xmrig | ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc

Analysis

max time kernel
124s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
Size

2.9MB
MD5

2e8a2338fbc9120c5cc2d9a8b3ddb8fb
SHA1

1419800aaa2309b4075744fabb561f7c96e7f05e
SHA256

ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc
SHA512

4a6fa1db672c844d497b9fe995f48ed62db0e88bf75bff5ce10eee06ddb8db3255fc27a41b20a68b4ff7492bc90ed314685f6565a02046f2ea59c46d6558e12e
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzJuJvhV/yl14P9nB:w0GnJMOWPClFdx6e0EALKWVTffZiPAcI

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3832-0-0x00007FF6A2580000-0x00007FF6A2975000-memory.dmp	xmrig
behavioral2/files/0x000900000002345a-4.dat	xmrig
behavioral2/files/0x0007000000023460-10.dat	xmrig
behavioral2/files/0x0007000000023461-16.dat	xmrig
behavioral2/files/0x0007000000023462-22.dat	xmrig
behavioral2/files/0x0007000000023463-28.dat	xmrig
behavioral2/files/0x0007000000023467-46.dat	xmrig
behavioral2/files/0x0007000000023468-53.dat	xmrig
behavioral2/files/0x000700000002346b-68.dat	xmrig
behavioral2/files/0x000700000002346d-76.dat	xmrig
behavioral2/files/0x0007000000023470-93.dat	xmrig
behavioral2/files/0x0007000000023472-103.dat	xmrig
behavioral2/files/0x0007000000023477-128.dat	xmrig
behavioral2/files/0x000700000002347d-158.dat	xmrig
behavioral2/memory/1512-770-0x00007FF7E9570000-0x00007FF7E9965000-memory.dmp	xmrig
behavioral2/files/0x000700000002347e-163.dat	xmrig
behavioral2/files/0x000700000002347c-153.dat	xmrig
behavioral2/files/0x000700000002347b-148.dat	xmrig
behavioral2/files/0x000700000002347a-143.dat	xmrig
behavioral2/files/0x0007000000023479-138.dat	xmrig
behavioral2/files/0x0007000000023478-133.dat	xmrig
behavioral2/files/0x0007000000023476-123.dat	xmrig
behavioral2/files/0x0007000000023475-118.dat	xmrig
behavioral2/files/0x0007000000023474-113.dat	xmrig
behavioral2/files/0x0007000000023473-108.dat	xmrig
behavioral2/files/0x0007000000023471-98.dat	xmrig
behavioral2/files/0x000700000002346f-88.dat	xmrig
behavioral2/files/0x000700000002346e-83.dat	xmrig
behavioral2/files/0x000700000002346c-73.dat	xmrig
behavioral2/files/0x000700000002346a-63.dat	xmrig
behavioral2/files/0x0007000000023469-58.dat	xmrig
behavioral2/files/0x0007000000023466-43.dat	xmrig
behavioral2/files/0x0007000000023465-38.dat	xmrig
behavioral2/files/0x0007000000023464-33.dat	xmrig
behavioral2/memory/4744-15-0x00007FF6D5020000-0x00007FF6D5415000-memory.dmp	xmrig
behavioral2/memory/2176-6-0x00007FF7791A0000-0x00007FF779595000-memory.dmp	xmrig
behavioral2/memory/1572-771-0x00007FF65E300000-0x00007FF65E6F5000-memory.dmp	xmrig
behavioral2/memory/2532-772-0x00007FF696060000-0x00007FF696455000-memory.dmp	xmrig
behavioral2/memory/4152-773-0x00007FF7724D0000-0x00007FF7728C5000-memory.dmp	xmrig
behavioral2/memory/1944-774-0x00007FF6778C0000-0x00007FF677CB5000-memory.dmp	xmrig
behavioral2/memory/2320-775-0x00007FF772360000-0x00007FF772755000-memory.dmp	xmrig
behavioral2/memory/2756-776-0x00007FF755AE0000-0x00007FF755ED5000-memory.dmp	xmrig
behavioral2/memory/628-777-0x00007FF7DCA90000-0x00007FF7DCE85000-memory.dmp	xmrig
behavioral2/memory/4960-778-0x00007FF66B1B0000-0x00007FF66B5A5000-memory.dmp	xmrig
behavioral2/memory/220-779-0x00007FF723D80000-0x00007FF724175000-memory.dmp	xmrig
behavioral2/memory/2776-784-0x00007FF7741F0000-0x00007FF7745E5000-memory.dmp	xmrig
behavioral2/memory/4296-789-0x00007FF7FCAC0000-0x00007FF7FCEB5000-memory.dmp	xmrig
behavioral2/memory/4448-799-0x00007FF645A10000-0x00007FF645E05000-memory.dmp	xmrig
behavioral2/memory/4640-804-0x00007FF69E320000-0x00007FF69E715000-memory.dmp	xmrig
behavioral2/memory/4528-793-0x00007FF7E40A0000-0x00007FF7E4495000-memory.dmp	xmrig
behavioral2/memory/3676-810-0x00007FF74FB90000-0x00007FF74FF85000-memory.dmp	xmrig
behavioral2/memory/1032-815-0x00007FF6B84E0000-0x00007FF6B88D5000-memory.dmp	xmrig
behavioral2/memory/4728-832-0x00007FF624300000-0x00007FF6246F5000-memory.dmp	xmrig
behavioral2/memory/1592-834-0x00007FF665EC0000-0x00007FF6662B5000-memory.dmp	xmrig
behavioral2/memory/228-827-0x00007FF6B0040000-0x00007FF6B0435000-memory.dmp	xmrig
behavioral2/memory/3384-824-0x00007FF741AE0000-0x00007FF741ED5000-memory.dmp	xmrig
behavioral2/memory/3776-820-0x00007FF79F790000-0x00007FF79FB85000-memory.dmp	xmrig
behavioral2/memory/3832-1882-0x00007FF6A2580000-0x00007FF6A2975000-memory.dmp	xmrig
behavioral2/memory/2176-1883-0x00007FF7791A0000-0x00007FF779595000-memory.dmp	xmrig
behavioral2/memory/2176-1885-0x00007FF7791A0000-0x00007FF779595000-memory.dmp	xmrig
behavioral2/memory/4744-1884-0x00007FF6D5020000-0x00007FF6D5415000-memory.dmp	xmrig
behavioral2/memory/1512-1886-0x00007FF7E9570000-0x00007FF7E9965000-memory.dmp	xmrig
behavioral2/memory/1592-1888-0x00007FF665EC0000-0x00007FF6662B5000-memory.dmp	xmrig
behavioral2/memory/2532-1889-0x00007FF696060000-0x00007FF696455000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2176	mFTFjTr.exe
4744	CZPqcbI.exe
1512	cDEkCly.exe
1592	cCperBt.exe
1572	HRyQAmW.exe
2532	DFpsqiU.exe
4152	ufdtDDK.exe
1944	tySMnbs.exe
2320	VgGAguj.exe
2756	XlVUecf.exe
628	ZkZcGqm.exe
4960	FKcXmuu.exe
220	gUjXSQS.exe
2776	monWeCk.exe
4296	htwgSdd.exe
4528	LLGCVxm.exe
4448	uilbRmt.exe
4640	ZZyDOLF.exe
3676	eROTMcZ.exe
1032	yAXmIYx.exe
3776	OxmIUiP.exe
3384	wCKMSCj.exe
228	JKGypGm.exe
4728	nCktdiH.exe
1952	WWudEGx.exe
2872	NKcukXW.exe
1064	xGHDiWy.exe
3860	lynXwiN.exe
3504	DFBUKNa.exe
4552	fTHrvYL.exe
3648	FSlVSuu.exe
1644	CjgAckB.exe
3684	SPqCyIT.exe
2172	VRlzNgF.exe
1004	TqwdoNb.exe
4088	LlTRPnk.exe
4304	hbrPSuN.exe
3568	oDlDyVp.exe
2400	qeDIWMm.exe
2956	VsuhcBF.exe
3660	XazCfWk.exe
3756	bTRhkfv.exe
5084	NuoyVxb.exe
2052	ibXJrXQ.exe
3800	XvsWIVe.exe
4320	byfdNaR.exe
1148	tauqMHE.exe
4832	MsqaTtT.exe
3856	EJUpdnr.exe
3236	PJbiqEH.exe
3596	ZqyyGJU.exe
1212	MKyqgoL.exe
2712	kAKQuyf.exe
1964	rWCXSer.exe
1800	dvyydIL.exe
2264	FQTwVEw.exe
1504	fLsqGtg.exe
392	EcWbtVr.exe
5092	ofBuoXg.exe
3364	ICeMQmO.exe
2488	BtYZbGe.exe
3392	JAxnnex.exe
2988	XcroKJA.exe
4420	rtQKKMZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3832-0-0x00007FF6A2580000-0x00007FF6A2975000-memory.dmp	upx
behavioral2/files/0x000900000002345a-4.dat	upx
behavioral2/files/0x0007000000023460-10.dat	upx
behavioral2/files/0x0007000000023461-16.dat	upx
behavioral2/files/0x0007000000023462-22.dat	upx
behavioral2/files/0x0007000000023463-28.dat	upx
behavioral2/files/0x0007000000023467-46.dat	upx
behavioral2/files/0x0007000000023468-53.dat	upx
behavioral2/files/0x000700000002346b-68.dat	upx
behavioral2/files/0x000700000002346d-76.dat	upx
behavioral2/files/0x0007000000023470-93.dat	upx
behavioral2/files/0x0007000000023472-103.dat	upx
behavioral2/files/0x0007000000023477-128.dat	upx
behavioral2/files/0x000700000002347d-158.dat	upx
behavioral2/memory/1512-770-0x00007FF7E9570000-0x00007FF7E9965000-memory.dmp	upx
behavioral2/files/0x000700000002347e-163.dat	upx
behavioral2/files/0x000700000002347c-153.dat	upx
behavioral2/files/0x000700000002347b-148.dat	upx
behavioral2/files/0x000700000002347a-143.dat	upx
behavioral2/files/0x0007000000023479-138.dat	upx
behavioral2/files/0x0007000000023478-133.dat	upx
behavioral2/files/0x0007000000023476-123.dat	upx
behavioral2/files/0x0007000000023475-118.dat	upx
behavioral2/files/0x0007000000023474-113.dat	upx
behavioral2/files/0x0007000000023473-108.dat	upx
behavioral2/files/0x0007000000023471-98.dat	upx
behavioral2/files/0x000700000002346f-88.dat	upx
behavioral2/files/0x000700000002346e-83.dat	upx
behavioral2/files/0x000700000002346c-73.dat	upx
behavioral2/files/0x000700000002346a-63.dat	upx
behavioral2/files/0x0007000000023469-58.dat	upx
behavioral2/files/0x0007000000023466-43.dat	upx
behavioral2/files/0x0007000000023465-38.dat	upx
behavioral2/files/0x0007000000023464-33.dat	upx
behavioral2/memory/4744-15-0x00007FF6D5020000-0x00007FF6D5415000-memory.dmp	upx
behavioral2/memory/2176-6-0x00007FF7791A0000-0x00007FF779595000-memory.dmp	upx
behavioral2/memory/1572-771-0x00007FF65E300000-0x00007FF65E6F5000-memory.dmp	upx
behavioral2/memory/2532-772-0x00007FF696060000-0x00007FF696455000-memory.dmp	upx
behavioral2/memory/4152-773-0x00007FF7724D0000-0x00007FF7728C5000-memory.dmp	upx
behavioral2/memory/1944-774-0x00007FF6778C0000-0x00007FF677CB5000-memory.dmp	upx
behavioral2/memory/2320-775-0x00007FF772360000-0x00007FF772755000-memory.dmp	upx
behavioral2/memory/2756-776-0x00007FF755AE0000-0x00007FF755ED5000-memory.dmp	upx
behavioral2/memory/628-777-0x00007FF7DCA90000-0x00007FF7DCE85000-memory.dmp	upx
behavioral2/memory/4960-778-0x00007FF66B1B0000-0x00007FF66B5A5000-memory.dmp	upx
behavioral2/memory/220-779-0x00007FF723D80000-0x00007FF724175000-memory.dmp	upx
behavioral2/memory/2776-784-0x00007FF7741F0000-0x00007FF7745E5000-memory.dmp	upx
behavioral2/memory/4296-789-0x00007FF7FCAC0000-0x00007FF7FCEB5000-memory.dmp	upx
behavioral2/memory/4448-799-0x00007FF645A10000-0x00007FF645E05000-memory.dmp	upx
behavioral2/memory/4640-804-0x00007FF69E320000-0x00007FF69E715000-memory.dmp	upx
behavioral2/memory/4528-793-0x00007FF7E40A0000-0x00007FF7E4495000-memory.dmp	upx
behavioral2/memory/3676-810-0x00007FF74FB90000-0x00007FF74FF85000-memory.dmp	upx
behavioral2/memory/1032-815-0x00007FF6B84E0000-0x00007FF6B88D5000-memory.dmp	upx
behavioral2/memory/4728-832-0x00007FF624300000-0x00007FF6246F5000-memory.dmp	upx
behavioral2/memory/1592-834-0x00007FF665EC0000-0x00007FF6662B5000-memory.dmp	upx
behavioral2/memory/228-827-0x00007FF6B0040000-0x00007FF6B0435000-memory.dmp	upx
behavioral2/memory/3384-824-0x00007FF741AE0000-0x00007FF741ED5000-memory.dmp	upx
behavioral2/memory/3776-820-0x00007FF79F790000-0x00007FF79FB85000-memory.dmp	upx
behavioral2/memory/3832-1882-0x00007FF6A2580000-0x00007FF6A2975000-memory.dmp	upx
behavioral2/memory/2176-1883-0x00007FF7791A0000-0x00007FF779595000-memory.dmp	upx
behavioral2/memory/2176-1885-0x00007FF7791A0000-0x00007FF779595000-memory.dmp	upx
behavioral2/memory/4744-1884-0x00007FF6D5020000-0x00007FF6D5415000-memory.dmp	upx
behavioral2/memory/1512-1886-0x00007FF7E9570000-0x00007FF7E9965000-memory.dmp	upx
behavioral2/memory/1592-1888-0x00007FF665EC0000-0x00007FF6662B5000-memory.dmp	upx
behavioral2/memory/2532-1889-0x00007FF696060000-0x00007FF696455000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\lGRYkxX.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\iVpunbQ.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\jvggLNd.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\XEyDBik.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\ofBuoXg.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\jXeoBtE.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\WeyjpWn.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\mkGilbT.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\opqRqQm.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\eRVAKrv.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\CZPqcbI.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\XSVUOgh.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\GBZHGnD.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\YYkvILw.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\OwxOIXC.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\iJsLGvx.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\pDyaJnw.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\RMbuTbI.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\TCBnSpL.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\HauYmrJ.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\hGdhvBj.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\RRGKsXN.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\PndvUdE.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\SnWXvQh.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\JGzUMGh.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\fAOomXs.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\SoBeeJU.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\RdeLpcJ.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\ppAElgQ.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\qPKtKxF.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\VgGAguj.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\fgUsMeC.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\VJetkAI.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\HRpSKjF.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\tvQGoJs.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\ryDhyDB.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\seTzVyG.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\WWudEGx.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\BtYZbGe.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\DLolLQd.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\YmyTwtM.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\DajpUma.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\usteFYh.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\kOHHhUI.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\mPPSirb.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\KSIfYPL.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\QEAbLpU.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\SBJfRAV.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\IEGTOaM.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\byKAucz.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\Oljxtzy.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\DFpAzyf.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\taaNLsb.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\QGjqAMl.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\YVoCLpU.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\hpMSTsl.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\wyeCYDQ.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\VRlzNgF.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\OKqSaqn.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\gMElKsU.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\RMpBARS.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\gEVMCNN.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\fNRnCgY.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
File created	C:\Windows\System32\XyCKPEs.exe	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4316	dwm.exe
Token: SeChangeNotifyPrivilege	4316	dwm.exe
Token: 33	4316	dwm.exe
Token: SeIncBasePriorityPrivilege	4316	dwm.exe
Token: SeShutdownPrivilege	4316	dwm.exe
Token: SeCreatePagefilePrivilege	4316	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2176	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	85
PID 3832 wrote to memory of 2176	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	85
PID 3832 wrote to memory of 4744	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	86
PID 3832 wrote to memory of 4744	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	86
PID 3832 wrote to memory of 1512	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	87
PID 3832 wrote to memory of 1512	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	87
PID 3832 wrote to memory of 1592	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	88
PID 3832 wrote to memory of 1592	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	88
PID 3832 wrote to memory of 1572	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	89
PID 3832 wrote to memory of 1572	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	89
PID 3832 wrote to memory of 2532	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	90
PID 3832 wrote to memory of 2532	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	90
PID 3832 wrote to memory of 4152	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	91
PID 3832 wrote to memory of 4152	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	91
PID 3832 wrote to memory of 1944	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	92
PID 3832 wrote to memory of 1944	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	92
PID 3832 wrote to memory of 2320	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	93
PID 3832 wrote to memory of 2320	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	93
PID 3832 wrote to memory of 2756	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	94
PID 3832 wrote to memory of 2756	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	94
PID 3832 wrote to memory of 628	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	95
PID 3832 wrote to memory of 628	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	95
PID 3832 wrote to memory of 4960	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	96
PID 3832 wrote to memory of 4960	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	96
PID 3832 wrote to memory of 220	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	97
PID 3832 wrote to memory of 220	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	97
PID 3832 wrote to memory of 2776	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	98
PID 3832 wrote to memory of 2776	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	98
PID 3832 wrote to memory of 4296	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	99
PID 3832 wrote to memory of 4296	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	99
PID 3832 wrote to memory of 4528	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	100
PID 3832 wrote to memory of 4528	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	100
PID 3832 wrote to memory of 4448	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	101
PID 3832 wrote to memory of 4448	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	101
PID 3832 wrote to memory of 4640	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	102
PID 3832 wrote to memory of 4640	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	102
PID 3832 wrote to memory of 3676	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	103
PID 3832 wrote to memory of 3676	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	103
PID 3832 wrote to memory of 1032	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	104
PID 3832 wrote to memory of 1032	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	104
PID 3832 wrote to memory of 3776	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	105
PID 3832 wrote to memory of 3776	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	105
PID 3832 wrote to memory of 3384	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	106
PID 3832 wrote to memory of 3384	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	106
PID 3832 wrote to memory of 228	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	107
PID 3832 wrote to memory of 228	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	107
PID 3832 wrote to memory of 4728	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	108
PID 3832 wrote to memory of 4728	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	108
PID 3832 wrote to memory of 1952	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	109
PID 3832 wrote to memory of 1952	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	109
PID 3832 wrote to memory of 2872	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	110
PID 3832 wrote to memory of 2872	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	110
PID 3832 wrote to memory of 1064	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	111
PID 3832 wrote to memory of 1064	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	111
PID 3832 wrote to memory of 3860	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	112
PID 3832 wrote to memory of 3860	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	112
PID 3832 wrote to memory of 3504	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	113
PID 3832 wrote to memory of 3504	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	113
PID 3832 wrote to memory of 4552	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	114
PID 3832 wrote to memory of 4552	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	114
PID 3832 wrote to memory of 3648	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	115
PID 3832 wrote to memory of 3648	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	115
PID 3832 wrote to memory of 1644	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	116
PID 3832 wrote to memory of 1644	3832	ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe	116

C:\Users\Admin\AppData\Local\Temp\ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe
"C:\Users\Admin\AppData\Local\Temp\ce39cec707fbd016cf68fa9980da83298e31ca4c065ae41271183ee2d53e99fc.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\System32\mFTFjTr.exe
  C:\Windows\System32\mFTFjTr.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System32\CZPqcbI.exe
  C:\Windows\System32\CZPqcbI.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System32\cDEkCly.exe
  C:\Windows\System32\cDEkCly.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System32\cCperBt.exe
  C:\Windows\System32\cCperBt.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System32\HRyQAmW.exe
  C:\Windows\System32\HRyQAmW.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\DFpsqiU.exe
  C:\Windows\System32\DFpsqiU.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\ufdtDDK.exe
  C:\Windows\System32\ufdtDDK.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System32\tySMnbs.exe
  C:\Windows\System32\tySMnbs.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\VgGAguj.exe
  C:\Windows\System32\VgGAguj.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System32\XlVUecf.exe
  C:\Windows\System32\XlVUecf.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System32\ZkZcGqm.exe
  C:\Windows\System32\ZkZcGqm.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System32\FKcXmuu.exe
  C:\Windows\System32\FKcXmuu.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\gUjXSQS.exe
  C:\Windows\System32\gUjXSQS.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System32\monWeCk.exe
  C:\Windows\System32\monWeCk.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System32\htwgSdd.exe
  C:\Windows\System32\htwgSdd.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System32\LLGCVxm.exe
  C:\Windows\System32\LLGCVxm.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\uilbRmt.exe
  C:\Windows\System32\uilbRmt.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\ZZyDOLF.exe
  C:\Windows\System32\ZZyDOLF.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\eROTMcZ.exe
  C:\Windows\System32\eROTMcZ.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\yAXmIYx.exe
  C:\Windows\System32\yAXmIYx.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System32\OxmIUiP.exe
  C:\Windows\System32\OxmIUiP.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\wCKMSCj.exe
  C:\Windows\System32\wCKMSCj.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System32\JKGypGm.exe
  C:\Windows\System32\JKGypGm.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\nCktdiH.exe
  C:\Windows\System32\nCktdiH.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\WWudEGx.exe
  C:\Windows\System32\WWudEGx.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System32\NKcukXW.exe
  C:\Windows\System32\NKcukXW.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System32\xGHDiWy.exe
  C:\Windows\System32\xGHDiWy.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System32\lynXwiN.exe
  C:\Windows\System32\lynXwiN.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System32\DFBUKNa.exe
  C:\Windows\System32\DFBUKNa.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System32\fTHrvYL.exe
  C:\Windows\System32\fTHrvYL.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\FSlVSuu.exe
  C:\Windows\System32\FSlVSuu.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System32\CjgAckB.exe
  C:\Windows\System32\CjgAckB.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System32\SPqCyIT.exe
  C:\Windows\System32\SPqCyIT.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System32\VRlzNgF.exe
  C:\Windows\System32\VRlzNgF.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System32\TqwdoNb.exe
  C:\Windows\System32\TqwdoNb.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System32\LlTRPnk.exe
  C:\Windows\System32\LlTRPnk.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System32\hbrPSuN.exe
  C:\Windows\System32\hbrPSuN.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\oDlDyVp.exe
  C:\Windows\System32\oDlDyVp.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System32\qeDIWMm.exe
  C:\Windows\System32\qeDIWMm.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System32\VsuhcBF.exe
  C:\Windows\System32\VsuhcBF.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\XazCfWk.exe
  C:\Windows\System32\XazCfWk.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\bTRhkfv.exe
  C:\Windows\System32\bTRhkfv.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System32\NuoyVxb.exe
  C:\Windows\System32\NuoyVxb.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\ibXJrXQ.exe
  C:\Windows\System32\ibXJrXQ.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System32\XvsWIVe.exe
  C:\Windows\System32\XvsWIVe.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System32\byfdNaR.exe
  C:\Windows\System32\byfdNaR.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\tauqMHE.exe
  C:\Windows\System32\tauqMHE.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System32\MsqaTtT.exe
  C:\Windows\System32\MsqaTtT.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System32\EJUpdnr.exe
  C:\Windows\System32\EJUpdnr.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System32\PJbiqEH.exe
  C:\Windows\System32\PJbiqEH.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\ZqyyGJU.exe
  C:\Windows\System32\ZqyyGJU.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\MKyqgoL.exe
  C:\Windows\System32\MKyqgoL.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System32\kAKQuyf.exe
  C:\Windows\System32\kAKQuyf.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System32\rWCXSer.exe
  C:\Windows\System32\rWCXSer.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System32\dvyydIL.exe
  C:\Windows\System32\dvyydIL.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\FQTwVEw.exe
  C:\Windows\System32\FQTwVEw.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\fLsqGtg.exe
  C:\Windows\System32\fLsqGtg.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System32\EcWbtVr.exe
  C:\Windows\System32\EcWbtVr.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\ofBuoXg.exe
  C:\Windows\System32\ofBuoXg.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\ICeMQmO.exe
  C:\Windows\System32\ICeMQmO.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System32\BtYZbGe.exe
  C:\Windows\System32\BtYZbGe.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\JAxnnex.exe
  C:\Windows\System32\JAxnnex.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System32\XcroKJA.exe
  C:\Windows\System32\XcroKJA.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\rtQKKMZ.exe
  C:\Windows\System32\rtQKKMZ.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System32\PcJdKID.exe
  C:\Windows\System32\PcJdKID.exe
  2⤵
  PID:2136
- C:\Windows\System32\eHVFlPQ.exe
  C:\Windows\System32\eHVFlPQ.exe
  2⤵
  PID:4672
- C:\Windows\System32\VMBOwKe.exe
  C:\Windows\System32\VMBOwKe.exe
  2⤵
  PID:2656
- C:\Windows\System32\PMCFqrk.exe
  C:\Windows\System32\PMCFqrk.exe
  2⤵
  PID:4816
- C:\Windows\System32\IuQxReI.exe
  C:\Windows\System32\IuQxReI.exe
  2⤵
  PID:736
- C:\Windows\System32\KNmwhDE.exe
  C:\Windows\System32\KNmwhDE.exe
  2⤵
  PID:5020
- C:\Windows\System32\KzIEyrj.exe
  C:\Windows\System32\KzIEyrj.exe
  2⤵
  PID:3524
- C:\Windows\System32\cxyEllV.exe
  C:\Windows\System32\cxyEllV.exe
  2⤵
  PID:4220
- C:\Windows\System32\EZOUBYX.exe
  C:\Windows\System32\EZOUBYX.exe
  2⤵
  PID:2524
- C:\Windows\System32\mBDoyNR.exe
  C:\Windows\System32\mBDoyNR.exe
  2⤵
  PID:2720
- C:\Windows\System32\WdXRtzq.exe
  C:\Windows\System32\WdXRtzq.exe
  2⤵
  PID:4572
- C:\Windows\System32\rXBoJpG.exe
  C:\Windows\System32\rXBoJpG.exe
  2⤵
  PID:5132
- C:\Windows\System32\MNSaNrf.exe
  C:\Windows\System32\MNSaNrf.exe
  2⤵
  PID:5160
- C:\Windows\System32\DFpAzyf.exe
  C:\Windows\System32\DFpAzyf.exe
  2⤵
  PID:5188
- C:\Windows\System32\hRXARdD.exe
  C:\Windows\System32\hRXARdD.exe
  2⤵
  PID:5216
- C:\Windows\System32\TZFkBwg.exe
  C:\Windows\System32\TZFkBwg.exe
  2⤵
  PID:5256
- C:\Windows\System32\tNNGGub.exe
  C:\Windows\System32\tNNGGub.exe
  2⤵
  PID:5272
- C:\Windows\System32\FfCTyhI.exe
  C:\Windows\System32\FfCTyhI.exe
  2⤵
  PID:5312
- C:\Windows\System32\QHEAwhG.exe
  C:\Windows\System32\QHEAwhG.exe
  2⤵
  PID:5328
- C:\Windows\System32\CBhZvww.exe
  C:\Windows\System32\CBhZvww.exe
  2⤵
  PID:5356
- C:\Windows\System32\NZVVXHH.exe
  C:\Windows\System32\NZVVXHH.exe
  2⤵
  PID:5384
- C:\Windows\System32\CXZrJmW.exe
  C:\Windows\System32\CXZrJmW.exe
  2⤵
  PID:5424
- C:\Windows\System32\wkQxsuu.exe
  C:\Windows\System32\wkQxsuu.exe
  2⤵
  PID:5452
- C:\Windows\System32\lRCrOSi.exe
  C:\Windows\System32\lRCrOSi.exe
  2⤵
  PID:5468
- C:\Windows\System32\octAQxc.exe
  C:\Windows\System32\octAQxc.exe
  2⤵
  PID:5508
- C:\Windows\System32\bfhkYPY.exe
  C:\Windows\System32\bfhkYPY.exe
  2⤵
  PID:5536
- C:\Windows\System32\eAZHxZJ.exe
  C:\Windows\System32\eAZHxZJ.exe
  2⤵
  PID:5552
- C:\Windows\System32\rAXQDJc.exe
  C:\Windows\System32\rAXQDJc.exe
  2⤵
  PID:5580
- C:\Windows\System32\GNiBseJ.exe
  C:\Windows\System32\GNiBseJ.exe
  2⤵
  PID:5620
- C:\Windows\System32\PawVYJa.exe
  C:\Windows\System32\PawVYJa.exe
  2⤵
  PID:5636
- C:\Windows\System32\XWtUsxC.exe
  C:\Windows\System32\XWtUsxC.exe
  2⤵
  PID:5664
- C:\Windows\System32\xvQfSoF.exe
  C:\Windows\System32\xvQfSoF.exe
  2⤵
  PID:5704
- C:\Windows\System32\NhiSQCx.exe
  C:\Windows\System32\NhiSQCx.exe
  2⤵
  PID:5720
- C:\Windows\System32\pcNvfSN.exe
  C:\Windows\System32\pcNvfSN.exe
  2⤵
  PID:5748
- C:\Windows\System32\dbHvLja.exe
  C:\Windows\System32\dbHvLja.exe
  2⤵
  PID:5776
- C:\Windows\System32\BXKfSqp.exe
  C:\Windows\System32\BXKfSqp.exe
  2⤵
  PID:5804
- C:\Windows\System32\AnWrVmI.exe
  C:\Windows\System32\AnWrVmI.exe
  2⤵
  PID:5844
- C:\Windows\System32\WfweeSU.exe
  C:\Windows\System32\WfweeSU.exe
  2⤵
  PID:5860
- C:\Windows\System32\rzJRPET.exe
  C:\Windows\System32\rzJRPET.exe
  2⤵
  PID:5900
- C:\Windows\System32\DLolLQd.exe
  C:\Windows\System32\DLolLQd.exe
  2⤵
  PID:5928
- C:\Windows\System32\rNXYKCM.exe
  C:\Windows\System32\rNXYKCM.exe
  2⤵
  PID:5956
- C:\Windows\System32\vOXAici.exe
  C:\Windows\System32\vOXAici.exe
  2⤵
  PID:5972
- C:\Windows\System32\oCXvCps.exe
  C:\Windows\System32\oCXvCps.exe
  2⤵
  PID:6000
- C:\Windows\System32\pxToEpw.exe
  C:\Windows\System32\pxToEpw.exe
  2⤵
  PID:6040
- C:\Windows\System32\XFJjkCt.exe
  C:\Windows\System32\XFJjkCt.exe
  2⤵
  PID:6056
- C:\Windows\System32\BxZtEiA.exe
  C:\Windows\System32\BxZtEiA.exe
  2⤵
  PID:6084
- C:\Windows\System32\UqyaODZ.exe
  C:\Windows\System32\UqyaODZ.exe
  2⤵
  PID:6124
- C:\Windows\System32\KJebCdv.exe
  C:\Windows\System32\KJebCdv.exe
  2⤵
  PID:6140
- C:\Windows\System32\pLxoHcr.exe
  C:\Windows\System32\pLxoHcr.exe
  2⤵
  PID:3084
- C:\Windows\System32\GkFDLcd.exe
  C:\Windows\System32\GkFDLcd.exe
  2⤵
  PID:3812
- C:\Windows\System32\jIpUPPc.exe
  C:\Windows\System32\jIpUPPc.exe
  2⤵
  PID:4132
- C:\Windows\System32\frltTYY.exe
  C:\Windows\System32\frltTYY.exe
  2⤵
  PID:2996
- C:\Windows\System32\BGjYDDY.exe
  C:\Windows\System32\BGjYDDY.exe
  2⤵
  PID:4504
- C:\Windows\System32\MSrugSc.exe
  C:\Windows\System32\MSrugSc.exe
  2⤵
  PID:5228
- C:\Windows\System32\eSDfdcT.exe
  C:\Windows\System32\eSDfdcT.exe
  2⤵
  PID:5264
- C:\Windows\System32\DfzarpP.exe
  C:\Windows\System32\DfzarpP.exe
  2⤵
  PID:5320
- C:\Windows\System32\OvGHEGE.exe
  C:\Windows\System32\OvGHEGE.exe
  2⤵
  PID:5416
- C:\Windows\System32\ojbowcu.exe
  C:\Windows\System32\ojbowcu.exe
  2⤵
  PID:5492
- C:\Windows\System32\bfvlqyZ.exe
  C:\Windows\System32\bfvlqyZ.exe
  2⤵
  PID:5544
- C:\Windows\System32\buFztQZ.exe
  C:\Windows\System32\buFztQZ.exe
  2⤵
  PID:5596
- C:\Windows\System32\XaAraxU.exe
  C:\Windows\System32\XaAraxU.exe
  2⤵
  PID:5652
- C:\Windows\System32\qERrWmD.exe
  C:\Windows\System32\qERrWmD.exe
  2⤵
  PID:5736
- C:\Windows\System32\NMsLQoC.exe
  C:\Windows\System32\NMsLQoC.exe
  2⤵
  PID:5788
- C:\Windows\System32\PwhDHgW.exe
  C:\Windows\System32\PwhDHgW.exe
  2⤵
  PID:3668
- C:\Windows\System32\JNjFESg.exe
  C:\Windows\System32\JNjFESg.exe
  2⤵
  PID:5940
- C:\Windows\System32\aDzKkGk.exe
  C:\Windows\System32\aDzKkGk.exe
  2⤵
  PID:5968
- C:\Windows\System32\CJHVFiZ.exe
  C:\Windows\System32\CJHVFiZ.exe
  2⤵
  PID:6032
- C:\Windows\System32\wqPncnX.exe
  C:\Windows\System32\wqPncnX.exe
  2⤵
  PID:6132
- C:\Windows\System32\lpcIeNo.exe
  C:\Windows\System32\lpcIeNo.exe
  2⤵
  PID:8
- C:\Windows\System32\IEGbNER.exe
  C:\Windows\System32\IEGbNER.exe
  2⤵
  PID:1972
- C:\Windows\System32\YmyTwtM.exe
  C:\Windows\System32\YmyTwtM.exe
  2⤵
  PID:5176
- C:\Windows\System32\WaGSxmU.exe
  C:\Windows\System32\WaGSxmU.exe
  2⤵
  PID:5324
- C:\Windows\System32\Ahxvdgg.exe
  C:\Windows\System32\Ahxvdgg.exe
  2⤵
  PID:5520
- C:\Windows\System32\kmVljhq.exe
  C:\Windows\System32\kmVljhq.exe
  2⤵
  PID:5696
- C:\Windows\System32\zoycJfc.exe
  C:\Windows\System32\zoycJfc.exe
  2⤵
  PID:5828
- C:\Windows\System32\nKNJjGS.exe
  C:\Windows\System32\nKNJjGS.exe
  2⤵
  PID:5876
- C:\Windows\System32\vraIeaC.exe
  C:\Windows\System32\vraIeaC.exe
  2⤵
  PID:6164
- C:\Windows\System32\taaNLsb.exe
  C:\Windows\System32\taaNLsb.exe
  2⤵
  PID:6204
- C:\Windows\System32\fgUsMeC.exe
  C:\Windows\System32\fgUsMeC.exe
  2⤵
  PID:6232
- C:\Windows\System32\oYFkiPN.exe
  C:\Windows\System32\oYFkiPN.exe
  2⤵
  PID:6248
- C:\Windows\System32\uIQSrbK.exe
  C:\Windows\System32\uIQSrbK.exe
  2⤵
  PID:6288
- C:\Windows\System32\DajpUma.exe
  C:\Windows\System32\DajpUma.exe
  2⤵
  PID:6304
- C:\Windows\System32\KSKTeFS.exe
  C:\Windows\System32\KSKTeFS.exe
  2⤵
  PID:6344
- C:\Windows\System32\beFIXdj.exe
  C:\Windows\System32\beFIXdj.exe
  2⤵
  PID:6372
- C:\Windows\System32\QOCZfkR.exe
  C:\Windows\System32\QOCZfkR.exe
  2⤵
  PID:6388
- C:\Windows\System32\CTvVDjd.exe
  C:\Windows\System32\CTvVDjd.exe
  2⤵
  PID:6416
- C:\Windows\System32\mFNziNi.exe
  C:\Windows\System32\mFNziNi.exe
  2⤵
  PID:6444
- C:\Windows\System32\usteFYh.exe
  C:\Windows\System32\usteFYh.exe
  2⤵
  PID:6472
- C:\Windows\System32\kOHHhUI.exe
  C:\Windows\System32\kOHHhUI.exe
  2⤵
  PID:6500
- C:\Windows\System32\BYuwlSV.exe
  C:\Windows\System32\BYuwlSV.exe
  2⤵
  PID:6528
- C:\Windows\System32\KmjJqsb.exe
  C:\Windows\System32\KmjJqsb.exe
  2⤵
  PID:6556
- C:\Windows\System32\aZdhZWQ.exe
  C:\Windows\System32\aZdhZWQ.exe
  2⤵
  PID:6584
- C:\Windows\System32\oPkQsyD.exe
  C:\Windows\System32\oPkQsyD.exe
  2⤵
  PID:6612
- C:\Windows\System32\hQfWNYF.exe
  C:\Windows\System32\hQfWNYF.exe
  2⤵
  PID:6652
- C:\Windows\System32\biAbpSv.exe
  C:\Windows\System32\biAbpSv.exe
  2⤵
  PID:6668
- C:\Windows\System32\fNRnCgY.exe
  C:\Windows\System32\fNRnCgY.exe
  2⤵
  PID:6708
- C:\Windows\System32\OKpiqUA.exe
  C:\Windows\System32\OKpiqUA.exe
  2⤵
  PID:6724
- C:\Windows\System32\JMSBjvc.exe
  C:\Windows\System32\JMSBjvc.exe
  2⤵
  PID:6764
- C:\Windows\System32\FNPoghc.exe
  C:\Windows\System32\FNPoghc.exe
  2⤵
  PID:6780
- C:\Windows\System32\AVIRRCW.exe
  C:\Windows\System32\AVIRRCW.exe
  2⤵
  PID:6808
- C:\Windows\System32\LsJVFsG.exe
  C:\Windows\System32\LsJVFsG.exe
  2⤵
  PID:6848
- C:\Windows\System32\rqZyVAM.exe
  C:\Windows\System32\rqZyVAM.exe
  2⤵
  PID:6864
- C:\Windows\System32\uvqaXsV.exe
  C:\Windows\System32\uvqaXsV.exe
  2⤵
  PID:6892
- C:\Windows\System32\WkTkjOz.exe
  C:\Windows\System32\WkTkjOz.exe
  2⤵
  PID:6920
- C:\Windows\System32\sORpQAx.exe
  C:\Windows\System32\sORpQAx.exe
  2⤵
  PID:6960
- C:\Windows\System32\XSVUOgh.exe
  C:\Windows\System32\XSVUOgh.exe
  2⤵
  PID:6976
- C:\Windows\System32\zjeFFFE.exe
  C:\Windows\System32\zjeFFFE.exe
  2⤵
  PID:7016
- C:\Windows\System32\GquAwQZ.exe
  C:\Windows\System32\GquAwQZ.exe
  2⤵
  PID:7032
- C:\Windows\System32\OYLKeeI.exe
  C:\Windows\System32\OYLKeeI.exe
  2⤵
  PID:7060
- C:\Windows\System32\sXdBuKp.exe
  C:\Windows\System32\sXdBuKp.exe
  2⤵
  PID:7100
- C:\Windows\System32\NAheNxK.exe
  C:\Windows\System32\NAheNxK.exe
  2⤵
  PID:7116
- C:\Windows\System32\ojKqenV.exe
  C:\Windows\System32\ojKqenV.exe
  2⤵
  PID:7156
- C:\Windows\System32\BVCvYew.exe
  C:\Windows\System32\BVCvYew.exe
  2⤵
  PID:6016
- C:\Windows\System32\JEnKWHP.exe
  C:\Windows\System32\JEnKWHP.exe
  2⤵
  PID:2072
- C:\Windows\System32\JwRYBZf.exe
  C:\Windows\System32\JwRYBZf.exe
  2⤵
  PID:5232
- C:\Windows\System32\mHzQjJG.exe
  C:\Windows\System32\mHzQjJG.exe
  2⤵
  PID:5772
- C:\Windows\System32\aJHHSeY.exe
  C:\Windows\System32\aJHHSeY.exe
  2⤵
  PID:5916
- C:\Windows\System32\HauYmrJ.exe
  C:\Windows\System32\HauYmrJ.exe
  2⤵
  PID:6180
- C:\Windows\System32\EofzthL.exe
  C:\Windows\System32\EofzthL.exe
  2⤵
  PID:6296
- C:\Windows\System32\QEAbLpU.exe
  C:\Windows\System32\QEAbLpU.exe
  2⤵
  PID:6336
- C:\Windows\System32\evLRewE.exe
  C:\Windows\System32\evLRewE.exe
  2⤵
  PID:6428
- C:\Windows\System32\sXtTwzN.exe
  C:\Windows\System32\sXtTwzN.exe
  2⤵
  PID:6468
- C:\Windows\System32\llJqlcM.exe
  C:\Windows\System32\llJqlcM.exe
  2⤵
  PID:6516
- C:\Windows\System32\zoqiZjt.exe
  C:\Windows\System32\zoqiZjt.exe
  2⤵
  PID:6624
- C:\Windows\System32\tkoEnXN.exe
  C:\Windows\System32\tkoEnXN.exe
  2⤵
  PID:6660
- C:\Windows\System32\oMcXErT.exe
  C:\Windows\System32\oMcXErT.exe
  2⤵
  PID:6720
- C:\Windows\System32\UcNuJCq.exe
  C:\Windows\System32\UcNuJCq.exe
  2⤵
  PID:6792
- C:\Windows\System32\jsSzyTa.exe
  C:\Windows\System32\jsSzyTa.exe
  2⤵
  PID:6840
- C:\Windows\System32\dKvhuld.exe
  C:\Windows\System32\dKvhuld.exe
  2⤵
  PID:6880
- C:\Windows\System32\GQONwNN.exe
  C:\Windows\System32\GQONwNN.exe
  2⤵
  PID:6936
- C:\Windows\System32\vABDyta.exe
  C:\Windows\System32\vABDyta.exe
  2⤵
  PID:7048
- C:\Windows\System32\OjaNbbH.exe
  C:\Windows\System32\OjaNbbH.exe
  2⤵
  PID:7084
- C:\Windows\System32\JMfBKUU.exe
  C:\Windows\System32\JMfBKUU.exe
  2⤵
  PID:5988
- C:\Windows\System32\XPJfgPH.exe
  C:\Windows\System32\XPJfgPH.exe
  2⤵
  PID:5368
- C:\Windows\System32\gMLOCkF.exe
  C:\Windows\System32\gMLOCkF.exe
  2⤵
  PID:2272
- C:\Windows\System32\cXzGOVO.exe
  C:\Windows\System32\cXzGOVO.exe
  2⤵
  PID:6260
- C:\Windows\System32\mIvWJIp.exe
  C:\Windows\System32\mIvWJIp.exe
  2⤵
  PID:6412
- C:\Windows\System32\WgfdVom.exe
  C:\Windows\System32\WgfdVom.exe
  2⤵
  PID:4624
- C:\Windows\System32\LXaSfeN.exe
  C:\Windows\System32\LXaSfeN.exe
  2⤵
  PID:6756
- C:\Windows\System32\VQvPFvP.exe
  C:\Windows\System32\VQvPFvP.exe
  2⤵
  PID:6832
- C:\Windows\System32\KvaAsvs.exe
  C:\Windows\System32\KvaAsvs.exe
  2⤵
  PID:7024
- C:\Windows\System32\RdpXzHI.exe
  C:\Windows\System32\RdpXzHI.exe
  2⤵
  PID:3564
- C:\Windows\System32\fawUKgt.exe
  C:\Windows\System32\fawUKgt.exe
  2⤵
  PID:1452
- C:\Windows\System32\rJVqxxx.exe
  C:\Windows\System32\rJVqxxx.exe
  2⤵
  PID:6224
- C:\Windows\System32\sBSlsJm.exe
  C:\Windows\System32\sBSlsJm.exe
  2⤵
  PID:7200
- C:\Windows\System32\eunuMaL.exe
  C:\Windows\System32\eunuMaL.exe
  2⤵
  PID:7228
- C:\Windows\System32\IKcQxEA.exe
  C:\Windows\System32\IKcQxEA.exe
  2⤵
  PID:7256
- C:\Windows\System32\RNXQqTf.exe
  C:\Windows\System32\RNXQqTf.exe
  2⤵
  PID:7272
- C:\Windows\System32\GUvixjG.exe
  C:\Windows\System32\GUvixjG.exe
  2⤵
  PID:7312
- C:\Windows\System32\XiLjVpJ.exe
  C:\Windows\System32\XiLjVpJ.exe
  2⤵
  PID:7340
- C:\Windows\System32\hcYWksz.exe
  C:\Windows\System32\hcYWksz.exe
  2⤵
  PID:7364
- C:\Windows\System32\PBogGip.exe
  C:\Windows\System32\PBogGip.exe
  2⤵
  PID:7384
- C:\Windows\System32\tGnzBBs.exe
  C:\Windows\System32\tGnzBBs.exe
  2⤵
  PID:7424
- C:\Windows\System32\rrgutsB.exe
  C:\Windows\System32\rrgutsB.exe
  2⤵
  PID:7440
- C:\Windows\System32\XWKRwaY.exe
  C:\Windows\System32\XWKRwaY.exe
  2⤵
  PID:7468
- C:\Windows\System32\rdlenIM.exe
  C:\Windows\System32\rdlenIM.exe
  2⤵
  PID:7508
- C:\Windows\System32\OKqSaqn.exe
  C:\Windows\System32\OKqSaqn.exe
  2⤵
  PID:7524
- C:\Windows\System32\UaxMNTB.exe
  C:\Windows\System32\UaxMNTB.exe
  2⤵
  PID:7552
- C:\Windows\System32\FxyGWnN.exe
  C:\Windows\System32\FxyGWnN.exe
  2⤵
  PID:7592
- C:\Windows\System32\wUvOoWd.exe
  C:\Windows\System32\wUvOoWd.exe
  2⤵
  PID:7620
- C:\Windows\System32\ViiKgAg.exe
  C:\Windows\System32\ViiKgAg.exe
  2⤵
  PID:7636
- C:\Windows\System32\QGjqAMl.exe
  C:\Windows\System32\QGjqAMl.exe
  2⤵
  PID:7676
- C:\Windows\System32\qJcazdN.exe
  C:\Windows\System32\qJcazdN.exe
  2⤵
  PID:7704
- C:\Windows\System32\BFgkznh.exe
  C:\Windows\System32\BFgkznh.exe
  2⤵
  PID:7732
- C:\Windows\System32\JiWxrqm.exe
  C:\Windows\System32\JiWxrqm.exe
  2⤵
  PID:7748
- C:\Windows\System32\dnFVgLM.exe
  C:\Windows\System32\dnFVgLM.exe
  2⤵
  PID:7788
- C:\Windows\System32\eLOPmBr.exe
  C:\Windows\System32\eLOPmBr.exe
  2⤵
  PID:7804
- C:\Windows\System32\fajeSEh.exe
  C:\Windows\System32\fajeSEh.exe
  2⤵
  PID:7844
- C:\Windows\System32\GjWrevz.exe
  C:\Windows\System32\GjWrevz.exe
  2⤵
  PID:7860
- C:\Windows\System32\vSYDUCu.exe
  C:\Windows\System32\vSYDUCu.exe
  2⤵
  PID:7888
- C:\Windows\System32\JJuyeMy.exe
  C:\Windows\System32\JJuyeMy.exe
  2⤵
  PID:7928
- C:\Windows\System32\wyHLoku.exe
  C:\Windows\System32\wyHLoku.exe
  2⤵
  PID:8036
- C:\Windows\System32\pYCDNpp.exe
  C:\Windows\System32\pYCDNpp.exe
  2⤵
  PID:8056
- C:\Windows\System32\hcHEYsN.exe
  C:\Windows\System32\hcHEYsN.exe
  2⤵
  PID:8084
- C:\Windows\System32\XyCKPEs.exe
  C:\Windows\System32\XyCKPEs.exe
  2⤵
  PID:8112
- C:\Windows\System32\yavXYJm.exe
  C:\Windows\System32\yavXYJm.exe
  2⤵
  PID:8132
- C:\Windows\System32\SLlCAdq.exe
  C:\Windows\System32\SLlCAdq.exe
  2⤵
  PID:8160
- C:\Windows\System32\DwHwKVG.exe
  C:\Windows\System32\DwHwKVG.exe
  2⤵
  PID:5108
- C:\Windows\System32\ioSCJVA.exe
  C:\Windows\System32\ioSCJVA.exe
  2⤵
  PID:6524
- C:\Windows\System32\oajYaUA.exe
  C:\Windows\System32\oajYaUA.exe
  2⤵
  PID:6568
- C:\Windows\System32\mBsfjRa.exe
  C:\Windows\System32\mBsfjRa.exe
  2⤵
  PID:4456
- C:\Windows\System32\jonTEGM.exe
  C:\Windows\System32\jonTEGM.exe
  2⤵
  PID:7172
- C:\Windows\System32\ghiIBuA.exe
  C:\Windows\System32\ghiIBuA.exe
  2⤵
  PID:7284
- C:\Windows\System32\VJetkAI.exe
  C:\Windows\System32\VJetkAI.exe
  2⤵
  PID:7324
- C:\Windows\System32\slrmYLg.exe
  C:\Windows\System32\slrmYLg.exe
  2⤵
  PID:7376
- C:\Windows\System32\DcLkusR.exe
  C:\Windows\System32\DcLkusR.exe
  2⤵
  PID:7416
- C:\Windows\System32\jTUVSqK.exe
  C:\Windows\System32\jTUVSqK.exe
  2⤵
  PID:7464
- C:\Windows\System32\FKiVFTC.exe
  C:\Windows\System32\FKiVFTC.exe
  2⤵
  PID:1388
- C:\Windows\System32\bzIbhYx.exe
  C:\Windows\System32\bzIbhYx.exe
  2⤵
  PID:3908
- C:\Windows\System32\AOJTacP.exe
  C:\Windows\System32\AOJTacP.exe
  2⤵
  PID:4388
- C:\Windows\System32\IeQVuwG.exe
  C:\Windows\System32\IeQVuwG.exe
  2⤵
  PID:1688
- C:\Windows\System32\yZAcqtA.exe
  C:\Windows\System32\yZAcqtA.exe
  2⤵
  PID:7740
- C:\Windows\System32\OWOmzZf.exe
  C:\Windows\System32\OWOmzZf.exe
  2⤵
  PID:7772
- C:\Windows\System32\xupWSfu.exe
  C:\Windows\System32\xupWSfu.exe
  2⤵
  PID:7836
- C:\Windows\System32\DYcCyzK.exe
  C:\Windows\System32\DYcCyzK.exe
  2⤵
  PID:1484
- C:\Windows\System32\OPQUdhD.exe
  C:\Windows\System32\OPQUdhD.exe
  2⤵
  PID:1796
- C:\Windows\System32\llQIrld.exe
  C:\Windows\System32\llQIrld.exe
  2⤵
  PID:1820
- C:\Windows\System32\QsmyuKh.exe
  C:\Windows\System32\QsmyuKh.exe
  2⤵
  PID:2588
- C:\Windows\System32\NZepnQQ.exe
  C:\Windows\System32\NZepnQQ.exe
  2⤵
  PID:1316
- C:\Windows\System32\KeNoRUD.exe
  C:\Windows\System32\KeNoRUD.exe
  2⤵
  PID:2592
- C:\Windows\System32\JyTOtqv.exe
  C:\Windows\System32\JyTOtqv.exe
  2⤵
  PID:4840
- C:\Windows\System32\nsTeiqt.exe
  C:\Windows\System32\nsTeiqt.exe
  2⤵
  PID:7996
- C:\Windows\System32\bUaSudA.exe
  C:\Windows\System32\bUaSudA.exe
  2⤵
  PID:808
- C:\Windows\System32\UqgcLip.exe
  C:\Windows\System32\UqgcLip.exe
  2⤵
  PID:4272
- C:\Windows\System32\FPrvIIA.exe
  C:\Windows\System32\FPrvIIA.exe
  2⤵
  PID:8016
- C:\Windows\System32\fITZzDd.exe
  C:\Windows\System32\fITZzDd.exe
  2⤵
  PID:8128
- C:\Windows\System32\knHcnQe.exe
  C:\Windows\System32\knHcnQe.exe
  2⤵
  PID:8100
- C:\Windows\System32\zSmWayL.exe
  C:\Windows\System32\zSmWayL.exe
  2⤵
  PID:8188
- C:\Windows\System32\gmiMENO.exe
  C:\Windows\System32\gmiMENO.exe
  2⤵
  PID:6916
- C:\Windows\System32\czxZhuK.exe
  C:\Windows\System32\czxZhuK.exe
  2⤵
  PID:7240
- C:\Windows\System32\BHfzWGg.exe
  C:\Windows\System32\BHfzWGg.exe
  2⤵
  PID:7396
- C:\Windows\System32\OcBThak.exe
  C:\Windows\System32\OcBThak.exe
  2⤵
  PID:7456
- C:\Windows\System32\UrIGcdV.exe
  C:\Windows\System32\UrIGcdV.exe
  2⤵
  PID:3156
- C:\Windows\System32\iYWWvgi.exe
  C:\Windows\System32\iYWWvgi.exe
  2⤵
  PID:7296
- C:\Windows\System32\BjqFlkA.exe
  C:\Windows\System32\BjqFlkA.exe
  2⤵
  PID:1448
- C:\Windows\System32\gjovAfl.exe
  C:\Windows\System32\gjovAfl.exe
  2⤵
  PID:1712
- C:\Windows\System32\oauPIjN.exe
  C:\Windows\System32\oauPIjN.exe
  2⤵
  PID:7796
- C:\Windows\System32\MCaKtRn.exe
  C:\Windows\System32\MCaKtRn.exe
  2⤵
  PID:4520
- C:\Windows\System32\ObhLYjH.exe
  C:\Windows\System32\ObhLYjH.exe
  2⤵
  PID:7912
- C:\Windows\System32\WABTBiR.exe
  C:\Windows\System32\WABTBiR.exe
  2⤵
  PID:2300
- C:\Windows\System32\gSpSVMi.exe
  C:\Windows\System32\gSpSVMi.exe
  2⤵
  PID:1084
- C:\Windows\System32\BCxWszl.exe
  C:\Windows\System32\BCxWszl.exe
  2⤵
  PID:8044
- C:\Windows\System32\dDiWPSP.exe
  C:\Windows\System32\dDiWPSP.exe
  2⤵
  PID:8184
- C:\Windows\System32\CnRmjQd.exe
  C:\Windows\System32\CnRmjQd.exe
  2⤵
  PID:2752
- C:\Windows\System32\tCmrdgo.exe
  C:\Windows\System32\tCmrdgo.exe
  2⤵
  PID:7352
- C:\Windows\System32\vMBUKnc.exe
  C:\Windows\System32\vMBUKnc.exe
  2⤵
  PID:4268
- C:\Windows\System32\KZJzLJw.exe
  C:\Windows\System32\KZJzLJw.exe
  2⤵
  PID:4708
- C:\Windows\System32\cxHmNlz.exe
  C:\Windows\System32\cxHmNlz.exe
  2⤵
  PID:7980
- C:\Windows\System32\yxGDPUZ.exe
  C:\Windows\System32\yxGDPUZ.exe
  2⤵
  PID:856
- C:\Windows\System32\gMElKsU.exe
  C:\Windows\System32\gMElKsU.exe
  2⤵
  PID:6432
- C:\Windows\System32\kCxsmsF.exe
  C:\Windows\System32\kCxsmsF.exe
  2⤵
  PID:1940
- C:\Windows\System32\FGvhtwx.exe
  C:\Windows\System32\FGvhtwx.exe
  2⤵
  PID:3304
- C:\Windows\System32\TSOkjbR.exe
  C:\Windows\System32\TSOkjbR.exe
  2⤵
  PID:3984
- C:\Windows\System32\isLkTMi.exe
  C:\Windows\System32\isLkTMi.exe
  2⤵
  PID:8224
- C:\Windows\System32\PYXtMez.exe
  C:\Windows\System32\PYXtMez.exe
  2⤵
  PID:8248
- C:\Windows\System32\YVoCLpU.exe
  C:\Windows\System32\YVoCLpU.exe
  2⤵
  PID:8280
- C:\Windows\System32\HRpSKjF.exe
  C:\Windows\System32\HRpSKjF.exe
  2⤵
  PID:8312
- C:\Windows\System32\LogkGur.exe
  C:\Windows\System32\LogkGur.exe
  2⤵
  PID:8340
- C:\Windows\System32\rjKfoUG.exe
  C:\Windows\System32\rjKfoUG.exe
  2⤵
  PID:8360
- C:\Windows\System32\DKkboBW.exe
  C:\Windows\System32\DKkboBW.exe
  2⤵
  PID:8388
- C:\Windows\System32\RjHGIVx.exe
  C:\Windows\System32\RjHGIVx.exe
  2⤵
  PID:8412
- C:\Windows\System32\JGzUMGh.exe
  C:\Windows\System32\JGzUMGh.exe
  2⤵
  PID:8456
- C:\Windows\System32\XGPejZU.exe
  C:\Windows\System32\XGPejZU.exe
  2⤵
  PID:8484
- C:\Windows\System32\rgxDMnH.exe
  C:\Windows\System32\rgxDMnH.exe
  2⤵
  PID:8500
- C:\Windows\System32\xzGCdPT.exe
  C:\Windows\System32\xzGCdPT.exe
  2⤵
  PID:8528
- C:\Windows\System32\RWYGRBn.exe
  C:\Windows\System32\RWYGRBn.exe
  2⤵
  PID:8568
- C:\Windows\System32\xeXpsBu.exe
  C:\Windows\System32\xeXpsBu.exe
  2⤵
  PID:8592
- C:\Windows\System32\pPcqDOL.exe
  C:\Windows\System32\pPcqDOL.exe
  2⤵
  PID:8616
- C:\Windows\System32\YmhcFQJ.exe
  C:\Windows\System32\YmhcFQJ.exe
  2⤵
  PID:8652
- C:\Windows\System32\OuJPOJF.exe
  C:\Windows\System32\OuJPOJF.exe
  2⤵
  PID:8668
- C:\Windows\System32\pLoSRnS.exe
  C:\Windows\System32\pLoSRnS.exe
  2⤵
  PID:8704
- C:\Windows\System32\VPVckNb.exe
  C:\Windows\System32\VPVckNb.exe
  2⤵
  PID:8736
- C:\Windows\System32\MAhHCIn.exe
  C:\Windows\System32\MAhHCIn.exe
  2⤵
  PID:8752
- C:\Windows\System32\yMhPITn.exe
  C:\Windows\System32\yMhPITn.exe
  2⤵
  PID:8780
- C:\Windows\System32\PcOEinu.exe
  C:\Windows\System32\PcOEinu.exe
  2⤵
  PID:8820
- C:\Windows\System32\iLyMYPi.exe
  C:\Windows\System32\iLyMYPi.exe
  2⤵
  PID:8868
- C:\Windows\System32\dVnyUym.exe
  C:\Windows\System32\dVnyUym.exe
  2⤵
  PID:8892
- C:\Windows\System32\jphSxAN.exe
  C:\Windows\System32\jphSxAN.exe
  2⤵
  PID:8920
- C:\Windows\System32\jdrMvkp.exe
  C:\Windows\System32\jdrMvkp.exe
  2⤵
  PID:8940
- C:\Windows\System32\kyYqmkI.exe
  C:\Windows\System32\kyYqmkI.exe
  2⤵
  PID:8964
- C:\Windows\System32\RXVSJeC.exe
  C:\Windows\System32\RXVSJeC.exe
  2⤵
  PID:8992
- C:\Windows\System32\yFmCwXM.exe
  C:\Windows\System32\yFmCwXM.exe
  2⤵
  PID:9032
- C:\Windows\System32\ANswdtL.exe
  C:\Windows\System32\ANswdtL.exe
  2⤵
  PID:9060
- C:\Windows\System32\HesUuSq.exe
  C:\Windows\System32\HesUuSq.exe
  2⤵
  PID:9088
- C:\Windows\System32\yzmOAMR.exe
  C:\Windows\System32\yzmOAMR.exe
  2⤵
  PID:9116
- C:\Windows\System32\ggauwQm.exe
  C:\Windows\System32\ggauwQm.exe
  2⤵
  PID:9176
- C:\Windows\System32\TKXHPKH.exe
  C:\Windows\System32\TKXHPKH.exe
  2⤵
  PID:9200
- C:\Windows\System32\tTHNoFP.exe
  C:\Windows\System32\tTHNoFP.exe
  2⤵
  PID:3960
- C:\Windows\System32\Lpgzqsn.exe
  C:\Windows\System32\Lpgzqsn.exe
  2⤵
  PID:8296
- C:\Windows\System32\qxzTvlf.exe
  C:\Windows\System32\qxzTvlf.exe
  2⤵
  PID:8352
- C:\Windows\System32\iwARxsK.exe
  C:\Windows\System32\iwARxsK.exe
  2⤵
  PID:8472
- C:\Windows\System32\WlsRliI.exe
  C:\Windows\System32\WlsRliI.exe
  2⤵
  PID:8540
- C:\Windows\System32\lGRYkxX.exe
  C:\Windows\System32\lGRYkxX.exe
  2⤵
  PID:8600
- C:\Windows\System32\qGzCsJv.exe
  C:\Windows\System32\qGzCsJv.exe
  2⤵
  PID:8680
- C:\Windows\System32\eBrsQzf.exe
  C:\Windows\System32\eBrsQzf.exe
  2⤵
  PID:8728
- C:\Windows\System32\HudnMqN.exe
  C:\Windows\System32\HudnMqN.exe
  2⤵
  PID:8808
- C:\Windows\System32\lbvQpXb.exe
  C:\Windows\System32\lbvQpXb.exe
  2⤵
  PID:8856
- C:\Windows\System32\nOshwsn.exe
  C:\Windows\System32\nOshwsn.exe
  2⤵
  PID:8948
- C:\Windows\System32\rdSFKGC.exe
  C:\Windows\System32\rdSFKGC.exe
  2⤵
  PID:9012
- C:\Windows\System32\IeFhgGW.exe
  C:\Windows\System32\IeFhgGW.exe
  2⤵
  PID:9056
- C:\Windows\System32\BpMubuK.exe
  C:\Windows\System32\BpMubuK.exe
  2⤵
  PID:9168
- C:\Windows\System32\RvFgQxM.exe
  C:\Windows\System32\RvFgQxM.exe
  2⤵
  PID:9208
- C:\Windows\System32\SBJfRAV.exe
  C:\Windows\System32\SBJfRAV.exe
  2⤵
  PID:8264
- C:\Windows\System32\OjbBGmL.exe
  C:\Windows\System32\OjbBGmL.exe
  2⤵
  PID:8644
- C:\Windows\System32\hHFUaCI.exe
  C:\Windows\System32\hHFUaCI.exe
  2⤵
  PID:8764
- C:\Windows\System32\IVcEodC.exe
  C:\Windows\System32\IVcEodC.exe
  2⤵
  PID:8916
- C:\Windows\System32\akhpPuC.exe
  C:\Windows\System32\akhpPuC.exe
  2⤵
  PID:9136
- C:\Windows\System32\eogRApr.exe
  C:\Windows\System32\eogRApr.exe
  2⤵
  PID:8448
- C:\Windows\System32\fkNnuuZ.exe
  C:\Windows\System32\fkNnuuZ.exe
  2⤵
  PID:8684
- C:\Windows\System32\eofkrRb.exe
  C:\Windows\System32\eofkrRb.exe
  2⤵
  PID:9144
- C:\Windows\System32\lzvKdkK.exe
  C:\Windows\System32\lzvKdkK.exe
  2⤵
  PID:8888
- C:\Windows\System32\APthyFP.exe
  C:\Windows\System32\APthyFP.exe
  2⤵
  PID:9240
- C:\Windows\System32\sNEkxwv.exe
  C:\Windows\System32\sNEkxwv.exe
  2⤵
  PID:9268
- C:\Windows\System32\RMpBARS.exe
  C:\Windows\System32\RMpBARS.exe
  2⤵
  PID:9284
- C:\Windows\System32\UHylwkg.exe
  C:\Windows\System32\UHylwkg.exe
  2⤵
  PID:9312
- C:\Windows\System32\GejmGsD.exe
  C:\Windows\System32\GejmGsD.exe
  2⤵
  PID:9352
- C:\Windows\System32\ZFUasJY.exe
  C:\Windows\System32\ZFUasJY.exe
  2⤵
  PID:9384
- C:\Windows\System32\tvQGoJs.exe
  C:\Windows\System32\tvQGoJs.exe
  2⤵
  PID:9428
- C:\Windows\System32\YlEGEff.exe
  C:\Windows\System32\YlEGEff.exe
  2⤵
  PID:9452
- C:\Windows\System32\araWerb.exe
  C:\Windows\System32\araWerb.exe
  2⤵
  PID:9488
- C:\Windows\System32\xDQAolD.exe
  C:\Windows\System32\xDQAolD.exe
  2⤵
  PID:9548
- C:\Windows\System32\nHAcnqp.exe
  C:\Windows\System32\nHAcnqp.exe
  2⤵
  PID:9596
- C:\Windows\System32\VvNrdFS.exe
  C:\Windows\System32\VvNrdFS.exe
  2⤵
  PID:9616
- C:\Windows\System32\jXeoBtE.exe
  C:\Windows\System32\jXeoBtE.exe
  2⤵
  PID:9660
- C:\Windows\System32\BOPpAKw.exe
  C:\Windows\System32\BOPpAKw.exe
  2⤵
  PID:9696
- C:\Windows\System32\yVvmQOa.exe
  C:\Windows\System32\yVvmQOa.exe
  2⤵
  PID:9724
- C:\Windows\System32\gFplizv.exe
  C:\Windows\System32\gFplizv.exe
  2⤵
  PID:9760
- C:\Windows\System32\QdbzjIG.exe
  C:\Windows\System32\QdbzjIG.exe
  2⤵
  PID:9784
- C:\Windows\System32\teNflEu.exe
  C:\Windows\System32\teNflEu.exe
  2⤵
  PID:9824
- C:\Windows\System32\NPLYmWe.exe
  C:\Windows\System32\NPLYmWe.exe
  2⤵
  PID:9844
- C:\Windows\System32\AxXjfVV.exe
  C:\Windows\System32\AxXjfVV.exe
  2⤵
  PID:9872
- C:\Windows\System32\hnjVcUE.exe
  C:\Windows\System32\hnjVcUE.exe
  2⤵
  PID:9892
- C:\Windows\System32\RLyGqxD.exe
  C:\Windows\System32\RLyGqxD.exe
  2⤵
  PID:9936
- C:\Windows\System32\hGdhvBj.exe
  C:\Windows\System32\hGdhvBj.exe
  2⤵
  PID:9988
- C:\Windows\System32\KfkyBee.exe
  C:\Windows\System32\KfkyBee.exe
  2⤵
  PID:10016
- C:\Windows\System32\STmozbl.exe
  C:\Windows\System32\STmozbl.exe
  2⤵
  PID:10044
- C:\Windows\System32\RpbyLLc.exe
  C:\Windows\System32\RpbyLLc.exe
  2⤵
  PID:10072
- C:\Windows\System32\GtLPRvp.exe
  C:\Windows\System32\GtLPRvp.exe
  2⤵
  PID:10088
- C:\Windows\System32\fAOomXs.exe
  C:\Windows\System32\fAOomXs.exe
  2⤵
  PID:10116
- C:\Windows\System32\QXeKsTa.exe
  C:\Windows\System32\QXeKsTa.exe
  2⤵
  PID:10144
- C:\Windows\System32\eDLnVpx.exe
  C:\Windows\System32\eDLnVpx.exe
  2⤵
  PID:10180
- C:\Windows\System32\mhWTjQu.exe
  C:\Windows\System32\mhWTjQu.exe
  2⤵
  PID:10216
- C:\Windows\System32\KjowKgq.exe
  C:\Windows\System32\KjowKgq.exe
  2⤵
  PID:9220
- C:\Windows\System32\LAvlrsS.exe
  C:\Windows\System32\LAvlrsS.exe
  2⤵
  PID:9280
- C:\Windows\System32\oWXJtmJ.exe
  C:\Windows\System32\oWXJtmJ.exe
  2⤵
  PID:9364
- C:\Windows\System32\SoBeeJU.exe
  C:\Windows\System32\SoBeeJU.exe
  2⤵
  PID:9444
- C:\Windows\System32\AJcDJYS.exe
  C:\Windows\System32\AJcDJYS.exe
  2⤵
  PID:9528
- C:\Windows\System32\oCDvIoQ.exe
  C:\Windows\System32\oCDvIoQ.exe
  2⤵
  PID:9656
- C:\Windows\System32\prsebko.exe
  C:\Windows\System32\prsebko.exe
  2⤵
  PID:9708
- C:\Windows\System32\tufcbYy.exe
  C:\Windows\System32\tufcbYy.exe
  2⤵
  PID:8408
- C:\Windows\System32\GBZHGnD.exe
  C:\Windows\System32\GBZHGnD.exe
  2⤵
  PID:9804
- C:\Windows\System32\LiNnhWe.exe
  C:\Windows\System32\LiNnhWe.exe
  2⤵
  PID:9836
- C:\Windows\System32\RwOFxvc.exe
  C:\Windows\System32\RwOFxvc.exe
  2⤵
  PID:9912
- C:\Windows\System32\ryDhyDB.exe
  C:\Windows\System32\ryDhyDB.exe
  2⤵
  PID:10012
- C:\Windows\System32\PjQNySg.exe
  C:\Windows\System32\PjQNySg.exe
  2⤵
  PID:10084
- C:\Windows\System32\IdaNFeT.exe
  C:\Windows\System32\IdaNFeT.exe
  2⤵
  PID:10156
- C:\Windows\System32\FlfTcDs.exe
  C:\Windows\System32\FlfTcDs.exe
  2⤵
  PID:10188
- C:\Windows\System32\zFCttSA.exe
  C:\Windows\System32\zFCttSA.exe
  2⤵
  PID:9252
- C:\Windows\System32\aErsJrB.exe
  C:\Windows\System32\aErsJrB.exe
  2⤵
  PID:9416
- C:\Windows\System32\DXfXqHD.exe
  C:\Windows\System32\DXfXqHD.exe
  2⤵
  PID:9652
- C:\Windows\System32\vIlwAnA.exe
  C:\Windows\System32\vIlwAnA.exe
  2⤵
  PID:8512
- C:\Windows\System32\iqAIlps.exe
  C:\Windows\System32\iqAIlps.exe
  2⤵
  PID:9976
- C:\Windows\System32\rexAnIF.exe
  C:\Windows\System32\rexAnIF.exe
  2⤵
  PID:10224
- C:\Windows\System32\AmaZGxf.exe
  C:\Windows\System32\AmaZGxf.exe
  2⤵
  PID:9752
- C:\Windows\System32\zDUGeuM.exe
  C:\Windows\System32\zDUGeuM.exe
  2⤵
  PID:9880
- C:\Windows\System32\GdFlAsn.exe
  C:\Windows\System32\GdFlAsn.exe
  2⤵
  PID:9636
- C:\Windows\System32\RRGKsXN.exe
  C:\Windows\System32\RRGKsXN.exe
  2⤵
  PID:10276
- C:\Windows\System32\YsEeXsh.exe
  C:\Windows\System32\YsEeXsh.exe
  2⤵
  PID:10324
- C:\Windows\System32\qpdMZLU.exe
  C:\Windows\System32\qpdMZLU.exe
  2⤵
  PID:10372
- C:\Windows\System32\MUeOLDQ.exe
  C:\Windows\System32\MUeOLDQ.exe
  2⤵
  PID:10420
- C:\Windows\System32\tcjNbPu.exe
  C:\Windows\System32\tcjNbPu.exe
  2⤵
  PID:10436
- C:\Windows\System32\PmraitI.exe
  C:\Windows\System32\PmraitI.exe
  2⤵
  PID:10464
- C:\Windows\System32\naOcuNK.exe
  C:\Windows\System32\naOcuNK.exe
  2⤵
  PID:10500
- C:\Windows\System32\cVKPtDc.exe
  C:\Windows\System32\cVKPtDc.exe
  2⤵
  PID:10544
- C:\Windows\System32\hZlvpuD.exe
  C:\Windows\System32\hZlvpuD.exe
  2⤵
  PID:10572
- C:\Windows\System32\qVxQDRn.exe
  C:\Windows\System32\qVxQDRn.exe
  2⤵
  PID:10600
- C:\Windows\System32\xLKyMvn.exe
  C:\Windows\System32\xLKyMvn.exe
  2⤵
  PID:10652
- C:\Windows\System32\cQddmgE.exe
  C:\Windows\System32\cQddmgE.exe
  2⤵
  PID:10684
- C:\Windows\System32\FQOqnts.exe
  C:\Windows\System32\FQOqnts.exe
  2⤵
  PID:10716
- C:\Windows\System32\vnBuVmM.exe
  C:\Windows\System32\vnBuVmM.exe
  2⤵
  PID:10752
- C:\Windows\System32\wbxwdXP.exe
  C:\Windows\System32\wbxwdXP.exe
  2⤵
  PID:10768
- C:\Windows\System32\vAYIitV.exe
  C:\Windows\System32\vAYIitV.exe
  2⤵
  PID:10792
- C:\Windows\System32\ReeJtPF.exe
  C:\Windows\System32\ReeJtPF.exe
  2⤵
  PID:10848
- C:\Windows\System32\BhnpVTy.exe
  C:\Windows\System32\BhnpVTy.exe
  2⤵
  PID:10880
- C:\Windows\System32\PndvUdE.exe
  C:\Windows\System32\PndvUdE.exe
  2⤵
  PID:10896
- C:\Windows\System32\xODBUrU.exe
  C:\Windows\System32\xODBUrU.exe
  2⤵
  PID:10924
- C:\Windows\System32\kWewCft.exe
  C:\Windows\System32\kWewCft.exe
  2⤵
  PID:10952
- C:\Windows\System32\oZhsoYB.exe
  C:\Windows\System32\oZhsoYB.exe
  2⤵
  PID:10992
- C:\Windows\System32\DZSdrIr.exe
  C:\Windows\System32\DZSdrIr.exe
  2⤵
  PID:11020
- C:\Windows\System32\TtEKqdF.exe
  C:\Windows\System32\TtEKqdF.exe
  2⤵
  PID:11048
- C:\Windows\System32\IBspXxs.exe
  C:\Windows\System32\IBspXxs.exe
  2⤵
  PID:11088
- C:\Windows\System32\WeyjpWn.exe
  C:\Windows\System32\WeyjpWn.exe
  2⤵
  PID:11112
- C:\Windows\System32\HpQGOUQ.exe
  C:\Windows\System32\HpQGOUQ.exe
  2⤵
  PID:11144
- C:\Windows\System32\WLsDboq.exe
  C:\Windows\System32\WLsDboq.exe
  2⤵
  PID:11176
- C:\Windows\System32\lQtwhCM.exe
  C:\Windows\System32\lQtwhCM.exe
  2⤵
  PID:11196
- C:\Windows\System32\QveOasA.exe
  C:\Windows\System32\QveOasA.exe
  2⤵
  PID:11240
- C:\Windows\System32\oKWYXYa.exe
  C:\Windows\System32\oKWYXYa.exe
  2⤵
  PID:9736
- C:\Windows\System32\jupIOAk.exe
  C:\Windows\System32\jupIOAk.exe
  2⤵
  PID:10392
- C:\Windows\System32\jZVbDNj.exe
  C:\Windows\System32\jZVbDNj.exe
  2⤵
  PID:10448
- C:\Windows\System32\pOiLmfv.exe
  C:\Windows\System32\pOiLmfv.exe
  2⤵
  PID:10556
- C:\Windows\System32\WsCrbxc.exe
  C:\Windows\System32\WsCrbxc.exe
  2⤵
  PID:10632
- C:\Windows\System32\DFszhNP.exe
  C:\Windows\System32\DFszhNP.exe
  2⤵
  PID:10736
- C:\Windows\System32\gEVMCNN.exe
  C:\Windows\System32\gEVMCNN.exe
  2⤵
  PID:10816
- C:\Windows\System32\DDxmZPI.exe
  C:\Windows\System32\DDxmZPI.exe
  2⤵
  PID:10872
- C:\Windows\System32\RdeLpcJ.exe
  C:\Windows\System32\RdeLpcJ.exe
  2⤵
  PID:10892
- C:\Windows\System32\gDTXJzT.exe
  C:\Windows\System32\gDTXJzT.exe
  2⤵
  PID:10972
- C:\Windows\System32\pWIuSMS.exe
  C:\Windows\System32\pWIuSMS.exe
  2⤵
  PID:11032
- C:\Windows\System32\TmYocVA.exe
  C:\Windows\System32\TmYocVA.exe
  2⤵
  PID:11096
- C:\Windows\System32\zehrjtn.exe
  C:\Windows\System32\zehrjtn.exe
  2⤵
  PID:11188
- C:\Windows\System32\kHCecoA.exe
  C:\Windows\System32\kHCecoA.exe
  2⤵
  PID:10212
- C:\Windows\System32\mPPSirb.exe
  C:\Windows\System32\mPPSirb.exe
  2⤵
  PID:10480
- C:\Windows\System32\RcmDbsd.exe
  C:\Windows\System32\RcmDbsd.exe
  2⤵
  PID:10664
- C:\Windows\System32\mHIeedM.exe
  C:\Windows\System32\mHIeedM.exe
  2⤵
  PID:10832
- C:\Windows\System32\ppAElgQ.exe
  C:\Windows\System32\ppAElgQ.exe
  2⤵
  PID:11008
- C:\Windows\System32\FxvBWyH.exe
  C:\Windows\System32\FxvBWyH.exe
  2⤵
  PID:11076
- C:\Windows\System32\MFqtCMu.exe
  C:\Windows\System32\MFqtCMu.exe
  2⤵
  PID:10356
- C:\Windows\System32\bAVGKZd.exe
  C:\Windows\System32\bAVGKZd.exe
  2⤵
  PID:10732
- C:\Windows\System32\aqsTcGc.exe
  C:\Windows\System32\aqsTcGc.exe
  2⤵
  PID:11224
- C:\Windows\System32\RCnGShe.exe
  C:\Windows\System32\RCnGShe.exe
  2⤵
  PID:10964
- C:\Windows\System32\KVNAiUV.exe
  C:\Windows\System32\KVNAiUV.exe
  2⤵
  PID:11300
- C:\Windows\System32\dDHDbiu.exe
  C:\Windows\System32\dDHDbiu.exe
  2⤵
  PID:11316
- C:\Windows\System32\waeSnbv.exe
  C:\Windows\System32\waeSnbv.exe
  2⤵
  PID:11344
- C:\Windows\System32\GxYRiaO.exe
  C:\Windows\System32\GxYRiaO.exe
  2⤵
  PID:11372
- C:\Windows\System32\gTcrHtB.exe
  C:\Windows\System32\gTcrHtB.exe
  2⤵
  PID:11400
- C:\Windows\System32\raxGQHv.exe
  C:\Windows\System32\raxGQHv.exe
  2⤵
  PID:11432
- C:\Windows\System32\eSTnZvX.exe
  C:\Windows\System32\eSTnZvX.exe
  2⤵
  PID:11460
- C:\Windows\System32\pfDjToQ.exe
  C:\Windows\System32\pfDjToQ.exe
  2⤵
  PID:11488
- C:\Windows\System32\vnAXNgu.exe
  C:\Windows\System32\vnAXNgu.exe
  2⤵
  PID:11516
- C:\Windows\System32\eUPqAvb.exe
  C:\Windows\System32\eUPqAvb.exe
  2⤵
  PID:11548
- C:\Windows\System32\KcBABHp.exe
  C:\Windows\System32\KcBABHp.exe
  2⤵
  PID:11576
- C:\Windows\System32\klfSZdU.exe
  C:\Windows\System32\klfSZdU.exe
  2⤵
  PID:11604
- C:\Windows\System32\wVboXys.exe
  C:\Windows\System32\wVboXys.exe
  2⤵
  PID:11632
- C:\Windows\System32\mkGilbT.exe
  C:\Windows\System32\mkGilbT.exe
  2⤵
  PID:11660
- C:\Windows\System32\eCLJdru.exe
  C:\Windows\System32\eCLJdru.exe
  2⤵
  PID:11688
- C:\Windows\System32\FoHgmxa.exe
  C:\Windows\System32\FoHgmxa.exe
  2⤵
  PID:11716
- C:\Windows\System32\nlwWSNk.exe
  C:\Windows\System32\nlwWSNk.exe
  2⤵
  PID:11744
- C:\Windows\System32\kbqNeRt.exe
  C:\Windows\System32\kbqNeRt.exe
  2⤵
  PID:11772
- C:\Windows\System32\WLuTkjf.exe
  C:\Windows\System32\WLuTkjf.exe
  2⤵
  PID:11800
- C:\Windows\System32\MlJeGfi.exe
  C:\Windows\System32\MlJeGfi.exe
  2⤵
  PID:11828
- C:\Windows\System32\KSIfYPL.exe
  C:\Windows\System32\KSIfYPL.exe
  2⤵
  PID:11868
- C:\Windows\System32\FKAbwOq.exe
  C:\Windows\System32\FKAbwOq.exe
  2⤵
  PID:11896
- C:\Windows\System32\UCHFvXm.exe
  C:\Windows\System32\UCHFvXm.exe
  2⤵
  PID:11924
- C:\Windows\System32\IEAINLt.exe
  C:\Windows\System32\IEAINLt.exe
  2⤵
  PID:11956
- C:\Windows\System32\HefwiQM.exe
  C:\Windows\System32\HefwiQM.exe
  2⤵
  PID:11988
- C:\Windows\System32\lEMmpbL.exe
  C:\Windows\System32\lEMmpbL.exe
  2⤵
  PID:12016
- C:\Windows\System32\hNuLWFF.exe
  C:\Windows\System32\hNuLWFF.exe
  2⤵
  PID:12044
- C:\Windows\System32\VBAaAex.exe
  C:\Windows\System32\VBAaAex.exe
  2⤵
  PID:12072
- C:\Windows\System32\uRLxffa.exe
  C:\Windows\System32\uRLxffa.exe
  2⤵
  PID:12108
- C:\Windows\System32\cTqlulX.exe
  C:\Windows\System32\cTqlulX.exe
  2⤵
  PID:12136
- C:\Windows\System32\pXoVQtX.exe
  C:\Windows\System32\pXoVQtX.exe
  2⤵
  PID:12164
- C:\Windows\System32\NYKUeDu.exe
  C:\Windows\System32\NYKUeDu.exe
  2⤵
  PID:12192
- C:\Windows\System32\kJIZYKY.exe
  C:\Windows\System32\kJIZYKY.exe
  2⤵
  PID:12220
- C:\Windows\System32\XmbpawM.exe
  C:\Windows\System32\XmbpawM.exe
  2⤵
  PID:12256
- C:\Windows\System32\cvqkJgI.exe
  C:\Windows\System32\cvqkJgI.exe
  2⤵
  PID:10596
- C:\Windows\System32\AyvwmuM.exe
  C:\Windows\System32\AyvwmuM.exe
  2⤵
  PID:11328
- C:\Windows\System32\SmNjGxT.exe
  C:\Windows\System32\SmNjGxT.exe
  2⤵
  PID:11392
- C:\Windows\System32\WuEXlTd.exe
  C:\Windows\System32\WuEXlTd.exe
  2⤵
  PID:11456
- C:\Windows\System32\VaAGnrH.exe
  C:\Windows\System32\VaAGnrH.exe
  2⤵
  PID:11532
- C:\Windows\System32\riuFMNf.exe
  C:\Windows\System32\riuFMNf.exe
  2⤵
  PID:11596
- C:\Windows\System32\opqRqQm.exe
  C:\Windows\System32\opqRqQm.exe
  2⤵
  PID:11192
- C:\Windows\System32\hpMSTsl.exe
  C:\Windows\System32\hpMSTsl.exe
  2⤵
  PID:11708
- C:\Windows\System32\lYRaeyH.exe
  C:\Windows\System32\lYRaeyH.exe
  2⤵
  PID:11768
- C:\Windows\System32\TIrHinU.exe
  C:\Windows\System32\TIrHinU.exe
  2⤵
  PID:11848
- C:\Windows\System32\NJRXMkX.exe
  C:\Windows\System32\NJRXMkX.exe
  2⤵
  PID:11936
- C:\Windows\System32\OwxOIXC.exe
  C:\Windows\System32\OwxOIXC.exe
  2⤵
  PID:12008
- C:\Windows\System32\iJsLGvx.exe
  C:\Windows\System32\iJsLGvx.exe
  2⤵
  PID:12068
- C:\Windows\System32\LzbDRUk.exe
  C:\Windows\System32\LzbDRUk.exe
  2⤵
  PID:12148
- C:\Windows\System32\UhSIwaR.exe
  C:\Windows\System32\UhSIwaR.exe
  2⤵
  PID:12216
- C:\Windows\System32\BRfgRdR.exe
  C:\Windows\System32\BRfgRdR.exe
  2⤵
  PID:12284
- C:\Windows\System32\WdFsGhu.exe
  C:\Windows\System32\WdFsGhu.exe
  2⤵
  PID:11428
- C:\Windows\System32\wyeCYDQ.exe
  C:\Windows\System32\wyeCYDQ.exe
  2⤵
  PID:11572
- C:\Windows\System32\qyAHNLz.exe
  C:\Windows\System32\qyAHNLz.exe
  2⤵
  PID:11700
- C:\Windows\System32\hfouTvn.exe
  C:\Windows\System32\hfouTvn.exe
  2⤵
  PID:11880
- C:\Windows\System32\nlaeRQx.exe
  C:\Windows\System32\nlaeRQx.exe
  2⤵
  PID:12056
- C:\Windows\System32\SRRGOcb.exe
  C:\Windows\System32\SRRGOcb.exe
  2⤵
  PID:12204
- C:\Windows\System32\pDyaJnw.exe
  C:\Windows\System32\pDyaJnw.exe
  2⤵
  PID:11508
- C:\Windows\System32\MRzWAvI.exe
  C:\Windows\System32\MRzWAvI.exe
  2⤵
  PID:11824
- C:\Windows\System32\NlOjYPl.exe
  C:\Windows\System32\NlOjYPl.exe
  2⤵
  PID:11356
- C:\Windows\System32\TmeiMdZ.exe
  C:\Windows\System32\TmeiMdZ.exe
  2⤵
  PID:12036
- C:\Windows\System32\JMRuWTW.exe
  C:\Windows\System32\JMRuWTW.exe
  2⤵
  PID:2364
- C:\Windows\System32\gNIlgSs.exe
  C:\Windows\System32\gNIlgSs.exe
  2⤵
  PID:11820
- C:\Windows\System32\iVpunbQ.exe
  C:\Windows\System32\iVpunbQ.exe
  2⤵
  PID:12296
- C:\Windows\System32\EYELaBo.exe
  C:\Windows\System32\EYELaBo.exe
  2⤵
  PID:12312
- C:\Windows\System32\QnRAuSi.exe
  C:\Windows\System32\QnRAuSi.exe
  2⤵
  PID:12344
- C:\Windows\System32\IEGTOaM.exe
  C:\Windows\System32\IEGTOaM.exe
  2⤵
  PID:12372
- C:\Windows\System32\oYudDPw.exe
  C:\Windows\System32\oYudDPw.exe
  2⤵
  PID:12400
- C:\Windows\System32\qPKtKxF.exe
  C:\Windows\System32\qPKtKxF.exe
  2⤵
  PID:12436
- C:\Windows\System32\zqcXVtl.exe
  C:\Windows\System32\zqcXVtl.exe
  2⤵
  PID:12492
- C:\Windows\System32\EGpWSml.exe
  C:\Windows\System32\EGpWSml.exe
  2⤵
  PID:12524
- C:\Windows\System32\zcIuJHW.exe
  C:\Windows\System32\zcIuJHW.exe
  2⤵
  PID:12552
- C:\Windows\System32\QeTbTZU.exe
  C:\Windows\System32\QeTbTZU.exe
  2⤵
  PID:12580
- C:\Windows\System32\mCGEyRc.exe
  C:\Windows\System32\mCGEyRc.exe
  2⤵
  PID:12608
- C:\Windows\System32\YlAGXSr.exe
  C:\Windows\System32\YlAGXSr.exe
  2⤵
  PID:12636
- C:\Windows\System32\moygxda.exe
  C:\Windows\System32\moygxda.exe
  2⤵
  PID:12664
- C:\Windows\System32\qTZVTzS.exe
  C:\Windows\System32\qTZVTzS.exe
  2⤵
  PID:12696
- C:\Windows\System32\ZRhKHdb.exe
  C:\Windows\System32\ZRhKHdb.exe
  2⤵
  PID:12724
- C:\Windows\System32\qQDWjSJ.exe
  C:\Windows\System32\qQDWjSJ.exe
  2⤵
  PID:12752
- C:\Windows\System32\SnWXvQh.exe
  C:\Windows\System32\SnWXvQh.exe
  2⤵
  PID:12780
- C:\Windows\System32\byKAucz.exe
  C:\Windows\System32\byKAucz.exe
  2⤵
  PID:12808
- C:\Windows\System32\Pmcvwvz.exe
  C:\Windows\System32\Pmcvwvz.exe
  2⤵
  PID:12836
- C:\Windows\System32\bXsGKzj.exe
  C:\Windows\System32\bXsGKzj.exe
  2⤵
  PID:12864
- C:\Windows\System32\HiGGKvC.exe
  C:\Windows\System32\HiGGKvC.exe
  2⤵
  PID:12892
- C:\Windows\System32\eOEvkLA.exe
  C:\Windows\System32\eOEvkLA.exe
  2⤵
  PID:12920
- C:\Windows\System32\PClyANl.exe
  C:\Windows\System32\PClyANl.exe
  2⤵
  PID:12952
- C:\Windows\System32\OZERXXQ.exe
  C:\Windows\System32\OZERXXQ.exe
  2⤵
  PID:12980
- C:\Windows\System32\eDkxMsB.exe
  C:\Windows\System32\eDkxMsB.exe
  2⤵
  PID:13008
- C:\Windows\System32\cIplrai.exe
  C:\Windows\System32\cIplrai.exe
  2⤵
  PID:13024
- C:\Windows\System32\rttLwRD.exe
  C:\Windows\System32\rttLwRD.exe
  2⤵
  PID:13052
- C:\Windows\System32\oMLYpTv.exe
  C:\Windows\System32\oMLYpTv.exe
  2⤵
  PID:13092
- C:\Windows\System32\zgAckXj.exe
  C:\Windows\System32\zgAckXj.exe
  2⤵
  PID:13120
- C:\Windows\System32\iRfpxcJ.exe
  C:\Windows\System32\iRfpxcJ.exe
  2⤵
  PID:13148
- C:\Windows\System32\dRmBZZX.exe
  C:\Windows\System32\dRmBZZX.exe
  2⤵
  PID:13176
- C:\Windows\System32\dNLBVUi.exe
  C:\Windows\System32\dNLBVUi.exe
  2⤵
  PID:13204
- C:\Windows\System32\pEftswD.exe
  C:\Windows\System32\pEftswD.exe
  2⤵
  PID:13232
- C:\Windows\System32\ftJJOff.exe
  C:\Windows\System32\ftJJOff.exe
  2⤵
  PID:13260
- C:\Windows\System32\QFAJeTS.exe
  C:\Windows\System32\QFAJeTS.exe
  2⤵
  PID:13288
- C:\Windows\System32\ETExpMp.exe
  C:\Windows\System32\ETExpMp.exe
  2⤵
  PID:2896
- C:\Windows\System32\NJMohtU.exe
  C:\Windows\System32\NJMohtU.exe
  2⤵
  PID:12356
- C:\Windows\System32\rczFGGK.exe
  C:\Windows\System32\rczFGGK.exe
  2⤵
  PID:12428
- C:\Windows\System32\vwWfXVN.exe
  C:\Windows\System32\vwWfXVN.exe
  2⤵
  PID:12508
- C:\Windows\System32\AksXyWg.exe
  C:\Windows\System32\AksXyWg.exe
  2⤵
  PID:12604
- C:\Windows\System32\RMbuTbI.exe
  C:\Windows\System32\RMbuTbI.exe
  2⤵
  PID:12652
- C:\Windows\System32\rPWPVwE.exe
  C:\Windows\System32\rPWPVwE.exe
  2⤵
  PID:12716
- C:\Windows\System32\zQnLgHr.exe
  C:\Windows\System32\zQnLgHr.exe
  2⤵
  PID:12776
- C:\Windows\System32\jvggLNd.exe
  C:\Windows\System32\jvggLNd.exe
  2⤵
  PID:12848
- C:\Windows\System32\reTKIPJ.exe
  C:\Windows\System32\reTKIPJ.exe
  2⤵
  PID:12912
- C:\Windows\System32\EYBtHgT.exe
  C:\Windows\System32\EYBtHgT.exe
  2⤵
  PID:12976
- C:\Windows\System32\buKPCmu.exe
  C:\Windows\System32\buKPCmu.exe
  2⤵
  PID:13044
- C:\Windows\System32\eRVAKrv.exe
  C:\Windows\System32\eRVAKrv.exe
  2⤵
  PID:13112
- C:\Windows\System32\KvrcmWc.exe
  C:\Windows\System32\KvrcmWc.exe
  2⤵
  PID:13172
- C:\Windows\System32\gdLzMHP.exe
  C:\Windows\System32\gdLzMHP.exe
  2⤵
  PID:13248
- C:\Windows\System32\KgTBZcF.exe
  C:\Windows\System32\KgTBZcF.exe
  2⤵
  PID:13308
- C:\Windows\System32\Oljxtzy.exe
  C:\Windows\System32\Oljxtzy.exe
  2⤵
  PID:12396
- C:\Windows\System32\blMYkaj.exe
  C:\Windows\System32\blMYkaj.exe
  2⤵
  PID:12544
- C:\Windows\System32\GscFLQp.exe
  C:\Windows\System32\GscFLQp.exe
  2⤵
  PID:12764
- C:\Windows\System32\SejmlWf.exe
  C:\Windows\System32\SejmlWf.exe
  2⤵
  PID:12908

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\CZPqcbI.exe

Filesize
2.9MB

MD5
9b400eed8492f508dd3970909f3570ae

SHA1
94f146fea8ae2d9710775df32e4be7e574e5e07a

SHA256
61ed84a14b24e846bdddac03d422b5dab02f1f045ff4d4a86b70b4f821b23bc0

SHA512
514f90a3639cc4ab3f972cd0af930266f3f0378fbe56336caf25d2c35162c4902685a19a5c14e0396e5c37901f42649c718261c795e292a035f3cd0eede16e23

Download Submit
C:\Windows\System32\CjgAckB.exe

Filesize
2.9MB

MD5
42e6da3ddf7f49b68a7dc73dde5ed9aa

SHA1
06595391c2531c57ae63455ec9911837eea47553

SHA256
97e267aba2e8319489222e6a1ba61db92d976937bf29878f11bcf40cb6d2c321

SHA512
d1d99d359f04f0eb0394b791fd9e21505ee0910826bc665b0977d939ec4c06e767cb089d5702cd4827902a77961a8eb4c4683398ab2e9e36b16fa6351c832e2a

Download Submit
C:\Windows\System32\DFBUKNa.exe

Filesize
2.9MB

MD5
c8a2a4c5e1bec96632b23fc4acb04b1e

SHA1
de4e46e8589f9b22d9ebb491869f9f9df814c05d

SHA256
59e14dc81bf20d3fc9d34f312ada55dcf2e2cd3ef370235bc775737e6716cc64

SHA512
d8d2b2ba5bde1760ecc7deffbd390b69f9e0f0e52a6be7b619266c090b0ad44499c5bad1b49522f310723a57d355a10ff5ae1cfc2bff4253b842de279b502f17

Download Submit
C:\Windows\System32\DFpsqiU.exe

Filesize
2.9MB

MD5
d106a10c1ccbb6b93f1b946cea6b18f5

SHA1
1cdc01287d7c0a00723586cbe2dfa5de044c1d05

SHA256
2892d785ebe5fc328a9d074fcdb3c6c64a6001fc8e6b060316d9d56f8bdf2166

SHA512
038dfabe05f56d5becab23507a8944fa7b78d639e8e6e06ab99fa9fa7c1f6c00d3384dcfe1055894ea4468fcde40730f584884e4373bf21ed3efe7df7fe01854

Download Submit
C:\Windows\System32\FKcXmuu.exe

Filesize
2.9MB

MD5
b257973dbcd1845eaf9e7a7389c7a893

SHA1
c14917fb87e792c7732e917f03b24ce9dd05d76f

SHA256
ca3ff922834220329dbfec5f967009f52a1b50c7f09070776074807db527adff

SHA512
6aae8d6b4f26a7c9840a1672ae9121e9e3369a6255506051ee533d018cc31743cc1bf196709aeb9fbaac35b8deef9f2ea0bad63b948b2c456d9aeaaa3dc51c99

Download Submit
C:\Windows\System32\FSlVSuu.exe

Filesize
2.9MB

MD5
85a29c5c8d124520e7811c35fb07aa3b

SHA1
5139d5c3d3cfa83cee319f523b71d3d61d169009

SHA256
b00418dd1b3042af9074095d24e1f60f1ade0174d94e57161824d59ac8b72d1c

SHA512
551d842a5e0fb797d4cd4a2f40287ce4565323769478a871283dfaef43f17c219a4d5e7eab70db4fc41f1db3e60e5dd9b6b7e3d283d9174196933292f69637b2

Download Submit
C:\Windows\System32\HRyQAmW.exe

Filesize
2.9MB

MD5
9cdb9f5dc2cd327986dab98f2ab9bcb8

SHA1
377b61fbe7c60ac59e03b7535e8e1e042470ffc0

SHA256
b8958a116d47bbe25c3e3c9c1f38446c06679986c9a25a1965666dee0f062177

SHA512
077e8ce61568b09d344e53030ee9a874bb5df3e334542553a7a275078c9aaac3ec5a0f5f881d644456b4bfeff3044634f10c8aea6ca200836dea2655997dfa7b

Download Submit
C:\Windows\System32\JKGypGm.exe

Filesize
2.9MB

MD5
45ec348db99953dc67d66f7722ae380b

SHA1
cf9dd5d898ce7d49d4c5070b21bf9ab2c56933b2

SHA256
a76f63b4a5160ba05bc31c34bb9a96b595684a8100d87c796ba6daa69d6b8db6

SHA512
38ff62373d4c4f4b5df99610b5dbc99b81652b7013db8500208b359608964fe74caa2f1c02a5b1c460055caffb99a523d0483bafc407547c197bc34d7a3ad604

Download Submit
C:\Windows\System32\LLGCVxm.exe

Filesize
2.9MB

MD5
ea585dfe6b44d286401993b9f2e858a2

SHA1
2fd1eb82a90e56c47dcd4004487e592d45fc1651

SHA256
ba27045590aa2524c334a8965890c293b919d9e115112049fd94d80ca456d56b

SHA512
1f024240ca4726c2e786ed83f978bf5ac07618e3e4a2f417f4c9f4e1433cc2a596331ededdf91e42595a54d4ef96493af348715a355a1cff211bbe2986890ae2

Download Submit
C:\Windows\System32\NKcukXW.exe

Filesize
2.9MB

MD5
35b66bdbda5b181d3016ef880a90ce45

SHA1
2735b73bba84c36a5b6109adfe4c7015cf8bb746

SHA256
82772a953acfe28cb44c6d98fecdc1cf7be26ccc1a96b35329b80113460f5a53

SHA512
9717a6cd62077e6210354a7658481797341476bd3463745d2be79c37e0b62c5392803bd84f4233fd61c8d82eea68de0ae64b7a7339c29aa421c9bc4b4910a23a

Download Submit
C:\Windows\System32\OxmIUiP.exe

Filesize
2.9MB

MD5
d809496bcabd06e8596b50b5073ec868

SHA1
01b96bfc1784fee23f58d01b3aa831b1021c0fca

SHA256
01b6d3e4509db5fa5a7a7c93798f0918c8e3e03b8c80b4edc009a14da2a94212

SHA512
fdddcd1d01006b0ce54953911c032effd5bd07783186433f7f481dafa83b747a826a0427d63d71b44f538df580d868bc8f5486f9a74e87e389b4e44a03693575

Download Submit
C:\Windows\System32\VgGAguj.exe

Filesize
2.9MB

MD5
f521d5b5bdf2136e25de4fbc8ed81221

SHA1
3e9613bceab468d064fcfd0b249806b9ac46fa41

SHA256
48e5eb5b3f3715b6cfbd54a1204eaea9a2f61f47960d27fce2fb18f6256edfaa

SHA512
ab3598216cec5b0d3af4f3c142198b464a964e0d563076b4c6bc2e80166a69bcdac477ac7fc8f3ba5d9172a847816705fce850231dab131839a9c357bbfd499c

Download Submit
C:\Windows\System32\WWudEGx.exe

Filesize
2.9MB

MD5
0beef8ef9d13f4209525d841199a9555

SHA1
4769b463de68ec446aa42e768c8f6b707d3d2c70

SHA256
508cc12c18d1fb87cc2bdcce617bae09f922717355780f50b861b0e634f4c61c

SHA512
0b7b6f900264914edcac6a9d2ea6915f01cb3ec80e7dc517396b5f79ee849f406f3c50b489efa7ff2d8a87f88fbed1775f65ccc30e0099d8c6107513b124110b

Download Submit
C:\Windows\System32\XlVUecf.exe

Filesize
2.9MB

MD5
dfbbe2b958ec59321ce1189993bbac8f

SHA1
c9730d41c73dc4cdefda7ac220afdeb182d94779

SHA256
98aff32d4f86b97b455891b239330df80bf3797dc7542cbc84d2716a99c3f0a4

SHA512
a08ee3c432b59eff825f2405489abe1746a4fe32bfb4cdfaf37c1667d6869c3ec0649315b0484ecbe6b540f55479d1fbd198d861d076e1cc86829d3e22ae6918

Download Submit
C:\Windows\System32\ZZyDOLF.exe

Filesize
2.9MB

MD5
8348e1d9891a5bff3cc39bba1f01d876

SHA1
97017a3a0a13038f85b5bc299af50ae8581e16ac

SHA256
54dac40b665f110edb7f96dddaa21f433c707f931cff5c20a3ea14772d33c1cf

SHA512
0edb20974832bc4fdc1ad3ad4a6624555dde480ec187c5cba04cca7bc9b3e5186874dfd0d0f0ee8488e446e337d1326b5769916520937b9b0853677ad19d6888

Download Submit
C:\Windows\System32\ZkZcGqm.exe

Filesize
2.9MB

MD5
f3b3519455d0b39584a955c77a51fb0e

SHA1
d24e5634cafddb5e4e8ec82646f60a9e23a3e97b

SHA256
aa9dc433707fcad1ef6fb4e8cd2b0071a743c29726547c311cdbdbdd9257ee3b

SHA512
6113c4289430d832b839a10bc086ce046bbdfd8f82bd2a8221c29a7ab17170c87b37397a7f4d8687053337dbc8ebe342d1193f2f28d5da4b54909fcd8e93ab5c

Download Submit
C:\Windows\System32\cCperBt.exe

Filesize
2.9MB

MD5
5a1841e0033a9b6ea621caf45f1d8542

SHA1
904e51d8fdc6127d3e9115cc3809203ac4bb9138

SHA256
536babc1fd05d3547ce1ffb5a8bb8252470b3806c95739066290fe7e2659c248

SHA512
a21ba5aa51f71ccb616be5c9a32aeefdd619ca529b53377275d7f40c3681602ee1b8d4ba059a2b622211fa19f73385b51edb09e8f9e60a470b25f3c004b5a89b

Download Submit
C:\Windows\System32\cDEkCly.exe

Filesize
2.9MB

MD5
275c1ca3ccc268cf18ae45b56f19aac8

SHA1
19330821c7518188978d4d0561c1de5a1d21208c

SHA256
8e31558f03e40bff4099ed2c552f65a849adb565916341e511b56a68b831a998

SHA512
41168c805f3cb3c8147c39f8226112e910dfdbc792f0ff0d6c9622c830301983e54d3c24b1f7181515eaa84fd9933eb0ea992e6f0d8782e9f8c58feea68f807c

Download Submit
C:\Windows\System32\eROTMcZ.exe

Filesize
2.9MB

MD5
d51fe2d7985db61639d71ec2a0b992b8

SHA1
ff143ce8315a941611fed1d02b00a5a790635083

SHA256
2ca85cfdb4cea08818ba5025477a92ae6875999a4546cabf107304c028a983a8

SHA512
c69c9fbc7ee8b2fbb6134ebfb94afb22e61ecf79d06e0515bbfb326241f8eff3a5e8c1a449f9d842375504e69514c31962a2cc15acebdcfbd677ca3fd943611e

Download Submit
C:\Windows\System32\fTHrvYL.exe

Filesize
2.9MB

MD5
23a4afb3c7b401af4538dcdc413419fd

SHA1
64070f372cc44bcc45a6604805cbde0a648297af

SHA256
d06eb5888444265213d7af1f95b39959117c0bfed9df91c2aac1813290828bde

SHA512
6bd5248d98cd3a639123aad164386aaac0919b383ab1c56e80caa828fb74ad2888de883fcb9f6504ac089f718ab3868bd85da3e769c5e1318b70e08942c01c3b

Download Submit
C:\Windows\System32\gUjXSQS.exe

Filesize
2.9MB

MD5
660809e6022f1e34ccf8d36dbc0367d9

SHA1
09aff10f38f7601680ad9884bb15194655a5bb20

SHA256
cde7ece59517f25986fe4cf705a65ef064632641a70f52963b38805ed0409bbe

SHA512
8c3df9cf5a8ce8ee71f4b6dd70cd3e0af2751d6cd6fc5258a3b2be0f2cdc612846275d904981ece4f19974f61b83b3a090c1f801cfeb7888539e2051c7be50b6

Download Submit
C:\Windows\System32\htwgSdd.exe

Filesize
2.9MB

MD5
a64491782b7b2fde13300dbe75827d44

SHA1
99d58b7e23deb4f3033c41511918ff7529779abe

SHA256
7759d4a55f5a0acf7549c00b1158c810001a73ea553ba7dd1ddd90699d89af56

SHA512
5ddb8657ee82f03f2aa02892d81440b611b88325a67e998f2a86ffdf68e53098a9b007dc96762c3d06bf4c29cdb92b9c46a978a6b024254e11e82da22644d756

Download Submit
C:\Windows\System32\lynXwiN.exe

Filesize
2.9MB

MD5
bf573e2959465d8aee4a61080ba99471

SHA1
8b93d4661c74ceeb6d263cd253f749fd9267ae43

SHA256
8b623d6e4e7e6e00c5df36191e2cc4dedb9a3c42a6329329a0c82ae6aadbe4e6

SHA512
ff0397d050b371b09a52f2e7881a48f9525e68486d6caf7b15ef10155034e9c9dbec309549d000e62103303c91a6a6ca9c72a4bb9fedc982e88d123bf8c7b19c

Download Submit
C:\Windows\System32\mFTFjTr.exe

Filesize
2.9MB

MD5
597e487b39464e40815715d0070d2ea1

SHA1
4645a65cb1181ec6b078bffb27f01c3e5816b07f

SHA256
5d1710a8024a1b730551a502d804c0181c4e143a4414a1420cbf8068e5941448

SHA512
036bf4bb9d413f115ed32cdf0081fef3e44ea066bd713abf02365acaf54954ec15cfc89b53ae6722c28a82b7e00948e0ef4058e29b1fbd866ff1da64a86b39a3

Download Submit
C:\Windows\System32\monWeCk.exe

Filesize
2.9MB

MD5
e7844cedd4995d1b216964ca1a8f64fe

SHA1
a86f82579b72294e76c42bfce3a0f0f80d8dd408

SHA256
494e764b2efb0f1567936a044e9d94c2ed473613ed363d34716c5a39e64b975b

SHA512
188ce6a872817dccc45e6fede3a1a82f862b3474763058ea2372b9d3ff6e91c7f010fb1cbaa5c7452f26faf17238d703059eb7c83f97bf8dc939fff15611a43d

Download Submit
C:\Windows\System32\nCktdiH.exe

Filesize
2.9MB

MD5
637816872e41f82c5f5d11bfdaa3000a

SHA1
31161d3bc29c68e614819036da5319017c9d4444

SHA256
422ef3ca6e58b78b9d5a8faaea00ba792a28051dbf3c64cb52743e125f314791

SHA512
78dbf07e3a24cea86a88997f57fb36eb50388b9a1ff1a536bc0428aeb6dcb67ba3f3f2441116129ee27be30ad47447eb5ca22f552fe0ab131dd6df4e3e5d20d3

Download Submit
C:\Windows\System32\tySMnbs.exe

Filesize
2.9MB

MD5
a249a6487c68e18d859b94e1b3636dcd

SHA1
61ccd75e1a0c2ffb99bac4e3a4cc2dd39dc5c9bd

SHA256
a66cb7d7553fa478e45a96c9683ef07b2f47e80fb65030b90a59e7cc3b2fdc61

SHA512
e25ecf3a5824bc5a931e88c3a29c10d0d2f4e07dd8d1aa60330aac1e01eebf0fa7732347b5bf5485fe29f8a677b61bc3b85fc91990fdeba2397f1f3f8b7acc0e

Download Submit
C:\Windows\System32\ufdtDDK.exe

Filesize
2.9MB

MD5
02e253daea8cfd317e4e97861365b07c

SHA1
652a39605fbf9917794f097eb0b122f2babde8bc

SHA256
b50e35738261e2d8301b75b0c3c397d43cb57d7bf689debf188e4096436085e5

SHA512
4d9080536a652017ba2cbfc3c74f7b4711a8dba0b7f201842296712ca54bb1c1eb2c2d7b9e67ff81c244a201343817bd1b4eba9a24ce2d510ddf88dc166fa662

Download Submit
C:\Windows\System32\uilbRmt.exe

Filesize
2.9MB

MD5
2ad427fec12a331ae9bdd633e6407b41

SHA1
10141d589c5131e0bbacda77a6d8f755ad9b6e76

SHA256
7d75e92eeccaab716890c3e7083fd721c7871bfa84749f6153a17059258f8404

SHA512
820a562e286cdb9bba60c18c1580e8fe87805f913363789df378551fe9fa717d676321e3152455381772c6cfcb3342426866d360f2c732c1572a459a93821a22

Download Submit
C:\Windows\System32\wCKMSCj.exe

Filesize
2.9MB

MD5
975fa5e9a76ca152b7af47cae9f2ce66

SHA1
e21b93edac19d7c9cae24bebed3b5eb2eff7bdc6

SHA256
346306acb3b8c677914404d0a69e4bcedca6064f061ade2d203a04146ccb3b8b

SHA512
755148ba2effb839d4c03f6254292d0ca2b644ffbfc10dc34573385b73037aab1124a7ef40be6c7ae8ebea32aa364e7151cdcecd62cba1b98ddbf52badce0003

Download Submit
C:\Windows\System32\xGHDiWy.exe

Filesize
2.9MB

MD5
be3fd85767e0ce144280a8391a57897a

SHA1
99efdb7b6c30f6ec48bd1cd9e26156343c85382a

SHA256
4e7d10c174372b3713a5b7164efcb23fe3d6201ee9f874549976b5d1d202b6eb

SHA512
547fbf45f6253b466a50f8be294672105dbe3484b772c26df809f7593c85610f9fbe04fbb43a8c3f1e690f9707cd0176e528b08d6b2a0d67a600d0df6cf4466a

Download Submit
C:\Windows\System32\yAXmIYx.exe

Filesize
2.9MB

MD5
3c08f200c26bbe660ccaa4e33c5a85a8

SHA1
f44532d78a6d4266bb193df134db3a4406a1255e

SHA256
442efe0bc2622bf4ade5b35f7e9882fb258722c4a960a85e08538abdc4466543

SHA512
64b3a2b8173cdbdda298e4c7ed88b2fb45cf58afee80f0ba5af145adadf65f7d4fdaa42142c283dd6390e8005c1c5c477d63e2f8bf4e1567e1908d36028efb58

Download Submit
memory/220-1894-0x00007FF723D80000-0x00007FF724175000-memory.dmp

Filesize
4.0MB

Download
memory/220-779-0x00007FF723D80000-0x00007FF724175000-memory.dmp

Filesize
4.0MB

Download
memory/228-827-0x00007FF6B0040000-0x00007FF6B0435000-memory.dmp

Filesize
4.0MB

Download
memory/228-1902-0x00007FF6B0040000-0x00007FF6B0435000-memory.dmp

Filesize
4.0MB

Download
memory/628-1896-0x00007FF7DCA90000-0x00007FF7DCE85000-memory.dmp

Filesize
4.0MB

Download
memory/628-777-0x00007FF7DCA90000-0x00007FF7DCE85000-memory.dmp

Filesize
4.0MB

Download
memory/1032-1900-0x00007FF6B84E0000-0x00007FF6B88D5000-memory.dmp

Filesize
4.0MB

Download
memory/1032-815-0x00007FF6B84E0000-0x00007FF6B88D5000-memory.dmp

Filesize
4.0MB

Download
memory/1512-1886-0x00007FF7E9570000-0x00007FF7E9965000-memory.dmp

Filesize
4.0MB

Download
memory/1512-770-0x00007FF7E9570000-0x00007FF7E9965000-memory.dmp

Filesize
4.0MB

Download
memory/1572-771-0x00007FF65E300000-0x00007FF65E6F5000-memory.dmp

Filesize
4.0MB

Download
memory/1572-1887-0x00007FF65E300000-0x00007FF65E6F5000-memory.dmp

Filesize
4.0MB

Download
memory/1592-1888-0x00007FF665EC0000-0x00007FF6662B5000-memory.dmp

Filesize
4.0MB

Download
memory/1592-834-0x00007FF665EC0000-0x00007FF6662B5000-memory.dmp

Filesize
4.0MB

Download
memory/1944-1892-0x00007FF6778C0000-0x00007FF677CB5000-memory.dmp

Filesize
4.0MB

Download
memory/1944-774-0x00007FF6778C0000-0x00007FF677CB5000-memory.dmp

Filesize
4.0MB

Download
memory/2176-6-0x00007FF7791A0000-0x00007FF779595000-memory.dmp

Filesize
4.0MB

Download
memory/2176-1885-0x00007FF7791A0000-0x00007FF779595000-memory.dmp

Filesize
4.0MB

Download
memory/2176-1883-0x00007FF7791A0000-0x00007FF779595000-memory.dmp

Filesize
4.0MB

Download
memory/2320-775-0x00007FF772360000-0x00007FF772755000-memory.dmp

Filesize
4.0MB

Download
memory/2320-1890-0x00007FF772360000-0x00007FF772755000-memory.dmp

Filesize
4.0MB

Download
memory/2532-772-0x00007FF696060000-0x00007FF696455000-memory.dmp

Filesize
4.0MB

Download
memory/2532-1889-0x00007FF696060000-0x00007FF696455000-memory.dmp

Filesize
4.0MB

Download
memory/2756-1891-0x00007FF755AE0000-0x00007FF755ED5000-memory.dmp

Filesize
4.0MB

Download
memory/2756-776-0x00007FF755AE0000-0x00007FF755ED5000-memory.dmp

Filesize
4.0MB

Download
memory/2776-1895-0x00007FF7741F0000-0x00007FF7745E5000-memory.dmp

Filesize
4.0MB

Download
memory/2776-784-0x00007FF7741F0000-0x00007FF7745E5000-memory.dmp

Filesize
4.0MB

Download
memory/3384-1903-0x00007FF741AE0000-0x00007FF741ED5000-memory.dmp

Filesize
4.0MB

Download
memory/3384-824-0x00007FF741AE0000-0x00007FF741ED5000-memory.dmp

Filesize
4.0MB

Download
memory/3676-810-0x00007FF74FB90000-0x00007FF74FF85000-memory.dmp

Filesize
4.0MB

Download
memory/3676-1905-0x00007FF74FB90000-0x00007FF74FF85000-memory.dmp

Filesize
4.0MB

Download
memory/3776-820-0x00007FF79F790000-0x00007FF79FB85000-memory.dmp

Filesize
4.0MB

Download
memory/3776-1904-0x00007FF79F790000-0x00007FF79FB85000-memory.dmp

Filesize
4.0MB

Download
memory/3832-1882-0x00007FF6A2580000-0x00007FF6A2975000-memory.dmp

Filesize
4.0MB

Download
memory/3832-1-0x00000211BFE70000-0x00000211BFE80000-memory.dmp

Filesize
64KB

Download
memory/3832-0-0x00007FF6A2580000-0x00007FF6A2975000-memory.dmp

Filesize
4.0MB

Download
memory/4152-1893-0x00007FF7724D0000-0x00007FF7728C5000-memory.dmp

Filesize
4.0MB

Download
memory/4152-773-0x00007FF7724D0000-0x00007FF7728C5000-memory.dmp

Filesize
4.0MB

Download
memory/4296-789-0x00007FF7FCAC0000-0x00007FF7FCEB5000-memory.dmp

Filesize
4.0MB

Download
memory/4296-1907-0x00007FF7FCAC0000-0x00007FF7FCEB5000-memory.dmp

Filesize
4.0MB

Download
memory/4448-799-0x00007FF645A10000-0x00007FF645E05000-memory.dmp

Filesize
4.0MB

Download
memory/4448-1898-0x00007FF645A10000-0x00007FF645E05000-memory.dmp

Filesize
4.0MB

Download
memory/4528-1906-0x00007FF7E40A0000-0x00007FF7E4495000-memory.dmp

Filesize
4.0MB

Download
memory/4528-793-0x00007FF7E40A0000-0x00007FF7E4495000-memory.dmp

Filesize
4.0MB

Download
memory/4640-804-0x00007FF69E320000-0x00007FF69E715000-memory.dmp

Filesize
4.0MB

Download
memory/4640-1899-0x00007FF69E320000-0x00007FF69E715000-memory.dmp

Filesize
4.0MB

Download
memory/4728-832-0x00007FF624300000-0x00007FF6246F5000-memory.dmp

Filesize
4.0MB

Download
memory/4728-1901-0x00007FF624300000-0x00007FF6246F5000-memory.dmp

Filesize
4.0MB

Download
memory/4744-15-0x00007FF6D5020000-0x00007FF6D5415000-memory.dmp

Filesize
4.0MB

Download
memory/4744-1884-0x00007FF6D5020000-0x00007FF6D5415000-memory.dmp

Filesize
4.0MB

Download
memory/4960-1897-0x00007FF66B1B0000-0x00007FF66B5A5000-memory.dmp

Filesize
4.0MB

Download
memory/4960-778-0x00007FF66B1B0000-0x00007FF66B5A5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads