xmrig | 56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c

Analysis

max time kernel
134s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 21:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
Size

1.2MB
MD5

bc0e6ee2a5f4eb852c18836b0a041610
SHA1

19f091d932accad2e11fc0c194aa978c67d53813
SHA256

56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c
SHA512

c82d7bb57cca9fdbc3ae547f169c705e143903db89ce056de163ad79e3050729552f452b337d6c81bcd13424dfe8e6777f87d3d4cf11de264750fc16dee56d11
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbcjFNtbbB6CP:knw9oUUEEDlGUJ8Y9cvtjP

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/5108-415-0x00007FF7B2B70000-0x00007FF7B2F61000-memory.dmp	xmrig
behavioral2/memory/1776-416-0x00007FF6B4990000-0x00007FF6B4D81000-memory.dmp	xmrig
behavioral2/memory/2256-417-0x00007FF6AF800000-0x00007FF6AFBF1000-memory.dmp	xmrig
behavioral2/memory/4164-421-0x00007FF65C110000-0x00007FF65C501000-memory.dmp	xmrig
behavioral2/memory/1180-423-0x00007FF7C3F90000-0x00007FF7C4381000-memory.dmp	xmrig
behavioral2/memory/4460-428-0x00007FF6BFFB0000-0x00007FF6C03A1000-memory.dmp	xmrig
behavioral2/memory/4488-440-0x00007FF64FAB0000-0x00007FF64FEA1000-memory.dmp	xmrig
behavioral2/memory/2476-453-0x00007FF728CE0000-0x00007FF7290D1000-memory.dmp	xmrig
behavioral2/memory/4696-458-0x00007FF6B26A0000-0x00007FF6B2A91000-memory.dmp	xmrig
behavioral2/memory/1292-463-0x00007FF7E3230000-0x00007FF7E3621000-memory.dmp	xmrig
behavioral2/memory/3028-466-0x00007FF6A6910000-0x00007FF6A6D01000-memory.dmp	xmrig
behavioral2/memory/4724-470-0x00007FF690840000-0x00007FF690C31000-memory.dmp	xmrig
behavioral2/memory/4112-471-0x00007FF722E70000-0x00007FF723261000-memory.dmp	xmrig
behavioral2/memory/4588-475-0x00007FF684F60000-0x00007FF685351000-memory.dmp	xmrig
behavioral2/memory/1540-478-0x00007FF697BD0000-0x00007FF697FC1000-memory.dmp	xmrig
behavioral2/memory/4168-476-0x00007FF75F2A0000-0x00007FF75F691000-memory.dmp	xmrig
behavioral2/memory/1616-474-0x00007FF6B97C0000-0x00007FF6B9BB1000-memory.dmp	xmrig
behavioral2/memory/4956-469-0x00007FF710710000-0x00007FF710B01000-memory.dmp	xmrig
behavioral2/memory/1876-467-0x00007FF6BEC20000-0x00007FF6BF011000-memory.dmp	xmrig
behavioral2/memory/2160-464-0x00007FF6B08B0000-0x00007FF6B0CA1000-memory.dmp	xmrig
behavioral2/memory/3740-460-0x00007FF754010000-0x00007FF754401000-memory.dmp	xmrig
behavioral2/memory/4432-449-0x00007FF779850000-0x00007FF779C41000-memory.dmp	xmrig
behavioral2/memory/1192-431-0x00007FF651910000-0x00007FF651D01000-memory.dmp	xmrig
behavioral2/memory/412-1955-0x00007FF6B4850000-0x00007FF6B4C41000-memory.dmp	xmrig
behavioral2/memory/5108-1956-0x00007FF7B2B70000-0x00007FF7B2F61000-memory.dmp	xmrig
behavioral2/memory/412-1962-0x00007FF6B4850000-0x00007FF6B4C41000-memory.dmp	xmrig
behavioral2/memory/5108-1964-0x00007FF7B2B70000-0x00007FF7B2F61000-memory.dmp	xmrig
behavioral2/memory/1540-1970-0x00007FF697BD0000-0x00007FF697FC1000-memory.dmp	xmrig
behavioral2/memory/1776-1966-0x00007FF6B4990000-0x00007FF6B4D81000-memory.dmp	xmrig
behavioral2/memory/2476-1986-0x00007FF728CE0000-0x00007FF7290D1000-memory.dmp	xmrig
behavioral2/memory/3740-1990-0x00007FF754010000-0x00007FF754401000-memory.dmp	xmrig
behavioral2/memory/2160-1992-0x00007FF6B08B0000-0x00007FF6B0CA1000-memory.dmp	xmrig
behavioral2/memory/3028-1994-0x00007FF6A6910000-0x00007FF6A6D01000-memory.dmp	xmrig
behavioral2/memory/4724-2004-0x00007FF690840000-0x00007FF690C31000-memory.dmp	xmrig
behavioral2/memory/1616-2008-0x00007FF6B97C0000-0x00007FF6B9BB1000-memory.dmp	xmrig
behavioral2/memory/4168-2006-0x00007FF75F2A0000-0x00007FF75F691000-memory.dmp	xmrig
behavioral2/memory/4112-2002-0x00007FF722E70000-0x00007FF723261000-memory.dmp	xmrig
behavioral2/memory/4956-2000-0x00007FF710710000-0x00007FF710B01000-memory.dmp	xmrig
behavioral2/memory/1876-1998-0x00007FF6BEC20000-0x00007FF6BF011000-memory.dmp	xmrig
behavioral2/memory/4588-1996-0x00007FF684F60000-0x00007FF685351000-memory.dmp	xmrig
behavioral2/memory/1292-1988-0x00007FF7E3230000-0x00007FF7E3621000-memory.dmp	xmrig
behavioral2/memory/4488-1982-0x00007FF64FAB0000-0x00007FF64FEA1000-memory.dmp	xmrig
behavioral2/memory/4696-1984-0x00007FF6B26A0000-0x00007FF6B2A91000-memory.dmp	xmrig
behavioral2/memory/1192-1980-0x00007FF651910000-0x00007FF651D01000-memory.dmp	xmrig
behavioral2/memory/4432-1978-0x00007FF779850000-0x00007FF779C41000-memory.dmp	xmrig
behavioral2/memory/4164-1976-0x00007FF65C110000-0x00007FF65C501000-memory.dmp	xmrig
behavioral2/memory/4460-1972-0x00007FF6BFFB0000-0x00007FF6C03A1000-memory.dmp	xmrig
behavioral2/memory/2256-1968-0x00007FF6AF800000-0x00007FF6AFBF1000-memory.dmp	xmrig
behavioral2/memory/1180-1974-0x00007FF7C3F90000-0x00007FF7C4381000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
412	VllRicH.exe
5108	WlCeMYZ.exe
1540	CcFzVWr.exe
1776	uOSiqXn.exe
2256	cSEQZzR.exe
4164	pfYcNJx.exe
1180	kNIgiKp.exe
4460	LjEeKcO.exe
1192	PkCuxyP.exe
4488	xnUhKXS.exe
4432	qiQDMZH.exe
2476	hXFjHhP.exe
4696	IXTqaoP.exe
3740	AmdgTVQ.exe
1292	qGZGCTl.exe
2160	sFjQgzJ.exe
3028	OVTuPkF.exe
1876	vssaWhH.exe
4956	NrNQHcL.exe
4724	fUMyOFn.exe
4112	TAciOIU.exe
1616	JnvwVtB.exe
4588	jnObVOs.exe
4168	PvsOLJQ.exe
4000	RkIMohF.exe
4644	QUzdFia.exe
3292	tlBvyBF.exe
4012	FmSVQYO.exe
1172	nIIdLmr.exe
4860	lhnzWwr.exe
3928	ddKpIoX.exe
1580	fWMHwzY.exe
3776	dGXKvHX.exe
384	TLPmTXP.exe
2800	XhsXjGj.exe
1832	gOaZTOb.exe
4544	iYLengP.exe
4852	hCnSHEw.exe
1040	OdgLnHV.exe
4748	QSVhTrQ.exe
3708	rYkJVJJ.exe
2372	wkccdpM.exe
4044	wgKLvFm.exe
3180	kkxLfdc.exe
2012	IuQNLGe.exe
2848	rsAWThL.exe
2764	lHoAUuM.exe
1356	ZmJQPLf.exe
4872	KjAkeaS.exe
4364	phLzqZg.exe
4340	mPlmzGr.exe
2992	ZKxqJba.exe
1404	CpvexvN.exe
2180	MmGnCyB.exe
1928	ERTNNQm.exe
1236	OAifMwc.exe
4944	ltMcYne.exe
1020	PZWCTFN.exe
1516	SOLUMuM.exe
1864	tnYaZDW.exe
2272	hBKFmNh.exe
3760	nHjoVpc.exe
2084	vGEokNX.exe
416	BTrWnRH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/816-0-0x00007FF7683F0000-0x00007FF7687E1000-memory.dmp	upx
behavioral2/files/0x0009000000023488-5.dat	upx
behavioral2/files/0x00080000000234df-10.dat	upx
behavioral2/files/0x00070000000234e3-20.dat	upx
behavioral2/files/0x00070000000234e5-27.dat	upx
behavioral2/files/0x00070000000234e8-42.dat	upx
behavioral2/files/0x00070000000234e9-47.dat	upx
behavioral2/files/0x00070000000234eb-55.dat	upx
behavioral2/files/0x00070000000234ec-62.dat	upx
behavioral2/files/0x00070000000234ef-77.dat	upx
behavioral2/files/0x00070000000234f1-90.dat	upx
behavioral2/files/0x00070000000234f6-112.dat	upx
behavioral2/files/0x00070000000234ff-157.dat	upx
behavioral2/memory/5108-415-0x00007FF7B2B70000-0x00007FF7B2F61000-memory.dmp	upx
behavioral2/memory/1776-416-0x00007FF6B4990000-0x00007FF6B4D81000-memory.dmp	upx
behavioral2/memory/2256-417-0x00007FF6AF800000-0x00007FF6AFBF1000-memory.dmp	upx
behavioral2/memory/4164-421-0x00007FF65C110000-0x00007FF65C501000-memory.dmp	upx
behavioral2/memory/1180-423-0x00007FF7C3F90000-0x00007FF7C4381000-memory.dmp	upx
behavioral2/memory/4460-428-0x00007FF6BFFB0000-0x00007FF6C03A1000-memory.dmp	upx
behavioral2/memory/4488-440-0x00007FF64FAB0000-0x00007FF64FEA1000-memory.dmp	upx
behavioral2/memory/2476-453-0x00007FF728CE0000-0x00007FF7290D1000-memory.dmp	upx
behavioral2/memory/4696-458-0x00007FF6B26A0000-0x00007FF6B2A91000-memory.dmp	upx
behavioral2/memory/1292-463-0x00007FF7E3230000-0x00007FF7E3621000-memory.dmp	upx
behavioral2/memory/3028-466-0x00007FF6A6910000-0x00007FF6A6D01000-memory.dmp	upx
behavioral2/memory/4724-470-0x00007FF690840000-0x00007FF690C31000-memory.dmp	upx
behavioral2/memory/4112-471-0x00007FF722E70000-0x00007FF723261000-memory.dmp	upx
behavioral2/memory/4588-475-0x00007FF684F60000-0x00007FF685351000-memory.dmp	upx
behavioral2/memory/1540-478-0x00007FF697BD0000-0x00007FF697FC1000-memory.dmp	upx
behavioral2/memory/4168-476-0x00007FF75F2A0000-0x00007FF75F691000-memory.dmp	upx
behavioral2/memory/1616-474-0x00007FF6B97C0000-0x00007FF6B9BB1000-memory.dmp	upx
behavioral2/memory/4956-469-0x00007FF710710000-0x00007FF710B01000-memory.dmp	upx
behavioral2/memory/1876-467-0x00007FF6BEC20000-0x00007FF6BF011000-memory.dmp	upx
behavioral2/memory/2160-464-0x00007FF6B08B0000-0x00007FF6B0CA1000-memory.dmp	upx
behavioral2/memory/3740-460-0x00007FF754010000-0x00007FF754401000-memory.dmp	upx
behavioral2/memory/4432-449-0x00007FF779850000-0x00007FF779C41000-memory.dmp	upx
behavioral2/memory/1192-431-0x00007FF651910000-0x00007FF651D01000-memory.dmp	upx
behavioral2/files/0x0007000000023500-162.dat	upx
behavioral2/files/0x00070000000234fe-152.dat	upx
behavioral2/files/0x00070000000234fd-147.dat	upx
behavioral2/files/0x00070000000234fc-142.dat	upx
behavioral2/files/0x00070000000234fb-137.dat	upx
behavioral2/files/0x00070000000234fa-132.dat	upx
behavioral2/files/0x00070000000234f9-127.dat	upx
behavioral2/files/0x00070000000234f8-122.dat	upx
behavioral2/files/0x00070000000234f7-120.dat	upx
behavioral2/files/0x00070000000234f5-107.dat	upx
behavioral2/files/0x00070000000234f4-105.dat	upx
behavioral2/files/0x00070000000234f3-100.dat	upx
behavioral2/files/0x00070000000234f2-95.dat	upx
behavioral2/files/0x00070000000234f0-82.dat	upx
behavioral2/files/0x00070000000234ee-72.dat	upx
behavioral2/files/0x00070000000234ed-67.dat	upx
behavioral2/files/0x00070000000234ea-52.dat	upx
behavioral2/files/0x00070000000234e7-37.dat	upx
behavioral2/files/0x00070000000234e6-32.dat	upx
behavioral2/files/0x00070000000234e4-25.dat	upx
behavioral2/memory/412-7-0x00007FF6B4850000-0x00007FF6B4C41000-memory.dmp	upx
behavioral2/memory/412-1955-0x00007FF6B4850000-0x00007FF6B4C41000-memory.dmp	upx
behavioral2/memory/5108-1956-0x00007FF7B2B70000-0x00007FF7B2F61000-memory.dmp	upx
behavioral2/memory/412-1962-0x00007FF6B4850000-0x00007FF6B4C41000-memory.dmp	upx
behavioral2/memory/5108-1964-0x00007FF7B2B70000-0x00007FF7B2F61000-memory.dmp	upx
behavioral2/memory/1540-1970-0x00007FF697BD0000-0x00007FF697FC1000-memory.dmp	upx
behavioral2/memory/1776-1966-0x00007FF6B4990000-0x00007FF6B4D81000-memory.dmp	upx
behavioral2/memory/2476-1986-0x00007FF728CE0000-0x00007FF7290D1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\GqWeyVc.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\EmkNukz.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\YsLepMK.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\NFLDfAF.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\ejZoeaw.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\VeNXDhz.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\eRfdPeA.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\wCWUwqO.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\LkLMLPo.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\KWHFhJG.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\oFKHcqW.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\ZmJQPLf.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\jxyGQzJ.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\YKqTZFg.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\NVWnjlE.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\IdLqYOH.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\cmOULjK.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\BELmbRU.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\TLQaVli.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\ZVyzheC.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\CoRYQBv.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\hBSVxoa.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\zrqxXNh.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\IFFbRhL.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\DejGDHG.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\EyiVtxF.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\SVWBIiV.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\CckWSav.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\QHEcEhO.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\Qqjoimj.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\ywTyJAL.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\UYlVLcz.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\gVdJLWt.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\gSvTgzu.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\vGEokNX.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\OAMxvVf.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\SKIKroN.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\FfbDSPp.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\cbQDKlD.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\SZlrLNG.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\kwdXWTY.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\FaeCXZy.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\zqUlonF.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\uSfVPXY.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\JwhriVX.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\gLkujFb.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\QiRNeBa.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\PuzIjMy.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\wSOfmOW.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\FpPOuVS.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\CtsYUSH.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\elSVInt.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\yPHawoW.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\bOuQYbS.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\tCTuFSL.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\sUwZXrJ.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\LHtzOAZ.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\agjbOEL.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\YTwnnpG.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\CYgfxdr.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\CalwTzK.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\mAlTmEz.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\RKFHaip.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
File created	C:\Windows\System32\Cyjodkm.exe	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4336	dwm.exe
Token: SeChangeNotifyPrivilege	4336	dwm.exe
Token: 33	4336	dwm.exe
Token: SeIncBasePriorityPrivilege	4336	dwm.exe
Token: SeShutdownPrivilege	4336	dwm.exe
Token: SeCreatePagefilePrivilege	4336	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 412	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	85
PID 816 wrote to memory of 412	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	85
PID 816 wrote to memory of 5108	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	86
PID 816 wrote to memory of 5108	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	86
PID 816 wrote to memory of 1540	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	87
PID 816 wrote to memory of 1540	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	87
PID 816 wrote to memory of 1776	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	88
PID 816 wrote to memory of 1776	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	88
PID 816 wrote to memory of 2256	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	89
PID 816 wrote to memory of 2256	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	89
PID 816 wrote to memory of 4164	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	90
PID 816 wrote to memory of 4164	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	90
PID 816 wrote to memory of 1180	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	91
PID 816 wrote to memory of 1180	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	91
PID 816 wrote to memory of 4460	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	92
PID 816 wrote to memory of 4460	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	92
PID 816 wrote to memory of 1192	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	93
PID 816 wrote to memory of 1192	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	93
PID 816 wrote to memory of 4488	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	94
PID 816 wrote to memory of 4488	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	94
PID 816 wrote to memory of 4432	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	95
PID 816 wrote to memory of 4432	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	95
PID 816 wrote to memory of 2476	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	96
PID 816 wrote to memory of 2476	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	96
PID 816 wrote to memory of 4696	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	97
PID 816 wrote to memory of 4696	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	97
PID 816 wrote to memory of 3740	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	98
PID 816 wrote to memory of 3740	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	98
PID 816 wrote to memory of 1292	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	99
PID 816 wrote to memory of 1292	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	99
PID 816 wrote to memory of 2160	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	100
PID 816 wrote to memory of 2160	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	100
PID 816 wrote to memory of 3028	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	101
PID 816 wrote to memory of 3028	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	101
PID 816 wrote to memory of 1876	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	102
PID 816 wrote to memory of 1876	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	102
PID 816 wrote to memory of 4956	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	103
PID 816 wrote to memory of 4956	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	103
PID 816 wrote to memory of 4724	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	104
PID 816 wrote to memory of 4724	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	104
PID 816 wrote to memory of 4112	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	105
PID 816 wrote to memory of 4112	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	105
PID 816 wrote to memory of 1616	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	106
PID 816 wrote to memory of 1616	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	106
PID 816 wrote to memory of 4588	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	107
PID 816 wrote to memory of 4588	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	107
PID 816 wrote to memory of 4168	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	108
PID 816 wrote to memory of 4168	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	108
PID 816 wrote to memory of 4000	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	109
PID 816 wrote to memory of 4000	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	109
PID 816 wrote to memory of 4644	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	110
PID 816 wrote to memory of 4644	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	110
PID 816 wrote to memory of 3292	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	111
PID 816 wrote to memory of 3292	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	111
PID 816 wrote to memory of 4012	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	112
PID 816 wrote to memory of 4012	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	112
PID 816 wrote to memory of 1172	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	113
PID 816 wrote to memory of 1172	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	113
PID 816 wrote to memory of 4860	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	114
PID 816 wrote to memory of 4860	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	114
PID 816 wrote to memory of 3928	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	115
PID 816 wrote to memory of 3928	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	115
PID 816 wrote to memory of 1580	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	116
PID 816 wrote to memory of 1580	816	56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe	116

C:\Users\Admin\AppData\Local\Temp\56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe
"C:\Users\Admin\AppData\Local\Temp\56d14eda71a64d6ff7823ed93c9142aa36b369d9150f7870a412fe761339157c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\System32\VllRicH.exe
  C:\Windows\System32\VllRicH.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System32\WlCeMYZ.exe
  C:\Windows\System32\WlCeMYZ.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System32\CcFzVWr.exe
  C:\Windows\System32\CcFzVWr.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\uOSiqXn.exe
  C:\Windows\System32\uOSiqXn.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System32\cSEQZzR.exe
  C:\Windows\System32\cSEQZzR.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System32\pfYcNJx.exe
  C:\Windows\System32\pfYcNJx.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System32\kNIgiKp.exe
  C:\Windows\System32\kNIgiKp.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System32\LjEeKcO.exe
  C:\Windows\System32\LjEeKcO.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\PkCuxyP.exe
  C:\Windows\System32\PkCuxyP.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System32\xnUhKXS.exe
  C:\Windows\System32\xnUhKXS.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\qiQDMZH.exe
  C:\Windows\System32\qiQDMZH.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\hXFjHhP.exe
  C:\Windows\System32\hXFjHhP.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System32\IXTqaoP.exe
  C:\Windows\System32\IXTqaoP.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\AmdgTVQ.exe
  C:\Windows\System32\AmdgTVQ.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\qGZGCTl.exe
  C:\Windows\System32\qGZGCTl.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\sFjQgzJ.exe
  C:\Windows\System32\sFjQgzJ.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System32\OVTuPkF.exe
  C:\Windows\System32\OVTuPkF.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\vssaWhH.exe
  C:\Windows\System32\vssaWhH.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System32\NrNQHcL.exe
  C:\Windows\System32\NrNQHcL.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\fUMyOFn.exe
  C:\Windows\System32\fUMyOFn.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\TAciOIU.exe
  C:\Windows\System32\TAciOIU.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System32\JnvwVtB.exe
  C:\Windows\System32\JnvwVtB.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System32\jnObVOs.exe
  C:\Windows\System32\jnObVOs.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\PvsOLJQ.exe
  C:\Windows\System32\PvsOLJQ.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System32\RkIMohF.exe
  C:\Windows\System32\RkIMohF.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System32\QUzdFia.exe
  C:\Windows\System32\QUzdFia.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\tlBvyBF.exe
  C:\Windows\System32\tlBvyBF.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\FmSVQYO.exe
  C:\Windows\System32\FmSVQYO.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System32\nIIdLmr.exe
  C:\Windows\System32\nIIdLmr.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System32\lhnzWwr.exe
  C:\Windows\System32\lhnzWwr.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\ddKpIoX.exe
  C:\Windows\System32\ddKpIoX.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System32\fWMHwzY.exe
  C:\Windows\System32\fWMHwzY.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System32\dGXKvHX.exe
  C:\Windows\System32\dGXKvHX.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\TLPmTXP.exe
  C:\Windows\System32\TLPmTXP.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System32\XhsXjGj.exe
  C:\Windows\System32\XhsXjGj.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\gOaZTOb.exe
  C:\Windows\System32\gOaZTOb.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System32\iYLengP.exe
  C:\Windows\System32\iYLengP.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\hCnSHEw.exe
  C:\Windows\System32\hCnSHEw.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\OdgLnHV.exe
  C:\Windows\System32\OdgLnHV.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System32\QSVhTrQ.exe
  C:\Windows\System32\QSVhTrQ.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System32\rYkJVJJ.exe
  C:\Windows\System32\rYkJVJJ.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\wkccdpM.exe
  C:\Windows\System32\wkccdpM.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System32\wgKLvFm.exe
  C:\Windows\System32\wgKLvFm.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\kkxLfdc.exe
  C:\Windows\System32\kkxLfdc.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System32\IuQNLGe.exe
  C:\Windows\System32\IuQNLGe.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System32\rsAWThL.exe
  C:\Windows\System32\rsAWThL.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System32\lHoAUuM.exe
  C:\Windows\System32\lHoAUuM.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\ZmJQPLf.exe
  C:\Windows\System32\ZmJQPLf.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System32\KjAkeaS.exe
  C:\Windows\System32\KjAkeaS.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\phLzqZg.exe
  C:\Windows\System32\phLzqZg.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System32\mPlmzGr.exe
  C:\Windows\System32\mPlmzGr.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\ZKxqJba.exe
  C:\Windows\System32\ZKxqJba.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System32\CpvexvN.exe
  C:\Windows\System32\CpvexvN.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System32\MmGnCyB.exe
  C:\Windows\System32\MmGnCyB.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System32\ERTNNQm.exe
  C:\Windows\System32\ERTNNQm.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System32\OAifMwc.exe
  C:\Windows\System32\OAifMwc.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System32\ltMcYne.exe
  C:\Windows\System32\ltMcYne.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\PZWCTFN.exe
  C:\Windows\System32\PZWCTFN.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System32\SOLUMuM.exe
  C:\Windows\System32\SOLUMuM.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System32\tnYaZDW.exe
  C:\Windows\System32\tnYaZDW.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System32\hBKFmNh.exe
  C:\Windows\System32\hBKFmNh.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System32\nHjoVpc.exe
  C:\Windows\System32\nHjoVpc.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System32\vGEokNX.exe
  C:\Windows\System32\vGEokNX.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System32\BTrWnRH.exe
  C:\Windows\System32\BTrWnRH.exe
  2⤵
  - Executes dropped EXE
  PID:416
- C:\Windows\System32\wtdttdK.exe
  C:\Windows\System32\wtdttdK.exe
  2⤵
  PID:5000
- C:\Windows\System32\QHEcEhO.exe
  C:\Windows\System32\QHEcEhO.exe
  2⤵
  PID:1620
- C:\Windows\System32\JTdGkkF.exe
  C:\Windows\System32\JTdGkkF.exe
  2⤵
  PID:1704
- C:\Windows\System32\NkHZcLv.exe
  C:\Windows\System32\NkHZcLv.exe
  2⤵
  PID:3104
- C:\Windows\System32\DejGDHG.exe
  C:\Windows\System32\DejGDHG.exe
  2⤵
  PID:2512
- C:\Windows\System32\IyPbTAi.exe
  C:\Windows\System32\IyPbTAi.exe
  2⤵
  PID:2676
- C:\Windows\System32\tukQklL.exe
  C:\Windows\System32\tukQklL.exe
  2⤵
  PID:2760
- C:\Windows\System32\XdPGNee.exe
  C:\Windows\System32\XdPGNee.exe
  2⤵
  PID:376
- C:\Windows\System32\OSYnfPC.exe
  C:\Windows\System32\OSYnfPC.exe
  2⤵
  PID:2260
- C:\Windows\System32\BsngICx.exe
  C:\Windows\System32\BsngICx.exe
  2⤵
  PID:2124
- C:\Windows\System32\kKPNhLq.exe
  C:\Windows\System32\kKPNhLq.exe
  2⤵
  PID:2316
- C:\Windows\System32\wFgMPiO.exe
  C:\Windows\System32\wFgMPiO.exe
  2⤵
  PID:4912
- C:\Windows\System32\tPkKMGj.exe
  C:\Windows\System32\tPkKMGj.exe
  2⤵
  PID:3168
- C:\Windows\System32\lpeTSrT.exe
  C:\Windows\System32\lpeTSrT.exe
  2⤵
  PID:4388
- C:\Windows\System32\wGlQVht.exe
  C:\Windows\System32\wGlQVht.exe
  2⤵
  PID:3004
- C:\Windows\System32\Qqjoimj.exe
  C:\Windows\System32\Qqjoimj.exe
  2⤵
  PID:2888
- C:\Windows\System32\REQyYPr.exe
  C:\Windows\System32\REQyYPr.exe
  2⤵
  PID:840
- C:\Windows\System32\ydnpPlA.exe
  C:\Windows\System32\ydnpPlA.exe
  2⤵
  PID:3728
- C:\Windows\System32\dCXRkXO.exe
  C:\Windows\System32\dCXRkXO.exe
  2⤵
  PID:2240
- C:\Windows\System32\ITMvTtV.exe
  C:\Windows\System32\ITMvTtV.exe
  2⤵
  PID:5124
- C:\Windows\System32\nRqnYCz.exe
  C:\Windows\System32\nRqnYCz.exe
  2⤵
  PID:5164
- C:\Windows\System32\jQYbBLJ.exe
  C:\Windows\System32\jQYbBLJ.exe
  2⤵
  PID:5180
- C:\Windows\System32\wyVjGND.exe
  C:\Windows\System32\wyVjGND.exe
  2⤵
  PID:5212
- C:\Windows\System32\lvfCOqC.exe
  C:\Windows\System32\lvfCOqC.exe
  2⤵
  PID:5240
- C:\Windows\System32\EmYxotM.exe
  C:\Windows\System32\EmYxotM.exe
  2⤵
  PID:5272
- C:\Windows\System32\aGyhUph.exe
  C:\Windows\System32\aGyhUph.exe
  2⤵
  PID:5296
- C:\Windows\System32\uFxpDzz.exe
  C:\Windows\System32\uFxpDzz.exe
  2⤵
  PID:5320
- C:\Windows\System32\YTwnnpG.exe
  C:\Windows\System32\YTwnnpG.exe
  2⤵
  PID:5360
- C:\Windows\System32\tyaZKcL.exe
  C:\Windows\System32\tyaZKcL.exe
  2⤵
  PID:5376
- C:\Windows\System32\iYvjAqz.exe
  C:\Windows\System32\iYvjAqz.exe
  2⤵
  PID:5416
- C:\Windows\System32\ywTyJAL.exe
  C:\Windows\System32\ywTyJAL.exe
  2⤵
  PID:5436
- C:\Windows\System32\EAoGFwU.exe
  C:\Windows\System32\EAoGFwU.exe
  2⤵
  PID:5460
- C:\Windows\System32\VFHnUXP.exe
  C:\Windows\System32\VFHnUXP.exe
  2⤵
  PID:5496
- C:\Windows\System32\ysMGCUo.exe
  C:\Windows\System32\ysMGCUo.exe
  2⤵
  PID:5516
- C:\Windows\System32\EvtYgRU.exe
  C:\Windows\System32\EvtYgRU.exe
  2⤵
  PID:5544
- C:\Windows\System32\JTshixl.exe
  C:\Windows\System32\JTshixl.exe
  2⤵
  PID:5572
- C:\Windows\System32\FINQVuG.exe
  C:\Windows\System32\FINQVuG.exe
  2⤵
  PID:5600
- C:\Windows\System32\YTfKjLu.exe
  C:\Windows\System32\YTfKjLu.exe
  2⤵
  PID:5628
- C:\Windows\System32\tKbtlAn.exe
  C:\Windows\System32\tKbtlAn.exe
  2⤵
  PID:5656
- C:\Windows\System32\pTCDssX.exe
  C:\Windows\System32\pTCDssX.exe
  2⤵
  PID:5684
- C:\Windows\System32\gqxFOcj.exe
  C:\Windows\System32\gqxFOcj.exe
  2⤵
  PID:5732
- C:\Windows\System32\srGbkqc.exe
  C:\Windows\System32\srGbkqc.exe
  2⤵
  PID:5752
- C:\Windows\System32\hhFwAtO.exe
  C:\Windows\System32\hhFwAtO.exe
  2⤵
  PID:5768
- C:\Windows\System32\FmfTCsP.exe
  C:\Windows\System32\FmfTCsP.exe
  2⤵
  PID:5796
- C:\Windows\System32\XdjOYJe.exe
  C:\Windows\System32\XdjOYJe.exe
  2⤵
  PID:5824
- C:\Windows\System32\uIczHBf.exe
  C:\Windows\System32\uIczHBf.exe
  2⤵
  PID:5852
- C:\Windows\System32\XtpvZzq.exe
  C:\Windows\System32\XtpvZzq.exe
  2⤵
  PID:5880
- C:\Windows\System32\pRdYehG.exe
  C:\Windows\System32\pRdYehG.exe
  2⤵
  PID:5904
- C:\Windows\System32\xQCcVQi.exe
  C:\Windows\System32\xQCcVQi.exe
  2⤵
  PID:5936
- C:\Windows\System32\CYgfxdr.exe
  C:\Windows\System32\CYgfxdr.exe
  2⤵
  PID:5964
- C:\Windows\System32\bSNxXpA.exe
  C:\Windows\System32\bSNxXpA.exe
  2⤵
  PID:5992
- C:\Windows\System32\bOuQYbS.exe
  C:\Windows\System32\bOuQYbS.exe
  2⤵
  PID:6016
- C:\Windows\System32\yMRDHYh.exe
  C:\Windows\System32\yMRDHYh.exe
  2⤵
  PID:6048
- C:\Windows\System32\WpIqfYL.exe
  C:\Windows\System32\WpIqfYL.exe
  2⤵
  PID:3748
- C:\Windows\System32\XZYACBh.exe
  C:\Windows\System32\XZYACBh.exe
  2⤵
  PID:1420
- C:\Windows\System32\VwPJilq.exe
  C:\Windows\System32\VwPJilq.exe
  2⤵
  PID:4176
- C:\Windows\System32\PTIoQhZ.exe
  C:\Windows\System32\PTIoQhZ.exe
  2⤵
  PID:4284
- C:\Windows\System32\ZLJODLJ.exe
  C:\Windows\System32\ZLJODLJ.exe
  2⤵
  PID:2292
- C:\Windows\System32\nbzWLHY.exe
  C:\Windows\System32\nbzWLHY.exe
  2⤵
  PID:896
- C:\Windows\System32\CgxibZq.exe
  C:\Windows\System32\CgxibZq.exe
  2⤵
  PID:5148
- C:\Windows\System32\JTOWXvw.exe
  C:\Windows\System32\JTOWXvw.exe
  2⤵
  PID:5228
- C:\Windows\System32\PqWKvAQ.exe
  C:\Windows\System32\PqWKvAQ.exe
  2⤵
  PID:5248
- C:\Windows\System32\tfjqCph.exe
  C:\Windows\System32\tfjqCph.exe
  2⤵
  PID:5304
- C:\Windows\System32\qXqRtQg.exe
  C:\Windows\System32\qXqRtQg.exe
  2⤵
  PID:5352
- C:\Windows\System32\VqKLXEo.exe
  C:\Windows\System32\VqKLXEo.exe
  2⤵
  PID:5484
- C:\Windows\System32\MjLaiOC.exe
  C:\Windows\System32\MjLaiOC.exe
  2⤵
  PID:4384
- C:\Windows\System32\wIRlkPZ.exe
  C:\Windows\System32\wIRlkPZ.exe
  2⤵
  PID:5616
- C:\Windows\System32\uzKWRpv.exe
  C:\Windows\System32\uzKWRpv.exe
  2⤵
  PID:5700
- C:\Windows\System32\iwWIuzq.exe
  C:\Windows\System32\iwWIuzq.exe
  2⤵
  PID:5792
- C:\Windows\System32\vZtcsrq.exe
  C:\Windows\System32\vZtcsrq.exe
  2⤵
  PID:5812
- C:\Windows\System32\viVRiPh.exe
  C:\Windows\System32\viVRiPh.exe
  2⤵
  PID:5864
- C:\Windows\System32\ydWKJjg.exe
  C:\Windows\System32\ydWKJjg.exe
  2⤵
  PID:1452
- C:\Windows\System32\VhESMHg.exe
  C:\Windows\System32\VhESMHg.exe
  2⤵
  PID:5948
- C:\Windows\System32\sltbopW.exe
  C:\Windows\System32\sltbopW.exe
  2⤵
  PID:3040
- C:\Windows\System32\yhWSChj.exe
  C:\Windows\System32\yhWSChj.exe
  2⤵
  PID:6004
- C:\Windows\System32\QnRjuOS.exe
  C:\Windows\System32\QnRjuOS.exe
  2⤵
  PID:2836
- C:\Windows\System32\xtFFkOC.exe
  C:\Windows\System32\xtFFkOC.exe
  2⤵
  PID:2176
- C:\Windows\System32\nhRLBhu.exe
  C:\Windows\System32\nhRLBhu.exe
  2⤵
  PID:5080
- C:\Windows\System32\XfLHbxI.exe
  C:\Windows\System32\XfLHbxI.exe
  2⤵
  PID:6132
- C:\Windows\System32\YSIYdGw.exe
  C:\Windows\System32\YSIYdGw.exe
  2⤵
  PID:1640
- C:\Windows\System32\ZfjvwtG.exe
  C:\Windows\System32\ZfjvwtG.exe
  2⤵
  PID:2684
- C:\Windows\System32\kgNPFZS.exe
  C:\Windows\System32\kgNPFZS.exe
  2⤵
  PID:4500
- C:\Windows\System32\oRtiiTP.exe
  C:\Windows\System32\oRtiiTP.exe
  2⤵
  PID:5372
- C:\Windows\System32\uCTdQdD.exe
  C:\Windows\System32\uCTdQdD.exe
  2⤵
  PID:5456
- C:\Windows\System32\DNIXiAY.exe
  C:\Windows\System32\DNIXiAY.exe
  2⤵
  PID:5672
- C:\Windows\System32\plTXwoy.exe
  C:\Windows\System32\plTXwoy.exe
  2⤵
  PID:5820
- C:\Windows\System32\CalwTzK.exe
  C:\Windows\System32\CalwTzK.exe
  2⤵
  PID:5932
- C:\Windows\System32\CiequbD.exe
  C:\Windows\System32\CiequbD.exe
  2⤵
  PID:6000
- C:\Windows\System32\UoDAEEM.exe
  C:\Windows\System32\UoDAEEM.exe
  2⤵
  PID:6060
- C:\Windows\System32\EyiVtxF.exe
  C:\Windows\System32\EyiVtxF.exe
  2⤵
  PID:4404
- C:\Windows\System32\BgNjqWT.exe
  C:\Windows\System32\BgNjqWT.exe
  2⤵
  PID:5332
- C:\Windows\System32\YsLepMK.exe
  C:\Windows\System32\YsLepMK.exe
  2⤵
  PID:5612
- C:\Windows\System32\fTvPCiA.exe
  C:\Windows\System32\fTvPCiA.exe
  2⤵
  PID:1572
- C:\Windows\System32\ATAfaLT.exe
  C:\Windows\System32\ATAfaLT.exe
  2⤵
  PID:3492
- C:\Windows\System32\ZPPBtzq.exe
  C:\Windows\System32\ZPPBtzq.exe
  2⤵
  PID:1692
- C:\Windows\System32\UyfdMCB.exe
  C:\Windows\System32\UyfdMCB.exe
  2⤵
  PID:6156
- C:\Windows\System32\uMWmImM.exe
  C:\Windows\System32\uMWmImM.exe
  2⤵
  PID:6184
- C:\Windows\System32\HoAWWKz.exe
  C:\Windows\System32\HoAWWKz.exe
  2⤵
  PID:6224
- C:\Windows\System32\xUXJyUA.exe
  C:\Windows\System32\xUXJyUA.exe
  2⤵
  PID:6240
- C:\Windows\System32\qcQehHL.exe
  C:\Windows\System32\qcQehHL.exe
  2⤵
  PID:6268
- C:\Windows\System32\TLQaVli.exe
  C:\Windows\System32\TLQaVli.exe
  2⤵
  PID:6296
- C:\Windows\System32\ERSIRAh.exe
  C:\Windows\System32\ERSIRAh.exe
  2⤵
  PID:6324
- C:\Windows\System32\SfctODF.exe
  C:\Windows\System32\SfctODF.exe
  2⤵
  PID:6352
- C:\Windows\System32\uSfVPXY.exe
  C:\Windows\System32\uSfVPXY.exe
  2⤵
  PID:6380
- C:\Windows\System32\SKIKroN.exe
  C:\Windows\System32\SKIKroN.exe
  2⤵
  PID:6408
- C:\Windows\System32\aJASwYu.exe
  C:\Windows\System32\aJASwYu.exe
  2⤵
  PID:6436
- C:\Windows\System32\uiQhKuQ.exe
  C:\Windows\System32\uiQhKuQ.exe
  2⤵
  PID:6464
- C:\Windows\System32\bcjUhtS.exe
  C:\Windows\System32\bcjUhtS.exe
  2⤵
  PID:6504
- C:\Windows\System32\xnOOPUA.exe
  C:\Windows\System32\xnOOPUA.exe
  2⤵
  PID:6520
- C:\Windows\System32\GRvaVga.exe
  C:\Windows\System32\GRvaVga.exe
  2⤵
  PID:6560
- C:\Windows\System32\TsUPMzE.exe
  C:\Windows\System32\TsUPMzE.exe
  2⤵
  PID:6576
- C:\Windows\System32\ICOwFfs.exe
  C:\Windows\System32\ICOwFfs.exe
  2⤵
  PID:6604
- C:\Windows\System32\ZxyOvKL.exe
  C:\Windows\System32\ZxyOvKL.exe
  2⤵
  PID:6632
- C:\Windows\System32\SDQXVeF.exe
  C:\Windows\System32\SDQXVeF.exe
  2⤵
  PID:6660
- C:\Windows\System32\zvFoztA.exe
  C:\Windows\System32\zvFoztA.exe
  2⤵
  PID:6700
- C:\Windows\System32\qQurnia.exe
  C:\Windows\System32\qQurnia.exe
  2⤵
  PID:6716
- C:\Windows\System32\agjbOEL.exe
  C:\Windows\System32\agjbOEL.exe
  2⤵
  PID:6756
- C:\Windows\System32\RBMLjou.exe
  C:\Windows\System32\RBMLjou.exe
  2⤵
  PID:6772
- C:\Windows\System32\YBvgRAE.exe
  C:\Windows\System32\YBvgRAE.exe
  2⤵
  PID:6800
- C:\Windows\System32\gCoitnd.exe
  C:\Windows\System32\gCoitnd.exe
  2⤵
  PID:6828
- C:\Windows\System32\SBVmcJk.exe
  C:\Windows\System32\SBVmcJk.exe
  2⤵
  PID:6856
- C:\Windows\System32\HpQJlZu.exe
  C:\Windows\System32\HpQJlZu.exe
  2⤵
  PID:6884
- C:\Windows\System32\uwXwSUh.exe
  C:\Windows\System32\uwXwSUh.exe
  2⤵
  PID:6916
- C:\Windows\System32\VebMNSm.exe
  C:\Windows\System32\VebMNSm.exe
  2⤵
  PID:6948
- C:\Windows\System32\IURSKVQ.exe
  C:\Windows\System32\IURSKVQ.exe
  2⤵
  PID:6968
- C:\Windows\System32\jxyGQzJ.exe
  C:\Windows\System32\jxyGQzJ.exe
  2⤵
  PID:6996
- C:\Windows\System32\EAAaErP.exe
  C:\Windows\System32\EAAaErP.exe
  2⤵
  PID:7024
- C:\Windows\System32\BxyoAcL.exe
  C:\Windows\System32\BxyoAcL.exe
  2⤵
  PID:7052
- C:\Windows\System32\WcqHVaP.exe
  C:\Windows\System32\WcqHVaP.exe
  2⤵
  PID:7080
- C:\Windows\System32\QOdYsIY.exe
  C:\Windows\System32\QOdYsIY.exe
  2⤵
  PID:7108
- C:\Windows\System32\KdhMRGc.exe
  C:\Windows\System32\KdhMRGc.exe
  2⤵
  PID:7136
- C:\Windows\System32\cijdluH.exe
  C:\Windows\System32\cijdluH.exe
  2⤵
  PID:5176
- C:\Windows\System32\UYlVLcz.exe
  C:\Windows\System32\UYlVLcz.exe
  2⤵
  PID:1368
- C:\Windows\System32\TdQmUPX.exe
  C:\Windows\System32\TdQmUPX.exe
  2⤵
  PID:6168
- C:\Windows\System32\mAlTmEz.exe
  C:\Windows\System32\mAlTmEz.exe
  2⤵
  PID:6236
- C:\Windows\System32\sYitamw.exe
  C:\Windows\System32\sYitamw.exe
  2⤵
  PID:6284
- C:\Windows\System32\XEuycNK.exe
  C:\Windows\System32\XEuycNK.exe
  2⤵
  PID:6364
- C:\Windows\System32\KQfFoxB.exe
  C:\Windows\System32\KQfFoxB.exe
  2⤵
  PID:6432
- C:\Windows\System32\OztiUcu.exe
  C:\Windows\System32\OztiUcu.exe
  2⤵
  PID:6480
- C:\Windows\System32\ASwzEdd.exe
  C:\Windows\System32\ASwzEdd.exe
  2⤵
  PID:6552
- C:\Windows\System32\YKqTZFg.exe
  C:\Windows\System32\YKqTZFg.exe
  2⤵
  PID:6628
- C:\Windows\System32\JGOpPdK.exe
  C:\Windows\System32\JGOpPdK.exe
  2⤵
  PID:6712
- C:\Windows\System32\wMUAwMs.exe
  C:\Windows\System32\wMUAwMs.exe
  2⤵
  PID:6764
- C:\Windows\System32\iAMIOSS.exe
  C:\Windows\System32\iAMIOSS.exe
  2⤵
  PID:6840
- C:\Windows\System32\yXwisGl.exe
  C:\Windows\System32\yXwisGl.exe
  2⤵
  PID:6904
- C:\Windows\System32\aBQwnKb.exe
  C:\Windows\System32\aBQwnKb.exe
  2⤵
  PID:6960
- C:\Windows\System32\SdvymgS.exe
  C:\Windows\System32\SdvymgS.exe
  2⤵
  PID:3732
- C:\Windows\System32\NBPZMed.exe
  C:\Windows\System32\NBPZMed.exe
  2⤵
  PID:7092
- C:\Windows\System32\WzWHCwf.exe
  C:\Windows\System32\WzWHCwf.exe
  2⤵
  PID:7156
- C:\Windows\System32\dfoxebT.exe
  C:\Windows\System32\dfoxebT.exe
  2⤵
  PID:5268
- C:\Windows\System32\FfbDSPp.exe
  C:\Windows\System32\FfbDSPp.exe
  2⤵
  PID:6264
- C:\Windows\System32\GDxxXwd.exe
  C:\Windows\System32\GDxxXwd.exe
  2⤵
  PID:4448
- C:\Windows\System32\pSYRnmX.exe
  C:\Windows\System32\pSYRnmX.exe
  2⤵
  PID:6404
- C:\Windows\System32\lZVkHxM.exe
  C:\Windows\System32\lZVkHxM.exe
  2⤵
  PID:6932
- C:\Windows\System32\QiRNeBa.exe
  C:\Windows\System32\QiRNeBa.exe
  2⤵
  PID:6788
- C:\Windows\System32\RyJrOXa.exe
  C:\Windows\System32\RyJrOXa.exe
  2⤵
  PID:6536
- C:\Windows\System32\gDMCDdQ.exe
  C:\Windows\System32\gDMCDdQ.exe
  2⤵
  PID:7120
- C:\Windows\System32\HfYxDHY.exe
  C:\Windows\System32\HfYxDHY.exe
  2⤵
  PID:5476
- C:\Windows\System32\RGhFsVC.exe
  C:\Windows\System32\RGhFsVC.exe
  2⤵
  PID:6172
- C:\Windows\System32\PuzIjMy.exe
  C:\Windows\System32\PuzIjMy.exe
  2⤵
  PID:6420
- C:\Windows\System32\oAqmHfN.exe
  C:\Windows\System32\oAqmHfN.exe
  2⤵
  PID:6984
- C:\Windows\System32\tilNvYo.exe
  C:\Windows\System32\tilNvYo.exe
  2⤵
  PID:6896
- C:\Windows\System32\ZnRBmnR.exe
  C:\Windows\System32\ZnRBmnR.exe
  2⤵
  PID:4344
- C:\Windows\System32\RSeheft.exe
  C:\Windows\System32\RSeheft.exe
  2⤵
  PID:5596
- C:\Windows\System32\xFsTekF.exe
  C:\Windows\System32\xFsTekF.exe
  2⤵
  PID:5200
- C:\Windows\System32\NbjHfIw.exe
  C:\Windows\System32\NbjHfIw.exe
  2⤵
  PID:5652
- C:\Windows\System32\zpHfaRT.exe
  C:\Windows\System32\zpHfaRT.exe
  2⤵
  PID:7180
- C:\Windows\System32\OUxuOpj.exe
  C:\Windows\System32\OUxuOpj.exe
  2⤵
  PID:7212
- C:\Windows\System32\KJyVukH.exe
  C:\Windows\System32\KJyVukH.exe
  2⤵
  PID:7228
- C:\Windows\System32\gduINev.exe
  C:\Windows\System32\gduINev.exe
  2⤵
  PID:7248
- C:\Windows\System32\ihsRNAw.exe
  C:\Windows\System32\ihsRNAw.exe
  2⤵
  PID:7272
- C:\Windows\System32\rHBgTdu.exe
  C:\Windows\System32\rHBgTdu.exe
  2⤵
  PID:7292
- C:\Windows\System32\RTRHack.exe
  C:\Windows\System32\RTRHack.exe
  2⤵
  PID:7320
- C:\Windows\System32\AGHXydG.exe
  C:\Windows\System32\AGHXydG.exe
  2⤵
  PID:7356
- C:\Windows\System32\IYihXVW.exe
  C:\Windows\System32\IYihXVW.exe
  2⤵
  PID:7400
- C:\Windows\System32\qBjAyxD.exe
  C:\Windows\System32\qBjAyxD.exe
  2⤵
  PID:7424
- C:\Windows\System32\nbhSzur.exe
  C:\Windows\System32\nbhSzur.exe
  2⤵
  PID:7452
- C:\Windows\System32\xsRmnfs.exe
  C:\Windows\System32\xsRmnfs.exe
  2⤵
  PID:7488
- C:\Windows\System32\PHdiFqL.exe
  C:\Windows\System32\PHdiFqL.exe
  2⤵
  PID:7520
- C:\Windows\System32\pSzQsDW.exe
  C:\Windows\System32\pSzQsDW.exe
  2⤵
  PID:7544
- C:\Windows\System32\IUtfiWn.exe
  C:\Windows\System32\IUtfiWn.exe
  2⤵
  PID:7568
- C:\Windows\System32\idLqfDZ.exe
  C:\Windows\System32\idLqfDZ.exe
  2⤵
  PID:7588
- C:\Windows\System32\GaRSUKf.exe
  C:\Windows\System32\GaRSUKf.exe
  2⤵
  PID:7608
- C:\Windows\System32\JPOvNwX.exe
  C:\Windows\System32\JPOvNwX.exe
  2⤵
  PID:7632
- C:\Windows\System32\aYRpSkk.exe
  C:\Windows\System32\aYRpSkk.exe
  2⤵
  PID:7648
- C:\Windows\System32\jtUQvzy.exe
  C:\Windows\System32\jtUQvzy.exe
  2⤵
  PID:7672
- C:\Windows\System32\tOIyCNh.exe
  C:\Windows\System32\tOIyCNh.exe
  2⤵
  PID:7748
- C:\Windows\System32\pogYJOn.exe
  C:\Windows\System32\pogYJOn.exe
  2⤵
  PID:7764
- C:\Windows\System32\vzMyNNP.exe
  C:\Windows\System32\vzMyNNP.exe
  2⤵
  PID:7792
- C:\Windows\System32\NmZLxoV.exe
  C:\Windows\System32\NmZLxoV.exe
  2⤵
  PID:7828
- C:\Windows\System32\oifTgUp.exe
  C:\Windows\System32\oifTgUp.exe
  2⤵
  PID:7848
- C:\Windows\System32\ITWGJBs.exe
  C:\Windows\System32\ITWGJBs.exe
  2⤵
  PID:7876
- C:\Windows\System32\haYcurJ.exe
  C:\Windows\System32\haYcurJ.exe
  2⤵
  PID:7900
- C:\Windows\System32\yMYxImd.exe
  C:\Windows\System32\yMYxImd.exe
  2⤵
  PID:7932
- C:\Windows\System32\YXRmLqN.exe
  C:\Windows\System32\YXRmLqN.exe
  2⤵
  PID:7948
- C:\Windows\System32\HOyBEaX.exe
  C:\Windows\System32\HOyBEaX.exe
  2⤵
  PID:8000
- C:\Windows\System32\NbgigJb.exe
  C:\Windows\System32\NbgigJb.exe
  2⤵
  PID:8016
- C:\Windows\System32\BauWrHM.exe
  C:\Windows\System32\BauWrHM.exe
  2⤵
  PID:8032
- C:\Windows\System32\Wacsagu.exe
  C:\Windows\System32\Wacsagu.exe
  2⤵
  PID:8052
- C:\Windows\System32\yNJMUZm.exe
  C:\Windows\System32\yNJMUZm.exe
  2⤵
  PID:8076
- C:\Windows\System32\dEjIvdV.exe
  C:\Windows\System32\dEjIvdV.exe
  2⤵
  PID:8132
- C:\Windows\System32\wSOfmOW.exe
  C:\Windows\System32\wSOfmOW.exe
  2⤵
  PID:8164
- C:\Windows\System32\NLwHQUf.exe
  C:\Windows\System32\NLwHQUf.exe
  2⤵
  PID:8180
- C:\Windows\System32\rNNVJug.exe
  C:\Windows\System32\rNNVJug.exe
  2⤵
  PID:7196
- C:\Windows\System32\nyURjqX.exe
  C:\Windows\System32\nyURjqX.exe
  2⤵
  PID:7220
- C:\Windows\System32\tzVVojq.exe
  C:\Windows\System32\tzVVojq.exe
  2⤵
  PID:7304
- C:\Windows\System32\RSOPpaE.exe
  C:\Windows\System32\RSOPpaE.exe
  2⤵
  PID:7332
- C:\Windows\System32\ApVTXvv.exe
  C:\Windows\System32\ApVTXvv.exe
  2⤵
  PID:7376
- C:\Windows\System32\cbQDKlD.exe
  C:\Windows\System32\cbQDKlD.exe
  2⤵
  PID:7508
- C:\Windows\System32\eKXtnEp.exe
  C:\Windows\System32\eKXtnEp.exe
  2⤵
  PID:7552
- C:\Windows\System32\zVNaGJz.exe
  C:\Windows\System32\zVNaGJz.exe
  2⤵
  PID:7596
- C:\Windows\System32\OlSqnDr.exe
  C:\Windows\System32\OlSqnDr.exe
  2⤵
  PID:7640
- C:\Windows\System32\EIEbTbB.exe
  C:\Windows\System32\EIEbTbB.exe
  2⤵
  PID:7680
- C:\Windows\System32\yScwTWY.exe
  C:\Windows\System32\yScwTWY.exe
  2⤵
  PID:7892
- C:\Windows\System32\SMcIILh.exe
  C:\Windows\System32\SMcIILh.exe
  2⤵
  PID:7976
- C:\Windows\System32\VjlItjy.exe
  C:\Windows\System32\VjlItjy.exe
  2⤵
  PID:7972
- C:\Windows\System32\bSWDJGm.exe
  C:\Windows\System32\bSWDJGm.exe
  2⤵
  PID:8068
- C:\Windows\System32\RKFHaip.exe
  C:\Windows\System32\RKFHaip.exe
  2⤵
  PID:8108
- C:\Windows\System32\PmSqHJX.exe
  C:\Windows\System32\PmSqHJX.exe
  2⤵
  PID:8140
- C:\Windows\System32\AcohuQP.exe
  C:\Windows\System32\AcohuQP.exe
  2⤵
  PID:6816
- C:\Windows\System32\ImSoxoa.exe
  C:\Windows\System32\ImSoxoa.exe
  2⤵
  PID:7256
- C:\Windows\System32\wwedGBd.exe
  C:\Windows\System32\wwedGBd.exe
  2⤵
  PID:7436
- C:\Windows\System32\BOpkSlC.exe
  C:\Windows\System32\BOpkSlC.exe
  2⤵
  PID:7540
- C:\Windows\System32\FUqiEzE.exe
  C:\Windows\System32\FUqiEzE.exe
  2⤵
  PID:7732
- C:\Windows\System32\cdFVVzp.exe
  C:\Windows\System32\cdFVVzp.exe
  2⤵
  PID:7860
- C:\Windows\System32\NDuYtrP.exe
  C:\Windows\System32\NDuYtrP.exe
  2⤵
  PID:8156
- C:\Windows\System32\IlstrbN.exe
  C:\Windows\System32\IlstrbN.exe
  2⤵
  PID:7328
- C:\Windows\System32\oYOyzWr.exe
  C:\Windows\System32\oYOyzWr.exe
  2⤵
  PID:7836
- C:\Windows\System32\Cyjodkm.exe
  C:\Windows\System32\Cyjodkm.exe
  2⤵
  PID:8024
- C:\Windows\System32\XiaEcXv.exe
  C:\Windows\System32\XiaEcXv.exe
  2⤵
  PID:7408
- C:\Windows\System32\yjceVOe.exe
  C:\Windows\System32\yjceVOe.exe
  2⤵
  PID:8208
- C:\Windows\System32\NVWnjlE.exe
  C:\Windows\System32\NVWnjlE.exe
  2⤵
  PID:8260
- C:\Windows\System32\fmduBay.exe
  C:\Windows\System32\fmduBay.exe
  2⤵
  PID:8288
- C:\Windows\System32\pAVuTtZ.exe
  C:\Windows\System32\pAVuTtZ.exe
  2⤵
  PID:8308
- C:\Windows\System32\RPPaJWj.exe
  C:\Windows\System32\RPPaJWj.exe
  2⤵
  PID:8324
- C:\Windows\System32\HzFJcoN.exe
  C:\Windows\System32\HzFJcoN.exe
  2⤵
  PID:8348
- C:\Windows\System32\VeNXDhz.exe
  C:\Windows\System32\VeNXDhz.exe
  2⤵
  PID:8380
- C:\Windows\System32\ePBOvpy.exe
  C:\Windows\System32\ePBOvpy.exe
  2⤵
  PID:8416
- C:\Windows\System32\yERNZWE.exe
  C:\Windows\System32\yERNZWE.exe
  2⤵
  PID:8436
- C:\Windows\System32\vsrzowl.exe
  C:\Windows\System32\vsrzowl.exe
  2⤵
  PID:8464
- C:\Windows\System32\hqhIvYs.exe
  C:\Windows\System32\hqhIvYs.exe
  2⤵
  PID:8512
- C:\Windows\System32\HXeFBtu.exe
  C:\Windows\System32\HXeFBtu.exe
  2⤵
  PID:8544
- C:\Windows\System32\pWlAwoH.exe
  C:\Windows\System32\pWlAwoH.exe
  2⤵
  PID:8564
- C:\Windows\System32\ioDCdvK.exe
  C:\Windows\System32\ioDCdvK.exe
  2⤵
  PID:8596
- C:\Windows\System32\tiHDIQB.exe
  C:\Windows\System32\tiHDIQB.exe
  2⤵
  PID:8616
- C:\Windows\System32\zSfeKsA.exe
  C:\Windows\System32\zSfeKsA.exe
  2⤵
  PID:8676
- C:\Windows\System32\BcRpWWi.exe
  C:\Windows\System32\BcRpWWi.exe
  2⤵
  PID:8696
- C:\Windows\System32\SefwqHW.exe
  C:\Windows\System32\SefwqHW.exe
  2⤵
  PID:8720
- C:\Windows\System32\DXrukGr.exe
  C:\Windows\System32\DXrukGr.exe
  2⤵
  PID:8748
- C:\Windows\System32\bkTTSCM.exe
  C:\Windows\System32\bkTTSCM.exe
  2⤵
  PID:8776
- C:\Windows\System32\ycELfUT.exe
  C:\Windows\System32\ycELfUT.exe
  2⤵
  PID:8800
- C:\Windows\System32\CjiVBoz.exe
  C:\Windows\System32\CjiVBoz.exe
  2⤵
  PID:8836
- C:\Windows\System32\oIkCOQc.exe
  C:\Windows\System32\oIkCOQc.exe
  2⤵
  PID:8860
- C:\Windows\System32\UCSRUbu.exe
  C:\Windows\System32\UCSRUbu.exe
  2⤵
  PID:8880
- C:\Windows\System32\ZIMiAkL.exe
  C:\Windows\System32\ZIMiAkL.exe
  2⤵
  PID:8896
- C:\Windows\System32\ejZoeaw.exe
  C:\Windows\System32\ejZoeaw.exe
  2⤵
  PID:8936
- C:\Windows\System32\RJHXtKU.exe
  C:\Windows\System32\RJHXtKU.exe
  2⤵
  PID:8964
- C:\Windows\System32\EALqdpX.exe
  C:\Windows\System32\EALqdpX.exe
  2⤵
  PID:8980
- C:\Windows\System32\UhxUuzn.exe
  C:\Windows\System32\UhxUuzn.exe
  2⤵
  PID:9008
- C:\Windows\System32\IjLKjMv.exe
  C:\Windows\System32\IjLKjMv.exe
  2⤵
  PID:9044
- C:\Windows\System32\ChMjnUt.exe
  C:\Windows\System32\ChMjnUt.exe
  2⤵
  PID:9072
- C:\Windows\System32\wLSQith.exe
  C:\Windows\System32\wLSQith.exe
  2⤵
  PID:9104
- C:\Windows\System32\bNIGxeA.exe
  C:\Windows\System32\bNIGxeA.exe
  2⤵
  PID:9136
- C:\Windows\System32\SZlrLNG.exe
  C:\Windows\System32\SZlrLNG.exe
  2⤵
  PID:9176
- C:\Windows\System32\IFFbRhL.exe
  C:\Windows\System32\IFFbRhL.exe
  2⤵
  PID:9200
- C:\Windows\System32\kyAZsEi.exe
  C:\Windows\System32\kyAZsEi.exe
  2⤵
  PID:8148
- C:\Windows\System32\oCEDhge.exe
  C:\Windows\System32\oCEDhge.exe
  2⤵
  PID:8236
- C:\Windows\System32\iBsdKOA.exe
  C:\Windows\System32\iBsdKOA.exe
  2⤵
  PID:8332
- C:\Windows\System32\kwdXWTY.exe
  C:\Windows\System32\kwdXWTY.exe
  2⤵
  PID:8360
- C:\Windows\System32\HprakZx.exe
  C:\Windows\System32\HprakZx.exe
  2⤵
  PID:8452
- C:\Windows\System32\sJvDMac.exe
  C:\Windows\System32\sJvDMac.exe
  2⤵
  PID:8524
- C:\Windows\System32\sNaiuhu.exe
  C:\Windows\System32\sNaiuhu.exe
  2⤵
  PID:8588
- C:\Windows\System32\PEFZAXy.exe
  C:\Windows\System32\PEFZAXy.exe
  2⤵
  PID:8628
- C:\Windows\System32\qYKmgCW.exe
  C:\Windows\System32\qYKmgCW.exe
  2⤵
  PID:8712
- C:\Windows\System32\vXDqoLm.exe
  C:\Windows\System32\vXDqoLm.exe
  2⤵
  PID:8796
- C:\Windows\System32\TSvutiO.exe
  C:\Windows\System32\TSvutiO.exe
  2⤵
  PID:8824
- C:\Windows\System32\tfqfhYY.exe
  C:\Windows\System32\tfqfhYY.exe
  2⤵
  PID:8892
- C:\Windows\System32\gVdJLWt.exe
  C:\Windows\System32\gVdJLWt.exe
  2⤵
  PID:8960
- C:\Windows\System32\XirGKMs.exe
  C:\Windows\System32\XirGKMs.exe
  2⤵
  PID:9000
- C:\Windows\System32\XSAnVyR.exe
  C:\Windows\System32\XSAnVyR.exe
  2⤵
  PID:9068
- C:\Windows\System32\HBLDyhC.exe
  C:\Windows\System32\HBLDyhC.exe
  2⤵
  PID:9124
- C:\Windows\System32\wCkVKgz.exe
  C:\Windows\System32\wCkVKgz.exe
  2⤵
  PID:9212
- C:\Windows\System32\AwOvhWJ.exe
  C:\Windows\System32\AwOvhWJ.exe
  2⤵
  PID:8372
- C:\Windows\System32\DsyVKTL.exe
  C:\Windows\System32\DsyVKTL.exe
  2⤵
  PID:8460
- C:\Windows\System32\fynuBNK.exe
  C:\Windows\System32\fynuBNK.exe
  2⤵
  PID:8592
- C:\Windows\System32\ZVyzheC.exe
  C:\Windows\System32\ZVyzheC.exe
  2⤵
  PID:8872
- C:\Windows\System32\PLUDngK.exe
  C:\Windows\System32\PLUDngK.exe
  2⤵
  PID:8976
- C:\Windows\System32\XBisGjQ.exe
  C:\Windows\System32\XBisGjQ.exe
  2⤵
  PID:8992
- C:\Windows\System32\gqSMmmu.exe
  C:\Windows\System32\gqSMmmu.exe
  2⤵
  PID:8252
- C:\Windows\System32\sTTbguJ.exe
  C:\Windows\System32\sTTbguJ.exe
  2⤵
  PID:8488
- C:\Windows\System32\ByaRlsL.exe
  C:\Windows\System32\ByaRlsL.exe
  2⤵
  PID:8916
- C:\Windows\System32\ZvFpjIq.exe
  C:\Windows\System32\ZvFpjIq.exe
  2⤵
  PID:9164
- C:\Windows\System32\xByAsMV.exe
  C:\Windows\System32\xByAsMV.exe
  2⤵
  PID:9224
- C:\Windows\System32\LJPuANG.exe
  C:\Windows\System32\LJPuANG.exe
  2⤵
  PID:9260
- C:\Windows\System32\CirvQOU.exe
  C:\Windows\System32\CirvQOU.exe
  2⤵
  PID:9276
- C:\Windows\System32\LsgsFBr.exe
  C:\Windows\System32\LsgsFBr.exe
  2⤵
  PID:9308
- C:\Windows\System32\AvyAfug.exe
  C:\Windows\System32\AvyAfug.exe
  2⤵
  PID:9328
- C:\Windows\System32\JKIvull.exe
  C:\Windows\System32\JKIvull.exe
  2⤵
  PID:9344
- C:\Windows\System32\rXHhqkL.exe
  C:\Windows\System32\rXHhqkL.exe
  2⤵
  PID:9368
- C:\Windows\System32\tAnPIRZ.exe
  C:\Windows\System32\tAnPIRZ.exe
  2⤵
  PID:9396
- C:\Windows\System32\UMwqBDj.exe
  C:\Windows\System32\UMwqBDj.exe
  2⤵
  PID:9412
- C:\Windows\System32\qCWxerZ.exe
  C:\Windows\System32\qCWxerZ.exe
  2⤵
  PID:9448
- C:\Windows\System32\FpPOuVS.exe
  C:\Windows\System32\FpPOuVS.exe
  2⤵
  PID:9484
- C:\Windows\System32\TkkFgAp.exe
  C:\Windows\System32\TkkFgAp.exe
  2⤵
  PID:9520
- C:\Windows\System32\NRjDHhh.exe
  C:\Windows\System32\NRjDHhh.exe
  2⤵
  PID:9544
- C:\Windows\System32\EJjoVHO.exe
  C:\Windows\System32\EJjoVHO.exe
  2⤵
  PID:9560
- C:\Windows\System32\PoapkmF.exe
  C:\Windows\System32\PoapkmF.exe
  2⤵
  PID:9592
- C:\Windows\System32\lIBeMxr.exe
  C:\Windows\System32\lIBeMxr.exe
  2⤵
  PID:9620
- C:\Windows\System32\uHOyeja.exe
  C:\Windows\System32\uHOyeja.exe
  2⤵
  PID:9636
- C:\Windows\System32\GMCMLQj.exe
  C:\Windows\System32\GMCMLQj.exe
  2⤵
  PID:9696
- C:\Windows\System32\FaeCXZy.exe
  C:\Windows\System32\FaeCXZy.exe
  2⤵
  PID:9712
- C:\Windows\System32\ywxJImc.exe
  C:\Windows\System32\ywxJImc.exe
  2⤵
  PID:9728
- C:\Windows\System32\JcvhZqX.exe
  C:\Windows\System32\JcvhZqX.exe
  2⤵
  PID:9752
- C:\Windows\System32\eRfdPeA.exe
  C:\Windows\System32\eRfdPeA.exe
  2⤵
  PID:9784
- C:\Windows\System32\fEtfKvX.exe
  C:\Windows\System32\fEtfKvX.exe
  2⤵
  PID:9848
- C:\Windows\System32\sLDwYFA.exe
  C:\Windows\System32\sLDwYFA.exe
  2⤵
  PID:9872
- C:\Windows\System32\pQMGUdL.exe
  C:\Windows\System32\pQMGUdL.exe
  2⤵
  PID:9896
- C:\Windows\System32\QYJKuJj.exe
  C:\Windows\System32\QYJKuJj.exe
  2⤵
  PID:9916
- C:\Windows\System32\crUHHel.exe
  C:\Windows\System32\crUHHel.exe
  2⤵
  PID:9944
- C:\Windows\System32\XFtCEZt.exe
  C:\Windows\System32\XFtCEZt.exe
  2⤵
  PID:9972
- C:\Windows\System32\yopUwMD.exe
  C:\Windows\System32\yopUwMD.exe
  2⤵
  PID:9992
- C:\Windows\System32\BLKHzpM.exe
  C:\Windows\System32\BLKHzpM.exe
  2⤵
  PID:10016
- C:\Windows\System32\MdOxnwk.exe
  C:\Windows\System32\MdOxnwk.exe
  2⤵
  PID:10124
- C:\Windows\System32\ZJbacVE.exe
  C:\Windows\System32\ZJbacVE.exe
  2⤵
  PID:10140
- C:\Windows\System32\NBPrDGt.exe
  C:\Windows\System32\NBPrDGt.exe
  2⤵
  PID:10156
- C:\Windows\System32\YtkDPCy.exe
  C:\Windows\System32\YtkDPCy.exe
  2⤵
  PID:10172
- C:\Windows\System32\KcydbCu.exe
  C:\Windows\System32\KcydbCu.exe
  2⤵
  PID:10188
- C:\Windows\System32\eEghAlA.exe
  C:\Windows\System32\eEghAlA.exe
  2⤵
  PID:10208
- C:\Windows\System32\YPxMvHy.exe
  C:\Windows\System32\YPxMvHy.exe
  2⤵
  PID:10224
- C:\Windows\System32\IdLqYOH.exe
  C:\Windows\System32\IdLqYOH.exe
  2⤵
  PID:9032
- C:\Windows\System32\RIUSXdo.exe
  C:\Windows\System32\RIUSXdo.exe
  2⤵
  PID:8320
- C:\Windows\System32\GqWeyVc.exe
  C:\Windows\System32\GqWeyVc.exe
  2⤵
  PID:9256
- C:\Windows\System32\JlfpqcY.exe
  C:\Windows\System32\JlfpqcY.exe
  2⤵
  PID:9304
- C:\Windows\System32\NAOFnIF.exe
  C:\Windows\System32\NAOFnIF.exe
  2⤵
  PID:9360
- C:\Windows\System32\EkGVLoR.exe
  C:\Windows\System32\EkGVLoR.exe
  2⤵
  PID:9380
- C:\Windows\System32\krjZGne.exe
  C:\Windows\System32\krjZGne.exe
  2⤵
  PID:9392
- C:\Windows\System32\zqUlonF.exe
  C:\Windows\System32\zqUlonF.exe
  2⤵
  PID:9444
- C:\Windows\System32\kWlKXBh.exe
  C:\Windows\System32\kWlKXBh.exe
  2⤵
  PID:9480
- C:\Windows\System32\WYhpidE.exe
  C:\Windows\System32\WYhpidE.exe
  2⤵
  PID:9576
- C:\Windows\System32\WMOumEg.exe
  C:\Windows\System32\WMOumEg.exe
  2⤵
  PID:9720
- C:\Windows\System32\tBhiYdO.exe
  C:\Windows\System32\tBhiYdO.exe
  2⤵
  PID:9692
- C:\Windows\System32\flJgOuu.exe
  C:\Windows\System32\flJgOuu.exe
  2⤵
  PID:9908
- C:\Windows\System32\eckWnNP.exe
  C:\Windows\System32\eckWnNP.exe
  2⤵
  PID:10060
- C:\Windows\System32\BTURaJV.exe
  C:\Windows\System32\BTURaJV.exe
  2⤵
  PID:10080
- C:\Windows\System32\cmOULjK.exe
  C:\Windows\System32\cmOULjK.exe
  2⤵
  PID:8756
- C:\Windows\System32\LcAjHaN.exe
  C:\Windows\System32\LcAjHaN.exe
  2⤵
  PID:10120
- C:\Windows\System32\gSvTgzu.exe
  C:\Windows\System32\gSvTgzu.exe
  2⤵
  PID:10220
- C:\Windows\System32\IIOvkKM.exe
  C:\Windows\System32\IIOvkKM.exe
  2⤵
  PID:9352
- C:\Windows\System32\uGBfZdY.exe
  C:\Windows\System32\uGBfZdY.exe
  2⤵
  PID:9840
- C:\Windows\System32\gLkujFb.exe
  C:\Windows\System32\gLkujFb.exe
  2⤵
  PID:9988
- C:\Windows\System32\OAMxvVf.exe
  C:\Windows\System32\OAMxvVf.exe
  2⤵
  PID:10076
- C:\Windows\System32\rtyyxbe.exe
  C:\Windows\System32\rtyyxbe.exe
  2⤵
  PID:10108
- C:\Windows\System32\KIBSvTr.exe
  C:\Windows\System32\KIBSvTr.exe
  2⤵
  PID:9424
- C:\Windows\System32\fhQhJyI.exe
  C:\Windows\System32\fhQhJyI.exe
  2⤵
  PID:9572
- C:\Windows\System32\CtsYUSH.exe
  C:\Windows\System32\CtsYUSH.exe
  2⤵
  PID:9476
- C:\Windows\System32\DXRlywo.exe
  C:\Windows\System32\DXRlywo.exe
  2⤵
  PID:9540
- C:\Windows\System32\wCWUwqO.exe
  C:\Windows\System32\wCWUwqO.exe
  2⤵
  PID:10064
- C:\Windows\System32\fqmTTtR.exe
  C:\Windows\System32\fqmTTtR.exe
  2⤵
  PID:10272
- C:\Windows\System32\XiRpZof.exe
  C:\Windows\System32\XiRpZof.exe
  2⤵
  PID:10316
- C:\Windows\System32\AyeQUOx.exe
  C:\Windows\System32\AyeQUOx.exe
  2⤵
  PID:10344
- C:\Windows\System32\PcOkIuz.exe
  C:\Windows\System32\PcOkIuz.exe
  2⤵
  PID:10380
- C:\Windows\System32\AqTIzxY.exe
  C:\Windows\System32\AqTIzxY.exe
  2⤵
  PID:10404
- C:\Windows\System32\IiuFpMB.exe
  C:\Windows\System32\IiuFpMB.exe
  2⤵
  PID:10420
- C:\Windows\System32\sFQfvlZ.exe
  C:\Windows\System32\sFQfvlZ.exe
  2⤵
  PID:10440
- C:\Windows\System32\uMQiPVa.exe
  C:\Windows\System32\uMQiPVa.exe
  2⤵
  PID:10472
- C:\Windows\System32\rNkjlQt.exe
  C:\Windows\System32\rNkjlQt.exe
  2⤵
  PID:10488
- C:\Windows\System32\SjndaTw.exe
  C:\Windows\System32\SjndaTw.exe
  2⤵
  PID:10504
- C:\Windows\System32\CoRYQBv.exe
  C:\Windows\System32\CoRYQBv.exe
  2⤵
  PID:10520
- C:\Windows\System32\CFUMdFa.exe
  C:\Windows\System32\CFUMdFa.exe
  2⤵
  PID:10536
- C:\Windows\System32\kKIeuTU.exe
  C:\Windows\System32\kKIeuTU.exe
  2⤵
  PID:10568
- C:\Windows\System32\EMuWCMW.exe
  C:\Windows\System32\EMuWCMW.exe
  2⤵
  PID:10640
- C:\Windows\System32\YfVrzyT.exe
  C:\Windows\System32\YfVrzyT.exe
  2⤵
  PID:10676
- C:\Windows\System32\aCARaGQ.exe
  C:\Windows\System32\aCARaGQ.exe
  2⤵
  PID:10696
- C:\Windows\System32\xaiogbW.exe
  C:\Windows\System32\xaiogbW.exe
  2⤵
  PID:10720
- C:\Windows\System32\elSVInt.exe
  C:\Windows\System32\elSVInt.exe
  2⤵
  PID:10748
- C:\Windows\System32\pcjFXSo.exe
  C:\Windows\System32\pcjFXSo.exe
  2⤵
  PID:10772
- C:\Windows\System32\AUBlgJD.exe
  C:\Windows\System32\AUBlgJD.exe
  2⤵
  PID:10796
- C:\Windows\System32\IBrXJnu.exe
  C:\Windows\System32\IBrXJnu.exe
  2⤵
  PID:10832
- C:\Windows\System32\ryNkmGd.exe
  C:\Windows\System32\ryNkmGd.exe
  2⤵
  PID:10884
- C:\Windows\System32\nfqtWNx.exe
  C:\Windows\System32\nfqtWNx.exe
  2⤵
  PID:10924
- C:\Windows\System32\RbDtvGs.exe
  C:\Windows\System32\RbDtvGs.exe
  2⤵
  PID:10940
- C:\Windows\System32\BmOQkeM.exe
  C:\Windows\System32\BmOQkeM.exe
  2⤵
  PID:10956
- C:\Windows\System32\DPdJpqj.exe
  C:\Windows\System32\DPdJpqj.exe
  2⤵
  PID:10988
- C:\Windows\System32\redDIfo.exe
  C:\Windows\System32\redDIfo.exe
  2⤵
  PID:11020
- C:\Windows\System32\kUNqCIO.exe
  C:\Windows\System32\kUNqCIO.exe
  2⤵
  PID:11048
- C:\Windows\System32\NkZfKli.exe
  C:\Windows\System32\NkZfKli.exe
  2⤵
  PID:11072
- C:\Windows\System32\WkmeMGz.exe
  C:\Windows\System32\WkmeMGz.exe
  2⤵
  PID:11100
- C:\Windows\System32\IjcvZds.exe
  C:\Windows\System32\IjcvZds.exe
  2⤵
  PID:11132
- C:\Windows\System32\csvzIqL.exe
  C:\Windows\System32\csvzIqL.exe
  2⤵
  PID:11152
- C:\Windows\System32\JLYcsto.exe
  C:\Windows\System32\JLYcsto.exe
  2⤵
  PID:11172
- C:\Windows\System32\dQLysmt.exe
  C:\Windows\System32\dQLysmt.exe
  2⤵
  PID:11192
- C:\Windows\System32\NJsHxyZ.exe
  C:\Windows\System32\NJsHxyZ.exe
  2⤵
  PID:9376
- C:\Windows\System32\WcgHsTB.exe
  C:\Windows\System32\WcgHsTB.exe
  2⤵
  PID:9456
- C:\Windows\System32\WiyfdAr.exe
  C:\Windows\System32\WiyfdAr.exe
  2⤵
  PID:10292
- C:\Windows\System32\CMLdZTb.exe
  C:\Windows\System32\CMLdZTb.exe
  2⤵
  PID:10364
- C:\Windows\System32\jfBdgSU.exe
  C:\Windows\System32\jfBdgSU.exe
  2⤵
  PID:10412
- C:\Windows\System32\EtVmUrR.exe
  C:\Windows\System32\EtVmUrR.exe
  2⤵
  PID:10480
- C:\Windows\System32\QzgRxnF.exe
  C:\Windows\System32\QzgRxnF.exe
  2⤵
  PID:10464
- C:\Windows\System32\EAzVoql.exe
  C:\Windows\System32\EAzVoql.exe
  2⤵
  PID:9296
- C:\Windows\System32\nkgHvuR.exe
  C:\Windows\System32\nkgHvuR.exe
  2⤵
  PID:10612
- C:\Windows\System32\VkCnMnM.exe
  C:\Windows\System32\VkCnMnM.exe
  2⤵
  PID:10740
- C:\Windows\System32\aqgvawH.exe
  C:\Windows\System32\aqgvawH.exe
  2⤵
  PID:10780
- C:\Windows\System32\VfEkuMn.exe
  C:\Windows\System32\VfEkuMn.exe
  2⤵
  PID:10880
- C:\Windows\System32\OSbRDYH.exe
  C:\Windows\System32\OSbRDYH.exe
  2⤵
  PID:10908
- C:\Windows\System32\gCTpcKl.exe
  C:\Windows\System32\gCTpcKl.exe
  2⤵
  PID:10972
- C:\Windows\System32\AmSkdgg.exe
  C:\Windows\System32\AmSkdgg.exe
  2⤵
  PID:11084
- C:\Windows\System32\ukHkrgn.exe
  C:\Windows\System32\ukHkrgn.exe
  2⤵
  PID:11124
- C:\Windows\System32\BDsjLZZ.exe
  C:\Windows\System32\BDsjLZZ.exe
  2⤵
  PID:11240
- C:\Windows\System32\pjrLiny.exe
  C:\Windows\System32\pjrLiny.exe
  2⤵
  PID:5744
- C:\Windows\System32\MaoRZVc.exe
  C:\Windows\System32\MaoRZVc.exe
  2⤵
  PID:11212
- C:\Windows\System32\sJAQIFB.exe
  C:\Windows\System32\sJAQIFB.exe
  2⤵
  PID:10436
- C:\Windows\System32\twQeaDl.exe
  C:\Windows\System32\twQeaDl.exe
  2⤵
  PID:10528
- C:\Windows\System32\LkLMLPo.exe
  C:\Windows\System32\LkLMLPo.exe
  2⤵
  PID:10584
- C:\Windows\System32\EdkzosY.exe
  C:\Windows\System32\EdkzosY.exe
  2⤵
  PID:10824
- C:\Windows\System32\nGmYPRL.exe
  C:\Windows\System32\nGmYPRL.exe
  2⤵
  PID:10932
- C:\Windows\System32\DEibhAj.exe
  C:\Windows\System32\DEibhAj.exe
  2⤵
  PID:11036
- C:\Windows\System32\MGaZSLI.exe
  C:\Windows\System32\MGaZSLI.exe
  2⤵
  PID:11200
- C:\Windows\System32\gGRPmLq.exe
  C:\Windows\System32\gGRPmLq.exe
  2⤵
  PID:10360
- C:\Windows\System32\jzfnEIF.exe
  C:\Windows\System32\jzfnEIF.exe
  2⤵
  PID:10672
- C:\Windows\System32\qrcnkvz.exe
  C:\Windows\System32\qrcnkvz.exe
  2⤵
  PID:11000
- C:\Windows\System32\aDlsKbB.exe
  C:\Windows\System32\aDlsKbB.exe
  2⤵
  PID:4892
- C:\Windows\System32\xaDwOrl.exe
  C:\Windows\System32\xaDwOrl.exe
  2⤵
  PID:11252
- C:\Windows\System32\lucJuIp.exe
  C:\Windows\System32\lucJuIp.exe
  2⤵
  PID:11304
- C:\Windows\System32\ArkgcvM.exe
  C:\Windows\System32\ArkgcvM.exe
  2⤵
  PID:11320
- C:\Windows\System32\XbgNhnO.exe
  C:\Windows\System32\XbgNhnO.exe
  2⤵
  PID:11352
- C:\Windows\System32\SVWBIiV.exe
  C:\Windows\System32\SVWBIiV.exe
  2⤵
  PID:11376
- C:\Windows\System32\sXGMkom.exe
  C:\Windows\System32\sXGMkom.exe
  2⤵
  PID:11392
- C:\Windows\System32\YGGNxcM.exe
  C:\Windows\System32\YGGNxcM.exe
  2⤵
  PID:11432
- C:\Windows\System32\rDIYrrP.exe
  C:\Windows\System32\rDIYrrP.exe
  2⤵
  PID:11448
- C:\Windows\System32\ZoRWfwy.exe
  C:\Windows\System32\ZoRWfwy.exe
  2⤵
  PID:11512
- C:\Windows\System32\DhhFpMv.exe
  C:\Windows\System32\DhhFpMv.exe
  2⤵
  PID:11536
- C:\Windows\System32\tCTuFSL.exe
  C:\Windows\System32\tCTuFSL.exe
  2⤵
  PID:11568
- C:\Windows\System32\wyHqiYb.exe
  C:\Windows\System32\wyHqiYb.exe
  2⤵
  PID:11588
- C:\Windows\System32\vidgUOU.exe
  C:\Windows\System32\vidgUOU.exe
  2⤵
  PID:11608
- C:\Windows\System32\cSnfMYk.exe
  C:\Windows\System32\cSnfMYk.exe
  2⤵
  PID:11652
- C:\Windows\System32\MwjPVhk.exe
  C:\Windows\System32\MwjPVhk.exe
  2⤵
  PID:11680
- C:\Windows\System32\xcHkfiF.exe
  C:\Windows\System32\xcHkfiF.exe
  2⤵
  PID:11700
- C:\Windows\System32\CtBVggG.exe
  C:\Windows\System32\CtBVggG.exe
  2⤵
  PID:11744
- C:\Windows\System32\sUwZXrJ.exe
  C:\Windows\System32\sUwZXrJ.exe
  2⤵
  PID:11768
- C:\Windows\System32\rUpxzHq.exe
  C:\Windows\System32\rUpxzHq.exe
  2⤵
  PID:11788
- C:\Windows\System32\MSJDnSb.exe
  C:\Windows\System32\MSJDnSb.exe
  2⤵
  PID:11804
- C:\Windows\System32\xjPFjsO.exe
  C:\Windows\System32\xjPFjsO.exe
  2⤵
  PID:11824
- C:\Windows\System32\GHSnGCF.exe
  C:\Windows\System32\GHSnGCF.exe
  2⤵
  PID:11852
- C:\Windows\System32\Hkrzfjt.exe
  C:\Windows\System32\Hkrzfjt.exe
  2⤵
  PID:11868
- C:\Windows\System32\wxngcMH.exe
  C:\Windows\System32\wxngcMH.exe
  2⤵
  PID:11892
- C:\Windows\System32\TVCLZSd.exe
  C:\Windows\System32\TVCLZSd.exe
  2⤵
  PID:11964
- C:\Windows\System32\ADtViOK.exe
  C:\Windows\System32\ADtViOK.exe
  2⤵
  PID:11996
- C:\Windows\System32\uyOwpGO.exe
  C:\Windows\System32\uyOwpGO.exe
  2⤵
  PID:12016
- C:\Windows\System32\bRsCXLt.exe
  C:\Windows\System32\bRsCXLt.exe
  2⤵
  PID:12040
- C:\Windows\System32\ooErCCX.exe
  C:\Windows\System32\ooErCCX.exe
  2⤵
  PID:12072
- C:\Windows\System32\AJfeTsQ.exe
  C:\Windows\System32\AJfeTsQ.exe
  2⤵
  PID:12100
- C:\Windows\System32\vxEFdnh.exe
  C:\Windows\System32\vxEFdnh.exe
  2⤵
  PID:12124
- C:\Windows\System32\FOKymKv.exe
  C:\Windows\System32\FOKymKv.exe
  2⤵
  PID:12148
- C:\Windows\System32\TqPHAnF.exe
  C:\Windows\System32\TqPHAnF.exe
  2⤵
  PID:12180
- C:\Windows\System32\ONBdATM.exe
  C:\Windows\System32\ONBdATM.exe
  2⤵
  PID:12208
- C:\Windows\System32\nhopgQI.exe
  C:\Windows\System32\nhopgQI.exe
  2⤵
  PID:12228
- C:\Windows\System32\EHdHbyA.exe
  C:\Windows\System32\EHdHbyA.exe
  2⤵
  PID:12264
- C:\Windows\System32\EGFvbfZ.exe
  C:\Windows\System32\EGFvbfZ.exe
  2⤵
  PID:11112
- C:\Windows\System32\mTXgqJB.exe
  C:\Windows\System32\mTXgqJB.exe
  2⤵
  PID:11336
- C:\Windows\System32\yZLeeev.exe
  C:\Windows\System32\yZLeeev.exe
  2⤵
  PID:11384
- C:\Windows\System32\rPXyKCV.exe
  C:\Windows\System32\rPXyKCV.exe
  2⤵
  PID:11416
- C:\Windows\System32\VvUnXIK.exe
  C:\Windows\System32\VvUnXIK.exe
  2⤵
  PID:11556
- C:\Windows\System32\GFiihOd.exe
  C:\Windows\System32\GFiihOd.exe
  2⤵
  PID:11580
- C:\Windows\System32\RLJdRtP.exe
  C:\Windows\System32\RLJdRtP.exe
  2⤵
  PID:11636
- C:\Windows\System32\zLGGvEv.exe
  C:\Windows\System32\zLGGvEv.exe
  2⤵
  PID:11664
- C:\Windows\System32\TBrCjMC.exe
  C:\Windows\System32\TBrCjMC.exe
  2⤵
  PID:11764
- C:\Windows\System32\SJHHbfV.exe
  C:\Windows\System32\SJHHbfV.exe
  2⤵
  PID:11800
- C:\Windows\System32\vhiZyfG.exe
  C:\Windows\System32\vhiZyfG.exe
  2⤵
  PID:11820
- C:\Windows\System32\DpWDSlz.exe
  C:\Windows\System32\DpWDSlz.exe
  2⤵
  PID:11816
- C:\Windows\System32\hvKujxx.exe
  C:\Windows\System32\hvKujxx.exe
  2⤵
  PID:11988
- C:\Windows\System32\XnMTSBb.exe
  C:\Windows\System32\XnMTSBb.exe
  2⤵
  PID:12112
- C:\Windows\System32\pygJmmq.exe
  C:\Windows\System32\pygJmmq.exe
  2⤵
  PID:12176
- C:\Windows\System32\AxncpKm.exe
  C:\Windows\System32\AxncpKm.exe
  2⤵
  PID:12240
- C:\Windows\System32\ZpUSwkB.exe
  C:\Windows\System32\ZpUSwkB.exe
  2⤵
  PID:10892
- C:\Windows\System32\nMNjdrb.exe
  C:\Windows\System32\nMNjdrb.exe
  2⤵
  PID:11368
- C:\Windows\System32\kxozqWO.exe
  C:\Windows\System32\kxozqWO.exe
  2⤵
  PID:11640
- C:\Windows\System32\MhtwWpm.exe
  C:\Windows\System32\MhtwWpm.exe
  2⤵
  PID:11688
- C:\Windows\System32\UIPJFwF.exe
  C:\Windows\System32\UIPJFwF.exe
  2⤵
  PID:11880
- C:\Windows\System32\ohjQRcD.exe
  C:\Windows\System32\ohjQRcD.exe
  2⤵
  PID:11924
- C:\Windows\System32\Shjbaqu.exe
  C:\Windows\System32\Shjbaqu.exe
  2⤵
  PID:12196
- C:\Windows\System32\EdaJtlC.exe
  C:\Windows\System32\EdaJtlC.exe
  2⤵
  PID:12192
- C:\Windows\System32\hBSVxoa.exe
  C:\Windows\System32\hBSVxoa.exe
  2⤵
  PID:11344
- C:\Windows\System32\OUCNNfp.exe
  C:\Windows\System32\OUCNNfp.exe
  2⤵
  PID:11720
- C:\Windows\System32\KQsWelO.exe
  C:\Windows\System32\KQsWelO.exe
  2⤵
  PID:11784
- C:\Windows\System32\wednpyS.exe
  C:\Windows\System32\wednpyS.exe
  2⤵
  PID:4068
- C:\Windows\System32\TcuEHBE.exe
  C:\Windows\System32\TcuEHBE.exe
  2⤵
  PID:11404
- C:\Windows\System32\cjeOCPU.exe
  C:\Windows\System32\cjeOCPU.exe
  2⤵
  PID:11724
- C:\Windows\System32\wmujNNO.exe
  C:\Windows\System32\wmujNNO.exe
  2⤵
  PID:12324
- C:\Windows\System32\ZWXMUYt.exe
  C:\Windows\System32\ZWXMUYt.exe
  2⤵
  PID:12348
- C:\Windows\System32\MDRxbEz.exe
  C:\Windows\System32\MDRxbEz.exe
  2⤵
  PID:12404
- C:\Windows\System32\sLiuxcN.exe
  C:\Windows\System32\sLiuxcN.exe
  2⤵
  PID:12428
- C:\Windows\System32\FxLobtU.exe
  C:\Windows\System32\FxLobtU.exe
  2⤵
  PID:12476
- C:\Windows\System32\UMUHwuN.exe
  C:\Windows\System32\UMUHwuN.exe
  2⤵
  PID:12508
- C:\Windows\System32\MEgvsza.exe
  C:\Windows\System32\MEgvsza.exe
  2⤵
  PID:12524
- C:\Windows\System32\qoxfczt.exe
  C:\Windows\System32\qoxfczt.exe
  2⤵
  PID:12544
- C:\Windows\System32\TPUUUgd.exe
  C:\Windows\System32\TPUUUgd.exe
  2⤵
  PID:12572
- C:\Windows\System32\DrEeDBl.exe
  C:\Windows\System32\DrEeDBl.exe
  2⤵
  PID:12596
- C:\Windows\System32\eculTLX.exe
  C:\Windows\System32\eculTLX.exe
  2⤵
  PID:12652
- C:\Windows\System32\nTUTcoR.exe
  C:\Windows\System32\nTUTcoR.exe
  2⤵
  PID:12672
- C:\Windows\System32\WdbnOkV.exe
  C:\Windows\System32\WdbnOkV.exe
  2⤵
  PID:12712
- C:\Windows\System32\LYOqFas.exe
  C:\Windows\System32\LYOqFas.exe
  2⤵
  PID:12740
- C:\Windows\System32\UomkLMV.exe
  C:\Windows\System32\UomkLMV.exe
  2⤵
  PID:12760
- C:\Windows\System32\EdZfGyl.exe
  C:\Windows\System32\EdZfGyl.exe
  2⤵
  PID:12776
- C:\Windows\System32\cdbMZQb.exe
  C:\Windows\System32\cdbMZQb.exe
  2⤵
  PID:12816
- C:\Windows\System32\CckWSav.exe
  C:\Windows\System32\CckWSav.exe
  2⤵
  PID:12844
- C:\Windows\System32\BELmbRU.exe
  C:\Windows\System32\BELmbRU.exe
  2⤵
  PID:12860
- C:\Windows\System32\BbrTMrb.exe
  C:\Windows\System32\BbrTMrb.exe
  2⤵
  PID:12880
- C:\Windows\System32\cRPfnAj.exe
  C:\Windows\System32\cRPfnAj.exe
  2⤵
  PID:12912
- C:\Windows\System32\iFTidyh.exe
  C:\Windows\System32\iFTidyh.exe
  2⤵
  PID:12980
- C:\Windows\System32\HgjBUQn.exe
  C:\Windows\System32\HgjBUQn.exe
  2⤵
  PID:13000
- C:\Windows\System32\WwmeWMk.exe
  C:\Windows\System32\WwmeWMk.exe
  2⤵
  PID:13028
- C:\Windows\System32\NoqdPSq.exe
  C:\Windows\System32\NoqdPSq.exe
  2⤵
  PID:13048
- C:\Windows\System32\fPUnkNZ.exe
  C:\Windows\System32\fPUnkNZ.exe
  2⤵
  PID:13084
- C:\Windows\System32\yPHawoW.exe
  C:\Windows\System32\yPHawoW.exe
  2⤵
  PID:13124
- C:\Windows\System32\JZMrbHM.exe
  C:\Windows\System32\JZMrbHM.exe
  2⤵
  PID:13148
- C:\Windows\System32\YkyaUIC.exe
  C:\Windows\System32\YkyaUIC.exe
  2⤵
  PID:13172
- C:\Windows\System32\WCGVlfa.exe
  C:\Windows\System32\WCGVlfa.exe
  2⤵
  PID:13196
- C:\Windows\System32\SefLHQz.exe
  C:\Windows\System32\SefLHQz.exe
  2⤵
  PID:13232
- C:\Windows\System32\kWGxjcK.exe
  C:\Windows\System32\kWGxjcK.exe
  2⤵
  PID:13256
- C:\Windows\System32\ULQqvmg.exe
  C:\Windows\System32\ULQqvmg.exe
  2⤵
  PID:13280
- C:\Windows\System32\EmkNukz.exe
  C:\Windows\System32\EmkNukz.exe
  2⤵
  PID:13296

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AmdgTVQ.exe

Filesize
1.2MB

MD5
630d0a538061a85b27a17e51b5b99341

SHA1
186792f83510052ec716cdc324f6e67080fbb725

SHA256
6b70f3a83ad1b1990f35c82a5f989a5cb45ff716990bd0742088ebadd90ed0a0

SHA512
78428198dc2797a9ca5d919c744d1debb9d0fcf2bd367ed0ae764b2aa27f0acca06f08af7ec6c720357abe5eac17e212c719ab9ed6d6b053433277a241154ba8

Download Submit
C:\Windows\System32\CcFzVWr.exe

Filesize
1.2MB

MD5
a1551533b18309c0b1fb31fd88962e4b

SHA1
76f83d2ab0bf3b275563661641ea4989921f31bc

SHA256
8afe824da9d2e05201b0f9b689cec662908e1f30ce7fea826d599c54d5db4977

SHA512
4cf3e4aedbc4fa8e4a06ebc68065c6ab1fa006c1bb64edac90bc312803b398b82eab2fbd647a5e99fc17394573f19f76d1cb3255e000999e8ca6bccee01fe71c

Download Submit
C:\Windows\System32\FmSVQYO.exe

Filesize
1.2MB

MD5
5686cb1b05c86c6dd4411ff722570d38

SHA1
79b2e128f89050ef405fd9f5b061cd19e454d57d

SHA256
eef1f3e33fe3ddf88cfde9a0b05449e894b6f6e88dfe90e74421ca6edea991dd

SHA512
9d849a194b1682dcf5060935f06ab3a69911db1352693ef9e7380b81af681cbaded88478359a80335b76b23418b36bcf0d0610c666f12059e7bbe1353d119099

Download Submit
C:\Windows\System32\IXTqaoP.exe

Filesize
1.2MB

MD5
048f24337ad6c4f1ca9826a56c5421fd

SHA1
f0b769eb59615a51510287129635dc8256d50c52

SHA256
61a6964e71f996d924e799d6eb093bb2a2d3a2e1e74536142aacc3aa017909f2

SHA512
6696c4636eb91652a596be6b6e2ae12c584afb2f462ebb00598f4809e547e814ee2a5b077d4a23c1b78666a46440159e89b961d97929735b5b2666a847aca953

Download Submit
C:\Windows\System32\JnvwVtB.exe

Filesize
1.2MB

MD5
839c1c575bfb25577469acf7873732d6

SHA1
ec5b6da0cad79eaf9b8ae2eee69be3128a77a8c0

SHA256
42fd16232aca4ffeb6b79a2bf4cdf73ab5ece9c224c18657ecd639c7174e6232

SHA512
e2bb28e76d2f5d679d0a8c520de4c6fccb7c79fcbde85aabd04a7678b6561dac774e6f7a2d30386619e40966cb123dc3ef0baeb7f2e7d87fb0dd58bcd33ce6e7

Download Submit
C:\Windows\System32\LjEeKcO.exe

Filesize
1.2MB

MD5
a5792fcf8a90dbb74df393ee1ff6400d

SHA1
82cf2f42fecf1a7d167aa1db0107ca5e1e2c3d01

SHA256
babd969a4e76903468e75499e52c351ab226f943084d828812f117944c1a16ea

SHA512
920354948d399d96a6d2545103a82adeca907ac02c111328053058e5cfaf4b684d02cdefc64f1105a840bae18ab7946be8d775fa251c9fde24d0d56001e36178

Download Submit
C:\Windows\System32\NrNQHcL.exe

Filesize
1.2MB

MD5
31a0bda58c05ca18ff057de318d89e19

SHA1
37a210956c2f817dbc8d2cd169deb80bdc6f851a

SHA256
fd05d262c2c64ab8692ce3c4726e9b1026bc2aa8befe2b0452fc413aa7450b84

SHA512
b22b97931f6999ba166fbaaa0aa673c71fb9d878516767eec9419826395a56afade2354f79a8ede9eca2f69f2194a2b2b603429b00cb69356482a0e4e4852275

Download Submit
C:\Windows\System32\OVTuPkF.exe

Filesize
1.2MB

MD5
e90a0726a751c0ee08ca04d0c1bba3a2

SHA1
127a73f85a85808d0d3646fc385403a606edad3e

SHA256
de631e1b6fd53faeff7d6d14a8eeb51757bb10843fc285deddd63b858c2fd4b5

SHA512
0d9d806e3faf579548187ccfada67d3ba73701d294c6d4d82538db4d750f126e87f4f2e5931b78283080956428ff628e29f8988cda444f88280baa6f0752e8f9

Download Submit
C:\Windows\System32\PkCuxyP.exe

Filesize
1.2MB

MD5
401e8a66f5db090557e3566caff28baf

SHA1
7a95df060d47388d691c8087ee2b221f5e3b03da

SHA256
edc1243ec3e6f319277594346674a3f3fb5261ade2abb5b3a7bc4c6d813628c3

SHA512
080672147ba8c48851fe1b383f1014970f06eee097615b6ff84b153848a149542d45640378fd1c31666c83c68f1539b509b65473513696028a0ae1e9c77e3320

Download Submit
C:\Windows\System32\PvsOLJQ.exe

Filesize
1.2MB

MD5
d6ba88ed8fe46ee72432a6c2c41a4a9e

SHA1
4e9ba647a3e7fd15a485a9cee7c0f9f812643709

SHA256
769a05783e728e4c030fd575e122deb6d9643eb5bbe6521bf41381856ca09178

SHA512
d8b16e9366a6281989be4d14093e33159608c44213f2d920cf85f25f0f2201d042dde85e7e6c37e1e86cfcc4e4d2f9c6dd32977998f4ce13c86f4af6a4876d9d

Download Submit
C:\Windows\System32\QUzdFia.exe

Filesize
1.2MB

MD5
293c2dc17c5b62c802834080e6f02bca

SHA1
60a8a8ddd70b2381bd0a3405f10401c00e88257d

SHA256
abb1a30011c954b3b9e84fee075d5a5f78483ece073791fe10401e63c3dd3287

SHA512
d39f37ee2083e5980c250f4c0882520a1174e63b285fdb7c1ad15cd679c6f7bee9dc315b5e62195e4a316b6bcc15db6008b15d198ee2e444e45063eac77c5494

Download Submit
C:\Windows\System32\RkIMohF.exe

Filesize
1.2MB

MD5
f60583c2538fe904062d07e99b3dc6ec

SHA1
4d7a3e7acd06b456f002d1b1bc3729d0836f45a8

SHA256
e12a3192140f0c786dff79140335fa8c17c38c1a6cfbb2ea06035d027a54b00c

SHA512
9eb3eeb2ab0c9ab08c6df85b269fa5757c013f1629cdc994ef2a595b3e8657244dd0d74b851525029ae14a31415a56257e2317680de0f4a628abd4deb1803c7b

Download Submit
C:\Windows\System32\TAciOIU.exe

Filesize
1.2MB

MD5
85c353b6c0ddba44baeaa054c2337fb2

SHA1
d221ca175a664a34fe20f849b658604d72f82fd7

SHA256
fe7d2f7787d4c101d1eba764c4011a0b3fdd434b25babb15559fa88875851b4a

SHA512
0cfe7abc89b1207e104a64ea8002bfd3a5eb51f1a7a82e069dfbe04011cad337dcfa9416d4306392d3f111f45d3ea2b9e7b1cc045e42d445e323d361de31dfee

Download Submit
C:\Windows\System32\VllRicH.exe

Filesize
1.2MB

MD5
f25a3c116d7b48da99b8a0c3f7a76970

SHA1
bff09183a4be3c59fa01898627ced92fdadf34de

SHA256
945fa4fbfe0dde3426c1056c02e9a31d1618bb5bf9949464c04febae4b5da49d

SHA512
7b290a072b60d9f86eddc4adb172d9d60a2e3b302dfee9fe9b278141cd35f7d1b662c154c8c45cd65e107200debe3a9fb689601aa003cc4f0a1303a58ecdf7fc

Download Submit
C:\Windows\System32\WlCeMYZ.exe

Filesize
1.2MB

MD5
a34858aefb6a2a5ebef49c54ca9b39d9

SHA1
24422ee56a73e248335cb1fa39f352ecad4bd246

SHA256
17cf0c613acc1c5c85af2b53625eecd040e008194b5dd95ba6059e158ec82784

SHA512
5667ba23b42ca991550a0b7973376006a9a01429400d086b607937bdc48bce31399e3bae5bbd82b316dc682b997e0d3306dba26eeeea4a8d8ab63637a1b48ebb

Download Submit
C:\Windows\System32\cSEQZzR.exe

Filesize
1.2MB

MD5
baf434e8951a4be35da46007c54bbbd0

SHA1
8442223074ea4f71db67046a4fc31ce154b29b63

SHA256
eb38603be5359cd930f5d25c33ff20d53c5762ff4ff2dead9fa54c0baca596b6

SHA512
24324b51e0c6e5170d30ab6302460522354f127ecb9b3736c616c0689be053a324e9cd41053bb591ca90a5319ffc9cae5b54c048a2850564e4c9885fcea8d735

Download Submit
C:\Windows\System32\ddKpIoX.exe

Filesize
1.2MB

MD5
5e0ce3e1ae06d6a5e2b90f087bf9861e

SHA1
253b9b9be3959a5451b28859cd0bcc4ef61bfec7

SHA256
e10644d78f179d834d1cc55ee80bd4a2a5193555ec4c6f0558e94876ec7fcda2

SHA512
4997bc705dab676ac02a85a393c335a523ab237073506d2710fc63b5f48ca27180d8c824c00ec8c593afbdffe209f0de05df67b8834216f7e9d6a39e2ed24618

Download Submit
C:\Windows\System32\fUMyOFn.exe

Filesize
1.2MB

MD5
e56da736eb3fbd51bcd006cad5d8871f

SHA1
b40f226f8ecf2c2ae1d40a9229c49ffa94fdbd28

SHA256
e1c44ab108d465ee02116c860c717c23d4454b515cbf80cdd6bf781846f8c514

SHA512
84ca2f77e11d5ff7844cf4d97d3108baf740bd5b1fd24b97a740f092e49cb5b9cbb96bf7a3590504c80e06b9effde3c3ce0f5abf07efca455b7d2dd6ee80f15f

Download Submit
C:\Windows\System32\fWMHwzY.exe

Filesize
1.2MB

MD5
05aa1f423cb5cb7e31d65b551cf9c45c

SHA1
9e3ed1ae797030ef373f05af6db4a3c936fecd01

SHA256
dde054ca7f0e195bc1cc64296bbacb6a7ebc4b08764515ad849baa9b7205b286

SHA512
868c4ae5c08e081b37c1c41a812647b73a254d62138a88f514afa7ff9c58edbc50f8b909188e040c7acb11ab971afd10023253330682d35b854196080357e7e8

Download Submit
C:\Windows\System32\hXFjHhP.exe

Filesize
1.2MB

MD5
f23c08d61125ab86ed710f3ea0d6bf26

SHA1
ceee4d9c789d4650721ad454917f13c773b0d14e

SHA256
5b7648d60e3434b93e865237f3aa3af3acc39b232e65f08a81411c200214c9ea

SHA512
40fabba091bbc71d8e7fe03aaaef45d6cb775cecd897b7f0999c929b676242a9ae0807577e8cdb4a1a2bc38d061e82827729e19f1730fb3e0a88b77d6da80b65

Download Submit
C:\Windows\System32\jnObVOs.exe

Filesize
1.2MB

MD5
64495c4a4c0594e4e90084fc32c6a822

SHA1
cf5d3db23e524f3d53c78cd24fe906dd0c928953

SHA256
a6ff93f974c8ea548f742da18c4e300079fa4f46b208a633e1160bcca99483f8

SHA512
b78a47a96dd97ce37855367154354baada80268d38d52593b38fae76bd751335d77752c15ef3807bbeaa35e7f6a4048ba04217e24c2de100292693f1d374939c

Download Submit
C:\Windows\System32\kNIgiKp.exe

Filesize
1.2MB

MD5
ebd73c47875739aba0987bc4bc37a103

SHA1
fb0fea4979f253947abfb6b44e86a9cdd1d66b0a

SHA256
e059690e16ac36c2bb08e1910e187302eb92e9aa6723c7ff6fa0371ede8a4934

SHA512
dac3ea040b25de569cf5757713018ce0d5e37a1276785c66946e0fd018fa8e1659811dfa8e64b62d622637b8336f4644b88ec4a5e1d10f2e4ceb11263f56aafb

Download Submit
C:\Windows\System32\lhnzWwr.exe

Filesize
1.2MB

MD5
0eb95baa8958a66b3eb750aef394b26b

SHA1
19c708c8410b9f3892a30718fa478752c50a0b17

SHA256
c0c735388a30615986058d8fec788c01d998487cdb422fd7fce6b3bc73ee935b

SHA512
0c2b6362eaa3e245a473a18535872538b95ca0159815d129f05ce92a942da5dc3a7a963a7dd86c53d6f47828d74aa01adc3f97123100a071c936b2c9ef5a69e6

Download Submit
C:\Windows\System32\nIIdLmr.exe

Filesize
1.2MB

MD5
eb6c7669514739e1834e580601a68468

SHA1
ccc4a482c839e80c4d42c81d541a27af08575835

SHA256
742e9a52adc2fd7c923cdf23888d85b721d5a452b5a36731596c519b150f6825

SHA512
abe1e7a932acf9cb6321b2b86c08abaa3796dd8b2fe4a47a3216f3983d1c54c844efac24b0149bbab50a3593303dc7e92d3dfb868b8a6ef3784b6a456624feaa

Download Submit
C:\Windows\System32\pfYcNJx.exe

Filesize
1.2MB

MD5
aa4e55ed674e56ccc133d90505deec62

SHA1
f47822a8dffe9566820fe4af026fd55f24e219e5

SHA256
a2353a31cb06c4fd05bf7317d817a41959b29706fd316bff1d3ef26bae5d7e8e

SHA512
454fec6d77b997c22959507da84df80f86ed2a00475d330a3a591f526965d65969e73c5bb3ab18dc40ccedd12b68b16d2f8af44aa2e48916c8e28efe21c7e5a4

Download Submit
C:\Windows\System32\qGZGCTl.exe

Filesize
1.2MB

MD5
6008984af7d08aa3508103b759db39d4

SHA1
2495ece273f915732811565ea575ae76a9209c81

SHA256
4a2d060199d818bcd1be2ac5e518b47666f9594f33651e69c5328cbb7acbfa73

SHA512
8b5cd9c8e2a1e6a7f41b808a4ff8d7fa848e04d2c1c4250bce32a8e77b534d8ca2375801dbe7f10b0aa798c6ac8e977afe3e917ed80f8cca9d8c068742b67d59

Download Submit
C:\Windows\System32\qiQDMZH.exe

Filesize
1.2MB

MD5
1a5f633db1adaa1208ce0f4f94202967

SHA1
e9165265847b860dd7e013a2d644de75eb61653d

SHA256
1a3da36d1474e3a6a41caa7d69c288e2fca9ab2f0ae19f6e87b1a64c10e0b38b

SHA512
229ecf2753c9b5dae46a20a59ff5f15d8d8f118db4e13c789260b73bf1b9ca93f1c7b8eb625be0c85d360764699fb5d785ab89edf7589cea19686582863b89fb

Download Submit
C:\Windows\System32\sFjQgzJ.exe

Filesize
1.2MB

MD5
b9fb71399d414b9143110347bfa2bdee

SHA1
db97b00945e4b3dc697120659b1aa2c2c91dad34

SHA256
964b677d264663fdebcf387fa2d43c6590386abed9846904300f19ff52305556

SHA512
77382037c2e00d7c2b13530efa520055e676b7f0d08e4e6f739dc39121a78a1f310cc577f88ccd4b679fad50790e3087ef1eaeeb509bc18c04187da8cf8d4aa5

Download Submit
C:\Windows\System32\tlBvyBF.exe

Filesize
1.2MB

MD5
4a17cd41c4ae107508dcb370926ccbf3

SHA1
ceda1ea28be59258d1546d2aa0d26e2cccf83701

SHA256
fd7d9124beb8abc58e431a9989b88cd05e205f106c8d4778e7b9d46dd5a580dc

SHA512
7343d6db2f583f0550d9cabf30c903ed6f110c1e2d2df88824c4ed2ca4ef32955a0496e46e23606e9bf6e76629d1d568526f200fbe6b6b2902f623774bbec73b

Download Submit
C:\Windows\System32\uOSiqXn.exe

Filesize
1.2MB

MD5
e0776fee77c0fcecf5c08eff0398f2ae

SHA1
0f286708eaf3c95d266a6b0bc60a66b7f165110e

SHA256
fc5435bafd35283d67d7e786b78951adf792f518c97abe7c6562509e10e4a7cc

SHA512
af76512070ab16d52a8b371d9d6098d924d47856c32a8e04d55f3a76a3c74036c4367df7274a65eea4b87c02669012d5e571b795dc74f747021318b2119666a7

Download Submit
C:\Windows\System32\vssaWhH.exe

Filesize
1.2MB

MD5
09b0cc98fbc6521eea06517f83d98355

SHA1
60c33e37b5a90c4051b9dc690e4537088dfe07e5

SHA256
d913a3d8ef638070aa4f602052fee6f53500e67238a7930bd284d3c6828c6913

SHA512
1125ceb63d40f3b191c4edcf4d5ab2a659d91620e96fd145acd6e7ef3c1eaaa31d7cce9a4cc56921b93bf4e41e36049b1b48c0cb15e6bc77f4fdd831d51bd339

Download Submit
C:\Windows\System32\xnUhKXS.exe

Filesize
1.2MB

MD5
eb67aab620d13481ed2fcc1a7b226020

SHA1
d3d1b6affe19bec58fac4ffde225ae0df9a65cfa

SHA256
9fafe644b76d15215b2da4b628d0a5936bd3a00656de0ccece27e117f2ff6329

SHA512
91064441b42182c810b9464d99665014a1dfb2870068d6d9927880c813bb7bb6a96295fbf35028a02083b2766eebf31e036f88832880c1826f9b443f1a467493

Download Submit
memory/412-1962-0x00007FF6B4850000-0x00007FF6B4C41000-memory.dmp

Filesize
3.9MB

Download
memory/412-7-0x00007FF6B4850000-0x00007FF6B4C41000-memory.dmp

Filesize
3.9MB

Download
memory/412-1955-0x00007FF6B4850000-0x00007FF6B4C41000-memory.dmp

Filesize
3.9MB

Download
memory/816-1-0x000001934BB10000-0x000001934BB20000-memory.dmp

Filesize
64KB

Download
memory/816-0-0x00007FF7683F0000-0x00007FF7687E1000-memory.dmp

Filesize
3.9MB

Download
memory/1180-423-0x00007FF7C3F90000-0x00007FF7C4381000-memory.dmp

Filesize
3.9MB

Download
memory/1180-1974-0x00007FF7C3F90000-0x00007FF7C4381000-memory.dmp

Filesize
3.9MB

Download
memory/1192-431-0x00007FF651910000-0x00007FF651D01000-memory.dmp

Filesize
3.9MB

Download
memory/1192-1980-0x00007FF651910000-0x00007FF651D01000-memory.dmp

Filesize
3.9MB

Download
memory/1292-463-0x00007FF7E3230000-0x00007FF7E3621000-memory.dmp

Filesize
3.9MB

Download
memory/1292-1988-0x00007FF7E3230000-0x00007FF7E3621000-memory.dmp

Filesize
3.9MB

Download
memory/1540-1970-0x00007FF697BD0000-0x00007FF697FC1000-memory.dmp

Filesize
3.9MB

Download
memory/1540-478-0x00007FF697BD0000-0x00007FF697FC1000-memory.dmp

Filesize
3.9MB

Download
memory/1616-2008-0x00007FF6B97C0000-0x00007FF6B9BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1616-474-0x00007FF6B97C0000-0x00007FF6B9BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1776-1966-0x00007FF6B4990000-0x00007FF6B4D81000-memory.dmp

Filesize
3.9MB

Download
memory/1776-416-0x00007FF6B4990000-0x00007FF6B4D81000-memory.dmp

Filesize
3.9MB

Download
memory/1876-467-0x00007FF6BEC20000-0x00007FF6BF011000-memory.dmp

Filesize
3.9MB

Download
memory/1876-1998-0x00007FF6BEC20000-0x00007FF6BF011000-memory.dmp

Filesize
3.9MB

Download
memory/2160-1992-0x00007FF6B08B0000-0x00007FF6B0CA1000-memory.dmp

Filesize
3.9MB

Download
memory/2160-464-0x00007FF6B08B0000-0x00007FF6B0CA1000-memory.dmp

Filesize
3.9MB

Download
memory/2256-417-0x00007FF6AF800000-0x00007FF6AFBF1000-memory.dmp

Filesize
3.9MB

Download
memory/2256-1968-0x00007FF6AF800000-0x00007FF6AFBF1000-memory.dmp

Filesize
3.9MB

Download
memory/2476-1986-0x00007FF728CE0000-0x00007FF7290D1000-memory.dmp

Filesize
3.9MB

Download
memory/2476-453-0x00007FF728CE0000-0x00007FF7290D1000-memory.dmp

Filesize
3.9MB

Download
memory/3028-466-0x00007FF6A6910000-0x00007FF6A6D01000-memory.dmp

Filesize
3.9MB

Download
memory/3028-1994-0x00007FF6A6910000-0x00007FF6A6D01000-memory.dmp

Filesize
3.9MB

Download
memory/3740-460-0x00007FF754010000-0x00007FF754401000-memory.dmp

Filesize
3.9MB

Download
memory/3740-1990-0x00007FF754010000-0x00007FF754401000-memory.dmp

Filesize
3.9MB

Download
memory/4112-471-0x00007FF722E70000-0x00007FF723261000-memory.dmp

Filesize
3.9MB

Download
memory/4112-2002-0x00007FF722E70000-0x00007FF723261000-memory.dmp

Filesize
3.9MB

Download
memory/4164-421-0x00007FF65C110000-0x00007FF65C501000-memory.dmp

Filesize
3.9MB

Download
memory/4164-1976-0x00007FF65C110000-0x00007FF65C501000-memory.dmp

Filesize
3.9MB

Download
memory/4168-2006-0x00007FF75F2A0000-0x00007FF75F691000-memory.dmp

Filesize
3.9MB

Download
memory/4168-476-0x00007FF75F2A0000-0x00007FF75F691000-memory.dmp

Filesize
3.9MB

Download
memory/4432-1978-0x00007FF779850000-0x00007FF779C41000-memory.dmp

Filesize
3.9MB

Download
memory/4432-449-0x00007FF779850000-0x00007FF779C41000-memory.dmp

Filesize
3.9MB

Download
memory/4460-428-0x00007FF6BFFB0000-0x00007FF6C03A1000-memory.dmp

Filesize
3.9MB

Download
memory/4460-1972-0x00007FF6BFFB0000-0x00007FF6C03A1000-memory.dmp

Filesize
3.9MB

Download
memory/4488-440-0x00007FF64FAB0000-0x00007FF64FEA1000-memory.dmp

Filesize
3.9MB

Download
memory/4488-1982-0x00007FF64FAB0000-0x00007FF64FEA1000-memory.dmp

Filesize
3.9MB

Download
memory/4588-475-0x00007FF684F60000-0x00007FF685351000-memory.dmp

Filesize
3.9MB

Download
memory/4588-1996-0x00007FF684F60000-0x00007FF685351000-memory.dmp

Filesize
3.9MB

Download
memory/4696-1984-0x00007FF6B26A0000-0x00007FF6B2A91000-memory.dmp

Filesize
3.9MB

Download
memory/4696-458-0x00007FF6B26A0000-0x00007FF6B2A91000-memory.dmp

Filesize
3.9MB

Download
memory/4724-2004-0x00007FF690840000-0x00007FF690C31000-memory.dmp

Filesize
3.9MB

Download
memory/4724-470-0x00007FF690840000-0x00007FF690C31000-memory.dmp

Filesize
3.9MB

Download
memory/4956-469-0x00007FF710710000-0x00007FF710B01000-memory.dmp

Filesize
3.9MB

Download
memory/4956-2000-0x00007FF710710000-0x00007FF710B01000-memory.dmp

Filesize
3.9MB

Download
memory/5108-1964-0x00007FF7B2B70000-0x00007FF7B2F61000-memory.dmp

Filesize
3.9MB

Download
memory/5108-1956-0x00007FF7B2B70000-0x00007FF7B2F61000-memory.dmp

Filesize
3.9MB

Download
memory/5108-415-0x00007FF7B2B70000-0x00007FF7B2F61000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads