xmrig | 765d24483c9936b9579f1758694398bc96461399a26fdf70b1c419f86e2fffdf

Analysis

max time kernel
146s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
Size

3.3MB
MD5

8d91a5c6d25219a40c6673a3f55f59f0
SHA1

83e72a3825ae2f93a67c313d22437a3d25bd5275
SHA256

765d24483c9936b9579f1758694398bc96461399a26fdf70b1c419f86e2fffdf
SHA512

b39fa2b1b4c4044bbc83d9daa5d385a8d2423b9e5a52976626f90d86c41b288a19d3087b2d7724ad308cffe25a6e0205bcd677b80225df7aa8c74b2cfe0fff22
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc40C:NFWPClFkC

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/8-0-0x00007FF7697D0000-0x00007FF769BC5000-memory.dmp	xmrig
behavioral2/files/0x000d000000023b87-5.dat	xmrig
behavioral2/files/0x000b000000023b95-11.dat	xmrig
behavioral2/memory/4824-10-0x00007FF69B6B0000-0x00007FF69BAA5000-memory.dmp	xmrig
behavioral2/memory/4900-12-0x00007FF79D400000-0x00007FF79D7F5000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9b-7.dat	xmrig
behavioral2/files/0x000a000000023b9e-26.dat	xmrig
behavioral2/files/0x000a000000023b9f-31.dat	xmrig
behavioral2/memory/1700-32-0x00007FF7FA620000-0x00007FF7FAA15000-memory.dmp	xmrig
behavioral2/files/0x000a000000023ba0-40.dat	xmrig
behavioral2/files/0x000a000000023ba2-57.dat	xmrig
behavioral2/files/0x000a000000023ba3-62.dat	xmrig
behavioral2/files/0x000a000000023ba5-70.dat	xmrig
behavioral2/files/0x000a000000023ba8-87.dat	xmrig
behavioral2/files/0x000a000000023bab-100.dat	xmrig
behavioral2/files/0x000a000000023bb0-127.dat	xmrig
behavioral2/files/0x000a000000023bb3-142.dat	xmrig
behavioral2/files/0x000a000000023bb8-168.dat	xmrig
behavioral2/files/0x000a000000023bb7-162.dat	xmrig
behavioral2/files/0x000a000000023bb6-157.dat	xmrig
behavioral2/files/0x000a000000023bb5-152.dat	xmrig
behavioral2/files/0x000a000000023bb4-147.dat	xmrig
behavioral2/files/0x000a000000023bb2-137.dat	xmrig
behavioral2/files/0x000a000000023bb1-132.dat	xmrig
behavioral2/files/0x000a000000023baf-122.dat	xmrig
behavioral2/files/0x000a000000023bae-117.dat	xmrig
behavioral2/files/0x000a000000023bad-112.dat	xmrig
behavioral2/files/0x000a000000023bac-107.dat	xmrig
behavioral2/files/0x000a000000023baa-97.dat	xmrig
behavioral2/files/0x000a000000023ba9-92.dat	xmrig
behavioral2/files/0x000a000000023ba7-82.dat	xmrig
behavioral2/files/0x000a000000023ba6-77.dat	xmrig
behavioral2/files/0x000a000000023ba4-67.dat	xmrig
behavioral2/files/0x000a000000023ba1-52.dat	xmrig
behavioral2/files/0x000c000000023b88-47.dat	xmrig
behavioral2/memory/4916-34-0x00007FF6BC960000-0x00007FF6BCD55000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9d-29.dat	xmrig
behavioral2/memory/2200-28-0x00007FF65E9E0000-0x00007FF65EDD5000-memory.dmp	xmrig
behavioral2/memory/4864-25-0x00007FF712E20000-0x00007FF713215000-memory.dmp	xmrig
behavioral2/memory/3848-704-0x00007FF69C440000-0x00007FF69C835000-memory.dmp	xmrig
behavioral2/memory/3264-712-0x00007FF6E0FA0000-0x00007FF6E1395000-memory.dmp	xmrig
behavioral2/memory/4780-722-0x00007FF6B47C0000-0x00007FF6B4BB5000-memory.dmp	xmrig
behavioral2/memory/5092-730-0x00007FF6FFDC0000-0x00007FF7001B5000-memory.dmp	xmrig
behavioral2/memory/4964-726-0x00007FF702F30000-0x00007FF703325000-memory.dmp	xmrig
behavioral2/memory/4388-738-0x00007FF6862E0000-0x00007FF6866D5000-memory.dmp	xmrig
behavioral2/memory/2396-749-0x00007FF7FD550000-0x00007FF7FD945000-memory.dmp	xmrig
behavioral2/memory/4812-743-0x00007FF65C5A0000-0x00007FF65C995000-memory.dmp	xmrig
behavioral2/memory/3964-758-0x00007FF70FC40000-0x00007FF710035000-memory.dmp	xmrig
behavioral2/memory/4136-763-0x00007FF654700000-0x00007FF654AF5000-memory.dmp	xmrig
behavioral2/memory/1540-768-0x00007FF76BF20000-0x00007FF76C315000-memory.dmp	xmrig
behavioral2/memory/1884-777-0x00007FF695DC0000-0x00007FF6961B5000-memory.dmp	xmrig
behavioral2/memory/4828-783-0x00007FF79D820000-0x00007FF79DC15000-memory.dmp	xmrig
behavioral2/memory/4880-780-0x00007FF6B41B0000-0x00007FF6B45A5000-memory.dmp	xmrig
behavioral2/memory/3260-786-0x00007FF600280000-0x00007FF600675000-memory.dmp	xmrig
behavioral2/memory/4356-790-0x00007FF688940000-0x00007FF688D35000-memory.dmp	xmrig
behavioral2/memory/1184-791-0x00007FF617E30000-0x00007FF618225000-memory.dmp	xmrig
behavioral2/memory/3212-794-0x00007FF629100000-0x00007FF6294F5000-memory.dmp	xmrig
behavioral2/memory/8-1885-0x00007FF7697D0000-0x00007FF769BC5000-memory.dmp	xmrig
behavioral2/memory/4900-1886-0x00007FF79D400000-0x00007FF79D7F5000-memory.dmp	xmrig
behavioral2/memory/2200-1887-0x00007FF65E9E0000-0x00007FF65EDD5000-memory.dmp	xmrig
behavioral2/memory/4916-1888-0x00007FF6BC960000-0x00007FF6BCD55000-memory.dmp	xmrig
behavioral2/memory/8-1889-0x00007FF7697D0000-0x00007FF769BC5000-memory.dmp	xmrig
behavioral2/memory/4824-1890-0x00007FF69B6B0000-0x00007FF69BAA5000-memory.dmp	xmrig
behavioral2/memory/4900-1891-0x00007FF79D400000-0x00007FF79D7F5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4824	ATEXJkF.exe
4900	NvOnfgp.exe
4864	dTKVmTZ.exe
1700	aCMHxxi.exe
2200	jmTLcaU.exe
4916	HQqZZaC.exe
3212	qdsrREd.exe
3848	YhLBzio.exe
3264	kzOsAFJ.exe
4780	QxubNmQ.exe
4964	AAioUSP.exe
5092	TJFKZFv.exe
4388	RbpbHSw.exe
4812	nmXwqkV.exe
2396	tvVJEkz.exe
3964	bqZRdVg.exe
4136	tRLnOjx.exe
1540	HHkZErs.exe
1884	jSBqVsh.exe
4880	UvuHHcn.exe
4828	OvFUjws.exe
3260	WaGPXsA.exe
4356	ODWSXFm.exe
1184	abumcwS.exe
4568	igLciYQ.exe
3536	KNLnxUp.exe
2964	REHhSJx.exe
4632	DcqHrna.exe
4076	tuslTYB.exe
736	bZhhBiN.exe
2936	IWWpCcj.exe
3204	JGKuFqc.exe
4696	NWsrAGj.exe
936	dXEjHuQ.exe
3768	xouKRQg.exe
3236	MpdimLp.exe
2516	bDFTiGg.exe
372	uhAKROA.exe
2328	QZelvYI.exe
3640	aMvcvkP.exe
4624	JnHlAdS.exe
4616	MmniZoO.exe
4560	KRAAmGN.exe
3916	TAufpUd.exe
4852	MrvMjcU.exe
4384	PrJakZn.exe
3388	iXLeeIr.exe
4768	gmdRICv.exe
2596	hNORdbC.exe
836	HMdPDQS.exe
1372	cuBVdZt.exe
4092	qgSkidS.exe
5108	EpIBCPx.exe
2924	jLcLYBt.exe
4268	hAbzprf.exe
1852	xQmuTAM.exe
4944	yiwqjkZ.exe
2260	kmoaJwf.exe
4888	JCFBzHD.exe
3256	pmrgQWM.exe
2292	ifhMqwV.exe
1744	AGYRbRF.exe
4176	DWfZgJr.exe
2096	dMbjAhX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/8-0-0x00007FF7697D0000-0x00007FF769BC5000-memory.dmp	upx
behavioral2/files/0x000d000000023b87-5.dat	upx
behavioral2/files/0x000b000000023b95-11.dat	upx
behavioral2/memory/4824-10-0x00007FF69B6B0000-0x00007FF69BAA5000-memory.dmp	upx
behavioral2/memory/4900-12-0x00007FF79D400000-0x00007FF79D7F5000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-7.dat	upx
behavioral2/files/0x000a000000023b9e-26.dat	upx
behavioral2/files/0x000a000000023b9f-31.dat	upx
behavioral2/memory/1700-32-0x00007FF7FA620000-0x00007FF7FAA15000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-40.dat	upx
behavioral2/files/0x000a000000023ba2-57.dat	upx
behavioral2/files/0x000a000000023ba3-62.dat	upx
behavioral2/files/0x000a000000023ba5-70.dat	upx
behavioral2/files/0x000a000000023ba8-87.dat	upx
behavioral2/files/0x000a000000023bab-100.dat	upx
behavioral2/files/0x000a000000023bb0-127.dat	upx
behavioral2/files/0x000a000000023bb3-142.dat	upx
behavioral2/files/0x000a000000023bb8-168.dat	upx
behavioral2/files/0x000a000000023bb7-162.dat	upx
behavioral2/files/0x000a000000023bb6-157.dat	upx
behavioral2/files/0x000a000000023bb5-152.dat	upx
behavioral2/files/0x000a000000023bb4-147.dat	upx
behavioral2/files/0x000a000000023bb2-137.dat	upx
behavioral2/files/0x000a000000023bb1-132.dat	upx
behavioral2/files/0x000a000000023baf-122.dat	upx
behavioral2/files/0x000a000000023bae-117.dat	upx
behavioral2/files/0x000a000000023bad-112.dat	upx
behavioral2/files/0x000a000000023bac-107.dat	upx
behavioral2/files/0x000a000000023baa-97.dat	upx
behavioral2/files/0x000a000000023ba9-92.dat	upx
behavioral2/files/0x000a000000023ba7-82.dat	upx
behavioral2/files/0x000a000000023ba6-77.dat	upx
behavioral2/files/0x000a000000023ba4-67.dat	upx
behavioral2/files/0x000a000000023ba1-52.dat	upx
behavioral2/files/0x000c000000023b88-47.dat	upx
behavioral2/memory/4916-34-0x00007FF6BC960000-0x00007FF6BCD55000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-29.dat	upx
behavioral2/memory/2200-28-0x00007FF65E9E0000-0x00007FF65EDD5000-memory.dmp	upx
behavioral2/memory/4864-25-0x00007FF712E20000-0x00007FF713215000-memory.dmp	upx
behavioral2/memory/3848-704-0x00007FF69C440000-0x00007FF69C835000-memory.dmp	upx
behavioral2/memory/3264-712-0x00007FF6E0FA0000-0x00007FF6E1395000-memory.dmp	upx
behavioral2/memory/4780-722-0x00007FF6B47C0000-0x00007FF6B4BB5000-memory.dmp	upx
behavioral2/memory/5092-730-0x00007FF6FFDC0000-0x00007FF7001B5000-memory.dmp	upx
behavioral2/memory/4964-726-0x00007FF702F30000-0x00007FF703325000-memory.dmp	upx
behavioral2/memory/4388-738-0x00007FF6862E0000-0x00007FF6866D5000-memory.dmp	upx
behavioral2/memory/2396-749-0x00007FF7FD550000-0x00007FF7FD945000-memory.dmp	upx
behavioral2/memory/4812-743-0x00007FF65C5A0000-0x00007FF65C995000-memory.dmp	upx
behavioral2/memory/3964-758-0x00007FF70FC40000-0x00007FF710035000-memory.dmp	upx
behavioral2/memory/4136-763-0x00007FF654700000-0x00007FF654AF5000-memory.dmp	upx
behavioral2/memory/1540-768-0x00007FF76BF20000-0x00007FF76C315000-memory.dmp	upx
behavioral2/memory/1884-777-0x00007FF695DC0000-0x00007FF6961B5000-memory.dmp	upx
behavioral2/memory/4828-783-0x00007FF79D820000-0x00007FF79DC15000-memory.dmp	upx
behavioral2/memory/4880-780-0x00007FF6B41B0000-0x00007FF6B45A5000-memory.dmp	upx
behavioral2/memory/3260-786-0x00007FF600280000-0x00007FF600675000-memory.dmp	upx
behavioral2/memory/4356-790-0x00007FF688940000-0x00007FF688D35000-memory.dmp	upx
behavioral2/memory/1184-791-0x00007FF617E30000-0x00007FF618225000-memory.dmp	upx
behavioral2/memory/3212-794-0x00007FF629100000-0x00007FF6294F5000-memory.dmp	upx
behavioral2/memory/8-1885-0x00007FF7697D0000-0x00007FF769BC5000-memory.dmp	upx
behavioral2/memory/4900-1886-0x00007FF79D400000-0x00007FF79D7F5000-memory.dmp	upx
behavioral2/memory/2200-1887-0x00007FF65E9E0000-0x00007FF65EDD5000-memory.dmp	upx
behavioral2/memory/4916-1888-0x00007FF6BC960000-0x00007FF6BCD55000-memory.dmp	upx
behavioral2/memory/8-1889-0x00007FF7697D0000-0x00007FF769BC5000-memory.dmp	upx
behavioral2/memory/4824-1890-0x00007FF69B6B0000-0x00007FF69BAA5000-memory.dmp	upx
behavioral2/memory/4900-1891-0x00007FF79D400000-0x00007FF79D7F5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\kFdZXof.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\egMJLhE.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\dZBKnRp.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\xZkKhfE.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\TpSeSlm.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\kvOsMhC.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\DnvIOMB.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\iUJRuLp.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\zAEuzkp.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\GfRpSUi.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\MSVFIew.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\HEWkDZa.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\CvKeYrx.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\rRpAsRW.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\DEounFb.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\QBouPNV.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\IFLPtoK.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\nGaIUaH.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\cqfPSLe.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\OvFUjws.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\QZelvYI.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\yiwqjkZ.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\qqeVHZD.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\BXhzGie.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\USRVgWB.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\HQqZZaC.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\WaGPXsA.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\NWsrAGj.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\hcWRsTI.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\ATyxinl.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\ohCGLEO.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\GqZmHcE.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\rcNhGpD.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\XuPdpjJ.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\xWfmGOi.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\GMgyptQ.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\cuBVdZt.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\cvAdlpp.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\keZlISo.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\KphOddA.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\uVOCdwL.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\JfkdOQw.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\snPdnzQ.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\RgrpdZO.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\yiDhugG.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\NBEScYq.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\dtqYPWm.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\WleNPge.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\VaXnUQl.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\PbLnPQl.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\cyavZUb.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\vezalEK.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\ChUqWeo.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\lwyDsNj.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\HHnqBzm.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\yxOYtKT.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\QJVwLmh.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\VjuarmU.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\YTiNaDJ.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\rVGYlCd.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\cMZaXhn.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\aFyxytN.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\CcmnCYA.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
File created	C:\Windows\System32\dqdYjse.exe	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13836	dwm.exe
Token: SeChangeNotifyPrivilege	13836	dwm.exe
Token: 33	13836	dwm.exe
Token: SeIncBasePriorityPrivilege	13836	dwm.exe
Token: SeShutdownPrivilege	13836	dwm.exe
Token: SeCreatePagefilePrivilege	13836	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 4824	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	84
PID 8 wrote to memory of 4824	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	84
PID 8 wrote to memory of 4900	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	85
PID 8 wrote to memory of 4900	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	85
PID 8 wrote to memory of 4864	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	86
PID 8 wrote to memory of 4864	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	86
PID 8 wrote to memory of 1700	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	87
PID 8 wrote to memory of 1700	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	87
PID 8 wrote to memory of 2200	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	88
PID 8 wrote to memory of 2200	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	88
PID 8 wrote to memory of 4916	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	89
PID 8 wrote to memory of 4916	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	89
PID 8 wrote to memory of 3212	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	90
PID 8 wrote to memory of 3212	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	90
PID 8 wrote to memory of 3848	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	91
PID 8 wrote to memory of 3848	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	91
PID 8 wrote to memory of 3264	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	92
PID 8 wrote to memory of 3264	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	92
PID 8 wrote to memory of 4780	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	93
PID 8 wrote to memory of 4780	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	93
PID 8 wrote to memory of 4964	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	94
PID 8 wrote to memory of 4964	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	94
PID 8 wrote to memory of 5092	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	95
PID 8 wrote to memory of 5092	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	95
PID 8 wrote to memory of 4388	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	96
PID 8 wrote to memory of 4388	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	96
PID 8 wrote to memory of 4812	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	97
PID 8 wrote to memory of 4812	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	97
PID 8 wrote to memory of 2396	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	98
PID 8 wrote to memory of 2396	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	98
PID 8 wrote to memory of 3964	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	99
PID 8 wrote to memory of 3964	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	99
PID 8 wrote to memory of 4136	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	100
PID 8 wrote to memory of 4136	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	100
PID 8 wrote to memory of 1540	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	101
PID 8 wrote to memory of 1540	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	101
PID 8 wrote to memory of 1884	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	102
PID 8 wrote to memory of 1884	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	102
PID 8 wrote to memory of 4880	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	103
PID 8 wrote to memory of 4880	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	103
PID 8 wrote to memory of 4828	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	104
PID 8 wrote to memory of 4828	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	104
PID 8 wrote to memory of 3260	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	105
PID 8 wrote to memory of 3260	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	105
PID 8 wrote to memory of 4356	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	106
PID 8 wrote to memory of 4356	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	106
PID 8 wrote to memory of 1184	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	107
PID 8 wrote to memory of 1184	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	107
PID 8 wrote to memory of 4568	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	108
PID 8 wrote to memory of 4568	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	108
PID 8 wrote to memory of 3536	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	109
PID 8 wrote to memory of 3536	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	109
PID 8 wrote to memory of 2964	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	110
PID 8 wrote to memory of 2964	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	110
PID 8 wrote to memory of 4632	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	111
PID 8 wrote to memory of 4632	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	111
PID 8 wrote to memory of 4076	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	112
PID 8 wrote to memory of 4076	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	112
PID 8 wrote to memory of 736	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	113
PID 8 wrote to memory of 736	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	113
PID 8 wrote to memory of 2936	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	114
PID 8 wrote to memory of 2936	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	114
PID 8 wrote to memory of 3204	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	115
PID 8 wrote to memory of 3204	8	8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe	115

C:\Users\Admin\AppData\Local\Temp\8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\8d91a5c6d25219a40c6673a3f55f59f0_NEAS.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\System32\ATEXJkF.exe
  C:\Windows\System32\ATEXJkF.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\NvOnfgp.exe
  C:\Windows\System32\NvOnfgp.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\dTKVmTZ.exe
  C:\Windows\System32\dTKVmTZ.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\aCMHxxi.exe
  C:\Windows\System32\aCMHxxi.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System32\jmTLcaU.exe
  C:\Windows\System32\jmTLcaU.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System32\HQqZZaC.exe
  C:\Windows\System32\HQqZZaC.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\qdsrREd.exe
  C:\Windows\System32\qdsrREd.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System32\YhLBzio.exe
  C:\Windows\System32\YhLBzio.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\kzOsAFJ.exe
  C:\Windows\System32\kzOsAFJ.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\QxubNmQ.exe
  C:\Windows\System32\QxubNmQ.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\AAioUSP.exe
  C:\Windows\System32\AAioUSP.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System32\TJFKZFv.exe
  C:\Windows\System32\TJFKZFv.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\RbpbHSw.exe
  C:\Windows\System32\RbpbHSw.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\nmXwqkV.exe
  C:\Windows\System32\nmXwqkV.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System32\tvVJEkz.exe
  C:\Windows\System32\tvVJEkz.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\bqZRdVg.exe
  C:\Windows\System32\bqZRdVg.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System32\tRLnOjx.exe
  C:\Windows\System32\tRLnOjx.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System32\HHkZErs.exe
  C:\Windows\System32\HHkZErs.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\jSBqVsh.exe
  C:\Windows\System32\jSBqVsh.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System32\UvuHHcn.exe
  C:\Windows\System32\UvuHHcn.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\OvFUjws.exe
  C:\Windows\System32\OvFUjws.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\WaGPXsA.exe
  C:\Windows\System32\WaGPXsA.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\ODWSXFm.exe
  C:\Windows\System32\ODWSXFm.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\abumcwS.exe
  C:\Windows\System32\abumcwS.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System32\igLciYQ.exe
  C:\Windows\System32\igLciYQ.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\KNLnxUp.exe
  C:\Windows\System32\KNLnxUp.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System32\REHhSJx.exe
  C:\Windows\System32\REHhSJx.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\DcqHrna.exe
  C:\Windows\System32\DcqHrna.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\tuslTYB.exe
  C:\Windows\System32\tuslTYB.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\bZhhBiN.exe
  C:\Windows\System32\bZhhBiN.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System32\IWWpCcj.exe
  C:\Windows\System32\IWWpCcj.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\JGKuFqc.exe
  C:\Windows\System32\JGKuFqc.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\NWsrAGj.exe
  C:\Windows\System32\NWsrAGj.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\dXEjHuQ.exe
  C:\Windows\System32\dXEjHuQ.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System32\xouKRQg.exe
  C:\Windows\System32\xouKRQg.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\MpdimLp.exe
  C:\Windows\System32\MpdimLp.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\bDFTiGg.exe
  C:\Windows\System32\bDFTiGg.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System32\uhAKROA.exe
  C:\Windows\System32\uhAKROA.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System32\QZelvYI.exe
  C:\Windows\System32\QZelvYI.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System32\aMvcvkP.exe
  C:\Windows\System32\aMvcvkP.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System32\JnHlAdS.exe
  C:\Windows\System32\JnHlAdS.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System32\MmniZoO.exe
  C:\Windows\System32\MmniZoO.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System32\KRAAmGN.exe
  C:\Windows\System32\KRAAmGN.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\TAufpUd.exe
  C:\Windows\System32\TAufpUd.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System32\MrvMjcU.exe
  C:\Windows\System32\MrvMjcU.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\PrJakZn.exe
  C:\Windows\System32\PrJakZn.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\iXLeeIr.exe
  C:\Windows\System32\iXLeeIr.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System32\gmdRICv.exe
  C:\Windows\System32\gmdRICv.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\hNORdbC.exe
  C:\Windows\System32\hNORdbC.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\HMdPDQS.exe
  C:\Windows\System32\HMdPDQS.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System32\cuBVdZt.exe
  C:\Windows\System32\cuBVdZt.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System32\qgSkidS.exe
  C:\Windows\System32\qgSkidS.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System32\EpIBCPx.exe
  C:\Windows\System32\EpIBCPx.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System32\jLcLYBt.exe
  C:\Windows\System32\jLcLYBt.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System32\hAbzprf.exe
  C:\Windows\System32\hAbzprf.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System32\xQmuTAM.exe
  C:\Windows\System32\xQmuTAM.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System32\yiwqjkZ.exe
  C:\Windows\System32\yiwqjkZ.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\kmoaJwf.exe
  C:\Windows\System32\kmoaJwf.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System32\JCFBzHD.exe
  C:\Windows\System32\JCFBzHD.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System32\pmrgQWM.exe
  C:\Windows\System32\pmrgQWM.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\ifhMqwV.exe
  C:\Windows\System32\ifhMqwV.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System32\AGYRbRF.exe
  C:\Windows\System32\AGYRbRF.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System32\DWfZgJr.exe
  C:\Windows\System32\DWfZgJr.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System32\dMbjAhX.exe
  C:\Windows\System32\dMbjAhX.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System32\cvAdlpp.exe
  C:\Windows\System32\cvAdlpp.exe
  2⤵
  PID:2244
- C:\Windows\System32\wPtQPvf.exe
  C:\Windows\System32\wPtQPvf.exe
  2⤵
  PID:5100
- C:\Windows\System32\XOBvgcY.exe
  C:\Windows\System32\XOBvgcY.exe
  2⤵
  PID:1428
- C:\Windows\System32\MedmquM.exe
  C:\Windows\System32\MedmquM.exe
  2⤵
  PID:4376
- C:\Windows\System32\NAelvIY.exe
  C:\Windows\System32\NAelvIY.exe
  2⤵
  PID:4072
- C:\Windows\System32\iTzIcVN.exe
  C:\Windows\System32\iTzIcVN.exe
  2⤵
  PID:4184
- C:\Windows\System32\YeLsUny.exe
  C:\Windows\System32\YeLsUny.exe
  2⤵
  PID:3736
- C:\Windows\System32\keZlISo.exe
  C:\Windows\System32\keZlISo.exe
  2⤵
  PID:3748
- C:\Windows\System32\oSgZHqs.exe
  C:\Windows\System32\oSgZHqs.exe
  2⤵
  PID:4244
- C:\Windows\System32\dFAPWWZ.exe
  C:\Windows\System32\dFAPWWZ.exe
  2⤵
  PID:4232
- C:\Windows\System32\WShQdQG.exe
  C:\Windows\System32\WShQdQG.exe
  2⤵
  PID:4860
- C:\Windows\System32\YsaEiSi.exe
  C:\Windows\System32\YsaEiSi.exe
  2⤵
  PID:3504
- C:\Windows\System32\KPfKSQY.exe
  C:\Windows\System32\KPfKSQY.exe
  2⤵
  PID:1808
- C:\Windows\System32\SWDSODm.exe
  C:\Windows\System32\SWDSODm.exe
  2⤵
  PID:2676
- C:\Windows\System32\SRWXEmp.exe
  C:\Windows\System32\SRWXEmp.exe
  2⤵
  PID:5148
- C:\Windows\System32\ucyhLvy.exe
  C:\Windows\System32\ucyhLvy.exe
  2⤵
  PID:5164
- C:\Windows\System32\FofEaVS.exe
  C:\Windows\System32\FofEaVS.exe
  2⤵
  PID:5200
- C:\Windows\System32\dzcsEpb.exe
  C:\Windows\System32\dzcsEpb.exe
  2⤵
  PID:5220
- C:\Windows\System32\GkqjJrj.exe
  C:\Windows\System32\GkqjJrj.exe
  2⤵
  PID:5248
- C:\Windows\System32\wAMOOxv.exe
  C:\Windows\System32\wAMOOxv.exe
  2⤵
  PID:5288
- C:\Windows\System32\DVfCRRM.exe
  C:\Windows\System32\DVfCRRM.exe
  2⤵
  PID:5304
- C:\Windows\System32\YnsOFZM.exe
  C:\Windows\System32\YnsOFZM.exe
  2⤵
  PID:5332
- C:\Windows\System32\wDALzuZ.exe
  C:\Windows\System32\wDALzuZ.exe
  2⤵
  PID:5360
- C:\Windows\System32\jBZLRvW.exe
  C:\Windows\System32\jBZLRvW.exe
  2⤵
  PID:5388
- C:\Windows\System32\XuPdpjJ.exe
  C:\Windows\System32\XuPdpjJ.exe
  2⤵
  PID:5416
- C:\Windows\System32\EmjJTRM.exe
  C:\Windows\System32\EmjJTRM.exe
  2⤵
  PID:5444
- C:\Windows\System32\gJQvMcn.exe
  C:\Windows\System32\gJQvMcn.exe
  2⤵
  PID:5472
- C:\Windows\System32\jLMwcyn.exe
  C:\Windows\System32\jLMwcyn.exe
  2⤵
  PID:5500
- C:\Windows\System32\ubztzJD.exe
  C:\Windows\System32\ubztzJD.exe
  2⤵
  PID:5528
- C:\Windows\System32\tBqnGzf.exe
  C:\Windows\System32\tBqnGzf.exe
  2⤵
  PID:5556
- C:\Windows\System32\cXPqlnu.exe
  C:\Windows\System32\cXPqlnu.exe
  2⤵
  PID:5584
- C:\Windows\System32\iJjGKXS.exe
  C:\Windows\System32\iJjGKXS.exe
  2⤵
  PID:5612
- C:\Windows\System32\ptfJxrz.exe
  C:\Windows\System32\ptfJxrz.exe
  2⤵
  PID:5640
- C:\Windows\System32\xWfmGOi.exe
  C:\Windows\System32\xWfmGOi.exe
  2⤵
  PID:5668
- C:\Windows\System32\Efooqvf.exe
  C:\Windows\System32\Efooqvf.exe
  2⤵
  PID:5696
- C:\Windows\System32\CdoMsFG.exe
  C:\Windows\System32\CdoMsFG.exe
  2⤵
  PID:5724
- C:\Windows\System32\RzdXhor.exe
  C:\Windows\System32\RzdXhor.exe
  2⤵
  PID:5752
- C:\Windows\System32\RnZZBRa.exe
  C:\Windows\System32\RnZZBRa.exe
  2⤵
  PID:5780
- C:\Windows\System32\FXvsKtO.exe
  C:\Windows\System32\FXvsKtO.exe
  2⤵
  PID:5808
- C:\Windows\System32\kFdZXof.exe
  C:\Windows\System32\kFdZXof.exe
  2⤵
  PID:5836
- C:\Windows\System32\LbicNgr.exe
  C:\Windows\System32\LbicNgr.exe
  2⤵
  PID:5864
- C:\Windows\System32\FkjBvcC.exe
  C:\Windows\System32\FkjBvcC.exe
  2⤵
  PID:5904
- C:\Windows\System32\QeZuPkz.exe
  C:\Windows\System32\QeZuPkz.exe
  2⤵
  PID:5920
- C:\Windows\System32\FEwqBLd.exe
  C:\Windows\System32\FEwqBLd.exe
  2⤵
  PID:5948
- C:\Windows\System32\zXIjMPZ.exe
  C:\Windows\System32\zXIjMPZ.exe
  2⤵
  PID:5976
- C:\Windows\System32\XZtdYWu.exe
  C:\Windows\System32\XZtdYWu.exe
  2⤵
  PID:6004
- C:\Windows\System32\rMXYnZt.exe
  C:\Windows\System32\rMXYnZt.exe
  2⤵
  PID:6044
- C:\Windows\System32\jjcHKYH.exe
  C:\Windows\System32\jjcHKYH.exe
  2⤵
  PID:6060
- C:\Windows\System32\BWRyipv.exe
  C:\Windows\System32\BWRyipv.exe
  2⤵
  PID:6088
- C:\Windows\System32\fRZDSTi.exe
  C:\Windows\System32\fRZDSTi.exe
  2⤵
  PID:6116
- C:\Windows\System32\RcGaDlP.exe
  C:\Windows\System32\RcGaDlP.exe
  2⤵
  PID:3208
- C:\Windows\System32\isgkeKT.exe
  C:\Windows\System32\isgkeKT.exe
  2⤵
  PID:4648
- C:\Windows\System32\RREdkDd.exe
  C:\Windows\System32\RREdkDd.exe
  2⤵
  PID:4612
- C:\Windows\System32\tPhRTeF.exe
  C:\Windows\System32\tPhRTeF.exe
  2⤵
  PID:408
- C:\Windows\System32\eBNBYGL.exe
  C:\Windows\System32\eBNBYGL.exe
  2⤵
  PID:5132
- C:\Windows\System32\vGNwvMZ.exe
  C:\Windows\System32\vGNwvMZ.exe
  2⤵
  PID:5208
- C:\Windows\System32\JSQhdVs.exe
  C:\Windows\System32\JSQhdVs.exe
  2⤵
  PID:5272
- C:\Windows\System32\GWazfLx.exe
  C:\Windows\System32\GWazfLx.exe
  2⤵
  PID:5348
- C:\Windows\System32\btYuRlA.exe
  C:\Windows\System32\btYuRlA.exe
  2⤵
  PID:5396
- C:\Windows\System32\YOKzkvm.exe
  C:\Windows\System32\YOKzkvm.exe
  2⤵
  PID:5464
- C:\Windows\System32\MpAYoDz.exe
  C:\Windows\System32\MpAYoDz.exe
  2⤵
  PID:5544
- C:\Windows\System32\UQpNHYx.exe
  C:\Windows\System32\UQpNHYx.exe
  2⤵
  PID:5620
- C:\Windows\System32\vBXJNgx.exe
  C:\Windows\System32\vBXJNgx.exe
  2⤵
  PID:5660
- C:\Windows\System32\aFyxytN.exe
  C:\Windows\System32\aFyxytN.exe
  2⤵
  PID:5740
- C:\Windows\System32\VANvEeI.exe
  C:\Windows\System32\VANvEeI.exe
  2⤵
  PID:5788
- C:\Windows\System32\BGcvcgC.exe
  C:\Windows\System32\BGcvcgC.exe
  2⤵
  PID:5844
- C:\Windows\System32\QNXRDAj.exe
  C:\Windows\System32\QNXRDAj.exe
  2⤵
  PID:5916
- C:\Windows\System32\rBCAVTJ.exe
  C:\Windows\System32\rBCAVTJ.exe
  2⤵
  PID:5992
- C:\Windows\System32\KBEPBQl.exe
  C:\Windows\System32\KBEPBQl.exe
  2⤵
  PID:6052
- C:\Windows\System32\ukqblxz.exe
  C:\Windows\System32\ukqblxz.exe
  2⤵
  PID:6108
- C:\Windows\System32\vFNAGXO.exe
  C:\Windows\System32\vFNAGXO.exe
  2⤵
  PID:4272
- C:\Windows\System32\EXPfGjk.exe
  C:\Windows\System32\EXPfGjk.exe
  2⤵
  PID:4380
- C:\Windows\System32\WfICQfX.exe
  C:\Windows\System32\WfICQfX.exe
  2⤵
  PID:5264
- C:\Windows\System32\FIDAUAw.exe
  C:\Windows\System32\FIDAUAw.exe
  2⤵
  PID:5436
- C:\Windows\System32\XFMAydr.exe
  C:\Windows\System32\XFMAydr.exe
  2⤵
  PID:5564
- C:\Windows\System32\YVEBRvE.exe
  C:\Windows\System32\YVEBRvE.exe
  2⤵
  PID:5676
- C:\Windows\System32\GfRpSUi.exe
  C:\Windows\System32\GfRpSUi.exe
  2⤵
  PID:5828
- C:\Windows\System32\QRIHNyC.exe
  C:\Windows\System32\QRIHNyC.exe
  2⤵
  PID:5956
- C:\Windows\System32\ohIoKbz.exe
  C:\Windows\System32\ohIoKbz.exe
  2⤵
  PID:5036
- C:\Windows\System32\LPTipoy.exe
  C:\Windows\System32\LPTipoy.exe
  2⤵
  PID:5172
- C:\Windows\System32\JARoUrK.exe
  C:\Windows\System32\JARoUrK.exe
  2⤵
  PID:5460
- C:\Windows\System32\GwrQFFb.exe
  C:\Windows\System32\GwrQFFb.exe
  2⤵
  PID:6160
- C:\Windows\System32\RuXEzYy.exe
  C:\Windows\System32\RuXEzYy.exe
  2⤵
  PID:6188
- C:\Windows\System32\AvtZXlY.exe
  C:\Windows\System32\AvtZXlY.exe
  2⤵
  PID:6216
- C:\Windows\System32\yKpJXQS.exe
  C:\Windows\System32\yKpJXQS.exe
  2⤵
  PID:6244
- C:\Windows\System32\PPHLCRj.exe
  C:\Windows\System32\PPHLCRj.exe
  2⤵
  PID:6272
- C:\Windows\System32\cyavZUb.exe
  C:\Windows\System32\cyavZUb.exe
  2⤵
  PID:6300
- C:\Windows\System32\SQEaksE.exe
  C:\Windows\System32\SQEaksE.exe
  2⤵
  PID:6328
- C:\Windows\System32\AWgiDzC.exe
  C:\Windows\System32\AWgiDzC.exe
  2⤵
  PID:6356
- C:\Windows\System32\JkroWDt.exe
  C:\Windows\System32\JkroWDt.exe
  2⤵
  PID:6396
- C:\Windows\System32\BZtSjWu.exe
  C:\Windows\System32\BZtSjWu.exe
  2⤵
  PID:6412
- C:\Windows\System32\gLUhwtj.exe
  C:\Windows\System32\gLUhwtj.exe
  2⤵
  PID:6440
- C:\Windows\System32\eUiNLpi.exe
  C:\Windows\System32\eUiNLpi.exe
  2⤵
  PID:6468
- C:\Windows\System32\sHQLGMm.exe
  C:\Windows\System32\sHQLGMm.exe
  2⤵
  PID:6496
- C:\Windows\System32\VRmqbJc.exe
  C:\Windows\System32\VRmqbJc.exe
  2⤵
  PID:6524
- C:\Windows\System32\nssMzuL.exe
  C:\Windows\System32\nssMzuL.exe
  2⤵
  PID:6552
- C:\Windows\System32\vezalEK.exe
  C:\Windows\System32\vezalEK.exe
  2⤵
  PID:6580
- C:\Windows\System32\Emxxdwi.exe
  C:\Windows\System32\Emxxdwi.exe
  2⤵
  PID:6608
- C:\Windows\System32\SeWnfkI.exe
  C:\Windows\System32\SeWnfkI.exe
  2⤵
  PID:6636
- C:\Windows\System32\KKEaFuU.exe
  C:\Windows\System32\KKEaFuU.exe
  2⤵
  PID:6664
- C:\Windows\System32\FuBoYTv.exe
  C:\Windows\System32\FuBoYTv.exe
  2⤵
  PID:6692
- C:\Windows\System32\NWuvMJY.exe
  C:\Windows\System32\NWuvMJY.exe
  2⤵
  PID:6720
- C:\Windows\System32\XbpaLXx.exe
  C:\Windows\System32\XbpaLXx.exe
  2⤵
  PID:6748
- C:\Windows\System32\tGTDHTE.exe
  C:\Windows\System32\tGTDHTE.exe
  2⤵
  PID:6776
- C:\Windows\System32\TVrayjn.exe
  C:\Windows\System32\TVrayjn.exe
  2⤵
  PID:6804
- C:\Windows\System32\AyPNFBX.exe
  C:\Windows\System32\AyPNFBX.exe
  2⤵
  PID:6844
- C:\Windows\System32\TadlkfO.exe
  C:\Windows\System32\TadlkfO.exe
  2⤵
  PID:6860
- C:\Windows\System32\VzHkLDV.exe
  C:\Windows\System32\VzHkLDV.exe
  2⤵
  PID:6888
- C:\Windows\System32\sruTzMj.exe
  C:\Windows\System32\sruTzMj.exe
  2⤵
  PID:6916
- C:\Windows\System32\dIHguXs.exe
  C:\Windows\System32\dIHguXs.exe
  2⤵
  PID:6944
- C:\Windows\System32\tTYxSnK.exe
  C:\Windows\System32\tTYxSnK.exe
  2⤵
  PID:6972
- C:\Windows\System32\oAivYci.exe
  C:\Windows\System32\oAivYci.exe
  2⤵
  PID:7000
- C:\Windows\System32\hCROGnn.exe
  C:\Windows\System32\hCROGnn.exe
  2⤵
  PID:7028
- C:\Windows\System32\xNMzqQj.exe
  C:\Windows\System32\xNMzqQj.exe
  2⤵
  PID:7056
- C:\Windows\System32\xuHZvfH.exe
  C:\Windows\System32\xuHZvfH.exe
  2⤵
  PID:7084
- C:\Windows\System32\KiTWQaH.exe
  C:\Windows\System32\KiTWQaH.exe
  2⤵
  PID:7112
- C:\Windows\System32\IgoyWIF.exe
  C:\Windows\System32\IgoyWIF.exe
  2⤵
  PID:7140
- C:\Windows\System32\YSDiePc.exe
  C:\Windows\System32\YSDiePc.exe
  2⤵
  PID:5772
- C:\Windows\System32\MtoziOP.exe
  C:\Windows\System32\MtoziOP.exe
  2⤵
  PID:5996
- C:\Windows\System32\LVwbXig.exe
  C:\Windows\System32\LVwbXig.exe
  2⤵
  PID:5480
- C:\Windows\System32\BbDjiDC.exe
  C:\Windows\System32\BbDjiDC.exe
  2⤵
  PID:6204
- C:\Windows\System32\pyIBfdx.exe
  C:\Windows\System32\pyIBfdx.exe
  2⤵
  PID:6252
- C:\Windows\System32\PvqzcVS.exe
  C:\Windows\System32\PvqzcVS.exe
  2⤵
  PID:6320
- C:\Windows\System32\DfmxUUk.exe
  C:\Windows\System32\DfmxUUk.exe
  2⤵
  PID:6380
- C:\Windows\System32\deqdfEj.exe
  C:\Windows\System32\deqdfEj.exe
  2⤵
  PID:6432
- C:\Windows\System32\yTBzGbp.exe
  C:\Windows\System32\yTBzGbp.exe
  2⤵
  PID:6488
- C:\Windows\System32\cTVJgTb.exe
  C:\Windows\System32\cTVJgTb.exe
  2⤵
  PID:4896
- C:\Windows\System32\VKRNDTw.exe
  C:\Windows\System32\VKRNDTw.exe
  2⤵
  PID:6600
- C:\Windows\System32\KoEDZzj.exe
  C:\Windows\System32\KoEDZzj.exe
  2⤵
  PID:6644
- C:\Windows\System32\lGTHVTK.exe
  C:\Windows\System32\lGTHVTK.exe
  2⤵
  PID:6700
- C:\Windows\System32\rIAVTid.exe
  C:\Windows\System32\rIAVTid.exe
  2⤵
  PID:6768
- C:\Windows\System32\ulqZnFC.exe
  C:\Windows\System32\ulqZnFC.exe
  2⤵
  PID:6836
- C:\Windows\System32\eXBPJft.exe
  C:\Windows\System32\eXBPJft.exe
  2⤵
  PID:6896
- C:\Windows\System32\KjOJJdB.exe
  C:\Windows\System32\KjOJJdB.exe
  2⤵
  PID:6952
- C:\Windows\System32\nSQYGGK.exe
  C:\Windows\System32\nSQYGGK.exe
  2⤵
  PID:7020
- C:\Windows\System32\ewFpBHL.exe
  C:\Windows\System32\ewFpBHL.exe
  2⤵
  PID:7100
- C:\Windows\System32\keWBLdt.exe
  C:\Windows\System32\keWBLdt.exe
  2⤵
  PID:7156
- C:\Windows\System32\PUEnKtY.exe
  C:\Windows\System32\PUEnKtY.exe
  2⤵
  PID:2192
- C:\Windows\System32\CvKeYrx.exe
  C:\Windows\System32\CvKeYrx.exe
  2⤵
  PID:6208
- C:\Windows\System32\GAUkfld.exe
  C:\Windows\System32\GAUkfld.exe
  2⤵
  PID:6344
- C:\Windows\System32\xnCyTrF.exe
  C:\Windows\System32\xnCyTrF.exe
  2⤵
  PID:5072
- C:\Windows\System32\wqeTOVf.exe
  C:\Windows\System32\wqeTOVf.exe
  2⤵
  PID:6560
- C:\Windows\System32\egMJLhE.exe
  C:\Windows\System32\egMJLhE.exe
  2⤵
  PID:2088
- C:\Windows\System32\XuHhUbn.exe
  C:\Windows\System32\XuHhUbn.exe
  2⤵
  PID:2732
- C:\Windows\System32\NLwDExG.exe
  C:\Windows\System32\NLwDExG.exe
  2⤵
  PID:6868
- C:\Windows\System32\ppbNXQK.exe
  C:\Windows\System32\ppbNXQK.exe
  2⤵
  PID:6988
- C:\Windows\System32\uMEnUXS.exe
  C:\Windows\System32\uMEnUXS.exe
  2⤵
  PID:6348
- C:\Windows\System32\AgDPiqc.exe
  C:\Windows\System32\AgDPiqc.exe
  2⤵
  PID:6388
- C:\Windows\System32\RgrpdZO.exe
  C:\Windows\System32\RgrpdZO.exe
  2⤵
  PID:6504
- C:\Windows\System32\eAAEWia.exe
  C:\Windows\System32\eAAEWia.exe
  2⤵
  PID:2648
- C:\Windows\System32\wzrWepM.exe
  C:\Windows\System32\wzrWepM.exe
  2⤵
  PID:888
- C:\Windows\System32\gmHpuXY.exe
  C:\Windows\System32\gmHpuXY.exe
  2⤵
  PID:532
- C:\Windows\System32\qtXpvuC.exe
  C:\Windows\System32\qtXpvuC.exe
  2⤵
  PID:6764
- C:\Windows\System32\kGvBlIE.exe
  C:\Windows\System32\kGvBlIE.exe
  2⤵
  PID:3140
- C:\Windows\System32\JSBBilf.exe
  C:\Windows\System32\JSBBilf.exe
  2⤵
  PID:4304
- C:\Windows\System32\qChczcS.exe
  C:\Windows\System32\qChczcS.exe
  2⤵
  PID:3460
- C:\Windows\System32\lKQnMnS.exe
  C:\Windows\System32\lKQnMnS.exe
  2⤵
  PID:3224
- C:\Windows\System32\oogncFc.exe
  C:\Windows\System32\oogncFc.exe
  2⤵
  PID:3996
- C:\Windows\System32\KmbiEIe.exe
  C:\Windows\System32\KmbiEIe.exe
  2⤵
  PID:4656
- C:\Windows\System32\lzJqanw.exe
  C:\Windows\System32\lzJqanw.exe
  2⤵
  PID:4484
- C:\Windows\System32\QBouPNV.exe
  C:\Windows\System32\QBouPNV.exe
  2⤵
  PID:4672
- C:\Windows\System32\tWsOtIv.exe
  C:\Windows\System32\tWsOtIv.exe
  2⤵
  PID:7176
- C:\Windows\System32\KZjDtmC.exe
  C:\Windows\System32\KZjDtmC.exe
  2⤵
  PID:7212
- C:\Windows\System32\VaXnUQl.exe
  C:\Windows\System32\VaXnUQl.exe
  2⤵
  PID:7228
- C:\Windows\System32\gKcGsUl.exe
  C:\Windows\System32\gKcGsUl.exe
  2⤵
  PID:7264
- C:\Windows\System32\tpuJJlS.exe
  C:\Windows\System32\tpuJJlS.exe
  2⤵
  PID:7304
- C:\Windows\System32\Vlpjise.exe
  C:\Windows\System32\Vlpjise.exe
  2⤵
  PID:7396
- C:\Windows\System32\oINFMsQ.exe
  C:\Windows\System32\oINFMsQ.exe
  2⤵
  PID:7436
- C:\Windows\System32\TBxzpjQ.exe
  C:\Windows\System32\TBxzpjQ.exe
  2⤵
  PID:7460
- C:\Windows\System32\mEuOXAT.exe
  C:\Windows\System32\mEuOXAT.exe
  2⤵
  PID:7484
- C:\Windows\System32\mzltulH.exe
  C:\Windows\System32\mzltulH.exe
  2⤵
  PID:7556
- C:\Windows\System32\YHzxhup.exe
  C:\Windows\System32\YHzxhup.exe
  2⤵
  PID:7584
- C:\Windows\System32\osXoyMr.exe
  C:\Windows\System32\osXoyMr.exe
  2⤵
  PID:7604
- C:\Windows\System32\eTadPcy.exe
  C:\Windows\System32\eTadPcy.exe
  2⤵
  PID:7632
- C:\Windows\System32\PgyNZFT.exe
  C:\Windows\System32\PgyNZFT.exe
  2⤵
  PID:7672
- C:\Windows\System32\rRpAsRW.exe
  C:\Windows\System32\rRpAsRW.exe
  2⤵
  PID:7704
- C:\Windows\System32\qvrcQdj.exe
  C:\Windows\System32\qvrcQdj.exe
  2⤵
  PID:7732
- C:\Windows\System32\yiDhugG.exe
  C:\Windows\System32\yiDhugG.exe
  2⤵
  PID:7764
- C:\Windows\System32\nobYzTY.exe
  C:\Windows\System32\nobYzTY.exe
  2⤵
  PID:7796
- C:\Windows\System32\zWgoNLm.exe
  C:\Windows\System32\zWgoNLm.exe
  2⤵
  PID:7812
- C:\Windows\System32\JEntlxk.exe
  C:\Windows\System32\JEntlxk.exe
  2⤵
  PID:7828
- C:\Windows\System32\UiXuiIS.exe
  C:\Windows\System32\UiXuiIS.exe
  2⤵
  PID:7864
- C:\Windows\System32\ebyQaar.exe
  C:\Windows\System32\ebyQaar.exe
  2⤵
  PID:7908
- C:\Windows\System32\fTKPQed.exe
  C:\Windows\System32\fTKPQed.exe
  2⤵
  PID:7936
- C:\Windows\System32\BfGYWUY.exe
  C:\Windows\System32\BfGYWUY.exe
  2⤵
  PID:7952
- C:\Windows\System32\ISJoGBe.exe
  C:\Windows\System32\ISJoGBe.exe
  2⤵
  PID:7980
- C:\Windows\System32\yyxxUUx.exe
  C:\Windows\System32\yyxxUUx.exe
  2⤵
  PID:8020
- C:\Windows\System32\vPgaCBu.exe
  C:\Windows\System32\vPgaCBu.exe
  2⤵
  PID:8048
- C:\Windows\System32\JcUEyDU.exe
  C:\Windows\System32\JcUEyDU.exe
  2⤵
  PID:8068
- C:\Windows\System32\QJVwLmh.exe
  C:\Windows\System32\QJVwLmh.exe
  2⤵
  PID:8104
- C:\Windows\System32\yfIMiah.exe
  C:\Windows\System32\yfIMiah.exe
  2⤵
  PID:8132
- C:\Windows\System32\XXryagQ.exe
  C:\Windows\System32\XXryagQ.exe
  2⤵
  PID:8160
- C:\Windows\System32\duMLBAS.exe
  C:\Windows\System32\duMLBAS.exe
  2⤵
  PID:8188
- C:\Windows\System32\syZUIgp.exe
  C:\Windows\System32\syZUIgp.exe
  2⤵
  PID:7224
- C:\Windows\System32\VjuarmU.exe
  C:\Windows\System32\VjuarmU.exe
  2⤵
  PID:7200
- C:\Windows\System32\jYzOYLf.exe
  C:\Windows\System32\jYzOYLf.exe
  2⤵
  PID:7272
- C:\Windows\System32\AsOwpvt.exe
  C:\Windows\System32\AsOwpvt.exe
  2⤵
  PID:7356
- C:\Windows\System32\DEounFb.exe
  C:\Windows\System32\DEounFb.exe
  2⤵
  PID:3632
- C:\Windows\System32\kdZupSp.exe
  C:\Windows\System32\kdZupSp.exe
  2⤵
  PID:7444
- C:\Windows\System32\flyEwlb.exe
  C:\Windows\System32\flyEwlb.exe
  2⤵
  PID:7520
- C:\Windows\System32\ObJkuir.exe
  C:\Windows\System32\ObJkuir.exe
  2⤵
  PID:7492
- C:\Windows\System32\gAqqhrW.exe
  C:\Windows\System32\gAqqhrW.exe
  2⤵
  PID:7648
- C:\Windows\System32\MqcgfMN.exe
  C:\Windows\System32\MqcgfMN.exe
  2⤵
  PID:7688
- C:\Windows\System32\AmRTsGr.exe
  C:\Windows\System32\AmRTsGr.exe
  2⤵
  PID:7784
- C:\Windows\System32\Cgfbgcm.exe
  C:\Windows\System32\Cgfbgcm.exe
  2⤵
  PID:7820
- C:\Windows\System32\ohCGLEO.exe
  C:\Windows\System32\ohCGLEO.exe
  2⤵
  PID:7872
- C:\Windows\System32\lAOYzro.exe
  C:\Windows\System32\lAOYzro.exe
  2⤵
  PID:7948
- C:\Windows\System32\qJncQEi.exe
  C:\Windows\System32\qJncQEi.exe
  2⤵
  PID:7992
- C:\Windows\System32\bfQBEbi.exe
  C:\Windows\System32\bfQBEbi.exe
  2⤵
  PID:8088
- C:\Windows\System32\QVWrtkt.exe
  C:\Windows\System32\QVWrtkt.exe
  2⤵
  PID:8148
- C:\Windows\System32\xqwvLQZ.exe
  C:\Windows\System32\xqwvLQZ.exe
  2⤵
  PID:7208
- C:\Windows\System32\qDagtaz.exe
  C:\Windows\System32\qDagtaz.exe
  2⤵
  PID:7340
- C:\Windows\System32\yWsqUkj.exe
  C:\Windows\System32\yWsqUkj.exe
  2⤵
  PID:7236
- C:\Windows\System32\GEzYYLd.exe
  C:\Windows\System32\GEzYYLd.exe
  2⤵
  PID:7600
- C:\Windows\System32\EthAGTC.exe
  C:\Windows\System32\EthAGTC.exe
  2⤵
  PID:7792
- C:\Windows\System32\gEFOSwe.exe
  C:\Windows\System32\gEFOSwe.exe
  2⤵
  PID:7888
- C:\Windows\System32\RJsciee.exe
  C:\Windows\System32\RJsciee.exe
  2⤵
  PID:8056
- C:\Windows\System32\CcmnCYA.exe
  C:\Windows\System32\CcmnCYA.exe
  2⤵
  PID:8128
- C:\Windows\System32\MThydiZ.exe
  C:\Windows\System32\MThydiZ.exe
  2⤵
  PID:7456
- C:\Windows\System32\grgjcsm.exe
  C:\Windows\System32\grgjcsm.exe
  2⤵
  PID:7724
- C:\Windows\System32\NXKWVnY.exe
  C:\Windows\System32\NXKWVnY.exe
  2⤵
  PID:6740
- C:\Windows\System32\syVKdiG.exe
  C:\Windows\System32\syVKdiG.exe
  2⤵
  PID:7944
- C:\Windows\System32\QRxYfbE.exe
  C:\Windows\System32\QRxYfbE.exe
  2⤵
  PID:8116
- C:\Windows\System32\DOlmgyc.exe
  C:\Windows\System32\DOlmgyc.exe
  2⤵
  PID:8212
- C:\Windows\System32\jWXVIHL.exe
  C:\Windows\System32\jWXVIHL.exe
  2⤵
  PID:8228
- C:\Windows\System32\dWCrxur.exe
  C:\Windows\System32\dWCrxur.exe
  2⤵
  PID:8288
- C:\Windows\System32\xUQNwXW.exe
  C:\Windows\System32\xUQNwXW.exe
  2⤵
  PID:8320
- C:\Windows\System32\yojyuNx.exe
  C:\Windows\System32\yojyuNx.exe
  2⤵
  PID:8344
- C:\Windows\System32\Cejtsgd.exe
  C:\Windows\System32\Cejtsgd.exe
  2⤵
  PID:8380
- C:\Windows\System32\mFDVdlY.exe
  C:\Windows\System32\mFDVdlY.exe
  2⤵
  PID:8400
- C:\Windows\System32\YmGzpaU.exe
  C:\Windows\System32\YmGzpaU.exe
  2⤵
  PID:8428
- C:\Windows\System32\WlWppXl.exe
  C:\Windows\System32\WlWppXl.exe
  2⤵
  PID:8456
- C:\Windows\System32\svdTCrP.exe
  C:\Windows\System32\svdTCrP.exe
  2⤵
  PID:8488
- C:\Windows\System32\KWmMHWr.exe
  C:\Windows\System32\KWmMHWr.exe
  2⤵
  PID:8532
- C:\Windows\System32\DIBjJRq.exe
  C:\Windows\System32\DIBjJRq.exe
  2⤵
  PID:8576
- C:\Windows\System32\dVuGxhg.exe
  C:\Windows\System32\dVuGxhg.exe
  2⤵
  PID:8604
- C:\Windows\System32\XwcjxOE.exe
  C:\Windows\System32\XwcjxOE.exe
  2⤵
  PID:8636
- C:\Windows\System32\RXbyKxo.exe
  C:\Windows\System32\RXbyKxo.exe
  2⤵
  PID:8664
- C:\Windows\System32\uPjYdDY.exe
  C:\Windows\System32\uPjYdDY.exe
  2⤵
  PID:8692
- C:\Windows\System32\ZWfdwNU.exe
  C:\Windows\System32\ZWfdwNU.exe
  2⤵
  PID:8716
- C:\Windows\System32\AbPyxPW.exe
  C:\Windows\System32\AbPyxPW.exe
  2⤵
  PID:8768
- C:\Windows\System32\uvWcSNn.exe
  C:\Windows\System32\uvWcSNn.exe
  2⤵
  PID:8788
- C:\Windows\System32\AKrRgKY.exe
  C:\Windows\System32\AKrRgKY.exe
  2⤵
  PID:8816
- C:\Windows\System32\tIeANoq.exe
  C:\Windows\System32\tIeANoq.exe
  2⤵
  PID:8844
- C:\Windows\System32\hcWRsTI.exe
  C:\Windows\System32\hcWRsTI.exe
  2⤵
  PID:8872
- C:\Windows\System32\wFcJSdN.exe
  C:\Windows\System32\wFcJSdN.exe
  2⤵
  PID:8908
- C:\Windows\System32\VbZwNdW.exe
  C:\Windows\System32\VbZwNdW.exe
  2⤵
  PID:8932
- C:\Windows\System32\wqsFeBj.exe
  C:\Windows\System32\wqsFeBj.exe
  2⤵
  PID:8952
- C:\Windows\System32\KcwAoOS.exe
  C:\Windows\System32\KcwAoOS.exe
  2⤵
  PID:8976
- C:\Windows\System32\dWWZfbJ.exe
  C:\Windows\System32\dWWZfbJ.exe
  2⤵
  PID:9016
- C:\Windows\System32\sZCZAwe.exe
  C:\Windows\System32\sZCZAwe.exe
  2⤵
  PID:9044
- C:\Windows\System32\YZwrrLf.exe
  C:\Windows\System32\YZwrrLf.exe
  2⤵
  PID:9064
- C:\Windows\System32\rRWPqoL.exe
  C:\Windows\System32\rRWPqoL.exe
  2⤵
  PID:9104
- C:\Windows\System32\GNAdXtZ.exe
  C:\Windows\System32\GNAdXtZ.exe
  2⤵
  PID:9124
- C:\Windows\System32\EFVmSJD.exe
  C:\Windows\System32\EFVmSJD.exe
  2⤵
  PID:9148
- C:\Windows\System32\gYhwFav.exe
  C:\Windows\System32\gYhwFav.exe
  2⤵
  PID:9168
- C:\Windows\System32\jHeZjld.exe
  C:\Windows\System32\jHeZjld.exe
  2⤵
  PID:9212
- C:\Windows\System32\NOqfiXl.exe
  C:\Windows\System32\NOqfiXl.exe
  2⤵
  PID:8224
- C:\Windows\System32\FGOMooc.exe
  C:\Windows\System32\FGOMooc.exe
  2⤵
  PID:8340
- C:\Windows\System32\spONXEX.exe
  C:\Windows\System32\spONXEX.exe
  2⤵
  PID:8440
- C:\Windows\System32\JmvKdWw.exe
  C:\Windows\System32\JmvKdWw.exe
  2⤵
  PID:8560
- C:\Windows\System32\sDACQhE.exe
  C:\Windows\System32\sDACQhE.exe
  2⤵
  PID:8600
- C:\Windows\System32\hvzMWKZ.exe
  C:\Windows\System32\hvzMWKZ.exe
  2⤵
  PID:8688
- C:\Windows\System32\KDXRYBt.exe
  C:\Windows\System32\KDXRYBt.exe
  2⤵
  PID:8780
- C:\Windows\System32\JGeOfss.exe
  C:\Windows\System32\JGeOfss.exe
  2⤵
  PID:8828
- C:\Windows\System32\AlHLBUK.exe
  C:\Windows\System32\AlHLBUK.exe
  2⤵
  PID:8916
- C:\Windows\System32\sNlQCHH.exe
  C:\Windows\System32\sNlQCHH.exe
  2⤵
  PID:9004
- C:\Windows\System32\nNEVvgA.exe
  C:\Windows\System32\nNEVvgA.exe
  2⤵
  PID:9072
- C:\Windows\System32\ChUqWeo.exe
  C:\Windows\System32\ChUqWeo.exe
  2⤵
  PID:9132
- C:\Windows\System32\xPoMNEK.exe
  C:\Windows\System32\xPoMNEK.exe
  2⤵
  PID:8220
- C:\Windows\System32\QaBPxVB.exe
  C:\Windows\System32\QaBPxVB.exe
  2⤵
  PID:8420
- C:\Windows\System32\ABXAEif.exe
  C:\Windows\System32\ABXAEif.exe
  2⤵
  PID:8612
- C:\Windows\System32\lujDyyB.exe
  C:\Windows\System32\lujDyyB.exe
  2⤵
  PID:8752
- C:\Windows\System32\xORLkDX.exe
  C:\Windows\System32\xORLkDX.exe
  2⤵
  PID:9036
- C:\Windows\System32\rAclSUt.exe
  C:\Windows\System32\rAclSUt.exe
  2⤵
  PID:8300
- C:\Windows\System32\UhzcyXC.exe
  C:\Windows\System32\UhzcyXC.exe
  2⤵
  PID:9236
- C:\Windows\System32\NvpEMFe.exe
  C:\Windows\System32\NvpEMFe.exe
  2⤵
  PID:9260
- C:\Windows\System32\HufvJAT.exe
  C:\Windows\System32\HufvJAT.exe
  2⤵
  PID:9284
- C:\Windows\System32\lqhWsNH.exe
  C:\Windows\System32\lqhWsNH.exe
  2⤵
  PID:9300
- C:\Windows\System32\DnvIOMB.exe
  C:\Windows\System32\DnvIOMB.exe
  2⤵
  PID:9320
- C:\Windows\System32\wAatUxF.exe
  C:\Windows\System32\wAatUxF.exe
  2⤵
  PID:9400
- C:\Windows\System32\efdCqVe.exe
  C:\Windows\System32\efdCqVe.exe
  2⤵
  PID:9460
- C:\Windows\System32\hggkyqh.exe
  C:\Windows\System32\hggkyqh.exe
  2⤵
  PID:9496
- C:\Windows\System32\vCRdELZ.exe
  C:\Windows\System32\vCRdELZ.exe
  2⤵
  PID:9520
- C:\Windows\System32\ptbGTqQ.exe
  C:\Windows\System32\ptbGTqQ.exe
  2⤵
  PID:9560
- C:\Windows\System32\pXskkDT.exe
  C:\Windows\System32\pXskkDT.exe
  2⤵
  PID:9588
- C:\Windows\System32\uSwuVKp.exe
  C:\Windows\System32\uSwuVKp.exe
  2⤵
  PID:9608
- C:\Windows\System32\zVMOssR.exe
  C:\Windows\System32\zVMOssR.exe
  2⤵
  PID:9644
- C:\Windows\System32\ihcXMwi.exe
  C:\Windows\System32\ihcXMwi.exe
  2⤵
  PID:9668
- C:\Windows\System32\fWvimSj.exe
  C:\Windows\System32\fWvimSj.exe
  2⤵
  PID:9688
- C:\Windows\System32\fslznan.exe
  C:\Windows\System32\fslznan.exe
  2⤵
  PID:9724
- C:\Windows\System32\roAJXXB.exe
  C:\Windows\System32\roAJXXB.exe
  2⤵
  PID:9744
- C:\Windows\System32\uWGiFau.exe
  C:\Windows\System32\uWGiFau.exe
  2⤵
  PID:9804
- C:\Windows\System32\gTBxzBF.exe
  C:\Windows\System32\gTBxzBF.exe
  2⤵
  PID:9824
- C:\Windows\System32\LYuuOsR.exe
  C:\Windows\System32\LYuuOsR.exe
  2⤵
  PID:9856
- C:\Windows\System32\bLXbHcn.exe
  C:\Windows\System32\bLXbHcn.exe
  2⤵
  PID:9880
- C:\Windows\System32\JTnnLej.exe
  C:\Windows\System32\JTnnLej.exe
  2⤵
  PID:9912
- C:\Windows\System32\BsEbLql.exe
  C:\Windows\System32\BsEbLql.exe
  2⤵
  PID:9940
- C:\Windows\System32\DphxJTO.exe
  C:\Windows\System32\DphxJTO.exe
  2⤵
  PID:9976
- C:\Windows\System32\qqeVHZD.exe
  C:\Windows\System32\qqeVHZD.exe
  2⤵
  PID:10000
- C:\Windows\System32\UxsSqJg.exe
  C:\Windows\System32\UxsSqJg.exe
  2⤵
  PID:10016
- C:\Windows\System32\QBdaUXd.exe
  C:\Windows\System32\QBdaUXd.exe
  2⤵
  PID:10032
- C:\Windows\System32\KphOddA.exe
  C:\Windows\System32\KphOddA.exe
  2⤵
  PID:10052
- C:\Windows\System32\WoUAQDY.exe
  C:\Windows\System32\WoUAQDY.exe
  2⤵
  PID:10100
- C:\Windows\System32\GEsbsWd.exe
  C:\Windows\System32\GEsbsWd.exe
  2⤵
  PID:10144
- C:\Windows\System32\QcdAbRp.exe
  C:\Windows\System32\QcdAbRp.exe
  2⤵
  PID:10176
- C:\Windows\System32\nwTXlSA.exe
  C:\Windows\System32\nwTXlSA.exe
  2⤵
  PID:10224
- C:\Windows\System32\XxCIXct.exe
  C:\Windows\System32\XxCIXct.exe
  2⤵
  PID:8840
- C:\Windows\System32\YEgpoXp.exe
  C:\Windows\System32\YEgpoXp.exe
  2⤵
  PID:9268
- C:\Windows\System32\BmrAwWv.exe
  C:\Windows\System32\BmrAwWv.exe
  2⤵
  PID:9340
- C:\Windows\System32\dZBKnRp.exe
  C:\Windows\System32\dZBKnRp.exe
  2⤵
  PID:9472
- C:\Windows\System32\lwyDsNj.exe
  C:\Windows\System32\lwyDsNj.exe
  2⤵
  PID:9536
- C:\Windows\System32\rgLrhAr.exe
  C:\Windows\System32\rgLrhAr.exe
  2⤵
  PID:9616
- C:\Windows\System32\NyDKcoW.exe
  C:\Windows\System32\NyDKcoW.exe
  2⤵
  PID:9628
- C:\Windows\System32\FIXpIzF.exe
  C:\Windows\System32\FIXpIzF.exe
  2⤵
  PID:9732
- C:\Windows\System32\xVlOiET.exe
  C:\Windows\System32\xVlOiET.exe
  2⤵
  PID:9844
- C:\Windows\System32\kbPQmQr.exe
  C:\Windows\System32\kbPQmQr.exe
  2⤵
  PID:9868
- C:\Windows\System32\lSgAGxA.exe
  C:\Windows\System32\lSgAGxA.exe
  2⤵
  PID:9932
- C:\Windows\System32\XpLbZMU.exe
  C:\Windows\System32\XpLbZMU.exe
  2⤵
  PID:9988
- C:\Windows\System32\suKEMLz.exe
  C:\Windows\System32\suKEMLz.exe
  2⤵
  PID:10092
- C:\Windows\System32\zBRfQrv.exe
  C:\Windows\System32\zBRfQrv.exe
  2⤵
  PID:10128
- C:\Windows\System32\xaUSmMz.exe
  C:\Windows\System32\xaUSmMz.exe
  2⤵
  PID:10232
- C:\Windows\System32\IFLPtoK.exe
  C:\Windows\System32\IFLPtoK.exe
  2⤵
  PID:9308
- C:\Windows\System32\FsmcxuH.exe
  C:\Windows\System32\FsmcxuH.exe
  2⤵
  PID:9432
- C:\Windows\System32\RUkJuDw.exe
  C:\Windows\System32\RUkJuDw.exe
  2⤵
  PID:9684
- C:\Windows\System32\mAaBEFd.exe
  C:\Windows\System32\mAaBEFd.exe
  2⤵
  PID:9820
- C:\Windows\System32\iCvNfqH.exe
  C:\Windows\System32\iCvNfqH.exe
  2⤵
  PID:9920
- C:\Windows\System32\MpMHgnM.exe
  C:\Windows\System32\MpMHgnM.exe
  2⤵
  PID:10112
- C:\Windows\System32\BXhzGie.exe
  C:\Windows\System32\BXhzGie.exe
  2⤵
  PID:9356
- C:\Windows\System32\DpXAxrv.exe
  C:\Windows\System32\DpXAxrv.exe
  2⤵
  PID:9580
- C:\Windows\System32\fIHRucC.exe
  C:\Windows\System32\fIHRucC.exe
  2⤵
  PID:9676
- C:\Windows\System32\OjJSNdU.exe
  C:\Windows\System32\OjJSNdU.exe
  2⤵
  PID:10008
- C:\Windows\System32\xZkKhfE.exe
  C:\Windows\System32\xZkKhfE.exe
  2⤵
  PID:10256
- C:\Windows\System32\myHmzrx.exe
  C:\Windows\System32\myHmzrx.exe
  2⤵
  PID:10272
- C:\Windows\System32\YTiNaDJ.exe
  C:\Windows\System32\YTiNaDJ.exe
  2⤵
  PID:10292
- C:\Windows\System32\kgmmoEh.exe
  C:\Windows\System32\kgmmoEh.exe
  2⤵
  PID:10340
- C:\Windows\System32\nzrwHAA.exe
  C:\Windows\System32\nzrwHAA.exe
  2⤵
  PID:10364
- C:\Windows\System32\MPngUYq.exe
  C:\Windows\System32\MPngUYq.exe
  2⤵
  PID:10396
- C:\Windows\System32\kirPpNq.exe
  C:\Windows\System32\kirPpNq.exe
  2⤵
  PID:10416
- C:\Windows\System32\KFGARoR.exe
  C:\Windows\System32\KFGARoR.exe
  2⤵
  PID:10452
- C:\Windows\System32\bedMUcO.exe
  C:\Windows\System32\bedMUcO.exe
  2⤵
  PID:10480
- C:\Windows\System32\MSVFIew.exe
  C:\Windows\System32\MSVFIew.exe
  2⤵
  PID:10508
- C:\Windows\System32\rRKKtzQ.exe
  C:\Windows\System32\rRKKtzQ.exe
  2⤵
  PID:10524
- C:\Windows\System32\JRFzilW.exe
  C:\Windows\System32\JRFzilW.exe
  2⤵
  PID:10548
- C:\Windows\System32\IdOKYJo.exe
  C:\Windows\System32\IdOKYJo.exe
  2⤵
  PID:10576
- C:\Windows\System32\NBEScYq.exe
  C:\Windows\System32\NBEScYq.exe
  2⤵
  PID:10604
- C:\Windows\System32\dhcALPK.exe
  C:\Windows\System32\dhcALPK.exe
  2⤵
  PID:10664
- C:\Windows\System32\yTPSbbz.exe
  C:\Windows\System32\yTPSbbz.exe
  2⤵
  PID:10692
- C:\Windows\System32\LrIQOeR.exe
  C:\Windows\System32\LrIQOeR.exe
  2⤵
  PID:10720
- C:\Windows\System32\jehBqRE.exe
  C:\Windows\System32\jehBqRE.exe
  2⤵
  PID:10744
- C:\Windows\System32\RNZytpK.exe
  C:\Windows\System32\RNZytpK.exe
  2⤵
  PID:10776
- C:\Windows\System32\WpfsIrU.exe
  C:\Windows\System32\WpfsIrU.exe
  2⤵
  PID:10792
- C:\Windows\System32\aCyhuqL.exe
  C:\Windows\System32\aCyhuqL.exe
  2⤵
  PID:10832
- C:\Windows\System32\FGgaINe.exe
  C:\Windows\System32\FGgaINe.exe
  2⤵
  PID:10860
- C:\Windows\System32\YbZnbDu.exe
  C:\Windows\System32\YbZnbDu.exe
  2⤵
  PID:10876
- C:\Windows\System32\lSTUiRN.exe
  C:\Windows\System32\lSTUiRN.exe
  2⤵
  PID:10916
- C:\Windows\System32\FqQsWah.exe
  C:\Windows\System32\FqQsWah.exe
  2⤵
  PID:10944
- C:\Windows\System32\SjFkAmV.exe
  C:\Windows\System32\SjFkAmV.exe
  2⤵
  PID:10976
- C:\Windows\System32\rVGYlCd.exe
  C:\Windows\System32\rVGYlCd.exe
  2⤵
  PID:11004
- C:\Windows\System32\qIHNinj.exe
  C:\Windows\System32\qIHNinj.exe
  2⤵
  PID:11032
- C:\Windows\System32\viaJJCC.exe
  C:\Windows\System32\viaJJCC.exe
  2⤵
  PID:11060
- C:\Windows\System32\jznDTsR.exe
  C:\Windows\System32\jznDTsR.exe
  2⤵
  PID:11088
- C:\Windows\System32\dyYEJXQ.exe
  C:\Windows\System32\dyYEJXQ.exe
  2⤵
  PID:11120
- C:\Windows\System32\TsbEtBx.exe
  C:\Windows\System32\TsbEtBx.exe
  2⤵
  PID:11152
- C:\Windows\System32\MuIfLjg.exe
  C:\Windows\System32\MuIfLjg.exe
  2⤵
  PID:11188
- C:\Windows\System32\YluhpAu.exe
  C:\Windows\System32\YluhpAu.exe
  2⤵
  PID:11208
- C:\Windows\System32\SAdkHno.exe
  C:\Windows\System32\SAdkHno.exe
  2⤵
  PID:11236
- C:\Windows\System32\tFpZlbt.exe
  C:\Windows\System32\tFpZlbt.exe
  2⤵
  PID:10248
- C:\Windows\System32\VonwaUQ.exe
  C:\Windows\System32\VonwaUQ.exe
  2⤵
  PID:10308
- C:\Windows\System32\BdHBlDl.exe
  C:\Windows\System32\BdHBlDl.exe
  2⤵
  PID:10388
- C:\Windows\System32\NnCxfpz.exe
  C:\Windows\System32\NnCxfpz.exe
  2⤵
  PID:10500
- C:\Windows\System32\KEzvglP.exe
  C:\Windows\System32\KEzvglP.exe
  2⤵
  PID:10544
- C:\Windows\System32\ywrLdBE.exe
  C:\Windows\System32\ywrLdBE.exe
  2⤵
  PID:10628
- C:\Windows\System32\LJoVhns.exe
  C:\Windows\System32\LJoVhns.exe
  2⤵
  PID:10728
- C:\Windows\System32\ZtjBLJL.exe
  C:\Windows\System32\ZtjBLJL.exe
  2⤵
  PID:10852
- C:\Windows\System32\PbLnPQl.exe
  C:\Windows\System32\PbLnPQl.exe
  2⤵
  PID:10912
- C:\Windows\System32\miQSlFw.exe
  C:\Windows\System32\miQSlFw.exe
  2⤵
  PID:10988
- C:\Windows\System32\rnXxaWh.exe
  C:\Windows\System32\rnXxaWh.exe
  2⤵
  PID:11052
- C:\Windows\System32\ALUbBYp.exe
  C:\Windows\System32\ALUbBYp.exe
  2⤵
  PID:11116
- C:\Windows\System32\XnAlQeY.exe
  C:\Windows\System32\XnAlQeY.exe
  2⤵
  PID:8264
- C:\Windows\System32\XRIOHFy.exe
  C:\Windows\System32\XRIOHFy.exe
  2⤵
  PID:11172
- C:\Windows\System32\ZKpLDQL.exe
  C:\Windows\System32\ZKpLDQL.exe
  2⤵
  PID:11196
- C:\Windows\System32\iHPnfDE.exe
  C:\Windows\System32\iHPnfDE.exe
  2⤵
  PID:9632
- C:\Windows\System32\mrzcNRw.exe
  C:\Windows\System32\mrzcNRw.exe
  2⤵
  PID:10332
- C:\Windows\System32\PBXkcFc.exe
  C:\Windows\System32\PBXkcFc.exe
  2⤵
  PID:1796
- C:\Windows\System32\XCxSGAu.exe
  C:\Windows\System32\XCxSGAu.exe
  2⤵
  PID:10828
- C:\Windows\System32\StXbPue.exe
  C:\Windows\System32\StXbPue.exe
  2⤵
  PID:10968
- C:\Windows\System32\flklpUf.exe
  C:\Windows\System32\flklpUf.exe
  2⤵
  PID:11080
- C:\Windows\System32\DzIdMix.exe
  C:\Windows\System32\DzIdMix.exe
  2⤵
  PID:9092
- C:\Windows\System32\ZIZALKV.exe
  C:\Windows\System32\ZIZALKV.exe
  2⤵
  PID:10348
- C:\Windows\System32\NwIRFCm.exe
  C:\Windows\System32\NwIRFCm.exe
  2⤵
  PID:10572
- C:\Windows\System32\dyYJhDp.exe
  C:\Windows\System32\dyYJhDp.exe
  2⤵
  PID:11164
- C:\Windows\System32\NDFfcAG.exe
  C:\Windows\System32\NDFfcAG.exe
  2⤵
  PID:4548
- C:\Windows\System32\UtTjuMh.exe
  C:\Windows\System32\UtTjuMh.exe
  2⤵
  PID:10540
- C:\Windows\System32\BoTXigT.exe
  C:\Windows\System32\BoTXigT.exe
  2⤵
  PID:11284
- C:\Windows\System32\GbcPKPN.exe
  C:\Windows\System32\GbcPKPN.exe
  2⤵
  PID:11312
- C:\Windows\System32\yCQPISR.exe
  C:\Windows\System32\yCQPISR.exe
  2⤵
  PID:11340
- C:\Windows\System32\MncuXDP.exe
  C:\Windows\System32\MncuXDP.exe
  2⤵
  PID:11368
- C:\Windows\System32\tKRCNmI.exe
  C:\Windows\System32\tKRCNmI.exe
  2⤵
  PID:11396
- C:\Windows\System32\iUJRuLp.exe
  C:\Windows\System32\iUJRuLp.exe
  2⤵
  PID:11432
- C:\Windows\System32\SWsLGnG.exe
  C:\Windows\System32\SWsLGnG.exe
  2⤵
  PID:11456
- C:\Windows\System32\elBRMHz.exe
  C:\Windows\System32\elBRMHz.exe
  2⤵
  PID:11488
- C:\Windows\System32\TpSeSlm.exe
  C:\Windows\System32\TpSeSlm.exe
  2⤵
  PID:11516
- C:\Windows\System32\KieejxU.exe
  C:\Windows\System32\KieejxU.exe
  2⤵
  PID:11544
- C:\Windows\System32\oUBoFmc.exe
  C:\Windows\System32\oUBoFmc.exe
  2⤵
  PID:11572
- C:\Windows\System32\iYgKWri.exe
  C:\Windows\System32\iYgKWri.exe
  2⤵
  PID:11648
- C:\Windows\System32\SLlagpg.exe
  C:\Windows\System32\SLlagpg.exe
  2⤵
  PID:11664
- C:\Windows\System32\FoKrcBY.exe
  C:\Windows\System32\FoKrcBY.exe
  2⤵
  PID:11692
- C:\Windows\System32\cYoCnBH.exe
  C:\Windows\System32\cYoCnBH.exe
  2⤵
  PID:11732
- C:\Windows\System32\znCriBf.exe
  C:\Windows\System32\znCriBf.exe
  2⤵
  PID:11748
- C:\Windows\System32\HGGIUHG.exe
  C:\Windows\System32\HGGIUHG.exe
  2⤵
  PID:11776
- C:\Windows\System32\GyWOEvB.exe
  C:\Windows\System32\GyWOEvB.exe
  2⤵
  PID:11804
- C:\Windows\System32\klNaZpE.exe
  C:\Windows\System32\klNaZpE.exe
  2⤵
  PID:11832
- C:\Windows\System32\JXYFrTk.exe
  C:\Windows\System32\JXYFrTk.exe
  2⤵
  PID:11860
- C:\Windows\System32\hCwiAJn.exe
  C:\Windows\System32\hCwiAJn.exe
  2⤵
  PID:11888
- C:\Windows\System32\jwavoFg.exe
  C:\Windows\System32\jwavoFg.exe
  2⤵
  PID:11920
- C:\Windows\System32\aKSlbzV.exe
  C:\Windows\System32\aKSlbzV.exe
  2⤵
  PID:11948
- C:\Windows\System32\QqdHida.exe
  C:\Windows\System32\QqdHida.exe
  2⤵
  PID:11976
- C:\Windows\System32\Lutjnnz.exe
  C:\Windows\System32\Lutjnnz.exe
  2⤵
  PID:12004
- C:\Windows\System32\TGgFQPY.exe
  C:\Windows\System32\TGgFQPY.exe
  2⤵
  PID:12032
- C:\Windows\System32\GymmwgJ.exe
  C:\Windows\System32\GymmwgJ.exe
  2⤵
  PID:12060
- C:\Windows\System32\FifuEuN.exe
  C:\Windows\System32\FifuEuN.exe
  2⤵
  PID:12088
- C:\Windows\System32\vLRWrQx.exe
  C:\Windows\System32\vLRWrQx.exe
  2⤵
  PID:12116
- C:\Windows\System32\oaHEmQl.exe
  C:\Windows\System32\oaHEmQl.exe
  2⤵
  PID:12144
- C:\Windows\System32\uuzXTSw.exe
  C:\Windows\System32\uuzXTSw.exe
  2⤵
  PID:12172
- C:\Windows\System32\oNBJkkT.exe
  C:\Windows\System32\oNBJkkT.exe
  2⤵
  PID:12200
- C:\Windows\System32\HECVKWg.exe
  C:\Windows\System32\HECVKWg.exe
  2⤵
  PID:12228
- C:\Windows\System32\uVOCdwL.exe
  C:\Windows\System32\uVOCdwL.exe
  2⤵
  PID:12264
- C:\Windows\System32\HXwEoXL.exe
  C:\Windows\System32\HXwEoXL.exe
  2⤵
  PID:12284
- C:\Windows\System32\AEjzsaO.exe
  C:\Windows\System32\AEjzsaO.exe
  2⤵
  PID:11324
- C:\Windows\System32\nGaIUaH.exe
  C:\Windows\System32\nGaIUaH.exe
  2⤵
  PID:11392
- C:\Windows\System32\PfmmDmn.exe
  C:\Windows\System32\PfmmDmn.exe
  2⤵
  PID:11468
- C:\Windows\System32\cqfPSLe.exe
  C:\Windows\System32\cqfPSLe.exe
  2⤵
  PID:11536
- C:\Windows\System32\YOVswrv.exe
  C:\Windows\System32\YOVswrv.exe
  2⤵
  PID:11596
- C:\Windows\System32\OJJBdOz.exe
  C:\Windows\System32\OJJBdOz.exe
  2⤵
  PID:11712
- C:\Windows\System32\CIypbam.exe
  C:\Windows\System32\CIypbam.exe
  2⤵
  PID:11772
- C:\Windows\System32\qYYmKip.exe
  C:\Windows\System32\qYYmKip.exe
  2⤵
  PID:11844
- C:\Windows\System32\dOSaoFp.exe
  C:\Windows\System32\dOSaoFp.exe
  2⤵
  PID:2376
- C:\Windows\System32\uDHKCtV.exe
  C:\Windows\System32\uDHKCtV.exe
  2⤵
  PID:11944
- C:\Windows\System32\NKgPzBM.exe
  C:\Windows\System32\NKgPzBM.exe
  2⤵
  PID:12016
- C:\Windows\System32\geevjvd.exe
  C:\Windows\System32\geevjvd.exe
  2⤵
  PID:12080
- C:\Windows\System32\kHfdcrA.exe
  C:\Windows\System32\kHfdcrA.exe
  2⤵
  PID:12140
- C:\Windows\System32\WrtanKD.exe
  C:\Windows\System32\WrtanKD.exe
  2⤵
  PID:12212
- C:\Windows\System32\pfJqQcI.exe
  C:\Windows\System32\pfJqQcI.exe
  2⤵
  PID:12276
- C:\Windows\System32\uzAFdpJ.exe
  C:\Windows\System32\uzAFdpJ.exe
  2⤵
  PID:11380
- C:\Windows\System32\eoUVXwR.exe
  C:\Windows\System32\eoUVXwR.exe
  2⤵
  PID:11564
- C:\Windows\System32\OTdvIyx.exe
  C:\Windows\System32\OTdvIyx.exe
  2⤵
  PID:792
- C:\Windows\System32\OxUiOmr.exe
  C:\Windows\System32\OxUiOmr.exe
  2⤵
  PID:11760
- C:\Windows\System32\vUtYyml.exe
  C:\Windows\System32\vUtYyml.exe
  2⤵
  PID:11884
- C:\Windows\System32\QyBkedr.exe
  C:\Windows\System32\QyBkedr.exe
  2⤵
  PID:12000
- C:\Windows\System32\ugjMmuM.exe
  C:\Windows\System32\ugjMmuM.exe
  2⤵
  PID:12192
- C:\Windows\System32\OlzeseW.exe
  C:\Windows\System32\OlzeseW.exe
  2⤵
  PID:11364
- C:\Windows\System32\TpszXbd.exe
  C:\Windows\System32\TpszXbd.exe
  2⤵
  PID:11828
- C:\Windows\System32\USRVgWB.exe
  C:\Windows\System32\USRVgWB.exe
  2⤵
  PID:12072
- C:\Windows\System32\XzbADqA.exe
  C:\Windows\System32\XzbADqA.exe
  2⤵
  PID:4872
- C:\Windows\System32\EkgpXpr.exe
  C:\Windows\System32\EkgpXpr.exe
  2⤵
  PID:12252
- C:\Windows\System32\WUWCdOv.exe
  C:\Windows\System32\WUWCdOv.exe
  2⤵
  PID:12296
- C:\Windows\System32\zWPTrzW.exe
  C:\Windows\System32\zWPTrzW.exe
  2⤵
  PID:12328
- C:\Windows\System32\iXUyXFF.exe
  C:\Windows\System32\iXUyXFF.exe
  2⤵
  PID:12356
- C:\Windows\System32\GMgyptQ.exe
  C:\Windows\System32\GMgyptQ.exe
  2⤵
  PID:12384
- C:\Windows\System32\KHzCgPR.exe
  C:\Windows\System32\KHzCgPR.exe
  2⤵
  PID:12432
- C:\Windows\System32\HHnqBzm.exe
  C:\Windows\System32\HHnqBzm.exe
  2⤵
  PID:12464
- C:\Windows\System32\GqZmHcE.exe
  C:\Windows\System32\GqZmHcE.exe
  2⤵
  PID:12492
- C:\Windows\System32\UrMIwsn.exe
  C:\Windows\System32\UrMIwsn.exe
  2⤵
  PID:12520
- C:\Windows\System32\KjDCgiw.exe
  C:\Windows\System32\KjDCgiw.exe
  2⤵
  PID:12536
- C:\Windows\System32\ruqcFwd.exe
  C:\Windows\System32\ruqcFwd.exe
  2⤵
  PID:12576
- C:\Windows\System32\dzdTyzX.exe
  C:\Windows\System32\dzdTyzX.exe
  2⤵
  PID:12604
- C:\Windows\System32\mqQEQiu.exe
  C:\Windows\System32\mqQEQiu.exe
  2⤵
  PID:12620
- C:\Windows\System32\bSdKPaQ.exe
  C:\Windows\System32\bSdKPaQ.exe
  2⤵
  PID:12660
- C:\Windows\System32\cMZaXhn.exe
  C:\Windows\System32\cMZaXhn.exe
  2⤵
  PID:12688
- C:\Windows\System32\VmdZSzk.exe
  C:\Windows\System32\VmdZSzk.exe
  2⤵
  PID:12716
- C:\Windows\System32\kbaMqDU.exe
  C:\Windows\System32\kbaMqDU.exe
  2⤵
  PID:12744
- C:\Windows\System32\mxPhwRF.exe
  C:\Windows\System32\mxPhwRF.exe
  2⤵
  PID:12772
- C:\Windows\System32\jazVIRS.exe
  C:\Windows\System32\jazVIRS.exe
  2⤵
  PID:12800
- C:\Windows\System32\MMpBuNS.exe
  C:\Windows\System32\MMpBuNS.exe
  2⤵
  PID:12828
- C:\Windows\System32\XLgBIuf.exe
  C:\Windows\System32\XLgBIuf.exe
  2⤵
  PID:12856
- C:\Windows\System32\wPVKppp.exe
  C:\Windows\System32\wPVKppp.exe
  2⤵
  PID:12884
- C:\Windows\System32\wCAZmoB.exe
  C:\Windows\System32\wCAZmoB.exe
  2⤵
  PID:12912
- C:\Windows\System32\epdFmUL.exe
  C:\Windows\System32\epdFmUL.exe
  2⤵
  PID:12940
- C:\Windows\System32\HoVTJxu.exe
  C:\Windows\System32\HoVTJxu.exe
  2⤵
  PID:12968
- C:\Windows\System32\zzchXJa.exe
  C:\Windows\System32\zzchXJa.exe
  2⤵
  PID:13012
- C:\Windows\System32\nWmFtgc.exe
  C:\Windows\System32\nWmFtgc.exe
  2⤵
  PID:13060
- C:\Windows\System32\sWAJYQd.exe
  C:\Windows\System32\sWAJYQd.exe
  2⤵
  PID:13100
- C:\Windows\System32\eQWtghn.exe
  C:\Windows\System32\eQWtghn.exe
  2⤵
  PID:13136
- C:\Windows\System32\SyIWTID.exe
  C:\Windows\System32\SyIWTID.exe
  2⤵
  PID:13164
- C:\Windows\System32\dPjnmKh.exe
  C:\Windows\System32\dPjnmKh.exe
  2⤵
  PID:13216
- C:\Windows\System32\JsdeoWJ.exe
  C:\Windows\System32\JsdeoWJ.exe
  2⤵
  PID:13268
- C:\Windows\System32\ggvlirc.exe
  C:\Windows\System32\ggvlirc.exe
  2⤵
  PID:13304
- C:\Windows\System32\dtqYPWm.exe
  C:\Windows\System32\dtqYPWm.exe
  2⤵
  PID:12340
- C:\Windows\System32\fwaTeyO.exe
  C:\Windows\System32\fwaTeyO.exe
  2⤵
  PID:12428
- C:\Windows\System32\ypYTbyp.exe
  C:\Windows\System32\ypYTbyp.exe
  2⤵
  PID:12476
- C:\Windows\System32\McnbnsZ.exe
  C:\Windows\System32\McnbnsZ.exe
  2⤵
  PID:12532
- C:\Windows\System32\QAbPqtv.exe
  C:\Windows\System32\QAbPqtv.exe
  2⤵
  PID:12672
- C:\Windows\System32\NBnQaMG.exe
  C:\Windows\System32\NBnQaMG.exe
  2⤵
  PID:12732
- C:\Windows\System32\dqdYjse.exe
  C:\Windows\System32\dqdYjse.exe
  2⤵
  PID:12792
- C:\Windows\System32\kVmwFGI.exe
  C:\Windows\System32\kVmwFGI.exe
  2⤵
  PID:12852
- C:\Windows\System32\UDttyiw.exe
  C:\Windows\System32\UDttyiw.exe
  2⤵
  PID:12908
- C:\Windows\System32\yguDHxa.exe
  C:\Windows\System32\yguDHxa.exe
  2⤵
  PID:12980
- C:\Windows\System32\dgbnpZl.exe
  C:\Windows\System32\dgbnpZl.exe
  2⤵
  PID:13088
- C:\Windows\System32\ivfaeEI.exe
  C:\Windows\System32\ivfaeEI.exe
  2⤵
  PID:13192
- C:\Windows\System32\pRqzMJI.exe
  C:\Windows\System32\pRqzMJI.exe
  2⤵
  PID:13276
- C:\Windows\System32\PduyOKq.exe
  C:\Windows\System32\PduyOKq.exe
  2⤵
  PID:12380
- C:\Windows\System32\vHQKzOD.exe
  C:\Windows\System32\vHQKzOD.exe
  2⤵
  PID:12612
- C:\Windows\System32\lVRpzwA.exe
  C:\Windows\System32\lVRpzwA.exe
  2⤵
  PID:12764
- C:\Windows\System32\UwywIaR.exe
  C:\Windows\System32\UwywIaR.exe
  2⤵
  PID:12896
- C:\Windows\System32\Qknhnlm.exe
  C:\Windows\System32\Qknhnlm.exe
  2⤵
  PID:13080
- C:\Windows\System32\SOhyanb.exe
  C:\Windows\System32\SOhyanb.exe
  2⤵
  PID:12292
- C:\Windows\System32\AiHrMmP.exe
  C:\Windows\System32\AiHrMmP.exe
  2⤵
  PID:12460
- C:\Windows\System32\WlwhPqH.exe
  C:\Windows\System32\WlwhPqH.exe
  2⤵
  PID:13020
- C:\Windows\System32\DdhGqoD.exe
  C:\Windows\System32\DdhGqoD.exe
  2⤵
  PID:12676
- C:\Windows\System32\flEljqF.exe
  C:\Windows\System32\flEljqF.exe
  2⤵
  PID:12960

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AAioUSP.exe

Filesize
3.3MB

MD5
c6463db6099efb5bad4bab6df17586ac

SHA1
fde17309e5b25339b2bea252e15a0b7cf2f9f39b

SHA256
9094a6baa62ec36df9ec044f9851614bc3900ac518f32d39086ffda5ef8d4cb0

SHA512
cef669788e1d85189c66b89d08cba987ca85453db81df9b57384a9a991c8d7466ea8f2831ac5a4a35861964391c7c74645e1d1921578cca17a670d478981eccb

Download Submit
C:\Windows\System32\ATEXJkF.exe

Filesize
3.3MB

MD5
dbb07d81a6f3f9722ab8906e07d1f5ab

SHA1
b0adab47ab8a82975c628f0e74fb25fbafcd62c5

SHA256
3a5beac897d7e85c013d2abdd981c26deeccc485ee5c4fd7c81e91bbd42d3533

SHA512
e8c2fd61a1839799479042b01e147c896ca4674cae3099c8496f6b433010cec6ccc8dcdbcae2be84e1f3097367a212fe2275346a1636d679612a574be34b77bd

Download Submit
C:\Windows\System32\DcqHrna.exe

Filesize
3.3MB

MD5
86830ba6618c1df7bf4f13d16e5cde2f

SHA1
38832a6b0abf04d65ec568b6a43f5d3b55b37174

SHA256
ab207c5016d432d189f28324a055ec55c728fa7c83a16bb7510c55ea7e088676

SHA512
6815c130ead698ce77a0d6a375ec0607697cb91d7ada6e8d1bd8a2277c9922a68b989a09d15c73ac62e3837ee7d37f8e0fac2cbcd0c9bc0d81e0325af10d4fb2

Download Submit
C:\Windows\System32\HHkZErs.exe

Filesize
3.3MB

MD5
b623d9daa549891bcbb58b0f7c446ae3

SHA1
2da5ee36464bd06ca62f2786bc826ec5210599ee

SHA256
45c1b497a84b377e93404f3c8c9f55c8309b75a9beeff7a18996ea81eb0cfd7d

SHA512
3a6f8ac210a3c27745e1839eed0597275d38a0c4be039e8ac247ebcb70be851c96fc14101351bbaeb9f4f4a048e0ee00a4d6a5b815e27f2f0b953fffd0d7c6ca

Download Submit
C:\Windows\System32\HQqZZaC.exe

Filesize
3.3MB

MD5
3d693e454d11b7b7460e21d299096de2

SHA1
42c377dffb2017e0ba5f44b1099754df6b9a0a6a

SHA256
c1eeea8d12f8e361fd391bc3e943ed8b4824eaacc4953af164ac1049da9de83f

SHA512
53e5f7e3176d65800b0c834567ff0d619e3c8e56f572501f40233f3a83d6e10394ae5d1e846eb8117b633690dec316c07b7209ca67523255d7907943e74afe87

Download Submit
C:\Windows\System32\IWWpCcj.exe

Filesize
3.3MB

MD5
91cb4bf6af7fc75cc4ae614c7a8588ce

SHA1
59f0a414478d7e35f8e42f767f7e8d890a0bb639

SHA256
f4c7ce6903045db16def9877c653cf70efc4bd7a7e1536cf382e9523b052dd92

SHA512
b648b6248c350dd7f74053d28ac8ea70b7a263c0e28c9ef4a94ef3622f9c568344242355f3b43ccf7fff53c1881f4f3e3c35fdae43a95ceea71a9a2b24efffae

Download Submit
C:\Windows\System32\JGKuFqc.exe

Filesize
3.3MB

MD5
6663ee0284bbb9f2f4ec58879921ef9a

SHA1
89952f92f619ebf780c3f6d280eb4fdae54963d7

SHA256
c7979703b659f3246f3606e531c6a43c7c7cfa218052b46d1ce6268a0cb65f7a

SHA512
e8643a93fcf560fbb546b717dbae1e4b89412770af46e1953a716e5291ca819e36f8a5cb2c93802cdcc01c3de50b97b8ea38fa781da64788e76585ffb0d1f77d

Download Submit
C:\Windows\System32\KNLnxUp.exe

Filesize
3.3MB

MD5
1bd93bc6502468fc329217ad866371c4

SHA1
567fe9eec81cff1968e5e0700d3d923d89a0e416

SHA256
0201a8beefd439333373ff16dfc1968e926751b0d7dafb4826d3b3452bfc67f3

SHA512
836286661a032664e2215ccc6feb8572712296db715bdff5a357131db3f2376f1f39341063bddbdbf7f5fb6c4825c5089510a57bd0b1efb40686856de9e85670

Download Submit
C:\Windows\System32\NvOnfgp.exe

Filesize
3.3MB

MD5
9954728239456b418e92370211a9ac9d

SHA1
ecec1210f759b9a8992ddc5d81d12585c9a8ea98

SHA256
b7e66fb70209c34eabff00af8a476513a8eb165a6d30c5bcae8a40a5029ab8c6

SHA512
205fe11c018801ec39ddc16da753e1326daedaceb3d18658a71c7a679629165b5aff15bc30420028419297f574e8e4be799c0a9037163bbd6a731b5e9c55a6e1

Download Submit
C:\Windows\System32\ODWSXFm.exe

Filesize
3.3MB

MD5
043fdc83032d4a1bbf79c2a078b8c3c8

SHA1
8c621bec5b2ef77261a528c803765d389de4c086

SHA256
e85d3f323ee6aafecde5ea18291c5ead0108e57c44024938a8dff4bfc13b62d0

SHA512
992e76979d8069f710b2bd22a982bb3aeaa59e2002deed9da1afb2bb589d605eb75c409d5591760bdd3b18591bca048b60e1dc50760e90440b629c0e89a5ce0f

Download Submit
C:\Windows\System32\OvFUjws.exe

Filesize
3.3MB

MD5
59fb8bafeba62372abafa499538cd182

SHA1
b53ff728dd4c388fe106a2467bc88f792b0c90cb

SHA256
b4b3d58253dcd391b1f8823188ed9898b6ad3434dbc7531a934e19cd1e7beeec

SHA512
323dfba88b67620cfe661c0d09b980c93f29cea6385d926e9d4eac79bb26abbb38857c05955f5cbb9785e7236b95629da8a707e8f4b173db3629ffa701e72453

Download Submit
C:\Windows\System32\QxubNmQ.exe

Filesize
3.3MB

MD5
0332e767e1bdfab66cbd15b34e35081b

SHA1
cda4f774701a64e1ca1920a8402ac99ff2c56a41

SHA256
b85480ba43a80971352635db959827e939a18125d26e37ec308e00d5916fc234

SHA512
e786befbcc9a98e432a2107ee85b6cead4d6750b9e268b6826b0647f00d255d6357e6f63adb979996f40abdc1a1d0b29ab944be5ba8f977304fac6ee19c3246d

Download Submit
C:\Windows\System32\REHhSJx.exe

Filesize
3.3MB

MD5
07f8c690b00ed3847c98ee28c9b94312

SHA1
bf98c0a23b8db9d3bce661c9b31d9cb5dcfe3af4

SHA256
c40b7809a0cba9782995ebad46cf15fd599a908744cd1f866fcb2945be9cb7b6

SHA512
12b53fbddb7dd7cf2ccdeb8b4a5434c5e6baaf2363ad52a3325fd67ad250ee16e4c06f4b2d3a9aac2ba4cde26c383ebd59e67a5d17d1d434722833e5b9c1c29e

Download Submit
C:\Windows\System32\RbpbHSw.exe

Filesize
3.3MB

MD5
298ecaa14ce76a75220335dca1dcec7f

SHA1
9f7a488810756472cc384f79aede6fc97207e1d9

SHA256
134b54f7fc67bac418590c772ff78c05b6acef60dcf28fee5610ec1538ffee53

SHA512
1bb5f279b24e09006275e9f02237cb242bb5cf80814820883f0a9640f228f601d8a2cade2e7ec98d444046bf470bf307d94da8d6bd26a3bea912fe8465532d49

Download Submit
C:\Windows\System32\TJFKZFv.exe

Filesize
3.3MB

MD5
c432e3d2ee99e74f485de75933769db6

SHA1
13af87efb3bdce61424d7dd9c783e156e5d70492

SHA256
9814f26a22efd25cd133a401139f7f10fff529fc0e914a60f31c3b8e7cb6b483

SHA512
95816cb6a9993c3588a35585f75a68494a49d6f16dc032605351906fce99f78768a78c2650e0e556da69e37885fec83cbc819987709ede65945044339567a7ec

Download Submit
C:\Windows\System32\UvuHHcn.exe

Filesize
3.3MB

MD5
7f86274b404ae314e5fa712eb6d11005

SHA1
ec21a99d6bd5eb079b9629e7fbc7fb0e7b551cb7

SHA256
e4a1326c2d6917ea157488e8d181e4a3a4903dcd9abf3e949c2f849160a1b096

SHA512
09da8992b02699cbad16d5cf6aad6511a8821d25ecd06a4c8a136f5de5e5eb0972ac310fd9a5defebe0f312dccc6c836d4fc952a93e12c215e71f59cdabf9308

Download Submit
C:\Windows\System32\WaGPXsA.exe

Filesize
3.3MB

MD5
7927f1c397b6d828c09ac7891a4aa62c

SHA1
ca3f3109ce0eca1894e0559c59f33fc29a2534e9

SHA256
3701067703820f971e476fb2b24651910e0d8eb001e19319cebb18bcb04d5bf9

SHA512
67892e51be82c1f45d86e86d9bcac0d6f3ae55940ee77359517c6813e7d957425617609429e4497b1603c8fffb2cf56a9e7296967f76614b239b676a72c8ede9

Download Submit
C:\Windows\System32\YhLBzio.exe

Filesize
3.3MB

MD5
3ac563849d2c9624c7b7e218aca770f3

SHA1
f7250baab185da0c0d499eab79a3c1174721a126

SHA256
4fcdd6dc3b7c1aa87a41cda4ea123f28384d789a2ab6507a17ad07181d770655

SHA512
4c095e5bca0f4756ae509b273e552c96e4fdb81721b66d330211bc0ef3d675f479688c9c2193f401060a85a73acc6de3f544f0ed6419e28c32d3b4017edda227

Download Submit
C:\Windows\System32\aCMHxxi.exe

Filesize
3.3MB

MD5
c79ffb59c94db6132685e67d69001e70

SHA1
78fb39a581f2f732acfbaef0ad44511a8c851d29

SHA256
743b95bcad3e6cbf45ad6fd0ff4e5d12bf7b25dbdf4a2952a823482d04dbfd49

SHA512
011ea3be240b452be69cb5b3d8d7fcde8f0ec70d0c1251abed9d5518eeb1cc562e897c3bbe090228ed8b55b554141e675d9e8f9c211843a352a1a2bdfba6f44b

Download Submit
C:\Windows\System32\abumcwS.exe

Filesize
3.3MB

MD5
a35f6027cc4e74e47b37e755bacdfce7

SHA1
b73e692ffc91175db4beed7844de0224921a14d6

SHA256
6342ee5637716e2bb62348d7a11f6237b6f125831fcca0a184ea83349ddd395f

SHA512
ec4c4a1e6bcb767b39f0b4b0b4f631b419afdcda0b00123e937a7b6b7ca8926354ea249502ced8dfcac752184b98763ae46af666c7ef6f2b66fae35fa3eede7f

Download Submit
C:\Windows\System32\bZhhBiN.exe

Filesize
3.3MB

MD5
164460e88e7de91599cc1e04c539313a

SHA1
3ccf1b106c659890689ac555f8440c0d6f653320

SHA256
b6f9e60a9853b2246bb9ccfed8003356a7a6c92059f4c4e0f254ebe79dada520

SHA512
7ddc0cc4c5cef5aa01238fe59d9965fbc71c8f6777e533b9ad3533ea34ec79b98d49571bc392af783670a8aba42afbceee62781c7c4ca8169de9f19c0ca6cd42

Download Submit
C:\Windows\System32\bqZRdVg.exe

Filesize
3.3MB

MD5
63cf9a93e6c5153835fcd6e5c5dd5a97

SHA1
eada477eecbce7ad89f67eb19034df28d0483c41

SHA256
4bf7d0b167212e323aed8386e84c82e95e315c9aeb12042505d952c12b627ad5

SHA512
aa06c8ccfbd700d11927583e9a3cbf1f3b4d8365e6fd7186e066b46ac3e3749001c8b1036da4817668d30abc762f44052ab855e0b5960326b0319f13beb0f875

Download Submit
C:\Windows\System32\dTKVmTZ.exe

Filesize
3.3MB

MD5
dcf6da3bbebd5d3b284f24f7aa80b092

SHA1
7e915e6ae3e9e71b4cab64e57981c861b99a9f25

SHA256
2e9b773fa65a728094e8da0e1ff049889776ba17aba0f0a33d23033356a9afbc

SHA512
914cc47d197713586dba2fa51852fabae0e724597ff67e82a428978083a8778eb1216907b46e7653a2dcca296f0faa5800ee2bf6b3b63d596c31efc34db0bf63

Download Submit
C:\Windows\System32\igLciYQ.exe

Filesize
3.3MB

MD5
8e4233dcbfbc967bdb1e46a3c3e05c5e

SHA1
8eaa59ccf28bc833f811c7b5156c4d6e5a832c02

SHA256
ad7d8ab419f4eff1188ee4789eaffaf4afacb3e6279a27def4c92bd911218230

SHA512
174a37e691cdbf788f8d5972f19c25ee1e701f0bbcc08a47990e4551b15fea62be7a62745c4e0875a46e45045dd14d69ac1b52b0e2d1cb274f6b8f7e71c17877

Download Submit
C:\Windows\System32\jSBqVsh.exe

Filesize
3.3MB

MD5
38e676af94744a19a524f850deaf3cc3

SHA1
e1a521a9166fed5ee4c41d6c9bc188500b493350

SHA256
320c656fa32c1d9a936476d18ae600c1d82c9a166e4d758f0cc62f26ec6724f5

SHA512
0a64fc8f64f97135da57e03398ca1785c11cf3fc3a7645350c96cb026d49601bdb6b313fca3de35151c2c5487a6da129f69612a5806de51c117d694799312d99

Download Submit
C:\Windows\System32\jmTLcaU.exe

Filesize
3.3MB

MD5
d9ba80209ca8bdc95fa86af625024673

SHA1
3c3f79af80b050cd6eb598f7ac939050b1ec1463

SHA256
a2bc9039b7df03b22675ae96d51fc389c5eebb20015cd883af444cef03c97ba1

SHA512
6addd8499f797a1935e333df8af05beee2970125940a1e75e7950c0fe7edd53ff9d763be44ae776de378dd798383934c8a805268563466063a1458a4af4be436

Download Submit
C:\Windows\System32\kzOsAFJ.exe

Filesize
3.3MB

MD5
2d445bb3b417c1378034318c9fce4124

SHA1
b021e3e0ae85fd8d69993588073b110d8b8623bb

SHA256
12e3f8ce234cb501d046555b0f6c16f614e9cf131e8b052e270d578c93a64c14

SHA512
637daabcf582136b9dea21e4b8cf7824a55a2f18be88a927aa731215913c5f3851173f7aba1c7ee442d79c0aabbcead4adfbe44f04fa07197c06164ec1ee7265

Download Submit
C:\Windows\System32\nmXwqkV.exe

Filesize
3.3MB

MD5
6ec0d7c57f34ae4b64c7681e337e7375

SHA1
8742ed1029d25018fbf011bf7a214d5bb3696131

SHA256
9194a79438c76ecef08c68ac989dc1e557e4e2cae1e6eddefdb42251aafd59cd

SHA512
7c5152f3a50a7aca9b0b799341c7a0514e744d1439b08cecc26926a17c18356148a034c38b884c7946c458e0b20bf96ebb4cbf20effc67201ea457fee5472e19

Download Submit
C:\Windows\System32\qdsrREd.exe

Filesize
3.3MB

MD5
ca8eccab79c8f4bee606451d7db03a38

SHA1
9bfc2187c283050cad6467f5902c7bc1337bc778

SHA256
3ae7ea07c6fa5c9070cd600632c7af6b704c4f420c6fd7e21b87b5689a8556ba

SHA512
42ac16d6c2052319cb052d0891692d4c65518c29ee7d39bd46f0884d28f63523ea8444c5ea3a364927c3fb5120b88be812a9fc7c66296880fadb7425f48e3a02

Download Submit
C:\Windows\System32\tRLnOjx.exe

Filesize
3.3MB

MD5
e9dec5e625543c6967ee7e663cbeb5a5

SHA1
05e178316a63ad052a6c5feef66fc0eba5bbf266

SHA256
452cfb588e4ce2b92ecd0505c208ef099d534225790a939372a119bf42ee17a5

SHA512
9a85175ace89d5752b0aa1c93dd21bd24ae43e769303a8767771f8437b6d325da302aed2c2df17746e365de2c9cf054c495b454fcbe3a5c79b4dceefe602701e

Download Submit
C:\Windows\System32\tuslTYB.exe

Filesize
3.3MB

MD5
e7489d0c1fdc003a949022529a42b645

SHA1
d6dbc23c807c89d6acd93a9118c164dbc0c63d62

SHA256
7865fab0ce1d35a76cdf74e1d756f7191d5f19d281e2c542f823ffdee8ed01cf

SHA512
dfe8db3209449d6400cd7e6eb5323da850779236c501c5b6f4d57bd1d89e48e0dcf63b81d5fd28668d07e9a3f7c608d8dbc03707eebf84adea062e2523b1e9ad

Download Submit
C:\Windows\System32\tvVJEkz.exe

Filesize
3.3MB

MD5
4320b689e556bf2a1ff33fee133c114c

SHA1
a0fd2595aabc3b4e9178789f9b131a2ed2465cb3

SHA256
64b3eaea15e3871dad581291105fd9ca9969b88e1cc4ad53c6f937f1d2992480

SHA512
a041dc6e9e1110dbfd28e9fffe4e389fe535268cbb4d2bce13aff86c760233a5d01af4c78b8473003be420daf3535ccc5af24055febe53b5ab4edac93a96a869

Download Submit
memory/8-1885-0x00007FF7697D0000-0x00007FF769BC5000-memory.dmp

Filesize
4.0MB

Download
memory/8-0-0x00007FF7697D0000-0x00007FF769BC5000-memory.dmp

Filesize
4.0MB

Download
memory/8-1-0x00000186C81F0000-0x00000186C8200000-memory.dmp

Filesize
64KB

Download
memory/8-1889-0x00007FF7697D0000-0x00007FF769BC5000-memory.dmp

Filesize
4.0MB

Download
memory/1184-1912-0x00007FF617E30000-0x00007FF618225000-memory.dmp

Filesize
4.0MB

Download
memory/1184-791-0x00007FF617E30000-0x00007FF618225000-memory.dmp

Filesize
4.0MB

Download
memory/1540-768-0x00007FF76BF20000-0x00007FF76C315000-memory.dmp

Filesize
4.0MB

Download
memory/1540-1908-0x00007FF76BF20000-0x00007FF76C315000-memory.dmp

Filesize
4.0MB

Download
memory/1700-32-0x00007FF7FA620000-0x00007FF7FAA15000-memory.dmp

Filesize
4.0MB

Download
memory/1700-1893-0x00007FF7FA620000-0x00007FF7FAA15000-memory.dmp

Filesize
4.0MB

Download
memory/1884-1905-0x00007FF695DC0000-0x00007FF6961B5000-memory.dmp

Filesize
4.0MB

Download
memory/1884-777-0x00007FF695DC0000-0x00007FF6961B5000-memory.dmp

Filesize
4.0MB

Download
memory/2200-1895-0x00007FF65E9E0000-0x00007FF65EDD5000-memory.dmp

Filesize
4.0MB

Download
memory/2200-28-0x00007FF65E9E0000-0x00007FF65EDD5000-memory.dmp

Filesize
4.0MB

Download
memory/2200-1887-0x00007FF65E9E0000-0x00007FF65EDD5000-memory.dmp

Filesize
4.0MB

Download
memory/2396-749-0x00007FF7FD550000-0x00007FF7FD945000-memory.dmp

Filesize
4.0MB

Download
memory/2396-1904-0x00007FF7FD550000-0x00007FF7FD945000-memory.dmp

Filesize
4.0MB

Download
memory/3212-1897-0x00007FF629100000-0x00007FF6294F5000-memory.dmp

Filesize
4.0MB

Download
memory/3212-794-0x00007FF629100000-0x00007FF6294F5000-memory.dmp

Filesize
4.0MB

Download
memory/3260-1906-0x00007FF600280000-0x00007FF600675000-memory.dmp

Filesize
4.0MB

Download
memory/3260-786-0x00007FF600280000-0x00007FF600675000-memory.dmp

Filesize
4.0MB

Download
memory/3264-712-0x00007FF6E0FA0000-0x00007FF6E1395000-memory.dmp

Filesize
4.0MB

Download
memory/3264-1896-0x00007FF6E0FA0000-0x00007FF6E1395000-memory.dmp

Filesize
4.0MB

Download
memory/3848-704-0x00007FF69C440000-0x00007FF69C835000-memory.dmp

Filesize
4.0MB

Download
memory/3848-1898-0x00007FF69C440000-0x00007FF69C835000-memory.dmp

Filesize
4.0MB

Download
memory/3964-1909-0x00007FF70FC40000-0x00007FF710035000-memory.dmp

Filesize
4.0MB

Download
memory/3964-758-0x00007FF70FC40000-0x00007FF710035000-memory.dmp

Filesize
4.0MB

Download
memory/4136-1901-0x00007FF654700000-0x00007FF654AF5000-memory.dmp

Filesize
4.0MB

Download
memory/4136-763-0x00007FF654700000-0x00007FF654AF5000-memory.dmp

Filesize
4.0MB

Download
memory/4356-790-0x00007FF688940000-0x00007FF688D35000-memory.dmp

Filesize
4.0MB

Download
memory/4356-1913-0x00007FF688940000-0x00007FF688D35000-memory.dmp

Filesize
4.0MB

Download
memory/4388-738-0x00007FF6862E0000-0x00007FF6866D5000-memory.dmp

Filesize
4.0MB

Download
memory/4388-1907-0x00007FF6862E0000-0x00007FF6866D5000-memory.dmp

Filesize
4.0MB

Download
memory/4780-722-0x00007FF6B47C0000-0x00007FF6B4BB5000-memory.dmp

Filesize
4.0MB

Download
memory/4780-1902-0x00007FF6B47C0000-0x00007FF6B4BB5000-memory.dmp

Filesize
4.0MB

Download
memory/4812-1900-0x00007FF65C5A0000-0x00007FF65C995000-memory.dmp

Filesize
4.0MB

Download
memory/4812-743-0x00007FF65C5A0000-0x00007FF65C995000-memory.dmp

Filesize
4.0MB

Download
memory/4824-10-0x00007FF69B6B0000-0x00007FF69BAA5000-memory.dmp

Filesize
4.0MB

Download
memory/4824-1890-0x00007FF69B6B0000-0x00007FF69BAA5000-memory.dmp

Filesize
4.0MB

Download
memory/4828-1910-0x00007FF79D820000-0x00007FF79DC15000-memory.dmp

Filesize
4.0MB

Download
memory/4828-783-0x00007FF79D820000-0x00007FF79DC15000-memory.dmp

Filesize
4.0MB

Download
memory/4864-25-0x00007FF712E20000-0x00007FF713215000-memory.dmp

Filesize
4.0MB

Download
memory/4864-1892-0x00007FF712E20000-0x00007FF713215000-memory.dmp

Filesize
4.0MB

Download
memory/4880-780-0x00007FF6B41B0000-0x00007FF6B45A5000-memory.dmp

Filesize
4.0MB

Download
memory/4880-1911-0x00007FF6B41B0000-0x00007FF6B45A5000-memory.dmp

Filesize
4.0MB

Download
memory/4900-1886-0x00007FF79D400000-0x00007FF79D7F5000-memory.dmp

Filesize
4.0MB

Download
memory/4900-12-0x00007FF79D400000-0x00007FF79D7F5000-memory.dmp

Filesize
4.0MB

Download
memory/4900-1891-0x00007FF79D400000-0x00007FF79D7F5000-memory.dmp

Filesize
4.0MB

Download
memory/4916-1888-0x00007FF6BC960000-0x00007FF6BCD55000-memory.dmp

Filesize
4.0MB

Download
memory/4916-1894-0x00007FF6BC960000-0x00007FF6BCD55000-memory.dmp

Filesize
4.0MB

Download
memory/4916-34-0x00007FF6BC960000-0x00007FF6BCD55000-memory.dmp

Filesize
4.0MB

Download
memory/4964-726-0x00007FF702F30000-0x00007FF703325000-memory.dmp

Filesize
4.0MB

Download
memory/4964-1899-0x00007FF702F30000-0x00007FF703325000-memory.dmp

Filesize
4.0MB

Download
memory/5092-730-0x00007FF6FFDC0000-0x00007FF7001B5000-memory.dmp

Filesize
4.0MB

Download
memory/5092-1903-0x00007FF6FFDC0000-0x00007FF7001B5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads