xmrig | 98413691ba20dcc5f5668a0c312a2b44bf1e1d2a1a40e70aa7119510edf22a94

Analysis

max time kernel
106s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59747c66dab136dd5dcaaee00d848480N.exe
Size

1.8MB
MD5

59747c66dab136dd5dcaaee00d848480
SHA1

87b2bb3580e250ba3dbb4391c98d33af2851409b
SHA256

98413691ba20dcc5f5668a0c312a2b44bf1e1d2a1a40e70aa7119510edf22a94
SHA512

ac3c1934f10e2eb28f8298762cba04e345412b59372b1fada5ae210c4c0949583a5e797037a611424d2979ccb97dca55eda88db2c580e4e99dfb21a1302b4c5f
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlOZ9ZReBCs1VcvGYcgo04aG2c/+8Xg0FWdXGFSfWE/:knw9oUUEEDlOlR1dqgPgKtuq

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/3356-26-0x00007FF68F6E0000-0x00007FF68FAD1000-memory.dmp	xmrig
behavioral2/memory/3884-11-0x00007FF76F320000-0x00007FF76F711000-memory.dmp	xmrig
behavioral2/memory/868-51-0x00007FF764090000-0x00007FF764481000-memory.dmp	xmrig
behavioral2/memory/456-447-0x00007FF6F8540000-0x00007FF6F8931000-memory.dmp	xmrig
behavioral2/memory/396-71-0x00007FF6709C0000-0x00007FF670DB1000-memory.dmp	xmrig
behavioral2/memory/4936-68-0x00007FF6E3E30000-0x00007FF6E4221000-memory.dmp	xmrig
behavioral2/memory/4856-66-0x00007FF65C430000-0x00007FF65C821000-memory.dmp	xmrig
behavioral2/memory/1516-64-0x00007FF6BCA70000-0x00007FF6BCE61000-memory.dmp	xmrig
behavioral2/memory/2052-448-0x00007FF668F80000-0x00007FF669371000-memory.dmp	xmrig
behavioral2/memory/4048-450-0x00007FF7ACBD0000-0x00007FF7ACFC1000-memory.dmp	xmrig
behavioral2/memory/3812-451-0x00007FF6DEDE0000-0x00007FF6DF1D1000-memory.dmp	xmrig
behavioral2/memory/2216-449-0x00007FF707800000-0x00007FF707BF1000-memory.dmp	xmrig
behavioral2/memory/3408-454-0x00007FF6BB7C0000-0x00007FF6BBBB1000-memory.dmp	xmrig
behavioral2/memory/1460-456-0x00007FF63CD50000-0x00007FF63D141000-memory.dmp	xmrig
behavioral2/memory/1084-460-0x00007FF72B600000-0x00007FF72B9F1000-memory.dmp	xmrig
behavioral2/memory/4728-466-0x00007FF6C6F30000-0x00007FF6C7321000-memory.dmp	xmrig
behavioral2/memory/4556-469-0x00007FF653400000-0x00007FF6537F1000-memory.dmp	xmrig
behavioral2/memory/2360-473-0x00007FF6FA9F0000-0x00007FF6FADE1000-memory.dmp	xmrig
behavioral2/memory/3900-478-0x00007FF7D85D0000-0x00007FF7D89C1000-memory.dmp	xmrig
behavioral2/memory/3884-1064-0x00007FF76F320000-0x00007FF76F711000-memory.dmp	xmrig
behavioral2/memory/2716-1062-0x00007FF78EF00000-0x00007FF78F2F1000-memory.dmp	xmrig
behavioral2/memory/1916-1996-0x00007FF707270000-0x00007FF707661000-memory.dmp	xmrig
behavioral2/memory/216-1997-0x00007FF79C530000-0x00007FF79C921000-memory.dmp	xmrig
behavioral2/memory/1516-1998-0x00007FF6BCA70000-0x00007FF6BCE61000-memory.dmp	xmrig
behavioral2/memory/2672-2030-0x00007FF641D50000-0x00007FF642141000-memory.dmp	xmrig
behavioral2/memory/2716-2032-0x00007FF78EF00000-0x00007FF78F2F1000-memory.dmp	xmrig
behavioral2/memory/3884-2037-0x00007FF76F320000-0x00007FF76F711000-memory.dmp	xmrig
behavioral2/memory/3016-2039-0x00007FF634E00000-0x00007FF6351F1000-memory.dmp	xmrig
behavioral2/memory/3036-2043-0x00007FF695C80000-0x00007FF696071000-memory.dmp	xmrig
behavioral2/memory/3356-2042-0x00007FF68F6E0000-0x00007FF68FAD1000-memory.dmp	xmrig
behavioral2/memory/216-2047-0x00007FF79C530000-0x00007FF79C921000-memory.dmp	xmrig
behavioral2/memory/4936-2051-0x00007FF6E3E30000-0x00007FF6E4221000-memory.dmp	xmrig
behavioral2/memory/868-2049-0x00007FF764090000-0x00007FF764481000-memory.dmp	xmrig
behavioral2/memory/1916-2045-0x00007FF707270000-0x00007FF707661000-memory.dmp	xmrig
behavioral2/memory/1516-2053-0x00007FF6BCA70000-0x00007FF6BCE61000-memory.dmp	xmrig
behavioral2/memory/4856-2057-0x00007FF65C430000-0x00007FF65C821000-memory.dmp	xmrig
behavioral2/memory/396-2055-0x00007FF6709C0000-0x00007FF670DB1000-memory.dmp	xmrig
behavioral2/memory/456-2062-0x00007FF6F8540000-0x00007FF6F8931000-memory.dmp	xmrig
behavioral2/memory/1084-2088-0x00007FF72B600000-0x00007FF72B9F1000-memory.dmp	xmrig
behavioral2/memory/4556-2084-0x00007FF653400000-0x00007FF6537F1000-memory.dmp	xmrig
behavioral2/memory/2360-2082-0x00007FF6FA9F0000-0x00007FF6FADE1000-memory.dmp	xmrig
behavioral2/memory/3900-2064-0x00007FF7D85D0000-0x00007FF7D89C1000-memory.dmp	xmrig
behavioral2/memory/4728-2086-0x00007FF6C6F30000-0x00007FF6C7321000-memory.dmp	xmrig
behavioral2/memory/1460-2080-0x00007FF63CD50000-0x00007FF63D141000-memory.dmp	xmrig
behavioral2/memory/3408-2078-0x00007FF6BB7C0000-0x00007FF6BBBB1000-memory.dmp	xmrig
behavioral2/memory/3812-2074-0x00007FF6DEDE0000-0x00007FF6DF1D1000-memory.dmp	xmrig
behavioral2/memory/2052-2072-0x00007FF668F80000-0x00007FF669371000-memory.dmp	xmrig
behavioral2/memory/4048-2069-0x00007FF7ACBD0000-0x00007FF7ACFC1000-memory.dmp	xmrig
behavioral2/memory/2216-2067-0x00007FF707800000-0x00007FF707BF1000-memory.dmp	xmrig
behavioral2/memory/2672-2059-0x00007FF641D50000-0x00007FF642141000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3884	jUXmEiq.exe
3016	OEMlJcW.exe
3036	dOXvDLl.exe
3356	xOvlsYx.exe
1916	vpramml.exe
216	Gyvkloy.exe
868	VDNevJJ.exe
4936	TCrssJA.exe
1516	LYhlPkU.exe
396	MACFIFj.exe
4856	aDXfbfi.exe
2672	loqKerK.exe
456	pvpMomg.exe
2052	MSyqKmU.exe
2216	NNKGOHt.exe
4048	eqUSNrb.exe
3812	scTpejc.exe
3408	ZNwFWYF.exe
1460	UtNwYhR.exe
1084	wDmEbjJ.exe
4728	LIvIYZE.exe
4556	kMMdzXq.exe
2360	OYytCXH.exe
3900	YVCnHhv.exe
4148	SnXdGlH.exe
1652	cWHXtZD.exe
3100	DkwffEH.exe
4828	ijoKDvC.exe
2988	KsqOsYL.exe
3564	aNRqDoh.exe
900	cDhDVgn.exe
1424	UKQeoiC.exe
3852	eoAgwhu.exe
2860	riEYjRW.exe
3420	eArbToe.exe
3836	cjOjRZe.exe
1196	PYFcaar.exe
3768	mZBYoCt.exe
2024	ulfNyaD.exe
3448	SzbIbUJ.exe
5040	PWBamEk.exe
3868	ksHYiFm.exe
4428	kLJZjAR.exe
1356	lbWWIjV.exe
3400	jzBjhoA.exe
3516	bucYgVd.exe
2732	ZwnEIFL.exe
4388	LNcYOuW.exe
1540	UExDswH.exe
1992	UCkGuDO.exe
4480	rOCfnCO.exe
1128	xZPcPUL.exe
2948	fxFfjnB.exe
4804	lTTNTgY.exe
3944	qPJrAUY.exe
3988	zQTzyCl.exe
2416	FMCFjbu.exe
2668	mGvZmpb.exe
3352	DdGaWtc.exe
2704	cEJposl.exe
1612	SydXbVI.exe
4456	lFWKBmU.exe
1248	dCXiAUc.exe
3692	fIVxZXT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2716-0-0x00007FF78EF00000-0x00007FF78F2F1000-memory.dmp	upx
behavioral2/files/0x0009000000023476-4.dat	upx
behavioral2/files/0x00070000000234d3-8.dat	upx
behavioral2/memory/3016-12-0x00007FF634E00000-0x00007FF6351F1000-memory.dmp	upx
behavioral2/files/0x00070000000234d2-16.dat	upx
behavioral2/files/0x00070000000234d4-23.dat	upx
behavioral2/memory/3356-26-0x00007FF68F6E0000-0x00007FF68FAD1000-memory.dmp	upx
behavioral2/memory/3036-18-0x00007FF695C80000-0x00007FF696071000-memory.dmp	upx
behavioral2/memory/3884-11-0x00007FF76F320000-0x00007FF76F711000-memory.dmp	upx
behavioral2/files/0x00070000000234d5-28.dat	upx
behavioral2/files/0x00070000000234d6-35.dat	upx
behavioral2/memory/1916-34-0x00007FF707270000-0x00007FF707661000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-39.dat	upx
behavioral2/files/0x00070000000234d8-46.dat	upx
behavioral2/files/0x00080000000234cf-48.dat	upx
behavioral2/memory/868-51-0x00007FF764090000-0x00007FF764481000-memory.dmp	upx
behavioral2/files/0x00070000000234da-59.dat	upx
behavioral2/files/0x00070000000234d9-55.dat	upx
behavioral2/memory/216-50-0x00007FF79C530000-0x00007FF79C921000-memory.dmp	upx
behavioral2/files/0x00070000000234ef-173.dat	upx
behavioral2/files/0x00070000000234ee-168.dat	upx
behavioral2/memory/456-447-0x00007FF6F8540000-0x00007FF6F8931000-memory.dmp	upx
behavioral2/files/0x00070000000234ed-163.dat	upx
behavioral2/files/0x00070000000234ec-158.dat	upx
behavioral2/files/0x00070000000234eb-153.dat	upx
behavioral2/files/0x00070000000234ea-148.dat	upx
behavioral2/files/0x00070000000234e9-143.dat	upx
behavioral2/files/0x00070000000234e8-138.dat	upx
behavioral2/files/0x00070000000234e7-133.dat	upx
behavioral2/files/0x00070000000234e6-128.dat	upx
behavioral2/files/0x00070000000234e5-123.dat	upx
behavioral2/files/0x00070000000234e4-118.dat	upx
behavioral2/files/0x00070000000234e3-113.dat	upx
behavioral2/files/0x00070000000234e2-108.dat	upx
behavioral2/files/0x00070000000234e1-103.dat	upx
behavioral2/files/0x00070000000234e0-98.dat	upx
behavioral2/files/0x00070000000234df-93.dat	upx
behavioral2/files/0x00070000000234de-88.dat	upx
behavioral2/files/0x00070000000234dd-83.dat	upx
behavioral2/files/0x00070000000234dc-78.dat	upx
behavioral2/files/0x00070000000234db-76.dat	upx
behavioral2/memory/2672-72-0x00007FF641D50000-0x00007FF642141000-memory.dmp	upx
behavioral2/memory/396-71-0x00007FF6709C0000-0x00007FF670DB1000-memory.dmp	upx
behavioral2/memory/4936-68-0x00007FF6E3E30000-0x00007FF6E4221000-memory.dmp	upx
behavioral2/memory/4856-66-0x00007FF65C430000-0x00007FF65C821000-memory.dmp	upx
behavioral2/memory/1516-64-0x00007FF6BCA70000-0x00007FF6BCE61000-memory.dmp	upx
behavioral2/memory/2052-448-0x00007FF668F80000-0x00007FF669371000-memory.dmp	upx
behavioral2/memory/4048-450-0x00007FF7ACBD0000-0x00007FF7ACFC1000-memory.dmp	upx
behavioral2/memory/3812-451-0x00007FF6DEDE0000-0x00007FF6DF1D1000-memory.dmp	upx
behavioral2/memory/2216-449-0x00007FF707800000-0x00007FF707BF1000-memory.dmp	upx
behavioral2/memory/3408-454-0x00007FF6BB7C0000-0x00007FF6BBBB1000-memory.dmp	upx
behavioral2/memory/1460-456-0x00007FF63CD50000-0x00007FF63D141000-memory.dmp	upx
behavioral2/memory/1084-460-0x00007FF72B600000-0x00007FF72B9F1000-memory.dmp	upx
behavioral2/memory/4728-466-0x00007FF6C6F30000-0x00007FF6C7321000-memory.dmp	upx
behavioral2/memory/4556-469-0x00007FF653400000-0x00007FF6537F1000-memory.dmp	upx
behavioral2/memory/2360-473-0x00007FF6FA9F0000-0x00007FF6FADE1000-memory.dmp	upx
behavioral2/memory/3900-478-0x00007FF7D85D0000-0x00007FF7D89C1000-memory.dmp	upx
behavioral2/memory/3884-1064-0x00007FF76F320000-0x00007FF76F711000-memory.dmp	upx
behavioral2/memory/2716-1062-0x00007FF78EF00000-0x00007FF78F2F1000-memory.dmp	upx
behavioral2/memory/1916-1996-0x00007FF707270000-0x00007FF707661000-memory.dmp	upx
behavioral2/memory/216-1997-0x00007FF79C530000-0x00007FF79C921000-memory.dmp	upx
behavioral2/memory/1516-1998-0x00007FF6BCA70000-0x00007FF6BCE61000-memory.dmp	upx
behavioral2/memory/2672-2030-0x00007FF641D50000-0x00007FF642141000-memory.dmp	upx
behavioral2/memory/2716-2032-0x00007FF78EF00000-0x00007FF78F2F1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\jzBjhoA.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\RcKHuSM.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\NfSAdoQ.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\TzYOgsX.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\sgznXht.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\NolNMmV.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\xplVdxT.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\WbdwIrz.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\hcOLraL.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\VURiwxc.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\nGIkIFv.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\prOaMPd.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\lKgxtQS.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\dnzYhgB.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\nMlNTdi.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\aWkSKos.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\Grnffzs.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\EDxwhtr.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\qFdJAuN.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\SoZjgWG.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\fxFfjnB.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\thdgKJK.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\nyddnMi.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\vRGbVrN.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\QKGFRzf.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\FMCFjbu.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\rBZeKXQ.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\tAJaWHn.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\XrOtbEu.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\TfDKwiq.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\FfzASMf.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\fIVxZXT.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\scTpejc.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\zMSejMH.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\ItkxZhY.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\lKwCJCE.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\GrAgOGM.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\EzNhNJs.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\ntEffrA.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\QVOIktA.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\BtunvqZ.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\Gyvkloy.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\HGsCkoM.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\NHtNece.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\jIHCImG.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\vcAGJpy.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\DdGaWtc.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\MyodIlq.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\bClLZDC.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\MXLNgbb.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\pMMrzXx.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\RCiiwNu.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\GRJxPPi.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\FaMdgpY.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\NNKGOHt.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\cWHXtZD.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\eoAgwhu.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\TFBdydX.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\gWBNipC.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\IXnXAlr.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\vCbwGmr.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\gplmfWJ.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\UYePJvJ.exe	59747c66dab136dd5dcaaee00d848480N.exe
File created	C:\Windows\System32\ldzZnyJ.exe	59747c66dab136dd5dcaaee00d848480N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12900	dwm.exe
Token: SeChangeNotifyPrivilege	12900	dwm.exe
Token: 33	12900	dwm.exe
Token: SeIncBasePriorityPrivilege	12900	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3884	2716	59747c66dab136dd5dcaaee00d848480N.exe	85
PID 2716 wrote to memory of 3884	2716	59747c66dab136dd5dcaaee00d848480N.exe	85
PID 2716 wrote to memory of 3016	2716	59747c66dab136dd5dcaaee00d848480N.exe	86
PID 2716 wrote to memory of 3016	2716	59747c66dab136dd5dcaaee00d848480N.exe	86
PID 2716 wrote to memory of 3036	2716	59747c66dab136dd5dcaaee00d848480N.exe	87
PID 2716 wrote to memory of 3036	2716	59747c66dab136dd5dcaaee00d848480N.exe	87
PID 2716 wrote to memory of 3356	2716	59747c66dab136dd5dcaaee00d848480N.exe	88
PID 2716 wrote to memory of 3356	2716	59747c66dab136dd5dcaaee00d848480N.exe	88
PID 2716 wrote to memory of 1916	2716	59747c66dab136dd5dcaaee00d848480N.exe	89
PID 2716 wrote to memory of 1916	2716	59747c66dab136dd5dcaaee00d848480N.exe	89
PID 2716 wrote to memory of 216	2716	59747c66dab136dd5dcaaee00d848480N.exe	90
PID 2716 wrote to memory of 216	2716	59747c66dab136dd5dcaaee00d848480N.exe	90
PID 2716 wrote to memory of 4936	2716	59747c66dab136dd5dcaaee00d848480N.exe	91
PID 2716 wrote to memory of 4936	2716	59747c66dab136dd5dcaaee00d848480N.exe	91
PID 2716 wrote to memory of 868	2716	59747c66dab136dd5dcaaee00d848480N.exe	92
PID 2716 wrote to memory of 868	2716	59747c66dab136dd5dcaaee00d848480N.exe	92
PID 2716 wrote to memory of 1516	2716	59747c66dab136dd5dcaaee00d848480N.exe	93
PID 2716 wrote to memory of 1516	2716	59747c66dab136dd5dcaaee00d848480N.exe	93
PID 2716 wrote to memory of 396	2716	59747c66dab136dd5dcaaee00d848480N.exe	94
PID 2716 wrote to memory of 396	2716	59747c66dab136dd5dcaaee00d848480N.exe	94
PID 2716 wrote to memory of 4856	2716	59747c66dab136dd5dcaaee00d848480N.exe	95
PID 2716 wrote to memory of 4856	2716	59747c66dab136dd5dcaaee00d848480N.exe	95
PID 2716 wrote to memory of 2672	2716	59747c66dab136dd5dcaaee00d848480N.exe	97
PID 2716 wrote to memory of 2672	2716	59747c66dab136dd5dcaaee00d848480N.exe	97
PID 2716 wrote to memory of 456	2716	59747c66dab136dd5dcaaee00d848480N.exe	98
PID 2716 wrote to memory of 456	2716	59747c66dab136dd5dcaaee00d848480N.exe	98
PID 2716 wrote to memory of 2052	2716	59747c66dab136dd5dcaaee00d848480N.exe	99
PID 2716 wrote to memory of 2052	2716	59747c66dab136dd5dcaaee00d848480N.exe	99
PID 2716 wrote to memory of 2216	2716	59747c66dab136dd5dcaaee00d848480N.exe	100
PID 2716 wrote to memory of 2216	2716	59747c66dab136dd5dcaaee00d848480N.exe	100
PID 2716 wrote to memory of 4048	2716	59747c66dab136dd5dcaaee00d848480N.exe	101
PID 2716 wrote to memory of 4048	2716	59747c66dab136dd5dcaaee00d848480N.exe	101
PID 2716 wrote to memory of 3812	2716	59747c66dab136dd5dcaaee00d848480N.exe	102
PID 2716 wrote to memory of 3812	2716	59747c66dab136dd5dcaaee00d848480N.exe	102
PID 2716 wrote to memory of 3408	2716	59747c66dab136dd5dcaaee00d848480N.exe	103
PID 2716 wrote to memory of 3408	2716	59747c66dab136dd5dcaaee00d848480N.exe	103
PID 2716 wrote to memory of 1460	2716	59747c66dab136dd5dcaaee00d848480N.exe	104
PID 2716 wrote to memory of 1460	2716	59747c66dab136dd5dcaaee00d848480N.exe	104
PID 2716 wrote to memory of 1084	2716	59747c66dab136dd5dcaaee00d848480N.exe	105
PID 2716 wrote to memory of 1084	2716	59747c66dab136dd5dcaaee00d848480N.exe	105
PID 2716 wrote to memory of 4728	2716	59747c66dab136dd5dcaaee00d848480N.exe	106
PID 2716 wrote to memory of 4728	2716	59747c66dab136dd5dcaaee00d848480N.exe	106
PID 2716 wrote to memory of 4556	2716	59747c66dab136dd5dcaaee00d848480N.exe	107
PID 2716 wrote to memory of 4556	2716	59747c66dab136dd5dcaaee00d848480N.exe	107
PID 2716 wrote to memory of 2360	2716	59747c66dab136dd5dcaaee00d848480N.exe	108
PID 2716 wrote to memory of 2360	2716	59747c66dab136dd5dcaaee00d848480N.exe	108
PID 2716 wrote to memory of 3900	2716	59747c66dab136dd5dcaaee00d848480N.exe	109
PID 2716 wrote to memory of 3900	2716	59747c66dab136dd5dcaaee00d848480N.exe	109
PID 2716 wrote to memory of 4148	2716	59747c66dab136dd5dcaaee00d848480N.exe	110
PID 2716 wrote to memory of 4148	2716	59747c66dab136dd5dcaaee00d848480N.exe	110
PID 2716 wrote to memory of 1652	2716	59747c66dab136dd5dcaaee00d848480N.exe	111
PID 2716 wrote to memory of 1652	2716	59747c66dab136dd5dcaaee00d848480N.exe	111
PID 2716 wrote to memory of 3100	2716	59747c66dab136dd5dcaaee00d848480N.exe	112
PID 2716 wrote to memory of 3100	2716	59747c66dab136dd5dcaaee00d848480N.exe	112
PID 2716 wrote to memory of 4828	2716	59747c66dab136dd5dcaaee00d848480N.exe	113
PID 2716 wrote to memory of 4828	2716	59747c66dab136dd5dcaaee00d848480N.exe	113
PID 2716 wrote to memory of 2988	2716	59747c66dab136dd5dcaaee00d848480N.exe	114
PID 2716 wrote to memory of 2988	2716	59747c66dab136dd5dcaaee00d848480N.exe	114
PID 2716 wrote to memory of 3564	2716	59747c66dab136dd5dcaaee00d848480N.exe	115
PID 2716 wrote to memory of 3564	2716	59747c66dab136dd5dcaaee00d848480N.exe	115
PID 2716 wrote to memory of 900	2716	59747c66dab136dd5dcaaee00d848480N.exe	116
PID 2716 wrote to memory of 900	2716	59747c66dab136dd5dcaaee00d848480N.exe	116
PID 2716 wrote to memory of 1424	2716	59747c66dab136dd5dcaaee00d848480N.exe	117
PID 2716 wrote to memory of 1424	2716	59747c66dab136dd5dcaaee00d848480N.exe	117

C:\Users\Admin\AppData\Local\Temp\59747c66dab136dd5dcaaee00d848480N.exe
"C:\Users\Admin\AppData\Local\Temp\59747c66dab136dd5dcaaee00d848480N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\System32\jUXmEiq.exe
  C:\Windows\System32\jUXmEiq.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System32\OEMlJcW.exe
  C:\Windows\System32\OEMlJcW.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System32\dOXvDLl.exe
  C:\Windows\System32\dOXvDLl.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\xOvlsYx.exe
  C:\Windows\System32\xOvlsYx.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System32\vpramml.exe
  C:\Windows\System32\vpramml.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\Gyvkloy.exe
  C:\Windows\System32\Gyvkloy.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System32\TCrssJA.exe
  C:\Windows\System32\TCrssJA.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System32\VDNevJJ.exe
  C:\Windows\System32\VDNevJJ.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System32\LYhlPkU.exe
  C:\Windows\System32\LYhlPkU.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System32\MACFIFj.exe
  C:\Windows\System32\MACFIFj.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System32\aDXfbfi.exe
  C:\Windows\System32\aDXfbfi.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\loqKerK.exe
  C:\Windows\System32\loqKerK.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\pvpMomg.exe
  C:\Windows\System32\pvpMomg.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System32\MSyqKmU.exe
  C:\Windows\System32\MSyqKmU.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System32\NNKGOHt.exe
  C:\Windows\System32\NNKGOHt.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\eqUSNrb.exe
  C:\Windows\System32\eqUSNrb.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System32\scTpejc.exe
  C:\Windows\System32\scTpejc.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System32\ZNwFWYF.exe
  C:\Windows\System32\ZNwFWYF.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System32\UtNwYhR.exe
  C:\Windows\System32\UtNwYhR.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System32\wDmEbjJ.exe
  C:\Windows\System32\wDmEbjJ.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System32\LIvIYZE.exe
  C:\Windows\System32\LIvIYZE.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\kMMdzXq.exe
  C:\Windows\System32\kMMdzXq.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System32\OYytCXH.exe
  C:\Windows\System32\OYytCXH.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System32\YVCnHhv.exe
  C:\Windows\System32\YVCnHhv.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System32\SnXdGlH.exe
  C:\Windows\System32\SnXdGlH.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System32\cWHXtZD.exe
  C:\Windows\System32\cWHXtZD.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System32\DkwffEH.exe
  C:\Windows\System32\DkwffEH.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System32\ijoKDvC.exe
  C:\Windows\System32\ijoKDvC.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\KsqOsYL.exe
  C:\Windows\System32\KsqOsYL.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\aNRqDoh.exe
  C:\Windows\System32\aNRqDoh.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System32\cDhDVgn.exe
  C:\Windows\System32\cDhDVgn.exe
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\System32\UKQeoiC.exe
  C:\Windows\System32\UKQeoiC.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System32\eoAgwhu.exe
  C:\Windows\System32\eoAgwhu.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System32\riEYjRW.exe
  C:\Windows\System32\riEYjRW.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System32\eArbToe.exe
  C:\Windows\System32\eArbToe.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System32\cjOjRZe.exe
  C:\Windows\System32\cjOjRZe.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System32\PYFcaar.exe
  C:\Windows\System32\PYFcaar.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System32\mZBYoCt.exe
  C:\Windows\System32\mZBYoCt.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\ulfNyaD.exe
  C:\Windows\System32\ulfNyaD.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System32\SzbIbUJ.exe
  C:\Windows\System32\SzbIbUJ.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\PWBamEk.exe
  C:\Windows\System32\PWBamEk.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\ksHYiFm.exe
  C:\Windows\System32\ksHYiFm.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System32\kLJZjAR.exe
  C:\Windows\System32\kLJZjAR.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System32\lbWWIjV.exe
  C:\Windows\System32\lbWWIjV.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System32\jzBjhoA.exe
  C:\Windows\System32\jzBjhoA.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System32\bucYgVd.exe
  C:\Windows\System32\bucYgVd.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System32\ZwnEIFL.exe
  C:\Windows\System32\ZwnEIFL.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System32\LNcYOuW.exe
  C:\Windows\System32\LNcYOuW.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\UExDswH.exe
  C:\Windows\System32\UExDswH.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\UCkGuDO.exe
  C:\Windows\System32\UCkGuDO.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System32\rOCfnCO.exe
  C:\Windows\System32\rOCfnCO.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\xZPcPUL.exe
  C:\Windows\System32\xZPcPUL.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System32\fxFfjnB.exe
  C:\Windows\System32\fxFfjnB.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System32\lTTNTgY.exe
  C:\Windows\System32\lTTNTgY.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\qPJrAUY.exe
  C:\Windows\System32\qPJrAUY.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\zQTzyCl.exe
  C:\Windows\System32\zQTzyCl.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\FMCFjbu.exe
  C:\Windows\System32\FMCFjbu.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\mGvZmpb.exe
  C:\Windows\System32\mGvZmpb.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System32\DdGaWtc.exe
  C:\Windows\System32\DdGaWtc.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System32\cEJposl.exe
  C:\Windows\System32\cEJposl.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System32\SydXbVI.exe
  C:\Windows\System32\SydXbVI.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System32\lFWKBmU.exe
  C:\Windows\System32\lFWKBmU.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\dCXiAUc.exe
  C:\Windows\System32\dCXiAUc.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System32\fIVxZXT.exe
  C:\Windows\System32\fIVxZXT.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\MpBMVqd.exe
  C:\Windows\System32\MpBMVqd.exe
  2⤵
  PID:2064
- C:\Windows\System32\pzYzZHF.exe
  C:\Windows\System32\pzYzZHF.exe
  2⤵
  PID:1800
- C:\Windows\System32\GorkhyY.exe
  C:\Windows\System32\GorkhyY.exe
  2⤵
  PID:1988
- C:\Windows\System32\qAfbSVu.exe
  C:\Windows\System32\qAfbSVu.exe
  2⤵
  PID:4920
- C:\Windows\System32\rBZeKXQ.exe
  C:\Windows\System32\rBZeKXQ.exe
  2⤵
  PID:2368
- C:\Windows\System32\ZwKeOfE.exe
  C:\Windows\System32\ZwKeOfE.exe
  2⤵
  PID:2584
- C:\Windows\System32\lDVTvid.exe
  C:\Windows\System32\lDVTvid.exe
  2⤵
  PID:1940
- C:\Windows\System32\eftBGqw.exe
  C:\Windows\System32\eftBGqw.exe
  2⤵
  PID:4244
- C:\Windows\System32\tJCSmLw.exe
  C:\Windows\System32\tJCSmLw.exe
  2⤵
  PID:3648
- C:\Windows\System32\lHQkqvy.exe
  C:\Windows\System32\lHQkqvy.exe
  2⤵
  PID:2632
- C:\Windows\System32\pJaEIVq.exe
  C:\Windows\System32\pJaEIVq.exe
  2⤵
  PID:5020
- C:\Windows\System32\sWXATou.exe
  C:\Windows\System32\sWXATou.exe
  2⤵
  PID:4484
- C:\Windows\System32\TdYnSYD.exe
  C:\Windows\System32\TdYnSYD.exe
  2⤵
  PID:4416
- C:\Windows\System32\zMSejMH.exe
  C:\Windows\System32\zMSejMH.exe
  2⤵
  PID:1384
- C:\Windows\System32\fxpawnq.exe
  C:\Windows\System32\fxpawnq.exe
  2⤵
  PID:1156
- C:\Windows\System32\osFAJoO.exe
  C:\Windows\System32\osFAJoO.exe
  2⤵
  PID:3004
- C:\Windows\System32\iDdatuc.exe
  C:\Windows\System32\iDdatuc.exe
  2⤵
  PID:4680
- C:\Windows\System32\NolNMmV.exe
  C:\Windows\System32\NolNMmV.exe
  2⤵
  PID:1620
- C:\Windows\System32\ItkxZhY.exe
  C:\Windows\System32\ItkxZhY.exe
  2⤵
  PID:4000
- C:\Windows\System32\UIlIxiu.exe
  C:\Windows\System32\UIlIxiu.exe
  2⤵
  PID:1064
- C:\Windows\System32\cTsppAr.exe
  C:\Windows\System32\cTsppAr.exe
  2⤵
  PID:4232
- C:\Windows\System32\IIeOKSN.exe
  C:\Windows\System32\IIeOKSN.exe
  2⤵
  PID:4296
- C:\Windows\System32\nMlNTdi.exe
  C:\Windows\System32\nMlNTdi.exe
  2⤵
  PID:432
- C:\Windows\System32\SuvshMT.exe
  C:\Windows\System32\SuvshMT.exe
  2⤵
  PID:3068
- C:\Windows\System32\SLubgCR.exe
  C:\Windows\System32\SLubgCR.exe
  2⤵
  PID:1300
- C:\Windows\System32\PJSoeOv.exe
  C:\Windows\System32\PJSoeOv.exe
  2⤵
  PID:1996
- C:\Windows\System32\pSBbKtC.exe
  C:\Windows\System32\pSBbKtC.exe
  2⤵
  PID:3556
- C:\Windows\System32\Dveoihw.exe
  C:\Windows\System32\Dveoihw.exe
  2⤵
  PID:5144
- C:\Windows\System32\xSKXgZq.exe
  C:\Windows\System32\xSKXgZq.exe
  2⤵
  PID:5172
- C:\Windows\System32\LZWfDbm.exe
  C:\Windows\System32\LZWfDbm.exe
  2⤵
  PID:5200
- C:\Windows\System32\CAUfEjV.exe
  C:\Windows\System32\CAUfEjV.exe
  2⤵
  PID:5228
- C:\Windows\System32\qjIlOAs.exe
  C:\Windows\System32\qjIlOAs.exe
  2⤵
  PID:5256
- C:\Windows\System32\PiJOvqw.exe
  C:\Windows\System32\PiJOvqw.exe
  2⤵
  PID:5296
- C:\Windows\System32\PzAclPF.exe
  C:\Windows\System32\PzAclPF.exe
  2⤵
  PID:5312
- C:\Windows\System32\zTbVLqO.exe
  C:\Windows\System32\zTbVLqO.exe
  2⤵
  PID:5340
- C:\Windows\System32\ExQSUEe.exe
  C:\Windows\System32\ExQSUEe.exe
  2⤵
  PID:5368
- C:\Windows\System32\OUoTBAQ.exe
  C:\Windows\System32\OUoTBAQ.exe
  2⤵
  PID:5408
- C:\Windows\System32\tAJaWHn.exe
  C:\Windows\System32\tAJaWHn.exe
  2⤵
  PID:5424
- C:\Windows\System32\bhJmzQS.exe
  C:\Windows\System32\bhJmzQS.exe
  2⤵
  PID:5452
- C:\Windows\System32\AZuWYTh.exe
  C:\Windows\System32\AZuWYTh.exe
  2⤵
  PID:5480
- C:\Windows\System32\nSHmzHl.exe
  C:\Windows\System32\nSHmzHl.exe
  2⤵
  PID:5508
- C:\Windows\System32\naCCsUS.exe
  C:\Windows\System32\naCCsUS.exe
  2⤵
  PID:5536
- C:\Windows\System32\eQVCUuD.exe
  C:\Windows\System32\eQVCUuD.exe
  2⤵
  PID:5564
- C:\Windows\System32\yrHbUzS.exe
  C:\Windows\System32\yrHbUzS.exe
  2⤵
  PID:5604
- C:\Windows\System32\GrvEJmG.exe
  C:\Windows\System32\GrvEJmG.exe
  2⤵
  PID:5620
- C:\Windows\System32\kXsXkvN.exe
  C:\Windows\System32\kXsXkvN.exe
  2⤵
  PID:5660
- C:\Windows\System32\LxAdPdL.exe
  C:\Windows\System32\LxAdPdL.exe
  2⤵
  PID:5676
- C:\Windows\System32\naiGLEa.exe
  C:\Windows\System32\naiGLEa.exe
  2⤵
  PID:5704
- C:\Windows\System32\GQGpIlW.exe
  C:\Windows\System32\GQGpIlW.exe
  2⤵
  PID:5744
- C:\Windows\System32\BuIMpLm.exe
  C:\Windows\System32\BuIMpLm.exe
  2⤵
  PID:5760
- C:\Windows\System32\sIQdWYh.exe
  C:\Windows\System32\sIQdWYh.exe
  2⤵
  PID:5788
- C:\Windows\System32\oyAZRca.exe
  C:\Windows\System32\oyAZRca.exe
  2⤵
  PID:5816
- C:\Windows\System32\ucYMcmm.exe
  C:\Windows\System32\ucYMcmm.exe
  2⤵
  PID:5844
- C:\Windows\System32\YHfzrxT.exe
  C:\Windows\System32\YHfzrxT.exe
  2⤵
  PID:5872
- C:\Windows\System32\gplmfWJ.exe
  C:\Windows\System32\gplmfWJ.exe
  2⤵
  PID:5900
- C:\Windows\System32\umHThgK.exe
  C:\Windows\System32\umHThgK.exe
  2⤵
  PID:5928
- C:\Windows\System32\HmMenmt.exe
  C:\Windows\System32\HmMenmt.exe
  2⤵
  PID:5956
- C:\Windows\System32\HBIjqMS.exe
  C:\Windows\System32\HBIjqMS.exe
  2⤵
  PID:5984
- C:\Windows\System32\cPENJrJ.exe
  C:\Windows\System32\cPENJrJ.exe
  2⤵
  PID:6024
- C:\Windows\System32\zjvOmps.exe
  C:\Windows\System32\zjvOmps.exe
  2⤵
  PID:6044
- C:\Windows\System32\GyoCJBz.exe
  C:\Windows\System32\GyoCJBz.exe
  2⤵
  PID:6124
- C:\Windows\System32\QoEZcRC.exe
  C:\Windows\System32\QoEZcRC.exe
  2⤵
  PID:628
- C:\Windows\System32\PHQTgAt.exe
  C:\Windows\System32\PHQTgAt.exe
  2⤵
  PID:3616
- C:\Windows\System32\YUSgTyM.exe
  C:\Windows\System32\YUSgTyM.exe
  2⤵
  PID:5212
- C:\Windows\System32\RoMAkxT.exe
  C:\Windows\System32\RoMAkxT.exe
  2⤵
  PID:5244
- C:\Windows\System32\VpUppMB.exe
  C:\Windows\System32\VpUppMB.exe
  2⤵
  PID:5304
- C:\Windows\System32\pBykKjd.exe
  C:\Windows\System32\pBykKjd.exe
  2⤵
  PID:5352
- C:\Windows\System32\WvUMiSW.exe
  C:\Windows\System32\WvUMiSW.exe
  2⤵
  PID:5384
- C:\Windows\System32\xplVdxT.exe
  C:\Windows\System32\xplVdxT.exe
  2⤵
  PID:5476
- C:\Windows\System32\YQoNJeF.exe
  C:\Windows\System32\YQoNJeF.exe
  2⤵
  PID:5532
- C:\Windows\System32\LuXUPXm.exe
  C:\Windows\System32\LuXUPXm.exe
  2⤵
  PID:5552
- C:\Windows\System32\ArAVZIE.exe
  C:\Windows\System32\ArAVZIE.exe
  2⤵
  PID:5612
- C:\Windows\System32\zQoaKqH.exe
  C:\Windows\System32\zQoaKqH.exe
  2⤵
  PID:3620
- C:\Windows\System32\ntEffrA.exe
  C:\Windows\System32\ntEffrA.exe
  2⤵
  PID:5044
- C:\Windows\System32\rRrUYsc.exe
  C:\Windows\System32\rRrUYsc.exe
  2⤵
  PID:5716
- C:\Windows\System32\TsALZrR.exe
  C:\Windows\System32\TsALZrR.exe
  2⤵
  PID:5720
- C:\Windows\System32\qjKKAsC.exe
  C:\Windows\System32\qjKKAsC.exe
  2⤵
  PID:5776
- C:\Windows\System32\OHGwXGI.exe
  C:\Windows\System32\OHGwXGI.exe
  2⤵
  PID:5804
- C:\Windows\System32\MyodIlq.exe
  C:\Windows\System32\MyodIlq.exe
  2⤵
  PID:3864
- C:\Windows\System32\YxcuGqQ.exe
  C:\Windows\System32\YxcuGqQ.exe
  2⤵
  PID:3788
- C:\Windows\System32\zvIdyRW.exe
  C:\Windows\System32\zvIdyRW.exe
  2⤵
  PID:5896
- C:\Windows\System32\XFxhWUG.exe
  C:\Windows\System32\XFxhWUG.exe
  2⤵
  PID:3676
- C:\Windows\System32\GYOReiU.exe
  C:\Windows\System32\GYOReiU.exe
  2⤵
  PID:6032
- C:\Windows\System32\HGsCkoM.exe
  C:\Windows\System32\HGsCkoM.exe
  2⤵
  PID:1500
- C:\Windows\System32\ChEGpPu.exe
  C:\Windows\System32\ChEGpPu.exe
  2⤵
  PID:4704
- C:\Windows\System32\TFBdydX.exe
  C:\Windows\System32\TFBdydX.exe
  2⤵
  PID:4640
- C:\Windows\System32\bhRSBDA.exe
  C:\Windows\System32\bhRSBDA.exe
  2⤵
  PID:6116
- C:\Windows\System32\SFCmuQM.exe
  C:\Windows\System32\SFCmuQM.exe
  2⤵
  PID:1112
- C:\Windows\System32\mttenZt.exe
  C:\Windows\System32\mttenZt.exe
  2⤵
  PID:224
- C:\Windows\System32\HIYKyxo.exe
  C:\Windows\System32\HIYKyxo.exe
  2⤵
  PID:6112
- C:\Windows\System32\hXMmCYR.exe
  C:\Windows\System32\hXMmCYR.exe
  2⤵
  PID:5224
- C:\Windows\System32\QAksHpo.exe
  C:\Windows\System32\QAksHpo.exe
  2⤵
  PID:5548
- C:\Windows\System32\WbdwIrz.exe
  C:\Windows\System32\WbdwIrz.exe
  2⤵
  PID:5784
- C:\Windows\System32\ICEJRZw.exe
  C:\Windows\System32\ICEJRZw.exe
  2⤵
  PID:5860
- C:\Windows\System32\YbgBllp.exe
  C:\Windows\System32\YbgBllp.exe
  2⤵
  PID:5940
- C:\Windows\System32\aCrjzUz.exe
  C:\Windows\System32\aCrjzUz.exe
  2⤵
  PID:3872
- C:\Windows\System32\PteXLma.exe
  C:\Windows\System32\PteXLma.exe
  2⤵
  PID:2036
- C:\Windows\System32\cvLgaah.exe
  C:\Windows\System32\cvLgaah.exe
  2⤵
  PID:2272
- C:\Windows\System32\WGBMWlf.exe
  C:\Windows\System32\WGBMWlf.exe
  2⤵
  PID:5156
- C:\Windows\System32\URIIsee.exe
  C:\Windows\System32\URIIsee.exe
  2⤵
  PID:5400
- C:\Windows\System32\HTxPcDB.exe
  C:\Windows\System32\HTxPcDB.exe
  2⤵
  PID:3828
- C:\Windows\System32\boqrdkH.exe
  C:\Windows\System32\boqrdkH.exe
  2⤵
  PID:1840
- C:\Windows\System32\aWkSKos.exe
  C:\Windows\System32\aWkSKos.exe
  2⤵
  PID:5496
- C:\Windows\System32\vusjNbF.exe
  C:\Windows\System32\vusjNbF.exe
  2⤵
  PID:4876
- C:\Windows\System32\joddDZa.exe
  C:\Windows\System32\joddDZa.exe
  2⤵
  PID:5580
- C:\Windows\System32\EPXNRcs.exe
  C:\Windows\System32\EPXNRcs.exe
  2⤵
  PID:5736
- C:\Windows\System32\HsLXIGL.exe
  C:\Windows\System32\HsLXIGL.exe
  2⤵
  PID:6156
- C:\Windows\System32\fJktmyG.exe
  C:\Windows\System32\fJktmyG.exe
  2⤵
  PID:6184
- C:\Windows\System32\zOYNAca.exe
  C:\Windows\System32\zOYNAca.exe
  2⤵
  PID:6224
- C:\Windows\System32\YkJoakA.exe
  C:\Windows\System32\YkJoakA.exe
  2⤵
  PID:6240
- C:\Windows\System32\ASSpTdy.exe
  C:\Windows\System32\ASSpTdy.exe
  2⤵
  PID:6268
- C:\Windows\System32\Grnffzs.exe
  C:\Windows\System32\Grnffzs.exe
  2⤵
  PID:6284
- C:\Windows\System32\vUHmqCg.exe
  C:\Windows\System32\vUHmqCg.exe
  2⤵
  PID:6308
- C:\Windows\System32\zubWlJr.exe
  C:\Windows\System32\zubWlJr.exe
  2⤵
  PID:6328
- C:\Windows\System32\bIFclwB.exe
  C:\Windows\System32\bIFclwB.exe
  2⤵
  PID:6348
- C:\Windows\System32\fdxoBMo.exe
  C:\Windows\System32\fdxoBMo.exe
  2⤵
  PID:6384
- C:\Windows\System32\fWVpovw.exe
  C:\Windows\System32\fWVpovw.exe
  2⤵
  PID:6448
- C:\Windows\System32\IdgTIdQ.exe
  C:\Windows\System32\IdgTIdQ.exe
  2⤵
  PID:6476
- C:\Windows\System32\aVhSUXY.exe
  C:\Windows\System32\aVhSUXY.exe
  2⤵
  PID:6508
- C:\Windows\System32\zDpeMqL.exe
  C:\Windows\System32\zDpeMqL.exe
  2⤵
  PID:6544
- C:\Windows\System32\sCTBFxb.exe
  C:\Windows\System32\sCTBFxb.exe
  2⤵
  PID:6568
- C:\Windows\System32\DUfRmzB.exe
  C:\Windows\System32\DUfRmzB.exe
  2⤵
  PID:6588
- C:\Windows\System32\nrwdcqP.exe
  C:\Windows\System32\nrwdcqP.exe
  2⤵
  PID:6612
- C:\Windows\System32\VKWiCtV.exe
  C:\Windows\System32\VKWiCtV.exe
  2⤵
  PID:6628
- C:\Windows\System32\EtiRutg.exe
  C:\Windows\System32\EtiRutg.exe
  2⤵
  PID:6668
- C:\Windows\System32\nYWLFPO.exe
  C:\Windows\System32\nYWLFPO.exe
  2⤵
  PID:6684
- C:\Windows\System32\hKmymEE.exe
  C:\Windows\System32\hKmymEE.exe
  2⤵
  PID:6704
- C:\Windows\System32\XTSrIud.exe
  C:\Windows\System32\XTSrIud.exe
  2⤵
  PID:6724
- C:\Windows\System32\hfLpNLo.exe
  C:\Windows\System32\hfLpNLo.exe
  2⤵
  PID:6748
- C:\Windows\System32\ffRDwmN.exe
  C:\Windows\System32\ffRDwmN.exe
  2⤵
  PID:6816
- C:\Windows\System32\BGXxjVW.exe
  C:\Windows\System32\BGXxjVW.exe
  2⤵
  PID:6864
- C:\Windows\System32\qnCKHxp.exe
  C:\Windows\System32\qnCKHxp.exe
  2⤵
  PID:6892
- C:\Windows\System32\wTQdMJf.exe
  C:\Windows\System32\wTQdMJf.exe
  2⤵
  PID:6920
- C:\Windows\System32\qZvTSwV.exe
  C:\Windows\System32\qZvTSwV.exe
  2⤵
  PID:6944
- C:\Windows\System32\FOfLAPd.exe
  C:\Windows\System32\FOfLAPd.exe
  2⤵
  PID:6964
- C:\Windows\System32\YaRswPx.exe
  C:\Windows\System32\YaRswPx.exe
  2⤵
  PID:6984
- C:\Windows\System32\UYePJvJ.exe
  C:\Windows\System32\UYePJvJ.exe
  2⤵
  PID:7000
- C:\Windows\System32\ydXSYDQ.exe
  C:\Windows\System32\ydXSYDQ.exe
  2⤵
  PID:7032
- C:\Windows\System32\ulDdgEB.exe
  C:\Windows\System32\ulDdgEB.exe
  2⤵
  PID:7056
- C:\Windows\System32\BMCNhem.exe
  C:\Windows\System32\BMCNhem.exe
  2⤵
  PID:7084
- C:\Windows\System32\ofDZNpG.exe
  C:\Windows\System32\ofDZNpG.exe
  2⤵
  PID:7136
- C:\Windows\System32\oXDkwOQ.exe
  C:\Windows\System32\oXDkwOQ.exe
  2⤵
  PID:7156
- C:\Windows\System32\dYcZVvo.exe
  C:\Windows\System32\dYcZVvo.exe
  2⤵
  PID:6168
- C:\Windows\System32\RcKHuSM.exe
  C:\Windows\System32\RcKHuSM.exe
  2⤵
  PID:6232
- C:\Windows\System32\tIELszD.exe
  C:\Windows\System32\tIELszD.exe
  2⤵
  PID:6300
- C:\Windows\System32\Wqvpnln.exe
  C:\Windows\System32\Wqvpnln.exe
  2⤵
  PID:6420
- C:\Windows\System32\mqeuLAg.exe
  C:\Windows\System32\mqeuLAg.exe
  2⤵
  PID:6488
- C:\Windows\System32\VOgShJe.exe
  C:\Windows\System32\VOgShJe.exe
  2⤵
  PID:6540
- C:\Windows\System32\ySTuRoG.exe
  C:\Windows\System32\ySTuRoG.exe
  2⤵
  PID:6660
- C:\Windows\System32\iXISIvb.exe
  C:\Windows\System32\iXISIvb.exe
  2⤵
  PID:6716
- C:\Windows\System32\qHxqFMp.exe
  C:\Windows\System32\qHxqFMp.exe
  2⤵
  PID:6764
- C:\Windows\System32\AnAzfOa.exe
  C:\Windows\System32\AnAzfOa.exe
  2⤵
  PID:6804
- C:\Windows\System32\ePIADTQ.exe
  C:\Windows\System32\ePIADTQ.exe
  2⤵
  PID:6960
- C:\Windows\System32\thdgKJK.exe
  C:\Windows\System32\thdgKJK.exe
  2⤵
  PID:6992
- C:\Windows\System32\CTBiJPh.exe
  C:\Windows\System32\CTBiJPh.exe
  2⤵
  PID:7108
- C:\Windows\System32\cOTTqhr.exe
  C:\Windows\System32\cOTTqhr.exe
  2⤵
  PID:7132
- C:\Windows\System32\ZAipvuv.exe
  C:\Windows\System32\ZAipvuv.exe
  2⤵
  PID:7152
- C:\Windows\System32\tpeSUWu.exe
  C:\Windows\System32\tpeSUWu.exe
  2⤵
  PID:6336
- C:\Windows\System32\OOwlbGv.exe
  C:\Windows\System32\OOwlbGv.exe
  2⤵
  PID:6524
- C:\Windows\System32\AldOkwT.exe
  C:\Windows\System32\AldOkwT.exe
  2⤵
  PID:6624
- C:\Windows\System32\DukWsah.exe
  C:\Windows\System32\DukWsah.exe
  2⤵
  PID:6860
- C:\Windows\System32\fBcMTqF.exe
  C:\Windows\System32\fBcMTqF.exe
  2⤵
  PID:6996
- C:\Windows\System32\fAlTUCA.exe
  C:\Windows\System32\fAlTUCA.exe
  2⤵
  PID:7072
- C:\Windows\System32\UdHIPzA.exe
  C:\Windows\System32\UdHIPzA.exe
  2⤵
  PID:6380
- C:\Windows\System32\BxFXvvX.exe
  C:\Windows\System32\BxFXvvX.exe
  2⤵
  PID:6696
- C:\Windows\System32\ZykOTre.exe
  C:\Windows\System32\ZykOTre.exe
  2⤵
  PID:7096
- C:\Windows\System32\ChncOzY.exe
  C:\Windows\System32\ChncOzY.exe
  2⤵
  PID:7064
- C:\Windows\System32\gWBNipC.exe
  C:\Windows\System32\gWBNipC.exe
  2⤵
  PID:7172
- C:\Windows\System32\euQFkmI.exe
  C:\Windows\System32\euQFkmI.exe
  2⤵
  PID:7192
- C:\Windows\System32\KMvoOZN.exe
  C:\Windows\System32\KMvoOZN.exe
  2⤵
  PID:7212
- C:\Windows\System32\MDNsMbv.exe
  C:\Windows\System32\MDNsMbv.exe
  2⤵
  PID:7248
- C:\Windows\System32\DnuqJkd.exe
  C:\Windows\System32\DnuqJkd.exe
  2⤵
  PID:7268
- C:\Windows\System32\xIEGHUq.exe
  C:\Windows\System32\xIEGHUq.exe
  2⤵
  PID:7300
- C:\Windows\System32\JvmDisN.exe
  C:\Windows\System32\JvmDisN.exe
  2⤵
  PID:7320
- C:\Windows\System32\wZsqNgP.exe
  C:\Windows\System32\wZsqNgP.exe
  2⤵
  PID:7348
- C:\Windows\System32\OmGJHfd.exe
  C:\Windows\System32\OmGJHfd.exe
  2⤵
  PID:7392
- C:\Windows\System32\oWxYppw.exe
  C:\Windows\System32\oWxYppw.exe
  2⤵
  PID:7416
- C:\Windows\System32\EElosYN.exe
  C:\Windows\System32\EElosYN.exe
  2⤵
  PID:7448
- C:\Windows\System32\jgEvAQV.exe
  C:\Windows\System32\jgEvAQV.exe
  2⤵
  PID:7464
- C:\Windows\System32\WlvVLzd.exe
  C:\Windows\System32\WlvVLzd.exe
  2⤵
  PID:7500
- C:\Windows\System32\GrBaoUC.exe
  C:\Windows\System32\GrBaoUC.exe
  2⤵
  PID:7524
- C:\Windows\System32\vrGlHtw.exe
  C:\Windows\System32\vrGlHtw.exe
  2⤵
  PID:7552
- C:\Windows\System32\nyddnMi.exe
  C:\Windows\System32\nyddnMi.exe
  2⤵
  PID:7588
- C:\Windows\System32\tPjGeeZ.exe
  C:\Windows\System32\tPjGeeZ.exe
  2⤵
  PID:7616
- C:\Windows\System32\uTfmlrc.exe
  C:\Windows\System32\uTfmlrc.exe
  2⤵
  PID:7640
- C:\Windows\System32\DdZrKQJ.exe
  C:\Windows\System32\DdZrKQJ.exe
  2⤵
  PID:7684
- C:\Windows\System32\PTrxzGx.exe
  C:\Windows\System32\PTrxzGx.exe
  2⤵
  PID:7708
- C:\Windows\System32\cPJnnsy.exe
  C:\Windows\System32\cPJnnsy.exe
  2⤵
  PID:7728
- C:\Windows\System32\YfnsHPh.exe
  C:\Windows\System32\YfnsHPh.exe
  2⤵
  PID:7748
- C:\Windows\System32\RFMvbUF.exe
  C:\Windows\System32\RFMvbUF.exe
  2⤵
  PID:7776
- C:\Windows\System32\bClLZDC.exe
  C:\Windows\System32\bClLZDC.exe
  2⤵
  PID:7800
- C:\Windows\System32\EJJOJzL.exe
  C:\Windows\System32\EJJOJzL.exe
  2⤵
  PID:7840
- C:\Windows\System32\dEvGUQT.exe
  C:\Windows\System32\dEvGUQT.exe
  2⤵
  PID:7860
- C:\Windows\System32\XrOtbEu.exe
  C:\Windows\System32\XrOtbEu.exe
  2⤵
  PID:7880
- C:\Windows\System32\ChnRvgb.exe
  C:\Windows\System32\ChnRvgb.exe
  2⤵
  PID:7916
- C:\Windows\System32\xgovmoi.exe
  C:\Windows\System32\xgovmoi.exe
  2⤵
  PID:7944
- C:\Windows\System32\xRWlXaT.exe
  C:\Windows\System32\xRWlXaT.exe
  2⤵
  PID:7964
- C:\Windows\System32\IXnXAlr.exe
  C:\Windows\System32\IXnXAlr.exe
  2⤵
  PID:7996
- C:\Windows\System32\GjaUPWa.exe
  C:\Windows\System32\GjaUPWa.exe
  2⤵
  PID:8016
- C:\Windows\System32\WHFkzLi.exe
  C:\Windows\System32\WHFkzLi.exe
  2⤵
  PID:8060
- C:\Windows\System32\RpdLRIZ.exe
  C:\Windows\System32\RpdLRIZ.exe
  2⤵
  PID:8084
- C:\Windows\System32\bBoFFdA.exe
  C:\Windows\System32\bBoFFdA.exe
  2⤵
  PID:8108
- C:\Windows\System32\SfhCUhM.exe
  C:\Windows\System32\SfhCUhM.exe
  2⤵
  PID:8160
- C:\Windows\System32\sdVVnUO.exe
  C:\Windows\System32\sdVVnUO.exe
  2⤵
  PID:8188
- C:\Windows\System32\OraMeza.exe
  C:\Windows\System32\OraMeza.exe
  2⤵
  PID:7220
- C:\Windows\System32\eYdGGyW.exe
  C:\Windows\System32\eYdGGyW.exe
  2⤵
  PID:7236
- C:\Windows\System32\hEloPTk.exe
  C:\Windows\System32\hEloPTk.exe
  2⤵
  PID:7308
- C:\Windows\System32\kvCZGyQ.exe
  C:\Windows\System32\kvCZGyQ.exe
  2⤵
  PID:7400
- C:\Windows\System32\BuceMkn.exe
  C:\Windows\System32\BuceMkn.exe
  2⤵
  PID:7436
- C:\Windows\System32\rTQBISB.exe
  C:\Windows\System32\rTQBISB.exe
  2⤵
  PID:7492
- C:\Windows\System32\LvoKMER.exe
  C:\Windows\System32\LvoKMER.exe
  2⤵
  PID:6908
- C:\Windows\System32\UCoxzia.exe
  C:\Windows\System32\UCoxzia.exe
  2⤵
  PID:7600
- C:\Windows\System32\PzYPYeP.exe
  C:\Windows\System32\PzYPYeP.exe
  2⤵
  PID:7724
- C:\Windows\System32\JWVZwrG.exe
  C:\Windows\System32\JWVZwrG.exe
  2⤵
  PID:7792
- C:\Windows\System32\lyqLrzU.exe
  C:\Windows\System32\lyqLrzU.exe
  2⤵
  PID:7876
- C:\Windows\System32\HBBlXEk.exe
  C:\Windows\System32\HBBlXEk.exe
  2⤵
  PID:7852
- C:\Windows\System32\hikMCli.exe
  C:\Windows\System32\hikMCli.exe
  2⤵
  PID:7992
- C:\Windows\System32\lKwCJCE.exe
  C:\Windows\System32\lKwCJCE.exe
  2⤵
  PID:8052
- C:\Windows\System32\FnFWvMy.exe
  C:\Windows\System32\FnFWvMy.exe
  2⤵
  PID:8104
- C:\Windows\System32\IVnfSnZ.exe
  C:\Windows\System32\IVnfSnZ.exe
  2⤵
  PID:8184
- C:\Windows\System32\VzpOiLx.exe
  C:\Windows\System32\VzpOiLx.exe
  2⤵
  PID:7232
- C:\Windows\System32\dkJxNrO.exe
  C:\Windows\System32\dkJxNrO.exe
  2⤵
  PID:7488
- C:\Windows\System32\TXJXDnd.exe
  C:\Windows\System32\TXJXDnd.exe
  2⤵
  PID:7584
- C:\Windows\System32\zPhVVuP.exe
  C:\Windows\System32\zPhVVuP.exe
  2⤵
  PID:7796
- C:\Windows\System32\XzWfzlw.exe
  C:\Windows\System32\XzWfzlw.exe
  2⤵
  PID:7904
- C:\Windows\System32\vbrsEsW.exe
  C:\Windows\System32\vbrsEsW.exe
  2⤵
  PID:7976
- C:\Windows\System32\GRJxPPi.exe
  C:\Windows\System32\GRJxPPi.exe
  2⤵
  PID:7312
- C:\Windows\System32\LvMKqEh.exe
  C:\Windows\System32\LvMKqEh.exe
  2⤵
  PID:7548
- C:\Windows\System32\MuMfKkW.exe
  C:\Windows\System32\MuMfKkW.exe
  2⤵
  PID:7720
- C:\Windows\System32\LcabiCc.exe
  C:\Windows\System32\LcabiCc.exe
  2⤵
  PID:7956
- C:\Windows\System32\NUkxESv.exe
  C:\Windows\System32\NUkxESv.exe
  2⤵
  PID:8096
- C:\Windows\System32\XyUGSUI.exe
  C:\Windows\System32\XyUGSUI.exe
  2⤵
  PID:8224
- C:\Windows\System32\VGjgjSS.exe
  C:\Windows\System32\VGjgjSS.exe
  2⤵
  PID:8248
- C:\Windows\System32\qHSDuks.exe
  C:\Windows\System32\qHSDuks.exe
  2⤵
  PID:8268
- C:\Windows\System32\wVwtoRY.exe
  C:\Windows\System32\wVwtoRY.exe
  2⤵
  PID:8292
- C:\Windows\System32\nbhpdVi.exe
  C:\Windows\System32\nbhpdVi.exe
  2⤵
  PID:8312
- C:\Windows\System32\hdHAmIi.exe
  C:\Windows\System32\hdHAmIi.exe
  2⤵
  PID:8344
- C:\Windows\System32\FHkJQgs.exe
  C:\Windows\System32\FHkJQgs.exe
  2⤵
  PID:8380
- C:\Windows\System32\MFjiAPb.exe
  C:\Windows\System32\MFjiAPb.exe
  2⤵
  PID:8400
- C:\Windows\System32\kJgfCsw.exe
  C:\Windows\System32\kJgfCsw.exe
  2⤵
  PID:8436
- C:\Windows\System32\dIEdtfD.exe
  C:\Windows\System32\dIEdtfD.exe
  2⤵
  PID:8492
- C:\Windows\System32\OqhqWrT.exe
  C:\Windows\System32\OqhqWrT.exe
  2⤵
  PID:8524
- C:\Windows\System32\xDSFySa.exe
  C:\Windows\System32\xDSFySa.exe
  2⤵
  PID:8544
- C:\Windows\System32\YeyhaBk.exe
  C:\Windows\System32\YeyhaBk.exe
  2⤵
  PID:8564
- C:\Windows\System32\ePPLLrh.exe
  C:\Windows\System32\ePPLLrh.exe
  2⤵
  PID:8580
- C:\Windows\System32\BzkujTG.exe
  C:\Windows\System32\BzkujTG.exe
  2⤵
  PID:8596
- C:\Windows\System32\MXLNgbb.exe
  C:\Windows\System32\MXLNgbb.exe
  2⤵
  PID:8616
- C:\Windows\System32\pKeltfw.exe
  C:\Windows\System32\pKeltfw.exe
  2⤵
  PID:8632
- C:\Windows\System32\aFURqlL.exe
  C:\Windows\System32\aFURqlL.exe
  2⤵
  PID:8648
- C:\Windows\System32\alFJZxa.exe
  C:\Windows\System32\alFJZxa.exe
  2⤵
  PID:8672
- C:\Windows\System32\tOYtuPc.exe
  C:\Windows\System32\tOYtuPc.exe
  2⤵
  PID:8708
- C:\Windows\System32\WRVnSaB.exe
  C:\Windows\System32\WRVnSaB.exe
  2⤵
  PID:8756
- C:\Windows\System32\hcOLraL.exe
  C:\Windows\System32\hcOLraL.exe
  2⤵
  PID:8800
- C:\Windows\System32\DvDQTkm.exe
  C:\Windows\System32\DvDQTkm.exe
  2⤵
  PID:8832
- C:\Windows\System32\MrguaBX.exe
  C:\Windows\System32\MrguaBX.exe
  2⤵
  PID:8896
- C:\Windows\System32\SijxRFO.exe
  C:\Windows\System32\SijxRFO.exe
  2⤵
  PID:8980
- C:\Windows\System32\dKEUQMg.exe
  C:\Windows\System32\dKEUQMg.exe
  2⤵
  PID:9064
- C:\Windows\System32\EDxwhtr.exe
  C:\Windows\System32\EDxwhtr.exe
  2⤵
  PID:9080
- C:\Windows\System32\eYuybIu.exe
  C:\Windows\System32\eYuybIu.exe
  2⤵
  PID:9108
- C:\Windows\System32\wGHefCC.exe
  C:\Windows\System32\wGHefCC.exe
  2⤵
  PID:9128
- C:\Windows\System32\nieFJbA.exe
  C:\Windows\System32\nieFJbA.exe
  2⤵
  PID:9160
- C:\Windows\System32\FaMdgpY.exe
  C:\Windows\System32\FaMdgpY.exe
  2⤵
  PID:9200
- C:\Windows\System32\jhTbAcr.exe
  C:\Windows\System32\jhTbAcr.exe
  2⤵
  PID:7288
- C:\Windows\System32\OMwwJko.exe
  C:\Windows\System32\OMwwJko.exe
  2⤵
  PID:8256
- C:\Windows\System32\OYNwKsj.exe
  C:\Windows\System32\OYNwKsj.exe
  2⤵
  PID:8324
- C:\Windows\System32\elQQNAx.exe
  C:\Windows\System32\elQQNAx.exe
  2⤵
  PID:8392
- C:\Windows\System32\dpKfPgj.exe
  C:\Windows\System32\dpKfPgj.exe
  2⤵
  PID:8540
- C:\Windows\System32\BrUDzRV.exe
  C:\Windows\System32\BrUDzRV.exe
  2⤵
  PID:8468
- C:\Windows\System32\vCbwGmr.exe
  C:\Windows\System32\vCbwGmr.exe
  2⤵
  PID:8480
- C:\Windows\System32\orLzSlv.exe
  C:\Windows\System32\orLzSlv.exe
  2⤵
  PID:8608
- C:\Windows\System32\lkaUHnk.exe
  C:\Windows\System32\lkaUHnk.exe
  2⤵
  PID:8668
- C:\Windows\System32\AKqflEs.exe
  C:\Windows\System32\AKqflEs.exe
  2⤵
  PID:8560
- C:\Windows\System32\ydFwVQN.exe
  C:\Windows\System32\ydFwVQN.exe
  2⤵
  PID:8716
- C:\Windows\System32\uCQGwQI.exe
  C:\Windows\System32\uCQGwQI.exe
  2⤵
  PID:8844
- C:\Windows\System32\JIJToYC.exe
  C:\Windows\System32\JIJToYC.exe
  2⤵
  PID:8728
- C:\Windows\System32\SwdFDRE.exe
  C:\Windows\System32\SwdFDRE.exe
  2⤵
  PID:8884
- C:\Windows\System32\SuMFkNs.exe
  C:\Windows\System32\SuMFkNs.exe
  2⤵
  PID:8956
- C:\Windows\System32\ESlbhHo.exe
  C:\Windows\System32\ESlbhHo.exe
  2⤵
  PID:9028
- C:\Windows\System32\sKEzqeG.exe
  C:\Windows\System32\sKEzqeG.exe
  2⤵
  PID:9100
- C:\Windows\System32\MGcLvAP.exe
  C:\Windows\System32\MGcLvAP.exe
  2⤵
  PID:9144
- C:\Windows\System32\fHRrqSa.exe
  C:\Windows\System32\fHRrqSa.exe
  2⤵
  PID:7612
- C:\Windows\System32\yCqIxdj.exe
  C:\Windows\System32\yCqIxdj.exe
  2⤵
  PID:8284
- C:\Windows\System32\aVYSuhP.exe
  C:\Windows\System32\aVYSuhP.exe
  2⤵
  PID:8484
- C:\Windows\System32\YeHaApt.exe
  C:\Windows\System32\YeHaApt.exe
  2⤵
  PID:8552
- C:\Windows\System32\jasQQkv.exe
  C:\Windows\System32\jasQQkv.exe
  2⤵
  PID:8592
- C:\Windows\System32\QtQqQKN.exe
  C:\Windows\System32\QtQqQKN.exe
  2⤵
  PID:8688
- C:\Windows\System32\MYyjleN.exe
  C:\Windows\System32\MYyjleN.exe
  2⤵
  PID:8908
- C:\Windows\System32\gQokxVo.exe
  C:\Windows\System32\gQokxVo.exe
  2⤵
  PID:9060
- C:\Windows\System32\ihlfUXJ.exe
  C:\Windows\System32\ihlfUXJ.exe
  2⤵
  PID:9172
- C:\Windows\System32\SgGUgSc.exe
  C:\Windows\System32\SgGUgSc.exe
  2⤵
  PID:8304
- C:\Windows\System32\SheQRyl.exe
  C:\Windows\System32\SheQRyl.exe
  2⤵
  PID:8500
- C:\Windows\System32\uqdugHc.exe
  C:\Windows\System32\uqdugHc.exe
  2⤵
  PID:8972
- C:\Windows\System32\evevALC.exe
  C:\Windows\System32\evevALC.exe
  2⤵
  PID:8748
- C:\Windows\System32\QAVuyMc.exe
  C:\Windows\System32\QAVuyMc.exe
  2⤵
  PID:8452
- C:\Windows\System32\rJMnkbh.exe
  C:\Windows\System32\rJMnkbh.exe
  2⤵
  PID:8488
- C:\Windows\System32\bcCYKfi.exe
  C:\Windows\System32\bcCYKfi.exe
  2⤵
  PID:9236
- C:\Windows\System32\QbHwjiG.exe
  C:\Windows\System32\QbHwjiG.exe
  2⤵
  PID:9260
- C:\Windows\System32\YqAmabb.exe
  C:\Windows\System32\YqAmabb.exe
  2⤵
  PID:9280
- C:\Windows\System32\hvfWzId.exe
  C:\Windows\System32\hvfWzId.exe
  2⤵
  PID:9304
- C:\Windows\System32\vbhqsaK.exe
  C:\Windows\System32\vbhqsaK.exe
  2⤵
  PID:9364
- C:\Windows\System32\iSEhkCc.exe
  C:\Windows\System32\iSEhkCc.exe
  2⤵
  PID:9388
- C:\Windows\System32\MUjYXGX.exe
  C:\Windows\System32\MUjYXGX.exe
  2⤵
  PID:9404
- C:\Windows\System32\sGXsJIC.exe
  C:\Windows\System32\sGXsJIC.exe
  2⤵
  PID:9432
- C:\Windows\System32\zqYJpWb.exe
  C:\Windows\System32\zqYJpWb.exe
  2⤵
  PID:9448
- C:\Windows\System32\ZMTwcdd.exe
  C:\Windows\System32\ZMTwcdd.exe
  2⤵
  PID:9476
- C:\Windows\System32\RvEUUge.exe
  C:\Windows\System32\RvEUUge.exe
  2⤵
  PID:9520
- C:\Windows\System32\QVOIktA.exe
  C:\Windows\System32\QVOIktA.exe
  2⤵
  PID:9560
- C:\Windows\System32\SgJWLea.exe
  C:\Windows\System32\SgJWLea.exe
  2⤵
  PID:9588
- C:\Windows\System32\YCEsWux.exe
  C:\Windows\System32\YCEsWux.exe
  2⤵
  PID:9616
- C:\Windows\System32\MAToVFL.exe
  C:\Windows\System32\MAToVFL.exe
  2⤵
  PID:9640
- C:\Windows\System32\paJomBu.exe
  C:\Windows\System32\paJomBu.exe
  2⤵
  PID:9668
- C:\Windows\System32\zIpBSJz.exe
  C:\Windows\System32\zIpBSJz.exe
  2⤵
  PID:9708
- C:\Windows\System32\fAJiRNI.exe
  C:\Windows\System32\fAJiRNI.exe
  2⤵
  PID:9732
- C:\Windows\System32\ilNbIgz.exe
  C:\Windows\System32\ilNbIgz.exe
  2⤵
  PID:9764
- C:\Windows\System32\oAkpkWr.exe
  C:\Windows\System32\oAkpkWr.exe
  2⤵
  PID:9784
- C:\Windows\System32\LoqIbXC.exe
  C:\Windows\System32\LoqIbXC.exe
  2⤵
  PID:9808
- C:\Windows\System32\gYLjTqR.exe
  C:\Windows\System32\gYLjTqR.exe
  2⤵
  PID:9836
- C:\Windows\System32\MCrYIfm.exe
  C:\Windows\System32\MCrYIfm.exe
  2⤵
  PID:9864
- C:\Windows\System32\daYjoKq.exe
  C:\Windows\System32\daYjoKq.exe
  2⤵
  PID:9912
- C:\Windows\System32\VvbMddJ.exe
  C:\Windows\System32\VvbMddJ.exe
  2⤵
  PID:9932
- C:\Windows\System32\YVWYxcY.exe
  C:\Windows\System32\YVWYxcY.exe
  2⤵
  PID:9952
- C:\Windows\System32\XZyuwOt.exe
  C:\Windows\System32\XZyuwOt.exe
  2⤵
  PID:9976
- C:\Windows\System32\qqPLLdw.exe
  C:\Windows\System32\qqPLLdw.exe
  2⤵
  PID:10016
- C:\Windows\System32\vRGbVrN.exe
  C:\Windows\System32\vRGbVrN.exe
  2⤵
  PID:10036
- C:\Windows\System32\YOsFXia.exe
  C:\Windows\System32\YOsFXia.exe
  2⤵
  PID:10060
- C:\Windows\System32\PWJJpRI.exe
  C:\Windows\System32\PWJJpRI.exe
  2⤵
  PID:10100
- C:\Windows\System32\DccEDhR.exe
  C:\Windows\System32\DccEDhR.exe
  2⤵
  PID:10124
- C:\Windows\System32\bBxkbmu.exe
  C:\Windows\System32\bBxkbmu.exe
  2⤵
  PID:10148
- C:\Windows\System32\TfRwFfB.exe
  C:\Windows\System32\TfRwFfB.exe
  2⤵
  PID:10176
- C:\Windows\System32\rHPnRwO.exe
  C:\Windows\System32\rHPnRwO.exe
  2⤵
  PID:10208
- C:\Windows\System32\dumQyIr.exe
  C:\Windows\System32\dumQyIr.exe
  2⤵
  PID:10236
- C:\Windows\System32\TmYLsZC.exe
  C:\Windows\System32\TmYLsZC.exe
  2⤵
  PID:9228
- C:\Windows\System32\pMMrzXx.exe
  C:\Windows\System32\pMMrzXx.exe
  2⤵
  PID:9352
- C:\Windows\System32\lGWxgbv.exe
  C:\Windows\System32\lGWxgbv.exe
  2⤵
  PID:9376
- C:\Windows\System32\VWUXFud.exe
  C:\Windows\System32\VWUXFud.exe
  2⤵
  PID:9416
- C:\Windows\System32\TfDKwiq.exe
  C:\Windows\System32\TfDKwiq.exe
  2⤵
  PID:9484
- C:\Windows\System32\aFvMsTq.exe
  C:\Windows\System32\aFvMsTq.exe
  2⤵
  PID:9568
- C:\Windows\System32\fEGqIMT.exe
  C:\Windows\System32\fEGqIMT.exe
  2⤵
  PID:9632
- C:\Windows\System32\WHFMLSY.exe
  C:\Windows\System32\WHFMLSY.exe
  2⤵
  PID:9680
- C:\Windows\System32\TubMBUu.exe
  C:\Windows\System32\TubMBUu.exe
  2⤵
  PID:9756
- C:\Windows\System32\XdmOaha.exe
  C:\Windows\System32\XdmOaha.exe
  2⤵
  PID:9828
- C:\Windows\System32\CUTKQCM.exe
  C:\Windows\System32\CUTKQCM.exe
  2⤵
  PID:9876
- C:\Windows\System32\WcqZHUb.exe
  C:\Windows\System32\WcqZHUb.exe
  2⤵
  PID:9928
- C:\Windows\System32\vCOFfAf.exe
  C:\Windows\System32\vCOFfAf.exe
  2⤵
  PID:10032
- C:\Windows\System32\BtunvqZ.exe
  C:\Windows\System32\BtunvqZ.exe
  2⤵
  PID:10092
- C:\Windows\System32\lpKmLkW.exe
  C:\Windows\System32\lpKmLkW.exe
  2⤵
  PID:10132
- C:\Windows\System32\YDxKEQZ.exe
  C:\Windows\System32\YDxKEQZ.exe
  2⤵
  PID:10196
- C:\Windows\System32\vXQuMSQ.exe
  C:\Windows\System32\vXQuMSQ.exe
  2⤵
  PID:9300
- C:\Windows\System32\TYdZmnS.exe
  C:\Windows\System32\TYdZmnS.exe
  2⤵
  PID:9456
- C:\Windows\System32\DnoVEpK.exe
  C:\Windows\System32\DnoVEpK.exe
  2⤵
  PID:9748
- C:\Windows\System32\JHkqcNX.exe
  C:\Windows\System32\JHkqcNX.exe
  2⤵
  PID:9800
- C:\Windows\System32\iwRohVt.exe
  C:\Windows\System32\iwRohVt.exe
  2⤵
  PID:9924
- C:\Windows\System32\RldQbAU.exe
  C:\Windows\System32\RldQbAU.exe
  2⤵
  PID:9996
- C:\Windows\System32\tFvpoCC.exe
  C:\Windows\System32\tFvpoCC.exe
  2⤵
  PID:10216
- C:\Windows\System32\gBvnaCI.exe
  C:\Windows\System32\gBvnaCI.exe
  2⤵
  PID:9608
- C:\Windows\System32\guHovCW.exe
  C:\Windows\System32\guHovCW.exe
  2⤵
  PID:9832
- C:\Windows\System32\VWecJOu.exe
  C:\Windows\System32\VWecJOu.exe
  2⤵
  PID:9728
- C:\Windows\System32\FUgrBhn.exe
  C:\Windows\System32\FUgrBhn.exe
  2⤵
  PID:10252
- C:\Windows\System32\iWyDZsZ.exe
  C:\Windows\System32\iWyDZsZ.exe
  2⤵
  PID:10280
- C:\Windows\System32\huuOikt.exe
  C:\Windows\System32\huuOikt.exe
  2⤵
  PID:10296
- C:\Windows\System32\OBDHFws.exe
  C:\Windows\System32\OBDHFws.exe
  2⤵
  PID:10328
- C:\Windows\System32\jcEeCUK.exe
  C:\Windows\System32\jcEeCUK.exe
  2⤵
  PID:10344
- C:\Windows\System32\MfUnmIT.exe
  C:\Windows\System32\MfUnmIT.exe
  2⤵
  PID:10384
- C:\Windows\System32\qFdJAuN.exe
  C:\Windows\System32\qFdJAuN.exe
  2⤵
  PID:10424
- C:\Windows\System32\FFvLyZy.exe
  C:\Windows\System32\FFvLyZy.exe
  2⤵
  PID:10448
- C:\Windows\System32\faieDMk.exe
  C:\Windows\System32\faieDMk.exe
  2⤵
  PID:10480
- C:\Windows\System32\kMrgkkz.exe
  C:\Windows\System32\kMrgkkz.exe
  2⤵
  PID:10496
- C:\Windows\System32\cHzskNS.exe
  C:\Windows\System32\cHzskNS.exe
  2⤵
  PID:10524
- C:\Windows\System32\ldzZnyJ.exe
  C:\Windows\System32\ldzZnyJ.exe
  2⤵
  PID:10564
- C:\Windows\System32\qXabGaG.exe
  C:\Windows\System32\qXabGaG.exe
  2⤵
  PID:10592
- C:\Windows\System32\NGyzmZO.exe
  C:\Windows\System32\NGyzmZO.exe
  2⤵
  PID:10616
- C:\Windows\System32\vrdOtvf.exe
  C:\Windows\System32\vrdOtvf.exe
  2⤵
  PID:10644
- C:\Windows\System32\TYAhdLF.exe
  C:\Windows\System32\TYAhdLF.exe
  2⤵
  PID:10664
- C:\Windows\System32\ZSPtxZH.exe
  C:\Windows\System32\ZSPtxZH.exe
  2⤵
  PID:10680
- C:\Windows\System32\FCrxBHc.exe
  C:\Windows\System32\FCrxBHc.exe
  2⤵
  PID:10700
- C:\Windows\System32\WymJIsj.exe
  C:\Windows\System32\WymJIsj.exe
  2⤵
  PID:10736
- C:\Windows\System32\vYKJNAR.exe
  C:\Windows\System32\vYKJNAR.exe
  2⤵
  PID:10756
- C:\Windows\System32\TnahLIh.exe
  C:\Windows\System32\TnahLIh.exe
  2⤵
  PID:10772
- C:\Windows\System32\VubiZpn.exe
  C:\Windows\System32\VubiZpn.exe
  2⤵
  PID:10824
- C:\Windows\System32\wkLQSAa.exe
  C:\Windows\System32\wkLQSAa.exe
  2⤵
  PID:10848
- C:\Windows\System32\MogqPzY.exe
  C:\Windows\System32\MogqPzY.exe
  2⤵
  PID:10900
- C:\Windows\System32\lbovfpB.exe
  C:\Windows\System32\lbovfpB.exe
  2⤵
  PID:10916
- C:\Windows\System32\ZpAHgOc.exe
  C:\Windows\System32\ZpAHgOc.exe
  2⤵
  PID:10948
- C:\Windows\System32\TWardtx.exe
  C:\Windows\System32\TWardtx.exe
  2⤵
  PID:10972
- C:\Windows\System32\jlYyZmX.exe
  C:\Windows\System32\jlYyZmX.exe
  2⤵
  PID:11008
- C:\Windows\System32\MXzNdgo.exe
  C:\Windows\System32\MXzNdgo.exe
  2⤵
  PID:11028
- C:\Windows\System32\ZXzEOYM.exe
  C:\Windows\System32\ZXzEOYM.exe
  2⤵
  PID:11064
- C:\Windows\System32\BWDTxjC.exe
  C:\Windows\System32\BWDTxjC.exe
  2⤵
  PID:11092
- C:\Windows\System32\FJOqAKw.exe
  C:\Windows\System32\FJOqAKw.exe
  2⤵
  PID:11124
- C:\Windows\System32\jHLHQPa.exe
  C:\Windows\System32\jHLHQPa.exe
  2⤵
  PID:11140
- C:\Windows\System32\TUKYHBH.exe
  C:\Windows\System32\TUKYHBH.exe
  2⤵
  PID:11168
- C:\Windows\System32\CodkoiR.exe
  C:\Windows\System32\CodkoiR.exe
  2⤵
  PID:11220
- C:\Windows\System32\zEGeCFJ.exe
  C:\Windows\System32\zEGeCFJ.exe
  2⤵
  PID:11252
- C:\Windows\System32\VURiwxc.exe
  C:\Windows\System32\VURiwxc.exe
  2⤵
  PID:10120
- C:\Windows\System32\iClmpMn.exe
  C:\Windows\System32\iClmpMn.exe
  2⤵
  PID:10320
- C:\Windows\System32\Azsxnwy.exe
  C:\Windows\System32\Azsxnwy.exe
  2⤵
  PID:10380
- C:\Windows\System32\xpDPKUL.exe
  C:\Windows\System32\xpDPKUL.exe
  2⤵
  PID:10420
- C:\Windows\System32\CvKuwsJ.exe
  C:\Windows\System32\CvKuwsJ.exe
  2⤵
  PID:10464
- C:\Windows\System32\owPkJQi.exe
  C:\Windows\System32\owPkJQi.exe
  2⤵
  PID:10508
- C:\Windows\System32\GrAgOGM.exe
  C:\Windows\System32\GrAgOGM.exe
  2⤵
  PID:10584
- C:\Windows\System32\uzNGpVi.exe
  C:\Windows\System32\uzNGpVi.exe
  2⤵
  PID:10672
- C:\Windows\System32\RefjkUD.exe
  C:\Windows\System32\RefjkUD.exe
  2⤵
  PID:10720
- C:\Windows\System32\EmUZnUr.exe
  C:\Windows\System32\EmUZnUr.exe
  2⤵
  PID:10784
- C:\Windows\System32\NyhZEym.exe
  C:\Windows\System32\NyhZEym.exe
  2⤵
  PID:10840
- C:\Windows\System32\pvvrhzZ.exe
  C:\Windows\System32\pvvrhzZ.exe
  2⤵
  PID:10940
- C:\Windows\System32\nGIkIFv.exe
  C:\Windows\System32\nGIkIFv.exe
  2⤵
  PID:11016
- C:\Windows\System32\oGltNle.exe
  C:\Windows\System32\oGltNle.exe
  2⤵
  PID:11080
- C:\Windows\System32\vlmbemH.exe
  C:\Windows\System32\vlmbemH.exe
  2⤵
  PID:11156
- C:\Windows\System32\bTkNqFr.exe
  C:\Windows\System32\bTkNqFr.exe
  2⤵
  PID:11228
- C:\Windows\System32\NHtNece.exe
  C:\Windows\System32\NHtNece.exe
  2⤵
  PID:10220
- C:\Windows\System32\cQGDxMb.exe
  C:\Windows\System32\cQGDxMb.exe
  2⤵
  PID:10336
- C:\Windows\System32\ueKVtul.exe
  C:\Windows\System32\ueKVtul.exe
  2⤵
  PID:10400
- C:\Windows\System32\stcvXzl.exe
  C:\Windows\System32\stcvXzl.exe
  2⤵
  PID:10576
- C:\Windows\System32\uCdKGnW.exe
  C:\Windows\System32\uCdKGnW.exe
  2⤵
  PID:10752
- C:\Windows\System32\ZjrChak.exe
  C:\Windows\System32\ZjrChak.exe
  2⤵
  PID:10956
- C:\Windows\System32\CLZvMmL.exe
  C:\Windows\System32\CLZvMmL.exe
  2⤵
  PID:11052
- C:\Windows\System32\gShvTAK.exe
  C:\Windows\System32\gShvTAK.exe
  2⤵
  PID:10308
- C:\Windows\System32\DUeWwrl.exe
  C:\Windows\System32\DUeWwrl.exe
  2⤵
  PID:10660
- C:\Windows\System32\XfKqgvA.exe
  C:\Windows\System32\XfKqgvA.exe
  2⤵
  PID:10832
- C:\Windows\System32\evNYPvG.exe
  C:\Windows\System32\evNYPvG.exe
  2⤵
  PID:10560
- C:\Windows\System32\NlMoHby.exe
  C:\Windows\System32\NlMoHby.exe
  2⤵
  PID:11212
- C:\Windows\System32\uqouQwV.exe
  C:\Windows\System32\uqouQwV.exe
  2⤵
  PID:11292
- C:\Windows\System32\UdYCcoY.exe
  C:\Windows\System32\UdYCcoY.exe
  2⤵
  PID:11336
- C:\Windows\System32\tnxMJqg.exe
  C:\Windows\System32\tnxMJqg.exe
  2⤵
  PID:11360
- C:\Windows\System32\wkdElKO.exe
  C:\Windows\System32\wkdElKO.exe
  2⤵
  PID:11388
- C:\Windows\System32\MJCNRVT.exe
  C:\Windows\System32\MJCNRVT.exe
  2⤵
  PID:11404
- C:\Windows\System32\IPgswtW.exe
  C:\Windows\System32\IPgswtW.exe
  2⤵
  PID:11432
- C:\Windows\System32\RIWfJYu.exe
  C:\Windows\System32\RIWfJYu.exe
  2⤵
  PID:11448
- C:\Windows\System32\RUmkDZA.exe
  C:\Windows\System32\RUmkDZA.exe
  2⤵
  PID:11468
- C:\Windows\System32\KxOZCcn.exe
  C:\Windows\System32\KxOZCcn.exe
  2⤵
  PID:11500
- C:\Windows\System32\TzYOgsX.exe
  C:\Windows\System32\TzYOgsX.exe
  2⤵
  PID:11544
- C:\Windows\System32\mTBmbey.exe
  C:\Windows\System32\mTBmbey.exe
  2⤵
  PID:11580
- C:\Windows\System32\UPcsZOM.exe
  C:\Windows\System32\UPcsZOM.exe
  2⤵
  PID:11600
- C:\Windows\System32\RCiiwNu.exe
  C:\Windows\System32\RCiiwNu.exe
  2⤵
  PID:11624
- C:\Windows\System32\IeHijSt.exe
  C:\Windows\System32\IeHijSt.exe
  2⤵
  PID:11648
- C:\Windows\System32\kDGAluu.exe
  C:\Windows\System32\kDGAluu.exe
  2⤵
  PID:11688
- C:\Windows\System32\cRbrrBG.exe
  C:\Windows\System32\cRbrrBG.exe
  2⤵
  PID:11720
- C:\Windows\System32\bFrPmtl.exe
  C:\Windows\System32\bFrPmtl.exe
  2⤵
  PID:11740
- C:\Windows\System32\lzSsGQA.exe
  C:\Windows\System32\lzSsGQA.exe
  2⤵
  PID:11768
- C:\Windows\System32\PqWiZxD.exe
  C:\Windows\System32\PqWiZxD.exe
  2⤵
  PID:11788
- C:\Windows\System32\vyBnHjw.exe
  C:\Windows\System32\vyBnHjw.exe
  2⤵
  PID:11840
- C:\Windows\System32\HZvQlBz.exe
  C:\Windows\System32\HZvQlBz.exe
  2⤵
  PID:11856
- C:\Windows\System32\wWJifOw.exe
  C:\Windows\System32\wWJifOw.exe
  2⤵
  PID:11896
- C:\Windows\System32\ZNxWlnR.exe
  C:\Windows\System32\ZNxWlnR.exe
  2⤵
  PID:11924
- C:\Windows\System32\OmbOfJU.exe
  C:\Windows\System32\OmbOfJU.exe
  2⤵
  PID:11948
- C:\Windows\System32\SoZjgWG.exe
  C:\Windows\System32\SoZjgWG.exe
  2⤵
  PID:11968
- C:\Windows\System32\ROFACOJ.exe
  C:\Windows\System32\ROFACOJ.exe
  2⤵
  PID:12004
- C:\Windows\System32\NtnzQDh.exe
  C:\Windows\System32\NtnzQDh.exe
  2⤵
  PID:12028
- C:\Windows\System32\xzafOMN.exe
  C:\Windows\System32\xzafOMN.exe
  2⤵
  PID:12068
- C:\Windows\System32\aweYXnz.exe
  C:\Windows\System32\aweYXnz.exe
  2⤵
  PID:12084
- C:\Windows\System32\BLxlxro.exe
  C:\Windows\System32\BLxlxro.exe
  2⤵
  PID:12124
- C:\Windows\System32\LAbUqCa.exe
  C:\Windows\System32\LAbUqCa.exe
  2⤵
  PID:12148
- C:\Windows\System32\lHqGhDD.exe
  C:\Windows\System32\lHqGhDD.exe
  2⤵
  PID:12180
- C:\Windows\System32\gZJbRFL.exe
  C:\Windows\System32\gZJbRFL.exe
  2⤵
  PID:12204
- C:\Windows\System32\vaMlsZv.exe
  C:\Windows\System32\vaMlsZv.exe
  2⤵
  PID:12224
- C:\Windows\System32\GeLodGZ.exe
  C:\Windows\System32\GeLodGZ.exe
  2⤵
  PID:12248
- C:\Windows\System32\mlDCUjH.exe
  C:\Windows\System32\mlDCUjH.exe
  2⤵
  PID:12272
- C:\Windows\System32\kxRePUf.exe
  C:\Windows\System32\kxRePUf.exe
  2⤵
  PID:11268
- C:\Windows\System32\RZyjLqE.exe
  C:\Windows\System32\RZyjLqE.exe
  2⤵
  PID:11332
- C:\Windows\System32\YMpGjWA.exe
  C:\Windows\System32\YMpGjWA.exe
  2⤵
  PID:11352
- C:\Windows\System32\GWQPijO.exe
  C:\Windows\System32\GWQPijO.exe
  2⤵
  PID:11476
- C:\Windows\System32\bdmFhQW.exe
  C:\Windows\System32\bdmFhQW.exe
  2⤵
  PID:11488
- C:\Windows\System32\PUKHaJp.exe
  C:\Windows\System32\PUKHaJp.exe
  2⤵
  PID:11636
- C:\Windows\System32\AzPOFPy.exe
  C:\Windows\System32\AzPOFPy.exe
  2⤵
  PID:11736
- C:\Windows\System32\VZwWPrw.exe
  C:\Windows\System32\VZwWPrw.exe
  2⤵
  PID:11784
- C:\Windows\System32\oSzUXiz.exe
  C:\Windows\System32\oSzUXiz.exe
  2⤵
  PID:11852
- C:\Windows\System32\vQBmOUS.exe
  C:\Windows\System32\vQBmOUS.exe
  2⤵
  PID:11876
- C:\Windows\System32\yHEEBvo.exe
  C:\Windows\System32\yHEEBvo.exe
  2⤵
  PID:11940
- C:\Windows\System32\ZofFvpE.exe
  C:\Windows\System32\ZofFvpE.exe
  2⤵
  PID:12012
- C:\Windows\System32\NqvceGo.exe
  C:\Windows\System32\NqvceGo.exe
  2⤵
  PID:12092
- C:\Windows\System32\SOcHxmL.exe
  C:\Windows\System32\SOcHxmL.exe
  2⤵
  PID:12140
- C:\Windows\System32\EzNhNJs.exe
  C:\Windows\System32\EzNhNJs.exe
  2⤵
  PID:12196
- C:\Windows\System32\NrTCzPD.exe
  C:\Windows\System32\NrTCzPD.exe
  2⤵
  PID:12236
- C:\Windows\System32\TYzDgWP.exe
  C:\Windows\System32\TYzDgWP.exe
  2⤵
  PID:10988
- C:\Windows\System32\ZYYXCqy.exe
  C:\Windows\System32\ZYYXCqy.exe
  2⤵
  PID:11444
- C:\Windows\System32\JZYmAlB.exe
  C:\Windows\System32\JZYmAlB.exe
  2⤵
  PID:11532
- C:\Windows\System32\HRjshfJ.exe
  C:\Windows\System32\HRjshfJ.exe
  2⤵
  PID:11920
- C:\Windows\System32\dWelRcl.exe
  C:\Windows\System32\dWelRcl.exe
  2⤵
  PID:12136
- C:\Windows\System32\JoWdvfI.exe
  C:\Windows\System32\JoWdvfI.exe
  2⤵
  PID:12244
- C:\Windows\System32\AZcessi.exe
  C:\Windows\System32\AZcessi.exe
  2⤵
  PID:11536
- C:\Windows\System32\eceRBnr.exe
  C:\Windows\System32\eceRBnr.exe
  2⤵
  PID:12192
- C:\Windows\System32\umlGzRt.exe
  C:\Windows\System32\umlGzRt.exe
  2⤵
  PID:11276
- C:\Windows\System32\cNMdQZE.exe
  C:\Windows\System32\cNMdQZE.exe
  2⤵
  PID:12292
- C:\Windows\System32\wBICqwx.exe
  C:\Windows\System32\wBICqwx.exe
  2⤵
  PID:12336
- C:\Windows\System32\sDyRIoU.exe
  C:\Windows\System32\sDyRIoU.exe
  2⤵
  PID:12376
- C:\Windows\System32\qFRjGAZ.exe
  C:\Windows\System32\qFRjGAZ.exe
  2⤵
  PID:12392
- C:\Windows\System32\NFOSwTx.exe
  C:\Windows\System32\NFOSwTx.exe
  2⤵
  PID:12428
- C:\Windows\System32\mSnvkeQ.exe
  C:\Windows\System32\mSnvkeQ.exe
  2⤵
  PID:12464
- C:\Windows\System32\BAeLKPa.exe
  C:\Windows\System32\BAeLKPa.exe
  2⤵
  PID:12500
- C:\Windows\System32\ypAQAgo.exe
  C:\Windows\System32\ypAQAgo.exe
  2⤵
  PID:12520
- C:\Windows\System32\axGmWnV.exe
  C:\Windows\System32\axGmWnV.exe
  2⤵
  PID:12536
- C:\Windows\System32\jIHCImG.exe
  C:\Windows\System32\jIHCImG.exe
  2⤵
  PID:12560
- C:\Windows\System32\cqHelSr.exe
  C:\Windows\System32\cqHelSr.exe
  2⤵
  PID:12588
- C:\Windows\System32\kpCnuIu.exe
  C:\Windows\System32\kpCnuIu.exe
  2⤵
  PID:12644
- C:\Windows\System32\irlKurd.exe
  C:\Windows\System32\irlKurd.exe
  2⤵
  PID:12660
- C:\Windows\System32\eyxJZzz.exe
  C:\Windows\System32\eyxJZzz.exe
  2⤵
  PID:12676
- C:\Windows\System32\fuxxYpp.exe
  C:\Windows\System32\fuxxYpp.exe
  2⤵
  PID:12712
- C:\Windows\System32\GMdBBay.exe
  C:\Windows\System32\GMdBBay.exe
  2⤵
  PID:12732
- C:\Windows\System32\RKwmDRl.exe
  C:\Windows\System32\RKwmDRl.exe
  2⤵
  PID:12772
- C:\Windows\System32\RRPMvZE.exe
  C:\Windows\System32\RRPMvZE.exe
  2⤵
  PID:12796
- C:\Windows\System32\bCQQJov.exe
  C:\Windows\System32\bCQQJov.exe
  2⤵
  PID:12816
- C:\Windows\System32\AJgIxom.exe
  C:\Windows\System32\AJgIxom.exe
  2⤵
  PID:12844
- C:\Windows\System32\QKGFRzf.exe
  C:\Windows\System32\QKGFRzf.exe
  2⤵
  PID:12872
- C:\Windows\System32\KuMWuap.exe
  C:\Windows\System32\KuMWuap.exe
  2⤵
  PID:12892
- C:\Windows\System32\OUgbngp.exe
  C:\Windows\System32\OUgbngp.exe
  2⤵
  PID:12940
- C:\Windows\System32\Qmuuqbe.exe
  C:\Windows\System32\Qmuuqbe.exe
  2⤵
  PID:12964
- C:\Windows\System32\MOJigDG.exe
  C:\Windows\System32\MOJigDG.exe
  2⤵
  PID:12984
- C:\Windows\System32\hDXSLum.exe
  C:\Windows\System32\hDXSLum.exe
  2⤵
  PID:13024
- C:\Windows\System32\qYMimBY.exe
  C:\Windows\System32\qYMimBY.exe
  2⤵
  PID:13052
- C:\Windows\System32\qvCxeHS.exe
  C:\Windows\System32\qvCxeHS.exe
  2⤵
  PID:13068
- C:\Windows\System32\NfSAdoQ.exe
  C:\Windows\System32\NfSAdoQ.exe
  2⤵
  PID:13096
- C:\Windows\System32\anzurSu.exe
  C:\Windows\System32\anzurSu.exe
  2⤵
  PID:13112
- C:\Windows\System32\HJCZMdJ.exe
  C:\Windows\System32\HJCZMdJ.exe
  2⤵
  PID:13132
- C:\Windows\System32\iIneYwz.exe
  C:\Windows\System32\iIneYwz.exe
  2⤵
  PID:13196
- C:\Windows\System32\PqmnkMV.exe
  C:\Windows\System32\PqmnkMV.exe
  2⤵
  PID:13228
- C:\Windows\System32\NSxDdBB.exe
  C:\Windows\System32\NSxDdBB.exe
  2⤵
  PID:13256
- C:\Windows\System32\GsEHuWv.exe
  C:\Windows\System32\GsEHuWv.exe
  2⤵
  PID:13280
- C:\Windows\System32\EBUGPZX.exe
  C:\Windows\System32\EBUGPZX.exe
  2⤵
  PID:11824
- C:\Windows\System32\OgjJYDW.exe
  C:\Windows\System32\OgjJYDW.exe
  2⤵
  PID:3552
- C:\Windows\System32\cQUQGYV.exe
  C:\Windows\System32\cQUQGYV.exe
  2⤵
  PID:12448
- C:\Windows\System32\pMOcoHx.exe
  C:\Windows\System32\pMOcoHx.exe
  2⤵
  PID:12480
- C:\Windows\System32\eYDhWXq.exe
  C:\Windows\System32\eYDhWXq.exe
  2⤵
  PID:12532
- C:\Windows\System32\ezRhJZd.exe
  C:\Windows\System32\ezRhJZd.exe
  2⤵
  PID:12572
- C:\Windows\System32\dnzYhgB.exe
  C:\Windows\System32\dnzYhgB.exe
  2⤵
  PID:12600
- C:\Windows\System32\dJwyQOF.exe
  C:\Windows\System32\dJwyQOF.exe
  2⤵
  PID:12656
- C:\Windows\System32\vUDuozm.exe
  C:\Windows\System32\vUDuozm.exe
  2⤵
  PID:12752
- C:\Windows\System32\exKJhFH.exe
  C:\Windows\System32\exKJhFH.exe
  2⤵
  PID:12832

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DkwffEH.exe

Filesize
1.8MB

MD5
2100a5405765c18c351a3df640892902

SHA1
ac3eba51a319e6147b0801508ed34f2ec2f6f290

SHA256
faeb8c019e7d47ef4ede5abbfe144af790df42886c03b158bd18298f5c340e0c

SHA512
1f83150ffbe778ba7f924b4e8b78a9a2fa33e94f73831ce5eff08c87e66970c6e0e5b744cccbe7494972dd54f91276e3b345705c0f15c6cdf5050684d00fc759

Download Submit
C:\Windows\System32\Gyvkloy.exe

Filesize
1.8MB

MD5
eb95cd95653ade07df9be195769b949a

SHA1
dfa1ae210095686192003b3f5f7c02d41431c670

SHA256
79597b6d06f9d0fa472ce700ad1a7c299516f547b1c6a629b4e0bd588ee490b6

SHA512
49198bb287d186851897a0299ff0162937bfb125477914dadbff6efdfe672b54d79df2e951bacea321ec1bfcc0ce015779b286612888190209040d1e4f355508

Download Submit
C:\Windows\System32\KsqOsYL.exe

Filesize
1.8MB

MD5
b7003835605cd69e1d6c4ce38a67e049

SHA1
ac240101e0891bc1405e3e362a2f1eee7e79131a

SHA256
4436eb2d59f6b91844a1c9eb07bb5930b95cd07f93643ba6922bc2e29758458b

SHA512
c6cd5fa233e6a39110efbc59be562460bbca4f624fad60ff8e1b9323db37b927db8bf29a5fa11a6489e9ddd98a0e7b1e1fc104058ad0fae5b8b80adad054de44

Download Submit
C:\Windows\System32\LIvIYZE.exe

Filesize
1.8MB

MD5
b4a5ab71cdc326d8b451005cfb88befd

SHA1
917cd86b8b1019cf642c8ee18eb36c688fb2747b

SHA256
ddaa802e31874f9ae792b3a88948b6f816df408cb9a785b7553affdf657ed91e

SHA512
48455598cfe272a59f0ef92746cf97cff36df1405f67c964ef537c1cc6eb03b21a066fdace36fa464604639c9ec46238e1706d3094ec31c559bc0b938ffceab4

Download Submit
C:\Windows\System32\LYhlPkU.exe

Filesize
1.8MB

MD5
5686eddd1a5412496386f29ca7636a97

SHA1
2db36c6c04e7845c08e457e618f2dcd234bcd6f5

SHA256
c496f942c189fed0172726f8ad025f3cb8167dcc836d8602ece68b282fc93817

SHA512
c5e39836dd920760b3fcc76452e1ce6ed00d1f9fd848de99656c994d3c4174a48c06b2b9ae26e6f20515905e3305f26cb139c9accc21c7579d6ed4090937abf3

Download Submit
C:\Windows\System32\MACFIFj.exe

Filesize
1.8MB

MD5
3ec9d599019ccb2400401aa5e5797183

SHA1
48641f0cbc79ab04dc19e541d88b1333a4d4c01e

SHA256
ba982f5d3501938b22532bb932a6f8898cca395b04d3320b4a0329e9d2110ef4

SHA512
9643e5602f29aa91f56915ebedb41a711ad01fa9a322bfaba63060c3a6f98e1ae451a4004bd144ef2a01fdfe0d85994b90450224916ce5476428f5ce2128fe4a

Download Submit
C:\Windows\System32\MSyqKmU.exe

Filesize
1.8MB

MD5
b23bf918677cde5e6b109e57c0753949

SHA1
577ffac54a4616f7d6780907341be5e34d47abc5

SHA256
37dae2fa83d9a01555f2cac696dda25fe3b1f57235de71cccd17b7ca30dbe3f0

SHA512
5c3d5893b0ad7c22078d160fcbe29436ce7947aa61fa0f57a4da0b8294596aa7ac93e2dd668488a0b2162dca0c3cb95d9f833e95a1c242ca4b4fc1d20d1fc860

Download Submit
C:\Windows\System32\NNKGOHt.exe

Filesize
1.8MB

MD5
48a37e8c04664066824177b543e8c6da

SHA1
03acbfb4d9c5bb1dce51dcf95892d4958d3726ae

SHA256
9b5046162579ac8b1414ead295c5df7dba193813f9309ad2fc4db4d9ea59dea9

SHA512
035db713e5feb4d91b12a7573b7f21fc1bbaaed6938f3c4ab75afef59ec7a02bda348b06ab892bd26fedfe08a8ffe8c677c3f17daecb15a8e33f677d343f21fe

Download Submit
C:\Windows\System32\OEMlJcW.exe

Filesize
1.8MB

MD5
0579024124e36809eea45467a6c34d3c

SHA1
c36bc645b6b5b3fe30b59e6cc6e8e909d896b49a

SHA256
e0744291b86e18610488d4c21dfd430d999148ed24da326a5fc2225079886cf5

SHA512
c3bba6c50ffb50906b2f530241f90d55b67d28937f1abc5a0743dd57d2fdeed80f7bce33cd2ebd7d4b543eb9f21c3036c20f926e512970177e7f84f6c829d037

Download Submit
C:\Windows\System32\OYytCXH.exe

Filesize
1.8MB

MD5
da11010e93d2ce2d5582260b34acff5c

SHA1
bc40b312aa884ccabc539c261fd79fcb0fdee2de

SHA256
908bd81c5294aa2fc13cf25a914d916a60c14f11469be64504a7661c0acccfa1

SHA512
75a4406474bdafdbdc8b7aad0a5614f1ec43b6e2b42c7b811c84fbbe27cbf94c4531a15f488244c13373584df74aa730634ad60a204d25fa55b5505f13885d76

Download Submit
C:\Windows\System32\SnXdGlH.exe

Filesize
1.8MB

MD5
17420658c283222552b47a470530dc2b

SHA1
469c19d43cee43cdce2d09d477c38ec366260657

SHA256
d4598c70ed634030b18214a24340b9dbe29986f63cfc81004325d6401737e74b

SHA512
4aebb26e1ee84bdc2cfcd617cda96ea3aae1ecc1d3d752fe3a6d5aed385f0993b7c3eb46b7cdabeacd094de9dffa7615965359a94047312589b7fa73de6d8800

Download Submit
C:\Windows\System32\TCrssJA.exe

Filesize
1.8MB

MD5
bb0ad23c745ad4a154f5955226638526

SHA1
d19777d10167271725e6421ffdefbcf46bd8c435

SHA256
35ebd6bd313cb1505fef88931831948f5b4e149077d7150d83572ebd38ac6c48

SHA512
d9d0e9478f44825245259507a67e637106811a22f34e68b1968b91a997684d0b46e75f2d2ae45f67a8c4224990254471e6ccc4d0e26440534b300485aaf7861f

Download Submit
C:\Windows\System32\UKQeoiC.exe

Filesize
1.8MB

MD5
943b510c061bc6c4094a75b24f048d43

SHA1
2ed9d95cce7c29eb609f12d3b380144dfb0ef73f

SHA256
342dc63102f641d14a99d993cff754cfa23424746612f72bbe7306e26b9456dc

SHA512
854547b8e773b3db3ff6e59fc82567b4623c859c714ee9fb8bbc0c471d83e8b4c8824f1b156bcbede1215dab8c68030fb3eaa9ce98f906b219034d65cef08bd7

Download Submit
C:\Windows\System32\UtNwYhR.exe

Filesize
1.8MB

MD5
e4cd7607d5f06116e34e500e3141ca97

SHA1
2fcebc04c2fc5c24790f884f65202921b0a5df8d

SHA256
720af676d2a919d051282079875c555aa3b29455d8fed5b739ff094813156c82

SHA512
5919e0b02096f50fce7d0c507862a554ea0c32692decc3df1eeebd177e136004fefd7a10cd45e78923d8818f9417b3e36eb225cdc383dafec1401c6cca967e57

Download Submit
C:\Windows\System32\VDNevJJ.exe

Filesize
1.8MB

MD5
eead3b2da675c0733da5cb29cd4d9b18

SHA1
de85db36dae358efcf94de84c8c2b03f3828144a

SHA256
7681b75e1c04810f22699da970bc46f39d9a30a40ce241a87f628ce8b235e96a

SHA512
e3ae08533f3ac9d01de7a47ffd5d6f08f5993c095f891e0cff9bcff0274704dc6e798e566db37cbb0e510dac1190fd902990974fd43f869e4c1d3f6964945610

Download Submit
C:\Windows\System32\YVCnHhv.exe

Filesize
1.8MB

MD5
ac3e4637450fd74b9942c80ab018712c

SHA1
f0613f9d9a718211d5c1d374dcd0b52c32ad095c

SHA256
dabe2c960079452e2f9e969e08bb75724a959f0934c843e7ba79c653db756e3c

SHA512
959f35992b91a290a3978079a8b6052398fb479e168bda83eb64e2eb72670be88b8ee7cc7b9f6895ce552bd23964897d718a3decdc7d3a5eefce01c2f381ed78

Download Submit
C:\Windows\System32\ZNwFWYF.exe

Filesize
1.8MB

MD5
0034573c48ab2663cbd50edce1529c93

SHA1
10c8b2b580c0b404e4a9676533f23b5a8ddf57fd

SHA256
28208a248f48706a0f6052efbc90d4c8ea133cb768b0f474b80534c51dbd98df

SHA512
a8af6b3e2acfe12da09b7b4fca847b3709b34e6758b6a22659121a96978740d6c2976b45c807cdcc5efc902fb9402d01f00e983afafc9cbc3e61638af44e3863

Download Submit
C:\Windows\System32\aDXfbfi.exe

Filesize
1.8MB

MD5
976c9183eec487013ad3777e5439631e

SHA1
3b55175163b8fcd05d04e7f187893fccb8760cd3

SHA256
88153292ac71a255957820fabf247a9006ae02a0d9f4bd34df589300065c124c

SHA512
79378e62fb9df7d070e380c15fd12178eef2208a414c9f85fe876f13b2f51c154df48d2890c862970b32ca25799ca2b70f68eef517d8c4d3f08c4a96bbc22972

Download Submit
C:\Windows\System32\aNRqDoh.exe

Filesize
1.8MB

MD5
cf3cbc1edecbdfb9a6f9a1afcf64316a

SHA1
896885fbbf35b6d141a2c0a4889104485a67c99c

SHA256
f588430ccffb838792b9080c1173eedbc74bb7ae55f4d47ee823787a305f95ef

SHA512
327d85696d7b1dbeb7cb0f9eb0f227f1e4f9563f1352c04ee36de1da93c0a4d0b82d42b615355ecedd18ca8778dfa5967628ea8f8989b2e73f51629767aed5b3

Download Submit
C:\Windows\System32\cDhDVgn.exe

Filesize
1.8MB

MD5
39d5eb1afa2908d3adafc9dc6db4955a

SHA1
fe18f7cc418f96f9b9f6793204e54bbc9328f7f3

SHA256
aca4deaa3e60102b6f8282876331d181c10a831832b0bc96a96f8cd8a27909d2

SHA512
b292ac60955eb1eddfe0ac574714ae4ca851bd7fc9c798e80ebc62f46ecb2fcd716340f11087e37c7538a67ea07a89342d51a4618688d5b666335dae36a85aa6

Download Submit
C:\Windows\System32\cWHXtZD.exe

Filesize
1.8MB

MD5
bc7cb861d44a4d5ab8c40eb9b3dca0ff

SHA1
8b93fafa9b048a75d8b7dfda2a92acadc0399d3f

SHA256
3c9307c1e34efc25ac328eb6b2f0049eeae99fa6cb4a4aee2189fb40f6d85be8

SHA512
00982b181f134b8b705c4c7b250d00dcd2b02427f4cf482440b72059586e219a75c73cbfed682f22f7ce6fb2493b67a57b952cbfe7e2e4f84d8f7848ea518ba0

Download Submit
C:\Windows\System32\dOXvDLl.exe

Filesize
1.8MB

MD5
8314bd6a15ccf18e91912eba11dd9dd8

SHA1
3aded0faaf1d4bfa2148bc62e232d93d7f0f0db0

SHA256
476cfaba97cccd95a559642ec24c6a0217ca4ca3111a773dc5c1e6cf2f53ce41

SHA512
1a6368a93ec74bffef2836373ab08171fa099f221b5b7b2276596d5f5ea8e1978d485606425f01b5dfbc74600d593d02b9ea767458949218c74b812fcc4007df

Download Submit
C:\Windows\System32\eqUSNrb.exe

Filesize
1.8MB

MD5
4ec3a11801201f0c5a0dacbb161d9674

SHA1
5af11658f69163a3d231221f53c4ce02045b0fd5

SHA256
399d6154121519ab5e8981f49a92ee2f99a0cfe35fd80c1455a3a8f38cd9630d

SHA512
cdf28a780b5b5f48dae219715f8aff718545f4bcd966edaa917b637aef07419bf117da4089daa12f2d27018d2c9bc63afc664b4c4666883baf7f58da8ade3fe8

Download Submit
C:\Windows\System32\ijoKDvC.exe

Filesize
1.8MB

MD5
93eeff0ef7cc011504428e1d79b1d78f

SHA1
8ecffd13b5b3584d2811f52ba99ead8a41e9638f

SHA256
cb46468a68cd90a5808a9b4c5bd1ddaccc0f1ba56aa2c7b528d78db3e9521b69

SHA512
0ff195a4666b06aca59dbba3a65713ef7e858c50962de68c7c43b65a9b72844a97f88af68c7ef8f4969342ae73b9ec4aebe52eab9a89af03be3a5dc74aa36ad2

Download Submit
C:\Windows\System32\jUXmEiq.exe

Filesize
1.8MB

MD5
c00b37bab241e94ac7a148117ccb3486

SHA1
e31702ca41bfe1679bb670a08fe59303cc7ff748

SHA256
da70fde09e466eaac846b896ddd595baac8f465970d54f6bf61507e79dda8303

SHA512
d929c6793f8329aa2c37498481968ed76af139fa025bd1527546237396bc89f5b917880ca536cead37c78e58218c974662a8874eab0579267ebf9c71941b2bb6

Download Submit
C:\Windows\System32\kMMdzXq.exe

Filesize
1.8MB

MD5
e580fc91ab0e04c086aab4cf29182c2e

SHA1
ce4888a2bd9f422cf6db849872b0916ee7819d36

SHA256
9a5b102fcba574eb75d5467ca80437a816a0c806b63f025bc0004a05040efcbb

SHA512
a6f6917478f004ed098c5c4229dba476e4e1b3bed4c22a7edbf663a8b87a1013d3a962f41ce61bfae59828c7467f8a13b2e6aa7b5f5c1644d7a140b1ae1b4924

Download Submit
C:\Windows\System32\loqKerK.exe

Filesize
1.8MB

MD5
c43c961ae49754f1efa1d00211294aff

SHA1
5c91f4aa0237656eeadb9300ac43ec870178171a

SHA256
942e2e9b87996422c6094d495c3980560a972ac20f6512dff3bc9a504591b973

SHA512
96f69eace21d643447cfd8fd1f0900904ee3f361bbf6f731e58b9daf70efa631ab8cadc90c91ccd8b81a6b5cb3fa7a32e00239ef74c82c6dafb22b6dc1da20f8

Download Submit
C:\Windows\System32\pvpMomg.exe

Filesize
1.8MB

MD5
ed62ec81379c39cf5138f406ed38c0d9

SHA1
4cac34a08743c1ab2ed981f4910cc20cb1c192a7

SHA256
3107ffc4fd9cd5ef726a6a2ef1536245de67caee385e5e62cdf37d8e5a25f98d

SHA512
e67ed605c4f19475c618130143b02686c310730f50a635e194f150cfec5d8a38e47b4c37be045cec45d89a4e1cb26d22eb58fe75c55119e3d8c89e5962e344e0

Download Submit
C:\Windows\System32\scTpejc.exe

Filesize
1.8MB

MD5
5fee3d0c81fc7cdb012692d546600d3a

SHA1
0505473e64944049efe75c7d143db8cd59047ab9

SHA256
57d431f1454258fa9436c75d7439ea197ca84e3727e8bd2d68e6f73562948b33

SHA512
fc8b16776cf683cc79f13a268be386a4f58b5869cb3264d9d2c865b39cf922296a806d233945d1ba6e7a41d9378c12da93505c6123886ae39af5587af5968873

Download Submit
C:\Windows\System32\vpramml.exe

Filesize
1.8MB

MD5
bc37e1c4375ffff17af0adbab0068bd0

SHA1
0cad496967a0debb329d773940eaaf23ec438de1

SHA256
5a08500b1865e16b765e07418a0f3169e1ecfe5e628dad63f82f131a62c498f1

SHA512
39a2a9c7ae60f0ced550c6e2c3da43854b84650182b6c5d5a00357a9ccda98d38c0e84efd3fb69e02dafee382057b9157827669dbbf5ea9a982f1729eb4990b7

Download Submit
C:\Windows\System32\wDmEbjJ.exe

Filesize
1.8MB

MD5
b4e59c70b161492588e41d5d0e76d103

SHA1
f58028f523c4189f02b0e1661b9b622272dccb3a

SHA256
9d5553536b93bde14603f5a275011428accb1c287edc811a3c2f1b1fdc084f94

SHA512
c26bbf46ecc30a61800f827e45561269213ff365a76f36434adf362c52feffb5ddb815a60bea8b57dbab1fa21c84d0ce6da1328f261c74648156e3a407d8a154

Download Submit
C:\Windows\System32\xOvlsYx.exe

Filesize
1.8MB

MD5
21d4d0730969d53b18309d7805611f63

SHA1
e6238ce9a02646c62fe3f578d92007ff23d433d9

SHA256
12d1254bec4e45a8d1881160d9a0010d252c0738b3db5f138946381822347441

SHA512
150b0689898825bf21dcc2b97ac5dc476311918e27a79a4237d3109ca78edef4cc50db8ecfe146ce6d6eac635d659b2a2424587ad169d185419a311853c3951d

Download Submit
memory/216-50-0x00007FF79C530000-0x00007FF79C921000-memory.dmp

Filesize
3.9MB

Download
memory/216-1997-0x00007FF79C530000-0x00007FF79C921000-memory.dmp

Filesize
3.9MB

Download
memory/216-2047-0x00007FF79C530000-0x00007FF79C921000-memory.dmp

Filesize
3.9MB

Download
memory/396-2055-0x00007FF6709C0000-0x00007FF670DB1000-memory.dmp

Filesize
3.9MB

Download
memory/396-71-0x00007FF6709C0000-0x00007FF670DB1000-memory.dmp

Filesize
3.9MB

Download
memory/456-447-0x00007FF6F8540000-0x00007FF6F8931000-memory.dmp

Filesize
3.9MB

Download
memory/456-2062-0x00007FF6F8540000-0x00007FF6F8931000-memory.dmp

Filesize
3.9MB

Download
memory/868-2049-0x00007FF764090000-0x00007FF764481000-memory.dmp

Filesize
3.9MB

Download
memory/868-51-0x00007FF764090000-0x00007FF764481000-memory.dmp

Filesize
3.9MB

Download
memory/1084-460-0x00007FF72B600000-0x00007FF72B9F1000-memory.dmp

Filesize
3.9MB

Download
memory/1084-2088-0x00007FF72B600000-0x00007FF72B9F1000-memory.dmp

Filesize
3.9MB

Download
memory/1460-456-0x00007FF63CD50000-0x00007FF63D141000-memory.dmp

Filesize
3.9MB

Download
memory/1460-2080-0x00007FF63CD50000-0x00007FF63D141000-memory.dmp

Filesize
3.9MB

Download
memory/1516-64-0x00007FF6BCA70000-0x00007FF6BCE61000-memory.dmp

Filesize
3.9MB

Download
memory/1516-1998-0x00007FF6BCA70000-0x00007FF6BCE61000-memory.dmp

Filesize
3.9MB

Download
memory/1516-2053-0x00007FF6BCA70000-0x00007FF6BCE61000-memory.dmp

Filesize
3.9MB

Download
memory/1916-2045-0x00007FF707270000-0x00007FF707661000-memory.dmp

Filesize
3.9MB

Download
memory/1916-34-0x00007FF707270000-0x00007FF707661000-memory.dmp

Filesize
3.9MB

Download
memory/1916-1996-0x00007FF707270000-0x00007FF707661000-memory.dmp

Filesize
3.9MB

Download
memory/2052-448-0x00007FF668F80000-0x00007FF669371000-memory.dmp

Filesize
3.9MB

Download
memory/2052-2072-0x00007FF668F80000-0x00007FF669371000-memory.dmp

Filesize
3.9MB

Download
memory/2216-449-0x00007FF707800000-0x00007FF707BF1000-memory.dmp

Filesize
3.9MB

Download
memory/2216-2067-0x00007FF707800000-0x00007FF707BF1000-memory.dmp

Filesize
3.9MB

Download
memory/2360-473-0x00007FF6FA9F0000-0x00007FF6FADE1000-memory.dmp

Filesize
3.9MB

Download
memory/2360-2082-0x00007FF6FA9F0000-0x00007FF6FADE1000-memory.dmp

Filesize
3.9MB

Download
memory/2672-2059-0x00007FF641D50000-0x00007FF642141000-memory.dmp

Filesize
3.9MB

Download
memory/2672-72-0x00007FF641D50000-0x00007FF642141000-memory.dmp

Filesize
3.9MB

Download
memory/2672-2030-0x00007FF641D50000-0x00007FF642141000-memory.dmp

Filesize
3.9MB

Download
memory/2716-1062-0x00007FF78EF00000-0x00007FF78F2F1000-memory.dmp

Filesize
3.9MB

Download
memory/2716-1-0x0000021260690000-0x00000212606A0000-memory.dmp

Filesize
64KB

Download
memory/2716-2032-0x00007FF78EF00000-0x00007FF78F2F1000-memory.dmp

Filesize
3.9MB

Download
memory/2716-0-0x00007FF78EF00000-0x00007FF78F2F1000-memory.dmp

Filesize
3.9MB

Download
memory/3016-2039-0x00007FF634E00000-0x00007FF6351F1000-memory.dmp

Filesize
3.9MB

Download
memory/3016-12-0x00007FF634E00000-0x00007FF6351F1000-memory.dmp

Filesize
3.9MB

Download
memory/3036-2043-0x00007FF695C80000-0x00007FF696071000-memory.dmp

Filesize
3.9MB

Download
memory/3036-18-0x00007FF695C80000-0x00007FF696071000-memory.dmp

Filesize
3.9MB

Download
memory/3356-26-0x00007FF68F6E0000-0x00007FF68FAD1000-memory.dmp

Filesize
3.9MB

Download
memory/3356-2042-0x00007FF68F6E0000-0x00007FF68FAD1000-memory.dmp

Filesize
3.9MB

Download
memory/3408-2078-0x00007FF6BB7C0000-0x00007FF6BBBB1000-memory.dmp

Filesize
3.9MB

Download
memory/3408-454-0x00007FF6BB7C0000-0x00007FF6BBBB1000-memory.dmp

Filesize
3.9MB

Download
memory/3812-451-0x00007FF6DEDE0000-0x00007FF6DF1D1000-memory.dmp

Filesize
3.9MB

Download
memory/3812-2074-0x00007FF6DEDE0000-0x00007FF6DF1D1000-memory.dmp

Filesize
3.9MB

Download
memory/3884-1064-0x00007FF76F320000-0x00007FF76F711000-memory.dmp

Filesize
3.9MB

Download
memory/3884-2037-0x00007FF76F320000-0x00007FF76F711000-memory.dmp

Filesize
3.9MB

Download
memory/3884-11-0x00007FF76F320000-0x00007FF76F711000-memory.dmp

Filesize
3.9MB

Download
memory/3900-478-0x00007FF7D85D0000-0x00007FF7D89C1000-memory.dmp

Filesize
3.9MB

Download
memory/3900-2064-0x00007FF7D85D0000-0x00007FF7D89C1000-memory.dmp

Filesize
3.9MB

Download
memory/4048-2069-0x00007FF7ACBD0000-0x00007FF7ACFC1000-memory.dmp

Filesize
3.9MB

Download
memory/4048-450-0x00007FF7ACBD0000-0x00007FF7ACFC1000-memory.dmp

Filesize
3.9MB

Download
memory/4556-469-0x00007FF653400000-0x00007FF6537F1000-memory.dmp

Filesize
3.9MB

Download
memory/4556-2084-0x00007FF653400000-0x00007FF6537F1000-memory.dmp

Filesize
3.9MB

Download
memory/4728-2086-0x00007FF6C6F30000-0x00007FF6C7321000-memory.dmp

Filesize
3.9MB

Download
memory/4728-466-0x00007FF6C6F30000-0x00007FF6C7321000-memory.dmp

Filesize
3.9MB

Download
memory/4856-66-0x00007FF65C430000-0x00007FF65C821000-memory.dmp

Filesize
3.9MB

Download
memory/4856-2057-0x00007FF65C430000-0x00007FF65C821000-memory.dmp

Filesize
3.9MB

Download
memory/4936-68-0x00007FF6E3E30000-0x00007FF6E4221000-memory.dmp

Filesize
3.9MB

Download
memory/4936-2051-0x00007FF6E3E30000-0x00007FF6E4221000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads