xmrig | 8880f6fd3405dcd9c073b27d04ac169d58deea9788f05b72ad197aee7884c5f6

Analysis

max time kernel
105s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

881b1a383eab14f59e6a575fc3f9a920N.exe
Size

1.8MB
MD5

881b1a383eab14f59e6a575fc3f9a920
SHA1

9f6b55230562daa9c04ac4976717223834310e1c
SHA256

8880f6fd3405dcd9c073b27d04ac169d58deea9788f05b72ad197aee7884c5f6
SHA512

3056a49ab32b4e27369bfcae60a69dade06de647ea8b63cef014cbeab62841099c15ff9c42a138fce60026d5ee08a8002fa5aca13decaf1d31e9f46a642f2a66
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcqkeBWF3WAv4op8MDu7Ed7OEaMzsLOIfxj:knw9oUUEEDl37jcqMHd3+7

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/1584-383-0x00007FF72BC40000-0x00007FF72C031000-memory.dmp	xmrig
behavioral2/memory/3160-385-0x00007FF6FC720000-0x00007FF6FCB11000-memory.dmp	xmrig
behavioral2/memory/3980-384-0x00007FF7B8C10000-0x00007FF7B9001000-memory.dmp	xmrig
behavioral2/memory/5056-386-0x00007FF692130000-0x00007FF692521000-memory.dmp	xmrig
behavioral2/memory/4384-390-0x00007FF6C7C50000-0x00007FF6C8041000-memory.dmp	xmrig
behavioral2/memory/1704-409-0x00007FF68F180000-0x00007FF68F571000-memory.dmp	xmrig
behavioral2/memory/4544-422-0x00007FF644F50000-0x00007FF645341000-memory.dmp	xmrig
behavioral2/memory/1652-420-0x00007FF6323B0000-0x00007FF6327A1000-memory.dmp	xmrig
behavioral2/memory/3556-429-0x00007FF7A6B40000-0x00007FF7A6F31000-memory.dmp	xmrig
behavioral2/memory/4580-428-0x00007FF6CAAC0000-0x00007FF6CAEB1000-memory.dmp	xmrig
behavioral2/memory/2892-406-0x00007FF667640000-0x00007FF667A31000-memory.dmp	xmrig
behavioral2/memory/1556-400-0x00007FF73FB70000-0x00007FF73FF61000-memory.dmp	xmrig
behavioral2/memory/4316-394-0x00007FF75EB10000-0x00007FF75EF01000-memory.dmp	xmrig
behavioral2/memory/4168-435-0x00007FF686B60000-0x00007FF686F51000-memory.dmp	xmrig
behavioral2/memory/2200-438-0x00007FF75E800000-0x00007FF75EBF1000-memory.dmp	xmrig
behavioral2/memory/3936-442-0x00007FF635620000-0x00007FF635A11000-memory.dmp	xmrig
behavioral2/memory/2628-434-0x00007FF765B30000-0x00007FF765F21000-memory.dmp	xmrig
behavioral2/memory/2172-432-0x00007FF790510000-0x00007FF790901000-memory.dmp	xmrig
behavioral2/memory/4660-446-0x00007FF6427F0000-0x00007FF642BE1000-memory.dmp	xmrig
behavioral2/memory/4856-466-0x00007FF764EC0000-0x00007FF7652B1000-memory.dmp	xmrig
behavioral2/memory/3652-462-0x00007FF6F2750000-0x00007FF6F2B41000-memory.dmp	xmrig
behavioral2/memory/960-454-0x00007FF6DBDF0000-0x00007FF6DC1E1000-memory.dmp	xmrig
behavioral2/memory/3056-2013-0x00007FF7D4CE0000-0x00007FF7D50D1000-memory.dmp	xmrig
behavioral2/memory/548-2019-0x00007FF6E7A10000-0x00007FF6E7E01000-memory.dmp	xmrig
behavioral2/memory/960-2021-0x00007FF6DBDF0000-0x00007FF6DC1E1000-memory.dmp	xmrig
behavioral2/memory/3056-2023-0x00007FF7D4CE0000-0x00007FF7D50D1000-memory.dmp	xmrig
behavioral2/memory/1584-2027-0x00007FF72BC40000-0x00007FF72C031000-memory.dmp	xmrig
behavioral2/memory/3652-2025-0x00007FF6F2750000-0x00007FF6F2B41000-memory.dmp	xmrig
behavioral2/memory/3980-2029-0x00007FF7B8C10000-0x00007FF7B9001000-memory.dmp	xmrig
behavioral2/memory/4856-2031-0x00007FF764EC0000-0x00007FF7652B1000-memory.dmp	xmrig
behavioral2/memory/3160-2035-0x00007FF6FC720000-0x00007FF6FCB11000-memory.dmp	xmrig
behavioral2/memory/5056-2043-0x00007FF692130000-0x00007FF692521000-memory.dmp	xmrig
behavioral2/memory/4384-2041-0x00007FF6C7C50000-0x00007FF6C8041000-memory.dmp	xmrig
behavioral2/memory/1556-2033-0x00007FF73FB70000-0x00007FF73FF61000-memory.dmp	xmrig
behavioral2/memory/4580-2051-0x00007FF6CAAC0000-0x00007FF6CAEB1000-memory.dmp	xmrig
behavioral2/memory/3556-2053-0x00007FF7A6B40000-0x00007FF7A6F31000-memory.dmp	xmrig
behavioral2/memory/4544-2049-0x00007FF644F50000-0x00007FF645341000-memory.dmp	xmrig
behavioral2/memory/1652-2047-0x00007FF6323B0000-0x00007FF6327A1000-memory.dmp	xmrig
behavioral2/memory/4316-2039-0x00007FF75EB10000-0x00007FF75EF01000-memory.dmp	xmrig
behavioral2/memory/2892-2045-0x00007FF667640000-0x00007FF667A31000-memory.dmp	xmrig
behavioral2/memory/1704-2037-0x00007FF68F180000-0x00007FF68F571000-memory.dmp	xmrig
behavioral2/memory/2628-2059-0x00007FF765B30000-0x00007FF765F21000-memory.dmp	xmrig
behavioral2/memory/2172-2057-0x00007FF790510000-0x00007FF790901000-memory.dmp	xmrig
behavioral2/memory/2200-2055-0x00007FF75E800000-0x00007FF75EBF1000-memory.dmp	xmrig
behavioral2/memory/3936-2073-0x00007FF635620000-0x00007FF635A11000-memory.dmp	xmrig
behavioral2/memory/4660-2066-0x00007FF6427F0000-0x00007FF642BE1000-memory.dmp	xmrig
behavioral2/memory/4168-2061-0x00007FF686B60000-0x00007FF686F51000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
548	giRZLDG.exe
960	PrKElzJ.exe
3056	dHBDGKE.exe
3652	XUXBsjA.exe
1584	CKBifsr.exe
3980	hEoldMS.exe
4856	IrDuLXZ.exe
3160	LQFSmeC.exe
5056	TuYElzN.exe
4384	RUVTiqZ.exe
4316	XaeNLWZ.exe
1556	YHtfsCK.exe
2892	prBpDdU.exe
1704	pmHpWnn.exe
1652	cPBWChm.exe
4544	kqKTpmd.exe
4580	AHwIltV.exe
3556	cSrpWPr.exe
2172	ZMgEXVw.exe
2628	NfPpbRg.exe
4168	jBSnAnM.exe
2200	FTqKCYZ.exe
3936	hjFzIVM.exe
4660	GHcvWRl.exe
3448	TTWUYnW.exe
5012	EteCOMl.exe
628	OWhjuDN.exe
1144	yWKFqIS.exe
696	DPUoqCk.exe
3708	FlWlcht.exe
3184	aJmxVMh.exe
2684	uhhtcjR.exe
756	qrgdHjq.exe
3588	alUUxlj.exe
1848	okOagxn.exe
372	ecSyVar.exe
2932	VxNPsuc.exe
2764	kjjISQd.exe
5048	jfnshli.exe
1296	bkruLUr.exe
2056	rESVANb.exe
4220	IkVDdtc.exe
796	vnxsFJV.exe
1588	zLYmGSv.exe
724	JFeERFc.exe
4888	MDWiMpB.exe
1444	nuugWrr.exe
4512	XwPggoN.exe
4484	yhAXITi.exe
4848	Fmdlzdx.exe
3432	KYjGSRw.exe
2784	NdTLDLk.exe
3256	EvsGnZM.exe
1976	jvARBfJ.exe
4564	awopiaU.exe
3564	kprVsjj.exe
1260	bdZraOk.exe
4788	wWDkeNx.exe
5016	gVIPJYy.exe
2988	JqlqrcX.exe
2104	kEzdDyk.exe
3416	CXEtmuT.exe
1360	tOYWCoO.exe
1964	ARgcwEv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3016-0-0x00007FF78DBA0000-0x00007FF78DF91000-memory.dmp	upx
behavioral2/files/0x00080000000234a8-5.dat	upx
behavioral2/files/0x00070000000234ac-7.dat	upx
behavioral2/files/0x00070000000234ae-17.dat	upx
behavioral2/memory/548-16-0x00007FF6E7A10000-0x00007FF6E7E01000-memory.dmp	upx
behavioral2/files/0x00070000000234ad-19.dat	upx
behavioral2/files/0x00070000000234af-24.dat	upx
behavioral2/files/0x00070000000234b1-38.dat	upx
behavioral2/files/0x00070000000234b2-40.dat	upx
behavioral2/files/0x00070000000234b3-51.dat	upx
behavioral2/files/0x00070000000234b4-56.dat	upx
behavioral2/files/0x00070000000234b6-60.dat	upx
behavioral2/files/0x00070000000234bb-88.dat	upx
behavioral2/files/0x00070000000234bd-101.dat	upx
behavioral2/files/0x00070000000234c4-136.dat	upx
behavioral2/files/0x00070000000234c9-161.dat	upx
behavioral2/memory/1584-383-0x00007FF72BC40000-0x00007FF72C031000-memory.dmp	upx
behavioral2/memory/3160-385-0x00007FF6FC720000-0x00007FF6FCB11000-memory.dmp	upx
behavioral2/memory/3980-384-0x00007FF7B8C10000-0x00007FF7B9001000-memory.dmp	upx
behavioral2/memory/5056-386-0x00007FF692130000-0x00007FF692521000-memory.dmp	upx
behavioral2/files/0x00070000000234ca-163.dat	upx
behavioral2/files/0x00070000000234c8-156.dat	upx
behavioral2/files/0x00070000000234c7-151.dat	upx
behavioral2/memory/4384-390-0x00007FF6C7C50000-0x00007FF6C8041000-memory.dmp	upx
behavioral2/memory/1704-409-0x00007FF68F180000-0x00007FF68F571000-memory.dmp	upx
behavioral2/memory/4544-422-0x00007FF644F50000-0x00007FF645341000-memory.dmp	upx
behavioral2/memory/1652-420-0x00007FF6323B0000-0x00007FF6327A1000-memory.dmp	upx
behavioral2/memory/3556-429-0x00007FF7A6B40000-0x00007FF7A6F31000-memory.dmp	upx
behavioral2/memory/4580-428-0x00007FF6CAAC0000-0x00007FF6CAEB1000-memory.dmp	upx
behavioral2/memory/2892-406-0x00007FF667640000-0x00007FF667A31000-memory.dmp	upx
behavioral2/memory/1556-400-0x00007FF73FB70000-0x00007FF73FF61000-memory.dmp	upx
behavioral2/memory/4316-394-0x00007FF75EB10000-0x00007FF75EF01000-memory.dmp	upx
behavioral2/files/0x00070000000234c6-143.dat	upx
behavioral2/files/0x00070000000234c5-141.dat	upx
behavioral2/memory/4168-435-0x00007FF686B60000-0x00007FF686F51000-memory.dmp	upx
behavioral2/memory/2200-438-0x00007FF75E800000-0x00007FF75EBF1000-memory.dmp	upx
behavioral2/memory/3936-442-0x00007FF635620000-0x00007FF635A11000-memory.dmp	upx
behavioral2/memory/2628-434-0x00007FF765B30000-0x00007FF765F21000-memory.dmp	upx
behavioral2/memory/2172-432-0x00007FF790510000-0x00007FF790901000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-131.dat	upx
behavioral2/files/0x00070000000234c2-126.dat	upx
behavioral2/files/0x00070000000234c1-119.dat	upx
behavioral2/files/0x00070000000234c0-113.dat	upx
behavioral2/files/0x00070000000234bf-111.dat	upx
behavioral2/files/0x00070000000234be-106.dat	upx
behavioral2/files/0x00070000000234bc-96.dat	upx
behavioral2/files/0x00070000000234ba-84.dat	upx
behavioral2/files/0x00070000000234b9-81.dat	upx
behavioral2/files/0x00070000000234b8-76.dat	upx
behavioral2/files/0x00070000000234b7-68.dat	upx
behavioral2/files/0x00070000000234b5-58.dat	upx
behavioral2/files/0x00070000000234b0-36.dat	upx
behavioral2/memory/3056-32-0x00007FF7D4CE0000-0x00007FF7D50D1000-memory.dmp	upx
behavioral2/memory/4660-446-0x00007FF6427F0000-0x00007FF642BE1000-memory.dmp	upx
behavioral2/memory/4856-466-0x00007FF764EC0000-0x00007FF7652B1000-memory.dmp	upx
behavioral2/memory/3652-462-0x00007FF6F2750000-0x00007FF6F2B41000-memory.dmp	upx
behavioral2/memory/960-454-0x00007FF6DBDF0000-0x00007FF6DC1E1000-memory.dmp	upx
behavioral2/memory/3056-2013-0x00007FF7D4CE0000-0x00007FF7D50D1000-memory.dmp	upx
behavioral2/memory/548-2019-0x00007FF6E7A10000-0x00007FF6E7E01000-memory.dmp	upx
behavioral2/memory/960-2021-0x00007FF6DBDF0000-0x00007FF6DC1E1000-memory.dmp	upx
behavioral2/memory/3056-2023-0x00007FF7D4CE0000-0x00007FF7D50D1000-memory.dmp	upx
behavioral2/memory/1584-2027-0x00007FF72BC40000-0x00007FF72C031000-memory.dmp	upx
behavioral2/memory/3652-2025-0x00007FF6F2750000-0x00007FF6F2B41000-memory.dmp	upx
behavioral2/memory/3980-2029-0x00007FF7B8C10000-0x00007FF7B9001000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\EIpVfdL.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\gSNQgsZ.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\wbMQEJH.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\ztoroMz.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\bQhxFFu.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\eEBFVyj.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\ufTiWjJ.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\JTlZkdA.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\xZnVcuq.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\KXiNfLy.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\nFDypkQ.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\PoyrtTB.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\XaeNLWZ.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\dKMCVFY.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\xFcybAc.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\UwMGtLg.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\YIAwgPP.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\ducIsXf.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\zYDXQki.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\KcVkQWc.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\qWfmnHC.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\cakiqia.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\RUVTiqZ.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\YHtfsCK.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\vabGdai.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\GHUpRQu.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\oSlgymv.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\LttDhDn.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\fMutmHr.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\sKjpyNC.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\TTWUYnW.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\eafIJxY.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\pzlxOzT.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\zjbXBDT.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\zayLsGt.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\TZOFKQn.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\LHjnIOm.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\WpEjhQY.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\NdEoczp.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\YCvShuc.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\QPrvZez.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\kEzdDyk.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\DErOgfw.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\LUmqrGa.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\rVOFZPr.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\dcVEyxc.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\JFJHHBG.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\gVIPJYy.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\zJBMgJS.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\rYBHQWt.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\EGtbuAF.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\CuCSsyP.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\SisYzbq.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\pckykci.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\FQFOkxT.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\jaEnGsH.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\qlPqUKb.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\uSdSbxH.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\nkdVkjU.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\raSNRJt.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\ltERwDa.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\yrHkdMp.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\tNuzVTr.exe	881b1a383eab14f59e6a575fc3f9a920N.exe
File created	C:\Windows\System32\GSgKgYo.exe	881b1a383eab14f59e6a575fc3f9a920N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12624	dwm.exe
Token: SeChangeNotifyPrivilege	12624	dwm.exe
Token: 33	12624	dwm.exe
Token: SeIncBasePriorityPrivilege	12624	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 548	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	85
PID 3016 wrote to memory of 548	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	85
PID 3016 wrote to memory of 960	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	86
PID 3016 wrote to memory of 960	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	86
PID 3016 wrote to memory of 3056	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	87
PID 3016 wrote to memory of 3056	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	87
PID 3016 wrote to memory of 3652	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	88
PID 3016 wrote to memory of 3652	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	88
PID 3016 wrote to memory of 1584	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	89
PID 3016 wrote to memory of 1584	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	89
PID 3016 wrote to memory of 3980	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	90
PID 3016 wrote to memory of 3980	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	90
PID 3016 wrote to memory of 4856	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	91
PID 3016 wrote to memory of 4856	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	91
PID 3016 wrote to memory of 3160	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	92
PID 3016 wrote to memory of 3160	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	92
PID 3016 wrote to memory of 5056	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	93
PID 3016 wrote to memory of 5056	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	93
PID 3016 wrote to memory of 4384	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	94
PID 3016 wrote to memory of 4384	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	94
PID 3016 wrote to memory of 4316	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	95
PID 3016 wrote to memory of 4316	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	95
PID 3016 wrote to memory of 1556	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	96
PID 3016 wrote to memory of 1556	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	96
PID 3016 wrote to memory of 2892	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	97
PID 3016 wrote to memory of 2892	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	97
PID 3016 wrote to memory of 1704	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	98
PID 3016 wrote to memory of 1704	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	98
PID 3016 wrote to memory of 1652	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	99
PID 3016 wrote to memory of 1652	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	99
PID 3016 wrote to memory of 4544	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	100
PID 3016 wrote to memory of 4544	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	100
PID 3016 wrote to memory of 4580	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	101
PID 3016 wrote to memory of 4580	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	101
PID 3016 wrote to memory of 3556	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	102
PID 3016 wrote to memory of 3556	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	102
PID 3016 wrote to memory of 2172	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	103
PID 3016 wrote to memory of 2172	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	103
PID 3016 wrote to memory of 2628	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	104
PID 3016 wrote to memory of 2628	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	104
PID 3016 wrote to memory of 4168	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	105
PID 3016 wrote to memory of 4168	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	105
PID 3016 wrote to memory of 2200	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	106
PID 3016 wrote to memory of 2200	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	106
PID 3016 wrote to memory of 3936	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	107
PID 3016 wrote to memory of 3936	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	107
PID 3016 wrote to memory of 4660	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	108
PID 3016 wrote to memory of 4660	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	108
PID 3016 wrote to memory of 3448	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	109
PID 3016 wrote to memory of 3448	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	109
PID 3016 wrote to memory of 5012	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	110
PID 3016 wrote to memory of 5012	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	110
PID 3016 wrote to memory of 628	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	111
PID 3016 wrote to memory of 628	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	111
PID 3016 wrote to memory of 1144	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	112
PID 3016 wrote to memory of 1144	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	112
PID 3016 wrote to memory of 696	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	113
PID 3016 wrote to memory of 696	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	113
PID 3016 wrote to memory of 3708	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	114
PID 3016 wrote to memory of 3708	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	114
PID 3016 wrote to memory of 3184	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	115
PID 3016 wrote to memory of 3184	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	115
PID 3016 wrote to memory of 2684	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	116
PID 3016 wrote to memory of 2684	3016	881b1a383eab14f59e6a575fc3f9a920N.exe	116

C:\Users\Admin\AppData\Local\Temp\881b1a383eab14f59e6a575fc3f9a920N.exe
"C:\Users\Admin\AppData\Local\Temp\881b1a383eab14f59e6a575fc3f9a920N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\System32\giRZLDG.exe
  C:\Windows\System32\giRZLDG.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\PrKElzJ.exe
  C:\Windows\System32\PrKElzJ.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System32\dHBDGKE.exe
  C:\Windows\System32\dHBDGKE.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\XUXBsjA.exe
  C:\Windows\System32\XUXBsjA.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\CKBifsr.exe
  C:\Windows\System32\CKBifsr.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System32\hEoldMS.exe
  C:\Windows\System32\hEoldMS.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System32\IrDuLXZ.exe
  C:\Windows\System32\IrDuLXZ.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\LQFSmeC.exe
  C:\Windows\System32\LQFSmeC.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System32\TuYElzN.exe
  C:\Windows\System32\TuYElzN.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\RUVTiqZ.exe
  C:\Windows\System32\RUVTiqZ.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\XaeNLWZ.exe
  C:\Windows\System32\XaeNLWZ.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\YHtfsCK.exe
  C:\Windows\System32\YHtfsCK.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System32\prBpDdU.exe
  C:\Windows\System32\prBpDdU.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\pmHpWnn.exe
  C:\Windows\System32\pmHpWnn.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System32\cPBWChm.exe
  C:\Windows\System32\cPBWChm.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System32\kqKTpmd.exe
  C:\Windows\System32\kqKTpmd.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\AHwIltV.exe
  C:\Windows\System32\AHwIltV.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System32\cSrpWPr.exe
  C:\Windows\System32\cSrpWPr.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\ZMgEXVw.exe
  C:\Windows\System32\ZMgEXVw.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System32\NfPpbRg.exe
  C:\Windows\System32\NfPpbRg.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System32\jBSnAnM.exe
  C:\Windows\System32\jBSnAnM.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System32\FTqKCYZ.exe
  C:\Windows\System32\FTqKCYZ.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System32\hjFzIVM.exe
  C:\Windows\System32\hjFzIVM.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System32\GHcvWRl.exe
  C:\Windows\System32\GHcvWRl.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\TTWUYnW.exe
  C:\Windows\System32\TTWUYnW.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\EteCOMl.exe
  C:\Windows\System32\EteCOMl.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\OWhjuDN.exe
  C:\Windows\System32\OWhjuDN.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System32\yWKFqIS.exe
  C:\Windows\System32\yWKFqIS.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System32\DPUoqCk.exe
  C:\Windows\System32\DPUoqCk.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System32\FlWlcht.exe
  C:\Windows\System32\FlWlcht.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\aJmxVMh.exe
  C:\Windows\System32\aJmxVMh.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\uhhtcjR.exe
  C:\Windows\System32\uhhtcjR.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System32\qrgdHjq.exe
  C:\Windows\System32\qrgdHjq.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\alUUxlj.exe
  C:\Windows\System32\alUUxlj.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System32\okOagxn.exe
  C:\Windows\System32\okOagxn.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System32\ecSyVar.exe
  C:\Windows\System32\ecSyVar.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System32\VxNPsuc.exe
  C:\Windows\System32\VxNPsuc.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System32\kjjISQd.exe
  C:\Windows\System32\kjjISQd.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\jfnshli.exe
  C:\Windows\System32\jfnshli.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\bkruLUr.exe
  C:\Windows\System32\bkruLUr.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System32\rESVANb.exe
  C:\Windows\System32\rESVANb.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System32\IkVDdtc.exe
  C:\Windows\System32\IkVDdtc.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\vnxsFJV.exe
  C:\Windows\System32\vnxsFJV.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System32\zLYmGSv.exe
  C:\Windows\System32\zLYmGSv.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\JFeERFc.exe
  C:\Windows\System32\JFeERFc.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System32\MDWiMpB.exe
  C:\Windows\System32\MDWiMpB.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System32\nuugWrr.exe
  C:\Windows\System32\nuugWrr.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System32\XwPggoN.exe
  C:\Windows\System32\XwPggoN.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\yhAXITi.exe
  C:\Windows\System32\yhAXITi.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System32\Fmdlzdx.exe
  C:\Windows\System32\Fmdlzdx.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\KYjGSRw.exe
  C:\Windows\System32\KYjGSRw.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System32\NdTLDLk.exe
  C:\Windows\System32\NdTLDLk.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System32\EvsGnZM.exe
  C:\Windows\System32\EvsGnZM.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\jvARBfJ.exe
  C:\Windows\System32\jvARBfJ.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System32\awopiaU.exe
  C:\Windows\System32\awopiaU.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System32\kprVsjj.exe
  C:\Windows\System32\kprVsjj.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System32\bdZraOk.exe
  C:\Windows\System32\bdZraOk.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System32\wWDkeNx.exe
  C:\Windows\System32\wWDkeNx.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\gVIPJYy.exe
  C:\Windows\System32\gVIPJYy.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\JqlqrcX.exe
  C:\Windows\System32\JqlqrcX.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\kEzdDyk.exe
  C:\Windows\System32\kEzdDyk.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System32\CXEtmuT.exe
  C:\Windows\System32\CXEtmuT.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System32\tOYWCoO.exe
  C:\Windows\System32\tOYWCoO.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System32\ARgcwEv.exe
  C:\Windows\System32\ARgcwEv.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System32\cvFoFuE.exe
  C:\Windows\System32\cvFoFuE.exe
  2⤵
  PID:3032
- C:\Windows\System32\SCcvbAC.exe
  C:\Windows\System32\SCcvbAC.exe
  2⤵
  PID:4816
- C:\Windows\System32\bzayLUL.exe
  C:\Windows\System32\bzayLUL.exe
  2⤵
  PID:764
- C:\Windows\System32\iDDLHTY.exe
  C:\Windows\System32\iDDLHTY.exe
  2⤵
  PID:4420
- C:\Windows\System32\TZOFKQn.exe
  C:\Windows\System32\TZOFKQn.exe
  2⤵
  PID:992
- C:\Windows\System32\TqOboXu.exe
  C:\Windows\System32\TqOboXu.exe
  2⤵
  PID:4904
- C:\Windows\System32\RlnWHME.exe
  C:\Windows\System32\RlnWHME.exe
  2⤵
  PID:2088
- C:\Windows\System32\vAmKwYp.exe
  C:\Windows\System32\vAmKwYp.exe
  2⤵
  PID:1464
- C:\Windows\System32\MbnXiLE.exe
  C:\Windows\System32\MbnXiLE.exe
  2⤵
  PID:4892
- C:\Windows\System32\AgfuWuq.exe
  C:\Windows\System32\AgfuWuq.exe
  2⤵
  PID:3316
- C:\Windows\System32\SisYzbq.exe
  C:\Windows\System32\SisYzbq.exe
  2⤵
  PID:3508
- C:\Windows\System32\KODQACQ.exe
  C:\Windows\System32\KODQACQ.exe
  2⤵
  PID:4016
- C:\Windows\System32\xCKOkyC.exe
  C:\Windows\System32\xCKOkyC.exe
  2⤵
  PID:4792
- C:\Windows\System32\TwUrXGy.exe
  C:\Windows\System32\TwUrXGy.exe
  2⤵
  PID:4156
- C:\Windows\System32\UrnwQpQ.exe
  C:\Windows\System32\UrnwQpQ.exe
  2⤵
  PID:1528
- C:\Windows\System32\DlfYIoJ.exe
  C:\Windows\System32\DlfYIoJ.exe
  2⤵
  PID:1884
- C:\Windows\System32\BJqwJiv.exe
  C:\Windows\System32\BJqwJiv.exe
  2⤵
  PID:2700
- C:\Windows\System32\hLPlXKf.exe
  C:\Windows\System32\hLPlXKf.exe
  2⤵
  PID:4412
- C:\Windows\System32\uMBFQnU.exe
  C:\Windows\System32\uMBFQnU.exe
  2⤵
  PID:2432
- C:\Windows\System32\zRPWZZY.exe
  C:\Windows\System32\zRPWZZY.exe
  2⤵
  PID:2180
- C:\Windows\System32\wjRUQIf.exe
  C:\Windows\System32\wjRUQIf.exe
  2⤵
  PID:4080
- C:\Windows\System32\QOaZjit.exe
  C:\Windows\System32\QOaZjit.exe
  2⤵
  PID:1172
- C:\Windows\System32\oSlgymv.exe
  C:\Windows\System32\oSlgymv.exe
  2⤵
  PID:1996
- C:\Windows\System32\rCsWONk.exe
  C:\Windows\System32\rCsWONk.exe
  2⤵
  PID:1972
- C:\Windows\System32\DyZhIPQ.exe
  C:\Windows\System32\DyZhIPQ.exe
  2⤵
  PID:1012
- C:\Windows\System32\JtImBGK.exe
  C:\Windows\System32\JtImBGK.exe
  2⤵
  PID:5000
- C:\Windows\System32\vabGdai.exe
  C:\Windows\System32\vabGdai.exe
  2⤵
  PID:904
- C:\Windows\System32\SCfgZQT.exe
  C:\Windows\System32\SCfgZQT.exe
  2⤵
  PID:3288
- C:\Windows\System32\FZJfllZ.exe
  C:\Windows\System32\FZJfllZ.exe
  2⤵
  PID:1752
- C:\Windows\System32\RgSIwgJ.exe
  C:\Windows\System32\RgSIwgJ.exe
  2⤵
  PID:2440
- C:\Windows\System32\oanzYfi.exe
  C:\Windows\System32\oanzYfi.exe
  2⤵
  PID:4372
- C:\Windows\System32\hCEkwxm.exe
  C:\Windows\System32\hCEkwxm.exe
  2⤵
  PID:1404
- C:\Windows\System32\GjKbXmY.exe
  C:\Windows\System32\GjKbXmY.exe
  2⤵
  PID:4356
- C:\Windows\System32\CodJdgN.exe
  C:\Windows\System32\CodJdgN.exe
  2⤵
  PID:4676
- C:\Windows\System32\vTrJbkS.exe
  C:\Windows\System32\vTrJbkS.exe
  2⤵
  PID:3136
- C:\Windows\System32\GKCUthi.exe
  C:\Windows\System32\GKCUthi.exe
  2⤵
  PID:5132
- C:\Windows\System32\gazIvGE.exe
  C:\Windows\System32\gazIvGE.exe
  2⤵
  PID:5160
- C:\Windows\System32\uljmiXZ.exe
  C:\Windows\System32\uljmiXZ.exe
  2⤵
  PID:5184
- C:\Windows\System32\yGgdsAg.exe
  C:\Windows\System32\yGgdsAg.exe
  2⤵
  PID:5212
- C:\Windows\System32\tEsjnXT.exe
  C:\Windows\System32\tEsjnXT.exe
  2⤵
  PID:5240
- C:\Windows\System32\yOStpXn.exe
  C:\Windows\System32\yOStpXn.exe
  2⤵
  PID:5268
- C:\Windows\System32\aiMARsc.exe
  C:\Windows\System32\aiMARsc.exe
  2⤵
  PID:5300
- C:\Windows\System32\xyBJJgg.exe
  C:\Windows\System32\xyBJJgg.exe
  2⤵
  PID:5364
- C:\Windows\System32\LvHyuUa.exe
  C:\Windows\System32\LvHyuUa.exe
  2⤵
  PID:5404
- C:\Windows\System32\TxjxFQa.exe
  C:\Windows\System32\TxjxFQa.exe
  2⤵
  PID:5428
- C:\Windows\System32\gRUFJCX.exe
  C:\Windows\System32\gRUFJCX.exe
  2⤵
  PID:5472
- C:\Windows\System32\nFTGoDk.exe
  C:\Windows\System32\nFTGoDk.exe
  2⤵
  PID:5492
- C:\Windows\System32\NtuQjZb.exe
  C:\Windows\System32\NtuQjZb.exe
  2⤵
  PID:5524
- C:\Windows\System32\PawfsdH.exe
  C:\Windows\System32\PawfsdH.exe
  2⤵
  PID:5540
- C:\Windows\System32\bQhxFFu.exe
  C:\Windows\System32\bQhxFFu.exe
  2⤵
  PID:5564
- C:\Windows\System32\ZsEABUZ.exe
  C:\Windows\System32\ZsEABUZ.exe
  2⤵
  PID:5580
- C:\Windows\System32\bWrgHvw.exe
  C:\Windows\System32\bWrgHvw.exe
  2⤵
  PID:5604
- C:\Windows\System32\lCRebxy.exe
  C:\Windows\System32\lCRebxy.exe
  2⤵
  PID:5668
- C:\Windows\System32\qKzzXFs.exe
  C:\Windows\System32\qKzzXFs.exe
  2⤵
  PID:5724
- C:\Windows\System32\fxcgkpJ.exe
  C:\Windows\System32\fxcgkpJ.exe
  2⤵
  PID:5760
- C:\Windows\System32\HxDJazP.exe
  C:\Windows\System32\HxDJazP.exe
  2⤵
  PID:5800
- C:\Windows\System32\RJhlhxk.exe
  C:\Windows\System32\RJhlhxk.exe
  2⤵
  PID:5860
- C:\Windows\System32\BMGexfV.exe
  C:\Windows\System32\BMGexfV.exe
  2⤵
  PID:5880
- C:\Windows\System32\VrQEMqR.exe
  C:\Windows\System32\VrQEMqR.exe
  2⤵
  PID:5896
- C:\Windows\System32\LHjnIOm.exe
  C:\Windows\System32\LHjnIOm.exe
  2⤵
  PID:5916
- C:\Windows\System32\EWPGVqG.exe
  C:\Windows\System32\EWPGVqG.exe
  2⤵
  PID:5940
- C:\Windows\System32\kTBeFXo.exe
  C:\Windows\System32\kTBeFXo.exe
  2⤵
  PID:5960
- C:\Windows\System32\qSPYDMv.exe
  C:\Windows\System32\qSPYDMv.exe
  2⤵
  PID:5980
- C:\Windows\System32\eEBFVyj.exe
  C:\Windows\System32\eEBFVyj.exe
  2⤵
  PID:6024
- C:\Windows\System32\AeBeZZW.exe
  C:\Windows\System32\AeBeZZW.exe
  2⤵
  PID:6040
- C:\Windows\System32\PNkkVwB.exe
  C:\Windows\System32\PNkkVwB.exe
  2⤵
  PID:6060
- C:\Windows\System32\TiqbsVT.exe
  C:\Windows\System32\TiqbsVT.exe
  2⤵
  PID:6080
- C:\Windows\System32\FkBRsKz.exe
  C:\Windows\System32\FkBRsKz.exe
  2⤵
  PID:6096
- C:\Windows\System32\qgekBDi.exe
  C:\Windows\System32\qgekBDi.exe
  2⤵
  PID:6116
- C:\Windows\System32\JDpEdGW.exe
  C:\Windows\System32\JDpEdGW.exe
  2⤵
  PID:6140
- C:\Windows\System32\bRhkdlo.exe
  C:\Windows\System32\bRhkdlo.exe
  2⤵
  PID:3372
- C:\Windows\System32\ZITnWsa.exe
  C:\Windows\System32\ZITnWsa.exe
  2⤵
  PID:3836
- C:\Windows\System32\ayUpqna.exe
  C:\Windows\System32\ayUpqna.exe
  2⤵
  PID:4236
- C:\Windows\System32\lgAyjEV.exe
  C:\Windows\System32\lgAyjEV.exe
  2⤵
  PID:4516
- C:\Windows\System32\kCWPLmk.exe
  C:\Windows\System32\kCWPLmk.exe
  2⤵
  PID:5264
- C:\Windows\System32\sqfBrrx.exe
  C:\Windows\System32\sqfBrrx.exe
  2⤵
  PID:824
- C:\Windows\System32\pBrfueZ.exe
  C:\Windows\System32\pBrfueZ.exe
  2⤵
  PID:5384
- C:\Windows\System32\iHyPfBO.exe
  C:\Windows\System32\iHyPfBO.exe
  2⤵
  PID:5424
- C:\Windows\System32\JRftMCJ.exe
  C:\Windows\System32\JRftMCJ.exe
  2⤵
  PID:5536
- C:\Windows\System32\pckykci.exe
  C:\Windows\System32\pckykci.exe
  2⤵
  PID:5612
- C:\Windows\System32\TJhHXcP.exe
  C:\Windows\System32\TJhHXcP.exe
  2⤵
  PID:5576
- C:\Windows\System32\wdfxPjZ.exe
  C:\Windows\System32\wdfxPjZ.exe
  2⤵
  PID:5556
- C:\Windows\System32\uUWfVXu.exe
  C:\Windows\System32\uUWfVXu.exe
  2⤵
  PID:5676
- C:\Windows\System32\GRKzyCY.exe
  C:\Windows\System32\GRKzyCY.exe
  2⤵
  PID:5720
- C:\Windows\System32\DErOgfw.exe
  C:\Windows\System32\DErOgfw.exe
  2⤵
  PID:5420
- C:\Windows\System32\jjTLusU.exe
  C:\Windows\System32\jjTLusU.exe
  2⤵
  PID:5992
- C:\Windows\System32\YoWYQjq.exe
  C:\Windows\System32\YoWYQjq.exe
  2⤵
  PID:5924
- C:\Windows\System32\rpIyjHE.exe
  C:\Windows\System32\rpIyjHE.exe
  2⤵
  PID:6092
- C:\Windows\System32\inZxirO.exe
  C:\Windows\System32\inZxirO.exe
  2⤵
  PID:6032
- C:\Windows\System32\dptnhve.exe
  C:\Windows\System32\dptnhve.exe
  2⤵
  PID:6088
- C:\Windows\System32\zHcdFTQ.exe
  C:\Windows\System32\zHcdFTQ.exe
  2⤵
  PID:4536
- C:\Windows\System32\ygOXyAU.exe
  C:\Windows\System32\ygOXyAU.exe
  2⤵
  PID:2780
- C:\Windows\System32\KcVkQWc.exe
  C:\Windows\System32\KcVkQWc.exe
  2⤵
  PID:2024
- C:\Windows\System32\iNwbDjY.exe
  C:\Windows\System32\iNwbDjY.exe
  2⤵
  PID:5256
- C:\Windows\System32\WZtpuSi.exe
  C:\Windows\System32\WZtpuSi.exe
  2⤵
  PID:5308
- C:\Windows\System32\PLzIpWS.exe
  C:\Windows\System32\PLzIpWS.exe
  2⤵
  PID:5708
- C:\Windows\System32\KpSJkhC.exe
  C:\Windows\System32\KpSJkhC.exe
  2⤵
  PID:5772
- C:\Windows\System32\tvGSSMg.exe
  C:\Windows\System32\tvGSSMg.exe
  2⤵
  PID:5516
- C:\Windows\System32\InmavCD.exe
  C:\Windows\System32\InmavCD.exe
  2⤵
  PID:5752
- C:\Windows\System32\BieBEpx.exe
  C:\Windows\System32\BieBEpx.exe
  2⤵
  PID:6104
- C:\Windows\System32\PwlifEl.exe
  C:\Windows\System32\PwlifEl.exe
  2⤵
  PID:2304
- C:\Windows\System32\hRFqlvR.exe
  C:\Windows\System32\hRFqlvR.exe
  2⤵
  PID:4436
- C:\Windows\System32\ufTiWjJ.exe
  C:\Windows\System32\ufTiWjJ.exe
  2⤵
  PID:5588
- C:\Windows\System32\gxxkIUR.exe
  C:\Windows\System32\gxxkIUR.exe
  2⤵
  PID:6016
- C:\Windows\System32\mbExhqz.exe
  C:\Windows\System32\mbExhqz.exe
  2⤵
  PID:5912
- C:\Windows\System32\qcDvihq.exe
  C:\Windows\System32\qcDvihq.exe
  2⤵
  PID:5172
- C:\Windows\System32\WsoSuiN.exe
  C:\Windows\System32\WsoSuiN.exe
  2⤵
  PID:3692
- C:\Windows\System32\cZHgjCY.exe
  C:\Windows\System32\cZHgjCY.exe
  2⤵
  PID:6184
- C:\Windows\System32\rMcHxBu.exe
  C:\Windows\System32\rMcHxBu.exe
  2⤵
  PID:6232
- C:\Windows\System32\ZGvXEvg.exe
  C:\Windows\System32\ZGvXEvg.exe
  2⤵
  PID:6256
- C:\Windows\System32\sCuKeYe.exe
  C:\Windows\System32\sCuKeYe.exe
  2⤵
  PID:6300
- C:\Windows\System32\myEgjJv.exe
  C:\Windows\System32\myEgjJv.exe
  2⤵
  PID:6324
- C:\Windows\System32\NRSNEjX.exe
  C:\Windows\System32\NRSNEjX.exe
  2⤵
  PID:6348
- C:\Windows\System32\EGQFZgp.exe
  C:\Windows\System32\EGQFZgp.exe
  2⤵
  PID:6368
- C:\Windows\System32\WFQiZVg.exe
  C:\Windows\System32\WFQiZVg.exe
  2⤵
  PID:6408
- C:\Windows\System32\WpEjhQY.exe
  C:\Windows\System32\WpEjhQY.exe
  2⤵
  PID:6432
- C:\Windows\System32\gVdmErx.exe
  C:\Windows\System32\gVdmErx.exe
  2⤵
  PID:6456
- C:\Windows\System32\aKndIfv.exe
  C:\Windows\System32\aKndIfv.exe
  2⤵
  PID:6488
- C:\Windows\System32\xAaeZgS.exe
  C:\Windows\System32\xAaeZgS.exe
  2⤵
  PID:6508
- C:\Windows\System32\oQiuRqE.exe
  C:\Windows\System32\oQiuRqE.exe
  2⤵
  PID:6564
- C:\Windows\System32\LPqrvHU.exe
  C:\Windows\System32\LPqrvHU.exe
  2⤵
  PID:6584
- C:\Windows\System32\svZFtHE.exe
  C:\Windows\System32\svZFtHE.exe
  2⤵
  PID:6600
- C:\Windows\System32\YJEioSP.exe
  C:\Windows\System32\YJEioSP.exe
  2⤵
  PID:6636
- C:\Windows\System32\eafIJxY.exe
  C:\Windows\System32\eafIJxY.exe
  2⤵
  PID:6672
- C:\Windows\System32\ulifvsi.exe
  C:\Windows\System32\ulifvsi.exe
  2⤵
  PID:6692
- C:\Windows\System32\zJsyfUR.exe
  C:\Windows\System32\zJsyfUR.exe
  2⤵
  PID:6744
- C:\Windows\System32\pzlxOzT.exe
  C:\Windows\System32\pzlxOzT.exe
  2⤵
  PID:6768
- C:\Windows\System32\wXtQCSC.exe
  C:\Windows\System32\wXtQCSC.exe
  2⤵
  PID:6788
- C:\Windows\System32\ZMQXAcb.exe
  C:\Windows\System32\ZMQXAcb.exe
  2⤵
  PID:6804
- C:\Windows\System32\PYtjhKN.exe
  C:\Windows\System32\PYtjhKN.exe
  2⤵
  PID:6824
- C:\Windows\System32\qWdQisR.exe
  C:\Windows\System32\qWdQisR.exe
  2⤵
  PID:6840
- C:\Windows\System32\lURhIOi.exe
  C:\Windows\System32\lURhIOi.exe
  2⤵
  PID:6864
- C:\Windows\System32\zoOtNAZ.exe
  C:\Windows\System32\zoOtNAZ.exe
  2⤵
  PID:6880
- C:\Windows\System32\sKjpyNC.exe
  C:\Windows\System32\sKjpyNC.exe
  2⤵
  PID:6908
- C:\Windows\System32\RHlmjGL.exe
  C:\Windows\System32\RHlmjGL.exe
  2⤵
  PID:6928
- C:\Windows\System32\SlbJROd.exe
  C:\Windows\System32\SlbJROd.exe
  2⤵
  PID:6948
- C:\Windows\System32\YgeGhDX.exe
  C:\Windows\System32\YgeGhDX.exe
  2⤵
  PID:6968
- C:\Windows\System32\RkVIwIi.exe
  C:\Windows\System32\RkVIwIi.exe
  2⤵
  PID:6988
- C:\Windows\System32\czbTtWA.exe
  C:\Windows\System32\czbTtWA.exe
  2⤵
  PID:7060
- C:\Windows\System32\LBIyofV.exe
  C:\Windows\System32\LBIyofV.exe
  2⤵
  PID:7084
- C:\Windows\System32\mBjWYUC.exe
  C:\Windows\System32\mBjWYUC.exe
  2⤵
  PID:7108
- C:\Windows\System32\ZBizWVV.exe
  C:\Windows\System32\ZBizWVV.exe
  2⤵
  PID:7128
- C:\Windows\System32\yRAJiuW.exe
  C:\Windows\System32\yRAJiuW.exe
  2⤵
  PID:7152
- C:\Windows\System32\tXIlUnk.exe
  C:\Windows\System32\tXIlUnk.exe
  2⤵
  PID:6156
- C:\Windows\System32\tCKdkSj.exe
  C:\Windows\System32\tCKdkSj.exe
  2⤵
  PID:6196
- C:\Windows\System32\mTeGRTd.exe
  C:\Windows\System32\mTeGRTd.exe
  2⤵
  PID:6252
- C:\Windows\System32\xtbdkmB.exe
  C:\Windows\System32\xtbdkmB.exe
  2⤵
  PID:6320
- C:\Windows\System32\BGSOGuQ.exe
  C:\Windows\System32\BGSOGuQ.exe
  2⤵
  PID:6404
- C:\Windows\System32\ymBuZxm.exe
  C:\Windows\System32\ymBuZxm.exe
  2⤵
  PID:6496
- C:\Windows\System32\XKPEEWL.exe
  C:\Windows\System32\XKPEEWL.exe
  2⤵
  PID:6616
- C:\Windows\System32\wEdkXcp.exe
  C:\Windows\System32\wEdkXcp.exe
  2⤵
  PID:6680
- C:\Windows\System32\utjoQei.exe
  C:\Windows\System32\utjoQei.exe
  2⤵
  PID:6684
- C:\Windows\System32\PSzgwAH.exe
  C:\Windows\System32\PSzgwAH.exe
  2⤵
  PID:6764
- C:\Windows\System32\Tlpkpyn.exe
  C:\Windows\System32\Tlpkpyn.exe
  2⤵
  PID:6820
- C:\Windows\System32\KLqadDx.exe
  C:\Windows\System32\KLqadDx.exe
  2⤵
  PID:6872
- C:\Windows\System32\rdfFtoY.exe
  C:\Windows\System32\rdfFtoY.exe
  2⤵
  PID:6608
- C:\Windows\System32\dKMCVFY.exe
  C:\Windows\System32\dKMCVFY.exe
  2⤵
  PID:6776
- C:\Windows\System32\jEbsgPL.exe
  C:\Windows\System32\jEbsgPL.exe
  2⤵
  PID:6888
- C:\Windows\System32\kmdWeqO.exe
  C:\Windows\System32\kmdWeqO.exe
  2⤵
  PID:7100
- C:\Windows\System32\EIpVfdL.exe
  C:\Windows\System32\EIpVfdL.exe
  2⤵
  PID:7096
- C:\Windows\System32\cGTyFUj.exe
  C:\Windows\System32\cGTyFUj.exe
  2⤵
  PID:6364
- C:\Windows\System32\uSiVUTJ.exe
  C:\Windows\System32\uSiVUTJ.exe
  2⤵
  PID:6552
- C:\Windows\System32\BHOtveu.exe
  C:\Windows\System32\BHOtveu.exe
  2⤵
  PID:6532
- C:\Windows\System32\udlxVhE.exe
  C:\Windows\System32\udlxVhE.exe
  2⤵
  PID:6536
- C:\Windows\System32\kVziPEQ.exe
  C:\Windows\System32\kVziPEQ.exe
  2⤵
  PID:6916
- C:\Windows\System32\cuRKHeB.exe
  C:\Windows\System32\cuRKHeB.exe
  2⤵
  PID:7044
- C:\Windows\System32\bGjFnyV.exe
  C:\Windows\System32\bGjFnyV.exe
  2⤵
  PID:7072
- C:\Windows\System32\HBhrqjB.exe
  C:\Windows\System32\HBhrqjB.exe
  2⤵
  PID:6288
- C:\Windows\System32\jhjIzIi.exe
  C:\Windows\System32\jhjIzIi.exe
  2⤵
  PID:6944
- C:\Windows\System32\pzlrzER.exe
  C:\Windows\System32\pzlrzER.exe
  2⤵
  PID:7068
- C:\Windows\System32\dKTRLmg.exe
  C:\Windows\System32\dKTRLmg.exe
  2⤵
  PID:7160
- C:\Windows\System32\FQFOkxT.exe
  C:\Windows\System32\FQFOkxT.exe
  2⤵
  PID:7196
- C:\Windows\System32\avhbNQY.exe
  C:\Windows\System32\avhbNQY.exe
  2⤵
  PID:7248
- C:\Windows\System32\WhMgKRx.exe
  C:\Windows\System32\WhMgKRx.exe
  2⤵
  PID:7268
- C:\Windows\System32\aqqlqQT.exe
  C:\Windows\System32\aqqlqQT.exe
  2⤵
  PID:7288
- C:\Windows\System32\tPWawKV.exe
  C:\Windows\System32\tPWawKV.exe
  2⤵
  PID:7312
- C:\Windows\System32\AGGGCRP.exe
  C:\Windows\System32\AGGGCRP.exe
  2⤵
  PID:7336
- C:\Windows\System32\jUDXMMF.exe
  C:\Windows\System32\jUDXMMF.exe
  2⤵
  PID:7352
- C:\Windows\System32\eepJZZg.exe
  C:\Windows\System32\eepJZZg.exe
  2⤵
  PID:7392
- C:\Windows\System32\amDCyZX.exe
  C:\Windows\System32\amDCyZX.exe
  2⤵
  PID:7428
- C:\Windows\System32\hlMIxQm.exe
  C:\Windows\System32\hlMIxQm.exe
  2⤵
  PID:7444
- C:\Windows\System32\LUmqrGa.exe
  C:\Windows\System32\LUmqrGa.exe
  2⤵
  PID:7468
- C:\Windows\System32\wQGfIHr.exe
  C:\Windows\System32\wQGfIHr.exe
  2⤵
  PID:7488
- C:\Windows\System32\UvCQVjX.exe
  C:\Windows\System32\UvCQVjX.exe
  2⤵
  PID:7512
- C:\Windows\System32\qTAPsBz.exe
  C:\Windows\System32\qTAPsBz.exe
  2⤵
  PID:7540
- C:\Windows\System32\uhfBpJg.exe
  C:\Windows\System32\uhfBpJg.exe
  2⤵
  PID:7588
- C:\Windows\System32\ScTJpty.exe
  C:\Windows\System32\ScTJpty.exe
  2⤵
  PID:7620
- C:\Windows\System32\xwIjgnm.exe
  C:\Windows\System32\xwIjgnm.exe
  2⤵
  PID:7640
- C:\Windows\System32\PLOOeNf.exe
  C:\Windows\System32\PLOOeNf.exe
  2⤵
  PID:7664
- C:\Windows\System32\HiwtwuG.exe
  C:\Windows\System32\HiwtwuG.exe
  2⤵
  PID:7684
- C:\Windows\System32\UTnKUPz.exe
  C:\Windows\System32\UTnKUPz.exe
  2⤵
  PID:7712
- C:\Windows\System32\gSNQgsZ.exe
  C:\Windows\System32\gSNQgsZ.exe
  2⤵
  PID:7728
- C:\Windows\System32\fzYwCLQ.exe
  C:\Windows\System32\fzYwCLQ.exe
  2⤵
  PID:7752
- C:\Windows\System32\SrNKEBj.exe
  C:\Windows\System32\SrNKEBj.exe
  2⤵
  PID:7784
- C:\Windows\System32\UxBLpZh.exe
  C:\Windows\System32\UxBLpZh.exe
  2⤵
  PID:7820
- C:\Windows\System32\udSlimQ.exe
  C:\Windows\System32\udSlimQ.exe
  2⤵
  PID:7852
- C:\Windows\System32\okNXBPv.exe
  C:\Windows\System32\okNXBPv.exe
  2⤵
  PID:7908
- C:\Windows\System32\MrBIcsS.exe
  C:\Windows\System32\MrBIcsS.exe
  2⤵
  PID:7932
- C:\Windows\System32\rQyrqcd.exe
  C:\Windows\System32\rQyrqcd.exe
  2⤵
  PID:7960
- C:\Windows\System32\mNnNtzR.exe
  C:\Windows\System32\mNnNtzR.exe
  2⤵
  PID:7992
- C:\Windows\System32\fLGGucQ.exe
  C:\Windows\System32\fLGGucQ.exe
  2⤵
  PID:8016
- C:\Windows\System32\boZKtSs.exe
  C:\Windows\System32\boZKtSs.exe
  2⤵
  PID:8048
- C:\Windows\System32\yLsZaRZ.exe
  C:\Windows\System32\yLsZaRZ.exe
  2⤵
  PID:8072
- C:\Windows\System32\qGjRPrp.exe
  C:\Windows\System32\qGjRPrp.exe
  2⤵
  PID:8100
- C:\Windows\System32\bwUyrUl.exe
  C:\Windows\System32\bwUyrUl.exe
  2⤵
  PID:8124
- C:\Windows\System32\xFcybAc.exe
  C:\Windows\System32\xFcybAc.exe
  2⤵
  PID:8148
- C:\Windows\System32\YIAwgPP.exe
  C:\Windows\System32\YIAwgPP.exe
  2⤵
  PID:8188
- C:\Windows\System32\cHoFtXQ.exe
  C:\Windows\System32\cHoFtXQ.exe
  2⤵
  PID:7208
- C:\Windows\System32\kutavZj.exe
  C:\Windows\System32\kutavZj.exe
  2⤵
  PID:7256
- C:\Windows\System32\eNBxHcG.exe
  C:\Windows\System32\eNBxHcG.exe
  2⤵
  PID:7320
- C:\Windows\System32\iOztuyi.exe
  C:\Windows\System32\iOztuyi.exe
  2⤵
  PID:7384
- C:\Windows\System32\ducIsXf.exe
  C:\Windows\System32\ducIsXf.exe
  2⤵
  PID:7508
- C:\Windows\System32\zDiaLQu.exe
  C:\Windows\System32\zDiaLQu.exe
  2⤵
  PID:7500
- C:\Windows\System32\gscpstp.exe
  C:\Windows\System32\gscpstp.exe
  2⤵
  PID:7572
- C:\Windows\System32\JWWTqpk.exe
  C:\Windows\System32\JWWTqpk.exe
  2⤵
  PID:7604
- C:\Windows\System32\jcSWWwK.exe
  C:\Windows\System32\jcSWWwK.exe
  2⤵
  PID:7680
- C:\Windows\System32\gjWigYI.exe
  C:\Windows\System32\gjWigYI.exe
  2⤵
  PID:7704
- C:\Windows\System32\ouyDCLu.exe
  C:\Windows\System32\ouyDCLu.exe
  2⤵
  PID:7832
- C:\Windows\System32\DIPoOcr.exe
  C:\Windows\System32\DIPoOcr.exe
  2⤵
  PID:5876
- C:\Windows\System32\lPRWgNU.exe
  C:\Windows\System32\lPRWgNU.exe
  2⤵
  PID:7980
- C:\Windows\System32\rEzeSrq.exe
  C:\Windows\System32\rEzeSrq.exe
  2⤵
  PID:8044
- C:\Windows\System32\hakBkWe.exe
  C:\Windows\System32\hakBkWe.exe
  2⤵
  PID:8116
- C:\Windows\System32\PxrytqG.exe
  C:\Windows\System32\PxrytqG.exe
  2⤵
  PID:8160
- C:\Windows\System32\omawBeB.exe
  C:\Windows\System32\omawBeB.exe
  2⤵
  PID:7308
- C:\Windows\System32\mICZoDw.exe
  C:\Windows\System32\mICZoDw.exe
  2⤵
  PID:7440
- C:\Windows\System32\uhWluEU.exe
  C:\Windows\System32\uhWluEU.exe
  2⤵
  PID:7648
- C:\Windows\System32\EeNkAMu.exe
  C:\Windows\System32\EeNkAMu.exe
  2⤵
  PID:7616
- C:\Windows\System32\vVholYq.exe
  C:\Windows\System32\vVholYq.exe
  2⤵
  PID:7800
- C:\Windows\System32\TTYOICo.exe
  C:\Windows\System32\TTYOICo.exe
  2⤵
  PID:8096
- C:\Windows\System32\cWHazFR.exe
  C:\Windows\System32\cWHazFR.exe
  2⤵
  PID:7180
- C:\Windows\System32\UgdMmCG.exe
  C:\Windows\System32\UgdMmCG.exe
  2⤵
  PID:7532
- C:\Windows\System32\MxFTAxS.exe
  C:\Windows\System32\MxFTAxS.exe
  2⤵
  PID:7864
- C:\Windows\System32\gecSvXB.exe
  C:\Windows\System32\gecSvXB.exe
  2⤵
  PID:8080
- C:\Windows\System32\PtnVFqn.exe
  C:\Windows\System32\PtnVFqn.exe
  2⤵
  PID:7972
- C:\Windows\System32\XpSGuow.exe
  C:\Windows\System32\XpSGuow.exe
  2⤵
  PID:7212
- C:\Windows\System32\jGczrvU.exe
  C:\Windows\System32\jGczrvU.exe
  2⤵
  PID:8228
- C:\Windows\System32\kDRHWpn.exe
  C:\Windows\System32\kDRHWpn.exe
  2⤵
  PID:8256
- C:\Windows\System32\VKGkSXq.exe
  C:\Windows\System32\VKGkSXq.exe
  2⤵
  PID:8272
- C:\Windows\System32\wbMQEJH.exe
  C:\Windows\System32\wbMQEJH.exe
  2⤵
  PID:8296
- C:\Windows\System32\XhIAxFI.exe
  C:\Windows\System32\XhIAxFI.exe
  2⤵
  PID:8328
- C:\Windows\System32\rpvnHEL.exe
  C:\Windows\System32\rpvnHEL.exe
  2⤵
  PID:8380
- C:\Windows\System32\FrqWtuL.exe
  C:\Windows\System32\FrqWtuL.exe
  2⤵
  PID:8408
- C:\Windows\System32\BONuqWV.exe
  C:\Windows\System32\BONuqWV.exe
  2⤵
  PID:8424
- C:\Windows\System32\uFMYFtf.exe
  C:\Windows\System32\uFMYFtf.exe
  2⤵
  PID:8460
- C:\Windows\System32\eBDHrSh.exe
  C:\Windows\System32\eBDHrSh.exe
  2⤵
  PID:8488
- C:\Windows\System32\QZipkso.exe
  C:\Windows\System32\QZipkso.exe
  2⤵
  PID:8512
- C:\Windows\System32\zjbXBDT.exe
  C:\Windows\System32\zjbXBDT.exe
  2⤵
  PID:8532
- C:\Windows\System32\vLMHxyU.exe
  C:\Windows\System32\vLMHxyU.exe
  2⤵
  PID:8564
- C:\Windows\System32\lFRXzku.exe
  C:\Windows\System32\lFRXzku.exe
  2⤵
  PID:8592
- C:\Windows\System32\GzJvbtR.exe
  C:\Windows\System32\GzJvbtR.exe
  2⤵
  PID:8616
- C:\Windows\System32\nelKqVz.exe
  C:\Windows\System32\nelKqVz.exe
  2⤵
  PID:8652
- C:\Windows\System32\lzLKJWA.exe
  C:\Windows\System32\lzLKJWA.exe
  2⤵
  PID:8668
- C:\Windows\System32\Kmlexke.exe
  C:\Windows\System32\Kmlexke.exe
  2⤵
  PID:8700
- C:\Windows\System32\zwiHngb.exe
  C:\Windows\System32\zwiHngb.exe
  2⤵
  PID:8736
- C:\Windows\System32\zBAZsei.exe
  C:\Windows\System32\zBAZsei.exe
  2⤵
  PID:8768
- C:\Windows\System32\XWBZucD.exe
  C:\Windows\System32\XWBZucD.exe
  2⤵
  PID:8788
- C:\Windows\System32\FpGrGux.exe
  C:\Windows\System32\FpGrGux.exe
  2⤵
  PID:8808
- C:\Windows\System32\zOVWlzj.exe
  C:\Windows\System32\zOVWlzj.exe
  2⤵
  PID:8856
- C:\Windows\System32\YFnPcMm.exe
  C:\Windows\System32\YFnPcMm.exe
  2⤵
  PID:8928
- C:\Windows\System32\zJBMgJS.exe
  C:\Windows\System32\zJBMgJS.exe
  2⤵
  PID:8944
- C:\Windows\System32\SbISOcS.exe
  C:\Windows\System32\SbISOcS.exe
  2⤵
  PID:8972
- C:\Windows\System32\EGtbuAF.exe
  C:\Windows\System32\EGtbuAF.exe
  2⤵
  PID:9028
- C:\Windows\System32\bSFflZj.exe
  C:\Windows\System32\bSFflZj.exe
  2⤵
  PID:9048
- C:\Windows\System32\EevNJhP.exe
  C:\Windows\System32\EevNJhP.exe
  2⤵
  PID:9104
- C:\Windows\System32\zlQKGQp.exe
  C:\Windows\System32\zlQKGQp.exe
  2⤵
  PID:9140
- C:\Windows\System32\AxJOwTM.exe
  C:\Windows\System32\AxJOwTM.exe
  2⤵
  PID:9164
- C:\Windows\System32\MsJHFfk.exe
  C:\Windows\System32\MsJHFfk.exe
  2⤵
  PID:9188
- C:\Windows\System32\itXDaYJ.exe
  C:\Windows\System32\itXDaYJ.exe
  2⤵
  PID:9208
- C:\Windows\System32\ukzzeWV.exe
  C:\Windows\System32\ukzzeWV.exe
  2⤵
  PID:8220
- C:\Windows\System32\NPTwPkO.exe
  C:\Windows\System32\NPTwPkO.exe
  2⤵
  PID:8308
- C:\Windows\System32\XwsqYrT.exe
  C:\Windows\System32\XwsqYrT.exe
  2⤵
  PID:8444
- C:\Windows\System32\derrXuG.exe
  C:\Windows\System32\derrXuG.exe
  2⤵
  PID:8500
- C:\Windows\System32\XBJmBnX.exe
  C:\Windows\System32\XBJmBnX.exe
  2⤵
  PID:8604
- C:\Windows\System32\ZsYoBQx.exe
  C:\Windows\System32\ZsYoBQx.exe
  2⤵
  PID:8680
- C:\Windows\System32\CjDexlV.exe
  C:\Windows\System32\CjDexlV.exe
  2⤵
  PID:8732
- C:\Windows\System32\BQvKNgy.exe
  C:\Windows\System32\BQvKNgy.exe
  2⤵
  PID:8844
- C:\Windows\System32\mVzPFes.exe
  C:\Windows\System32\mVzPFes.exe
  2⤵
  PID:8820
- C:\Windows\System32\FszgfPH.exe
  C:\Windows\System32\FszgfPH.exe
  2⤵
  PID:9000
- C:\Windows\System32\OCYcbbS.exe
  C:\Windows\System32\OCYcbbS.exe
  2⤵
  PID:8916
- C:\Windows\System32\nkBmpgf.exe
  C:\Windows\System32\nkBmpgf.exe
  2⤵
  PID:8888
- C:\Windows\System32\qmjbWtx.exe
  C:\Windows\System32\qmjbWtx.exe
  2⤵
  PID:9004
- C:\Windows\System32\EGFDnau.exe
  C:\Windows\System32\EGFDnau.exe
  2⤵
  PID:8952
- C:\Windows\System32\zYDXQki.exe
  C:\Windows\System32\zYDXQki.exe
  2⤵
  PID:9080
- C:\Windows\System32\TEgidiH.exe
  C:\Windows\System32\TEgidiH.exe
  2⤵
  PID:9152
- C:\Windows\System32\sTeabLO.exe
  C:\Windows\System32\sTeabLO.exe
  2⤵
  PID:9196
- C:\Windows\System32\QVjIbKI.exe
  C:\Windows\System32\QVjIbKI.exe
  2⤵
  PID:8404
- C:\Windows\System32\XayUbdJ.exe
  C:\Windows\System32\XayUbdJ.exe
  2⤵
  PID:8480
- C:\Windows\System32\anUTQhy.exe
  C:\Windows\System32\anUTQhy.exe
  2⤵
  PID:8664
- C:\Windows\System32\QVHEqLc.exe
  C:\Windows\System32\QVHEqLc.exe
  2⤵
  PID:8760
- C:\Windows\System32\pptiJLQ.exe
  C:\Windows\System32\pptiJLQ.exe
  2⤵
  PID:8896
- C:\Windows\System32\RmIARUw.exe
  C:\Windows\System32\RmIARUw.exe
  2⤵
  PID:9100
- C:\Windows\System32\wsrHHkQ.exe
  C:\Windows\System32\wsrHHkQ.exe
  2⤵
  PID:8984
- C:\Windows\System32\NRZMJym.exe
  C:\Windows\System32\NRZMJym.exe
  2⤵
  PID:9204
- C:\Windows\System32\opeMNBz.exe
  C:\Windows\System32\opeMNBz.exe
  2⤵
  PID:8660
- C:\Windows\System32\NDdFXlC.exe
  C:\Windows\System32\NDdFXlC.exe
  2⤵
  PID:9172
- C:\Windows\System32\zaBkuQd.exe
  C:\Windows\System32\zaBkuQd.exe
  2⤵
  PID:8892
- C:\Windows\System32\WIeDzRQ.exe
  C:\Windows\System32\WIeDzRQ.exe
  2⤵
  PID:8864
- C:\Windows\System32\rYBHQWt.exe
  C:\Windows\System32\rYBHQWt.exe
  2⤵
  PID:9232
- C:\Windows\System32\AAlLMIK.exe
  C:\Windows\System32\AAlLMIK.exe
  2⤵
  PID:9256
- C:\Windows\System32\BXeTIWm.exe
  C:\Windows\System32\BXeTIWm.exe
  2⤵
  PID:9296
- C:\Windows\System32\EWkBgUg.exe
  C:\Windows\System32\EWkBgUg.exe
  2⤵
  PID:9320
- C:\Windows\System32\jZSsSoW.exe
  C:\Windows\System32\jZSsSoW.exe
  2⤵
  PID:9364
- C:\Windows\System32\HvMmNOj.exe
  C:\Windows\System32\HvMmNOj.exe
  2⤵
  PID:9392
- C:\Windows\System32\EmForjw.exe
  C:\Windows\System32\EmForjw.exe
  2⤵
  PID:9416
- C:\Windows\System32\iCaLKSz.exe
  C:\Windows\System32\iCaLKSz.exe
  2⤵
  PID:9440
- C:\Windows\System32\xNlDqzv.exe
  C:\Windows\System32\xNlDqzv.exe
  2⤵
  PID:9456
- C:\Windows\System32\OTEfUyR.exe
  C:\Windows\System32\OTEfUyR.exe
  2⤵
  PID:9484
- C:\Windows\System32\vaWlcOp.exe
  C:\Windows\System32\vaWlcOp.exe
  2⤵
  PID:9504
- C:\Windows\System32\klSfSbF.exe
  C:\Windows\System32\klSfSbF.exe
  2⤵
  PID:9528
- C:\Windows\System32\NUPxhPC.exe
  C:\Windows\System32\NUPxhPC.exe
  2⤵
  PID:9580
- C:\Windows\System32\jxSrGev.exe
  C:\Windows\System32\jxSrGev.exe
  2⤵
  PID:9612
- C:\Windows\System32\QLXrGnS.exe
  C:\Windows\System32\QLXrGnS.exe
  2⤵
  PID:9632
- C:\Windows\System32\SxjyRqp.exe
  C:\Windows\System32\SxjyRqp.exe
  2⤵
  PID:9680
- C:\Windows\System32\dyDxAXw.exe
  C:\Windows\System32\dyDxAXw.exe
  2⤵
  PID:9700
- C:\Windows\System32\utQPcMJ.exe
  C:\Windows\System32\utQPcMJ.exe
  2⤵
  PID:9732
- C:\Windows\System32\KlcwWky.exe
  C:\Windows\System32\KlcwWky.exe
  2⤵
  PID:9756
- C:\Windows\System32\MMDOhsS.exe
  C:\Windows\System32\MMDOhsS.exe
  2⤵
  PID:9784
- C:\Windows\System32\QlVMZRn.exe
  C:\Windows\System32\QlVMZRn.exe
  2⤵
  PID:9804
- C:\Windows\System32\LCKgvuO.exe
  C:\Windows\System32\LCKgvuO.exe
  2⤵
  PID:9840
- C:\Windows\System32\Edsrdem.exe
  C:\Windows\System32\Edsrdem.exe
  2⤵
  PID:9876
- C:\Windows\System32\kYlFFmx.exe
  C:\Windows\System32\kYlFFmx.exe
  2⤵
  PID:9896
- C:\Windows\System32\DlMMOgQ.exe
  C:\Windows\System32\DlMMOgQ.exe
  2⤵
  PID:9936
- C:\Windows\System32\XJeQLFl.exe
  C:\Windows\System32\XJeQLFl.exe
  2⤵
  PID:9956
- C:\Windows\System32\JCSdMZs.exe
  C:\Windows\System32\JCSdMZs.exe
  2⤵
  PID:9980
- C:\Windows\System32\MfjXgDv.exe
  C:\Windows\System32\MfjXgDv.exe
  2⤵
  PID:9996
- C:\Windows\System32\pHnRmzw.exe
  C:\Windows\System32\pHnRmzw.exe
  2⤵
  PID:10032
- C:\Windows\System32\PvpGOrx.exe
  C:\Windows\System32\PvpGOrx.exe
  2⤵
  PID:10056
- C:\Windows\System32\FGmrqCf.exe
  C:\Windows\System32\FGmrqCf.exe
  2⤵
  PID:10084
- C:\Windows\System32\jdbBlhK.exe
  C:\Windows\System32\jdbBlhK.exe
  2⤵
  PID:10108
- C:\Windows\System32\ImcvXKy.exe
  C:\Windows\System32\ImcvXKy.exe
  2⤵
  PID:10136
- C:\Windows\System32\vMJfoqV.exe
  C:\Windows\System32\vMJfoqV.exe
  2⤵
  PID:10152
- C:\Windows\System32\niRNnZU.exe
  C:\Windows\System32\niRNnZU.exe
  2⤵
  PID:10196
- C:\Windows\System32\PLTdvuu.exe
  C:\Windows\System32\PLTdvuu.exe
  2⤵
  PID:10224
- C:\Windows\System32\SMwtmkQ.exe
  C:\Windows\System32\SMwtmkQ.exe
  2⤵
  PID:8420
- C:\Windows\System32\WvXjKwn.exe
  C:\Windows\System32\WvXjKwn.exe
  2⤵
  PID:9268
- C:\Windows\System32\FRmhxOu.exe
  C:\Windows\System32\FRmhxOu.exe
  2⤵
  PID:9312
- C:\Windows\System32\MheNqFS.exe
  C:\Windows\System32\MheNqFS.exe
  2⤵
  PID:9340
- C:\Windows\System32\raSNRJt.exe
  C:\Windows\System32\raSNRJt.exe
  2⤵
  PID:9436
- C:\Windows\System32\lQWRJWp.exe
  C:\Windows\System32\lQWRJWp.exe
  2⤵
  PID:9500
- C:\Windows\System32\CFsvBhw.exe
  C:\Windows\System32\CFsvBhw.exe
  2⤵
  PID:9540
- C:\Windows\System32\wvUGcWL.exe
  C:\Windows\System32\wvUGcWL.exe
  2⤵
  PID:8588
- C:\Windows\System32\XxXDZiV.exe
  C:\Windows\System32\XxXDZiV.exe
  2⤵
  PID:9800
- C:\Windows\System32\oUkNqoX.exe
  C:\Windows\System32\oUkNqoX.exe
  2⤵
  PID:9828
- C:\Windows\System32\efbzwje.exe
  C:\Windows\System32\efbzwje.exe
  2⤵
  PID:9852
- C:\Windows\System32\APWncNZ.exe
  C:\Windows\System32\APWncNZ.exe
  2⤵
  PID:9904
- C:\Windows\System32\yfxoZzg.exe
  C:\Windows\System32\yfxoZzg.exe
  2⤵
  PID:9952
- C:\Windows\System32\aJzzqeX.exe
  C:\Windows\System32\aJzzqeX.exe
  2⤵
  PID:10100
- C:\Windows\System32\CuCSsyP.exe
  C:\Windows\System32\CuCSsyP.exe
  2⤵
  PID:10072
- C:\Windows\System32\jaEnGsH.exe
  C:\Windows\System32\jaEnGsH.exe
  2⤵
  PID:10144
- C:\Windows\System32\fzbvkKi.exe
  C:\Windows\System32\fzbvkKi.exe
  2⤵
  PID:10188
- C:\Windows\System32\jJjfbtE.exe
  C:\Windows\System32\jJjfbtE.exe
  2⤵
  PID:9244
- C:\Windows\System32\awJUniQ.exe
  C:\Windows\System32\awJUniQ.exe
  2⤵
  PID:9752
- C:\Windows\System32\UURKGOA.exe
  C:\Windows\System32\UURKGOA.exe
  2⤵
  PID:9776
- C:\Windows\System32\DoNUQgy.exe
  C:\Windows\System32\DoNUQgy.exe
  2⤵
  PID:9036
- C:\Windows\System32\NWiuDDo.exe
  C:\Windows\System32\NWiuDDo.exe
  2⤵
  PID:9916
- C:\Windows\System32\HUyQggx.exe
  C:\Windows\System32\HUyQggx.exe
  2⤵
  PID:9992
- C:\Windows\System32\aTibnQl.exe
  C:\Windows\System32\aTibnQl.exe
  2⤵
  PID:10204
- C:\Windows\System32\RBOFDkK.exe
  C:\Windows\System32\RBOFDkK.exe
  2⤵
  PID:9332
- C:\Windows\System32\jBaqcFp.exe
  C:\Windows\System32\jBaqcFp.exe
  2⤵
  PID:10164
- C:\Windows\System32\uzYylyR.exe
  C:\Windows\System32\uzYylyR.exe
  2⤵
  PID:10260
- C:\Windows\System32\llybtYa.exe
  C:\Windows\System32\llybtYa.exe
  2⤵
  PID:10276
- C:\Windows\System32\qWfmnHC.exe
  C:\Windows\System32\qWfmnHC.exe
  2⤵
  PID:10292
- C:\Windows\System32\rKjdkfZ.exe
  C:\Windows\System32\rKjdkfZ.exe
  2⤵
  PID:10324
- C:\Windows\System32\chQiUtb.exe
  C:\Windows\System32\chQiUtb.exe
  2⤵
  PID:10348
- C:\Windows\System32\nGgoqdT.exe
  C:\Windows\System32\nGgoqdT.exe
  2⤵
  PID:10376
- C:\Windows\System32\DmkusOB.exe
  C:\Windows\System32\DmkusOB.exe
  2⤵
  PID:10404
- C:\Windows\System32\LttDhDn.exe
  C:\Windows\System32\LttDhDn.exe
  2⤵
  PID:10420
- C:\Windows\System32\fMutmHr.exe
  C:\Windows\System32\fMutmHr.exe
  2⤵
  PID:10436
- C:\Windows\System32\XRKJcdV.exe
  C:\Windows\System32\XRKJcdV.exe
  2⤵
  PID:10456
- C:\Windows\System32\AHjcLuE.exe
  C:\Windows\System32\AHjcLuE.exe
  2⤵
  PID:10500
- C:\Windows\System32\WQgWakG.exe
  C:\Windows\System32\WQgWakG.exe
  2⤵
  PID:10544
- C:\Windows\System32\Qpmykjc.exe
  C:\Windows\System32\Qpmykjc.exe
  2⤵
  PID:10564
- C:\Windows\System32\elBchqv.exe
  C:\Windows\System32\elBchqv.exe
  2⤵
  PID:10588
- C:\Windows\System32\zcenElA.exe
  C:\Windows\System32\zcenElA.exe
  2⤵
  PID:10616
- C:\Windows\System32\HQHVtKn.exe
  C:\Windows\System32\HQHVtKn.exe
  2⤵
  PID:10664
- C:\Windows\System32\smhFfOG.exe
  C:\Windows\System32\smhFfOG.exe
  2⤵
  PID:10696
- C:\Windows\System32\CHCIKRr.exe
  C:\Windows\System32\CHCIKRr.exe
  2⤵
  PID:10712
- C:\Windows\System32\LlgxvHN.exe
  C:\Windows\System32\LlgxvHN.exe
  2⤵
  PID:10740
- C:\Windows\System32\IsayKRZ.exe
  C:\Windows\System32\IsayKRZ.exe
  2⤵
  PID:10780
- C:\Windows\System32\rVOFZPr.exe
  C:\Windows\System32\rVOFZPr.exe
  2⤵
  PID:10808
- C:\Windows\System32\MLdcxXg.exe
  C:\Windows\System32\MLdcxXg.exe
  2⤵
  PID:10832
- C:\Windows\System32\qwyhibu.exe
  C:\Windows\System32\qwyhibu.exe
  2⤵
  PID:10860
- C:\Windows\System32\IkVFIOM.exe
  C:\Windows\System32\IkVFIOM.exe
  2⤵
  PID:10892
- C:\Windows\System32\gFSGluP.exe
  C:\Windows\System32\gFSGluP.exe
  2⤵
  PID:10916
- C:\Windows\System32\oGqPPpN.exe
  C:\Windows\System32\oGqPPpN.exe
  2⤵
  PID:10936
- C:\Windows\System32\qlPqUKb.exe
  C:\Windows\System32\qlPqUKb.exe
  2⤵
  PID:10968
- C:\Windows\System32\EhgGspl.exe
  C:\Windows\System32\EhgGspl.exe
  2⤵
  PID:10992
- C:\Windows\System32\wWAWSNp.exe
  C:\Windows\System32\wWAWSNp.exe
  2⤵
  PID:11012
- C:\Windows\System32\cvZgKBV.exe
  C:\Windows\System32\cvZgKBV.exe
  2⤵
  PID:11040
- C:\Windows\System32\yyjaIjG.exe
  C:\Windows\System32\yyjaIjG.exe
  2⤵
  PID:11060
- C:\Windows\System32\HGXoJQD.exe
  C:\Windows\System32\HGXoJQD.exe
  2⤵
  PID:11084
- C:\Windows\System32\JTlZkdA.exe
  C:\Windows\System32\JTlZkdA.exe
  2⤵
  PID:11104
- C:\Windows\System32\cakiqia.exe
  C:\Windows\System32\cakiqia.exe
  2⤵
  PID:11140
- C:\Windows\System32\aqMJiyp.exe
  C:\Windows\System32\aqMJiyp.exe
  2⤵
  PID:11192
- C:\Windows\System32\qNRgQnz.exe
  C:\Windows\System32\qNRgQnz.exe
  2⤵
  PID:11220
- C:\Windows\System32\dqUReqz.exe
  C:\Windows\System32\dqUReqz.exe
  2⤵
  PID:11256
- C:\Windows\System32\fPKAXhm.exe
  C:\Windows\System32\fPKAXhm.exe
  2⤵
  PID:9552
- C:\Windows\System32\QmixLoG.exe
  C:\Windows\System32\QmixLoG.exe
  2⤵
  PID:10288
- C:\Windows\System32\mkvIvxD.exe
  C:\Windows\System32\mkvIvxD.exe
  2⤵
  PID:10388
- C:\Windows\System32\cplVINz.exe
  C:\Windows\System32\cplVINz.exe
  2⤵
  PID:10452
- C:\Windows\System32\EnqcxUB.exe
  C:\Windows\System32\EnqcxUB.exe
  2⤵
  PID:10492
- C:\Windows\System32\HhwLttc.exe
  C:\Windows\System32\HhwLttc.exe
  2⤵
  PID:10540
- C:\Windows\System32\SBBgSdP.exe
  C:\Windows\System32\SBBgSdP.exe
  2⤵
  PID:10604
- C:\Windows\System32\cnPijqf.exe
  C:\Windows\System32\cnPijqf.exe
  2⤵
  PID:10704
- C:\Windows\System32\xdsNQkE.exe
  C:\Windows\System32\xdsNQkE.exe
  2⤵
  PID:10764
- C:\Windows\System32\WZZJdBW.exe
  C:\Windows\System32\WZZJdBW.exe
  2⤵
  PID:10820
- C:\Windows\System32\foxJVWd.exe
  C:\Windows\System32\foxJVWd.exe
  2⤵
  PID:10928
- C:\Windows\System32\HzRxbDz.exe
  C:\Windows\System32\HzRxbDz.exe
  2⤵
  PID:10976
- C:\Windows\System32\zayLsGt.exe
  C:\Windows\System32\zayLsGt.exe
  2⤵
  PID:11032
- C:\Windows\System32\fgwLIqk.exe
  C:\Windows\System32\fgwLIqk.exe
  2⤵
  PID:11092
- C:\Windows\System32\bujUNqO.exe
  C:\Windows\System32\bujUNqO.exe
  2⤵
  PID:11152
- C:\Windows\System32\WHhkjfe.exe
  C:\Windows\System32\WHhkjfe.exe
  2⤵
  PID:11200
- C:\Windows\System32\FgKeEUt.exe
  C:\Windows\System32\FgKeEUt.exe
  2⤵
  PID:10272
- C:\Windows\System32\jDRBgec.exe
  C:\Windows\System32\jDRBgec.exe
  2⤵
  PID:10400
- C:\Windows\System32\wyNASVy.exe
  C:\Windows\System32\wyNASVy.exe
  2⤵
  PID:10488
- C:\Windows\System32\uSdSbxH.exe
  C:\Windows\System32\uSdSbxH.exe
  2⤵
  PID:10688
- C:\Windows\System32\MwJsNyc.exe
  C:\Windows\System32\MwJsNyc.exe
  2⤵
  PID:10736
- C:\Windows\System32\GUbvgoO.exe
  C:\Windows\System32\GUbvgoO.exe
  2⤵
  PID:10844
- C:\Windows\System32\kTMMKDp.exe
  C:\Windows\System32\kTMMKDp.exe
  2⤵
  PID:11024
- C:\Windows\System32\NDfpoAq.exe
  C:\Windows\System32\NDfpoAq.exe
  2⤵
  PID:11136
- C:\Windows\System32\qNuTSFP.exe
  C:\Windows\System32\qNuTSFP.exe
  2⤵
  PID:11252
- C:\Windows\System32\vfBGKok.exe
  C:\Windows\System32\vfBGKok.exe
  2⤵
  PID:10316
- C:\Windows\System32\qNhKupB.exe
  C:\Windows\System32\qNhKupB.exe
  2⤵
  PID:10964
- C:\Windows\System32\usDdxmj.exe
  C:\Windows\System32\usDdxmj.exe
  2⤵
  PID:10824
- C:\Windows\System32\UwMGtLg.exe
  C:\Windows\System32\UwMGtLg.exe
  2⤵
  PID:11228
- C:\Windows\System32\gFATvTo.exe
  C:\Windows\System32\gFATvTo.exe
  2⤵
  PID:11284
- C:\Windows\System32\ltERwDa.exe
  C:\Windows\System32\ltERwDa.exe
  2⤵
  PID:11312
- C:\Windows\System32\MppILcc.exe
  C:\Windows\System32\MppILcc.exe
  2⤵
  PID:11336
- C:\Windows\System32\RWSvFpf.exe
  C:\Windows\System32\RWSvFpf.exe
  2⤵
  PID:11356
- C:\Windows\System32\TWPQYcN.exe
  C:\Windows\System32\TWPQYcN.exe
  2⤵
  PID:11384
- C:\Windows\System32\ztoroMz.exe
  C:\Windows\System32\ztoroMz.exe
  2⤵
  PID:11452
- C:\Windows\System32\NVrfhNL.exe
  C:\Windows\System32\NVrfhNL.exe
  2⤵
  PID:11492
- C:\Windows\System32\kLlXhjM.exe
  C:\Windows\System32\kLlXhjM.exe
  2⤵
  PID:11512
- C:\Windows\System32\WGUipfv.exe
  C:\Windows\System32\WGUipfv.exe
  2⤵
  PID:11536
- C:\Windows\System32\cCmyhMg.exe
  C:\Windows\System32\cCmyhMg.exe
  2⤵
  PID:11556
- C:\Windows\System32\aWnhstS.exe
  C:\Windows\System32\aWnhstS.exe
  2⤵
  PID:11588
- C:\Windows\System32\ONzuFnX.exe
  C:\Windows\System32\ONzuFnX.exe
  2⤵
  PID:11652
- C:\Windows\System32\yrHkdMp.exe
  C:\Windows\System32\yrHkdMp.exe
  2⤵
  PID:11680
- C:\Windows\System32\QdJbSma.exe
  C:\Windows\System32\QdJbSma.exe
  2⤵
  PID:11720
- C:\Windows\System32\HiXvJYX.exe
  C:\Windows\System32\HiXvJYX.exe
  2⤵
  PID:11740
- C:\Windows\System32\AArNhwh.exe
  C:\Windows\System32\AArNhwh.exe
  2⤵
  PID:11776
- C:\Windows\System32\nstmCRc.exe
  C:\Windows\System32\nstmCRc.exe
  2⤵
  PID:11796
- C:\Windows\System32\gPXeKsO.exe
  C:\Windows\System32\gPXeKsO.exe
  2⤵
  PID:11836
- C:\Windows\System32\VfyFyav.exe
  C:\Windows\System32\VfyFyav.exe
  2⤵
  PID:11856
- C:\Windows\System32\oivIHkn.exe
  C:\Windows\System32\oivIHkn.exe
  2⤵
  PID:11880
- C:\Windows\System32\EtdcZlC.exe
  C:\Windows\System32\EtdcZlC.exe
  2⤵
  PID:11904
- C:\Windows\System32\psWSMaf.exe
  C:\Windows\System32\psWSMaf.exe
  2⤵
  PID:11924
- C:\Windows\System32\jgBTFQp.exe
  C:\Windows\System32\jgBTFQp.exe
  2⤵
  PID:11952
- C:\Windows\System32\YWJQfxI.exe
  C:\Windows\System32\YWJQfxI.exe
  2⤵
  PID:11972
- C:\Windows\System32\vEKaSKD.exe
  C:\Windows\System32\vEKaSKD.exe
  2⤵
  PID:12016
- C:\Windows\System32\YuiNFeH.exe
  C:\Windows\System32\YuiNFeH.exe
  2⤵
  PID:12040
- C:\Windows\System32\rcovHCm.exe
  C:\Windows\System32\rcovHCm.exe
  2⤵
  PID:12072
- C:\Windows\System32\bYfHFUV.exe
  C:\Windows\System32\bYfHFUV.exe
  2⤵
  PID:12100
- C:\Windows\System32\cYIGhfA.exe
  C:\Windows\System32\cYIGhfA.exe
  2⤵
  PID:12136
- C:\Windows\System32\sjnWLyk.exe
  C:\Windows\System32\sjnWLyk.exe
  2⤵
  PID:12152
- C:\Windows\System32\foEBOyD.exe
  C:\Windows\System32\foEBOyD.exe
  2⤵
  PID:12184
- C:\Windows\System32\VmGjezO.exe
  C:\Windows\System32\VmGjezO.exe
  2⤵
  PID:12240
- C:\Windows\System32\HrWMqhm.exe
  C:\Windows\System32\HrWMqhm.exe
  2⤵
  PID:12256
- C:\Windows\System32\bCBmcjX.exe
  C:\Windows\System32\bCBmcjX.exe
  2⤵
  PID:12272
- C:\Windows\System32\PjqNIzu.exe
  C:\Windows\System32\PjqNIzu.exe
  2⤵
  PID:10560
- C:\Windows\System32\CLxNBtn.exe
  C:\Windows\System32\CLxNBtn.exe
  2⤵
  PID:11376
- C:\Windows\System32\XuKoXob.exe
  C:\Windows\System32\XuKoXob.exe
  2⤵
  PID:11268
- C:\Windows\System32\ufobPKe.exe
  C:\Windows\System32\ufobPKe.exe
  2⤵
  PID:11424
- C:\Windows\System32\xZnVcuq.exe
  C:\Windows\System32\xZnVcuq.exe
  2⤵
  PID:11460
- C:\Windows\System32\CQbVHvn.exe
  C:\Windows\System32\CQbVHvn.exe
  2⤵
  PID:11500
- C:\Windows\System32\yDpKpTf.exe
  C:\Windows\System32\yDpKpTf.exe
  2⤵
  PID:11624
- C:\Windows\System32\OyMAnCy.exe
  C:\Windows\System32\OyMAnCy.exe
  2⤵
  PID:11660
- C:\Windows\System32\urjdsbM.exe
  C:\Windows\System32\urjdsbM.exe
  2⤵
  PID:11728
- C:\Windows\System32\dUUyUoy.exe
  C:\Windows\System32\dUUyUoy.exe
  2⤵
  PID:11784
- C:\Windows\System32\ljoRsLD.exe
  C:\Windows\System32\ljoRsLD.exe
  2⤵
  PID:11848
- C:\Windows\System32\GHUpRQu.exe
  C:\Windows\System32\GHUpRQu.exe
  2⤵
  PID:11968
- C:\Windows\System32\zjCYMxx.exe
  C:\Windows\System32\zjCYMxx.exe
  2⤵
  PID:12004
- C:\Windows\System32\zcouyTB.exe
  C:\Windows\System32\zcouyTB.exe
  2⤵
  PID:12084
- C:\Windows\System32\SxnSAMh.exe
  C:\Windows\System32\SxnSAMh.exe
  2⤵
  PID:12176
- C:\Windows\System32\PLqmooO.exe
  C:\Windows\System32\PLqmooO.exe
  2⤵
  PID:12224
- C:\Windows\System32\iSeinMQ.exe
  C:\Windows\System32\iSeinMQ.exe
  2⤵
  PID:12284
- C:\Windows\System32\xngFkyG.exe
  C:\Windows\System32\xngFkyG.exe
  2⤵
  PID:11324
- C:\Windows\System32\gdJuOeR.exe
  C:\Windows\System32\gdJuOeR.exe
  2⤵
  PID:11544
- C:\Windows\System32\WWFUjdd.exe
  C:\Windows\System32\WWFUjdd.exe
  2⤵
  PID:2948
- C:\Windows\System32\nkdVkjU.exe
  C:\Windows\System32\nkdVkjU.exe
  2⤵
  PID:11844
- C:\Windows\System32\sgGQLWb.exe
  C:\Windows\System32\sgGQLWb.exe
  2⤵
  PID:2928
- C:\Windows\System32\RjiXlND.exe
  C:\Windows\System32\RjiXlND.exe
  2⤵
  PID:5744
- C:\Windows\System32\hrGEVCg.exe
  C:\Windows\System32\hrGEVCg.exe
  2⤵
  PID:11920
- C:\Windows\System32\FEusHtD.exe
  C:\Windows\System32\FEusHtD.exe
  2⤵
  PID:12064
- C:\Windows\System32\MLewxPe.exe
  C:\Windows\System32\MLewxPe.exe
  2⤵
  PID:12200
- C:\Windows\System32\VUNdJoS.exe
  C:\Windows\System32\VUNdJoS.exe
  2⤵
  PID:11328
- C:\Windows\System32\KDZxchA.exe
  C:\Windows\System32\KDZxchA.exe
  2⤵
  PID:11696
- C:\Windows\System32\OVRJCov.exe
  C:\Windows\System32\OVRJCov.exe
  2⤵
  PID:11820
- C:\Windows\System32\UFXxYmW.exe
  C:\Windows\System32\UFXxYmW.exe
  2⤵
  PID:12316
- C:\Windows\System32\QgIYYVT.exe
  C:\Windows\System32\QgIYYVT.exe
  2⤵
  PID:12344
- C:\Windows\System32\FAmBkCB.exe
  C:\Windows\System32\FAmBkCB.exe
  2⤵
  PID:12364
- C:\Windows\System32\EYDpxjc.exe
  C:\Windows\System32\EYDpxjc.exe
  2⤵
  PID:12412
- C:\Windows\System32\ZyFwFaN.exe
  C:\Windows\System32\ZyFwFaN.exe
  2⤵
  PID:12432
- C:\Windows\System32\bToBfyQ.exe
  C:\Windows\System32\bToBfyQ.exe
  2⤵
  PID:12452
- C:\Windows\System32\EfsCxtq.exe
  C:\Windows\System32\EfsCxtq.exe
  2⤵
  PID:12492
- C:\Windows\System32\SnHeRpo.exe
  C:\Windows\System32\SnHeRpo.exe
  2⤵
  PID:12524
- C:\Windows\System32\VywNcyC.exe
  C:\Windows\System32\VywNcyC.exe
  2⤵
  PID:12548
- C:\Windows\System32\aViOkWY.exe
  C:\Windows\System32\aViOkWY.exe
  2⤵
  PID:12588
- C:\Windows\System32\NDpDEip.exe
  C:\Windows\System32\NDpDEip.exe
  2⤵
  PID:12616
- C:\Windows\System32\taavSSX.exe
  C:\Windows\System32\taavSSX.exe
  2⤵
  PID:12632
- C:\Windows\System32\FFhJheU.exe
  C:\Windows\System32\FFhJheU.exe
  2⤵
  PID:12652
- C:\Windows\System32\qYNEdnq.exe
  C:\Windows\System32\qYNEdnq.exe
  2⤵
  PID:12676
- C:\Windows\System32\alJnKNh.exe
  C:\Windows\System32\alJnKNh.exe
  2⤵
  PID:12728
- C:\Windows\System32\YqorgDC.exe
  C:\Windows\System32\YqorgDC.exe
  2⤵
  PID:12748
- C:\Windows\System32\KXiNfLy.exe
  C:\Windows\System32\KXiNfLy.exe
  2⤵
  PID:12772
- C:\Windows\System32\ufdkVKw.exe
  C:\Windows\System32\ufdkVKw.exe
  2⤵
  PID:12792
- C:\Windows\System32\DqEKdFC.exe
  C:\Windows\System32\DqEKdFC.exe
  2⤵
  PID:12828
- C:\Windows\System32\InrkitU.exe
  C:\Windows\System32\InrkitU.exe
  2⤵
  PID:12864
- C:\Windows\System32\NdEoczp.exe
  C:\Windows\System32\NdEoczp.exe
  2⤵
  PID:12884
- C:\Windows\System32\bMxTLAp.exe
  C:\Windows\System32\bMxTLAp.exe
  2⤵
  PID:12920
- C:\Windows\System32\DPlifWR.exe
  C:\Windows\System32\DPlifWR.exe
  2⤵
  PID:12948
- C:\Windows\System32\EYDQWZh.exe
  C:\Windows\System32\EYDQWZh.exe
  2⤵
  PID:12980
- C:\Windows\System32\dcVEyxc.exe
  C:\Windows\System32\dcVEyxc.exe
  2⤵
  PID:12996
- C:\Windows\System32\XAIHhlB.exe
  C:\Windows\System32\XAIHhlB.exe
  2⤵
  PID:13028
- C:\Windows\System32\jyjRyOb.exe
  C:\Windows\System32\jyjRyOb.exe
  2⤵
  PID:13052
- C:\Windows\System32\HIFKLym.exe
  C:\Windows\System32\HIFKLym.exe
  2⤵
  PID:13072
- C:\Windows\System32\wEpWFKL.exe
  C:\Windows\System32\wEpWFKL.exe
  2⤵
  PID:13108
- C:\Windows\System32\HXfBVDm.exe
  C:\Windows\System32\HXfBVDm.exe
  2⤵
  PID:13140
- C:\Windows\System32\GSgKgYo.exe
  C:\Windows\System32\GSgKgYo.exe
  2⤵
  PID:13176
- C:\Windows\System32\kJSqFJr.exe
  C:\Windows\System32\kJSqFJr.exe
  2⤵
  PID:13200
- C:\Windows\System32\nsTzwYF.exe
  C:\Windows\System32\nsTzwYF.exe
  2⤵
  PID:13220
- C:\Windows\System32\OwJobGU.exe
  C:\Windows\System32\OwJobGU.exe
  2⤵
  PID:13248
- C:\Windows\System32\bbUZxEB.exe
  C:\Windows\System32\bbUZxEB.exe
  2⤵
  PID:13264
- C:\Windows\System32\JzlQFgU.exe
  C:\Windows\System32\JzlQFgU.exe
  2⤵
  PID:13300

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AHwIltV.exe

Filesize
1.8MB

MD5
ff2460d4f9bef62786e9e66a09c0f5a5

SHA1
70ac94398827f7eb829bf7822b37f22e2189471b

SHA256
0e98c514bab9c97db0d2f340888d7e3af220cafddd33e7b7dc48fd73c02a19d7

SHA512
17def39024011eb20c7ea1a7d11afc69604f11bde5910dec3474e0aed6a7ce550f73521bcbe9575c629ab89432abe0d55d3637c218f7abf0f07a8d9678b1443a

Download Submit
C:\Windows\System32\CKBifsr.exe

Filesize
1.8MB

MD5
9b5d3391525df3763353e5bd0f6e8236

SHA1
b16379a88b1369f3e185e9964812a1ad80fbd678

SHA256
479bf2d3b3000f18e438dc5de107b43d23945618dcfef359ecf749fddf684108

SHA512
e543842a73b4686ad71ed21daf8bd49622b3cde74a3248f62453e06335535a8c255165a0aece2883e9258d86c9d46dce7dcc291739108495940d4b6bb455c4dc

Download Submit
C:\Windows\System32\DPUoqCk.exe

Filesize
1.8MB

MD5
ca9c0db5e90615b708b9947c8a198e16

SHA1
b091800e0e8174b11d65549cf736c0a7b0a70887

SHA256
7bb2be7aceaced5fa8264711f72480d407b69aa50588e9514fb2eca9fb28c78b

SHA512
2bd606caf18f366fc7f19e96ca3b06e5010f66949175bb7e24e3357d4a2e6dbbcf389ed167805f55bbefab7f9db26570ac469cea0d3b8843a76bc78ab0aa7c8e

Download Submit
C:\Windows\System32\EteCOMl.exe

Filesize
1.8MB

MD5
1d645290e92748e50df28686e2ab523f

SHA1
ba68781c109f3f529937d01835c337dd573d033f

SHA256
2760800335cd598d4620a46cce7c1c7138063b2244923ce7d3ed4d1c127c5210

SHA512
67cdc7ab4d4f87fa0568a3a696b465e72888fa5b0a6de8aa3b80daa0fb52a7c71ad0229d8267b32b144048ec1e7b78aa5f562f0cfb7d99373c4a2b1f04ffc386

Download Submit
C:\Windows\System32\FTqKCYZ.exe

Filesize
1.8MB

MD5
667cc03bcac45fc5dd493d068fc5e99d

SHA1
b243d82d366d36eda317fe6013a75679dd0d8cb3

SHA256
cbba1cf308802e05b97ebc4352c2cf932e9da07a1b042b22904bad6692e58ef6

SHA512
6f834b35aead4c88b21ff5954ea7e67abfddfd524061e3fd8e6a4f6fcd278a0a5a14e783bddb5575b93a82436af3f89cd088bd2a9f0c2d4c70c2b2e852c3d871

Download Submit
C:\Windows\System32\FlWlcht.exe

Filesize
1.8MB

MD5
cbd835c3b10cb73dbf6a049f446efbf2

SHA1
62c12b2949072c944d1b6b72eda90cde110bc8ab

SHA256
76fda70ec1891d1e27064fc18300381974e21089a0219717ec5244808fdf585f

SHA512
9c7b671d6bd2d64bb2584a60c7e1d0bfd67479e1cd84b4c2b387d52ca921b3a440163ceced20625af347fecaf2ddd9e95a6bad7f59ff0c82e4247e3f395d98ab

Download Submit
C:\Windows\System32\GHcvWRl.exe

Filesize
1.8MB

MD5
6ab0ae2ee031f3aced900d4469637f37

SHA1
c40e53ae312939a0193fc20d175356eed9a2e871

SHA256
827a184889e3bff400f9664e8ba4174e1d22d05640185f147eaddbb4dba35e60

SHA512
b67ffd03b4e17db39574b3c542a5e629b625ceed8eb28613a84e0dcf0285be1b3cc2a52ca5037e5e3cd616a63fde4f283243a8285f14d7753d1cb798280043ec

Download Submit
C:\Windows\System32\IrDuLXZ.exe

Filesize
1.8MB

MD5
960726e99a0f2df415661f79d425faf1

SHA1
033f09328bf78c289c3942adecd4e79deb5b2ec2

SHA256
e36612d3bd8bca5132f12de762fe6a587e08be3181ece5675112abc109520e5e

SHA512
f78ad5ce7060ee9caf06b8b8842da528338c4845893f06b0a6bbe0e0820bbf205311aaa04275be4bc855d7cebfa87a2ae2ed679d3481bb49ff6e968ca8e005d9

Download Submit
C:\Windows\System32\LQFSmeC.exe

Filesize
1.8MB

MD5
a3bdd5040b28e4b064f497539811cb7e

SHA1
1b6ea80c03c74da1a7116ac4ec9b1f1f5710426c

SHA256
1102dfc8f941bd0bc51dd34e93c84a5d0488277c410ee98377c7c9573adc4236

SHA512
47dedc529c0c01a8b208c6593d99bc050259d50ebfd90e70b7b0917035c2b6bbe79bad124a52a88489535d8ce793195d9d0dc01d62583134a290d0499c487bba

Download Submit
C:\Windows\System32\NfPpbRg.exe

Filesize
1.8MB

MD5
f32f232daead322bb5022746acc72018

SHA1
95979f9a33fbad181ec2df5215e24b26ec08c7f1

SHA256
f289a1b5470abe984d22044bbec00bb39275e14d2e9c32d6658c09c182b839ad

SHA512
6d1c4af16826b55289aaf1db1808693e381cab1f842accf0a090f26b2d96f887602948c6811b4727494e7ae0ad469e633b353bda1e600c5b3818e37ca8b4b648

Download Submit
C:\Windows\System32\OWhjuDN.exe

Filesize
1.8MB

MD5
4150eb7f624270c1cdab84fa2217322b

SHA1
7c6266ad170d5ba4fdb0c1304da5807eec7d5089

SHA256
8a503fb7a8f8f4e4f9fd8e27c2306f7e20635436cb115fae3843025046ae7d08

SHA512
6ff396b286199a746697d4f646ba57575263bf5a0a38b91ed47d277737b6caadbef4d57ba10cd53034fdf0b607183810ad86028f0548d7f6efc4988760e26341

Download Submit
C:\Windows\System32\PrKElzJ.exe

Filesize
1.8MB

MD5
c91880b0bea7df26f87986871947f80c

SHA1
a0e5717e00246a8206de3cd278fff6bb528fadfc

SHA256
88e48a710f3be65a01fa8667641e638cc8f450709251b8948061c8ce18c44f27

SHA512
486496237bb27bc3bdf05ce3a8d41bd56fed566e59b8496fea8a13a2e394afd0bc7e74e50b16434a1bc2fc4f71f76e61e37de7233a8592706676c69395f1269f

Download Submit
C:\Windows\System32\RUVTiqZ.exe

Filesize
1.8MB

MD5
0f160927cd5e3a9f456cab43999062c0

SHA1
856f28ca1560538f03244bea4b01c7623d021d48

SHA256
c5ff1442d783edab962126c36533838480a3485c950fe657ed5b80b871c062e7

SHA512
2ff9f9f41c830c7a6ead31b60db7bc188208f174f4f804a3c4722b747668f61c589bb0532c0049e7ccd3ef7747f2792770459e1dd03f22a75dd979c205801632

Download Submit
C:\Windows\System32\TTWUYnW.exe

Filesize
1.8MB

MD5
7467445affb437dcf7b0ad401b559f67

SHA1
cada2da516dccccfe19132612d999537952e250a

SHA256
8e3d29644d67e20fa73ee024243bc8aaff6f20c6b824616e1c85ad12cd410142

SHA512
fe9a5e06f8ab0c9266fc5d3a461bcbbe5d552bcb4672c8bff9086935716d3c968305ec4ac980f8687f96088e460fc21bd34ca82d102fbfbcde0526c4bd19b202

Download Submit
C:\Windows\System32\TuYElzN.exe

Filesize
1.8MB

MD5
b9c8e59c1d54bfb26ebd0e6bf252a93a

SHA1
42da5c97f776ba4d188291b72651ace8c52ae879

SHA256
54622bd96fd072752e4b56dc15d2a2578121dae611960cfe4b96c53ea62de225

SHA512
6fcaaae5e9a970bc527f76ca0b132a32f96cb233f1360bc79633ebfa1766de9d05095a712c5283dca9c6d44f95d67c812165917aa68177450c1440fa8ef20418

Download Submit
C:\Windows\System32\XUXBsjA.exe

Filesize
1.8MB

MD5
6435929d550ab1dbc370c9e50b9bd22d

SHA1
ce112d186d7dbbdcfbc7f2f512475f63def295fe

SHA256
f404df14fe59288e7e912490664ebb61cd3a363a4431956582fd34fd34b69e8d

SHA512
cbdc651e00c16e838a7d8e4f9c08de6d9ba1741df6ab5a6346d22c0ff3606c917246ffdfd0c62613d4f7bae9cb0e52bb67667577ef5ecd19c173236d3dfcec24

Download Submit
C:\Windows\System32\XaeNLWZ.exe

Filesize
1.8MB

MD5
13427139aa8707537ac1cca240cac4fc

SHA1
70e1d8fb8f6ec73b4368d9f9d8476461202797a6

SHA256
ef442529c5d2604ad9a57d41de50f66e2b0f02e856717f5aae234cac5aca9c27

SHA512
523ec5f36fce2fe7737d1edc43994956326ecad2bde74f08f8f66112303952d0197717893d83917d16d565a185e4dabb3136f71fdef1aee5c30fdc27757670cc

Download Submit
C:\Windows\System32\YHtfsCK.exe

Filesize
1.8MB

MD5
35559d4b0ebad5dd3a2b38b50af8c152

SHA1
30423c93a05d7bb7c9d99c08dad5d7d97ef2cca7

SHA256
6b602d5046e9de559c0f0743e8caf7f61d7ebb7574aec1f9fe1670e631a8b6b7

SHA512
958bfd0a5420e509bf7a94e254bd679f062d84ab4ac4182d220d7f229a852d7c3a85ebc1821dbba7f8f8e96c370eca2832015444cf47994eb940ad6d69fa83c5

Download Submit
C:\Windows\System32\ZMgEXVw.exe

Filesize
1.8MB

MD5
243474db2a1090a3f5b6c7f9cf66f00c

SHA1
63321aca8dddd024670b2eee2247ea04c44859df

SHA256
001e323a451bb06762d3bbf70ed9fbd640aedb8a3527c2151ee3583bdd4dd783

SHA512
d890bfd01c9fefcf44939595a39de51c9f99aa2111ba6ee1db603ec74a9208476f21755cdb23df68b00345d7370a289d18d92f9e6b001cbbb4a79da2f99a251e

Download Submit
C:\Windows\System32\aJmxVMh.exe

Filesize
1.8MB

MD5
f257b75ef7b4f6315f9d61f137202e04

SHA1
01a3912129d75b733ed4280cf4e87ebd40727877

SHA256
4305f15d7f79c4bc44456040a8226bdee68538359cd7e991fe915873a17e84f7

SHA512
47393e3dbc9fadc755ba42a240248575b74c2194a3baf64a59fd2efc183c9eb700c3796ab4dc591fe2cf581bb503bc90ae8b77ef5113d8d84d308b157b253c19

Download Submit
C:\Windows\System32\cPBWChm.exe

Filesize
1.8MB

MD5
fafe8939f2c2dca34e1a128d27798380

SHA1
10d23889fc590dc9df022ecbab9d2bd51e964103

SHA256
3e24a9ddd8ce019f79a82c7c80d72eb6662ab29ff7b6381814367eef37caf81b

SHA512
3d19d9e4b4efce0fe0b1b055a07ad21f223022ff3929753c7e02889205cd81fe8301c2d46e37fe53c283084e2ef9d5ccbdcec052b316fe00d05b4ce972b40cb5

Download Submit
C:\Windows\System32\cSrpWPr.exe

Filesize
1.8MB

MD5
3799847f238e1a22f9724b7b3f066cde

SHA1
6f1f377a3371bda1b8a9e3c38787e69992a3223e

SHA256
4f1e19452ee10d650f3231cc7fa58e97924c773c8620c30c65c4f925fe19c8db

SHA512
6c1873a6a0be7dc7b55e40d891117e977bbdefb9f2da2d60d7cd2bcd3db1d8f837d38ca2be17bbf3dc09b4daa94d4e14740617271d61e0a5b4c53e35ac54382b

Download Submit
C:\Windows\System32\dHBDGKE.exe

Filesize
1.8MB

MD5
26d31d5e55c7953fdada6e8a850dcec2

SHA1
5819dc53d25aca896cc8dee5f08591fa1089b699

SHA256
c865f369f38ff92ce4dd513e02f4c4a3d9a844ecdb33284e7eabfe6f3c859565

SHA512
beffd55acaa841b34912b860104ae5987eb4ee0ce8398bdb1c2ffb22b5b798bf6290dfca28d06ca45074857a399787ef2e66f52d58d829a5661e1e59a16699d6

Download Submit
C:\Windows\System32\giRZLDG.exe

Filesize
1.8MB

MD5
1f6f938c399f3ca4de0b61df8b83590b

SHA1
ccdc11b09c38211ee24cab893ee8777a563d48a1

SHA256
a9b21663105c299b1296366239f1bc04b11fdf8961f51492b48efe403e0b4a69

SHA512
71331cbc5e16d92e5fe64bb65f517a3599b2796137f42e98b48fa9b76d9ffe15341bcd415e0a257406fca2a04f68eee1989cec5e59bfa1e4de2ca7b8d0f30994

Download Submit
C:\Windows\System32\hEoldMS.exe

Filesize
1.8MB

MD5
f886f72a5db4e247513f924a9beccf0c

SHA1
ec3cbfbb27fbae2581b2c2e06bd3d87ad38e0b6a

SHA256
aab4f6dc7fb61a4801a230113ade77be97168be37fbf9bc85304dec69d17e4d1

SHA512
dcecc13640373c984e85112aab611936ba127148ed4dbd97041d450b42103598deeff53f510ecea9955f64520b4be74d067d0bf32696cacf374c0dd2c75f9bd7

Download Submit
C:\Windows\System32\hjFzIVM.exe

Filesize
1.8MB

MD5
d100dae8517be82ccb7d940e5f18e702

SHA1
ec070d732bcf10ddf5d26c5f107b45096329aee9

SHA256
0fe7de9f892bf5cae7ec6798f6494f37fe68bdb78dd92d5e659b0a9d47f924fa

SHA512
7844655f0ac3a036a4c786213082f01fbb39a9a184b85eba203645634e670875b1ee5512fa6b5d803d74eff422b97b5c829e5dccf72a690809ad139e1b0ab785

Download Submit
C:\Windows\System32\jBSnAnM.exe

Filesize
1.8MB

MD5
93624d38007bec5f916bd635b75f3641

SHA1
0eae23905a733d289810e769e7cd8ed30333ac27

SHA256
50dadf433d100360d8cd00281f67303138a7a3b531f72f55a6f9bacce5e0cf84

SHA512
a542b2e5c9cab2d1a64dc8f0b878cc8db610c1fdaa68f3b87f1b57c4a351ee54df976ce733ac63114c9b3d2ae7a130f91bb33ea7b48d3ffa959437489145537c

Download Submit
C:\Windows\System32\kqKTpmd.exe

Filesize
1.8MB

MD5
6df029936db082d1542b3a7396d2e813

SHA1
f81069cc1d0528d8612f521b89c2272dfd700611

SHA256
d858e234c537144ff938f806cd9ae292a5dd5fd772a324784ff07d4bd98e5b5a

SHA512
2f5160972e5d19da6043d5d05f60a3ef9b4e8c1382bb07d595b6c3760ce759b7565df19d5bef0dd18cf9a335f70bdc5cba99055d9fce876fe585391d05547d78

Download Submit
C:\Windows\System32\pmHpWnn.exe

Filesize
1.8MB

MD5
954d15953c16e39e965138ad6652c0a0

SHA1
af512fc55f1848a3089c0ffad4650dfc36beee9c

SHA256
ccfb0d17ac9534c444ce13d8eb44e45c295576be54d1515f17a50adcf646c06b

SHA512
503cf038fde665aaef332e304b8073be76c56daffa1c88857f135670bdde07a6cc1744be4ea6bc72f697261f9108645b98c2fdf6556f9e8d2534aa3e97bc1153

Download Submit
C:\Windows\System32\prBpDdU.exe

Filesize
1.8MB

MD5
a47248e69c9b3178572dfc35e29802ed

SHA1
a36586b19f59004b5f891a446effccb01b6f4d8c

SHA256
a9c2424313c810c8ac21d96fdd3afa0c014003215ed95411df4a83240768cce3

SHA512
b8db10142a7030ebf0ec9104c42fee6a434aa50d6c5c25053c6f2b3cc2f3c01d2eafc1df1724981d4b400902804566d1e607644d66643bba30c693273c497325

Download Submit
C:\Windows\System32\uhhtcjR.exe

Filesize
1.8MB

MD5
265d624c5b18327e72871e80c2e1774d

SHA1
000fa02056ad169a4bdab775d2ed6671f669dc55

SHA256
1954a5e2c544fc24651ddda2ae7f8b6ba45cd2e4348dcad97ca52c3d2b414a06

SHA512
a71809a16b52e5e3dfbc56fe5fe8b388543f6c469007b536d6599f0822bb771a4397df8d35ad7b60bf13c50da4aac780342663f18814bad08ed07976cc276aa3

Download Submit
C:\Windows\System32\yWKFqIS.exe

Filesize
1.8MB

MD5
bf487ddf3a39d8b45aaa36317cae97fe

SHA1
8ad6fc7316dfec07d341e45c61864cfa4a731d25

SHA256
1a050b87ccc6dd88d839778d12bc2578117fbf76e087594b566f0213568d9f59

SHA512
99acf6cff686cf20268632439e34d9c30d444712b8d7e3aca708585ee1729271e3558d7cb54ddabeff91ff17baf29c8f62c5f074eaf0bf15a4d18cdbb87b2e53

Download Submit
memory/548-16-0x00007FF6E7A10000-0x00007FF6E7E01000-memory.dmp

Filesize
3.9MB

Download
memory/548-2019-0x00007FF6E7A10000-0x00007FF6E7E01000-memory.dmp

Filesize
3.9MB

Download
memory/960-2021-0x00007FF6DBDF0000-0x00007FF6DC1E1000-memory.dmp

Filesize
3.9MB

Download
memory/960-454-0x00007FF6DBDF0000-0x00007FF6DC1E1000-memory.dmp

Filesize
3.9MB

Download
memory/1556-2033-0x00007FF73FB70000-0x00007FF73FF61000-memory.dmp

Filesize
3.9MB

Download
memory/1556-400-0x00007FF73FB70000-0x00007FF73FF61000-memory.dmp

Filesize
3.9MB

Download
memory/1584-2027-0x00007FF72BC40000-0x00007FF72C031000-memory.dmp

Filesize
3.9MB

Download
memory/1584-383-0x00007FF72BC40000-0x00007FF72C031000-memory.dmp

Filesize
3.9MB

Download
memory/1652-2047-0x00007FF6323B0000-0x00007FF6327A1000-memory.dmp

Filesize
3.9MB

Download
memory/1652-420-0x00007FF6323B0000-0x00007FF6327A1000-memory.dmp

Filesize
3.9MB

Download
memory/1704-2037-0x00007FF68F180000-0x00007FF68F571000-memory.dmp

Filesize
3.9MB

Download
memory/1704-409-0x00007FF68F180000-0x00007FF68F571000-memory.dmp

Filesize
3.9MB

Download
memory/2172-432-0x00007FF790510000-0x00007FF790901000-memory.dmp

Filesize
3.9MB

Download
memory/2172-2057-0x00007FF790510000-0x00007FF790901000-memory.dmp

Filesize
3.9MB

Download
memory/2200-2055-0x00007FF75E800000-0x00007FF75EBF1000-memory.dmp

Filesize
3.9MB

Download
memory/2200-438-0x00007FF75E800000-0x00007FF75EBF1000-memory.dmp

Filesize
3.9MB

Download
memory/2628-2059-0x00007FF765B30000-0x00007FF765F21000-memory.dmp

Filesize
3.9MB

Download
memory/2628-434-0x00007FF765B30000-0x00007FF765F21000-memory.dmp

Filesize
3.9MB

Download
memory/2892-2045-0x00007FF667640000-0x00007FF667A31000-memory.dmp

Filesize
3.9MB

Download
memory/2892-406-0x00007FF667640000-0x00007FF667A31000-memory.dmp

Filesize
3.9MB

Download
memory/3016-1-0x0000026B90AE0000-0x0000026B90AF0000-memory.dmp

Filesize
64KB

Download
memory/3016-0-0x00007FF78DBA0000-0x00007FF78DF91000-memory.dmp

Filesize
3.9MB

Download
memory/3056-2013-0x00007FF7D4CE0000-0x00007FF7D50D1000-memory.dmp

Filesize
3.9MB

Download
memory/3056-32-0x00007FF7D4CE0000-0x00007FF7D50D1000-memory.dmp

Filesize
3.9MB

Download
memory/3056-2023-0x00007FF7D4CE0000-0x00007FF7D50D1000-memory.dmp

Filesize
3.9MB

Download
memory/3160-385-0x00007FF6FC720000-0x00007FF6FCB11000-memory.dmp

Filesize
3.9MB

Download
memory/3160-2035-0x00007FF6FC720000-0x00007FF6FCB11000-memory.dmp

Filesize
3.9MB

Download
memory/3556-2053-0x00007FF7A6B40000-0x00007FF7A6F31000-memory.dmp

Filesize
3.9MB

Download
memory/3556-429-0x00007FF7A6B40000-0x00007FF7A6F31000-memory.dmp

Filesize
3.9MB

Download
memory/3652-462-0x00007FF6F2750000-0x00007FF6F2B41000-memory.dmp

Filesize
3.9MB

Download
memory/3652-2025-0x00007FF6F2750000-0x00007FF6F2B41000-memory.dmp

Filesize
3.9MB

Download
memory/3936-2073-0x00007FF635620000-0x00007FF635A11000-memory.dmp

Filesize
3.9MB

Download
memory/3936-442-0x00007FF635620000-0x00007FF635A11000-memory.dmp

Filesize
3.9MB

Download
memory/3980-384-0x00007FF7B8C10000-0x00007FF7B9001000-memory.dmp

Filesize
3.9MB

Download
memory/3980-2029-0x00007FF7B8C10000-0x00007FF7B9001000-memory.dmp

Filesize
3.9MB

Download
memory/4168-435-0x00007FF686B60000-0x00007FF686F51000-memory.dmp

Filesize
3.9MB

Download
memory/4168-2061-0x00007FF686B60000-0x00007FF686F51000-memory.dmp

Filesize
3.9MB

Download
memory/4316-2039-0x00007FF75EB10000-0x00007FF75EF01000-memory.dmp

Filesize
3.9MB

Download
memory/4316-394-0x00007FF75EB10000-0x00007FF75EF01000-memory.dmp

Filesize
3.9MB

Download
memory/4384-390-0x00007FF6C7C50000-0x00007FF6C8041000-memory.dmp

Filesize
3.9MB

Download
memory/4384-2041-0x00007FF6C7C50000-0x00007FF6C8041000-memory.dmp

Filesize
3.9MB

Download
memory/4544-2049-0x00007FF644F50000-0x00007FF645341000-memory.dmp

Filesize
3.9MB

Download
memory/4544-422-0x00007FF644F50000-0x00007FF645341000-memory.dmp

Filesize
3.9MB

Download
memory/4580-2051-0x00007FF6CAAC0000-0x00007FF6CAEB1000-memory.dmp

Filesize
3.9MB

Download
memory/4580-428-0x00007FF6CAAC0000-0x00007FF6CAEB1000-memory.dmp

Filesize
3.9MB

Download
memory/4660-446-0x00007FF6427F0000-0x00007FF642BE1000-memory.dmp

Filesize
3.9MB

Download
memory/4660-2066-0x00007FF6427F0000-0x00007FF642BE1000-memory.dmp

Filesize
3.9MB

Download
memory/4856-2031-0x00007FF764EC0000-0x00007FF7652B1000-memory.dmp

Filesize
3.9MB

Download
memory/4856-466-0x00007FF764EC0000-0x00007FF7652B1000-memory.dmp

Filesize
3.9MB

Download
memory/5056-2043-0x00007FF692130000-0x00007FF692521000-memory.dmp

Filesize
3.9MB

Download
memory/5056-386-0x00007FF692130000-0x00007FF692521000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads