xmrig | 75454da0266f4dfa9fd5c573d536cee36b5974cee42f7e934776cfb246619c7f

Analysis

max time kernel
109s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 23:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

224e404b1ba25e72396b2c75d1281890N.exe
Size

1.5MB
MD5

224e404b1ba25e72396b2c75d1281890
SHA1

a4918b5010b10ed80207325ab2aa00494283e40f
SHA256

75454da0266f4dfa9fd5c573d536cee36b5974cee42f7e934776cfb246619c7f
SHA512

9a6e51af3c8f1ce1d593f1b55002622ea1bb58b67a0acf1c57d4ef8149c4355f3e1a6aa9c6e9843e2aeecfb837118a2bd21c0604829de3167e3187e66f8d2272
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbc8lFad+tsytA7WEXLsBb:knw9oUUEEDlGUJ8Y9c87MQosx

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/3492-520-0x00007FF7C7010000-0x00007FF7C7401000-memory.dmp	xmrig
behavioral2/memory/1460-526-0x00007FF6C1830000-0x00007FF6C1C21000-memory.dmp	xmrig
behavioral2/memory/2836-534-0x00007FF7B23A0000-0x00007FF7B2791000-memory.dmp	xmrig
behavioral2/memory/2592-539-0x00007FF7DE890000-0x00007FF7DEC81000-memory.dmp	xmrig
behavioral2/memory/548-551-0x00007FF756210000-0x00007FF756601000-memory.dmp	xmrig
behavioral2/memory/1668-547-0x00007FF6308B0000-0x00007FF630CA1000-memory.dmp	xmrig
behavioral2/memory/2736-554-0x00007FF7033F0000-0x00007FF7037E1000-memory.dmp	xmrig
behavioral2/memory/768-556-0x00007FF671500000-0x00007FF6718F1000-memory.dmp	xmrig
behavioral2/memory/4280-564-0x00007FF70D370000-0x00007FF70D761000-memory.dmp	xmrig
behavioral2/memory/1216-569-0x00007FF73B120000-0x00007FF73B511000-memory.dmp	xmrig
behavioral2/memory/1160-574-0x00007FF799690000-0x00007FF799A81000-memory.dmp	xmrig
behavioral2/memory/4496-576-0x00007FF7B6250000-0x00007FF7B6641000-memory.dmp	xmrig
behavioral2/memory/3036-583-0x00007FF654AC0000-0x00007FF654EB1000-memory.dmp	xmrig
behavioral2/memory/3884-585-0x00007FF7DC5C0000-0x00007FF7DC9B1000-memory.dmp	xmrig
behavioral2/memory/4788-590-0x00007FF6DC1F0000-0x00007FF6DC5E1000-memory.dmp	xmrig
behavioral2/memory/3140-588-0x00007FF7E8360000-0x00007FF7E8751000-memory.dmp	xmrig
behavioral2/memory/5040-586-0x00007FF7F1E80000-0x00007FF7F2271000-memory.dmp	xmrig
behavioral2/memory/3656-577-0x00007FF66DE50000-0x00007FF66E241000-memory.dmp	xmrig
behavioral2/memory/2076-570-0x00007FF6F8860000-0x00007FF6F8C51000-memory.dmp	xmrig
behavioral2/memory/4516-1994-0x00007FF70C580000-0x00007FF70C971000-memory.dmp	xmrig
behavioral2/memory/4528-1995-0x00007FF742790000-0x00007FF742B81000-memory.dmp	xmrig
behavioral2/memory/264-1996-0x00007FF629380000-0x00007FF629771000-memory.dmp	xmrig
behavioral2/memory/216-1997-0x00007FF695B80000-0x00007FF695F71000-memory.dmp	xmrig
behavioral2/memory/4292-2000-0x00007FF734730000-0x00007FF734B21000-memory.dmp	xmrig
behavioral2/memory/4144-2031-0x00007FF652F70000-0x00007FF653361000-memory.dmp	xmrig
behavioral2/memory/4788-2045-0x00007FF6DC1F0000-0x00007FF6DC5E1000-memory.dmp	xmrig
behavioral2/memory/1460-2051-0x00007FF6C1830000-0x00007FF6C1C21000-memory.dmp	xmrig
behavioral2/memory/768-2059-0x00007FF671500000-0x00007FF6718F1000-memory.dmp	xmrig
behavioral2/memory/1160-2069-0x00007FF799690000-0x00007FF799A81000-memory.dmp	xmrig
behavioral2/memory/5040-2077-0x00007FF7F1E80000-0x00007FF7F2271000-memory.dmp	xmrig
behavioral2/memory/4496-2075-0x00007FF7B6250000-0x00007FF7B6641000-memory.dmp	xmrig
behavioral2/memory/3656-2073-0x00007FF66DE50000-0x00007FF66E241000-memory.dmp	xmrig
behavioral2/memory/3036-2071-0x00007FF654AC0000-0x00007FF654EB1000-memory.dmp	xmrig
behavioral2/memory/2076-2067-0x00007FF6F8860000-0x00007FF6F8C51000-memory.dmp	xmrig
behavioral2/memory/1216-2065-0x00007FF73B120000-0x00007FF73B511000-memory.dmp	xmrig
behavioral2/memory/3884-2063-0x00007FF7DC5C0000-0x00007FF7DC9B1000-memory.dmp	xmrig
behavioral2/memory/4280-2061-0x00007FF70D370000-0x00007FF70D761000-memory.dmp	xmrig
behavioral2/memory/2736-2057-0x00007FF7033F0000-0x00007FF7037E1000-memory.dmp	xmrig
behavioral2/memory/2592-2055-0x00007FF7DE890000-0x00007FF7DEC81000-memory.dmp	xmrig
behavioral2/memory/2836-2053-0x00007FF7B23A0000-0x00007FF7B2791000-memory.dmp	xmrig
behavioral2/memory/1668-2049-0x00007FF6308B0000-0x00007FF630CA1000-memory.dmp	xmrig
behavioral2/memory/548-2047-0x00007FF756210000-0x00007FF756601000-memory.dmp	xmrig
behavioral2/memory/3140-2041-0x00007FF7E8360000-0x00007FF7E8751000-memory.dmp	xmrig
behavioral2/memory/3492-2043-0x00007FF7C7010000-0x00007FF7C7401000-memory.dmp	xmrig
behavioral2/memory/264-2037-0x00007FF629380000-0x00007FF629771000-memory.dmp	xmrig
behavioral2/memory/4292-2033-0x00007FF734730000-0x00007FF734B21000-memory.dmp	xmrig
behavioral2/memory/4528-2039-0x00007FF742790000-0x00007FF742B81000-memory.dmp	xmrig
behavioral2/memory/216-2035-0x00007FF695B80000-0x00007FF695F71000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4144	AXjFTXM.exe
4292	TGfqpao.exe
4528	XYCRkFI.exe
264	gEMEAsd.exe
3140	XbMOBGR.exe
216	DFXiBCR.exe
4788	CuDWGjF.exe
3492	mqPHufn.exe
1460	aBsdVOC.exe
2836	rZpPhSa.exe
2592	mNtZWSt.exe
1668	kRHwVnF.exe
548	xNozIma.exe
2736	EUdgbTn.exe
768	nAOuSIT.exe
4280	FpXvnTJ.exe
1216	ohtUCMI.exe
2076	VdwVNOJ.exe
1160	IAoneri.exe
4496	LHtYUaZ.exe
3656	EEoUqdn.exe
3036	CbXmgjj.exe
3884	BAeNDsn.exe
5040	IEEqbHi.exe
2576	EMpxCxf.exe
5032	CCYZQmw.exe
388	ETBDQnu.exe
3360	sbcIeWS.exe
3384	KZLbmDU.exe
1876	tFhPySa.exe
4488	QYqxmBt.exe
1012	baVmEds.exe
2128	OzAXKCV.exe
1564	fBmXbuG.exe
1200	OTHrVsr.exe
1860	iZxVxbS.exe
3864	CCeVbus.exe
2752	leZKIAG.exe
1308	xSPrNDY.exe
3456	UHYvDCD.exe
5100	yRDlHgv.exe
1116	qaNGtpp.exe
4380	tkKVOWv.exe
1380	cUmmFax.exe
1828	STlEwhk.exe
2924	vQUHxlJ.exe
4656	OCnDOFE.exe
4320	jowSMkK.exe
4804	ODZuTYQ.exe
1600	DQLTcgw.exe
228	TgvaCmC.exe
3340	CPiztKz.exe
1960	BuDhlyL.exe
3560	wELSOec.exe
2552	IYhNhEN.exe
2448	jCYWBBb.exe
612	ZmJRVQO.exe
1392	XIGmcUj.exe
716	JDAkkSg.exe
664	foEfDWp.exe
2012	bTcmMUD.exe
5028	kdQtuzc.exe
2560	ejiyFuG.exe
2544	XKeCCPN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4516-0-0x00007FF70C580000-0x00007FF70C971000-memory.dmp	upx
behavioral2/files/0x0007000000023461-7.dat	upx
behavioral2/memory/4528-18-0x00007FF742790000-0x00007FF742B81000-memory.dmp	upx
behavioral2/files/0x0007000000023463-26.dat	upx
behavioral2/files/0x0007000000023465-43.dat	upx
behavioral2/files/0x0007000000023466-48.dat	upx
behavioral2/files/0x0007000000023469-63.dat	upx
behavioral2/files/0x000700000002346c-72.dat	upx
behavioral2/files/0x0007000000023474-118.dat	upx
behavioral2/files/0x000700000002347b-153.dat	upx
behavioral2/memory/216-514-0x00007FF695B80000-0x00007FF695F71000-memory.dmp	upx
behavioral2/memory/3492-520-0x00007FF7C7010000-0x00007FF7C7401000-memory.dmp	upx
behavioral2/memory/1460-526-0x00007FF6C1830000-0x00007FF6C1C21000-memory.dmp	upx
behavioral2/memory/2836-534-0x00007FF7B23A0000-0x00007FF7B2791000-memory.dmp	upx
behavioral2/memory/2592-539-0x00007FF7DE890000-0x00007FF7DEC81000-memory.dmp	upx
behavioral2/memory/548-551-0x00007FF756210000-0x00007FF756601000-memory.dmp	upx
behavioral2/memory/1668-547-0x00007FF6308B0000-0x00007FF630CA1000-memory.dmp	upx
behavioral2/memory/2736-554-0x00007FF7033F0000-0x00007FF7037E1000-memory.dmp	upx
behavioral2/memory/768-556-0x00007FF671500000-0x00007FF6718F1000-memory.dmp	upx
behavioral2/memory/4280-564-0x00007FF70D370000-0x00007FF70D761000-memory.dmp	upx
behavioral2/memory/1216-569-0x00007FF73B120000-0x00007FF73B511000-memory.dmp	upx
behavioral2/memory/1160-574-0x00007FF799690000-0x00007FF799A81000-memory.dmp	upx
behavioral2/memory/4496-576-0x00007FF7B6250000-0x00007FF7B6641000-memory.dmp	upx
behavioral2/memory/3036-583-0x00007FF654AC0000-0x00007FF654EB1000-memory.dmp	upx
behavioral2/memory/3884-585-0x00007FF7DC5C0000-0x00007FF7DC9B1000-memory.dmp	upx
behavioral2/memory/4788-590-0x00007FF6DC1F0000-0x00007FF6DC5E1000-memory.dmp	upx
behavioral2/memory/3140-588-0x00007FF7E8360000-0x00007FF7E8751000-memory.dmp	upx
behavioral2/memory/5040-586-0x00007FF7F1E80000-0x00007FF7F2271000-memory.dmp	upx
behavioral2/memory/3656-577-0x00007FF66DE50000-0x00007FF66E241000-memory.dmp	upx
behavioral2/memory/2076-570-0x00007FF6F8860000-0x00007FF6F8C51000-memory.dmp	upx
behavioral2/files/0x000700000002347f-166.dat	upx
behavioral2/files/0x000700000002347d-163.dat	upx
behavioral2/files/0x000700000002347e-161.dat	upx
behavioral2/files/0x000700000002347c-158.dat	upx
behavioral2/files/0x000700000002347a-145.dat	upx
behavioral2/files/0x0007000000023479-143.dat	upx
behavioral2/files/0x0007000000023478-138.dat	upx
behavioral2/files/0x0007000000023477-133.dat	upx
behavioral2/files/0x0007000000023476-128.dat	upx
behavioral2/files/0x0007000000023475-123.dat	upx
behavioral2/files/0x0007000000023473-113.dat	upx
behavioral2/files/0x0007000000023472-108.dat	upx
behavioral2/files/0x0007000000023471-103.dat	upx
behavioral2/files/0x0007000000023470-98.dat	upx
behavioral2/files/0x000700000002346f-93.dat	upx
behavioral2/files/0x000700000002346e-85.dat	upx
behavioral2/files/0x000700000002346d-83.dat	upx
behavioral2/files/0x000700000002346b-70.dat	upx
behavioral2/files/0x000700000002346a-68.dat	upx
behavioral2/files/0x0007000000023468-58.dat	upx
behavioral2/files/0x0007000000023467-51.dat	upx
behavioral2/files/0x0007000000023464-38.dat	upx
behavioral2/memory/264-33-0x00007FF629380000-0x00007FF629771000-memory.dmp	upx
behavioral2/files/0x0007000000023462-30.dat	upx
behavioral2/files/0x0007000000023460-24.dat	upx
behavioral2/memory/4292-22-0x00007FF734730000-0x00007FF734B21000-memory.dmp	upx
behavioral2/files/0x000800000002345c-15.dat	upx
behavioral2/memory/4144-12-0x00007FF652F70000-0x00007FF653361000-memory.dmp	upx
behavioral2/memory/4516-1994-0x00007FF70C580000-0x00007FF70C971000-memory.dmp	upx
behavioral2/memory/4528-1995-0x00007FF742790000-0x00007FF742B81000-memory.dmp	upx
behavioral2/memory/264-1996-0x00007FF629380000-0x00007FF629771000-memory.dmp	upx
behavioral2/memory/216-1997-0x00007FF695B80000-0x00007FF695F71000-memory.dmp	upx
behavioral2/memory/4292-2000-0x00007FF734730000-0x00007FF734B21000-memory.dmp	upx
behavioral2/memory/4144-2031-0x00007FF652F70000-0x00007FF653361000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\tQUPxgx.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\twijhIt.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\UeqelTA.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\Iygqiyy.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\tEtGWgQ.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\BOabJyU.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\HFqPiBM.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\OxDtsgh.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\STlEwhk.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\reFOxoJ.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\deYVmfS.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\STOOLaO.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\HNfTYAT.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\bYftzWE.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\JQvWKhq.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\CPiztKz.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\QZxHjAC.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\PdhHqLX.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\mjFZmmf.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\vsTFXIz.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\wzUENYJ.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\sDykKVe.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\ySjYnUb.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\cLfrscS.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\ctsmUbw.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\XXMTgRb.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\UHYvDCD.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\xDBIKTi.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\oJgeGHE.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\QSwBmos.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\YsYpZGV.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\jdHHNFK.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\iYJYive.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\ndGZCKH.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\Tuhvxsg.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\xByhGJR.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\wvQoqSY.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\noMJDFs.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\TgvaCmC.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\ZzQVjCK.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\OnMDLSo.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\ENDjQtr.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\uureajC.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\bGcGxEt.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\WWDSvaC.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\cURKupe.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\AGOrYoQ.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\XQrmovI.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\dcfoOWN.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\SlATHvY.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\woDvUmm.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\FMMTjmz.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\CuDWGjF.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\eKtZmkA.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\aJbNhQz.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\BWjRSsS.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\YcVyAYp.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\GspIZdY.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\qpKxuao.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\RhmZDLY.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\VAtuDKh.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\ynRwkeL.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\teAydpX.exe	224e404b1ba25e72396b2c75d1281890N.exe
File created	C:\Windows\System32\jVkevrO.exe	224e404b1ba25e72396b2c75d1281890N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12860	dwm.exe
Token: SeChangeNotifyPrivilege	12860	dwm.exe
Token: 33	12860	dwm.exe
Token: SeIncBasePriorityPrivilege	12860	dwm.exe
Token: SeShutdownPrivilege	12860	dwm.exe
Token: SeCreatePagefilePrivilege	12860	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4144	4516	224e404b1ba25e72396b2c75d1281890N.exe	85
PID 4516 wrote to memory of 4144	4516	224e404b1ba25e72396b2c75d1281890N.exe	85
PID 4516 wrote to memory of 4292	4516	224e404b1ba25e72396b2c75d1281890N.exe	86
PID 4516 wrote to memory of 4292	4516	224e404b1ba25e72396b2c75d1281890N.exe	86
PID 4516 wrote to memory of 4528	4516	224e404b1ba25e72396b2c75d1281890N.exe	87
PID 4516 wrote to memory of 4528	4516	224e404b1ba25e72396b2c75d1281890N.exe	87
PID 4516 wrote to memory of 264	4516	224e404b1ba25e72396b2c75d1281890N.exe	88
PID 4516 wrote to memory of 264	4516	224e404b1ba25e72396b2c75d1281890N.exe	88
PID 4516 wrote to memory of 216	4516	224e404b1ba25e72396b2c75d1281890N.exe	89
PID 4516 wrote to memory of 216	4516	224e404b1ba25e72396b2c75d1281890N.exe	89
PID 4516 wrote to memory of 3140	4516	224e404b1ba25e72396b2c75d1281890N.exe	90
PID 4516 wrote to memory of 3140	4516	224e404b1ba25e72396b2c75d1281890N.exe	90
PID 4516 wrote to memory of 4788	4516	224e404b1ba25e72396b2c75d1281890N.exe	91
PID 4516 wrote to memory of 4788	4516	224e404b1ba25e72396b2c75d1281890N.exe	91
PID 4516 wrote to memory of 3492	4516	224e404b1ba25e72396b2c75d1281890N.exe	92
PID 4516 wrote to memory of 3492	4516	224e404b1ba25e72396b2c75d1281890N.exe	92
PID 4516 wrote to memory of 1460	4516	224e404b1ba25e72396b2c75d1281890N.exe	93
PID 4516 wrote to memory of 1460	4516	224e404b1ba25e72396b2c75d1281890N.exe	93
PID 4516 wrote to memory of 2836	4516	224e404b1ba25e72396b2c75d1281890N.exe	94
PID 4516 wrote to memory of 2836	4516	224e404b1ba25e72396b2c75d1281890N.exe	94
PID 4516 wrote to memory of 2592	4516	224e404b1ba25e72396b2c75d1281890N.exe	95
PID 4516 wrote to memory of 2592	4516	224e404b1ba25e72396b2c75d1281890N.exe	95
PID 4516 wrote to memory of 1668	4516	224e404b1ba25e72396b2c75d1281890N.exe	96
PID 4516 wrote to memory of 1668	4516	224e404b1ba25e72396b2c75d1281890N.exe	96
PID 4516 wrote to memory of 548	4516	224e404b1ba25e72396b2c75d1281890N.exe	97
PID 4516 wrote to memory of 548	4516	224e404b1ba25e72396b2c75d1281890N.exe	97
PID 4516 wrote to memory of 2736	4516	224e404b1ba25e72396b2c75d1281890N.exe	98
PID 4516 wrote to memory of 2736	4516	224e404b1ba25e72396b2c75d1281890N.exe	98
PID 4516 wrote to memory of 768	4516	224e404b1ba25e72396b2c75d1281890N.exe	99
PID 4516 wrote to memory of 768	4516	224e404b1ba25e72396b2c75d1281890N.exe	99
PID 4516 wrote to memory of 4280	4516	224e404b1ba25e72396b2c75d1281890N.exe	100
PID 4516 wrote to memory of 4280	4516	224e404b1ba25e72396b2c75d1281890N.exe	100
PID 4516 wrote to memory of 1216	4516	224e404b1ba25e72396b2c75d1281890N.exe	101
PID 4516 wrote to memory of 1216	4516	224e404b1ba25e72396b2c75d1281890N.exe	101
PID 4516 wrote to memory of 2076	4516	224e404b1ba25e72396b2c75d1281890N.exe	102
PID 4516 wrote to memory of 2076	4516	224e404b1ba25e72396b2c75d1281890N.exe	102
PID 4516 wrote to memory of 1160	4516	224e404b1ba25e72396b2c75d1281890N.exe	103
PID 4516 wrote to memory of 1160	4516	224e404b1ba25e72396b2c75d1281890N.exe	103
PID 4516 wrote to memory of 4496	4516	224e404b1ba25e72396b2c75d1281890N.exe	104
PID 4516 wrote to memory of 4496	4516	224e404b1ba25e72396b2c75d1281890N.exe	104
PID 4516 wrote to memory of 3656	4516	224e404b1ba25e72396b2c75d1281890N.exe	105
PID 4516 wrote to memory of 3656	4516	224e404b1ba25e72396b2c75d1281890N.exe	105
PID 4516 wrote to memory of 3036	4516	224e404b1ba25e72396b2c75d1281890N.exe	106
PID 4516 wrote to memory of 3036	4516	224e404b1ba25e72396b2c75d1281890N.exe	106
PID 4516 wrote to memory of 3884	4516	224e404b1ba25e72396b2c75d1281890N.exe	107
PID 4516 wrote to memory of 3884	4516	224e404b1ba25e72396b2c75d1281890N.exe	107
PID 4516 wrote to memory of 5040	4516	224e404b1ba25e72396b2c75d1281890N.exe	108
PID 4516 wrote to memory of 5040	4516	224e404b1ba25e72396b2c75d1281890N.exe	108
PID 4516 wrote to memory of 2576	4516	224e404b1ba25e72396b2c75d1281890N.exe	109
PID 4516 wrote to memory of 2576	4516	224e404b1ba25e72396b2c75d1281890N.exe	109
PID 4516 wrote to memory of 5032	4516	224e404b1ba25e72396b2c75d1281890N.exe	110
PID 4516 wrote to memory of 5032	4516	224e404b1ba25e72396b2c75d1281890N.exe	110
PID 4516 wrote to memory of 388	4516	224e404b1ba25e72396b2c75d1281890N.exe	111
PID 4516 wrote to memory of 388	4516	224e404b1ba25e72396b2c75d1281890N.exe	111
PID 4516 wrote to memory of 3360	4516	224e404b1ba25e72396b2c75d1281890N.exe	112
PID 4516 wrote to memory of 3360	4516	224e404b1ba25e72396b2c75d1281890N.exe	112
PID 4516 wrote to memory of 3384	4516	224e404b1ba25e72396b2c75d1281890N.exe	113
PID 4516 wrote to memory of 3384	4516	224e404b1ba25e72396b2c75d1281890N.exe	113
PID 4516 wrote to memory of 1876	4516	224e404b1ba25e72396b2c75d1281890N.exe	114
PID 4516 wrote to memory of 1876	4516	224e404b1ba25e72396b2c75d1281890N.exe	114
PID 4516 wrote to memory of 4488	4516	224e404b1ba25e72396b2c75d1281890N.exe	115
PID 4516 wrote to memory of 4488	4516	224e404b1ba25e72396b2c75d1281890N.exe	115
PID 4516 wrote to memory of 1012	4516	224e404b1ba25e72396b2c75d1281890N.exe	116
PID 4516 wrote to memory of 1012	4516	224e404b1ba25e72396b2c75d1281890N.exe	116

C:\Users\Admin\AppData\Local\Temp\224e404b1ba25e72396b2c75d1281890N.exe
"C:\Users\Admin\AppData\Local\Temp\224e404b1ba25e72396b2c75d1281890N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\System32\AXjFTXM.exe
  C:\Windows\System32\AXjFTXM.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\TGfqpao.exe
  C:\Windows\System32\TGfqpao.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System32\XYCRkFI.exe
  C:\Windows\System32\XYCRkFI.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\gEMEAsd.exe
  C:\Windows\System32\gEMEAsd.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System32\DFXiBCR.exe
  C:\Windows\System32\DFXiBCR.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System32\XbMOBGR.exe
  C:\Windows\System32\XbMOBGR.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\CuDWGjF.exe
  C:\Windows\System32\CuDWGjF.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\mqPHufn.exe
  C:\Windows\System32\mqPHufn.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System32\aBsdVOC.exe
  C:\Windows\System32\aBsdVOC.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System32\rZpPhSa.exe
  C:\Windows\System32\rZpPhSa.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System32\mNtZWSt.exe
  C:\Windows\System32\mNtZWSt.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System32\kRHwVnF.exe
  C:\Windows\System32\kRHwVnF.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System32\xNozIma.exe
  C:\Windows\System32\xNozIma.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\EUdgbTn.exe
  C:\Windows\System32\EUdgbTn.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System32\nAOuSIT.exe
  C:\Windows\System32\nAOuSIT.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System32\FpXvnTJ.exe
  C:\Windows\System32\FpXvnTJ.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\ohtUCMI.exe
  C:\Windows\System32\ohtUCMI.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System32\VdwVNOJ.exe
  C:\Windows\System32\VdwVNOJ.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\IAoneri.exe
  C:\Windows\System32\IAoneri.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\LHtYUaZ.exe
  C:\Windows\System32\LHtYUaZ.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\EEoUqdn.exe
  C:\Windows\System32\EEoUqdn.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System32\CbXmgjj.exe
  C:\Windows\System32\CbXmgjj.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\BAeNDsn.exe
  C:\Windows\System32\BAeNDsn.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System32\IEEqbHi.exe
  C:\Windows\System32\IEEqbHi.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\EMpxCxf.exe
  C:\Windows\System32\EMpxCxf.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System32\CCYZQmw.exe
  C:\Windows\System32\CCYZQmw.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\ETBDQnu.exe
  C:\Windows\System32\ETBDQnu.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System32\sbcIeWS.exe
  C:\Windows\System32\sbcIeWS.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System32\KZLbmDU.exe
  C:\Windows\System32\KZLbmDU.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System32\tFhPySa.exe
  C:\Windows\System32\tFhPySa.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System32\QYqxmBt.exe
  C:\Windows\System32\QYqxmBt.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\baVmEds.exe
  C:\Windows\System32\baVmEds.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System32\OzAXKCV.exe
  C:\Windows\System32\OzAXKCV.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System32\fBmXbuG.exe
  C:\Windows\System32\fBmXbuG.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System32\OTHrVsr.exe
  C:\Windows\System32\OTHrVsr.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System32\iZxVxbS.exe
  C:\Windows\System32\iZxVxbS.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System32\CCeVbus.exe
  C:\Windows\System32\CCeVbus.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\leZKIAG.exe
  C:\Windows\System32\leZKIAG.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\xSPrNDY.exe
  C:\Windows\System32\xSPrNDY.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System32\UHYvDCD.exe
  C:\Windows\System32\UHYvDCD.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\yRDlHgv.exe
  C:\Windows\System32\yRDlHgv.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\qaNGtpp.exe
  C:\Windows\System32\qaNGtpp.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System32\tkKVOWv.exe
  C:\Windows\System32\tkKVOWv.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\cUmmFax.exe
  C:\Windows\System32\cUmmFax.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\STlEwhk.exe
  C:\Windows\System32\STlEwhk.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System32\vQUHxlJ.exe
  C:\Windows\System32\vQUHxlJ.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System32\OCnDOFE.exe
  C:\Windows\System32\OCnDOFE.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System32\jowSMkK.exe
  C:\Windows\System32\jowSMkK.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\ODZuTYQ.exe
  C:\Windows\System32\ODZuTYQ.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\DQLTcgw.exe
  C:\Windows\System32\DQLTcgw.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System32\TgvaCmC.exe
  C:\Windows\System32\TgvaCmC.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\CPiztKz.exe
  C:\Windows\System32\CPiztKz.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\BuDhlyL.exe
  C:\Windows\System32\BuDhlyL.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System32\wELSOec.exe
  C:\Windows\System32\wELSOec.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\IYhNhEN.exe
  C:\Windows\System32\IYhNhEN.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System32\jCYWBBb.exe
  C:\Windows\System32\jCYWBBb.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System32\ZmJRVQO.exe
  C:\Windows\System32\ZmJRVQO.exe
  2⤵
  - Executes dropped EXE
  PID:612
- C:\Windows\System32\XIGmcUj.exe
  C:\Windows\System32\XIGmcUj.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System32\JDAkkSg.exe
  C:\Windows\System32\JDAkkSg.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System32\foEfDWp.exe
  C:\Windows\System32\foEfDWp.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System32\bTcmMUD.exe
  C:\Windows\System32\bTcmMUD.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System32\kdQtuzc.exe
  C:\Windows\System32\kdQtuzc.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\ejiyFuG.exe
  C:\Windows\System32\ejiyFuG.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System32\XKeCCPN.exe
  C:\Windows\System32\XKeCCPN.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System32\wIbvXLC.exe
  C:\Windows\System32\wIbvXLC.exe
  2⤵
  PID:2040
- C:\Windows\System32\CNPfQTP.exe
  C:\Windows\System32\CNPfQTP.exe
  2⤵
  PID:3932
- C:\Windows\System32\jECPrJw.exe
  C:\Windows\System32\jECPrJw.exe
  2⤵
  PID:1228
- C:\Windows\System32\wvBwILs.exe
  C:\Windows\System32\wvBwILs.exe
  2⤵
  PID:2368
- C:\Windows\System32\HXFeRUC.exe
  C:\Windows\System32\HXFeRUC.exe
  2⤵
  PID:440
- C:\Windows\System32\Tuhvxsg.exe
  C:\Windows\System32\Tuhvxsg.exe
  2⤵
  PID:4764
- C:\Windows\System32\LtRWFAR.exe
  C:\Windows\System32\LtRWFAR.exe
  2⤵
  PID:464
- C:\Windows\System32\xMjDaFw.exe
  C:\Windows\System32\xMjDaFw.exe
  2⤵
  PID:4412
- C:\Windows\System32\LaWbgsa.exe
  C:\Windows\System32\LaWbgsa.exe
  2⤵
  PID:4964
- C:\Windows\System32\ZebhviA.exe
  C:\Windows\System32\ZebhviA.exe
  2⤵
  PID:2712
- C:\Windows\System32\SEzlyYw.exe
  C:\Windows\System32\SEzlyYw.exe
  2⤵
  PID:2572
- C:\Windows\System32\cGSFbRp.exe
  C:\Windows\System32\cGSFbRp.exe
  2⤵
  PID:672
- C:\Windows\System32\bSbwJNx.exe
  C:\Windows\System32\bSbwJNx.exe
  2⤵
  PID:1740
- C:\Windows\System32\TuGVxZc.exe
  C:\Windows\System32\TuGVxZc.exe
  2⤵
  PID:796
- C:\Windows\System32\WBITqZk.exe
  C:\Windows\System32\WBITqZk.exe
  2⤵
  PID:5160
- C:\Windows\System32\QVzHLMP.exe
  C:\Windows\System32\QVzHLMP.exe
  2⤵
  PID:5176
- C:\Windows\System32\mQUEhGv.exe
  C:\Windows\System32\mQUEhGv.exe
  2⤵
  PID:5204
- C:\Windows\System32\SSBSdZD.exe
  C:\Windows\System32\SSBSdZD.exe
  2⤵
  PID:5232
- C:\Windows\System32\aoQmooI.exe
  C:\Windows\System32\aoQmooI.exe
  2⤵
  PID:5264
- C:\Windows\System32\eWjNFJb.exe
  C:\Windows\System32\eWjNFJb.exe
  2⤵
  PID:5300
- C:\Windows\System32\qfjGzVT.exe
  C:\Windows\System32\qfjGzVT.exe
  2⤵
  PID:5320
- C:\Windows\System32\XQrmovI.exe
  C:\Windows\System32\XQrmovI.exe
  2⤵
  PID:5344
- C:\Windows\System32\sGcsqZd.exe
  C:\Windows\System32\sGcsqZd.exe
  2⤵
  PID:5376
- C:\Windows\System32\pxuhksX.exe
  C:\Windows\System32\pxuhksX.exe
  2⤵
  PID:5404
- C:\Windows\System32\SkiatOF.exe
  C:\Windows\System32\SkiatOF.exe
  2⤵
  PID:5428
- C:\Windows\System32\UyBbwur.exe
  C:\Windows\System32\UyBbwur.exe
  2⤵
  PID:5456
- C:\Windows\System32\QZxHjAC.exe
  C:\Windows\System32\QZxHjAC.exe
  2⤵
  PID:5484
- C:\Windows\System32\TWLaoga.exe
  C:\Windows\System32\TWLaoga.exe
  2⤵
  PID:5512
- C:\Windows\System32\sIMYdRA.exe
  C:\Windows\System32\sIMYdRA.exe
  2⤵
  PID:5536
- C:\Windows\System32\DunbYgq.exe
  C:\Windows\System32\DunbYgq.exe
  2⤵
  PID:5568
- C:\Windows\System32\ofHuKUf.exe
  C:\Windows\System32\ofHuKUf.exe
  2⤵
  PID:5616
- C:\Windows\System32\IDuIQFV.exe
  C:\Windows\System32\IDuIQFV.exe
  2⤵
  PID:5636
- C:\Windows\System32\eKtZmkA.exe
  C:\Windows\System32\eKtZmkA.exe
  2⤵
  PID:5652
- C:\Windows\System32\WWDSvaC.exe
  C:\Windows\System32\WWDSvaC.exe
  2⤵
  PID:5676
- C:\Windows\System32\reFOxoJ.exe
  C:\Windows\System32\reFOxoJ.exe
  2⤵
  PID:5716
- C:\Windows\System32\auXpJYu.exe
  C:\Windows\System32\auXpJYu.exe
  2⤵
  PID:5736
- C:\Windows\System32\dcfoOWN.exe
  C:\Windows\System32\dcfoOWN.exe
  2⤵
  PID:5764
- C:\Windows\System32\ZbzzEEO.exe
  C:\Windows\System32\ZbzzEEO.exe
  2⤵
  PID:5792
- C:\Windows\System32\UUIYuNT.exe
  C:\Windows\System32\UUIYuNT.exe
  2⤵
  PID:5828
- C:\Windows\System32\KoVkMwG.exe
  C:\Windows\System32\KoVkMwG.exe
  2⤵
  PID:5848
- C:\Windows\System32\kRTJNqO.exe
  C:\Windows\System32\kRTJNqO.exe
  2⤵
  PID:5884
- C:\Windows\System32\TTrLmaL.exe
  C:\Windows\System32\TTrLmaL.exe
  2⤵
  PID:5912
- C:\Windows\System32\sMzvSpX.exe
  C:\Windows\System32\sMzvSpX.exe
  2⤵
  PID:5944
- C:\Windows\System32\unHGKwd.exe
  C:\Windows\System32\unHGKwd.exe
  2⤵
  PID:5960
- C:\Windows\System32\BJpSTHN.exe
  C:\Windows\System32\BJpSTHN.exe
  2⤵
  PID:5988
- C:\Windows\System32\cVwRqrc.exe
  C:\Windows\System32\cVwRqrc.exe
  2⤵
  PID:6016
- C:\Windows\System32\QIBQPUi.exe
  C:\Windows\System32\QIBQPUi.exe
  2⤵
  PID:6040
- C:\Windows\System32\pIEIYHU.exe
  C:\Windows\System32\pIEIYHU.exe
  2⤵
  PID:6072
- C:\Windows\System32\TUUPvoo.exe
  C:\Windows\System32\TUUPvoo.exe
  2⤵
  PID:6096
- C:\Windows\System32\qrGJGCc.exe
  C:\Windows\System32\qrGJGCc.exe
  2⤵
  PID:6128
- C:\Windows\System32\KrXPlCS.exe
  C:\Windows\System32\KrXPlCS.exe
  2⤵
  PID:4720
- C:\Windows\System32\xDBIKTi.exe
  C:\Windows\System32\xDBIKTi.exe
  2⤵
  PID:1852
- C:\Windows\System32\myxjGLf.exe
  C:\Windows\System32\myxjGLf.exe
  2⤵
  PID:220
- C:\Windows\System32\FSTOGQu.exe
  C:\Windows\System32\FSTOGQu.exe
  2⤵
  PID:4856
- C:\Windows\System32\pZiCbZL.exe
  C:\Windows\System32\pZiCbZL.exe
  2⤵
  PID:3056
- C:\Windows\System32\WhwukJS.exe
  C:\Windows\System32\WhwukJS.exe
  2⤵
  PID:5140
- C:\Windows\System32\NZhUrpE.exe
  C:\Windows\System32\NZhUrpE.exe
  2⤵
  PID:5224
- C:\Windows\System32\bwXHwdq.exe
  C:\Windows\System32\bwXHwdq.exe
  2⤵
  PID:5240
- C:\Windows\System32\DawrPpV.exe
  C:\Windows\System32\DawrPpV.exe
  2⤵
  PID:5312
- C:\Windows\System32\HCVHNsr.exe
  C:\Windows\System32\HCVHNsr.exe
  2⤵
  PID:5352
- C:\Windows\System32\loWLdJx.exe
  C:\Windows\System32\loWLdJx.exe
  2⤵
  PID:5424
- C:\Windows\System32\ENDjQtr.exe
  C:\Windows\System32\ENDjQtr.exe
  2⤵
  PID:5496
- C:\Windows\System32\NTTntkR.exe
  C:\Windows\System32\NTTntkR.exe
  2⤵
  PID:5560
- C:\Windows\System32\zjWbCDe.exe
  C:\Windows\System32\zjWbCDe.exe
  2⤵
  PID:5632
- C:\Windows\System32\EAYwgrC.exe
  C:\Windows\System32\EAYwgrC.exe
  2⤵
  PID:5700
- C:\Windows\System32\VAtuDKh.exe
  C:\Windows\System32\VAtuDKh.exe
  2⤵
  PID:3276
- C:\Windows\System32\RRIrkEQ.exe
  C:\Windows\System32\RRIrkEQ.exe
  2⤵
  PID:5784
- C:\Windows\System32\QhHjkjg.exe
  C:\Windows\System32\QhHjkjg.exe
  2⤵
  PID:5844
- C:\Windows\System32\AtBocxP.exe
  C:\Windows\System32\AtBocxP.exe
  2⤵
  PID:5928
- C:\Windows\System32\rcXIOSd.exe
  C:\Windows\System32\rcXIOSd.exe
  2⤵
  PID:5972
- C:\Windows\System32\cfIgxaf.exe
  C:\Windows\System32\cfIgxaf.exe
  2⤵
  PID:6028
- C:\Windows\System32\EbKhNKR.exe
  C:\Windows\System32\EbKhNKR.exe
  2⤵
  PID:6084
- C:\Windows\System32\CCfJlqA.exe
  C:\Windows\System32\CCfJlqA.exe
  2⤵
  PID:376
- C:\Windows\System32\EXktfNS.exe
  C:\Windows\System32\EXktfNS.exe
  2⤵
  PID:4416
- C:\Windows\System32\vcLblMU.exe
  C:\Windows\System32\vcLblMU.exe
  2⤵
  PID:4000
- C:\Windows\System32\vFJfnEk.exe
  C:\Windows\System32\vFJfnEk.exe
  2⤵
  PID:5168
- C:\Windows\System32\qzkHBbV.exe
  C:\Windows\System32\qzkHBbV.exe
  2⤵
  PID:5244
- C:\Windows\System32\OScJJMz.exe
  C:\Windows\System32\OScJJMz.exe
  2⤵
  PID:5384
- C:\Windows\System32\AFeYoDW.exe
  C:\Windows\System32\AFeYoDW.exe
  2⤵
  PID:2932
- C:\Windows\System32\xByhGJR.exe
  C:\Windows\System32\xByhGJR.exe
  2⤵
  PID:5612
- C:\Windows\System32\WKYlZUA.exe
  C:\Windows\System32\WKYlZUA.exe
  2⤵
  PID:5724
- C:\Windows\System32\BThMVrl.exe
  C:\Windows\System32\BThMVrl.exe
  2⤵
  PID:4924
- C:\Windows\System32\pdCTRkq.exe
  C:\Windows\System32\pdCTRkq.exe
  2⤵
  PID:5892
- C:\Windows\System32\FLWendM.exe
  C:\Windows\System32\FLWendM.exe
  2⤵
  PID:6008
- C:\Windows\System32\mfwHTYn.exe
  C:\Windows\System32\mfwHTYn.exe
  2⤵
  PID:3012
- C:\Windows\System32\kswGIHT.exe
  C:\Windows\System32\kswGIHT.exe
  2⤵
  PID:5128
- C:\Windows\System32\iaTTjeq.exe
  C:\Windows\System32\iaTTjeq.exe
  2⤵
  PID:5272
- C:\Windows\System32\UeqelTA.exe
  C:\Windows\System32\UeqelTA.exe
  2⤵
  PID:4404
- C:\Windows\System32\HOYkaXG.exe
  C:\Windows\System32\HOYkaXG.exe
  2⤵
  PID:3992
- C:\Windows\System32\gicbYpK.exe
  C:\Windows\System32\gicbYpK.exe
  2⤵
  PID:5744
- C:\Windows\System32\tBsCBUH.exe
  C:\Windows\System32\tBsCBUH.exe
  2⤵
  PID:3324
- C:\Windows\System32\MwqbEub.exe
  C:\Windows\System32\MwqbEub.exe
  2⤵
  PID:6136
- C:\Windows\System32\KfPGDJb.exe
  C:\Windows\System32\KfPGDJb.exe
  2⤵
  PID:972
- C:\Windows\System32\XttzwKX.exe
  C:\Windows\System32\XttzwKX.exe
  2⤵
  PID:3984
- C:\Windows\System32\rsAhSdH.exe
  C:\Windows\System32\rsAhSdH.exe
  2⤵
  PID:5576
- C:\Windows\System32\HIZkcby.exe
  C:\Windows\System32\HIZkcby.exe
  2⤵
  PID:5520
- C:\Windows\System32\JDpSnHw.exe
  C:\Windows\System32\JDpSnHw.exe
  2⤵
  PID:3616
- C:\Windows\System32\aXTafoi.exe
  C:\Windows\System32\aXTafoi.exe
  2⤵
  PID:3372
- C:\Windows\System32\KVkGICH.exe
  C:\Windows\System32\KVkGICH.exe
  2⤵
  PID:2376
- C:\Windows\System32\alJUOCE.exe
  C:\Windows\System32\alJUOCE.exe
  2⤵
  PID:2528
- C:\Windows\System32\VnPRFpf.exe
  C:\Windows\System32\VnPRFpf.exe
  2⤵
  PID:4176
- C:\Windows\System32\hGxjahp.exe
  C:\Windows\System32\hGxjahp.exe
  2⤵
  PID:6204
- C:\Windows\System32\aOYNJsA.exe
  C:\Windows\System32\aOYNJsA.exe
  2⤵
  PID:6280
- C:\Windows\System32\vJNqRct.exe
  C:\Windows\System32\vJNqRct.exe
  2⤵
  PID:6320
- C:\Windows\System32\xILwMQr.exe
  C:\Windows\System32\xILwMQr.exe
  2⤵
  PID:6352
- C:\Windows\System32\AQXOmbF.exe
  C:\Windows\System32\AQXOmbF.exe
  2⤵
  PID:6416
- C:\Windows\System32\bgPwNjq.exe
  C:\Windows\System32\bgPwNjq.exe
  2⤵
  PID:6436
- C:\Windows\System32\XiDVwoD.exe
  C:\Windows\System32\XiDVwoD.exe
  2⤵
  PID:6452
- C:\Windows\System32\pRUOBsb.exe
  C:\Windows\System32\pRUOBsb.exe
  2⤵
  PID:6480
- C:\Windows\System32\BVQHsbu.exe
  C:\Windows\System32\BVQHsbu.exe
  2⤵
  PID:6496
- C:\Windows\System32\KtHhJJN.exe
  C:\Windows\System32\KtHhJJN.exe
  2⤵
  PID:6528
- C:\Windows\System32\oExlGNi.exe
  C:\Windows\System32\oExlGNi.exe
  2⤵
  PID:6552
- C:\Windows\System32\bTofnQf.exe
  C:\Windows\System32\bTofnQf.exe
  2⤵
  PID:6572
- C:\Windows\System32\xCacHLI.exe
  C:\Windows\System32\xCacHLI.exe
  2⤵
  PID:6628
- C:\Windows\System32\KaWRAlK.exe
  C:\Windows\System32\KaWRAlK.exe
  2⤵
  PID:6644
- C:\Windows\System32\jKkoBFU.exe
  C:\Windows\System32\jKkoBFU.exe
  2⤵
  PID:6664
- C:\Windows\System32\YKoSFDH.exe
  C:\Windows\System32\YKoSFDH.exe
  2⤵
  PID:6692
- C:\Windows\System32\ZzQVjCK.exe
  C:\Windows\System32\ZzQVjCK.exe
  2⤵
  PID:6716
- C:\Windows\System32\kFSHmKu.exe
  C:\Windows\System32\kFSHmKu.exe
  2⤵
  PID:6736
- C:\Windows\System32\FcNAGgB.exe
  C:\Windows\System32\FcNAGgB.exe
  2⤵
  PID:6764
- C:\Windows\System32\wvQoqSY.exe
  C:\Windows\System32\wvQoqSY.exe
  2⤵
  PID:6824
- C:\Windows\System32\BMxmjVZ.exe
  C:\Windows\System32\BMxmjVZ.exe
  2⤵
  PID:6840
- C:\Windows\System32\HBaIFGd.exe
  C:\Windows\System32\HBaIFGd.exe
  2⤵
  PID:6876
- C:\Windows\System32\WryKTKg.exe
  C:\Windows\System32\WryKTKg.exe
  2⤵
  PID:6896
- C:\Windows\System32\UBWiMRC.exe
  C:\Windows\System32\UBWiMRC.exe
  2⤵
  PID:6936
- C:\Windows\System32\ioLoaPj.exe
  C:\Windows\System32\ioLoaPj.exe
  2⤵
  PID:6952
- C:\Windows\System32\Iygqiyy.exe
  C:\Windows\System32\Iygqiyy.exe
  2⤵
  PID:6972
- C:\Windows\System32\oJgeGHE.exe
  C:\Windows\System32\oJgeGHE.exe
  2⤵
  PID:6992
- C:\Windows\System32\HnkNlEQ.exe
  C:\Windows\System32\HnkNlEQ.exe
  2⤵
  PID:7016
- C:\Windows\System32\KHNrAkf.exe
  C:\Windows\System32\KHNrAkf.exe
  2⤵
  PID:7064
- C:\Windows\System32\IysMARw.exe
  C:\Windows\System32\IysMARw.exe
  2⤵
  PID:7116
- C:\Windows\System32\PdhHqLX.exe
  C:\Windows\System32\PdhHqLX.exe
  2⤵
  PID:7132
- C:\Windows\System32\vtAvalM.exe
  C:\Windows\System32\vtAvalM.exe
  2⤵
  PID:7152
- C:\Windows\System32\KQwEMgF.exe
  C:\Windows\System32\KQwEMgF.exe
  2⤵
  PID:2656
- C:\Windows\System32\PcuTahk.exe
  C:\Windows\System32\PcuTahk.exe
  2⤵
  PID:6184
- C:\Windows\System32\ZDbUPmu.exe
  C:\Windows\System32\ZDbUPmu.exe
  2⤵
  PID:6276
- C:\Windows\System32\tEtGWgQ.exe
  C:\Windows\System32\tEtGWgQ.exe
  2⤵
  PID:3048
- C:\Windows\System32\swLSHLA.exe
  C:\Windows\System32\swLSHLA.exe
  2⤵
  PID:6328
- C:\Windows\System32\gdxuIDP.exe
  C:\Windows\System32\gdxuIDP.exe
  2⤵
  PID:5660
- C:\Windows\System32\KWzMLsN.exe
  C:\Windows\System32\KWzMLsN.exe
  2⤵
  PID:2364
- C:\Windows\System32\OQYftvY.exe
  C:\Windows\System32\OQYftvY.exe
  2⤵
  PID:6256
- C:\Windows\System32\UaukqUQ.exe
  C:\Windows\System32\UaukqUQ.exe
  2⤵
  PID:6340
- C:\Windows\System32\yfMFzZv.exe
  C:\Windows\System32\yfMFzZv.exe
  2⤵
  PID:6460
- C:\Windows\System32\OCfUUcT.exe
  C:\Windows\System32\OCfUUcT.exe
  2⤵
  PID:6512
- C:\Windows\System32\ZyDYmfI.exe
  C:\Windows\System32\ZyDYmfI.exe
  2⤵
  PID:6560
- C:\Windows\System32\JlnJUDY.exe
  C:\Windows\System32\JlnJUDY.exe
  2⤵
  PID:6544
- C:\Windows\System32\CGBmRWw.exe
  C:\Windows\System32\CGBmRWw.exe
  2⤵
  PID:6672
- C:\Windows\System32\fsCqWZS.exe
  C:\Windows\System32\fsCqWZS.exe
  2⤵
  PID:6744
- C:\Windows\System32\ugjMSJQ.exe
  C:\Windows\System32\ugjMSJQ.exe
  2⤵
  PID:6868
- C:\Windows\System32\QSwBmos.exe
  C:\Windows\System32\QSwBmos.exe
  2⤵
  PID:6836
- C:\Windows\System32\Dqpxogt.exe
  C:\Windows\System32\Dqpxogt.exe
  2⤵
  PID:6960
- C:\Windows\System32\YsYpZGV.exe
  C:\Windows\System32\YsYpZGV.exe
  2⤵
  PID:6944
- C:\Windows\System32\wDqJrhl.exe
  C:\Windows\System32\wDqJrhl.exe
  2⤵
  PID:7128
- C:\Windows\System32\gzNVDmJ.exe
  C:\Windows\System32\gzNVDmJ.exe
  2⤵
  PID:2696
- C:\Windows\System32\EsFVWjP.exe
  C:\Windows\System32\EsFVWjP.exe
  2⤵
  PID:2628
- C:\Windows\System32\AwBYZNW.exe
  C:\Windows\System32\AwBYZNW.exe
  2⤵
  PID:848
- C:\Windows\System32\OzAmQUv.exe
  C:\Windows\System32\OzAmQUv.exe
  2⤵
  PID:6448
- C:\Windows\System32\fvPXZAu.exe
  C:\Windows\System32\fvPXZAu.exe
  2⤵
  PID:6492
- C:\Windows\System32\VAddEJl.exe
  C:\Windows\System32\VAddEJl.exe
  2⤵
  PID:6636
- C:\Windows\System32\XGrWnTb.exe
  C:\Windows\System32\XGrWnTb.exe
  2⤵
  PID:6892
- C:\Windows\System32\sfinGWr.exe
  C:\Windows\System32\sfinGWr.exe
  2⤵
  PID:6988
- C:\Windows\System32\XBMHWRX.exe
  C:\Windows\System32\XBMHWRX.exe
  2⤵
  PID:6348
- C:\Windows\System32\NItcunN.exe
  C:\Windows\System32\NItcunN.exe
  2⤵
  PID:6312
- C:\Windows\System32\VLkfUdH.exe
  C:\Windows\System32\VLkfUdH.exe
  2⤵
  PID:6600
- C:\Windows\System32\OnMDLSo.exe
  C:\Windows\System32\OnMDLSo.exe
  2⤵
  PID:6948
- C:\Windows\System32\nUGwhKN.exe
  C:\Windows\System32\nUGwhKN.exe
  2⤵
  PID:1624
- C:\Windows\System32\XSBFtnf.exe
  C:\Windows\System32\XSBFtnf.exe
  2⤵
  PID:7188
- C:\Windows\System32\AfHWETM.exe
  C:\Windows\System32\AfHWETM.exe
  2⤵
  PID:7224
- C:\Windows\System32\eWfrnrH.exe
  C:\Windows\System32\eWfrnrH.exe
  2⤵
  PID:7256
- C:\Windows\System32\yycyuCj.exe
  C:\Windows\System32\yycyuCj.exe
  2⤵
  PID:7280
- C:\Windows\System32\jVkevrO.exe
  C:\Windows\System32\jVkevrO.exe
  2⤵
  PID:7300
- C:\Windows\System32\QCAzwoL.exe
  C:\Windows\System32\QCAzwoL.exe
  2⤵
  PID:7320
- C:\Windows\System32\iZsniwx.exe
  C:\Windows\System32\iZsniwx.exe
  2⤵
  PID:7336
- C:\Windows\System32\NUYMvri.exe
  C:\Windows\System32\NUYMvri.exe
  2⤵
  PID:7372
- C:\Windows\System32\vAVFcdL.exe
  C:\Windows\System32\vAVFcdL.exe
  2⤵
  PID:7388
- C:\Windows\System32\UlhrUVh.exe
  C:\Windows\System32\UlhrUVh.exe
  2⤵
  PID:7424
- C:\Windows\System32\yMTqFij.exe
  C:\Windows\System32\yMTqFij.exe
  2⤵
  PID:7476
- C:\Windows\System32\detNorJ.exe
  C:\Windows\System32\detNorJ.exe
  2⤵
  PID:7504
- C:\Windows\System32\Oebwxaz.exe
  C:\Windows\System32\Oebwxaz.exe
  2⤵
  PID:7536
- C:\Windows\System32\QUnAcUX.exe
  C:\Windows\System32\QUnAcUX.exe
  2⤵
  PID:7568
- C:\Windows\System32\fXmiQKA.exe
  C:\Windows\System32\fXmiQKA.exe
  2⤵
  PID:7592
- C:\Windows\System32\sHlVtlk.exe
  C:\Windows\System32\sHlVtlk.exe
  2⤵
  PID:7620
- C:\Windows\System32\jQDfacg.exe
  C:\Windows\System32\jQDfacg.exe
  2⤵
  PID:7640
- C:\Windows\System32\KAkAcpo.exe
  C:\Windows\System32\KAkAcpo.exe
  2⤵
  PID:7664
- C:\Windows\System32\iLUamcK.exe
  C:\Windows\System32\iLUamcK.exe
  2⤵
  PID:7688
- C:\Windows\System32\MdpKukQ.exe
  C:\Windows\System32\MdpKukQ.exe
  2⤵
  PID:7712
- C:\Windows\System32\MaaaFGu.exe
  C:\Windows\System32\MaaaFGu.exe
  2⤵
  PID:7740
- C:\Windows\System32\sDykKVe.exe
  C:\Windows\System32\sDykKVe.exe
  2⤵
  PID:7756
- C:\Windows\System32\oPUSbjY.exe
  C:\Windows\System32\oPUSbjY.exe
  2⤵
  PID:7840
- C:\Windows\System32\XJnmBSa.exe
  C:\Windows\System32\XJnmBSa.exe
  2⤵
  PID:7872
- C:\Windows\System32\eHRypZh.exe
  C:\Windows\System32\eHRypZh.exe
  2⤵
  PID:7896
- C:\Windows\System32\HvFuwBF.exe
  C:\Windows\System32\HvFuwBF.exe
  2⤵
  PID:7920
- C:\Windows\System32\gYlyYZA.exe
  C:\Windows\System32\gYlyYZA.exe
  2⤵
  PID:7968
- C:\Windows\System32\PETKckW.exe
  C:\Windows\System32\PETKckW.exe
  2⤵
  PID:7988
- C:\Windows\System32\BInbYGV.exe
  C:\Windows\System32\BInbYGV.exe
  2⤵
  PID:8012
- C:\Windows\System32\BYcWJYQ.exe
  C:\Windows\System32\BYcWJYQ.exe
  2⤵
  PID:8032
- C:\Windows\System32\yNQgHnu.exe
  C:\Windows\System32\yNQgHnu.exe
  2⤵
  PID:8076
- C:\Windows\System32\AsyZMEa.exe
  C:\Windows\System32\AsyZMEa.exe
  2⤵
  PID:8100
- C:\Windows\System32\ZfJJxpG.exe
  C:\Windows\System32\ZfJJxpG.exe
  2⤵
  PID:8124
- C:\Windows\System32\DDutMoL.exe
  C:\Windows\System32\DDutMoL.exe
  2⤵
  PID:8140
- C:\Windows\System32\TdnCwoP.exe
  C:\Windows\System32\TdnCwoP.exe
  2⤵
  PID:8164
- C:\Windows\System32\deYVmfS.exe
  C:\Windows\System32\deYVmfS.exe
  2⤵
  PID:8184
- C:\Windows\System32\AeCfpdn.exe
  C:\Windows\System32\AeCfpdn.exe
  2⤵
  PID:6772
- C:\Windows\System32\QuyUxok.exe
  C:\Windows\System32\QuyUxok.exe
  2⤵
  PID:7292
- C:\Windows\System32\ffhhDCA.exe
  C:\Windows\System32\ffhhDCA.exe
  2⤵
  PID:7384
- C:\Windows\System32\qfoHXgX.exe
  C:\Windows\System32\qfoHXgX.exe
  2⤵
  PID:7436
- C:\Windows\System32\qACZCtG.exe
  C:\Windows\System32\qACZCtG.exe
  2⤵
  PID:7412
- C:\Windows\System32\NbWNVVq.exe
  C:\Windows\System32\NbWNVVq.exe
  2⤵
  PID:7524
- C:\Windows\System32\cxnIMnZ.exe
  C:\Windows\System32\cxnIMnZ.exe
  2⤵
  PID:7612
- C:\Windows\System32\STOOLaO.exe
  C:\Windows\System32\STOOLaO.exe
  2⤵
  PID:7672
- C:\Windows\System32\vckLsGH.exe
  C:\Windows\System32\vckLsGH.exe
  2⤵
  PID:7784
- C:\Windows\System32\ESBuaGG.exe
  C:\Windows\System32\ESBuaGG.exe
  2⤵
  PID:7796
- C:\Windows\System32\sNwYwyw.exe
  C:\Windows\System32\sNwYwyw.exe
  2⤵
  PID:7860
- C:\Windows\System32\ynRwkeL.exe
  C:\Windows\System32\ynRwkeL.exe
  2⤵
  PID:7912
- C:\Windows\System32\zDkfXbJ.exe
  C:\Windows\System32\zDkfXbJ.exe
  2⤵
  PID:8064
- C:\Windows\System32\tqZJkOm.exe
  C:\Windows\System32\tqZJkOm.exe
  2⤵
  PID:8096
- C:\Windows\System32\kfURKoG.exe
  C:\Windows\System32\kfURKoG.exe
  2⤵
  PID:8136
- C:\Windows\System32\dQNQcCl.exe
  C:\Windows\System32\dQNQcCl.exe
  2⤵
  PID:7056
- C:\Windows\System32\fhUniAo.exe
  C:\Windows\System32\fhUniAo.exe
  2⤵
  PID:7268
- C:\Windows\System32\UbIUrIH.exe
  C:\Windows\System32\UbIUrIH.exe
  2⤵
  PID:7344
- C:\Windows\System32\iHPbRme.exe
  C:\Windows\System32\iHPbRme.exe
  2⤵
  PID:7604
- C:\Windows\System32\CXBCTIc.exe
  C:\Windows\System32\CXBCTIc.exe
  2⤵
  PID:7648
- C:\Windows\System32\uSqUHDS.exe
  C:\Windows\System32\uSqUHDS.exe
  2⤵
  PID:7768
- C:\Windows\System32\sxqRtLV.exe
  C:\Windows\System32\sxqRtLV.exe
  2⤵
  PID:7904
- C:\Windows\System32\BOabJyU.exe
  C:\Windows\System32\BOabJyU.exe
  2⤵
  PID:8056
- C:\Windows\System32\awLmQhj.exe
  C:\Windows\System32\awLmQhj.exe
  2⤵
  PID:8108
- C:\Windows\System32\iRNQvKU.exe
  C:\Windows\System32\iRNQvKU.exe
  2⤵
  PID:7548
- C:\Windows\System32\GTWCMgR.exe
  C:\Windows\System32\GTWCMgR.exe
  2⤵
  PID:7632
- C:\Windows\System32\gHwfMRJ.exe
  C:\Windows\System32\gHwfMRJ.exe
  2⤵
  PID:8200
- C:\Windows\System32\psQPJrc.exe
  C:\Windows\System32\psQPJrc.exe
  2⤵
  PID:8236
- C:\Windows\System32\rMWpSjY.exe
  C:\Windows\System32\rMWpSjY.exe
  2⤵
  PID:8260
- C:\Windows\System32\ySjYnUb.exe
  C:\Windows\System32\ySjYnUb.exe
  2⤵
  PID:8276
- C:\Windows\System32\FKHdEvQ.exe
  C:\Windows\System32\FKHdEvQ.exe
  2⤵
  PID:8300
- C:\Windows\System32\WpILIcB.exe
  C:\Windows\System32\WpILIcB.exe
  2⤵
  PID:8320
- C:\Windows\System32\RfIWgKC.exe
  C:\Windows\System32\RfIWgKC.exe
  2⤵
  PID:8360
- C:\Windows\System32\ruxyUgt.exe
  C:\Windows\System32\ruxyUgt.exe
  2⤵
  PID:8392
- C:\Windows\System32\rWrKGWi.exe
  C:\Windows\System32\rWrKGWi.exe
  2⤵
  PID:8416
- C:\Windows\System32\nRsdjvE.exe
  C:\Windows\System32\nRsdjvE.exe
  2⤵
  PID:8452
- C:\Windows\System32\vaLpZTL.exe
  C:\Windows\System32\vaLpZTL.exe
  2⤵
  PID:8484
- C:\Windows\System32\tfbyhEH.exe
  C:\Windows\System32\tfbyhEH.exe
  2⤵
  PID:8524
- C:\Windows\System32\UMfRgwu.exe
  C:\Windows\System32\UMfRgwu.exe
  2⤵
  PID:8560
- C:\Windows\System32\XvGsMFx.exe
  C:\Windows\System32\XvGsMFx.exe
  2⤵
  PID:8592
- C:\Windows\System32\EqyRmCb.exe
  C:\Windows\System32\EqyRmCb.exe
  2⤵
  PID:8620
- C:\Windows\System32\JgijJjY.exe
  C:\Windows\System32\JgijJjY.exe
  2⤵
  PID:8644
- C:\Windows\System32\QEaZWHQ.exe
  C:\Windows\System32\QEaZWHQ.exe
  2⤵
  PID:8664
- C:\Windows\System32\PVyTEJc.exe
  C:\Windows\System32\PVyTEJc.exe
  2⤵
  PID:8692
- C:\Windows\System32\ZBouLLY.exe
  C:\Windows\System32\ZBouLLY.exe
  2⤵
  PID:8720
- C:\Windows\System32\jNqtoFT.exe
  C:\Windows\System32\jNqtoFT.exe
  2⤵
  PID:8740
- C:\Windows\System32\QGEtHbe.exe
  C:\Windows\System32\QGEtHbe.exe
  2⤵
  PID:8760
- C:\Windows\System32\QjYAzeL.exe
  C:\Windows\System32\QjYAzeL.exe
  2⤵
  PID:8784
- C:\Windows\System32\teAydpX.exe
  C:\Windows\System32\teAydpX.exe
  2⤵
  PID:8808
- C:\Windows\System32\NFQHjJO.exe
  C:\Windows\System32\NFQHjJO.exe
  2⤵
  PID:8864
- C:\Windows\System32\BqAxlAa.exe
  C:\Windows\System32\BqAxlAa.exe
  2⤵
  PID:8892
- C:\Windows\System32\AhMnCue.exe
  C:\Windows\System32\AhMnCue.exe
  2⤵
  PID:8916
- C:\Windows\System32\jDOhAdL.exe
  C:\Windows\System32\jDOhAdL.exe
  2⤵
  PID:8932
- C:\Windows\System32\GKfIapf.exe
  C:\Windows\System32\GKfIapf.exe
  2⤵
  PID:8964
- C:\Windows\System32\NsuKFXK.exe
  C:\Windows\System32\NsuKFXK.exe
  2⤵
  PID:8992
- C:\Windows\System32\CNgioPw.exe
  C:\Windows\System32\CNgioPw.exe
  2⤵
  PID:9020
- C:\Windows\System32\ybTkioR.exe
  C:\Windows\System32\ybTkioR.exe
  2⤵
  PID:9044
- C:\Windows\System32\vOeoRZX.exe
  C:\Windows\System32\vOeoRZX.exe
  2⤵
  PID:9072
- C:\Windows\System32\HNfTYAT.exe
  C:\Windows\System32\HNfTYAT.exe
  2⤵
  PID:9100
- C:\Windows\System32\myYwUsq.exe
  C:\Windows\System32\myYwUsq.exe
  2⤵
  PID:9120
- C:\Windows\System32\vFQKsVG.exe
  C:\Windows\System32\vFQKsVG.exe
  2⤵
  PID:9140
- C:\Windows\System32\qcrLNoo.exe
  C:\Windows\System32\qcrLNoo.exe
  2⤵
  PID:9160
- C:\Windows\System32\ElNbkgr.exe
  C:\Windows\System32\ElNbkgr.exe
  2⤵
  PID:9188
- C:\Windows\System32\jpzFcvw.exe
  C:\Windows\System32\jpzFcvw.exe
  2⤵
  PID:9208
- C:\Windows\System32\cURKupe.exe
  C:\Windows\System32\cURKupe.exe
  2⤵
  PID:8024
- C:\Windows\System32\ZNJkYhJ.exe
  C:\Windows\System32\ZNJkYhJ.exe
  2⤵
  PID:8208
- C:\Windows\System32\OmptZwY.exe
  C:\Windows\System32\OmptZwY.exe
  2⤵
  PID:8376
- C:\Windows\System32\SULGKcc.exe
  C:\Windows\System32\SULGKcc.exe
  2⤵
  PID:8448
- C:\Windows\System32\GLYVThP.exe
  C:\Windows\System32\GLYVThP.exe
  2⤵
  PID:8516
- C:\Windows\System32\kZbryyl.exe
  C:\Windows\System32\kZbryyl.exe
  2⤵
  PID:8576
- C:\Windows\System32\BvDnIHN.exe
  C:\Windows\System32\BvDnIHN.exe
  2⤵
  PID:8616
- C:\Windows\System32\EyJiwoN.exe
  C:\Windows\System32\EyJiwoN.exe
  2⤵
  PID:8676
- C:\Windows\System32\qXslvCZ.exe
  C:\Windows\System32\qXslvCZ.exe
  2⤵
  PID:8704
- C:\Windows\System32\wcIFMwJ.exe
  C:\Windows\System32\wcIFMwJ.exe
  2⤵
  PID:8872
- C:\Windows\System32\TSbpJAd.exe
  C:\Windows\System32\TSbpJAd.exe
  2⤵
  PID:8928
- C:\Windows\System32\AGOrYoQ.exe
  C:\Windows\System32\AGOrYoQ.exe
  2⤵
  PID:9040
- C:\Windows\System32\bYftzWE.exe
  C:\Windows\System32\bYftzWE.exe
  2⤵
  PID:9028
- C:\Windows\System32\PFrzquD.exe
  C:\Windows\System32\PFrzquD.exe
  2⤵
  PID:9176
- C:\Windows\System32\mlahevx.exe
  C:\Windows\System32\mlahevx.exe
  2⤵
  PID:8116
- C:\Windows\System32\sSKJZRA.exe
  C:\Windows\System32\sSKJZRA.exe
  2⤵
  PID:8372
- C:\Windows\System32\rGJWWsh.exe
  C:\Windows\System32\rGJWWsh.exe
  2⤵
  PID:8460
- C:\Windows\System32\mUfAqEj.exe
  C:\Windows\System32\mUfAqEj.exe
  2⤵
  PID:8716
- C:\Windows\System32\MIESkmS.exe
  C:\Windows\System32\MIESkmS.exe
  2⤵
  PID:8804
- C:\Windows\System32\ESPFSwo.exe
  C:\Windows\System32\ESPFSwo.exe
  2⤵
  PID:9004
- C:\Windows\System32\rkzPzVc.exe
  C:\Windows\System32\rkzPzVc.exe
  2⤵
  PID:9112
- C:\Windows\System32\uUEVehm.exe
  C:\Windows\System32\uUEVehm.exe
  2⤵
  PID:8252
- C:\Windows\System32\BjnXaen.exe
  C:\Windows\System32\BjnXaen.exe
  2⤵
  PID:8792
- C:\Windows\System32\BLlTBHI.exe
  C:\Windows\System32\BLlTBHI.exe
  2⤵
  PID:8972
- C:\Windows\System32\cCbWzQa.exe
  C:\Windows\System32\cCbWzQa.exe
  2⤵
  PID:8604
- C:\Windows\System32\zSgsIgd.exe
  C:\Windows\System32\zSgsIgd.exe
  2⤵
  PID:9224
- C:\Windows\System32\jgpkEEX.exe
  C:\Windows\System32\jgpkEEX.exe
  2⤵
  PID:9240
- C:\Windows\System32\ybKnehJ.exe
  C:\Windows\System32\ybKnehJ.exe
  2⤵
  PID:9280
- C:\Windows\System32\WZLNgTg.exe
  C:\Windows\System32\WZLNgTg.exe
  2⤵
  PID:9340
- C:\Windows\System32\CdBPZkK.exe
  C:\Windows\System32\CdBPZkK.exe
  2⤵
  PID:9384
- C:\Windows\System32\Etjvezo.exe
  C:\Windows\System32\Etjvezo.exe
  2⤵
  PID:9424
- C:\Windows\System32\bMKmSEI.exe
  C:\Windows\System32\bMKmSEI.exe
  2⤵
  PID:9448
- C:\Windows\System32\AVlHUcF.exe
  C:\Windows\System32\AVlHUcF.exe
  2⤵
  PID:9476
- C:\Windows\System32\hcTwxBR.exe
  C:\Windows\System32\hcTwxBR.exe
  2⤵
  PID:9512
- C:\Windows\System32\DvDmdzc.exe
  C:\Windows\System32\DvDmdzc.exe
  2⤵
  PID:9532
- C:\Windows\System32\FAkqhsN.exe
  C:\Windows\System32\FAkqhsN.exe
  2⤵
  PID:9620
- C:\Windows\System32\HvxRaFB.exe
  C:\Windows\System32\HvxRaFB.exe
  2⤵
  PID:9656
- C:\Windows\System32\jyjfleS.exe
  C:\Windows\System32\jyjfleS.exe
  2⤵
  PID:9676
- C:\Windows\System32\JbDgYmi.exe
  C:\Windows\System32\JbDgYmi.exe
  2⤵
  PID:9692
- C:\Windows\System32\NJRgnea.exe
  C:\Windows\System32\NJRgnea.exe
  2⤵
  PID:9720
- C:\Windows\System32\QjwcaFQ.exe
  C:\Windows\System32\QjwcaFQ.exe
  2⤵
  PID:9744
- C:\Windows\System32\ICKnznQ.exe
  C:\Windows\System32\ICKnznQ.exe
  2⤵
  PID:9760
- C:\Windows\System32\pvFVebx.exe
  C:\Windows\System32\pvFVebx.exe
  2⤵
  PID:9832
- C:\Windows\System32\AibaIRe.exe
  C:\Windows\System32\AibaIRe.exe
  2⤵
  PID:9860
- C:\Windows\System32\yZNOtjS.exe
  C:\Windows\System32\yZNOtjS.exe
  2⤵
  PID:9892
- C:\Windows\System32\CWpDMov.exe
  C:\Windows\System32\CWpDMov.exe
  2⤵
  PID:9916
- C:\Windows\System32\InUzyfc.exe
  C:\Windows\System32\InUzyfc.exe
  2⤵
  PID:9940
- C:\Windows\System32\RdscHSX.exe
  C:\Windows\System32\RdscHSX.exe
  2⤵
  PID:9980
- C:\Windows\System32\skMMMWf.exe
  C:\Windows\System32\skMMMWf.exe
  2⤵
  PID:10004
- C:\Windows\System32\tqdJVRB.exe
  C:\Windows\System32\tqdJVRB.exe
  2⤵
  PID:10024
- C:\Windows\System32\MiOQuMw.exe
  C:\Windows\System32\MiOQuMw.exe
  2⤵
  PID:10044
- C:\Windows\System32\oLkDsip.exe
  C:\Windows\System32\oLkDsip.exe
  2⤵
  PID:10068
- C:\Windows\System32\jdHHNFK.exe
  C:\Windows\System32\jdHHNFK.exe
  2⤵
  PID:10088
- C:\Windows\System32\DugsThw.exe
  C:\Windows\System32\DugsThw.exe
  2⤵
  PID:10112
- C:\Windows\System32\NuTayGe.exe
  C:\Windows\System32\NuTayGe.exe
  2⤵
  PID:10132
- C:\Windows\System32\OeyjiAz.exe
  C:\Windows\System32\OeyjiAz.exe
  2⤵
  PID:10160
- C:\Windows\System32\gmGGoJW.exe
  C:\Windows\System32\gmGGoJW.exe
  2⤵
  PID:10208
- C:\Windows\System32\fSYGGbs.exe
  C:\Windows\System32\fSYGGbs.exe
  2⤵
  PID:10236
- C:\Windows\System32\MTHbvQd.exe
  C:\Windows\System32\MTHbvQd.exe
  2⤵
  PID:9320
- C:\Windows\System32\aGCDuko.exe
  C:\Windows\System32\aGCDuko.exe
  2⤵
  PID:9460
- C:\Windows\System32\gZTAJVh.exe
  C:\Windows\System32\gZTAJVh.exe
  2⤵
  PID:9360
- C:\Windows\System32\iBWnwoC.exe
  C:\Windows\System32\iBWnwoC.exe
  2⤵
  PID:9260
- C:\Windows\System32\cLfrscS.exe
  C:\Windows\System32\cLfrscS.exe
  2⤵
  PID:9324
- C:\Windows\System32\WFgneIv.exe
  C:\Windows\System32\WFgneIv.exe
  2⤵
  PID:9380
- C:\Windows\System32\hXdGmMi.exe
  C:\Windows\System32\hXdGmMi.exe
  2⤵
  PID:9504
- C:\Windows\System32\ZDpYoSo.exe
  C:\Windows\System32\ZDpYoSo.exe
  2⤵
  PID:9500
- C:\Windows\System32\aduSCos.exe
  C:\Windows\System32\aduSCos.exe
  2⤵
  PID:9592
- C:\Windows\System32\mjFZmmf.exe
  C:\Windows\System32\mjFZmmf.exe
  2⤵
  PID:9632
- C:\Windows\System32\llShhlC.exe
  C:\Windows\System32\llShhlC.exe
  2⤵
  PID:9700
- C:\Windows\System32\VwqDdlz.exe
  C:\Windows\System32\VwqDdlz.exe
  2⤵
  PID:9740
- C:\Windows\System32\GnDhAMn.exe
  C:\Windows\System32\GnDhAMn.exe
  2⤵
  PID:9796
- C:\Windows\System32\jixrQII.exe
  C:\Windows\System32\jixrQII.exe
  2⤵
  PID:9928
- C:\Windows\System32\uXSosAc.exe
  C:\Windows\System32\uXSosAc.exe
  2⤵
  PID:9964
- C:\Windows\System32\jEsIayW.exe
  C:\Windows\System32\jEsIayW.exe
  2⤵
  PID:10020
- C:\Windows\System32\zhQIxRN.exe
  C:\Windows\System32\zhQIxRN.exe
  2⤵
  PID:10104
- C:\Windows\System32\CorlBar.exe
  C:\Windows\System32\CorlBar.exe
  2⤵
  PID:10152
- C:\Windows\System32\ZTGWvyq.exe
  C:\Windows\System32\ZTGWvyq.exe
  2⤵
  PID:9308
- C:\Windows\System32\PdkWLwJ.exe
  C:\Windows\System32\PdkWLwJ.exe
  2⤵
  PID:9412
- C:\Windows\System32\gekxXnX.exe
  C:\Windows\System32\gekxXnX.exe
  2⤵
  PID:9436
- C:\Windows\System32\TJGkRWY.exe
  C:\Windows\System32\TJGkRWY.exe
  2⤵
  PID:9400
- C:\Windows\System32\xgpmFDW.exe
  C:\Windows\System32\xgpmFDW.exe
  2⤵
  PID:9712
- C:\Windows\System32\gMSAONh.exe
  C:\Windows\System32\gMSAONh.exe
  2⤵
  PID:9840
- C:\Windows\System32\PazLzhq.exe
  C:\Windows\System32\PazLzhq.exe
  2⤵
  PID:10012
- C:\Windows\System32\KwufXku.exe
  C:\Windows\System32\KwufXku.exe
  2⤵
  PID:10128
- C:\Windows\System32\TzldJjd.exe
  C:\Windows\System32\TzldJjd.exe
  2⤵
  PID:9492
- C:\Windows\System32\BMLArhU.exe
  C:\Windows\System32\BMLArhU.exe
  2⤵
  PID:9828
- C:\Windows\System32\RDQiAnh.exe
  C:\Windows\System32\RDQiAnh.exe
  2⤵
  PID:10196
- C:\Windows\System32\ZblCVAF.exe
  C:\Windows\System32\ZblCVAF.exe
  2⤵
  PID:9732
- C:\Windows\System32\zPahqdF.exe
  C:\Windows\System32\zPahqdF.exe
  2⤵
  PID:10252
- C:\Windows\System32\XwPemwM.exe
  C:\Windows\System32\XwPemwM.exe
  2⤵
  PID:10276
- C:\Windows\System32\DetvLFp.exe
  C:\Windows\System32\DetvLFp.exe
  2⤵
  PID:10308
- C:\Windows\System32\yJkeIUo.exe
  C:\Windows\System32\yJkeIUo.exe
  2⤵
  PID:10332
- C:\Windows\System32\YVgwjUe.exe
  C:\Windows\System32\YVgwjUe.exe
  2⤵
  PID:10372
- C:\Windows\System32\iYJYive.exe
  C:\Windows\System32\iYJYive.exe
  2⤵
  PID:10400
- C:\Windows\System32\BWjRSsS.exe
  C:\Windows\System32\BWjRSsS.exe
  2⤵
  PID:10416
- C:\Windows\System32\ZYnzLPC.exe
  C:\Windows\System32\ZYnzLPC.exe
  2⤵
  PID:10452
- C:\Windows\System32\YcVyAYp.exe
  C:\Windows\System32\YcVyAYp.exe
  2⤵
  PID:10488
- C:\Windows\System32\jNYdEHH.exe
  C:\Windows\System32\jNYdEHH.exe
  2⤵
  PID:10520
- C:\Windows\System32\DZKMTvu.exe
  C:\Windows\System32\DZKMTvu.exe
  2⤵
  PID:10548
- C:\Windows\System32\WHNmbaX.exe
  C:\Windows\System32\WHNmbaX.exe
  2⤵
  PID:10572
- C:\Windows\System32\ZiwoJUF.exe
  C:\Windows\System32\ZiwoJUF.exe
  2⤵
  PID:10604
- C:\Windows\System32\DxKqcyF.exe
  C:\Windows\System32\DxKqcyF.exe
  2⤵
  PID:10628
- C:\Windows\System32\dNzzJml.exe
  C:\Windows\System32\dNzzJml.exe
  2⤵
  PID:10656
- C:\Windows\System32\VbDiRiH.exe
  C:\Windows\System32\VbDiRiH.exe
  2⤵
  PID:10688
- C:\Windows\System32\AFbhRyp.exe
  C:\Windows\System32\AFbhRyp.exe
  2⤵
  PID:10712
- C:\Windows\System32\XYRSuUu.exe
  C:\Windows\System32\XYRSuUu.exe
  2⤵
  PID:10740
- C:\Windows\System32\wtJSaSe.exe
  C:\Windows\System32\wtJSaSe.exe
  2⤵
  PID:10760
- C:\Windows\System32\lhkgOeD.exe
  C:\Windows\System32\lhkgOeD.exe
  2⤵
  PID:10792
- C:\Windows\System32\iXOtZzO.exe
  C:\Windows\System32\iXOtZzO.exe
  2⤵
  PID:10808
- C:\Windows\System32\iwfLWFy.exe
  C:\Windows\System32\iwfLWFy.exe
  2⤵
  PID:10832
- C:\Windows\System32\vPpNdbZ.exe
  C:\Windows\System32\vPpNdbZ.exe
  2⤵
  PID:10848
- C:\Windows\System32\vsTFXIz.exe
  C:\Windows\System32\vsTFXIz.exe
  2⤵
  PID:10872
- C:\Windows\System32\ZaSErCU.exe
  C:\Windows\System32\ZaSErCU.exe
  2⤵
  PID:10920
- C:\Windows\System32\wRWCISu.exe
  C:\Windows\System32\wRWCISu.exe
  2⤵
  PID:10960
- C:\Windows\System32\LiemKmC.exe
  C:\Windows\System32\LiemKmC.exe
  2⤵
  PID:10980
- C:\Windows\System32\iwYoTLC.exe
  C:\Windows\System32\iwYoTLC.exe
  2⤵
  PID:10996
- C:\Windows\System32\qaIhviE.exe
  C:\Windows\System32\qaIhviE.exe
  2⤵
  PID:11036
- C:\Windows\System32\cCeVaTe.exe
  C:\Windows\System32\cCeVaTe.exe
  2⤵
  PID:11076
- C:\Windows\System32\koExQyw.exe
  C:\Windows\System32\koExQyw.exe
  2⤵
  PID:11096
- C:\Windows\System32\DlXyExC.exe
  C:\Windows\System32\DlXyExC.exe
  2⤵
  PID:11120
- C:\Windows\System32\QOrGRdL.exe
  C:\Windows\System32\QOrGRdL.exe
  2⤵
  PID:11140
- C:\Windows\System32\blHooWX.exe
  C:\Windows\System32\blHooWX.exe
  2⤵
  PID:11160
- C:\Windows\System32\ndGZCKH.exe
  C:\Windows\System32\ndGZCKH.exe
  2⤵
  PID:11200
- C:\Windows\System32\VdcaZhs.exe
  C:\Windows\System32\VdcaZhs.exe
  2⤵
  PID:11244
- C:\Windows\System32\zpWFPzK.exe
  C:\Windows\System32\zpWFPzK.exe
  2⤵
  PID:10248
- C:\Windows\System32\zfnNqyr.exe
  C:\Windows\System32\zfnNqyr.exe
  2⤵
  PID:10284
- C:\Windows\System32\zvyyeNX.exe
  C:\Windows\System32\zvyyeNX.exe
  2⤵
  PID:10368
- C:\Windows\System32\vdrHmcF.exe
  C:\Windows\System32\vdrHmcF.exe
  2⤵
  PID:10384
- C:\Windows\System32\nKUwRRe.exe
  C:\Windows\System32\nKUwRRe.exe
  2⤵
  PID:10460
- C:\Windows\System32\wzUENYJ.exe
  C:\Windows\System32\wzUENYJ.exe
  2⤵
  PID:10496
- C:\Windows\System32\WxSZWLk.exe
  C:\Windows\System32\WxSZWLk.exe
  2⤵
  PID:10568
- C:\Windows\System32\UsbbwQF.exe
  C:\Windows\System32\UsbbwQF.exe
  2⤵
  PID:10624
- C:\Windows\System32\vGZwkOb.exe
  C:\Windows\System32\vGZwkOb.exe
  2⤵
  PID:10772
- C:\Windows\System32\LgTBMCW.exe
  C:\Windows\System32\LgTBMCW.exe
  2⤵
  PID:10816
- C:\Windows\System32\OCfgiOe.exe
  C:\Windows\System32\OCfgiOe.exe
  2⤵
  PID:10892
- C:\Windows\System32\QXHdUjr.exe
  C:\Windows\System32\QXHdUjr.exe
  2⤵
  PID:10956
- C:\Windows\System32\GzGepEz.exe
  C:\Windows\System32\GzGepEz.exe
  2⤵
  PID:10972
- C:\Windows\System32\lqTzOhI.exe
  C:\Windows\System32\lqTzOhI.exe
  2⤵
  PID:11052
- C:\Windows\System32\IcroJFi.exe
  C:\Windows\System32\IcroJFi.exe
  2⤵
  PID:11116
- C:\Windows\System32\ypxfrmV.exe
  C:\Windows\System32\ypxfrmV.exe
  2⤵
  PID:11176
- C:\Windows\System32\nhmzRyF.exe
  C:\Windows\System32\nhmzRyF.exe
  2⤵
  PID:11220
- C:\Windows\System32\vlTrLYq.exe
  C:\Windows\System32\vlTrLYq.exe
  2⤵
  PID:10060
- C:\Windows\System32\ZpGxpPu.exe
  C:\Windows\System32\ZpGxpPu.exe
  2⤵
  PID:10436
- C:\Windows\System32\gAgoFaL.exe
  C:\Windows\System32\gAgoFaL.exe
  2⤵
  PID:10480
- C:\Windows\System32\MeWhOwP.exe
  C:\Windows\System32\MeWhOwP.exe
  2⤵
  PID:10784
- C:\Windows\System32\FjhHYKd.exe
  C:\Windows\System32\FjhHYKd.exe
  2⤵
  PID:10672
- C:\Windows\System32\TsQtwuy.exe
  C:\Windows\System32\TsQtwuy.exe
  2⤵
  PID:11172
- C:\Windows\System32\OcYtYZm.exe
  C:\Windows\System32\OcYtYZm.exe
  2⤵
  PID:10296
- C:\Windows\System32\xmibDHc.exe
  C:\Windows\System32\xmibDHc.exe
  2⤵
  PID:11252
- C:\Windows\System32\pJdIqhC.exe
  C:\Windows\System32\pJdIqhC.exe
  2⤵
  PID:4260
- C:\Windows\System32\DxVuLps.exe
  C:\Windows\System32\DxVuLps.exe
  2⤵
  PID:10464
- C:\Windows\System32\fPaqkbK.exe
  C:\Windows\System32\fPaqkbK.exe
  2⤵
  PID:10928
- C:\Windows\System32\nFwRhEU.exe
  C:\Windows\System32\nFwRhEU.exe
  2⤵
  PID:10732
- C:\Windows\System32\GspIZdY.exe
  C:\Windows\System32\GspIZdY.exe
  2⤵
  PID:11280
- C:\Windows\System32\dgPwNgb.exe
  C:\Windows\System32\dgPwNgb.exe
  2⤵
  PID:11344
- C:\Windows\System32\pqnNAIh.exe
  C:\Windows\System32\pqnNAIh.exe
  2⤵
  PID:11364
- C:\Windows\System32\ZwFezRh.exe
  C:\Windows\System32\ZwFezRh.exe
  2⤵
  PID:11392
- C:\Windows\System32\odYyOAq.exe
  C:\Windows\System32\odYyOAq.exe
  2⤵
  PID:11408
- C:\Windows\System32\CmjaGVy.exe
  C:\Windows\System32\CmjaGVy.exe
  2⤵
  PID:11464
- C:\Windows\System32\ogZKPZR.exe
  C:\Windows\System32\ogZKPZR.exe
  2⤵
  PID:11488
- C:\Windows\System32\BMDfSPV.exe
  C:\Windows\System32\BMDfSPV.exe
  2⤵
  PID:11508
- C:\Windows\System32\kAlHUlf.exe
  C:\Windows\System32\kAlHUlf.exe
  2⤵
  PID:11536
- C:\Windows\System32\UbbglVM.exe
  C:\Windows\System32\UbbglVM.exe
  2⤵
  PID:11564
- C:\Windows\System32\LIhWPgM.exe
  C:\Windows\System32\LIhWPgM.exe
  2⤵
  PID:11592
- C:\Windows\System32\bQqXwnz.exe
  C:\Windows\System32\bQqXwnz.exe
  2⤵
  PID:11620
- C:\Windows\System32\HFqPiBM.exe
  C:\Windows\System32\HFqPiBM.exe
  2⤵
  PID:11660
- C:\Windows\System32\hlTxXFS.exe
  C:\Windows\System32\hlTxXFS.exe
  2⤵
  PID:11684
- C:\Windows\System32\ayWNqEQ.exe
  C:\Windows\System32\ayWNqEQ.exe
  2⤵
  PID:11704
- C:\Windows\System32\pTsPbyB.exe
  C:\Windows\System32\pTsPbyB.exe
  2⤵
  PID:11740
- C:\Windows\System32\RwlQidW.exe
  C:\Windows\System32\RwlQidW.exe
  2⤵
  PID:11764
- C:\Windows\System32\gdPdBzD.exe
  C:\Windows\System32\gdPdBzD.exe
  2⤵
  PID:11800
- C:\Windows\System32\tvdVlkF.exe
  C:\Windows\System32\tvdVlkF.exe
  2⤵
  PID:11824
- C:\Windows\System32\tQUPxgx.exe
  C:\Windows\System32\tQUPxgx.exe
  2⤵
  PID:11848
- C:\Windows\System32\zzPVQFS.exe
  C:\Windows\System32\zzPVQFS.exe
  2⤵
  PID:11868
- C:\Windows\System32\WiFCmTP.exe
  C:\Windows\System32\WiFCmTP.exe
  2⤵
  PID:11892
- C:\Windows\System32\uUUgiti.exe
  C:\Windows\System32\uUUgiti.exe
  2⤵
  PID:11908
- C:\Windows\System32\OxDtsgh.exe
  C:\Windows\System32\OxDtsgh.exe
  2⤵
  PID:11928
- C:\Windows\System32\rzULEcl.exe
  C:\Windows\System32\rzULEcl.exe
  2⤵
  PID:11948
- C:\Windows\System32\EaRtdLQ.exe
  C:\Windows\System32\EaRtdLQ.exe
  2⤵
  PID:11964
- C:\Windows\System32\YUFnjIF.exe
  C:\Windows\System32\YUFnjIF.exe
  2⤵
  PID:11988
- C:\Windows\System32\QOOHqIs.exe
  C:\Windows\System32\QOOHqIs.exe
  2⤵
  PID:12036
- C:\Windows\System32\nPzwtDY.exe
  C:\Windows\System32\nPzwtDY.exe
  2⤵
  PID:12064
- C:\Windows\System32\qTtcEmF.exe
  C:\Windows\System32\qTtcEmF.exe
  2⤵
  PID:12112
- C:\Windows\System32\twijhIt.exe
  C:\Windows\System32\twijhIt.exe
  2⤵
  PID:12156
- C:\Windows\System32\EqGfNIA.exe
  C:\Windows\System32\EqGfNIA.exe
  2⤵
  PID:12176
- C:\Windows\System32\lTiFkCx.exe
  C:\Windows\System32\lTiFkCx.exe
  2⤵
  PID:12216
- C:\Windows\System32\TLbMQPx.exe
  C:\Windows\System32\TLbMQPx.exe
  2⤵
  PID:12240
- C:\Windows\System32\knLNVfC.exe
  C:\Windows\System32\knLNVfC.exe
  2⤵
  PID:12260
- C:\Windows\System32\uOaBtkY.exe
  C:\Windows\System32\uOaBtkY.exe
  2⤵
  PID:11272
- C:\Windows\System32\defEcyh.exe
  C:\Windows\System32\defEcyh.exe
  2⤵
  PID:11356
- C:\Windows\System32\iXwadDS.exe
  C:\Windows\System32\iXwadDS.exe
  2⤵
  PID:11380
- C:\Windows\System32\MVMEqro.exe
  C:\Windows\System32\MVMEqro.exe
  2⤵
  PID:11500
- C:\Windows\System32\vqJvflz.exe
  C:\Windows\System32\vqJvflz.exe
  2⤵
  PID:11576
- C:\Windows\System32\uBkXPbR.exe
  C:\Windows\System32\uBkXPbR.exe
  2⤵
  PID:11640
- C:\Windows\System32\AacxVcI.exe
  C:\Windows\System32\AacxVcI.exe
  2⤵
  PID:11692
- C:\Windows\System32\qpKxuao.exe
  C:\Windows\System32\qpKxuao.exe
  2⤵
  PID:11736
- C:\Windows\System32\gVfvBMy.exe
  C:\Windows\System32\gVfvBMy.exe
  2⤵
  PID:11864
- C:\Windows\System32\XAzcSOx.exe
  C:\Windows\System32\XAzcSOx.exe
  2⤵
  PID:11836
- C:\Windows\System32\RXzyhQw.exe
  C:\Windows\System32\RXzyhQw.exe
  2⤵
  PID:11936
- C:\Windows\System32\JQvWKhq.exe
  C:\Windows\System32\JQvWKhq.exe
  2⤵
  PID:12056
- C:\Windows\System32\ojxYlrF.exe
  C:\Windows\System32\ojxYlrF.exe
  2⤵
  PID:12100
- C:\Windows\System32\XErJWQZ.exe
  C:\Windows\System32\XErJWQZ.exe
  2⤵
  PID:12136
- C:\Windows\System32\ychuMUT.exe
  C:\Windows\System32\ychuMUT.exe
  2⤵
  PID:12192
- C:\Windows\System32\JIeQSmI.exe
  C:\Windows\System32\JIeQSmI.exe
  2⤵
  PID:12268
- C:\Windows\System32\nBhnFLW.exe
  C:\Windows\System32\nBhnFLW.exe
  2⤵
  PID:11320
- C:\Windows\System32\BKkKKsQ.exe
  C:\Windows\System32\BKkKKsQ.exe
  2⤵
  PID:11496
- C:\Windows\System32\lPlwQcU.exe
  C:\Windows\System32\lPlwQcU.exe
  2⤵
  PID:11548
- C:\Windows\System32\ywghHdP.exe
  C:\Windows\System32\ywghHdP.exe
  2⤵
  PID:11724
- C:\Windows\System32\fBRMzAc.exe
  C:\Windows\System32\fBRMzAc.exe
  2⤵
  PID:11876
- C:\Windows\System32\VIReuou.exe
  C:\Windows\System32\VIReuou.exe
  2⤵
  PID:11920
- C:\Windows\System32\gfcxZjX.exe
  C:\Windows\System32\gfcxZjX.exe
  2⤵
  PID:12252
- C:\Windows\System32\WTffnDk.exe
  C:\Windows\System32\WTffnDk.exe
  2⤵
  PID:11672
- C:\Windows\System32\bfcBjmR.exe
  C:\Windows\System32\bfcBjmR.exe
  2⤵
  PID:11484
- C:\Windows\System32\LeNqJac.exe
  C:\Windows\System32\LeNqJac.exe
  2⤵
  PID:11960
- C:\Windows\System32\NKbInni.exe
  C:\Windows\System32\NKbInni.exe
  2⤵
  PID:11900
- C:\Windows\System32\WBCLjlP.exe
  C:\Windows\System32\WBCLjlP.exe
  2⤵
  PID:4232
- C:\Windows\System32\AQkQCSX.exe
  C:\Windows\System32\AQkQCSX.exe
  2⤵
  PID:11612
- C:\Windows\System32\Ajslhji.exe
  C:\Windows\System32\Ajslhji.exe
  2⤵
  PID:12324
- C:\Windows\System32\PnLeLGV.exe
  C:\Windows\System32\PnLeLGV.exe
  2⤵
  PID:12380
- C:\Windows\System32\DBtvIEI.exe
  C:\Windows\System32\DBtvIEI.exe
  2⤵
  PID:12412
- C:\Windows\System32\aJbNhQz.exe
  C:\Windows\System32\aJbNhQz.exe
  2⤵
  PID:12428
- C:\Windows\System32\bGcGxEt.exe
  C:\Windows\System32\bGcGxEt.exe
  2⤵
  PID:12448
- C:\Windows\System32\SlATHvY.exe
  C:\Windows\System32\SlATHvY.exe
  2⤵
  PID:12480
- C:\Windows\System32\cBNqyNg.exe
  C:\Windows\System32\cBNqyNg.exe
  2⤵
  PID:12524
- C:\Windows\System32\LkPxAYC.exe
  C:\Windows\System32\LkPxAYC.exe
  2⤵
  PID:12540
- C:\Windows\System32\IGDEIcy.exe
  C:\Windows\System32\IGDEIcy.exe
  2⤵
  PID:12564
- C:\Windows\System32\bSipxGP.exe
  C:\Windows\System32\bSipxGP.exe
  2⤵
  PID:12604
- C:\Windows\System32\SfmiQny.exe
  C:\Windows\System32\SfmiQny.exe
  2⤵
  PID:12624
- C:\Windows\System32\TJtyNTw.exe
  C:\Windows\System32\TJtyNTw.exe
  2⤵
  PID:12664
- C:\Windows\System32\lpRVzCP.exe
  C:\Windows\System32\lpRVzCP.exe
  2⤵
  PID:12684
- C:\Windows\System32\XQfGjep.exe
  C:\Windows\System32\XQfGjep.exe
  2⤵
  PID:12720
- C:\Windows\System32\kZnTyFV.exe
  C:\Windows\System32\kZnTyFV.exe
  2⤵
  PID:12736
- C:\Windows\System32\kikPVUW.exe
  C:\Windows\System32\kikPVUW.exe
  2⤵
  PID:12764
- C:\Windows\System32\GyBmvjc.exe
  C:\Windows\System32\GyBmvjc.exe
  2⤵
  PID:12800
- C:\Windows\System32\ctsmUbw.exe
  C:\Windows\System32\ctsmUbw.exe
  2⤵
  PID:12816
- C:\Windows\System32\woDvUmm.exe
  C:\Windows\System32\woDvUmm.exe
  2⤵
  PID:12832
- C:\Windows\System32\DMFuvZF.exe
  C:\Windows\System32\DMFuvZF.exe
  2⤵
  PID:12880
- C:\Windows\System32\NCpJdka.exe
  C:\Windows\System32\NCpJdka.exe
  2⤵
  PID:12916
- C:\Windows\System32\MDqjUlc.exe
  C:\Windows\System32\MDqjUlc.exe
  2⤵
  PID:12952
- C:\Windows\System32\jQLMoRy.exe
  C:\Windows\System32\jQLMoRy.exe
  2⤵
  PID:12984
- C:\Windows\System32\IUOLwBP.exe
  C:\Windows\System32\IUOLwBP.exe
  2⤵
  PID:13004
- C:\Windows\System32\YkpchGm.exe
  C:\Windows\System32\YkpchGm.exe
  2⤵
  PID:13028
- C:\Windows\System32\RItusye.exe
  C:\Windows\System32\RItusye.exe
  2⤵
  PID:13044
- C:\Windows\System32\lGizQmq.exe
  C:\Windows\System32\lGizQmq.exe
  2⤵
  PID:13064
- C:\Windows\System32\ikQpGyK.exe
  C:\Windows\System32\ikQpGyK.exe
  2⤵
  PID:13088
- C:\Windows\System32\HhqoHKK.exe
  C:\Windows\System32\HhqoHKK.exe
  2⤵
  PID:13120
- C:\Windows\System32\kiqHYaL.exe
  C:\Windows\System32\kiqHYaL.exe
  2⤵
  PID:13176
- C:\Windows\System32\lrjKFtc.exe
  C:\Windows\System32\lrjKFtc.exe
  2⤵
  PID:13196
- C:\Windows\System32\mvPWsRF.exe
  C:\Windows\System32\mvPWsRF.exe
  2⤵
  PID:13216
- C:\Windows\System32\fvhKEyE.exe
  C:\Windows\System32\fvhKEyE.exe
  2⤵
  PID:13244
- C:\Windows\System32\kyKixuT.exe
  C:\Windows\System32\kyKixuT.exe
  2⤵
  PID:13268
- C:\Windows\System32\CfhXCqW.exe
  C:\Windows\System32\CfhXCqW.exe
  2⤵
  PID:13300
- C:\Windows\System32\grNtFnF.exe
  C:\Windows\System32\grNtFnF.exe
  2⤵
  PID:11816
- C:\Windows\System32\xhAhJiP.exe
  C:\Windows\System32\xhAhJiP.exe
  2⤵
  PID:12376
- C:\Windows\System32\fVbIpmT.exe
  C:\Windows\System32\fVbIpmT.exe
  2⤵
  PID:12420
- C:\Windows\System32\XXMTgRb.exe
  C:\Windows\System32\XXMTgRb.exe
  2⤵
  PID:12488
- C:\Windows\System32\QWgIQcD.exe
  C:\Windows\System32\QWgIQcD.exe
  2⤵
  PID:12532
- C:\Windows\System32\UjXlHim.exe
  C:\Windows\System32\UjXlHim.exe
  2⤵
  PID:12576
- C:\Windows\System32\TcsLbIg.exe
  C:\Windows\System32\TcsLbIg.exe
  2⤵
  PID:12680
- C:\Windows\System32\LcpeViS.exe
  C:\Windows\System32\LcpeViS.exe
  2⤵
  PID:12728

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AXjFTXM.exe

Filesize
1.5MB

MD5
b2106136fc918898faadc599a521827c

SHA1
baf40ec35e9c4b7a09629dc48f192476b8fc749c

SHA256
d13be652d7713c638e76211ad0a79fc7a740f42e7a985e8f4a05d4d8f6d9a9ac

SHA512
1add3a2f096eecdc79d856c06f53a8a4952b1ca4c2d874fa3637af7a824ffbddfc1f05c42270962fc49f8e71b57f647efad3141e72136f7b0a5b3046fbfc5c6b

Download Submit
C:\Windows\System32\BAeNDsn.exe

Filesize
1.5MB

MD5
aefdaf237851da1be373029a95ce017a

SHA1
6b88cafc77da0e0cd5cf18c38536a1e48874a604

SHA256
4f5c73a6c024b1b780b84bd099081bb797dfc31d7e8ab607f6c5c3106078488c

SHA512
f7974230c59bab66f3f0ebea519f003123ba54ce975abe629d10def4045e4fbe4ff410390373e4801fe9e23f777566db0cf6725cf3c760d0af7e40f4b8063c2b

Download Submit
C:\Windows\System32\CCYZQmw.exe

Filesize
1.5MB

MD5
5ef2794e8939cbc7d2d31c1bc38a0934

SHA1
7ab8aa46717235f2cfa811d208692ba7334c6e0d

SHA256
e42061011917504f27218fd2ea6795627aa494a100829179ff547e90342865c4

SHA512
9e88b8ec9a6f449ade798cf917160c55ffff1f176550c53ee784dfb6aaf3cc27c4a0e4bf3d11efd0df0a68254103a704d48c1a93e416ed1a747b4cfb76b65102

Download Submit
C:\Windows\System32\CbXmgjj.exe

Filesize
1.5MB

MD5
13ca0560ab237ee36b74feee8400e990

SHA1
013eb6b77817089bc930a1460c66f71b495d9ed8

SHA256
4b750d72fc578f558adf8be0ce72b63aed391ad8e60f3ff36d14ff7ae60997f0

SHA512
971f30083b5d6cb997cb44c9260f87f608411cc3bef74465afe885a04eff42099f2d66355989da66cb1498e6d252f2584c0d39b4b9ed116e086ac88ec0bc012d

Download Submit
C:\Windows\System32\CuDWGjF.exe

Filesize
1.5MB

MD5
3be18c5f8d795b411f3d62e16725cf4e

SHA1
1517cf5a95219c058cd3260be078da95a1becb12

SHA256
e2e6de84226a14fa99a0c799a0d6d121de0c347ea65c2b8f7f4a37a386d6b673

SHA512
077531bbce593dc53547023b605d8f079dea87cfdf3bfb52971761be153de22b2bcf3c251010602454e3bc920126efc604c4e1c031969fb5ea52429e821c5a5d

Download Submit
C:\Windows\System32\DFXiBCR.exe

Filesize
1.5MB

MD5
135623c4ccb850f967a89bd8b2765787

SHA1
2ce4e9983c185062498035dced0265b86bad6326

SHA256
ac4b122b27ea243f83ff265ff32ba76d426c0f725fd8cfd9e97b30a69c704b84

SHA512
bff4f2e6b23ae1659457f15a1ed983faf89b2cf09a52c3e969705851fc63fe96badbf5c4e8f008b4d02cb5f6f48d7867cdd8f005ac1a745a74cc5f7d865e7391

Download Submit
C:\Windows\System32\EEoUqdn.exe

Filesize
1.5MB

MD5
50c25715889e995a481ad95cc6e4c950

SHA1
6f442fd07b345fa2f0bb1c07f05c1b3df7b303df

SHA256
c81668ffe5bbd77eca086689126bbd387f964b5f1d678f7eeb59fd5235ed8399

SHA512
f570040ce72e8069c007087b6810691e6cceb74eb7c238799c0d2b6108c86fbc0e4c865a9956554b7019f12a72a5ef4638cab9d36e4c5ea806d550a01a60f8b2

Download Submit
C:\Windows\System32\EMpxCxf.exe

Filesize
1.5MB

MD5
5af8cc45b35be3e13bebef10a538bc83

SHA1
473b6a280ebca204bc923aba1ec7043ab20e8122

SHA256
8e9dfd77987b24931f97aba52400902770ec51de889ccac29ad97be9902888ab

SHA512
faa86bab98ac9107d6a5aca1e7c447a673033e39f4f6839bca6757582830a91ca4cf57775bcdce88afbf31d7da40dc7f4c6888b2ee3fdb36d089403bf59152d7

Download Submit
C:\Windows\System32\ETBDQnu.exe

Filesize
1.5MB

MD5
8985c3fb2ad99f89415c9fadf5a70816

SHA1
ae959b89cd0aa68368081b5230125394d3a2e862

SHA256
25915f5484d10180e779c49ffd6def52ccb8e7a591d6f52ec481ec34f7ed20be

SHA512
eb251388e9101cc26f0747efdd8ad237f8145d8cdf95a6e1e867e46b3d78811e53b35f10a6214bb79a7b69022eaadf1d9d3bebb7ff0bf3576ac25dc390c89c76

Download Submit
C:\Windows\System32\EUdgbTn.exe

Filesize
1.5MB

MD5
3e80a7e9eb5ff846eef1b5f67c6fc711

SHA1
ea27450d059e208e0895bf0bfb52cb9b49076cc4

SHA256
0d2c3ff1c3112017af2ffb8c6c984d32d006cd1212cd70bbb7f91d5c9cc858cd

SHA512
f4620d2ad42110695648dfb5f25dd9c79cce0f4442e534da6598f69a9b0d37c71da446f612beededb97f4159c527331050a97bcc2b9d21141fb7c92f0411c5bf

Download Submit
C:\Windows\System32\FpXvnTJ.exe

Filesize
1.5MB

MD5
bf52cea3bf7268983685771e2ad0c906

SHA1
85657be6f05a8b65dea7534a468bf998048ede61

SHA256
b27e3e43f736a2509315f9467b6cc1043c3b20276a08c969018bb151bb27083e

SHA512
a2e9f6619f1d9b0185dd529c00d2d0ae2549709be6d51a25720a3ce6459de1f8bf58e80bc849149ed1c972d07aaa00ea1ad6128ebf4f789e9811f99fa30a4874

Download Submit
C:\Windows\System32\IAoneri.exe

Filesize
1.5MB

MD5
1af50a62418198d76cc0a60c21e52a3f

SHA1
fde249640401a2daea9f0a78b5c48ac81ecddee6

SHA256
f9c1e60324964c53bc9a2560ce0980880be0f928bd63aa0d9401805ba3d125bf

SHA512
b8432ef2d3dd60c2bb7aadb28b672a85df6322310ed6a4d9f38f4dda4f313233692da61b1d6152c4437972d52f4167823cd728a5d2c2174da41d938b6b787fc8

Download Submit
C:\Windows\System32\IEEqbHi.exe

Filesize
1.5MB

MD5
69771a13d4a25e3f8d8cb41de70a8ad7

SHA1
7a5793e75936489def0f95609ce673a3da8ad159

SHA256
688aca814849d2a40b6a708b2a54b978cd9446d4e0948d41678d8189333a3f65

SHA512
0a110c7614bee444cd12eb82995c3e3fc10f7f1469aec55c6a2fb8c79d1b7a323d75ebeee002b7ca95ffc2d9f98e4d7ea464941ed9a64de093e8d886137f0c1f

Download Submit
C:\Windows\System32\KZLbmDU.exe

Filesize
1.5MB

MD5
ce8ac1e7d0abb17faac514d47516b92f

SHA1
a75aa20cfda775bd1530604be56dc539d00b5889

SHA256
5267d8810553853801d88dbde74acc5be0647676c994fe7e1b9e9b86cb43238c

SHA512
32121b9295258dd2d2f165d4c115427460fd402d3bcc31df17c8b03b61836d2cbc7056cbf71374edab169fc785eb24889fa5599cb951363d43deff3b27aef2f8

Download Submit
C:\Windows\System32\LHtYUaZ.exe

Filesize
1.5MB

MD5
0da112b4cdac780f080bf9ead3425843

SHA1
afae88cd23863a66cdcfe574853d660a23f465f8

SHA256
87953a6fcae2ff5cec362f1e151fd707d800c471963a22116aa2826336239751

SHA512
03f22b1a512d134cf216b80091d52f8e80cd43a39453858c24b65d02005bba47c5e40992e66e0b3eda75c2aee03c81dc408ea5bc696c69cd20eb537590ed89ae

Download Submit
C:\Windows\System32\OzAXKCV.exe

Filesize
1.5MB

MD5
a182dda6f2eabc51dd8cbb98d3f921e8

SHA1
9fb29cc315191c7a94b9330e04c858635831bb33

SHA256
36c51dfdf6c1f9e8cd130938b3fc03ba22e3ace0f727fb0fe2cec2e185fe306b

SHA512
2a31d23c20c359bfe33323ca97b08b33e70d8005d5ae9d86f2c2c095f021513795997f6b99ac2a36bd49ee1513a4c79d8e116116bd17d1c76ff2bc7d2a32b59d

Download Submit
C:\Windows\System32\QYqxmBt.exe

Filesize
1.5MB

MD5
207807053d95ff4ac84155c4212795e9

SHA1
a0bc1214de6557f6f319b7ae2d80ed44b19a7872

SHA256
819053ebb515c4d8b8893620309bdf19950491eeb3fc452145b5e9e7c7c42759

SHA512
f613173184fb7cae29d90e0d391d870f5db23b1e4f1db311925da51365e1586443d6372cbb2db419769a831de3f0d4d59c04052d2ae02b6e5ab2644b2143bf1d

Download Submit
C:\Windows\System32\TGfqpao.exe

Filesize
1.5MB

MD5
322e582eb52316892c2748341e081c3f

SHA1
672e22a941cf8bfb61ebd84485830a914ba9ea02

SHA256
262a91a7a346a52b2c874ebd826f17afc04f31cd333e817826f2de1ca9e7f50a

SHA512
3b45f7c52e23d0c9309d49db2f8ea491bdaa5acf3c41fd00323cc854073416e48f7f320b54bd847fb875608f6479cf55abcf8873b468c1533365ad0f234ceb5d

Download Submit
C:\Windows\System32\VdwVNOJ.exe

Filesize
1.5MB

MD5
f089008b6506be6c06496b65ec5a8674

SHA1
bfb988567a88ed987585913d998414cd9e41202e

SHA256
d031f1d882bcd4ceb0fce8a6c56774cb0e578f5c1ed93b873df423eabb0503a3

SHA512
a515a36f7377982b3baf281b7e65ade42716ae93db6a805cf16c8fde9b32f81b3863b494fb422f1d2629901c0325c2d5303c80550ba66835c2c815f0c917e47a

Download Submit
C:\Windows\System32\XYCRkFI.exe

Filesize
1.5MB

MD5
cd65c6c8e0ab0ddbd9dc12155600a459

SHA1
7042c7be828cdbb55d47f0500567c3767e5709d8

SHA256
abe1822e7967b607065dcd29e9aacb9e956ea9ba019051136e46f68dbdfd5b4e

SHA512
1e601833c2c2958f3b52baccd0a95e41a7dd15843992b4f14a427eeaa0c51f0428d4df2b94e8876210696d2fc16525e2fda99e800f5980147e379595f4d6cfe4

Download Submit
C:\Windows\System32\XbMOBGR.exe

Filesize
1.5MB

MD5
b739b6b354161f9b8d56b5b090dda8f6

SHA1
be983e1ab9e2a258935641f73367369e644feea0

SHA256
ed021f60b4d2924b595c88e869ac9574c6d8f0b5bc0a660341b14a05c6fac175

SHA512
f3979bc4d716699f71dc8385218b80c52b21d6a32b1a6e884ec196177c87511de5de5171255fc3270a1d9d1f4a013adad1ba53f5f17a27c787cfadc9c8b8732d

Download Submit
C:\Windows\System32\aBsdVOC.exe

Filesize
1.5MB

MD5
c2f43d18f1ef923746a276b1e5c9b905

SHA1
ba185cea62d9920668e462c21f77f5933d6cce38

SHA256
8caf2455a27e37d7862970a5e333f60ee612a1ad5b2bc2ac5e433d13900aa317

SHA512
8ccabb0edb20999bcf53de8a3037bd1b9da3cefeba8fa4db474ce376cefc6c8cf2568e21248d859795189cf7de51bf19ed331633b6f44c3a08811ff1932c6f47

Download Submit
C:\Windows\System32\baVmEds.exe

Filesize
1.5MB

MD5
991572db1d8e8a2fd9f7ec9e842640cd

SHA1
14df794989e8cf6028c2c4e6074ceb37b6cd72a8

SHA256
521766826286b8484da173827d8c39266e308e09cfb90d9e6a1881016a192c94

SHA512
e0f913270f92bc563e3785ad98163baa2f198850e3a7510b0526e16af30edb123d34f3eea542e1f9012a67fabeb729f27a8ee6beb2e4a7c2f6d142450df359ac

Download Submit
C:\Windows\System32\gEMEAsd.exe

Filesize
1.5MB

MD5
4f1d7beb15548e221425ac0c44eb693a

SHA1
22d598528ecf76cff38e97eb3100c1318319d90f

SHA256
7963bc265c4d51a8fc166960ea9e76edbb983ec646d9beae77e8825ea5619799

SHA512
97ab7b56aee8d261a839f5d14592645ea6bd756c0bd0a174f4961c77e090addec252052aaf2a7ade5ff3966b17f9e39b675c4aa4ec1f680c89f77064dc1d43a0

Download Submit
C:\Windows\System32\kRHwVnF.exe

Filesize
1.5MB

MD5
7d08df656574fa4a3daf2305c6231c8c

SHA1
29adaf987ed827ed71f94c9e69752f4cec6619fe

SHA256
e4f860972027c1481835d23ea60602756b81b6d81731fb566386528ced950edf

SHA512
68f1a9a746001aa29723ee450c91465280801eab48e5484e52b6facff89ca757f90f1e55998b7793e7f7de5250639cecbd563a5d2961023c037202dc71faf914

Download Submit
C:\Windows\System32\mNtZWSt.exe

Filesize
1.5MB

MD5
40b8bbf80bca0596eeb5afd8aff6a614

SHA1
4e30a81521d18bf88c3c7ea1d8589e5db3e50418

SHA256
3910d2e6c7ff10e6cfa40be5e1a64421f4677ab2b6fe0bcc7b580036a2da9610

SHA512
7b6ab41e8a146f5a461dabbd62c9167433397cd32e2d235e2f703c0d5096a9e798acc7b956a659011f160cb231a42460ef6b37b708087e50761d9f51732c1ec9

Download Submit
C:\Windows\System32\mqPHufn.exe

Filesize
1.5MB

MD5
282fa7f1890b9926d3f2c648db610516

SHA1
64e0444f2f00f72b029200378f7976dfdd02a73f

SHA256
a104252fab7910bedac102e890b95bd4d50bc0ed87325e0aaf69643205a01b80

SHA512
94517475d5dda1430f1e5cb6cf9497eadb7c6d07eddc05888628f5aa46d37c2abd33a80b0484e70a25c623bfe693ccb09853265ab7c1624f73ee7dee085177c2

Download Submit
C:\Windows\System32\nAOuSIT.exe

Filesize
1.5MB

MD5
5a76b42422189b8f8f0014ce50f46c44

SHA1
106f94bc3cff0dc40b2b605d4e48f57ca3eee026

SHA256
8f91805849f1150b4caa311eac44678b254d38f80d6b5d4d505bf7b545c86a8c

SHA512
371bd7a4053101db07f72be07d0ae899751fcda009c19bca61a007dc1738c6d35d5cbabf6853db94ab07ec1c9ad34a5721252e1b51c3a2912227ec92fd6ae876

Download Submit
C:\Windows\System32\ohtUCMI.exe

Filesize
1.5MB

MD5
d2715a52d2dfa2ca14e5e9e32e705076

SHA1
1e66287013e2a587c52e5c65d7144798422b7e4b

SHA256
5e91df28a4ff4174e188406724018b5b0d1b0eb6b118446309cc2c9959b2b819

SHA512
90f7cefa76228130cbcb618f5e31864d8c6d7eac03fdb985d55e2dbf2e5ae864e733128986c2fed4718358b55a83cd2bf30f809e208180067ff71d2755377d1d

Download Submit
C:\Windows\System32\rZpPhSa.exe

Filesize
1.5MB

MD5
972bbcc2732b9f7c2655e66dac65441a

SHA1
78f433394bb0714664e7dd3dce00e3f6a0ccee97

SHA256
c13b2feec7d39d61b843cd974504c3f2da629364fb2ef4d99e630922c6016ad0

SHA512
6ab68d8ece3bdcae2fd4a48a0d79fb0153e1acb77f0310f9f3975fd148fe9cf7328658273ce4f5daaba69181ffafc6de1b48ab988bb455e5ab9505d36902b657

Download Submit
C:\Windows\System32\sbcIeWS.exe

Filesize
1.5MB

MD5
23ec23463851cb0af77ff14c5c36cb09

SHA1
ca6e0522374f1e31d3ff4ea57b11a2c427927950

SHA256
45a0169670dabb666e045cc7c0755132bcf31a26264e6e7e1e48ea201a33276c

SHA512
139f264cb6f22db5de810864d21ef493be17200e1088c493c96ab44fab4a9bb9ef45bf35a93d662dcedea83016a5c2e783864b3ca91150a943eedf9ac46d94fe

Download Submit
C:\Windows\System32\tFhPySa.exe

Filesize
1.5MB

MD5
817b41c952071da1ebc7cd38ed1d4768

SHA1
84f0063e8289e7c8220246f0177166a0fd4acf43

SHA256
c25dd994dc3b92e6cfda61dfa68c0300ac4816e7b78e8842da5e81668bf5dae9

SHA512
faf94706d9a2513ebe52f8869bd2f76ebacf90e49de933b8cb4bd2f68491bee6bbaab6b6fd48226fe053e51104654e7135bc1bcc1c63393c0bb298e6b795b274

Download Submit
C:\Windows\System32\xNozIma.exe

Filesize
1.5MB

MD5
00f0fc7b5bb082e789703b0f5a00b441

SHA1
3665a604de60f089d43a6cc74e3a153d2a0cdc8d

SHA256
45079c7a205474d30509ac7d691b7a6518fc1931053ce7e972c408c6cd2a8962

SHA512
ec6d961003da9076c0f18737701f5ac24ed25adcf0b8238263adeefee265b5c2fd1cc6c450b21a4015c1d4a65fbb671e767288b13d2eca499d38b0719be5d19f

Download Submit
memory/216-514-0x00007FF695B80000-0x00007FF695F71000-memory.dmp

Filesize
3.9MB

Download
memory/216-1997-0x00007FF695B80000-0x00007FF695F71000-memory.dmp

Filesize
3.9MB

Download
memory/216-2035-0x00007FF695B80000-0x00007FF695F71000-memory.dmp

Filesize
3.9MB

Download
memory/264-33-0x00007FF629380000-0x00007FF629771000-memory.dmp

Filesize
3.9MB

Download
memory/264-1996-0x00007FF629380000-0x00007FF629771000-memory.dmp

Filesize
3.9MB

Download
memory/264-2037-0x00007FF629380000-0x00007FF629771000-memory.dmp

Filesize
3.9MB

Download
memory/548-551-0x00007FF756210000-0x00007FF756601000-memory.dmp

Filesize
3.9MB

Download
memory/548-2047-0x00007FF756210000-0x00007FF756601000-memory.dmp

Filesize
3.9MB

Download
memory/768-556-0x00007FF671500000-0x00007FF6718F1000-memory.dmp

Filesize
3.9MB

Download
memory/768-2059-0x00007FF671500000-0x00007FF6718F1000-memory.dmp

Filesize
3.9MB

Download
memory/1160-574-0x00007FF799690000-0x00007FF799A81000-memory.dmp

Filesize
3.9MB

Download
memory/1160-2069-0x00007FF799690000-0x00007FF799A81000-memory.dmp

Filesize
3.9MB

Download
memory/1216-569-0x00007FF73B120000-0x00007FF73B511000-memory.dmp

Filesize
3.9MB

Download
memory/1216-2065-0x00007FF73B120000-0x00007FF73B511000-memory.dmp

Filesize
3.9MB

Download
memory/1460-526-0x00007FF6C1830000-0x00007FF6C1C21000-memory.dmp

Filesize
3.9MB

Download
memory/1460-2051-0x00007FF6C1830000-0x00007FF6C1C21000-memory.dmp

Filesize
3.9MB

Download
memory/1668-547-0x00007FF6308B0000-0x00007FF630CA1000-memory.dmp

Filesize
3.9MB

Download
memory/1668-2049-0x00007FF6308B0000-0x00007FF630CA1000-memory.dmp

Filesize
3.9MB

Download
memory/2076-2067-0x00007FF6F8860000-0x00007FF6F8C51000-memory.dmp

Filesize
3.9MB

Download
memory/2076-570-0x00007FF6F8860000-0x00007FF6F8C51000-memory.dmp

Filesize
3.9MB

Download
memory/2592-539-0x00007FF7DE890000-0x00007FF7DEC81000-memory.dmp

Filesize
3.9MB

Download
memory/2592-2055-0x00007FF7DE890000-0x00007FF7DEC81000-memory.dmp

Filesize
3.9MB

Download
memory/2736-554-0x00007FF7033F0000-0x00007FF7037E1000-memory.dmp

Filesize
3.9MB

Download
memory/2736-2057-0x00007FF7033F0000-0x00007FF7037E1000-memory.dmp

Filesize
3.9MB

Download
memory/2836-2053-0x00007FF7B23A0000-0x00007FF7B2791000-memory.dmp

Filesize
3.9MB

Download
memory/2836-534-0x00007FF7B23A0000-0x00007FF7B2791000-memory.dmp

Filesize
3.9MB

Download
memory/3036-2071-0x00007FF654AC0000-0x00007FF654EB1000-memory.dmp

Filesize
3.9MB

Download
memory/3036-583-0x00007FF654AC0000-0x00007FF654EB1000-memory.dmp

Filesize
3.9MB

Download
memory/3140-2041-0x00007FF7E8360000-0x00007FF7E8751000-memory.dmp

Filesize
3.9MB

Download
memory/3140-588-0x00007FF7E8360000-0x00007FF7E8751000-memory.dmp

Filesize
3.9MB

Download
memory/3492-2043-0x00007FF7C7010000-0x00007FF7C7401000-memory.dmp

Filesize
3.9MB

Download
memory/3492-520-0x00007FF7C7010000-0x00007FF7C7401000-memory.dmp

Filesize
3.9MB

Download
memory/3656-2073-0x00007FF66DE50000-0x00007FF66E241000-memory.dmp

Filesize
3.9MB

Download
memory/3656-577-0x00007FF66DE50000-0x00007FF66E241000-memory.dmp

Filesize
3.9MB

Download
memory/3884-585-0x00007FF7DC5C0000-0x00007FF7DC9B1000-memory.dmp

Filesize
3.9MB

Download
memory/3884-2063-0x00007FF7DC5C0000-0x00007FF7DC9B1000-memory.dmp

Filesize
3.9MB

Download
memory/4144-12-0x00007FF652F70000-0x00007FF653361000-memory.dmp

Filesize
3.9MB

Download
memory/4144-2031-0x00007FF652F70000-0x00007FF653361000-memory.dmp

Filesize
3.9MB

Download
memory/4280-2061-0x00007FF70D370000-0x00007FF70D761000-memory.dmp

Filesize
3.9MB

Download
memory/4280-564-0x00007FF70D370000-0x00007FF70D761000-memory.dmp

Filesize
3.9MB

Download
memory/4292-2033-0x00007FF734730000-0x00007FF734B21000-memory.dmp

Filesize
3.9MB

Download
memory/4292-2000-0x00007FF734730000-0x00007FF734B21000-memory.dmp

Filesize
3.9MB

Download
memory/4292-22-0x00007FF734730000-0x00007FF734B21000-memory.dmp

Filesize
3.9MB

Download
memory/4496-576-0x00007FF7B6250000-0x00007FF7B6641000-memory.dmp

Filesize
3.9MB

Download
memory/4496-2075-0x00007FF7B6250000-0x00007FF7B6641000-memory.dmp

Filesize
3.9MB

Download
memory/4516-1-0x000001D6C6B80000-0x000001D6C6B90000-memory.dmp

Filesize
64KB

Download
memory/4516-1994-0x00007FF70C580000-0x00007FF70C971000-memory.dmp

Filesize
3.9MB

Download
memory/4516-0-0x00007FF70C580000-0x00007FF70C971000-memory.dmp

Filesize
3.9MB

Download
memory/4528-1995-0x00007FF742790000-0x00007FF742B81000-memory.dmp

Filesize
3.9MB

Download
memory/4528-18-0x00007FF742790000-0x00007FF742B81000-memory.dmp

Filesize
3.9MB

Download
memory/4528-2039-0x00007FF742790000-0x00007FF742B81000-memory.dmp

Filesize
3.9MB

Download
memory/4788-590-0x00007FF6DC1F0000-0x00007FF6DC5E1000-memory.dmp

Filesize
3.9MB

Download
memory/4788-2045-0x00007FF6DC1F0000-0x00007FF6DC5E1000-memory.dmp

Filesize
3.9MB

Download
memory/5040-586-0x00007FF7F1E80000-0x00007FF7F2271000-memory.dmp

Filesize
3.9MB

Download
memory/5040-2077-0x00007FF7F1E80000-0x00007FF7F2271000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads