xmrig | 1abb254682a79e8c7f5cac793297d1b6e459ec9cde58652c028a6093fefbd843

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6333cad92b317a1aac478c68d67fb80N.exe
Size

1.7MB
MD5

d6333cad92b317a1aac478c68d67fb80
SHA1

624ec9e03556114f519138891766aae68bcaec7d
SHA256

1abb254682a79e8c7f5cac793297d1b6e459ec9cde58652c028a6093fefbd843
SHA512

f5b46a2dd7f7c78de61f4e65aca42c3589a26ca40da344d3208164019a08e0db165eaa1f18ffce255947303b69e667ced27fa8b4ea58d2a689a55d7a5fd0aa32
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zMWfmDzrmXYVZ120/rRWAKPNb+8:knw9oUUEEDl37jcq4QXD3IAR8

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2308-444-0x00007FF6A5410000-0x00007FF6A5801000-memory.dmp	xmrig
behavioral2/memory/3704-33-0x00007FF6C5960000-0x00007FF6C5D51000-memory.dmp	xmrig
behavioral2/memory/2268-22-0x00007FF747020000-0x00007FF747411000-memory.dmp	xmrig
behavioral2/memory/4224-445-0x00007FF75FC30000-0x00007FF760021000-memory.dmp	xmrig
behavioral2/memory/4136-446-0x00007FF763B70000-0x00007FF763F61000-memory.dmp	xmrig
behavioral2/memory/5056-447-0x00007FF6A1FB0000-0x00007FF6A23A1000-memory.dmp	xmrig
behavioral2/memory/4784-472-0x00007FF7F0980000-0x00007FF7F0D71000-memory.dmp	xmrig
behavioral2/memory/1816-458-0x00007FF78B970000-0x00007FF78BD61000-memory.dmp	xmrig
behavioral2/memory/2184-450-0x00007FF6D1620000-0x00007FF6D1A11000-memory.dmp	xmrig
behavioral2/memory/3900-474-0x00007FF7BE100000-0x00007FF7BE4F1000-memory.dmp	xmrig
behavioral2/memory/4932-492-0x00007FF606DA0000-0x00007FF607191000-memory.dmp	xmrig
behavioral2/memory/1724-504-0x00007FF6E71A0000-0x00007FF6E7591000-memory.dmp	xmrig
behavioral2/memory/4660-529-0x00007FF63C930000-0x00007FF63CD21000-memory.dmp	xmrig
behavioral2/memory/4236-522-0x00007FF75C160000-0x00007FF75C551000-memory.dmp	xmrig
behavioral2/memory/2296-535-0x00007FF75A080000-0x00007FF75A471000-memory.dmp	xmrig
behavioral2/memory/948-539-0x00007FF6FF320000-0x00007FF6FF711000-memory.dmp	xmrig
behavioral2/memory/3968-541-0x00007FF77BBE0000-0x00007FF77BFD1000-memory.dmp	xmrig
behavioral2/memory/1932-544-0x00007FF676C60000-0x00007FF677051000-memory.dmp	xmrig
behavioral2/memory/3676-533-0x00007FF6A51F0000-0x00007FF6A55E1000-memory.dmp	xmrig
behavioral2/memory/4240-519-0x00007FF7858C0000-0x00007FF785CB1000-memory.dmp	xmrig
behavioral2/memory/2768-515-0x00007FF6D3B40000-0x00007FF6D3F31000-memory.dmp	xmrig
behavioral2/memory/1584-488-0x00007FF79E440000-0x00007FF79E831000-memory.dmp	xmrig
behavioral2/memory/1192-1984-0x00007FF76F9E0000-0x00007FF76FDD1000-memory.dmp	xmrig
behavioral2/memory/1192-1992-0x00007FF76F9E0000-0x00007FF76FDD1000-memory.dmp	xmrig
behavioral2/memory/3560-1994-0x00007FF6E5110000-0x00007FF6E5501000-memory.dmp	xmrig
behavioral2/memory/2268-1996-0x00007FF747020000-0x00007FF747411000-memory.dmp	xmrig
behavioral2/memory/3704-2000-0x00007FF6C5960000-0x00007FF6C5D51000-memory.dmp	xmrig
behavioral2/memory/1932-2002-0x00007FF676C60000-0x00007FF677051000-memory.dmp	xmrig
behavioral2/memory/2308-1998-0x00007FF6A5410000-0x00007FF6A5801000-memory.dmp	xmrig
behavioral2/memory/4136-2006-0x00007FF763B70000-0x00007FF763F61000-memory.dmp	xmrig
behavioral2/memory/2184-2014-0x00007FF6D1620000-0x00007FF6D1A11000-memory.dmp	xmrig
behavioral2/memory/4932-2020-0x00007FF606DA0000-0x00007FF607191000-memory.dmp	xmrig
behavioral2/memory/1724-2022-0x00007FF6E71A0000-0x00007FF6E7591000-memory.dmp	xmrig
behavioral2/memory/4240-2028-0x00007FF7858C0000-0x00007FF785CB1000-memory.dmp	xmrig
behavioral2/memory/4236-2026-0x00007FF75C160000-0x00007FF75C551000-memory.dmp	xmrig
behavioral2/memory/2768-2024-0x00007FF6D3B40000-0x00007FF6D3F31000-memory.dmp	xmrig
behavioral2/memory/1584-2018-0x00007FF79E440000-0x00007FF79E831000-memory.dmp	xmrig
behavioral2/memory/3900-2012-0x00007FF7BE100000-0x00007FF7BE4F1000-memory.dmp	xmrig
behavioral2/memory/4784-2010-0x00007FF7F0980000-0x00007FF7F0D71000-memory.dmp	xmrig
behavioral2/memory/1816-2016-0x00007FF78B970000-0x00007FF78BD61000-memory.dmp	xmrig
behavioral2/memory/5056-2008-0x00007FF6A1FB0000-0x00007FF6A23A1000-memory.dmp	xmrig
behavioral2/memory/4224-2004-0x00007FF75FC30000-0x00007FF760021000-memory.dmp	xmrig
behavioral2/memory/3968-2068-0x00007FF77BBE0000-0x00007FF77BFD1000-memory.dmp	xmrig
behavioral2/memory/2296-2039-0x00007FF75A080000-0x00007FF75A471000-memory.dmp	xmrig
behavioral2/memory/948-2035-0x00007FF6FF320000-0x00007FF6FF711000-memory.dmp	xmrig
behavioral2/memory/4660-2032-0x00007FF63C930000-0x00007FF63CD21000-memory.dmp	xmrig
behavioral2/memory/3676-2030-0x00007FF6A51F0000-0x00007FF6A55E1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1192	DfsUzsz.exe
3560	BhCVBGe.exe
2268	upCJwtw.exe
3704	YFLAIws.exe
2308	EmBGCkK.exe
1932	HIqPovP.exe
4224	UvYKdXR.exe
4136	cdwRraY.exe
5056	nIbKcbK.exe
2184	SOecqLy.exe
1816	nUvstba.exe
4784	MlqTsOt.exe
3900	oDvbRFH.exe
1584	YJtHvKL.exe
4932	kGuKPlI.exe
1724	iZTkAGe.exe
2768	gYKlVCr.exe
4240	XtHuCjM.exe
4236	jRzlSgV.exe
4660	ZlVIMhC.exe
3676	QefAzWA.exe
2296	MfwJnnj.exe
948	mDnfrvU.exe
3968	NXVcDxG.exe
2580	xlTtLlS.exe
3716	lvfYsvs.exe
2076	CDWDXpK.exe
968	UNZqjLp.exe
3960	aJwePoU.exe
3376	ftvtQEC.exe
1164	MkpufIK.exe
1432	oWeGoDL.exe
4192	AWickVU.exe
624	OaxNTvP.exe
4780	AhgKgFr.exe
2952	YVYFtvg.exe
316	OEpUSwF.exe
3876	iKiMyky.exe
1304	aqdiaVu.exe
4796	FCxtdBi.exe
2472	NauiCMs.exe
3692	sPOrLow.exe
4556	HWRwsor.exe
4900	WyyIssR.exe
740	igGcnnv.exe
4532	QpZyalz.exe
4424	qKOprKk.exe
924	ttxEqnM.exe
4104	jNMEZHq.exe
3808	aqEZevY.exe
760	JmIXgkb.exe
100	xhvNmrk.exe
2728	jGYToXN.exe
2312	lcIREkj.exe
4948	XfEhXRf.exe
208	EAIwrOv.exe
392	oGNNGgN.exe
768	wdkDFEH.exe
1860	PbgKuhR.exe
1356	EKJXjjt.exe
2652	ibcaLJP.exe
2788	SOgnOGQ.exe
456	oDpYJSk.exe
1464	NwNXMRU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4652-0-0x00007FF6466A0000-0x00007FF646A91000-memory.dmp	upx
behavioral2/files/0x00090000000234ce-5.dat	upx
behavioral2/memory/3560-18-0x00007FF6E5110000-0x00007FF6E5501000-memory.dmp	upx
behavioral2/files/0x00070000000234e8-23.dat	upx
behavioral2/files/0x00070000000234e9-26.dat	upx
behavioral2/files/0x00070000000234ea-35.dat	upx
behavioral2/files/0x00070000000234eb-40.dat	upx
behavioral2/files/0x00070000000234ec-43.dat	upx
behavioral2/files/0x00070000000234ed-47.dat	upx
behavioral2/files/0x00070000000234f0-65.dat	upx
behavioral2/files/0x00070000000234f2-72.dat	upx
behavioral2/files/0x00070000000234f3-80.dat	upx
behavioral2/files/0x00070000000234f7-97.dat	upx
behavioral2/files/0x00070000000234f8-105.dat	upx
behavioral2/files/0x00070000000234fa-115.dat	upx
behavioral2/files/0x0007000000023505-166.dat	upx
behavioral2/files/0x0007000000023504-164.dat	upx
behavioral2/files/0x0007000000023503-160.dat	upx
behavioral2/files/0x0007000000023502-155.dat	upx
behavioral2/files/0x0007000000023501-150.dat	upx
behavioral2/files/0x0007000000023500-145.dat	upx
behavioral2/files/0x00070000000234ff-140.dat	upx
behavioral2/memory/2308-444-0x00007FF6A5410000-0x00007FF6A5801000-memory.dmp	upx
behavioral2/files/0x00070000000234fe-138.dat	upx
behavioral2/files/0x00070000000234fd-130.dat	upx
behavioral2/files/0x00070000000234fc-125.dat	upx
behavioral2/files/0x00070000000234fb-120.dat	upx
behavioral2/files/0x00070000000234f9-110.dat	upx
behavioral2/files/0x00070000000234f6-95.dat	upx
behavioral2/files/0x00070000000234f5-90.dat	upx
behavioral2/files/0x00070000000234f4-85.dat	upx
behavioral2/files/0x00070000000234f1-70.dat	upx
behavioral2/files/0x00070000000234ef-60.dat	upx
behavioral2/files/0x00070000000234ee-55.dat	upx
behavioral2/memory/3704-33-0x00007FF6C5960000-0x00007FF6C5D51000-memory.dmp	upx
behavioral2/memory/2268-22-0x00007FF747020000-0x00007FF747411000-memory.dmp	upx
behavioral2/files/0x00070000000234e7-17.dat	upx
behavioral2/memory/1192-14-0x00007FF76F9E0000-0x00007FF76FDD1000-memory.dmp	upx
behavioral2/files/0x00080000000234e6-13.dat	upx
behavioral2/memory/4224-445-0x00007FF75FC30000-0x00007FF760021000-memory.dmp	upx
behavioral2/memory/4136-446-0x00007FF763B70000-0x00007FF763F61000-memory.dmp	upx
behavioral2/memory/5056-447-0x00007FF6A1FB0000-0x00007FF6A23A1000-memory.dmp	upx
behavioral2/memory/4784-472-0x00007FF7F0980000-0x00007FF7F0D71000-memory.dmp	upx
behavioral2/memory/1816-458-0x00007FF78B970000-0x00007FF78BD61000-memory.dmp	upx
behavioral2/memory/2184-450-0x00007FF6D1620000-0x00007FF6D1A11000-memory.dmp	upx
behavioral2/memory/3900-474-0x00007FF7BE100000-0x00007FF7BE4F1000-memory.dmp	upx
behavioral2/memory/4932-492-0x00007FF606DA0000-0x00007FF607191000-memory.dmp	upx
behavioral2/memory/1724-504-0x00007FF6E71A0000-0x00007FF6E7591000-memory.dmp	upx
behavioral2/memory/4660-529-0x00007FF63C930000-0x00007FF63CD21000-memory.dmp	upx
behavioral2/memory/4236-522-0x00007FF75C160000-0x00007FF75C551000-memory.dmp	upx
behavioral2/memory/2296-535-0x00007FF75A080000-0x00007FF75A471000-memory.dmp	upx
behavioral2/memory/948-539-0x00007FF6FF320000-0x00007FF6FF711000-memory.dmp	upx
behavioral2/memory/3968-541-0x00007FF77BBE0000-0x00007FF77BFD1000-memory.dmp	upx
behavioral2/memory/1932-544-0x00007FF676C60000-0x00007FF677051000-memory.dmp	upx
behavioral2/memory/3676-533-0x00007FF6A51F0000-0x00007FF6A55E1000-memory.dmp	upx
behavioral2/memory/4240-519-0x00007FF7858C0000-0x00007FF785CB1000-memory.dmp	upx
behavioral2/memory/2768-515-0x00007FF6D3B40000-0x00007FF6D3F31000-memory.dmp	upx
behavioral2/memory/1584-488-0x00007FF79E440000-0x00007FF79E831000-memory.dmp	upx
behavioral2/memory/1192-1984-0x00007FF76F9E0000-0x00007FF76FDD1000-memory.dmp	upx
behavioral2/memory/1192-1992-0x00007FF76F9E0000-0x00007FF76FDD1000-memory.dmp	upx
behavioral2/memory/3560-1994-0x00007FF6E5110000-0x00007FF6E5501000-memory.dmp	upx
behavioral2/memory/2268-1996-0x00007FF747020000-0x00007FF747411000-memory.dmp	upx
behavioral2/memory/3704-2000-0x00007FF6C5960000-0x00007FF6C5D51000-memory.dmp	upx
behavioral2/memory/1932-2002-0x00007FF676C60000-0x00007FF677051000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\oDvbRFH.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\fUXQHUw.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\FCSsdXw.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\kAWgxzx.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\Lrxrbcd.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\MjKGzlx.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\HWRwsor.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\ttxEqnM.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\AcsGgUv.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\upULdkE.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\MHwOruN.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\eJfkKAH.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\tgfIHkw.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\PEDYCJc.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\dkybnfA.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\zJLoJhZ.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\iEQdUGc.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\bEUQDLR.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\YVYFtvg.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\sUShhVU.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\KgVXvjV.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\OQPVGdq.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\AmBuUmZ.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\weMMlzy.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\QkpZmAb.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\EKJXjjt.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\YOdTvNz.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\pCDqbeA.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\MWiGEHn.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\nyIBGhb.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\vFoewQa.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\XfEhXRf.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\YswKmUk.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\FgvyauR.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\YAOehGj.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\vmIKyKo.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\LERVpCx.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\nIbKcbK.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\KqmPGjG.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\xGbEKwU.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\YSgKzgK.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\Tomhbeg.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\KilcrRC.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\mDnfrvU.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\XIJfgEd.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\SslaSFR.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\ckdQPbf.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\oVlIEkJ.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\kGuKPlI.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\iKiMyky.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\CNswNPH.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\QESaojd.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\uNpwVdM.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\bBKWQaD.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\CkvSokO.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\tIoYzdv.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\PaswGfK.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\dSghQGf.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\zIfdskh.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\cgklIsd.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\LbsXQws.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\nNBnGyM.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\WGgiZXX.exe	d6333cad92b317a1aac478c68d67fb80N.exe
File created	C:\Windows\System32\hZDIypU.exe	d6333cad92b317a1aac478c68d67fb80N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12332	dwm.exe
Token: SeChangeNotifyPrivilege	12332	dwm.exe
Token: 33	12332	dwm.exe
Token: SeIncBasePriorityPrivilege	12332	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 1192	4652	d6333cad92b317a1aac478c68d67fb80N.exe	86
PID 4652 wrote to memory of 1192	4652	d6333cad92b317a1aac478c68d67fb80N.exe	86
PID 4652 wrote to memory of 3560	4652	d6333cad92b317a1aac478c68d67fb80N.exe	87
PID 4652 wrote to memory of 3560	4652	d6333cad92b317a1aac478c68d67fb80N.exe	87
PID 4652 wrote to memory of 2268	4652	d6333cad92b317a1aac478c68d67fb80N.exe	88
PID 4652 wrote to memory of 2268	4652	d6333cad92b317a1aac478c68d67fb80N.exe	88
PID 4652 wrote to memory of 3704	4652	d6333cad92b317a1aac478c68d67fb80N.exe	89
PID 4652 wrote to memory of 3704	4652	d6333cad92b317a1aac478c68d67fb80N.exe	89
PID 4652 wrote to memory of 2308	4652	d6333cad92b317a1aac478c68d67fb80N.exe	90
PID 4652 wrote to memory of 2308	4652	d6333cad92b317a1aac478c68d67fb80N.exe	90
PID 4652 wrote to memory of 1932	4652	d6333cad92b317a1aac478c68d67fb80N.exe	91
PID 4652 wrote to memory of 1932	4652	d6333cad92b317a1aac478c68d67fb80N.exe	91
PID 4652 wrote to memory of 4224	4652	d6333cad92b317a1aac478c68d67fb80N.exe	92
PID 4652 wrote to memory of 4224	4652	d6333cad92b317a1aac478c68d67fb80N.exe	92
PID 4652 wrote to memory of 4136	4652	d6333cad92b317a1aac478c68d67fb80N.exe	93
PID 4652 wrote to memory of 4136	4652	d6333cad92b317a1aac478c68d67fb80N.exe	93
PID 4652 wrote to memory of 5056	4652	d6333cad92b317a1aac478c68d67fb80N.exe	94
PID 4652 wrote to memory of 5056	4652	d6333cad92b317a1aac478c68d67fb80N.exe	94
PID 4652 wrote to memory of 2184	4652	d6333cad92b317a1aac478c68d67fb80N.exe	95
PID 4652 wrote to memory of 2184	4652	d6333cad92b317a1aac478c68d67fb80N.exe	95
PID 4652 wrote to memory of 1816	4652	d6333cad92b317a1aac478c68d67fb80N.exe	96
PID 4652 wrote to memory of 1816	4652	d6333cad92b317a1aac478c68d67fb80N.exe	96
PID 4652 wrote to memory of 4784	4652	d6333cad92b317a1aac478c68d67fb80N.exe	97
PID 4652 wrote to memory of 4784	4652	d6333cad92b317a1aac478c68d67fb80N.exe	97
PID 4652 wrote to memory of 3900	4652	d6333cad92b317a1aac478c68d67fb80N.exe	98
PID 4652 wrote to memory of 3900	4652	d6333cad92b317a1aac478c68d67fb80N.exe	98
PID 4652 wrote to memory of 1584	4652	d6333cad92b317a1aac478c68d67fb80N.exe	99
PID 4652 wrote to memory of 1584	4652	d6333cad92b317a1aac478c68d67fb80N.exe	99
PID 4652 wrote to memory of 4932	4652	d6333cad92b317a1aac478c68d67fb80N.exe	100
PID 4652 wrote to memory of 4932	4652	d6333cad92b317a1aac478c68d67fb80N.exe	100
PID 4652 wrote to memory of 1724	4652	d6333cad92b317a1aac478c68d67fb80N.exe	101
PID 4652 wrote to memory of 1724	4652	d6333cad92b317a1aac478c68d67fb80N.exe	101
PID 4652 wrote to memory of 2768	4652	d6333cad92b317a1aac478c68d67fb80N.exe	102
PID 4652 wrote to memory of 2768	4652	d6333cad92b317a1aac478c68d67fb80N.exe	102
PID 4652 wrote to memory of 4240	4652	d6333cad92b317a1aac478c68d67fb80N.exe	103
PID 4652 wrote to memory of 4240	4652	d6333cad92b317a1aac478c68d67fb80N.exe	103
PID 4652 wrote to memory of 4236	4652	d6333cad92b317a1aac478c68d67fb80N.exe	104
PID 4652 wrote to memory of 4236	4652	d6333cad92b317a1aac478c68d67fb80N.exe	104
PID 4652 wrote to memory of 4660	4652	d6333cad92b317a1aac478c68d67fb80N.exe	105
PID 4652 wrote to memory of 4660	4652	d6333cad92b317a1aac478c68d67fb80N.exe	105
PID 4652 wrote to memory of 3676	4652	d6333cad92b317a1aac478c68d67fb80N.exe	106
PID 4652 wrote to memory of 3676	4652	d6333cad92b317a1aac478c68d67fb80N.exe	106
PID 4652 wrote to memory of 2296	4652	d6333cad92b317a1aac478c68d67fb80N.exe	107
PID 4652 wrote to memory of 2296	4652	d6333cad92b317a1aac478c68d67fb80N.exe	107
PID 4652 wrote to memory of 948	4652	d6333cad92b317a1aac478c68d67fb80N.exe	108
PID 4652 wrote to memory of 948	4652	d6333cad92b317a1aac478c68d67fb80N.exe	108
PID 4652 wrote to memory of 3968	4652	d6333cad92b317a1aac478c68d67fb80N.exe	109
PID 4652 wrote to memory of 3968	4652	d6333cad92b317a1aac478c68d67fb80N.exe	109
PID 4652 wrote to memory of 2580	4652	d6333cad92b317a1aac478c68d67fb80N.exe	110
PID 4652 wrote to memory of 2580	4652	d6333cad92b317a1aac478c68d67fb80N.exe	110
PID 4652 wrote to memory of 3716	4652	d6333cad92b317a1aac478c68d67fb80N.exe	111
PID 4652 wrote to memory of 3716	4652	d6333cad92b317a1aac478c68d67fb80N.exe	111
PID 4652 wrote to memory of 2076	4652	d6333cad92b317a1aac478c68d67fb80N.exe	112
PID 4652 wrote to memory of 2076	4652	d6333cad92b317a1aac478c68d67fb80N.exe	112
PID 4652 wrote to memory of 968	4652	d6333cad92b317a1aac478c68d67fb80N.exe	113
PID 4652 wrote to memory of 968	4652	d6333cad92b317a1aac478c68d67fb80N.exe	113
PID 4652 wrote to memory of 3960	4652	d6333cad92b317a1aac478c68d67fb80N.exe	114
PID 4652 wrote to memory of 3960	4652	d6333cad92b317a1aac478c68d67fb80N.exe	114
PID 4652 wrote to memory of 3376	4652	d6333cad92b317a1aac478c68d67fb80N.exe	115
PID 4652 wrote to memory of 3376	4652	d6333cad92b317a1aac478c68d67fb80N.exe	115
PID 4652 wrote to memory of 1164	4652	d6333cad92b317a1aac478c68d67fb80N.exe	116
PID 4652 wrote to memory of 1164	4652	d6333cad92b317a1aac478c68d67fb80N.exe	116
PID 4652 wrote to memory of 1432	4652	d6333cad92b317a1aac478c68d67fb80N.exe	117
PID 4652 wrote to memory of 1432	4652	d6333cad92b317a1aac478c68d67fb80N.exe	117

C:\Users\Admin\AppData\Local\Temp\d6333cad92b317a1aac478c68d67fb80N.exe
"C:\Users\Admin\AppData\Local\Temp\d6333cad92b317a1aac478c68d67fb80N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\System32\DfsUzsz.exe
  C:\Windows\System32\DfsUzsz.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System32\BhCVBGe.exe
  C:\Windows\System32\BhCVBGe.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\upCJwtw.exe
  C:\Windows\System32\upCJwtw.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System32\YFLAIws.exe
  C:\Windows\System32\YFLAIws.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\EmBGCkK.exe
  C:\Windows\System32\EmBGCkK.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System32\HIqPovP.exe
  C:\Windows\System32\HIqPovP.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\UvYKdXR.exe
  C:\Windows\System32\UvYKdXR.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\cdwRraY.exe
  C:\Windows\System32\cdwRraY.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System32\nIbKcbK.exe
  C:\Windows\System32\nIbKcbK.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\SOecqLy.exe
  C:\Windows\System32\SOecqLy.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System32\nUvstba.exe
  C:\Windows\System32\nUvstba.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System32\MlqTsOt.exe
  C:\Windows\System32\MlqTsOt.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System32\oDvbRFH.exe
  C:\Windows\System32\oDvbRFH.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System32\YJtHvKL.exe
  C:\Windows\System32\YJtHvKL.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System32\kGuKPlI.exe
  C:\Windows\System32\kGuKPlI.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\iZTkAGe.exe
  C:\Windows\System32\iZTkAGe.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System32\gYKlVCr.exe
  C:\Windows\System32\gYKlVCr.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System32\XtHuCjM.exe
  C:\Windows\System32\XtHuCjM.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\jRzlSgV.exe
  C:\Windows\System32\jRzlSgV.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\ZlVIMhC.exe
  C:\Windows\System32\ZlVIMhC.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\QefAzWA.exe
  C:\Windows\System32\QefAzWA.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\MfwJnnj.exe
  C:\Windows\System32\MfwJnnj.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\mDnfrvU.exe
  C:\Windows\System32\mDnfrvU.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System32\NXVcDxG.exe
  C:\Windows\System32\NXVcDxG.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\xlTtLlS.exe
  C:\Windows\System32\xlTtLlS.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System32\lvfYsvs.exe
  C:\Windows\System32\lvfYsvs.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System32\CDWDXpK.exe
  C:\Windows\System32\CDWDXpK.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\UNZqjLp.exe
  C:\Windows\System32\UNZqjLp.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System32\aJwePoU.exe
  C:\Windows\System32\aJwePoU.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System32\ftvtQEC.exe
  C:\Windows\System32\ftvtQEC.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System32\MkpufIK.exe
  C:\Windows\System32\MkpufIK.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\oWeGoDL.exe
  C:\Windows\System32\oWeGoDL.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System32\AWickVU.exe
  C:\Windows\System32\AWickVU.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System32\OaxNTvP.exe
  C:\Windows\System32\OaxNTvP.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\AhgKgFr.exe
  C:\Windows\System32\AhgKgFr.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\YVYFtvg.exe
  C:\Windows\System32\YVYFtvg.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System32\OEpUSwF.exe
  C:\Windows\System32\OEpUSwF.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System32\iKiMyky.exe
  C:\Windows\System32\iKiMyky.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System32\aqdiaVu.exe
  C:\Windows\System32\aqdiaVu.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System32\FCxtdBi.exe
  C:\Windows\System32\FCxtdBi.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\NauiCMs.exe
  C:\Windows\System32\NauiCMs.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\sPOrLow.exe
  C:\Windows\System32\sPOrLow.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\HWRwsor.exe
  C:\Windows\System32\HWRwsor.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System32\WyyIssR.exe
  C:\Windows\System32\WyyIssR.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\igGcnnv.exe
  C:\Windows\System32\igGcnnv.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\QpZyalz.exe
  C:\Windows\System32\QpZyalz.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System32\qKOprKk.exe
  C:\Windows\System32\qKOprKk.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\ttxEqnM.exe
  C:\Windows\System32\ttxEqnM.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System32\jNMEZHq.exe
  C:\Windows\System32\jNMEZHq.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System32\aqEZevY.exe
  C:\Windows\System32\aqEZevY.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System32\JmIXgkb.exe
  C:\Windows\System32\JmIXgkb.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System32\xhvNmrk.exe
  C:\Windows\System32\xhvNmrk.exe
  2⤵
  - Executes dropped EXE
  PID:100
- C:\Windows\System32\jGYToXN.exe
  C:\Windows\System32\jGYToXN.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System32\lcIREkj.exe
  C:\Windows\System32\lcIREkj.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System32\XfEhXRf.exe
  C:\Windows\System32\XfEhXRf.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\EAIwrOv.exe
  C:\Windows\System32\EAIwrOv.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System32\oGNNGgN.exe
  C:\Windows\System32\oGNNGgN.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\wdkDFEH.exe
  C:\Windows\System32\wdkDFEH.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System32\PbgKuhR.exe
  C:\Windows\System32\PbgKuhR.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System32\EKJXjjt.exe
  C:\Windows\System32\EKJXjjt.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System32\ibcaLJP.exe
  C:\Windows\System32\ibcaLJP.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System32\SOgnOGQ.exe
  C:\Windows\System32\SOgnOGQ.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\oDpYJSk.exe
  C:\Windows\System32\oDpYJSk.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System32\NwNXMRU.exe
  C:\Windows\System32\NwNXMRU.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System32\Lrxrbcd.exe
  C:\Windows\System32\Lrxrbcd.exe
  2⤵
  PID:4732
- C:\Windows\System32\UBYReDb.exe
  C:\Windows\System32\UBYReDb.exe
  2⤵
  PID:64
- C:\Windows\System32\gvyPDHn.exe
  C:\Windows\System32\gvyPDHn.exe
  2⤵
  PID:2604
- C:\Windows\System32\sUShhVU.exe
  C:\Windows\System32\sUShhVU.exe
  2⤵
  PID:2300
- C:\Windows\System32\IUYYlCW.exe
  C:\Windows\System32\IUYYlCW.exe
  2⤵
  PID:4820
- C:\Windows\System32\wPgRWrh.exe
  C:\Windows\System32\wPgRWrh.exe
  2⤵
  PID:748
- C:\Windows\System32\rNKlIOG.exe
  C:\Windows\System32\rNKlIOG.exe
  2⤵
  PID:752
- C:\Windows\System32\NDzwZse.exe
  C:\Windows\System32\NDzwZse.exe
  2⤵
  PID:4792
- C:\Windows\System32\fUXQHUw.exe
  C:\Windows\System32\fUXQHUw.exe
  2⤵
  PID:4540
- C:\Windows\System32\NIYTJBx.exe
  C:\Windows\System32\NIYTJBx.exe
  2⤵
  PID:1692
- C:\Windows\System32\UWPLGrG.exe
  C:\Windows\System32\UWPLGrG.exe
  2⤵
  PID:3384
- C:\Windows\System32\HJfUgoI.exe
  C:\Windows\System32\HJfUgoI.exe
  2⤵
  PID:4656
- C:\Windows\System32\WQZJdkK.exe
  C:\Windows\System32\WQZJdkK.exe
  2⤵
  PID:3016
- C:\Windows\System32\EAkKnDs.exe
  C:\Windows\System32\EAkKnDs.exe
  2⤵
  PID:2928
- C:\Windows\System32\JytuXYT.exe
  C:\Windows\System32\JytuXYT.exe
  2⤵
  PID:1372
- C:\Windows\System32\acwuOMT.exe
  C:\Windows\System32\acwuOMT.exe
  2⤵
  PID:3636
- C:\Windows\System32\EfSAwdf.exe
  C:\Windows\System32\EfSAwdf.exe
  2⤵
  PID:5048
- C:\Windows\System32\lEiKYcZ.exe
  C:\Windows\System32\lEiKYcZ.exe
  2⤵
  PID:860
- C:\Windows\System32\CkvSokO.exe
  C:\Windows\System32\CkvSokO.exe
  2⤵
  PID:4456
- C:\Windows\System32\PRIPnAh.exe
  C:\Windows\System32\PRIPnAh.exe
  2⤵
  PID:540
- C:\Windows\System32\maKSnnS.exe
  C:\Windows\System32\maKSnnS.exe
  2⤵
  PID:2404
- C:\Windows\System32\JpcHoum.exe
  C:\Windows\System32\JpcHoum.exe
  2⤵
  PID:464
- C:\Windows\System32\extQVer.exe
  C:\Windows\System32\extQVer.exe
  2⤵
  PID:2344
- C:\Windows\System32\EcKUPPb.exe
  C:\Windows\System32\EcKUPPb.exe
  2⤵
  PID:1924
- C:\Windows\System32\eJfkKAH.exe
  C:\Windows\System32\eJfkKAH.exe
  2⤵
  PID:2844
- C:\Windows\System32\LxblRGb.exe
  C:\Windows\System32\LxblRGb.exe
  2⤵
  PID:3236
- C:\Windows\System32\GVUDaCj.exe
  C:\Windows\System32\GVUDaCj.exe
  2⤵
  PID:4544
- C:\Windows\System32\BCqxjlu.exe
  C:\Windows\System32\BCqxjlu.exe
  2⤵
  PID:2124
- C:\Windows\System32\ONPhcjz.exe
  C:\Windows\System32\ONPhcjz.exe
  2⤵
  PID:3004
- C:\Windows\System32\IcmKopy.exe
  C:\Windows\System32\IcmKopy.exe
  2⤵
  PID:5124
- C:\Windows\System32\xYLOqTq.exe
  C:\Windows\System32\xYLOqTq.exe
  2⤵
  PID:5140
- C:\Windows\System32\qsYHPhu.exe
  C:\Windows\System32\qsYHPhu.exe
  2⤵
  PID:5168
- C:\Windows\System32\OSuOUJW.exe
  C:\Windows\System32\OSuOUJW.exe
  2⤵
  PID:5196
- C:\Windows\System32\dyjcUOl.exe
  C:\Windows\System32\dyjcUOl.exe
  2⤵
  PID:5224
- C:\Windows\System32\tIoYzdv.exe
  C:\Windows\System32\tIoYzdv.exe
  2⤵
  PID:5252
- C:\Windows\System32\yFacmiU.exe
  C:\Windows\System32\yFacmiU.exe
  2⤵
  PID:5288
- C:\Windows\System32\Hhisfig.exe
  C:\Windows\System32\Hhisfig.exe
  2⤵
  PID:5308
- C:\Windows\System32\xKGVcIs.exe
  C:\Windows\System32\xKGVcIs.exe
  2⤵
  PID:5336
- C:\Windows\System32\mmkOOnh.exe
  C:\Windows\System32\mmkOOnh.exe
  2⤵
  PID:5372
- C:\Windows\System32\scUAwBJ.exe
  C:\Windows\System32\scUAwBJ.exe
  2⤵
  PID:5392
- C:\Windows\System32\RpTtnRd.exe
  C:\Windows\System32\RpTtnRd.exe
  2⤵
  PID:5420
- C:\Windows\System32\ksDrAqO.exe
  C:\Windows\System32\ksDrAqO.exe
  2⤵
  PID:5448
- C:\Windows\System32\dLnZron.exe
  C:\Windows\System32\dLnZron.exe
  2⤵
  PID:5480
- C:\Windows\System32\GZdCyZS.exe
  C:\Windows\System32\GZdCyZS.exe
  2⤵
  PID:5504
- C:\Windows\System32\PXkCLYg.exe
  C:\Windows\System32\PXkCLYg.exe
  2⤵
  PID:5536
- C:\Windows\System32\YOdTvNz.exe
  C:\Windows\System32\YOdTvNz.exe
  2⤵
  PID:5560
- C:\Windows\System32\tLcoLGv.exe
  C:\Windows\System32\tLcoLGv.exe
  2⤵
  PID:5592
- C:\Windows\System32\HchAvOU.exe
  C:\Windows\System32\HchAvOU.exe
  2⤵
  PID:5620
- C:\Windows\System32\qcfSHLJ.exe
  C:\Windows\System32\qcfSHLJ.exe
  2⤵
  PID:5648
- C:\Windows\System32\MmvqgbG.exe
  C:\Windows\System32\MmvqgbG.exe
  2⤵
  PID:5672
- C:\Windows\System32\XHXPTyN.exe
  C:\Windows\System32\XHXPTyN.exe
  2⤵
  PID:5704
- C:\Windows\System32\OVVvLbP.exe
  C:\Windows\System32\OVVvLbP.exe
  2⤵
  PID:5732
- C:\Windows\System32\fOtSWYe.exe
  C:\Windows\System32\fOtSWYe.exe
  2⤵
  PID:5760
- C:\Windows\System32\tbrmANK.exe
  C:\Windows\System32\tbrmANK.exe
  2⤵
  PID:5788
- C:\Windows\System32\orbXPMQ.exe
  C:\Windows\System32\orbXPMQ.exe
  2⤵
  PID:5812
- C:\Windows\System32\CvkwDqW.exe
  C:\Windows\System32\CvkwDqW.exe
  2⤵
  PID:5844
- C:\Windows\System32\tVVhSCc.exe
  C:\Windows\System32\tVVhSCc.exe
  2⤵
  PID:5872
- C:\Windows\System32\gTyFJHl.exe
  C:\Windows\System32\gTyFJHl.exe
  2⤵
  PID:5896
- C:\Windows\System32\cIMhcTg.exe
  C:\Windows\System32\cIMhcTg.exe
  2⤵
  PID:5924
- C:\Windows\System32\tFbeRER.exe
  C:\Windows\System32\tFbeRER.exe
  2⤵
  PID:5952
- C:\Windows\System32\mNvNQXg.exe
  C:\Windows\System32\mNvNQXg.exe
  2⤵
  PID:5984
- C:\Windows\System32\gXkUvqG.exe
  C:\Windows\System32\gXkUvqG.exe
  2⤵
  PID:6072
- C:\Windows\System32\obekjWw.exe
  C:\Windows\System32\obekjWw.exe
  2⤵
  PID:6092
- C:\Windows\System32\tilmZLy.exe
  C:\Windows\System32\tilmZLy.exe
  2⤵
  PID:6112
- C:\Windows\System32\gTdAees.exe
  C:\Windows\System32\gTdAees.exe
  2⤵
  PID:6132
- C:\Windows\System32\PCaAfYO.exe
  C:\Windows\System32\PCaAfYO.exe
  2⤵
  PID:920
- C:\Windows\System32\BbHtPuw.exe
  C:\Windows\System32\BbHtPuw.exe
  2⤵
  PID:1632
- C:\Windows\System32\cDzjFBX.exe
  C:\Windows\System32\cDzjFBX.exe
  2⤵
  PID:4348
- C:\Windows\System32\PcbupAE.exe
  C:\Windows\System32\PcbupAE.exe
  2⤵
  PID:1784
- C:\Windows\System32\WfjIzAj.exe
  C:\Windows\System32\WfjIzAj.exe
  2⤵
  PID:3632
- C:\Windows\System32\Psvutff.exe
  C:\Windows\System32\Psvutff.exe
  2⤵
  PID:5148
- C:\Windows\System32\ITXKFbC.exe
  C:\Windows\System32\ITXKFbC.exe
  2⤵
  PID:5216
- C:\Windows\System32\vFSDFFv.exe
  C:\Windows\System32\vFSDFFv.exe
  2⤵
  PID:5236
- C:\Windows\System32\iwuJwvC.exe
  C:\Windows\System32\iwuJwvC.exe
  2⤵
  PID:5380
- C:\Windows\System32\ruvxsUw.exe
  C:\Windows\System32\ruvxsUw.exe
  2⤵
  PID:5404
- C:\Windows\System32\bvvnQgY.exe
  C:\Windows\System32\bvvnQgY.exe
  2⤵
  PID:5464
- C:\Windows\System32\roTqGnc.exe
  C:\Windows\System32\roTqGnc.exe
  2⤵
  PID:3924
- C:\Windows\System32\drpUXSC.exe
  C:\Windows\System32\drpUXSC.exe
  2⤵
  PID:5084
- C:\Windows\System32\rDzAWBy.exe
  C:\Windows\System32\rDzAWBy.exe
  2⤵
  PID:3584
- C:\Windows\System32\KqmPGjG.exe
  C:\Windows\System32\KqmPGjG.exe
  2⤵
  PID:1016
- C:\Windows\System32\xCsJOnq.exe
  C:\Windows\System32\xCsJOnq.exe
  2⤵
  PID:5668
- C:\Windows\System32\eFtXCaP.exe
  C:\Windows\System32\eFtXCaP.exe
  2⤵
  PID:5712
- C:\Windows\System32\reCSYFV.exe
  C:\Windows\System32\reCSYFV.exe
  2⤵
  PID:5744
- C:\Windows\System32\SlKgICA.exe
  C:\Windows\System32\SlKgICA.exe
  2⤵
  PID:5940
- C:\Windows\System32\LBNXfcy.exe
  C:\Windows\System32\LBNXfcy.exe
  2⤵
  PID:1556
- C:\Windows\System32\XIJfgEd.exe
  C:\Windows\System32\XIJfgEd.exe
  2⤵
  PID:2668
- C:\Windows\System32\LotSLoK.exe
  C:\Windows\System32\LotSLoK.exe
  2⤵
  PID:5976
- C:\Windows\System32\ykuEgFH.exe
  C:\Windows\System32\ykuEgFH.exe
  2⤵
  PID:5024
- C:\Windows\System32\byZdQpw.exe
  C:\Windows\System32\byZdQpw.exe
  2⤵
  PID:4352
- C:\Windows\System32\pGARTOs.exe
  C:\Windows\System32\pGARTOs.exe
  2⤵
  PID:2168
- C:\Windows\System32\NeqnWMW.exe
  C:\Windows\System32\NeqnWMW.exe
  2⤵
  PID:4888
- C:\Windows\System32\ezZZGeE.exe
  C:\Windows\System32\ezZZGeE.exe
  2⤵
  PID:5320
- C:\Windows\System32\KgVXvjV.exe
  C:\Windows\System32\KgVXvjV.exe
  2⤵
  PID:5180
- C:\Windows\System32\WTjFbhd.exe
  C:\Windows\System32\WTjFbhd.exe
  2⤵
  PID:5244
- C:\Windows\System32\bUfYPEq.exe
  C:\Windows\System32\bUfYPEq.exe
  2⤵
  PID:5584
- C:\Windows\System32\ExllfbU.exe
  C:\Windows\System32\ExllfbU.exe
  2⤵
  PID:5412
- C:\Windows\System32\lfVpGxF.exe
  C:\Windows\System32\lfVpGxF.exe
  2⤵
  PID:4620
- C:\Windows\System32\fRFoqGW.exe
  C:\Windows\System32\fRFoqGW.exe
  2⤵
  PID:5612
- C:\Windows\System32\OxJdQSJ.exe
  C:\Windows\System32\OxJdQSJ.exe
  2⤵
  PID:5772
- C:\Windows\System32\aUGWajz.exe
  C:\Windows\System32\aUGWajz.exe
  2⤵
  PID:2284
- C:\Windows\System32\ANHHKtx.exe
  C:\Windows\System32\ANHHKtx.exe
  2⤵
  PID:5780
- C:\Windows\System32\ubFfdbS.exe
  C:\Windows\System32\ubFfdbS.exe
  2⤵
  PID:1384
- C:\Windows\System32\GnichoA.exe
  C:\Windows\System32\GnichoA.exe
  2⤵
  PID:6088
- C:\Windows\System32\XxcrEKr.exe
  C:\Windows\System32\XxcrEKr.exe
  2⤵
  PID:396
- C:\Windows\System32\OQPVGdq.exe
  C:\Windows\System32\OQPVGdq.exe
  2⤵
  PID:6080
- C:\Windows\System32\jAbcSlp.exe
  C:\Windows\System32\jAbcSlp.exe
  2⤵
  PID:4016
- C:\Windows\System32\GKhRsVs.exe
  C:\Windows\System32\GKhRsVs.exe
  2⤵
  PID:3880
- C:\Windows\System32\eFqSqQA.exe
  C:\Windows\System32\eFqSqQA.exe
  2⤵
  PID:4100
- C:\Windows\System32\kvurNGf.exe
  C:\Windows\System32\kvurNGf.exe
  2⤵
  PID:5492
- C:\Windows\System32\qkAdskO.exe
  C:\Windows\System32\qkAdskO.exe
  2⤵
  PID:1880
- C:\Windows\System32\yAZRBVW.exe
  C:\Windows\System32\yAZRBVW.exe
  2⤵
  PID:452
- C:\Windows\System32\olsXVJn.exe
  C:\Windows\System32\olsXVJn.exe
  2⤵
  PID:3100
- C:\Windows\System32\RIAiQmp.exe
  C:\Windows\System32\RIAiQmp.exe
  2⤵
  PID:1884
- C:\Windows\System32\tRGKjee.exe
  C:\Windows\System32\tRGKjee.exe
  2⤵
  PID:5136
- C:\Windows\System32\kCvjnFB.exe
  C:\Windows\System32\kCvjnFB.exe
  2⤵
  PID:4232
- C:\Windows\System32\XKmuEuS.exe
  C:\Windows\System32\XKmuEuS.exe
  2⤵
  PID:6152
- C:\Windows\System32\OAPdppu.exe
  C:\Windows\System32\OAPdppu.exe
  2⤵
  PID:6172
- C:\Windows\System32\KmkRova.exe
  C:\Windows\System32\KmkRova.exe
  2⤵
  PID:6208
- C:\Windows\System32\SslaSFR.exe
  C:\Windows\System32\SslaSFR.exe
  2⤵
  PID:6224
- C:\Windows\System32\MfhrNjW.exe
  C:\Windows\System32\MfhrNjW.exe
  2⤵
  PID:6244
- C:\Windows\System32\swkLiqn.exe
  C:\Windows\System32\swkLiqn.exe
  2⤵
  PID:6264
- C:\Windows\System32\XfEkpfV.exe
  C:\Windows\System32\XfEkpfV.exe
  2⤵
  PID:6284
- C:\Windows\System32\RkdXKFW.exe
  C:\Windows\System32\RkdXKFW.exe
  2⤵
  PID:6312
- C:\Windows\System32\vJDbtMo.exe
  C:\Windows\System32\vJDbtMo.exe
  2⤵
  PID:6344
- C:\Windows\System32\SVSXLxS.exe
  C:\Windows\System32\SVSXLxS.exe
  2⤵
  PID:6364
- C:\Windows\System32\uNGMEuj.exe
  C:\Windows\System32\uNGMEuj.exe
  2⤵
  PID:6384
- C:\Windows\System32\FTyRVdc.exe
  C:\Windows\System32\FTyRVdc.exe
  2⤵
  PID:6400
- C:\Windows\System32\sSEOvpn.exe
  C:\Windows\System32\sSEOvpn.exe
  2⤵
  PID:6424
- C:\Windows\System32\WMmyguu.exe
  C:\Windows\System32\WMmyguu.exe
  2⤵
  PID:6448
- C:\Windows\System32\xvcrdWA.exe
  C:\Windows\System32\xvcrdWA.exe
  2⤵
  PID:6468
- C:\Windows\System32\tCLeYVU.exe
  C:\Windows\System32\tCLeYVU.exe
  2⤵
  PID:6508
- C:\Windows\System32\OLGLxgv.exe
  C:\Windows\System32\OLGLxgv.exe
  2⤵
  PID:6528
- C:\Windows\System32\WHiDOjw.exe
  C:\Windows\System32\WHiDOjw.exe
  2⤵
  PID:6548
- C:\Windows\System32\hwMhEFm.exe
  C:\Windows\System32\hwMhEFm.exe
  2⤵
  PID:6568
- C:\Windows\System32\oHOEmbo.exe
  C:\Windows\System32\oHOEmbo.exe
  2⤵
  PID:6656
- C:\Windows\System32\ChzxqaA.exe
  C:\Windows\System32\ChzxqaA.exe
  2⤵
  PID:6672
- C:\Windows\System32\BSKAqsS.exe
  C:\Windows\System32\BSKAqsS.exe
  2⤵
  PID:6692
- C:\Windows\System32\LrZDZqx.exe
  C:\Windows\System32\LrZDZqx.exe
  2⤵
  PID:6788
- C:\Windows\System32\CxPrPdd.exe
  C:\Windows\System32\CxPrPdd.exe
  2⤵
  PID:6804
- C:\Windows\System32\gsljeKs.exe
  C:\Windows\System32\gsljeKs.exe
  2⤵
  PID:6852
- C:\Windows\System32\XeJbgAU.exe
  C:\Windows\System32\XeJbgAU.exe
  2⤵
  PID:6876
- C:\Windows\System32\rTlTtAL.exe
  C:\Windows\System32\rTlTtAL.exe
  2⤵
  PID:6892
- C:\Windows\System32\GdPPESR.exe
  C:\Windows\System32\GdPPESR.exe
  2⤵
  PID:6948
- C:\Windows\System32\pznwWTv.exe
  C:\Windows\System32\pznwWTv.exe
  2⤵
  PID:6964
- C:\Windows\System32\PaswGfK.exe
  C:\Windows\System32\PaswGfK.exe
  2⤵
  PID:6992
- C:\Windows\System32\rFRTmgA.exe
  C:\Windows\System32\rFRTmgA.exe
  2⤵
  PID:7008
- C:\Windows\System32\AmBuUmZ.exe
  C:\Windows\System32\AmBuUmZ.exe
  2⤵
  PID:7024
- C:\Windows\System32\yXSGsKL.exe
  C:\Windows\System32\yXSGsKL.exe
  2⤵
  PID:7052
- C:\Windows\System32\znNYkiB.exe
  C:\Windows\System32\znNYkiB.exe
  2⤵
  PID:7092
- C:\Windows\System32\iEJMvgc.exe
  C:\Windows\System32\iEJMvgc.exe
  2⤵
  PID:7112
- C:\Windows\System32\BMHmcNt.exe
  C:\Windows\System32\BMHmcNt.exe
  2⤵
  PID:7140
- C:\Windows\System32\LinDekh.exe
  C:\Windows\System32\LinDekh.exe
  2⤵
  PID:7156
- C:\Windows\System32\KMNPUxp.exe
  C:\Windows\System32\KMNPUxp.exe
  2⤵
  PID:6168
- C:\Windows\System32\lqUNyeM.exe
  C:\Windows\System32\lqUNyeM.exe
  2⤵
  PID:6192
- C:\Windows\System32\wuIDAvm.exe
  C:\Windows\System32\wuIDAvm.exe
  2⤵
  PID:6260
- C:\Windows\System32\UJXjIhO.exe
  C:\Windows\System32\UJXjIhO.exe
  2⤵
  PID:6328
- C:\Windows\System32\lSsgavY.exe
  C:\Windows\System32\lSsgavY.exe
  2⤵
  PID:6356
- C:\Windows\System32\djydOAd.exe
  C:\Windows\System32\djydOAd.exe
  2⤵
  PID:6420
- C:\Windows\System32\SxVMwga.exe
  C:\Windows\System32\SxVMwga.exe
  2⤵
  PID:6524
- C:\Windows\System32\pATFolQ.exe
  C:\Windows\System32\pATFolQ.exe
  2⤵
  PID:6624
- C:\Windows\System32\RoZCIro.exe
  C:\Windows\System32\RoZCIro.exe
  2⤵
  PID:6680
- C:\Windows\System32\QrjWliA.exe
  C:\Windows\System32\QrjWliA.exe
  2⤵
  PID:6780
- C:\Windows\System32\hpVCJfB.exe
  C:\Windows\System32\hpVCJfB.exe
  2⤵
  PID:6796
- C:\Windows\System32\ulcQaTX.exe
  C:\Windows\System32\ulcQaTX.exe
  2⤵
  PID:6900
- C:\Windows\System32\YswKmUk.exe
  C:\Windows\System32\YswKmUk.exe
  2⤵
  PID:6956
- C:\Windows\System32\nEpflll.exe
  C:\Windows\System32\nEpflll.exe
  2⤵
  PID:7004
- C:\Windows\System32\MpWzgXH.exe
  C:\Windows\System32\MpWzgXH.exe
  2⤵
  PID:7048
- C:\Windows\System32\FtEFWbG.exe
  C:\Windows\System32\FtEFWbG.exe
  2⤵
  PID:7124
- C:\Windows\System32\QbEPVPL.exe
  C:\Windows\System32\QbEPVPL.exe
  2⤵
  PID:7164
- C:\Windows\System32\mivUKIP.exe
  C:\Windows\System32\mivUKIP.exe
  2⤵
  PID:6236
- C:\Windows\System32\CNswNPH.exe
  C:\Windows\System32\CNswNPH.exe
  2⤵
  PID:6460
- C:\Windows\System32\QtADGOe.exe
  C:\Windows\System32\QtADGOe.exe
  2⤵
  PID:6648
- C:\Windows\System32\LbsXQws.exe
  C:\Windows\System32\LbsXQws.exe
  2⤵
  PID:6684
- C:\Windows\System32\IuwdFpC.exe
  C:\Windows\System32\IuwdFpC.exe
  2⤵
  PID:7036
- C:\Windows\System32\jmIPLHe.exe
  C:\Windows\System32\jmIPLHe.exe
  2⤵
  PID:7076
- C:\Windows\System32\NhcytIL.exe
  C:\Windows\System32\NhcytIL.exe
  2⤵
  PID:7120
- C:\Windows\System32\alzvQgx.exe
  C:\Windows\System32\alzvQgx.exe
  2⤵
  PID:6544
- C:\Windows\System32\lSRRXvk.exe
  C:\Windows\System32\lSRRXvk.exe
  2⤵
  PID:6916
- C:\Windows\System32\kzKnMla.exe
  C:\Windows\System32\kzKnMla.exe
  2⤵
  PID:7088
- C:\Windows\System32\qTNLYPF.exe
  C:\Windows\System32\qTNLYPF.exe
  2⤵
  PID:6884
- C:\Windows\System32\XRMwBEz.exe
  C:\Windows\System32\XRMwBEz.exe
  2⤵
  PID:7200
- C:\Windows\System32\XmTtCRV.exe
  C:\Windows\System32\XmTtCRV.exe
  2⤵
  PID:7220
- C:\Windows\System32\haErUNm.exe
  C:\Windows\System32\haErUNm.exe
  2⤵
  PID:7244
- C:\Windows\System32\MjKGzlx.exe
  C:\Windows\System32\MjKGzlx.exe
  2⤵
  PID:7280
- C:\Windows\System32\rwZOkNS.exe
  C:\Windows\System32\rwZOkNS.exe
  2⤵
  PID:7304
- C:\Windows\System32\BafePHA.exe
  C:\Windows\System32\BafePHA.exe
  2⤵
  PID:7336
- C:\Windows\System32\JftwKYC.exe
  C:\Windows\System32\JftwKYC.exe
  2⤵
  PID:7356
- C:\Windows\System32\mNBOhys.exe
  C:\Windows\System32\mNBOhys.exe
  2⤵
  PID:7376
- C:\Windows\System32\ckdQPbf.exe
  C:\Windows\System32\ckdQPbf.exe
  2⤵
  PID:7400
- C:\Windows\System32\GXKFgMN.exe
  C:\Windows\System32\GXKFgMN.exe
  2⤵
  PID:7420
- C:\Windows\System32\fgLDVqZ.exe
  C:\Windows\System32\fgLDVqZ.exe
  2⤵
  PID:7448
- C:\Windows\System32\yQYsncK.exe
  C:\Windows\System32\yQYsncK.exe
  2⤵
  PID:7504
- C:\Windows\System32\BaKapml.exe
  C:\Windows\System32\BaKapml.exe
  2⤵
  PID:7528
- C:\Windows\System32\FefilJX.exe
  C:\Windows\System32\FefilJX.exe
  2⤵
  PID:7548
- C:\Windows\System32\QroXHIh.exe
  C:\Windows\System32\QroXHIh.exe
  2⤵
  PID:7580
- C:\Windows\System32\dgDdUxo.exe
  C:\Windows\System32\dgDdUxo.exe
  2⤵
  PID:7596
- C:\Windows\System32\TphYdbW.exe
  C:\Windows\System32\TphYdbW.exe
  2⤵
  PID:7632
- C:\Windows\System32\RVMgXQo.exe
  C:\Windows\System32\RVMgXQo.exe
  2⤵
  PID:7680
- C:\Windows\System32\SPCVmFZ.exe
  C:\Windows\System32\SPCVmFZ.exe
  2⤵
  PID:7708
- C:\Windows\System32\PWPLctE.exe
  C:\Windows\System32\PWPLctE.exe
  2⤵
  PID:7732
- C:\Windows\System32\wsFDqGF.exe
  C:\Windows\System32\wsFDqGF.exe
  2⤵
  PID:7764
- C:\Windows\System32\PhvBraa.exe
  C:\Windows\System32\PhvBraa.exe
  2⤵
  PID:7780
- C:\Windows\System32\jmXcbLL.exe
  C:\Windows\System32\jmXcbLL.exe
  2⤵
  PID:7808
- C:\Windows\System32\ibUVrwj.exe
  C:\Windows\System32\ibUVrwj.exe
  2⤵
  PID:7828
- C:\Windows\System32\yznbnQi.exe
  C:\Windows\System32\yznbnQi.exe
  2⤵
  PID:7852
- C:\Windows\System32\GESrfJx.exe
  C:\Windows\System32\GESrfJx.exe
  2⤵
  PID:7892
- C:\Windows\System32\OjUUVFV.exe
  C:\Windows\System32\OjUUVFV.exe
  2⤵
  PID:7908
- C:\Windows\System32\jatsMXG.exe
  C:\Windows\System32\jatsMXG.exe
  2⤵
  PID:7948
- C:\Windows\System32\SPOIWWa.exe
  C:\Windows\System32\SPOIWWa.exe
  2⤵
  PID:7968
- C:\Windows\System32\GwQyPDX.exe
  C:\Windows\System32\GwQyPDX.exe
  2⤵
  PID:7984
- C:\Windows\System32\QJhmaME.exe
  C:\Windows\System32\QJhmaME.exe
  2⤵
  PID:8020
- C:\Windows\System32\PtbaoFW.exe
  C:\Windows\System32\PtbaoFW.exe
  2⤵
  PID:8040
- C:\Windows\System32\LLwtjhh.exe
  C:\Windows\System32\LLwtjhh.exe
  2⤵
  PID:8056
- C:\Windows\System32\CRIwleI.exe
  C:\Windows\System32\CRIwleI.exe
  2⤵
  PID:8092
- C:\Windows\System32\tgfIHkw.exe
  C:\Windows\System32\tgfIHkw.exe
  2⤵
  PID:8136
- C:\Windows\System32\LnkptgE.exe
  C:\Windows\System32\LnkptgE.exe
  2⤵
  PID:8172
- C:\Windows\System32\auXMQMS.exe
  C:\Windows\System32\auXMQMS.exe
  2⤵
  PID:7176
- C:\Windows\System32\VctxPax.exe
  C:\Windows\System32\VctxPax.exe
  2⤵
  PID:7232
- C:\Windows\System32\FgvyauR.exe
  C:\Windows\System32\FgvyauR.exe
  2⤵
  PID:7300
- C:\Windows\System32\gASGpnQ.exe
  C:\Windows\System32\gASGpnQ.exe
  2⤵
  PID:7348
- C:\Windows\System32\nPXWzoa.exe
  C:\Windows\System32\nPXWzoa.exe
  2⤵
  PID:7384
- C:\Windows\System32\lUTnzBB.exe
  C:\Windows\System32\lUTnzBB.exe
  2⤵
  PID:7428
- C:\Windows\System32\yaKKkjX.exe
  C:\Windows\System32\yaKKkjX.exe
  2⤵
  PID:7536
- C:\Windows\System32\xaoGCIO.exe
  C:\Windows\System32\xaoGCIO.exe
  2⤵
  PID:7576
- C:\Windows\System32\riMZsXL.exe
  C:\Windows\System32\riMZsXL.exe
  2⤵
  PID:7648
- C:\Windows\System32\BTiJVzV.exe
  C:\Windows\System32\BTiJVzV.exe
  2⤵
  PID:7676
- C:\Windows\System32\IkurYZb.exe
  C:\Windows\System32\IkurYZb.exe
  2⤵
  PID:7772
- C:\Windows\System32\syodsVU.exe
  C:\Windows\System32\syodsVU.exe
  2⤵
  PID:7792
- C:\Windows\System32\nNeUvHZ.exe
  C:\Windows\System32\nNeUvHZ.exe
  2⤵
  PID:7836
- C:\Windows\System32\alMIslT.exe
  C:\Windows\System32\alMIslT.exe
  2⤵
  PID:7980
- C:\Windows\System32\DPksZtO.exe
  C:\Windows\System32\DPksZtO.exe
  2⤵
  PID:7960
- C:\Windows\System32\qYsuMhP.exe
  C:\Windows\System32\qYsuMhP.exe
  2⤵
  PID:8072
- C:\Windows\System32\cMQLHIA.exe
  C:\Windows\System32\cMQLHIA.exe
  2⤵
  PID:8088
- C:\Windows\System32\XXwnasj.exe
  C:\Windows\System32\XXwnasj.exe
  2⤵
  PID:8148
- C:\Windows\System32\GZaLUJw.exe
  C:\Windows\System32\GZaLUJw.exe
  2⤵
  PID:7228
- C:\Windows\System32\PKluNTA.exe
  C:\Windows\System32\PKluNTA.exe
  2⤵
  PID:7468
- C:\Windows\System32\eVuPPkT.exe
  C:\Windows\System32\eVuPPkT.exe
  2⤵
  PID:7624
- C:\Windows\System32\zhvmQNS.exe
  C:\Windows\System32\zhvmQNS.exe
  2⤵
  PID:7804
- C:\Windows\System32\OdVvHXt.exe
  C:\Windows\System32\OdVvHXt.exe
  2⤵
  PID:8012
- C:\Windows\System32\gfHEVRB.exe
  C:\Windows\System32\gfHEVRB.exe
  2⤵
  PID:7264
- C:\Windows\System32\cSICAsc.exe
  C:\Windows\System32\cSICAsc.exe
  2⤵
  PID:8036
- C:\Windows\System32\oKpNJwE.exe
  C:\Windows\System32\oKpNJwE.exe
  2⤵
  PID:8120
- C:\Windows\System32\vMyLSdm.exe
  C:\Windows\System32\vMyLSdm.exe
  2⤵
  PID:7516
- C:\Windows\System32\KyWqbfQ.exe
  C:\Windows\System32\KyWqbfQ.exe
  2⤵
  PID:8208
- C:\Windows\System32\UhVHaHT.exe
  C:\Windows\System32\UhVHaHT.exe
  2⤵
  PID:8252
- C:\Windows\System32\KbUjQJZ.exe
  C:\Windows\System32\KbUjQJZ.exe
  2⤵
  PID:8288
- C:\Windows\System32\lktxCvQ.exe
  C:\Windows\System32\lktxCvQ.exe
  2⤵
  PID:8308
- C:\Windows\System32\wBXlHzO.exe
  C:\Windows\System32\wBXlHzO.exe
  2⤵
  PID:8356
- C:\Windows\System32\kkxDaXR.exe
  C:\Windows\System32\kkxDaXR.exe
  2⤵
  PID:8376
- C:\Windows\System32\iYqzmQc.exe
  C:\Windows\System32\iYqzmQc.exe
  2⤵
  PID:8412
- C:\Windows\System32\MIFhTEg.exe
  C:\Windows\System32\MIFhTEg.exe
  2⤵
  PID:8452
- C:\Windows\System32\OGlKYYo.exe
  C:\Windows\System32\OGlKYYo.exe
  2⤵
  PID:8476
- C:\Windows\System32\CuEhAHV.exe
  C:\Windows\System32\CuEhAHV.exe
  2⤵
  PID:8492
- C:\Windows\System32\zWAQjcP.exe
  C:\Windows\System32\zWAQjcP.exe
  2⤵
  PID:8512
- C:\Windows\System32\hKmYVuB.exe
  C:\Windows\System32\hKmYVuB.exe
  2⤵
  PID:8540
- C:\Windows\System32\gOQSIPL.exe
  C:\Windows\System32\gOQSIPL.exe
  2⤵
  PID:8556
- C:\Windows\System32\VMjPVvM.exe
  C:\Windows\System32\VMjPVvM.exe
  2⤵
  PID:8604
- C:\Windows\System32\hwFsWgd.exe
  C:\Windows\System32\hwFsWgd.exe
  2⤵
  PID:8624
- C:\Windows\System32\uPcjeJo.exe
  C:\Windows\System32\uPcjeJo.exe
  2⤵
  PID:8652
- C:\Windows\System32\xGbEKwU.exe
  C:\Windows\System32\xGbEKwU.exe
  2⤵
  PID:8676
- C:\Windows\System32\oKxkgLS.exe
  C:\Windows\System32\oKxkgLS.exe
  2⤵
  PID:8700
- C:\Windows\System32\GXagaxv.exe
  C:\Windows\System32\GXagaxv.exe
  2⤵
  PID:8744
- C:\Windows\System32\xglCZqS.exe
  C:\Windows\System32\xglCZqS.exe
  2⤵
  PID:8776
- C:\Windows\System32\USvMHWX.exe
  C:\Windows\System32\USvMHWX.exe
  2⤵
  PID:8792
- C:\Windows\System32\wntTSvU.exe
  C:\Windows\System32\wntTSvU.exe
  2⤵
  PID:8816
- C:\Windows\System32\GxmbGWt.exe
  C:\Windows\System32\GxmbGWt.exe
  2⤵
  PID:8836
- C:\Windows\System32\QyIlUmX.exe
  C:\Windows\System32\QyIlUmX.exe
  2⤵
  PID:8872
- C:\Windows\System32\mSipoXP.exe
  C:\Windows\System32\mSipoXP.exe
  2⤵
  PID:8916
- C:\Windows\System32\kWVzAKX.exe
  C:\Windows\System32\kWVzAKX.exe
  2⤵
  PID:8940
- C:\Windows\System32\yJmKzwP.exe
  C:\Windows\System32\yJmKzwP.exe
  2⤵
  PID:8976
- C:\Windows\System32\TeAnBDQ.exe
  C:\Windows\System32\TeAnBDQ.exe
  2⤵
  PID:8996
- C:\Windows\System32\ocftHXk.exe
  C:\Windows\System32\ocftHXk.exe
  2⤵
  PID:9012
- C:\Windows\System32\SJGSNHN.exe
  C:\Windows\System32\SJGSNHN.exe
  2⤵
  PID:9032
- C:\Windows\System32\JdzlFel.exe
  C:\Windows\System32\JdzlFel.exe
  2⤵
  PID:9068
- C:\Windows\System32\fLdtMTh.exe
  C:\Windows\System32\fLdtMTh.exe
  2⤵
  PID:9104
- C:\Windows\System32\KXXsHil.exe
  C:\Windows\System32\KXXsHil.exe
  2⤵
  PID:9136
- C:\Windows\System32\ZqfFbws.exe
  C:\Windows\System32\ZqfFbws.exe
  2⤵
  PID:9156
- C:\Windows\System32\IeAsHAc.exe
  C:\Windows\System32\IeAsHAc.exe
  2⤵
  PID:9184
- C:\Windows\System32\tIGHGmc.exe
  C:\Windows\System32\tIGHGmc.exe
  2⤵
  PID:8200
- C:\Windows\System32\zapUtpe.exe
  C:\Windows\System32\zapUtpe.exe
  2⤵
  PID:8280
- C:\Windows\System32\kAjhgdb.exe
  C:\Windows\System32\kAjhgdb.exe
  2⤵
  PID:8300
- C:\Windows\System32\oVlIEkJ.exe
  C:\Windows\System32\oVlIEkJ.exe
  2⤵
  PID:8436
- C:\Windows\System32\uUNNSeW.exe
  C:\Windows\System32\uUNNSeW.exe
  2⤵
  PID:8484
- C:\Windows\System32\VPrrBcq.exe
  C:\Windows\System32\VPrrBcq.exe
  2⤵
  PID:8564
- C:\Windows\System32\wynDQuJ.exe
  C:\Windows\System32\wynDQuJ.exe
  2⤵
  PID:8632
- C:\Windows\System32\bambkFM.exe
  C:\Windows\System32\bambkFM.exe
  2⤵
  PID:8616
- C:\Windows\System32\MUQhLUr.exe
  C:\Windows\System32\MUQhLUr.exe
  2⤵
  PID:8720
- C:\Windows\System32\QbyyRYC.exe
  C:\Windows\System32\QbyyRYC.exe
  2⤵
  PID:8768
- C:\Windows\System32\mhxZAWR.exe
  C:\Windows\System32\mhxZAWR.exe
  2⤵
  PID:8844
- C:\Windows\System32\cucTXBb.exe
  C:\Windows\System32\cucTXBb.exe
  2⤵
  PID:8904
- C:\Windows\System32\uxjPUQk.exe
  C:\Windows\System32\uxjPUQk.exe
  2⤵
  PID:9040
- C:\Windows\System32\WHfDNqY.exe
  C:\Windows\System32\WHfDNqY.exe
  2⤵
  PID:9096
- C:\Windows\System32\CQPeRwo.exe
  C:\Windows\System32\CQPeRwo.exe
  2⤵
  PID:8204
- C:\Windows\System32\CDlomIa.exe
  C:\Windows\System32\CDlomIa.exe
  2⤵
  PID:8528
- C:\Windows\System32\CCMvKdC.exe
  C:\Windows\System32\CCMvKdC.exe
  2⤵
  PID:8576
- C:\Windows\System32\SFEEwsX.exe
  C:\Windows\System32\SFEEwsX.exe
  2⤵
  PID:8684
- C:\Windows\System32\shOEUYh.exe
  C:\Windows\System32\shOEUYh.exe
  2⤵
  PID:8756
- C:\Windows\System32\UHVbsQS.exe
  C:\Windows\System32\UHVbsQS.exe
  2⤵
  PID:8852
- C:\Windows\System32\QZdSMUs.exe
  C:\Windows\System32\QZdSMUs.exe
  2⤵
  PID:8988
- C:\Windows\System32\bEUePWG.exe
  C:\Windows\System32\bEUePWG.exe
  2⤵
  PID:9132
- C:\Windows\System32\sqAbUTs.exe
  C:\Windows\System32\sqAbUTs.exe
  2⤵
  PID:9268
- C:\Windows\System32\EokRKLG.exe
  C:\Windows\System32\EokRKLG.exe
  2⤵
  PID:9284
- C:\Windows\System32\GQwtTWN.exe
  C:\Windows\System32\GQwtTWN.exe
  2⤵
  PID:9392
- C:\Windows\System32\DRXWWyO.exe
  C:\Windows\System32\DRXWWyO.exe
  2⤵
  PID:9428
- C:\Windows\System32\bHfvaHo.exe
  C:\Windows\System32\bHfvaHo.exe
  2⤵
  PID:9444
- C:\Windows\System32\qRQQPGa.exe
  C:\Windows\System32\qRQQPGa.exe
  2⤵
  PID:9468
- C:\Windows\System32\uzSCZGA.exe
  C:\Windows\System32\uzSCZGA.exe
  2⤵
  PID:9508
- C:\Windows\System32\nNBnGyM.exe
  C:\Windows\System32\nNBnGyM.exe
  2⤵
  PID:9536
- C:\Windows\System32\szDBdSl.exe
  C:\Windows\System32\szDBdSl.exe
  2⤵
  PID:9556
- C:\Windows\System32\qtPblfY.exe
  C:\Windows\System32\qtPblfY.exe
  2⤵
  PID:9580
- C:\Windows\System32\Gztdywl.exe
  C:\Windows\System32\Gztdywl.exe
  2⤵
  PID:9628
- C:\Windows\System32\nqQrsWd.exe
  C:\Windows\System32\nqQrsWd.exe
  2⤵
  PID:9676
- C:\Windows\System32\WOGSWIs.exe
  C:\Windows\System32\WOGSWIs.exe
  2⤵
  PID:9708
- C:\Windows\System32\KkIcSpn.exe
  C:\Windows\System32\KkIcSpn.exe
  2⤵
  PID:9728
- C:\Windows\System32\isaupUE.exe
  C:\Windows\System32\isaupUE.exe
  2⤵
  PID:9748
- C:\Windows\System32\gcEoCXc.exe
  C:\Windows\System32\gcEoCXc.exe
  2⤵
  PID:9772
- C:\Windows\System32\OOfOOue.exe
  C:\Windows\System32\OOfOOue.exe
  2⤵
  PID:9792
- C:\Windows\System32\JiZVdnN.exe
  C:\Windows\System32\JiZVdnN.exe
  2⤵
  PID:9816
- C:\Windows\System32\WwQuflK.exe
  C:\Windows\System32\WwQuflK.exe
  2⤵
  PID:9836
- C:\Windows\System32\weMMlzy.exe
  C:\Windows\System32\weMMlzy.exe
  2⤵
  PID:9872
- C:\Windows\System32\yjfCJYH.exe
  C:\Windows\System32\yjfCJYH.exe
  2⤵
  PID:9904
- C:\Windows\System32\EokGAkB.exe
  C:\Windows\System32\EokGAkB.exe
  2⤵
  PID:9924
- C:\Windows\System32\jJtPHWG.exe
  C:\Windows\System32\jJtPHWG.exe
  2⤵
  PID:9968
- C:\Windows\System32\qMYJXjw.exe
  C:\Windows\System32\qMYJXjw.exe
  2⤵
  PID:10008
- C:\Windows\System32\QlskNzA.exe
  C:\Windows\System32\QlskNzA.exe
  2⤵
  PID:10028
- C:\Windows\System32\USuKgOt.exe
  C:\Windows\System32\USuKgOt.exe
  2⤵
  PID:10052
- C:\Windows\System32\GZiGwCA.exe
  C:\Windows\System32\GZiGwCA.exe
  2⤵
  PID:10068
- C:\Windows\System32\ctTJLHv.exe
  C:\Windows\System32\ctTJLHv.exe
  2⤵
  PID:10112
- C:\Windows\System32\dSghQGf.exe
  C:\Windows\System32\dSghQGf.exe
  2⤵
  PID:10136
- C:\Windows\System32\QUNMXCa.exe
  C:\Windows\System32\QUNMXCa.exe
  2⤵
  PID:10164
- C:\Windows\System32\kZAumZG.exe
  C:\Windows\System32\kZAumZG.exe
  2⤵
  PID:10184
- C:\Windows\System32\CWPiQOU.exe
  C:\Windows\System32\CWPiQOU.exe
  2⤵
  PID:10228
- C:\Windows\System32\KEHntQZ.exe
  C:\Windows\System32\KEHntQZ.exe
  2⤵
  PID:8952
- C:\Windows\System32\LrUpLOl.exe
  C:\Windows\System32\LrUpLOl.exe
  2⤵
  PID:8224
- C:\Windows\System32\FCSsdXw.exe
  C:\Windows\System32\FCSsdXw.exe
  2⤵
  PID:8472
- C:\Windows\System32\ZhZYHpb.exe
  C:\Windows\System32\ZhZYHpb.exe
  2⤵
  PID:8984
- C:\Windows\System32\MTIBjry.exe
  C:\Windows\System32\MTIBjry.exe
  2⤵
  PID:8808
- C:\Windows\System32\ndXgsKU.exe
  C:\Windows\System32\ndXgsKU.exe
  2⤵
  PID:9192
- C:\Windows\System32\NzZEYWg.exe
  C:\Windows\System32\NzZEYWg.exe
  2⤵
  PID:9292
- C:\Windows\System32\RSefdOp.exe
  C:\Windows\System32\RSefdOp.exe
  2⤵
  PID:9340
- C:\Windows\System32\zIfdskh.exe
  C:\Windows\System32\zIfdskh.exe
  2⤵
  PID:9404
- C:\Windows\System32\irGnzgT.exe
  C:\Windows\System32\irGnzgT.exe
  2⤵
  PID:9460
- C:\Windows\System32\rKSUIuT.exe
  C:\Windows\System32\rKSUIuT.exe
  2⤵
  PID:9484
- C:\Windows\System32\dIqCXaT.exe
  C:\Windows\System32\dIqCXaT.exe
  2⤵
  PID:8396
- C:\Windows\System32\KAZFyQI.exe
  C:\Windows\System32\KAZFyQI.exe
  2⤵
  PID:9600
- C:\Windows\System32\OZefPdb.exe
  C:\Windows\System32\OZefPdb.exe
  2⤵
  PID:9640
- C:\Windows\System32\uUgoeKJ.exe
  C:\Windows\System32\uUgoeKJ.exe
  2⤵
  PID:9720
- C:\Windows\System32\nLXKNnQ.exe
  C:\Windows\System32\nLXKNnQ.exe
  2⤵
  PID:9800
- C:\Windows\System32\AYGbzML.exe
  C:\Windows\System32\AYGbzML.exe
  2⤵
  PID:9916
- C:\Windows\System32\BwYkPTw.exe
  C:\Windows\System32\BwYkPTw.exe
  2⤵
  PID:9992
- C:\Windows\System32\WjNCdAQ.exe
  C:\Windows\System32\WjNCdAQ.exe
  2⤵
  PID:10048
- C:\Windows\System32\eOIKlhg.exe
  C:\Windows\System32\eOIKlhg.exe
  2⤵
  PID:10064
- C:\Windows\System32\VUjPbQp.exe
  C:\Windows\System32\VUjPbQp.exe
  2⤵
  PID:10192
- C:\Windows\System32\rsTZBbU.exe
  C:\Windows\System32\rsTZBbU.exe
  2⤵
  PID:10216
- C:\Windows\System32\flEvtnb.exe
  C:\Windows\System32\flEvtnb.exe
  2⤵
  PID:8864
- C:\Windows\System32\KOruuCQ.exe
  C:\Windows\System32\KOruuCQ.exe
  2⤵
  PID:8664
- C:\Windows\System32\LrhEENC.exe
  C:\Windows\System32\LrhEENC.exe
  2⤵
  PID:9264
- C:\Windows\System32\mqAkreJ.exe
  C:\Windows\System32\mqAkreJ.exe
  2⤵
  PID:9360
- C:\Windows\System32\rtibaQN.exe
  C:\Windows\System32\rtibaQN.exe
  2⤵
  PID:9532
- C:\Windows\System32\NtIRZrg.exe
  C:\Windows\System32\NtIRZrg.exe
  2⤵
  PID:9740
- C:\Windows\System32\CWKTwHT.exe
  C:\Windows\System32\CWKTwHT.exe
  2⤵
  PID:9760
- C:\Windows\System32\oRqCzxG.exe
  C:\Windows\System32\oRqCzxG.exe
  2⤵
  PID:9940
- C:\Windows\System32\JDnVBMy.exe
  C:\Windows\System32\JDnVBMy.exe
  2⤵
  PID:10152
- C:\Windows\System32\IiNgxos.exe
  C:\Windows\System32\IiNgxos.exe
  2⤵
  PID:9028
- C:\Windows\System32\lZuPScI.exe
  C:\Windows\System32\lZuPScI.exe
  2⤵
  PID:9280
- C:\Windows\System32\axnuDEK.exe
  C:\Windows\System32\axnuDEK.exe
  2⤵
  PID:10024
- C:\Windows\System32\CPhUuwt.exe
  C:\Windows\System32\CPhUuwt.exe
  2⤵
  PID:9684
- C:\Windows\System32\ZRvgFns.exe
  C:\Windows\System32\ZRvgFns.exe
  2⤵
  PID:8508
- C:\Windows\System32\LKptsol.exe
  C:\Windows\System32\LKptsol.exe
  2⤵
  PID:10244
- C:\Windows\System32\YSgKzgK.exe
  C:\Windows\System32\YSgKzgK.exe
  2⤵
  PID:10260
- C:\Windows\System32\kAWgxzx.exe
  C:\Windows\System32\kAWgxzx.exe
  2⤵
  PID:10288
- C:\Windows\System32\BAKtvzP.exe
  C:\Windows\System32\BAKtvzP.exe
  2⤵
  PID:10308
- C:\Windows\System32\ocMuMat.exe
  C:\Windows\System32\ocMuMat.exe
  2⤵
  PID:10328
- C:\Windows\System32\fnNcRAc.exe
  C:\Windows\System32\fnNcRAc.exe
  2⤵
  PID:10412
- C:\Windows\System32\cHSvuUb.exe
  C:\Windows\System32\cHSvuUb.exe
  2⤵
  PID:10428
- C:\Windows\System32\FJltali.exe
  C:\Windows\System32\FJltali.exe
  2⤵
  PID:10444
- C:\Windows\System32\tTtOKDf.exe
  C:\Windows\System32\tTtOKDf.exe
  2⤵
  PID:10484
- C:\Windows\System32\WHfRPsQ.exe
  C:\Windows\System32\WHfRPsQ.exe
  2⤵
  PID:10508
- C:\Windows\System32\cjvfVVS.exe
  C:\Windows\System32\cjvfVVS.exe
  2⤵
  PID:10528
- C:\Windows\System32\aKVYDuM.exe
  C:\Windows\System32\aKVYDuM.exe
  2⤵
  PID:10548
- C:\Windows\System32\yFTKWzl.exe
  C:\Windows\System32\yFTKWzl.exe
  2⤵
  PID:10572
- C:\Windows\System32\IafDKxL.exe
  C:\Windows\System32\IafDKxL.exe
  2⤵
  PID:10592
- C:\Windows\System32\bHTdhyv.exe
  C:\Windows\System32\bHTdhyv.exe
  2⤵
  PID:10640
- C:\Windows\System32\AcsGgUv.exe
  C:\Windows\System32\AcsGgUv.exe
  2⤵
  PID:10668
- C:\Windows\System32\wzlLvrC.exe
  C:\Windows\System32\wzlLvrC.exe
  2⤵
  PID:10704
- C:\Windows\System32\DrWDHBT.exe
  C:\Windows\System32\DrWDHBT.exe
  2⤵
  PID:10728
- C:\Windows\System32\AnqDkvq.exe
  C:\Windows\System32\AnqDkvq.exe
  2⤵
  PID:10748
- C:\Windows\System32\VeYzDAR.exe
  C:\Windows\System32\VeYzDAR.exe
  2⤵
  PID:10768
- C:\Windows\System32\XyUAfht.exe
  C:\Windows\System32\XyUAfht.exe
  2⤵
  PID:10784
- C:\Windows\System32\AtIWwEk.exe
  C:\Windows\System32\AtIWwEk.exe
  2⤵
  PID:10804
- C:\Windows\System32\rTObNgx.exe
  C:\Windows\System32\rTObNgx.exe
  2⤵
  PID:10820
- C:\Windows\System32\uSnmIEi.exe
  C:\Windows\System32\uSnmIEi.exe
  2⤵
  PID:10848
- C:\Windows\System32\redxizb.exe
  C:\Windows\System32\redxizb.exe
  2⤵
  PID:10880
- C:\Windows\System32\WlwgMsi.exe
  C:\Windows\System32\WlwgMsi.exe
  2⤵
  PID:10904
- C:\Windows\System32\ziNaSlT.exe
  C:\Windows\System32\ziNaSlT.exe
  2⤵
  PID:10960
- C:\Windows\System32\EWFpqro.exe
  C:\Windows\System32\EWFpqro.exe
  2⤵
  PID:11016
- C:\Windows\System32\WZZecnN.exe
  C:\Windows\System32\WZZecnN.exe
  2⤵
  PID:11040
- C:\Windows\System32\ZxMnmiv.exe
  C:\Windows\System32\ZxMnmiv.exe
  2⤵
  PID:11072
- C:\Windows\System32\pCDqbeA.exe
  C:\Windows\System32\pCDqbeA.exe
  2⤵
  PID:11100
- C:\Windows\System32\MkncUfd.exe
  C:\Windows\System32\MkncUfd.exe
  2⤵
  PID:11120
- C:\Windows\System32\nFxOYCG.exe
  C:\Windows\System32\nFxOYCG.exe
  2⤵
  PID:11144
- C:\Windows\System32\kofisbJ.exe
  C:\Windows\System32\kofisbJ.exe
  2⤵
  PID:11172
- C:\Windows\System32\uaVvVtp.exe
  C:\Windows\System32\uaVvVtp.exe
  2⤵
  PID:11200
- C:\Windows\System32\uqWQxhM.exe
  C:\Windows\System32\uqWQxhM.exe
  2⤵
  PID:11228
- C:\Windows\System32\PEDYCJc.exe
  C:\Windows\System32\PEDYCJc.exe
  2⤵
  PID:11256
- C:\Windows\System32\CiTzfOH.exe
  C:\Windows\System32\CiTzfOH.exe
  2⤵
  PID:10252
- C:\Windows\System32\igNGyJj.exe
  C:\Windows\System32\igNGyJj.exe
  2⤵
  PID:10324
- C:\Windows\System32\jJsoJgJ.exe
  C:\Windows\System32\jJsoJgJ.exe
  2⤵
  PID:10424
- C:\Windows\System32\GsKSfLS.exe
  C:\Windows\System32\GsKSfLS.exe
  2⤵
  PID:10472
- C:\Windows\System32\XrjKWQD.exe
  C:\Windows\System32\XrjKWQD.exe
  2⤵
  PID:10568
- C:\Windows\System32\MWiGEHn.exe
  C:\Windows\System32\MWiGEHn.exe
  2⤵
  PID:10620
- C:\Windows\System32\SMhGPgW.exe
  C:\Windows\System32\SMhGPgW.exe
  2⤵
  PID:10716
- C:\Windows\System32\IohjbTP.exe
  C:\Windows\System32\IohjbTP.exe
  2⤵
  PID:10764
- C:\Windows\System32\hafrehJ.exe
  C:\Windows\System32\hafrehJ.exe
  2⤵
  PID:10792
- C:\Windows\System32\SaAkzbN.exe
  C:\Windows\System32\SaAkzbN.exe
  2⤵
  PID:10832
- C:\Windows\System32\Tomhbeg.exe
  C:\Windows\System32\Tomhbeg.exe
  2⤵
  PID:10876
- C:\Windows\System32\OwIKRhY.exe
  C:\Windows\System32\OwIKRhY.exe
  2⤵
  PID:11048
- C:\Windows\System32\YAOehGj.exe
  C:\Windows\System32\YAOehGj.exe
  2⤵
  PID:11060
- C:\Windows\System32\HjxKnrX.exe
  C:\Windows\System32\HjxKnrX.exe
  2⤵
  PID:11128
- C:\Windows\System32\LpOwGQZ.exe
  C:\Windows\System32\LpOwGQZ.exe
  2⤵
  PID:11180
- C:\Windows\System32\QESaojd.exe
  C:\Windows\System32\QESaojd.exe
  2⤵
  PID:11236
- C:\Windows\System32\oWBXkWI.exe
  C:\Windows\System32\oWBXkWI.exe
  2⤵
  PID:10440
- C:\Windows\System32\StiJFqR.exe
  C:\Windows\System32\StiJFqR.exe
  2⤵
  PID:10588
- C:\Windows\System32\YvQFyjg.exe
  C:\Windows\System32\YvQFyjg.exe
  2⤵
  PID:10760
- C:\Windows\System32\tYMXzkI.exe
  C:\Windows\System32\tYMXzkI.exe
  2⤵
  PID:10740
- C:\Windows\System32\KafALHJ.exe
  C:\Windows\System32\KafALHJ.exe
  2⤵
  PID:10896
- C:\Windows\System32\afqDLAh.exe
  C:\Windows\System32\afqDLAh.exe
  2⤵
  PID:11000
- C:\Windows\System32\mcZMpYf.exe
  C:\Windows\System32\mcZMpYf.exe
  2⤵
  PID:11164
- C:\Windows\System32\xXdiCpx.exe
  C:\Windows\System32\xXdiCpx.exe
  2⤵
  PID:10544
- C:\Windows\System32\pRYIcIW.exe
  C:\Windows\System32\pRYIcIW.exe
  2⤵
  PID:10928
- C:\Windows\System32\cgklIsd.exe
  C:\Windows\System32\cgklIsd.exe
  2⤵
  PID:10520
- C:\Windows\System32\enrVJqN.exe
  C:\Windows\System32\enrVJqN.exe
  2⤵
  PID:10944
- C:\Windows\System32\cRgldtt.exe
  C:\Windows\System32\cRgldtt.exe
  2⤵
  PID:10912
- C:\Windows\System32\UKQJInl.exe
  C:\Windows\System32\UKQJInl.exe
  2⤵
  PID:11288
- C:\Windows\System32\YceznRv.exe
  C:\Windows\System32\YceznRv.exe
  2⤵
  PID:11304
- C:\Windows\System32\kAtsonX.exe
  C:\Windows\System32\kAtsonX.exe
  2⤵
  PID:11332
- C:\Windows\System32\WsScdnj.exe
  C:\Windows\System32\WsScdnj.exe
  2⤵
  PID:11352
- C:\Windows\System32\upULdkE.exe
  C:\Windows\System32\upULdkE.exe
  2⤵
  PID:11376
- C:\Windows\System32\QjuaYqY.exe
  C:\Windows\System32\QjuaYqY.exe
  2⤵
  PID:11436
- C:\Windows\System32\WvOyVVm.exe
  C:\Windows\System32\WvOyVVm.exe
  2⤵
  PID:11464
- C:\Windows\System32\dOPcBIn.exe
  C:\Windows\System32\dOPcBIn.exe
  2⤵
  PID:11496
- C:\Windows\System32\hsaqxib.exe
  C:\Windows\System32\hsaqxib.exe
  2⤵
  PID:11520
- C:\Windows\System32\oozDlmP.exe
  C:\Windows\System32\oozDlmP.exe
  2⤵
  PID:11552
- C:\Windows\System32\thIZLHl.exe
  C:\Windows\System32\thIZLHl.exe
  2⤵
  PID:11568
- C:\Windows\System32\NfWmSQe.exe
  C:\Windows\System32\NfWmSQe.exe
  2⤵
  PID:11596
- C:\Windows\System32\MHwOruN.exe
  C:\Windows\System32\MHwOruN.exe
  2⤵
  PID:11628
- C:\Windows\System32\dTRuiqw.exe
  C:\Windows\System32\dTRuiqw.exe
  2⤵
  PID:11684
- C:\Windows\System32\HJIDYaK.exe
  C:\Windows\System32\HJIDYaK.exe
  2⤵
  PID:11700
- C:\Windows\System32\kHxxhxh.exe
  C:\Windows\System32\kHxxhxh.exe
  2⤵
  PID:11728
- C:\Windows\System32\AYtVvSD.exe
  C:\Windows\System32\AYtVvSD.exe
  2⤵
  PID:11748
- C:\Windows\System32\TuDqbSg.exe
  C:\Windows\System32\TuDqbSg.exe
  2⤵
  PID:11772
- C:\Windows\System32\whSTSDV.exe
  C:\Windows\System32\whSTSDV.exe
  2⤵
  PID:11788
- C:\Windows\System32\VqAPFrn.exe
  C:\Windows\System32\VqAPFrn.exe
  2⤵
  PID:11828
- C:\Windows\System32\gJgroaf.exe
  C:\Windows\System32\gJgroaf.exe
  2⤵
  PID:11848
- C:\Windows\System32\WZjBSpP.exe
  C:\Windows\System32\WZjBSpP.exe
  2⤵
  PID:11872
- C:\Windows\System32\UlPinLT.exe
  C:\Windows\System32\UlPinLT.exe
  2⤵
  PID:11892
- C:\Windows\System32\GSgePoi.exe
  C:\Windows\System32\GSgePoi.exe
  2⤵
  PID:11908
- C:\Windows\System32\qGbNiqb.exe
  C:\Windows\System32\qGbNiqb.exe
  2⤵
  PID:11956
- C:\Windows\System32\mKeaTiq.exe
  C:\Windows\System32\mKeaTiq.exe
  2⤵
  PID:12024
- C:\Windows\System32\vvliELs.exe
  C:\Windows\System32\vvliELs.exe
  2⤵
  PID:12052
- C:\Windows\System32\iEQdUGc.exe
  C:\Windows\System32\iEQdUGc.exe
  2⤵
  PID:12068
- C:\Windows\System32\FduGJqx.exe
  C:\Windows\System32\FduGJqx.exe
  2⤵
  PID:12088
- C:\Windows\System32\dCFxJrr.exe
  C:\Windows\System32\dCFxJrr.exe
  2⤵
  PID:12112
- C:\Windows\System32\HuFLflV.exe
  C:\Windows\System32\HuFLflV.exe
  2⤵
  PID:12132
- C:\Windows\System32\qNDdVou.exe
  C:\Windows\System32\qNDdVou.exe
  2⤵
  PID:12156
- C:\Windows\System32\kVPcOMh.exe
  C:\Windows\System32\kVPcOMh.exe
  2⤵
  PID:12192
- C:\Windows\System32\bPxhjCd.exe
  C:\Windows\System32\bPxhjCd.exe
  2⤵
  PID:12224
- C:\Windows\System32\vmIKyKo.exe
  C:\Windows\System32\vmIKyKo.exe
  2⤵
  PID:12244
- C:\Windows\System32\rrGslON.exe
  C:\Windows\System32\rrGslON.exe
  2⤵
  PID:12260
- C:\Windows\System32\nJVQyXP.exe
  C:\Windows\System32\nJVQyXP.exe
  2⤵
  PID:10604
- C:\Windows\System32\eWyWyHX.exe
  C:\Windows\System32\eWyWyHX.exe
  2⤵
  PID:11312
- C:\Windows\System32\LERVpCx.exe
  C:\Windows\System32\LERVpCx.exe
  2⤵
  PID:11372
- C:\Windows\System32\mkQdEUf.exe
  C:\Windows\System32\mkQdEUf.exe
  2⤵
  PID:11424
- C:\Windows\System32\bEUQDLR.exe
  C:\Windows\System32\bEUQDLR.exe
  2⤵
  PID:11508
- C:\Windows\System32\KilcrRC.exe
  C:\Windows\System32\KilcrRC.exe
  2⤵
  PID:11544
- C:\Windows\System32\uNpwVdM.exe
  C:\Windows\System32\uNpwVdM.exe
  2⤵
  PID:11612
- C:\Windows\System32\qftXUKF.exe
  C:\Windows\System32\qftXUKF.exe
  2⤵
  PID:11644
- C:\Windows\System32\JmBYEsl.exe
  C:\Windows\System32\JmBYEsl.exe
  2⤵
  PID:11760
- C:\Windows\System32\nioYHAS.exe
  C:\Windows\System32\nioYHAS.exe
  2⤵
  PID:11808
- C:\Windows\System32\LkEopMC.exe
  C:\Windows\System32\LkEopMC.exe
  2⤵
  PID:11944
- C:\Windows\System32\UkIvCUT.exe
  C:\Windows\System32\UkIvCUT.exe
  2⤵
  PID:11980
- C:\Windows\System32\RjsjFVs.exe
  C:\Windows\System32\RjsjFVs.exe
  2⤵
  PID:12048
- C:\Windows\System32\KkCBfLe.exe
  C:\Windows\System32\KkCBfLe.exe
  2⤵
  PID:12128
- C:\Windows\System32\dYHixVy.exe
  C:\Windows\System32\dYHixVy.exe
  2⤵
  PID:12140
- C:\Windows\System32\DfsfKpL.exe
  C:\Windows\System32\DfsfKpL.exe
  2⤵
  PID:12220
- C:\Windows\System32\AOYzbxP.exe
  C:\Windows\System32\AOYzbxP.exe
  2⤵
  PID:12232
- C:\Windows\System32\NWIwrSI.exe
  C:\Windows\System32\NWIwrSI.exe
  2⤵
  PID:11316
- C:\Windows\System32\JEpJNzK.exe
  C:\Windows\System32\JEpJNzK.exe
  2⤵
  PID:11764
- C:\Windows\System32\pDQlJbG.exe
  C:\Windows\System32\pDQlJbG.exe
  2⤵
  PID:11812
- C:\Windows\System32\dxISMxx.exe
  C:\Windows\System32\dxISMxx.exe
  2⤵
  PID:11784
- C:\Windows\System32\WiFpqdv.exe
  C:\Windows\System32\WiFpqdv.exe
  2⤵
  PID:11964
- C:\Windows\System32\GAqpFfF.exe
  C:\Windows\System32\GAqpFfF.exe
  2⤵
  PID:12004
- C:\Windows\System32\xELlmWZ.exe
  C:\Windows\System32\xELlmWZ.exe
  2⤵
  PID:12164
- C:\Windows\System32\pfvccTO.exe
  C:\Windows\System32\pfvccTO.exe
  2⤵
  PID:12204
- C:\Windows\System32\MdhnFnV.exe
  C:\Windows\System32\MdhnFnV.exe
  2⤵
  PID:12256
- C:\Windows\System32\GwTSidM.exe
  C:\Windows\System32\GwTSidM.exe
  2⤵
  PID:11460
- C:\Windows\System32\GUyfZHR.exe
  C:\Windows\System32\GUyfZHR.exe
  2⤵
  PID:2692
- C:\Windows\System32\AtHmmTC.exe
  C:\Windows\System32\AtHmmTC.exe
  2⤵
  PID:12212
- C:\Windows\System32\EDatNYH.exe
  C:\Windows\System32\EDatNYH.exe
  2⤵
  PID:12356
- C:\Windows\System32\QxfKLSr.exe
  C:\Windows\System32\QxfKLSr.exe
  2⤵
  PID:12400
- C:\Windows\System32\nyIBGhb.exe
  C:\Windows\System32\nyIBGhb.exe
  2⤵
  PID:12420
- C:\Windows\System32\dkybnfA.exe
  C:\Windows\System32\dkybnfA.exe
  2⤵
  PID:12440
- C:\Windows\System32\soUPizW.exe
  C:\Windows\System32\soUPizW.exe
  2⤵
  PID:12456
- C:\Windows\System32\rgYHhOH.exe
  C:\Windows\System32\rgYHhOH.exe
  2⤵
  PID:12488
- C:\Windows\System32\CInEHhi.exe
  C:\Windows\System32\CInEHhi.exe
  2⤵
  PID:12512
- C:\Windows\System32\jRNeMaA.exe
  C:\Windows\System32\jRNeMaA.exe
  2⤵
  PID:12532
- C:\Windows\System32\UsUuXwd.exe
  C:\Windows\System32\UsUuXwd.exe
  2⤵
  PID:12552
- C:\Windows\System32\StIwmDl.exe
  C:\Windows\System32\StIwmDl.exe
  2⤵
  PID:12584
- C:\Windows\System32\jvCaoSJ.exe
  C:\Windows\System32\jvCaoSJ.exe
  2⤵
  PID:12608
- C:\Windows\System32\hZDIypU.exe
  C:\Windows\System32\hZDIypU.exe
  2⤵
  PID:12684
- C:\Windows\System32\wDNhmwp.exe
  C:\Windows\System32\wDNhmwp.exe
  2⤵
  PID:12700
- C:\Windows\System32\xtYgics.exe
  C:\Windows\System32\xtYgics.exe
  2⤵
  PID:12732
- C:\Windows\System32\QwnxllF.exe
  C:\Windows\System32\QwnxllF.exe
  2⤵
  PID:12756
- C:\Windows\System32\QFstwAN.exe
  C:\Windows\System32\QFstwAN.exe
  2⤵
  PID:12776
- C:\Windows\System32\KFARXMY.exe
  C:\Windows\System32\KFARXMY.exe
  2⤵
  PID:12808
- C:\Windows\System32\RZKVFCy.exe
  C:\Windows\System32\RZKVFCy.exe
  2⤵
  PID:12844
- C:\Windows\System32\ipMuRxA.exe
  C:\Windows\System32\ipMuRxA.exe
  2⤵
  PID:12864
- C:\Windows\System32\utqKwCS.exe
  C:\Windows\System32\utqKwCS.exe
  2⤵
  PID:12892
- C:\Windows\System32\SsmOBNZ.exe
  C:\Windows\System32\SsmOBNZ.exe
  2⤵
  PID:12908
- C:\Windows\System32\BQEuChu.exe
  C:\Windows\System32\BQEuChu.exe
  2⤵
  PID:12940
- C:\Windows\System32\zTuNyXa.exe
  C:\Windows\System32\zTuNyXa.exe
  2⤵
  PID:12964
- C:\Windows\System32\GsOFqUr.exe
  C:\Windows\System32\GsOFqUr.exe
  2⤵
  PID:12992
- C:\Windows\System32\bQrSgLb.exe
  C:\Windows\System32\bQrSgLb.exe
  2⤵
  PID:13032
- C:\Windows\System32\zJLoJhZ.exe
  C:\Windows\System32\zJLoJhZ.exe
  2⤵
  PID:13068
- C:\Windows\System32\tSPgMGZ.exe
  C:\Windows\System32\tSPgMGZ.exe
  2⤵
  PID:13088
- C:\Windows\System32\VUeruPY.exe
  C:\Windows\System32\VUeruPY.exe
  2⤵
  PID:13108
- C:\Windows\System32\TolGqTQ.exe
  C:\Windows\System32\TolGqTQ.exe
  2⤵
  PID:13132
- C:\Windows\System32\YuHGmMb.exe
  C:\Windows\System32\YuHGmMb.exe
  2⤵
  PID:13192

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AWickVU.exe

Filesize
1.8MB

MD5
5cc4f3faf732243fb12fb316cfd4480f

SHA1
3516d50d957bff1ec7fe2556c2ddb5656ceea5a1

SHA256
ce285fb7c62379134842490826c1acbfb8d436899b618db19ab8bc3ff7a5b8c6

SHA512
9614d67859225cf42f0e2e0179717d8121422aec809da4211bca45d24b4586d4ffcffb9964886bcca9df97f4854a459122079331631ca79659be7eb1cc1a1a5a

Download Submit
C:\Windows\System32\BhCVBGe.exe

Filesize
1.7MB

MD5
471b375e638d47ae0ed4e6c14f9a60cd

SHA1
ea95dbfed75c972a809c5fdcf42acc2c199305cc

SHA256
0172f45bf8ca9d05baeddd08571510e408e0ed6cb2b9d5e89bc3b699361e0b5b

SHA512
910e1cda4a63b56943c1395363207bff03582bb9a7df4f591a77ada03d3d6dfe36ab9a28007924bdf8bffa11e24b6b6a53d67f450a1ed3ad1b2819e2e24830a1

Download Submit
C:\Windows\System32\CDWDXpK.exe

Filesize
1.8MB

MD5
4fbb447a2351d36eaf93c2bbbda13355

SHA1
8ad1e801402f6232f4f35e2ce00ba4f9788cf316

SHA256
732c1ee8b1b32a630993880bca228aecb39a70d65d6b012c8b67ee09f1c77ab1

SHA512
b2d4edc6173a408a0f1e89cba10b0418ac0d79ccdea9ac54979691b9488da60010bb2dedcb0e36eb01387b588627a8b2510a5c7d6bfd7813fdad213394ccd8c8

Download Submit
C:\Windows\System32\DfsUzsz.exe

Filesize
1.7MB

MD5
4cd77eaabfbee6176fd2c372c2009c06

SHA1
3fc95a998a02fb9b39fff7e0c761645108bec3e2

SHA256
eb1067a76636715918b33f48c8c4b3bf61b26ea0b0040893ca59c876721dc7af

SHA512
61b6b38a666a5dc3db0651dfb4197bc85fc5eedade3704a93cac515836b571b2980c4fc619a7114a9f6b9d44e6d8fcf6c34f97a1763db3cb94fed9accaa3531f

Download Submit
C:\Windows\System32\EmBGCkK.exe

Filesize
1.7MB

MD5
77fb23d69782cbbb6f8341c07b6fae19

SHA1
1a4ac1b52a5f9dd9e94b84aa87c08d56045cec00

SHA256
5520603c68b2857105485cc3500f7b62d7b394d062b46872c112f1509b8e0ddb

SHA512
2b28d404fcf6c270adf45ce38e862c0739a0eef2fc3f2c8cb24a3d6c384d3596f2f62789db680efd29365fce672cfc9635fd346b35b1312412d5bcb74ba6dde6

Download Submit
C:\Windows\System32\HIqPovP.exe

Filesize
1.7MB

MD5
8b5d919d55e8e2032cef6b2b389fcd6e

SHA1
b98fc563cefd151c06cfb31f0d30abc3448f46d5

SHA256
2350b60dcdcf361fb3cdb36407481b44c47b8ac2f1d6fb0ac447078901474dae

SHA512
385c8c78c0423313cd488f86fc2d045c6bc3025d89b2e74b104df32100ba892e6b3131b6ac62fa0fe971860c6041aa5c784bedad0cae6d70bf6868a72850b797

Download Submit
C:\Windows\System32\MfwJnnj.exe

Filesize
1.7MB

MD5
15f097f676b3ddb71f2bfaa1fc4d6a42

SHA1
9eba39f12d41416e7861bb77b797ca889875f22a

SHA256
038017c9a87b0f08aebb8683bfac1847196c210354b2fb5a1a9067efce925434

SHA512
06a1a1a442467cb1194d57b713715835b37d334e1b86d30a3329d5264ae979fb510b8dbfcc7ecce4eb960990af796d7da878f4ae04eba55e81a4fd02c4e9b253

Download Submit
C:\Windows\System32\MkpufIK.exe

Filesize
1.8MB

MD5
4fe6abdf4b74d3d2533cf09eeb1d2135

SHA1
2f865cfe06494a48e7d96447709ef3255b810ed1

SHA256
58e278684b729d163b81bfa082c16c9f4afafccfa33fdd8d4b3644a13da6f667

SHA512
d7fbbe1aa3f52a271caab0aba1a2c754f930a80e792c4c7377636dd5b8d03875842b518189e046c42b880dbcdfce076e283f9ad9933b639bc01042f84deb4d92

Download Submit
C:\Windows\System32\MlqTsOt.exe

Filesize
1.7MB

MD5
48e3bfed8dec708cfd3295367a2a9981

SHA1
cfddbbc38770c6040a7597d59139bfdadce46f0e

SHA256
6214d7cf2f099506454aae7148ec06ab53b4856d44b277453db1b87c2b200a6a

SHA512
51aa8ce83e03bcec6d663654a35ea9ce22bb28ac1b966a544f77f9fe65499aa4137c4a18e94852346e5f9ea69e4eb6b574db53bbccab8558208dfb1243254784

Download Submit
C:\Windows\System32\NXVcDxG.exe

Filesize
1.7MB

MD5
5fc5677af975469753a53d43bcf07aa6

SHA1
ba066d84043d5b5fb828aaa9a6e9710e92666165

SHA256
b37f13ecfaa77a58f0a8f1eceb01af8a76d42e4ae1fcd3ae56cedb1a5b71ebba

SHA512
21043bc754033663abdf94e7d19f2fba380e1034ef474f0d7821bc4c3f30fed74f5edc2fdbcc41e7f47fe08d7aef3c150fd64655b01f9baf6c9c0afde990eccf

Download Submit
C:\Windows\System32\QefAzWA.exe

Filesize
1.7MB

MD5
805c049f898bb3b85ce8b6fc84dc4b91

SHA1
4fb5a7c21072b11d97ca0d6cd4cda494078844b7

SHA256
d6556b0369f1c33dbd4bd1a5cc4043aa0fcbf8dc286dcc989947f2a1e3941710

SHA512
3c149e45c8dc9167459a1010edd261839c5d1c4229823056e5d8b1028ba6e38cc7acb6035d67df11df60aef7feb4859a77bd7c6b97c83c75c9c35fbe2fc2cfc2

Download Submit
C:\Windows\System32\SOecqLy.exe

Filesize
1.7MB

MD5
ba8f87683462fb1dd2dd0c551db7863e

SHA1
9f22c294bd73b042e1c864be32c3d3ff3305d508

SHA256
d05bf506440ae903d3fcc7d13335a6f9469e455705c670c08c4864cc276e08d8

SHA512
8dee33505bc3818db5a063fe507c3acc51a4a349f931881e80189f7e8f7e29e422f9b7c6bcacbbe4ff8479b872bfdc297462ce3c64d55936eda815a7e6fd78cd

Download Submit
C:\Windows\System32\UNZqjLp.exe

Filesize
1.8MB

MD5
e2d947150421d8bd914a1298a7b209f9

SHA1
7b3ddb32cfa0b20508eb7e92af7d3b36b0613536

SHA256
c9dcf0580f213e8273fe02799419d1f6635993092f1ead77af07b25afd1f1ca7

SHA512
a40f77e663428344b4be65ae56421fe924fc733dfdd419505de2791f1d5786f6deb236e23de357e5d954dd6123bde0c562e4369d72e42cc8cf4f1c289db65a3d

Download Submit
C:\Windows\System32\UvYKdXR.exe

Filesize
1.7MB

MD5
67e0aa1c999ae40925179524d3b3e51a

SHA1
e6f2b8e7ee816836120fec19e9b0e42fb3167320

SHA256
b635ec214de7599e019845ea65b5daee6762942430ec4e827125a8ca43fbad1e

SHA512
c96c414486d8fbd4ee6a68604be1be767d85524ff008e1e02949764ae6ae9af66c2665e73805cede5f388aac96e910414533300623dbbb55cfb8ae503cc334bf

Download Submit
C:\Windows\System32\XtHuCjM.exe

Filesize
1.7MB

MD5
26c634f57ff047cb625e882a6b509060

SHA1
a9238b1180b61326510b1f92575697f804885712

SHA256
6a332cea4ec067c69d26fe4b41321613af7e9292d1fbf9e2d06623a182977f72

SHA512
04c826b2cd2cbbf9412018068c2cd6f0441c86e71b358089d6758132ebd681f864cf9e809bf6c1459d6d32b279e0b57ed59246fccab60957e1ec04b5d236fd3d

Download Submit
C:\Windows\System32\YFLAIws.exe

Filesize
1.7MB

MD5
66e79405b940d2c8f95bd793a57a1778

SHA1
f4e593aca13e7de3a8dc4dab245ecffb2a0b03da

SHA256
e02d77d8156e571b16c6dc3be38ce7bcf784f78b7bc323b2012adad42ae7adf7

SHA512
f48c8dab7eb9f053177e404be00fbcc35a882ff262df7c8a03891487f78280e24980ae9cc2eef5a8cf566a27e09d36d0082b97801f3f62a9ca557bae7bb5df19

Download Submit
C:\Windows\System32\YJtHvKL.exe

Filesize
1.7MB

MD5
3a4c3f4a66053d4da109c4a06b2fa16c

SHA1
a852ccd5469a055f1f02e8004e6085990ad14e5f

SHA256
a269a007ef30a390130b1627189dd05420b46a0ab0b7d1ec6d846d6f05a5e4ba

SHA512
953fa741309b760631c3ac958a441fae534470a8b68ed3fd0f70cf56396814a31af941d788de049a900e002f2bb4a53aabbeb81b39b79adf09388501007263aa

Download Submit
C:\Windows\System32\ZlVIMhC.exe

Filesize
1.7MB

MD5
6ddd2c75bcd4b2bb7e42366fda1c04d1

SHA1
0c8f189d5b5545870c112251f9903d4609310eb7

SHA256
eaf3dfa00b3ec2ac687c1f30708f4cda6e1090178a4d9b30188ed0538362bbd5

SHA512
073f1290c82b6fcdcf80debf229e0916d32dcbef2f51cfe63267eb527e8e5d25badf7f6120036540485b2eb61ff9dd4946fc0db52d7f876c0716cd2b76903b37

Download Submit
C:\Windows\System32\aJwePoU.exe

Filesize
1.8MB

MD5
5b0d9781002ea83b1208b9fae18acc88

SHA1
936edfa9f1c038ab2fae87d0670493312264ef00

SHA256
6f1c4351730eaf24f0befc73767684cbf5515fc2c51381b2790fa56d8afbdd28

SHA512
f3b36a7dfb718d2deb3e2b55711a7d63cb457e02161de03a661b6a0e4c78d3f32a2a054e2161e5ce20b5a111cf8081cde96ee616f86491ab04e5c35044119e35

Download Submit
C:\Windows\System32\cdwRraY.exe

Filesize
1.7MB

MD5
756e4aa00c9dd9dbdce2fdaaa5e76c4e

SHA1
bd94f5cf10a6687e26e0563c4039eaa700137069

SHA256
de811b7aa92d6d67cc6ecf8a9b0a09afe1f99a4f2df9d5432f47c4df0ad2dab5

SHA512
edb19eb642b4c002183501053735385a446053a222bf91e57a3b29a94ab36dadaee68af0c7a74abefef0e8ddd25ecebbb60b154afefb8948b539f6d85a5966f8

Download Submit
C:\Windows\System32\ftvtQEC.exe

Filesize
1.8MB

MD5
39ffae079ec341b6c612902372875110

SHA1
46c59a8e74d176535e5b78884e88194b8b6a7889

SHA256
21803aa3a77195149073ee8d15efaa218ad1d20dc36ca15208286019454c66e0

SHA512
1054c2fcaa963d10a4fdf67d6a071fd54888653b3840d880468bf7d33006a4778bdb52c36de8e96a90099f695452ac31885cdbccd02f5f9168172cfb01f78c19

Download Submit
C:\Windows\System32\gYKlVCr.exe

Filesize
1.7MB

MD5
986e4d338d582a4d41e3cecba77d2a85

SHA1
1a21ffe9760c1e59d95bc7ddf11483ed0bc8ab66

SHA256
ffb953c423b1c2c19633462b764136858319629db165acb13b27811ab86de1d5

SHA512
07a3ffb1ec66d0baa7008380c227701b766393f3ec33f14c147c2c1e9656783e2b126cfef9ec79226590975d4d8601cf98fa7eaa38844a80a5855e82a1bfe1f3

Download Submit
C:\Windows\System32\iZTkAGe.exe

Filesize
1.7MB

MD5
550e4491049952c73bcca9805bbef137

SHA1
02f328687f6d4aa88eda5f76202dcc5e157a003f

SHA256
48f0fa15d14e24b1f91840a431af5e8a8a1045ba67dee1808fbec6876e612bc4

SHA512
45e784a59b600aa742799afcc95a67a43c926d6fc7bcb5ba22e23a6574ab6c1d054e3cdc398b85612fdcea0c04b2ecb77084db77adbec2ae2106428242906ba8

Download Submit
C:\Windows\System32\jRzlSgV.exe

Filesize
1.7MB

MD5
1ffa984932adda08f77355ecd883d397

SHA1
6438bdc0bf70c52cc768adebc5634884d8af60d8

SHA256
0fef67ff8aefa1a82f7f26e6ecc0077ca68a472a106df2832fc55909ce29b45a

SHA512
8a8fa1f3e2f94ebbe06f9d5ba7d5f735951e14a49984e145b8f476baeaaf42f3bcb2b9acf4bee7cfc49b819176e5e37a6b20291ebaa38805fb1234e1f2a6a01a

Download Submit
C:\Windows\System32\kGuKPlI.exe

Filesize
1.7MB

MD5
6ab0d23e6cfa9e595969657ab85eaade

SHA1
d52f3b12aa5ff5df71966388c60e47e8b8cf1464

SHA256
1e2779b1334c327166c1e58b84dfa8b4039987329173aa0a61fd2efebe6997bf

SHA512
bf27882566bff9c99234cb7c5b0b100684ca606f946522d53310e1cf3bed077602f4ecc9599fc8cf48878b9d3c598bf5adf3302ddedcd12fe025c3cd1ae62981

Download Submit
C:\Windows\System32\lvfYsvs.exe

Filesize
1.8MB

MD5
9f256486915a0cae1e26b8e3550056d6

SHA1
adc860102ebc3db252a41fdaec02a1c453147f71

SHA256
d2efe1315c189670d5c6d1c7374ce51b18ac939e2c22a542bf17c835fbd27b73

SHA512
cd446bbf7ce01e2f2194971b11316216616c05dd71717bd11bfe6ab0dabf02124ead057fe22b63bc8d7845c1a284c6982d221e0bbc6fcbc6b2325d0da69391b8

Download Submit
C:\Windows\System32\mDnfrvU.exe

Filesize
1.7MB

MD5
071db78b36257b8306f2da2a0c93248a

SHA1
4a0746856c31fca5ef21c04bf0f7c00331a17e39

SHA256
46313977a8aa1d1c7f59b6ef7ec75401d2d740a0fbac5f3dd9cc545d4ac0da41

SHA512
ce1f06d44a07d8324b7be4f70b8de5db61b0faa8b4ca466ed4929425bf15ca66371aafcef31ffc77b621ad9bc7d695f14a32c6d870f8759be306713b553b1128

Download Submit
C:\Windows\System32\nIbKcbK.exe

Filesize
1.7MB

MD5
3ad73802c6422ca5cc07f7e00db9602b

SHA1
eb366640d80cc9fcecad1dea127d64d039b1ef7b

SHA256
d0bd1c1e386a072398ecbc5f04db60b22dc19495128c81b9e9e5ead2f9e7dccd

SHA512
26fae04ae737b3ace9ff5f6283f4bd0f833d7ff11ea733ba4b5cf25412334aec1e3e88d7b4e5650feb5ee7cdb48578215cbccb0796c8fe5b46d4cabd95c49876

Download Submit
C:\Windows\System32\nUvstba.exe

Filesize
1.7MB

MD5
3a7044c6e75b72ae0abb420a8abed892

SHA1
c99a2b26a3cd0570fb4c69b13b61ec39157b6d27

SHA256
c601059b6051646d43214d885dbf10892f020003a6b615a4d7910c68102a69c2

SHA512
82f9d3a518d89162679af750637588e2884e393462654a68ecea3fb4702ab7739f4f6411fcdb1bc3a12c3c0a1c8cccab37e21fd9828951cee22becb5bbb5735f

Download Submit
C:\Windows\System32\oDvbRFH.exe

Filesize
1.7MB

MD5
1b047ffdcfad06fca32cd056743ad56e

SHA1
6df6c14d6a0b36f3613f74556a4ede4a1484f455

SHA256
74529ab084e091bfdefd57d35f67615d67da4ead9b85bd1b56b3c6e7ec964cfe

SHA512
dda4fc003130af2eda71720cb5c50e1a8e05f9b7c7407e6d25b6f52875a4cae11f43461a2083e64305c054c5b80b734ed54de37f2589e9482d3d9481679b8fdf

Download Submit
C:\Windows\System32\oWeGoDL.exe

Filesize
1.8MB

MD5
c49945d6f0face69b2d5f4c54349776a

SHA1
ba7f2c196fc27731f8d9cadeecd980a265c1ffa5

SHA256
b32b73acc544c28b8c8ddc5ac3da93f3a1f7b55118619eb38f8cc333d0d77028

SHA512
5a665780c3c01d54c13d17e23cf9a656d09872ac643e91cfbbb83366b0a4fc2d6d008ea1d1340fcb42a3d422940435026b65a9ee20f33847adc3cb1db1405ceb

Download Submit
C:\Windows\System32\upCJwtw.exe

Filesize
1.7MB

MD5
6f90fe4525d758fb7c1c8b426fcf2b7b

SHA1
cf5a3234dec7f3f5c25a226d78e0cb230e47680e

SHA256
619e22e05514dc13c270b21b4fe38475e7bbe601cfd7536f054085974cad92d2

SHA512
2ce2306b4183d7bfe9b0cf22dddbbdbd4794391b3afe71a547cdb3b1eb979006152f6665222fe7346058c230103bb0b74d708d09028f922ba65a0f16e989e82d

Download Submit
C:\Windows\System32\xlTtLlS.exe

Filesize
1.8MB

MD5
05d783302298a644224e334ecaa5ab3f

SHA1
18542607abf2ffd68b34c87655c56ce31c7a1214

SHA256
41749f75d2c55fdfaec0dcf65ab998afbeec9b5bb502e0f98c62fb5baa682d46

SHA512
2a20c63b1dd62a94e581e33ff4f99a6022c11571e7aa1da2adf5b7be2078463d47d75254c205d489a9bf9074f6d521676d928b802983cb11dda57e37a66803b3

Download Submit
memory/948-539-0x00007FF6FF320000-0x00007FF6FF711000-memory.dmp

Filesize
3.9MB

Download
memory/948-2035-0x00007FF6FF320000-0x00007FF6FF711000-memory.dmp

Filesize
3.9MB

Download
memory/1192-1992-0x00007FF76F9E0000-0x00007FF76FDD1000-memory.dmp

Filesize
3.9MB

Download
memory/1192-14-0x00007FF76F9E0000-0x00007FF76FDD1000-memory.dmp

Filesize
3.9MB

Download
memory/1192-1984-0x00007FF76F9E0000-0x00007FF76FDD1000-memory.dmp

Filesize
3.9MB

Download
memory/1584-2018-0x00007FF79E440000-0x00007FF79E831000-memory.dmp

Filesize
3.9MB

Download
memory/1584-488-0x00007FF79E440000-0x00007FF79E831000-memory.dmp

Filesize
3.9MB

Download
memory/1724-2022-0x00007FF6E71A0000-0x00007FF6E7591000-memory.dmp

Filesize
3.9MB

Download
memory/1724-504-0x00007FF6E71A0000-0x00007FF6E7591000-memory.dmp

Filesize
3.9MB

Download
memory/1816-2016-0x00007FF78B970000-0x00007FF78BD61000-memory.dmp

Filesize
3.9MB

Download
memory/1816-458-0x00007FF78B970000-0x00007FF78BD61000-memory.dmp

Filesize
3.9MB

Download
memory/1932-2002-0x00007FF676C60000-0x00007FF677051000-memory.dmp

Filesize
3.9MB

Download
memory/1932-544-0x00007FF676C60000-0x00007FF677051000-memory.dmp

Filesize
3.9MB

Download
memory/2184-2014-0x00007FF6D1620000-0x00007FF6D1A11000-memory.dmp

Filesize
3.9MB

Download
memory/2184-450-0x00007FF6D1620000-0x00007FF6D1A11000-memory.dmp

Filesize
3.9MB

Download
memory/2268-1996-0x00007FF747020000-0x00007FF747411000-memory.dmp

Filesize
3.9MB

Download
memory/2268-22-0x00007FF747020000-0x00007FF747411000-memory.dmp

Filesize
3.9MB

Download
memory/2296-2039-0x00007FF75A080000-0x00007FF75A471000-memory.dmp

Filesize
3.9MB

Download
memory/2296-535-0x00007FF75A080000-0x00007FF75A471000-memory.dmp

Filesize
3.9MB

Download
memory/2308-444-0x00007FF6A5410000-0x00007FF6A5801000-memory.dmp

Filesize
3.9MB

Download
memory/2308-1998-0x00007FF6A5410000-0x00007FF6A5801000-memory.dmp

Filesize
3.9MB

Download
memory/2768-2024-0x00007FF6D3B40000-0x00007FF6D3F31000-memory.dmp

Filesize
3.9MB

Download
memory/2768-515-0x00007FF6D3B40000-0x00007FF6D3F31000-memory.dmp

Filesize
3.9MB

Download
memory/3560-18-0x00007FF6E5110000-0x00007FF6E5501000-memory.dmp

Filesize
3.9MB

Download
memory/3560-1994-0x00007FF6E5110000-0x00007FF6E5501000-memory.dmp

Filesize
3.9MB

Download
memory/3676-533-0x00007FF6A51F0000-0x00007FF6A55E1000-memory.dmp

Filesize
3.9MB

Download
memory/3676-2030-0x00007FF6A51F0000-0x00007FF6A55E1000-memory.dmp

Filesize
3.9MB

Download
memory/3704-33-0x00007FF6C5960000-0x00007FF6C5D51000-memory.dmp

Filesize
3.9MB

Download
memory/3704-2000-0x00007FF6C5960000-0x00007FF6C5D51000-memory.dmp

Filesize
3.9MB

Download
memory/3900-2012-0x00007FF7BE100000-0x00007FF7BE4F1000-memory.dmp

Filesize
3.9MB

Download
memory/3900-474-0x00007FF7BE100000-0x00007FF7BE4F1000-memory.dmp

Filesize
3.9MB

Download
memory/3968-541-0x00007FF77BBE0000-0x00007FF77BFD1000-memory.dmp

Filesize
3.9MB

Download
memory/3968-2068-0x00007FF77BBE0000-0x00007FF77BFD1000-memory.dmp

Filesize
3.9MB

Download
memory/4136-446-0x00007FF763B70000-0x00007FF763F61000-memory.dmp

Filesize
3.9MB

Download
memory/4136-2006-0x00007FF763B70000-0x00007FF763F61000-memory.dmp

Filesize
3.9MB

Download
memory/4224-2004-0x00007FF75FC30000-0x00007FF760021000-memory.dmp

Filesize
3.9MB

Download
memory/4224-445-0x00007FF75FC30000-0x00007FF760021000-memory.dmp

Filesize
3.9MB

Download
memory/4236-522-0x00007FF75C160000-0x00007FF75C551000-memory.dmp

Filesize
3.9MB

Download
memory/4236-2026-0x00007FF75C160000-0x00007FF75C551000-memory.dmp

Filesize
3.9MB

Download
memory/4240-519-0x00007FF7858C0000-0x00007FF785CB1000-memory.dmp

Filesize
3.9MB

Download
memory/4240-2028-0x00007FF7858C0000-0x00007FF785CB1000-memory.dmp

Filesize
3.9MB

Download
memory/4652-0-0x00007FF6466A0000-0x00007FF646A91000-memory.dmp

Filesize
3.9MB

Download
memory/4652-1-0x0000016166350000-0x0000016166360000-memory.dmp

Filesize
64KB

Download
memory/4660-529-0x00007FF63C930000-0x00007FF63CD21000-memory.dmp

Filesize
3.9MB

Download
memory/4660-2032-0x00007FF63C930000-0x00007FF63CD21000-memory.dmp

Filesize
3.9MB

Download
memory/4784-2010-0x00007FF7F0980000-0x00007FF7F0D71000-memory.dmp

Filesize
3.9MB

Download
memory/4784-472-0x00007FF7F0980000-0x00007FF7F0D71000-memory.dmp

Filesize
3.9MB

Download
memory/4932-2020-0x00007FF606DA0000-0x00007FF607191000-memory.dmp

Filesize
3.9MB

Download
memory/4932-492-0x00007FF606DA0000-0x00007FF607191000-memory.dmp

Filesize
3.9MB

Download
memory/5056-447-0x00007FF6A1FB0000-0x00007FF6A23A1000-memory.dmp

Filesize
3.9MB

Download
memory/5056-2008-0x00007FF6A1FB0000-0x00007FF6A23A1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads