xmrig | 018a9c9de6ac16d56b2089b7657a80e349fa1d5ff49f5aff4169fb234bca9511

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76eafd635cf34785595268d4cdf42dc0N.exe
Size

1.4MB
MD5

76eafd635cf34785595268d4cdf42dc0
SHA1

b16d794aedb434a11a5f26eeb470441ce49876f1
SHA256

018a9c9de6ac16d56b2089b7657a80e349fa1d5ff49f5aff4169fb234bca9511
SHA512

6179dabe3e7b6a90db2a141343767f6759844ffb0c4e1d230a4fc5d6c588862f1f345ea3c235531bc36723b3a0a0fd8bb142d4418fc17c0160135fa2fef53cc0
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbcZ4GhX/dERVwURIGWjdgZmS+W8:knw9oUUEEDlGUJ8Y9ctYVk3jdIn+L

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/5040-43-0x00007FF6E9940000-0x00007FF6E9D31000-memory.dmp	xmrig
behavioral2/memory/2836-44-0x00007FF65D020000-0x00007FF65D411000-memory.dmp	xmrig
behavioral2/memory/2112-376-0x00007FF706F10000-0x00007FF707301000-memory.dmp	xmrig
behavioral2/memory/3764-384-0x00007FF7DE0B0000-0x00007FF7DE4A1000-memory.dmp	xmrig
behavioral2/memory/4816-383-0x00007FF7D7130000-0x00007FF7D7521000-memory.dmp	xmrig
behavioral2/memory/3540-381-0x00007FF69C2C0000-0x00007FF69C6B1000-memory.dmp	xmrig
behavioral2/memory/3604-412-0x00007FF6A15B0000-0x00007FF6A19A1000-memory.dmp	xmrig
behavioral2/memory/4376-400-0x00007FF6DFDA0000-0x00007FF6E0191000-memory.dmp	xmrig
behavioral2/memory/3312-392-0x00007FF6BF190000-0x00007FF6BF581000-memory.dmp	xmrig
behavioral2/memory/3152-46-0x00007FF632830000-0x00007FF632C21000-memory.dmp	xmrig
behavioral2/memory/2792-24-0x00007FF75C2F0000-0x00007FF75C6E1000-memory.dmp	xmrig
behavioral2/memory/5096-21-0x00007FF728F00000-0x00007FF7292F1000-memory.dmp	xmrig
behavioral2/memory/3892-409-0x00007FF75C590000-0x00007FF75C981000-memory.dmp	xmrig
behavioral2/memory/4852-415-0x00007FF6E13C0000-0x00007FF6E17B1000-memory.dmp	xmrig
behavioral2/memory/2776-417-0x00007FF782B30000-0x00007FF782F21000-memory.dmp	xmrig
behavioral2/memory/3712-418-0x00007FF787750000-0x00007FF787B41000-memory.dmp	xmrig
behavioral2/memory/3032-421-0x00007FF627230000-0x00007FF627621000-memory.dmp	xmrig
behavioral2/memory/4460-423-0x00007FF750680000-0x00007FF750A71000-memory.dmp	xmrig
behavioral2/memory/1728-422-0x00007FF752FA0000-0x00007FF753391000-memory.dmp	xmrig
behavioral2/memory/3876-425-0x00007FF7D9810000-0x00007FF7D9C01000-memory.dmp	xmrig
behavioral2/memory/2208-424-0x00007FF6D5AD0000-0x00007FF6D5EC1000-memory.dmp	xmrig
behavioral2/memory/1736-420-0x00007FF6FE640000-0x00007FF6FEA31000-memory.dmp	xmrig
behavioral2/memory/64-419-0x00007FF7BCEF0000-0x00007FF7BD2E1000-memory.dmp	xmrig
behavioral2/memory/4496-416-0x00007FF68E810000-0x00007FF68EC01000-memory.dmp	xmrig
behavioral2/memory/5096-2028-0x00007FF728F00000-0x00007FF7292F1000-memory.dmp	xmrig
behavioral2/memory/2792-2030-0x00007FF75C2F0000-0x00007FF75C6E1000-memory.dmp	xmrig
behavioral2/memory/2836-2034-0x00007FF65D020000-0x00007FF65D411000-memory.dmp	xmrig
behavioral2/memory/2208-2036-0x00007FF6D5AD0000-0x00007FF6D5EC1000-memory.dmp	xmrig
behavioral2/memory/5040-2038-0x00007FF6E9940000-0x00007FF6E9D31000-memory.dmp	xmrig
behavioral2/memory/4460-2032-0x00007FF750680000-0x00007FF750A71000-memory.dmp	xmrig
behavioral2/memory/4852-2058-0x00007FF6E13C0000-0x00007FF6E17B1000-memory.dmp	xmrig
behavioral2/memory/3712-2062-0x00007FF787750000-0x00007FF787B41000-memory.dmp	xmrig
behavioral2/memory/1736-2072-0x00007FF6FE640000-0x00007FF6FEA31000-memory.dmp	xmrig
behavioral2/memory/1728-2074-0x00007FF752FA0000-0x00007FF753391000-memory.dmp	xmrig
behavioral2/memory/3032-2068-0x00007FF627230000-0x00007FF627621000-memory.dmp	xmrig
behavioral2/memory/2776-2066-0x00007FF782B30000-0x00007FF782F21000-memory.dmp	xmrig
behavioral2/memory/64-2070-0x00007FF7BCEF0000-0x00007FF7BD2E1000-memory.dmp	xmrig
behavioral2/memory/4496-2064-0x00007FF68E810000-0x00007FF68EC01000-memory.dmp	xmrig
behavioral2/memory/3604-2060-0x00007FF6A15B0000-0x00007FF6A19A1000-memory.dmp	xmrig
behavioral2/memory/2112-2056-0x00007FF706F10000-0x00007FF707301000-memory.dmp	xmrig
behavioral2/memory/3764-2052-0x00007FF7DE0B0000-0x00007FF7DE4A1000-memory.dmp	xmrig
behavioral2/memory/3540-2050-0x00007FF69C2C0000-0x00007FF69C6B1000-memory.dmp	xmrig
behavioral2/memory/4816-2048-0x00007FF7D7130000-0x00007FF7D7521000-memory.dmp	xmrig
behavioral2/memory/4376-2046-0x00007FF6DFDA0000-0x00007FF6E0191000-memory.dmp	xmrig
behavioral2/memory/3892-2044-0x00007FF75C590000-0x00007FF75C981000-memory.dmp	xmrig
behavioral2/memory/3312-2042-0x00007FF6BF190000-0x00007FF6BF581000-memory.dmp	xmrig
behavioral2/memory/3876-2055-0x00007FF7D9810000-0x00007FF7D9C01000-memory.dmp	xmrig
behavioral2/memory/3152-2040-0x00007FF632830000-0x00007FF632C21000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
5096	rGNBsAz.exe
4460	BqydDIE.exe
2792	viGbXsk.exe
5040	AXoJrlD.exe
2208	WXyNwps.exe
2836	YKDDOFN.exe
3152	PssgefV.exe
2112	XZkTBEn.exe
3876	jURKVnH.exe
3540	cERThYu.exe
4816	MvLxYXu.exe
3764	LJGLlib.exe
3312	NTwLGSx.exe
4376	HSEcGEh.exe
3892	TzhtEVb.exe
3604	wFNfavu.exe
4852	pkRXEPQ.exe
4496	IPSsTSx.exe
2776	wZyYjXA.exe
3712	cdkIvqv.exe
64	NIEGJUF.exe
1736	pRThMnB.exe
3032	fnwfDnn.exe
1728	UkMDReY.exe
4172	iEnkVty.exe
3792	pAHmwEE.exe
3240	KtkCelj.exe
3412	vfQApFI.exe
3820	dJRfAhE.exe
2732	EGrZuLR.exe
2292	SgnKPHN.exe
2940	yHjRXME.exe
4796	KTMLvEr.exe
1116	EKchBtL.exe
1832	jRvdyCr.exe
704	iRBEnwr.exe
2396	sDWeCqQ.exe
1536	wxEPHHu.exe
1296	jIxksLL.exe
3720	BtMRFIb.exe
844	VRapDmL.exe
4944	GqnuKwN.exe
4872	WVxozja.exe
4108	Ojnorzg.exe
4024	naYmGZA.exe
2640	mLEFppS.exe
688	DyLQHJL.exe
2268	ykskvTT.exe
4196	bWaKgNV.exe
624	zJdrnmo.exe
3196	CLpxlSc.exe
4652	SvYdsIU.exe
3504	rQRHzEJ.exe
4940	hyKBGXO.exe
1836	OQXufQG.exe
4116	bSWsClY.exe
3832	xrsjGnJ.exe
4336	GFlxEXt.exe
1884	npJkKZh.exe
2248	gUBFKZL.exe
2148	bidcfHb.exe
4732	bfgJTiL.exe
4596	hBChPGd.exe
4716	YmCUmPJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2420-0-0x00007FF715F40000-0x00007FF716331000-memory.dmp	upx
behavioral2/files/0x000a0000000233f8-4.dat	upx
behavioral2/files/0x00070000000233fd-8.dat	upx
behavioral2/files/0x00070000000233fc-11.dat	upx
behavioral2/files/0x00070000000233fe-20.dat	upx
behavioral2/files/0x00070000000233ff-26.dat	upx
behavioral2/files/0x0007000000023400-36.dat	upx
behavioral2/files/0x0007000000023401-34.dat	upx
behavioral2/memory/5040-43-0x00007FF6E9940000-0x00007FF6E9D31000-memory.dmp	upx
behavioral2/memory/2836-44-0x00007FF65D020000-0x00007FF65D411000-memory.dmp	upx
behavioral2/files/0x0007000000023402-49.dat	upx
behavioral2/files/0x0007000000023404-53.dat	upx
behavioral2/files/0x0007000000023405-58.dat	upx
behavioral2/files/0x0007000000023406-63.dat	upx
behavioral2/files/0x000700000002340a-89.dat	upx
behavioral2/files/0x000700000002340d-97.dat	upx
behavioral2/files/0x0007000000023414-132.dat	upx
behavioral2/files/0x0007000000023415-144.dat	upx
behavioral2/files/0x0007000000023418-153.dat	upx
behavioral2/files/0x000700000002341a-166.dat	upx
behavioral2/memory/2112-376-0x00007FF706F10000-0x00007FF707301000-memory.dmp	upx
behavioral2/memory/3764-384-0x00007FF7DE0B0000-0x00007FF7DE4A1000-memory.dmp	upx
behavioral2/memory/4816-383-0x00007FF7D7130000-0x00007FF7D7521000-memory.dmp	upx
behavioral2/memory/3540-381-0x00007FF69C2C0000-0x00007FF69C6B1000-memory.dmp	upx
behavioral2/memory/3604-412-0x00007FF6A15B0000-0x00007FF6A19A1000-memory.dmp	upx
behavioral2/memory/4376-400-0x00007FF6DFDA0000-0x00007FF6E0191000-memory.dmp	upx
behavioral2/memory/3312-392-0x00007FF6BF190000-0x00007FF6BF581000-memory.dmp	upx
behavioral2/files/0x0007000000023419-164.dat	upx
behavioral2/files/0x0007000000023417-151.dat	upx
behavioral2/files/0x0007000000023416-149.dat	upx
behavioral2/files/0x0007000000023413-134.dat	upx
behavioral2/files/0x0007000000023412-126.dat	upx
behavioral2/files/0x0007000000023411-121.dat	upx
behavioral2/files/0x0007000000023410-119.dat	upx
behavioral2/files/0x000700000002340f-111.dat	upx
behavioral2/files/0x000700000002340e-109.dat	upx
behavioral2/files/0x000700000002340c-99.dat	upx
behavioral2/files/0x000700000002340b-94.dat	upx
behavioral2/files/0x0007000000023409-81.dat	upx
behavioral2/files/0x0007000000023408-76.dat	upx
behavioral2/files/0x0007000000023407-71.dat	upx
behavioral2/files/0x0007000000023403-51.dat	upx
behavioral2/memory/3152-46-0x00007FF632830000-0x00007FF632C21000-memory.dmp	upx
behavioral2/memory/2792-24-0x00007FF75C2F0000-0x00007FF75C6E1000-memory.dmp	upx
behavioral2/memory/5096-21-0x00007FF728F00000-0x00007FF7292F1000-memory.dmp	upx
behavioral2/memory/3892-409-0x00007FF75C590000-0x00007FF75C981000-memory.dmp	upx
behavioral2/memory/4852-415-0x00007FF6E13C0000-0x00007FF6E17B1000-memory.dmp	upx
behavioral2/memory/2776-417-0x00007FF782B30000-0x00007FF782F21000-memory.dmp	upx
behavioral2/memory/3712-418-0x00007FF787750000-0x00007FF787B41000-memory.dmp	upx
behavioral2/memory/3032-421-0x00007FF627230000-0x00007FF627621000-memory.dmp	upx
behavioral2/memory/4460-423-0x00007FF750680000-0x00007FF750A71000-memory.dmp	upx
behavioral2/memory/1728-422-0x00007FF752FA0000-0x00007FF753391000-memory.dmp	upx
behavioral2/memory/3876-425-0x00007FF7D9810000-0x00007FF7D9C01000-memory.dmp	upx
behavioral2/memory/2208-424-0x00007FF6D5AD0000-0x00007FF6D5EC1000-memory.dmp	upx
behavioral2/memory/1736-420-0x00007FF6FE640000-0x00007FF6FEA31000-memory.dmp	upx
behavioral2/memory/64-419-0x00007FF7BCEF0000-0x00007FF7BD2E1000-memory.dmp	upx
behavioral2/memory/4496-416-0x00007FF68E810000-0x00007FF68EC01000-memory.dmp	upx
behavioral2/memory/5096-2028-0x00007FF728F00000-0x00007FF7292F1000-memory.dmp	upx
behavioral2/memory/2792-2030-0x00007FF75C2F0000-0x00007FF75C6E1000-memory.dmp	upx
behavioral2/memory/2836-2034-0x00007FF65D020000-0x00007FF65D411000-memory.dmp	upx
behavioral2/memory/2208-2036-0x00007FF6D5AD0000-0x00007FF6D5EC1000-memory.dmp	upx
behavioral2/memory/5040-2038-0x00007FF6E9940000-0x00007FF6E9D31000-memory.dmp	upx
behavioral2/memory/4460-2032-0x00007FF750680000-0x00007FF750A71000-memory.dmp	upx
behavioral2/memory/4852-2058-0x00007FF6E13C0000-0x00007FF6E17B1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\NnbIfon.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\vpRYpwt.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\fBQcEBx.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\jEudAHg.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\cuFkdLO.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\vQSdOzo.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\fnwfDnn.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\SvYdsIU.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\hTgxnfZ.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\uAaRRyM.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\wTiJrVt.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\qkmeXjc.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\UFOLlfo.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\cRvdQGo.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\mMLrNQk.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\rasQaea.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\OpMVxGi.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\kxxVzrw.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\SMqMRSK.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\qDbcskh.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\viGbXsk.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\KtkCelj.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\AbipkJa.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\radnljO.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\FXUuCHs.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\CAbRFfo.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\OPVHovi.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\ByPAoCL.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\NIEGJUF.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\nvQceKd.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\PGKFrsu.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\IUzJhMl.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\sWHJuga.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\gvRibBl.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\HmBQElr.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\QysNEPW.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\VvrhasC.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\DCzIlQz.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\IvpsEXu.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\Msdwxed.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\feoZUkW.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\JkSwEsG.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\eaYtARC.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\ItgYsui.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\pABINGv.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\OlfMZnI.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\vAKeZIt.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\qEQGPMm.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\eSViQMb.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\ygabEkB.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\bNNGzLa.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\yHjRXME.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\casazSb.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\fnpJyjN.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\woPBGZR.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\lGxgZdS.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\xWNUOJn.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\sDWeCqQ.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\lOPymPN.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\QhWysXw.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\oRXmfEz.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\nznkTXa.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\QVTOEQI.exe	76eafd635cf34785595268d4cdf42dc0N.exe
File created	C:\Windows\System32\FJnuOUb.exe	76eafd635cf34785595268d4cdf42dc0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4352	dwm.exe
Token: SeChangeNotifyPrivilege	4352	dwm.exe
Token: 33	4352	dwm.exe
Token: SeIncBasePriorityPrivilege	4352	dwm.exe
Token: SeShutdownPrivilege	4352	dwm.exe
Token: SeCreatePagefilePrivilege	4352	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 5096	2420	76eafd635cf34785595268d4cdf42dc0N.exe	85
PID 2420 wrote to memory of 5096	2420	76eafd635cf34785595268d4cdf42dc0N.exe	85
PID 2420 wrote to memory of 4460	2420	76eafd635cf34785595268d4cdf42dc0N.exe	86
PID 2420 wrote to memory of 4460	2420	76eafd635cf34785595268d4cdf42dc0N.exe	86
PID 2420 wrote to memory of 2792	2420	76eafd635cf34785595268d4cdf42dc0N.exe	87
PID 2420 wrote to memory of 2792	2420	76eafd635cf34785595268d4cdf42dc0N.exe	87
PID 2420 wrote to memory of 5040	2420	76eafd635cf34785595268d4cdf42dc0N.exe	88
PID 2420 wrote to memory of 5040	2420	76eafd635cf34785595268d4cdf42dc0N.exe	88
PID 2420 wrote to memory of 2208	2420	76eafd635cf34785595268d4cdf42dc0N.exe	89
PID 2420 wrote to memory of 2208	2420	76eafd635cf34785595268d4cdf42dc0N.exe	89
PID 2420 wrote to memory of 2836	2420	76eafd635cf34785595268d4cdf42dc0N.exe	90
PID 2420 wrote to memory of 2836	2420	76eafd635cf34785595268d4cdf42dc0N.exe	90
PID 2420 wrote to memory of 3152	2420	76eafd635cf34785595268d4cdf42dc0N.exe	91
PID 2420 wrote to memory of 3152	2420	76eafd635cf34785595268d4cdf42dc0N.exe	91
PID 2420 wrote to memory of 2112	2420	76eafd635cf34785595268d4cdf42dc0N.exe	92
PID 2420 wrote to memory of 2112	2420	76eafd635cf34785595268d4cdf42dc0N.exe	92
PID 2420 wrote to memory of 3876	2420	76eafd635cf34785595268d4cdf42dc0N.exe	93
PID 2420 wrote to memory of 3876	2420	76eafd635cf34785595268d4cdf42dc0N.exe	93
PID 2420 wrote to memory of 3540	2420	76eafd635cf34785595268d4cdf42dc0N.exe	94
PID 2420 wrote to memory of 3540	2420	76eafd635cf34785595268d4cdf42dc0N.exe	94
PID 2420 wrote to memory of 4816	2420	76eafd635cf34785595268d4cdf42dc0N.exe	95
PID 2420 wrote to memory of 4816	2420	76eafd635cf34785595268d4cdf42dc0N.exe	95
PID 2420 wrote to memory of 3764	2420	76eafd635cf34785595268d4cdf42dc0N.exe	96
PID 2420 wrote to memory of 3764	2420	76eafd635cf34785595268d4cdf42dc0N.exe	96
PID 2420 wrote to memory of 3312	2420	76eafd635cf34785595268d4cdf42dc0N.exe	97
PID 2420 wrote to memory of 3312	2420	76eafd635cf34785595268d4cdf42dc0N.exe	97
PID 2420 wrote to memory of 4376	2420	76eafd635cf34785595268d4cdf42dc0N.exe	98
PID 2420 wrote to memory of 4376	2420	76eafd635cf34785595268d4cdf42dc0N.exe	98
PID 2420 wrote to memory of 3892	2420	76eafd635cf34785595268d4cdf42dc0N.exe	99
PID 2420 wrote to memory of 3892	2420	76eafd635cf34785595268d4cdf42dc0N.exe	99
PID 2420 wrote to memory of 3604	2420	76eafd635cf34785595268d4cdf42dc0N.exe	100
PID 2420 wrote to memory of 3604	2420	76eafd635cf34785595268d4cdf42dc0N.exe	100
PID 2420 wrote to memory of 4852	2420	76eafd635cf34785595268d4cdf42dc0N.exe	101
PID 2420 wrote to memory of 4852	2420	76eafd635cf34785595268d4cdf42dc0N.exe	101
PID 2420 wrote to memory of 4496	2420	76eafd635cf34785595268d4cdf42dc0N.exe	102
PID 2420 wrote to memory of 4496	2420	76eafd635cf34785595268d4cdf42dc0N.exe	102
PID 2420 wrote to memory of 2776	2420	76eafd635cf34785595268d4cdf42dc0N.exe	103
PID 2420 wrote to memory of 2776	2420	76eafd635cf34785595268d4cdf42dc0N.exe	103
PID 2420 wrote to memory of 3712	2420	76eafd635cf34785595268d4cdf42dc0N.exe	104
PID 2420 wrote to memory of 3712	2420	76eafd635cf34785595268d4cdf42dc0N.exe	104
PID 2420 wrote to memory of 64	2420	76eafd635cf34785595268d4cdf42dc0N.exe	105
PID 2420 wrote to memory of 64	2420	76eafd635cf34785595268d4cdf42dc0N.exe	105
PID 2420 wrote to memory of 1736	2420	76eafd635cf34785595268d4cdf42dc0N.exe	106
PID 2420 wrote to memory of 1736	2420	76eafd635cf34785595268d4cdf42dc0N.exe	106
PID 2420 wrote to memory of 3032	2420	76eafd635cf34785595268d4cdf42dc0N.exe	107
PID 2420 wrote to memory of 3032	2420	76eafd635cf34785595268d4cdf42dc0N.exe	107
PID 2420 wrote to memory of 1728	2420	76eafd635cf34785595268d4cdf42dc0N.exe	108
PID 2420 wrote to memory of 1728	2420	76eafd635cf34785595268d4cdf42dc0N.exe	108
PID 2420 wrote to memory of 4172	2420	76eafd635cf34785595268d4cdf42dc0N.exe	109
PID 2420 wrote to memory of 4172	2420	76eafd635cf34785595268d4cdf42dc0N.exe	109
PID 2420 wrote to memory of 3792	2420	76eafd635cf34785595268d4cdf42dc0N.exe	110
PID 2420 wrote to memory of 3792	2420	76eafd635cf34785595268d4cdf42dc0N.exe	110
PID 2420 wrote to memory of 3240	2420	76eafd635cf34785595268d4cdf42dc0N.exe	111
PID 2420 wrote to memory of 3240	2420	76eafd635cf34785595268d4cdf42dc0N.exe	111
PID 2420 wrote to memory of 3412	2420	76eafd635cf34785595268d4cdf42dc0N.exe	112
PID 2420 wrote to memory of 3412	2420	76eafd635cf34785595268d4cdf42dc0N.exe	112
PID 2420 wrote to memory of 3820	2420	76eafd635cf34785595268d4cdf42dc0N.exe	113
PID 2420 wrote to memory of 3820	2420	76eafd635cf34785595268d4cdf42dc0N.exe	113
PID 2420 wrote to memory of 2732	2420	76eafd635cf34785595268d4cdf42dc0N.exe	114
PID 2420 wrote to memory of 2732	2420	76eafd635cf34785595268d4cdf42dc0N.exe	114
PID 2420 wrote to memory of 2292	2420	76eafd635cf34785595268d4cdf42dc0N.exe	115
PID 2420 wrote to memory of 2292	2420	76eafd635cf34785595268d4cdf42dc0N.exe	115
PID 2420 wrote to memory of 2940	2420	76eafd635cf34785595268d4cdf42dc0N.exe	116
PID 2420 wrote to memory of 2940	2420	76eafd635cf34785595268d4cdf42dc0N.exe	116

C:\Users\Admin\AppData\Local\Temp\76eafd635cf34785595268d4cdf42dc0N.exe
"C:\Users\Admin\AppData\Local\Temp\76eafd635cf34785595268d4cdf42dc0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\System32\rGNBsAz.exe
  C:\Windows\System32\rGNBsAz.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\BqydDIE.exe
  C:\Windows\System32\BqydDIE.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\viGbXsk.exe
  C:\Windows\System32\viGbXsk.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System32\AXoJrlD.exe
  C:\Windows\System32\AXoJrlD.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\WXyNwps.exe
  C:\Windows\System32\WXyNwps.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System32\YKDDOFN.exe
  C:\Windows\System32\YKDDOFN.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System32\PssgefV.exe
  C:\Windows\System32\PssgefV.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System32\XZkTBEn.exe
  C:\Windows\System32\XZkTBEn.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System32\jURKVnH.exe
  C:\Windows\System32\jURKVnH.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System32\cERThYu.exe
  C:\Windows\System32\cERThYu.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\MvLxYXu.exe
  C:\Windows\System32\MvLxYXu.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System32\LJGLlib.exe
  C:\Windows\System32\LJGLlib.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\NTwLGSx.exe
  C:\Windows\System32\NTwLGSx.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System32\HSEcGEh.exe
  C:\Windows\System32\HSEcGEh.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System32\TzhtEVb.exe
  C:\Windows\System32\TzhtEVb.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\wFNfavu.exe
  C:\Windows\System32\wFNfavu.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System32\pkRXEPQ.exe
  C:\Windows\System32\pkRXEPQ.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\IPSsTSx.exe
  C:\Windows\System32\IPSsTSx.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\wZyYjXA.exe
  C:\Windows\System32\wZyYjXA.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System32\cdkIvqv.exe
  C:\Windows\System32\cdkIvqv.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System32\NIEGJUF.exe
  C:\Windows\System32\NIEGJUF.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System32\pRThMnB.exe
  C:\Windows\System32\pRThMnB.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System32\fnwfDnn.exe
  C:\Windows\System32\fnwfDnn.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System32\UkMDReY.exe
  C:\Windows\System32\UkMDReY.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System32\iEnkVty.exe
  C:\Windows\System32\iEnkVty.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System32\pAHmwEE.exe
  C:\Windows\System32\pAHmwEE.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System32\KtkCelj.exe
  C:\Windows\System32\KtkCelj.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System32\vfQApFI.exe
  C:\Windows\System32\vfQApFI.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\dJRfAhE.exe
  C:\Windows\System32\dJRfAhE.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System32\EGrZuLR.exe
  C:\Windows\System32\EGrZuLR.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System32\SgnKPHN.exe
  C:\Windows\System32\SgnKPHN.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System32\yHjRXME.exe
  C:\Windows\System32\yHjRXME.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\KTMLvEr.exe
  C:\Windows\System32\KTMLvEr.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\EKchBtL.exe
  C:\Windows\System32\EKchBtL.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System32\jRvdyCr.exe
  C:\Windows\System32\jRvdyCr.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System32\iRBEnwr.exe
  C:\Windows\System32\iRBEnwr.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System32\sDWeCqQ.exe
  C:\Windows\System32\sDWeCqQ.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\wxEPHHu.exe
  C:\Windows\System32\wxEPHHu.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System32\jIxksLL.exe
  C:\Windows\System32\jIxksLL.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System32\BtMRFIb.exe
  C:\Windows\System32\BtMRFIb.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\VRapDmL.exe
  C:\Windows\System32\VRapDmL.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System32\GqnuKwN.exe
  C:\Windows\System32\GqnuKwN.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\WVxozja.exe
  C:\Windows\System32\WVxozja.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\Ojnorzg.exe
  C:\Windows\System32\Ojnorzg.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\naYmGZA.exe
  C:\Windows\System32\naYmGZA.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System32\mLEFppS.exe
  C:\Windows\System32\mLEFppS.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System32\DyLQHJL.exe
  C:\Windows\System32\DyLQHJL.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System32\ykskvTT.exe
  C:\Windows\System32\ykskvTT.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System32\bWaKgNV.exe
  C:\Windows\System32\bWaKgNV.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System32\zJdrnmo.exe
  C:\Windows\System32\zJdrnmo.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\CLpxlSc.exe
  C:\Windows\System32\CLpxlSc.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\SvYdsIU.exe
  C:\Windows\System32\SvYdsIU.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\rQRHzEJ.exe
  C:\Windows\System32\rQRHzEJ.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System32\hyKBGXO.exe
  C:\Windows\System32\hyKBGXO.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System32\OQXufQG.exe
  C:\Windows\System32\OQXufQG.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\bSWsClY.exe
  C:\Windows\System32\bSWsClY.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System32\xrsjGnJ.exe
  C:\Windows\System32\xrsjGnJ.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System32\GFlxEXt.exe
  C:\Windows\System32\GFlxEXt.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\npJkKZh.exe
  C:\Windows\System32\npJkKZh.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System32\gUBFKZL.exe
  C:\Windows\System32\gUBFKZL.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System32\bidcfHb.exe
  C:\Windows\System32\bidcfHb.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System32\bfgJTiL.exe
  C:\Windows\System32\bfgJTiL.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\hBChPGd.exe
  C:\Windows\System32\hBChPGd.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System32\YmCUmPJ.exe
  C:\Windows\System32\YmCUmPJ.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System32\ZNDesyB.exe
  C:\Windows\System32\ZNDesyB.exe
  2⤵
  PID:3372
- C:\Windows\System32\NDIrEUu.exe
  C:\Windows\System32\NDIrEUu.exe
  2⤵
  PID:1948
- C:\Windows\System32\BubsZPf.exe
  C:\Windows\System32\BubsZPf.exe
  2⤵
  PID:744
- C:\Windows\System32\TgHoRUR.exe
  C:\Windows\System32\TgHoRUR.exe
  2⤵
  PID:4104
- C:\Windows\System32\fEoULzD.exe
  C:\Windows\System32\fEoULzD.exe
  2⤵
  PID:1808
- C:\Windows\System32\dJFHaKZ.exe
  C:\Windows\System32\dJFHaKZ.exe
  2⤵
  PID:4764
- C:\Windows\System32\dcmxcUS.exe
  C:\Windows\System32\dcmxcUS.exe
  2⤵
  PID:2880
- C:\Windows\System32\bkuKvop.exe
  C:\Windows\System32\bkuKvop.exe
  2⤵
  PID:4676
- C:\Windows\System32\jYNtQgm.exe
  C:\Windows\System32\jYNtQgm.exe
  2⤵
  PID:664
- C:\Windows\System32\jDdIUnJ.exe
  C:\Windows\System32\jDdIUnJ.exe
  2⤵
  PID:1232
- C:\Windows\System32\tDUnOaR.exe
  C:\Windows\System32\tDUnOaR.exe
  2⤵
  PID:4744
- C:\Windows\System32\AOrVKFt.exe
  C:\Windows\System32\AOrVKFt.exe
  2⤵
  PID:4412
- C:\Windows\System32\XSLSATE.exe
  C:\Windows\System32\XSLSATE.exe
  2⤵
  PID:1796
- C:\Windows\System32\pfHAkSi.exe
  C:\Windows\System32\pfHAkSi.exe
  2⤵
  PID:4452
- C:\Windows\System32\ZULijCY.exe
  C:\Windows\System32\ZULijCY.exe
  2⤵
  PID:2508
- C:\Windows\System32\aaWWtSr.exe
  C:\Windows\System32\aaWWtSr.exe
  2⤵
  PID:1192
- C:\Windows\System32\bcEzfMK.exe
  C:\Windows\System32\bcEzfMK.exe
  2⤵
  PID:964
- C:\Windows\System32\nvQceKd.exe
  C:\Windows\System32\nvQceKd.exe
  2⤵
  PID:3648
- C:\Windows\System32\TWkxdob.exe
  C:\Windows\System32\TWkxdob.exe
  2⤵
  PID:208
- C:\Windows\System32\dbaLqOt.exe
  C:\Windows\System32\dbaLqOt.exe
  2⤵
  PID:5036
- C:\Windows\System32\QjZWkQi.exe
  C:\Windows\System32\QjZWkQi.exe
  2⤵
  PID:4784
- C:\Windows\System32\OTaXjXc.exe
  C:\Windows\System32\OTaXjXc.exe
  2⤵
  PID:1616
- C:\Windows\System32\mMLrNQk.exe
  C:\Windows\System32\mMLrNQk.exe
  2⤵
  PID:4180
- C:\Windows\System32\QiulwKo.exe
  C:\Windows\System32\QiulwKo.exe
  2⤵
  PID:2560
- C:\Windows\System32\zLQmgyC.exe
  C:\Windows\System32\zLQmgyC.exe
  2⤵
  PID:116
- C:\Windows\System32\ErrvkPe.exe
  C:\Windows\System32\ErrvkPe.exe
  2⤵
  PID:3292
- C:\Windows\System32\HMGMjIt.exe
  C:\Windows\System32\HMGMjIt.exe
  2⤵
  PID:2724
- C:\Windows\System32\VvrhasC.exe
  C:\Windows\System32\VvrhasC.exe
  2⤵
  PID:1184
- C:\Windows\System32\CfaEsRY.exe
  C:\Windows\System32\CfaEsRY.exe
  2⤵
  PID:4540
- C:\Windows\System32\ItgYsui.exe
  C:\Windows\System32\ItgYsui.exe
  2⤵
  PID:4896
- C:\Windows\System32\sMGsdgA.exe
  C:\Windows\System32\sMGsdgA.exe
  2⤵
  PID:1408
- C:\Windows\System32\GxWkXVm.exe
  C:\Windows\System32\GxWkXVm.exe
  2⤵
  PID:2540
- C:\Windows\System32\DgJSvqe.exe
  C:\Windows\System32\DgJSvqe.exe
  2⤵
  PID:3144
- C:\Windows\System32\IbDhsmq.exe
  C:\Windows\System32\IbDhsmq.exe
  2⤵
  PID:1632
- C:\Windows\System32\pABINGv.exe
  C:\Windows\System32\pABINGv.exe
  2⤵
  PID:1436
- C:\Windows\System32\cxcoJLJ.exe
  C:\Windows\System32\cxcoJLJ.exe
  2⤵
  PID:2040
- C:\Windows\System32\jOjegiy.exe
  C:\Windows\System32\jOjegiy.exe
  2⤵
  PID:5048
- C:\Windows\System32\UDOcgEj.exe
  C:\Windows\System32\UDOcgEj.exe
  2⤵
  PID:3164
- C:\Windows\System32\elhtEmy.exe
  C:\Windows\System32\elhtEmy.exe
  2⤵
  PID:4244
- C:\Windows\System32\yUPHcdH.exe
  C:\Windows\System32\yUPHcdH.exe
  2⤵
  PID:4456
- C:\Windows\System32\tecHxwB.exe
  C:\Windows\System32\tecHxwB.exe
  2⤵
  PID:4584
- C:\Windows\System32\fISIziH.exe
  C:\Windows\System32\fISIziH.exe
  2⤵
  PID:4656
- C:\Windows\System32\NGZWdRF.exe
  C:\Windows\System32\NGZWdRF.exe
  2⤵
  PID:932
- C:\Windows\System32\gRiuGIU.exe
  C:\Windows\System32\gRiuGIU.exe
  2⤵
  PID:5128
- C:\Windows\System32\OlfMZnI.exe
  C:\Windows\System32\OlfMZnI.exe
  2⤵
  PID:5144
- C:\Windows\System32\xAElymh.exe
  C:\Windows\System32\xAElymh.exe
  2⤵
  PID:5160
- C:\Windows\System32\clguWrE.exe
  C:\Windows\System32\clguWrE.exe
  2⤵
  PID:5180
- C:\Windows\System32\lLMDZgf.exe
  C:\Windows\System32\lLMDZgf.exe
  2⤵
  PID:5196
- C:\Windows\System32\casazSb.exe
  C:\Windows\System32\casazSb.exe
  2⤵
  PID:5212
- C:\Windows\System32\GBrhffR.exe
  C:\Windows\System32\GBrhffR.exe
  2⤵
  PID:5228
- C:\Windows\System32\hMXMcfY.exe
  C:\Windows\System32\hMXMcfY.exe
  2⤵
  PID:5256
- C:\Windows\System32\CfalAgT.exe
  C:\Windows\System32\CfalAgT.exe
  2⤵
  PID:5332
- C:\Windows\System32\LBksyXQ.exe
  C:\Windows\System32\LBksyXQ.exe
  2⤵
  PID:5444
- C:\Windows\System32\lTcnRve.exe
  C:\Windows\System32\lTcnRve.exe
  2⤵
  PID:5472
- C:\Windows\System32\TJYpujJ.exe
  C:\Windows\System32\TJYpujJ.exe
  2⤵
  PID:5488
- C:\Windows\System32\jgUvnNS.exe
  C:\Windows\System32\jgUvnNS.exe
  2⤵
  PID:5504
- C:\Windows\System32\LAbAHBD.exe
  C:\Windows\System32\LAbAHBD.exe
  2⤵
  PID:5520
- C:\Windows\System32\HnnyYta.exe
  C:\Windows\System32\HnnyYta.exe
  2⤵
  PID:5564
- C:\Windows\System32\CGNlWHP.exe
  C:\Windows\System32\CGNlWHP.exe
  2⤵
  PID:5596
- C:\Windows\System32\zJCeBeY.exe
  C:\Windows\System32\zJCeBeY.exe
  2⤵
  PID:5632
- C:\Windows\System32\JgMszsd.exe
  C:\Windows\System32\JgMszsd.exe
  2⤵
  PID:5652
- C:\Windows\System32\XkjXTmW.exe
  C:\Windows\System32\XkjXTmW.exe
  2⤵
  PID:5680
- C:\Windows\System32\OPFkNfZ.exe
  C:\Windows\System32\OPFkNfZ.exe
  2⤵
  PID:5704
- C:\Windows\System32\pyAYBzu.exe
  C:\Windows\System32\pyAYBzu.exe
  2⤵
  PID:5724
- C:\Windows\System32\QVTOEQI.exe
  C:\Windows\System32\QVTOEQI.exe
  2⤵
  PID:5752
- C:\Windows\System32\NpUVMaT.exe
  C:\Windows\System32\NpUVMaT.exe
  2⤵
  PID:5768
- C:\Windows\System32\bBNVSAJ.exe
  C:\Windows\System32\bBNVSAJ.exe
  2⤵
  PID:5824
- C:\Windows\System32\gPKugnX.exe
  C:\Windows\System32\gPKugnX.exe
  2⤵
  PID:5848
- C:\Windows\System32\kkwkMqa.exe
  C:\Windows\System32\kkwkMqa.exe
  2⤵
  PID:5872
- C:\Windows\System32\nKiFLDq.exe
  C:\Windows\System32\nKiFLDq.exe
  2⤵
  PID:5928
- C:\Windows\System32\ZXHMeBc.exe
  C:\Windows\System32\ZXHMeBc.exe
  2⤵
  PID:5968
- C:\Windows\System32\gjJyTyT.exe
  C:\Windows\System32\gjJyTyT.exe
  2⤵
  PID:5984
- C:\Windows\System32\cOfPAoC.exe
  C:\Windows\System32\cOfPAoC.exe
  2⤵
  PID:6004
- C:\Windows\System32\yfCHgQD.exe
  C:\Windows\System32\yfCHgQD.exe
  2⤵
  PID:6024
- C:\Windows\System32\GeDGjqQ.exe
  C:\Windows\System32\GeDGjqQ.exe
  2⤵
  PID:6044
- C:\Windows\System32\SoTynEp.exe
  C:\Windows\System32\SoTynEp.exe
  2⤵
  PID:6084
- C:\Windows\System32\qlyKMFV.exe
  C:\Windows\System32\qlyKMFV.exe
  2⤵
  PID:6108
- C:\Windows\System32\dIqnHsH.exe
  C:\Windows\System32\dIqnHsH.exe
  2⤵
  PID:6124
- C:\Windows\System32\dOIVGfN.exe
  C:\Windows\System32\dOIVGfN.exe
  2⤵
  PID:3676
- C:\Windows\System32\EvJJDhC.exe
  C:\Windows\System32\EvJJDhC.exe
  2⤵
  PID:5140
- C:\Windows\System32\DbBEbYU.exe
  C:\Windows\System32\DbBEbYU.exe
  2⤵
  PID:5276
- C:\Windows\System32\ubjFzUY.exe
  C:\Windows\System32\ubjFzUY.exe
  2⤵
  PID:4468
- C:\Windows\System32\HOjShqV.exe
  C:\Windows\System32\HOjShqV.exe
  2⤵
  PID:5388
- C:\Windows\System32\ZrHFpKp.exe
  C:\Windows\System32\ZrHFpKp.exe
  2⤵
  PID:5428
- C:\Windows\System32\Kpbbaxl.exe
  C:\Windows\System32\Kpbbaxl.exe
  2⤵
  PID:5464
- C:\Windows\System32\eWkbTrB.exe
  C:\Windows\System32\eWkbTrB.exe
  2⤵
  PID:3100
- C:\Windows\System32\AGOxzMu.exe
  C:\Windows\System32\AGOxzMu.exe
  2⤵
  PID:5236
- C:\Windows\System32\EcAPyPE.exe
  C:\Windows\System32\EcAPyPE.exe
  2⤵
  PID:5304
- C:\Windows\System32\aslKHeS.exe
  C:\Windows\System32\aslKHeS.exe
  2⤵
  PID:5604
- C:\Windows\System32\cLpFrMq.exe
  C:\Windows\System32\cLpFrMq.exe
  2⤵
  PID:5644
- C:\Windows\System32\YfZluli.exe
  C:\Windows\System32\YfZluli.exe
  2⤵
  PID:5688
- C:\Windows\System32\xdJMbbd.exe
  C:\Windows\System32\xdJMbbd.exe
  2⤵
  PID:5808
- C:\Windows\System32\PNxzZbQ.exe
  C:\Windows\System32\PNxzZbQ.exe
  2⤵
  PID:5920
- C:\Windows\System32\dyMmrIc.exe
  C:\Windows\System32\dyMmrIc.exe
  2⤵
  PID:5944
- C:\Windows\System32\IBgRDXd.exe
  C:\Windows\System32\IBgRDXd.exe
  2⤵
  PID:6076
- C:\Windows\System32\GUfZibS.exe
  C:\Windows\System32\GUfZibS.exe
  2⤵
  PID:5172
- C:\Windows\System32\BPFHXPB.exe
  C:\Windows\System32\BPFHXPB.exe
  2⤵
  PID:4696
- C:\Windows\System32\YsrqBBl.exe
  C:\Windows\System32\YsrqBBl.exe
  2⤵
  PID:5152
- C:\Windows\System32\XgHAncj.exe
  C:\Windows\System32\XgHAncj.exe
  2⤵
  PID:5380
- C:\Windows\System32\YvfbQug.exe
  C:\Windows\System32\YvfbQug.exe
  2⤵
  PID:5516
- C:\Windows\System32\SwleIUg.exe
  C:\Windows\System32\SwleIUg.exe
  2⤵
  PID:2224
- C:\Windows\System32\qHmIQoc.exe
  C:\Windows\System32\qHmIQoc.exe
  2⤵
  PID:5316
- C:\Windows\System32\bdbfMhv.exe
  C:\Windows\System32\bdbfMhv.exe
  2⤵
  PID:5720
- C:\Windows\System32\DGLJNYS.exe
  C:\Windows\System32\DGLJNYS.exe
  2⤵
  PID:5900
- C:\Windows\System32\wBsoumk.exe
  C:\Windows\System32\wBsoumk.exe
  2⤵
  PID:5980
- C:\Windows\System32\sVFTedp.exe
  C:\Windows\System32\sVFTedp.exe
  2⤵
  PID:2000
- C:\Windows\System32\AbipkJa.exe
  C:\Windows\System32\AbipkJa.exe
  2⤵
  PID:5436
- C:\Windows\System32\jwnmtpa.exe
  C:\Windows\System32\jwnmtpa.exe
  2⤵
  PID:4552
- C:\Windows\System32\govSKav.exe
  C:\Windows\System32\govSKav.exe
  2⤵
  PID:5320
- C:\Windows\System32\eHEzCtR.exe
  C:\Windows\System32\eHEzCtR.exe
  2⤵
  PID:5992
- C:\Windows\System32\radnljO.exe
  C:\Windows\System32\radnljO.exe
  2⤵
  PID:6208
- C:\Windows\System32\hVdqanL.exe
  C:\Windows\System32\hVdqanL.exe
  2⤵
  PID:6224
- C:\Windows\System32\fnpJyjN.exe
  C:\Windows\System32\fnpJyjN.exe
  2⤵
  PID:6256
- C:\Windows\System32\pZWQOJS.exe
  C:\Windows\System32\pZWQOJS.exe
  2⤵
  PID:6280
- C:\Windows\System32\AcbMhOg.exe
  C:\Windows\System32\AcbMhOg.exe
  2⤵
  PID:6324
- C:\Windows\System32\htrjHkf.exe
  C:\Windows\System32\htrjHkf.exe
  2⤵
  PID:6344
- C:\Windows\System32\AxRFjDP.exe
  C:\Windows\System32\AxRFjDP.exe
  2⤵
  PID:6368
- C:\Windows\System32\wNFFcjE.exe
  C:\Windows\System32\wNFFcjE.exe
  2⤵
  PID:6384
- C:\Windows\System32\JMlfaNm.exe
  C:\Windows\System32\JMlfaNm.exe
  2⤵
  PID:6404
- C:\Windows\System32\DCzIlQz.exe
  C:\Windows\System32\DCzIlQz.exe
  2⤵
  PID:6432
- C:\Windows\System32\HidUJDH.exe
  C:\Windows\System32\HidUJDH.exe
  2⤵
  PID:6468
- C:\Windows\System32\lInciVz.exe
  C:\Windows\System32\lInciVz.exe
  2⤵
  PID:6512
- C:\Windows\System32\ZXjHUHX.exe
  C:\Windows\System32\ZXjHUHX.exe
  2⤵
  PID:6548
- C:\Windows\System32\IvpsEXu.exe
  C:\Windows\System32\IvpsEXu.exe
  2⤵
  PID:6572
- C:\Windows\System32\SGfNCqW.exe
  C:\Windows\System32\SGfNCqW.exe
  2⤵
  PID:6588
- C:\Windows\System32\VqswUuv.exe
  C:\Windows\System32\VqswUuv.exe
  2⤵
  PID:6608
- C:\Windows\System32\erOqfCm.exe
  C:\Windows\System32\erOqfCm.exe
  2⤵
  PID:6624
- C:\Windows\System32\vOLRCoe.exe
  C:\Windows\System32\vOLRCoe.exe
  2⤵
  PID:6664
- C:\Windows\System32\KObtdVt.exe
  C:\Windows\System32\KObtdVt.exe
  2⤵
  PID:6684
- C:\Windows\System32\pyFMCao.exe
  C:\Windows\System32\pyFMCao.exe
  2⤵
  PID:6708
- C:\Windows\System32\mAPzkuq.exe
  C:\Windows\System32\mAPzkuq.exe
  2⤵
  PID:6736
- C:\Windows\System32\DozWWCa.exe
  C:\Windows\System32\DozWWCa.exe
  2⤵
  PID:6756
- C:\Windows\System32\BcIEgDj.exe
  C:\Windows\System32\BcIEgDj.exe
  2⤵
  PID:6784
- C:\Windows\System32\tZyebvJ.exe
  C:\Windows\System32\tZyebvJ.exe
  2⤵
  PID:6836
- C:\Windows\System32\zvTKUtH.exe
  C:\Windows\System32\zvTKUtH.exe
  2⤵
  PID:6880
- C:\Windows\System32\huBHFOo.exe
  C:\Windows\System32\huBHFOo.exe
  2⤵
  PID:6900
- C:\Windows\System32\guSXkTA.exe
  C:\Windows\System32\guSXkTA.exe
  2⤵
  PID:6920
- C:\Windows\System32\qWEiSSA.exe
  C:\Windows\System32\qWEiSSA.exe
  2⤵
  PID:6948
- C:\Windows\System32\blbpNVR.exe
  C:\Windows\System32\blbpNVR.exe
  2⤵
  PID:6988
- C:\Windows\System32\PkTZADZ.exe
  C:\Windows\System32\PkTZADZ.exe
  2⤵
  PID:7008
- C:\Windows\System32\UcrbaZq.exe
  C:\Windows\System32\UcrbaZq.exe
  2⤵
  PID:7040
- C:\Windows\System32\fwrNJGq.exe
  C:\Windows\System32\fwrNJGq.exe
  2⤵
  PID:7080
- C:\Windows\System32\PScnFkb.exe
  C:\Windows\System32\PScnFkb.exe
  2⤵
  PID:7100
- C:\Windows\System32\hTgxnfZ.exe
  C:\Windows\System32\hTgxnfZ.exe
  2⤵
  PID:7128
- C:\Windows\System32\ZvehmFj.exe
  C:\Windows\System32\ZvehmFj.exe
  2⤵
  PID:7148
- C:\Windows\System32\RbjqrrL.exe
  C:\Windows\System32\RbjqrrL.exe
  2⤵
  PID:5936
- C:\Windows\System32\WWnoMiG.exe
  C:\Windows\System32\WWnoMiG.exe
  2⤵
  PID:6148
- C:\Windows\System32\KgkVsON.exe
  C:\Windows\System32\KgkVsON.exe
  2⤵
  PID:6204
- C:\Windows\System32\VXqNNZL.exe
  C:\Windows\System32\VXqNNZL.exe
  2⤵
  PID:6336
- C:\Windows\System32\rnBRSyD.exe
  C:\Windows\System32\rnBRSyD.exe
  2⤵
  PID:6356
- C:\Windows\System32\zxIaBpa.exe
  C:\Windows\System32\zxIaBpa.exe
  2⤵
  PID:6412
- C:\Windows\System32\YhYthuO.exe
  C:\Windows\System32\YhYthuO.exe
  2⤵
  PID:6520
- C:\Windows\System32\PDlZTNQ.exe
  C:\Windows\System32\PDlZTNQ.exe
  2⤵
  PID:6620
- C:\Windows\System32\zmbrIzK.exe
  C:\Windows\System32\zmbrIzK.exe
  2⤵
  PID:6656
- C:\Windows\System32\tihgsEK.exe
  C:\Windows\System32\tihgsEK.exe
  2⤵
  PID:6692
- C:\Windows\System32\PMWmgZG.exe
  C:\Windows\System32\PMWmgZG.exe
  2⤵
  PID:6724
- C:\Windows\System32\pXJSNKi.exe
  C:\Windows\System32\pXJSNKi.exe
  2⤵
  PID:6800
- C:\Windows\System32\BtvmidH.exe
  C:\Windows\System32\BtvmidH.exe
  2⤵
  PID:6940
- C:\Windows\System32\fjpwNja.exe
  C:\Windows\System32\fjpwNja.exe
  2⤵
  PID:6972
- C:\Windows\System32\NyIayvy.exe
  C:\Windows\System32\NyIayvy.exe
  2⤵
  PID:7000
- C:\Windows\System32\ivVfYlq.exe
  C:\Windows\System32\ivVfYlq.exe
  2⤵
  PID:7116
- C:\Windows\System32\JJgUMxj.exe
  C:\Windows\System32\JJgUMxj.exe
  2⤵
  PID:6116
- C:\Windows\System32\aDCkPnm.exe
  C:\Windows\System32\aDCkPnm.exe
  2⤵
  PID:6232
- C:\Windows\System32\mCIJmIE.exe
  C:\Windows\System32\mCIJmIE.exe
  2⤵
  PID:6168
- C:\Windows\System32\NKgPyMi.exe
  C:\Windows\System32\NKgPyMi.exe
  2⤵
  PID:6352
- C:\Windows\System32\yAyaIwY.exe
  C:\Windows\System32\yAyaIwY.exe
  2⤵
  PID:6732
- C:\Windows\System32\uKFdcvw.exe
  C:\Windows\System32\uKFdcvw.exe
  2⤵
  PID:6932
- C:\Windows\System32\MBswssw.exe
  C:\Windows\System32\MBswssw.exe
  2⤵
  PID:7020
- C:\Windows\System32\JREIcrk.exe
  C:\Windows\System32\JREIcrk.exe
  2⤵
  PID:7056
- C:\Windows\System32\OmeOgaV.exe
  C:\Windows\System32\OmeOgaV.exe
  2⤵
  PID:5308
- C:\Windows\System32\LMYtOin.exe
  C:\Windows\System32\LMYtOin.exe
  2⤵
  PID:6376
- C:\Windows\System32\hhUpMtV.exe
  C:\Windows\System32\hhUpMtV.exe
  2⤵
  PID:6696
- C:\Windows\System32\PCwdCed.exe
  C:\Windows\System32\PCwdCed.exe
  2⤵
  PID:6464
- C:\Windows\System32\dPbgTdz.exe
  C:\Windows\System32\dPbgTdz.exe
  2⤵
  PID:6752
- C:\Windows\System32\IphqZMd.exe
  C:\Windows\System32\IphqZMd.exe
  2⤵
  PID:7172
- C:\Windows\System32\NnmSJrp.exe
  C:\Windows\System32\NnmSJrp.exe
  2⤵
  PID:7204
- C:\Windows\System32\QKxzGve.exe
  C:\Windows\System32\QKxzGve.exe
  2⤵
  PID:7224
- C:\Windows\System32\BVLYqFC.exe
  C:\Windows\System32\BVLYqFC.exe
  2⤵
  PID:7260
- C:\Windows\System32\gQYsZzO.exe
  C:\Windows\System32\gQYsZzO.exe
  2⤵
  PID:7284
- C:\Windows\System32\dxHZejc.exe
  C:\Windows\System32\dxHZejc.exe
  2⤵
  PID:7324
- C:\Windows\System32\VcObxeF.exe
  C:\Windows\System32\VcObxeF.exe
  2⤵
  PID:7360
- C:\Windows\System32\MYKhQqi.exe
  C:\Windows\System32\MYKhQqi.exe
  2⤵
  PID:7376
- C:\Windows\System32\OIETLTI.exe
  C:\Windows\System32\OIETLTI.exe
  2⤵
  PID:7396
- C:\Windows\System32\PfHByDv.exe
  C:\Windows\System32\PfHByDv.exe
  2⤵
  PID:7416
- C:\Windows\System32\FJnuOUb.exe
  C:\Windows\System32\FJnuOUb.exe
  2⤵
  PID:7436
- C:\Windows\System32\iREGmOG.exe
  C:\Windows\System32\iREGmOG.exe
  2⤵
  PID:7464
- C:\Windows\System32\UcqiFxL.exe
  C:\Windows\System32\UcqiFxL.exe
  2⤵
  PID:7480
- C:\Windows\System32\TwUKjHh.exe
  C:\Windows\System32\TwUKjHh.exe
  2⤵
  PID:7540
- C:\Windows\System32\UbfiXqK.exe
  C:\Windows\System32\UbfiXqK.exe
  2⤵
  PID:7572
- C:\Windows\System32\uVNfVVA.exe
  C:\Windows\System32\uVNfVVA.exe
  2⤵
  PID:7592
- C:\Windows\System32\kMvLdSN.exe
  C:\Windows\System32\kMvLdSN.exe
  2⤵
  PID:7612
- C:\Windows\System32\lOPymPN.exe
  C:\Windows\System32\lOPymPN.exe
  2⤵
  PID:7636
- C:\Windows\System32\KFyWhmW.exe
  C:\Windows\System32\KFyWhmW.exe
  2⤵
  PID:7672
- C:\Windows\System32\qKzMSjv.exe
  C:\Windows\System32\qKzMSjv.exe
  2⤵
  PID:7720
- C:\Windows\System32\MTfKdyO.exe
  C:\Windows\System32\MTfKdyO.exe
  2⤵
  PID:7756
- C:\Windows\System32\cmgBkcn.exe
  C:\Windows\System32\cmgBkcn.exe
  2⤵
  PID:7772
- C:\Windows\System32\uAaRRyM.exe
  C:\Windows\System32\uAaRRyM.exe
  2⤵
  PID:7792
- C:\Windows\System32\QhWysXw.exe
  C:\Windows\System32\QhWysXw.exe
  2⤵
  PID:7820
- C:\Windows\System32\MJCzmCX.exe
  C:\Windows\System32\MJCzmCX.exe
  2⤵
  PID:7844
- C:\Windows\System32\rEjIxvD.exe
  C:\Windows\System32\rEjIxvD.exe
  2⤵
  PID:7864
- C:\Windows\System32\ODfObyH.exe
  C:\Windows\System32\ODfObyH.exe
  2⤵
  PID:7880
- C:\Windows\System32\dxLFPBA.exe
  C:\Windows\System32\dxLFPBA.exe
  2⤵
  PID:7904
- C:\Windows\System32\woPBGZR.exe
  C:\Windows\System32\woPBGZR.exe
  2⤵
  PID:7936
- C:\Windows\System32\lGxgZdS.exe
  C:\Windows\System32\lGxgZdS.exe
  2⤵
  PID:7984
- C:\Windows\System32\rasQaea.exe
  C:\Windows\System32\rasQaea.exe
  2⤵
  PID:8028
- C:\Windows\System32\HdzlIDW.exe
  C:\Windows\System32\HdzlIDW.exe
  2⤵
  PID:8060
- C:\Windows\System32\HsELAYr.exe
  C:\Windows\System32\HsELAYr.exe
  2⤵
  PID:8100
- C:\Windows\System32\jeImpuH.exe
  C:\Windows\System32\jeImpuH.exe
  2⤵
  PID:8120
- C:\Windows\System32\NEyoONA.exe
  C:\Windows\System32\NEyoONA.exe
  2⤵
  PID:8144
- C:\Windows\System32\IbwAQTE.exe
  C:\Windows\System32\IbwAQTE.exe
  2⤵
  PID:8176
- C:\Windows\System32\OKdfwIq.exe
  C:\Windows\System32\OKdfwIq.exe
  2⤵
  PID:6928
- C:\Windows\System32\OaDTwln.exe
  C:\Windows\System32\OaDTwln.exe
  2⤵
  PID:7188
- C:\Windows\System32\EQmHHyB.exe
  C:\Windows\System32\EQmHHyB.exe
  2⤵
  PID:7236
- C:\Windows\System32\DFBPiFe.exe
  C:\Windows\System32\DFBPiFe.exe
  2⤵
  PID:7432
- C:\Windows\System32\JehFjBy.exe
  C:\Windows\System32\JehFjBy.exe
  2⤵
  PID:7404
- C:\Windows\System32\EOcxPjM.exe
  C:\Windows\System32\EOcxPjM.exe
  2⤵
  PID:7444
- C:\Windows\System32\KIcSfEz.exe
  C:\Windows\System32\KIcSfEz.exe
  2⤵
  PID:7516
- C:\Windows\System32\PdrabDJ.exe
  C:\Windows\System32\PdrabDJ.exe
  2⤵
  PID:7604
- C:\Windows\System32\WdKrvJi.exe
  C:\Windows\System32\WdKrvJi.exe
  2⤵
  PID:7600
- C:\Windows\System32\PtTjRzo.exe
  C:\Windows\System32\PtTjRzo.exe
  2⤵
  PID:7644
- C:\Windows\System32\jcipvLo.exe
  C:\Windows\System32\jcipvLo.exe
  2⤵
  PID:7748
- C:\Windows\System32\umJtQCD.exe
  C:\Windows\System32\umJtQCD.exe
  2⤵
  PID:7764
- C:\Windows\System32\onBmYOZ.exe
  C:\Windows\System32\onBmYOZ.exe
  2⤵
  PID:7840
- C:\Windows\System32\VLbjZYw.exe
  C:\Windows\System32\VLbjZYw.exe
  2⤵
  PID:7900
- C:\Windows\System32\dVQmQFw.exe
  C:\Windows\System32\dVQmQFw.exe
  2⤵
  PID:7968
- C:\Windows\System32\VtDaZcU.exe
  C:\Windows\System32\VtDaZcU.exe
  2⤵
  PID:8132
- C:\Windows\System32\oiHlsAk.exe
  C:\Windows\System32\oiHlsAk.exe
  2⤵
  PID:7248
- C:\Windows\System32\GnUuIOh.exe
  C:\Windows\System32\GnUuIOh.exe
  2⤵
  PID:7408
- C:\Windows\System32\QblETNC.exe
  C:\Windows\System32\QblETNC.exe
  2⤵
  PID:7412
- C:\Windows\System32\tbdXREE.exe
  C:\Windows\System32\tbdXREE.exe
  2⤵
  PID:7568
- C:\Windows\System32\nUilgtD.exe
  C:\Windows\System32\nUilgtD.exe
  2⤵
  PID:7708
- C:\Windows\System32\VGGDxeV.exe
  C:\Windows\System32\VGGDxeV.exe
  2⤵
  PID:7788
- C:\Windows\System32\PvjueYt.exe
  C:\Windows\System32\PvjueYt.exe
  2⤵
  PID:7972
- C:\Windows\System32\cLQCPoJ.exe
  C:\Windows\System32\cLQCPoJ.exe
  2⤵
  PID:8044
- C:\Windows\System32\KwQpWRb.exe
  C:\Windows\System32\KwQpWRb.exe
  2⤵
  PID:7696
- C:\Windows\System32\sfsGHRF.exe
  C:\Windows\System32\sfsGHRF.exe
  2⤵
  PID:8116
- C:\Windows\System32\aMXlnJj.exe
  C:\Windows\System32\aMXlnJj.exe
  2⤵
  PID:7688
- C:\Windows\System32\mJxbEwx.exe
  C:\Windows\System32\mJxbEwx.exe
  2⤵
  PID:7548
- C:\Windows\System32\ACILsYR.exe
  C:\Windows\System32\ACILsYR.exe
  2⤵
  PID:8224
- C:\Windows\System32\RJZXTNf.exe
  C:\Windows\System32\RJZXTNf.exe
  2⤵
  PID:8244
- C:\Windows\System32\cKIzlrL.exe
  C:\Windows\System32\cKIzlrL.exe
  2⤵
  PID:8264
- C:\Windows\System32\Msdwxed.exe
  C:\Windows\System32\Msdwxed.exe
  2⤵
  PID:8284
- C:\Windows\System32\cQiRyFA.exe
  C:\Windows\System32\cQiRyFA.exe
  2⤵
  PID:8308
- C:\Windows\System32\ofWFumz.exe
  C:\Windows\System32\ofWFumz.exe
  2⤵
  PID:8328
- C:\Windows\System32\igdFStW.exe
  C:\Windows\System32\igdFStW.exe
  2⤵
  PID:8352
- C:\Windows\System32\vmtLAMN.exe
  C:\Windows\System32\vmtLAMN.exe
  2⤵
  PID:8424
- C:\Windows\System32\dizyrBH.exe
  C:\Windows\System32\dizyrBH.exe
  2⤵
  PID:8448
- C:\Windows\System32\rMkqkZW.exe
  C:\Windows\System32\rMkqkZW.exe
  2⤵
  PID:8480
- C:\Windows\System32\WrHnIRV.exe
  C:\Windows\System32\WrHnIRV.exe
  2⤵
  PID:8520
- C:\Windows\System32\YRSuoxJ.exe
  C:\Windows\System32\YRSuoxJ.exe
  2⤵
  PID:8548
- C:\Windows\System32\sMNObYK.exe
  C:\Windows\System32\sMNObYK.exe
  2⤵
  PID:8568
- C:\Windows\System32\wKeOCfm.exe
  C:\Windows\System32\wKeOCfm.exe
  2⤵
  PID:8592
- C:\Windows\System32\eENwuUB.exe
  C:\Windows\System32\eENwuUB.exe
  2⤵
  PID:8612
- C:\Windows\System32\BTcOhQv.exe
  C:\Windows\System32\BTcOhQv.exe
  2⤵
  PID:8628
- C:\Windows\System32\wzuWwJg.exe
  C:\Windows\System32\wzuWwJg.exe
  2⤵
  PID:8656
- C:\Windows\System32\XeoUIfT.exe
  C:\Windows\System32\XeoUIfT.exe
  2⤵
  PID:8672
- C:\Windows\System32\ratCKHA.exe
  C:\Windows\System32\ratCKHA.exe
  2⤵
  PID:8808
- C:\Windows\System32\yCGlQmi.exe
  C:\Windows\System32\yCGlQmi.exe
  2⤵
  PID:8828
- C:\Windows\System32\feoZUkW.exe
  C:\Windows\System32\feoZUkW.exe
  2⤵
  PID:8844
- C:\Windows\System32\DyALfiF.exe
  C:\Windows\System32\DyALfiF.exe
  2⤵
  PID:8860
- C:\Windows\System32\PndHkmA.exe
  C:\Windows\System32\PndHkmA.exe
  2⤵
  PID:8892
- C:\Windows\System32\peAsELh.exe
  C:\Windows\System32\peAsELh.exe
  2⤵
  PID:8924
- C:\Windows\System32\CAoywdU.exe
  C:\Windows\System32\CAoywdU.exe
  2⤵
  PID:8944
- C:\Windows\System32\EZNGPqe.exe
  C:\Windows\System32\EZNGPqe.exe
  2⤵
  PID:8960
- C:\Windows\System32\SZjjfhL.exe
  C:\Windows\System32\SZjjfhL.exe
  2⤵
  PID:9040
- C:\Windows\System32\FXUuCHs.exe
  C:\Windows\System32\FXUuCHs.exe
  2⤵
  PID:9084
- C:\Windows\System32\yahdZnp.exe
  C:\Windows\System32\yahdZnp.exe
  2⤵
  PID:9100
- C:\Windows\System32\ihfkaiJ.exe
  C:\Windows\System32\ihfkaiJ.exe
  2⤵
  PID:9148
- C:\Windows\System32\uYbOhat.exe
  C:\Windows\System32\uYbOhat.exe
  2⤵
  PID:9164
- C:\Windows\System32\NnbIfon.exe
  C:\Windows\System32\NnbIfon.exe
  2⤵
  PID:9188
- C:\Windows\System32\eHOeQEM.exe
  C:\Windows\System32\eHOeQEM.exe
  2⤵
  PID:9208
- C:\Windows\System32\teyDFvo.exe
  C:\Windows\System32\teyDFvo.exe
  2⤵
  PID:8240
- C:\Windows\System32\IHVhdwq.exe
  C:\Windows\System32\IHVhdwq.exe
  2⤵
  PID:8320
- C:\Windows\System32\EmOjQaM.exe
  C:\Windows\System32\EmOjQaM.exe
  2⤵
  PID:8412
- C:\Windows\System32\xxreqbl.exe
  C:\Windows\System32\xxreqbl.exe
  2⤵
  PID:8472
- C:\Windows\System32\PGKFrsu.exe
  C:\Windows\System32\PGKFrsu.exe
  2⤵
  PID:8532
- C:\Windows\System32\LOvqTIB.exe
  C:\Windows\System32\LOvqTIB.exe
  2⤵
  PID:8696
- C:\Windows\System32\JykTNsy.exe
  C:\Windows\System32\JykTNsy.exe
  2⤵
  PID:8788
- C:\Windows\System32\pVdHZQM.exe
  C:\Windows\System32\pVdHZQM.exe
  2⤵
  PID:8712
- C:\Windows\System32\wTiJrVt.exe
  C:\Windows\System32\wTiJrVt.exe
  2⤵
  PID:8740
- C:\Windows\System32\AqqbDDP.exe
  C:\Windows\System32\AqqbDDP.exe
  2⤵
  PID:8768
- C:\Windows\System32\LrHJcNn.exe
  C:\Windows\System32\LrHJcNn.exe
  2⤵
  PID:8700
- C:\Windows\System32\gbwWQTw.exe
  C:\Windows\System32\gbwWQTw.exe
  2⤵
  PID:8820
- C:\Windows\System32\NEmfXBf.exe
  C:\Windows\System32\NEmfXBf.exe
  2⤵
  PID:8920
- C:\Windows\System32\NFwJDSV.exe
  C:\Windows\System32\NFwJDSV.exe
  2⤵
  PID:9020
- C:\Windows\System32\qkmeXjc.exe
  C:\Windows\System32\qkmeXjc.exe
  2⤵
  PID:9000
- C:\Windows\System32\vhILuZd.exe
  C:\Windows\System32\vhILuZd.exe
  2⤵
  PID:9052
- C:\Windows\System32\dRDRGoO.exe
  C:\Windows\System32\dRDRGoO.exe
  2⤵
  PID:9092
- C:\Windows\System32\aoBHhGr.exe
  C:\Windows\System32\aoBHhGr.exe
  2⤵
  PID:8196
- C:\Windows\System32\hxrFErF.exe
  C:\Windows\System32\hxrFErF.exe
  2⤵
  PID:8340
- C:\Windows\System32\fIwiUON.exe
  C:\Windows\System32\fIwiUON.exe
  2⤵
  PID:8436
- C:\Windows\System32\YisFLcD.exe
  C:\Windows\System32\YisFLcD.exe
  2⤵
  PID:8668
- C:\Windows\System32\vAKeZIt.exe
  C:\Windows\System32\vAKeZIt.exe
  2⤵
  PID:8748
- C:\Windows\System32\BLXnaXN.exe
  C:\Windows\System32\BLXnaXN.exe
  2⤵
  PID:8840
- C:\Windows\System32\fVmkhSz.exe
  C:\Windows\System32\fVmkhSz.exe
  2⤵
  PID:8952
- C:\Windows\System32\bkdrIOW.exe
  C:\Windows\System32\bkdrIOW.exe
  2⤵
  PID:9204
- C:\Windows\System32\oSoTQdT.exe
  C:\Windows\System32\oSoTQdT.exe
  2⤵
  PID:7872
- C:\Windows\System32\pbnjRFE.exe
  C:\Windows\System32\pbnjRFE.exe
  2⤵
  PID:8868
- C:\Windows\System32\WwwGohm.exe
  C:\Windows\System32\WwwGohm.exe
  2⤵
  PID:8884
- C:\Windows\System32\qEQGPMm.exe
  C:\Windows\System32\qEQGPMm.exe
  2⤵
  PID:8908
- C:\Windows\System32\ViGtbtT.exe
  C:\Windows\System32\ViGtbtT.exe
  2⤵
  PID:8440
- C:\Windows\System32\pIWOVil.exe
  C:\Windows\System32\pIWOVil.exe
  2⤵
  PID:9228
- C:\Windows\System32\JkSwEsG.exe
  C:\Windows\System32\JkSwEsG.exe
  2⤵
  PID:9252
- C:\Windows\System32\xWNUOJn.exe
  C:\Windows\System32\xWNUOJn.exe
  2⤵
  PID:9268
- C:\Windows\System32\VMvKJSh.exe
  C:\Windows\System32\VMvKJSh.exe
  2⤵
  PID:9304
- C:\Windows\System32\EjEBiiX.exe
  C:\Windows\System32\EjEBiiX.exe
  2⤵
  PID:9340
- C:\Windows\System32\PLZXRpB.exe
  C:\Windows\System32\PLZXRpB.exe
  2⤵
  PID:9356
- C:\Windows\System32\NqsPRpC.exe
  C:\Windows\System32\NqsPRpC.exe
  2⤵
  PID:9380
- C:\Windows\System32\cuFkdLO.exe
  C:\Windows\System32\cuFkdLO.exe
  2⤵
  PID:9420
- C:\Windows\System32\slwJfnW.exe
  C:\Windows\System32\slwJfnW.exe
  2⤵
  PID:9460
- C:\Windows\System32\CyEPvDr.exe
  C:\Windows\System32\CyEPvDr.exe
  2⤵
  PID:9480
- C:\Windows\System32\AsnEZMo.exe
  C:\Windows\System32\AsnEZMo.exe
  2⤵
  PID:9504
- C:\Windows\System32\ICTGeKn.exe
  C:\Windows\System32\ICTGeKn.exe
  2⤵
  PID:9524
- C:\Windows\System32\WZOxgau.exe
  C:\Windows\System32\WZOxgau.exe
  2⤵
  PID:9540
- C:\Windows\System32\fISiftM.exe
  C:\Windows\System32\fISiftM.exe
  2⤵
  PID:9568
- C:\Windows\System32\fZzFCaP.exe
  C:\Windows\System32\fZzFCaP.exe
  2⤵
  PID:9584
- C:\Windows\System32\oRXmfEz.exe
  C:\Windows\System32\oRXmfEz.exe
  2⤵
  PID:9620
- C:\Windows\System32\KpvfmeX.exe
  C:\Windows\System32\KpvfmeX.exe
  2⤵
  PID:9640
- C:\Windows\System32\CUJMyDV.exe
  C:\Windows\System32\CUJMyDV.exe
  2⤵
  PID:9668
- C:\Windows\System32\tlzbDVR.exe
  C:\Windows\System32\tlzbDVR.exe
  2⤵
  PID:9712
- C:\Windows\System32\vQSdOzo.exe
  C:\Windows\System32\vQSdOzo.exe
  2⤵
  PID:9772
- C:\Windows\System32\zOGOdzw.exe
  C:\Windows\System32\zOGOdzw.exe
  2⤵
  PID:9796
- C:\Windows\System32\CAbRFfo.exe
  C:\Windows\System32\CAbRFfo.exe
  2⤵
  PID:9816
- C:\Windows\System32\ALvTJoH.exe
  C:\Windows\System32\ALvTJoH.exe
  2⤵
  PID:9844
- C:\Windows\System32\MyttmcH.exe
  C:\Windows\System32\MyttmcH.exe
  2⤵
  PID:9864
- C:\Windows\System32\cqCRVWf.exe
  C:\Windows\System32\cqCRVWf.exe
  2⤵
  PID:9884
- C:\Windows\System32\aZGJiVL.exe
  C:\Windows\System32\aZGJiVL.exe
  2⤵
  PID:9928
- C:\Windows\System32\BylEsqM.exe
  C:\Windows\System32\BylEsqM.exe
  2⤵
  PID:9980
- C:\Windows\System32\oWDwfsP.exe
  C:\Windows\System32\oWDwfsP.exe
  2⤵
  PID:10004
- C:\Windows\System32\tRtnCiO.exe
  C:\Windows\System32\tRtnCiO.exe
  2⤵
  PID:10024
- C:\Windows\System32\vwtTCyM.exe
  C:\Windows\System32\vwtTCyM.exe
  2⤵
  PID:10060
- C:\Windows\System32\dOPQQjJ.exe
  C:\Windows\System32\dOPQQjJ.exe
  2⤵
  PID:10080
- C:\Windows\System32\JenJdSj.exe
  C:\Windows\System32\JenJdSj.exe
  2⤵
  PID:10108
- C:\Windows\System32\qoOpuQK.exe
  C:\Windows\System32\qoOpuQK.exe
  2⤵
  PID:10132
- C:\Windows\System32\yogoIjt.exe
  C:\Windows\System32\yogoIjt.exe
  2⤵
  PID:10156
- C:\Windows\System32\TREsUpM.exe
  C:\Windows\System32\TREsUpM.exe
  2⤵
  PID:10176
- C:\Windows\System32\IUzJhMl.exe
  C:\Windows\System32\IUzJhMl.exe
  2⤵
  PID:10200
- C:\Windows\System32\DQFiyCw.exe
  C:\Windows\System32\DQFiyCw.exe
  2⤵
  PID:10232
- C:\Windows\System32\FsyqHPf.exe
  C:\Windows\System32\FsyqHPf.exe
  2⤵
  PID:9264
- C:\Windows\System32\jAslTqi.exe
  C:\Windows\System32\jAslTqi.exe
  2⤵
  PID:9236
- C:\Windows\System32\zeWdppp.exe
  C:\Windows\System32\zeWdppp.exe
  2⤵
  PID:9364
- C:\Windows\System32\pLSZFyn.exe
  C:\Windows\System32\pLSZFyn.exe
  2⤵
  PID:9388
- C:\Windows\System32\vpgEkIi.exe
  C:\Windows\System32\vpgEkIi.exe
  2⤵
  PID:9536
- C:\Windows\System32\hHNxMVk.exe
  C:\Windows\System32\hHNxMVk.exe
  2⤵
  PID:9560
- C:\Windows\System32\LGXFnKQ.exe
  C:\Windows\System32\LGXFnKQ.exe
  2⤵
  PID:9700
- C:\Windows\System32\aFtpAMZ.exe
  C:\Windows\System32\aFtpAMZ.exe
  2⤵
  PID:9720
- C:\Windows\System32\FkLDwWh.exe
  C:\Windows\System32\FkLDwWh.exe
  2⤵
  PID:8888
- C:\Windows\System32\mcAFQeb.exe
  C:\Windows\System32\mcAFQeb.exe
  2⤵
  PID:9828
- C:\Windows\System32\bxPeBSp.exe
  C:\Windows\System32\bxPeBSp.exe
  2⤵
  PID:9896
- C:\Windows\System32\wPLGqLb.exe
  C:\Windows\System32\wPLGqLb.exe
  2⤵
  PID:10012
- C:\Windows\System32\EMiOZAG.exe
  C:\Windows\System32\EMiOZAG.exe
  2⤵
  PID:10076
- C:\Windows\System32\udsQpQn.exe
  C:\Windows\System32\udsQpQn.exe
  2⤵
  PID:10152
- C:\Windows\System32\xKifimL.exe
  C:\Windows\System32\xKifimL.exe
  2⤵
  PID:10220
- C:\Windows\System32\GRPYqVc.exe
  C:\Windows\System32\GRPYqVc.exe
  2⤵
  PID:9224
- C:\Windows\System32\uWntrrR.exe
  C:\Windows\System32\uWntrrR.exe
  2⤵
  PID:9456
- C:\Windows\System32\MuaeGqO.exe
  C:\Windows\System32\MuaeGqO.exe
  2⤵
  PID:9244
- C:\Windows\System32\atFpKFs.exe
  C:\Windows\System32\atFpKFs.exe
  2⤵
  PID:9500
- C:\Windows\System32\LiQNOWP.exe
  C:\Windows\System32\LiQNOWP.exe
  2⤵
  PID:9696
- C:\Windows\System32\wqdJpUI.exe
  C:\Windows\System32\wqdJpUI.exe
  2⤵
  PID:9680
- C:\Windows\System32\IthsyzK.exe
  C:\Windows\System32\IthsyzK.exe
  2⤵
  PID:9916
- C:\Windows\System32\AUlGGyD.exe
  C:\Windows\System32\AUlGGyD.exe
  2⤵
  PID:10068
- C:\Windows\System32\TPvYVOS.exe
  C:\Windows\System32\TPvYVOS.exe
  2⤵
  PID:10128
- C:\Windows\System32\ygabEkB.exe
  C:\Windows\System32\ygabEkB.exe
  2⤵
  PID:9296
- C:\Windows\System32\WZChWfA.exe
  C:\Windows\System32\WZChWfA.exe
  2⤵
  PID:9876
- C:\Windows\System32\ofWiwef.exe
  C:\Windows\System32\ofWiwef.exe
  2⤵
  PID:10256
- C:\Windows\System32\bpyyOoW.exe
  C:\Windows\System32\bpyyOoW.exe
  2⤵
  PID:10276
- C:\Windows\System32\xoffgvV.exe
  C:\Windows\System32\xoffgvV.exe
  2⤵
  PID:10292
- C:\Windows\System32\tTumzmr.exe
  C:\Windows\System32\tTumzmr.exe
  2⤵
  PID:10320
- C:\Windows\System32\ZQtIJtY.exe
  C:\Windows\System32\ZQtIJtY.exe
  2⤵
  PID:10352
- C:\Windows\System32\nSoONSo.exe
  C:\Windows\System32\nSoONSo.exe
  2⤵
  PID:10368
- C:\Windows\System32\nSxFzWh.exe
  C:\Windows\System32\nSxFzWh.exe
  2⤵
  PID:10392
- C:\Windows\System32\oyittfD.exe
  C:\Windows\System32\oyittfD.exe
  2⤵
  PID:10412
- C:\Windows\System32\FxWoGOl.exe
  C:\Windows\System32\FxWoGOl.exe
  2⤵
  PID:10440
- C:\Windows\System32\LpCIzFI.exe
  C:\Windows\System32\LpCIzFI.exe
  2⤵
  PID:10464
- C:\Windows\System32\VXVTEgd.exe
  C:\Windows\System32\VXVTEgd.exe
  2⤵
  PID:10484
- C:\Windows\System32\wAqfsJG.exe
  C:\Windows\System32\wAqfsJG.exe
  2⤵
  PID:10508
- C:\Windows\System32\paCsoCX.exe
  C:\Windows\System32\paCsoCX.exe
  2⤵
  PID:10556
- C:\Windows\System32\wVaSPoX.exe
  C:\Windows\System32\wVaSPoX.exe
  2⤵
  PID:10596
- C:\Windows\System32\TsIiGDV.exe
  C:\Windows\System32\TsIiGDV.exe
  2⤵
  PID:10616
- C:\Windows\System32\NeDyddC.exe
  C:\Windows\System32\NeDyddC.exe
  2⤵
  PID:10644
- C:\Windows\System32\OdnByth.exe
  C:\Windows\System32\OdnByth.exe
  2⤵
  PID:10672
- C:\Windows\System32\tWharFM.exe
  C:\Windows\System32\tWharFM.exe
  2⤵
  PID:10692
- C:\Windows\System32\GWXtFWG.exe
  C:\Windows\System32\GWXtFWG.exe
  2⤵
  PID:10712
- C:\Windows\System32\DDGqFVd.exe
  C:\Windows\System32\DDGqFVd.exe
  2⤵
  PID:10752
- C:\Windows\System32\OweGfvl.exe
  C:\Windows\System32\OweGfvl.exe
  2⤵
  PID:10788
- C:\Windows\System32\HGjLrZt.exe
  C:\Windows\System32\HGjLrZt.exe
  2⤵
  PID:10816
- C:\Windows\System32\cGKBwQG.exe
  C:\Windows\System32\cGKBwQG.exe
  2⤵
  PID:10844
- C:\Windows\System32\UKxqQRr.exe
  C:\Windows\System32\UKxqQRr.exe
  2⤵
  PID:10864
- C:\Windows\System32\dMmYVUt.exe
  C:\Windows\System32\dMmYVUt.exe
  2⤵
  PID:10888
- C:\Windows\System32\CfydaJG.exe
  C:\Windows\System32\CfydaJG.exe
  2⤵
  PID:10908
- C:\Windows\System32\pMnZJQO.exe
  C:\Windows\System32\pMnZJQO.exe
  2⤵
  PID:10960
- C:\Windows\System32\XbSLixe.exe
  C:\Windows\System32\XbSLixe.exe
  2⤵
  PID:11016
- C:\Windows\System32\UglqXGK.exe
  C:\Windows\System32\UglqXGK.exe
  2⤵
  PID:11036
- C:\Windows\System32\JnUwVKQ.exe
  C:\Windows\System32\JnUwVKQ.exe
  2⤵
  PID:11064
- C:\Windows\System32\RhhkOzt.exe
  C:\Windows\System32\RhhkOzt.exe
  2⤵
  PID:11092
- C:\Windows\System32\GNDWlQq.exe
  C:\Windows\System32\GNDWlQq.exe
  2⤵
  PID:11116
- C:\Windows\System32\AvUIMJg.exe
  C:\Windows\System32\AvUIMJg.exe
  2⤵
  PID:11140
- C:\Windows\System32\YGDJBQN.exe
  C:\Windows\System32\YGDJBQN.exe
  2⤵
  PID:11160
- C:\Windows\System32\drUUvHw.exe
  C:\Windows\System32\drUUvHw.exe
  2⤵
  PID:11180
- C:\Windows\System32\mvUPkSA.exe
  C:\Windows\System32\mvUPkSA.exe
  2⤵
  PID:11200
- C:\Windows\System32\DboYhmI.exe
  C:\Windows\System32\DboYhmI.exe
  2⤵
  PID:11252
- C:\Windows\System32\HjSGuHn.exe
  C:\Windows\System32\HjSGuHn.exe
  2⤵
  PID:10272
- C:\Windows\System32\hbLvCGp.exe
  C:\Windows\System32\hbLvCGp.exe
  2⤵
  PID:10304
- C:\Windows\System32\lUZvvkc.exe
  C:\Windows\System32\lUZvvkc.exe
  2⤵
  PID:10420
- C:\Windows\System32\unVxZTg.exe
  C:\Windows\System32\unVxZTg.exe
  2⤵
  PID:10404
- C:\Windows\System32\fvoapTN.exe
  C:\Windows\System32\fvoapTN.exe
  2⤵
  PID:10492
- C:\Windows\System32\bzzHWXq.exe
  C:\Windows\System32\bzzHWXq.exe
  2⤵
  PID:10520
- C:\Windows\System32\JPNeALb.exe
  C:\Windows\System32\JPNeALb.exe
  2⤵
  PID:10584
- C:\Windows\System32\ZrfXvUr.exe
  C:\Windows\System32\ZrfXvUr.exe
  2⤵
  PID:10652
- C:\Windows\System32\OqUeFRp.exe
  C:\Windows\System32\OqUeFRp.exe
  2⤵
  PID:10700
- C:\Windows\System32\PugICYi.exe
  C:\Windows\System32\PugICYi.exe
  2⤵
  PID:10812
- C:\Windows\System32\AaqRGfI.exe
  C:\Windows\System32\AaqRGfI.exe
  2⤵
  PID:10872
- C:\Windows\System32\RVkYxQE.exe
  C:\Windows\System32\RVkYxQE.exe
  2⤵
  PID:10920
- C:\Windows\System32\glvZqfG.exe
  C:\Windows\System32\glvZqfG.exe
  2⤵
  PID:10984
- C:\Windows\System32\fxQwcSB.exe
  C:\Windows\System32\fxQwcSB.exe
  2⤵
  PID:11008
- C:\Windows\System32\muekqHT.exe
  C:\Windows\System32\muekqHT.exe
  2⤵
  PID:11072
- C:\Windows\System32\qNyZjSE.exe
  C:\Windows\System32\qNyZjSE.exe
  2⤵
  PID:11156
- C:\Windows\System32\LspwlIu.exe
  C:\Windows\System32\LspwlIu.exe
  2⤵
  PID:11208
- C:\Windows\System32\dLnPbIc.exe
  C:\Windows\System32\dLnPbIc.exe
  2⤵
  PID:11244
- C:\Windows\System32\HAwmRHn.exe
  C:\Windows\System32\HAwmRHn.exe
  2⤵
  PID:10284
- C:\Windows\System32\KxJwZTl.exe
  C:\Windows\System32\KxJwZTl.exe
  2⤵
  PID:10668
- C:\Windows\System32\oJsWHFr.exe
  C:\Windows\System32\oJsWHFr.exe
  2⤵
  PID:10684
- C:\Windows\System32\sWHJuga.exe
  C:\Windows\System32\sWHJuga.exe
  2⤵
  PID:11024
- C:\Windows\System32\GifpRaI.exe
  C:\Windows\System32\GifpRaI.exe
  2⤵
  PID:2832
- C:\Windows\System32\xSSAQJf.exe
  C:\Windows\System32\xSSAQJf.exe
  2⤵
  PID:11196
- C:\Windows\System32\JCQGrmX.exe
  C:\Windows\System32\JCQGrmX.exe
  2⤵
  PID:10288
- C:\Windows\System32\lzNtuXu.exe
  C:\Windows\System32\lzNtuXu.exe
  2⤵
  PID:10740
- C:\Windows\System32\kBnqqig.exe
  C:\Windows\System32\kBnqqig.exe
  2⤵
  PID:11124
- C:\Windows\System32\vIoEImS.exe
  C:\Windows\System32\vIoEImS.exe
  2⤵
  PID:11136
- C:\Windows\System32\SQtKbGH.exe
  C:\Windows\System32\SQtKbGH.exe
  2⤵
  PID:11280
- C:\Windows\System32\CdnAnyI.exe
  C:\Windows\System32\CdnAnyI.exe
  2⤵
  PID:11304
- C:\Windows\System32\tbNdndS.exe
  C:\Windows\System32\tbNdndS.exe
  2⤵
  PID:11336
- C:\Windows\System32\vpRYpwt.exe
  C:\Windows\System32\vpRYpwt.exe
  2⤵
  PID:11352
- C:\Windows\System32\jcJtSds.exe
  C:\Windows\System32\jcJtSds.exe
  2⤵
  PID:11376
- C:\Windows\System32\DUKwLKs.exe
  C:\Windows\System32\DUKwLKs.exe
  2⤵
  PID:11396
- C:\Windows\System32\RBiRpJt.exe
  C:\Windows\System32\RBiRpJt.exe
  2⤵
  PID:11416
- C:\Windows\System32\yfIpOvo.exe
  C:\Windows\System32\yfIpOvo.exe
  2⤵
  PID:11504
- C:\Windows\System32\cbLLbue.exe
  C:\Windows\System32\cbLLbue.exe
  2⤵
  PID:11520
- C:\Windows\System32\eSViQMb.exe
  C:\Windows\System32\eSViQMb.exe
  2⤵
  PID:11548
- C:\Windows\System32\pTbrtva.exe
  C:\Windows\System32\pTbrtva.exe
  2⤵
  PID:11576
- C:\Windows\System32\oYoVbqA.exe
  C:\Windows\System32\oYoVbqA.exe
  2⤵
  PID:11592
- C:\Windows\System32\KEcvvsD.exe
  C:\Windows\System32\KEcvvsD.exe
  2⤵
  PID:11616
- C:\Windows\System32\rvnrfnR.exe
  C:\Windows\System32\rvnrfnR.exe
  2⤵
  PID:11648
- C:\Windows\System32\gRWiRUh.exe
  C:\Windows\System32\gRWiRUh.exe
  2⤵
  PID:11676
- C:\Windows\System32\gNwxLTl.exe
  C:\Windows\System32\gNwxLTl.exe
  2⤵
  PID:11700
- C:\Windows\System32\SMqMRSK.exe
  C:\Windows\System32\SMqMRSK.exe
  2⤵
  PID:11720
- C:\Windows\System32\sOUwMgh.exe
  C:\Windows\System32\sOUwMgh.exe
  2⤵
  PID:11740
- C:\Windows\System32\SqDGBCR.exe
  C:\Windows\System32\SqDGBCR.exe
  2⤵
  PID:11780
- C:\Windows\System32\uOyuoLS.exe
  C:\Windows\System32\uOyuoLS.exe
  2⤵
  PID:11828
- C:\Windows\System32\olRucVZ.exe
  C:\Windows\System32\olRucVZ.exe
  2⤵
  PID:11848
- C:\Windows\System32\YrXeGvX.exe
  C:\Windows\System32\YrXeGvX.exe
  2⤵
  PID:11884
- C:\Windows\System32\Orfrnug.exe
  C:\Windows\System32\Orfrnug.exe
  2⤵
  PID:11916
- C:\Windows\System32\zaloXBa.exe
  C:\Windows\System32\zaloXBa.exe
  2⤵
  PID:11940
- C:\Windows\System32\FdmfPjG.exe
  C:\Windows\System32\FdmfPjG.exe
  2⤵
  PID:11956
- C:\Windows\System32\mIiEnCv.exe
  C:\Windows\System32\mIiEnCv.exe
  2⤵
  PID:11980
- C:\Windows\System32\pYgLzoi.exe
  C:\Windows\System32\pYgLzoi.exe
  2⤵
  PID:12028
- C:\Windows\System32\qDbcskh.exe
  C:\Windows\System32\qDbcskh.exe
  2⤵
  PID:12048
- C:\Windows\System32\VQsKqZt.exe
  C:\Windows\System32\VQsKqZt.exe
  2⤵
  PID:12076
- C:\Windows\System32\PKSbPFC.exe
  C:\Windows\System32\PKSbPFC.exe
  2⤵
  PID:12128
- C:\Windows\System32\hZCaHhH.exe
  C:\Windows\System32\hZCaHhH.exe
  2⤵
  PID:12156
- C:\Windows\System32\rMKwJVs.exe
  C:\Windows\System32\rMKwJVs.exe
  2⤵
  PID:12180
- C:\Windows\System32\RtcUAcx.exe
  C:\Windows\System32\RtcUAcx.exe
  2⤵
  PID:12204
- C:\Windows\System32\ZDALDVB.exe
  C:\Windows\System32\ZDALDVB.exe
  2⤵
  PID:12224
- C:\Windows\System32\oNhKzzW.exe
  C:\Windows\System32\oNhKzzW.exe
  2⤵
  PID:12244
- C:\Windows\System32\cXUKFRa.exe
  C:\Windows\System32\cXUKFRa.exe
  2⤵
  PID:12260
- C:\Windows\System32\LZsOkbt.exe
  C:\Windows\System32\LZsOkbt.exe
  2⤵
  PID:11268
- C:\Windows\System32\FFtQTaZ.exe
  C:\Windows\System32\FFtQTaZ.exe
  2⤵
  PID:11368
- C:\Windows\System32\httgvOK.exe
  C:\Windows\System32\httgvOK.exe
  2⤵
  PID:11392
- C:\Windows\System32\ijGmASK.exe
  C:\Windows\System32\ijGmASK.exe
  2⤵
  PID:11512
- C:\Windows\System32\zgAStVg.exe
  C:\Windows\System32\zgAStVg.exe
  2⤵
  PID:11560
- C:\Windows\System32\RDkJtxr.exe
  C:\Windows\System32\RDkJtxr.exe
  2⤵
  PID:11624
- C:\Windows\System32\WqrUPKe.exe
  C:\Windows\System32\WqrUPKe.exe
  2⤵
  PID:11692
- C:\Windows\System32\JaDzLFO.exe
  C:\Windows\System32\JaDzLFO.exe
  2⤵
  PID:11776
- C:\Windows\System32\LLkHNwJ.exe
  C:\Windows\System32\LLkHNwJ.exe
  2⤵
  PID:11820
- C:\Windows\System32\ZDORGuS.exe
  C:\Windows\System32\ZDORGuS.exe
  2⤵
  PID:11856
- C:\Windows\System32\JeXcLbO.exe
  C:\Windows\System32\JeXcLbO.exe
  2⤵
  PID:11964
- C:\Windows\System32\bNNGzLa.exe
  C:\Windows\System32\bNNGzLa.exe
  2⤵
  PID:11968
- C:\Windows\System32\aYBfhXL.exe
  C:\Windows\System32\aYBfhXL.exe
  2⤵
  PID:12084
- C:\Windows\System32\IkBxffk.exe
  C:\Windows\System32\IkBxffk.exe
  2⤵
  PID:12092
- C:\Windows\System32\yKVwxrX.exe
  C:\Windows\System32\yKVwxrX.exe
  2⤵
  PID:12268
- C:\Windows\System32\xVtLotP.exe
  C:\Windows\System32\xVtLotP.exe
  2⤵
  PID:10364
- C:\Windows\System32\gHQhTQU.exe
  C:\Windows\System32\gHQhTQU.exe
  2⤵
  PID:11428
- C:\Windows\System32\IEAPJEe.exe
  C:\Windows\System32\IEAPJEe.exe
  2⤵
  PID:11424
- C:\Windows\System32\YoRFwzE.exe
  C:\Windows\System32\YoRFwzE.exe
  2⤵
  PID:11808
- C:\Windows\System32\dVOwBvK.exe
  C:\Windows\System32\dVOwBvK.exe
  2⤵
  PID:11908
- C:\Windows\System32\DLEhgTv.exe
  C:\Windows\System32\DLEhgTv.exe
  2⤵
  PID:12068
- C:\Windows\System32\yzgcKpF.exe
  C:\Windows\System32\yzgcKpF.exe
  2⤵
  PID:12124
- C:\Windows\System32\rqlLfzW.exe
  C:\Windows\System32\rqlLfzW.exe
  2⤵
  PID:12212
- C:\Windows\System32\sLZZitd.exe
  C:\Windows\System32\sLZZitd.exe
  2⤵
  PID:11320
- C:\Windows\System32\PVWYTfc.exe
  C:\Windows\System32\PVWYTfc.exe
  2⤵
  PID:11904
- C:\Windows\System32\lONUfBW.exe
  C:\Windows\System32\lONUfBW.exe
  2⤵
  PID:12276
- C:\Windows\System32\cCYyJIM.exe
  C:\Windows\System32\cCYyJIM.exe
  2⤵
  PID:11976
- C:\Windows\System32\GVXSKHk.exe
  C:\Windows\System32\GVXSKHk.exe
  2⤵
  PID:12304
- C:\Windows\System32\coowtMq.exe
  C:\Windows\System32\coowtMq.exe
  2⤵
  PID:12320
- C:\Windows\System32\aorcvVZ.exe
  C:\Windows\System32\aorcvVZ.exe
  2⤵
  PID:12356
- C:\Windows\System32\ebAAglc.exe
  C:\Windows\System32\ebAAglc.exe
  2⤵
  PID:12380
- C:\Windows\System32\nglvtyP.exe
  C:\Windows\System32\nglvtyP.exe
  2⤵
  PID:12404
- C:\Windows\System32\rWvzBJc.exe
  C:\Windows\System32\rWvzBJc.exe
  2⤵
  PID:12448
- C:\Windows\System32\raIUJie.exe
  C:\Windows\System32\raIUJie.exe
  2⤵
  PID:12472
- C:\Windows\System32\UFOLlfo.exe
  C:\Windows\System32\UFOLlfo.exe
  2⤵
  PID:12496
- C:\Windows\System32\oBzOLdB.exe
  C:\Windows\System32\oBzOLdB.exe
  2⤵
  PID:12516
- C:\Windows\System32\nznkTXa.exe
  C:\Windows\System32\nznkTXa.exe
  2⤵
  PID:12544
- C:\Windows\System32\lfIbJZa.exe
  C:\Windows\System32\lfIbJZa.exe
  2⤵
  PID:12564
- C:\Windows\System32\OPVHovi.exe
  C:\Windows\System32\OPVHovi.exe
  2⤵
  PID:12584
- C:\Windows\System32\NclAtpO.exe
  C:\Windows\System32\NclAtpO.exe
  2⤵
  PID:12628
- C:\Windows\System32\EraQWFi.exe
  C:\Windows\System32\EraQWFi.exe
  2⤵
  PID:12652
- C:\Windows\System32\XGPVutI.exe
  C:\Windows\System32\XGPVutI.exe
  2⤵
  PID:12672
- C:\Windows\System32\OpMVxGi.exe
  C:\Windows\System32\OpMVxGi.exe
  2⤵
  PID:12712
- C:\Windows\System32\qISRWLp.exe
  C:\Windows\System32\qISRWLp.exe
  2⤵
  PID:12744
- C:\Windows\System32\tgbdywm.exe
  C:\Windows\System32\tgbdywm.exe
  2⤵
  PID:12784
- C:\Windows\System32\gvRibBl.exe
  C:\Windows\System32\gvRibBl.exe
  2⤵
  PID:12808
- C:\Windows\System32\gEAaQpg.exe
  C:\Windows\System32\gEAaQpg.exe
  2⤵
  PID:12824
- C:\Windows\System32\QJhEZyd.exe
  C:\Windows\System32\QJhEZyd.exe
  2⤵
  PID:12852
- C:\Windows\System32\NPdVKis.exe
  C:\Windows\System32\NPdVKis.exe
  2⤵
  PID:12872
- C:\Windows\System32\bIEIFbP.exe
  C:\Windows\System32\bIEIFbP.exe
  2⤵
  PID:12896
- C:\Windows\System32\JtXMuir.exe
  C:\Windows\System32\JtXMuir.exe
  2⤵
  PID:12924
- C:\Windows\System32\AswIjby.exe
  C:\Windows\System32\AswIjby.exe
  2⤵
  PID:12984
- C:\Windows\System32\HmBQElr.exe
  C:\Windows\System32\HmBQElr.exe
  2⤵
  PID:13008
- C:\Windows\System32\leJOOEF.exe
  C:\Windows\System32\leJOOEF.exe
  2⤵
  PID:13032
- C:\Windows\System32\akLrtyt.exe
  C:\Windows\System32\akLrtyt.exe
  2⤵
  PID:13060
- C:\Windows\System32\fBQcEBx.exe
  C:\Windows\System32\fBQcEBx.exe
  2⤵
  PID:13080
- C:\Windows\System32\hRARGhA.exe
  C:\Windows\System32\hRARGhA.exe
  2⤵
  PID:13104
- C:\Windows\System32\pTZqKte.exe
  C:\Windows\System32\pTZqKte.exe
  2⤵
  PID:13124
- C:\Windows\System32\argCxNT.exe
  C:\Windows\System32\argCxNT.exe
  2⤵
  PID:13168
- C:\Windows\System32\jEudAHg.exe
  C:\Windows\System32\jEudAHg.exe
  2⤵
  PID:13208
- C:\Windows\System32\kGQpwfn.exe
  C:\Windows\System32\kGQpwfn.exe
  2⤵
  PID:13228
- C:\Windows\System32\YdbUDoC.exe
  C:\Windows\System32\YdbUDoC.exe
  2⤵
  PID:13268
- C:\Windows\System32\vnbRQPs.exe
  C:\Windows\System32\vnbRQPs.exe
  2⤵
  PID:13288
- C:\Windows\System32\DgoSRLs.exe
  C:\Windows\System32\DgoSRLs.exe
  2⤵
  PID:12112
- C:\Windows\System32\LiGHwrq.exe
  C:\Windows\System32\LiGHwrq.exe
  2⤵
  PID:12340
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 12340 -s 248
    3⤵
    PID:12736

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AXoJrlD.exe

Filesize
1.4MB

MD5
1fc3cd905a5d5559ff5271575732902f

SHA1
a5d78d1effff9abc7484af543344e2a92f55d6c4

SHA256
1393bf9c002c8d307a210b101cb430ea79f40ee0d8d957ee6ff6b61b0b5ae1fc

SHA512
77af41a71b6555de7015e16baffa15636d267575dabdfc448c44a02a8dcfd4c5b61e86df3b26967f0813084f0e8410430093d382b7fcb1dd982ec128d0df1e87

Download Submit
C:\Windows\System32\BqydDIE.exe

Filesize
1.4MB

MD5
1525e774c1e57793040e6cd8df9b9272

SHA1
78e66e653796a38679ab93590f253c1c25becc28

SHA256
0d8e25608f7b12835e02e8ea74500a62a963d6094340e92fa961a2a1fe486d16

SHA512
8774b6dbc3e3b78a56453314f354acdc0dc9270d8bec652c2fd32dc8f5e9e9651b68cc83d1d5fe738ff19476dc8e058dc829e114953805fedda28f07ad76bf53

Download Submit
C:\Windows\System32\EGrZuLR.exe

Filesize
1.4MB

MD5
70ab8c24f59e95e3b61577733f58a587

SHA1
09fc7af8d01f86e1d3c863a121cae6bcc9540a18

SHA256
7bac4aa145cb7e75a081862b630dcebee056246053684fa77a1fcbc7a35eac59

SHA512
fb53eae886b109f5fc734ef6b4e12a088e3a6a5c1d61276ae87e060ea62d86b3c0f048aec29ce16209b09e271f95af6e54fcee7e1c29b10b274a30abc78aab47

Download Submit
C:\Windows\System32\HSEcGEh.exe

Filesize
1.4MB

MD5
b85b1e93ea963f04391483fe21154d9b

SHA1
0a8eccd2c074451363e4dade723236a2a792043d

SHA256
9b62d7c76a1b4dd8cbccf5c3bcd555ad9f643a70ef557ca65501f636c7ca91d4

SHA512
2a80ee04768e3ad63fc2cf649ada033a9293c757590dd1eafc24e6ee7d643b262afe9f0d904b2eaaeb57bfae368f1d563054734c4c32034fdeb1bd9af404022a

Download Submit
C:\Windows\System32\IPSsTSx.exe

Filesize
1.4MB

MD5
7b30f25b5b148e4d9a518348f82a34c9

SHA1
99df14e9ee4efd6486dcbc39d52296fcc8829d6d

SHA256
6b54d08b7bc060b2826515983c975e6033fd8670398db8ac283e2700e91a0617

SHA512
b380c1688e619ca6c9e2caefee9b7cd9d1b283c0883037805321740b9ed773bde6b5a9695c89b5472b6072153851fa70bd8f0baf41eaf1da503b421eb3d4de95

Download Submit
C:\Windows\System32\KtkCelj.exe

Filesize
1.4MB

MD5
7eb70406ca55e188b4b9a61e96a1d14f

SHA1
b780f575d108a23a7a263c00d07ea72ed08ea0e6

SHA256
6b67bfba6688c3820df03814b39ea0a7b599b5ea176e298acf273b947ff67965

SHA512
f0dff97014dd9928e725064a52403248017f6179c0918a25ebec59ed00d34cf9ddfd4ef5239262b6b57a1088213570b7b27f6c40744305b279168aebddf00499

Download Submit
C:\Windows\System32\LJGLlib.exe

Filesize
1.4MB

MD5
1263ffe3d7272f77fa352e57c94d552f

SHA1
6c330f5dffd30e0d873bd1410f55dd4a528fe3b5

SHA256
ca353e301fd359eecbac3a293f07dc63de2958080dc131defe5dc19c7f9b5dbb

SHA512
ed7254917fa973a599741b44e5e9dfa259452dabdd13f9742eaebbbaf5eea812dc3c03468dbf19e0fa9390581d2f6cf0cc5fa558890d4cf46b61f31889b8ee2b

Download Submit
C:\Windows\System32\MvLxYXu.exe

Filesize
1.4MB

MD5
eaaf61292a7fe700fb8898a115dfde06

SHA1
37a53927d8c9321ede307666c8492ea885c84aaa

SHA256
729ee62ac14ff7eb7c038c09ce2b73e3a43da6f16aea6bb8d8c35343ae4ecb92

SHA512
06f926f51897bbc84abdf2781ae37569654a57f6b0a43218741f2a8bca1a7ea5cc64f623b69724e8634bd639bddb0ff184aa054f15019d5d1fe537b50af7aaa7

Download Submit
C:\Windows\System32\NIEGJUF.exe

Filesize
1.4MB

MD5
616b9a3db8649825355a0df9f5d8c0cd

SHA1
30cb3b4c4dd07a3cde530d58a297840bcf7c9950

SHA256
d5ebd2270b0f3f67ef0968bab8eb62942973b20116c1848c0648e61ac3eb3eba

SHA512
31c4e30256aafedd93b5961dc380875a8333dad70e2d737bb430a80c7b99678b97d889ff04dc6a0bbb28dac69091299b500f2d7ea7a7d589d2e4bd6a17b8ff1b

Download Submit
C:\Windows\System32\NTwLGSx.exe

Filesize
1.4MB

MD5
6edfcab5107845b4c80d883f2128ee2b

SHA1
1d632b204423bedae048de8f8c5357c6d63b79e1

SHA256
62dba00a75e42a352c4a980127cd16e01a43a04c93eada16ef2ed98c8a7ec0d7

SHA512
b583f37094a2ebd4a42ef3c04f1569ce16c4df014fe25114c2594042f4bacd21fb08d5e0cfb7e2274370a80cb30c35feebae908a2ef7e8f017363d746579a0c8

Download Submit
C:\Windows\System32\PssgefV.exe

Filesize
1.4MB

MD5
644fc0f52a57ab0cbb5a9543e0deab49

SHA1
c1bf5105bb44837a983ab4c9e09c936c373dc8b8

SHA256
959c7c3e40764f62bac46538f27c950cb5eb0492433947b134cecccdc310e35b

SHA512
6933dbff9d04778b3f536e6ca3d402b4ec1d1b23796aef119cdbdb95a4ed735574c4a3199e810b3130057de05853e3e02012dd1541f1f57e45c9fe0d95a522f6

Download Submit
C:\Windows\System32\SgnKPHN.exe

Filesize
1.4MB

MD5
cf591d813fb29f7188906d4fed661732

SHA1
06e14dc6dd808a901397ab8edc45be55f55c64a4

SHA256
a6b6204015ec46cb0df642fab9839cf75b507ca944c877ee349c29de81cf6801

SHA512
b1f6f3e7dc4f232a91bf8d346c77c61854294171b64d76334923cd7ca9b09916989831ceec0939d1c1dc63584ad42f3e725de8c06e808e8c445f5501ddc302e3

Download Submit
C:\Windows\System32\TzhtEVb.exe

Filesize
1.4MB

MD5
a4e91cccb5cb31ed5d7f25c496db94cb

SHA1
a9345be6c54aa189c6fcc3f0ade0fb854ff01383

SHA256
04ea356512925ac729cd5ca8aa9b3702a6df424c95e935a04c77a68a2fd6bd7e

SHA512
c6568e285d945af39034f27a1f6d94c5fe35b43b70c84c56319ac0ce89998c4d936a2e5c6abef6fbea1cffcd66b3c6732b9e994b131e271bd0954cf7b3db4306

Download Submit
C:\Windows\System32\UkMDReY.exe

Filesize
1.4MB

MD5
2dd9e24aa52778f3726e6e2545e745b2

SHA1
4d4276ba2d44d940a3cb3ac5dc946d7b3245e4cb

SHA256
b284b69565d59adfee55ddd3eeb251e26547b04437b5809aa45bce8ce90472f9

SHA512
52d13f85925a7e93fc45e66544d3dc1955cdc5d9888a1f148b505a184d941ade921c718e0e669e0e6ad64075572abf3f12899ac294187111f2a3c95d383a7047

Download Submit
C:\Windows\System32\WXyNwps.exe

Filesize
1.4MB

MD5
d84dbdd7e4e06ae71b5d76016abe38ee

SHA1
c401d5115170001835ac7be23384305fe90e6777

SHA256
1b14b72a990d778fe567c1359323adac66d6b095d62ed9a03ce199bc60839815

SHA512
c376760865549a092e9875b5c08fbcc3797f06efa3805f753ff6ba1aaaa7fa08a010d0a5463ec0bbc88d3fade2d550719c969ba666d46be77808e3ec7c557e67

Download Submit
C:\Windows\System32\XZkTBEn.exe

Filesize
1.4MB

MD5
0ea3d4238fab3c8d9ab255bf1346fa66

SHA1
7c40ffaa8f6e3d5392cc7c1535c891336a45c3ab

SHA256
b58d108bd4d6ee39090f2b66c46547cfa033ad241c8d390a4a7d243451f2d39f

SHA512
53224390b0ee60b96364e5eafc9100791224c95965b2eb525077d1d1d81aa7d1dec0da49d2157afef7d4e390ef88255672375663a28c03841c770a5c257077f2

Download Submit
C:\Windows\System32\YKDDOFN.exe

Filesize
1.4MB

MD5
9c2b49ce06b8d890d0280defd48969e3

SHA1
e810c512f043c6b7f9c0a7e467624bdb700510c9

SHA256
37a6bcf364523dfe2a8621e1b545f048c6635eae66c11c8bd5e61ac026e25ade

SHA512
7b808ea9d6e3996e84ea2a1b65a146e14a7d5fd3f64c40fc6f336007d18cbae93e79b5ab24fc3ae2d8bba79d8b1252c0c9727b002e50a9033f8a9790b0976dd7

Download Submit
C:\Windows\System32\cERThYu.exe

Filesize
1.4MB

MD5
9b91ac60af715d8f12d229807fed9659

SHA1
849fe1ba27849e9186593d922a4e6bbbd3eae484

SHA256
3c51fb14f47b60473188747c82d456f7a1917940aca287cd51610d8e1f9dd8d7

SHA512
274b93e5c6339fc307364c5e463827d8a531f42a5a20ef58d16d9bf9bd73d65096193d11f8d67c1c22ea29f81bd779acd0aae7b3e2f11f672c9cfbf38ee8f115

Download Submit
C:\Windows\System32\cdkIvqv.exe

Filesize
1.4MB

MD5
337406abbd06365ea22f2aed975da68d

SHA1
dc488fa644e80871474545771b1a1f81eda29d59

SHA256
3e5d0587a372694c8abd46e7fdfecd0148bc3dd06560d8d0737582ffd867ecba

SHA512
10073f19567076501d8069ff264ba945d0ac4841a64ef01691728f5aaae311ba7bf18dff9e40e6bc1ee2bbd4ff290205be85b8a0d360535441a89d291673cb3e

Download Submit
C:\Windows\System32\dJRfAhE.exe

Filesize
1.4MB

MD5
367bfa7126d3db951149b1b6bc9f330a

SHA1
d9642d882d7a486d7b25f8e3abcb9d977aca73df

SHA256
3769a4fca63cbb7a6767ca45040d12c7002336167b48b8b1bc21edb491f6e9f8

SHA512
2993fec230a85cadc7d8654643ffd442133d6d6513ff284dd53bb1e03cec32e66c620665e5c1ae554c442128435adeca0b6ac58e3db88de8acae6de884a23404

Download Submit
C:\Windows\System32\fnwfDnn.exe

Filesize
1.4MB

MD5
eff62d48d431a992fa021ab7c59a29d0

SHA1
9b7011c4feccd3a7f7ddf7667c20f8a64c68e60e

SHA256
5d743f01bec898ce5663808dbb6bae8f3d73f140a5dafab08c7e819007618a94

SHA512
e3798f885174649472beb6e41c5ae4c089139c95873dcf5be730057ef1816239573bb33e26158d21d38b54e93551027ba2692a44ea4ad2dc635eff1c74019011

Download Submit
C:\Windows\System32\iEnkVty.exe

Filesize
1.4MB

MD5
405315271597de3070d3792747c966cf

SHA1
e5e300d2ae2e12c371c008de4765146708539d17

SHA256
ce8070f55738059a1b6f8ca79e960d4f34d0fd779b9d44bfa6183c511f2248f6

SHA512
b744a64291dfb3f46641a36ffb71eba6452c8872cd0b4134bce9fd6aaddc94987d65184ee8db88eb542dce2368bfb6ffbc82120cb5bd0b80bd502671fb4fc847

Download Submit
C:\Windows\System32\jURKVnH.exe

Filesize
1.4MB

MD5
d23eeba89dcee8a3cea9b3b73cb776ae

SHA1
e05f58e03d25e21add52099bf1ff39f5bb1d4be4

SHA256
7d5a932f2bb113b114fbae3aca1104804131001531e0eea4942697c1f4293896

SHA512
ca82aec6baac8d690179f7d3e2d4c6b81f45bd3448826037158d165813d635ce4270af16bd7d12139fb00d2424b1a558cddb074d2fb4c6c567a59f71a9f5655a

Download Submit
C:\Windows\System32\pAHmwEE.exe

Filesize
1.4MB

MD5
0b1e26027594a4a8ac082dcf33004a0b

SHA1
cc9ea8b07f3b08e121c21d55635c3dc51801d2df

SHA256
070c449c4cb2837cb945285d51375030ac3ea5b482ec044023eca98ed8e6cce8

SHA512
775c93f106df5afa0007f5b08fdff84749712c7e12f9fe547a6b395f9fb8ae01d58df94d8353e923c733c85046917cd9c3e1462d563473198e4270a0f5f96c6b

Download Submit
C:\Windows\System32\pRThMnB.exe

Filesize
1.4MB

MD5
56bf186e1acca06723f21b81abb76bc0

SHA1
1fc4492f1d2f8a2d2dd6aba395aa8664c75c2bf0

SHA256
9bd0980f724400eb7b70000ce38af06dfc5b3f2aca69fbaa6815589f217a2892

SHA512
0c843cc07335f71fc587f36fdbbfd30c911ae1e16c6c7b66e72bac9aded92b6ec3ac067a50bbdc1a59b426797a6626814d3b44357271a7f6220fef621bfa81b5

Download Submit
C:\Windows\System32\pkRXEPQ.exe

Filesize
1.4MB

MD5
951213207b2b9e82ab34293cfba7e52a

SHA1
f10eba94986dda840888244ca34bc42fa65f46ad

SHA256
13097b67a6c3a60a47e1ee3ddd89e919acbe6e3a042d8d38efa720e46f5ac16e

SHA512
525ac1c564459fa43b5cbc90d7322053ccfc6a4a4727237a0f8ca7a82f773fefc47b488934a900cee8e9fdba14087a034bf72145ee67a73679c19ef038aae7ef

Download Submit
C:\Windows\System32\rGNBsAz.exe

Filesize
1.4MB

MD5
ffb38cff36b5a60ec5184ed62b71591a

SHA1
e15cf08b380137c92a87526be5eaa58dbdc7f4f8

SHA256
33f2d74dd8ec361b0c8c811d2d04187fe899f98f9418dd519008340f1fee496f

SHA512
061c7152970ad2e54a613c6d4d6739c3575b8f87dee174ac34e7e35ca1758ed39be7aa7ddcbbcb7a558838f8faf9316662b280ecceb0b7937d9fd0d5c4c2816f

Download Submit
C:\Windows\System32\vfQApFI.exe

Filesize
1.4MB

MD5
02e124af23930afba15509655f3f557e

SHA1
158e8518b0231be4ab4d10bd24165b74a79ba40f

SHA256
90ac588559a2d467334532bb57e03fd2e8f0f2079a6b4cba916ee09ab67fc36c

SHA512
4b6b9a80fb3262cdf9e2d510b5790582a72d5b632bb0f7cd4a921aacd3dbc58679099256780c6cc005139679ed79079902d7aa734b52c0bbcb9341383b0c72c9

Download Submit
C:\Windows\System32\viGbXsk.exe

Filesize
1.4MB

MD5
f20aba9f25e010117d9f3cd87c97eadd

SHA1
4fed626344194125fa93781317643aa11e89760c

SHA256
9172dd049ebe3516807c2a95166400a0c271f3593b114c6f57ead6af5c1628a6

SHA512
2c38aa603f774a6b2deef0adfdd7f3c365873dc3979db746773c3623c56f4dc0f07a07a2902288c5dd2a229590a264711586aada9c815fd96e34a0268c59b682

Download Submit
C:\Windows\System32\wFNfavu.exe

Filesize
1.4MB

MD5
c0580b430705cedae2cfbc727b971db9

SHA1
5beebf2d8649462c45a467ac1c88a0d15a29b06e

SHA256
12a0f45f7f12673b628487c565b03510a63bf94984e57be163290d5351c9c076

SHA512
807f729f962dd862fc86fe3c440fdf80b11be50683eb7fb2336f1f72d1828d63c9183d7b74f0f22230839eb84275649c427e5f77dbaa47f52af612b02e789edd

Download Submit
C:\Windows\System32\wZyYjXA.exe

Filesize
1.4MB

MD5
7d340ef79cfa3d281f507676e0e2d54b

SHA1
abdc1acdbd94e7efcab15d059ef919885fe4107a

SHA256
599955aef8c40f94519b677c3361eba537cac27e9806efd9c0018699d13304bc

SHA512
c20f211345d895751c206c84af9ed0f23f0eb93ac5bd208c5a6d2bc21497070cb0595181ecf32efb19a15e8bbaa2f7a86c928d7c1295de8635af4d558cde9313

Download Submit
C:\Windows\System32\yHjRXME.exe

Filesize
1.4MB

MD5
ebb5fe4d13607baa10624d7e99cafd16

SHA1
661076867216cdf47c080c5d9bcb64065dc41b81

SHA256
93ea2a52690cbfe844f82f87060e6a841a2771cf4cb209b4e69470dd966801fd

SHA512
cb85b542db7f91177640ab9b024914c355757de5a0eb30dedd9fd6ab8d32c91c3377cbf160e0c470f04281eb897f06ddebc6635c8b614848545ad39ef2792c3d

Download Submit
memory/64-2070-0x00007FF7BCEF0000-0x00007FF7BD2E1000-memory.dmp

Filesize
3.9MB

Download
memory/64-419-0x00007FF7BCEF0000-0x00007FF7BD2E1000-memory.dmp

Filesize
3.9MB

Download
memory/1728-422-0x00007FF752FA0000-0x00007FF753391000-memory.dmp

Filesize
3.9MB

Download
memory/1728-2074-0x00007FF752FA0000-0x00007FF753391000-memory.dmp

Filesize
3.9MB

Download
memory/1736-2072-0x00007FF6FE640000-0x00007FF6FEA31000-memory.dmp

Filesize
3.9MB

Download
memory/1736-420-0x00007FF6FE640000-0x00007FF6FEA31000-memory.dmp

Filesize
3.9MB

Download
memory/2112-2056-0x00007FF706F10000-0x00007FF707301000-memory.dmp

Filesize
3.9MB

Download
memory/2112-376-0x00007FF706F10000-0x00007FF707301000-memory.dmp

Filesize
3.9MB

Download
memory/2208-2036-0x00007FF6D5AD0000-0x00007FF6D5EC1000-memory.dmp

Filesize
3.9MB

Download
memory/2208-424-0x00007FF6D5AD0000-0x00007FF6D5EC1000-memory.dmp

Filesize
3.9MB

Download
memory/2420-0-0x00007FF715F40000-0x00007FF716331000-memory.dmp

Filesize
3.9MB

Download
memory/2420-1-0x00000226C3C60000-0x00000226C3C70000-memory.dmp

Filesize
64KB

Download
memory/2776-2066-0x00007FF782B30000-0x00007FF782F21000-memory.dmp

Filesize
3.9MB

Download
memory/2776-417-0x00007FF782B30000-0x00007FF782F21000-memory.dmp

Filesize
3.9MB

Download
memory/2792-24-0x00007FF75C2F0000-0x00007FF75C6E1000-memory.dmp

Filesize
3.9MB

Download
memory/2792-2030-0x00007FF75C2F0000-0x00007FF75C6E1000-memory.dmp

Filesize
3.9MB

Download
memory/2836-2034-0x00007FF65D020000-0x00007FF65D411000-memory.dmp

Filesize
3.9MB

Download
memory/2836-44-0x00007FF65D020000-0x00007FF65D411000-memory.dmp

Filesize
3.9MB

Download
memory/3032-421-0x00007FF627230000-0x00007FF627621000-memory.dmp

Filesize
3.9MB

Download
memory/3032-2068-0x00007FF627230000-0x00007FF627621000-memory.dmp

Filesize
3.9MB

Download
memory/3152-46-0x00007FF632830000-0x00007FF632C21000-memory.dmp

Filesize
3.9MB

Download
memory/3152-2040-0x00007FF632830000-0x00007FF632C21000-memory.dmp

Filesize
3.9MB

Download
memory/3312-392-0x00007FF6BF190000-0x00007FF6BF581000-memory.dmp

Filesize
3.9MB

Download
memory/3312-2042-0x00007FF6BF190000-0x00007FF6BF581000-memory.dmp

Filesize
3.9MB

Download
memory/3540-2050-0x00007FF69C2C0000-0x00007FF69C6B1000-memory.dmp

Filesize
3.9MB

Download
memory/3540-381-0x00007FF69C2C0000-0x00007FF69C6B1000-memory.dmp

Filesize
3.9MB

Download
memory/3604-2060-0x00007FF6A15B0000-0x00007FF6A19A1000-memory.dmp

Filesize
3.9MB

Download
memory/3604-412-0x00007FF6A15B0000-0x00007FF6A19A1000-memory.dmp

Filesize
3.9MB

Download
memory/3712-2062-0x00007FF787750000-0x00007FF787B41000-memory.dmp

Filesize
3.9MB

Download
memory/3712-418-0x00007FF787750000-0x00007FF787B41000-memory.dmp

Filesize
3.9MB

Download
memory/3764-384-0x00007FF7DE0B0000-0x00007FF7DE4A1000-memory.dmp

Filesize
3.9MB

Download
memory/3764-2052-0x00007FF7DE0B0000-0x00007FF7DE4A1000-memory.dmp

Filesize
3.9MB

Download
memory/3876-2055-0x00007FF7D9810000-0x00007FF7D9C01000-memory.dmp

Filesize
3.9MB

Download
memory/3876-425-0x00007FF7D9810000-0x00007FF7D9C01000-memory.dmp

Filesize
3.9MB

Download
memory/3892-409-0x00007FF75C590000-0x00007FF75C981000-memory.dmp

Filesize
3.9MB

Download
memory/3892-2044-0x00007FF75C590000-0x00007FF75C981000-memory.dmp

Filesize
3.9MB

Download
memory/4376-2046-0x00007FF6DFDA0000-0x00007FF6E0191000-memory.dmp

Filesize
3.9MB

Download
memory/4376-400-0x00007FF6DFDA0000-0x00007FF6E0191000-memory.dmp

Filesize
3.9MB

Download
memory/4460-423-0x00007FF750680000-0x00007FF750A71000-memory.dmp

Filesize
3.9MB

Download
memory/4460-2032-0x00007FF750680000-0x00007FF750A71000-memory.dmp

Filesize
3.9MB

Download
memory/4496-2064-0x00007FF68E810000-0x00007FF68EC01000-memory.dmp

Filesize
3.9MB

Download
memory/4496-416-0x00007FF68E810000-0x00007FF68EC01000-memory.dmp

Filesize
3.9MB

Download
memory/4816-383-0x00007FF7D7130000-0x00007FF7D7521000-memory.dmp

Filesize
3.9MB

Download
memory/4816-2048-0x00007FF7D7130000-0x00007FF7D7521000-memory.dmp

Filesize
3.9MB

Download
memory/4852-2058-0x00007FF6E13C0000-0x00007FF6E17B1000-memory.dmp

Filesize
3.9MB

Download
memory/4852-415-0x00007FF6E13C0000-0x00007FF6E17B1000-memory.dmp

Filesize
3.9MB

Download
memory/5040-43-0x00007FF6E9940000-0x00007FF6E9D31000-memory.dmp

Filesize
3.9MB

Download
memory/5040-2038-0x00007FF6E9940000-0x00007FF6E9D31000-memory.dmp

Filesize
3.9MB

Download
memory/5096-21-0x00007FF728F00000-0x00007FF7292F1000-memory.dmp

Filesize
3.9MB

Download
memory/5096-2028-0x00007FF728F00000-0x00007FF7292F1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads