40-0x00007FF7B3FF0000-0x00007FF7B43E1000-memory.dmp

Filesize
3.9MB

Download
memory/632-2017-0x00007FF7B3FF0000-0x00007FF7B43E1000-memory.dmp

Filesize
3.9MB

Download
memory/968-2021-0x00007FF6DE150000-0x00007FF6DE541000-memory.dmp

Filesize
3.9MB

Download
memory/968-382-0x00007FF6DE150000-0x00007FF6DE541000-memory.dmp

Filesize
3.9MB

Download
memory/1236-52-0x00007FF60A520000-0x00007FF60A911000-memory.dmp

Filesize
3.9MB

Download
memory/1236-2015-0x00007FF60A520000-0x00007FF60A911000-memory.dmp

Filesize
3.9MB

Download
memory/1272-56-0x00007FF678AD0000-0x00007FF678EC1000-memory.dmp

Filesize
3.9MB

Download
memory/1272-2019-0x00007FF678AD0000-0x00007FF678EC1000-memory.dmp

Filesize
3.9MB

Download
memory/1668-359-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp

Filesize
3.9MB

Download
memory/1668-2029-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp

Filesize
3.9MB

Download
memory/1908-400-0x00007FF6ACF10000-0x00007FF6AD301000-memory.dmp

Filesize
3.9MB

Download
memory/1908-2043-0x00007FF6ACF10000-0x00007FF6AD301000-memory.dmp

Filesize
3.9MB

Download
memory/2032-2027-0x00007FF7F2290000-0x00007FF7F2681000-memory.dmp

Filesize
3.9MB

Download
memory/2032-453-0x00007FF7F2290000-0x00007FF7F2681000-memory.dmp

Filesize
3.9MB

Download
memory/2064-360-0x00007FF7FBB50000-0x00007FF7FBF41000-memory.dmp

Filesize
3.9MB

Download
memory/2064-2035-0x00007FF7FBB50000-0x00007FF7FBF41000-memory.dmp

Filesize
3.9MB

Download
memory/2104-388-0x00007FF6967D0000-0x00007FF696BC1000-memory.dmp

Filesize
3.9MB

Download
memory/2104-2023-0x00007FF6967D0000-0x00007FF696BC1000-memory.dmp

Filesize
3.9MB

Download
memory/2152-2051-0x00007FF705770000-0x00007FF705B61000-memory.dmp

Filesize
3.9MB

Download
memory/2152-438-0x00007FF705770000-0x00007FF705B61000-memory.dmp

Filesize
3.9MB

Download
memory/2456-391-0x00007FF7ADC90000-0x00007FF7AE081000-memory.dmp

Filesize
3.9MB

Download
memory/2456-2039-0x00007FF7ADC90000-0x00007FF7AE081000-memory.dmp

Filesize
3.9MB

Download
memory/2868-427-0x00007FF6D6600000-0x00007FF6D69F1000-memory.dmp

Filesize
3.9MB

Download
memory/2868-2049-0x00007FF6D6600000-0x00007FF6D69F1000-memory.dmp

Filesize
3.9MB

Download
memory/2992-2047-0x00007FF7E1790000-0x00007FF7E1B81000-memory.dmp

Filesize
3.9MB

Download
memory/2992-418-0x00007FF7E1790000-0x00007FF7E1B81000-memory.dmp

Filesize
3.9MB

Download
memory/3024-373-0x00007FF63BC20000-0x00007FF63C011000-memory.dmp

Filesize
3.9MB

Download
memory/3024-2025-0x00007FF63BC20000-0x00007FF63C011000-memory.dmp

Filesize
3.9MB

Download
memory/3156-12-0x00007FF7D8470000-0x00007FF7D8861000-memory.dmp

Filesize
3.9MB

Download
memory/3156-2009-0x00007FF7D8470000-0x00007FF7D8861000-memory.dmp

Filesize
3.9MB

Download
memory/3188-0-0x00007FF608CC0000-0x00007FF6090B1000-memory.dmp

Filesize
3.9MB

Download
memory/3188-1-0x000001C740B10000-0x000001C740B20000-memory.dmp

Filesize
64KB

Download
memory/3464-26-0x00007FF74AE80000-0x00007FF74B271000-memory.dmp

Filesize
3.9MB

Download
memory/3464-2011-0x00007FF74AE80000-0x00007FF74B271000-memory.dmp

Filesize
3.9MB

Download
memory/3464-2003-0x00007FF74AE80000-0x00007FF74B271000-memory.dmp

Filesize
3.9MB

Download
memory/3572-2013-0x00007FF6F5AF0000-0x00007FF6F5EE1000-memory.dmp

Filesize
3.9MB

Download
memory/3572-32-0x00007FF6F5AF0000-0x00007FF6F5EE1000-memory.dmp

Filesize
3.9MB

Download
memory/4256-2045-0x00007FF6BA430000-0x00007FF6BA821000-memory.dmp

Filesize
3.9MB

Download
memory/4256-404-0x00007FF6BA430000-0x00007FF6BA821000-memory.dmp

Filesize
3.9MB

Download
memory/4320-370-0x00007FF6E2910000-0x00007FF6E2D01000-memory.dmp

Filesize
3.9MB

Download
memory/4320-2031-0x00007FF6E2910000-0x00007FF6E2D01000-memory.dmp

Filesize
3.9MB

Download
memory/4516-2041-0x00007FF697D10000-0x00007FF698101000-memory.dmp

Filesize
3.9MB

Download
memory/4516-398-0x00007FF697D10000-0x00007FF698101000-memory.dmp

Filesize
3.9MB

Download
memory/4812-2033-0x00007FF601040000-0x00007FF601431000-memory.dmp

Filesize
3.9MB

Download
memory/4812-458-0x00007FF601040000-0x00007FF601431000-memory.dmp

Filesize
3.9MB

Download
memory/4984-2053-0x00007FF617D60000-0x00007FF618151000-memory.dmp

Filesize
3.9MB

Download
memory/4984-439-0x00007FF617D60000-0x00007FF618151000-memory.dmp

Filesize
3.9MB

Download
memory/4996-2055-0x00007FF6748E0000-0x00007FF674CD1000-memory.dmp

Filesize
3.9MB

Download
memory/4996-447-0x00007FF6748E0000-0x00007FF674CD1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads