xmrig | f4ff8537a0c360fde1c62a058211f10a3ad028ed436d3db65843d03586d69d56

Analysis

max time kernel
101s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d64d7f842ee072375fa89d2541653700N.exe
Size

943KB
MD5

d64d7f842ee072375fa89d2541653700
SHA1

4f7c2bfe5a76d96451668f49396aae7a21255b0f
SHA256

f4ff8537a0c360fde1c62a058211f10a3ad028ed436d3db65843d03586d69d56
SHA512

864f6211e02fac923969ff9d3f5673ac346a2379181f143f06bb838921d6b7c58831491812d4843ea914fbcaafa3707109cae17cdc3fb55813cab6fa59d2888e
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlOqzJO0Rb8g+/97eQCCxR:knw9oUUEEDlOuJ/6b

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/924-47-0x00007FF7F55B0000-0x00007FF7F59A1000-memory.dmp	xmrig
behavioral2/memory/4736-43-0x00007FF73D9C0000-0x00007FF73DDB1000-memory.dmp	xmrig
behavioral2/memory/2904-27-0x00007FF610220000-0x00007FF610611000-memory.dmp	xmrig
behavioral2/memory/4612-306-0x00007FF6453A0000-0x00007FF645791000-memory.dmp	xmrig
behavioral2/memory/3652-92-0x00007FF68B4F0000-0x00007FF68B8E1000-memory.dmp	xmrig
behavioral2/memory/1268-76-0x00007FF669E30000-0x00007FF66A221000-memory.dmp	xmrig
behavioral2/memory/2968-308-0x00007FF7F6100000-0x00007FF7F64F1000-memory.dmp	xmrig
behavioral2/memory/2824-307-0x00007FF60CF90000-0x00007FF60D381000-memory.dmp	xmrig
behavioral2/memory/3148-309-0x00007FF6E0B20000-0x00007FF6E0F11000-memory.dmp	xmrig
behavioral2/memory/4728-310-0x00007FF71F510000-0x00007FF71F901000-memory.dmp	xmrig
behavioral2/memory/4512-311-0x00007FF788380000-0x00007FF788771000-memory.dmp	xmrig
behavioral2/memory/3896-312-0x00007FF7F5AA0000-0x00007FF7F5E91000-memory.dmp	xmrig
behavioral2/memory/2856-313-0x00007FF7F6E40000-0x00007FF7F7231000-memory.dmp	xmrig
behavioral2/memory/2760-319-0x00007FF765B30000-0x00007FF765F21000-memory.dmp	xmrig
behavioral2/memory/3948-324-0x00007FF6E3790000-0x00007FF6E3B81000-memory.dmp	xmrig
behavioral2/memory/2560-329-0x00007FF6C1D00000-0x00007FF6C20F1000-memory.dmp	xmrig
behavioral2/memory/3416-320-0x00007FF69B420000-0x00007FF69B811000-memory.dmp	xmrig
behavioral2/memory/4792-975-0x00007FF6C3F80000-0x00007FF6C4371000-memory.dmp	xmrig
behavioral2/memory/4628-1447-0x00007FF708D30000-0x00007FF709121000-memory.dmp	xmrig
behavioral2/memory/4724-1952-0x00007FF61A1F0000-0x00007FF61A5E1000-memory.dmp	xmrig
behavioral2/memory/1008-1953-0x00007FF6E7200000-0x00007FF6E75F1000-memory.dmp	xmrig
behavioral2/memory/4736-1954-0x00007FF73D9C0000-0x00007FF73DDB1000-memory.dmp	xmrig
behavioral2/memory/1612-1987-0x00007FF69CA50000-0x00007FF69CE41000-memory.dmp	xmrig
behavioral2/memory/1084-1988-0x00007FF74CF80000-0x00007FF74D371000-memory.dmp	xmrig
behavioral2/memory/2580-1989-0x00007FF6164C0000-0x00007FF6168B1000-memory.dmp	xmrig
behavioral2/memory/4792-1991-0x00007FF6C3F80000-0x00007FF6C4371000-memory.dmp	xmrig
behavioral2/memory/4628-1998-0x00007FF708D30000-0x00007FF709121000-memory.dmp	xmrig
behavioral2/memory/3776-2000-0x00007FF7F3ED0000-0x00007FF7F42C1000-memory.dmp	xmrig
behavioral2/memory/4724-2002-0x00007FF61A1F0000-0x00007FF61A5E1000-memory.dmp	xmrig
behavioral2/memory/2904-2004-0x00007FF610220000-0x00007FF610611000-memory.dmp	xmrig
behavioral2/memory/1008-2007-0x00007FF6E7200000-0x00007FF6E75F1000-memory.dmp	xmrig
behavioral2/memory/924-2008-0x00007FF7F55B0000-0x00007FF7F59A1000-memory.dmp	xmrig
behavioral2/memory/4736-2010-0x00007FF73D9C0000-0x00007FF73DDB1000-memory.dmp	xmrig
behavioral2/memory/1612-2012-0x00007FF69CA50000-0x00007FF69CE41000-memory.dmp	xmrig
behavioral2/memory/1268-2040-0x00007FF669E30000-0x00007FF66A221000-memory.dmp	xmrig
behavioral2/memory/1084-2044-0x00007FF74CF80000-0x00007FF74D371000-memory.dmp	xmrig
behavioral2/memory/2580-2048-0x00007FF6164C0000-0x00007FF6168B1000-memory.dmp	xmrig
behavioral2/memory/4612-2052-0x00007FF6453A0000-0x00007FF645791000-memory.dmp	xmrig
behavioral2/memory/3416-2050-0x00007FF69B420000-0x00007FF69B811000-memory.dmp	xmrig
behavioral2/memory/3652-2042-0x00007FF68B4F0000-0x00007FF68B8E1000-memory.dmp	xmrig
behavioral2/memory/2760-2046-0x00007FF765B30000-0x00007FF765F21000-memory.dmp	xmrig
behavioral2/memory/4728-2072-0x00007FF71F510000-0x00007FF71F901000-memory.dmp	xmrig
behavioral2/memory/3948-2058-0x00007FF6E3790000-0x00007FF6E3B81000-memory.dmp	xmrig
behavioral2/memory/2968-2056-0x00007FF7F6100000-0x00007FF7F64F1000-memory.dmp	xmrig
behavioral2/memory/2856-2070-0x00007FF7F6E40000-0x00007FF7F7231000-memory.dmp	xmrig
behavioral2/memory/4512-2067-0x00007FF788380000-0x00007FF788771000-memory.dmp	xmrig
behavioral2/memory/3896-2064-0x00007FF7F5AA0000-0x00007FF7F5E91000-memory.dmp	xmrig
behavioral2/memory/2560-2062-0x00007FF6C1D00000-0x00007FF6C20F1000-memory.dmp	xmrig
behavioral2/memory/3148-2060-0x00007FF6E0B20000-0x00007FF6E0F11000-memory.dmp	xmrig
behavioral2/memory/2824-2054-0x00007FF60CF90000-0x00007FF60D381000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4628	AzbHlyl.exe
3776	Rihdqpj.exe
4724	JBFHBMy.exe
2904	mMbMuse.exe
1008	mraGcZb.exe
924	WWZyDaz.exe
4736	bTmwHRl.exe
1612	eQwviVo.exe
1268	kFSMDGH.exe
2760	irjkrpp.exe
1084	YGCQJkc.exe
2580	aINSDXB.exe
3652	QLfwapf.exe
4612	ixYIeyy.exe
3416	VfrbNsq.exe
2824	IjoIzlL.exe
3948	STEgZzH.exe
2560	yDFVARW.exe
2968	HzQePwE.exe
3148	IjuMlGf.exe
4728	veagCOT.exe
4512	VJpCqft.exe
3896	OuiEAde.exe
2856	RLAJQDI.exe
5064	gmiUECB.exe
4356	AzTUpPl.exe
2044	sZnbyaR.exe
4704	ixMPkeR.exe
3980	qjqLLdN.exe
2668	EKUXtyh.exe
2864	lBHQeIT.exe
3912	ZkfvEaO.exe
2276	anWGNxS.exe
3920	MZiCURr.exe
5096	VFXwNGQ.exe
4080	TORmAnQ.exe
4856	trbscZa.exe
4924	hAOmMLi.exe
1676	EILoQNL.exe
2460	eDLbhsx.exe
4700	AROiiTv.exe
4120	cUPHWUv.exe
2232	pLEmIoe.exe
4324	wJaGSzb.exe
4340	kUMlIBb.exe
664	feloBZd.exe
3108	mLktTlB.exe
4916	CQQeHYo.exe
744	eDOWszi.exe
2896	ILIKpzj.exe
60	uVeMswx.exe
4624	gCglzeF.exe
1452	JENbmPH.exe
4112	JnusiQD.exe
1576	UFqskof.exe
4416	UmayLYm.exe
556	IHUZjwy.exe
1972	WRUUViA.exe
2732	anLFsbj.exe
1320	nfqYBYQ.exe
4480	fddWebv.exe
728	FLGgjJL.exe
792	nDnHmUp.exe
4428	hbRmQGQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4792-0-0x00007FF6C3F80000-0x00007FF6C4371000-memory.dmp	upx
behavioral2/files/0x00080000000234d2-4.dat	upx
behavioral2/memory/4628-7-0x00007FF708D30000-0x00007FF709121000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-11.dat	upx
behavioral2/files/0x00070000000234d7-10.dat	upx
behavioral2/memory/3776-14-0x00007FF7F3ED0000-0x00007FF7F42C1000-memory.dmp	upx
behavioral2/memory/4724-20-0x00007FF61A1F0000-0x00007FF61A5E1000-memory.dmp	upx
behavioral2/files/0x00070000000234d8-23.dat	upx
behavioral2/files/0x00080000000234d3-32.dat	upx
behavioral2/files/0x00070000000234da-33.dat	upx
behavioral2/files/0x00070000000234dc-46.dat	upx
behavioral2/memory/924-47-0x00007FF7F55B0000-0x00007FF7F59A1000-memory.dmp	upx
behavioral2/memory/1612-48-0x00007FF69CA50000-0x00007FF69CE41000-memory.dmp	upx
behavioral2/files/0x00070000000234db-40.dat	upx
behavioral2/memory/4736-43-0x00007FF73D9C0000-0x00007FF73DDB1000-memory.dmp	upx
behavioral2/memory/1008-34-0x00007FF6E7200000-0x00007FF6E75F1000-memory.dmp	upx
behavioral2/memory/2904-27-0x00007FF610220000-0x00007FF610611000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-55.dat	upx
behavioral2/files/0x00070000000234df-78.dat	upx
behavioral2/files/0x00070000000234e1-79.dat	upx
behavioral2/memory/1084-84-0x00007FF74CF80000-0x00007FF74D371000-memory.dmp	upx
behavioral2/memory/2580-90-0x00007FF6164C0000-0x00007FF6168B1000-memory.dmp	upx
behavioral2/files/0x00070000000234e4-95.dat	upx
behavioral2/files/0x00070000000234e5-98.dat	upx
behavioral2/files/0x00070000000234ea-123.dat	upx
behavioral2/files/0x00070000000234ed-138.dat	upx
behavioral2/files/0x00070000000234f0-149.dat	upx
behavioral2/files/0x00070000000234f4-173.dat	upx
behavioral2/memory/4612-306-0x00007FF6453A0000-0x00007FF645791000-memory.dmp	upx
behavioral2/files/0x00070000000234f3-168.dat	upx
behavioral2/files/0x00070000000234f2-163.dat	upx
behavioral2/files/0x00070000000234f1-158.dat	upx
behavioral2/files/0x00070000000234ef-151.dat	upx
behavioral2/files/0x00070000000234ee-146.dat	upx
behavioral2/files/0x00070000000234ec-133.dat	upx
behavioral2/files/0x00070000000234eb-128.dat	upx
behavioral2/files/0x00070000000234e9-118.dat	upx
behavioral2/files/0x00070000000234e8-116.dat	upx
behavioral2/files/0x00070000000234e7-111.dat	upx
behavioral2/files/0x00070000000234e6-103.dat	upx
behavioral2/memory/3652-92-0x00007FF68B4F0000-0x00007FF68B8E1000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-89.dat	upx
behavioral2/files/0x00070000000234e0-86.dat	upx
behavioral2/memory/1268-76-0x00007FF669E30000-0x00007FF66A221000-memory.dmp	upx
behavioral2/files/0x00070000000234de-74.dat	upx
behavioral2/files/0x00070000000234e2-73.dat	upx
behavioral2/memory/2968-308-0x00007FF7F6100000-0x00007FF7F64F1000-memory.dmp	upx
behavioral2/memory/2824-307-0x00007FF60CF90000-0x00007FF60D381000-memory.dmp	upx
behavioral2/memory/3148-309-0x00007FF6E0B20000-0x00007FF6E0F11000-memory.dmp	upx
behavioral2/memory/4728-310-0x00007FF71F510000-0x00007FF71F901000-memory.dmp	upx
behavioral2/memory/4512-311-0x00007FF788380000-0x00007FF788771000-memory.dmp	upx
behavioral2/memory/3896-312-0x00007FF7F5AA0000-0x00007FF7F5E91000-memory.dmp	upx
behavioral2/memory/2856-313-0x00007FF7F6E40000-0x00007FF7F7231000-memory.dmp	upx
behavioral2/memory/2760-319-0x00007FF765B30000-0x00007FF765F21000-memory.dmp	upx
behavioral2/memory/3948-324-0x00007FF6E3790000-0x00007FF6E3B81000-memory.dmp	upx
behavioral2/memory/2560-329-0x00007FF6C1D00000-0x00007FF6C20F1000-memory.dmp	upx
behavioral2/memory/3416-320-0x00007FF69B420000-0x00007FF69B811000-memory.dmp	upx
behavioral2/memory/4792-975-0x00007FF6C3F80000-0x00007FF6C4371000-memory.dmp	upx
behavioral2/memory/4628-1447-0x00007FF708D30000-0x00007FF709121000-memory.dmp	upx
behavioral2/memory/4724-1952-0x00007FF61A1F0000-0x00007FF61A5E1000-memory.dmp	upx
behavioral2/memory/1008-1953-0x00007FF6E7200000-0x00007FF6E75F1000-memory.dmp	upx
behavioral2/memory/4736-1954-0x00007FF73D9C0000-0x00007FF73DDB1000-memory.dmp	upx
behavioral2/memory/1612-1987-0x00007FF69CA50000-0x00007FF69CE41000-memory.dmp	upx
behavioral2/memory/1084-1988-0x00007FF74CF80000-0x00007FF74D371000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\GZHxuYG.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\YDnDtcC.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\Wqaitqq.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\bqkmDzv.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\RByikXM.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\yvMrRap.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\ZkfvEaO.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\AtDMqKR.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\rurQsKh.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\vovDWXd.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\GvpCsNx.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\bzyfJKZ.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\ysDQNOQ.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\UmayLYm.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\bVNSiGP.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\yrbiRyp.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\AwdrqmM.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\tIIVFMP.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\nfqYBYQ.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\dXNeRMB.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\mvHJNlX.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\XtRUpbn.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\witvutp.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\nlGIVnH.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\WUoTyGJ.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\CNmwYdr.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\SzWonlg.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\mpEXaPo.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\aINSDXB.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\lrtwgQr.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\nikQCPO.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\XcmVTdL.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\dWuFixP.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\PseBABw.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\ciAskqD.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\HfdKKaB.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\BrvvtOy.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\zgmBlBU.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\YvncdDH.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\mutqfVd.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\rctwEvb.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\dRSYZXL.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\LZDNjlp.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\jwBzElq.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\jzGxwUm.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\UvuCQWZ.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\esWPeeg.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\kkZqHDo.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\PeqAgLY.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\jrWppKY.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\pAbrSkp.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\WwQoCHG.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\VvjhgYc.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\KeNlufp.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\cUPHWUv.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\iUXTfdV.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\QpWZhww.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\IGJEOKG.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\yEYaKoV.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\SxsSVkS.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\TNTPEip.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\zzlrlgU.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\CReeaaO.exe	d64d7f842ee072375fa89d2541653700N.exe
File created	C:\Windows\System32\XnCHfgd.exe	d64d7f842ee072375fa89d2541653700N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13656	dwm.exe
Token: SeChangeNotifyPrivilege	13656	dwm.exe
Token: 33	13656	dwm.exe
Token: SeIncBasePriorityPrivilege	13656	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 4628	4792	d64d7f842ee072375fa89d2541653700N.exe	84
PID 4792 wrote to memory of 4628	4792	d64d7f842ee072375fa89d2541653700N.exe	84
PID 4792 wrote to memory of 3776	4792	d64d7f842ee072375fa89d2541653700N.exe	85
PID 4792 wrote to memory of 3776	4792	d64d7f842ee072375fa89d2541653700N.exe	85
PID 4792 wrote to memory of 4724	4792	d64d7f842ee072375fa89d2541653700N.exe	86
PID 4792 wrote to memory of 4724	4792	d64d7f842ee072375fa89d2541653700N.exe	86
PID 4792 wrote to memory of 2904	4792	d64d7f842ee072375fa89d2541653700N.exe	88
PID 4792 wrote to memory of 2904	4792	d64d7f842ee072375fa89d2541653700N.exe	88
PID 4792 wrote to memory of 1008	4792	d64d7f842ee072375fa89d2541653700N.exe	89
PID 4792 wrote to memory of 1008	4792	d64d7f842ee072375fa89d2541653700N.exe	89
PID 4792 wrote to memory of 924	4792	d64d7f842ee072375fa89d2541653700N.exe	90
PID 4792 wrote to memory of 924	4792	d64d7f842ee072375fa89d2541653700N.exe	90
PID 4792 wrote to memory of 4736	4792	d64d7f842ee072375fa89d2541653700N.exe	91
PID 4792 wrote to memory of 4736	4792	d64d7f842ee072375fa89d2541653700N.exe	91
PID 4792 wrote to memory of 1612	4792	d64d7f842ee072375fa89d2541653700N.exe	92
PID 4792 wrote to memory of 1612	4792	d64d7f842ee072375fa89d2541653700N.exe	92
PID 4792 wrote to memory of 1268	4792	d64d7f842ee072375fa89d2541653700N.exe	93
PID 4792 wrote to memory of 1268	4792	d64d7f842ee072375fa89d2541653700N.exe	93
PID 4792 wrote to memory of 2760	4792	d64d7f842ee072375fa89d2541653700N.exe	96
PID 4792 wrote to memory of 2760	4792	d64d7f842ee072375fa89d2541653700N.exe	96
PID 4792 wrote to memory of 1084	4792	d64d7f842ee072375fa89d2541653700N.exe	97
PID 4792 wrote to memory of 1084	4792	d64d7f842ee072375fa89d2541653700N.exe	97
PID 4792 wrote to memory of 2580	4792	d64d7f842ee072375fa89d2541653700N.exe	98
PID 4792 wrote to memory of 2580	4792	d64d7f842ee072375fa89d2541653700N.exe	98
PID 4792 wrote to memory of 3416	4792	d64d7f842ee072375fa89d2541653700N.exe	99
PID 4792 wrote to memory of 3416	4792	d64d7f842ee072375fa89d2541653700N.exe	99
PID 4792 wrote to memory of 3652	4792	d64d7f842ee072375fa89d2541653700N.exe	100
PID 4792 wrote to memory of 3652	4792	d64d7f842ee072375fa89d2541653700N.exe	100
PID 4792 wrote to memory of 4612	4792	d64d7f842ee072375fa89d2541653700N.exe	101
PID 4792 wrote to memory of 4612	4792	d64d7f842ee072375fa89d2541653700N.exe	101
PID 4792 wrote to memory of 2824	4792	d64d7f842ee072375fa89d2541653700N.exe	102
PID 4792 wrote to memory of 2824	4792	d64d7f842ee072375fa89d2541653700N.exe	102
PID 4792 wrote to memory of 3948	4792	d64d7f842ee072375fa89d2541653700N.exe	103
PID 4792 wrote to memory of 3948	4792	d64d7f842ee072375fa89d2541653700N.exe	103
PID 4792 wrote to memory of 2560	4792	d64d7f842ee072375fa89d2541653700N.exe	104
PID 4792 wrote to memory of 2560	4792	d64d7f842ee072375fa89d2541653700N.exe	104
PID 4792 wrote to memory of 2968	4792	d64d7f842ee072375fa89d2541653700N.exe	105
PID 4792 wrote to memory of 2968	4792	d64d7f842ee072375fa89d2541653700N.exe	105
PID 4792 wrote to memory of 3148	4792	d64d7f842ee072375fa89d2541653700N.exe	106
PID 4792 wrote to memory of 3148	4792	d64d7f842ee072375fa89d2541653700N.exe	106
PID 4792 wrote to memory of 4728	4792	d64d7f842ee072375fa89d2541653700N.exe	107
PID 4792 wrote to memory of 4728	4792	d64d7f842ee072375fa89d2541653700N.exe	107
PID 4792 wrote to memory of 4512	4792	d64d7f842ee072375fa89d2541653700N.exe	108
PID 4792 wrote to memory of 4512	4792	d64d7f842ee072375fa89d2541653700N.exe	108
PID 4792 wrote to memory of 3896	4792	d64d7f842ee072375fa89d2541653700N.exe	109
PID 4792 wrote to memory of 3896	4792	d64d7f842ee072375fa89d2541653700N.exe	109
PID 4792 wrote to memory of 2856	4792	d64d7f842ee072375fa89d2541653700N.exe	110
PID 4792 wrote to memory of 2856	4792	d64d7f842ee072375fa89d2541653700N.exe	110
PID 4792 wrote to memory of 5064	4792	d64d7f842ee072375fa89d2541653700N.exe	111
PID 4792 wrote to memory of 5064	4792	d64d7f842ee072375fa89d2541653700N.exe	111
PID 4792 wrote to memory of 4356	4792	d64d7f842ee072375fa89d2541653700N.exe	112
PID 4792 wrote to memory of 4356	4792	d64d7f842ee072375fa89d2541653700N.exe	112
PID 4792 wrote to memory of 2044	4792	d64d7f842ee072375fa89d2541653700N.exe	113
PID 4792 wrote to memory of 2044	4792	d64d7f842ee072375fa89d2541653700N.exe	113
PID 4792 wrote to memory of 4704	4792	d64d7f842ee072375fa89d2541653700N.exe	114
PID 4792 wrote to memory of 4704	4792	d64d7f842ee072375fa89d2541653700N.exe	114
PID 4792 wrote to memory of 3980	4792	d64d7f842ee072375fa89d2541653700N.exe	115
PID 4792 wrote to memory of 3980	4792	d64d7f842ee072375fa89d2541653700N.exe	115
PID 4792 wrote to memory of 2668	4792	d64d7f842ee072375fa89d2541653700N.exe	116
PID 4792 wrote to memory of 2668	4792	d64d7f842ee072375fa89d2541653700N.exe	116
PID 4792 wrote to memory of 2864	4792	d64d7f842ee072375fa89d2541653700N.exe	117
PID 4792 wrote to memory of 2864	4792	d64d7f842ee072375fa89d2541653700N.exe	117
PID 4792 wrote to memory of 3912	4792	d64d7f842ee072375fa89d2541653700N.exe	118
PID 4792 wrote to memory of 3912	4792	d64d7f842ee072375fa89d2541653700N.exe	118

C:\Users\Admin\AppData\Local\Temp\d64d7f842ee072375fa89d2541653700N.exe
"C:\Users\Admin\AppData\Local\Temp\d64d7f842ee072375fa89d2541653700N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\System32\AzbHlyl.exe
  C:\Windows\System32\AzbHlyl.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\Rihdqpj.exe
  C:\Windows\System32\Rihdqpj.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\JBFHBMy.exe
  C:\Windows\System32\JBFHBMy.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\mMbMuse.exe
  C:\Windows\System32\mMbMuse.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\mraGcZb.exe
  C:\Windows\System32\mraGcZb.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System32\WWZyDaz.exe
  C:\Windows\System32\WWZyDaz.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System32\bTmwHRl.exe
  C:\Windows\System32\bTmwHRl.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System32\eQwviVo.exe
  C:\Windows\System32\eQwviVo.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System32\kFSMDGH.exe
  C:\Windows\System32\kFSMDGH.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System32\irjkrpp.exe
  C:\Windows\System32\irjkrpp.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System32\YGCQJkc.exe
  C:\Windows\System32\YGCQJkc.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System32\aINSDXB.exe
  C:\Windows\System32\aINSDXB.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System32\VfrbNsq.exe
  C:\Windows\System32\VfrbNsq.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System32\QLfwapf.exe
  C:\Windows\System32\QLfwapf.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\ixYIeyy.exe
  C:\Windows\System32\ixYIeyy.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\IjoIzlL.exe
  C:\Windows\System32\IjoIzlL.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System32\STEgZzH.exe
  C:\Windows\System32\STEgZzH.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System32\yDFVARW.exe
  C:\Windows\System32\yDFVARW.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System32\HzQePwE.exe
  C:\Windows\System32\HzQePwE.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System32\IjuMlGf.exe
  C:\Windows\System32\IjuMlGf.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System32\veagCOT.exe
  C:\Windows\System32\veagCOT.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\VJpCqft.exe
  C:\Windows\System32\VJpCqft.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\OuiEAde.exe
  C:\Windows\System32\OuiEAde.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System32\RLAJQDI.exe
  C:\Windows\System32\RLAJQDI.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System32\gmiUECB.exe
  C:\Windows\System32\gmiUECB.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\AzTUpPl.exe
  C:\Windows\System32\AzTUpPl.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\sZnbyaR.exe
  C:\Windows\System32\sZnbyaR.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System32\ixMPkeR.exe
  C:\Windows\System32\ixMPkeR.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System32\qjqLLdN.exe
  C:\Windows\System32\qjqLLdN.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System32\EKUXtyh.exe
  C:\Windows\System32\EKUXtyh.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System32\lBHQeIT.exe
  C:\Windows\System32\lBHQeIT.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System32\ZkfvEaO.exe
  C:\Windows\System32\ZkfvEaO.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System32\anWGNxS.exe
  C:\Windows\System32\anWGNxS.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System32\MZiCURr.exe
  C:\Windows\System32\MZiCURr.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\VFXwNGQ.exe
  C:\Windows\System32\VFXwNGQ.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\TORmAnQ.exe
  C:\Windows\System32\TORmAnQ.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\trbscZa.exe
  C:\Windows\System32\trbscZa.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\hAOmMLi.exe
  C:\Windows\System32\hAOmMLi.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\EILoQNL.exe
  C:\Windows\System32\EILoQNL.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\eDLbhsx.exe
  C:\Windows\System32\eDLbhsx.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System32\AROiiTv.exe
  C:\Windows\System32\AROiiTv.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System32\cUPHWUv.exe
  C:\Windows\System32\cUPHWUv.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\pLEmIoe.exe
  C:\Windows\System32\pLEmIoe.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System32\wJaGSzb.exe
  C:\Windows\System32\wJaGSzb.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System32\kUMlIBb.exe
  C:\Windows\System32\kUMlIBb.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\feloBZd.exe
  C:\Windows\System32\feloBZd.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System32\mLktTlB.exe
  C:\Windows\System32\mLktTlB.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System32\CQQeHYo.exe
  C:\Windows\System32\CQQeHYo.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\eDOWszi.exe
  C:\Windows\System32\eDOWszi.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\ILIKpzj.exe
  C:\Windows\System32\ILIKpzj.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\uVeMswx.exe
  C:\Windows\System32\uVeMswx.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System32\gCglzeF.exe
  C:\Windows\System32\gCglzeF.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System32\JENbmPH.exe
  C:\Windows\System32\JENbmPH.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System32\JnusiQD.exe
  C:\Windows\System32\JnusiQD.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System32\UFqskof.exe
  C:\Windows\System32\UFqskof.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System32\UmayLYm.exe
  C:\Windows\System32\UmayLYm.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\IHUZjwy.exe
  C:\Windows\System32\IHUZjwy.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System32\WRUUViA.exe
  C:\Windows\System32\WRUUViA.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System32\anLFsbj.exe
  C:\Windows\System32\anLFsbj.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System32\nfqYBYQ.exe
  C:\Windows\System32\nfqYBYQ.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System32\fddWebv.exe
  C:\Windows\System32\fddWebv.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\FLGgjJL.exe
  C:\Windows\System32\FLGgjJL.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System32\nDnHmUp.exe
  C:\Windows\System32\nDnHmUp.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\System32\hbRmQGQ.exe
  C:\Windows\System32\hbRmQGQ.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System32\xVAuQLh.exe
  C:\Windows\System32\xVAuQLh.exe
  2⤵
  PID:2516
- C:\Windows\System32\NyhYOEH.exe
  C:\Windows\System32\NyhYOEH.exe
  2⤵
  PID:4632
- C:\Windows\System32\DLozGbD.exe
  C:\Windows\System32\DLozGbD.exe
  2⤵
  PID:4484
- C:\Windows\System32\kBzVVcg.exe
  C:\Windows\System32\kBzVVcg.exe
  2⤵
  PID:4024
- C:\Windows\System32\VraGwxg.exe
  C:\Windows\System32\VraGwxg.exe
  2⤵
  PID:3856
- C:\Windows\System32\jTTKYik.exe
  C:\Windows\System32\jTTKYik.exe
  2⤵
  PID:3780
- C:\Windows\System32\QxiPCWj.exe
  C:\Windows\System32\QxiPCWj.exe
  2⤵
  PID:64
- C:\Windows\System32\aJmvnln.exe
  C:\Windows\System32\aJmvnln.exe
  2⤵
  PID:5072
- C:\Windows\System32\BXHOQLX.exe
  C:\Windows\System32\BXHOQLX.exe
  2⤵
  PID:764
- C:\Windows\System32\QsKcRlk.exe
  C:\Windows\System32\QsKcRlk.exe
  2⤵
  PID:1484
- C:\Windows\System32\qZErTuD.exe
  C:\Windows\System32\qZErTuD.exe
  2⤵
  PID:1072
- C:\Windows\System32\QeFxnFP.exe
  C:\Windows\System32\QeFxnFP.exe
  2⤵
  PID:2748
- C:\Windows\System32\dICxzVc.exe
  C:\Windows\System32\dICxzVc.exe
  2⤵
  PID:3536
- C:\Windows\System32\PzYCnga.exe
  C:\Windows\System32\PzYCnga.exe
  2⤵
  PID:4012
- C:\Windows\System32\wcuRAdt.exe
  C:\Windows\System32\wcuRAdt.exe
  2⤵
  PID:2772
- C:\Windows\System32\DUHSIJj.exe
  C:\Windows\System32\DUHSIJj.exe
  2⤵
  PID:1132
- C:\Windows\System32\szKVnDu.exe
  C:\Windows\System32\szKVnDu.exe
  2⤵
  PID:3364
- C:\Windows\System32\ZKAmJNw.exe
  C:\Windows\System32\ZKAmJNw.exe
  2⤵
  PID:2832
- C:\Windows\System32\mutqfVd.exe
  C:\Windows\System32\mutqfVd.exe
  2⤵
  PID:1456
- C:\Windows\System32\RpptlnL.exe
  C:\Windows\System32\RpptlnL.exe
  2⤵
  PID:928
- C:\Windows\System32\NIVhvoU.exe
  C:\Windows\System32\NIVhvoU.exe
  2⤵
  PID:4396
- C:\Windows\System32\aMEsZdN.exe
  C:\Windows\System32\aMEsZdN.exe
  2⤵
  PID:4344
- C:\Windows\System32\PbItLaM.exe
  C:\Windows\System32\PbItLaM.exe
  2⤵
  PID:3496
- C:\Windows\System32\IYtAnHx.exe
  C:\Windows\System32\IYtAnHx.exe
  2⤵
  PID:3840
- C:\Windows\System32\LsxlMHl.exe
  C:\Windows\System32\LsxlMHl.exe
  2⤵
  PID:2984
- C:\Windows\System32\GTOQpnD.exe
  C:\Windows\System32\GTOQpnD.exe
  2⤵
  PID:1460
- C:\Windows\System32\GVitrEH.exe
  C:\Windows\System32\GVitrEH.exe
  2⤵
  PID:1800
- C:\Windows\System32\lrtwgQr.exe
  C:\Windows\System32\lrtwgQr.exe
  2⤵
  PID:2884
- C:\Windows\System32\oCBTjpY.exe
  C:\Windows\System32\oCBTjpY.exe
  2⤵
  PID:1652
- C:\Windows\System32\FRSEahB.exe
  C:\Windows\System32\FRSEahB.exe
  2⤵
  PID:552
- C:\Windows\System32\UvuCQWZ.exe
  C:\Windows\System32\UvuCQWZ.exe
  2⤵
  PID:988
- C:\Windows\System32\GbMCHgK.exe
  C:\Windows\System32\GbMCHgK.exe
  2⤵
  PID:4888
- C:\Windows\System32\XtXmFXv.exe
  C:\Windows\System32\XtXmFXv.exe
  2⤵
  PID:4608
- C:\Windows\System32\xFubMmt.exe
  C:\Windows\System32\xFubMmt.exe
  2⤵
  PID:4520
- C:\Windows\System32\HjsLLHj.exe
  C:\Windows\System32\HjsLLHj.exe
  2⤵
  PID:4468
- C:\Windows\System32\ZqhNvTv.exe
  C:\Windows\System32\ZqhNvTv.exe
  2⤵
  PID:2212
- C:\Windows\System32\HwHkcHm.exe
  C:\Windows\System32\HwHkcHm.exe
  2⤵
  PID:1568
- C:\Windows\System32\gvzqxWM.exe
  C:\Windows\System32\gvzqxWM.exe
  2⤵
  PID:3312
- C:\Windows\System32\yqkWtnM.exe
  C:\Windows\System32\yqkWtnM.exe
  2⤵
  PID:5144
- C:\Windows\System32\eQROYBZ.exe
  C:\Windows\System32\eQROYBZ.exe
  2⤵
  PID:5196
- C:\Windows\System32\CURscSO.exe
  C:\Windows\System32\CURscSO.exe
  2⤵
  PID:5228
- C:\Windows\System32\nikQCPO.exe
  C:\Windows\System32\nikQCPO.exe
  2⤵
  PID:5260
- C:\Windows\System32\xUdJutE.exe
  C:\Windows\System32\xUdJutE.exe
  2⤵
  PID:5296
- C:\Windows\System32\LYjvkPj.exe
  C:\Windows\System32\LYjvkPj.exe
  2⤵
  PID:5316
- C:\Windows\System32\TxzqDTm.exe
  C:\Windows\System32\TxzqDTm.exe
  2⤵
  PID:5344
- C:\Windows\System32\kuAqAFD.exe
  C:\Windows\System32\kuAqAFD.exe
  2⤵
  PID:5364
- C:\Windows\System32\slZzaQh.exe
  C:\Windows\System32\slZzaQh.exe
  2⤵
  PID:5388
- C:\Windows\System32\rctwEvb.exe
  C:\Windows\System32\rctwEvb.exe
  2⤵
  PID:5432
- C:\Windows\System32\DHYUerG.exe
  C:\Windows\System32\DHYUerG.exe
  2⤵
  PID:5452
- C:\Windows\System32\bqkmDzv.exe
  C:\Windows\System32\bqkmDzv.exe
  2⤵
  PID:5472
- C:\Windows\System32\pTMXVSP.exe
  C:\Windows\System32\pTMXVSP.exe
  2⤵
  PID:5508
- C:\Windows\System32\sLDXbXJ.exe
  C:\Windows\System32\sLDXbXJ.exe
  2⤵
  PID:5536
- C:\Windows\System32\wbLVycQ.exe
  C:\Windows\System32\wbLVycQ.exe
  2⤵
  PID:5552
- C:\Windows\System32\UJsCRKE.exe
  C:\Windows\System32\UJsCRKE.exe
  2⤵
  PID:5576
- C:\Windows\System32\jrWppKY.exe
  C:\Windows\System32\jrWppKY.exe
  2⤵
  PID:5592
- C:\Windows\System32\XLzTccB.exe
  C:\Windows\System32\XLzTccB.exe
  2⤵
  PID:5612
- C:\Windows\System32\gyMiqDN.exe
  C:\Windows\System32\gyMiqDN.exe
  2⤵
  PID:5628
- C:\Windows\System32\Kztgxuh.exe
  C:\Windows\System32\Kztgxuh.exe
  2⤵
  PID:5660
- C:\Windows\System32\CZAEooQ.exe
  C:\Windows\System32\CZAEooQ.exe
  2⤵
  PID:5732
- C:\Windows\System32\YyplXbJ.exe
  C:\Windows\System32\YyplXbJ.exe
  2⤵
  PID:5756
- C:\Windows\System32\BkwoqUs.exe
  C:\Windows\System32\BkwoqUs.exe
  2⤵
  PID:5780
- C:\Windows\System32\jTaAGOp.exe
  C:\Windows\System32\jTaAGOp.exe
  2⤵
  PID:5804
- C:\Windows\System32\lAhizCA.exe
  C:\Windows\System32\lAhizCA.exe
  2⤵
  PID:5824
- C:\Windows\System32\QBodlAn.exe
  C:\Windows\System32\QBodlAn.exe
  2⤵
  PID:5840
- C:\Windows\System32\oxNArkK.exe
  C:\Windows\System32\oxNArkK.exe
  2⤵
  PID:5872
- C:\Windows\System32\CyuwTaP.exe
  C:\Windows\System32\CyuwTaP.exe
  2⤵
  PID:5904
- C:\Windows\System32\FMdjxlT.exe
  C:\Windows\System32\FMdjxlT.exe
  2⤵
  PID:5948
- C:\Windows\System32\pwulMgg.exe
  C:\Windows\System32\pwulMgg.exe
  2⤵
  PID:5976
- C:\Windows\System32\RqwjDXA.exe
  C:\Windows\System32\RqwjDXA.exe
  2⤵
  PID:6036
- C:\Windows\System32\dxwUlJz.exe
  C:\Windows\System32\dxwUlJz.exe
  2⤵
  PID:6052
- C:\Windows\System32\ykJZRKy.exe
  C:\Windows\System32\ykJZRKy.exe
  2⤵
  PID:6068
- C:\Windows\System32\mjVRrPm.exe
  C:\Windows\System32\mjVRrPm.exe
  2⤵
  PID:6088
- C:\Windows\System32\AvogMwQ.exe
  C:\Windows\System32\AvogMwQ.exe
  2⤵
  PID:6108
- C:\Windows\System32\OnCFpXi.exe
  C:\Windows\System32\OnCFpXi.exe
  2⤵
  PID:6124
- C:\Windows\System32\FUsPIlZ.exe
  C:\Windows\System32\FUsPIlZ.exe
  2⤵
  PID:2148
- C:\Windows\System32\kTEanSF.exe
  C:\Windows\System32\kTEanSF.exe
  2⤵
  PID:5204
- C:\Windows\System32\EYCkHLV.exe
  C:\Windows\System32\EYCkHLV.exe
  2⤵
  PID:5224
- C:\Windows\System32\FoUPtWz.exe
  C:\Windows\System32\FoUPtWz.exe
  2⤵
  PID:5416
- C:\Windows\System32\duvIHzN.exe
  C:\Windows\System32\duvIHzN.exe
  2⤵
  PID:5460
- C:\Windows\System32\ymTpwfp.exe
  C:\Windows\System32\ymTpwfp.exe
  2⤵
  PID:5492
- C:\Windows\System32\YGrhpTb.exe
  C:\Windows\System32\YGrhpTb.exe
  2⤵
  PID:5568
- C:\Windows\System32\RhcsctF.exe
  C:\Windows\System32\RhcsctF.exe
  2⤵
  PID:5608
- C:\Windows\System32\pAbrSkp.exe
  C:\Windows\System32\pAbrSkp.exe
  2⤵
  PID:5680
- C:\Windows\System32\NwPNVgE.exe
  C:\Windows\System32\NwPNVgE.exe
  2⤵
  PID:5744
- C:\Windows\System32\jCFHvcp.exe
  C:\Windows\System32\jCFHvcp.exe
  2⤵
  PID:5708
- C:\Windows\System32\dRSYZXL.exe
  C:\Windows\System32\dRSYZXL.exe
  2⤵
  PID:5868
- C:\Windows\System32\HVwaqmP.exe
  C:\Windows\System32\HVwaqmP.exe
  2⤵
  PID:5836
- C:\Windows\System32\voXvJcV.exe
  C:\Windows\System32\voXvJcV.exe
  2⤵
  PID:5920
- C:\Windows\System32\korVgoW.exe
  C:\Windows\System32\korVgoW.exe
  2⤵
  PID:2236
- C:\Windows\System32\ULOwkOQ.exe
  C:\Windows\System32\ULOwkOQ.exe
  2⤵
  PID:6080
- C:\Windows\System32\xfGwnML.exe
  C:\Windows\System32\xfGwnML.exe
  2⤵
  PID:5140
- C:\Windows\System32\vDyYEui.exe
  C:\Windows\System32\vDyYEui.exe
  2⤵
  PID:5352
- C:\Windows\System32\HJQQQHz.exe
  C:\Windows\System32\HJQQQHz.exe
  2⤵
  PID:5548
- C:\Windows\System32\khYzPfO.exe
  C:\Windows\System32\khYzPfO.exe
  2⤵
  PID:5544
- C:\Windows\System32\BqozVcl.exe
  C:\Windows\System32\BqozVcl.exe
  2⤵
  PID:5788
- C:\Windows\System32\qTClzAJ.exe
  C:\Windows\System32\qTClzAJ.exe
  2⤵
  PID:5884
- C:\Windows\System32\hPntgLF.exe
  C:\Windows\System32\hPntgLF.exe
  2⤵
  PID:5992
- C:\Windows\System32\VZbRGYO.exe
  C:\Windows\System32\VZbRGYO.exe
  2⤵
  PID:5168
- C:\Windows\System32\AEFlzdA.exe
  C:\Windows\System32\AEFlzdA.exe
  2⤵
  PID:5588
- C:\Windows\System32\JozyWvY.exe
  C:\Windows\System32\JozyWvY.exe
  2⤵
  PID:5996
- C:\Windows\System32\YaHJyUt.exe
  C:\Windows\System32\YaHJyUt.exe
  2⤵
  PID:6140
- C:\Windows\System32\CEcemZv.exe
  C:\Windows\System32\CEcemZv.exe
  2⤵
  PID:5724
- C:\Windows\System32\VitvOWd.exe
  C:\Windows\System32\VitvOWd.exe
  2⤵
  PID:6164
- C:\Windows\System32\KugeFcR.exe
  C:\Windows\System32\KugeFcR.exe
  2⤵
  PID:6192
- C:\Windows\System32\LZDNjlp.exe
  C:\Windows\System32\LZDNjlp.exe
  2⤵
  PID:6208
- C:\Windows\System32\rsbhtjr.exe
  C:\Windows\System32\rsbhtjr.exe
  2⤵
  PID:6228
- C:\Windows\System32\yhfZyna.exe
  C:\Windows\System32\yhfZyna.exe
  2⤵
  PID:6244
- C:\Windows\System32\AtDMqKR.exe
  C:\Windows\System32\AtDMqKR.exe
  2⤵
  PID:6272
- C:\Windows\System32\TNTPEip.exe
  C:\Windows\System32\TNTPEip.exe
  2⤵
  PID:6300
- C:\Windows\System32\eIRSYhy.exe
  C:\Windows\System32\eIRSYhy.exe
  2⤵
  PID:6372
- C:\Windows\System32\TZasAna.exe
  C:\Windows\System32\TZasAna.exe
  2⤵
  PID:6424
- C:\Windows\System32\QLHXPHh.exe
  C:\Windows\System32\QLHXPHh.exe
  2⤵
  PID:6448
- C:\Windows\System32\CgoAYbI.exe
  C:\Windows\System32\CgoAYbI.exe
  2⤵
  PID:6480
- C:\Windows\System32\TIsFHwu.exe
  C:\Windows\System32\TIsFHwu.exe
  2⤵
  PID:6508
- C:\Windows\System32\YdueJmJ.exe
  C:\Windows\System32\YdueJmJ.exe
  2⤵
  PID:6532
- C:\Windows\System32\rhAQbIf.exe
  C:\Windows\System32\rhAQbIf.exe
  2⤵
  PID:6552
- C:\Windows\System32\oLenFDU.exe
  C:\Windows\System32\oLenFDU.exe
  2⤵
  PID:6580
- C:\Windows\System32\iEFQtwm.exe
  C:\Windows\System32\iEFQtwm.exe
  2⤵
  PID:6600
- C:\Windows\System32\saAcili.exe
  C:\Windows\System32\saAcili.exe
  2⤵
  PID:6616
- C:\Windows\System32\GfWgaCO.exe
  C:\Windows\System32\GfWgaCO.exe
  2⤵
  PID:6656
- C:\Windows\System32\imEJEmh.exe
  C:\Windows\System32\imEJEmh.exe
  2⤵
  PID:6684
- C:\Windows\System32\WwQoCHG.exe
  C:\Windows\System32\WwQoCHG.exe
  2⤵
  PID:6704
- C:\Windows\System32\rdnzzDB.exe
  C:\Windows\System32\rdnzzDB.exe
  2⤵
  PID:6720
- C:\Windows\System32\HzzYNze.exe
  C:\Windows\System32\HzzYNze.exe
  2⤵
  PID:6744
- C:\Windows\System32\IfgPpuF.exe
  C:\Windows\System32\IfgPpuF.exe
  2⤵
  PID:6760
- C:\Windows\System32\LIqvdJd.exe
  C:\Windows\System32\LIqvdJd.exe
  2⤵
  PID:6780
- C:\Windows\System32\BuztJkY.exe
  C:\Windows\System32\BuztJkY.exe
  2⤵
  PID:6796
- C:\Windows\System32\CqBptPm.exe
  C:\Windows\System32\CqBptPm.exe
  2⤵
  PID:6816
- C:\Windows\System32\qjsImlZ.exe
  C:\Windows\System32\qjsImlZ.exe
  2⤵
  PID:6892
- C:\Windows\System32\vtzMipR.exe
  C:\Windows\System32\vtzMipR.exe
  2⤵
  PID:6916
- C:\Windows\System32\GZHxuYG.exe
  C:\Windows\System32\GZHxuYG.exe
  2⤵
  PID:6948
- C:\Windows\System32\gJIcbQp.exe
  C:\Windows\System32\gJIcbQp.exe
  2⤵
  PID:6964
- C:\Windows\System32\JSwYgmv.exe
  C:\Windows\System32\JSwYgmv.exe
  2⤵
  PID:6992
- C:\Windows\System32\GFIZCvq.exe
  C:\Windows\System32\GFIZCvq.exe
  2⤵
  PID:7012
- C:\Windows\System32\vlbVQuS.exe
  C:\Windows\System32\vlbVQuS.exe
  2⤵
  PID:7028
- C:\Windows\System32\yEQWZmv.exe
  C:\Windows\System32\yEQWZmv.exe
  2⤵
  PID:7084
- C:\Windows\System32\yhzQNZW.exe
  C:\Windows\System32\yhzQNZW.exe
  2⤵
  PID:7100
- C:\Windows\System32\gPzzbXP.exe
  C:\Windows\System32\gPzzbXP.exe
  2⤵
  PID:7148
- C:\Windows\System32\ciAskqD.exe
  C:\Windows\System32\ciAskqD.exe
  2⤵
  PID:5240
- C:\Windows\System32\TUCGrYt.exe
  C:\Windows\System32\TUCGrYt.exe
  2⤵
  PID:5324
- C:\Windows\System32\IMTrpMh.exe
  C:\Windows\System32\IMTrpMh.exe
  2⤵
  PID:6240
- C:\Windows\System32\UXTyygV.exe
  C:\Windows\System32\UXTyygV.exe
  2⤵
  PID:6236
- C:\Windows\System32\jITymOi.exe
  C:\Windows\System32\jITymOi.exe
  2⤵
  PID:6332
- C:\Windows\System32\oDLwemO.exe
  C:\Windows\System32\oDLwemO.exe
  2⤵
  PID:6504
- C:\Windows\System32\CWrbjTd.exe
  C:\Windows\System32\CWrbjTd.exe
  2⤵
  PID:6564
- C:\Windows\System32\dXNeRMB.exe
  C:\Windows\System32\dXNeRMB.exe
  2⤵
  PID:6544
- C:\Windows\System32\biaojpE.exe
  C:\Windows\System32\biaojpE.exe
  2⤵
  PID:6596
- C:\Windows\System32\adIfiIa.exe
  C:\Windows\System32\adIfiIa.exe
  2⤵
  PID:6668
- C:\Windows\System32\tHmNwhV.exe
  C:\Windows\System32\tHmNwhV.exe
  2⤵
  PID:6776
- C:\Windows\System32\WrTKFwm.exe
  C:\Windows\System32\WrTKFwm.exe
  2⤵
  PID:6828
- C:\Windows\System32\aGURaKj.exe
  C:\Windows\System32\aGURaKj.exe
  2⤵
  PID:6772
- C:\Windows\System32\GsuTgrE.exe
  C:\Windows\System32\GsuTgrE.exe
  2⤵
  PID:6924
- C:\Windows\System32\PZUgptk.exe
  C:\Windows\System32\PZUgptk.exe
  2⤵
  PID:6904
- C:\Windows\System32\yqoRgNj.exe
  C:\Windows\System32\yqoRgNj.exe
  2⤵
  PID:7128
- C:\Windows\System32\IOTcIOf.exe
  C:\Windows\System32\IOTcIOf.exe
  2⤵
  PID:6284
- C:\Windows\System32\rMOCcvm.exe
  C:\Windows\System32\rMOCcvm.exe
  2⤵
  PID:6396
- C:\Windows\System32\NsgOsWh.exe
  C:\Windows\System32\NsgOsWh.exe
  2⤵
  PID:6560
- C:\Windows\System32\hYKFwVh.exe
  C:\Windows\System32\hYKFwVh.exe
  2⤵
  PID:6640
- C:\Windows\System32\AHpXPBW.exe
  C:\Windows\System32\AHpXPBW.exe
  2⤵
  PID:6624
- C:\Windows\System32\bVNSiGP.exe
  C:\Windows\System32\bVNSiGP.exe
  2⤵
  PID:6848
- C:\Windows\System32\isJffUk.exe
  C:\Windows\System32\isJffUk.exe
  2⤵
  PID:7136
- C:\Windows\System32\qIyPfcq.exe
  C:\Windows\System32\qIyPfcq.exe
  2⤵
  PID:6312
- C:\Windows\System32\mQTlGZp.exe
  C:\Windows\System32\mQTlGZp.exe
  2⤵
  PID:6628
- C:\Windows\System32\HfdKKaB.exe
  C:\Windows\System32\HfdKKaB.exe
  2⤵
  PID:7160
- C:\Windows\System32\CyBfayc.exe
  C:\Windows\System32\CyBfayc.exe
  2⤵
  PID:6972
- C:\Windows\System32\VrgsDDz.exe
  C:\Windows\System32\VrgsDDz.exe
  2⤵
  PID:7200
- C:\Windows\System32\PowzMEc.exe
  C:\Windows\System32\PowzMEc.exe
  2⤵
  PID:7216
- C:\Windows\System32\OLlmUoQ.exe
  C:\Windows\System32\OLlmUoQ.exe
  2⤵
  PID:7236
- C:\Windows\System32\mjMcicG.exe
  C:\Windows\System32\mjMcicG.exe
  2⤵
  PID:7256
- C:\Windows\System32\XRnzGSs.exe
  C:\Windows\System32\XRnzGSs.exe
  2⤵
  PID:7300
- C:\Windows\System32\aRDOEjj.exe
  C:\Windows\System32\aRDOEjj.exe
  2⤵
  PID:7324
- C:\Windows\System32\QYjXkiX.exe
  C:\Windows\System32\QYjXkiX.exe
  2⤵
  PID:7352
- C:\Windows\System32\HdhoTDi.exe
  C:\Windows\System32\HdhoTDi.exe
  2⤵
  PID:7372
- C:\Windows\System32\XcmVTdL.exe
  C:\Windows\System32\XcmVTdL.exe
  2⤵
  PID:7388
- C:\Windows\System32\JbiLXRI.exe
  C:\Windows\System32\JbiLXRI.exe
  2⤵
  PID:7412
- C:\Windows\System32\QZjbEFK.exe
  C:\Windows\System32\QZjbEFK.exe
  2⤵
  PID:7440
- C:\Windows\System32\nnsgDqy.exe
  C:\Windows\System32\nnsgDqy.exe
  2⤵
  PID:7504
- C:\Windows\System32\zaGmVMr.exe
  C:\Windows\System32\zaGmVMr.exe
  2⤵
  PID:7520
- C:\Windows\System32\TnmZnYd.exe
  C:\Windows\System32\TnmZnYd.exe
  2⤵
  PID:7536
- C:\Windows\System32\bYhoYwq.exe
  C:\Windows\System32\bYhoYwq.exe
  2⤵
  PID:7556
- C:\Windows\System32\QOaRZfD.exe
  C:\Windows\System32\QOaRZfD.exe
  2⤵
  PID:7572
- C:\Windows\System32\DhuTJlt.exe
  C:\Windows\System32\DhuTJlt.exe
  2⤵
  PID:7596
- C:\Windows\System32\DjFvkOA.exe
  C:\Windows\System32\DjFvkOA.exe
  2⤵
  PID:7656
- C:\Windows\System32\hnZLnWb.exe
  C:\Windows\System32\hnZLnWb.exe
  2⤵
  PID:7708
- C:\Windows\System32\iUXTfdV.exe
  C:\Windows\System32\iUXTfdV.exe
  2⤵
  PID:7728
- C:\Windows\System32\WdEeyJd.exe
  C:\Windows\System32\WdEeyJd.exe
  2⤵
  PID:7756
- C:\Windows\System32\ImCXXfs.exe
  C:\Windows\System32\ImCXXfs.exe
  2⤵
  PID:7772
- C:\Windows\System32\MdJeXiV.exe
  C:\Windows\System32\MdJeXiV.exe
  2⤵
  PID:7800
- C:\Windows\System32\aJpTeXo.exe
  C:\Windows\System32\aJpTeXo.exe
  2⤵
  PID:7820
- C:\Windows\System32\NTQYUdO.exe
  C:\Windows\System32\NTQYUdO.exe
  2⤵
  PID:7848
- C:\Windows\System32\vCbRPJV.exe
  C:\Windows\System32\vCbRPJV.exe
  2⤵
  PID:7892
- C:\Windows\System32\BCWumfA.exe
  C:\Windows\System32\BCWumfA.exe
  2⤵
  PID:7908
- C:\Windows\System32\WCnzWNp.exe
  C:\Windows\System32\WCnzWNp.exe
  2⤵
  PID:7936
- C:\Windows\System32\McGEQpv.exe
  C:\Windows\System32\McGEQpv.exe
  2⤵
  PID:7964
- C:\Windows\System32\EOGyaNY.exe
  C:\Windows\System32\EOGyaNY.exe
  2⤵
  PID:8000
- C:\Windows\System32\ODelDzn.exe
  C:\Windows\System32\ODelDzn.exe
  2⤵
  PID:8036
- C:\Windows\System32\ZocGATB.exe
  C:\Windows\System32\ZocGATB.exe
  2⤵
  PID:8056
- C:\Windows\System32\AKPYTuz.exe
  C:\Windows\System32\AKPYTuz.exe
  2⤵
  PID:8084
- C:\Windows\System32\JvoMsOD.exe
  C:\Windows\System32\JvoMsOD.exe
  2⤵
  PID:8128
- C:\Windows\System32\LRJNCbz.exe
  C:\Windows\System32\LRJNCbz.exe
  2⤵
  PID:8152
- C:\Windows\System32\egeaxyJ.exe
  C:\Windows\System32\egeaxyJ.exe
  2⤵
  PID:8172
- C:\Windows\System32\aSdqTEn.exe
  C:\Windows\System32\aSdqTEn.exe
  2⤵
  PID:8188
- C:\Windows\System32\yFOtBtT.exe
  C:\Windows\System32\yFOtBtT.exe
  2⤵
  PID:6524
- C:\Windows\System32\MMfgncK.exe
  C:\Windows\System32\MMfgncK.exe
  2⤵
  PID:7192
- C:\Windows\System32\nHpbmhE.exe
  C:\Windows\System32\nHpbmhE.exe
  2⤵
  PID:7368
- C:\Windows\System32\SzWonlg.exe
  C:\Windows\System32\SzWonlg.exe
  2⤵
  PID:7408
- C:\Windows\System32\sxOGgsx.exe
  C:\Windows\System32\sxOGgsx.exe
  2⤵
  PID:7456
- C:\Windows\System32\PPJoXjL.exe
  C:\Windows\System32\PPJoXjL.exe
  2⤵
  PID:7532
- C:\Windows\System32\esWPeeg.exe
  C:\Windows\System32\esWPeeg.exe
  2⤵
  PID:7580
- C:\Windows\System32\dJDJMUx.exe
  C:\Windows\System32\dJDJMUx.exe
  2⤵
  PID:7604
- C:\Windows\System32\SDeStXG.exe
  C:\Windows\System32\SDeStXG.exe
  2⤵
  PID:7764
- C:\Windows\System32\aLIgCci.exe
  C:\Windows\System32\aLIgCci.exe
  2⤵
  PID:7808
- C:\Windows\System32\KfxkMlY.exe
  C:\Windows\System32\KfxkMlY.exe
  2⤵
  PID:7868
- C:\Windows\System32\BrvvtOy.exe
  C:\Windows\System32\BrvvtOy.exe
  2⤵
  PID:7932
- C:\Windows\System32\yrbiRyp.exe
  C:\Windows\System32\yrbiRyp.exe
  2⤵
  PID:7976
- C:\Windows\System32\lIXsyru.exe
  C:\Windows\System32\lIXsyru.exe
  2⤵
  PID:8008
- C:\Windows\System32\AjBpiVw.exe
  C:\Windows\System32\AjBpiVw.exe
  2⤵
  PID:8100
- C:\Windows\System32\sxOqnTP.exe
  C:\Windows\System32\sxOqnTP.exe
  2⤵
  PID:8144
- C:\Windows\System32\CYRUsBH.exe
  C:\Windows\System32\CYRUsBH.exe
  2⤵
  PID:7180
- C:\Windows\System32\eLMjcnH.exe
  C:\Windows\System32\eLMjcnH.exe
  2⤵
  PID:7224
- C:\Windows\System32\sfhkOQS.exe
  C:\Windows\System32\sfhkOQS.exe
  2⤵
  PID:7244
- C:\Windows\System32\sTOGSWE.exe
  C:\Windows\System32\sTOGSWE.exe
  2⤵
  PID:7592
- C:\Windows\System32\dyNJtWj.exe
  C:\Windows\System32\dyNJtWj.exe
  2⤵
  PID:7284
- C:\Windows\System32\AwdrqmM.exe
  C:\Windows\System32\AwdrqmM.exe
  2⤵
  PID:7904
- C:\Windows\System32\VaIQnUI.exe
  C:\Windows\System32\VaIQnUI.exe
  2⤵
  PID:7396
- C:\Windows\System32\fOxWGhx.exe
  C:\Windows\System32\fOxWGhx.exe
  2⤵
  PID:7816
- C:\Windows\System32\sRDtmnR.exe
  C:\Windows\System32\sRDtmnR.exe
  2⤵
  PID:7740
- C:\Windows\System32\zgmBlBU.exe
  C:\Windows\System32\zgmBlBU.exe
  2⤵
  PID:8024
- C:\Windows\System32\YPYRtlG.exe
  C:\Windows\System32\YPYRtlG.exe
  2⤵
  PID:7516
- C:\Windows\System32\PHDRISE.exe
  C:\Windows\System32\PHDRISE.exe
  2⤵
  PID:8212
- C:\Windows\System32\mvHJNlX.exe
  C:\Windows\System32\mvHJNlX.exe
  2⤵
  PID:8236
- C:\Windows\System32\jDyPdme.exe
  C:\Windows\System32\jDyPdme.exe
  2⤵
  PID:8288
- C:\Windows\System32\GYguYWb.exe
  C:\Windows\System32\GYguYWb.exe
  2⤵
  PID:8308
- C:\Windows\System32\YOwuKNM.exe
  C:\Windows\System32\YOwuKNM.exe
  2⤵
  PID:8332
- C:\Windows\System32\fpHXFwz.exe
  C:\Windows\System32\fpHXFwz.exe
  2⤵
  PID:8348
- C:\Windows\System32\SIpVbYv.exe
  C:\Windows\System32\SIpVbYv.exe
  2⤵
  PID:8388
- C:\Windows\System32\SQgXhur.exe
  C:\Windows\System32\SQgXhur.exe
  2⤵
  PID:8428
- C:\Windows\System32\adSuyQU.exe
  C:\Windows\System32\adSuyQU.exe
  2⤵
  PID:8456
- C:\Windows\System32\hWZFGvn.exe
  C:\Windows\System32\hWZFGvn.exe
  2⤵
  PID:8472
- C:\Windows\System32\uInfnBa.exe
  C:\Windows\System32\uInfnBa.exe
  2⤵
  PID:8512
- C:\Windows\System32\uAPiNRa.exe
  C:\Windows\System32\uAPiNRa.exe
  2⤵
  PID:8532
- C:\Windows\System32\zzlrlgU.exe
  C:\Windows\System32\zzlrlgU.exe
  2⤵
  PID:8552
- C:\Windows\System32\GYztfat.exe
  C:\Windows\System32\GYztfat.exe
  2⤵
  PID:8576
- C:\Windows\System32\mGZuEUq.exe
  C:\Windows\System32\mGZuEUq.exe
  2⤵
  PID:8592
- C:\Windows\System32\AoLpENq.exe
  C:\Windows\System32\AoLpENq.exe
  2⤵
  PID:8616
- C:\Windows\System32\ZsaOVyG.exe
  C:\Windows\System32\ZsaOVyG.exe
  2⤵
  PID:8632
- C:\Windows\System32\BeCUiYA.exe
  C:\Windows\System32\BeCUiYA.exe
  2⤵
  PID:8704
- C:\Windows\System32\cXyGefz.exe
  C:\Windows\System32\cXyGefz.exe
  2⤵
  PID:8724
- C:\Windows\System32\NbVziLD.exe
  C:\Windows\System32\NbVziLD.exe
  2⤵
  PID:8748
- C:\Windows\System32\iaGbMOc.exe
  C:\Windows\System32\iaGbMOc.exe
  2⤵
  PID:8768
- C:\Windows\System32\gdrUuNz.exe
  C:\Windows\System32\gdrUuNz.exe
  2⤵
  PID:8784
- C:\Windows\System32\EQpiFwh.exe
  C:\Windows\System32\EQpiFwh.exe
  2⤵
  PID:8812
- C:\Windows\System32\ZQjIEVP.exe
  C:\Windows\System32\ZQjIEVP.exe
  2⤵
  PID:8836
- C:\Windows\System32\KQWowUs.exe
  C:\Windows\System32\KQWowUs.exe
  2⤵
  PID:8892
- C:\Windows\System32\zYHpBlU.exe
  C:\Windows\System32\zYHpBlU.exe
  2⤵
  PID:8912
- C:\Windows\System32\witvutp.exe
  C:\Windows\System32\witvutp.exe
  2⤵
  PID:8936
- C:\Windows\System32\XDwhJVm.exe
  C:\Windows\System32\XDwhJVm.exe
  2⤵
  PID:8980
- C:\Windows\System32\VvjhgYc.exe
  C:\Windows\System32\VvjhgYc.exe
  2⤵
  PID:9000
- C:\Windows\System32\fyyJTXO.exe
  C:\Windows\System32\fyyJTXO.exe
  2⤵
  PID:9020
- C:\Windows\System32\dWuFixP.exe
  C:\Windows\System32\dWuFixP.exe
  2⤵
  PID:9036
- C:\Windows\System32\RXholBO.exe
  C:\Windows\System32\RXholBO.exe
  2⤵
  PID:9100
- C:\Windows\System32\RByikXM.exe
  C:\Windows\System32\RByikXM.exe
  2⤵
  PID:9116
- C:\Windows\System32\GvpCsNx.exe
  C:\Windows\System32\GvpCsNx.exe
  2⤵
  PID:9136
- C:\Windows\System32\zCEAouv.exe
  C:\Windows\System32\zCEAouv.exe
  2⤵
  PID:9160
- C:\Windows\System32\sxIUWax.exe
  C:\Windows\System32\sxIUWax.exe
  2⤵
  PID:8112
- C:\Windows\System32\whJJOaP.exe
  C:\Windows\System32\whJJOaP.exe
  2⤵
  PID:8268
- C:\Windows\System32\VbVSwpe.exe
  C:\Windows\System32\VbVSwpe.exe
  2⤵
  PID:8316
- C:\Windows\System32\qdXlrRA.exe
  C:\Windows\System32\qdXlrRA.exe
  2⤵
  PID:8372
- C:\Windows\System32\nSUoARz.exe
  C:\Windows\System32\nSUoARz.exe
  2⤵
  PID:8420
- C:\Windows\System32\eVABBqw.exe
  C:\Windows\System32\eVABBqw.exe
  2⤵
  PID:8492
- C:\Windows\System32\zHdybNN.exe
  C:\Windows\System32\zHdybNN.exe
  2⤵
  PID:8548
- C:\Windows\System32\XXschqq.exe
  C:\Windows\System32\XXschqq.exe
  2⤵
  PID:8624
- C:\Windows\System32\oLRbcFw.exe
  C:\Windows\System32\oLRbcFw.exe
  2⤵
  PID:8680
- C:\Windows\System32\BWzANZj.exe
  C:\Windows\System32\BWzANZj.exe
  2⤵
  PID:8740
- C:\Windows\System32\ewvMmLH.exe
  C:\Windows\System32\ewvMmLH.exe
  2⤵
  PID:8828
- C:\Windows\System32\kPvgPAq.exe
  C:\Windows\System32\kPvgPAq.exe
  2⤵
  PID:8872
- C:\Windows\System32\xQdbWFy.exe
  C:\Windows\System32\xQdbWFy.exe
  2⤵
  PID:8868
- C:\Windows\System32\awCfuab.exe
  C:\Windows\System32\awCfuab.exe
  2⤵
  PID:9012
- C:\Windows\System32\srhnpZP.exe
  C:\Windows\System32\srhnpZP.exe
  2⤵
  PID:9032
- C:\Windows\System32\FzclOVM.exe
  C:\Windows\System32\FzclOVM.exe
  2⤵
  PID:9132
- C:\Windows\System32\MQglPNQ.exe
  C:\Windows\System32\MQglPNQ.exe
  2⤵
  PID:9188
- C:\Windows\System32\ygGtkuF.exe
  C:\Windows\System32\ygGtkuF.exe
  2⤵
  PID:7716
- C:\Windows\System32\VCAJCZV.exe
  C:\Windows\System32\VCAJCZV.exe
  2⤵
  PID:8300
- C:\Windows\System32\mwazVsS.exe
  C:\Windows\System32\mwazVsS.exe
  2⤵
  PID:8364
- C:\Windows\System32\HEIDeSy.exe
  C:\Windows\System32\HEIDeSy.exe
  2⤵
  PID:8524
- C:\Windows\System32\udpiTvw.exe
  C:\Windows\System32\udpiTvw.exe
  2⤵
  PID:8968
- C:\Windows\System32\BToaPPi.exe
  C:\Windows\System32\BToaPPi.exe
  2⤵
  PID:9016
- C:\Windows\System32\CCWARfF.exe
  C:\Windows\System32\CCWARfF.exe
  2⤵
  PID:9204
- C:\Windows\System32\OqJaGEq.exe
  C:\Windows\System32\OqJaGEq.exe
  2⤵
  PID:9208
- C:\Windows\System32\cdSeOgv.exe
  C:\Windows\System32\cdSeOgv.exe
  2⤵
  PID:8656
- C:\Windows\System32\ThLOIGA.exe
  C:\Windows\System32\ThLOIGA.exe
  2⤵
  PID:9184
- C:\Windows\System32\WSSaBcA.exe
  C:\Windows\System32\WSSaBcA.exe
  2⤵
  PID:9108
- C:\Windows\System32\uboPxbe.exe
  C:\Windows\System32\uboPxbe.exe
  2⤵
  PID:9228
- C:\Windows\System32\XtRUpbn.exe
  C:\Windows\System32\XtRUpbn.exe
  2⤵
  PID:9256
- C:\Windows\System32\kkZqHDo.exe
  C:\Windows\System32\kkZqHDo.exe
  2⤵
  PID:9280
- C:\Windows\System32\vslIleb.exe
  C:\Windows\System32\vslIleb.exe
  2⤵
  PID:9300
- C:\Windows\System32\RhcfvUK.exe
  C:\Windows\System32\RhcfvUK.exe
  2⤵
  PID:9328
- C:\Windows\System32\Aeqennz.exe
  C:\Windows\System32\Aeqennz.exe
  2⤵
  PID:9344
- C:\Windows\System32\UFIRHfS.exe
  C:\Windows\System32\UFIRHfS.exe
  2⤵
  PID:9392
- C:\Windows\System32\GyHFNKT.exe
  C:\Windows\System32\GyHFNKT.exe
  2⤵
  PID:9420
- C:\Windows\System32\ubUikCr.exe
  C:\Windows\System32\ubUikCr.exe
  2⤵
  PID:9448
- C:\Windows\System32\jUGamvv.exe
  C:\Windows\System32\jUGamvv.exe
  2⤵
  PID:9464
- C:\Windows\System32\LvbpZQn.exe
  C:\Windows\System32\LvbpZQn.exe
  2⤵
  PID:9504
- C:\Windows\System32\biFrQfR.exe
  C:\Windows\System32\biFrQfR.exe
  2⤵
  PID:9528
- C:\Windows\System32\MSNmQgj.exe
  C:\Windows\System32\MSNmQgj.exe
  2⤵
  PID:9544
- C:\Windows\System32\PtlxULF.exe
  C:\Windows\System32\PtlxULF.exe
  2⤵
  PID:9568
- C:\Windows\System32\xBVehPs.exe
  C:\Windows\System32\xBVehPs.exe
  2⤵
  PID:9588
- C:\Windows\System32\PYDnljn.exe
  C:\Windows\System32\PYDnljn.exe
  2⤵
  PID:9604
- C:\Windows\System32\AGtYZdH.exe
  C:\Windows\System32\AGtYZdH.exe
  2⤵
  PID:9636
- C:\Windows\System32\xcUvWfw.exe
  C:\Windows\System32\xcUvWfw.exe
  2⤵
  PID:9680
- C:\Windows\System32\YOxvjVl.exe
  C:\Windows\System32\YOxvjVl.exe
  2⤵
  PID:9700
- C:\Windows\System32\YGUVOGh.exe
  C:\Windows\System32\YGUVOGh.exe
  2⤵
  PID:9756
- C:\Windows\System32\FcmrtNn.exe
  C:\Windows\System32\FcmrtNn.exe
  2⤵
  PID:9804
- C:\Windows\System32\LqcCcAx.exe
  C:\Windows\System32\LqcCcAx.exe
  2⤵
  PID:9820
- C:\Windows\System32\lZpNvpx.exe
  C:\Windows\System32\lZpNvpx.exe
  2⤵
  PID:9840
- C:\Windows\System32\FyYJoeq.exe
  C:\Windows\System32\FyYJoeq.exe
  2⤵
  PID:9868
- C:\Windows\System32\QpWZhww.exe
  C:\Windows\System32\QpWZhww.exe
  2⤵
  PID:9900
- C:\Windows\System32\YGDzPzr.exe
  C:\Windows\System32\YGDzPzr.exe
  2⤵
  PID:9928
- C:\Windows\System32\OXaTPeb.exe
  C:\Windows\System32\OXaTPeb.exe
  2⤵
  PID:9956
- C:\Windows\System32\gWlxAJN.exe
  C:\Windows\System32\gWlxAJN.exe
  2⤵
  PID:9988
- C:\Windows\System32\rqJRFoY.exe
  C:\Windows\System32\rqJRFoY.exe
  2⤵
  PID:10020
- C:\Windows\System32\mpEXaPo.exe
  C:\Windows\System32\mpEXaPo.exe
  2⤵
  PID:10036
- C:\Windows\System32\BmLgqTe.exe
  C:\Windows\System32\BmLgqTe.exe
  2⤵
  PID:10056
- C:\Windows\System32\mUOQOwz.exe
  C:\Windows\System32\mUOQOwz.exe
  2⤵
  PID:10096
- C:\Windows\System32\FZIPBtL.exe
  C:\Windows\System32\FZIPBtL.exe
  2⤵
  PID:10136
- C:\Windows\System32\UaIndRH.exe
  C:\Windows\System32\UaIndRH.exe
  2⤵
  PID:10152
- C:\Windows\System32\tZUiogc.exe
  C:\Windows\System32\tZUiogc.exe
  2⤵
  PID:10180
- C:\Windows\System32\rurQsKh.exe
  C:\Windows\System32\rurQsKh.exe
  2⤵
  PID:10208
- C:\Windows\System32\IEAbzpq.exe
  C:\Windows\System32\IEAbzpq.exe
  2⤵
  PID:10228
- C:\Windows\System32\LXWNyrp.exe
  C:\Windows\System32\LXWNyrp.exe
  2⤵
  PID:9252
- C:\Windows\System32\QcdlGzN.exe
  C:\Windows\System32\QcdlGzN.exe
  2⤵
  PID:9268
- C:\Windows\System32\PseBABw.exe
  C:\Windows\System32\PseBABw.exe
  2⤵
  PID:9336
- C:\Windows\System32\zhpRFOQ.exe
  C:\Windows\System32\zhpRFOQ.exe
  2⤵
  PID:9384
- C:\Windows\System32\AFQwCHZ.exe
  C:\Windows\System32\AFQwCHZ.exe
  2⤵
  PID:9460
- C:\Windows\System32\UqqTmTR.exe
  C:\Windows\System32\UqqTmTR.exe
  2⤵
  PID:9476
- C:\Windows\System32\ybwtRGd.exe
  C:\Windows\System32\ybwtRGd.exe
  2⤵
  PID:9536
- C:\Windows\System32\RUmJPLN.exe
  C:\Windows\System32\RUmJPLN.exe
  2⤵
  PID:9688
- C:\Windows\System32\VvrQtJx.exe
  C:\Windows\System32\VvrQtJx.exe
  2⤵
  PID:9772
- C:\Windows\System32\RJuPZcf.exe
  C:\Windows\System32\RJuPZcf.exe
  2⤵
  PID:9884
- C:\Windows\System32\AFtKjHs.exe
  C:\Windows\System32\AFtKjHs.exe
  2⤵
  PID:9940
- C:\Windows\System32\PsBMWkr.exe
  C:\Windows\System32\PsBMWkr.exe
  2⤵
  PID:10032
- C:\Windows\System32\uLZpOfB.exe
  C:\Windows\System32\uLZpOfB.exe
  2⤵
  PID:10052
- C:\Windows\System32\tQCmdsL.exe
  C:\Windows\System32\tQCmdsL.exe
  2⤵
  PID:10132
- C:\Windows\System32\QmrDgZk.exe
  C:\Windows\System32\QmrDgZk.exe
  2⤵
  PID:10176
- C:\Windows\System32\RiPgQRG.exe
  C:\Windows\System32\RiPgQRG.exe
  2⤵
  PID:9296
- C:\Windows\System32\dOPwjXy.exe
  C:\Windows\System32\dOPwjXy.exe
  2⤵
  PID:9320
- C:\Windows\System32\ADFPOMu.exe
  C:\Windows\System32\ADFPOMu.exe
  2⤵
  PID:9428
- C:\Windows\System32\MGTtJYN.exe
  C:\Windows\System32\MGTtJYN.exe
  2⤵
  PID:9648
- C:\Windows\System32\iqkWAjx.exe
  C:\Windows\System32\iqkWAjx.exe
  2⤵
  PID:9828
- C:\Windows\System32\NQQDBwi.exe
  C:\Windows\System32\NQQDBwi.exe
  2⤵
  PID:10048
- C:\Windows\System32\mdXtFba.exe
  C:\Windows\System32\mdXtFba.exe
  2⤵
  PID:10164
- C:\Windows\System32\TYVeOVM.exe
  C:\Windows\System32\TYVeOVM.exe
  2⤵
  PID:9444
- C:\Windows\System32\VjZkyrE.exe
  C:\Windows\System32\VjZkyrE.exe
  2⤵
  PID:9616
- C:\Windows\System32\JzkOtdh.exe
  C:\Windows\System32\JzkOtdh.exe
  2⤵
  PID:9944
- C:\Windows\System32\tsJrJfe.exe
  C:\Windows\System32\tsJrJfe.exe
  2⤵
  PID:9272
- C:\Windows\System32\eWhKZiZ.exe
  C:\Windows\System32\eWhKZiZ.exe
  2⤵
  PID:9752
- C:\Windows\System32\YTJjYhS.exe
  C:\Windows\System32\YTJjYhS.exe
  2⤵
  PID:10248
- C:\Windows\System32\lAuuPRC.exe
  C:\Windows\System32\lAuuPRC.exe
  2⤵
  PID:10272
- C:\Windows\System32\YuOOtnC.exe
  C:\Windows\System32\YuOOtnC.exe
  2⤵
  PID:10308
- C:\Windows\System32\cwRaKDH.exe
  C:\Windows\System32\cwRaKDH.exe
  2⤵
  PID:10336
- C:\Windows\System32\CReeaaO.exe
  C:\Windows\System32\CReeaaO.exe
  2⤵
  PID:10376
- C:\Windows\System32\BWtWyih.exe
  C:\Windows\System32\BWtWyih.exe
  2⤵
  PID:10416
- C:\Windows\System32\ZUzcIco.exe
  C:\Windows\System32\ZUzcIco.exe
  2⤵
  PID:10448
- C:\Windows\System32\cGsQEod.exe
  C:\Windows\System32\cGsQEod.exe
  2⤵
  PID:10472
- C:\Windows\System32\eNQKOwq.exe
  C:\Windows\System32\eNQKOwq.exe
  2⤵
  PID:10512
- C:\Windows\System32\yUwthaf.exe
  C:\Windows\System32\yUwthaf.exe
  2⤵
  PID:10536
- C:\Windows\System32\LNMIgVw.exe
  C:\Windows\System32\LNMIgVw.exe
  2⤵
  PID:10564
- C:\Windows\System32\EbjZwyj.exe
  C:\Windows\System32\EbjZwyj.exe
  2⤵
  PID:10580
- C:\Windows\System32\PuCWSuw.exe
  C:\Windows\System32\PuCWSuw.exe
  2⤵
  PID:10616
- C:\Windows\System32\XhWHsfY.exe
  C:\Windows\System32\XhWHsfY.exe
  2⤵
  PID:10644
- C:\Windows\System32\dpYANZx.exe
  C:\Windows\System32\dpYANZx.exe
  2⤵
  PID:10664
- C:\Windows\System32\idpTyuh.exe
  C:\Windows\System32\idpTyuh.exe
  2⤵
  PID:10684
- C:\Windows\System32\IsdpYiM.exe
  C:\Windows\System32\IsdpYiM.exe
  2⤵
  PID:10700
- C:\Windows\System32\kWCryja.exe
  C:\Windows\System32\kWCryja.exe
  2⤵
  PID:10728
- C:\Windows\System32\CAEtJSM.exe
  C:\Windows\System32\CAEtJSM.exe
  2⤵
  PID:10820
- C:\Windows\System32\nJTBtaP.exe
  C:\Windows\System32\nJTBtaP.exe
  2⤵
  PID:10844
- C:\Windows\System32\MbiUMGf.exe
  C:\Windows\System32\MbiUMGf.exe
  2⤵
  PID:10876
- C:\Windows\System32\PivRKXG.exe
  C:\Windows\System32\PivRKXG.exe
  2⤵
  PID:10896
- C:\Windows\System32\ygATOui.exe
  C:\Windows\System32\ygATOui.exe
  2⤵
  PID:10916
- C:\Windows\System32\stTbCwg.exe
  C:\Windows\System32\stTbCwg.exe
  2⤵
  PID:10936
- C:\Windows\System32\bzyfJKZ.exe
  C:\Windows\System32\bzyfJKZ.exe
  2⤵
  PID:10952
- C:\Windows\System32\NqDAnav.exe
  C:\Windows\System32\NqDAnav.exe
  2⤵
  PID:10972
- C:\Windows\System32\ysDQNOQ.exe
  C:\Windows\System32\ysDQNOQ.exe
  2⤵
  PID:11052
- C:\Windows\System32\PeqAgLY.exe
  C:\Windows\System32\PeqAgLY.exe
  2⤵
  PID:11096
- C:\Windows\System32\WmhQRTP.exe
  C:\Windows\System32\WmhQRTP.exe
  2⤵
  PID:11124
- C:\Windows\System32\jqqKCpv.exe
  C:\Windows\System32\jqqKCpv.exe
  2⤵
  PID:11156
- C:\Windows\System32\DhxTwNK.exe
  C:\Windows\System32\DhxTwNK.exe
  2⤵
  PID:11184
- C:\Windows\System32\iaZxOWI.exe
  C:\Windows\System32\iaZxOWI.exe
  2⤵
  PID:11208
- C:\Windows\System32\tqfPyLW.exe
  C:\Windows\System32\tqfPyLW.exe
  2⤵
  PID:11224
- C:\Windows\System32\BMMCnCT.exe
  C:\Windows\System32\BMMCnCT.exe
  2⤵
  PID:11244
- C:\Windows\System32\CEDlXrZ.exe
  C:\Windows\System32\CEDlXrZ.exe
  2⤵
  PID:11260
- C:\Windows\System32\IVDAfIT.exe
  C:\Windows\System32\IVDAfIT.exe
  2⤵
  PID:10268
- C:\Windows\System32\asguUpt.exe
  C:\Windows\System32\asguUpt.exe
  2⤵
  PID:10348
- C:\Windows\System32\VJrRkBX.exe
  C:\Windows\System32\VJrRkBX.exe
  2⤵
  PID:10392
- C:\Windows\System32\nlGIVnH.exe
  C:\Windows\System32\nlGIVnH.exe
  2⤵
  PID:10492
- C:\Windows\System32\KMsHwxU.exe
  C:\Windows\System32\KMsHwxU.exe
  2⤵
  PID:10544
- C:\Windows\System32\XnCHfgd.exe
  C:\Windows\System32\XnCHfgd.exe
  2⤵
  PID:10612
- C:\Windows\System32\suYiUvc.exe
  C:\Windows\System32\suYiUvc.exe
  2⤵
  PID:10708
- C:\Windows\System32\vwncmAH.exe
  C:\Windows\System32\vwncmAH.exe
  2⤵
  PID:10792
- C:\Windows\System32\BySvUoz.exe
  C:\Windows\System32\BySvUoz.exe
  2⤵
  PID:10888
- C:\Windows\System32\gHnBupE.exe
  C:\Windows\System32\gHnBupE.exe
  2⤵
  PID:10932
- C:\Windows\System32\BgdJqGq.exe
  C:\Windows\System32\BgdJqGq.exe
  2⤵
  PID:11024
- C:\Windows\System32\UpVnjzK.exe
  C:\Windows\System32\UpVnjzK.exe
  2⤵
  PID:11072
- C:\Windows\System32\egbzgqn.exe
  C:\Windows\System32\egbzgqn.exe
  2⤵
  PID:11148
- C:\Windows\System32\RHfYsQn.exe
  C:\Windows\System32\RHfYsQn.exe
  2⤵
  PID:11216
- C:\Windows\System32\LQCSmXQ.exe
  C:\Windows\System32\LQCSmXQ.exe
  2⤵
  PID:10332
- C:\Windows\System32\vTHblLA.exe
  C:\Windows\System32\vTHblLA.exe
  2⤵
  PID:10384
- C:\Windows\System32\ARWJMac.exe
  C:\Windows\System32\ARWJMac.exe
  2⤵
  PID:10572
- C:\Windows\System32\ddhBpoN.exe
  C:\Windows\System32\ddhBpoN.exe
  2⤵
  PID:10788
- C:\Windows\System32\jwBzElq.exe
  C:\Windows\System32\jwBzElq.exe
  2⤵
  PID:11004
- C:\Windows\System32\cESNkMP.exe
  C:\Windows\System32\cESNkMP.exe
  2⤵
  PID:11136
- C:\Windows\System32\NiAmKXC.exe
  C:\Windows\System32\NiAmKXC.exe
  2⤵
  PID:11240
- C:\Windows\System32\ZvUDMpA.exe
  C:\Windows\System32\ZvUDMpA.exe
  2⤵
  PID:10088
- C:\Windows\System32\XYpkKkR.exe
  C:\Windows\System32\XYpkKkR.exe
  2⤵
  PID:10428
- C:\Windows\System32\yIgPTak.exe
  C:\Windows\System32\yIgPTak.exe
  2⤵
  PID:11180
- C:\Windows\System32\IFwZZCP.exe
  C:\Windows\System32\IFwZZCP.exe
  2⤵
  PID:10556
- C:\Windows\System32\SeIIuGs.exe
  C:\Windows\System32\SeIIuGs.exe
  2⤵
  PID:10752
- C:\Windows\System32\vovDWXd.exe
  C:\Windows\System32\vovDWXd.exe
  2⤵
  PID:11312
- C:\Windows\System32\HcYhAhT.exe
  C:\Windows\System32\HcYhAhT.exe
  2⤵
  PID:11352
- C:\Windows\System32\tIIVFMP.exe
  C:\Windows\System32\tIIVFMP.exe
  2⤵
  PID:11380
- C:\Windows\System32\TjrPImF.exe
  C:\Windows\System32\TjrPImF.exe
  2⤵
  PID:11416
- C:\Windows\System32\hpyfAyH.exe
  C:\Windows\System32\hpyfAyH.exe
  2⤵
  PID:11464
- C:\Windows\System32\KrykzMh.exe
  C:\Windows\System32\KrykzMh.exe
  2⤵
  PID:11500
- C:\Windows\System32\oPyJqxi.exe
  C:\Windows\System32\oPyJqxi.exe
  2⤵
  PID:11536
- C:\Windows\System32\WOEEdbv.exe
  C:\Windows\System32\WOEEdbv.exe
  2⤵
  PID:11564
- C:\Windows\System32\dWZagHq.exe
  C:\Windows\System32\dWZagHq.exe
  2⤵
  PID:11588
- C:\Windows\System32\yfrTCrh.exe
  C:\Windows\System32\yfrTCrh.exe
  2⤵
  PID:11612
- C:\Windows\System32\QTIqSCs.exe
  C:\Windows\System32\QTIqSCs.exe
  2⤵
  PID:11640
- C:\Windows\System32\GPbSdvI.exe
  C:\Windows\System32\GPbSdvI.exe
  2⤵
  PID:11688
- C:\Windows\System32\vyZqFMY.exe
  C:\Windows\System32\vyZqFMY.exe
  2⤵
  PID:11716
- C:\Windows\System32\lBwaXeT.exe
  C:\Windows\System32\lBwaXeT.exe
  2⤵
  PID:11748
- C:\Windows\System32\pZfPFWR.exe
  C:\Windows\System32\pZfPFWR.exe
  2⤵
  PID:11780
- C:\Windows\System32\dLyLpYL.exe
  C:\Windows\System32\dLyLpYL.exe
  2⤵
  PID:11800
- C:\Windows\System32\IWUKLdy.exe
  C:\Windows\System32\IWUKLdy.exe
  2⤵
  PID:11848
- C:\Windows\System32\oxMiHtW.exe
  C:\Windows\System32\oxMiHtW.exe
  2⤵
  PID:11864
- C:\Windows\System32\TDCdrpQ.exe
  C:\Windows\System32\TDCdrpQ.exe
  2⤵
  PID:11884
- C:\Windows\System32\xFxCpVY.exe
  C:\Windows\System32\xFxCpVY.exe
  2⤵
  PID:11900
- C:\Windows\System32\pBzhjzO.exe
  C:\Windows\System32\pBzhjzO.exe
  2⤵
  PID:11924
- C:\Windows\System32\FkKeDyD.exe
  C:\Windows\System32\FkKeDyD.exe
  2⤵
  PID:11976
- C:\Windows\System32\vPAqTxx.exe
  C:\Windows\System32\vPAqTxx.exe
  2⤵
  PID:12028
- C:\Windows\System32\AwaVLrg.exe
  C:\Windows\System32\AwaVLrg.exe
  2⤵
  PID:12048
- C:\Windows\System32\YGQZywm.exe
  C:\Windows\System32\YGQZywm.exe
  2⤵
  PID:12080
- C:\Windows\System32\ETEBEJe.exe
  C:\Windows\System32\ETEBEJe.exe
  2⤵
  PID:12116
- C:\Windows\System32\yhhDZKf.exe
  C:\Windows\System32\yhhDZKf.exe
  2⤵
  PID:12144
- C:\Windows\System32\ugzxqwF.exe
  C:\Windows\System32\ugzxqwF.exe
  2⤵
  PID:12176
- C:\Windows\System32\njmUvwM.exe
  C:\Windows\System32\njmUvwM.exe
  2⤵
  PID:12232
- C:\Windows\System32\BKIvfda.exe
  C:\Windows\System32\BKIvfda.exe
  2⤵
  PID:12260
- C:\Windows\System32\ixovqGe.exe
  C:\Windows\System32\ixovqGe.exe
  2⤵
  PID:10980
- C:\Windows\System32\yIIFhOT.exe
  C:\Windows\System32\yIIFhOT.exe
  2⤵
  PID:11332
- C:\Windows\System32\AUONoIF.exe
  C:\Windows\System32\AUONoIF.exe
  2⤵
  PID:11448
- C:\Windows\System32\mMZUwEp.exe
  C:\Windows\System32\mMZUwEp.exe
  2⤵
  PID:11576
- C:\Windows\System32\fjjNWfH.exe
  C:\Windows\System32\fjjNWfH.exe
  2⤵
  PID:11628
- C:\Windows\System32\WUoTyGJ.exe
  C:\Windows\System32\WUoTyGJ.exe
  2⤵
  PID:11700
- C:\Windows\System32\Qssocrp.exe
  C:\Windows\System32\Qssocrp.exe
  2⤵
  PID:11744
- C:\Windows\System32\lJsCIJb.exe
  C:\Windows\System32\lJsCIJb.exe
  2⤵
  PID:11816
- C:\Windows\System32\RFZZjDo.exe
  C:\Windows\System32\RFZZjDo.exe
  2⤵
  PID:11856
- C:\Windows\System32\iiArhoJ.exe
  C:\Windows\System32\iiArhoJ.exe
  2⤵
  PID:11932
- C:\Windows\System32\wyGeZAf.exe
  C:\Windows\System32\wyGeZAf.exe
  2⤵
  PID:12040
- C:\Windows\System32\bKRDHYM.exe
  C:\Windows\System32\bKRDHYM.exe
  2⤵
  PID:12156
- C:\Windows\System32\kGiAlMC.exe
  C:\Windows\System32\kGiAlMC.exe
  2⤵
  PID:12244
- C:\Windows\System32\LxBmsZl.exe
  C:\Windows\System32\LxBmsZl.exe
  2⤵
  PID:11284
- C:\Windows\System32\yJHHOnz.exe
  C:\Windows\System32\yJHHOnz.exe
  2⤵
  PID:11400
- C:\Windows\System32\YDnDtcC.exe
  C:\Windows\System32\YDnDtcC.exe
  2⤵
  PID:2176
- C:\Windows\System32\VeglZUE.exe
  C:\Windows\System32\VeglZUE.exe
  2⤵
  PID:11756
- C:\Windows\System32\YvncdDH.exe
  C:\Windows\System32\YvncdDH.exe
  2⤵
  PID:11828
- C:\Windows\System32\yEYaKoV.exe
  C:\Windows\System32\yEYaKoV.exe
  2⤵
  PID:12016
- C:\Windows\System32\IxiIGkZ.exe
  C:\Windows\System32\IxiIGkZ.exe
  2⤵
  PID:12216
- C:\Windows\System32\SxsSVkS.exe
  C:\Windows\System32\SxsSVkS.exe
  2⤵
  PID:10840
- C:\Windows\System32\sOmaQma.exe
  C:\Windows\System32\sOmaQma.exe
  2⤵
  PID:11684
- C:\Windows\System32\rqTSjzg.exe
  C:\Windows\System32\rqTSjzg.exe
  2⤵
  PID:12124
- C:\Windows\System32\YfGrBBO.exe
  C:\Windows\System32\YfGrBBO.exe
  2⤵
  PID:11736
- C:\Windows\System32\EvzguJm.exe
  C:\Windows\System32\EvzguJm.exe
  2⤵
  PID:11908
- C:\Windows\System32\HOeFCPp.exe
  C:\Windows\System32\HOeFCPp.exe
  2⤵
  PID:12308
- C:\Windows\System32\idwLfJq.exe
  C:\Windows\System32\idwLfJq.exe
  2⤵
  PID:12332
- C:\Windows\System32\rdFzZVb.exe
  C:\Windows\System32\rdFzZVb.exe
  2⤵
  PID:12360
- C:\Windows\System32\knjGDDY.exe
  C:\Windows\System32\knjGDDY.exe
  2⤵
  PID:12384
- C:\Windows\System32\cgqnicF.exe
  C:\Windows\System32\cgqnicF.exe
  2⤵
  PID:12400
- C:\Windows\System32\mDOvMsR.exe
  C:\Windows\System32\mDOvMsR.exe
  2⤵
  PID:12420
- C:\Windows\System32\IGJEOKG.exe
  C:\Windows\System32\IGJEOKG.exe
  2⤵
  PID:12444
- C:\Windows\System32\KeNlufp.exe
  C:\Windows\System32\KeNlufp.exe
  2⤵
  PID:12512
- C:\Windows\System32\FDPjOMN.exe
  C:\Windows\System32\FDPjOMN.exe
  2⤵
  PID:12532
- C:\Windows\System32\sZzYiDN.exe
  C:\Windows\System32\sZzYiDN.exe
  2⤵
  PID:12560
- C:\Windows\System32\eiQfspn.exe
  C:\Windows\System32\eiQfspn.exe
  2⤵
  PID:12588
- C:\Windows\System32\WLpGhZW.exe
  C:\Windows\System32\WLpGhZW.exe
  2⤵
  PID:12620
- C:\Windows\System32\NmavPAw.exe
  C:\Windows\System32\NmavPAw.exe
  2⤵
  PID:12648
- C:\Windows\System32\HMyKCqR.exe
  C:\Windows\System32\HMyKCqR.exe
  2⤵
  PID:12676
- C:\Windows\System32\rwhIVsV.exe
  C:\Windows\System32\rwhIVsV.exe
  2⤵
  PID:12708
- C:\Windows\System32\tWUEgip.exe
  C:\Windows\System32\tWUEgip.exe
  2⤵
  PID:12728
- C:\Windows\System32\HYsYZgh.exe
  C:\Windows\System32\HYsYZgh.exe
  2⤵
  PID:12756
- C:\Windows\System32\CNmwYdr.exe
  C:\Windows\System32\CNmwYdr.exe
  2⤵
  PID:12788
- C:\Windows\System32\UeYrTrK.exe
  C:\Windows\System32\UeYrTrK.exe
  2⤵
  PID:12804
- C:\Windows\System32\uuDqFrg.exe
  C:\Windows\System32\uuDqFrg.exe
  2⤵
  PID:12828
- C:\Windows\System32\vZCTzIm.exe
  C:\Windows\System32\vZCTzIm.exe
  2⤵
  PID:12844
- C:\Windows\System32\Wqaitqq.exe
  C:\Windows\System32\Wqaitqq.exe
  2⤵
  PID:12904
- C:\Windows\System32\hvbCPau.exe
  C:\Windows\System32\hvbCPau.exe
  2⤵
  PID:12920
- C:\Windows\System32\vRsVBpx.exe
  C:\Windows\System32\vRsVBpx.exe
  2⤵
  PID:12948
- C:\Windows\System32\NStAgJs.exe
  C:\Windows\System32\NStAgJs.exe
  2⤵
  PID:12964
- C:\Windows\System32\UmrKkMo.exe
  C:\Windows\System32\UmrKkMo.exe
  2⤵
  PID:12988
- C:\Windows\System32\EVxxXXS.exe
  C:\Windows\System32\EVxxXXS.exe
  2⤵
  PID:13044
- C:\Windows\System32\unvqwbZ.exe
  C:\Windows\System32\unvqwbZ.exe
  2⤵
  PID:13080
- C:\Windows\System32\lKrEhmr.exe
  C:\Windows\System32\lKrEhmr.exe
  2⤵
  PID:13108
- C:\Windows\System32\LKYeDGT.exe
  C:\Windows\System32\LKYeDGT.exe
  2⤵
  PID:13124
- C:\Windows\System32\nxPWSab.exe
  C:\Windows\System32\nxPWSab.exe
  2⤵
  PID:13148
- C:\Windows\System32\jJlIest.exe
  C:\Windows\System32\jJlIest.exe
  2⤵
  PID:13188
- C:\Windows\System32\XeIQiob.exe
  C:\Windows\System32\XeIQiob.exe
  2⤵
  PID:13220
- C:\Windows\System32\tJCdoDt.exe
  C:\Windows\System32\tJCdoDt.exe
  2⤵
  PID:13240
- C:\Windows\System32\lWBUjJd.exe
  C:\Windows\System32\lWBUjJd.exe
  2⤵
  PID:13264
- C:\Windows\System32\qHWicXr.exe
  C:\Windows\System32\qHWicXr.exe
  2⤵
  PID:12296
- C:\Windows\System32\aoWMBNU.exe
  C:\Windows\System32\aoWMBNU.exe
  2⤵
  PID:12348
- C:\Windows\System32\oOFCvpW.exe
  C:\Windows\System32\oOFCvpW.exe
  2⤵
  PID:12432
- C:\Windows\System32\eaBxOcA.exe
  C:\Windows\System32\eaBxOcA.exe
  2⤵
  PID:12492
- C:\Windows\System32\ysfHGDL.exe
  C:\Windows\System32\ysfHGDL.exe
  2⤵
  PID:12464
- C:\Windows\System32\sHuCtVU.exe
  C:\Windows\System32\sHuCtVU.exe
  2⤵
  PID:12608
- C:\Windows\System32\yxKJkdm.exe
  C:\Windows\System32\yxKJkdm.exe
  2⤵
  PID:12660
- C:\Windows\System32\YfZEapm.exe
  C:\Windows\System32\YfZEapm.exe
  2⤵
  PID:12724
- C:\Windows\System32\fFIwqpL.exe
  C:\Windows\System32\fFIwqpL.exe
  2⤵
  PID:12764
- C:\Windows\System32\qACEgjC.exe
  C:\Windows\System32\qACEgjC.exe
  2⤵
  PID:12796
- C:\Windows\System32\uxXNanH.exe
  C:\Windows\System32\uxXNanH.exe
  2⤵
  PID:12868
- C:\Windows\System32\PEdqQHV.exe
  C:\Windows\System32\PEdqQHV.exe
  2⤵
  PID:12892
- C:\Windows\System32\WMTiyVA.exe
  C:\Windows\System32\WMTiyVA.exe
  2⤵
  PID:12960
- C:\Windows\System32\gFeTbeR.exe
  C:\Windows\System32\gFeTbeR.exe
  2⤵
  PID:13052
- C:\Windows\System32\zLurQJL.exe
  C:\Windows\System32\zLurQJL.exe
  2⤵
  PID:13136
- C:\Windows\System32\eSAbnPU.exe
  C:\Windows\System32\eSAbnPU.exe
  2⤵
  PID:13160
- C:\Windows\System32\rWjQezA.exe
  C:\Windows\System32\rWjQezA.exe
  2⤵
  PID:13208
- C:\Windows\System32\ILxRHuw.exe
  C:\Windows\System32\ILxRHuw.exe
  2⤵
  PID:12356

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AzTUpPl.exe

Filesize
949KB

MD5
e0df5691c87fe7e816ba21b98a690562

SHA1
5f065dd1edaaa002f698707e02da7e67b67ac7a0

SHA256
3063ad1a77327a5cbf89cb8971b77e3f1e38d49533b95aea26ebb09cdfa76936

SHA512
56ca21829e5d13a92f517d93f5c1238f014eebf4aef1dacd2eb71b4b7647fd5e3ae2c9f0bcb67601774217eaa2fa767eb0e602f89c427c098c780f9b4015d8de

Download Submit
C:\Windows\System32\AzbHlyl.exe

Filesize
943KB

MD5
08a914170c79764e693805bf90ef7fb2

SHA1
9a53a193ca91002d38ffdaf07437666314eee7b3

SHA256
a85513163cec2c49263f2440b3af90bf7481b56a4db1487cc0c0b7edcb342143

SHA512
6c4c636a42378244ac57a92b43ec97f219269618a6dab764ab4109c4981f95bfa920fbced4cb564aa8634ab8aa45fd76de3c9e67f82ca39c7c2feb064fb731e8

Download Submit
C:\Windows\System32\EKUXtyh.exe

Filesize
950KB

MD5
0ac3c9649cb69836398376445b7e3beb

SHA1
83364bb9dc0e030075382f453132ec0b75779ac1

SHA256
ef74aee5088de1b36d862dd4c7b2fc8a8ad4890e1354de2a2c9072ece65ed09c

SHA512
d9c6ee2370d40a4a6861c43f57e5aa9d7eebc0e0896b873ee0e4f06c917fb73da8570eb6a17ebab1086f28dae4e6a5c1de21de7aaa0c43aae257a3a23aba9336

Download Submit
C:\Windows\System32\HzQePwE.exe

Filesize
947KB

MD5
5a44027d9d25f70ed446688123110a02

SHA1
a958b8a5dd842b9e7aa98fc05d4b7c9c01eb2f9b

SHA256
34378cf2a091f8fb2448c33872fe5011dc3aea26d4639a37f8c37f43f428b2c1

SHA512
2a7cb0468ad5854f88159b132e2e0343441d59093c19d0744f4de80ace6b249bed7dfda33dd7063009bc2f0553cca8325569fa88cc6969f252e0493e97a74180

Download Submit
C:\Windows\System32\IjoIzlL.exe

Filesize
946KB

MD5
1941d8bb9a397a0aafbfbdfbf4ab248d

SHA1
dead2ae615f12e704e50a8a7ae07d4a8ddbe2e29

SHA256
10a3bf9e60c42c3c0a718df903eab36a6b202fe5e99eee9b9cc9e2d9d999b53d

SHA512
298784d9667c72e35fcb5fd29ae2ac7a69f8b45d7cffdcbd658fbad46ad99bde9d171d12342527a0dd0eea3b3f5b08641e64625bd40f17483110af102eb58982

Download Submit
C:\Windows\System32\IjuMlGf.exe

Filesize
947KB

MD5
5d8e3f1fb8af5069202dd4c92d72b80b

SHA1
a9134292a3e9909feca7a37addd630e85db7f21a

SHA256
e4b604fe49d1023bed6681fdb36f8ec307dd697c34412d3788be139f560c1590

SHA512
3ed779912d3ce4c2c5f0a24fbdc7286b9b31eefa32ad217dc4c484d5a705fd188acf0938bd8b3bbd822b173679b9225273eed6a1c79d562dc5c1bab971ccb5ef

Download Submit
C:\Windows\System32\JBFHBMy.exe

Filesize
943KB

MD5
949beb74339b0f68c7c2e07703950c89

SHA1
8c0509d931a12027ebd6df59ab9ccb0fa04f77ae

SHA256
5441be0a32c1c0b91d491bb6f227a2a59bfa7959d4bf03a8b86977e72bcd8a83

SHA512
b5152f8bcfe4faea33ba0c230d76934d3be3fec8a2f9f5046ea29864ec5174134b58e8b3cb97d641c0d6bdef3d9f1db5146a9dcc047245faab915036a6936c7f

Download Submit
C:\Windows\System32\OuiEAde.exe

Filesize
948KB

MD5
025b9aefb94d869beba89a2599390a4a

SHA1
1d9c1f1d44db7a8c4724805ab2273a0c517d3cc2

SHA256
d07400d23c336edc51e1fc433ca85533882b24fa0809ff274e7639772b47aabc

SHA512
a821ece9e6b6bf5e87074b7f3c5514ec69d48b74d1657477a3f7abcacf60ce985fc9ef31ef42de96b15cb661f79bf7f8490343e9b9ba926ed0a5c1dce881032e

Download Submit
C:\Windows\System32\QLfwapf.exe

Filesize
946KB

MD5
0858eb3e9aad063dd3bc9a9e6d3e2fee

SHA1
c8f64b17a460362c1e47b409dcb523c65315d501

SHA256
74d9905334f1529ebdbf01607ddb9ea798024ebf133e7809e95522fae267bab6

SHA512
25e4fb12c20590b4a8f87aae1659dd4f174a9fdc447993578654a7cdfa3c011e1146dc4c7fe2e2f91b1a618af2d1f7749f8c3e5ad9939d9b2e1f0f287da3a463

Download Submit
C:\Windows\System32\RLAJQDI.exe

Filesize
948KB

MD5
ee4ef8eaf35bdccdb956f5a5cded7967

SHA1
0c8eefb98d9b40c095017bef814eb2c9b69ac8c9

SHA256
7f3677d8ff21e64bc039a35365a8a8d1a3688e92b5da340ac2a3880c0bd5cff0

SHA512
ecc3839f7ebe7f3d9e6c19e99b86cf59f87e3069486ec9501ef04492b0e3ce4660d04a0f6509db2f836cbaa79aa096105b21ed06865b3bb7af02b25d6d0aec99

Download Submit
C:\Windows\System32\Rihdqpj.exe

Filesize
943KB

MD5
89169ade3b4849e8d635d545998595e0

SHA1
ee0eceb0e830113a62846f7a776f96635e6cfda1

SHA256
4ba528b19df764af62117a9e04f2656582fbc20a63829cf37df67754d42a6205

SHA512
abca2bed66955881087e4173bd9348060595d9f928df2678cd75875683b6141dc9d4485f99a5063c7cdb70349dc00136982093aa612b09e8a30e19f58c37a935

Download Submit
C:\Windows\System32\STEgZzH.exe

Filesize
946KB

MD5
5481bb43ae83e72c1026365521553183

SHA1
3587b77f29514e1b042164260e3d30ce98cbe867

SHA256
02313e0ba436d5f839bf86bb5d2ad61bc19b86301c9bf246faa13124e6fcd143

SHA512
6898326a2c4039189d4cb19530e04562964287d67c21850fa5d39dba9a372f9a68792fe800b9f575db157fcad1ce676669d97c93a1a76b7119f35fdd128f9170

Download Submit
C:\Windows\System32\VJpCqft.exe

Filesize
948KB

MD5
e78937d53b1f0c9b01e8cc746d79baea

SHA1
474d9f109ce677dc6e13ee029f7f1c51f6f4456e

SHA256
545229b3cb929cfd2dccc9398aa94f3d1bba5dc68ea1fd5b98a7c71990a44177

SHA512
cc01a89a8d9a84d3917643938c6a81bc279b386b148c41e5ea963f2b5319f5203eed8139fcc448f52bf6f3a8eaba4e74efe08928f4204491e418a51f8b31aecb

Download Submit
C:\Windows\System32\VfrbNsq.exe

Filesize
945KB

MD5
75d4babef7d93a11a94fbf7326ec5267

SHA1
8aeb9b051708d277ddd5295ee8853a7551ea62f8

SHA256
2f7b6a61e4571b80cd3ecfa2529a6c9a26ae28547dcaeeba01efa73fea8fa5ce

SHA512
8530de124eb9cccb8f6be491338a3eef8735920ca1909e2eac27a35d6c782bc5eb8523ce4710dd1c4b64a08b148618784704b8d60fb389a2df0c9f8c843c3cbc

Download Submit
C:\Windows\System32\WWZyDaz.exe

Filesize
944KB

MD5
f8fd3966941acfe7ffa0f15b32ee67fb

SHA1
071233d5b82708f3a8402ef8633318f35ad1ba08

SHA256
c5bc661405af72315dac4bdf697c02bd0dd1edcf93dd2794b335a652392c548e

SHA512
19aeadd0b45963d88e3e84361c4013db1645c13c970ec0887ba920fc74c1a2c58575bcaa2e365006e19db790da8a38aa7bef75d0b58de67716ae7e549ca20dfa

Download Submit
C:\Windows\System32\YGCQJkc.exe

Filesize
945KB

MD5
4bb37a42156ba60360b58dc141a54a72

SHA1
99e216feca8a60bf825046141319a563e6f8a10a

SHA256
669024de4203300ce1b61bf769bef4e247598d7b614884c78970acca743b35a8

SHA512
667e75b9e4ec0ece0e50dbca662c3f308b4e0488ba0926f97cf248f8484c0ff9ef54be17edb633548a9f95d78e91183f9abcd6deef987e17aeb0eb29910856fc

Download Submit
C:\Windows\System32\ZkfvEaO.exe

Filesize
950KB

MD5
0fee762b9f151c7ead7fdff48e6aefce

SHA1
e1f28f4abbda3aa9b0a00926d3966524bacf719a

SHA256
dca705a02ec3b5451b67dd4fc0bba3a29d0974b9814c76e53d0033cca720966b

SHA512
52a3ff1daeb0fb591498a60549ffed9fc8197d51d1bd55c36c9790d1f82c21688c87e71f98bbce47a857627ef3e8e8ff42ed670eb4ecff3ca70a7ba7f4615ff4

Download Submit
C:\Windows\System32\aINSDXB.exe

Filesize
945KB

MD5
0fb0f6037eec8c800807edd7e172f8ab

SHA1
9ba96fbec50b1a04c0fc1e76998658e35ff16559

SHA256
e7e8b92a6aade7ad9df92ad6e3d0a9d662452d1bcec4711be1560d4e54ae9879

SHA512
e5b49dc3c23ef8bf0f8fcb8fc35cfa02096115a6d927a8f9d06958ba0dd040ceafe19134a82bd1eab3fc71ed2e7fda3012cb08c136fb47ea93f12a6695005bec

Download Submit
C:\Windows\System32\bTmwHRl.exe

Filesize
944KB

MD5
33142179dc14ceea147b39a4a31fc12a

SHA1
4b8807a983c2c4d5d9b036aff29e3af378a453eb

SHA256
be9a185de60e8d2828a868391c97c6f0be77d6f8ecec8b503f5b8453bc6a190f

SHA512
0221d151635c9a219577f4f104d046845b40d564f2994a0bbdd3464701bb8c76e8afdd8676ac1cd70ec7786f8b9ca8cbe0bdc947d41930c3d14f076bd63fe2fa

Download Submit
C:\Windows\System32\eQwviVo.exe

Filesize
944KB

MD5
ef009be5f615c6c66392148858b3c387

SHA1
618a70663be6b35f2c428288a4b2d082cf80e72c

SHA256
a1d12c7acf45e36aad1ccf660a89789a8e1e44d4ca234a3d57b82b6427de2c1d

SHA512
072755003ef4feecd0165cfd751edff97b741a1bad48911e54124d9736487b8b3cf24a2d78b878323456930058c6147565c9fa4f0314aeac7932553aa1164ec2

Download Submit
C:\Windows\System32\gmiUECB.exe

Filesize
948KB

MD5
6e1904552ed4469a76a7855d3f8fbca9

SHA1
a6d1e852fc3d185840e6fdb14d11bb9bc90d2d93

SHA256
8221a8dc60a663b9ff3928020e52597faa9d850b32429835adf317e626c36b6d

SHA512
a55926f10315f3939768e95bf9ed40c623c582b64112aaf807d34a58a679474ae44156bc1ae7b7231325a2fa652700444f38e249853b8cc4f49232222001bb53

Download Submit
C:\Windows\System32\irjkrpp.exe

Filesize
945KB

MD5
3ec58d113fdefd99452097c0dadbe73c

SHA1
48b927935be67b92189a7befcdf73c54f4906c26

SHA256
d8c5dc7cf19d6999d178680be7bd2f612d9ee2e0c0ae382ea830033973d77d5b

SHA512
ea0d9a4bb55ba5aebc6138b92131d630a3e193d6305f12ae1ed6071b60381411378ce528fd95d42a388ddc5a62dd26ed2528a5b0741fd556036e19d5f4ec51d9

Download Submit
C:\Windows\System32\ixMPkeR.exe

Filesize
949KB

MD5
f09088dc90b0c984f952f0bd20625c9d

SHA1
c52938d4010f8c411aa66f8d558f45c56ff81741

SHA256
76388e9618150f0c6427bcdc3009c2397deffba18b932f1bcd9e9bcf27102aec

SHA512
e87a509866bd978b3188f20313dadf97e70d86b840b005ac1c9da7eef2dc4a8cc98066295f5960ae3bd0186d5608bed295bf9cb9b53b7626e01d72bad996adf1

Download Submit
C:\Windows\System32\ixYIeyy.exe

Filesize
946KB

MD5
0d5fee60dbd4ada9f3994b19fd808d48

SHA1
91f6343f800a7ba7c7dfb03dbb71c9bf0eb207fe

SHA256
402ddaa9aeb0a7d8c1c93545095945da4fd3aa22ba21cc2d8b3d373fd3cee760

SHA512
914cd9a97ca3d3002b5aade62856c8d8a61dca04b1c1e146640a54e5a72e13b9785d47100d59f7bb98ece9dcccb1c21efac83e6a61370d2a143e66efdd4a36ae

Download Submit
C:\Windows\System32\kFSMDGH.exe

Filesize
945KB

MD5
749d89885ec6652549b33d8024f99c04

SHA1
727c9ae4c43d8f50863cba082e21f6fa5b229b79

SHA256
f366e9b93251b2dd80bffcf7e97cff306fb0e3032f98701e197d820010c42fc0

SHA512
1042c22ef8de844597ea5212c16da0f7aff746256a275f33f9f1bef40c4c6c1d3c544274d5573af389bb7ffea25c66014609995f61b263582d5b367ee3936696

Download Submit
C:\Windows\System32\lBHQeIT.exe

Filesize
950KB

MD5
6c420a828ee32df2cfdb71427b84e133

SHA1
7ebb014aa2354cf8eb63ba974c9695c59be1ec2b

SHA256
d2ccc54472415bba752095447fe7c36d6ce1c26810a9032c0581ece1e90136cb

SHA512
45103ee2adea7e077d288745b9921b0a6e1350885612c0169110977094f2333b7c072a7afbc6e062f4187046662cc58a0df109ef6d6c383b8f491d90f51bb681

Download Submit
C:\Windows\System32\mMbMuse.exe

Filesize
943KB

MD5
94032cde2e95ee42084d2547f205a32f

SHA1
173ce795eac9253643f088de8cc5d7b6d6563a4e

SHA256
3094de4b80469b27c4d7c8cda97d2fcaf06c6035403f45272ceb4cd4a2ea0b81

SHA512
ac53a09ee5aed1b13262662ff2cead73cab977892447b120f1126b344fb18f87eab7390201abb069bdbea6db2e21e2208c3bea7beae3ec1a73c2830075e5ddca

Download Submit
C:\Windows\System32\mraGcZb.exe

Filesize
944KB

MD5
ce88bcb312d446eb132b225cd1506367

SHA1
65461653bc875cf6df10426a6aa5658ec9947cee

SHA256
d27fcd3ede63c00bc69e808724f25559a3bed0e2ca322db10ed3ff42e673f1dc

SHA512
be470da83542ffae53bd83dc6993101493f588b77d9e942ad62998b4a1bcbd88aa73b231fb40c4d99f3d8fa49d4a917c2c423256bb4a562889c3fe2134b56af8

Download Submit
C:\Windows\System32\qjqLLdN.exe

Filesize
949KB

MD5
6078bde6c5c3a07e04eb83be2e521884

SHA1
1c3ce1b837a5d32be1a7bed79f2101f38951ec1f

SHA256
d4780f680fe92dc808fb88a2ae7f0a85b4d910463ea9bac5acbeadab16b2e254

SHA512
add0f90e6835b8a7b58f861c436c21f10c36346b6e56c5aaf190a70199a0132171fc3e563f5d7cf0c51ba1ded905b9ba032def24d0dde9edeff9002af3873523

Download Submit
C:\Windows\System32\sZnbyaR.exe

Filesize
949KB

MD5
35e691c2b37d6761745586437c58a1d2

SHA1
81b3e795869da8dc4afce95cc9ccbc7f68f2f407

SHA256
6a2521de2b48647617353d6c5b4160fa0cb124b40c1ef9b5889553399470bddd

SHA512
5df6e9f7235e61bef8de8b8fc85c6e5cc0793a4bfe1ce4b3ecb7e34043e5754a2626ecf8b106d28b7bc5c362e77ef4ab3039dab6d37ec96155bc80f53a2623bd

Download Submit
C:\Windows\System32\veagCOT.exe

Filesize
947KB

MD5
c25735e02b7721289806be1c89819cfb

SHA1
bb5fa85db4359bedcfb8a8d664a4bcbdcc938af2

SHA256
0e85b2f62c78dff4348dc30e203cdeaebb11e64c4a001eb538e3674367940f5d

SHA512
1b92f4816314377339251228fda846c6fd92c9b5ad616d3bbac9319eb987b7b84fe86fc1c30f8f7b4e3758ad6631f6f245667ee1e5db2f70d4d1f77bb9b3db6a

Download Submit
C:\Windows\System32\yDFVARW.exe

Filesize
947KB

MD5
47e3ff5569a3b6a39df694b2be6ca10a

SHA1
133615ea9f7207e9d8447818f7c477a05f43c0df

SHA256
88fd8025bb41725032909948aa2e57d4ab12a728844e761fff2cf6a222a355ff

SHA512
a741225460f12bc30458a497a11653b0d8cbce424a234538646c0c37d431236c60879436c2acd064780cea351f02f498633356dc3e398846496407aa1bc0d90b

Download Submit
memory/924-47-0x00007FF7F55B0000-0x00007FF7F59A1000-memory.dmp

Filesize
3.9MB

Download
memory/924-2008-0x00007FF7F55B0000-0x00007FF7F59A1000-memory.dmp

Filesize
3.9MB

Download
memory/1008-34-0x00007FF6E7200000-0x00007FF6E75F1000-memory.dmp

Filesize
3.9MB

Download
memory/1008-1953-0x00007FF6E7200000-0x00007FF6E75F1000-memory.dmp

Filesize
3.9MB

Download
memory/1008-2007-0x00007FF6E7200000-0x00007FF6E75F1000-memory.dmp

Filesize
3.9MB

Download
memory/1084-84-0x00007FF74CF80000-0x00007FF74D371000-memory.dmp

Filesize
3.9MB

Download
memory/1084-2044-0x00007FF74CF80000-0x00007FF74D371000-memory.dmp

Filesize
3.9MB

Download
memory/1084-1988-0x00007FF74CF80000-0x00007FF74D371000-memory.dmp

Filesize
3.9MB

Download
memory/1268-2040-0x00007FF669E30000-0x00007FF66A221000-memory.dmp

Filesize
3.9MB

Download
memory/1268-76-0x00007FF669E30000-0x00007FF66A221000-memory.dmp

Filesize
3.9MB

Download
memory/1612-2012-0x00007FF69CA50000-0x00007FF69CE41000-memory.dmp

Filesize
3.9MB

Download
memory/1612-48-0x00007FF69CA50000-0x00007FF69CE41000-memory.dmp

Filesize
3.9MB

Download
memory/1612-1987-0x00007FF69CA50000-0x00007FF69CE41000-memory.dmp

Filesize
3.9MB

Download
memory/2560-329-0x00007FF6C1D00000-0x00007FF6C20F1000-memory.dmp

Filesize
3.9MB

Download
memory/2560-2062-0x00007FF6C1D00000-0x00007FF6C20F1000-memory.dmp

Filesize
3.9MB

Download
memory/2580-2048-0x00007FF6164C0000-0x00007FF6168B1000-memory.dmp

Filesize
3.9MB

Download
memory/2580-1989-0x00007FF6164C0000-0x00007FF6168B1000-memory.dmp

Filesize
3.9MB

Download
memory/2580-90-0x00007FF6164C0000-0x00007FF6168B1000-memory.dmp

Filesize
3.9MB

Download
memory/2760-319-0x00007FF765B30000-0x00007FF765F21000-memory.dmp

Filesize
3.9MB

Download
memory/2760-2046-0x00007FF765B30000-0x00007FF765F21000-memory.dmp

Filesize
3.9MB

Download
memory/2824-2054-0x00007FF60CF90000-0x00007FF60D381000-memory.dmp

Filesize
3.9MB

Download
memory/2824-307-0x00007FF60CF90000-0x00007FF60D381000-memory.dmp

Filesize
3.9MB

Download
memory/2856-2070-0x00007FF7F6E40000-0x00007FF7F7231000-memory.dmp

Filesize
3.9MB

Download
memory/2856-313-0x00007FF7F6E40000-0x00007FF7F7231000-memory.dmp

Filesize
3.9MB

Download
memory/2904-27-0x00007FF610220000-0x00007FF610611000-memory.dmp

Filesize
3.9MB

Download
memory/2904-2004-0x00007FF610220000-0x00007FF610611000-memory.dmp

Filesize
3.9MB

Download
memory/2968-308-0x00007FF7F6100000-0x00007FF7F64F1000-memory.dmp

Filesize
3.9MB

Download
memory/2968-2056-0x00007FF7F6100000-0x00007FF7F64F1000-memory.dmp

Filesize
3.9MB

Download
memory/3148-2060-0x00007FF6E0B20000-0x00007FF6E0F11000-memory.dmp

Filesize
3.9MB

Download
memory/3148-309-0x00007FF6E0B20000-0x00007FF6E0F11000-memory.dmp

Filesize
3.9MB

Download
memory/3416-2050-0x00007FF69B420000-0x00007FF69B811000-memory.dmp

Filesize
3.9MB

Download
memory/3416-320-0x00007FF69B420000-0x00007FF69B811000-memory.dmp

Filesize
3.9MB

Download
memory/3652-92-0x00007FF68B4F0000-0x00007FF68B8E1000-memory.dmp

Filesize
3.9MB

Download
memory/3652-2042-0x00007FF68B4F0000-0x00007FF68B8E1000-memory.dmp

Filesize
3.9MB

Download
memory/3776-14-0x00007FF7F3ED0000-0x00007FF7F42C1000-memory.dmp

Filesize
3.9MB

Download
memory/3776-2000-0x00007FF7F3ED0000-0x00007FF7F42C1000-memory.dmp

Filesize
3.9MB

Download
memory/3896-2064-0x00007FF7F5AA0000-0x00007FF7F5E91000-memory.dmp

Filesize
3.9MB

Download
memory/3896-312-0x00007FF7F5AA0000-0x00007FF7F5E91000-memory.dmp

Filesize
3.9MB

Download
memory/3948-2058-0x00007FF6E3790000-0x00007FF6E3B81000-memory.dmp

Filesize
3.9MB

Download
memory/3948-324-0x00007FF6E3790000-0x00007FF6E3B81000-memory.dmp

Filesize
3.9MB

Download
memory/4512-2067-0x00007FF788380000-0x00007FF788771000-memory.dmp

Filesize
3.9MB

Download
memory/4512-311-0x00007FF788380000-0x00007FF788771000-memory.dmp

Filesize
3.9MB

Download
memory/4612-2052-0x00007FF6453A0000-0x00007FF645791000-memory.dmp

Filesize
3.9MB

Download
memory/4612-306-0x00007FF6453A0000-0x00007FF645791000-memory.dmp

Filesize
3.9MB

Download
memory/4628-7-0x00007FF708D30000-0x00007FF709121000-memory.dmp

Filesize
3.9MB

Download
memory/4628-1447-0x00007FF708D30000-0x00007FF709121000-memory.dmp

Filesize
3.9MB

Download
memory/4628-1998-0x00007FF708D30000-0x00007FF709121000-memory.dmp

Filesize
3.9MB

Download
memory/4724-1952-0x00007FF61A1F0000-0x00007FF61A5E1000-memory.dmp

Filesize
3.9MB

Download
memory/4724-2002-0x00007FF61A1F0000-0x00007FF61A5E1000-memory.dmp

Filesize
3.9MB

Download
memory/4724-20-0x00007FF61A1F0000-0x00007FF61A5E1000-memory.dmp

Filesize
3.9MB

Download
memory/4728-2072-0x00007FF71F510000-0x00007FF71F901000-memory.dmp

Filesize
3.9MB

Download
memory/4728-310-0x00007FF71F510000-0x00007FF71F901000-memory.dmp

Filesize
3.9MB

Download
memory/4736-43-0x00007FF73D9C0000-0x00007FF73DDB1000-memory.dmp

Filesize
3.9MB

Download
memory/4736-1954-0x00007FF73D9C0000-0x00007FF73DDB1000-memory.dmp

Filesize
3.9MB

Download
memory/4736-2010-0x00007FF73D9C0000-0x00007FF73DDB1000-memory.dmp

Filesize
3.9MB

Download
memory/4792-1-0x000001638F780000-0x000001638F790000-memory.dmp

Filesize
64KB

Download
memory/4792-1991-0x00007FF6C3F80000-0x00007FF6C4371000-memory.dmp

Filesize
3.9MB

Download
memory/4792-0-0x00007FF6C3F80000-0x00007FF6C4371000-memory.dmp

Filesize
3.9MB

Download
memory/4792-975-0x00007FF6C3F80000-0x00007FF6C4371000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads