xmrig | 1a245b322d5920726081604260c0e334c06f357247427b3773770a101d02ae63

Analysis

max time kernel
102s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b8f376bd8df9a375241e6506ed5b920N.exe
Size

1.3MB
MD5

7b8f376bd8df9a375241e6506ed5b920
SHA1

97638c965af7769c5e0695010e05fbd220cf8677
SHA256

1a245b322d5920726081604260c0e334c06f357247427b3773770a101d02ae63
SHA512

643997bd67948016183cdba53a05112e2083bab162236d5e5fb69cae0c92a7c84e4e8e556a4aca1edbc4765cf1cc6e645ac7e06f4d67eba09057008a568fb8ce
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcqdIzWokCiHovICQX9fY6Be4F2Y5H:knw9oUUEEDl37jcqdI9Q/XzRlV

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/1624-61-0x00007FF718050000-0x00007FF718441000-memory.dmp	xmrig
behavioral2/memory/400-59-0x00007FF6CD310000-0x00007FF6CD701000-memory.dmp	xmrig
behavioral2/memory/1920-40-0x00007FF7DC0A0000-0x00007FF7DC491000-memory.dmp	xmrig
behavioral2/memory/3340-33-0x00007FF70F010000-0x00007FF70F401000-memory.dmp	xmrig
behavioral2/memory/5088-111-0x00007FF63AD10000-0x00007FF63B101000-memory.dmp	xmrig
behavioral2/memory/3664-187-0x00007FF6F9390000-0x00007FF6F9781000-memory.dmp	xmrig
behavioral2/memory/960-186-0x00007FF610840000-0x00007FF610C31000-memory.dmp	xmrig
behavioral2/memory/2256-183-0x00007FF7AE810000-0x00007FF7AEC01000-memory.dmp	xmrig
behavioral2/memory/1376-181-0x00007FF679B20000-0x00007FF679F11000-memory.dmp	xmrig
behavioral2/memory/1204-180-0x00007FF685440000-0x00007FF685831000-memory.dmp	xmrig
behavioral2/memory/4264-164-0x00007FF6C6E40000-0x00007FF6C7231000-memory.dmp	xmrig
behavioral2/memory/4060-142-0x00007FF6CDBA0000-0x00007FF6CDF91000-memory.dmp	xmrig
behavioral2/memory/2160-139-0x00007FF696750000-0x00007FF696B41000-memory.dmp	xmrig
behavioral2/memory/1292-121-0x00007FF7E77C0000-0x00007FF7E7BB1000-memory.dmp	xmrig
behavioral2/memory/320-120-0x00007FF6E7530000-0x00007FF6E7921000-memory.dmp	xmrig
behavioral2/memory/3116-112-0x00007FF6470A0000-0x00007FF647491000-memory.dmp	xmrig
behavioral2/memory/4216-108-0x00007FF769440000-0x00007FF769831000-memory.dmp	xmrig
behavioral2/memory/2148-1158-0x00007FF765140000-0x00007FF765531000-memory.dmp	xmrig
behavioral2/memory/3340-1717-0x00007FF70F010000-0x00007FF70F401000-memory.dmp	xmrig
behavioral2/memory/852-1997-0x00007FF7C4AA0000-0x00007FF7C4E91000-memory.dmp	xmrig
behavioral2/memory/1756-2006-0x00007FF6B9F30000-0x00007FF6BA321000-memory.dmp	xmrig
behavioral2/memory/1844-2011-0x00007FF619A40000-0x00007FF619E31000-memory.dmp	xmrig
behavioral2/memory/3276-2012-0x00007FF763C00000-0x00007FF763FF1000-memory.dmp	xmrig
behavioral2/memory/4656-2013-0x00007FF6C0880000-0x00007FF6C0C71000-memory.dmp	xmrig
behavioral2/memory/4896-2034-0x00007FF7807B0000-0x00007FF780BA1000-memory.dmp	xmrig
behavioral2/memory/4216-2036-0x00007FF769440000-0x00007FF769831000-memory.dmp	xmrig
behavioral2/memory/5088-2052-0x00007FF63AD10000-0x00007FF63B101000-memory.dmp	xmrig
behavioral2/memory/3340-2054-0x00007FF70F010000-0x00007FF70F401000-memory.dmp	xmrig
behavioral2/memory/2148-2057-0x00007FF765140000-0x00007FF765531000-memory.dmp	xmrig
behavioral2/memory/1920-2060-0x00007FF7DC0A0000-0x00007FF7DC491000-memory.dmp	xmrig
behavioral2/memory/1376-2058-0x00007FF679B20000-0x00007FF679F11000-memory.dmp	xmrig
behavioral2/memory/1552-2068-0x00007FF763DA0000-0x00007FF764191000-memory.dmp	xmrig
behavioral2/memory/852-2066-0x00007FF7C4AA0000-0x00007FF7C4E91000-memory.dmp	xmrig
behavioral2/memory/400-2065-0x00007FF6CD310000-0x00007FF6CD701000-memory.dmp	xmrig
behavioral2/memory/1624-2063-0x00007FF718050000-0x00007FF718441000-memory.dmp	xmrig
behavioral2/memory/4264-2110-0x00007FF6C6E40000-0x00007FF6C7231000-memory.dmp	xmrig
behavioral2/memory/320-2108-0x00007FF6E7530000-0x00007FF6E7921000-memory.dmp	xmrig
behavioral2/memory/3116-2106-0x00007FF6470A0000-0x00007FF647491000-memory.dmp	xmrig
behavioral2/memory/3276-2104-0x00007FF763C00000-0x00007FF763FF1000-memory.dmp	xmrig
behavioral2/memory/1844-2102-0x00007FF619A40000-0x00007FF619E31000-memory.dmp	xmrig
behavioral2/memory/1756-2100-0x00007FF6B9F30000-0x00007FF6BA321000-memory.dmp	xmrig
behavioral2/memory/1292-2114-0x00007FF7E77C0000-0x00007FF7E7BB1000-memory.dmp	xmrig
behavioral2/memory/1204-2118-0x00007FF685440000-0x00007FF685831000-memory.dmp	xmrig
behavioral2/memory/4060-2120-0x00007FF6CDBA0000-0x00007FF6CDF91000-memory.dmp	xmrig
behavioral2/memory/2160-2122-0x00007FF696750000-0x00007FF696B41000-memory.dmp	xmrig
behavioral2/memory/4896-2116-0x00007FF7807B0000-0x00007FF780BA1000-memory.dmp	xmrig
behavioral2/memory/4656-2112-0x00007FF6C0880000-0x00007FF6C0C71000-memory.dmp	xmrig
behavioral2/memory/960-2124-0x00007FF610840000-0x00007FF610C31000-memory.dmp	xmrig
behavioral2/memory/3664-2133-0x00007FF6F9390000-0x00007FF6F9781000-memory.dmp	xmrig
behavioral2/memory/2256-2126-0x00007FF7AE810000-0x00007FF7AEC01000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
5088	JeXuTJY.exe
1376	NJymTsO.exe
2148	wKTsbZN.exe
3340	YvNBiQY.exe
1920	ITQBQzo.exe
1552	lGuxABI.exe
852	pwdaZOa.exe
400	SMNnoMD.exe
1624	XKoytjc.exe
1756	zJghFok.exe
1844	QIODrey.exe
3276	ImPeIBc.exe
3116	ibsJhRU.exe
4656	vBwwKWR.exe
320	rSlMvii.exe
4264	gEtDGLE.exe
1292	GcCHLcB.exe
4896	LVOnVAB.exe
2160	uKmFqOO.exe
4060	ljrVFFH.exe
1204	XbHlsWF.exe
2256	rqVFZIQ.exe
960	loZrRBI.exe
3664	AaCpwaF.exe
4948	MhQyxoE.exe
2724	EOjVSKm.exe
3356	uQWjEYk.exe
1792	brRaMTP.exe
4556	NiznJSz.exe
3172	umvFLPE.exe
3252	LlFIjhh.exe
1064	yCWAgVg.exe
2704	osMYBtX.exe
3760	bvrPYjT.exe
1668	JkeAUrz.exe
2036	tdaMuYi.exe
3216	gEihHiQ.exe
376	HfvQmHN.exe
3556	VFunPQC.exe
4152	JKBaYQu.exe
1948	NljilBC.exe
4668	yZExFPL.exe
1676	IpDrIrk.exe
2384	xdZeLxU.exe
2320	WVZKYce.exe
1876	LgfOOgJ.exe
4464	gZuUMzO.exe
4424	bDUDKit.exe
736	yeuWqDn.exe
4640	tqDhJfb.exe
2788	MYyoLDW.exe
3308	UKHGLxR.exe
2804	OlvknAV.exe
1500	SPktoRB.exe
4044	TUhzHgA.exe
640	gSBpnDV.exe
1352	SIzjgZz.exe
1724	CuZoUXD.exe
1908	xFRNfqe.exe
4700	HAIkmBV.exe
1776	CHchLaC.exe
2760	HIIetmj.exe
1264	xyMhQld.exe
2368	dFQLoec.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4216-0-0x00007FF769440000-0x00007FF769831000-memory.dmp	upx
behavioral2/files/0x00090000000234c7-10.dat	upx
behavioral2/files/0x00090000000234b1-4.dat	upx
behavioral2/files/0x00070000000234cb-7.dat	upx
behavioral2/memory/1376-16-0x00007FF679B20000-0x00007FF679F11000-memory.dmp	upx
behavioral2/memory/2148-22-0x00007FF765140000-0x00007FF765531000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-30.dat	upx
behavioral2/files/0x00070000000234cf-39.dat	upx
behavioral2/memory/852-47-0x00007FF7C4AA0000-0x00007FF7C4E91000-memory.dmp	upx
behavioral2/files/0x00070000000234d2-53.dat	upx
behavioral2/files/0x00070000000234d0-56.dat	upx
behavioral2/memory/1624-61-0x00007FF718050000-0x00007FF718441000-memory.dmp	upx
behavioral2/memory/1756-62-0x00007FF6B9F30000-0x00007FF6BA321000-memory.dmp	upx
behavioral2/memory/1844-63-0x00007FF619A40000-0x00007FF619E31000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-60.dat	upx
behavioral2/memory/400-59-0x00007FF6CD310000-0x00007FF6CD701000-memory.dmp	upx
behavioral2/files/0x00070000000234d1-52.dat	upx
behavioral2/memory/1920-40-0x00007FF7DC0A0000-0x00007FF7DC491000-memory.dmp	upx
behavioral2/files/0x00070000000234ce-37.dat	upx
behavioral2/memory/1552-35-0x00007FF763DA0000-0x00007FF764191000-memory.dmp	upx
behavioral2/memory/3340-33-0x00007FF70F010000-0x00007FF70F401000-memory.dmp	upx
behavioral2/files/0x00070000000234cc-21.dat	upx
behavioral2/memory/5088-14-0x00007FF63AD10000-0x00007FF63B101000-memory.dmp	upx
behavioral2/files/0x00070000000234d4-74.dat	upx
behavioral2/memory/3276-79-0x00007FF763C00000-0x00007FF763FF1000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-85.dat	upx
behavioral2/files/0x00070000000234d8-96.dat	upx
behavioral2/memory/5088-111-0x00007FF63AD10000-0x00007FF63B101000-memory.dmp	upx
behavioral2/files/0x00070000000234de-119.dat	upx
behavioral2/files/0x00070000000234da-124.dat	upx
behavioral2/files/0x00070000000234db-130.dat	upx
behavioral2/files/0x00070000000234e1-140.dat	upx
behavioral2/files/0x00070000000234e5-173.dat	upx
behavioral2/files/0x00070000000234ec-184.dat	upx
behavioral2/files/0x00070000000234ea-192.dat	upx
behavioral2/files/0x00070000000234e2-190.dat	upx
behavioral2/files/0x00070000000234eb-188.dat	upx
behavioral2/memory/3664-187-0x00007FF6F9390000-0x00007FF6F9781000-memory.dmp	upx
behavioral2/memory/960-186-0x00007FF610840000-0x00007FF610C31000-memory.dmp	upx
behavioral2/memory/2256-183-0x00007FF7AE810000-0x00007FF7AEC01000-memory.dmp	upx
behavioral2/memory/1376-181-0x00007FF679B20000-0x00007FF679F11000-memory.dmp	upx
behavioral2/memory/1204-180-0x00007FF685440000-0x00007FF685831000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-177.dat	upx
behavioral2/files/0x00070000000234e8-176.dat	upx
behavioral2/files/0x00070000000234e7-175.dat	upx
behavioral2/files/0x00070000000234e6-174.dat	upx
behavioral2/files/0x00070000000234e4-172.dat	upx
behavioral2/files/0x00070000000234e3-171.dat	upx
behavioral2/memory/4264-164-0x00007FF6C6E40000-0x00007FF6C7231000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-144.dat	upx
behavioral2/memory/4060-142-0x00007FF6CDBA0000-0x00007FF6CDF91000-memory.dmp	upx
behavioral2/memory/2160-139-0x00007FF696750000-0x00007FF696B41000-memory.dmp	upx
behavioral2/memory/4896-138-0x00007FF7807B0000-0x00007FF780BA1000-memory.dmp	upx
behavioral2/files/0x00070000000234df-133.dat	upx
behavioral2/files/0x00070000000234dc-128.dat	upx
behavioral2/files/0x00070000000234dd-126.dat	upx
behavioral2/memory/1292-121-0x00007FF7E77C0000-0x00007FF7E7BB1000-memory.dmp	upx
behavioral2/memory/320-120-0x00007FF6E7530000-0x00007FF6E7921000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-113.dat	upx
behavioral2/memory/3116-112-0x00007FF6470A0000-0x00007FF647491000-memory.dmp	upx
behavioral2/memory/4216-108-0x00007FF769440000-0x00007FF769831000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-105.dat	upx
behavioral2/memory/4656-90-0x00007FF6C0880000-0x00007FF6C0C71000-memory.dmp	upx
behavioral2/files/0x00080000000234c8-84.dat	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ljrVFFH.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\DLjtbSq.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\PEvLqrw.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\EUZzkvS.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\ZSofYmH.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\ryDgqXx.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\yMNCMEI.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\JQgqWPF.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\DdpAQNC.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\gvHUzoJ.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\ZdjIFfh.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\DhclFKO.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\zJghFok.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\dBjizJW.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\zKlgHPJ.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\nLAbeXH.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\PYjOdKS.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\eoakOCu.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\ukZRYfc.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\XAHgNSH.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\pJRlIYu.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\pTvemcr.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\bagmhng.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\KHoRAsq.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\QIODrey.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\VKRxbgP.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\GCnbowI.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\ZrPEgDv.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\KgtgOCv.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\NaOBIVI.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\rPZebtE.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\vjorack.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\ZidvKgg.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\BQwNOUM.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\ztKCuPr.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\sSYBhEf.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\kbsGFeu.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\wuRKDjL.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\sxfNNuA.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\FtvNRcd.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\LEfxNKu.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\yZExFPL.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\ZkQtRid.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\QMgevBX.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\bqdBHrH.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\FnmgPbp.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\GiUdXCX.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\LgbITkl.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\LnPpBsa.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\zzHBYOx.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\yeuWqDn.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\NBCaqcp.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\aSerAPN.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\QzVfaOi.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\rpgJYkD.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\yqSwMAM.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\XauvJFt.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\KYbNVUj.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\SPktoRB.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\gSBpnDV.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\ousLvXj.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\BAUZLjh.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\NYpNKOQ.exe	7b8f376bd8df9a375241e6506ed5b920N.exe
File created	C:\Windows\System32\xsdTfxb.exe	7b8f376bd8df9a375241e6506ed5b920N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12896	dwm.exe
Token: SeChangeNotifyPrivilege	12896	dwm.exe
Token: 33	12896	dwm.exe
Token: SeIncBasePriorityPrivilege	12896	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 5088	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	85
PID 4216 wrote to memory of 5088	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	85
PID 4216 wrote to memory of 1376	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	86
PID 4216 wrote to memory of 1376	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	86
PID 4216 wrote to memory of 2148	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	87
PID 4216 wrote to memory of 2148	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	87
PID 4216 wrote to memory of 3340	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	88
PID 4216 wrote to memory of 3340	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	88
PID 4216 wrote to memory of 1920	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	89
PID 4216 wrote to memory of 1920	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	89
PID 4216 wrote to memory of 1552	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	90
PID 4216 wrote to memory of 1552	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	90
PID 4216 wrote to memory of 852	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	91
PID 4216 wrote to memory of 852	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	91
PID 4216 wrote to memory of 400	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	92
PID 4216 wrote to memory of 400	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	92
PID 4216 wrote to memory of 1624	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	93
PID 4216 wrote to memory of 1624	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	93
PID 4216 wrote to memory of 1756	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	94
PID 4216 wrote to memory of 1756	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	94
PID 4216 wrote to memory of 1844	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	95
PID 4216 wrote to memory of 1844	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	95
PID 4216 wrote to memory of 3276	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	96
PID 4216 wrote to memory of 3276	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	96
PID 4216 wrote to memory of 3116	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	97
PID 4216 wrote to memory of 3116	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	97
PID 4216 wrote to memory of 4656	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	98
PID 4216 wrote to memory of 4656	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	98
PID 4216 wrote to memory of 320	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	99
PID 4216 wrote to memory of 320	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	99
PID 4216 wrote to memory of 4264	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	100
PID 4216 wrote to memory of 4264	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	100
PID 4216 wrote to memory of 1292	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	101
PID 4216 wrote to memory of 1292	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	101
PID 4216 wrote to memory of 4896	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	102
PID 4216 wrote to memory of 4896	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	102
PID 4216 wrote to memory of 2160	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	103
PID 4216 wrote to memory of 2160	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	103
PID 4216 wrote to memory of 4060	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	104
PID 4216 wrote to memory of 4060	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	104
PID 4216 wrote to memory of 1204	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	105
PID 4216 wrote to memory of 1204	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	105
PID 4216 wrote to memory of 2256	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	106
PID 4216 wrote to memory of 2256	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	106
PID 4216 wrote to memory of 960	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	107
PID 4216 wrote to memory of 960	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	107
PID 4216 wrote to memory of 3664	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	108
PID 4216 wrote to memory of 3664	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	108
PID 4216 wrote to memory of 4948	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	109
PID 4216 wrote to memory of 4948	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	109
PID 4216 wrote to memory of 2724	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	110
PID 4216 wrote to memory of 2724	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	110
PID 4216 wrote to memory of 3356	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	111
PID 4216 wrote to memory of 3356	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	111
PID 4216 wrote to memory of 1792	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	112
PID 4216 wrote to memory of 1792	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	112
PID 4216 wrote to memory of 4556	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	113
PID 4216 wrote to memory of 4556	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	113
PID 4216 wrote to memory of 3172	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	114
PID 4216 wrote to memory of 3172	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	114
PID 4216 wrote to memory of 3252	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	115
PID 4216 wrote to memory of 3252	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	115
PID 4216 wrote to memory of 1064	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	116
PID 4216 wrote to memory of 1064	4216	7b8f376bd8df9a375241e6506ed5b920N.exe	116

C:\Users\Admin\AppData\Local\Temp\7b8f376bd8df9a375241e6506ed5b920N.exe
"C:\Users\Admin\AppData\Local\Temp\7b8f376bd8df9a375241e6506ed5b920N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\System32\JeXuTJY.exe
  C:\Windows\System32\JeXuTJY.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\NJymTsO.exe
  C:\Windows\System32\NJymTsO.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\wKTsbZN.exe
  C:\Windows\System32\wKTsbZN.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System32\YvNBiQY.exe
  C:\Windows\System32\YvNBiQY.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\ITQBQzo.exe
  C:\Windows\System32\ITQBQzo.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\lGuxABI.exe
  C:\Windows\System32\lGuxABI.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System32\pwdaZOa.exe
  C:\Windows\System32\pwdaZOa.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System32\SMNnoMD.exe
  C:\Windows\System32\SMNnoMD.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\XKoytjc.exe
  C:\Windows\System32\XKoytjc.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\zJghFok.exe
  C:\Windows\System32\zJghFok.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\QIODrey.exe
  C:\Windows\System32\QIODrey.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System32\ImPeIBc.exe
  C:\Windows\System32\ImPeIBc.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System32\ibsJhRU.exe
  C:\Windows\System32\ibsJhRU.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System32\vBwwKWR.exe
  C:\Windows\System32\vBwwKWR.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System32\rSlMvii.exe
  C:\Windows\System32\rSlMvii.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System32\gEtDGLE.exe
  C:\Windows\System32\gEtDGLE.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System32\GcCHLcB.exe
  C:\Windows\System32\GcCHLcB.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\LVOnVAB.exe
  C:\Windows\System32\LVOnVAB.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System32\uKmFqOO.exe
  C:\Windows\System32\uKmFqOO.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System32\ljrVFFH.exe
  C:\Windows\System32\ljrVFFH.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\XbHlsWF.exe
  C:\Windows\System32\XbHlsWF.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System32\rqVFZIQ.exe
  C:\Windows\System32\rqVFZIQ.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System32\loZrRBI.exe
  C:\Windows\System32\loZrRBI.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System32\AaCpwaF.exe
  C:\Windows\System32\AaCpwaF.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System32\MhQyxoE.exe
  C:\Windows\System32\MhQyxoE.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\EOjVSKm.exe
  C:\Windows\System32\EOjVSKm.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System32\uQWjEYk.exe
  C:\Windows\System32\uQWjEYk.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System32\brRaMTP.exe
  C:\Windows\System32\brRaMTP.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System32\NiznJSz.exe
  C:\Windows\System32\NiznJSz.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System32\umvFLPE.exe
  C:\Windows\System32\umvFLPE.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\LlFIjhh.exe
  C:\Windows\System32\LlFIjhh.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System32\yCWAgVg.exe
  C:\Windows\System32\yCWAgVg.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System32\osMYBtX.exe
  C:\Windows\System32\osMYBtX.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System32\bvrPYjT.exe
  C:\Windows\System32\bvrPYjT.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System32\JkeAUrz.exe
  C:\Windows\System32\JkeAUrz.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System32\tdaMuYi.exe
  C:\Windows\System32\tdaMuYi.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System32\gEihHiQ.exe
  C:\Windows\System32\gEihHiQ.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\HfvQmHN.exe
  C:\Windows\System32\HfvQmHN.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System32\VFunPQC.exe
  C:\Windows\System32\VFunPQC.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\JKBaYQu.exe
  C:\Windows\System32\JKBaYQu.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System32\NljilBC.exe
  C:\Windows\System32\NljilBC.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System32\yZExFPL.exe
  C:\Windows\System32\yZExFPL.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\IpDrIrk.exe
  C:\Windows\System32\IpDrIrk.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\xdZeLxU.exe
  C:\Windows\System32\xdZeLxU.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System32\WVZKYce.exe
  C:\Windows\System32\WVZKYce.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System32\LgfOOgJ.exe
  C:\Windows\System32\LgfOOgJ.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System32\gZuUMzO.exe
  C:\Windows\System32\gZuUMzO.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\bDUDKit.exe
  C:\Windows\System32\bDUDKit.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\yeuWqDn.exe
  C:\Windows\System32\yeuWqDn.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System32\tqDhJfb.exe
  C:\Windows\System32\tqDhJfb.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\MYyoLDW.exe
  C:\Windows\System32\MYyoLDW.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\UKHGLxR.exe
  C:\Windows\System32\UKHGLxR.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System32\OlvknAV.exe
  C:\Windows\System32\OlvknAV.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System32\SPktoRB.exe
  C:\Windows\System32\SPktoRB.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System32\TUhzHgA.exe
  C:\Windows\System32\TUhzHgA.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\gSBpnDV.exe
  C:\Windows\System32\gSBpnDV.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\SIzjgZz.exe
  C:\Windows\System32\SIzjgZz.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System32\CuZoUXD.exe
  C:\Windows\System32\CuZoUXD.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System32\xFRNfqe.exe
  C:\Windows\System32\xFRNfqe.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System32\HAIkmBV.exe
  C:\Windows\System32\HAIkmBV.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System32\CHchLaC.exe
  C:\Windows\System32\CHchLaC.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System32\HIIetmj.exe
  C:\Windows\System32\HIIetmj.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System32\xyMhQld.exe
  C:\Windows\System32\xyMhQld.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System32\dFQLoec.exe
  C:\Windows\System32\dFQLoec.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\iEvlNgy.exe
  C:\Windows\System32\iEvlNgy.exe
  2⤵
  PID:4860
- C:\Windows\System32\uwxDIsL.exe
  C:\Windows\System32\uwxDIsL.exe
  2⤵
  PID:2860
- C:\Windows\System32\sEicmEM.exe
  C:\Windows\System32\sEicmEM.exe
  2⤵
  PID:4964
- C:\Windows\System32\ukZRYfc.exe
  C:\Windows\System32\ukZRYfc.exe
  2⤵
  PID:4140
- C:\Windows\System32\QjmEfwo.exe
  C:\Windows\System32\QjmEfwo.exe
  2⤵
  PID:4028
- C:\Windows\System32\VKRxbgP.exe
  C:\Windows\System32\VKRxbgP.exe
  2⤵
  PID:4076
- C:\Windows\System32\QrkxlLc.exe
  C:\Windows\System32\QrkxlLc.exe
  2⤵
  PID:1452
- C:\Windows\System32\ZATLdkO.exe
  C:\Windows\System32\ZATLdkO.exe
  2⤵
  PID:4644
- C:\Windows\System32\DWxSVWQ.exe
  C:\Windows\System32\DWxSVWQ.exe
  2⤵
  PID:2172
- C:\Windows\System32\RUZbWel.exe
  C:\Windows\System32\RUZbWel.exe
  2⤵
  PID:1468
- C:\Windows\System32\pMvvJWc.exe
  C:\Windows\System32\pMvvJWc.exe
  2⤵
  PID:972
- C:\Windows\System32\vPYdzyW.exe
  C:\Windows\System32\vPYdzyW.exe
  2⤵
  PID:1140
- C:\Windows\System32\dBjizJW.exe
  C:\Windows\System32\dBjizJW.exe
  2⤵
  PID:3572
- C:\Windows\System32\jaTQdJO.exe
  C:\Windows\System32\jaTQdJO.exe
  2⤵
  PID:220
- C:\Windows\System32\lhXOhSY.exe
  C:\Windows\System32\lhXOhSY.exe
  2⤵
  PID:4012
- C:\Windows\System32\mJfMkBR.exe
  C:\Windows\System32\mJfMkBR.exe
  2⤵
  PID:4280
- C:\Windows\System32\cFZDMKP.exe
  C:\Windows\System32\cFZDMKP.exe
  2⤵
  PID:4576
- C:\Windows\System32\jwqpDni.exe
  C:\Windows\System32\jwqpDni.exe
  2⤵
  PID:4940
- C:\Windows\System32\nqhozoq.exe
  C:\Windows\System32\nqhozoq.exe
  2⤵
  PID:464
- C:\Windows\System32\hFbMAKO.exe
  C:\Windows\System32\hFbMAKO.exe
  2⤵
  PID:404
- C:\Windows\System32\MTxgAmA.exe
  C:\Windows\System32\MTxgAmA.exe
  2⤵
  PID:4516
- C:\Windows\System32\WZHinqc.exe
  C:\Windows\System32\WZHinqc.exe
  2⤵
  PID:3604
- C:\Windows\System32\hgPoELE.exe
  C:\Windows\System32\hgPoELE.exe
  2⤵
  PID:912
- C:\Windows\System32\WWxeyvo.exe
  C:\Windows\System32\WWxeyvo.exe
  2⤵
  PID:4572
- C:\Windows\System32\NxcjAfm.exe
  C:\Windows\System32\NxcjAfm.exe
  2⤵
  PID:3580
- C:\Windows\System32\SmedCeH.exe
  C:\Windows\System32\SmedCeH.exe
  2⤵
  PID:3744
- C:\Windows\System32\nNtBYEn.exe
  C:\Windows\System32\nNtBYEn.exe
  2⤵
  PID:5084
- C:\Windows\System32\YctKzMH.exe
  C:\Windows\System32\YctKzMH.exe
  2⤵
  PID:2848
- C:\Windows\System32\ukPFITF.exe
  C:\Windows\System32\ukPFITF.exe
  2⤵
  PID:1000
- C:\Windows\System32\Pzayfyq.exe
  C:\Windows\System32\Pzayfyq.exe
  2⤵
  PID:5140
- C:\Windows\System32\yMNCMEI.exe
  C:\Windows\System32\yMNCMEI.exe
  2⤵
  PID:5168
- C:\Windows\System32\GiUdXCX.exe
  C:\Windows\System32\GiUdXCX.exe
  2⤵
  PID:5196
- C:\Windows\System32\MuHivdB.exe
  C:\Windows\System32\MuHivdB.exe
  2⤵
  PID:5228
- C:\Windows\System32\DHCEZYJ.exe
  C:\Windows\System32\DHCEZYJ.exe
  2⤵
  PID:5252
- C:\Windows\System32\JjqxwkP.exe
  C:\Windows\System32\JjqxwkP.exe
  2⤵
  PID:5280
- C:\Windows\System32\VqSbIoS.exe
  C:\Windows\System32\VqSbIoS.exe
  2⤵
  PID:5308
- C:\Windows\System32\FEeOhAP.exe
  C:\Windows\System32\FEeOhAP.exe
  2⤵
  PID:5328
- C:\Windows\System32\dcBPSkQ.exe
  C:\Windows\System32\dcBPSkQ.exe
  2⤵
  PID:5380
- C:\Windows\System32\UWmDnUu.exe
  C:\Windows\System32\UWmDnUu.exe
  2⤵
  PID:5412
- C:\Windows\System32\YfbeNKX.exe
  C:\Windows\System32\YfbeNKX.exe
  2⤵
  PID:5436
- C:\Windows\System32\VXNzTjE.exe
  C:\Windows\System32\VXNzTjE.exe
  2⤵
  PID:5468
- C:\Windows\System32\mrPloFS.exe
  C:\Windows\System32\mrPloFS.exe
  2⤵
  PID:5496
- C:\Windows\System32\eAuxNPW.exe
  C:\Windows\System32\eAuxNPW.exe
  2⤵
  PID:5520
- C:\Windows\System32\sNTaIlo.exe
  C:\Windows\System32\sNTaIlo.exe
  2⤵
  PID:5548
- C:\Windows\System32\JQgqWPF.exe
  C:\Windows\System32\JQgqWPF.exe
  2⤵
  PID:5576
- C:\Windows\System32\UwbKnFP.exe
  C:\Windows\System32\UwbKnFP.exe
  2⤵
  PID:5604
- C:\Windows\System32\olzRKsE.exe
  C:\Windows\System32\olzRKsE.exe
  2⤵
  PID:5632
- C:\Windows\System32\vfcBvBo.exe
  C:\Windows\System32\vfcBvBo.exe
  2⤵
  PID:5668
- C:\Windows\System32\DLjtbSq.exe
  C:\Windows\System32\DLjtbSq.exe
  2⤵
  PID:5692
- C:\Windows\System32\YSLPXpt.exe
  C:\Windows\System32\YSLPXpt.exe
  2⤵
  PID:5716
- C:\Windows\System32\tolbuqf.exe
  C:\Windows\System32\tolbuqf.exe
  2⤵
  PID:5744
- C:\Windows\System32\PEvLqrw.exe
  C:\Windows\System32\PEvLqrw.exe
  2⤵
  PID:5772
- C:\Windows\System32\IQYJBJL.exe
  C:\Windows\System32\IQYJBJL.exe
  2⤵
  PID:5800
- C:\Windows\System32\YDBIewZ.exe
  C:\Windows\System32\YDBIewZ.exe
  2⤵
  PID:5828
- C:\Windows\System32\rCUlodG.exe
  C:\Windows\System32\rCUlodG.exe
  2⤵
  PID:5856
- C:\Windows\System32\VEEaedN.exe
  C:\Windows\System32\VEEaedN.exe
  2⤵
  PID:5884
- C:\Windows\System32\LzpyNng.exe
  C:\Windows\System32\LzpyNng.exe
  2⤵
  PID:5912
- C:\Windows\System32\apemarw.exe
  C:\Windows\System32\apemarw.exe
  2⤵
  PID:5940
- C:\Windows\System32\fcKprDU.exe
  C:\Windows\System32\fcKprDU.exe
  2⤵
  PID:5968
- C:\Windows\System32\sjlRGCn.exe
  C:\Windows\System32\sjlRGCn.exe
  2⤵
  PID:5996
- C:\Windows\System32\jywfzZV.exe
  C:\Windows\System32\jywfzZV.exe
  2⤵
  PID:6032
- C:\Windows\System32\BQwNOUM.exe
  C:\Windows\System32\BQwNOUM.exe
  2⤵
  PID:6072
- C:\Windows\System32\OJrLNeQ.exe
  C:\Windows\System32\OJrLNeQ.exe
  2⤵
  PID:6100
- C:\Windows\System32\KEzhJsK.exe
  C:\Windows\System32\KEzhJsK.exe
  2⤵
  PID:6124
- C:\Windows\System32\VelOHEs.exe
  C:\Windows\System32\VelOHEs.exe
  2⤵
  PID:1044
- C:\Windows\System32\qhcwqUy.exe
  C:\Windows\System32\qhcwqUy.exe
  2⤵
  PID:1392
- C:\Windows\System32\jExxtkR.exe
  C:\Windows\System32\jExxtkR.exe
  2⤵
  PID:532
- C:\Windows\System32\oKUzRQQ.exe
  C:\Windows\System32\oKUzRQQ.exe
  2⤵
  PID:3048
- C:\Windows\System32\WzJHzan.exe
  C:\Windows\System32\WzJHzan.exe
  2⤵
  PID:4036
- C:\Windows\System32\xDyvuOC.exe
  C:\Windows\System32\xDyvuOC.exe
  2⤵
  PID:5152
- C:\Windows\System32\Lzcqrea.exe
  C:\Windows\System32\Lzcqrea.exe
  2⤵
  PID:5208
- C:\Windows\System32\rPZebtE.exe
  C:\Windows\System32\rPZebtE.exe
  2⤵
  PID:2712
- C:\Windows\System32\PfkQgzp.exe
  C:\Windows\System32\PfkQgzp.exe
  2⤵
  PID:5960
- C:\Windows\System32\euzpctX.exe
  C:\Windows\System32\euzpctX.exe
  2⤵
  PID:5924
- C:\Windows\System32\tasKkuA.exe
  C:\Windows\System32\tasKkuA.exe
  2⤵
  PID:5892
- C:\Windows\System32\XQrdlxw.exe
  C:\Windows\System32\XQrdlxw.exe
  2⤵
  PID:5808
- C:\Windows\System32\ztKCuPr.exe
  C:\Windows\System32\ztKCuPr.exe
  2⤵
  PID:5756
- C:\Windows\System32\VgZVsCy.exe
  C:\Windows\System32\VgZVsCy.exe
  2⤵
  PID:5656
- C:\Windows\System32\VuGOboW.exe
  C:\Windows\System32\VuGOboW.exe
  2⤵
  PID:5616
- C:\Windows\System32\uYtMnsv.exe
  C:\Windows\System32\uYtMnsv.exe
  2⤵
  PID:5568
- C:\Windows\System32\fKtcBzf.exe
  C:\Windows\System32\fKtcBzf.exe
  2⤵
  PID:5480
- C:\Windows\System32\NBCaqcp.exe
  C:\Windows\System32\NBCaqcp.exe
  2⤵
  PID:5428
- C:\Windows\System32\nQXkqad.exe
  C:\Windows\System32\nQXkqad.exe
  2⤵
  PID:5980
- C:\Windows\System32\isrkLkV.exe
  C:\Windows\System32\isrkLkV.exe
  2⤵
  PID:6016
- C:\Windows\System32\wlMbMoN.exe
  C:\Windows\System32\wlMbMoN.exe
  2⤵
  PID:872
- C:\Windows\System32\fNXkojI.exe
  C:\Windows\System32\fNXkojI.exe
  2⤵
  PID:6044
- C:\Windows\System32\OcoWGXw.exe
  C:\Windows\System32\OcoWGXw.exe
  2⤵
  PID:6096
- C:\Windows\System32\HpwChDx.exe
  C:\Windows\System32\HpwChDx.exe
  2⤵
  PID:1380
- C:\Windows\System32\jWqXTNw.exe
  C:\Windows\System32\jWqXTNw.exe
  2⤵
  PID:4068
- C:\Windows\System32\DdZBOqG.exe
  C:\Windows\System32\DdZBOqG.exe
  2⤵
  PID:5128
- C:\Windows\System32\WAgNaNI.exe
  C:\Windows\System32\WAgNaNI.exe
  2⤵
  PID:5244
- C:\Windows\System32\JNAEJAz.exe
  C:\Windows\System32\JNAEJAz.exe
  2⤵
  PID:5848
- C:\Windows\System32\TAwqQAJ.exe
  C:\Windows\System32\TAwqQAJ.exe
  2⤵
  PID:5584
- C:\Windows\System32\FtvNRcd.exe
  C:\Windows\System32\FtvNRcd.exe
  2⤵
  PID:5476
- C:\Windows\System32\qQXOoOH.exe
  C:\Windows\System32\qQXOoOH.exe
  2⤵
  PID:5640
- C:\Windows\System32\YsGVzgo.exe
  C:\Windows\System32\YsGVzgo.exe
  2⤵
  PID:5260
- C:\Windows\System32\lVgSBbb.exe
  C:\Windows\System32\lVgSBbb.exe
  2⤵
  PID:3860
- C:\Windows\System32\zKlgHPJ.exe
  C:\Windows\System32\zKlgHPJ.exe
  2⤵
  PID:6068
- C:\Windows\System32\UkxFEqi.exe
  C:\Windows\System32\UkxFEqi.exe
  2⤵
  PID:6140
- C:\Windows\System32\XAHgNSH.exe
  C:\Windows\System32\XAHgNSH.exe
  2⤵
  PID:5240
- C:\Windows\System32\snrXUaw.exe
  C:\Windows\System32\snrXUaw.exe
  2⤵
  PID:5932
- C:\Windows\System32\AFtTcmb.exe
  C:\Windows\System32\AFtTcmb.exe
  2⤵
  PID:5396
- C:\Windows\System32\opfwPza.exe
  C:\Windows\System32\opfwPza.exe
  2⤵
  PID:432
- C:\Windows\System32\ycFtftF.exe
  C:\Windows\System32\ycFtftF.exe
  2⤵
  PID:6152
- C:\Windows\System32\aettoAq.exe
  C:\Windows\System32\aettoAq.exe
  2⤵
  PID:6244
- C:\Windows\System32\pNflJcQ.exe
  C:\Windows\System32\pNflJcQ.exe
  2⤵
  PID:6284
- C:\Windows\System32\ISVGXzB.exe
  C:\Windows\System32\ISVGXzB.exe
  2⤵
  PID:6300
- C:\Windows\System32\VkfDorM.exe
  C:\Windows\System32\VkfDorM.exe
  2⤵
  PID:6328
- C:\Windows\System32\CqIzySL.exe
  C:\Windows\System32\CqIzySL.exe
  2⤵
  PID:6348
- C:\Windows\System32\ycdlAWC.exe
  C:\Windows\System32\ycdlAWC.exe
  2⤵
  PID:6368
- C:\Windows\System32\CuGgLki.exe
  C:\Windows\System32\CuGgLki.exe
  2⤵
  PID:6404
- C:\Windows\System32\ZZvTloq.exe
  C:\Windows\System32\ZZvTloq.exe
  2⤵
  PID:6424
- C:\Windows\System32\oJmFTAV.exe
  C:\Windows\System32\oJmFTAV.exe
  2⤵
  PID:6444
- C:\Windows\System32\LgbITkl.exe
  C:\Windows\System32\LgbITkl.exe
  2⤵
  PID:6472
- C:\Windows\System32\hcbGlmT.exe
  C:\Windows\System32\hcbGlmT.exe
  2⤵
  PID:6496
- C:\Windows\System32\uMtfQbI.exe
  C:\Windows\System32\uMtfQbI.exe
  2⤵
  PID:6524
- C:\Windows\System32\KNZeMmb.exe
  C:\Windows\System32\KNZeMmb.exe
  2⤵
  PID:6576
- C:\Windows\System32\LPsVbri.exe
  C:\Windows\System32\LPsVbri.exe
  2⤵
  PID:6592
- C:\Windows\System32\BdNEbNQ.exe
  C:\Windows\System32\BdNEbNQ.exe
  2⤵
  PID:6620
- C:\Windows\System32\CEXOdhL.exe
  C:\Windows\System32\CEXOdhL.exe
  2⤵
  PID:6644
- C:\Windows\System32\pGwWCFc.exe
  C:\Windows\System32\pGwWCFc.exe
  2⤵
  PID:6668
- C:\Windows\System32\wvzXFXi.exe
  C:\Windows\System32\wvzXFXi.exe
  2⤵
  PID:6688
- C:\Windows\System32\ornfncL.exe
  C:\Windows\System32\ornfncL.exe
  2⤵
  PID:6728
- C:\Windows\System32\urtUqhZ.exe
  C:\Windows\System32\urtUqhZ.exe
  2⤵
  PID:6776
- C:\Windows\System32\zHBYERC.exe
  C:\Windows\System32\zHBYERC.exe
  2⤵
  PID:6796
- C:\Windows\System32\ggGwWVw.exe
  C:\Windows\System32\ggGwWVw.exe
  2⤵
  PID:6828
- C:\Windows\System32\EZoFJtL.exe
  C:\Windows\System32\EZoFJtL.exe
  2⤵
  PID:6848
- C:\Windows\System32\qNrPIXP.exe
  C:\Windows\System32\qNrPIXP.exe
  2⤵
  PID:6872
- C:\Windows\System32\pJRlIYu.exe
  C:\Windows\System32\pJRlIYu.exe
  2⤵
  PID:6896
- C:\Windows\System32\NGHAZRT.exe
  C:\Windows\System32\NGHAZRT.exe
  2⤵
  PID:6912
- C:\Windows\System32\izxhOsZ.exe
  C:\Windows\System32\izxhOsZ.exe
  2⤵
  PID:6936
- C:\Windows\System32\IkEribp.exe
  C:\Windows\System32\IkEribp.exe
  2⤵
  PID:6972
- C:\Windows\System32\EJktMJL.exe
  C:\Windows\System32\EJktMJL.exe
  2⤵
  PID:7000
- C:\Windows\System32\yUqSIOp.exe
  C:\Windows\System32\yUqSIOp.exe
  2⤵
  PID:7024
- C:\Windows\System32\MYvYMJw.exe
  C:\Windows\System32\MYvYMJw.exe
  2⤵
  PID:7040
- C:\Windows\System32\ENcFBmH.exe
  C:\Windows\System32\ENcFBmH.exe
  2⤵
  PID:7060
- C:\Windows\System32\JItzmrd.exe
  C:\Windows\System32\JItzmrd.exe
  2⤵
  PID:7084
- C:\Windows\System32\mTsGDYQ.exe
  C:\Windows\System32\mTsGDYQ.exe
  2⤵
  PID:7108
- C:\Windows\System32\oLNwFTH.exe
  C:\Windows\System32\oLNwFTH.exe
  2⤵
  PID:5764
- C:\Windows\System32\ousLvXj.exe
  C:\Windows\System32\ousLvXj.exe
  2⤵
  PID:3748
- C:\Windows\System32\ggaXCtd.exe
  C:\Windows\System32\ggaXCtd.exe
  2⤵
  PID:1528
- C:\Windows\System32\PncxmFT.exe
  C:\Windows\System32\PncxmFT.exe
  2⤵
  PID:5124
- C:\Windows\System32\VjMXPsQ.exe
  C:\Windows\System32\VjMXPsQ.exe
  2⤵
  PID:6384
- C:\Windows\System32\GCnbowI.exe
  C:\Windows\System32\GCnbowI.exe
  2⤵
  PID:6420
- C:\Windows\System32\vgvfpaW.exe
  C:\Windows\System32\vgvfpaW.exe
  2⤵
  PID:6436
- C:\Windows\System32\zpaXGlV.exe
  C:\Windows\System32\zpaXGlV.exe
  2⤵
  PID:6532
- C:\Windows\System32\eMyKWYm.exe
  C:\Windows\System32\eMyKWYm.exe
  2⤵
  PID:6604
- C:\Windows\System32\MjkCUux.exe
  C:\Windows\System32\MjkCUux.exe
  2⤵
  PID:6600
- C:\Windows\System32\rBSxKRE.exe
  C:\Windows\System32\rBSxKRE.exe
  2⤵
  PID:6664
- C:\Windows\System32\sZlnFnR.exe
  C:\Windows\System32\sZlnFnR.exe
  2⤵
  PID:6716
- C:\Windows\System32\MdKyzyg.exe
  C:\Windows\System32\MdKyzyg.exe
  2⤵
  PID:6784
- C:\Windows\System32\jqnqdZM.exe
  C:\Windows\System32\jqnqdZM.exe
  2⤵
  PID:6864
- C:\Windows\System32\eHnLlav.exe
  C:\Windows\System32\eHnLlav.exe
  2⤵
  PID:7036
- C:\Windows\System32\nLxoEXD.exe
  C:\Windows\System32\nLxoEXD.exe
  2⤵
  PID:7032
- C:\Windows\System32\tdPuVni.exe
  C:\Windows\System32\tdPuVni.exe
  2⤵
  PID:7128
- C:\Windows\System32\zYxvyWo.exe
  C:\Windows\System32\zYxvyWo.exe
  2⤵
  PID:6224
- C:\Windows\System32\nLAbeXH.exe
  C:\Windows\System32\nLAbeXH.exe
  2⤵
  PID:6260
- C:\Windows\System32\pUyGPMX.exe
  C:\Windows\System32\pUyGPMX.exe
  2⤵
  PID:6484
- C:\Windows\System32\acTEjqP.exe
  C:\Windows\System32\acTEjqP.exe
  2⤵
  PID:6628
- C:\Windows\System32\assAMHX.exe
  C:\Windows\System32\assAMHX.exe
  2⤵
  PID:6544
- C:\Windows\System32\ggzLdch.exe
  C:\Windows\System32\ggzLdch.exe
  2⤵
  PID:6708
- C:\Windows\System32\JoYULGU.exe
  C:\Windows\System32\JoYULGU.exe
  2⤵
  PID:6816
- C:\Windows\System32\WBxlFtG.exe
  C:\Windows\System32\WBxlFtG.exe
  2⤵
  PID:6888
- C:\Windows\System32\xzHapbH.exe
  C:\Windows\System32\xzHapbH.exe
  2⤵
  PID:6964
- C:\Windows\System32\IMrDwlg.exe
  C:\Windows\System32\IMrDwlg.exe
  2⤵
  PID:6216
- C:\Windows\System32\sSYBhEf.exe
  C:\Windows\System32\sSYBhEf.exe
  2⤵
  PID:6552
- C:\Windows\System32\isvDyEG.exe
  C:\Windows\System32\isvDyEG.exe
  2⤵
  PID:5348
- C:\Windows\System32\WnczOAq.exe
  C:\Windows\System32\WnczOAq.exe
  2⤵
  PID:5444
- C:\Windows\System32\RJjFzXV.exe
  C:\Windows\System32\RJjFzXV.exe
  2⤵
  PID:6548
- C:\Windows\System32\uVeQnUM.exe
  C:\Windows\System32\uVeQnUM.exe
  2⤵
  PID:7192
- C:\Windows\System32\EaxuyYq.exe
  C:\Windows\System32\EaxuyYq.exe
  2⤵
  PID:7216
- C:\Windows\System32\CFyqugE.exe
  C:\Windows\System32\CFyqugE.exe
  2⤵
  PID:7288
- C:\Windows\System32\Durmyzi.exe
  C:\Windows\System32\Durmyzi.exe
  2⤵
  PID:7344
- C:\Windows\System32\cBqJrBR.exe
  C:\Windows\System32\cBqJrBR.exe
  2⤵
  PID:7368
- C:\Windows\System32\FreEnKc.exe
  C:\Windows\System32\FreEnKc.exe
  2⤵
  PID:7392
- C:\Windows\System32\qyrhUEV.exe
  C:\Windows\System32\qyrhUEV.exe
  2⤵
  PID:7420
- C:\Windows\System32\vjorack.exe
  C:\Windows\System32\vjorack.exe
  2⤵
  PID:7472
- C:\Windows\System32\UpndYjn.exe
  C:\Windows\System32\UpndYjn.exe
  2⤵
  PID:7492
- C:\Windows\System32\XKONKzt.exe
  C:\Windows\System32\XKONKzt.exe
  2⤵
  PID:7528
- C:\Windows\System32\rTmfQhr.exe
  C:\Windows\System32\rTmfQhr.exe
  2⤵
  PID:7544
- C:\Windows\System32\nVNyIJN.exe
  C:\Windows\System32\nVNyIJN.exe
  2⤵
  PID:7572
- C:\Windows\System32\fwFLLIW.exe
  C:\Windows\System32\fwFLLIW.exe
  2⤵
  PID:7600
- C:\Windows\System32\nUhUyPm.exe
  C:\Windows\System32\nUhUyPm.exe
  2⤵
  PID:7616
- C:\Windows\System32\pTvemcr.exe
  C:\Windows\System32\pTvemcr.exe
  2⤵
  PID:7648
- C:\Windows\System32\FBKAZtM.exe
  C:\Windows\System32\FBKAZtM.exe
  2⤵
  PID:7668
- C:\Windows\System32\GcNgRMu.exe
  C:\Windows\System32\GcNgRMu.exe
  2⤵
  PID:7684
- C:\Windows\System32\JwheQPF.exe
  C:\Windows\System32\JwheQPF.exe
  2⤵
  PID:7708
- C:\Windows\System32\ZrPEgDv.exe
  C:\Windows\System32\ZrPEgDv.exe
  2⤵
  PID:7752
- C:\Windows\System32\rvlJaFp.exe
  C:\Windows\System32\rvlJaFp.exe
  2⤵
  PID:7788
- C:\Windows\System32\wNiapFx.exe
  C:\Windows\System32\wNiapFx.exe
  2⤵
  PID:7816
- C:\Windows\System32\AtgKEyX.exe
  C:\Windows\System32\AtgKEyX.exe
  2⤵
  PID:7836
- C:\Windows\System32\ONrAPyp.exe
  C:\Windows\System32\ONrAPyp.exe
  2⤵
  PID:7860
- C:\Windows\System32\SVPVQeo.exe
  C:\Windows\System32\SVPVQeo.exe
  2⤵
  PID:7884
- C:\Windows\System32\bMWUVaD.exe
  C:\Windows\System32\bMWUVaD.exe
  2⤵
  PID:7904
- C:\Windows\System32\DdpAQNC.exe
  C:\Windows\System32\DdpAQNC.exe
  2⤵
  PID:7952
- C:\Windows\System32\tLLkyOV.exe
  C:\Windows\System32\tLLkyOV.exe
  2⤵
  PID:7984
- C:\Windows\System32\kVyXaMW.exe
  C:\Windows\System32\kVyXaMW.exe
  2⤵
  PID:8000
- C:\Windows\System32\BCbzJUt.exe
  C:\Windows\System32\BCbzJUt.exe
  2⤵
  PID:8016
- C:\Windows\System32\SxEgBZX.exe
  C:\Windows\System32\SxEgBZX.exe
  2⤵
  PID:8056
- C:\Windows\System32\JdWkVkJ.exe
  C:\Windows\System32\JdWkVkJ.exe
  2⤵
  PID:8076
- C:\Windows\System32\UGMMjma.exe
  C:\Windows\System32\UGMMjma.exe
  2⤵
  PID:8096
- C:\Windows\System32\ZaJHQhj.exe
  C:\Windows\System32\ZaJHQhj.exe
  2⤵
  PID:8144
- C:\Windows\System32\afPDXQP.exe
  C:\Windows\System32\afPDXQP.exe
  2⤵
  PID:8172
- C:\Windows\System32\PlnrbLp.exe
  C:\Windows\System32\PlnrbLp.exe
  2⤵
  PID:7140
- C:\Windows\System32\gKhCfrS.exe
  C:\Windows\System32\gKhCfrS.exe
  2⤵
  PID:6724
- C:\Windows\System32\aCGxLUf.exe
  C:\Windows\System32\aCGxLUf.exe
  2⤵
  PID:7308
- C:\Windows\System32\DUIWTgP.exe
  C:\Windows\System32\DUIWTgP.exe
  2⤵
  PID:7336
- C:\Windows\System32\RWRDisr.exe
  C:\Windows\System32\RWRDisr.exe
  2⤵
  PID:7444
- C:\Windows\System32\sXcMYHN.exe
  C:\Windows\System32\sXcMYHN.exe
  2⤵
  PID:7468
- C:\Windows\System32\AzuUPaM.exe
  C:\Windows\System32\AzuUPaM.exe
  2⤵
  PID:7504
- C:\Windows\System32\BAUZLjh.exe
  C:\Windows\System32\BAUZLjh.exe
  2⤵
  PID:7536
- C:\Windows\System32\rkLaxCI.exe
  C:\Windows\System32\rkLaxCI.exe
  2⤵
  PID:7584
- C:\Windows\System32\WcVLcMN.exe
  C:\Windows\System32\WcVLcMN.exe
  2⤵
  PID:7644
- C:\Windows\System32\DitFFxd.exe
  C:\Windows\System32\DitFFxd.exe
  2⤵
  PID:7720
- C:\Windows\System32\fGuLAfJ.exe
  C:\Windows\System32\fGuLAfJ.exe
  2⤵
  PID:7856
- C:\Windows\System32\ayehOzN.exe
  C:\Windows\System32\ayehOzN.exe
  2⤵
  PID:7912
- C:\Windows\System32\mhmWWlh.exe
  C:\Windows\System32\mhmWWlh.exe
  2⤵
  PID:7928
- C:\Windows\System32\GrgXGAb.exe
  C:\Windows\System32\GrgXGAb.exe
  2⤵
  PID:8072
- C:\Windows\System32\DiryRqr.exe
  C:\Windows\System32\DiryRqr.exe
  2⤵
  PID:8088
- C:\Windows\System32\bfbdiDw.exe
  C:\Windows\System32\bfbdiDw.exe
  2⤵
  PID:8184
- C:\Windows\System32\KARkQNf.exe
  C:\Windows\System32\KARkQNf.exe
  2⤵
  PID:8180
- C:\Windows\System32\eIDMULi.exe
  C:\Windows\System32\eIDMULi.exe
  2⤵
  PID:6504
- C:\Windows\System32\cYxLKdS.exe
  C:\Windows\System32\cYxLKdS.exe
  2⤵
  PID:7408
- C:\Windows\System32\OjSfOqY.exe
  C:\Windows\System32\OjSfOqY.exe
  2⤵
  PID:7512
- C:\Windows\System32\XcACZrM.exe
  C:\Windows\System32\XcACZrM.exe
  2⤵
  PID:7680
- C:\Windows\System32\rUEgrRs.exe
  C:\Windows\System32\rUEgrRs.exe
  2⤵
  PID:7716
- C:\Windows\System32\XgYozEc.exe
  C:\Windows\System32\XgYozEc.exe
  2⤵
  PID:7852
- C:\Windows\System32\gihOMbY.exe
  C:\Windows\System32\gihOMbY.exe
  2⤵
  PID:7976
- C:\Windows\System32\yswTtVC.exe
  C:\Windows\System32\yswTtVC.exe
  2⤵
  PID:8012
- C:\Windows\System32\RdsdeEC.exe
  C:\Windows\System32\RdsdeEC.exe
  2⤵
  PID:7328
- C:\Windows\System32\wDdsgEC.exe
  C:\Windows\System32\wDdsgEC.exe
  2⤵
  PID:7812
- C:\Windows\System32\iluqqtt.exe
  C:\Windows\System32\iluqqtt.exe
  2⤵
  PID:1440
- C:\Windows\System32\wxvPOxE.exe
  C:\Windows\System32\wxvPOxE.exe
  2⤵
  PID:8008
- C:\Windows\System32\DzqTShu.exe
  C:\Windows\System32\DzqTShu.exe
  2⤵
  PID:8116
- C:\Windows\System32\oNwenCO.exe
  C:\Windows\System32\oNwenCO.exe
  2⤵
  PID:8200
- C:\Windows\System32\NaWSMIt.exe
  C:\Windows\System32\NaWSMIt.exe
  2⤵
  PID:8256
- C:\Windows\System32\HVnKQfU.exe
  C:\Windows\System32\HVnKQfU.exe
  2⤵
  PID:8292
- C:\Windows\System32\MzUqOOz.exe
  C:\Windows\System32\MzUqOOz.exe
  2⤵
  PID:8312
- C:\Windows\System32\mZpeGib.exe
  C:\Windows\System32\mZpeGib.exe
  2⤵
  PID:8344
- C:\Windows\System32\TqsyRsv.exe
  C:\Windows\System32\TqsyRsv.exe
  2⤵
  PID:8384
- C:\Windows\System32\bagmhng.exe
  C:\Windows\System32\bagmhng.exe
  2⤵
  PID:8400
- C:\Windows\System32\NVjVhzP.exe
  C:\Windows\System32\NVjVhzP.exe
  2⤵
  PID:8416
- C:\Windows\System32\FSljfVF.exe
  C:\Windows\System32\FSljfVF.exe
  2⤵
  PID:8448
- C:\Windows\System32\NgomtXn.exe
  C:\Windows\System32\NgomtXn.exe
  2⤵
  PID:8488
- C:\Windows\System32\HAyeWzJ.exe
  C:\Windows\System32\HAyeWzJ.exe
  2⤵
  PID:8520
- C:\Windows\System32\YpUveIq.exe
  C:\Windows\System32\YpUveIq.exe
  2⤵
  PID:8544
- C:\Windows\System32\bPGbcwc.exe
  C:\Windows\System32\bPGbcwc.exe
  2⤵
  PID:8560
- C:\Windows\System32\QAWhjli.exe
  C:\Windows\System32\QAWhjli.exe
  2⤵
  PID:8580
- C:\Windows\System32\aSerAPN.exe
  C:\Windows\System32\aSerAPN.exe
  2⤵
  PID:8604
- C:\Windows\System32\vTCFHCd.exe
  C:\Windows\System32\vTCFHCd.exe
  2⤵
  PID:8624
- C:\Windows\System32\ULCIbpp.exe
  C:\Windows\System32\ULCIbpp.exe
  2⤵
  PID:8640
- C:\Windows\System32\JdPKCre.exe
  C:\Windows\System32\JdPKCre.exe
  2⤵
  PID:8676
- C:\Windows\System32\RlCZhCC.exe
  C:\Windows\System32\RlCZhCC.exe
  2⤵
  PID:8712
- C:\Windows\System32\NXUpIPi.exe
  C:\Windows\System32\NXUpIPi.exe
  2⤵
  PID:8760
- C:\Windows\System32\wWpQuvi.exe
  C:\Windows\System32\wWpQuvi.exe
  2⤵
  PID:8776
- C:\Windows\System32\IDApsVd.exe
  C:\Windows\System32\IDApsVd.exe
  2⤵
  PID:8812
- C:\Windows\System32\YxLrQLH.exe
  C:\Windows\System32\YxLrQLH.exe
  2⤵
  PID:8828
- C:\Windows\System32\ZidvKgg.exe
  C:\Windows\System32\ZidvKgg.exe
  2⤵
  PID:8908
- C:\Windows\System32\wFEbnPC.exe
  C:\Windows\System32\wFEbnPC.exe
  2⤵
  PID:8932
- C:\Windows\System32\nrgTRjm.exe
  C:\Windows\System32\nrgTRjm.exe
  2⤵
  PID:8948
- C:\Windows\System32\AUxJeUv.exe
  C:\Windows\System32\AUxJeUv.exe
  2⤵
  PID:8976
- C:\Windows\System32\gNvuhGc.exe
  C:\Windows\System32\gNvuhGc.exe
  2⤵
  PID:8992
- C:\Windows\System32\tjfaJRZ.exe
  C:\Windows\System32\tjfaJRZ.exe
  2⤵
  PID:9028
- C:\Windows\System32\YQwKerd.exe
  C:\Windows\System32\YQwKerd.exe
  2⤵
  PID:9044
- C:\Windows\System32\EUZzkvS.exe
  C:\Windows\System32\EUZzkvS.exe
  2⤵
  PID:9092
- C:\Windows\System32\YkTUpBk.exe
  C:\Windows\System32\YkTUpBk.exe
  2⤵
  PID:9112
- C:\Windows\System32\ntscuqa.exe
  C:\Windows\System32\ntscuqa.exe
  2⤵
  PID:9152
- C:\Windows\System32\KgtgOCv.exe
  C:\Windows\System32\KgtgOCv.exe
  2⤵
  PID:9184
- C:\Windows\System32\MKNOOLt.exe
  C:\Windows\System32\MKNOOLt.exe
  2⤵
  PID:9200
- C:\Windows\System32\TWNkfRs.exe
  C:\Windows\System32\TWNkfRs.exe
  2⤵
  PID:5948
- C:\Windows\System32\yKOHeql.exe
  C:\Windows\System32\yKOHeql.exe
  2⤵
  PID:7664
- C:\Windows\System32\jiLClZD.exe
  C:\Windows\System32\jiLClZD.exe
  2⤵
  PID:8264
- C:\Windows\System32\DKPKiQR.exe
  C:\Windows\System32\DKPKiQR.exe
  2⤵
  PID:8320
- C:\Windows\System32\FEbcKIm.exe
  C:\Windows\System32\FEbcKIm.exe
  2⤵
  PID:8500
- C:\Windows\System32\KWffizm.exe
  C:\Windows\System32\KWffizm.exe
  2⤵
  PID:8596
- C:\Windows\System32\XoUDwIY.exe
  C:\Windows\System32\XoUDwIY.exe
  2⤵
  PID:8656
- C:\Windows\System32\jawpwDV.exe
  C:\Windows\System32\jawpwDV.exe
  2⤵
  PID:8664
- C:\Windows\System32\TIDMLqa.exe
  C:\Windows\System32\TIDMLqa.exe
  2⤵
  PID:8748
- C:\Windows\System32\DoxKHHN.exe
  C:\Windows\System32\DoxKHHN.exe
  2⤵
  PID:8736
- C:\Windows\System32\AFmwpqZ.exe
  C:\Windows\System32\AFmwpqZ.exe
  2⤵
  PID:8768
- C:\Windows\System32\wvCyCno.exe
  C:\Windows\System32\wvCyCno.exe
  2⤵
  PID:8984
- C:\Windows\System32\gNcCCex.exe
  C:\Windows\System32\gNcCCex.exe
  2⤵
  PID:9036
- C:\Windows\System32\cpeqOli.exe
  C:\Windows\System32\cpeqOli.exe
  2⤵
  PID:8248
- C:\Windows\System32\DmALVPF.exe
  C:\Windows\System32\DmALVPF.exe
  2⤵
  PID:8540
- C:\Windows\System32\goCkQVK.exe
  C:\Windows\System32\goCkQVK.exe
  2⤵
  PID:8424
- C:\Windows\System32\rQOIkUx.exe
  C:\Windows\System32\rQOIkUx.exe
  2⤵
  PID:8824
- C:\Windows\System32\PuiQIHi.exe
  C:\Windows\System32\PuiQIHi.exe
  2⤵
  PID:8968
- C:\Windows\System32\yJkOhmk.exe
  C:\Windows\System32\yJkOhmk.exe
  2⤵
  PID:8476
- C:\Windows\System32\gksXUxi.exe
  C:\Windows\System32\gksXUxi.exe
  2⤵
  PID:8572
- C:\Windows\System32\IuDfNyD.exe
  C:\Windows\System32\IuDfNyD.exe
  2⤵
  PID:9176
- C:\Windows\System32\HdwDXIp.exe
  C:\Windows\System32\HdwDXIp.exe
  2⤵
  PID:8916
- C:\Windows\System32\JqtcndE.exe
  C:\Windows\System32\JqtcndE.exe
  2⤵
  PID:1532
- C:\Windows\System32\DixuPtN.exe
  C:\Windows\System32\DixuPtN.exe
  2⤵
  PID:8940
- C:\Windows\System32\PYjOdKS.exe
  C:\Windows\System32\PYjOdKS.exe
  2⤵
  PID:8820
- C:\Windows\System32\PTtiGzH.exe
  C:\Windows\System32\PTtiGzH.exe
  2⤵
  PID:8516
- C:\Windows\System32\FFhssue.exe
  C:\Windows\System32\FFhssue.exe
  2⤵
  PID:7896
- C:\Windows\System32\huezUlG.exe
  C:\Windows\System32\huezUlG.exe
  2⤵
  PID:8436
- C:\Windows\System32\zVpyKui.exe
  C:\Windows\System32\zVpyKui.exe
  2⤵
  PID:9292
- C:\Windows\System32\LrYmowP.exe
  C:\Windows\System32\LrYmowP.exe
  2⤵
  PID:9344
- C:\Windows\System32\ZkQtRid.exe
  C:\Windows\System32\ZkQtRid.exe
  2⤵
  PID:9372
- C:\Windows\System32\iebRvps.exe
  C:\Windows\System32\iebRvps.exe
  2⤵
  PID:9396
- C:\Windows\System32\mxtuMLm.exe
  C:\Windows\System32\mxtuMLm.exe
  2⤵
  PID:9416
- C:\Windows\System32\TcKpVSu.exe
  C:\Windows\System32\TcKpVSu.exe
  2⤵
  PID:9440
- C:\Windows\System32\TJMyOuX.exe
  C:\Windows\System32\TJMyOuX.exe
  2⤵
  PID:9456
- C:\Windows\System32\MiiPfFr.exe
  C:\Windows\System32\MiiPfFr.exe
  2⤵
  PID:9516
- C:\Windows\System32\crslEjp.exe
  C:\Windows\System32\crslEjp.exe
  2⤵
  PID:9548
- C:\Windows\System32\PZQxCrr.exe
  C:\Windows\System32\PZQxCrr.exe
  2⤵
  PID:9588
- C:\Windows\System32\XZUyUOX.exe
  C:\Windows\System32\XZUyUOX.exe
  2⤵
  PID:9612
- C:\Windows\System32\WpnxgXE.exe
  C:\Windows\System32\WpnxgXE.exe
  2⤵
  PID:9636
- C:\Windows\System32\PbdZtOb.exe
  C:\Windows\System32\PbdZtOb.exe
  2⤵
  PID:9652
- C:\Windows\System32\vYuGtfr.exe
  C:\Windows\System32\vYuGtfr.exe
  2⤵
  PID:9668
- C:\Windows\System32\eoakOCu.exe
  C:\Windows\System32\eoakOCu.exe
  2⤵
  PID:9696
- C:\Windows\System32\IPzQOlu.exe
  C:\Windows\System32\IPzQOlu.exe
  2⤵
  PID:9720
- C:\Windows\System32\qdsVFYu.exe
  C:\Windows\System32\qdsVFYu.exe
  2⤵
  PID:9736
- C:\Windows\System32\fOUBfFT.exe
  C:\Windows\System32\fOUBfFT.exe
  2⤵
  PID:9788
- C:\Windows\System32\SXNdDqw.exe
  C:\Windows\System32\SXNdDqw.exe
  2⤵
  PID:9820
- C:\Windows\System32\LnPpBsa.exe
  C:\Windows\System32\LnPpBsa.exe
  2⤵
  PID:9844
- C:\Windows\System32\EiJJlIz.exe
  C:\Windows\System32\EiJJlIz.exe
  2⤵
  PID:9888
- C:\Windows\System32\GIpATey.exe
  C:\Windows\System32\GIpATey.exe
  2⤵
  PID:9908
- C:\Windows\System32\KUAmySQ.exe
  C:\Windows\System32\KUAmySQ.exe
  2⤵
  PID:9924
- C:\Windows\System32\bNSOyqh.exe
  C:\Windows\System32\bNSOyqh.exe
  2⤵
  PID:9948
- C:\Windows\System32\JqtuITQ.exe
  C:\Windows\System32\JqtuITQ.exe
  2⤵
  PID:9964
- C:\Windows\System32\QMgevBX.exe
  C:\Windows\System32\QMgevBX.exe
  2⤵
  PID:9988
- C:\Windows\System32\SfnIzCD.exe
  C:\Windows\System32\SfnIzCD.exe
  2⤵
  PID:10004
- C:\Windows\System32\HuAqzUu.exe
  C:\Windows\System32\HuAqzUu.exe
  2⤵
  PID:10044
- C:\Windows\System32\xsVOIuw.exe
  C:\Windows\System32\xsVOIuw.exe
  2⤵
  PID:10068
- C:\Windows\System32\lBMhjLP.exe
  C:\Windows\System32\lBMhjLP.exe
  2⤵
  PID:10092
- C:\Windows\System32\vGrocGb.exe
  C:\Windows\System32\vGrocGb.exe
  2⤵
  PID:10136
- C:\Windows\System32\ZLNbTfb.exe
  C:\Windows\System32\ZLNbTfb.exe
  2⤵
  PID:10184
- C:\Windows\System32\qRdAYXk.exe
  C:\Windows\System32\qRdAYXk.exe
  2⤵
  PID:10232
- C:\Windows\System32\gquCWRe.exe
  C:\Windows\System32\gquCWRe.exe
  2⤵
  PID:8576
- C:\Windows\System32\mwMjdoe.exe
  C:\Windows\System32\mwMjdoe.exe
  2⤵
  PID:8552
- C:\Windows\System32\WRFFtTi.exe
  C:\Windows\System32\WRFFtTi.exe
  2⤵
  PID:9288
- C:\Windows\System32\gvHUzoJ.exe
  C:\Windows\System32\gvHUzoJ.exe
  2⤵
  PID:9364
- C:\Windows\System32\uRCJoOU.exe
  C:\Windows\System32\uRCJoOU.exe
  2⤵
  PID:9452
- C:\Windows\System32\pbaYdCu.exe
  C:\Windows\System32\pbaYdCu.exe
  2⤵
  PID:9448
- C:\Windows\System32\OeoGXzE.exe
  C:\Windows\System32\OeoGXzE.exe
  2⤵
  PID:9532
- C:\Windows\System32\AkrMdvp.exe
  C:\Windows\System32\AkrMdvp.exe
  2⤵
  PID:9620
- C:\Windows\System32\beWlJMh.exe
  C:\Windows\System32\beWlJMh.exe
  2⤵
  PID:9648
- C:\Windows\System32\VGseftc.exe
  C:\Windows\System32\VGseftc.exe
  2⤵
  PID:9660
- C:\Windows\System32\wLjWlTW.exe
  C:\Windows\System32\wLjWlTW.exe
  2⤵
  PID:9800
- C:\Windows\System32\crrMpyW.exe
  C:\Windows\System32\crrMpyW.exe
  2⤵
  PID:9904
- C:\Windows\System32\QzVfaOi.exe
  C:\Windows\System32\QzVfaOi.exe
  2⤵
  PID:9972
- C:\Windows\System32\RmSLQVu.exe
  C:\Windows\System32\RmSLQVu.exe
  2⤵
  PID:9940
- C:\Windows\System32\WzFAqoP.exe
  C:\Windows\System32\WzFAqoP.exe
  2⤵
  PID:10000
- C:\Windows\System32\NSIkXcQ.exe
  C:\Windows\System32\NSIkXcQ.exe
  2⤵
  PID:10064
- C:\Windows\System32\NaOBIVI.exe
  C:\Windows\System32\NaOBIVI.exe
  2⤵
  PID:10120
- C:\Windows\System32\pevkTNN.exe
  C:\Windows\System32\pevkTNN.exe
  2⤵
  PID:10164
- C:\Windows\System32\myGEpNi.exe
  C:\Windows\System32\myGEpNi.exe
  2⤵
  PID:8636
- C:\Windows\System32\OAYlPZw.exe
  C:\Windows\System32\OAYlPZw.exe
  2⤵
  PID:9272
- C:\Windows\System32\QARHknK.exe
  C:\Windows\System32\QARHknK.exe
  2⤵
  PID:9536
- C:\Windows\System32\ZdjIFfh.exe
  C:\Windows\System32\ZdjIFfh.exe
  2⤵
  PID:9644
- C:\Windows\System32\KBxFCKh.exe
  C:\Windows\System32\KBxFCKh.exe
  2⤵
  PID:9936
- C:\Windows\System32\EkjOUbs.exe
  C:\Windows\System32\EkjOUbs.exe
  2⤵
  PID:9932
- C:\Windows\System32\HVYGDJQ.exe
  C:\Windows\System32\HVYGDJQ.exe
  2⤵
  PID:10176
- C:\Windows\System32\PijXQah.exe
  C:\Windows\System32\PijXQah.exe
  2⤵
  PID:10224
- C:\Windows\System32\QPLpKqL.exe
  C:\Windows\System32\QPLpKqL.exe
  2⤵
  PID:9524
- C:\Windows\System32\KHoRAsq.exe
  C:\Windows\System32\KHoRAsq.exe
  2⤵
  PID:9284
- C:\Windows\System32\gMTfmcn.exe
  C:\Windows\System32\gMTfmcn.exe
  2⤵
  PID:9576
- C:\Windows\System32\cQTdnDN.exe
  C:\Windows\System32\cQTdnDN.exe
  2⤵
  PID:9752
- C:\Windows\System32\SPCMFhJ.exe
  C:\Windows\System32\SPCMFhJ.exe
  2⤵
  PID:10260
- C:\Windows\System32\XBtovQp.exe
  C:\Windows\System32\XBtovQp.exe
  2⤵
  PID:10296
- C:\Windows\System32\NHfZWzP.exe
  C:\Windows\System32\NHfZWzP.exe
  2⤵
  PID:10316
- C:\Windows\System32\eaJAmjG.exe
  C:\Windows\System32\eaJAmjG.exe
  2⤵
  PID:10344
- C:\Windows\System32\EnvQzvi.exe
  C:\Windows\System32\EnvQzvi.exe
  2⤵
  PID:10368
- C:\Windows\System32\kUQGZBR.exe
  C:\Windows\System32\kUQGZBR.exe
  2⤵
  PID:10388
- C:\Windows\System32\NnNeibt.exe
  C:\Windows\System32\NnNeibt.exe
  2⤵
  PID:10428
- C:\Windows\System32\FGUXRzR.exe
  C:\Windows\System32\FGUXRzR.exe
  2⤵
  PID:10448
- C:\Windows\System32\qyeqvpH.exe
  C:\Windows\System32\qyeqvpH.exe
  2⤵
  PID:10464
- C:\Windows\System32\nooFhsR.exe
  C:\Windows\System32\nooFhsR.exe
  2⤵
  PID:10500
- C:\Windows\System32\TnfKWyr.exe
  C:\Windows\System32\TnfKWyr.exe
  2⤵
  PID:10528
- C:\Windows\System32\PyvcmBj.exe
  C:\Windows\System32\PyvcmBj.exe
  2⤵
  PID:10544
- C:\Windows\System32\oZYUnrc.exe
  C:\Windows\System32\oZYUnrc.exe
  2⤵
  PID:10580
- C:\Windows\System32\qqJUePQ.exe
  C:\Windows\System32\qqJUePQ.exe
  2⤵
  PID:10596
- C:\Windows\System32\lpPwlNR.exe
  C:\Windows\System32\lpPwlNR.exe
  2⤵
  PID:10620
- C:\Windows\System32\LbxmGjp.exe
  C:\Windows\System32\LbxmGjp.exe
  2⤵
  PID:10636
- C:\Windows\System32\PEHiKED.exe
  C:\Windows\System32\PEHiKED.exe
  2⤵
  PID:10684
- C:\Windows\System32\ZqWNVbd.exe
  C:\Windows\System32\ZqWNVbd.exe
  2⤵
  PID:10700
- C:\Windows\System32\ZXZanVU.exe
  C:\Windows\System32\ZXZanVU.exe
  2⤵
  PID:10748
- C:\Windows\System32\xpZWbIL.exe
  C:\Windows\System32\xpZWbIL.exe
  2⤵
  PID:10776
- C:\Windows\System32\YvYpvSb.exe
  C:\Windows\System32\YvYpvSb.exe
  2⤵
  PID:10800
- C:\Windows\System32\XpfUCDw.exe
  C:\Windows\System32\XpfUCDw.exe
  2⤵
  PID:10820
- C:\Windows\System32\VyqpvHi.exe
  C:\Windows\System32\VyqpvHi.exe
  2⤵
  PID:10844
- C:\Windows\System32\ackOsTc.exe
  C:\Windows\System32\ackOsTc.exe
  2⤵
  PID:10908
- C:\Windows\System32\griPAwo.exe
  C:\Windows\System32\griPAwo.exe
  2⤵
  PID:10940
- C:\Windows\System32\NIMBsOi.exe
  C:\Windows\System32\NIMBsOi.exe
  2⤵
  PID:10964
- C:\Windows\System32\rpgJYkD.exe
  C:\Windows\System32\rpgJYkD.exe
  2⤵
  PID:11012
- C:\Windows\System32\CwIeIog.exe
  C:\Windows\System32\CwIeIog.exe
  2⤵
  PID:11056
- C:\Windows\System32\ZSofYmH.exe
  C:\Windows\System32\ZSofYmH.exe
  2⤵
  PID:11072
- C:\Windows\System32\HgVLSkw.exe
  C:\Windows\System32\HgVLSkw.exe
  2⤵
  PID:11088
- C:\Windows\System32\yoXGRPG.exe
  C:\Windows\System32\yoXGRPG.exe
  2⤵
  PID:11108
- C:\Windows\System32\caWVDNP.exe
  C:\Windows\System32\caWVDNP.exe
  2⤵
  PID:11124
- C:\Windows\System32\IHutayQ.exe
  C:\Windows\System32\IHutayQ.exe
  2⤵
  PID:11160
- C:\Windows\System32\KoncoVV.exe
  C:\Windows\System32\KoncoVV.exe
  2⤵
  PID:11176
- C:\Windows\System32\USoTPYJ.exe
  C:\Windows\System32\USoTPYJ.exe
  2⤵
  PID:11196
- C:\Windows\System32\INmsnEV.exe
  C:\Windows\System32\INmsnEV.exe
  2⤵
  PID:11220
- C:\Windows\System32\QjpzaTF.exe
  C:\Windows\System32\QjpzaTF.exe
  2⤵
  PID:10256
- C:\Windows\System32\LEfxNKu.exe
  C:\Windows\System32\LEfxNKu.exe
  2⤵
  PID:10328
- C:\Windows\System32\TxABlZn.exe
  C:\Windows\System32\TxABlZn.exe
  2⤵
  PID:10408
- C:\Windows\System32\JIgKKQg.exe
  C:\Windows\System32\JIgKKQg.exe
  2⤵
  PID:10460
- C:\Windows\System32\HmLrHQg.exe
  C:\Windows\System32\HmLrHQg.exe
  2⤵
  PID:10512
- C:\Windows\System32\eyoAmaa.exe
  C:\Windows\System32\eyoAmaa.exe
  2⤵
  PID:10572
- C:\Windows\System32\DlJWtpW.exe
  C:\Windows\System32\DlJWtpW.exe
  2⤵
  PID:10628
- C:\Windows\System32\bjWrtVo.exe
  C:\Windows\System32\bjWrtVo.exe
  2⤵
  PID:10656
- C:\Windows\System32\kKnTLji.exe
  C:\Windows\System32\kKnTLji.exe
  2⤵
  PID:10756
- C:\Windows\System32\iCWKfEv.exe
  C:\Windows\System32\iCWKfEv.exe
  2⤵
  PID:10788
- C:\Windows\System32\byIFAnq.exe
  C:\Windows\System32\byIFAnq.exe
  2⤵
  PID:10872
- C:\Windows\System32\uKVRApy.exe
  C:\Windows\System32\uKVRApy.exe
  2⤵
  PID:10924
- C:\Windows\System32\KfCLwva.exe
  C:\Windows\System32\KfCLwva.exe
  2⤵
  PID:11048
- C:\Windows\System32\mqbOlAm.exe
  C:\Windows\System32\mqbOlAm.exe
  2⤵
  PID:11144
- C:\Windows\System32\QvmooBD.exe
  C:\Windows\System32\QvmooBD.exe
  2⤵
  PID:11116
- C:\Windows\System32\kbsGFeu.exe
  C:\Windows\System32\kbsGFeu.exe
  2⤵
  PID:11192
- C:\Windows\System32\GfncLRB.exe
  C:\Windows\System32\GfncLRB.exe
  2⤵
  PID:11188
- C:\Windows\System32\KGPIBbX.exe
  C:\Windows\System32\KGPIBbX.exe
  2⤵
  PID:10304
- C:\Windows\System32\NGJHgCm.exe
  C:\Windows\System32\NGJHgCm.exe
  2⤵
  PID:10484
- C:\Windows\System32\sIdPLEt.exe
  C:\Windows\System32\sIdPLEt.exe
  2⤵
  PID:10556
- C:\Windows\System32\NzJNvlL.exe
  C:\Windows\System32\NzJNvlL.exe
  2⤵
  PID:10852
- C:\Windows\System32\vASgcMf.exe
  C:\Windows\System32\vASgcMf.exe
  2⤵
  PID:10808
- C:\Windows\System32\BMskZCt.exe
  C:\Windows\System32\BMskZCt.exe
  2⤵
  PID:11240
- C:\Windows\System32\RLzEpZy.exe
  C:\Windows\System32\RLzEpZy.exe
  2⤵
  PID:10284
- C:\Windows\System32\XvUEqHP.exe
  C:\Windows\System32\XvUEqHP.exe
  2⤵
  PID:10612
- C:\Windows\System32\TLjtuPZ.exe
  C:\Windows\System32\TLjtuPZ.exe
  2⤵
  PID:11216
- C:\Windows\System32\SVsAWoc.exe
  C:\Windows\System32\SVsAWoc.exe
  2⤵
  PID:11104
- C:\Windows\System32\hhmPbpK.exe
  C:\Windows\System32\hhmPbpK.exe
  2⤵
  PID:11284
- C:\Windows\System32\NplbJiM.exe
  C:\Windows\System32\NplbJiM.exe
  2⤵
  PID:11308
- C:\Windows\System32\tnJdimV.exe
  C:\Windows\System32\tnJdimV.exe
  2⤵
  PID:11380
- C:\Windows\System32\ryDgqXx.exe
  C:\Windows\System32\ryDgqXx.exe
  2⤵
  PID:11404
- C:\Windows\System32\kZgepba.exe
  C:\Windows\System32\kZgepba.exe
  2⤵
  PID:11432
- C:\Windows\System32\FlLeZeq.exe
  C:\Windows\System32\FlLeZeq.exe
  2⤵
  PID:11472
- C:\Windows\System32\XLJpdfE.exe
  C:\Windows\System32\XLJpdfE.exe
  2⤵
  PID:11500
- C:\Windows\System32\pSTBfAj.exe
  C:\Windows\System32\pSTBfAj.exe
  2⤵
  PID:11516
- C:\Windows\System32\bttnwed.exe
  C:\Windows\System32\bttnwed.exe
  2⤵
  PID:11544
- C:\Windows\System32\tvYiPUD.exe
  C:\Windows\System32\tvYiPUD.exe
  2⤵
  PID:11572
- C:\Windows\System32\NYpNKOQ.exe
  C:\Windows\System32\NYpNKOQ.exe
  2⤵
  PID:11600
- C:\Windows\System32\qQyIDJq.exe
  C:\Windows\System32\qQyIDJq.exe
  2⤵
  PID:11620
- C:\Windows\System32\oVUTvyb.exe
  C:\Windows\System32\oVUTvyb.exe
  2⤵
  PID:11648
- C:\Windows\System32\qnOLYPD.exe
  C:\Windows\System32\qnOLYPD.exe
  2⤵
  PID:11676
- C:\Windows\System32\XxaZvCZ.exe
  C:\Windows\System32\XxaZvCZ.exe
  2⤵
  PID:11708
- C:\Windows\System32\oyHfZBo.exe
  C:\Windows\System32\oyHfZBo.exe
  2⤵
  PID:11732
- C:\Windows\System32\nopwfal.exe
  C:\Windows\System32\nopwfal.exe
  2⤵
  PID:11756
- C:\Windows\System32\PWauCDE.exe
  C:\Windows\System32\PWauCDE.exe
  2⤵
  PID:11776
- C:\Windows\System32\DhclFKO.exe
  C:\Windows\System32\DhclFKO.exe
  2⤵
  PID:11796
- C:\Windows\System32\qGjztOK.exe
  C:\Windows\System32\qGjztOK.exe
  2⤵
  PID:11812
- C:\Windows\System32\AkvlGoe.exe
  C:\Windows\System32\AkvlGoe.exe
  2⤵
  PID:11836
- C:\Windows\System32\INtopRb.exe
  C:\Windows\System32\INtopRb.exe
  2⤵
  PID:11860
- C:\Windows\System32\oksgGJJ.exe
  C:\Windows\System32\oksgGJJ.exe
  2⤵
  PID:11904
- C:\Windows\System32\xViEbDW.exe
  C:\Windows\System32\xViEbDW.exe
  2⤵
  PID:11968
- C:\Windows\System32\iGRGUor.exe
  C:\Windows\System32\iGRGUor.exe
  2⤵
  PID:11984
- C:\Windows\System32\hldagwX.exe
  C:\Windows\System32\hldagwX.exe
  2⤵
  PID:12008
- C:\Windows\System32\cCwfAei.exe
  C:\Windows\System32\cCwfAei.exe
  2⤵
  PID:12024
- C:\Windows\System32\hOELSLh.exe
  C:\Windows\System32\hOELSLh.exe
  2⤵
  PID:12068
- C:\Windows\System32\UxHuYpV.exe
  C:\Windows\System32\UxHuYpV.exe
  2⤵
  PID:12096
- C:\Windows\System32\CiHwXvm.exe
  C:\Windows\System32\CiHwXvm.exe
  2⤵
  PID:12116
- C:\Windows\System32\ONzzQJb.exe
  C:\Windows\System32\ONzzQJb.exe
  2⤵
  PID:12140
- C:\Windows\System32\IQptDzF.exe
  C:\Windows\System32\IQptDzF.exe
  2⤵
  PID:12180
- C:\Windows\System32\ltYSsSx.exe
  C:\Windows\System32\ltYSsSx.exe
  2⤵
  PID:12248
- C:\Windows\System32\frmpkzx.exe
  C:\Windows\System32\frmpkzx.exe
  2⤵
  PID:12280
- C:\Windows\System32\mGtsFbo.exe
  C:\Windows\System32\mGtsFbo.exe
  2⤵
  PID:10536
- C:\Windows\System32\mMikxcC.exe
  C:\Windows\System32\mMikxcC.exe
  2⤵
  PID:11268
- C:\Windows\System32\TqGyEHX.exe
  C:\Windows\System32\TqGyEHX.exe
  2⤵
  PID:11320
- C:\Windows\System32\lrhdIUe.exe
  C:\Windows\System32\lrhdIUe.exe
  2⤵
  PID:11348
- C:\Windows\System32\bqdBHrH.exe
  C:\Windows\System32\bqdBHrH.exe
  2⤵
  PID:11416
- C:\Windows\System32\xxlGBHS.exe
  C:\Windows\System32\xxlGBHS.exe
  2⤵
  PID:11440
- C:\Windows\System32\ZHLkEHv.exe
  C:\Windows\System32\ZHLkEHv.exe
  2⤵
  PID:11524
- C:\Windows\System32\FPEWLMo.exe
  C:\Windows\System32\FPEWLMo.exe
  2⤵
  PID:11612
- C:\Windows\System32\wTkbcuO.exe
  C:\Windows\System32\wTkbcuO.exe
  2⤵
  PID:11656
- C:\Windows\System32\NDwfrSy.exe
  C:\Windows\System32\NDwfrSy.exe
  2⤵
  PID:11792
- C:\Windows\System32\jydNqAc.exe
  C:\Windows\System32\jydNqAc.exe
  2⤵
  PID:11820
- C:\Windows\System32\PcuPaIj.exe
  C:\Windows\System32\PcuPaIj.exe
  2⤵
  PID:11948
- C:\Windows\System32\pRyCrJs.exe
  C:\Windows\System32\pRyCrJs.exe
  2⤵
  PID:12040
- C:\Windows\System32\WCtFJrH.exe
  C:\Windows\System32\WCtFJrH.exe
  2⤵
  PID:12076
- C:\Windows\System32\SxpviRc.exe
  C:\Windows\System32\SxpviRc.exe
  2⤵
  PID:12136
- C:\Windows\System32\CjxkaNN.exe
  C:\Windows\System32\CjxkaNN.exe
  2⤵
  PID:12200
- C:\Windows\System32\aRfvwjW.exe
  C:\Windows\System32\aRfvwjW.exe
  2⤵
  PID:12272
- C:\Windows\System32\PRWbgKI.exe
  C:\Windows\System32\PRWbgKI.exe
  2⤵
  PID:11132
- C:\Windows\System32\oAclWur.exe
  C:\Windows\System32\oAclWur.exe
  2⤵
  PID:11388
- C:\Windows\System32\aLxjSzl.exe
  C:\Windows\System32\aLxjSzl.exe
  2⤵
  PID:11484
- C:\Windows\System32\wwdlLpu.exe
  C:\Windows\System32\wwdlLpu.exe
  2⤵
  PID:3500
- C:\Windows\System32\nZcZbnu.exe
  C:\Windows\System32\nZcZbnu.exe
  2⤵
  PID:11684
- C:\Windows\System32\hiIEFOn.exe
  C:\Windows\System32\hiIEFOn.exe
  2⤵
  PID:11844
- C:\Windows\System32\lpqaXXy.exe
  C:\Windows\System32\lpqaXXy.exe
  2⤵
  PID:11912
- C:\Windows\System32\KCOeFig.exe
  C:\Windows\System32\KCOeFig.exe
  2⤵
  PID:12108
- C:\Windows\System32\DGdCUsc.exe
  C:\Windows\System32\DGdCUsc.exe
  2⤵
  PID:11100
- C:\Windows\System32\dRhTRsT.exe
  C:\Windows\System32\dRhTRsT.exe
  2⤵
  PID:11616
- C:\Windows\System32\CmZisRy.exe
  C:\Windows\System32\CmZisRy.exe
  2⤵
  PID:11936
- C:\Windows\System32\sQsgjah.exe
  C:\Windows\System32\sQsgjah.exe
  2⤵
  PID:11628
- C:\Windows\System32\EEubEHR.exe
  C:\Windows\System32\EEubEHR.exe
  2⤵
  PID:12312
- C:\Windows\System32\ZyBLbcF.exe
  C:\Windows\System32\ZyBLbcF.exe
  2⤵
  PID:12336
- C:\Windows\System32\pghbxHD.exe
  C:\Windows\System32\pghbxHD.exe
  2⤵
  PID:12356
- C:\Windows\System32\qApvhBs.exe
  C:\Windows\System32\qApvhBs.exe
  2⤵
  PID:12384
- C:\Windows\System32\jwzPvrN.exe
  C:\Windows\System32\jwzPvrN.exe
  2⤵
  PID:12412
- C:\Windows\System32\AEklfRj.exe
  C:\Windows\System32\AEklfRj.exe
  2⤵
  PID:12456
- C:\Windows\System32\mnvwXZw.exe
  C:\Windows\System32\mnvwXZw.exe
  2⤵
  PID:12472
- C:\Windows\System32\ofARsjT.exe
  C:\Windows\System32\ofARsjT.exe
  2⤵
  PID:12496
- C:\Windows\System32\GzWZTDa.exe
  C:\Windows\System32\GzWZTDa.exe
  2⤵
  PID:12516
- C:\Windows\System32\oQRWtVs.exe
  C:\Windows\System32\oQRWtVs.exe
  2⤵
  PID:12540
- C:\Windows\System32\eMsoqev.exe
  C:\Windows\System32\eMsoqev.exe
  2⤵
  PID:12584
- C:\Windows\System32\yqSwMAM.exe
  C:\Windows\System32\yqSwMAM.exe
  2⤵
  PID:12620
- C:\Windows\System32\pPVgJJG.exe
  C:\Windows\System32\pPVgJJG.exe
  2⤵
  PID:12640
- C:\Windows\System32\nUrIoWP.exe
  C:\Windows\System32\nUrIoWP.exe
  2⤵
  PID:12664
- C:\Windows\System32\aMbJepn.exe
  C:\Windows\System32\aMbJepn.exe
  2⤵
  PID:12696
- C:\Windows\System32\VZCYPgm.exe
  C:\Windows\System32\VZCYPgm.exe
  2⤵
  PID:12724
- C:\Windows\System32\gYlcztb.exe
  C:\Windows\System32\gYlcztb.exe
  2⤵
  PID:12764
- C:\Windows\System32\iAtmBMQ.exe
  C:\Windows\System32\iAtmBMQ.exe
  2⤵
  PID:12800
- C:\Windows\System32\cxWkusl.exe
  C:\Windows\System32\cxWkusl.exe
  2⤵
  PID:12816
- C:\Windows\System32\FnmgPbp.exe
  C:\Windows\System32\FnmgPbp.exe
  2⤵
  PID:12848
- C:\Windows\System32\CUVQgDO.exe
  C:\Windows\System32\CUVQgDO.exe
  2⤵
  PID:12876
- C:\Windows\System32\RcjesXx.exe
  C:\Windows\System32\RcjesXx.exe
  2⤵
  PID:12908
- C:\Windows\System32\XauvJFt.exe
  C:\Windows\System32\XauvJFt.exe
  2⤵
  PID:12932
- C:\Windows\System32\eRexNea.exe
  C:\Windows\System32\eRexNea.exe
  2⤵
  PID:12976
- C:\Windows\System32\KMwVBCi.exe
  C:\Windows\System32\KMwVBCi.exe
  2⤵
  PID:12992
- C:\Windows\System32\hTmxROU.exe
  C:\Windows\System32\hTmxROU.exe
  2⤵
  PID:13012
- C:\Windows\System32\kHdScsG.exe
  C:\Windows\System32\kHdScsG.exe
  2⤵
  PID:13040
- C:\Windows\System32\ONYByag.exe
  C:\Windows\System32\ONYByag.exe
  2⤵
  PID:13080
- C:\Windows\System32\iYlsCrd.exe
  C:\Windows\System32\iYlsCrd.exe
  2⤵
  PID:13100
- C:\Windows\System32\ejpTrxi.exe
  C:\Windows\System32\ejpTrxi.exe
  2⤵
  PID:13116
- C:\Windows\System32\ujuoDKX.exe
  C:\Windows\System32\ujuoDKX.exe
  2⤵
  PID:13140
- C:\Windows\System32\OSfAktP.exe
  C:\Windows\System32\OSfAktP.exe
  2⤵
  PID:13156
- C:\Windows\System32\HoIhvNw.exe
  C:\Windows\System32\HoIhvNw.exe
  2⤵
  PID:13172
- C:\Windows\System32\hrrTRbW.exe
  C:\Windows\System32\hrrTRbW.exe
  2⤵
  PID:13196
- C:\Windows\System32\DorKVXv.exe
  C:\Windows\System32\DorKVXv.exe
  2⤵
  PID:13228
- C:\Windows\System32\dGbzbna.exe
  C:\Windows\System32\dGbzbna.exe
  2⤵
  PID:13300
- C:\Windows\System32\EFUcMsd.exe
  C:\Windows\System32\EFUcMsd.exe
  2⤵
  PID:11552
- C:\Windows\System32\PAEyodK.exe
  C:\Windows\System32\PAEyodK.exe
  2⤵
  PID:12300
- C:\Windows\System32\NiFnnyB.exe
  C:\Windows\System32\NiFnnyB.exe
  2⤵
  PID:12324
- C:\Windows\System32\kcRSYyB.exe
  C:\Windows\System32\kcRSYyB.exe
  2⤵
  PID:12404
- C:\Windows\System32\gJXpEUF.exe
  C:\Windows\System32\gJXpEUF.exe
  2⤵
  PID:12448
- C:\Windows\System32\vQllDDo.exe
  C:\Windows\System32\vQllDDo.exe
  2⤵
  PID:12464
- C:\Windows\System32\YZXTxbY.exe
  C:\Windows\System32\YZXTxbY.exe
  2⤵
  PID:12504
- C:\Windows\System32\wuRKDjL.exe
  C:\Windows\System32\wuRKDjL.exe
  2⤵
  PID:12576
- C:\Windows\System32\cLYsKRv.exe
  C:\Windows\System32\cLYsKRv.exe
  2⤵
  PID:12648
- C:\Windows\System32\UljluZw.exe
  C:\Windows\System32\UljluZw.exe
  2⤵
  PID:12744
- C:\Windows\System32\xsdTfxb.exe
  C:\Windows\System32\xsdTfxb.exe
  2⤵
  PID:12868

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AaCpwaF.exe

Filesize
1.3MB

MD5
b10789555017478870e3ff9d8c8cbbec

SHA1
ae6e42a52403e4c730404339a48a12b58003e818

SHA256
7867aff1ae2eabe0b2ef6cff6755837aa98bbe6118c3af0621358390c77dcadf

SHA512
578198558bfeb82444c4f66baf7f2a3962c0a91c4423042ee7cc27eb43c5bfa3a5a2ab472618614fe9f357154fc981b45803d8fac7b957b462c33bb25308c43c

Download Submit
C:\Windows\System32\EOjVSKm.exe

Filesize
1.3MB

MD5
eca12936baf05e63feacea80378a8201

SHA1
6aafb8fc754c2ae383c684a4bac1529f98e98b98

SHA256
709dd9a170b77bf31c441eb2618944f7f8dd80a190d688fab0de86133b3ee728

SHA512
8c46a085fb9c9f0a4ab29880a31f65c1971811c96859677b31299ba85c107d1f7850202e35cb0a86b1daa0bf8816e4ae38d7313746ee9d88d46d93e595a469bc

Download Submit
C:\Windows\System32\GcCHLcB.exe

Filesize
1.3MB

MD5
fe4f03236b2451882ab63cb1948c8049

SHA1
028b33490dea5852ed446b291557fe9741e0c8ec

SHA256
e47e8e4517142d3ce93b1f7d6d0cb364bcaf21f55bd7d277e8523ff854d8c32c

SHA512
af2c9848f4f95a7b86b549b82f3c85330c5922612a9eaac743b3d693311a8f777407ca9a07e93a01bcb1231752ff0375187757c08742e05edad63e38099f25a7

Download Submit
C:\Windows\System32\ITQBQzo.exe

Filesize
1.3MB

MD5
792157f5b77c1bd03b47dbb63c87e5f7

SHA1
23ac8554368c0dfd1398776a8ea01a664a52d26b

SHA256
b8888b2a903153046c52ae0e4499f5ec3d4db01a347c2ceb6d72d93e725a237f

SHA512
5e17bf47c3b31ddc444a59c4e3d6831e9d7dd06ed291c521905d8e05f8fad694b70508eb92ecd69b4173c66205d8954021b043668bdceddd169bbbc7896a8928

Download Submit
C:\Windows\System32\ImPeIBc.exe

Filesize
1.3MB

MD5
45bbc2965f7c2a19c070177359b16886

SHA1
6f2f920cab70553197a41ba4cc8b7a02f9fa5e9b

SHA256
727243c18c147641485a072fcdf06641f6a55ca40da48bfaeacd344c9c986cb9

SHA512
ed3e5406a6e9e47e67c8813a6d0e5a42ba6ac638dc97031793e9eb9ea58082cd25e1646ec395b2488ecf437404dceda4ce2e6b3a8da400fad3ca23543b44d5a7

Download Submit
C:\Windows\System32\JeXuTJY.exe

Filesize
1.3MB

MD5
af082042767aac93af6ccaa7be5d6f70

SHA1
54f4bcb20b6747fd05d1876117db7f3bdeb54f2f

SHA256
da1c717a547cf6b4c6c6506c023df4b1b5378f2615a1211286547bbe01989b23

SHA512
de263e703595051be598816db13bbddce0833362b1595481db8b231384ab3e1f8492a860c87f49de89dcd8a4cde333d80efde3fc44662f342a4f83859e9668ac

Download Submit
C:\Windows\System32\JkeAUrz.exe

Filesize
1.3MB

MD5
5f8e881d5a9362dff0c93f6308b5a9c0

SHA1
20484444d7075379578ec06da3963a34aca4fb67

SHA256
ca46f7c671736aaab5259ea995fc5ed8eab6ac41da9c0d052fafc7d3c420e69e

SHA512
fd4fcbc846e373cddac940881d503e5b8b3552fd0419fb4dcfbadcba67e154873ad385f894e2d0fd56b90bbee8b906871a1133b7630ad28c019104901c0df0d1

Download Submit
C:\Windows\System32\LVOnVAB.exe

Filesize
1.3MB

MD5
98cc22d18bb701bb73c64173c96117c9

SHA1
b2532c43d3bf8688c07a4f7510ef035c3a2a216c

SHA256
0f3578205728cc2c158d4858cccc6fc930cc13925cf70fe9c16edfc3c55d722b

SHA512
ef367f46425cb782afc8b03404fc578c12ecaaf6258bfe41ff61596ec56682f4f49c5a8d7a2446ae143a04d06c906320e7fefa06a45c3565491072566c92432c

Download Submit
C:\Windows\System32\LlFIjhh.exe

Filesize
1.3MB

MD5
b31720d58e1eade8cc37534138250d54

SHA1
bd07f97b6c480481756edd99b6b101695a54cdab

SHA256
77f0709b2c4b7a3305d3c444075cd7a9ba63d3e21f339d84fb0748730d2a4f7b

SHA512
4f8ffdc385d9fd255d0b1436f1c54bd57ec6260ed9d417257693968847086494795e6243fefd8569597fdb62f86efce4ca03ce79696e0db11c213b2ca8cfcd32

Download Submit
C:\Windows\System32\MhQyxoE.exe

Filesize
1.3MB

MD5
03818c27e7ff46473005f7a22fc63eb0

SHA1
bdd0ab5eac8a991dfcb8c10b9bd694586b43dd51

SHA256
b15ece7e317e601c1db10e219ad665321dc5e73973082b23226e0000b79d39e8

SHA512
0401e951d0346ebc3dcd7ed2d73f021a968ceb931975b5b2bda2315430702b84e5d38f2dfb2dbd5946be236061d67a31b5def62e6cac4b7916a3341aaf1a6ee7

Download Submit
C:\Windows\System32\NJymTsO.exe

Filesize
1.3MB

MD5
4c7e0f155af11ad0eeeeed5430326c65

SHA1
fac35b7592c412116e860be4084e9e85abb1be67

SHA256
a2e1fa55ffcaa11110b3e853930d2de96600df85c2a19cea254db725827a9451

SHA512
f87b5d824ba88477ec9e56769373f08ae42d7fa888cce5682be656d11fbea80e8df9bac9b6e4271db9a32de30312cc6440d5196575fc013ca64d6c569924e95c

Download Submit
C:\Windows\System32\NiznJSz.exe

Filesize
1.3MB

MD5
9d8f1148907b022a99ac3e4d0fe319e6

SHA1
b627b29adc640c8f100137258714d149f1fd963a

SHA256
072e61cc611667db2d930ade895009f2dc78a65dbbcb3e44c9d2cf53a892afc0

SHA512
2a723e7c91ed9276740eea924b8aaa159245c4d410236fce1d159061069945994370b71d5439c6ce853decb5cc185d77bc48f2d4d833671d752002d2449616d2

Download Submit
C:\Windows\System32\QIODrey.exe

Filesize
1.3MB

MD5
44b1987c793491d2717863d40dfa727f

SHA1
99d71fc7f5d9922b98f9b8d2a0637ea73885ebbc

SHA256
2c82294c44439ad2c74a5ea17bf3a6d0098cd7d3c946dae6ecaf53cf3f373372

SHA512
5a7838ef4725b6377190638ba673b2279afad69acafe8190d221a6c366be365335db302f931b6e6047223d4d7bc612ef91e1564d9b17c44be2be15eeb7ab2c84

Download Submit
C:\Windows\System32\SMNnoMD.exe

Filesize
1.3MB

MD5
856d0202fe04e6e851b13b0351d3ab8f

SHA1
82d153264b1b94c97d0b4912a7a60454cb7b0c5d

SHA256
0d072948947619ae0828c0e3ecba91df9293e92a6c40eada806b2f0a680a6457

SHA512
50b87566345270ee9f984e721be61115c96ef67bee8491415c9cd2872778956e7d1cca6784e32691abbc3afbcfa736174c8cb95705332d4187a9a528f469c046

Download Submit
C:\Windows\System32\XKoytjc.exe

Filesize
1.3MB

MD5
d7f3a546d727c507e5cf0cdfe2f5cfaf

SHA1
d3eb4a53dd0b0f12417f44f6cd95e8e558109818

SHA256
b748adde1fe04386ed301cba4db07d51a462b800a5cf786ae20bb0145699d4d3

SHA512
e007f72b0cff7336b8638885a88bb7b50c7c695287ebc0e702b52dd26fa9ca5b2a6b6cc6f77c6022e4021a702d9e5e6356a9ee322f81fcdc563d3b84598c41a5

Download Submit
C:\Windows\System32\XbHlsWF.exe

Filesize
1.3MB

MD5
c7bee146a0a9082295f11d5a6124a68c

SHA1
931cc85a8872c55c2f4807ea9159ee5a8006cf89

SHA256
cc86f8a3c89ccd26b08a7bbcc5af3a6a92059f52d507cc262d4662ea01d35991

SHA512
8c873ab8bed34c40af91f92ae6bb5767dec03021a558e259811674b17674cd9e1646c9d1908e3600e2c128e36012867abb5469ce9f6143b41c0a328b62a85a37

Download Submit
C:\Windows\System32\YvNBiQY.exe

Filesize
1.3MB

MD5
f74451584c0ceb271e5eb2a74bed4194

SHA1
9d1abca536fc804d09c99a00e56b3f830c14f7ba

SHA256
0f6464822d3f6088902e2a46374474e1d27d165d43c380f64810efbed53df953

SHA512
17d1495bd2ae466bbe8baaf93e0bbc774e700263cb88d2a2c37136fdaec96f42ffb16e185b3341d9c15cd9da86ee06bbbe0814cc3e80a748b21a84b82b52d325

Download Submit
C:\Windows\System32\brRaMTP.exe

Filesize
1.3MB

MD5
a1d8118c366b17ad4cb6d0cc73d469dd

SHA1
4203eae6c3ce02e71de435d3567349dc65782213

SHA256
3e4b63270f67d48a63f8d0d1020c17d1f153d485f71bf4b239129d0dd45e3c90

SHA512
e030b8747ebc12c208500e268862e7ff69298fca8a75454cbfe7e669014addb83bc7aefd715f68ab7621dcb53fbd56ec031759c274492f67a8d052962f586d81

Download Submit
C:\Windows\System32\bvrPYjT.exe

Filesize
1.3MB

MD5
8fe122d3881b8dfc385102251ab787b5

SHA1
5fc0590961aa0262b3dc1cc08349fb42172c898d

SHA256
cd2cf6161cc0b72439e7f131955abbfe0a9810f1c51ccd993d66aae0ce37f90f

SHA512
a62d67c2cde4a5d2102454ee769e2c361a5da6b56924d25851f223035f15bc5568950c6dd5b55bb8d0a662b9847c11fd38aba6e2195e76845abac208d0dfeabc

Download Submit
C:\Windows\System32\gEtDGLE.exe

Filesize
1.3MB

MD5
f27a43504c1b6d19db69d14c5b82aa4f

SHA1
7a4e55307c24d29e9467a29884e5de841d09965a

SHA256
87559987a8cedaa1250561ee5ff58bef2a8832539d56d03aad58b6d646f59d4b

SHA512
53195b3dd0f0d1fc91288f2e9202906511f098bb8800926ce38e12faaae1741dfedcd0788680f2cc58f0df136d88add503a2d97eae095919e4d6c8d54750ac10

Download Submit
C:\Windows\System32\ibsJhRU.exe

Filesize
1.3MB

MD5
2afc164efa2040ef3f74a83827f42a63

SHA1
69d86736b651f28d850068b722bb78dafb12e232

SHA256
50efe9d92508ae6bb8cb00a00c670b76023fb8c327b36068425d44780fa10f2d

SHA512
eca1e7b14cb000dd95cd2bf5ad15f9ea73adba25698d44e1f4123db90b8468a3b2701bcf9a0dda73f46872ff753970dba7c159573a86103f53bd8c51605769a0

Download Submit
C:\Windows\System32\lGuxABI.exe

Filesize
1.3MB

MD5
ada66b224583be1d3fc85895b040f64c

SHA1
ee96fc2fd2347362526897080c39127db839e7b0

SHA256
239092e9529b4106e20ceaeabc07a2991394b9d3c865a495d301ffbab70579fb

SHA512
63862a973199723d1b19daea689028a94f4204e3dddafa5b686cd0ed33abf24c7b64c9803857f551286659b00c54b150dd505ddcd5644fdea81a5f0e5b4d2748

Download Submit
C:\Windows\System32\ljrVFFH.exe

Filesize
1.3MB

MD5
f9637ddf25ac27946b288390f371aeda

SHA1
90ed2b8abd1b1dc20fd610b188ffe1a261411cb5

SHA256
d6f993bc8b8f05a44d5d14eb26f05ae0f9e38517a32d731bd89f0afa032901c9

SHA512
9302844e020d99cfc185d057ce7061bb6b1420ffd1fac8358603a20a4cc86e3ecf3f560c0a4b199997254bade8f09db6ff8026b3559a268e5ac70844f559c71d

Download Submit
C:\Windows\System32\loZrRBI.exe

Filesize
1.3MB

MD5
24eec0fd2fe241e35b3f75df8d1c6d12

SHA1
23fbba3f1406dfe70bbf1f2f89251a95bca9743d

SHA256
e28a2c249fc19c2760e5bb305333757e434b49d30d605932e25e84a6cc0ab006

SHA512
b8b692112e3a967d80453a012d53c5ec245117d2af88db7cc4767f61e2358f805824a8f37cd9d860de7d3a804d6dcb17ef4440d860a1e5d40ae8b0e2610be0ca

Download Submit
C:\Windows\System32\osMYBtX.exe

Filesize
1.3MB

MD5
4aebb1f977f0d1b60597177da0ac43c0

SHA1
317fc088a44668ad6d42b1cdac035178d369fa78

SHA256
66d42d4652c57a199e102c0a7b5ae562b61abf7cd19ddd594587917beefef8fc

SHA512
41018345c9738eeee4c854e8d9ac36b41e1498d2b2cd829f88f740cc91c10fc07d56ba67f0b79530b032d55b9bdb6029ab09c97ed851349a990684294072eace

Download Submit
C:\Windows\System32\pwdaZOa.exe

Filesize
1.3MB

MD5
1c19306909bfd1495b470e54b8a64b82

SHA1
67c2e0f77669466c4197b6013efd12d8ba63cb3c

SHA256
341154e54c884be40e064a375b69562d42cf2b5fdc01978bf4f3aa2e0f58bf18

SHA512
0a9b0ab3da3745fc8fa130497b69cec433fff441a1e48a208a4e313e64ac37a342eb6f013e1ff66ba367136d8f8ec92404be95e8e97ce531e609c044bd1bf3e7

Download Submit
C:\Windows\System32\rSlMvii.exe

Filesize
1.3MB

MD5
28f90b8a447e25f6239001a200528b49

SHA1
a693c1327da3be137f76af9a8c0c411c377a256e

SHA256
a27afe59364dc7fc49353cadbc611777e6dcb88ded04f993d99a27d724287268

SHA512
f5577bbbac45d9ca621d5d37eeb57bffde9e65f88c6cfdcd48a1e1bbb21811030eda0bd37cec5aa51e7b44c8089466bc5b6485966e40c78c4e71cf61173171a2

Download Submit
C:\Windows\System32\rqVFZIQ.exe

Filesize
1.3MB

MD5
6026b8dceef605ebefe92ed2e0770777

SHA1
0c13bdf32e49392cbefe25476ec9a341da631660

SHA256
600a5e6c09fb13458052fb6f4d580dc009ac0a95ac770bf3c39168a925561c30

SHA512
7bdb6b9f63d9d679bea437098c83a9583d5af5d0d3965922702133c1b66faa237e65ac33dd673a3da1a800ea9b3490f14cecf31a20666b3d622b000cd0abb3c6

Download Submit
C:\Windows\System32\tdaMuYi.exe

Filesize
1.3MB

MD5
fbb303b113e2291bbde94c5e33345a8b

SHA1
968fff7575ba7299aaacc731c0f160b2e23f69b7

SHA256
ab77f02ef48db2e7007445699a0c3255901f76e05b391cec3f8d38c7af48328d

SHA512
6e86ad59d38800327079bd80c5dc9ebf76a5503f60e750a272c932646c6327be845ce4491623a0d61678c887bc7ad9c67c0af4eaabcef1f451834f3902e3d383

Download Submit
C:\Windows\System32\uKmFqOO.exe

Filesize
1.3MB

MD5
0d50316b33d52faa88274f9d1aec00cb

SHA1
17ed1fd8fc375cba20adf3590dd5e2f46f79354c

SHA256
edd2dd74f59feb123e345d0596f7ebbff7a8bdd20f31ca3ffe63a9ba0d6f7995

SHA512
3969cf8202745c976589fb33a6515bebe2730ba3e4fe1f18ab8c62c32b1386412118e2414145596f5bbd0f72a25c7ef00e93196c1cefc22e0977c30d525e0afd

Download Submit
C:\Windows\System32\uQWjEYk.exe

Filesize
1.3MB

MD5
967cbcf8e0da9124eeef70f15f3d9223

SHA1
93abf2af4a50ce562f67269202bfd66b969dee60

SHA256
8af716525d749c5ac5c542c58220e28fa403d77be2a0c6bb85ba42a56fe8456a

SHA512
44e1cd3a19c7875807201ba1984e57804dc88b4b6a36eaa176f744a3f640bcd0cc090556d38f9d01821eae663428918c390ed64d2686faa84b616d41f427625b

Download Submit
C:\Windows\System32\umvFLPE.exe

Filesize
1.3MB

MD5
f5913cd18b8b1bad2ed3c74aaac60643

SHA1
6b2305d79ad3439350682d08c8632a0116797a08

SHA256
f2f9049a397dc644015cdc44e8443319a4d85818bdab6f5739bca9ccc9825654

SHA512
0846185eeb8d894441dc615062baed84c6eeef54c032c116bae6e730057c6ac0336ee312d9081b3e7a2fc9fcac598837f76a7bbe55c0fe4fdcd56f4d42eb0738

Download Submit
C:\Windows\System32\vBwwKWR.exe

Filesize
1.3MB

MD5
e334e6ef96220808008fed199e612d3f

SHA1
841baa1abe94654cf83c518b4faec69a2a44f830

SHA256
ba66301cc767326c4332796437cfb6d71a7530a45a2d38b45927f349943c778a

SHA512
e9d546ff01a383ecc7db93fa3262b78e79caa932fbd2f51bfe4eeca89278fdf945242c47c570952df7a04f363b9637ca075af0ddec7745ee57d4144af8b14e7a

Download Submit
C:\Windows\System32\wKTsbZN.exe

Filesize
1.3MB

MD5
142587553d43f11ea70256cbfbaa6211

SHA1
4297c86afd77c24ecc329a0825f97d9509ebcdc0

SHA256
9b6a0455fe9f6f4a2bb6804ad11a13e0c1113db5dc311d299ca528d3cfd987a5

SHA512
d3d67251bc3e707139447c956161a9c3d4ee283b23c9f89e99ccfc77c3acb3388b7c3d03d3ab5c90c3e3a15de8f8f3c7c46a56e00d2e7e9fe4ba5ba96a40a704

Download Submit
C:\Windows\System32\yCWAgVg.exe

Filesize
1.3MB

MD5
ed165964af03c7bff35c5ab2e28e3f09

SHA1
11107d5d04935299fd5ed4c68c09bbc136ede48b

SHA256
ef4952634bb0d7a576b98be5306e30473153c7d4cc785f4e40e4fc1c96a25b23

SHA512
9a45d530d1d535f7e0c7d955cb53b38c8600246ba16052345913de07cad47d167ff11ddfd0881790b1ca457b85ae5652d0bedb8e7875765af198ce8442440e81

Download Submit
C:\Windows\System32\zJghFok.exe

Filesize
1.3MB

MD5
9ca584b82e9ff3c9a66d6459f92daa78

SHA1
d5518d80264b18ab9d5f1e2d3bbb271a30c97192

SHA256
4d0f20b70138f64a7cd682e5dfc8662127cb7cc7c4ae9b94edac1d0505ff997d

SHA512
069accb97ebb385d3da5a80c910c24e21b02e819184dd775836b5b68187710a0a73ad69672d198f666194a9703d56d3646583bd0f28b0c4172d2f58844de04f1

Download Submit
memory/320-120-0x00007FF6E7530000-0x00007FF6E7921000-memory.dmp

Filesize
3.9MB

Download
memory/320-2108-0x00007FF6E7530000-0x00007FF6E7921000-memory.dmp

Filesize
3.9MB

Download
memory/400-2065-0x00007FF6CD310000-0x00007FF6CD701000-memory.dmp

Filesize
3.9MB

Download
memory/400-59-0x00007FF6CD310000-0x00007FF6CD701000-memory.dmp

Filesize
3.9MB

Download
memory/852-47-0x00007FF7C4AA0000-0x00007FF7C4E91000-memory.dmp

Filesize
3.9MB

Download
memory/852-1997-0x00007FF7C4AA0000-0x00007FF7C4E91000-memory.dmp

Filesize
3.9MB

Download
memory/852-2066-0x00007FF7C4AA0000-0x00007FF7C4E91000-memory.dmp

Filesize
3.9MB

Download
memory/960-186-0x00007FF610840000-0x00007FF610C31000-memory.dmp

Filesize
3.9MB

Download
memory/960-2124-0x00007FF610840000-0x00007FF610C31000-memory.dmp

Filesize
3.9MB

Download
memory/1204-2118-0x00007FF685440000-0x00007FF685831000-memory.dmp

Filesize
3.9MB

Download
memory/1204-180-0x00007FF685440000-0x00007FF685831000-memory.dmp

Filesize
3.9MB

Download
memory/1292-2114-0x00007FF7E77C0000-0x00007FF7E7BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1292-121-0x00007FF7E77C0000-0x00007FF7E7BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1376-16-0x00007FF679B20000-0x00007FF679F11000-memory.dmp

Filesize
3.9MB

Download
memory/1376-181-0x00007FF679B20000-0x00007FF679F11000-memory.dmp

Filesize
3.9MB

Download
memory/1376-2058-0x00007FF679B20000-0x00007FF679F11000-memory.dmp

Filesize
3.9MB

Download
memory/1552-2068-0x00007FF763DA0000-0x00007FF764191000-memory.dmp

Filesize
3.9MB

Download
memory/1552-35-0x00007FF763DA0000-0x00007FF764191000-memory.dmp

Filesize
3.9MB

Download
memory/1624-2063-0x00007FF718050000-0x00007FF718441000-memory.dmp

Filesize
3.9MB

Download
memory/1624-61-0x00007FF718050000-0x00007FF718441000-memory.dmp

Filesize
3.9MB

Download
memory/1756-62-0x00007FF6B9F30000-0x00007FF6BA321000-memory.dmp

Filesize
3.9MB

Download
memory/1756-2100-0x00007FF6B9F30000-0x00007FF6BA321000-memory.dmp

Filesize
3.9MB

Download
memory/1756-2006-0x00007FF6B9F30000-0x00007FF6BA321000-memory.dmp

Filesize
3.9MB

Download
memory/1844-63-0x00007FF619A40000-0x00007FF619E31000-memory.dmp

Filesize
3.9MB

Download
memory/1844-2102-0x00007FF619A40000-0x00007FF619E31000-memory.dmp

Filesize
3.9MB

Download
memory/1844-2011-0x00007FF619A40000-0x00007FF619E31000-memory.dmp

Filesize
3.9MB

Download
memory/1920-2060-0x00007FF7DC0A0000-0x00007FF7DC491000-memory.dmp

Filesize
3.9MB

Download
memory/1920-40-0x00007FF7DC0A0000-0x00007FF7DC491000-memory.dmp

Filesize
3.9MB

Download
memory/2148-2057-0x00007FF765140000-0x00007FF765531000-memory.dmp

Filesize
3.9MB

Download
memory/2148-22-0x00007FF765140000-0x00007FF765531000-memory.dmp

Filesize
3.9MB

Download
memory/2148-1158-0x00007FF765140000-0x00007FF765531000-memory.dmp

Filesize
3.9MB

Download
memory/2160-139-0x00007FF696750000-0x00007FF696B41000-memory.dmp

Filesize
3.9MB

Download
memory/2160-2122-0x00007FF696750000-0x00007FF696B41000-memory.dmp

Filesize
3.9MB

Download
memory/2256-183-0x00007FF7AE810000-0x00007FF7AEC01000-memory.dmp

Filesize
3.9MB

Download
memory/2256-2126-0x00007FF7AE810000-0x00007FF7AEC01000-memory.dmp

Filesize
3.9MB

Download
memory/3116-112-0x00007FF6470A0000-0x00007FF647491000-memory.dmp

Filesize
3.9MB

Download
memory/3116-2106-0x00007FF6470A0000-0x00007FF647491000-memory.dmp

Filesize
3.9MB

Download
memory/3276-79-0x00007FF763C00000-0x00007FF763FF1000-memory.dmp

Filesize
3.9MB

Download
memory/3276-2012-0x00007FF763C00000-0x00007FF763FF1000-memory.dmp

Filesize
3.9MB

Download
memory/3276-2104-0x00007FF763C00000-0x00007FF763FF1000-memory.dmp

Filesize
3.9MB

Download
memory/3340-1717-0x00007FF70F010000-0x00007FF70F401000-memory.dmp

Filesize
3.9MB

Download
memory/3340-2054-0x00007FF70F010000-0x00007FF70F401000-memory.dmp

Filesize
3.9MB

Download
memory/3340-33-0x00007FF70F010000-0x00007FF70F401000-memory.dmp

Filesize
3.9MB

Download
memory/3664-2133-0x00007FF6F9390000-0x00007FF6F9781000-memory.dmp

Filesize
3.9MB

Download
memory/3664-187-0x00007FF6F9390000-0x00007FF6F9781000-memory.dmp

Filesize
3.9MB

Download
memory/4060-142-0x00007FF6CDBA0000-0x00007FF6CDF91000-memory.dmp

Filesize
3.9MB

Download
memory/4060-2120-0x00007FF6CDBA0000-0x00007FF6CDF91000-memory.dmp

Filesize
3.9MB

Download
memory/4216-0-0x00007FF769440000-0x00007FF769831000-memory.dmp

Filesize
3.9MB

Download
memory/4216-2036-0x00007FF769440000-0x00007FF769831000-memory.dmp

Filesize
3.9MB

Download
memory/4216-108-0x00007FF769440000-0x00007FF769831000-memory.dmp

Filesize
3.9MB

Download
memory/4216-1-0x000002C228100000-0x000002C228110000-memory.dmp

Filesize
64KB

Download
memory/4264-164-0x00007FF6C6E40000-0x00007FF6C7231000-memory.dmp

Filesize
3.9MB

Download
memory/4264-2110-0x00007FF6C6E40000-0x00007FF6C7231000-memory.dmp

Filesize
3.9MB

Download
memory/4656-2013-0x00007FF6C0880000-0x00007FF6C0C71000-memory.dmp

Filesize
3.9MB

Download
memory/4656-2112-0x00007FF6C0880000-0x00007FF6C0C71000-memory.dmp

Filesize
3.9MB

Download
memory/4656-90-0x00007FF6C0880000-0x00007FF6C0C71000-memory.dmp

Filesize
3.9MB

Download
memory/4896-138-0x00007FF7807B0000-0x00007FF780BA1000-memory.dmp

Filesize
3.9MB

Download
memory/4896-2116-0x00007FF7807B0000-0x00007FF780BA1000-memory.dmp

Filesize
3.9MB

Download
memory/4896-2034-0x00007FF7807B0000-0x00007FF780BA1000-memory.dmp

Filesize
3.9MB

Download
memory/5088-111-0x00007FF63AD10000-0x00007FF63B101000-memory.dmp

Filesize
3.9MB

Download
memory/5088-14-0x00007FF63AD10000-0x00007FF63B101000-memory.dmp

Filesize
3.9MB

Download
memory/5088-2052-0x00007FF63AD10000-0x00007FF63B101000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads