xmrig | 718410e426e7e5d4aed2390b72730392df00f10dedd0b9f3cc3ced606be81ffa

Analysis

max time kernel
124s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2024, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

346f3faa5de487335ab17c38ee752610_NEAS.exe
Size

3.3MB
MD5

346f3faa5de487335ab17c38ee752610
SHA1

d7f9b01b2d6e87023f853d292f8686646208c3b4
SHA256

718410e426e7e5d4aed2390b72730392df00f10dedd0b9f3cc3ced606be81ffa
SHA512

130623258cd486679862d9e15e6a07015bd5e1ef85c816db3a983e9196aa58b2af4a2e08a5d871df33cd26718bbba364fc11c04a8c102bd634818ae3863a3d9b
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc401:NFWPClFk1

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4896-0-0x00007FF7CD0D0000-0x00007FF7CD4C5000-memory.dmp	xmrig
behavioral2/files/0x000d000000023b25-5.dat	xmrig
behavioral2/memory/756-11-0x00007FF7E9E50000-0x00007FF7EA245000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b8b-15.dat	xmrig
behavioral2/files/0x000a000000023b91-28.dat	xmrig
behavioral2/files/0x000a000000023b92-33.dat	xmrig
behavioral2/files/0x000a000000023b93-38.dat	xmrig
behavioral2/files/0x000a000000023b96-51.dat	xmrig
behavioral2/files/0x000a000000023b9b-78.dat	xmrig
behavioral2/files/0x000a000000023b9d-86.dat	xmrig
behavioral2/files/0x000a000000023b9e-93.dat	xmrig
behavioral2/files/0x000a000000023ba1-106.dat	xmrig
behavioral2/files/0x000a000000023baa-148.dat	xmrig
behavioral2/files/0x000a000000023bad-163.dat	xmrig
behavioral2/memory/4640-768-0x00007FF7E6070000-0x00007FF7E6465000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bac-158.dat	xmrig
behavioral2/files/0x000a000000023bab-153.dat	xmrig
behavioral2/files/0x000a000000023ba9-143.dat	xmrig
behavioral2/files/0x000a000000023ba8-138.dat	xmrig
behavioral2/files/0x000a000000023ba7-133.dat	xmrig
behavioral2/files/0x000a000000023ba5-128.dat	xmrig
behavioral2/files/0x000a000000023ba4-123.dat	xmrig
behavioral2/files/0x000a000000023ba3-118.dat	xmrig
behavioral2/files/0x000a000000023ba2-113.dat	xmrig
behavioral2/files/0x000a000000023ba0-103.dat	xmrig
behavioral2/files/0x000a000000023b9f-98.dat	xmrig
behavioral2/files/0x000a000000023b9c-83.dat	xmrig
behavioral2/files/0x000a000000023b9a-73.dat	xmrig
behavioral2/files/0x000a000000023b99-68.dat	xmrig
behavioral2/files/0x000a000000023b98-63.dat	xmrig
behavioral2/files/0x000a000000023b97-58.dat	xmrig
behavioral2/files/0x000a000000023b95-48.dat	xmrig
behavioral2/files/0x000a000000023b94-43.dat	xmrig
behavioral2/files/0x000a000000023b90-23.dat	xmrig
behavioral2/memory/1108-19-0x00007FF765C50000-0x00007FF766045000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b8f-16.dat	xmrig
behavioral2/memory/5044-771-0x00007FF6B3660000-0x00007FF6B3A55000-memory.dmp	xmrig
behavioral2/memory/4972-789-0x00007FF732CE0000-0x00007FF7330D5000-memory.dmp	xmrig
behavioral2/memory/4600-784-0x00007FF642AE0000-0x00007FF642ED5000-memory.dmp	xmrig
behavioral2/memory/3460-779-0x00007FF777A70000-0x00007FF777E65000-memory.dmp	xmrig
behavioral2/memory/4792-774-0x00007FF6B19C0000-0x00007FF6B1DB5000-memory.dmp	xmrig
behavioral2/memory/4140-795-0x00007FF7F8E30000-0x00007FF7F9225000-memory.dmp	xmrig
behavioral2/memory/3124-796-0x00007FF6B5DF0000-0x00007FF6B61E5000-memory.dmp	xmrig
behavioral2/memory/1840-799-0x00007FF61D3D0000-0x00007FF61D7C5000-memory.dmp	xmrig
behavioral2/memory/2416-806-0x00007FF7453E0000-0x00007FF7457D5000-memory.dmp	xmrig
behavioral2/memory/4352-813-0x00007FF7BA580000-0x00007FF7BA975000-memory.dmp	xmrig
behavioral2/memory/4644-814-0x00007FF605E00000-0x00007FF6061F5000-memory.dmp	xmrig
behavioral2/memory/3632-818-0x00007FF7F15A0000-0x00007FF7F1995000-memory.dmp	xmrig
behavioral2/memory/1920-865-0x00007FF6B39D0000-0x00007FF6B3DC5000-memory.dmp	xmrig
behavioral2/memory/3920-871-0x00007FF6AAEB0000-0x00007FF6AB2A5000-memory.dmp	xmrig
behavioral2/memory/3128-874-0x00007FF72A9B0000-0x00007FF72ADA5000-memory.dmp	xmrig
behavioral2/memory/4088-882-0x00007FF7BA230000-0x00007FF7BA625000-memory.dmp	xmrig
behavioral2/memory/3508-890-0x00007FF7AD660000-0x00007FF7ADA55000-memory.dmp	xmrig
behavioral2/memory/3540-896-0x00007FF68EEE0000-0x00007FF68F2D5000-memory.dmp	xmrig
behavioral2/memory/2696-904-0x00007FF7B24B0000-0x00007FF7B28A5000-memory.dmp	xmrig
behavioral2/memory/3768-900-0x00007FF608940000-0x00007FF608D35000-memory.dmp	xmrig
behavioral2/memory/4048-886-0x00007FF618730000-0x00007FF618B25000-memory.dmp	xmrig
behavioral2/memory/756-1910-0x00007FF7E9E50000-0x00007FF7EA245000-memory.dmp	xmrig
behavioral2/memory/756-1911-0x00007FF7E9E50000-0x00007FF7EA245000-memory.dmp	xmrig
behavioral2/memory/1108-1912-0x00007FF765C50000-0x00007FF766045000-memory.dmp	xmrig
behavioral2/memory/4640-1913-0x00007FF7E6070000-0x00007FF7E6465000-memory.dmp	xmrig
behavioral2/memory/3460-1919-0x00007FF777A70000-0x00007FF777E65000-memory.dmp	xmrig
behavioral2/memory/1840-1923-0x00007FF61D3D0000-0x00007FF61D7C5000-memory.dmp	xmrig
behavioral2/memory/4352-1922-0x00007FF7BA580000-0x00007FF7BA975000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
756	uzcbzld.exe
1108	Oenifhe.exe
4640	EgkvsYT.exe
2696	rFqFuDZ.exe
5044	pbFHGNn.exe
4792	TLuqAgs.exe
3460	FDZQuWW.exe
4600	kzGXinZ.exe
4972	hdfMPMM.exe
4140	YxfhzeX.exe
3124	NYUDBeG.exe
1840	dTIOUfB.exe
2416	cJyFhhU.exe
4352	ZPkxJLz.exe
4644	kslbdNT.exe
3632	nGSsTpN.exe
1920	iacGMbR.exe
3920	PgxTbue.exe
3128	wRChSwS.exe
4088	JdXrSUl.exe
4048	InjvSiN.exe
3508	WmtaQCp.exe
3540	dXKjxSE.exe
3768	XbcbUeH.exe
316	cvRNFrP.exe
2216	abkVnFz.exe
432	TITVXCp.exe
2956	dIbIjnD.exe
2524	nfGjWQk.exe
8	rcavZMw.exe
388	putywRU.exe
532	pJyTpoY.exe
3280	apQYntU.exe
3484	bWOEhdi.exe
3624	xaCdiFL.exe
3220	SUZMjYE.exe
436	oDVQhdw.exe
2128	FJGEBPE.exe
4940	iVeCoxY.exe
4304	TzKCaoK.exe
4332	citXPCT.exe
4208	oOjlXni.exe
3940	ESohghn.exe
3260	BNPBzdR.exe
2232	sLxCDao.exe
3452	SJynVRr.exe
1000	KnHqIvH.exe
4356	aYZHJbd.exe
4064	aaGEify.exe
1456	ZjeYDFW.exe
1476	TDzrjuY.exe
5096	ZMCwZZr.exe
2848	gYsNITb.exe
1668	VrUJelr.exe
1528	SKCxBvH.exe
4832	xWGVXrN.exe
904	WvZCBgC.exe
3000	ekMNcCW.exe
2968	SKPCDxK.exe
4560	ExbFmYr.exe
3364	QIuTfxh.exe
2584	UAUlfoy.exe
2096	bUuSMml.exe
1264	FMibuUg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4896-0-0x00007FF7CD0D0000-0x00007FF7CD4C5000-memory.dmp	upx
behavioral2/files/0x000d000000023b25-5.dat	upx
behavioral2/memory/756-11-0x00007FF7E9E50000-0x00007FF7EA245000-memory.dmp	upx
behavioral2/files/0x000b000000023b8b-15.dat	upx
behavioral2/files/0x000a000000023b91-28.dat	upx
behavioral2/files/0x000a000000023b92-33.dat	upx
behavioral2/files/0x000a000000023b93-38.dat	upx
behavioral2/files/0x000a000000023b96-51.dat	upx
behavioral2/files/0x000a000000023b9b-78.dat	upx
behavioral2/files/0x000a000000023b9d-86.dat	upx
behavioral2/files/0x000a000000023b9e-93.dat	upx
behavioral2/files/0x000a000000023ba1-106.dat	upx
behavioral2/files/0x000a000000023baa-148.dat	upx
behavioral2/files/0x000a000000023bad-163.dat	upx
behavioral2/memory/4640-768-0x00007FF7E6070000-0x00007FF7E6465000-memory.dmp	upx
behavioral2/files/0x000a000000023bac-158.dat	upx
behavioral2/files/0x000a000000023bab-153.dat	upx
behavioral2/files/0x000a000000023ba9-143.dat	upx
behavioral2/files/0x000a000000023ba8-138.dat	upx
behavioral2/files/0x000a000000023ba7-133.dat	upx
behavioral2/files/0x000a000000023ba5-128.dat	upx
behavioral2/files/0x000a000000023ba4-123.dat	upx
behavioral2/files/0x000a000000023ba3-118.dat	upx
behavioral2/files/0x000a000000023ba2-113.dat	upx
behavioral2/files/0x000a000000023ba0-103.dat	upx
behavioral2/files/0x000a000000023b9f-98.dat	upx
behavioral2/files/0x000a000000023b9c-83.dat	upx
behavioral2/files/0x000a000000023b9a-73.dat	upx
behavioral2/files/0x000a000000023b99-68.dat	upx
behavioral2/files/0x000a000000023b98-63.dat	upx
behavioral2/files/0x000a000000023b97-58.dat	upx
behavioral2/files/0x000a000000023b95-48.dat	upx
behavioral2/files/0x000a000000023b94-43.dat	upx
behavioral2/files/0x000a000000023b90-23.dat	upx
behavioral2/memory/1108-19-0x00007FF765C50000-0x00007FF766045000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-16.dat	upx
behavioral2/memory/5044-771-0x00007FF6B3660000-0x00007FF6B3A55000-memory.dmp	upx
behavioral2/memory/4972-789-0x00007FF732CE0000-0x00007FF7330D5000-memory.dmp	upx
behavioral2/memory/4600-784-0x00007FF642AE0000-0x00007FF642ED5000-memory.dmp	upx
behavioral2/memory/3460-779-0x00007FF777A70000-0x00007FF777E65000-memory.dmp	upx
behavioral2/memory/4792-774-0x00007FF6B19C0000-0x00007FF6B1DB5000-memory.dmp	upx
behavioral2/memory/4140-795-0x00007FF7F8E30000-0x00007FF7F9225000-memory.dmp	upx
behavioral2/memory/3124-796-0x00007FF6B5DF0000-0x00007FF6B61E5000-memory.dmp	upx
behavioral2/memory/1840-799-0x00007FF61D3D0000-0x00007FF61D7C5000-memory.dmp	upx
behavioral2/memory/2416-806-0x00007FF7453E0000-0x00007FF7457D5000-memory.dmp	upx
behavioral2/memory/4352-813-0x00007FF7BA580000-0x00007FF7BA975000-memory.dmp	upx
behavioral2/memory/4644-814-0x00007FF605E00000-0x00007FF6061F5000-memory.dmp	upx
behavioral2/memory/3632-818-0x00007FF7F15A0000-0x00007FF7F1995000-memory.dmp	upx
behavioral2/memory/1920-865-0x00007FF6B39D0000-0x00007FF6B3DC5000-memory.dmp	upx
behavioral2/memory/3920-871-0x00007FF6AAEB0000-0x00007FF6AB2A5000-memory.dmp	upx
behavioral2/memory/3128-874-0x00007FF72A9B0000-0x00007FF72ADA5000-memory.dmp	upx
behavioral2/memory/4088-882-0x00007FF7BA230000-0x00007FF7BA625000-memory.dmp	upx
behavioral2/memory/3508-890-0x00007FF7AD660000-0x00007FF7ADA55000-memory.dmp	upx
behavioral2/memory/3540-896-0x00007FF68EEE0000-0x00007FF68F2D5000-memory.dmp	upx
behavioral2/memory/2696-904-0x00007FF7B24B0000-0x00007FF7B28A5000-memory.dmp	upx
behavioral2/memory/3768-900-0x00007FF608940000-0x00007FF608D35000-memory.dmp	upx
behavioral2/memory/4048-886-0x00007FF618730000-0x00007FF618B25000-memory.dmp	upx
behavioral2/memory/756-1910-0x00007FF7E9E50000-0x00007FF7EA245000-memory.dmp	upx
behavioral2/memory/756-1911-0x00007FF7E9E50000-0x00007FF7EA245000-memory.dmp	upx
behavioral2/memory/1108-1912-0x00007FF765C50000-0x00007FF766045000-memory.dmp	upx
behavioral2/memory/4640-1913-0x00007FF7E6070000-0x00007FF7E6465000-memory.dmp	upx
behavioral2/memory/3460-1919-0x00007FF777A70000-0x00007FF777E65000-memory.dmp	upx
behavioral2/memory/1840-1923-0x00007FF61D3D0000-0x00007FF61D7C5000-memory.dmp	upx
behavioral2/memory/4352-1922-0x00007FF7BA580000-0x00007FF7BA975000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\CjGXkYJ.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\cmWSIgd.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\pvBCeoV.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\YJHCLDR.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\sGeOrSH.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\cJyFhhU.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\cclokEl.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\ydzotuW.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\byBSsCs.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\jWSuxvY.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\lrEOdFv.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\OvGYfwY.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\bMkQXjc.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\MMZMrye.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\MlZtveR.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\csVyZAI.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\MkdoBIX.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\WWaENwq.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\HTyOQbn.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\bYdUhfN.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\bUuSMml.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\CTUgWsX.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\lwQqUmu.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\SoHJhSR.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\jVFyDXf.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\KYsZHqJ.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\kWOnHAL.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\IVCxNwa.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\CVrKWfX.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\vAQlNLt.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\LqkEGMl.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\nNErcJn.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\YmhRqpE.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\GMqNXiw.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\cWiCQAJ.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\pKgTkXs.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\AlRbUsq.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\MBHxtAr.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\WolyKLy.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\VhOPpaY.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\oOjlXni.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\ZGIZdrE.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\onSobRc.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\XyDPLkx.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\KxPLtAV.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\AeYtNWD.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\fXVSYOU.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\UAUlfoy.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\JlxaMDt.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\NXjfaRv.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\tykqeyn.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\zWTQMaM.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\MumACkl.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\oDVQhdw.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\ESohghn.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\WvZCBgC.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\AnyHuUJ.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\SUZMjYE.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\XBWdSxf.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\ziLTXle.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\SyvCksW.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\JznmQlE.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\vQsZGPo.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe
File created	C:\Windows\System32\CNqlTUR.exe	346f3faa5de487335ab17c38ee752610_NEAS.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2932	dwm.exe
Token: SeChangeNotifyPrivilege	2932	dwm.exe
Token: 33	2932	dwm.exe
Token: SeIncBasePriorityPrivilege	2932	dwm.exe
Token: SeShutdownPrivilege	2932	dwm.exe
Token: SeCreatePagefilePrivilege	2932	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 756	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	84
PID 4896 wrote to memory of 756	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	84
PID 4896 wrote to memory of 1108	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	85
PID 4896 wrote to memory of 1108	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	85
PID 4896 wrote to memory of 4640	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	86
PID 4896 wrote to memory of 4640	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	86
PID 4896 wrote to memory of 2696	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	87
PID 4896 wrote to memory of 2696	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	87
PID 4896 wrote to memory of 5044	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	88
PID 4896 wrote to memory of 5044	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	88
PID 4896 wrote to memory of 4792	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	89
PID 4896 wrote to memory of 4792	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	89
PID 4896 wrote to memory of 3460	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	90
PID 4896 wrote to memory of 3460	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	90
PID 4896 wrote to memory of 4600	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	91
PID 4896 wrote to memory of 4600	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	91
PID 4896 wrote to memory of 4972	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	92
PID 4896 wrote to memory of 4972	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	92
PID 4896 wrote to memory of 4140	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	93
PID 4896 wrote to memory of 4140	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	93
PID 4896 wrote to memory of 3124	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	94
PID 4896 wrote to memory of 3124	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	94
PID 4896 wrote to memory of 1840	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	95
PID 4896 wrote to memory of 1840	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	95
PID 4896 wrote to memory of 2416	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	96
PID 4896 wrote to memory of 2416	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	96
PID 4896 wrote to memory of 4352	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	97
PID 4896 wrote to memory of 4352	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	97
PID 4896 wrote to memory of 4644	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	98
PID 4896 wrote to memory of 4644	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	98
PID 4896 wrote to memory of 3632	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	99
PID 4896 wrote to memory of 3632	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	99
PID 4896 wrote to memory of 1920	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	100
PID 4896 wrote to memory of 1920	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	100
PID 4896 wrote to memory of 3920	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	101
PID 4896 wrote to memory of 3920	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	101
PID 4896 wrote to memory of 3128	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	102
PID 4896 wrote to memory of 3128	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	102
PID 4896 wrote to memory of 4088	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	103
PID 4896 wrote to memory of 4088	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	103
PID 4896 wrote to memory of 4048	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	104
PID 4896 wrote to memory of 4048	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	104
PID 4896 wrote to memory of 3508	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	105
PID 4896 wrote to memory of 3508	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	105
PID 4896 wrote to memory of 3540	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	106
PID 4896 wrote to memory of 3540	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	106
PID 4896 wrote to memory of 3768	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	107
PID 4896 wrote to memory of 3768	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	107
PID 4896 wrote to memory of 316	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	108
PID 4896 wrote to memory of 316	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	108
PID 4896 wrote to memory of 2216	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	109
PID 4896 wrote to memory of 2216	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	109
PID 4896 wrote to memory of 432	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	110
PID 4896 wrote to memory of 432	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	110
PID 4896 wrote to memory of 2956	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	111
PID 4896 wrote to memory of 2956	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	111
PID 4896 wrote to memory of 2524	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	112
PID 4896 wrote to memory of 2524	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	112
PID 4896 wrote to memory of 8	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	113
PID 4896 wrote to memory of 8	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	113
PID 4896 wrote to memory of 388	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	114
PID 4896 wrote to memory of 388	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	114
PID 4896 wrote to memory of 532	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	115
PID 4896 wrote to memory of 532	4896	346f3faa5de487335ab17c38ee752610_NEAS.exe	115

C:\Users\Admin\AppData\Local\Temp\346f3faa5de487335ab17c38ee752610_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\346f3faa5de487335ab17c38ee752610_NEAS.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\System32\uzcbzld.exe
  C:\Windows\System32\uzcbzld.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\Oenifhe.exe
  C:\Windows\System32\Oenifhe.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System32\EgkvsYT.exe
  C:\Windows\System32\EgkvsYT.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\rFqFuDZ.exe
  C:\Windows\System32\rFqFuDZ.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System32\pbFHGNn.exe
  C:\Windows\System32\pbFHGNn.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System32\TLuqAgs.exe
  C:\Windows\System32\TLuqAgs.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\FDZQuWW.exe
  C:\Windows\System32\FDZQuWW.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System32\kzGXinZ.exe
  C:\Windows\System32\kzGXinZ.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\hdfMPMM.exe
  C:\Windows\System32\hdfMPMM.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System32\YxfhzeX.exe
  C:\Windows\System32\YxfhzeX.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\NYUDBeG.exe
  C:\Windows\System32\NYUDBeG.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System32\dTIOUfB.exe
  C:\Windows\System32\dTIOUfB.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System32\cJyFhhU.exe
  C:\Windows\System32\cJyFhhU.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\ZPkxJLz.exe
  C:\Windows\System32\ZPkxJLz.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\kslbdNT.exe
  C:\Windows\System32\kslbdNT.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\nGSsTpN.exe
  C:\Windows\System32\nGSsTpN.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\iacGMbR.exe
  C:\Windows\System32\iacGMbR.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\PgxTbue.exe
  C:\Windows\System32\PgxTbue.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\wRChSwS.exe
  C:\Windows\System32\wRChSwS.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System32\JdXrSUl.exe
  C:\Windows\System32\JdXrSUl.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System32\InjvSiN.exe
  C:\Windows\System32\InjvSiN.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System32\WmtaQCp.exe
  C:\Windows\System32\WmtaQCp.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System32\dXKjxSE.exe
  C:\Windows\System32\dXKjxSE.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\XbcbUeH.exe
  C:\Windows\System32\XbcbUeH.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\cvRNFrP.exe
  C:\Windows\System32\cvRNFrP.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System32\abkVnFz.exe
  C:\Windows\System32\abkVnFz.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\TITVXCp.exe
  C:\Windows\System32\TITVXCp.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\dIbIjnD.exe
  C:\Windows\System32\dIbIjnD.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\nfGjWQk.exe
  C:\Windows\System32\nfGjWQk.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System32\rcavZMw.exe
  C:\Windows\System32\rcavZMw.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System32\putywRU.exe
  C:\Windows\System32\putywRU.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System32\pJyTpoY.exe
  C:\Windows\System32\pJyTpoY.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\apQYntU.exe
  C:\Windows\System32\apQYntU.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\bWOEhdi.exe
  C:\Windows\System32\bWOEhdi.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\xaCdiFL.exe
  C:\Windows\System32\xaCdiFL.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\SUZMjYE.exe
  C:\Windows\System32\SUZMjYE.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\oDVQhdw.exe
  C:\Windows\System32\oDVQhdw.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\FJGEBPE.exe
  C:\Windows\System32\FJGEBPE.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System32\iVeCoxY.exe
  C:\Windows\System32\iVeCoxY.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System32\TzKCaoK.exe
  C:\Windows\System32\TzKCaoK.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\citXPCT.exe
  C:\Windows\System32\citXPCT.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\oOjlXni.exe
  C:\Windows\System32\oOjlXni.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System32\ESohghn.exe
  C:\Windows\System32\ESohghn.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System32\BNPBzdR.exe
  C:\Windows\System32\BNPBzdR.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\sLxCDao.exe
  C:\Windows\System32\sLxCDao.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System32\SJynVRr.exe
  C:\Windows\System32\SJynVRr.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System32\KnHqIvH.exe
  C:\Windows\System32\KnHqIvH.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System32\aYZHJbd.exe
  C:\Windows\System32\aYZHJbd.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\aaGEify.exe
  C:\Windows\System32\aaGEify.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System32\ZjeYDFW.exe
  C:\Windows\System32\ZjeYDFW.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System32\TDzrjuY.exe
  C:\Windows\System32\TDzrjuY.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System32\ZMCwZZr.exe
  C:\Windows\System32\ZMCwZZr.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\gYsNITb.exe
  C:\Windows\System32\gYsNITb.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System32\VrUJelr.exe
  C:\Windows\System32\VrUJelr.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System32\SKCxBvH.exe
  C:\Windows\System32\SKCxBvH.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\xWGVXrN.exe
  C:\Windows\System32\xWGVXrN.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System32\WvZCBgC.exe
  C:\Windows\System32\WvZCBgC.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\System32\ekMNcCW.exe
  C:\Windows\System32\ekMNcCW.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\SKPCDxK.exe
  C:\Windows\System32\SKPCDxK.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System32\ExbFmYr.exe
  C:\Windows\System32\ExbFmYr.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\QIuTfxh.exe
  C:\Windows\System32\QIuTfxh.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System32\UAUlfoy.exe
  C:\Windows\System32\UAUlfoy.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System32\bUuSMml.exe
  C:\Windows\System32\bUuSMml.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System32\FMibuUg.exe
  C:\Windows\System32\FMibuUg.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System32\QCxTDKn.exe
  C:\Windows\System32\QCxTDKn.exe
  2⤵
  PID:3652
- C:\Windows\System32\jxplFIk.exe
  C:\Windows\System32\jxplFIk.exe
  2⤵
  PID:1268
- C:\Windows\System32\BXNjGQr.exe
  C:\Windows\System32\BXNjGQr.exe
  2⤵
  PID:3196
- C:\Windows\System32\SyvCksW.exe
  C:\Windows\System32\SyvCksW.exe
  2⤵
  PID:1160
- C:\Windows\System32\CTUgWsX.exe
  C:\Windows\System32\CTUgWsX.exe
  2⤵
  PID:220
- C:\Windows\System32\ZGIZdrE.exe
  C:\Windows\System32\ZGIZdrE.exe
  2⤵
  PID:1924
- C:\Windows\System32\XRwKkDM.exe
  C:\Windows\System32\XRwKkDM.exe
  2⤵
  PID:1008
- C:\Windows\System32\FQZWgrs.exe
  C:\Windows\System32\FQZWgrs.exe
  2⤵
  PID:5108
- C:\Windows\System32\JznmQlE.exe
  C:\Windows\System32\JznmQlE.exe
  2⤵
  PID:4584
- C:\Windows\System32\ZPQtDxq.exe
  C:\Windows\System32\ZPQtDxq.exe
  2⤵
  PID:3612
- C:\Windows\System32\yvXlYbn.exe
  C:\Windows\System32\yvXlYbn.exe
  2⤵
  PID:3064
- C:\Windows\System32\edTKGxx.exe
  C:\Windows\System32\edTKGxx.exe
  2⤵
  PID:4152
- C:\Windows\System32\csVyZAI.exe
  C:\Windows\System32\csVyZAI.exe
  2⤵
  PID:3080
- C:\Windows\System32\ZcYqxIU.exe
  C:\Windows\System32\ZcYqxIU.exe
  2⤵
  PID:3008
- C:\Windows\System32\fnxChzR.exe
  C:\Windows\System32\fnxChzR.exe
  2⤵
  PID:5132
- C:\Windows\System32\imyDbkA.exe
  C:\Windows\System32\imyDbkA.exe
  2⤵
  PID:5160
- C:\Windows\System32\uNIaFhI.exe
  C:\Windows\System32\uNIaFhI.exe
  2⤵
  PID:5188
- C:\Windows\System32\xAtScmb.exe
  C:\Windows\System32\xAtScmb.exe
  2⤵
  PID:5216
- C:\Windows\System32\wPfaNHz.exe
  C:\Windows\System32\wPfaNHz.exe
  2⤵
  PID:5244
- C:\Windows\System32\IcMyaHm.exe
  C:\Windows\System32\IcMyaHm.exe
  2⤵
  PID:5272
- C:\Windows\System32\JyWmldA.exe
  C:\Windows\System32\JyWmldA.exe
  2⤵
  PID:5300
- C:\Windows\System32\PqOpalq.exe
  C:\Windows\System32\PqOpalq.exe
  2⤵
  PID:5328
- C:\Windows\System32\qqVqppc.exe
  C:\Windows\System32\qqVqppc.exe
  2⤵
  PID:5364
- C:\Windows\System32\KxMCNIq.exe
  C:\Windows\System32\KxMCNIq.exe
  2⤵
  PID:5384
- C:\Windows\System32\kuloYtJ.exe
  C:\Windows\System32\kuloYtJ.exe
  2⤵
  PID:5412
- C:\Windows\System32\aTXPvWr.exe
  C:\Windows\System32\aTXPvWr.exe
  2⤵
  PID:5440
- C:\Windows\System32\aZhMfOf.exe
  C:\Windows\System32\aZhMfOf.exe
  2⤵
  PID:5468
- C:\Windows\System32\mrSaubN.exe
  C:\Windows\System32\mrSaubN.exe
  2⤵
  PID:5496
- C:\Windows\System32\TzmglEX.exe
  C:\Windows\System32\TzmglEX.exe
  2⤵
  PID:5524
- C:\Windows\System32\WmCVvTz.exe
  C:\Windows\System32\WmCVvTz.exe
  2⤵
  PID:5552
- C:\Windows\System32\mGAthAn.exe
  C:\Windows\System32\mGAthAn.exe
  2⤵
  PID:5580
- C:\Windows\System32\JlxaMDt.exe
  C:\Windows\System32\JlxaMDt.exe
  2⤵
  PID:5608
- C:\Windows\System32\jqkxQSy.exe
  C:\Windows\System32\jqkxQSy.exe
  2⤵
  PID:5636
- C:\Windows\System32\rdRZgVB.exe
  C:\Windows\System32\rdRZgVB.exe
  2⤵
  PID:5664
- C:\Windows\System32\KggXpHx.exe
  C:\Windows\System32\KggXpHx.exe
  2⤵
  PID:5692
- C:\Windows\System32\kcJqQgq.exe
  C:\Windows\System32\kcJqQgq.exe
  2⤵
  PID:5720
- C:\Windows\System32\Htxtobb.exe
  C:\Windows\System32\Htxtobb.exe
  2⤵
  PID:5756
- C:\Windows\System32\GDsxmuQ.exe
  C:\Windows\System32\GDsxmuQ.exe
  2⤵
  PID:5776
- C:\Windows\System32\sQSUAIl.exe
  C:\Windows\System32\sQSUAIl.exe
  2⤵
  PID:5804
- C:\Windows\System32\hMOwplL.exe
  C:\Windows\System32\hMOwplL.exe
  2⤵
  PID:5832
- C:\Windows\System32\tUjNtUq.exe
  C:\Windows\System32\tUjNtUq.exe
  2⤵
  PID:5860
- C:\Windows\System32\DemZSQJ.exe
  C:\Windows\System32\DemZSQJ.exe
  2⤵
  PID:5888
- C:\Windows\System32\fHVTOtI.exe
  C:\Windows\System32\fHVTOtI.exe
  2⤵
  PID:5916
- C:\Windows\System32\cPLRXoL.exe
  C:\Windows\System32\cPLRXoL.exe
  2⤵
  PID:5944
- C:\Windows\System32\YOhakOV.exe
  C:\Windows\System32\YOhakOV.exe
  2⤵
  PID:5972
- C:\Windows\System32\nnoIDEn.exe
  C:\Windows\System32\nnoIDEn.exe
  2⤵
  PID:6000
- C:\Windows\System32\LoPqdNK.exe
  C:\Windows\System32\LoPqdNK.exe
  2⤵
  PID:6028
- C:\Windows\System32\zavrFtn.exe
  C:\Windows\System32\zavrFtn.exe
  2⤵
  PID:6064
- C:\Windows\System32\lAlkjcx.exe
  C:\Windows\System32\lAlkjcx.exe
  2⤵
  PID:6084
- C:\Windows\System32\fHWSyel.exe
  C:\Windows\System32\fHWSyel.exe
  2⤵
  PID:6112
- C:\Windows\System32\DowbcHf.exe
  C:\Windows\System32\DowbcHf.exe
  2⤵
  PID:6140
- C:\Windows\System32\fqGkywY.exe
  C:\Windows\System32\fqGkywY.exe
  2⤵
  PID:1248
- C:\Windows\System32\XltUNlA.exe
  C:\Windows\System32\XltUNlA.exe
  2⤵
  PID:4120
- C:\Windows\System32\ddomMIg.exe
  C:\Windows\System32\ddomMIg.exe
  2⤵
  PID:2104
- C:\Windows\System32\kWOnHAL.exe
  C:\Windows\System32\kWOnHAL.exe
  2⤵
  PID:5144
- C:\Windows\System32\LAXLutO.exe
  C:\Windows\System32\LAXLutO.exe
  2⤵
  PID:5176
- C:\Windows\System32\vruAWwb.exe
  C:\Windows\System32\vruAWwb.exe
  2⤵
  PID:5256
- C:\Windows\System32\UCpCDKN.exe
  C:\Windows\System32\UCpCDKN.exe
  2⤵
  PID:5324
- C:\Windows\System32\HBjyqLY.exe
  C:\Windows\System32\HBjyqLY.exe
  2⤵
  PID:5376
- C:\Windows\System32\GRzmDCA.exe
  C:\Windows\System32\GRzmDCA.exe
  2⤵
  PID:5452
- C:\Windows\System32\FknnESK.exe
  C:\Windows\System32\FknnESK.exe
  2⤵
  PID:5520
- C:\Windows\System32\FvhSDYI.exe
  C:\Windows\System32\FvhSDYI.exe
  2⤵
  PID:5568
- C:\Windows\System32\LmAKqtu.exe
  C:\Windows\System32\LmAKqtu.exe
  2⤵
  PID:5648
- C:\Windows\System32\LKkWMad.exe
  C:\Windows\System32\LKkWMad.exe
  2⤵
  PID:5732
- C:\Windows\System32\HiRCsuu.exe
  C:\Windows\System32\HiRCsuu.exe
  2⤵
  PID:5800
- C:\Windows\System32\gAIZGyI.exe
  C:\Windows\System32\gAIZGyI.exe
  2⤵
  PID:5856
- C:\Windows\System32\TlbLyGC.exe
  C:\Windows\System32\TlbLyGC.exe
  2⤵
  PID:5912
- C:\Windows\System32\TBaZVYR.exe
  C:\Windows\System32\TBaZVYR.exe
  2⤵
  PID:5996
- C:\Windows\System32\rivBolu.exe
  C:\Windows\System32\rivBolu.exe
  2⤵
  PID:6044
- C:\Windows\System32\NbloWBB.exe
  C:\Windows\System32\NbloWBB.exe
  2⤵
  PID:6108
- C:\Windows\System32\SlVfqoQ.exe
  C:\Windows\System32\SlVfqoQ.exe
  2⤵
  PID:2760
- C:\Windows\System32\ilWagVz.exe
  C:\Windows\System32\ilWagVz.exe
  2⤵
  PID:4376
- C:\Windows\System32\wuuMUEl.exe
  C:\Windows\System32\wuuMUEl.exe
  2⤵
  PID:5232
- C:\Windows\System32\ndNFopM.exe
  C:\Windows\System32\ndNFopM.exe
  2⤵
  PID:5352
- C:\Windows\System32\jqjElOj.exe
  C:\Windows\System32\jqjElOj.exe
  2⤵
  PID:5548
- C:\Windows\System32\WUNSvat.exe
  C:\Windows\System32\WUNSvat.exe
  2⤵
  PID:5688
- C:\Windows\System32\UblwvEG.exe
  C:\Windows\System32\UblwvEG.exe
  2⤵
  PID:5820
- C:\Windows\System32\rHLZaYK.exe
  C:\Windows\System32\rHLZaYK.exe
  2⤵
  PID:6016
- C:\Windows\System32\vnEDSMB.exe
  C:\Windows\System32\vnEDSMB.exe
  2⤵
  PID:3140
- C:\Windows\System32\RqaHusp.exe
  C:\Windows\System32\RqaHusp.exe
  2⤵
  PID:5184
- C:\Windows\System32\AVDQTuI.exe
  C:\Windows\System32\AVDQTuI.exe
  2⤵
  PID:6156
- C:\Windows\System32\PfJWEdH.exe
  C:\Windows\System32\PfJWEdH.exe
  2⤵
  PID:6184
- C:\Windows\System32\NEQkfpg.exe
  C:\Windows\System32\NEQkfpg.exe
  2⤵
  PID:6212
- C:\Windows\System32\KFgHnDI.exe
  C:\Windows\System32\KFgHnDI.exe
  2⤵
  PID:6240
- C:\Windows\System32\uNRSNiV.exe
  C:\Windows\System32\uNRSNiV.exe
  2⤵
  PID:6268
- C:\Windows\System32\CjGXkYJ.exe
  C:\Windows\System32\CjGXkYJ.exe
  2⤵
  PID:6296
- C:\Windows\System32\JzGcpLi.exe
  C:\Windows\System32\JzGcpLi.exe
  2⤵
  PID:6324
- C:\Windows\System32\UfKChro.exe
  C:\Windows\System32\UfKChro.exe
  2⤵
  PID:6352
- C:\Windows\System32\CLoCbzk.exe
  C:\Windows\System32\CLoCbzk.exe
  2⤵
  PID:6380
- C:\Windows\System32\dbDcNhB.exe
  C:\Windows\System32\dbDcNhB.exe
  2⤵
  PID:6408
- C:\Windows\System32\ROjDgrE.exe
  C:\Windows\System32\ROjDgrE.exe
  2⤵
  PID:6436
- C:\Windows\System32\BDfaGBo.exe
  C:\Windows\System32\BDfaGBo.exe
  2⤵
  PID:6464
- C:\Windows\System32\UHXbDyx.exe
  C:\Windows\System32\UHXbDyx.exe
  2⤵
  PID:6492
- C:\Windows\System32\YmhRqpE.exe
  C:\Windows\System32\YmhRqpE.exe
  2⤵
  PID:6520
- C:\Windows\System32\KDqiqmt.exe
  C:\Windows\System32\KDqiqmt.exe
  2⤵
  PID:6548
- C:\Windows\System32\IVCxNwa.exe
  C:\Windows\System32\IVCxNwa.exe
  2⤵
  PID:6576
- C:\Windows\System32\dVQpIGq.exe
  C:\Windows\System32\dVQpIGq.exe
  2⤵
  PID:6604
- C:\Windows\System32\QzBklby.exe
  C:\Windows\System32\QzBklby.exe
  2⤵
  PID:6640
- C:\Windows\System32\saDKStR.exe
  C:\Windows\System32\saDKStR.exe
  2⤵
  PID:6668
- C:\Windows\System32\gVYeKot.exe
  C:\Windows\System32\gVYeKot.exe
  2⤵
  PID:6700
- C:\Windows\System32\rePCFKG.exe
  C:\Windows\System32\rePCFKG.exe
  2⤵
  PID:6716
- C:\Windows\System32\iaBBnIm.exe
  C:\Windows\System32\iaBBnIm.exe
  2⤵
  PID:6752
- C:\Windows\System32\lomUIGm.exe
  C:\Windows\System32\lomUIGm.exe
  2⤵
  PID:6772
- C:\Windows\System32\CVrKWfX.exe
  C:\Windows\System32\CVrKWfX.exe
  2⤵
  PID:6808
- C:\Windows\System32\lwQqUmu.exe
  C:\Windows\System32\lwQqUmu.exe
  2⤵
  PID:6836
- C:\Windows\System32\fGCiiQv.exe
  C:\Windows\System32\fGCiiQv.exe
  2⤵
  PID:6864
- C:\Windows\System32\isMWuDX.exe
  C:\Windows\System32\isMWuDX.exe
  2⤵
  PID:6884
- C:\Windows\System32\QPzYmOn.exe
  C:\Windows\System32\QPzYmOn.exe
  2⤵
  PID:6912
- C:\Windows\System32\kYZKTza.exe
  C:\Windows\System32\kYZKTza.exe
  2⤵
  PID:6940
- C:\Windows\System32\SatjtqP.exe
  C:\Windows\System32\SatjtqP.exe
  2⤵
  PID:6968
- C:\Windows\System32\PUBttOu.exe
  C:\Windows\System32\PUBttOu.exe
  2⤵
  PID:7008
- C:\Windows\System32\onSobRc.exe
  C:\Windows\System32\onSobRc.exe
  2⤵
  PID:7032
- C:\Windows\System32\KMsYVuS.exe
  C:\Windows\System32\KMsYVuS.exe
  2⤵
  PID:7060
- C:\Windows\System32\heTQHGa.exe
  C:\Windows\System32\heTQHGa.exe
  2⤵
  PID:7088
- C:\Windows\System32\YVGPnxC.exe
  C:\Windows\System32\YVGPnxC.exe
  2⤵
  PID:7108
- C:\Windows\System32\YKWeCLD.exe
  C:\Windows\System32\YKWeCLD.exe
  2⤵
  PID:7136
- C:\Windows\System32\OuXJBFd.exe
  C:\Windows\System32\OuXJBFd.exe
  2⤵
  PID:7164
- C:\Windows\System32\bhUNSXT.exe
  C:\Windows\System32\bhUNSXT.exe
  2⤵
  PID:908
- C:\Windows\System32\MkdoBIX.exe
  C:\Windows\System32\MkdoBIX.exe
  2⤵
  PID:6136
- C:\Windows\System32\yKGRKVZ.exe
  C:\Windows\System32\yKGRKVZ.exe
  2⤵
  PID:5424
- C:\Windows\System32\WIehzUl.exe
  C:\Windows\System32\WIehzUl.exe
  2⤵
  PID:6228
- C:\Windows\System32\NvMIxcg.exe
  C:\Windows\System32\NvMIxcg.exe
  2⤵
  PID:6292
- C:\Windows\System32\tcIROTI.exe
  C:\Windows\System32\tcIROTI.exe
  2⤵
  PID:6348
- C:\Windows\System32\GubhpOR.exe
  C:\Windows\System32\GubhpOR.exe
  2⤵
  PID:6420
- C:\Windows\System32\SkJgGJi.exe
  C:\Windows\System32\SkJgGJi.exe
  2⤵
  PID:6504
- C:\Windows\System32\Ugqijgz.exe
  C:\Windows\System32\Ugqijgz.exe
  2⤵
  PID:6536
- C:\Windows\System32\VmNEvXj.exe
  C:\Windows\System32\VmNEvXj.exe
  2⤵
  PID:6616
- C:\Windows\System32\kXPCFOd.exe
  C:\Windows\System32\kXPCFOd.exe
  2⤵
  PID:6680
- C:\Windows\System32\lYkHxGi.exe
  C:\Windows\System32\lYkHxGi.exe
  2⤵
  PID:6732
- C:\Windows\System32\JaNtogY.exe
  C:\Windows\System32\JaNtogY.exe
  2⤵
  PID:6804
- C:\Windows\System32\wHyXhtk.exe
  C:\Windows\System32\wHyXhtk.exe
  2⤵
  PID:6900
- C:\Windows\System32\CxYLnUt.exe
  C:\Windows\System32\CxYLnUt.exe
  2⤵
  PID:6936
- C:\Windows\System32\BgDyYvb.exe
  C:\Windows\System32\BgDyYvb.exe
  2⤵
  PID:6992
- C:\Windows\System32\fpeowTb.exe
  C:\Windows\System32\fpeowTb.exe
  2⤵
  PID:7056
- C:\Windows\System32\suHXRcY.exe
  C:\Windows\System32\suHXRcY.exe
  2⤵
  PID:7120
- C:\Windows\System32\sWTHeAg.exe
  C:\Windows\System32\sWTHeAg.exe
  2⤵
  PID:5596
- C:\Windows\System32\cLEXJcH.exe
  C:\Windows\System32\cLEXJcH.exe
  2⤵
  PID:4536
- C:\Windows\System32\cDEjcER.exe
  C:\Windows\System32\cDEjcER.exe
  2⤵
  PID:4532
- C:\Windows\System32\UsMzJHq.exe
  C:\Windows\System32\UsMzJHq.exe
  2⤵
  PID:6396
- C:\Windows\System32\HByUBCn.exe
  C:\Windows\System32\HByUBCn.exe
  2⤵
  PID:6544
- C:\Windows\System32\opSLbvI.exe
  C:\Windows\System32\opSLbvI.exe
  2⤵
  PID:6664
- C:\Windows\System32\QfWoqoW.exe
  C:\Windows\System32\QfWoqoW.exe
  2⤵
  PID:6784
- C:\Windows\System32\CFGriKe.exe
  C:\Windows\System32\CFGriKe.exe
  2⤵
  PID:6924
- C:\Windows\System32\NdcQHuy.exe
  C:\Windows\System32\NdcQHuy.exe
  2⤵
  PID:7028
- C:\Windows\System32\cnJVFPh.exe
  C:\Windows\System32\cnJVFPh.exe
  2⤵
  PID:7152
- C:\Windows\System32\NXjfaRv.exe
  C:\Windows\System32\NXjfaRv.exe
  2⤵
  PID:6236
- C:\Windows\System32\xQLfTro.exe
  C:\Windows\System32\xQLfTro.exe
  2⤵
  PID:7188
- C:\Windows\System32\lsHygtD.exe
  C:\Windows\System32\lsHygtD.exe
  2⤵
  PID:7216
- C:\Windows\System32\YQGPAdK.exe
  C:\Windows\System32\YQGPAdK.exe
  2⤵
  PID:7244
- C:\Windows\System32\bmdPazE.exe
  C:\Windows\System32\bmdPazE.exe
  2⤵
  PID:7272
- C:\Windows\System32\alPgVhB.exe
  C:\Windows\System32\alPgVhB.exe
  2⤵
  PID:7300
- C:\Windows\System32\fNFPqop.exe
  C:\Windows\System32\fNFPqop.exe
  2⤵
  PID:7328
- C:\Windows\System32\uxmmuUN.exe
  C:\Windows\System32\uxmmuUN.exe
  2⤵
  PID:7356
- C:\Windows\System32\omkbuqP.exe
  C:\Windows\System32\omkbuqP.exe
  2⤵
  PID:7392
- C:\Windows\System32\RSCwwuc.exe
  C:\Windows\System32\RSCwwuc.exe
  2⤵
  PID:7412
- C:\Windows\System32\aNwgtIU.exe
  C:\Windows\System32\aNwgtIU.exe
  2⤵
  PID:7440
- C:\Windows\System32\JCyeXur.exe
  C:\Windows\System32\JCyeXur.exe
  2⤵
  PID:7476
- C:\Windows\System32\kwDgEPS.exe
  C:\Windows\System32\kwDgEPS.exe
  2⤵
  PID:7496
- C:\Windows\System32\LpflEMn.exe
  C:\Windows\System32\LpflEMn.exe
  2⤵
  PID:7524
- C:\Windows\System32\vAQlNLt.exe
  C:\Windows\System32\vAQlNLt.exe
  2⤵
  PID:7552
- C:\Windows\System32\umCkdqm.exe
  C:\Windows\System32\umCkdqm.exe
  2⤵
  PID:7580
- C:\Windows\System32\eFxGhCc.exe
  C:\Windows\System32\eFxGhCc.exe
  2⤵
  PID:7608
- C:\Windows\System32\NgHdKdx.exe
  C:\Windows\System32\NgHdKdx.exe
  2⤵
  PID:7636
- C:\Windows\System32\ywGOgUF.exe
  C:\Windows\System32\ywGOgUF.exe
  2⤵
  PID:7664
- C:\Windows\System32\CiuMwHz.exe
  C:\Windows\System32\CiuMwHz.exe
  2⤵
  PID:7692
- C:\Windows\System32\fjcfcxI.exe
  C:\Windows\System32\fjcfcxI.exe
  2⤵
  PID:7720
- C:\Windows\System32\cSIbcox.exe
  C:\Windows\System32\cSIbcox.exe
  2⤵
  PID:7748
- C:\Windows\System32\YBltFna.exe
  C:\Windows\System32\YBltFna.exe
  2⤵
  PID:7776
- C:\Windows\System32\DqzRzvK.exe
  C:\Windows\System32\DqzRzvK.exe
  2⤵
  PID:7804
- C:\Windows\System32\GlfPlFL.exe
  C:\Windows\System32\GlfPlFL.exe
  2⤵
  PID:7832
- C:\Windows\System32\lUvuNiq.exe
  C:\Windows\System32\lUvuNiq.exe
  2⤵
  PID:7908
- C:\Windows\System32\XBWdSxf.exe
  C:\Windows\System32\XBWdSxf.exe
  2⤵
  PID:7928
- C:\Windows\System32\UeLvpuJ.exe
  C:\Windows\System32\UeLvpuJ.exe
  2⤵
  PID:7964
- C:\Windows\System32\cclokEl.exe
  C:\Windows\System32\cclokEl.exe
  2⤵
  PID:7992
- C:\Windows\System32\xlniBrc.exe
  C:\Windows\System32\xlniBrc.exe
  2⤵
  PID:8008
- C:\Windows\System32\GMqNXiw.exe
  C:\Windows\System32\GMqNXiw.exe
  2⤵
  PID:8060
- C:\Windows\System32\SNRGrLz.exe
  C:\Windows\System32\SNRGrLz.exe
  2⤵
  PID:8116
- C:\Windows\System32\vFhTFuz.exe
  C:\Windows\System32\vFhTFuz.exe
  2⤵
  PID:8136
- C:\Windows\System32\kKxVQtb.exe
  C:\Windows\System32\kKxVQtb.exe
  2⤵
  PID:8156
- C:\Windows\System32\SIdfvuy.exe
  C:\Windows\System32\SIdfvuy.exe
  2⤵
  PID:6340
- C:\Windows\System32\SvWGHOd.exe
  C:\Windows\System32\SvWGHOd.exe
  2⤵
  PID:4052
- C:\Windows\System32\PLWLgFn.exe
  C:\Windows\System32\PLWLgFn.exe
  2⤵
  PID:7048
- C:\Windows\System32\nXkXjQM.exe
  C:\Windows\System32\nXkXjQM.exe
  2⤵
  PID:7176
- C:\Windows\System32\cnJMJrQ.exe
  C:\Windows\System32\cnJMJrQ.exe
  2⤵
  PID:7204
- C:\Windows\System32\DzqhsDw.exe
  C:\Windows\System32\DzqhsDw.exe
  2⤵
  PID:2124
- C:\Windows\System32\WRTrQfp.exe
  C:\Windows\System32\WRTrQfp.exe
  2⤵
  PID:3148
- C:\Windows\System32\WaiGxlU.exe
  C:\Windows\System32\WaiGxlU.exe
  2⤵
  PID:7388
- C:\Windows\System32\ExlHznA.exe
  C:\Windows\System32\ExlHznA.exe
  2⤵
  PID:2356
- C:\Windows\System32\XPMJjVF.exe
  C:\Windows\System32\XPMJjVF.exe
  2⤵
  PID:7472
- C:\Windows\System32\hyNoEoz.exe
  C:\Windows\System32\hyNoEoz.exe
  2⤵
  PID:5104
- C:\Windows\System32\CUCVNty.exe
  C:\Windows\System32\CUCVNty.exe
  2⤵
  PID:7536
- C:\Windows\System32\GAAGTjc.exe
  C:\Windows\System32\GAAGTjc.exe
  2⤵
  PID:7596
- C:\Windows\System32\UfefuGv.exe
  C:\Windows\System32\UfefuGv.exe
  2⤵
  PID:7648
- C:\Windows\System32\uAOSwkq.exe
  C:\Windows\System32\uAOSwkq.exe
  2⤵
  PID:4452
- C:\Windows\System32\SoHJhSR.exe
  C:\Windows\System32\SoHJhSR.exe
  2⤵
  PID:1952
- C:\Windows\System32\PbSHpkm.exe
  C:\Windows\System32\PbSHpkm.exe
  2⤵
  PID:4404
- C:\Windows\System32\CPxgiHE.exe
  C:\Windows\System32\CPxgiHE.exe
  2⤵
  PID:7788
- C:\Windows\System32\sJlYxsu.exe
  C:\Windows\System32\sJlYxsu.exe
  2⤵
  PID:4440
- C:\Windows\System32\YdrtDva.exe
  C:\Windows\System32\YdrtDva.exe
  2⤵
  PID:2288
- C:\Windows\System32\qieAOtt.exe
  C:\Windows\System32\qieAOtt.exe
  2⤵
  PID:4776
- C:\Windows\System32\jVFyDXf.exe
  C:\Windows\System32\jVFyDXf.exe
  2⤵
  PID:7904
- C:\Windows\System32\pIokOnV.exe
  C:\Windows\System32\pIokOnV.exe
  2⤵
  PID:7944
- C:\Windows\System32\CCSeaJo.exe
  C:\Windows\System32\CCSeaJo.exe
  2⤵
  PID:8132
- C:\Windows\System32\zbiIXyC.exe
  C:\Windows\System32\zbiIXyC.exe
  2⤵
  PID:8180
- C:\Windows\System32\cXMPpCt.exe
  C:\Windows\System32\cXMPpCt.exe
  2⤵
  PID:4324
- C:\Windows\System32\SdrRzki.exe
  C:\Windows\System32\SdrRzki.exe
  2⤵
  PID:3556
- C:\Windows\System32\vBkaPaI.exe
  C:\Windows\System32\vBkaPaI.exe
  2⤵
  PID:7256
- C:\Windows\System32\koahHue.exe
  C:\Windows\System32\koahHue.exe
  2⤵
  PID:7368
- C:\Windows\System32\OvGYfwY.exe
  C:\Windows\System32\OvGYfwY.exe
  2⤵
  PID:7456
- C:\Windows\System32\rKSAijx.exe
  C:\Windows\System32\rKSAijx.exe
  2⤵
  PID:7512
- C:\Windows\System32\mVGXlcf.exe
  C:\Windows\System32\mVGXlcf.exe
  2⤵
  PID:3236
- C:\Windows\System32\PEisdwz.exe
  C:\Windows\System32\PEisdwz.exe
  2⤵
  PID:2404
- C:\Windows\System32\tqMIJhN.exe
  C:\Windows\System32\tqMIJhN.exe
  2⤵
  PID:3132
- C:\Windows\System32\eCnqNSU.exe
  C:\Windows\System32\eCnqNSU.exe
  2⤵
  PID:8188
- C:\Windows\System32\CuHjmfF.exe
  C:\Windows\System32\CuHjmfF.exe
  2⤵
  PID:8048
- C:\Windows\System32\iydYKmK.exe
  C:\Windows\System32\iydYKmK.exe
  2⤵
  PID:1656
- C:\Windows\System32\YFrCVtj.exe
  C:\Windows\System32\YFrCVtj.exe
  2⤵
  PID:528
- C:\Windows\System32\cmWSIgd.exe
  C:\Windows\System32\cmWSIgd.exe
  2⤵
  PID:7704
- C:\Windows\System32\sCLMCCL.exe
  C:\Windows\System32\sCLMCCL.exe
  2⤵
  PID:7988
- C:\Windows\System32\ppgCZyt.exe
  C:\Windows\System32\ppgCZyt.exe
  2⤵
  PID:7268
- C:\Windows\System32\bhldwbg.exe
  C:\Windows\System32\bhldwbg.exe
  2⤵
  PID:7212
- C:\Windows\System32\GzsOTQN.exe
  C:\Windows\System32\GzsOTQN.exe
  2⤵
  PID:4228
- C:\Windows\System32\ydzotuW.exe
  C:\Windows\System32\ydzotuW.exe
  2⤵
  PID:7800
- C:\Windows\System32\vvDaPrI.exe
  C:\Windows\System32\vvDaPrI.exe
  2⤵
  PID:7972
- C:\Windows\System32\coUhSeX.exe
  C:\Windows\System32\coUhSeX.exe
  2⤵
  PID:8080
- C:\Windows\System32\DnzWyfw.exe
  C:\Windows\System32\DnzWyfw.exe
  2⤵
  PID:8216
- C:\Windows\System32\ztXIrjs.exe
  C:\Windows\System32\ztXIrjs.exe
  2⤵
  PID:8244
- C:\Windows\System32\udwPyvv.exe
  C:\Windows\System32\udwPyvv.exe
  2⤵
  PID:8280
- C:\Windows\System32\VCiuNmD.exe
  C:\Windows\System32\VCiuNmD.exe
  2⤵
  PID:8312
- C:\Windows\System32\qePvWHU.exe
  C:\Windows\System32\qePvWHU.exe
  2⤵
  PID:8336
- C:\Windows\System32\pCeIBlS.exe
  C:\Windows\System32\pCeIBlS.exe
  2⤵
  PID:8352
- C:\Windows\System32\ChlQjFV.exe
  C:\Windows\System32\ChlQjFV.exe
  2⤵
  PID:8368
- C:\Windows\System32\GVSjfIE.exe
  C:\Windows\System32\GVSjfIE.exe
  2⤵
  PID:8432
- C:\Windows\System32\mIOyyzD.exe
  C:\Windows\System32\mIOyyzD.exe
  2⤵
  PID:8448
- C:\Windows\System32\VYkGFbQ.exe
  C:\Windows\System32\VYkGFbQ.exe
  2⤵
  PID:8464
- C:\Windows\System32\vQsZGPo.exe
  C:\Windows\System32\vQsZGPo.exe
  2⤵
  PID:8492
- C:\Windows\System32\MAmxIbA.exe
  C:\Windows\System32\MAmxIbA.exe
  2⤵
  PID:8532
- C:\Windows\System32\beMVzdd.exe
  C:\Windows\System32\beMVzdd.exe
  2⤵
  PID:8552
- C:\Windows\System32\ZnIquge.exe
  C:\Windows\System32\ZnIquge.exe
  2⤵
  PID:8580
- C:\Windows\System32\TVTaNwT.exe
  C:\Windows\System32\TVTaNwT.exe
  2⤵
  PID:8604
- C:\Windows\System32\rnmfdbS.exe
  C:\Windows\System32\rnmfdbS.exe
  2⤵
  PID:8620
- C:\Windows\System32\JUIquNz.exe
  C:\Windows\System32\JUIquNz.exe
  2⤵
  PID:8684
- C:\Windows\System32\lqOCzij.exe
  C:\Windows\System32\lqOCzij.exe
  2⤵
  PID:8700
- C:\Windows\System32\nLHCgAP.exe
  C:\Windows\System32\nLHCgAP.exe
  2⤵
  PID:8728
- C:\Windows\System32\VjmLGiJ.exe
  C:\Windows\System32\VjmLGiJ.exe
  2⤵
  PID:8760
- C:\Windows\System32\FeYTHUY.exe
  C:\Windows\System32\FeYTHUY.exe
  2⤵
  PID:8784
- C:\Windows\System32\LkRpJTW.exe
  C:\Windows\System32\LkRpJTW.exe
  2⤵
  PID:8812
- C:\Windows\System32\bMiYuyS.exe
  C:\Windows\System32\bMiYuyS.exe
  2⤵
  PID:8860
- C:\Windows\System32\SkFYVmE.exe
  C:\Windows\System32\SkFYVmE.exe
  2⤵
  PID:8876
- C:\Windows\System32\gKIyyUS.exe
  C:\Windows\System32\gKIyyUS.exe
  2⤵
  PID:8908
- C:\Windows\System32\Ewhbngy.exe
  C:\Windows\System32\Ewhbngy.exe
  2⤵
  PID:8936
- C:\Windows\System32\hSLIBLj.exe
  C:\Windows\System32\hSLIBLj.exe
  2⤵
  PID:8968
- C:\Windows\System32\QFpvuHT.exe
  C:\Windows\System32\QFpvuHT.exe
  2⤵
  PID:8996
- C:\Windows\System32\wTMNdfl.exe
  C:\Windows\System32\wTMNdfl.exe
  2⤵
  PID:9024
- C:\Windows\System32\oiJhejW.exe
  C:\Windows\System32\oiJhejW.exe
  2⤵
  PID:9052
- C:\Windows\System32\TRlHIyK.exe
  C:\Windows\System32\TRlHIyK.exe
  2⤵
  PID:9072
- C:\Windows\System32\KYsZHqJ.exe
  C:\Windows\System32\KYsZHqJ.exe
  2⤵
  PID:9108
- C:\Windows\System32\XylULag.exe
  C:\Windows\System32\XylULag.exe
  2⤵
  PID:9124
- C:\Windows\System32\MBMHQdN.exe
  C:\Windows\System32\MBMHQdN.exe
  2⤵
  PID:9140
- C:\Windows\System32\ynjyLPg.exe
  C:\Windows\System32\ynjyLPg.exe
  2⤵
  PID:9164
- C:\Windows\System32\gZvDSFs.exe
  C:\Windows\System32\gZvDSFs.exe
  2⤵
  PID:8204
- C:\Windows\System32\bXLSeJm.exe
  C:\Windows\System32\bXLSeJm.exe
  2⤵
  PID:8196
- C:\Windows\System32\qlWhVvZ.exe
  C:\Windows\System32\qlWhVvZ.exe
  2⤵
  PID:8292
- C:\Windows\System32\cWiCQAJ.exe
  C:\Windows\System32\cWiCQAJ.exe
  2⤵
  PID:8344
- C:\Windows\System32\kJmvgun.exe
  C:\Windows\System32\kJmvgun.exe
  2⤵
  PID:8444
- C:\Windows\System32\vJVTGhl.exe
  C:\Windows\System32\vJVTGhl.exe
  2⤵
  PID:8504
- C:\Windows\System32\ToZLWce.exe
  C:\Windows\System32\ToZLWce.exe
  2⤵
  PID:8568
- C:\Windows\System32\drCHMii.exe
  C:\Windows\System32\drCHMii.exe
  2⤵
  PID:8616
- C:\Windows\System32\xBsrBIp.exe
  C:\Windows\System32\xBsrBIp.exe
  2⤵
  PID:8696
- C:\Windows\System32\bMkQXjc.exe
  C:\Windows\System32\bMkQXjc.exe
  2⤵
  PID:8752
- C:\Windows\System32\yXsPjLb.exe
  C:\Windows\System32\yXsPjLb.exe
  2⤵
  PID:8796
- C:\Windows\System32\sHqAUMR.exe
  C:\Windows\System32\sHqAUMR.exe
  2⤵
  PID:8888
- C:\Windows\System32\XlizFUD.exe
  C:\Windows\System32\XlizFUD.exe
  2⤵
  PID:8956
- C:\Windows\System32\VAWikGb.exe
  C:\Windows\System32\VAWikGb.exe
  2⤵
  PID:9020
- C:\Windows\System32\XhjPdCd.exe
  C:\Windows\System32\XhjPdCd.exe
  2⤵
  PID:9060
- C:\Windows\System32\nCjJOud.exe
  C:\Windows\System32\nCjJOud.exe
  2⤵
  PID:9132
- C:\Windows\System32\HEvOgzA.exe
  C:\Windows\System32\HEvOgzA.exe
  2⤵
  PID:9180
- C:\Windows\System32\HAwUfEW.exe
  C:\Windows\System32\HAwUfEW.exe
  2⤵
  PID:8324
- C:\Windows\System32\TgSgaEq.exe
  C:\Windows\System32\TgSgaEq.exe
  2⤵
  PID:8472
- C:\Windows\System32\xWHWoqt.exe
  C:\Windows\System32\xWHWoqt.exe
  2⤵
  PID:8612
- C:\Windows\System32\oafLkuJ.exe
  C:\Windows\System32\oafLkuJ.exe
  2⤵
  PID:8712
- C:\Windows\System32\rwtBpUF.exe
  C:\Windows\System32\rwtBpUF.exe
  2⤵
  PID:8924
- C:\Windows\System32\YeJeGYt.exe
  C:\Windows\System32\YeJeGYt.exe
  2⤵
  PID:9080
- C:\Windows\System32\jHIFBor.exe
  C:\Windows\System32\jHIFBor.exe
  2⤵
  PID:8232
- C:\Windows\System32\oUypMuY.exe
  C:\Windows\System32\oUypMuY.exe
  2⤵
  PID:8588
- C:\Windows\System32\WQtuiJd.exe
  C:\Windows\System32\WQtuiJd.exe
  2⤵
  PID:8872
- C:\Windows\System32\QPKdfoK.exe
  C:\Windows\System32\QPKdfoK.exe
  2⤵
  PID:8380
- C:\Windows\System32\ziLTXle.exe
  C:\Windows\System32\ziLTXle.exe
  2⤵
  PID:8832
- C:\Windows\System32\FgxxXFS.exe
  C:\Windows\System32\FgxxXFS.exe
  2⤵
  PID:9204
- C:\Windows\System32\kBLCSCn.exe
  C:\Windows\System32\kBLCSCn.exe
  2⤵
  PID:9244
- C:\Windows\System32\JWugfXK.exe
  C:\Windows\System32\JWugfXK.exe
  2⤵
  PID:9260
- C:\Windows\System32\wYAAMex.exe
  C:\Windows\System32\wYAAMex.exe
  2⤵
  PID:9300
- C:\Windows\System32\RynBFOL.exe
  C:\Windows\System32\RynBFOL.exe
  2⤵
  PID:9328
- C:\Windows\System32\UTFPfjt.exe
  C:\Windows\System32\UTFPfjt.exe
  2⤵
  PID:9360
- C:\Windows\System32\cLLopnv.exe
  C:\Windows\System32\cLLopnv.exe
  2⤵
  PID:9396
- C:\Windows\System32\EVpYqce.exe
  C:\Windows\System32\EVpYqce.exe
  2⤵
  PID:9424
- C:\Windows\System32\YuArCwr.exe
  C:\Windows\System32\YuArCwr.exe
  2⤵
  PID:9464
- C:\Windows\System32\pPpUZbW.exe
  C:\Windows\System32\pPpUZbW.exe
  2⤵
  PID:9492
- C:\Windows\System32\xTemcpd.exe
  C:\Windows\System32\xTemcpd.exe
  2⤵
  PID:9532
- C:\Windows\System32\alwrCFr.exe
  C:\Windows\System32\alwrCFr.exe
  2⤵
  PID:9572
- C:\Windows\System32\hyOjJBh.exe
  C:\Windows\System32\hyOjJBh.exe
  2⤵
  PID:9600
- C:\Windows\System32\ZnycRSx.exe
  C:\Windows\System32\ZnycRSx.exe
  2⤵
  PID:9628
- C:\Windows\System32\LbcBHoi.exe
  C:\Windows\System32\LbcBHoi.exe
  2⤵
  PID:9656
- C:\Windows\System32\hlehatG.exe
  C:\Windows\System32\hlehatG.exe
  2⤵
  PID:9688
- C:\Windows\System32\WgdXHDO.exe
  C:\Windows\System32\WgdXHDO.exe
  2⤵
  PID:9716
- C:\Windows\System32\kKpSiFX.exe
  C:\Windows\System32\kKpSiFX.exe
  2⤵
  PID:9744
- C:\Windows\System32\WRDJclv.exe
  C:\Windows\System32\WRDJclv.exe
  2⤵
  PID:9772
- C:\Windows\System32\SngcCup.exe
  C:\Windows\System32\SngcCup.exe
  2⤵
  PID:9800
- C:\Windows\System32\Vmwxcmf.exe
  C:\Windows\System32\Vmwxcmf.exe
  2⤵
  PID:9816
- C:\Windows\System32\lXpulZG.exe
  C:\Windows\System32\lXpulZG.exe
  2⤵
  PID:9856
- C:\Windows\System32\mvSGsia.exe
  C:\Windows\System32\mvSGsia.exe
  2⤵
  PID:9884
- C:\Windows\System32\eRocYzr.exe
  C:\Windows\System32\eRocYzr.exe
  2⤵
  PID:9912
- C:\Windows\System32\vOKlaMC.exe
  C:\Windows\System32\vOKlaMC.exe
  2⤵
  PID:9936
- C:\Windows\System32\pimyxza.exe
  C:\Windows\System32\pimyxza.exe
  2⤵
  PID:9980
- C:\Windows\System32\pdpRCNg.exe
  C:\Windows\System32\pdpRCNg.exe
  2⤵
  PID:10020
- C:\Windows\System32\PYHfrio.exe
  C:\Windows\System32\PYHfrio.exe
  2⤵
  PID:10060
- C:\Windows\System32\ucWpTPV.exe
  C:\Windows\System32\ucWpTPV.exe
  2⤵
  PID:10096
- C:\Windows\System32\NJCFZCP.exe
  C:\Windows\System32\NJCFZCP.exe
  2⤵
  PID:10128
- C:\Windows\System32\JnIrUor.exe
  C:\Windows\System32\JnIrUor.exe
  2⤵
  PID:10148
- C:\Windows\System32\dRchjvH.exe
  C:\Windows\System32\dRchjvH.exe
  2⤵
  PID:10184
- C:\Windows\System32\SHkTgRk.exe
  C:\Windows\System32\SHkTgRk.exe
  2⤵
  PID:10220
- C:\Windows\System32\RnlOjGt.exe
  C:\Windows\System32\RnlOjGt.exe
  2⤵
  PID:9240
- C:\Windows\System32\ySvhoFp.exe
  C:\Windows\System32\ySvhoFp.exe
  2⤵
  PID:9344
- C:\Windows\System32\QIrUaiv.exe
  C:\Windows\System32\QIrUaiv.exe
  2⤵
  PID:9380
- C:\Windows\System32\dyfCdEL.exe
  C:\Windows\System32\dyfCdEL.exe
  2⤵
  PID:9448
- C:\Windows\System32\byBSsCs.exe
  C:\Windows\System32\byBSsCs.exe
  2⤵
  PID:9520
- C:\Windows\System32\KfghQtQ.exe
  C:\Windows\System32\KfghQtQ.exe
  2⤵
  PID:9648
- C:\Windows\System32\uKjAhsY.exe
  C:\Windows\System32\uKjAhsY.exe
  2⤵
  PID:9712
- C:\Windows\System32\vnWPpsl.exe
  C:\Windows\System32\vnWPpsl.exe
  2⤵
  PID:9828
- C:\Windows\System32\NRniocP.exe
  C:\Windows\System32\NRniocP.exe
  2⤵
  PID:9900
- C:\Windows\System32\plqUTCm.exe
  C:\Windows\System32\plqUTCm.exe
  2⤵
  PID:9972
- C:\Windows\System32\xpwxGWL.exe
  C:\Windows\System32\xpwxGWL.exe
  2⤵
  PID:10112
- C:\Windows\System32\pKgTkXs.exe
  C:\Windows\System32\pKgTkXs.exe
  2⤵
  PID:10156
- C:\Windows\System32\tWcXECP.exe
  C:\Windows\System32\tWcXECP.exe
  2⤵
  PID:3636
- C:\Windows\System32\vWsLIrX.exe
  C:\Windows\System32\vWsLIrX.exe
  2⤵
  PID:9292
- C:\Windows\System32\bhPCPXP.exe
  C:\Windows\System32\bhPCPXP.exe
  2⤵
  PID:9484
- C:\Windows\System32\RMpbfAI.exe
  C:\Windows\System32\RMpbfAI.exe
  2⤵
  PID:9356
- C:\Windows\System32\oyjMMHL.exe
  C:\Windows\System32\oyjMMHL.exe
  2⤵
  PID:9952
- C:\Windows\System32\MMZMrye.exe
  C:\Windows\System32\MMZMrye.exe
  2⤵
  PID:3500
- C:\Windows\System32\RyQwnsz.exe
  C:\Windows\System32\RyQwnsz.exe
  2⤵
  PID:9852
- C:\Windows\System32\wePBlnK.exe
  C:\Windows\System32\wePBlnK.exe
  2⤵
  PID:10248
- C:\Windows\System32\iMJgSFh.exe
  C:\Windows\System32\iMJgSFh.exe
  2⤵
  PID:10276
- C:\Windows\System32\bLwYLJs.exe
  C:\Windows\System32\bLwYLJs.exe
  2⤵
  PID:10324
- C:\Windows\System32\sTNpwUk.exe
  C:\Windows\System32\sTNpwUk.exe
  2⤵
  PID:10348
- C:\Windows\System32\DxiUIqB.exe
  C:\Windows\System32\DxiUIqB.exe
  2⤵
  PID:10380
- C:\Windows\System32\rfKeDpo.exe
  C:\Windows\System32\rfKeDpo.exe
  2⤵
  PID:10396
- C:\Windows\System32\AVXEhYr.exe
  C:\Windows\System32\AVXEhYr.exe
  2⤵
  PID:10452
- C:\Windows\System32\eOiohdm.exe
  C:\Windows\System32\eOiohdm.exe
  2⤵
  PID:10496
- C:\Windows\System32\tykqeyn.exe
  C:\Windows\System32\tykqeyn.exe
  2⤵
  PID:10532
- C:\Windows\System32\VHMBASi.exe
  C:\Windows\System32\VHMBASi.exe
  2⤵
  PID:10556
- C:\Windows\System32\ImowRFU.exe
  C:\Windows\System32\ImowRFU.exe
  2⤵
  PID:10584
- C:\Windows\System32\OcghhwG.exe
  C:\Windows\System32\OcghhwG.exe
  2⤵
  PID:10608
- C:\Windows\System32\AlRbUsq.exe
  C:\Windows\System32\AlRbUsq.exe
  2⤵
  PID:10640
- C:\Windows\System32\umTGsOK.exe
  C:\Windows\System32\umTGsOK.exe
  2⤵
  PID:10656
- C:\Windows\System32\zKZdUsz.exe
  C:\Windows\System32\zKZdUsz.exe
  2⤵
  PID:10696
- C:\Windows\System32\VcrnjZh.exe
  C:\Windows\System32\VcrnjZh.exe
  2⤵
  PID:10716
- C:\Windows\System32\NVyJWEB.exe
  C:\Windows\System32\NVyJWEB.exe
  2⤵
  PID:10752
- C:\Windows\System32\MBHxtAr.exe
  C:\Windows\System32\MBHxtAr.exe
  2⤵
  PID:10780
- C:\Windows\System32\BWfXKPx.exe
  C:\Windows\System32\BWfXKPx.exe
  2⤵
  PID:10796
- C:\Windows\System32\ywXZwhe.exe
  C:\Windows\System32\ywXZwhe.exe
  2⤵
  PID:10828
- C:\Windows\System32\sUeOyME.exe
  C:\Windows\System32\sUeOyME.exe
  2⤵
  PID:10872
- C:\Windows\System32\JdqcTlA.exe
  C:\Windows\System32\JdqcTlA.exe
  2⤵
  PID:10892
- C:\Windows\System32\sqdjFJl.exe
  C:\Windows\System32\sqdjFJl.exe
  2⤵
  PID:10924
- C:\Windows\System32\LzVlqaG.exe
  C:\Windows\System32\LzVlqaG.exe
  2⤵
  PID:10952
- C:\Windows\System32\xXHSplS.exe
  C:\Windows\System32\xXHSplS.exe
  2⤵
  PID:10984
- C:\Windows\System32\NpgxArK.exe
  C:\Windows\System32\NpgxArK.exe
  2⤵
  PID:11016
- C:\Windows\System32\TtTWUcz.exe
  C:\Windows\System32\TtTWUcz.exe
  2⤵
  PID:11032
- C:\Windows\System32\jlBocPX.exe
  C:\Windows\System32\jlBocPX.exe
  2⤵
  PID:11056
- C:\Windows\System32\IdEhBnn.exe
  C:\Windows\System32\IdEhBnn.exe
  2⤵
  PID:11080
- C:\Windows\System32\iwujHXp.exe
  C:\Windows\System32\iwujHXp.exe
  2⤵
  PID:11136
- C:\Windows\System32\LBFkDJO.exe
  C:\Windows\System32\LBFkDJO.exe
  2⤵
  PID:11168
- C:\Windows\System32\fOIJvLU.exe
  C:\Windows\System32\fOIJvLU.exe
  2⤵
  PID:11204
- C:\Windows\System32\Fqugolc.exe
  C:\Windows\System32\Fqugolc.exe
  2⤵
  PID:11224
- C:\Windows\System32\HydUcjR.exe
  C:\Windows\System32\HydUcjR.exe
  2⤵
  PID:11252
- C:\Windows\System32\KXlxaon.exe
  C:\Windows\System32\KXlxaon.exe
  2⤵
  PID:10288
- C:\Windows\System32\ptCZmhE.exe
  C:\Windows\System32\ptCZmhE.exe
  2⤵
  PID:10356
- C:\Windows\System32\zWTQMaM.exe
  C:\Windows\System32\zWTQMaM.exe
  2⤵
  PID:10436
- C:\Windows\System32\XSpPbvk.exe
  C:\Windows\System32\XSpPbvk.exe
  2⤵
  PID:10540
- C:\Windows\System32\XyDPLkx.exe
  C:\Windows\System32\XyDPLkx.exe
  2⤵
  PID:10604
- C:\Windows\System32\kojJppy.exe
  C:\Windows\System32\kojJppy.exe
  2⤵
  PID:10676
- C:\Windows\System32\LqkEGMl.exe
  C:\Windows\System32\LqkEGMl.exe
  2⤵
  PID:10732
- C:\Windows\System32\QgjbGhD.exe
  C:\Windows\System32\QgjbGhD.exe
  2⤵
  PID:10808
- C:\Windows\System32\AJOQuNh.exe
  C:\Windows\System32\AJOQuNh.exe
  2⤵
  PID:10880
- C:\Windows\System32\nNErcJn.exe
  C:\Windows\System32\nNErcJn.exe
  2⤵
  PID:10968
- C:\Windows\System32\kXkCxUI.exe
  C:\Windows\System32\kXkCxUI.exe
  2⤵
  PID:11048
- C:\Windows\System32\qkKZerd.exe
  C:\Windows\System32\qkKZerd.exe
  2⤵
  PID:11112
- C:\Windows\System32\wOzRHTH.exe
  C:\Windows\System32\wOzRHTH.exe
  2⤵
  PID:11188
- C:\Windows\System32\brKUIsz.exe
  C:\Windows\System32\brKUIsz.exe
  2⤵
  PID:11240
- C:\Windows\System32\nbwmFkR.exe
  C:\Windows\System32\nbwmFkR.exe
  2⤵
  PID:10392
- C:\Windows\System32\aTqmGqm.exe
  C:\Windows\System32\aTqmGqm.exe
  2⤵
  PID:10572
- C:\Windows\System32\AnyHuUJ.exe
  C:\Windows\System32\AnyHuUJ.exe
  2⤵
  PID:10740
- C:\Windows\System32\kVhfLum.exe
  C:\Windows\System32\kVhfLum.exe
  2⤵
  PID:10948
- C:\Windows\System32\UWolDCk.exe
  C:\Windows\System32\UWolDCk.exe
  2⤵
  PID:11068
- C:\Windows\System32\yRqOBwR.exe
  C:\Windows\System32\yRqOBwR.exe
  2⤵
  PID:10256
- C:\Windows\System32\zqsFPZe.exe
  C:\Windows\System32\zqsFPZe.exe
  2⤵
  PID:10848
- C:\Windows\System32\fEuqtNt.exe
  C:\Windows\System32\fEuqtNt.exe
  2⤵
  PID:10788
- C:\Windows\System32\JrmNoQz.exe
  C:\Windows\System32\JrmNoQz.exe
  2⤵
  PID:11272
- C:\Windows\System32\ClKrVpP.exe
  C:\Windows\System32\ClKrVpP.exe
  2⤵
  PID:11300
- C:\Windows\System32\jWSuxvY.exe
  C:\Windows\System32\jWSuxvY.exe
  2⤵
  PID:11328
- C:\Windows\System32\nfRmNsI.exe
  C:\Windows\System32\nfRmNsI.exe
  2⤵
  PID:11356
- C:\Windows\System32\KxPLtAV.exe
  C:\Windows\System32\KxPLtAV.exe
  2⤵
  PID:11384
- C:\Windows\System32\ToNfuxL.exe
  C:\Windows\System32\ToNfuxL.exe
  2⤵
  PID:11412
- C:\Windows\System32\lbMtoHn.exe
  C:\Windows\System32\lbMtoHn.exe
  2⤵
  PID:11440
- C:\Windows\System32\lrEOdFv.exe
  C:\Windows\System32\lrEOdFv.exe
  2⤵
  PID:11468
- C:\Windows\System32\ybQQcov.exe
  C:\Windows\System32\ybQQcov.exe
  2⤵
  PID:11496
- C:\Windows\System32\khAfxqw.exe
  C:\Windows\System32\khAfxqw.exe
  2⤵
  PID:11524
- C:\Windows\System32\BMJyDdv.exe
  C:\Windows\System32\BMJyDdv.exe
  2⤵
  PID:11552
- C:\Windows\System32\fvQkCzG.exe
  C:\Windows\System32\fvQkCzG.exe
  2⤵
  PID:11580
- C:\Windows\System32\AuVfLeW.exe
  C:\Windows\System32\AuVfLeW.exe
  2⤵
  PID:11608
- C:\Windows\System32\HtfrgAb.exe
  C:\Windows\System32\HtfrgAb.exe
  2⤵
  PID:11636
- C:\Windows\System32\wYjXZVX.exe
  C:\Windows\System32\wYjXZVX.exe
  2⤵
  PID:11664
- C:\Windows\System32\AeYtNWD.exe
  C:\Windows\System32\AeYtNWD.exe
  2⤵
  PID:11692
- C:\Windows\System32\XozkuUZ.exe
  C:\Windows\System32\XozkuUZ.exe
  2⤵
  PID:11720
- C:\Windows\System32\ZjPPDrw.exe
  C:\Windows\System32\ZjPPDrw.exe
  2⤵
  PID:11752
- C:\Windows\System32\FrGaTxS.exe
  C:\Windows\System32\FrGaTxS.exe
  2⤵
  PID:11780
- C:\Windows\System32\ilLzham.exe
  C:\Windows\System32\ilLzham.exe
  2⤵
  PID:11808
- C:\Windows\System32\hwcYyXD.exe
  C:\Windows\System32\hwcYyXD.exe
  2⤵
  PID:11836
- C:\Windows\System32\faIzHcf.exe
  C:\Windows\System32\faIzHcf.exe
  2⤵
  PID:11852
- C:\Windows\System32\JKtPszz.exe
  C:\Windows\System32\JKtPszz.exe
  2⤵
  PID:11892
- C:\Windows\System32\TVmZxnC.exe
  C:\Windows\System32\TVmZxnC.exe
  2⤵
  PID:11920
- C:\Windows\System32\oMxFqEL.exe
  C:\Windows\System32\oMxFqEL.exe
  2⤵
  PID:11952
- C:\Windows\System32\aFPdjgq.exe
  C:\Windows\System32\aFPdjgq.exe
  2⤵
  PID:11980
- C:\Windows\System32\MumACkl.exe
  C:\Windows\System32\MumACkl.exe
  2⤵
  PID:12008
- C:\Windows\System32\kzKmbMC.exe
  C:\Windows\System32\kzKmbMC.exe
  2⤵
  PID:12028
- C:\Windows\System32\GkawBQZ.exe
  C:\Windows\System32\GkawBQZ.exe
  2⤵
  PID:12060
- C:\Windows\System32\JTkQWZm.exe
  C:\Windows\System32\JTkQWZm.exe
  2⤵
  PID:12092
- C:\Windows\System32\IxVlojJ.exe
  C:\Windows\System32\IxVlojJ.exe
  2⤵
  PID:12120
- C:\Windows\System32\SQgIOLD.exe
  C:\Windows\System32\SQgIOLD.exe
  2⤵
  PID:12148
- C:\Windows\System32\WolyKLy.exe
  C:\Windows\System32\WolyKLy.exe
  2⤵
  PID:12184
- C:\Windows\System32\vRQRLLp.exe
  C:\Windows\System32\vRQRLLp.exe
  2⤵
  PID:12212
- C:\Windows\System32\mZdepXN.exe
  C:\Windows\System32\mZdepXN.exe
  2⤵
  PID:12244
- C:\Windows\System32\VhOPpaY.exe
  C:\Windows\System32\VhOPpaY.exe
  2⤵
  PID:12272
- C:\Windows\System32\PxiRXXJ.exe
  C:\Windows\System32\PxiRXXJ.exe
  2⤵
  PID:11292
- C:\Windows\System32\NCVgeme.exe
  C:\Windows\System32\NCVgeme.exe
  2⤵
  PID:11352
- C:\Windows\System32\woBcNYc.exe
  C:\Windows\System32\woBcNYc.exe
  2⤵
  PID:11432
- C:\Windows\System32\mmwgwwA.exe
  C:\Windows\System32\mmwgwwA.exe
  2⤵
  PID:11508
- C:\Windows\System32\FJmEmBx.exe
  C:\Windows\System32\FJmEmBx.exe
  2⤵
  PID:11572
- C:\Windows\System32\oikcDkS.exe
  C:\Windows\System32\oikcDkS.exe
  2⤵
  PID:11656
- C:\Windows\System32\hhMPdDM.exe
  C:\Windows\System32\hhMPdDM.exe
  2⤵
  PID:11716
- C:\Windows\System32\dZWeplP.exe
  C:\Windows\System32\dZWeplP.exe
  2⤵
  PID:11792
- C:\Windows\System32\RMTrNgs.exe
  C:\Windows\System32\RMTrNgs.exe
  2⤵
  PID:11876
- C:\Windows\System32\ZqdAbNa.exe
  C:\Windows\System32\ZqdAbNa.exe
  2⤵
  PID:11904
- C:\Windows\System32\pvBCeoV.exe
  C:\Windows\System32\pvBCeoV.exe
  2⤵
  PID:11964
- C:\Windows\System32\CNqlTUR.exe
  C:\Windows\System32\CNqlTUR.exe
  2⤵
  PID:12036
- C:\Windows\System32\xoMUHrp.exe
  C:\Windows\System32\xoMUHrp.exe
  2⤵
  PID:12144
- C:\Windows\System32\CpEEgHo.exe
  C:\Windows\System32\CpEEgHo.exe
  2⤵
  PID:12224
- C:\Windows\System32\FhvzYRE.exe
  C:\Windows\System32\FhvzYRE.exe
  2⤵
  PID:11344
- C:\Windows\System32\dpNuThb.exe
  C:\Windows\System32\dpNuThb.exe
  2⤵
  PID:11544
- C:\Windows\System32\AVuRumS.exe
  C:\Windows\System32\AVuRumS.exe
  2⤵
  PID:11704
- C:\Windows\System32\ABwtXeY.exe
  C:\Windows\System32\ABwtXeY.exe
  2⤵
  PID:11844
- C:\Windows\System32\yGcIYzN.exe
  C:\Windows\System32\yGcIYzN.exe
  2⤵
  PID:11996
- C:\Windows\System32\dvsfiOp.exe
  C:\Windows\System32\dvsfiOp.exe
  2⤵
  PID:12088
- C:\Windows\System32\lcabcvz.exe
  C:\Windows\System32\lcabcvz.exe
  2⤵
  PID:11428
- C:\Windows\System32\HWWDQSG.exe
  C:\Windows\System32\HWWDQSG.exe
  2⤵
  PID:11824
- C:\Windows\System32\JMezlav.exe
  C:\Windows\System32\JMezlav.exe
  2⤵
  PID:12076
- C:\Windows\System32\aHQDkRf.exe
  C:\Windows\System32\aHQDkRf.exe
  2⤵
  PID:508
- C:\Windows\System32\HTyOQbn.exe
  C:\Windows\System32\HTyOQbn.exe
  2⤵
  PID:11324
- C:\Windows\System32\UNPufKi.exe
  C:\Windows\System32\UNPufKi.exe
  2⤵
  PID:4076
- C:\Windows\System32\FvKvFZV.exe
  C:\Windows\System32\FvKvFZV.exe
  2⤵
  PID:11288
- C:\Windows\System32\fZfFHMM.exe
  C:\Windows\System32\fZfFHMM.exe
  2⤵
  PID:12296
- C:\Windows\System32\SkhnXuo.exe
  C:\Windows\System32\SkhnXuo.exe
  2⤵
  PID:12324
- C:\Windows\System32\dlAfuDc.exe
  C:\Windows\System32\dlAfuDc.exe
  2⤵
  PID:12352
- C:\Windows\System32\AMkHGqH.exe
  C:\Windows\System32\AMkHGqH.exe
  2⤵
  PID:12380
- C:\Windows\System32\TggJJuM.exe
  C:\Windows\System32\TggJJuM.exe
  2⤵
  PID:12408
- C:\Windows\System32\tzJNoHk.exe
  C:\Windows\System32\tzJNoHk.exe
  2⤵
  PID:12436
- C:\Windows\System32\FhUPLtu.exe
  C:\Windows\System32\FhUPLtu.exe
  2⤵
  PID:12464
- C:\Windows\System32\yOsPSKC.exe
  C:\Windows\System32\yOsPSKC.exe
  2⤵
  PID:12492
- C:\Windows\System32\HavriSv.exe
  C:\Windows\System32\HavriSv.exe
  2⤵
  PID:12520
- C:\Windows\System32\oIyfRzf.exe
  C:\Windows\System32\oIyfRzf.exe
  2⤵
  PID:12548
- C:\Windows\System32\XsXZDjl.exe
  C:\Windows\System32\XsXZDjl.exe
  2⤵
  PID:12576
- C:\Windows\System32\ZbusQhH.exe
  C:\Windows\System32\ZbusQhH.exe
  2⤵
  PID:12608
- C:\Windows\System32\OqJzaEj.exe
  C:\Windows\System32\OqJzaEj.exe
  2⤵
  PID:12636
- C:\Windows\System32\aAPcHhQ.exe
  C:\Windows\System32\aAPcHhQ.exe
  2⤵
  PID:12664
- C:\Windows\System32\rqKQTFE.exe
  C:\Windows\System32\rqKQTFE.exe
  2⤵
  PID:12692
- C:\Windows\System32\knAKoEr.exe
  C:\Windows\System32\knAKoEr.exe
  2⤵
  PID:12720
- C:\Windows\System32\DdMdlzE.exe
  C:\Windows\System32\DdMdlzE.exe
  2⤵
  PID:12748
- C:\Windows\System32\FprmVUm.exe
  C:\Windows\System32\FprmVUm.exe
  2⤵
  PID:12776
- C:\Windows\System32\LBxnzfj.exe
  C:\Windows\System32\LBxnzfj.exe
  2⤵
  PID:12804
- C:\Windows\System32\lCqbVFK.exe
  C:\Windows\System32\lCqbVFK.exe
  2⤵
  PID:12836
- C:\Windows\System32\yHSavMN.exe
  C:\Windows\System32\yHSavMN.exe
  2⤵
  PID:12864
- C:\Windows\System32\RpmIbVR.exe
  C:\Windows\System32\RpmIbVR.exe
  2⤵
  PID:12896
- C:\Windows\System32\BvzpxQg.exe
  C:\Windows\System32\BvzpxQg.exe
  2⤵
  PID:12924
- C:\Windows\System32\zuCpibq.exe
  C:\Windows\System32\zuCpibq.exe
  2⤵
  PID:12952
- C:\Windows\System32\AMcRIxU.exe
  C:\Windows\System32\AMcRIxU.exe
  2⤵
  PID:12980
- C:\Windows\System32\kDaiwRM.exe
  C:\Windows\System32\kDaiwRM.exe
  2⤵
  PID:13008
- C:\Windows\System32\WWaENwq.exe
  C:\Windows\System32\WWaENwq.exe
  2⤵
  PID:13036
- C:\Windows\System32\uIwkvTV.exe
  C:\Windows\System32\uIwkvTV.exe
  2⤵
  PID:13064
- C:\Windows\System32\qiJQlgt.exe
  C:\Windows\System32\qiJQlgt.exe
  2⤵
  PID:13092
- C:\Windows\System32\fmxcdvL.exe
  C:\Windows\System32\fmxcdvL.exe
  2⤵
  PID:13120
- C:\Windows\System32\FAzJcqC.exe
  C:\Windows\System32\FAzJcqC.exe
  2⤵
  PID:13148
- C:\Windows\System32\AzDQBTb.exe
  C:\Windows\System32\AzDQBTb.exe
  2⤵
  PID:13176
- C:\Windows\System32\gBODazB.exe
  C:\Windows\System32\gBODazB.exe
  2⤵
  PID:13204
- C:\Windows\System32\GcJKSex.exe
  C:\Windows\System32\GcJKSex.exe
  2⤵
  PID:13232
- C:\Windows\System32\vqUIPHw.exe
  C:\Windows\System32\vqUIPHw.exe
  2⤵
  PID:13260
- C:\Windows\System32\eCTQCDQ.exe
  C:\Windows\System32\eCTQCDQ.exe
  2⤵
  PID:13288
- C:\Windows\System32\XYYYAQQ.exe
  C:\Windows\System32\XYYYAQQ.exe
  2⤵
  PID:12292
- C:\Windows\System32\VObBeqV.exe
  C:\Windows\System32\VObBeqV.exe
  2⤵
  PID:12364
- C:\Windows\System32\YnReUjL.exe
  C:\Windows\System32\YnReUjL.exe
  2⤵
  PID:12432
- C:\Windows\System32\uqSQEbF.exe
  C:\Windows\System32\uqSQEbF.exe
  2⤵
  PID:12508
- C:\Windows\System32\MUKWWpx.exe
  C:\Windows\System32\MUKWWpx.exe
  2⤵
  PID:12540
- C:\Windows\System32\sPDwrGZ.exe
  C:\Windows\System32\sPDwrGZ.exe
  2⤵
  PID:2548
- C:\Windows\System32\aMOzKYb.exe
  C:\Windows\System32\aMOzKYb.exe
  2⤵
  PID:12660
- C:\Windows\System32\Otqcgpb.exe
  C:\Windows\System32\Otqcgpb.exe
  2⤵
  PID:12736
- C:\Windows\System32\ooQwyfS.exe
  C:\Windows\System32\ooQwyfS.exe
  2⤵
  PID:12796
- C:\Windows\System32\kPznLNk.exe
  C:\Windows\System32\kPznLNk.exe
  2⤵
  PID:12944
- C:\Windows\System32\jhaexcQ.exe
  C:\Windows\System32\jhaexcQ.exe
  2⤵
  PID:13000
- C:\Windows\System32\fXVSYOU.exe
  C:\Windows\System32\fXVSYOU.exe
  2⤵
  PID:13076
- C:\Windows\System32\bYdUhfN.exe
  C:\Windows\System32\bYdUhfN.exe
  2⤵
  PID:13160
- C:\Windows\System32\atNlWMQ.exe
  C:\Windows\System32\atNlWMQ.exe
  2⤵
  PID:13244
- C:\Windows\System32\mgPrZpi.exe
  C:\Windows\System32\mgPrZpi.exe
  2⤵
  PID:11632
- C:\Windows\System32\QrHeWhs.exe
  C:\Windows\System32\QrHeWhs.exe
  2⤵
  PID:12428
- C:\Windows\System32\ngLxwXi.exe
  C:\Windows\System32\ngLxwXi.exe
  2⤵
  PID:12592
- C:\Windows\System32\zhcSQko.exe
  C:\Windows\System32\zhcSQko.exe
  2⤵
  PID:12712
- C:\Windows\System32\NfVhmec.exe
  C:\Windows\System32\NfVhmec.exe
  2⤵
  PID:13308

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\EgkvsYT.exe

Filesize
3.3MB

MD5
73faad6502534d111ff5035c40db1bcf

SHA1
6d88c99cd36f7224b67f9073922d9597c7d06a48

SHA256
4df31e6f900b94abaebe328377a74c2507e0d4e87986e11c20806929bebcd744

SHA512
4765ea7e50c3c260c4f247bb9e9ad6fa0f55b69232cda4ae11661c2f70eec7ee861b9194ed1a8c674be2b4f562ec95d0305fbbbfc692e2dca1daf5123cbcd451

Download Submit
C:\Windows\System32\FDZQuWW.exe

Filesize
3.3MB

MD5
2b7dd8004ea42fbb6136c85cee14a398

SHA1
8044a6fe26cabcb027cff10bb5317497bf380b6b

SHA256
894eb94d7d1649856ceda50250b45b983ac2b17595d769612cd8e0b3479a198e

SHA512
9c35706713f27689d2a7fc793d58a1c9a66552a64a568f3d9413e5743665fbce0646ba5b53244a027be315bb8b50a1b1961424ece4c8a8295f8cb62cd1f38214

Download Submit
C:\Windows\System32\InjvSiN.exe

Filesize
3.3MB

MD5
d78a537a7e3ca064f1415cc901badec7

SHA1
72c89758dec9f019fff65e0b38eedd2316d21af9

SHA256
912c2e3e9a66dfa661cce8eebbd8a0bb8467dab008cabf53f25c1a80fc9860f8

SHA512
cbe94e8d84106a4987ee83f99307a3d10e8806cfe7b490a2111862b038b48e8169472faa3558a0b1f788114d908a426d2126e9d01050a13dcdc144ba4191233b

Download Submit
C:\Windows\System32\JdXrSUl.exe

Filesize
3.3MB

MD5
fd8e9be532c75d8380acc0aaf388c693

SHA1
c840464f516ad45903c04b486567229d4abbc6f7

SHA256
bfcfb5bcce38fc0668fb1f3dc6c15d2a13c8381ba302740f991ee7d5338b7602

SHA512
ba2a3b26259f0e010d9c89d8296d81500e54629c7ddd7117ab7327addb2027762fe6a58f0bdac1a5af86add48370b6d8219353c22e01bc28b59d78ae31c2df85

Download Submit
C:\Windows\System32\NYUDBeG.exe

Filesize
3.3MB

MD5
703c90ba20d9bd47018546bd4549a9f0

SHA1
9d26b54448af2c8b404c008ec9b53029c78670fc

SHA256
fcb1b4535442e971dad174d4f88426a733b29b88218a1918890e45f53285b97a

SHA512
cdce2f68b45490d7ac54f0bd835f9ac29d3ce707aca3c22a42e220a8d90ecc3c85f668b4c68a388e993e66f2d810027e5b69e673a075d46e5f733896da9718c9

Download Submit
C:\Windows\System32\Oenifhe.exe

Filesize
3.3MB

MD5
3a76eae9eacedc8e6dccaf552d1d1aea

SHA1
a4bdce0f1aebbd92008ddc198a47eb912ec4adc5

SHA256
eb085d18826b71dc7a5c4d86a925441445b6b09f368e63aec90acca9a20f2ee6

SHA512
ec97903f6fa206aa32454e00c1575643c0b8ed4f487c95fc13e18d8fc2e5071ef643b5aa0bbd48de9128c60a735e9049939967327f052d92e6090c14d976f5c0

Download Submit
C:\Windows\System32\PgxTbue.exe

Filesize
3.3MB

MD5
d71286e8a8feb61d19732dd442f4898e

SHA1
d4fda929615b7f799be7dcee4d84904440a7692c

SHA256
33f6dd38dfe6876e20819fb861726f37e0aef4226fc2c616f67149fd931399e1

SHA512
3c67eb5bf7f3b0bdb880b574de1eecf5a9a0649b44453be895a088e2dbea6e9824429924131eeab34a38ac8e8547994fb20749cbbcc0504ba6115bc6a9c0dea1

Download Submit
C:\Windows\System32\TITVXCp.exe

Filesize
3.3MB

MD5
0af7bf4460d859ff730956300a0a5642

SHA1
e467265d913e633298b39913b914a01187d67a48

SHA256
0d2a266d87da59fb2ad3abf6599355e14716982c0f95ab876c2e103ceaff9952

SHA512
4062d86570ed157aae6778cf7f2b7fe4cef3943457432e056346cad52c5b0c9ccd377cfdd64cabdfaf9fcdcbbf2f97abda30335f442442c7a1f50a4919f26663

Download Submit
C:\Windows\System32\TLuqAgs.exe

Filesize
3.3MB

MD5
a6cd242967684fafdabd56561eecff81

SHA1
a55665286309e9b40a77253af413a2fe918fbc40

SHA256
dbbda11a1b10399abebb7ff7b7b8c3babcfd80b603d625ce4b9431ec678e7c55

SHA512
4002e1fd86cc3ebc80774ce31550488e422b94b3d9cf5de3c5c0f6d51db3c365d2205e9f28f5c29bdeebd0abbb176bde54a790cc1ddf5e941703c7c5785d4c2f

Download Submit
C:\Windows\System32\WmtaQCp.exe

Filesize
3.3MB

MD5
a86c1e3b1b543b3d9c09580c2abf0886

SHA1
24236022d17c43dedd544c3b70545e481dee4982

SHA256
f37904e5cf803f986a13c6cb0d177b2b42a8455c015ba0fe0640de34c95e716c

SHA512
bc58286d2f311080a7e74f2652e572ee7b04e8fce0048b2f7b1bffb90808e399f6ffe41659e02906c24d867451a59e54814a85f79b160b974861482b9582dfc3

Download Submit
C:\Windows\System32\XbcbUeH.exe

Filesize
3.3MB

MD5
7f682e030fcc3fedaadf78a9169758e2

SHA1
d8c95d840e86203b632b8a0827b1a0ae8c697155

SHA256
0add5648e6610d9797288c03864584dd255d85a02ec92939b0f63f636d7e8442

SHA512
a86047fc2ab8c4c82c69fd409b7baa8f20ff3a6d2e27b05acc97c8deb5c6ea3660ed87f2387213b5f26348e38e62a78198ce19e42d4f4878d924b9776149bfba

Download Submit
C:\Windows\System32\YxfhzeX.exe

Filesize
3.3MB

MD5
3b39f24ae0084f771accfc0464d65ca6

SHA1
d2431433aad0ef92cb1d199e99dd28834134354b

SHA256
c58f504066bebb438f4636402062830f52ca59294c4f9b700c76b8947f7895d5

SHA512
6b8eb9fbd8340b4a8c4a75e2302efef24b1587c8575e7ecd4b645e054a2dbf0a718044ed349ba2b346fb0c7525b9868f1e07a051f00a5c4c8cf559ade8490aa4

Download Submit
C:\Windows\System32\ZPkxJLz.exe

Filesize
3.3MB

MD5
af0348efd3180ce83d1e1877cfd6f21b

SHA1
92f777feebb148566e0f9429129a92b91a2094fb

SHA256
8ffa8c6ca98e6985776561087818f2a1de23303ff181a1c1f2decf176ff82384

SHA512
f3b468f59462fd258171298d1c4f3e26295a6bdd5fd00c60fba55ca56696823e1c7cbe94488d7f737204896b97be400acadc981e0d6c88020fa99ff542023836

Download Submit
C:\Windows\System32\abkVnFz.exe

Filesize
3.3MB

MD5
f6e80529897dfa279fde5749359b603c

SHA1
e9a2ff50ffd3227c5638d8e04de17511134a9301

SHA256
bffe1406b992caf5e0e3c107d36871b406996adae7efae2c5172da3d288e812c

SHA512
39ffb650199e94aac95ca49ca606e7db80d61cf2a7a77cb586ef50a46f0695f8c9f7fac49048834a750a79ad584edb1a1c30d77e1c1a092a7988087dd014b8de

Download Submit
C:\Windows\System32\cJyFhhU.exe

Filesize
3.3MB

MD5
6d532334c42756bf3dfe20e23b81d7a5

SHA1
2f9a467c1c630ac4cd481136e04c20eca935798a

SHA256
9fbdc3f6c5a39ec1a0ca05d4345193b885a5e3bbfbc63df680c790c2032eb2e7

SHA512
6c3c780ef19d906c9f6435832c41efe2b213c91543aec2d87ca6e4e93ec2d8dd86ba07a927090ecaa0157c6ab8f255c14893790d77482b7eb40794d71628bdfc

Download Submit
C:\Windows\System32\cvRNFrP.exe

Filesize
3.3MB

MD5
dc24e8f886dd4e8f817d933d1e057102

SHA1
343cb6697e889b92afc90140d3b11ee1c8c68a24

SHA256
d3f39bc0df8531dbf3a5452c93cc13f3a4f133f47a8d54783e915009f87d7da5

SHA512
616a6b074102517f36defbb2a41ad2f96b06575080439d8385fa638bf506afb51a9094a545feee9249800f95e585f9313875934df4fc2036da8c520cb77e9587

Download Submit
C:\Windows\System32\dIbIjnD.exe

Filesize
3.3MB

MD5
beb0991f0f8a16d638d4298fda884508

SHA1
61c312b328d769e28c79fb86d1e892ddce4e14fc

SHA256
28eb4566bb9456e5043a01ff1175f3874f2b864e5c6a55f3a1e620c90cef2770

SHA512
e482cd103dac808a6fdc7d260faf7879d3b4c16c88e67032c8f4662163bea78f6443c790aed18a5c7f48a03ced7880026f57daab7278a9db668c24d815246804

Download Submit
C:\Windows\System32\dTIOUfB.exe

Filesize
3.3MB

MD5
c72202ec40182013d5af75588640cfad

SHA1
953e921c519e4caa234e1c6e0ea2f316fef98a5d

SHA256
ae453025400a695836b079bf25dbbe4da56fa50339ca990e0ad52dd3dbaba92b

SHA512
f2b54f9951002e80be21c080791b01eb8279f1724f3ddff76d412f8db801444a64c92a754b41b61768fcbeaf3bcf694d25a00d3878d12ac6d0403652e7657390

Download Submit
C:\Windows\System32\dXKjxSE.exe

Filesize
3.3MB

MD5
98d478f84858082e9bb77679febf3c53

SHA1
4f0389efde85eddffd50bd033cc4fc9975e631f0

SHA256
3dec5ad45a7603dbb2977ee136ff75bc7c4aa855e316f879ebdefeb5257d6dd8

SHA512
89e05464d85b8e57f6d421c876f61d9f75697e9c1db2f1560cebee5e1dd67cae14ec56a9aaf3bb8742ba99e90b03af6007ab0659c5bbf8ac2aa285df39efaca0

Download Submit
C:\Windows\System32\hdfMPMM.exe

Filesize
3.3MB

MD5
3107a750843f548bf0d6bb8f44bf880a

SHA1
5d7b30f8e6f2604123b6700d8d88e7e3cecfa701

SHA256
82091086dd068637a568f10d0c1411bf39c3345dfbf38abc857bfb5a03cb96cb

SHA512
2854effc6f292612b17d99e8fa974bc943dc7b8e5617675eaeb0cfc42cf39b7055ffee131597f4d400d41dc52846d800dfb98e214ba566f00afd7d12b5f7af34

Download Submit
C:\Windows\System32\iacGMbR.exe

Filesize
3.3MB

MD5
51f5f3878e7df082c6646ea02bcf56bb

SHA1
437cb9a2a97335eb79247a5d51b28867b9547f50

SHA256
cc6cc248d15a457ceae02d65f8bb70faca47877cde87b42e67ef26af4d4a329b

SHA512
a2d4d5225b9674ad92a582f7abb2f4613d9b88bf2b2f528b113bbd358116c50dd702cd5e9373eae86a9029a47b1cb640f48801d8e466015be70f7e1238c87532

Download Submit
C:\Windows\System32\kslbdNT.exe

Filesize
3.3MB

MD5
961d8c55a617db4f59372d23315464d4

SHA1
0a95c47a37a5f4bb04c551ed27e70c67a3268b91

SHA256
c01d0734135f57860f25e750a6dcf9c5206312df94253279b68ae83497174b35

SHA512
7db36ed00cbc7c6acaacb943e02b845c850e9e373ac9f520611b2dbcde3f3bced0d2713ec47da423b2349e03d18f46169a1a408f5d75d496d8e641e727f3a84a

Download Submit
C:\Windows\System32\kzGXinZ.exe

Filesize
3.3MB

MD5
d2927c737f40fc72b549611d60469abf

SHA1
74abe1f0aedfad3687be247a0eb8ee7a250372ce

SHA256
856d2793a4415fb49dd6059c44a28746f844080eabd775090f1d275cc7946f16

SHA512
944626bc516926875556cefd4c73f1521555affd9b4d52a7e54676320aeddf2e449859aebfc68dd9dc1b5e9bb7cee133673a6afcea993043cb48881f1a8cb0fc

Download Submit
C:\Windows\System32\nGSsTpN.exe

Filesize
3.3MB

MD5
fab9a04b64eb0b5a3c0c402a21d49864

SHA1
5de72aa1fc2a332c9c0af314308c65e650c6b653

SHA256
9b213dd87d8217a7176b0813e5f583cf41a95a707ec57af487681d8a2103dfcc

SHA512
68b3878fbfb6cdeb0aa9e41437c3f0dbd4bd3052e0b7a527fd3d0ec2e1d8659070f1e5c459f1ef71225f321fe4f4bf21e87f0b5020a1fbfc198e7d9cddab6f8f

Download Submit
C:\Windows\System32\nfGjWQk.exe

Filesize
3.3MB

MD5
300d240e3078d2dcfd2cc9dfe0296a90

SHA1
818645d6eddb0b92f111d7a5029af107358045f6

SHA256
9177526480e2b6b33d43a6f4a84c9d99b30738edfdc5f7f34bb6df95afdc80ea

SHA512
af451044cac411704f8db15e8df701cb98db950eb5ddc438bc77eb041ef32251dd7caee77d6255ae36fe47adefe91046a7b18a0d82eefeb5ac16b6eef3814eb7

Download Submit
C:\Windows\System32\pJyTpoY.exe

Filesize
3.3MB

MD5
1d778abd339f3bb67f4c97acb2093313

SHA1
a014bcca16fb69a2a63a446e473dbf2208d5a50e

SHA256
2a265c712a712e10a7fd3b9550d3210cc7e6b4a7bc55fbbc39961f778a3e4dcf

SHA512
badd5a6c2a2f505c2c679372412fb8006609ade8175ff3ff1e9872ba2ab5e9333d9ceb33fb4a85c1a3a9a91e4136443547abab7f7525183ec5cb01f4483882f6

Download Submit
C:\Windows\System32\pbFHGNn.exe

Filesize
3.3MB

MD5
98de5189755bc8eee9eec3c4d19b843e

SHA1
b7a8832610168025292bdc8ab2e82cb6659b2562

SHA256
6d0f43a106fc945898b965b61dfb9c1d3cfea02a232ba29c4fa9583b7e87eb63

SHA512
d925e3079c29affdcf514c50a21057e16443bc51f2a77a1728f7d9d97dcd12cc068f6f4461f1583aa4e0020325fa8d12b25304535e8e21098e5488d9bbaaa3d8

Download Submit
C:\Windows\System32\putywRU.exe

Filesize
3.3MB

MD5
8cf5873ebb5c74128bf608e68169c261

SHA1
5ce693d4f282f94e50b010342a5aa63b8d1264eb

SHA256
e13b78df77e2c9c7c90d0c747bb1e47d54b480005af0aacd694360dde08aa4f2

SHA512
a9fa9425e7661cbac7d98f7976b03e6911c094f0a3940af3e859ba41b2f7da4a39f95900fcb14e0675905a9a8f10aa3e61a8c14cd9c088a56b4afb9a82bbc915

Download Submit
C:\Windows\System32\rFqFuDZ.exe

Filesize
3.3MB

MD5
58e25b5341a06eb68bbe053f6d20826c

SHA1
bad19e8fdfb25fe89a35e063efa55579bd1615e4

SHA256
fc92672b8a026d9050ef74df1191e535553d41846fc26eec198d5c3f34fa1016

SHA512
00c67219445cf5a3da27e1224df5f6dc4f81edea50ce8623e0b5cf1cfb2cff4e92367215d2cd756502ed046b490209cb783bf1a8b67d435ae4d56a50e476e914

Download Submit
C:\Windows\System32\rcavZMw.exe

Filesize
3.3MB

MD5
3aff70ac07fb9b9c576be8a8ed4496bd

SHA1
b10db05e00fb161069e2b2f3c322aab82aeaa870

SHA256
fe19207be64e0be20607980394a4a14060436dbe5857357fdb319b2afaff530a

SHA512
5d870bccda46404f30eac6459f3c3676421161ca441cdbcf391d7d78e98d7fd810e0eab66bf8c3620a7edcecb21c74d23b0d5785cb3bc09f265810df47f3dff4

Download Submit
C:\Windows\System32\uzcbzld.exe

Filesize
3.3MB

MD5
5174fe846bb502a65674dade6c6812ee

SHA1
93c6e219bad734e1194ac0b3899d5c7ad3fce677

SHA256
94f8f6afef10fc76d18642b8027de2f48e6942d2f4053230c823fe3729d0b6a7

SHA512
03a0e335af7ade8e3a58190c77825c27d26eed88f65c8b50866678698a2f34a0f620459d05a52f3a8275ef3f6e018e45eecf3e51a4d39d937847633b404e3c92

Download Submit
C:\Windows\System32\wRChSwS.exe

Filesize
3.3MB

MD5
594308a12f96bcd3e63df55961b0a4bd

SHA1
c14149e01246aeaf2d1243f09b4bdcccdb88e816

SHA256
e5340c6cb00028ace60cf3b7b042cc7a49a40b3a1413e09ceef93f6e7ae04ab1

SHA512
f9f9a9ef3bfe07fd8dd80fd6c2ad2094d39190d8956ddcc49a9b6f8b2febd0edcb9a341923ae47d00f2e70d9f2e02cfce2b6120927f0167d41abe4578a2925fe

Download Submit
memory/756-11-0x00007FF7E9E50000-0x00007FF7EA245000-memory.dmp

Filesize
4.0MB

Download
memory/756-1911-0x00007FF7E9E50000-0x00007FF7EA245000-memory.dmp

Filesize
4.0MB

Download
memory/756-1910-0x00007FF7E9E50000-0x00007FF7EA245000-memory.dmp

Filesize
4.0MB

Download
memory/1108-1912-0x00007FF765C50000-0x00007FF766045000-memory.dmp

Filesize
4.0MB

Download
memory/1108-19-0x00007FF765C50000-0x00007FF766045000-memory.dmp

Filesize
4.0MB

Download
memory/1840-799-0x00007FF61D3D0000-0x00007FF61D7C5000-memory.dmp

Filesize
4.0MB

Download
memory/1840-1923-0x00007FF61D3D0000-0x00007FF61D7C5000-memory.dmp

Filesize
4.0MB

Download
memory/1920-1931-0x00007FF6B39D0000-0x00007FF6B3DC5000-memory.dmp

Filesize
4.0MB

Download
memory/1920-865-0x00007FF6B39D0000-0x00007FF6B3DC5000-memory.dmp

Filesize
4.0MB

Download
memory/2416-806-0x00007FF7453E0000-0x00007FF7457D5000-memory.dmp

Filesize
4.0MB

Download
memory/2416-1924-0x00007FF7453E0000-0x00007FF7457D5000-memory.dmp

Filesize
4.0MB

Download
memory/2696-904-0x00007FF7B24B0000-0x00007FF7B28A5000-memory.dmp

Filesize
4.0MB

Download
memory/2696-1914-0x00007FF7B24B0000-0x00007FF7B28A5000-memory.dmp

Filesize
4.0MB

Download
memory/3124-1920-0x00007FF6B5DF0000-0x00007FF6B61E5000-memory.dmp

Filesize
4.0MB

Download
memory/3124-796-0x00007FF6B5DF0000-0x00007FF6B61E5000-memory.dmp

Filesize
4.0MB

Download
memory/3128-874-0x00007FF72A9B0000-0x00007FF72ADA5000-memory.dmp

Filesize
4.0MB

Download
memory/3128-1933-0x00007FF72A9B0000-0x00007FF72ADA5000-memory.dmp

Filesize
4.0MB

Download
memory/3460-779-0x00007FF777A70000-0x00007FF777E65000-memory.dmp

Filesize
4.0MB

Download
memory/3460-1919-0x00007FF777A70000-0x00007FF777E65000-memory.dmp

Filesize
4.0MB

Download
memory/3508-1927-0x00007FF7AD660000-0x00007FF7ADA55000-memory.dmp

Filesize
4.0MB

Download
memory/3508-890-0x00007FF7AD660000-0x00007FF7ADA55000-memory.dmp

Filesize
4.0MB

Download
memory/3540-1926-0x00007FF68EEE0000-0x00007FF68F2D5000-memory.dmp

Filesize
4.0MB

Download
memory/3540-896-0x00007FF68EEE0000-0x00007FF68F2D5000-memory.dmp

Filesize
4.0MB

Download
memory/3632-818-0x00007FF7F15A0000-0x00007FF7F1995000-memory.dmp

Filesize
4.0MB

Download
memory/3632-1930-0x00007FF7F15A0000-0x00007FF7F1995000-memory.dmp

Filesize
4.0MB

Download
memory/3768-900-0x00007FF608940000-0x00007FF608D35000-memory.dmp

Filesize
4.0MB

Download
memory/3768-1928-0x00007FF608940000-0x00007FF608D35000-memory.dmp

Filesize
4.0MB

Download
memory/3920-1932-0x00007FF6AAEB0000-0x00007FF6AB2A5000-memory.dmp

Filesize
4.0MB

Download
memory/3920-871-0x00007FF6AAEB0000-0x00007FF6AB2A5000-memory.dmp

Filesize
4.0MB

Download
memory/4048-886-0x00007FF618730000-0x00007FF618B25000-memory.dmp

Filesize
4.0MB

Download
memory/4048-1925-0x00007FF618730000-0x00007FF618B25000-memory.dmp

Filesize
4.0MB

Download
memory/4088-1934-0x00007FF7BA230000-0x00007FF7BA625000-memory.dmp

Filesize
4.0MB

Download
memory/4088-882-0x00007FF7BA230000-0x00007FF7BA625000-memory.dmp

Filesize
4.0MB

Download
memory/4140-795-0x00007FF7F8E30000-0x00007FF7F9225000-memory.dmp

Filesize
4.0MB

Download
memory/4140-1921-0x00007FF7F8E30000-0x00007FF7F9225000-memory.dmp

Filesize
4.0MB

Download
memory/4352-1922-0x00007FF7BA580000-0x00007FF7BA975000-memory.dmp

Filesize
4.0MB

Download
memory/4352-813-0x00007FF7BA580000-0x00007FF7BA975000-memory.dmp

Filesize
4.0MB

Download
memory/4600-1918-0x00007FF642AE0000-0x00007FF642ED5000-memory.dmp

Filesize
4.0MB

Download
memory/4600-784-0x00007FF642AE0000-0x00007FF642ED5000-memory.dmp

Filesize
4.0MB

Download
memory/4640-768-0x00007FF7E6070000-0x00007FF7E6465000-memory.dmp

Filesize
4.0MB

Download
memory/4640-1913-0x00007FF7E6070000-0x00007FF7E6465000-memory.dmp

Filesize
4.0MB

Download
memory/4644-814-0x00007FF605E00000-0x00007FF6061F5000-memory.dmp

Filesize
4.0MB

Download
memory/4644-1929-0x00007FF605E00000-0x00007FF6061F5000-memory.dmp

Filesize
4.0MB

Download
memory/4792-1916-0x00007FF6B19C0000-0x00007FF6B1DB5000-memory.dmp

Filesize
4.0MB

Download
memory/4792-774-0x00007FF6B19C0000-0x00007FF6B1DB5000-memory.dmp

Filesize
4.0MB

Download
memory/4896-0-0x00007FF7CD0D0000-0x00007FF7CD4C5000-memory.dmp

Filesize
4.0MB

Download
memory/4896-1-0x000001BD9E330000-0x000001BD9E340000-memory.dmp

Filesize
64KB

Download
memory/4972-1915-0x00007FF732CE0000-0x00007FF7330D5000-memory.dmp

Filesize
4.0MB

Download
memory/4972-789-0x00007FF732CE0000-0x00007FF7330D5000-memory.dmp

Filesize
4.0MB

Download
memory/5044-1917-0x00007FF6B3660000-0x00007FF6B3A55000-memory.dmp

Filesize
4.0MB

Download
memory/5044-771-0x00007FF6B3660000-0x00007FF6B3A55000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads