xmrig | 057990e8f0684fef442c9822fde833d3463f2434192e29bc75ec1da303ff6fd7

Analysis

max time kernel
97s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27cded0ce973067bce30e5d321294ad0N.exe
Size

1.0MB
MD5

27cded0ce973067bce30e5d321294ad0
SHA1

3a48a9270163e5236c5a0d6478934fa07818481b
SHA256

057990e8f0684fef442c9822fde833d3463f2434192e29bc75ec1da303ff6fd7
SHA512

7144a40fc839bade1253ed314b44a5db73bd7e7689960392d801e0995b679d5fbca4917ceeeaac1e7eca38ea39d0d594d21dd20598bfd626da8e95a789ec3bf9
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcqCarCU+q:knw9oUUEEDl37jcq1J

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1552-40-0x00007FF76FBD0000-0x00007FF76FFC1000-memory.dmp	xmrig
behavioral2/memory/3488-347-0x00007FF7E2320000-0x00007FF7E2711000-memory.dmp	xmrig
behavioral2/memory/3032-343-0x00007FF753B40000-0x00007FF753F31000-memory.dmp	xmrig
behavioral2/memory/3428-358-0x00007FF6EB460000-0x00007FF6EB851000-memory.dmp	xmrig
behavioral2/memory/1516-338-0x00007FF7FAE70000-0x00007FF7FB261000-memory.dmp	xmrig
behavioral2/memory/4476-320-0x00007FF728F10000-0x00007FF729301000-memory.dmp	xmrig
behavioral2/memory/4712-360-0x00007FF7268C0000-0x00007FF726CB1000-memory.dmp	xmrig
behavioral2/memory/4272-367-0x00007FF74C910000-0x00007FF74CD01000-memory.dmp	xmrig
behavioral2/memory/4044-365-0x00007FF6524D0000-0x00007FF6528C1000-memory.dmp	xmrig
behavioral2/memory/824-371-0x00007FF6F75B0000-0x00007FF6F79A1000-memory.dmp	xmrig
behavioral2/memory/4824-369-0x00007FF632170000-0x00007FF632561000-memory.dmp	xmrig
behavioral2/memory/2708-372-0x00007FF630BD0000-0x00007FF630FC1000-memory.dmp	xmrig
behavioral2/memory/2232-376-0x00007FF600A50000-0x00007FF600E41000-memory.dmp	xmrig
behavioral2/memory/3440-381-0x00007FF644440000-0x00007FF644831000-memory.dmp	xmrig
behavioral2/memory/2016-389-0x00007FF6B5DF0000-0x00007FF6B61E1000-memory.dmp	xmrig
behavioral2/memory/4456-387-0x00007FF692F30000-0x00007FF693321000-memory.dmp	xmrig
behavioral2/memory/4976-385-0x00007FF626C50000-0x00007FF627041000-memory.dmp	xmrig
behavioral2/memory/1352-384-0x00007FF6193B0000-0x00007FF6197A1000-memory.dmp	xmrig
behavioral2/memory/2728-1970-0x00007FF6C6750000-0x00007FF6C6B41000-memory.dmp	xmrig
behavioral2/memory/1620-2004-0x00007FF7017C0000-0x00007FF701BB1000-memory.dmp	xmrig
behavioral2/memory/3212-2003-0x00007FF7AC220000-0x00007FF7AC611000-memory.dmp	xmrig
behavioral2/memory/2368-2005-0x00007FF7A2E30000-0x00007FF7A3221000-memory.dmp	xmrig
behavioral2/memory/32-2010-0x00007FF7EE710000-0x00007FF7EEB01000-memory.dmp	xmrig
behavioral2/memory/1552-2008-0x00007FF76FBD0000-0x00007FF76FFC1000-memory.dmp	xmrig
behavioral2/memory/2088-2018-0x00007FF64CE10000-0x00007FF64D201000-memory.dmp	xmrig
behavioral2/memory/3212-2020-0x00007FF7AC220000-0x00007FF7AC611000-memory.dmp	xmrig
behavioral2/memory/1620-2022-0x00007FF7017C0000-0x00007FF701BB1000-memory.dmp	xmrig
behavioral2/memory/2368-2024-0x00007FF7A2E30000-0x00007FF7A3221000-memory.dmp	xmrig
behavioral2/memory/32-2030-0x00007FF7EE710000-0x00007FF7EEB01000-memory.dmp	xmrig
behavioral2/memory/4476-2032-0x00007FF728F10000-0x00007FF729301000-memory.dmp	xmrig
behavioral2/memory/1516-2034-0x00007FF7FAE70000-0x00007FF7FB261000-memory.dmp	xmrig
behavioral2/memory/1552-2028-0x00007FF76FBD0000-0x00007FF76FFC1000-memory.dmp	xmrig
behavioral2/memory/2728-2026-0x00007FF6C6750000-0x00007FF6C6B41000-memory.dmp	xmrig
behavioral2/memory/3032-2037-0x00007FF753B40000-0x00007FF753F31000-memory.dmp	xmrig
behavioral2/memory/1352-2058-0x00007FF6193B0000-0x00007FF6197A1000-memory.dmp	xmrig
behavioral2/memory/2708-2056-0x00007FF630BD0000-0x00007FF630FC1000-memory.dmp	xmrig
behavioral2/memory/4712-2047-0x00007FF7268C0000-0x00007FF726CB1000-memory.dmp	xmrig
behavioral2/memory/2232-2045-0x00007FF600A50000-0x00007FF600E41000-memory.dmp	xmrig
behavioral2/memory/4976-2052-0x00007FF626C50000-0x00007FF627041000-memory.dmp	xmrig
behavioral2/memory/4272-2041-0x00007FF74C910000-0x00007FF74CD01000-memory.dmp	xmrig
behavioral2/memory/824-2039-0x00007FF6F75B0000-0x00007FF6F79A1000-memory.dmp	xmrig
behavioral2/memory/3440-2048-0x00007FF644440000-0x00007FF644831000-memory.dmp	xmrig
behavioral2/memory/4824-2043-0x00007FF632170000-0x00007FF632561000-memory.dmp	xmrig
behavioral2/memory/4044-2054-0x00007FF6524D0000-0x00007FF6528C1000-memory.dmp	xmrig
behavioral2/memory/4456-2062-0x00007FF692F30000-0x00007FF693321000-memory.dmp	xmrig
behavioral2/memory/3428-2050-0x00007FF6EB460000-0x00007FF6EB851000-memory.dmp	xmrig
behavioral2/memory/3488-2060-0x00007FF7E2320000-0x00007FF7E2711000-memory.dmp	xmrig
behavioral2/memory/2016-2065-0x00007FF6B5DF0000-0x00007FF6B61E1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2088	XAJDpMC.exe
2728	INOUPDc.exe
3212	GXONxCJ.exe
1620	KXbVZPQ.exe
2368	nqxRepT.exe
1552	KjaqUOf.exe
32	ZdubWFd.exe
4476	ELrrggB.exe
1516	gqGhJWQ.exe
3032	ikLaXcI.exe
3488	MioymDQ.exe
3428	idGxYhV.exe
4712	qsBpXlw.exe
4044	HotWkxz.exe
4272	zfbYTpU.exe
4824	kqhxtkQ.exe
824	QOoHrfX.exe
2708	EItARIR.exe
2232	jHiknbf.exe
3440	QLvaxqn.exe
1352	PfwXpUu.exe
4976	qUPXjwF.exe
4456	HCcxyaz.exe
2016	EJNtPEE.exe
1040	nNfRFFZ.exe
2372	nKvRqZw.exe
4560	JjgGeWy.exe
5088	yuzkUEU.exe
4748	boVSgFc.exe
3780	jFApmIv.exe
3104	EiTtJQo.exe
2228	ccLwiGn.exe
1208	dgAtpra.exe
768	EqrEAdn.exe
4024	XzhrOiR.exe
2620	tMxUPJc.exe
4168	cfcRmEd.exe
436	NrMWwnD.exe
4688	xDldlVE.exe
2760	dvAbpHW.exe
2980	xdULPYl.exe
4704	svmSBtR.exe
4884	MerfcYx.exe
2300	JOKvNWd.exe
4448	kOLNfyy.exe
4380	DtuceGg.exe
3560	NeUuSFv.exe
4400	ZbzFVpa.exe
3644	qPvBzWA.exe
4924	ZYAAJEL.exe
4352	KYobMCP.exe
4392	YiXGYBW.exe
4980	gJAdQnT.exe
1324	GhtPHVG.exe
1848	VHIZFdQ.exe
4836	hVrdDdj.exe
2220	ExYrhTW.exe
3920	RxWCqBe.exe
4388	MHToqVw.exe
4012	ZyaXzqo.exe
3016	BhkegoQ.exe
1556	AqShkje.exe
1804	nGzTUow.exe
2428	RqfJZzT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/452-0-0x00007FF7C5380000-0x00007FF7C5771000-memory.dmp	upx
behavioral2/files/0x000900000002343b-5.dat	upx
behavioral2/files/0x00070000000234a2-7.dat	upx
behavioral2/files/0x00080000000234a1-8.dat	upx
behavioral2/memory/2088-12-0x00007FF64CE10000-0x00007FF64D201000-memory.dmp	upx
behavioral2/files/0x00070000000234a3-18.dat	upx
behavioral2/files/0x00070000000234a4-21.dat	upx
behavioral2/memory/3212-23-0x00007FF7AC220000-0x00007FF7AC611000-memory.dmp	upx
behavioral2/files/0x00070000000234a5-36.dat	upx
behavioral2/memory/2368-32-0x00007FF7A2E30000-0x00007FF7A3221000-memory.dmp	upx
behavioral2/memory/1620-29-0x00007FF7017C0000-0x00007FF701BB1000-memory.dmp	upx
behavioral2/memory/2728-14-0x00007FF6C6750000-0x00007FF6C6B41000-memory.dmp	upx
behavioral2/memory/1552-40-0x00007FF76FBD0000-0x00007FF76FFC1000-memory.dmp	upx
behavioral2/files/0x00070000000234a6-42.dat	upx
behavioral2/files/0x00070000000234a8-50.dat	upx
behavioral2/files/0x00070000000234a9-61.dat	upx
behavioral2/files/0x00070000000234ae-86.dat	upx
behavioral2/files/0x00070000000234b4-113.dat	upx
behavioral2/files/0x00070000000234b6-123.dat	upx
behavioral2/files/0x00070000000234b7-131.dat	upx
behavioral2/files/0x00070000000234b9-141.dat	upx
behavioral2/files/0x00070000000234be-163.dat	upx
behavioral2/memory/3488-347-0x00007FF7E2320000-0x00007FF7E2711000-memory.dmp	upx
behavioral2/memory/3032-343-0x00007FF753B40000-0x00007FF753F31000-memory.dmp	upx
behavioral2/memory/3428-358-0x00007FF6EB460000-0x00007FF6EB851000-memory.dmp	upx
behavioral2/memory/1516-338-0x00007FF7FAE70000-0x00007FF7FB261000-memory.dmp	upx
behavioral2/memory/4476-320-0x00007FF728F10000-0x00007FF729301000-memory.dmp	upx
behavioral2/files/0x00070000000234c0-169.dat	upx
behavioral2/files/0x00070000000234bf-167.dat	upx
behavioral2/files/0x00070000000234bd-161.dat	upx
behavioral2/files/0x00070000000234bc-156.dat	upx
behavioral2/files/0x00070000000234bb-151.dat	upx
behavioral2/files/0x00070000000234ba-143.dat	upx
behavioral2/files/0x00070000000234b8-136.dat	upx
behavioral2/files/0x00070000000234b5-121.dat	upx
behavioral2/files/0x00070000000234b3-111.dat	upx
behavioral2/files/0x00070000000234b2-106.dat	upx
behavioral2/files/0x00070000000234b1-101.dat	upx
behavioral2/files/0x00070000000234b0-96.dat	upx
behavioral2/files/0x00070000000234af-91.dat	upx
behavioral2/files/0x00070000000234ad-78.dat	upx
behavioral2/files/0x00070000000234ac-76.dat	upx
behavioral2/files/0x00070000000234ab-71.dat	upx
behavioral2/files/0x00070000000234aa-66.dat	upx
behavioral2/files/0x00070000000234a7-48.dat	upx
behavioral2/memory/32-44-0x00007FF7EE710000-0x00007FF7EEB01000-memory.dmp	upx
behavioral2/memory/4712-360-0x00007FF7268C0000-0x00007FF726CB1000-memory.dmp	upx
behavioral2/memory/4272-367-0x00007FF74C910000-0x00007FF74CD01000-memory.dmp	upx
behavioral2/memory/4044-365-0x00007FF6524D0000-0x00007FF6528C1000-memory.dmp	upx
behavioral2/memory/824-371-0x00007FF6F75B0000-0x00007FF6F79A1000-memory.dmp	upx
behavioral2/memory/4824-369-0x00007FF632170000-0x00007FF632561000-memory.dmp	upx
behavioral2/memory/2708-372-0x00007FF630BD0000-0x00007FF630FC1000-memory.dmp	upx
behavioral2/memory/2232-376-0x00007FF600A50000-0x00007FF600E41000-memory.dmp	upx
behavioral2/memory/3440-381-0x00007FF644440000-0x00007FF644831000-memory.dmp	upx
behavioral2/memory/2016-389-0x00007FF6B5DF0000-0x00007FF6B61E1000-memory.dmp	upx
behavioral2/memory/4456-387-0x00007FF692F30000-0x00007FF693321000-memory.dmp	upx
behavioral2/memory/4976-385-0x00007FF626C50000-0x00007FF627041000-memory.dmp	upx
behavioral2/memory/1352-384-0x00007FF6193B0000-0x00007FF6197A1000-memory.dmp	upx
behavioral2/memory/2728-1970-0x00007FF6C6750000-0x00007FF6C6B41000-memory.dmp	upx
behavioral2/memory/1620-2004-0x00007FF7017C0000-0x00007FF701BB1000-memory.dmp	upx
behavioral2/memory/3212-2003-0x00007FF7AC220000-0x00007FF7AC611000-memory.dmp	upx
behavioral2/memory/2368-2005-0x00007FF7A2E30000-0x00007FF7A3221000-memory.dmp	upx
behavioral2/memory/32-2010-0x00007FF7EE710000-0x00007FF7EEB01000-memory.dmp	upx
behavioral2/memory/1552-2008-0x00007FF76FBD0000-0x00007FF76FFC1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\VHIZFdQ.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\GGcEmRm.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\ITCOmcQ.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\RapPjhj.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\gqGhJWQ.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\ZbzFVpa.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\sojNKuO.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\xBkriEn.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\krJGDmO.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\qXUcXOp.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\nunljrB.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\lRycvsg.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\NWRMKnA.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\IkLyjZd.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\QLvaxqn.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\tMxUPJc.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\CeCHqkJ.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\slHgZEX.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\APGFwpy.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\ffhfQaw.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\LkcHyay.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\QrrRPfK.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\zVwyepl.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\IRsQDwi.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\JlwOuXZ.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\ZYAAJEL.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\VNsiWeb.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\HHwMiXF.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\rQEDbYS.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\iPXMdtJ.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\EVbAphL.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\WipWIBW.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\qgZklEw.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\cHcXxlH.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\HwuPsgY.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\tOdNRaa.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\NaDponk.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\UYVtLNq.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\XntHpuy.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\PEKJWvF.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\GtiuFoo.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\wOvymkt.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\fbzFsey.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\lMkIWon.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\fhOCBWs.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\mmVWxIu.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\PsKRdth.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\VTuqsSb.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\iDCpgmc.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\EiuQoaH.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\VMNGxQd.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\VDPAYnY.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\hQQvDfi.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\lFeUvEi.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\RdULWjZ.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\yLEuhwY.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\NrMWwnD.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\yfEzSfV.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\lJXQjeU.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\yjNTuva.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\vUVAObv.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\lVfqIVt.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\USjynjt.exe	27cded0ce973067bce30e5d321294ad0N.exe
File created	C:\Windows\System32\GUPVdhz.exe	27cded0ce973067bce30e5d321294ad0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13044	dwm.exe
Token: SeChangeNotifyPrivilege	13044	dwm.exe
Token: 33	13044	dwm.exe
Token: SeIncBasePriorityPrivilege	13044	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2088	452	27cded0ce973067bce30e5d321294ad0N.exe	84
PID 452 wrote to memory of 2088	452	27cded0ce973067bce30e5d321294ad0N.exe	84
PID 452 wrote to memory of 2728	452	27cded0ce973067bce30e5d321294ad0N.exe	85
PID 452 wrote to memory of 2728	452	27cded0ce973067bce30e5d321294ad0N.exe	85
PID 452 wrote to memory of 3212	452	27cded0ce973067bce30e5d321294ad0N.exe	86
PID 452 wrote to memory of 3212	452	27cded0ce973067bce30e5d321294ad0N.exe	86
PID 452 wrote to memory of 1620	452	27cded0ce973067bce30e5d321294ad0N.exe	87
PID 452 wrote to memory of 1620	452	27cded0ce973067bce30e5d321294ad0N.exe	87
PID 452 wrote to memory of 2368	452	27cded0ce973067bce30e5d321294ad0N.exe	88
PID 452 wrote to memory of 2368	452	27cded0ce973067bce30e5d321294ad0N.exe	88
PID 452 wrote to memory of 1552	452	27cded0ce973067bce30e5d321294ad0N.exe	89
PID 452 wrote to memory of 1552	452	27cded0ce973067bce30e5d321294ad0N.exe	89
PID 452 wrote to memory of 32	452	27cded0ce973067bce30e5d321294ad0N.exe	90
PID 452 wrote to memory of 32	452	27cded0ce973067bce30e5d321294ad0N.exe	90
PID 452 wrote to memory of 4476	452	27cded0ce973067bce30e5d321294ad0N.exe	91
PID 452 wrote to memory of 4476	452	27cded0ce973067bce30e5d321294ad0N.exe	91
PID 452 wrote to memory of 1516	452	27cded0ce973067bce30e5d321294ad0N.exe	92
PID 452 wrote to memory of 1516	452	27cded0ce973067bce30e5d321294ad0N.exe	92
PID 452 wrote to memory of 3032	452	27cded0ce973067bce30e5d321294ad0N.exe	93
PID 452 wrote to memory of 3032	452	27cded0ce973067bce30e5d321294ad0N.exe	93
PID 452 wrote to memory of 3488	452	27cded0ce973067bce30e5d321294ad0N.exe	94
PID 452 wrote to memory of 3488	452	27cded0ce973067bce30e5d321294ad0N.exe	94
PID 452 wrote to memory of 3428	452	27cded0ce973067bce30e5d321294ad0N.exe	95
PID 452 wrote to memory of 3428	452	27cded0ce973067bce30e5d321294ad0N.exe	95
PID 452 wrote to memory of 4712	452	27cded0ce973067bce30e5d321294ad0N.exe	96
PID 452 wrote to memory of 4712	452	27cded0ce973067bce30e5d321294ad0N.exe	96
PID 452 wrote to memory of 4044	452	27cded0ce973067bce30e5d321294ad0N.exe	97
PID 452 wrote to memory of 4044	452	27cded0ce973067bce30e5d321294ad0N.exe	97
PID 452 wrote to memory of 4272	452	27cded0ce973067bce30e5d321294ad0N.exe	98
PID 452 wrote to memory of 4272	452	27cded0ce973067bce30e5d321294ad0N.exe	98
PID 452 wrote to memory of 4824	452	27cded0ce973067bce30e5d321294ad0N.exe	99
PID 452 wrote to memory of 4824	452	27cded0ce973067bce30e5d321294ad0N.exe	99
PID 452 wrote to memory of 824	452	27cded0ce973067bce30e5d321294ad0N.exe	100
PID 452 wrote to memory of 824	452	27cded0ce973067bce30e5d321294ad0N.exe	100
PID 452 wrote to memory of 2708	452	27cded0ce973067bce30e5d321294ad0N.exe	101
PID 452 wrote to memory of 2708	452	27cded0ce973067bce30e5d321294ad0N.exe	101
PID 452 wrote to memory of 2232	452	27cded0ce973067bce30e5d321294ad0N.exe	102
PID 452 wrote to memory of 2232	452	27cded0ce973067bce30e5d321294ad0N.exe	102
PID 452 wrote to memory of 3440	452	27cded0ce973067bce30e5d321294ad0N.exe	103
PID 452 wrote to memory of 3440	452	27cded0ce973067bce30e5d321294ad0N.exe	103
PID 452 wrote to memory of 1352	452	27cded0ce973067bce30e5d321294ad0N.exe	104
PID 452 wrote to memory of 1352	452	27cded0ce973067bce30e5d321294ad0N.exe	104
PID 452 wrote to memory of 4976	452	27cded0ce973067bce30e5d321294ad0N.exe	105
PID 452 wrote to memory of 4976	452	27cded0ce973067bce30e5d321294ad0N.exe	105
PID 452 wrote to memory of 4456	452	27cded0ce973067bce30e5d321294ad0N.exe	106
PID 452 wrote to memory of 4456	452	27cded0ce973067bce30e5d321294ad0N.exe	106
PID 452 wrote to memory of 2016	452	27cded0ce973067bce30e5d321294ad0N.exe	107
PID 452 wrote to memory of 2016	452	27cded0ce973067bce30e5d321294ad0N.exe	107
PID 452 wrote to memory of 1040	452	27cded0ce973067bce30e5d321294ad0N.exe	108
PID 452 wrote to memory of 1040	452	27cded0ce973067bce30e5d321294ad0N.exe	108
PID 452 wrote to memory of 2372	452	27cded0ce973067bce30e5d321294ad0N.exe	109
PID 452 wrote to memory of 2372	452	27cded0ce973067bce30e5d321294ad0N.exe	109
PID 452 wrote to memory of 4560	452	27cded0ce973067bce30e5d321294ad0N.exe	110
PID 452 wrote to memory of 4560	452	27cded0ce973067bce30e5d321294ad0N.exe	110
PID 452 wrote to memory of 5088	452	27cded0ce973067bce30e5d321294ad0N.exe	111
PID 452 wrote to memory of 5088	452	27cded0ce973067bce30e5d321294ad0N.exe	111
PID 452 wrote to memory of 4748	452	27cded0ce973067bce30e5d321294ad0N.exe	112
PID 452 wrote to memory of 4748	452	27cded0ce973067bce30e5d321294ad0N.exe	112
PID 452 wrote to memory of 3780	452	27cded0ce973067bce30e5d321294ad0N.exe	113
PID 452 wrote to memory of 3780	452	27cded0ce973067bce30e5d321294ad0N.exe	113
PID 452 wrote to memory of 3104	452	27cded0ce973067bce30e5d321294ad0N.exe	114
PID 452 wrote to memory of 3104	452	27cded0ce973067bce30e5d321294ad0N.exe	114
PID 452 wrote to memory of 2228	452	27cded0ce973067bce30e5d321294ad0N.exe	115
PID 452 wrote to memory of 2228	452	27cded0ce973067bce30e5d321294ad0N.exe	115

C:\Users\Admin\AppData\Local\Temp\27cded0ce973067bce30e5d321294ad0N.exe
"C:\Users\Admin\AppData\Local\Temp\27cded0ce973067bce30e5d321294ad0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\System32\XAJDpMC.exe
  C:\Windows\System32\XAJDpMC.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System32\INOUPDc.exe
  C:\Windows\System32\INOUPDc.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System32\GXONxCJ.exe
  C:\Windows\System32\GXONxCJ.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System32\KXbVZPQ.exe
  C:\Windows\System32\KXbVZPQ.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\nqxRepT.exe
  C:\Windows\System32\nqxRepT.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\KjaqUOf.exe
  C:\Windows\System32\KjaqUOf.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System32\ZdubWFd.exe
  C:\Windows\System32\ZdubWFd.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System32\ELrrggB.exe
  C:\Windows\System32\ELrrggB.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\gqGhJWQ.exe
  C:\Windows\System32\gqGhJWQ.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System32\ikLaXcI.exe
  C:\Windows\System32\ikLaXcI.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System32\MioymDQ.exe
  C:\Windows\System32\MioymDQ.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\idGxYhV.exe
  C:\Windows\System32\idGxYhV.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System32\qsBpXlw.exe
  C:\Windows\System32\qsBpXlw.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\HotWkxz.exe
  C:\Windows\System32\HotWkxz.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\zfbYTpU.exe
  C:\Windows\System32\zfbYTpU.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\kqhxtkQ.exe
  C:\Windows\System32\kqhxtkQ.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\QOoHrfX.exe
  C:\Windows\System32\QOoHrfX.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System32\EItARIR.exe
  C:\Windows\System32\EItARIR.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System32\jHiknbf.exe
  C:\Windows\System32\jHiknbf.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System32\QLvaxqn.exe
  C:\Windows\System32\QLvaxqn.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\PfwXpUu.exe
  C:\Windows\System32\PfwXpUu.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System32\qUPXjwF.exe
  C:\Windows\System32\qUPXjwF.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\HCcxyaz.exe
  C:\Windows\System32\HCcxyaz.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\EJNtPEE.exe
  C:\Windows\System32\EJNtPEE.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System32\nNfRFFZ.exe
  C:\Windows\System32\nNfRFFZ.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System32\nKvRqZw.exe
  C:\Windows\System32\nKvRqZw.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System32\JjgGeWy.exe
  C:\Windows\System32\JjgGeWy.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\yuzkUEU.exe
  C:\Windows\System32\yuzkUEU.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\boVSgFc.exe
  C:\Windows\System32\boVSgFc.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System32\jFApmIv.exe
  C:\Windows\System32\jFApmIv.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System32\EiTtJQo.exe
  C:\Windows\System32\EiTtJQo.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System32\ccLwiGn.exe
  C:\Windows\System32\ccLwiGn.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System32\dgAtpra.exe
  C:\Windows\System32\dgAtpra.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System32\EqrEAdn.exe
  C:\Windows\System32\EqrEAdn.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System32\XzhrOiR.exe
  C:\Windows\System32\XzhrOiR.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System32\tMxUPJc.exe
  C:\Windows\System32\tMxUPJc.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System32\cfcRmEd.exe
  C:\Windows\System32\cfcRmEd.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System32\NrMWwnD.exe
  C:\Windows\System32\NrMWwnD.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\xDldlVE.exe
  C:\Windows\System32\xDldlVE.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System32\dvAbpHW.exe
  C:\Windows\System32\dvAbpHW.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System32\xdULPYl.exe
  C:\Windows\System32\xdULPYl.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System32\svmSBtR.exe
  C:\Windows\System32\svmSBtR.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System32\MerfcYx.exe
  C:\Windows\System32\MerfcYx.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\JOKvNWd.exe
  C:\Windows\System32\JOKvNWd.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System32\kOLNfyy.exe
  C:\Windows\System32\kOLNfyy.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\DtuceGg.exe
  C:\Windows\System32\DtuceGg.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\NeUuSFv.exe
  C:\Windows\System32\NeUuSFv.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\ZbzFVpa.exe
  C:\Windows\System32\ZbzFVpa.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\qPvBzWA.exe
  C:\Windows\System32\qPvBzWA.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System32\ZYAAJEL.exe
  C:\Windows\System32\ZYAAJEL.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\KYobMCP.exe
  C:\Windows\System32\KYobMCP.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\YiXGYBW.exe
  C:\Windows\System32\YiXGYBW.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System32\gJAdQnT.exe
  C:\Windows\System32\gJAdQnT.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\GhtPHVG.exe
  C:\Windows\System32\GhtPHVG.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System32\VHIZFdQ.exe
  C:\Windows\System32\VHIZFdQ.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System32\hVrdDdj.exe
  C:\Windows\System32\hVrdDdj.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System32\ExYrhTW.exe
  C:\Windows\System32\ExYrhTW.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System32\RxWCqBe.exe
  C:\Windows\System32\RxWCqBe.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\MHToqVw.exe
  C:\Windows\System32\MHToqVw.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\ZyaXzqo.exe
  C:\Windows\System32\ZyaXzqo.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System32\BhkegoQ.exe
  C:\Windows\System32\BhkegoQ.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System32\AqShkje.exe
  C:\Windows\System32\AqShkje.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System32\nGzTUow.exe
  C:\Windows\System32\nGzTUow.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\RqfJZzT.exe
  C:\Windows\System32\RqfJZzT.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System32\lflpGjW.exe
  C:\Windows\System32\lflpGjW.exe
  2⤵
  PID:4576
- C:\Windows\System32\enkWEfI.exe
  C:\Windows\System32\enkWEfI.exe
  2⤵
  PID:2120
- C:\Windows\System32\aoTOOrn.exe
  C:\Windows\System32\aoTOOrn.exe
  2⤵
  PID:1288
- C:\Windows\System32\uFhYzXo.exe
  C:\Windows\System32\uFhYzXo.exe
  2⤵
  PID:3824
- C:\Windows\System32\xDxStox.exe
  C:\Windows\System32\xDxStox.exe
  2⤵
  PID:3936
- C:\Windows\System32\IzEfOIv.exe
  C:\Windows\System32\IzEfOIv.exe
  2⤵
  PID:3464
- C:\Windows\System32\XnxaoZm.exe
  C:\Windows\System32\XnxaoZm.exe
  2⤵
  PID:2360
- C:\Windows\System32\ahKqXFu.exe
  C:\Windows\System32\ahKqXFu.exe
  2⤵
  PID:3420
- C:\Windows\System32\GgVLTuc.exe
  C:\Windows\System32\GgVLTuc.exe
  2⤵
  PID:916
- C:\Windows\System32\hTeQYLZ.exe
  C:\Windows\System32\hTeQYLZ.exe
  2⤵
  PID:1672
- C:\Windows\System32\RWhxekT.exe
  C:\Windows\System32\RWhxekT.exe
  2⤵
  PID:3736
- C:\Windows\System32\rjyRWbR.exe
  C:\Windows\System32\rjyRWbR.exe
  2⤵
  PID:1392
- C:\Windows\System32\HDduEEq.exe
  C:\Windows\System32\HDduEEq.exe
  2⤵
  PID:2404
- C:\Windows\System32\KWxfKcd.exe
  C:\Windows\System32\KWxfKcd.exe
  2⤵
  PID:3080
- C:\Windows\System32\MyfHQgX.exe
  C:\Windows\System32\MyfHQgX.exe
  2⤵
  PID:3336
- C:\Windows\System32\ZZiUWQQ.exe
  C:\Windows\System32\ZZiUWQQ.exe
  2⤵
  PID:3712
- C:\Windows\System32\hGuHKHH.exe
  C:\Windows\System32\hGuHKHH.exe
  2⤵
  PID:1628
- C:\Windows\System32\NCgZuWU.exe
  C:\Windows\System32\NCgZuWU.exe
  2⤵
  PID:844
- C:\Windows\System32\QrrRPfK.exe
  C:\Windows\System32\QrrRPfK.exe
  2⤵
  PID:4488
- C:\Windows\System32\CLaFXRm.exe
  C:\Windows\System32\CLaFXRm.exe
  2⤵
  PID:2472
- C:\Windows\System32\KcUBDYb.exe
  C:\Windows\System32\KcUBDYb.exe
  2⤵
  PID:1944
- C:\Windows\System32\YNTHPMJ.exe
  C:\Windows\System32\YNTHPMJ.exe
  2⤵
  PID:1916
- C:\Windows\System32\ehmyrAR.exe
  C:\Windows\System32\ehmyrAR.exe
  2⤵
  PID:3676
- C:\Windows\System32\MRleTig.exe
  C:\Windows\System32\MRleTig.exe
  2⤵
  PID:212
- C:\Windows\System32\OkpOWku.exe
  C:\Windows\System32\OkpOWku.exe
  2⤵
  PID:4000
- C:\Windows\System32\yLvrEgZ.exe
  C:\Windows\System32\yLvrEgZ.exe
  2⤵
  PID:948
- C:\Windows\System32\xpvYwGB.exe
  C:\Windows\System32\xpvYwGB.exe
  2⤵
  PID:2952
- C:\Windows\System32\caKoZdh.exe
  C:\Windows\System32\caKoZdh.exe
  2⤵
  PID:4232
- C:\Windows\System32\GgcqFyN.exe
  C:\Windows\System32\GgcqFyN.exe
  2⤵
  PID:2124
- C:\Windows\System32\HybFTVA.exe
  C:\Windows\System32\HybFTVA.exe
  2⤵
  PID:1480
- C:\Windows\System32\lyBOEUs.exe
  C:\Windows\System32\lyBOEUs.exe
  2⤵
  PID:1240
- C:\Windows\System32\yfEzSfV.exe
  C:\Windows\System32\yfEzSfV.exe
  2⤵
  PID:2376
- C:\Windows\System32\PGCiIKB.exe
  C:\Windows\System32\PGCiIKB.exe
  2⤵
  PID:4492
- C:\Windows\System32\NgxCMKL.exe
  C:\Windows\System32\NgxCMKL.exe
  2⤵
  PID:2116
- C:\Windows\System32\vstfegj.exe
  C:\Windows\System32\vstfegj.exe
  2⤵
  PID:4264
- C:\Windows\System32\OqxdAxX.exe
  C:\Windows\System32\OqxdAxX.exe
  2⤵
  PID:3880
- C:\Windows\System32\auJXqXK.exe
  C:\Windows\System32\auJXqXK.exe
  2⤵
  PID:4784
- C:\Windows\System32\dDpKJey.exe
  C:\Windows\System32\dDpKJey.exe
  2⤵
  PID:4040
- C:\Windows\System32\mqwmsLH.exe
  C:\Windows\System32\mqwmsLH.exe
  2⤵
  PID:1508
- C:\Windows\System32\SKCBDVj.exe
  C:\Windows\System32\SKCBDVj.exe
  2⤵
  PID:644
- C:\Windows\System32\sojNKuO.exe
  C:\Windows\System32\sojNKuO.exe
  2⤵
  PID:4588
- C:\Windows\System32\wtyFzAg.exe
  C:\Windows\System32\wtyFzAg.exe
  2⤵
  PID:624
- C:\Windows\System32\SApvShm.exe
  C:\Windows\System32\SApvShm.exe
  2⤵
  PID:5140
- C:\Windows\System32\qaqfUPG.exe
  C:\Windows\System32\qaqfUPG.exe
  2⤵
  PID:5172
- C:\Windows\System32\cpdRILc.exe
  C:\Windows\System32\cpdRILc.exe
  2⤵
  PID:5200
- C:\Windows\System32\VIfQFTv.exe
  C:\Windows\System32\VIfQFTv.exe
  2⤵
  PID:5224
- C:\Windows\System32\vMtYiRl.exe
  C:\Windows\System32\vMtYiRl.exe
  2⤵
  PID:5256
- C:\Windows\System32\epiQzYo.exe
  C:\Windows\System32\epiQzYo.exe
  2⤵
  PID:5288
- C:\Windows\System32\ZmjDVOU.exe
  C:\Windows\System32\ZmjDVOU.exe
  2⤵
  PID:5324
- C:\Windows\System32\UPColvm.exe
  C:\Windows\System32\UPColvm.exe
  2⤵
  PID:5344
- C:\Windows\System32\NxbDvLe.exe
  C:\Windows\System32\NxbDvLe.exe
  2⤵
  PID:5372
- C:\Windows\System32\saPvlML.exe
  C:\Windows\System32\saPvlML.exe
  2⤵
  PID:5400
- C:\Windows\System32\HpZMkyt.exe
  C:\Windows\System32\HpZMkyt.exe
  2⤵
  PID:5424
- C:\Windows\System32\GSYRetZ.exe
  C:\Windows\System32\GSYRetZ.exe
  2⤵
  PID:5456
- C:\Windows\System32\qAqezBf.exe
  C:\Windows\System32\qAqezBf.exe
  2⤵
  PID:5484
- C:\Windows\System32\UJTVOkb.exe
  C:\Windows\System32\UJTVOkb.exe
  2⤵
  PID:5512
- C:\Windows\System32\nOqUTMF.exe
  C:\Windows\System32\nOqUTMF.exe
  2⤵
  PID:5540
- C:\Windows\System32\cNTcqSh.exe
  C:\Windows\System32\cNTcqSh.exe
  2⤵
  PID:5576
- C:\Windows\System32\ZjLzyBe.exe
  C:\Windows\System32\ZjLzyBe.exe
  2⤵
  PID:5596
- C:\Windows\System32\zbNuZhL.exe
  C:\Windows\System32\zbNuZhL.exe
  2⤵
  PID:5624
- C:\Windows\System32\nKGJVPu.exe
  C:\Windows\System32\nKGJVPu.exe
  2⤵
  PID:5640
- C:\Windows\System32\vUVAObv.exe
  C:\Windows\System32\vUVAObv.exe
  2⤵
  PID:5656
- C:\Windows\System32\ZFHHeBL.exe
  C:\Windows\System32\ZFHHeBL.exe
  2⤵
  PID:5680
- C:\Windows\System32\rgIOvnH.exe
  C:\Windows\System32\rgIOvnH.exe
  2⤵
  PID:5696
- C:\Windows\System32\hgZzQiE.exe
  C:\Windows\System32\hgZzQiE.exe
  2⤵
  PID:5764
- C:\Windows\System32\qRxWUas.exe
  C:\Windows\System32\qRxWUas.exe
  2⤵
  PID:5800
- C:\Windows\System32\kNHVJGO.exe
  C:\Windows\System32\kNHVJGO.exe
  2⤵
  PID:5820
- C:\Windows\System32\xWHbiru.exe
  C:\Windows\System32\xWHbiru.exe
  2⤵
  PID:5840
- C:\Windows\System32\AZUAyCk.exe
  C:\Windows\System32\AZUAyCk.exe
  2⤵
  PID:5856
- C:\Windows\System32\BCTBWAc.exe
  C:\Windows\System32\BCTBWAc.exe
  2⤵
  PID:5884
- C:\Windows\System32\PPUPbVB.exe
  C:\Windows\System32\PPUPbVB.exe
  2⤵
  PID:5944
- C:\Windows\System32\ZloTRkU.exe
  C:\Windows\System32\ZloTRkU.exe
  2⤵
  PID:5972
- C:\Windows\System32\ItblPTu.exe
  C:\Windows\System32\ItblPTu.exe
  2⤵
  PID:5992
- C:\Windows\System32\GLWUcly.exe
  C:\Windows\System32\GLWUcly.exe
  2⤵
  PID:6012
- C:\Windows\System32\zGYNVZP.exe
  C:\Windows\System32\zGYNVZP.exe
  2⤵
  PID:6040
- C:\Windows\System32\zEGFCvC.exe
  C:\Windows\System32\zEGFCvC.exe
  2⤵
  PID:6056
- C:\Windows\System32\iDCpgmc.exe
  C:\Windows\System32\iDCpgmc.exe
  2⤵
  PID:6072
- C:\Windows\System32\fXqfqgq.exe
  C:\Windows\System32\fXqfqgq.exe
  2⤵
  PID:6092
- C:\Windows\System32\MUnnSoc.exe
  C:\Windows\System32\MUnnSoc.exe
  2⤵
  PID:6108
- C:\Windows\System32\ahRDGCg.exe
  C:\Windows\System32\ahRDGCg.exe
  2⤵
  PID:6128
- C:\Windows\System32\FAgrXEm.exe
  C:\Windows\System32\FAgrXEm.exe
  2⤵
  PID:5464
- C:\Windows\System32\PSlrnOD.exe
  C:\Windows\System32\PSlrnOD.exe
  2⤵
  PID:5356
- C:\Windows\System32\CEpNRSq.exe
  C:\Windows\System32\CEpNRSq.exe
  2⤵
  PID:4428
- C:\Windows\System32\GGcEmRm.exe
  C:\Windows\System32\GGcEmRm.exe
  2⤵
  PID:5244
- C:\Windows\System32\LqGBFSP.exe
  C:\Windows\System32\LqGBFSP.exe
  2⤵
  PID:5208
- C:\Windows\System32\EUAeVFj.exe
  C:\Windows\System32\EUAeVFj.exe
  2⤵
  PID:5164
- C:\Windows\System32\PTojmre.exe
  C:\Windows\System32\PTojmre.exe
  2⤵
  PID:1820
- C:\Windows\System32\Cxvlyzx.exe
  C:\Windows\System32\Cxvlyzx.exe
  2⤵
  PID:1044
- C:\Windows\System32\daXKRnu.exe
  C:\Windows\System32\daXKRnu.exe
  2⤵
  PID:3208
- C:\Windows\System32\CFJiWce.exe
  C:\Windows\System32\CFJiWce.exe
  2⤵
  PID:4564
- C:\Windows\System32\HrwAxBJ.exe
  C:\Windows\System32\HrwAxBJ.exe
  2⤵
  PID:4420
- C:\Windows\System32\tlCuwms.exe
  C:\Windows\System32\tlCuwms.exe
  2⤵
  PID:1284
- C:\Windows\System32\PBCPCWy.exe
  C:\Windows\System32\PBCPCWy.exe
  2⤵
  PID:3180
- C:\Windows\System32\hgPoSPK.exe
  C:\Windows\System32\hgPoSPK.exe
  2⤵
  PID:3172
- C:\Windows\System32\ZIaQVtO.exe
  C:\Windows\System32\ZIaQVtO.exe
  2⤵
  PID:5632
- C:\Windows\System32\ZsPBCqX.exe
  C:\Windows\System32\ZsPBCqX.exe
  2⤵
  PID:5688
- C:\Windows\System32\tOdNRaa.exe
  C:\Windows\System32\tOdNRaa.exe
  2⤵
  PID:5732
- C:\Windows\System32\EDwsrWr.exe
  C:\Windows\System32\EDwsrWr.exe
  2⤵
  PID:5852
- C:\Windows\System32\rWwFtty.exe
  C:\Windows\System32\rWwFtty.exe
  2⤵
  PID:5984
- C:\Windows\System32\fhOCBWs.exe
  C:\Windows\System32\fhOCBWs.exe
  2⤵
  PID:6024
- C:\Windows\System32\yCpSNMy.exe
  C:\Windows\System32\yCpSNMy.exe
  2⤵
  PID:6100
- C:\Windows\System32\PVKlLFf.exe
  C:\Windows\System32\PVKlLFf.exe
  2⤵
  PID:5420
- C:\Windows\System32\SkfEvKT.exe
  C:\Windows\System32\SkfEvKT.exe
  2⤵
  PID:6088
- C:\Windows\System32\sCLIFSM.exe
  C:\Windows\System32\sCLIFSM.exe
  2⤵
  PID:5252
- C:\Windows\System32\pKmnelC.exe
  C:\Windows\System32\pKmnelC.exe
  2⤵
  PID:5148
- C:\Windows\System32\NWvCpBT.exe
  C:\Windows\System32\NWvCpBT.exe
  2⤵
  PID:5128
- C:\Windows\System32\sreQDEA.exe
  C:\Windows\System32\sreQDEA.exe
  2⤵
  PID:4528
- C:\Windows\System32\acvnQhx.exe
  C:\Windows\System32\acvnQhx.exe
  2⤵
  PID:4960
- C:\Windows\System32\pFazfua.exe
  C:\Windows\System32\pFazfua.exe
  2⤵
  PID:5668
- C:\Windows\System32\iPXMdtJ.exe
  C:\Windows\System32\iPXMdtJ.exe
  2⤵
  PID:5816
- C:\Windows\System32\NtfRKlB.exe
  C:\Windows\System32\NtfRKlB.exe
  2⤵
  PID:5896
- C:\Windows\System32\BTixtum.exe
  C:\Windows\System32\BTixtum.exe
  2⤵
  PID:6048
- C:\Windows\System32\azkJgzi.exe
  C:\Windows\System32\azkJgzi.exe
  2⤵
  PID:1160
- C:\Windows\System32\hTSxVMQ.exe
  C:\Windows\System32\hTSxVMQ.exe
  2⤵
  PID:5448
- C:\Windows\System32\mmVWxIu.exe
  C:\Windows\System32\mmVWxIu.exe
  2⤵
  PID:5492
- C:\Windows\System32\moYXXAP.exe
  C:\Windows\System32\moYXXAP.exe
  2⤵
  PID:4284
- C:\Windows\System32\ApQcucA.exe
  C:\Windows\System32\ApQcucA.exe
  2⤵
  PID:5676
- C:\Windows\System32\EBvSXyS.exe
  C:\Windows\System32\EBvSXyS.exe
  2⤵
  PID:5920
- C:\Windows\System32\jwgCSCF.exe
  C:\Windows\System32\jwgCSCF.exe
  2⤵
  PID:6084
- C:\Windows\System32\JGkLJDU.exe
  C:\Windows\System32\JGkLJDU.exe
  2⤵
  PID:6164
- C:\Windows\System32\lysJCBS.exe
  C:\Windows\System32\lysJCBS.exe
  2⤵
  PID:6216
- C:\Windows\System32\EFKFtOI.exe
  C:\Windows\System32\EFKFtOI.exe
  2⤵
  PID:6256
- C:\Windows\System32\LMBnErj.exe
  C:\Windows\System32\LMBnErj.exe
  2⤵
  PID:6272
- C:\Windows\System32\ffxtVVz.exe
  C:\Windows\System32\ffxtVVz.exe
  2⤵
  PID:6308
- C:\Windows\System32\GbHROgD.exe
  C:\Windows\System32\GbHROgD.exe
  2⤵
  PID:6328
- C:\Windows\System32\pTFHFjT.exe
  C:\Windows\System32\pTFHFjT.exe
  2⤵
  PID:6396
- C:\Windows\System32\PfvyROo.exe
  C:\Windows\System32\PfvyROo.exe
  2⤵
  PID:6424
- C:\Windows\System32\PjQEIpH.exe
  C:\Windows\System32\PjQEIpH.exe
  2⤵
  PID:6472
- C:\Windows\System32\sIFFoqc.exe
  C:\Windows\System32\sIFFoqc.exe
  2⤵
  PID:6496
- C:\Windows\System32\vwXMinY.exe
  C:\Windows\System32\vwXMinY.exe
  2⤵
  PID:6540
- C:\Windows\System32\PztdUQE.exe
  C:\Windows\System32\PztdUQE.exe
  2⤵
  PID:6564
- C:\Windows\System32\nVBOqdC.exe
  C:\Windows\System32\nVBOqdC.exe
  2⤵
  PID:6584
- C:\Windows\System32\EvVIvfC.exe
  C:\Windows\System32\EvVIvfC.exe
  2⤵
  PID:6600
- C:\Windows\System32\pEmqmzw.exe
  C:\Windows\System32\pEmqmzw.exe
  2⤵
  PID:6624
- C:\Windows\System32\fXrdIan.exe
  C:\Windows\System32\fXrdIan.exe
  2⤵
  PID:6648
- C:\Windows\System32\CtYBKyF.exe
  C:\Windows\System32\CtYBKyF.exe
  2⤵
  PID:6668
- C:\Windows\System32\ywKqbIu.exe
  C:\Windows\System32\ywKqbIu.exe
  2⤵
  PID:6688
- C:\Windows\System32\XDJOeuM.exe
  C:\Windows\System32\XDJOeuM.exe
  2⤵
  PID:6728
- C:\Windows\System32\SDyrcoK.exe
  C:\Windows\System32\SDyrcoK.exe
  2⤵
  PID:6752
- C:\Windows\System32\KUTFCiS.exe
  C:\Windows\System32\KUTFCiS.exe
  2⤵
  PID:6784
- C:\Windows\System32\BzZGbjK.exe
  C:\Windows\System32\BzZGbjK.exe
  2⤵
  PID:6804
- C:\Windows\System32\UjKjGsl.exe
  C:\Windows\System32\UjKjGsl.exe
  2⤵
  PID:6820
- C:\Windows\System32\DgCGKko.exe
  C:\Windows\System32\DgCGKko.exe
  2⤵
  PID:6856
- C:\Windows\System32\NaDponk.exe
  C:\Windows\System32\NaDponk.exe
  2⤵
  PID:6912
- C:\Windows\System32\AIOWZVr.exe
  C:\Windows\System32\AIOWZVr.exe
  2⤵
  PID:6928
- C:\Windows\System32\WqUvetS.exe
  C:\Windows\System32\WqUvetS.exe
  2⤵
  PID:6944
- C:\Windows\System32\VReGnkl.exe
  C:\Windows\System32\VReGnkl.exe
  2⤵
  PID:6968
- C:\Windows\System32\esyqXBB.exe
  C:\Windows\System32\esyqXBB.exe
  2⤵
  PID:6984
- C:\Windows\System32\ExXKdoA.exe
  C:\Windows\System32\ExXKdoA.exe
  2⤵
  PID:7008
- C:\Windows\System32\wWNJUOv.exe
  C:\Windows\System32\wWNJUOv.exe
  2⤵
  PID:7060
- C:\Windows\System32\MkOfZuJ.exe
  C:\Windows\System32\MkOfZuJ.exe
  2⤵
  PID:7112
- C:\Windows\System32\JWgOkjh.exe
  C:\Windows\System32\JWgOkjh.exe
  2⤵
  PID:7152
- C:\Windows\System32\ffhfQaw.exe
  C:\Windows\System32\ffhfQaw.exe
  2⤵
  PID:2492
- C:\Windows\System32\bQJPOoH.exe
  C:\Windows\System32\bQJPOoH.exe
  2⤵
  PID:5380
- C:\Windows\System32\lenpprI.exe
  C:\Windows\System32\lenpprI.exe
  2⤵
  PID:6156
- C:\Windows\System32\daZFcou.exe
  C:\Windows\System32\daZFcou.exe
  2⤵
  PID:6224
- C:\Windows\System32\ITCOmcQ.exe
  C:\Windows\System32\ITCOmcQ.exe
  2⤵
  PID:6284
- C:\Windows\System32\ulriJNq.exe
  C:\Windows\System32\ulriJNq.exe
  2⤵
  PID:6324
- C:\Windows\System32\shwlezq.exe
  C:\Windows\System32\shwlezq.exe
  2⤵
  PID:6440
- C:\Windows\System32\tBkwAAt.exe
  C:\Windows\System32\tBkwAAt.exe
  2⤵
  PID:6504
- C:\Windows\System32\SOPxLuu.exe
  C:\Windows\System32\SOPxLuu.exe
  2⤵
  PID:6524
- C:\Windows\System32\jWCpNRj.exe
  C:\Windows\System32\jWCpNRj.exe
  2⤵
  PID:6580
- C:\Windows\System32\gpNYbIR.exe
  C:\Windows\System32\gpNYbIR.exe
  2⤵
  PID:6660
- C:\Windows\System32\zASGkrc.exe
  C:\Windows\System32\zASGkrc.exe
  2⤵
  PID:6680
- C:\Windows\System32\KrbbfYX.exe
  C:\Windows\System32\KrbbfYX.exe
  2⤵
  PID:6724
- C:\Windows\System32\BufUGqe.exe
  C:\Windows\System32\BufUGqe.exe
  2⤵
  PID:6836
- C:\Windows\System32\SIeVpWB.exe
  C:\Windows\System32\SIeVpWB.exe
  2⤵
  PID:6812
- C:\Windows\System32\HOutOVC.exe
  C:\Windows\System32\HOutOVC.exe
  2⤵
  PID:6964
- C:\Windows\System32\mKFErRz.exe
  C:\Windows\System32\mKFErRz.exe
  2⤵
  PID:7068
- C:\Windows\System32\EVbAphL.exe
  C:\Windows\System32\EVbAphL.exe
  2⤵
  PID:5652
- C:\Windows\System32\IycvXDB.exe
  C:\Windows\System32\IycvXDB.exe
  2⤵
  PID:5952
- C:\Windows\System32\QZffBvy.exe
  C:\Windows\System32\QZffBvy.exe
  2⤵
  PID:6372
- C:\Windows\System32\HSEKKEp.exe
  C:\Windows\System32\HSEKKEp.exe
  2⤵
  PID:6492
- C:\Windows\System32\yYMPOoR.exe
  C:\Windows\System32\yYMPOoR.exe
  2⤵
  PID:6760
- C:\Windows\System32\OVtSAdo.exe
  C:\Windows\System32\OVtSAdo.exe
  2⤵
  PID:6796
- C:\Windows\System32\cGEDVmQ.exe
  C:\Windows\System32\cGEDVmQ.exe
  2⤵
  PID:6800
- C:\Windows\System32\XjcLMdi.exe
  C:\Windows\System32\XjcLMdi.exe
  2⤵
  PID:7040
- C:\Windows\System32\vfYEFsc.exe
  C:\Windows\System32\vfYEFsc.exe
  2⤵
  PID:6976
- C:\Windows\System32\cXkxCaV.exe
  C:\Windows\System32\cXkxCaV.exe
  2⤵
  PID:6172
- C:\Windows\System32\bxIUeAt.exe
  C:\Windows\System32\bxIUeAt.exe
  2⤵
  PID:7052
- C:\Windows\System32\WipWIBW.exe
  C:\Windows\System32\WipWIBW.exe
  2⤵
  PID:7020
- C:\Windows\System32\JOafkzK.exe
  C:\Windows\System32\JOafkzK.exe
  2⤵
  PID:5192
- C:\Windows\System32\EmCKHYR.exe
  C:\Windows\System32\EmCKHYR.exe
  2⤵
  PID:7228
- C:\Windows\System32\qnrKqIk.exe
  C:\Windows\System32\qnrKqIk.exe
  2⤵
  PID:7252
- C:\Windows\System32\PEKJWvF.exe
  C:\Windows\System32\PEKJWvF.exe
  2⤵
  PID:7268
- C:\Windows\System32\KeXeLFT.exe
  C:\Windows\System32\KeXeLFT.exe
  2⤵
  PID:7284
- C:\Windows\System32\WyxxOUQ.exe
  C:\Windows\System32\WyxxOUQ.exe
  2⤵
  PID:7308
- C:\Windows\System32\rSgTphx.exe
  C:\Windows\System32\rSgTphx.exe
  2⤵
  PID:7324
- C:\Windows\System32\GtiuFoo.exe
  C:\Windows\System32\GtiuFoo.exe
  2⤵
  PID:7360
- C:\Windows\System32\SyQqOLk.exe
  C:\Windows\System32\SyQqOLk.exe
  2⤵
  PID:7376
- C:\Windows\System32\cnPRNQn.exe
  C:\Windows\System32\cnPRNQn.exe
  2⤵
  PID:7404
- C:\Windows\System32\EiuQoaH.exe
  C:\Windows\System32\EiuQoaH.exe
  2⤵
  PID:7452
- C:\Windows\System32\Lnqikfj.exe
  C:\Windows\System32\Lnqikfj.exe
  2⤵
  PID:7480
- C:\Windows\System32\pUgHELQ.exe
  C:\Windows\System32\pUgHELQ.exe
  2⤵
  PID:7536
- C:\Windows\System32\nCRQqFX.exe
  C:\Windows\System32\nCRQqFX.exe
  2⤵
  PID:7564
- C:\Windows\System32\dKUwniN.exe
  C:\Windows\System32\dKUwniN.exe
  2⤵
  PID:7592
- C:\Windows\System32\FmAGXmp.exe
  C:\Windows\System32\FmAGXmp.exe
  2⤵
  PID:7608
- C:\Windows\System32\EcNCoka.exe
  C:\Windows\System32\EcNCoka.exe
  2⤵
  PID:7628
- C:\Windows\System32\aAGWlAK.exe
  C:\Windows\System32\aAGWlAK.exe
  2⤵
  PID:7644
- C:\Windows\System32\fxuMPzq.exe
  C:\Windows\System32\fxuMPzq.exe
  2⤵
  PID:7668
- C:\Windows\System32\Gainsmt.exe
  C:\Windows\System32\Gainsmt.exe
  2⤵
  PID:7684
- C:\Windows\System32\eAaBheB.exe
  C:\Windows\System32\eAaBheB.exe
  2⤵
  PID:7732
- C:\Windows\System32\qpNnRZt.exe
  C:\Windows\System32\qpNnRZt.exe
  2⤵
  PID:7764
- C:\Windows\System32\dKUMcTE.exe
  C:\Windows\System32\dKUMcTE.exe
  2⤵
  PID:7804
- C:\Windows\System32\KUfQZet.exe
  C:\Windows\System32\KUfQZet.exe
  2⤵
  PID:7832
- C:\Windows\System32\QdfWUBy.exe
  C:\Windows\System32\QdfWUBy.exe
  2⤵
  PID:7848
- C:\Windows\System32\GTONqdd.exe
  C:\Windows\System32\GTONqdd.exe
  2⤵
  PID:7868
- C:\Windows\System32\pDmQSzw.exe
  C:\Windows\System32\pDmQSzw.exe
  2⤵
  PID:7892
- C:\Windows\System32\LIxWoHq.exe
  C:\Windows\System32\LIxWoHq.exe
  2⤵
  PID:7932
- C:\Windows\System32\yLSoFCd.exe
  C:\Windows\System32\yLSoFCd.exe
  2⤵
  PID:7960
- C:\Windows\System32\hTQIXol.exe
  C:\Windows\System32\hTQIXol.exe
  2⤵
  PID:7980
- C:\Windows\System32\loBcQeS.exe
  C:\Windows\System32\loBcQeS.exe
  2⤵
  PID:8008
- C:\Windows\System32\SIZZVMo.exe
  C:\Windows\System32\SIZZVMo.exe
  2⤵
  PID:8032
- C:\Windows\System32\rzSHUnC.exe
  C:\Windows\System32\rzSHUnC.exe
  2⤵
  PID:8048
- C:\Windows\System32\LkcHyay.exe
  C:\Windows\System32\LkcHyay.exe
  2⤵
  PID:8068
- C:\Windows\System32\BQeMxVu.exe
  C:\Windows\System32\BQeMxVu.exe
  2⤵
  PID:8092
- C:\Windows\System32\ALrjxao.exe
  C:\Windows\System32\ALrjxao.exe
  2⤵
  PID:8108
- C:\Windows\System32\pPrWiWd.exe
  C:\Windows\System32\pPrWiWd.exe
  2⤵
  PID:8144
- C:\Windows\System32\dOgIALc.exe
  C:\Windows\System32\dOgIALc.exe
  2⤵
  PID:8160
- C:\Windows\System32\MCRnBPt.exe
  C:\Windows\System32\MCRnBPt.exe
  2⤵
  PID:7176
- C:\Windows\System32\zVwyepl.exe
  C:\Windows\System32\zVwyepl.exe
  2⤵
  PID:7240
- C:\Windows\System32\LVexKAN.exe
  C:\Windows\System32\LVexKAN.exe
  2⤵
  PID:7340
- C:\Windows\System32\GRmpxdA.exe
  C:\Windows\System32\GRmpxdA.exe
  2⤵
  PID:7304
- C:\Windows\System32\PObcSwT.exe
  C:\Windows\System32\PObcSwT.exe
  2⤵
  PID:7384
- C:\Windows\System32\zINsDXr.exe
  C:\Windows\System32\zINsDXr.exe
  2⤵
  PID:7556
- C:\Windows\System32\AuSzvif.exe
  C:\Windows\System32\AuSzvif.exe
  2⤵
  PID:7680
- C:\Windows\System32\TAxFtqb.exe
  C:\Windows\System32\TAxFtqb.exe
  2⤵
  PID:7676
- C:\Windows\System32\lVfqIVt.exe
  C:\Windows\System32\lVfqIVt.exe
  2⤵
  PID:7756
- C:\Windows\System32\YVvVtrA.exe
  C:\Windows\System32\YVvVtrA.exe
  2⤵
  PID:7820
- C:\Windows\System32\VNsiWeb.exe
  C:\Windows\System32\VNsiWeb.exe
  2⤵
  PID:7888
- C:\Windows\System32\AnlqHeu.exe
  C:\Windows\System32\AnlqHeu.exe
  2⤵
  PID:8000
- C:\Windows\System32\jXvTVXr.exe
  C:\Windows\System32\jXvTVXr.exe
  2⤵
  PID:8056
- C:\Windows\System32\eZMJRND.exe
  C:\Windows\System32\eZMJRND.exe
  2⤵
  PID:8040
- C:\Windows\System32\rEdUxcu.exe
  C:\Windows\System32\rEdUxcu.exe
  2⤵
  PID:8132
- C:\Windows\System32\ZKpjGYv.exe
  C:\Windows\System32\ZKpjGYv.exe
  2⤵
  PID:6552
- C:\Windows\System32\SxkCDeh.exe
  C:\Windows\System32\SxkCDeh.exe
  2⤵
  PID:7236
- C:\Windows\System32\uPxjoNn.exe
  C:\Windows\System32\uPxjoNn.exe
  2⤵
  PID:7504
- C:\Windows\System32\NjxSEXr.exe
  C:\Windows\System32\NjxSEXr.exe
  2⤵
  PID:7716
- C:\Windows\System32\eXvqLPU.exe
  C:\Windows\System32\eXvqLPU.exe
  2⤵
  PID:7916
- C:\Windows\System32\Bqtnwpf.exe
  C:\Windows\System32\Bqtnwpf.exe
  2⤵
  PID:8044
- C:\Windows\System32\vWwMuPQ.exe
  C:\Windows\System32\vWwMuPQ.exe
  2⤵
  PID:8088
- C:\Windows\System32\VoVQjbn.exe
  C:\Windows\System32\VoVQjbn.exe
  2⤵
  PID:8188
- C:\Windows\System32\CeCHqkJ.exe
  C:\Windows\System32\CeCHqkJ.exe
  2⤵
  PID:7616
- C:\Windows\System32\YZNbeWZ.exe
  C:\Windows\System32\YZNbeWZ.exe
  2⤵
  PID:8104
- C:\Windows\System32\VMNGxQd.exe
  C:\Windows\System32\VMNGxQd.exe
  2⤵
  PID:8184
- C:\Windows\System32\RapPjhj.exe
  C:\Windows\System32\RapPjhj.exe
  2⤵
  PID:7388
- C:\Windows\System32\ruMKcen.exe
  C:\Windows\System32\ruMKcen.exe
  2⤵
  PID:8208
- C:\Windows\System32\ZBtfDQh.exe
  C:\Windows\System32\ZBtfDQh.exe
  2⤵
  PID:8240
- C:\Windows\System32\fAdYspe.exe
  C:\Windows\System32\fAdYspe.exe
  2⤵
  PID:8256
- C:\Windows\System32\xTGCgyj.exe
  C:\Windows\System32\xTGCgyj.exe
  2⤵
  PID:8304
- C:\Windows\System32\acYBbMC.exe
  C:\Windows\System32\acYBbMC.exe
  2⤵
  PID:8340
- C:\Windows\System32\GLoJOCC.exe
  C:\Windows\System32\GLoJOCC.exe
  2⤵
  PID:8364
- C:\Windows\System32\wbzmIqS.exe
  C:\Windows\System32\wbzmIqS.exe
  2⤵
  PID:8408
- C:\Windows\System32\KbcwzBM.exe
  C:\Windows\System32\KbcwzBM.exe
  2⤵
  PID:8424
- C:\Windows\System32\wSTbqis.exe
  C:\Windows\System32\wSTbqis.exe
  2⤵
  PID:8448
- C:\Windows\System32\iaGhbuo.exe
  C:\Windows\System32\iaGhbuo.exe
  2⤵
  PID:8464
- C:\Windows\System32\BMCfuwj.exe
  C:\Windows\System32\BMCfuwj.exe
  2⤵
  PID:8484
- C:\Windows\System32\IAjIJdQ.exe
  C:\Windows\System32\IAjIJdQ.exe
  2⤵
  PID:8508
- C:\Windows\System32\oSnTPca.exe
  C:\Windows\System32\oSnTPca.exe
  2⤵
  PID:8524
- C:\Windows\System32\VvuNaBt.exe
  C:\Windows\System32\VvuNaBt.exe
  2⤵
  PID:8580
- C:\Windows\System32\fCdxxUw.exe
  C:\Windows\System32\fCdxxUw.exe
  2⤵
  PID:8600
- C:\Windows\System32\qacTLBW.exe
  C:\Windows\System32\qacTLBW.exe
  2⤵
  PID:8628
- C:\Windows\System32\QFhSYKo.exe
  C:\Windows\System32\QFhSYKo.exe
  2⤵
  PID:8652
- C:\Windows\System32\uuaSaSY.exe
  C:\Windows\System32\uuaSaSY.exe
  2⤵
  PID:8680
- C:\Windows\System32\NedIPBJ.exe
  C:\Windows\System32\NedIPBJ.exe
  2⤵
  PID:8700
- C:\Windows\System32\ietlCQP.exe
  C:\Windows\System32\ietlCQP.exe
  2⤵
  PID:8736
- C:\Windows\System32\sXHgumV.exe
  C:\Windows\System32\sXHgumV.exe
  2⤵
  PID:8780
- C:\Windows\System32\GvhHzkk.exe
  C:\Windows\System32\GvhHzkk.exe
  2⤵
  PID:8808
- C:\Windows\System32\rmuvbcX.exe
  C:\Windows\System32\rmuvbcX.exe
  2⤵
  PID:8824
- C:\Windows\System32\zisFqqx.exe
  C:\Windows\System32\zisFqqx.exe
  2⤵
  PID:8848
- C:\Windows\System32\MdeHkzx.exe
  C:\Windows\System32\MdeHkzx.exe
  2⤵
  PID:8868
- C:\Windows\System32\XJIRrZY.exe
  C:\Windows\System32\XJIRrZY.exe
  2⤵
  PID:8888
- C:\Windows\System32\IGvgotj.exe
  C:\Windows\System32\IGvgotj.exe
  2⤵
  PID:8908
- C:\Windows\System32\gQdInTY.exe
  C:\Windows\System32\gQdInTY.exe
  2⤵
  PID:8952
- C:\Windows\System32\LSFFDDd.exe
  C:\Windows\System32\LSFFDDd.exe
  2⤵
  PID:8972
- C:\Windows\System32\kvfuzHx.exe
  C:\Windows\System32\kvfuzHx.exe
  2⤵
  PID:9004
- C:\Windows\System32\aMeGnCF.exe
  C:\Windows\System32\aMeGnCF.exe
  2⤵
  PID:9052
- C:\Windows\System32\ZLPldqO.exe
  C:\Windows\System32\ZLPldqO.exe
  2⤵
  PID:9100
- C:\Windows\System32\GiGbYPJ.exe
  C:\Windows\System32\GiGbYPJ.exe
  2⤵
  PID:9132
- C:\Windows\System32\GmHcteq.exe
  C:\Windows\System32\GmHcteq.exe
  2⤵
  PID:9152
- C:\Windows\System32\gJqaXnm.exe
  C:\Windows\System32\gJqaXnm.exe
  2⤵
  PID:9168
- C:\Windows\System32\ZSUCpqa.exe
  C:\Windows\System32\ZSUCpqa.exe
  2⤵
  PID:9200
- C:\Windows\System32\laLJTer.exe
  C:\Windows\System32\laLJTer.exe
  2⤵
  PID:8356
- C:\Windows\System32\LNVhTSD.exe
  C:\Windows\System32\LNVhTSD.exe
  2⤵
  PID:8392
- C:\Windows\System32\fQMQUBj.exe
  C:\Windows\System32\fQMQUBj.exe
  2⤵
  PID:8420
- C:\Windows\System32\uAuOkkV.exe
  C:\Windows\System32\uAuOkkV.exe
  2⤵
  PID:8456
- C:\Windows\System32\UHwBtsc.exe
  C:\Windows\System32\UHwBtsc.exe
  2⤵
  PID:8472
- C:\Windows\System32\hQQvDfi.exe
  C:\Windows\System32\hQQvDfi.exe
  2⤵
  PID:8624
- C:\Windows\System32\idUjnNj.exe
  C:\Windows\System32\idUjnNj.exe
  2⤵
  PID:8672
- C:\Windows\System32\pecaHBA.exe
  C:\Windows\System32\pecaHBA.exe
  2⤵
  PID:8940
- C:\Windows\System32\asKrmGi.exe
  C:\Windows\System32\asKrmGi.exe
  2⤵
  PID:9016
- C:\Windows\System32\rsPaVIp.exe
  C:\Windows\System32\rsPaVIp.exe
  2⤵
  PID:9108
- C:\Windows\System32\DzxFFEA.exe
  C:\Windows\System32\DzxFFEA.exe
  2⤵
  PID:9160
- C:\Windows\System32\ZDtQQoy.exe
  C:\Windows\System32\ZDtQQoy.exe
  2⤵
  PID:9096
- C:\Windows\System32\qxxSmOw.exe
  C:\Windows\System32\qxxSmOw.exe
  2⤵
  PID:9112
- C:\Windows\System32\NgaUgUF.exe
  C:\Windows\System32\NgaUgUF.exe
  2⤵
  PID:9208
- C:\Windows\System32\ZbUBgyw.exe
  C:\Windows\System32\ZbUBgyw.exe
  2⤵
  PID:9124
- C:\Windows\System32\UYVtLNq.exe
  C:\Windows\System32\UYVtLNq.exe
  2⤵
  PID:8220
- C:\Windows\System32\PXQNZTk.exe
  C:\Windows\System32\PXQNZTk.exe
  2⤵
  PID:8516
- C:\Windows\System32\UPZwWtu.exe
  C:\Windows\System32\UPZwWtu.exe
  2⤵
  PID:8536
- C:\Windows\System32\ydTtxwu.exe
  C:\Windows\System32\ydTtxwu.exe
  2⤵
  PID:8760
- C:\Windows\System32\YtGVvvT.exe
  C:\Windows\System32\YtGVvvT.exe
  2⤵
  PID:9088
- C:\Windows\System32\OoZOgBP.exe
  C:\Windows\System32\OoZOgBP.exe
  2⤵
  PID:9196
- C:\Windows\System32\nunljrB.exe
  C:\Windows\System32\nunljrB.exe
  2⤵
  PID:9184
- C:\Windows\System32\OXRAJGI.exe
  C:\Windows\System32\OXRAJGI.exe
  2⤵
  PID:8560
- C:\Windows\System32\ZKPCoJy.exe
  C:\Windows\System32\ZKPCoJy.exe
  2⤵
  PID:8460
- C:\Windows\System32\yUKKmwR.exe
  C:\Windows\System32\yUKKmwR.exe
  2⤵
  PID:8816
- C:\Windows\System32\IfprDbD.exe
  C:\Windows\System32\IfprDbD.exe
  2⤵
  PID:9072
- C:\Windows\System32\tCrHiWY.exe
  C:\Windows\System32\tCrHiWY.exe
  2⤵
  PID:8564
- C:\Windows\System32\xBkriEn.exe
  C:\Windows\System32\xBkriEn.exe
  2⤵
  PID:8272
- C:\Windows\System32\FGORzxL.exe
  C:\Windows\System32\FGORzxL.exe
  2⤵
  PID:9228
- C:\Windows\System32\cwgeTaK.exe
  C:\Windows\System32\cwgeTaK.exe
  2⤵
  PID:9248
- C:\Windows\System32\rgbkeod.exe
  C:\Windows\System32\rgbkeod.exe
  2⤵
  PID:9308
- C:\Windows\System32\hdkvpCu.exe
  C:\Windows\System32\hdkvpCu.exe
  2⤵
  PID:9356
- C:\Windows\System32\DqYbLmk.exe
  C:\Windows\System32\DqYbLmk.exe
  2⤵
  PID:9372
- C:\Windows\System32\EPgDZgo.exe
  C:\Windows\System32\EPgDZgo.exe
  2⤵
  PID:9392
- C:\Windows\System32\KSDWKTD.exe
  C:\Windows\System32\KSDWKTD.exe
  2⤵
  PID:9436
- C:\Windows\System32\hvQNyrR.exe
  C:\Windows\System32\hvQNyrR.exe
  2⤵
  PID:9456
- C:\Windows\System32\XTnJdZH.exe
  C:\Windows\System32\XTnJdZH.exe
  2⤵
  PID:9476
- C:\Windows\System32\NKUMpwE.exe
  C:\Windows\System32\NKUMpwE.exe
  2⤵
  PID:9492
- C:\Windows\System32\ywDTVKW.exe
  C:\Windows\System32\ywDTVKW.exe
  2⤵
  PID:9516
- C:\Windows\System32\MFoOVqN.exe
  C:\Windows\System32\MFoOVqN.exe
  2⤵
  PID:9544
- C:\Windows\System32\OicRsCV.exe
  C:\Windows\System32\OicRsCV.exe
  2⤵
  PID:9564
- C:\Windows\System32\VOJPJYY.exe
  C:\Windows\System32\VOJPJYY.exe
  2⤵
  PID:9612
- C:\Windows\System32\LjwmDIm.exe
  C:\Windows\System32\LjwmDIm.exe
  2⤵
  PID:9632
- C:\Windows\System32\TAPaSLF.exe
  C:\Windows\System32\TAPaSLF.exe
  2⤵
  PID:9648
- C:\Windows\System32\pUtKwBD.exe
  C:\Windows\System32\pUtKwBD.exe
  2⤵
  PID:9676
- C:\Windows\System32\aQgFxoS.exe
  C:\Windows\System32\aQgFxoS.exe
  2⤵
  PID:9716
- C:\Windows\System32\IhcsPMA.exe
  C:\Windows\System32\IhcsPMA.exe
  2⤵
  PID:9748
- C:\Windows\System32\TsWAugk.exe
  C:\Windows\System32\TsWAugk.exe
  2⤵
  PID:9792
- C:\Windows\System32\meTjiNR.exe
  C:\Windows\System32\meTjiNR.exe
  2⤵
  PID:9832
- C:\Windows\System32\juSSOqe.exe
  C:\Windows\System32\juSSOqe.exe
  2⤵
  PID:9856
- C:\Windows\System32\mgwRABm.exe
  C:\Windows\System32\mgwRABm.exe
  2⤵
  PID:9876
- C:\Windows\System32\pGlHWsi.exe
  C:\Windows\System32\pGlHWsi.exe
  2⤵
  PID:9912
- C:\Windows\System32\cVLRfZW.exe
  C:\Windows\System32\cVLRfZW.exe
  2⤵
  PID:9940
- C:\Windows\System32\xwDccOt.exe
  C:\Windows\System32\xwDccOt.exe
  2⤵
  PID:9964
- C:\Windows\System32\NSqzpcy.exe
  C:\Windows\System32\NSqzpcy.exe
  2⤵
  PID:10000
- C:\Windows\System32\mebZAZY.exe
  C:\Windows\System32\mebZAZY.exe
  2⤵
  PID:10028
- C:\Windows\System32\Ftsamsh.exe
  C:\Windows\System32\Ftsamsh.exe
  2⤵
  PID:10044
- C:\Windows\System32\RVybvSq.exe
  C:\Windows\System32\RVybvSq.exe
  2⤵
  PID:10064
- C:\Windows\System32\uJAMFLG.exe
  C:\Windows\System32\uJAMFLG.exe
  2⤵
  PID:10080
- C:\Windows\System32\atwzrpd.exe
  C:\Windows\System32\atwzrpd.exe
  2⤵
  PID:10108
- C:\Windows\System32\MaxqnMe.exe
  C:\Windows\System32\MaxqnMe.exe
  2⤵
  PID:10124
- C:\Windows\System32\UldpkyX.exe
  C:\Windows\System32\UldpkyX.exe
  2⤵
  PID:10164
- C:\Windows\System32\XRkNClm.exe
  C:\Windows\System32\XRkNClm.exe
  2⤵
  PID:10204
- C:\Windows\System32\NbaMPiA.exe
  C:\Windows\System32\NbaMPiA.exe
  2⤵
  PID:10220
- C:\Windows\System32\jDlbAID.exe
  C:\Windows\System32\jDlbAID.exe
  2⤵
  PID:9264
- C:\Windows\System32\oKJCyun.exe
  C:\Windows\System32\oKJCyun.exe
  2⤵
  PID:9320
- C:\Windows\System32\oniYNfY.exe
  C:\Windows\System32\oniYNfY.exe
  2⤵
  PID:9368
- C:\Windows\System32\lRycvsg.exe
  C:\Windows\System32\lRycvsg.exe
  2⤵
  PID:9504
- C:\Windows\System32\kkeleTm.exe
  C:\Windows\System32\kkeleTm.exe
  2⤵
  PID:9540
- C:\Windows\System32\JvzOvdk.exe
  C:\Windows\System32\JvzOvdk.exe
  2⤵
  PID:9600
- C:\Windows\System32\IQLhEjx.exe
  C:\Windows\System32\IQLhEjx.exe
  2⤵
  PID:9656
- C:\Windows\System32\McowPEg.exe
  C:\Windows\System32\McowPEg.exe
  2⤵
  PID:9712
- C:\Windows\System32\nMlghWN.exe
  C:\Windows\System32\nMlghWN.exe
  2⤵
  PID:9776
- C:\Windows\System32\ATUxfLK.exe
  C:\Windows\System32\ATUxfLK.exe
  2⤵
  PID:9888
- C:\Windows\System32\DiuzJkd.exe
  C:\Windows\System32\DiuzJkd.exe
  2⤵
  PID:9984
- C:\Windows\System32\AwOGuWH.exe
  C:\Windows\System32\AwOGuWH.exe
  2⤵
  PID:10020
- C:\Windows\System32\rxUWSDl.exe
  C:\Windows\System32\rxUWSDl.exe
  2⤵
  PID:10088
- C:\Windows\System32\rqDBnrX.exe
  C:\Windows\System32\rqDBnrX.exe
  2⤵
  PID:10180
- C:\Windows\System32\TvbhgYM.exe
  C:\Windows\System32\TvbhgYM.exe
  2⤵
  PID:10116
- C:\Windows\System32\NBvdJJq.exe
  C:\Windows\System32\NBvdJJq.exe
  2⤵
  PID:8540
- C:\Windows\System32\GIxRuWW.exe
  C:\Windows\System32\GIxRuWW.exe
  2⤵
  PID:10212
- C:\Windows\System32\QcmHbuV.exe
  C:\Windows\System32\QcmHbuV.exe
  2⤵
  PID:9416
- C:\Windows\System32\jAAlVSN.exe
  C:\Windows\System32\jAAlVSN.exe
  2⤵
  PID:9532
- C:\Windows\System32\FeLrcDK.exe
  C:\Windows\System32\FeLrcDK.exe
  2⤵
  PID:9924
- C:\Windows\System32\kjfWNjj.exe
  C:\Windows\System32\kjfWNjj.exe
  2⤵
  PID:10136
- C:\Windows\System32\NDcohbU.exe
  C:\Windows\System32\NDcohbU.exe
  2⤵
  PID:10132
- C:\Windows\System32\APGFwpy.exe
  C:\Windows\System32\APGFwpy.exe
  2⤵
  PID:9488
- C:\Windows\System32\yYwGNFq.exe
  C:\Windows\System32\yYwGNFq.exe
  2⤵
  PID:9448
- C:\Windows\System32\XMcOIXR.exe
  C:\Windows\System32\XMcOIXR.exe
  2⤵
  PID:10072
- C:\Windows\System32\rUiuhGP.exe
  C:\Windows\System32\rUiuhGP.exe
  2⤵
  PID:9744
- C:\Windows\System32\idjbNLT.exe
  C:\Windows\System32\idjbNLT.exe
  2⤵
  PID:10260
- C:\Windows\System32\USjynjt.exe
  C:\Windows\System32\USjynjt.exe
  2⤵
  PID:10280
- C:\Windows\System32\bkpoeUO.exe
  C:\Windows\System32\bkpoeUO.exe
  2⤵
  PID:10304
- C:\Windows\System32\BHKqVPa.exe
  C:\Windows\System32\BHKqVPa.exe
  2⤵
  PID:10336
- C:\Windows\System32\iKJjikG.exe
  C:\Windows\System32\iKJjikG.exe
  2⤵
  PID:10364
- C:\Windows\System32\qEvlVBi.exe
  C:\Windows\System32\qEvlVBi.exe
  2⤵
  PID:10412
- C:\Windows\System32\eSCmezW.exe
  C:\Windows\System32\eSCmezW.exe
  2⤵
  PID:10440
- C:\Windows\System32\lqAcBqx.exe
  C:\Windows\System32\lqAcBqx.exe
  2⤵
  PID:10456
- C:\Windows\System32\GmsxXOF.exe
  C:\Windows\System32\GmsxXOF.exe
  2⤵
  PID:10484
- C:\Windows\System32\nSAXRRF.exe
  C:\Windows\System32\nSAXRRF.exe
  2⤵
  PID:10512
- C:\Windows\System32\lPPzBBg.exe
  C:\Windows\System32\lPPzBBg.exe
  2⤵
  PID:10532
- C:\Windows\System32\tXglflN.exe
  C:\Windows\System32\tXglflN.exe
  2⤵
  PID:10560
- C:\Windows\System32\CXAsBNz.exe
  C:\Windows\System32\CXAsBNz.exe
  2⤵
  PID:10584
- C:\Windows\System32\xKvuNCp.exe
  C:\Windows\System32\xKvuNCp.exe
  2⤵
  PID:10624
- C:\Windows\System32\tuiIDqw.exe
  C:\Windows\System32\tuiIDqw.exe
  2⤵
  PID:10660
- C:\Windows\System32\HHwMiXF.exe
  C:\Windows\System32\HHwMiXF.exe
  2⤵
  PID:10680
- C:\Windows\System32\fIiAJLW.exe
  C:\Windows\System32\fIiAJLW.exe
  2⤵
  PID:10708
- C:\Windows\System32\QMmibtF.exe
  C:\Windows\System32\QMmibtF.exe
  2⤵
  PID:10732
- C:\Windows\System32\ChoOFhV.exe
  C:\Windows\System32\ChoOFhV.exe
  2⤵
  PID:10748
- C:\Windows\System32\jSktChw.exe
  C:\Windows\System32\jSktChw.exe
  2⤵
  PID:10772
- C:\Windows\System32\pPQMAEN.exe
  C:\Windows\System32\pPQMAEN.exe
  2⤵
  PID:10808
- C:\Windows\System32\inVEBvy.exe
  C:\Windows\System32\inVEBvy.exe
  2⤵
  PID:10856
- C:\Windows\System32\CtRfZqR.exe
  C:\Windows\System32\CtRfZqR.exe
  2⤵
  PID:10872
- C:\Windows\System32\rAHMnYK.exe
  C:\Windows\System32\rAHMnYK.exe
  2⤵
  PID:10904
- C:\Windows\System32\OPwkvcZ.exe
  C:\Windows\System32\OPwkvcZ.exe
  2⤵
  PID:10932
- C:\Windows\System32\OIqKTbO.exe
  C:\Windows\System32\OIqKTbO.exe
  2⤵
  PID:10960
- C:\Windows\System32\kbDamca.exe
  C:\Windows\System32\kbDamca.exe
  2⤵
  PID:10976
- C:\Windows\System32\QnFwPuZ.exe
  C:\Windows\System32\QnFwPuZ.exe
  2⤵
  PID:11000
- C:\Windows\System32\hahdPcU.exe
  C:\Windows\System32\hahdPcU.exe
  2⤵
  PID:11020
- C:\Windows\System32\qJOPEHv.exe
  C:\Windows\System32\qJOPEHv.exe
  2⤵
  PID:11044
- C:\Windows\System32\dxxGcAx.exe
  C:\Windows\System32\dxxGcAx.exe
  2⤵
  PID:11092
- C:\Windows\System32\ZtNsMEC.exe
  C:\Windows\System32\ZtNsMEC.exe
  2⤵
  PID:11128
- C:\Windows\System32\sKRkyHz.exe
  C:\Windows\System32\sKRkyHz.exe
  2⤵
  PID:11156
- C:\Windows\System32\iaJBWgm.exe
  C:\Windows\System32\iaJBWgm.exe
  2⤵
  PID:11184
- C:\Windows\System32\RGfwwxC.exe
  C:\Windows\System32\RGfwwxC.exe
  2⤵
  PID:11212
- C:\Windows\System32\LhKUPcY.exe
  C:\Windows\System32\LhKUPcY.exe
  2⤵
  PID:11240
- C:\Windows\System32\aJHoyHR.exe
  C:\Windows\System32\aJHoyHR.exe
  2⤵
  PID:10244
- C:\Windows\System32\qwDHRwi.exe
  C:\Windows\System32\qwDHRwi.exe
  2⤵
  PID:10300
- C:\Windows\System32\ONEPpQr.exe
  C:\Windows\System32\ONEPpQr.exe
  2⤵
  PID:10332
- C:\Windows\System32\NWRMKnA.exe
  C:\Windows\System32\NWRMKnA.exe
  2⤵
  PID:10400
- C:\Windows\System32\STPxmsG.exe
  C:\Windows\System32\STPxmsG.exe
  2⤵
  PID:10476
- C:\Windows\System32\vVeFwRV.exe
  C:\Windows\System32\vVeFwRV.exe
  2⤵
  PID:10504
- C:\Windows\System32\onhlwnu.exe
  C:\Windows\System32\onhlwnu.exe
  2⤵
  PID:10568
- C:\Windows\System32\xawQudf.exe
  C:\Windows\System32\xawQudf.exe
  2⤵
  PID:10672
- C:\Windows\System32\OGKDjup.exe
  C:\Windows\System32\OGKDjup.exe
  2⤵
  PID:10756
- C:\Windows\System32\UdSHSNp.exe
  C:\Windows\System32\UdSHSNp.exe
  2⤵
  PID:10792
- C:\Windows\System32\JhjGMjJ.exe
  C:\Windows\System32\JhjGMjJ.exe
  2⤵
  PID:10864
- C:\Windows\System32\NzBAWLm.exe
  C:\Windows\System32\NzBAWLm.exe
  2⤵
  PID:10888
- C:\Windows\System32\QdMuzLf.exe
  C:\Windows\System32\QdMuzLf.exe
  2⤵
  PID:11012
- C:\Windows\System32\mDDLGNS.exe
  C:\Windows\System32\mDDLGNS.exe
  2⤵
  PID:11084
- C:\Windows\System32\OowiMNI.exe
  C:\Windows\System32\OowiMNI.exe
  2⤵
  PID:11144
- C:\Windows\System32\TdihUpJ.exe
  C:\Windows\System32\TdihUpJ.exe
  2⤵
  PID:11168
- C:\Windows\System32\MmnheyS.exe
  C:\Windows\System32\MmnheyS.exe
  2⤵
  PID:11224
- C:\Windows\System32\wOvymkt.exe
  C:\Windows\System32\wOvymkt.exe
  2⤵
  PID:10176
- C:\Windows\System32\KyQSbSg.exe
  C:\Windows\System32\KyQSbSg.exe
  2⤵
  PID:10356
- C:\Windows\System32\fbzFsey.exe
  C:\Windows\System32\fbzFsey.exe
  2⤵
  PID:10404
- C:\Windows\System32\qrzXpjX.exe
  C:\Windows\System32\qrzXpjX.exe
  2⤵
  PID:9892
- C:\Windows\System32\mmcRhoe.exe
  C:\Windows\System32\mmcRhoe.exe
  2⤵
  PID:10696
- C:\Windows\System32\WhypLHu.exe
  C:\Windows\System32\WhypLHu.exe
  2⤵
  PID:11052
- C:\Windows\System32\tljdmGy.exe
  C:\Windows\System32\tljdmGy.exe
  2⤵
  PID:11252
- C:\Windows\System32\CqXIpRz.exe
  C:\Windows\System32\CqXIpRz.exe
  2⤵
  PID:11192
- C:\Windows\System32\NvLnAvl.exe
  C:\Windows\System32\NvLnAvl.exe
  2⤵
  PID:10268
- C:\Windows\System32\pMgJSIF.exe
  C:\Windows\System32\pMgJSIF.exe
  2⤵
  PID:10252
- C:\Windows\System32\FAXdRda.exe
  C:\Windows\System32\FAXdRda.exe
  2⤵
  PID:10784
- C:\Windows\System32\MxRbrmK.exe
  C:\Windows\System32\MxRbrmK.exe
  2⤵
  PID:11284
- C:\Windows\System32\qSHqRPt.exe
  C:\Windows\System32\qSHqRPt.exe
  2⤵
  PID:11304
- C:\Windows\System32\rQEDbYS.exe
  C:\Windows\System32\rQEDbYS.exe
  2⤵
  PID:11352
- C:\Windows\System32\HfqEbGH.exe
  C:\Windows\System32\HfqEbGH.exe
  2⤵
  PID:11380
- C:\Windows\System32\MKsxLMe.exe
  C:\Windows\System32\MKsxLMe.exe
  2⤵
  PID:11424
- C:\Windows\System32\krJGDmO.exe
  C:\Windows\System32\krJGDmO.exe
  2⤵
  PID:11444
- C:\Windows\System32\NivDhTA.exe
  C:\Windows\System32\NivDhTA.exe
  2⤵
  PID:11460
- C:\Windows\System32\JPIBKlw.exe
  C:\Windows\System32\JPIBKlw.exe
  2⤵
  PID:11476
- C:\Windows\System32\mGrZLxn.exe
  C:\Windows\System32\mGrZLxn.exe
  2⤵
  PID:11516
- C:\Windows\System32\FTFvmQz.exe
  C:\Windows\System32\FTFvmQz.exe
  2⤵
  PID:11548
- C:\Windows\System32\KyTMBVY.exe
  C:\Windows\System32\KyTMBVY.exe
  2⤵
  PID:11576
- C:\Windows\System32\mZDHQtC.exe
  C:\Windows\System32\mZDHQtC.exe
  2⤵
  PID:11600
- C:\Windows\System32\hkgvKEe.exe
  C:\Windows\System32\hkgvKEe.exe
  2⤵
  PID:11616
- C:\Windows\System32\IRsQDwi.exe
  C:\Windows\System32\IRsQDwi.exe
  2⤵
  PID:11648
- C:\Windows\System32\GUPVdhz.exe
  C:\Windows\System32\GUPVdhz.exe
  2⤵
  PID:11680
- C:\Windows\System32\VDPAYnY.exe
  C:\Windows\System32\VDPAYnY.exe
  2⤵
  PID:11724
- C:\Windows\System32\NVpgNhp.exe
  C:\Windows\System32\NVpgNhp.exe
  2⤵
  PID:11748
- C:\Windows\System32\nnKdiEf.exe
  C:\Windows\System32\nnKdiEf.exe
  2⤵
  PID:11768
- C:\Windows\System32\VWwOfhJ.exe
  C:\Windows\System32\VWwOfhJ.exe
  2⤵
  PID:11784
- C:\Windows\System32\lFeUvEi.exe
  C:\Windows\System32\lFeUvEi.exe
  2⤵
  PID:11820
- C:\Windows\System32\qDQwOlw.exe
  C:\Windows\System32\qDQwOlw.exe
  2⤵
  PID:11844
- C:\Windows\System32\xKCGQNc.exe
  C:\Windows\System32\xKCGQNc.exe
  2⤵
  PID:11876
- C:\Windows\System32\bmlqPCt.exe
  C:\Windows\System32\bmlqPCt.exe
  2⤵
  PID:11896
- C:\Windows\System32\JlwOuXZ.exe
  C:\Windows\System32\JlwOuXZ.exe
  2⤵
  PID:11912
- C:\Windows\System32\nrOISaQ.exe
  C:\Windows\System32\nrOISaQ.exe
  2⤵
  PID:11928
- C:\Windows\System32\WwHrFqj.exe
  C:\Windows\System32\WwHrFqj.exe
  2⤵
  PID:11968
- C:\Windows\System32\XJPLrLY.exe
  C:\Windows\System32\XJPLrLY.exe
  2⤵
  PID:11988
- C:\Windows\System32\JblNFMu.exe
  C:\Windows\System32\JblNFMu.exe
  2⤵
  PID:12008
- C:\Windows\System32\jnAvGcz.exe
  C:\Windows\System32\jnAvGcz.exe
  2⤵
  PID:12064
- C:\Windows\System32\jkoLvTr.exe
  C:\Windows\System32\jkoLvTr.exe
  2⤵
  PID:12104
- C:\Windows\System32\RdULWjZ.exe
  C:\Windows\System32\RdULWjZ.exe
  2⤵
  PID:12124
- C:\Windows\System32\lMkIWon.exe
  C:\Windows\System32\lMkIWon.exe
  2⤵
  PID:12168
- C:\Windows\System32\PwkFqWU.exe
  C:\Windows\System32\PwkFqWU.exe
  2⤵
  PID:12192
- C:\Windows\System32\KlbefcZ.exe
  C:\Windows\System32\KlbefcZ.exe
  2⤵
  PID:12220
- C:\Windows\System32\ZUajZAv.exe
  C:\Windows\System32\ZUajZAv.exe
  2⤵
  PID:12240
- C:\Windows\System32\MxJRclt.exe
  C:\Windows\System32\MxJRclt.exe
  2⤵
  PID:12276
- C:\Windows\System32\XPpizFF.exe
  C:\Windows\System32\XPpizFF.exe
  2⤵
  PID:11268
- C:\Windows\System32\pFacVQL.exe
  C:\Windows\System32\pFacVQL.exe
  2⤵
  PID:11328
- C:\Windows\System32\ejeBRrn.exe
  C:\Windows\System32\ejeBRrn.exe
  2⤵
  PID:11396
- C:\Windows\System32\ZgKUgEc.exe
  C:\Windows\System32\ZgKUgEc.exe
  2⤵
  PID:11432
- C:\Windows\System32\qgZklEw.exe
  C:\Windows\System32\qgZklEw.exe
  2⤵
  PID:11496
- C:\Windows\System32\AvLadLA.exe
  C:\Windows\System32\AvLadLA.exe
  2⤵
  PID:11556
- C:\Windows\System32\XhvAEcN.exe
  C:\Windows\System32\XhvAEcN.exe
  2⤵
  PID:11628
- C:\Windows\System32\DiwbIwt.exe
  C:\Windows\System32\DiwbIwt.exe
  2⤵
  PID:11736
- C:\Windows\System32\mGkhPKP.exe
  C:\Windows\System32\mGkhPKP.exe
  2⤵
  PID:852
- C:\Windows\System32\RcCjcsl.exe
  C:\Windows\System32\RcCjcsl.exe
  2⤵
  PID:11764
- C:\Windows\System32\UjTNKgc.exe
  C:\Windows\System32\UjTNKgc.exe
  2⤵
  PID:11828
- C:\Windows\System32\EjqCeEQ.exe
  C:\Windows\System32\EjqCeEQ.exe
  2⤵
  PID:11868
- C:\Windows\System32\eFVjxkA.exe
  C:\Windows\System32\eFVjxkA.exe
  2⤵
  PID:11904
- C:\Windows\System32\nxJEvsY.exe
  C:\Windows\System32\nxJEvsY.exe
  2⤵
  PID:12004
- C:\Windows\System32\tSgxnMV.exe
  C:\Windows\System32\tSgxnMV.exe
  2⤵
  PID:12096
- C:\Windows\System32\bEkGMJX.exe
  C:\Windows\System32\bEkGMJX.exe
  2⤵
  PID:12132
- C:\Windows\System32\cEugUde.exe
  C:\Windows\System32\cEugUde.exe
  2⤵
  PID:12232
- C:\Windows\System32\UTJcKBR.exe
  C:\Windows\System32\UTJcKBR.exe
  2⤵
  PID:12228
- C:\Windows\System32\IQRtaqK.exe
  C:\Windows\System32\IQRtaqK.exe
  2⤵
  PID:11296
- C:\Windows\System32\utJOTsW.exe
  C:\Windows\System32\utJOTsW.exe
  2⤵
  PID:11400
- C:\Windows\System32\JrgOPCi.exe
  C:\Windows\System32\JrgOPCi.exe
  2⤵
  PID:11568
- C:\Windows\System32\icpXoyd.exe
  C:\Windows\System32\icpXoyd.exe
  2⤵
  PID:11572
- C:\Windows\System32\eiIwbyf.exe
  C:\Windows\System32\eiIwbyf.exe
  2⤵
  PID:11656
- C:\Windows\System32\jPgcqEN.exe
  C:\Windows\System32\jPgcqEN.exe
  2⤵
  PID:11860
- C:\Windows\System32\qXUcXOp.exe
  C:\Windows\System32\qXUcXOp.exe
  2⤵
  PID:12116
- C:\Windows\System32\ojbarox.exe
  C:\Windows\System32\ojbarox.exe
  2⤵
  PID:12272
- C:\Windows\System32\EVmJXAK.exe
  C:\Windows\System32\EVmJXAK.exe
  2⤵
  PID:11584
- C:\Windows\System32\eOkTONu.exe
  C:\Windows\System32\eOkTONu.exe
  2⤵
  PID:11832
- C:\Windows\System32\QdxqFzt.exe
  C:\Windows\System32\QdxqFzt.exe
  2⤵
  PID:11372
- C:\Windows\System32\TxWwwAr.exe
  C:\Windows\System32\TxWwwAr.exe
  2⤵
  PID:12300
- C:\Windows\System32\PsKRdth.exe
  C:\Windows\System32\PsKRdth.exe
  2⤵
  PID:12324
- C:\Windows\System32\efMPFYw.exe
  C:\Windows\System32\efMPFYw.exe
  2⤵
  PID:12344
- C:\Windows\System32\pmnzElr.exe
  C:\Windows\System32\pmnzElr.exe
  2⤵
  PID:12364
- C:\Windows\System32\XntHpuy.exe
  C:\Windows\System32\XntHpuy.exe
  2⤵
  PID:12388
- C:\Windows\System32\CyuZKhS.exe
  C:\Windows\System32\CyuZKhS.exe
  2⤵
  PID:12412
- C:\Windows\System32\YKpxQMB.exe
  C:\Windows\System32\YKpxQMB.exe
  2⤵
  PID:12428
- C:\Windows\System32\ETJnept.exe
  C:\Windows\System32\ETJnept.exe
  2⤵
  PID:12456
- C:\Windows\System32\ZuVQosj.exe
  C:\Windows\System32\ZuVQosj.exe
  2⤵
  PID:12476
- C:\Windows\System32\fbopDed.exe
  C:\Windows\System32\fbopDed.exe
  2⤵
  PID:12508
- C:\Windows\System32\dPffDDW.exe
  C:\Windows\System32\dPffDDW.exe
  2⤵
  PID:12564
- C:\Windows\System32\fMyLkIH.exe
  C:\Windows\System32\fMyLkIH.exe
  2⤵
  PID:12596
- C:\Windows\System32\cHcXxlH.exe
  C:\Windows\System32\cHcXxlH.exe
  2⤵
  PID:12616
- C:\Windows\System32\TmCDnfH.exe
  C:\Windows\System32\TmCDnfH.exe
  2⤵
  PID:12632
- C:\Windows\System32\ySqgWgJ.exe
  C:\Windows\System32\ySqgWgJ.exe
  2⤵
  PID:12656
- C:\Windows\System32\DovCkak.exe
  C:\Windows\System32\DovCkak.exe
  2⤵
  PID:12672
- C:\Windows\System32\KQxMFQQ.exe
  C:\Windows\System32\KQxMFQQ.exe
  2⤵
  PID:12736
- C:\Windows\System32\wJotCmX.exe
  C:\Windows\System32\wJotCmX.exe
  2⤵
  PID:12756
- C:\Windows\System32\lJXQjeU.exe
  C:\Windows\System32\lJXQjeU.exe
  2⤵
  PID:12772
- C:\Windows\System32\CSnvxOx.exe
  C:\Windows\System32\CSnvxOx.exe
  2⤵
  PID:12800
- C:\Windows\System32\yGtJiCC.exe
  C:\Windows\System32\yGtJiCC.exe
  2⤵
  PID:12828
- C:\Windows\System32\RKTxkNN.exe
  C:\Windows\System32\RKTxkNN.exe
  2⤵
  PID:12844
- C:\Windows\System32\LYtPhHl.exe
  C:\Windows\System32\LYtPhHl.exe
  2⤵
  PID:12920
- C:\Windows\System32\VTuqsSb.exe
  C:\Windows\System32\VTuqsSb.exe
  2⤵
  PID:12948
- C:\Windows\System32\dMpNsOj.exe
  C:\Windows\System32\dMpNsOj.exe
  2⤵
  PID:12964
- C:\Windows\System32\CZQkezc.exe
  C:\Windows\System32\CZQkezc.exe
  2⤵
  PID:13004
- C:\Windows\System32\LXLZTZP.exe
  C:\Windows\System32\LXLZTZP.exe
  2⤵
  PID:13028
- C:\Windows\System32\FkfkPlh.exe
  C:\Windows\System32\FkfkPlh.exe
  2⤵
  PID:13048

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\EItARIR.exe

Filesize
1.0MB

MD5
a75b68974fb73bfd06e3be1e841b3675

SHA1
a84d1ac74f484e7fd672ec2137d3c46a18c6e227

SHA256
081433f40dc00a44d5a06e0608d89fe5463a02b84f25aedb50647f57f530ce76

SHA512
c3da8051b3516e368c5a8fc134b824c24a3ee9f7a078646aba63875ae4843e5cbd337e7343b7fc7c81144851b6879d38a1173a851d06773e71a296152122adec

Download Submit
C:\Windows\System32\EJNtPEE.exe

Filesize
1.0MB

MD5
92b0e63208d16ffaf12df0e7fe48a8cf

SHA1
35a42929fa3bdaa591646edd2bd90bd5c4f5859e

SHA256
ae272ce65d2ebc93e3cb4290800c42c189e7abf1bcfd0a69947a01b624864ce9

SHA512
1c2b7b7dc6482c7542820d89ec8a490cb9410cd35422e121fc3ab59ef2d7677358a5e1bb29fb07d865cc51231d6d73482ba6aa95050188566c89395e3f68e938

Download Submit
C:\Windows\System32\ELrrggB.exe

Filesize
1.0MB

MD5
e9347c8bc387631295a126d6fb00ae1c

SHA1
5401f250b8067914c3719de63d3683ec3b5f973c

SHA256
135a525f999ab1a3faf93f28b633d9d44d3c2666204c70be2ba96cff530ac993

SHA512
a3d42e35b9de6ae4b246f23181710a0f236bfee1f0e05646a25c5222e35aaa0e18e1a0f3f644ad9188e3f2a74ed1f255ca2eb7109404e4a3a164311fcac52990

Download Submit
C:\Windows\System32\EiTtJQo.exe

Filesize
1.0MB

MD5
448c50a2ebc2e41c163b1f0842a18040

SHA1
19d35120cf47d0d8d54115eb7467dcfcd68c176b

SHA256
8c8d71e9901bbf9bf6b231161192f2fe5608bfaa7e1260db261f3265e1ede3b9

SHA512
40a67a6e7a7091f162043eab9b7fc8ed9c1fc330a270965fcfd051a0aa6040532c6ece155fcabc0f95af90d7f824defd5e20fd25949ce73b59cfc21c168ec6c3

Download Submit
C:\Windows\System32\GXONxCJ.exe

Filesize
1.0MB

MD5
8c1f55d8aa582a288585f8eb16dfd9b1

SHA1
ca58bfc856fbcd1bad579c6b26a03ab3c6952206

SHA256
d9c71cf07a2a1bb4777a23899c4c11d3cc813ec2fddad87a0abd1113345b22a3

SHA512
5db33e94e9f207cbaaebefd3e836350e19be23886802bdcba5c31b73366a2327931440ee29616d547e00e6d2e42f31903230e435b0de8cc01fc5b6d8556f0c49

Download Submit
C:\Windows\System32\HCcxyaz.exe

Filesize
1.0MB

MD5
cb37d98a738f2d2e0c4a4b69d5ac49c2

SHA1
05fe721e4419cd9278a545b7268edbfd569cab45

SHA256
ef054d80e725a0eb7d7c5ddc356759b00de075ad61011d30db4fd88537e4c2a9

SHA512
e03a1363aa4e5dc841a7d685a3e44675e084a6b2cc3383043d4433f897ef37d518f9f49111e62bad8be7b1eb3eb9e21587c816f1fc3a4820addd2c8c357b21d5

Download Submit
C:\Windows\System32\HotWkxz.exe

Filesize
1.0MB

MD5
4c8e84a61d9eb3e22d821d1d7daa4a82

SHA1
ddb2a5a0835711dc1cc912dcf275dd6fbac0c458

SHA256
d5ef28f217a50874af2d90a7f39411ffefb525216fe550ce69f64d4d97a93336

SHA512
0b94eb0fe11aeee0c93e3ff5c364bb6cfe23ed718f846f848c2d2f84921ebb6de21a046004d5f8b354c1fdf826ef8ad12a5b484595f77c79f6d1ddb82682ce65

Download Submit
C:\Windows\System32\INOUPDc.exe

Filesize
1.0MB

MD5
653811bc48573d220110768b690c39d9

SHA1
c208b84dfeab1c6ce08f800b58448a6cce7dcca5

SHA256
d0b1e5210ea0ec2f1e2c58878d6c246d624bec572c02d12acae22f595927ab2c

SHA512
5f0af60f91a551557579d7f1ad99d60e7a5c2912dca88b21a935769bbbee10c52ecc2c17dadcbf6c1bb1f9e96c2b270d0ad8d9b1a1ab5ab9ed62f64e95f9d6d3

Download Submit
C:\Windows\System32\JjgGeWy.exe

Filesize
1.0MB

MD5
2d9616636550447698d06ec792a3241b

SHA1
33d3981b37370054dab7dcbefc6493024349cf69

SHA256
440410230042933902f68bb5b305fc886679f8761f94b20db011b3d5c56ff5ae

SHA512
3c0025472a7ce14445ddfa826ec3da2230b70297b1f2ed63559e0541c704e04ae2d663dfe97b220caf07fb78cf653b3be81c43611a513ade744b62dbd41af9f7

Download Submit
C:\Windows\System32\KXbVZPQ.exe

Filesize
1.0MB

MD5
34b01ead666ef217b8bcfb4b65218045

SHA1
762f5d4e756dff9c1a58052e0e69d588705ddfbc

SHA256
bf870d7523923bd820965357ce95802431f221c68960db94b8f39d84071b9fc8

SHA512
af19a8ed40e7e4b0099c7a40e8c70668e97f4051ed5d56f403ab03db4ba77e0264452fb25b150c73d81610511fb6f01448a2219159aad5b19b7b20004803a2bb

Download Submit
C:\Windows\System32\KjaqUOf.exe

Filesize
1.0MB

MD5
932c936f3103254cb477fc83d9541260

SHA1
974bbbd0a7e46983cf91e61c7afa05928f9c7089

SHA256
c3c528bcdea991cfdb8dad342774a101babc51c298d5bcf5d960a4431a6b026e

SHA512
4b36f0574dc0b8c66b2327ef9b9c53523e3d83764b48db090b94f92d1457737cc9b30f228aaf6bb61cef9a8d1ccf8262eb75cde70895f76169533754f9f0c25e

Download Submit
C:\Windows\System32\MioymDQ.exe

Filesize
1.0MB

MD5
c0c228f6047497f281e82a37438746e2

SHA1
2f7ce66a20c08ce1f45c14fcf1bfa767fa99214d

SHA256
4fa880777203151728a25e2379ad8bdbe58e3851eb8b01df520ea71f0e4914ee

SHA512
22b8c60ffede298096996bd2664ffdf8d086e60585dba74089eeacd2de55aa6a7a8ff3dd97b8dc9745c8d3ac71361e4ee4e361bdad1658ffc921a08f24ed6925

Download Submit
C:\Windows\System32\PfwXpUu.exe

Filesize
1.0MB

MD5
adf0c0225445c8dfcf0adb601abf5b29

SHA1
53476e87aac4af068b84bf1a5958727c43cecd9a

SHA256
e0e95051c8d3982b2902e5932af7e30116310352737a220c5c8b656ed5ebaf78

SHA512
d413b8a223f2a0493016601ff450b7905b33fedb2f9488af52f89deda000e71cf4146df8afd20e57f4fe3cc25f01dd17ddee9f679138f57849be279e68f8d9fa

Download Submit
C:\Windows\System32\QLvaxqn.exe

Filesize
1.0MB

MD5
e013f713281cf50660c888b4acfa4055

SHA1
f1700edf3a9c2f9a50aa90bc3e374080f0e8f350

SHA256
1124fd0058d1ec439f19be9052e41a1a6d5044df0ed76223fdeae62e7227bfa5

SHA512
01658e8431c82e0f04d913591222dc5590ad41b4a4d6e7de9d9248a2b7517c8014664ba57038179e66fafca19de7684ff322a2fa4380671e5dff006a5e3b3285

Download Submit
C:\Windows\System32\QOoHrfX.exe

Filesize
1.0MB

MD5
a751056b2a4370a0b026eb9b76995775

SHA1
ffac2fbb5b438e33a195209b152443103e2fe853

SHA256
cbf0f72c0b622e62e15cf2dfd0349aae0a2f71c5f13425d1bc0e8628ea3ef324

SHA512
f6d6d3cc80d518e8d5ee195fba8e4b89f1800f1e8aa5e84de6649d69ae0951b68afa1150375974ff6d73d456676a4a984dc69d5f5350ee3ecf6f8ca7b5cd664e

Download Submit
C:\Windows\System32\XAJDpMC.exe

Filesize
1.0MB

MD5
d0f3a68a11678e6e9d0ba782b62d1a7c

SHA1
438e2a79c3cda4bd02bf54390baf77d41a553f8b

SHA256
f7418069a0c21615f625b1d6d77f7cb8e6507f579e393c0bfa5396a1ebf24f28

SHA512
1d6ea1f3bd841ba42c3fd962a0ad721b372e2467b800b5f0228f5b12b52fb3413dd5065cd3bc89edf4901c3c6e795a8c30eebffcf5e36c4fec4aa7ee60d04edb

Download Submit
C:\Windows\System32\ZdubWFd.exe

Filesize
1.0MB

MD5
02d5a28c0640295f2f9097dfaca7e55b

SHA1
aa3a168d1ca50376319f385c5ab8cafd54d6ec7a

SHA256
604a54688ca02419bf53b808c981ee234384b6786ddad6e1806124e1e423b942

SHA512
183a9f935b14109e049807b575447db69b95647dc408e8452c6f56af7e65d3099058e8b5a963147f69d19fea77bdc59af03dfbdc009a69c52bb7aa4a67500036

Download Submit
C:\Windows\System32\boVSgFc.exe

Filesize
1.0MB

MD5
2a5b787e58a5d5bf99e294574ed4cb15

SHA1
5fe6105032ea5865753a7682999ffdeaccc89457

SHA256
4dfeea9a3653c91feba67fc14fcc4c08b3e440eb9098881e9233956beb3243d9

SHA512
95255d7403b1a62540e982e4de817d2f370fd2036aa66095dae2b0d7388ec30ef82a88fd7f00bec35c08390aaa1a6d6da865878c3a87cb52ceb426016ddddab2

Download Submit
C:\Windows\System32\ccLwiGn.exe

Filesize
1.0MB

MD5
b2aacddb0dc43aa4de5971b29419f3fb

SHA1
250cb1f7e0c4d0d4b638526e8debf9cd6b1730b0

SHA256
d436cb9cb304e8bdfaf189c11d15994040d7d71136fc6aa34b0d00032a3de271

SHA512
19f5f95b5cae2d3487bbec46ea2dd03371009201ff2cbb33d9bcd53371073934ff9df99bb093d94373d5a54b870787777bc86dbc7f410bcb4d645488c43aa607

Download Submit
C:\Windows\System32\dgAtpra.exe

Filesize
1.0MB

MD5
c85d4447ce49d68092203dfab049f242

SHA1
35a26e35ff8c5f6a1d63a5063676e08009598b6e

SHA256
1aeeabd5f220a9088e949fac1f0befa2d21da0330f7f0ab34a3db70c21add3cb

SHA512
f3d8b8c70c25cf989a440e638185e4eca39b0d150fe99fbf200487c411948c922eea77cff17f143d3b99f2cc79aeb904047cdb98b55ea00218b394cb7c7afe3f

Download Submit
C:\Windows\System32\gqGhJWQ.exe

Filesize
1.0MB

MD5
c52bed1533e69c5088b000192a97a487

SHA1
05f7835411de168d58d0e7b73ce6cfbb17bf62be

SHA256
ba2ae17527aaa6a8166f229e76613d79a51d149ba9164961b16f09571bdc5abe

SHA512
4696bdf3d4b52a540b0fbdbd5e1d222bd6e658eea6b89fc0e91a62de0e575ef1d557d75509402f38995c6def9d2fc2ca9f13c91015069a62d6b9a92e2a6bb892

Download Submit
C:\Windows\System32\idGxYhV.exe

Filesize
1.0MB

MD5
4f61ed169cd5ec33e00fbd2cda54f4f0

SHA1
1cae0dc72cdcf641fb75117c2b498a41c382b287

SHA256
f4d0ab7fd109f5caaf81810f615142f72b78d0e19cf26b8288fd5ec94eb53dae

SHA512
e7133cf662b0ba60fdfba5f6fc53e3df4159ebe2766972b8790e7b4f817a5ac1d1fa92290266d8e712c6043df23e1b92e89669caaa386a58f6fb8a45d8411ee3

Download Submit
C:\Windows\System32\ikLaXcI.exe

Filesize
1.0MB

MD5
9ca1ea0854d5b14e448f9be6e6ab0bfc

SHA1
a3da3bd4a6269b23293dc1ae5a686d86f7be21b9

SHA256
1d670ccdcd5ada40ed28f65bb2f307287cecff8b8ca47bb74a5c78394545b86e

SHA512
272d8568461e7904fd20b1b0de5d854dbfadd7c38b522962e9e765b4a3e9e942289947fa8a90c38f5d8ff58371d14f6bcf61c2616bac3543a1f9afc7d315bed6

Download Submit
C:\Windows\System32\jFApmIv.exe

Filesize
1.0MB

MD5
9b1614f1f54f45c0b7cc9eb785ec86ab

SHA1
f3f6e786ce198310612abe8ca598caf2a0b175ff

SHA256
a9800695bb0da87fd609a22e3f6396dd8cab85a27d36487290565566c6c74877

SHA512
a27d27a9d4a489af32995d11ab40980711f317c2050998134429fc258177c08312e6a1949ce87ce5a064c754335fb69c81fced89ad1fb0bd8a259d7c2679ad06

Download Submit
C:\Windows\System32\jHiknbf.exe

Filesize
1.0MB

MD5
3b3794287542b8e9adea99852ce8fcc9

SHA1
894cc385a9e707e0ebb7d1fca9b9ca96dd782fd9

SHA256
4d946dc7051742911e7766cbc38a9dacb23398c7d0ac64ed4edde524ab14fb63

SHA512
8715da606dd59fa666b060d22c8cc5d746f9a21938c687233c04662319f6cbbaadf1de4409c7d72ad280e73d7264cee23b5782043f5480d14efd39de492aa345

Download Submit
C:\Windows\System32\kqhxtkQ.exe

Filesize
1.0MB

MD5
0371c4f124f7008a2f9d63f305fe8501

SHA1
d5bf80b3fadbe5617dc8f46b253b50f8bc1a8fda

SHA256
3c1e7b137eae91c790ce79419b5adfaf754870077d3b8ef37523f27c617a1b36

SHA512
1eeed3ff9a2f5d7fa5ff781b7edaf8a4b3618d992e1a63581327e7f2d5d9f60bf6235cb30da0cb3b84b54d89b63c7d32d6d7e1e2cc2b891018a96ac182e978d0

Download Submit
C:\Windows\System32\nKvRqZw.exe

Filesize
1.0MB

MD5
b868a95fe8bb6f27a883239737bfc16e

SHA1
97e13ed00e58d62acabafeb731eed2023654c37a

SHA256
abdc135c7bfd3eb5e024ee6a843e1e746e7062671d197eeb403ced71b6213fa6

SHA512
2f8bb0739aee53c4d42a5e439afceb782cdf14610d6f77703e2c2f22f27c0107f15bdb110e30b895bab57ec3b20a14f995e8cda29862d19675060e40f9e49366

Download Submit
C:\Windows\System32\nNfRFFZ.exe

Filesize
1.0MB

MD5
ee41fea287da57ed46507175cbee5565

SHA1
6f9ddc90f72e394cc46de0f4eaa36a9f5be9950b

SHA256
0372813a9f85a79328eba35a9a9bd0bb49a6d87aaeb391a346fda9c2e345c652

SHA512
ec935125ccf22abbc6e32ff0a33cb8250cc778d9ec569cc5ae9ad80138c2746f8b3f344df90c817531fc576a3b26c4d740eb2c0552aac520dd63caad580b3b60

Download Submit
C:\Windows\System32\nqxRepT.exe

Filesize
1.0MB

MD5
ca4ba3c62c1cb4dd21330bda8ab6c57e

SHA1
a313f1d8d79a838e5f01060c81761b320128698d

SHA256
0e1586b33481674de43192ad040833c3a47195ad3824752a4a13a6d62a349a9e

SHA512
0f522b3d60cf0180fcae062099da02bd9e0acc33c3f1ccdf0d5c282bef6768eea61bd5dda2e1c11df604308dbb251e38e2a8d3934e4805f0a6ef5b6cac0f4857

Download Submit
C:\Windows\System32\qUPXjwF.exe

Filesize
1.0MB

MD5
a87a2efb2a895453dad668b100ea5058

SHA1
350c38bbfe3616182edd485d49f193e6fdff5753

SHA256
8d315cbdff10f886016186ce5b01781cf2eb364a339eb75045877ebd3b57f042

SHA512
76dd955e17d8945fa2379a8923624e5e9ee85da73d2463cef573b0eafa16e18ad9e605c36036458db60729ae13bf2bc8c1d91c06e2f968167791cf9b3860dae6

Download Submit
C:\Windows\System32\qsBpXlw.exe

Filesize
1.0MB

MD5
e983504ff1487f6aa7235d8961b477d5

SHA1
6d175f040acc692cb5201ea26ed196553770f738

SHA256
0c1e63b541ca537b8a834bdb3a2d278e4de6f5228f783a2857694db5b88b33fc

SHA512
e8ba457c5c0b0b2179dc9a0b993571c523740f138a4b22cf8dc0e2c1bf3495dbb533d55915f9d53a2a1f8e7839cf1df95a1e61c273a6c5aeb054746ecf44ccd8

Download Submit
C:\Windows\System32\yuzkUEU.exe

Filesize
1.0MB

MD5
e837095d6d0f17ba52082787c918efb8

SHA1
fd269a0d0a1470c35fa69e8c8544f0638e184665

SHA256
75cf5a14cdec29692bd56eda047284798400ef4fbde9fb76585792ada96f1832

SHA512
350aab714e387ff0503a8a18b3902c38ba66ee1b4c225a2ffd0e9c2e0c0e9e046bfe489c15584fcc1d5952fbb3fe60fb52fb164f03f0bcc2e20a004fde19e1f7

Download Submit
C:\Windows\System32\zfbYTpU.exe

Filesize
1.0MB

MD5
1aa96363fc245f39546e93640a6e3645

SHA1
370cc4b92681ce35f41886da5f579901bc7581cb

SHA256
f5d8f5f21f99332aa7dd698f902fde73b2d62e00c121a41fd7990e828fff2899

SHA512
53e3d27f4d08b2c1721423490b0cd86c0de74573faa510b1677e47dc18923ed150e48b07cb4f653253ed629e5aa362e46f9c509c588ca79e920d85be3c1bdd54

Download Submit
memory/32-44-0x00007FF7EE710000-0x00007FF7EEB01000-memory.dmp

Filesize
3.9MB

Download
memory/32-2030-0x00007FF7EE710000-0x00007FF7EEB01000-memory.dmp

Filesize
3.9MB

Download
memory/32-2010-0x00007FF7EE710000-0x00007FF7EEB01000-memory.dmp

Filesize
3.9MB

Download
memory/452-0-0x00007FF7C5380000-0x00007FF7C5771000-memory.dmp

Filesize
3.9MB

Download
memory/452-1-0x00000232659A0000-0x00000232659B0000-memory.dmp

Filesize
64KB

Download
memory/824-2039-0x00007FF6F75B0000-0x00007FF6F79A1000-memory.dmp

Filesize
3.9MB

Download
memory/824-371-0x00007FF6F75B0000-0x00007FF6F79A1000-memory.dmp

Filesize
3.9MB

Download
memory/1352-384-0x00007FF6193B0000-0x00007FF6197A1000-memory.dmp

Filesize
3.9MB

Download
memory/1352-2058-0x00007FF6193B0000-0x00007FF6197A1000-memory.dmp

Filesize
3.9MB

Download
memory/1516-2034-0x00007FF7FAE70000-0x00007FF7FB261000-memory.dmp

Filesize
3.9MB

Download
memory/1516-338-0x00007FF7FAE70000-0x00007FF7FB261000-memory.dmp

Filesize
3.9MB

Download
memory/1552-2028-0x00007FF76FBD0000-0x00007FF76FFC1000-memory.dmp

Filesize
3.9MB

Download
memory/1552-40-0x00007FF76FBD0000-0x00007FF76FFC1000-memory.dmp

Filesize
3.9MB

Download
memory/1552-2008-0x00007FF76FBD0000-0x00007FF76FFC1000-memory.dmp

Filesize
3.9MB

Download
memory/1620-2022-0x00007FF7017C0000-0x00007FF701BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1620-2004-0x00007FF7017C0000-0x00007FF701BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1620-29-0x00007FF7017C0000-0x00007FF701BB1000-memory.dmp

Filesize
3.9MB

Download
memory/2016-389-0x00007FF6B5DF0000-0x00007FF6B61E1000-memory.dmp

Filesize
3.9MB

Download
memory/2016-2065-0x00007FF6B5DF0000-0x00007FF6B61E1000-memory.dmp

Filesize
3.9MB

Download
memory/2088-12-0x00007FF64CE10000-0x00007FF64D201000-memory.dmp

Filesize
3.9MB

Download
memory/2088-2018-0x00007FF64CE10000-0x00007FF64D201000-memory.dmp

Filesize
3.9MB

Download
memory/2232-2045-0x00007FF600A50000-0x00007FF600E41000-memory.dmp

Filesize
3.9MB

Download
memory/2232-376-0x00007FF600A50000-0x00007FF600E41000-memory.dmp

Filesize
3.9MB

Download
memory/2368-2005-0x00007FF7A2E30000-0x00007FF7A3221000-memory.dmp

Filesize
3.9MB

Download
memory/2368-2024-0x00007FF7A2E30000-0x00007FF7A3221000-memory.dmp

Filesize
3.9MB

Download
memory/2368-32-0x00007FF7A2E30000-0x00007FF7A3221000-memory.dmp

Filesize
3.9MB

Download
memory/2708-2056-0x00007FF630BD0000-0x00007FF630FC1000-memory.dmp

Filesize
3.9MB

Download
memory/2708-372-0x00007FF630BD0000-0x00007FF630FC1000-memory.dmp

Filesize
3.9MB

Download
memory/2728-14-0x00007FF6C6750000-0x00007FF6C6B41000-memory.dmp

Filesize
3.9MB

Download
memory/2728-2026-0x00007FF6C6750000-0x00007FF6C6B41000-memory.dmp

Filesize
3.9MB

Download
memory/2728-1970-0x00007FF6C6750000-0x00007FF6C6B41000-memory.dmp

Filesize
3.9MB

Download
memory/3032-343-0x00007FF753B40000-0x00007FF753F31000-memory.dmp

Filesize
3.9MB

Download
memory/3032-2037-0x00007FF753B40000-0x00007FF753F31000-memory.dmp

Filesize
3.9MB

Download
memory/3212-2003-0x00007FF7AC220000-0x00007FF7AC611000-memory.dmp

Filesize
3.9MB

Download
memory/3212-2020-0x00007FF7AC220000-0x00007FF7AC611000-memory.dmp

Filesize
3.9MB

Download
memory/3212-23-0x00007FF7AC220000-0x00007FF7AC611000-memory.dmp

Filesize
3.9MB

Download
memory/3428-358-0x00007FF6EB460000-0x00007FF6EB851000-memory.dmp

Filesize
3.9MB

Download
memory/3428-2050-0x00007FF6EB460000-0x00007FF6EB851000-memory.dmp

Filesize
3.9MB

Download
memory/3440-2048-0x00007FF644440000-0x00007FF644831000-memory.dmp

Filesize
3.9MB

Download
memory/3440-381-0x00007FF644440000-0x00007FF644831000-memory.dmp

Filesize
3.9MB

Download
memory/3488-347-0x00007FF7E2320000-0x00007FF7E2711000-memory.dmp

Filesize
3.9MB

Download
memory/3488-2060-0x00007FF7E2320000-0x00007FF7E2711000-memory.dmp

Filesize
3.9MB

Download
memory/4044-2054-0x00007FF6524D0000-0x00007FF6528C1000-memory.dmp

Filesize
3.9MB

Download
memory/4044-365-0x00007FF6524D0000-0x00007FF6528C1000-memory.dmp

Filesize
3.9MB

Download
memory/4272-367-0x00007FF74C910000-0x00007FF74CD01000-memory.dmp

Filesize
3.9MB

Download
memory/4272-2041-0x00007FF74C910000-0x00007FF74CD01000-memory.dmp

Filesize
3.9MB

Download
memory/4456-387-0x00007FF692F30000-0x00007FF693321000-memory.dmp

Filesize
3.9MB

Download
memory/4456-2062-0x00007FF692F30000-0x00007FF693321000-memory.dmp

Filesize
3.9MB

Download
memory/4476-2032-0x00007FF728F10000-0x00007FF729301000-memory.dmp

Filesize
3.9MB

Download
memory/4476-320-0x00007FF728F10000-0x00007FF729301000-memory.dmp

Filesize
3.9MB

Download
memory/4712-2047-0x00007FF7268C0000-0x00007FF726CB1000-memory.dmp

Filesize
3.9MB

Download
memory/4712-360-0x00007FF7268C0000-0x00007FF726CB1000-memory.dmp

Filesize
3.9MB

Download
memory/4824-2043-0x00007FF632170000-0x00007FF632561000-memory.dmp

Filesize
3.9MB

Download
memory/4824-369-0x00007FF632170000-0x00007FF632561000-memory.dmp

Filesize
3.9MB

Download
memory/4976-385-0x00007FF626C50000-0x00007FF627041000-memory.dmp

Filesize
3.9MB

Download
memory/4976-2052-0x00007FF626C50000-0x00007FF627041000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads