xmrig | 32ab6f603583b589ddfe77fba1c276c7a56a802b548e3f5a71973d6b05dfa5b5

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d0867d0e9a04356871b03f1cf30a560N.exe
Size

1.8MB
MD5

2d0867d0e9a04356871b03f1cf30a560
SHA1

66a4df6f43f60350b5567141527bf6bba9f60c01
SHA256

32ab6f603583b589ddfe77fba1c276c7a56a802b548e3f5a71973d6b05dfa5b5
SHA512

09a055d9b46ec983653d08af9c4f054548354c4721621fe85b34030627e5c51b85cdf24fc0146e5e3a5090a26009d57692c494f2296f3d3d37bdc8f115f94970
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI153gII/3OSJfAIDmYGBKNVN:knw9oUUEEDl37jcq4nPeyNIIKYt

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/4396-397-0x00007FF725F20000-0x00007FF726311000-memory.dmp	xmrig
behavioral2/memory/936-398-0x00007FF6F8A90000-0x00007FF6F8E81000-memory.dmp	xmrig
behavioral2/memory/4112-400-0x00007FF7C1470000-0x00007FF7C1861000-memory.dmp	xmrig
behavioral2/memory/3332-401-0x00007FF6CADA0000-0x00007FF6CB191000-memory.dmp	xmrig
behavioral2/memory/756-402-0x00007FF664310000-0x00007FF664701000-memory.dmp	xmrig
behavioral2/memory/2144-403-0x00007FF7ACAB0000-0x00007FF7ACEA1000-memory.dmp	xmrig
behavioral2/memory/4560-404-0x00007FF793170000-0x00007FF793561000-memory.dmp	xmrig
behavioral2/memory/4844-405-0x00007FF64A440000-0x00007FF64A831000-memory.dmp	xmrig
behavioral2/memory/968-407-0x00007FF688360000-0x00007FF688751000-memory.dmp	xmrig
behavioral2/memory/1104-408-0x00007FF79D360000-0x00007FF79D751000-memory.dmp	xmrig
behavioral2/memory/5032-438-0x00007FF7DAA00000-0x00007FF7DADF1000-memory.dmp	xmrig
behavioral2/memory/4504-420-0x00007FF7B4380000-0x00007FF7B4771000-memory.dmp	xmrig
behavioral2/memory/4548-416-0x00007FF671550000-0x00007FF671941000-memory.dmp	xmrig
behavioral2/memory/228-409-0x00007FF6DACE0000-0x00007FF6DB0D1000-memory.dmp	xmrig
behavioral2/memory/4568-406-0x00007FF7D1640000-0x00007FF7D1A31000-memory.dmp	xmrig
behavioral2/memory/4916-399-0x00007FF60EF60000-0x00007FF60F351000-memory.dmp	xmrig
behavioral2/memory/3288-396-0x00007FF700680000-0x00007FF700A71000-memory.dmp	xmrig
behavioral2/memory/2124-395-0x00007FF68B460000-0x00007FF68B851000-memory.dmp	xmrig
behavioral2/memory/3348-39-0x00007FF7AC430000-0x00007FF7AC821000-memory.dmp	xmrig
behavioral2/memory/2148-33-0x00007FF60A850000-0x00007FF60AC41000-memory.dmp	xmrig
behavioral2/memory/1520-1986-0x00007FF60F430000-0x00007FF60F821000-memory.dmp	xmrig
behavioral2/memory/3864-2002-0x00007FF75C2D0000-0x00007FF75C6C1000-memory.dmp	xmrig
behavioral2/memory/3052-2003-0x00007FF7FBB90000-0x00007FF7FBF81000-memory.dmp	xmrig
behavioral2/memory/3048-2004-0x00007FF764A60000-0x00007FF764E51000-memory.dmp	xmrig
behavioral2/memory/3348-2005-0x00007FF7AC430000-0x00007FF7AC821000-memory.dmp	xmrig
behavioral2/memory/2148-2038-0x00007FF60A850000-0x00007FF60AC41000-memory.dmp	xmrig
behavioral2/memory/3052-2036-0x00007FF7FBB90000-0x00007FF7FBF81000-memory.dmp	xmrig
behavioral2/memory/3864-2034-0x00007FF75C2D0000-0x00007FF75C6C1000-memory.dmp	xmrig
behavioral2/memory/1520-2032-0x00007FF60F430000-0x00007FF60F821000-memory.dmp	xmrig
behavioral2/memory/3048-2040-0x00007FF764A60000-0x00007FF764E51000-memory.dmp	xmrig
behavioral2/memory/3288-2048-0x00007FF700680000-0x00007FF700A71000-memory.dmp	xmrig
behavioral2/memory/4396-2054-0x00007FF725F20000-0x00007FF726311000-memory.dmp	xmrig
behavioral2/memory/936-2050-0x00007FF6F8A90000-0x00007FF6F8E81000-memory.dmp	xmrig
behavioral2/memory/4916-2044-0x00007FF60EF60000-0x00007FF60F351000-memory.dmp	xmrig
behavioral2/memory/3348-2042-0x00007FF7AC430000-0x00007FF7AC821000-memory.dmp	xmrig
behavioral2/memory/4112-2052-0x00007FF7C1470000-0x00007FF7C1861000-memory.dmp	xmrig
behavioral2/memory/2124-2046-0x00007FF68B460000-0x00007FF68B851000-memory.dmp	xmrig
behavioral2/memory/968-2080-0x00007FF688360000-0x00007FF688751000-memory.dmp	xmrig
behavioral2/memory/5032-2078-0x00007FF7DAA00000-0x00007FF7DADF1000-memory.dmp	xmrig
behavioral2/memory/4548-2068-0x00007FF671550000-0x00007FF671941000-memory.dmp	xmrig
behavioral2/memory/4560-2066-0x00007FF793170000-0x00007FF793561000-memory.dmp	xmrig
behavioral2/memory/228-2087-0x00007FF6DACE0000-0x00007FF6DB0D1000-memory.dmp	xmrig
behavioral2/memory/1104-2085-0x00007FF79D360000-0x00007FF79D751000-memory.dmp	xmrig
behavioral2/memory/2144-2064-0x00007FF7ACAB0000-0x00007FF7ACEA1000-memory.dmp	xmrig
behavioral2/memory/4504-2083-0x00007FF7B4380000-0x00007FF7B4771000-memory.dmp	xmrig
behavioral2/memory/3332-2062-0x00007FF6CADA0000-0x00007FF6CB191000-memory.dmp	xmrig
behavioral2/memory/756-2059-0x00007FF664310000-0x00007FF664701000-memory.dmp	xmrig
behavioral2/memory/4568-2058-0x00007FF7D1640000-0x00007FF7D1A31000-memory.dmp	xmrig
behavioral2/memory/4844-2061-0x00007FF64A440000-0x00007FF64A831000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1520	ycUrXDk.exe
3864	UYChFYI.exe
3052	SshUhYy.exe
2148	swpyMsL.exe
3048	OmjGTBW.exe
3348	ODTzEkm.exe
2124	vhRjehC.exe
3288	qIwGSiF.exe
4396	toOeCjG.exe
936	UEXCJCw.exe
4916	UJDjvHz.exe
4112	SIyZLrq.exe
3332	QiTyTlF.exe
756	WWmoKoJ.exe
2144	HebOWXn.exe
4560	JPgRhmU.exe
4844	OjCOlYQ.exe
4568	uUGfOUD.exe
968	xDoUoIy.exe
1104	rFaGnaR.exe
228	yOiJapw.exe
4548	ApoJGaz.exe
4504	TuUszpU.exe
5032	ZsSiwSN.exe
1488	dYWEpoo.exe
2484	QAUieZG.exe
1712	cVIxhjC.exe
436	LfsJkaX.exe
840	SaNtFbi.exe
4552	cNWMztv.exe
3080	kymiBNO.exe
3096	GJymWRP.exe
2388	SwCSWLY.exe
4736	ChVNxWG.exe
4404	prVdTLt.exe
4056	ZMfEmYS.exe
3220	UtiDgyw.exe
548	hQAjuEc.exe
4528	TLmYiYE.exe
3612	XpWOyYE.exe
2444	gcQUqtL.exe
3588	gfDINIt.exe
4144	daeZeME.exe
3196	PqLqoZg.exe
4636	scfZDtY.exe
2912	PQCxqbH.exe
1740	ENagyiQ.exe
4920	HUXPCTy.exe
4896	XKDFdGw.exe
3120	sDdrbSG.exe
5068	NVIXDcz.exe
808	HJbwmoY.exe
3640	hfIrrAr.exe
4684	ItfkpgZ.exe
3740	pdUjIQT.exe
2892	zjduYrm.exe
208	DklzlIs.exe
2452	jwShVnX.exe
4344	hVqsiQb.exe
4060	xMeycCX.exe
2348	oBtUlTr.exe
4864	UxubgEO.exe
2492	KgscmpH.exe
4624	MFUqTDL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3252-0-0x00007FF625560000-0x00007FF625951000-memory.dmp	upx
behavioral2/files/0x00080000000234a1-6.dat	upx
behavioral2/memory/1520-7-0x00007FF60F430000-0x00007FF60F821000-memory.dmp	upx
behavioral2/files/0x00070000000234a6-10.dat	upx
behavioral2/files/0x00070000000234a5-12.dat	upx
behavioral2/memory/3864-15-0x00007FF75C2D0000-0x00007FF75C6C1000-memory.dmp	upx
behavioral2/files/0x00070000000234a8-29.dat	upx
behavioral2/files/0x00070000000234a9-32.dat	upx
behavioral2/files/0x00070000000234aa-42.dat	upx
behavioral2/files/0x00070000000234ab-45.dat	upx
behavioral2/files/0x00070000000234ac-49.dat	upx
behavioral2/files/0x00070000000234ad-54.dat	upx
behavioral2/files/0x00070000000234ae-59.dat	upx
behavioral2/files/0x00070000000234af-70.dat	upx
behavioral2/files/0x00070000000234b1-80.dat	upx
behavioral2/files/0x00070000000234b5-93.dat	upx
behavioral2/files/0x00070000000234bd-133.dat	upx
behavioral2/memory/4396-397-0x00007FF725F20000-0x00007FF726311000-memory.dmp	upx
behavioral2/memory/936-398-0x00007FF6F8A90000-0x00007FF6F8E81000-memory.dmp	upx
behavioral2/memory/4112-400-0x00007FF7C1470000-0x00007FF7C1861000-memory.dmp	upx
behavioral2/memory/3332-401-0x00007FF6CADA0000-0x00007FF6CB191000-memory.dmp	upx
behavioral2/memory/756-402-0x00007FF664310000-0x00007FF664701000-memory.dmp	upx
behavioral2/memory/2144-403-0x00007FF7ACAB0000-0x00007FF7ACEA1000-memory.dmp	upx
behavioral2/memory/4560-404-0x00007FF793170000-0x00007FF793561000-memory.dmp	upx
behavioral2/memory/4844-405-0x00007FF64A440000-0x00007FF64A831000-memory.dmp	upx
behavioral2/memory/968-407-0x00007FF688360000-0x00007FF688751000-memory.dmp	upx
behavioral2/memory/1104-408-0x00007FF79D360000-0x00007FF79D751000-memory.dmp	upx
behavioral2/memory/5032-438-0x00007FF7DAA00000-0x00007FF7DADF1000-memory.dmp	upx
behavioral2/memory/4504-420-0x00007FF7B4380000-0x00007FF7B4771000-memory.dmp	upx
behavioral2/memory/4548-416-0x00007FF671550000-0x00007FF671941000-memory.dmp	upx
behavioral2/memory/228-409-0x00007FF6DACE0000-0x00007FF6DB0D1000-memory.dmp	upx
behavioral2/memory/4568-406-0x00007FF7D1640000-0x00007FF7D1A31000-memory.dmp	upx
behavioral2/memory/4916-399-0x00007FF60EF60000-0x00007FF60F351000-memory.dmp	upx
behavioral2/memory/3288-396-0x00007FF700680000-0x00007FF700A71000-memory.dmp	upx
behavioral2/memory/2124-395-0x00007FF68B460000-0x00007FF68B851000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-168.dat	upx
behavioral2/files/0x00070000000234c2-165.dat	upx
behavioral2/files/0x00070000000234c3-163.dat	upx
behavioral2/files/0x00070000000234c1-160.dat	upx
behavioral2/files/0x00070000000234c0-155.dat	upx
behavioral2/files/0x00070000000234bf-150.dat	upx
behavioral2/files/0x00070000000234be-145.dat	upx
behavioral2/files/0x00070000000234bc-135.dat	upx
behavioral2/files/0x00070000000234bb-130.dat	upx
behavioral2/files/0x00070000000234ba-123.dat	upx
behavioral2/files/0x00070000000234b9-117.dat	upx
behavioral2/files/0x00070000000234b8-115.dat	upx
behavioral2/files/0x00070000000234b7-110.dat	upx
behavioral2/files/0x00070000000234b6-105.dat	upx
behavioral2/files/0x00070000000234b4-95.dat	upx
behavioral2/files/0x00070000000234b3-90.dat	upx
behavioral2/files/0x00070000000234b2-85.dat	upx
behavioral2/files/0x00070000000234b0-75.dat	upx
behavioral2/memory/3348-39-0x00007FF7AC430000-0x00007FF7AC821000-memory.dmp	upx
behavioral2/memory/3048-34-0x00007FF764A60000-0x00007FF764E51000-memory.dmp	upx
behavioral2/memory/2148-33-0x00007FF60A850000-0x00007FF60AC41000-memory.dmp	upx
behavioral2/files/0x00070000000234a7-24.dat	upx
behavioral2/memory/3052-21-0x00007FF7FBB90000-0x00007FF7FBF81000-memory.dmp	upx
behavioral2/memory/1520-1986-0x00007FF60F430000-0x00007FF60F821000-memory.dmp	upx
behavioral2/memory/3864-2002-0x00007FF75C2D0000-0x00007FF75C6C1000-memory.dmp	upx
behavioral2/memory/3052-2003-0x00007FF7FBB90000-0x00007FF7FBF81000-memory.dmp	upx
behavioral2/memory/3048-2004-0x00007FF764A60000-0x00007FF764E51000-memory.dmp	upx
behavioral2/memory/3348-2005-0x00007FF7AC430000-0x00007FF7AC821000-memory.dmp	upx
behavioral2/memory/2148-2038-0x00007FF60A850000-0x00007FF60AC41000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\pflJWHu.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\KTMqMEb.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\Twdejvf.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\jnvzdsG.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\xmwFTaw.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\VdkSywM.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\FsNSZkX.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\LPCJWpB.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\WDyOjmS.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\VwDEbbc.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\ZMfEmYS.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\PqLqoZg.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\ASNBgNX.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\BkWRmTX.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\cuTxPvl.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\LbnXcTA.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\YwVmuvs.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\cVKPsSF.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\EnZwiYb.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\QrvarnV.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\qclLfdO.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\lyZPIuU.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\yzpCQsw.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\roTZChk.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\msdQdIt.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\uUGfOUD.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\QuQsrQP.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\nleouGl.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\BwmuFsx.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\hsVGdMh.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\OwjmmUU.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\XpWOyYE.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\VWJbbGI.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\yjTJVhH.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\EYrUsiT.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\eacoggX.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\fcHDxnp.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\lFFVSmo.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\glyFnUz.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\JerRNIM.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\DVkLFkX.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\IGffvTb.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\UQBAcHl.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\WznHZxZ.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\ulVtvtG.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\tUZvnIN.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\ENagyiQ.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\ZlncyKU.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\zzeqpaF.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\mFDoXym.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\SsNByXw.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\qMFNnTF.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\oWOilDm.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\FHQwUFN.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\GDCgJyz.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\ZyTNtwF.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\XNvbwuU.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\EaCDHkb.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\cWRLtsE.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\KzIHiLf.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\HNjDJEk.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\xUacCWk.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\WfghEWN.exe	2d0867d0e9a04356871b03f1cf30a560N.exe
File created	C:\Windows\System32\EQqWcJz.exe	2d0867d0e9a04356871b03f1cf30a560N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12848	dwm.exe
Token: SeChangeNotifyPrivilege	12848	dwm.exe
Token: 33	12848	dwm.exe
Token: SeIncBasePriorityPrivilege	12848	dwm.exe
Token: SeShutdownPrivilege	12848	dwm.exe
Token: SeCreatePagefilePrivilege	12848	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 1520	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	85
PID 3252 wrote to memory of 1520	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	85
PID 3252 wrote to memory of 3864	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	86
PID 3252 wrote to memory of 3864	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	86
PID 3252 wrote to memory of 3052	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	87
PID 3252 wrote to memory of 3052	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	87
PID 3252 wrote to memory of 2148	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	88
PID 3252 wrote to memory of 2148	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	88
PID 3252 wrote to memory of 3048	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	89
PID 3252 wrote to memory of 3048	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	89
PID 3252 wrote to memory of 3348	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	90
PID 3252 wrote to memory of 3348	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	90
PID 3252 wrote to memory of 2124	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	91
PID 3252 wrote to memory of 2124	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	91
PID 3252 wrote to memory of 3288	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	92
PID 3252 wrote to memory of 3288	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	92
PID 3252 wrote to memory of 4396	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	93
PID 3252 wrote to memory of 4396	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	93
PID 3252 wrote to memory of 936	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	94
PID 3252 wrote to memory of 936	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	94
PID 3252 wrote to memory of 4916	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	95
PID 3252 wrote to memory of 4916	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	95
PID 3252 wrote to memory of 4112	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	96
PID 3252 wrote to memory of 4112	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	96
PID 3252 wrote to memory of 3332	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	97
PID 3252 wrote to memory of 3332	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	97
PID 3252 wrote to memory of 756	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	98
PID 3252 wrote to memory of 756	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	98
PID 3252 wrote to memory of 2144	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	99
PID 3252 wrote to memory of 2144	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	99
PID 3252 wrote to memory of 4560	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	100
PID 3252 wrote to memory of 4560	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	100
PID 3252 wrote to memory of 4844	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	101
PID 3252 wrote to memory of 4844	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	101
PID 3252 wrote to memory of 4568	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	102
PID 3252 wrote to memory of 4568	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	102
PID 3252 wrote to memory of 968	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	103
PID 3252 wrote to memory of 968	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	103
PID 3252 wrote to memory of 1104	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	104
PID 3252 wrote to memory of 1104	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	104
PID 3252 wrote to memory of 228	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	105
PID 3252 wrote to memory of 228	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	105
PID 3252 wrote to memory of 4548	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	106
PID 3252 wrote to memory of 4548	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	106
PID 3252 wrote to memory of 4504	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	107
PID 3252 wrote to memory of 4504	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	107
PID 3252 wrote to memory of 5032	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	108
PID 3252 wrote to memory of 5032	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	108
PID 3252 wrote to memory of 1488	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	109
PID 3252 wrote to memory of 1488	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	109
PID 3252 wrote to memory of 2484	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	110
PID 3252 wrote to memory of 2484	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	110
PID 3252 wrote to memory of 1712	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	111
PID 3252 wrote to memory of 1712	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	111
PID 3252 wrote to memory of 436	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	112
PID 3252 wrote to memory of 436	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	112
PID 3252 wrote to memory of 840	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	113
PID 3252 wrote to memory of 840	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	113
PID 3252 wrote to memory of 4552	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	114
PID 3252 wrote to memory of 4552	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	114
PID 3252 wrote to memory of 3080	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	115
PID 3252 wrote to memory of 3080	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	115
PID 3252 wrote to memory of 3096	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	116
PID 3252 wrote to memory of 3096	3252	2d0867d0e9a04356871b03f1cf30a560N.exe	116

C:\Users\Admin\AppData\Local\Temp\2d0867d0e9a04356871b03f1cf30a560N.exe
"C:\Users\Admin\AppData\Local\Temp\2d0867d0e9a04356871b03f1cf30a560N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\System32\ycUrXDk.exe
  C:\Windows\System32\ycUrXDk.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System32\UYChFYI.exe
  C:\Windows\System32\UYChFYI.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\SshUhYy.exe
  C:\Windows\System32\SshUhYy.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\swpyMsL.exe
  C:\Windows\System32\swpyMsL.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System32\OmjGTBW.exe
  C:\Windows\System32\OmjGTBW.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System32\ODTzEkm.exe
  C:\Windows\System32\ODTzEkm.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System32\vhRjehC.exe
  C:\Windows\System32\vhRjehC.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System32\qIwGSiF.exe
  C:\Windows\System32\qIwGSiF.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System32\toOeCjG.exe
  C:\Windows\System32\toOeCjG.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\UEXCJCw.exe
  C:\Windows\System32\UEXCJCw.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System32\UJDjvHz.exe
  C:\Windows\System32\UJDjvHz.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\SIyZLrq.exe
  C:\Windows\System32\SIyZLrq.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System32\QiTyTlF.exe
  C:\Windows\System32\QiTyTlF.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System32\WWmoKoJ.exe
  C:\Windows\System32\WWmoKoJ.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\HebOWXn.exe
  C:\Windows\System32\HebOWXn.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System32\JPgRhmU.exe
  C:\Windows\System32\JPgRhmU.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\OjCOlYQ.exe
  C:\Windows\System32\OjCOlYQ.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System32\uUGfOUD.exe
  C:\Windows\System32\uUGfOUD.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\xDoUoIy.exe
  C:\Windows\System32\xDoUoIy.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System32\rFaGnaR.exe
  C:\Windows\System32\rFaGnaR.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System32\yOiJapw.exe
  C:\Windows\System32\yOiJapw.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\ApoJGaz.exe
  C:\Windows\System32\ApoJGaz.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\TuUszpU.exe
  C:\Windows\System32\TuUszpU.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System32\ZsSiwSN.exe
  C:\Windows\System32\ZsSiwSN.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\dYWEpoo.exe
  C:\Windows\System32\dYWEpoo.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System32\QAUieZG.exe
  C:\Windows\System32\QAUieZG.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\cVIxhjC.exe
  C:\Windows\System32\cVIxhjC.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System32\LfsJkaX.exe
  C:\Windows\System32\LfsJkaX.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\SaNtFbi.exe
  C:\Windows\System32\SaNtFbi.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System32\cNWMztv.exe
  C:\Windows\System32\cNWMztv.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\kymiBNO.exe
  C:\Windows\System32\kymiBNO.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\GJymWRP.exe
  C:\Windows\System32\GJymWRP.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System32\SwCSWLY.exe
  C:\Windows\System32\SwCSWLY.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System32\ChVNxWG.exe
  C:\Windows\System32\ChVNxWG.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System32\prVdTLt.exe
  C:\Windows\System32\prVdTLt.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\ZMfEmYS.exe
  C:\Windows\System32\ZMfEmYS.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\UtiDgyw.exe
  C:\Windows\System32\UtiDgyw.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\hQAjuEc.exe
  C:\Windows\System32\hQAjuEc.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\TLmYiYE.exe
  C:\Windows\System32\TLmYiYE.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\XpWOyYE.exe
  C:\Windows\System32\XpWOyYE.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System32\gcQUqtL.exe
  C:\Windows\System32\gcQUqtL.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System32\gfDINIt.exe
  C:\Windows\System32\gfDINIt.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System32\daeZeME.exe
  C:\Windows\System32\daeZeME.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\PqLqoZg.exe
  C:\Windows\System32\PqLqoZg.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\scfZDtY.exe
  C:\Windows\System32\scfZDtY.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System32\PQCxqbH.exe
  C:\Windows\System32\PQCxqbH.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\ENagyiQ.exe
  C:\Windows\System32\ENagyiQ.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System32\HUXPCTy.exe
  C:\Windows\System32\HUXPCTy.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\XKDFdGw.exe
  C:\Windows\System32\XKDFdGw.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System32\sDdrbSG.exe
  C:\Windows\System32\sDdrbSG.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System32\NVIXDcz.exe
  C:\Windows\System32\NVIXDcz.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\HJbwmoY.exe
  C:\Windows\System32\HJbwmoY.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System32\hfIrrAr.exe
  C:\Windows\System32\hfIrrAr.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System32\ItfkpgZ.exe
  C:\Windows\System32\ItfkpgZ.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\pdUjIQT.exe
  C:\Windows\System32\pdUjIQT.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\zjduYrm.exe
  C:\Windows\System32\zjduYrm.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\DklzlIs.exe
  C:\Windows\System32\DklzlIs.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System32\jwShVnX.exe
  C:\Windows\System32\jwShVnX.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System32\hVqsiQb.exe
  C:\Windows\System32\hVqsiQb.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\xMeycCX.exe
  C:\Windows\System32\xMeycCX.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\oBtUlTr.exe
  C:\Windows\System32\oBtUlTr.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System32\UxubgEO.exe
  C:\Windows\System32\UxubgEO.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\KgscmpH.exe
  C:\Windows\System32\KgscmpH.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System32\MFUqTDL.exe
  C:\Windows\System32\MFUqTDL.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System32\qHCSbQZ.exe
  C:\Windows\System32\qHCSbQZ.exe
  2⤵
  PID:1952
- C:\Windows\System32\GrNbDFX.exe
  C:\Windows\System32\GrNbDFX.exe
  2⤵
  PID:2500
- C:\Windows\System32\VWJbbGI.exe
  C:\Windows\System32\VWJbbGI.exe
  2⤵
  PID:3060
- C:\Windows\System32\DvfDKIJ.exe
  C:\Windows\System32\DvfDKIJ.exe
  2⤵
  PID:5036
- C:\Windows\System32\VCJwReB.exe
  C:\Windows\System32\VCJwReB.exe
  2⤵
  PID:1704
- C:\Windows\System32\wwnHzdG.exe
  C:\Windows\System32\wwnHzdG.exe
  2⤵
  PID:4884
- C:\Windows\System32\HWsUPKD.exe
  C:\Windows\System32\HWsUPKD.exe
  2⤵
  PID:1320
- C:\Windows\System32\hQftxIR.exe
  C:\Windows\System32\hQftxIR.exe
  2⤵
  PID:2328
- C:\Windows\System32\ndmcuPm.exe
  C:\Windows\System32\ndmcuPm.exe
  2⤵
  PID:1888
- C:\Windows\System32\QuQsrQP.exe
  C:\Windows\System32\QuQsrQP.exe
  2⤵
  PID:3564
- C:\Windows\System32\gDQEBcg.exe
  C:\Windows\System32\gDQEBcg.exe
  2⤵
  PID:1792
- C:\Windows\System32\HidOSjK.exe
  C:\Windows\System32\HidOSjK.exe
  2⤵
  PID:3712
- C:\Windows\System32\ASNBgNX.exe
  C:\Windows\System32\ASNBgNX.exe
  2⤵
  PID:4804
- C:\Windows\System32\KLtHRLP.exe
  C:\Windows\System32\KLtHRLP.exe
  2⤵
  PID:3484
- C:\Windows\System32\nleouGl.exe
  C:\Windows\System32\nleouGl.exe
  2⤵
  PID:4072
- C:\Windows\System32\oqLXGRO.exe
  C:\Windows\System32\oqLXGRO.exe
  2⤵
  PID:2340
- C:\Windows\System32\XiwjYCv.exe
  C:\Windows\System32\XiwjYCv.exe
  2⤵
  PID:1224
- C:\Windows\System32\QHiHONC.exe
  C:\Windows\System32\QHiHONC.exe
  2⤵
  PID:4484
- C:\Windows\System32\KjTwqOy.exe
  C:\Windows\System32\KjTwqOy.exe
  2⤵
  PID:4820
- C:\Windows\System32\lKVJiIC.exe
  C:\Windows\System32\lKVJiIC.exe
  2⤵
  PID:4860
- C:\Windows\System32\Exgklvr.exe
  C:\Windows\System32\Exgklvr.exe
  2⤵
  PID:4280
- C:\Windows\System32\oWOilDm.exe
  C:\Windows\System32\oWOilDm.exe
  2⤵
  PID:3944
- C:\Windows\System32\RgQXwMo.exe
  C:\Windows\System32\RgQXwMo.exe
  2⤵
  PID:3268
- C:\Windows\System32\sdkrJVH.exe
  C:\Windows\System32\sdkrJVH.exe
  2⤵
  PID:2408
- C:\Windows\System32\ZpKBTWP.exe
  C:\Windows\System32\ZpKBTWP.exe
  2⤵
  PID:760
- C:\Windows\System32\IYhnUhq.exe
  C:\Windows\System32\IYhnUhq.exe
  2⤵
  PID:3744
- C:\Windows\System32\lFFVSmo.exe
  C:\Windows\System32\lFFVSmo.exe
  2⤵
  PID:1976
- C:\Windows\System32\bOTNkEW.exe
  C:\Windows\System32\bOTNkEW.exe
  2⤵
  PID:5148
- C:\Windows\System32\GaFNVcd.exe
  C:\Windows\System32\GaFNVcd.exe
  2⤵
  PID:5176
- C:\Windows\System32\TXvpHGx.exe
  C:\Windows\System32\TXvpHGx.exe
  2⤵
  PID:5208
- C:\Windows\System32\hNouVMq.exe
  C:\Windows\System32\hNouVMq.exe
  2⤵
  PID:5232
- C:\Windows\System32\nnaGgEd.exe
  C:\Windows\System32\nnaGgEd.exe
  2⤵
  PID:5260
- C:\Windows\System32\yWxWGYX.exe
  C:\Windows\System32\yWxWGYX.exe
  2⤵
  PID:5284
- C:\Windows\System32\BkWRmTX.exe
  C:\Windows\System32\BkWRmTX.exe
  2⤵
  PID:5316
- C:\Windows\System32\VsGGnRS.exe
  C:\Windows\System32\VsGGnRS.exe
  2⤵
  PID:5344
- C:\Windows\System32\hxaWyrZ.exe
  C:\Windows\System32\hxaWyrZ.exe
  2⤵
  PID:5372
- C:\Windows\System32\EikRuap.exe
  C:\Windows\System32\EikRuap.exe
  2⤵
  PID:5404
- C:\Windows\System32\gccgSpC.exe
  C:\Windows\System32\gccgSpC.exe
  2⤵
  PID:5428
- C:\Windows\System32\FHoEmSJ.exe
  C:\Windows\System32\FHoEmSJ.exe
  2⤵
  PID:5460
- C:\Windows\System32\IBozvuI.exe
  C:\Windows\System32\IBozvuI.exe
  2⤵
  PID:5488
- C:\Windows\System32\ABTSeCP.exe
  C:\Windows\System32\ABTSeCP.exe
  2⤵
  PID:5516
- C:\Windows\System32\EektoYV.exe
  C:\Windows\System32\EektoYV.exe
  2⤵
  PID:5544
- C:\Windows\System32\NWvaQgG.exe
  C:\Windows\System32\NWvaQgG.exe
  2⤵
  PID:5572
- C:\Windows\System32\Twdejvf.exe
  C:\Windows\System32\Twdejvf.exe
  2⤵
  PID:5596
- C:\Windows\System32\OTQNuNF.exe
  C:\Windows\System32\OTQNuNF.exe
  2⤵
  PID:5676
- C:\Windows\System32\eOoHBbe.exe
  C:\Windows\System32\eOoHBbe.exe
  2⤵
  PID:5748
- C:\Windows\System32\gPKzkXY.exe
  C:\Windows\System32\gPKzkXY.exe
  2⤵
  PID:5768
- C:\Windows\System32\ZMKJUcm.exe
  C:\Windows\System32\ZMKJUcm.exe
  2⤵
  PID:5800
- C:\Windows\System32\BwmuFsx.exe
  C:\Windows\System32\BwmuFsx.exe
  2⤵
  PID:5824
- C:\Windows\System32\wqzhtLo.exe
  C:\Windows\System32\wqzhtLo.exe
  2⤵
  PID:5840
- C:\Windows\System32\vICETCi.exe
  C:\Windows\System32\vICETCi.exe
  2⤵
  PID:5860
- C:\Windows\System32\SNIJHJo.exe
  C:\Windows\System32\SNIJHJo.exe
  2⤵
  PID:5880
- C:\Windows\System32\TUGWqwX.exe
  C:\Windows\System32\TUGWqwX.exe
  2⤵
  PID:5896
- C:\Windows\System32\FlSfuZG.exe
  C:\Windows\System32\FlSfuZG.exe
  2⤵
  PID:5924
- C:\Windows\System32\yjTJVhH.exe
  C:\Windows\System32\yjTJVhH.exe
  2⤵
  PID:5944
- C:\Windows\System32\HXUEDXr.exe
  C:\Windows\System32\HXUEDXr.exe
  2⤵
  PID:5996
- C:\Windows\System32\WtdnKni.exe
  C:\Windows\System32\WtdnKni.exe
  2⤵
  PID:6028
- C:\Windows\System32\vpDJzxI.exe
  C:\Windows\System32\vpDJzxI.exe
  2⤵
  PID:6044
- C:\Windows\System32\FqXIIyq.exe
  C:\Windows\System32\FqXIIyq.exe
  2⤵
  PID:6068
- C:\Windows\System32\XzEdbFO.exe
  C:\Windows\System32\XzEdbFO.exe
  2⤵
  PID:6088
- C:\Windows\System32\pxAqfgY.exe
  C:\Windows\System32\pxAqfgY.exe
  2⤵
  PID:336
- C:\Windows\System32\pYNzUOM.exe
  C:\Windows\System32\pYNzUOM.exe
  2⤵
  PID:5168
- C:\Windows\System32\cuTxPvl.exe
  C:\Windows\System32\cuTxPvl.exe
  2⤵
  PID:5184
- C:\Windows\System32\hQVBeBK.exe
  C:\Windows\System32\hQVBeBK.exe
  2⤵
  PID:5240
- C:\Windows\System32\jnvzdsG.exe
  C:\Windows\System32\jnvzdsG.exe
  2⤵
  PID:5280
- C:\Windows\System32\TAjcGaT.exe
  C:\Windows\System32\TAjcGaT.exe
  2⤵
  PID:5336
- C:\Windows\System32\ICpPFFv.exe
  C:\Windows\System32\ICpPFFv.exe
  2⤵
  PID:5364
- C:\Windows\System32\UrbtguC.exe
  C:\Windows\System32\UrbtguC.exe
  2⤵
  PID:1516
- C:\Windows\System32\EQqWcJz.exe
  C:\Windows\System32\EQqWcJz.exe
  2⤵
  PID:844
- C:\Windows\System32\IqwZJAD.exe
  C:\Windows\System32\IqwZJAD.exe
  2⤵
  PID:5496
- C:\Windows\System32\XXijOWk.exe
  C:\Windows\System32\XXijOWk.exe
  2⤵
  PID:5552
- C:\Windows\System32\LbnXcTA.exe
  C:\Windows\System32\LbnXcTA.exe
  2⤵
  PID:5604
- C:\Windows\System32\LFIcmOW.exe
  C:\Windows\System32\LFIcmOW.exe
  2⤵
  PID:5580
- C:\Windows\System32\jjeRXKw.exe
  C:\Windows\System32\jjeRXKw.exe
  2⤵
  PID:4052
- C:\Windows\System32\nYiEMmj.exe
  C:\Windows\System32\nYiEMmj.exe
  2⤵
  PID:1012
- C:\Windows\System32\iwOelFF.exe
  C:\Windows\System32\iwOelFF.exe
  2⤵
  PID:3540
- C:\Windows\System32\uEgTmtf.exe
  C:\Windows\System32\uEgTmtf.exe
  2⤵
  PID:2060
- C:\Windows\System32\rJfTwcC.exe
  C:\Windows\System32\rJfTwcC.exe
  2⤵
  PID:5764
- C:\Windows\System32\kRWVujm.exe
  C:\Windows\System32\kRWVujm.exe
  2⤵
  PID:5796
- C:\Windows\System32\xTftgFu.exe
  C:\Windows\System32\xTftgFu.exe
  2⤵
  PID:5920
- C:\Windows\System32\pflJWHu.exe
  C:\Windows\System32\pflJWHu.exe
  2⤵
  PID:5872
- C:\Windows\System32\JmTOjcT.exe
  C:\Windows\System32\JmTOjcT.exe
  2⤵
  PID:6008
- C:\Windows\System32\eOvHwYs.exe
  C:\Windows\System32\eOvHwYs.exe
  2⤵
  PID:4368
- C:\Windows\System32\NEjXhto.exe
  C:\Windows\System32\NEjXhto.exe
  2⤵
  PID:1052
- C:\Windows\System32\xPLDFGM.exe
  C:\Windows\System32\xPLDFGM.exe
  2⤵
  PID:1804
- C:\Windows\System32\BInGTIR.exe
  C:\Windows\System32\BInGTIR.exe
  2⤵
  PID:696
- C:\Windows\System32\kOiFpyU.exe
  C:\Windows\System32\kOiFpyU.exe
  2⤵
  PID:5416
- C:\Windows\System32\qclLfdO.exe
  C:\Windows\System32\qclLfdO.exe
  2⤵
  PID:5044
- C:\Windows\System32\ibdIzDm.exe
  C:\Windows\System32\ibdIzDm.exe
  2⤵
  PID:5468
- C:\Windows\System32\wSFbjpo.exe
  C:\Windows\System32\wSFbjpo.exe
  2⤵
  PID:1756
- C:\Windows\System32\ZMSVkmx.exe
  C:\Windows\System32\ZMSVkmx.exe
  2⤵
  PID:4876
- C:\Windows\System32\IxpijkQ.exe
  C:\Windows\System32\IxpijkQ.exe
  2⤵
  PID:4520
- C:\Windows\System32\JBOJtdR.exe
  C:\Windows\System32\JBOJtdR.exe
  2⤵
  PID:5776
- C:\Windows\System32\mqFQDlm.exe
  C:\Windows\System32\mqFQDlm.exe
  2⤵
  PID:3660
- C:\Windows\System32\zxBwYuV.exe
  C:\Windows\System32\zxBwYuV.exe
  2⤵
  PID:3016
- C:\Windows\System32\sgvYHop.exe
  C:\Windows\System32\sgvYHop.exe
  2⤵
  PID:6080
- C:\Windows\System32\vUXEyXi.exe
  C:\Windows\System32\vUXEyXi.exe
  2⤵
  PID:5356
- C:\Windows\System32\glyFnUz.exe
  C:\Windows\System32\glyFnUz.exe
  2⤵
  PID:3256
- C:\Windows\System32\FHQwUFN.exe
  C:\Windows\System32\FHQwUFN.exe
  2⤵
  PID:400
- C:\Windows\System32\WfXJAII.exe
  C:\Windows\System32\WfXJAII.exe
  2⤵
  PID:5856
- C:\Windows\System32\WVBjFvo.exe
  C:\Windows\System32\WVBjFvo.exe
  2⤵
  PID:5228
- C:\Windows\System32\NQCSCvZ.exe
  C:\Windows\System32\NQCSCvZ.exe
  2⤵
  PID:1664
- C:\Windows\System32\sBpeZMe.exe
  C:\Windows\System32\sBpeZMe.exe
  2⤵
  PID:5852
- C:\Windows\System32\ALJjhau.exe
  C:\Windows\System32\ALJjhau.exe
  2⤵
  PID:1772
- C:\Windows\System32\iukpKXr.exe
  C:\Windows\System32\iukpKXr.exe
  2⤵
  PID:6164
- C:\Windows\System32\qgVWINv.exe
  C:\Windows\System32\qgVWINv.exe
  2⤵
  PID:6204
- C:\Windows\System32\DExSMsX.exe
  C:\Windows\System32\DExSMsX.exe
  2⤵
  PID:6228
- C:\Windows\System32\EzpgULr.exe
  C:\Windows\System32\EzpgULr.exe
  2⤵
  PID:6248
- C:\Windows\System32\uAFxTtd.exe
  C:\Windows\System32\uAFxTtd.exe
  2⤵
  PID:6264
- C:\Windows\System32\lghaHKM.exe
  C:\Windows\System32\lghaHKM.exe
  2⤵
  PID:6280
- C:\Windows\System32\qNflYwv.exe
  C:\Windows\System32\qNflYwv.exe
  2⤵
  PID:6304
- C:\Windows\System32\SPizmOj.exe
  C:\Windows\System32\SPizmOj.exe
  2⤵
  PID:6320
- C:\Windows\System32\bKPVdDG.exe
  C:\Windows\System32\bKPVdDG.exe
  2⤵
  PID:6340
- C:\Windows\System32\ObCmNmA.exe
  C:\Windows\System32\ObCmNmA.exe
  2⤵
  PID:6392
- C:\Windows\System32\JerRNIM.exe
  C:\Windows\System32\JerRNIM.exe
  2⤵
  PID:6428
- C:\Windows\System32\uJaPwFX.exe
  C:\Windows\System32\uJaPwFX.exe
  2⤵
  PID:6484
- C:\Windows\System32\AjhJfZt.exe
  C:\Windows\System32\AjhJfZt.exe
  2⤵
  PID:6516
- C:\Windows\System32\DVkLFkX.exe
  C:\Windows\System32\DVkLFkX.exe
  2⤵
  PID:6552
- C:\Windows\System32\zyARIzb.exe
  C:\Windows\System32\zyARIzb.exe
  2⤵
  PID:6588
- C:\Windows\System32\DhEXIjt.exe
  C:\Windows\System32\DhEXIjt.exe
  2⤵
  PID:6604
- C:\Windows\System32\yMSIeVp.exe
  C:\Windows\System32\yMSIeVp.exe
  2⤵
  PID:6628
- C:\Windows\System32\mhvdjwf.exe
  C:\Windows\System32\mhvdjwf.exe
  2⤵
  PID:6644
- C:\Windows\System32\NaMbvkQ.exe
  C:\Windows\System32\NaMbvkQ.exe
  2⤵
  PID:6676
- C:\Windows\System32\mPpNeDl.exe
  C:\Windows\System32\mPpNeDl.exe
  2⤵
  PID:6696
- C:\Windows\System32\JivAGVQ.exe
  C:\Windows\System32\JivAGVQ.exe
  2⤵
  PID:6720
- C:\Windows\System32\XfuBfnl.exe
  C:\Windows\System32\XfuBfnl.exe
  2⤵
  PID:6756
- C:\Windows\System32\mEwDoIC.exe
  C:\Windows\System32\mEwDoIC.exe
  2⤵
  PID:6784
- C:\Windows\System32\UiGodbG.exe
  C:\Windows\System32\UiGodbG.exe
  2⤵
  PID:6812
- C:\Windows\System32\pMiJKKb.exe
  C:\Windows\System32\pMiJKKb.exe
  2⤵
  PID:6840
- C:\Windows\System32\kgCWyPK.exe
  C:\Windows\System32\kgCWyPK.exe
  2⤵
  PID:6860
- C:\Windows\System32\BhBCtAN.exe
  C:\Windows\System32\BhBCtAN.exe
  2⤵
  PID:6896
- C:\Windows\System32\FnRxUeU.exe
  C:\Windows\System32\FnRxUeU.exe
  2⤵
  PID:6940
- C:\Windows\System32\OpAwfEf.exe
  C:\Windows\System32\OpAwfEf.exe
  2⤵
  PID:6964
- C:\Windows\System32\ZlncyKU.exe
  C:\Windows\System32\ZlncyKU.exe
  2⤵
  PID:6984
- C:\Windows\System32\ZlJYZoE.exe
  C:\Windows\System32\ZlJYZoE.exe
  2⤵
  PID:7004
- C:\Windows\System32\ZsHuNyV.exe
  C:\Windows\System32\ZsHuNyV.exe
  2⤵
  PID:7024
- C:\Windows\System32\fXIuxQi.exe
  C:\Windows\System32\fXIuxQi.exe
  2⤵
  PID:7040
- C:\Windows\System32\Fabestq.exe
  C:\Windows\System32\Fabestq.exe
  2⤵
  PID:7140
- C:\Windows\System32\hHZsEVl.exe
  C:\Windows\System32\hHZsEVl.exe
  2⤵
  PID:7160
- C:\Windows\System32\djdKuHt.exe
  C:\Windows\System32\djdKuHt.exe
  2⤵
  PID:5196
- C:\Windows\System32\ccfZRCu.exe
  C:\Windows\System32\ccfZRCu.exe
  2⤵
  PID:6276
- C:\Windows\System32\lIflOpx.exe
  C:\Windows\System32\lIflOpx.exe
  2⤵
  PID:6356
- C:\Windows\System32\WCBzAWo.exe
  C:\Windows\System32\WCBzAWo.exe
  2⤵
  PID:6388
- C:\Windows\System32\SrDOzZA.exe
  C:\Windows\System32\SrDOzZA.exe
  2⤵
  PID:6480
- C:\Windows\System32\IbThbWt.exe
  C:\Windows\System32\IbThbWt.exe
  2⤵
  PID:6532
- C:\Windows\System32\hHIJuOu.exe
  C:\Windows\System32\hHIJuOu.exe
  2⤵
  PID:6572
- C:\Windows\System32\pgvGUvl.exe
  C:\Windows\System32\pgvGUvl.exe
  2⤵
  PID:5684
- C:\Windows\System32\GLeCjEZ.exe
  C:\Windows\System32\GLeCjEZ.exe
  2⤵
  PID:6684
- C:\Windows\System32\yslhudn.exe
  C:\Windows\System32\yslhudn.exe
  2⤵
  PID:6768
- C:\Windows\System32\jTaXgao.exe
  C:\Windows\System32\jTaXgao.exe
  2⤵
  PID:6764
- C:\Windows\System32\DNRUAqc.exe
  C:\Windows\System32\DNRUAqc.exe
  2⤵
  PID:6852
- C:\Windows\System32\vmTXuCz.exe
  C:\Windows\System32\vmTXuCz.exe
  2⤵
  PID:6888
- C:\Windows\System32\ReiUfup.exe
  C:\Windows\System32\ReiUfup.exe
  2⤵
  PID:7036
- C:\Windows\System32\jXiHfmp.exe
  C:\Windows\System32\jXiHfmp.exe
  2⤵
  PID:7116
- C:\Windows\System32\gVrgLPA.exe
  C:\Windows\System32\gVrgLPA.exe
  2⤵
  PID:7152
- C:\Windows\System32\SRcBhDT.exe
  C:\Windows\System32\SRcBhDT.exe
  2⤵
  PID:6180
- C:\Windows\System32\imzVHHQ.exe
  C:\Windows\System32\imzVHHQ.exe
  2⤵
  PID:5724
- C:\Windows\System32\bWhUlvQ.exe
  C:\Windows\System32\bWhUlvQ.exe
  2⤵
  PID:5664
- C:\Windows\System32\CuPbWOJ.exe
  C:\Windows\System32\CuPbWOJ.exe
  2⤵
  PID:5720
- C:\Windows\System32\vDMHQNv.exe
  C:\Windows\System32\vDMHQNv.exe
  2⤵
  PID:6652
- C:\Windows\System32\WznHZxZ.exe
  C:\Windows\System32\WznHZxZ.exe
  2⤵
  PID:6820
- C:\Windows\System32\mMHkSeN.exe
  C:\Windows\System32\mMHkSeN.exe
  2⤵
  PID:6952
- C:\Windows\System32\jOCQbMd.exe
  C:\Windows\System32\jOCQbMd.exe
  2⤵
  PID:7088
- C:\Windows\System32\QWmBWwk.exe
  C:\Windows\System32\QWmBWwk.exe
  2⤵
  PID:5668
- C:\Windows\System32\zkjtKcA.exe
  C:\Windows\System32\zkjtKcA.exe
  2⤵
  PID:6500
- C:\Windows\System32\SRvbhxY.exe
  C:\Windows\System32\SRvbhxY.exe
  2⤵
  PID:6492
- C:\Windows\System32\gXbBPMH.exe
  C:\Windows\System32\gXbBPMH.exe
  2⤵
  PID:2992
- C:\Windows\System32\bDzboxi.exe
  C:\Windows\System32\bDzboxi.exe
  2⤵
  PID:5780
- C:\Windows\System32\VsDZsBz.exe
  C:\Windows\System32\VsDZsBz.exe
  2⤵
  PID:6640
- C:\Windows\System32\MpjrWeX.exe
  C:\Windows\System32\MpjrWeX.exe
  2⤵
  PID:7188
- C:\Windows\System32\RlMesVp.exe
  C:\Windows\System32\RlMesVp.exe
  2⤵
  PID:7216
- C:\Windows\System32\CmzMtlH.exe
  C:\Windows\System32\CmzMtlH.exe
  2⤵
  PID:7244
- C:\Windows\System32\uwOZhKC.exe
  C:\Windows\System32\uwOZhKC.exe
  2⤵
  PID:7264
- C:\Windows\System32\KTMqMEb.exe
  C:\Windows\System32\KTMqMEb.exe
  2⤵
  PID:7292
- C:\Windows\System32\EYrUsiT.exe
  C:\Windows\System32\EYrUsiT.exe
  2⤵
  PID:7316
- C:\Windows\System32\uwuIOxX.exe
  C:\Windows\System32\uwuIOxX.exe
  2⤵
  PID:7336
- C:\Windows\System32\jpfufmj.exe
  C:\Windows\System32\jpfufmj.exe
  2⤵
  PID:7352
- C:\Windows\System32\gAtXiFG.exe
  C:\Windows\System32\gAtXiFG.exe
  2⤵
  PID:7376
- C:\Windows\System32\VLZejTL.exe
  C:\Windows\System32\VLZejTL.exe
  2⤵
  PID:7424
- C:\Windows\System32\ourzsMX.exe
  C:\Windows\System32\ourzsMX.exe
  2⤵
  PID:7448
- C:\Windows\System32\gJwbkeJ.exe
  C:\Windows\System32\gJwbkeJ.exe
  2⤵
  PID:7496
- C:\Windows\System32\xmwFTaw.exe
  C:\Windows\System32\xmwFTaw.exe
  2⤵
  PID:7528
- C:\Windows\System32\tFPvbRT.exe
  C:\Windows\System32\tFPvbRT.exe
  2⤵
  PID:7544
- C:\Windows\System32\mzMtxoV.exe
  C:\Windows\System32\mzMtxoV.exe
  2⤵
  PID:7576
- C:\Windows\System32\jWmoqpo.exe
  C:\Windows\System32\jWmoqpo.exe
  2⤵
  PID:7616
- C:\Windows\System32\RnMRYTN.exe
  C:\Windows\System32\RnMRYTN.exe
  2⤵
  PID:7644
- C:\Windows\System32\YwVmuvs.exe
  C:\Windows\System32\YwVmuvs.exe
  2⤵
  PID:7664
- C:\Windows\System32\yDHHkXk.exe
  C:\Windows\System32\yDHHkXk.exe
  2⤵
  PID:7688
- C:\Windows\System32\UTqRWre.exe
  C:\Windows\System32\UTqRWre.exe
  2⤵
  PID:7712
- C:\Windows\System32\GDCgJyz.exe
  C:\Windows\System32\GDCgJyz.exe
  2⤵
  PID:7736
- C:\Windows\System32\OnMoDDs.exe
  C:\Windows\System32\OnMoDDs.exe
  2⤵
  PID:7760
- C:\Windows\System32\vrbeWqx.exe
  C:\Windows\System32\vrbeWqx.exe
  2⤵
  PID:7788
- C:\Windows\System32\URDpTbk.exe
  C:\Windows\System32\URDpTbk.exe
  2⤵
  PID:7840
- C:\Windows\System32\PPBGbdf.exe
  C:\Windows\System32\PPBGbdf.exe
  2⤵
  PID:7864
- C:\Windows\System32\diJgqhJ.exe
  C:\Windows\System32\diJgqhJ.exe
  2⤵
  PID:7900
- C:\Windows\System32\UElSHyh.exe
  C:\Windows\System32\UElSHyh.exe
  2⤵
  PID:7920
- C:\Windows\System32\DdyFEPZ.exe
  C:\Windows\System32\DdyFEPZ.exe
  2⤵
  PID:7952
- C:\Windows\System32\XkxJenp.exe
  C:\Windows\System32\XkxJenp.exe
  2⤵
  PID:7972
- C:\Windows\System32\HrGafxh.exe
  C:\Windows\System32\HrGafxh.exe
  2⤵
  PID:7996
- C:\Windows\System32\VwDEbbc.exe
  C:\Windows\System32\VwDEbbc.exe
  2⤵
  PID:8036
- C:\Windows\System32\ApOqDsy.exe
  C:\Windows\System32\ApOqDsy.exe
  2⤵
  PID:8072
- C:\Windows\System32\qgFqmJH.exe
  C:\Windows\System32\qgFqmJH.exe
  2⤵
  PID:8092
- C:\Windows\System32\DtfgRgM.exe
  C:\Windows\System32\DtfgRgM.exe
  2⤵
  PID:8116
- C:\Windows\System32\yDONbCl.exe
  C:\Windows\System32\yDONbCl.exe
  2⤵
  PID:8140
- C:\Windows\System32\GHqOqXe.exe
  C:\Windows\System32\GHqOqXe.exe
  2⤵
  PID:8172
- C:\Windows\System32\tHxFfHf.exe
  C:\Windows\System32\tHxFfHf.exe
  2⤵
  PID:7172
- C:\Windows\System32\ljOLBgy.exe
  C:\Windows\System32\ljOLBgy.exe
  2⤵
  PID:7232
- C:\Windows\System32\RlXMHSN.exe
  C:\Windows\System32\RlXMHSN.exe
  2⤵
  PID:7284
- C:\Windows\System32\wNzOUEk.exe
  C:\Windows\System32\wNzOUEk.exe
  2⤵
  PID:7372
- C:\Windows\System32\MepopKo.exe
  C:\Windows\System32\MepopKo.exe
  2⤵
  PID:7440
- C:\Windows\System32\DQrVhuj.exe
  C:\Windows\System32\DQrVhuj.exe
  2⤵
  PID:7456
- C:\Windows\System32\AigTJuf.exe
  C:\Windows\System32\AigTJuf.exe
  2⤵
  PID:7564
- C:\Windows\System32\OHYbNEg.exe
  C:\Windows\System32\OHYbNEg.exe
  2⤵
  PID:7588
- C:\Windows\System32\yvTxosP.exe
  C:\Windows\System32\yvTxosP.exe
  2⤵
  PID:7676
- C:\Windows\System32\sJHQzdM.exe
  C:\Windows\System32\sJHQzdM.exe
  2⤵
  PID:7940
- C:\Windows\System32\nXlDafX.exe
  C:\Windows\System32\nXlDafX.exe
  2⤵
  PID:7984
- C:\Windows\System32\VdkSywM.exe
  C:\Windows\System32\VdkSywM.exe
  2⤵
  PID:7968
- C:\Windows\System32\tDuKtcT.exe
  C:\Windows\System32\tDuKtcT.exe
  2⤵
  PID:8032
- C:\Windows\System32\zhxCYsl.exe
  C:\Windows\System32\zhxCYsl.exe
  2⤵
  PID:8080
- C:\Windows\System32\gmuaesu.exe
  C:\Windows\System32\gmuaesu.exe
  2⤵
  PID:8104
- C:\Windows\System32\besgtih.exe
  C:\Windows\System32\besgtih.exe
  2⤵
  PID:8148
- C:\Windows\System32\lOUivsm.exe
  C:\Windows\System32\lOUivsm.exe
  2⤵
  PID:6692
- C:\Windows\System32\zzTAXdx.exe
  C:\Windows\System32\zzTAXdx.exe
  2⤵
  PID:7328
- C:\Windows\System32\BhWJZaz.exe
  C:\Windows\System32\BhWJZaz.exe
  2⤵
  PID:7776
- C:\Windows\System32\WrJIbJc.exe
  C:\Windows\System32\WrJIbJc.exe
  2⤵
  PID:8160
- C:\Windows\System32\fGkmRVF.exe
  C:\Windows\System32\fGkmRVF.exe
  2⤵
  PID:7280
- C:\Windows\System32\lCMxmNF.exe
  C:\Windows\System32\lCMxmNF.exe
  2⤵
  PID:8184
- C:\Windows\System32\IGffvTb.exe
  C:\Windows\System32\IGffvTb.exe
  2⤵
  PID:7552
- C:\Windows\System32\MpxeHuz.exe
  C:\Windows\System32\MpxeHuz.exe
  2⤵
  PID:7796
- C:\Windows\System32\ZnhkWFH.exe
  C:\Windows\System32\ZnhkWFH.exe
  2⤵
  PID:7260
- C:\Windows\System32\eZfCsWo.exe
  C:\Windows\System32\eZfCsWo.exe
  2⤵
  PID:8136
- C:\Windows\System32\lyZPIuU.exe
  C:\Windows\System32\lyZPIuU.exe
  2⤵
  PID:7368
- C:\Windows\System32\VCpoyPT.exe
  C:\Windows\System32\VCpoyPT.exe
  2⤵
  PID:8200
- C:\Windows\System32\YIdHQEd.exe
  C:\Windows\System32\YIdHQEd.exe
  2⤵
  PID:8220
- C:\Windows\System32\ugmyaeq.exe
  C:\Windows\System32\ugmyaeq.exe
  2⤵
  PID:8260
- C:\Windows\System32\VeHVeuH.exe
  C:\Windows\System32\VeHVeuH.exe
  2⤵
  PID:8284
- C:\Windows\System32\kGPgYgp.exe
  C:\Windows\System32\kGPgYgp.exe
  2⤵
  PID:8312
- C:\Windows\System32\MHNJNgu.exe
  C:\Windows\System32\MHNJNgu.exe
  2⤵
  PID:8340
- C:\Windows\System32\UzZozUX.exe
  C:\Windows\System32\UzZozUX.exe
  2⤵
  PID:8360
- C:\Windows\System32\BTrhKIQ.exe
  C:\Windows\System32\BTrhKIQ.exe
  2⤵
  PID:8396
- C:\Windows\System32\QpoUxLo.exe
  C:\Windows\System32\QpoUxLo.exe
  2⤵
  PID:8416
- C:\Windows\System32\tqYQwVH.exe
  C:\Windows\System32\tqYQwVH.exe
  2⤵
  PID:8456
- C:\Windows\System32\dnTynTx.exe
  C:\Windows\System32\dnTynTx.exe
  2⤵
  PID:8484
- C:\Windows\System32\ToVZSdy.exe
  C:\Windows\System32\ToVZSdy.exe
  2⤵
  PID:8516
- C:\Windows\System32\niShfks.exe
  C:\Windows\System32\niShfks.exe
  2⤵
  PID:8540
- C:\Windows\System32\REeopnt.exe
  C:\Windows\System32\REeopnt.exe
  2⤵
  PID:8556
- C:\Windows\System32\FJYneFT.exe
  C:\Windows\System32\FJYneFT.exe
  2⤵
  PID:8580
- C:\Windows\System32\cjEeQCU.exe
  C:\Windows\System32\cjEeQCU.exe
  2⤵
  PID:8600
- C:\Windows\System32\eacoggX.exe
  C:\Windows\System32\eacoggX.exe
  2⤵
  PID:8636
- C:\Windows\System32\ewRYuXc.exe
  C:\Windows\System32\ewRYuXc.exe
  2⤵
  PID:8656
- C:\Windows\System32\RxaQfyO.exe
  C:\Windows\System32\RxaQfyO.exe
  2⤵
  PID:8676
- C:\Windows\System32\gAIGsWD.exe
  C:\Windows\System32\gAIGsWD.exe
  2⤵
  PID:8748
- C:\Windows\System32\jmJagOi.exe
  C:\Windows\System32\jmJagOi.exe
  2⤵
  PID:8772
- C:\Windows\System32\CIPlWox.exe
  C:\Windows\System32\CIPlWox.exe
  2⤵
  PID:8796
- C:\Windows\System32\fLtlOym.exe
  C:\Windows\System32\fLtlOym.exe
  2⤵
  PID:8816
- C:\Windows\System32\RLgYABn.exe
  C:\Windows\System32\RLgYABn.exe
  2⤵
  PID:8852
- C:\Windows\System32\kbanKzd.exe
  C:\Windows\System32\kbanKzd.exe
  2⤵
  PID:8872
- C:\Windows\System32\axwLVwe.exe
  C:\Windows\System32\axwLVwe.exe
  2⤵
  PID:8900
- C:\Windows\System32\BmNysVf.exe
  C:\Windows\System32\BmNysVf.exe
  2⤵
  PID:8920
- C:\Windows\System32\EqPtiXL.exe
  C:\Windows\System32\EqPtiXL.exe
  2⤵
  PID:8948
- C:\Windows\System32\XvwuyDZ.exe
  C:\Windows\System32\XvwuyDZ.exe
  2⤵
  PID:8964
- C:\Windows\System32\KIEwdTD.exe
  C:\Windows\System32\KIEwdTD.exe
  2⤵
  PID:9004
- C:\Windows\System32\HaeWQVH.exe
  C:\Windows\System32\HaeWQVH.exe
  2⤵
  PID:9048
- C:\Windows\System32\ZfHpWXd.exe
  C:\Windows\System32\ZfHpWXd.exe
  2⤵
  PID:9068
- C:\Windows\System32\LLrjJLi.exe
  C:\Windows\System32\LLrjJLi.exe
  2⤵
  PID:9088
- C:\Windows\System32\LhTSdpi.exe
  C:\Windows\System32\LhTSdpi.exe
  2⤵
  PID:9116
- C:\Windows\System32\nWtEPDW.exe
  C:\Windows\System32\nWtEPDW.exe
  2⤵
  PID:9136
- C:\Windows\System32\EblJCZR.exe
  C:\Windows\System32\EblJCZR.exe
  2⤵
  PID:9156
- C:\Windows\System32\qRVzHpk.exe
  C:\Windows\System32\qRVzHpk.exe
  2⤵
  PID:9176
- C:\Windows\System32\VTxWzRS.exe
  C:\Windows\System32\VTxWzRS.exe
  2⤵
  PID:9208
- C:\Windows\System32\hlZoKlk.exe
  C:\Windows\System32\hlZoKlk.exe
  2⤵
  PID:8280
- C:\Windows\System32\kiEsYEg.exe
  C:\Windows\System32\kiEsYEg.exe
  2⤵
  PID:8348
- C:\Windows\System32\qPOVPks.exe
  C:\Windows\System32\qPOVPks.exe
  2⤵
  PID:8404
- C:\Windows\System32\fEqKmCf.exe
  C:\Windows\System32\fEqKmCf.exe
  2⤵
  PID:8464
- C:\Windows\System32\srrvAGo.exe
  C:\Windows\System32\srrvAGo.exe
  2⤵
  PID:8576
- C:\Windows\System32\fynRFSF.exe
  C:\Windows\System32\fynRFSF.exe
  2⤵
  PID:8592
- C:\Windows\System32\FZXVwxI.exe
  C:\Windows\System32\FZXVwxI.exe
  2⤵
  PID:8704
- C:\Windows\System32\fzWVPYi.exe
  C:\Windows\System32\fzWVPYi.exe
  2⤵
  PID:8744
- C:\Windows\System32\XNvbwuU.exe
  C:\Windows\System32\XNvbwuU.exe
  2⤵
  PID:8812
- C:\Windows\System32\vaTHjNR.exe
  C:\Windows\System32\vaTHjNR.exe
  2⤵
  PID:8884
- C:\Windows\System32\iBlmcAf.exe
  C:\Windows\System32\iBlmcAf.exe
  2⤵
  PID:8916
- C:\Windows\System32\apXdjqU.exe
  C:\Windows\System32\apXdjqU.exe
  2⤵
  PID:9032
- C:\Windows\System32\gLCxdWI.exe
  C:\Windows\System32\gLCxdWI.exe
  2⤵
  PID:9080
- C:\Windows\System32\pvyQbNV.exe
  C:\Windows\System32\pvyQbNV.exe
  2⤵
  PID:9188
- C:\Windows\System32\nAhbdlQ.exe
  C:\Windows\System32\nAhbdlQ.exe
  2⤵
  PID:9192
- C:\Windows\System32\XfUOUvg.exe
  C:\Windows\System32\XfUOUvg.exe
  2⤵
  PID:8236
- C:\Windows\System32\cVKPsSF.exe
  C:\Windows\System32\cVKPsSF.exe
  2⤵
  PID:8304
- C:\Windows\System32\vOjqIYx.exe
  C:\Windows\System32\vOjqIYx.exe
  2⤵
  PID:8672
- C:\Windows\System32\yzpCQsw.exe
  C:\Windows\System32\yzpCQsw.exe
  2⤵
  PID:8708
- C:\Windows\System32\EnZwiYb.exe
  C:\Windows\System32\EnZwiYb.exe
  2⤵
  PID:8836
- C:\Windows\System32\yumReeW.exe
  C:\Windows\System32\yumReeW.exe
  2⤵
  PID:8980
- C:\Windows\System32\EaCDHkb.exe
  C:\Windows\System32\EaCDHkb.exe
  2⤵
  PID:9168
- C:\Windows\System32\kszSews.exe
  C:\Windows\System32\kszSews.exe
  2⤵
  PID:8496
- C:\Windows\System32\MpeULkb.exe
  C:\Windows\System32\MpeULkb.exe
  2⤵
  PID:8760
- C:\Windows\System32\QJmVBjp.exe
  C:\Windows\System32\QJmVBjp.exe
  2⤵
  PID:8928
- C:\Windows\System32\qUPSWDQ.exe
  C:\Windows\System32\qUPSWDQ.exe
  2⤵
  PID:9220
- C:\Windows\System32\SpIPXjr.exe
  C:\Windows\System32\SpIPXjr.exe
  2⤵
  PID:9240
- C:\Windows\System32\MaXLQix.exe
  C:\Windows\System32\MaXLQix.exe
  2⤵
  PID:9268
- C:\Windows\System32\qmgdRkA.exe
  C:\Windows\System32\qmgdRkA.exe
  2⤵
  PID:9288
- C:\Windows\System32\SKJUpiD.exe
  C:\Windows\System32\SKJUpiD.exe
  2⤵
  PID:9308
- C:\Windows\System32\ujIvcCf.exe
  C:\Windows\System32\ujIvcCf.exe
  2⤵
  PID:9372
- C:\Windows\System32\LnYZsLJ.exe
  C:\Windows\System32\LnYZsLJ.exe
  2⤵
  PID:9396
- C:\Windows\System32\FsNSZkX.exe
  C:\Windows\System32\FsNSZkX.exe
  2⤵
  PID:9416
- C:\Windows\System32\fybyUgg.exe
  C:\Windows\System32\fybyUgg.exe
  2⤵
  PID:9436
- C:\Windows\System32\itEwyLK.exe
  C:\Windows\System32\itEwyLK.exe
  2⤵
  PID:9468
- C:\Windows\System32\hQXoztN.exe
  C:\Windows\System32\hQXoztN.exe
  2⤵
  PID:9500
- C:\Windows\System32\odCeUzU.exe
  C:\Windows\System32\odCeUzU.exe
  2⤵
  PID:9544
- C:\Windows\System32\SKaMwBi.exe
  C:\Windows\System32\SKaMwBi.exe
  2⤵
  PID:9572
- C:\Windows\System32\uVdejbo.exe
  C:\Windows\System32\uVdejbo.exe
  2⤵
  PID:9596
- C:\Windows\System32\KvOhSSi.exe
  C:\Windows\System32\KvOhSSi.exe
  2⤵
  PID:9616
- C:\Windows\System32\NJzQHMH.exe
  C:\Windows\System32\NJzQHMH.exe
  2⤵
  PID:9636
- C:\Windows\System32\tBMYAAd.exe
  C:\Windows\System32\tBMYAAd.exe
  2⤵
  PID:9660
- C:\Windows\System32\JuUbaan.exe
  C:\Windows\System32\JuUbaan.exe
  2⤵
  PID:9688
- C:\Windows\System32\HIWTVcW.exe
  C:\Windows\System32\HIWTVcW.exe
  2⤵
  PID:9712
- C:\Windows\System32\mtELaGu.exe
  C:\Windows\System32\mtELaGu.exe
  2⤵
  PID:9756
- C:\Windows\System32\aifMoYW.exe
  C:\Windows\System32\aifMoYW.exe
  2⤵
  PID:9780
- C:\Windows\System32\YAojSuI.exe
  C:\Windows\System32\YAojSuI.exe
  2⤵
  PID:9820
- C:\Windows\System32\gNbHnxv.exe
  C:\Windows\System32\gNbHnxv.exe
  2⤵
  PID:9848
- C:\Windows\System32\ZrtJwSk.exe
  C:\Windows\System32\ZrtJwSk.exe
  2⤵
  PID:9872
- C:\Windows\System32\ulVtvtG.exe
  C:\Windows\System32\ulVtvtG.exe
  2⤵
  PID:9892
- C:\Windows\System32\ZKvqZRj.exe
  C:\Windows\System32\ZKvqZRj.exe
  2⤵
  PID:9944
- C:\Windows\System32\QlbTQkP.exe
  C:\Windows\System32\QlbTQkP.exe
  2⤵
  PID:9964
- C:\Windows\System32\zRJEnjQ.exe
  C:\Windows\System32\zRJEnjQ.exe
  2⤵
  PID:9988
- C:\Windows\System32\ZpPCDcN.exe
  C:\Windows\System32\ZpPCDcN.exe
  2⤵
  PID:10008
- C:\Windows\System32\CUqCaAD.exe
  C:\Windows\System32\CUqCaAD.exe
  2⤵
  PID:10028
- C:\Windows\System32\TtaAgpo.exe
  C:\Windows\System32\TtaAgpo.exe
  2⤵
  PID:10056
- C:\Windows\System32\QSsHoUk.exe
  C:\Windows\System32\QSsHoUk.exe
  2⤵
  PID:10080
- C:\Windows\System32\UEbOyxI.exe
  C:\Windows\System32\UEbOyxI.exe
  2⤵
  PID:10116
- C:\Windows\System32\PPBZJQq.exe
  C:\Windows\System32\PPBZJQq.exe
  2⤵
  PID:10152
- C:\Windows\System32\WgJuZdY.exe
  C:\Windows\System32\WgJuZdY.exe
  2⤵
  PID:10176
- C:\Windows\System32\PVgHTrm.exe
  C:\Windows\System32\PVgHTrm.exe
  2⤵
  PID:10192
- C:\Windows\System32\zzeqpaF.exe
  C:\Windows\System32\zzeqpaF.exe
  2⤵
  PID:10224
- C:\Windows\System32\hFcImcN.exe
  C:\Windows\System32\hFcImcN.exe
  2⤵
  PID:8804
- C:\Windows\System32\HHPZWdl.exe
  C:\Windows\System32\HHPZWdl.exe
  2⤵
  PID:9260
- C:\Windows\System32\nzCnRZK.exe
  C:\Windows\System32\nzCnRZK.exe
  2⤵
  PID:9300
- C:\Windows\System32\iiYpfyl.exe
  C:\Windows\System32\iiYpfyl.exe
  2⤵
  PID:9336
- C:\Windows\System32\RJyuunr.exe
  C:\Windows\System32\RJyuunr.exe
  2⤵
  PID:9404
- C:\Windows\System32\AlnMbCR.exe
  C:\Windows\System32\AlnMbCR.exe
  2⤵
  PID:9452
- C:\Windows\System32\AgrsrXn.exe
  C:\Windows\System32\AgrsrXn.exe
  2⤵
  PID:9508
- C:\Windows\System32\IrhxUan.exe
  C:\Windows\System32\IrhxUan.exe
  2⤵
  PID:9536
- C:\Windows\System32\PRiOoWN.exe
  C:\Windows\System32\PRiOoWN.exe
  2⤵
  PID:9604
- C:\Windows\System32\sIXzFnS.exe
  C:\Windows\System32\sIXzFnS.exe
  2⤵
  PID:9644
- C:\Windows\System32\qqCilGZ.exe
  C:\Windows\System32\qqCilGZ.exe
  2⤵
  PID:9684
- C:\Windows\System32\hsVGdMh.exe
  C:\Windows\System32\hsVGdMh.exe
  2⤵
  PID:9772
- C:\Windows\System32\AZpnxvS.exe
  C:\Windows\System32\AZpnxvS.exe
  2⤵
  PID:9856
- C:\Windows\System32\qyccaRi.exe
  C:\Windows\System32\qyccaRi.exe
  2⤵
  PID:10000
- C:\Windows\System32\YIQPsgt.exe
  C:\Windows\System32\YIQPsgt.exe
  2⤵
  PID:10108
- C:\Windows\System32\CZHMOHo.exe
  C:\Windows\System32\CZHMOHo.exe
  2⤵
  PID:10216
- C:\Windows\System32\qtzeWZJ.exe
  C:\Windows\System32\qtzeWZJ.exe
  2⤵
  PID:9248
- C:\Windows\System32\bxXTcFq.exe
  C:\Windows\System32\bxXTcFq.exe
  2⤵
  PID:9384
- C:\Windows\System32\rgPbbiV.exe
  C:\Windows\System32\rgPbbiV.exe
  2⤵
  PID:9564
- C:\Windows\System32\smgYbWN.exe
  C:\Windows\System32\smgYbWN.exe
  2⤵
  PID:9704
- C:\Windows\System32\skXyMin.exe
  C:\Windows\System32\skXyMin.exe
  2⤵
  PID:9528
- C:\Windows\System32\raueEcH.exe
  C:\Windows\System32\raueEcH.exe
  2⤵
  PID:9828
- C:\Windows\System32\vINggUp.exe
  C:\Windows\System32\vINggUp.exe
  2⤵
  PID:9960
- C:\Windows\System32\yLbFKEX.exe
  C:\Windows\System32\yLbFKEX.exe
  2⤵
  PID:10172
- C:\Windows\System32\KOhauvn.exe
  C:\Windows\System32\KOhauvn.exe
  2⤵
  PID:8412
- C:\Windows\System32\FQlBnZK.exe
  C:\Windows\System32\FQlBnZK.exe
  2⤵
  PID:10072
- C:\Windows\System32\wlHdUfT.exe
  C:\Windows\System32\wlHdUfT.exe
  2⤵
  PID:9904
- C:\Windows\System32\yZVFhtu.exe
  C:\Windows\System32\yZVFhtu.exe
  2⤵
  PID:9832
- C:\Windows\System32\NBSJTeA.exe
  C:\Windows\System32\NBSJTeA.exe
  2⤵
  PID:10276
- C:\Windows\System32\ffJrVqD.exe
  C:\Windows\System32\ffJrVqD.exe
  2⤵
  PID:10292
- C:\Windows\System32\eTTkNCp.exe
  C:\Windows\System32\eTTkNCp.exe
  2⤵
  PID:10312
- C:\Windows\System32\jfxYrFb.exe
  C:\Windows\System32\jfxYrFb.exe
  2⤵
  PID:10352
- C:\Windows\System32\LTKRRNb.exe
  C:\Windows\System32\LTKRRNb.exe
  2⤵
  PID:10396
- C:\Windows\System32\IcaSvAo.exe
  C:\Windows\System32\IcaSvAo.exe
  2⤵
  PID:10416
- C:\Windows\System32\vMceyHD.exe
  C:\Windows\System32\vMceyHD.exe
  2⤵
  PID:10444
- C:\Windows\System32\dbnavli.exe
  C:\Windows\System32\dbnavli.exe
  2⤵
  PID:10464
- C:\Windows\System32\NCpCulw.exe
  C:\Windows\System32\NCpCulw.exe
  2⤵
  PID:10520
- C:\Windows\System32\wMmwzOO.exe
  C:\Windows\System32\wMmwzOO.exe
  2⤵
  PID:10540
- C:\Windows\System32\WKYWdMq.exe
  C:\Windows\System32\WKYWdMq.exe
  2⤵
  PID:10556
- C:\Windows\System32\zRFxJEu.exe
  C:\Windows\System32\zRFxJEu.exe
  2⤵
  PID:10592
- C:\Windows\System32\jHxYUOX.exe
  C:\Windows\System32\jHxYUOX.exe
  2⤵
  PID:10612
- C:\Windows\System32\cWRLtsE.exe
  C:\Windows\System32\cWRLtsE.exe
  2⤵
  PID:10648
- C:\Windows\System32\fWAXDts.exe
  C:\Windows\System32\fWAXDts.exe
  2⤵
  PID:10668
- C:\Windows\System32\puQhkvk.exe
  C:\Windows\System32\puQhkvk.exe
  2⤵
  PID:10704
- C:\Windows\System32\ijKGmvq.exe
  C:\Windows\System32\ijKGmvq.exe
  2⤵
  PID:10732
- C:\Windows\System32\zundhRO.exe
  C:\Windows\System32\zundhRO.exe
  2⤵
  PID:10756
- C:\Windows\System32\KbVgNXR.exe
  C:\Windows\System32\KbVgNXR.exe
  2⤵
  PID:10780
- C:\Windows\System32\iQkqQIR.exe
  C:\Windows\System32\iQkqQIR.exe
  2⤵
  PID:10796
- C:\Windows\System32\BgErdSQ.exe
  C:\Windows\System32\BgErdSQ.exe
  2⤵
  PID:10816
- C:\Windows\System32\qjxTacV.exe
  C:\Windows\System32\qjxTacV.exe
  2⤵
  PID:10864
- C:\Windows\System32\IoDaBOG.exe
  C:\Windows\System32\IoDaBOG.exe
  2⤵
  PID:10888
- C:\Windows\System32\XJfesur.exe
  C:\Windows\System32\XJfesur.exe
  2⤵
  PID:10920
- C:\Windows\System32\klKrTyp.exe
  C:\Windows\System32\klKrTyp.exe
  2⤵
  PID:10948
- C:\Windows\System32\xEnjZgr.exe
  C:\Windows\System32\xEnjZgr.exe
  2⤵
  PID:10972
- C:\Windows\System32\RmJeTVy.exe
  C:\Windows\System32\RmJeTVy.exe
  2⤵
  PID:11004
- C:\Windows\System32\zECMAPj.exe
  C:\Windows\System32\zECMAPj.exe
  2⤵
  PID:11024
- C:\Windows\System32\kDcGayv.exe
  C:\Windows\System32\kDcGayv.exe
  2⤵
  PID:11056
- C:\Windows\System32\cSmquFZ.exe
  C:\Windows\System32\cSmquFZ.exe
  2⤵
  PID:11124
- C:\Windows\System32\ieDivBd.exe
  C:\Windows\System32\ieDivBd.exe
  2⤵
  PID:11144
- C:\Windows\System32\mzDTvLS.exe
  C:\Windows\System32\mzDTvLS.exe
  2⤵
  PID:11172
- C:\Windows\System32\cHuyAcf.exe
  C:\Windows\System32\cHuyAcf.exe
  2⤵
  PID:11188
- C:\Windows\System32\RKDNDDn.exe
  C:\Windows\System32\RKDNDDn.exe
  2⤵
  PID:11216
- C:\Windows\System32\uzuZnsn.exe
  C:\Windows\System32\uzuZnsn.exe
  2⤵
  PID:11244
- C:\Windows\System32\XlmdvaV.exe
  C:\Windows\System32\XlmdvaV.exe
  2⤵
  PID:9480
- C:\Windows\System32\UsEwWjE.exe
  C:\Windows\System32\UsEwWjE.exe
  2⤵
  PID:9252
- C:\Windows\System32\yMMBwEp.exe
  C:\Windows\System32\yMMBwEp.exe
  2⤵
  PID:10308
- C:\Windows\System32\BamrYvY.exe
  C:\Windows\System32\BamrYvY.exe
  2⤵
  PID:10304
- C:\Windows\System32\LEZxuBT.exe
  C:\Windows\System32\LEZxuBT.exe
  2⤵
  PID:10456
- C:\Windows\System32\cVhEPxr.exe
  C:\Windows\System32\cVhEPxr.exe
  2⤵
  PID:10512
- C:\Windows\System32\BsoOGsR.exe
  C:\Windows\System32\BsoOGsR.exe
  2⤵
  PID:10548
- C:\Windows\System32\oAEufkb.exe
  C:\Windows\System32\oAEufkb.exe
  2⤵
  PID:10640
- C:\Windows\System32\tUZvnIN.exe
  C:\Windows\System32\tUZvnIN.exe
  2⤵
  PID:10692
- C:\Windows\System32\wpxnuTN.exe
  C:\Windows\System32\wpxnuTN.exe
  2⤵
  PID:10720
- C:\Windows\System32\nJPGWkV.exe
  C:\Windows\System32\nJPGWkV.exe
  2⤵
  PID:10832
- C:\Windows\System32\OvGohxZ.exe
  C:\Windows\System32\OvGohxZ.exe
  2⤵
  PID:10896
- C:\Windows\System32\vEAsVPK.exe
  C:\Windows\System32\vEAsVPK.exe
  2⤵
  PID:10964
- C:\Windows\System32\DPWuZde.exe
  C:\Windows\System32\DPWuZde.exe
  2⤵
  PID:11076
- C:\Windows\System32\NdtiDdz.exe
  C:\Windows\System32\NdtiDdz.exe
  2⤵
  PID:11132
- C:\Windows\System32\UQBAcHl.exe
  C:\Windows\System32\UQBAcHl.exe
  2⤵
  PID:9324
- C:\Windows\System32\QzPWVZD.exe
  C:\Windows\System32\QzPWVZD.exe
  2⤵
  PID:11236
- C:\Windows\System32\dVQEoRU.exe
  C:\Windows\System32\dVQEoRU.exe
  2⤵
  PID:10328
- C:\Windows\System32\IDUWDJl.exe
  C:\Windows\System32\IDUWDJl.exe
  2⤵
  PID:10372
- C:\Windows\System32\LPCJWpB.exe
  C:\Windows\System32\LPCJWpB.exe
  2⤵
  PID:10488
- C:\Windows\System32\UcCNYdk.exe
  C:\Windows\System32\UcCNYdk.exe
  2⤵
  PID:10568
- C:\Windows\System32\HxvYkCH.exe
  C:\Windows\System32\HxvYkCH.exe
  2⤵
  PID:10980
- C:\Windows\System32\hpUUXgt.exe
  C:\Windows\System32\hpUUXgt.exe
  2⤵
  PID:11100
- C:\Windows\System32\mFDoXym.exe
  C:\Windows\System32\mFDoXym.exe
  2⤵
  PID:11180
- C:\Windows\System32\hsDQpSb.exe
  C:\Windows\System32\hsDQpSb.exe
  2⤵
  PID:11256
- C:\Windows\System32\QrvarnV.exe
  C:\Windows\System32\QrvarnV.exe
  2⤵
  PID:10536
- C:\Windows\System32\HTFgfRq.exe
  C:\Windows\System32\HTFgfRq.exe
  2⤵
  PID:11052
- C:\Windows\System32\wZGzfBU.exe
  C:\Windows\System32\wZGzfBU.exe
  2⤵
  PID:10900
- C:\Windows\System32\yIsUUjD.exe
  C:\Windows\System32\yIsUUjD.exe
  2⤵
  PID:11300
- C:\Windows\System32\Yhacabc.exe
  C:\Windows\System32\Yhacabc.exe
  2⤵
  PID:11316
- C:\Windows\System32\JCnibxT.exe
  C:\Windows\System32\JCnibxT.exe
  2⤵
  PID:11336
- C:\Windows\System32\AqCeSSQ.exe
  C:\Windows\System32\AqCeSSQ.exe
  2⤵
  PID:11368
- C:\Windows\System32\WNEqtmn.exe
  C:\Windows\System32\WNEqtmn.exe
  2⤵
  PID:11388
- C:\Windows\System32\nBLnLhQ.exe
  C:\Windows\System32\nBLnLhQ.exe
  2⤵
  PID:11416
- C:\Windows\System32\BJJOlMH.exe
  C:\Windows\System32\BJJOlMH.exe
  2⤵
  PID:11436
- C:\Windows\System32\qegfzAL.exe
  C:\Windows\System32\qegfzAL.exe
  2⤵
  PID:11452
- C:\Windows\System32\NqIdfuO.exe
  C:\Windows\System32\NqIdfuO.exe
  2⤵
  PID:11476
- C:\Windows\System32\KYtpxCl.exe
  C:\Windows\System32\KYtpxCl.exe
  2⤵
  PID:11524
- C:\Windows\System32\iPdvojt.exe
  C:\Windows\System32\iPdvojt.exe
  2⤵
  PID:11556
- C:\Windows\System32\fdyNAaG.exe
  C:\Windows\System32\fdyNAaG.exe
  2⤵
  PID:11584
- C:\Windows\System32\ZQOHNNq.exe
  C:\Windows\System32\ZQOHNNq.exe
  2⤵
  PID:11612
- C:\Windows\System32\QDEwqeI.exe
  C:\Windows\System32\QDEwqeI.exe
  2⤵
  PID:11632
- C:\Windows\System32\IhNgIJV.exe
  C:\Windows\System32\IhNgIJV.exe
  2⤵
  PID:11660
- C:\Windows\System32\agvrrZA.exe
  C:\Windows\System32\agvrrZA.exe
  2⤵
  PID:11684
- C:\Windows\System32\sSoVuLl.exe
  C:\Windows\System32\sSoVuLl.exe
  2⤵
  PID:11724
- C:\Windows\System32\TEncyKG.exe
  C:\Windows\System32\TEncyKG.exe
  2⤵
  PID:11748
- C:\Windows\System32\KzIHiLf.exe
  C:\Windows\System32\KzIHiLf.exe
  2⤵
  PID:11768
- C:\Windows\System32\Sozuptx.exe
  C:\Windows\System32\Sozuptx.exe
  2⤵
  PID:11800
- C:\Windows\System32\vXLjGCM.exe
  C:\Windows\System32\vXLjGCM.exe
  2⤵
  PID:11836
- C:\Windows\System32\RXjLyum.exe
  C:\Windows\System32\RXjLyum.exe
  2⤵
  PID:11872
- C:\Windows\System32\yaZVdRc.exe
  C:\Windows\System32\yaZVdRc.exe
  2⤵
  PID:11896
- C:\Windows\System32\ZyTNtwF.exe
  C:\Windows\System32\ZyTNtwF.exe
  2⤵
  PID:11920
- C:\Windows\System32\uJdrNDT.exe
  C:\Windows\System32\uJdrNDT.exe
  2⤵
  PID:11952
- C:\Windows\System32\vMzBAGO.exe
  C:\Windows\System32\vMzBAGO.exe
  2⤵
  PID:11972
- C:\Windows\System32\BJyySsw.exe
  C:\Windows\System32\BJyySsw.exe
  2⤵
  PID:11996
- C:\Windows\System32\OGSrwwy.exe
  C:\Windows\System32\OGSrwwy.exe
  2⤵
  PID:12024
- C:\Windows\System32\mPmwgxZ.exe
  C:\Windows\System32\mPmwgxZ.exe
  2⤵
  PID:12040
- C:\Windows\System32\uduiMgB.exe
  C:\Windows\System32\uduiMgB.exe
  2⤵
  PID:12080
- C:\Windows\System32\zosWyFH.exe
  C:\Windows\System32\zosWyFH.exe
  2⤵
  PID:12104
- C:\Windows\System32\qbRnZUz.exe
  C:\Windows\System32\qbRnZUz.exe
  2⤵
  PID:12144
- C:\Windows\System32\favMxJZ.exe
  C:\Windows\System32\favMxJZ.exe
  2⤵
  PID:12180
- C:\Windows\System32\unZYPnD.exe
  C:\Windows\System32\unZYPnD.exe
  2⤵
  PID:12204
- C:\Windows\System32\yyhkJZU.exe
  C:\Windows\System32\yyhkJZU.exe
  2⤵
  PID:12220
- C:\Windows\System32\QoZghSD.exe
  C:\Windows\System32\QoZghSD.exe
  2⤵
  PID:12280
- C:\Windows\System32\cTbCcIC.exe
  C:\Windows\System32\cTbCcIC.exe
  2⤵
  PID:10788
- C:\Windows\System32\tKHgynt.exe
  C:\Windows\System32\tKHgynt.exe
  2⤵
  PID:11344
- C:\Windows\System32\WiKLxhs.exe
  C:\Windows\System32\WiKLxhs.exe
  2⤵
  PID:11412
- C:\Windows\System32\ZqzOmoS.exe
  C:\Windows\System32\ZqzOmoS.exe
  2⤵
  PID:11448
- C:\Windows\System32\ftZUTop.exe
  C:\Windows\System32\ftZUTop.exe
  2⤵
  PID:11496
- C:\Windows\System32\lFugcZD.exe
  C:\Windows\System32\lFugcZD.exe
  2⤵
  PID:11604
- C:\Windows\System32\luaDqhP.exe
  C:\Windows\System32\luaDqhP.exe
  2⤵
  PID:11652
- C:\Windows\System32\mzwTpGS.exe
  C:\Windows\System32\mzwTpGS.exe
  2⤵
  PID:11672
- C:\Windows\System32\AWvONEb.exe
  C:\Windows\System32\AWvONEb.exe
  2⤵
  PID:11760
- C:\Windows\System32\ceJgRBX.exe
  C:\Windows\System32\ceJgRBX.exe
  2⤵
  PID:11816
- C:\Windows\System32\bfAjzUx.exe
  C:\Windows\System32\bfAjzUx.exe
  2⤵
  PID:11888
- C:\Windows\System32\YlIrIKS.exe
  C:\Windows\System32\YlIrIKS.exe
  2⤵
  PID:11944
- C:\Windows\System32\ADmPBnX.exe
  C:\Windows\System32\ADmPBnX.exe
  2⤵
  PID:12032
- C:\Windows\System32\XUlGZBd.exe
  C:\Windows\System32\XUlGZBd.exe
  2⤵
  PID:12052
- C:\Windows\System32\sfGwdpO.exe
  C:\Windows\System32\sfGwdpO.exe
  2⤵
  PID:12160
- C:\Windows\System32\vSzxNzG.exe
  C:\Windows\System32\vSzxNzG.exe
  2⤵
  PID:12188
- C:\Windows\System32\MGCNXZP.exe
  C:\Windows\System32\MGCNXZP.exe
  2⤵
  PID:10260
- C:\Windows\System32\WDyOjmS.exe
  C:\Windows\System32\WDyOjmS.exe
  2⤵
  PID:11380
- C:\Windows\System32\nSXGFAD.exe
  C:\Windows\System32\nSXGFAD.exe
  2⤵
  PID:11532
- C:\Windows\System32\jnCVDfh.exe
  C:\Windows\System32\jnCVDfh.exe
  2⤵
  PID:11696
- C:\Windows\System32\roTZChk.exe
  C:\Windows\System32\roTZChk.exe
  2⤵
  PID:11784
- C:\Windows\System32\QXunmpD.exe
  C:\Windows\System32\QXunmpD.exe
  2⤵
  PID:11988
- C:\Windows\System32\zZdJrRG.exe
  C:\Windows\System32\zZdJrRG.exe
  2⤵
  PID:12156
- C:\Windows\System32\kgxDnJO.exe
  C:\Windows\System32\kgxDnJO.exe
  2⤵
  PID:11488
- C:\Windows\System32\YiEQiHT.exe
  C:\Windows\System32\YiEQiHT.exe
  2⤵
  PID:3228
- C:\Windows\System32\dSRORHo.exe
  C:\Windows\System32\dSRORHo.exe
  2⤵
  PID:11904
- C:\Windows\System32\msdQdIt.exe
  C:\Windows\System32\msdQdIt.exe
  2⤵
  PID:12216
- C:\Windows\System32\uezzBGa.exe
  C:\Windows\System32\uezzBGa.exe
  2⤵
  PID:11376
- C:\Windows\System32\YZWipqW.exe
  C:\Windows\System32\YZWipqW.exe
  2⤵
  PID:11732
- C:\Windows\System32\lSINgLh.exe
  C:\Windows\System32\lSINgLh.exe
  2⤵
  PID:12012
- C:\Windows\System32\bYptWmq.exe
  C:\Windows\System32\bYptWmq.exe
  2⤵
  PID:12316
- C:\Windows\System32\acsFQll.exe
  C:\Windows\System32\acsFQll.exe
  2⤵
  PID:12352
- C:\Windows\System32\NvMillY.exe
  C:\Windows\System32\NvMillY.exe
  2⤵
  PID:12372
- C:\Windows\System32\iSxFjNo.exe
  C:\Windows\System32\iSxFjNo.exe
  2⤵
  PID:12404
- C:\Windows\System32\gjniunf.exe
  C:\Windows\System32\gjniunf.exe
  2⤵
  PID:12424
- C:\Windows\System32\OwjmmUU.exe
  C:\Windows\System32\OwjmmUU.exe
  2⤵
  PID:12440
- C:\Windows\System32\ZpJhFYg.exe
  C:\Windows\System32\ZpJhFYg.exe
  2⤵
  PID:12460
- C:\Windows\System32\bCPRUFP.exe
  C:\Windows\System32\bCPRUFP.exe
  2⤵
  PID:12484
- C:\Windows\System32\wEhifeu.exe
  C:\Windows\System32\wEhifeu.exe
  2⤵
  PID:12552
- C:\Windows\System32\nDhwJQs.exe
  C:\Windows\System32\nDhwJQs.exe
  2⤵
  PID:12592
- C:\Windows\System32\oFdPJFS.exe
  C:\Windows\System32\oFdPJFS.exe
  2⤵
  PID:12608
- C:\Windows\System32\saXtyGD.exe
  C:\Windows\System32\saXtyGD.exe
  2⤵
  PID:12628
- C:\Windows\System32\wqQlqcL.exe
  C:\Windows\System32\wqQlqcL.exe
  2⤵
  PID:12656
- C:\Windows\System32\qKRZBMd.exe
  C:\Windows\System32\qKRZBMd.exe
  2⤵
  PID:12680
- C:\Windows\System32\SsNByXw.exe
  C:\Windows\System32\SsNByXw.exe
  2⤵
  PID:12744
- C:\Windows\System32\eipbBfR.exe
  C:\Windows\System32\eipbBfR.exe
  2⤵
  PID:12760
- C:\Windows\System32\smhxcWf.exe
  C:\Windows\System32\smhxcWf.exe
  2⤵
  PID:12800
- C:\Windows\System32\QQtTXPA.exe
  C:\Windows\System32\QQtTXPA.exe
  2⤵
  PID:12824
- C:\Windows\System32\xyEFfUc.exe
  C:\Windows\System32\xyEFfUc.exe
  2⤵
  PID:12840
- C:\Windows\System32\QlnnAsv.exe
  C:\Windows\System32\QlnnAsv.exe
  2⤵
  PID:12860
- C:\Windows\System32\rtjwTOm.exe
  C:\Windows\System32\rtjwTOm.exe
  2⤵
  PID:12876
- C:\Windows\System32\eUpJEBf.exe
  C:\Windows\System32\eUpJEBf.exe
  2⤵
  PID:12904
- C:\Windows\System32\peGzkdI.exe
  C:\Windows\System32\peGzkdI.exe
  2⤵
  PID:12932
- C:\Windows\System32\opLBUoY.exe
  C:\Windows\System32\opLBUoY.exe
  2⤵
  PID:12972
- C:\Windows\System32\UBtBFeP.exe
  C:\Windows\System32\UBtBFeP.exe
  2⤵
  PID:12992
- C:\Windows\System32\ehqfKLp.exe
  C:\Windows\System32\ehqfKLp.exe
  2⤵
  PID:13024
- C:\Windows\System32\rsNFvZP.exe
  C:\Windows\System32\rsNFvZP.exe
  2⤵
  PID:13044
- C:\Windows\System32\qOZhCeO.exe
  C:\Windows\System32\qOZhCeO.exe
  2⤵
  PID:13068
- C:\Windows\System32\SaAvqbJ.exe
  C:\Windows\System32\SaAvqbJ.exe
  2⤵
  PID:13088
- C:\Windows\System32\qMFNnTF.exe
  C:\Windows\System32\qMFNnTF.exe
  2⤵
  PID:13140
- C:\Windows\System32\PzEIsJH.exe
  C:\Windows\System32\PzEIsJH.exe
  2⤵
  PID:13160
- C:\Windows\System32\ZMiHFow.exe
  C:\Windows\System32\ZMiHFow.exe
  2⤵
  PID:13192
- C:\Windows\System32\HNjDJEk.exe
  C:\Windows\System32\HNjDJEk.exe
  2⤵
  PID:13208
- C:\Windows\System32\VfMBsom.exe
  C:\Windows\System32\VfMBsom.exe
  2⤵
  PID:13224
- C:\Windows\System32\mpzNcha.exe
  C:\Windows\System32\mpzNcha.exe
  2⤵
  PID:13284
- C:\Windows\System32\uWPzMbQ.exe
  C:\Windows\System32\uWPzMbQ.exe
  2⤵
  PID:12296
- C:\Windows\System32\DsDrWho.exe
  C:\Windows\System32\DsDrWho.exe
  2⤵
  PID:12336
- C:\Windows\System32\umbhTfx.exe
  C:\Windows\System32\umbhTfx.exe
  2⤵
  PID:12364
- C:\Windows\System32\jBKrVkg.exe
  C:\Windows\System32\jBKrVkg.exe
  2⤵
  PID:12436

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ApoJGaz.exe

Filesize
1.8MB

MD5
e25d5340f0fe1ebb6f40ef0ca2bb7a36

SHA1
8f632d6eefb81be8becfa469cb45e841185e2cc4

SHA256
76f302db8893d57e7c780472bc6b3719d0763555088f53b4b4a39609ff592ff2

SHA512
c493d2d0106bf1d7abb0b07ab50474db5feae08116b340ec8b300aaa5246ab1d14b934ffbfed31e4bd9b2e8aa139ac5f63eabe2d1073b998fb450c1d2324b075

Download Submit
C:\Windows\System32\GJymWRP.exe

Filesize
1.8MB

MD5
e425e618a82f049827415974a3bf62ee

SHA1
efba4c42872e4b38cf38820ad7cb2ec01eb8312e

SHA256
908b3b7adbc4f1aa68dd094f81e50c25112eae61f368981edb9576831e283655

SHA512
9332a7d591982f5aa2ed176a86ce4cce62b0b6649a6b7d05ffe6b25589dd89bf28b047f79c35f5c4895d1eb9c7350bb58d50e68576081655d35b89b9d8b3bccb

Download Submit
C:\Windows\System32\HebOWXn.exe

Filesize
1.8MB

MD5
a60a71db2691ab475773642fc0acac71

SHA1
31794391fed97c6126e24f21df34efcfbea0d84a

SHA256
af50699a4f4cff45519e11c7c9035b8b1456cb1f3f435cbd7b8f17fe10375970

SHA512
1c8e7e2b05448852c385e43a5a6a37495a55422e9d88ceeea3b653acdbe81a3bbf06403ea5f20b2332e75331f4f8aed66961effa8caeda14e6a13f20f537a46a

Download Submit
C:\Windows\System32\JPgRhmU.exe

Filesize
1.8MB

MD5
ba456440893c91f518165d6cf7a83104

SHA1
27b0bfbb7029e618146ee7f43dc1e2608eb81bf1

SHA256
04e72ba07c143435429b18d4c234a5113f6a7fa08bc28afdadf03308e798f31c

SHA512
3e09e2b94c8623d51066c28db565ccad1fb2afdeaa9db0630e02cdd83b0524dec5b7af713ed89fd318fdf3f7f863c0f6b226778cebcbac6a7c9528e51b7dc2fb

Download Submit
C:\Windows\System32\LfsJkaX.exe

Filesize
1.8MB

MD5
349c8518513b7744c6cb01550d09a429

SHA1
7f53970f267359a01277b8e982ba8d0ddd01d899

SHA256
1a544bdde5d077193e13bc02ce7110aa3bc1fa60cb9b7eb924d79221746338ad

SHA512
10578e10e9c7f7835ac355b10482bfb163c7645b010e107d1b923a3f08fe389a0713e1cadeda983ded8cc39e18790c7daaa13f8a0ba56bac1bb5c0d01e5e41c1

Download Submit
C:\Windows\System32\ODTzEkm.exe

Filesize
1.8MB

MD5
41c6c583e5f1ac1e4dc2550b8bf37532

SHA1
83494c3fdfe3139a3ee723a46bff57cff18dc55f

SHA256
40d7a90cd86f44955218f31d7d43fef4ba683d51f61b352294ed70410b034ae5

SHA512
16ae10da2723ccefcafd15274bd87f530a0934b022c2ba1720ac2ba5875734a714a1e2e54622b6a3f72c71f73046f0a03d16ad601574e3659028889669640373

Download Submit
C:\Windows\System32\OjCOlYQ.exe

Filesize
1.8MB

MD5
5b4e8258675144a267ed693fcb61f482

SHA1
411422ed915f9ef5791df4f431fc98ef060a399c

SHA256
feb06281e089bd329093c52d946c92091d0da16e83bb08f22e34a9c0b782bc88

SHA512
03045e1e926652430eb69c238eda8073686d21a959f465bc822aec9a974f2457793be11cd908bdb0a9c8f0cdc433e8213fcbac8ed73b6aa1d1c06b15517cd835

Download Submit
C:\Windows\System32\OmjGTBW.exe

Filesize
1.8MB

MD5
b6e22349193d4a8fafbc42c92a9d0c0f

SHA1
74576b27ca6b8edc3ea37075cec1435c2dd8cf21

SHA256
744de85e28ff34105277a23728689e60c9263a38a763331874679243b94b206b

SHA512
b7190bd3df50b3321639f6a34f92e39245843931b144c4c44161474d78a6367130fbe1d218586d9494cdcadebc1777f079d5f3b26ed26fd20663499b7e5631e8

Download Submit
C:\Windows\System32\QAUieZG.exe

Filesize
1.8MB

MD5
1077fe41216e9b38504ef3af04c60be2

SHA1
a5217376992d5f0d7bebec0615e69cd6cf67cdd0

SHA256
5d319e0cab13013b1c97168de2c3f397f7510a822ed0b3876c3d3f010f81f8c0

SHA512
8d6b244b7e8613190d7bcfe99037fb52c50b15bb8eb45f8994df9cee4cd2222359ad85013f895ca83404fdfdb47e24f383faa0a2dba96398cc8d52c9e684ece5

Download Submit
C:\Windows\System32\QiTyTlF.exe

Filesize
1.8MB

MD5
0efcfc21dabe3e5183eb80f129a8c2de

SHA1
7d9bcc336326cdd00043c6ec15b4d4a2938456bb

SHA256
6c74a80efa4bd7053c241639e28493850528396ab112714277af0c1a06414ba5

SHA512
3f50ad37e78fe5dc91cd41fcbad3c45a7907e1d7f2c127a3b9f8384eaa6d4731da72b77dd9698b9aeda21f61473b37e74d6e339e40f3828747820fe1ba79955e

Download Submit
C:\Windows\System32\SIyZLrq.exe

Filesize
1.8MB

MD5
b1108425ef9a425ded25ca4f9c39e1f2

SHA1
3241b5809418f94dc06e1fa3f67d4f3a4945645a

SHA256
c9c4e1bd8cab776a39c73a8722a8649c1b9a794924915355662ebb6d91119ef4

SHA512
ddfab1b92170878d85f47e5cf1722e4838ee9a44a30bb29235a54c203cf83f6fb5a6542879e2ba9874ffbb979dd8b0eb2148a1d7caa72698b33cda4fc1bcf148

Download Submit
C:\Windows\System32\SaNtFbi.exe

Filesize
1.8MB

MD5
90d74d4047e6592764f6509257e9092d

SHA1
c875523d1f8fd47f9055cc347b282c314ddc7e31

SHA256
e7fd035f4f1879f0541a6536b1891ab7ee8425de43b4f26fed7503218bdf7f74

SHA512
a44b0cf0604764df049c124cef7f344ac0318a0fb5f8c23ed35c5733807e1cc811e196ca6e3521a3f6499a54b9cb6ef5c327b18abcb02fce8e02d43d0b2be2f9

Download Submit
C:\Windows\System32\SshUhYy.exe

Filesize
1.8MB

MD5
9201c17b1362626fe1d9228aaf8c0c75

SHA1
f322bec3e7252c1a44d3293e87dd69f0a77787a5

SHA256
a32a2e11321c5859f7d7451ec7f30668f3bed10474ce183831994a5cc2924199

SHA512
29ce8fa50a5652e14e5ad48f5e664fcfc000eda462933745095882ec71f4bd756ae32e34682f7501d2e754f3a6c8c31a7b3b739c241fdbd4f514b64e02675344

Download Submit
C:\Windows\System32\SwCSWLY.exe

Filesize
1.8MB

MD5
6e1361bd293c92196acd632e03b091c8

SHA1
594287cadda93ddd9b7daa499f829d39db423b96

SHA256
a84b17a6d9f0d69c14d089a7fa0af4890dc9a6f7298080f2188edbffce7339d3

SHA512
93460d3b6e0b27aeda15a0925682449cc18dbd9d3332ccdf2e823bb78b563221ece46ef75fd396afef702d2900c80b7cf6bfc907af8d1039cee460c6b7efd18c

Download Submit
C:\Windows\System32\TuUszpU.exe

Filesize
1.8MB

MD5
36050c4c182147efd9169eb495ce2d89

SHA1
5175395be1f2f90d7dcea8d7e71cc427dc2cbf4d

SHA256
8fd2b7acf8fa993ba5fa569c531935cc697cbc512f41ae932d0e7f2e6f5981cb

SHA512
1053ab0b06d5afb53091df45276d6e3bfb8b6b98535741f6e30d4e614787c0960fb29219d948441779c1b1faa9cc45bdbee01f8739cce1d846c557f7626ebbc8

Download Submit
C:\Windows\System32\UEXCJCw.exe

Filesize
1.8MB

MD5
59ad270634533b2026ec0c3e7bc9c750

SHA1
8ae69da752027d237f5470a33eb4ff40076eb80b

SHA256
8db4129e6d82a66af6c2161322406b9e4f2807bd11f7e4103317bda8d9f03d52

SHA512
f92a692d5ac164332ef7e3744298c81ae14faff0301cd3efa1d70363672ba50aad1d91cc1701b52dd8b9ff4bd36e1ab490bfe77c17311599f8cd069e1e37b029

Download Submit
C:\Windows\System32\UJDjvHz.exe

Filesize
1.8MB

MD5
d38ec3a7e91b6ea2d8909f7e698ba4b6

SHA1
337b73247bc9791f1281504653ab6101c48c61a4

SHA256
634779da5bf567f31b654a530a3f1b0f6c23c6661d4c6614878918330a0ae032

SHA512
d84ab78fb54fa6e17565410684e91a4a3ce5c4b5980fd76514b02986b00ba2adebb24c1401f0b87e0cd17169a586e21a4cd6ca87662695f3698435189f1910cc

Download Submit
C:\Windows\System32\UYChFYI.exe

Filesize
1.8MB

MD5
2eb1c51f9cd68cd74818da52b7c496b9

SHA1
99decfa35228b12bce622ea503de965dda678305

SHA256
8092683d275d55b68d743e24ffa6c81374115508bed0dd63e780d6ebe54b1d6a

SHA512
3910880ca1f2f82ff5420d3df998daba189277de3cce0c0d8f9c21f8e90e197a5657696d7c5c3a7698ea79eb3d97730375b281a4e5a727cfdaefe7425cbd6779

Download Submit
C:\Windows\System32\WWmoKoJ.exe

Filesize
1.8MB

MD5
cc2dd5e2cdf335a317847ad1747bda34

SHA1
7e3b12a915b616ac0aee932ec17325319da99e5d

SHA256
896388141f286876c2cd9b329d0acb5b8719e6afef51ae51ac6bf9b4594be8fe

SHA512
0de5dc305d7e2b5d148628a0c2ac56a6544161dc52162ffb6f270522ea001fa2de6d65706f9f02c6cd79998ccb56a8e8450ba257bc72db503b898c6baf963bb5

Download Submit
C:\Windows\System32\ZsSiwSN.exe

Filesize
1.8MB

MD5
bd1e13f956f5d869f1b5df48adb8d71c

SHA1
581a7b23add78db3a4ee7263e477de332dc41915

SHA256
72a1825e9857d4d203aec5f88e4a60356a9e10eda78d93ec39a467ac2d4ae25d

SHA512
e46a6d228e0188e3bcc30fde7b74d10926c08205336483a72517d8769478efe8cd10dcdc889d065a2b887b5c4041b305bb81b577d48254de2fa0826d26d828c4

Download Submit
C:\Windows\System32\cNWMztv.exe

Filesize
1.8MB

MD5
6a631cdb0d1da9517e63f2f6c25140af

SHA1
3c041004b4532ba1194f8b09bba07dd74d42a1ba

SHA256
74f6812691de3c0abbb40e5f883973ee59c4ef8d6a70c06094de23477e6a375a

SHA512
60eea0d857b84a6965dfc1ef5eb2ff0e115e601950092f30b397caf1acaada97d4d65683de4244fd3fab9ddab3b8e59df1fbb07423605a1a0263e8775863a998

Download Submit
C:\Windows\System32\cVIxhjC.exe

Filesize
1.8MB

MD5
0b01cb8808f542c5c3f2667a8fe1e72f

SHA1
9946ba2c898a78a3a87e5540c4476845a6ac1402

SHA256
81b472e2a78b675c9c86ed25cca38a4aaf1b0f1f6159b642cd04f050e80f34c8

SHA512
414bdd1873933f3a5d86dd3b558a27a0f004049b185135050b13ba970520cf11dbb5175eade9992caaf4cfcf73024bb7eac1f65c251b8e054551014f36f9d4c4

Download Submit
C:\Windows\System32\dYWEpoo.exe

Filesize
1.8MB

MD5
0212f0e008718702c8032af895b0c3a1

SHA1
1b742b0333e85e2a664bf00142142eecd933654b

SHA256
8e60b927d3879ae3d32c0fc67d117fb9a4ac2a14504d387ba3557cc6652ac19b

SHA512
5a0908c671e76c28f0b04a664843a7c2076ac0c597e1c13c2bd26b147e6d2d687d43b5e2637bd18feea1d0d06c8985dec5823fac3790309d02350592310c1525

Download Submit
C:\Windows\System32\kymiBNO.exe

Filesize
1.8MB

MD5
0fc06165ff27f511b1fb95e039779ae1

SHA1
f30ad7ef25de39a6e0b784f2a4dd85391b7578ba

SHA256
d6bbe5f351ae95018f988cbc23abd1d32ca647d80a424e104ae0557975daa2d5

SHA512
1d9df5929822140980cd55eb02becab1c13a73eb77b49d4742dcabfa97f3de237b079f5342e5187ba24bac81ba71ae88212f25177f50a93051e21ee2417329ec

Download Submit
C:\Windows\System32\qIwGSiF.exe

Filesize
1.8MB

MD5
445d9726709edb39e14231bae4c76461

SHA1
0f2d0e1c81b8f9038fee38804bf61935db8f61fc

SHA256
8e4bd46684b534736037c2762d3d7e8ff4081d657b007b38baf2de35957f44ce

SHA512
1e2c2a2fc537412749a5991d83598cbee20f86f6a4b259c21e70dc8a7abbef9681823309e10e9adc9cd123a3aec26a2d360ee210188ac2f3a76344bda5d4956a

Download Submit
C:\Windows\System32\rFaGnaR.exe

Filesize
1.8MB

MD5
c457ffa29815ff2621408b803b0de26b

SHA1
1d3fa7041cfe273ca2181a7359bc50faf96ffeda

SHA256
219120970fee0360f4c24356fa8782a6731714552e4c268642d38a4667523c5e

SHA512
f60305a669949194ec80fdefdd671537a01573b9d7c98249fa74a7a3969cb2226da07106ab976745d4f328a7651c5faa9800795d5bec642728d4891d76eb9174

Download Submit
C:\Windows\System32\swpyMsL.exe

Filesize
1.8MB

MD5
33aea8906427a1b1e6fcaa4a86e433a7

SHA1
6e86d8fd10a44f8832f6327f0db9bdd9237b5d0d

SHA256
8a9bc2d8023d83c3a91d831b95849ee807e61509352378413f7560080669cd7f

SHA512
c3bff8b6d2ac127bacb3cf0c32f6a5e50046664ceae8d0f75223260b374b817be773fabbf7bc0826dfadea1b62970664f05b8fa5a6811da59e4d4346f21516ab

Download Submit
C:\Windows\System32\toOeCjG.exe

Filesize
1.8MB

MD5
b56556b19001399fd100fe30ee2eae66

SHA1
f9f81051a351cbbacc5b8db0076d8f69f4a121f7

SHA256
1982425f1e059dcd8d6a59ea6adb1e8dd12b6d5d817455d47f8dc66ebdf83f55

SHA512
04a8f913a5e21106918b9e00009cafb28ac9236a5b2dae94b3c176da290f6957bd749ba0aa24ebab0a605524b55027e2d78d014ad7d88b1c7bb78f15302490e9

Download Submit
C:\Windows\System32\uUGfOUD.exe

Filesize
1.8MB

MD5
fe0868324fac3b75373909336dfe6c48

SHA1
0ce047b658dec0fc84e7503c653a4e1fb1515a33

SHA256
633bc215f893efb9fadbd224dfe7713c2f8a4ca5fa5c116fcd67c8318bafa4e5

SHA512
f8981ca4319812851b5b7c15e4e0099edef87b3f299a6473f09ba819a6db17702f91f2942896f51088c025c1a153664d1e8922c49295dd21479137ffa81eb174

Download Submit
C:\Windows\System32\vhRjehC.exe

Filesize
1.8MB

MD5
24d52747b33990a9bd887c2b9336b67f

SHA1
1c75392bc62626ca962d10c035febf7dd779c1ca

SHA256
2bb746231f9034017a93ce26efdf34418857226bebf7d21818562526af6e20fe

SHA512
b1bfdd4b02fa801316249d74030a2ac4f9278da5323718bf0b3dc4209cf7f9587696d3e84e0c4cebe51c5dd300f66753b3c10f27dd937692c91d0328dac62feb

Download Submit
C:\Windows\System32\xDoUoIy.exe

Filesize
1.8MB

MD5
61c4a18ed5d0a0d65ca079ac694718e3

SHA1
cb7f1437c84df8b37f10abc07a12ab9b82f1e161

SHA256
460d84155b9622ba58c681830048a1801b670c1e355bb3a050fc2e7b97e91093

SHA512
1094c30e98467bdbb12bec0f7c334717cae1c205e32d4255f1c2769efc2e1cf490f608bd9da829e8f13fb09d4388c33ca3032ea15972fa7bfaf98836b88342dd

Download Submit
C:\Windows\System32\yOiJapw.exe

Filesize
1.8MB

MD5
3fa628553b68323a51a6c87e91508006

SHA1
432d1545edef8393f598a607dca20404f96f9514

SHA256
af9c40261d0e21b767b8f44a53e269e1570bf6f134c1e7eef7c3ce0a1d308864

SHA512
f813e01cdf6fdbc9c6091aeebab5e2723f988e9d96be7077e0a7399ad3809531a6f5742fa69344f795ea6dbdac7ef4d25dc6b3a524ed9e9846ecc3d001abb7ca

Download Submit
C:\Windows\System32\ycUrXDk.exe

Filesize
1.8MB

MD5
48edcc318eab9df899f0bbfd7ef12962

SHA1
1cd03546c0412ee8501bb6d85033bec648abb11e

SHA256
24014843f5ab1ce0d09ccdbb52d32b212b57247a8f448536e0ecf8af72d8c3cc

SHA512
2e92d22bffd2f51306e8b075d1989ff760d0e6f7ea2b632654bbf1dec619c3051fe0b8ee020846be1555a62de26583d63f3b968ad5c023f4ac423839ebd58ece

Download Submit
memory/228-409-0x00007FF6DACE0000-0x00007FF6DB0D1000-memory.dmp

Filesize
3.9MB

Download
memory/228-2087-0x00007FF6DACE0000-0x00007FF6DB0D1000-memory.dmp

Filesize
3.9MB

Download
memory/756-2059-0x00007FF664310000-0x00007FF664701000-memory.dmp

Filesize
3.9MB

Download
memory/756-402-0x00007FF664310000-0x00007FF664701000-memory.dmp

Filesize
3.9MB

Download
memory/936-2050-0x00007FF6F8A90000-0x00007FF6F8E81000-memory.dmp

Filesize
3.9MB

Download
memory/936-398-0x00007FF6F8A90000-0x00007FF6F8E81000-memory.dmp

Filesize
3.9MB

Download
memory/968-2080-0x00007FF688360000-0x00007FF688751000-memory.dmp

Filesize
3.9MB

Download
memory/968-407-0x00007FF688360000-0x00007FF688751000-memory.dmp

Filesize
3.9MB

Download
memory/1104-2085-0x00007FF79D360000-0x00007FF79D751000-memory.dmp

Filesize
3.9MB

Download
memory/1104-408-0x00007FF79D360000-0x00007FF79D751000-memory.dmp

Filesize
3.9MB

Download
memory/1520-7-0x00007FF60F430000-0x00007FF60F821000-memory.dmp

Filesize
3.9MB

Download
memory/1520-2032-0x00007FF60F430000-0x00007FF60F821000-memory.dmp

Filesize
3.9MB

Download
memory/1520-1986-0x00007FF60F430000-0x00007FF60F821000-memory.dmp

Filesize
3.9MB

Download
memory/2124-2046-0x00007FF68B460000-0x00007FF68B851000-memory.dmp

Filesize
3.9MB

Download
memory/2124-395-0x00007FF68B460000-0x00007FF68B851000-memory.dmp

Filesize
3.9MB

Download
memory/2144-403-0x00007FF7ACAB0000-0x00007FF7ACEA1000-memory.dmp

Filesize
3.9MB

Download
memory/2144-2064-0x00007FF7ACAB0000-0x00007FF7ACEA1000-memory.dmp

Filesize
3.9MB

Download
memory/2148-2038-0x00007FF60A850000-0x00007FF60AC41000-memory.dmp

Filesize
3.9MB

Download
memory/2148-33-0x00007FF60A850000-0x00007FF60AC41000-memory.dmp

Filesize
3.9MB

Download
memory/3048-34-0x00007FF764A60000-0x00007FF764E51000-memory.dmp

Filesize
3.9MB

Download
memory/3048-2040-0x00007FF764A60000-0x00007FF764E51000-memory.dmp

Filesize
3.9MB

Download
memory/3048-2004-0x00007FF764A60000-0x00007FF764E51000-memory.dmp

Filesize
3.9MB

Download
memory/3052-2036-0x00007FF7FBB90000-0x00007FF7FBF81000-memory.dmp

Filesize
3.9MB

Download
memory/3052-21-0x00007FF7FBB90000-0x00007FF7FBF81000-memory.dmp

Filesize
3.9MB

Download
memory/3052-2003-0x00007FF7FBB90000-0x00007FF7FBF81000-memory.dmp

Filesize
3.9MB

Download
memory/3252-0-0x00007FF625560000-0x00007FF625951000-memory.dmp

Filesize
3.9MB

Download
memory/3252-1-0x0000017FF0870000-0x0000017FF0880000-memory.dmp

Filesize
64KB

Download
memory/3288-2048-0x00007FF700680000-0x00007FF700A71000-memory.dmp

Filesize
3.9MB

Download
memory/3288-396-0x00007FF700680000-0x00007FF700A71000-memory.dmp

Filesize
3.9MB

Download
memory/3332-401-0x00007FF6CADA0000-0x00007FF6CB191000-memory.dmp

Filesize
3.9MB

Download
memory/3332-2062-0x00007FF6CADA0000-0x00007FF6CB191000-memory.dmp

Filesize
3.9MB

Download
memory/3348-2005-0x00007FF7AC430000-0x00007FF7AC821000-memory.dmp

Filesize
3.9MB

Download
memory/3348-39-0x00007FF7AC430000-0x00007FF7AC821000-memory.dmp

Filesize
3.9MB

Download
memory/3348-2042-0x00007FF7AC430000-0x00007FF7AC821000-memory.dmp

Filesize
3.9MB

Download
memory/3864-2002-0x00007FF75C2D0000-0x00007FF75C6C1000-memory.dmp

Filesize
3.9MB

Download
memory/3864-2034-0x00007FF75C2D0000-0x00007FF75C6C1000-memory.dmp

Filesize
3.9MB

Download
memory/3864-15-0x00007FF75C2D0000-0x00007FF75C6C1000-memory.dmp

Filesize
3.9MB

Download
memory/4112-400-0x00007FF7C1470000-0x00007FF7C1861000-memory.dmp

Filesize
3.9MB

Download
memory/4112-2052-0x00007FF7C1470000-0x00007FF7C1861000-memory.dmp

Filesize
3.9MB

Download
memory/4396-397-0x00007FF725F20000-0x00007FF726311000-memory.dmp

Filesize
3.9MB

Download
memory/4396-2054-0x00007FF725F20000-0x00007FF726311000-memory.dmp

Filesize
3.9MB

Download
memory/4504-2083-0x00007FF7B4380000-0x00007FF7B4771000-memory.dmp

Filesize
3.9MB

Download
memory/4504-420-0x00007FF7B4380000-0x00007FF7B4771000-memory.dmp

Filesize
3.9MB

Download
memory/4548-2068-0x00007FF671550000-0x00007FF671941000-memory.dmp

Filesize
3.9MB

Download
memory/4548-416-0x00007FF671550000-0x00007FF671941000-memory.dmp

Filesize
3.9MB

Download
memory/4560-2066-0x00007FF793170000-0x00007FF793561000-memory.dmp

Filesize
3.9MB

Download
memory/4560-404-0x00007FF793170000-0x00007FF793561000-memory.dmp

Filesize
3.9MB

Download
memory/4568-406-0x00007FF7D1640000-0x00007FF7D1A31000-memory.dmp

Filesize
3.9MB

Download
memory/4568-2058-0x00007FF7D1640000-0x00007FF7D1A31000-memory.dmp

Filesize
3.9MB

Download
memory/4844-405-0x00007FF64A440000-0x00007FF64A831000-memory.dmp

Filesize
3.9MB

Download
memory/4844-2061-0x00007FF64A440000-0x00007FF64A831000-memory.dmp

Filesize
3.9MB

Download
memory/4916-2044-0x00007FF60EF60000-0x00007FF60F351000-memory.dmp

Filesize
3.9MB

Download
memory/4916-399-0x00007FF60EF60000-0x00007FF60F351000-memory.dmp

Filesize
3.9MB

Download
memory/5032-2078-0x00007FF7DAA00000-0x00007FF7DADF1000-memory.dmp

Filesize
3.9MB

Download
memory/5032-438-0x00007FF7DAA00000-0x00007FF7DADF1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads