xmrig | dbf4be391fbdbe86e82f83e871c8c8d3a528da8f66873d0da44c7fe9d477569b

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aea5a338e460c2d4414af4480bb48fb0N.exe
Size

1.4MB
MD5

aea5a338e460c2d4414af4480bb48fb0
SHA1

a5d82cd832713b021f76ec4d948c6eb6e51538a1
SHA256

dbf4be391fbdbe86e82f83e871c8c8d3a528da8f66873d0da44c7fe9d477569b
SHA512

0ee8f013cd01952d4922242bbb90cb116de6aeec20fd52088a96b2a83d170140b2a5bcffa1577834002041f3db251e93327a06706840de0d3b9e997954d9e937
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbcdSc0rpYGwpRFb+:knw9oUUEEDlGUJ8Y9cdOryO

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1088-316-0x00007FF6BF550000-0x00007FF6BF941000-memory.dmp	xmrig
behavioral2/memory/4028-319-0x00007FF6EF520000-0x00007FF6EF911000-memory.dmp	xmrig
behavioral2/memory/2616-326-0x00007FF722010000-0x00007FF722401000-memory.dmp	xmrig
behavioral2/memory/1056-327-0x00007FF6B5270000-0x00007FF6B5661000-memory.dmp	xmrig
behavioral2/memory/5076-332-0x00007FF631530000-0x00007FF631921000-memory.dmp	xmrig
behavioral2/memory/4184-343-0x00007FF689680000-0x00007FF689A71000-memory.dmp	xmrig
behavioral2/memory/4680-348-0x00007FF7D00C0000-0x00007FF7D04B1000-memory.dmp	xmrig
behavioral2/memory/3152-351-0x00007FF69F010000-0x00007FF69F401000-memory.dmp	xmrig
behavioral2/memory/2812-357-0x00007FF7372F0000-0x00007FF7376E1000-memory.dmp	xmrig
behavioral2/memory/2932-358-0x00007FF62F3D0000-0x00007FF62F7C1000-memory.dmp	xmrig
behavioral2/memory/4492-360-0x00007FF67BA30000-0x00007FF67BE21000-memory.dmp	xmrig
behavioral2/memory/2432-361-0x00007FF77B710000-0x00007FF77BB01000-memory.dmp	xmrig
behavioral2/memory/3632-359-0x00007FF7E5080000-0x00007FF7E5471000-memory.dmp	xmrig
behavioral2/memory/3848-362-0x00007FF774A70000-0x00007FF774E61000-memory.dmp	xmrig
behavioral2/memory/3412-363-0x00007FF610280000-0x00007FF610671000-memory.dmp	xmrig
behavioral2/memory/1748-364-0x00007FF65DB90000-0x00007FF65DF81000-memory.dmp	xmrig
behavioral2/memory/1788-356-0x00007FF643950000-0x00007FF643D41000-memory.dmp	xmrig
behavioral2/memory/4776-369-0x00007FF754CA0000-0x00007FF755091000-memory.dmp	xmrig
behavioral2/memory/1016-376-0x00007FF6E82A0000-0x00007FF6E8691000-memory.dmp	xmrig
behavioral2/memory/3844-373-0x00007FF6D9220000-0x00007FF6D9611000-memory.dmp	xmrig
behavioral2/memory/3584-324-0x00007FF63BE70000-0x00007FF63C261000-memory.dmp	xmrig
behavioral2/memory/4740-322-0x00007FF6A3720000-0x00007FF6A3B11000-memory.dmp	xmrig
behavioral2/memory/2764-23-0x00007FF7E4590000-0x00007FF7E4981000-memory.dmp	xmrig
behavioral2/memory/1224-11-0x00007FF7534C0000-0x00007FF7538B1000-memory.dmp	xmrig
behavioral2/memory/1584-1916-0x00007FF6D3710000-0x00007FF6D3B01000-memory.dmp	xmrig
behavioral2/memory/1224-1983-0x00007FF7534C0000-0x00007FF7538B1000-memory.dmp	xmrig
behavioral2/memory/1088-1985-0x00007FF6BF550000-0x00007FF6BF941000-memory.dmp	xmrig
behavioral2/memory/1056-2034-0x00007FF6B5270000-0x00007FF6B5661000-memory.dmp	xmrig
behavioral2/memory/4184-2040-0x00007FF689680000-0x00007FF689A71000-memory.dmp	xmrig
behavioral2/memory/2432-2050-0x00007FF77B710000-0x00007FF77BB01000-memory.dmp	xmrig
behavioral2/memory/1748-2058-0x00007FF65DB90000-0x00007FF65DF81000-memory.dmp	xmrig
behavioral2/memory/4776-2067-0x00007FF754CA0000-0x00007FF755091000-memory.dmp	xmrig
behavioral2/memory/3848-2055-0x00007FF774A70000-0x00007FF774E61000-memory.dmp	xmrig
behavioral2/memory/2932-2052-0x00007FF62F3D0000-0x00007FF62F7C1000-memory.dmp	xmrig
behavioral2/memory/3412-2056-0x00007FF610280000-0x00007FF610671000-memory.dmp	xmrig
behavioral2/memory/4492-2048-0x00007FF67BA30000-0x00007FF67BE21000-memory.dmp	xmrig
behavioral2/memory/3632-2046-0x00007FF7E5080000-0x00007FF7E5471000-memory.dmp	xmrig
behavioral2/memory/1788-2044-0x00007FF643950000-0x00007FF643D41000-memory.dmp	xmrig
behavioral2/memory/3152-2036-0x00007FF69F010000-0x00007FF69F401000-memory.dmp	xmrig
behavioral2/memory/4680-2042-0x00007FF7D00C0000-0x00007FF7D04B1000-memory.dmp	xmrig
behavioral2/memory/5076-2032-0x00007FF631530000-0x00007FF631921000-memory.dmp	xmrig
behavioral2/memory/2812-2038-0x00007FF7372F0000-0x00007FF7376E1000-memory.dmp	xmrig
behavioral2/memory/1016-2030-0x00007FF6E82A0000-0x00007FF6E8691000-memory.dmp	xmrig
behavioral2/memory/4028-2028-0x00007FF6EF520000-0x00007FF6EF911000-memory.dmp	xmrig
behavioral2/memory/3584-2027-0x00007FF63BE70000-0x00007FF63C261000-memory.dmp	xmrig
behavioral2/memory/4740-2026-0x00007FF6A3720000-0x00007FF6A3B11000-memory.dmp	xmrig
behavioral2/memory/2764-2025-0x00007FF7E4590000-0x00007FF7E4981000-memory.dmp	xmrig
behavioral2/memory/2616-2020-0x00007FF722010000-0x00007FF722401000-memory.dmp	xmrig
behavioral2/memory/3844-2018-0x00007FF6D9220000-0x00007FF6D9611000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1224	GbbVzNC.exe
2764	GOTituI.exe
1088	GZNCOkb.exe
3844	wGHTidW.exe
4028	iuPnJHp.exe
1016	mncINfP.exe
4740	CyEwETh.exe
3584	WdQVGNk.exe
2616	STeUQzC.exe
1056	XXtifvf.exe
5076	ClyCcVe.exe
4184	Iqcdxer.exe
4680	GLjQYor.exe
3152	wClEauu.exe
1788	tEtqqDj.exe
2812	UxMlUPI.exe
2932	lAwlMkF.exe
3632	TGBgZqX.exe
4492	GLGEwMh.exe
2432	yrgXGfh.exe
3848	JsEwhAR.exe
3412	lcVsEEh.exe
1748	raCUSZh.exe
4776	yuRbkrW.exe
3120	nhVRiaO.exe
4824	SOQKdlp.exe
5056	ONJvltJ.exe
1084	JBmTVbh.exe
3272	IwoHVVO.exe
2200	ckxBNAi.exe
992	MJzmdej.exe
4744	ycbZlVn.exe
912	OhvHwcg.exe
2596	DRCITfi.exe
4944	vQLomty.exe
1664	iDrDXwV.exe
324	KGPGVYW.exe
3560	yLRhZFP.exe
2304	Kiloiwv.exe
4496	VMOGPsO.exe
2464	fCBVHEa.exe
380	gcXCAZs.exe
4188	GbQFMMC.exe
4284	LpdLJgS.exe
3452	dtrmoiF.exe
4836	OKOcrax.exe
1712	DXznlol.exe
544	QPCjoOF.exe
824	IfJfgbe.exe
860	gcnILlT.exe
2336	TYNxKZI.exe
2952	NKmsMXZ.exe
4264	HvwMzUh.exe
4500	FkPmYXl.exe
956	VAHFKHN.exe
4788	RQayNuS.exe
1416	wDKAuqa.exe
1732	jBSSDtg.exe
4408	navdKKM.exe
4244	ZjNkWLE.exe
760	zRAKNXG.exe
3600	EdWxEFY.exe
3212	SJvcUvx.exe
4292	mayYXrS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1584-0-0x00007FF6D3710000-0x00007FF6D3B01000-memory.dmp	upx
behavioral2/files/0x0009000000023453-5.dat	upx
behavioral2/files/0x000700000002345b-9.dat	upx
behavioral2/files/0x000700000002345a-17.dat	upx
behavioral2/files/0x000700000002345c-21.dat	upx
behavioral2/files/0x000700000002345e-33.dat	upx
behavioral2/files/0x000700000002345f-38.dat	upx
behavioral2/files/0x0007000000023460-43.dat	upx
behavioral2/files/0x0007000000023462-51.dat	upx
behavioral2/files/0x0007000000023463-56.dat	upx
behavioral2/files/0x0007000000023464-63.dat	upx
behavioral2/files/0x0007000000023468-86.dat	upx
behavioral2/files/0x000700000002346a-96.dat	upx
behavioral2/files/0x000700000002346e-113.dat	upx
behavioral2/files/0x0007000000023470-123.dat	upx
behavioral2/files/0x0007000000023478-163.dat	upx
behavioral2/memory/1088-316-0x00007FF6BF550000-0x00007FF6BF941000-memory.dmp	upx
behavioral2/memory/4028-319-0x00007FF6EF520000-0x00007FF6EF911000-memory.dmp	upx
behavioral2/memory/2616-326-0x00007FF722010000-0x00007FF722401000-memory.dmp	upx
behavioral2/memory/1056-327-0x00007FF6B5270000-0x00007FF6B5661000-memory.dmp	upx
behavioral2/memory/5076-332-0x00007FF631530000-0x00007FF631921000-memory.dmp	upx
behavioral2/memory/4184-343-0x00007FF689680000-0x00007FF689A71000-memory.dmp	upx
behavioral2/memory/4680-348-0x00007FF7D00C0000-0x00007FF7D04B1000-memory.dmp	upx
behavioral2/memory/3152-351-0x00007FF69F010000-0x00007FF69F401000-memory.dmp	upx
behavioral2/memory/2812-357-0x00007FF7372F0000-0x00007FF7376E1000-memory.dmp	upx
behavioral2/memory/2932-358-0x00007FF62F3D0000-0x00007FF62F7C1000-memory.dmp	upx
behavioral2/memory/4492-360-0x00007FF67BA30000-0x00007FF67BE21000-memory.dmp	upx
behavioral2/memory/2432-361-0x00007FF77B710000-0x00007FF77BB01000-memory.dmp	upx
behavioral2/memory/3632-359-0x00007FF7E5080000-0x00007FF7E5471000-memory.dmp	upx
behavioral2/memory/3848-362-0x00007FF774A70000-0x00007FF774E61000-memory.dmp	upx
behavioral2/memory/3412-363-0x00007FF610280000-0x00007FF610671000-memory.dmp	upx
behavioral2/memory/1748-364-0x00007FF65DB90000-0x00007FF65DF81000-memory.dmp	upx
behavioral2/memory/1788-356-0x00007FF643950000-0x00007FF643D41000-memory.dmp	upx
behavioral2/memory/4776-369-0x00007FF754CA0000-0x00007FF755091000-memory.dmp	upx
behavioral2/memory/1016-376-0x00007FF6E82A0000-0x00007FF6E8691000-memory.dmp	upx
behavioral2/memory/3844-373-0x00007FF6D9220000-0x00007FF6D9611000-memory.dmp	upx
behavioral2/memory/3584-324-0x00007FF63BE70000-0x00007FF63C261000-memory.dmp	upx
behavioral2/memory/4740-322-0x00007FF6A3720000-0x00007FF6A3B11000-memory.dmp	upx
behavioral2/files/0x0007000000023477-161.dat	upx
behavioral2/files/0x0007000000023476-153.dat	upx
behavioral2/files/0x0007000000023475-148.dat	upx
behavioral2/files/0x0007000000023474-143.dat	upx
behavioral2/files/0x0007000000023473-138.dat	upx
behavioral2/files/0x0007000000023472-133.dat	upx
behavioral2/files/0x0007000000023471-128.dat	upx
behavioral2/files/0x000700000002346f-118.dat	upx
behavioral2/files/0x000700000002346d-111.dat	upx
behavioral2/files/0x000700000002346c-103.dat	upx
behavioral2/files/0x000700000002346b-98.dat	upx
behavioral2/files/0x0007000000023469-88.dat	upx
behavioral2/files/0x0007000000023467-78.dat	upx
behavioral2/files/0x0007000000023466-73.dat	upx
behavioral2/files/0x0007000000023465-68.dat	upx
behavioral2/files/0x0007000000023461-48.dat	upx
behavioral2/files/0x000700000002345d-28.dat	upx
behavioral2/memory/2764-23-0x00007FF7E4590000-0x00007FF7E4981000-memory.dmp	upx
behavioral2/memory/1224-11-0x00007FF7534C0000-0x00007FF7538B1000-memory.dmp	upx
behavioral2/memory/1584-1916-0x00007FF6D3710000-0x00007FF6D3B01000-memory.dmp	upx
behavioral2/memory/1224-1983-0x00007FF7534C0000-0x00007FF7538B1000-memory.dmp	upx
behavioral2/memory/1088-1985-0x00007FF6BF550000-0x00007FF6BF941000-memory.dmp	upx
behavioral2/memory/1056-2034-0x00007FF6B5270000-0x00007FF6B5661000-memory.dmp	upx
behavioral2/memory/4184-2040-0x00007FF689680000-0x00007FF689A71000-memory.dmp	upx
behavioral2/memory/2432-2050-0x00007FF77B710000-0x00007FF77BB01000-memory.dmp	upx
behavioral2/memory/1748-2058-0x00007FF65DB90000-0x00007FF65DF81000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\seoiHDx.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\mBVGMmE.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\rvWJMkM.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\VuBroXb.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\IeXplxr.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\cHDzJyo.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\IyusFFJ.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\pShixpf.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\fQvCuXl.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\XsYAlFt.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\OKCGcaO.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\rcFVdvy.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\wIxujgx.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\HKFaLBu.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\oTRDeTd.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\LCEnwQj.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\yqLIlPW.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\eEHNHNm.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\HvkRQJH.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\LmvoekW.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\hrjnWjo.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\NNGJxVI.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\fPIXuxq.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\VfLHmyH.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\ssWjIqC.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\TYTDaWs.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\GJHPGPI.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\oycBszc.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\yQmwoOT.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\SOQKdlp.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\SXgyEyC.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\AdQOxjX.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\SQVXVkw.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\ClyCcVe.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\iDrDXwV.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\QsWVYZD.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\IZRItek.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\DgYWyQk.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\FlAFRlG.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\yLNwQyV.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\gSQCoxL.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\wmgcBoK.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\RZJVmOk.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\WtqUytq.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\udDzwTz.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\SSJNIZH.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\fjrSkYl.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\zeBAPTh.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\raCUSZh.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\GcRfSBk.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\FhBGYAX.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\tEtqqDj.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\uIqMkFF.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\DWdrgYI.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\DVkICBZ.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\YyHhOuB.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\NevgUCG.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\GuBMeWh.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\TtSbNvH.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\soYjLuQ.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\XjqCxPJ.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\YMnlyql.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\mhbBflR.exe	aea5a338e460c2d4414af4480bb48fb0N.exe
File created	C:\Windows\System32\CZDEEdZ.exe	aea5a338e460c2d4414af4480bb48fb0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	6136	dwm.exe
Token: SeChangeNotifyPrivilege	6136	dwm.exe
Token: 33	6136	dwm.exe
Token: SeIncBasePriorityPrivilege	6136	dwm.exe
Token: SeShutdownPrivilege	6136	dwm.exe
Token: SeCreatePagefilePrivilege	6136	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1224	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	85
PID 1584 wrote to memory of 1224	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	85
PID 1584 wrote to memory of 2764	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	86
PID 1584 wrote to memory of 2764	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	86
PID 1584 wrote to memory of 1088	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	87
PID 1584 wrote to memory of 1088	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	87
PID 1584 wrote to memory of 3844	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	88
PID 1584 wrote to memory of 3844	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	88
PID 1584 wrote to memory of 4028	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	89
PID 1584 wrote to memory of 4028	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	89
PID 1584 wrote to memory of 1016	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	90
PID 1584 wrote to memory of 1016	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	90
PID 1584 wrote to memory of 4740	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	91
PID 1584 wrote to memory of 4740	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	91
PID 1584 wrote to memory of 3584	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	92
PID 1584 wrote to memory of 3584	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	92
PID 1584 wrote to memory of 2616	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	93
PID 1584 wrote to memory of 2616	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	93
PID 1584 wrote to memory of 1056	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	94
PID 1584 wrote to memory of 1056	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	94
PID 1584 wrote to memory of 5076	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	95
PID 1584 wrote to memory of 5076	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	95
PID 1584 wrote to memory of 4184	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	96
PID 1584 wrote to memory of 4184	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	96
PID 1584 wrote to memory of 4680	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	97
PID 1584 wrote to memory of 4680	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	97
PID 1584 wrote to memory of 3152	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	98
PID 1584 wrote to memory of 3152	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	98
PID 1584 wrote to memory of 1788	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	99
PID 1584 wrote to memory of 1788	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	99
PID 1584 wrote to memory of 2812	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	100
PID 1584 wrote to memory of 2812	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	100
PID 1584 wrote to memory of 2932	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	101
PID 1584 wrote to memory of 2932	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	101
PID 1584 wrote to memory of 3632	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	102
PID 1584 wrote to memory of 3632	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	102
PID 1584 wrote to memory of 4492	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	103
PID 1584 wrote to memory of 4492	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	103
PID 1584 wrote to memory of 2432	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	104
PID 1584 wrote to memory of 2432	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	104
PID 1584 wrote to memory of 3848	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	105
PID 1584 wrote to memory of 3848	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	105
PID 1584 wrote to memory of 3412	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	106
PID 1584 wrote to memory of 3412	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	106
PID 1584 wrote to memory of 1748	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	107
PID 1584 wrote to memory of 1748	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	107
PID 1584 wrote to memory of 4776	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	108
PID 1584 wrote to memory of 4776	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	108
PID 1584 wrote to memory of 3120	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	109
PID 1584 wrote to memory of 3120	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	109
PID 1584 wrote to memory of 4824	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	110
PID 1584 wrote to memory of 4824	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	110
PID 1584 wrote to memory of 5056	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	111
PID 1584 wrote to memory of 5056	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	111
PID 1584 wrote to memory of 1084	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	112
PID 1584 wrote to memory of 1084	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	112
PID 1584 wrote to memory of 3272	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	113
PID 1584 wrote to memory of 3272	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	113
PID 1584 wrote to memory of 2200	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	114
PID 1584 wrote to memory of 2200	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	114
PID 1584 wrote to memory of 992	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	115
PID 1584 wrote to memory of 992	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	115
PID 1584 wrote to memory of 4744	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	116
PID 1584 wrote to memory of 4744	1584	aea5a338e460c2d4414af4480bb48fb0N.exe	116

C:\Users\Admin\AppData\Local\Temp\aea5a338e460c2d4414af4480bb48fb0N.exe
"C:\Users\Admin\AppData\Local\Temp\aea5a338e460c2d4414af4480bb48fb0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\System32\GbbVzNC.exe
  C:\Windows\System32\GbbVzNC.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System32\GOTituI.exe
  C:\Windows\System32\GOTituI.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\GZNCOkb.exe
  C:\Windows\System32\GZNCOkb.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System32\wGHTidW.exe
  C:\Windows\System32\wGHTidW.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\iuPnJHp.exe
  C:\Windows\System32\iuPnJHp.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\mncINfP.exe
  C:\Windows\System32\mncINfP.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\CyEwETh.exe
  C:\Windows\System32\CyEwETh.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System32\WdQVGNk.exe
  C:\Windows\System32\WdQVGNk.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System32\STeUQzC.exe
  C:\Windows\System32\STeUQzC.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System32\XXtifvf.exe
  C:\Windows\System32\XXtifvf.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System32\ClyCcVe.exe
  C:\Windows\System32\ClyCcVe.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System32\Iqcdxer.exe
  C:\Windows\System32\Iqcdxer.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System32\GLjQYor.exe
  C:\Windows\System32\GLjQYor.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System32\wClEauu.exe
  C:\Windows\System32\wClEauu.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System32\tEtqqDj.exe
  C:\Windows\System32\tEtqqDj.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System32\UxMlUPI.exe
  C:\Windows\System32\UxMlUPI.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System32\lAwlMkF.exe
  C:\Windows\System32\lAwlMkF.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System32\TGBgZqX.exe
  C:\Windows\System32\TGBgZqX.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\GLGEwMh.exe
  C:\Windows\System32\GLGEwMh.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\yrgXGfh.exe
  C:\Windows\System32\yrgXGfh.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System32\JsEwhAR.exe
  C:\Windows\System32\JsEwhAR.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\lcVsEEh.exe
  C:\Windows\System32\lcVsEEh.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\raCUSZh.exe
  C:\Windows\System32\raCUSZh.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System32\yuRbkrW.exe
  C:\Windows\System32\yuRbkrW.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\nhVRiaO.exe
  C:\Windows\System32\nhVRiaO.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System32\SOQKdlp.exe
  C:\Windows\System32\SOQKdlp.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\ONJvltJ.exe
  C:\Windows\System32\ONJvltJ.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\JBmTVbh.exe
  C:\Windows\System32\JBmTVbh.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System32\IwoHVVO.exe
  C:\Windows\System32\IwoHVVO.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\ckxBNAi.exe
  C:\Windows\System32\ckxBNAi.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System32\MJzmdej.exe
  C:\Windows\System32\MJzmdej.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System32\ycbZlVn.exe
  C:\Windows\System32\ycbZlVn.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System32\OhvHwcg.exe
  C:\Windows\System32\OhvHwcg.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System32\DRCITfi.exe
  C:\Windows\System32\DRCITfi.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\vQLomty.exe
  C:\Windows\System32\vQLomty.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\iDrDXwV.exe
  C:\Windows\System32\iDrDXwV.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System32\KGPGVYW.exe
  C:\Windows\System32\KGPGVYW.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System32\yLRhZFP.exe
  C:\Windows\System32\yLRhZFP.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\Kiloiwv.exe
  C:\Windows\System32\Kiloiwv.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System32\VMOGPsO.exe
  C:\Windows\System32\VMOGPsO.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\fCBVHEa.exe
  C:\Windows\System32\fCBVHEa.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\gcXCAZs.exe
  C:\Windows\System32\gcXCAZs.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System32\GbQFMMC.exe
  C:\Windows\System32\GbQFMMC.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System32\LpdLJgS.exe
  C:\Windows\System32\LpdLJgS.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System32\dtrmoiF.exe
  C:\Windows\System32\dtrmoiF.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System32\OKOcrax.exe
  C:\Windows\System32\OKOcrax.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System32\DXznlol.exe
  C:\Windows\System32\DXznlol.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System32\QPCjoOF.exe
  C:\Windows\System32\QPCjoOF.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System32\IfJfgbe.exe
  C:\Windows\System32\IfJfgbe.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System32\gcnILlT.exe
  C:\Windows\System32\gcnILlT.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System32\TYNxKZI.exe
  C:\Windows\System32\TYNxKZI.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System32\NKmsMXZ.exe
  C:\Windows\System32\NKmsMXZ.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System32\HvwMzUh.exe
  C:\Windows\System32\HvwMzUh.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System32\FkPmYXl.exe
  C:\Windows\System32\FkPmYXl.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System32\VAHFKHN.exe
  C:\Windows\System32\VAHFKHN.exe
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\System32\RQayNuS.exe
  C:\Windows\System32\RQayNuS.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\wDKAuqa.exe
  C:\Windows\System32\wDKAuqa.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System32\jBSSDtg.exe
  C:\Windows\System32\jBSSDtg.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System32\navdKKM.exe
  C:\Windows\System32\navdKKM.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\ZjNkWLE.exe
  C:\Windows\System32\ZjNkWLE.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System32\zRAKNXG.exe
  C:\Windows\System32\zRAKNXG.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System32\EdWxEFY.exe
  C:\Windows\System32\EdWxEFY.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System32\SJvcUvx.exe
  C:\Windows\System32\SJvcUvx.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System32\mayYXrS.exe
  C:\Windows\System32\mayYXrS.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System32\FibFNIy.exe
  C:\Windows\System32\FibFNIy.exe
  2⤵
  PID:3524
- C:\Windows\System32\lFGeKbZ.exe
  C:\Windows\System32\lFGeKbZ.exe
  2⤵
  PID:1768
- C:\Windows\System32\dJxiABr.exe
  C:\Windows\System32\dJxiABr.exe
  2⤵
  PID:4120
- C:\Windows\System32\ZUjlKQc.exe
  C:\Windows\System32\ZUjlKQc.exe
  2⤵
  PID:3068
- C:\Windows\System32\GGRblDu.exe
  C:\Windows\System32\GGRblDu.exe
  2⤵
  PID:3508
- C:\Windows\System32\qBdkGNv.exe
  C:\Windows\System32\qBdkGNv.exe
  2⤵
  PID:3564
- C:\Windows\System32\toVRXFw.exe
  C:\Windows\System32\toVRXFw.exe
  2⤵
  PID:4456
- C:\Windows\System32\vNNgOaA.exe
  C:\Windows\System32\vNNgOaA.exe
  2⤵
  PID:4392
- C:\Windows\System32\NUZPdcX.exe
  C:\Windows\System32\NUZPdcX.exe
  2⤵
  PID:4532
- C:\Windows\System32\ajFOwnX.exe
  C:\Windows\System32\ajFOwnX.exe
  2⤵
  PID:2412
- C:\Windows\System32\emBWouL.exe
  C:\Windows\System32\emBWouL.exe
  2⤵
  PID:5060
- C:\Windows\System32\RZJVmOk.exe
  C:\Windows\System32\RZJVmOk.exe
  2⤵
  PID:3908
- C:\Windows\System32\izjHtPI.exe
  C:\Windows\System32\izjHtPI.exe
  2⤵
  PID:3284
- C:\Windows\System32\OhseOga.exe
  C:\Windows\System32\OhseOga.exe
  2⤵
  PID:2440
- C:\Windows\System32\UuDkroO.exe
  C:\Windows\System32\UuDkroO.exe
  2⤵
  PID:5148
- C:\Windows\System32\JEmSLaL.exe
  C:\Windows\System32\JEmSLaL.exe
  2⤵
  PID:5172
- C:\Windows\System32\lPQXQGq.exe
  C:\Windows\System32\lPQXQGq.exe
  2⤵
  PID:5208
- C:\Windows\System32\UiUthfm.exe
  C:\Windows\System32\UiUthfm.exe
  2⤵
  PID:5224
- C:\Windows\System32\IsdDfEd.exe
  C:\Windows\System32\IsdDfEd.exe
  2⤵
  PID:5260
- C:\Windows\System32\KyLFurP.exe
  C:\Windows\System32\KyLFurP.exe
  2⤵
  PID:5284
- C:\Windows\System32\WtqUytq.exe
  C:\Windows\System32\WtqUytq.exe
  2⤵
  PID:5352
- C:\Windows\System32\yBjGDtC.exe
  C:\Windows\System32\yBjGDtC.exe
  2⤵
  PID:5388
- C:\Windows\System32\sZZMUji.exe
  C:\Windows\System32\sZZMUji.exe
  2⤵
  PID:5432
- C:\Windows\System32\hsHXyxH.exe
  C:\Windows\System32\hsHXyxH.exe
  2⤵
  PID:5448
- C:\Windows\System32\AiaPCOe.exe
  C:\Windows\System32\AiaPCOe.exe
  2⤵
  PID:5488
- C:\Windows\System32\UdewpXI.exe
  C:\Windows\System32\UdewpXI.exe
  2⤵
  PID:5504
- C:\Windows\System32\ZRGYxbo.exe
  C:\Windows\System32\ZRGYxbo.exe
  2⤵
  PID:5528
- C:\Windows\System32\lIkCdiU.exe
  C:\Windows\System32\lIkCdiU.exe
  2⤵
  PID:5576
- C:\Windows\System32\mdCLwhA.exe
  C:\Windows\System32\mdCLwhA.exe
  2⤵
  PID:5608
- C:\Windows\System32\gfdGfuA.exe
  C:\Windows\System32\gfdGfuA.exe
  2⤵
  PID:5672
- C:\Windows\System32\pvWSoRv.exe
  C:\Windows\System32\pvWSoRv.exe
  2⤵
  PID:5732
- C:\Windows\System32\bMdyFbe.exe
  C:\Windows\System32\bMdyFbe.exe
  2⤵
  PID:5756
- C:\Windows\System32\auvNXyN.exe
  C:\Windows\System32\auvNXyN.exe
  2⤵
  PID:5800
- C:\Windows\System32\fWxUPfA.exe
  C:\Windows\System32\fWxUPfA.exe
  2⤵
  PID:5840
- C:\Windows\System32\TErDgBo.exe
  C:\Windows\System32\TErDgBo.exe
  2⤵
  PID:5856
- C:\Windows\System32\cHDzJyo.exe
  C:\Windows\System32\cHDzJyo.exe
  2⤵
  PID:5872
- C:\Windows\System32\uffceyO.exe
  C:\Windows\System32\uffceyO.exe
  2⤵
  PID:5908
- C:\Windows\System32\mCZQbyn.exe
  C:\Windows\System32\mCZQbyn.exe
  2⤵
  PID:5952
- C:\Windows\System32\LMzhNfo.exe
  C:\Windows\System32\LMzhNfo.exe
  2⤵
  PID:5972
- C:\Windows\System32\oubERVv.exe
  C:\Windows\System32\oubERVv.exe
  2⤵
  PID:5988
- C:\Windows\System32\IyusFFJ.exe
  C:\Windows\System32\IyusFFJ.exe
  2⤵
  PID:6016
- C:\Windows\System32\agFvyao.exe
  C:\Windows\System32\agFvyao.exe
  2⤵
  PID:6036
- C:\Windows\System32\pJpltez.exe
  C:\Windows\System32\pJpltez.exe
  2⤵
  PID:6068
- C:\Windows\System32\fPIXuxq.exe
  C:\Windows\System32\fPIXuxq.exe
  2⤵
  PID:6124
- C:\Windows\System32\oCfsXsr.exe
  C:\Windows\System32\oCfsXsr.exe
  2⤵
  PID:2692
- C:\Windows\System32\LfWLWsT.exe
  C:\Windows\System32\LfWLWsT.exe
  2⤵
  PID:4720
- C:\Windows\System32\oxofksU.exe
  C:\Windows\System32\oxofksU.exe
  2⤵
  PID:4752
- C:\Windows\System32\sKPZwur.exe
  C:\Windows\System32\sKPZwur.exe
  2⤵
  PID:5180
- C:\Windows\System32\hUdzSQs.exe
  C:\Windows\System32\hUdzSQs.exe
  2⤵
  PID:1092
- C:\Windows\System32\mULDeOX.exe
  C:\Windows\System32\mULDeOX.exe
  2⤵
  PID:5236
- C:\Windows\System32\gkcGoQh.exe
  C:\Windows\System32\gkcGoQh.exe
  2⤵
  PID:2424
- C:\Windows\System32\WDhceSr.exe
  C:\Windows\System32\WDhceSr.exe
  2⤵
  PID:1484
- C:\Windows\System32\DFVJBax.exe
  C:\Windows\System32\DFVJBax.exe
  2⤵
  PID:4176
- C:\Windows\System32\SXgyEyC.exe
  C:\Windows\System32\SXgyEyC.exe
  2⤵
  PID:4040
- C:\Windows\System32\gePtgtR.exe
  C:\Windows\System32\gePtgtR.exe
  2⤵
  PID:3556
- C:\Windows\System32\aJRQlrM.exe
  C:\Windows\System32\aJRQlrM.exe
  2⤵
  PID:1192
- C:\Windows\System32\rkMSWag.exe
  C:\Windows\System32\rkMSWag.exe
  2⤵
  PID:876
- C:\Windows\System32\QsWVYZD.exe
  C:\Windows\System32\QsWVYZD.exe
  2⤵
  PID:468
- C:\Windows\System32\VfLHmyH.exe
  C:\Windows\System32\VfLHmyH.exe
  2⤵
  PID:5256
- C:\Windows\System32\wSZbyPW.exe
  C:\Windows\System32\wSZbyPW.exe
  2⤵
  PID:4484
- C:\Windows\System32\shaVSKF.exe
  C:\Windows\System32\shaVSKF.exe
  2⤵
  PID:4524
- C:\Windows\System32\zvMjezQ.exe
  C:\Windows\System32\zvMjezQ.exe
  2⤵
  PID:3024
- C:\Windows\System32\UnRtVlZ.exe
  C:\Windows\System32\UnRtVlZ.exe
  2⤵
  PID:5440
- C:\Windows\System32\XaDlYjF.exe
  C:\Windows\System32\XaDlYjF.exe
  2⤵
  PID:3928
- C:\Windows\System32\eFmmKdv.exe
  C:\Windows\System32\eFmmKdv.exe
  2⤵
  PID:5480
- C:\Windows\System32\XYdVhao.exe
  C:\Windows\System32\XYdVhao.exe
  2⤵
  PID:5512
- C:\Windows\System32\jHqQsxx.exe
  C:\Windows\System32\jHqQsxx.exe
  2⤵
  PID:5568
- C:\Windows\System32\nYazxlT.exe
  C:\Windows\System32\nYazxlT.exe
  2⤵
  PID:1648
- C:\Windows\System32\eflirPt.exe
  C:\Windows\System32\eflirPt.exe
  2⤵
  PID:3840
- C:\Windows\System32\bmRsCIH.exe
  C:\Windows\System32\bmRsCIH.exe
  2⤵
  PID:5636
- C:\Windows\System32\gVBaGhT.exe
  C:\Windows\System32\gVBaGhT.exe
  2⤵
  PID:3988
- C:\Windows\System32\MyvOfBq.exe
  C:\Windows\System32\MyvOfBq.exe
  2⤵
  PID:2220
- C:\Windows\System32\hAbyiBF.exe
  C:\Windows\System32\hAbyiBF.exe
  2⤵
  PID:4876
- C:\Windows\System32\YXlBSri.exe
  C:\Windows\System32\YXlBSri.exe
  2⤵
  PID:4512
- C:\Windows\System32\lkhbuZm.exe
  C:\Windows\System32\lkhbuZm.exe
  2⤵
  PID:4896
- C:\Windows\System32\cDRxTka.exe
  C:\Windows\System32\cDRxTka.exe
  2⤵
  PID:5892
- C:\Windows\System32\KrMpjBr.exe
  C:\Windows\System32\KrMpjBr.exe
  2⤵
  PID:6024
- C:\Windows\System32\dOGtAXW.exe
  C:\Windows\System32\dOGtAXW.exe
  2⤵
  PID:792
- C:\Windows\System32\uqwyTzt.exe
  C:\Windows\System32\uqwyTzt.exe
  2⤵
  PID:5068
- C:\Windows\System32\pvRxkjY.exe
  C:\Windows\System32\pvRxkjY.exe
  2⤵
  PID:1152
- C:\Windows\System32\HuQKDtA.exe
  C:\Windows\System32\HuQKDtA.exe
  2⤵
  PID:2476
- C:\Windows\System32\EkEUWvz.exe
  C:\Windows\System32\EkEUWvz.exe
  2⤵
  PID:4172
- C:\Windows\System32\mSFToPX.exe
  C:\Windows\System32\mSFToPX.exe
  2⤵
  PID:5348
- C:\Windows\System32\sxdDJQp.exe
  C:\Windows\System32\sxdDJQp.exe
  2⤵
  PID:5460
- C:\Windows\System32\bzmjpUu.exe
  C:\Windows\System32\bzmjpUu.exe
  2⤵
  PID:5560
- C:\Windows\System32\JFThFmL.exe
  C:\Windows\System32\JFThFmL.exe
  2⤵
  PID:4388
- C:\Windows\System32\qDOUuag.exe
  C:\Windows\System32\qDOUuag.exe
  2⤵
  PID:5036
- C:\Windows\System32\oziVeRP.exe
  C:\Windows\System32\oziVeRP.exe
  2⤵
  PID:5848
- C:\Windows\System32\CoVROTC.exe
  C:\Windows\System32\CoVROTC.exe
  2⤵
  PID:4068
- C:\Windows\System32\hYVUPNp.exe
  C:\Windows\System32\hYVUPNp.exe
  2⤵
  PID:6008
- C:\Windows\System32\LDcHahf.exe
  C:\Windows\System32\LDcHahf.exe
  2⤵
  PID:1232
- C:\Windows\System32\HPOuRSc.exe
  C:\Windows\System32\HPOuRSc.exe
  2⤵
  PID:2024
- C:\Windows\System32\kgYVwdF.exe
  C:\Windows\System32\kgYVwdF.exe
  2⤵
  PID:2892
- C:\Windows\System32\KJRTBkj.exe
  C:\Windows\System32\KJRTBkj.exe
  2⤵
  PID:2328
- C:\Windows\System32\QbkSjOz.exe
  C:\Windows\System32\QbkSjOz.exe
  2⤵
  PID:5720
- C:\Windows\System32\wckQrdc.exe
  C:\Windows\System32\wckQrdc.exe
  2⤵
  PID:5980
- C:\Windows\System32\bjloWJa.exe
  C:\Windows\System32\bjloWJa.exe
  2⤵
  PID:5272
- C:\Windows\System32\IQRdoSN.exe
  C:\Windows\System32\IQRdoSN.exe
  2⤵
  PID:5548
- C:\Windows\System32\bUwAjZM.exe
  C:\Windows\System32\bUwAjZM.exe
  2⤵
  PID:6168
- C:\Windows\System32\rBhLneX.exe
  C:\Windows\System32\rBhLneX.exe
  2⤵
  PID:6184
- C:\Windows\System32\CIpUYrA.exe
  C:\Windows\System32\CIpUYrA.exe
  2⤵
  PID:6208
- C:\Windows\System32\IAYOhrH.exe
  C:\Windows\System32\IAYOhrH.exe
  2⤵
  PID:6288
- C:\Windows\System32\eAoTwvm.exe
  C:\Windows\System32\eAoTwvm.exe
  2⤵
  PID:6336
- C:\Windows\System32\muedFsL.exe
  C:\Windows\System32\muedFsL.exe
  2⤵
  PID:6364
- C:\Windows\System32\zWBbxDC.exe
  C:\Windows\System32\zWBbxDC.exe
  2⤵
  PID:6380
- C:\Windows\System32\pNHzZES.exe
  C:\Windows\System32\pNHzZES.exe
  2⤵
  PID:6408
- C:\Windows\System32\JwPsXfW.exe
  C:\Windows\System32\JwPsXfW.exe
  2⤵
  PID:6448
- C:\Windows\System32\ZNNsrna.exe
  C:\Windows\System32\ZNNsrna.exe
  2⤵
  PID:6472
- C:\Windows\System32\xeZFsiw.exe
  C:\Windows\System32\xeZFsiw.exe
  2⤵
  PID:6500
- C:\Windows\System32\ZImldkW.exe
  C:\Windows\System32\ZImldkW.exe
  2⤵
  PID:6540
- C:\Windows\System32\GcRfSBk.exe
  C:\Windows\System32\GcRfSBk.exe
  2⤵
  PID:6564
- C:\Windows\System32\YaENipj.exe
  C:\Windows\System32\YaENipj.exe
  2⤵
  PID:6596
- C:\Windows\System32\QUAMTlO.exe
  C:\Windows\System32\QUAMTlO.exe
  2⤵
  PID:6616
- C:\Windows\System32\FMUBqCx.exe
  C:\Windows\System32\FMUBqCx.exe
  2⤵
  PID:6644
- C:\Windows\System32\AAQWrHY.exe
  C:\Windows\System32\AAQWrHY.exe
  2⤵
  PID:6684
- C:\Windows\System32\FjWAnNu.exe
  C:\Windows\System32\FjWAnNu.exe
  2⤵
  PID:6708
- C:\Windows\System32\MQzdJvh.exe
  C:\Windows\System32\MQzdJvh.exe
  2⤵
  PID:6724
- C:\Windows\System32\dJYXUSv.exe
  C:\Windows\System32\dJYXUSv.exe
  2⤵
  PID:6744
- C:\Windows\System32\CTCuSJR.exe
  C:\Windows\System32\CTCuSJR.exe
  2⤵
  PID:6764
- C:\Windows\System32\rDQdAzq.exe
  C:\Windows\System32\rDQdAzq.exe
  2⤵
  PID:6780
- C:\Windows\System32\JZZsWQv.exe
  C:\Windows\System32\JZZsWQv.exe
  2⤵
  PID:6804
- C:\Windows\System32\aAPSDUv.exe
  C:\Windows\System32\aAPSDUv.exe
  2⤵
  PID:6820
- C:\Windows\System32\rBzbwxs.exe
  C:\Windows\System32\rBzbwxs.exe
  2⤵
  PID:6860
- C:\Windows\System32\UkzOSos.exe
  C:\Windows\System32\UkzOSos.exe
  2⤵
  PID:6880
- C:\Windows\System32\rGoauhU.exe
  C:\Windows\System32\rGoauhU.exe
  2⤵
  PID:6952
- C:\Windows\System32\MFIQoFB.exe
  C:\Windows\System32\MFIQoFB.exe
  2⤵
  PID:6976
- C:\Windows\System32\ERarBIp.exe
  C:\Windows\System32\ERarBIp.exe
  2⤵
  PID:7004
- C:\Windows\System32\QfwlTdy.exe
  C:\Windows\System32\QfwlTdy.exe
  2⤵
  PID:7024
- C:\Windows\System32\IDPaDmE.exe
  C:\Windows\System32\IDPaDmE.exe
  2⤵
  PID:7072
- C:\Windows\System32\KVxFxFG.exe
  C:\Windows\System32\KVxFxFG.exe
  2⤵
  PID:7100
- C:\Windows\System32\xKPMqoq.exe
  C:\Windows\System32\xKPMqoq.exe
  2⤵
  PID:7116
- C:\Windows\System32\HcsVVPX.exe
  C:\Windows\System32\HcsVVPX.exe
  2⤵
  PID:7140
- C:\Windows\System32\SVgUumH.exe
  C:\Windows\System32\SVgUumH.exe
  2⤵
  PID:7156
- C:\Windows\System32\JVfNCgP.exe
  C:\Windows\System32\JVfNCgP.exe
  2⤵
  PID:6160
- C:\Windows\System32\qhDzRJM.exe
  C:\Windows\System32\qhDzRJM.exe
  2⤵
  PID:6180
- C:\Windows\System32\ERaBKAn.exe
  C:\Windows\System32\ERaBKAn.exe
  2⤵
  PID:6260
- C:\Windows\System32\WwzKbsM.exe
  C:\Windows\System32\WwzKbsM.exe
  2⤵
  PID:6360
- C:\Windows\System32\ewSRrFI.exe
  C:\Windows\System32\ewSRrFI.exe
  2⤵
  PID:5400
- C:\Windows\System32\QbdXFgZ.exe
  C:\Windows\System32\QbdXFgZ.exe
  2⤵
  PID:6464
- C:\Windows\System32\lsDmXyx.exe
  C:\Windows\System32\lsDmXyx.exe
  2⤵
  PID:5416
- C:\Windows\System32\alWQGTF.exe
  C:\Windows\System32\alWQGTF.exe
  2⤵
  PID:6552
- C:\Windows\System32\aSOnfvv.exe
  C:\Windows\System32\aSOnfvv.exe
  2⤵
  PID:6592
- C:\Windows\System32\dmHosGY.exe
  C:\Windows\System32\dmHosGY.exe
  2⤵
  PID:5364
- C:\Windows\System32\IsAiiXs.exe
  C:\Windows\System32\IsAiiXs.exe
  2⤵
  PID:6680
- C:\Windows\System32\PzKIaZO.exe
  C:\Windows\System32\PzKIaZO.exe
  2⤵
  PID:5668
- C:\Windows\System32\MvxYpGO.exe
  C:\Windows\System32\MvxYpGO.exe
  2⤵
  PID:5688
- C:\Windows\System32\QaGyKxc.exe
  C:\Windows\System32\QaGyKxc.exe
  2⤵
  PID:6908
- C:\Windows\System32\PzxJoKg.exe
  C:\Windows\System32\PzxJoKg.exe
  2⤵
  PID:6964
- C:\Windows\System32\jvuPijB.exe
  C:\Windows\System32\jvuPijB.exe
  2⤵
  PID:7052
- C:\Windows\System32\lFukiZR.exe
  C:\Windows\System32\lFukiZR.exe
  2⤵
  PID:7080
- C:\Windows\System32\eLjVAWb.exe
  C:\Windows\System32\eLjVAWb.exe
  2⤵
  PID:5660
- C:\Windows\System32\iMSNntV.exe
  C:\Windows\System32\iMSNntV.exe
  2⤵
  PID:3896
- C:\Windows\System32\WYHoeFz.exe
  C:\Windows\System32\WYHoeFz.exe
  2⤵
  PID:6240
- C:\Windows\System32\WZgyXZx.exe
  C:\Windows\System32\WZgyXZx.exe
  2⤵
  PID:6284
- C:\Windows\System32\dqXgANc.exe
  C:\Windows\System32\dqXgANc.exe
  2⤵
  PID:6392
- C:\Windows\System32\ONahgsJ.exe
  C:\Windows\System32\ONahgsJ.exe
  2⤵
  PID:6468
- C:\Windows\System32\BQSZqTB.exe
  C:\Windows\System32\BQSZqTB.exe
  2⤵
  PID:6612
- C:\Windows\System32\ZCLxWDa.exe
  C:\Windows\System32\ZCLxWDa.exe
  2⤵
  PID:6800
- C:\Windows\System32\oyEuNYo.exe
  C:\Windows\System32\oyEuNYo.exe
  2⤵
  PID:6972
- C:\Windows\System32\IigRTto.exe
  C:\Windows\System32\IigRTto.exe
  2⤵
  PID:7136
- C:\Windows\System32\GOtqJRn.exe
  C:\Windows\System32\GOtqJRn.exe
  2⤵
  PID:6376
- C:\Windows\System32\IDNcrEM.exe
  C:\Windows\System32\IDNcrEM.exe
  2⤵
  PID:6236
- C:\Windows\System32\XmaIPbu.exe
  C:\Windows\System32\XmaIPbu.exe
  2⤵
  PID:6700
- C:\Windows\System32\fqKYciv.exe
  C:\Windows\System32\fqKYciv.exe
  2⤵
  PID:5696
- C:\Windows\System32\tLTuIcW.exe
  C:\Windows\System32\tLTuIcW.exe
  2⤵
  PID:6200
- C:\Windows\System32\PFSxzSs.exe
  C:\Windows\System32\PFSxzSs.exe
  2⤵
  PID:6696
- C:\Windows\System32\OwgYGgp.exe
  C:\Windows\System32\OwgYGgp.exe
  2⤵
  PID:6456
- C:\Windows\System32\RrhPvKd.exe
  C:\Windows\System32\RrhPvKd.exe
  2⤵
  PID:7184
- C:\Windows\System32\PFvCKXD.exe
  C:\Windows\System32\PFvCKXD.exe
  2⤵
  PID:7212
- C:\Windows\System32\mvPgaYj.exe
  C:\Windows\System32\mvPgaYj.exe
  2⤵
  PID:7252
- C:\Windows\System32\YMGZrYj.exe
  C:\Windows\System32\YMGZrYj.exe
  2⤵
  PID:7284
- C:\Windows\System32\dxVYPFz.exe
  C:\Windows\System32\dxVYPFz.exe
  2⤵
  PID:7312
- C:\Windows\System32\LeTHmTL.exe
  C:\Windows\System32\LeTHmTL.exe
  2⤵
  PID:7332
- C:\Windows\System32\hMPfXFp.exe
  C:\Windows\System32\hMPfXFp.exe
  2⤵
  PID:7368
- C:\Windows\System32\udDzwTz.exe
  C:\Windows\System32\udDzwTz.exe
  2⤵
  PID:7388
- C:\Windows\System32\HwmHhnX.exe
  C:\Windows\System32\HwmHhnX.exe
  2⤵
  PID:7424
- C:\Windows\System32\InlQnQF.exe
  C:\Windows\System32\InlQnQF.exe
  2⤵
  PID:7440
- C:\Windows\System32\vBNRDpm.exe
  C:\Windows\System32\vBNRDpm.exe
  2⤵
  PID:7464
- C:\Windows\System32\HixUAMy.exe
  C:\Windows\System32\HixUAMy.exe
  2⤵
  PID:7484
- C:\Windows\System32\xLiEIuF.exe
  C:\Windows\System32\xLiEIuF.exe
  2⤵
  PID:7508
- C:\Windows\System32\MUtmWLG.exe
  C:\Windows\System32\MUtmWLG.exe
  2⤵
  PID:7556
- C:\Windows\System32\COSbATl.exe
  C:\Windows\System32\COSbATl.exe
  2⤵
  PID:7596
- C:\Windows\System32\oUQinle.exe
  C:\Windows\System32\oUQinle.exe
  2⤵
  PID:7624
- C:\Windows\System32\vuYJECt.exe
  C:\Windows\System32\vuYJECt.exe
  2⤵
  PID:7652
- C:\Windows\System32\MwwvxCe.exe
  C:\Windows\System32\MwwvxCe.exe
  2⤵
  PID:7676
- C:\Windows\System32\COUZzKX.exe
  C:\Windows\System32\COUZzKX.exe
  2⤵
  PID:7692
- C:\Windows\System32\JBkhLzt.exe
  C:\Windows\System32\JBkhLzt.exe
  2⤵
  PID:7740
- C:\Windows\System32\qdlGBar.exe
  C:\Windows\System32\qdlGBar.exe
  2⤵
  PID:7764
- C:\Windows\System32\HVruWXl.exe
  C:\Windows\System32\HVruWXl.exe
  2⤵
  PID:7784
- C:\Windows\System32\mKolxpO.exe
  C:\Windows\System32\mKolxpO.exe
  2⤵
  PID:7820
- C:\Windows\System32\pShixpf.exe
  C:\Windows\System32\pShixpf.exe
  2⤵
  PID:7836
- C:\Windows\System32\MOuvvXG.exe
  C:\Windows\System32\MOuvvXG.exe
  2⤵
  PID:7864
- C:\Windows\System32\YojLgtK.exe
  C:\Windows\System32\YojLgtK.exe
  2⤵
  PID:7892
- C:\Windows\System32\rfZbbqX.exe
  C:\Windows\System32\rfZbbqX.exe
  2⤵
  PID:7932
- C:\Windows\System32\CmFHaiu.exe
  C:\Windows\System32\CmFHaiu.exe
  2⤵
  PID:7960
- C:\Windows\System32\EDxrzOU.exe
  C:\Windows\System32\EDxrzOU.exe
  2⤵
  PID:7984
- C:\Windows\System32\JFdPzwg.exe
  C:\Windows\System32\JFdPzwg.exe
  2⤵
  PID:8016
- C:\Windows\System32\igYCFht.exe
  C:\Windows\System32\igYCFht.exe
  2⤵
  PID:8032
- C:\Windows\System32\dcYdXnp.exe
  C:\Windows\System32\dcYdXnp.exe
  2⤵
  PID:8064
- C:\Windows\System32\YIxXzCy.exe
  C:\Windows\System32\YIxXzCy.exe
  2⤵
  PID:8096
- C:\Windows\System32\SGiNPcL.exe
  C:\Windows\System32\SGiNPcL.exe
  2⤵
  PID:8112
- C:\Windows\System32\IPYAlTk.exe
  C:\Windows\System32\IPYAlTk.exe
  2⤵
  PID:8144
- C:\Windows\System32\rcuFKCW.exe
  C:\Windows\System32\rcuFKCW.exe
  2⤵
  PID:7192
- C:\Windows\System32\wkUSrpg.exe
  C:\Windows\System32\wkUSrpg.exe
  2⤵
  PID:7272
- C:\Windows\System32\FYkCUwW.exe
  C:\Windows\System32\FYkCUwW.exe
  2⤵
  PID:7320
- C:\Windows\System32\ZGlhJIR.exe
  C:\Windows\System32\ZGlhJIR.exe
  2⤵
  PID:7380
- C:\Windows\System32\pFZysft.exe
  C:\Windows\System32\pFZysft.exe
  2⤵
  PID:7408
- C:\Windows\System32\kKIZyrr.exe
  C:\Windows\System32\kKIZyrr.exe
  2⤵
  PID:7460
- C:\Windows\System32\ssWjIqC.exe
  C:\Windows\System32\ssWjIqC.exe
  2⤵
  PID:7456
- C:\Windows\System32\EzrwlNc.exe
  C:\Windows\System32\EzrwlNc.exe
  2⤵
  PID:7536
- C:\Windows\System32\xOXLKuT.exe
  C:\Windows\System32\xOXLKuT.exe
  2⤵
  PID:7716
- C:\Windows\System32\oXcvrJs.exe
  C:\Windows\System32\oXcvrJs.exe
  2⤵
  PID:7776
- C:\Windows\System32\vUGScci.exe
  C:\Windows\System32\vUGScci.exe
  2⤵
  PID:7812
- C:\Windows\System32\qfEWwAP.exe
  C:\Windows\System32\qfEWwAP.exe
  2⤵
  PID:7924
- C:\Windows\System32\AnxpRbW.exe
  C:\Windows\System32\AnxpRbW.exe
  2⤵
  PID:7968
- C:\Windows\System32\MmTbecO.exe
  C:\Windows\System32\MmTbecO.exe
  2⤵
  PID:7996
- C:\Windows\System32\MrsqVMI.exe
  C:\Windows\System32\MrsqVMI.exe
  2⤵
  PID:8040
- C:\Windows\System32\GDQicxs.exe
  C:\Windows\System32\GDQicxs.exe
  2⤵
  PID:8092
- C:\Windows\System32\LKqTVtv.exe
  C:\Windows\System32\LKqTVtv.exe
  2⤵
  PID:8136
- C:\Windows\System32\jOoZvnz.exe
  C:\Windows\System32\jOoZvnz.exe
  2⤵
  PID:7176
- C:\Windows\System32\fpWDeEr.exe
  C:\Windows\System32\fpWDeEr.exe
  2⤵
  PID:7280
- C:\Windows\System32\eXriDUp.exe
  C:\Windows\System32\eXriDUp.exe
  2⤵
  PID:7472
- C:\Windows\System32\qxHaffR.exe
  C:\Windows\System32\qxHaffR.exe
  2⤵
  PID:7632
- C:\Windows\System32\UZcHQYA.exe
  C:\Windows\System32\UZcHQYA.exe
  2⤵
  PID:7732
- C:\Windows\System32\HAxRnPt.exe
  C:\Windows\System32\HAxRnPt.exe
  2⤵
  PID:7944
- C:\Windows\System32\kbFasdi.exe
  C:\Windows\System32\kbFasdi.exe
  2⤵
  PID:8052
- C:\Windows\System32\WMcRhdH.exe
  C:\Windows\System32\WMcRhdH.exe
  2⤵
  PID:7300
- C:\Windows\System32\KvCAgwI.exe
  C:\Windows\System32\KvCAgwI.exe
  2⤵
  PID:7684
- C:\Windows\System32\cDeaSzN.exe
  C:\Windows\System32\cDeaSzN.exe
  2⤵
  PID:7904
- C:\Windows\System32\EWyEEyC.exe
  C:\Windows\System32\EWyEEyC.exe
  2⤵
  PID:8176
- C:\Windows\System32\wvzVQbk.exe
  C:\Windows\System32\wvzVQbk.exe
  2⤵
  PID:8212
- C:\Windows\System32\bZIgmsm.exe
  C:\Windows\System32\bZIgmsm.exe
  2⤵
  PID:8232
- C:\Windows\System32\CrPyabI.exe
  C:\Windows\System32\CrPyabI.exe
  2⤵
  PID:8252
- C:\Windows\System32\EyXsRbK.exe
  C:\Windows\System32\EyXsRbK.exe
  2⤵
  PID:8272
- C:\Windows\System32\SFxwxLn.exe
  C:\Windows\System32\SFxwxLn.exe
  2⤵
  PID:8328
- C:\Windows\System32\SVnZzhx.exe
  C:\Windows\System32\SVnZzhx.exe
  2⤵
  PID:8360
- C:\Windows\System32\wfNcCwF.exe
  C:\Windows\System32\wfNcCwF.exe
  2⤵
  PID:8380
- C:\Windows\System32\KbwqtGR.exe
  C:\Windows\System32\KbwqtGR.exe
  2⤵
  PID:8404
- C:\Windows\System32\ndNwuyg.exe
  C:\Windows\System32\ndNwuyg.exe
  2⤵
  PID:8436
- C:\Windows\System32\aKkzKkM.exe
  C:\Windows\System32\aKkzKkM.exe
  2⤵
  PID:8464
- C:\Windows\System32\WZdlkwc.exe
  C:\Windows\System32\WZdlkwc.exe
  2⤵
  PID:8500
- C:\Windows\System32\BoTvCbZ.exe
  C:\Windows\System32\BoTvCbZ.exe
  2⤵
  PID:8532
- C:\Windows\System32\ClrMjpn.exe
  C:\Windows\System32\ClrMjpn.exe
  2⤵
  PID:8560
- C:\Windows\System32\GFkJdol.exe
  C:\Windows\System32\GFkJdol.exe
  2⤵
  PID:8596
- C:\Windows\System32\AdQOxjX.exe
  C:\Windows\System32\AdQOxjX.exe
  2⤵
  PID:8624
- C:\Windows\System32\hmncvVE.exe
  C:\Windows\System32\hmncvVE.exe
  2⤵
  PID:8648
- C:\Windows\System32\djozMzn.exe
  C:\Windows\System32\djozMzn.exe
  2⤵
  PID:8676
- C:\Windows\System32\TuFmOxQ.exe
  C:\Windows\System32\TuFmOxQ.exe
  2⤵
  PID:8704
- C:\Windows\System32\cHKFsyi.exe
  C:\Windows\System32\cHKFsyi.exe
  2⤵
  PID:8736
- C:\Windows\System32\fQvCuXl.exe
  C:\Windows\System32\fQvCuXl.exe
  2⤵
  PID:8756
- C:\Windows\System32\qllCYQg.exe
  C:\Windows\System32\qllCYQg.exe
  2⤵
  PID:8780
- C:\Windows\System32\SSJNIZH.exe
  C:\Windows\System32\SSJNIZH.exe
  2⤵
  PID:8820
- C:\Windows\System32\msTTNMU.exe
  C:\Windows\System32\msTTNMU.exe
  2⤵
  PID:8844
- C:\Windows\System32\OWCPyTQ.exe
  C:\Windows\System32\OWCPyTQ.exe
  2⤵
  PID:8872
- C:\Windows\System32\oPfAVOI.exe
  C:\Windows\System32\oPfAVOI.exe
  2⤵
  PID:8892
- C:\Windows\System32\otFumkx.exe
  C:\Windows\System32\otFumkx.exe
  2⤵
  PID:8932
- C:\Windows\System32\uIqMkFF.exe
  C:\Windows\System32\uIqMkFF.exe
  2⤵
  PID:8956
- C:\Windows\System32\FpeQzjS.exe
  C:\Windows\System32\FpeQzjS.exe
  2⤵
  PID:8984
- C:\Windows\System32\PMcPXUR.exe
  C:\Windows\System32\PMcPXUR.exe
  2⤵
  PID:9004
- C:\Windows\System32\oJgCWeh.exe
  C:\Windows\System32\oJgCWeh.exe
  2⤵
  PID:9020
- C:\Windows\System32\zduYypX.exe
  C:\Windows\System32\zduYypX.exe
  2⤵
  PID:9056
- C:\Windows\System32\LCEnwQj.exe
  C:\Windows\System32\LCEnwQj.exe
  2⤵
  PID:9088
- C:\Windows\System32\KTUitqW.exe
  C:\Windows\System32\KTUitqW.exe
  2⤵
  PID:9108
- C:\Windows\System32\AFNLRbs.exe
  C:\Windows\System32\AFNLRbs.exe
  2⤵
  PID:9140
- C:\Windows\System32\DAYhbZD.exe
  C:\Windows\System32\DAYhbZD.exe
  2⤵
  PID:9156
- C:\Windows\System32\pfCMoUn.exe
  C:\Windows\System32\pfCMoUn.exe
  2⤵
  PID:9200
- C:\Windows\System32\pWTJMnt.exe
  C:\Windows\System32\pWTJMnt.exe
  2⤵
  PID:8228
- C:\Windows\System32\soYjLuQ.exe
  C:\Windows\System32\soYjLuQ.exe
  2⤵
  PID:8248
- C:\Windows\System32\ssnCWDF.exe
  C:\Windows\System32\ssnCWDF.exe
  2⤵
  PID:8260
- C:\Windows\System32\BcvIXjf.exe
  C:\Windows\System32\BcvIXjf.exe
  2⤵
  PID:8424
- C:\Windows\System32\jbiYPhu.exe
  C:\Windows\System32\jbiYPhu.exe
  2⤵
  PID:8476
- C:\Windows\System32\mBVGMmE.exe
  C:\Windows\System32\mBVGMmE.exe
  2⤵
  PID:8544
- C:\Windows\System32\vMFiqMx.exe
  C:\Windows\System32\vMFiqMx.exe
  2⤵
  PID:8608
- C:\Windows\System32\EkNprOd.exe
  C:\Windows\System32\EkNprOd.exe
  2⤵
  PID:8668
- C:\Windows\System32\yMJyTyS.exe
  C:\Windows\System32\yMJyTyS.exe
  2⤵
  PID:8720
- C:\Windows\System32\PPWyliU.exe
  C:\Windows\System32\PPWyliU.exe
  2⤵
  PID:8812
- C:\Windows\System32\TZXLwxK.exe
  C:\Windows\System32\TZXLwxK.exe
  2⤵
  PID:8860
- C:\Windows\System32\FlAFRlG.exe
  C:\Windows\System32\FlAFRlG.exe
  2⤵
  PID:8912
- C:\Windows\System32\nOTCuJJ.exe
  C:\Windows\System32\nOTCuJJ.exe
  2⤵
  PID:9000
- C:\Windows\System32\OFUoXmS.exe
  C:\Windows\System32\OFUoXmS.exe
  2⤵
  PID:9068
- C:\Windows\System32\gxHZoEa.exe
  C:\Windows\System32\gxHZoEa.exe
  2⤵
  PID:9152
- C:\Windows\System32\nmAgzMe.exe
  C:\Windows\System32\nmAgzMe.exe
  2⤵
  PID:9212
- C:\Windows\System32\gbJJrIR.exe
  C:\Windows\System32\gbJJrIR.exe
  2⤵
  PID:8220
- C:\Windows\System32\OuqACqh.exe
  C:\Windows\System32\OuqACqh.exe
  2⤵
  PID:8456
- C:\Windows\System32\brugbxg.exe
  C:\Windows\System32\brugbxg.exe
  2⤵
  PID:8548
- C:\Windows\System32\NevgUCG.exe
  C:\Windows\System32\NevgUCG.exe
  2⤵
  PID:8804
- C:\Windows\System32\GzYzMjj.exe
  C:\Windows\System32\GzYzMjj.exe
  2⤵
  PID:8964
- C:\Windows\System32\cmxMfPN.exe
  C:\Windows\System32\cmxMfPN.exe
  2⤵
  PID:9072
- C:\Windows\System32\xeDAxRA.exe
  C:\Windows\System32\xeDAxRA.exe
  2⤵
  PID:8200
- C:\Windows\System32\vlzCaha.exe
  C:\Windows\System32\vlzCaha.exe
  2⤵
  PID:8420
- C:\Windows\System32\FIDtpaL.exe
  C:\Windows\System32\FIDtpaL.exe
  2⤵
  PID:8748
- C:\Windows\System32\yLNwQyV.exe
  C:\Windows\System32\yLNwQyV.exe
  2⤵
  PID:9208
- C:\Windows\System32\CwlBBKM.exe
  C:\Windows\System32\CwlBBKM.exe
  2⤵
  PID:8588
- C:\Windows\System32\ftpipno.exe
  C:\Windows\System32\ftpipno.exe
  2⤵
  PID:9232
- C:\Windows\System32\TYTDaWs.exe
  C:\Windows\System32\TYTDaWs.exe
  2⤵
  PID:9256
- C:\Windows\System32\EQAPbZt.exe
  C:\Windows\System32\EQAPbZt.exe
  2⤵
  PID:9296
- C:\Windows\System32\RIeFWoW.exe
  C:\Windows\System32\RIeFWoW.exe
  2⤵
  PID:9312
- C:\Windows\System32\NSPFlak.exe
  C:\Windows\System32\NSPFlak.exe
  2⤵
  PID:9340
- C:\Windows\System32\wDZpoqa.exe
  C:\Windows\System32\wDZpoqa.exe
  2⤵
  PID:9360
- C:\Windows\System32\ZQYhyHD.exe
  C:\Windows\System32\ZQYhyHD.exe
  2⤵
  PID:9404
- C:\Windows\System32\VhlHIrC.exe
  C:\Windows\System32\VhlHIrC.exe
  2⤵
  PID:9428
- C:\Windows\System32\NBmwehO.exe
  C:\Windows\System32\NBmwehO.exe
  2⤵
  PID:9452
- C:\Windows\System32\udtUXjp.exe
  C:\Windows\System32\udtUXjp.exe
  2⤵
  PID:9480
- C:\Windows\System32\JmLqwwR.exe
  C:\Windows\System32\JmLqwwR.exe
  2⤵
  PID:9500
- C:\Windows\System32\CXkycoQ.exe
  C:\Windows\System32\CXkycoQ.exe
  2⤵
  PID:9528
- C:\Windows\System32\aINAfow.exe
  C:\Windows\System32\aINAfow.exe
  2⤵
  PID:9572
- C:\Windows\System32\JJhGzsH.exe
  C:\Windows\System32\JJhGzsH.exe
  2⤵
  PID:9592
- C:\Windows\System32\GDtxFfG.exe
  C:\Windows\System32\GDtxFfG.exe
  2⤵
  PID:9632
- C:\Windows\System32\DsQwKlq.exe
  C:\Windows\System32\DsQwKlq.exe
  2⤵
  PID:9656
- C:\Windows\System32\RlLhVsL.exe
  C:\Windows\System32\RlLhVsL.exe
  2⤵
  PID:9676
- C:\Windows\System32\vKuPtOJ.exe
  C:\Windows\System32\vKuPtOJ.exe
  2⤵
  PID:9704
- C:\Windows\System32\mMHlJKJ.exe
  C:\Windows\System32\mMHlJKJ.exe
  2⤵
  PID:9732
- C:\Windows\System32\CJDIHWW.exe
  C:\Windows\System32\CJDIHWW.exe
  2⤵
  PID:9768
- C:\Windows\System32\rcFVdvy.exe
  C:\Windows\System32\rcFVdvy.exe
  2⤵
  PID:9788
- C:\Windows\System32\nGTcHMd.exe
  C:\Windows\System32\nGTcHMd.exe
  2⤵
  PID:9808
- C:\Windows\System32\TebJGGk.exe
  C:\Windows\System32\TebJGGk.exe
  2⤵
  PID:9840
- C:\Windows\System32\EFHalUG.exe
  C:\Windows\System32\EFHalUG.exe
  2⤵
  PID:9880
- C:\Windows\System32\vYSpKVj.exe
  C:\Windows\System32\vYSpKVj.exe
  2⤵
  PID:9908
- C:\Windows\System32\gSQCoxL.exe
  C:\Windows\System32\gSQCoxL.exe
  2⤵
  PID:9928
- C:\Windows\System32\wmgcBoK.exe
  C:\Windows\System32\wmgcBoK.exe
  2⤵
  PID:9952
- C:\Windows\System32\ZPnVsGE.exe
  C:\Windows\System32\ZPnVsGE.exe
  2⤵
  PID:9968
- C:\Windows\System32\OZHTsrg.exe
  C:\Windows\System32\OZHTsrg.exe
  2⤵
  PID:9992
- C:\Windows\System32\EyPKVse.exe
  C:\Windows\System32\EyPKVse.exe
  2⤵
  PID:10016
- C:\Windows\System32\UftcgYO.exe
  C:\Windows\System32\UftcgYO.exe
  2⤵
  PID:10080
- C:\Windows\System32\SbIMOdR.exe
  C:\Windows\System32\SbIMOdR.exe
  2⤵
  PID:10104
- C:\Windows\System32\nHirLcJ.exe
  C:\Windows\System32\nHirLcJ.exe
  2⤵
  PID:10128
- C:\Windows\System32\soecaqI.exe
  C:\Windows\System32\soecaqI.exe
  2⤵
  PID:10152
- C:\Windows\System32\PaOdUoR.exe
  C:\Windows\System32\PaOdUoR.exe
  2⤵
  PID:10188
- C:\Windows\System32\ZNwIyvv.exe
  C:\Windows\System32\ZNwIyvv.exe
  2⤵
  PID:10216
- C:\Windows\System32\SQVXVkw.exe
  C:\Windows\System32\SQVXVkw.exe
  2⤵
  PID:9224
- C:\Windows\System32\LUhbdzL.exe
  C:\Windows\System32\LUhbdzL.exe
  2⤵
  PID:9288
- C:\Windows\System32\tumkSEN.exe
  C:\Windows\System32\tumkSEN.exe
  2⤵
  PID:9336
- C:\Windows\System32\mdyQviL.exe
  C:\Windows\System32\mdyQviL.exe
  2⤵
  PID:9380
- C:\Windows\System32\LyLXMSy.exe
  C:\Windows\System32\LyLXMSy.exe
  2⤵
  PID:9476
- C:\Windows\System32\zUNnOEr.exe
  C:\Windows\System32\zUNnOEr.exe
  2⤵
  PID:9568
- C:\Windows\System32\hJDmDcb.exe
  C:\Windows\System32\hJDmDcb.exe
  2⤵
  PID:9616
- C:\Windows\System32\oKfFwIm.exe
  C:\Windows\System32\oKfFwIm.exe
  2⤵
  PID:9664
- C:\Windows\System32\fCoYzHp.exe
  C:\Windows\System32\fCoYzHp.exe
  2⤵
  PID:9752
- C:\Windows\System32\XWrLWxq.exe
  C:\Windows\System32\XWrLWxq.exe
  2⤵
  PID:9784
- C:\Windows\System32\beigbPF.exe
  C:\Windows\System32\beigbPF.exe
  2⤵
  PID:9888
- C:\Windows\System32\iAZqedk.exe
  C:\Windows\System32\iAZqedk.exe
  2⤵
  PID:9976
- C:\Windows\System32\yqLIlPW.exe
  C:\Windows\System32\yqLIlPW.exe
  2⤵
  PID:10012
- C:\Windows\System32\UZuzyFm.exe
  C:\Windows\System32\UZuzyFm.exe
  2⤵
  PID:10076
- C:\Windows\System32\XAJShXI.exe
  C:\Windows\System32\XAJShXI.exe
  2⤵
  PID:10112
- C:\Windows\System32\NvFjuhV.exe
  C:\Windows\System32\NvFjuhV.exe
  2⤵
  PID:10164
- C:\Windows\System32\SOhgglK.exe
  C:\Windows\System32\SOhgglK.exe
  2⤵
  PID:9356
- C:\Windows\System32\ZBepSiG.exe
  C:\Windows\System32\ZBepSiG.exe
  2⤵
  PID:9436
- C:\Windows\System32\SZuwEjf.exe
  C:\Windows\System32\SZuwEjf.exe
  2⤵
  PID:9628
- C:\Windows\System32\wOLmWpc.exe
  C:\Windows\System32\wOLmWpc.exe
  2⤵
  PID:9716
- C:\Windows\System32\FhBGYAX.exe
  C:\Windows\System32\FhBGYAX.exe
  2⤵
  PID:9896
- C:\Windows\System32\jkAnVQe.exe
  C:\Windows\System32\jkAnVQe.exe
  2⤵
  PID:9980
- C:\Windows\System32\bHyvgJK.exe
  C:\Windows\System32\bHyvgJK.exe
  2⤵
  PID:10136
- C:\Windows\System32\RyjXnJY.exe
  C:\Windows\System32\RyjXnJY.exe
  2⤵
  PID:9472
- C:\Windows\System32\mbocuJJ.exe
  C:\Windows\System32\mbocuJJ.exe
  2⤵
  PID:9776
- C:\Windows\System32\QNnaXqR.exe
  C:\Windows\System32\QNnaXqR.exe
  2⤵
  PID:10116
- C:\Windows\System32\PZudQCn.exe
  C:\Windows\System32\PZudQCn.exe
  2⤵
  PID:9496
- C:\Windows\System32\RqptiUt.exe
  C:\Windows\System32\RqptiUt.exe
  2⤵
  PID:10260
- C:\Windows\System32\fASOZpL.exe
  C:\Windows\System32\fASOZpL.exe
  2⤵
  PID:10276
- C:\Windows\System32\wxrpjDA.exe
  C:\Windows\System32\wxrpjDA.exe
  2⤵
  PID:10296
- C:\Windows\System32\NwVYBJT.exe
  C:\Windows\System32\NwVYBJT.exe
  2⤵
  PID:10320
- C:\Windows\System32\fhXBVTV.exe
  C:\Windows\System32\fhXBVTV.exe
  2⤵
  PID:10368
- C:\Windows\System32\KTgJjrZ.exe
  C:\Windows\System32\KTgJjrZ.exe
  2⤵
  PID:10392
- C:\Windows\System32\uCdYhDo.exe
  C:\Windows\System32\uCdYhDo.exe
  2⤵
  PID:10420
- C:\Windows\System32\FiHGtBy.exe
  C:\Windows\System32\FiHGtBy.exe
  2⤵
  PID:10436
- C:\Windows\System32\hpYIDtR.exe
  C:\Windows\System32\hpYIDtR.exe
  2⤵
  PID:10476
- C:\Windows\System32\KDUbbaf.exe
  C:\Windows\System32\KDUbbaf.exe
  2⤵
  PID:10512
- C:\Windows\System32\PzzJEIL.exe
  C:\Windows\System32\PzzJEIL.exe
  2⤵
  PID:10540
- C:\Windows\System32\byvGoko.exe
  C:\Windows\System32\byvGoko.exe
  2⤵
  PID:10572
- C:\Windows\System32\snlbTOt.exe
  C:\Windows\System32\snlbTOt.exe
  2⤵
  PID:10624
- C:\Windows\System32\DgYWyQk.exe
  C:\Windows\System32\DgYWyQk.exe
  2⤵
  PID:10748
- C:\Windows\System32\EnQKJDx.exe
  C:\Windows\System32\EnQKJDx.exe
  2⤵
  PID:10764
- C:\Windows\System32\zvZaJfr.exe
  C:\Windows\System32\zvZaJfr.exe
  2⤵
  PID:10780
- C:\Windows\System32\yjsEMHs.exe
  C:\Windows\System32\yjsEMHs.exe
  2⤵
  PID:10796
- C:\Windows\System32\yktuclX.exe
  C:\Windows\System32\yktuclX.exe
  2⤵
  PID:10812
- C:\Windows\System32\SfLIdaw.exe
  C:\Windows\System32\SfLIdaw.exe
  2⤵
  PID:10828
- C:\Windows\System32\VOBPKXY.exe
  C:\Windows\System32\VOBPKXY.exe
  2⤵
  PID:10844
- C:\Windows\System32\SGmLVUD.exe
  C:\Windows\System32\SGmLVUD.exe
  2⤵
  PID:10860
- C:\Windows\System32\CVJWTCx.exe
  C:\Windows\System32\CVJWTCx.exe
  2⤵
  PID:10876
- C:\Windows\System32\wJVRXwt.exe
  C:\Windows\System32\wJVRXwt.exe
  2⤵
  PID:10892
- C:\Windows\System32\yIFpADB.exe
  C:\Windows\System32\yIFpADB.exe
  2⤵
  PID:10908
- C:\Windows\System32\OTIczTb.exe
  C:\Windows\System32\OTIczTb.exe
  2⤵
  PID:10924
- C:\Windows\System32\GLWSqAG.exe
  C:\Windows\System32\GLWSqAG.exe
  2⤵
  PID:10940
- C:\Windows\System32\eEHNHNm.exe
  C:\Windows\System32\eEHNHNm.exe
  2⤵
  PID:10956
- C:\Windows\System32\zwEQTEt.exe
  C:\Windows\System32\zwEQTEt.exe
  2⤵
  PID:10972
- C:\Windows\System32\uhbGbpE.exe
  C:\Windows\System32\uhbGbpE.exe
  2⤵
  PID:10988
- C:\Windows\System32\DKGwXKk.exe
  C:\Windows\System32\DKGwXKk.exe
  2⤵
  PID:11004
- C:\Windows\System32\cKDmSwi.exe
  C:\Windows\System32\cKDmSwi.exe
  2⤵
  PID:11020
- C:\Windows\System32\nPKHuit.exe
  C:\Windows\System32\nPKHuit.exe
  2⤵
  PID:11040
- C:\Windows\System32\wWaRDlJ.exe
  C:\Windows\System32\wWaRDlJ.exe
  2⤵
  PID:11064
- C:\Windows\System32\wbLpJAw.exe
  C:\Windows\System32\wbLpJAw.exe
  2⤵
  PID:11088
- C:\Windows\System32\cwXefsv.exe
  C:\Windows\System32\cwXefsv.exe
  2⤵
  PID:11116
- C:\Windows\System32\mBftKPU.exe
  C:\Windows\System32\mBftKPU.exe
  2⤵
  PID:11132
- C:\Windows\System32\iUnYFuc.exe
  C:\Windows\System32\iUnYFuc.exe
  2⤵
  PID:10272
- C:\Windows\System32\fmlogrk.exe
  C:\Windows\System32\fmlogrk.exe
  2⤵
  PID:10340
- C:\Windows\System32\hEYXKaY.exe
  C:\Windows\System32\hEYXKaY.exe
  2⤵
  PID:10536
- C:\Windows\System32\xgHwNey.exe
  C:\Windows\System32\xgHwNey.exe
  2⤵
  PID:10524
- C:\Windows\System32\MvqYtMr.exe
  C:\Windows\System32\MvqYtMr.exe
  2⤵
  PID:10692
- C:\Windows\System32\XjqCxPJ.exe
  C:\Windows\System32\XjqCxPJ.exe
  2⤵
  PID:10700
- C:\Windows\System32\hMbZxEN.exe
  C:\Windows\System32\hMbZxEN.exe
  2⤵
  PID:10920
- C:\Windows\System32\beITcty.exe
  C:\Windows\System32\beITcty.exe
  2⤵
  PID:10968
- C:\Windows\System32\GUgolgj.exe
  C:\Windows\System32\GUgolgj.exe
  2⤵
  PID:10948
- C:\Windows\System32\ymvpQfj.exe
  C:\Windows\System32\ymvpQfj.exe
  2⤵
  PID:10760
- C:\Windows\System32\DCiXrHW.exe
  C:\Windows\System32\DCiXrHW.exe
  2⤵
  PID:11056
- C:\Windows\System32\txxHFKr.exe
  C:\Windows\System32\txxHFKr.exe
  2⤵
  PID:9512
- C:\Windows\System32\dssTdtZ.exe
  C:\Windows\System32\dssTdtZ.exe
  2⤵
  PID:11160
- C:\Windows\System32\lmgnNuC.exe
  C:\Windows\System32\lmgnNuC.exe
  2⤵
  PID:11244
- C:\Windows\System32\OuRHOVf.exe
  C:\Windows\System32\OuRHOVf.exe
  2⤵
  PID:10308
- C:\Windows\System32\YOELJvp.exe
  C:\Windows\System32\YOELJvp.exe
  2⤵
  PID:10548
- C:\Windows\System32\DfGGMMc.exe
  C:\Windows\System32\DfGGMMc.exe
  2⤵
  PID:10936
- C:\Windows\System32\qPHfiqg.exe
  C:\Windows\System32\qPHfiqg.exe
  2⤵
  PID:10712
- C:\Windows\System32\FYKmTbW.exe
  C:\Windows\System32\FYKmTbW.exe
  2⤵
  PID:10756
- C:\Windows\System32\PHQcapb.exe
  C:\Windows\System32\PHQcapb.exe
  2⤵
  PID:10268
- C:\Windows\System32\cvMnLTO.exe
  C:\Windows\System32\cvMnLTO.exe
  2⤵
  PID:10256
- C:\Windows\System32\DWdrgYI.exe
  C:\Windows\System32\DWdrgYI.exe
  2⤵
  PID:10616
- C:\Windows\System32\SULUuzd.exe
  C:\Windows\System32\SULUuzd.exe
  2⤵
  PID:11284
- C:\Windows\System32\DVkICBZ.exe
  C:\Windows\System32\DVkICBZ.exe
  2⤵
  PID:11312
- C:\Windows\System32\PCeKkSY.exe
  C:\Windows\System32\PCeKkSY.exe
  2⤵
  PID:11368
- C:\Windows\System32\RPXLcnD.exe
  C:\Windows\System32\RPXLcnD.exe
  2⤵
  PID:11392
- C:\Windows\System32\ijHSile.exe
  C:\Windows\System32\ijHSile.exe
  2⤵
  PID:11424
- C:\Windows\System32\ajxpkne.exe
  C:\Windows\System32\ajxpkne.exe
  2⤵
  PID:11464
- C:\Windows\System32\OpmslFp.exe
  C:\Windows\System32\OpmslFp.exe
  2⤵
  PID:11488
- C:\Windows\System32\BqGhtxy.exe
  C:\Windows\System32\BqGhtxy.exe
  2⤵
  PID:11508
- C:\Windows\System32\XRdTAdV.exe
  C:\Windows\System32\XRdTAdV.exe
  2⤵
  PID:11552
- C:\Windows\System32\GJHPGPI.exe
  C:\Windows\System32\GJHPGPI.exe
  2⤵
  PID:11588
- C:\Windows\System32\mQgVQPp.exe
  C:\Windows\System32\mQgVQPp.exe
  2⤵
  PID:11664
- C:\Windows\System32\SmaHrcA.exe
  C:\Windows\System32\SmaHrcA.exe
  2⤵
  PID:11696
- C:\Windows\System32\rvWJMkM.exe
  C:\Windows\System32\rvWJMkM.exe
  2⤵
  PID:11732
- C:\Windows\System32\gzKbUgN.exe
  C:\Windows\System32\gzKbUgN.exe
  2⤵
  PID:11760
- C:\Windows\System32\VuBroXb.exe
  C:\Windows\System32\VuBroXb.exe
  2⤵
  PID:11792
- C:\Windows\System32\FTcysHF.exe
  C:\Windows\System32\FTcysHF.exe
  2⤵
  PID:11848
- C:\Windows\System32\hRRBNDy.exe
  C:\Windows\System32\hRRBNDy.exe
  2⤵
  PID:11864
- C:\Windows\System32\xQDZGrW.exe
  C:\Windows\System32\xQDZGrW.exe
  2⤵
  PID:11892
- C:\Windows\System32\LrdYSRS.exe
  C:\Windows\System32\LrdYSRS.exe
  2⤵
  PID:11920
- C:\Windows\System32\zqUKGPM.exe
  C:\Windows\System32\zqUKGPM.exe
  2⤵
  PID:11948
- C:\Windows\System32\CZDEEdZ.exe
  C:\Windows\System32\CZDEEdZ.exe
  2⤵
  PID:11964
- C:\Windows\System32\ZbHTsAZ.exe
  C:\Windows\System32\ZbHTsAZ.exe
  2⤵
  PID:11988
- C:\Windows\System32\tolSQTc.exe
  C:\Windows\System32\tolSQTc.exe
  2⤵
  PID:12024
- C:\Windows\System32\OlhTGXs.exe
  C:\Windows\System32\OlhTGXs.exe
  2⤵
  PID:12060
- C:\Windows\System32\HoDZNLP.exe
  C:\Windows\System32\HoDZNLP.exe
  2⤵
  PID:12088
- C:\Windows\System32\UuDmtLL.exe
  C:\Windows\System32\UuDmtLL.exe
  2⤵
  PID:12108
- C:\Windows\System32\seoiHDx.exe
  C:\Windows\System32\seoiHDx.exe
  2⤵
  PID:12124
- C:\Windows\System32\pCpOqlf.exe
  C:\Windows\System32\pCpOqlf.exe
  2⤵
  PID:12152
- C:\Windows\System32\IZRItek.exe
  C:\Windows\System32\IZRItek.exe
  2⤵
  PID:12200
- C:\Windows\System32\WSYFqey.exe
  C:\Windows\System32\WSYFqey.exe
  2⤵
  PID:12224
- C:\Windows\System32\ciOsuVD.exe
  C:\Windows\System32\ciOsuVD.exe
  2⤵
  PID:12256
- C:\Windows\System32\bEHcutK.exe
  C:\Windows\System32\bEHcutK.exe
  2⤵
  PID:10708
- C:\Windows\System32\GuBMeWh.exe
  C:\Windows\System32\GuBMeWh.exe
  2⤵
  PID:11344
- C:\Windows\System32\eXYLuek.exe
  C:\Windows\System32\eXYLuek.exe
  2⤵
  PID:11408
- C:\Windows\System32\gOpLKoI.exe
  C:\Windows\System32\gOpLKoI.exe
  2⤵
  PID:11500
- C:\Windows\System32\nJUTjMD.exe
  C:\Windows\System32\nJUTjMD.exe
  2⤵
  PID:11600
- C:\Windows\System32\oycBszc.exe
  C:\Windows\System32\oycBszc.exe
  2⤵
  PID:11716
- C:\Windows\System32\rzYJDpo.exe
  C:\Windows\System32\rzYJDpo.exe
  2⤵
  PID:11804
- C:\Windows\System32\JiFpfPQ.exe
  C:\Windows\System32\JiFpfPQ.exe
  2⤵
  PID:11856
- C:\Windows\System32\PXKGTmw.exe
  C:\Windows\System32\PXKGTmw.exe
  2⤵
  PID:11932
- C:\Windows\System32\yQmwoOT.exe
  C:\Windows\System32\yQmwoOT.exe
  2⤵
  PID:12036
- C:\Windows\System32\tllDZGm.exe
  C:\Windows\System32\tllDZGm.exe
  2⤵
  PID:12076
- C:\Windows\System32\DTVEgSC.exe
  C:\Windows\System32\DTVEgSC.exe
  2⤵
  PID:12120
- C:\Windows\System32\DFhToyL.exe
  C:\Windows\System32\DFhToyL.exe
  2⤵
  PID:12180
- C:\Windows\System32\mtHmKhH.exe
  C:\Windows\System32\mtHmKhH.exe
  2⤵
  PID:12216
- C:\Windows\System32\KYvVfqX.exe
  C:\Windows\System32\KYvVfqX.exe
  2⤵
  PID:11356
- C:\Windows\System32\OOHqlRy.exe
  C:\Windows\System32\OOHqlRy.exe
  2⤵
  PID:11576
- C:\Windows\System32\YnnlVBJ.exe
  C:\Windows\System32\YnnlVBJ.exe
  2⤵
  PID:11684
- C:\Windows\System32\UnoEENY.exe
  C:\Windows\System32\UnoEENY.exe
  2⤵
  PID:11908
- C:\Windows\System32\JEzDaFL.exe
  C:\Windows\System32\JEzDaFL.exe
  2⤵
  PID:1612
- C:\Windows\System32\CePTWuk.exe
  C:\Windows\System32\CePTWuk.exe
  2⤵
  PID:4612
- C:\Windows\System32\oanFbSr.exe
  C:\Windows\System32\oanFbSr.exe
  2⤵
  PID:12100
- C:\Windows\System32\nfecNVc.exe
  C:\Windows\System32\nfecNVc.exe
  2⤵
  PID:12220
- C:\Windows\System32\YyHhOuB.exe
  C:\Windows\System32\YyHhOuB.exe
  2⤵
  PID:11752
- C:\Windows\System32\XRLSWLN.exe
  C:\Windows\System32\XRLSWLN.exe
  2⤵
  PID:2688
- C:\Windows\System32\FZgOhyP.exe
  C:\Windows\System32\FZgOhyP.exe
  2⤵
  PID:12140
- C:\Windows\System32\iaaIyfU.exe
  C:\Windows\System32\iaaIyfU.exe
  2⤵
  PID:12296
- C:\Windows\System32\YMnlyql.exe
  C:\Windows\System32\YMnlyql.exe
  2⤵
  PID:12312
- C:\Windows\System32\jjBlybE.exe
  C:\Windows\System32\jjBlybE.exe
  2⤵
  PID:12336
- C:\Windows\System32\BSlnyaR.exe
  C:\Windows\System32\BSlnyaR.exe
  2⤵
  PID:12380
- C:\Windows\System32\tQgmyLM.exe
  C:\Windows\System32\tQgmyLM.exe
  2⤵
  PID:12400
- C:\Windows\System32\TxBMHRX.exe
  C:\Windows\System32\TxBMHRX.exe
  2⤵
  PID:12420
- C:\Windows\System32\wUSqNVm.exe
  C:\Windows\System32\wUSqNVm.exe
  2⤵
  PID:12468
- C:\Windows\System32\HvkRQJH.exe
  C:\Windows\System32\HvkRQJH.exe
  2⤵
  PID:12488
- C:\Windows\System32\iPswCKV.exe
  C:\Windows\System32\iPswCKV.exe
  2⤵
  PID:12508
- C:\Windows\System32\ptvrKNK.exe
  C:\Windows\System32\ptvrKNK.exe
  2⤵
  PID:12556
- C:\Windows\System32\SBIddcF.exe
  C:\Windows\System32\SBIddcF.exe
  2⤵
  PID:12572
- C:\Windows\System32\HseyLlj.exe
  C:\Windows\System32\HseyLlj.exe
  2⤵
  PID:12600
- C:\Windows\System32\czEorgm.exe
  C:\Windows\System32\czEorgm.exe
  2⤵
  PID:12616
- C:\Windows\System32\PcHSntB.exe
  C:\Windows\System32\PcHSntB.exe
  2⤵
  PID:12636
- C:\Windows\System32\IeXplxr.exe
  C:\Windows\System32\IeXplxr.exe
  2⤵
  PID:12652
- C:\Windows\System32\JPRMBRu.exe
  C:\Windows\System32\JPRMBRu.exe
  2⤵
  PID:12676
- C:\Windows\System32\YNepIbb.exe
  C:\Windows\System32\YNepIbb.exe
  2⤵
  PID:12700
- C:\Windows\System32\qAlwHib.exe
  C:\Windows\System32\qAlwHib.exe
  2⤵
  PID:12736
- C:\Windows\System32\CnrRqbl.exe
  C:\Windows\System32\CnrRqbl.exe
  2⤵
  PID:12804
- C:\Windows\System32\aalLscG.exe
  C:\Windows\System32\aalLscG.exe
  2⤵
  PID:12828
- C:\Windows\System32\QYoFAQP.exe
  C:\Windows\System32\QYoFAQP.exe
  2⤵
  PID:12848
- C:\Windows\System32\njyMDdJ.exe
  C:\Windows\System32\njyMDdJ.exe
  2⤵
  PID:12892
- C:\Windows\System32\oAmVvIL.exe
  C:\Windows\System32\oAmVvIL.exe
  2⤵
  PID:12912
- C:\Windows\System32\sbblRRf.exe
  C:\Windows\System32\sbblRRf.exe
  2⤵
  PID:12944
- C:\Windows\System32\hqhqdzl.exe
  C:\Windows\System32\hqhqdzl.exe
  2⤵
  PID:12968
- C:\Windows\System32\XvMOpwG.exe
  C:\Windows\System32\XvMOpwG.exe
  2⤵
  PID:12992
- C:\Windows\System32\DZXFBSA.exe
  C:\Windows\System32\DZXFBSA.exe
  2⤵
  PID:13036
- C:\Windows\System32\zFEZjOu.exe
  C:\Windows\System32\zFEZjOu.exe
  2⤵
  PID:13052
- C:\Windows\System32\PcztpWh.exe
  C:\Windows\System32\PcztpWh.exe
  2⤵
  PID:13092
- C:\Windows\System32\peEzXLL.exe
  C:\Windows\System32\peEzXLL.exe
  2⤵
  PID:13116
- C:\Windows\System32\TtSbNvH.exe
  C:\Windows\System32\TtSbNvH.exe
  2⤵
  PID:13136
- C:\Windows\System32\nClpHZF.exe
  C:\Windows\System32\nClpHZF.exe
  2⤵
  PID:13160
- C:\Windows\System32\qsaCspL.exe
  C:\Windows\System32\qsaCspL.exe
  2⤵
  PID:13176
- C:\Windows\System32\OzKwBhY.exe
  C:\Windows\System32\OzKwBhY.exe
  2⤵
  PID:13200
- C:\Windows\System32\nKQZBTH.exe
  C:\Windows\System32\nKQZBTH.exe
  2⤵
  PID:13236
- C:\Windows\System32\EBFjKrU.exe
  C:\Windows\System32\EBFjKrU.exe
  2⤵
  PID:13268
- C:\Windows\System32\MuUpRsJ.exe
  C:\Windows\System32\MuUpRsJ.exe
  2⤵
  PID:11648
- C:\Windows\System32\ZLflDCs.exe
  C:\Windows\System32\ZLflDCs.exe
  2⤵
  PID:11996
- C:\Windows\System32\WCURTTN.exe
  C:\Windows\System32\WCURTTN.exe
  2⤵
  PID:12360
- C:\Windows\System32\WAMGxab.exe
  C:\Windows\System32\WAMGxab.exe
  2⤵
  PID:12448
- C:\Windows\System32\zSCikkN.exe
  C:\Windows\System32\zSCikkN.exe
  2⤵
  PID:12496
- C:\Windows\System32\oTRDeTd.exe
  C:\Windows\System32\oTRDeTd.exe
  2⤵
  PID:12524
- C:\Windows\System32\wbCgFQl.exe
  C:\Windows\System32\wbCgFQl.exe
  2⤵
  PID:12632
- C:\Windows\System32\XsYAlFt.exe
  C:\Windows\System32\XsYAlFt.exe
  2⤵
  PID:12692
- C:\Windows\System32\wIxujgx.exe
  C:\Windows\System32\wIxujgx.exe
  2⤵
  PID:12784
- C:\Windows\System32\QRysUqf.exe
  C:\Windows\System32\QRysUqf.exe
  2⤵
  PID:12812
- C:\Windows\System32\eSADwhW.exe
  C:\Windows\System32\eSADwhW.exe
  2⤵
  PID:12884
- C:\Windows\System32\jNoXIlk.exe
  C:\Windows\System32\jNoXIlk.exe
  2⤵
  PID:13004
- C:\Windows\System32\prBWwpX.exe
  C:\Windows\System32\prBWwpX.exe
  2⤵
  PID:13044
- C:\Windows\System32\jeHTRHO.exe
  C:\Windows\System32\jeHTRHO.exe
  2⤵
  PID:13132
- C:\Windows\System32\zeBAPTh.exe
  C:\Windows\System32\zeBAPTh.exe
  2⤵
  PID:13144
- C:\Windows\System32\DJCsuTY.exe
  C:\Windows\System32\DJCsuTY.exe
  2⤵
  PID:13172
- C:\Windows\System32\mYzWHep.exe
  C:\Windows\System32\mYzWHep.exe
  2⤵
  PID:13248

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ClyCcVe.exe

Filesize
1.4MB

MD5
c20bc83de34ec48fe9daf9eab671083b

SHA1
b8a2ab051cafba3943f870d77748ac8946336383

SHA256
a13ce80cdba377a282b366b29560133fb219550667198ad48a778450191a07d5

SHA512
f585fbbebd36244ec0861207c8080ab9ef8fa9eb880b6ba1dfb58b9a625b2ed9663d2e111a46448f26765b0f50caf7f47dc1fc0bf6b30ee9b0ac011d011d4692

Download Submit
C:\Windows\System32\CyEwETh.exe

Filesize
1.4MB

MD5
2ab057cf17167f4e763c8e23aa233841

SHA1
3f5ae9a5e754148ff19836d8d8bf52b505113ff0

SHA256
4ea7edf10d463bad9e753341447c21f1c619f53a89eafb06e84b5d7aa6a74781

SHA512
a9f860f1dab9fb52a8e389a6a21b6c432d8e8e7f3791673480900afb67cadfb63ad482be7bd8ca0b1e7fea9e39fe6d0f7d8f21b757ab6550e7efe6ec6db4c130

Download Submit
C:\Windows\System32\GLGEwMh.exe

Filesize
1.4MB

MD5
94f8e0c730e6e9781f28b4ed17b86266

SHA1
b8a1da631cd0fc1da0cf44c8df1513a702fb51df

SHA256
67ca77b2b6d19dca5b2a90366f8daeb0e379f4713383237c08749e0c4b47310d

SHA512
eaaf2a282c9746b278c34cf3d2af3db9e61767b37b875b951a65c89d76e4ed1047b8cd12ee44f6c8c834c1905a90aa346507238e8587bb58a9cc16b1d58c90f3

Download Submit
C:\Windows\System32\GLjQYor.exe

Filesize
1.4MB

MD5
64ac1e2946a2690941182c1cd242cfd7

SHA1
cbdac82e4b0720018af9fe78ef845680ab4e830e

SHA256
ce0cadb8b567213ed7a0fcdc6666b77838cefdbe521bce049e379338866f7533

SHA512
32f39e79f71686e9287206b71f777dfa96c6196a38dd93c7eea5208215cbd239eaf8677d89ccc9c1d2e3605f7a48aa215f868a177db21f2f518e0a495b9d500c

Download Submit
C:\Windows\System32\GOTituI.exe

Filesize
1.4MB

MD5
3637e0f5db893d3a0ffb5e73441d9432

SHA1
05acf28f0ca63a8304536beac2c834545da5877a

SHA256
e001ed7b1484a1e10772f67d0444f9173cbaa81ed65dd3212a04ac7d418f4c39

SHA512
58ab180c52583dd0fc4606e24b4782d6ccaec4f1c4047de3114edfbfececa389a0240bb03642f67f7e430316f5d4ece01af046ec279e84634fe8296c75a48c78

Download Submit
C:\Windows\System32\GZNCOkb.exe

Filesize
1.4MB

MD5
58033ca5798a15b8c6523f80c52cbe6c

SHA1
64723e32daee461bd8262ee6a5d1398efe9e53a8

SHA256
f808ef1ec1cacd7eb313f67ed15867e99ed83ea53282ab4bda37d871b55c25cf

SHA512
bb9377d1c554f4e65793459ff59b0130aa1662d71a9ae964050b8c711770aa16020e2fc307b164970443c674e64497983b1ea2accce3aaa84635926a498d69cf

Download Submit
C:\Windows\System32\GbbVzNC.exe

Filesize
1.4MB

MD5
0a6fc90ea0d2036ca834323ca4470ce4

SHA1
d8508bd7a5293f4301103fe78862b2be479ab993

SHA256
f7a0adde6c56e16fdd3b72a647837661f50b799ac482ac4cb1b7f91a0a564e72

SHA512
cd8a9e3ad8af49a8208c50a57246f9dbf2c897a22430ecd33fb22423d5d513ae713c69188fb9fccb3da16cd5c89380bc617d9cffa51e60ecd99b40c61d9d9006

Download Submit
C:\Windows\System32\Iqcdxer.exe

Filesize
1.4MB

MD5
fbb0927181c4d2a1d852ab12b340b842

SHA1
4784f8d423765f9b544c27caf24e68f5b74a8716

SHA256
1c3634bff5a67ebd219dbd29f4d3b0a81f31ead1a246240f6b240efc91170259

SHA512
676edd0572a39fea9146e4d7609f7a0f7d53615f4dd15e9cd5f8a194b74dc064468c2feac9198f04566566950aaa1357549866673277737b57671fe41f61638f

Download Submit
C:\Windows\System32\IwoHVVO.exe

Filesize
1.4MB

MD5
dde280fccd25db96d49142f74dc8d6c6

SHA1
542e2702cbe7857dc9296685913b432f0a8321e4

SHA256
5c4aa6b7fb8af13ddfce4b1222d11458e1f2b65886d4e6e201c33e4356fb7ea2

SHA512
c6931c161d4e2c0f23b702ef15fc42c2eae5a2bb8b7221923af2a11846572f70122a1c89c91eeaf9ca828d680783b08f391c299ff88945e4b01b61ee6fb98d5a

Download Submit
C:\Windows\System32\JBmTVbh.exe

Filesize
1.4MB

MD5
0e122f4301827f2cf2840dd122cab099

SHA1
a5ebd439f0984ba71d3a06fbf074245d5c88075e

SHA256
e11b313fc488cd575a63f62dee03b7b2bf09b66c65d438fc32ffaa49346b1d6f

SHA512
73379405e13df09230fd4e8733ff971e1fc270d915ebc4791e2e6ca9791eca5f2ff6384901e1908de60d8240e9a38ac6b2b57c9a859f56181a9a5e68a3361d55

Download Submit
C:\Windows\System32\JsEwhAR.exe

Filesize
1.4MB

MD5
ffdf490b665bb34ad1606a8372df1ae0

SHA1
bf43d51193259daa53dae995d18e07ca0e2b7eaf

SHA256
06b1f24639f975a5675304dd2555f8dfb636f82842bec850a34d88dee24e583d

SHA512
05123337b2172f87bd7aa6cb88f51c191cac890fe7b8bf0b8bad4ed563614124bdffdf2930465a5957a64ca2d0fc385f1aa7dd5945d0de0feb9a5cda5f21deb2

Download Submit
C:\Windows\System32\MJzmdej.exe

Filesize
1.4MB

MD5
e41ff1cbc8f47d24fb7ff79af01d2a79

SHA1
6076eafd6290fdd7e4d60b5b099d3d33a3e0f328

SHA256
7be68dac18cbb289425327640275c813e6c65506933b02a085f600fbd1832ca6

SHA512
e7bfad877073b1d6eae42558098aaecaafb0ed75bf1af33b1381f10f7d0b60a34d68be2f2d8b5ec5007046011200949628174d22472050c9c8c4c228f9fdae3f

Download Submit
C:\Windows\System32\ONJvltJ.exe

Filesize
1.4MB

MD5
f030f4a4e488a966557cadc79bc2c092

SHA1
b742126b6303b56cc565d16e64751cdcbaafae77

SHA256
39b00fb8f992a69419bf9830f64ef8166c83a377635fabbcedf85c6e4bc9e02d

SHA512
f743b0c0f03958088f7cd10100e86f462dac4fcd0095757ba12cf15aafd7d732825d0c1dbda75292ff4a10fd8c6e5f360ba92ffe7e575339bd3d3d605a761cf1

Download Submit
C:\Windows\System32\SOQKdlp.exe

Filesize
1.4MB

MD5
b7303dd595752e340cc7941fc20139a1

SHA1
afac8f312a1d1aaf842e8da7aa9ef6dbc8ea8985

SHA256
c383aa9352b21ca102a61448aa4a5f91b0617cefb7dc8592d931b2136f3f102a

SHA512
75169cd96954dd1111f6040c75f4dd2bbfe497b5b16a88738771bba52757db53fe6b4d227c41a4eb62a657dab7ba75e344d0f49ad115d2eaa0cf394ebf878bfa

Download Submit
C:\Windows\System32\STeUQzC.exe

Filesize
1.4MB

MD5
af298f8c664d54bbf5ef0ebd54ad0790

SHA1
ad799e270d94a40f4b6d11c5689fde0b6f962599

SHA256
4149b0998abc9ae9daba210966d7070bc788cb094f8c11299fb96f315d11fb31

SHA512
fca106962827164d6d116f8c68dd404c9b1a7fbb7b93572edb7e04a4123f02d98072f37469ed86f33badc575c61eba70a0c49d9e7e1a6fdcf242de96ea6c8a7c

Download Submit
C:\Windows\System32\TGBgZqX.exe

Filesize
1.4MB

MD5
c8f635ea01d7cfa171a19278a37ce00d

SHA1
4612db48782ae50c928e8c7b3f2c33174d9f62c9

SHA256
081a57d6041d8000dc44c37dd20381255cd2f8ee744f2c2dae71a37fc5a6474c

SHA512
24e49f34feff8e7b5e14443555fde70a30ad43608a865374e92c6e948f6e36724867ce56379385d0bd2a10a0cb19bac156db00c28e45ce41260c334b1b827208

Download Submit
C:\Windows\System32\UxMlUPI.exe

Filesize
1.4MB

MD5
5de987aed0403fa9ecf857512877fd6a

SHA1
ebf059cd9a9224bf94f1eda528e24acc5b513483

SHA256
76904bfd8a31e40cf522cdcc599edb0605c8bbc41eae6381d224e68d53a3735c

SHA512
611a98c11841779c873cba6a05835209fbf6a34cbfab9d22b9eaf9338cae94aea90d891a7fa2b971121e27c97ff28619f0464a77f82c35c52f1e4865d765e212

Download Submit
C:\Windows\System32\WdQVGNk.exe

Filesize
1.4MB

MD5
5b237fbed74e534b1e8b4f014dcd08fa

SHA1
3c6496e3213d4f11f54ec8b167fdbd815d70ef86

SHA256
8bf1a931fb7dbb25dda724a1dc00cd86955af3b05d543be17f7273d688a63dbc

SHA512
c04fcd76bb3d5b1d7583171a37a44166f2c3246345335647544ffb26e4ac04b3579db276048752390a979cfde658b071a5f0f6ef9db39282b324a380ba51adcf

Download Submit
C:\Windows\System32\XXtifvf.exe

Filesize
1.4MB

MD5
2632a7d6b297a81a67d2d20854e12f6f

SHA1
7b01049f1118838cf15b54c94171204c0336cb21

SHA256
abcb3410e80b759505841cc42f03b8b9db0849d95ce4ed2c4fe56630fb5d1732

SHA512
0b041dbfaff204a51df4ec29fdab9eaf0d881abda2b7d03510629c5c544d3cb868e95be15d5c37cba02482feff429714f475874358fe6faf31588e4c5d61b02c

Download Submit
C:\Windows\System32\ckxBNAi.exe

Filesize
1.4MB

MD5
d957f6393ca27c241c864f6fad7973da

SHA1
2c4b3a7f5813b07443e7b31cc062b376252ca5e6

SHA256
1cb21145154529f199d2195616ff2ef85f736ae199f3f8711b7b11bd877db449

SHA512
11feff53b43a4012467b6d63644ad044cb242fa7e53902b9882ea4e73117a0b9349cdb9f3c56038ce0b079213d9f108c4d30cc0506305333a8df3c5ba04a0c1c

Download Submit
C:\Windows\System32\iuPnJHp.exe

Filesize
1.4MB

MD5
53eedda5c1ce628f52a58023ae379a20

SHA1
3630c7072a2188ab676bb7567c77fb943b78a435

SHA256
52d40d6a2ecc71a32c8143a550542040a14d089f36ec99779d37b0eaa62915dd

SHA512
5b6b61589e5819faeb600e0fc32d0a3aacc5e782630401b9dc710b428b6824281779f0f8d50b8a691b0f09f8e3e59783b110f0e04d760d9db08057463da85296

Download Submit
C:\Windows\System32\lAwlMkF.exe

Filesize
1.4MB

MD5
0cbd7926cdf5dc0f2b8b435ea7985330

SHA1
f503689b7a6954e5c46ee34b9fd47e68f429e068

SHA256
26f9dab97b1f2cbc95668ee30228eeef971bb08f2b1a2d196234ffb4eb911d02

SHA512
5a4cbf4581a6448f0a5ddde50de6def16f560f423853faa8411232877ed8be2e0ddac4f44dcac626ca420dcc067fcfa28325e88d0ac4e58faf16c910c4f06e1a

Download Submit
C:\Windows\System32\lcVsEEh.exe

Filesize
1.4MB

MD5
5980851aed3b1d59a9d7162f4ba09a0e

SHA1
5fd05ddd370cce947f67fb57183304696227e32e

SHA256
dc8975cb9948a9f3fd91371ca262b132d1b756c44ba2d68a863a0f75e70350bf

SHA512
e0d0641d4225c8a9d84912a2b388cb2786f0c9c5644892243192a9b81ca95a07709bc143ee020fbb902c8bd2b3c89ba9c0456dd5fbc79451cd5eae25326ddec4

Download Submit
C:\Windows\System32\mncINfP.exe

Filesize
1.4MB

MD5
8d61c4a21532cee3ed3e8fa550c3145a

SHA1
afb0c0adc72a23bb7a2e74bb798c4ab3e65ba7c0

SHA256
141ef729a9faa97bc9cfb659a6ea7c55f7ade476f116269f342563230ea478ee

SHA512
f7160ce58e16b507a4a5f5009c05227448e0c9f244e496eea8346b4b957975e6e53e0e4528864c508b881c531a607797bd94761d081c33d579a24fb26215fe9e

Download Submit
C:\Windows\System32\nhVRiaO.exe

Filesize
1.4MB

MD5
f1538fa102aafe249a436e1fa3da303d

SHA1
21c271c771c12a7331c7e4741460b49f5c2a5397

SHA256
0e9b8945fafc34d1d766e3d551de07a0c0ecebef50637ce266eb302cd66d33d5

SHA512
b6c7cd3acb6ab7f9757a84434609ecb371080aba4d5fa092abce161485e01c753753b456d529af544c80cf045e5732fa2b2e25dc718ccf333b36706b09930bcb

Download Submit
C:\Windows\System32\raCUSZh.exe

Filesize
1.4MB

MD5
a7b8a67e33513da604dad2a45bfd6d8a

SHA1
72fa4ac99f7a553e931ed8121cec080c2d01865f

SHA256
6811023ed7223aba54f4ba1533403c91d58899d58bd51ebc3db6666c3a7b61c4

SHA512
df2c35f0e8c01d08168aff96c82023ed7e8229339530309c14040cdfdfae9540cf924811f9a75a9f09ff39f5b5bae4a8c3eb7010ffdec9b0ebdc2b0f08a72c8c

Download Submit
C:\Windows\System32\tEtqqDj.exe

Filesize
1.4MB

MD5
5014825b3246897b85a2c475eeed6b49

SHA1
ae08bd8a6d4e77645b8f4b80b13f6448a62cd431

SHA256
3ca55b3e6059694286f1cc98e9daffca40234f9bc0cb2408fb8157736bb953a3

SHA512
a922fc7b507dd2fe88fac20bc23d617f5c6e390ecdd4ffdd67adc5ff9170a118df343bccf90c5c1ba39db0fe627f833d3107204b2752dc0c2f3346b44403f3fc

Download Submit
C:\Windows\System32\wClEauu.exe

Filesize
1.4MB

MD5
29e507a6185133e6a6293b676b4d9edb

SHA1
6d22e2dfc48681c2cbf7ef43f6aaeea99267365d

SHA256
50460476b6856e8fba473181107d33d483c7e4620ffd762a5d25b27f9b310e13

SHA512
7946dd8dbe256a9e5f7fcca92045b223703c5ac02bc2285135934508c227f4bb461c3d4b1ca3e5496d311175edd5afb7a280df5fd3b2cc26070dc985db4d6ed1

Download Submit
C:\Windows\System32\wGHTidW.exe

Filesize
1.4MB

MD5
05df8cf90223a63de202c7ddedb8d6ca

SHA1
bae38a95d9015cac86e48520811437e07df74a39

SHA256
b285022a5cec9d671a7da67b418d6be22c893b9ae702afcbbd7f67cf5b279d9b

SHA512
3659d53aeb5803e20393a64acf4e3d1af6b111270827f5629ce4554ec24e46888676356213f148c8f114fc694e453755c175f4d8d9cac1b2d443756103b69e37

Download Submit
C:\Windows\System32\ycbZlVn.exe

Filesize
1.4MB

MD5
4409c9e71ae7c03a8b050a4eb311d38e

SHA1
ceaffd595e89711474e3c3919c7111bebd5a3465

SHA256
41d2c06e899f08d10ccb662c9ddf76db1630b3f3a206b3cad726092f36a8581d

SHA512
3c86223cd0d8e85c0268ff0f3e81c92bd1d09b42107e41a64ca6ff15666873606f6303c635ebd4cc12d0c3f053a338fceb9e7f2102c70af17ff82b0124463fc2

Download Submit
C:\Windows\System32\yrgXGfh.exe

Filesize
1.4MB

MD5
88f7d6bdc65731f102c9f1773ed5130c

SHA1
7187176b4770391e6dedfd99e8d8e777ec81470f

SHA256
d9f80be9559110187da648939a3be8323f17758c32a7b20a48c4000a8f0cd824

SHA512
60c90c78acae7de35119b316a1906d5d48d7a824e2c47193049bb3665dc195c5daf83d659f7597a455c2937d966b899ea99391836cdc0bc909952d56d8262b2a

Download Submit
C:\Windows\System32\yuRbkrW.exe

Filesize
1.4MB

MD5
b2bfe52c039849947bc5cf3d1b3ff495

SHA1
0d28e7236aba440aa16dbc96cf6d006399cad06f

SHA256
4db5eddcc46977d5f99dbddbcc14aad81651556400876071e0a78acbcaa04bbf

SHA512
16495a0e4d6ef01d3bfc8adf37e35d5c61376c837c80017436fbc5385b24869f546ff189103ee1fdb3300ed33e8f69ae7f6667cf9110964653e15be3aba9a2f4

Download Submit
memory/1016-2030-0x00007FF6E82A0000-0x00007FF6E8691000-memory.dmp

Filesize
3.9MB

Download
memory/1016-376-0x00007FF6E82A0000-0x00007FF6E8691000-memory.dmp

Filesize
3.9MB

Download
memory/1056-2034-0x00007FF6B5270000-0x00007FF6B5661000-memory.dmp

Filesize
3.9MB

Download
memory/1056-327-0x00007FF6B5270000-0x00007FF6B5661000-memory.dmp

Filesize
3.9MB

Download
memory/1088-1985-0x00007FF6BF550000-0x00007FF6BF941000-memory.dmp

Filesize
3.9MB

Download
memory/1088-316-0x00007FF6BF550000-0x00007FF6BF941000-memory.dmp

Filesize
3.9MB

Download
memory/1224-11-0x00007FF7534C0000-0x00007FF7538B1000-memory.dmp

Filesize
3.9MB

Download
memory/1224-1983-0x00007FF7534C0000-0x00007FF7538B1000-memory.dmp

Filesize
3.9MB

Download
memory/1584-1916-0x00007FF6D3710000-0x00007FF6D3B01000-memory.dmp

Filesize
3.9MB

Download
memory/1584-1-0x0000026AC0AC0000-0x0000026AC0AD0000-memory.dmp

Filesize
64KB

Download
memory/1584-0-0x00007FF6D3710000-0x00007FF6D3B01000-memory.dmp

Filesize
3.9MB

Download
memory/1748-2058-0x00007FF65DB90000-0x00007FF65DF81000-memory.dmp

Filesize
3.9MB

Download
memory/1748-364-0x00007FF65DB90000-0x00007FF65DF81000-memory.dmp

Filesize
3.9MB

Download
memory/1788-356-0x00007FF643950000-0x00007FF643D41000-memory.dmp

Filesize
3.9MB

Download
memory/1788-2044-0x00007FF643950000-0x00007FF643D41000-memory.dmp

Filesize
3.9MB

Download
memory/2432-361-0x00007FF77B710000-0x00007FF77BB01000-memory.dmp

Filesize
3.9MB

Download
memory/2432-2050-0x00007FF77B710000-0x00007FF77BB01000-memory.dmp

Filesize
3.9MB

Download
memory/2616-2020-0x00007FF722010000-0x00007FF722401000-memory.dmp

Filesize
3.9MB

Download
memory/2616-326-0x00007FF722010000-0x00007FF722401000-memory.dmp

Filesize
3.9MB

Download
memory/2764-23-0x00007FF7E4590000-0x00007FF7E4981000-memory.dmp

Filesize
3.9MB

Download
memory/2764-2025-0x00007FF7E4590000-0x00007FF7E4981000-memory.dmp

Filesize
3.9MB

Download
memory/2812-357-0x00007FF7372F0000-0x00007FF7376E1000-memory.dmp

Filesize
3.9MB

Download
memory/2812-2038-0x00007FF7372F0000-0x00007FF7376E1000-memory.dmp

Filesize
3.9MB

Download
memory/2932-358-0x00007FF62F3D0000-0x00007FF62F7C1000-memory.dmp

Filesize
3.9MB

Download
memory/2932-2052-0x00007FF62F3D0000-0x00007FF62F7C1000-memory.dmp

Filesize
3.9MB

Download
memory/3152-2036-0x00007FF69F010000-0x00007FF69F401000-memory.dmp

Filesize
3.9MB

Download
memory/3152-351-0x00007FF69F010000-0x00007FF69F401000-memory.dmp

Filesize
3.9MB

Download
memory/3412-363-0x00007FF610280000-0x00007FF610671000-memory.dmp

Filesize
3.9MB

Download
memory/3412-2056-0x00007FF610280000-0x00007FF610671000-memory.dmp

Filesize
3.9MB

Download
memory/3584-2027-0x00007FF63BE70000-0x00007FF63C261000-memory.dmp

Filesize
3.9MB

Download
memory/3584-324-0x00007FF63BE70000-0x00007FF63C261000-memory.dmp

Filesize
3.9MB

Download
memory/3632-359-0x00007FF7E5080000-0x00007FF7E5471000-memory.dmp

Filesize
3.9MB

Download
memory/3632-2046-0x00007FF7E5080000-0x00007FF7E5471000-memory.dmp

Filesize
3.9MB

Download
memory/3844-373-0x00007FF6D9220000-0x00007FF6D9611000-memory.dmp

Filesize
3.9MB

Download
memory/3844-2018-0x00007FF6D9220000-0x00007FF6D9611000-memory.dmp

Filesize
3.9MB

Download
memory/3848-2055-0x00007FF774A70000-0x00007FF774E61000-memory.dmp

Filesize
3.9MB

Download
memory/3848-362-0x00007FF774A70000-0x00007FF774E61000-memory.dmp

Filesize
3.9MB

Download
memory/4028-319-0x00007FF6EF520000-0x00007FF6EF911000-memory.dmp

Filesize
3.9MB

Download
memory/4028-2028-0x00007FF6EF520000-0x00007FF6EF911000-memory.dmp

Filesize
3.9MB

Download
memory/4184-2040-0x00007FF689680000-0x00007FF689A71000-memory.dmp

Filesize
3.9MB

Download
memory/4184-343-0x00007FF689680000-0x00007FF689A71000-memory.dmp

Filesize
3.9MB

Download
memory/4492-2048-0x00007FF67BA30000-0x00007FF67BE21000-memory.dmp

Filesize
3.9MB

Download
memory/4492-360-0x00007FF67BA30000-0x00007FF67BE21000-memory.dmp

Filesize
3.9MB

Download
memory/4680-2042-0x00007FF7D00C0000-0x00007FF7D04B1000-memory.dmp

Filesize
3.9MB

Download
memory/4680-348-0x00007FF7D00C0000-0x00007FF7D04B1000-memory.dmp

Filesize
3.9MB

Download
memory/4740-2026-0x00007FF6A3720000-0x00007FF6A3B11000-memory.dmp

Filesize
3.9MB

Download
memory/4740-322-0x00007FF6A3720000-0x00007FF6A3B11000-memory.dmp

Filesize
3.9MB

Download
memory/4776-2067-0x00007FF754CA0000-0x00007FF755091000-memory.dmp

Filesize
3.9MB

Download
memory/4776-369-0x00007FF754CA0000-0x00007FF755091000-memory.dmp

Filesize
3.9MB

Download
memory/5076-2032-0x00007FF631530000-0x00007FF631921000-memory.dmp

Filesize
3.9MB

Download
memory/5076-332-0x00007FF631530000-0x00007FF631921000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads