xmrig | 55f276703a88f234e31b4ffeab0047292f86e11665d3f4d104bdf38d6d2c1478

Analysis

max time kernel
99s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85b86af2dd5a96fae3a2c78e3ef409d0N.exe
Size

1.9MB
MD5

85b86af2dd5a96fae3a2c78e3ef409d0
SHA1

1a6b2847cfcab6639b3ab8713347ab4e49c88ecd
SHA256

55f276703a88f234e31b4ffeab0047292f86e11665d3f4d104bdf38d6d2c1478
SHA512

a7da1a251bc47d40b31649fca427a34f44c7d2ba9fb3c48cc25e091895c162e6fd4b9c1cbe7abb7489a8213440ea38cc3b78623fc261d206773083f40963a89f
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlOqzJO0L0+Eqq31vkMOexG4GOlwQf6zErfc80srt10:knw9oUUEEDlOuJUJGFQfKErftt3aGxSp

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/3608-23-0x00007FF7CD830000-0x00007FF7CDC21000-memory.dmp	xmrig
behavioral2/memory/4264-35-0x00007FF71C390000-0x00007FF71C781000-memory.dmp	xmrig
behavioral2/memory/2484-422-0x00007FF6ED8C0000-0x00007FF6EDCB1000-memory.dmp	xmrig
behavioral2/memory/3484-421-0x00007FF7D2160000-0x00007FF7D2551000-memory.dmp	xmrig
behavioral2/memory/1352-437-0x00007FF752580000-0x00007FF752971000-memory.dmp	xmrig
behavioral2/memory/2968-442-0x00007FF60D340000-0x00007FF60D731000-memory.dmp	xmrig
behavioral2/memory/3704-466-0x00007FF69B460000-0x00007FF69B851000-memory.dmp	xmrig
behavioral2/memory/440-468-0x00007FF7D2C80000-0x00007FF7D3071000-memory.dmp	xmrig
behavioral2/memory/3408-487-0x00007FF7F9E80000-0x00007FF7FA271000-memory.dmp	xmrig
behavioral2/memory/4132-488-0x00007FF72FED0000-0x00007FF7302C1000-memory.dmp	xmrig
behavioral2/memory/3920-477-0x00007FF75A800000-0x00007FF75ABF1000-memory.dmp	xmrig
behavioral2/memory/4712-471-0x00007FF7B04B0000-0x00007FF7B08A1000-memory.dmp	xmrig
behavioral2/memory/4672-465-0x00007FF7129E0000-0x00007FF712DD1000-memory.dmp	xmrig
behavioral2/memory/4892-460-0x00007FF7F5A20000-0x00007FF7F5E11000-memory.dmp	xmrig
behavioral2/memory/1592-457-0x00007FF7390D0000-0x00007FF7394C1000-memory.dmp	xmrig
behavioral2/memory/3848-450-0x00007FF74B630000-0x00007FF74BA21000-memory.dmp	xmrig
behavioral2/memory/1284-434-0x00007FF67CC20000-0x00007FF67D011000-memory.dmp	xmrig
behavioral2/memory/5044-429-0x00007FF737040000-0x00007FF737431000-memory.dmp	xmrig
behavioral2/memory/2888-427-0x00007FF64D570000-0x00007FF64D961000-memory.dmp	xmrig
behavioral2/memory/4404-1790-0x00007FF71DEF0000-0x00007FF71E2E1000-memory.dmp	xmrig
behavioral2/memory/2380-1956-0x00007FF69B030000-0x00007FF69B421000-memory.dmp	xmrig
behavioral2/memory/432-1957-0x00007FF78BCC0000-0x00007FF78C0B1000-memory.dmp	xmrig
behavioral2/memory/4780-1990-0x00007FF653850000-0x00007FF653C41000-memory.dmp	xmrig
behavioral2/memory/4404-1992-0x00007FF71DEF0000-0x00007FF71E2E1000-memory.dmp	xmrig
behavioral2/memory/4440-1997-0x00007FF7655F0000-0x00007FF7659E1000-memory.dmp	xmrig
behavioral2/memory/3608-1999-0x00007FF7CD830000-0x00007FF7CDC21000-memory.dmp	xmrig
behavioral2/memory/2380-2001-0x00007FF69B030000-0x00007FF69B421000-memory.dmp	xmrig
behavioral2/memory/432-2003-0x00007FF78BCC0000-0x00007FF78C0B1000-memory.dmp	xmrig
behavioral2/memory/4264-2005-0x00007FF71C390000-0x00007FF71C781000-memory.dmp	xmrig
behavioral2/memory/4780-2009-0x00007FF653850000-0x00007FF653C41000-memory.dmp	xmrig
behavioral2/memory/708-2007-0x00007FF659680000-0x00007FF659A71000-memory.dmp	xmrig
behavioral2/memory/2484-2013-0x00007FF6ED8C0000-0x00007FF6EDCB1000-memory.dmp	xmrig
behavioral2/memory/3484-2011-0x00007FF7D2160000-0x00007FF7D2551000-memory.dmp	xmrig
behavioral2/memory/2888-2015-0x00007FF64D570000-0x00007FF64D961000-memory.dmp	xmrig
behavioral2/memory/5044-2017-0x00007FF737040000-0x00007FF737431000-memory.dmp	xmrig
behavioral2/memory/1284-2019-0x00007FF67CC20000-0x00007FF67D011000-memory.dmp	xmrig
behavioral2/memory/1352-2027-0x00007FF752580000-0x00007FF752971000-memory.dmp	xmrig
behavioral2/memory/4132-2039-0x00007FF72FED0000-0x00007FF7302C1000-memory.dmp	xmrig
behavioral2/memory/3920-2043-0x00007FF75A800000-0x00007FF75ABF1000-memory.dmp	xmrig
behavioral2/memory/3408-2041-0x00007FF7F9E80000-0x00007FF7FA271000-memory.dmp	xmrig
behavioral2/memory/4712-2037-0x00007FF7B04B0000-0x00007FF7B08A1000-memory.dmp	xmrig
behavioral2/memory/440-2035-0x00007FF7D2C80000-0x00007FF7D3071000-memory.dmp	xmrig
behavioral2/memory/3704-2033-0x00007FF69B460000-0x00007FF69B851000-memory.dmp	xmrig
behavioral2/memory/4672-2031-0x00007FF7129E0000-0x00007FF712DD1000-memory.dmp	xmrig
behavioral2/memory/4892-2029-0x00007FF7F5A20000-0x00007FF7F5E11000-memory.dmp	xmrig
behavioral2/memory/2968-2025-0x00007FF60D340000-0x00007FF60D731000-memory.dmp	xmrig
behavioral2/memory/1592-2021-0x00007FF7390D0000-0x00007FF7394C1000-memory.dmp	xmrig
behavioral2/memory/3848-2023-0x00007FF74B630000-0x00007FF74BA21000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4440	bpwdBPA.exe
2380	TWYkuWR.exe
3608	csYaPCT.exe
432	eAEKYFv.exe
4264	wRzkIyP.exe
708	UnJFrsP.exe
4780	BmXSjWo.exe
3484	JIJdMQU.exe
2484	DNfNPNi.exe
2888	YPlJwmc.exe
5044	RJoLmwN.exe
1284	eeuZIHu.exe
1352	AWhJuIe.exe
2968	reZakfE.exe
3848	CANcMyg.exe
1592	JBYSxge.exe
4892	uBPlAmF.exe
4672	LMbLUvJ.exe
3704	dDzwwuK.exe
440	zbxtvns.exe
4712	tuqPCls.exe
3920	iEcINDT.exe
3408	tLOXsPU.exe
4132	LwGQEcY.exe
4800	PVVhCKY.exe
1032	hDJbDkr.exe
4776	CMsCSBe.exe
1048	KYsPjoQ.exe
3540	OEyejaa.exe
1408	BmoxvfW.exe
1344	dZQzlpF.exe
3980	bgypztg.exe
1304	HtFBxvT.exe
2392	XEnhono.exe
3952	sgNJuPX.exe
4804	qxgSPHR.exe
2476	oIOyVOa.exe
3432	SFMlOzT.exe
2940	NuNePtI.exe
4512	yKMZLbC.exe
3712	nWVriyd.exe
3616	yWAaCeN.exe
4588	iiWHTAU.exe
2192	tcnUwus.exe
4640	rWAoWHD.exe
4384	cHhepqE.exe
864	HbqEYhi.exe
3512	vJxcCQk.exe
1872	gIKtLxl.exe
64	WGLqbYL.exe
4412	QfKxtUD.exe
4300	GocstyY.exe
3400	LievCWE.exe
1772	ORFXDiw.exe
3672	XZWBLcO.exe
1148	ilCxOnX.exe
3588	TWjHOTq.exe
692	QbsZXda.exe
3128	VABHhRX.exe
3304	VGSKUYq.exe
3108	EMyHbxH.exe
4544	NZSyzLz.exe
4140	AzSKIcd.exe
376	ItvqkWy.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4404-0-0x00007FF71DEF0000-0x00007FF71E2E1000-memory.dmp	upx
behavioral2/files/0x00080000000234b9-5.dat	upx
behavioral2/files/0x00070000000234bd-8.dat	upx
behavioral2/memory/3608-23-0x00007FF7CD830000-0x00007FF7CDC21000-memory.dmp	upx
behavioral2/files/0x00070000000234be-25.dat	upx
behavioral2/memory/432-24-0x00007FF78BCC0000-0x00007FF78C0B1000-memory.dmp	upx
behavioral2/files/0x00070000000234bf-28.dat	upx
behavioral2/memory/4264-35-0x00007FF71C390000-0x00007FF71C781000-memory.dmp	upx
behavioral2/files/0x00070000000234c0-38.dat	upx
behavioral2/files/0x00070000000234c1-41.dat	upx
behavioral2/files/0x00070000000234c3-53.dat	upx
behavioral2/files/0x00070000000234c4-58.dat	upx
behavioral2/files/0x00070000000234c5-63.dat	upx
behavioral2/files/0x00070000000234c7-76.dat	upx
behavioral2/files/0x00070000000234c8-81.dat	upx
behavioral2/files/0x00070000000234cb-91.dat	upx
behavioral2/files/0x00070000000234cd-101.dat	upx
behavioral2/files/0x00070000000234cf-113.dat	upx
behavioral2/files/0x00070000000234d5-143.dat	upx
behavioral2/files/0x00070000000234d8-158.dat	upx
behavioral2/memory/2484-422-0x00007FF6ED8C0000-0x00007FF6EDCB1000-memory.dmp	upx
behavioral2/memory/3484-421-0x00007FF7D2160000-0x00007FF7D2551000-memory.dmp	upx
behavioral2/memory/1352-437-0x00007FF752580000-0x00007FF752971000-memory.dmp	upx
behavioral2/memory/2968-442-0x00007FF60D340000-0x00007FF60D731000-memory.dmp	upx
behavioral2/memory/3704-466-0x00007FF69B460000-0x00007FF69B851000-memory.dmp	upx
behavioral2/memory/440-468-0x00007FF7D2C80000-0x00007FF7D3071000-memory.dmp	upx
behavioral2/memory/3408-487-0x00007FF7F9E80000-0x00007FF7FA271000-memory.dmp	upx
behavioral2/memory/4132-488-0x00007FF72FED0000-0x00007FF7302C1000-memory.dmp	upx
behavioral2/memory/3920-477-0x00007FF75A800000-0x00007FF75ABF1000-memory.dmp	upx
behavioral2/memory/4712-471-0x00007FF7B04B0000-0x00007FF7B08A1000-memory.dmp	upx
behavioral2/memory/4672-465-0x00007FF7129E0000-0x00007FF712DD1000-memory.dmp	upx
behavioral2/memory/4892-460-0x00007FF7F5A20000-0x00007FF7F5E11000-memory.dmp	upx
behavioral2/memory/1592-457-0x00007FF7390D0000-0x00007FF7394C1000-memory.dmp	upx
behavioral2/memory/3848-450-0x00007FF74B630000-0x00007FF74BA21000-memory.dmp	upx
behavioral2/memory/1284-434-0x00007FF67CC20000-0x00007FF67D011000-memory.dmp	upx
behavioral2/memory/5044-429-0x00007FF737040000-0x00007FF737431000-memory.dmp	upx
behavioral2/memory/2888-427-0x00007FF64D570000-0x00007FF64D961000-memory.dmp	upx
behavioral2/files/0x00070000000234da-168.dat	upx
behavioral2/files/0x00070000000234d9-166.dat	upx
behavioral2/files/0x00070000000234d7-153.dat	upx
behavioral2/files/0x00070000000234d6-148.dat	upx
behavioral2/files/0x00070000000234d4-138.dat	upx
behavioral2/files/0x00070000000234d3-133.dat	upx
behavioral2/files/0x00070000000234d2-128.dat	upx
behavioral2/files/0x00070000000234d1-123.dat	upx
behavioral2/files/0x00070000000234d0-118.dat	upx
behavioral2/files/0x00070000000234ce-108.dat	upx
behavioral2/files/0x00070000000234cc-98.dat	upx
behavioral2/files/0x00070000000234ca-88.dat	upx
behavioral2/files/0x00070000000234c9-83.dat	upx
behavioral2/files/0x00070000000234c6-68.dat	upx
behavioral2/files/0x00070000000234c2-48.dat	upx
behavioral2/memory/4780-42-0x00007FF653850000-0x00007FF653C41000-memory.dmp	upx
behavioral2/memory/708-39-0x00007FF659680000-0x00007FF659A71000-memory.dmp	upx
behavioral2/memory/2380-18-0x00007FF69B030000-0x00007FF69B421000-memory.dmp	upx
behavioral2/files/0x00080000000234bc-15.dat	upx
behavioral2/memory/4440-10-0x00007FF7655F0000-0x00007FF7659E1000-memory.dmp	upx
behavioral2/memory/4404-1790-0x00007FF71DEF0000-0x00007FF71E2E1000-memory.dmp	upx
behavioral2/memory/2380-1956-0x00007FF69B030000-0x00007FF69B421000-memory.dmp	upx
behavioral2/memory/432-1957-0x00007FF78BCC0000-0x00007FF78C0B1000-memory.dmp	upx
behavioral2/memory/4780-1990-0x00007FF653850000-0x00007FF653C41000-memory.dmp	upx
behavioral2/memory/4404-1992-0x00007FF71DEF0000-0x00007FF71E2E1000-memory.dmp	upx
behavioral2/memory/4440-1997-0x00007FF7655F0000-0x00007FF7659E1000-memory.dmp	upx
behavioral2/memory/3608-1999-0x00007FF7CD830000-0x00007FF7CDC21000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\GZVkBUi.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\NrjoMot.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\sJKvsnP.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\tvfEpPe.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\zXFaqME.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\vpcEcll.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\rkEfDLi.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\paTAhQm.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\lgYUYLu.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\XhHWbOf.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\LJWrefG.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\qHzyBwj.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\iKJYQwX.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\dHnJbNf.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\iAGPFgN.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\BoCiyDS.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\qWObtRa.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\pCHGANf.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\FzQXybY.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\inyRPsw.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\yAdbkIv.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\hQIRCgX.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\slLYLrl.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\gIKtLxl.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\ORFXDiw.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\AQVkpbv.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\GZkFxnG.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\lSnLQTj.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\AVJMIkB.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\YHNpFbs.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\pxKJboo.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\cFzRYGz.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\TBSuMaV.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\FDYLEPV.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\vIOrusF.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\JLjfyWL.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\QHtDTyu.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\jeXZqrX.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\BmoxvfW.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\ljfuyvI.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\ifwPSzE.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\TjykvQz.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\lsTzBkj.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\dDzwwuK.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\tLOXsPU.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\wmgSwbQ.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\wKhMysh.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\Ksybbey.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\JxKAkqB.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\ikLcwjF.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\nAUmadt.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\lvePCDb.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\AOLqYca.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\eeuZIHu.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\ZiUKzal.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\VRKdhnt.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\ESHLXbq.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\etZzCLw.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\fbIiHYX.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\OKYuJnj.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\yVfVYrU.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\AYQBMDX.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\NQSNUgM.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe
File created	C:\Windows\System32\KtQBEcb.exe	85b86af2dd5a96fae3a2c78e3ef409d0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12520	dwm.exe
Token: SeChangeNotifyPrivilege	12520	dwm.exe
Token: 33	12520	dwm.exe
Token: SeIncBasePriorityPrivilege	12520	dwm.exe
Token: SeShutdownPrivilege	12520	dwm.exe
Token: SeCreatePagefilePrivilege	12520	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 4440	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	87
PID 4404 wrote to memory of 4440	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	87
PID 4404 wrote to memory of 2380	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	88
PID 4404 wrote to memory of 2380	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	88
PID 4404 wrote to memory of 3608	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	89
PID 4404 wrote to memory of 3608	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	89
PID 4404 wrote to memory of 432	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	90
PID 4404 wrote to memory of 432	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	90
PID 4404 wrote to memory of 4264	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	91
PID 4404 wrote to memory of 4264	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	91
PID 4404 wrote to memory of 708	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	92
PID 4404 wrote to memory of 708	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	92
PID 4404 wrote to memory of 4780	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	93
PID 4404 wrote to memory of 4780	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	93
PID 4404 wrote to memory of 3484	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	94
PID 4404 wrote to memory of 3484	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	94
PID 4404 wrote to memory of 2484	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	95
PID 4404 wrote to memory of 2484	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	95
PID 4404 wrote to memory of 2888	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	96
PID 4404 wrote to memory of 2888	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	96
PID 4404 wrote to memory of 5044	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	97
PID 4404 wrote to memory of 5044	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	97
PID 4404 wrote to memory of 1284	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	98
PID 4404 wrote to memory of 1284	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	98
PID 4404 wrote to memory of 1352	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	99
PID 4404 wrote to memory of 1352	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	99
PID 4404 wrote to memory of 2968	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	100
PID 4404 wrote to memory of 2968	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	100
PID 4404 wrote to memory of 3848	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	101
PID 4404 wrote to memory of 3848	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	101
PID 4404 wrote to memory of 1592	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	102
PID 4404 wrote to memory of 1592	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	102
PID 4404 wrote to memory of 4892	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	103
PID 4404 wrote to memory of 4892	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	103
PID 4404 wrote to memory of 4672	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	104
PID 4404 wrote to memory of 4672	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	104
PID 4404 wrote to memory of 3704	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	105
PID 4404 wrote to memory of 3704	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	105
PID 4404 wrote to memory of 440	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	106
PID 4404 wrote to memory of 440	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	106
PID 4404 wrote to memory of 4712	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	107
PID 4404 wrote to memory of 4712	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	107
PID 4404 wrote to memory of 3920	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	108
PID 4404 wrote to memory of 3920	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	108
PID 4404 wrote to memory of 3408	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	109
PID 4404 wrote to memory of 3408	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	109
PID 4404 wrote to memory of 4132	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	110
PID 4404 wrote to memory of 4132	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	110
PID 4404 wrote to memory of 4800	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	111
PID 4404 wrote to memory of 4800	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	111
PID 4404 wrote to memory of 1032	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	112
PID 4404 wrote to memory of 1032	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	112
PID 4404 wrote to memory of 4776	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	113
PID 4404 wrote to memory of 4776	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	113
PID 4404 wrote to memory of 1048	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	114
PID 4404 wrote to memory of 1048	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	114
PID 4404 wrote to memory of 3540	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	115
PID 4404 wrote to memory of 3540	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	115
PID 4404 wrote to memory of 1408	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	116
PID 4404 wrote to memory of 1408	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	116
PID 4404 wrote to memory of 1344	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	117
PID 4404 wrote to memory of 1344	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	117
PID 4404 wrote to memory of 3980	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	118
PID 4404 wrote to memory of 3980	4404	85b86af2dd5a96fae3a2c78e3ef409d0N.exe	118

C:\Users\Admin\AppData\Local\Temp\85b86af2dd5a96fae3a2c78e3ef409d0N.exe
"C:\Users\Admin\AppData\Local\Temp\85b86af2dd5a96fae3a2c78e3ef409d0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\System32\bpwdBPA.exe
  C:\Windows\System32\bpwdBPA.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\TWYkuWR.exe
  C:\Windows\System32\TWYkuWR.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System32\csYaPCT.exe
  C:\Windows\System32\csYaPCT.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System32\eAEKYFv.exe
  C:\Windows\System32\eAEKYFv.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\wRzkIyP.exe
  C:\Windows\System32\wRzkIyP.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System32\UnJFrsP.exe
  C:\Windows\System32\UnJFrsP.exe
  2⤵
  - Executes dropped EXE
  PID:708
- C:\Windows\System32\BmXSjWo.exe
  C:\Windows\System32\BmXSjWo.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\JIJdMQU.exe
  C:\Windows\System32\JIJdMQU.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\DNfNPNi.exe
  C:\Windows\System32\DNfNPNi.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\YPlJwmc.exe
  C:\Windows\System32\YPlJwmc.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System32\RJoLmwN.exe
  C:\Windows\System32\RJoLmwN.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System32\eeuZIHu.exe
  C:\Windows\System32\eeuZIHu.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System32\AWhJuIe.exe
  C:\Windows\System32\AWhJuIe.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System32\reZakfE.exe
  C:\Windows\System32\reZakfE.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System32\CANcMyg.exe
  C:\Windows\System32\CANcMyg.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\JBYSxge.exe
  C:\Windows\System32\JBYSxge.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System32\uBPlAmF.exe
  C:\Windows\System32\uBPlAmF.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System32\LMbLUvJ.exe
  C:\Windows\System32\LMbLUvJ.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\dDzwwuK.exe
  C:\Windows\System32\dDzwwuK.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\zbxtvns.exe
  C:\Windows\System32\zbxtvns.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\tuqPCls.exe
  C:\Windows\System32\tuqPCls.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\iEcINDT.exe
  C:\Windows\System32\iEcINDT.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\tLOXsPU.exe
  C:\Windows\System32\tLOXsPU.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System32\LwGQEcY.exe
  C:\Windows\System32\LwGQEcY.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\PVVhCKY.exe
  C:\Windows\System32\PVVhCKY.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System32\hDJbDkr.exe
  C:\Windows\System32\hDJbDkr.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System32\CMsCSBe.exe
  C:\Windows\System32\CMsCSBe.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\KYsPjoQ.exe
  C:\Windows\System32\KYsPjoQ.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System32\OEyejaa.exe
  C:\Windows\System32\OEyejaa.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\BmoxvfW.exe
  C:\Windows\System32\BmoxvfW.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System32\dZQzlpF.exe
  C:\Windows\System32\dZQzlpF.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System32\bgypztg.exe
  C:\Windows\System32\bgypztg.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System32\HtFBxvT.exe
  C:\Windows\System32\HtFBxvT.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System32\XEnhono.exe
  C:\Windows\System32\XEnhono.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System32\sgNJuPX.exe
  C:\Windows\System32\sgNJuPX.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\qxgSPHR.exe
  C:\Windows\System32\qxgSPHR.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\oIOyVOa.exe
  C:\Windows\System32\oIOyVOa.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System32\SFMlOzT.exe
  C:\Windows\System32\SFMlOzT.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System32\NuNePtI.exe
  C:\Windows\System32\NuNePtI.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\yKMZLbC.exe
  C:\Windows\System32\yKMZLbC.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\nWVriyd.exe
  C:\Windows\System32\nWVriyd.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System32\yWAaCeN.exe
  C:\Windows\System32\yWAaCeN.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\iiWHTAU.exe
  C:\Windows\System32\iiWHTAU.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\tcnUwus.exe
  C:\Windows\System32\tcnUwus.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System32\rWAoWHD.exe
  C:\Windows\System32\rWAoWHD.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\cHhepqE.exe
  C:\Windows\System32\cHhepqE.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\HbqEYhi.exe
  C:\Windows\System32\HbqEYhi.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System32\vJxcCQk.exe
  C:\Windows\System32\vJxcCQk.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\gIKtLxl.exe
  C:\Windows\System32\gIKtLxl.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System32\WGLqbYL.exe
  C:\Windows\System32\WGLqbYL.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System32\QfKxtUD.exe
  C:\Windows\System32\QfKxtUD.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\GocstyY.exe
  C:\Windows\System32\GocstyY.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System32\LievCWE.exe
  C:\Windows\System32\LievCWE.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System32\ORFXDiw.exe
  C:\Windows\System32\ORFXDiw.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System32\XZWBLcO.exe
  C:\Windows\System32\XZWBLcO.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\ilCxOnX.exe
  C:\Windows\System32\ilCxOnX.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System32\TWjHOTq.exe
  C:\Windows\System32\TWjHOTq.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System32\QbsZXda.exe
  C:\Windows\System32\QbsZXda.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System32\VABHhRX.exe
  C:\Windows\System32\VABHhRX.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System32\VGSKUYq.exe
  C:\Windows\System32\VGSKUYq.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System32\EMyHbxH.exe
  C:\Windows\System32\EMyHbxH.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System32\NZSyzLz.exe
  C:\Windows\System32\NZSyzLz.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\AzSKIcd.exe
  C:\Windows\System32\AzSKIcd.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\ItvqkWy.exe
  C:\Windows\System32\ItvqkWy.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System32\IZqBtyA.exe
  C:\Windows\System32\IZqBtyA.exe
  2⤵
  PID:936
- C:\Windows\System32\JPovspU.exe
  C:\Windows\System32\JPovspU.exe
  2⤵
  PID:2448
- C:\Windows\System32\iLlTXNQ.exe
  C:\Windows\System32\iLlTXNQ.exe
  2⤵
  PID:2084
- C:\Windows\System32\felZYCh.exe
  C:\Windows\System32\felZYCh.exe
  2⤵
  PID:5028
- C:\Windows\System32\FXrPJyz.exe
  C:\Windows\System32\FXrPJyz.exe
  2⤵
  PID:4960
- C:\Windows\System32\EPgdXjR.exe
  C:\Windows\System32\EPgdXjR.exe
  2⤵
  PID:2088
- C:\Windows\System32\YCiAMoK.exe
  C:\Windows\System32\YCiAMoK.exe
  2⤵
  PID:4088
- C:\Windows\System32\juUeMxk.exe
  C:\Windows\System32\juUeMxk.exe
  2⤵
  PID:4444
- C:\Windows\System32\kXQqMrj.exe
  C:\Windows\System32\kXQqMrj.exe
  2⤵
  PID:4832
- C:\Windows\System32\bjvHpkn.exe
  C:\Windows\System32\bjvHpkn.exe
  2⤵
  PID:2324
- C:\Windows\System32\hVxJgYT.exe
  C:\Windows\System32\hVxJgYT.exe
  2⤵
  PID:3020
- C:\Windows\System32\TxBmCoN.exe
  C:\Windows\System32\TxBmCoN.exe
  2⤵
  PID:1176
- C:\Windows\System32\NLJPsgZ.exe
  C:\Windows\System32\NLJPsgZ.exe
  2⤵
  PID:4956
- C:\Windows\System32\GZKpaVm.exe
  C:\Windows\System32\GZKpaVm.exe
  2⤵
  PID:5000
- C:\Windows\System32\aQcJNuZ.exe
  C:\Windows\System32\aQcJNuZ.exe
  2⤵
  PID:4728
- C:\Windows\System32\lWeyxxA.exe
  C:\Windows\System32\lWeyxxA.exe
  2⤵
  PID:2244
- C:\Windows\System32\stTxvKp.exe
  C:\Windows\System32\stTxvKp.exe
  2⤵
  PID:2300
- C:\Windows\System32\saoWQUd.exe
  C:\Windows\System32\saoWQUd.exe
  2⤵
  PID:1744
- C:\Windows\System32\FBtAsVj.exe
  C:\Windows\System32\FBtAsVj.exe
  2⤵
  PID:4480
- C:\Windows\System32\TwtBYXA.exe
  C:\Windows\System32\TwtBYXA.exe
  2⤵
  PID:3132
- C:\Windows\System32\AslBcSp.exe
  C:\Windows\System32\AslBcSp.exe
  2⤵
  PID:4392
- C:\Windows\System32\DBAbBsR.exe
  C:\Windows\System32\DBAbBsR.exe
  2⤵
  PID:4316
- C:\Windows\System32\FQPfOfj.exe
  C:\Windows\System32\FQPfOfj.exe
  2⤵
  PID:4104
- C:\Windows\System32\ITFpuvq.exe
  C:\Windows\System32\ITFpuvq.exe
  2⤵
  PID:2092
- C:\Windows\System32\KRYvsvC.exe
  C:\Windows\System32\KRYvsvC.exe
  2⤵
  PID:116
- C:\Windows\System32\ZiUKzal.exe
  C:\Windows\System32\ZiUKzal.exe
  2⤵
  PID:3244
- C:\Windows\System32\SqiCbvK.exe
  C:\Windows\System32\SqiCbvK.exe
  2⤵
  PID:5160
- C:\Windows\System32\lFKVBks.exe
  C:\Windows\System32\lFKVBks.exe
  2⤵
  PID:5188
- C:\Windows\System32\inyRPsw.exe
  C:\Windows\System32\inyRPsw.exe
  2⤵
  PID:5204
- C:\Windows\System32\vvndIvF.exe
  C:\Windows\System32\vvndIvF.exe
  2⤵
  PID:5232
- C:\Windows\System32\fOpxVaX.exe
  C:\Windows\System32\fOpxVaX.exe
  2⤵
  PID:5272
- C:\Windows\System32\yVfVYrU.exe
  C:\Windows\System32\yVfVYrU.exe
  2⤵
  PID:5288
- C:\Windows\System32\IEMkmSU.exe
  C:\Windows\System32\IEMkmSU.exe
  2⤵
  PID:5328
- C:\Windows\System32\RudkQgB.exe
  C:\Windows\System32\RudkQgB.exe
  2⤵
  PID:5344
- C:\Windows\System32\jHDGIwj.exe
  C:\Windows\System32\jHDGIwj.exe
  2⤵
  PID:5372
- C:\Windows\System32\ArePUFw.exe
  C:\Windows\System32\ArePUFw.exe
  2⤵
  PID:5412
- C:\Windows\System32\rNayiST.exe
  C:\Windows\System32\rNayiST.exe
  2⤵
  PID:5440
- C:\Windows\System32\esAPALK.exe
  C:\Windows\System32\esAPALK.exe
  2⤵
  PID:5468
- C:\Windows\System32\JsqpjGe.exe
  C:\Windows\System32\JsqpjGe.exe
  2⤵
  PID:5496
- C:\Windows\System32\kQhBded.exe
  C:\Windows\System32\kQhBded.exe
  2⤵
  PID:5512
- C:\Windows\System32\GmIBOnm.exe
  C:\Windows\System32\GmIBOnm.exe
  2⤵
  PID:5540
- C:\Windows\System32\kReliFU.exe
  C:\Windows\System32\kReliFU.exe
  2⤵
  PID:5576
- C:\Windows\System32\lEXCRUK.exe
  C:\Windows\System32\lEXCRUK.exe
  2⤵
  PID:5596
- C:\Windows\System32\MpldtWP.exe
  C:\Windows\System32\MpldtWP.exe
  2⤵
  PID:5636
- C:\Windows\System32\tYuOWGZ.exe
  C:\Windows\System32\tYuOWGZ.exe
  2⤵
  PID:5652
- C:\Windows\System32\uLIRZCp.exe
  C:\Windows\System32\uLIRZCp.exe
  2⤵
  PID:5688
- C:\Windows\System32\EINIOFJ.exe
  C:\Windows\System32\EINIOFJ.exe
  2⤵
  PID:5708
- C:\Windows\System32\LQnZOEP.exe
  C:\Windows\System32\LQnZOEP.exe
  2⤵
  PID:5736
- C:\Windows\System32\Ksybbey.exe
  C:\Windows\System32\Ksybbey.exe
  2⤵
  PID:5772
- C:\Windows\System32\UxdBxfq.exe
  C:\Windows\System32\UxdBxfq.exe
  2⤵
  PID:5792
- C:\Windows\System32\GaZtToK.exe
  C:\Windows\System32\GaZtToK.exe
  2⤵
  PID:5820
- C:\Windows\System32\PtpfgzV.exe
  C:\Windows\System32\PtpfgzV.exe
  2⤵
  PID:5848
- C:\Windows\System32\FDYLEPV.exe
  C:\Windows\System32\FDYLEPV.exe
  2⤵
  PID:5876
- C:\Windows\System32\HmWRAIL.exe
  C:\Windows\System32\HmWRAIL.exe
  2⤵
  PID:5936
- C:\Windows\System32\NQSNUgM.exe
  C:\Windows\System32\NQSNUgM.exe
  2⤵
  PID:5952
- C:\Windows\System32\QZyGbYf.exe
  C:\Windows\System32\QZyGbYf.exe
  2⤵
  PID:5988
- C:\Windows\System32\IYQJPOD.exe
  C:\Windows\System32\IYQJPOD.exe
  2⤵
  PID:6008
- C:\Windows\System32\LAOGPjB.exe
  C:\Windows\System32\LAOGPjB.exe
  2⤵
  PID:6032
- C:\Windows\System32\IxbRTbA.exe
  C:\Windows\System32\IxbRTbA.exe
  2⤵
  PID:6072
- C:\Windows\System32\apaAZix.exe
  C:\Windows\System32\apaAZix.exe
  2⤵
  PID:6092
- C:\Windows\System32\UEztNFH.exe
  C:\Windows\System32\UEztNFH.exe
  2⤵
  PID:6112
- C:\Windows\System32\VPMDoSB.exe
  C:\Windows\System32\VPMDoSB.exe
  2⤵
  PID:4664
- C:\Windows\System32\ONDOhOr.exe
  C:\Windows\System32\ONDOhOr.exe
  2⤵
  PID:2256
- C:\Windows\System32\mFkitDG.exe
  C:\Windows\System32\mFkitDG.exe
  2⤵
  PID:1716
- C:\Windows\System32\lktSTTW.exe
  C:\Windows\System32\lktSTTW.exe
  2⤵
  PID:5152
- C:\Windows\System32\MtIIaUz.exe
  C:\Windows\System32\MtIIaUz.exe
  2⤵
  PID:5244
- C:\Windows\System32\rkEfDLi.exe
  C:\Windows\System32\rkEfDLi.exe
  2⤵
  PID:5280
- C:\Windows\System32\gYjgzES.exe
  C:\Windows\System32\gYjgzES.exe
  2⤵
  PID:5304
- C:\Windows\System32\HOCciSE.exe
  C:\Windows\System32\HOCciSE.exe
  2⤵
  PID:5384
- C:\Windows\System32\VCENiUN.exe
  C:\Windows\System32\VCENiUN.exe
  2⤵
  PID:5424
- C:\Windows\System32\yAdbkIv.exe
  C:\Windows\System32\yAdbkIv.exe
  2⤵
  PID:5448
- C:\Windows\System32\apeGpaR.exe
  C:\Windows\System32\apeGpaR.exe
  2⤵
  PID:5032
- C:\Windows\System32\VmyQIIg.exe
  C:\Windows\System32\VmyQIIg.exe
  2⤵
  PID:4020
- C:\Windows\System32\oVJMuzc.exe
  C:\Windows\System32\oVJMuzc.exe
  2⤵
  PID:5664
- C:\Windows\System32\fmCausV.exe
  C:\Windows\System32\fmCausV.exe
  2⤵
  PID:5704
- C:\Windows\System32\kPZLZbr.exe
  C:\Windows\System32\kPZLZbr.exe
  2⤵
  PID:2668
- C:\Windows\System32\fqVUCQi.exe
  C:\Windows\System32\fqVUCQi.exe
  2⤵
  PID:8
- C:\Windows\System32\SfQpZdw.exe
  C:\Windows\System32\SfQpZdw.exe
  2⤵
  PID:2116
- C:\Windows\System32\btQbYza.exe
  C:\Windows\System32\btQbYza.exe
  2⤵
  PID:1760
- C:\Windows\System32\oIHoqRg.exe
  C:\Windows\System32\oIHoqRg.exe
  2⤵
  PID:4048
- C:\Windows\System32\ilTWkYD.exe
  C:\Windows\System32\ilTWkYD.exe
  2⤵
  PID:4452
- C:\Windows\System32\IWnBdpP.exe
  C:\Windows\System32\IWnBdpP.exe
  2⤵
  PID:1396
- C:\Windows\System32\PtCTcjJ.exe
  C:\Windows\System32\PtCTcjJ.exe
  2⤵
  PID:3628
- C:\Windows\System32\cEvWchO.exe
  C:\Windows\System32\cEvWchO.exe
  2⤵
  PID:6000
- C:\Windows\System32\ljfuyvI.exe
  C:\Windows\System32\ljfuyvI.exe
  2⤵
  PID:5984
- C:\Windows\System32\JxKAkqB.exe
  C:\Windows\System32\JxKAkqB.exe
  2⤵
  PID:2408
- C:\Windows\System32\mhKPSGl.exe
  C:\Windows\System32\mhKPSGl.exe
  2⤵
  PID:1292
- C:\Windows\System32\bEmKEOa.exe
  C:\Windows\System32\bEmKEOa.exe
  2⤵
  PID:5036
- C:\Windows\System32\CmcWkhz.exe
  C:\Windows\System32\CmcWkhz.exe
  2⤵
  PID:5312
- C:\Windows\System32\WqrVXvN.exe
  C:\Windows\System32\WqrVXvN.exe
  2⤵
  PID:5504
- C:\Windows\System32\tibUkug.exe
  C:\Windows\System32\tibUkug.exe
  2⤵
  PID:5916
- C:\Windows\System32\Ydgnxea.exe
  C:\Windows\System32\Ydgnxea.exe
  2⤵
  PID:5356
- C:\Windows\System32\QHtDTyu.exe
  C:\Windows\System32\QHtDTyu.exe
  2⤵
  PID:4508
- C:\Windows\System32\pCHGANf.exe
  C:\Windows\System32\pCHGANf.exe
  2⤵
  PID:5960
- C:\Windows\System32\JfCDsNr.exe
  C:\Windows\System32\JfCDsNr.exe
  2⤵
  PID:5804
- C:\Windows\System32\vIOrusF.exe
  C:\Windows\System32\vIOrusF.exe
  2⤵
  PID:3000
- C:\Windows\System32\qjwzxIU.exe
  C:\Windows\System32\qjwzxIU.exe
  2⤵
  PID:216
- C:\Windows\System32\mBOxNkT.exe
  C:\Windows\System32\mBOxNkT.exe
  2⤵
  PID:1188
- C:\Windows\System32\hQIRCgX.exe
  C:\Windows\System32\hQIRCgX.exe
  2⤵
  PID:5980
- C:\Windows\System32\lxAoski.exe
  C:\Windows\System32\lxAoski.exe
  2⤵
  PID:6100
- C:\Windows\System32\JXlJbqh.exe
  C:\Windows\System32\JXlJbqh.exe
  2⤵
  PID:5524
- C:\Windows\System32\TYJCYJQ.exe
  C:\Windows\System32\TYJCYJQ.exe
  2⤵
  PID:5388
- C:\Windows\System32\mEkgKhS.exe
  C:\Windows\System32\mEkgKhS.exe
  2⤵
  PID:4920
- C:\Windows\System32\tIEofYk.exe
  C:\Windows\System32\tIEofYk.exe
  2⤵
  PID:2828
- C:\Windows\System32\aOYjVCd.exe
  C:\Windows\System32\aOYjVCd.exe
  2⤵
  PID:1524
- C:\Windows\System32\YWXHgLV.exe
  C:\Windows\System32\YWXHgLV.exe
  2⤵
  PID:5924
- C:\Windows\System32\ikLcwjF.exe
  C:\Windows\System32\ikLcwjF.exe
  2⤵
  PID:5520
- C:\Windows\System32\ztkrfcQ.exe
  C:\Windows\System32\ztkrfcQ.exe
  2⤵
  PID:2700
- C:\Windows\System32\UYemvzU.exe
  C:\Windows\System32\UYemvzU.exe
  2⤵
  PID:2588
- C:\Windows\System32\oDNyMkq.exe
  C:\Windows\System32\oDNyMkq.exe
  2⤵
  PID:6088
- C:\Windows\System32\wvCQSvL.exe
  C:\Windows\System32\wvCQSvL.exe
  2⤵
  PID:6148
- C:\Windows\System32\MNnVHzX.exe
  C:\Windows\System32\MNnVHzX.exe
  2⤵
  PID:6164
- C:\Windows\System32\YsjvOpl.exe
  C:\Windows\System32\YsjvOpl.exe
  2⤵
  PID:6204
- C:\Windows\System32\cmeDTRn.exe
  C:\Windows\System32\cmeDTRn.exe
  2⤵
  PID:6228
- C:\Windows\System32\VbAPNUX.exe
  C:\Windows\System32\VbAPNUX.exe
  2⤵
  PID:6248
- C:\Windows\System32\zifzdtV.exe
  C:\Windows\System32\zifzdtV.exe
  2⤵
  PID:6264
- C:\Windows\System32\xVytOoo.exe
  C:\Windows\System32\xVytOoo.exe
  2⤵
  PID:6324
- C:\Windows\System32\NrQAoro.exe
  C:\Windows\System32\NrQAoro.exe
  2⤵
  PID:6352
- C:\Windows\System32\saPJQNd.exe
  C:\Windows\System32\saPJQNd.exe
  2⤵
  PID:6372
- C:\Windows\System32\cqVNHlN.exe
  C:\Windows\System32\cqVNHlN.exe
  2⤵
  PID:6416
- C:\Windows\System32\eGzNWAw.exe
  C:\Windows\System32\eGzNWAw.exe
  2⤵
  PID:6448
- C:\Windows\System32\HPsyrcB.exe
  C:\Windows\System32\HPsyrcB.exe
  2⤵
  PID:6468
- C:\Windows\System32\tYEccea.exe
  C:\Windows\System32\tYEccea.exe
  2⤵
  PID:6492
- C:\Windows\System32\rHHfEPD.exe
  C:\Windows\System32\rHHfEPD.exe
  2⤵
  PID:6512
- C:\Windows\System32\gBIGUph.exe
  C:\Windows\System32\gBIGUph.exe
  2⤵
  PID:6536
- C:\Windows\System32\BJSgGnT.exe
  C:\Windows\System32\BJSgGnT.exe
  2⤵
  PID:6568
- C:\Windows\System32\MRVydJV.exe
  C:\Windows\System32\MRVydJV.exe
  2⤵
  PID:6608
- C:\Windows\System32\iGXyTEc.exe
  C:\Windows\System32\iGXyTEc.exe
  2⤵
  PID:6632
- C:\Windows\System32\qmqzbNk.exe
  C:\Windows\System32\qmqzbNk.exe
  2⤵
  PID:6660
- C:\Windows\System32\OSndkKg.exe
  C:\Windows\System32\OSndkKg.exe
  2⤵
  PID:6680
- C:\Windows\System32\OOXaLdV.exe
  C:\Windows\System32\OOXaLdV.exe
  2⤵
  PID:6700
- C:\Windows\System32\ipSvfYa.exe
  C:\Windows\System32\ipSvfYa.exe
  2⤵
  PID:6724
- C:\Windows\System32\UDVYPFa.exe
  C:\Windows\System32\UDVYPFa.exe
  2⤵
  PID:6752
- C:\Windows\System32\ZSOivPJ.exe
  C:\Windows\System32\ZSOivPJ.exe
  2⤵
  PID:6772
- C:\Windows\System32\JbCPdJT.exe
  C:\Windows\System32\JbCPdJT.exe
  2⤵
  PID:6820
- C:\Windows\System32\QOLgtyv.exe
  C:\Windows\System32\QOLgtyv.exe
  2⤵
  PID:6844
- C:\Windows\System32\rEEGNxH.exe
  C:\Windows\System32\rEEGNxH.exe
  2⤵
  PID:6876
- C:\Windows\System32\QdWrzpZ.exe
  C:\Windows\System32\QdWrzpZ.exe
  2⤵
  PID:6896
- C:\Windows\System32\ehOhZDg.exe
  C:\Windows\System32\ehOhZDg.exe
  2⤵
  PID:6928
- C:\Windows\System32\pxKJboo.exe
  C:\Windows\System32\pxKJboo.exe
  2⤵
  PID:6956
- C:\Windows\System32\kbPnkIH.exe
  C:\Windows\System32\kbPnkIH.exe
  2⤵
  PID:7004
- C:\Windows\System32\SAzCyek.exe
  C:\Windows\System32\SAzCyek.exe
  2⤵
  PID:7032
- C:\Windows\System32\woeCpiy.exe
  C:\Windows\System32\woeCpiy.exe
  2⤵
  PID:7064
- C:\Windows\System32\IbHZSkg.exe
  C:\Windows\System32\IbHZSkg.exe
  2⤵
  PID:7080
- C:\Windows\System32\AVJMIkB.exe
  C:\Windows\System32\AVJMIkB.exe
  2⤵
  PID:7128
- C:\Windows\System32\ZAyyBtq.exe
  C:\Windows\System32\ZAyyBtq.exe
  2⤵
  PID:7160
- C:\Windows\System32\zvfsFIY.exe
  C:\Windows\System32\zvfsFIY.exe
  2⤵
  PID:3960
- C:\Windows\System32\AFFUaAo.exe
  C:\Windows\System32\AFFUaAo.exe
  2⤵
  PID:6192
- C:\Windows\System32\AYQBMDX.exe
  C:\Windows\System32\AYQBMDX.exe
  2⤵
  PID:6244
- C:\Windows\System32\fGpxASx.exe
  C:\Windows\System32\fGpxASx.exe
  2⤵
  PID:6284
- C:\Windows\System32\flxwkih.exe
  C:\Windows\System32\flxwkih.exe
  2⤵
  PID:6368
- C:\Windows\System32\AKPFPge.exe
  C:\Windows\System32\AKPFPge.exe
  2⤵
  PID:6464
- C:\Windows\System32\lxJVaFr.exe
  C:\Windows\System32\lxJVaFr.exe
  2⤵
  PID:6500
- C:\Windows\System32\WQAaEEK.exe
  C:\Windows\System32\WQAaEEK.exe
  2⤵
  PID:6584
- C:\Windows\System32\xnYxSbT.exe
  C:\Windows\System32\xnYxSbT.exe
  2⤵
  PID:6616
- C:\Windows\System32\jdDufVI.exe
  C:\Windows\System32\jdDufVI.exe
  2⤵
  PID:6736
- C:\Windows\System32\ESHLXbq.exe
  C:\Windows\System32\ESHLXbq.exe
  2⤵
  PID:6828
- C:\Windows\System32\nqwISUk.exe
  C:\Windows\System32\nqwISUk.exe
  2⤵
  PID:6836
- C:\Windows\System32\TsZlMZK.exe
  C:\Windows\System32\TsZlMZK.exe
  2⤵
  PID:6916
- C:\Windows\System32\eAdDson.exe
  C:\Windows\System32\eAdDson.exe
  2⤵
  PID:6976
- C:\Windows\System32\zekbWXb.exe
  C:\Windows\System32\zekbWXb.exe
  2⤵
  PID:7076
- C:\Windows\System32\paTAhQm.exe
  C:\Windows\System32\paTAhQm.exe
  2⤵
  PID:7144
- C:\Windows\System32\VjEDBXd.exe
  C:\Windows\System32\VjEDBXd.exe
  2⤵
  PID:752
- C:\Windows\System32\yCoeiIg.exe
  C:\Windows\System32\yCoeiIg.exe
  2⤵
  PID:6340
- C:\Windows\System32\oGueoRj.exe
  C:\Windows\System32\oGueoRj.exe
  2⤵
  PID:6460
- C:\Windows\System32\QDnhGFt.exe
  C:\Windows\System32\QDnhGFt.exe
  2⤵
  PID:6648
- C:\Windows\System32\vdQYOBW.exe
  C:\Windows\System32\vdQYOBW.exe
  2⤵
  PID:6644
- C:\Windows\System32\PubqCLp.exe
  C:\Windows\System32\PubqCLp.exe
  2⤵
  PID:6908
- C:\Windows\System32\BeiplKE.exe
  C:\Windows\System32\BeiplKE.exe
  2⤵
  PID:7096
- C:\Windows\System32\XNYghVX.exe
  C:\Windows\System32\XNYghVX.exe
  2⤵
  PID:6336
- C:\Windows\System32\NWmFays.exe
  C:\Windows\System32\NWmFays.exe
  2⤵
  PID:6480
- C:\Windows\System32\mpjhwMV.exe
  C:\Windows\System32\mpjhwMV.exe
  2⤵
  PID:7028
- C:\Windows\System32\WymNfRE.exe
  C:\Windows\System32\WymNfRE.exe
  2⤵
  PID:6436
- C:\Windows\System32\OqGvwgi.exe
  C:\Windows\System32\OqGvwgi.exe
  2⤵
  PID:6548
- C:\Windows\System32\JHYNIvl.exe
  C:\Windows\System32\JHYNIvl.exe
  2⤵
  PID:7184
- C:\Windows\System32\IDbrETA.exe
  C:\Windows\System32\IDbrETA.exe
  2⤵
  PID:7200
- C:\Windows\System32\ynhKXNt.exe
  C:\Windows\System32\ynhKXNt.exe
  2⤵
  PID:7228
- C:\Windows\System32\mcXrGfo.exe
  C:\Windows\System32\mcXrGfo.exe
  2⤵
  PID:7268
- C:\Windows\System32\KZqQzIZ.exe
  C:\Windows\System32\KZqQzIZ.exe
  2⤵
  PID:7284
- C:\Windows\System32\LaazoBo.exe
  C:\Windows\System32\LaazoBo.exe
  2⤵
  PID:7304
- C:\Windows\System32\XZOuYQZ.exe
  C:\Windows\System32\XZOuYQZ.exe
  2⤵
  PID:7328
- C:\Windows\System32\XrQbxrC.exe
  C:\Windows\System32\XrQbxrC.exe
  2⤵
  PID:7372
- C:\Windows\System32\LloKRYd.exe
  C:\Windows\System32\LloKRYd.exe
  2⤵
  PID:7392
- C:\Windows\System32\HNMgPht.exe
  C:\Windows\System32\HNMgPht.exe
  2⤵
  PID:7416
- C:\Windows\System32\voOggbg.exe
  C:\Windows\System32\voOggbg.exe
  2⤵
  PID:7440
- C:\Windows\System32\mgJNIBP.exe
  C:\Windows\System32\mgJNIBP.exe
  2⤵
  PID:7460
- C:\Windows\System32\RQILyvd.exe
  C:\Windows\System32\RQILyvd.exe
  2⤵
  PID:7500
- C:\Windows\System32\htxOpFt.exe
  C:\Windows\System32\htxOpFt.exe
  2⤵
  PID:7524
- C:\Windows\System32\RELhGAL.exe
  C:\Windows\System32\RELhGAL.exe
  2⤵
  PID:7556
- C:\Windows\System32\BiyGQpw.exe
  C:\Windows\System32\BiyGQpw.exe
  2⤵
  PID:7580
- C:\Windows\System32\mSVDrKW.exe
  C:\Windows\System32\mSVDrKW.exe
  2⤵
  PID:7644
- C:\Windows\System32\sdxMAUy.exe
  C:\Windows\System32\sdxMAUy.exe
  2⤵
  PID:7660
- C:\Windows\System32\AtPtBxB.exe
  C:\Windows\System32\AtPtBxB.exe
  2⤵
  PID:7680
- C:\Windows\System32\mTOQDIZ.exe
  C:\Windows\System32\mTOQDIZ.exe
  2⤵
  PID:7716
- C:\Windows\System32\rtQEPzh.exe
  C:\Windows\System32\rtQEPzh.exe
  2⤵
  PID:7740
- C:\Windows\System32\XqngWhN.exe
  C:\Windows\System32\XqngWhN.exe
  2⤵
  PID:7768
- C:\Windows\System32\HBWmEIN.exe
  C:\Windows\System32\HBWmEIN.exe
  2⤵
  PID:7792
- C:\Windows\System32\etZzCLw.exe
  C:\Windows\System32\etZzCLw.exe
  2⤵
  PID:7824
- C:\Windows\System32\ENsPVIa.exe
  C:\Windows\System32\ENsPVIa.exe
  2⤵
  PID:7860
- C:\Windows\System32\zsjNhKO.exe
  C:\Windows\System32\zsjNhKO.exe
  2⤵
  PID:7892
- C:\Windows\System32\RBUZVVG.exe
  C:\Windows\System32\RBUZVVG.exe
  2⤵
  PID:7912
- C:\Windows\System32\ZyyigyY.exe
  C:\Windows\System32\ZyyigyY.exe
  2⤵
  PID:7936
- C:\Windows\System32\IKMnXNR.exe
  C:\Windows\System32\IKMnXNR.exe
  2⤵
  PID:7964
- C:\Windows\System32\ifwPSzE.exe
  C:\Windows\System32\ifwPSzE.exe
  2⤵
  PID:7996
- C:\Windows\System32\HRQNXbi.exe
  C:\Windows\System32\HRQNXbi.exe
  2⤵
  PID:8016
- C:\Windows\System32\CBTfKAQ.exe
  C:\Windows\System32\CBTfKAQ.exe
  2⤵
  PID:8036
- C:\Windows\System32\VwgxMzt.exe
  C:\Windows\System32\VwgxMzt.exe
  2⤵
  PID:8072
- C:\Windows\System32\fpylHXK.exe
  C:\Windows\System32\fpylHXK.exe
  2⤵
  PID:8104
- C:\Windows\System32\nAUmadt.exe
  C:\Windows\System32\nAUmadt.exe
  2⤵
  PID:8128
- C:\Windows\System32\krceWtS.exe
  C:\Windows\System32\krceWtS.exe
  2⤵
  PID:8152
- C:\Windows\System32\SKywtyl.exe
  C:\Windows\System32\SKywtyl.exe
  2⤵
  PID:8184
- C:\Windows\System32\VxBSbRB.exe
  C:\Windows\System32\VxBSbRB.exe
  2⤵
  PID:7196
- C:\Windows\System32\FzQXybY.exe
  C:\Windows\System32\FzQXybY.exe
  2⤵
  PID:7264
- C:\Windows\System32\xJZyPkj.exe
  C:\Windows\System32\xJZyPkj.exe
  2⤵
  PID:7412
- C:\Windows\System32\TVRRZDF.exe
  C:\Windows\System32\TVRRZDF.exe
  2⤵
  PID:7384
- C:\Windows\System32\fifSxmw.exe
  C:\Windows\System32\fifSxmw.exe
  2⤵
  PID:7408
- C:\Windows\System32\FpvFqDa.exe
  C:\Windows\System32\FpvFqDa.exe
  2⤵
  PID:7492
- C:\Windows\System32\sktWwNA.exe
  C:\Windows\System32\sktWwNA.exe
  2⤵
  PID:7564
- C:\Windows\System32\IKIdDlC.exe
  C:\Windows\System32\IKIdDlC.exe
  2⤵
  PID:7640
- C:\Windows\System32\jJYSnuR.exe
  C:\Windows\System32\jJYSnuR.exe
  2⤵
  PID:7696
- C:\Windows\System32\KtQBEcb.exe
  C:\Windows\System32\KtQBEcb.exe
  2⤵
  PID:7732
- C:\Windows\System32\FZvXamZ.exe
  C:\Windows\System32\FZvXamZ.exe
  2⤵
  PID:7776
- C:\Windows\System32\JcpcLTV.exe
  C:\Windows\System32\JcpcLTV.exe
  2⤵
  PID:7856
- C:\Windows\System32\TWXLhEW.exe
  C:\Windows\System32\TWXLhEW.exe
  2⤵
  PID:7908
- C:\Windows\System32\AweTikq.exe
  C:\Windows\System32\AweTikq.exe
  2⤵
  PID:7952
- C:\Windows\System32\qNffKsO.exe
  C:\Windows\System32\qNffKsO.exe
  2⤵
  PID:7984
- C:\Windows\System32\jcnUbPH.exe
  C:\Windows\System32\jcnUbPH.exe
  2⤵
  PID:7456
- C:\Windows\System32\YHNpFbs.exe
  C:\Windows\System32\YHNpFbs.exe
  2⤵
  PID:7752
- C:\Windows\System32\qHzyBwj.exe
  C:\Windows\System32\qHzyBwj.exe
  2⤵
  PID:7884
- C:\Windows\System32\VSCtaCy.exe
  C:\Windows\System32\VSCtaCy.exe
  2⤵
  PID:8012
- C:\Windows\System32\ktQMpXs.exe
  C:\Windows\System32\ktQMpXs.exe
  2⤵
  PID:8028
- C:\Windows\System32\kVhCIwL.exe
  C:\Windows\System32\kVhCIwL.exe
  2⤵
  PID:7324
- C:\Windows\System32\hBgBUsi.exe
  C:\Windows\System32\hBgBUsi.exe
  2⤵
  PID:1852
- C:\Windows\System32\nNDcWKL.exe
  C:\Windows\System32\nNDcWKL.exe
  2⤵
  PID:7548
- C:\Windows\System32\GZVkBUi.exe
  C:\Windows\System32\GZVkBUi.exe
  2⤵
  PID:7804
- C:\Windows\System32\twMwatU.exe
  C:\Windows\System32\twMwatU.exe
  2⤵
  PID:8168
- C:\Windows\System32\CRVGPaF.exe
  C:\Windows\System32\CRVGPaF.exe
  2⤵
  PID:7552
- C:\Windows\System32\gVZMnKB.exe
  C:\Windows\System32\gVZMnKB.exe
  2⤵
  PID:8096
- C:\Windows\System32\zazmlch.exe
  C:\Windows\System32\zazmlch.exe
  2⤵
  PID:7180
- C:\Windows\System32\SAiwlie.exe
  C:\Windows\System32\SAiwlie.exe
  2⤵
  PID:8220
- C:\Windows\System32\hOsPxbr.exe
  C:\Windows\System32\hOsPxbr.exe
  2⤵
  PID:8240
- C:\Windows\System32\jUiWolL.exe
  C:\Windows\System32\jUiWolL.exe
  2⤵
  PID:8268
- C:\Windows\System32\OBDHKvE.exe
  C:\Windows\System32\OBDHKvE.exe
  2⤵
  PID:8288
- C:\Windows\System32\wiObqDS.exe
  C:\Windows\System32\wiObqDS.exe
  2⤵
  PID:8340
- C:\Windows\System32\XjWhLsW.exe
  C:\Windows\System32\XjWhLsW.exe
  2⤵
  PID:8364
- C:\Windows\System32\RWcLlSi.exe
  C:\Windows\System32\RWcLlSi.exe
  2⤵
  PID:8384
- C:\Windows\System32\NrjoMot.exe
  C:\Windows\System32\NrjoMot.exe
  2⤵
  PID:8424
- C:\Windows\System32\ridpgYF.exe
  C:\Windows\System32\ridpgYF.exe
  2⤵
  PID:8444
- C:\Windows\System32\NljFHjT.exe
  C:\Windows\System32\NljFHjT.exe
  2⤵
  PID:8472
- C:\Windows\System32\PHimAtp.exe
  C:\Windows\System32\PHimAtp.exe
  2⤵
  PID:8508
- C:\Windows\System32\OWLPbpi.exe
  C:\Windows\System32\OWLPbpi.exe
  2⤵
  PID:8536
- C:\Windows\System32\WWgOcNt.exe
  C:\Windows\System32\WWgOcNt.exe
  2⤵
  PID:8552
- C:\Windows\System32\sJKvsnP.exe
  C:\Windows\System32\sJKvsnP.exe
  2⤵
  PID:8576
- C:\Windows\System32\dHnJbNf.exe
  C:\Windows\System32\dHnJbNf.exe
  2⤵
  PID:8592
- C:\Windows\System32\cytlndq.exe
  C:\Windows\System32\cytlndq.exe
  2⤵
  PID:8620
- C:\Windows\System32\cCvECka.exe
  C:\Windows\System32\cCvECka.exe
  2⤵
  PID:8668
- C:\Windows\System32\lruUlHJ.exe
  C:\Windows\System32\lruUlHJ.exe
  2⤵
  PID:8688
- C:\Windows\System32\oHXhCxs.exe
  C:\Windows\System32\oHXhCxs.exe
  2⤵
  PID:8724
- C:\Windows\System32\iKJYQwX.exe
  C:\Windows\System32\iKJYQwX.exe
  2⤵
  PID:8748
- C:\Windows\System32\tXExHwn.exe
  C:\Windows\System32\tXExHwn.exe
  2⤵
  PID:8772
- C:\Windows\System32\LJWrefG.exe
  C:\Windows\System32\LJWrefG.exe
  2⤵
  PID:8800
- C:\Windows\System32\PfQdgZS.exe
  C:\Windows\System32\PfQdgZS.exe
  2⤵
  PID:8852
- C:\Windows\System32\LDwEjVA.exe
  C:\Windows\System32\LDwEjVA.exe
  2⤵
  PID:8876
- C:\Windows\System32\JMzNiqv.exe
  C:\Windows\System32\JMzNiqv.exe
  2⤵
  PID:8900
- C:\Windows\System32\aSFEjmL.exe
  C:\Windows\System32\aSFEjmL.exe
  2⤵
  PID:8916
- C:\Windows\System32\ldAKSoc.exe
  C:\Windows\System32\ldAKSoc.exe
  2⤵
  PID:8948
- C:\Windows\System32\QUqISHL.exe
  C:\Windows\System32\QUqISHL.exe
  2⤵
  PID:8976
- C:\Windows\System32\UYXfAPv.exe
  C:\Windows\System32\UYXfAPv.exe
  2⤵
  PID:9008
- C:\Windows\System32\LZJqJOO.exe
  C:\Windows\System32\LZJqJOO.exe
  2⤵
  PID:9048
- C:\Windows\System32\LGUJMFu.exe
  C:\Windows\System32\LGUJMFu.exe
  2⤵
  PID:9064
- C:\Windows\System32\OHwMqJO.exe
  C:\Windows\System32\OHwMqJO.exe
  2⤵
  PID:9092
- C:\Windows\System32\oQZvcyV.exe
  C:\Windows\System32\oQZvcyV.exe
  2⤵
  PID:9120
- C:\Windows\System32\NXrxSId.exe
  C:\Windows\System32\NXrxSId.exe
  2⤵
  PID:9160
- C:\Windows\System32\qQlseUj.exe
  C:\Windows\System32\qQlseUj.exe
  2⤵
  PID:9180
- C:\Windows\System32\OuZXBTW.exe
  C:\Windows\System32\OuZXBTW.exe
  2⤵
  PID:8204
- C:\Windows\System32\NYOWFMx.exe
  C:\Windows\System32\NYOWFMx.exe
  2⤵
  PID:8264
- C:\Windows\System32\tvfEpPe.exe
  C:\Windows\System32\tvfEpPe.exe
  2⤵
  PID:8312
- C:\Windows\System32\PVehUfJ.exe
  C:\Windows\System32\PVehUfJ.exe
  2⤵
  PID:8376
- C:\Windows\System32\kdfPvCs.exe
  C:\Windows\System32\kdfPvCs.exe
  2⤵
  PID:8464
- C:\Windows\System32\tLmDUsf.exe
  C:\Windows\System32\tLmDUsf.exe
  2⤵
  PID:8484
- C:\Windows\System32\pcOidqN.exe
  C:\Windows\System32\pcOidqN.exe
  2⤵
  PID:8544
- C:\Windows\System32\klAwElD.exe
  C:\Windows\System32\klAwElD.exe
  2⤵
  PID:8612
- C:\Windows\System32\obCnxur.exe
  C:\Windows\System32\obCnxur.exe
  2⤵
  PID:8664
- C:\Windows\System32\iAGPFgN.exe
  C:\Windows\System32\iAGPFgN.exe
  2⤵
  PID:8740
- C:\Windows\System32\CflfIRN.exe
  C:\Windows\System32\CflfIRN.exe
  2⤵
  PID:8812
- C:\Windows\System32\skqKJsY.exe
  C:\Windows\System32\skqKJsY.exe
  2⤵
  PID:8840
- C:\Windows\System32\HoNogvz.exe
  C:\Windows\System32\HoNogvz.exe
  2⤵
  PID:8892
- C:\Windows\System32\DRZcvci.exe
  C:\Windows\System32\DRZcvci.exe
  2⤵
  PID:8936
- C:\Windows\System32\SxiMPqT.exe
  C:\Windows\System32\SxiMPqT.exe
  2⤵
  PID:8996
- C:\Windows\System32\dNCAmQk.exe
  C:\Windows\System32\dNCAmQk.exe
  2⤵
  PID:9116
- C:\Windows\System32\nOiDqKP.exe
  C:\Windows\System32\nOiDqKP.exe
  2⤵
  PID:9204
- C:\Windows\System32\JnPonfo.exe
  C:\Windows\System32\JnPonfo.exe
  2⤵
  PID:8360
- C:\Windows\System32\OSzEKmA.exe
  C:\Windows\System32\OSzEKmA.exe
  2⤵
  PID:8404
- C:\Windows\System32\CIzlcwR.exe
  C:\Windows\System32\CIzlcwR.exe
  2⤵
  PID:8524
- C:\Windows\System32\BoCiyDS.exe
  C:\Windows\System32\BoCiyDS.exe
  2⤵
  PID:8796
- C:\Windows\System32\niRZbOq.exe
  C:\Windows\System32\niRZbOq.exe
  2⤵
  PID:8924
- C:\Windows\System32\twTMpYQ.exe
  C:\Windows\System32\twTMpYQ.exe
  2⤵
  PID:9192
- C:\Windows\System32\qieGAvf.exe
  C:\Windows\System32\qieGAvf.exe
  2⤵
  PID:8316
- C:\Windows\System32\ZiaaYek.exe
  C:\Windows\System32\ZiaaYek.exe
  2⤵
  PID:8684
- C:\Windows\System32\tvCYjEH.exe
  C:\Windows\System32\tvCYjEH.exe
  2⤵
  PID:8848
- C:\Windows\System32\wmgSwbQ.exe
  C:\Windows\System32\wmgSwbQ.exe
  2⤵
  PID:8280
- C:\Windows\System32\ikIPMZn.exe
  C:\Windows\System32\ikIPMZn.exe
  2⤵
  PID:9228
- C:\Windows\System32\slLYLrl.exe
  C:\Windows\System32\slLYLrl.exe
  2⤵
  PID:9252
- C:\Windows\System32\aNUjSZu.exe
  C:\Windows\System32\aNUjSZu.exe
  2⤵
  PID:9268
- C:\Windows\System32\spRAiLY.exe
  C:\Windows\System32\spRAiLY.exe
  2⤵
  PID:9292
- C:\Windows\System32\xSZDfOP.exe
  C:\Windows\System32\xSZDfOP.exe
  2⤵
  PID:9328
- C:\Windows\System32\EKndEGU.exe
  C:\Windows\System32\EKndEGU.exe
  2⤵
  PID:9360
- C:\Windows\System32\NNAddzY.exe
  C:\Windows\System32\NNAddzY.exe
  2⤵
  PID:9396
- C:\Windows\System32\CaZDBvY.exe
  C:\Windows\System32\CaZDBvY.exe
  2⤵
  PID:9424
- C:\Windows\System32\TmKkHKF.exe
  C:\Windows\System32\TmKkHKF.exe
  2⤵
  PID:9444
- C:\Windows\System32\gIPPSCs.exe
  C:\Windows\System32\gIPPSCs.exe
  2⤵
  PID:9468
- C:\Windows\System32\NAGYVQq.exe
  C:\Windows\System32\NAGYVQq.exe
  2⤵
  PID:9508
- C:\Windows\System32\nyZWwVN.exe
  C:\Windows\System32\nyZWwVN.exe
  2⤵
  PID:9524
- C:\Windows\System32\CfhRFZZ.exe
  C:\Windows\System32\CfhRFZZ.exe
  2⤵
  PID:9576
- C:\Windows\System32\yNRDZKf.exe
  C:\Windows\System32\yNRDZKf.exe
  2⤵
  PID:9596
- C:\Windows\System32\rzsjqGR.exe
  C:\Windows\System32\rzsjqGR.exe
  2⤵
  PID:9620
- C:\Windows\System32\pTAQraP.exe
  C:\Windows\System32\pTAQraP.exe
  2⤵
  PID:9648
- C:\Windows\System32\BrlwMvW.exe
  C:\Windows\System32\BrlwMvW.exe
  2⤵
  PID:9672
- C:\Windows\System32\qWObtRa.exe
  C:\Windows\System32\qWObtRa.exe
  2⤵
  PID:9696
- C:\Windows\System32\jgEjsse.exe
  C:\Windows\System32\jgEjsse.exe
  2⤵
  PID:9736
- C:\Windows\System32\DEOMcmM.exe
  C:\Windows\System32\DEOMcmM.exe
  2⤵
  PID:9752
- C:\Windows\System32\gInSsLs.exe
  C:\Windows\System32\gInSsLs.exe
  2⤵
  PID:9788
- C:\Windows\System32\vtJaUYZ.exe
  C:\Windows\System32\vtJaUYZ.exe
  2⤵
  PID:9816
- C:\Windows\System32\SzLWyNs.exe
  C:\Windows\System32\SzLWyNs.exe
  2⤵
  PID:9836
- C:\Windows\System32\iryDHhf.exe
  C:\Windows\System32\iryDHhf.exe
  2⤵
  PID:9872
- C:\Windows\System32\wFlQDwf.exe
  C:\Windows\System32\wFlQDwf.exe
  2⤵
  PID:9892
- C:\Windows\System32\SYYRToO.exe
  C:\Windows\System32\SYYRToO.exe
  2⤵
  PID:9916
- C:\Windows\System32\hCZbDVR.exe
  C:\Windows\System32\hCZbDVR.exe
  2⤵
  PID:9948
- C:\Windows\System32\YLnxfAs.exe
  C:\Windows\System32\YLnxfAs.exe
  2⤵
  PID:9988
- C:\Windows\System32\WtjeXdg.exe
  C:\Windows\System32\WtjeXdg.exe
  2⤵
  PID:10008
- C:\Windows\System32\bIUrBBZ.exe
  C:\Windows\System32\bIUrBBZ.exe
  2⤵
  PID:10032
- C:\Windows\System32\pBMLUEx.exe
  C:\Windows\System32\pBMLUEx.exe
  2⤵
  PID:10068
- C:\Windows\System32\GvhBUUL.exe
  C:\Windows\System32\GvhBUUL.exe
  2⤵
  PID:10088
- C:\Windows\System32\bWGMMSg.exe
  C:\Windows\System32\bWGMMSg.exe
  2⤵
  PID:10116
- C:\Windows\System32\zxdJVBX.exe
  C:\Windows\System32\zxdJVBX.exe
  2⤵
  PID:10136
- C:\Windows\System32\nhOYpdV.exe
  C:\Windows\System32\nhOYpdV.exe
  2⤵
  PID:10172
- C:\Windows\System32\cdcJgpI.exe
  C:\Windows\System32\cdcJgpI.exe
  2⤵
  PID:10208
- C:\Windows\System32\Wuxpbjx.exe
  C:\Windows\System32\Wuxpbjx.exe
  2⤵
  PID:10224
- C:\Windows\System32\lgLUuXV.exe
  C:\Windows\System32\lgLUuXV.exe
  2⤵
  PID:9004
- C:\Windows\System32\mnEpNMY.exe
  C:\Windows\System32\mnEpNMY.exe
  2⤵
  PID:9344
- C:\Windows\System32\axSjHGF.exe
  C:\Windows\System32\axSjHGF.exe
  2⤵
  PID:540
- C:\Windows\System32\BkUMLIy.exe
  C:\Windows\System32\BkUMLIy.exe
  2⤵
  PID:9404
- C:\Windows\System32\tcpaEHf.exe
  C:\Windows\System32\tcpaEHf.exe
  2⤵
  PID:9536
- C:\Windows\System32\QOcynBH.exe
  C:\Windows\System32\QOcynBH.exe
  2⤵
  PID:9564
- C:\Windows\System32\BvbwpLG.exe
  C:\Windows\System32\BvbwpLG.exe
  2⤵
  PID:9628
- C:\Windows\System32\yYzFFdX.exe
  C:\Windows\System32\yYzFFdX.exe
  2⤵
  PID:9732
- C:\Windows\System32\PRYwjvF.exe
  C:\Windows\System32\PRYwjvF.exe
  2⤵
  PID:9808
- C:\Windows\System32\ifoIGNQ.exe
  C:\Windows\System32\ifoIGNQ.exe
  2⤵
  PID:9864
- C:\Windows\System32\BqUTxil.exe
  C:\Windows\System32\BqUTxil.exe
  2⤵
  PID:9880
- C:\Windows\System32\SevtdVT.exe
  C:\Windows\System32\SevtdVT.exe
  2⤵
  PID:9944
- C:\Windows\System32\RfblzoT.exe
  C:\Windows\System32\RfblzoT.exe
  2⤵
  PID:10060
- C:\Windows\System32\cORNxDb.exe
  C:\Windows\System32\cORNxDb.exe
  2⤵
  PID:10100
- C:\Windows\System32\Aveijuw.exe
  C:\Windows\System32\Aveijuw.exe
  2⤵
  PID:10128
- C:\Windows\System32\GzcLfnC.exe
  C:\Windows\System32\GzcLfnC.exe
  2⤵
  PID:8932
- C:\Windows\System32\NlPREsw.exe
  C:\Windows\System32\NlPREsw.exe
  2⤵
  PID:9352
- C:\Windows\System32\TjykvQz.exe
  C:\Windows\System32\TjykvQz.exe
  2⤵
  PID:9504
- C:\Windows\System32\ATihQUb.exe
  C:\Windows\System32\ATihQUb.exe
  2⤵
  PID:9592
- C:\Windows\System32\HCYSsds.exe
  C:\Windows\System32\HCYSsds.exe
  2⤵
  PID:9764
- C:\Windows\System32\ifprdsn.exe
  C:\Windows\System32\ifprdsn.exe
  2⤵
  PID:9936
- C:\Windows\System32\sQtTyPa.exe
  C:\Windows\System32\sQtTyPa.exe
  2⤵
  PID:10076
- C:\Windows\System32\pXMdEOE.exe
  C:\Windows\System32\pXMdEOE.exe
  2⤵
  PID:9080
- C:\Windows\System32\bajuRww.exe
  C:\Windows\System32\bajuRww.exe
  2⤵
  PID:9688
- C:\Windows\System32\uJTjjcv.exe
  C:\Windows\System32\uJTjjcv.exe
  2⤵
  PID:9832
- C:\Windows\System32\wKhMysh.exe
  C:\Windows\System32\wKhMysh.exe
  2⤵
  PID:9392
- C:\Windows\System32\AQVkpbv.exe
  C:\Windows\System32\AQVkpbv.exe
  2⤵
  PID:9800
- C:\Windows\System32\VeZFXuR.exe
  C:\Windows\System32\VeZFXuR.exe
  2⤵
  PID:10252
- C:\Windows\System32\VXUngYT.exe
  C:\Windows\System32\VXUngYT.exe
  2⤵
  PID:10292
- C:\Windows\System32\ktBRXDD.exe
  C:\Windows\System32\ktBRXDD.exe
  2⤵
  PID:10308
- C:\Windows\System32\CLmGtYY.exe
  C:\Windows\System32\CLmGtYY.exe
  2⤵
  PID:10328
- C:\Windows\System32\CVLcqzv.exe
  C:\Windows\System32\CVLcqzv.exe
  2⤵
  PID:10360
- C:\Windows\System32\HpjiLQF.exe
  C:\Windows\System32\HpjiLQF.exe
  2⤵
  PID:10400
- C:\Windows\System32\iAevezp.exe
  C:\Windows\System32\iAevezp.exe
  2⤵
  PID:10420
- C:\Windows\System32\mHfQXCb.exe
  C:\Windows\System32\mHfQXCb.exe
  2⤵
  PID:10448
- C:\Windows\System32\FgQxzMA.exe
  C:\Windows\System32\FgQxzMA.exe
  2⤵
  PID:10468
- C:\Windows\System32\IRFttal.exe
  C:\Windows\System32\IRFttal.exe
  2⤵
  PID:10492
- C:\Windows\System32\uECLird.exe
  C:\Windows\System32\uECLird.exe
  2⤵
  PID:10532
- C:\Windows\System32\JuAzAtK.exe
  C:\Windows\System32\JuAzAtK.exe
  2⤵
  PID:10568
- C:\Windows\System32\MAHsFZN.exe
  C:\Windows\System32\MAHsFZN.exe
  2⤵
  PID:10584
- C:\Windows\System32\EmnRbCa.exe
  C:\Windows\System32\EmnRbCa.exe
  2⤵
  PID:10604
- C:\Windows\System32\dUuIRpg.exe
  C:\Windows\System32\dUuIRpg.exe
  2⤵
  PID:10628
- C:\Windows\System32\BDBnGQZ.exe
  C:\Windows\System32\BDBnGQZ.exe
  2⤵
  PID:10684
- C:\Windows\System32\iHYAAaU.exe
  C:\Windows\System32\iHYAAaU.exe
  2⤵
  PID:10700
- C:\Windows\System32\NZVKVHA.exe
  C:\Windows\System32\NZVKVHA.exe
  2⤵
  PID:10740
- C:\Windows\System32\zskBqzI.exe
  C:\Windows\System32\zskBqzI.exe
  2⤵
  PID:10772
- C:\Windows\System32\QtSMgTy.exe
  C:\Windows\System32\QtSMgTy.exe
  2⤵
  PID:10792
- C:\Windows\System32\aOvYLHJ.exe
  C:\Windows\System32\aOvYLHJ.exe
  2⤵
  PID:10820
- C:\Windows\System32\iecLJFZ.exe
  C:\Windows\System32\iecLJFZ.exe
  2⤵
  PID:10848
- C:\Windows\System32\grDUXjc.exe
  C:\Windows\System32\grDUXjc.exe
  2⤵
  PID:10872
- C:\Windows\System32\PWtxRXS.exe
  C:\Windows\System32\PWtxRXS.exe
  2⤵
  PID:10900
- C:\Windows\System32\tvDbkNP.exe
  C:\Windows\System32\tvDbkNP.exe
  2⤵
  PID:10928
- C:\Windows\System32\htRAlMe.exe
  C:\Windows\System32\htRAlMe.exe
  2⤵
  PID:10960
- C:\Windows\System32\jlvMEcz.exe
  C:\Windows\System32\jlvMEcz.exe
  2⤵
  PID:10996
- C:\Windows\System32\SXOhpMU.exe
  C:\Windows\System32\SXOhpMU.exe
  2⤵
  PID:11020
- C:\Windows\System32\yrMHxVO.exe
  C:\Windows\System32\yrMHxVO.exe
  2⤵
  PID:11044
- C:\Windows\System32\TRcZorR.exe
  C:\Windows\System32\TRcZorR.exe
  2⤵
  PID:11060
- C:\Windows\System32\bGeLCIv.exe
  C:\Windows\System32\bGeLCIv.exe
  2⤵
  PID:11108
- C:\Windows\System32\QGwfjSF.exe
  C:\Windows\System32\QGwfjSF.exe
  2⤵
  PID:11136
- C:\Windows\System32\TOGXuex.exe
  C:\Windows\System32\TOGXuex.exe
  2⤵
  PID:11176
- C:\Windows\System32\pLuWTeg.exe
  C:\Windows\System32\pLuWTeg.exe
  2⤵
  PID:11192
- C:\Windows\System32\MvTHObq.exe
  C:\Windows\System32\MvTHObq.exe
  2⤵
  PID:11208
- C:\Windows\System32\TDLBgHO.exe
  C:\Windows\System32\TDLBgHO.exe
  2⤵
  PID:11236
- C:\Windows\System32\fGlEIml.exe
  C:\Windows\System32\fGlEIml.exe
  2⤵
  PID:11260
- C:\Windows\System32\KUDYDEN.exe
  C:\Windows\System32\KUDYDEN.exe
  2⤵
  PID:10336
- C:\Windows\System32\LOvCoOS.exe
  C:\Windows\System32\LOvCoOS.exe
  2⤵
  PID:10320
- C:\Windows\System32\OdLpixV.exe
  C:\Windows\System32\OdLpixV.exe
  2⤵
  PID:10412
- C:\Windows\System32\PPHrEqm.exe
  C:\Windows\System32\PPHrEqm.exe
  2⤵
  PID:10464
- C:\Windows\System32\HvFtzlk.exe
  C:\Windows\System32\HvFtzlk.exe
  2⤵
  PID:10512
- C:\Windows\System32\aravBWI.exe
  C:\Windows\System32\aravBWI.exe
  2⤵
  PID:10600
- C:\Windows\System32\VhchACD.exe
  C:\Windows\System32\VhchACD.exe
  2⤵
  PID:10660
- C:\Windows\System32\PcBVWQQ.exe
  C:\Windows\System32\PcBVWQQ.exe
  2⤵
  PID:10768
- C:\Windows\System32\QRxnxvh.exe
  C:\Windows\System32\QRxnxvh.exe
  2⤵
  PID:10816
- C:\Windows\System32\laoBYyn.exe
  C:\Windows\System32\laoBYyn.exe
  2⤵
  PID:10868
- C:\Windows\System32\SGrlaeZ.exe
  C:\Windows\System32\SGrlaeZ.exe
  2⤵
  PID:10924
- C:\Windows\System32\wQlWsHY.exe
  C:\Windows\System32\wQlWsHY.exe
  2⤵
  PID:11012
- C:\Windows\System32\EObexHL.exe
  C:\Windows\System32\EObexHL.exe
  2⤵
  PID:11056
- C:\Windows\System32\ghEcnSO.exe
  C:\Windows\System32\ghEcnSO.exe
  2⤵
  PID:11120
- C:\Windows\System32\VofEIgQ.exe
  C:\Windows\System32\VofEIgQ.exe
  2⤵
  PID:11232
- C:\Windows\System32\tyZhcBa.exe
  C:\Windows\System32\tyZhcBa.exe
  2⤵
  PID:10260
- C:\Windows\System32\OHoaTCC.exe
  C:\Windows\System32\OHoaTCC.exe
  2⤵
  PID:10376
- C:\Windows\System32\dTjcpHN.exe
  C:\Windows\System32\dTjcpHN.exe
  2⤵
  PID:10444
- C:\Windows\System32\chVBFyW.exe
  C:\Windows\System32\chVBFyW.exe
  2⤵
  PID:10552
- C:\Windows\System32\scLQzjC.exe
  C:\Windows\System32\scLQzjC.exe
  2⤵
  PID:10648
- C:\Windows\System32\XyZSnrb.exe
  C:\Windows\System32\XyZSnrb.exe
  2⤵
  PID:10788
- C:\Windows\System32\bFknlUI.exe
  C:\Windows\System32\bFknlUI.exe
  2⤵
  PID:10940
- C:\Windows\System32\hpayRJb.exe
  C:\Windows\System32\hpayRJb.exe
  2⤵
  PID:11248
- C:\Windows\System32\tyQpDEn.exe
  C:\Windows\System32\tyQpDEn.exe
  2⤵
  PID:10668
- C:\Windows\System32\KRLmOeQ.exe
  C:\Windows\System32\KRLmOeQ.exe
  2⤵
  PID:11032
- C:\Windows\System32\UJNFDuO.exe
  C:\Windows\System32\UJNFDuO.exe
  2⤵
  PID:11188
- C:\Windows\System32\aARySXo.exe
  C:\Windows\System32\aARySXo.exe
  2⤵
  PID:10952
- C:\Windows\System32\PITVcYZ.exe
  C:\Windows\System32\PITVcYZ.exe
  2⤵
  PID:11280
- C:\Windows\System32\zFLqnON.exe
  C:\Windows\System32\zFLqnON.exe
  2⤵
  PID:11304
- C:\Windows\System32\QOpasFY.exe
  C:\Windows\System32\QOpasFY.exe
  2⤵
  PID:11324
- C:\Windows\System32\ZVFFfbc.exe
  C:\Windows\System32\ZVFFfbc.exe
  2⤵
  PID:11344
- C:\Windows\System32\BCcWNgN.exe
  C:\Windows\System32\BCcWNgN.exe
  2⤵
  PID:11364
- C:\Windows\System32\BeNtWiI.exe
  C:\Windows\System32\BeNtWiI.exe
  2⤵
  PID:11404
- C:\Windows\System32\qHqxCCI.exe
  C:\Windows\System32\qHqxCCI.exe
  2⤵
  PID:11428
- C:\Windows\System32\ptcDeVQ.exe
  C:\Windows\System32\ptcDeVQ.exe
  2⤵
  PID:11484
- C:\Windows\System32\XLkPdHF.exe
  C:\Windows\System32\XLkPdHF.exe
  2⤵
  PID:11508
- C:\Windows\System32\vqzZvrq.exe
  C:\Windows\System32\vqzZvrq.exe
  2⤵
  PID:11536
- C:\Windows\System32\AqMXStA.exe
  C:\Windows\System32\AqMXStA.exe
  2⤵
  PID:11556
- C:\Windows\System32\bqMqyuq.exe
  C:\Windows\System32\bqMqyuq.exe
  2⤵
  PID:11584
- C:\Windows\System32\rIZsSMz.exe
  C:\Windows\System32\rIZsSMz.exe
  2⤵
  PID:11604
- C:\Windows\System32\gtPKpTy.exe
  C:\Windows\System32\gtPKpTy.exe
  2⤵
  PID:11648
- C:\Windows\System32\fEEmHlq.exe
  C:\Windows\System32\fEEmHlq.exe
  2⤵
  PID:11680
- C:\Windows\System32\jEJBRWA.exe
  C:\Windows\System32\jEJBRWA.exe
  2⤵
  PID:11716
- C:\Windows\System32\eHYFJTi.exe
  C:\Windows\System32\eHYFJTi.exe
  2⤵
  PID:11744
- C:\Windows\System32\DMZJbDC.exe
  C:\Windows\System32\DMZJbDC.exe
  2⤵
  PID:11764
- C:\Windows\System32\OlLmtCb.exe
  C:\Windows\System32\OlLmtCb.exe
  2⤵
  PID:11800
- C:\Windows\System32\WWksXdI.exe
  C:\Windows\System32\WWksXdI.exe
  2⤵
  PID:11828
- C:\Windows\System32\zXFaqME.exe
  C:\Windows\System32\zXFaqME.exe
  2⤵
  PID:11856
- C:\Windows\System32\AoKzmtB.exe
  C:\Windows\System32\AoKzmtB.exe
  2⤵
  PID:11872
- C:\Windows\System32\yDzPaDU.exe
  C:\Windows\System32\yDzPaDU.exe
  2⤵
  PID:11912
- C:\Windows\System32\jLLeSBe.exe
  C:\Windows\System32\jLLeSBe.exe
  2⤵
  PID:11928
- C:\Windows\System32\DdDjwIr.exe
  C:\Windows\System32\DdDjwIr.exe
  2⤵
  PID:11952
- C:\Windows\System32\oacCixW.exe
  C:\Windows\System32\oacCixW.exe
  2⤵
  PID:12004
- C:\Windows\System32\faPgNWH.exe
  C:\Windows\System32\faPgNWH.exe
  2⤵
  PID:12024
- C:\Windows\System32\MsvzpGL.exe
  C:\Windows\System32\MsvzpGL.exe
  2⤵
  PID:12040
- C:\Windows\System32\MbMADdS.exe
  C:\Windows\System32\MbMADdS.exe
  2⤵
  PID:12076
- C:\Windows\System32\GMXNLsC.exe
  C:\Windows\System32\GMXNLsC.exe
  2⤵
  PID:12096
- C:\Windows\System32\FyEkuZQ.exe
  C:\Windows\System32\FyEkuZQ.exe
  2⤵
  PID:12128
- C:\Windows\System32\fHKoaEY.exe
  C:\Windows\System32\fHKoaEY.exe
  2⤵
  PID:12152
- C:\Windows\System32\UiKrGzF.exe
  C:\Windows\System32\UiKrGzF.exe
  2⤵
  PID:12172
- C:\Windows\System32\eBpfTRn.exe
  C:\Windows\System32\eBpfTRn.exe
  2⤵
  PID:12196
- C:\Windows\System32\HnveDZh.exe
  C:\Windows\System32\HnveDZh.exe
  2⤵
  PID:12216
- C:\Windows\System32\WNaVOWb.exe
  C:\Windows\System32\WNaVOWb.exe
  2⤵
  PID:12264
- C:\Windows\System32\PILWNwt.exe
  C:\Windows\System32\PILWNwt.exe
  2⤵
  PID:12284
- C:\Windows\System32\NiDTgzK.exe
  C:\Windows\System32\NiDTgzK.exe
  2⤵
  PID:11292
- C:\Windows\System32\kVjWpxL.exe
  C:\Windows\System32\kVjWpxL.exe
  2⤵
  PID:11412
- C:\Windows\System32\cuMyQzS.exe
  C:\Windows\System32\cuMyQzS.exe
  2⤵
  PID:11492
- C:\Windows\System32\hxwnrap.exe
  C:\Windows\System32\hxwnrap.exe
  2⤵
  PID:11532
- C:\Windows\System32\kmSZPJQ.exe
  C:\Windows\System32\kmSZPJQ.exe
  2⤵
  PID:11628
- C:\Windows\System32\StOPMCK.exe
  C:\Windows\System32\StOPMCK.exe
  2⤵
  PID:11712
- C:\Windows\System32\BDngVub.exe
  C:\Windows\System32\BDngVub.exe
  2⤵
  PID:11760
- C:\Windows\System32\lvePCDb.exe
  C:\Windows\System32\lvePCDb.exe
  2⤵
  PID:11812
- C:\Windows\System32\LaVJDQd.exe
  C:\Windows\System32\LaVJDQd.exe
  2⤵
  PID:11864
- C:\Windows\System32\dINsRCg.exe
  C:\Windows\System32\dINsRCg.exe
  2⤵
  PID:11944
- C:\Windows\System32\oZpmXhP.exe
  C:\Windows\System32\oZpmXhP.exe
  2⤵
  PID:12012
- C:\Windows\System32\vtLHQaV.exe
  C:\Windows\System32\vtLHQaV.exe
  2⤵
  PID:12068
- C:\Windows\System32\KdfwocP.exe
  C:\Windows\System32\KdfwocP.exe
  2⤵
  PID:12136
- C:\Windows\System32\BlXCiFZ.exe
  C:\Windows\System32\BlXCiFZ.exe
  2⤵
  PID:12164
- C:\Windows\System32\zNizErD.exe
  C:\Windows\System32\zNizErD.exe
  2⤵
  PID:11296
- C:\Windows\System32\zjpGpvD.exe
  C:\Windows\System32\zjpGpvD.exe
  2⤵
  PID:11336
- C:\Windows\System32\IBshiAR.exe
  C:\Windows\System32\IBshiAR.exe
  2⤵
  PID:11500
- C:\Windows\System32\rSYNVoS.exe
  C:\Windows\System32\rSYNVoS.exe
  2⤵
  PID:11580
- C:\Windows\System32\vkqbXsO.exe
  C:\Windows\System32\vkqbXsO.exe
  2⤵
  PID:2184
- C:\Windows\System32\mtLCICT.exe
  C:\Windows\System32\mtLCICT.exe
  2⤵
  PID:11904
- C:\Windows\System32\QBaJmrz.exe
  C:\Windows\System32\QBaJmrz.exe
  2⤵
  PID:11920
- C:\Windows\System32\AOLqYca.exe
  C:\Windows\System32\AOLqYca.exe
  2⤵
  PID:12112
- C:\Windows\System32\JfBQVZu.exe
  C:\Windows\System32\JfBQVZu.exe
  2⤵
  PID:12252
- C:\Windows\System32\epovdgP.exe
  C:\Windows\System32\epovdgP.exe
  2⤵
  PID:11268
- C:\Windows\System32\zvpkJal.exe
  C:\Windows\System32\zvpkJal.exe
  2⤵
  PID:11616
- C:\Windows\System32\InHKbqf.exe
  C:\Windows\System32\InHKbqf.exe
  2⤵
  PID:11792
- C:\Windows\System32\SmZFDKq.exe
  C:\Windows\System32\SmZFDKq.exe
  2⤵
  PID:11600
- C:\Windows\System32\GZeFLIZ.exe
  C:\Windows\System32\GZeFLIZ.exe
  2⤵
  PID:12296
- C:\Windows\System32\ELSyQqe.exe
  C:\Windows\System32\ELSyQqe.exe
  2⤵
  PID:12312
- C:\Windows\System32\exVSteP.exe
  C:\Windows\System32\exVSteP.exe
  2⤵
  PID:12356
- C:\Windows\System32\YDxYqQT.exe
  C:\Windows\System32\YDxYqQT.exe
  2⤵
  PID:12372
- C:\Windows\System32\eMccEcI.exe
  C:\Windows\System32\eMccEcI.exe
  2⤵
  PID:12408
- C:\Windows\System32\lsTzBkj.exe
  C:\Windows\System32\lsTzBkj.exe
  2⤵
  PID:12436
- C:\Windows\System32\cFzRYGz.exe
  C:\Windows\System32\cFzRYGz.exe
  2⤵
  PID:12484
- C:\Windows\System32\GZkFxnG.exe
  C:\Windows\System32\GZkFxnG.exe
  2⤵
  PID:12508
- C:\Windows\System32\CVBdNYq.exe
  C:\Windows\System32\CVBdNYq.exe
  2⤵
  PID:12524
- C:\Windows\System32\aeiFfGy.exe
  C:\Windows\System32\aeiFfGy.exe
  2⤵
  PID:12552
- C:\Windows\System32\pdCbUwN.exe
  C:\Windows\System32\pdCbUwN.exe
  2⤵
  PID:12572
- C:\Windows\System32\NuJlhmB.exe
  C:\Windows\System32\NuJlhmB.exe
  2⤵
  PID:12600
- C:\Windows\System32\ldVkXnK.exe
  C:\Windows\System32\ldVkXnK.exe
  2⤵
  PID:12636
- C:\Windows\System32\CVztfej.exe
  C:\Windows\System32\CVztfej.exe
  2⤵
  PID:12668
- C:\Windows\System32\hkktHHj.exe
  C:\Windows\System32\hkktHHj.exe
  2⤵
  PID:12700
- C:\Windows\System32\nXdZccw.exe
  C:\Windows\System32\nXdZccw.exe
  2⤵
  PID:12724
- C:\Windows\System32\beOaNFy.exe
  C:\Windows\System32\beOaNFy.exe
  2⤵
  PID:12764
- C:\Windows\System32\OWtBTcu.exe
  C:\Windows\System32\OWtBTcu.exe
  2⤵
  PID:12784
- C:\Windows\System32\PVtNDwQ.exe
  C:\Windows\System32\PVtNDwQ.exe
  2⤵
  PID:12808
- C:\Windows\System32\UvEBsdE.exe
  C:\Windows\System32\UvEBsdE.exe
  2⤵
  PID:12836
- C:\Windows\System32\RprKFcr.exe
  C:\Windows\System32\RprKFcr.exe
  2⤵
  PID:12856
- C:\Windows\System32\fbIiHYX.exe
  C:\Windows\System32\fbIiHYX.exe
  2⤵
  PID:12888
- C:\Windows\System32\YqFmTxD.exe
  C:\Windows\System32\YqFmTxD.exe
  2⤵
  PID:12924
- C:\Windows\System32\YNIqQyf.exe
  C:\Windows\System32\YNIqQyf.exe
  2⤵
  PID:12940
- C:\Windows\System32\YWjoaIV.exe
  C:\Windows\System32\YWjoaIV.exe
  2⤵
  PID:12972
- C:\Windows\System32\becyIQl.exe
  C:\Windows\System32\becyIQl.exe
  2⤵
  PID:13004
- C:\Windows\System32\ehLuGVo.exe
  C:\Windows\System32\ehLuGVo.exe
  2⤵
  PID:13028
- C:\Windows\System32\rrcBwed.exe
  C:\Windows\System32\rrcBwed.exe
  2⤵
  PID:13064
- C:\Windows\System32\QcnvthO.exe
  C:\Windows\System32\QcnvthO.exe
  2⤵
  PID:13108
- C:\Windows\System32\GticWtc.exe
  C:\Windows\System32\GticWtc.exe
  2⤵
  PID:13140
- C:\Windows\System32\OKYuJnj.exe
  C:\Windows\System32\OKYuJnj.exe
  2⤵
  PID:13164
- C:\Windows\System32\ANrHtxR.exe
  C:\Windows\System32\ANrHtxR.exe
  2⤵
  PID:13208
- C:\Windows\System32\ldkvMSI.exe
  C:\Windows\System32\ldkvMSI.exe
  2⤵
  PID:13224
- C:\Windows\System32\snOlpCR.exe
  C:\Windows\System32\snOlpCR.exe
  2⤵
  PID:13252

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AWhJuIe.exe

Filesize
1.9MB

MD5
cc75c8cfa570ffecddd04f4a76747417

SHA1
2287e7abe6a5b29ff838eca1897a40cce21155df

SHA256
6c1054a1a6149786a5aa73b2ec59ead9a56b097dfa2dff386de81bd5f9d44535

SHA512
d1a27bb1a4beb83c9522b27c002edbc99505640a72ea7a18a00f2e82d9f38656b7f1449fac96eb6dc52fc69d8d5f6c7e9847ed6d2bfac5eb152783269273f5cb

Download Submit
C:\Windows\System32\BmXSjWo.exe

Filesize
1.9MB

MD5
45896e7a37fcea994b0887a44b44878e

SHA1
fae744bfdc01ca5ce6450b464257c95c3faec24c

SHA256
338f53a5d6b9c1183618580478043049085885266d3215021c774d18f56e5952

SHA512
65f7c23eddd1bdd6985317101697e896e129502f7d8a5b68d12a525cb1c82831328154dbfff92a8b3cf6d9b120465f7cb04357a6800df70017b6524fbaf80586

Download Submit
C:\Windows\System32\BmoxvfW.exe

Filesize
1.9MB

MD5
8b5bb0308337a714e86751ca9cd4aa97

SHA1
815ed2b64542b165fc3746bd5ca55d55cea1b787

SHA256
883a5a35b2196132645722441f387c68e1c508abe46c69dda6ead7b18ff02b93

SHA512
cb90bd35b857504ab170a7693914d08ad72088bfb2cd404714f7fca9075161b43e27852f26b98b81f0dfc58da73bd39ba6dbbe84c48bdf19f4eb44d1df7f223a

Download Submit
C:\Windows\System32\CANcMyg.exe

Filesize
1.9MB

MD5
d6a0d067b2b6c814d1203b10086f962c

SHA1
6fd8072d67b4e4485576f04b1e9c10a7112612f9

SHA256
a239e371b9ac3e50c60c43b6d2795c7a25d2f0a80c3b0ba7f32917ba0fa79936

SHA512
8d6edcdb5fa3549f3983ed06902d3052269746457c8bff295bbd53a12275913ea12e80d1775bc8edbdbd1587a53c1c1806babecb18093d0706837c1c56adc065

Download Submit
C:\Windows\System32\CMsCSBe.exe

Filesize
1.9MB

MD5
6442246cd7827178b31fca054b689e7d

SHA1
dbef1722c697d2522906d915ff3e3549e3a1f626

SHA256
8085588d82f67645eff0da73e6e3ac801dcee28d1a83f063d00226c323c9237c

SHA512
37a4984b7e88561eb1e81f775a1a2c62285d5b842f6752acc983427ca649e8d16a689e0be42286355b1a50f7ae8d1cd4dd52fa3a8c97552e7d0ef32125050f4e

Download Submit
C:\Windows\System32\DNfNPNi.exe

Filesize
1.9MB

MD5
c3208576a7df690231d816bff1e7e206

SHA1
b9a9707163dc60da717b271e4a522cbecb3dc98c

SHA256
66acbd581e1aa9c0e390a460b7ac470cf09e8091c6b12333bfa996f5d70ba7b3

SHA512
db6d609f09c74c4dec052ed20021958dcb2580eaa0ddf9f91b1d15e86bcfd54b64306cd44c20f29167c7703d8ac71353a462b197f2e2f85059be35462805af48

Download Submit
C:\Windows\System32\JBYSxge.exe

Filesize
1.9MB

MD5
d37776a6de33bf091adbbd12ae09fad1

SHA1
199e6b42d4d9a2c61fd2574b459ecadd8c1e4ad1

SHA256
0ba1813b489126239f662467190663924c4cd50c949d410aa7e674f036b9300f

SHA512
b7c713dddac2bdc4dfaab6e9ed003c598e3e7fbc68383765e5a73fa1cd1909a13f0ac42902f8e2e0d4c74141c2aca33baad50abcc4cf09f8fea661945dffc8bf

Download Submit
C:\Windows\System32\JIJdMQU.exe

Filesize
1.9MB

MD5
6e7ab5135641ac6a654e7361049d31cb

SHA1
37926661f70a4907b144d658399d74075170fb61

SHA256
82baeda840ee5aaa77189d9f857faaac19abb8cab88135747ca69dbb1ba913f8

SHA512
3a53d6af9ffeb6e3593a8e30e8240ad984e113577e3e00a9756cf2fc705091196f1d108b63c840de95e82c3d17404c379c928578345f5f957551537125b24dc4

Download Submit
C:\Windows\System32\KYsPjoQ.exe

Filesize
1.9MB

MD5
f8b856748d85145bae545bc8a048c895

SHA1
d0b1e34740fb18a68ee6f37abe6568f7e8a6337c

SHA256
2b942dbc60bdaa95613c3777ebbc6d647885aa99d40b71489f83789f9ae1c48c

SHA512
34989a2b24693fe9a8d64976893f7b636bff13f1e0f251148b3bd5be7e9c27c3012eab3e7518ed4d0886ad0e36e9673e164cf2c535de01d343ae8958ae5fc9c4

Download Submit
C:\Windows\System32\LMbLUvJ.exe

Filesize
1.9MB

MD5
ec5e6f3c30aa4fbe855961247e853338

SHA1
0d6a5ffa9bec0049d3d31c700295145efb5cf89b

SHA256
cff8c0503b6f4c992f3ea54bd725db68ffc001916f69aa7dc621a4a2b622579b

SHA512
3a92160cb98c638b52c2c614b2eecc0ec2963a511a5655838dc1367a205514d402547f18e0c8aa19b99af3cce12578e38142463629c2911429a51f46be0b8a40

Download Submit
C:\Windows\System32\LwGQEcY.exe

Filesize
1.9MB

MD5
ab45aba5d5bbc90615046f3f5e3ba028

SHA1
e29af18b5d7946179bbfbb73a6e098b73a93bc51

SHA256
7f92e34cb3ca27cf28749662d3120c526281a10c4622524510546cbcd322490c

SHA512
36baabc674bc518ab070dcc6c3af20a835013ba32d11e0025d085bfde259d1d50bfe3b0fc7e7782a3bde44be5c248d2b0f299236fad8a25ed3d1d368e06cdb21

Download Submit
C:\Windows\System32\OEyejaa.exe

Filesize
1.9MB

MD5
dae45b07edb9bfc37317e9afcbe579f6

SHA1
d98891d9988856d39a6ce3d32da0ef0a75df23e3

SHA256
4428c9a99023cae3b5e410f64b75cfaa8a5548b6d3da81d2d27515330d31edfe

SHA512
e6b79bed81d3a831b42a4fea2612889d269a28ede0d4225490d231369c2e22366682f9efc7d97b2e5831d4cbc5de7d398874068271f824330aa3a20ab2e491ff

Download Submit
C:\Windows\System32\PVVhCKY.exe

Filesize
1.9MB

MD5
cb49f9a24f615d8b22668373cca79556

SHA1
6e45444195374b29cf6ba093c3939d45b9a89ab9

SHA256
4c920e01116d2ed8832bdb6372c4b407083eea5081b40f7312b17b9d4b1be7f3

SHA512
d53949d1e56a0d32fe454870204871490540d0e34bd10842ca6c3a42c73998205fdcc9e283746b32b2ba233bf887441bec13392953397d671e7c9aee1b1adf7d

Download Submit
C:\Windows\System32\RJoLmwN.exe

Filesize
1.9MB

MD5
a2a3103c3a3cc8c251b7fe1173933a55

SHA1
2eac2f8cf692b3062e36a6471b7f29724d4530c2

SHA256
6bb90ddae168ed796b54171c90a1e94b814d68bd1a41af5f6f88c08c7e2d678c

SHA512
8de4a4a1d7def4ad209bec830d118f9bf55dcf161a4145bdcee2a054f7f27a57692451a2ef500e484f68811ae32b450d3a17caaaeef134b69f47f3f84811907e

Download Submit
C:\Windows\System32\TWYkuWR.exe

Filesize
1.9MB

MD5
3d46754a47f6ec217cf3ffb52ec62f0a

SHA1
49f10fe0c33c609b1c5714a5196976d16888da1f

SHA256
c2905fef009a2a6670637062c75fe9dc39d0a9023c448feb8a5b92824265d81a

SHA512
7d6cb7e1dfe13022734d182a18a307e9f0a2a5d39d3781c06cce0b1e2a735605a0131a2437281361dc549799553a8716d606a6428b43e2ea9dcc0ad546c27646

Download Submit
C:\Windows\System32\UnJFrsP.exe

Filesize
1.9MB

MD5
78649cbe0080317d970221e3f0413045

SHA1
5c9e5c53e2387453ebd59649fab44e23c5d2705e

SHA256
b852e571f2b495bd8030e7eb7bcd4269fb3dbeac67fab058c0598077b5751315

SHA512
6d485211d4ce78f3e52e9ec6edf7833b5ee698f748a159e56108f232aa8ff038e101f5b9518429f4df52afde82092facfbe5bf38c94183d71e89a70d844cf212

Download Submit
C:\Windows\System32\YPlJwmc.exe

Filesize
1.9MB

MD5
21e4ffd6470b2ed16a773b0c928003d1

SHA1
6799ab5a7154c0400cf3978efdcbc7075164a625

SHA256
d410c6e8c985f85a2c1f97bc105279ffd1173194cad67b31ca5f23130e8a849b

SHA512
90b8735d66972b0091c9a1c42cb47c3b7e2375d41f5c24b93c8bdc447a34492de0d0321836b501582d66a7b6cb699aae08875e27d320c53929a66a656db23c13

Download Submit
C:\Windows\System32\bgypztg.exe

Filesize
1.9MB

MD5
8de53c3c785fe1fc88e051c1b8ac8b52

SHA1
a60b5124e80a87fba3edbd1a902378b62f9b26c4

SHA256
deba2cc10b623fb8b102bbef1dfd107afd38505cfd1e2bc2ec24dfa0c6ca5d41

SHA512
73ba3abd8b3ad8be7115b412563dfbf9af9a48ca05abdd73a0c0738da0861ae2d2e53e691b58c7a9a3128d7ce3d65846cb0bc02f4116deb3e5ebaa1c0141ebeb

Download Submit
C:\Windows\System32\bpwdBPA.exe

Filesize
1.9MB

MD5
28aa4cc5ed0becf81f3ae44a26d5b5e0

SHA1
58d9c5e2550246a0e4a39b75b16eb9544e9a4a71

SHA256
b89a640f944beec38e62a749152bfca07f795ef09c49ff43b8880092aca2a811

SHA512
3eaa458434971fd00f6e0a977eb9c18858496be4de9e7850454c29d8eca844fc8c1f9d1c76949efc29756bade754013437326b2508a2d4e46d0f268dd0b36c29

Download Submit
C:\Windows\System32\csYaPCT.exe

Filesize
1.9MB

MD5
b0f6604f465efc0fe91d686a987b7d78

SHA1
03830481e65ad3860248a53886b66223fd93d324

SHA256
27615cc277686e12bbe508ba91060cdea2f12e435813f3d554fc16a70ef3cbb9

SHA512
2f0a882ab732b0ed411eaec6f27864fd8ca0981cc000e5e6199145a0618aaf27e6c3fe11ff017370a63d87dab555055285d91e5b7909338c49e1899f6ff1e036

Download Submit
C:\Windows\System32\dDzwwuK.exe

Filesize
1.9MB

MD5
4b0c0fb3756b10b161cdc43d3586e5d4

SHA1
65811297c1afad01d3d65bdc2db4ba7c0c38fe76

SHA256
66e2ba65805682d795a01f1a976f55e82b72923f7ba506453502b286b64dc328

SHA512
ae7ced85d29f27a4a4b17b2be253f9bfaf4bf5de9feab128b86500b42231e28d25044a4f52380c67d4d92a794ab4f62d47167e81bc19c75d063f870c7c4f8575

Download Submit
C:\Windows\System32\dZQzlpF.exe

Filesize
1.9MB

MD5
a3deb0f6be755ec9baadabc7aab0baf6

SHA1
d7cb4fe1d96bbcc20659155e44185dd9f02fab80

SHA256
bc6038710f894883a5f9b1b03c5b4622136af134c629c956ff0c24d3a7341ab1

SHA512
f473ba02419ba10dc2858c68ffce6f3527d3441d8c4bfa9ca678875d8b883c76010ce064f7b3689bcfc0faef6ba0b745538551b04cb921715a397c7df943a673

Download Submit
C:\Windows\System32\eAEKYFv.exe

Filesize
1.9MB

MD5
c9895744b7c56bd3765ac374880bca22

SHA1
3dc6723637d7fa5476f39324aff2bd36be4294bb

SHA256
c18c2118c933c59d1c78a2f31c3cec811d34b4f13ed9c0eacebc8a0b9c9fca0c

SHA512
417ca64d7f35ca6938d3b3ba4d87c8482dca8d52bc21f8fade0c2436a195184f87a2bd614dce61a995c1141df71ed790d99df74fc2e0315381ccd9783fa66b2a

Download Submit
C:\Windows\System32\eeuZIHu.exe

Filesize
1.9MB

MD5
ba221d91309b2ad076aaacf075095e3d

SHA1
ca71cae96ceb1a5a64cb37cf0d705cb46cc83be2

SHA256
202d2bb8e3a0f725fbbcd5888cf7ccd7a27f98ade4965e4ffebdac55fb4c7106

SHA512
7dc6df56093e40b5ab1ed763c333a9508d97e3471a38392e6cb4931d16df2c973525dd1172cea7ab4543c4596abc46eb395c99f4c5c443480899ac029d5ca246

Download Submit
C:\Windows\System32\hDJbDkr.exe

Filesize
1.9MB

MD5
964b8100fc4e5daf65004434bcc66185

SHA1
60617183760bea9f0eff8c912ff1ae2eaf26dd21

SHA256
468c6990bd5e77b4162868c9387791aa505f4f4d1f075ee9ae1da7432d86dd73

SHA512
3301438dbd5a26de34f247241e6741b4d0a17c70dc1142d4e67519219dbcdfc6a58b97910f364dd12415f5a93cc58b77095a420d4df92ec4999e1cd7e51ebd11

Download Submit
C:\Windows\System32\iEcINDT.exe

Filesize
1.9MB

MD5
59c2db0a015ad832d07fecede91439cd

SHA1
3e13a93af2db634971029a6600eba391c1dc84ee

SHA256
1b0c20fdf81c0c2aff1b5ab75ab33d2826f71a1b1f84b690be547fdf619f7354

SHA512
aab657ea731d82d963f3adebacb24ac30540541c4c033646f438d79736fb19168f37a10924b9701fd6cee3ac9ac4e2b89ef56ab16f2e1f45638997caf79be052

Download Submit
C:\Windows\System32\reZakfE.exe

Filesize
1.9MB

MD5
710ce378fb2f0d809450a82333cca0e9

SHA1
de09dfe4a335c92674e82d013237449b3e98320e

SHA256
f832d97599e79409d19f699015cd16a6f06a9306775200f4c770d887a862b3e0

SHA512
1c61af07c1e3a5aff46ce9059011e002f3a26ccefa07294f5181dbfb4b4acab89384b1cd9e22828bb8ed05b930a12898e3e13d8a9d4841113dd84032962c0510

Download Submit
C:\Windows\System32\tLOXsPU.exe

Filesize
1.9MB

MD5
d766bff460fd0cd7938bc1674d2a5cef

SHA1
ce1c76701d1e4d3e90b47ba604ba6912e2cf8370

SHA256
89308247a3c66fe93ebfdedef9f2d9bd6bbc38891e3b183277debe38eafe523d

SHA512
917c980d53d13ee91e93fd4af99aa00a2fbb254066c7565af1c4db170faa2493b3c98ea41c458aa1a68e965370df6a2cd23dc5a2d535ed0773424b60ecfa013f

Download Submit
C:\Windows\System32\tuqPCls.exe

Filesize
1.9MB

MD5
788406f9d67fcd2027a828bf9cbd2ddc

SHA1
d5ad0250001af64570410d6bb66198655a8ecda2

SHA256
3688656d1b91335f1349efefa9e1a860acf186f1cf2de11af2a405bab61d9b9d

SHA512
c54d7a9e9aa5e8f4b4023c64fd56b263e1bab651c41ce7f4e644c4c3a51c2d9e3eff4adeb0032c8e369bde470aa2b326d334be0576d5839cbcda92e9bcbf8383

Download Submit
C:\Windows\System32\uBPlAmF.exe

Filesize
1.9MB

MD5
4f9149681ab8ca466b8f170429ea61e2

SHA1
1af1a391a4d2180de5c497ebea2b8b947b8eac48

SHA256
367dc5ebfc5860e2e121c9eb2a6a055f4ee5517f32cab71976e7a2318afa939c

SHA512
a577284352ed73bb8bcd2fa250f3c6571a4ce767b09c12ffa5be71c9fad6c9fe94c04a1cac2376779a0d6394ee1d561941049d373bd35c4d751a816694043bd9

Download Submit
C:\Windows\System32\wRzkIyP.exe

Filesize
1.9MB

MD5
314dcaf4e38275184e6d4d7fe3148252

SHA1
a218d36aa824b2ba1cc2656a148184dd8f0cb7cc

SHA256
fdda368d5f6e81a2225a99a94407d257852ddd2757d1133e1b0766e9666e4fbc

SHA512
a4fc3d0e871c3ff56e0c21b9c03bacf1e0d6b5eba8d0f6437f2e8bc548029c700624443cc60bb50a2e969073b6694887c0ac0a59d951d689f1e83bee600ebe59

Download Submit
C:\Windows\System32\zbxtvns.exe

Filesize
1.9MB

MD5
ae32e2f299ba0b58a1fcb439a2655ae3

SHA1
416ad95c11ccca953af0cb69a7dab6f191a9b7ad

SHA256
ec150b650fb967f730982630fdb31faa8c8b70d69064209fdee46fb9b71d2ed0

SHA512
1adbaf8208101d5283abc46ee2c40476d10252716d73bb4814b81ad50a43ff1e31d4e6ee55112d7f6c1eaaa37a2dc55b716e2a25c116eee23a34d02cf651de80

Download Submit
memory/432-2003-0x00007FF78BCC0000-0x00007FF78C0B1000-memory.dmp

Filesize
3.9MB

Download
memory/432-24-0x00007FF78BCC0000-0x00007FF78C0B1000-memory.dmp

Filesize
3.9MB

Download
memory/432-1957-0x00007FF78BCC0000-0x00007FF78C0B1000-memory.dmp

Filesize
3.9MB

Download
memory/440-468-0x00007FF7D2C80000-0x00007FF7D3071000-memory.dmp

Filesize
3.9MB

Download
memory/440-2035-0x00007FF7D2C80000-0x00007FF7D3071000-memory.dmp

Filesize
3.9MB

Download
memory/708-39-0x00007FF659680000-0x00007FF659A71000-memory.dmp

Filesize
3.9MB

Download
memory/708-2007-0x00007FF659680000-0x00007FF659A71000-memory.dmp

Filesize
3.9MB

Download
memory/1284-434-0x00007FF67CC20000-0x00007FF67D011000-memory.dmp

Filesize
3.9MB

Download
memory/1284-2019-0x00007FF67CC20000-0x00007FF67D011000-memory.dmp

Filesize
3.9MB

Download
memory/1352-2027-0x00007FF752580000-0x00007FF752971000-memory.dmp

Filesize
3.9MB

Download
memory/1352-437-0x00007FF752580000-0x00007FF752971000-memory.dmp

Filesize
3.9MB

Download
memory/1592-457-0x00007FF7390D0000-0x00007FF7394C1000-memory.dmp

Filesize
3.9MB

Download
memory/1592-2021-0x00007FF7390D0000-0x00007FF7394C1000-memory.dmp

Filesize
3.9MB

Download
memory/2380-18-0x00007FF69B030000-0x00007FF69B421000-memory.dmp

Filesize
3.9MB

Download
memory/2380-1956-0x00007FF69B030000-0x00007FF69B421000-memory.dmp

Filesize
3.9MB

Download
memory/2380-2001-0x00007FF69B030000-0x00007FF69B421000-memory.dmp

Filesize
3.9MB

Download
memory/2484-422-0x00007FF6ED8C0000-0x00007FF6EDCB1000-memory.dmp

Filesize
3.9MB

Download
memory/2484-2013-0x00007FF6ED8C0000-0x00007FF6EDCB1000-memory.dmp

Filesize
3.9MB

Download
memory/2888-427-0x00007FF64D570000-0x00007FF64D961000-memory.dmp

Filesize
3.9MB

Download
memory/2888-2015-0x00007FF64D570000-0x00007FF64D961000-memory.dmp

Filesize
3.9MB

Download
memory/2968-442-0x00007FF60D340000-0x00007FF60D731000-memory.dmp

Filesize
3.9MB

Download
memory/2968-2025-0x00007FF60D340000-0x00007FF60D731000-memory.dmp

Filesize
3.9MB

Download
memory/3408-487-0x00007FF7F9E80000-0x00007FF7FA271000-memory.dmp

Filesize
3.9MB

Download
memory/3408-2041-0x00007FF7F9E80000-0x00007FF7FA271000-memory.dmp

Filesize
3.9MB

Download
memory/3484-421-0x00007FF7D2160000-0x00007FF7D2551000-memory.dmp

Filesize
3.9MB

Download
memory/3484-2011-0x00007FF7D2160000-0x00007FF7D2551000-memory.dmp

Filesize
3.9MB

Download
memory/3608-23-0x00007FF7CD830000-0x00007FF7CDC21000-memory.dmp

Filesize
3.9MB

Download
memory/3608-1999-0x00007FF7CD830000-0x00007FF7CDC21000-memory.dmp

Filesize
3.9MB

Download
memory/3704-2033-0x00007FF69B460000-0x00007FF69B851000-memory.dmp

Filesize
3.9MB

Download
memory/3704-466-0x00007FF69B460000-0x00007FF69B851000-memory.dmp

Filesize
3.9MB

Download
memory/3848-450-0x00007FF74B630000-0x00007FF74BA21000-memory.dmp

Filesize
3.9MB

Download
memory/3848-2023-0x00007FF74B630000-0x00007FF74BA21000-memory.dmp

Filesize
3.9MB

Download
memory/3920-2043-0x00007FF75A800000-0x00007FF75ABF1000-memory.dmp

Filesize
3.9MB

Download
memory/3920-477-0x00007FF75A800000-0x00007FF75ABF1000-memory.dmp

Filesize
3.9MB

Download
memory/4132-488-0x00007FF72FED0000-0x00007FF7302C1000-memory.dmp

Filesize
3.9MB

Download
memory/4132-2039-0x00007FF72FED0000-0x00007FF7302C1000-memory.dmp

Filesize
3.9MB

Download
memory/4264-2005-0x00007FF71C390000-0x00007FF71C781000-memory.dmp

Filesize
3.9MB

Download
memory/4264-35-0x00007FF71C390000-0x00007FF71C781000-memory.dmp

Filesize
3.9MB

Download
memory/4404-1992-0x00007FF71DEF0000-0x00007FF71E2E1000-memory.dmp

Filesize
3.9MB

Download
memory/4404-1-0x000002F1AD3F0000-0x000002F1AD400000-memory.dmp

Filesize
64KB

Download
memory/4404-0-0x00007FF71DEF0000-0x00007FF71E2E1000-memory.dmp

Filesize
3.9MB

Download
memory/4404-1790-0x00007FF71DEF0000-0x00007FF71E2E1000-memory.dmp

Filesize
3.9MB

Download
memory/4440-1997-0x00007FF7655F0000-0x00007FF7659E1000-memory.dmp

Filesize
3.9MB

Download
memory/4440-10-0x00007FF7655F0000-0x00007FF7659E1000-memory.dmp

Filesize
3.9MB

Download
memory/4672-465-0x00007FF7129E0000-0x00007FF712DD1000-memory.dmp

Filesize
3.9MB

Download
memory/4672-2031-0x00007FF7129E0000-0x00007FF712DD1000-memory.dmp

Filesize
3.9MB

Download
memory/4712-471-0x00007FF7B04B0000-0x00007FF7B08A1000-memory.dmp

Filesize
3.9MB

Download
memory/4712-2037-0x00007FF7B04B0000-0x00007FF7B08A1000-memory.dmp

Filesize
3.9MB

Download
memory/4780-42-0x00007FF653850000-0x00007FF653C41000-memory.dmp

Filesize
3.9MB

Download
memory/4780-2009-0x00007FF653850000-0x00007FF653C41000-memory.dmp

Filesize
3.9MB

Download
memory/4780-1990-0x00007FF653850000-0x00007FF653C41000-memory.dmp

Filesize
3.9MB

Download
memory/4892-2029-0x00007FF7F5A20000-0x00007FF7F5E11000-memory.dmp

Filesize
3.9MB

Download
memory/4892-460-0x00007FF7F5A20000-0x00007FF7F5E11000-memory.dmp

Filesize
3.9MB

Download
memory/5044-2017-0x00007FF737040000-0x00007FF737431000-memory.dmp

Filesize
3.9MB

Download
memory/5044-429-0x00007FF737040000-0x00007FF737431000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads