xmrig | dbcdbe870bd9540af8cc19e86ca0f962f93ab6bf7306b796f9db703ba323f0b3

Analysis

max time kernel
110s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c66b68b298373b70fb8f4385bb490190N.exe
Size

1.0MB
MD5

c66b68b298373b70fb8f4385bb490190
SHA1

769bb7562f546374731b51b631a670f668e500cc
SHA256

dbcdbe870bd9540af8cc19e86ca0f962f93ab6bf7306b796f9db703ba323f0b3
SHA512

d61135e8665505282941d46e329c650068cbc7d7779eb7cc58be40670d0174f91dae7e354c61480f1c13b06eaab2d0797c4e363646b3b69fa1dbe6d9495248d8
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlOqzJO0Rb8bodJjquS/:knw9oUUEEDlOuJPHj8/

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2884-310-0x00007FF7F3E00000-0x00007FF7F41F1000-memory.dmp	xmrig
behavioral2/memory/2296-311-0x00007FF6250C0000-0x00007FF6254B1000-memory.dmp	xmrig
behavioral2/memory/436-312-0x00007FF635FC0000-0x00007FF6363B1000-memory.dmp	xmrig
behavioral2/memory/5104-313-0x00007FF6DBA30000-0x00007FF6DBE21000-memory.dmp	xmrig
behavioral2/memory/3288-314-0x00007FF74CEF0000-0x00007FF74D2E1000-memory.dmp	xmrig
behavioral2/memory/4036-315-0x00007FF744D40000-0x00007FF745131000-memory.dmp	xmrig
behavioral2/memory/3828-316-0x00007FF7E3660000-0x00007FF7E3A51000-memory.dmp	xmrig
behavioral2/memory/4828-321-0x00007FF643CA0000-0x00007FF644091000-memory.dmp	xmrig
behavioral2/memory/2788-324-0x00007FF6B4150000-0x00007FF6B4541000-memory.dmp	xmrig
behavioral2/memory/1144-329-0x00007FF7A9F70000-0x00007FF7AA361000-memory.dmp	xmrig
behavioral2/memory/2768-333-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp	xmrig
behavioral2/memory/3296-338-0x00007FF6D6E10000-0x00007FF6D7201000-memory.dmp	xmrig
behavioral2/memory/4332-345-0x00007FF72FCB0000-0x00007FF7300A1000-memory.dmp	xmrig
behavioral2/memory/4164-353-0x00007FF7B9A90000-0x00007FF7B9E81000-memory.dmp	xmrig
behavioral2/memory/3528-30-0x00007FF6FDE60000-0x00007FF6FE251000-memory.dmp	xmrig
behavioral2/memory/1916-29-0x00007FF62B570000-0x00007FF62B961000-memory.dmp	xmrig
behavioral2/memory/1380-361-0x00007FF681020000-0x00007FF681411000-memory.dmp	xmrig
behavioral2/memory/2252-370-0x00007FF68FFD0000-0x00007FF6903C1000-memory.dmp	xmrig
behavioral2/memory/4668-372-0x00007FF69EAD0000-0x00007FF69EEC1000-memory.dmp	xmrig
behavioral2/memory/2064-383-0x00007FF6EED10000-0x00007FF6EF101000-memory.dmp	xmrig
behavioral2/memory/1636-1973-0x00007FF603810000-0x00007FF603C01000-memory.dmp	xmrig
behavioral2/memory/4944-1974-0x00007FF6E9100000-0x00007FF6E94F1000-memory.dmp	xmrig
behavioral2/memory/3712-2009-0x00007FF6E6170000-0x00007FF6E6561000-memory.dmp	xmrig
behavioral2/memory/3712-2051-0x00007FF6E6170000-0x00007FF6E6561000-memory.dmp	xmrig
behavioral2/memory/3288-2061-0x00007FF74CEF0000-0x00007FF74D2E1000-memory.dmp	xmrig
behavioral2/memory/5104-2063-0x00007FF6DBA30000-0x00007FF6DBE21000-memory.dmp	xmrig
behavioral2/memory/3828-2065-0x00007FF7E3660000-0x00007FF7E3A51000-memory.dmp	xmrig
behavioral2/memory/1144-2075-0x00007FF7A9F70000-0x00007FF7AA361000-memory.dmp	xmrig
behavioral2/memory/3296-2077-0x00007FF6D6E10000-0x00007FF6D7201000-memory.dmp	xmrig
behavioral2/memory/2788-2073-0x00007FF6B4150000-0x00007FF6B4541000-memory.dmp	xmrig
behavioral2/memory/2768-2071-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp	xmrig
behavioral2/memory/4828-2069-0x00007FF643CA0000-0x00007FF644091000-memory.dmp	xmrig
behavioral2/memory/4036-2067-0x00007FF744D40000-0x00007FF745131000-memory.dmp	xmrig
behavioral2/memory/436-2059-0x00007FF635FC0000-0x00007FF6363B1000-memory.dmp	xmrig
behavioral2/memory/2296-2057-0x00007FF6250C0000-0x00007FF6254B1000-memory.dmp	xmrig
behavioral2/memory/2884-2055-0x00007FF7F3E00000-0x00007FF7F41F1000-memory.dmp	xmrig
behavioral2/memory/1932-2053-0x00007FF68CC80000-0x00007FF68D071000-memory.dmp	xmrig
behavioral2/memory/1636-2049-0x00007FF603810000-0x00007FF603C01000-memory.dmp	xmrig
behavioral2/memory/4944-2047-0x00007FF6E9100000-0x00007FF6E94F1000-memory.dmp	xmrig
behavioral2/memory/3528-2045-0x00007FF6FDE60000-0x00007FF6FE251000-memory.dmp	xmrig
behavioral2/memory/1916-2043-0x00007FF62B570000-0x00007FF62B961000-memory.dmp	xmrig
behavioral2/memory/2252-2085-0x00007FF68FFD0000-0x00007FF6903C1000-memory.dmp	xmrig
behavioral2/memory/2064-2101-0x00007FF6EED10000-0x00007FF6EF101000-memory.dmp	xmrig
behavioral2/memory/4668-2097-0x00007FF69EAD0000-0x00007FF69EEC1000-memory.dmp	xmrig
behavioral2/memory/1380-2089-0x00007FF681020000-0x00007FF681411000-memory.dmp	xmrig
behavioral2/memory/4164-2083-0x00007FF7B9A90000-0x00007FF7B9E81000-memory.dmp	xmrig
behavioral2/memory/4332-2079-0x00007FF72FCB0000-0x00007FF7300A1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1932	qbWulsX.exe
1916	TZzoMQb.exe
1636	JLzbznV.exe
3528	ZNEEUJY.exe
4944	FDZcXSv.exe
3712	FicOyoX.exe
2884	zDypkwj.exe
2296	IJyiXLd.exe
436	tytjGdZ.exe
5104	ALvcGja.exe
3288	RfyRcZk.exe
4036	hWoJros.exe
3828	PBqBsBf.exe
4828	ZyzcVRm.exe
2788	baVazGz.exe
1144	ofkkUDn.exe
2768	NdTtrsk.exe
3296	UkbgZlG.exe
4332	rHEubpQ.exe
4164	YhfhlFI.exe
1380	xQcSnwz.exe
2252	uqdEAMb.exe
4668	aQvTPGR.exe
2064	XyYEPQY.exe
2640	zBtKUHg.exe
1388	BUGoJDw.exe
3992	RLKinNl.exe
2288	TSleTnU.exe
2364	nxFtEMp.exe
2544	PiNvShJ.exe
5008	kVZvACM.exe
744	GHNRwWP.exe
2108	lWiVixd.exe
4236	ywojlks.exe
1460	sUhLCgJ.exe
3720	mqIRtZc.exe
1684	NHYKIkG.exe
1300	DtUTepl.exe
2532	QXlEMnr.exe
2944	EfMlJeP.exe
2380	mgOkgeP.exe
1228	IqkTQNo.exe
2648	bQAibQr.exe
2612	qylyfoJ.exe
4804	tWlFfyb.exe
3716	TWoyQbE.exe
3012	kFjudkt.exe
1812	kKLvDRc.exe
3724	KsMcvCH.exe
1208	eoNCmfC.exe
3452	lbvmjwF.exe
1224	WQNyZTW.exe
3836	bDHYrhU.exe
4448	NfTyyHB.exe
2424	JospqlK.exe
2472	hBGSpYO.exe
3952	fFlMvpO.exe
2436	RoCPJPE.exe
3924	cmcfwGe.exe
1800	YMijTow.exe
692	TuoDKOM.exe
1756	IWXwEUs.exe
4996	RhcbYIL.exe
5092	zwQQejU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3860-0-0x00007FF6A8530000-0x00007FF6A8921000-memory.dmp	upx
behavioral2/files/0x000700000002344c-7.dat	upx
behavioral2/files/0x000700000002344e-27.dat	upx
behavioral2/memory/4944-25-0x00007FF6E9100000-0x00007FF6E94F1000-memory.dmp	upx
behavioral2/files/0x0007000000023450-39.dat	upx
behavioral2/files/0x0007000000023452-48.dat	upx
behavioral2/files/0x0007000000023453-54.dat	upx
behavioral2/files/0x0007000000023454-61.dat	upx
behavioral2/files/0x0007000000023455-67.dat	upx
behavioral2/files/0x0007000000023458-82.dat	upx
behavioral2/files/0x000700000002345e-112.dat	upx
behavioral2/files/0x0007000000023460-125.dat	upx
behavioral2/files/0x0007000000023463-140.dat	upx
behavioral2/files/0x0007000000023468-162.dat	upx
behavioral2/memory/2884-310-0x00007FF7F3E00000-0x00007FF7F41F1000-memory.dmp	upx
behavioral2/memory/2296-311-0x00007FF6250C0000-0x00007FF6254B1000-memory.dmp	upx
behavioral2/memory/436-312-0x00007FF635FC0000-0x00007FF6363B1000-memory.dmp	upx
behavioral2/memory/5104-313-0x00007FF6DBA30000-0x00007FF6DBE21000-memory.dmp	upx
behavioral2/files/0x000700000002346a-168.dat	upx
behavioral2/files/0x0007000000023469-164.dat	upx
behavioral2/files/0x0007000000023467-157.dat	upx
behavioral2/files/0x0007000000023466-155.dat	upx
behavioral2/files/0x0007000000023465-150.dat	upx
behavioral2/files/0x0007000000023464-145.dat	upx
behavioral2/memory/3288-314-0x00007FF74CEF0000-0x00007FF74D2E1000-memory.dmp	upx
behavioral2/files/0x0007000000023462-135.dat	upx
behavioral2/files/0x0007000000023461-127.dat	upx
behavioral2/memory/4036-315-0x00007FF744D40000-0x00007FF745131000-memory.dmp	upx
behavioral2/memory/3828-316-0x00007FF7E3660000-0x00007FF7E3A51000-memory.dmp	upx
behavioral2/files/0x000700000002345f-120.dat	upx
behavioral2/files/0x000700000002345d-107.dat	upx
behavioral2/files/0x000700000002345c-105.dat	upx
behavioral2/files/0x000700000002345b-97.dat	upx
behavioral2/files/0x000700000002345a-95.dat	upx
behavioral2/memory/4828-321-0x00007FF643CA0000-0x00007FF644091000-memory.dmp	upx
behavioral2/memory/2788-324-0x00007FF6B4150000-0x00007FF6B4541000-memory.dmp	upx
behavioral2/memory/1144-329-0x00007FF7A9F70000-0x00007FF7AA361000-memory.dmp	upx
behavioral2/memory/2768-333-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp	upx
behavioral2/memory/3296-338-0x00007FF6D6E10000-0x00007FF6D7201000-memory.dmp	upx
behavioral2/files/0x0007000000023459-87.dat	upx
behavioral2/files/0x0007000000023457-77.dat	upx
behavioral2/memory/4332-345-0x00007FF72FCB0000-0x00007FF7300A1000-memory.dmp	upx
behavioral2/memory/4164-353-0x00007FF7B9A90000-0x00007FF7B9E81000-memory.dmp	upx
behavioral2/files/0x0007000000023456-75.dat	upx
behavioral2/files/0x0007000000023451-50.dat	upx
behavioral2/files/0x000700000002344f-37.dat	upx
behavioral2/memory/3712-36-0x00007FF6E6170000-0x00007FF6E6561000-memory.dmp	upx
behavioral2/memory/3528-30-0x00007FF6FDE60000-0x00007FF6FE251000-memory.dmp	upx
behavioral2/memory/1916-29-0x00007FF62B570000-0x00007FF62B961000-memory.dmp	upx
behavioral2/files/0x000700000002344d-24.dat	upx
behavioral2/memory/1636-22-0x00007FF603810000-0x00007FF603C01000-memory.dmp	upx
behavioral2/files/0x000800000002344b-19.dat	upx
behavioral2/files/0x00090000000233e8-11.dat	upx
behavioral2/memory/1932-16-0x00007FF68CC80000-0x00007FF68D071000-memory.dmp	upx
behavioral2/memory/1380-361-0x00007FF681020000-0x00007FF681411000-memory.dmp	upx
behavioral2/memory/2252-370-0x00007FF68FFD0000-0x00007FF6903C1000-memory.dmp	upx
behavioral2/memory/4668-372-0x00007FF69EAD0000-0x00007FF69EEC1000-memory.dmp	upx
behavioral2/memory/2064-383-0x00007FF6EED10000-0x00007FF6EF101000-memory.dmp	upx
behavioral2/memory/1636-1973-0x00007FF603810000-0x00007FF603C01000-memory.dmp	upx
behavioral2/memory/4944-1974-0x00007FF6E9100000-0x00007FF6E94F1000-memory.dmp	upx
behavioral2/memory/3712-2009-0x00007FF6E6170000-0x00007FF6E6561000-memory.dmp	upx
behavioral2/memory/3712-2051-0x00007FF6E6170000-0x00007FF6E6561000-memory.dmp	upx
behavioral2/memory/3288-2061-0x00007FF74CEF0000-0x00007FF74D2E1000-memory.dmp	upx
behavioral2/memory/5104-2063-0x00007FF6DBA30000-0x00007FF6DBE21000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\uqdEAMb.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\HHEqWRe.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\fLQgNES.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\LamuYAb.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\DWYwFUs.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\vbgDbZl.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\wKpIgTF.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\lIesjIb.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\jjtWEwK.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\EIUVkuP.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\YHvYPto.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\ClPKKzY.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\xlqoiAw.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\LYLxuiF.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\TQLPQwg.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\DPRFIyF.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\ufzeIel.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\VKMAtMk.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\evNLEXe.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\agkIzXQ.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\iUxHffk.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\vvqTutV.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\uBSgZFz.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\vhVOvZt.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\tlukrnk.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\afcLaLp.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\wRcvlkh.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\HaoxsvN.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\qbWulsX.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\kuFnbSb.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\YtMkpIh.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\xXhUCAk.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\nRdksVT.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\rYPrYKO.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\SNEoLcj.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\gqyXfPI.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\etVIKIS.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\NzSPKQk.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\ANzhfUt.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\nfgDVGa.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\aQvTPGR.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\XvWTWpg.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\rTCHiRL.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\EhnORnx.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\xQcSnwz.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\gChLISl.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\snQAgJP.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\zqhabYT.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\YsCUKON.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\cWYrPQm.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\PBqBsBf.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\GtSXdcy.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\yUNZmIN.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\cbQknaU.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\hCBnkuS.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\gmIJXTJ.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\RRMXEKG.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\vPsZuuU.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\ntfwiEu.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\WQqUqHw.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\mosXzIk.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\rDfYrSs.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\vdNFOxm.exe	c66b68b298373b70fb8f4385bb490190N.exe
File created	C:\Windows\System32\BZHznJq.exe	c66b68b298373b70fb8f4385bb490190N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12788	dwm.exe
Token: SeChangeNotifyPrivilege	12788	dwm.exe
Token: 33	12788	dwm.exe
Token: SeIncBasePriorityPrivilege	12788	dwm.exe
Token: SeShutdownPrivilege	12788	dwm.exe
Token: SeCreatePagefilePrivilege	12788	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 1932	3860	c66b68b298373b70fb8f4385bb490190N.exe	84
PID 3860 wrote to memory of 1932	3860	c66b68b298373b70fb8f4385bb490190N.exe	84
PID 3860 wrote to memory of 1916	3860	c66b68b298373b70fb8f4385bb490190N.exe	85
PID 3860 wrote to memory of 1916	3860	c66b68b298373b70fb8f4385bb490190N.exe	85
PID 3860 wrote to memory of 1636	3860	c66b68b298373b70fb8f4385bb490190N.exe	86
PID 3860 wrote to memory of 1636	3860	c66b68b298373b70fb8f4385bb490190N.exe	86
PID 3860 wrote to memory of 3528	3860	c66b68b298373b70fb8f4385bb490190N.exe	87
PID 3860 wrote to memory of 3528	3860	c66b68b298373b70fb8f4385bb490190N.exe	87
PID 3860 wrote to memory of 4944	3860	c66b68b298373b70fb8f4385bb490190N.exe	88
PID 3860 wrote to memory of 4944	3860	c66b68b298373b70fb8f4385bb490190N.exe	88
PID 3860 wrote to memory of 3712	3860	c66b68b298373b70fb8f4385bb490190N.exe	89
PID 3860 wrote to memory of 3712	3860	c66b68b298373b70fb8f4385bb490190N.exe	89
PID 3860 wrote to memory of 2884	3860	c66b68b298373b70fb8f4385bb490190N.exe	91
PID 3860 wrote to memory of 2884	3860	c66b68b298373b70fb8f4385bb490190N.exe	91
PID 3860 wrote to memory of 2296	3860	c66b68b298373b70fb8f4385bb490190N.exe	92
PID 3860 wrote to memory of 2296	3860	c66b68b298373b70fb8f4385bb490190N.exe	92
PID 3860 wrote to memory of 436	3860	c66b68b298373b70fb8f4385bb490190N.exe	93
PID 3860 wrote to memory of 436	3860	c66b68b298373b70fb8f4385bb490190N.exe	93
PID 3860 wrote to memory of 5104	3860	c66b68b298373b70fb8f4385bb490190N.exe	94
PID 3860 wrote to memory of 5104	3860	c66b68b298373b70fb8f4385bb490190N.exe	94
PID 3860 wrote to memory of 3288	3860	c66b68b298373b70fb8f4385bb490190N.exe	95
PID 3860 wrote to memory of 3288	3860	c66b68b298373b70fb8f4385bb490190N.exe	95
PID 3860 wrote to memory of 4036	3860	c66b68b298373b70fb8f4385bb490190N.exe	96
PID 3860 wrote to memory of 4036	3860	c66b68b298373b70fb8f4385bb490190N.exe	96
PID 3860 wrote to memory of 3828	3860	c66b68b298373b70fb8f4385bb490190N.exe	97
PID 3860 wrote to memory of 3828	3860	c66b68b298373b70fb8f4385bb490190N.exe	97
PID 3860 wrote to memory of 4828	3860	c66b68b298373b70fb8f4385bb490190N.exe	98
PID 3860 wrote to memory of 4828	3860	c66b68b298373b70fb8f4385bb490190N.exe	98
PID 3860 wrote to memory of 2788	3860	c66b68b298373b70fb8f4385bb490190N.exe	99
PID 3860 wrote to memory of 2788	3860	c66b68b298373b70fb8f4385bb490190N.exe	99
PID 3860 wrote to memory of 1144	3860	c66b68b298373b70fb8f4385bb490190N.exe	100
PID 3860 wrote to memory of 1144	3860	c66b68b298373b70fb8f4385bb490190N.exe	100
PID 3860 wrote to memory of 2768	3860	c66b68b298373b70fb8f4385bb490190N.exe	101
PID 3860 wrote to memory of 2768	3860	c66b68b298373b70fb8f4385bb490190N.exe	101
PID 3860 wrote to memory of 3296	3860	c66b68b298373b70fb8f4385bb490190N.exe	102
PID 3860 wrote to memory of 3296	3860	c66b68b298373b70fb8f4385bb490190N.exe	102
PID 3860 wrote to memory of 4332	3860	c66b68b298373b70fb8f4385bb490190N.exe	103
PID 3860 wrote to memory of 4332	3860	c66b68b298373b70fb8f4385bb490190N.exe	103
PID 3860 wrote to memory of 4164	3860	c66b68b298373b70fb8f4385bb490190N.exe	104
PID 3860 wrote to memory of 4164	3860	c66b68b298373b70fb8f4385bb490190N.exe	104
PID 3860 wrote to memory of 1380	3860	c66b68b298373b70fb8f4385bb490190N.exe	105
PID 3860 wrote to memory of 1380	3860	c66b68b298373b70fb8f4385bb490190N.exe	105
PID 3860 wrote to memory of 2252	3860	c66b68b298373b70fb8f4385bb490190N.exe	106
PID 3860 wrote to memory of 2252	3860	c66b68b298373b70fb8f4385bb490190N.exe	106
PID 3860 wrote to memory of 4668	3860	c66b68b298373b70fb8f4385bb490190N.exe	107
PID 3860 wrote to memory of 4668	3860	c66b68b298373b70fb8f4385bb490190N.exe	107
PID 3860 wrote to memory of 2064	3860	c66b68b298373b70fb8f4385bb490190N.exe	108
PID 3860 wrote to memory of 2064	3860	c66b68b298373b70fb8f4385bb490190N.exe	108
PID 3860 wrote to memory of 2640	3860	c66b68b298373b70fb8f4385bb490190N.exe	109
PID 3860 wrote to memory of 2640	3860	c66b68b298373b70fb8f4385bb490190N.exe	109
PID 3860 wrote to memory of 1388	3860	c66b68b298373b70fb8f4385bb490190N.exe	110
PID 3860 wrote to memory of 1388	3860	c66b68b298373b70fb8f4385bb490190N.exe	110
PID 3860 wrote to memory of 3992	3860	c66b68b298373b70fb8f4385bb490190N.exe	111
PID 3860 wrote to memory of 3992	3860	c66b68b298373b70fb8f4385bb490190N.exe	111
PID 3860 wrote to memory of 2288	3860	c66b68b298373b70fb8f4385bb490190N.exe	112
PID 3860 wrote to memory of 2288	3860	c66b68b298373b70fb8f4385bb490190N.exe	112
PID 3860 wrote to memory of 2364	3860	c66b68b298373b70fb8f4385bb490190N.exe	113
PID 3860 wrote to memory of 2364	3860	c66b68b298373b70fb8f4385bb490190N.exe	113
PID 3860 wrote to memory of 2544	3860	c66b68b298373b70fb8f4385bb490190N.exe	114
PID 3860 wrote to memory of 2544	3860	c66b68b298373b70fb8f4385bb490190N.exe	114
PID 3860 wrote to memory of 5008	3860	c66b68b298373b70fb8f4385bb490190N.exe	115
PID 3860 wrote to memory of 5008	3860	c66b68b298373b70fb8f4385bb490190N.exe	115
PID 3860 wrote to memory of 744	3860	c66b68b298373b70fb8f4385bb490190N.exe	116
PID 3860 wrote to memory of 744	3860	c66b68b298373b70fb8f4385bb490190N.exe	116

C:\Users\Admin\AppData\Local\Temp\c66b68b298373b70fb8f4385bb490190N.exe
"C:\Users\Admin\AppData\Local\Temp\c66b68b298373b70fb8f4385bb490190N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\System32\qbWulsX.exe
  C:\Windows\System32\qbWulsX.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\TZzoMQb.exe
  C:\Windows\System32\TZzoMQb.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\JLzbznV.exe
  C:\Windows\System32\JLzbznV.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\ZNEEUJY.exe
  C:\Windows\System32\ZNEEUJY.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System32\FDZcXSv.exe
  C:\Windows\System32\FDZcXSv.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\FicOyoX.exe
  C:\Windows\System32\FicOyoX.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System32\zDypkwj.exe
  C:\Windows\System32\zDypkwj.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System32\IJyiXLd.exe
  C:\Windows\System32\IJyiXLd.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\tytjGdZ.exe
  C:\Windows\System32\tytjGdZ.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\ALvcGja.exe
  C:\Windows\System32\ALvcGja.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System32\RfyRcZk.exe
  C:\Windows\System32\RfyRcZk.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System32\hWoJros.exe
  C:\Windows\System32\hWoJros.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System32\PBqBsBf.exe
  C:\Windows\System32\PBqBsBf.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\ZyzcVRm.exe
  C:\Windows\System32\ZyzcVRm.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\baVazGz.exe
  C:\Windows\System32\baVazGz.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\ofkkUDn.exe
  C:\Windows\System32\ofkkUDn.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System32\NdTtrsk.exe
  C:\Windows\System32\NdTtrsk.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System32\UkbgZlG.exe
  C:\Windows\System32\UkbgZlG.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System32\rHEubpQ.exe
  C:\Windows\System32\rHEubpQ.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\YhfhlFI.exe
  C:\Windows\System32\YhfhlFI.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System32\xQcSnwz.exe
  C:\Windows\System32\xQcSnwz.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\uqdEAMb.exe
  C:\Windows\System32\uqdEAMb.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System32\aQvTPGR.exe
  C:\Windows\System32\aQvTPGR.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\XyYEPQY.exe
  C:\Windows\System32\XyYEPQY.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System32\zBtKUHg.exe
  C:\Windows\System32\zBtKUHg.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System32\BUGoJDw.exe
  C:\Windows\System32\BUGoJDw.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System32\RLKinNl.exe
  C:\Windows\System32\RLKinNl.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System32\TSleTnU.exe
  C:\Windows\System32\TSleTnU.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\nxFtEMp.exe
  C:\Windows\System32\nxFtEMp.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System32\PiNvShJ.exe
  C:\Windows\System32\PiNvShJ.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System32\kVZvACM.exe
  C:\Windows\System32\kVZvACM.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\GHNRwWP.exe
  C:\Windows\System32\GHNRwWP.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\lWiVixd.exe
  C:\Windows\System32\lWiVixd.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\ywojlks.exe
  C:\Windows\System32\ywojlks.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\sUhLCgJ.exe
  C:\Windows\System32\sUhLCgJ.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System32\mqIRtZc.exe
  C:\Windows\System32\mqIRtZc.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\NHYKIkG.exe
  C:\Windows\System32\NHYKIkG.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System32\DtUTepl.exe
  C:\Windows\System32\DtUTepl.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System32\QXlEMnr.exe
  C:\Windows\System32\QXlEMnr.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\EfMlJeP.exe
  C:\Windows\System32\EfMlJeP.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System32\mgOkgeP.exe
  C:\Windows\System32\mgOkgeP.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System32\IqkTQNo.exe
  C:\Windows\System32\IqkTQNo.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System32\bQAibQr.exe
  C:\Windows\System32\bQAibQr.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\qylyfoJ.exe
  C:\Windows\System32\qylyfoJ.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System32\tWlFfyb.exe
  C:\Windows\System32\tWlFfyb.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\TWoyQbE.exe
  C:\Windows\System32\TWoyQbE.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System32\kFjudkt.exe
  C:\Windows\System32\kFjudkt.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System32\kKLvDRc.exe
  C:\Windows\System32\kKLvDRc.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\KsMcvCH.exe
  C:\Windows\System32\KsMcvCH.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System32\eoNCmfC.exe
  C:\Windows\System32\eoNCmfC.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System32\lbvmjwF.exe
  C:\Windows\System32\lbvmjwF.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System32\WQNyZTW.exe
  C:\Windows\System32\WQNyZTW.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System32\bDHYrhU.exe
  C:\Windows\System32\bDHYrhU.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System32\NfTyyHB.exe
  C:\Windows\System32\NfTyyHB.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\JospqlK.exe
  C:\Windows\System32\JospqlK.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System32\hBGSpYO.exe
  C:\Windows\System32\hBGSpYO.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\fFlMvpO.exe
  C:\Windows\System32\fFlMvpO.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\RoCPJPE.exe
  C:\Windows\System32\RoCPJPE.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\cmcfwGe.exe
  C:\Windows\System32\cmcfwGe.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\YMijTow.exe
  C:\Windows\System32\YMijTow.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\TuoDKOM.exe
  C:\Windows\System32\TuoDKOM.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System32\IWXwEUs.exe
  C:\Windows\System32\IWXwEUs.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\RhcbYIL.exe
  C:\Windows\System32\RhcbYIL.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System32\zwQQejU.exe
  C:\Windows\System32\zwQQejU.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\IXZqtJh.exe
  C:\Windows\System32\IXZqtJh.exe
  2⤵
  PID:4628
- C:\Windows\System32\DWbaTEp.exe
  C:\Windows\System32\DWbaTEp.exe
  2⤵
  PID:3604
- C:\Windows\System32\NJsWGIO.exe
  C:\Windows\System32\NJsWGIO.exe
  2⤵
  PID:1996
- C:\Windows\System32\BOPPEkC.exe
  C:\Windows\System32\BOPPEkC.exe
  2⤵
  PID:4700
- C:\Windows\System32\CCQZwIE.exe
  C:\Windows\System32\CCQZwIE.exe
  2⤵
  PID:2996
- C:\Windows\System32\YzMvrOl.exe
  C:\Windows\System32\YzMvrOl.exe
  2⤵
  PID:2192
- C:\Windows\System32\SivwlhE.exe
  C:\Windows\System32\SivwlhE.exe
  2⤵
  PID:4652
- C:\Windows\System32\YrBSuTc.exe
  C:\Windows\System32\YrBSuTc.exe
  2⤵
  PID:3616
- C:\Windows\System32\LTXJwTw.exe
  C:\Windows\System32\LTXJwTw.exe
  2⤵
  PID:860
- C:\Windows\System32\pFUSrVU.exe
  C:\Windows\System32\pFUSrVU.exe
  2⤵
  PID:3672
- C:\Windows\System32\pwImYph.exe
  C:\Windows\System32\pwImYph.exe
  2⤵
  PID:4608
- C:\Windows\System32\gNVwrGL.exe
  C:\Windows\System32\gNVwrGL.exe
  2⤵
  PID:3800
- C:\Windows\System32\kuFnbSb.exe
  C:\Windows\System32\kuFnbSb.exe
  2⤵
  PID:4904
- C:\Windows\System32\CWIueGI.exe
  C:\Windows\System32\CWIueGI.exe
  2⤵
  PID:1844
- C:\Windows\System32\BwSpirH.exe
  C:\Windows\System32\BwSpirH.exe
  2⤵
  PID:1068
- C:\Windows\System32\OdlNToj.exe
  C:\Windows\System32\OdlNToj.exe
  2⤵
  PID:3816
- C:\Windows\System32\nBXUytx.exe
  C:\Windows\System32\nBXUytx.exe
  2⤵
  PID:3304
- C:\Windows\System32\buOdpzt.exe
  C:\Windows\System32\buOdpzt.exe
  2⤵
  PID:1264
- C:\Windows\System32\rECqVBo.exe
  C:\Windows\System32\rECqVBo.exe
  2⤵
  PID:4328
- C:\Windows\System32\aolwFKg.exe
  C:\Windows\System32\aolwFKg.exe
  2⤵
  PID:3812
- C:\Windows\System32\UjVJQrc.exe
  C:\Windows\System32\UjVJQrc.exe
  2⤵
  PID:2308
- C:\Windows\System32\dvqMouI.exe
  C:\Windows\System32\dvqMouI.exe
  2⤵
  PID:5032
- C:\Windows\System32\vhVOvZt.exe
  C:\Windows\System32\vhVOvZt.exe
  2⤵
  PID:1524
- C:\Windows\System32\pIiTPxA.exe
  C:\Windows\System32\pIiTPxA.exe
  2⤵
  PID:4528
- C:\Windows\System32\GjEsNaI.exe
  C:\Windows\System32\GjEsNaI.exe
  2⤵
  PID:2176
- C:\Windows\System32\VvWLorY.exe
  C:\Windows\System32\VvWLorY.exe
  2⤵
  PID:2824
- C:\Windows\System32\qlcoqno.exe
  C:\Windows\System32\qlcoqno.exe
  2⤵
  PID:4416
- C:\Windows\System32\QGjoqmv.exe
  C:\Windows\System32\QGjoqmv.exe
  2⤵
  PID:1220
- C:\Windows\System32\eeyujdW.exe
  C:\Windows\System32\eeyujdW.exe
  2⤵
  PID:4348
- C:\Windows\System32\KILRGgA.exe
  C:\Windows\System32\KILRGgA.exe
  2⤵
  PID:4316
- C:\Windows\System32\tDHVuuO.exe
  C:\Windows\System32\tDHVuuO.exe
  2⤵
  PID:1548
- C:\Windows\System32\agkIzXQ.exe
  C:\Windows\System32\agkIzXQ.exe
  2⤵
  PID:4824
- C:\Windows\System32\tQglSAP.exe
  C:\Windows\System32\tQglSAP.exe
  2⤵
  PID:4276
- C:\Windows\System32\xQPmwsS.exe
  C:\Windows\System32\xQPmwsS.exe
  2⤵
  PID:2540
- C:\Windows\System32\bBZAlQv.exe
  C:\Windows\System32\bBZAlQv.exe
  2⤵
  PID:1584
- C:\Windows\System32\UpOEILi.exe
  C:\Windows\System32\UpOEILi.exe
  2⤵
  PID:644
- C:\Windows\System32\jjtWEwK.exe
  C:\Windows\System32\jjtWEwK.exe
  2⤵
  PID:1032
- C:\Windows\System32\QwHkqOz.exe
  C:\Windows\System32\QwHkqOz.exe
  2⤵
  PID:4616
- C:\Windows\System32\XXfBemF.exe
  C:\Windows\System32\XXfBemF.exe
  2⤵
  PID:2804
- C:\Windows\System32\rYPrYKO.exe
  C:\Windows\System32\rYPrYKO.exe
  2⤵
  PID:968
- C:\Windows\System32\IhApHoc.exe
  C:\Windows\System32\IhApHoc.exe
  2⤵
  PID:924
- C:\Windows\System32\OhSwHBB.exe
  C:\Windows\System32\OhSwHBB.exe
  2⤵
  PID:972
- C:\Windows\System32\suYDVty.exe
  C:\Windows\System32\suYDVty.exe
  2⤵
  PID:572
- C:\Windows\System32\FyvDkGu.exe
  C:\Windows\System32\FyvDkGu.exe
  2⤵
  PID:4272
- C:\Windows\System32\gBDgqWL.exe
  C:\Windows\System32\gBDgqWL.exe
  2⤵
  PID:312
- C:\Windows\System32\VTBOTWU.exe
  C:\Windows\System32\VTBOTWU.exe
  2⤵
  PID:5136
- C:\Windows\System32\HJbBDrc.exe
  C:\Windows\System32\HJbBDrc.exe
  2⤵
  PID:5152
- C:\Windows\System32\HdSWQMk.exe
  C:\Windows\System32\HdSWQMk.exe
  2⤵
  PID:5176
- C:\Windows\System32\KSiPdeQ.exe
  C:\Windows\System32\KSiPdeQ.exe
  2⤵
  PID:5240
- C:\Windows\System32\ntfwiEu.exe
  C:\Windows\System32\ntfwiEu.exe
  2⤵
  PID:5256
- C:\Windows\System32\ZfxkGkK.exe
  C:\Windows\System32\ZfxkGkK.exe
  2⤵
  PID:5272
- C:\Windows\System32\qVOeoHR.exe
  C:\Windows\System32\qVOeoHR.exe
  2⤵
  PID:5292
- C:\Windows\System32\XvWTWpg.exe
  C:\Windows\System32\XvWTWpg.exe
  2⤵
  PID:5308
- C:\Windows\System32\GtSXdcy.exe
  C:\Windows\System32\GtSXdcy.exe
  2⤵
  PID:5340
- C:\Windows\System32\ZRHvHhn.exe
  C:\Windows\System32\ZRHvHhn.exe
  2⤵
  PID:5356
- C:\Windows\System32\TOQLdNG.exe
  C:\Windows\System32\TOQLdNG.exe
  2⤵
  PID:5376
- C:\Windows\System32\ybYFJFL.exe
  C:\Windows\System32\ybYFJFL.exe
  2⤵
  PID:5416
- C:\Windows\System32\ndQpaJH.exe
  C:\Windows\System32\ndQpaJH.exe
  2⤵
  PID:5460
- C:\Windows\System32\RZzclhA.exe
  C:\Windows\System32\RZzclhA.exe
  2⤵
  PID:5480
- C:\Windows\System32\QElYkkY.exe
  C:\Windows\System32\QElYkkY.exe
  2⤵
  PID:5552
- C:\Windows\System32\ZSNOZLG.exe
  C:\Windows\System32\ZSNOZLG.exe
  2⤵
  PID:5572
- C:\Windows\System32\WQqUqHw.exe
  C:\Windows\System32\WQqUqHw.exe
  2⤵
  PID:5588
- C:\Windows\System32\YpwFtUM.exe
  C:\Windows\System32\YpwFtUM.exe
  2⤵
  PID:5612
- C:\Windows\System32\QGBazqT.exe
  C:\Windows\System32\QGBazqT.exe
  2⤵
  PID:5640
- C:\Windows\System32\CHyGwPL.exe
  C:\Windows\System32\CHyGwPL.exe
  2⤵
  PID:5672
- C:\Windows\System32\FJqGSsE.exe
  C:\Windows\System32\FJqGSsE.exe
  2⤵
  PID:5704
- C:\Windows\System32\HZIYVpJ.exe
  C:\Windows\System32\HZIYVpJ.exe
  2⤵
  PID:5752
- C:\Windows\System32\djMySNs.exe
  C:\Windows\System32\djMySNs.exe
  2⤵
  PID:5780
- C:\Windows\System32\BPShqna.exe
  C:\Windows\System32\BPShqna.exe
  2⤵
  PID:5808
- C:\Windows\System32\DUBQzpX.exe
  C:\Windows\System32\DUBQzpX.exe
  2⤵
  PID:5840
- C:\Windows\System32\KuiHvdD.exe
  C:\Windows\System32\KuiHvdD.exe
  2⤵
  PID:5856
- C:\Windows\System32\KmYshzA.exe
  C:\Windows\System32\KmYshzA.exe
  2⤵
  PID:5876
- C:\Windows\System32\JjFUwKj.exe
  C:\Windows\System32\JjFUwKj.exe
  2⤵
  PID:5904
- C:\Windows\System32\ZRUXAaI.exe
  C:\Windows\System32\ZRUXAaI.exe
  2⤵
  PID:5924
- C:\Windows\System32\QfhmeIv.exe
  C:\Windows\System32\QfhmeIv.exe
  2⤵
  PID:5964
- C:\Windows\System32\YsTzZFt.exe
  C:\Windows\System32\YsTzZFt.exe
  2⤵
  PID:5988
- C:\Windows\System32\rYDcxNk.exe
  C:\Windows\System32\rYDcxNk.exe
  2⤵
  PID:6008
- C:\Windows\System32\ojDFime.exe
  C:\Windows\System32\ojDFime.exe
  2⤵
  PID:6036
- C:\Windows\System32\SCddkZV.exe
  C:\Windows\System32\SCddkZV.exe
  2⤵
  PID:6052
- C:\Windows\System32\zJmwush.exe
  C:\Windows\System32\zJmwush.exe
  2⤵
  PID:6080
- C:\Windows\System32\yJLXnwe.exe
  C:\Windows\System32\yJLXnwe.exe
  2⤵
  PID:6096
- C:\Windows\System32\jRUxBwZ.exe
  C:\Windows\System32\jRUxBwZ.exe
  2⤵
  PID:6120
- C:\Windows\System32\CifmMZC.exe
  C:\Windows\System32\CifmMZC.exe
  2⤵
  PID:6140
- C:\Windows\System32\cLwlbOm.exe
  C:\Windows\System32\cLwlbOm.exe
  2⤵
  PID:5148
- C:\Windows\System32\gPdQhRC.exe
  C:\Windows\System32\gPdQhRC.exe
  2⤵
  PID:5192
- C:\Windows\System32\cYkFqOt.exe
  C:\Windows\System32\cYkFqOt.exe
  2⤵
  PID:5300
- C:\Windows\System32\YZVGxFY.exe
  C:\Windows\System32\YZVGxFY.exe
  2⤵
  PID:5388
- C:\Windows\System32\ufzeIel.exe
  C:\Windows\System32\ufzeIel.exe
  2⤵
  PID:5372
- C:\Windows\System32\JJPjlin.exe
  C:\Windows\System32\JJPjlin.exe
  2⤵
  PID:5636
- C:\Windows\System32\YAzsXaG.exe
  C:\Windows\System32\YAzsXaG.exe
  2⤵
  PID:5604
- C:\Windows\System32\YtMkpIh.exe
  C:\Windows\System32\YtMkpIh.exe
  2⤵
  PID:5668
- C:\Windows\System32\omiYMKF.exe
  C:\Windows\System32\omiYMKF.exe
  2⤵
  PID:5696
- C:\Windows\System32\zwfDmmk.exe
  C:\Windows\System32\zwfDmmk.exe
  2⤵
  PID:5768
- C:\Windows\System32\NxzQJJt.exe
  C:\Windows\System32\NxzQJJt.exe
  2⤵
  PID:5800
- C:\Windows\System32\CNVoWFw.exe
  C:\Windows\System32\CNVoWFw.exe
  2⤵
  PID:5888
- C:\Windows\System32\IzfmSzK.exe
  C:\Windows\System32\IzfmSzK.exe
  2⤵
  PID:5940
- C:\Windows\System32\eWDOoVx.exe
  C:\Windows\System32\eWDOoVx.exe
  2⤵
  PID:6016
- C:\Windows\System32\juygIgi.exe
  C:\Windows\System32\juygIgi.exe
  2⤵
  PID:6136
- C:\Windows\System32\BghXJlK.exe
  C:\Windows\System32\BghXJlK.exe
  2⤵
  PID:2752
- C:\Windows\System32\KEhztSn.exe
  C:\Windows\System32\KEhztSn.exe
  2⤵
  PID:5208
- C:\Windows\System32\zxZtTgC.exe
  C:\Windows\System32\zxZtTgC.exe
  2⤵
  PID:5280
- C:\Windows\System32\lbrqFMl.exe
  C:\Windows\System32\lbrqFMl.exe
  2⤵
  PID:5456
- C:\Windows\System32\fuKqJCe.exe
  C:\Windows\System32\fuKqJCe.exe
  2⤵
  PID:5648
- C:\Windows\System32\cSwfnyf.exe
  C:\Windows\System32\cSwfnyf.exe
  2⤵
  PID:5848
- C:\Windows\System32\umXyQMZ.exe
  C:\Windows\System32\umXyQMZ.exe
  2⤵
  PID:5900
- C:\Windows\System32\SNEoLcj.exe
  C:\Windows\System32\SNEoLcj.exe
  2⤵
  PID:6108
- C:\Windows\System32\EhWCtCL.exe
  C:\Windows\System32\EhWCtCL.exe
  2⤵
  PID:5160
- C:\Windows\System32\dxqcHqi.exe
  C:\Windows\System32\dxqcHqi.exe
  2⤵
  PID:6064
- C:\Windows\System32\CawfMxV.exe
  C:\Windows\System32\CawfMxV.exe
  2⤵
  PID:5508
- C:\Windows\System32\Xnszzyw.exe
  C:\Windows\System32\Xnszzyw.exe
  2⤵
  PID:6092
- C:\Windows\System32\ClsRoAC.exe
  C:\Windows\System32\ClsRoAC.exe
  2⤵
  PID:6160
- C:\Windows\System32\phVUleM.exe
  C:\Windows\System32\phVUleM.exe
  2⤵
  PID:6176
- C:\Windows\System32\aEyohXU.exe
  C:\Windows\System32\aEyohXU.exe
  2⤵
  PID:6228
- C:\Windows\System32\HHEqWRe.exe
  C:\Windows\System32\HHEqWRe.exe
  2⤵
  PID:6276
- C:\Windows\System32\zgFEIvJ.exe
  C:\Windows\System32\zgFEIvJ.exe
  2⤵
  PID:6300
- C:\Windows\System32\DJzDdND.exe
  C:\Windows\System32\DJzDdND.exe
  2⤵
  PID:6328
- C:\Windows\System32\VYPUSxt.exe
  C:\Windows\System32\VYPUSxt.exe
  2⤵
  PID:6344
- C:\Windows\System32\vgWXGef.exe
  C:\Windows\System32\vgWXGef.exe
  2⤵
  PID:6388
- C:\Windows\System32\WVjcGmA.exe
  C:\Windows\System32\WVjcGmA.exe
  2⤵
  PID:6412
- C:\Windows\System32\eoEjKyQ.exe
  C:\Windows\System32\eoEjKyQ.exe
  2⤵
  PID:6436
- C:\Windows\System32\BklqRCD.exe
  C:\Windows\System32\BklqRCD.exe
  2⤵
  PID:6468
- C:\Windows\System32\eLqVTOc.exe
  C:\Windows\System32\eLqVTOc.exe
  2⤵
  PID:6496
- C:\Windows\System32\BlREjMH.exe
  C:\Windows\System32\BlREjMH.exe
  2⤵
  PID:6512
- C:\Windows\System32\VotijxM.exe
  C:\Windows\System32\VotijxM.exe
  2⤵
  PID:6532
- C:\Windows\System32\hcdAZHs.exe
  C:\Windows\System32\hcdAZHs.exe
  2⤵
  PID:6548
- C:\Windows\System32\RBqxGNb.exe
  C:\Windows\System32\RBqxGNb.exe
  2⤵
  PID:6568
- C:\Windows\System32\oFqgIZR.exe
  C:\Windows\System32\oFqgIZR.exe
  2⤵
  PID:6596
- C:\Windows\System32\kGlnkEs.exe
  C:\Windows\System32\kGlnkEs.exe
  2⤵
  PID:6612
- C:\Windows\System32\Evkbxbg.exe
  C:\Windows\System32\Evkbxbg.exe
  2⤵
  PID:6632
- C:\Windows\System32\VKMAtMk.exe
  C:\Windows\System32\VKMAtMk.exe
  2⤵
  PID:6648
- C:\Windows\System32\PvUwxpg.exe
  C:\Windows\System32\PvUwxpg.exe
  2⤵
  PID:6676
- C:\Windows\System32\WkOKVbM.exe
  C:\Windows\System32\WkOKVbM.exe
  2⤵
  PID:6708
- C:\Windows\System32\yhEjcEd.exe
  C:\Windows\System32\yhEjcEd.exe
  2⤵
  PID:6728
- C:\Windows\System32\qggCkaI.exe
  C:\Windows\System32\qggCkaI.exe
  2⤵
  PID:6776
- C:\Windows\System32\aNNvglF.exe
  C:\Windows\System32\aNNvglF.exe
  2⤵
  PID:6828
- C:\Windows\System32\yjxSsKk.exe
  C:\Windows\System32\yjxSsKk.exe
  2⤵
  PID:6852
- C:\Windows\System32\zAZnWrV.exe
  C:\Windows\System32\zAZnWrV.exe
  2⤵
  PID:6868
- C:\Windows\System32\SybyufY.exe
  C:\Windows\System32\SybyufY.exe
  2⤵
  PID:6904
- C:\Windows\System32\FjtETzf.exe
  C:\Windows\System32\FjtETzf.exe
  2⤵
  PID:6920
- C:\Windows\System32\rTCHiRL.exe
  C:\Windows\System32\rTCHiRL.exe
  2⤵
  PID:6940
- C:\Windows\System32\PskcTJW.exe
  C:\Windows\System32\PskcTJW.exe
  2⤵
  PID:6964
- C:\Windows\System32\CjqkLyP.exe
  C:\Windows\System32\CjqkLyP.exe
  2⤵
  PID:6980
- C:\Windows\System32\UIkxvsy.exe
  C:\Windows\System32\UIkxvsy.exe
  2⤵
  PID:7004
- C:\Windows\System32\muOxlBY.exe
  C:\Windows\System32\muOxlBY.exe
  2⤵
  PID:7032
- C:\Windows\System32\QUOYbgF.exe
  C:\Windows\System32\QUOYbgF.exe
  2⤵
  PID:7060
- C:\Windows\System32\WaxzJAa.exe
  C:\Windows\System32\WaxzJAa.exe
  2⤵
  PID:7080
- C:\Windows\System32\fPjsOwZ.exe
  C:\Windows\System32\fPjsOwZ.exe
  2⤵
  PID:7108
- C:\Windows\System32\aJMijCY.exe
  C:\Windows\System32\aJMijCY.exe
  2⤵
  PID:7136
- C:\Windows\System32\rxQJved.exe
  C:\Windows\System32\rxQJved.exe
  2⤵
  PID:7156
- C:\Windows\System32\LkKqqLY.exe
  C:\Windows\System32\LkKqqLY.exe
  2⤵
  PID:5716
- C:\Windows\System32\xRCGNra.exe
  C:\Windows\System32\xRCGNra.exe
  2⤵
  PID:6244
- C:\Windows\System32\BwTPkCf.exe
  C:\Windows\System32\BwTPkCf.exe
  2⤵
  PID:6288
- C:\Windows\System32\YuEjydU.exe
  C:\Windows\System32\YuEjydU.exe
  2⤵
  PID:6420
- C:\Windows\System32\dbCQLtJ.exe
  C:\Windows\System32\dbCQLtJ.exe
  2⤵
  PID:6524
- C:\Windows\System32\QagrBZm.exe
  C:\Windows\System32\QagrBZm.exe
  2⤵
  PID:6564
- C:\Windows\System32\tajIMIG.exe
  C:\Windows\System32\tajIMIG.exe
  2⤵
  PID:6688
- C:\Windows\System32\PkLWZjr.exe
  C:\Windows\System32\PkLWZjr.exe
  2⤵
  PID:6684
- C:\Windows\System32\PqDgOnW.exe
  C:\Windows\System32\PqDgOnW.exe
  2⤵
  PID:6720
- C:\Windows\System32\wvBPsNg.exe
  C:\Windows\System32\wvBPsNg.exe
  2⤵
  PID:6876
- C:\Windows\System32\UYpahLR.exe
  C:\Windows\System32\UYpahLR.exe
  2⤵
  PID:6844
- C:\Windows\System32\CPAnUgJ.exe
  C:\Windows\System32\CPAnUgJ.exe
  2⤵
  PID:6972
- C:\Windows\System32\uJsgPEO.exe
  C:\Windows\System32\uJsgPEO.exe
  2⤵
  PID:6996
- C:\Windows\System32\EtMhAVa.exe
  C:\Windows\System32\EtMhAVa.exe
  2⤵
  PID:7044
- C:\Windows\System32\gqyXfPI.exe
  C:\Windows\System32\gqyXfPI.exe
  2⤵
  PID:7056
- C:\Windows\System32\mosXzIk.exe
  C:\Windows\System32\mosXzIk.exe
  2⤵
  PID:6424
- C:\Windows\System32\qVsolXp.exe
  C:\Windows\System32\qVsolXp.exe
  2⤵
  PID:6584
- C:\Windows\System32\nliNjfJ.exe
  C:\Windows\System32\nliNjfJ.exe
  2⤵
  PID:6724
- C:\Windows\System32\fxBibJs.exe
  C:\Windows\System32\fxBibJs.exe
  2⤵
  PID:6640
- C:\Windows\System32\UqzEDKp.exe
  C:\Windows\System32\UqzEDKp.exe
  2⤵
  PID:6896
- C:\Windows\System32\gMVLmjS.exe
  C:\Windows\System32\gMVLmjS.exe
  2⤵
  PID:6604
- C:\Windows\System32\SGcEMXR.exe
  C:\Windows\System32\SGcEMXR.exe
  2⤵
  PID:6196
- C:\Windows\System32\sndGVfl.exe
  C:\Windows\System32\sndGVfl.exe
  2⤵
  PID:7188
- C:\Windows\System32\ihpfmNf.exe
  C:\Windows\System32\ihpfmNf.exe
  2⤵
  PID:7204
- C:\Windows\System32\VbYVOHi.exe
  C:\Windows\System32\VbYVOHi.exe
  2⤵
  PID:7228
- C:\Windows\System32\KkSKTmL.exe
  C:\Windows\System32\KkSKTmL.exe
  2⤵
  PID:7244
- C:\Windows\System32\RjWVqgR.exe
  C:\Windows\System32\RjWVqgR.exe
  2⤵
  PID:7260
- C:\Windows\System32\fRyYQOz.exe
  C:\Windows\System32\fRyYQOz.exe
  2⤵
  PID:7284
- C:\Windows\System32\VGthqOQ.exe
  C:\Windows\System32\VGthqOQ.exe
  2⤵
  PID:7300
- C:\Windows\System32\SrtEays.exe
  C:\Windows\System32\SrtEays.exe
  2⤵
  PID:7328
- C:\Windows\System32\LqOVxho.exe
  C:\Windows\System32\LqOVxho.exe
  2⤵
  PID:7344
- C:\Windows\System32\pKgBtRb.exe
  C:\Windows\System32\pKgBtRb.exe
  2⤵
  PID:7360
- C:\Windows\System32\ISoVhuy.exe
  C:\Windows\System32\ISoVhuy.exe
  2⤵
  PID:7384
- C:\Windows\System32\HdkPbdQ.exe
  C:\Windows\System32\HdkPbdQ.exe
  2⤵
  PID:7408
- C:\Windows\System32\sksFaea.exe
  C:\Windows\System32\sksFaea.exe
  2⤵
  PID:7504
- C:\Windows\System32\YlCAMBO.exe
  C:\Windows\System32\YlCAMBO.exe
  2⤵
  PID:7540
- C:\Windows\System32\gCeppzd.exe
  C:\Windows\System32\gCeppzd.exe
  2⤵
  PID:7580
- C:\Windows\System32\ywKOwzz.exe
  C:\Windows\System32\ywKOwzz.exe
  2⤵
  PID:7608
- C:\Windows\System32\RIKIMQD.exe
  C:\Windows\System32\RIKIMQD.exe
  2⤵
  PID:7624
- C:\Windows\System32\wDdoEAM.exe
  C:\Windows\System32\wDdoEAM.exe
  2⤵
  PID:7640
- C:\Windows\System32\UVvzMIC.exe
  C:\Windows\System32\UVvzMIC.exe
  2⤵
  PID:7668
- C:\Windows\System32\rsAwFAB.exe
  C:\Windows\System32\rsAwFAB.exe
  2⤵
  PID:7708
- C:\Windows\System32\xoxSVCZ.exe
  C:\Windows\System32\xoxSVCZ.exe
  2⤵
  PID:7728
- C:\Windows\System32\jCrBMtg.exe
  C:\Windows\System32\jCrBMtg.exe
  2⤵
  PID:7760
- C:\Windows\System32\oMBeFYZ.exe
  C:\Windows\System32\oMBeFYZ.exe
  2⤵
  PID:7784
- C:\Windows\System32\SSarcVt.exe
  C:\Windows\System32\SSarcVt.exe
  2⤵
  PID:7808
- C:\Windows\System32\iUxHffk.exe
  C:\Windows\System32\iUxHffk.exe
  2⤵
  PID:7828
- C:\Windows\System32\WVUMZym.exe
  C:\Windows\System32\WVUMZym.exe
  2⤵
  PID:7864
- C:\Windows\System32\RYUAQUA.exe
  C:\Windows\System32\RYUAQUA.exe
  2⤵
  PID:7892
- C:\Windows\System32\yHWobEP.exe
  C:\Windows\System32\yHWobEP.exe
  2⤵
  PID:7924
- C:\Windows\System32\wthmQyS.exe
  C:\Windows\System32\wthmQyS.exe
  2⤵
  PID:7952
- C:\Windows\System32\REmLaNr.exe
  C:\Windows\System32\REmLaNr.exe
  2⤵
  PID:7972
- C:\Windows\System32\RJqEQgi.exe
  C:\Windows\System32\RJqEQgi.exe
  2⤵
  PID:7988
- C:\Windows\System32\EIUVkuP.exe
  C:\Windows\System32\EIUVkuP.exe
  2⤵
  PID:8016
- C:\Windows\System32\jZDHEEX.exe
  C:\Windows\System32\jZDHEEX.exe
  2⤵
  PID:8052
- C:\Windows\System32\yJwGSYZ.exe
  C:\Windows\System32\yJwGSYZ.exe
  2⤵
  PID:8076
- C:\Windows\System32\YHvYPto.exe
  C:\Windows\System32\YHvYPto.exe
  2⤵
  PID:8096
- C:\Windows\System32\SVJmVyv.exe
  C:\Windows\System32\SVJmVyv.exe
  2⤵
  PID:8112
- C:\Windows\System32\uNxpYAo.exe
  C:\Windows\System32\uNxpYAo.exe
  2⤵
  PID:8132
- C:\Windows\System32\WnFxoGw.exe
  C:\Windows\System32\WnFxoGw.exe
  2⤵
  PID:8152
- C:\Windows\System32\PQxweJl.exe
  C:\Windows\System32\PQxweJl.exe
  2⤵
  PID:8172
- C:\Windows\System32\qsXURTl.exe
  C:\Windows\System32\qsXURTl.exe
  2⤵
  PID:8188
- C:\Windows\System32\xXhUCAk.exe
  C:\Windows\System32\xXhUCAk.exe
  2⤵
  PID:7200
- C:\Windows\System32\UULwZUO.exe
  C:\Windows\System32\UULwZUO.exe
  2⤵
  PID:7312
- C:\Windows\System32\WsiQQCH.exe
  C:\Windows\System32\WsiQQCH.exe
  2⤵
  PID:7416
- C:\Windows\System32\twwXbDU.exe
  C:\Windows\System32\twwXbDU.exe
  2⤵
  PID:7536
- C:\Windows\System32\Zzzjwqm.exe
  C:\Windows\System32\Zzzjwqm.exe
  2⤵
  PID:7604
- C:\Windows\System32\vvqTutV.exe
  C:\Windows\System32\vvqTutV.exe
  2⤵
  PID:7692
- C:\Windows\System32\cUQTKIw.exe
  C:\Windows\System32\cUQTKIw.exe
  2⤵
  PID:7820
- C:\Windows\System32\qmDFgKF.exe
  C:\Windows\System32\qmDFgKF.exe
  2⤵
  PID:7844
- C:\Windows\System32\etVIKIS.exe
  C:\Windows\System32\etVIKIS.exe
  2⤵
  PID:7904
- C:\Windows\System32\geePtvA.exe
  C:\Windows\System32\geePtvA.exe
  2⤵
  PID:7980
- C:\Windows\System32\GjdYGju.exe
  C:\Windows\System32\GjdYGju.exe
  2⤵
  PID:7968
- C:\Windows\System32\mIOvojP.exe
  C:\Windows\System32\mIOvojP.exe
  2⤵
  PID:8028
- C:\Windows\System32\CmKZYfB.exe
  C:\Windows\System32\CmKZYfB.exe
  2⤵
  PID:8128
- C:\Windows\System32\yUNZmIN.exe
  C:\Windows\System32\yUNZmIN.exe
  2⤵
  PID:7184
- C:\Windows\System32\zilDmvc.exe
  C:\Windows\System32\zilDmvc.exe
  2⤵
  PID:8164
- C:\Windows\System32\pbyhAxU.exe
  C:\Windows\System32\pbyhAxU.exe
  2⤵
  PID:7404
- C:\Windows\System32\TcXgUqL.exe
  C:\Windows\System32\TcXgUqL.exe
  2⤵
  PID:7736
- C:\Windows\System32\ypWfbLD.exe
  C:\Windows\System32\ypWfbLD.exe
  2⤵
  PID:7876
- C:\Windows\System32\jCSvUJZ.exe
  C:\Windows\System32\jCSvUJZ.exe
  2⤵
  PID:8012
- C:\Windows\System32\rDfYrSs.exe
  C:\Windows\System32\rDfYrSs.exe
  2⤵
  PID:7984
- C:\Windows\System32\NuRruEr.exe
  C:\Windows\System32\NuRruEr.exe
  2⤵
  PID:7352
- C:\Windows\System32\uBtyEtz.exe
  C:\Windows\System32\uBtyEtz.exe
  2⤵
  PID:7436
- C:\Windows\System32\FzpUmlq.exe
  C:\Windows\System32\FzpUmlq.exe
  2⤵
  PID:7656
- C:\Windows\System32\yFcMjUh.exe
  C:\Windows\System32\yFcMjUh.exe
  2⤵
  PID:8204
- C:\Windows\System32\spuNsrH.exe
  C:\Windows\System32\spuNsrH.exe
  2⤵
  PID:8224
- C:\Windows\System32\EJtHdzH.exe
  C:\Windows\System32\EJtHdzH.exe
  2⤵
  PID:8248
- C:\Windows\System32\nWVfPrk.exe
  C:\Windows\System32\nWVfPrk.exe
  2⤵
  PID:8264
- C:\Windows\System32\WYlDfOv.exe
  C:\Windows\System32\WYlDfOv.exe
  2⤵
  PID:8284
- C:\Windows\System32\zvHpPCD.exe
  C:\Windows\System32\zvHpPCD.exe
  2⤵
  PID:8304
- C:\Windows\System32\HaoxsvN.exe
  C:\Windows\System32\HaoxsvN.exe
  2⤵
  PID:8324
- C:\Windows\System32\xfNojyf.exe
  C:\Windows\System32\xfNojyf.exe
  2⤵
  PID:8392
- C:\Windows\System32\MLMiJBE.exe
  C:\Windows\System32\MLMiJBE.exe
  2⤵
  PID:8412
- C:\Windows\System32\wZybuyA.exe
  C:\Windows\System32\wZybuyA.exe
  2⤵
  PID:8432
- C:\Windows\System32\fLQgNES.exe
  C:\Windows\System32\fLQgNES.exe
  2⤵
  PID:8456
- C:\Windows\System32\hzyfCkQ.exe
  C:\Windows\System32\hzyfCkQ.exe
  2⤵
  PID:8476
- C:\Windows\System32\AQTmipS.exe
  C:\Windows\System32\AQTmipS.exe
  2⤵
  PID:8560
- C:\Windows\System32\UqLGTum.exe
  C:\Windows\System32\UqLGTum.exe
  2⤵
  PID:8588
- C:\Windows\System32\gChLISl.exe
  C:\Windows\System32\gChLISl.exe
  2⤵
  PID:8604
- C:\Windows\System32\oPyTLbD.exe
  C:\Windows\System32\oPyTLbD.exe
  2⤵
  PID:8648
- C:\Windows\System32\VITLFRV.exe
  C:\Windows\System32\VITLFRV.exe
  2⤵
  PID:8688
- C:\Windows\System32\STobbFY.exe
  C:\Windows\System32\STobbFY.exe
  2⤵
  PID:8716
- C:\Windows\System32\VHXrEPh.exe
  C:\Windows\System32\VHXrEPh.exe
  2⤵
  PID:8768
- C:\Windows\System32\LamuYAb.exe
  C:\Windows\System32\LamuYAb.exe
  2⤵
  PID:8788
- C:\Windows\System32\TjPoIBo.exe
  C:\Windows\System32\TjPoIBo.exe
  2⤵
  PID:8812
- C:\Windows\System32\VnjliTM.exe
  C:\Windows\System32\VnjliTM.exe
  2⤵
  PID:8832
- C:\Windows\System32\pxTodUL.exe
  C:\Windows\System32\pxTodUL.exe
  2⤵
  PID:8848
- C:\Windows\System32\lPKmorr.exe
  C:\Windows\System32\lPKmorr.exe
  2⤵
  PID:8876
- C:\Windows\System32\qXwRwRD.exe
  C:\Windows\System32\qXwRwRD.exe
  2⤵
  PID:8892
- C:\Windows\System32\HoREXxH.exe
  C:\Windows\System32\HoREXxH.exe
  2⤵
  PID:8916
- C:\Windows\System32\XLYPbzb.exe
  C:\Windows\System32\XLYPbzb.exe
  2⤵
  PID:8944
- C:\Windows\System32\IcooCQf.exe
  C:\Windows\System32\IcooCQf.exe
  2⤵
  PID:8980
- C:\Windows\System32\SOzJbkj.exe
  C:\Windows\System32\SOzJbkj.exe
  2⤵
  PID:9028
- C:\Windows\System32\NBhgHYV.exe
  C:\Windows\System32\NBhgHYV.exe
  2⤵
  PID:9068
- C:\Windows\System32\snQAgJP.exe
  C:\Windows\System32\snQAgJP.exe
  2⤵
  PID:9100
- C:\Windows\System32\DWYwFUs.exe
  C:\Windows\System32\DWYwFUs.exe
  2⤵
  PID:9140
- C:\Windows\System32\NAeZlMJ.exe
  C:\Windows\System32\NAeZlMJ.exe
  2⤵
  PID:9160
- C:\Windows\System32\bXYkhcr.exe
  C:\Windows\System32\bXYkhcr.exe
  2⤵
  PID:9188
- C:\Windows\System32\sJHSUXl.exe
  C:\Windows\System32\sJHSUXl.exe
  2⤵
  PID:9212
- C:\Windows\System32\SuMpVxv.exe
  C:\Windows\System32\SuMpVxv.exe
  2⤵
  PID:8108
- C:\Windows\System32\zqOopVP.exe
  C:\Windows\System32\zqOopVP.exe
  2⤵
  PID:8212
- C:\Windows\System32\RZsYPgN.exe
  C:\Windows\System32\RZsYPgN.exe
  2⤵
  PID:8276
- C:\Windows\System32\pGFmUNW.exe
  C:\Windows\System32\pGFmUNW.exe
  2⤵
  PID:8352
- C:\Windows\System32\GMMAydw.exe
  C:\Windows\System32\GMMAydw.exe
  2⤵
  PID:8236
- C:\Windows\System32\XYdQXNK.exe
  C:\Windows\System32\XYdQXNK.exe
  2⤵
  PID:8424
- C:\Windows\System32\nBkqGAM.exe
  C:\Windows\System32\nBkqGAM.exe
  2⤵
  PID:8516
- C:\Windows\System32\ztMHTpU.exe
  C:\Windows\System32\ztMHTpU.exe
  2⤵
  PID:8532
- C:\Windows\System32\KAzOwPZ.exe
  C:\Windows\System32\KAzOwPZ.exe
  2⤵
  PID:8580
- C:\Windows\System32\jQrIkIo.exe
  C:\Windows\System32\jQrIkIo.exe
  2⤵
  PID:8660
- C:\Windows\System32\ZIdFliq.exe
  C:\Windows\System32\ZIdFliq.exe
  2⤵
  PID:8704
- C:\Windows\System32\STeUTGZ.exe
  C:\Windows\System32\STeUTGZ.exe
  2⤵
  PID:8780
- C:\Windows\System32\dqBYCaZ.exe
  C:\Windows\System32\dqBYCaZ.exe
  2⤵
  PID:8808
- C:\Windows\System32\nupljGx.exe
  C:\Windows\System32\nupljGx.exe
  2⤵
  PID:8840
- C:\Windows\System32\zozxmGi.exe
  C:\Windows\System32\zozxmGi.exe
  2⤵
  PID:8968
- C:\Windows\System32\kuEUhyF.exe
  C:\Windows\System32\kuEUhyF.exe
  2⤵
  PID:9104
- C:\Windows\System32\aHoBDEh.exe
  C:\Windows\System32\aHoBDEh.exe
  2⤵
  PID:9184
- C:\Windows\System32\wxwwuSK.exe
  C:\Windows\System32\wxwwuSK.exe
  2⤵
  PID:8256
- C:\Windows\System32\XOSuILa.exe
  C:\Windows\System32\XOSuILa.exe
  2⤵
  PID:8844
- C:\Windows\System32\rtkoOqT.exe
  C:\Windows\System32\rtkoOqT.exe
  2⤵
  PID:8992
- C:\Windows\System32\TsVEKuX.exe
  C:\Windows\System32\TsVEKuX.exe
  2⤵
  PID:9132
- C:\Windows\System32\dXnUUgu.exe
  C:\Windows\System32\dXnUUgu.exe
  2⤵
  PID:8724
- C:\Windows\System32\dSSGrDx.exe
  C:\Windows\System32\dSSGrDx.exe
  2⤵
  PID:8472
- C:\Windows\System32\pvnKmqr.exe
  C:\Windows\System32\pvnKmqr.exe
  2⤵
  PID:8180
- C:\Windows\System32\EUazJzY.exe
  C:\Windows\System32\EUazJzY.exe
  2⤵
  PID:8512
- C:\Windows\System32\nWWvJLP.exe
  C:\Windows\System32\nWWvJLP.exe
  2⤵
  PID:8240
- C:\Windows\System32\cxVLSva.exe
  C:\Windows\System32\cxVLSva.exe
  2⤵
  PID:8004
- C:\Windows\System32\lNPNrGR.exe
  C:\Windows\System32\lNPNrGR.exe
  2⤵
  PID:8700
- C:\Windows\System32\whNICLY.exe
  C:\Windows\System32\whNICLY.exe
  2⤵
  PID:9244
- C:\Windows\System32\ApQjjYZ.exe
  C:\Windows\System32\ApQjjYZ.exe
  2⤵
  PID:9276
- C:\Windows\System32\oroUaHQ.exe
  C:\Windows\System32\oroUaHQ.exe
  2⤵
  PID:9300
- C:\Windows\System32\cbQknaU.exe
  C:\Windows\System32\cbQknaU.exe
  2⤵
  PID:9328
- C:\Windows\System32\RNAWBUF.exe
  C:\Windows\System32\RNAWBUF.exe
  2⤵
  PID:9356
- C:\Windows\System32\OaNBysm.exe
  C:\Windows\System32\OaNBysm.exe
  2⤵
  PID:9380
- C:\Windows\System32\fAfLVrf.exe
  C:\Windows\System32\fAfLVrf.exe
  2⤵
  PID:9400
- C:\Windows\System32\YTvTHVb.exe
  C:\Windows\System32\YTvTHVb.exe
  2⤵
  PID:9424
- C:\Windows\System32\LOYRbSD.exe
  C:\Windows\System32\LOYRbSD.exe
  2⤵
  PID:9440
- C:\Windows\System32\sdmiYPa.exe
  C:\Windows\System32\sdmiYPa.exe
  2⤵
  PID:9464
- C:\Windows\System32\wBfZSEf.exe
  C:\Windows\System32\wBfZSEf.exe
  2⤵
  PID:9484
- C:\Windows\System32\LInlpCu.exe
  C:\Windows\System32\LInlpCu.exe
  2⤵
  PID:9516
- C:\Windows\System32\zZqWqfi.exe
  C:\Windows\System32\zZqWqfi.exe
  2⤵
  PID:9536
- C:\Windows\System32\FnbWwUI.exe
  C:\Windows\System32\FnbWwUI.exe
  2⤵
  PID:9556
- C:\Windows\System32\ytVufqb.exe
  C:\Windows\System32\ytVufqb.exe
  2⤵
  PID:9604
- C:\Windows\System32\zqhabYT.exe
  C:\Windows\System32\zqhabYT.exe
  2⤵
  PID:9644
- C:\Windows\System32\XyxnVHr.exe
  C:\Windows\System32\XyxnVHr.exe
  2⤵
  PID:9676
- C:\Windows\System32\jmCzzDH.exe
  C:\Windows\System32\jmCzzDH.exe
  2⤵
  PID:9692
- C:\Windows\System32\DKDWQTJ.exe
  C:\Windows\System32\DKDWQTJ.exe
  2⤵
  PID:9716
- C:\Windows\System32\ruxZTnj.exe
  C:\Windows\System32\ruxZTnj.exe
  2⤵
  PID:9756
- C:\Windows\System32\qqhlrrk.exe
  C:\Windows\System32\qqhlrrk.exe
  2⤵
  PID:9784
- C:\Windows\System32\XCQVenm.exe
  C:\Windows\System32\XCQVenm.exe
  2⤵
  PID:9816
- C:\Windows\System32\uTBtcFw.exe
  C:\Windows\System32\uTBtcFw.exe
  2⤵
  PID:9840
- C:\Windows\System32\kDAjosB.exe
  C:\Windows\System32\kDAjosB.exe
  2⤵
  PID:9868
- C:\Windows\System32\nRdksVT.exe
  C:\Windows\System32\nRdksVT.exe
  2⤵
  PID:9920
- C:\Windows\System32\NyFNzIu.exe
  C:\Windows\System32\NyFNzIu.exe
  2⤵
  PID:9944
- C:\Windows\System32\njiahMR.exe
  C:\Windows\System32\njiahMR.exe
  2⤵
  PID:9968
- C:\Windows\System32\zOnWRbq.exe
  C:\Windows\System32\zOnWRbq.exe
  2⤵
  PID:9984
- C:\Windows\System32\kXOYpqu.exe
  C:\Windows\System32\kXOYpqu.exe
  2⤵
  PID:10008
- C:\Windows\System32\qjGDORH.exe
  C:\Windows\System32\qjGDORH.exe
  2⤵
  PID:10032
- C:\Windows\System32\wHECbHW.exe
  C:\Windows\System32\wHECbHW.exe
  2⤵
  PID:10052
- C:\Windows\System32\SOLqkbK.exe
  C:\Windows\System32\SOLqkbK.exe
  2⤵
  PID:10092
- C:\Windows\System32\TAUMfAg.exe
  C:\Windows\System32\TAUMfAg.exe
  2⤵
  PID:10116
- C:\Windows\System32\gRnnDKI.exe
  C:\Windows\System32\gRnnDKI.exe
  2⤵
  PID:10140
- C:\Windows\System32\rVDavtO.exe
  C:\Windows\System32\rVDavtO.exe
  2⤵
  PID:10156
- C:\Windows\System32\nVONXdf.exe
  C:\Windows\System32\nVONXdf.exe
  2⤵
  PID:10176
- C:\Windows\System32\EhnORnx.exe
  C:\Windows\System32\EhnORnx.exe
  2⤵
  PID:10204
- C:\Windows\System32\RDJiDJx.exe
  C:\Windows\System32\RDJiDJx.exe
  2⤵
  PID:10236
- C:\Windows\System32\HfVBbvL.exe
  C:\Windows\System32\HfVBbvL.exe
  2⤵
  PID:9296
- C:\Windows\System32\kYSRerr.exe
  C:\Windows\System32\kYSRerr.exe
  2⤵
  PID:9348
- C:\Windows\System32\MCfGHot.exe
  C:\Windows\System32\MCfGHot.exe
  2⤵
  PID:9368
- C:\Windows\System32\ClPKKzY.exe
  C:\Windows\System32\ClPKKzY.exe
  2⤵
  PID:9492
- C:\Windows\System32\KWDJFGj.exe
  C:\Windows\System32\KWDJFGj.exe
  2⤵
  PID:9504
- C:\Windows\System32\BwZbxtm.exe
  C:\Windows\System32\BwZbxtm.exe
  2⤵
  PID:9568
- C:\Windows\System32\NDOZzhW.exe
  C:\Windows\System32\NDOZzhW.exe
  2⤵
  PID:9740
- C:\Windows\System32\wuXGmTQ.exe
  C:\Windows\System32\wuXGmTQ.exe
  2⤵
  PID:9768
- C:\Windows\System32\iezSWhQ.exe
  C:\Windows\System32\iezSWhQ.exe
  2⤵
  PID:9828
- C:\Windows\System32\uzeaPxh.exe
  C:\Windows\System32\uzeaPxh.exe
  2⤵
  PID:9880
- C:\Windows\System32\xlqoiAw.exe
  C:\Windows\System32\xlqoiAw.exe
  2⤵
  PID:9992
- C:\Windows\System32\ChGgHWu.exe
  C:\Windows\System32\ChGgHWu.exe
  2⤵
  PID:10020
- C:\Windows\System32\YPzfwsU.exe
  C:\Windows\System32\YPzfwsU.exe
  2⤵
  PID:10064
- C:\Windows\System32\aDBvMtI.exe
  C:\Windows\System32\aDBvMtI.exe
  2⤵
  PID:10164
- C:\Windows\System32\FrsafIc.exe
  C:\Windows\System32\FrsafIc.exe
  2⤵
  PID:10216
- C:\Windows\System32\aNvFnnH.exe
  C:\Windows\System32\aNvFnnH.exe
  2⤵
  PID:9224
- C:\Windows\System32\OLdCrGF.exe
  C:\Windows\System32\OLdCrGF.exe
  2⤵
  PID:9320
- C:\Windows\System32\YxzkEux.exe
  C:\Windows\System32\YxzkEux.exe
  2⤵
  PID:9480
- C:\Windows\System32\toQcxdL.exe
  C:\Windows\System32\toQcxdL.exe
  2⤵
  PID:9616
- C:\Windows\System32\TwMhjbi.exe
  C:\Windows\System32\TwMhjbi.exe
  2⤵
  PID:9800
- C:\Windows\System32\YTecRcD.exe
  C:\Windows\System32\YTecRcD.exe
  2⤵
  PID:9916
- C:\Windows\System32\GTrPOcg.exe
  C:\Windows\System32\GTrPOcg.exe
  2⤵
  PID:10152
- C:\Windows\System32\mdKzcUu.exe
  C:\Windows\System32\mdKzcUu.exe
  2⤵
  PID:9340
- C:\Windows\System32\DvRfpqI.exe
  C:\Windows\System32\DvRfpqI.exe
  2⤵
  PID:9808
- C:\Windows\System32\ORjluJz.exe
  C:\Windows\System32\ORjluJz.exe
  2⤵
  PID:10112
- C:\Windows\System32\fETlAhK.exe
  C:\Windows\System32\fETlAhK.exe
  2⤵
  PID:9268
- C:\Windows\System32\loHLmhi.exe
  C:\Windows\System32\loHLmhi.exe
  2⤵
  PID:10248
- C:\Windows\System32\cTvBqTy.exe
  C:\Windows\System32\cTvBqTy.exe
  2⤵
  PID:10264
- C:\Windows\System32\oBwgNiA.exe
  C:\Windows\System32\oBwgNiA.exe
  2⤵
  PID:10292
- C:\Windows\System32\jTKNecK.exe
  C:\Windows\System32\jTKNecK.exe
  2⤵
  PID:10340
- C:\Windows\System32\LYLxuiF.exe
  C:\Windows\System32\LYLxuiF.exe
  2⤵
  PID:10364
- C:\Windows\System32\SBebrcR.exe
  C:\Windows\System32\SBebrcR.exe
  2⤵
  PID:10388
- C:\Windows\System32\NzSPKQk.exe
  C:\Windows\System32\NzSPKQk.exe
  2⤵
  PID:10408
- C:\Windows\System32\pbXSYlD.exe
  C:\Windows\System32\pbXSYlD.exe
  2⤵
  PID:10428
- C:\Windows\System32\kfyssRt.exe
  C:\Windows\System32\kfyssRt.exe
  2⤵
  PID:10460
- C:\Windows\System32\flHGzZd.exe
  C:\Windows\System32\flHGzZd.exe
  2⤵
  PID:10520
- C:\Windows\System32\NktVAZG.exe
  C:\Windows\System32\NktVAZG.exe
  2⤵
  PID:10544
- C:\Windows\System32\twdhFBY.exe
  C:\Windows\System32\twdhFBY.exe
  2⤵
  PID:10572
- C:\Windows\System32\cCzdXEy.exe
  C:\Windows\System32\cCzdXEy.exe
  2⤵
  PID:10588
- C:\Windows\System32\fOniTjR.exe
  C:\Windows\System32\fOniTjR.exe
  2⤵
  PID:10608
- C:\Windows\System32\jGWwgVd.exe
  C:\Windows\System32\jGWwgVd.exe
  2⤵
  PID:10656
- C:\Windows\System32\nOCSQYf.exe
  C:\Windows\System32\nOCSQYf.exe
  2⤵
  PID:10688
- C:\Windows\System32\HHnyfng.exe
  C:\Windows\System32\HHnyfng.exe
  2⤵
  PID:10720
- C:\Windows\System32\vVZRMJj.exe
  C:\Windows\System32\vVZRMJj.exe
  2⤵
  PID:10736
- C:\Windows\System32\UEsnPTd.exe
  C:\Windows\System32\UEsnPTd.exe
  2⤵
  PID:10756
- C:\Windows\System32\IVpdXyn.exe
  C:\Windows\System32\IVpdXyn.exe
  2⤵
  PID:10800
- C:\Windows\System32\tlukrnk.exe
  C:\Windows\System32\tlukrnk.exe
  2⤵
  PID:10836
- C:\Windows\System32\zMNPmWz.exe
  C:\Windows\System32\zMNPmWz.exe
  2⤵
  PID:10860
- C:\Windows\System32\GlqtNyt.exe
  C:\Windows\System32\GlqtNyt.exe
  2⤵
  PID:10888
- C:\Windows\System32\TlGqaPn.exe
  C:\Windows\System32\TlGqaPn.exe
  2⤵
  PID:10908
- C:\Windows\System32\EkEOjUD.exe
  C:\Windows\System32\EkEOjUD.exe
  2⤵
  PID:10936
- C:\Windows\System32\aKQIDve.exe
  C:\Windows\System32\aKQIDve.exe
  2⤵
  PID:10956
- C:\Windows\System32\wCtYNln.exe
  C:\Windows\System32\wCtYNln.exe
  2⤵
  PID:10976
- C:\Windows\System32\xrVSHQp.exe
  C:\Windows\System32\xrVSHQp.exe
  2⤵
  PID:11012
- C:\Windows\System32\TSpgYln.exe
  C:\Windows\System32\TSpgYln.exe
  2⤵
  PID:11060
- C:\Windows\System32\LRelPYq.exe
  C:\Windows\System32\LRelPYq.exe
  2⤵
  PID:11076
- C:\Windows\System32\oauSXxb.exe
  C:\Windows\System32\oauSXxb.exe
  2⤵
  PID:11096
- C:\Windows\System32\BVPgnXp.exe
  C:\Windows\System32\BVPgnXp.exe
  2⤵
  PID:11124
- C:\Windows\System32\hEQpdzd.exe
  C:\Windows\System32\hEQpdzd.exe
  2⤵
  PID:11160
- C:\Windows\System32\ZYEchAA.exe
  C:\Windows\System32\ZYEchAA.exe
  2⤵
  PID:11184
- C:\Windows\System32\PaPkApk.exe
  C:\Windows\System32\PaPkApk.exe
  2⤵
  PID:11208
- C:\Windows\System32\UsjjeXx.exe
  C:\Windows\System32\UsjjeXx.exe
  2⤵
  PID:11232
- C:\Windows\System32\WnHALqn.exe
  C:\Windows\System32\WnHALqn.exe
  2⤵
  PID:11248
- C:\Windows\System32\vzxFXPX.exe
  C:\Windows\System32\vzxFXPX.exe
  2⤵
  PID:9976
- C:\Windows\System32\iDuFWeC.exe
  C:\Windows\System32\iDuFWeC.exe
  2⤵
  PID:10132
- C:\Windows\System32\HWNPKFL.exe
  C:\Windows\System32\HWNPKFL.exe
  2⤵
  PID:10396
- C:\Windows\System32\TlgDwjP.exe
  C:\Windows\System32\TlgDwjP.exe
  2⤵
  PID:10376
- C:\Windows\System32\HjDGdBY.exe
  C:\Windows\System32\HjDGdBY.exe
  2⤵
  PID:10532
- C:\Windows\System32\tXQIKhR.exe
  C:\Windows\System32\tXQIKhR.exe
  2⤵
  PID:10604
- C:\Windows\System32\AswPnhy.exe
  C:\Windows\System32\AswPnhy.exe
  2⤵
  PID:10680
- C:\Windows\System32\xylRbpa.exe
  C:\Windows\System32\xylRbpa.exe
  2⤵
  PID:10728
- C:\Windows\System32\ZtYNToe.exe
  C:\Windows\System32\ZtYNToe.exe
  2⤵
  PID:10764
- C:\Windows\System32\RlrdnID.exe
  C:\Windows\System32\RlrdnID.exe
  2⤵
  PID:10784
- C:\Windows\System32\ujfgFiT.exe
  C:\Windows\System32\ujfgFiT.exe
  2⤵
  PID:10928
- C:\Windows\System32\mLamWhL.exe
  C:\Windows\System32\mLamWhL.exe
  2⤵
  PID:10964
- C:\Windows\System32\bZnejpF.exe
  C:\Windows\System32\bZnejpF.exe
  2⤵
  PID:11020
- C:\Windows\System32\xdwJENq.exe
  C:\Windows\System32\xdwJENq.exe
  2⤵
  PID:11068
- C:\Windows\System32\mCiIYEw.exe
  C:\Windows\System32\mCiIYEw.exe
  2⤵
  PID:11088
- C:\Windows\System32\ACdwAkB.exe
  C:\Windows\System32\ACdwAkB.exe
  2⤵
  PID:11152
- C:\Windows\System32\cWnHydQ.exe
  C:\Windows\System32\cWnHydQ.exe
  2⤵
  PID:11204
- C:\Windows\System32\DiLFjIk.exe
  C:\Windows\System32\DiLFjIk.exe
  2⤵
  PID:11244
- C:\Windows\System32\BtkgRvm.exe
  C:\Windows\System32\BtkgRvm.exe
  2⤵
  PID:10260
- C:\Windows\System32\xaKGRLo.exe
  C:\Windows\System32\xaKGRLo.exe
  2⤵
  PID:10516
- C:\Windows\System32\KbvBDqS.exe
  C:\Windows\System32\KbvBDqS.exe
  2⤵
  PID:10920
- C:\Windows\System32\TQLPQwg.exe
  C:\Windows\System32\TQLPQwg.exe
  2⤵
  PID:11044
- C:\Windows\System32\dlLTHCG.exe
  C:\Windows\System32\dlLTHCG.exe
  2⤵
  PID:11180
- C:\Windows\System32\jCccJGD.exe
  C:\Windows\System32\jCccJGD.exe
  2⤵
  PID:11200
- C:\Windows\System32\QVSkPuo.exe
  C:\Windows\System32\QVSkPuo.exe
  2⤵
  PID:10600
- C:\Windows\System32\afcLaLp.exe
  C:\Windows\System32\afcLaLp.exe
  2⤵
  PID:10904
- C:\Windows\System32\eGzlgZq.exe
  C:\Windows\System32\eGzlgZq.exe
  2⤵
  PID:10628
- C:\Windows\System32\bJUUOut.exe
  C:\Windows\System32\bJUUOut.exe
  2⤵
  PID:11192
- C:\Windows\System32\PLpdand.exe
  C:\Windows\System32\PLpdand.exe
  2⤵
  PID:11292
- C:\Windows\System32\QucRHiI.exe
  C:\Windows\System32\QucRHiI.exe
  2⤵
  PID:11312
- C:\Windows\System32\DcTEFup.exe
  C:\Windows\System32\DcTEFup.exe
  2⤵
  PID:11336
- C:\Windows\System32\tazlyms.exe
  C:\Windows\System32\tazlyms.exe
  2⤵
  PID:11352
- C:\Windows\System32\qbpSONu.exe
  C:\Windows\System32\qbpSONu.exe
  2⤵
  PID:11380
- C:\Windows\System32\BfIjoNu.exe
  C:\Windows\System32\BfIjoNu.exe
  2⤵
  PID:11396
- C:\Windows\System32\OTYpLjf.exe
  C:\Windows\System32\OTYpLjf.exe
  2⤵
  PID:11440
- C:\Windows\System32\GhLiFEj.exe
  C:\Windows\System32\GhLiFEj.exe
  2⤵
  PID:11468
- C:\Windows\System32\HPPLyTx.exe
  C:\Windows\System32\HPPLyTx.exe
  2⤵
  PID:11484
- C:\Windows\System32\qDAUXXv.exe
  C:\Windows\System32\qDAUXXv.exe
  2⤵
  PID:11508
- C:\Windows\System32\GRyUZvG.exe
  C:\Windows\System32\GRyUZvG.exe
  2⤵
  PID:11524
- C:\Windows\System32\mOkNbvm.exe
  C:\Windows\System32\mOkNbvm.exe
  2⤵
  PID:11612
- C:\Windows\System32\QgBrRpa.exe
  C:\Windows\System32\QgBrRpa.exe
  2⤵
  PID:11628
- C:\Windows\System32\NEiBpkM.exe
  C:\Windows\System32\NEiBpkM.exe
  2⤵
  PID:11664
- C:\Windows\System32\yCkfvOX.exe
  C:\Windows\System32\yCkfvOX.exe
  2⤵
  PID:11684
- C:\Windows\System32\CRtQJWF.exe
  C:\Windows\System32\CRtQJWF.exe
  2⤵
  PID:11700
- C:\Windows\System32\lKHKWWU.exe
  C:\Windows\System32\lKHKWWU.exe
  2⤵
  PID:11720
- C:\Windows\System32\hKdLEEt.exe
  C:\Windows\System32\hKdLEEt.exe
  2⤵
  PID:11744
- C:\Windows\System32\zXlQfFr.exe
  C:\Windows\System32\zXlQfFr.exe
  2⤵
  PID:11780
- C:\Windows\System32\BpPROYH.exe
  C:\Windows\System32\BpPROYH.exe
  2⤵
  PID:11808
- C:\Windows\System32\jGAZnkn.exe
  C:\Windows\System32\jGAZnkn.exe
  2⤵
  PID:11832
- C:\Windows\System32\gVpivWf.exe
  C:\Windows\System32\gVpivWf.exe
  2⤵
  PID:11852
- C:\Windows\System32\WXdfNnj.exe
  C:\Windows\System32\WXdfNnj.exe
  2⤵
  PID:11880
- C:\Windows\System32\PICKjaJ.exe
  C:\Windows\System32\PICKjaJ.exe
  2⤵
  PID:11896
- C:\Windows\System32\Rgzubln.exe
  C:\Windows\System32\Rgzubln.exe
  2⤵
  PID:11948
- C:\Windows\System32\VJsTIrj.exe
  C:\Windows\System32\VJsTIrj.exe
  2⤵
  PID:11968
- C:\Windows\System32\FlmWhQS.exe
  C:\Windows\System32\FlmWhQS.exe
  2⤵
  PID:11988
- C:\Windows\System32\LcVNsOM.exe
  C:\Windows\System32\LcVNsOM.exe
  2⤵
  PID:12004
- C:\Windows\System32\PePwrls.exe
  C:\Windows\System32\PePwrls.exe
  2⤵
  PID:12056
- C:\Windows\System32\jnfIvCy.exe
  C:\Windows\System32\jnfIvCy.exe
  2⤵
  PID:12080
- C:\Windows\System32\LIkmTXy.exe
  C:\Windows\System32\LIkmTXy.exe
  2⤵
  PID:12116
- C:\Windows\System32\RaDSTOH.exe
  C:\Windows\System32\RaDSTOH.exe
  2⤵
  PID:12144
- C:\Windows\System32\pEXAqZB.exe
  C:\Windows\System32\pEXAqZB.exe
  2⤵
  PID:12168
- C:\Windows\System32\vbgDbZl.exe
  C:\Windows\System32\vbgDbZl.exe
  2⤵
  PID:12184
- C:\Windows\System32\YkcktZx.exe
  C:\Windows\System32\YkcktZx.exe
  2⤵
  PID:12212
- C:\Windows\System32\lZUGnbQ.exe
  C:\Windows\System32\lZUGnbQ.exe
  2⤵
  PID:12232
- C:\Windows\System32\SHiUtfd.exe
  C:\Windows\System32\SHiUtfd.exe
  2⤵
  PID:12248
- C:\Windows\System32\rIxsuYm.exe
  C:\Windows\System32\rIxsuYm.exe
  2⤵
  PID:12272
- C:\Windows\System32\egVnAqT.exe
  C:\Windows\System32\egVnAqT.exe
  2⤵
  PID:11308
- C:\Windows\System32\hCBnkuS.exe
  C:\Windows\System32\hCBnkuS.exe
  2⤵
  PID:11476
- C:\Windows\System32\XcXNkeg.exe
  C:\Windows\System32\XcXNkeg.exe
  2⤵
  PID:11520
- C:\Windows\System32\scaZdmq.exe
  C:\Windows\System32\scaZdmq.exe
  2⤵
  PID:11600
- C:\Windows\System32\uyLxBFn.exe
  C:\Windows\System32\uyLxBFn.exe
  2⤵
  PID:11640
- C:\Windows\System32\UQZFqyG.exe
  C:\Windows\System32\UQZFqyG.exe
  2⤵
  PID:11756
- C:\Windows\System32\nnmEqWU.exe
  C:\Windows\System32\nnmEqWU.exe
  2⤵
  PID:11804
- C:\Windows\System32\mabPETK.exe
  C:\Windows\System32\mabPETK.exe
  2⤵
  PID:11872
- C:\Windows\System32\FueXZYM.exe
  C:\Windows\System32\FueXZYM.exe
  2⤵
  PID:11904
- C:\Windows\System32\CdYUCKD.exe
  C:\Windows\System32\CdYUCKD.exe
  2⤵
  PID:11932
- C:\Windows\System32\tfeKOEg.exe
  C:\Windows\System32\tfeKOEg.exe
  2⤵
  PID:11984
- C:\Windows\System32\qrSUHDW.exe
  C:\Windows\System32\qrSUHDW.exe
  2⤵
  PID:12124
- C:\Windows\System32\wKpIgTF.exe
  C:\Windows\System32\wKpIgTF.exe
  2⤵
  PID:12244
- C:\Windows\System32\AVkCcPl.exe
  C:\Windows\System32\AVkCcPl.exe
  2⤵
  PID:12268
- C:\Windows\System32\yVAyais.exe
  C:\Windows\System32\yVAyais.exe
  2⤵
  PID:10816
- C:\Windows\System32\ZrpWjTB.exe
  C:\Windows\System32\ZrpWjTB.exe
  2⤵
  PID:11496
- C:\Windows\System32\uYaEDOq.exe
  C:\Windows\System32\uYaEDOq.exe
  2⤵
  PID:11556
- C:\Windows\System32\LKMsVUy.exe
  C:\Windows\System32\LKMsVUy.exe
  2⤵
  PID:11732
- C:\Windows\System32\skCIrUE.exe
  C:\Windows\System32\skCIrUE.exe
  2⤵
  PID:11840
- C:\Windows\System32\CVBmBZQ.exe
  C:\Windows\System32\CVBmBZQ.exe
  2⤵
  PID:12068
- C:\Windows\System32\CwleDkR.exe
  C:\Windows\System32\CwleDkR.exe
  2⤵
  PID:12256
- C:\Windows\System32\lqmJgiv.exe
  C:\Windows\System32\lqmJgiv.exe
  2⤵
  PID:11364
- C:\Windows\System32\MJXtLng.exe
  C:\Windows\System32\MJXtLng.exe
  2⤵
  PID:11320
- C:\Windows\System32\kfJKCYk.exe
  C:\Windows\System32\kfJKCYk.exe
  2⤵
  PID:11328
- C:\Windows\System32\VFpiRrF.exe
  C:\Windows\System32\VFpiRrF.exe
  2⤵
  PID:12000
- C:\Windows\System32\ZzBMKzq.exe
  C:\Windows\System32\ZzBMKzq.exe
  2⤵
  PID:4672
- C:\Windows\System32\LIGQyyw.exe
  C:\Windows\System32\LIGQyyw.exe
  2⤵
  PID:11620
- C:\Windows\System32\cCZKvrK.exe
  C:\Windows\System32\cCZKvrK.exe
  2⤵
  PID:12328
- C:\Windows\System32\abfCELt.exe
  C:\Windows\System32\abfCELt.exe
  2⤵
  PID:12356
- C:\Windows\System32\QcdSLAS.exe
  C:\Windows\System32\QcdSLAS.exe
  2⤵
  PID:12376
- C:\Windows\System32\CcESovr.exe
  C:\Windows\System32\CcESovr.exe
  2⤵
  PID:12408
- C:\Windows\System32\IZNtStE.exe
  C:\Windows\System32\IZNtStE.exe
  2⤵
  PID:12448
- C:\Windows\System32\ryuxkiO.exe
  C:\Windows\System32\ryuxkiO.exe
  2⤵
  PID:12464
- C:\Windows\System32\ntPzSrP.exe
  C:\Windows\System32\ntPzSrP.exe
  2⤵
  PID:12492
- C:\Windows\System32\iqvshoW.exe
  C:\Windows\System32\iqvshoW.exe
  2⤵
  PID:12516
- C:\Windows\System32\HlMhFiU.exe
  C:\Windows\System32\HlMhFiU.exe
  2⤵
  PID:12536
- C:\Windows\System32\sQXBGwC.exe
  C:\Windows\System32\sQXBGwC.exe
  2⤵
  PID:12560
- C:\Windows\System32\siPJRLJ.exe
  C:\Windows\System32\siPJRLJ.exe
  2⤵
  PID:12592
- C:\Windows\System32\KusohYB.exe
  C:\Windows\System32\KusohYB.exe
  2⤵
  PID:12612
- C:\Windows\System32\REiZiax.exe
  C:\Windows\System32\REiZiax.exe
  2⤵
  PID:12644
- C:\Windows\System32\iVXIsBG.exe
  C:\Windows\System32\iVXIsBG.exe
  2⤵
  PID:12668
- C:\Windows\System32\eRdxHZc.exe
  C:\Windows\System32\eRdxHZc.exe
  2⤵
  PID:12688
- C:\Windows\System32\ZksKkTq.exe
  C:\Windows\System32\ZksKkTq.exe
  2⤵
  PID:12708
- C:\Windows\System32\XPkZELH.exe
  C:\Windows\System32\XPkZELH.exe
  2⤵
  PID:12732
- C:\Windows\System32\gmIJXTJ.exe
  C:\Windows\System32\gmIJXTJ.exe
  2⤵
  PID:12764
- C:\Windows\System32\sESFqrZ.exe
  C:\Windows\System32\sESFqrZ.exe
  2⤵
  PID:12780
- C:\Windows\System32\wAMQTXf.exe
  C:\Windows\System32\wAMQTXf.exe
  2⤵
  PID:12796
- C:\Windows\System32\EHkDVCe.exe
  C:\Windows\System32\EHkDVCe.exe
  2⤵
  PID:12820
- C:\Windows\System32\lIesjIb.exe
  C:\Windows\System32\lIesjIb.exe
  2⤵
  PID:12836
- C:\Windows\System32\IyfMPfg.exe
  C:\Windows\System32\IyfMPfg.exe
  2⤵
  PID:12924
- C:\Windows\System32\KLCqEHF.exe
  C:\Windows\System32\KLCqEHF.exe
  2⤵
  PID:12952
- C:\Windows\System32\evNLEXe.exe
  C:\Windows\System32\evNLEXe.exe
  2⤵
  PID:12996
- C:\Windows\System32\nFOQgrU.exe
  C:\Windows\System32\nFOQgrU.exe
  2⤵
  PID:13024
- C:\Windows\System32\PKzXetH.exe
  C:\Windows\System32\PKzXetH.exe
  2⤵
  PID:13040
- C:\Windows\System32\kvikQcJ.exe
  C:\Windows\System32\kvikQcJ.exe
  2⤵
  PID:13060
- C:\Windows\System32\ANzhfUt.exe
  C:\Windows\System32\ANzhfUt.exe
  2⤵
  PID:13076
- C:\Windows\System32\OmHGOqr.exe
  C:\Windows\System32\OmHGOqr.exe
  2⤵
  PID:13100
- C:\Windows\System32\vdNFOxm.exe
  C:\Windows\System32\vdNFOxm.exe
  2⤵
  PID:13144
- C:\Windows\System32\mqqWQmP.exe
  C:\Windows\System32\mqqWQmP.exe
  2⤵
  PID:13168
- C:\Windows\System32\wMaKcQN.exe
  C:\Windows\System32\wMaKcQN.exe
  2⤵
  PID:13192
- C:\Windows\System32\RRMXEKG.exe
  C:\Windows\System32\RRMXEKG.exe
  2⤵
  PID:13216
- C:\Windows\System32\XLytlxo.exe
  C:\Windows\System32\XLytlxo.exe
  2⤵
  PID:13240
- C:\Windows\System32\wCsEKxl.exe
  C:\Windows\System32\wCsEKxl.exe
  2⤵
  PID:13264
- C:\Windows\System32\vPsZuuU.exe
  C:\Windows\System32\vPsZuuU.exe
  2⤵
  PID:13300

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ALvcGja.exe

Filesize
1.0MB

MD5
ffa711c186d227bf7a9b3f8a31ba5035

SHA1
502a74fd8f9a867fd49d8a7cae03dff5a7766b83

SHA256
52ce636b9a433c2ffe4977dc0412f3f8fbf140284b639c6750e4e58973b0c9ac

SHA512
1008b21d926d49222f0d1de470c33264f7332d4e5188f7909f8cd1eb297272b4eba41aecc66afb0f8c548e888651cade8ec72fb679c3f614b47668a72e7af93c

Download Submit
C:\Windows\System32\BUGoJDw.exe

Filesize
1.0MB

MD5
0e3d0df3f19ac42c0c39f6cad656257b

SHA1
e8db45507ce95893ae4485040ced9a41eb6ef287

SHA256
490b7095d79b2917de084bc0db501552f5b6010070bdc543653e014cfc3e8c23

SHA512
01e994e96e133b603205ee9d4be45209e3fd47eb8e85aff1a1aee82e0395c4a40471deec631cef78ef5042765149a0a44a554160b354d7e98aba7ea244241211

Download Submit
C:\Windows\System32\FDZcXSv.exe

Filesize
1.0MB

MD5
991da2b85b7cf11dee447319cae98849

SHA1
a2eb6a74c16b5b25ecc5ab1997fa8e5528584fe3

SHA256
5ef64313e956e0cfd672334d53a13be298bb64ef7346b9e0b1706f1242a95795

SHA512
612c1709573e5c317e25499d1297a83bc8601d5f18e19ed89cfb3f49f81259b7144c2c8115069d0128e6d618956852b988c0251a251bb58c0dbc15d9dec72528

Download Submit
C:\Windows\System32\FicOyoX.exe

Filesize
1.0MB

MD5
405de6b683aba8957dcec7a2817c79ac

SHA1
0b458156cdc66612c29a5061832abab5f138627c

SHA256
111a0cbcd97f16429cbace72355b5951e43b791059a0ea7daf0264fd640e41ba

SHA512
e874b54603eaeffae2377cea0294ad11032aa5a5d9979685eb28b735f7c8b789b3010691a77b74827f923d885ee465ac51e3ce5d201eb4de4b8cadd88e93b394

Download Submit
C:\Windows\System32\GHNRwWP.exe

Filesize
1.0MB

MD5
56a975bb272c073cd6098ef86afb881c

SHA1
0d98582589b35e23dac8131ce765864d50837e86

SHA256
78b4270a29e8385f0fa1d16f2d0f2a54c38556d2270694020a52f29b42a63e34

SHA512
cf41aa79035a4c8396e2417183225c3711cf9dee034ba9b35c634b406d62193886613305ede9274bd5aae820bf1110d876fe213ea521fcd6eda60097e03b2fcf

Download Submit
C:\Windows\System32\IJyiXLd.exe

Filesize
1.0MB

MD5
ffdc6526363e6ffd59644c2bdf1c7bdc

SHA1
ad5d279d66394056716656a4953d4187fa543e09

SHA256
7ec61a07e83930e419440cd0841c93cefaa60bb66ba6361c4209753695bcd705

SHA512
82e301ba9da40ab4052cfccab2f5dc470cd9c3314b3ba6ea005c6c557fc8436d8a1864b497748818cb308f435eed14cee2cbcf9cfb60c73d7e4bd56a9077eb27

Download Submit
C:\Windows\System32\JLzbznV.exe

Filesize
1.0MB

MD5
c9bf8ad019ba38eedb5719161f8e7b96

SHA1
bb43ca091cf06881aba052b0dca7da7a77b391fa

SHA256
62ea326fa9742618176f410fb9c3086a5d4f03b7b6cb5dc3722ff37b8f8ef6df

SHA512
1da7904812ad98c0877adc2e9a64cdac98e3eff0f38b376c33230d46e998b1b9b46f9aa2227eb9be3b07477c82e6054503895aa947a2e39e4b96ce3163ac4db7

Download Submit
C:\Windows\System32\NdTtrsk.exe

Filesize
1.0MB

MD5
b19011fcb4605105bfeb8f9456bad3e2

SHA1
77d691a1e554296d1d37d30622e6209d3f58fadf

SHA256
68b53d6d30f7072643711fd4a66c9ebebd33b94e92166ecd0b28660f70d57342

SHA512
78d3c35504f98fd9c8908442964bea42919f85c5e9f9411fea02e41d115bafbbd9b4d7e9e9ed347d45689fbd9b0500e5a1e9059332eb4e69cbd019ca6a9151af

Download Submit
C:\Windows\System32\PBqBsBf.exe

Filesize
1.0MB

MD5
9e287046debdfd67949a015323bd4006

SHA1
4d5b8b7f4468c848bc21c4db19febda121120a16

SHA256
2688ee01b04affd8be0a2f7a612f3fd034015380f7768ddc4f02c9643e5f8177

SHA512
f93ccce7a425419c6b1db2ea9d6431b6fee7f0237eabbb14c20ab546f2cfbdb3ff029df07cc15664ae5c8040b854b43b1e8b2416c29b9d95cf91505a02ec8b78

Download Submit
C:\Windows\System32\PiNvShJ.exe

Filesize
1.0MB

MD5
cc5c8485ac872f23fbda0beea0ac2e8d

SHA1
87b24d9c78573b778288d358a3030e12f04b0f2e

SHA256
32006e37938c104c1092b226022d8135579133372fd696fa81d3b93716b2e7e7

SHA512
49f6978d65cdb3f0dc165e7169b0b238b7979578f3be843fb60aab5ffa1f556e03c81d8a6b5c92cdc91c3ff929d9a00ffb439494c432e4f53fac1568f3359202

Download Submit
C:\Windows\System32\RLKinNl.exe

Filesize
1.0MB

MD5
5cea43d8f562ee11da5638f68d312664

SHA1
b666fd8588b77e19510054e77fc897ccba0d19f2

SHA256
d21b376a0dfec157df8fc3277f6d7a53749715837721de899880d2787f77e4fa

SHA512
b684f5d6e6705789730cb71f0383e1ad1482aa62aa6a436eeeaf5c1fc673bbf0f8cd5c4dcf8a716055e751a1c25d28e46f8bce8cdffb544790fe689dc0296500

Download Submit
C:\Windows\System32\RfyRcZk.exe

Filesize
1.0MB

MD5
03a8531ec6f8c84dcab4360b84aae906

SHA1
811d0bf574ad7340f920d1ebed65b0aab8138bec

SHA256
0389327fbed3746ad10d43a2964042f2521b5012f950b41a36e254fbfd1d41a8

SHA512
1aa4cdc45b729f6e7fdd816023b2d3145039959c41b0d9292243d4d2830fc7ad28141bed9afb791657cf01c57ba4c384963775e87cce02f39350cc54a2f90d18

Download Submit
C:\Windows\System32\TSleTnU.exe

Filesize
1.0MB

MD5
fccb91ed6e038282a4b60f53e9916d9e

SHA1
2835b21bca48de96e315f2aed50e6d3f395c69bc

SHA256
720b8825789ebbe2babbafcadc1b5b8ff4bac1b2fa2da0caddd9b5d67237a4f9

SHA512
0cf009acf28d401f4e8a4f06d172dbed9146a4cac10602d8a02e2a9a1e8207185fa5027fe6e07404c9173517851c841111b58d68939673261a35b03fc35f5eb1

Download Submit
C:\Windows\System32\TZzoMQb.exe

Filesize
1.0MB

MD5
1f77260a7f6961939c9e4637a0253645

SHA1
1e44bccbda2306d1b1be40fc52e89ffb724fc45a

SHA256
86db4a562490a2af613ed61aad35ff593fd28f016e4d7e8320346be84edcbb4c

SHA512
701e4a215da5c1fe4408dbd10b621e32ae301c3864eae92b121987b361000b0042acdb2453e85f3b9c0ac85afc8fb86bbe99311c67d5a044181092cc347230cd

Download Submit
C:\Windows\System32\UkbgZlG.exe

Filesize
1.0MB

MD5
c3dd917b129c91b01adb000dd6bc9789

SHA1
94798edb3f9672349d403fb617d3dcf4d6dd070c

SHA256
d5c6a7ae8b2c2f9915f0b7406fca7169c6f8211f0f5e5bda1a092fffaeaf67ed

SHA512
6ea60810a180676b45c65b302cb1f8eec861b65eddccde08eec778ebae66c7f00fcf92d14f159d1e2373f01d8ff888f8d3f672e7220c5e683bc4b8050d6d060b

Download Submit
C:\Windows\System32\XyYEPQY.exe

Filesize
1.0MB

MD5
97400814a464f604c3fb99a0ebb3bba7

SHA1
4b23123ca1e6f1da1cd60552e6e08fd7bf952b8d

SHA256
9a5107e8ecc51ed124f443d506acd4da8c767a7d5495fa37df789ce6ca923f65

SHA512
6d0dbe00c2e38978aa965119f0f512e2a18806c0e9ca3b8cb8adef6fa895235ca9b0b92ceaffe81d7a6d6d2dee9b9a79f158824b38c4fbcf721dab07c232f26c

Download Submit
C:\Windows\System32\YhfhlFI.exe

Filesize
1.0MB

MD5
874aaf9285f967202603f5aeab1cbd33

SHA1
889a6d5cd8e1aa3ef3536fa0d9dc049dc77f0888

SHA256
719ac2708974ced31ff697805b597817bede933e233957a3964cafd53cb53151

SHA512
2098f9675dececb258e409b738c92c54efadd21b3c74c4083802040017615070f47b243ca7079ae310adec6ef85d92fd8928ba40266d01f269ce5eaad9ec3913

Download Submit
C:\Windows\System32\ZNEEUJY.exe

Filesize
1.0MB

MD5
3eb6610ac5944dc834d1ba957c16dba4

SHA1
c8625646f8924716a730ee2098b175f2194d82f7

SHA256
a6a8cca3963dafdbe1985fc0012e73efdc9379f17a1aa1cfb4290265a3861bfa

SHA512
28c3801b6f3d2f8f35dcd71f5611f77b36e76a30ff9cc47a641f4eead83fca20233408f9d49a778fb2c1b693b67af08bc7763cca6757823ddb57b127ac1a22a0

Download Submit
C:\Windows\System32\ZyzcVRm.exe

Filesize
1.0MB

MD5
67f844568bcb5e5de9d4f38f1e1a8b35

SHA1
dc385889bf92810c59f6a0e680ede05a5d5deb2c

SHA256
cf8c342bf7f343c4d238b983b7777498ae13a414346a48eb253fcc680d23cf1a

SHA512
df766998042b2fed7b6bedf2941be6a2f77b2d59ba57604570bd9214b1c1554e1da961f5b80a82f57875691f1e953f2934a49510efcc081467c5875922fe1ed8

Download Submit
C:\Windows\System32\aQvTPGR.exe

Filesize
1.0MB

MD5
ae109e80ea1b9bb53d0ef9a1276cc835

SHA1
6a863fbe293e15d21450c76b4d5f6a062c92bb8f

SHA256
1ff05599441e67976866335fc7f52807ad91302318813c0082c012ce93a1ea78

SHA512
7d8f24c994106a99704dcfe310010b533da11fdfe0a26c8bf29d3564637ff49fb96bc3990eb27af3aade34f28b666f5ae7ca45a9f814875579d552852ccbbea7

Download Submit
C:\Windows\System32\baVazGz.exe

Filesize
1.0MB

MD5
43effe862866bd3960d178092ed9cc3d

SHA1
8cafeb23bc621d47c4d930c61ee479c5039ec63b

SHA256
5881d4a6e09ae52c16a0e9d5e31c063807d8a4e28f72bc545ef3da4fe5c929f7

SHA512
efa55af515a3012ffec94753ecc8639515f21dbf4599168bc3f561b20140b292c99532b28f270953c9bcc7d1be4c7fddf6a882ff42dfef52c469f8a4d24cda55

Download Submit
C:\Windows\System32\hWoJros.exe

Filesize
1.0MB

MD5
5fff6ea628276746026d07f64d56f621

SHA1
ebf0fccf5c076f2a94b2abaeeab3f5c14b04eebd

SHA256
959f617b14fddf2eb29567d5e2ba8548c40974cb738984103422e4dd824822a2

SHA512
f57746008f1c84f31ffc733d54014b701f84d53e372f519d1248dc5361ac3d081cae3d91fc540e0308d4587aa4167afc6d78a2fcce825a71b55a62b64fb3e47d

Download Submit
C:\Windows\System32\kVZvACM.exe

Filesize
1.0MB

MD5
ccbe007667607e98fb56b4a32ca35926

SHA1
62704e203cfae2d2092e32b06aa7a9efd574cca3

SHA256
cf318f013741776f072d28203557d2e6b40912691b7210805e2b521d65b0af77

SHA512
cf970c5b415e25f70ce545e8cad6f7bc536fd1f0246fd98662b6d36ba838deeb0683459eb0912d5fc3ba0e6aeead758f4e92f002be14e425d990e2e380f32074

Download Submit
C:\Windows\System32\lWiVixd.exe

Filesize
1.0MB

MD5
eb5c4f965706c958a3f57c0830b8de31

SHA1
e898fa5eacfd7de43c15b7ae780fe053b40e7c28

SHA256
34ce08a746f97b1afb21370f4eacc0bdbcbf731594f5d8f5cda3d340ce2f9eab

SHA512
a836449bf00d1e27f33c0ee6748d1832d641e4bcffbcd59b3e0508f8c9f581f2ccf692af9f1a87b71b9c4339608f084425162ceb57783d0e6033aec2ff94d185

Download Submit
C:\Windows\System32\nxFtEMp.exe

Filesize
1.0MB

MD5
e618d8ccf74a3cd9354ff39523fab858

SHA1
41e6950d0056da72c23c7d20ec97f665c6d7f7c4

SHA256
cdc74fc155c406dff31ccb1cbca7162cd6c76807a626c4b7e5d534c85516d43a

SHA512
de7c77459bf2e7f48b8b228a303963b976b980a1a3dbabc2640589d3c016b8b0808f16b4ff09ba819a4811665174e448c7c168a437df495c8b579e092c231040

Download Submit
C:\Windows\System32\ofkkUDn.exe

Filesize
1.0MB

MD5
9987734abed9d910e483c8f392b7d808

SHA1
0ce0ff53662aa04837fabf5db5dd8f6c89a3fed9

SHA256
c3e94fd1c372548aaec1602fe16e165be06f977970eb180b83e44400beeb402e

SHA512
85346b1bfc6f15ba1d3ccd2169e9808a0c83ada14adeab74feb02ee8684ac6c198d5cc60e4dd8f474f3c8c6494a8f8018d7c99c32888e56427c0bfa5f76a8323

Download Submit
C:\Windows\System32\qbWulsX.exe

Filesize
1.0MB

MD5
f07a4abd91a440417e46ede00df943ce

SHA1
f4c6336b61e03685ae452dad3353a1418b5c1b34

SHA256
8c86e82440946c2a5ce12dc156d854874a9ee50e734aeb8e87ab162d7da60878

SHA512
7934b9dd3f56eeadb761483224d283af0bfb766297506447187288c729edc0f466b077d14107f6884f7bdcb8327b355c840d6375540a9efa60d1c0b0a964aba1

Download Submit
C:\Windows\System32\rHEubpQ.exe

Filesize
1.0MB

MD5
fd300f11fd9e99259be4fa1877f8b5f7

SHA1
87ca054b564aa661caf3ba26beb0b2316dab019e

SHA256
7e9b8e334f27884b6eb715c61876c60379471735382e36966790395bd4d28e70

SHA512
bf169903f480b779006e053d8950ed6527797192d63845e1f6b1af1f107e43125bd715bb9e83f3f56d365dab3ed3146bc6ad17dff51625831a744281aa07ca94

Download Submit
C:\Windows\System32\tytjGdZ.exe

Filesize
1.0MB

MD5
966b356830e3cd0a7be4bfb776a33168

SHA1
50aa0bf69b4e7f3a7c965f83c819dbdda103cf06

SHA256
0bfad03993666dfd84741de14af23f916bc5846a6569f548ffba7b85baeff2b1

SHA512
c8a0069fcc42a19fca1a96a2db537815c99a84db8267f2907295432df1b0debb893c4d95303b948ac3d6758688113b908b787242bc7f5be4822d45d72d20f538

Download Submit
C:\Windows\System32\uqdEAMb.exe

Filesize
1.0MB

MD5
1d841254c2b4e7220af39feb8a178547

SHA1
f6b3ee660e6ee42c92ef77bd37efee5cd7f516f9

SHA256
e569e541ea0bd318849f1f8c82cb2f41c6fc5ba63b11b709506e12d0c60094de

SHA512
d76dec33fd5b874dd4e1db53b1f8db8445ab259780162f0c5f70d17a16dae8a19512842e4ad0869fd9f23f4fb04b0ce4c71abedb485fc364d99cbd4e4537f200

Download Submit
C:\Windows\System32\xQcSnwz.exe

Filesize
1.0MB

MD5
bb6e6c95be79762ac2c3214d63f7ca49

SHA1
e15659ec89cf71a3717c0604c39211de8088fb11

SHA256
c5bbc5b3f1652f558c7347b553217fec20140f0589691598aef5fc7dca492f30

SHA512
f179832325a7a137fe1f2e16eda4b76551bc8b8d056588fd980a48296b58f23dc72e9f37ea38a0a0dbd8256cd73e36560bd7d09c0b7e8d5ac52bab990475b969

Download Submit
C:\Windows\System32\zBtKUHg.exe

Filesize
1.0MB

MD5
0707a8d261a8bea23a9f608548c8e157

SHA1
2e5770a2da2446f24908dae157100acbd394b23b

SHA256
ed6d321b3d3e9163dd40062df34198f4f3e1229fbfb81130022dffeb9857ef30

SHA512
58bf7190350c02663fcb7d8594ef3a6243df23cc2d1fc830dd67f73184c965d0899b2121312a26f13609e6806bcd511623058fe8d29e6dbc5393583b1c18aa7f

Download Submit
C:\Windows\System32\zDypkwj.exe

Filesize
1.0MB

MD5
dfb691bcfe09c1c6c7e40ca133d72f93

SHA1
2395e5cbd1e5e4ff9049bfd7b067dca411a16cab

SHA256
3e5b97d7b1594e36573fc227a5ac97dc369b34f69382a28c73b7ba9633a213a7

SHA512
de840a4b4eb33b6e09357dc90349fd279c1093a4172149c628e6b17131744e3ba8e8b95a4b3be6605356c16867ca2fab6c130a7763e554bcad58de0bcbfeeacb

Download Submit
memory/436-312-0x00007FF635FC0000-0x00007FF6363B1000-memory.dmp

Filesize
3.9MB

Download
memory/436-2059-0x00007FF635FC0000-0x00007FF6363B1000-memory.dmp

Filesize
3.9MB

Download
memory/1144-2075-0x00007FF7A9F70000-0x00007FF7AA361000-memory.dmp

Filesize
3.9MB

Download
memory/1144-329-0x00007FF7A9F70000-0x00007FF7AA361000-memory.dmp

Filesize
3.9MB

Download
memory/1380-2089-0x00007FF681020000-0x00007FF681411000-memory.dmp

Filesize
3.9MB

Download
memory/1380-361-0x00007FF681020000-0x00007FF681411000-memory.dmp

Filesize
3.9MB

Download
memory/1636-2049-0x00007FF603810000-0x00007FF603C01000-memory.dmp

Filesize
3.9MB

Download
memory/1636-1973-0x00007FF603810000-0x00007FF603C01000-memory.dmp

Filesize
3.9MB

Download
memory/1636-22-0x00007FF603810000-0x00007FF603C01000-memory.dmp

Filesize
3.9MB

Download
memory/1916-2043-0x00007FF62B570000-0x00007FF62B961000-memory.dmp

Filesize
3.9MB

Download
memory/1916-29-0x00007FF62B570000-0x00007FF62B961000-memory.dmp

Filesize
3.9MB

Download
memory/1932-16-0x00007FF68CC80000-0x00007FF68D071000-memory.dmp

Filesize
3.9MB

Download
memory/1932-2053-0x00007FF68CC80000-0x00007FF68D071000-memory.dmp

Filesize
3.9MB

Download
memory/2064-383-0x00007FF6EED10000-0x00007FF6EF101000-memory.dmp

Filesize
3.9MB

Download
memory/2064-2101-0x00007FF6EED10000-0x00007FF6EF101000-memory.dmp

Filesize
3.9MB

Download
memory/2252-370-0x00007FF68FFD0000-0x00007FF6903C1000-memory.dmp

Filesize
3.9MB

Download
memory/2252-2085-0x00007FF68FFD0000-0x00007FF6903C1000-memory.dmp

Filesize
3.9MB

Download
memory/2296-311-0x00007FF6250C0000-0x00007FF6254B1000-memory.dmp

Filesize
3.9MB

Download
memory/2296-2057-0x00007FF6250C0000-0x00007FF6254B1000-memory.dmp

Filesize
3.9MB

Download
memory/2768-2071-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp

Filesize
3.9MB

Download
memory/2768-333-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp

Filesize
3.9MB

Download
memory/2788-324-0x00007FF6B4150000-0x00007FF6B4541000-memory.dmp

Filesize
3.9MB

Download
memory/2788-2073-0x00007FF6B4150000-0x00007FF6B4541000-memory.dmp

Filesize
3.9MB

Download
memory/2884-2055-0x00007FF7F3E00000-0x00007FF7F41F1000-memory.dmp

Filesize
3.9MB

Download
memory/2884-310-0x00007FF7F3E00000-0x00007FF7F41F1000-memory.dmp

Filesize
3.9MB

Download
memory/3288-2061-0x00007FF74CEF0000-0x00007FF74D2E1000-memory.dmp

Filesize
3.9MB

Download
memory/3288-314-0x00007FF74CEF0000-0x00007FF74D2E1000-memory.dmp

Filesize
3.9MB

Download
memory/3296-338-0x00007FF6D6E10000-0x00007FF6D7201000-memory.dmp

Filesize
3.9MB

Download
memory/3296-2077-0x00007FF6D6E10000-0x00007FF6D7201000-memory.dmp

Filesize
3.9MB

Download
memory/3528-2045-0x00007FF6FDE60000-0x00007FF6FE251000-memory.dmp

Filesize
3.9MB

Download
memory/3528-30-0x00007FF6FDE60000-0x00007FF6FE251000-memory.dmp

Filesize
3.9MB

Download
memory/3712-2051-0x00007FF6E6170000-0x00007FF6E6561000-memory.dmp

Filesize
3.9MB

Download
memory/3712-36-0x00007FF6E6170000-0x00007FF6E6561000-memory.dmp

Filesize
3.9MB

Download
memory/3712-2009-0x00007FF6E6170000-0x00007FF6E6561000-memory.dmp

Filesize
3.9MB

Download
memory/3828-316-0x00007FF7E3660000-0x00007FF7E3A51000-memory.dmp

Filesize
3.9MB

Download
memory/3828-2065-0x00007FF7E3660000-0x00007FF7E3A51000-memory.dmp

Filesize
3.9MB

Download
memory/3860-0-0x00007FF6A8530000-0x00007FF6A8921000-memory.dmp

Filesize
3.9MB

Download
memory/3860-1-0x0000021532860000-0x0000021532870000-memory.dmp

Filesize
64KB

Download
memory/4036-2067-0x00007FF744D40000-0x00007FF745131000-memory.dmp

Filesize
3.9MB

Download
memory/4036-315-0x00007FF744D40000-0x00007FF745131000-memory.dmp

Filesize
3.9MB

Download
memory/4164-353-0x00007FF7B9A90000-0x00007FF7B9E81000-memory.dmp

Filesize
3.9MB

Download
memory/4164-2083-0x00007FF7B9A90000-0x00007FF7B9E81000-memory.dmp

Filesize
3.9MB

Download
memory/4332-345-0x00007FF72FCB0000-0x00007FF7300A1000-memory.dmp

Filesize
3.9MB

Download
memory/4332-2079-0x00007FF72FCB0000-0x00007FF7300A1000-memory.dmp

Filesize
3.9MB

Download
memory/4668-372-0x00007FF69EAD0000-0x00007FF69EEC1000-memory.dmp

Filesize
3.9MB

Download
memory/4668-2097-0x00007FF69EAD0000-0x00007FF69EEC1000-memory.dmp

Filesize
3.9MB

Download
memory/4828-2069-0x00007FF643CA0000-0x00007FF644091000-memory.dmp

Filesize
3.9MB

Download
memory/4828-321-0x00007FF643CA0000-0x00007FF644091000-memory.dmp

Filesize
3.9MB

Download
memory/4944-25-0x00007FF6E9100000-0x00007FF6E94F1000-memory.dmp

Filesize
3.9MB

Download
memory/4944-2047-0x00007FF6E9100000-0x00007FF6E94F1000-memory.dmp

Filesize
3.9MB

Download
memory/4944-1974-0x00007FF6E9100000-0x00007FF6E94F1000-memory.dmp

Filesize
3.9MB

Download
memory/5104-313-0x00007FF6DBA30000-0x00007FF6DBE21000-memory.dmp

Filesize
3.9MB

Download
memory/5104-2063-0x00007FF6DBA30000-0x00007FF6DBE21000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads