xmrig | 06d08288746bc7849071b302097d724fbb7c36052c9825228f4ccf2bc0f645bf

Analysis

max time kernel
105s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b90af737beed084cb594af593e9c8b20N.exe
Size

1.3MB
MD5

b90af737beed084cb594af593e9c8b20
SHA1

ef148dc708242d814223caa313502483b053646b
SHA256

06d08288746bc7849071b302097d724fbb7c36052c9825228f4ccf2bc0f645bf
SHA512

6d5784b1769a41f32df5869cda97004732d95a00d78c2738571d82af6e69f4f065cd69b4e8baba836a133cecac68cadef7e48fc40be011a348938abdeda8c4b0
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlOqzJO0Rb8bodJj82hokiS2D50zaq7:knw9oUUEEDlOuJPHjlPiS6477

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral2/memory/3208-413-0x00007FF6AC240000-0x00007FF6AC631000-memory.dmp	xmrig
behavioral2/memory/672-418-0x00007FF66D8A0000-0x00007FF66DC91000-memory.dmp	xmrig
behavioral2/memory/4432-424-0x00007FF6CAFF0000-0x00007FF6CB3E1000-memory.dmp	xmrig
behavioral2/memory/464-421-0x00007FF751D20000-0x00007FF752111000-memory.dmp	xmrig
behavioral2/memory/4824-28-0x00007FF729DD0000-0x00007FF72A1C1000-memory.dmp	xmrig
behavioral2/memory/1624-431-0x00007FF61ACC0000-0x00007FF61B0B1000-memory.dmp	xmrig
behavioral2/memory/224-435-0x00007FF796AE0000-0x00007FF796ED1000-memory.dmp	xmrig
behavioral2/memory/1864-437-0x00007FF7480F0000-0x00007FF7484E1000-memory.dmp	xmrig
behavioral2/memory/5020-447-0x00007FF6DB660000-0x00007FF6DBA51000-memory.dmp	xmrig
behavioral2/memory/4356-460-0x00007FF7E3940000-0x00007FF7E3D31000-memory.dmp	xmrig
behavioral2/memory/4812-467-0x00007FF6C5A50000-0x00007FF6C5E41000-memory.dmp	xmrig
behavioral2/memory/2644-454-0x00007FF757400000-0x00007FF7577F1000-memory.dmp	xmrig
behavioral2/memory/4224-480-0x00007FF76EFE0000-0x00007FF76F3D1000-memory.dmp	xmrig
behavioral2/memory/4436-488-0x00007FF6B2D70000-0x00007FF6B3161000-memory.dmp	xmrig
behavioral2/memory/956-489-0x00007FF769150000-0x00007FF769541000-memory.dmp	xmrig
behavioral2/memory/4228-500-0x00007FF66D3F0000-0x00007FF66D7E1000-memory.dmp	xmrig
behavioral2/memory/668-477-0x00007FF76D560000-0x00007FF76D951000-memory.dmp	xmrig
behavioral2/memory/1188-827-0x00007FF7E95E0000-0x00007FF7E99D1000-memory.dmp	xmrig
behavioral2/memory/3764-1110-0x00007FF656720000-0x00007FF656B11000-memory.dmp	xmrig
behavioral2/memory/3992-1116-0x00007FF6EC980000-0x00007FF6ECD71000-memory.dmp	xmrig
behavioral2/memory/4736-1113-0x00007FF728E70000-0x00007FF729261000-memory.dmp	xmrig
behavioral2/memory/5096-1337-0x00007FF7C56D0000-0x00007FF7C5AC1000-memory.dmp	xmrig
behavioral2/memory/3556-1340-0x00007FF7F1AF0000-0x00007FF7F1EE1000-memory.dmp	xmrig
behavioral2/memory/3000-1439-0x00007FF777710000-0x00007FF777B01000-memory.dmp	xmrig
behavioral2/memory/3316-1442-0x00007FF6BC970000-0x00007FF6BCD61000-memory.dmp	xmrig
behavioral2/memory/3764-2147-0x00007FF656720000-0x00007FF656B11000-memory.dmp	xmrig
behavioral2/memory/4736-2149-0x00007FF728E70000-0x00007FF729261000-memory.dmp	xmrig
behavioral2/memory/4824-2151-0x00007FF729DD0000-0x00007FF72A1C1000-memory.dmp	xmrig
behavioral2/memory/3992-2153-0x00007FF6EC980000-0x00007FF6ECD71000-memory.dmp	xmrig
behavioral2/memory/5096-2179-0x00007FF7C56D0000-0x00007FF7C5AC1000-memory.dmp	xmrig
behavioral2/memory/3316-2183-0x00007FF6BC970000-0x00007FF6BCD61000-memory.dmp	xmrig
behavioral2/memory/4228-2185-0x00007FF66D3F0000-0x00007FF66D7E1000-memory.dmp	xmrig
behavioral2/memory/3208-2187-0x00007FF6AC240000-0x00007FF6AC631000-memory.dmp	xmrig
behavioral2/memory/672-2189-0x00007FF66D8A0000-0x00007FF66DC91000-memory.dmp	xmrig
behavioral2/memory/3000-2181-0x00007FF777710000-0x00007FF777B01000-memory.dmp	xmrig
behavioral2/memory/1864-2219-0x00007FF7480F0000-0x00007FF7484E1000-memory.dmp	xmrig
behavioral2/memory/1624-2223-0x00007FF61ACC0000-0x00007FF61B0B1000-memory.dmp	xmrig
behavioral2/memory/224-2221-0x00007FF796AE0000-0x00007FF796ED1000-memory.dmp	xmrig
behavioral2/memory/668-2212-0x00007FF76D560000-0x00007FF76D951000-memory.dmp	xmrig
behavioral2/memory/4356-2216-0x00007FF7E3940000-0x00007FF7E3D31000-memory.dmp	xmrig
behavioral2/memory/4812-2214-0x00007FF6C5A50000-0x00007FF6C5E41000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3764	DFVEndF.exe
4736	dByDmrb.exe
4824	HCzfnOG.exe
5096	DKnFfcu.exe
3992	vojsMOM.exe
3556	lRiNdar.exe
3000	hCgrovu.exe
3316	vGkFmDw.exe
4228	KQJPesB.exe
3208	JmlrTRA.exe
672	oJXEQYN.exe
464	NuJuhSY.exe
4432	ZSUNfDs.exe
1624	MaCxrmb.exe
224	ILiPVmN.exe
1864	FHhtkdw.exe
5020	tOVNamy.exe
2644	GmkFazh.exe
4356	XizZIHZ.exe
4812	eEbMGYq.exe
668	oDGaBOy.exe
4224	UzreiZx.exe
4436	MWdmdbi.exe
956	rWxmbrC.exe
4564	BRcNTVU.exe
1204	iCkvMoz.exe
5076	QXOmIlo.exe
1028	aEybkMX.exe
3692	kuvlcGk.exe
4132	bbKXBLc.exe
2808	hjOpqGM.exe
1824	RQxxDqB.exe
3744	wYrNVlz.exe
2416	iVocrnI.exe
1672	eoFAVUF.exe
4368	EikBISd.exe
4552	QUOTfhA.exe
4340	etgzXBo.exe
1896	EmXVUsB.exe
2256	YMMTxZe.exe
4180	QDbQxaa.exe
3252	wCOqHiP.exe
5012	EKmkiNM.exe
3568	mLyYExz.exe
3720	wFukahN.exe
4780	SdQtUoz.exe
2056	dCLLeap.exe
4652	BLeQPzq.exe
4312	TILOSGX.exe
4956	LFtgAxy.exe
1848	fLOsLGm.exe
4712	ARgZuHR.exe
2340	elwclXw.exe
2864	OzijtUZ.exe
5104	zkgSinQ.exe
4868	MPIOxBv.exe
3260	xtIOJkM.exe
2352	sDUAhOf.exe
3204	fdjbfLh.exe
3068	VJRVsIY.exe
2128	oIwlbpA.exe
3540	dsVAXoQ.exe
1732	OvfgojL.exe
2792	RihHUCI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1188-0-0x00007FF7E95E0000-0x00007FF7E99D1000-memory.dmp	upx
behavioral2/files/0x00090000000233f7-11.dat	upx
behavioral2/memory/3764-10-0x00007FF656720000-0x00007FF656B11000-memory.dmp	upx
behavioral2/files/0x0008000000023455-13.dat	upx
behavioral2/files/0x000700000002345b-25.dat	upx
behavioral2/files/0x000700000002345c-29.dat	upx
behavioral2/memory/5096-32-0x00007FF7C56D0000-0x00007FF7C5AC1000-memory.dmp	upx
behavioral2/memory/3000-44-0x00007FF777710000-0x00007FF777B01000-memory.dmp	upx
behavioral2/files/0x000700000002345e-51.dat	upx
behavioral2/files/0x0007000000023460-56.dat	upx
behavioral2/files/0x0007000000023461-60.dat	upx
behavioral2/files/0x0007000000023462-65.dat	upx
behavioral2/files/0x0007000000023463-77.dat	upx
behavioral2/files/0x0007000000023468-96.dat	upx
behavioral2/files/0x000700000002346a-105.dat	upx
behavioral2/files/0x000700000002346b-117.dat	upx
behavioral2/files/0x0007000000023472-152.dat	upx
behavioral2/memory/3208-413-0x00007FF6AC240000-0x00007FF6AC631000-memory.dmp	upx
behavioral2/memory/672-418-0x00007FF66D8A0000-0x00007FF66DC91000-memory.dmp	upx
behavioral2/files/0x0007000000023477-170.dat	upx
behavioral2/files/0x0007000000023475-167.dat	upx
behavioral2/files/0x0007000000023476-165.dat	upx
behavioral2/files/0x0007000000023474-162.dat	upx
behavioral2/files/0x0007000000023473-157.dat	upx
behavioral2/files/0x0007000000023471-144.dat	upx
behavioral2/files/0x0007000000023470-142.dat	upx
behavioral2/memory/4432-424-0x00007FF6CAFF0000-0x00007FF6CB3E1000-memory.dmp	upx
behavioral2/memory/464-421-0x00007FF751D20000-0x00007FF752111000-memory.dmp	upx
behavioral2/files/0x000700000002346f-135.dat	upx
behavioral2/files/0x000700000002346e-132.dat	upx
behavioral2/files/0x000700000002346d-127.dat	upx
behavioral2/files/0x000700000002346c-122.dat	upx
behavioral2/files/0x0007000000023469-107.dat	upx
behavioral2/files/0x0007000000023467-95.dat	upx
behavioral2/files/0x0007000000023466-92.dat	upx
behavioral2/files/0x0007000000023465-87.dat	upx
behavioral2/files/0x0007000000023464-82.dat	upx
behavioral2/files/0x000700000002345f-54.dat	upx
behavioral2/files/0x000700000002345d-50.dat	upx
behavioral2/memory/3316-47-0x00007FF6BC970000-0x00007FF6BCD61000-memory.dmp	upx
behavioral2/memory/3556-38-0x00007FF7F1AF0000-0x00007FF7F1EE1000-memory.dmp	upx
behavioral2/memory/3992-31-0x00007FF6EC980000-0x00007FF6ECD71000-memory.dmp	upx
behavioral2/files/0x000700000002345a-33.dat	upx
behavioral2/memory/4824-28-0x00007FF729DD0000-0x00007FF72A1C1000-memory.dmp	upx
behavioral2/memory/4736-27-0x00007FF728E70000-0x00007FF729261000-memory.dmp	upx
behavioral2/files/0x0007000000023459-21.dat	upx
behavioral2/memory/1624-431-0x00007FF61ACC0000-0x00007FF61B0B1000-memory.dmp	upx
behavioral2/memory/224-435-0x00007FF796AE0000-0x00007FF796ED1000-memory.dmp	upx
behavioral2/memory/1864-437-0x00007FF7480F0000-0x00007FF7484E1000-memory.dmp	upx
behavioral2/memory/5020-447-0x00007FF6DB660000-0x00007FF6DBA51000-memory.dmp	upx
behavioral2/memory/4356-460-0x00007FF7E3940000-0x00007FF7E3D31000-memory.dmp	upx
behavioral2/memory/4812-467-0x00007FF6C5A50000-0x00007FF6C5E41000-memory.dmp	upx
behavioral2/memory/2644-454-0x00007FF757400000-0x00007FF7577F1000-memory.dmp	upx
behavioral2/memory/4224-480-0x00007FF76EFE0000-0x00007FF76F3D1000-memory.dmp	upx
behavioral2/memory/4436-488-0x00007FF6B2D70000-0x00007FF6B3161000-memory.dmp	upx
behavioral2/memory/956-489-0x00007FF769150000-0x00007FF769541000-memory.dmp	upx
behavioral2/memory/4228-500-0x00007FF66D3F0000-0x00007FF66D7E1000-memory.dmp	upx
behavioral2/memory/668-477-0x00007FF76D560000-0x00007FF76D951000-memory.dmp	upx
behavioral2/memory/1188-827-0x00007FF7E95E0000-0x00007FF7E99D1000-memory.dmp	upx
behavioral2/memory/3764-1110-0x00007FF656720000-0x00007FF656B11000-memory.dmp	upx
behavioral2/memory/3992-1116-0x00007FF6EC980000-0x00007FF6ECD71000-memory.dmp	upx
behavioral2/memory/4736-1113-0x00007FF728E70000-0x00007FF729261000-memory.dmp	upx
behavioral2/memory/5096-1337-0x00007FF7C56D0000-0x00007FF7C5AC1000-memory.dmp	upx
behavioral2/memory/3556-1340-0x00007FF7F1AF0000-0x00007FF7F1EE1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\UkhTcAB.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\uJNqLUi.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\DcSsXSv.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\iXmucrh.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\WFnCMzf.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\HGWQvGK.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\TFdSVIa.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\PpYmuIg.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\plVInFG.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\nkkYiLg.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\kJVMtWs.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\UHrTobY.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\MHJagDr.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\bbKXBLc.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\rhZMDAZ.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\KFRSgRs.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\ILiPVmN.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\qvozqKZ.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\ureYIYc.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\sMGyLQC.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\uJFEpJl.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\dIQYmGt.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\aZOvtYI.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\iUUZZus.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\oiaEamD.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\DKFoiQY.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\HmqtHxL.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\gEOVrSz.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\oikPGSq.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\tjVePFH.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\HUXTHZP.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\QrIHDzp.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\MuJOLUT.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\qGTAssw.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\OOfvSHU.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\kImcrjh.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\wYrNVlz.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\nhyaaxz.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\mOmgwSn.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\EwjWDzH.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\Xzkruxh.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\ZYIyiVu.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\yNNmquy.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\GpaZmIa.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\dmoPoBH.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\IBHgFMP.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\VKdWLWP.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\EHSpZLO.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\GluhAFi.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\AcouEAr.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\PsMHOND.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\DVsArBt.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\YNrZGoX.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\ZauFnqA.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\GpcYQyn.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\iWNRaQX.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\ilDIeKS.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\QEhICjH.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\TxwKaVH.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\yyvCrSc.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\VZYYNYi.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\pdpuhcj.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\sqGabwV.exe	b90af737beed084cb594af593e9c8b20N.exe
File created	C:\Windows\System32\ZGFbXVX.exe	b90af737beed084cb594af593e9c8b20N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13400	dwm.exe
Token: SeChangeNotifyPrivilege	13400	dwm.exe
Token: 33	13400	dwm.exe
Token: SeIncBasePriorityPrivilege	13400	dwm.exe
Token: SeShutdownPrivilege	13400	dwm.exe
Token: SeCreatePagefilePrivilege	13400	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3764	1188	b90af737beed084cb594af593e9c8b20N.exe	85
PID 1188 wrote to memory of 3764	1188	b90af737beed084cb594af593e9c8b20N.exe	85
PID 1188 wrote to memory of 4824	1188	b90af737beed084cb594af593e9c8b20N.exe	86
PID 1188 wrote to memory of 4824	1188	b90af737beed084cb594af593e9c8b20N.exe	86
PID 1188 wrote to memory of 4736	1188	b90af737beed084cb594af593e9c8b20N.exe	87
PID 1188 wrote to memory of 4736	1188	b90af737beed084cb594af593e9c8b20N.exe	87
PID 1188 wrote to memory of 5096	1188	b90af737beed084cb594af593e9c8b20N.exe	88
PID 1188 wrote to memory of 5096	1188	b90af737beed084cb594af593e9c8b20N.exe	88
PID 1188 wrote to memory of 3992	1188	b90af737beed084cb594af593e9c8b20N.exe	89
PID 1188 wrote to memory of 3992	1188	b90af737beed084cb594af593e9c8b20N.exe	89
PID 1188 wrote to memory of 3556	1188	b90af737beed084cb594af593e9c8b20N.exe	90
PID 1188 wrote to memory of 3556	1188	b90af737beed084cb594af593e9c8b20N.exe	90
PID 1188 wrote to memory of 3000	1188	b90af737beed084cb594af593e9c8b20N.exe	91
PID 1188 wrote to memory of 3000	1188	b90af737beed084cb594af593e9c8b20N.exe	91
PID 1188 wrote to memory of 3316	1188	b90af737beed084cb594af593e9c8b20N.exe	92
PID 1188 wrote to memory of 3316	1188	b90af737beed084cb594af593e9c8b20N.exe	92
PID 1188 wrote to memory of 4228	1188	b90af737beed084cb594af593e9c8b20N.exe	93
PID 1188 wrote to memory of 4228	1188	b90af737beed084cb594af593e9c8b20N.exe	93
PID 1188 wrote to memory of 3208	1188	b90af737beed084cb594af593e9c8b20N.exe	94
PID 1188 wrote to memory of 3208	1188	b90af737beed084cb594af593e9c8b20N.exe	94
PID 1188 wrote to memory of 672	1188	b90af737beed084cb594af593e9c8b20N.exe	95
PID 1188 wrote to memory of 672	1188	b90af737beed084cb594af593e9c8b20N.exe	95
PID 1188 wrote to memory of 464	1188	b90af737beed084cb594af593e9c8b20N.exe	96
PID 1188 wrote to memory of 464	1188	b90af737beed084cb594af593e9c8b20N.exe	96
PID 1188 wrote to memory of 4432	1188	b90af737beed084cb594af593e9c8b20N.exe	97
PID 1188 wrote to memory of 4432	1188	b90af737beed084cb594af593e9c8b20N.exe	97
PID 1188 wrote to memory of 1624	1188	b90af737beed084cb594af593e9c8b20N.exe	98
PID 1188 wrote to memory of 1624	1188	b90af737beed084cb594af593e9c8b20N.exe	98
PID 1188 wrote to memory of 224	1188	b90af737beed084cb594af593e9c8b20N.exe	99
PID 1188 wrote to memory of 224	1188	b90af737beed084cb594af593e9c8b20N.exe	99
PID 1188 wrote to memory of 1864	1188	b90af737beed084cb594af593e9c8b20N.exe	100
PID 1188 wrote to memory of 1864	1188	b90af737beed084cb594af593e9c8b20N.exe	100
PID 1188 wrote to memory of 5020	1188	b90af737beed084cb594af593e9c8b20N.exe	101
PID 1188 wrote to memory of 5020	1188	b90af737beed084cb594af593e9c8b20N.exe	101
PID 1188 wrote to memory of 2644	1188	b90af737beed084cb594af593e9c8b20N.exe	102
PID 1188 wrote to memory of 2644	1188	b90af737beed084cb594af593e9c8b20N.exe	102
PID 1188 wrote to memory of 4356	1188	b90af737beed084cb594af593e9c8b20N.exe	103
PID 1188 wrote to memory of 4356	1188	b90af737beed084cb594af593e9c8b20N.exe	103
PID 1188 wrote to memory of 4812	1188	b90af737beed084cb594af593e9c8b20N.exe	104
PID 1188 wrote to memory of 4812	1188	b90af737beed084cb594af593e9c8b20N.exe	104
PID 1188 wrote to memory of 668	1188	b90af737beed084cb594af593e9c8b20N.exe	105
PID 1188 wrote to memory of 668	1188	b90af737beed084cb594af593e9c8b20N.exe	105
PID 1188 wrote to memory of 4224	1188	b90af737beed084cb594af593e9c8b20N.exe	106
PID 1188 wrote to memory of 4224	1188	b90af737beed084cb594af593e9c8b20N.exe	106
PID 1188 wrote to memory of 4436	1188	b90af737beed084cb594af593e9c8b20N.exe	107
PID 1188 wrote to memory of 4436	1188	b90af737beed084cb594af593e9c8b20N.exe	107
PID 1188 wrote to memory of 956	1188	b90af737beed084cb594af593e9c8b20N.exe	108
PID 1188 wrote to memory of 956	1188	b90af737beed084cb594af593e9c8b20N.exe	108
PID 1188 wrote to memory of 4564	1188	b90af737beed084cb594af593e9c8b20N.exe	109
PID 1188 wrote to memory of 4564	1188	b90af737beed084cb594af593e9c8b20N.exe	109
PID 1188 wrote to memory of 1204	1188	b90af737beed084cb594af593e9c8b20N.exe	110
PID 1188 wrote to memory of 1204	1188	b90af737beed084cb594af593e9c8b20N.exe	110
PID 1188 wrote to memory of 5076	1188	b90af737beed084cb594af593e9c8b20N.exe	111
PID 1188 wrote to memory of 5076	1188	b90af737beed084cb594af593e9c8b20N.exe	111
PID 1188 wrote to memory of 1028	1188	b90af737beed084cb594af593e9c8b20N.exe	112
PID 1188 wrote to memory of 1028	1188	b90af737beed084cb594af593e9c8b20N.exe	112
PID 1188 wrote to memory of 3692	1188	b90af737beed084cb594af593e9c8b20N.exe	113
PID 1188 wrote to memory of 3692	1188	b90af737beed084cb594af593e9c8b20N.exe	113
PID 1188 wrote to memory of 4132	1188	b90af737beed084cb594af593e9c8b20N.exe	114
PID 1188 wrote to memory of 4132	1188	b90af737beed084cb594af593e9c8b20N.exe	114
PID 1188 wrote to memory of 2808	1188	b90af737beed084cb594af593e9c8b20N.exe	115
PID 1188 wrote to memory of 2808	1188	b90af737beed084cb594af593e9c8b20N.exe	115
PID 1188 wrote to memory of 1824	1188	b90af737beed084cb594af593e9c8b20N.exe	116
PID 1188 wrote to memory of 1824	1188	b90af737beed084cb594af593e9c8b20N.exe	116

C:\Users\Admin\AppData\Local\Temp\b90af737beed084cb594af593e9c8b20N.exe
"C:\Users\Admin\AppData\Local\Temp\b90af737beed084cb594af593e9c8b20N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\System32\DFVEndF.exe
  C:\Windows\System32\DFVEndF.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\HCzfnOG.exe
  C:\Windows\System32\HCzfnOG.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\dByDmrb.exe
  C:\Windows\System32\dByDmrb.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System32\DKnFfcu.exe
  C:\Windows\System32\DKnFfcu.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\vojsMOM.exe
  C:\Windows\System32\vojsMOM.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System32\lRiNdar.exe
  C:\Windows\System32\lRiNdar.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\hCgrovu.exe
  C:\Windows\System32\hCgrovu.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\vGkFmDw.exe
  C:\Windows\System32\vGkFmDw.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System32\KQJPesB.exe
  C:\Windows\System32\KQJPesB.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System32\JmlrTRA.exe
  C:\Windows\System32\JmlrTRA.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System32\oJXEQYN.exe
  C:\Windows\System32\oJXEQYN.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System32\NuJuhSY.exe
  C:\Windows\System32\NuJuhSY.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System32\ZSUNfDs.exe
  C:\Windows\System32\ZSUNfDs.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\MaCxrmb.exe
  C:\Windows\System32\MaCxrmb.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\ILiPVmN.exe
  C:\Windows\System32\ILiPVmN.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System32\FHhtkdw.exe
  C:\Windows\System32\FHhtkdw.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System32\tOVNamy.exe
  C:\Windows\System32\tOVNamy.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\GmkFazh.exe
  C:\Windows\System32\GmkFazh.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System32\XizZIHZ.exe
  C:\Windows\System32\XizZIHZ.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\eEbMGYq.exe
  C:\Windows\System32\eEbMGYq.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System32\oDGaBOy.exe
  C:\Windows\System32\oDGaBOy.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System32\UzreiZx.exe
  C:\Windows\System32\UzreiZx.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\MWdmdbi.exe
  C:\Windows\System32\MWdmdbi.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\rWxmbrC.exe
  C:\Windows\System32\rWxmbrC.exe
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\System32\BRcNTVU.exe
  C:\Windows\System32\BRcNTVU.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System32\iCkvMoz.exe
  C:\Windows\System32\iCkvMoz.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System32\QXOmIlo.exe
  C:\Windows\System32\QXOmIlo.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System32\aEybkMX.exe
  C:\Windows\System32\aEybkMX.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System32\kuvlcGk.exe
  C:\Windows\System32\kuvlcGk.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\bbKXBLc.exe
  C:\Windows\System32\bbKXBLc.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\hjOpqGM.exe
  C:\Windows\System32\hjOpqGM.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System32\RQxxDqB.exe
  C:\Windows\System32\RQxxDqB.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System32\wYrNVlz.exe
  C:\Windows\System32\wYrNVlz.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\iVocrnI.exe
  C:\Windows\System32\iVocrnI.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\eoFAVUF.exe
  C:\Windows\System32\eoFAVUF.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System32\EikBISd.exe
  C:\Windows\System32\EikBISd.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\QUOTfhA.exe
  C:\Windows\System32\QUOTfhA.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\etgzXBo.exe
  C:\Windows\System32\etgzXBo.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\EmXVUsB.exe
  C:\Windows\System32\EmXVUsB.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System32\YMMTxZe.exe
  C:\Windows\System32\YMMTxZe.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System32\QDbQxaa.exe
  C:\Windows\System32\QDbQxaa.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System32\wCOqHiP.exe
  C:\Windows\System32\wCOqHiP.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System32\EKmkiNM.exe
  C:\Windows\System32\EKmkiNM.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\mLyYExz.exe
  C:\Windows\System32\mLyYExz.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System32\wFukahN.exe
  C:\Windows\System32\wFukahN.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\SdQtUoz.exe
  C:\Windows\System32\SdQtUoz.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\dCLLeap.exe
  C:\Windows\System32\dCLLeap.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System32\BLeQPzq.exe
  C:\Windows\System32\BLeQPzq.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\TILOSGX.exe
  C:\Windows\System32\TILOSGX.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\LFtgAxy.exe
  C:\Windows\System32\LFtgAxy.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\fLOsLGm.exe
  C:\Windows\System32\fLOsLGm.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System32\ARgZuHR.exe
  C:\Windows\System32\ARgZuHR.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\elwclXw.exe
  C:\Windows\System32\elwclXw.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System32\OzijtUZ.exe
  C:\Windows\System32\OzijtUZ.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System32\zkgSinQ.exe
  C:\Windows\System32\zkgSinQ.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System32\MPIOxBv.exe
  C:\Windows\System32\MPIOxBv.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\xtIOJkM.exe
  C:\Windows\System32\xtIOJkM.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\sDUAhOf.exe
  C:\Windows\System32\sDUAhOf.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\fdjbfLh.exe
  C:\Windows\System32\fdjbfLh.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\VJRVsIY.exe
  C:\Windows\System32\VJRVsIY.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System32\oIwlbpA.exe
  C:\Windows\System32\oIwlbpA.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System32\dsVAXoQ.exe
  C:\Windows\System32\dsVAXoQ.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\OvfgojL.exe
  C:\Windows\System32\OvfgojL.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System32\RihHUCI.exe
  C:\Windows\System32\RihHUCI.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System32\iXmucrh.exe
  C:\Windows\System32\iXmucrh.exe
  2⤵
  PID:1372
- C:\Windows\System32\lhmWZPE.exe
  C:\Windows\System32\lhmWZPE.exe
  2⤵
  PID:1700
- C:\Windows\System32\WekNykZ.exe
  C:\Windows\System32\WekNykZ.exe
  2⤵
  PID:4512
- C:\Windows\System32\GjhFqVL.exe
  C:\Windows\System32\GjhFqVL.exe
  2⤵
  PID:4676
- C:\Windows\System32\FtrNyYe.exe
  C:\Windows\System32\FtrNyYe.exe
  2⤵
  PID:316
- C:\Windows\System32\dipVguB.exe
  C:\Windows\System32\dipVguB.exe
  2⤵
  PID:628
- C:\Windows\System32\KhSZCuq.exe
  C:\Windows\System32\KhSZCuq.exe
  2⤵
  PID:5112
- C:\Windows\System32\SJVkETI.exe
  C:\Windows\System32\SJVkETI.exe
  2⤵
  PID:3612
- C:\Windows\System32\MVkLgiN.exe
  C:\Windows\System32\MVkLgiN.exe
  2⤵
  PID:644
- C:\Windows\System32\bUESGWN.exe
  C:\Windows\System32\bUESGWN.exe
  2⤵
  PID:4176
- C:\Windows\System32\KTMjBrh.exe
  C:\Windows\System32\KTMjBrh.exe
  2⤵
  PID:4336
- C:\Windows\System32\HALFjBF.exe
  C:\Windows\System32\HALFjBF.exe
  2⤵
  PID:2332
- C:\Windows\System32\uYvDsCo.exe
  C:\Windows\System32\uYvDsCo.exe
  2⤵
  PID:2840
- C:\Windows\System32\OZxaBYs.exe
  C:\Windows\System32\OZxaBYs.exe
  2⤵
  PID:3704
- C:\Windows\System32\awndhaX.exe
  C:\Windows\System32\awndhaX.exe
  2⤵
  PID:5072
- C:\Windows\System32\VZYYNYi.exe
  C:\Windows\System32\VZYYNYi.exe
  2⤵
  PID:3684
- C:\Windows\System32\nJtNUvD.exe
  C:\Windows\System32\nJtNUvD.exe
  2⤵
  PID:1476
- C:\Windows\System32\ZvsKubC.exe
  C:\Windows\System32\ZvsKubC.exe
  2⤵
  PID:3524
- C:\Windows\System32\MrPSSYE.exe
  C:\Windows\System32\MrPSSYE.exe
  2⤵
  PID:3740
- C:\Windows\System32\plVInFG.exe
  C:\Windows\System32\plVInFG.exe
  2⤵
  PID:4588
- C:\Windows\System32\RxaIUae.exe
  C:\Windows\System32\RxaIUae.exe
  2⤵
  PID:1676
- C:\Windows\System32\rREHann.exe
  C:\Windows\System32\rREHann.exe
  2⤵
  PID:2896
- C:\Windows\System32\YJpbAFH.exe
  C:\Windows\System32\YJpbAFH.exe
  2⤵
  PID:3964
- C:\Windows\System32\RGrvUOO.exe
  C:\Windows\System32\RGrvUOO.exe
  2⤵
  PID:4088
- C:\Windows\System32\OFNLhfC.exe
  C:\Windows\System32\OFNLhfC.exe
  2⤵
  PID:5036
- C:\Windows\System32\JAmkbFA.exe
  C:\Windows\System32\JAmkbFA.exe
  2⤵
  PID:5128
- C:\Windows\System32\TtBbZrZ.exe
  C:\Windows\System32\TtBbZrZ.exe
  2⤵
  PID:5152
- C:\Windows\System32\yBLQsWG.exe
  C:\Windows\System32\yBLQsWG.exe
  2⤵
  PID:5176
- C:\Windows\System32\ZWPEJwj.exe
  C:\Windows\System32\ZWPEJwj.exe
  2⤵
  PID:5204
- C:\Windows\System32\ABJNVFP.exe
  C:\Windows\System32\ABJNVFP.exe
  2⤵
  PID:5232
- C:\Windows\System32\pHxkydK.exe
  C:\Windows\System32\pHxkydK.exe
  2⤵
  PID:5264
- C:\Windows\System32\wzMMyXh.exe
  C:\Windows\System32\wzMMyXh.exe
  2⤵
  PID:5288
- C:\Windows\System32\NCfcive.exe
  C:\Windows\System32\NCfcive.exe
  2⤵
  PID:5320
- C:\Windows\System32\seTdVUy.exe
  C:\Windows\System32\seTdVUy.exe
  2⤵
  PID:5344
- C:\Windows\System32\DgjCxBz.exe
  C:\Windows\System32\DgjCxBz.exe
  2⤵
  PID:5368
- C:\Windows\System32\ZYIyiVu.exe
  C:\Windows\System32\ZYIyiVu.exe
  2⤵
  PID:5400
- C:\Windows\System32\DekjilA.exe
  C:\Windows\System32\DekjilA.exe
  2⤵
  PID:5440
- C:\Windows\System32\RPyoVHa.exe
  C:\Windows\System32\RPyoVHa.exe
  2⤵
  PID:5464
- C:\Windows\System32\tNRtWMi.exe
  C:\Windows\System32\tNRtWMi.exe
  2⤵
  PID:5488
- C:\Windows\System32\JBoUPhH.exe
  C:\Windows\System32\JBoUPhH.exe
  2⤵
  PID:5512
- C:\Windows\System32\ekuWPho.exe
  C:\Windows\System32\ekuWPho.exe
  2⤵
  PID:5544
- C:\Windows\System32\DZnMktX.exe
  C:\Windows\System32\DZnMktX.exe
  2⤵
  PID:5564
- C:\Windows\System32\iVBxeOr.exe
  C:\Windows\System32\iVBxeOr.exe
  2⤵
  PID:5596
- C:\Windows\System32\rxpKwYC.exe
  C:\Windows\System32\rxpKwYC.exe
  2⤵
  PID:5628
- C:\Windows\System32\zFUWLgF.exe
  C:\Windows\System32\zFUWLgF.exe
  2⤵
  PID:5656
- C:\Windows\System32\QzIETme.exe
  C:\Windows\System32\QzIETme.exe
  2⤵
  PID:5684
- C:\Windows\System32\RVyNlWu.exe
  C:\Windows\System32\RVyNlWu.exe
  2⤵
  PID:5716
- C:\Windows\System32\GpaZmIa.exe
  C:\Windows\System32\GpaZmIa.exe
  2⤵
  PID:5740
- C:\Windows\System32\SdOuTLI.exe
  C:\Windows\System32\SdOuTLI.exe
  2⤵
  PID:5772
- C:\Windows\System32\pdpuhcj.exe
  C:\Windows\System32\pdpuhcj.exe
  2⤵
  PID:5876
- C:\Windows\System32\SvyDpTS.exe
  C:\Windows\System32\SvyDpTS.exe
  2⤵
  PID:5900
- C:\Windows\System32\NvVdWrF.exe
  C:\Windows\System32\NvVdWrF.exe
  2⤵
  PID:5948
- C:\Windows\System32\lsCVGpH.exe
  C:\Windows\System32\lsCVGpH.exe
  2⤵
  PID:5964
- C:\Windows\System32\mzWZssQ.exe
  C:\Windows\System32\mzWZssQ.exe
  2⤵
  PID:5988
- C:\Windows\System32\PHNVeiP.exe
  C:\Windows\System32\PHNVeiP.exe
  2⤵
  PID:6012
- C:\Windows\System32\OjBkiwk.exe
  C:\Windows\System32\OjBkiwk.exe
  2⤵
  PID:6068
- C:\Windows\System32\KxGnNDj.exe
  C:\Windows\System32\KxGnNDj.exe
  2⤵
  PID:6088
- C:\Windows\System32\FWCkeYf.exe
  C:\Windows\System32\FWCkeYf.exe
  2⤵
  PID:6108
- C:\Windows\System32\nkkYiLg.exe
  C:\Windows\System32\nkkYiLg.exe
  2⤵
  PID:6124
- C:\Windows\System32\NufExOo.exe
  C:\Windows\System32\NufExOo.exe
  2⤵
  PID:3184
- C:\Windows\System32\rfbBzPf.exe
  C:\Windows\System32\rfbBzPf.exe
  2⤵
  PID:984
- C:\Windows\System32\LxwRUOM.exe
  C:\Windows\System32\LxwRUOM.exe
  2⤵
  PID:1628
- C:\Windows\System32\Ioskvpd.exe
  C:\Windows\System32\Ioskvpd.exe
  2⤵
  PID:2900
- C:\Windows\System32\KxllYZL.exe
  C:\Windows\System32\KxllYZL.exe
  2⤵
  PID:2956
- C:\Windows\System32\tTVpXEE.exe
  C:\Windows\System32\tTVpXEE.exe
  2⤵
  PID:5196
- C:\Windows\System32\BNYELze.exe
  C:\Windows\System32\BNYELze.exe
  2⤵
  PID:5284
- C:\Windows\System32\GMtRHYf.exe
  C:\Windows\System32\GMtRHYf.exe
  2⤵
  PID:5364
- C:\Windows\System32\tDoiffE.exe
  C:\Windows\System32\tDoiffE.exe
  2⤵
  PID:5412
- C:\Windows\System32\IcPlDKA.exe
  C:\Windows\System32\IcPlDKA.exe
  2⤵
  PID:3016
- C:\Windows\System32\yNNmquy.exe
  C:\Windows\System32\yNNmquy.exe
  2⤵
  PID:220
- C:\Windows\System32\nFYsdWJ.exe
  C:\Windows\System32\nFYsdWJ.exe
  2⤵
  PID:5508
- C:\Windows\System32\iMpuuya.exe
  C:\Windows\System32\iMpuuya.exe
  2⤵
  PID:2096
- C:\Windows\System32\elrbvXI.exe
  C:\Windows\System32\elrbvXI.exe
  2⤵
  PID:5604
- C:\Windows\System32\UtnAdms.exe
  C:\Windows\System32\UtnAdms.exe
  2⤵
  PID:5620
- C:\Windows\System32\lHRQrxW.exe
  C:\Windows\System32\lHRQrxW.exe
  2⤵
  PID:5636
- C:\Windows\System32\EhuhrkV.exe
  C:\Windows\System32\EhuhrkV.exe
  2⤵
  PID:5676
- C:\Windows\System32\YcFSBkA.exe
  C:\Windows\System32\YcFSBkA.exe
  2⤵
  PID:1956
- C:\Windows\System32\FHNPWkc.exe
  C:\Windows\System32\FHNPWkc.exe
  2⤵
  PID:656
- C:\Windows\System32\gJYDCJo.exe
  C:\Windows\System32\gJYDCJo.exe
  2⤵
  PID:3428
- C:\Windows\System32\TUJEKbN.exe
  C:\Windows\System32\TUJEKbN.exe
  2⤵
  PID:5828
- C:\Windows\System32\gEOVrSz.exe
  C:\Windows\System32\gEOVrSz.exe
  2⤵
  PID:4860
- C:\Windows\System32\yajdrGc.exe
  C:\Windows\System32\yajdrGc.exe
  2⤵
  PID:724
- C:\Windows\System32\yyvCrSc.exe
  C:\Windows\System32\yyvCrSc.exe
  2⤵
  PID:5996
- C:\Windows\System32\wJUQbMx.exe
  C:\Windows\System32\wJUQbMx.exe
  2⤵
  PID:5980
- C:\Windows\System32\laGQsSX.exe
  C:\Windows\System32\laGQsSX.exe
  2⤵
  PID:6104
- C:\Windows\System32\BzvFwel.exe
  C:\Windows\System32\BzvFwel.exe
  2⤵
  PID:1796
- C:\Windows\System32\cjrYJJE.exe
  C:\Windows\System32\cjrYJJE.exe
  2⤵
  PID:5160
- C:\Windows\System32\PpYmuIg.exe
  C:\Windows\System32\PpYmuIg.exe
  2⤵
  PID:4004
- C:\Windows\System32\bcQKeHD.exe
  C:\Windows\System32\bcQKeHD.exe
  2⤵
  PID:2172
- C:\Windows\System32\vcmoSlv.exe
  C:\Windows\System32\vcmoSlv.exe
  2⤵
  PID:5008
- C:\Windows\System32\cBnGbyK.exe
  C:\Windows\System32\cBnGbyK.exe
  2⤵
  PID:844
- C:\Windows\System32\nhyaaxz.exe
  C:\Windows\System32\nhyaaxz.exe
  2⤵
  PID:6052
- C:\Windows\System32\QEOdRFH.exe
  C:\Windows\System32\QEOdRFH.exe
  2⤵
  PID:5668
- C:\Windows\System32\JiIQvgR.exe
  C:\Windows\System32\JiIQvgR.exe
  2⤵
  PID:5144
- C:\Windows\System32\xWMQcGM.exe
  C:\Windows\System32\xWMQcGM.exe
  2⤵
  PID:5896
- C:\Windows\System32\iwNWocy.exe
  C:\Windows\System32\iwNWocy.exe
  2⤵
  PID:5984
- C:\Windows\System32\GVAvsax.exe
  C:\Windows\System32\GVAvsax.exe
  2⤵
  PID:6116
- C:\Windows\System32\rhZMDAZ.exe
  C:\Windows\System32\rhZMDAZ.exe
  2⤵
  PID:5552
- C:\Windows\System32\ilDIeKS.exe
  C:\Windows\System32\ilDIeKS.exe
  2⤵
  PID:5244
- C:\Windows\System32\yeZPuXR.exe
  C:\Windows\System32\yeZPuXR.exe
  2⤵
  PID:3672
- C:\Windows\System32\AaluKwS.exe
  C:\Windows\System32\AaluKwS.exe
  2⤵
  PID:5240
- C:\Windows\System32\bIhBSPj.exe
  C:\Windows\System32\bIhBSPj.exe
  2⤵
  PID:5804
- C:\Windows\System32\qcUrute.exe
  C:\Windows\System32\qcUrute.exe
  2⤵
  PID:5920
- C:\Windows\System32\xLnHJYm.exe
  C:\Windows\System32\xLnHJYm.exe
  2⤵
  PID:216
- C:\Windows\System32\wsKprLt.exe
  C:\Windows\System32\wsKprLt.exe
  2⤵
  PID:5328
- C:\Windows\System32\FGIhhLA.exe
  C:\Windows\System32\FGIhhLA.exe
  2⤵
  PID:2804
- C:\Windows\System32\jSrihaj.exe
  C:\Windows\System32\jSrihaj.exe
  2⤵
  PID:6152
- C:\Windows\System32\JKcoaVb.exe
  C:\Windows\System32\JKcoaVb.exe
  2⤵
  PID:6180
- C:\Windows\System32\oHaHROq.exe
  C:\Windows\System32\oHaHROq.exe
  2⤵
  PID:6204
- C:\Windows\System32\LNJzpXw.exe
  C:\Windows\System32\LNJzpXw.exe
  2⤵
  PID:6224
- C:\Windows\System32\VAusJPj.exe
  C:\Windows\System32\VAusJPj.exe
  2⤵
  PID:6260
- C:\Windows\System32\hdBZJtr.exe
  C:\Windows\System32\hdBZJtr.exe
  2⤵
  PID:6276
- C:\Windows\System32\JFBeisX.exe
  C:\Windows\System32\JFBeisX.exe
  2⤵
  PID:6300
- C:\Windows\System32\FmEHOfa.exe
  C:\Windows\System32\FmEHOfa.exe
  2⤵
  PID:6328
- C:\Windows\System32\sIFMiFe.exe
  C:\Windows\System32\sIFMiFe.exe
  2⤵
  PID:6380
- C:\Windows\System32\WNHhhBP.exe
  C:\Windows\System32\WNHhhBP.exe
  2⤵
  PID:6404
- C:\Windows\System32\ZWLJkyH.exe
  C:\Windows\System32\ZWLJkyH.exe
  2⤵
  PID:6432
- C:\Windows\System32\LCvPNKZ.exe
  C:\Windows\System32\LCvPNKZ.exe
  2⤵
  PID:6452
- C:\Windows\System32\PJTYwXK.exe
  C:\Windows\System32\PJTYwXK.exe
  2⤵
  PID:6480
- C:\Windows\System32\CAulPqm.exe
  C:\Windows\System32\CAulPqm.exe
  2⤵
  PID:6508
- C:\Windows\System32\LkiQjIi.exe
  C:\Windows\System32\LkiQjIi.exe
  2⤵
  PID:6528
- C:\Windows\System32\kikMkvg.exe
  C:\Windows\System32\kikMkvg.exe
  2⤵
  PID:6552
- C:\Windows\System32\lgoHyLk.exe
  C:\Windows\System32\lgoHyLk.exe
  2⤵
  PID:6592
- C:\Windows\System32\mOmgwSn.exe
  C:\Windows\System32\mOmgwSn.exe
  2⤵
  PID:6608
- C:\Windows\System32\FUGUjYA.exe
  C:\Windows\System32\FUGUjYA.exe
  2⤵
  PID:6632
- C:\Windows\System32\UGQXMaQ.exe
  C:\Windows\System32\UGQXMaQ.exe
  2⤵
  PID:6652
- C:\Windows\System32\SoGcQhC.exe
  C:\Windows\System32\SoGcQhC.exe
  2⤵
  PID:6728
- C:\Windows\System32\ZnYKdTK.exe
  C:\Windows\System32\ZnYKdTK.exe
  2⤵
  PID:6748
- C:\Windows\System32\lfIZdGi.exe
  C:\Windows\System32\lfIZdGi.exe
  2⤵
  PID:6768
- C:\Windows\System32\EHSpZLO.exe
  C:\Windows\System32\EHSpZLO.exe
  2⤵
  PID:6784
- C:\Windows\System32\FcJzExz.exe
  C:\Windows\System32\FcJzExz.exe
  2⤵
  PID:6812
- C:\Windows\System32\wjMQqXD.exe
  C:\Windows\System32\wjMQqXD.exe
  2⤵
  PID:6872
- C:\Windows\System32\aZOvtYI.exe
  C:\Windows\System32\aZOvtYI.exe
  2⤵
  PID:6900
- C:\Windows\System32\GRKjtNn.exe
  C:\Windows\System32\GRKjtNn.exe
  2⤵
  PID:6920
- C:\Windows\System32\dQMcWJf.exe
  C:\Windows\System32\dQMcWJf.exe
  2⤵
  PID:6944
- C:\Windows\System32\daoHUld.exe
  C:\Windows\System32\daoHUld.exe
  2⤵
  PID:6968
- C:\Windows\System32\hhvwUNH.exe
  C:\Windows\System32\hhvwUNH.exe
  2⤵
  PID:6992
- C:\Windows\System32\qSJAMGr.exe
  C:\Windows\System32\qSJAMGr.exe
  2⤵
  PID:7008
- C:\Windows\System32\rtYjYTt.exe
  C:\Windows\System32\rtYjYTt.exe
  2⤵
  PID:7056
- C:\Windows\System32\KynBaOU.exe
  C:\Windows\System32\KynBaOU.exe
  2⤵
  PID:7076
- C:\Windows\System32\oBzBDCC.exe
  C:\Windows\System32\oBzBDCC.exe
  2⤵
  PID:7092
- C:\Windows\System32\HxGcttM.exe
  C:\Windows\System32\HxGcttM.exe
  2⤵
  PID:7128
- C:\Windows\System32\JezKZZo.exe
  C:\Windows\System32\JezKZZo.exe
  2⤵
  PID:7164
- C:\Windows\System32\bFeMPKR.exe
  C:\Windows\System32\bFeMPKR.exe
  2⤵
  PID:6176
- C:\Windows\System32\BmDyBCu.exe
  C:\Windows\System32\BmDyBCu.exe
  2⤵
  PID:6200
- C:\Windows\System32\RuevcAk.exe
  C:\Windows\System32\RuevcAk.exe
  2⤵
  PID:6292
- C:\Windows\System32\zSyYNfx.exe
  C:\Windows\System32\zSyYNfx.exe
  2⤵
  PID:6392
- C:\Windows\System32\LYksVcf.exe
  C:\Windows\System32\LYksVcf.exe
  2⤵
  PID:6496
- C:\Windows\System32\ekYbLpK.exe
  C:\Windows\System32\ekYbLpK.exe
  2⤵
  PID:6540
- C:\Windows\System32\Ecingav.exe
  C:\Windows\System32\Ecingav.exe
  2⤵
  PID:6576
- C:\Windows\System32\AFiOIrU.exe
  C:\Windows\System32\AFiOIrU.exe
  2⤵
  PID:6604
- C:\Windows\System32\eBoAftm.exe
  C:\Windows\System32\eBoAftm.exe
  2⤵
  PID:6692
- C:\Windows\System32\MjgNthf.exe
  C:\Windows\System32\MjgNthf.exe
  2⤵
  PID:6736
- C:\Windows\System32\zRCXKFq.exe
  C:\Windows\System32\zRCXKFq.exe
  2⤵
  PID:6824
- C:\Windows\System32\bCVlQwB.exe
  C:\Windows\System32\bCVlQwB.exe
  2⤵
  PID:6896
- C:\Windows\System32\PVhkjaE.exe
  C:\Windows\System32\PVhkjaE.exe
  2⤵
  PID:7000
- C:\Windows\System32\dPsZRSY.exe
  C:\Windows\System32\dPsZRSY.exe
  2⤵
  PID:7032
- C:\Windows\System32\zrNgTAW.exe
  C:\Windows\System32\zrNgTAW.exe
  2⤵
  PID:7084
- C:\Windows\System32\pQxQXVJ.exe
  C:\Windows\System32\pQxQXVJ.exe
  2⤵
  PID:7140
- C:\Windows\System32\SyhSHUg.exe
  C:\Windows\System32\SyhSHUg.exe
  2⤵
  PID:6420
- C:\Windows\System32\ArqvBvL.exe
  C:\Windows\System32\ArqvBvL.exe
  2⤵
  PID:5692
- C:\Windows\System32\FKPKNXW.exe
  C:\Windows\System32\FKPKNXW.exe
  2⤵
  PID:6640
- C:\Windows\System32\HcrMDeC.exe
  C:\Windows\System32\HcrMDeC.exe
  2⤵
  PID:6676
- C:\Windows\System32\PMYdxlA.exe
  C:\Windows\System32\PMYdxlA.exe
  2⤵
  PID:6756
- C:\Windows\System32\TIFkxME.exe
  C:\Windows\System32\TIFkxME.exe
  2⤵
  PID:6828
- C:\Windows\System32\CydmkoX.exe
  C:\Windows\System32\CydmkoX.exe
  2⤵
  PID:7004
- C:\Windows\System32\jPohFUW.exe
  C:\Windows\System32\jPohFUW.exe
  2⤵
  PID:6980
- C:\Windows\System32\vMCdsyR.exe
  C:\Windows\System32\vMCdsyR.exe
  2⤵
  PID:7188
- C:\Windows\System32\XYjYGdJ.exe
  C:\Windows\System32\XYjYGdJ.exe
  2⤵
  PID:7208
- C:\Windows\System32\ApLwytm.exe
  C:\Windows\System32\ApLwytm.exe
  2⤵
  PID:7224
- C:\Windows\System32\iUUZZus.exe
  C:\Windows\System32\iUUZZus.exe
  2⤵
  PID:7240
- C:\Windows\System32\SHtiZLg.exe
  C:\Windows\System32\SHtiZLg.exe
  2⤵
  PID:7256
- C:\Windows\System32\YHjzegp.exe
  C:\Windows\System32\YHjzegp.exe
  2⤵
  PID:7272
- C:\Windows\System32\ZfuXFZZ.exe
  C:\Windows\System32\ZfuXFZZ.exe
  2⤵
  PID:7288
- C:\Windows\System32\dfXDDGX.exe
  C:\Windows\System32\dfXDDGX.exe
  2⤵
  PID:7304
- C:\Windows\System32\OvzgIxm.exe
  C:\Windows\System32\OvzgIxm.exe
  2⤵
  PID:7336
- C:\Windows\System32\hJZMnQe.exe
  C:\Windows\System32\hJZMnQe.exe
  2⤵
  PID:7368
- C:\Windows\System32\blyibGK.exe
  C:\Windows\System32\blyibGK.exe
  2⤵
  PID:7392
- C:\Windows\System32\cYkbkOH.exe
  C:\Windows\System32\cYkbkOH.exe
  2⤵
  PID:7420
- C:\Windows\System32\LPSeCER.exe
  C:\Windows\System32\LPSeCER.exe
  2⤵
  PID:7516
- C:\Windows\System32\oAjfiDA.exe
  C:\Windows\System32\oAjfiDA.exe
  2⤵
  PID:7532
- C:\Windows\System32\kNRexSK.exe
  C:\Windows\System32\kNRexSK.exe
  2⤵
  PID:7548
- C:\Windows\System32\LmTckRD.exe
  C:\Windows\System32\LmTckRD.exe
  2⤵
  PID:7564
- C:\Windows\System32\dzNkgbE.exe
  C:\Windows\System32\dzNkgbE.exe
  2⤵
  PID:7588
- C:\Windows\System32\ZauFnqA.exe
  C:\Windows\System32\ZauFnqA.exe
  2⤵
  PID:7644
- C:\Windows\System32\BEGetcq.exe
  C:\Windows\System32\BEGetcq.exe
  2⤵
  PID:7700
- C:\Windows\System32\yarsBXZ.exe
  C:\Windows\System32\yarsBXZ.exe
  2⤵
  PID:7720
- C:\Windows\System32\HSHBWAm.exe
  C:\Windows\System32\HSHBWAm.exe
  2⤵
  PID:7740
- C:\Windows\System32\VCHJgBO.exe
  C:\Windows\System32\VCHJgBO.exe
  2⤵
  PID:7844
- C:\Windows\System32\CrChFbX.exe
  C:\Windows\System32\CrChFbX.exe
  2⤵
  PID:7904
- C:\Windows\System32\AJREDmX.exe
  C:\Windows\System32\AJREDmX.exe
  2⤵
  PID:7920
- C:\Windows\System32\ZCKyvOv.exe
  C:\Windows\System32\ZCKyvOv.exe
  2⤵
  PID:7948
- C:\Windows\System32\EDRNUmP.exe
  C:\Windows\System32\EDRNUmP.exe
  2⤵
  PID:7972
- C:\Windows\System32\pevEHGD.exe
  C:\Windows\System32\pevEHGD.exe
  2⤵
  PID:7988
- C:\Windows\System32\tiAcgxw.exe
  C:\Windows\System32\tiAcgxw.exe
  2⤵
  PID:8008
- C:\Windows\System32\jChuDxJ.exe
  C:\Windows\System32\jChuDxJ.exe
  2⤵
  PID:8028
- C:\Windows\System32\ijLULxe.exe
  C:\Windows\System32\ijLULxe.exe
  2⤵
  PID:8056
- C:\Windows\System32\jgtZrpW.exe
  C:\Windows\System32\jgtZrpW.exe
  2⤵
  PID:8184
- C:\Windows\System32\mKskOUk.exe
  C:\Windows\System32\mKskOUk.exe
  2⤵
  PID:7116
- C:\Windows\System32\ytiyznt.exe
  C:\Windows\System32\ytiyznt.exe
  2⤵
  PID:6320
- C:\Windows\System32\rppWEVM.exe
  C:\Windows\System32\rppWEVM.exe
  2⤵
  PID:7220
- C:\Windows\System32\DKunnOU.exe
  C:\Windows\System32\DKunnOU.exe
  2⤵
  PID:7252
- C:\Windows\System32\HEjiKVJ.exe
  C:\Windows\System32\HEjiKVJ.exe
  2⤵
  PID:7172
- C:\Windows\System32\nTsGjFe.exe
  C:\Windows\System32\nTsGjFe.exe
  2⤵
  PID:6916
- C:\Windows\System32\vnfWMMp.exe
  C:\Windows\System32\vnfWMMp.exe
  2⤵
  PID:7404
- C:\Windows\System32\GjRWGYb.exe
  C:\Windows\System32\GjRWGYb.exe
  2⤵
  PID:7248
- C:\Windows\System32\YeuevTz.exe
  C:\Windows\System32\YeuevTz.exe
  2⤵
  PID:7380
- C:\Windows\System32\dzCCkUO.exe
  C:\Windows\System32\dzCCkUO.exe
  2⤵
  PID:7364
- C:\Windows\System32\nAGnuUg.exe
  C:\Windows\System32\nAGnuUg.exe
  2⤵
  PID:7320
- C:\Windows\System32\qcXYRbA.exe
  C:\Windows\System32\qcXYRbA.exe
  2⤵
  PID:7456
- C:\Windows\System32\SlztrsH.exe
  C:\Windows\System32\SlztrsH.exe
  2⤵
  PID:7508
- C:\Windows\System32\rQWOIPV.exe
  C:\Windows\System32\rQWOIPV.exe
  2⤵
  PID:7656
- C:\Windows\System32\GHKMbAl.exe
  C:\Windows\System32\GHKMbAl.exe
  2⤵
  PID:7796
- C:\Windows\System32\PNfyPNb.exe
  C:\Windows\System32\PNfyPNb.exe
  2⤵
  PID:7852
- C:\Windows\System32\gOucNqX.exe
  C:\Windows\System32\gOucNqX.exe
  2⤵
  PID:7712
- C:\Windows\System32\fOeRYHl.exe
  C:\Windows\System32\fOeRYHl.exe
  2⤵
  PID:7824
- C:\Windows\System32\NOVBHML.exe
  C:\Windows\System32\NOVBHML.exe
  2⤵
  PID:7968
- C:\Windows\System32\mYsNFxn.exe
  C:\Windows\System32\mYsNFxn.exe
  2⤵
  PID:8004
- C:\Windows\System32\tMxWuJF.exe
  C:\Windows\System32\tMxWuJF.exe
  2⤵
  PID:8152
- C:\Windows\System32\IYWzVgc.exe
  C:\Windows\System32\IYWzVgc.exe
  2⤵
  PID:8176
- C:\Windows\System32\QEhICjH.exe
  C:\Windows\System32\QEhICjH.exe
  2⤵
  PID:6220
- C:\Windows\System32\UvXUdDy.exe
  C:\Windows\System32\UvXUdDy.exe
  2⤵
  PID:7284
- C:\Windows\System32\dCPRKJd.exe
  C:\Windows\System32\dCPRKJd.exe
  2⤵
  PID:7356
- C:\Windows\System32\IyFxLwj.exe
  C:\Windows\System32\IyFxLwj.exe
  2⤵
  PID:7544
- C:\Windows\System32\FRRQTeU.exe
  C:\Windows\System32\FRRQTeU.exe
  2⤵
  PID:7688
- C:\Windows\System32\EwjWDzH.exe
  C:\Windows\System32\EwjWDzH.exe
  2⤵
  PID:7572
- C:\Windows\System32\KFRSgRs.exe
  C:\Windows\System32\KFRSgRs.exe
  2⤵
  PID:8044
- C:\Windows\System32\QdsnFyO.exe
  C:\Windows\System32\QdsnFyO.exe
  2⤵
  PID:7316
- C:\Windows\System32\kjlQtzE.exe
  C:\Windows\System32\kjlQtzE.exe
  2⤵
  PID:7236
- C:\Windows\System32\NyacRTO.exe
  C:\Windows\System32\NyacRTO.exe
  2⤵
  PID:7360
- C:\Windows\System32\hRNXpNx.exe
  C:\Windows\System32\hRNXpNx.exe
  2⤵
  PID:8016
- C:\Windows\System32\KmEhqRK.exe
  C:\Windows\System32\KmEhqRK.exe
  2⤵
  PID:7928
- C:\Windows\System32\xrNkHqo.exe
  C:\Windows\System32\xrNkHqo.exe
  2⤵
  PID:6620
- C:\Windows\System32\OFViXGR.exe
  C:\Windows\System32\OFViXGR.exe
  2⤵
  PID:7496
- C:\Windows\System32\eAxqoNy.exe
  C:\Windows\System32\eAxqoNy.exe
  2⤵
  PID:8204
- C:\Windows\System32\EjvNbLb.exe
  C:\Windows\System32\EjvNbLb.exe
  2⤵
  PID:8224
- C:\Windows\System32\SpXFQGY.exe
  C:\Windows\System32\SpXFQGY.exe
  2⤵
  PID:8284
- C:\Windows\System32\MtBDzJt.exe
  C:\Windows\System32\MtBDzJt.exe
  2⤵
  PID:8304
- C:\Windows\System32\RZNXQPV.exe
  C:\Windows\System32\RZNXQPV.exe
  2⤵
  PID:8324
- C:\Windows\System32\VKBWnNJ.exe
  C:\Windows\System32\VKBWnNJ.exe
  2⤵
  PID:8344
- C:\Windows\System32\YNrZGoX.exe
  C:\Windows\System32\YNrZGoX.exe
  2⤵
  PID:8360
- C:\Windows\System32\HCLpgke.exe
  C:\Windows\System32\HCLpgke.exe
  2⤵
  PID:8388
- C:\Windows\System32\ZNxpSOq.exe
  C:\Windows\System32\ZNxpSOq.exe
  2⤵
  PID:8404
- C:\Windows\System32\NIOHxxO.exe
  C:\Windows\System32\NIOHxxO.exe
  2⤵
  PID:8424
- C:\Windows\System32\cNGYgQG.exe
  C:\Windows\System32\cNGYgQG.exe
  2⤵
  PID:8460
- C:\Windows\System32\xUcFGnm.exe
  C:\Windows\System32\xUcFGnm.exe
  2⤵
  PID:8508
- C:\Windows\System32\MgndqpX.exe
  C:\Windows\System32\MgndqpX.exe
  2⤵
  PID:8548
- C:\Windows\System32\xPYuWoM.exe
  C:\Windows\System32\xPYuWoM.exe
  2⤵
  PID:8604
- C:\Windows\System32\mJkPVaw.exe
  C:\Windows\System32\mJkPVaw.exe
  2⤵
  PID:8628
- C:\Windows\System32\YwOXuSV.exe
  C:\Windows\System32\YwOXuSV.exe
  2⤵
  PID:8676
- C:\Windows\System32\MNhhBms.exe
  C:\Windows\System32\MNhhBms.exe
  2⤵
  PID:8724
- C:\Windows\System32\vhAGZbj.exe
  C:\Windows\System32\vhAGZbj.exe
  2⤵
  PID:8748
- C:\Windows\System32\EOMJwNo.exe
  C:\Windows\System32\EOMJwNo.exe
  2⤵
  PID:8764
- C:\Windows\System32\jckfAzZ.exe
  C:\Windows\System32\jckfAzZ.exe
  2⤵
  PID:8780
- C:\Windows\System32\GluhAFi.exe
  C:\Windows\System32\GluhAFi.exe
  2⤵
  PID:8804
- C:\Windows\System32\oHrwAHB.exe
  C:\Windows\System32\oHrwAHB.exe
  2⤵
  PID:8844
- C:\Windows\System32\sbjWeTM.exe
  C:\Windows\System32\sbjWeTM.exe
  2⤵
  PID:8864
- C:\Windows\System32\vcDSRNi.exe
  C:\Windows\System32\vcDSRNi.exe
  2⤵
  PID:8908
- C:\Windows\System32\rqWkVUG.exe
  C:\Windows\System32\rqWkVUG.exe
  2⤵
  PID:8928
- C:\Windows\System32\fdncCQn.exe
  C:\Windows\System32\fdncCQn.exe
  2⤵
  PID:8952
- C:\Windows\System32\dPEwpds.exe
  C:\Windows\System32\dPEwpds.exe
  2⤵
  PID:8972
- C:\Windows\System32\YGZYTmt.exe
  C:\Windows\System32\YGZYTmt.exe
  2⤵
  PID:9012
- C:\Windows\System32\XdCpoWs.exe
  C:\Windows\System32\XdCpoWs.exe
  2⤵
  PID:9064
- C:\Windows\System32\pybHlev.exe
  C:\Windows\System32\pybHlev.exe
  2⤵
  PID:9084
- C:\Windows\System32\dIQYmGt.exe
  C:\Windows\System32\dIQYmGt.exe
  2⤵
  PID:9104
- C:\Windows\System32\qHiQetR.exe
  C:\Windows\System32\qHiQetR.exe
  2⤵
  PID:9120
- C:\Windows\System32\dBhPkWZ.exe
  C:\Windows\System32\dBhPkWZ.exe
  2⤵
  PID:9136
- C:\Windows\System32\dvnUeOT.exe
  C:\Windows\System32\dvnUeOT.exe
  2⤵
  PID:9176
- C:\Windows\System32\wkrtSCN.exe
  C:\Windows\System32\wkrtSCN.exe
  2⤵
  PID:9208
- C:\Windows\System32\UQoZNwQ.exe
  C:\Windows\System32\UQoZNwQ.exe
  2⤵
  PID:8024
- C:\Windows\System32\uaPGnGl.exe
  C:\Windows\System32\uaPGnGl.exe
  2⤵
  PID:7964
- C:\Windows\System32\uMdXlCc.exe
  C:\Windows\System32\uMdXlCc.exe
  2⤵
  PID:8352
- C:\Windows\System32\ZNfpMsR.exe
  C:\Windows\System32\ZNfpMsR.exe
  2⤵
  PID:8412
- C:\Windows\System32\ycgYKlN.exe
  C:\Windows\System32\ycgYKlN.exe
  2⤵
  PID:8468
- C:\Windows\System32\zIMkFgG.exe
  C:\Windows\System32\zIMkFgG.exe
  2⤵
  PID:8504
- C:\Windows\System32\qvozqKZ.exe
  C:\Windows\System32\qvozqKZ.exe
  2⤵
  PID:8660
- C:\Windows\System32\khTpffZ.exe
  C:\Windows\System32\khTpffZ.exe
  2⤵
  PID:8760
- C:\Windows\System32\aelujJG.exe
  C:\Windows\System32\aelujJG.exe
  2⤵
  PID:8840
- C:\Windows\System32\NvPjIvF.exe
  C:\Windows\System32\NvPjIvF.exe
  2⤵
  PID:8872
- C:\Windows\System32\HxlUyMy.exe
  C:\Windows\System32\HxlUyMy.exe
  2⤵
  PID:8968
- C:\Windows\System32\LoXZCYN.exe
  C:\Windows\System32\LoXZCYN.exe
  2⤵
  PID:9032
- C:\Windows\System32\mZylAMZ.exe
  C:\Windows\System32\mZylAMZ.exe
  2⤵
  PID:9092
- C:\Windows\System32\sRZxcGy.exe
  C:\Windows\System32\sRZxcGy.exe
  2⤵
  PID:9152
- C:\Windows\System32\hoYXFxb.exe
  C:\Windows\System32\hoYXFxb.exe
  2⤵
  PID:9164
- C:\Windows\System32\hjBhfDC.exe
  C:\Windows\System32\hjBhfDC.exe
  2⤵
  PID:5932
- C:\Windows\System32\OYVRyba.exe
  C:\Windows\System32\OYVRyba.exe
  2⤵
  PID:8396
- C:\Windows\System32\VMqeWCc.exe
  C:\Windows\System32\VMqeWCc.exe
  2⤵
  PID:8472
- C:\Windows\System32\wcEGOkQ.exe
  C:\Windows\System32\wcEGOkQ.exe
  2⤵
  PID:7184
- C:\Windows\System32\vySVwqY.exe
  C:\Windows\System32\vySVwqY.exe
  2⤵
  PID:8696
- C:\Windows\System32\SQWdtGO.exe
  C:\Windows\System32\SQWdtGO.exe
  2⤵
  PID:8856
- C:\Windows\System32\kbnHxla.exe
  C:\Windows\System32\kbnHxla.exe
  2⤵
  PID:9144
- C:\Windows\System32\yewCPwU.exe
  C:\Windows\System32\yewCPwU.exe
  2⤵
  PID:8200
- C:\Windows\System32\wLjDttd.exe
  C:\Windows\System32\wLjDttd.exe
  2⤵
  PID:8740
- C:\Windows\System32\oLQHgTw.exe
  C:\Windows\System32\oLQHgTw.exe
  2⤵
  PID:8816
- C:\Windows\System32\uUgjoPq.exe
  C:\Windows\System32\uUgjoPq.exe
  2⤵
  PID:9128
- C:\Windows\System32\kJVMtWs.exe
  C:\Windows\System32\kJVMtWs.exe
  2⤵
  PID:9196
- C:\Windows\System32\LrdtVMm.exe
  C:\Windows\System32\LrdtVMm.exe
  2⤵
  PID:9236
- C:\Windows\System32\qXHfdjR.exe
  C:\Windows\System32\qXHfdjR.exe
  2⤵
  PID:9260
- C:\Windows\System32\pWQSMMK.exe
  C:\Windows\System32\pWQSMMK.exe
  2⤵
  PID:9296
- C:\Windows\System32\qXzFzxq.exe
  C:\Windows\System32\qXzFzxq.exe
  2⤵
  PID:9324
- C:\Windows\System32\eoyeyrV.exe
  C:\Windows\System32\eoyeyrV.exe
  2⤵
  PID:9352
- C:\Windows\System32\ryucrig.exe
  C:\Windows\System32\ryucrig.exe
  2⤵
  PID:9380
- C:\Windows\System32\FqkwDhr.exe
  C:\Windows\System32\FqkwDhr.exe
  2⤵
  PID:9400
- C:\Windows\System32\PDFybFy.exe
  C:\Windows\System32\PDFybFy.exe
  2⤵
  PID:9416
- C:\Windows\System32\kYCkjXs.exe
  C:\Windows\System32\kYCkjXs.exe
  2⤵
  PID:9444
- C:\Windows\System32\xgThpuV.exe
  C:\Windows\System32\xgThpuV.exe
  2⤵
  PID:9464
- C:\Windows\System32\FUamMju.exe
  C:\Windows\System32\FUamMju.exe
  2⤵
  PID:9484
- C:\Windows\System32\udjOeDK.exe
  C:\Windows\System32\udjOeDK.exe
  2⤵
  PID:9556
- C:\Windows\System32\LDYHadV.exe
  C:\Windows\System32\LDYHadV.exe
  2⤵
  PID:9576
- C:\Windows\System32\euVdGmQ.exe
  C:\Windows\System32\euVdGmQ.exe
  2⤵
  PID:9616
- C:\Windows\System32\Idljevb.exe
  C:\Windows\System32\Idljevb.exe
  2⤵
  PID:9644
- C:\Windows\System32\EVlvHtG.exe
  C:\Windows\System32\EVlvHtG.exe
  2⤵
  PID:9660
- C:\Windows\System32\IjmapjQ.exe
  C:\Windows\System32\IjmapjQ.exe
  2⤵
  PID:9688
- C:\Windows\System32\KitKYrK.exe
  C:\Windows\System32\KitKYrK.exe
  2⤵
  PID:9708
- C:\Windows\System32\MKSIFRI.exe
  C:\Windows\System32\MKSIFRI.exe
  2⤵
  PID:9732
- C:\Windows\System32\oUesWsY.exe
  C:\Windows\System32\oUesWsY.exe
  2⤵
  PID:9784
- C:\Windows\System32\EnsMJRQ.exe
  C:\Windows\System32\EnsMJRQ.exe
  2⤵
  PID:9816
- C:\Windows\System32\lcrbmvq.exe
  C:\Windows\System32\lcrbmvq.exe
  2⤵
  PID:9832
- C:\Windows\System32\hAXjjFx.exe
  C:\Windows\System32\hAXjjFx.exe
  2⤵
  PID:9852
- C:\Windows\System32\ZpLUppQ.exe
  C:\Windows\System32\ZpLUppQ.exe
  2⤵
  PID:9868
- C:\Windows\System32\oiaEamD.exe
  C:\Windows\System32\oiaEamD.exe
  2⤵
  PID:9900
- C:\Windows\System32\sqGabwV.exe
  C:\Windows\System32\sqGabwV.exe
  2⤵
  PID:9916
- C:\Windows\System32\QrIHDzp.exe
  C:\Windows\System32\QrIHDzp.exe
  2⤵
  PID:9936
- C:\Windows\System32\ecngMJo.exe
  C:\Windows\System32\ecngMJo.exe
  2⤵
  PID:9952
- C:\Windows\System32\dwBafGL.exe
  C:\Windows\System32\dwBafGL.exe
  2⤵
  PID:10028
- C:\Windows\System32\tAlbNin.exe
  C:\Windows\System32\tAlbNin.exe
  2⤵
  PID:10052
- C:\Windows\System32\ZGFbXVX.exe
  C:\Windows\System32\ZGFbXVX.exe
  2⤵
  PID:10076
- C:\Windows\System32\GYEAkDt.exe
  C:\Windows\System32\GYEAkDt.exe
  2⤵
  PID:10116
- C:\Windows\System32\APQruxg.exe
  C:\Windows\System32\APQruxg.exe
  2⤵
  PID:10144
- C:\Windows\System32\DKFoiQY.exe
  C:\Windows\System32\DKFoiQY.exe
  2⤵
  PID:10184
- C:\Windows\System32\hLGGyXT.exe
  C:\Windows\System32\hLGGyXT.exe
  2⤵
  PID:10212
- C:\Windows\System32\nvLWDwQ.exe
  C:\Windows\System32\nvLWDwQ.exe
  2⤵
  PID:10228
- C:\Windows\System32\nCGTUjD.exe
  C:\Windows\System32\nCGTUjD.exe
  2⤵
  PID:8380
- C:\Windows\System32\XZlVqPJ.exe
  C:\Windows\System32\XZlVqPJ.exe
  2⤵
  PID:9272
- C:\Windows\System32\QqNztbP.exe
  C:\Windows\System32\QqNztbP.exe
  2⤵
  PID:9408
- C:\Windows\System32\cxbKjzb.exe
  C:\Windows\System32\cxbKjzb.exe
  2⤵
  PID:9460
- C:\Windows\System32\SOIccdt.exe
  C:\Windows\System32\SOIccdt.exe
  2⤵
  PID:9528
- C:\Windows\System32\fRgyEeg.exe
  C:\Windows\System32\fRgyEeg.exe
  2⤵
  PID:9472
- C:\Windows\System32\myJDnFa.exe
  C:\Windows\System32\myJDnFa.exe
  2⤵
  PID:9628
- C:\Windows\System32\KNkWqQl.exe
  C:\Windows\System32\KNkWqQl.exe
  2⤵
  PID:9704
- C:\Windows\System32\HUXTHZP.exe
  C:\Windows\System32\HUXTHZP.exe
  2⤵
  PID:9752
- C:\Windows\System32\pOICybJ.exe
  C:\Windows\System32\pOICybJ.exe
  2⤵
  PID:9808
- C:\Windows\System32\ecNzFlS.exe
  C:\Windows\System32\ecNzFlS.exe
  2⤵
  PID:9860
- C:\Windows\System32\EWiWjYM.exe
  C:\Windows\System32\EWiWjYM.exe
  2⤵
  PID:9924
- C:\Windows\System32\ICKCnHX.exe
  C:\Windows\System32\ICKCnHX.exe
  2⤵
  PID:9992
- C:\Windows\System32\UHrTobY.exe
  C:\Windows\System32\UHrTobY.exe
  2⤵
  PID:10068
- C:\Windows\System32\xuwQdTk.exe
  C:\Windows\System32\xuwQdTk.exe
  2⤵
  PID:10112
- C:\Windows\System32\aCDLsWl.exe
  C:\Windows\System32\aCDLsWl.exe
  2⤵
  PID:10168
- C:\Windows\System32\gHhtcXL.exe
  C:\Windows\System32\gHhtcXL.exe
  2⤵
  PID:8772
- C:\Windows\System32\UkhTcAB.exe
  C:\Windows\System32\UkhTcAB.exe
  2⤵
  PID:9368
- C:\Windows\System32\RiScciu.exe
  C:\Windows\System32\RiScciu.exe
  2⤵
  PID:9412
- C:\Windows\System32\CnpeZDd.exe
  C:\Windows\System32\CnpeZDd.exe
  2⤵
  PID:9876
- C:\Windows\System32\ZLrPfkH.exe
  C:\Windows\System32\ZLrPfkH.exe
  2⤵
  PID:9976
- C:\Windows\System32\OWVPboa.exe
  C:\Windows\System32\OWVPboa.exe
  2⤵
  PID:10136
- C:\Windows\System32\XbwbCkm.exe
  C:\Windows\System32\XbwbCkm.exe
  2⤵
  PID:10020
- C:\Windows\System32\gTSSUEE.exe
  C:\Windows\System32\gTSSUEE.exe
  2⤵
  PID:9280
- C:\Windows\System32\FCtgdDD.exe
  C:\Windows\System32\FCtgdDD.exe
  2⤵
  PID:2712
- C:\Windows\System32\Xzkruxh.exe
  C:\Windows\System32\Xzkruxh.exe
  2⤵
  PID:9596
- C:\Windows\System32\cFLyBrX.exe
  C:\Windows\System32\cFLyBrX.exe
  2⤵
  PID:10208
- C:\Windows\System32\MuJOLUT.exe
  C:\Windows\System32\MuJOLUT.exe
  2⤵
  PID:9792
- C:\Windows\System32\yZROycr.exe
  C:\Windows\System32\yZROycr.exe
  2⤵
  PID:9748
- C:\Windows\System32\kPoyiAa.exe
  C:\Windows\System32\kPoyiAa.exe
  2⤵
  PID:10260
- C:\Windows\System32\epLJITW.exe
  C:\Windows\System32\epLJITW.exe
  2⤵
  PID:10276
- C:\Windows\System32\wnDuRIs.exe
  C:\Windows\System32\wnDuRIs.exe
  2⤵
  PID:10312
- C:\Windows\System32\jVRKssn.exe
  C:\Windows\System32\jVRKssn.exe
  2⤵
  PID:10328
- C:\Windows\System32\OPfSNFH.exe
  C:\Windows\System32\OPfSNFH.exe
  2⤵
  PID:10352
- C:\Windows\System32\aEtdkVE.exe
  C:\Windows\System32\aEtdkVE.exe
  2⤵
  PID:10408
- C:\Windows\System32\GalMSMo.exe
  C:\Windows\System32\GalMSMo.exe
  2⤵
  PID:10424
- C:\Windows\System32\UTpXvPk.exe
  C:\Windows\System32\UTpXvPk.exe
  2⤵
  PID:10452
- C:\Windows\System32\yBGNKzM.exe
  C:\Windows\System32\yBGNKzM.exe
  2⤵
  PID:10484
- C:\Windows\System32\LYpKeSD.exe
  C:\Windows\System32\LYpKeSD.exe
  2⤵
  PID:10520
- C:\Windows\System32\gdZAFHB.exe
  C:\Windows\System32\gdZAFHB.exe
  2⤵
  PID:10536
- C:\Windows\System32\YHGBoNF.exe
  C:\Windows\System32\YHGBoNF.exe
  2⤵
  PID:10556
- C:\Windows\System32\XcbtDXD.exe
  C:\Windows\System32\XcbtDXD.exe
  2⤵
  PID:10572
- C:\Windows\System32\NtkJBqd.exe
  C:\Windows\System32\NtkJBqd.exe
  2⤵
  PID:10632
- C:\Windows\System32\opuWNmk.exe
  C:\Windows\System32\opuWNmk.exe
  2⤵
  PID:10652
- C:\Windows\System32\hkmxcmU.exe
  C:\Windows\System32\hkmxcmU.exe
  2⤵
  PID:10692
- C:\Windows\System32\RtcMFvH.exe
  C:\Windows\System32\RtcMFvH.exe
  2⤵
  PID:10716
- C:\Windows\System32\bxSVBgQ.exe
  C:\Windows\System32\bxSVBgQ.exe
  2⤵
  PID:10756
- C:\Windows\System32\ZfyzSDo.exe
  C:\Windows\System32\ZfyzSDo.exe
  2⤵
  PID:10788
- C:\Windows\System32\WGftaRN.exe
  C:\Windows\System32\WGftaRN.exe
  2⤵
  PID:10828
- C:\Windows\System32\nrsnCau.exe
  C:\Windows\System32\nrsnCau.exe
  2⤵
  PID:10860
- C:\Windows\System32\zsSBBAP.exe
  C:\Windows\System32\zsSBBAP.exe
  2⤵
  PID:10880
- C:\Windows\System32\sFGwjis.exe
  C:\Windows\System32\sFGwjis.exe
  2⤵
  PID:10904
- C:\Windows\System32\MlGGgnm.exe
  C:\Windows\System32\MlGGgnm.exe
  2⤵
  PID:10932
- C:\Windows\System32\PTohxKp.exe
  C:\Windows\System32\PTohxKp.exe
  2⤵
  PID:10972
- C:\Windows\System32\WZkkwuV.exe
  C:\Windows\System32\WZkkwuV.exe
  2⤵
  PID:10988
- C:\Windows\System32\qGTAssw.exe
  C:\Windows\System32\qGTAssw.exe
  2⤵
  PID:11020
- C:\Windows\System32\gzgjtik.exe
  C:\Windows\System32\gzgjtik.exe
  2⤵
  PID:11048
- C:\Windows\System32\aOXbhXr.exe
  C:\Windows\System32\aOXbhXr.exe
  2⤵
  PID:11068
- C:\Windows\System32\XEZZxSa.exe
  C:\Windows\System32\XEZZxSa.exe
  2⤵
  PID:11116
- C:\Windows\System32\dwLbjZx.exe
  C:\Windows\System32\dwLbjZx.exe
  2⤵
  PID:11140
- C:\Windows\System32\KpRWQtf.exe
  C:\Windows\System32\KpRWQtf.exe
  2⤵
  PID:11164
- C:\Windows\System32\OOfvSHU.exe
  C:\Windows\System32\OOfvSHU.exe
  2⤵
  PID:11200
- C:\Windows\System32\LPWcITC.exe
  C:\Windows\System32\LPWcITC.exe
  2⤵
  PID:11220
- C:\Windows\System32\FvgJugf.exe
  C:\Windows\System32\FvgJugf.exe
  2⤵
  PID:11256
- C:\Windows\System32\QJQAqTt.exe
  C:\Windows\System32\QJQAqTt.exe
  2⤵
  PID:9524
- C:\Windows\System32\OurFRih.exe
  C:\Windows\System32\OurFRih.exe
  2⤵
  PID:10252
- C:\Windows\System32\OJYxYuf.exe
  C:\Windows\System32\OJYxYuf.exe
  2⤵
  PID:10420
- C:\Windows\System32\hpwQMEU.exe
  C:\Windows\System32\hpwQMEU.exe
  2⤵
  PID:10440
- C:\Windows\System32\wvivbEx.exe
  C:\Windows\System32\wvivbEx.exe
  2⤵
  PID:10516
- C:\Windows\System32\TcTCtEQ.exe
  C:\Windows\System32\TcTCtEQ.exe
  2⤵
  PID:10552
- C:\Windows\System32\fFYLOow.exe
  C:\Windows\System32\fFYLOow.exe
  2⤵
  PID:10664
- C:\Windows\System32\VMxplrD.exe
  C:\Windows\System32\VMxplrD.exe
  2⤵
  PID:10784
- C:\Windows\System32\tUKpbDO.exe
  C:\Windows\System32\tUKpbDO.exe
  2⤵
  PID:10808
- C:\Windows\System32\oikPGSq.exe
  C:\Windows\System32\oikPGSq.exe
  2⤵
  PID:10868
- C:\Windows\System32\KcJbdly.exe
  C:\Windows\System32\KcJbdly.exe
  2⤵
  PID:10984
- C:\Windows\System32\EVCvFpm.exe
  C:\Windows\System32\EVCvFpm.exe
  2⤵
  PID:11028
- C:\Windows\System32\mzeQrTr.exe
  C:\Windows\System32\mzeQrTr.exe
  2⤵
  PID:11060
- C:\Windows\System32\FzjgMhc.exe
  C:\Windows\System32\FzjgMhc.exe
  2⤵
  PID:11104
- C:\Windows\System32\FCWAvro.exe
  C:\Windows\System32\FCWAvro.exe
  2⤵
  PID:11160
- C:\Windows\System32\DRDYlaz.exe
  C:\Windows\System32\DRDYlaz.exe
  2⤵
  PID:11176
- C:\Windows\System32\utkAdfk.exe
  C:\Windows\System32\utkAdfk.exe
  2⤵
  PID:10416
- C:\Windows\System32\CTKtNQy.exe
  C:\Windows\System32\CTKtNQy.exe
  2⤵
  PID:10528
- C:\Windows\System32\OvLPtHT.exe
  C:\Windows\System32\OvLPtHT.exe
  2⤵
  PID:10480
- C:\Windows\System32\akellKQ.exe
  C:\Windows\System32\akellKQ.exe
  2⤵
  PID:10648
- C:\Windows\System32\zEOhEPF.exe
  C:\Windows\System32\zEOhEPF.exe
  2⤵
  PID:10916
- C:\Windows\System32\ktHnKST.exe
  C:\Windows\System32\ktHnKST.exe
  2⤵
  PID:10928
- C:\Windows\System32\VFwpLSW.exe
  C:\Windows\System32\VFwpLSW.exe
  2⤵
  PID:11080
- C:\Windows\System32\tjVePFH.exe
  C:\Windows\System32\tjVePFH.exe
  2⤵
  PID:11096
- C:\Windows\System32\RJONOtK.exe
  C:\Windows\System32\RJONOtK.exe
  2⤵
  PID:10372
- C:\Windows\System32\rHgHNdy.exe
  C:\Windows\System32\rHgHNdy.exe
  2⤵
  PID:10896
- C:\Windows\System32\dmoPoBH.exe
  C:\Windows\System32\dmoPoBH.exe
  2⤵
  PID:10856
- C:\Windows\System32\TxwKaVH.exe
  C:\Windows\System32\TxwKaVH.exe
  2⤵
  PID:11292
- C:\Windows\System32\ZQDwtpA.exe
  C:\Windows\System32\ZQDwtpA.exe
  2⤵
  PID:11316
- C:\Windows\System32\ocYMQRt.exe
  C:\Windows\System32\ocYMQRt.exe
  2⤵
  PID:11336
- C:\Windows\System32\KCkbkxw.exe
  C:\Windows\System32\KCkbkxw.exe
  2⤵
  PID:11388
- C:\Windows\System32\eiBvpJt.exe
  C:\Windows\System32\eiBvpJt.exe
  2⤵
  PID:11412
- C:\Windows\System32\jfaYqte.exe
  C:\Windows\System32\jfaYqte.exe
  2⤵
  PID:11440
- C:\Windows\System32\NfVlNic.exe
  C:\Windows\System32\NfVlNic.exe
  2⤵
  PID:11456
- C:\Windows\System32\aFCHHGY.exe
  C:\Windows\System32\aFCHHGY.exe
  2⤵
  PID:11488
- C:\Windows\System32\AmMGCDb.exe
  C:\Windows\System32\AmMGCDb.exe
  2⤵
  PID:11536
- C:\Windows\System32\EeqqUVX.exe
  C:\Windows\System32\EeqqUVX.exe
  2⤵
  PID:11564
- C:\Windows\System32\pSxnAMU.exe
  C:\Windows\System32\pSxnAMU.exe
  2⤵
  PID:11580
- C:\Windows\System32\AKEkhCV.exe
  C:\Windows\System32\AKEkhCV.exe
  2⤵
  PID:11608
- C:\Windows\System32\aZoMWFb.exe
  C:\Windows\System32\aZoMWFb.exe
  2⤵
  PID:11628
- C:\Windows\System32\jIqeuci.exe
  C:\Windows\System32\jIqeuci.exe
  2⤵
  PID:11652
- C:\Windows\System32\gaZfDJg.exe
  C:\Windows\System32\gaZfDJg.exe
  2⤵
  PID:11672
- C:\Windows\System32\yJYDJPD.exe
  C:\Windows\System32\yJYDJPD.exe
  2⤵
  PID:11696
- C:\Windows\System32\fiCkDGv.exe
  C:\Windows\System32\fiCkDGv.exe
  2⤵
  PID:11716
- C:\Windows\System32\vmLBYXK.exe
  C:\Windows\System32\vmLBYXK.exe
  2⤵
  PID:11760
- C:\Windows\System32\rtlFPIi.exe
  C:\Windows\System32\rtlFPIi.exe
  2⤵
  PID:11796
- C:\Windows\System32\EJWxBaC.exe
  C:\Windows\System32\EJWxBaC.exe
  2⤵
  PID:11824
- C:\Windows\System32\WFnCMzf.exe
  C:\Windows\System32\WFnCMzf.exe
  2⤵
  PID:11848
- C:\Windows\System32\jzStzZw.exe
  C:\Windows\System32\jzStzZw.exe
  2⤵
  PID:11868
- C:\Windows\System32\pXtzfiJ.exe
  C:\Windows\System32\pXtzfiJ.exe
  2⤵
  PID:11888
- C:\Windows\System32\ureYIYc.exe
  C:\Windows\System32\ureYIYc.exe
  2⤵
  PID:11916
- C:\Windows\System32\mXVmMPF.exe
  C:\Windows\System32\mXVmMPF.exe
  2⤵
  PID:11984
- C:\Windows\System32\AfbNkJk.exe
  C:\Windows\System32\AfbNkJk.exe
  2⤵
  PID:12004
- C:\Windows\System32\clxjkwz.exe
  C:\Windows\System32\clxjkwz.exe
  2⤵
  PID:12044
- C:\Windows\System32\HiAgVwy.exe
  C:\Windows\System32\HiAgVwy.exe
  2⤵
  PID:12060
- C:\Windows\System32\CMhMBUT.exe
  C:\Windows\System32\CMhMBUT.exe
  2⤵
  PID:12080
- C:\Windows\System32\YcmKPJh.exe
  C:\Windows\System32\YcmKPJh.exe
  2⤵
  PID:12100
- C:\Windows\System32\UoGTUZf.exe
  C:\Windows\System32\UoGTUZf.exe
  2⤵
  PID:12120
- C:\Windows\System32\IBHgFMP.exe
  C:\Windows\System32\IBHgFMP.exe
  2⤵
  PID:12148
- C:\Windows\System32\miaYlSR.exe
  C:\Windows\System32\miaYlSR.exe
  2⤵
  PID:12164
- C:\Windows\System32\JInGMnV.exe
  C:\Windows\System32\JInGMnV.exe
  2⤵
  PID:12212
- C:\Windows\System32\TodYhFp.exe
  C:\Windows\System32\TodYhFp.exe
  2⤵
  PID:12244
- C:\Windows\System32\XhNRKMz.exe
  C:\Windows\System32\XhNRKMz.exe
  2⤵
  PID:12260
- C:\Windows\System32\HGWQvGK.exe
  C:\Windows\System32\HGWQvGK.exe
  2⤵
  PID:12284
- C:\Windows\System32\TqlkQsZ.exe
  C:\Windows\System32\TqlkQsZ.exe
  2⤵
  PID:11180
- C:\Windows\System32\VqOWWEQ.exe
  C:\Windows\System32\VqOWWEQ.exe
  2⤵
  PID:11332
- C:\Windows\System32\VwMHTav.exe
  C:\Windows\System32\VwMHTav.exe
  2⤵
  PID:11404
- C:\Windows\System32\MqUBeht.exe
  C:\Windows\System32\MqUBeht.exe
  2⤵
  PID:11500
- C:\Windows\System32\SrqrXBw.exe
  C:\Windows\System32\SrqrXBw.exe
  2⤵
  PID:11604
- C:\Windows\System32\kIZazlV.exe
  C:\Windows\System32\kIZazlV.exe
  2⤵
  PID:11668
- C:\Windows\System32\miKrEUu.exe
  C:\Windows\System32\miKrEUu.exe
  2⤵
  PID:11724
- C:\Windows\System32\JtXFNjN.exe
  C:\Windows\System32\JtXFNjN.exe
  2⤵
  PID:11772
- C:\Windows\System32\GKoZQRC.exe
  C:\Windows\System32\GKoZQRC.exe
  2⤵
  PID:4284
- C:\Windows\System32\IJOlhDz.exe
  C:\Windows\System32\IJOlhDz.exe
  2⤵
  PID:11860
- C:\Windows\System32\fYJYSTd.exe
  C:\Windows\System32\fYJYSTd.exe
  2⤵
  PID:11948
- C:\Windows\System32\uJNqLUi.exe
  C:\Windows\System32\uJNqLUi.exe
  2⤵
  PID:12032
- C:\Windows\System32\AcouEAr.exe
  C:\Windows\System32\AcouEAr.exe
  2⤵
  PID:12156
- C:\Windows\System32\kImcrjh.exe
  C:\Windows\System32\kImcrjh.exe
  2⤵
  PID:12276
- C:\Windows\System32\bvLwGjs.exe
  C:\Windows\System32\bvLwGjs.exe
  2⤵
  PID:11100
- C:\Windows\System32\MHJagDr.exe
  C:\Windows\System32\MHJagDr.exe
  2⤵
  PID:11348
- C:\Windows\System32\KtZNSKD.exe
  C:\Windows\System32\KtZNSKD.exe
  2⤵
  PID:11544
- C:\Windows\System32\EeBYcdH.exe
  C:\Windows\System32\EeBYcdH.exe
  2⤵
  PID:11620
- C:\Windows\System32\qXCybyU.exe
  C:\Windows\System32\qXCybyU.exe
  2⤵
  PID:11708
- C:\Windows\System32\UDiWwVQ.exe
  C:\Windows\System32\UDiWwVQ.exe
  2⤵
  PID:11884
- C:\Windows\System32\BEaArov.exe
  C:\Windows\System32\BEaArov.exe
  2⤵
  PID:12012
- C:\Windows\System32\EeMqQQZ.exe
  C:\Windows\System32\EeMqQQZ.exe
  2⤵
  PID:12128
- C:\Windows\System32\RoTeNVc.exe
  C:\Windows\System32\RoTeNVc.exe
  2⤵
  PID:12236
- C:\Windows\System32\zDGXUMa.exe
  C:\Windows\System32\zDGXUMa.exe
  2⤵
  PID:11780
- C:\Windows\System32\STybeLa.exe
  C:\Windows\System32\STybeLa.exe
  2⤵
  PID:12220
- C:\Windows\System32\aKCMyul.exe
  C:\Windows\System32\aKCMyul.exe
  2⤵
  PID:11904
- C:\Windows\System32\brWgxMa.exe
  C:\Windows\System32\brWgxMa.exe
  2⤵
  PID:12292
- C:\Windows\System32\vWSdhio.exe
  C:\Windows\System32\vWSdhio.exe
  2⤵
  PID:12320
- C:\Windows\System32\QFRmrgr.exe
  C:\Windows\System32\QFRmrgr.exe
  2⤵
  PID:12344
- C:\Windows\System32\mbvZapE.exe
  C:\Windows\System32\mbvZapE.exe
  2⤵
  PID:12360
- C:\Windows\System32\rRxXEbT.exe
  C:\Windows\System32\rRxXEbT.exe
  2⤵
  PID:12384
- C:\Windows\System32\sxjpkjq.exe
  C:\Windows\System32\sxjpkjq.exe
  2⤵
  PID:12400
- C:\Windows\System32\GHfFQtC.exe
  C:\Windows\System32\GHfFQtC.exe
  2⤵
  PID:12452
- C:\Windows\System32\kHVwMAJ.exe
  C:\Windows\System32\kHVwMAJ.exe
  2⤵
  PID:12480
- C:\Windows\System32\TlNlstQ.exe
  C:\Windows\System32\TlNlstQ.exe
  2⤵
  PID:12500
- C:\Windows\System32\ssFqpqP.exe
  C:\Windows\System32\ssFqpqP.exe
  2⤵
  PID:12532
- C:\Windows\System32\cMYDQEu.exe
  C:\Windows\System32\cMYDQEu.exe
  2⤵
  PID:12580
- C:\Windows\System32\JRyjpFN.exe
  C:\Windows\System32\JRyjpFN.exe
  2⤵
  PID:12620
- C:\Windows\System32\CtWQLRE.exe
  C:\Windows\System32\CtWQLRE.exe
  2⤵
  PID:12636
- C:\Windows\System32\kRtwdcZ.exe
  C:\Windows\System32\kRtwdcZ.exe
  2⤵
  PID:12668
- C:\Windows\System32\EPqZYkR.exe
  C:\Windows\System32\EPqZYkR.exe
  2⤵
  PID:12692
- C:\Windows\System32\mLlBBgA.exe
  C:\Windows\System32\mLlBBgA.exe
  2⤵
  PID:12708
- C:\Windows\System32\HpFbkRU.exe
  C:\Windows\System32\HpFbkRU.exe
  2⤵
  PID:12732
- C:\Windows\System32\ENBRtdQ.exe
  C:\Windows\System32\ENBRtdQ.exe
  2⤵
  PID:12748
- C:\Windows\System32\VKdWLWP.exe
  C:\Windows\System32\VKdWLWP.exe
  2⤵
  PID:12776
- C:\Windows\System32\XPqkJkq.exe
  C:\Windows\System32\XPqkJkq.exe
  2⤵
  PID:12860
- C:\Windows\System32\bjkIZUt.exe
  C:\Windows\System32\bjkIZUt.exe
  2⤵
  PID:12888
- C:\Windows\System32\nHteARJ.exe
  C:\Windows\System32\nHteARJ.exe
  2⤵
  PID:12916
- C:\Windows\System32\aebbYQb.exe
  C:\Windows\System32\aebbYQb.exe
  2⤵
  PID:12932
- C:\Windows\System32\LSEYbUo.exe
  C:\Windows\System32\LSEYbUo.exe
  2⤵
  PID:12992
- C:\Windows\System32\sNbMyNY.exe
  C:\Windows\System32\sNbMyNY.exe
  2⤵
  PID:13008
- C:\Windows\System32\ZaTGWLY.exe
  C:\Windows\System32\ZaTGWLY.exe
  2⤵
  PID:13032
- C:\Windows\System32\QtugSlV.exe
  C:\Windows\System32\QtugSlV.exe
  2⤵
  PID:13052
- C:\Windows\System32\EZOLfKS.exe
  C:\Windows\System32\EZOLfKS.exe
  2⤵
  PID:13104
- C:\Windows\System32\avKWTzV.exe
  C:\Windows\System32\avKWTzV.exe
  2⤵
  PID:13124
- C:\Windows\System32\WikltmZ.exe
  C:\Windows\System32\WikltmZ.exe
  2⤵
  PID:13152
- C:\Windows\System32\vWAUOVo.exe
  C:\Windows\System32\vWAUOVo.exe
  2⤵
  PID:13192
- C:\Windows\System32\BRigcVG.exe
  C:\Windows\System32\BRigcVG.exe
  2⤵
  PID:13220
- C:\Windows\System32\uGFTYgY.exe
  C:\Windows\System32\uGFTYgY.exe
  2⤵
  PID:13236
- C:\Windows\System32\GpcYQyn.exe
  C:\Windows\System32\GpcYQyn.exe
  2⤵
  PID:13268
- C:\Windows\System32\kdGfGzi.exe
  C:\Windows\System32\kdGfGzi.exe
  2⤵
  PID:13300
- C:\Windows\System32\GQNEVDD.exe
  C:\Windows\System32\GQNEVDD.exe
  2⤵
  PID:12300
- C:\Windows\System32\pdckAnk.exe
  C:\Windows\System32\pdckAnk.exe
  2⤵
  PID:12336
- C:\Windows\System32\RBdcXBY.exe
  C:\Windows\System32\RBdcXBY.exe
  2⤵
  PID:12396
- C:\Windows\System32\cVdOKkF.exe
  C:\Windows\System32\cVdOKkF.exe
  2⤵
  PID:12380
- C:\Windows\System32\RyaHGLS.exe
  C:\Windows\System32\RyaHGLS.exe
  2⤵
  PID:12492
- C:\Windows\System32\kuluDUu.exe
  C:\Windows\System32\kuluDUu.exe
  2⤵
  PID:12540
- C:\Windows\System32\NdvMcVQ.exe
  C:\Windows\System32\NdvMcVQ.exe
  2⤵
  PID:12688
- C:\Windows\System32\VzqIerZ.exe
  C:\Windows\System32\VzqIerZ.exe
  2⤵
  PID:12724
- C:\Windows\System32\kGiEMFD.exe
  C:\Windows\System32\kGiEMFD.exe
  2⤵
  PID:12872
- C:\Windows\System32\vYQJPOa.exe
  C:\Windows\System32\vYQJPOa.exe
  2⤵
  PID:12908
- C:\Windows\System32\NjihLty.exe
  C:\Windows\System32\NjihLty.exe
  2⤵
  PID:11976
- C:\Windows\System32\EexAsyX.exe
  C:\Windows\System32\EexAsyX.exe
  2⤵
  PID:12984
- C:\Windows\System32\PsMHOND.exe
  C:\Windows\System32\PsMHOND.exe
  2⤵
  PID:13100
- C:\Windows\System32\QUnmmic.exe
  C:\Windows\System32\QUnmmic.exe
  2⤵
  PID:4104
- C:\Windows\System32\yKQURsT.exe
  C:\Windows\System32\yKQURsT.exe
  2⤵
  PID:1060
- C:\Windows\System32\qFSdgzS.exe
  C:\Windows\System32\qFSdgzS.exe
  2⤵
  PID:13148
- C:\Windows\System32\YvBLLRc.exe
  C:\Windows\System32\YvBLLRc.exe
  2⤵
  PID:13160
- C:\Windows\System32\DmbGkzC.exe
  C:\Windows\System32\DmbGkzC.exe
  2⤵
  PID:13228
- C:\Windows\System32\VFTMQFr.exe
  C:\Windows\System32\VFTMQFr.exe
  2⤵
  PID:13284
- C:\Windows\System32\HmqtHxL.exe
  C:\Windows\System32\HmqtHxL.exe
  2⤵
  PID:12436
- C:\Windows\System32\ONgclLf.exe
  C:\Windows\System32\ONgclLf.exe
  2⤵
  PID:12572
- C:\Windows\System32\zYtKoyf.exe
  C:\Windows\System32\zYtKoyf.exe
  2⤵
  PID:12524
- C:\Windows\System32\NrmeAnF.exe
  C:\Windows\System32\NrmeAnF.exe
  2⤵
  PID:12900
- C:\Windows\System32\ncjkcTD.exe
  C:\Windows\System32\ncjkcTD.exe
  2⤵
  PID:13076
- C:\Windows\System32\DVsArBt.exe
  C:\Windows\System32\DVsArBt.exe
  2⤵
  PID:13248
- C:\Windows\System32\fNFCCWn.exe
  C:\Windows\System32\fNFCCWn.exe
  2⤵
  PID:2504
- C:\Windows\System32\NSnQXhg.exe
  C:\Windows\System32\NSnQXhg.exe
  2⤵
  PID:12512
- C:\Windows\System32\iWNRaQX.exe
  C:\Windows\System32\iWNRaQX.exe
  2⤵
  PID:12608
- C:\Windows\System32\aJkJiFM.exe
  C:\Windows\System32\aJkJiFM.exe
  2⤵
  PID:13352
- C:\Windows\System32\ZQgWcgA.exe
  C:\Windows\System32\ZQgWcgA.exe
  2⤵
  PID:13376
- C:\Windows\System32\GQbmEya.exe
  C:\Windows\System32\GQbmEya.exe
  2⤵
  PID:13404
- C:\Windows\System32\nHZpeVy.exe
  C:\Windows\System32\nHZpeVy.exe
  2⤵
  PID:13424
- C:\Windows\System32\CPZAUYp.exe
  C:\Windows\System32\CPZAUYp.exe
  2⤵
  PID:13452
- C:\Windows\System32\SFhmVEW.exe
  C:\Windows\System32\SFhmVEW.exe
  2⤵
  PID:13488
- C:\Windows\System32\mwnfgfl.exe
  C:\Windows\System32\mwnfgfl.exe
  2⤵
  PID:13508
- C:\Windows\System32\qdOsmRn.exe
  C:\Windows\System32\qdOsmRn.exe
  2⤵
  PID:13532
- C:\Windows\System32\LbNDwAh.exe
  C:\Windows\System32\LbNDwAh.exe
  2⤵
  PID:13552
- C:\Windows\System32\AyFYTma.exe
  C:\Windows\System32\AyFYTma.exe
  2⤵
  PID:13576
- C:\Windows\System32\WUOYxYc.exe
  C:\Windows\System32\WUOYxYc.exe
  2⤵
  PID:13616
- C:\Windows\System32\IuYIGZz.exe
  C:\Windows\System32\IuYIGZz.exe
  2⤵
  PID:13636
- C:\Windows\System32\cqfnTRo.exe
  C:\Windows\System32\cqfnTRo.exe
  2⤵
  PID:13664
- C:\Windows\System32\GergqYw.exe
  C:\Windows\System32\GergqYw.exe
  2⤵
  PID:13708
- C:\Windows\System32\GASlzJZ.exe
  C:\Windows\System32\GASlzJZ.exe
  2⤵
  PID:13780
- C:\Windows\System32\oPNPTvM.exe
  C:\Windows\System32\oPNPTvM.exe
  2⤵
  PID:13800
- C:\Windows\System32\vkebxGr.exe
  C:\Windows\System32\vkebxGr.exe
  2⤵
  PID:13820
- C:\Windows\System32\QdPKVWo.exe
  C:\Windows\System32\QdPKVWo.exe
  2⤵
  PID:13844

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BRcNTVU.exe

Filesize
1.3MB

MD5
0128877532a3a78c6413f90c93e1bef5

SHA1
c9584d04bb899d7adfd5c5f138eb36c4922af0be

SHA256
f3bf43c1e204072d9805329427304b0d2ee8bf4a1b04f2c2748ba3f78c17a115

SHA512
d537033b38a112ca260d9a268212d2b7a96937414d76e50b475e1aa91a695420dd76860c627f634e7c983d944c674be299dd38636c2691bd18c57e7bb61f13e5

Download Submit
C:\Windows\System32\DFVEndF.exe

Filesize
1.3MB

MD5
a1093f52d77b3d23d94afbdfaa5913ac

SHA1
dfcfe0848e72d40c0cb9bb411a2c888003d66620

SHA256
1959e4d021fd67698153d6552a63489a3e50c7aeb05b3ada482c6ed87c5f5b70

SHA512
e03484d74f149554c670d25af3aedc6e6ec6e51b8b49faa95266744e89b2ec7ce19bd14007531fe6980f5aa70d822d609cefb3bbf40b619db3f215bbaeaee1c8

Download Submit
C:\Windows\System32\DKnFfcu.exe

Filesize
1.3MB

MD5
dc84cf8dd8ad3b4e1b4b94b860d946bf

SHA1
89ab70abfcd145ece00feac481fe19b6817803d3

SHA256
b647d084f1390a760c1447690f63e034f70dad9a2573b4f7ab9d6513829bff12

SHA512
05e5c569ba2c33117a37fc06c869147ac7910e4fc2c4e944828853e0874de0fdd52000e1b2e71a1e4c70dbf129c6110a798619a73ce61c449505fbd6ab3575fd

Download Submit
C:\Windows\System32\FHhtkdw.exe

Filesize
1.3MB

MD5
a614ed77b0154b14f5af7bb49a72328f

SHA1
4b3be3530efa546c0ba855ac2d950fe7ea76858b

SHA256
7e46e5f733d1b24db6a5db2c7c47c322b1cc9d591cdb5a834ae048659ccd4fcf

SHA512
af4861c077068807894a10a838f3278c4bb6ae76e586b89afb08cafb5d420b8c03756ab1e91a164bf93bce5beeeb454ececc33fe27f3ca3a66feb3e1c0408f4f

Download Submit
C:\Windows\System32\GmkFazh.exe

Filesize
1.3MB

MD5
e3344d2d18897eacf6ea5b2681a06534

SHA1
874f95ff33f3d15cd3e45b65794555a928bfba96

SHA256
7972d458353676517bf18b839d471587c91c265d058a816d8f7fb039aaae2183

SHA512
7fe29f0d2f5087baa5a7fd986dd60f6af30867e79a50cb151b850848b8746ba8961624e2a2c77aba21d897709fc622b7ea2f3d1c3c49c05d73864eee940ef48a

Download Submit
C:\Windows\System32\HCzfnOG.exe

Filesize
1.3MB

MD5
1b572c243e73459d8baab899e14b83d6

SHA1
24273b48d3f8906544b5b946aad0c4cc71a78121

SHA256
d8a900d448ef0be40473b602ed06efae02187e1fedcc739afb2e802e58f21f8a

SHA512
58f82656bd5c5b681429f16abeef13deeda9627ce449361fb7251f8383fe9b2db00c50dc359e0a8ab6a8eca38741735c314ebd9d4a68416fd4b77a7b87339138

Download Submit
C:\Windows\System32\ILiPVmN.exe

Filesize
1.3MB

MD5
f5cb8f3dbbb7de1c904071a3c9d91f8f

SHA1
46d479c677f66e06ef4883e79d3b086c5d574694

SHA256
709e2a18ad6ef64e3a9622fda29f9426e6be762d5740a703f72701a1c3b44ea9

SHA512
db341fc797b12796006da44693863f213a33b275325e6ac1242bcabe74b21f2333a2a409855216ca8b53140a2f89d4708376595ef57474a7f11efa04776a28ba

Download Submit
C:\Windows\System32\JmlrTRA.exe

Filesize
1.3MB

MD5
babe05b5d9a7caf575edcd167544cb32

SHA1
a4e2403aea04dbd235de635f46e404117691c727

SHA256
f6a98682a1e539fc1306e347af5ecc1ab6c039937f937aa31bb4bd6462d64d3c

SHA512
b167b8c6b2613f2980229b49118ce1a80d8cd0105b65cfa9792549791c9e8fe5012e27c6b65741297f39affa2b996eddea57100aed80a0c59c9d342a67a3e0e8

Download Submit
C:\Windows\System32\KQJPesB.exe

Filesize
1.3MB

MD5
7a1061c35f9a9ffc5cc791b77195ef90

SHA1
dcc47d75f4877a9465392be1f41e178d585ef615

SHA256
e6cecf71a0b036a2fca788cf3673bf29795a2d60259b4b7d3630e0be5d3a0e82

SHA512
c737e7cb5e2150c4ab87028c07a9fe476f2fc68b5da89a6d4aabfe5fa4d17c3fbc0ac122f422ba2d55b3b65a8985c61266d87913e004cdeb65e48410d44f39c6

Download Submit
C:\Windows\System32\MWdmdbi.exe

Filesize
1.3MB

MD5
94899f3107127cf41ea3c73a47378373

SHA1
578130ad6623f2630e41cb197aec307a499eff4e

SHA256
8f826c0ae362b4f8a3e7b0e9e1f9f82315e8e43744d994d02abf65aa13fee0cb

SHA512
d35886765a0b1ad3f1ab235e89867a6ed278aa839ea954858449dfeb9b32af47961a382b919aa7f021d21d72fb47928475239dbf7615711b79fca7b65fe8ae0a

Download Submit
C:\Windows\System32\MaCxrmb.exe

Filesize
1.3MB

MD5
858eb3db80530ed82fa9e98797d4ca2a

SHA1
6e58a57deb106e80392602902542c1147a947ce2

SHA256
b79752fb708352cbdc7212411442ddb23462f27d57e72e728f1d25f7ed6a900b

SHA512
0628a8b716ae09b83bef366dad40a2a9092416b1feff8014228dae8d6121a96949429a26d5b91e1dda9b5f0035ef23aa6e21356e71b76352315dfc6e6022bec5

Download Submit
C:\Windows\System32\NuJuhSY.exe

Filesize
1.3MB

MD5
17a3ab560fbb71b8246dde46bbfbadbc

SHA1
5ccb4bf5397e655c870df81168517e3de71a9234

SHA256
00fe6c734c5d1ee5486ccdac11537755ca09d486f3ba39efdd6b24735f535c63

SHA512
3c12a3003b00dd9f6fae2434440110c75af704da24e01aa764ffb574cff83ca23a5589db20fc42d21e0d24baa2c1a039dbea10a525a287777a3b5e4ff2100d21

Download Submit
C:\Windows\System32\QXOmIlo.exe

Filesize
1.3MB

MD5
1ff1d079496eba8aa86a633844fde6c4

SHA1
7e979af0bfc7acd244d32c2fca0eac3f075e00bc

SHA256
78425d6bb679d627cb32940ae0ceecd639adafc27d36d703506389cd17c21244

SHA512
6430d848f706388bb8a88165acb5bf70d23ecb160deaf94b6d655c5089a431b5334d02dcfed40c377325906a3c7ec7433708db9731163a230d7d5bd071cb9606

Download Submit
C:\Windows\System32\RQxxDqB.exe

Filesize
1.3MB

MD5
590fd723a2173f7dd4f4f43627754924

SHA1
6168d67e571ca8cff0f90591aa2bbb7a1c244ac2

SHA256
f8093b13b821c9259d1f8b644af827bcfad81152ba1ea17b5d1dbc7600136000

SHA512
461dc47c1d6a5f7771bef463990135fef65c5eb9e8bd7b0126fcd9d4d92173bcb822ea5de2da68e62f21880691df9e07e397e941a7ad9a0ee6480a0918cd5751

Download Submit
C:\Windows\System32\UzreiZx.exe

Filesize
1.3MB

MD5
866c46db2b279bfb3713ff9978ff8af7

SHA1
264909c8c47e8ccf7710059077ccd9c4e2d52d3c

SHA256
f9fde8ef67cce2efc5bda85b948174df212965f7823e25360a19e6b765abd554

SHA512
6fa37a22543566d3a29079f5d44138f229171f7b9ea41c142ccfe88b7216c69f8654dc328966feb0b8037dc487bc863ac4e48c8e1b7f8598505c6044c484fd44

Download Submit
C:\Windows\System32\XizZIHZ.exe

Filesize
1.3MB

MD5
28d8490a861ba1cc0cce0adbd1ea22ec

SHA1
fffc28f7800a5fb03f9cd16d34b016263cba640f

SHA256
c437b3bbe2ad208d1859ff71be6dc5526966701fdd6b8e4a26e9d6c557324394

SHA512
fb5ef498749fe75b52ce1872f7da308b3b3033d0a545eeb6075ebc140e39cb056955aeaaa2542f291789189d6025cf7847adc41d0e55ec43b72de844bca460fc

Download Submit
C:\Windows\System32\ZSUNfDs.exe

Filesize
1.3MB

MD5
ef431cb5bb09ac42ab8b20a26d6954e8

SHA1
d4ed95ccdc940fec790fda961532fc71e5e8717b

SHA256
81c040c07b88371998e7a8dd7b3fcb5f5cb5e8330d8f28442834e3368e257dde

SHA512
303a34674dbc0e9aae77ac534bde0fec3a9e051e9ced9059acd575dbe503f35db14025287551396bd571af3e0b06f73645e0b09a79cf1791c08e2ad22f8a6690

Download Submit
C:\Windows\System32\aEybkMX.exe

Filesize
1.3MB

MD5
9fff19f774abaf717986cca751619fe3

SHA1
c6b8ee71f3f11b3ce57a915ce5b0537fe82dce2c

SHA256
f33bf82b601d5190bb61ba972f20d40f6d456ab05bf7d3ad4fe4b43d26107ef7

SHA512
a5e97914e900f7c4184c1e2e9d16b138fabcbd1b1a0e6d2978aaa19f9457086d95b3ef03daff214a2b015e1ab3ccaadb20a55a69de258d884532dc1275ebaef4

Download Submit
C:\Windows\System32\bbKXBLc.exe

Filesize
1.3MB

MD5
3c6faa8ad58e4e30eea7651e23421e29

SHA1
93ecdb53a099a41d848491e54466eb55872ba20a

SHA256
0f27272713161bb82780fc856edda174340cc28bd01f5f200a60d980b81c1a40

SHA512
123bb819094f5966b478a9d701ad655fadd1c9e42e6f3b605213d72bf6800cfc6925b488b6c90e9539a858192646ce1b0f4c5984867539018d0bf40e2c8a0353

Download Submit
C:\Windows\System32\dByDmrb.exe

Filesize
1.3MB

MD5
c00b928386005c8620d9eca0dacc937e

SHA1
b695c85519e19ba57d877308f6ce986c04f1a2d7

SHA256
822062e3d16b531094bb4159638a8bb6ad0de60103e008bd385d526af1ed5dae

SHA512
e8bc4d911a32a4a41a436f4dfe32b0284de6c8dc8965a6d623cb34b636f654ee4bc882c2b453929f3eab81dbcfb25f9a51f23f2e4db8053ea21b5fa7609e308e

Download Submit
C:\Windows\System32\eEbMGYq.exe

Filesize
1.3MB

MD5
931acfd2299a0abd66a663a1c0bbfdcd

SHA1
f2d373157234eee8b573c510ffb2ac6c644b60af

SHA256
fb5e9cec9e1a5c83d6c1e13caefe7bddf2ce76e3633a7762bf298770b4f50c7a

SHA512
540fdc17d5b0711e2bcca798a673f4664e7eb97e47bdfb67067e512ca91ae585406cd4199b6440258f59478ad41609c09d2eba7ffa8f0279c214176f601b855b

Download Submit
C:\Windows\System32\hCgrovu.exe

Filesize
1.3MB

MD5
1707d6b3527d7f5731c57fff815a08db

SHA1
9c776fa6d7eba3ca9e836ea2deb489ea70c47c3b

SHA256
9de2424f30f7b70b5fc4e12e00d414ae263888939d79b0f4990ab608f3769334

SHA512
14454a0a1c3168b7cba810fcaa87ca8b74a578104e5f52b2b993c53b3b3fd7beb24f644450c749cca97200e942fc97b0a6100b000363e21faebd26a31416d460

Download Submit
C:\Windows\System32\hjOpqGM.exe

Filesize
1.3MB

MD5
01f2c55ec05409a48babc8de962849a4

SHA1
168076b5f781dbffcf947f39e72eb3cf20958b11

SHA256
fee1589bc3980cde7296f19f0c73eb9dc9587bbd24f4b163147e263302ff38d0

SHA512
6440512f2e04f792feea1f9b551ed6973e2fbdc8f2582a02136a31c9a4ff9078ee0ba62142e25975cc6e008dc6c6eb76f65fa15965e3fd2813eaa88e7bfa24db

Download Submit
C:\Windows\System32\iCkvMoz.exe

Filesize
1.3MB

MD5
0809561c91ec4bd100c4e2a6bfe76baa

SHA1
1f3ecd34bd03d07b97438599a51d9b7095f56277

SHA256
b94a34f4bec345c27eb0319674fa252847d18f9b5fa4e8a0fa6e83193be1cf69

SHA512
0ae81f87dd9869b62be8da831feb1276208b8a33f43b332bb50ea02b21224ee352ff890fa2091164bdfa6d67272ca4c23258b11021833b7aafde185f671387b7

Download Submit
C:\Windows\System32\kuvlcGk.exe

Filesize
1.3MB

MD5
7385bcb5bb359802b2523daa2149c0d4

SHA1
77dfa00be90a17e4883802c8640f657084591e9d

SHA256
17f59cef76d7dc01b373d86d8508f9284e56949a7b18de45edb63ea14f5349a2

SHA512
24398b68fa703f9a51d1eabb9bffc97277a3e4d55819747d96e82bf41fa5cd1411eda1e909d526edb2e5cfab612a0ba19f9dfc25a0f0be5a5c2029c2b7f8b4a6

Download Submit
C:\Windows\System32\lRiNdar.exe

Filesize
1.3MB

MD5
f5d2c5954c5bb1b4601fa3a4176cba33

SHA1
2a30051b5d7732bc99069f83dd440fe005c63dbd

SHA256
673dafbcabd312276ac48ab1250edc07e00a86cc36c07b875da4de04a9b0b65d

SHA512
de73329b1d55345d030431db79705317b51949eca8b506ced9ca9b4b8ba5bc28204415c1563f78a8044c7daae6846f21a0799de089819042054facc074085742

Download Submit
C:\Windows\System32\oDGaBOy.exe

Filesize
1.3MB

MD5
c25b2386d4f35e1f4b2774df146a6fbe

SHA1
fa07dfa35f3876e78c8ab448ed6c18f746ad33a8

SHA256
52a595eaef45f876173bfc09954fabe3ba75ccffe1997cfe9df785e0dadbe5bf

SHA512
391ecfe060afc0ee07f30d7908b728ce33deb841d80ed6c7bc428e08aec480a17d432d8e694d04ee43de45a855b34bc24e41e83b62267cfab45a1d5b47a370ec

Download Submit
C:\Windows\System32\oJXEQYN.exe

Filesize
1.3MB

MD5
24c9e48d68c2b66c06e7f2acd852f1d2

SHA1
d5149efaa01fabe6799770a360a7337b050f98c3

SHA256
d983425f0dfc0f118f148d281ebbc2ac787decbd25847fe271073781ccbe5ea2

SHA512
164690d8d38ea3d28a63aacfce4a4bef8e885bb75ab55f4b443f000d88d247d700bbece18f8abb5ac741b4c5967bef2b995b9b631a4bca3b0d8aa31c66ec6059

Download Submit
C:\Windows\System32\rWxmbrC.exe

Filesize
1.3MB

MD5
16e634b369191684357d8e585019727e

SHA1
95439e8113d716317ca0aed2863445a0d321da77

SHA256
5db232c5c175be434a5bdd2ed56ceae704e8e3d798f6b0e0a03cd6a4939410d2

SHA512
493c704bb88be75ba96f5cb4e6320a1d1aa5ec8608ddd3a4e602325e18e9f6ed9b9f7d5a24504e1a6397c976d9cce98e079d5046c39eb2cd9ebf0b23da6690fa

Download Submit
C:\Windows\System32\tOVNamy.exe

Filesize
1.3MB

MD5
b9d1ac22ea207b3a3b88ee19a493ed2f

SHA1
e20a52c8b9adf4daf5f43d962f77548038e8b870

SHA256
f0ae7d249f46fc481cf8dab88933215e3d99ca43cf1fbac810b417e51ac91a3b

SHA512
1ec9b7d420dd04674fd5975991baeca7fc7cc451963c3578c35044ecd8acacd1a427ae8e0090f3a2ae8a6e2519c3b21798d57c8fbf889b0aea243fe1f11b79a0

Download Submit
C:\Windows\System32\vGkFmDw.exe

Filesize
1.3MB

MD5
1e4bfc6c01dabdbca199cb4f3a9eae1b

SHA1
6fd6435fc1595fb35cc8b28949cb94f352b4105b

SHA256
3fabe71b7933e7573ce10f345da3ee72d3215af9f7ae28f00f42816655fdbb1b

SHA512
37d6ec7d995808d8dc150407be6a2ad61da99651c4e706233398d43fe68f75c1f48df9f3e349a4d06c501ce93512f93b8777825368b5809b60b155fb5d571aef

Download Submit
C:\Windows\System32\vojsMOM.exe

Filesize
1.3MB

MD5
eba6247ee1f2fef19d57c8325033b865

SHA1
b5db697fac833ec8bec21101ff43f02f6960aa02

SHA256
519278d5e187bcb002e89631d73b73d8d9724f05d6ed8e3ea267399d9e41fdf6

SHA512
a8cc0abe028fe607e8949651222155e83973ff9061709f145f82b4c977f1f8919083944f2279bc42158c69980091c9ba8d209a5bea8789b9e7104abeefcf83c6

Download Submit
C:\Windows\System32\wYrNVlz.exe

Filesize
1.3MB

MD5
a5d1815123e352af595a60d3c513bfc2

SHA1
e0b03c52066b138c8a53b355a6484cb0f529cc9f

SHA256
650ebefcc62176d937a844903a0f3d6d470316b64dfb94a9cba2b4e8e979f96a

SHA512
1a54330417568e2f2834d7ca75c5e46847a043bce38164e877f6e3d226f50c9efd70ea548f8ddaeb4d6001c2a4b836acc486323b25ae9753d0fe0a3819cb767f

Download Submit
memory/224-2221-0x00007FF796AE0000-0x00007FF796ED1000-memory.dmp

Filesize
3.9MB

Download
memory/224-435-0x00007FF796AE0000-0x00007FF796ED1000-memory.dmp

Filesize
3.9MB

Download
memory/464-421-0x00007FF751D20000-0x00007FF752111000-memory.dmp

Filesize
3.9MB

Download
memory/668-477-0x00007FF76D560000-0x00007FF76D951000-memory.dmp

Filesize
3.9MB

Download
memory/668-2212-0x00007FF76D560000-0x00007FF76D951000-memory.dmp

Filesize
3.9MB

Download
memory/672-2189-0x00007FF66D8A0000-0x00007FF66DC91000-memory.dmp

Filesize
3.9MB

Download
memory/672-418-0x00007FF66D8A0000-0x00007FF66DC91000-memory.dmp

Filesize
3.9MB

Download
memory/956-489-0x00007FF769150000-0x00007FF769541000-memory.dmp

Filesize
3.9MB

Download
memory/1188-827-0x00007FF7E95E0000-0x00007FF7E99D1000-memory.dmp

Filesize
3.9MB

Download
memory/1188-0-0x00007FF7E95E0000-0x00007FF7E99D1000-memory.dmp

Filesize
3.9MB

Download
memory/1188-1-0x0000015D3A070000-0x0000015D3A080000-memory.dmp

Filesize
64KB

Download
memory/1624-431-0x00007FF61ACC0000-0x00007FF61B0B1000-memory.dmp

Filesize
3.9MB

Download
memory/1624-2223-0x00007FF61ACC0000-0x00007FF61B0B1000-memory.dmp

Filesize
3.9MB

Download
memory/1864-2219-0x00007FF7480F0000-0x00007FF7484E1000-memory.dmp

Filesize
3.9MB

Download
memory/1864-437-0x00007FF7480F0000-0x00007FF7484E1000-memory.dmp

Filesize
3.9MB

Download
memory/2644-454-0x00007FF757400000-0x00007FF7577F1000-memory.dmp

Filesize
3.9MB

Download
memory/3000-2181-0x00007FF777710000-0x00007FF777B01000-memory.dmp

Filesize
3.9MB

Download
memory/3000-1439-0x00007FF777710000-0x00007FF777B01000-memory.dmp

Filesize
3.9MB

Download
memory/3000-44-0x00007FF777710000-0x00007FF777B01000-memory.dmp

Filesize
3.9MB

Download
memory/3208-2187-0x00007FF6AC240000-0x00007FF6AC631000-memory.dmp

Filesize
3.9MB

Download
memory/3208-413-0x00007FF6AC240000-0x00007FF6AC631000-memory.dmp

Filesize
3.9MB

Download
memory/3316-47-0x00007FF6BC970000-0x00007FF6BCD61000-memory.dmp

Filesize
3.9MB

Download
memory/3316-2183-0x00007FF6BC970000-0x00007FF6BCD61000-memory.dmp

Filesize
3.9MB

Download
memory/3316-1442-0x00007FF6BC970000-0x00007FF6BCD61000-memory.dmp

Filesize
3.9MB

Download
memory/3556-1340-0x00007FF7F1AF0000-0x00007FF7F1EE1000-memory.dmp

Filesize
3.9MB

Download
memory/3556-38-0x00007FF7F1AF0000-0x00007FF7F1EE1000-memory.dmp

Filesize
3.9MB

Download
memory/3764-2147-0x00007FF656720000-0x00007FF656B11000-memory.dmp

Filesize
3.9MB

Download
memory/3764-1110-0x00007FF656720000-0x00007FF656B11000-memory.dmp

Filesize
3.9MB

Download
memory/3764-10-0x00007FF656720000-0x00007FF656B11000-memory.dmp

Filesize
3.9MB

Download
memory/3992-1116-0x00007FF6EC980000-0x00007FF6ECD71000-memory.dmp

Filesize
3.9MB

Download
memory/3992-31-0x00007FF6EC980000-0x00007FF6ECD71000-memory.dmp

Filesize
3.9MB

Download
memory/3992-2153-0x00007FF6EC980000-0x00007FF6ECD71000-memory.dmp

Filesize
3.9MB

Download
memory/4224-480-0x00007FF76EFE0000-0x00007FF76F3D1000-memory.dmp

Filesize
3.9MB

Download
memory/4228-500-0x00007FF66D3F0000-0x00007FF66D7E1000-memory.dmp

Filesize
3.9MB

Download
memory/4228-2185-0x00007FF66D3F0000-0x00007FF66D7E1000-memory.dmp

Filesize
3.9MB

Download
memory/4356-460-0x00007FF7E3940000-0x00007FF7E3D31000-memory.dmp

Filesize
3.9MB

Download
memory/4356-2216-0x00007FF7E3940000-0x00007FF7E3D31000-memory.dmp

Filesize
3.9MB

Download
memory/4432-424-0x00007FF6CAFF0000-0x00007FF6CB3E1000-memory.dmp

Filesize
3.9MB

Download
memory/4436-488-0x00007FF6B2D70000-0x00007FF6B3161000-memory.dmp

Filesize
3.9MB

Download
memory/4736-1113-0x00007FF728E70000-0x00007FF729261000-memory.dmp

Filesize
3.9MB

Download
memory/4736-27-0x00007FF728E70000-0x00007FF729261000-memory.dmp

Filesize
3.9MB

Download
memory/4736-2149-0x00007FF728E70000-0x00007FF729261000-memory.dmp

Filesize
3.9MB

Download
memory/4812-467-0x00007FF6C5A50000-0x00007FF6C5E41000-memory.dmp

Filesize
3.9MB

Download
memory/4812-2214-0x00007FF6C5A50000-0x00007FF6C5E41000-memory.dmp

Filesize
3.9MB

Download
memory/4824-28-0x00007FF729DD0000-0x00007FF72A1C1000-memory.dmp

Filesize
3.9MB

Download
memory/4824-2151-0x00007FF729DD0000-0x00007FF72A1C1000-memory.dmp

Filesize
3.9MB

Download
memory/5020-447-0x00007FF6DB660000-0x00007FF6DBA51000-memory.dmp

Filesize
3.9MB

Download
memory/5096-2179-0x00007FF7C56D0000-0x00007FF7C5AC1000-memory.dmp

Filesize
3.9MB

Download
memory/5096-32-0x00007FF7C56D0000-0x00007FF7C5AC1000-memory.dmp

Filesize
3.9MB

Download
memory/5096-1337-0x00007FF7C56D0000-0x00007FF7C5AC1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads