xmrig | 3e0722daf231ffc2dc7e84e822733b6cfe31a41b53070e73864a7b850595b9cf

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
Size

1.6MB
MD5

4a6b08c563ddbeb4e6b14887ab2f5bf0
SHA1

3c979cbb9fe2182e858b9ae81b1a11d6af15c405
SHA256

3e0722daf231ffc2dc7e84e822733b6cfe31a41b53070e73864a7b850595b9cf
SHA512

e62e4554f4c9517d788d80c6c1746da12d8e281c9fc481dfb194babcb7e0b666676c98946a5f3673146a0f081669183c09b5c87f2d84c46ee87f91ec256572d8
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1dGc15B3zpGVQb9rwN1We:knw9oUUEEDl37jcq4nP7mxrZi

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral2/memory/4568-34-0x00007FF7A5FB0000-0x00007FF7A63A1000-memory.dmp	xmrig
behavioral2/memory/2836-534-0x00007FF6BD290000-0x00007FF6BD681000-memory.dmp	xmrig
behavioral2/memory/4228-535-0x00007FF73E1B0000-0x00007FF73E5A1000-memory.dmp	xmrig
behavioral2/memory/1436-536-0x00007FF698960000-0x00007FF698D51000-memory.dmp	xmrig
behavioral2/memory/1432-537-0x00007FF7BA6F0000-0x00007FF7BAAE1000-memory.dmp	xmrig
behavioral2/memory/4172-31-0x00007FF6C4510000-0x00007FF6C4901000-memory.dmp	xmrig
behavioral2/memory/1684-538-0x00007FF63F230000-0x00007FF63F621000-memory.dmp	xmrig
behavioral2/memory/2128-541-0x00007FF610B20000-0x00007FF610F11000-memory.dmp	xmrig
behavioral2/memory/4392-540-0x00007FF7452C0000-0x00007FF7456B1000-memory.dmp	xmrig
behavioral2/memory/1972-539-0x00007FF70F9C0000-0x00007FF70FDB1000-memory.dmp	xmrig
behavioral2/memory/4240-542-0x00007FF7F40C0000-0x00007FF7F44B1000-memory.dmp	xmrig
behavioral2/memory/772-543-0x00007FF71E820000-0x00007FF71EC11000-memory.dmp	xmrig
behavioral2/memory/3720-556-0x00007FF79E480000-0x00007FF79E871000-memory.dmp	xmrig
behavioral2/memory/2868-558-0x00007FF6E3580000-0x00007FF6E3971000-memory.dmp	xmrig
behavioral2/memory/4256-560-0x00007FF6ACBF0000-0x00007FF6ACFE1000-memory.dmp	xmrig
behavioral2/memory/2320-574-0x00007FF7446C0000-0x00007FF744AB1000-memory.dmp	xmrig
behavioral2/memory/4120-578-0x00007FF6C92F0000-0x00007FF6C96E1000-memory.dmp	xmrig
behavioral2/memory/392-591-0x00007FF729F40000-0x00007FF72A331000-memory.dmp	xmrig
behavioral2/memory/3704-595-0x00007FF6585A0000-0x00007FF658991000-memory.dmp	xmrig
behavioral2/memory/4164-600-0x00007FF6CF830000-0x00007FF6CFC21000-memory.dmp	xmrig
behavioral2/memory/3120-601-0x00007FF6CA460000-0x00007FF6CA851000-memory.dmp	xmrig
behavioral2/memory/2972-573-0x00007FF6F5F90000-0x00007FF6F6381000-memory.dmp	xmrig
behavioral2/memory/2016-1551-0x00007FF63A080000-0x00007FF63A471000-memory.dmp	xmrig
behavioral2/memory/3196-1548-0x00007FF726180000-0x00007FF726571000-memory.dmp	xmrig
behavioral2/memory/2832-1664-0x00007FF7DE560000-0x00007FF7DE951000-memory.dmp	xmrig
behavioral2/memory/4172-2069-0x00007FF6C4510000-0x00007FF6C4901000-memory.dmp	xmrig
behavioral2/memory/4568-2071-0x00007FF7A5FB0000-0x00007FF7A63A1000-memory.dmp	xmrig
behavioral2/memory/2836-2077-0x00007FF6BD290000-0x00007FF6BD681000-memory.dmp	xmrig
behavioral2/memory/3704-2075-0x00007FF6585A0000-0x00007FF658991000-memory.dmp	xmrig
behavioral2/memory/2016-2073-0x00007FF63A080000-0x00007FF63A471000-memory.dmp	xmrig
behavioral2/memory/2868-2118-0x00007FF6E3580000-0x00007FF6E3971000-memory.dmp	xmrig
behavioral2/memory/772-2114-0x00007FF71E820000-0x00007FF71EC11000-memory.dmp	xmrig
behavioral2/memory/4120-2127-0x00007FF6C92F0000-0x00007FF6C96E1000-memory.dmp	xmrig
behavioral2/memory/1432-2134-0x00007FF7BA6F0000-0x00007FF7BAAE1000-memory.dmp	xmrig
behavioral2/memory/4164-2131-0x00007FF6CF830000-0x00007FF6CFC21000-memory.dmp	xmrig
behavioral2/memory/4392-2125-0x00007FF7452C0000-0x00007FF7456B1000-memory.dmp	xmrig
behavioral2/memory/3720-2112-0x00007FF79E480000-0x00007FF79E871000-memory.dmp	xmrig
behavioral2/memory/4256-2110-0x00007FF6ACBF0000-0x00007FF6ACFE1000-memory.dmp	xmrig
behavioral2/memory/2832-2106-0x00007FF7DE560000-0x00007FF7DE951000-memory.dmp	xmrig
behavioral2/memory/2128-2116-0x00007FF610B20000-0x00007FF610F11000-memory.dmp	xmrig
behavioral2/memory/2972-2108-0x00007FF6F5F90000-0x00007FF6F6381000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2016	RALBHsf.exe
4172	LisZixN.exe
3704	eoapnny.exe
4568	eQXTZMr.exe
2832	YDCwtaw.exe
2836	MuyDmfn.exe
4164	GsnNkxM.exe
3120	QdtgeUN.exe
4228	vHuwzlU.exe
1436	SYsxvrl.exe
1432	IaHvdxm.exe
1684	tpJdDba.exe
1972	gDyYIaE.exe
4392	LydRLBH.exe
2128	keaVPvS.exe
4240	meIOglY.exe
772	SEbklve.exe
3720	zPbbXfo.exe
2868	jarJCGo.exe
4256	sVuhsIG.exe
2972	HgGElUP.exe
2320	mEGqPKF.exe
4120	hflvmJo.exe
392	ThjhEEG.exe
2296	GXGBiJr.exe
1304	TuZFagt.exe
3592	KFSVExV.exe
4984	fQvbnsa.exe
2216	LRToKay.exe
452	iMgkGEc.exe
4332	fHALQuW.exe
2192	aCwZmBm.exe
2328	NkfglWm.exe
3088	ycGQlrP.exe
984	wCubJMA.exe
1652	qlBKIXe.exe
1172	vEVgUgh.exe
3672	MuayWwl.exe
3472	KTHPESe.exe
5096	MuAeEkp.exe
4340	BccHJKk.exe
744	JKUvwJF.exe
3784	sPZxrkb.exe
3624	YWgMsMu.exe
4520	Cwnbzps.exe
1940	BXfEBZw.exe
5136	QYVlVBn.exe
5160	NmWlmsw.exe
5188	ssPrCax.exe
5216	COaRIIq.exe
5244	VSNgTaL.exe
5276	mQlpEpO.exe
5300	HujHvAm.exe
5328	rZtaKok.exe
5356	VjwmgDQ.exe
5388	OjjiEWi.exe
5416	SrAvPCU.exe
5440	qDpNYsT.exe
5468	lpQusWz.exe
5496	jfvVpUk.exe
5532	MkbWWTj.exe
5556	kloohGk.exe
5580	byIadln.exe
5612	uPzIHbI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3196-0-0x00007FF726180000-0x00007FF726571000-memory.dmp	upx
behavioral2/files/0x0007000000023624-15.dat	upx
behavioral2/files/0x0007000000023627-24.dat	upx
behavioral2/memory/2016-27-0x00007FF63A080000-0x00007FF63A471000-memory.dmp	upx
behavioral2/memory/4568-34-0x00007FF7A5FB0000-0x00007FF7A63A1000-memory.dmp	upx
behavioral2/files/0x0007000000023626-37.dat	upx
behavioral2/files/0x0007000000023629-40.dat	upx
behavioral2/files/0x000700000002362b-55.dat	upx
behavioral2/files/0x000700000002362c-63.dat	upx
behavioral2/files/0x000700000002362e-73.dat	upx
behavioral2/files/0x0007000000023635-108.dat	upx
behavioral2/files/0x000700000002363b-135.dat	upx
behavioral2/files/0x000700000002363f-151.dat	upx
behavioral2/memory/2836-534-0x00007FF6BD290000-0x00007FF6BD681000-memory.dmp	upx
behavioral2/memory/4228-535-0x00007FF73E1B0000-0x00007FF73E5A1000-memory.dmp	upx
behavioral2/memory/1436-536-0x00007FF698960000-0x00007FF698D51000-memory.dmp	upx
behavioral2/memory/1432-537-0x00007FF7BA6F0000-0x00007FF7BAAE1000-memory.dmp	upx
behavioral2/files/0x0007000000023641-165.dat	upx
behavioral2/files/0x0007000000023640-160.dat	upx
behavioral2/files/0x000700000002363e-153.dat	upx
behavioral2/files/0x000700000002363d-148.dat	upx
behavioral2/files/0x000700000002363c-140.dat	upx
behavioral2/files/0x000700000002363a-130.dat	upx
behavioral2/files/0x0007000000023639-128.dat	upx
behavioral2/files/0x0007000000023638-123.dat	upx
behavioral2/files/0x0007000000023637-118.dat	upx
behavioral2/files/0x0007000000023636-110.dat	upx
behavioral2/files/0x0007000000023634-101.dat	upx
behavioral2/files/0x0007000000023633-98.dat	upx
behavioral2/files/0x0007000000023632-90.dat	upx
behavioral2/files/0x0007000000023631-86.dat	upx
behavioral2/files/0x0007000000023630-80.dat	upx
behavioral2/files/0x000700000002362f-75.dat	upx
behavioral2/files/0x000700000002362d-68.dat	upx
behavioral2/files/0x000700000002362a-53.dat	upx
behavioral2/files/0x0007000000023628-43.dat	upx
behavioral2/memory/2832-39-0x00007FF7DE560000-0x00007FF7DE951000-memory.dmp	upx
behavioral2/memory/4172-31-0x00007FF6C4510000-0x00007FF6C4901000-memory.dmp	upx
behavioral2/memory/1684-538-0x00007FF63F230000-0x00007FF63F621000-memory.dmp	upx
behavioral2/files/0x0008000000023622-20.dat	upx
behavioral2/memory/2128-541-0x00007FF610B20000-0x00007FF610F11000-memory.dmp	upx
behavioral2/memory/4392-540-0x00007FF7452C0000-0x00007FF7456B1000-memory.dmp	upx
behavioral2/memory/1972-539-0x00007FF70F9C0000-0x00007FF70FDB1000-memory.dmp	upx
behavioral2/files/0x0007000000023625-19.dat	upx
behavioral2/files/0x0007000000023623-9.dat	upx
behavioral2/memory/4240-542-0x00007FF7F40C0000-0x00007FF7F44B1000-memory.dmp	upx
behavioral2/memory/772-543-0x00007FF71E820000-0x00007FF71EC11000-memory.dmp	upx
behavioral2/memory/3720-556-0x00007FF79E480000-0x00007FF79E871000-memory.dmp	upx
behavioral2/memory/2868-558-0x00007FF6E3580000-0x00007FF6E3971000-memory.dmp	upx
behavioral2/memory/4256-560-0x00007FF6ACBF0000-0x00007FF6ACFE1000-memory.dmp	upx
behavioral2/memory/2320-574-0x00007FF7446C0000-0x00007FF744AB1000-memory.dmp	upx
behavioral2/memory/4120-578-0x00007FF6C92F0000-0x00007FF6C96E1000-memory.dmp	upx
behavioral2/memory/392-591-0x00007FF729F40000-0x00007FF72A331000-memory.dmp	upx
behavioral2/memory/3704-595-0x00007FF6585A0000-0x00007FF658991000-memory.dmp	upx
behavioral2/memory/4164-600-0x00007FF6CF830000-0x00007FF6CFC21000-memory.dmp	upx
behavioral2/memory/3120-601-0x00007FF6CA460000-0x00007FF6CA851000-memory.dmp	upx
behavioral2/memory/2972-573-0x00007FF6F5F90000-0x00007FF6F6381000-memory.dmp	upx
behavioral2/memory/2016-1551-0x00007FF63A080000-0x00007FF63A471000-memory.dmp	upx
behavioral2/memory/3196-1548-0x00007FF726180000-0x00007FF726571000-memory.dmp	upx
behavioral2/memory/2832-1664-0x00007FF7DE560000-0x00007FF7DE951000-memory.dmp	upx
behavioral2/memory/4172-2069-0x00007FF6C4510000-0x00007FF6C4901000-memory.dmp	upx
behavioral2/memory/4568-2071-0x00007FF7A5FB0000-0x00007FF7A63A1000-memory.dmp	upx
behavioral2/memory/2836-2077-0x00007FF6BD290000-0x00007FF6BD681000-memory.dmp	upx
behavioral2/memory/3704-2075-0x00007FF6585A0000-0x00007FF658991000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\NJHvHFF.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\hlGowXr.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\nXbGKMJ.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\DNrgJpP.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\eQoZepX.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\OhSiIAs.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\SJGIGUU.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\eoapnny.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\MuayWwl.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\INGHBmR.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\RdLqbYM.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\yXIOSKq.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\LuGQTHI.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\ffwLpzQ.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\pBwdPgZ.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\SYTILdZ.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\RBAGRyO.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\ODgMeyj.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\JKUvwJF.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\oWBOaSJ.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\pcVJTog.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\fVcytDD.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\uFtMXTx.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\Mlksali.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\HGsVlFA.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\JwFjXWE.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\zJigSeq.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\RInviWQ.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\gaBPdYC.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\dkaBECm.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\fcTaIRy.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\acxHKkW.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\jFadWat.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\tpJdDba.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\BXfEBZw.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\eUpknmT.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\DOVJfyj.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\Yoyeqyt.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\rYOJDlZ.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\WizWgTQ.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\YaHVURL.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\nJlpSCz.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\jyhCkZr.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\LLEUILa.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\veIphmx.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\AwJwZgO.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\YOKTmaO.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\PCZEfNK.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\TuZFagt.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\iMgkGEc.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\ycGQlrP.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\gRYWcBr.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\KLkqhxt.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\pmFsZYD.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\uJkUpRZ.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\sVuhsIG.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\VSNgTaL.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\NtqXbdc.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\BvOUFfz.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\TcoakEN.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\pEIKFYL.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\wCcksOU.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\ugpyzEB.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
File created	C:\Windows\System32\FdmBNZP.exe	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13628	dwm.exe
Token: SeChangeNotifyPrivilege	13628	dwm.exe
Token: 33	13628	dwm.exe
Token: SeIncBasePriorityPrivilege	13628	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 2016	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	92
PID 3196 wrote to memory of 2016	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	92
PID 3196 wrote to memory of 4172	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	93
PID 3196 wrote to memory of 4172	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	93
PID 3196 wrote to memory of 3704	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	94
PID 3196 wrote to memory of 3704	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	94
PID 3196 wrote to memory of 4568	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	95
PID 3196 wrote to memory of 4568	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	95
PID 3196 wrote to memory of 2832	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	96
PID 3196 wrote to memory of 2832	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	96
PID 3196 wrote to memory of 2836	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	97
PID 3196 wrote to memory of 2836	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	97
PID 3196 wrote to memory of 4164	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	98
PID 3196 wrote to memory of 4164	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	98
PID 3196 wrote to memory of 3120	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	99
PID 3196 wrote to memory of 3120	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	99
PID 3196 wrote to memory of 4228	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	100
PID 3196 wrote to memory of 4228	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	100
PID 3196 wrote to memory of 1436	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	101
PID 3196 wrote to memory of 1436	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	101
PID 3196 wrote to memory of 1432	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	102
PID 3196 wrote to memory of 1432	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	102
PID 3196 wrote to memory of 1684	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	103
PID 3196 wrote to memory of 1684	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	103
PID 3196 wrote to memory of 1972	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	104
PID 3196 wrote to memory of 1972	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	104
PID 3196 wrote to memory of 4392	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	105
PID 3196 wrote to memory of 4392	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	105
PID 3196 wrote to memory of 2128	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	106
PID 3196 wrote to memory of 2128	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	106
PID 3196 wrote to memory of 4240	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	107
PID 3196 wrote to memory of 4240	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	107
PID 3196 wrote to memory of 772	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	108
PID 3196 wrote to memory of 772	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	108
PID 3196 wrote to memory of 3720	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	109
PID 3196 wrote to memory of 3720	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	109
PID 3196 wrote to memory of 2868	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	110
PID 3196 wrote to memory of 2868	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	110
PID 3196 wrote to memory of 4256	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	111
PID 3196 wrote to memory of 4256	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	111
PID 3196 wrote to memory of 2972	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	112
PID 3196 wrote to memory of 2972	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	112
PID 3196 wrote to memory of 2320	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	113
PID 3196 wrote to memory of 2320	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	113
PID 3196 wrote to memory of 4120	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	114
PID 3196 wrote to memory of 4120	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	114
PID 3196 wrote to memory of 392	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	115
PID 3196 wrote to memory of 392	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	115
PID 3196 wrote to memory of 2296	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	116
PID 3196 wrote to memory of 2296	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	116
PID 3196 wrote to memory of 1304	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	117
PID 3196 wrote to memory of 1304	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	117
PID 3196 wrote to memory of 3592	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	118
PID 3196 wrote to memory of 3592	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	118
PID 3196 wrote to memory of 4984	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	119
PID 3196 wrote to memory of 4984	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	119
PID 3196 wrote to memory of 2216	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	120
PID 3196 wrote to memory of 2216	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	120
PID 3196 wrote to memory of 452	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	121
PID 3196 wrote to memory of 452	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	121
PID 3196 wrote to memory of 4332	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	122
PID 3196 wrote to memory of 4332	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	122
PID 3196 wrote to memory of 2192	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	123
PID 3196 wrote to memory of 2192	3196	4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe	123

C:\Users\Admin\AppData\Local\Temp\4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe
"C:\Users\Admin\AppData\Local\Temp\4a6b08c563ddbeb4e6b14887ab2f5bf0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\System32\RALBHsf.exe
  C:\Windows\System32\RALBHsf.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System32\LisZixN.exe
  C:\Windows\System32\LisZixN.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System32\eoapnny.exe
  C:\Windows\System32\eoapnny.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\eQXTZMr.exe
  C:\Windows\System32\eQXTZMr.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\YDCwtaw.exe
  C:\Windows\System32\YDCwtaw.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System32\MuyDmfn.exe
  C:\Windows\System32\MuyDmfn.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System32\GsnNkxM.exe
  C:\Windows\System32\GsnNkxM.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System32\QdtgeUN.exe
  C:\Windows\System32\QdtgeUN.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System32\vHuwzlU.exe
  C:\Windows\System32\vHuwzlU.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System32\SYsxvrl.exe
  C:\Windows\System32\SYsxvrl.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System32\IaHvdxm.exe
  C:\Windows\System32\IaHvdxm.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System32\tpJdDba.exe
  C:\Windows\System32\tpJdDba.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System32\gDyYIaE.exe
  C:\Windows\System32\gDyYIaE.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System32\LydRLBH.exe
  C:\Windows\System32\LydRLBH.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System32\keaVPvS.exe
  C:\Windows\System32\keaVPvS.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System32\meIOglY.exe
  C:\Windows\System32\meIOglY.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\SEbklve.exe
  C:\Windows\System32\SEbklve.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System32\zPbbXfo.exe
  C:\Windows\System32\zPbbXfo.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\jarJCGo.exe
  C:\Windows\System32\jarJCGo.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\sVuhsIG.exe
  C:\Windows\System32\sVuhsIG.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\HgGElUP.exe
  C:\Windows\System32\HgGElUP.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System32\mEGqPKF.exe
  C:\Windows\System32\mEGqPKF.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System32\hflvmJo.exe
  C:\Windows\System32\hflvmJo.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\ThjhEEG.exe
  C:\Windows\System32\ThjhEEG.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\GXGBiJr.exe
  C:\Windows\System32\GXGBiJr.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\TuZFagt.exe
  C:\Windows\System32\TuZFagt.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System32\KFSVExV.exe
  C:\Windows\System32\KFSVExV.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System32\fQvbnsa.exe
  C:\Windows\System32\fQvbnsa.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System32\LRToKay.exe
  C:\Windows\System32\LRToKay.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\iMgkGEc.exe
  C:\Windows\System32\iMgkGEc.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System32\fHALQuW.exe
  C:\Windows\System32\fHALQuW.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\aCwZmBm.exe
  C:\Windows\System32\aCwZmBm.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System32\NkfglWm.exe
  C:\Windows\System32\NkfglWm.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System32\ycGQlrP.exe
  C:\Windows\System32\ycGQlrP.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System32\wCubJMA.exe
  C:\Windows\System32\wCubJMA.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System32\qlBKIXe.exe
  C:\Windows\System32\qlBKIXe.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System32\vEVgUgh.exe
  C:\Windows\System32\vEVgUgh.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System32\MuayWwl.exe
  C:\Windows\System32\MuayWwl.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\KTHPESe.exe
  C:\Windows\System32\KTHPESe.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System32\MuAeEkp.exe
  C:\Windows\System32\MuAeEkp.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\BccHJKk.exe
  C:\Windows\System32\BccHJKk.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\JKUvwJF.exe
  C:\Windows\System32\JKUvwJF.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\sPZxrkb.exe
  C:\Windows\System32\sPZxrkb.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System32\YWgMsMu.exe
  C:\Windows\System32\YWgMsMu.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\Cwnbzps.exe
  C:\Windows\System32\Cwnbzps.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System32\BXfEBZw.exe
  C:\Windows\System32\BXfEBZw.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System32\QYVlVBn.exe
  C:\Windows\System32\QYVlVBn.exe
  2⤵
  - Executes dropped EXE
  PID:5136
- C:\Windows\System32\NmWlmsw.exe
  C:\Windows\System32\NmWlmsw.exe
  2⤵
  - Executes dropped EXE
  PID:5160
- C:\Windows\System32\ssPrCax.exe
  C:\Windows\System32\ssPrCax.exe
  2⤵
  - Executes dropped EXE
  PID:5188
- C:\Windows\System32\COaRIIq.exe
  C:\Windows\System32\COaRIIq.exe
  2⤵
  - Executes dropped EXE
  PID:5216
- C:\Windows\System32\VSNgTaL.exe
  C:\Windows\System32\VSNgTaL.exe
  2⤵
  - Executes dropped EXE
  PID:5244
- C:\Windows\System32\mQlpEpO.exe
  C:\Windows\System32\mQlpEpO.exe
  2⤵
  - Executes dropped EXE
  PID:5276
- C:\Windows\System32\HujHvAm.exe
  C:\Windows\System32\HujHvAm.exe
  2⤵
  - Executes dropped EXE
  PID:5300
- C:\Windows\System32\rZtaKok.exe
  C:\Windows\System32\rZtaKok.exe
  2⤵
  - Executes dropped EXE
  PID:5328
- C:\Windows\System32\VjwmgDQ.exe
  C:\Windows\System32\VjwmgDQ.exe
  2⤵
  - Executes dropped EXE
  PID:5356
- C:\Windows\System32\OjjiEWi.exe
  C:\Windows\System32\OjjiEWi.exe
  2⤵
  - Executes dropped EXE
  PID:5388
- C:\Windows\System32\SrAvPCU.exe
  C:\Windows\System32\SrAvPCU.exe
  2⤵
  - Executes dropped EXE
  PID:5416
- C:\Windows\System32\qDpNYsT.exe
  C:\Windows\System32\qDpNYsT.exe
  2⤵
  - Executes dropped EXE
  PID:5440
- C:\Windows\System32\lpQusWz.exe
  C:\Windows\System32\lpQusWz.exe
  2⤵
  - Executes dropped EXE
  PID:5468
- C:\Windows\System32\jfvVpUk.exe
  C:\Windows\System32\jfvVpUk.exe
  2⤵
  - Executes dropped EXE
  PID:5496
- C:\Windows\System32\MkbWWTj.exe
  C:\Windows\System32\MkbWWTj.exe
  2⤵
  - Executes dropped EXE
  PID:5532
- C:\Windows\System32\kloohGk.exe
  C:\Windows\System32\kloohGk.exe
  2⤵
  - Executes dropped EXE
  PID:5556
- C:\Windows\System32\byIadln.exe
  C:\Windows\System32\byIadln.exe
  2⤵
  - Executes dropped EXE
  PID:5580
- C:\Windows\System32\uPzIHbI.exe
  C:\Windows\System32\uPzIHbI.exe
  2⤵
  - Executes dropped EXE
  PID:5612
- C:\Windows\System32\ONYheAL.exe
  C:\Windows\System32\ONYheAL.exe
  2⤵
  PID:5636
- C:\Windows\System32\luCCNsu.exe
  C:\Windows\System32\luCCNsu.exe
  2⤵
  PID:5664
- C:\Windows\System32\OEUxxeo.exe
  C:\Windows\System32\OEUxxeo.exe
  2⤵
  PID:5692
- C:\Windows\System32\ywnXoBX.exe
  C:\Windows\System32\ywnXoBX.exe
  2⤵
  PID:5720
- C:\Windows\System32\lsMzXqf.exe
  C:\Windows\System32\lsMzXqf.exe
  2⤵
  PID:5744
- C:\Windows\System32\coyfRsN.exe
  C:\Windows\System32\coyfRsN.exe
  2⤵
  PID:5800
- C:\Windows\System32\RfXhnNA.exe
  C:\Windows\System32\RfXhnNA.exe
  2⤵
  PID:5820
- C:\Windows\System32\qxjypEk.exe
  C:\Windows\System32\qxjypEk.exe
  2⤵
  PID:5848
- C:\Windows\System32\PsrNslL.exe
  C:\Windows\System32\PsrNslL.exe
  2⤵
  PID:5872
- C:\Windows\System32\iQSaiHp.exe
  C:\Windows\System32\iQSaiHp.exe
  2⤵
  PID:5896
- C:\Windows\System32\HWKqUBR.exe
  C:\Windows\System32\HWKqUBR.exe
  2⤵
  PID:5916
- C:\Windows\System32\BvOUFfz.exe
  C:\Windows\System32\BvOUFfz.exe
  2⤵
  PID:5944
- C:\Windows\System32\HOlSaSv.exe
  C:\Windows\System32\HOlSaSv.exe
  2⤵
  PID:5968
- C:\Windows\System32\gODenBk.exe
  C:\Windows\System32\gODenBk.exe
  2⤵
  PID:5996
- C:\Windows\System32\YSAspsT.exe
  C:\Windows\System32\YSAspsT.exe
  2⤵
  PID:6028
- C:\Windows\System32\lHdemPf.exe
  C:\Windows\System32\lHdemPf.exe
  2⤵
  PID:6052
- C:\Windows\System32\MwemVDD.exe
  C:\Windows\System32\MwemVDD.exe
  2⤵
  PID:6088
- C:\Windows\System32\nPMJTtk.exe
  C:\Windows\System32\nPMJTtk.exe
  2⤵
  PID:6112
- C:\Windows\System32\eUpknmT.exe
  C:\Windows\System32\eUpknmT.exe
  2⤵
  PID:6140
- C:\Windows\System32\CaGEnHm.exe
  C:\Windows\System32\CaGEnHm.exe
  2⤵
  PID:3280
- C:\Windows\System32\JwFjXWE.exe
  C:\Windows\System32\JwFjXWE.exe
  2⤵
  PID:2108
- C:\Windows\System32\eUoJwjC.exe
  C:\Windows\System32\eUoJwjC.exe
  2⤵
  PID:2632
- C:\Windows\System32\SpUGHyr.exe
  C:\Windows\System32\SpUGHyr.exe
  2⤵
  PID:1140
- C:\Windows\System32\iNIshGs.exe
  C:\Windows\System32\iNIshGs.exe
  2⤵
  PID:5144
- C:\Windows\System32\Qzelgel.exe
  C:\Windows\System32\Qzelgel.exe
  2⤵
  PID:5200
- C:\Windows\System32\pLisvUi.exe
  C:\Windows\System32\pLisvUi.exe
  2⤵
  PID:5252
- C:\Windows\System32\XSxbdlI.exe
  C:\Windows\System32\XSxbdlI.exe
  2⤵
  PID:5308
- C:\Windows\System32\gRYWcBr.exe
  C:\Windows\System32\gRYWcBr.exe
  2⤵
  PID:5376
- C:\Windows\System32\fIjWRow.exe
  C:\Windows\System32\fIjWRow.exe
  2⤵
  PID:5460
- C:\Windows\System32\ZqpkQip.exe
  C:\Windows\System32\ZqpkQip.exe
  2⤵
  PID:5516
- C:\Windows\System32\vCksnkS.exe
  C:\Windows\System32\vCksnkS.exe
  2⤵
  PID:5564
- C:\Windows\System32\NrbRgqS.exe
  C:\Windows\System32\NrbRgqS.exe
  2⤵
  PID:5628
- C:\Windows\System32\agSjgBl.exe
  C:\Windows\System32\agSjgBl.exe
  2⤵
  PID:5728
- C:\Windows\System32\xbbIxXG.exe
  C:\Windows\System32\xbbIxXG.exe
  2⤵
  PID:5752
- C:\Windows\System32\ZKLLNfd.exe
  C:\Windows\System32\ZKLLNfd.exe
  2⤵
  PID:5832
- C:\Windows\System32\FIfUMuN.exe
  C:\Windows\System32\FIfUMuN.exe
  2⤵
  PID:5892
- C:\Windows\System32\zejRFOa.exe
  C:\Windows\System32\zejRFOa.exe
  2⤵
  PID:5952
- C:\Windows\System32\fKXKFML.exe
  C:\Windows\System32\fKXKFML.exe
  2⤵
  PID:6012
- C:\Windows\System32\LrTPVrW.exe
  C:\Windows\System32\LrTPVrW.exe
  2⤵
  PID:6076
- C:\Windows\System32\bpRQwHA.exe
  C:\Windows\System32\bpRQwHA.exe
  2⤵
  PID:6124
- C:\Windows\System32\uFtMXTx.exe
  C:\Windows\System32\uFtMXTx.exe
  2⤵
  PID:1272
- C:\Windows\System32\HjXylkT.exe
  C:\Windows\System32\HjXylkT.exe
  2⤵
  PID:2864
- C:\Windows\System32\RkYaJWk.exe
  C:\Windows\System32\RkYaJWk.exe
  2⤵
  PID:5224
- C:\Windows\System32\CJlFhdB.exe
  C:\Windows\System32\CJlFhdB.exe
  2⤵
  PID:5408
- C:\Windows\System32\tKUVmZs.exe
  C:\Windows\System32\tKUVmZs.exe
  2⤵
  PID:5452
- C:\Windows\System32\DOVJfyj.exe
  C:\Windows\System32\DOVJfyj.exe
  2⤵
  PID:5576
- C:\Windows\System32\LmJyvuf.exe
  C:\Windows\System32\LmJyvuf.exe
  2⤵
  PID:5768
- C:\Windows\System32\PpAbfJV.exe
  C:\Windows\System32\PpAbfJV.exe
  2⤵
  PID:5936
- C:\Windows\System32\VKgEKOh.exe
  C:\Windows\System32\VKgEKOh.exe
  2⤵
  PID:6036
- C:\Windows\System32\KqpiCOF.exe
  C:\Windows\System32\KqpiCOF.exe
  2⤵
  PID:4888
- C:\Windows\System32\BAteuzS.exe
  C:\Windows\System32\BAteuzS.exe
  2⤵
  PID:4048
- C:\Windows\System32\QGHnPPO.exe
  C:\Windows\System32\QGHnPPO.exe
  2⤵
  PID:6164
- C:\Windows\System32\bPjjBgl.exe
  C:\Windows\System32\bPjjBgl.exe
  2⤵
  PID:6192
- C:\Windows\System32\CDhjPMM.exe
  C:\Windows\System32\CDhjPMM.exe
  2⤵
  PID:6232
- C:\Windows\System32\zmzFAtY.exe
  C:\Windows\System32\zmzFAtY.exe
  2⤵
  PID:6252
- C:\Windows\System32\SLydKdA.exe
  C:\Windows\System32\SLydKdA.exe
  2⤵
  PID:6280
- C:\Windows\System32\VmQbAln.exe
  C:\Windows\System32\VmQbAln.exe
  2⤵
  PID:6304
- C:\Windows\System32\veIphmx.exe
  C:\Windows\System32\veIphmx.exe
  2⤵
  PID:6336
- C:\Windows\System32\FzjpRYk.exe
  C:\Windows\System32\FzjpRYk.exe
  2⤵
  PID:6364
- C:\Windows\System32\KxvFsLm.exe
  C:\Windows\System32\KxvFsLm.exe
  2⤵
  PID:6400
- C:\Windows\System32\xujIXeN.exe
  C:\Windows\System32\xujIXeN.exe
  2⤵
  PID:6420
- C:\Windows\System32\AwJwZgO.exe
  C:\Windows\System32\AwJwZgO.exe
  2⤵
  PID:6444
- C:\Windows\System32\PyGKpiG.exe
  C:\Windows\System32\PyGKpiG.exe
  2⤵
  PID:6472
- C:\Windows\System32\YKLRdRu.exe
  C:\Windows\System32\YKLRdRu.exe
  2⤵
  PID:6504
- C:\Windows\System32\dLRyiiU.exe
  C:\Windows\System32\dLRyiiU.exe
  2⤵
  PID:6532
- C:\Windows\System32\ZEmuPzx.exe
  C:\Windows\System32\ZEmuPzx.exe
  2⤵
  PID:6560
- C:\Windows\System32\vHrlhVF.exe
  C:\Windows\System32\vHrlhVF.exe
  2⤵
  PID:6588
- C:\Windows\System32\IZzHZXl.exe
  C:\Windows\System32\IZzHZXl.exe
  2⤵
  PID:6616
- C:\Windows\System32\vCrpDuF.exe
  C:\Windows\System32\vCrpDuF.exe
  2⤵
  PID:6644
- C:\Windows\System32\NiJpmTy.exe
  C:\Windows\System32\NiJpmTy.exe
  2⤵
  PID:6672
- C:\Windows\System32\vvTGWTR.exe
  C:\Windows\System32\vvTGWTR.exe
  2⤵
  PID:6700
- C:\Windows\System32\ZHacKbn.exe
  C:\Windows\System32\ZHacKbn.exe
  2⤵
  PID:6724
- C:\Windows\System32\ugEWUuU.exe
  C:\Windows\System32\ugEWUuU.exe
  2⤵
  PID:6756
- C:\Windows\System32\GmuiDgh.exe
  C:\Windows\System32\GmuiDgh.exe
  2⤵
  PID:6792
- C:\Windows\System32\rkzpWdA.exe
  C:\Windows\System32\rkzpWdA.exe
  2⤵
  PID:6812
- C:\Windows\System32\YaHVURL.exe
  C:\Windows\System32\YaHVURL.exe
  2⤵
  PID:6848
- C:\Windows\System32\nqEHiGO.exe
  C:\Windows\System32\nqEHiGO.exe
  2⤵
  PID:6868
- C:\Windows\System32\sNJfkzs.exe
  C:\Windows\System32\sNJfkzs.exe
  2⤵
  PID:6896
- C:\Windows\System32\falsogO.exe
  C:\Windows\System32\falsogO.exe
  2⤵
  PID:6924
- C:\Windows\System32\dLABqNZ.exe
  C:\Windows\System32\dLABqNZ.exe
  2⤵
  PID:6960
- C:\Windows\System32\IMJhSWj.exe
  C:\Windows\System32\IMJhSWj.exe
  2⤵
  PID:6980
- C:\Windows\System32\juSJTPG.exe
  C:\Windows\System32\juSJTPG.exe
  2⤵
  PID:7016
- C:\Windows\System32\CxpGrLB.exe
  C:\Windows\System32\CxpGrLB.exe
  2⤵
  PID:7036
- C:\Windows\System32\TaqhKwp.exe
  C:\Windows\System32\TaqhKwp.exe
  2⤵
  PID:7064
- C:\Windows\System32\fqqYUII.exe
  C:\Windows\System32\fqqYUII.exe
  2⤵
  PID:7088
- C:\Windows\System32\IZRFpzR.exe
  C:\Windows\System32\IZRFpzR.exe
  2⤵
  PID:7116
- C:\Windows\System32\psrHNRk.exe
  C:\Windows\System32\psrHNRk.exe
  2⤵
  PID:7148
- C:\Windows\System32\fUJyolp.exe
  C:\Windows\System32\fUJyolp.exe
  2⤵
  PID:5340
- C:\Windows\System32\YySafye.exe
  C:\Windows\System32\YySafye.exe
  2⤵
  PID:5588
- C:\Windows\System32\YLJNGBF.exe
  C:\Windows\System32\YLJNGBF.exe
  2⤵
  PID:5856
- C:\Windows\System32\Mlksali.exe
  C:\Windows\System32\Mlksali.exe
  2⤵
  PID:2780
- C:\Windows\System32\VrbGxdi.exe
  C:\Windows\System32\VrbGxdi.exe
  2⤵
  PID:6432
- C:\Windows\System32\EmagzPq.exe
  C:\Windows\System32\EmagzPq.exe
  2⤵
  PID:6468
- C:\Windows\System32\qleZeho.exe
  C:\Windows\System32\qleZeho.exe
  2⤵
  PID:6516
- C:\Windows\System32\HQUafAb.exe
  C:\Windows\System32\HQUafAb.exe
  2⤵
  PID:6552
- C:\Windows\System32\GCzgZqb.exe
  C:\Windows\System32\GCzgZqb.exe
  2⤵
  PID:6580
- C:\Windows\System32\QExqEmo.exe
  C:\Windows\System32\QExqEmo.exe
  2⤵
  PID:6708
- C:\Windows\System32\NISwAGq.exe
  C:\Windows\System32\NISwAGq.exe
  2⤵
  PID:6748
- C:\Windows\System32\yXIOSKq.exe
  C:\Windows\System32\yXIOSKq.exe
  2⤵
  PID:6768
- C:\Windows\System32\HqcvBEW.exe
  C:\Windows\System32\HqcvBEW.exe
  2⤵
  PID:1084
- C:\Windows\System32\XVoYwcm.exe
  C:\Windows\System32\XVoYwcm.exe
  2⤵
  PID:6856
- C:\Windows\System32\kKAOyuC.exe
  C:\Windows\System32\kKAOyuC.exe
  2⤵
  PID:6932
- C:\Windows\System32\VDbVvRY.exe
  C:\Windows\System32\VDbVvRY.exe
  2⤵
  PID:7032
- C:\Windows\System32\WWHVujO.exe
  C:\Windows\System32\WWHVujO.exe
  2⤵
  PID:1500
- C:\Windows\System32\OldXTee.exe
  C:\Windows\System32\OldXTee.exe
  2⤵
  PID:1820
- C:\Windows\System32\WCAzyfd.exe
  C:\Windows\System32\WCAzyfd.exe
  2⤵
  PID:7096
- C:\Windows\System32\PzqPKgR.exe
  C:\Windows\System32\PzqPKgR.exe
  2⤵
  PID:5432
- C:\Windows\System32\ugpyzEB.exe
  C:\Windows\System32\ugpyzEB.exe
  2⤵
  PID:628
- C:\Windows\System32\VOjBTZW.exe
  C:\Windows\System32\VOjBTZW.exe
  2⤵
  PID:2240
- C:\Windows\System32\BSnwGdP.exe
  C:\Windows\System32\BSnwGdP.exe
  2⤵
  PID:6376
- C:\Windows\System32\pBwdPgZ.exe
  C:\Windows\System32\pBwdPgZ.exe
  2⤵
  PID:3296
- C:\Windows\System32\NJHvHFF.exe
  C:\Windows\System32\NJHvHFF.exe
  2⤵
  PID:2520
- C:\Windows\System32\hUBCfzj.exe
  C:\Windows\System32\hUBCfzj.exe
  2⤵
  PID:6452
- C:\Windows\System32\LvmXGob.exe
  C:\Windows\System32\LvmXGob.exe
  2⤵
  PID:436
- C:\Windows\System32\NkUkrTM.exe
  C:\Windows\System32\NkUkrTM.exe
  2⤵
  PID:6488
- C:\Windows\System32\AhsmPDn.exe
  C:\Windows\System32\AhsmPDn.exe
  2⤵
  PID:6800
- C:\Windows\System32\QScbhUz.exe
  C:\Windows\System32\QScbhUz.exe
  2⤵
  PID:1484
- C:\Windows\System32\IdYahnF.exe
  C:\Windows\System32\IdYahnF.exe
  2⤵
  PID:7048
- C:\Windows\System32\QUdKcSB.exe
  C:\Windows\System32\QUdKcSB.exe
  2⤵
  PID:4000
- C:\Windows\System32\XYmHmXR.exe
  C:\Windows\System32\XYmHmXR.exe
  2⤵
  PID:5644
- C:\Windows\System32\HGsVlFA.exe
  C:\Windows\System32\HGsVlFA.exe
  2⤵
  PID:6348
- C:\Windows\System32\gqEpEJD.exe
  C:\Windows\System32\gqEpEJD.exe
  2⤵
  PID:4416
- C:\Windows\System32\lwEfcZM.exe
  C:\Windows\System32\lwEfcZM.exe
  2⤵
  PID:6624
- C:\Windows\System32\UratDrF.exe
  C:\Windows\System32\UratDrF.exe
  2⤵
  PID:2052
- C:\Windows\System32\mnQdGhz.exe
  C:\Windows\System32\mnQdGhz.exe
  2⤵
  PID:4980
- C:\Windows\System32\DTuiCVW.exe
  C:\Windows\System32\DTuiCVW.exe
  2⤵
  PID:4864
- C:\Windows\System32\qffTWSm.exe
  C:\Windows\System32\qffTWSm.exe
  2⤵
  PID:1572
- C:\Windows\System32\mCgxBUM.exe
  C:\Windows\System32\mCgxBUM.exe
  2⤵
  PID:4496
- C:\Windows\System32\zJigSeq.exe
  C:\Windows\System32\zJigSeq.exe
  2⤵
  PID:6260
- C:\Windows\System32\ZMXRffZ.exe
  C:\Windows\System32\ZMXRffZ.exe
  2⤵
  PID:6540
- C:\Windows\System32\QrkDIxK.exe
  C:\Windows\System32\QrkDIxK.exe
  2⤵
  PID:6628
- C:\Windows\System32\hlmlqUN.exe
  C:\Windows\System32\hlmlqUN.exe
  2⤵
  PID:5880
- C:\Windows\System32\WmUutuz.exe
  C:\Windows\System32\WmUutuz.exe
  2⤵
  PID:7160
- C:\Windows\System32\aoUESoj.exe
  C:\Windows\System32\aoUESoj.exe
  2⤵
  PID:7188
- C:\Windows\System32\TyWwTDb.exe
  C:\Windows\System32\TyWwTDb.exe
  2⤵
  PID:7216
- C:\Windows\System32\lTrsGHd.exe
  C:\Windows\System32\lTrsGHd.exe
  2⤵
  PID:7252
- C:\Windows\System32\nJlpSCz.exe
  C:\Windows\System32\nJlpSCz.exe
  2⤵
  PID:7272
- C:\Windows\System32\TisdqUc.exe
  C:\Windows\System32\TisdqUc.exe
  2⤵
  PID:7300
- C:\Windows\System32\zENPaJy.exe
  C:\Windows\System32\zENPaJy.exe
  2⤵
  PID:7320
- C:\Windows\System32\OxMHQqI.exe
  C:\Windows\System32\OxMHQqI.exe
  2⤵
  PID:7356
- C:\Windows\System32\INGHBmR.exe
  C:\Windows\System32\INGHBmR.exe
  2⤵
  PID:7384
- C:\Windows\System32\GdTednR.exe
  C:\Windows\System32\GdTednR.exe
  2⤵
  PID:7404
- C:\Windows\System32\hvWlYuz.exe
  C:\Windows\System32\hvWlYuz.exe
  2⤵
  PID:7436
- C:\Windows\System32\yhVDJwo.exe
  C:\Windows\System32\yhVDJwo.exe
  2⤵
  PID:7452
- C:\Windows\System32\nHMmvOk.exe
  C:\Windows\System32\nHMmvOk.exe
  2⤵
  PID:7488
- C:\Windows\System32\MyOFgFQ.exe
  C:\Windows\System32\MyOFgFQ.exe
  2⤵
  PID:7540
- C:\Windows\System32\GZGnKHW.exe
  C:\Windows\System32\GZGnKHW.exe
  2⤵
  PID:7564
- C:\Windows\System32\TLFTKTN.exe
  C:\Windows\System32\TLFTKTN.exe
  2⤵
  PID:7584
- C:\Windows\System32\aOdSDuU.exe
  C:\Windows\System32\aOdSDuU.exe
  2⤵
  PID:7604
- C:\Windows\System32\JxmyrVx.exe
  C:\Windows\System32\JxmyrVx.exe
  2⤵
  PID:7632
- C:\Windows\System32\vPJUfTO.exe
  C:\Windows\System32\vPJUfTO.exe
  2⤵
  PID:7652
- C:\Windows\System32\gEVLVgj.exe
  C:\Windows\System32\gEVLVgj.exe
  2⤵
  PID:7692
- C:\Windows\System32\LuGQTHI.exe
  C:\Windows\System32\LuGQTHI.exe
  2⤵
  PID:7724
- C:\Windows\System32\jsCTAGV.exe
  C:\Windows\System32\jsCTAGV.exe
  2⤵
  PID:7740
- C:\Windows\System32\XnaHIZh.exe
  C:\Windows\System32\XnaHIZh.exe
  2⤵
  PID:7780
- C:\Windows\System32\EFnnney.exe
  C:\Windows\System32\EFnnney.exe
  2⤵
  PID:7808
- C:\Windows\System32\mNiIgCI.exe
  C:\Windows\System32\mNiIgCI.exe
  2⤵
  PID:7836
- C:\Windows\System32\zkSHNvE.exe
  C:\Windows\System32\zkSHNvE.exe
  2⤵
  PID:7852
- C:\Windows\System32\dazFcvL.exe
  C:\Windows\System32\dazFcvL.exe
  2⤵
  PID:7872
- C:\Windows\System32\WkRqJbj.exe
  C:\Windows\System32\WkRqJbj.exe
  2⤵
  PID:7900
- C:\Windows\System32\WsAjEdC.exe
  C:\Windows\System32\WsAjEdC.exe
  2⤵
  PID:7928
- C:\Windows\System32\dLCXKRZ.exe
  C:\Windows\System32\dLCXKRZ.exe
  2⤵
  PID:7952
- C:\Windows\System32\vDcEfZz.exe
  C:\Windows\System32\vDcEfZz.exe
  2⤵
  PID:8004
- C:\Windows\System32\XhFTaMd.exe
  C:\Windows\System32\XhFTaMd.exe
  2⤵
  PID:8056
- C:\Windows\System32\YOKTmaO.exe
  C:\Windows\System32\YOKTmaO.exe
  2⤵
  PID:8076
- C:\Windows\System32\LDZrrCr.exe
  C:\Windows\System32\LDZrrCr.exe
  2⤵
  PID:8092
- C:\Windows\System32\DieYxmH.exe
  C:\Windows\System32\DieYxmH.exe
  2⤵
  PID:8112
- C:\Windows\System32\Oqrdojg.exe
  C:\Windows\System32\Oqrdojg.exe
  2⤵
  PID:8140
- C:\Windows\System32\VimyGLa.exe
  C:\Windows\System32\VimyGLa.exe
  2⤵
  PID:8156
- C:\Windows\System32\mHCwJdj.exe
  C:\Windows\System32\mHCwJdj.exe
  2⤵
  PID:7176
- C:\Windows\System32\ykJTduJ.exe
  C:\Windows\System32\ykJTduJ.exe
  2⤵
  PID:7200
- C:\Windows\System32\FjutpRz.exe
  C:\Windows\System32\FjutpRz.exe
  2⤵
  PID:7260
- C:\Windows\System32\SYTILdZ.exe
  C:\Windows\System32\SYTILdZ.exe
  2⤵
  PID:7344
- C:\Windows\System32\hiQbdCV.exe
  C:\Windows\System32\hiQbdCV.exe
  2⤵
  PID:7416
- C:\Windows\System32\eDHgOhM.exe
  C:\Windows\System32\eDHgOhM.exe
  2⤵
  PID:7500
- C:\Windows\System32\QgwnhSt.exe
  C:\Windows\System32\QgwnhSt.exe
  2⤵
  PID:7560
- C:\Windows\System32\TmdlxTn.exe
  C:\Windows\System32\TmdlxTn.exe
  2⤵
  PID:7620
- C:\Windows\System32\cbdeJfp.exe
  C:\Windows\System32\cbdeJfp.exe
  2⤵
  PID:7644
- C:\Windows\System32\RanFcbJ.exe
  C:\Windows\System32\RanFcbJ.exe
  2⤵
  PID:7712
- C:\Windows\System32\XcpOThG.exe
  C:\Windows\System32\XcpOThG.exe
  2⤵
  PID:7800
- C:\Windows\System32\RvgdrEx.exe
  C:\Windows\System32\RvgdrEx.exe
  2⤵
  PID:7844
- C:\Windows\System32\YbqSTIg.exe
  C:\Windows\System32\YbqSTIg.exe
  2⤵
  PID:7864
- C:\Windows\System32\rDnUcso.exe
  C:\Windows\System32\rDnUcso.exe
  2⤵
  PID:7960
- C:\Windows\System32\cglQNKS.exe
  C:\Windows\System32\cglQNKS.exe
  2⤵
  PID:8128
- C:\Windows\System32\HGrkXcT.exe
  C:\Windows\System32\HGrkXcT.exe
  2⤵
  PID:8148
- C:\Windows\System32\tJBHhoU.exe
  C:\Windows\System32\tJBHhoU.exe
  2⤵
  PID:2872
- C:\Windows\System32\BvidSMc.exe
  C:\Windows\System32\BvidSMc.exe
  2⤵
  PID:7204
- C:\Windows\System32\JdlHYmW.exe
  C:\Windows\System32\JdlHYmW.exe
  2⤵
  PID:7524
- C:\Windows\System32\UVrFcUl.exe
  C:\Windows\System32\UVrFcUl.exe
  2⤵
  PID:7736
- C:\Windows\System32\liiVgoD.exe
  C:\Windows\System32\liiVgoD.exe
  2⤵
  PID:7732
- C:\Windows\System32\zzUxbLY.exe
  C:\Windows\System32\zzUxbLY.exe
  2⤵
  PID:7828
- C:\Windows\System32\dkaBECm.exe
  C:\Windows\System32\dkaBECm.exe
  2⤵
  PID:7948
- C:\Windows\System32\gvbbbYX.exe
  C:\Windows\System32\gvbbbYX.exe
  2⤵
  PID:7228
- C:\Windows\System32\VyCoVao.exe
  C:\Windows\System32\VyCoVao.exe
  2⤵
  PID:7396
- C:\Windows\System32\uOqVaQu.exe
  C:\Windows\System32\uOqVaQu.exe
  2⤵
  PID:7820
- C:\Windows\System32\JuVfffu.exe
  C:\Windows\System32\JuVfffu.exe
  2⤵
  PID:8132
- C:\Windows\System32\RhDfHjd.exe
  C:\Windows\System32\RhDfHjd.exe
  2⤵
  PID:7552
- C:\Windows\System32\xOncYcH.exe
  C:\Windows\System32\xOncYcH.exe
  2⤵
  PID:8212
- C:\Windows\System32\KylPbNE.exe
  C:\Windows\System32\KylPbNE.exe
  2⤵
  PID:8252
- C:\Windows\System32\hlGowXr.exe
  C:\Windows\System32\hlGowXr.exe
  2⤵
  PID:8272
- C:\Windows\System32\jyhCkZr.exe
  C:\Windows\System32\jyhCkZr.exe
  2⤵
  PID:8300
- C:\Windows\System32\hQToBhg.exe
  C:\Windows\System32\hQToBhg.exe
  2⤵
  PID:8320
- C:\Windows\System32\wuBhRNA.exe
  C:\Windows\System32\wuBhRNA.exe
  2⤵
  PID:8344
- C:\Windows\System32\aMwGtQS.exe
  C:\Windows\System32\aMwGtQS.exe
  2⤵
  PID:8408
- C:\Windows\System32\xaFGGiD.exe
  C:\Windows\System32\xaFGGiD.exe
  2⤵
  PID:8428
- C:\Windows\System32\PtUyief.exe
  C:\Windows\System32\PtUyief.exe
  2⤵
  PID:8452
- C:\Windows\System32\tnPvYCF.exe
  C:\Windows\System32\tnPvYCF.exe
  2⤵
  PID:8472
- C:\Windows\System32\bgXMrmB.exe
  C:\Windows\System32\bgXMrmB.exe
  2⤵
  PID:8508
- C:\Windows\System32\UzePpNS.exe
  C:\Windows\System32\UzePpNS.exe
  2⤵
  PID:8528
- C:\Windows\System32\epYklQe.exe
  C:\Windows\System32\epYklQe.exe
  2⤵
  PID:8552
- C:\Windows\System32\DuRYonU.exe
  C:\Windows\System32\DuRYonU.exe
  2⤵
  PID:8596
- C:\Windows\System32\tMkZvUK.exe
  C:\Windows\System32\tMkZvUK.exe
  2⤵
  PID:8620
- C:\Windows\System32\pApWFJw.exe
  C:\Windows\System32\pApWFJw.exe
  2⤵
  PID:8644
- C:\Windows\System32\FdmBNZP.exe
  C:\Windows\System32\FdmBNZP.exe
  2⤵
  PID:8668
- C:\Windows\System32\LtHDqSZ.exe
  C:\Windows\System32\LtHDqSZ.exe
  2⤵
  PID:8688
- C:\Windows\System32\NXOYBfz.exe
  C:\Windows\System32\NXOYBfz.exe
  2⤵
  PID:8712
- C:\Windows\System32\JmpMzvn.exe
  C:\Windows\System32\JmpMzvn.exe
  2⤵
  PID:8728
- C:\Windows\System32\HgljNOU.exe
  C:\Windows\System32\HgljNOU.exe
  2⤵
  PID:8748
- C:\Windows\System32\VHxOelb.exe
  C:\Windows\System32\VHxOelb.exe
  2⤵
  PID:8764
- C:\Windows\System32\mjGptuB.exe
  C:\Windows\System32\mjGptuB.exe
  2⤵
  PID:8832
- C:\Windows\System32\czfsTBp.exe
  C:\Windows\System32\czfsTBp.exe
  2⤵
  PID:8864
- C:\Windows\System32\JvaSxby.exe
  C:\Windows\System32\JvaSxby.exe
  2⤵
  PID:8888
- C:\Windows\System32\xtetBjz.exe
  C:\Windows\System32\xtetBjz.exe
  2⤵
  PID:8936
- C:\Windows\System32\AnUfvTm.exe
  C:\Windows\System32\AnUfvTm.exe
  2⤵
  PID:8964
- C:\Windows\System32\GQClxmV.exe
  C:\Windows\System32\GQClxmV.exe
  2⤵
  PID:8988
- C:\Windows\System32\tIgNqRw.exe
  C:\Windows\System32\tIgNqRw.exe
  2⤵
  PID:9004
- C:\Windows\System32\tFBtmJb.exe
  C:\Windows\System32\tFBtmJb.exe
  2⤵
  PID:9024
- C:\Windows\System32\KgelchB.exe
  C:\Windows\System32\KgelchB.exe
  2⤵
  PID:9048
- C:\Windows\System32\tONJXoR.exe
  C:\Windows\System32\tONJXoR.exe
  2⤵
  PID:9084
- C:\Windows\System32\CjZGZlR.exe
  C:\Windows\System32\CjZGZlR.exe
  2⤵
  PID:9108
- C:\Windows\System32\rqdTJOp.exe
  C:\Windows\System32\rqdTJOp.exe
  2⤵
  PID:9156
- C:\Windows\System32\LLEUILa.exe
  C:\Windows\System32\LLEUILa.exe
  2⤵
  PID:9188
- C:\Windows\System32\aXanben.exe
  C:\Windows\System32\aXanben.exe
  2⤵
  PID:9212
- C:\Windows\System32\KWCwOUA.exe
  C:\Windows\System32\KWCwOUA.exe
  2⤵
  PID:8224
- C:\Windows\System32\tbtxswN.exe
  C:\Windows\System32\tbtxswN.exe
  2⤵
  PID:8328
- C:\Windows\System32\KmCUAFu.exe
  C:\Windows\System32\KmCUAFu.exe
  2⤵
  PID:8352
- C:\Windows\System32\AwJLWJv.exe
  C:\Windows\System32\AwJLWJv.exe
  2⤵
  PID:8404
- C:\Windows\System32\XfZklGg.exe
  C:\Windows\System32\XfZklGg.exe
  2⤵
  PID:8484
- C:\Windows\System32\heWxndd.exe
  C:\Windows\System32\heWxndd.exe
  2⤵
  PID:8536
- C:\Windows\System32\HZTGaGU.exe
  C:\Windows\System32\HZTGaGU.exe
  2⤵
  PID:8604
- C:\Windows\System32\wQmNDUp.exe
  C:\Windows\System32\wQmNDUp.exe
  2⤵
  PID:8664
- C:\Windows\System32\KJplLhb.exe
  C:\Windows\System32\KJplLhb.exe
  2⤵
  PID:8704
- C:\Windows\System32\DDpBigO.exe
  C:\Windows\System32\DDpBigO.exe
  2⤵
  PID:8804
- C:\Windows\System32\tXWIJRe.exe
  C:\Windows\System32\tXWIJRe.exe
  2⤵
  PID:8872
- C:\Windows\System32\zihrxgq.exe
  C:\Windows\System32\zihrxgq.exe
  2⤵
  PID:8928
- C:\Windows\System32\fSxnWjV.exe
  C:\Windows\System32\fSxnWjV.exe
  2⤵
  PID:8996
- C:\Windows\System32\ZmJLyZZ.exe
  C:\Windows\System32\ZmJLyZZ.exe
  2⤵
  PID:9072
- C:\Windows\System32\mqcsGVv.exe
  C:\Windows\System32\mqcsGVv.exe
  2⤵
  PID:9168
- C:\Windows\System32\aiKMaEo.exe
  C:\Windows\System32\aiKMaEo.exe
  2⤵
  PID:7704
- C:\Windows\System32\gKUBteB.exe
  C:\Windows\System32\gKUBteB.exe
  2⤵
  PID:8292
- C:\Windows\System32\bAidDSo.exe
  C:\Windows\System32\bAidDSo.exe
  2⤵
  PID:8364
- C:\Windows\System32\QvMOAHl.exe
  C:\Windows\System32\QvMOAHl.exe
  2⤵
  PID:8632
- C:\Windows\System32\nKntgzO.exe
  C:\Windows\System32\nKntgzO.exe
  2⤵
  PID:8696
- C:\Windows\System32\lhqwuVF.exe
  C:\Windows\System32\lhqwuVF.exe
  2⤵
  PID:8876
- C:\Windows\System32\vIcPEfk.exe
  C:\Windows\System32\vIcPEfk.exe
  2⤵
  PID:4772
- C:\Windows\System32\ZQvXilb.exe
  C:\Windows\System32\ZQvXilb.exe
  2⤵
  PID:9060
- C:\Windows\System32\sVTsook.exe
  C:\Windows\System32\sVTsook.exe
  2⤵
  PID:9116
- C:\Windows\System32\ySvFHCC.exe
  C:\Windows\System32\ySvFHCC.exe
  2⤵
  PID:8316
- C:\Windows\System32\RPWaSry.exe
  C:\Windows\System32\RPWaSry.exe
  2⤵
  PID:9196
- C:\Windows\System32\HXUfBgJ.exe
  C:\Windows\System32\HXUfBgJ.exe
  2⤵
  PID:8956
- C:\Windows\System32\hqsinDW.exe
  C:\Windows\System32\hqsinDW.exe
  2⤵
  PID:9236
- C:\Windows\System32\LZdVKlc.exe
  C:\Windows\System32\LZdVKlc.exe
  2⤵
  PID:9276
- C:\Windows\System32\DuAElZG.exe
  C:\Windows\System32\DuAElZG.exe
  2⤵
  PID:9304
- C:\Windows\System32\qOOblbZ.exe
  C:\Windows\System32\qOOblbZ.exe
  2⤵
  PID:9332
- C:\Windows\System32\iSkPvhx.exe
  C:\Windows\System32\iSkPvhx.exe
  2⤵
  PID:9348
- C:\Windows\System32\bMTJlyy.exe
  C:\Windows\System32\bMTJlyy.exe
  2⤵
  PID:9368
- C:\Windows\System32\xLKJGRC.exe
  C:\Windows\System32\xLKJGRC.exe
  2⤵
  PID:9392
- C:\Windows\System32\BYAWawX.exe
  C:\Windows\System32\BYAWawX.exe
  2⤵
  PID:9420
- C:\Windows\System32\fyywWSV.exe
  C:\Windows\System32\fyywWSV.exe
  2⤵
  PID:9440
- C:\Windows\System32\XeVjxur.exe
  C:\Windows\System32\XeVjxur.exe
  2⤵
  PID:9504
- C:\Windows\System32\TcoakEN.exe
  C:\Windows\System32\TcoakEN.exe
  2⤵
  PID:9540
- C:\Windows\System32\dmylzBi.exe
  C:\Windows\System32\dmylzBi.exe
  2⤵
  PID:9560
- C:\Windows\System32\RYgCzaH.exe
  C:\Windows\System32\RYgCzaH.exe
  2⤵
  PID:9576
- C:\Windows\System32\suPfbTs.exe
  C:\Windows\System32\suPfbTs.exe
  2⤵
  PID:9616
- C:\Windows\System32\hNlzgYN.exe
  C:\Windows\System32\hNlzgYN.exe
  2⤵
  PID:9632
- C:\Windows\System32\SRaOMAV.exe
  C:\Windows\System32\SRaOMAV.exe
  2⤵
  PID:9668
- C:\Windows\System32\ZAfNizj.exe
  C:\Windows\System32\ZAfNizj.exe
  2⤵
  PID:9688
- C:\Windows\System32\XmGElrv.exe
  C:\Windows\System32\XmGElrv.exe
  2⤵
  PID:9732
- C:\Windows\System32\jYVSGIP.exe
  C:\Windows\System32\jYVSGIP.exe
  2⤵
  PID:9760
- C:\Windows\System32\fkAHYOE.exe
  C:\Windows\System32\fkAHYOE.exe
  2⤵
  PID:9784
- C:\Windows\System32\dyzIsYo.exe
  C:\Windows\System32\dyzIsYo.exe
  2⤵
  PID:9824
- C:\Windows\System32\bGRydvD.exe
  C:\Windows\System32\bGRydvD.exe
  2⤵
  PID:9848
- C:\Windows\System32\NBmhelA.exe
  C:\Windows\System32\NBmhelA.exe
  2⤵
  PID:9864
- C:\Windows\System32\eulVtQc.exe
  C:\Windows\System32\eulVtQc.exe
  2⤵
  PID:9884
- C:\Windows\System32\byOvhVK.exe
  C:\Windows\System32\byOvhVK.exe
  2⤵
  PID:9916
- C:\Windows\System32\fDWHyhJ.exe
  C:\Windows\System32\fDWHyhJ.exe
  2⤵
  PID:9948
- C:\Windows\System32\RkoDXKR.exe
  C:\Windows\System32\RkoDXKR.exe
  2⤵
  PID:9972
- C:\Windows\System32\qEGXYUF.exe
  C:\Windows\System32\qEGXYUF.exe
  2⤵
  PID:10004
- C:\Windows\System32\BgYkHOd.exe
  C:\Windows\System32\BgYkHOd.exe
  2⤵
  PID:10028
- C:\Windows\System32\fcTaIRy.exe
  C:\Windows\System32\fcTaIRy.exe
  2⤵
  PID:10052
- C:\Windows\System32\MlwyjYj.exe
  C:\Windows\System32\MlwyjYj.exe
  2⤵
  PID:10088
- C:\Windows\System32\rLrLPNm.exe
  C:\Windows\System32\rLrLPNm.exe
  2⤵
  PID:10120
- C:\Windows\System32\YgWuaXo.exe
  C:\Windows\System32\YgWuaXo.exe
  2⤵
  PID:10140
- C:\Windows\System32\brtiXFl.exe
  C:\Windows\System32\brtiXFl.exe
  2⤵
  PID:10160
- C:\Windows\System32\yCroYTj.exe
  C:\Windows\System32\yCroYTj.exe
  2⤵
  PID:10184
- C:\Windows\System32\oSLHOjL.exe
  C:\Windows\System32\oSLHOjL.exe
  2⤵
  PID:10204
- C:\Windows\System32\WItdcMR.exe
  C:\Windows\System32\WItdcMR.exe
  2⤵
  PID:10224
- C:\Windows\System32\arLjajU.exe
  C:\Windows\System32\arLjajU.exe
  2⤵
  PID:8820
- C:\Windows\System32\MFHDUPA.exe
  C:\Windows\System32\MFHDUPA.exe
  2⤵
  PID:9344
- C:\Windows\System32\uNJdPmH.exe
  C:\Windows\System32\uNJdPmH.exe
  2⤵
  PID:9376
- C:\Windows\System32\ajEJwhJ.exe
  C:\Windows\System32\ajEJwhJ.exe
  2⤵
  PID:9452
- C:\Windows\System32\gLadyzp.exe
  C:\Windows\System32\gLadyzp.exe
  2⤵
  PID:9572
- C:\Windows\System32\LxEnIiI.exe
  C:\Windows\System32\LxEnIiI.exe
  2⤵
  PID:8904
- C:\Windows\System32\bAQMhjP.exe
  C:\Windows\System32\bAQMhjP.exe
  2⤵
  PID:9624
- C:\Windows\System32\vGxaGYM.exe
  C:\Windows\System32\vGxaGYM.exe
  2⤵
  PID:9680
- C:\Windows\System32\RdLqbYM.exe
  C:\Windows\System32\RdLqbYM.exe
  2⤵
  PID:9768
- C:\Windows\System32\ZBIMEkL.exe
  C:\Windows\System32\ZBIMEkL.exe
  2⤵
  PID:9808
- C:\Windows\System32\puOmecQ.exe
  C:\Windows\System32\puOmecQ.exe
  2⤵
  PID:9900
- C:\Windows\System32\RPbEpxP.exe
  C:\Windows\System32\RPbEpxP.exe
  2⤵
  PID:9924
- C:\Windows\System32\tIGtpwv.exe
  C:\Windows\System32\tIGtpwv.exe
  2⤵
  PID:10016
- C:\Windows\System32\dVXrfrD.exe
  C:\Windows\System32\dVXrfrD.exe
  2⤵
  PID:10048
- C:\Windows\System32\xCmbjcH.exe
  C:\Windows\System32\xCmbjcH.exe
  2⤵
  PID:10112
- C:\Windows\System32\XuotZfS.exe
  C:\Windows\System32\XuotZfS.exe
  2⤵
  PID:10192
- C:\Windows\System32\etJiIJp.exe
  C:\Windows\System32\etJiIJp.exe
  2⤵
  PID:10236
- C:\Windows\System32\QXwRTYk.exe
  C:\Windows\System32\QXwRTYk.exe
  2⤵
  PID:8436
- C:\Windows\System32\aWrKaSS.exe
  C:\Windows\System32\aWrKaSS.exe
  2⤵
  PID:9480
- C:\Windows\System32\KxNrUOO.exe
  C:\Windows\System32\KxNrUOO.exe
  2⤵
  PID:9796
- C:\Windows\System32\fUiZtMK.exe
  C:\Windows\System32\fUiZtMK.exe
  2⤵
  PID:9876
- C:\Windows\System32\CtkImtF.exe
  C:\Windows\System32\CtkImtF.exe
  2⤵
  PID:10060
- C:\Windows\System32\NflVuYE.exe
  C:\Windows\System32\NflVuYE.exe
  2⤵
  PID:9244
- C:\Windows\System32\SIKJCCA.exe
  C:\Windows\System32\SIKJCCA.exe
  2⤵
  PID:10176
- C:\Windows\System32\Apdiqiw.exe
  C:\Windows\System32\Apdiqiw.exe
  2⤵
  PID:9704
- C:\Windows\System32\kmbJlPy.exe
  C:\Windows\System32\kmbJlPy.exe
  2⤵
  PID:9964
- C:\Windows\System32\wQGIcDV.exe
  C:\Windows\System32\wQGIcDV.exe
  2⤵
  PID:9260
- C:\Windows\System32\KZqVewL.exe
  C:\Windows\System32\KZqVewL.exe
  2⤵
  PID:9776
- C:\Windows\System32\zXqModP.exe
  C:\Windows\System32\zXqModP.exe
  2⤵
  PID:10248
- C:\Windows\System32\IqeNPPF.exe
  C:\Windows\System32\IqeNPPF.exe
  2⤵
  PID:10280
- C:\Windows\System32\YwspxHG.exe
  C:\Windows\System32\YwspxHG.exe
  2⤵
  PID:10304
- C:\Windows\System32\LTQFuTM.exe
  C:\Windows\System32\LTQFuTM.exe
  2⤵
  PID:10328
- C:\Windows\System32\inmOBXl.exe
  C:\Windows\System32\inmOBXl.exe
  2⤵
  PID:10380
- C:\Windows\System32\LlRtWVM.exe
  C:\Windows\System32\LlRtWVM.exe
  2⤵
  PID:10416
- C:\Windows\System32\qXDIjTs.exe
  C:\Windows\System32\qXDIjTs.exe
  2⤵
  PID:10452
- C:\Windows\System32\xTgJZGX.exe
  C:\Windows\System32\xTgJZGX.exe
  2⤵
  PID:10476
- C:\Windows\System32\OydNclZ.exe
  C:\Windows\System32\OydNclZ.exe
  2⤵
  PID:10516
- C:\Windows\System32\ANIfaJL.exe
  C:\Windows\System32\ANIfaJL.exe
  2⤵
  PID:10536
- C:\Windows\System32\fKQkGoL.exe
  C:\Windows\System32\fKQkGoL.exe
  2⤵
  PID:10556
- C:\Windows\System32\bIyyzRQ.exe
  C:\Windows\System32\bIyyzRQ.exe
  2⤵
  PID:10600
- C:\Windows\System32\DNfAhlV.exe
  C:\Windows\System32\DNfAhlV.exe
  2⤵
  PID:10628
- C:\Windows\System32\nXbGKMJ.exe
  C:\Windows\System32\nXbGKMJ.exe
  2⤵
  PID:10648
- C:\Windows\System32\NStfOZm.exe
  C:\Windows\System32\NStfOZm.exe
  2⤵
  PID:10672
- C:\Windows\System32\GbuzxCW.exe
  C:\Windows\System32\GbuzxCW.exe
  2⤵
  PID:10708
- C:\Windows\System32\UyahUvA.exe
  C:\Windows\System32\UyahUvA.exe
  2⤵
  PID:10728
- C:\Windows\System32\YniLysy.exe
  C:\Windows\System32\YniLysy.exe
  2⤵
  PID:10748
- C:\Windows\System32\qXBOqNE.exe
  C:\Windows\System32\qXBOqNE.exe
  2⤵
  PID:10784
- C:\Windows\System32\oqGeyYz.exe
  C:\Windows\System32\oqGeyYz.exe
  2⤵
  PID:10812
- C:\Windows\System32\leSdHkp.exe
  C:\Windows\System32\leSdHkp.exe
  2⤵
  PID:10828
- C:\Windows\System32\RBAGRyO.exe
  C:\Windows\System32\RBAGRyO.exe
  2⤵
  PID:10848
- C:\Windows\System32\RgPdUYd.exe
  C:\Windows\System32\RgPdUYd.exe
  2⤵
  PID:10872
- C:\Windows\System32\PIvFBkq.exe
  C:\Windows\System32\PIvFBkq.exe
  2⤵
  PID:10900
- C:\Windows\System32\PCZEfNK.exe
  C:\Windows\System32\PCZEfNK.exe
  2⤵
  PID:10924
- C:\Windows\System32\OrSqGjB.exe
  C:\Windows\System32\OrSqGjB.exe
  2⤵
  PID:10956
- C:\Windows\System32\EUEmclQ.exe
  C:\Windows\System32\EUEmclQ.exe
  2⤵
  PID:10976
- C:\Windows\System32\uAuouDM.exe
  C:\Windows\System32\uAuouDM.exe
  2⤵
  PID:10992
- C:\Windows\System32\NlcaFIc.exe
  C:\Windows\System32\NlcaFIc.exe
  2⤵
  PID:11016
- C:\Windows\System32\MvEBwcX.exe
  C:\Windows\System32\MvEBwcX.exe
  2⤵
  PID:11040
- C:\Windows\System32\HOLaawR.exe
  C:\Windows\System32\HOLaawR.exe
  2⤵
  PID:11060
- C:\Windows\System32\bcZSoxf.exe
  C:\Windows\System32\bcZSoxf.exe
  2⤵
  PID:11112
- C:\Windows\System32\acxHKkW.exe
  C:\Windows\System32\acxHKkW.exe
  2⤵
  PID:11164
- C:\Windows\System32\AyFKlKs.exe
  C:\Windows\System32\AyFKlKs.exe
  2⤵
  PID:11196
- C:\Windows\System32\OMsUTjQ.exe
  C:\Windows\System32\OMsUTjQ.exe
  2⤵
  PID:11232
- C:\Windows\System32\JJoAuzF.exe
  C:\Windows\System32\JJoAuzF.exe
  2⤵
  PID:11248
- C:\Windows\System32\EfKOpqI.exe
  C:\Windows\System32\EfKOpqI.exe
  2⤵
  PID:10256
- C:\Windows\System32\JkPEYVI.exe
  C:\Windows\System32\JkPEYVI.exe
  2⤵
  PID:10300
- C:\Windows\System32\ZhsTTeq.exe
  C:\Windows\System32\ZhsTTeq.exe
  2⤵
  PID:10360
- C:\Windows\System32\EjGdQVy.exe
  C:\Windows\System32\EjGdQVy.exe
  2⤵
  PID:10440
- C:\Windows\System32\cjmovPb.exe
  C:\Windows\System32\cjmovPb.exe
  2⤵
  PID:10488
- C:\Windows\System32\DgyWKRN.exe
  C:\Windows\System32\DgyWKRN.exe
  2⤵
  PID:10572
- C:\Windows\System32\oVaJcEK.exe
  C:\Windows\System32\oVaJcEK.exe
  2⤵
  PID:10660
- C:\Windows\System32\dFRQBmo.exe
  C:\Windows\System32\dFRQBmo.exe
  2⤵
  PID:10684
- C:\Windows\System32\wrbHGvV.exe
  C:\Windows\System32\wrbHGvV.exe
  2⤵
  PID:10720
- C:\Windows\System32\MGhuPdv.exe
  C:\Windows\System32\MGhuPdv.exe
  2⤵
  PID:10804
- C:\Windows\System32\vJWqANs.exe
  C:\Windows\System32\vJWqANs.exe
  2⤵
  PID:10836
- C:\Windows\System32\MbzkfSs.exe
  C:\Windows\System32\MbzkfSs.exe
  2⤵
  PID:11024
- C:\Windows\System32\dzAIyXP.exe
  C:\Windows\System32\dzAIyXP.exe
  2⤵
  PID:11096
- C:\Windows\System32\AQIdOor.exe
  C:\Windows\System32\AQIdOor.exe
  2⤵
  PID:11068
- C:\Windows\System32\IkthlLH.exe
  C:\Windows\System32\IkthlLH.exe
  2⤵
  PID:10264
- C:\Windows\System32\rmHHZAZ.exe
  C:\Windows\System32\rmHHZAZ.exe
  2⤵
  PID:10392
- C:\Windows\System32\GSYyKNS.exe
  C:\Windows\System32\GSYyKNS.exe
  2⤵
  PID:10336
- C:\Windows\System32\fMTcxTP.exe
  C:\Windows\System32\fMTcxTP.exe
  2⤵
  PID:10552
- C:\Windows\System32\WcFzsfw.exe
  C:\Windows\System32\WcFzsfw.exe
  2⤵
  PID:10772
- C:\Windows\System32\SaZpJqj.exe
  C:\Windows\System32\SaZpJqj.exe
  2⤵
  PID:10780
- C:\Windows\System32\tsRnwBE.exe
  C:\Windows\System32\tsRnwBE.exe
  2⤵
  PID:10916
- C:\Windows\System32\fmohZxL.exe
  C:\Windows\System32\fmohZxL.exe
  2⤵
  PID:11052
- C:\Windows\System32\mEASZTJ.exe
  C:\Windows\System32\mEASZTJ.exe
  2⤵
  PID:10448
- C:\Windows\System32\OyOkVXt.exe
  C:\Windows\System32\OyOkVXt.exe
  2⤵
  PID:10696
- C:\Windows\System32\WxxFVVK.exe
  C:\Windows\System32\WxxFVVK.exe
  2⤵
  PID:11120
- C:\Windows\System32\UDuIzvR.exe
  C:\Windows\System32\UDuIzvR.exe
  2⤵
  PID:11036
- C:\Windows\System32\jpYeEAv.exe
  C:\Windows\System32\jpYeEAv.exe
  2⤵
  PID:11276
- C:\Windows\System32\DedWPgY.exe
  C:\Windows\System32\DedWPgY.exe
  2⤵
  PID:11292
- C:\Windows\System32\mysHwCf.exe
  C:\Windows\System32\mysHwCf.exe
  2⤵
  PID:11316
- C:\Windows\System32\iCMguIm.exe
  C:\Windows\System32\iCMguIm.exe
  2⤵
  PID:11368
- C:\Windows\System32\uRTaAbH.exe
  C:\Windows\System32\uRTaAbH.exe
  2⤵
  PID:11392
- C:\Windows\System32\zVTJeIB.exe
  C:\Windows\System32\zVTJeIB.exe
  2⤵
  PID:11432
- C:\Windows\System32\qzRejQb.exe
  C:\Windows\System32\qzRejQb.exe
  2⤵
  PID:11460
- C:\Windows\System32\uGKzZqh.exe
  C:\Windows\System32\uGKzZqh.exe
  2⤵
  PID:11484
- C:\Windows\System32\KGiSajI.exe
  C:\Windows\System32\KGiSajI.exe
  2⤵
  PID:11504
- C:\Windows\System32\ojglzHU.exe
  C:\Windows\System32\ojglzHU.exe
  2⤵
  PID:11544
- C:\Windows\System32\bLJNTOU.exe
  C:\Windows\System32\bLJNTOU.exe
  2⤵
  PID:11572
- C:\Windows\System32\AGXIgTG.exe
  C:\Windows\System32\AGXIgTG.exe
  2⤵
  PID:11592
- C:\Windows\System32\eFDDTPk.exe
  C:\Windows\System32\eFDDTPk.exe
  2⤵
  PID:11616
- C:\Windows\System32\RInviWQ.exe
  C:\Windows\System32\RInviWQ.exe
  2⤵
  PID:11632
- C:\Windows\System32\LSiQhgm.exe
  C:\Windows\System32\LSiQhgm.exe
  2⤵
  PID:11660
- C:\Windows\System32\COuUPNl.exe
  C:\Windows\System32\COuUPNl.exe
  2⤵
  PID:11692
- C:\Windows\System32\zLeNdll.exe
  C:\Windows\System32\zLeNdll.exe
  2⤵
  PID:11736
- C:\Windows\System32\XTbVDkk.exe
  C:\Windows\System32\XTbVDkk.exe
  2⤵
  PID:11756
- C:\Windows\System32\AXRGRNr.exe
  C:\Windows\System32\AXRGRNr.exe
  2⤵
  PID:11792
- C:\Windows\System32\FbPRfuO.exe
  C:\Windows\System32\FbPRfuO.exe
  2⤵
  PID:11816
- C:\Windows\System32\CYPAisM.exe
  C:\Windows\System32\CYPAisM.exe
  2⤵
  PID:11840
- C:\Windows\System32\xmjNYyk.exe
  C:\Windows\System32\xmjNYyk.exe
  2⤵
  PID:11856
- C:\Windows\System32\CcKikSf.exe
  C:\Windows\System32\CcKikSf.exe
  2⤵
  PID:11876
- C:\Windows\System32\WvIWCSb.exe
  C:\Windows\System32\WvIWCSb.exe
  2⤵
  PID:11920
- C:\Windows\System32\rvtXhmY.exe
  C:\Windows\System32\rvtXhmY.exe
  2⤵
  PID:11952
- C:\Windows\System32\fQuaknv.exe
  C:\Windows\System32\fQuaknv.exe
  2⤵
  PID:11968
- C:\Windows\System32\FCYrlXh.exe
  C:\Windows\System32\FCYrlXh.exe
  2⤵
  PID:11988
- C:\Windows\System32\jKDVNeL.exe
  C:\Windows\System32\jKDVNeL.exe
  2⤵
  PID:12008
- C:\Windows\System32\EKdpiiT.exe
  C:\Windows\System32\EKdpiiT.exe
  2⤵
  PID:12028
- C:\Windows\System32\OhzFdiI.exe
  C:\Windows\System32\OhzFdiI.exe
  2⤵
  PID:12044
- C:\Windows\System32\LlPZpsu.exe
  C:\Windows\System32\LlPZpsu.exe
  2⤵
  PID:12064
- C:\Windows\System32\MPSYTse.exe
  C:\Windows\System32\MPSYTse.exe
  2⤵
  PID:12116
- C:\Windows\System32\KGCvWUS.exe
  C:\Windows\System32\KGCvWUS.exe
  2⤵
  PID:12144
- C:\Windows\System32\mihlRwN.exe
  C:\Windows\System32\mihlRwN.exe
  2⤵
  PID:12200
- C:\Windows\System32\FJclGRa.exe
  C:\Windows\System32\FJclGRa.exe
  2⤵
  PID:12232
- C:\Windows\System32\kvvRyAO.exe
  C:\Windows\System32\kvvRyAO.exe
  2⤵
  PID:12256
- C:\Windows\System32\JcmNvPB.exe
  C:\Windows\System32\JcmNvPB.exe
  2⤵
  PID:12276
- C:\Windows\System32\SGrsApH.exe
  C:\Windows\System32\SGrsApH.exe
  2⤵
  PID:11144
- C:\Windows\System32\eUDzvJc.exe
  C:\Windows\System32\eUDzvJc.exe
  2⤵
  PID:11348
- C:\Windows\System32\meFVWYG.exe
  C:\Windows\System32\meFVWYG.exe
  2⤵
  PID:11428
- C:\Windows\System32\eInqjIC.exe
  C:\Windows\System32\eInqjIC.exe
  2⤵
  PID:11472
- C:\Windows\System32\ciJFeab.exe
  C:\Windows\System32\ciJFeab.exe
  2⤵
  PID:11532
- C:\Windows\System32\SsyMxBT.exe
  C:\Windows\System32\SsyMxBT.exe
  2⤵
  PID:11568
- C:\Windows\System32\PncyAbK.exe
  C:\Windows\System32\PncyAbK.exe
  2⤵
  PID:4996
- C:\Windows\System32\egWBkNR.exe
  C:\Windows\System32\egWBkNR.exe
  2⤵
  PID:11732
- C:\Windows\System32\ODgMeyj.exe
  C:\Windows\System32\ODgMeyj.exe
  2⤵
  PID:11788
- C:\Windows\System32\rfAfzOO.exe
  C:\Windows\System32\rfAfzOO.exe
  2⤵
  PID:11836
- C:\Windows\System32\vYnTCmD.exe
  C:\Windows\System32\vYnTCmD.exe
  2⤵
  PID:11896
- C:\Windows\System32\lMJzrTd.exe
  C:\Windows\System32\lMJzrTd.exe
  2⤵
  PID:11936
- C:\Windows\System32\UUdPleo.exe
  C:\Windows\System32\UUdPleo.exe
  2⤵
  PID:11984
- C:\Windows\System32\cuBUmwd.exe
  C:\Windows\System32\cuBUmwd.exe
  2⤵
  PID:12040
- C:\Windows\System32\avoPZTU.exe
  C:\Windows\System32\avoPZTU.exe
  2⤵
  PID:12060
- C:\Windows\System32\owuGbXa.exe
  C:\Windows\System32\owuGbXa.exe
  2⤵
  PID:3528
- C:\Windows\System32\imIXCzO.exe
  C:\Windows\System32\imIXCzO.exe
  2⤵
  PID:12188
- C:\Windows\System32\qNMVKwt.exe
  C:\Windows\System32\qNMVKwt.exe
  2⤵
  PID:2084
- C:\Windows\System32\KLkqhxt.exe
  C:\Windows\System32\KLkqhxt.exe
  2⤵
  PID:11324
- C:\Windows\System32\NHfdPef.exe
  C:\Windows\System32\NHfdPef.exe
  2⤵
  PID:11624
- C:\Windows\System32\alaVyVa.exe
  C:\Windows\System32\alaVyVa.exe
  2⤵
  PID:3536
- C:\Windows\System32\ljkeEgD.exe
  C:\Windows\System32\ljkeEgD.exe
  2⤵
  PID:3660
- C:\Windows\System32\ffwLpzQ.exe
  C:\Windows\System32\ffwLpzQ.exe
  2⤵
  PID:4588
- C:\Windows\System32\oWBOaSJ.exe
  C:\Windows\System32\oWBOaSJ.exe
  2⤵
  PID:12128
- C:\Windows\System32\GIBkcKY.exe
  C:\Windows\System32\GIBkcKY.exe
  2⤵
  PID:12212
- C:\Windows\System32\xAvcydA.exe
  C:\Windows\System32\xAvcydA.exe
  2⤵
  PID:12284
- C:\Windows\System32\YCLSjDY.exe
  C:\Windows\System32\YCLSjDY.exe
  2⤵
  PID:5084
- C:\Windows\System32\ljhJAnv.exe
  C:\Windows\System32\ljhJAnv.exe
  2⤵
  PID:11832
- C:\Windows\System32\NtqXbdc.exe
  C:\Windows\System32\NtqXbdc.exe
  2⤵
  PID:11496
- C:\Windows\System32\rBJYUCl.exe
  C:\Windows\System32\rBJYUCl.exe
  2⤵
  PID:11980
- C:\Windows\System32\YnOndKB.exe
  C:\Windows\System32\YnOndKB.exe
  2⤵
  PID:12220
- C:\Windows\System32\pEIKFYL.exe
  C:\Windows\System32\pEIKFYL.exe
  2⤵
  PID:11268
- C:\Windows\System32\VyBtbSI.exe
  C:\Windows\System32\VyBtbSI.exe
  2⤵
  PID:11388
- C:\Windows\System32\GunZgVR.exe
  C:\Windows\System32\GunZgVR.exe
  2⤵
  PID:11524
- C:\Windows\System32\pdQFKHF.exe
  C:\Windows\System32\pdQFKHF.exe
  2⤵
  PID:12304
- C:\Windows\System32\xutygeF.exe
  C:\Windows\System32\xutygeF.exe
  2⤵
  PID:12348
- C:\Windows\System32\kYqlTbN.exe
  C:\Windows\System32\kYqlTbN.exe
  2⤵
  PID:12372
- C:\Windows\System32\mjFhQYd.exe
  C:\Windows\System32\mjFhQYd.exe
  2⤵
  PID:12388
- C:\Windows\System32\vvrvmYP.exe
  C:\Windows\System32\vvrvmYP.exe
  2⤵
  PID:12424
- C:\Windows\System32\yRPlzGE.exe
  C:\Windows\System32\yRPlzGE.exe
  2⤵
  PID:12452
- C:\Windows\System32\BpcFHFt.exe
  C:\Windows\System32\BpcFHFt.exe
  2⤵
  PID:12476
- C:\Windows\System32\zhGcYPq.exe
  C:\Windows\System32\zhGcYPq.exe
  2⤵
  PID:12500
- C:\Windows\System32\GEgJLOt.exe
  C:\Windows\System32\GEgJLOt.exe
  2⤵
  PID:12552
- C:\Windows\System32\oZgAoHx.exe
  C:\Windows\System32\oZgAoHx.exe
  2⤵
  PID:12596
- C:\Windows\System32\paapAju.exe
  C:\Windows\System32\paapAju.exe
  2⤵
  PID:12640
- C:\Windows\System32\eQoZepX.exe
  C:\Windows\System32\eQoZepX.exe
  2⤵
  PID:12684
- C:\Windows\System32\wCcksOU.exe
  C:\Windows\System32\wCcksOU.exe
  2⤵
  PID:12700
- C:\Windows\System32\CMqlsLf.exe
  C:\Windows\System32\CMqlsLf.exe
  2⤵
  PID:12720
- C:\Windows\System32\NqBZHGW.exe
  C:\Windows\System32\NqBZHGW.exe
  2⤵
  PID:12744
- C:\Windows\System32\xkXbzPV.exe
  C:\Windows\System32\xkXbzPV.exe
  2⤵
  PID:12772
- C:\Windows\System32\nviWmPn.exe
  C:\Windows\System32\nviWmPn.exe
  2⤵
  PID:12788
- C:\Windows\System32\TpimCvJ.exe
  C:\Windows\System32\TpimCvJ.exe
  2⤵
  PID:12812
- C:\Windows\System32\ALKWKri.exe
  C:\Windows\System32\ALKWKri.exe
  2⤵
  PID:12832
- C:\Windows\System32\rtXmvkG.exe
  C:\Windows\System32\rtXmvkG.exe
  2⤵
  PID:12860
- C:\Windows\System32\qVFatDC.exe
  C:\Windows\System32\qVFatDC.exe
  2⤵
  PID:12928
- C:\Windows\System32\gCTaXft.exe
  C:\Windows\System32\gCTaXft.exe
  2⤵
  PID:12956
- C:\Windows\System32\lFPrssJ.exe
  C:\Windows\System32\lFPrssJ.exe
  2⤵
  PID:12980
- C:\Windows\System32\niADEIf.exe
  C:\Windows\System32\niADEIf.exe
  2⤵
  PID:12996
- C:\Windows\System32\txOVAsE.exe
  C:\Windows\System32\txOVAsE.exe
  2⤵
  PID:13016
- C:\Windows\System32\jFadWat.exe
  C:\Windows\System32\jFadWat.exe
  2⤵
  PID:13032
- C:\Windows\System32\SCgEojj.exe
  C:\Windows\System32\SCgEojj.exe
  2⤵
  PID:13060
- C:\Windows\System32\qSTIaku.exe
  C:\Windows\System32\qSTIaku.exe
  2⤵
  PID:13076
- C:\Windows\System32\OTZKDbp.exe
  C:\Windows\System32\OTZKDbp.exe
  2⤵
  PID:13128
- C:\Windows\System32\sqOkdQJ.exe
  C:\Windows\System32\sqOkdQJ.exe
  2⤵
  PID:13156
- C:\Windows\System32\lcmNjov.exe
  C:\Windows\System32\lcmNjov.exe
  2⤵
  PID:13180
- C:\Windows\System32\EExjfps.exe
  C:\Windows\System32\EExjfps.exe
  2⤵
  PID:13216
- C:\Windows\System32\rycACiB.exe
  C:\Windows\System32\rycACiB.exe
  2⤵
  PID:13236
- C:\Windows\System32\GwamlHk.exe
  C:\Windows\System32\GwamlHk.exe
  2⤵
  PID:13252
- C:\Windows\System32\AWRkQvA.exe
  C:\Windows\System32\AWRkQvA.exe
  2⤵
  PID:13292
- C:\Windows\System32\rYOJDlZ.exe
  C:\Windows\System32\rYOJDlZ.exe
  2⤵
  PID:11888
- C:\Windows\System32\QWRbzaO.exe
  C:\Windows\System32\QWRbzaO.exe
  2⤵
  PID:3616
- C:\Windows\System32\kmnNMyK.exe
  C:\Windows\System32\kmnNMyK.exe
  2⤵
  PID:12296
- C:\Windows\System32\lSOwOIL.exe
  C:\Windows\System32\lSOwOIL.exe
  2⤵
  PID:12448
- C:\Windows\System32\ghDurJy.exe
  C:\Windows\System32\ghDurJy.exe
  2⤵
  PID:12580
- C:\Windows\System32\Hlrobvz.exe
  C:\Windows\System32\Hlrobvz.exe
  2⤵
  PID:12636
- C:\Windows\System32\pcVJTog.exe
  C:\Windows\System32\pcVJTog.exe
  2⤵
  PID:12680
- C:\Windows\System32\kYtVFjQ.exe
  C:\Windows\System32\kYtVFjQ.exe
  2⤵
  PID:12760
- C:\Windows\System32\OhSiIAs.exe
  C:\Windows\System32\OhSiIAs.exe
  2⤵
  PID:11868
- C:\Windows\System32\qvZPlFv.exe
  C:\Windows\System32\qvZPlFv.exe
  2⤵
  PID:12828
- C:\Windows\System32\krQjjqy.exe
  C:\Windows\System32\krQjjqy.exe
  2⤵
  PID:12880
- C:\Windows\System32\LjuXrAJ.exe
  C:\Windows\System32\LjuXrAJ.exe
  2⤵
  PID:12824
- C:\Windows\System32\ryObEjJ.exe
  C:\Windows\System32\ryObEjJ.exe
  2⤵
  PID:12976
- C:\Windows\System32\yAiXswQ.exe
  C:\Windows\System32\yAiXswQ.exe
  2⤵
  PID:13024
- C:\Windows\System32\eCMlqMF.exe
  C:\Windows\System32\eCMlqMF.exe
  2⤵
  PID:13136
- C:\Windows\System32\nOFZlRS.exe
  C:\Windows\System32\nOFZlRS.exe
  2⤵
  PID:13168
- C:\Windows\System32\fXmXNyg.exe
  C:\Windows\System32\fXmXNyg.exe
  2⤵
  PID:13224
- C:\Windows\System32\FcfjBjO.exe
  C:\Windows\System32\FcfjBjO.exe
  2⤵
  PID:13288
- C:\Windows\System32\yvgZPJh.exe
  C:\Windows\System32\yvgZPJh.exe
  2⤵
  PID:12312
- C:\Windows\System32\wHnsQWo.exe
  C:\Windows\System32\wHnsQWo.exe
  2⤵
  PID:12616
- C:\Windows\System32\ZVeOGyN.exe
  C:\Windows\System32\ZVeOGyN.exe
  2⤵
  PID:12800
- C:\Windows\System32\twOgSvr.exe
  C:\Windows\System32\twOgSvr.exe
  2⤵
  PID:12804
- C:\Windows\System32\ygPFsVQ.exe
  C:\Windows\System32\ygPFsVQ.exe
  2⤵
  PID:13228
- C:\Windows\System32\vGNTlOo.exe
  C:\Windows\System32\vGNTlOo.exe
  2⤵
  PID:13280
- C:\Windows\System32\PApxIgV.exe
  C:\Windows\System32\PApxIgV.exe
  2⤵
  PID:12696
- C:\Windows\System32\gzrMpzy.exe
  C:\Windows\System32\gzrMpzy.exe
  2⤵
  PID:11556
- C:\Windows\System32\dpjZkMT.exe
  C:\Windows\System32\dpjZkMT.exe
  2⤵
  PID:13108
- C:\Windows\System32\mPsnsPk.exe
  C:\Windows\System32\mPsnsPk.exe
  2⤵
  PID:12104
- C:\Windows\System32\DjWHPni.exe
  C:\Windows\System32\DjWHPni.exe
  2⤵
  PID:12808
- C:\Windows\System32\xakOifN.exe
  C:\Windows\System32\xakOifN.exe
  2⤵
  PID:13348
- C:\Windows\System32\WizWgTQ.exe
  C:\Windows\System32\WizWgTQ.exe
  2⤵
  PID:13364
- C:\Windows\System32\UkRkhAR.exe
  C:\Windows\System32\UkRkhAR.exe
  2⤵
  PID:13396
- C:\Windows\System32\UAIDoBk.exe
  C:\Windows\System32\UAIDoBk.exe
  2⤵
  PID:13444
- C:\Windows\System32\Yoyeqyt.exe
  C:\Windows\System32\Yoyeqyt.exe
  2⤵
  PID:13484
- C:\Windows\System32\WrdZuNY.exe
  C:\Windows\System32\WrdZuNY.exe
  2⤵
  PID:13504
- C:\Windows\System32\rywUEmQ.exe
  C:\Windows\System32\rywUEmQ.exe
  2⤵
  PID:13548
- C:\Windows\System32\vSvjCnG.exe
  C:\Windows\System32\vSvjCnG.exe
  2⤵
  PID:13568
- C:\Windows\System32\OoaxWLV.exe
  C:\Windows\System32\OoaxWLV.exe
  2⤵
  PID:13596
- C:\Windows\System32\fmdRUje.exe
  C:\Windows\System32\fmdRUje.exe
  2⤵
  PID:13616
- C:\Windows\System32\sXOxPCY.exe
  C:\Windows\System32\sXOxPCY.exe
  2⤵
  PID:13672
- C:\Windows\System32\DhOVAAh.exe
  C:\Windows\System32\DhOVAAh.exe
  2⤵
  PID:13704
- C:\Windows\System32\ytworMg.exe
  C:\Windows\System32\ytworMg.exe
  2⤵
  PID:13724
- C:\Windows\System32\eZLtiju.exe
  C:\Windows\System32\eZLtiju.exe
  2⤵
  PID:13756
- C:\Windows\System32\IDymmBV.exe
  C:\Windows\System32\IDymmBV.exe
  2⤵
  PID:13780
- C:\Windows\System32\gaBPdYC.exe
  C:\Windows\System32\gaBPdYC.exe
  2⤵
  PID:13796
- C:\Windows\System32\pmFsZYD.exe
  C:\Windows\System32\pmFsZYD.exe
  2⤵
  PID:13820
- C:\Windows\System32\CsoGktr.exe
  C:\Windows\System32\CsoGktr.exe
  2⤵
  PID:13848
- C:\Windows\System32\lPPqOfy.exe
  C:\Windows\System32\lPPqOfy.exe
  2⤵
  PID:13904
- C:\Windows\System32\HZJDOGg.exe
  C:\Windows\System32\HZJDOGg.exe
  2⤵
  PID:13920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
1⤵
PID:6408

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\GXGBiJr.exe

Filesize
1.7MB

MD5
a09a194e882cdf5b2a5c78840226d58e

SHA1
1f4034d0481f66dcb7f411d085f094ba7ee3dcae

SHA256
a21663d1c0d38b4b84cd813f386c15124bcdd112f2aa9b77c8e29fdc067a6d31

SHA512
9197da9681094b666145d2776115f8ee4f6209641c0c1f103c2c4521348c427e6e09af1000c3cab0b7f7ea9b8c1db6be541fcaacde61cc3c33eddc5adb084ee0

Download Submit
C:\Windows\System32\GsnNkxM.exe

Filesize
1.6MB

MD5
99e4a51d67efd48bbec9cdb783f3e4fe

SHA1
84156fbd1135c487eadf8dc4ce2465995f927a54

SHA256
3f34890e269868d4c54545713096a3538462ea2b833859ac63588bcd46e249d8

SHA512
8636e6b0927e757b082cff85d150ab0f78dd71dd6832b1812300f34e6e1321a21928f45c6c031871dc996eda13110e5f24dddd4c29b9a57bbb3ed5b3eeefd8d7

Download Submit
C:\Windows\System32\HgGElUP.exe

Filesize
1.6MB

MD5
e2dd48bde9244a50501d8338cb5c738d

SHA1
9399781f7c85474980205981445d400fa96ba632

SHA256
a46d998adcb58e8fee3766fd29b4e7dc1de9dda5a1d854035561c50fd2827b2b

SHA512
9d584d122db7344f30f92604c9c46cfa4c57ba1540d2b996b66c8fa111f01ccfa85afc63990318329897263eaa9d7392ed8e5a98aa09989ebcbc69a43dc8eae1

Download Submit
C:\Windows\System32\IaHvdxm.exe

Filesize
1.6MB

MD5
eeb17cdb1aec2130aec147feaa6f3848

SHA1
887d18b30300e1447aa1b948c08e2ab60607f0e2

SHA256
daf0951d71afd4548175ab0fb6addca56ef69a999263ac03f7c42118a3ddd2bd

SHA512
eb3c9e1654e8e2ae20257fcb0725acc505d2d1f2dcbf94a71f20b7b7195f8e8897c60fc821366d2b4e3cffdfe254d67344e64082aa359d87aebda9e6d315348d

Download Submit
C:\Windows\System32\KFSVExV.exe

Filesize
1.7MB

MD5
8e2f6ffbf9281302e6c05b2634ef614a

SHA1
1656b1e8f85b44edf3008f114e8c2f84b8e20fdc

SHA256
e721e4b86d3ffbb93986f0701d3bc32d4cf1bba9a4bcebaefb69496703adee1f

SHA512
14920449f7b6891576e834306d32bcbd9768dc666ea1c57ddea8ec3f2ae4104666db2c3960c1f85895192cfe604c46f02fcb5c49ab3bb145e0449094e8a78fdb

Download Submit
C:\Windows\System32\LRToKay.exe

Filesize
1.7MB

MD5
49d426996babfe72350bcdd8c58948c4

SHA1
f6fca622205a889f9b4e1f0978e2756f94a6a17d

SHA256
794159f8f9ce116c888a699a186b7bea0fb62ba06c3854a89a18b8cf089774e2

SHA512
50ff87ff59c8313d5164a2791097d47af0cc9d45ee63b2aecff5a7e991ac6c09ee772e6c193f67740c6a2532a2a347a94751875a6a848bb3364f38f398ab53b6

Download Submit
C:\Windows\System32\LisZixN.exe

Filesize
1.6MB

MD5
a03650b63a25cadccf01e7b21d06cce7

SHA1
b83311bf4cdd60cac83429c0cc7152e1328f3f68

SHA256
3ffb47b253619ec06dccef50b03efc847e9a22f54f99d038391987c3a31b0378

SHA512
c802f821cb3b0808915fc5e36c340aa982b6255d84d755856b9579838e11276753f630910afcfceca9c6146706035325e5de5b014eda3c42e57dc1f91d5816f7

Download Submit
C:\Windows\System32\LydRLBH.exe

Filesize
1.6MB

MD5
e7ca0fc1f7c33fa122663ab291372166

SHA1
6399fac725610046fe3cf4e5a837e2d329535adb

SHA256
ada135aaa7276e0616823e206f693cc71adf062e08b8014f5614929156857e25

SHA512
b226c6d20d6fab3f48a5f94201d00019bbf3efca59556927dc19c86b8f6934c741bd6e937848b40382ab1624d7ab39488f6e7a7356d1dbbe583b55507bfe22dd

Download Submit
C:\Windows\System32\MuyDmfn.exe

Filesize
1.6MB

MD5
54ec4648c44ea4ce0150483207cfa99b

SHA1
95fe552717fa5fe2f94f854c63ac654526ca3fa3

SHA256
1956a5ab3f22bafcab27a70dd0f7b2f4b6893b09b646b782015f3d8634e3d2ed

SHA512
a1f7a481e2cd707c4354399d97d7eb77c712fb4d5ed7642fd59e50b889f0fe5e86bbe862781e6c2dc3013304c4e46afa40d477e17ae7fc1304db223a208ff067

Download Submit
C:\Windows\System32\QdtgeUN.exe

Filesize
1.6MB

MD5
5ad6162fadf4421cb64c09729b3f0423

SHA1
ec809727d7c5c183db8ad0b3e77562a539c60939

SHA256
5b4ffad6c79ac56907676846e75c5932c15deea381f595e9722e5eb9bcb09a53

SHA512
96d091e19ded548af53ce575d4e49fd4e2630be933a12f56d103371fad3c0085011c7fc929568fce0d78e958e3b8f4ce79ce22ef8ae34c00e37042ef619cb266

Download Submit
C:\Windows\System32\RALBHsf.exe

Filesize
1.6MB

MD5
50fa767d64d4506c905e433c76dc6d0c

SHA1
4b9edd45d813880949a2cae339429960afc4825e

SHA256
d44e50c7d41e88c844a9cb3868a5acd9c59d4e6c596131fed3d0a86834b4b92d

SHA512
4703efe32e853ef5154852330f72a1fd07c878cea326368ec4e49357abc48001f9970e2795e3bb77dc35b8092d26baeff6752db996559da15a5e41ce2bc94bfd

Download Submit
C:\Windows\System32\SEbklve.exe

Filesize
1.6MB

MD5
3b9f989c9b41b3dbb47ef0e1c99eb529

SHA1
7b8e4adcbd15378c9a58f95064f8f655e4725fc3

SHA256
4619d4f97e36349d4af8d257615dab498c5b3f10abe1c2d676eb55f786ede42d

SHA512
6a276ec7b556962de4c19729ef7f2c20e89bc9a1d77fda3dbef6fe28c66d7ac6bd5a93b37aec8286f507afb127b64e9aaa904699d078ca09095c37bf074b1f9a

Download Submit
C:\Windows\System32\SYsxvrl.exe

Filesize
1.6MB

MD5
7b0f7d291c93f8744c3bfea31316082e

SHA1
0533b93d8caa88a87fba12a337dc0063ca0d529b

SHA256
f3d70395a089c5f42012f53f1dfc2c71061c1f3e6eb912f730d53777204c70a1

SHA512
2697b5a18ef090e1769c15dd6a103fc58dfd880b24ac9500febe395b3b1a0777493ac2f402fe27c913107951fb3e74e382945bcf52f8f15848962821010ed905

Download Submit
C:\Windows\System32\ThjhEEG.exe

Filesize
1.7MB

MD5
bae55ee2811ebe1cb0d36ed491774efa

SHA1
4bbb71c8daa2d959dd709f2c8c08510b879d8be4

SHA256
90d62bcefdd1aabff1fc946f29fa700a49c3d017e79f4fae371b01acbd9e0729

SHA512
28e6b80020e86689d0706fc8f1bf21a5d6acb610102cc9a8923ce667ce2a530ff10196c57a483edb8e6d6d584427d114255cec18ef80cfb4b60cdcd436cf315e

Download Submit
C:\Windows\System32\TuZFagt.exe

Filesize
1.7MB

MD5
c03cc7a5f124b97ab3b6efc8e28ca65d

SHA1
8a464f9fcd42410f397c7eafef6854395dc960dd

SHA256
6b673091c9e176830e8cdebd6ffbf700b1741e545d15363af28581e815fef285

SHA512
21709a7fd4ce8027ff228245e91b8fa5eda69e907397d001af98f6d1cb7eaf561d930fa2804737c5d86d8566b8975e619ad11fa18256a67f82d3307b2b9a2236

Download Submit
C:\Windows\System32\YDCwtaw.exe

Filesize
1.6MB

MD5
c8f137e1e3e7511040e433ea78980841

SHA1
000aa9efd97572ea75458999290155496c7b2cf0

SHA256
fc16e2acc5d56dbc022d11a51be53889ae7b923bc82fe917d7f8fb3c47591e76

SHA512
5504410e3ef4fef6b99247cefe3541dce27249c2b838c1569781300540ca5f6e10c68478dd6a827a12ac624ffc9b99a444f8edf93c34479331e2b903cca27ed3

Download Submit
C:\Windows\System32\aCwZmBm.exe

Filesize
1.7MB

MD5
a246eceba3ee06cc81b8dea65ec9a12f

SHA1
b152b5de17dc1071187535d2a87ed1ac31e09bfb

SHA256
dd94a275f31da39c10c6f4912fb015ba3abcf4c654b934647cf56ca58b94c8c6

SHA512
29559fe4d9cc000f6d95629ee99d5582c123ff49a565429756fdf9cd4e2817d9407fecec024ef1eebac574b333040ed06e096199cc1105a6f5555037b1c99808

Download Submit
C:\Windows\System32\eQXTZMr.exe

Filesize
1.6MB

MD5
75209d55ba20a592c300675189e22f99

SHA1
1ab78099c0d4d7985371300bde293effaff7a508

SHA256
07fe95412a9e3fdccd718aecbb6d251b2754142bb13a32589defec2287995217

SHA512
edc300ae99aa4c2bd9dec06b30ed50f169175f128e7f2fc35834ac26bb9430b239766a02ebecf63ba434a8f288d28caca0188f9dd31a9eae6b9e8d353ab21100

Download Submit
C:\Windows\System32\eoapnny.exe

Filesize
1.6MB

MD5
00cf2416a9ba93534c4e6b4f3a0453af

SHA1
b52ac4848c67d04d3120a378f7f0a142b1426a06

SHA256
fe9d502c478c08338ac619b74948b4730a1c0d1ca9a1fd2662f5f26771229d89

SHA512
5480c36fc8a3087e042e5f9cf7698e2eb16a00ec98f0733d1e6624e6a12388db5ea850b4e1cba863eed6036d4d5df08414d70db047d6cfd09ca719f93cb5523b

Download Submit
C:\Windows\System32\fHALQuW.exe

Filesize
1.7MB

MD5
6d2b233dbaed1cd8e96b1ae00e6a02e6

SHA1
766138aa43943b6774bf5cf9a5202088d86a75f1

SHA256
7dfdbced50500be1fd50ca2ea6d0703f601efe02ede15c3f523cb83e48903724

SHA512
072e447f918200c169d2bdfa32117eeceb6513fcadb870e87b5b3ba7097dc112f690b9f042de8fba7386e43687810d32406f9e400426ecfd1ae499c5b30e3a84

Download Submit
C:\Windows\System32\fQvbnsa.exe

Filesize
1.7MB

MD5
8a8c06001739ec7e616e6a8414e2d6dd

SHA1
6128fecbb64ad78d3ff642d3ebdc603a586a6d9b

SHA256
980666278e0205a834e619ba353f7387334c2826ef0a4ec327bb516ebfec0f1e

SHA512
94741336465debed8bbe4200d4dcea089b45dedfcdb77e9f54a27d0d40bc18b9a21be2aefd32debaa85faa47eec067ea86638d721551e19ef7415dbc8c1f328e

Download Submit
C:\Windows\System32\gDyYIaE.exe

Filesize
1.6MB

MD5
5f487e0647d03c53be839174bc5790a6

SHA1
bb4a49b64f6a381e5bd50cdb96e9ab244077530d

SHA256
06bd59d7f9d7684a0a66c9e3f4082f1c5f2467ac413c2f9d1cdde303f60237be

SHA512
f048306fad8219ee1ba7d0d41882136a559bc31989e028989c634d3c8813a64a36a4f8ba6fcb7d055ae32681a8c93d520c7649e693f9622d9b38c5bc41387e99

Download Submit
C:\Windows\System32\hflvmJo.exe

Filesize
1.7MB

MD5
c591e4afba1eb0f05b72b20d996b0d48

SHA1
776b7ffa4f3589222555d584f92f41e76b343169

SHA256
87ad2c6ee59987552fe00a6c86b8a33a71cec44be8811ba6ee1f47188068a409

SHA512
ffa52fc479a3ebf4a5bbfd7f403df34a92c4cba66f7168db6f6d70aeff456fbdc0b54f19d654fb3b1102f8cc0c9145724589c54816232196f1539d8f8ef760fa

Download Submit
C:\Windows\System32\iMgkGEc.exe

Filesize
1.7MB

MD5
3f904849a94bc5ce2bcdc1fd81e7024b

SHA1
72de077723e15dd9e6cd27fc0547b0c14e7d6cd2

SHA256
e6f9ad0156f445c739ee974803befa6ca31a304dcf535c95a49cf6e297f073ad

SHA512
bf0d730df534fd7b4fc93a9d91bc27202944156b728607db589e9a513f0278a0342e44ee1f13c09cca4cf44c6bb823702641d70bf809e6297d5ed930652ae99d

Download Submit
C:\Windows\System32\jarJCGo.exe

Filesize
1.6MB

MD5
226d56fbd2711c803031eab3cb9464d4

SHA1
71eec56041aec0ccc3e87840c4eb7e40681edc8f

SHA256
6a49f314a76478907f7afa5ecf462ae39be08c72e5881b417ca1eb6cefc2d3c9

SHA512
ffed83769d3ad8fe59988a00a98e1ae3dd0d90a2d3c46cdbc6dcaf3aa2fb2b4bdad928f4383e1ef4f4efef761bee67a801896dc2e9614903551100aea1f6d7d8

Download Submit
C:\Windows\System32\keaVPvS.exe

Filesize
1.6MB

MD5
d2f6a3abe12ac2cc4a27bcde74cf541f

SHA1
ae1544f4199279ae3b811e8a9e5fcf9c7ed4eee4

SHA256
818303d22dac509d4dc0092d748221995e0b5bdb677ab5327b3dabc7ab48ae9b

SHA512
476d8d3c6d9bfac69a59ff57611ec510452bd3204432611e0692dfa5121f65a6ffd146295c3b5b48a5aa1b850ba511078475eeaa989d66d330a5c78d948c6e82

Download Submit
C:\Windows\System32\mEGqPKF.exe

Filesize
1.7MB

MD5
f9b0aaaf260f439780a5178cb9371d95

SHA1
ffd114a4433fcc9f7847195eae77844128b9ef1c

SHA256
cfbb2b2ae267617cd5e31209d27a2cb60d54e1de06324aad7763e7a77d88246d

SHA512
2a70949f1661a7bc362a04b340795555c03bd48be0e6f305022390d37709b85344f9613cb6421373b24ddaf21fd8b992c11dd333e56c67605c1fa688d8713517

Download Submit
C:\Windows\System32\meIOglY.exe

Filesize
1.6MB

MD5
9cf04a1cdde245211d0fb8ac9808ae93

SHA1
efc853528067d289244542aa0cdc5ff4ad2bee5b

SHA256
d2df082ae79e6aa983ea66d3f138cc1508cb3c74f2b4989c265dab10509b5e60

SHA512
da7c6a6f6c2cc5e25b3a8af10c309add048547eae175cd6f4f99fc04cd7e829e207818c8d5963fa514c9e6ae5ce3a930e12982cc2007f449f855871386313de0

Download Submit
C:\Windows\System32\sVuhsIG.exe

Filesize
1.6MB

MD5
e2db4296c10fdfa43e3415bbba1c41cb

SHA1
5abc1e1dc5797b50f8ea03ba9334465c50b8ef10

SHA256
436f36a87ddf264992d24fa3fd10178bdb42e8ddd6ba39d379f243572d94327b

SHA512
cb03860662bde37b60ef6bc81cfc1b798b64c325500d88798ebc967bd6a91f45763c633a2510213479d856a25b12578f7723be79c6663fb5c93431525866bb39

Download Submit
C:\Windows\System32\tpJdDba.exe

Filesize
1.6MB

MD5
3cd5ed7dfa1b1a1c0b1584b5a7d30add

SHA1
537274d9cbee938185a0235e936fb4194592d22f

SHA256
e427bbe98f1713df6f1c7deccc9e6674bf483684dd94b615dd9f9b4b08b7dac7

SHA512
0f10fff85c94996b6f6d8af8d50e3f54a17cc7e049f46e0406405ea9bf9a2a1c651a9037cc11a5a07c28e3d9361729f2ecfeac2de43900a18c1fcd658188f789

Download Submit
C:\Windows\System32\vHuwzlU.exe

Filesize
1.6MB

MD5
e3fefeed8020d138f33ff90c727ad383

SHA1
1f367e918b8e0a8eccf42692406739228d895770

SHA256
7034317f756efba9dba9aa75186239695d676cec1b678104248bbac7851352db

SHA512
7af56439eaad9d8b392e2f643dd76f5934d80a71a739aec931dc300800ad9ab5412850085b5e5d12ba49c08d7193a7ac70acb9c595827dec3ee85bd6e8a6522f

Download Submit
C:\Windows\System32\zPbbXfo.exe

Filesize
1.6MB

MD5
dd3b6f0c29744e0753086700a48e41e9

SHA1
0989feb0622ca528f2f5bc5832588c2ff1c3825e

SHA256
25b862960e91c7a7c2a84b18697115b93dc36993aeab1b624216a32ce1fe57dd

SHA512
12d6d6b7ecb0dc72c904b766c023e9cd248fdfb53d47ae31fc5f5912b703416bf36d8acddfc6a711efcd1334c8b0756d7fcb5a7faad47caf48655404635e51d1

Download Submit
memory/392-591-0x00007FF729F40000-0x00007FF72A331000-memory.dmp

Filesize
3.9MB

Download
memory/772-543-0x00007FF71E820000-0x00007FF71EC11000-memory.dmp

Filesize
3.9MB

Download
memory/772-2114-0x00007FF71E820000-0x00007FF71EC11000-memory.dmp

Filesize
3.9MB

Download
memory/1432-537-0x00007FF7BA6F0000-0x00007FF7BAAE1000-memory.dmp

Filesize
3.9MB

Download
memory/1432-2134-0x00007FF7BA6F0000-0x00007FF7BAAE1000-memory.dmp

Filesize
3.9MB

Download
memory/1436-536-0x00007FF698960000-0x00007FF698D51000-memory.dmp

Filesize
3.9MB

Download
memory/1684-538-0x00007FF63F230000-0x00007FF63F621000-memory.dmp

Filesize
3.9MB

Download
memory/1972-539-0x00007FF70F9C0000-0x00007FF70FDB1000-memory.dmp

Filesize
3.9MB

Download
memory/2016-27-0x00007FF63A080000-0x00007FF63A471000-memory.dmp

Filesize
3.9MB

Download
memory/2016-2073-0x00007FF63A080000-0x00007FF63A471000-memory.dmp

Filesize
3.9MB

Download
memory/2016-1551-0x00007FF63A080000-0x00007FF63A471000-memory.dmp

Filesize
3.9MB

Download
memory/2128-2116-0x00007FF610B20000-0x00007FF610F11000-memory.dmp

Filesize
3.9MB

Download
memory/2128-541-0x00007FF610B20000-0x00007FF610F11000-memory.dmp

Filesize
3.9MB

Download
memory/2320-574-0x00007FF7446C0000-0x00007FF744AB1000-memory.dmp

Filesize
3.9MB

Download
memory/2832-2106-0x00007FF7DE560000-0x00007FF7DE951000-memory.dmp

Filesize
3.9MB

Download
memory/2832-39-0x00007FF7DE560000-0x00007FF7DE951000-memory.dmp

Filesize
3.9MB

Download
memory/2832-1664-0x00007FF7DE560000-0x00007FF7DE951000-memory.dmp

Filesize
3.9MB

Download
memory/2836-534-0x00007FF6BD290000-0x00007FF6BD681000-memory.dmp

Filesize
3.9MB

Download
memory/2836-2077-0x00007FF6BD290000-0x00007FF6BD681000-memory.dmp

Filesize
3.9MB

Download
memory/2868-2118-0x00007FF6E3580000-0x00007FF6E3971000-memory.dmp

Filesize
3.9MB

Download
memory/2868-558-0x00007FF6E3580000-0x00007FF6E3971000-memory.dmp

Filesize
3.9MB

Download
memory/2972-573-0x00007FF6F5F90000-0x00007FF6F6381000-memory.dmp

Filesize
3.9MB

Download
memory/2972-2108-0x00007FF6F5F90000-0x00007FF6F6381000-memory.dmp

Filesize
3.9MB

Download
memory/3120-601-0x00007FF6CA460000-0x00007FF6CA851000-memory.dmp

Filesize
3.9MB

Download
memory/3196-1-0x00000186A57B0000-0x00000186A57C0000-memory.dmp

Filesize
64KB

Download
memory/3196-1548-0x00007FF726180000-0x00007FF726571000-memory.dmp

Filesize
3.9MB

Download
memory/3196-0-0x00007FF726180000-0x00007FF726571000-memory.dmp

Filesize
3.9MB

Download
memory/3704-2075-0x00007FF6585A0000-0x00007FF658991000-memory.dmp

Filesize
3.9MB

Download
memory/3704-595-0x00007FF6585A0000-0x00007FF658991000-memory.dmp

Filesize
3.9MB

Download
memory/3720-2112-0x00007FF79E480000-0x00007FF79E871000-memory.dmp

Filesize
3.9MB

Download
memory/3720-556-0x00007FF79E480000-0x00007FF79E871000-memory.dmp

Filesize
3.9MB

Download
memory/4120-578-0x00007FF6C92F0000-0x00007FF6C96E1000-memory.dmp

Filesize
3.9MB

Download
memory/4120-2127-0x00007FF6C92F0000-0x00007FF6C96E1000-memory.dmp

Filesize
3.9MB

Download
memory/4164-600-0x00007FF6CF830000-0x00007FF6CFC21000-memory.dmp

Filesize
3.9MB

Download
memory/4164-2131-0x00007FF6CF830000-0x00007FF6CFC21000-memory.dmp

Filesize
3.9MB

Download
memory/4172-2069-0x00007FF6C4510000-0x00007FF6C4901000-memory.dmp

Filesize
3.9MB

Download
memory/4172-31-0x00007FF6C4510000-0x00007FF6C4901000-memory.dmp

Filesize
3.9MB

Download
memory/4228-535-0x00007FF73E1B0000-0x00007FF73E5A1000-memory.dmp

Filesize
3.9MB

Download
memory/4240-542-0x00007FF7F40C0000-0x00007FF7F44B1000-memory.dmp

Filesize
3.9MB

Download
memory/4256-560-0x00007FF6ACBF0000-0x00007FF6ACFE1000-memory.dmp

Filesize
3.9MB

Download
memory/4256-2110-0x00007FF6ACBF0000-0x00007FF6ACFE1000-memory.dmp

Filesize
3.9MB

Download
memory/4392-540-0x00007FF7452C0000-0x00007FF7456B1000-memory.dmp

Filesize
3.9MB

Download
memory/4392-2125-0x00007FF7452C0000-0x00007FF7456B1000-memory.dmp

Filesize
3.9MB

Download
memory/4568-2071-0x00007FF7A5FB0000-0x00007FF7A63A1000-memory.dmp

Filesize
3.9MB

Download
memory/4568-34-0x00007FF7A5FB0000-0x00007FF7A63A1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads