xmrig | abc9ff3246474245dca0fcf46717193bf7075aa8bc9571e23908127e2ac8d2f7

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 07:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

63a3250a90604575c96fb8d24f04bf00N.exe
Size

1.9MB
MD5

63a3250a90604575c96fb8d24f04bf00
SHA1

64a670dfa3aaf55326d18693ae7869b9ee387a8a
SHA256

abc9ff3246474245dca0fcf46717193bf7075aa8bc9571e23908127e2ac8d2f7
SHA512

1bb13c978197ec137c5ebc0aefdc7643804200e553302345d544805e87deef06f08b091a7a7f4143530d9f048c56165484dd0a01ba3451072648d89de5d08b8b
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1XPl9fNZA6opD7U138nlrsT:knw9oUUEEDl37jcq4nPUjfNiFWM4V

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/916-14-0x00007FF7BAA40000-0x00007FF7BAE31000-memory.dmp	xmrig
behavioral2/memory/3664-27-0x00007FF726BC0000-0x00007FF726FB1000-memory.dmp	xmrig
behavioral2/memory/3316-28-0x00007FF7C5020000-0x00007FF7C5411000-memory.dmp	xmrig
behavioral2/memory/2996-460-0x00007FF72AEB0000-0x00007FF72B2A1000-memory.dmp	xmrig
behavioral2/memory/3960-462-0x00007FF6C85F0000-0x00007FF6C89E1000-memory.dmp	xmrig
behavioral2/memory/4436-461-0x00007FF7F7350000-0x00007FF7F7741000-memory.dmp	xmrig
behavioral2/memory/4612-463-0x00007FF6FE690000-0x00007FF6FEA81000-memory.dmp	xmrig
behavioral2/memory/2496-464-0x00007FF7A0930000-0x00007FF7A0D21000-memory.dmp	xmrig
behavioral2/memory/1608-465-0x00007FF6A92E0000-0x00007FF6A96D1000-memory.dmp	xmrig
behavioral2/memory/1616-466-0x00007FF6923C0000-0x00007FF6927B1000-memory.dmp	xmrig
behavioral2/memory/2076-477-0x00007FF615AE0000-0x00007FF615ED1000-memory.dmp	xmrig
behavioral2/memory/5088-480-0x00007FF677070000-0x00007FF677461000-memory.dmp	xmrig
behavioral2/memory/2980-487-0x00007FF7ED0F0000-0x00007FF7ED4E1000-memory.dmp	xmrig
behavioral2/memory/4712-492-0x00007FF7899C0000-0x00007FF789DB1000-memory.dmp	xmrig
behavioral2/memory/2932-497-0x00007FF7C4A60000-0x00007FF7C4E51000-memory.dmp	xmrig
behavioral2/memory/3024-499-0x00007FF66F930000-0x00007FF66FD21000-memory.dmp	xmrig
behavioral2/memory/4964-503-0x00007FF7E1850000-0x00007FF7E1C41000-memory.dmp	xmrig
behavioral2/memory/956-504-0x00007FF7DE210000-0x00007FF7DE601000-memory.dmp	xmrig
behavioral2/memory/2028-508-0x00007FF7399E0000-0x00007FF739DD1000-memory.dmp	xmrig
behavioral2/memory/4912-502-0x00007FF761940000-0x00007FF761D31000-memory.dmp	xmrig
behavioral2/memory/4480-500-0x00007FF73BBB0000-0x00007FF73BFA1000-memory.dmp	xmrig
behavioral2/memory/1732-2005-0x00007FF6C6CD0000-0x00007FF6C70C1000-memory.dmp	xmrig
behavioral2/memory/984-2006-0x00007FF7416D0000-0x00007FF741AC1000-memory.dmp	xmrig
behavioral2/memory/916-2012-0x00007FF7BAA40000-0x00007FF7BAE31000-memory.dmp	xmrig
behavioral2/memory/3664-2016-0x00007FF726BC0000-0x00007FF726FB1000-memory.dmp	xmrig
behavioral2/memory/4600-2014-0x00007FF6F7EB0000-0x00007FF6F82A1000-memory.dmp	xmrig
behavioral2/memory/3316-2018-0x00007FF7C5020000-0x00007FF7C5411000-memory.dmp	xmrig
behavioral2/memory/3960-2055-0x00007FF6C85F0000-0x00007FF6C89E1000-memory.dmp	xmrig
behavioral2/memory/2028-2053-0x00007FF7399E0000-0x00007FF739DD1000-memory.dmp	xmrig
behavioral2/memory/956-2084-0x00007FF7DE210000-0x00007FF7DE601000-memory.dmp	xmrig
behavioral2/memory/4964-2082-0x00007FF7E1850000-0x00007FF7E1C41000-memory.dmp	xmrig
behavioral2/memory/4912-2080-0x00007FF761940000-0x00007FF761D31000-memory.dmp	xmrig
behavioral2/memory/4480-2078-0x00007FF73BBB0000-0x00007FF73BFA1000-memory.dmp	xmrig
behavioral2/memory/2932-2074-0x00007FF7C4A60000-0x00007FF7C4E51000-memory.dmp	xmrig
behavioral2/memory/4712-2072-0x00007FF7899C0000-0x00007FF789DB1000-memory.dmp	xmrig
behavioral2/memory/3024-2076-0x00007FF66F930000-0x00007FF66FD21000-memory.dmp	xmrig
behavioral2/memory/5088-2070-0x00007FF677070000-0x00007FF677461000-memory.dmp	xmrig
behavioral2/memory/2980-2068-0x00007FF7ED0F0000-0x00007FF7ED4E1000-memory.dmp	xmrig
behavioral2/memory/2076-2066-0x00007FF615AE0000-0x00007FF615ED1000-memory.dmp	xmrig
behavioral2/memory/1616-2064-0x00007FF6923C0000-0x00007FF6927B1000-memory.dmp	xmrig
behavioral2/memory/1732-2058-0x00007FF6C6CD0000-0x00007FF6C70C1000-memory.dmp	xmrig
behavioral2/memory/2996-2057-0x00007FF72AEB0000-0x00007FF72B2A1000-memory.dmp	xmrig
behavioral2/memory/984-2052-0x00007FF7416D0000-0x00007FF741AC1000-memory.dmp	xmrig
behavioral2/memory/4612-2051-0x00007FF6FE690000-0x00007FF6FEA81000-memory.dmp	xmrig
behavioral2/memory/2496-2062-0x00007FF7A0930000-0x00007FF7A0D21000-memory.dmp	xmrig
behavioral2/memory/1608-2060-0x00007FF6A92E0000-0x00007FF6A96D1000-memory.dmp	xmrig
behavioral2/memory/4436-2047-0x00007FF7F7350000-0x00007FF7F7741000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4600	FQYAahI.exe
916	ATFtAcN.exe
3664	vBbgiAT.exe
3316	OLcaNdV.exe
1732	wnKEwch.exe
984	AtZEkuI.exe
2028	UDpqxNI.exe
2996	QiaJHca.exe
4436	cVyFTZN.exe
3960	YhORYwL.exe
4612	KIWSFoA.exe
2496	dLEfEmK.exe
1608	ZfOrlxY.exe
1616	fRZBRvr.exe
2076	xFIQPRc.exe
5088	RuJZqHL.exe
2980	EPpsXyk.exe
4712	hMLASZQ.exe
2932	xRLUbMQ.exe
3024	myoyaNj.exe
4480	DCAbMTI.exe
4912	uYYWVfF.exe
4964	voPrmxp.exe
956	vPZLCca.exe
1260	TfOrrWP.exe
3888	YyCKeCT.exe
4316	YNwrsoY.exe
1780	mpMLSmU.exe
1524	bQscetx.exe
3624	yCeEBHQ.exe
4456	ykpYwHL.exe
4208	RUUsUni.exe
2436	AuWotys.exe
4860	ekUcfaw.exe
3132	RbfEgff.exe
3008	bUPCmWH.exe
1360	wLaIDxN.exe
4084	lFGlRGB.exe
4132	cfPBjZJ.exe
3828	mxKUCon.exe
2872	SSvqaad.exe
4924	mmBjLUe.exe
2176	mESmoQk.exe
1292	PrMBANX.exe
376	AtLGxKt.exe
4804	YIKkAOK.exe
3140	qendPzU.exe
2368	qpyZnlV.exe
2204	UiKnuqq.exe
2912	KrPZTOg.exe
3016	btGTLrT.exe
3516	aVadcYH.exe
4548	EAMxKUo.exe
3480	dUrbuNc.exe
4092	amqdJTz.exe
3580	UZLNnGd.exe
2616	HIhWecW.exe
1684	OfrAGIB.exe
2512	MpaPliH.exe
4968	yEHmOhI.exe
2100	CIiAkCc.exe
2764	TKLyZAw.exe
3584	QeCJvOR.exe
4780	HhBaUXs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4044-0-0x00007FF783B00000-0x00007FF783EF1000-memory.dmp	upx
behavioral2/files/0x0009000000023471-5.dat	upx
behavioral2/files/0x00080000000234ce-7.dat	upx
behavioral2/memory/4600-11-0x00007FF6F7EB0000-0x00007FF6F82A1000-memory.dmp	upx
behavioral2/memory/916-14-0x00007FF7BAA40000-0x00007FF7BAE31000-memory.dmp	upx
behavioral2/files/0x00070000000234cf-8.dat	upx
behavioral2/files/0x00070000000234d0-23.dat	upx
behavioral2/memory/3664-27-0x00007FF726BC0000-0x00007FF726FB1000-memory.dmp	upx
behavioral2/files/0x00070000000234d1-31.dat	upx
behavioral2/files/0x00070000000234d2-42.dat	upx
behavioral2/files/0x00070000000234d3-49.dat	upx
behavioral2/files/0x00070000000234d5-51.dat	upx
behavioral2/files/0x00070000000234d6-56.dat	upx
behavioral2/files/0x00070000000234d8-65.dat	upx
behavioral2/files/0x00070000000234da-76.dat	upx
behavioral2/files/0x00070000000234e1-111.dat	upx
behavioral2/files/0x00070000000234e3-121.dat	upx
behavioral2/files/0x00070000000234eb-161.dat	upx
behavioral2/files/0x00070000000234ec-166.dat	upx
behavioral2/files/0x00070000000234ea-156.dat	upx
behavioral2/files/0x00070000000234e9-152.dat	upx
behavioral2/files/0x00070000000234e8-149.dat	upx
behavioral2/files/0x00070000000234e7-141.dat	upx
behavioral2/files/0x00070000000234e6-136.dat	upx
behavioral2/files/0x00070000000234e5-131.dat	upx
behavioral2/files/0x00070000000234e4-126.dat	upx
behavioral2/files/0x00070000000234e2-116.dat	upx
behavioral2/files/0x00070000000234e0-106.dat	upx
behavioral2/files/0x00070000000234df-102.dat	upx
behavioral2/files/0x00070000000234de-96.dat	upx
behavioral2/files/0x00070000000234dd-91.dat	upx
behavioral2/files/0x00070000000234dc-86.dat	upx
behavioral2/files/0x00070000000234db-81.dat	upx
behavioral2/files/0x00070000000234d9-74.dat	upx
behavioral2/files/0x00070000000234d7-61.dat	upx
behavioral2/files/0x00070000000234d4-45.dat	upx
behavioral2/memory/1732-30-0x00007FF6C6CD0000-0x00007FF6C70C1000-memory.dmp	upx
behavioral2/memory/3316-28-0x00007FF7C5020000-0x00007FF7C5411000-memory.dmp	upx
behavioral2/memory/984-458-0x00007FF7416D0000-0x00007FF741AC1000-memory.dmp	upx
behavioral2/memory/2996-460-0x00007FF72AEB0000-0x00007FF72B2A1000-memory.dmp	upx
behavioral2/memory/3960-462-0x00007FF6C85F0000-0x00007FF6C89E1000-memory.dmp	upx
behavioral2/memory/4436-461-0x00007FF7F7350000-0x00007FF7F7741000-memory.dmp	upx
behavioral2/memory/4612-463-0x00007FF6FE690000-0x00007FF6FEA81000-memory.dmp	upx
behavioral2/memory/2496-464-0x00007FF7A0930000-0x00007FF7A0D21000-memory.dmp	upx
behavioral2/memory/1608-465-0x00007FF6A92E0000-0x00007FF6A96D1000-memory.dmp	upx
behavioral2/memory/1616-466-0x00007FF6923C0000-0x00007FF6927B1000-memory.dmp	upx
behavioral2/memory/2076-477-0x00007FF615AE0000-0x00007FF615ED1000-memory.dmp	upx
behavioral2/memory/5088-480-0x00007FF677070000-0x00007FF677461000-memory.dmp	upx
behavioral2/memory/2980-487-0x00007FF7ED0F0000-0x00007FF7ED4E1000-memory.dmp	upx
behavioral2/memory/4712-492-0x00007FF7899C0000-0x00007FF789DB1000-memory.dmp	upx
behavioral2/memory/2932-497-0x00007FF7C4A60000-0x00007FF7C4E51000-memory.dmp	upx
behavioral2/memory/3024-499-0x00007FF66F930000-0x00007FF66FD21000-memory.dmp	upx
behavioral2/memory/4964-503-0x00007FF7E1850000-0x00007FF7E1C41000-memory.dmp	upx
behavioral2/memory/956-504-0x00007FF7DE210000-0x00007FF7DE601000-memory.dmp	upx
behavioral2/memory/2028-508-0x00007FF7399E0000-0x00007FF739DD1000-memory.dmp	upx
behavioral2/memory/4912-502-0x00007FF761940000-0x00007FF761D31000-memory.dmp	upx
behavioral2/memory/4480-500-0x00007FF73BBB0000-0x00007FF73BFA1000-memory.dmp	upx
behavioral2/memory/1732-2005-0x00007FF6C6CD0000-0x00007FF6C70C1000-memory.dmp	upx
behavioral2/memory/984-2006-0x00007FF7416D0000-0x00007FF741AC1000-memory.dmp	upx
behavioral2/memory/916-2012-0x00007FF7BAA40000-0x00007FF7BAE31000-memory.dmp	upx
behavioral2/memory/3664-2016-0x00007FF726BC0000-0x00007FF726FB1000-memory.dmp	upx
behavioral2/memory/4600-2014-0x00007FF6F7EB0000-0x00007FF6F82A1000-memory.dmp	upx
behavioral2/memory/3316-2018-0x00007FF7C5020000-0x00007FF7C5411000-memory.dmp	upx
behavioral2/memory/3960-2055-0x00007FF6C85F0000-0x00007FF6C89E1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\UISwdaZ.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\PNuzKTr.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\WVGXbmS.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\ATFtAcN.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\MuhUktF.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\yAFgKTC.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\dPMHbpn.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\eZCdIHx.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\Udridxl.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\uRYIOGr.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\ZJUnTRO.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\YIKkAOK.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\zynCTzy.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\ygFWhOj.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\yCeEBHQ.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\ajbwnLa.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\bzXdybJ.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\kclZcIT.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\qcPPsUI.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\fSlJUUc.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\duJdgyS.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\rlhsDIn.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\wLaIDxN.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\NHrkyGj.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\mFmbnkO.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\aMXixqB.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\etgCtMW.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\uEWzCfi.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\iOblXIf.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\bGcxTyn.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\PHvizVr.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\RtwHEpC.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\EHsrvYl.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\OZGKbBH.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\XCvEOZT.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\DWzRvAh.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\wpKtgEu.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\DBoAjdJ.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\baNrGrC.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\jFnzLIZ.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\wZalRsx.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\AYkZvBt.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\POAiuxq.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\ecqoACe.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\UDpqxNI.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\TJgtEtS.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\HbYkYoE.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\zVckYRy.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\GtuDEIw.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\DcxjiDQ.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\YNwrsoY.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\lMPxcAd.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\LPbsnMm.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\sJgiYgY.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\EhBGUny.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\VkpeQZP.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\ogkorFb.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\ogeyuVG.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\sjoClFo.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\ikmdUgp.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\zVQKwjA.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\nkLPTcw.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\svpTGEl.exe	63a3250a90604575c96fb8d24f04bf00N.exe
File created	C:\Windows\System32\lPMHrSS.exe	63a3250a90604575c96fb8d24f04bf00N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	11824	dwm.exe
Token: SeChangeNotifyPrivilege	11824	dwm.exe
Token: 33	11824	dwm.exe
Token: SeIncBasePriorityPrivilege	11824	dwm.exe
Token: SeShutdownPrivilege	11824	dwm.exe
Token: SeCreatePagefilePrivilege	11824	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 4600	4044	63a3250a90604575c96fb8d24f04bf00N.exe	85
PID 4044 wrote to memory of 4600	4044	63a3250a90604575c96fb8d24f04bf00N.exe	85
PID 4044 wrote to memory of 916	4044	63a3250a90604575c96fb8d24f04bf00N.exe	86
PID 4044 wrote to memory of 916	4044	63a3250a90604575c96fb8d24f04bf00N.exe	86
PID 4044 wrote to memory of 3664	4044	63a3250a90604575c96fb8d24f04bf00N.exe	87
PID 4044 wrote to memory of 3664	4044	63a3250a90604575c96fb8d24f04bf00N.exe	87
PID 4044 wrote to memory of 3316	4044	63a3250a90604575c96fb8d24f04bf00N.exe	88
PID 4044 wrote to memory of 3316	4044	63a3250a90604575c96fb8d24f04bf00N.exe	88
PID 4044 wrote to memory of 1732	4044	63a3250a90604575c96fb8d24f04bf00N.exe	89
PID 4044 wrote to memory of 1732	4044	63a3250a90604575c96fb8d24f04bf00N.exe	89
PID 4044 wrote to memory of 984	4044	63a3250a90604575c96fb8d24f04bf00N.exe	90
PID 4044 wrote to memory of 984	4044	63a3250a90604575c96fb8d24f04bf00N.exe	90
PID 4044 wrote to memory of 2028	4044	63a3250a90604575c96fb8d24f04bf00N.exe	91
PID 4044 wrote to memory of 2028	4044	63a3250a90604575c96fb8d24f04bf00N.exe	91
PID 4044 wrote to memory of 2996	4044	63a3250a90604575c96fb8d24f04bf00N.exe	92
PID 4044 wrote to memory of 2996	4044	63a3250a90604575c96fb8d24f04bf00N.exe	92
PID 4044 wrote to memory of 4436	4044	63a3250a90604575c96fb8d24f04bf00N.exe	93
PID 4044 wrote to memory of 4436	4044	63a3250a90604575c96fb8d24f04bf00N.exe	93
PID 4044 wrote to memory of 3960	4044	63a3250a90604575c96fb8d24f04bf00N.exe	94
PID 4044 wrote to memory of 3960	4044	63a3250a90604575c96fb8d24f04bf00N.exe	94
PID 4044 wrote to memory of 4612	4044	63a3250a90604575c96fb8d24f04bf00N.exe	95
PID 4044 wrote to memory of 4612	4044	63a3250a90604575c96fb8d24f04bf00N.exe	95
PID 4044 wrote to memory of 2496	4044	63a3250a90604575c96fb8d24f04bf00N.exe	96
PID 4044 wrote to memory of 2496	4044	63a3250a90604575c96fb8d24f04bf00N.exe	96
PID 4044 wrote to memory of 1608	4044	63a3250a90604575c96fb8d24f04bf00N.exe	97
PID 4044 wrote to memory of 1608	4044	63a3250a90604575c96fb8d24f04bf00N.exe	97
PID 4044 wrote to memory of 1616	4044	63a3250a90604575c96fb8d24f04bf00N.exe	98
PID 4044 wrote to memory of 1616	4044	63a3250a90604575c96fb8d24f04bf00N.exe	98
PID 4044 wrote to memory of 2076	4044	63a3250a90604575c96fb8d24f04bf00N.exe	99
PID 4044 wrote to memory of 2076	4044	63a3250a90604575c96fb8d24f04bf00N.exe	99
PID 4044 wrote to memory of 5088	4044	63a3250a90604575c96fb8d24f04bf00N.exe	100
PID 4044 wrote to memory of 5088	4044	63a3250a90604575c96fb8d24f04bf00N.exe	100
PID 4044 wrote to memory of 2980	4044	63a3250a90604575c96fb8d24f04bf00N.exe	101
PID 4044 wrote to memory of 2980	4044	63a3250a90604575c96fb8d24f04bf00N.exe	101
PID 4044 wrote to memory of 4712	4044	63a3250a90604575c96fb8d24f04bf00N.exe	102
PID 4044 wrote to memory of 4712	4044	63a3250a90604575c96fb8d24f04bf00N.exe	102
PID 4044 wrote to memory of 2932	4044	63a3250a90604575c96fb8d24f04bf00N.exe	103
PID 4044 wrote to memory of 2932	4044	63a3250a90604575c96fb8d24f04bf00N.exe	103
PID 4044 wrote to memory of 3024	4044	63a3250a90604575c96fb8d24f04bf00N.exe	104
PID 4044 wrote to memory of 3024	4044	63a3250a90604575c96fb8d24f04bf00N.exe	104
PID 4044 wrote to memory of 4480	4044	63a3250a90604575c96fb8d24f04bf00N.exe	105
PID 4044 wrote to memory of 4480	4044	63a3250a90604575c96fb8d24f04bf00N.exe	105
PID 4044 wrote to memory of 4912	4044	63a3250a90604575c96fb8d24f04bf00N.exe	106
PID 4044 wrote to memory of 4912	4044	63a3250a90604575c96fb8d24f04bf00N.exe	106
PID 4044 wrote to memory of 4964	4044	63a3250a90604575c96fb8d24f04bf00N.exe	107
PID 4044 wrote to memory of 4964	4044	63a3250a90604575c96fb8d24f04bf00N.exe	107
PID 4044 wrote to memory of 956	4044	63a3250a90604575c96fb8d24f04bf00N.exe	108
PID 4044 wrote to memory of 956	4044	63a3250a90604575c96fb8d24f04bf00N.exe	108
PID 4044 wrote to memory of 1260	4044	63a3250a90604575c96fb8d24f04bf00N.exe	109
PID 4044 wrote to memory of 1260	4044	63a3250a90604575c96fb8d24f04bf00N.exe	109
PID 4044 wrote to memory of 3888	4044	63a3250a90604575c96fb8d24f04bf00N.exe	110
PID 4044 wrote to memory of 3888	4044	63a3250a90604575c96fb8d24f04bf00N.exe	110
PID 4044 wrote to memory of 4316	4044	63a3250a90604575c96fb8d24f04bf00N.exe	111
PID 4044 wrote to memory of 4316	4044	63a3250a90604575c96fb8d24f04bf00N.exe	111
PID 4044 wrote to memory of 1780	4044	63a3250a90604575c96fb8d24f04bf00N.exe	112
PID 4044 wrote to memory of 1780	4044	63a3250a90604575c96fb8d24f04bf00N.exe	112
PID 4044 wrote to memory of 1524	4044	63a3250a90604575c96fb8d24f04bf00N.exe	113
PID 4044 wrote to memory of 1524	4044	63a3250a90604575c96fb8d24f04bf00N.exe	113
PID 4044 wrote to memory of 3624	4044	63a3250a90604575c96fb8d24f04bf00N.exe	114
PID 4044 wrote to memory of 3624	4044	63a3250a90604575c96fb8d24f04bf00N.exe	114
PID 4044 wrote to memory of 4456	4044	63a3250a90604575c96fb8d24f04bf00N.exe	115
PID 4044 wrote to memory of 4456	4044	63a3250a90604575c96fb8d24f04bf00N.exe	115
PID 4044 wrote to memory of 4208	4044	63a3250a90604575c96fb8d24f04bf00N.exe	116
PID 4044 wrote to memory of 4208	4044	63a3250a90604575c96fb8d24f04bf00N.exe	116

C:\Users\Admin\AppData\Local\Temp\63a3250a90604575c96fb8d24f04bf00N.exe
"C:\Users\Admin\AppData\Local\Temp\63a3250a90604575c96fb8d24f04bf00N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\System32\FQYAahI.exe
  C:\Windows\System32\FQYAahI.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\ATFtAcN.exe
  C:\Windows\System32\ATFtAcN.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System32\vBbgiAT.exe
  C:\Windows\System32\vBbgiAT.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System32\OLcaNdV.exe
  C:\Windows\System32\OLcaNdV.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System32\wnKEwch.exe
  C:\Windows\System32\wnKEwch.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System32\AtZEkuI.exe
  C:\Windows\System32\AtZEkuI.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System32\UDpqxNI.exe
  C:\Windows\System32\UDpqxNI.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System32\QiaJHca.exe
  C:\Windows\System32\QiaJHca.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\cVyFTZN.exe
  C:\Windows\System32\cVyFTZN.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\YhORYwL.exe
  C:\Windows\System32\YhORYwL.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System32\KIWSFoA.exe
  C:\Windows\System32\KIWSFoA.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\dLEfEmK.exe
  C:\Windows\System32\dLEfEmK.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System32\ZfOrlxY.exe
  C:\Windows\System32\ZfOrlxY.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\fRZBRvr.exe
  C:\Windows\System32\fRZBRvr.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System32\xFIQPRc.exe
  C:\Windows\System32\xFIQPRc.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\RuJZqHL.exe
  C:\Windows\System32\RuJZqHL.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\EPpsXyk.exe
  C:\Windows\System32\EPpsXyk.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System32\hMLASZQ.exe
  C:\Windows\System32\hMLASZQ.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\xRLUbMQ.exe
  C:\Windows\System32\xRLUbMQ.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System32\myoyaNj.exe
  C:\Windows\System32\myoyaNj.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System32\DCAbMTI.exe
  C:\Windows\System32\DCAbMTI.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\uYYWVfF.exe
  C:\Windows\System32\uYYWVfF.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\voPrmxp.exe
  C:\Windows\System32\voPrmxp.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System32\vPZLCca.exe
  C:\Windows\System32\vPZLCca.exe
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\System32\TfOrrWP.exe
  C:\Windows\System32\TfOrrWP.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System32\YyCKeCT.exe
  C:\Windows\System32\YyCKeCT.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System32\YNwrsoY.exe
  C:\Windows\System32\YNwrsoY.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\mpMLSmU.exe
  C:\Windows\System32\mpMLSmU.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System32\bQscetx.exe
  C:\Windows\System32\bQscetx.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System32\yCeEBHQ.exe
  C:\Windows\System32\yCeEBHQ.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\ykpYwHL.exe
  C:\Windows\System32\ykpYwHL.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\RUUsUni.exe
  C:\Windows\System32\RUUsUni.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System32\AuWotys.exe
  C:\Windows\System32\AuWotys.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\ekUcfaw.exe
  C:\Windows\System32\ekUcfaw.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\RbfEgff.exe
  C:\Windows\System32\RbfEgff.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System32\bUPCmWH.exe
  C:\Windows\System32\bUPCmWH.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System32\wLaIDxN.exe
  C:\Windows\System32\wLaIDxN.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System32\lFGlRGB.exe
  C:\Windows\System32\lFGlRGB.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System32\cfPBjZJ.exe
  C:\Windows\System32\cfPBjZJ.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\mxKUCon.exe
  C:\Windows\System32\mxKUCon.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\SSvqaad.exe
  C:\Windows\System32\SSvqaad.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System32\mmBjLUe.exe
  C:\Windows\System32\mmBjLUe.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\mESmoQk.exe
  C:\Windows\System32\mESmoQk.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System32\PrMBANX.exe
  C:\Windows\System32\PrMBANX.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\AtLGxKt.exe
  C:\Windows\System32\AtLGxKt.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System32\YIKkAOK.exe
  C:\Windows\System32\YIKkAOK.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\qendPzU.exe
  C:\Windows\System32\qendPzU.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\qpyZnlV.exe
  C:\Windows\System32\qpyZnlV.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\UiKnuqq.exe
  C:\Windows\System32\UiKnuqq.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System32\KrPZTOg.exe
  C:\Windows\System32\KrPZTOg.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\btGTLrT.exe
  C:\Windows\System32\btGTLrT.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System32\aVadcYH.exe
  C:\Windows\System32\aVadcYH.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System32\EAMxKUo.exe
  C:\Windows\System32\EAMxKUo.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\dUrbuNc.exe
  C:\Windows\System32\dUrbuNc.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\amqdJTz.exe
  C:\Windows\System32\amqdJTz.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System32\UZLNnGd.exe
  C:\Windows\System32\UZLNnGd.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\HIhWecW.exe
  C:\Windows\System32\HIhWecW.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System32\OfrAGIB.exe
  C:\Windows\System32\OfrAGIB.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System32\MpaPliH.exe
  C:\Windows\System32\MpaPliH.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System32\yEHmOhI.exe
  C:\Windows\System32\yEHmOhI.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\CIiAkCc.exe
  C:\Windows\System32\CIiAkCc.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System32\TKLyZAw.exe
  C:\Windows\System32\TKLyZAw.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\QeCJvOR.exe
  C:\Windows\System32\QeCJvOR.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System32\HhBaUXs.exe
  C:\Windows\System32\HhBaUXs.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\CzRLEBl.exe
  C:\Windows\System32\CzRLEBl.exe
  2⤵
  PID:4080
- C:\Windows\System32\MyfHyvI.exe
  C:\Windows\System32\MyfHyvI.exe
  2⤵
  PID:2240
- C:\Windows\System32\bxTpats.exe
  C:\Windows\System32\bxTpats.exe
  2⤵
  PID:3748
- C:\Windows\System32\gAKQYXZ.exe
  C:\Windows\System32\gAKQYXZ.exe
  2⤵
  PID:1088
- C:\Windows\System32\UISwdaZ.exe
  C:\Windows\System32\UISwdaZ.exe
  2⤵
  PID:2728
- C:\Windows\System32\CXAiKur.exe
  C:\Windows\System32\CXAiKur.exe
  2⤵
  PID:1580
- C:\Windows\System32\epBBrke.exe
  C:\Windows\System32\epBBrke.exe
  2⤵
  PID:2192
- C:\Windows\System32\VkpeQZP.exe
  C:\Windows\System32\VkpeQZP.exe
  2⤵
  PID:2144
- C:\Windows\System32\cnNbGSU.exe
  C:\Windows\System32\cnNbGSU.exe
  2⤵
  PID:4340
- C:\Windows\System32\BhmaKNb.exe
  C:\Windows\System32\BhmaKNb.exe
  2⤵
  PID:1056
- C:\Windows\System32\BMZKWOA.exe
  C:\Windows\System32\BMZKWOA.exe
  2⤵
  PID:1032
- C:\Windows\System32\sUUomEx.exe
  C:\Windows\System32\sUUomEx.exe
  2⤵
  PID:2476
- C:\Windows\System32\CnQZOfT.exe
  C:\Windows\System32\CnQZOfT.exe
  2⤵
  PID:4468
- C:\Windows\System32\GihuHcn.exe
  C:\Windows\System32\GihuHcn.exe
  2⤵
  PID:3576
- C:\Windows\System32\wcQUMLy.exe
  C:\Windows\System32\wcQUMLy.exe
  2⤵
  PID:4064
- C:\Windows\System32\baNrGrC.exe
  C:\Windows\System32\baNrGrC.exe
  2⤵
  PID:1236
- C:\Windows\System32\ZmgmJkb.exe
  C:\Windows\System32\ZmgmJkb.exe
  2⤵
  PID:2644
- C:\Windows\System32\mtGpCNJ.exe
  C:\Windows\System32\mtGpCNJ.exe
  2⤵
  PID:812
- C:\Windows\System32\oFndmLi.exe
  C:\Windows\System32\oFndmLi.exe
  2⤵
  PID:4596
- C:\Windows\System32\zMuuUzL.exe
  C:\Windows\System32\zMuuUzL.exe
  2⤵
  PID:4672
- C:\Windows\System32\OsNVlpq.exe
  C:\Windows\System32\OsNVlpq.exe
  2⤵
  PID:1948
- C:\Windows\System32\gFctwqC.exe
  C:\Windows\System32\gFctwqC.exe
  2⤵
  PID:2092
- C:\Windows\System32\yjeedWf.exe
  C:\Windows\System32\yjeedWf.exe
  2⤵
  PID:1300
- C:\Windows\System32\FDmvcUF.exe
  C:\Windows\System32\FDmvcUF.exe
  2⤵
  PID:784
- C:\Windows\System32\MeUzUet.exe
  C:\Windows\System32\MeUzUet.exe
  2⤵
  PID:672
- C:\Windows\System32\DEAmWtv.exe
  C:\Windows\System32\DEAmWtv.exe
  2⤵
  PID:2852
- C:\Windows\System32\pHupbUc.exe
  C:\Windows\System32\pHupbUc.exe
  2⤵
  PID:5128
- C:\Windows\System32\WmXBmDW.exe
  C:\Windows\System32\WmXBmDW.exe
  2⤵
  PID:5148
- C:\Windows\System32\CqoIIsL.exe
  C:\Windows\System32\CqoIIsL.exe
  2⤵
  PID:5172
- C:\Windows\System32\yHIqdWr.exe
  C:\Windows\System32\yHIqdWr.exe
  2⤵
  PID:5200
- C:\Windows\System32\NHrkyGj.exe
  C:\Windows\System32\NHrkyGj.exe
  2⤵
  PID:5232
- C:\Windows\System32\rySvYim.exe
  C:\Windows\System32\rySvYim.exe
  2⤵
  PID:5260
- C:\Windows\System32\bmFdqlr.exe
  C:\Windows\System32\bmFdqlr.exe
  2⤵
  PID:5288
- C:\Windows\System32\ixbMSAN.exe
  C:\Windows\System32\ixbMSAN.exe
  2⤵
  PID:5316
- C:\Windows\System32\BwUPoKi.exe
  C:\Windows\System32\BwUPoKi.exe
  2⤵
  PID:5344
- C:\Windows\System32\AmWBJyN.exe
  C:\Windows\System32\AmWBJyN.exe
  2⤵
  PID:5372
- C:\Windows\System32\RoKtKcW.exe
  C:\Windows\System32\RoKtKcW.exe
  2⤵
  PID:5400
- C:\Windows\System32\BIydvcS.exe
  C:\Windows\System32\BIydvcS.exe
  2⤵
  PID:5428
- C:\Windows\System32\SpfHuff.exe
  C:\Windows\System32\SpfHuff.exe
  2⤵
  PID:5460
- C:\Windows\System32\jFfwgPG.exe
  C:\Windows\System32\jFfwgPG.exe
  2⤵
  PID:5484
- C:\Windows\System32\OwxYyrA.exe
  C:\Windows\System32\OwxYyrA.exe
  2⤵
  PID:5512
- C:\Windows\System32\RtcULzj.exe
  C:\Windows\System32\RtcULzj.exe
  2⤵
  PID:5536
- C:\Windows\System32\qkNGPbx.exe
  C:\Windows\System32\qkNGPbx.exe
  2⤵
  PID:5568
- C:\Windows\System32\musizvG.exe
  C:\Windows\System32\musizvG.exe
  2⤵
  PID:5600
- C:\Windows\System32\oDHyTIL.exe
  C:\Windows\System32\oDHyTIL.exe
  2⤵
  PID:5628
- C:\Windows\System32\sIdNXTx.exe
  C:\Windows\System32\sIdNXTx.exe
  2⤵
  PID:5656
- C:\Windows\System32\jLIDvSU.exe
  C:\Windows\System32\jLIDvSU.exe
  2⤵
  PID:5680
- C:\Windows\System32\adeAJqM.exe
  C:\Windows\System32\adeAJqM.exe
  2⤵
  PID:5712
- C:\Windows\System32\feyPjSD.exe
  C:\Windows\System32\feyPjSD.exe
  2⤵
  PID:5752
- C:\Windows\System32\HOJgjRc.exe
  C:\Windows\System32\HOJgjRc.exe
  2⤵
  PID:5768
- C:\Windows\System32\xbDbLpj.exe
  C:\Windows\System32\xbDbLpj.exe
  2⤵
  PID:5804
- C:\Windows\System32\UxEbtkd.exe
  C:\Windows\System32\UxEbtkd.exe
  2⤵
  PID:5824
- C:\Windows\System32\lCoHZOb.exe
  C:\Windows\System32\lCoHZOb.exe
  2⤵
  PID:5848
- C:\Windows\System32\xLszcBP.exe
  C:\Windows\System32\xLszcBP.exe
  2⤵
  PID:5888
- C:\Windows\System32\abvsiYg.exe
  C:\Windows\System32\abvsiYg.exe
  2⤵
  PID:5920
- C:\Windows\System32\ODSbqaz.exe
  C:\Windows\System32\ODSbqaz.exe
  2⤵
  PID:5936
- C:\Windows\System32\gSGhMIo.exe
  C:\Windows\System32\gSGhMIo.exe
  2⤵
  PID:5960
- C:\Windows\System32\CFlVggS.exe
  C:\Windows\System32\CFlVggS.exe
  2⤵
  PID:6004
- C:\Windows\System32\ugUWGOE.exe
  C:\Windows\System32\ugUWGOE.exe
  2⤵
  PID:6020
- C:\Windows\System32\mQdTCSe.exe
  C:\Windows\System32\mQdTCSe.exe
  2⤵
  PID:6048
- C:\Windows\System32\bQoDGox.exe
  C:\Windows\System32\bQoDGox.exe
  2⤵
  PID:6076
- C:\Windows\System32\gCYwPMK.exe
  C:\Windows\System32\gCYwPMK.exe
  2⤵
  PID:6104
- C:\Windows\System32\BeYvIUT.exe
  C:\Windows\System32\BeYvIUT.exe
  2⤵
  PID:6132
- C:\Windows\System32\muetuTV.exe
  C:\Windows\System32\muetuTV.exe
  2⤵
  PID:3508
- C:\Windows\System32\PUBVcBu.exe
  C:\Windows\System32\PUBVcBu.exe
  2⤵
  PID:660
- C:\Windows\System32\PNpzOpM.exe
  C:\Windows\System32\PNpzOpM.exe
  2⤵
  PID:4036
- C:\Windows\System32\mFmbnkO.exe
  C:\Windows\System32\mFmbnkO.exe
  2⤵
  PID:5328
- C:\Windows\System32\vPiNWlR.exe
  C:\Windows\System32\vPiNWlR.exe
  2⤵
  PID:5364
- C:\Windows\System32\CZpmaic.exe
  C:\Windows\System32\CZpmaic.exe
  2⤵
  PID:5408
- C:\Windows\System32\wAUEHre.exe
  C:\Windows\System32\wAUEHre.exe
  2⤵
  PID:5440
- C:\Windows\System32\dFXfgjg.exe
  C:\Windows\System32\dFXfgjg.exe
  2⤵
  PID:5576
- C:\Windows\System32\eWodaLd.exe
  C:\Windows\System32\eWodaLd.exe
  2⤵
  PID:5612
- C:\Windows\System32\AQGBrLf.exe
  C:\Windows\System32\AQGBrLf.exe
  2⤵
  PID:5668
- C:\Windows\System32\NkNtVtC.exe
  C:\Windows\System32\NkNtVtC.exe
  2⤵
  PID:5704
- C:\Windows\System32\mYgqzKu.exe
  C:\Windows\System32\mYgqzKu.exe
  2⤵
  PID:5800
- C:\Windows\System32\bmnReiw.exe
  C:\Windows\System32\bmnReiw.exe
  2⤵
  PID:5904
- C:\Windows\System32\GPmQnAQ.exe
  C:\Windows\System32\GPmQnAQ.exe
  2⤵
  PID:4888
- C:\Windows\System32\GJaLwoO.exe
  C:\Windows\System32\GJaLwoO.exe
  2⤵
  PID:3512
- C:\Windows\System32\XGqMkEQ.exe
  C:\Windows\System32\XGqMkEQ.exe
  2⤵
  PID:6068
- C:\Windows\System32\IypWqZC.exe
  C:\Windows\System32\IypWqZC.exe
  2⤵
  PID:1168
- C:\Windows\System32\iuFgKrq.exe
  C:\Windows\System32\iuFgKrq.exe
  2⤵
  PID:6084
- C:\Windows\System32\NSGyDbb.exe
  C:\Windows\System32\NSGyDbb.exe
  2⤵
  PID:2208
- C:\Windows\System32\lgTEqVI.exe
  C:\Windows\System32\lgTEqVI.exe
  2⤵
  PID:1808
- C:\Windows\System32\TJgtEtS.exe
  C:\Windows\System32\TJgtEtS.exe
  2⤵
  PID:5084
- C:\Windows\System32\BSJgGom.exe
  C:\Windows\System32\BSJgGom.exe
  2⤵
  PID:3704
- C:\Windows\System32\XZSaSwT.exe
  C:\Windows\System32\XZSaSwT.exe
  2⤵
  PID:4676
- C:\Windows\System32\WMGxLMI.exe
  C:\Windows\System32\WMGxLMI.exe
  2⤵
  PID:5336
- C:\Windows\System32\ajbwnLa.exe
  C:\Windows\System32\ajbwnLa.exe
  2⤵
  PID:5436
- C:\Windows\System32\RjTJOyX.exe
  C:\Windows\System32\RjTJOyX.exe
  2⤵
  PID:5564
- C:\Windows\System32\lzekaOp.exe
  C:\Windows\System32\lzekaOp.exe
  2⤵
  PID:4388
- C:\Windows\System32\QmfhvaV.exe
  C:\Windows\System32\QmfhvaV.exe
  2⤵
  PID:5932
- C:\Windows\System32\mJUmsQM.exe
  C:\Windows\System32\mJUmsQM.exe
  2⤵
  PID:5280
- C:\Windows\System32\eocZeJe.exe
  C:\Windows\System32\eocZeJe.exe
  2⤵
  PID:1676
- C:\Windows\System32\MSvjTaJ.exe
  C:\Windows\System32\MSvjTaJ.exe
  2⤵
  PID:2392
- C:\Windows\System32\lEiwmun.exe
  C:\Windows\System32\lEiwmun.exe
  2⤵
  PID:2196
- C:\Windows\System32\MzDgALL.exe
  C:\Windows\System32\MzDgALL.exe
  2⤵
  PID:1656
- C:\Windows\System32\aEZhhjG.exe
  C:\Windows\System32\aEZhhjG.exe
  2⤵
  PID:1076
- C:\Windows\System32\Udridxl.exe
  C:\Windows\System32\Udridxl.exe
  2⤵
  PID:5380
- C:\Windows\System32\zumYNcQ.exe
  C:\Windows\System32\zumYNcQ.exe
  2⤵
  PID:5664
- C:\Windows\System32\dXeMueW.exe
  C:\Windows\System32\dXeMueW.exe
  2⤵
  PID:6016
- C:\Windows\System32\VxRrqhi.exe
  C:\Windows\System32\VxRrqhi.exe
  2⤵
  PID:5592
- C:\Windows\System32\eCjxvzm.exe
  C:\Windows\System32\eCjxvzm.exe
  2⤵
  PID:6096
- C:\Windows\System32\lQUYMSp.exe
  C:\Windows\System32\lQUYMSp.exe
  2⤵
  PID:1040
- C:\Windows\System32\aZUFeVw.exe
  C:\Windows\System32\aZUFeVw.exe
  2⤵
  PID:3544
- C:\Windows\System32\CzcqAlz.exe
  C:\Windows\System32\CzcqAlz.exe
  2⤵
  PID:4516
- C:\Windows\System32\GxrXAUr.exe
  C:\Windows\System32\GxrXAUr.exe
  2⤵
  PID:4904
- C:\Windows\System32\lwnXbAM.exe
  C:\Windows\System32\lwnXbAM.exe
  2⤵
  PID:6164
- C:\Windows\System32\xoVStpB.exe
  C:\Windows\System32\xoVStpB.exe
  2⤵
  PID:6184
- C:\Windows\System32\wRugUHr.exe
  C:\Windows\System32\wRugUHr.exe
  2⤵
  PID:6252
- C:\Windows\System32\JhoUNoF.exe
  C:\Windows\System32\JhoUNoF.exe
  2⤵
  PID:6288
- C:\Windows\System32\tZuViWY.exe
  C:\Windows\System32\tZuViWY.exe
  2⤵
  PID:6316
- C:\Windows\System32\gOCHcZB.exe
  C:\Windows\System32\gOCHcZB.exe
  2⤵
  PID:6344
- C:\Windows\System32\eXXbfzA.exe
  C:\Windows\System32\eXXbfzA.exe
  2⤵
  PID:6360
- C:\Windows\System32\KNGwMTS.exe
  C:\Windows\System32\KNGwMTS.exe
  2⤵
  PID:6404
- C:\Windows\System32\iBVYDCB.exe
  C:\Windows\System32\iBVYDCB.exe
  2⤵
  PID:6428
- C:\Windows\System32\AHLjxkG.exe
  C:\Windows\System32\AHLjxkG.exe
  2⤵
  PID:6452
- C:\Windows\System32\JMNvVfI.exe
  C:\Windows\System32\JMNvVfI.exe
  2⤵
  PID:6496
- C:\Windows\System32\aMXixqB.exe
  C:\Windows\System32\aMXixqB.exe
  2⤵
  PID:6516
- C:\Windows\System32\ufvGCiF.exe
  C:\Windows\System32\ufvGCiF.exe
  2⤵
  PID:6536
- C:\Windows\System32\etgCtMW.exe
  C:\Windows\System32\etgCtMW.exe
  2⤵
  PID:6552
- C:\Windows\System32\dSQjwkV.exe
  C:\Windows\System32\dSQjwkV.exe
  2⤵
  PID:6580
- C:\Windows\System32\tIvTwfp.exe
  C:\Windows\System32\tIvTwfp.exe
  2⤵
  PID:6600
- C:\Windows\System32\jrtOYRW.exe
  C:\Windows\System32\jrtOYRW.exe
  2⤵
  PID:6624
- C:\Windows\System32\KCgwqAg.exe
  C:\Windows\System32\KCgwqAg.exe
  2⤵
  PID:6644
- C:\Windows\System32\XIOHRwP.exe
  C:\Windows\System32\XIOHRwP.exe
  2⤵
  PID:6672
- C:\Windows\System32\iQScLQA.exe
  C:\Windows\System32\iQScLQA.exe
  2⤵
  PID:6692
- C:\Windows\System32\fMkcXVF.exe
  C:\Windows\System32\fMkcXVF.exe
  2⤵
  PID:6708
- C:\Windows\System32\wwTuhOL.exe
  C:\Windows\System32\wwTuhOL.exe
  2⤵
  PID:6732
- C:\Windows\System32\FrCjiCz.exe
  C:\Windows\System32\FrCjiCz.exe
  2⤵
  PID:6752
- C:\Windows\System32\JDWDBtC.exe
  C:\Windows\System32\JDWDBtC.exe
  2⤵
  PID:6776
- C:\Windows\System32\EsqOwQW.exe
  C:\Windows\System32\EsqOwQW.exe
  2⤵
  PID:6792
- C:\Windows\System32\ilTqGvo.exe
  C:\Windows\System32\ilTqGvo.exe
  2⤵
  PID:6816
- C:\Windows\System32\fSlJUUc.exe
  C:\Windows\System32\fSlJUUc.exe
  2⤵
  PID:6836
- C:\Windows\System32\bKjQjEM.exe
  C:\Windows\System32\bKjQjEM.exe
  2⤵
  PID:6884
- C:\Windows\System32\IEbUvyq.exe
  C:\Windows\System32\IEbUvyq.exe
  2⤵
  PID:6936
- C:\Windows\System32\lMPxcAd.exe
  C:\Windows\System32\lMPxcAd.exe
  2⤵
  PID:7012
- C:\Windows\System32\oroynsN.exe
  C:\Windows\System32\oroynsN.exe
  2⤵
  PID:7044
- C:\Windows\System32\gozMInW.exe
  C:\Windows\System32\gozMInW.exe
  2⤵
  PID:7068
- C:\Windows\System32\ugmIxZu.exe
  C:\Windows\System32\ugmIxZu.exe
  2⤵
  PID:7116
- C:\Windows\System32\CfnkFoy.exe
  C:\Windows\System32\CfnkFoy.exe
  2⤵
  PID:7140
- C:\Windows\System32\tUzJFab.exe
  C:\Windows\System32\tUzJFab.exe
  2⤵
  PID:7160
- C:\Windows\System32\XiIasdV.exe
  C:\Windows\System32\XiIasdV.exe
  2⤵
  PID:5872
- C:\Windows\System32\YyJSyaa.exe
  C:\Windows\System32\YyJSyaa.exe
  2⤵
  PID:6152
- C:\Windows\System32\oTtuTRD.exe
  C:\Windows\System32\oTtuTRD.exe
  2⤵
  PID:6172
- C:\Windows\System32\gFIVtOZ.exe
  C:\Windows\System32\gFIVtOZ.exe
  2⤵
  PID:6300
- C:\Windows\System32\AfVNsAw.exe
  C:\Windows\System32\AfVNsAw.exe
  2⤵
  PID:6324
- C:\Windows\System32\hYWzysZ.exe
  C:\Windows\System32\hYWzysZ.exe
  2⤵
  PID:6424
- C:\Windows\System32\ZghfrLy.exe
  C:\Windows\System32\ZghfrLy.exe
  2⤵
  PID:6460
- C:\Windows\System32\NMCwFaP.exe
  C:\Windows\System32\NMCwFaP.exe
  2⤵
  PID:6504
- C:\Windows\System32\KHymuoT.exe
  C:\Windows\System32\KHymuoT.exe
  2⤵
  PID:6636
- C:\Windows\System32\jWxfwWV.exe
  C:\Windows\System32\jWxfwWV.exe
  2⤵
  PID:6788
- C:\Windows\System32\mAPeXEw.exe
  C:\Windows\System32\mAPeXEw.exe
  2⤵
  PID:6832
- C:\Windows\System32\bicLImQ.exe
  C:\Windows\System32\bicLImQ.exe
  2⤵
  PID:6680
- C:\Windows\System32\NpsjYZY.exe
  C:\Windows\System32\NpsjYZY.exe
  2⤵
  PID:6944
- C:\Windows\System32\yaVKDVY.exe
  C:\Windows\System32\yaVKDVY.exe
  2⤵
  PID:6996
- C:\Windows\System32\XGWSBtG.exe
  C:\Windows\System32\XGWSBtG.exe
  2⤵
  PID:7084
- C:\Windows\System32\KjbkCcH.exe
  C:\Windows\System32\KjbkCcH.exe
  2⤵
  PID:7104
- C:\Windows\System32\WUonBeP.exe
  C:\Windows\System32\WUonBeP.exe
  2⤵
  PID:5928
- C:\Windows\System32\RzueByP.exe
  C:\Windows\System32\RzueByP.exe
  2⤵
  PID:6156
- C:\Windows\System32\jZrJuPu.exe
  C:\Windows\System32\jZrJuPu.exe
  2⤵
  PID:6352
- C:\Windows\System32\ahrzjmJ.exe
  C:\Windows\System32\ahrzjmJ.exe
  2⤵
  PID:6488
- C:\Windows\System32\tSBeOsB.exe
  C:\Windows\System32\tSBeOsB.exe
  2⤵
  PID:6544
- C:\Windows\System32\cAvqPYy.exe
  C:\Windows\System32\cAvqPYy.exe
  2⤵
  PID:6808
- C:\Windows\System32\aZECeyX.exe
  C:\Windows\System32\aZECeyX.exe
  2⤵
  PID:6896
- C:\Windows\System32\cGQLWpr.exe
  C:\Windows\System32\cGQLWpr.exe
  2⤵
  PID:7052
- C:\Windows\System32\LpmvGev.exe
  C:\Windows\System32\LpmvGev.exe
  2⤵
  PID:7148
- C:\Windows\System32\xtOJtJT.exe
  C:\Windows\System32\xtOJtJT.exe
  2⤵
  PID:5156
- C:\Windows\System32\hitQYMP.exe
  C:\Windows\System32\hitQYMP.exe
  2⤵
  PID:6564
- C:\Windows\System32\vpmatOV.exe
  C:\Windows\System32\vpmatOV.exe
  2⤵
  PID:6804
- C:\Windows\System32\mBWbtHr.exe
  C:\Windows\System32\mBWbtHr.exe
  2⤵
  PID:7076
- C:\Windows\System32\rsRRbvY.exe
  C:\Windows\System32\rsRRbvY.exe
  2⤵
  PID:7204
- C:\Windows\System32\pTgldHk.exe
  C:\Windows\System32\pTgldHk.exe
  2⤵
  PID:7272
- C:\Windows\System32\SMdHSpQ.exe
  C:\Windows\System32\SMdHSpQ.exe
  2⤵
  PID:7308
- C:\Windows\System32\WBOPmgU.exe
  C:\Windows\System32\WBOPmgU.exe
  2⤵
  PID:7340
- C:\Windows\System32\UeeBAJb.exe
  C:\Windows\System32\UeeBAJb.exe
  2⤵
  PID:7368
- C:\Windows\System32\VCSkoyL.exe
  C:\Windows\System32\VCSkoyL.exe
  2⤵
  PID:7384
- C:\Windows\System32\bzXdybJ.exe
  C:\Windows\System32\bzXdybJ.exe
  2⤵
  PID:7412
- C:\Windows\System32\LnylSSV.exe
  C:\Windows\System32\LnylSSV.exe
  2⤵
  PID:7432
- C:\Windows\System32\OzqmroM.exe
  C:\Windows\System32\OzqmroM.exe
  2⤵
  PID:7460
- C:\Windows\System32\HLVjDwo.exe
  C:\Windows\System32\HLVjDwo.exe
  2⤵
  PID:7496
- C:\Windows\System32\rSwQKqK.exe
  C:\Windows\System32\rSwQKqK.exe
  2⤵
  PID:7516
- C:\Windows\System32\HbYkYoE.exe
  C:\Windows\System32\HbYkYoE.exe
  2⤵
  PID:7552
- C:\Windows\System32\blooUUO.exe
  C:\Windows\System32\blooUUO.exe
  2⤵
  PID:7580
- C:\Windows\System32\dwrjBIc.exe
  C:\Windows\System32\dwrjBIc.exe
  2⤵
  PID:7600
- C:\Windows\System32\vMYwelv.exe
  C:\Windows\System32\vMYwelv.exe
  2⤵
  PID:7628
- C:\Windows\System32\XbsuLLh.exe
  C:\Windows\System32\XbsuLLh.exe
  2⤵
  PID:7648
- C:\Windows\System32\qSSUDKK.exe
  C:\Windows\System32\qSSUDKK.exe
  2⤵
  PID:7680
- C:\Windows\System32\MuhUktF.exe
  C:\Windows\System32\MuhUktF.exe
  2⤵
  PID:7712
- C:\Windows\System32\OtrQsGC.exe
  C:\Windows\System32\OtrQsGC.exe
  2⤵
  PID:7736
- C:\Windows\System32\gJicZIK.exe
  C:\Windows\System32\gJicZIK.exe
  2⤵
  PID:7764
- C:\Windows\System32\yAFgKTC.exe
  C:\Windows\System32\yAFgKTC.exe
  2⤵
  PID:7784
- C:\Windows\System32\NZgMdzC.exe
  C:\Windows\System32\NZgMdzC.exe
  2⤵
  PID:7812
- C:\Windows\System32\XFhnsbT.exe
  C:\Windows\System32\XFhnsbT.exe
  2⤵
  PID:7848
- C:\Windows\System32\BmKxWrm.exe
  C:\Windows\System32\BmKxWrm.exe
  2⤵
  PID:7872
- C:\Windows\System32\UgQWeXg.exe
  C:\Windows\System32\UgQWeXg.exe
  2⤵
  PID:7892
- C:\Windows\System32\SQJdRtb.exe
  C:\Windows\System32\SQJdRtb.exe
  2⤵
  PID:7924
- C:\Windows\System32\PbbtjcW.exe
  C:\Windows\System32\PbbtjcW.exe
  2⤵
  PID:7944
- C:\Windows\System32\DTiktea.exe
  C:\Windows\System32\DTiktea.exe
  2⤵
  PID:7964
- C:\Windows\System32\ssJkptA.exe
  C:\Windows\System32\ssJkptA.exe
  2⤵
  PID:7984
- C:\Windows\System32\zLhyTej.exe
  C:\Windows\System32\zLhyTej.exe
  2⤵
  PID:8008
- C:\Windows\System32\mHJuFyX.exe
  C:\Windows\System32\mHJuFyX.exe
  2⤵
  PID:8028
- C:\Windows\System32\NoehsTz.exe
  C:\Windows\System32\NoehsTz.exe
  2⤵
  PID:8052
- C:\Windows\System32\JUsygpT.exe
  C:\Windows\System32\JUsygpT.exe
  2⤵
  PID:8080
- C:\Windows\System32\TZMDLLR.exe
  C:\Windows\System32\TZMDLLR.exe
  2⤵
  PID:8132
- C:\Windows\System32\iUIiYrr.exe
  C:\Windows\System32\iUIiYrr.exe
  2⤵
  PID:8188
- C:\Windows\System32\dVRUOms.exe
  C:\Windows\System32\dVRUOms.exe
  2⤵
  PID:6976
- C:\Windows\System32\ZfyQHUD.exe
  C:\Windows\System32\ZfyQHUD.exe
  2⤵
  PID:7244
- C:\Windows\System32\eIAoJXe.exe
  C:\Windows\System32\eIAoJXe.exe
  2⤵
  PID:7284
- C:\Windows\System32\ieMKPIj.exe
  C:\Windows\System32\ieMKPIj.exe
  2⤵
  PID:7364
- C:\Windows\System32\AsPlJeO.exe
  C:\Windows\System32\AsPlJeO.exe
  2⤵
  PID:7452
- C:\Windows\System32\ogkorFb.exe
  C:\Windows\System32\ogkorFb.exe
  2⤵
  PID:7504
- C:\Windows\System32\zKLgZpU.exe
  C:\Windows\System32\zKLgZpU.exe
  2⤵
  PID:7568
- C:\Windows\System32\duJdgyS.exe
  C:\Windows\System32\duJdgyS.exe
  2⤵
  PID:7592
- C:\Windows\System32\uHPyETD.exe
  C:\Windows\System32\uHPyETD.exe
  2⤵
  PID:7644
- C:\Windows\System32\kTAMQgh.exe
  C:\Windows\System32\kTAMQgh.exe
  2⤵
  PID:7776
- C:\Windows\System32\wkzNDnw.exe
  C:\Windows\System32\wkzNDnw.exe
  2⤵
  PID:7828
- C:\Windows\System32\FnXYMrV.exe
  C:\Windows\System32\FnXYMrV.exe
  2⤵
  PID:7880
- C:\Windows\System32\cIhqGLt.exe
  C:\Windows\System32\cIhqGLt.exe
  2⤵
  PID:7932
- C:\Windows\System32\ypJMUnR.exe
  C:\Windows\System32\ypJMUnR.exe
  2⤵
  PID:8000
- C:\Windows\System32\YpSlcvv.exe
  C:\Windows\System32\YpSlcvv.exe
  2⤵
  PID:8060
- C:\Windows\System32\wZWTJat.exe
  C:\Windows\System32\wZWTJat.exe
  2⤵
  PID:8100
- C:\Windows\System32\cPTLMyh.exe
  C:\Windows\System32\cPTLMyh.exe
  2⤵
  PID:8116
- C:\Windows\System32\WklQyxi.exe
  C:\Windows\System32\WklQyxi.exe
  2⤵
  PID:7176
- C:\Windows\System32\lGQgwNL.exe
  C:\Windows\System32\lGQgwNL.exe
  2⤵
  PID:7240
- C:\Windows\System32\LbvZEZP.exe
  C:\Windows\System32\LbvZEZP.exe
  2⤵
  PID:7532
- C:\Windows\System32\szYyWtM.exe
  C:\Windows\System32\szYyWtM.exe
  2⤵
  PID:7792
- C:\Windows\System32\QCPYVOD.exe
  C:\Windows\System32\QCPYVOD.exe
  2⤵
  PID:7864
- C:\Windows\System32\tiPzomY.exe
  C:\Windows\System32\tiPzomY.exe
  2⤵
  PID:8076
- C:\Windows\System32\pAzvjiR.exe
  C:\Windows\System32\pAzvjiR.exe
  2⤵
  PID:8156
- C:\Windows\System32\VnTsnuT.exe
  C:\Windows\System32\VnTsnuT.exe
  2⤵
  PID:7720
- C:\Windows\System32\ikmdUgp.exe
  C:\Windows\System32\ikmdUgp.exe
  2⤵
  PID:4112
- C:\Windows\System32\OahHEaj.exe
  C:\Windows\System32\OahHEaj.exe
  2⤵
  PID:7840
- C:\Windows\System32\xZJqxgL.exe
  C:\Windows\System32\xZJqxgL.exe
  2⤵
  PID:8092
- C:\Windows\System32\JIIIroa.exe
  C:\Windows\System32\JIIIroa.exe
  2⤵
  PID:8068
- C:\Windows\System32\jILMklG.exe
  C:\Windows\System32\jILMklG.exe
  2⤵
  PID:8216
- C:\Windows\System32\GVgfAOS.exe
  C:\Windows\System32\GVgfAOS.exe
  2⤵
  PID:8260
- C:\Windows\System32\CecjFlX.exe
  C:\Windows\System32\CecjFlX.exe
  2⤵
  PID:8280
- C:\Windows\System32\cLxVapW.exe
  C:\Windows\System32\cLxVapW.exe
  2⤵
  PID:8340
- C:\Windows\System32\zVckYRy.exe
  C:\Windows\System32\zVckYRy.exe
  2⤵
  PID:8356
- C:\Windows\System32\gXVqQZz.exe
  C:\Windows\System32\gXVqQZz.exe
  2⤵
  PID:8376
- C:\Windows\System32\jFnzLIZ.exe
  C:\Windows\System32\jFnzLIZ.exe
  2⤵
  PID:8428
- C:\Windows\System32\LPbsnMm.exe
  C:\Windows\System32\LPbsnMm.exe
  2⤵
  PID:8464
- C:\Windows\System32\wZalRsx.exe
  C:\Windows\System32\wZalRsx.exe
  2⤵
  PID:8492
- C:\Windows\System32\sJgiYgY.exe
  C:\Windows\System32\sJgiYgY.exe
  2⤵
  PID:8508
- C:\Windows\System32\MloBfnq.exe
  C:\Windows\System32\MloBfnq.exe
  2⤵
  PID:8528
- C:\Windows\System32\VAudeNN.exe
  C:\Windows\System32\VAudeNN.exe
  2⤵
  PID:8552
- C:\Windows\System32\JBaEBGa.exe
  C:\Windows\System32\JBaEBGa.exe
  2⤵
  PID:8576
- C:\Windows\System32\HWJlpyf.exe
  C:\Windows\System32\HWJlpyf.exe
  2⤵
  PID:8596
- C:\Windows\System32\CstBYhH.exe
  C:\Windows\System32\CstBYhH.exe
  2⤵
  PID:8640
- C:\Windows\System32\Xpxjgmv.exe
  C:\Windows\System32\Xpxjgmv.exe
  2⤵
  PID:8668
- C:\Windows\System32\ENfKCVH.exe
  C:\Windows\System32\ENfKCVH.exe
  2⤵
  PID:8708
- C:\Windows\System32\pMkXZrW.exe
  C:\Windows\System32\pMkXZrW.exe
  2⤵
  PID:8736
- C:\Windows\System32\zVQKwjA.exe
  C:\Windows\System32\zVQKwjA.exe
  2⤵
  PID:8756
- C:\Windows\System32\HXAnGoI.exe
  C:\Windows\System32\HXAnGoI.exe
  2⤵
  PID:8780
- C:\Windows\System32\dPMHbpn.exe
  C:\Windows\System32\dPMHbpn.exe
  2⤵
  PID:8808
- C:\Windows\System32\MTQTZBk.exe
  C:\Windows\System32\MTQTZBk.exe
  2⤵
  PID:8844
- C:\Windows\System32\CIFnfMr.exe
  C:\Windows\System32\CIFnfMr.exe
  2⤵
  PID:8872
- C:\Windows\System32\kVOMPzr.exe
  C:\Windows\System32\kVOMPzr.exe
  2⤵
  PID:8896
- C:\Windows\System32\XsrEgkX.exe
  C:\Windows\System32\XsrEgkX.exe
  2⤵
  PID:8928
- C:\Windows\System32\emKszAa.exe
  C:\Windows\System32\emKszAa.exe
  2⤵
  PID:8960
- C:\Windows\System32\lICSXjB.exe
  C:\Windows\System32\lICSXjB.exe
  2⤵
  PID:8996
- C:\Windows\System32\bpMjuXo.exe
  C:\Windows\System32\bpMjuXo.exe
  2⤵
  PID:9016
- C:\Windows\System32\BmcHdgd.exe
  C:\Windows\System32\BmcHdgd.exe
  2⤵
  PID:9036
- C:\Windows\System32\DVnIPnW.exe
  C:\Windows\System32\DVnIPnW.exe
  2⤵
  PID:9056
- C:\Windows\System32\guWJuAZ.exe
  C:\Windows\System32\guWJuAZ.exe
  2⤵
  PID:9092
- C:\Windows\System32\ZLkycxz.exe
  C:\Windows\System32\ZLkycxz.exe
  2⤵
  PID:9108
- C:\Windows\System32\rYWOzcO.exe
  C:\Windows\System32\rYWOzcO.exe
  2⤵
  PID:9132
- C:\Windows\System32\cegtfhm.exe
  C:\Windows\System32\cegtfhm.exe
  2⤵
  PID:9160
- C:\Windows\System32\WBFITCp.exe
  C:\Windows\System32\WBFITCp.exe
  2⤵
  PID:9184
- C:\Windows\System32\zynCTzy.exe
  C:\Windows\System32\zynCTzy.exe
  2⤵
  PID:8248
- C:\Windows\System32\azVNuuE.exe
  C:\Windows\System32\azVNuuE.exe
  2⤵
  PID:8372
- C:\Windows\System32\DUwaQLD.exe
  C:\Windows\System32\DUwaQLD.exe
  2⤵
  PID:8488
- C:\Windows\System32\eZCdIHx.exe
  C:\Windows\System32\eZCdIHx.exe
  2⤵
  PID:8524
- C:\Windows\System32\EhBGUny.exe
  C:\Windows\System32\EhBGUny.exe
  2⤵
  PID:8648
- C:\Windows\System32\SwfFJJf.exe
  C:\Windows\System32\SwfFJJf.exe
  2⤵
  PID:8772
- C:\Windows\System32\KFvACXX.exe
  C:\Windows\System32\KFvACXX.exe
  2⤵
  PID:8944
- C:\Windows\System32\rlhsDIn.exe
  C:\Windows\System32\rlhsDIn.exe
  2⤵
  PID:8924
- C:\Windows\System32\mpyleef.exe
  C:\Windows\System32\mpyleef.exe
  2⤵
  PID:9028
- C:\Windows\System32\uyaAuaR.exe
  C:\Windows\System32\uyaAuaR.exe
  2⤵
  PID:9068
- C:\Windows\System32\hRzxQtK.exe
  C:\Windows\System32\hRzxQtK.exe
  2⤵
  PID:9104
- C:\Windows\System32\cPXcmDa.exe
  C:\Windows\System32\cPXcmDa.exe
  2⤵
  PID:9152
- C:\Windows\System32\xzCToXA.exe
  C:\Windows\System32\xzCToXA.exe
  2⤵
  PID:8368
- C:\Windows\System32\xcqDhXD.exe
  C:\Windows\System32\xcqDhXD.exe
  2⤵
  PID:7952
- C:\Windows\System32\KKIcqIM.exe
  C:\Windows\System32\KKIcqIM.exe
  2⤵
  PID:9200
- C:\Windows\System32\sENUiFq.exe
  C:\Windows\System32\sENUiFq.exe
  2⤵
  PID:8348
- C:\Windows\System32\IdXBHay.exe
  C:\Windows\System32\IdXBHay.exe
  2⤵
  PID:8444
- C:\Windows\System32\AYkZvBt.exe
  C:\Windows\System32\AYkZvBt.exe
  2⤵
  PID:8636
- C:\Windows\System32\qgUPeEt.exe
  C:\Windows\System32\qgUPeEt.exe
  2⤵
  PID:8296
- C:\Windows\System32\EHsrvYl.exe
  C:\Windows\System32\EHsrvYl.exe
  2⤵
  PID:8656
- C:\Windows\System32\GtuDEIw.exe
  C:\Windows\System32\GtuDEIw.exe
  2⤵
  PID:8720
- C:\Windows\System32\WMvskWt.exe
  C:\Windows\System32\WMvskWt.exe
  2⤵
  PID:8940
- C:\Windows\System32\jhIPxOB.exe
  C:\Windows\System32\jhIPxOB.exe
  2⤵
  PID:8884
- C:\Windows\System32\JpBxBal.exe
  C:\Windows\System32\JpBxBal.exe
  2⤵
  PID:8352
- C:\Windows\System32\cnJxPZa.exe
  C:\Windows\System32\cnJxPZa.exe
  2⤵
  PID:8272
- C:\Windows\System32\zWUUSLZ.exe
  C:\Windows\System32\zWUUSLZ.exe
  2⤵
  PID:9144
- C:\Windows\System32\WPYsMuJ.exe
  C:\Windows\System32\WPYsMuJ.exe
  2⤵
  PID:9212
- C:\Windows\System32\zPZNbBE.exe
  C:\Windows\System32\zPZNbBE.exe
  2⤵
  PID:8628
- C:\Windows\System32\uEWzCfi.exe
  C:\Windows\System32\uEWzCfi.exe
  2⤵
  PID:9228
- C:\Windows\System32\hkdsiRG.exe
  C:\Windows\System32\hkdsiRG.exe
  2⤵
  PID:9268
- C:\Windows\System32\TpWYCcz.exe
  C:\Windows\System32\TpWYCcz.exe
  2⤵
  PID:9292
- C:\Windows\System32\mZbABvP.exe
  C:\Windows\System32\mZbABvP.exe
  2⤵
  PID:9308
- C:\Windows\System32\SkCSEbs.exe
  C:\Windows\System32\SkCSEbs.exe
  2⤵
  PID:9372
- C:\Windows\System32\jevjbxt.exe
  C:\Windows\System32\jevjbxt.exe
  2⤵
  PID:9408
- C:\Windows\System32\XQIFVyN.exe
  C:\Windows\System32\XQIFVyN.exe
  2⤵
  PID:9432
- C:\Windows\System32\BBGgHNM.exe
  C:\Windows\System32\BBGgHNM.exe
  2⤵
  PID:9468
- C:\Windows\System32\umPbanF.exe
  C:\Windows\System32\umPbanF.exe
  2⤵
  PID:9488
- C:\Windows\System32\xnKdzPk.exe
  C:\Windows\System32\xnKdzPk.exe
  2⤵
  PID:9524
- C:\Windows\System32\VxwEMxh.exe
  C:\Windows\System32\VxwEMxh.exe
  2⤵
  PID:9552
- C:\Windows\System32\rfjkZWH.exe
  C:\Windows\System32\rfjkZWH.exe
  2⤵
  PID:9568
- C:\Windows\System32\MjNZTmn.exe
  C:\Windows\System32\MjNZTmn.exe
  2⤵
  PID:9616
- C:\Windows\System32\DfzMUUK.exe
  C:\Windows\System32\DfzMUUK.exe
  2⤵
  PID:9648
- C:\Windows\System32\PNuzKTr.exe
  C:\Windows\System32\PNuzKTr.exe
  2⤵
  PID:9664
- C:\Windows\System32\hHMAMeY.exe
  C:\Windows\System32\hHMAMeY.exe
  2⤵
  PID:9684
- C:\Windows\System32\ecqoACe.exe
  C:\Windows\System32\ecqoACe.exe
  2⤵
  PID:9720
- C:\Windows\System32\UFjmGWy.exe
  C:\Windows\System32\UFjmGWy.exe
  2⤵
  PID:9740
- C:\Windows\System32\kclZcIT.exe
  C:\Windows\System32\kclZcIT.exe
  2⤵
  PID:9776
- C:\Windows\System32\HqsdJBb.exe
  C:\Windows\System32\HqsdJBb.exe
  2⤵
  PID:9804
- C:\Windows\System32\vUzhmkl.exe
  C:\Windows\System32\vUzhmkl.exe
  2⤵
  PID:9824
- C:\Windows\System32\RARNiPv.exe
  C:\Windows\System32\RARNiPv.exe
  2⤵
  PID:9864
- C:\Windows\System32\uRYIOGr.exe
  C:\Windows\System32\uRYIOGr.exe
  2⤵
  PID:9888
- C:\Windows\System32\apHFyRL.exe
  C:\Windows\System32\apHFyRL.exe
  2⤵
  PID:9904
- C:\Windows\System32\dRKEZFS.exe
  C:\Windows\System32\dRKEZFS.exe
  2⤵
  PID:9932
- C:\Windows\System32\otFaXrw.exe
  C:\Windows\System32\otFaXrw.exe
  2⤵
  PID:9952
- C:\Windows\System32\IuHpXqs.exe
  C:\Windows\System32\IuHpXqs.exe
  2⤵
  PID:9988
- C:\Windows\System32\megwvzK.exe
  C:\Windows\System32\megwvzK.exe
  2⤵
  PID:10020
- C:\Windows\System32\kuDhJMN.exe
  C:\Windows\System32\kuDhJMN.exe
  2⤵
  PID:10044
- C:\Windows\System32\qbEiQPu.exe
  C:\Windows\System32\qbEiQPu.exe
  2⤵
  PID:10072
- C:\Windows\System32\CEcfPyH.exe
  C:\Windows\System32\CEcfPyH.exe
  2⤵
  PID:10092
- C:\Windows\System32\uXGUGZu.exe
  C:\Windows\System32\uXGUGZu.exe
  2⤵
  PID:10116
- C:\Windows\System32\QzpVtVb.exe
  C:\Windows\System32\QzpVtVb.exe
  2⤵
  PID:10144
- C:\Windows\System32\DtHPLQi.exe
  C:\Windows\System32\DtHPLQi.exe
  2⤵
  PID:10200
- C:\Windows\System32\VFIGysU.exe
  C:\Windows\System32\VFIGysU.exe
  2⤵
  PID:10220
- C:\Windows\System32\RaRIfbI.exe
  C:\Windows\System32\RaRIfbI.exe
  2⤵
  PID:10236
- C:\Windows\System32\uVarKEg.exe
  C:\Windows\System32\uVarKEg.exe
  2⤵
  PID:8228
- C:\Windows\System32\MWdZJsQ.exe
  C:\Windows\System32\MWdZJsQ.exe
  2⤵
  PID:9288
- C:\Windows\System32\vVKCDel.exe
  C:\Windows\System32\vVKCDel.exe
  2⤵
  PID:9340
- C:\Windows\System32\FWhHnCT.exe
  C:\Windows\System32\FWhHnCT.exe
  2⤵
  PID:9404
- C:\Windows\System32\yyfIflP.exe
  C:\Windows\System32\yyfIflP.exe
  2⤵
  PID:9416
- C:\Windows\System32\WQNMfbQ.exe
  C:\Windows\System32\WQNMfbQ.exe
  2⤵
  PID:9508
- C:\Windows\System32\dygIFiN.exe
  C:\Windows\System32\dygIFiN.exe
  2⤵
  PID:9564
- C:\Windows\System32\UDkjLoV.exe
  C:\Windows\System32\UDkjLoV.exe
  2⤵
  PID:9576
- C:\Windows\System32\vGfXChi.exe
  C:\Windows\System32\vGfXChi.exe
  2⤵
  PID:9676
- C:\Windows\System32\wDFbrYF.exe
  C:\Windows\System32\wDFbrYF.exe
  2⤵
  PID:9760
- C:\Windows\System32\hWqndIB.exe
  C:\Windows\System32\hWqndIB.exe
  2⤵
  PID:9856
- C:\Windows\System32\oglLUEm.exe
  C:\Windows\System32\oglLUEm.exe
  2⤵
  PID:9944
- C:\Windows\System32\SyeFAYo.exe
  C:\Windows\System32\SyeFAYo.exe
  2⤵
  PID:10104
- C:\Windows\System32\zoCTvWz.exe
  C:\Windows\System32\zoCTvWz.exe
  2⤵
  PID:10140
- C:\Windows\System32\RGTKuis.exe
  C:\Windows\System32\RGTKuis.exe
  2⤵
  PID:10176
- C:\Windows\System32\kXXKvnL.exe
  C:\Windows\System32\kXXKvnL.exe
  2⤵
  PID:9004
- C:\Windows\System32\wBRyIOf.exe
  C:\Windows\System32\wBRyIOf.exe
  2⤵
  PID:9284
- C:\Windows\System32\KumRRtH.exe
  C:\Windows\System32\KumRRtH.exe
  2⤵
  PID:9476
- C:\Windows\System32\ViXwJCN.exe
  C:\Windows\System32\ViXwJCN.exe
  2⤵
  PID:9680
- C:\Windows\System32\eqCbVHS.exe
  C:\Windows\System32\eqCbVHS.exe
  2⤵
  PID:9748
- C:\Windows\System32\POAiuxq.exe
  C:\Windows\System32\POAiuxq.exe
  2⤵
  PID:9836
- C:\Windows\System32\DWzRvAh.exe
  C:\Windows\System32\DWzRvAh.exe
  2⤵
  PID:10056
- C:\Windows\System32\DKrKVvJ.exe
  C:\Windows\System32\DKrKVvJ.exe
  2⤵
  PID:8500
- C:\Windows\System32\LeDMrrP.exe
  C:\Windows\System32\LeDMrrP.exe
  2⤵
  PID:10228
- C:\Windows\System32\DsZIGsd.exe
  C:\Windows\System32\DsZIGsd.exe
  2⤵
  PID:9696
- C:\Windows\System32\UuMKaPy.exe
  C:\Windows\System32\UuMKaPy.exe
  2⤵
  PID:9276
- C:\Windows\System32\wgodYvB.exe
  C:\Windows\System32\wgodYvB.exe
  2⤵
  PID:10268
- C:\Windows\System32\tvACwHe.exe
  C:\Windows\System32\tvACwHe.exe
  2⤵
  PID:10284
- C:\Windows\System32\ewDqCwf.exe
  C:\Windows\System32\ewDqCwf.exe
  2⤵
  PID:10312
- C:\Windows\System32\rxWOgWX.exe
  C:\Windows\System32\rxWOgWX.exe
  2⤵
  PID:10332
- C:\Windows\System32\ZnmRarh.exe
  C:\Windows\System32\ZnmRarh.exe
  2⤵
  PID:10368
- C:\Windows\System32\AYZGlre.exe
  C:\Windows\System32\AYZGlre.exe
  2⤵
  PID:10384
- C:\Windows\System32\xyYbxUG.exe
  C:\Windows\System32\xyYbxUG.exe
  2⤵
  PID:10412
- C:\Windows\System32\DFAZMRH.exe
  C:\Windows\System32\DFAZMRH.exe
  2⤵
  PID:10432
- C:\Windows\System32\TBONWaM.exe
  C:\Windows\System32\TBONWaM.exe
  2⤵
  PID:10448
- C:\Windows\System32\nTyANqI.exe
  C:\Windows\System32\nTyANqI.exe
  2⤵
  PID:10472
- C:\Windows\System32\nBmcBZZ.exe
  C:\Windows\System32\nBmcBZZ.exe
  2⤵
  PID:10500
- C:\Windows\System32\QhqOVso.exe
  C:\Windows\System32\QhqOVso.exe
  2⤵
  PID:10540
- C:\Windows\System32\fcyxvFJ.exe
  C:\Windows\System32\fcyxvFJ.exe
  2⤵
  PID:10596
- C:\Windows\System32\RKSsbTy.exe
  C:\Windows\System32\RKSsbTy.exe
  2⤵
  PID:10628
- C:\Windows\System32\sFHlacM.exe
  C:\Windows\System32\sFHlacM.exe
  2⤵
  PID:10648
- C:\Windows\System32\yTtHSzd.exe
  C:\Windows\System32\yTtHSzd.exe
  2⤵
  PID:10672
- C:\Windows\System32\ufHrcBh.exe
  C:\Windows\System32\ufHrcBh.exe
  2⤵
  PID:10700
- C:\Windows\System32\BQhTmrc.exe
  C:\Windows\System32\BQhTmrc.exe
  2⤵
  PID:10732
- C:\Windows\System32\MzKrKlD.exe
  C:\Windows\System32\MzKrKlD.exe
  2⤵
  PID:10752
- C:\Windows\System32\TsvSWOX.exe
  C:\Windows\System32\TsvSWOX.exe
  2⤵
  PID:10776
- C:\Windows\System32\rDzKWOv.exe
  C:\Windows\System32\rDzKWOv.exe
  2⤵
  PID:10804
- C:\Windows\System32\SnUueCP.exe
  C:\Windows\System32\SnUueCP.exe
  2⤵
  PID:10824
- C:\Windows\System32\TXEyJsq.exe
  C:\Windows\System32\TXEyJsq.exe
  2⤵
  PID:10840
- C:\Windows\System32\GWPDQRo.exe
  C:\Windows\System32\GWPDQRo.exe
  2⤵
  PID:10864
- C:\Windows\System32\SbblUZH.exe
  C:\Windows\System32\SbblUZH.exe
  2⤵
  PID:10904
- C:\Windows\System32\WVGXbmS.exe
  C:\Windows\System32\WVGXbmS.exe
  2⤵
  PID:10920
- C:\Windows\System32\ZkytbxT.exe
  C:\Windows\System32\ZkytbxT.exe
  2⤵
  PID:10952
- C:\Windows\System32\QdaOrxL.exe
  C:\Windows\System32\QdaOrxL.exe
  2⤵
  PID:10968
- C:\Windows\System32\NoDWWVG.exe
  C:\Windows\System32\NoDWWVG.exe
  2⤵
  PID:10992
- C:\Windows\System32\evizDmE.exe
  C:\Windows\System32\evizDmE.exe
  2⤵
  PID:11016
- C:\Windows\System32\Ndcinua.exe
  C:\Windows\System32\Ndcinua.exe
  2⤵
  PID:11048
- C:\Windows\System32\YGzgmCK.exe
  C:\Windows\System32\YGzgmCK.exe
  2⤵
  PID:11112
- C:\Windows\System32\LrWjYzO.exe
  C:\Windows\System32\LrWjYzO.exe
  2⤵
  PID:11172
- C:\Windows\System32\NGPNcvn.exe
  C:\Windows\System32\NGPNcvn.exe
  2⤵
  PID:11196
- C:\Windows\System32\dMWxvgm.exe
  C:\Windows\System32\dMWxvgm.exe
  2⤵
  PID:11212
- C:\Windows\System32\NRIpsXI.exe
  C:\Windows\System32\NRIpsXI.exe
  2⤵
  PID:11232
- C:\Windows\System32\zCThYTZ.exe
  C:\Windows\System32\zCThYTZ.exe
  2⤵
  PID:9588
- C:\Windows\System32\CCRtnSV.exe
  C:\Windows\System32\CCRtnSV.exe
  2⤵
  PID:10004
- C:\Windows\System32\hDcyoJu.exe
  C:\Windows\System32\hDcyoJu.exe
  2⤵
  PID:10276
- C:\Windows\System32\bOqpZSs.exe
  C:\Windows\System32\bOqpZSs.exe
  2⤵
  PID:10380
- C:\Windows\System32\RqIqGOp.exe
  C:\Windows\System32\RqIqGOp.exe
  2⤵
  PID:10444
- C:\Windows\System32\iliddJM.exe
  C:\Windows\System32\iliddJM.exe
  2⤵
  PID:10528
- C:\Windows\System32\HPwMGSi.exe
  C:\Windows\System32\HPwMGSi.exe
  2⤵
  PID:10552
- C:\Windows\System32\NduoOnr.exe
  C:\Windows\System32\NduoOnr.exe
  2⤵
  PID:10644
- C:\Windows\System32\BCryOED.exe
  C:\Windows\System32\BCryOED.exe
  2⤵
  PID:10716
- C:\Windows\System32\nmGEwix.exe
  C:\Windows\System32\nmGEwix.exe
  2⤵
  PID:10740
- C:\Windows\System32\RIpPxhF.exe
  C:\Windows\System32\RIpPxhF.exe
  2⤵
  PID:10788
- C:\Windows\System32\DLauKzw.exe
  C:\Windows\System32\DLauKzw.exe
  2⤵
  PID:10896
- C:\Windows\System32\DKhJzGC.exe
  C:\Windows\System32\DKhJzGC.exe
  2⤵
  PID:10944
- C:\Windows\System32\IoENfVS.exe
  C:\Windows\System32\IoENfVS.exe
  2⤵
  PID:10984
- C:\Windows\System32\wpKtgEu.exe
  C:\Windows\System32\wpKtgEu.exe
  2⤵
  PID:11108
- C:\Windows\System32\bXmMyiJ.exe
  C:\Windows\System32\bXmMyiJ.exe
  2⤵
  PID:11180
- C:\Windows\System32\sLoCiIQ.exe
  C:\Windows\System32\sLoCiIQ.exe
  2⤵
  PID:11228
- C:\Windows\System32\xOFJgTD.exe
  C:\Windows\System32\xOFJgTD.exe
  2⤵
  PID:9996
- C:\Windows\System32\wvZrUCA.exe
  C:\Windows\System32\wvZrUCA.exe
  2⤵
  PID:10348
- C:\Windows\System32\dxFsnNl.exe
  C:\Windows\System32\dxFsnNl.exe
  2⤵
  PID:10396
- C:\Windows\System32\ngKWNSS.exe
  C:\Windows\System32\ngKWNSS.exe
  2⤵
  PID:10636
- C:\Windows\System32\pXXOxmT.exe
  C:\Windows\System32\pXXOxmT.exe
  2⤵
  PID:10764
- C:\Windows\System32\HjdBVBJ.exe
  C:\Windows\System32\HjdBVBJ.exe
  2⤵
  PID:10872
- C:\Windows\System32\CgDwHVS.exe
  C:\Windows\System32\CgDwHVS.exe
  2⤵
  PID:11096
- C:\Windows\System32\TdPZLHM.exe
  C:\Windows\System32\TdPZLHM.exe
  2⤵
  PID:11144
- C:\Windows\System32\QosPKfa.exe
  C:\Windows\System32\QosPKfa.exe
  2⤵
  PID:10260
- C:\Windows\System32\nkLPTcw.exe
  C:\Windows\System32\nkLPTcw.exe
  2⤵
  PID:10360
- C:\Windows\System32\WPdDpyK.exe
  C:\Windows\System32\WPdDpyK.exe
  2⤵
  PID:10976
- C:\Windows\System32\BdKUtPm.exe
  C:\Windows\System32\BdKUtPm.exe
  2⤵
  PID:10572
- C:\Windows\System32\FNbHohO.exe
  C:\Windows\System32\FNbHohO.exe
  2⤵
  PID:10480
- C:\Windows\System32\MtISqsL.exe
  C:\Windows\System32\MtISqsL.exe
  2⤵
  PID:11296
- C:\Windows\System32\faSoDee.exe
  C:\Windows\System32\faSoDee.exe
  2⤵
  PID:11340
- C:\Windows\System32\kvrslSJ.exe
  C:\Windows\System32\kvrslSJ.exe
  2⤵
  PID:11372
- C:\Windows\System32\YmvhCJx.exe
  C:\Windows\System32\YmvhCJx.exe
  2⤵
  PID:11408
- C:\Windows\System32\lPIGYxU.exe
  C:\Windows\System32\lPIGYxU.exe
  2⤵
  PID:11444
- C:\Windows\System32\kTjNgJV.exe
  C:\Windows\System32\kTjNgJV.exe
  2⤵
  PID:11460
- C:\Windows\System32\LyIukrh.exe
  C:\Windows\System32\LyIukrh.exe
  2⤵
  PID:11500
- C:\Windows\System32\WTwjGnH.exe
  C:\Windows\System32\WTwjGnH.exe
  2⤵
  PID:11516
- C:\Windows\System32\bkFmRNa.exe
  C:\Windows\System32\bkFmRNa.exe
  2⤵
  PID:11540
- C:\Windows\System32\CHlFpXe.exe
  C:\Windows\System32\CHlFpXe.exe
  2⤵
  PID:11564
- C:\Windows\System32\ZMuFfGw.exe
  C:\Windows\System32\ZMuFfGw.exe
  2⤵
  PID:11584
- C:\Windows\System32\VghxSWT.exe
  C:\Windows\System32\VghxSWT.exe
  2⤵
  PID:11612
- C:\Windows\System32\kIuvEtE.exe
  C:\Windows\System32\kIuvEtE.exe
  2⤵
  PID:11632
- C:\Windows\System32\paAtTJB.exe
  C:\Windows\System32\paAtTJB.exe
  2⤵
  PID:11656
- C:\Windows\System32\cmEYWKt.exe
  C:\Windows\System32\cmEYWKt.exe
  2⤵
  PID:11684
- C:\Windows\System32\iOblXIf.exe
  C:\Windows\System32\iOblXIf.exe
  2⤵
  PID:11708
- C:\Windows\System32\wPeLwuq.exe
  C:\Windows\System32\wPeLwuq.exe
  2⤵
  PID:11752
- C:\Windows\System32\psLsjHF.exe
  C:\Windows\System32\psLsjHF.exe
  2⤵
  PID:11784
- C:\Windows\System32\OLDyyQX.exe
  C:\Windows\System32\OLDyyQX.exe
  2⤵
  PID:11812
- C:\Windows\System32\nwkfclK.exe
  C:\Windows\System32\nwkfclK.exe
  2⤵
  PID:11836
- C:\Windows\System32\ogeyuVG.exe
  C:\Windows\System32\ogeyuVG.exe
  2⤵
  PID:11872
- C:\Windows\System32\rPLHVXj.exe
  C:\Windows\System32\rPLHVXj.exe
  2⤵
  PID:11892
- C:\Windows\System32\llmPWSx.exe
  C:\Windows\System32\llmPWSx.exe
  2⤵
  PID:11908
- C:\Windows\System32\TnUEvrt.exe
  C:\Windows\System32\TnUEvrt.exe
  2⤵
  PID:11932
- C:\Windows\System32\svpTGEl.exe
  C:\Windows\System32\svpTGEl.exe
  2⤵
  PID:11956
- C:\Windows\System32\HJMXbcH.exe
  C:\Windows\System32\HJMXbcH.exe
  2⤵
  PID:11992
- C:\Windows\System32\wQAuEXc.exe
  C:\Windows\System32\wQAuEXc.exe
  2⤵
  PID:12040
- C:\Windows\System32\ARHcoyg.exe
  C:\Windows\System32\ARHcoyg.exe
  2⤵
  PID:12068
- C:\Windows\System32\AqCuEbX.exe
  C:\Windows\System32\AqCuEbX.exe
  2⤵
  PID:12088
- C:\Windows\System32\rTTknee.exe
  C:\Windows\System32\rTTknee.exe
  2⤵
  PID:12116
- C:\Windows\System32\YVasNGe.exe
  C:\Windows\System32\YVasNGe.exe
  2⤵
  PID:12140
- C:\Windows\System32\pQFCxJk.exe
  C:\Windows\System32\pQFCxJk.exe
  2⤵
  PID:12160
- C:\Windows\System32\NUvaFcW.exe
  C:\Windows\System32\NUvaFcW.exe
  2⤵
  PID:12176
- C:\Windows\System32\TaIwlsk.exe
  C:\Windows\System32\TaIwlsk.exe
  2⤵
  PID:12212
- C:\Windows\System32\WBPZUZy.exe
  C:\Windows\System32\WBPZUZy.exe
  2⤵
  PID:12284
- C:\Windows\System32\SnlOUgn.exe
  C:\Windows\System32\SnlOUgn.exe
  2⤵
  PID:11276
- C:\Windows\System32\VmfBlzz.exe
  C:\Windows\System32\VmfBlzz.exe
  2⤵
  PID:11360
- C:\Windows\System32\OoqLZkQ.exe
  C:\Windows\System32\OoqLZkQ.exe
  2⤵
  PID:11392
- C:\Windows\System32\qwuYnNP.exe
  C:\Windows\System32\qwuYnNP.exe
  2⤵
  PID:11416
- C:\Windows\System32\DiwyRNM.exe
  C:\Windows\System32\DiwyRNM.exe
  2⤵
  PID:11512
- C:\Windows\System32\CVlEqZC.exe
  C:\Windows\System32\CVlEqZC.exe
  2⤵
  PID:11576
- C:\Windows\System32\mtbVpFg.exe
  C:\Windows\System32\mtbVpFg.exe
  2⤵
  PID:11628
- C:\Windows\System32\yPEUyvE.exe
  C:\Windows\System32\yPEUyvE.exe
  2⤵
  PID:11716
- C:\Windows\System32\tFtpBbv.exe
  C:\Windows\System32\tFtpBbv.exe
  2⤵
  PID:11832
- C:\Windows\System32\jdtcSdP.exe
  C:\Windows\System32\jdtcSdP.exe
  2⤵
  PID:11844
- C:\Windows\System32\jQUHABr.exe
  C:\Windows\System32\jQUHABr.exe
  2⤵
  PID:11972
- C:\Windows\System32\onwJuBB.exe
  C:\Windows\System32\onwJuBB.exe
  2⤵
  PID:11984
- C:\Windows\System32\VipymaF.exe
  C:\Windows\System32\VipymaF.exe
  2⤵
  PID:12008
- C:\Windows\System32\GYGZQaG.exe
  C:\Windows\System32\GYGZQaG.exe
  2⤵
  PID:12048
- C:\Windows\System32\CLJOVJY.exe
  C:\Windows\System32\CLJOVJY.exe
  2⤵
  PID:3744
- C:\Windows\System32\UHqiUSs.exe
  C:\Windows\System32\UHqiUSs.exe
  2⤵
  PID:12168
- C:\Windows\System32\exOxeAU.exe
  C:\Windows\System32\exOxeAU.exe
  2⤵
  PID:12172
- C:\Windows\System32\JrCzqjI.exe
  C:\Windows\System32\JrCzqjI.exe
  2⤵
  PID:12268
- C:\Windows\System32\FDiKLaz.exe
  C:\Windows\System32\FDiKLaz.exe
  2⤵
  PID:11280
- C:\Windows\System32\vepZuUh.exe
  C:\Windows\System32\vepZuUh.exe
  2⤵
  PID:11492
- C:\Windows\System32\wCRJcNI.exe
  C:\Windows\System32\wCRJcNI.exe
  2⤵
  PID:11524
- C:\Windows\System32\hlqWIKe.exe
  C:\Windows\System32\hlqWIKe.exe
  2⤵
  PID:11728
- C:\Windows\System32\UPCfQzp.exe
  C:\Windows\System32\UPCfQzp.exe
  2⤵
  PID:11672
- C:\Windows\System32\gCRSgkw.exe
  C:\Windows\System32\gCRSgkw.exe
  2⤵
  PID:11940
- C:\Windows\System32\PyaoOtP.exe
  C:\Windows\System32\PyaoOtP.exe
  2⤵
  PID:4736
- C:\Windows\System32\DGKVrYS.exe
  C:\Windows\System32\DGKVrYS.exe
  2⤵
  PID:12148
- C:\Windows\System32\lPMHrSS.exe
  C:\Windows\System32\lPMHrSS.exe
  2⤵
  PID:11452
- C:\Windows\System32\slZIXyh.exe
  C:\Windows\System32\slZIXyh.exe
  2⤵
  PID:11852
- C:\Windows\System32\VCBgOXT.exe
  C:\Windows\System32\VCBgOXT.exe
  2⤵
  PID:12084
- C:\Windows\System32\dhFUuNY.exe
  C:\Windows\System32\dhFUuNY.exe
  2⤵
  PID:11556
- C:\Windows\System32\dWeMuwa.exe
  C:\Windows\System32\dWeMuwa.exe
  2⤵
  PID:11620
- C:\Windows\System32\TZuvepO.exe
  C:\Windows\System32\TZuvepO.exe
  2⤵
  PID:12332
- C:\Windows\System32\bGcxTyn.exe
  C:\Windows\System32\bGcxTyn.exe
  2⤵
  PID:12364
- C:\Windows\System32\NpeYyvx.exe
  C:\Windows\System32\NpeYyvx.exe
  2⤵
  PID:12380
- C:\Windows\System32\CGDJnmW.exe
  C:\Windows\System32\CGDJnmW.exe
  2⤵
  PID:12416
- C:\Windows\System32\FTWUvnX.exe
  C:\Windows\System32\FTWUvnX.exe
  2⤵
  PID:12464
- C:\Windows\System32\BCLtuNp.exe
  C:\Windows\System32\BCLtuNp.exe
  2⤵
  PID:12500
- C:\Windows\System32\OEkRGDm.exe
  C:\Windows\System32\OEkRGDm.exe
  2⤵
  PID:12516
- C:\Windows\System32\zCcgcIF.exe
  C:\Windows\System32\zCcgcIF.exe
  2⤵
  PID:12536
- C:\Windows\System32\gvvsrXn.exe
  C:\Windows\System32\gvvsrXn.exe
  2⤵
  PID:12576
- C:\Windows\System32\lnbMyzt.exe
  C:\Windows\System32\lnbMyzt.exe
  2⤵
  PID:12600
- C:\Windows\System32\ICCNprJ.exe
  C:\Windows\System32\ICCNprJ.exe
  2⤵
  PID:12640
- C:\Windows\System32\BSZyGcP.exe
  C:\Windows\System32\BSZyGcP.exe
  2⤵
  PID:12672
- C:\Windows\System32\ktJvNES.exe
  C:\Windows\System32\ktJvNES.exe
  2⤵
  PID:12696
- C:\Windows\System32\PHvizVr.exe
  C:\Windows\System32\PHvizVr.exe
  2⤵
  PID:12724
- C:\Windows\System32\emeIrlW.exe
  C:\Windows\System32\emeIrlW.exe
  2⤵
  PID:12752
- C:\Windows\System32\psubNzF.exe
  C:\Windows\System32\psubNzF.exe
  2⤵
  PID:12788
- C:\Windows\System32\vicuhSu.exe
  C:\Windows\System32\vicuhSu.exe
  2⤵
  PID:12812
- C:\Windows\System32\nBPubKp.exe
  C:\Windows\System32\nBPubKp.exe
  2⤵
  PID:12836
- C:\Windows\System32\dzaBdBe.exe
  C:\Windows\System32\dzaBdBe.exe
  2⤵
  PID:12856
- C:\Windows\System32\taBLgVn.exe
  C:\Windows\System32\taBLgVn.exe
  2⤵
  PID:12872
- C:\Windows\System32\foJLpFt.exe
  C:\Windows\System32\foJLpFt.exe
  2⤵
  PID:12912
- C:\Windows\System32\ULmQJUD.exe
  C:\Windows\System32\ULmQJUD.exe
  2⤵
  PID:12936
- C:\Windows\System32\tPcuiAQ.exe
  C:\Windows\System32\tPcuiAQ.exe
  2⤵
  PID:12964
- C:\Windows\System32\kOhYQat.exe
  C:\Windows\System32\kOhYQat.exe
  2⤵
  PID:13020
- C:\Windows\System32\HSDBsOV.exe
  C:\Windows\System32\HSDBsOV.exe
  2⤵
  PID:13044
- C:\Windows\System32\Bbchype.exe
  C:\Windows\System32\Bbchype.exe
  2⤵
  PID:13072
- C:\Windows\System32\OZGKbBH.exe
  C:\Windows\System32\OZGKbBH.exe
  2⤵
  PID:13088
- C:\Windows\System32\GaMMJxG.exe
  C:\Windows\System32\GaMMJxG.exe
  2⤵
  PID:13124
- C:\Windows\System32\iRjjjbY.exe
  C:\Windows\System32\iRjjjbY.exe
  2⤵
  PID:13144
- C:\Windows\System32\xrWhcfM.exe
  C:\Windows\System32\xrWhcfM.exe
  2⤵
  PID:13160
- C:\Windows\System32\vcYcwjM.exe
  C:\Windows\System32\vcYcwjM.exe
  2⤵
  PID:13212
- C:\Windows\System32\PvAELvl.exe
  C:\Windows\System32\PvAELvl.exe
  2⤵
  PID:13240
- C:\Windows\System32\hClzzhy.exe
  C:\Windows\System32\hClzzhy.exe
  2⤵
  PID:13260

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:11824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ATFtAcN.exe

Filesize
1.9MB

MD5
a8d51196f06b3fc3206f8edea5fae9b2

SHA1
7eedf3e7521f02012b8e320a2a3e3234edd7af20

SHA256
9b02760a8831f5e537957ff24d4f56a3772e0641fc0fca7b4ff7a549cca03af0

SHA512
178a92f18200e1002b194c1f69e50a96ae67bfca7c9b92a980078d8af8de57067852cddb1f9e9e2ac2ca279ecf4c8fcff03af2df27865b3591a1643a1936ff02

Download Submit
C:\Windows\System32\AtZEkuI.exe

Filesize
1.9MB

MD5
c89da0377297e211bc3aac991d7ae9ec

SHA1
0c679c8aaccb5a3c1efe4d67880ca2cdb6f4e34d

SHA256
ace40383ccdc362fec2a6ab418859c3dacfea3ac41e1cdee67575993353325a6

SHA512
e47cb2c3b099a194986d252f7dce7c8f9b388c207759cd58b086cf55d55482349745f5ba6ab454f151df7a4bd268a5baced3bc370d44b02ce9f8eefe85eb015c

Download Submit
C:\Windows\System32\DCAbMTI.exe

Filesize
1.9MB

MD5
b379933ed3fa90991cb2ee3111abeba7

SHA1
089cbbeb5f5a7d53692e13afcb952c895f39ddb7

SHA256
7cfc5186e5579e88758d273fe9da32021c72cd77255571ed98652e78796f2355

SHA512
a86f5e8e7d8159bc3825ffe8bece52636898cbf392ce2ba6d2010a7c022589cb1b2b5bbc45993f842ce6d818a6899b7e992f15a34ebc3c6250b656a717bbbe09

Download Submit
C:\Windows\System32\EPpsXyk.exe

Filesize
1.9MB

MD5
b713e31a8c34cc8aa5a157be0eee0b2f

SHA1
e575c4c48fb6d0ecaa7e3dd0e0dc584f097884b2

SHA256
f726903f0a7fd4365a49237547952b2382d3b44d09a9a3f800129c3f378d51aa

SHA512
41cc407714962abb4b0e6c6b1409622c5f0189ffeba029fec7fa05c9e77678e5c014fcaad13613988d0c8dff389fc2541e5b970f3102b7fffb73997cfb4dcfe6

Download Submit
C:\Windows\System32\FQYAahI.exe

Filesize
1.9MB

MD5
2fe32f00215366123e0aeadef34c3463

SHA1
931fb3d4f32d494e9ce6e08e3b5963c9d4fa4bb1

SHA256
dfb62dc9904ffa5394e2163811da6275d549030f0326f19854d25fb82c5b1eb2

SHA512
be12607f618252d933931b5439e86551290ac72d73ef9472c8053c7c0ff90825ae8fbaffb509443dc324911a6dcfec371633eb99b24b99de0141201191fcec7e

Download Submit
C:\Windows\System32\KIWSFoA.exe

Filesize
1.9MB

MD5
dd0c39a19afd1f611cac18041cfbf132

SHA1
de73bae19260c790b111ffc10a86da38ec2f6442

SHA256
336a4dab34dc70177d565d88df9fa28149c021b4eb8374e1c92fca230f0a5c8a

SHA512
90991c267c8e1cb56d2c8edb78ce5fc4367c28fe956e6af7295a8cf2f8d22415b4871ad11d1bddce31862964b15149917f4b284dc3b55ba67adbedd9ede4da41

Download Submit
C:\Windows\System32\OLcaNdV.exe

Filesize
1.9MB

MD5
0689e9dea47ade91e22f69d83312d31b

SHA1
2fffb9a72ca2a3340668811ac31704edd7196798

SHA256
5cc1392d2501f113903502e813142e3f01c613db5c45be2f2838de88feb0ad2c

SHA512
52e57c3651c436811f549801b4b86b6e44d9018f156fa7e8a5c30542da0baaf1549b0447a32aa8d1cdf19b48669d680f9d9997741c82fd6578f525123bc498fb

Download Submit
C:\Windows\System32\QiaJHca.exe

Filesize
1.9MB

MD5
1084ded489bd619fe734b1a958011ff6

SHA1
f746c903300a45066c82bfd9c5db777f4c3a28bb

SHA256
29f452bba05083ea798ee02868f1d921cc5d1b431f8461374236d259cb5be781

SHA512
8c9d7d17677937218f53942fb69c577d739eaf35fb2d0c4df84838c53cff653a20f069947ae396e9cc2f6e86a8e2c06b30ecf292afa880a5303f88eef3cad627

Download Submit
C:\Windows\System32\RUUsUni.exe

Filesize
1.9MB

MD5
7fe29060bd767d2f668cb203738b5977

SHA1
873df1340a42c204c550019b8dee135412da5f1d

SHA256
620e96a2e8689383f693dc4033dae17af7e5c892572f372119b80038be2e4580

SHA512
382dd69f15fd7c3d72667e372c554b77eb71478092cddeb3f6f342f4a1bb7d7a4325f934b84f01ad57ebab4782dcea0868a105d5ef774959fd88cbffae4fc7ff

Download Submit
C:\Windows\System32\RuJZqHL.exe

Filesize
1.9MB

MD5
0dbb457e840858b0996ffbfdd8abb637

SHA1
30280de9672a6fd946d22a7baa51ca3a42ba146d

SHA256
a1e19ed63e518dce4cac45a93ed6596a44bf1c2b7214e65ad60890904ba702f5

SHA512
8d9a1a1ffb7afa36f271c16fb017531f493bb9edcbca564a782a24393e3ad242bf665f09b2b2379b4524768b04e4331610dc60daa972b4f19edfb4d10bf64d46

Download Submit
C:\Windows\System32\TfOrrWP.exe

Filesize
1.9MB

MD5
095b9c90b2ac88ab770f6e1786ade82c

SHA1
3641d14ef4f6d34d67f55f6aa7b3907aa993fc3e

SHA256
d19ab280db4e93f654dbe4bdba794bced26338c5d64a6d7ef9bfd6b327a64bb3

SHA512
51b1e71b4dea9cc40bed09e93944bfda50157cb772987a6b770c5d9d197490ac13640d03bf86326dd7404a59965cb3dfce61e2a893a2cb2651df0d5b4cc37ccb

Download Submit
C:\Windows\System32\UDpqxNI.exe

Filesize
1.9MB

MD5
927b19aaf4d94e5c634826541a49082a

SHA1
9893a50f60768adc1e18f4ef3165f8715d9b36d9

SHA256
6d8deba672758c352e07d268ab036ecd70ff856b2a6fe1c745d299d1e5bb91f6

SHA512
2010eee17023e2cf2056ebd543c222c94dc247b76449c7bbd23f931b049142ef0bfd3b51e586cf5534b7d9e09d2477a8572c3207b92ab75c1603bf43d2b93a54

Download Submit
C:\Windows\System32\YNwrsoY.exe

Filesize
1.9MB

MD5
417b075db8f551ba65c6de9353486809

SHA1
7d2b91cd0cd7fae0f03f229d53089e40ecea55d9

SHA256
b928048a5e7d1551bd5f3105309cc86b2dc86ba3b276948441ff56381fa31d11

SHA512
f6c95a966bbb5291787c03bb60c5206cb60304310dd34447a14204e8c8a5400440e8f21d90d898fdd718a97a58ea2e153c066bb4a02d2dbf51e1d10ce521470f

Download Submit
C:\Windows\System32\YhORYwL.exe

Filesize
1.9MB

MD5
537dee7e4e3a875b32f9ea945bdfde54

SHA1
987eda8b0682204d682064a2973d3a3fc934e1fc

SHA256
4cca1e531d45417c5414c651d6c6a06623214825de3b6580080d100740798fe1

SHA512
71ba733e51ab8fffa8fe08722cf0ec4065861a239eee730d53c6163e312986a7710a9ed51788094c0b80f6ee81b6cc8ee7841379473ae10e8503817210a6ba45

Download Submit
C:\Windows\System32\YyCKeCT.exe

Filesize
1.9MB

MD5
6f95b084def7b30cbb3fc0fa2425448b

SHA1
eeda783645863b8b7d28075626f5455817df98d8

SHA256
6e8558bf194e4a9cc80c8e25526471784ed358c222cf7d5a9dfbeff43f1b6475

SHA512
53c92b1c580d398dbf4e75840099511d92a1779729a2a4787aeda646e41143893693db8c6a5719714df06767d2a9586d5badbbf7d58f27e99f2649ae396ce993

Download Submit
C:\Windows\System32\ZfOrlxY.exe

Filesize
1.9MB

MD5
df2c5cb2871db2dcf5fb1d75f2a689e1

SHA1
0f0f8aad4687207aa749636af0f0169c082655a3

SHA256
c7abf357a9e1d6bf336b70a53a2fc3f10a52037b0acfb21cdd6e9211e7b89a26

SHA512
eaefddad12c02fbacfb57b113302210789c84e276df43b51dccc32e5e54b5a76637c182d984fdf5ca2a2d22cd11c567f5b1615a3f86114f37ed0cb883512d905

Download Submit
C:\Windows\System32\bQscetx.exe

Filesize
1.9MB

MD5
59519b01b140017cf140582bb1d1816f

SHA1
c8f183d72a5c5bf9903e736227f0e40e65dd1bab

SHA256
f9d1b758a3398be12ef5a742b30752ceeb01d196455b51add4b93e3b08bfdd8e

SHA512
afcbdbf536bce7aecc0013c31728fcfff621075385b1d32e3e6577ad824e196446cbeb1b30230250754ddbdaa3e722edbdde8d938a9cc537993b66c1614adf0a

Download Submit
C:\Windows\System32\cVyFTZN.exe

Filesize
1.9MB

MD5
41c51f69dafcbb2ff1cb2a25158ebadb

SHA1
1a0db14ce7de8605d3bcacc7386f05df002603be

SHA256
ca82d0c2870ef4e4887cadf40fa8012291c1b1eed35a70565659fae73028ba00

SHA512
07b82dc22bf2776a4482273851d84f914686e2c5ea73179423787760eb16a2c84e3fee30ea6fa44bee75a0cc095108c4f480cadeca1501ddf62831b97b2a99d4

Download Submit
C:\Windows\System32\dLEfEmK.exe

Filesize
1.9MB

MD5
35f6ca31cc4b3679d713b1ffe736fe8d

SHA1
9684e8d2d08b3d79c950c73abee3a78971e04c25

SHA256
e4bab04c2ef4c03c711a13d102750269569c150e75d0c4b0bf0494229914612b

SHA512
7a0956d29b26bf29c86407058ec8d3b5fcb2a944650d5bdcfdb34dfbe549f888d2cfeff265d08b0deabf84fd3e54e03e3c69fe5d02327478c5ec5769d8c247be

Download Submit
C:\Windows\System32\fRZBRvr.exe

Filesize
1.9MB

MD5
521a6cb9020612a3d4fd0d635e4cbcf7

SHA1
6588f93d6edc056cb7ff9633babc9b57ccaae4e3

SHA256
7bc82900c8d92b618cd6f113631f46c501ececff3b0cb4f84e96e0a5a9235532

SHA512
991e27ae50325053e606458f9233c8709219ac9720e6c5fda73bcb70537cd530d0754c328d9ba62c30ce8a4538df04773ee2262f1111137016b04248dc775f70

Download Submit
C:\Windows\System32\hMLASZQ.exe

Filesize
1.9MB

MD5
01a61b4bbebfa2a31f1c8e1af6c3e028

SHA1
9980756caad21544511382fc81fdea5f82721442

SHA256
f6a8ceb3eddcb57925296ca8523c0302ddbc34d4edbdec9625ce6fae363f0dcf

SHA512
cee583c9b87467d13f46f3777950d7f1ef3898b2d3f03f55d6cf3d64fb4b3894d2f328fff0d2e185d8ad9eb94031af0c019eb75945b7fbcee757ae8753838b50

Download Submit
C:\Windows\System32\mpMLSmU.exe

Filesize
1.9MB

MD5
419a1b33193b67d039c45e29ffece732

SHA1
1b7e8cdc56191fb60edfa5b9f350a5218b8e820a

SHA256
09fdefa3e6d5619b0fef40730dad87dc4e70e791bf14c653fd794df2debf5cc5

SHA512
4c041fe01881d6a3f0ddd40d366510fa88b8b511ff1721f537d0b33ffdc4923048625f413ac192a80396ee176f98311c588b346ea079cfea8b8fdc065d1b64a0

Download Submit
C:\Windows\System32\myoyaNj.exe

Filesize
1.9MB

MD5
6b106b326f360520c3c53b47a7b23df5

SHA1
c5d57a1607494bbdda4b72ea6d71a08a01d6a3c2

SHA256
42abf6423e0f02a7e8c4941b87221733dd299e622209a854e1fd5167d2532119

SHA512
bed4e96933ea4e7cc99a8a24e2644ea688b68fa30704c2aeea966aed4c81b2bad87d4ef77767bcea4add162e5c070a65db40921fedcc89eb8c1ea4975ffedcef

Download Submit
C:\Windows\System32\uYYWVfF.exe

Filesize
1.9MB

MD5
0cd90236e7ed45df8031ac6425529484

SHA1
7075b5e0662676603ea419e784bdadef76b2a3fb

SHA256
a53d2e8d6d203f937eb3b2c6155f3d2603e861f1d2bf5cf93d9b30552fd4d3dc

SHA512
8bfeebbc3da00b41d6b483a941e69da3484cae0a8abad3dfbdfdff59005832cdb09ec009f508c567c7ca38f2775d694ef901334cf59b532cd36ad0a6f248d529

Download Submit
C:\Windows\System32\vBbgiAT.exe

Filesize
1.9MB

MD5
153ed891785efe535c5abb6a920b7261

SHA1
46de446476e9462ad995519f13bf99da1ef3cb0a

SHA256
280c78a62acddeecefd8f35f07cd87046cd4783d341ddffe958f4f26bf2020ea

SHA512
624e9ee61c070bfbb6b8cf3849727e53d261e48d3f2120283c4b9772dcd75fff676e2888dcfda5bde2b1a5c352c1e03a753adf1975cf6d2605460ff4426e4feb

Download Submit
C:\Windows\System32\vPZLCca.exe

Filesize
1.9MB

MD5
10dca7b5c7298e73262a57d3d62d3950

SHA1
868d71176724586d0b83a91292359bc2286c8b40

SHA256
d232c5d9ee7dcbd9285bd9df0e5ab857c24b106c11f269200e20a51a2909d31d

SHA512
cf6668e6fb2a281859ee7cc368c635ed7e3567d3df3b8fbfdbfdf1a819aa4485a67541f2d43e3a8a57d3320845c73df22b769e0c42af8747f8db9f76672c814d

Download Submit
C:\Windows\System32\voPrmxp.exe

Filesize
1.9MB

MD5
f8e044fbf44a08716fb4d8d1d0752e9a

SHA1
f315ee4e8adc35316f4693c94ba618a6032245d1

SHA256
abc138bea4d66388119ada3fd4230c4fc35121523ce4aa2de20bc6cd5296f2e9

SHA512
62656027f21c38b21bca78fc79a6d1cc416fc3df2f119b45af7cc07f093127178301902a08a3a195536329e05e479fff07ed33285450d3ddd3f53a875128f277

Download Submit
C:\Windows\System32\wnKEwch.exe

Filesize
1.9MB

MD5
736280789215084761b94511de3a99f6

SHA1
8ca3ee21ea9fc369d0ef52d030bf57ac4be4c37c

SHA256
9fe20368275fae1a123505a8992a072d2d05fd45a030fda08ba74da86b7af9eb

SHA512
40733df19c3fd8d3c5b211bfe1c8c2dfaeea236928fd91893dbfd1a699c2e2888c41882abc8e396f64fd333078fc140172531b80f9a10eca75e00747e566205c

Download Submit
C:\Windows\System32\xFIQPRc.exe

Filesize
1.9MB

MD5
0a1f1b97efec2a7f3102ef628f3cf1ce

SHA1
1612fa563c66e4545f122b954f39378bbd176f03

SHA256
e0e794e2ee5a6408111dcfefeebfb7749d9e727dd2b10a9c4190afa70a829125

SHA512
251162ae845e21a220171fe4aa833ccb15291d131fb7e92f8ad1463cc885dc949a0e94f190b67c639698b193315940710a054532cb5276e33dee60edab078668

Download Submit
C:\Windows\System32\xRLUbMQ.exe

Filesize
1.9MB

MD5
fa5be4248409495fc84f77e451c7070e

SHA1
06f068f1b93e256e99afd682c7d50e2ef40b1f04

SHA256
9f042f28af8f3d14aec1ad5ed23c005beac116dda2960360d94bfd1f3e6d6925

SHA512
aaa3748b5c630a16216e64ec13f8ff94fca88845b1dd2acbf09962e1188854411ad79149937117b83b78e4af15d174dc1a51cf644d2d18ec8872316989529c14

Download Submit
C:\Windows\System32\yCeEBHQ.exe

Filesize
1.9MB

MD5
5c1dfb870d2a6b18c1242b740a252d45

SHA1
9428b78a627296144b3dc774af377c25b86d1a17

SHA256
6a8c784c41bfd4629b00151c53d376b009f80b5b3c48921628151581b62bce70

SHA512
4679b0f59cb2b999803ede8564578df80b53f94f4c2e4cf55705434bf8ed85a71f3679f77217b1da35bab5bdcc9b2a5a80f5f7c4b45302b99a220d6bfca58515

Download Submit
C:\Windows\System32\ykpYwHL.exe

Filesize
1.9MB

MD5
89a7d35df96c03ecacb78236ceadb492

SHA1
ca5732c879881f2e86f8537b25e64eba1e59aa89

SHA256
02db75cd9738245440b015a70a3481d49d77b2907539100df80f85625b409390

SHA512
72c9d10e1bcfb6b8e06c5d42ad49b0520c4a1266ed202e3630de4de3c9b0082a0a8f28a4f5bfe40ac320fb646fd860eb6b2aa62f761873ed3cf69ab686498527

Download Submit
memory/916-2012-0x00007FF7BAA40000-0x00007FF7BAE31000-memory.dmp

Filesize
3.9MB

Download
memory/916-14-0x00007FF7BAA40000-0x00007FF7BAE31000-memory.dmp

Filesize
3.9MB

Download
memory/956-2084-0x00007FF7DE210000-0x00007FF7DE601000-memory.dmp

Filesize
3.9MB

Download
memory/956-504-0x00007FF7DE210000-0x00007FF7DE601000-memory.dmp

Filesize
3.9MB

Download
memory/984-458-0x00007FF7416D0000-0x00007FF741AC1000-memory.dmp

Filesize
3.9MB

Download
memory/984-2006-0x00007FF7416D0000-0x00007FF741AC1000-memory.dmp

Filesize
3.9MB

Download
memory/984-2052-0x00007FF7416D0000-0x00007FF741AC1000-memory.dmp

Filesize
3.9MB

Download
memory/1608-2060-0x00007FF6A92E0000-0x00007FF6A96D1000-memory.dmp

Filesize
3.9MB

Download
memory/1608-465-0x00007FF6A92E0000-0x00007FF6A96D1000-memory.dmp

Filesize
3.9MB

Download
memory/1616-2064-0x00007FF6923C0000-0x00007FF6927B1000-memory.dmp

Filesize
3.9MB

Download
memory/1616-466-0x00007FF6923C0000-0x00007FF6927B1000-memory.dmp

Filesize
3.9MB

Download
memory/1732-2058-0x00007FF6C6CD0000-0x00007FF6C70C1000-memory.dmp

Filesize
3.9MB

Download
memory/1732-30-0x00007FF6C6CD0000-0x00007FF6C70C1000-memory.dmp

Filesize
3.9MB

Download
memory/1732-2005-0x00007FF6C6CD0000-0x00007FF6C70C1000-memory.dmp

Filesize
3.9MB

Download
memory/2028-2053-0x00007FF7399E0000-0x00007FF739DD1000-memory.dmp

Filesize
3.9MB

Download
memory/2028-508-0x00007FF7399E0000-0x00007FF739DD1000-memory.dmp

Filesize
3.9MB

Download
memory/2076-477-0x00007FF615AE0000-0x00007FF615ED1000-memory.dmp

Filesize
3.9MB

Download
memory/2076-2066-0x00007FF615AE0000-0x00007FF615ED1000-memory.dmp

Filesize
3.9MB

Download
memory/2496-464-0x00007FF7A0930000-0x00007FF7A0D21000-memory.dmp

Filesize
3.9MB

Download
memory/2496-2062-0x00007FF7A0930000-0x00007FF7A0D21000-memory.dmp

Filesize
3.9MB

Download
memory/2932-2074-0x00007FF7C4A60000-0x00007FF7C4E51000-memory.dmp

Filesize
3.9MB

Download
memory/2932-497-0x00007FF7C4A60000-0x00007FF7C4E51000-memory.dmp

Filesize
3.9MB

Download
memory/2980-487-0x00007FF7ED0F0000-0x00007FF7ED4E1000-memory.dmp

Filesize
3.9MB

Download
memory/2980-2068-0x00007FF7ED0F0000-0x00007FF7ED4E1000-memory.dmp

Filesize
3.9MB

Download
memory/2996-2057-0x00007FF72AEB0000-0x00007FF72B2A1000-memory.dmp

Filesize
3.9MB

Download
memory/2996-460-0x00007FF72AEB0000-0x00007FF72B2A1000-memory.dmp

Filesize
3.9MB

Download
memory/3024-2076-0x00007FF66F930000-0x00007FF66FD21000-memory.dmp

Filesize
3.9MB

Download
memory/3024-499-0x00007FF66F930000-0x00007FF66FD21000-memory.dmp

Filesize
3.9MB

Download
memory/3316-28-0x00007FF7C5020000-0x00007FF7C5411000-memory.dmp

Filesize
3.9MB

Download
memory/3316-2018-0x00007FF7C5020000-0x00007FF7C5411000-memory.dmp

Filesize
3.9MB

Download
memory/3664-2016-0x00007FF726BC0000-0x00007FF726FB1000-memory.dmp

Filesize
3.9MB

Download
memory/3664-27-0x00007FF726BC0000-0x00007FF726FB1000-memory.dmp

Filesize
3.9MB

Download
memory/3960-2055-0x00007FF6C85F0000-0x00007FF6C89E1000-memory.dmp

Filesize
3.9MB

Download
memory/3960-462-0x00007FF6C85F0000-0x00007FF6C89E1000-memory.dmp

Filesize
3.9MB

Download
memory/4044-0-0x00007FF783B00000-0x00007FF783EF1000-memory.dmp

Filesize
3.9MB

Download
memory/4044-1-0x000001EA34920000-0x000001EA34930000-memory.dmp

Filesize
64KB

Download
memory/4436-2047-0x00007FF7F7350000-0x00007FF7F7741000-memory.dmp

Filesize
3.9MB

Download
memory/4436-461-0x00007FF7F7350000-0x00007FF7F7741000-memory.dmp

Filesize
3.9MB

Download
memory/4480-2078-0x00007FF73BBB0000-0x00007FF73BFA1000-memory.dmp

Filesize
3.9MB

Download
memory/4480-500-0x00007FF73BBB0000-0x00007FF73BFA1000-memory.dmp

Filesize
3.9MB

Download
memory/4600-2014-0x00007FF6F7EB0000-0x00007FF6F82A1000-memory.dmp

Filesize
3.9MB

Download
memory/4600-11-0x00007FF6F7EB0000-0x00007FF6F82A1000-memory.dmp

Filesize
3.9MB

Download
memory/4612-463-0x00007FF6FE690000-0x00007FF6FEA81000-memory.dmp

Filesize
3.9MB

Download
memory/4612-2051-0x00007FF6FE690000-0x00007FF6FEA81000-memory.dmp

Filesize
3.9MB

Download
memory/4712-492-0x00007FF7899C0000-0x00007FF789DB1000-memory.dmp

Filesize
3.9MB

Download
memory/4712-2072-0x00007FF7899C0000-0x00007FF789DB1000-memory.dmp

Filesize
3.9MB

Download
memory/4912-502-0x00007FF761940000-0x00007FF761D31000-memory.dmp

Filesize
3.9MB

Download
memory/4912-2080-0x00007FF761940000-0x00007FF761D31000-memory.dmp

Filesize
3.9MB

Download
memory/4964-503-0x00007FF7E1850000-0x00007FF7E1C41000-memory.dmp

Filesize
3.9MB

Download
memory/4964-2082-0x00007FF7E1850000-0x00007FF7E1C41000-memory.dmp

Filesize
3.9MB

Download
memory/5088-480-0x00007FF677070000-0x00007FF677461000-memory.dmp

Filesize
3.9MB

Download
memory/5088-2070-0x00007FF677070000-0x00007FF677461000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads