xmrig | 27eeb003a821564408cbd0b2012d77c1a1bb508ef5f5be73b69b36fdda640c63

Analysis

max time kernel
118s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6190ce3ae1ee874d181a0155647fce00N.exe
Size

1.2MB
MD5

6190ce3ae1ee874d181a0155647fce00
SHA1

e6e83c595d0b6cffc2ea2ee73388120540b95326
SHA256

27eeb003a821564408cbd0b2012d77c1a1bb508ef5f5be73b69b36fdda640c63
SHA512

a0bddeeafd58854bb31f2c0c92e9195c66915b9d9388ae6d25a543bea5de11e5f01d4d3c0ca3fe2c08855a889886ef3967731aa116cc21a3f41de1e67cf2e4e0
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCtSw83V2Y759Kh:knw9oUUEEDlGUrCVhi

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/4628-20-0x00007FF70CAC0000-0x00007FF70CEB1000-memory.dmp	xmrig
behavioral2/memory/4916-36-0x00007FF6FC200000-0x00007FF6FC5F1000-memory.dmp	xmrig
behavioral2/memory/3244-56-0x00007FF7E39B0000-0x00007FF7E3DA1000-memory.dmp	xmrig
behavioral2/memory/932-394-0x00007FF6058B0000-0x00007FF605CA1000-memory.dmp	xmrig
behavioral2/memory/4112-396-0x00007FF7EEA80000-0x00007FF7EEE71000-memory.dmp	xmrig
behavioral2/memory/4036-395-0x00007FF656BE0000-0x00007FF656FD1000-memory.dmp	xmrig
behavioral2/memory/1576-393-0x00007FF77C420000-0x00007FF77C811000-memory.dmp	xmrig
behavioral2/memory/2196-62-0x00007FF7C8950000-0x00007FF7C8D41000-memory.dmp	xmrig
behavioral2/memory/2924-61-0x00007FF6FC930000-0x00007FF6FCD21000-memory.dmp	xmrig
behavioral2/memory/3692-55-0x00007FF64B410000-0x00007FF64B801000-memory.dmp	xmrig
behavioral2/memory/2436-397-0x00007FF60D4C0000-0x00007FF60D8B1000-memory.dmp	xmrig
behavioral2/memory/1760-399-0x00007FF605050000-0x00007FF605441000-memory.dmp	xmrig
behavioral2/memory/2152-398-0x00007FF6C4F90000-0x00007FF6C5381000-memory.dmp	xmrig
behavioral2/memory/1208-400-0x00007FF793900000-0x00007FF793CF1000-memory.dmp	xmrig
behavioral2/memory/4436-401-0x00007FF7BA290000-0x00007FF7BA681000-memory.dmp	xmrig
behavioral2/memory/5108-1973-0x00007FF73E0C0000-0x00007FF73E4B1000-memory.dmp	xmrig
behavioral2/memory/3100-1974-0x00007FF66D140000-0x00007FF66D531000-memory.dmp	xmrig
behavioral2/memory/4912-1975-0x00007FF687D40000-0x00007FF688131000-memory.dmp	xmrig
behavioral2/memory/2620-1976-0x00007FF76E320000-0x00007FF76E711000-memory.dmp	xmrig
behavioral2/memory/5040-1977-0x00007FF74CA80000-0x00007FF74CE71000-memory.dmp	xmrig
behavioral2/memory/1260-1978-0x00007FF7D49E0000-0x00007FF7D4DD1000-memory.dmp	xmrig
behavioral2/memory/4676-1997-0x00007FF6EE500000-0x00007FF6EE8F1000-memory.dmp	xmrig
behavioral2/memory/224-1998-0x00007FF6B4AD0000-0x00007FF6B4EC1000-memory.dmp	xmrig
behavioral2/memory/4540-2007-0x00007FF6FC260000-0x00007FF6FC651000-memory.dmp	xmrig
behavioral2/memory/2736-2016-0x00007FF6B4720000-0x00007FF6B4B11000-memory.dmp	xmrig
behavioral2/memory/4628-2020-0x00007FF70CAC0000-0x00007FF70CEB1000-memory.dmp	xmrig
behavioral2/memory/4916-2022-0x00007FF6FC200000-0x00007FF6FC5F1000-memory.dmp	xmrig
behavioral2/memory/3244-2024-0x00007FF7E39B0000-0x00007FF7E3DA1000-memory.dmp	xmrig
behavioral2/memory/3100-2026-0x00007FF66D140000-0x00007FF66D531000-memory.dmp	xmrig
behavioral2/memory/3692-2030-0x00007FF64B410000-0x00007FF64B801000-memory.dmp	xmrig
behavioral2/memory/2620-2038-0x00007FF76E320000-0x00007FF76E711000-memory.dmp	xmrig
behavioral2/memory/2924-2036-0x00007FF6FC930000-0x00007FF6FCD21000-memory.dmp	xmrig
behavioral2/memory/2196-2034-0x00007FF7C8950000-0x00007FF7C8D41000-memory.dmp	xmrig
behavioral2/memory/1260-2032-0x00007FF7D49E0000-0x00007FF7D4DD1000-memory.dmp	xmrig
behavioral2/memory/4912-2029-0x00007FF687D40000-0x00007FF688131000-memory.dmp	xmrig
behavioral2/memory/224-2054-0x00007FF6B4AD0000-0x00007FF6B4EC1000-memory.dmp	xmrig
behavioral2/memory/5040-2052-0x00007FF74CA80000-0x00007FF74CE71000-memory.dmp	xmrig
behavioral2/memory/932-2061-0x00007FF6058B0000-0x00007FF605CA1000-memory.dmp	xmrig
behavioral2/memory/1760-2050-0x00007FF605050000-0x00007FF605441000-memory.dmp	xmrig
behavioral2/memory/4112-2048-0x00007FF7EEA80000-0x00007FF7EEE71000-memory.dmp	xmrig
behavioral2/memory/2436-2046-0x00007FF60D4C0000-0x00007FF60D8B1000-memory.dmp	xmrig
behavioral2/memory/2152-2044-0x00007FF6C4F90000-0x00007FF6C5381000-memory.dmp	xmrig
behavioral2/memory/2736-2042-0x00007FF6B4720000-0x00007FF6B4B11000-memory.dmp	xmrig
behavioral2/memory/1208-2056-0x00007FF793900000-0x00007FF793CF1000-memory.dmp	xmrig
behavioral2/memory/4676-2040-0x00007FF6EE500000-0x00007FF6EE8F1000-memory.dmp	xmrig
behavioral2/memory/1576-2062-0x00007FF77C420000-0x00007FF77C811000-memory.dmp	xmrig
behavioral2/memory/4436-2064-0x00007FF7BA290000-0x00007FF7BA681000-memory.dmp	xmrig
behavioral2/memory/4036-2058-0x00007FF656BE0000-0x00007FF656FD1000-memory.dmp	xmrig
behavioral2/memory/4540-2174-0x00007FF6FC260000-0x00007FF6FC651000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4628	oEHGHwm.exe
3244	YVNoCHx.exe
3100	hzDPOlP.exe
4916	wCbQzrE.exe
2924	QweUqJT.exe
4912	XKxZkWn.exe
3692	uvBbhCn.exe
2196	hcMnvlx.exe
1260	duqGyHp.exe
2620	hAzEuCA.exe
4676	OjqbpDB.exe
5040	lBeAkml.exe
224	EWTsIng.exe
4540	rzYurnJ.exe
2736	JIAywkr.exe
1576	xEBmTHp.exe
932	FFRRKBP.exe
4036	LefxkrM.exe
4112	iTOVQpC.exe
2436	QaRvOLz.exe
2152	dkeVNmJ.exe
1760	RZydpSB.exe
1208	IDukkME.exe
4436	lUgpjih.exe
3044	GTwYxBv.exe
4692	wCxEKqR.exe
960	BVxagyS.exe
3140	owJvnGE.exe
3748	cfpkMrH.exe
3288	wvALIsl.exe
2600	iucWLpl.exe
1388	AVoURAz.exe
624	IZgmeRc.exe
2684	WApMAuZ.exe
4920	PnIpHaC.exe
1492	CLTPLQe.exe
892	JCRhlmU.exe
668	kjhEbiF.exe
4656	HRSGmCb.exe
448	HPxArtb.exe
1016	OnsAfoQ.exe
8	BHricYd.exe
1080	NMJPOsq.exe
1376	SDwpzTV.exe
1924	GGtWwuY.exe
4244	tDfDkuf.exe
3512	pCjbivy.exe
4292	mMZZDJb.exe
3224	nIiisEA.exe
4504	XZKIeeq.exe
3308	kMXTKGJ.exe
1772	gEigAyi.exe
4596	ZZTFzhm.exe
1244	KdagXxV.exe
1096	PKvxEzf.exe
4636	GRRMjam.exe
4812	IijOoCz.exe
944	dWAjDiO.exe
1640	ytupYXt.exe
5112	aEFxjdT.exe
2800	cEXwhOJ.exe
4736	Axwvkcr.exe
3420	UvPvPXg.exe
1440	nlwUJeW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5108-0-0x00007FF73E0C0000-0x00007FF73E4B1000-memory.dmp	upx
behavioral2/files/0x0009000000023428-5.dat	upx
behavioral2/files/0x000700000002348a-8.dat	upx
behavioral2/files/0x000700000002348b-25.dat	upx
behavioral2/memory/3100-33-0x00007FF66D140000-0x00007FF66D531000-memory.dmp	upx
behavioral2/memory/4628-20-0x00007FF70CAC0000-0x00007FF70CEB1000-memory.dmp	upx
behavioral2/files/0x000700000002348c-19.dat	upx
behavioral2/files/0x0008000000023489-16.dat	upx
behavioral2/files/0x000700000002348e-44.dat	upx
behavioral2/files/0x000700000002348d-43.dat	upx
behavioral2/files/0x0007000000023491-45.dat	upx
behavioral2/memory/4916-36-0x00007FF6FC200000-0x00007FF6FC5F1000-memory.dmp	upx
behavioral2/files/0x000700000002348f-35.dat	upx
behavioral2/files/0x0007000000023490-49.dat	upx
behavioral2/memory/4912-47-0x00007FF687D40000-0x00007FF688131000-memory.dmp	upx
behavioral2/memory/3244-56-0x00007FF7E39B0000-0x00007FF7E3DA1000-memory.dmp	upx
behavioral2/files/0x0007000000023494-64.dat	upx
behavioral2/files/0x0007000000023492-77.dat	upx
behavioral2/memory/224-81-0x00007FF6B4AD0000-0x00007FF6B4EC1000-memory.dmp	upx
behavioral2/files/0x0007000000023497-98.dat	upx
behavioral2/files/0x0007000000023499-106.dat	upx
behavioral2/files/0x000700000002349a-118.dat	upx
behavioral2/files/0x000700000002349f-140.dat	upx
behavioral2/files/0x00070000000234a1-153.dat	upx
behavioral2/files/0x00070000000234a6-171.dat	upx
behavioral2/memory/932-394-0x00007FF6058B0000-0x00007FF605CA1000-memory.dmp	upx
behavioral2/memory/4112-396-0x00007FF7EEA80000-0x00007FF7EEE71000-memory.dmp	upx
behavioral2/memory/4036-395-0x00007FF656BE0000-0x00007FF656FD1000-memory.dmp	upx
behavioral2/memory/1576-393-0x00007FF77C420000-0x00007FF77C811000-memory.dmp	upx
behavioral2/files/0x00070000000234a7-176.dat	upx
behavioral2/files/0x00070000000234a5-173.dat	upx
behavioral2/files/0x00070000000234a4-165.dat	upx
behavioral2/files/0x00070000000234a3-163.dat	upx
behavioral2/files/0x00070000000234a2-158.dat	upx
behavioral2/files/0x00070000000234a0-148.dat	upx
behavioral2/files/0x000700000002349e-138.dat	upx
behavioral2/files/0x000700000002349d-133.dat	upx
behavioral2/files/0x000700000002349c-128.dat	upx
behavioral2/files/0x000700000002349b-123.dat	upx
behavioral2/files/0x0007000000023498-108.dat	upx
behavioral2/files/0x0008000000023487-103.dat	upx
behavioral2/files/0x0007000000023496-90.dat	upx
behavioral2/memory/2736-89-0x00007FF6B4720000-0x00007FF6B4B11000-memory.dmp	upx
behavioral2/files/0x0007000000023495-88.dat	upx
behavioral2/memory/4540-87-0x00007FF6FC260000-0x00007FF6FC651000-memory.dmp	upx
behavioral2/files/0x0007000000023493-84.dat	upx
behavioral2/memory/4676-80-0x00007FF6EE500000-0x00007FF6EE8F1000-memory.dmp	upx
behavioral2/memory/5040-73-0x00007FF74CA80000-0x00007FF74CE71000-memory.dmp	upx
behavioral2/memory/2620-72-0x00007FF76E320000-0x00007FF76E711000-memory.dmp	upx
behavioral2/memory/1260-66-0x00007FF7D49E0000-0x00007FF7D4DD1000-memory.dmp	upx
behavioral2/memory/2196-62-0x00007FF7C8950000-0x00007FF7C8D41000-memory.dmp	upx
behavioral2/memory/2924-61-0x00007FF6FC930000-0x00007FF6FCD21000-memory.dmp	upx
behavioral2/memory/3692-55-0x00007FF64B410000-0x00007FF64B801000-memory.dmp	upx
behavioral2/memory/2436-397-0x00007FF60D4C0000-0x00007FF60D8B1000-memory.dmp	upx
behavioral2/memory/1760-399-0x00007FF605050000-0x00007FF605441000-memory.dmp	upx
behavioral2/memory/2152-398-0x00007FF6C4F90000-0x00007FF6C5381000-memory.dmp	upx
behavioral2/memory/1208-400-0x00007FF793900000-0x00007FF793CF1000-memory.dmp	upx
behavioral2/memory/4436-401-0x00007FF7BA290000-0x00007FF7BA681000-memory.dmp	upx
behavioral2/memory/5108-1973-0x00007FF73E0C0000-0x00007FF73E4B1000-memory.dmp	upx
behavioral2/memory/3100-1974-0x00007FF66D140000-0x00007FF66D531000-memory.dmp	upx
behavioral2/memory/4912-1975-0x00007FF687D40000-0x00007FF688131000-memory.dmp	upx
behavioral2/memory/2620-1976-0x00007FF76E320000-0x00007FF76E711000-memory.dmp	upx
behavioral2/memory/5040-1977-0x00007FF74CA80000-0x00007FF74CE71000-memory.dmp	upx
behavioral2/memory/1260-1978-0x00007FF7D49E0000-0x00007FF7D4DD1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\GyUPJoR.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\YGyyHiy.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\FxStkmp.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\WqBYNjx.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\tiVBvmx.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\UgjPXhe.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\NNHUwfQ.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\xDroIol.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\CLTPLQe.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\zuVLKMT.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\yqOmrPo.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\lBriMMV.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\wCQxSrl.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\hZupjHk.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\ZlDUajm.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\mchmJZD.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\kfkNDWe.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\sIxQihD.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\ynUVtxE.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\AtHNCAU.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\xEBmTHp.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\QJQiRlq.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\YVAfBjD.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\cviWSED.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\SubHRHt.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\FbHqOMt.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\wxpcaix.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\vFIGesa.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\KRcRmpa.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\ZHjXwzq.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\EyWySbW.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\apUsLWl.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\oGvKaMw.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\gNFapRU.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\EWTsIng.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\yfyVjDp.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\XqrFaNx.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\RuBJlVI.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\rzYurnJ.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\JIAywkr.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\pVDpniN.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\GzuvWXe.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\eLuwNiA.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\WKhBFDX.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\IVWxDxh.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\FtauPUc.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\RfnJfSO.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\eqjBepR.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\KezuHZI.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\sIpjgKh.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\SJMUFYt.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\GXxdcRK.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\DMdAYGl.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\FFRRKBP.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\wJtvuiK.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\FMqxirc.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\RFdFovr.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\dawsTqo.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\WRYIwzs.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\MSoHfha.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\NbJsuim.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\DsvFHip.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\mmvomlk.exe	6190ce3ae1ee874d181a0155647fce00N.exe
File created	C:\Windows\System32\LmlEFfK.exe	6190ce3ae1ee874d181a0155647fce00N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13024	dwm.exe
Token: SeChangeNotifyPrivilege	13024	dwm.exe
Token: 33	13024	dwm.exe
Token: SeIncBasePriorityPrivilege	13024	dwm.exe
Token: SeShutdownPrivilege	13024	dwm.exe
Token: SeCreatePagefilePrivilege	13024	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4628	5108	6190ce3ae1ee874d181a0155647fce00N.exe	84
PID 5108 wrote to memory of 4628	5108	6190ce3ae1ee874d181a0155647fce00N.exe	84
PID 5108 wrote to memory of 3244	5108	6190ce3ae1ee874d181a0155647fce00N.exe	85
PID 5108 wrote to memory of 3244	5108	6190ce3ae1ee874d181a0155647fce00N.exe	85
PID 5108 wrote to memory of 3100	5108	6190ce3ae1ee874d181a0155647fce00N.exe	86
PID 5108 wrote to memory of 3100	5108	6190ce3ae1ee874d181a0155647fce00N.exe	86
PID 5108 wrote to memory of 2924	5108	6190ce3ae1ee874d181a0155647fce00N.exe	87
PID 5108 wrote to memory of 2924	5108	6190ce3ae1ee874d181a0155647fce00N.exe	87
PID 5108 wrote to memory of 4916	5108	6190ce3ae1ee874d181a0155647fce00N.exe	88
PID 5108 wrote to memory of 4916	5108	6190ce3ae1ee874d181a0155647fce00N.exe	88
PID 5108 wrote to memory of 4912	5108	6190ce3ae1ee874d181a0155647fce00N.exe	90
PID 5108 wrote to memory of 4912	5108	6190ce3ae1ee874d181a0155647fce00N.exe	90
PID 5108 wrote to memory of 3692	5108	6190ce3ae1ee874d181a0155647fce00N.exe	91
PID 5108 wrote to memory of 3692	5108	6190ce3ae1ee874d181a0155647fce00N.exe	91
PID 5108 wrote to memory of 2196	5108	6190ce3ae1ee874d181a0155647fce00N.exe	92
PID 5108 wrote to memory of 2196	5108	6190ce3ae1ee874d181a0155647fce00N.exe	92
PID 5108 wrote to memory of 2620	5108	6190ce3ae1ee874d181a0155647fce00N.exe	93
PID 5108 wrote to memory of 2620	5108	6190ce3ae1ee874d181a0155647fce00N.exe	93
PID 5108 wrote to memory of 1260	5108	6190ce3ae1ee874d181a0155647fce00N.exe	94
PID 5108 wrote to memory of 1260	5108	6190ce3ae1ee874d181a0155647fce00N.exe	94
PID 5108 wrote to memory of 4676	5108	6190ce3ae1ee874d181a0155647fce00N.exe	95
PID 5108 wrote to memory of 4676	5108	6190ce3ae1ee874d181a0155647fce00N.exe	95
PID 5108 wrote to memory of 224	5108	6190ce3ae1ee874d181a0155647fce00N.exe	96
PID 5108 wrote to memory of 224	5108	6190ce3ae1ee874d181a0155647fce00N.exe	96
PID 5108 wrote to memory of 5040	5108	6190ce3ae1ee874d181a0155647fce00N.exe	97
PID 5108 wrote to memory of 5040	5108	6190ce3ae1ee874d181a0155647fce00N.exe	97
PID 5108 wrote to memory of 4540	5108	6190ce3ae1ee874d181a0155647fce00N.exe	98
PID 5108 wrote to memory of 4540	5108	6190ce3ae1ee874d181a0155647fce00N.exe	98
PID 5108 wrote to memory of 2736	5108	6190ce3ae1ee874d181a0155647fce00N.exe	99
PID 5108 wrote to memory of 2736	5108	6190ce3ae1ee874d181a0155647fce00N.exe	99
PID 5108 wrote to memory of 1576	5108	6190ce3ae1ee874d181a0155647fce00N.exe	100
PID 5108 wrote to memory of 1576	5108	6190ce3ae1ee874d181a0155647fce00N.exe	100
PID 5108 wrote to memory of 932	5108	6190ce3ae1ee874d181a0155647fce00N.exe	101
PID 5108 wrote to memory of 932	5108	6190ce3ae1ee874d181a0155647fce00N.exe	101
PID 5108 wrote to memory of 4036	5108	6190ce3ae1ee874d181a0155647fce00N.exe	102
PID 5108 wrote to memory of 4036	5108	6190ce3ae1ee874d181a0155647fce00N.exe	102
PID 5108 wrote to memory of 4112	5108	6190ce3ae1ee874d181a0155647fce00N.exe	103
PID 5108 wrote to memory of 4112	5108	6190ce3ae1ee874d181a0155647fce00N.exe	103
PID 5108 wrote to memory of 2436	5108	6190ce3ae1ee874d181a0155647fce00N.exe	104
PID 5108 wrote to memory of 2436	5108	6190ce3ae1ee874d181a0155647fce00N.exe	104
PID 5108 wrote to memory of 2152	5108	6190ce3ae1ee874d181a0155647fce00N.exe	105
PID 5108 wrote to memory of 2152	5108	6190ce3ae1ee874d181a0155647fce00N.exe	105
PID 5108 wrote to memory of 1760	5108	6190ce3ae1ee874d181a0155647fce00N.exe	106
PID 5108 wrote to memory of 1760	5108	6190ce3ae1ee874d181a0155647fce00N.exe	106
PID 5108 wrote to memory of 1208	5108	6190ce3ae1ee874d181a0155647fce00N.exe	107
PID 5108 wrote to memory of 1208	5108	6190ce3ae1ee874d181a0155647fce00N.exe	107
PID 5108 wrote to memory of 4436	5108	6190ce3ae1ee874d181a0155647fce00N.exe	108
PID 5108 wrote to memory of 4436	5108	6190ce3ae1ee874d181a0155647fce00N.exe	108
PID 5108 wrote to memory of 3044	5108	6190ce3ae1ee874d181a0155647fce00N.exe	109
PID 5108 wrote to memory of 3044	5108	6190ce3ae1ee874d181a0155647fce00N.exe	109
PID 5108 wrote to memory of 4692	5108	6190ce3ae1ee874d181a0155647fce00N.exe	110
PID 5108 wrote to memory of 4692	5108	6190ce3ae1ee874d181a0155647fce00N.exe	110
PID 5108 wrote to memory of 960	5108	6190ce3ae1ee874d181a0155647fce00N.exe	111
PID 5108 wrote to memory of 960	5108	6190ce3ae1ee874d181a0155647fce00N.exe	111
PID 5108 wrote to memory of 3140	5108	6190ce3ae1ee874d181a0155647fce00N.exe	112
PID 5108 wrote to memory of 3140	5108	6190ce3ae1ee874d181a0155647fce00N.exe	112
PID 5108 wrote to memory of 3748	5108	6190ce3ae1ee874d181a0155647fce00N.exe	113
PID 5108 wrote to memory of 3748	5108	6190ce3ae1ee874d181a0155647fce00N.exe	113
PID 5108 wrote to memory of 3288	5108	6190ce3ae1ee874d181a0155647fce00N.exe	114
PID 5108 wrote to memory of 3288	5108	6190ce3ae1ee874d181a0155647fce00N.exe	114
PID 5108 wrote to memory of 2600	5108	6190ce3ae1ee874d181a0155647fce00N.exe	115
PID 5108 wrote to memory of 2600	5108	6190ce3ae1ee874d181a0155647fce00N.exe	115
PID 5108 wrote to memory of 1388	5108	6190ce3ae1ee874d181a0155647fce00N.exe	116
PID 5108 wrote to memory of 1388	5108	6190ce3ae1ee874d181a0155647fce00N.exe	116

C:\Users\Admin\AppData\Local\Temp\6190ce3ae1ee874d181a0155647fce00N.exe
"C:\Users\Admin\AppData\Local\Temp\6190ce3ae1ee874d181a0155647fce00N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\System32\oEHGHwm.exe
  C:\Windows\System32\oEHGHwm.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\YVNoCHx.exe
  C:\Windows\System32\YVNoCHx.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System32\hzDPOlP.exe
  C:\Windows\System32\hzDPOlP.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System32\QweUqJT.exe
  C:\Windows\System32\QweUqJT.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System32\wCbQzrE.exe
  C:\Windows\System32\wCbQzrE.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\XKxZkWn.exe
  C:\Windows\System32\XKxZkWn.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\uvBbhCn.exe
  C:\Windows\System32\uvBbhCn.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\hcMnvlx.exe
  C:\Windows\System32\hcMnvlx.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System32\hAzEuCA.exe
  C:\Windows\System32\hAzEuCA.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System32\duqGyHp.exe
  C:\Windows\System32\duqGyHp.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System32\OjqbpDB.exe
  C:\Windows\System32\OjqbpDB.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System32\EWTsIng.exe
  C:\Windows\System32\EWTsIng.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System32\lBeAkml.exe
  C:\Windows\System32\lBeAkml.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\rzYurnJ.exe
  C:\Windows\System32\rzYurnJ.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System32\JIAywkr.exe
  C:\Windows\System32\JIAywkr.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System32\xEBmTHp.exe
  C:\Windows\System32\xEBmTHp.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System32\FFRRKBP.exe
  C:\Windows\System32\FFRRKBP.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System32\LefxkrM.exe
  C:\Windows\System32\LefxkrM.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System32\iTOVQpC.exe
  C:\Windows\System32\iTOVQpC.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System32\QaRvOLz.exe
  C:\Windows\System32\QaRvOLz.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\dkeVNmJ.exe
  C:\Windows\System32\dkeVNmJ.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System32\RZydpSB.exe
  C:\Windows\System32\RZydpSB.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System32\IDukkME.exe
  C:\Windows\System32\IDukkME.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System32\lUgpjih.exe
  C:\Windows\System32\lUgpjih.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\GTwYxBv.exe
  C:\Windows\System32\GTwYxBv.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\wCxEKqR.exe
  C:\Windows\System32\wCxEKqR.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\BVxagyS.exe
  C:\Windows\System32\BVxagyS.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System32\owJvnGE.exe
  C:\Windows\System32\owJvnGE.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\cfpkMrH.exe
  C:\Windows\System32\cfpkMrH.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System32\wvALIsl.exe
  C:\Windows\System32\wvALIsl.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System32\iucWLpl.exe
  C:\Windows\System32\iucWLpl.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System32\AVoURAz.exe
  C:\Windows\System32\AVoURAz.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System32\IZgmeRc.exe
  C:\Windows\System32\IZgmeRc.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\WApMAuZ.exe
  C:\Windows\System32\WApMAuZ.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System32\PnIpHaC.exe
  C:\Windows\System32\PnIpHaC.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\CLTPLQe.exe
  C:\Windows\System32\CLTPLQe.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System32\JCRhlmU.exe
  C:\Windows\System32\JCRhlmU.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System32\kjhEbiF.exe
  C:\Windows\System32\kjhEbiF.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System32\HRSGmCb.exe
  C:\Windows\System32\HRSGmCb.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System32\HPxArtb.exe
  C:\Windows\System32\HPxArtb.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System32\OnsAfoQ.exe
  C:\Windows\System32\OnsAfoQ.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\BHricYd.exe
  C:\Windows\System32\BHricYd.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System32\NMJPOsq.exe
  C:\Windows\System32\NMJPOsq.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\SDwpzTV.exe
  C:\Windows\System32\SDwpzTV.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\GGtWwuY.exe
  C:\Windows\System32\GGtWwuY.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\tDfDkuf.exe
  C:\Windows\System32\tDfDkuf.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System32\pCjbivy.exe
  C:\Windows\System32\pCjbivy.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\mMZZDJb.exe
  C:\Windows\System32\mMZZDJb.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System32\nIiisEA.exe
  C:\Windows\System32\nIiisEA.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\XZKIeeq.exe
  C:\Windows\System32\XZKIeeq.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System32\kMXTKGJ.exe
  C:\Windows\System32\kMXTKGJ.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System32\gEigAyi.exe
  C:\Windows\System32\gEigAyi.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System32\ZZTFzhm.exe
  C:\Windows\System32\ZZTFzhm.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System32\KdagXxV.exe
  C:\Windows\System32\KdagXxV.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System32\PKvxEzf.exe
  C:\Windows\System32\PKvxEzf.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System32\GRRMjam.exe
  C:\Windows\System32\GRRMjam.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System32\IijOoCz.exe
  C:\Windows\System32\IijOoCz.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System32\dWAjDiO.exe
  C:\Windows\System32\dWAjDiO.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System32\ytupYXt.exe
  C:\Windows\System32\ytupYXt.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System32\aEFxjdT.exe
  C:\Windows\System32\aEFxjdT.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\cEXwhOJ.exe
  C:\Windows\System32\cEXwhOJ.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\Axwvkcr.exe
  C:\Windows\System32\Axwvkcr.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System32\UvPvPXg.exe
  C:\Windows\System32\UvPvPXg.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System32\nlwUJeW.exe
  C:\Windows\System32\nlwUJeW.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\xlCrEtd.exe
  C:\Windows\System32\xlCrEtd.exe
  2⤵
  PID:3432
- C:\Windows\System32\vKzfEBW.exe
  C:\Windows\System32\vKzfEBW.exe
  2⤵
  PID:2564
- C:\Windows\System32\JiMipKf.exe
  C:\Windows\System32\JiMipKf.exe
  2⤵
  PID:1980
- C:\Windows\System32\cogTTmY.exe
  C:\Windows\System32\cogTTmY.exe
  2⤵
  PID:1992
- C:\Windows\System32\FtauPUc.exe
  C:\Windows\System32\FtauPUc.exe
  2⤵
  PID:3556
- C:\Windows\System32\QaipUVB.exe
  C:\Windows\System32\QaipUVB.exe
  2⤵
  PID:2548
- C:\Windows\System32\rgCdAxl.exe
  C:\Windows\System32\rgCdAxl.exe
  2⤵
  PID:1052
- C:\Windows\System32\XisBefO.exe
  C:\Windows\System32\XisBefO.exe
  2⤵
  PID:4552
- C:\Windows\System32\yrnzQOz.exe
  C:\Windows\System32\yrnzQOz.exe
  2⤵
  PID:4072
- C:\Windows\System32\tbgaKcg.exe
  C:\Windows\System32\tbgaKcg.exe
  2⤵
  PID:4364
- C:\Windows\System32\DfqYftk.exe
  C:\Windows\System32\DfqYftk.exe
  2⤵
  PID:1928
- C:\Windows\System32\ABdTzoE.exe
  C:\Windows\System32\ABdTzoE.exe
  2⤵
  PID:1148
- C:\Windows\System32\OzrmqOJ.exe
  C:\Windows\System32\OzrmqOJ.exe
  2⤵
  PID:1984
- C:\Windows\System32\gUsDUMW.exe
  C:\Windows\System32\gUsDUMW.exe
  2⤵
  PID:4500
- C:\Windows\System32\QNtQAor.exe
  C:\Windows\System32\QNtQAor.exe
  2⤵
  PID:4576
- C:\Windows\System32\wgGrirn.exe
  C:\Windows\System32\wgGrirn.exe
  2⤵
  PID:3936
- C:\Windows\System32\XZuRXda.exe
  C:\Windows\System32\XZuRXda.exe
  2⤵
  PID:228
- C:\Windows\System32\dMFskik.exe
  C:\Windows\System32\dMFskik.exe
  2⤵
  PID:4100
- C:\Windows\System32\MhGSPgo.exe
  C:\Windows\System32\MhGSPgo.exe
  2⤵
  PID:4964
- C:\Windows\System32\bvTXmWG.exe
  C:\Windows\System32\bvTXmWG.exe
  2⤵
  PID:4376
- C:\Windows\System32\ZicIIiW.exe
  C:\Windows\System32\ZicIIiW.exe
  2⤵
  PID:2488
- C:\Windows\System32\zEMfaNf.exe
  C:\Windows\System32\zEMfaNf.exe
  2⤵
  PID:1156
- C:\Windows\System32\DAOVIpf.exe
  C:\Windows\System32\DAOVIpf.exe
  2⤵
  PID:4448
- C:\Windows\System32\bVcaMNd.exe
  C:\Windows\System32\bVcaMNd.exe
  2⤵
  PID:2880
- C:\Windows\System32\RPbzdJi.exe
  C:\Windows\System32\RPbzdJi.exe
  2⤵
  PID:3436
- C:\Windows\System32\tUwcBtw.exe
  C:\Windows\System32\tUwcBtw.exe
  2⤵
  PID:4136
- C:\Windows\System32\PKncipF.exe
  C:\Windows\System32\PKncipF.exe
  2⤵
  PID:1396
- C:\Windows\System32\qYmFjIt.exe
  C:\Windows\System32\qYmFjIt.exe
  2⤵
  PID:1076
- C:\Windows\System32\WRzNVrn.exe
  C:\Windows\System32\WRzNVrn.exe
  2⤵
  PID:3324
- C:\Windows\System32\XYPsrCf.exe
  C:\Windows\System32\XYPsrCf.exe
  2⤵
  PID:1612
- C:\Windows\System32\vPqWKpN.exe
  C:\Windows\System32\vPqWKpN.exe
  2⤵
  PID:1820
- C:\Windows\System32\hTNgNom.exe
  C:\Windows\System32\hTNgNom.exe
  2⤵
  PID:3588
- C:\Windows\System32\KucOFcd.exe
  C:\Windows\System32\KucOFcd.exe
  2⤵
  PID:3320
- C:\Windows\System32\DsdkMfF.exe
  C:\Windows\System32\DsdkMfF.exe
  2⤵
  PID:424
- C:\Windows\System32\hRjBhei.exe
  C:\Windows\System32\hRjBhei.exe
  2⤵
  PID:3596
- C:\Windows\System32\yfyVjDp.exe
  C:\Windows\System32\yfyVjDp.exe
  2⤵
  PID:2552
- C:\Windows\System32\fVRwWPc.exe
  C:\Windows\System32\fVRwWPc.exe
  2⤵
  PID:60
- C:\Windows\System32\NHjvtPB.exe
  C:\Windows\System32\NHjvtPB.exe
  2⤵
  PID:1528
- C:\Windows\System32\OdbpFSG.exe
  C:\Windows\System32\OdbpFSG.exe
  2⤵
  PID:4360
- C:\Windows\System32\QCMewac.exe
  C:\Windows\System32\QCMewac.exe
  2⤵
  PID:1668
- C:\Windows\System32\zdnturn.exe
  C:\Windows\System32\zdnturn.exe
  2⤵
  PID:4584
- C:\Windows\System32\NbJsuim.exe
  C:\Windows\System32\NbJsuim.exe
  2⤵
  PID:4508
- C:\Windows\System32\mEyGEPP.exe
  C:\Windows\System32\mEyGEPP.exe
  2⤵
  PID:4976
- C:\Windows\System32\lZeJhki.exe
  C:\Windows\System32\lZeJhki.exe
  2⤵
  PID:2344
- C:\Windows\System32\hTtNlxE.exe
  C:\Windows\System32\hTtNlxE.exe
  2⤵
  PID:464
- C:\Windows\System32\EfLZJHw.exe
  C:\Windows\System32\EfLZJHw.exe
  2⤵
  PID:2828
- C:\Windows\System32\dctwTRI.exe
  C:\Windows\System32\dctwTRI.exe
  2⤵
  PID:3516
- C:\Windows\System32\RfnJfSO.exe
  C:\Windows\System32\RfnJfSO.exe
  2⤵
  PID:3332
- C:\Windows\System32\CRpRbPW.exe
  C:\Windows\System32\CRpRbPW.exe
  2⤵
  PID:5140
- C:\Windows\System32\kADjxvN.exe
  C:\Windows\System32\kADjxvN.exe
  2⤵
  PID:5160
- C:\Windows\System32\UTRcUwS.exe
  C:\Windows\System32\UTRcUwS.exe
  2⤵
  PID:5180
- C:\Windows\System32\lZuzBrr.exe
  C:\Windows\System32\lZuzBrr.exe
  2⤵
  PID:5200
- C:\Windows\System32\RvyuOyt.exe
  C:\Windows\System32\RvyuOyt.exe
  2⤵
  PID:5228
- C:\Windows\System32\CECGGWi.exe
  C:\Windows\System32\CECGGWi.exe
  2⤵
  PID:5244
- C:\Windows\System32\VOHwBbr.exe
  C:\Windows\System32\VOHwBbr.exe
  2⤵
  PID:5264
- C:\Windows\System32\DAHlHLF.exe
  C:\Windows\System32\DAHlHLF.exe
  2⤵
  PID:5288
- C:\Windows\System32\nBBuHuM.exe
  C:\Windows\System32\nBBuHuM.exe
  2⤵
  PID:5312
- C:\Windows\System32\rHLioyD.exe
  C:\Windows\System32\rHLioyD.exe
  2⤵
  PID:5340
- C:\Windows\System32\smApenR.exe
  C:\Windows\System32\smApenR.exe
  2⤵
  PID:5360
- C:\Windows\System32\LjdZfzk.exe
  C:\Windows\System32\LjdZfzk.exe
  2⤵
  PID:5380
- C:\Windows\System32\wgHWBJk.exe
  C:\Windows\System32\wgHWBJk.exe
  2⤵
  PID:5428
- C:\Windows\System32\pVDpniN.exe
  C:\Windows\System32\pVDpniN.exe
  2⤵
  PID:5448
- C:\Windows\System32\ulrjURW.exe
  C:\Windows\System32\ulrjURW.exe
  2⤵
  PID:5472
- C:\Windows\System32\wfdaSrr.exe
  C:\Windows\System32\wfdaSrr.exe
  2⤵
  PID:5496
- C:\Windows\System32\sjkTxBJ.exe
  C:\Windows\System32\sjkTxBJ.exe
  2⤵
  PID:5516
- C:\Windows\System32\uQyLnxx.exe
  C:\Windows\System32\uQyLnxx.exe
  2⤵
  PID:5536
- C:\Windows\System32\guyWWVz.exe
  C:\Windows\System32\guyWWVz.exe
  2⤵
  PID:5588
- C:\Windows\System32\dQlFxfF.exe
  C:\Windows\System32\dQlFxfF.exe
  2⤵
  PID:5624
- C:\Windows\System32\iHaoeeG.exe
  C:\Windows\System32\iHaoeeG.exe
  2⤵
  PID:5644
- C:\Windows\System32\zHKvxwU.exe
  C:\Windows\System32\zHKvxwU.exe
  2⤵
  PID:5664
- C:\Windows\System32\qXfVgUQ.exe
  C:\Windows\System32\qXfVgUQ.exe
  2⤵
  PID:5732
- C:\Windows\System32\SixXOXW.exe
  C:\Windows\System32\SixXOXW.exe
  2⤵
  PID:5772
- C:\Windows\System32\tfCBzpy.exe
  C:\Windows\System32\tfCBzpy.exe
  2⤵
  PID:5792
- C:\Windows\System32\WDnikzz.exe
  C:\Windows\System32\WDnikzz.exe
  2⤵
  PID:5836
- C:\Windows\System32\MqYlacP.exe
  C:\Windows\System32\MqYlacP.exe
  2⤵
  PID:5880
- C:\Windows\System32\ZaDAKdp.exe
  C:\Windows\System32\ZaDAKdp.exe
  2⤵
  PID:5900
- C:\Windows\System32\kxCpCEh.exe
  C:\Windows\System32\kxCpCEh.exe
  2⤵
  PID:5932
- C:\Windows\System32\CmYyiVb.exe
  C:\Windows\System32\CmYyiVb.exe
  2⤵
  PID:5952
- C:\Windows\System32\FgkAfkI.exe
  C:\Windows\System32\FgkAfkI.exe
  2⤵
  PID:5980
- C:\Windows\System32\KvoGPyU.exe
  C:\Windows\System32\KvoGPyU.exe
  2⤵
  PID:6012
- C:\Windows\System32\QyykkhO.exe
  C:\Windows\System32\QyykkhO.exe
  2⤵
  PID:6052
- C:\Windows\System32\wJtvuiK.exe
  C:\Windows\System32\wJtvuiK.exe
  2⤵
  PID:6084
- C:\Windows\System32\hWaPtOM.exe
  C:\Windows\System32\hWaPtOM.exe
  2⤵
  PID:6100
- C:\Windows\System32\QJQiRlq.exe
  C:\Windows\System32\QJQiRlq.exe
  2⤵
  PID:6136
- C:\Windows\System32\RsoMsLe.exe
  C:\Windows\System32\RsoMsLe.exe
  2⤵
  PID:5128
- C:\Windows\System32\rNeYTwa.exe
  C:\Windows\System32\rNeYTwa.exe
  2⤵
  PID:5052
- C:\Windows\System32\lvNRNVX.exe
  C:\Windows\System32\lvNRNVX.exe
  2⤵
  PID:2948
- C:\Windows\System32\qJqvrNv.exe
  C:\Windows\System32\qJqvrNv.exe
  2⤵
  PID:5192
- C:\Windows\System32\fcAdIBb.exe
  C:\Windows\System32\fcAdIBb.exe
  2⤵
  PID:5272
- C:\Windows\System32\eVpBPlb.exe
  C:\Windows\System32\eVpBPlb.exe
  2⤵
  PID:5440
- C:\Windows\System32\VaiNdGw.exe
  C:\Windows\System32\VaiNdGw.exe
  2⤵
  PID:5416
- C:\Windows\System32\ydaiTOQ.exe
  C:\Windows\System32\ydaiTOQ.exe
  2⤵
  PID:5468
- C:\Windows\System32\vDyHkpq.exe
  C:\Windows\System32\vDyHkpq.exe
  2⤵
  PID:5596
- C:\Windows\System32\QvmbRsy.exe
  C:\Windows\System32\QvmbRsy.exe
  2⤵
  PID:5504
- C:\Windows\System32\RprBOYC.exe
  C:\Windows\System32\RprBOYC.exe
  2⤵
  PID:5724
- C:\Windows\System32\KxvosZx.exe
  C:\Windows\System32\KxvosZx.exe
  2⤵
  PID:5608
- C:\Windows\System32\WNYCgOH.exe
  C:\Windows\System32\WNYCgOH.exe
  2⤵
  PID:5656
- C:\Windows\System32\LDndHiA.exe
  C:\Windows\System32\LDndHiA.exe
  2⤵
  PID:5768
- C:\Windows\System32\niIxZgK.exe
  C:\Windows\System32\niIxZgK.exe
  2⤵
  PID:5824
- C:\Windows\System32\JEFLSyV.exe
  C:\Windows\System32\JEFLSyV.exe
  2⤵
  PID:5872
- C:\Windows\System32\QAOsmmo.exe
  C:\Windows\System32\QAOsmmo.exe
  2⤵
  PID:5960
- C:\Windows\System32\dOldgsq.exe
  C:\Windows\System32\dOldgsq.exe
  2⤵
  PID:6004
- C:\Windows\System32\AWrutRZ.exe
  C:\Windows\System32\AWrutRZ.exe
  2⤵
  PID:6048
- C:\Windows\System32\dozNMdA.exe
  C:\Windows\System32\dozNMdA.exe
  2⤵
  PID:6076
- C:\Windows\System32\ZlGwwiv.exe
  C:\Windows\System32\ZlGwwiv.exe
  2⤵
  PID:6124
- C:\Windows\System32\WbdzFZL.exe
  C:\Windows\System32\WbdzFZL.exe
  2⤵
  PID:5172
- C:\Windows\System32\PbUyBzr.exe
  C:\Windows\System32\PbUyBzr.exe
  2⤵
  PID:3964
- C:\Windows\System32\NdrIgkP.exe
  C:\Windows\System32\NdrIgkP.exe
  2⤵
  PID:5256
- C:\Windows\System32\BSeQxdA.exe
  C:\Windows\System32\BSeQxdA.exe
  2⤵
  PID:5424
- C:\Windows\System32\BdauPvH.exe
  C:\Windows\System32\BdauPvH.exe
  2⤵
  PID:5828
- C:\Windows\System32\bgGcFXc.exe
  C:\Windows\System32\bgGcFXc.exe
  2⤵
  PID:5972
- C:\Windows\System32\zeyZudM.exe
  C:\Windows\System32\zeyZudM.exe
  2⤵
  PID:6116
- C:\Windows\System32\knGTmxU.exe
  C:\Windows\System32\knGTmxU.exe
  2⤵
  PID:6196
- C:\Windows\System32\tbkTWvD.exe
  C:\Windows\System32\tbkTWvD.exe
  2⤵
  PID:6240
- C:\Windows\System32\QqQhpoG.exe
  C:\Windows\System32\QqQhpoG.exe
  2⤵
  PID:6260
- C:\Windows\System32\DwQhzvK.exe
  C:\Windows\System32\DwQhzvK.exe
  2⤵
  PID:6284
- C:\Windows\System32\BIehoIm.exe
  C:\Windows\System32\BIehoIm.exe
  2⤵
  PID:6300
- C:\Windows\System32\jWBClnL.exe
  C:\Windows\System32\jWBClnL.exe
  2⤵
  PID:6328
- C:\Windows\System32\ewuNaXA.exe
  C:\Windows\System32\ewuNaXA.exe
  2⤵
  PID:6360
- C:\Windows\System32\MKnzBaE.exe
  C:\Windows\System32\MKnzBaE.exe
  2⤵
  PID:6376
- C:\Windows\System32\DsvFHip.exe
  C:\Windows\System32\DsvFHip.exe
  2⤵
  PID:6396
- C:\Windows\System32\sYgpazn.exe
  C:\Windows\System32\sYgpazn.exe
  2⤵
  PID:6428
- C:\Windows\System32\eqjBepR.exe
  C:\Windows\System32\eqjBepR.exe
  2⤵
  PID:6448
- C:\Windows\System32\HjpbzBH.exe
  C:\Windows\System32\HjpbzBH.exe
  2⤵
  PID:6488
- C:\Windows\System32\bftALmL.exe
  C:\Windows\System32\bftALmL.exe
  2⤵
  PID:6504
- C:\Windows\System32\hPEJSDR.exe
  C:\Windows\System32\hPEJSDR.exe
  2⤵
  PID:6528
- C:\Windows\System32\xAFhOPO.exe
  C:\Windows\System32\xAFhOPO.exe
  2⤵
  PID:6548
- C:\Windows\System32\GNfYaKk.exe
  C:\Windows\System32\GNfYaKk.exe
  2⤵
  PID:6564
- C:\Windows\System32\VCJOKpx.exe
  C:\Windows\System32\VCJOKpx.exe
  2⤵
  PID:6592
- C:\Windows\System32\ktvUMjY.exe
  C:\Windows\System32\ktvUMjY.exe
  2⤵
  PID:6608
- C:\Windows\System32\gNmiNKS.exe
  C:\Windows\System32\gNmiNKS.exe
  2⤵
  PID:6692
- C:\Windows\System32\xTqmHbs.exe
  C:\Windows\System32\xTqmHbs.exe
  2⤵
  PID:6744
- C:\Windows\System32\kqXuzxX.exe
  C:\Windows\System32\kqXuzxX.exe
  2⤵
  PID:6776
- C:\Windows\System32\AupAaWc.exe
  C:\Windows\System32\AupAaWc.exe
  2⤵
  PID:6792
- C:\Windows\System32\qPbQcTk.exe
  C:\Windows\System32\qPbQcTk.exe
  2⤵
  PID:6836
- C:\Windows\System32\BvTqdIl.exe
  C:\Windows\System32\BvTqdIl.exe
  2⤵
  PID:6876
- C:\Windows\System32\zZIapXf.exe
  C:\Windows\System32\zZIapXf.exe
  2⤵
  PID:6896
- C:\Windows\System32\irXbIIR.exe
  C:\Windows\System32\irXbIIR.exe
  2⤵
  PID:6912
- C:\Windows\System32\JiTUENU.exe
  C:\Windows\System32\JiTUENU.exe
  2⤵
  PID:6940
- C:\Windows\System32\BlLJppz.exe
  C:\Windows\System32\BlLJppz.exe
  2⤵
  PID:6956
- C:\Windows\System32\BbRsRLA.exe
  C:\Windows\System32\BbRsRLA.exe
  2⤵
  PID:6984
- C:\Windows\System32\WfWsYFy.exe
  C:\Windows\System32\WfWsYFy.exe
  2⤵
  PID:7008
- C:\Windows\System32\MlbrjnW.exe
  C:\Windows\System32\MlbrjnW.exe
  2⤵
  PID:7028
- C:\Windows\System32\ENMsKug.exe
  C:\Windows\System32\ENMsKug.exe
  2⤵
  PID:7044
- C:\Windows\System32\CRRpNNj.exe
  C:\Windows\System32\CRRpNNj.exe
  2⤵
  PID:7068
- C:\Windows\System32\zuVLKMT.exe
  C:\Windows\System32\zuVLKMT.exe
  2⤵
  PID:7100
- C:\Windows\System32\TTcsZhk.exe
  C:\Windows\System32\TTcsZhk.exe
  2⤵
  PID:7116
- C:\Windows\System32\YVAfBjD.exe
  C:\Windows\System32\YVAfBjD.exe
  2⤵
  PID:6000
- C:\Windows\System32\OVEFquB.exe
  C:\Windows\System32\OVEFquB.exe
  2⤵
  PID:4028
- C:\Windows\System32\uHXnwXi.exe
  C:\Windows\System32\uHXnwXi.exe
  2⤵
  PID:5660
- C:\Windows\System32\kMwTqJI.exe
  C:\Windows\System32\kMwTqJI.exe
  2⤵
  PID:6296
- C:\Windows\System32\RSEJJnS.exe
  C:\Windows\System32\RSEJJnS.exe
  2⤵
  PID:6388
- C:\Windows\System32\buVBgBl.exe
  C:\Windows\System32\buVBgBl.exe
  2⤵
  PID:6248
- C:\Windows\System32\MSuCnHU.exe
  C:\Windows\System32\MSuCnHU.exe
  2⤵
  PID:6420
- C:\Windows\System32\HKOkiIN.exe
  C:\Windows\System32\HKOkiIN.exe
  2⤵
  PID:6500
- C:\Windows\System32\UAdSLXr.exe
  C:\Windows\System32\UAdSLXr.exe
  2⤵
  PID:6520
- C:\Windows\System32\FBKFtww.exe
  C:\Windows\System32\FBKFtww.exe
  2⤵
  PID:6560
- C:\Windows\System32\fAHssBq.exe
  C:\Windows\System32\fAHssBq.exe
  2⤵
  PID:6604
- C:\Windows\System32\GyUPJoR.exe
  C:\Windows\System32\GyUPJoR.exe
  2⤵
  PID:6788
- C:\Windows\System32\TrmBZkT.exe
  C:\Windows\System32\TrmBZkT.exe
  2⤵
  PID:6752
- C:\Windows\System32\sSTYDDH.exe
  C:\Windows\System32\sSTYDDH.exe
  2⤵
  PID:6852
- C:\Windows\System32\YGyyHiy.exe
  C:\Windows\System32\YGyyHiy.exe
  2⤵
  PID:6892
- C:\Windows\System32\ZrqpDjU.exe
  C:\Windows\System32\ZrqpDjU.exe
  2⤵
  PID:6972
- C:\Windows\System32\egzXCEy.exe
  C:\Windows\System32\egzXCEy.exe
  2⤵
  PID:7004
- C:\Windows\System32\Jykpgvb.exe
  C:\Windows\System32\Jykpgvb.exe
  2⤵
  PID:7036
- C:\Windows\System32\ztZhDop.exe
  C:\Windows\System32\ztZhDop.exe
  2⤵
  PID:7084
- C:\Windows\System32\YlPaxDS.exe
  C:\Windows\System32\YlPaxDS.exe
  2⤵
  PID:7144
- C:\Windows\System32\mqYgKhy.exe
  C:\Windows\System32\mqYgKhy.exe
  2⤵
  PID:5300
- C:\Windows\System32\mqrqDos.exe
  C:\Windows\System32\mqrqDos.exe
  2⤵
  PID:6632
- C:\Windows\System32\GzuvWXe.exe
  C:\Windows\System32\GzuvWXe.exe
  2⤵
  PID:6772
- C:\Windows\System32\IeQrUlq.exe
  C:\Windows\System32\IeQrUlq.exe
  2⤵
  PID:6904
- C:\Windows\System32\wCDqHgy.exe
  C:\Windows\System32\wCDqHgy.exe
  2⤵
  PID:7092
- C:\Windows\System32\RKUzOnX.exe
  C:\Windows\System32\RKUzOnX.exe
  2⤵
  PID:6168
- C:\Windows\System32\psEJtjC.exe
  C:\Windows\System32\psEJtjC.exe
  2⤵
  PID:6460
- C:\Windows\System32\EGqyaUs.exe
  C:\Windows\System32\EGqyaUs.exe
  2⤵
  PID:6824
- C:\Windows\System32\dkGaqCC.exe
  C:\Windows\System32\dkGaqCC.exe
  2⤵
  PID:6268
- C:\Windows\System32\XHjLxqQ.exe
  C:\Windows\System32\XHjLxqQ.exe
  2⤵
  PID:7196
- C:\Windows\System32\KOoPFrs.exe
  C:\Windows\System32\KOoPFrs.exe
  2⤵
  PID:7212
- C:\Windows\System32\QJwzIqO.exe
  C:\Windows\System32\QJwzIqO.exe
  2⤵
  PID:7232
- C:\Windows\System32\jhWBlXu.exe
  C:\Windows\System32\jhWBlXu.exe
  2⤵
  PID:7264
- C:\Windows\System32\Spbcnkz.exe
  C:\Windows\System32\Spbcnkz.exe
  2⤵
  PID:7280
- C:\Windows\System32\rZHpMrC.exe
  C:\Windows\System32\rZHpMrC.exe
  2⤵
  PID:7304
- C:\Windows\System32\kfkNDWe.exe
  C:\Windows\System32\kfkNDWe.exe
  2⤵
  PID:7348
- C:\Windows\System32\NkkuOzV.exe
  C:\Windows\System32\NkkuOzV.exe
  2⤵
  PID:7368
- C:\Windows\System32\KezuHZI.exe
  C:\Windows\System32\KezuHZI.exe
  2⤵
  PID:7392
- C:\Windows\System32\yBWcXaO.exe
  C:\Windows\System32\yBWcXaO.exe
  2⤵
  PID:7416
- C:\Windows\System32\wCMetUM.exe
  C:\Windows\System32\wCMetUM.exe
  2⤵
  PID:7440
- C:\Windows\System32\kYsQvSv.exe
  C:\Windows\System32\kYsQvSv.exe
  2⤵
  PID:7468
- C:\Windows\System32\nffnvUw.exe
  C:\Windows\System32\nffnvUw.exe
  2⤵
  PID:7484
- C:\Windows\System32\jLJEhYN.exe
  C:\Windows\System32\jLJEhYN.exe
  2⤵
  PID:7508
- C:\Windows\System32\zlXugUD.exe
  C:\Windows\System32\zlXugUD.exe
  2⤵
  PID:7556
- C:\Windows\System32\vqjDsaX.exe
  C:\Windows\System32\vqjDsaX.exe
  2⤵
  PID:7620
- C:\Windows\System32\oIGnvxL.exe
  C:\Windows\System32\oIGnvxL.exe
  2⤵
  PID:7644
- C:\Windows\System32\nysVXuC.exe
  C:\Windows\System32\nysVXuC.exe
  2⤵
  PID:7664
- C:\Windows\System32\EIKPDIk.exe
  C:\Windows\System32\EIKPDIk.exe
  2⤵
  PID:7688
- C:\Windows\System32\HbRNBbU.exe
  C:\Windows\System32\HbRNBbU.exe
  2⤵
  PID:7720
- C:\Windows\System32\FMqxirc.exe
  C:\Windows\System32\FMqxirc.exe
  2⤵
  PID:7748
- C:\Windows\System32\frHzzdV.exe
  C:\Windows\System32\frHzzdV.exe
  2⤵
  PID:7772
- C:\Windows\System32\FxStkmp.exe
  C:\Windows\System32\FxStkmp.exe
  2⤵
  PID:7808
- C:\Windows\System32\oreWGPA.exe
  C:\Windows\System32\oreWGPA.exe
  2⤵
  PID:7832
- C:\Windows\System32\iVdRIht.exe
  C:\Windows\System32\iVdRIht.exe
  2⤵
  PID:7856
- C:\Windows\System32\bmAdTyK.exe
  C:\Windows\System32\bmAdTyK.exe
  2⤵
  PID:7880
- C:\Windows\System32\WxvLsTB.exe
  C:\Windows\System32\WxvLsTB.exe
  2⤵
  PID:7916
- C:\Windows\System32\zIXbANn.exe
  C:\Windows\System32\zIXbANn.exe
  2⤵
  PID:7952
- C:\Windows\System32\TwiIVDj.exe
  C:\Windows\System32\TwiIVDj.exe
  2⤵
  PID:7972
- C:\Windows\System32\hBUBSBG.exe
  C:\Windows\System32\hBUBSBG.exe
  2⤵
  PID:7992
- C:\Windows\System32\GHgdzWl.exe
  C:\Windows\System32\GHgdzWl.exe
  2⤵
  PID:8016
- C:\Windows\System32\SQpEIbX.exe
  C:\Windows\System32\SQpEIbX.exe
  2⤵
  PID:8036
- C:\Windows\System32\rywReNG.exe
  C:\Windows\System32\rywReNG.exe
  2⤵
  PID:8056
- C:\Windows\System32\uTrjAMM.exe
  C:\Windows\System32\uTrjAMM.exe
  2⤵
  PID:8080
- C:\Windows\System32\ZUySDVf.exe
  C:\Windows\System32\ZUySDVf.exe
  2⤵
  PID:8096
- C:\Windows\System32\hqzjpJR.exe
  C:\Windows\System32\hqzjpJR.exe
  2⤵
  PID:8128
- C:\Windows\System32\yqOmrPo.exe
  C:\Windows\System32\yqOmrPo.exe
  2⤵
  PID:8152
- C:\Windows\System32\aXWJNlQ.exe
  C:\Windows\System32\aXWJNlQ.exe
  2⤵
  PID:8168
- C:\Windows\System32\ByqFnkf.exe
  C:\Windows\System32\ByqFnkf.exe
  2⤵
  PID:6952
- C:\Windows\System32\NqQsYen.exe
  C:\Windows\System32\NqQsYen.exe
  2⤵
  PID:7204
- C:\Windows\System32\RbVAskY.exe
  C:\Windows\System32\RbVAskY.exe
  2⤵
  PID:7524
- C:\Windows\System32\WqBYNjx.exe
  C:\Windows\System32\WqBYNjx.exe
  2⤵
  PID:7432
- C:\Windows\System32\luvTmoy.exe
  C:\Windows\System32\luvTmoy.exe
  2⤵
  PID:7520
- C:\Windows\System32\RMAVToQ.exe
  C:\Windows\System32\RMAVToQ.exe
  2⤵
  PID:7564
- C:\Windows\System32\zmvpsaR.exe
  C:\Windows\System32\zmvpsaR.exe
  2⤵
  PID:7632
- C:\Windows\System32\gbrMTCP.exe
  C:\Windows\System32\gbrMTCP.exe
  2⤵
  PID:7732
- C:\Windows\System32\hXrvdXY.exe
  C:\Windows\System32\hXrvdXY.exe
  2⤵
  PID:7828
- C:\Windows\System32\dUavjVI.exe
  C:\Windows\System32\dUavjVI.exe
  2⤵
  PID:7876
- C:\Windows\System32\sIxQihD.exe
  C:\Windows\System32\sIxQihD.exe
  2⤵
  PID:7888
- C:\Windows\System32\NMmTZkP.exe
  C:\Windows\System32\NMmTZkP.exe
  2⤵
  PID:7944
- C:\Windows\System32\zTxbQoG.exe
  C:\Windows\System32\zTxbQoG.exe
  2⤵
  PID:8004
- C:\Windows\System32\JQYhehJ.exe
  C:\Windows\System32\JQYhehJ.exe
  2⤵
  PID:8064
- C:\Windows\System32\DgDLENB.exe
  C:\Windows\System32\DgDLENB.exe
  2⤵
  PID:8120
- C:\Windows\System32\PTxUDUs.exe
  C:\Windows\System32\PTxUDUs.exe
  2⤵
  PID:8184
- C:\Windows\System32\iuthpCj.exe
  C:\Windows\System32\iuthpCj.exe
  2⤵
  PID:7300
- C:\Windows\System32\bwicODY.exe
  C:\Windows\System32\bwicODY.exe
  2⤵
  PID:7504
- C:\Windows\System32\AUonKWi.exe
  C:\Windows\System32\AUonKWi.exe
  2⤵
  PID:7552
- C:\Windows\System32\nazrOmZ.exe
  C:\Windows\System32\nazrOmZ.exe
  2⤵
  PID:7744
- C:\Windows\System32\SJMUFYt.exe
  C:\Windows\System32\SJMUFYt.exe
  2⤵
  PID:7924
- C:\Windows\System32\lFaGjwa.exe
  C:\Windows\System32\lFaGjwa.exe
  2⤵
  PID:7928
- C:\Windows\System32\gpvEmXE.exe
  C:\Windows\System32\gpvEmXE.exe
  2⤵
  PID:8176
- C:\Windows\System32\StWfHLH.exe
  C:\Windows\System32\StWfHLH.exe
  2⤵
  PID:7568
- C:\Windows\System32\GVRnshC.exe
  C:\Windows\System32\GVRnshC.exe
  2⤵
  PID:7816
- C:\Windows\System32\IrTkIQn.exe
  C:\Windows\System32\IrTkIQn.exe
  2⤵
  PID:8024
- C:\Windows\System32\lBriMMV.exe
  C:\Windows\System32\lBriMMV.exe
  2⤵
  PID:7164
- C:\Windows\System32\fNgEqOA.exe
  C:\Windows\System32\fNgEqOA.exe
  2⤵
  PID:8268
- C:\Windows\System32\cHmuNVw.exe
  C:\Windows\System32\cHmuNVw.exe
  2⤵
  PID:8296
- C:\Windows\System32\pDzYLLm.exe
  C:\Windows\System32\pDzYLLm.exe
  2⤵
  PID:8320
- C:\Windows\System32\KStvtaH.exe
  C:\Windows\System32\KStvtaH.exe
  2⤵
  PID:8336
- C:\Windows\System32\UKMajfa.exe
  C:\Windows\System32\UKMajfa.exe
  2⤵
  PID:8380
- C:\Windows\System32\sIpjgKh.exe
  C:\Windows\System32\sIpjgKh.exe
  2⤵
  PID:8408
- C:\Windows\System32\PuzhsNq.exe
  C:\Windows\System32\PuzhsNq.exe
  2⤵
  PID:8424
- C:\Windows\System32\kxODPgH.exe
  C:\Windows\System32\kxODPgH.exe
  2⤵
  PID:8440
- C:\Windows\System32\wxpcaix.exe
  C:\Windows\System32\wxpcaix.exe
  2⤵
  PID:8468
- C:\Windows\System32\OuaDFBS.exe
  C:\Windows\System32\OuaDFBS.exe
  2⤵
  PID:8488
- C:\Windows\System32\nPZUvnE.exe
  C:\Windows\System32\nPZUvnE.exe
  2⤵
  PID:8536
- C:\Windows\System32\zOzaFoF.exe
  C:\Windows\System32\zOzaFoF.exe
  2⤵
  PID:8564
- C:\Windows\System32\jgpOzFP.exe
  C:\Windows\System32\jgpOzFP.exe
  2⤵
  PID:8588
- C:\Windows\System32\TQQtiNp.exe
  C:\Windows\System32\TQQtiNp.exe
  2⤵
  PID:8628
- C:\Windows\System32\hjrngvh.exe
  C:\Windows\System32\hjrngvh.exe
  2⤵
  PID:8644
- C:\Windows\System32\VjNHwYC.exe
  C:\Windows\System32\VjNHwYC.exe
  2⤵
  PID:8664
- C:\Windows\System32\OGefRTb.exe
  C:\Windows\System32\OGefRTb.exe
  2⤵
  PID:8684
- C:\Windows\System32\wCQxSrl.exe
  C:\Windows\System32\wCQxSrl.exe
  2⤵
  PID:8728
- C:\Windows\System32\jooXDHN.exe
  C:\Windows\System32\jooXDHN.exe
  2⤵
  PID:8752
- C:\Windows\System32\bNBhHaQ.exe
  C:\Windows\System32\bNBhHaQ.exe
  2⤵
  PID:8776
- C:\Windows\System32\UNctJef.exe
  C:\Windows\System32\UNctJef.exe
  2⤵
  PID:8804
- C:\Windows\System32\qlUaEsk.exe
  C:\Windows\System32\qlUaEsk.exe
  2⤵
  PID:8836
- C:\Windows\System32\sLPiJsd.exe
  C:\Windows\System32\sLPiJsd.exe
  2⤵
  PID:8856
- C:\Windows\System32\szVnbzg.exe
  C:\Windows\System32\szVnbzg.exe
  2⤵
  PID:8876
- C:\Windows\System32\UNXDnyy.exe
  C:\Windows\System32\UNXDnyy.exe
  2⤵
  PID:8916
- C:\Windows\System32\jbYiaEl.exe
  C:\Windows\System32\jbYiaEl.exe
  2⤵
  PID:8952
- C:\Windows\System32\zqNFjNP.exe
  C:\Windows\System32\zqNFjNP.exe
  2⤵
  PID:8980
- C:\Windows\System32\hVAtMaw.exe
  C:\Windows\System32\hVAtMaw.exe
  2⤵
  PID:9000
- C:\Windows\System32\VENMEUb.exe
  C:\Windows\System32\VENMEUb.exe
  2⤵
  PID:9028
- C:\Windows\System32\JTpZLBF.exe
  C:\Windows\System32\JTpZLBF.exe
  2⤵
  PID:9044
- C:\Windows\System32\BxCcvCR.exe
  C:\Windows\System32\BxCcvCR.exe
  2⤵
  PID:9076
- C:\Windows\System32\VMRPjUh.exe
  C:\Windows\System32\VMRPjUh.exe
  2⤵
  PID:9152
- C:\Windows\System32\FvmpAdQ.exe
  C:\Windows\System32\FvmpAdQ.exe
  2⤵
  PID:9196
- C:\Windows\System32\DgaxTbF.exe
  C:\Windows\System32\DgaxTbF.exe
  2⤵
  PID:8088
- C:\Windows\System32\YdpelmR.exe
  C:\Windows\System32\YdpelmR.exe
  2⤵
  PID:8312
- C:\Windows\System32\PilUuRl.exe
  C:\Windows\System32\PilUuRl.exe
  2⤵
  PID:8360
- C:\Windows\System32\ZlxSiai.exe
  C:\Windows\System32\ZlxSiai.exe
  2⤵
  PID:8596
- C:\Windows\System32\FOnwsXv.exe
  C:\Windows\System32\FOnwsXv.exe
  2⤵
  PID:8656
- C:\Windows\System32\kNRjOPX.exe
  C:\Windows\System32\kNRjOPX.exe
  2⤵
  PID:8720
- C:\Windows\System32\RgAOUGd.exe
  C:\Windows\System32\RgAOUGd.exe
  2⤵
  PID:8772
- C:\Windows\System32\oCgSZgN.exe
  C:\Windows\System32\oCgSZgN.exe
  2⤵
  PID:8820
- C:\Windows\System32\cGxGjuN.exe
  C:\Windows\System32\cGxGjuN.exe
  2⤵
  PID:8872
- C:\Windows\System32\DGVavJJ.exe
  C:\Windows\System32\DGVavJJ.exe
  2⤵
  PID:8972
- C:\Windows\System32\YKxsVoB.exe
  C:\Windows\System32\YKxsVoB.exe
  2⤵
  PID:9068
- C:\Windows\System32\bnPzGaK.exe
  C:\Windows\System32\bnPzGaK.exe
  2⤵
  PID:9104
- C:\Windows\System32\qrCyFWY.exe
  C:\Windows\System32\qrCyFWY.exe
  2⤵
  PID:9128
- C:\Windows\System32\GxvZMEE.exe
  C:\Windows\System32\GxvZMEE.exe
  2⤵
  PID:8200
- C:\Windows\System32\mMezBuh.exe
  C:\Windows\System32\mMezBuh.exe
  2⤵
  PID:9124
- C:\Windows\System32\KufyGoA.exe
  C:\Windows\System32\KufyGoA.exe
  2⤵
  PID:9188
- C:\Windows\System32\dTNtCqW.exe
  C:\Windows\System32\dTNtCqW.exe
  2⤵
  PID:8204
- C:\Windows\System32\mfoqWTU.exe
  C:\Windows\System32\mfoqWTU.exe
  2⤵
  PID:8432
- C:\Windows\System32\hJnVrNX.exe
  C:\Windows\System32\hJnVrNX.exe
  2⤵
  PID:8416
- C:\Windows\System32\hlAFqIx.exe
  C:\Windows\System32\hlAFqIx.exe
  2⤵
  PID:8480
- C:\Windows\System32\ikvnVzq.exe
  C:\Windows\System32\ikvnVzq.exe
  2⤵
  PID:8696
- C:\Windows\System32\pKZMwSG.exe
  C:\Windows\System32\pKZMwSG.exe
  2⤵
  PID:8812
- C:\Windows\System32\xIUiBgG.exe
  C:\Windows\System32\xIUiBgG.exe
  2⤵
  PID:8924
- C:\Windows\System32\kRmPnSm.exe
  C:\Windows\System32\kRmPnSm.exe
  2⤵
  PID:7500
- C:\Windows\System32\bzqREty.exe
  C:\Windows\System32\bzqREty.exe
  2⤵
  PID:8368
- C:\Windows\System32\UNkMmoL.exe
  C:\Windows\System32\UNkMmoL.exe
  2⤵
  PID:8636
- C:\Windows\System32\crUdkcJ.exe
  C:\Windows\System32\crUdkcJ.exe
  2⤵
  PID:9012
- C:\Windows\System32\eLuwNiA.exe
  C:\Windows\System32\eLuwNiA.exe
  2⤵
  PID:8908
- C:\Windows\System32\jucjuSx.exe
  C:\Windows\System32\jucjuSx.exe
  2⤵
  PID:8328
- C:\Windows\System32\OwWmlUS.exe
  C:\Windows\System32\OwWmlUS.exe
  2⤵
  PID:8704
- C:\Windows\System32\pYOMvsX.exe
  C:\Windows\System32\pYOMvsX.exe
  2⤵
  PID:9232
- C:\Windows\System32\EbZZxin.exe
  C:\Windows\System32\EbZZxin.exe
  2⤵
  PID:9276
- C:\Windows\System32\QJIhYei.exe
  C:\Windows\System32\QJIhYei.exe
  2⤵
  PID:9292
- C:\Windows\System32\WDzuBCE.exe
  C:\Windows\System32\WDzuBCE.exe
  2⤵
  PID:9312
- C:\Windows\System32\LapwNZa.exe
  C:\Windows\System32\LapwNZa.exe
  2⤵
  PID:9328
- C:\Windows\System32\Ikhqyyz.exe
  C:\Windows\System32\Ikhqyyz.exe
  2⤵
  PID:9352
- C:\Windows\System32\fvicBUl.exe
  C:\Windows\System32\fvicBUl.exe
  2⤵
  PID:9368
- C:\Windows\System32\YQysVVm.exe
  C:\Windows\System32\YQysVVm.exe
  2⤵
  PID:9420
- C:\Windows\System32\PFRRrbo.exe
  C:\Windows\System32\PFRRrbo.exe
  2⤵
  PID:9448
- C:\Windows\System32\ytBxoUO.exe
  C:\Windows\System32\ytBxoUO.exe
  2⤵
  PID:9476
- C:\Windows\System32\RFdFovr.exe
  C:\Windows\System32\RFdFovr.exe
  2⤵
  PID:9496
- C:\Windows\System32\xgaOPjn.exe
  C:\Windows\System32\xgaOPjn.exe
  2⤵
  PID:9516
- C:\Windows\System32\nwMyRGo.exe
  C:\Windows\System32\nwMyRGo.exe
  2⤵
  PID:9532
- C:\Windows\System32\WzkWbhe.exe
  C:\Windows\System32\WzkWbhe.exe
  2⤵
  PID:9556
- C:\Windows\System32\looskZY.exe
  C:\Windows\System32\looskZY.exe
  2⤵
  PID:9572
- C:\Windows\System32\WwVEKLX.exe
  C:\Windows\System32\WwVEKLX.exe
  2⤵
  PID:9596
- C:\Windows\System32\IHMlBDX.exe
  C:\Windows\System32\IHMlBDX.exe
  2⤵
  PID:9628
- C:\Windows\System32\yGyyVhX.exe
  C:\Windows\System32\yGyyVhX.exe
  2⤵
  PID:9692
- C:\Windows\System32\AkajQVS.exe
  C:\Windows\System32\AkajQVS.exe
  2⤵
  PID:9724
- C:\Windows\System32\dMVLBOr.exe
  C:\Windows\System32\dMVLBOr.exe
  2⤵
  PID:9740
- C:\Windows\System32\tvydXey.exe
  C:\Windows\System32\tvydXey.exe
  2⤵
  PID:9764
- C:\Windows\System32\vFIGesa.exe
  C:\Windows\System32\vFIGesa.exe
  2⤵
  PID:9800
- C:\Windows\System32\pSVAMVv.exe
  C:\Windows\System32\pSVAMVv.exe
  2⤵
  PID:9824
- C:\Windows\System32\LGgfyqi.exe
  C:\Windows\System32\LGgfyqi.exe
  2⤵
  PID:9844
- C:\Windows\System32\YKIHWZA.exe
  C:\Windows\System32\YKIHWZA.exe
  2⤵
  PID:9888
- C:\Windows\System32\xAySenp.exe
  C:\Windows\System32\xAySenp.exe
  2⤵
  PID:9940
- C:\Windows\System32\NxSiaew.exe
  C:\Windows\System32\NxSiaew.exe
  2⤵
  PID:9964
- C:\Windows\System32\FFfRXYl.exe
  C:\Windows\System32\FFfRXYl.exe
  2⤵
  PID:10000
- C:\Windows\System32\PprqNqZ.exe
  C:\Windows\System32\PprqNqZ.exe
  2⤵
  PID:10024
- C:\Windows\System32\MVdiynK.exe
  C:\Windows\System32\MVdiynK.exe
  2⤵
  PID:10064
- C:\Windows\System32\HlpMDbe.exe
  C:\Windows\System32\HlpMDbe.exe
  2⤵
  PID:10092
- C:\Windows\System32\cvBsFfi.exe
  C:\Windows\System32\cvBsFfi.exe
  2⤵
  PID:10108
- C:\Windows\System32\qYBZsyJ.exe
  C:\Windows\System32\qYBZsyJ.exe
  2⤵
  PID:10136
- C:\Windows\System32\cviWSED.exe
  C:\Windows\System32\cviWSED.exe
  2⤵
  PID:10160
- C:\Windows\System32\FAbFFTO.exe
  C:\Windows\System32\FAbFFTO.exe
  2⤵
  PID:10180
- C:\Windows\System32\SubHRHt.exe
  C:\Windows\System32\SubHRHt.exe
  2⤵
  PID:10200
- C:\Windows\System32\vKtTXdm.exe
  C:\Windows\System32\vKtTXdm.exe
  2⤵
  PID:10224
- C:\Windows\System32\GYLqIom.exe
  C:\Windows\System32\GYLqIom.exe
  2⤵
  PID:9256
- C:\Windows\System32\TAnXqKz.exe
  C:\Windows\System32\TAnXqKz.exe
  2⤵
  PID:9336
- C:\Windows\System32\jNWHpib.exe
  C:\Windows\System32\jNWHpib.exe
  2⤵
  PID:9384
- C:\Windows\System32\gAmuAhm.exe
  C:\Windows\System32\gAmuAhm.exe
  2⤵
  PID:9428
- C:\Windows\System32\yJxxnDg.exe
  C:\Windows\System32\yJxxnDg.exe
  2⤵
  PID:9540
- C:\Windows\System32\WZBTnZo.exe
  C:\Windows\System32\WZBTnZo.exe
  2⤵
  PID:9508
- C:\Windows\System32\MWehAZI.exe
  C:\Windows\System32\MWehAZI.exe
  2⤵
  PID:9548
- C:\Windows\System32\ynUVtxE.exe
  C:\Windows\System32\ynUVtxE.exe
  2⤵
  PID:9676
- C:\Windows\System32\UAeBdmd.exe
  C:\Windows\System32\UAeBdmd.exe
  2⤵
  PID:9748
- C:\Windows\System32\pzHjtAi.exe
  C:\Windows\System32\pzHjtAi.exe
  2⤵
  PID:9712
- C:\Windows\System32\AxdwkYr.exe
  C:\Windows\System32\AxdwkYr.exe
  2⤵
  PID:9908
- C:\Windows\System32\fRGBUqM.exe
  C:\Windows\System32\fRGBUqM.exe
  2⤵
  PID:9992
- C:\Windows\System32\EABBtxz.exe
  C:\Windows\System32\EABBtxz.exe
  2⤵
  PID:10056
- C:\Windows\System32\zLHPPbG.exe
  C:\Windows\System32\zLHPPbG.exe
  2⤵
  PID:10152
- C:\Windows\System32\FbHqOMt.exe
  C:\Windows\System32\FbHqOMt.exe
  2⤵
  PID:10220
- C:\Windows\System32\Wewnjqj.exe
  C:\Windows\System32\Wewnjqj.exe
  2⤵
  PID:10196
- C:\Windows\System32\WKhBFDX.exe
  C:\Windows\System32\WKhBFDX.exe
  2⤵
  PID:9392
- C:\Windows\System32\wYQruNS.exe
  C:\Windows\System32\wYQruNS.exe
  2⤵
  PID:9492
- C:\Windows\System32\mjxJIXu.exe
  C:\Windows\System32\mjxJIXu.exe
  2⤵
  PID:9604
- C:\Windows\System32\keqkgZX.exe
  C:\Windows\System32\keqkgZX.exe
  2⤵
  PID:9856
- C:\Windows\System32\hDuMLNX.exe
  C:\Windows\System32\hDuMLNX.exe
  2⤵
  PID:9840
- C:\Windows\System32\ZpIEBIj.exe
  C:\Windows\System32\ZpIEBIj.exe
  2⤵
  PID:9896
- C:\Windows\System32\hfWyZbp.exe
  C:\Windows\System32\hfWyZbp.exe
  2⤵
  PID:10132
- C:\Windows\System32\ASyGAXV.exe
  C:\Windows\System32\ASyGAXV.exe
  2⤵
  PID:9528
- C:\Windows\System32\czJTbZD.exe
  C:\Windows\System32\czJTbZD.exe
  2⤵
  PID:10048
- C:\Windows\System32\mwdhQSF.exe
  C:\Windows\System32\mwdhQSF.exe
  2⤵
  PID:7872
- C:\Windows\System32\tiVBvmx.exe
  C:\Windows\System32\tiVBvmx.exe
  2⤵
  PID:10192
- C:\Windows\System32\KRcRmpa.exe
  C:\Windows\System32\KRcRmpa.exe
  2⤵
  PID:10256
- C:\Windows\System32\ZoAHOMW.exe
  C:\Windows\System32\ZoAHOMW.exe
  2⤵
  PID:10280
- C:\Windows\System32\sbMUaVi.exe
  C:\Windows\System32\sbMUaVi.exe
  2⤵
  PID:10304
- C:\Windows\System32\ZtubXZP.exe
  C:\Windows\System32\ZtubXZP.exe
  2⤵
  PID:10320
- C:\Windows\System32\sCBpDaY.exe
  C:\Windows\System32\sCBpDaY.exe
  2⤵
  PID:10348
- C:\Windows\System32\qoFBWex.exe
  C:\Windows\System32\qoFBWex.exe
  2⤵
  PID:10364
- C:\Windows\System32\oTWwyXi.exe
  C:\Windows\System32\oTWwyXi.exe
  2⤵
  PID:10388
- C:\Windows\System32\ipadnGt.exe
  C:\Windows\System32\ipadnGt.exe
  2⤵
  PID:10416
- C:\Windows\System32\UgjPXhe.exe
  C:\Windows\System32\UgjPXhe.exe
  2⤵
  PID:10448
- C:\Windows\System32\YILuXwL.exe
  C:\Windows\System32\YILuXwL.exe
  2⤵
  PID:10544
- C:\Windows\System32\DUBHJcn.exe
  C:\Windows\System32\DUBHJcn.exe
  2⤵
  PID:10564
- C:\Windows\System32\ZHjXwzq.exe
  C:\Windows\System32\ZHjXwzq.exe
  2⤵
  PID:10588
- C:\Windows\System32\HuGnAxL.exe
  C:\Windows\System32\HuGnAxL.exe
  2⤵
  PID:10612
- C:\Windows\System32\mfrIKJO.exe
  C:\Windows\System32\mfrIKJO.exe
  2⤵
  PID:10636
- C:\Windows\System32\mmvomlk.exe
  C:\Windows\System32\mmvomlk.exe
  2⤵
  PID:10652
- C:\Windows\System32\YMIpSIL.exe
  C:\Windows\System32\YMIpSIL.exe
  2⤵
  PID:10672
- C:\Windows\System32\SmSOKZY.exe
  C:\Windows\System32\SmSOKZY.exe
  2⤵
  PID:10700
- C:\Windows\System32\FZTpiJO.exe
  C:\Windows\System32\FZTpiJO.exe
  2⤵
  PID:10756
- C:\Windows\System32\RlaqwUt.exe
  C:\Windows\System32\RlaqwUt.exe
  2⤵
  PID:10792
- C:\Windows\System32\JReyvMS.exe
  C:\Windows\System32\JReyvMS.exe
  2⤵
  PID:10812
- C:\Windows\System32\WYUmwgI.exe
  C:\Windows\System32\WYUmwgI.exe
  2⤵
  PID:10836
- C:\Windows\System32\USvVwRr.exe
  C:\Windows\System32\USvVwRr.exe
  2⤵
  PID:10864
- C:\Windows\System32\fAKqNrQ.exe
  C:\Windows\System32\fAKqNrQ.exe
  2⤵
  PID:10888
- C:\Windows\System32\HVzUtyW.exe
  C:\Windows\System32\HVzUtyW.exe
  2⤵
  PID:10904
- C:\Windows\System32\yWbatad.exe
  C:\Windows\System32\yWbatad.exe
  2⤵
  PID:10928
- C:\Windows\System32\SqDejec.exe
  C:\Windows\System32\SqDejec.exe
  2⤵
  PID:10956
- C:\Windows\System32\uLdTZlG.exe
  C:\Windows\System32\uLdTZlG.exe
  2⤵
  PID:10976
- C:\Windows\System32\ZWsrGzn.exe
  C:\Windows\System32\ZWsrGzn.exe
  2⤵
  PID:11008
- C:\Windows\System32\NNHUwfQ.exe
  C:\Windows\System32\NNHUwfQ.exe
  2⤵
  PID:11048
- C:\Windows\System32\hwsCkKN.exe
  C:\Windows\System32\hwsCkKN.exe
  2⤵
  PID:11088
- C:\Windows\System32\bYQprxt.exe
  C:\Windows\System32\bYQprxt.exe
  2⤵
  PID:11108
- C:\Windows\System32\mchmJZD.exe
  C:\Windows\System32\mchmJZD.exe
  2⤵
  PID:11144
- C:\Windows\System32\hiRYhBj.exe
  C:\Windows\System32\hiRYhBj.exe
  2⤵
  PID:11176
- C:\Windows\System32\XqrFaNx.exe
  C:\Windows\System32\XqrFaNx.exe
  2⤵
  PID:11216
- C:\Windows\System32\YLipOcC.exe
  C:\Windows\System32\YLipOcC.exe
  2⤵
  PID:11244
- C:\Windows\System32\uATyWMr.exe
  C:\Windows\System32\uATyWMr.exe
  2⤵
  PID:11260
- C:\Windows\System32\EyWySbW.exe
  C:\Windows\System32\EyWySbW.exe
  2⤵
  PID:10272
- C:\Windows\System32\wFVcZxq.exe
  C:\Windows\System32\wFVcZxq.exe
  2⤵
  PID:10384
- C:\Windows\System32\GzeorwZ.exe
  C:\Windows\System32\GzeorwZ.exe
  2⤵
  PID:10356
- C:\Windows\System32\TLRgzGZ.exe
  C:\Windows\System32\TLRgzGZ.exe
  2⤵
  PID:10472
- C:\Windows\System32\AxrVovx.exe
  C:\Windows\System32\AxrVovx.exe
  2⤵
  PID:10488
- C:\Windows\System32\UBThjPe.exe
  C:\Windows\System32\UBThjPe.exe
  2⤵
  PID:10624
- C:\Windows\System32\lvdfxKi.exe
  C:\Windows\System32\lvdfxKi.exe
  2⤵
  PID:10684
- C:\Windows\System32\zDxQUFM.exe
  C:\Windows\System32\zDxQUFM.exe
  2⤵
  PID:10696
- C:\Windows\System32\dPFKqfi.exe
  C:\Windows\System32\dPFKqfi.exe
  2⤵
  PID:10780
- C:\Windows\System32\knnhcmq.exe
  C:\Windows\System32\knnhcmq.exe
  2⤵
  PID:10800
- C:\Windows\System32\XSgjhip.exe
  C:\Windows\System32\XSgjhip.exe
  2⤵
  PID:10884
- C:\Windows\System32\eRsvhaJ.exe
  C:\Windows\System32\eRsvhaJ.exe
  2⤵
  PID:10944
- C:\Windows\System32\NgiFoyM.exe
  C:\Windows\System32\NgiFoyM.exe
  2⤵
  PID:11004
- C:\Windows\System32\NeIUuMe.exe
  C:\Windows\System32\NeIUuMe.exe
  2⤵
  PID:11080
- C:\Windows\System32\RilWioR.exe
  C:\Windows\System32\RilWioR.exe
  2⤵
  PID:11116
- C:\Windows\System32\mNyUHAr.exe
  C:\Windows\System32\mNyUHAr.exe
  2⤵
  PID:11200
- C:\Windows\System32\AriDCRv.exe
  C:\Windows\System32\AriDCRv.exe
  2⤵
  PID:9284
- C:\Windows\System32\kIeAxWK.exe
  C:\Windows\System32\kIeAxWK.exe
  2⤵
  PID:10328
- C:\Windows\System32\ZaABiOc.exe
  C:\Windows\System32\ZaABiOc.exe
  2⤵
  PID:10424
- C:\Windows\System32\EUSbyaF.exe
  C:\Windows\System32\EUSbyaF.exe
  2⤵
  PID:10808
- C:\Windows\System32\dawsTqo.exe
  C:\Windows\System32\dawsTqo.exe
  2⤵
  PID:10972
- C:\Windows\System32\KxoCVVD.exe
  C:\Windows\System32\KxoCVVD.exe
  2⤵
  PID:11120
- C:\Windows\System32\qrIHhEm.exe
  C:\Windows\System32\qrIHhEm.exe
  2⤵
  PID:11188
- C:\Windows\System32\FXCCBqE.exe
  C:\Windows\System32\FXCCBqE.exe
  2⤵
  PID:10340
- C:\Windows\System32\RYccuzV.exe
  C:\Windows\System32\RYccuzV.exe
  2⤵
  PID:10764
- C:\Windows\System32\kpsMJjr.exe
  C:\Windows\System32\kpsMJjr.exe
  2⤵
  PID:11152
- C:\Windows\System32\mgCGiqy.exe
  C:\Windows\System32\mgCGiqy.exe
  2⤵
  PID:10648
- C:\Windows\System32\IDetEpL.exe
  C:\Windows\System32\IDetEpL.exe
  2⤵
  PID:11288
- C:\Windows\System32\yPlUuRS.exe
  C:\Windows\System32\yPlUuRS.exe
  2⤵
  PID:11308
- C:\Windows\System32\PqjaGjz.exe
  C:\Windows\System32\PqjaGjz.exe
  2⤵
  PID:11324
- C:\Windows\System32\FYJJZtO.exe
  C:\Windows\System32\FYJJZtO.exe
  2⤵
  PID:11368
- C:\Windows\System32\pEsKVPD.exe
  C:\Windows\System32\pEsKVPD.exe
  2⤵
  PID:11416
- C:\Windows\System32\lWXOPUC.exe
  C:\Windows\System32\lWXOPUC.exe
  2⤵
  PID:11436
- C:\Windows\System32\eWrWJkd.exe
  C:\Windows\System32\eWrWJkd.exe
  2⤵
  PID:11460
- C:\Windows\System32\jdsKMNY.exe
  C:\Windows\System32\jdsKMNY.exe
  2⤵
  PID:11496
- C:\Windows\System32\zxkyMVT.exe
  C:\Windows\System32\zxkyMVT.exe
  2⤵
  PID:11516
- C:\Windows\System32\YMrfLLd.exe
  C:\Windows\System32\YMrfLLd.exe
  2⤵
  PID:11544
- C:\Windows\System32\GXxdcRK.exe
  C:\Windows\System32\GXxdcRK.exe
  2⤵
  PID:11580
- C:\Windows\System32\qimjUxv.exe
  C:\Windows\System32\qimjUxv.exe
  2⤵
  PID:11600
- C:\Windows\System32\ivGTwXv.exe
  C:\Windows\System32\ivGTwXv.exe
  2⤵
  PID:11628
- C:\Windows\System32\DMdAYGl.exe
  C:\Windows\System32\DMdAYGl.exe
  2⤵
  PID:11656
- C:\Windows\System32\thsClwj.exe
  C:\Windows\System32\thsClwj.exe
  2⤵
  PID:11684
- C:\Windows\System32\wJegkNx.exe
  C:\Windows\System32\wJegkNx.exe
  2⤵
  PID:11704
- C:\Windows\System32\uYLjIyr.exe
  C:\Windows\System32\uYLjIyr.exe
  2⤵
  PID:11728
- C:\Windows\System32\RVnuwvS.exe
  C:\Windows\System32\RVnuwvS.exe
  2⤵
  PID:11764
- C:\Windows\System32\ItNxOvg.exe
  C:\Windows\System32\ItNxOvg.exe
  2⤵
  PID:11796
- C:\Windows\System32\JerpyYI.exe
  C:\Windows\System32\JerpyYI.exe
  2⤵
  PID:11820
- C:\Windows\System32\TTWUZfv.exe
  C:\Windows\System32\TTWUZfv.exe
  2⤵
  PID:11836
- C:\Windows\System32\csbsQAN.exe
  C:\Windows\System32\csbsQAN.exe
  2⤵
  PID:11860
- C:\Windows\System32\gZCDhBc.exe
  C:\Windows\System32\gZCDhBc.exe
  2⤵
  PID:11900
- C:\Windows\System32\aBFWFIS.exe
  C:\Windows\System32\aBFWFIS.exe
  2⤵
  PID:11916
- C:\Windows\System32\yvTmaLp.exe
  C:\Windows\System32\yvTmaLp.exe
  2⤵
  PID:11952
- C:\Windows\System32\WRYIwzs.exe
  C:\Windows\System32\WRYIwzs.exe
  2⤵
  PID:11976
- C:\Windows\System32\nYtuenl.exe
  C:\Windows\System32\nYtuenl.exe
  2⤵
  PID:11992
- C:\Windows\System32\cwJMhWb.exe
  C:\Windows\System32\cwJMhWb.exe
  2⤵
  PID:12016
- C:\Windows\System32\LtoBKOD.exe
  C:\Windows\System32\LtoBKOD.exe
  2⤵
  PID:12032
- C:\Windows\System32\rFxDdjb.exe
  C:\Windows\System32\rFxDdjb.exe
  2⤵
  PID:12048
- C:\Windows\System32\IVWxDxh.exe
  C:\Windows\System32\IVWxDxh.exe
  2⤵
  PID:12108
- C:\Windows\System32\hZupjHk.exe
  C:\Windows\System32\hZupjHk.exe
  2⤵
  PID:12128
- C:\Windows\System32\pJHjepe.exe
  C:\Windows\System32\pJHjepe.exe
  2⤵
  PID:12144
- C:\Windows\System32\WtkjTOu.exe
  C:\Windows\System32\WtkjTOu.exe
  2⤵
  PID:12168
- C:\Windows\System32\LmlEFfK.exe
  C:\Windows\System32\LmlEFfK.exe
  2⤵
  PID:12184
- C:\Windows\System32\mutlkIG.exe
  C:\Windows\System32\mutlkIG.exe
  2⤵
  PID:12224
- C:\Windows\System32\AMfBacl.exe
  C:\Windows\System32\AMfBacl.exe
  2⤵
  PID:11320
- C:\Windows\System32\ZyMWfiQ.exe
  C:\Windows\System32\ZyMWfiQ.exe
  2⤵
  PID:11380
- C:\Windows\System32\drpwfZc.exe
  C:\Windows\System32\drpwfZc.exe
  2⤵
  PID:11448
- C:\Windows\System32\gDIzVGw.exe
  C:\Windows\System32\gDIzVGw.exe
  2⤵
  PID:11484
- C:\Windows\System32\WaRJvoP.exe
  C:\Windows\System32\WaRJvoP.exe
  2⤵
  PID:11528
- C:\Windows\System32\PAzqQIo.exe
  C:\Windows\System32\PAzqQIo.exe
  2⤵
  PID:11552
- C:\Windows\System32\KrmJKNT.exe
  C:\Windows\System32\KrmJKNT.exe
  2⤵
  PID:11608
- C:\Windows\System32\HmrxVVr.exe
  C:\Windows\System32\HmrxVVr.exe
  2⤵
  PID:11668
- C:\Windows\System32\oeAxxpx.exe
  C:\Windows\System32\oeAxxpx.exe
  2⤵
  PID:11700
- C:\Windows\System32\HeineyM.exe
  C:\Windows\System32\HeineyM.exe
  2⤵
  PID:11776
- C:\Windows\System32\dskfghn.exe
  C:\Windows\System32\dskfghn.exe
  2⤵
  PID:11892
- C:\Windows\System32\iGMayrZ.exe
  C:\Windows\System32\iGMayrZ.exe
  2⤵
  PID:12064
- C:\Windows\System32\YBFbIta.exe
  C:\Windows\System32\YBFbIta.exe
  2⤵
  PID:12040
- C:\Windows\System32\apUsLWl.exe
  C:\Windows\System32\apUsLWl.exe
  2⤵
  PID:12096
- C:\Windows\System32\fjVwZFE.exe
  C:\Windows\System32\fjVwZFE.exe
  2⤵
  PID:12212
- C:\Windows\System32\YpBmvAQ.exe
  C:\Windows\System32\YpBmvAQ.exe
  2⤵
  PID:3896
- C:\Windows\System32\BYzZjsa.exe
  C:\Windows\System32\BYzZjsa.exe
  2⤵
  PID:12244
- C:\Windows\System32\efqfWil.exe
  C:\Windows\System32\efqfWil.exe
  2⤵
  PID:11036
- C:\Windows\System32\ZkWFVwi.exe
  C:\Windows\System32\ZkWFVwi.exe
  2⤵
  PID:11376
- C:\Windows\System32\bpznnDe.exe
  C:\Windows\System32\bpznnDe.exe
  2⤵
  PID:11588
- C:\Windows\System32\CYlaaiQ.exe
  C:\Windows\System32\CYlaaiQ.exe
  2⤵
  PID:11532
- C:\Windows\System32\MXWXCLL.exe
  C:\Windows\System32\MXWXCLL.exe
  2⤵
  PID:11716
- C:\Windows\System32\jzKhVOW.exe
  C:\Windows\System32\jzKhVOW.exe
  2⤵
  PID:11832
- C:\Windows\System32\wcVfSmZ.exe
  C:\Windows\System32\wcVfSmZ.exe
  2⤵
  PID:11828
- C:\Windows\System32\OQKsJgp.exe
  C:\Windows\System32\OQKsJgp.exe
  2⤵
  PID:12092
- C:\Windows\System32\FxQHmRb.exe
  C:\Windows\System32\FxQHmRb.exe
  2⤵
  PID:4900
- C:\Windows\System32\mEapkWs.exe
  C:\Windows\System32\mEapkWs.exe
  2⤵
  PID:11564
- C:\Windows\System32\RuBJlVI.exe
  C:\Windows\System32\RuBJlVI.exe
  2⤵
  PID:11400
- C:\Windows\System32\nTwFryo.exe
  C:\Windows\System32\nTwFryo.exe
  2⤵
  PID:11744
- C:\Windows\System32\JPRVpRn.exe
  C:\Windows\System32\JPRVpRn.exe
  2⤵
  PID:12308
- C:\Windows\System32\UOEtjMc.exe
  C:\Windows\System32\UOEtjMc.exe
  2⤵
  PID:12328
- C:\Windows\System32\lFmiXXJ.exe
  C:\Windows\System32\lFmiXXJ.exe
  2⤵
  PID:12348
- C:\Windows\System32\IttfohF.exe
  C:\Windows\System32\IttfohF.exe
  2⤵
  PID:12400
- C:\Windows\System32\GtqExgO.exe
  C:\Windows\System32\GtqExgO.exe
  2⤵
  PID:12424
- C:\Windows\System32\MFFuJzt.exe
  C:\Windows\System32\MFFuJzt.exe
  2⤵
  PID:12444
- C:\Windows\System32\oBCHVSo.exe
  C:\Windows\System32\oBCHVSo.exe
  2⤵
  PID:12472
- C:\Windows\System32\BWCjjOI.exe
  C:\Windows\System32\BWCjjOI.exe
  2⤵
  PID:12504
- C:\Windows\System32\lFDOzIx.exe
  C:\Windows\System32\lFDOzIx.exe
  2⤵
  PID:12544
- C:\Windows\System32\UyVvMcF.exe
  C:\Windows\System32\UyVvMcF.exe
  2⤵
  PID:12560
- C:\Windows\System32\hZoipBN.exe
  C:\Windows\System32\hZoipBN.exe
  2⤵
  PID:12580
- C:\Windows\System32\ukYxNio.exe
  C:\Windows\System32\ukYxNio.exe
  2⤵
  PID:12604
- C:\Windows\System32\QSBeHoi.exe
  C:\Windows\System32\QSBeHoi.exe
  2⤵
  PID:12624
- C:\Windows\System32\VFgSJzK.exe
  C:\Windows\System32\VFgSJzK.exe
  2⤵
  PID:12640
- C:\Windows\System32\oGvKaMw.exe
  C:\Windows\System32\oGvKaMw.exe
  2⤵
  PID:12692
- C:\Windows\System32\MTFFNiK.exe
  C:\Windows\System32\MTFFNiK.exe
  2⤵
  PID:12732
- C:\Windows\System32\XfvEeJa.exe
  C:\Windows\System32\XfvEeJa.exe
  2⤵
  PID:12760
- C:\Windows\System32\wQEGkWe.exe
  C:\Windows\System32\wQEGkWe.exe
  2⤵
  PID:12784
- C:\Windows\System32\KXpFSvN.exe
  C:\Windows\System32\KXpFSvN.exe
  2⤵
  PID:12804
- C:\Windows\System32\MXhgYVU.exe
  C:\Windows\System32\MXhgYVU.exe
  2⤵
  PID:12836
- C:\Windows\System32\jYHqpeW.exe
  C:\Windows\System32\jYHqpeW.exe
  2⤵
  PID:12868
- C:\Windows\System32\WawgvyH.exe
  C:\Windows\System32\WawgvyH.exe
  2⤵
  PID:12888
- C:\Windows\System32\kTAEigQ.exe
  C:\Windows\System32\kTAEigQ.exe
  2⤵
  PID:12904
- C:\Windows\System32\GyktGzn.exe
  C:\Windows\System32\GyktGzn.exe
  2⤵
  PID:12928
- C:\Windows\System32\stltgDb.exe
  C:\Windows\System32\stltgDb.exe
  2⤵
  PID:12980
- C:\Windows\System32\MSoHfha.exe
  C:\Windows\System32\MSoHfha.exe
  2⤵
  PID:13016
- C:\Windows\System32\mNrOMVE.exe
  C:\Windows\System32\mNrOMVE.exe
  2⤵
  PID:13048
- C:\Windows\System32\AtHNCAU.exe
  C:\Windows\System32\AtHNCAU.exe
  2⤵
  PID:13064
- C:\Windows\System32\aMDiYcx.exe
  C:\Windows\System32\aMDiYcx.exe
  2⤵
  PID:13092
- C:\Windows\System32\xzfHZuP.exe
  C:\Windows\System32\xzfHZuP.exe
  2⤵
  PID:13128
- C:\Windows\System32\xDroIol.exe
  C:\Windows\System32\xDroIol.exe
  2⤵
  PID:13160
- C:\Windows\System32\cVNCSvd.exe
  C:\Windows\System32\cVNCSvd.exe
  2⤵
  PID:13176
- C:\Windows\System32\hCygNcO.exe
  C:\Windows\System32\hCygNcO.exe
  2⤵
  PID:13196
- C:\Windows\System32\GgYjhfm.exe
  C:\Windows\System32\GgYjhfm.exe
  2⤵
  PID:13212
- C:\Windows\System32\lldDRYQ.exe
  C:\Windows\System32\lldDRYQ.exe
  2⤵
  PID:13232

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AVoURAz.exe

Filesize
1.2MB

MD5
b8ba722fd6997db75f8523f225a775a4

SHA1
1f21a07f92a0c103495c2b6dd61f7c102ce74d60

SHA256
68ff44a5e46eee4132d399d56768f95bd74905a136ab2c891fd942aaf7533fc3

SHA512
4da4ebbab950909f858735d3fce6c15604b2443652c35c19d35097e3b72080a60fa1aee5e8ec10d9911b33711d1b0253612e3751d1ce9891b0bea5c5ac214f35

Download Submit
C:\Windows\System32\BVxagyS.exe

Filesize
1.2MB

MD5
e53b3305e69efdbe4ed922943e95be5b

SHA1
5c1dd46841ca1cf5fec075a59296f32c72ee9efa

SHA256
6042e4b1292c0e5f268068eb2e667cb1fc93eaffe015790942f732008d90e845

SHA512
bdfb6895a2e8432927031ef87c564d6a60610c6111758d37489a0007581e1d12f869cbaf9003f23c8819992f2fbac22f939c9b3b704b56f7997222aea3fb55c1

Download Submit
C:\Windows\System32\EWTsIng.exe

Filesize
1.2MB

MD5
f7b0efa1bf9878d714207543937949b0

SHA1
59f560af027502b2c151c18c040847a2237376a0

SHA256
4caf84196b4b585e0f46792de6f2e32a033b0ebed2dd2ba42f55782ec03f7dc4

SHA512
954f64188e9b2b1a0b7b9fcb164686f3209536c47a2daef7dea332baf58a5fffd0e00597137c54a1fcdc40f3844bbe68cfa582d65db44126c961828c2c49615e

Download Submit
C:\Windows\System32\FFRRKBP.exe

Filesize
1.2MB

MD5
2a9e1d853099c18944a99b3b734c580b

SHA1
309616956212e440e9b28c039b3fa5d12b11e318

SHA256
6b8bbd012f7b7e2a7de440f1f320fb135ca615a13bc405782453a4acbeb25354

SHA512
0c2be3b11975a418265ae6aae8c0bc8154cea64bdfe0a1e8c8b340c07c1da8a1e043b2d886d26a7872d6354a152578b547fcded727ca78d188c335a9caa1c3f1

Download Submit
C:\Windows\System32\GTwYxBv.exe

Filesize
1.2MB

MD5
6e7f67f46588ca8fdf21d9c5c59d9e98

SHA1
c0ddd711fbf6b99345bec8f3d46aa87a5ae81e3c

SHA256
29793d93a77bec757fc63ab609e81224cd03d9c6db6312b4299820499509f4f9

SHA512
b93023624159651c2e8113d4486ea495273d2e055419a808028140d7ef41c8e44a11ace923aa28c33297919478658232860889ddb1e403cfaa175c370c1685f5

Download Submit
C:\Windows\System32\IDukkME.exe

Filesize
1.2MB

MD5
83708601dd30a4784940a5d0847916cf

SHA1
ff0bb67585118baeaf147d5c1ed83f2a0ac432ca

SHA256
17bafb0b78478a676213f3ef4fb4cb4c5313bd592ffcbdaa3fbe95c7f9980b06

SHA512
bb81727b593e36a0316e834a0362c59569943a8a846ce56633e5792a4c1e6aa42a7c997c4209e52aa5a7bdb3772df201b550f7ed4e5a05f5f84a5f5cf225d02a

Download Submit
C:\Windows\System32\IZgmeRc.exe

Filesize
1.2MB

MD5
a2f4fafca7dbf48cbc1e313bca98ec59

SHA1
badceddd951f84ee29e9607ec3e11f1f8ed0c01c

SHA256
2dac121298c11c3362c9776968153c2ca608f3f5d983b4df84cf89327c3dd2a8

SHA512
9ef3daf83f9a57e74637d3b59d35778d353d5e850e522be840a41831f9d70ed599eefe127b507409e446b7ce9bccd83039f76fce949a8ba92fe09368ce0028c0

Download Submit
C:\Windows\System32\JIAywkr.exe

Filesize
1.2MB

MD5
e6f920658f655f6208bcd849db70c0b8

SHA1
07d0b01fc6247b2af85c54dbe9aa3d9b66b90c45

SHA256
e93ed498cffe51bef4f6bba9a1ec9d8aef326cfd69879e4bbab02f766fe70281

SHA512
f78c98e23709c9670e5045cf3491bc4cd654e01c682aa52ccc031f5a0590c132f457b4f6e40cb9066597cfb48c4497a89d8fee717a2ca500bab91c1e008cc1c2

Download Submit
C:\Windows\System32\LefxkrM.exe

Filesize
1.2MB

MD5
008f35532000b5f61a5aadb643d3003c

SHA1
8320992ade45d32e757dda59ba9474b6b517e0f7

SHA256
f956f23d27aff7eacd8a2c1fe19167b549a32bb105b56f8366b1542f183fe8f9

SHA512
240cc91125ed237042815d6c4222187e1daa1d044980531b11b2e4c42d8b6a751a8422413b4fbd0be5e30ab725e9c9e65615fde0418ff5f402245b665685aec1

Download Submit
C:\Windows\System32\OjqbpDB.exe

Filesize
1.2MB

MD5
1bda998db3bccd0ff9b9621d8b5ee42f

SHA1
1024a3868b34dbc8bf44e6a1808fa3d6f7fd2cb5

SHA256
d74b28de45ae2dfb1ffd4a04c146f9f57036db7495749b9dff6e14e00435f787

SHA512
4e89654105cbbf6bb6dc6b0d007067a59d2d9201884c0da10e8e6797c85e6840b4e9383376a0c45c5b6ede12c407b923d17bf645e060c047517b022352ccf542

Download Submit
C:\Windows\System32\QaRvOLz.exe

Filesize
1.2MB

MD5
5cd01b7b2f735d406316a41cb491e1b1

SHA1
61e20d78f668e10038a677d6ef9af8b7dd8d6471

SHA256
c342c13d9f6a168d3f21d12d3a662a1c72f680ae838762c86ce82781c8d60ed4

SHA512
b54f110e008b9e3f422d50458ca2c8744af92fe64779bfd023c14ad2809352100d1f0e9e77db60c4990dbab7c72f019cc0d4e9b72318493d26f604d554e5ce82

Download Submit
C:\Windows\System32\QweUqJT.exe

Filesize
1.2MB

MD5
6c2ff43c616bca9f96d7a5f987c32f0f

SHA1
8d504c15c64ce060d1b2a08d339768f5f0a5473c

SHA256
5436c304cc29aea1ec876c8e23098da66e8821e5f1ae03da2eafd188fa9122fb

SHA512
eb66d9a0a8629f4da87490351012e730c6c8c27e9da19647779daf795ae3bd0f846c69be29ee0bb2f650d4b2a32d98256e76849cb4d4f77a44c2e5d5a81b2fe9

Download Submit
C:\Windows\System32\RZydpSB.exe

Filesize
1.2MB

MD5
fe18939857b548e093477d5f3c44892c

SHA1
ead66c67b95b8b25ec0e94d62d967fd9b819e06d

SHA256
55fb64dba59773dfd367894aa263d6be5cd42fed8d6e36355172d01c0ec49936

SHA512
106b2db077bf185d256e9336201d4b9983d37372e86b61437e9cacc9d0b16c9a1b494534ccc23d5e1006a5ad69ee5a2eaa5315cce2768cf69aa72a0cfbd532e4

Download Submit
C:\Windows\System32\XKxZkWn.exe

Filesize
1.2MB

MD5
6f5e7573d4920dc0b03feee54d674ffa

SHA1
6a6cfb7b7efd4b9e3a2f0b4fcadd19773ceb403d

SHA256
751c2f6597ff8a30182047a3424776f706be4fe7bc214648c811371152326cd4

SHA512
e84d54d5c394720941306d67aaef269c94d896535d53c100cffd5c4ce043e35eee6ca4bc46001119588ad008c1213f003ddca37d9f886092c34ffb73406a71bb

Download Submit
C:\Windows\System32\YVNoCHx.exe

Filesize
1.2MB

MD5
3d00b8c696e03217b3a4b2057cc75839

SHA1
8c77dd849625d765373c3e4dca3654292bab3ebc

SHA256
3b450a44e78eacdc54136c9b1d66f3c16eeed47165af27396f45df9e813b599d

SHA512
aa175d82ec1694734ab7e996644cb85067b3b06ec720dd8ea6e0723d5c676d79cc53e0c8137fd544f1be78cc2f1cfc75ac446abed8d7d1b24d957c66f2bd2a3e

Download Submit
C:\Windows\System32\cfpkMrH.exe

Filesize
1.2MB

MD5
c76e1843d575a381f5f7d13282674c5e

SHA1
05980a04f7baa9b512c3e9f1f82f09096f76b538

SHA256
0b567a269f6de377adc5c6eaa311740ad99a29517a5f5615a5e7d2c984d1b7d3

SHA512
d660babf84a41934a98755640e873f7a2888db6df4703d51c87e07cd21968df29424f83e64e81bed5a4745bab3e785838dfc15dde147c30e3f969518e7164392

Download Submit
C:\Windows\System32\dkeVNmJ.exe

Filesize
1.2MB

MD5
0b005dd3a36fbf09ff25ac954d55cace

SHA1
e5630b82cf1501a47fcac63f865d623e2c8292d6

SHA256
1ede9c11ed6f8d4b97efca4afc57c9787f67805c990358f233b4a7ce948310b4

SHA512
70ecbce3fab97170d2c482bcee705b33e20c25ced4d0e510d79c8e4cf541049ea336b7531eab451ccd9cd3513e2e348396725eaecdbaaa282cb8a7260e3c7457

Download Submit
C:\Windows\System32\duqGyHp.exe

Filesize
1.2MB

MD5
7297bc124214d53511e89885e0d00fc6

SHA1
0ba57c73cf2acb657ba8ffed74d2629f1bf539b8

SHA256
239f10355b480e29919fc24e8acf9548565a248b02ef607b8996b733a797e317

SHA512
d594249215c74a338287eb4ba5bc17aacb9301d3bcc4d87ad2d59c5f88c7412a5c566c6cd2720a690240b57fd6b94e76c655c064b2e2e4061200701c320c5f09

Download Submit
C:\Windows\System32\hAzEuCA.exe

Filesize
1.2MB

MD5
247d55db1f8160af4632cec8e9ad170a

SHA1
6ee538177a8e00996f998764ded526d339aba586

SHA256
719df1015efc53da683c6e6bbb77ee308ed435e2bb9651b920cd49fff049ad17

SHA512
309d78468f900f3ea48de36c509fee2e7770c8e556bb5411aef81f568645c5e7104aeaa2897e329c70760a7e5d52c60cbf183a59e8c622415cfc397da07e433f

Download Submit
C:\Windows\System32\hcMnvlx.exe

Filesize
1.2MB

MD5
e9bc71ad613aff22eb170f7924f93725

SHA1
791c3477e32a591aadf9c98ca7c31b68f694c04d

SHA256
397668ae4628301bee8cfcc5e8d987386d1bf540940a724d12202b619ab6dada

SHA512
e5905772157d7883b8e2708017a03fe189e8812a070b2dde31dbcfa04bcb081d4bc50b59e6979f31ada63f05a75d851cd044053bfd4e2bad47f216482481160f

Download Submit
C:\Windows\System32\hzDPOlP.exe

Filesize
1.2MB

MD5
477d1aecd626f7b2770071cfda523573

SHA1
4b994f3987381b9d5a2bea658af6c5803be2cc18

SHA256
52696535763835fb0f3d565a7b73e7505cd2eb241f0e34736de14f44bd58e81e

SHA512
439af69c1ba88325e455e1b66fa5a8e1d97c45a7bbf0dd7eddb0c7e7c1f8dc86ba65a66a540659d68ed464bedd4a9191fd801fb06e8641ef20d27fad8b298c92

Download Submit
C:\Windows\System32\iTOVQpC.exe

Filesize
1.2MB

MD5
368a3c5c5e141e240426b8c0f85932f8

SHA1
ffe251e43f8a47d80ea07384c7977d69e830d6ae

SHA256
1a12e7e00b393033faf082dd0fcfde2b02e4d10bd15274053b47af1c9489c3df

SHA512
616dd1957a7cee54fb71b570fb69918fe705e59187c4d8f7a249321f297074c6a9f72291942bd51e2bb7f7d4d2ebd7f8c66aa4fd715ad5ac4f994df2673f1b1d

Download Submit
C:\Windows\System32\iucWLpl.exe

Filesize
1.2MB

MD5
83a7d638c0e7794d8b61ef4d52bad829

SHA1
87031b881d9097a62176e7db2e80e41bebcf9b6d

SHA256
7b41b6dc0c48f8a376c719c2b154932ac0c215faddce4b4d85ea73f11608ecf8

SHA512
dc139c82707f94afbc016bb3198212880d33760354462dbd9920310079719bb2a89d2b7e9c265a9448bd32075d385f3939cde6d56e9376f77766c6c640b89a06

Download Submit
C:\Windows\System32\lBeAkml.exe

Filesize
1.2MB

MD5
de676e0705b3d16b65e222412022c81c

SHA1
e4d7f7028d5d3963c4b6275664d8904521f5541e

SHA256
823067fcbec324c7f110fc9a4d46f4d16723e27eeb5ca195cd14e9cbe3974673

SHA512
dca4d2c929d73b950fd19dd7373fa37d974db97bc73856a1e707345cb7a781664bd335cbcee65e8ee9d609e26c600680f12ee2f2199fb150cbee878dc7d21c89

Download Submit
C:\Windows\System32\lUgpjih.exe

Filesize
1.2MB

MD5
16d5d3e9645cfebc2f63813c70da7365

SHA1
048de724a344431861a171073e5f447e23cbc86a

SHA256
5dd3c7740a87d749be1c3580070490a4e9df872e9a65cda85a219f09fbc439cd

SHA512
60117da2afa4a96656edef445ac658d5f42be70b40b23fc2247b19dc5544a4e3712d3f54731166e03ab9fea34f3f4dac1de42dcc8a1f237e74caf80497def1c2

Download Submit
C:\Windows\System32\oEHGHwm.exe

Filesize
1.2MB

MD5
5ebb6b2ad84b8a97b85d174c84ac3b27

SHA1
267acec11a43ddbae668388dd1d00a33585dae49

SHA256
b92b4bb0436f07e4ee2e448c55104201b1ff3bee4c35d7e635a8e61b20398afa

SHA512
afd1665d0cbd0c98c343962e7e8d93cde8af1d2de9d898f1ced0dd95cfb347a477d4fa5424b368b9949437609ecd4cc46ead474b44ef7536ad2655ab2411dd2e

Download Submit
C:\Windows\System32\owJvnGE.exe

Filesize
1.2MB

MD5
04dc549a86b171e2b5032c73e0637eb8

SHA1
c2919e83819eea405a2f7e325553682760e32af8

SHA256
5bf1330124cada0bf0039537688d4f360520b2f9df78db32e67bdf8e7f478fe6

SHA512
9f3e0cf8cb6e5bfa85c531e9c53eea09c569119e7975f87b6c0732d3c93b677d3a4f101412877e9192667eb8af038b0e136de1c0fa7feee35b299d67c2ccd51d

Download Submit
C:\Windows\System32\rzYurnJ.exe

Filesize
1.2MB

MD5
fd4f2c7e5ce5e5932fe251f3d17d9628

SHA1
1e8044f228e1409ee47e381f8571744b36e1925b

SHA256
f74f764a244e43704d6fc3ae79372be62f30f7d2e937c102b343b97e9392b7b3

SHA512
69dd40c5af3225c0c9792df981031f357127f56f65eab4d971e67871fcc99b922f25734fdc1ded4211839bf730e479374142decf714e9a38aaab5edfcea810f4

Download Submit
C:\Windows\System32\uvBbhCn.exe

Filesize
1.2MB

MD5
43be5e566dd3e5c57688584e2c64823f

SHA1
6309adc398ec5c6c6f95b767cc7c6f892a1ce156

SHA256
6bb04db07fb71d835f6015ef2afd15e11f810e2948dfd52ecc6e31ade28f0281

SHA512
2ca939aa2608b322ac5fe12015a895eb20ac58ba6e1f56cc7883d09cb34e87e21df7f940b3e99267773a62e0395409d14e900db02dc659216b5cf02e3f5ba783

Download Submit
C:\Windows\System32\wCbQzrE.exe

Filesize
1.2MB

MD5
7c72662d4529873c96b770898251207c

SHA1
66b5886e7378d52ed5716d9f210f93b294bfe898

SHA256
262070d7c4219501200c7ad235d1aac135e1dd3cb7302ba8189a969a92c2c2ca

SHA512
fd14f1f080db1d2fc5396248020491ef06434d4861e71093dcf27df29b5d1382d1d8cc1baf560012d2ceb57dbfb365e3a167ee1a08a03929cff86084eca5dcbc

Download Submit
C:\Windows\System32\wCxEKqR.exe

Filesize
1.2MB

MD5
b4ba0e765ac340ebf9feccb025e0487a

SHA1
a98981288c0ea6d5ffbc59e3eaef163d0e13fb4e

SHA256
ce82480bd4f3135d5757ed14bc0eb4e2447e6d8af3ca90a11b14b3f65e0910ac

SHA512
0b30a68037e6c7d96d417654bbccba88861577cd02fed68641a8222e1856b7754347ea672df14f3ce02e854366e5492775af454db775eacdf67bca345d6568bf

Download Submit
C:\Windows\System32\wvALIsl.exe

Filesize
1.2MB

MD5
45679ec2614f3c3f019a6a7a246c91cd

SHA1
33b95f44eca0144f8599999a68ada1751c9021dd

SHA256
e8fd2b190d4e4947319462f2095522b854ea824465f2462fd060c2937987ac1c

SHA512
f80704bf347b8e68e9f939a558b7e073d5e1a22b49bbd443c3c75f7abedeff7f8c9e6cd21fd4622613427a1b1f0948f46aa849a32ee2e36a01bca3e5ef3d2c1d

Download Submit
C:\Windows\System32\xEBmTHp.exe

Filesize
1.2MB

MD5
f7bb2360076c89d0ddb7cc79300a3c4b

SHA1
bc04d21a5a2ed8f16b61602a5eea03d84b105be3

SHA256
e88f93e8c5bd702d2c1b3e3465a0abc18b4c0311f62bfd0db4e67d1e375143f0

SHA512
b35994abc390ef0a69ef38f9ecc2ced329dc71049c3561d3249bc8be9a3ddb25abb76b52f42327ffe1ea4a40b014f5ac09f12342a798cc30445e6b7342871008

Download Submit
memory/224-81-0x00007FF6B4AD0000-0x00007FF6B4EC1000-memory.dmp

Filesize
3.9MB

Download
memory/224-2054-0x00007FF6B4AD0000-0x00007FF6B4EC1000-memory.dmp

Filesize
3.9MB

Download
memory/224-1998-0x00007FF6B4AD0000-0x00007FF6B4EC1000-memory.dmp

Filesize
3.9MB

Download
memory/932-2061-0x00007FF6058B0000-0x00007FF605CA1000-memory.dmp

Filesize
3.9MB

Download
memory/932-394-0x00007FF6058B0000-0x00007FF605CA1000-memory.dmp

Filesize
3.9MB

Download
memory/1208-2056-0x00007FF793900000-0x00007FF793CF1000-memory.dmp

Filesize
3.9MB

Download
memory/1208-400-0x00007FF793900000-0x00007FF793CF1000-memory.dmp

Filesize
3.9MB

Download
memory/1260-1978-0x00007FF7D49E0000-0x00007FF7D4DD1000-memory.dmp

Filesize
3.9MB

Download
memory/1260-66-0x00007FF7D49E0000-0x00007FF7D4DD1000-memory.dmp

Filesize
3.9MB

Download
memory/1260-2032-0x00007FF7D49E0000-0x00007FF7D4DD1000-memory.dmp

Filesize
3.9MB

Download
memory/1576-2062-0x00007FF77C420000-0x00007FF77C811000-memory.dmp

Filesize
3.9MB

Download
memory/1576-393-0x00007FF77C420000-0x00007FF77C811000-memory.dmp

Filesize
3.9MB

Download
memory/1760-2050-0x00007FF605050000-0x00007FF605441000-memory.dmp

Filesize
3.9MB

Download
memory/1760-399-0x00007FF605050000-0x00007FF605441000-memory.dmp

Filesize
3.9MB

Download
memory/2152-2044-0x00007FF6C4F90000-0x00007FF6C5381000-memory.dmp

Filesize
3.9MB

Download
memory/2152-398-0x00007FF6C4F90000-0x00007FF6C5381000-memory.dmp

Filesize
3.9MB

Download
memory/2196-62-0x00007FF7C8950000-0x00007FF7C8D41000-memory.dmp

Filesize
3.9MB

Download
memory/2196-2034-0x00007FF7C8950000-0x00007FF7C8D41000-memory.dmp

Filesize
3.9MB

Download
memory/2436-397-0x00007FF60D4C0000-0x00007FF60D8B1000-memory.dmp

Filesize
3.9MB

Download
memory/2436-2046-0x00007FF60D4C0000-0x00007FF60D8B1000-memory.dmp

Filesize
3.9MB

Download
memory/2620-1976-0x00007FF76E320000-0x00007FF76E711000-memory.dmp

Filesize
3.9MB

Download
memory/2620-72-0x00007FF76E320000-0x00007FF76E711000-memory.dmp

Filesize
3.9MB

Download
memory/2620-2038-0x00007FF76E320000-0x00007FF76E711000-memory.dmp

Filesize
3.9MB

Download
memory/2736-89-0x00007FF6B4720000-0x00007FF6B4B11000-memory.dmp

Filesize
3.9MB

Download
memory/2736-2042-0x00007FF6B4720000-0x00007FF6B4B11000-memory.dmp

Filesize
3.9MB

Download
memory/2736-2016-0x00007FF6B4720000-0x00007FF6B4B11000-memory.dmp

Filesize
3.9MB

Download
memory/2924-61-0x00007FF6FC930000-0x00007FF6FCD21000-memory.dmp

Filesize
3.9MB

Download
memory/2924-2036-0x00007FF6FC930000-0x00007FF6FCD21000-memory.dmp

Filesize
3.9MB

Download
memory/3100-2026-0x00007FF66D140000-0x00007FF66D531000-memory.dmp

Filesize
3.9MB

Download
memory/3100-1974-0x00007FF66D140000-0x00007FF66D531000-memory.dmp

Filesize
3.9MB

Download
memory/3100-33-0x00007FF66D140000-0x00007FF66D531000-memory.dmp

Filesize
3.9MB

Download
memory/3244-2024-0x00007FF7E39B0000-0x00007FF7E3DA1000-memory.dmp

Filesize
3.9MB

Download
memory/3244-56-0x00007FF7E39B0000-0x00007FF7E3DA1000-memory.dmp

Filesize
3.9MB

Download
memory/3692-55-0x00007FF64B410000-0x00007FF64B801000-memory.dmp

Filesize
3.9MB

Download
memory/3692-2030-0x00007FF64B410000-0x00007FF64B801000-memory.dmp

Filesize
3.9MB

Download
memory/4036-395-0x00007FF656BE0000-0x00007FF656FD1000-memory.dmp

Filesize
3.9MB

Download
memory/4036-2058-0x00007FF656BE0000-0x00007FF656FD1000-memory.dmp

Filesize
3.9MB

Download
memory/4112-396-0x00007FF7EEA80000-0x00007FF7EEE71000-memory.dmp

Filesize
3.9MB

Download
memory/4112-2048-0x00007FF7EEA80000-0x00007FF7EEE71000-memory.dmp

Filesize
3.9MB

Download
memory/4436-2064-0x00007FF7BA290000-0x00007FF7BA681000-memory.dmp

Filesize
3.9MB

Download
memory/4436-401-0x00007FF7BA290000-0x00007FF7BA681000-memory.dmp

Filesize
3.9MB

Download
memory/4540-87-0x00007FF6FC260000-0x00007FF6FC651000-memory.dmp

Filesize
3.9MB

Download
memory/4540-2007-0x00007FF6FC260000-0x00007FF6FC651000-memory.dmp

Filesize
3.9MB

Download
memory/4540-2174-0x00007FF6FC260000-0x00007FF6FC651000-memory.dmp

Filesize
3.9MB

Download
memory/4628-2020-0x00007FF70CAC0000-0x00007FF70CEB1000-memory.dmp

Filesize
3.9MB

Download
memory/4628-20-0x00007FF70CAC0000-0x00007FF70CEB1000-memory.dmp

Filesize
3.9MB

Download
memory/4676-80-0x00007FF6EE500000-0x00007FF6EE8F1000-memory.dmp

Filesize
3.9MB

Download
memory/4676-1997-0x00007FF6EE500000-0x00007FF6EE8F1000-memory.dmp

Filesize
3.9MB

Download
memory/4676-2040-0x00007FF6EE500000-0x00007FF6EE8F1000-memory.dmp

Filesize
3.9MB

Download
memory/4912-47-0x00007FF687D40000-0x00007FF688131000-memory.dmp

Filesize
3.9MB

Download
memory/4912-1975-0x00007FF687D40000-0x00007FF688131000-memory.dmp

Filesize
3.9MB

Download
memory/4912-2029-0x00007FF687D40000-0x00007FF688131000-memory.dmp

Filesize
3.9MB

Download
memory/4916-2022-0x00007FF6FC200000-0x00007FF6FC5F1000-memory.dmp

Filesize
3.9MB

Download
memory/4916-36-0x00007FF6FC200000-0x00007FF6FC5F1000-memory.dmp

Filesize
3.9MB

Download
memory/5040-73-0x00007FF74CA80000-0x00007FF74CE71000-memory.dmp

Filesize
3.9MB

Download
memory/5040-1977-0x00007FF74CA80000-0x00007FF74CE71000-memory.dmp

Filesize
3.9MB

Download
memory/5040-2052-0x00007FF74CA80000-0x00007FF74CE71000-memory.dmp

Filesize
3.9MB

Download
memory/5108-1973-0x00007FF73E0C0000-0x00007FF73E4B1000-memory.dmp

Filesize
3.9MB

Download
memory/5108-0-0x00007FF73E0C0000-0x00007FF73E4B1000-memory.dmp

Filesize
3.9MB

Download
memory/5108-1-0x0000020E18940000-0x0000020E18950000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads