xmrig | aad0dfdd4ffd5723eebe6f3afa7a83a336911fc82456339a2a8856a63f8deaf0

Analysis

max time kernel
120s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac33d8fbde62ec58be660400e4049cb0N.exe
Size

1.2MB
MD5

ac33d8fbde62ec58be660400e4049cb0
SHA1

41892d5b77696cd394a50cacfca63c13ab1f4092
SHA256

aad0dfdd4ffd5723eebe6f3afa7a83a336911fc82456339a2a8856a63f8deaf0
SHA512

c4361fe89740eea8e22df4ac88e651c4a255aac13e690b75d41f3173e544d4029e75c0a4774bc644ff205d1c27cc123b18f02b572a2d8b9e63ae4835c687625c
SSDEEP

24576:JanwhSe11QSONCpGJCjETPl+Me7bPMS5bcGvjjsNY6LHLjpdc:knw9oUUEEDl+xTMSwrL4

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/872-326-0x00007FF770280000-0x00007FF770671000-memory.dmp	xmrig
behavioral2/memory/3896-329-0x00007FF6FCA20000-0x00007FF6FCE11000-memory.dmp	xmrig
behavioral2/memory/4988-336-0x00007FF7A0AB0000-0x00007FF7A0EA1000-memory.dmp	xmrig
behavioral2/memory/4900-350-0x00007FF741B80000-0x00007FF741F71000-memory.dmp	xmrig
behavioral2/memory/636-356-0x00007FF7C7600000-0x00007FF7C79F1000-memory.dmp	xmrig
behavioral2/memory/4640-341-0x00007FF6CACC0000-0x00007FF6CB0B1000-memory.dmp	xmrig
behavioral2/memory/3196-370-0x00007FF7EB3E0000-0x00007FF7EB7D1000-memory.dmp	xmrig
behavioral2/memory/3348-386-0x00007FF68E6F0000-0x00007FF68EAE1000-memory.dmp	xmrig
behavioral2/memory/220-391-0x00007FF6D7FE0000-0x00007FF6D83D1000-memory.dmp	xmrig
behavioral2/memory/1504-378-0x00007FF647460000-0x00007FF647851000-memory.dmp	xmrig
behavioral2/memory/4072-372-0x00007FF620A10000-0x00007FF620E01000-memory.dmp	xmrig
behavioral2/memory/1312-359-0x00007FF66A0E0000-0x00007FF66A4D1000-memory.dmp	xmrig
behavioral2/memory/3804-395-0x00007FF632D10000-0x00007FF633101000-memory.dmp	xmrig
behavioral2/memory/3396-398-0x00007FF6EB8D0000-0x00007FF6EBCC1000-memory.dmp	xmrig
behavioral2/memory/3288-405-0x00007FF613B80000-0x00007FF613F71000-memory.dmp	xmrig
behavioral2/memory/4872-404-0x00007FF631C00000-0x00007FF631FF1000-memory.dmp	xmrig
behavioral2/memory/664-400-0x00007FF67C380000-0x00007FF67C771000-memory.dmp	xmrig
behavioral2/memory/2808-397-0x00007FF613BB0000-0x00007FF613FA1000-memory.dmp	xmrig
behavioral2/memory/1920-1990-0x00007FF7AD730000-0x00007FF7ADB21000-memory.dmp	xmrig
behavioral2/memory/3076-1991-0x00007FF7CC960000-0x00007FF7CCD51000-memory.dmp	xmrig
behavioral2/memory/2528-1992-0x00007FF779B60000-0x00007FF779F51000-memory.dmp	xmrig
behavioral2/memory/2956-2025-0x00007FF785E40000-0x00007FF786231000-memory.dmp	xmrig
behavioral2/memory/4904-2026-0x00007FF7F2930000-0x00007FF7F2D21000-memory.dmp	xmrig
behavioral2/memory/2396-2027-0x00007FF65AA30000-0x00007FF65AE21000-memory.dmp	xmrig
behavioral2/memory/1920-2033-0x00007FF7AD730000-0x00007FF7ADB21000-memory.dmp	xmrig
behavioral2/memory/3076-2035-0x00007FF7CC960000-0x00007FF7CCD51000-memory.dmp	xmrig
behavioral2/memory/2396-2037-0x00007FF65AA30000-0x00007FF65AE21000-memory.dmp	xmrig
behavioral2/memory/2528-2039-0x00007FF779B60000-0x00007FF779F51000-memory.dmp	xmrig
behavioral2/memory/2956-2043-0x00007FF785E40000-0x00007FF786231000-memory.dmp	xmrig
behavioral2/memory/4904-2045-0x00007FF7F2930000-0x00007FF7F2D21000-memory.dmp	xmrig
behavioral2/memory/3288-2049-0x00007FF613B80000-0x00007FF613F71000-memory.dmp	xmrig
behavioral2/memory/3896-2047-0x00007FF6FCA20000-0x00007FF6FCE11000-memory.dmp	xmrig
behavioral2/memory/872-2041-0x00007FF770280000-0x00007FF770671000-memory.dmp	xmrig
behavioral2/memory/636-2061-0x00007FF7C7600000-0x00007FF7C79F1000-memory.dmp	xmrig
behavioral2/memory/3804-2076-0x00007FF632D10000-0x00007FF633101000-memory.dmp	xmrig
behavioral2/memory/664-2080-0x00007FF67C380000-0x00007FF67C771000-memory.dmp	xmrig
behavioral2/memory/3348-2070-0x00007FF68E6F0000-0x00007FF68EAE1000-memory.dmp	xmrig
behavioral2/memory/3396-2069-0x00007FF6EB8D0000-0x00007FF6EBCC1000-memory.dmp	xmrig
behavioral2/memory/1504-2065-0x00007FF647460000-0x00007FF647851000-memory.dmp	xmrig
behavioral2/memory/4872-2078-0x00007FF631C00000-0x00007FF631FF1000-memory.dmp	xmrig
behavioral2/memory/4072-2063-0x00007FF620A10000-0x00007FF620E01000-memory.dmp	xmrig
behavioral2/memory/220-2074-0x00007FF6D7FE0000-0x00007FF6D83D1000-memory.dmp	xmrig
behavioral2/memory/2808-2072-0x00007FF613BB0000-0x00007FF613FA1000-memory.dmp	xmrig
behavioral2/memory/4900-2059-0x00007FF741B80000-0x00007FF741F71000-memory.dmp	xmrig
behavioral2/memory/3196-2055-0x00007FF7EB3E0000-0x00007FF7EB7D1000-memory.dmp	xmrig
behavioral2/memory/1312-2057-0x00007FF66A0E0000-0x00007FF66A4D1000-memory.dmp	xmrig
behavioral2/memory/4988-2053-0x00007FF7A0AB0000-0x00007FF7A0EA1000-memory.dmp	xmrig
behavioral2/memory/4640-2051-0x00007FF6CACC0000-0x00007FF6CB0B1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1920	PXEadqa.exe
3076	aLBcWum.exe
2528	ZqklEDt.exe
2396	vLBXHqU.exe
2956	ABTeldn.exe
4904	UCNGCbL.exe
3288	eNwfXLR.exe
872	NPfHKSE.exe
3896	ZrhnQsv.exe
4988	FjOwaqX.exe
4640	bmXtdNe.exe
4900	MMRSmVZ.exe
636	YKKeWLq.exe
1312	ayySuNG.exe
3196	PEQRmhO.exe
4072	aURGmft.exe
1504	rmJjkAE.exe
3348	mrkWsce.exe
220	fvMROFC.exe
3804	yjWqzst.exe
2808	JpDnUgI.exe
3396	nlzuZmI.exe
664	esIfGDf.exe
4872	HROWhXQ.exe
2680	UVYmWnC.exe
4636	FHWFPSx.exe
1376	wHUXhNa.exe
3032	biaWMEA.exe
2076	IRXRMlD.exe
3356	SVMiqtQ.exe
3660	mghresQ.exe
3576	DYIRvOn.exe
1280	lyTjbsW.exe
2240	ClwZVqW.exe
4716	OJlqcUu.exe
3616	UEnziMf.exe
1876	yFWwCqw.exe
3688	ClYUHyF.exe
3448	nRWFxOb.exe
4240	oduxpNc.exe
2236	nfBPdyI.exe
1944	AhEcoOl.exe
3824	sSrdwxK.exe
3284	bcoNhhg.exe
2216	RYCmdSJ.exe
912	dwlNxpg.exe
1172	KGFtdeL.exe
4112	KJgoNex.exe
1200	TdhkXxW.exe
5036	MHWXdFL.exe
1404	jdVDYEI.exe
4436	OOrLRWB.exe
4948	sBjFZjV.exe
860	ABzrDoZ.exe
4564	VDXIeMF.exe
1792	ATnnZjQ.exe
4644	DapGTUI.exe
4256	UNKyYdp.exe
2248	lvleTuS.exe
1616	PzxRrcM.exe
1476	WiCFPiq.exe
2348	cqiazLZ.exe
2624	ITDqicg.exe
4528	wxeQjrA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5004-0-0x00007FF65A460000-0x00007FF65A851000-memory.dmp	upx
behavioral2/files/0x00080000000234fd-4.dat	upx
behavioral2/memory/1920-8-0x00007FF7AD730000-0x00007FF7ADB21000-memory.dmp	upx
behavioral2/files/0x0007000000023502-18.dat	upx
behavioral2/files/0x0007000000023504-20.dat	upx
behavioral2/files/0x0007000000023503-30.dat	upx
behavioral2/files/0x0007000000023506-35.dat	upx
behavioral2/files/0x0007000000023505-39.dat	upx
behavioral2/files/0x0007000000023507-46.dat	upx
behavioral2/files/0x0007000000023508-52.dat	upx
behavioral2/files/0x000700000002350a-62.dat	upx
behavioral2/files/0x000700000002350d-77.dat	upx
behavioral2/files/0x000700000002350e-82.dat	upx
behavioral2/files/0x0007000000023510-90.dat	upx
behavioral2/files/0x0007000000023515-117.dat	upx
behavioral2/files/0x0007000000023517-127.dat	upx
behavioral2/memory/872-326-0x00007FF770280000-0x00007FF770671000-memory.dmp	upx
behavioral2/memory/3896-329-0x00007FF6FCA20000-0x00007FF6FCE11000-memory.dmp	upx
behavioral2/files/0x0007000000023520-168.dat	upx
behavioral2/files/0x000700000002351f-165.dat	upx
behavioral2/files/0x000700000002351e-162.dat	upx
behavioral2/files/0x000700000002351d-157.dat	upx
behavioral2/files/0x000700000002351c-152.dat	upx
behavioral2/files/0x000700000002351b-150.dat	upx
behavioral2/files/0x000700000002351a-145.dat	upx
behavioral2/files/0x0007000000023519-140.dat	upx
behavioral2/memory/4988-336-0x00007FF7A0AB0000-0x00007FF7A0EA1000-memory.dmp	upx
behavioral2/memory/4900-350-0x00007FF741B80000-0x00007FF741F71000-memory.dmp	upx
behavioral2/memory/636-356-0x00007FF7C7600000-0x00007FF7C79F1000-memory.dmp	upx
behavioral2/memory/4640-341-0x00007FF6CACC0000-0x00007FF6CB0B1000-memory.dmp	upx
behavioral2/files/0x0007000000023518-132.dat	upx
behavioral2/files/0x0007000000023516-125.dat	upx
behavioral2/files/0x0007000000023514-112.dat	upx
behavioral2/files/0x0007000000023513-107.dat	upx
behavioral2/files/0x0007000000023512-102.dat	upx
behavioral2/files/0x0007000000023511-97.dat	upx
behavioral2/files/0x000700000002350f-87.dat	upx
behavioral2/files/0x000700000002350c-72.dat	upx
behavioral2/files/0x000700000002350b-67.dat	upx
behavioral2/memory/3196-370-0x00007FF7EB3E0000-0x00007FF7EB7D1000-memory.dmp	upx
behavioral2/memory/3348-386-0x00007FF68E6F0000-0x00007FF68EAE1000-memory.dmp	upx
behavioral2/memory/220-391-0x00007FF6D7FE0000-0x00007FF6D83D1000-memory.dmp	upx
behavioral2/memory/1504-378-0x00007FF647460000-0x00007FF647851000-memory.dmp	upx
behavioral2/memory/4072-372-0x00007FF620A10000-0x00007FF620E01000-memory.dmp	upx
behavioral2/memory/1312-359-0x00007FF66A0E0000-0x00007FF66A4D1000-memory.dmp	upx
behavioral2/files/0x0007000000023509-57.dat	upx
behavioral2/memory/4904-49-0x00007FF7F2930000-0x00007FF7F2D21000-memory.dmp	upx
behavioral2/memory/2396-33-0x00007FF65AA30000-0x00007FF65AE21000-memory.dmp	upx
behavioral2/memory/2956-28-0x00007FF785E40000-0x00007FF786231000-memory.dmp	upx
behavioral2/memory/2528-27-0x00007FF779B60000-0x00007FF779F51000-memory.dmp	upx
behavioral2/memory/3076-21-0x00007FF7CC960000-0x00007FF7CCD51000-memory.dmp	upx
behavioral2/files/0x0007000000023501-24.dat	upx
behavioral2/memory/3804-395-0x00007FF632D10000-0x00007FF633101000-memory.dmp	upx
behavioral2/memory/3396-398-0x00007FF6EB8D0000-0x00007FF6EBCC1000-memory.dmp	upx
behavioral2/memory/3288-405-0x00007FF613B80000-0x00007FF613F71000-memory.dmp	upx
behavioral2/memory/4872-404-0x00007FF631C00000-0x00007FF631FF1000-memory.dmp	upx
behavioral2/memory/664-400-0x00007FF67C380000-0x00007FF67C771000-memory.dmp	upx
behavioral2/memory/2808-397-0x00007FF613BB0000-0x00007FF613FA1000-memory.dmp	upx
behavioral2/memory/1920-1990-0x00007FF7AD730000-0x00007FF7ADB21000-memory.dmp	upx
behavioral2/memory/3076-1991-0x00007FF7CC960000-0x00007FF7CCD51000-memory.dmp	upx
behavioral2/memory/2528-1992-0x00007FF779B60000-0x00007FF779F51000-memory.dmp	upx
behavioral2/memory/2956-2025-0x00007FF785E40000-0x00007FF786231000-memory.dmp	upx
behavioral2/memory/4904-2026-0x00007FF7F2930000-0x00007FF7F2D21000-memory.dmp	upx
behavioral2/memory/2396-2027-0x00007FF65AA30000-0x00007FF65AE21000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\qhOTOaP.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\gJDserE.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\gjtfDwM.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\VdmrCtV.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\CKEAmTU.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\GjxCIlm.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\XgFtLzK.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\KbJZMBq.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\BIytjfL.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\cKomHhO.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\uDabWLu.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\heaqhQH.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\qyaGIdD.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\kpOJRiB.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\mbxhUbE.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\kCyZaXn.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\EJJgDkt.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\DoYzzrN.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\QhnBUqQ.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\PMNHCEt.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\bepcDox.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\oqPOquO.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\QvKiGdA.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\qqEHztL.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\EihEEbB.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\EpyShUL.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\YjmMKCb.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\IAvLFyx.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\QNwmCfn.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\TihagYj.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\nkiycZl.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\McKynTF.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\WCxnxdC.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\Utfjhqg.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\uWRtnqJ.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\WEOkgCg.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\RJnYZvg.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\lyTjbsW.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\kVbUxhC.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\UpLXSeT.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\NgfMAuX.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\SEKlBGC.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\xupWyyT.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\yvjOMXl.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\DsSiYDR.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\XdRXjCY.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\lhYCTci.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\GqpcvpU.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\mzycgde.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\uEgAidM.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\IUMbqYO.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\rxzDBsZ.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\ZmJdiTD.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\nsyNvUY.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\raVSIQU.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\YOdMFQv.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\BebGPWY.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\wgjLkxG.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\RikGtfc.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\YKKeWLq.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\iODjmyO.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\fGLnnmN.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\RCdSqaQ.exe	ac33d8fbde62ec58be660400e4049cb0N.exe
File created	C:\Windows\System32\tCklaMS.exe	ac33d8fbde62ec58be660400e4049cb0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12976	dwm.exe
Token: SeChangeNotifyPrivilege	12976	dwm.exe
Token: 33	12976	dwm.exe
Token: SeIncBasePriorityPrivilege	12976	dwm.exe
Token: SeShutdownPrivilege	12976	dwm.exe
Token: SeCreatePagefilePrivilege	12976	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1920	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	85
PID 5004 wrote to memory of 1920	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	85
PID 5004 wrote to memory of 3076	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	86
PID 5004 wrote to memory of 3076	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	86
PID 5004 wrote to memory of 2528	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	87
PID 5004 wrote to memory of 2528	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	87
PID 5004 wrote to memory of 2396	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	88
PID 5004 wrote to memory of 2396	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	88
PID 5004 wrote to memory of 2956	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	89
PID 5004 wrote to memory of 2956	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	89
PID 5004 wrote to memory of 4904	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	90
PID 5004 wrote to memory of 4904	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	90
PID 5004 wrote to memory of 3288	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	91
PID 5004 wrote to memory of 3288	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	91
PID 5004 wrote to memory of 872	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	92
PID 5004 wrote to memory of 872	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	92
PID 5004 wrote to memory of 3896	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	93
PID 5004 wrote to memory of 3896	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	93
PID 5004 wrote to memory of 4988	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	94
PID 5004 wrote to memory of 4988	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	94
PID 5004 wrote to memory of 4640	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	95
PID 5004 wrote to memory of 4640	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	95
PID 5004 wrote to memory of 4900	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	96
PID 5004 wrote to memory of 4900	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	96
PID 5004 wrote to memory of 636	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	97
PID 5004 wrote to memory of 636	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	97
PID 5004 wrote to memory of 1312	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	98
PID 5004 wrote to memory of 1312	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	98
PID 5004 wrote to memory of 3196	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	99
PID 5004 wrote to memory of 3196	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	99
PID 5004 wrote to memory of 4072	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	100
PID 5004 wrote to memory of 4072	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	100
PID 5004 wrote to memory of 1504	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	101
PID 5004 wrote to memory of 1504	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	101
PID 5004 wrote to memory of 3348	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	102
PID 5004 wrote to memory of 3348	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	102
PID 5004 wrote to memory of 220	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	103
PID 5004 wrote to memory of 220	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	103
PID 5004 wrote to memory of 3804	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	104
PID 5004 wrote to memory of 3804	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	104
PID 5004 wrote to memory of 2808	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	105
PID 5004 wrote to memory of 2808	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	105
PID 5004 wrote to memory of 3396	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	106
PID 5004 wrote to memory of 3396	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	106
PID 5004 wrote to memory of 664	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	107
PID 5004 wrote to memory of 664	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	107
PID 5004 wrote to memory of 4872	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	108
PID 5004 wrote to memory of 4872	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	108
PID 5004 wrote to memory of 2680	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	109
PID 5004 wrote to memory of 2680	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	109
PID 5004 wrote to memory of 4636	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	110
PID 5004 wrote to memory of 4636	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	110
PID 5004 wrote to memory of 1376	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	111
PID 5004 wrote to memory of 1376	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	111
PID 5004 wrote to memory of 3032	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	112
PID 5004 wrote to memory of 3032	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	112
PID 5004 wrote to memory of 2076	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	113
PID 5004 wrote to memory of 2076	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	113
PID 5004 wrote to memory of 3356	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	114
PID 5004 wrote to memory of 3356	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	114
PID 5004 wrote to memory of 3660	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	115
PID 5004 wrote to memory of 3660	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	115
PID 5004 wrote to memory of 3576	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	116
PID 5004 wrote to memory of 3576	5004	ac33d8fbde62ec58be660400e4049cb0N.exe	116

C:\Users\Admin\AppData\Local\Temp\ac33d8fbde62ec58be660400e4049cb0N.exe
"C:\Users\Admin\AppData\Local\Temp\ac33d8fbde62ec58be660400e4049cb0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\System32\PXEadqa.exe
  C:\Windows\System32\PXEadqa.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\aLBcWum.exe
  C:\Windows\System32\aLBcWum.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System32\ZqklEDt.exe
  C:\Windows\System32\ZqklEDt.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System32\vLBXHqU.exe
  C:\Windows\System32\vLBXHqU.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\ABTeldn.exe
  C:\Windows\System32\ABTeldn.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\UCNGCbL.exe
  C:\Windows\System32\UCNGCbL.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\eNwfXLR.exe
  C:\Windows\System32\eNwfXLR.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System32\NPfHKSE.exe
  C:\Windows\System32\NPfHKSE.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System32\ZrhnQsv.exe
  C:\Windows\System32\ZrhnQsv.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System32\FjOwaqX.exe
  C:\Windows\System32\FjOwaqX.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\bmXtdNe.exe
  C:\Windows\System32\bmXtdNe.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\MMRSmVZ.exe
  C:\Windows\System32\MMRSmVZ.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\YKKeWLq.exe
  C:\Windows\System32\YKKeWLq.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System32\ayySuNG.exe
  C:\Windows\System32\ayySuNG.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System32\PEQRmhO.exe
  C:\Windows\System32\PEQRmhO.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\aURGmft.exe
  C:\Windows\System32\aURGmft.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System32\rmJjkAE.exe
  C:\Windows\System32\rmJjkAE.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System32\mrkWsce.exe
  C:\Windows\System32\mrkWsce.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System32\fvMROFC.exe
  C:\Windows\System32\fvMROFC.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System32\yjWqzst.exe
  C:\Windows\System32\yjWqzst.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System32\JpDnUgI.exe
  C:\Windows\System32\JpDnUgI.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System32\nlzuZmI.exe
  C:\Windows\System32\nlzuZmI.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System32\esIfGDf.exe
  C:\Windows\System32\esIfGDf.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System32\HROWhXQ.exe
  C:\Windows\System32\HROWhXQ.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\UVYmWnC.exe
  C:\Windows\System32\UVYmWnC.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System32\FHWFPSx.exe
  C:\Windows\System32\FHWFPSx.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System32\wHUXhNa.exe
  C:\Windows\System32\wHUXhNa.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\biaWMEA.exe
  C:\Windows\System32\biaWMEA.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System32\IRXRMlD.exe
  C:\Windows\System32\IRXRMlD.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\SVMiqtQ.exe
  C:\Windows\System32\SVMiqtQ.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System32\mghresQ.exe
  C:\Windows\System32\mghresQ.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\DYIRvOn.exe
  C:\Windows\System32\DYIRvOn.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System32\lyTjbsW.exe
  C:\Windows\System32\lyTjbsW.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System32\ClwZVqW.exe
  C:\Windows\System32\ClwZVqW.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System32\OJlqcUu.exe
  C:\Windows\System32\OJlqcUu.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System32\UEnziMf.exe
  C:\Windows\System32\UEnziMf.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\yFWwCqw.exe
  C:\Windows\System32\yFWwCqw.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System32\ClYUHyF.exe
  C:\Windows\System32\ClYUHyF.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System32\nRWFxOb.exe
  C:\Windows\System32\nRWFxOb.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\oduxpNc.exe
  C:\Windows\System32\oduxpNc.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\nfBPdyI.exe
  C:\Windows\System32\nfBPdyI.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System32\AhEcoOl.exe
  C:\Windows\System32\AhEcoOl.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\sSrdwxK.exe
  C:\Windows\System32\sSrdwxK.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System32\bcoNhhg.exe
  C:\Windows\System32\bcoNhhg.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\RYCmdSJ.exe
  C:\Windows\System32\RYCmdSJ.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\dwlNxpg.exe
  C:\Windows\System32\dwlNxpg.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System32\KGFtdeL.exe
  C:\Windows\System32\KGFtdeL.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System32\KJgoNex.exe
  C:\Windows\System32\KJgoNex.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System32\TdhkXxW.exe
  C:\Windows\System32\TdhkXxW.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System32\MHWXdFL.exe
  C:\Windows\System32\MHWXdFL.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System32\jdVDYEI.exe
  C:\Windows\System32\jdVDYEI.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System32\OOrLRWB.exe
  C:\Windows\System32\OOrLRWB.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\sBjFZjV.exe
  C:\Windows\System32\sBjFZjV.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\ABzrDoZ.exe
  C:\Windows\System32\ABzrDoZ.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System32\VDXIeMF.exe
  C:\Windows\System32\VDXIeMF.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System32\ATnnZjQ.exe
  C:\Windows\System32\ATnnZjQ.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System32\DapGTUI.exe
  C:\Windows\System32\DapGTUI.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\UNKyYdp.exe
  C:\Windows\System32\UNKyYdp.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\lvleTuS.exe
  C:\Windows\System32\lvleTuS.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System32\PzxRrcM.exe
  C:\Windows\System32\PzxRrcM.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System32\WiCFPiq.exe
  C:\Windows\System32\WiCFPiq.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System32\cqiazLZ.exe
  C:\Windows\System32\cqiazLZ.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System32\ITDqicg.exe
  C:\Windows\System32\ITDqicg.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System32\wxeQjrA.exe
  C:\Windows\System32\wxeQjrA.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\sPaUdBZ.exe
  C:\Windows\System32\sPaUdBZ.exe
  2⤵
  PID:1448
- C:\Windows\System32\TCxGUhw.exe
  C:\Windows\System32\TCxGUhw.exe
  2⤵
  PID:3372
- C:\Windows\System32\rGYLfoM.exe
  C:\Windows\System32\rGYLfoM.exe
  2⤵
  PID:1268
- C:\Windows\System32\XAyLqRx.exe
  C:\Windows\System32\XAyLqRx.exe
  2⤵
  PID:5044
- C:\Windows\System32\AzessFR.exe
  C:\Windows\System32\AzessFR.exe
  2⤵
  PID:3388
- C:\Windows\System32\DDOxAEK.exe
  C:\Windows\System32\DDOxAEK.exe
  2⤵
  PID:4556
- C:\Windows\System32\MGqLGjE.exe
  C:\Windows\System32\MGqLGjE.exe
  2⤵
  PID:4492
- C:\Windows\System32\OZulNew.exe
  C:\Windows\System32\OZulNew.exe
  2⤵
  PID:2008
- C:\Windows\System32\FGfYSMH.exe
  C:\Windows\System32\FGfYSMH.exe
  2⤵
  PID:3504
- C:\Windows\System32\NCjNKoc.exe
  C:\Windows\System32\NCjNKoc.exe
  2⤵
  PID:1648
- C:\Windows\System32\jIEApzv.exe
  C:\Windows\System32\jIEApzv.exe
  2⤵
  PID:4932
- C:\Windows\System32\XdRXjCY.exe
  C:\Windows\System32\XdRXjCY.exe
  2⤵
  PID:2212
- C:\Windows\System32\RlFjCCN.exe
  C:\Windows\System32\RlFjCCN.exe
  2⤵
  PID:4600
- C:\Windows\System32\npaQayB.exe
  C:\Windows\System32\npaQayB.exe
  2⤵
  PID:3160
- C:\Windows\System32\axgzuVM.exe
  C:\Windows\System32\axgzuVM.exe
  2⤵
  PID:3532
- C:\Windows\System32\vCvrAxo.exe
  C:\Windows\System32\vCvrAxo.exe
  2⤵
  PID:2484
- C:\Windows\System32\HdwihTh.exe
  C:\Windows\System32\HdwihTh.exe
  2⤵
  PID:2840
- C:\Windows\System32\QNwmCfn.exe
  C:\Windows\System32\QNwmCfn.exe
  2⤵
  PID:1368
- C:\Windows\System32\lByvWtS.exe
  C:\Windows\System32\lByvWtS.exe
  2⤵
  PID:1264
- C:\Windows\System32\zuexeZA.exe
  C:\Windows\System32\zuexeZA.exe
  2⤵
  PID:796
- C:\Windows\System32\liUJuzb.exe
  C:\Windows\System32\liUJuzb.exe
  2⤵
  PID:4044
- C:\Windows\System32\dCtaBrz.exe
  C:\Windows\System32\dCtaBrz.exe
  2⤵
  PID:2552
- C:\Windows\System32\cWEOftu.exe
  C:\Windows\System32\cWEOftu.exe
  2⤵
  PID:3144
- C:\Windows\System32\qrAVwXd.exe
  C:\Windows\System32\qrAVwXd.exe
  2⤵
  PID:4212
- C:\Windows\System32\AEARfon.exe
  C:\Windows\System32\AEARfon.exe
  2⤵
  PID:2004
- C:\Windows\System32\rEsxDii.exe
  C:\Windows\System32\rEsxDii.exe
  2⤵
  PID:5024
- C:\Windows\System32\DrGUpRf.exe
  C:\Windows\System32\DrGUpRf.exe
  2⤵
  PID:928
- C:\Windows\System32\FQoJoPv.exe
  C:\Windows\System32\FQoJoPv.exe
  2⤵
  PID:1812
- C:\Windows\System32\epmIgFM.exe
  C:\Windows\System32\epmIgFM.exe
  2⤵
  PID:3420
- C:\Windows\System32\HwHNUTk.exe
  C:\Windows\System32\HwHNUTk.exe
  2⤵
  PID:376
- C:\Windows\System32\Epuqbbq.exe
  C:\Windows\System32\Epuqbbq.exe
  2⤵
  PID:4176
- C:\Windows\System32\hNRaZIo.exe
  C:\Windows\System32\hNRaZIo.exe
  2⤵
  PID:4700
- C:\Windows\System32\BLtxHma.exe
  C:\Windows\System32\BLtxHma.exe
  2⤵
  PID:540
- C:\Windows\System32\YOdMFQv.exe
  C:\Windows\System32\YOdMFQv.exe
  2⤵
  PID:3632
- C:\Windows\System32\wviAxhE.exe
  C:\Windows\System32\wviAxhE.exe
  2⤵
  PID:2112
- C:\Windows\System32\gSULyNW.exe
  C:\Windows\System32\gSULyNW.exe
  2⤵
  PID:2788
- C:\Windows\System32\JzAsFjd.exe
  C:\Windows\System32\JzAsFjd.exe
  2⤵
  PID:4732
- C:\Windows\System32\dHFvOaW.exe
  C:\Windows\System32\dHFvOaW.exe
  2⤵
  PID:1052
- C:\Windows\System32\aFigvXB.exe
  C:\Windows\System32\aFigvXB.exe
  2⤵
  PID:1856
- C:\Windows\System32\atSLBoq.exe
  C:\Windows\System32\atSLBoq.exe
  2⤵
  PID:3856
- C:\Windows\System32\dQdKBWD.exe
  C:\Windows\System32\dQdKBWD.exe
  2⤵
  PID:1788
- C:\Windows\System32\OIxAMeG.exe
  C:\Windows\System32\OIxAMeG.exe
  2⤵
  PID:5152
- C:\Windows\System32\mBTHskI.exe
  C:\Windows\System32\mBTHskI.exe
  2⤵
  PID:5192
- C:\Windows\System32\YIaAhnN.exe
  C:\Windows\System32\YIaAhnN.exe
  2⤵
  PID:5248
- C:\Windows\System32\GNmRClB.exe
  C:\Windows\System32\GNmRClB.exe
  2⤵
  PID:5276
- C:\Windows\System32\YJLUsLL.exe
  C:\Windows\System32\YJLUsLL.exe
  2⤵
  PID:5316
- C:\Windows\System32\RNSrhki.exe
  C:\Windows\System32\RNSrhki.exe
  2⤵
  PID:5332
- C:\Windows\System32\GHpnbWd.exe
  C:\Windows\System32\GHpnbWd.exe
  2⤵
  PID:5360
- C:\Windows\System32\DSIuJzp.exe
  C:\Windows\System32\DSIuJzp.exe
  2⤵
  PID:5384
- C:\Windows\System32\yUiHsMu.exe
  C:\Windows\System32\yUiHsMu.exe
  2⤵
  PID:5404
- C:\Windows\System32\tCklaMS.exe
  C:\Windows\System32\tCklaMS.exe
  2⤵
  PID:5440
- C:\Windows\System32\XGTmwaJ.exe
  C:\Windows\System32\XGTmwaJ.exe
  2⤵
  PID:5488
- C:\Windows\System32\DeIKjQP.exe
  C:\Windows\System32\DeIKjQP.exe
  2⤵
  PID:5512
- C:\Windows\System32\RvBXgsd.exe
  C:\Windows\System32\RvBXgsd.exe
  2⤵
  PID:5532
- C:\Windows\System32\ZARIuGT.exe
  C:\Windows\System32\ZARIuGT.exe
  2⤵
  PID:5552
- C:\Windows\System32\gPbfmrr.exe
  C:\Windows\System32\gPbfmrr.exe
  2⤵
  PID:5568
- C:\Windows\System32\NMvqmGj.exe
  C:\Windows\System32\NMvqmGj.exe
  2⤵
  PID:5624
- C:\Windows\System32\gxvAsWi.exe
  C:\Windows\System32\gxvAsWi.exe
  2⤵
  PID:5640
- C:\Windows\System32\CDOzErr.exe
  C:\Windows\System32\CDOzErr.exe
  2⤵
  PID:5664
- C:\Windows\System32\bkxpKTK.exe
  C:\Windows\System32\bkxpKTK.exe
  2⤵
  PID:5680
- C:\Windows\System32\ZsmxUCl.exe
  C:\Windows\System32\ZsmxUCl.exe
  2⤵
  PID:5700
- C:\Windows\System32\Sgubwlk.exe
  C:\Windows\System32\Sgubwlk.exe
  2⤵
  PID:5740
- C:\Windows\System32\aBpBkqX.exe
  C:\Windows\System32\aBpBkqX.exe
  2⤵
  PID:5760
- C:\Windows\System32\EihEEbB.exe
  C:\Windows\System32\EihEEbB.exe
  2⤵
  PID:5776
- C:\Windows\System32\wxfRGhZ.exe
  C:\Windows\System32\wxfRGhZ.exe
  2⤵
  PID:5792
- C:\Windows\System32\xhneJLX.exe
  C:\Windows\System32\xhneJLX.exe
  2⤵
  PID:5808
- C:\Windows\System32\iLquNtE.exe
  C:\Windows\System32\iLquNtE.exe
  2⤵
  PID:5852
- C:\Windows\System32\zTenHJx.exe
  C:\Windows\System32\zTenHJx.exe
  2⤵
  PID:5876
- C:\Windows\System32\adDvHfG.exe
  C:\Windows\System32\adDvHfG.exe
  2⤵
  PID:5892
- C:\Windows\System32\BijQMuI.exe
  C:\Windows\System32\BijQMuI.exe
  2⤵
  PID:5916
- C:\Windows\System32\tqYrfhN.exe
  C:\Windows\System32\tqYrfhN.exe
  2⤵
  PID:5936
- C:\Windows\System32\UHLobIX.exe
  C:\Windows\System32\UHLobIX.exe
  2⤵
  PID:5952
- C:\Windows\System32\sDpRhRZ.exe
  C:\Windows\System32\sDpRhRZ.exe
  2⤵
  PID:5980
- C:\Windows\System32\FKOwFAy.exe
  C:\Windows\System32\FKOwFAy.exe
  2⤵
  PID:6012
- C:\Windows\System32\kTLhUMV.exe
  C:\Windows\System32\kTLhUMV.exe
  2⤵
  PID:6028
- C:\Windows\System32\VdmrCtV.exe
  C:\Windows\System32\VdmrCtV.exe
  2⤵
  PID:6052
- C:\Windows\System32\EpyShUL.exe
  C:\Windows\System32\EpyShUL.exe
  2⤵
  PID:6132
- C:\Windows\System32\biaMbMj.exe
  C:\Windows\System32\biaMbMj.exe
  2⤵
  PID:4940
- C:\Windows\System32\EJJgDkt.exe
  C:\Windows\System32\EJJgDkt.exe
  2⤵
  PID:3672
- C:\Windows\System32\WFvVRjc.exe
  C:\Windows\System32\WFvVRjc.exe
  2⤵
  PID:5164
- C:\Windows\System32\KbDwHMG.exe
  C:\Windows\System32\KbDwHMG.exe
  2⤵
  PID:5256
- C:\Windows\System32\vxdCPyX.exe
  C:\Windows\System32\vxdCPyX.exe
  2⤵
  PID:1708
- C:\Windows\System32\jEeqaoi.exe
  C:\Windows\System32\jEeqaoi.exe
  2⤵
  PID:5324
- C:\Windows\System32\HjCUZzy.exe
  C:\Windows\System32\HjCUZzy.exe
  2⤵
  PID:5376
- C:\Windows\System32\fnsRYJd.exe
  C:\Windows\System32\fnsRYJd.exe
  2⤵
  PID:5352
- C:\Windows\System32\GRveeWg.exe
  C:\Windows\System32\GRveeWg.exe
  2⤵
  PID:5508
- C:\Windows\System32\tuYwujY.exe
  C:\Windows\System32\tuYwujY.exe
  2⤵
  PID:5596
- C:\Windows\System32\mJEVGDn.exe
  C:\Windows\System32\mJEVGDn.exe
  2⤵
  PID:5696
- C:\Windows\System32\zqIPcmt.exe
  C:\Windows\System32\zqIPcmt.exe
  2⤵
  PID:5784
- C:\Windows\System32\lhYCTci.exe
  C:\Windows\System32\lhYCTci.exe
  2⤵
  PID:5804
- C:\Windows\System32\inazJHM.exe
  C:\Windows\System32\inazJHM.exe
  2⤵
  PID:5788
- C:\Windows\System32\bwXLBmk.exe
  C:\Windows\System32\bwXLBmk.exe
  2⤵
  PID:5900
- C:\Windows\System32\atCduQw.exe
  C:\Windows\System32\atCduQw.exe
  2⤵
  PID:5948
- C:\Windows\System32\mGZsMOq.exe
  C:\Windows\System32\mGZsMOq.exe
  2⤵
  PID:5968
- C:\Windows\System32\dEbgVja.exe
  C:\Windows\System32\dEbgVja.exe
  2⤵
  PID:6112
- C:\Windows\System32\Hyntppl.exe
  C:\Windows\System32\Hyntppl.exe
  2⤵
  PID:1104
- C:\Windows\System32\heaqhQH.exe
  C:\Windows\System32\heaqhQH.exe
  2⤵
  PID:2400
- C:\Windows\System32\KHEQcFI.exe
  C:\Windows\System32\KHEQcFI.exe
  2⤵
  PID:2412
- C:\Windows\System32\UehUsQG.exe
  C:\Windows\System32\UehUsQG.exe
  2⤵
  PID:5372
- C:\Windows\System32\DzZWYXP.exe
  C:\Windows\System32\DzZWYXP.exe
  2⤵
  PID:5436
- C:\Windows\System32\ZtwuPGX.exe
  C:\Windows\System32\ZtwuPGX.exe
  2⤵
  PID:5548
- C:\Windows\System32\OAWRfyk.exe
  C:\Windows\System32\OAWRfyk.exe
  2⤵
  PID:5728
- C:\Windows\System32\JYSFeEK.exe
  C:\Windows\System32\JYSFeEK.exe
  2⤵
  PID:5844
- C:\Windows\System32\ZyUftWw.exe
  C:\Windows\System32\ZyUftWw.exe
  2⤵
  PID:5172
- C:\Windows\System32\KUREHrM.exe
  C:\Windows\System32\KUREHrM.exe
  2⤵
  PID:5576
- C:\Windows\System32\xggRuMj.exe
  C:\Windows\System32\xggRuMj.exe
  2⤵
  PID:5524
- C:\Windows\System32\qwlOTiu.exe
  C:\Windows\System32\qwlOTiu.exe
  2⤵
  PID:5928
- C:\Windows\System32\XYsCytx.exe
  C:\Windows\System32\XYsCytx.exe
  2⤵
  PID:5480
- C:\Windows\System32\BPhNjCu.exe
  C:\Windows\System32\BPhNjCu.exe
  2⤵
  PID:6176
- C:\Windows\System32\qyaGIdD.exe
  C:\Windows\System32\qyaGIdD.exe
  2⤵
  PID:6192
- C:\Windows\System32\veKMnGA.exe
  C:\Windows\System32\veKMnGA.exe
  2⤵
  PID:6212
- C:\Windows\System32\fKwgwop.exe
  C:\Windows\System32\fKwgwop.exe
  2⤵
  PID:6244
- C:\Windows\System32\FNLUchK.exe
  C:\Windows\System32\FNLUchK.exe
  2⤵
  PID:6268
- C:\Windows\System32\GqpcvpU.exe
  C:\Windows\System32\GqpcvpU.exe
  2⤵
  PID:6288
- C:\Windows\System32\gPxNfKc.exe
  C:\Windows\System32\gPxNfKc.exe
  2⤵
  PID:6312
- C:\Windows\System32\TBuolyv.exe
  C:\Windows\System32\TBuolyv.exe
  2⤵
  PID:6344
- C:\Windows\System32\XgrcUni.exe
  C:\Windows\System32\XgrcUni.exe
  2⤵
  PID:6372
- C:\Windows\System32\yMnymIT.exe
  C:\Windows\System32\yMnymIT.exe
  2⤵
  PID:6416
- C:\Windows\System32\jnckfMQ.exe
  C:\Windows\System32\jnckfMQ.exe
  2⤵
  PID:6436
- C:\Windows\System32\oDMQSmz.exe
  C:\Windows\System32\oDMQSmz.exe
  2⤵
  PID:6472
- C:\Windows\System32\NVxLqMR.exe
  C:\Windows\System32\NVxLqMR.exe
  2⤵
  PID:6496
- C:\Windows\System32\mzycgde.exe
  C:\Windows\System32\mzycgde.exe
  2⤵
  PID:6544
- C:\Windows\System32\YAZgLTc.exe
  C:\Windows\System32\YAZgLTc.exe
  2⤵
  PID:6560
- C:\Windows\System32\SEKlBGC.exe
  C:\Windows\System32\SEKlBGC.exe
  2⤵
  PID:6580
- C:\Windows\System32\NanbJcf.exe
  C:\Windows\System32\NanbJcf.exe
  2⤵
  PID:6620
- C:\Windows\System32\oJDUqNR.exe
  C:\Windows\System32\oJDUqNR.exe
  2⤵
  PID:6660
- C:\Windows\System32\aGSnOMg.exe
  C:\Windows\System32\aGSnOMg.exe
  2⤵
  PID:6684
- C:\Windows\System32\uIGVXhq.exe
  C:\Windows\System32\uIGVXhq.exe
  2⤵
  PID:6704
- C:\Windows\System32\fedCgac.exe
  C:\Windows\System32\fedCgac.exe
  2⤵
  PID:6724
- C:\Windows\System32\YIbvqjq.exe
  C:\Windows\System32\YIbvqjq.exe
  2⤵
  PID:6740
- C:\Windows\System32\uYXjaEY.exe
  C:\Windows\System32\uYXjaEY.exe
  2⤵
  PID:6764
- C:\Windows\System32\ZebiNVr.exe
  C:\Windows\System32\ZebiNVr.exe
  2⤵
  PID:6784
- C:\Windows\System32\soGUVoU.exe
  C:\Windows\System32\soGUVoU.exe
  2⤵
  PID:6808
- C:\Windows\System32\qEsuFNv.exe
  C:\Windows\System32\qEsuFNv.exe
  2⤵
  PID:6872
- C:\Windows\System32\dIPnIKI.exe
  C:\Windows\System32\dIPnIKI.exe
  2⤵
  PID:6908
- C:\Windows\System32\cKGsERP.exe
  C:\Windows\System32\cKGsERP.exe
  2⤵
  PID:6928
- C:\Windows\System32\KWbBeuW.exe
  C:\Windows\System32\KWbBeuW.exe
  2⤵
  PID:6948
- C:\Windows\System32\jHkcTgP.exe
  C:\Windows\System32\jHkcTgP.exe
  2⤵
  PID:6972
- C:\Windows\System32\vPdbLTY.exe
  C:\Windows\System32\vPdbLTY.exe
  2⤵
  PID:6988
- C:\Windows\System32\ujKPJUD.exe
  C:\Windows\System32\ujKPJUD.exe
  2⤵
  PID:7024
- C:\Windows\System32\blpzXou.exe
  C:\Windows\System32\blpzXou.exe
  2⤵
  PID:7084
- C:\Windows\System32\rBahamn.exe
  C:\Windows\System32\rBahamn.exe
  2⤵
  PID:7104
- C:\Windows\System32\xQVJdZc.exe
  C:\Windows\System32\xQVJdZc.exe
  2⤵
  PID:7124
- C:\Windows\System32\JkYMaeQ.exe
  C:\Windows\System32\JkYMaeQ.exe
  2⤵
  PID:7152
- C:\Windows\System32\AUCCCQg.exe
  C:\Windows\System32\AUCCCQg.exe
  2⤵
  PID:5672
- C:\Windows\System32\klthoGA.exe
  C:\Windows\System32\klthoGA.exe
  2⤵
  PID:6172
- C:\Windows\System32\PvUqtup.exe
  C:\Windows\System32\PvUqtup.exe
  2⤵
  PID:6280
- C:\Windows\System32\WXhqOGN.exe
  C:\Windows\System32\WXhqOGN.exe
  2⤵
  PID:6304
- C:\Windows\System32\dtpCoCY.exe
  C:\Windows\System32\dtpCoCY.exe
  2⤵
  PID:6336
- C:\Windows\System32\NrNJEkr.exe
  C:\Windows\System32\NrNJEkr.exe
  2⤵
  PID:6460
- C:\Windows\System32\oMgtmSc.exe
  C:\Windows\System32\oMgtmSc.exe
  2⤵
  PID:6536
- C:\Windows\System32\agrLUAZ.exe
  C:\Windows\System32\agrLUAZ.exe
  2⤵
  PID:6596
- C:\Windows\System32\diUtbMu.exe
  C:\Windows\System32\diUtbMu.exe
  2⤵
  PID:6656
- C:\Windows\System32\RjKtOxz.exe
  C:\Windows\System32\RjKtOxz.exe
  2⤵
  PID:6760
- C:\Windows\System32\fUEjVIR.exe
  C:\Windows\System32\fUEjVIR.exe
  2⤵
  PID:6732
- C:\Windows\System32\cHplaOs.exe
  C:\Windows\System32\cHplaOs.exe
  2⤵
  PID:6884
- C:\Windows\System32\ypZXMtF.exe
  C:\Windows\System32\ypZXMtF.exe
  2⤵
  PID:6860
- C:\Windows\System32\qevWAqW.exe
  C:\Windows\System32\qevWAqW.exe
  2⤵
  PID:6980
- C:\Windows\System32\pDxecgF.exe
  C:\Windows\System32\pDxecgF.exe
  2⤵
  PID:7072
- C:\Windows\System32\HVXJsIi.exe
  C:\Windows\System32\HVXJsIi.exe
  2⤵
  PID:7120
- C:\Windows\System32\AQwmLvn.exe
  C:\Windows\System32\AQwmLvn.exe
  2⤵
  PID:6080
- C:\Windows\System32\GhBWOlx.exe
  C:\Windows\System32\GhBWOlx.exe
  2⤵
  PID:6236
- C:\Windows\System32\BebGPWY.exe
  C:\Windows\System32\BebGPWY.exe
  2⤵
  PID:6396
- C:\Windows\System32\FPxmeKq.exe
  C:\Windows\System32\FPxmeKq.exe
  2⤵
  PID:6604
- C:\Windows\System32\mVCyQEt.exe
  C:\Windows\System32\mVCyQEt.exe
  2⤵
  PID:6776
- C:\Windows\System32\jYnLwvY.exe
  C:\Windows\System32\jYnLwvY.exe
  2⤵
  PID:6900
- C:\Windows\System32\iJejqSU.exe
  C:\Windows\System32\iJejqSU.exe
  2⤵
  PID:7100
- C:\Windows\System32\JfIAATh.exe
  C:\Windows\System32\JfIAATh.exe
  2⤵
  PID:6308
- C:\Windows\System32\yndSCdf.exe
  C:\Windows\System32\yndSCdf.exe
  2⤵
  PID:6540
- C:\Windows\System32\exghcYt.exe
  C:\Windows\System32\exghcYt.exe
  2⤵
  PID:7148
- C:\Windows\System32\vYGTonx.exe
  C:\Windows\System32\vYGTonx.exe
  2⤵
  PID:6720
- C:\Windows\System32\OBfsEEX.exe
  C:\Windows\System32\OBfsEEX.exe
  2⤵
  PID:6400
- C:\Windows\System32\xupWyyT.exe
  C:\Windows\System32\xupWyyT.exe
  2⤵
  PID:7184
- C:\Windows\System32\vxgMhUi.exe
  C:\Windows\System32\vxgMhUi.exe
  2⤵
  PID:7208
- C:\Windows\System32\wODkZBY.exe
  C:\Windows\System32\wODkZBY.exe
  2⤵
  PID:7236
- C:\Windows\System32\FGJuYBt.exe
  C:\Windows\System32\FGJuYBt.exe
  2⤵
  PID:7260
- C:\Windows\System32\DfCSTAK.exe
  C:\Windows\System32\DfCSTAK.exe
  2⤵
  PID:7276
- C:\Windows\System32\gwJYVVf.exe
  C:\Windows\System32\gwJYVVf.exe
  2⤵
  PID:7332
- C:\Windows\System32\QRgyQjq.exe
  C:\Windows\System32\QRgyQjq.exe
  2⤵
  PID:7384
- C:\Windows\System32\VOKaKXo.exe
  C:\Windows\System32\VOKaKXo.exe
  2⤵
  PID:7408
- C:\Windows\System32\djwRcdA.exe
  C:\Windows\System32\djwRcdA.exe
  2⤵
  PID:7428
- C:\Windows\System32\pjFhIKD.exe
  C:\Windows\System32\pjFhIKD.exe
  2⤵
  PID:7456
- C:\Windows\System32\NBCrunv.exe
  C:\Windows\System32\NBCrunv.exe
  2⤵
  PID:7476
- C:\Windows\System32\ZxAXYLz.exe
  C:\Windows\System32\ZxAXYLz.exe
  2⤵
  PID:7508
- C:\Windows\System32\BkveXXl.exe
  C:\Windows\System32\BkveXXl.exe
  2⤵
  PID:7552
- C:\Windows\System32\EFDSWIv.exe
  C:\Windows\System32\EFDSWIv.exe
  2⤵
  PID:7588
- C:\Windows\System32\bNOXmit.exe
  C:\Windows\System32\bNOXmit.exe
  2⤵
  PID:7616
- C:\Windows\System32\ICCFRnB.exe
  C:\Windows\System32\ICCFRnB.exe
  2⤵
  PID:7636
- C:\Windows\System32\KFHaUQW.exe
  C:\Windows\System32\KFHaUQW.exe
  2⤵
  PID:7652
- C:\Windows\System32\UJfIFJZ.exe
  C:\Windows\System32\UJfIFJZ.exe
  2⤵
  PID:7672
- C:\Windows\System32\CKEAmTU.exe
  C:\Windows\System32\CKEAmTU.exe
  2⤵
  PID:7696
- C:\Windows\System32\YjmMKCb.exe
  C:\Windows\System32\YjmMKCb.exe
  2⤵
  PID:7752
- C:\Windows\System32\ORfOHLN.exe
  C:\Windows\System32\ORfOHLN.exe
  2⤵
  PID:7768
- C:\Windows\System32\kpOJRiB.exe
  C:\Windows\System32\kpOJRiB.exe
  2⤵
  PID:7792
- C:\Windows\System32\cOpqLBs.exe
  C:\Windows\System32\cOpqLBs.exe
  2⤵
  PID:7828
- C:\Windows\System32\XzIpfOP.exe
  C:\Windows\System32\XzIpfOP.exe
  2⤵
  PID:7864
- C:\Windows\System32\UsATCci.exe
  C:\Windows\System32\UsATCci.exe
  2⤵
  PID:7904
- C:\Windows\System32\GxdwHos.exe
  C:\Windows\System32\GxdwHos.exe
  2⤵
  PID:7920
- C:\Windows\System32\MYlGLBa.exe
  C:\Windows\System32\MYlGLBa.exe
  2⤵
  PID:7944
- C:\Windows\System32\thrXpdn.exe
  C:\Windows\System32\thrXpdn.exe
  2⤵
  PID:7976
- C:\Windows\System32\QsdQnkY.exe
  C:\Windows\System32\QsdQnkY.exe
  2⤵
  PID:8000
- C:\Windows\System32\SUcTkqR.exe
  C:\Windows\System32\SUcTkqR.exe
  2⤵
  PID:8020
- C:\Windows\System32\GjxCIlm.exe
  C:\Windows\System32\GjxCIlm.exe
  2⤵
  PID:8056
- C:\Windows\System32\SwbHanR.exe
  C:\Windows\System32\SwbHanR.exe
  2⤵
  PID:8072
- C:\Windows\System32\PavmoYt.exe
  C:\Windows\System32\PavmoYt.exe
  2⤵
  PID:8096
- C:\Windows\System32\xsHJNhJ.exe
  C:\Windows\System32\xsHJNhJ.exe
  2⤵
  PID:8112
- C:\Windows\System32\CVSpIet.exe
  C:\Windows\System32\CVSpIet.exe
  2⤵
  PID:8136
- C:\Windows\System32\yopdBNM.exe
  C:\Windows\System32\yopdBNM.exe
  2⤵
  PID:8160
- C:\Windows\System32\BbBXLWw.exe
  C:\Windows\System32\BbBXLWw.exe
  2⤵
  PID:7228
- C:\Windows\System32\BxvZryh.exe
  C:\Windows\System32\BxvZryh.exe
  2⤵
  PID:7328
- C:\Windows\System32\cEIYvih.exe
  C:\Windows\System32\cEIYvih.exe
  2⤵
  PID:7396
- C:\Windows\System32\IepkgFz.exe
  C:\Windows\System32\IepkgFz.exe
  2⤵
  PID:7424
- C:\Windows\System32\pYJVApj.exe
  C:\Windows\System32\pYJVApj.exe
  2⤵
  PID:7524
- C:\Windows\System32\sjnMvkA.exe
  C:\Windows\System32\sjnMvkA.exe
  2⤵
  PID:7608
- C:\Windows\System32\PGlWjJu.exe
  C:\Windows\System32\PGlWjJu.exe
  2⤵
  PID:7704
- C:\Windows\System32\wgjLkxG.exe
  C:\Windows\System32\wgjLkxG.exe
  2⤵
  PID:7724
- C:\Windows\System32\KZxDPwB.exe
  C:\Windows\System32\KZxDPwB.exe
  2⤵
  PID:7764
- C:\Windows\System32\OliiMRv.exe
  C:\Windows\System32\OliiMRv.exe
  2⤵
  PID:7804
- C:\Windows\System32\wRAtXkr.exe
  C:\Windows\System32\wRAtXkr.exe
  2⤵
  PID:7896
- C:\Windows\System32\UBQSRDl.exe
  C:\Windows\System32\UBQSRDl.exe
  2⤵
  PID:7960
- C:\Windows\System32\AmGfVta.exe
  C:\Windows\System32\AmGfVta.exe
  2⤵
  PID:8120
- C:\Windows\System32\MdeQeyN.exe
  C:\Windows\System32\MdeQeyN.exe
  2⤵
  PID:8156
- C:\Windows\System32\IAvLFyx.exe
  C:\Windows\System32\IAvLFyx.exe
  2⤵
  PID:8144
- C:\Windows\System32\McqaXGj.exe
  C:\Windows\System32\McqaXGj.exe
  2⤵
  PID:5656
- C:\Windows\System32\GhaPrHh.exe
  C:\Windows\System32\GhaPrHh.exe
  2⤵
  PID:7308
- C:\Windows\System32\XgFtLzK.exe
  C:\Windows\System32\XgFtLzK.exe
  2⤵
  PID:7348
- C:\Windows\System32\vGnqhTa.exe
  C:\Windows\System32\vGnqhTa.exe
  2⤵
  PID:7488
- C:\Windows\System32\iBasRCn.exe
  C:\Windows\System32\iBasRCn.exe
  2⤵
  PID:7540
- C:\Windows\System32\clvHhZz.exe
  C:\Windows\System32\clvHhZz.exe
  2⤵
  PID:7744
- C:\Windows\System32\POgpzhH.exe
  C:\Windows\System32\POgpzhH.exe
  2⤵
  PID:8016
- C:\Windows\System32\jNbsfhx.exe
  C:\Windows\System32\jNbsfhx.exe
  2⤵
  PID:7492
- C:\Windows\System32\qhOTOaP.exe
  C:\Windows\System32\qhOTOaP.exe
  2⤵
  PID:7364
- C:\Windows\System32\RhmomwI.exe
  C:\Windows\System32\RhmomwI.exe
  2⤵
  PID:7664
- C:\Windows\System32\Lnzuhwn.exe
  C:\Windows\System32\Lnzuhwn.exe
  2⤵
  PID:8208
- C:\Windows\System32\dRhNFfP.exe
  C:\Windows\System32\dRhNFfP.exe
  2⤵
  PID:8232
- C:\Windows\System32\UJCVHgD.exe
  C:\Windows\System32\UJCVHgD.exe
  2⤵
  PID:8260
- C:\Windows\System32\KmPqlRg.exe
  C:\Windows\System32\KmPqlRg.exe
  2⤵
  PID:8284
- C:\Windows\System32\ueDGDnj.exe
  C:\Windows\System32\ueDGDnj.exe
  2⤵
  PID:8304
- C:\Windows\System32\kVbUxhC.exe
  C:\Windows\System32\kVbUxhC.exe
  2⤵
  PID:8320
- C:\Windows\System32\kmsGLVt.exe
  C:\Windows\System32\kmsGLVt.exe
  2⤵
  PID:8372
- C:\Windows\System32\rzpHwIL.exe
  C:\Windows\System32\rzpHwIL.exe
  2⤵
  PID:8412
- C:\Windows\System32\WPwUWci.exe
  C:\Windows\System32\WPwUWci.exe
  2⤵
  PID:8440
- C:\Windows\System32\mbxhUbE.exe
  C:\Windows\System32\mbxhUbE.exe
  2⤵
  PID:8480
- C:\Windows\System32\bqqIFRC.exe
  C:\Windows\System32\bqqIFRC.exe
  2⤵
  PID:8548
- C:\Windows\System32\TqaWrhX.exe
  C:\Windows\System32\TqaWrhX.exe
  2⤵
  PID:8588
- C:\Windows\System32\EtTEwfB.exe
  C:\Windows\System32\EtTEwfB.exe
  2⤵
  PID:8644
- C:\Windows\System32\RikGtfc.exe
  C:\Windows\System32\RikGtfc.exe
  2⤵
  PID:8700
- C:\Windows\System32\EvJfuLX.exe
  C:\Windows\System32\EvJfuLX.exe
  2⤵
  PID:8716
- C:\Windows\System32\YiNOyuj.exe
  C:\Windows\System32\YiNOyuj.exe
  2⤵
  PID:8732
- C:\Windows\System32\AobpkFU.exe
  C:\Windows\System32\AobpkFU.exe
  2⤵
  PID:8748
- C:\Windows\System32\jaCQcHu.exe
  C:\Windows\System32\jaCQcHu.exe
  2⤵
  PID:8764
- C:\Windows\System32\ezjAXoi.exe
  C:\Windows\System32\ezjAXoi.exe
  2⤵
  PID:8784
- C:\Windows\System32\khtKODq.exe
  C:\Windows\System32\khtKODq.exe
  2⤵
  PID:8828
- C:\Windows\System32\YbwnSFv.exe
  C:\Windows\System32\YbwnSFv.exe
  2⤵
  PID:8872
- C:\Windows\System32\lYCRTrh.exe
  C:\Windows\System32\lYCRTrh.exe
  2⤵
  PID:8896
- C:\Windows\System32\vGkoQxs.exe
  C:\Windows\System32\vGkoQxs.exe
  2⤵
  PID:8912
- C:\Windows\System32\zINjnVI.exe
  C:\Windows\System32\zINjnVI.exe
  2⤵
  PID:8940
- C:\Windows\System32\iSiFwoE.exe
  C:\Windows\System32\iSiFwoE.exe
  2⤵
  PID:8964
- C:\Windows\System32\PdaWOZM.exe
  C:\Windows\System32\PdaWOZM.exe
  2⤵
  PID:9000
- C:\Windows\System32\bepcDox.exe
  C:\Windows\System32\bepcDox.exe
  2⤵
  PID:9044
- C:\Windows\System32\AAbTmKs.exe
  C:\Windows\System32\AAbTmKs.exe
  2⤵
  PID:9076
- C:\Windows\System32\VRzxaIE.exe
  C:\Windows\System32\VRzxaIE.exe
  2⤵
  PID:9092
- C:\Windows\System32\fIodzgR.exe
  C:\Windows\System32\fIodzgR.exe
  2⤵
  PID:9144
- C:\Windows\System32\qRebVcP.exe
  C:\Windows\System32\qRebVcP.exe
  2⤵
  PID:9172
- C:\Windows\System32\gJDserE.exe
  C:\Windows\System32\gJDserE.exe
  2⤵
  PID:7416
- C:\Windows\System32\uaKyBKP.exe
  C:\Windows\System32\uaKyBKP.exe
  2⤵
  PID:7940
- C:\Windows\System32\XkGstSU.exe
  C:\Windows\System32\XkGstSU.exe
  2⤵
  PID:8224
- C:\Windows\System32\OcDCEnY.exe
  C:\Windows\System32\OcDCEnY.exe
  2⤵
  PID:8328
- C:\Windows\System32\xsqekJQ.exe
  C:\Windows\System32\xsqekJQ.exe
  2⤵
  PID:8424
- C:\Windows\System32\bVTAGJN.exe
  C:\Windows\System32\bVTAGJN.exe
  2⤵
  PID:8492
- C:\Windows\System32\ttDpwYI.exe
  C:\Windows\System32\ttDpwYI.exe
  2⤵
  PID:8572
- C:\Windows\System32\XEzUMOR.exe
  C:\Windows\System32\XEzUMOR.exe
  2⤵
  PID:8596
- C:\Windows\System32\FFQYsML.exe
  C:\Windows\System32\FFQYsML.exe
  2⤵
  PID:8560
- C:\Windows\System32\AKLzNAe.exe
  C:\Windows\System32\AKLzNAe.exe
  2⤵
  PID:8580
- C:\Windows\System32\ycGcxdq.exe
  C:\Windows\System32\ycGcxdq.exe
  2⤵
  PID:8756
- C:\Windows\System32\KbJZMBq.exe
  C:\Windows\System32\KbJZMBq.exe
  2⤵
  PID:8656
- C:\Windows\System32\uEDBLLK.exe
  C:\Windows\System32\uEDBLLK.exe
  2⤵
  PID:8792
- C:\Windows\System32\TihagYj.exe
  C:\Windows\System32\TihagYj.exe
  2⤵
  PID:8724
- C:\Windows\System32\WCxnxdC.exe
  C:\Windows\System32\WCxnxdC.exe
  2⤵
  PID:8920
- C:\Windows\System32\PQqgvUJ.exe
  C:\Windows\System32\PQqgvUJ.exe
  2⤵
  PID:8952
- C:\Windows\System32\jypkEXy.exe
  C:\Windows\System32\jypkEXy.exe
  2⤵
  PID:9072
- C:\Windows\System32\lYNMFHM.exe
  C:\Windows\System32\lYNMFHM.exe
  2⤵
  PID:9128
- C:\Windows\System32\PMKlMuc.exe
  C:\Windows\System32\PMKlMuc.exe
  2⤵
  PID:9156
- C:\Windows\System32\rxzDBsZ.exe
  C:\Windows\System32\rxzDBsZ.exe
  2⤵
  PID:9188
- C:\Windows\System32\LclMVvo.exe
  C:\Windows\System32\LclMVvo.exe
  2⤵
  PID:8300
- C:\Windows\System32\FTkCVrS.exe
  C:\Windows\System32\FTkCVrS.exe
  2⤵
  PID:8432
- C:\Windows\System32\DHVUyrM.exe
  C:\Windows\System32\DHVUyrM.exe
  2⤵
  PID:8524
- C:\Windows\System32\yvjOMXl.exe
  C:\Windows\System32\yvjOMXl.exe
  2⤵
  PID:8508
- C:\Windows\System32\zllacvd.exe
  C:\Windows\System32\zllacvd.exe
  2⤵
  PID:8712
- C:\Windows\System32\FvmCTIf.exe
  C:\Windows\System32\FvmCTIf.exe
  2⤵
  PID:8972
- C:\Windows\System32\KHEfqjo.exe
  C:\Windows\System32\KHEfqjo.exe
  2⤵
  PID:9012
- C:\Windows\System32\iODjmyO.exe
  C:\Windows\System32\iODjmyO.exe
  2⤵
  PID:8092
- C:\Windows\System32\QSJqZBp.exe
  C:\Windows\System32\QSJqZBp.exe
  2⤵
  PID:8692
- C:\Windows\System32\CyxOCLI.exe
  C:\Windows\System32\CyxOCLI.exe
  2⤵
  PID:8884
- C:\Windows\System32\nYjdCEb.exe
  C:\Windows\System32\nYjdCEb.exe
  2⤵
  PID:8980
- C:\Windows\System32\tXekMgJ.exe
  C:\Windows\System32\tXekMgJ.exe
  2⤵
  PID:8512
- C:\Windows\System32\PVSBDDk.exe
  C:\Windows\System32\PVSBDDk.exe
  2⤵
  PID:9220
- C:\Windows\System32\ZZAslyl.exe
  C:\Windows\System32\ZZAslyl.exe
  2⤵
  PID:9240
- C:\Windows\System32\sCxJWpx.exe
  C:\Windows\System32\sCxJWpx.exe
  2⤵
  PID:9284
- C:\Windows\System32\xIwGPQm.exe
  C:\Windows\System32\xIwGPQm.exe
  2⤵
  PID:9300
- C:\Windows\System32\kmwCfiy.exe
  C:\Windows\System32\kmwCfiy.exe
  2⤵
  PID:9336
- C:\Windows\System32\uPJMyLC.exe
  C:\Windows\System32\uPJMyLC.exe
  2⤵
  PID:9356
- C:\Windows\System32\ryQYKxC.exe
  C:\Windows\System32\ryQYKxC.exe
  2⤵
  PID:9376
- C:\Windows\System32\AfpQBMm.exe
  C:\Windows\System32\AfpQBMm.exe
  2⤵
  PID:9432
- C:\Windows\System32\bSkcuob.exe
  C:\Windows\System32\bSkcuob.exe
  2⤵
  PID:9480
- C:\Windows\System32\NXJzeyJ.exe
  C:\Windows\System32\NXJzeyJ.exe
  2⤵
  PID:9504
- C:\Windows\System32\AeIdGxS.exe
  C:\Windows\System32\AeIdGxS.exe
  2⤵
  PID:9524
- C:\Windows\System32\okKhpHr.exe
  C:\Windows\System32\okKhpHr.exe
  2⤵
  PID:9568
- C:\Windows\System32\PajGmZu.exe
  C:\Windows\System32\PajGmZu.exe
  2⤵
  PID:9584
- C:\Windows\System32\BBWCVuJ.exe
  C:\Windows\System32\BBWCVuJ.exe
  2⤵
  PID:9604
- C:\Windows\System32\NdPRaQb.exe
  C:\Windows\System32\NdPRaQb.exe
  2⤵
  PID:9628
- C:\Windows\System32\DhBefJX.exe
  C:\Windows\System32\DhBefJX.exe
  2⤵
  PID:9648
- C:\Windows\System32\CfkZtLT.exe
  C:\Windows\System32\CfkZtLT.exe
  2⤵
  PID:9668
- C:\Windows\System32\Jfgascp.exe
  C:\Windows\System32\Jfgascp.exe
  2⤵
  PID:9712
- C:\Windows\System32\Utfjhqg.exe
  C:\Windows\System32\Utfjhqg.exe
  2⤵
  PID:9732
- C:\Windows\System32\THILRlc.exe
  C:\Windows\System32\THILRlc.exe
  2⤵
  PID:9772
- C:\Windows\System32\whpNYBh.exe
  C:\Windows\System32\whpNYBh.exe
  2⤵
  PID:9788
- C:\Windows\System32\ToUznXO.exe
  C:\Windows\System32\ToUznXO.exe
  2⤵
  PID:9816
- C:\Windows\System32\HZImNjV.exe
  C:\Windows\System32\HZImNjV.exe
  2⤵
  PID:9844
- C:\Windows\System32\warfKPx.exe
  C:\Windows\System32\warfKPx.exe
  2⤵
  PID:9872
- C:\Windows\System32\sogelQt.exe
  C:\Windows\System32\sogelQt.exe
  2⤵
  PID:9936
- C:\Windows\System32\lsZXmQD.exe
  C:\Windows\System32\lsZXmQD.exe
  2⤵
  PID:9960
- C:\Windows\System32\KUJwZok.exe
  C:\Windows\System32\KUJwZok.exe
  2⤵
  PID:9976
- C:\Windows\System32\DsSiYDR.exe
  C:\Windows\System32\DsSiYDR.exe
  2⤵
  PID:9996
- C:\Windows\System32\eFxpNPK.exe
  C:\Windows\System32\eFxpNPK.exe
  2⤵
  PID:10020
- C:\Windows\System32\IbwCjJe.exe
  C:\Windows\System32\IbwCjJe.exe
  2⤵
  PID:10060
- C:\Windows\System32\giifQfP.exe
  C:\Windows\System32\giifQfP.exe
  2⤵
  PID:10096
- C:\Windows\System32\NKPIPpL.exe
  C:\Windows\System32\NKPIPpL.exe
  2⤵
  PID:10116
- C:\Windows\System32\AoiHiyL.exe
  C:\Windows\System32\AoiHiyL.exe
  2⤵
  PID:10144
- C:\Windows\System32\fIKYwBd.exe
  C:\Windows\System32\fIKYwBd.exe
  2⤵
  PID:10180
- C:\Windows\System32\YGuXAef.exe
  C:\Windows\System32\YGuXAef.exe
  2⤵
  PID:10204
- C:\Windows\System32\weIxzsl.exe
  C:\Windows\System32\weIxzsl.exe
  2⤵
  PID:10228
- C:\Windows\System32\ECcXMqM.exe
  C:\Windows\System32\ECcXMqM.exe
  2⤵
  PID:8844
- C:\Windows\System32\XQgsbSr.exe
  C:\Windows\System32\XQgsbSr.exe
  2⤵
  PID:8616
- C:\Windows\System32\QPAZWip.exe
  C:\Windows\System32\QPAZWip.exe
  2⤵
  PID:9364
- C:\Windows\System32\WpvtaiN.exe
  C:\Windows\System32\WpvtaiN.exe
  2⤵
  PID:9440
- C:\Windows\System32\NxXpjOv.exe
  C:\Windows\System32\NxXpjOv.exe
  2⤵
  PID:9500
- C:\Windows\System32\gsFqLZj.exe
  C:\Windows\System32\gsFqLZj.exe
  2⤵
  PID:9532
- C:\Windows\System32\RWjNxCu.exe
  C:\Windows\System32\RWjNxCu.exe
  2⤵
  PID:9612
- C:\Windows\System32\aPteQuU.exe
  C:\Windows\System32\aPteQuU.exe
  2⤵
  PID:9700
- C:\Windows\System32\coTPdHB.exe
  C:\Windows\System32\coTPdHB.exe
  2⤵
  PID:9744
- C:\Windows\System32\MwEgRlQ.exe
  C:\Windows\System32\MwEgRlQ.exe
  2⤵
  PID:9796
- C:\Windows\System32\fQqAUik.exe
  C:\Windows\System32\fQqAUik.exe
  2⤵
  PID:9916
- C:\Windows\System32\UpLXSeT.exe
  C:\Windows\System32\UpLXSeT.exe
  2⤵
  PID:9944
- C:\Windows\System32\emCtSUF.exe
  C:\Windows\System32\emCtSUF.exe
  2⤵
  PID:9992
- C:\Windows\System32\QIpcNcJ.exe
  C:\Windows\System32\QIpcNcJ.exe
  2⤵
  PID:10044
- C:\Windows\System32\bSXWtfa.exe
  C:\Windows\System32\bSXWtfa.exe
  2⤵
  PID:10108
- C:\Windows\System32\ZoOALWL.exe
  C:\Windows\System32\ZoOALWL.exe
  2⤵
  PID:10152
- C:\Windows\System32\PHKbAkp.exe
  C:\Windows\System32\PHKbAkp.exe
  2⤵
  PID:8608
- C:\Windows\System32\FDDfFxY.exe
  C:\Windows\System32\FDDfFxY.exe
  2⤵
  PID:9368
- C:\Windows\System32\YxrxxuE.exe
  C:\Windows\System32\YxrxxuE.exe
  2⤵
  PID:9468
- C:\Windows\System32\pXGXtua.exe
  C:\Windows\System32\pXGXtua.exe
  2⤵
  PID:9596
- C:\Windows\System32\njneWXj.exe
  C:\Windows\System32\njneWXj.exe
  2⤵
  PID:9888
- C:\Windows\System32\ojeNXvA.exe
  C:\Windows\System32\ojeNXvA.exe
  2⤵
  PID:10028
- C:\Windows\System32\fsoiGlO.exe
  C:\Windows\System32\fsoiGlO.exe
  2⤵
  PID:10080
- C:\Windows\System32\ClAlfXH.exe
  C:\Windows\System32\ClAlfXH.exe
  2⤵
  PID:9232
- C:\Windows\System32\QLyPPLX.exe
  C:\Windows\System32\QLyPPLX.exe
  2⤵
  PID:9600
- C:\Windows\System32\EavvviK.exe
  C:\Windows\System32\EavvviK.exe
  2⤵
  PID:10084
- C:\Windows\System32\CZQtlQU.exe
  C:\Windows\System32\CZQtlQU.exe
  2⤵
  PID:10196
- C:\Windows\System32\EaVjkUQ.exe
  C:\Windows\System32\EaVjkUQ.exe
  2⤵
  PID:9704
- C:\Windows\System32\sDfpluu.exe
  C:\Windows\System32\sDfpluu.exe
  2⤵
  PID:10244
- C:\Windows\System32\NgfMAuX.exe
  C:\Windows\System32\NgfMAuX.exe
  2⤵
  PID:10276
- C:\Windows\System32\wkErJpk.exe
  C:\Windows\System32\wkErJpk.exe
  2⤵
  PID:10312
- C:\Windows\System32\NSHXVBG.exe
  C:\Windows\System32\NSHXVBG.exe
  2⤵
  PID:10328
- C:\Windows\System32\QaWBwFT.exe
  C:\Windows\System32\QaWBwFT.exe
  2⤵
  PID:10348
- C:\Windows\System32\EacZSUU.exe
  C:\Windows\System32\EacZSUU.exe
  2⤵
  PID:10376
- C:\Windows\System32\VKpUMtU.exe
  C:\Windows\System32\VKpUMtU.exe
  2⤵
  PID:10432
- C:\Windows\System32\yQtvjRC.exe
  C:\Windows\System32\yQtvjRC.exe
  2⤵
  PID:10452
- C:\Windows\System32\uEgAidM.exe
  C:\Windows\System32\uEgAidM.exe
  2⤵
  PID:10476
- C:\Windows\System32\ufwfdqF.exe
  C:\Windows\System32\ufwfdqF.exe
  2⤵
  PID:10496
- C:\Windows\System32\sCyUwRY.exe
  C:\Windows\System32\sCyUwRY.exe
  2⤵
  PID:10532
- C:\Windows\System32\oqPOquO.exe
  C:\Windows\System32\oqPOquO.exe
  2⤵
  PID:10552
- C:\Windows\System32\fGLnnmN.exe
  C:\Windows\System32\fGLnnmN.exe
  2⤵
  PID:10588
- C:\Windows\System32\qoYADFr.exe
  C:\Windows\System32\qoYADFr.exe
  2⤵
  PID:10608
- C:\Windows\System32\ovWjspI.exe
  C:\Windows\System32\ovWjspI.exe
  2⤵
  PID:10624
- C:\Windows\System32\wMPNbyX.exe
  C:\Windows\System32\wMPNbyX.exe
  2⤵
  PID:10660
- C:\Windows\System32\LyazCzZ.exe
  C:\Windows\System32\LyazCzZ.exe
  2⤵
  PID:10680
- C:\Windows\System32\yDQloia.exe
  C:\Windows\System32\yDQloia.exe
  2⤵
  PID:10696
- C:\Windows\System32\LAyTFdB.exe
  C:\Windows\System32\LAyTFdB.exe
  2⤵
  PID:10740
- C:\Windows\System32\WxhmRDV.exe
  C:\Windows\System32\WxhmRDV.exe
  2⤵
  PID:10756
- C:\Windows\System32\ouXdlhE.exe
  C:\Windows\System32\ouXdlhE.exe
  2⤵
  PID:10780
- C:\Windows\System32\xUJeSRA.exe
  C:\Windows\System32\xUJeSRA.exe
  2⤵
  PID:10796
- C:\Windows\System32\csefgEL.exe
  C:\Windows\System32\csefgEL.exe
  2⤵
  PID:10832
- C:\Windows\System32\dbNqiwb.exe
  C:\Windows\System32\dbNqiwb.exe
  2⤵
  PID:10848
- C:\Windows\System32\fECGPXo.exe
  C:\Windows\System32\fECGPXo.exe
  2⤵
  PID:10924
- C:\Windows\System32\YyRnyne.exe
  C:\Windows\System32\YyRnyne.exe
  2⤵
  PID:10948
- C:\Windows\System32\nsSQbBB.exe
  C:\Windows\System32\nsSQbBB.exe
  2⤵
  PID:10984
- C:\Windows\System32\WFrHymQ.exe
  C:\Windows\System32\WFrHymQ.exe
  2⤵
  PID:11008
- C:\Windows\System32\JzgwQCQ.exe
  C:\Windows\System32\JzgwQCQ.exe
  2⤵
  PID:11024
- C:\Windows\System32\OPSPkCt.exe
  C:\Windows\System32\OPSPkCt.exe
  2⤵
  PID:11068
- C:\Windows\System32\ZmJdiTD.exe
  C:\Windows\System32\ZmJdiTD.exe
  2⤵
  PID:11112
- C:\Windows\System32\hTDXNpT.exe
  C:\Windows\System32\hTDXNpT.exe
  2⤵
  PID:11132
- C:\Windows\System32\fqtNfGQ.exe
  C:\Windows\System32\fqtNfGQ.exe
  2⤵
  PID:11156
- C:\Windows\System32\BgUrHfH.exe
  C:\Windows\System32\BgUrHfH.exe
  2⤵
  PID:11176
- C:\Windows\System32\DoYzzrN.exe
  C:\Windows\System32\DoYzzrN.exe
  2⤵
  PID:11216
- C:\Windows\System32\KftHHdk.exe
  C:\Windows\System32\KftHHdk.exe
  2⤵
  PID:11240
- C:\Windows\System32\oVoHWdn.exe
  C:\Windows\System32\oVoHWdn.exe
  2⤵
  PID:11256
- C:\Windows\System32\XWpbeTA.exe
  C:\Windows\System32\XWpbeTA.exe
  2⤵
  PID:10324
- C:\Windows\System32\apZlgas.exe
  C:\Windows\System32\apZlgas.exe
  2⤵
  PID:10368
- C:\Windows\System32\eHWfHot.exe
  C:\Windows\System32\eHWfHot.exe
  2⤵
  PID:10416
- C:\Windows\System32\PkuBvme.exe
  C:\Windows\System32\PkuBvme.exe
  2⤵
  PID:10472
- C:\Windows\System32\dzlvcwp.exe
  C:\Windows\System32\dzlvcwp.exe
  2⤵
  PID:10572
- C:\Windows\System32\xUxoIWO.exe
  C:\Windows\System32\xUxoIWO.exe
  2⤵
  PID:10600
- C:\Windows\System32\qpWvFrE.exe
  C:\Windows\System32\qpWvFrE.exe
  2⤵
  PID:10692
- C:\Windows\System32\UtuDiGI.exe
  C:\Windows\System32\UtuDiGI.exe
  2⤵
  PID:10764
- C:\Windows\System32\kwCuUKf.exe
  C:\Windows\System32\kwCuUKf.exe
  2⤵
  PID:10804
- C:\Windows\System32\nifshkQ.exe
  C:\Windows\System32\nifshkQ.exe
  2⤵
  PID:10892
- C:\Windows\System32\trmAoyR.exe
  C:\Windows\System32\trmAoyR.exe
  2⤵
  PID:10980
- C:\Windows\System32\VNaJtlG.exe
  C:\Windows\System32\VNaJtlG.exe
  2⤵
  PID:11044
- C:\Windows\System32\kYQdAjW.exe
  C:\Windows\System32\kYQdAjW.exe
  2⤵
  PID:11088
- C:\Windows\System32\suxtQzz.exe
  C:\Windows\System32\suxtQzz.exe
  2⤵
  PID:11152
- C:\Windows\System32\GiVJxRD.exe
  C:\Windows\System32\GiVJxRD.exe
  2⤵
  PID:11232
- C:\Windows\System32\sOtQmYu.exe
  C:\Windows\System32\sOtQmYu.exe
  2⤵
  PID:9784
- C:\Windows\System32\VSycCLh.exe
  C:\Windows\System32\VSycCLh.exe
  2⤵
  PID:10400
- C:\Windows\System32\tKNNspf.exe
  C:\Windows\System32\tKNNspf.exe
  2⤵
  PID:10508
- C:\Windows\System32\xYjBdss.exe
  C:\Windows\System32\xYjBdss.exe
  2⤵
  PID:10676
- C:\Windows\System32\qPhZxxn.exe
  C:\Windows\System32\qPhZxxn.exe
  2⤵
  PID:10788
- C:\Windows\System32\RQbFJZV.exe
  C:\Windows\System32\RQbFJZV.exe
  2⤵
  PID:9756
- C:\Windows\System32\QvKiGdA.exe
  C:\Windows\System32\QvKiGdA.exe
  2⤵
  PID:11120
- C:\Windows\System32\cDimiMv.exe
  C:\Windows\System32\cDimiMv.exe
  2⤵
  PID:10304
- C:\Windows\System32\yZhdBsZ.exe
  C:\Windows\System32\yZhdBsZ.exe
  2⤵
  PID:10544
- C:\Windows\System32\dwZfZBr.exe
  C:\Windows\System32\dwZfZBr.exe
  2⤵
  PID:10904
- C:\Windows\System32\AxdlSZH.exe
  C:\Windows\System32\AxdlSZH.exe
  2⤵
  PID:11252
- C:\Windows\System32\pGNvXTq.exe
  C:\Windows\System32\pGNvXTq.exe
  2⤵
  PID:10752
- C:\Windows\System32\JEUmViR.exe
  C:\Windows\System32\JEUmViR.exe
  2⤵
  PID:11316
- C:\Windows\System32\mXAKGZN.exe
  C:\Windows\System32\mXAKGZN.exe
  2⤵
  PID:11340
- C:\Windows\System32\JqprDEP.exe
  C:\Windows\System32\JqprDEP.exe
  2⤵
  PID:11360
- C:\Windows\System32\QWObYTA.exe
  C:\Windows\System32\QWObYTA.exe
  2⤵
  PID:11388
- C:\Windows\System32\onXlEIk.exe
  C:\Windows\System32\onXlEIk.exe
  2⤵
  PID:11412
- C:\Windows\System32\tXHZTZL.exe
  C:\Windows\System32\tXHZTZL.exe
  2⤵
  PID:11428
- C:\Windows\System32\qYurnPt.exe
  C:\Windows\System32\qYurnPt.exe
  2⤵
  PID:11476
- C:\Windows\System32\cuCsjYf.exe
  C:\Windows\System32\cuCsjYf.exe
  2⤵
  PID:11500
- C:\Windows\System32\sAHwOHY.exe
  C:\Windows\System32\sAHwOHY.exe
  2⤵
  PID:11520
- C:\Windows\System32\nsyNvUY.exe
  C:\Windows\System32\nsyNvUY.exe
  2⤵
  PID:11536
- C:\Windows\System32\syRntxn.exe
  C:\Windows\System32\syRntxn.exe
  2⤵
  PID:11580
- C:\Windows\System32\YpbeMtP.exe
  C:\Windows\System32\YpbeMtP.exe
  2⤵
  PID:11608
- C:\Windows\System32\xDkRMTh.exe
  C:\Windows\System32\xDkRMTh.exe
  2⤵
  PID:11628
- C:\Windows\System32\etzljVc.exe
  C:\Windows\System32\etzljVc.exe
  2⤵
  PID:11644
- C:\Windows\System32\qYZpXfk.exe
  C:\Windows\System32\qYZpXfk.exe
  2⤵
  PID:11688
- C:\Windows\System32\eAnDDiw.exe
  C:\Windows\System32\eAnDDiw.exe
  2⤵
  PID:11720
- C:\Windows\System32\XsxGzpJ.exe
  C:\Windows\System32\XsxGzpJ.exe
  2⤵
  PID:11768
- C:\Windows\System32\BIytjfL.exe
  C:\Windows\System32\BIytjfL.exe
  2⤵
  PID:11788
- C:\Windows\System32\vrwlsCv.exe
  C:\Windows\System32\vrwlsCv.exe
  2⤵
  PID:11812
- C:\Windows\System32\FWuwqOc.exe
  C:\Windows\System32\FWuwqOc.exe
  2⤵
  PID:11840
- C:\Windows\System32\WTkKRow.exe
  C:\Windows\System32\WTkKRow.exe
  2⤵
  PID:11872
- C:\Windows\System32\KCGAdHk.exe
  C:\Windows\System32\KCGAdHk.exe
  2⤵
  PID:11888
- C:\Windows\System32\QOkPJGG.exe
  C:\Windows\System32\QOkPJGG.exe
  2⤵
  PID:11916
- C:\Windows\System32\UERgZTw.exe
  C:\Windows\System32\UERgZTw.exe
  2⤵
  PID:11948
- C:\Windows\System32\uWRtnqJ.exe
  C:\Windows\System32\uWRtnqJ.exe
  2⤵
  PID:11976
- C:\Windows\System32\FNQgyUR.exe
  C:\Windows\System32\FNQgyUR.exe
  2⤵
  PID:11996
- C:\Windows\System32\ZclRvll.exe
  C:\Windows\System32\ZclRvll.exe
  2⤵
  PID:12032
- C:\Windows\System32\YkQVqlU.exe
  C:\Windows\System32\YkQVqlU.exe
  2⤵
  PID:12052
- C:\Windows\System32\RVqNZgG.exe
  C:\Windows\System32\RVqNZgG.exe
  2⤵
  PID:12080
- C:\Windows\System32\OjUXTUD.exe
  C:\Windows\System32\OjUXTUD.exe
  2⤵
  PID:12100
- C:\Windows\System32\xdYPRMs.exe
  C:\Windows\System32\xdYPRMs.exe
  2⤵
  PID:12128
- C:\Windows\System32\itowKjE.exe
  C:\Windows\System32\itowKjE.exe
  2⤵
  PID:12144
- C:\Windows\System32\FDXrAfH.exe
  C:\Windows\System32\FDXrAfH.exe
  2⤵
  PID:12184
- C:\Windows\System32\wDUPkkR.exe
  C:\Windows\System32\wDUPkkR.exe
  2⤵
  PID:12224
- C:\Windows\System32\fHclFYQ.exe
  C:\Windows\System32\fHclFYQ.exe
  2⤵
  PID:12252
- C:\Windows\System32\SfbRQXK.exe
  C:\Windows\System32\SfbRQXK.exe
  2⤵
  PID:11076
- C:\Windows\System32\JZtIsSn.exe
  C:\Windows\System32\JZtIsSn.exe
  2⤵
  PID:11300
- C:\Windows\System32\CLmNqoK.exe
  C:\Windows\System32\CLmNqoK.exe
  2⤵
  PID:11396
- C:\Windows\System32\LwmfcZS.exe
  C:\Windows\System32\LwmfcZS.exe
  2⤵
  PID:11472
- C:\Windows\System32\DBKjDdm.exe
  C:\Windows\System32\DBKjDdm.exe
  2⤵
  PID:11492
- C:\Windows\System32\FWuZgRz.exe
  C:\Windows\System32\FWuZgRz.exe
  2⤵
  PID:11564
- C:\Windows\System32\vizprWq.exe
  C:\Windows\System32\vizprWq.exe
  2⤵
  PID:11624
- C:\Windows\System32\KSyRDtb.exe
  C:\Windows\System32\KSyRDtb.exe
  2⤵
  PID:11700
- C:\Windows\System32\hGOnAZa.exe
  C:\Windows\System32\hGOnAZa.exe
  2⤵
  PID:11752
- C:\Windows\System32\gSSJagH.exe
  C:\Windows\System32\gSSJagH.exe
  2⤵
  PID:11800
- C:\Windows\System32\QbhDsQF.exe
  C:\Windows\System32\QbhDsQF.exe
  2⤵
  PID:11868
- C:\Windows\System32\PucHGiL.exe
  C:\Windows\System32\PucHGiL.exe
  2⤵
  PID:11912
- C:\Windows\System32\bdLugVj.exe
  C:\Windows\System32\bdLugVj.exe
  2⤵
  PID:12060
- C:\Windows\System32\OurJVDa.exe
  C:\Windows\System32\OurJVDa.exe
  2⤵
  PID:12024
- C:\Windows\System32\aRNwjmb.exe
  C:\Windows\System32\aRNwjmb.exe
  2⤵
  PID:12120
- C:\Windows\System32\uymGjVp.exe
  C:\Windows\System32\uymGjVp.exe
  2⤵
  PID:12208
- C:\Windows\System32\LSAZsMZ.exe
  C:\Windows\System32\LSAZsMZ.exe
  2⤵
  PID:12240
- C:\Windows\System32\GZbLMaM.exe
  C:\Windows\System32\GZbLMaM.exe
  2⤵
  PID:11328
- C:\Windows\System32\QYhUYCE.exe
  C:\Windows\System32\QYhUYCE.exe
  2⤵
  PID:11440
- C:\Windows\System32\kBjlNlU.exe
  C:\Windows\System32\kBjlNlU.exe
  2⤵
  PID:11604
- C:\Windows\System32\faOholJ.exe
  C:\Windows\System32\faOholJ.exe
  2⤵
  PID:11732
- C:\Windows\System32\QTQIBDS.exe
  C:\Windows\System32\QTQIBDS.exe
  2⤵
  PID:11880
- C:\Windows\System32\SZrvvqf.exe
  C:\Windows\System32\SZrvvqf.exe
  2⤵
  PID:12164
- C:\Windows\System32\bBKokhv.exe
  C:\Windows\System32\bBKokhv.exe
  2⤵
  PID:12176
- C:\Windows\System32\qYTneeQ.exe
  C:\Windows\System32\qYTneeQ.exe
  2⤵
  PID:11356
- C:\Windows\System32\UrFVinv.exe
  C:\Windows\System32\UrFVinv.exe
  2⤵
  PID:11448
- C:\Windows\System32\pkOHIua.exe
  C:\Windows\System32\pkOHIua.exe
  2⤵
  PID:12140
- C:\Windows\System32\WEOkgCg.exe
  C:\Windows\System32\WEOkgCg.exe
  2⤵
  PID:544
- C:\Windows\System32\naAAaJk.exe
  C:\Windows\System32\naAAaJk.exe
  2⤵
  PID:10644
- C:\Windows\System32\gwkOZfP.exe
  C:\Windows\System32\gwkOZfP.exe
  2⤵
  PID:11968
- C:\Windows\System32\bzYefTX.exe
  C:\Windows\System32\bzYefTX.exe
  2⤵
  PID:11652
- C:\Windows\System32\sJVshqF.exe
  C:\Windows\System32\sJVshqF.exe
  2⤵
  PID:12316
- C:\Windows\System32\OduvHFx.exe
  C:\Windows\System32\OduvHFx.exe
  2⤵
  PID:12348
- C:\Windows\System32\hdWnLBy.exe
  C:\Windows\System32\hdWnLBy.exe
  2⤵
  PID:12372
- C:\Windows\System32\ezGeajF.exe
  C:\Windows\System32\ezGeajF.exe
  2⤵
  PID:12392
- C:\Windows\System32\nlQibpP.exe
  C:\Windows\System32\nlQibpP.exe
  2⤵
  PID:12436
- C:\Windows\System32\cteDrer.exe
  C:\Windows\System32\cteDrer.exe
  2⤵
  PID:12472
- C:\Windows\System32\tzPUzFu.exe
  C:\Windows\System32\tzPUzFu.exe
  2⤵
  PID:12508
- C:\Windows\System32\OFBYFmP.exe
  C:\Windows\System32\OFBYFmP.exe
  2⤵
  PID:12528
- C:\Windows\System32\anDROrF.exe
  C:\Windows\System32\anDROrF.exe
  2⤵
  PID:12548
- C:\Windows\System32\GIrazCW.exe
  C:\Windows\System32\GIrazCW.exe
  2⤵
  PID:12564
- C:\Windows\System32\QhnBUqQ.exe
  C:\Windows\System32\QhnBUqQ.exe
  2⤵
  PID:12584
- C:\Windows\System32\FiiKztS.exe
  C:\Windows\System32\FiiKztS.exe
  2⤵
  PID:12612
- C:\Windows\System32\vfkezBt.exe
  C:\Windows\System32\vfkezBt.exe
  2⤵
  PID:12660
- C:\Windows\System32\JpRGhsI.exe
  C:\Windows\System32\JpRGhsI.exe
  2⤵
  PID:12696
- C:\Windows\System32\uRQMGzc.exe
  C:\Windows\System32\uRQMGzc.exe
  2⤵
  PID:12716
- C:\Windows\System32\BJGDZTM.exe
  C:\Windows\System32\BJGDZTM.exe
  2⤵
  PID:12740
- C:\Windows\System32\DQMouNJ.exe
  C:\Windows\System32\DQMouNJ.exe
  2⤵
  PID:12760
- C:\Windows\System32\zhnegGJ.exe
  C:\Windows\System32\zhnegGJ.exe
  2⤵
  PID:12776
- C:\Windows\System32\hpeJEiP.exe
  C:\Windows\System32\hpeJEiP.exe
  2⤵
  PID:12800
- C:\Windows\System32\CnfnuWS.exe
  C:\Windows\System32\CnfnuWS.exe
  2⤵
  PID:12856
- C:\Windows\System32\PveSmgY.exe
  C:\Windows\System32\PveSmgY.exe
  2⤵
  PID:12900
- C:\Windows\System32\IaIDcdu.exe
  C:\Windows\System32\IaIDcdu.exe
  2⤵
  PID:12920
- C:\Windows\System32\YWjbLfB.exe
  C:\Windows\System32\YWjbLfB.exe
  2⤵
  PID:12948
- C:\Windows\System32\PMNHCEt.exe
  C:\Windows\System32\PMNHCEt.exe
  2⤵
  PID:12984
- C:\Windows\System32\gyOszkq.exe
  C:\Windows\System32\gyOszkq.exe
  2⤵
  PID:13004
- C:\Windows\System32\duSSyWP.exe
  C:\Windows\System32\duSSyWP.exe
  2⤵
  PID:13044
- C:\Windows\System32\akWcCBM.exe
  C:\Windows\System32\akWcCBM.exe
  2⤵
  PID:13064
- C:\Windows\System32\ucBXiOY.exe
  C:\Windows\System32\ucBXiOY.exe
  2⤵
  PID:13088
- C:\Windows\System32\EvnJNGZ.exe
  C:\Windows\System32\EvnJNGZ.exe
  2⤵
  PID:13108
- C:\Windows\System32\Jgwffss.exe
  C:\Windows\System32\Jgwffss.exe
  2⤵
  PID:13132
- C:\Windows\System32\KGatcAc.exe
  C:\Windows\System32\KGatcAc.exe
  2⤵
  PID:13176
- C:\Windows\System32\ogrNFnD.exe
  C:\Windows\System32\ogrNFnD.exe
  2⤵
  PID:13200
- C:\Windows\System32\kCyZaXn.exe
  C:\Windows\System32\kCyZaXn.exe
  2⤵
  PID:13224
- C:\Windows\System32\OtAnOiS.exe
  C:\Windows\System32\OtAnOiS.exe
  2⤵
  PID:13244
- C:\Windows\System32\TJVSNLC.exe
  C:\Windows\System32\TJVSNLC.exe
  2⤵
  PID:13264
- C:\Windows\System32\cTPfvbX.exe
  C:\Windows\System32\cTPfvbX.exe
  2⤵
  PID:13280
- C:\Windows\System32\LTbmFSN.exe
  C:\Windows\System32\LTbmFSN.exe
  2⤵
  PID:13304
- C:\Windows\System32\NgpQXBL.exe
  C:\Windows\System32\NgpQXBL.exe
  2⤵
  PID:12308

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ABTeldn.exe

Filesize
1.2MB

MD5
f269231a5103d6ff936aa2bf26f18770

SHA1
7c9b2881e898589391d5acd92f62a3de1cf26525

SHA256
520f779bf293aee5efa96d6d2d5809e7aa3573ea5d9e28e8d4477a7dfbd08cfd

SHA512
5f0bc9d576936e035f7f5e67b02b33185d9afd2464628fb781cec4a5efe473a9fbdc4eb2447d5d4935697bd75825e94557d6c2fbe256739eb06f35faec6cf2d5

Download Submit
C:\Windows\System32\DYIRvOn.exe

Filesize
1.2MB

MD5
818f0f4ffd2369458f4fa54eec861a0e

SHA1
ac134bc426eb8290331a2f39e28e285431807103

SHA256
d1bcf41efeda9f93e2a45f00dbc36a9877bde514b0b610b4d54addf6e7b25b6f

SHA512
2ba0bd97eafd9e9d3a1847325c76e0f7d12ac7f3596bdcf4261b364746e9e7f2d75032abb88be7aacdbd5876799c5d982129860fd0eef9132215d2f95d445c10

Download Submit
C:\Windows\System32\FHWFPSx.exe

Filesize
1.2MB

MD5
29bbe3b8879fdac8b44b47a299bb6454

SHA1
98821ea3b9bdf8035a8c62a6a927762e53be03f1

SHA256
3fceb1d37702e8f9c88554937cb48cd9fabbd403bbba35550e8703ea087b48a7

SHA512
b79a4ef84c97735b3d055dde4de93becb94ed679cd8ab00fcb1dd8fe75ebb59f774f84e5d500e7591971ea0d4f638b885e060799c947e0f5c5b4ad9269dcfbeb

Download Submit
C:\Windows\System32\FjOwaqX.exe

Filesize
1.2MB

MD5
dbd99afdaf5f40b91c77ee63037f6182

SHA1
3280fde56ce7b301e5595f9d7d715214af993721

SHA256
33a9926382d14aac0b59e006b6bda7601bf22e26cd66745f2827658552ab494f

SHA512
7f9821039d74622a69349a89f82d3becb811cbcc00994ea4059260d01eec17167a1a98d9f5e9ea16254a0220007c5c8ea84c8d1975d6b5ae0c507e0504f25832

Download Submit
C:\Windows\System32\HROWhXQ.exe

Filesize
1.2MB

MD5
e106b8cf9f2011d95322044bcbfdff15

SHA1
b9a24131fc8166ee9867693edd22db167e882f6b

SHA256
574bd0af14690c8b673df545afc92b71c2e166e46b54b8d0b6be4124bc3f3273

SHA512
cc353f0ac6e7498e01f39fc905d3614e4a7435ce7e155768d9211d9c004bcabed4bc8a77e1153b33c666c1135e91d62c9324230c00408b0f6a8d496317fe0540

Download Submit
C:\Windows\System32\IRXRMlD.exe

Filesize
1.2MB

MD5
b4f43d9c1a37a79d28816a35f86d9f93

SHA1
a81ee8f041369d6668953d6c6764bea3be4eb92e

SHA256
2e064c477734fd80b474274f8b90f5579e465be07870b009d12b290e48c7abcf

SHA512
7eee0c569a4dc5e8f53a1cd0c128391ffc0feb5b19c105e949f5f2fb4daa898662724a8e595d8c303633ce0c7fd6691736d01800ecf88c83495a4b92027a0f6b

Download Submit
C:\Windows\System32\JpDnUgI.exe

Filesize
1.2MB

MD5
d50e4668c1ab8ecb934cea6ced020a6c

SHA1
87ab204d966daf400a6e5758ba5c653a780c4742

SHA256
282f61447281af32d05defe7d49f427c1b9ec801497c4633f5c04898ab420449

SHA512
093144d5cff32b932c1dd13c76983b3ecd8e47e7d472f014f37a11e4912cffefc18df4e22666849169322c9cfca9db458255ea90ffb250763b80ba25ee63ebd0

Download Submit
C:\Windows\System32\MMRSmVZ.exe

Filesize
1.2MB

MD5
2432a3f5c9b53e009e1df36c8a9f46ac

SHA1
e0f1ad95cb636eca3511f6dc98a43575f805ff42

SHA256
0d00a3861e714f9420fac0de34fdf28680777d5e3a3004f5fbd168be8952869b

SHA512
a82af2b74d339aeb240bb2b01cb29d8d84ae3a30a601c9a62d5e419202192a2582eaf3062e645625183d33db8cb0bbafa0d04abfa318512d7343dc45a787353b

Download Submit
C:\Windows\System32\NPfHKSE.exe

Filesize
1.2MB

MD5
2ab832938503603dbefcda83edb9b82d

SHA1
b92a409a51007028f6aae924407047fd4c7671b5

SHA256
d953404593626902cdccb0ef3571c9cbb699544e70d0ff8649e2334aeae47856

SHA512
1eff7814d56b6678e97d9c0f92e9f1c2fb7590f1efd42aacc00ecc12d645c2cc91d716d1c0a7a5f92c13155d6a060df3c956557e4d7e5b1a674d92c384e1bd9a

Download Submit
C:\Windows\System32\PEQRmhO.exe

Filesize
1.2MB

MD5
f7cc4c8f774c96765eac7bbdfa4bc1c1

SHA1
35870551b113ac4f7467f2d980e9e81a5cf4bcd7

SHA256
84144392eea2761a92e35802f107f9502375792072e24672a603e36bafce7dc3

SHA512
52bd817248c0cee7b19d7e62a1a195e3c0ae094ace3a1d5d69864586794199448dc42714ceb0467b04feb2512f1dcccc287713eb7a801d2f7ccc7e923cca554a

Download Submit
C:\Windows\System32\PXEadqa.exe

Filesize
1.2MB

MD5
23d6ac7a8fdea0f339561387d66cdec9

SHA1
ac79b8f19879c650625764ecf6967eb7c87061e1

SHA256
9a533561005b7c6554b0fc4345210b5deae044f839e7c0eba9fa7f8fc637245c

SHA512
c0c530a261e1eaf871dbda46df305d1448aa2558eb52a8911a827e7b3ea2311abce110b4482f169a24d3d110a8f205064f25076594bed3dc43b69ab2ad0f0d12

Download Submit
C:\Windows\System32\SVMiqtQ.exe

Filesize
1.2MB

MD5
ff53c3283b1bb3f939f5829c3cf44296

SHA1
ae74ccf3fad858ccb0f9440749809439e7d3ad8e

SHA256
0723144087183f06d1afa140837aa751e722b0de0058700cadff6f6ec62bf0ef

SHA512
0c41b368c17a9328e3ba4d3016de3624fe1d61c8b5973c39c73473435afc448c1ff6e85a420704a73431233565f95dddf24c5ee7d4b7b1f95d9bcc3846817f91

Download Submit
C:\Windows\System32\UCNGCbL.exe

Filesize
1.2MB

MD5
bb1458fdd8b6cf8cf7613a8533bcd323

SHA1
518405dbcc1f8bc03b191d6a856ea6fa0ef0bfce

SHA256
a5b8be21f345dbbba1bd9c9381fd349456036e5500ede8556047e1405a0b4e46

SHA512
da0619daabcb63573fa0540a9879643bd8582408152210d82cf4cefa536475e4b1c6df7f11ecee7aa406ff1bb067027a0ade4a43daea9beceec058d3026de62d

Download Submit
C:\Windows\System32\UVYmWnC.exe

Filesize
1.2MB

MD5
b08b964648d6b4678210ee437dbf3066

SHA1
afd2d1ae7ec8339192411857cc50caac4ed2883a

SHA256
8e35c6f417c21c89d23e60e0eacd4471d3fcf68e31fad2a235f28d52ebe55383

SHA512
4ce702810c16e312c557b2d42c576c7bb3d6f7881788897243034bdce03509be9cf458c99035eee514151c70e969fc8fccaca1be030c67d8ddc10d46f27efb0c

Download Submit
C:\Windows\System32\YKKeWLq.exe

Filesize
1.2MB

MD5
3bc1a82ed81e7fbc5894b461beafe575

SHA1
dfca8a35536e1f1ca504e2e8a1ece36aa9c3cbb6

SHA256
00885843c90abf71f698004c5a7b975479a5a75207d9a45c0257bb8fd4f743df

SHA512
3241fdcacf488ff14e2b3e15874ff14e1d4773beb0b6bc459853309eaa2fcf343723a974058bc79603177868434a4c544188857609dd39ee43045f7e0f98c70c

Download Submit
C:\Windows\System32\ZqklEDt.exe

Filesize
1.2MB

MD5
77a89dc257f4a9196e56bec663bebfe6

SHA1
ae711f1d8e3c31ba287aeffba67643c664542a43

SHA256
e40682f69fdeab9581e33d94c8a8adeaafb5fb7b3c3c93b6a903c9f9ca6484bf

SHA512
1fac8846a1638f25afb6948b2e8ff93be3cbbbee191e49d8648ff18ed5a5805cde09a8bf1ab2cdae08f72888c8ec71fcf76d07b7494968376d63748a557f2796

Download Submit
C:\Windows\System32\ZrhnQsv.exe

Filesize
1.2MB

MD5
4f1df4e6af912a272c58a03676b185c9

SHA1
d0cd8c7deb159c9adfa4fd59d06bd5abe69b027e

SHA256
50f5650a3aff572c02b0e6767a0029d8fb5537223a89e8e086f72d45eeaec614

SHA512
a0203fa4d799eee5847a83227ee9d4ab8ddbdc29aa10f9d9613b1593bb7e0d6cbbdf709eb2a58f0a1a9bfd29feae5ca2806fbae77aa9d864238dd43003f651d5

Download Submit
C:\Windows\System32\aLBcWum.exe

Filesize
1.2MB

MD5
5331df683bce7d827b22b884a346a7e7

SHA1
ed51530ce5ce23f4cbc08c01e85f1086db5c8b99

SHA256
aae30a295e4db7966290a686f766882d89be8ee2c38b2cf62504402aa025df9e

SHA512
87943a5d2b04c8459f47ab0275dd8bcfb2a5e874093d57a68ec429630e8a5c9dc4e7fc28d6404ab0bc9093206f8dfd2ef79751913f234331508fe2390d122ee8

Download Submit
C:\Windows\System32\aURGmft.exe

Filesize
1.2MB

MD5
1786d5bade3c5cad43d6ff09b9570910

SHA1
478236023be16ea97ae3c9da0a587de9d39ee82c

SHA256
fdbe5853690766798cba456aada45f657df0632255c13d2847591f0895f44ab8

SHA512
1084a5446b42ff8c2922bc5ff227e399bfb5a19bbcbebbca7d26422cfbb19b94d53bdf596b833cb422e0ffdddafae4db5e952a49f83347e81898b09381118c1f

Download Submit
C:\Windows\System32\ayySuNG.exe

Filesize
1.2MB

MD5
663a7771f2588a4941ede60bbd5e4bd2

SHA1
dbb6ce284e487a70b8b889776ee38ef38fc34612

SHA256
af1e64613a25d97f962e828edb3907bcd8631732e92425e30e8ee7ca3be28541

SHA512
5bdbc2ed545f2e2a752728362af93faa617464ced395a0bf0958587bd94c10eb487714ee96ea8f0f71d5eaf7e8396bcf30a316a314f46fcaf42c3faa6f99d52c

Download Submit
C:\Windows\System32\biaWMEA.exe

Filesize
1.2MB

MD5
c55129e9d64c7c06bd6c5d78de3ce804

SHA1
f142c1773a7b9221a5bb2b2df191e47f64f60ddc

SHA256
250f1020e1a7963abab9ab8ec3e29572a3d7deb5605e304aba45c835495a5c84

SHA512
d31e96de593b27d985b05e19ead9762d2b2f7ad2c87adb3c7e1227f7b08942c2b4ab52aca78f337fdb600ab3eb58bfb2a832aa830dd40fec715e986478873c89

Download Submit
C:\Windows\System32\bmXtdNe.exe

Filesize
1.2MB

MD5
83a7c1e78851c0ddf484a47133238eb3

SHA1
bef60903c6e74316671da3f327bd84016d816a83

SHA256
e3c6ca75a4498b0973d59a4511e64d4c58d2ef7a3e7cd3b3a72d3ab3406def90

SHA512
a3ebd6d8651e221483ee68b58d1df036dc76cb42458ff62dcd19350f8313295fa98daa11d70d97756e3d6b95eb0c2e6eff316c397f0d47296391d3f602ef41e5

Download Submit
C:\Windows\System32\eNwfXLR.exe

Filesize
1.2MB

MD5
62a75cb752be52f17bc6fcef340a2273

SHA1
3fbb20ad740fbbfdebea530334cac823d6cd1e5f

SHA256
f8cfddc2481f90c802b1005b030d41cc3de5f1cad2cc62ead88e19cf62dcb55b

SHA512
81bbd6d3ee3d7dd4a20809b5f0ccd58528580941866865824439a8dc77a02232b05a29d9d7d564cf73f6873cdfd204690d81eb5909e4509f19e1082b393a5f92

Download Submit
C:\Windows\System32\esIfGDf.exe

Filesize
1.2MB

MD5
1345c26e55a718561a5393025dc31365

SHA1
39cb83350727e74b4b237e8d1c6526297a088576

SHA256
2fbd29ac20ef6e5bb6cdd5cf941b1689bf4d4f1b90f816141579500ff138fd96

SHA512
af01dd8dfd2b671d8d6b93057f700ad122944578eddb9dc8fd9c8a1d59d579dcd449e4d77d4d696ef63b24d3a4ddfffaa8d5af76629deb0b42f3b1b68c35dac1

Download Submit
C:\Windows\System32\fvMROFC.exe

Filesize
1.2MB

MD5
cbdc5763dc3edf986038c2241f0e5ec0

SHA1
1e002fcf5c6fbd4172078e6a91cfc2b533541256

SHA256
5200d633e75818f42cfe86ecc579b2f8d9b74f95f3c616f95615995e9e370a50

SHA512
6603d6be517537e4b6d3771a51a589f70448fb77538746ca1ac854b151d510274d8fd7b156b80078798a17eee6143aa93f2c7e77c5e5871b37bd2bb13d19290c

Download Submit
C:\Windows\System32\lyTjbsW.exe

Filesize
1.2MB

MD5
aaa17cec9f79f52969fa7e0b3c601a9c

SHA1
366ae92a573338910038fb93a00351c3e9d47288

SHA256
396ecac11df40f6f90256e36dbe6febaf35b4e4c166bbd09624ff15ca04bb5b9

SHA512
0806abe9d241becc00f36ead11c200f7d0687cde18744897315bedd702be90694a8b93cb8b56c43e1d3809a85d8ecd1a1ddc0ad11b9e27d611963fe8e7a37fc2

Download Submit
C:\Windows\System32\mghresQ.exe

Filesize
1.2MB

MD5
4cca1866a9e56b9ec4a0ff88cf08079c

SHA1
ef64d8e3bf59ea43b8cfec66babb603ebd74e929

SHA256
f4e4929e1127816b9d2aa5be33de4d629356690c9db965c2e0ed113d725d480e

SHA512
c8c5ff21ec16f1116854cc45b27fef268a585bac06998c2871df411644f0bafe52ff20b246fdb673b330b56a729c7878b88684837d31c06729828b430727c787

Download Submit
C:\Windows\System32\mrkWsce.exe

Filesize
1.2MB

MD5
83c9bc854cd300c7bd20692c14724b30

SHA1
4cd178adbddf8a68c5f7d4ed5c10da77eac1f934

SHA256
d29062265dfed373e446b8cce416ed8f5fa419f888130356ea66b505087527c7

SHA512
11fdefbf8daaae38fc953c6995dfd3d31615abe3b6e941a334079fc77eb26a320b65fe84ffa066bf228f2325dcef1a1b1ee165d30dc25fccac744637b2e60c95

Download Submit
C:\Windows\System32\nlzuZmI.exe

Filesize
1.2MB

MD5
5a470c571e3f88d34a791e4340460c54

SHA1
60b85c38878e0e174c05671f14b3e385ed836017

SHA256
85242d03eddcdab48f77ab18bf5ba872b6ab4db762c15b97e76c06d1394105b0

SHA512
d03b1cc8bcdff3bc2219bda3f1eb24c0187bcadede25b5a9815daa55443852723dfb65b4052ea5e8634794d72126e94b90e6e870985b491b37ff42e3d22f0843

Download Submit
C:\Windows\System32\rmJjkAE.exe

Filesize
1.2MB

MD5
d301d509c6f953a5cac0afe0f06fa572

SHA1
af1368ce3aa7d2ed5047b015990209fb30acc0cc

SHA256
3a3e038aa01e02c2aaf4c2595fc106e69981e7c06baa94521ddfa12e4b2df225

SHA512
79d72d1a944b2824c97c6338b40ea17d430d2aa4bc12ea3ba6da55a17545224f02035ea8ad7f56c450f5e32190f06bba00afba1c024367be46794f5882f85143

Download Submit
C:\Windows\System32\vLBXHqU.exe

Filesize
1.2MB

MD5
7f0c0bc24c1818be7b18a15607982d12

SHA1
8d0013c3b99dca0b943a7394c6b141e7054f9436

SHA256
39b1971255a39539421d584f8153a86784289ce0c9838c5ea70b36576b64f642

SHA512
724b8abec703c9174dea8a99fc1e30f588e6d9258e0bf319e126f81a38edb3f95fa3c60892f5722a39acee7b07bbdac712c6f48bb4cbe874cdd62529f2b5554d

Download Submit
C:\Windows\System32\wHUXhNa.exe

Filesize
1.2MB

MD5
a38c73f399c9d662eff661b859ff159f

SHA1
2d48b3cfc1978123115fbcab231b1390b5767a63

SHA256
32e890771034b3ba8b28aa7f1fa91f742e95a2514534f53b5aaacfecdfd878eb

SHA512
2009b1c4440af488367494d233868e8a6f5db42bf9bb19957c5d6ad9a394805325b263ae08badc61b6c8c84446cda16540f075a54af4a0e6c8c185d6643a9e0d

Download Submit
C:\Windows\System32\yjWqzst.exe

Filesize
1.2MB

MD5
152965aca89452c72c9df2b993c801c0

SHA1
c561319d815e889e740f9df7502207bdba6985f0

SHA256
df7b9f22d64734085f72d540eaaff79799ef48d8d91611f4f552c06350b091aa

SHA512
28795378effe53f5472d4ce6648c1fc06a2cd584eb22b0b4617fc83c5a53c135f31441d17ae199e637262421afa2aa9596d2374632f90168d6df66062fff123d

Download Submit
memory/220-2074-0x00007FF6D7FE0000-0x00007FF6D83D1000-memory.dmp

Filesize
3.9MB

Download
memory/220-391-0x00007FF6D7FE0000-0x00007FF6D83D1000-memory.dmp

Filesize
3.9MB

Download
memory/636-356-0x00007FF7C7600000-0x00007FF7C79F1000-memory.dmp

Filesize
3.9MB

Download
memory/636-2061-0x00007FF7C7600000-0x00007FF7C79F1000-memory.dmp

Filesize
3.9MB

Download
memory/664-400-0x00007FF67C380000-0x00007FF67C771000-memory.dmp

Filesize
3.9MB

Download
memory/664-2080-0x00007FF67C380000-0x00007FF67C771000-memory.dmp

Filesize
3.9MB

Download
memory/872-2041-0x00007FF770280000-0x00007FF770671000-memory.dmp

Filesize
3.9MB

Download
memory/872-326-0x00007FF770280000-0x00007FF770671000-memory.dmp

Filesize
3.9MB

Download
memory/1312-2057-0x00007FF66A0E0000-0x00007FF66A4D1000-memory.dmp

Filesize
3.9MB

Download
memory/1312-359-0x00007FF66A0E0000-0x00007FF66A4D1000-memory.dmp

Filesize
3.9MB

Download
memory/1504-378-0x00007FF647460000-0x00007FF647851000-memory.dmp

Filesize
3.9MB

Download
memory/1504-2065-0x00007FF647460000-0x00007FF647851000-memory.dmp

Filesize
3.9MB

Download
memory/1920-2033-0x00007FF7AD730000-0x00007FF7ADB21000-memory.dmp

Filesize
3.9MB

Download
memory/1920-8-0x00007FF7AD730000-0x00007FF7ADB21000-memory.dmp

Filesize
3.9MB

Download
memory/1920-1990-0x00007FF7AD730000-0x00007FF7ADB21000-memory.dmp

Filesize
3.9MB

Download
memory/2396-2037-0x00007FF65AA30000-0x00007FF65AE21000-memory.dmp

Filesize
3.9MB

Download
memory/2396-33-0x00007FF65AA30000-0x00007FF65AE21000-memory.dmp

Filesize
3.9MB

Download
memory/2396-2027-0x00007FF65AA30000-0x00007FF65AE21000-memory.dmp

Filesize
3.9MB

Download
memory/2528-27-0x00007FF779B60000-0x00007FF779F51000-memory.dmp

Filesize
3.9MB

Download
memory/2528-1992-0x00007FF779B60000-0x00007FF779F51000-memory.dmp

Filesize
3.9MB

Download
memory/2528-2039-0x00007FF779B60000-0x00007FF779F51000-memory.dmp

Filesize
3.9MB

Download
memory/2808-2072-0x00007FF613BB0000-0x00007FF613FA1000-memory.dmp

Filesize
3.9MB

Download
memory/2808-397-0x00007FF613BB0000-0x00007FF613FA1000-memory.dmp

Filesize
3.9MB

Download
memory/2956-28-0x00007FF785E40000-0x00007FF786231000-memory.dmp

Filesize
3.9MB

Download
memory/2956-2043-0x00007FF785E40000-0x00007FF786231000-memory.dmp

Filesize
3.9MB

Download
memory/2956-2025-0x00007FF785E40000-0x00007FF786231000-memory.dmp

Filesize
3.9MB

Download
memory/3076-2035-0x00007FF7CC960000-0x00007FF7CCD51000-memory.dmp

Filesize
3.9MB

Download
memory/3076-1991-0x00007FF7CC960000-0x00007FF7CCD51000-memory.dmp

Filesize
3.9MB

Download
memory/3076-21-0x00007FF7CC960000-0x00007FF7CCD51000-memory.dmp

Filesize
3.9MB

Download
memory/3196-370-0x00007FF7EB3E0000-0x00007FF7EB7D1000-memory.dmp

Filesize
3.9MB

Download
memory/3196-2055-0x00007FF7EB3E0000-0x00007FF7EB7D1000-memory.dmp

Filesize
3.9MB

Download
memory/3288-405-0x00007FF613B80000-0x00007FF613F71000-memory.dmp

Filesize
3.9MB

Download
memory/3288-2049-0x00007FF613B80000-0x00007FF613F71000-memory.dmp

Filesize
3.9MB

Download
memory/3348-2070-0x00007FF68E6F0000-0x00007FF68EAE1000-memory.dmp

Filesize
3.9MB

Download
memory/3348-386-0x00007FF68E6F0000-0x00007FF68EAE1000-memory.dmp

Filesize
3.9MB

Download
memory/3396-398-0x00007FF6EB8D0000-0x00007FF6EBCC1000-memory.dmp

Filesize
3.9MB

Download
memory/3396-2069-0x00007FF6EB8D0000-0x00007FF6EBCC1000-memory.dmp

Filesize
3.9MB

Download
memory/3804-395-0x00007FF632D10000-0x00007FF633101000-memory.dmp

Filesize
3.9MB

Download
memory/3804-2076-0x00007FF632D10000-0x00007FF633101000-memory.dmp

Filesize
3.9MB

Download
memory/3896-329-0x00007FF6FCA20000-0x00007FF6FCE11000-memory.dmp

Filesize
3.9MB

Download
memory/3896-2047-0x00007FF6FCA20000-0x00007FF6FCE11000-memory.dmp

Filesize
3.9MB

Download
memory/4072-372-0x00007FF620A10000-0x00007FF620E01000-memory.dmp

Filesize
3.9MB

Download
memory/4072-2063-0x00007FF620A10000-0x00007FF620E01000-memory.dmp

Filesize
3.9MB

Download
memory/4640-2051-0x00007FF6CACC0000-0x00007FF6CB0B1000-memory.dmp

Filesize
3.9MB

Download
memory/4640-341-0x00007FF6CACC0000-0x00007FF6CB0B1000-memory.dmp

Filesize
3.9MB

Download
memory/4872-404-0x00007FF631C00000-0x00007FF631FF1000-memory.dmp

Filesize
3.9MB

Download
memory/4872-2078-0x00007FF631C00000-0x00007FF631FF1000-memory.dmp

Filesize
3.9MB

Download
memory/4900-350-0x00007FF741B80000-0x00007FF741F71000-memory.dmp

Filesize
3.9MB

Download
memory/4900-2059-0x00007FF741B80000-0x00007FF741F71000-memory.dmp

Filesize
3.9MB

Download
memory/4904-49-0x00007FF7F2930000-0x00007FF7F2D21000-memory.dmp

Filesize
3.9MB

Download
memory/4904-2026-0x00007FF7F2930000-0x00007FF7F2D21000-memory.dmp

Filesize
3.9MB

Download
memory/4904-2045-0x00007FF7F2930000-0x00007FF7F2D21000-memory.dmp

Filesize
3.9MB

Download
memory/4988-336-0x00007FF7A0AB0000-0x00007FF7A0EA1000-memory.dmp

Filesize
3.9MB

Download
memory/4988-2053-0x00007FF7A0AB0000-0x00007FF7A0EA1000-memory.dmp

Filesize
3.9MB

Download
memory/5004-0-0x00007FF65A460000-0x00007FF65A851000-memory.dmp

Filesize
3.9MB

Download
memory/5004-1-0x0000027519500000-0x0000027519510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads