xmrig | 94b10f678c862cee8b65e355ec439237d275ae4c53e02fa6e5673c78eee22f3b

Analysis

max time kernel
115s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ca269a50191c426d9f98e423eefa640N.exe
Size

1.9MB
MD5

3ca269a50191c426d9f98e423eefa640
SHA1

ca19f8d3b27b4bc19234357ec1eb4cb9617aec13
SHA256

94b10f678c862cee8b65e355ec439237d275ae4c53e02fa6e5673c78eee22f3b
SHA512

fc4a449dc3c2dfd3300b2ace7452aca2232390fc8eb730bed31440a49cc5c20f3edd0781539e29a72159f8b49e190ccd728734990dfb8153519c9f3015127ae7
SSDEEP

49152:knw9oUUEEDlOh516Q+oxxcdBDog6FhIVx:kQUEEr

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4044-461-0x00007FF6C0CC0000-0x00007FF6C10B1000-memory.dmp	xmrig
behavioral2/memory/3144-463-0x00007FF748350000-0x00007FF748741000-memory.dmp	xmrig
behavioral2/memory/4456-17-0x00007FF72B9F0000-0x00007FF72BDE1000-memory.dmp	xmrig
behavioral2/memory/3912-11-0x00007FF61BA20000-0x00007FF61BE11000-memory.dmp	xmrig
behavioral2/memory/4996-470-0x00007FF62E7F0000-0x00007FF62EBE1000-memory.dmp	xmrig
behavioral2/memory/2784-475-0x00007FF68BE10000-0x00007FF68C201000-memory.dmp	xmrig
behavioral2/memory/840-479-0x00007FF6EEFA0000-0x00007FF6EF391000-memory.dmp	xmrig
behavioral2/memory/812-485-0x00007FF6B3BE0000-0x00007FF6B3FD1000-memory.dmp	xmrig
behavioral2/memory/4144-465-0x00007FF6536E0000-0x00007FF653AD1000-memory.dmp	xmrig
behavioral2/memory/3936-491-0x00007FF658D60000-0x00007FF659151000-memory.dmp	xmrig
behavioral2/memory/4256-494-0x00007FF7AA790000-0x00007FF7AAB81000-memory.dmp	xmrig
behavioral2/memory/1500-496-0x00007FF60D740000-0x00007FF60DB31000-memory.dmp	xmrig
behavioral2/memory/2836-502-0x00007FF6691E0000-0x00007FF6695D1000-memory.dmp	xmrig
behavioral2/memory/5044-497-0x00007FF7DA3E0000-0x00007FF7DA7D1000-memory.dmp	xmrig
behavioral2/memory/1308-511-0x00007FF6F4DE0000-0x00007FF6F51D1000-memory.dmp	xmrig
behavioral2/memory/2260-510-0x00007FF7508E0000-0x00007FF750CD1000-memory.dmp	xmrig
behavioral2/memory/2208-514-0x00007FF7087C0000-0x00007FF708BB1000-memory.dmp	xmrig
behavioral2/memory/4020-517-0x00007FF7DA3B0000-0x00007FF7DA7A1000-memory.dmp	xmrig
behavioral2/memory/2652-520-0x00007FF638FE0000-0x00007FF6393D1000-memory.dmp	xmrig
behavioral2/memory/5036-522-0x00007FF758FE0000-0x00007FF7593D1000-memory.dmp	xmrig
behavioral2/memory/644-519-0x00007FF798D00000-0x00007FF7990F1000-memory.dmp	xmrig
behavioral2/memory/1088-506-0x00007FF725030000-0x00007FF725421000-memory.dmp	xmrig
behavioral2/memory/3912-1075-0x00007FF61BA20000-0x00007FF61BE11000-memory.dmp	xmrig
behavioral2/memory/1624-1072-0x00007FF614270000-0x00007FF614661000-memory.dmp	xmrig
behavioral2/memory/4456-1188-0x00007FF72B9F0000-0x00007FF72BDE1000-memory.dmp	xmrig
behavioral2/memory/1876-1438-0x00007FF7D27E0000-0x00007FF7D2BD1000-memory.dmp	xmrig
behavioral2/memory/4776-1560-0x00007FF650AB0000-0x00007FF650EA1000-memory.dmp	xmrig
behavioral2/memory/3912-2145-0x00007FF61BA20000-0x00007FF61BE11000-memory.dmp	xmrig
behavioral2/memory/4456-2147-0x00007FF72B9F0000-0x00007FF72BDE1000-memory.dmp	xmrig
behavioral2/memory/4044-2175-0x00007FF6C0CC0000-0x00007FF6C10B1000-memory.dmp	xmrig
behavioral2/memory/3144-2181-0x00007FF748350000-0x00007FF748741000-memory.dmp	xmrig
behavioral2/memory/4996-2185-0x00007FF62E7F0000-0x00007FF62EBE1000-memory.dmp	xmrig
behavioral2/memory/840-2187-0x00007FF6EEFA0000-0x00007FF6EF391000-memory.dmp	xmrig
behavioral2/memory/2784-2191-0x00007FF68BE10000-0x00007FF68C201000-memory.dmp	xmrig
behavioral2/memory/3936-2195-0x00007FF658D60000-0x00007FF659151000-memory.dmp	xmrig
behavioral2/memory/4256-2193-0x00007FF7AA790000-0x00007FF7AAB81000-memory.dmp	xmrig
behavioral2/memory/812-2189-0x00007FF6B3BE0000-0x00007FF6B3FD1000-memory.dmp	xmrig
behavioral2/memory/4144-2183-0x00007FF6536E0000-0x00007FF653AD1000-memory.dmp	xmrig
behavioral2/memory/5036-2179-0x00007FF758FE0000-0x00007FF7593D1000-memory.dmp	xmrig
behavioral2/memory/4776-2177-0x00007FF650AB0000-0x00007FF650EA1000-memory.dmp	xmrig
behavioral2/memory/1088-2244-0x00007FF725030000-0x00007FF725421000-memory.dmp	xmrig
behavioral2/memory/644-2235-0x00007FF798D00000-0x00007FF7990F1000-memory.dmp	xmrig
behavioral2/memory/2652-2217-0x00007FF638FE0000-0x00007FF6393D1000-memory.dmp	xmrig
behavioral2/memory/1500-2199-0x00007FF60D740000-0x00007FF60DB31000-memory.dmp	xmrig
behavioral2/memory/5044-2197-0x00007FF7DA3E0000-0x00007FF7DA7D1000-memory.dmp	xmrig
behavioral2/memory/2208-2242-0x00007FF7087C0000-0x00007FF708BB1000-memory.dmp	xmrig
behavioral2/memory/2260-2240-0x00007FF7508E0000-0x00007FF750CD1000-memory.dmp	xmrig
behavioral2/memory/4020-2237-0x00007FF7DA3B0000-0x00007FF7DA7A1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3912	NDJFvVD.exe
4456	YDNrPnA.exe
1876	lPiuoLu.exe
4776	YGARXGN.exe
4044	wRJVTmY.exe
5036	UbgRRdG.exe
3144	BqksXfU.exe
4144	wPPiUaC.exe
4996	kZTIGWL.exe
2784	kIpyAja.exe
840	JJQkcBQ.exe
812	uPmhJHN.exe
3936	uTJwyNL.exe
4256	BeKhDef.exe
1500	AHiNWrZ.exe
5044	bUYMKdA.exe
2836	MRXtWIF.exe
1088	hKlbFpq.exe
2260	xkoGpzw.exe
1308	GEqlKTk.exe
2208	teNCwLh.exe
4020	frEsZZX.exe
644	bqeHTDK.exe
2652	lgcbqxJ.exe
4828	XGHWhgt.exe
3132	BDwAkzF.exe
5076	okiuBbT.exe
1824	YdJynjc.exe
4272	kvrcgde.exe
3232	ZXtKlPb.exe
2324	xjzCTsI.exe
968	MLpbKXf.exe
1728	foLFsUT.exe
4476	aenBlFG.exe
4528	sRgETFh.exe
2492	WTNqnlR.exe
1532	tRbRyYh.exe
1568	owZzXhC.exe
3848	bkiGeEY.exe
1608	iTwEAVl.exe
4048	shjTzMY.exe
4568	yvAqvwB.exe
4928	UzpyjHn.exe
3892	aKIkdTM.exe
4640	axenhqV.exe
1752	htwtutB.exe
1836	XNoQoJQ.exe
4824	CFdXTBR.exe
4040	TXIAoOH.exe
4984	JcoBiNC.exe
4396	CjQmTZc.exe
4768	mqTfFvq.exe
2536	UMmLugn.exe
2600	EJpWhYn.exe
4300	dyZqOEB.exe
2216	BfzOfDk.exe
1124	kFWzchs.exe
2844	doZLlFx.exe
3160	RlADJDi.exe
672	SHdOZJU.exe
1236	GZFoGVT.exe
4056	YLrysOh.exe
2352	hqsJmas.exe
4444	GvUqzhx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1624-0-0x00007FF614270000-0x00007FF614661000-memory.dmp	upx
behavioral2/files/0x0008000000023493-5.dat	upx
behavioral2/files/0x0007000000023495-10.dat	upx
behavioral2/memory/1876-19-0x00007FF7D27E0000-0x00007FF7D2BD1000-memory.dmp	upx
behavioral2/files/0x0007000000023496-33.dat	upx
behavioral2/files/0x0007000000023498-38.dat	upx
behavioral2/files/0x0007000000023499-43.dat	upx
behavioral2/files/0x000700000002349b-47.dat	upx
behavioral2/files/0x000700000002349d-60.dat	upx
behavioral2/files/0x000700000002349e-65.dat	upx
behavioral2/files/0x00070000000234a1-80.dat	upx
behavioral2/files/0x00070000000234a4-95.dat	upx
behavioral2/files/0x00070000000234a5-103.dat	upx
behavioral2/files/0x00070000000234a9-120.dat	upx
behavioral2/files/0x00070000000234ab-133.dat	upx
behavioral2/files/0x00070000000234ad-143.dat	upx
behavioral2/memory/4044-461-0x00007FF6C0CC0000-0x00007FF6C10B1000-memory.dmp	upx
behavioral2/memory/3144-463-0x00007FF748350000-0x00007FF748741000-memory.dmp	upx
behavioral2/files/0x00070000000234b3-166.dat	upx
behavioral2/files/0x00070000000234b2-162.dat	upx
behavioral2/files/0x00070000000234b1-160.dat	upx
behavioral2/files/0x00070000000234b0-158.dat	upx
behavioral2/files/0x00070000000234af-153.dat	upx
behavioral2/files/0x00070000000234ae-148.dat	upx
behavioral2/files/0x00070000000234ac-136.dat	upx
behavioral2/files/0x00070000000234aa-128.dat	upx
behavioral2/files/0x00070000000234a8-115.dat	upx
behavioral2/files/0x00070000000234a7-110.dat	upx
behavioral2/files/0x00070000000234a6-105.dat	upx
behavioral2/files/0x00070000000234a3-93.dat	upx
behavioral2/files/0x00070000000234a2-85.dat	upx
behavioral2/files/0x00070000000234a0-78.dat	upx
behavioral2/files/0x000700000002349f-70.dat	upx
behavioral2/files/0x000700000002349c-55.dat	upx
behavioral2/files/0x000700000002349a-45.dat	upx
behavioral2/memory/4776-30-0x00007FF650AB0000-0x00007FF650EA1000-memory.dmp	upx
behavioral2/files/0x0007000000023497-27.dat	upx
behavioral2/memory/4456-17-0x00007FF72B9F0000-0x00007FF72BDE1000-memory.dmp	upx
behavioral2/files/0x0007000000023494-12.dat	upx
behavioral2/memory/3912-11-0x00007FF61BA20000-0x00007FF61BE11000-memory.dmp	upx
behavioral2/memory/4996-470-0x00007FF62E7F0000-0x00007FF62EBE1000-memory.dmp	upx
behavioral2/memory/2784-475-0x00007FF68BE10000-0x00007FF68C201000-memory.dmp	upx
behavioral2/memory/840-479-0x00007FF6EEFA0000-0x00007FF6EF391000-memory.dmp	upx
behavioral2/memory/812-485-0x00007FF6B3BE0000-0x00007FF6B3FD1000-memory.dmp	upx
behavioral2/memory/4144-465-0x00007FF6536E0000-0x00007FF653AD1000-memory.dmp	upx
behavioral2/memory/3936-491-0x00007FF658D60000-0x00007FF659151000-memory.dmp	upx
behavioral2/memory/4256-494-0x00007FF7AA790000-0x00007FF7AAB81000-memory.dmp	upx
behavioral2/memory/1500-496-0x00007FF60D740000-0x00007FF60DB31000-memory.dmp	upx
behavioral2/memory/2836-502-0x00007FF6691E0000-0x00007FF6695D1000-memory.dmp	upx
behavioral2/memory/5044-497-0x00007FF7DA3E0000-0x00007FF7DA7D1000-memory.dmp	upx
behavioral2/memory/1308-511-0x00007FF6F4DE0000-0x00007FF6F51D1000-memory.dmp	upx
behavioral2/memory/2260-510-0x00007FF7508E0000-0x00007FF750CD1000-memory.dmp	upx
behavioral2/memory/2208-514-0x00007FF7087C0000-0x00007FF708BB1000-memory.dmp	upx
behavioral2/memory/4020-517-0x00007FF7DA3B0000-0x00007FF7DA7A1000-memory.dmp	upx
behavioral2/memory/2652-520-0x00007FF638FE0000-0x00007FF6393D1000-memory.dmp	upx
behavioral2/memory/5036-522-0x00007FF758FE0000-0x00007FF7593D1000-memory.dmp	upx
behavioral2/memory/644-519-0x00007FF798D00000-0x00007FF7990F1000-memory.dmp	upx
behavioral2/memory/1088-506-0x00007FF725030000-0x00007FF725421000-memory.dmp	upx
behavioral2/memory/3912-1075-0x00007FF61BA20000-0x00007FF61BE11000-memory.dmp	upx
behavioral2/memory/1624-1072-0x00007FF614270000-0x00007FF614661000-memory.dmp	upx
behavioral2/memory/4456-1188-0x00007FF72B9F0000-0x00007FF72BDE1000-memory.dmp	upx
behavioral2/memory/1876-1438-0x00007FF7D27E0000-0x00007FF7D2BD1000-memory.dmp	upx
behavioral2/memory/4776-1560-0x00007FF650AB0000-0x00007FF650EA1000-memory.dmp	upx
behavioral2/memory/3912-2145-0x00007FF61BA20000-0x00007FF61BE11000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ZXtKlPb.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\uXppCiz.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\HdXeNSS.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\nrQGkEH.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\prUvDyZ.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\QJJrvkd.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\bDBKMse.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\dyYyPil.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\JiRsPQb.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\bjdeXfO.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\dxgkqKk.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\hVkNLSX.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\ZxkNKFt.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\aenBlFG.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\KExEgVJ.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\VvvJAum.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\wxIqkMY.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\HeRcSWG.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\xtiFnRn.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\UrIrvkw.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\jkrcqbL.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\xhTjzNS.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\AUYioOG.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\ujAVCoD.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\DxhSqDL.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\AARCIsC.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\yIxlCAH.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\ZWMtSPm.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\hkazCPI.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\LACuKFS.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\LVknVqg.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\QiaGuQr.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\eKdwlkX.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\jaDcHgI.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\HAKKohH.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\rkPpVfN.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\WaIWZhl.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\MgkMmRk.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\LyNbMQm.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\OBfGXxm.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\pqNhzsW.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\iiUItLJ.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\SOoyHOk.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\GBOvOiL.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\XGHWhgt.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\eoVwSWk.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\BFymvPl.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\MnmXUsC.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\worBeyv.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\GQlKueH.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\eYmMiJC.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\IByiJmZ.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\uGuNAOk.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\lihaoFi.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\hVKizKB.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\eoEOlXU.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\UtMjbUL.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\BCIzbxg.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\ooXZMIj.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\UqOQVDz.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\NxRQqLy.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\OsVRxFp.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\JovNLBa.exe	3ca269a50191c426d9f98e423eefa640N.exe
File created	C:\Windows\System32\JUtEoJG.exe	3ca269a50191c426d9f98e423eefa640N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14276	dwm.exe
Token: SeChangeNotifyPrivilege	14276	dwm.exe
Token: 33	14276	dwm.exe
Token: SeIncBasePriorityPrivilege	14276	dwm.exe
Token: SeShutdownPrivilege	14276	dwm.exe
Token: SeCreatePagefilePrivilege	14276	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 3912	1624	3ca269a50191c426d9f98e423eefa640N.exe	85
PID 1624 wrote to memory of 3912	1624	3ca269a50191c426d9f98e423eefa640N.exe	85
PID 1624 wrote to memory of 4456	1624	3ca269a50191c426d9f98e423eefa640N.exe	86
PID 1624 wrote to memory of 4456	1624	3ca269a50191c426d9f98e423eefa640N.exe	86
PID 1624 wrote to memory of 1876	1624	3ca269a50191c426d9f98e423eefa640N.exe	87
PID 1624 wrote to memory of 1876	1624	3ca269a50191c426d9f98e423eefa640N.exe	87
PID 1624 wrote to memory of 4776	1624	3ca269a50191c426d9f98e423eefa640N.exe	88
PID 1624 wrote to memory of 4776	1624	3ca269a50191c426d9f98e423eefa640N.exe	88
PID 1624 wrote to memory of 4044	1624	3ca269a50191c426d9f98e423eefa640N.exe	89
PID 1624 wrote to memory of 4044	1624	3ca269a50191c426d9f98e423eefa640N.exe	89
PID 1624 wrote to memory of 5036	1624	3ca269a50191c426d9f98e423eefa640N.exe	90
PID 1624 wrote to memory of 5036	1624	3ca269a50191c426d9f98e423eefa640N.exe	90
PID 1624 wrote to memory of 3144	1624	3ca269a50191c426d9f98e423eefa640N.exe	91
PID 1624 wrote to memory of 3144	1624	3ca269a50191c426d9f98e423eefa640N.exe	91
PID 1624 wrote to memory of 4144	1624	3ca269a50191c426d9f98e423eefa640N.exe	92
PID 1624 wrote to memory of 4144	1624	3ca269a50191c426d9f98e423eefa640N.exe	92
PID 1624 wrote to memory of 4996	1624	3ca269a50191c426d9f98e423eefa640N.exe	93
PID 1624 wrote to memory of 4996	1624	3ca269a50191c426d9f98e423eefa640N.exe	93
PID 1624 wrote to memory of 2784	1624	3ca269a50191c426d9f98e423eefa640N.exe	94
PID 1624 wrote to memory of 2784	1624	3ca269a50191c426d9f98e423eefa640N.exe	94
PID 1624 wrote to memory of 840	1624	3ca269a50191c426d9f98e423eefa640N.exe	95
PID 1624 wrote to memory of 840	1624	3ca269a50191c426d9f98e423eefa640N.exe	95
PID 1624 wrote to memory of 812	1624	3ca269a50191c426d9f98e423eefa640N.exe	96
PID 1624 wrote to memory of 812	1624	3ca269a50191c426d9f98e423eefa640N.exe	96
PID 1624 wrote to memory of 3936	1624	3ca269a50191c426d9f98e423eefa640N.exe	97
PID 1624 wrote to memory of 3936	1624	3ca269a50191c426d9f98e423eefa640N.exe	97
PID 1624 wrote to memory of 4256	1624	3ca269a50191c426d9f98e423eefa640N.exe	98
PID 1624 wrote to memory of 4256	1624	3ca269a50191c426d9f98e423eefa640N.exe	98
PID 1624 wrote to memory of 1500	1624	3ca269a50191c426d9f98e423eefa640N.exe	99
PID 1624 wrote to memory of 1500	1624	3ca269a50191c426d9f98e423eefa640N.exe	99
PID 1624 wrote to memory of 5044	1624	3ca269a50191c426d9f98e423eefa640N.exe	100
PID 1624 wrote to memory of 5044	1624	3ca269a50191c426d9f98e423eefa640N.exe	100
PID 1624 wrote to memory of 2836	1624	3ca269a50191c426d9f98e423eefa640N.exe	101
PID 1624 wrote to memory of 2836	1624	3ca269a50191c426d9f98e423eefa640N.exe	101
PID 1624 wrote to memory of 1088	1624	3ca269a50191c426d9f98e423eefa640N.exe	102
PID 1624 wrote to memory of 1088	1624	3ca269a50191c426d9f98e423eefa640N.exe	102
PID 1624 wrote to memory of 2260	1624	3ca269a50191c426d9f98e423eefa640N.exe	103
PID 1624 wrote to memory of 2260	1624	3ca269a50191c426d9f98e423eefa640N.exe	103
PID 1624 wrote to memory of 1308	1624	3ca269a50191c426d9f98e423eefa640N.exe	104
PID 1624 wrote to memory of 1308	1624	3ca269a50191c426d9f98e423eefa640N.exe	104
PID 1624 wrote to memory of 2208	1624	3ca269a50191c426d9f98e423eefa640N.exe	105
PID 1624 wrote to memory of 2208	1624	3ca269a50191c426d9f98e423eefa640N.exe	105
PID 1624 wrote to memory of 4020	1624	3ca269a50191c426d9f98e423eefa640N.exe	106
PID 1624 wrote to memory of 4020	1624	3ca269a50191c426d9f98e423eefa640N.exe	106
PID 1624 wrote to memory of 644	1624	3ca269a50191c426d9f98e423eefa640N.exe	107
PID 1624 wrote to memory of 644	1624	3ca269a50191c426d9f98e423eefa640N.exe	107
PID 1624 wrote to memory of 2652	1624	3ca269a50191c426d9f98e423eefa640N.exe	108
PID 1624 wrote to memory of 2652	1624	3ca269a50191c426d9f98e423eefa640N.exe	108
PID 1624 wrote to memory of 4828	1624	3ca269a50191c426d9f98e423eefa640N.exe	109
PID 1624 wrote to memory of 4828	1624	3ca269a50191c426d9f98e423eefa640N.exe	109
PID 1624 wrote to memory of 3132	1624	3ca269a50191c426d9f98e423eefa640N.exe	110
PID 1624 wrote to memory of 3132	1624	3ca269a50191c426d9f98e423eefa640N.exe	110
PID 1624 wrote to memory of 5076	1624	3ca269a50191c426d9f98e423eefa640N.exe	111
PID 1624 wrote to memory of 5076	1624	3ca269a50191c426d9f98e423eefa640N.exe	111
PID 1624 wrote to memory of 1824	1624	3ca269a50191c426d9f98e423eefa640N.exe	112
PID 1624 wrote to memory of 1824	1624	3ca269a50191c426d9f98e423eefa640N.exe	112
PID 1624 wrote to memory of 4272	1624	3ca269a50191c426d9f98e423eefa640N.exe	113
PID 1624 wrote to memory of 4272	1624	3ca269a50191c426d9f98e423eefa640N.exe	113
PID 1624 wrote to memory of 3232	1624	3ca269a50191c426d9f98e423eefa640N.exe	114
PID 1624 wrote to memory of 3232	1624	3ca269a50191c426d9f98e423eefa640N.exe	114
PID 1624 wrote to memory of 2324	1624	3ca269a50191c426d9f98e423eefa640N.exe	115
PID 1624 wrote to memory of 2324	1624	3ca269a50191c426d9f98e423eefa640N.exe	115
PID 1624 wrote to memory of 968	1624	3ca269a50191c426d9f98e423eefa640N.exe	116
PID 1624 wrote to memory of 968	1624	3ca269a50191c426d9f98e423eefa640N.exe	116

C:\Users\Admin\AppData\Local\Temp\3ca269a50191c426d9f98e423eefa640N.exe
"C:\Users\Admin\AppData\Local\Temp\3ca269a50191c426d9f98e423eefa640N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\System32\NDJFvVD.exe
  C:\Windows\System32\NDJFvVD.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System32\YDNrPnA.exe
  C:\Windows\System32\YDNrPnA.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\lPiuoLu.exe
  C:\Windows\System32\lPiuoLu.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System32\YGARXGN.exe
  C:\Windows\System32\YGARXGN.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\wRJVTmY.exe
  C:\Windows\System32\wRJVTmY.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\UbgRRdG.exe
  C:\Windows\System32\UbgRRdG.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System32\BqksXfU.exe
  C:\Windows\System32\BqksXfU.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System32\wPPiUaC.exe
  C:\Windows\System32\wPPiUaC.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\kZTIGWL.exe
  C:\Windows\System32\kZTIGWL.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System32\kIpyAja.exe
  C:\Windows\System32\kIpyAja.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System32\JJQkcBQ.exe
  C:\Windows\System32\JJQkcBQ.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System32\uPmhJHN.exe
  C:\Windows\System32\uPmhJHN.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System32\uTJwyNL.exe
  C:\Windows\System32\uTJwyNL.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System32\BeKhDef.exe
  C:\Windows\System32\BeKhDef.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\AHiNWrZ.exe
  C:\Windows\System32\AHiNWrZ.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System32\bUYMKdA.exe
  C:\Windows\System32\bUYMKdA.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System32\MRXtWIF.exe
  C:\Windows\System32\MRXtWIF.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System32\hKlbFpq.exe
  C:\Windows\System32\hKlbFpq.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System32\xkoGpzw.exe
  C:\Windows\System32\xkoGpzw.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System32\GEqlKTk.exe
  C:\Windows\System32\GEqlKTk.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System32\teNCwLh.exe
  C:\Windows\System32\teNCwLh.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System32\frEsZZX.exe
  C:\Windows\System32\frEsZZX.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System32\bqeHTDK.exe
  C:\Windows\System32\bqeHTDK.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System32\lgcbqxJ.exe
  C:\Windows\System32\lgcbqxJ.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System32\XGHWhgt.exe
  C:\Windows\System32\XGHWhgt.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\BDwAkzF.exe
  C:\Windows\System32\BDwAkzF.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System32\okiuBbT.exe
  C:\Windows\System32\okiuBbT.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System32\YdJynjc.exe
  C:\Windows\System32\YdJynjc.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System32\kvrcgde.exe
  C:\Windows\System32\kvrcgde.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\ZXtKlPb.exe
  C:\Windows\System32\ZXtKlPb.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System32\xjzCTsI.exe
  C:\Windows\System32\xjzCTsI.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System32\MLpbKXf.exe
  C:\Windows\System32\MLpbKXf.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System32\foLFsUT.exe
  C:\Windows\System32\foLFsUT.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System32\aenBlFG.exe
  C:\Windows\System32\aenBlFG.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\sRgETFh.exe
  C:\Windows\System32\sRgETFh.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\WTNqnlR.exe
  C:\Windows\System32\WTNqnlR.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System32\tRbRyYh.exe
  C:\Windows\System32\tRbRyYh.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System32\owZzXhC.exe
  C:\Windows\System32\owZzXhC.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System32\bkiGeEY.exe
  C:\Windows\System32\bkiGeEY.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\iTwEAVl.exe
  C:\Windows\System32\iTwEAVl.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\shjTzMY.exe
  C:\Windows\System32\shjTzMY.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System32\yvAqvwB.exe
  C:\Windows\System32\yvAqvwB.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\UzpyjHn.exe
  C:\Windows\System32\UzpyjHn.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\aKIkdTM.exe
  C:\Windows\System32\aKIkdTM.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\axenhqV.exe
  C:\Windows\System32\axenhqV.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\htwtutB.exe
  C:\Windows\System32\htwtutB.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System32\XNoQoJQ.exe
  C:\Windows\System32\XNoQoJQ.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\CFdXTBR.exe
  C:\Windows\System32\CFdXTBR.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\TXIAoOH.exe
  C:\Windows\System32\TXIAoOH.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System32\JcoBiNC.exe
  C:\Windows\System32\JcoBiNC.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System32\CjQmTZc.exe
  C:\Windows\System32\CjQmTZc.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\mqTfFvq.exe
  C:\Windows\System32\mqTfFvq.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\UMmLugn.exe
  C:\Windows\System32\UMmLugn.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System32\EJpWhYn.exe
  C:\Windows\System32\EJpWhYn.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System32\dyZqOEB.exe
  C:\Windows\System32\dyZqOEB.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System32\BfzOfDk.exe
  C:\Windows\System32\BfzOfDk.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\kFWzchs.exe
  C:\Windows\System32\kFWzchs.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System32\doZLlFx.exe
  C:\Windows\System32\doZLlFx.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System32\RlADJDi.exe
  C:\Windows\System32\RlADJDi.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System32\SHdOZJU.exe
  C:\Windows\System32\SHdOZJU.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System32\GZFoGVT.exe
  C:\Windows\System32\GZFoGVT.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System32\YLrysOh.exe
  C:\Windows\System32\YLrysOh.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\hqsJmas.exe
  C:\Windows\System32\hqsJmas.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\GvUqzhx.exe
  C:\Windows\System32\GvUqzhx.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System32\UUgCEia.exe
  C:\Windows\System32\UUgCEia.exe
  2⤵
  PID:1912
- C:\Windows\System32\MJkhMmT.exe
  C:\Windows\System32\MJkhMmT.exe
  2⤵
  PID:1740
- C:\Windows\System32\eoVwSWk.exe
  C:\Windows\System32\eoVwSWk.exe
  2⤵
  PID:4428
- C:\Windows\System32\cOOzHQJ.exe
  C:\Windows\System32\cOOzHQJ.exe
  2⤵
  PID:3124
- C:\Windows\System32\MrbrFwZ.exe
  C:\Windows\System32\MrbrFwZ.exe
  2⤵
  PID:4492
- C:\Windows\System32\oAumhdI.exe
  C:\Windows\System32\oAumhdI.exe
  2⤵
  PID:1352
- C:\Windows\System32\IEacEQe.exe
  C:\Windows\System32\IEacEQe.exe
  2⤵
  PID:3648
- C:\Windows\System32\XxDnHgX.exe
  C:\Windows\System32\XxDnHgX.exe
  2⤵
  PID:4956
- C:\Windows\System32\JTXTVPa.exe
  C:\Windows\System32\JTXTVPa.exe
  2⤵
  PID:1560
- C:\Windows\System32\ZbHgzZO.exe
  C:\Windows\System32\ZbHgzZO.exe
  2⤵
  PID:1880
- C:\Windows\System32\pBIdxfN.exe
  C:\Windows\System32\pBIdxfN.exe
  2⤵
  PID:4284
- C:\Windows\System32\BnuBcpN.exe
  C:\Windows\System32\BnuBcpN.exe
  2⤵
  PID:4924
- C:\Windows\System32\fAGMCxy.exe
  C:\Windows\System32\fAGMCxy.exe
  2⤵
  PID:4148
- C:\Windows\System32\lnkbfNT.exe
  C:\Windows\System32\lnkbfNT.exe
  2⤵
  PID:1288
- C:\Windows\System32\DwytLOc.exe
  C:\Windows\System32\DwytLOc.exe
  2⤵
  PID:3356
- C:\Windows\System32\LACuKFS.exe
  C:\Windows\System32\LACuKFS.exe
  2⤵
  PID:1464
- C:\Windows\System32\MxpqAuJ.exe
  C:\Windows\System32\MxpqAuJ.exe
  2⤵
  PID:5000
- C:\Windows\System32\jlAJQvJ.exe
  C:\Windows\System32\jlAJQvJ.exe
  2⤵
  PID:1784
- C:\Windows\System32\psJVLbF.exe
  C:\Windows\System32\psJVLbF.exe
  2⤵
  PID:3644
- C:\Windows\System32\wQFmlgC.exe
  C:\Windows\System32\wQFmlgC.exe
  2⤵
  PID:4092
- C:\Windows\System32\QwzYSAx.exe
  C:\Windows\System32\QwzYSAx.exe
  2⤵
  PID:2368
- C:\Windows\System32\bfaxaWp.exe
  C:\Windows\System32\bfaxaWp.exe
  2⤵
  PID:3168
- C:\Windows\System32\AMoyShx.exe
  C:\Windows\System32\AMoyShx.exe
  2⤵
  PID:3432
- C:\Windows\System32\ZTkkenC.exe
  C:\Windows\System32\ZTkkenC.exe
  2⤵
  PID:5144
- C:\Windows\System32\NIfXVQg.exe
  C:\Windows\System32\NIfXVQg.exe
  2⤵
  PID:5172
- C:\Windows\System32\lwrTWVD.exe
  C:\Windows\System32\lwrTWVD.exe
  2⤵
  PID:5200
- C:\Windows\System32\GPvTUGS.exe
  C:\Windows\System32\GPvTUGS.exe
  2⤵
  PID:5232
- C:\Windows\System32\oNZDkUs.exe
  C:\Windows\System32\oNZDkUs.exe
  2⤵
  PID:5256
- C:\Windows\System32\SVVwGZF.exe
  C:\Windows\System32\SVVwGZF.exe
  2⤵
  PID:5288
- C:\Windows\System32\ignKLNo.exe
  C:\Windows\System32\ignKLNo.exe
  2⤵
  PID:5316
- C:\Windows\System32\kfrvQUb.exe
  C:\Windows\System32\kfrvQUb.exe
  2⤵
  PID:5340
- C:\Windows\System32\HjSnzus.exe
  C:\Windows\System32\HjSnzus.exe
  2⤵
  PID:5376
- C:\Windows\System32\ZtLiBNZ.exe
  C:\Windows\System32\ZtLiBNZ.exe
  2⤵
  PID:5396
- C:\Windows\System32\aRNkQBv.exe
  C:\Windows\System32\aRNkQBv.exe
  2⤵
  PID:5424
- C:\Windows\System32\NLOGyhe.exe
  C:\Windows\System32\NLOGyhe.exe
  2⤵
  PID:5452
- C:\Windows\System32\xqNQQLD.exe
  C:\Windows\System32\xqNQQLD.exe
  2⤵
  PID:5484
- C:\Windows\System32\OlBrjSn.exe
  C:\Windows\System32\OlBrjSn.exe
  2⤵
  PID:5512
- C:\Windows\System32\rdRYzKe.exe
  C:\Windows\System32\rdRYzKe.exe
  2⤵
  PID:5540
- C:\Windows\System32\oUrFBjK.exe
  C:\Windows\System32\oUrFBjK.exe
  2⤵
  PID:5568
- C:\Windows\System32\JqiCEly.exe
  C:\Windows\System32\JqiCEly.exe
  2⤵
  PID:5596
- C:\Windows\System32\mFOQbsD.exe
  C:\Windows\System32\mFOQbsD.exe
  2⤵
  PID:5620
- C:\Windows\System32\iAKjFKW.exe
  C:\Windows\System32\iAKjFKW.exe
  2⤵
  PID:5660
- C:\Windows\System32\NnppjQG.exe
  C:\Windows\System32\NnppjQG.exe
  2⤵
  PID:5680
- C:\Windows\System32\tBXxGjo.exe
  C:\Windows\System32\tBXxGjo.exe
  2⤵
  PID:5708
- C:\Windows\System32\rWtFGTK.exe
  C:\Windows\System32\rWtFGTK.exe
  2⤵
  PID:5736
- C:\Windows\System32\ZohNMbF.exe
  C:\Windows\System32\ZohNMbF.exe
  2⤵
  PID:5764
- C:\Windows\System32\sKhxAFh.exe
  C:\Windows\System32\sKhxAFh.exe
  2⤵
  PID:5792
- C:\Windows\System32\kUTsOpI.exe
  C:\Windows\System32\kUTsOpI.exe
  2⤵
  PID:5820
- C:\Windows\System32\qGHCeJE.exe
  C:\Windows\System32\qGHCeJE.exe
  2⤵
  PID:5844
- C:\Windows\System32\OsVRxFp.exe
  C:\Windows\System32\OsVRxFp.exe
  2⤵
  PID:5876
- C:\Windows\System32\eoEOlXU.exe
  C:\Windows\System32\eoEOlXU.exe
  2⤵
  PID:5904
- C:\Windows\System32\XOIcgoW.exe
  C:\Windows\System32\XOIcgoW.exe
  2⤵
  PID:5928
- C:\Windows\System32\VMHocAw.exe
  C:\Windows\System32\VMHocAw.exe
  2⤵
  PID:5956
- C:\Windows\System32\LVknVqg.exe
  C:\Windows\System32\LVknVqg.exe
  2⤵
  PID:5984
- C:\Windows\System32\PluWYYl.exe
  C:\Windows\System32\PluWYYl.exe
  2⤵
  PID:6016
- C:\Windows\System32\BTJQlHR.exe
  C:\Windows\System32\BTJQlHR.exe
  2⤵
  PID:6052
- C:\Windows\System32\DxhSqDL.exe
  C:\Windows\System32\DxhSqDL.exe
  2⤵
  PID:6072
- C:\Windows\System32\vDolijb.exe
  C:\Windows\System32\vDolijb.exe
  2⤵
  PID:6100
- C:\Windows\System32\IbeLcFO.exe
  C:\Windows\System32\IbeLcFO.exe
  2⤵
  PID:6128
- C:\Windows\System32\LNRicEl.exe
  C:\Windows\System32\LNRicEl.exe
  2⤵
  PID:4756
- C:\Windows\System32\QbJpseR.exe
  C:\Windows\System32\QbJpseR.exe
  2⤵
  PID:2848
- C:\Windows\System32\qdFwgCS.exe
  C:\Windows\System32\qdFwgCS.exe
  2⤵
  PID:4264
- C:\Windows\System32\uRtWjqW.exe
  C:\Windows\System32\uRtWjqW.exe
  2⤵
  PID:4820
- C:\Windows\System32\QiaGuQr.exe
  C:\Windows\System32\QiaGuQr.exe
  2⤵
  PID:5156
- C:\Windows\System32\OYxGBwa.exe
  C:\Windows\System32\OYxGBwa.exe
  2⤵
  PID:5212
- C:\Windows\System32\YhcyArk.exe
  C:\Windows\System32\YhcyArk.exe
  2⤵
  PID:5264
- C:\Windows\System32\DyJvirR.exe
  C:\Windows\System32\DyJvirR.exe
  2⤵
  PID:5332
- C:\Windows\System32\ZxaNonB.exe
  C:\Windows\System32\ZxaNonB.exe
  2⤵
  PID:5492
- C:\Windows\System32\zSWMNZc.exe
  C:\Windows\System32\zSWMNZc.exe
  2⤵
  PID:5532
- C:\Windows\System32\tArmdyL.exe
  C:\Windows\System32\tArmdyL.exe
  2⤵
  PID:5576
- C:\Windows\System32\aQacxBg.exe
  C:\Windows\System32\aQacxBg.exe
  2⤵
  PID:5692
- C:\Windows\System32\pxDqzOO.exe
  C:\Windows\System32\pxDqzOO.exe
  2⤵
  PID:5748
- C:\Windows\System32\rdwlzCQ.exe
  C:\Windows\System32\rdwlzCQ.exe
  2⤵
  PID:5812
- C:\Windows\System32\TyCdcyc.exe
  C:\Windows\System32\TyCdcyc.exe
  2⤵
  PID:736
- C:\Windows\System32\JrBXQEx.exe
  C:\Windows\System32\JrBXQEx.exe
  2⤵
  PID:5952
- C:\Windows\System32\FLJETAV.exe
  C:\Windows\System32\FLJETAV.exe
  2⤵
  PID:5992
- C:\Windows\System32\UtMjbUL.exe
  C:\Windows\System32\UtMjbUL.exe
  2⤵
  PID:6036
- C:\Windows\System32\uXppCiz.exe
  C:\Windows\System32\uXppCiz.exe
  2⤵
  PID:6080
- C:\Windows\System32\PANODRE.exe
  C:\Windows\System32\PANODRE.exe
  2⤵
  PID:64
- C:\Windows\System32\aZZSTsO.exe
  C:\Windows\System32\aZZSTsO.exe
  2⤵
  PID:1008
- C:\Windows\System32\CgSwVhV.exe
  C:\Windows\System32\CgSwVhV.exe
  2⤵
  PID:864
- C:\Windows\System32\sKstNoH.exe
  C:\Windows\System32\sKstNoH.exe
  2⤵
  PID:5248
- C:\Windows\System32\duYvRXh.exe
  C:\Windows\System32\duYvRXh.exe
  2⤵
  PID:2568
- C:\Windows\System32\UMsHwXs.exe
  C:\Windows\System32\UMsHwXs.exe
  2⤵
  PID:4576
- C:\Windows\System32\QjYvbQM.exe
  C:\Windows\System32\QjYvbQM.exe
  2⤵
  PID:4888
- C:\Windows\System32\NaOzeYY.exe
  C:\Windows\System32\NaOzeYY.exe
  2⤵
  PID:5524
- C:\Windows\System32\fQdUJpZ.exe
  C:\Windows\System32\fQdUJpZ.exe
  2⤵
  PID:2164
- C:\Windows\System32\JbgSgJi.exe
  C:\Windows\System32\JbgSgJi.exe
  2⤵
  PID:5772
- C:\Windows\System32\EatYNxo.exe
  C:\Windows\System32\EatYNxo.exe
  2⤵
  PID:5936
- C:\Windows\System32\wCvUdfy.exe
  C:\Windows\System32\wCvUdfy.exe
  2⤵
  PID:5980
- C:\Windows\System32\YwdaVsH.exe
  C:\Windows\System32\YwdaVsH.exe
  2⤵
  PID:4636
- C:\Windows\System32\xwEtlVi.exe
  C:\Windows\System32\xwEtlVi.exe
  2⤵
  PID:1544
- C:\Windows\System32\wITeNkD.exe
  C:\Windows\System32\wITeNkD.exe
  2⤵
  PID:8
- C:\Windows\System32\UslSsDa.exe
  C:\Windows\System32\UslSsDa.exe
  2⤵
  PID:5604
- C:\Windows\System32\gWFJJtD.exe
  C:\Windows\System32\gWFJJtD.exe
  2⤵
  PID:3488
- C:\Windows\System32\fsAWlIc.exe
  C:\Windows\System32\fsAWlIc.exe
  2⤵
  PID:5716
- C:\Windows\System32\atyHVcf.exe
  C:\Windows\System32\atyHVcf.exe
  2⤵
  PID:6060
- C:\Windows\System32\OVqSEUk.exe
  C:\Windows\System32\OVqSEUk.exe
  2⤵
  PID:4104
- C:\Windows\System32\ueMraFm.exe
  C:\Windows\System32\ueMraFm.exe
  2⤵
  PID:4212
- C:\Windows\System32\BFymvPl.exe
  C:\Windows\System32\BFymvPl.exe
  2⤵
  PID:5804
- C:\Windows\System32\fSALWjY.exe
  C:\Windows\System32\fSALWjY.exe
  2⤵
  PID:5092
- C:\Windows\System32\bdTBizD.exe
  C:\Windows\System32\bdTBizD.exe
  2⤵
  PID:6148
- C:\Windows\System32\eGKHQSB.exe
  C:\Windows\System32\eGKHQSB.exe
  2⤵
  PID:6192
- C:\Windows\System32\QCpWRFF.exe
  C:\Windows\System32\QCpWRFF.exe
  2⤵
  PID:6208
- C:\Windows\System32\tsvgLtu.exe
  C:\Windows\System32\tsvgLtu.exe
  2⤵
  PID:6260
- C:\Windows\System32\ZStqcXa.exe
  C:\Windows\System32\ZStqcXa.exe
  2⤵
  PID:6292
- C:\Windows\System32\XXCfsJi.exe
  C:\Windows\System32\XXCfsJi.exe
  2⤵
  PID:6308
- C:\Windows\System32\miFXPRk.exe
  C:\Windows\System32\miFXPRk.exe
  2⤵
  PID:6328
- C:\Windows\System32\oxqBZkO.exe
  C:\Windows\System32\oxqBZkO.exe
  2⤵
  PID:6352
- C:\Windows\System32\PqlNSWm.exe
  C:\Windows\System32\PqlNSWm.exe
  2⤵
  PID:6368
- C:\Windows\System32\fdhtAlj.exe
  C:\Windows\System32\fdhtAlj.exe
  2⤵
  PID:6396
- C:\Windows\System32\dDavKwJ.exe
  C:\Windows\System32\dDavKwJ.exe
  2⤵
  PID:6416
- C:\Windows\System32\LRSAzdb.exe
  C:\Windows\System32\LRSAzdb.exe
  2⤵
  PID:6436
- C:\Windows\System32\PCTefYy.exe
  C:\Windows\System32\PCTefYy.exe
  2⤵
  PID:6456
- C:\Windows\System32\eKdwlkX.exe
  C:\Windows\System32\eKdwlkX.exe
  2⤵
  PID:6480
- C:\Windows\System32\yyAcjse.exe
  C:\Windows\System32\yyAcjse.exe
  2⤵
  PID:6568
- C:\Windows\System32\OOhOvQh.exe
  C:\Windows\System32\OOhOvQh.exe
  2⤵
  PID:6616
- C:\Windows\System32\jDiNJdp.exe
  C:\Windows\System32\jDiNJdp.exe
  2⤵
  PID:6632
- C:\Windows\System32\PvangLp.exe
  C:\Windows\System32\PvangLp.exe
  2⤵
  PID:6660
- C:\Windows\System32\FsrTTOk.exe
  C:\Windows\System32\FsrTTOk.exe
  2⤵
  PID:6684
- C:\Windows\System32\sAzNHic.exe
  C:\Windows\System32\sAzNHic.exe
  2⤵
  PID:6700
- C:\Windows\System32\YwsMwRM.exe
  C:\Windows\System32\YwsMwRM.exe
  2⤵
  PID:6728
- C:\Windows\System32\QiIxPCg.exe
  C:\Windows\System32\QiIxPCg.exe
  2⤵
  PID:6780
- C:\Windows\System32\xqIBHoH.exe
  C:\Windows\System32\xqIBHoH.exe
  2⤵
  PID:6804
- C:\Windows\System32\SuhYozK.exe
  C:\Windows\System32\SuhYozK.exe
  2⤵
  PID:6824
- C:\Windows\System32\FnaWfDY.exe
  C:\Windows\System32\FnaWfDY.exe
  2⤵
  PID:6840
- C:\Windows\System32\GUwsono.exe
  C:\Windows\System32\GUwsono.exe
  2⤵
  PID:6864
- C:\Windows\System32\BCIzbxg.exe
  C:\Windows\System32\BCIzbxg.exe
  2⤵
  PID:6888
- C:\Windows\System32\dYlPGwv.exe
  C:\Windows\System32\dYlPGwv.exe
  2⤵
  PID:6928
- C:\Windows\System32\QlwpFsf.exe
  C:\Windows\System32\QlwpFsf.exe
  2⤵
  PID:7016
- C:\Windows\System32\EBihfsk.exe
  C:\Windows\System32\EBihfsk.exe
  2⤵
  PID:7048
- C:\Windows\System32\YHFHDHJ.exe
  C:\Windows\System32\YHFHDHJ.exe
  2⤵
  PID:7068
- C:\Windows\System32\upxPCOi.exe
  C:\Windows\System32\upxPCOi.exe
  2⤵
  PID:7092
- C:\Windows\System32\MnmXUsC.exe
  C:\Windows\System32\MnmXUsC.exe
  2⤵
  PID:7112
- C:\Windows\System32\AggFeTY.exe
  C:\Windows\System32\AggFeTY.exe
  2⤵
  PID:7132
- C:\Windows\System32\opYjVUd.exe
  C:\Windows\System32\opYjVUd.exe
  2⤵
  PID:5840
- C:\Windows\System32\jxBQMRs.exe
  C:\Windows\System32\jxBQMRs.exe
  2⤵
  PID:3156
- C:\Windows\System32\QPtPWLM.exe
  C:\Windows\System32\QPtPWLM.exe
  2⤵
  PID:6164
- C:\Windows\System32\QXyAcUX.exe
  C:\Windows\System32\QXyAcUX.exe
  2⤵
  PID:6216
- C:\Windows\System32\CJmwudm.exe
  C:\Windows\System32\CJmwudm.exe
  2⤵
  PID:6304
- C:\Windows\System32\ZkuUnrW.exe
  C:\Windows\System32\ZkuUnrW.exe
  2⤵
  PID:6428
- C:\Windows\System32\gLcTajw.exe
  C:\Windows\System32\gLcTajw.exe
  2⤵
  PID:6492
- C:\Windows\System32\xXODbiU.exe
  C:\Windows\System32\xXODbiU.exe
  2⤵
  PID:6472
- C:\Windows\System32\BPAMSft.exe
  C:\Windows\System32\BPAMSft.exe
  2⤵
  PID:6580
- C:\Windows\System32\pWCJfCG.exe
  C:\Windows\System32\pWCJfCG.exe
  2⤵
  PID:6604
- C:\Windows\System32\AkYHzAD.exe
  C:\Windows\System32\AkYHzAD.exe
  2⤵
  PID:6668
- C:\Windows\System32\YwXOWiP.exe
  C:\Windows\System32\YwXOWiP.exe
  2⤵
  PID:6764
- C:\Windows\System32\RblYTKm.exe
  C:\Windows\System32\RblYTKm.exe
  2⤵
  PID:6836
- C:\Windows\System32\yfzZgTy.exe
  C:\Windows\System32\yfzZgTy.exe
  2⤵
  PID:6792
- C:\Windows\System32\QoWxeMP.exe
  C:\Windows\System32\QoWxeMP.exe
  2⤵
  PID:6788
- C:\Windows\System32\fwsTkuV.exe
  C:\Windows\System32\fwsTkuV.exe
  2⤵
  PID:6856
- C:\Windows\System32\EdxrnSJ.exe
  C:\Windows\System32\EdxrnSJ.exe
  2⤵
  PID:6968
- C:\Windows\System32\iinNxTp.exe
  C:\Windows\System32\iinNxTp.exe
  2⤵
  PID:7084
- C:\Windows\System32\rljXqUR.exe
  C:\Windows\System32\rljXqUR.exe
  2⤵
  PID:7144
- C:\Windows\System32\xhTjzNS.exe
  C:\Windows\System32\xhTjzNS.exe
  2⤵
  PID:3944
- C:\Windows\System32\YvmfVbw.exe
  C:\Windows\System32\YvmfVbw.exe
  2⤵
  PID:6236
- C:\Windows\System32\JEVPuuD.exe
  C:\Windows\System32\JEVPuuD.exe
  2⤵
  PID:4572
- C:\Windows\System32\lfYydHk.exe
  C:\Windows\System32\lfYydHk.exe
  2⤵
  PID:6448
- C:\Windows\System32\rMebaXX.exe
  C:\Windows\System32\rMebaXX.exe
  2⤵
  PID:6596
- C:\Windows\System32\SnuiMVT.exe
  C:\Windows\System32\SnuiMVT.exe
  2⤵
  PID:6776
- C:\Windows\System32\PAbDuMW.exe
  C:\Windows\System32\PAbDuMW.exe
  2⤵
  PID:7104
- C:\Windows\System32\eeJOeiz.exe
  C:\Windows\System32\eeJOeiz.exe
  2⤵
  PID:6672
- C:\Windows\System32\ORUmAjx.exe
  C:\Windows\System32\ORUmAjx.exe
  2⤵
  PID:6952
- C:\Windows\System32\jaDcHgI.exe
  C:\Windows\System32\jaDcHgI.exe
  2⤵
  PID:6300
- C:\Windows\System32\worBeyv.exe
  C:\Windows\System32\worBeyv.exe
  2⤵
  PID:7088
- C:\Windows\System32\gMEZpWo.exe
  C:\Windows\System32\gMEZpWo.exe
  2⤵
  PID:6552
- C:\Windows\System32\iQECvHh.exe
  C:\Windows\System32\iQECvHh.exe
  2⤵
  PID:7188
- C:\Windows\System32\GisIgvu.exe
  C:\Windows\System32\GisIgvu.exe
  2⤵
  PID:7216
- C:\Windows\System32\mGDhyLS.exe
  C:\Windows\System32\mGDhyLS.exe
  2⤵
  PID:7244
- C:\Windows\System32\jFgcJas.exe
  C:\Windows\System32\jFgcJas.exe
  2⤵
  PID:7272
- C:\Windows\System32\gRkbvMa.exe
  C:\Windows\System32\gRkbvMa.exe
  2⤵
  PID:7292
- C:\Windows\System32\pqNhzsW.exe
  C:\Windows\System32\pqNhzsW.exe
  2⤵
  PID:7308
- C:\Windows\System32\VkOPFYR.exe
  C:\Windows\System32\VkOPFYR.exe
  2⤵
  PID:7324
- C:\Windows\System32\ezXRLST.exe
  C:\Windows\System32\ezXRLST.exe
  2⤵
  PID:7340
- C:\Windows\System32\AUYioOG.exe
  C:\Windows\System32\AUYioOG.exe
  2⤵
  PID:7384
- C:\Windows\System32\KExEgVJ.exe
  C:\Windows\System32\KExEgVJ.exe
  2⤵
  PID:7420
- C:\Windows\System32\VvvJAum.exe
  C:\Windows\System32\VvvJAum.exe
  2⤵
  PID:7448
- C:\Windows\System32\TYCJKqS.exe
  C:\Windows\System32\TYCJKqS.exe
  2⤵
  PID:7492
- C:\Windows\System32\lVmcaQU.exe
  C:\Windows\System32\lVmcaQU.exe
  2⤵
  PID:7516
- C:\Windows\System32\KIiZBIj.exe
  C:\Windows\System32\KIiZBIj.exe
  2⤵
  PID:7536
- C:\Windows\System32\vlsrDyk.exe
  C:\Windows\System32\vlsrDyk.exe
  2⤵
  PID:7564
- C:\Windows\System32\phWrhZq.exe
  C:\Windows\System32\phWrhZq.exe
  2⤵
  PID:7584
- C:\Windows\System32\ccpMlei.exe
  C:\Windows\System32\ccpMlei.exe
  2⤵
  PID:7604
- C:\Windows\System32\AuWtcxe.exe
  C:\Windows\System32\AuWtcxe.exe
  2⤵
  PID:7648
- C:\Windows\System32\iiUItLJ.exe
  C:\Windows\System32\iiUItLJ.exe
  2⤵
  PID:7684
- C:\Windows\System32\gJAWzRc.exe
  C:\Windows\System32\gJAWzRc.exe
  2⤵
  PID:7712
- C:\Windows\System32\PemdtvB.exe
  C:\Windows\System32\PemdtvB.exe
  2⤵
  PID:7752
- C:\Windows\System32\wONtFRJ.exe
  C:\Windows\System32\wONtFRJ.exe
  2⤵
  PID:7768
- C:\Windows\System32\bDuSama.exe
  C:\Windows\System32\bDuSama.exe
  2⤵
  PID:7800
- C:\Windows\System32\SEhYqyG.exe
  C:\Windows\System32\SEhYqyG.exe
  2⤵
  PID:7816
- C:\Windows\System32\HdXeNSS.exe
  C:\Windows\System32\HdXeNSS.exe
  2⤵
  PID:7840
- C:\Windows\System32\GTyPRWU.exe
  C:\Windows\System32\GTyPRWU.exe
  2⤵
  PID:7868
- C:\Windows\System32\xTDUqok.exe
  C:\Windows\System32\xTDUqok.exe
  2⤵
  PID:7888
- C:\Windows\System32\bjdeXfO.exe
  C:\Windows\System32\bjdeXfO.exe
  2⤵
  PID:7936
- C:\Windows\System32\sSUpmdu.exe
  C:\Windows\System32\sSUpmdu.exe
  2⤵
  PID:7952
- C:\Windows\System32\JovNLBa.exe
  C:\Windows\System32\JovNLBa.exe
  2⤵
  PID:7968
- C:\Windows\System32\xuMMZRr.exe
  C:\Windows\System32\xuMMZRr.exe
  2⤵
  PID:8008
- C:\Windows\System32\MydoPYK.exe
  C:\Windows\System32\MydoPYK.exe
  2⤵
  PID:8036
- C:\Windows\System32\pcWyivU.exe
  C:\Windows\System32\pcWyivU.exe
  2⤵
  PID:8056
- C:\Windows\System32\WaRexMV.exe
  C:\Windows\System32\WaRexMV.exe
  2⤵
  PID:8084
- C:\Windows\System32\dxgkqKk.exe
  C:\Windows\System32\dxgkqKk.exe
  2⤵
  PID:8136
- C:\Windows\System32\gpIEeiI.exe
  C:\Windows\System32\gpIEeiI.exe
  2⤵
  PID:8160
- C:\Windows\System32\Xnwnirb.exe
  C:\Windows\System32\Xnwnirb.exe
  2⤵
  PID:5164
- C:\Windows\System32\ljaMUCj.exe
  C:\Windows\System32\ljaMUCj.exe
  2⤵
  PID:7172
- C:\Windows\System32\hguEYMg.exe
  C:\Windows\System32\hguEYMg.exe
  2⤵
  PID:7256
- C:\Windows\System32\ZBqllSG.exe
  C:\Windows\System32\ZBqllSG.exe
  2⤵
  PID:7380
- C:\Windows\System32\oRKMfQN.exe
  C:\Windows\System32\oRKMfQN.exe
  2⤵
  PID:7432
- C:\Windows\System32\kaLAvAm.exe
  C:\Windows\System32\kaLAvAm.exe
  2⤵
  PID:7456
- C:\Windows\System32\CYwnYUT.exe
  C:\Windows\System32\CYwnYUT.exe
  2⤵
  PID:7500
- C:\Windows\System32\YCdAbwa.exe
  C:\Windows\System32\YCdAbwa.exe
  2⤵
  PID:7528
- C:\Windows\System32\jMPrIoQ.exe
  C:\Windows\System32\jMPrIoQ.exe
  2⤵
  PID:7596
- C:\Windows\System32\UNcBFbG.exe
  C:\Windows\System32\UNcBFbG.exe
  2⤵
  PID:7668
- C:\Windows\System32\JUtEoJG.exe
  C:\Windows\System32\JUtEoJG.exe
  2⤵
  PID:7728
- C:\Windows\System32\oNrTKoL.exe
  C:\Windows\System32\oNrTKoL.exe
  2⤵
  PID:7760
- C:\Windows\System32\tvquWHW.exe
  C:\Windows\System32\tvquWHW.exe
  2⤵
  PID:7836
- C:\Windows\System32\PsTCgCP.exe
  C:\Windows\System32\PsTCgCP.exe
  2⤵
  PID:7896
- C:\Windows\System32\pSWyYeG.exe
  C:\Windows\System32\pSWyYeG.exe
  2⤵
  PID:7984
- C:\Windows\System32\JZkMcAW.exe
  C:\Windows\System32\JZkMcAW.exe
  2⤵
  PID:8000
- C:\Windows\System32\pEWzjdZ.exe
  C:\Windows\System32\pEWzjdZ.exe
  2⤵
  PID:8116
- C:\Windows\System32\JRrNZTO.exe
  C:\Windows\System32\JRrNZTO.exe
  2⤵
  PID:7224
- C:\Windows\System32\XlhyMHq.exe
  C:\Windows\System32\XlhyMHq.exe
  2⤵
  PID:7404
- C:\Windows\System32\GZjuyQH.exe
  C:\Windows\System32\GZjuyQH.exe
  2⤵
  PID:7572
- C:\Windows\System32\vVylLmk.exe
  C:\Windows\System32\vVylLmk.exe
  2⤵
  PID:7512
- C:\Windows\System32\QGVRBlE.exe
  C:\Windows\System32\QGVRBlE.exe
  2⤵
  PID:7832
- C:\Windows\System32\zTzgFBe.exe
  C:\Windows\System32\zTzgFBe.exe
  2⤵
  PID:7852
- C:\Windows\System32\RsQwhLI.exe
  C:\Windows\System32\RsQwhLI.exe
  2⤵
  PID:8188
- C:\Windows\System32\yinTcRL.exe
  C:\Windows\System32\yinTcRL.exe
  2⤵
  PID:8144
- C:\Windows\System32\yjeamWD.exe
  C:\Windows\System32\yjeamWD.exe
  2⤵
  PID:6676
- C:\Windows\System32\AIgRYNR.exe
  C:\Windows\System32\AIgRYNR.exe
  2⤵
  PID:7792
- C:\Windows\System32\PaYOcCq.exe
  C:\Windows\System32\PaYOcCq.exe
  2⤵
  PID:7932
- C:\Windows\System32\TIllVZh.exe
  C:\Windows\System32\TIllVZh.exe
  2⤵
  PID:8196
- C:\Windows\System32\AULddhG.exe
  C:\Windows\System32\AULddhG.exe
  2⤵
  PID:8220
- C:\Windows\System32\ErhXOrW.exe
  C:\Windows\System32\ErhXOrW.exe
  2⤵
  PID:8256
- C:\Windows\System32\WWgfkRM.exe
  C:\Windows\System32\WWgfkRM.exe
  2⤵
  PID:8316
- C:\Windows\System32\EYWRIfc.exe
  C:\Windows\System32\EYWRIfc.exe
  2⤵
  PID:8348
- C:\Windows\System32\pJBuLgH.exe
  C:\Windows\System32\pJBuLgH.exe
  2⤵
  PID:8380
- C:\Windows\System32\xcgTzHj.exe
  C:\Windows\System32\xcgTzHj.exe
  2⤵
  PID:8400
- C:\Windows\System32\fXEiMDt.exe
  C:\Windows\System32\fXEiMDt.exe
  2⤵
  PID:8428
- C:\Windows\System32\eeVvbdV.exe
  C:\Windows\System32\eeVvbdV.exe
  2⤵
  PID:8452
- C:\Windows\System32\vqikfqg.exe
  C:\Windows\System32\vqikfqg.exe
  2⤵
  PID:8468
- C:\Windows\System32\xsGTtQq.exe
  C:\Windows\System32\xsGTtQq.exe
  2⤵
  PID:8520
- C:\Windows\System32\fLZnHPE.exe
  C:\Windows\System32\fLZnHPE.exe
  2⤵
  PID:8548
- C:\Windows\System32\odwHhAM.exe
  C:\Windows\System32\odwHhAM.exe
  2⤵
  PID:8568
- C:\Windows\System32\oavHDZF.exe
  C:\Windows\System32\oavHDZF.exe
  2⤵
  PID:8616
- C:\Windows\System32\jkHJucx.exe
  C:\Windows\System32\jkHJucx.exe
  2⤵
  PID:8632
- C:\Windows\System32\tKFhZqt.exe
  C:\Windows\System32\tKFhZqt.exe
  2⤵
  PID:8684
- C:\Windows\System32\CxOclSX.exe
  C:\Windows\System32\CxOclSX.exe
  2⤵
  PID:8700
- C:\Windows\System32\jlSRCKP.exe
  C:\Windows\System32\jlSRCKP.exe
  2⤵
  PID:8720
- C:\Windows\System32\aXjfqgq.exe
  C:\Windows\System32\aXjfqgq.exe
  2⤵
  PID:8748
- C:\Windows\System32\lwtCxtm.exe
  C:\Windows\System32\lwtCxtm.exe
  2⤵
  PID:8772
- C:\Windows\System32\lfCUwyF.exe
  C:\Windows\System32\lfCUwyF.exe
  2⤵
  PID:8788
- C:\Windows\System32\iyBlPXU.exe
  C:\Windows\System32\iyBlPXU.exe
  2⤵
  PID:8820
- C:\Windows\System32\EpcOxxM.exe
  C:\Windows\System32\EpcOxxM.exe
  2⤵
  PID:8840
- C:\Windows\System32\NQDXpht.exe
  C:\Windows\System32\NQDXpht.exe
  2⤵
  PID:8876
- C:\Windows\System32\yCbQJqJ.exe
  C:\Windows\System32\yCbQJqJ.exe
  2⤵
  PID:8904
- C:\Windows\System32\uBFBZuu.exe
  C:\Windows\System32\uBFBZuu.exe
  2⤵
  PID:8924
- C:\Windows\System32\oAZtVSi.exe
  C:\Windows\System32\oAZtVSi.exe
  2⤵
  PID:8944
- C:\Windows\System32\qNGFnCX.exe
  C:\Windows\System32\qNGFnCX.exe
  2⤵
  PID:8968
- C:\Windows\System32\zreDaUj.exe
  C:\Windows\System32\zreDaUj.exe
  2⤵
  PID:9012
- C:\Windows\System32\bcwzuQs.exe
  C:\Windows\System32\bcwzuQs.exe
  2⤵
  PID:9064
- C:\Windows\System32\XstYWvy.exe
  C:\Windows\System32\XstYWvy.exe
  2⤵
  PID:9088
- C:\Windows\System32\WPdVFwO.exe
  C:\Windows\System32\WPdVFwO.exe
  2⤵
  PID:9112
- C:\Windows\System32\TmiXWPA.exe
  C:\Windows\System32\TmiXWPA.exe
  2⤵
  PID:9148
- C:\Windows\System32\oJDMPnh.exe
  C:\Windows\System32\oJDMPnh.exe
  2⤵
  PID:9188
- C:\Windows\System32\cQyfyIp.exe
  C:\Windows\System32\cQyfyIp.exe
  2⤵
  PID:8096
- C:\Windows\System32\AARCIsC.exe
  C:\Windows\System32\AARCIsC.exe
  2⤵
  PID:7740
- C:\Windows\System32\FMicVxW.exe
  C:\Windows\System32\FMicVxW.exe
  2⤵
  PID:7556
- C:\Windows\System32\iMdgBoB.exe
  C:\Windows\System32\iMdgBoB.exe
  2⤵
  PID:8232
- C:\Windows\System32\lJRNndB.exe
  C:\Windows\System32\lJRNndB.exe
  2⤵
  PID:8356
- C:\Windows\System32\jbSbPZk.exe
  C:\Windows\System32\jbSbPZk.exe
  2⤵
  PID:8416
- C:\Windows\System32\VioRSbq.exe
  C:\Windows\System32\VioRSbq.exe
  2⤵
  PID:8544
- C:\Windows\System32\mGsrpAm.exe
  C:\Windows\System32\mGsrpAm.exe
  2⤵
  PID:8576
- C:\Windows\System32\JYVJcHF.exe
  C:\Windows\System32\JYVJcHF.exe
  2⤵
  PID:8588
- C:\Windows\System32\wOvDZCr.exe
  C:\Windows\System32\wOvDZCr.exe
  2⤵
  PID:8656
- C:\Windows\System32\eUrfQJH.exe
  C:\Windows\System32\eUrfQJH.exe
  2⤵
  PID:8716
- C:\Windows\System32\tqaufZh.exe
  C:\Windows\System32\tqaufZh.exe
  2⤵
  PID:8804
- C:\Windows\System32\jiRKhiF.exe
  C:\Windows\System32\jiRKhiF.exe
  2⤵
  PID:8836
- C:\Windows\System32\TyEJxiv.exe
  C:\Windows\System32\TyEJxiv.exe
  2⤵
  PID:8940
- C:\Windows\System32\UtCgoOQ.exe
  C:\Windows\System32\UtCgoOQ.exe
  2⤵
  PID:8960
- C:\Windows\System32\CjFzzhD.exe
  C:\Windows\System32\CjFzzhD.exe
  2⤵
  PID:9120
- C:\Windows\System32\NExTSyI.exe
  C:\Windows\System32\NExTSyI.exe
  2⤵
  PID:9180
- C:\Windows\System32\bGJnIEN.exe
  C:\Windows\System32\bGJnIEN.exe
  2⤵
  PID:8212
- C:\Windows\System32\CnScxMq.exe
  C:\Windows\System32\CnScxMq.exe
  2⤵
  PID:8296
- C:\Windows\System32\fJKfJwh.exe
  C:\Windows\System32\fJKfJwh.exe
  2⤵
  PID:8372
- C:\Windows\System32\LrYKwsb.exe
  C:\Windows\System32\LrYKwsb.exe
  2⤵
  PID:8912
- C:\Windows\System32\aPoKreS.exe
  C:\Windows\System32\aPoKreS.exe
  2⤵
  PID:8600
- C:\Windows\System32\wpkTTim.exe
  C:\Windows\System32\wpkTTim.exe
  2⤵
  PID:8832
- C:\Windows\System32\nrQGkEH.exe
  C:\Windows\System32\nrQGkEH.exe
  2⤵
  PID:9008
- C:\Windows\System32\AUJtdDq.exe
  C:\Windows\System32\AUJtdDq.exe
  2⤵
  PID:9164
- C:\Windows\System32\AfocSIR.exe
  C:\Windows\System32\AfocSIR.exe
  2⤵
  PID:8268
- C:\Windows\System32\BEweNCD.exe
  C:\Windows\System32\BEweNCD.exe
  2⤵
  PID:8736
- C:\Windows\System32\cXwoRxf.exe
  C:\Windows\System32\cXwoRxf.exe
  2⤵
  PID:9020
- C:\Windows\System32\sIYcDnS.exe
  C:\Windows\System32\sIYcDnS.exe
  2⤵
  PID:8604
- C:\Windows\System32\AfaAuzt.exe
  C:\Windows\System32\AfaAuzt.exe
  2⤵
  PID:9160
- C:\Windows\System32\GAMsGZG.exe
  C:\Windows\System32\GAMsGZG.exe
  2⤵
  PID:9240
- C:\Windows\System32\prUvDyZ.exe
  C:\Windows\System32\prUvDyZ.exe
  2⤵
  PID:9268
- C:\Windows\System32\QwKIwzH.exe
  C:\Windows\System32\QwKIwzH.exe
  2⤵
  PID:9348
- C:\Windows\System32\YUZVVbY.exe
  C:\Windows\System32\YUZVVbY.exe
  2⤵
  PID:9376
- C:\Windows\System32\UcFxadk.exe
  C:\Windows\System32\UcFxadk.exe
  2⤵
  PID:9396
- C:\Windows\System32\eYmMiJC.exe
  C:\Windows\System32\eYmMiJC.exe
  2⤵
  PID:9412
- C:\Windows\System32\EyqJGpf.exe
  C:\Windows\System32\EyqJGpf.exe
  2⤵
  PID:9436
- C:\Windows\System32\WqEmMZU.exe
  C:\Windows\System32\WqEmMZU.exe
  2⤵
  PID:9464
- C:\Windows\System32\SntwGUg.exe
  C:\Windows\System32\SntwGUg.exe
  2⤵
  PID:9488
- C:\Windows\System32\HlSBMyB.exe
  C:\Windows\System32\HlSBMyB.exe
  2⤵
  PID:9508
- C:\Windows\System32\XsoVtHO.exe
  C:\Windows\System32\XsoVtHO.exe
  2⤵
  PID:9556
- C:\Windows\System32\jQxnVHR.exe
  C:\Windows\System32\jQxnVHR.exe
  2⤵
  PID:9588
- C:\Windows\System32\GKbgGOb.exe
  C:\Windows\System32\GKbgGOb.exe
  2⤵
  PID:9612
- C:\Windows\System32\sreABnj.exe
  C:\Windows\System32\sreABnj.exe
  2⤵
  PID:9640
- C:\Windows\System32\HJvGuAi.exe
  C:\Windows\System32\HJvGuAi.exe
  2⤵
  PID:9664
- C:\Windows\System32\SpzDEUz.exe
  C:\Windows\System32\SpzDEUz.exe
  2⤵
  PID:9688
- C:\Windows\System32\bMyFUQx.exe
  C:\Windows\System32\bMyFUQx.exe
  2⤵
  PID:9724
- C:\Windows\System32\ZmTPlLi.exe
  C:\Windows\System32\ZmTPlLi.exe
  2⤵
  PID:9768
- C:\Windows\System32\TvkmCDE.exe
  C:\Windows\System32\TvkmCDE.exe
  2⤵
  PID:9796
- C:\Windows\System32\ooXZMIj.exe
  C:\Windows\System32\ooXZMIj.exe
  2⤵
  PID:9816
- C:\Windows\System32\XxupsJz.exe
  C:\Windows\System32\XxupsJz.exe
  2⤵
  PID:9864
- C:\Windows\System32\FcftQav.exe
  C:\Windows\System32\FcftQav.exe
  2⤵
  PID:9880
- C:\Windows\System32\NDmgivl.exe
  C:\Windows\System32\NDmgivl.exe
  2⤵
  PID:9904
- C:\Windows\System32\RzLFLSd.exe
  C:\Windows\System32\RzLFLSd.exe
  2⤵
  PID:9932
- C:\Windows\System32\GJzyZvV.exe
  C:\Windows\System32\GJzyZvV.exe
  2⤵
  PID:9984
- C:\Windows\System32\yIxlCAH.exe
  C:\Windows\System32\yIxlCAH.exe
  2⤵
  PID:10016
- C:\Windows\System32\YxkeAQd.exe
  C:\Windows\System32\YxkeAQd.exe
  2⤵
  PID:10040
- C:\Windows\System32\phZmREy.exe
  C:\Windows\System32\phZmREy.exe
  2⤵
  PID:10068
- C:\Windows\System32\nipngKq.exe
  C:\Windows\System32\nipngKq.exe
  2⤵
  PID:10088
- C:\Windows\System32\jUnhsbi.exe
  C:\Windows\System32\jUnhsbi.exe
  2⤵
  PID:10132
- C:\Windows\System32\RDeJgxU.exe
  C:\Windows\System32\RDeJgxU.exe
  2⤵
  PID:10168
- C:\Windows\System32\ucVuHVT.exe
  C:\Windows\System32\ucVuHVT.exe
  2⤵
  PID:10192
- C:\Windows\System32\HbsMWdJ.exe
  C:\Windows\System32\HbsMWdJ.exe
  2⤵
  PID:10208
- C:\Windows\System32\ZoSrWiz.exe
  C:\Windows\System32\ZoSrWiz.exe
  2⤵
  PID:10228
- C:\Windows\System32\hyOePvS.exe
  C:\Windows\System32\hyOePvS.exe
  2⤵
  PID:8812
- C:\Windows\System32\wkebDKS.exe
  C:\Windows\System32\wkebDKS.exe
  2⤵
  PID:9224
- C:\Windows\System32\LnqTSHw.exe
  C:\Windows\System32\LnqTSHw.exe
  2⤵
  PID:9336
- C:\Windows\System32\hUGwnMs.exe
  C:\Windows\System32\hUGwnMs.exe
  2⤵
  PID:9424
- C:\Windows\System32\cTqYrYV.exe
  C:\Windows\System32\cTqYrYV.exe
  2⤵
  PID:9476
- C:\Windows\System32\GQlKueH.exe
  C:\Windows\System32\GQlKueH.exe
  2⤵
  PID:9500
- C:\Windows\System32\oPuOhPc.exe
  C:\Windows\System32\oPuOhPc.exe
  2⤵
  PID:9636
- C:\Windows\System32\AENHtAV.exe
  C:\Windows\System32\AENHtAV.exe
  2⤵
  PID:9580
- C:\Windows\System32\ZEonUWk.exe
  C:\Windows\System32\ZEonUWk.exe
  2⤵
  PID:8248
- C:\Windows\System32\kHBvsQA.exe
  C:\Windows\System32\kHBvsQA.exe
  2⤵
  PID:9748
- C:\Windows\System32\smgpdNd.exe
  C:\Windows\System32\smgpdNd.exe
  2⤵
  PID:9784
- C:\Windows\System32\QPTMVUa.exe
  C:\Windows\System32\QPTMVUa.exe
  2⤵
  PID:9952
- C:\Windows\System32\xaJucbr.exe
  C:\Windows\System32\xaJucbr.exe
  2⤵
  PID:10036
- C:\Windows\System32\HRDLEdB.exe
  C:\Windows\System32\HRDLEdB.exe
  2⤵
  PID:10140
- C:\Windows\System32\lOVbymW.exe
  C:\Windows\System32\lOVbymW.exe
  2⤵
  PID:10220
- C:\Windows\System32\sQoOoDa.exe
  C:\Windows\System32\sQoOoDa.exe
  2⤵
  PID:10236
- C:\Windows\System32\UqOQVDz.exe
  C:\Windows\System32\UqOQVDz.exe
  2⤵
  PID:9404
- C:\Windows\System32\hFLgeeA.exe
  C:\Windows\System32\hFLgeeA.exe
  2⤵
  PID:9544
- C:\Windows\System32\uweUBOh.exe
  C:\Windows\System32\uweUBOh.exe
  2⤵
  PID:9684
- C:\Windows\System32\Tpkhwyx.exe
  C:\Windows\System32\Tpkhwyx.exe
  2⤵
  PID:9736
- C:\Windows\System32\wapRGXk.exe
  C:\Windows\System32\wapRGXk.exe
  2⤵
  PID:10004
- C:\Windows\System32\TjwbXVy.exe
  C:\Windows\System32\TjwbXVy.exe
  2⤵
  PID:10148
- C:\Windows\System32\TkQtmgs.exe
  C:\Windows\System32\TkQtmgs.exe
  2⤵
  PID:9808
- C:\Windows\System32\pZgtIHy.exe
  C:\Windows\System32\pZgtIHy.exe
  2⤵
  PID:9872
- C:\Windows\System32\vAyqUeD.exe
  C:\Windows\System32\vAyqUeD.exe
  2⤵
  PID:10200
- C:\Windows\System32\anETtXz.exe
  C:\Windows\System32\anETtXz.exe
  2⤵
  PID:9732
- C:\Windows\System32\IbxzwSB.exe
  C:\Windows\System32\IbxzwSB.exe
  2⤵
  PID:10248
- C:\Windows\System32\SOoyHOk.exe
  C:\Windows\System32\SOoyHOk.exe
  2⤵
  PID:10280
- C:\Windows\System32\QaykJIN.exe
  C:\Windows\System32\QaykJIN.exe
  2⤵
  PID:10300
- C:\Windows\System32\mvvhklA.exe
  C:\Windows\System32\mvvhklA.exe
  2⤵
  PID:10328
- C:\Windows\System32\yHWbURT.exe
  C:\Windows\System32\yHWbURT.exe
  2⤵
  PID:10344
- C:\Windows\System32\qDJkLuC.exe
  C:\Windows\System32\qDJkLuC.exe
  2⤵
  PID:10364
- C:\Windows\System32\iHGlCRx.exe
  C:\Windows\System32\iHGlCRx.exe
  2⤵
  PID:10388
- C:\Windows\System32\heKJjxy.exe
  C:\Windows\System32\heKJjxy.exe
  2⤵
  PID:10436
- C:\Windows\System32\cVwXWGn.exe
  C:\Windows\System32\cVwXWGn.exe
  2⤵
  PID:10472
- C:\Windows\System32\CCznGnN.exe
  C:\Windows\System32\CCznGnN.exe
  2⤵
  PID:10488
- C:\Windows\System32\QwxCYuK.exe
  C:\Windows\System32\QwxCYuK.exe
  2⤵
  PID:10516
- C:\Windows\System32\HAKKohH.exe
  C:\Windows\System32\HAKKohH.exe
  2⤵
  PID:10576
- C:\Windows\System32\bPrGhpF.exe
  C:\Windows\System32\bPrGhpF.exe
  2⤵
  PID:10592
- C:\Windows\System32\jRwVTFR.exe
  C:\Windows\System32\jRwVTFR.exe
  2⤵
  PID:10616
- C:\Windows\System32\CfxvRkb.exe
  C:\Windows\System32\CfxvRkb.exe
  2⤵
  PID:10640
- C:\Windows\System32\ilaweiU.exe
  C:\Windows\System32\ilaweiU.exe
  2⤵
  PID:10688
- C:\Windows\System32\MpSuAEE.exe
  C:\Windows\System32\MpSuAEE.exe
  2⤵
  PID:10704
- C:\Windows\System32\ZWMtSPm.exe
  C:\Windows\System32\ZWMtSPm.exe
  2⤵
  PID:10720
- C:\Windows\System32\XrgNbwE.exe
  C:\Windows\System32\XrgNbwE.exe
  2⤵
  PID:10744
- C:\Windows\System32\NYABrwb.exe
  C:\Windows\System32\NYABrwb.exe
  2⤵
  PID:10768
- C:\Windows\System32\xrNbgyY.exe
  C:\Windows\System32\xrNbgyY.exe
  2⤵
  PID:10792
- C:\Windows\System32\XjwjuDg.exe
  C:\Windows\System32\XjwjuDg.exe
  2⤵
  PID:10812
- C:\Windows\System32\mGhyKXP.exe
  C:\Windows\System32\mGhyKXP.exe
  2⤵
  PID:10836
- C:\Windows\System32\stBNwyT.exe
  C:\Windows\System32\stBNwyT.exe
  2⤵
  PID:10876
- C:\Windows\System32\hkazCPI.exe
  C:\Windows\System32\hkazCPI.exe
  2⤵
  PID:10912
- C:\Windows\System32\qJAlhfv.exe
  C:\Windows\System32\qJAlhfv.exe
  2⤵
  PID:10964
- C:\Windows\System32\lzJEAUs.exe
  C:\Windows\System32\lzJEAUs.exe
  2⤵
  PID:10984
- C:\Windows\System32\HRSgZoN.exe
  C:\Windows\System32\HRSgZoN.exe
  2⤵
  PID:11008
- C:\Windows\System32\IMxBwRm.exe
  C:\Windows\System32\IMxBwRm.exe
  2⤵
  PID:11036
- C:\Windows\System32\GBOvOiL.exe
  C:\Windows\System32\GBOvOiL.exe
  2⤵
  PID:11092
- C:\Windows\System32\VBrbrEg.exe
  C:\Windows\System32\VBrbrEg.exe
  2⤵
  PID:11120
- C:\Windows\System32\HSztVdA.exe
  C:\Windows\System32\HSztVdA.exe
  2⤵
  PID:11136
- C:\Windows\System32\GZwKEwg.exe
  C:\Windows\System32\GZwKEwg.exe
  2⤵
  PID:11152
- C:\Windows\System32\JKQYegB.exe
  C:\Windows\System32\JKQYegB.exe
  2⤵
  PID:11172
- C:\Windows\System32\iIAZkZx.exe
  C:\Windows\System32\iIAZkZx.exe
  2⤵
  PID:11200
- C:\Windows\System32\rQDrpMF.exe
  C:\Windows\System32\rQDrpMF.exe
  2⤵
  PID:11252
- C:\Windows\System32\QMJxdIb.exe
  C:\Windows\System32\QMJxdIb.exe
  2⤵
  PID:10316
- C:\Windows\System32\KFRZijQ.exe
  C:\Windows\System32\KFRZijQ.exe
  2⤵
  PID:10288
- C:\Windows\System32\zjdGLrU.exe
  C:\Windows\System32\zjdGLrU.exe
  2⤵
  PID:10384
- C:\Windows\System32\PSzWIHm.exe
  C:\Windows\System32\PSzWIHm.exe
  2⤵
  PID:10452
- C:\Windows\System32\RSpsFcR.exe
  C:\Windows\System32\RSpsFcR.exe
  2⤵
  PID:10524
- C:\Windows\System32\FUSQQVb.exe
  C:\Windows\System32\FUSQQVb.exe
  2⤵
  PID:10588
- C:\Windows\System32\XODOlnn.exe
  C:\Windows\System32\XODOlnn.exe
  2⤵
  PID:9764
- C:\Windows\System32\vYbAnMf.exe
  C:\Windows\System32\vYbAnMf.exe
  2⤵
  PID:10752
- C:\Windows\System32\IqpUbZP.exe
  C:\Windows\System32\IqpUbZP.exe
  2⤵
  PID:10740
- C:\Windows\System32\aLKijXS.exe
  C:\Windows\System32\aLKijXS.exe
  2⤵
  PID:10780
- C:\Windows\System32\jDuWgQP.exe
  C:\Windows\System32\jDuWgQP.exe
  2⤵
  PID:10860
- C:\Windows\System32\zyUixBC.exe
  C:\Windows\System32\zyUixBC.exe
  2⤵
  PID:10940
- C:\Windows\System32\WZhIVYK.exe
  C:\Windows\System32\WZhIVYK.exe
  2⤵
  PID:11052
- C:\Windows\System32\wmKFusz.exe
  C:\Windows\System32\wmKFusz.exe
  2⤵
  PID:11020
- C:\Windows\System32\iaqQwKH.exe
  C:\Windows\System32\iaqQwKH.exe
  2⤵
  PID:11128
- C:\Windows\System32\BItSzhu.exe
  C:\Windows\System32\BItSzhu.exe
  2⤵
  PID:11180
- C:\Windows\System32\kaTnLsF.exe
  C:\Windows\System32\kaTnLsF.exe
  2⤵
  PID:11212
- C:\Windows\System32\eeTvqdf.exe
  C:\Windows\System32\eeTvqdf.exe
  2⤵
  PID:10420
- C:\Windows\System32\bDmWnWe.exe
  C:\Windows\System32\bDmWnWe.exe
  2⤵
  PID:10716
- C:\Windows\System32\moCXRoZ.exe
  C:\Windows\System32\moCXRoZ.exe
  2⤵
  PID:10800
- C:\Windows\System32\tCnGKEH.exe
  C:\Windows\System32\tCnGKEH.exe
  2⤵
  PID:10728
- C:\Windows\System32\RkwHvJC.exe
  C:\Windows\System32\RkwHvJC.exe
  2⤵
  PID:11164
- C:\Windows\System32\cLqytaO.exe
  C:\Windows\System32\cLqytaO.exe
  2⤵
  PID:11192
- C:\Windows\System32\FTubPlb.exe
  C:\Windows\System32\FTubPlb.exe
  2⤵
  PID:10308
- C:\Windows\System32\keAgOWj.exe
  C:\Windows\System32\keAgOWj.exe
  2⤵
  PID:10776
- C:\Windows\System32\WgtqOcn.exe
  C:\Windows\System32\WgtqOcn.exe
  2⤵
  PID:11004
- C:\Windows\System32\DkqEPOk.exe
  C:\Windows\System32\DkqEPOk.exe
  2⤵
  PID:11232
- C:\Windows\System32\sZpvhGp.exe
  C:\Windows\System32\sZpvhGp.exe
  2⤵
  PID:11280
- C:\Windows\System32\jILKMBy.exe
  C:\Windows\System32\jILKMBy.exe
  2⤵
  PID:11344
- C:\Windows\System32\rkPpVfN.exe
  C:\Windows\System32\rkPpVfN.exe
  2⤵
  PID:11364
- C:\Windows\System32\jVQvrkf.exe
  C:\Windows\System32\jVQvrkf.exe
  2⤵
  PID:11380
- C:\Windows\System32\jWiehsg.exe
  C:\Windows\System32\jWiehsg.exe
  2⤵
  PID:11396
- C:\Windows\System32\IByiJmZ.exe
  C:\Windows\System32\IByiJmZ.exe
  2⤵
  PID:11424
- C:\Windows\System32\jdyCkpe.exe
  C:\Windows\System32\jdyCkpe.exe
  2⤵
  PID:11444
- C:\Windows\System32\dGczUPv.exe
  C:\Windows\System32\dGczUPv.exe
  2⤵
  PID:11468
- C:\Windows\System32\eKouzhu.exe
  C:\Windows\System32\eKouzhu.exe
  2⤵
  PID:11496
- C:\Windows\System32\gjojbLJ.exe
  C:\Windows\System32\gjojbLJ.exe
  2⤵
  PID:11516
- C:\Windows\System32\uGuNAOk.exe
  C:\Windows\System32\uGuNAOk.exe
  2⤵
  PID:11564
- C:\Windows\System32\vggMebb.exe
  C:\Windows\System32\vggMebb.exe
  2⤵
  PID:11580
- C:\Windows\System32\ZefjwBX.exe
  C:\Windows\System32\ZefjwBX.exe
  2⤵
  PID:11596
- C:\Windows\System32\qucjXnu.exe
  C:\Windows\System32\qucjXnu.exe
  2⤵
  PID:11624
- C:\Windows\System32\uqtSsEA.exe
  C:\Windows\System32\uqtSsEA.exe
  2⤵
  PID:11732
- C:\Windows\System32\WaIWZhl.exe
  C:\Windows\System32\WaIWZhl.exe
  2⤵
  PID:11756
- C:\Windows\System32\xMvsPJG.exe
  C:\Windows\System32\xMvsPJG.exe
  2⤵
  PID:11776
- C:\Windows\System32\agyLYVA.exe
  C:\Windows\System32\agyLYVA.exe
  2⤵
  PID:11796
- C:\Windows\System32\QJJrvkd.exe
  C:\Windows\System32\QJJrvkd.exe
  2⤵
  PID:11828
- C:\Windows\System32\CexuOHG.exe
  C:\Windows\System32\CexuOHG.exe
  2⤵
  PID:11860
- C:\Windows\System32\dnHsxAD.exe
  C:\Windows\System32\dnHsxAD.exe
  2⤵
  PID:11892
- C:\Windows\System32\cxGojCX.exe
  C:\Windows\System32\cxGojCX.exe
  2⤵
  PID:11928
- C:\Windows\System32\dqWlReZ.exe
  C:\Windows\System32\dqWlReZ.exe
  2⤵
  PID:11960
- C:\Windows\System32\LRMxywb.exe
  C:\Windows\System32\LRMxywb.exe
  2⤵
  PID:11976
- C:\Windows\System32\zPYTCHp.exe
  C:\Windows\System32\zPYTCHp.exe
  2⤵
  PID:11996
- C:\Windows\System32\atgsOIY.exe
  C:\Windows\System32\atgsOIY.exe
  2⤵
  PID:12020
- C:\Windows\System32\MeAOqoQ.exe
  C:\Windows\System32\MeAOqoQ.exe
  2⤵
  PID:12044
- C:\Windows\System32\hwomIMW.exe
  C:\Windows\System32\hwomIMW.exe
  2⤵
  PID:12064
- C:\Windows\System32\uafizCy.exe
  C:\Windows\System32\uafizCy.exe
  2⤵
  PID:12120
- C:\Windows\System32\XCBHXMP.exe
  C:\Windows\System32\XCBHXMP.exe
  2⤵
  PID:12144
- C:\Windows\System32\BOTPqTB.exe
  C:\Windows\System32\BOTPqTB.exe
  2⤵
  PID:12172
- C:\Windows\System32\MgkMmRk.exe
  C:\Windows\System32\MgkMmRk.exe
  2⤵
  PID:12212
- C:\Windows\System32\tQDTemd.exe
  C:\Windows\System32\tQDTemd.exe
  2⤵
  PID:12232
- C:\Windows\System32\AOweFIl.exe
  C:\Windows\System32\AOweFIl.exe
  2⤵
  PID:12256
- C:\Windows\System32\UMJmgat.exe
  C:\Windows\System32\UMJmgat.exe
  2⤵
  PID:12276
- C:\Windows\System32\zhaGKBs.exe
  C:\Windows\System32\zhaGKBs.exe
  2⤵
  PID:11276
- C:\Windows\System32\ujAVCoD.exe
  C:\Windows\System32\ujAVCoD.exe
  2⤵
  PID:10612
- C:\Windows\System32\bDBKMse.exe
  C:\Windows\System32\bDBKMse.exe
  2⤵
  PID:11388
- C:\Windows\System32\irZcFcr.exe
  C:\Windows\System32\irZcFcr.exe
  2⤵
  PID:11476
- C:\Windows\System32\jwHFTJn.exe
  C:\Windows\System32\jwHFTJn.exe
  2⤵
  PID:11536
- C:\Windows\System32\eYZbDTQ.exe
  C:\Windows\System32\eYZbDTQ.exe
  2⤵
  PID:11572
- C:\Windows\System32\CjyoBHc.exe
  C:\Windows\System32\CjyoBHc.exe
  2⤵
  PID:11552
- C:\Windows\System32\PmMYkXL.exe
  C:\Windows\System32\PmMYkXL.exe
  2⤵
  PID:11644
- C:\Windows\System32\CuUtUpn.exe
  C:\Windows\System32\CuUtUpn.exe
  2⤵
  PID:11688
- C:\Windows\System32\qrrHVrT.exe
  C:\Windows\System32\qrrHVrT.exe
  2⤵
  PID:11000
- C:\Windows\System32\uJUBNrS.exe
  C:\Windows\System32\uJUBNrS.exe
  2⤵
  PID:11840
- C:\Windows\System32\bydbilW.exe
  C:\Windows\System32\bydbilW.exe
  2⤵
  PID:11888
- C:\Windows\System32\zdrIEeD.exe
  C:\Windows\System32\zdrIEeD.exe
  2⤵
  PID:11936
- C:\Windows\System32\qdLzQtM.exe
  C:\Windows\System32\qdLzQtM.exe
  2⤵
  PID:12040
- C:\Windows\System32\IdAeRjJ.exe
  C:\Windows\System32\IdAeRjJ.exe
  2⤵
  PID:12096
- C:\Windows\System32\BwMDaZB.exe
  C:\Windows\System32\BwMDaZB.exe
  2⤵
  PID:12200
- C:\Windows\System32\DoUwWVu.exe
  C:\Windows\System32\DoUwWVu.exe
  2⤵
  PID:12240
- C:\Windows\System32\wxFglil.exe
  C:\Windows\System32\wxFglil.exe
  2⤵
  PID:10504
- C:\Windows\System32\dyYyPil.exe
  C:\Windows\System32\dyYyPil.exe
  2⤵
  PID:11292
- C:\Windows\System32\zdzupVf.exe
  C:\Windows\System32\zdzupVf.exe
  2⤵
  PID:11556
- C:\Windows\System32\pnUvwGG.exe
  C:\Windows\System32\pnUvwGG.exe
  2⤵
  PID:11620
- C:\Windows\System32\XVVhmcc.exe
  C:\Windows\System32\XVVhmcc.exe
  2⤵
  PID:11876
- C:\Windows\System32\wxIqkMY.exe
  C:\Windows\System32\wxIqkMY.exe
  2⤵
  PID:12180
- C:\Windows\System32\AmbRRlv.exe
  C:\Windows\System32\AmbRRlv.exe
  2⤵
  PID:11144
- C:\Windows\System32\LsAOWzc.exe
  C:\Windows\System32\LsAOWzc.exe
  2⤵
  PID:12268
- C:\Windows\System32\FSvgqnQ.exe
  C:\Windows\System32\FSvgqnQ.exe
  2⤵
  PID:11820
- C:\Windows\System32\KUGmdyC.exe
  C:\Windows\System32\KUGmdyC.exe
  2⤵
  PID:11908
- C:\Windows\System32\HcziWFq.exe
  C:\Windows\System32\HcziWFq.exe
  2⤵
  PID:11680
- C:\Windows\System32\FnYZBcu.exe
  C:\Windows\System32\FnYZBcu.exe
  2⤵
  PID:12328
- C:\Windows\System32\qQHpTwp.exe
  C:\Windows\System32\qQHpTwp.exe
  2⤵
  PID:12348
- C:\Windows\System32\NxRQqLy.exe
  C:\Windows\System32\NxRQqLy.exe
  2⤵
  PID:12372
- C:\Windows\System32\dCxsPdj.exe
  C:\Windows\System32\dCxsPdj.exe
  2⤵
  PID:12400
- C:\Windows\System32\etqvgwz.exe
  C:\Windows\System32\etqvgwz.exe
  2⤵
  PID:12428
- C:\Windows\System32\ghsoOgZ.exe
  C:\Windows\System32\ghsoOgZ.exe
  2⤵
  PID:12456
- C:\Windows\System32\gKpFZdQ.exe
  C:\Windows\System32\gKpFZdQ.exe
  2⤵
  PID:12484
- C:\Windows\System32\QTdjbTp.exe
  C:\Windows\System32\QTdjbTp.exe
  2⤵
  PID:12504
- C:\Windows\System32\uQxcaDG.exe
  C:\Windows\System32\uQxcaDG.exe
  2⤵
  PID:12532
- C:\Windows\System32\zXDDMMm.exe
  C:\Windows\System32\zXDDMMm.exe
  2⤵
  PID:12556
- C:\Windows\System32\XiliyWW.exe
  C:\Windows\System32\XiliyWW.exe
  2⤵
  PID:12584
- C:\Windows\System32\ZGgjDyQ.exe
  C:\Windows\System32\ZGgjDyQ.exe
  2⤵
  PID:12604
- C:\Windows\System32\hVkNLSX.exe
  C:\Windows\System32\hVkNLSX.exe
  2⤵
  PID:12640
- C:\Windows\System32\MvvULHT.exe
  C:\Windows\System32\MvvULHT.exe
  2⤵
  PID:12668
- C:\Windows\System32\XUkhZKr.exe
  C:\Windows\System32\XUkhZKr.exe
  2⤵
  PID:12712
- C:\Windows\System32\REsKOZl.exe
  C:\Windows\System32\REsKOZl.exe
  2⤵
  PID:12732
- C:\Windows\System32\FDOcwsX.exe
  C:\Windows\System32\FDOcwsX.exe
  2⤵
  PID:12752
- C:\Windows\System32\QQxKaCb.exe
  C:\Windows\System32\QQxKaCb.exe
  2⤵
  PID:12780
- C:\Windows\System32\DNmOxxz.exe
  C:\Windows\System32\DNmOxxz.exe
  2⤵
  PID:12800
- C:\Windows\System32\gnAIoOd.exe
  C:\Windows\System32\gnAIoOd.exe
  2⤵
  PID:12824
- C:\Windows\System32\dzGSblq.exe
  C:\Windows\System32\dzGSblq.exe
  2⤵
  PID:12852
- C:\Windows\System32\QUAKTWY.exe
  C:\Windows\System32\QUAKTWY.exe
  2⤵
  PID:12868
- C:\Windows\System32\tGRxdjv.exe
  C:\Windows\System32\tGRxdjv.exe
  2⤵
  PID:12896
- C:\Windows\System32\elMZGUM.exe
  C:\Windows\System32\elMZGUM.exe
  2⤵
  PID:12912
- C:\Windows\System32\JWVxmaH.exe
  C:\Windows\System32\JWVxmaH.exe
  2⤵
  PID:12952
- C:\Windows\System32\myoISTi.exe
  C:\Windows\System32\myoISTi.exe
  2⤵
  PID:12976
- C:\Windows\System32\LyNbMQm.exe
  C:\Windows\System32\LyNbMQm.exe
  2⤵
  PID:12996
- C:\Windows\System32\kWSeuzS.exe
  C:\Windows\System32\kWSeuzS.exe
  2⤵
  PID:13036
- C:\Windows\System32\YidqmDX.exe
  C:\Windows\System32\YidqmDX.exe
  2⤵
  PID:13092
- C:\Windows\System32\zjwBgaQ.exe
  C:\Windows\System32\zjwBgaQ.exe
  2⤵
  PID:13120
- C:\Windows\System32\UXxeSYR.exe
  C:\Windows\System32\UXxeSYR.exe
  2⤵
  PID:13144
- C:\Windows\System32\EtpGdke.exe
  C:\Windows\System32\EtpGdke.exe
  2⤵
  PID:13268
- C:\Windows\System32\VzIucHo.exe
  C:\Windows\System32\VzIucHo.exe
  2⤵
  PID:13284
- C:\Windows\System32\ibnjZZZ.exe
  C:\Windows\System32\ibnjZZZ.exe
  2⤵
  PID:12224
- C:\Windows\System32\eYBQsEM.exe
  C:\Windows\System32\eYBQsEM.exe
  2⤵
  PID:12164
- C:\Windows\System32\ZxkNKFt.exe
  C:\Windows\System32\ZxkNKFt.exe
  2⤵
  PID:12392
- C:\Windows\System32\AkZuRge.exe
  C:\Windows\System32\AkZuRge.exe
  2⤵
  PID:12436
- C:\Windows\System32\OBfGXxm.exe
  C:\Windows\System32\OBfGXxm.exe
  2⤵
  PID:12564
- C:\Windows\System32\IGbTCJp.exe
  C:\Windows\System32\IGbTCJp.exe
  2⤵
  PID:12528
- C:\Windows\System32\zWdigcB.exe
  C:\Windows\System32\zWdigcB.exe
  2⤵
  PID:12624
- C:\Windows\System32\BHXtOHC.exe
  C:\Windows\System32\BHXtOHC.exe
  2⤵
  PID:12680
- C:\Windows\System32\VIsaXeM.exe
  C:\Windows\System32\VIsaXeM.exe
  2⤵
  PID:12812
- C:\Windows\System32\fdfJPCu.exe
  C:\Windows\System32\fdfJPCu.exe
  2⤵
  PID:2828
- C:\Windows\System32\OUVVQCw.exe
  C:\Windows\System32\OUVVQCw.exe
  2⤵
  PID:4268
- C:\Windows\System32\csLTZCD.exe
  C:\Windows\System32\csLTZCD.exe
  2⤵
  PID:12860
- C:\Windows\System32\XNOaqgz.exe
  C:\Windows\System32\XNOaqgz.exe
  2⤵
  PID:12968
- C:\Windows\System32\WXhXnzO.exe
  C:\Windows\System32\WXhXnzO.exe
  2⤵
  PID:13060
- C:\Windows\System32\IDsVXyR.exe
  C:\Windows\System32\IDsVXyR.exe
  2⤵
  PID:13084
- C:\Windows\System32\AKSCPFo.exe
  C:\Windows\System32\AKSCPFo.exe
  2⤵
  PID:13208
- C:\Windows\System32\MBzmMEA.exe
  C:\Windows\System32\MBzmMEA.exe
  2⤵
  PID:13176
- C:\Windows\System32\ZHSmUEz.exe
  C:\Windows\System32\ZHSmUEz.exe
  2⤵
  PID:13244
- C:\Windows\System32\JiRsPQb.exe
  C:\Windows\System32\JiRsPQb.exe
  2⤵
  PID:13132
- C:\Windows\System32\PHKDOWb.exe
  C:\Windows\System32\PHKDOWb.exe
  2⤵
  PID:12304
- C:\Windows\System32\xysDbUA.exe
  C:\Windows\System32\xysDbUA.exe
  2⤵
  PID:12448
- C:\Windows\System32\zgzNYVF.exe
  C:\Windows\System32\zgzNYVF.exe
  2⤵
  PID:12520
- C:\Windows\System32\dqkLvti.exe
  C:\Windows\System32\dqkLvti.exe
  2⤵
  PID:12664
- C:\Windows\System32\giRVKaC.exe
  C:\Windows\System32\giRVKaC.exe
  2⤵
  PID:12844
- C:\Windows\System32\kPNlJEu.exe
  C:\Windows\System32\kPNlJEu.exe
  2⤵
  PID:12944
- C:\Windows\System32\XtGscoI.exe
  C:\Windows\System32\XtGscoI.exe
  2⤵
  PID:13088
- C:\Windows\System32\Qgtsrel.exe
  C:\Windows\System32\Qgtsrel.exe
  2⤵
  PID:13152
- C:\Windows\System32\nnaTRQM.exe
  C:\Windows\System32\nnaTRQM.exe
  2⤵
  PID:13308
- C:\Windows\System32\PMmNtJW.exe
  C:\Windows\System32\PMmNtJW.exe
  2⤵
  PID:12476
- C:\Windows\System32\KYiVDzW.exe
  C:\Windows\System32\KYiVDzW.exe
  2⤵
  PID:12592
- C:\Windows\System32\shFXDsA.exe
  C:\Windows\System32\shFXDsA.exe
  2⤵
  PID:13260
- C:\Windows\System32\cgBrnfp.exe
  C:\Windows\System32\cgBrnfp.exe
  2⤵
  PID:12764
- C:\Windows\System32\DPJCrZo.exe
  C:\Windows\System32\DPJCrZo.exe
  2⤵
  PID:2036
- C:\Windows\System32\LsMACgV.exe
  C:\Windows\System32\LsMACgV.exe
  2⤵
  PID:12612
- C:\Windows\System32\lihaoFi.exe
  C:\Windows\System32\lihaoFi.exe
  2⤵
  PID:13372
- C:\Windows\System32\MKBaCOn.exe
  C:\Windows\System32\MKBaCOn.exe
  2⤵
  PID:13388
- C:\Windows\System32\QHRRPdi.exe
  C:\Windows\System32\QHRRPdi.exe
  2⤵
  PID:13404
- C:\Windows\System32\OuXMSNv.exe
  C:\Windows\System32\OuXMSNv.exe
  2⤵
  PID:13420
- C:\Windows\System32\vTnmAtS.exe
  C:\Windows\System32\vTnmAtS.exe
  2⤵
  PID:13452
- C:\Windows\System32\dRNGDoW.exe
  C:\Windows\System32\dRNGDoW.exe
  2⤵
  PID:13504
- C:\Windows\System32\AFCFfnf.exe
  C:\Windows\System32\AFCFfnf.exe
  2⤵
  PID:13520
- C:\Windows\System32\GCyzLYx.exe
  C:\Windows\System32\GCyzLYx.exe
  2⤵
  PID:13560
- C:\Windows\System32\ZxMeJYZ.exe
  C:\Windows\System32\ZxMeJYZ.exe
  2⤵
  PID:13620
- C:\Windows\System32\DncotZq.exe
  C:\Windows\System32\DncotZq.exe
  2⤵
  PID:13640
- C:\Windows\System32\JWxVWuY.exe
  C:\Windows\System32\JWxVWuY.exe
  2⤵
  PID:13660
- C:\Windows\System32\hVKizKB.exe
  C:\Windows\System32\hVKizKB.exe
  2⤵
  PID:13700
- C:\Windows\System32\AQrYNCl.exe
  C:\Windows\System32\AQrYNCl.exe
  2⤵
  PID:13724
- C:\Windows\System32\pUPTzQa.exe
  C:\Windows\System32\pUPTzQa.exe
  2⤵
  PID:13752
- C:\Windows\System32\yxTHDnH.exe
  C:\Windows\System32\yxTHDnH.exe
  2⤵
  PID:13772
- C:\Windows\System32\sfDTYgw.exe
  C:\Windows\System32\sfDTYgw.exe
  2⤵
  PID:13800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AHiNWrZ.exe

Filesize
1.9MB

MD5
e350c55953e54f9e1f422a2d757fdee5

SHA1
9c38f35cdeb79a689c28d70f10f2ba94b132beeb

SHA256
86435649280c34b2bc094f21e4e6dcea12f72a0c2dd56b32df1946b071c809c7

SHA512
04b3bc1fa1c3155220a1ba6741e5868c5bdd31e7c16e44fc91f53d646419f138f6ae4e90733d7808b7a1803f282e555f15dab02a055936732983a3426554d872

Download Submit
C:\Windows\System32\BDwAkzF.exe

Filesize
1.9MB

MD5
b0a8a9ab024715b6877cc58ca1046774

SHA1
fe46c73eeecad116397f3b905ed05f63337b4e59

SHA256
f0db64bb6e9a885198fc457443a74471f21d8dca47aeb8ccd9f78485a8df539b

SHA512
14edf43013510435f74461f2c8b2c7a1a580ace25f9075dd64778e459294de47f96e42300f6ce1969eeccfd8a6ddac871a35aa5dcfbce31fc5039ce6f5266dd3

Download Submit
C:\Windows\System32\BeKhDef.exe

Filesize
1.9MB

MD5
46d705be1ba5c17cec0b3d6e963cadb3

SHA1
6ec9d20e5a0b0be89694bedb26401c5577fa0ea6

SHA256
b8bcd62bc604183213ed0bfcaade62f3dff3eabe746f817137df1f389f0e7451

SHA512
3fa6a689063788b48f8b23b37ea8935e06786caff4dcb0795e6ef5ee6fe1430e4d02665420a4579f183d8ef5e43bc1aefb7a32e25f203fe98e60fba5c4380d61

Download Submit
C:\Windows\System32\BqksXfU.exe

Filesize
1.9MB

MD5
219391f84ada8a99b5c0e5258826df75

SHA1
3ec2c8d78693235313418a70715bbb8afdb07675

SHA256
38273d890c0de03e928a047b919e065b7b2f690a2930a4d1042d4eb20cd3ac71

SHA512
465e2af069c2e8adf5b89219655305b88e1667131d9e8eb20f84bee90b6365c01b247c8b8e615cacc9b3bfb97498180f9ef59942464349a6a846ecd01c8bc49f

Download Submit
C:\Windows\System32\GEqlKTk.exe

Filesize
1.9MB

MD5
db9050ad1b52476c73dbd4a971f2973d

SHA1
a6a58efff50c8406ec081b6af01313fc30c037e3

SHA256
4336886329b9fcae22dfac0a124032e80d8e6da06d9cafab3059679a4299c40c

SHA512
790faa33b27c0112bae649e75e16bcefba3d45b106ea5065f9ecf3ebabc5881bf5a114647d08dfcf09936529d52538beccf64f5bc0126cf955836f8d615ec005

Download Submit
C:\Windows\System32\JJQkcBQ.exe

Filesize
1.9MB

MD5
8b555411a1b86c7dfc6700eaabfb0965

SHA1
85c6c9bf5e1eac04dc0cbcf23a566854da7c39ed

SHA256
bb45a2d2e16ae7b65cb86c21f32e9a3803856c1b19c95a788586397be4dd17de

SHA512
b7e52a99924af7355f00147a39f529268ff6bde3425a9ea907f70f09a3c84aff15662cf7223beb6e3adc9b31af634e4665ec49c9c933ba457dd6befa9a375eb8

Download Submit
C:\Windows\System32\MLpbKXf.exe

Filesize
1.9MB

MD5
95251c0ba74e933e0cbf87c53a36e4ff

SHA1
44a201bbca27d44be5f9ffc335122cfd4d41fd5a

SHA256
ce119bffbb0bd5a589423cce2b91f69ad75dad913f938cc66a3afb04d6763a26

SHA512
d9d3ab85ce793a23076fd858f2f91975fd6cdbcda5926c391e167afa723e52c4da5fa17600d1da2ab33fd29989acf343a02537bca7d23c9ef5a468876bb38fb6

Download Submit
C:\Windows\System32\MRXtWIF.exe

Filesize
1.9MB

MD5
1788d67eaa60879e19a957a390f11414

SHA1
0b73cef26f1d160b643ee14d39d736b5112ebf24

SHA256
8159e7074b3860f9354c710732de13db2a07ead1fb9978c31a893574f907b9b1

SHA512
b4d3cc8c5c01374a36675f7bc42e5702f9be02b78f7c264a5511e01443cb3b756294ec6f63532b24c8e57594db9d0ae13fca23636448b6a9400d51142e9f68bc

Download Submit
C:\Windows\System32\NDJFvVD.exe

Filesize
1.9MB

MD5
ef7d1304a9fc646e07d0d78e7d14609e

SHA1
92859c7afae97cb82941afc2bad3a260a6622661

SHA256
346bfde00735d2d3c6ceebf0ec5fe99554dfcda21054b8383e0b627f9143fd91

SHA512
60c979bf3902c5b7db6a98ee90e7febe0e722df144ec644d7ce4fcf058f92bf80f179a9412d4d82e3ae2ca770b07aca5f5383963e97612dbcabba9446284b305

Download Submit
C:\Windows\System32\UbgRRdG.exe

Filesize
1.9MB

MD5
52c691774630588c36ea863fc416ea66

SHA1
6dab4899d31105fa4a3f1c25a2438f98d5672844

SHA256
cabd5993a3afe4097c3fe24908e500619546be23bd8465092923b6b1adfb66f5

SHA512
44c6a7697d137c150ddd670bc5d1a81d4cfac4c89eae6d2640d53dfd18535f0336a4dc18d201a1d144efea83989c78c7c6760714a079793802e01e7699f99a2b

Download Submit
C:\Windows\System32\XGHWhgt.exe

Filesize
1.9MB

MD5
972561e182c25163ee8bd56c5532fb1d

SHA1
d8153e5da5203dfbb4ca76a66389a43e1cbce96f

SHA256
8d6cc752bee6e6966ed412d1095914f19a53eea027695b8c85412b2334300013

SHA512
a5b54ecba7c83967ec28cf69ea0bfa554ac3d6b441e0a0176132a33cad027ef84d31c4f709b537835f76cbcf2ee15fbe96bcb942255615699881e3be38e29aeb

Download Submit
C:\Windows\System32\YDNrPnA.exe

Filesize
1.9MB

MD5
a060c337fec135779c2576602962de88

SHA1
c22858a352979b0ea422e73c0770c3d199b74799

SHA256
a36eb0a68b6b7b53e8b219952a2afad2086411ef18199b2608c703b934e72bc5

SHA512
16e55c5932b73e5de9e887729b0e185ae6fe5bea1b0ddc1c8028aad8d6bc30a68bd27f534720573511f42da00a0ffaf94fcccbddd49556b94881105df5b2a26b

Download Submit
C:\Windows\System32\YGARXGN.exe

Filesize
1.9MB

MD5
23b49e6d3ea635cf364f0cb24df8e5e6

SHA1
f4f5d579f2761477ffc2c3645248afa7a5b9ecfa

SHA256
f307cac6ebd29426e11624a44d52394923703550fc87312d46dfa6e5f3968582

SHA512
da23e9b5e3a1f373899d1bbb365749cc68327e1d49e13e5c4f0775c7319ce7ffff64e4b22750c68ccd466a2d88468dc4c5657a970a140a028818e924d35195f2

Download Submit
C:\Windows\System32\YdJynjc.exe

Filesize
1.9MB

MD5
bd518a25662e648c6dfa64083bcd697a

SHA1
21ae78a62922c422661efff31247b4bb155dda6e

SHA256
51c5e1cadf99ad0d32ee8b60efeadaae1951a191d25b76751913572012489d77

SHA512
246406bbe9789ef76ec63c090a78538ee123e6f1c0a08a957f3f86969f8434090930cb7e3774b7bcd115d23c5fd06f9ac06949b5a19fac152d38517db9562654

Download Submit
C:\Windows\System32\ZXtKlPb.exe

Filesize
1.9MB

MD5
5101ea3f97539fe18cfa518eb76358b3

SHA1
27363164438005d2d6db8af58dd7f5f393e8aee5

SHA256
03f6cd0c5f39f9d166d4f46509b221e982c947bd2cb068e7966603b3f406a7d5

SHA512
481767117b0dfe407f86a4bccefd4e98294017aee8cf948f6c93d90aa6bf2f2e6915f26ffd5408d411de04d8f87f0c7082f0cb50aba82998982d1a120357f648

Download Submit
C:\Windows\System32\bUYMKdA.exe

Filesize
1.9MB

MD5
7689716dfc311fa7fca7c2479cc5b887

SHA1
4879875d0f023e05f3fc963454099809fbbf4626

SHA256
0897516e21e7be660f3fab84fb7cbdc24984f1882a876d8b3e19438d71517f69

SHA512
fd337d77226682cb9a5dfaf4a997bc7b236f80392ee034a83d95d5a49318da91067c863cb0907f2f97b400b6df38e12d44343e402452703565ebb4719b9e16b8

Download Submit
C:\Windows\System32\bqeHTDK.exe

Filesize
1.9MB

MD5
8d17c9b2a12adf6fe73ae84d35936ae4

SHA1
e5be557a20f4dcb10b2ea9702ba535ab7d20cab0

SHA256
03a92452b156fbbb71876b47001a6e9b6a1b0da8aed2ce5b6b55ceb39c65571a

SHA512
b6962c77acd9351361f9000de998c26dee5cf203c49406a24801066a809d44c4fc3f7b573881992a5aaaf3ead8444b3a48091d672c0c8505cd7099ab8413fc28

Download Submit
C:\Windows\System32\foLFsUT.exe

Filesize
1.9MB

MD5
9a9641f63087b9366796ca03f41d724d

SHA1
3b9b07d6801b6ac1f670ab08fc19d38ff24a5507

SHA256
7f126d5006921191b653b60c1f1d296a04e3f6a3f3e49eb010777681b523f22c

SHA512
ce1a797306d6333fa5637e6ff1b5755bd7f47eb2f6a2954301be7aa7b0e680df05cf14005fcaf083106b637649ccf1bf7fb76b55e87f50df21cdca35373fda4a

Download Submit
C:\Windows\System32\frEsZZX.exe

Filesize
1.9MB

MD5
6271a0fa2f957c9186de2ec1adc5a537

SHA1
28ad64a2d2c189b7ed9f1f7d332df8721d453e6a

SHA256
ad4c77d614880f25c6729a62e08f6c2f9c7a686ac232d7d77a87debbeca3a866

SHA512
42815405f439224718697cfac50f97a131c7bb7836d0cd113c5e514cad57634b39a356af6865da5c43c7bb1d26a75940d001a03d8e3bdb5eca7e838af31539e1

Download Submit
C:\Windows\System32\hKlbFpq.exe

Filesize
1.9MB

MD5
e85674930a6eee09988dea663d076e31

SHA1
9c5f21a40e1e8f234d3224832bbbf62c97862bf0

SHA256
98858cd3c1a76b5877ae8dc70cd9cf37435017c1037364bbf6739353f04ef9f5

SHA512
8708b273edb597f678d2c7fd1ca5fb495dfaa53966e3cc1889629a3d1045dbdea55d87797b041a08efdae54e5fbb8cdfaff6069770b4682c746fbb35c96c5ff5

Download Submit
C:\Windows\System32\kIpyAja.exe

Filesize
1.9MB

MD5
7723040e8b41c2eb00b9302ec8dbb6a6

SHA1
bf94aaabbc82e747239898d55153e25a84f171da

SHA256
724d45e317667185c4221cd850dd4265bb751e17f9ec995a39e8b9529d0ba991

SHA512
c0d3030189a8e1ac2210167a1289e5e1b8707108dff02ae43802f49c89ec11caceb8130757ef226cd697e033ad75fda28f9b6b5438568786a2b5300fc5c1c52a

Download Submit
C:\Windows\System32\kZTIGWL.exe

Filesize
1.9MB

MD5
d4d6dafcd54e031341bb8afd7dc33d21

SHA1
af0dcff4be54dcb7fe1ce7107ea569fc148ae701

SHA256
5551b53638306630a130afcf95e53f36d9ac3a0a6a30a12d4252b60d823b0534

SHA512
4590f521cf2a9d6a2a66d34bc99d34b457f73f652d20c4df3de10eeee3d7bf3aaf94665efda7055f1c8c40a42c8658e6b17d88f5a9e9ad7d488c04cfa7c5e9b2

Download Submit
C:\Windows\System32\kvrcgde.exe

Filesize
1.9MB

MD5
b82fdf21b7af2b67f9f671492117e1a9

SHA1
0f16759cac30260c80f9d164d0c3908f067c924c

SHA256
ff8426e53ffe8702fdd8a45980fbbafd7f090af1ebab81470ebc932382098f85

SHA512
3c6ef64df747e34deefb341cdb50d85faa53b3e4c208239c640bda3885afa75348181e23d6db814f935d9d67d7cb50c6342bc699bf3465ee68fbbaab6a708c25

Download Submit
C:\Windows\System32\lPiuoLu.exe

Filesize
1.9MB

MD5
9512dbe7d0af0c8890251b3f57de0a4c

SHA1
8c8e6c01a3ae57a4b78e26ee56e93ac6287e0a1b

SHA256
e58b46109942bdfae94bcd6f026e348dc80099be3217c8b49b0704b46a725621

SHA512
5285c3535988eb9a8430e774c66ffabf4a46929b70cd95beb1fe2d20b9c6a04592658dc5fbde5c48a2f4f7dea5cd87c02a67d43ee28f18bf1b4bb0370af59610

Download Submit
C:\Windows\System32\lgcbqxJ.exe

Filesize
1.9MB

MD5
2bda1705c6773770bc9add7590974911

SHA1
73acc9e58cea22d28339395e4550fcb53b1e9849

SHA256
035d179957d1038acb8b493c5dc37cf12774be0e3acce1e76b9dd845ca7f2d7e

SHA512
f36eca00aee15a2aab465d27e6c8873b77db527e3ad0c85b26111dfde85f4b8a4a009699423b750e17e2822b9a721063f5ebde563d6936b33aa62ec7a74f33e3

Download Submit
C:\Windows\System32\okiuBbT.exe

Filesize
1.9MB

MD5
ef41c229e770d6a050625c40bbd11b1e

SHA1
9f8671430ffab35f9b3bafbe12ceca36f4e4e583

SHA256
08d1047a35b12e0c050703ed6f8c141714d28f8eadd7009990e822511658acb0

SHA512
4dedd4f440fce12719e6dd3bb0978ef16af11cc055c10a73de466301eaf35e338e523f911fd28ff1a2c82a729da1d380d665bd73063983474d8f8df210322fdf

Download Submit
C:\Windows\System32\teNCwLh.exe

Filesize
1.9MB

MD5
c23407eda3a4107fecc76abe0bd16341

SHA1
49b798a7d2d2154881374a729dfaca03e56529db

SHA256
64cc34804fdd7090a18a49c15eda6f82222faf6b155aca722cd1b3688c1ae15f

SHA512
dd15094aa4d141ac5f27a9d15067a2b202dbe44223406ce32db8bcc14d7c22aea76d2137509ae788320550259861b50c27ac816d7983a22614d0d034c97ef6f6

Download Submit
C:\Windows\System32\uPmhJHN.exe

Filesize
1.9MB

MD5
a0f6ba36a84fe12828bcd92331d7a003

SHA1
ca401192d6d7fc22b9f37e20dfadb74d574b55ee

SHA256
5312755e8e0bac00c995c3f82ce313625d4ee235c5053dd99863532604f96495

SHA512
06eea50eb9f5ad21ec41a45e614f1db53e3381b8fb43ca528ecfbf96f6444b4d4b64c5d4a8b345c560e211fb50805d0ccd52cc0440b1958f99a6c6d0afeaae90

Download Submit
C:\Windows\System32\uTJwyNL.exe

Filesize
1.9MB

MD5
fce6d8190f0c29f3bef67d03d832a747

SHA1
298bcf45e8d2d959d42d840540f9d1a3648d27c1

SHA256
a2fb632169b897fbb2a0084514334721c514e5c58ca4551cff2122288b638f3c

SHA512
58f546f35b314643889c4f83bca9a445b65dd972d50aad0e4f27ba0980b4ebddd00bc72ab7e1136c7bb98d50bb126711619aa5622ae2a3fc6fb71c9d73cb6812

Download Submit
C:\Windows\System32\wPPiUaC.exe

Filesize
1.9MB

MD5
5f069ef35df44a38fbbeb32c9ee1015a

SHA1
546ee008a927aa847d3d009f7c9834c98bbf0c97

SHA256
87e7ed9d824d903aca2591160538954a2f338235644d81ebd0c39d4f89b2b532

SHA512
4947247a09618191b424583466cfea245d64cbc2f39a449450c29ec2c2be4569902203a3b3fed7de02d09f6d364e6aa44a9d55deda9fb09b355f053e6f971f0d

Download Submit
C:\Windows\System32\wRJVTmY.exe

Filesize
1.9MB

MD5
110148ef8f368fe242bfe0e73ad3cfd1

SHA1
fc648eec0daae0634d650c720835d63f68364b10

SHA256
261055533d2013c7c23bea5f3c0a5843945b243b0ea7ac1d6e6a9bec40957cbf

SHA512
88ed1f1705d84e9f61cecafcd66387c060c6c7088c3276dd5d9608a4c6e66df90f963becbcb66180be34f96ff3ed90adf479b0ea5267ef44bc0922699e69a8b3

Download Submit
C:\Windows\System32\xjzCTsI.exe

Filesize
1.9MB

MD5
d7324cc15864c9451ceeafa67d4f7638

SHA1
fceb9fd59916e6abd5d6679d2a51575e04a5df8c

SHA256
e15d7fba1380d73e2bb10a87530cd7e3b5546ce5ecd5cc3d0ffba3160d722f5d

SHA512
ffe0c1d7d870f748d343fffdb27bdc7639acc985465fa0adaa331ae4ac0b03faa3976e89959830087703231fa477865afc03b80b8dfa77ffd7ec803d8e2ab550

Download Submit
C:\Windows\System32\xkoGpzw.exe

Filesize
1.9MB

MD5
f4e1013c3bc2852de8f69ee75f4171b9

SHA1
2b31319d2ac6a461f0bc4ba15035188b48f8bd6a

SHA256
f0a863e5abc3d2f68b4e37fe673f45aab770d6c554fd0d6c826b2767a9a8b04b

SHA512
04e645bfd4291075e74b581a38176c6d73586b0cca4672119b3eab5ece1a8b7f6c813f382c31062933e8d2d8e61d4004a4f0b3f71012deedf4b0db5f7c0f719d

Download Submit
memory/644-2235-0x00007FF798D00000-0x00007FF7990F1000-memory.dmp

Filesize
3.9MB

Download
memory/644-519-0x00007FF798D00000-0x00007FF7990F1000-memory.dmp

Filesize
3.9MB

Download
memory/812-485-0x00007FF6B3BE0000-0x00007FF6B3FD1000-memory.dmp

Filesize
3.9MB

Download
memory/812-2189-0x00007FF6B3BE0000-0x00007FF6B3FD1000-memory.dmp

Filesize
3.9MB

Download
memory/840-2187-0x00007FF6EEFA0000-0x00007FF6EF391000-memory.dmp

Filesize
3.9MB

Download
memory/840-479-0x00007FF6EEFA0000-0x00007FF6EF391000-memory.dmp

Filesize
3.9MB

Download
memory/1088-506-0x00007FF725030000-0x00007FF725421000-memory.dmp

Filesize
3.9MB

Download
memory/1088-2244-0x00007FF725030000-0x00007FF725421000-memory.dmp

Filesize
3.9MB

Download
memory/1308-511-0x00007FF6F4DE0000-0x00007FF6F51D1000-memory.dmp

Filesize
3.9MB

Download
memory/1500-2199-0x00007FF60D740000-0x00007FF60DB31000-memory.dmp

Filesize
3.9MB

Download
memory/1500-496-0x00007FF60D740000-0x00007FF60DB31000-memory.dmp

Filesize
3.9MB

Download
memory/1624-1-0x0000020B31BE0000-0x0000020B31BF0000-memory.dmp

Filesize
64KB

Download
memory/1624-0-0x00007FF614270000-0x00007FF614661000-memory.dmp

Filesize
3.9MB

Download
memory/1624-1072-0x00007FF614270000-0x00007FF614661000-memory.dmp

Filesize
3.9MB

Download
memory/1876-1438-0x00007FF7D27E0000-0x00007FF7D2BD1000-memory.dmp

Filesize
3.9MB

Download
memory/1876-19-0x00007FF7D27E0000-0x00007FF7D2BD1000-memory.dmp

Filesize
3.9MB

Download
memory/2208-2242-0x00007FF7087C0000-0x00007FF708BB1000-memory.dmp

Filesize
3.9MB

Download
memory/2208-514-0x00007FF7087C0000-0x00007FF708BB1000-memory.dmp

Filesize
3.9MB

Download
memory/2260-510-0x00007FF7508E0000-0x00007FF750CD1000-memory.dmp

Filesize
3.9MB

Download
memory/2260-2240-0x00007FF7508E0000-0x00007FF750CD1000-memory.dmp

Filesize
3.9MB

Download
memory/2652-520-0x00007FF638FE0000-0x00007FF6393D1000-memory.dmp

Filesize
3.9MB

Download
memory/2652-2217-0x00007FF638FE0000-0x00007FF6393D1000-memory.dmp

Filesize
3.9MB

Download
memory/2784-475-0x00007FF68BE10000-0x00007FF68C201000-memory.dmp

Filesize
3.9MB

Download
memory/2784-2191-0x00007FF68BE10000-0x00007FF68C201000-memory.dmp

Filesize
3.9MB

Download
memory/2836-502-0x00007FF6691E0000-0x00007FF6695D1000-memory.dmp

Filesize
3.9MB

Download
memory/3144-2181-0x00007FF748350000-0x00007FF748741000-memory.dmp

Filesize
3.9MB

Download
memory/3144-463-0x00007FF748350000-0x00007FF748741000-memory.dmp

Filesize
3.9MB

Download
memory/3912-1075-0x00007FF61BA20000-0x00007FF61BE11000-memory.dmp

Filesize
3.9MB

Download
memory/3912-2145-0x00007FF61BA20000-0x00007FF61BE11000-memory.dmp

Filesize
3.9MB

Download
memory/3912-11-0x00007FF61BA20000-0x00007FF61BE11000-memory.dmp

Filesize
3.9MB

Download
memory/3936-2195-0x00007FF658D60000-0x00007FF659151000-memory.dmp

Filesize
3.9MB

Download
memory/3936-491-0x00007FF658D60000-0x00007FF659151000-memory.dmp

Filesize
3.9MB

Download
memory/4020-517-0x00007FF7DA3B0000-0x00007FF7DA7A1000-memory.dmp

Filesize
3.9MB

Download
memory/4020-2237-0x00007FF7DA3B0000-0x00007FF7DA7A1000-memory.dmp

Filesize
3.9MB

Download
memory/4044-2175-0x00007FF6C0CC0000-0x00007FF6C10B1000-memory.dmp

Filesize
3.9MB

Download
memory/4044-461-0x00007FF6C0CC0000-0x00007FF6C10B1000-memory.dmp

Filesize
3.9MB

Download
memory/4144-465-0x00007FF6536E0000-0x00007FF653AD1000-memory.dmp

Filesize
3.9MB

Download
memory/4144-2183-0x00007FF6536E0000-0x00007FF653AD1000-memory.dmp

Filesize
3.9MB

Download
memory/4256-494-0x00007FF7AA790000-0x00007FF7AAB81000-memory.dmp

Filesize
3.9MB

Download
memory/4256-2193-0x00007FF7AA790000-0x00007FF7AAB81000-memory.dmp

Filesize
3.9MB

Download
memory/4456-2147-0x00007FF72B9F0000-0x00007FF72BDE1000-memory.dmp

Filesize
3.9MB

Download
memory/4456-1188-0x00007FF72B9F0000-0x00007FF72BDE1000-memory.dmp

Filesize
3.9MB

Download
memory/4456-17-0x00007FF72B9F0000-0x00007FF72BDE1000-memory.dmp

Filesize
3.9MB

Download
memory/4776-1560-0x00007FF650AB0000-0x00007FF650EA1000-memory.dmp

Filesize
3.9MB

Download
memory/4776-2177-0x00007FF650AB0000-0x00007FF650EA1000-memory.dmp

Filesize
3.9MB

Download
memory/4776-30-0x00007FF650AB0000-0x00007FF650EA1000-memory.dmp

Filesize
3.9MB

Download
memory/4996-470-0x00007FF62E7F0000-0x00007FF62EBE1000-memory.dmp

Filesize
3.9MB

Download
memory/4996-2185-0x00007FF62E7F0000-0x00007FF62EBE1000-memory.dmp

Filesize
3.9MB

Download
memory/5036-2179-0x00007FF758FE0000-0x00007FF7593D1000-memory.dmp

Filesize
3.9MB

Download
memory/5036-522-0x00007FF758FE0000-0x00007FF7593D1000-memory.dmp

Filesize
3.9MB

Download
memory/5044-2197-0x00007FF7DA3E0000-0x00007FF7DA7D1000-memory.dmp

Filesize
3.9MB

Download
memory/5044-497-0x00007FF7DA3E0000-0x00007FF7DA7D1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads