xmrig | fbed0e74560cc64328b8e40a3f2d1e3b22a8d93eab597a39be84d3985198d711

Analysis

max time kernel
102s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e33f09a1b05b342c7f474ee413b22980_NEAS.exe
Size

3.0MB
MD5

e33f09a1b05b342c7f474ee413b22980
SHA1

77b962b9c11fafaa288081721ae7299cedba94ff
SHA256

fbed0e74560cc64328b8e40a3f2d1e3b22a8d93eab597a39be84d3985198d711
SHA512

cf26dfaa9a4967584caa81f6f0668f44dd494c64594038bedc563eea490680756485d16ddd3a2d1f2976be866d9fd7eb8fdbb02b0e94f550e5a5cb1ecca8f26a
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc43:NFWPClFH

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/464-0-0x00007FF727F50000-0x00007FF728345000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b34-5.dat	xmrig
behavioral2/files/0x000a000000023b91-8.dat	xmrig
behavioral2/files/0x000b000000023b90-16.dat	xmrig
behavioral2/files/0x000a000000023b93-29.dat	xmrig
behavioral2/files/0x000a000000023b94-32.dat	xmrig
behavioral2/files/0x000a000000023b95-39.dat	xmrig
behavioral2/files/0x000a000000023b96-42.dat	xmrig
behavioral2/files/0x000a000000023b9b-67.dat	xmrig
behavioral2/files/0x000a000000023ba0-94.dat	xmrig
behavioral2/files/0x000a000000023ba3-109.dat	xmrig
behavioral2/files/0x000a000000023ba6-122.dat	xmrig
behavioral2/files/0x000a000000023ba8-134.dat	xmrig
behavioral2/memory/4948-801-0x00007FF721C70000-0x00007FF722065000-memory.dmp	xmrig
behavioral2/memory/372-802-0x00007FF651CD0000-0x00007FF6520C5000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bae-164.dat	xmrig
behavioral2/files/0x000a000000023bad-159.dat	xmrig
behavioral2/files/0x000a000000023bac-154.dat	xmrig
behavioral2/files/0x000a000000023bab-149.dat	xmrig
behavioral2/files/0x000a000000023baa-144.dat	xmrig
behavioral2/files/0x000a000000023ba9-139.dat	xmrig
behavioral2/files/0x000a000000023ba7-129.dat	xmrig
behavioral2/files/0x000a000000023ba5-119.dat	xmrig
behavioral2/files/0x000a000000023ba4-114.dat	xmrig
behavioral2/files/0x000a000000023ba2-104.dat	xmrig
behavioral2/files/0x000a000000023ba1-99.dat	xmrig
behavioral2/files/0x000a000000023b9f-89.dat	xmrig
behavioral2/files/0x000a000000023b9e-84.dat	xmrig
behavioral2/files/0x000a000000023b9d-79.dat	xmrig
behavioral2/files/0x000a000000023b9c-74.dat	xmrig
behavioral2/files/0x000a000000023b9a-64.dat	xmrig
behavioral2/files/0x000a000000023b99-59.dat	xmrig
behavioral2/files/0x000a000000023b98-54.dat	xmrig
behavioral2/files/0x000a000000023b97-49.dat	xmrig
behavioral2/files/0x000a000000023b92-24.dat	xmrig
behavioral2/memory/4472-23-0x00007FF717B90000-0x00007FF717F85000-memory.dmp	xmrig
behavioral2/memory/3532-20-0x00007FF786840000-0x00007FF786C35000-memory.dmp	xmrig
behavioral2/memory/2192-14-0x00007FF7B6430000-0x00007FF7B6825000-memory.dmp	xmrig
behavioral2/memory/1084-805-0x00007FF6BFCA0000-0x00007FF6C0095000-memory.dmp	xmrig
behavioral2/memory/4444-833-0x00007FF7246F0000-0x00007FF724AE5000-memory.dmp	xmrig
behavioral2/memory/3372-839-0x00007FF6496F0000-0x00007FF649AE5000-memory.dmp	xmrig
behavioral2/memory/2908-850-0x00007FF630E80000-0x00007FF631275000-memory.dmp	xmrig
behavioral2/memory/4704-856-0x00007FF62EE70000-0x00007FF62F265000-memory.dmp	xmrig
behavioral2/memory/3796-849-0x00007FF746F00000-0x00007FF7472F5000-memory.dmp	xmrig
behavioral2/memory/4648-843-0x00007FF635590000-0x00007FF635985000-memory.dmp	xmrig
behavioral2/memory/2768-823-0x00007FF692B40000-0x00007FF692F35000-memory.dmp	xmrig
behavioral2/memory/4240-818-0x00007FF7A1CA0000-0x00007FF7A2095000-memory.dmp	xmrig
behavioral2/memory/1284-812-0x00007FF64C630000-0x00007FF64CA25000-memory.dmp	xmrig
behavioral2/memory/708-861-0x00007FF6701E0000-0x00007FF6705D5000-memory.dmp	xmrig
behavioral2/memory/3144-864-0x00007FF7C6EE0000-0x00007FF7C72D5000-memory.dmp	xmrig
behavioral2/memory/2976-873-0x00007FF772C30000-0x00007FF773025000-memory.dmp	xmrig
behavioral2/memory/2484-878-0x00007FF687D60000-0x00007FF688155000-memory.dmp	xmrig
behavioral2/memory/4580-883-0x00007FF767C00000-0x00007FF767FF5000-memory.dmp	xmrig
behavioral2/memory/4076-901-0x00007FF6D9FE0000-0x00007FF6DA3D5000-memory.dmp	xmrig
behavioral2/memory/3972-907-0x00007FF7F5DA0000-0x00007FF7F6195000-memory.dmp	xmrig
behavioral2/memory/976-892-0x00007FF6BC9D0000-0x00007FF6BCDC5000-memory.dmp	xmrig
behavioral2/memory/2300-888-0x00007FF6F0BE0000-0x00007FF6F0FD5000-memory.dmp	xmrig
behavioral2/memory/464-1888-0x00007FF727F50000-0x00007FF728345000-memory.dmp	xmrig
behavioral2/memory/4948-1889-0x00007FF721C70000-0x00007FF722065000-memory.dmp	xmrig
behavioral2/memory/2192-1890-0x00007FF7B6430000-0x00007FF7B6825000-memory.dmp	xmrig
behavioral2/memory/3532-1891-0x00007FF786840000-0x00007FF786C35000-memory.dmp	xmrig
behavioral2/memory/4472-1892-0x00007FF717B90000-0x00007FF717F85000-memory.dmp	xmrig
behavioral2/memory/3372-1894-0x00007FF6496F0000-0x00007FF649AE5000-memory.dmp	xmrig
behavioral2/memory/1284-1900-0x00007FF64C630000-0x00007FF64CA25000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2192	lTvKYzR.exe
4472	RwkPhgo.exe
3532	ndEcOGB.exe
4948	lnFLjsd.exe
3972	vbtkffA.exe
372	XhowHKy.exe
1084	fgEqcYn.exe
1284	WYMpWeS.exe
4240	YOnZkKG.exe
2768	DxwEWgP.exe
4444	LWBhsuc.exe
3372	ItnnJaJ.exe
4648	hGLyWFn.exe
3796	ukjMOMs.exe
2908	KZsWmqS.exe
4704	JdCNYPp.exe
708	uamwZKu.exe
3144	uIMlMHx.exe
2976	wXfqCqY.exe
2484	quHkJMz.exe
4580	XvAzhKd.exe
2300	CEaHPsn.exe
976	jWZqmMv.exe
4076	rbrbmgg.exe
4432	GJSKDZN.exe
3280	LoWFiLN.exe
3108	dMYsqWJ.exe
5080	YVIpcwj.exe
4956	nUqTVeN.exe
536	UitJYXj.exe
2828	nETKrsX.exe
392	NOZLlcw.exe
2180	PpbXRco.exe
2124	rSBCnFb.exe
3168	tcaFrox.exe
5000	auWZTlp.exe
432	ZlLLRoa.exe
4364	XqqVvtB.exe
3244	Ghxyapy.exe
4932	MBZttrl.exe
3052	jPkZzCz.exe
920	VdHDrBh.exe
4320	qUwQuSs.exe
1964	HATwXgi.exe
376	vPMSSwK.exe
4780	sUSnfId.exe
3988	kGggEYB.exe
2080	THogopI.exe
2824	MInZmtg.exe
3432	mWXusFy.exe
4460	pmMVfHx.exe
3852	weyPiju.exe
756	nhczZhS.exe
3668	SQidqdJ.exe
4692	eNsBMRi.exe
1772	SJuIgZG.exe
2372	ohLAQMk.exe
532	TbXlQIl.exe
4396	hgIINnj.exe
4696	qQMiQME.exe
4080	kOfTIUV.exe
1264	CpinhTz.exe
4832	KhFMbcx.exe
4732	CvRnGnW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/464-0-0x00007FF727F50000-0x00007FF728345000-memory.dmp	upx
behavioral2/files/0x000c000000023b34-5.dat	upx
behavioral2/files/0x000a000000023b91-8.dat	upx
behavioral2/files/0x000b000000023b90-16.dat	upx
behavioral2/files/0x000a000000023b93-29.dat	upx
behavioral2/files/0x000a000000023b94-32.dat	upx
behavioral2/files/0x000a000000023b95-39.dat	upx
behavioral2/files/0x000a000000023b96-42.dat	upx
behavioral2/files/0x000a000000023b9b-67.dat	upx
behavioral2/files/0x000a000000023ba0-94.dat	upx
behavioral2/files/0x000a000000023ba3-109.dat	upx
behavioral2/files/0x000a000000023ba6-122.dat	upx
behavioral2/files/0x000a000000023ba8-134.dat	upx
behavioral2/memory/4948-801-0x00007FF721C70000-0x00007FF722065000-memory.dmp	upx
behavioral2/memory/372-802-0x00007FF651CD0000-0x00007FF6520C5000-memory.dmp	upx
behavioral2/files/0x000a000000023bae-164.dat	upx
behavioral2/files/0x000a000000023bad-159.dat	upx
behavioral2/files/0x000a000000023bac-154.dat	upx
behavioral2/files/0x000a000000023bab-149.dat	upx
behavioral2/files/0x000a000000023baa-144.dat	upx
behavioral2/files/0x000a000000023ba9-139.dat	upx
behavioral2/files/0x000a000000023ba7-129.dat	upx
behavioral2/files/0x000a000000023ba5-119.dat	upx
behavioral2/files/0x000a000000023ba4-114.dat	upx
behavioral2/files/0x000a000000023ba2-104.dat	upx
behavioral2/files/0x000a000000023ba1-99.dat	upx
behavioral2/files/0x000a000000023b9f-89.dat	upx
behavioral2/files/0x000a000000023b9e-84.dat	upx
behavioral2/files/0x000a000000023b9d-79.dat	upx
behavioral2/files/0x000a000000023b9c-74.dat	upx
behavioral2/files/0x000a000000023b9a-64.dat	upx
behavioral2/files/0x000a000000023b99-59.dat	upx
behavioral2/files/0x000a000000023b98-54.dat	upx
behavioral2/files/0x000a000000023b97-49.dat	upx
behavioral2/files/0x000a000000023b92-24.dat	upx
behavioral2/memory/4472-23-0x00007FF717B90000-0x00007FF717F85000-memory.dmp	upx
behavioral2/memory/3532-20-0x00007FF786840000-0x00007FF786C35000-memory.dmp	upx
behavioral2/memory/2192-14-0x00007FF7B6430000-0x00007FF7B6825000-memory.dmp	upx
behavioral2/memory/1084-805-0x00007FF6BFCA0000-0x00007FF6C0095000-memory.dmp	upx
behavioral2/memory/4444-833-0x00007FF7246F0000-0x00007FF724AE5000-memory.dmp	upx
behavioral2/memory/3372-839-0x00007FF6496F0000-0x00007FF649AE5000-memory.dmp	upx
behavioral2/memory/2908-850-0x00007FF630E80000-0x00007FF631275000-memory.dmp	upx
behavioral2/memory/4704-856-0x00007FF62EE70000-0x00007FF62F265000-memory.dmp	upx
behavioral2/memory/3796-849-0x00007FF746F00000-0x00007FF7472F5000-memory.dmp	upx
behavioral2/memory/4648-843-0x00007FF635590000-0x00007FF635985000-memory.dmp	upx
behavioral2/memory/2768-823-0x00007FF692B40000-0x00007FF692F35000-memory.dmp	upx
behavioral2/memory/4240-818-0x00007FF7A1CA0000-0x00007FF7A2095000-memory.dmp	upx
behavioral2/memory/1284-812-0x00007FF64C630000-0x00007FF64CA25000-memory.dmp	upx
behavioral2/memory/708-861-0x00007FF6701E0000-0x00007FF6705D5000-memory.dmp	upx
behavioral2/memory/3144-864-0x00007FF7C6EE0000-0x00007FF7C72D5000-memory.dmp	upx
behavioral2/memory/2976-873-0x00007FF772C30000-0x00007FF773025000-memory.dmp	upx
behavioral2/memory/2484-878-0x00007FF687D60000-0x00007FF688155000-memory.dmp	upx
behavioral2/memory/4580-883-0x00007FF767C00000-0x00007FF767FF5000-memory.dmp	upx
behavioral2/memory/4076-901-0x00007FF6D9FE0000-0x00007FF6DA3D5000-memory.dmp	upx
behavioral2/memory/3972-907-0x00007FF7F5DA0000-0x00007FF7F6195000-memory.dmp	upx
behavioral2/memory/976-892-0x00007FF6BC9D0000-0x00007FF6BCDC5000-memory.dmp	upx
behavioral2/memory/2300-888-0x00007FF6F0BE0000-0x00007FF6F0FD5000-memory.dmp	upx
behavioral2/memory/464-1888-0x00007FF727F50000-0x00007FF728345000-memory.dmp	upx
behavioral2/memory/4948-1889-0x00007FF721C70000-0x00007FF722065000-memory.dmp	upx
behavioral2/memory/2192-1890-0x00007FF7B6430000-0x00007FF7B6825000-memory.dmp	upx
behavioral2/memory/3532-1891-0x00007FF786840000-0x00007FF786C35000-memory.dmp	upx
behavioral2/memory/4472-1892-0x00007FF717B90000-0x00007FF717F85000-memory.dmp	upx
behavioral2/memory/3372-1894-0x00007FF6496F0000-0x00007FF649AE5000-memory.dmp	upx
behavioral2/memory/1284-1900-0x00007FF64C630000-0x00007FF64CA25000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\sUUHLwF.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\bUqbXbd.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\MPfDXpP.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\VzBirDy.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\DxwEWgP.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\vPMSSwK.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\nCmqust.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\lELiBKo.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\MxOTEqM.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\cIlXnio.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\hAjuTcL.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\ahLeeUK.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\piFuCUf.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\wSpskkz.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\PKtcUsp.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\RwkPhgo.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\jPkZzCz.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\tbleCAl.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\HKmKlgT.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\atOwmKX.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\dpFUlCz.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\oMtWVyi.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\EMAoECy.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\rbrbmgg.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\nUqTVeN.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\VdHDrBh.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\QBDrMHS.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\fsWiDte.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\SQidqdJ.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\rZDmGBT.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\RdQVZMm.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\wgceXSJ.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\rSBCnFb.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\dyCmjWh.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\iLvoDpb.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\QUENdPr.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\DjgQEBc.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\ZYKVnEL.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\TbXlQIl.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\HBiSsyl.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\cODaIZT.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\bpbdhwu.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\LoWFiLN.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\HATwXgi.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\jMtwgIh.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\YcbaNYA.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\sUSnfId.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\bZybDuY.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\chXIgkC.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\mPPkZcR.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\DvsUCDN.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\YVIpcwj.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\VMWRQLK.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\hTvzJHY.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\XmSvPgL.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\HvEkQLR.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\MYEBsrv.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\vuACRNt.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\aoLYgzS.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\zYZoCZH.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\RqoDWGe.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\tyYxTzB.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\qkuxzdw.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe
File created	C:\Windows\System32\llizfwi.exe	e33f09a1b05b342c7f474ee413b22980_NEAS.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13780	dwm.exe
Token: SeChangeNotifyPrivilege	13780	dwm.exe
Token: 33	13780	dwm.exe
Token: SeIncBasePriorityPrivilege	13780	dwm.exe
Token: SeShutdownPrivilege	13780	dwm.exe
Token: SeCreatePagefilePrivilege	13780	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 2192	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	86
PID 464 wrote to memory of 2192	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	86
PID 464 wrote to memory of 3532	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	87
PID 464 wrote to memory of 3532	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	87
PID 464 wrote to memory of 4472	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	88
PID 464 wrote to memory of 4472	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	88
PID 464 wrote to memory of 4948	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	89
PID 464 wrote to memory of 4948	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	89
PID 464 wrote to memory of 3972	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	90
PID 464 wrote to memory of 3972	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	90
PID 464 wrote to memory of 372	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	91
PID 464 wrote to memory of 372	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	91
PID 464 wrote to memory of 1084	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	92
PID 464 wrote to memory of 1084	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	92
PID 464 wrote to memory of 1284	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	93
PID 464 wrote to memory of 1284	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	93
PID 464 wrote to memory of 4240	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	94
PID 464 wrote to memory of 4240	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	94
PID 464 wrote to memory of 2768	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	95
PID 464 wrote to memory of 2768	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	95
PID 464 wrote to memory of 4444	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	96
PID 464 wrote to memory of 4444	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	96
PID 464 wrote to memory of 3372	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	97
PID 464 wrote to memory of 3372	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	97
PID 464 wrote to memory of 4648	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	98
PID 464 wrote to memory of 4648	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	98
PID 464 wrote to memory of 3796	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	99
PID 464 wrote to memory of 3796	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	99
PID 464 wrote to memory of 2908	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	100
PID 464 wrote to memory of 2908	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	100
PID 464 wrote to memory of 4704	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	101
PID 464 wrote to memory of 4704	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	101
PID 464 wrote to memory of 708	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	102
PID 464 wrote to memory of 708	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	102
PID 464 wrote to memory of 3144	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	103
PID 464 wrote to memory of 3144	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	103
PID 464 wrote to memory of 2976	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	104
PID 464 wrote to memory of 2976	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	104
PID 464 wrote to memory of 2484	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	105
PID 464 wrote to memory of 2484	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	105
PID 464 wrote to memory of 4580	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	106
PID 464 wrote to memory of 4580	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	106
PID 464 wrote to memory of 2300	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	107
PID 464 wrote to memory of 2300	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	107
PID 464 wrote to memory of 976	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	108
PID 464 wrote to memory of 976	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	108
PID 464 wrote to memory of 4076	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	109
PID 464 wrote to memory of 4076	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	109
PID 464 wrote to memory of 4432	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	110
PID 464 wrote to memory of 4432	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	110
PID 464 wrote to memory of 3280	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	111
PID 464 wrote to memory of 3280	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	111
PID 464 wrote to memory of 3108	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	112
PID 464 wrote to memory of 3108	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	112
PID 464 wrote to memory of 5080	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	113
PID 464 wrote to memory of 5080	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	113
PID 464 wrote to memory of 4956	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	114
PID 464 wrote to memory of 4956	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	114
PID 464 wrote to memory of 536	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	115
PID 464 wrote to memory of 536	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	115
PID 464 wrote to memory of 2828	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	116
PID 464 wrote to memory of 2828	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	116
PID 464 wrote to memory of 392	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	117
PID 464 wrote to memory of 392	464	e33f09a1b05b342c7f474ee413b22980_NEAS.exe	117

C:\Users\Admin\AppData\Local\Temp\e33f09a1b05b342c7f474ee413b22980_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\e33f09a1b05b342c7f474ee413b22980_NEAS.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\System32\lTvKYzR.exe
  C:\Windows\System32\lTvKYzR.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System32\ndEcOGB.exe
  C:\Windows\System32\ndEcOGB.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\RwkPhgo.exe
  C:\Windows\System32\RwkPhgo.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System32\lnFLjsd.exe
  C:\Windows\System32\lnFLjsd.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\vbtkffA.exe
  C:\Windows\System32\vbtkffA.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System32\XhowHKy.exe
  C:\Windows\System32\XhowHKy.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System32\fgEqcYn.exe
  C:\Windows\System32\fgEqcYn.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System32\WYMpWeS.exe
  C:\Windows\System32\WYMpWeS.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System32\YOnZkKG.exe
  C:\Windows\System32\YOnZkKG.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\DxwEWgP.exe
  C:\Windows\System32\DxwEWgP.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System32\LWBhsuc.exe
  C:\Windows\System32\LWBhsuc.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System32\ItnnJaJ.exe
  C:\Windows\System32\ItnnJaJ.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System32\hGLyWFn.exe
  C:\Windows\System32\hGLyWFn.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System32\ukjMOMs.exe
  C:\Windows\System32\ukjMOMs.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System32\KZsWmqS.exe
  C:\Windows\System32\KZsWmqS.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System32\JdCNYPp.exe
  C:\Windows\System32\JdCNYPp.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System32\uamwZKu.exe
  C:\Windows\System32\uamwZKu.exe
  2⤵
  - Executes dropped EXE
  PID:708
- C:\Windows\System32\uIMlMHx.exe
  C:\Windows\System32\uIMlMHx.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System32\wXfqCqY.exe
  C:\Windows\System32\wXfqCqY.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System32\quHkJMz.exe
  C:\Windows\System32\quHkJMz.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\XvAzhKd.exe
  C:\Windows\System32\XvAzhKd.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System32\CEaHPsn.exe
  C:\Windows\System32\CEaHPsn.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System32\jWZqmMv.exe
  C:\Windows\System32\jWZqmMv.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System32\rbrbmgg.exe
  C:\Windows\System32\rbrbmgg.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\GJSKDZN.exe
  C:\Windows\System32\GJSKDZN.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\LoWFiLN.exe
  C:\Windows\System32\LoWFiLN.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\dMYsqWJ.exe
  C:\Windows\System32\dMYsqWJ.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System32\YVIpcwj.exe
  C:\Windows\System32\YVIpcwj.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\nUqTVeN.exe
  C:\Windows\System32\nUqTVeN.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\UitJYXj.exe
  C:\Windows\System32\UitJYXj.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System32\nETKrsX.exe
  C:\Windows\System32\nETKrsX.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System32\NOZLlcw.exe
  C:\Windows\System32\NOZLlcw.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\PpbXRco.exe
  C:\Windows\System32\PpbXRco.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System32\rSBCnFb.exe
  C:\Windows\System32\rSBCnFb.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System32\tcaFrox.exe
  C:\Windows\System32\tcaFrox.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\auWZTlp.exe
  C:\Windows\System32\auWZTlp.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System32\ZlLLRoa.exe
  C:\Windows\System32\ZlLLRoa.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\XqqVvtB.exe
  C:\Windows\System32\XqqVvtB.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System32\Ghxyapy.exe
  C:\Windows\System32\Ghxyapy.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System32\MBZttrl.exe
  C:\Windows\System32\MBZttrl.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\jPkZzCz.exe
  C:\Windows\System32\jPkZzCz.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\VdHDrBh.exe
  C:\Windows\System32\VdHDrBh.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System32\qUwQuSs.exe
  C:\Windows\System32\qUwQuSs.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\HATwXgi.exe
  C:\Windows\System32\HATwXgi.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System32\vPMSSwK.exe
  C:\Windows\System32\vPMSSwK.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System32\sUSnfId.exe
  C:\Windows\System32\sUSnfId.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\kGggEYB.exe
  C:\Windows\System32\kGggEYB.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\THogopI.exe
  C:\Windows\System32\THogopI.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System32\MInZmtg.exe
  C:\Windows\System32\MInZmtg.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System32\mWXusFy.exe
  C:\Windows\System32\mWXusFy.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System32\pmMVfHx.exe
  C:\Windows\System32\pmMVfHx.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\weyPiju.exe
  C:\Windows\System32\weyPiju.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System32\nhczZhS.exe
  C:\Windows\System32\nhczZhS.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\SQidqdJ.exe
  C:\Windows\System32\SQidqdJ.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System32\eNsBMRi.exe
  C:\Windows\System32\eNsBMRi.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\SJuIgZG.exe
  C:\Windows\System32\SJuIgZG.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System32\ohLAQMk.exe
  C:\Windows\System32\ohLAQMk.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System32\TbXlQIl.exe
  C:\Windows\System32\TbXlQIl.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\hgIINnj.exe
  C:\Windows\System32\hgIINnj.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\qQMiQME.exe
  C:\Windows\System32\qQMiQME.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\kOfTIUV.exe
  C:\Windows\System32\kOfTIUV.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\CpinhTz.exe
  C:\Windows\System32\CpinhTz.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System32\KhFMbcx.exe
  C:\Windows\System32\KhFMbcx.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System32\CvRnGnW.exe
  C:\Windows\System32\CvRnGnW.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\eoXONKe.exe
  C:\Windows\System32\eoXONKe.exe
  2⤵
  PID:1896
- C:\Windows\System32\MnMRbcg.exe
  C:\Windows\System32\MnMRbcg.exe
  2⤵
  PID:2984
- C:\Windows\System32\dCKgvxC.exe
  C:\Windows\System32\dCKgvxC.exe
  2⤵
  PID:3232
- C:\Windows\System32\ndGbvXO.exe
  C:\Windows\System32\ndGbvXO.exe
  2⤵
  PID:2332
- C:\Windows\System32\lEqGMWj.exe
  C:\Windows\System32\lEqGMWj.exe
  2⤵
  PID:3964
- C:\Windows\System32\ZXUBXEq.exe
  C:\Windows\System32\ZXUBXEq.exe
  2⤵
  PID:4596
- C:\Windows\System32\tZlzedX.exe
  C:\Windows\System32\tZlzedX.exe
  2⤵
  PID:5144
- C:\Windows\System32\VMWRQLK.exe
  C:\Windows\System32\VMWRQLK.exe
  2⤵
  PID:5172
- C:\Windows\System32\pwTEaEA.exe
  C:\Windows\System32\pwTEaEA.exe
  2⤵
  PID:5200
- C:\Windows\System32\cvdpvQl.exe
  C:\Windows\System32\cvdpvQl.exe
  2⤵
  PID:5228
- C:\Windows\System32\zyjYdbz.exe
  C:\Windows\System32\zyjYdbz.exe
  2⤵
  PID:5256
- C:\Windows\System32\mXPdohf.exe
  C:\Windows\System32\mXPdohf.exe
  2⤵
  PID:5284
- C:\Windows\System32\tLwAtLv.exe
  C:\Windows\System32\tLwAtLv.exe
  2⤵
  PID:5312
- C:\Windows\System32\JxSJxpx.exe
  C:\Windows\System32\JxSJxpx.exe
  2⤵
  PID:5340
- C:\Windows\System32\KJmVjUs.exe
  C:\Windows\System32\KJmVjUs.exe
  2⤵
  PID:5368
- C:\Windows\System32\qPKtmWQ.exe
  C:\Windows\System32\qPKtmWQ.exe
  2⤵
  PID:5396
- C:\Windows\System32\dImKkyW.exe
  C:\Windows\System32\dImKkyW.exe
  2⤵
  PID:5424
- C:\Windows\System32\sYzMNTS.exe
  C:\Windows\System32\sYzMNTS.exe
  2⤵
  PID:5452
- C:\Windows\System32\btiURjx.exe
  C:\Windows\System32\btiURjx.exe
  2⤵
  PID:5480
- C:\Windows\System32\xAuIsxZ.exe
  C:\Windows\System32\xAuIsxZ.exe
  2⤵
  PID:5508
- C:\Windows\System32\wpcyNfg.exe
  C:\Windows\System32\wpcyNfg.exe
  2⤵
  PID:5536
- C:\Windows\System32\DubCDkz.exe
  C:\Windows\System32\DubCDkz.exe
  2⤵
  PID:5564
- C:\Windows\System32\khDmaTr.exe
  C:\Windows\System32\khDmaTr.exe
  2⤵
  PID:5592
- C:\Windows\System32\MYYmPgl.exe
  C:\Windows\System32\MYYmPgl.exe
  2⤵
  PID:5620
- C:\Windows\System32\jJvWTOA.exe
  C:\Windows\System32\jJvWTOA.exe
  2⤵
  PID:5648
- C:\Windows\System32\qZUeHSx.exe
  C:\Windows\System32\qZUeHSx.exe
  2⤵
  PID:5676
- C:\Windows\System32\mWWWHKX.exe
  C:\Windows\System32\mWWWHKX.exe
  2⤵
  PID:5704
- C:\Windows\System32\SpRdNiZ.exe
  C:\Windows\System32\SpRdNiZ.exe
  2⤵
  PID:5732
- C:\Windows\System32\kjHzXZP.exe
  C:\Windows\System32\kjHzXZP.exe
  2⤵
  PID:5760
- C:\Windows\System32\mOhhdqI.exe
  C:\Windows\System32\mOhhdqI.exe
  2⤵
  PID:5788
- C:\Windows\System32\yeKnEgR.exe
  C:\Windows\System32\yeKnEgR.exe
  2⤵
  PID:5816
- C:\Windows\System32\mZPNFTo.exe
  C:\Windows\System32\mZPNFTo.exe
  2⤵
  PID:5844
- C:\Windows\System32\qmSOmsm.exe
  C:\Windows\System32\qmSOmsm.exe
  2⤵
  PID:5872
- C:\Windows\System32\EuRqBwX.exe
  C:\Windows\System32\EuRqBwX.exe
  2⤵
  PID:5900
- C:\Windows\System32\AMsRZnf.exe
  C:\Windows\System32\AMsRZnf.exe
  2⤵
  PID:5928
- C:\Windows\System32\bUZPPty.exe
  C:\Windows\System32\bUZPPty.exe
  2⤵
  PID:5956
- C:\Windows\System32\kZDOdQc.exe
  C:\Windows\System32\kZDOdQc.exe
  2⤵
  PID:5984
- C:\Windows\System32\tbleCAl.exe
  C:\Windows\System32\tbleCAl.exe
  2⤵
  PID:6012
- C:\Windows\System32\lxfgFIY.exe
  C:\Windows\System32\lxfgFIY.exe
  2⤵
  PID:6040
- C:\Windows\System32\jdCOzXN.exe
  C:\Windows\System32\jdCOzXN.exe
  2⤵
  PID:6068
- C:\Windows\System32\umdSeAI.exe
  C:\Windows\System32\umdSeAI.exe
  2⤵
  PID:6096
- C:\Windows\System32\sXzCudW.exe
  C:\Windows\System32\sXzCudW.exe
  2⤵
  PID:6124
- C:\Windows\System32\bHsVJru.exe
  C:\Windows\System32\bHsVJru.exe
  2⤵
  PID:2920
- C:\Windows\System32\CQoesWR.exe
  C:\Windows\System32\CQoesWR.exe
  2⤵
  PID:1196
- C:\Windows\System32\jperqzI.exe
  C:\Windows\System32\jperqzI.exe
  2⤵
  PID:4996
- C:\Windows\System32\PAigUsA.exe
  C:\Windows\System32\PAigUsA.exe
  2⤵
  PID:540
- C:\Windows\System32\zTKhvLU.exe
  C:\Windows\System32\zTKhvLU.exe
  2⤵
  PID:5124
- C:\Windows\System32\KFXCgga.exe
  C:\Windows\System32\KFXCgga.exe
  2⤵
  PID:5192
- C:\Windows\System32\dyCmjWh.exe
  C:\Windows\System32\dyCmjWh.exe
  2⤵
  PID:5272
- C:\Windows\System32\IgHKRfU.exe
  C:\Windows\System32\IgHKRfU.exe
  2⤵
  PID:5348
- C:\Windows\System32\rdvOnHT.exe
  C:\Windows\System32\rdvOnHT.exe
  2⤵
  PID:5388
- C:\Windows\System32\NMAGYKI.exe
  C:\Windows\System32\NMAGYKI.exe
  2⤵
  PID:5468
- C:\Windows\System32\SGKMnSo.exe
  C:\Windows\System32\SGKMnSo.exe
  2⤵
  PID:5544
- C:\Windows\System32\GfmDuGh.exe
  C:\Windows\System32\GfmDuGh.exe
  2⤵
  PID:5600
- C:\Windows\System32\YzHalvz.exe
  C:\Windows\System32\YzHalvz.exe
  2⤵
  PID:5668
- C:\Windows\System32\hTvzJHY.exe
  C:\Windows\System32\hTvzJHY.exe
  2⤵
  PID:5748
- C:\Windows\System32\CrNccUp.exe
  C:\Windows\System32\CrNccUp.exe
  2⤵
  PID:5780
- C:\Windows\System32\sHOIofw.exe
  C:\Windows\System32\sHOIofw.exe
  2⤵
  PID:5860
- C:\Windows\System32\gJogwnA.exe
  C:\Windows\System32\gJogwnA.exe
  2⤵
  PID:5908
- C:\Windows\System32\Fmbbzto.exe
  C:\Windows\System32\Fmbbzto.exe
  2⤵
  PID:5976
- C:\Windows\System32\NKvQLiP.exe
  C:\Windows\System32\NKvQLiP.exe
  2⤵
  PID:6056
- C:\Windows\System32\lGsbDeK.exe
  C:\Windows\System32\lGsbDeK.exe
  2⤵
  PID:6104
- C:\Windows\System32\sXrIIdH.exe
  C:\Windows\System32\sXrIIdH.exe
  2⤵
  PID:2356
- C:\Windows\System32\AOOvlvh.exe
  C:\Windows\System32\AOOvlvh.exe
  2⤵
  PID:4812
- C:\Windows\System32\rdQLizU.exe
  C:\Windows\System32\rdQLizU.exe
  2⤵
  PID:5208
- C:\Windows\System32\QFsFWqW.exe
  C:\Windows\System32\QFsFWqW.exe
  2⤵
  PID:5376
- C:\Windows\System32\gPQxiHd.exe
  C:\Windows\System32\gPQxiHd.exe
  2⤵
  PID:5572
- C:\Windows\System32\LQktOcn.exe
  C:\Windows\System32\LQktOcn.exe
  2⤵
  PID:5684
- C:\Windows\System32\STMGLKU.exe
  C:\Windows\System32\STMGLKU.exe
  2⤵
  PID:5824
- C:\Windows\System32\NwSwJdb.exe
  C:\Windows\System32\NwSwJdb.exe
  2⤵
  PID:6028
- C:\Windows\System32\sXANfgm.exe
  C:\Windows\System32\sXANfgm.exe
  2⤵
  PID:6172
- C:\Windows\System32\rZDmGBT.exe
  C:\Windows\System32\rZDmGBT.exe
  2⤵
  PID:6208
- C:\Windows\System32\gmUaDBb.exe
  C:\Windows\System32\gmUaDBb.exe
  2⤵
  PID:6240
- C:\Windows\System32\cwPSocc.exe
  C:\Windows\System32\cwPSocc.exe
  2⤵
  PID:6256
- C:\Windows\System32\OMaGfQR.exe
  C:\Windows\System32\OMaGfQR.exe
  2⤵
  PID:6284
- C:\Windows\System32\qshwfvd.exe
  C:\Windows\System32\qshwfvd.exe
  2⤵
  PID:6312
- C:\Windows\System32\JPydpNp.exe
  C:\Windows\System32\JPydpNp.exe
  2⤵
  PID:6340
- C:\Windows\System32\RbrerRu.exe
  C:\Windows\System32\RbrerRu.exe
  2⤵
  PID:6368
- C:\Windows\System32\IDLdacX.exe
  C:\Windows\System32\IDLdacX.exe
  2⤵
  PID:6396
- C:\Windows\System32\yAiBuJq.exe
  C:\Windows\System32\yAiBuJq.exe
  2⤵
  PID:6424
- C:\Windows\System32\FKIihJv.exe
  C:\Windows\System32\FKIihJv.exe
  2⤵
  PID:6464
- C:\Windows\System32\ReSPGHg.exe
  C:\Windows\System32\ReSPGHg.exe
  2⤵
  PID:6480
- C:\Windows\System32\FNxtVls.exe
  C:\Windows\System32\FNxtVls.exe
  2⤵
  PID:6516
- C:\Windows\System32\giPixmX.exe
  C:\Windows\System32\giPixmX.exe
  2⤵
  PID:6536
- C:\Windows\System32\RdQVZMm.exe
  C:\Windows\System32\RdQVZMm.exe
  2⤵
  PID:6572
- C:\Windows\System32\ZJOQrbe.exe
  C:\Windows\System32\ZJOQrbe.exe
  2⤵
  PID:6600
- C:\Windows\System32\OpnIBxX.exe
  C:\Windows\System32\OpnIBxX.exe
  2⤵
  PID:6620
- C:\Windows\System32\TvdGlYM.exe
  C:\Windows\System32\TvdGlYM.exe
  2⤵
  PID:6648
- C:\Windows\System32\BxyeBFX.exe
  C:\Windows\System32\BxyeBFX.exe
  2⤵
  PID:6676
- C:\Windows\System32\UkGbJxb.exe
  C:\Windows\System32\UkGbJxb.exe
  2⤵
  PID:6712
- C:\Windows\System32\zzRBNGL.exe
  C:\Windows\System32\zzRBNGL.exe
  2⤵
  PID:6732
- C:\Windows\System32\GotAyyL.exe
  C:\Windows\System32\GotAyyL.exe
  2⤵
  PID:6760
- C:\Windows\System32\ssUkDaP.exe
  C:\Windows\System32\ssUkDaP.exe
  2⤵
  PID:6788
- C:\Windows\System32\ZyQmdJd.exe
  C:\Windows\System32\ZyQmdJd.exe
  2⤵
  PID:6816
- C:\Windows\System32\OJPGIiT.exe
  C:\Windows\System32\OJPGIiT.exe
  2⤵
  PID:6844
- C:\Windows\System32\OymTTga.exe
  C:\Windows\System32\OymTTga.exe
  2⤵
  PID:6880
- C:\Windows\System32\WLPeaWT.exe
  C:\Windows\System32\WLPeaWT.exe
  2⤵
  PID:6908
- C:\Windows\System32\ksdKgZh.exe
  C:\Windows\System32\ksdKgZh.exe
  2⤵
  PID:6928
- C:\Windows\System32\HKmKlgT.exe
  C:\Windows\System32\HKmKlgT.exe
  2⤵
  PID:6956
- C:\Windows\System32\ZcDwVfr.exe
  C:\Windows\System32\ZcDwVfr.exe
  2⤵
  PID:6984
- C:\Windows\System32\TUXYiEA.exe
  C:\Windows\System32\TUXYiEA.exe
  2⤵
  PID:7020
- C:\Windows\System32\PpPzhPS.exe
  C:\Windows\System32\PpPzhPS.exe
  2⤵
  PID:7040
- C:\Windows\System32\QBDrMHS.exe
  C:\Windows\System32\QBDrMHS.exe
  2⤵
  PID:7068
- C:\Windows\System32\ZEISqHw.exe
  C:\Windows\System32\ZEISqHw.exe
  2⤵
  PID:7096
- C:\Windows\System32\FbsQQot.exe
  C:\Windows\System32\FbsQQot.exe
  2⤵
  PID:7124
- C:\Windows\System32\RDGsapE.exe
  C:\Windows\System32\RDGsapE.exe
  2⤵
  PID:7152
- C:\Windows\System32\vkZZmAS.exe
  C:\Windows\System32\vkZZmAS.exe
  2⤵
  PID:6140
- C:\Windows\System32\zkMmIcR.exe
  C:\Windows\System32\zkMmIcR.exe
  2⤵
  PID:3608
- C:\Windows\System32\eisNOgL.exe
  C:\Windows\System32\eisNOgL.exe
  2⤵
  PID:5488
- C:\Windows\System32\kgBffXX.exe
  C:\Windows\System32\kgBffXX.exe
  2⤵
  PID:5740
- C:\Windows\System32\oBCteNz.exe
  C:\Windows\System32\oBCteNz.exe
  2⤵
  PID:6152
- C:\Windows\System32\YtdAqgP.exe
  C:\Windows\System32\YtdAqgP.exe
  2⤵
  PID:6224
- C:\Windows\System32\okcZkCp.exe
  C:\Windows\System32\okcZkCp.exe
  2⤵
  PID:6276
- C:\Windows\System32\QYWdEOc.exe
  C:\Windows\System32\QYWdEOc.exe
  2⤵
  PID:6356
- C:\Windows\System32\FjeUwnn.exe
  C:\Windows\System32\FjeUwnn.exe
  2⤵
  PID:6404
- C:\Windows\System32\LeIqVgO.exe
  C:\Windows\System32\LeIqVgO.exe
  2⤵
  PID:6476
- C:\Windows\System32\tyYxTzB.exe
  C:\Windows\System32\tyYxTzB.exe
  2⤵
  PID:6552
- C:\Windows\System32\faznZWM.exe
  C:\Windows\System32\faznZWM.exe
  2⤵
  PID:6616
- C:\Windows\System32\nVEhGMB.exe
  C:\Windows\System32\nVEhGMB.exe
  2⤵
  PID:6668
- C:\Windows\System32\wgceXSJ.exe
  C:\Windows\System32\wgceXSJ.exe
  2⤵
  PID:6776
- C:\Windows\System32\cSeBMGK.exe
  C:\Windows\System32\cSeBMGK.exe
  2⤵
  PID:6804
- C:\Windows\System32\MpCGIHN.exe
  C:\Windows\System32\MpCGIHN.exe
  2⤵
  PID:6852
- C:\Windows\System32\utpoNgz.exe
  C:\Windows\System32\utpoNgz.exe
  2⤵
  PID:6916
- C:\Windows\System32\dMQjttI.exe
  C:\Windows\System32\dMQjttI.exe
  2⤵
  PID:7000
- C:\Windows\System32\VJIknwU.exe
  C:\Windows\System32\VJIknwU.exe
  2⤵
  PID:7048
- C:\Windows\System32\pBrxdTl.exe
  C:\Windows\System32\pBrxdTl.exe
  2⤵
  PID:7116
- C:\Windows\System32\aCrNLoJ.exe
  C:\Windows\System32\aCrNLoJ.exe
  2⤵
  PID:6060
- C:\Windows\System32\irenqoy.exe
  C:\Windows\System32\irenqoy.exe
  2⤵
  PID:5472
- C:\Windows\System32\uCwKBGF.exe
  C:\Windows\System32\uCwKBGF.exe
  2⤵
  PID:6188
- C:\Windows\System32\XcFthtR.exe
  C:\Windows\System32\XcFthtR.exe
  2⤵
  PID:6320
- C:\Windows\System32\CSOtSxq.exe
  C:\Windows\System32\CSOtSxq.exe
  2⤵
  PID:6456
- C:\Windows\System32\sENUgHM.exe
  C:\Windows\System32\sENUgHM.exe
  2⤵
  PID:6628
- C:\Windows\System32\admneKw.exe
  C:\Windows\System32\admneKw.exe
  2⤵
  PID:6768
- C:\Windows\System32\iLvoDpb.exe
  C:\Windows\System32\iLvoDpb.exe
  2⤵
  PID:6876
- C:\Windows\System32\AykpYhC.exe
  C:\Windows\System32\AykpYhC.exe
  2⤵
  PID:7036
- C:\Windows\System32\piFuCUf.exe
  C:\Windows\System32\piFuCUf.exe
  2⤵
  PID:7132
- C:\Windows\System32\UdMxKYO.exe
  C:\Windows\System32\UdMxKYO.exe
  2⤵
  PID:7180
- C:\Windows\System32\kblyHIe.exe
  C:\Windows\System32\kblyHIe.exe
  2⤵
  PID:7208
- C:\Windows\System32\kgpUSRE.exe
  C:\Windows\System32\kgpUSRE.exe
  2⤵
  PID:7236
- C:\Windows\System32\nDNEsof.exe
  C:\Windows\System32\nDNEsof.exe
  2⤵
  PID:7264
- C:\Windows\System32\sZcGyMd.exe
  C:\Windows\System32\sZcGyMd.exe
  2⤵
  PID:7292
- C:\Windows\System32\xOPecbv.exe
  C:\Windows\System32\xOPecbv.exe
  2⤵
  PID:7320
- C:\Windows\System32\vJKTAcq.exe
  C:\Windows\System32\vJKTAcq.exe
  2⤵
  PID:7348
- C:\Windows\System32\asfVuNy.exe
  C:\Windows\System32\asfVuNy.exe
  2⤵
  PID:7376
- C:\Windows\System32\OoZvNqg.exe
  C:\Windows\System32\OoZvNqg.exe
  2⤵
  PID:7404
- C:\Windows\System32\pkSWRUh.exe
  C:\Windows\System32\pkSWRUh.exe
  2⤵
  PID:7432
- C:\Windows\System32\acgKXAN.exe
  C:\Windows\System32\acgKXAN.exe
  2⤵
  PID:7460
- C:\Windows\System32\pVeeKBp.exe
  C:\Windows\System32\pVeeKBp.exe
  2⤵
  PID:7500
- C:\Windows\System32\ZMoHPhK.exe
  C:\Windows\System32\ZMoHPhK.exe
  2⤵
  PID:7516
- C:\Windows\System32\kJTuGIa.exe
  C:\Windows\System32\kJTuGIa.exe
  2⤵
  PID:7544
- C:\Windows\System32\VWBUnFq.exe
  C:\Windows\System32\VWBUnFq.exe
  2⤵
  PID:7572
- C:\Windows\System32\dalkUJy.exe
  C:\Windows\System32\dalkUJy.exe
  2⤵
  PID:7600
- C:\Windows\System32\kmkFDLi.exe
  C:\Windows\System32\kmkFDLi.exe
  2⤵
  PID:7628
- C:\Windows\System32\OmrzNBn.exe
  C:\Windows\System32\OmrzNBn.exe
  2⤵
  PID:7656
- C:\Windows\System32\XWwiQHJ.exe
  C:\Windows\System32\XWwiQHJ.exe
  2⤵
  PID:7684
- C:\Windows\System32\mlHgRhU.exe
  C:\Windows\System32\mlHgRhU.exe
  2⤵
  PID:7712
- C:\Windows\System32\cARgTeZ.exe
  C:\Windows\System32\cARgTeZ.exe
  2⤵
  PID:7740
- C:\Windows\System32\RLBlsia.exe
  C:\Windows\System32\RLBlsia.exe
  2⤵
  PID:7768
- C:\Windows\System32\jEXerTl.exe
  C:\Windows\System32\jEXerTl.exe
  2⤵
  PID:7796
- C:\Windows\System32\trwUSVu.exe
  C:\Windows\System32\trwUSVu.exe
  2⤵
  PID:7824
- C:\Windows\System32\UdOLdHd.exe
  C:\Windows\System32\UdOLdHd.exe
  2⤵
  PID:7852
- C:\Windows\System32\HBiSsyl.exe
  C:\Windows\System32\HBiSsyl.exe
  2⤵
  PID:7880
- C:\Windows\System32\hvQmlgu.exe
  C:\Windows\System32\hvQmlgu.exe
  2⤵
  PID:7908
- C:\Windows\System32\UEvujgE.exe
  C:\Windows\System32\UEvujgE.exe
  2⤵
  PID:7936
- C:\Windows\System32\cODaIZT.exe
  C:\Windows\System32\cODaIZT.exe
  2⤵
  PID:7964
- C:\Windows\System32\HgOnWsz.exe
  C:\Windows\System32\HgOnWsz.exe
  2⤵
  PID:7992
- C:\Windows\System32\wadomcb.exe
  C:\Windows\System32\wadomcb.exe
  2⤵
  PID:8032
- C:\Windows\System32\nCmqust.exe
  C:\Windows\System32\nCmqust.exe
  2⤵
  PID:8048
- C:\Windows\System32\BAdkByG.exe
  C:\Windows\System32\BAdkByG.exe
  2⤵
  PID:8088
- C:\Windows\System32\WVCSgSx.exe
  C:\Windows\System32\WVCSgSx.exe
  2⤵
  PID:8104
- C:\Windows\System32\vIOszOd.exe
  C:\Windows\System32\vIOszOd.exe
  2⤵
  PID:8144
- C:\Windows\System32\wZpbXUd.exe
  C:\Windows\System32\wZpbXUd.exe
  2⤵
  PID:8160
- C:\Windows\System32\lxOJoRQ.exe
  C:\Windows\System32\lxOJoRQ.exe
  2⤵
  PID:5944
- C:\Windows\System32\dlpnSAq.exe
  C:\Windows\System32\dlpnSAq.exe
  2⤵
  PID:6376
- C:\Windows\System32\lTfhUFG.exe
  C:\Windows\System32\lTfhUFG.exe
  2⤵
  PID:6664
- C:\Windows\System32\kAUtqEu.exe
  C:\Windows\System32\kAUtqEu.exe
  2⤵
  PID:6972
- C:\Windows\System32\QTTtQFm.exe
  C:\Windows\System32\QTTtQFm.exe
  2⤵
  PID:7172
- C:\Windows\System32\wCGYPVB.exe
  C:\Windows\System32\wCGYPVB.exe
  2⤵
  PID:7252
- C:\Windows\System32\iQqVSER.exe
  C:\Windows\System32\iQqVSER.exe
  2⤵
  PID:3612
- C:\Windows\System32\XZCZNhY.exe
  C:\Windows\System32\XZCZNhY.exe
  2⤵
  PID:7340
- C:\Windows\System32\qkuxzdw.exe
  C:\Windows\System32\qkuxzdw.exe
  2⤵
  PID:7396
- C:\Windows\System32\RifdMgA.exe
  C:\Windows\System32\RifdMgA.exe
  2⤵
  PID:7924
- C:\Windows\System32\DwvtJIT.exe
  C:\Windows\System32\DwvtJIT.exe
  2⤵
  PID:4728
- C:\Windows\System32\qIVlThH.exe
  C:\Windows\System32\qIVlThH.exe
  2⤵
  PID:8044
- C:\Windows\System32\wSEYbkK.exe
  C:\Windows\System32\wSEYbkK.exe
  2⤵
  PID:4416
- C:\Windows\System32\uzqUqjl.exe
  C:\Windows\System32\uzqUqjl.exe
  2⤵
  PID:8120
- C:\Windows\System32\UMOEuJE.exe
  C:\Windows\System32\UMOEuJE.exe
  2⤵
  PID:8184
- C:\Windows\System32\GvfEqQk.exe
  C:\Windows\System32\GvfEqQk.exe
  2⤵
  PID:6488
- C:\Windows\System32\wSpskkz.exe
  C:\Windows\System32\wSpskkz.exe
  2⤵
  PID:6556
- C:\Windows\System32\RkVlpPs.exe
  C:\Windows\System32\RkVlpPs.exe
  2⤵
  PID:3160
- C:\Windows\System32\atOwmKX.exe
  C:\Windows\System32\atOwmKX.exe
  2⤵
  PID:232
- C:\Windows\System32\iKTbzeS.exe
  C:\Windows\System32\iKTbzeS.exe
  2⤵
  PID:1756
- C:\Windows\System32\jsOeElL.exe
  C:\Windows\System32\jsOeElL.exe
  2⤵
  PID:2928
- C:\Windows\System32\qGNlygG.exe
  C:\Windows\System32\qGNlygG.exe
  2⤵
  PID:7480
- C:\Windows\System32\ggYgzcu.exe
  C:\Windows\System32\ggYgzcu.exe
  2⤵
  PID:1808
- C:\Windows\System32\ZEwJpRl.exe
  C:\Windows\System32\ZEwJpRl.exe
  2⤵
  PID:2692
- C:\Windows\System32\FiwvjPt.exe
  C:\Windows\System32\FiwvjPt.exe
  2⤵
  PID:3192
- C:\Windows\System32\EqpmhLc.exe
  C:\Windows\System32\EqpmhLc.exe
  2⤵
  PID:7552
- C:\Windows\System32\FNjPfCG.exe
  C:\Windows\System32\FNjPfCG.exe
  2⤵
  PID:8096
- C:\Windows\System32\qFfpHTN.exe
  C:\Windows\System32\qFfpHTN.exe
  2⤵
  PID:1420
- C:\Windows\System32\BJSJhSZ.exe
  C:\Windows\System32\BJSJhSZ.exe
  2⤵
  PID:6328
- C:\Windows\System32\GlXCwmu.exe
  C:\Windows\System32\GlXCwmu.exe
  2⤵
  PID:4984
- C:\Windows\System32\hvIVyMp.exe
  C:\Windows\System32\hvIVyMp.exe
  2⤵
  PID:7592
- C:\Windows\System32\RezOpbt.exe
  C:\Windows\System32\RezOpbt.exe
  2⤵
  PID:1956
- C:\Windows\System32\VamnxTw.exe
  C:\Windows\System32\VamnxTw.exe
  2⤵
  PID:7872
- C:\Windows\System32\IpcTYsQ.exe
  C:\Windows\System32\IpcTYsQ.exe
  2⤵
  PID:7672
- C:\Windows\System32\PTPHWpt.exe
  C:\Windows\System32\PTPHWpt.exe
  2⤵
  PID:7692
- C:\Windows\System32\QKsgINz.exe
  C:\Windows\System32\QKsgINz.exe
  2⤵
  PID:7760
- C:\Windows\System32\lELiBKo.exe
  C:\Windows\System32\lELiBKo.exe
  2⤵
  PID:7788
- C:\Windows\System32\IgeldNY.exe
  C:\Windows\System32\IgeldNY.exe
  2⤵
  PID:7844
- C:\Windows\System32\ruXrFHk.exe
  C:\Windows\System32\ruXrFHk.exe
  2⤵
  PID:8100
- C:\Windows\System32\vEMrWXD.exe
  C:\Windows\System32\vEMrWXD.exe
  2⤵
  PID:7224
- C:\Windows\System32\gdMVSHA.exe
  C:\Windows\System32\gdMVSHA.exe
  2⤵
  PID:1072
- C:\Windows\System32\llizfwi.exe
  C:\Windows\System32\llizfwi.exe
  2⤵
  PID:2452
- C:\Windows\System32\yLmtgci.exe
  C:\Windows\System32\yLmtgci.exe
  2⤵
  PID:7888
- C:\Windows\System32\bCyXYqB.exe
  C:\Windows\System32\bCyXYqB.exe
  2⤵
  PID:7280
- C:\Windows\System32\wUHVvAA.exe
  C:\Windows\System32\wUHVvAA.exe
  2⤵
  PID:6964
- C:\Windows\System32\WnhyhpS.exe
  C:\Windows\System32\WnhyhpS.exe
  2⤵
  PID:1912
- C:\Windows\System32\SYvUQlB.exe
  C:\Windows\System32\SYvUQlB.exe
  2⤵
  PID:7928
- C:\Windows\System32\LuvCEvi.exe
  C:\Windows\System32\LuvCEvi.exe
  2⤵
  PID:8128
- C:\Windows\System32\jeeDtoZ.exe
  C:\Windows\System32\jeeDtoZ.exe
  2⤵
  PID:8208
- C:\Windows\System32\edYNGlj.exe
  C:\Windows\System32\edYNGlj.exe
  2⤵
  PID:8244
- C:\Windows\System32\qPQYhmL.exe
  C:\Windows\System32\qPQYhmL.exe
  2⤵
  PID:8276
- C:\Windows\System32\fGnyifl.exe
  C:\Windows\System32\fGnyifl.exe
  2⤵
  PID:8296
- C:\Windows\System32\fkjXTXL.exe
  C:\Windows\System32\fkjXTXL.exe
  2⤵
  PID:8324
- C:\Windows\System32\FhPGOAE.exe
  C:\Windows\System32\FhPGOAE.exe
  2⤵
  PID:8356
- C:\Windows\System32\yqSZzOC.exe
  C:\Windows\System32\yqSZzOC.exe
  2⤵
  PID:8392
- C:\Windows\System32\kcdFjnB.exe
  C:\Windows\System32\kcdFjnB.exe
  2⤵
  PID:8412
- C:\Windows\System32\dizEjyb.exe
  C:\Windows\System32\dizEjyb.exe
  2⤵
  PID:8428
- C:\Windows\System32\DbPoLvw.exe
  C:\Windows\System32\DbPoLvw.exe
  2⤵
  PID:8484
- C:\Windows\System32\OTJGTjZ.exe
  C:\Windows\System32\OTJGTjZ.exe
  2⤵
  PID:8516
- C:\Windows\System32\nHURsRs.exe
  C:\Windows\System32\nHURsRs.exe
  2⤵
  PID:8536
- C:\Windows\System32\DmglWjj.exe
  C:\Windows\System32\DmglWjj.exe
  2⤵
  PID:8560
- C:\Windows\System32\vCywzrI.exe
  C:\Windows\System32\vCywzrI.exe
  2⤵
  PID:8588
- C:\Windows\System32\ymPoGZW.exe
  C:\Windows\System32\ymPoGZW.exe
  2⤵
  PID:8624
- C:\Windows\System32\Xygqyet.exe
  C:\Windows\System32\Xygqyet.exe
  2⤵
  PID:8648
- C:\Windows\System32\mkoWTSE.exe
  C:\Windows\System32\mkoWTSE.exe
  2⤵
  PID:8672
- C:\Windows\System32\cbAtAcF.exe
  C:\Windows\System32\cbAtAcF.exe
  2⤵
  PID:8704
- C:\Windows\System32\AibEpsh.exe
  C:\Windows\System32\AibEpsh.exe
  2⤵
  PID:8752
- C:\Windows\System32\MdjuWlT.exe
  C:\Windows\System32\MdjuWlT.exe
  2⤵
  PID:8780
- C:\Windows\System32\xXJXDqr.exe
  C:\Windows\System32\xXJXDqr.exe
  2⤵
  PID:8796
- C:\Windows\System32\DAJGYZh.exe
  C:\Windows\System32\DAJGYZh.exe
  2⤵
  PID:8828
- C:\Windows\System32\mHFxRlh.exe
  C:\Windows\System32\mHFxRlh.exe
  2⤵
  PID:8864
- C:\Windows\System32\bpbdhwu.exe
  C:\Windows\System32\bpbdhwu.exe
  2⤵
  PID:8884
- C:\Windows\System32\jMtwgIh.exe
  C:\Windows\System32\jMtwgIh.exe
  2⤵
  PID:8908
- C:\Windows\System32\gWVcBaI.exe
  C:\Windows\System32\gWVcBaI.exe
  2⤵
  PID:8940
- C:\Windows\System32\fIFTsOd.exe
  C:\Windows\System32\fIFTsOd.exe
  2⤵
  PID:8964
- C:\Windows\System32\XmSvPgL.exe
  C:\Windows\System32\XmSvPgL.exe
  2⤵
  PID:8992
- C:\Windows\System32\RlRFmvn.exe
  C:\Windows\System32\RlRFmvn.exe
  2⤵
  PID:9008
- C:\Windows\System32\IiyCdbu.exe
  C:\Windows\System32\IiyCdbu.exe
  2⤵
  PID:9052
- C:\Windows\System32\UFfLdzb.exe
  C:\Windows\System32\UFfLdzb.exe
  2⤵
  PID:9088
- C:\Windows\System32\cfQOSdk.exe
  C:\Windows\System32\cfQOSdk.exe
  2⤵
  PID:9104
- C:\Windows\System32\baWbarg.exe
  C:\Windows\System32\baWbarg.exe
  2⤵
  PID:9136
- C:\Windows\System32\fIBChKr.exe
  C:\Windows\System32\fIBChKr.exe
  2⤵
  PID:9172
- C:\Windows\System32\vpqNQrV.exe
  C:\Windows\System32\vpqNQrV.exe
  2⤵
  PID:9208
- C:\Windows\System32\aBUmSob.exe
  C:\Windows\System32\aBUmSob.exe
  2⤵
  PID:8220
- C:\Windows\System32\UveRaex.exe
  C:\Windows\System32\UveRaex.exe
  2⤵
  PID:8272
- C:\Windows\System32\vbyYAAi.exe
  C:\Windows\System32\vbyYAAi.exe
  2⤵
  PID:8332
- C:\Windows\System32\QZvcpUr.exe
  C:\Windows\System32\QZvcpUr.exe
  2⤵
  PID:8420
- C:\Windows\System32\YlpPRur.exe
  C:\Windows\System32\YlpPRur.exe
  2⤵
  PID:8468
- C:\Windows\System32\ctzSElV.exe
  C:\Windows\System32\ctzSElV.exe
  2⤵
  PID:8528
- C:\Windows\System32\chuqJsp.exe
  C:\Windows\System32\chuqJsp.exe
  2⤵
  PID:8636
- C:\Windows\System32\jpgeigi.exe
  C:\Windows\System32\jpgeigi.exe
  2⤵
  PID:8668
- C:\Windows\System32\SrlJVzl.exe
  C:\Windows\System32\SrlJVzl.exe
  2⤵
  PID:8776
- C:\Windows\System32\bZybDuY.exe
  C:\Windows\System32\bZybDuY.exe
  2⤵
  PID:8836
- C:\Windows\System32\UtdZVfY.exe
  C:\Windows\System32\UtdZVfY.exe
  2⤵
  PID:8872
- C:\Windows\System32\RJrjXfh.exe
  C:\Windows\System32\RJrjXfh.exe
  2⤵
  PID:8976
- C:\Windows\System32\JNYiRNX.exe
  C:\Windows\System32\JNYiRNX.exe
  2⤵
  PID:9036
- C:\Windows\System32\SOgTAXk.exe
  C:\Windows\System32\SOgTAXk.exe
  2⤵
  PID:9124
- C:\Windows\System32\PxUWAbV.exe
  C:\Windows\System32\PxUWAbV.exe
  2⤵
  PID:9180
- C:\Windows\System32\wGisfeM.exe
  C:\Windows\System32\wGisfeM.exe
  2⤵
  PID:8284
- C:\Windows\System32\OrFPTqA.exe
  C:\Windows\System32\OrFPTqA.exe
  2⤵
  PID:8500
- C:\Windows\System32\sUUHLwF.exe
  C:\Windows\System32\sUUHLwF.exe
  2⤵
  PID:8596
- C:\Windows\System32\bChTCMB.exe
  C:\Windows\System32\bChTCMB.exe
  2⤵
  PID:8716
- C:\Windows\System32\qmLThLl.exe
  C:\Windows\System32\qmLThLl.exe
  2⤵
  PID:8920
- C:\Windows\System32\vAfORDC.exe
  C:\Windows\System32\vAfORDC.exe
  2⤵
  PID:9028
- C:\Windows\System32\WZIzWKs.exe
  C:\Windows\System32\WZIzWKs.exe
  2⤵
  PID:8448
- C:\Windows\System32\GmrNoKe.exe
  C:\Windows\System32\GmrNoKe.exe
  2⤵
  PID:8572
- C:\Windows\System32\LVNolGi.exe
  C:\Windows\System32\LVNolGi.exe
  2⤵
  PID:8860
- C:\Windows\System32\EqYRRAv.exe
  C:\Windows\System32\EqYRRAv.exe
  2⤵
  PID:8576
- C:\Windows\System32\WmRifXA.exe
  C:\Windows\System32\WmRifXA.exe
  2⤵
  PID:8848
- C:\Windows\System32\NubOuya.exe
  C:\Windows\System32\NubOuya.exe
  2⤵
  PID:9248
- C:\Windows\System32\wgaNKnD.exe
  C:\Windows\System32\wgaNKnD.exe
  2⤵
  PID:9268
- C:\Windows\System32\yUFVVYN.exe
  C:\Windows\System32\yUFVVYN.exe
  2⤵
  PID:9308
- C:\Windows\System32\UYfrcyT.exe
  C:\Windows\System32\UYfrcyT.exe
  2⤵
  PID:9344
- C:\Windows\System32\dXNYjvg.exe
  C:\Windows\System32\dXNYjvg.exe
  2⤵
  PID:9360
- C:\Windows\System32\tgYoHcN.exe
  C:\Windows\System32\tgYoHcN.exe
  2⤵
  PID:9392
- C:\Windows\System32\gjmiHNd.exe
  C:\Windows\System32\gjmiHNd.exe
  2⤵
  PID:9428
- C:\Windows\System32\OjykMxt.exe
  C:\Windows\System32\OjykMxt.exe
  2⤵
  PID:9448
- C:\Windows\System32\izQZEiM.exe
  C:\Windows\System32\izQZEiM.exe
  2⤵
  PID:9476
- C:\Windows\System32\yMFUijN.exe
  C:\Windows\System32\yMFUijN.exe
  2⤵
  PID:9528
- C:\Windows\System32\OhZSTRD.exe
  C:\Windows\System32\OhZSTRD.exe
  2⤵
  PID:9548
- C:\Windows\System32\ZhviPUS.exe
  C:\Windows\System32\ZhviPUS.exe
  2⤵
  PID:9564
- C:\Windows\System32\pTnGThJ.exe
  C:\Windows\System32\pTnGThJ.exe
  2⤵
  PID:9604
- C:\Windows\System32\FNnfnFv.exe
  C:\Windows\System32\FNnfnFv.exe
  2⤵
  PID:9628
- C:\Windows\System32\OeeEmPt.exe
  C:\Windows\System32\OeeEmPt.exe
  2⤵
  PID:9648
- C:\Windows\System32\OBlQtPE.exe
  C:\Windows\System32\OBlQtPE.exe
  2⤵
  PID:9676
- C:\Windows\System32\uaGlOmZ.exe
  C:\Windows\System32\uaGlOmZ.exe
  2⤵
  PID:9700
- C:\Windows\System32\XToapQg.exe
  C:\Windows\System32\XToapQg.exe
  2⤵
  PID:9732
- C:\Windows\System32\bUqbXbd.exe
  C:\Windows\System32\bUqbXbd.exe
  2⤵
  PID:9760
- C:\Windows\System32\fsWiDte.exe
  C:\Windows\System32\fsWiDte.exe
  2⤵
  PID:9800
- C:\Windows\System32\EBYtEjQ.exe
  C:\Windows\System32\EBYtEjQ.exe
  2⤵
  PID:9828
- C:\Windows\System32\TBSMOuQ.exe
  C:\Windows\System32\TBSMOuQ.exe
  2⤵
  PID:9856
- C:\Windows\System32\QCKDjOy.exe
  C:\Windows\System32\QCKDjOy.exe
  2⤵
  PID:9884
- C:\Windows\System32\rjwGJKb.exe
  C:\Windows\System32\rjwGJKb.exe
  2⤵
  PID:9908
- C:\Windows\System32\REZUlhf.exe
  C:\Windows\System32\REZUlhf.exe
  2⤵
  PID:9928
- C:\Windows\System32\QUENdPr.exe
  C:\Windows\System32\QUENdPr.exe
  2⤵
  PID:9956
- C:\Windows\System32\FxhmHFh.exe
  C:\Windows\System32\FxhmHFh.exe
  2⤵
  PID:10004
- C:\Windows\System32\ioXMLbA.exe
  C:\Windows\System32\ioXMLbA.exe
  2⤵
  PID:10024
- C:\Windows\System32\wPSZOBI.exe
  C:\Windows\System32\wPSZOBI.exe
  2⤵
  PID:10040
- C:\Windows\System32\GQpfiPj.exe
  C:\Windows\System32\GQpfiPj.exe
  2⤵
  PID:10064
- C:\Windows\System32\IDjtJpK.exe
  C:\Windows\System32\IDjtJpK.exe
  2⤵
  PID:10096
- C:\Windows\System32\TuXbbqt.exe
  C:\Windows\System32\TuXbbqt.exe
  2⤵
  PID:10136
- C:\Windows\System32\RBibpBe.exe
  C:\Windows\System32\RBibpBe.exe
  2⤵
  PID:10168
- C:\Windows\System32\IVpaJdk.exe
  C:\Windows\System32\IVpaJdk.exe
  2⤵
  PID:10192
- C:\Windows\System32\XXrClYg.exe
  C:\Windows\System32\XXrClYg.exe
  2⤵
  PID:10224
- C:\Windows\System32\YcbaNYA.exe
  C:\Windows\System32\YcbaNYA.exe
  2⤵
  PID:9236
- C:\Windows\System32\OAEJTQv.exe
  C:\Windows\System32\OAEJTQv.exe
  2⤵
  PID:9260
- C:\Windows\System32\pqVQtav.exe
  C:\Windows\System32\pqVQtav.exe
  2⤵
  PID:9384
- C:\Windows\System32\dpFUlCz.exe
  C:\Windows\System32\dpFUlCz.exe
  2⤵
  PID:9456
- C:\Windows\System32\ifdlLVW.exe
  C:\Windows\System32\ifdlLVW.exe
  2⤵
  PID:9488
- C:\Windows\System32\MPfDXpP.exe
  C:\Windows\System32\MPfDXpP.exe
  2⤵
  PID:9576
- C:\Windows\System32\IItjNgD.exe
  C:\Windows\System32\IItjNgD.exe
  2⤵
  PID:9644
- C:\Windows\System32\oOAnpJc.exe
  C:\Windows\System32\oOAnpJc.exe
  2⤵
  PID:9664
- C:\Windows\System32\VzBirDy.exe
  C:\Windows\System32\VzBirDy.exe
  2⤵
  PID:9752
- C:\Windows\System32\sGsrIre.exe
  C:\Windows\System32\sGsrIre.exe
  2⤵
  PID:9840
- C:\Windows\System32\HJATjKa.exe
  C:\Windows\System32\HJATjKa.exe
  2⤵
  PID:9900
- C:\Windows\System32\pHcfYDL.exe
  C:\Windows\System32\pHcfYDL.exe
  2⤵
  PID:9968
- C:\Windows\System32\KdVLsqX.exe
  C:\Windows\System32\KdVLsqX.exe
  2⤵
  PID:10012
- C:\Windows\System32\NtnUHKs.exe
  C:\Windows\System32\NtnUHKs.exe
  2⤵
  PID:10072
- C:\Windows\System32\wZKrluD.exe
  C:\Windows\System32\wZKrluD.exe
  2⤵
  PID:10200
- C:\Windows\System32\tGvEURJ.exe
  C:\Windows\System32\tGvEURJ.exe
  2⤵
  PID:10236
- C:\Windows\System32\nMqrdgf.exe
  C:\Windows\System32\nMqrdgf.exe
  2⤵
  PID:9336
- C:\Windows\System32\TKdayty.exe
  C:\Windows\System32\TKdayty.exe
  2⤵
  PID:9424
- C:\Windows\System32\eGbbCtQ.exe
  C:\Windows\System32\eGbbCtQ.exe
  2⤵
  PID:9640
- C:\Windows\System32\quCSPQK.exe
  C:\Windows\System32\quCSPQK.exe
  2⤵
  PID:9820
- C:\Windows\System32\BwbpZOq.exe
  C:\Windows\System32\BwbpZOq.exe
  2⤵
  PID:9952
- C:\Windows\System32\sjxJVec.exe
  C:\Windows\System32\sjxJVec.exe
  2⤵
  PID:10128
- C:\Windows\System32\JNezJbg.exe
  C:\Windows\System32\JNezJbg.exe
  2⤵
  PID:9228
- C:\Windows\System32\vZtmPeE.exe
  C:\Windows\System32\vZtmPeE.exe
  2⤵
  PID:9508
- C:\Windows\System32\TsdcDtm.exe
  C:\Windows\System32\TsdcDtm.exe
  2⤵
  PID:10056
- C:\Windows\System32\VvStxPy.exe
  C:\Windows\System32\VvStxPy.exe
  2⤵
  PID:9408
- C:\Windows\System32\GcBUACO.exe
  C:\Windows\System32\GcBUACO.exe
  2⤵
  PID:10212
- C:\Windows\System32\ncRDrnm.exe
  C:\Windows\System32\ncRDrnm.exe
  2⤵
  PID:10252
- C:\Windows\System32\MFJFydH.exe
  C:\Windows\System32\MFJFydH.exe
  2⤵
  PID:10276
- C:\Windows\System32\MISdxgl.exe
  C:\Windows\System32\MISdxgl.exe
  2⤵
  PID:10304
- C:\Windows\System32\BzCxkmv.exe
  C:\Windows\System32\BzCxkmv.exe
  2⤵
  PID:10348
- C:\Windows\System32\qWBWuHP.exe
  C:\Windows\System32\qWBWuHP.exe
  2⤵
  PID:10372
- C:\Windows\System32\hrUFcpX.exe
  C:\Windows\System32\hrUFcpX.exe
  2⤵
  PID:10388
- C:\Windows\System32\QxBbzAi.exe
  C:\Windows\System32\QxBbzAi.exe
  2⤵
  PID:10428
- C:\Windows\System32\OtZhPhP.exe
  C:\Windows\System32\OtZhPhP.exe
  2⤵
  PID:10456
- C:\Windows\System32\dvlnNIE.exe
  C:\Windows\System32\dvlnNIE.exe
  2⤵
  PID:10480
- C:\Windows\System32\vLjjZuO.exe
  C:\Windows\System32\vLjjZuO.exe
  2⤵
  PID:10504
- C:\Windows\System32\GssrfdT.exe
  C:\Windows\System32\GssrfdT.exe
  2⤵
  PID:10536
- C:\Windows\System32\CRnziCS.exe
  C:\Windows\System32\CRnziCS.exe
  2⤵
  PID:10564
- C:\Windows\System32\EzLJmqQ.exe
  C:\Windows\System32\EzLJmqQ.exe
  2⤵
  PID:10584
- C:\Windows\System32\AagbgyX.exe
  C:\Windows\System32\AagbgyX.exe
  2⤵
  PID:10612
- C:\Windows\System32\oMtWVyi.exe
  C:\Windows\System32\oMtWVyi.exe
  2⤵
  PID:10628
- C:\Windows\System32\BkrsWyB.exe
  C:\Windows\System32\BkrsWyB.exe
  2⤵
  PID:10656
- C:\Windows\System32\RkFjKOM.exe
  C:\Windows\System32\RkFjKOM.exe
  2⤵
  PID:10688
- C:\Windows\System32\JIYpwiN.exe
  C:\Windows\System32\JIYpwiN.exe
  2⤵
  PID:10736
- C:\Windows\System32\oRDSnIQ.exe
  C:\Windows\System32\oRDSnIQ.exe
  2⤵
  PID:10768
- C:\Windows\System32\ojOBiIV.exe
  C:\Windows\System32\ojOBiIV.exe
  2⤵
  PID:10820
- C:\Windows\System32\UHCFAfC.exe
  C:\Windows\System32\UHCFAfC.exe
  2⤵
  PID:10864
- C:\Windows\System32\qckWQsF.exe
  C:\Windows\System32\qckWQsF.exe
  2⤵
  PID:10884
- C:\Windows\System32\VIXCxUE.exe
  C:\Windows\System32\VIXCxUE.exe
  2⤵
  PID:10912
- C:\Windows\System32\odGSJyv.exe
  C:\Windows\System32\odGSJyv.exe
  2⤵
  PID:10952
- C:\Windows\System32\CENjyMf.exe
  C:\Windows\System32\CENjyMf.exe
  2⤵
  PID:10968
- C:\Windows\System32\WIyvLUV.exe
  C:\Windows\System32\WIyvLUV.exe
  2⤵
  PID:11008
- C:\Windows\System32\OuRJITY.exe
  C:\Windows\System32\OuRJITY.exe
  2⤵
  PID:11028
- C:\Windows\System32\HBExWev.exe
  C:\Windows\System32\HBExWev.exe
  2⤵
  PID:11056
- C:\Windows\System32\YuiONqT.exe
  C:\Windows\System32\YuiONqT.exe
  2⤵
  PID:11112
- C:\Windows\System32\xytfCye.exe
  C:\Windows\System32\xytfCye.exe
  2⤵
  PID:11128
- C:\Windows\System32\RRsQxcI.exe
  C:\Windows\System32\RRsQxcI.exe
  2⤵
  PID:11152
- C:\Windows\System32\NlCUfqJ.exe
  C:\Windows\System32\NlCUfqJ.exe
  2⤵
  PID:11184
- C:\Windows\System32\nqNCUif.exe
  C:\Windows\System32\nqNCUif.exe
  2⤵
  PID:11204
- C:\Windows\System32\CDQvEbO.exe
  C:\Windows\System32\CDQvEbO.exe
  2⤵
  PID:11228
- C:\Windows\System32\huCvqXz.exe
  C:\Windows\System32\huCvqXz.exe
  2⤵
  PID:11256
- C:\Windows\System32\vrGInYI.exe
  C:\Windows\System32\vrGInYI.exe
  2⤵
  PID:9304
- C:\Windows\System32\HvEkQLR.exe
  C:\Windows\System32\HvEkQLR.exe
  2⤵
  PID:10364
- C:\Windows\System32\QJFJqdh.exe
  C:\Windows\System32\QJFJqdh.exe
  2⤵
  PID:10440
- C:\Windows\System32\iGYKhQK.exe
  C:\Windows\System32\iGYKhQK.exe
  2⤵
  PID:10488
- C:\Windows\System32\sHaAhEK.exe
  C:\Windows\System32\sHaAhEK.exe
  2⤵
  PID:10548
- C:\Windows\System32\HFOGaZR.exe
  C:\Windows\System32\HFOGaZR.exe
  2⤵
  PID:10624
- C:\Windows\System32\efNGnjx.exe
  C:\Windows\System32\efNGnjx.exe
  2⤵
  PID:10748
- C:\Windows\System32\MFMtTeb.exe
  C:\Windows\System32\MFMtTeb.exe
  2⤵
  PID:10840
- C:\Windows\System32\vuACRNt.exe
  C:\Windows\System32\vuACRNt.exe
  2⤵
  PID:10944
- C:\Windows\System32\VEKNbLK.exe
  C:\Windows\System32\VEKNbLK.exe
  2⤵
  PID:10996
- C:\Windows\System32\ykUgbSm.exe
  C:\Windows\System32\ykUgbSm.exe
  2⤵
  PID:11064
- C:\Windows\System32\yaBaLdo.exe
  C:\Windows\System32\yaBaLdo.exe
  2⤵
  PID:2400
- C:\Windows\System32\fmFCweO.exe
  C:\Windows\System32\fmFCweO.exe
  2⤵
  PID:11192
- C:\Windows\System32\XyCCIUk.exe
  C:\Windows\System32\XyCCIUk.exe
  2⤵
  PID:10272
- C:\Windows\System32\LPdYNvO.exe
  C:\Windows\System32\LPdYNvO.exe
  2⤵
  PID:10420
- C:\Windows\System32\selbvli.exe
  C:\Windows\System32\selbvli.exe
  2⤵
  PID:10516
- C:\Windows\System32\PJGUdmz.exe
  C:\Windows\System32\PJGUdmz.exe
  2⤵
  PID:10796
- C:\Windows\System32\DvoXmgH.exe
  C:\Windows\System32\DvoXmgH.exe
  2⤵
  PID:10980
- C:\Windows\System32\mUErmdI.exe
  C:\Windows\System32\mUErmdI.exe
  2⤵
  PID:11136
- C:\Windows\System32\MvpUAGE.exe
  C:\Windows\System32\MvpUAGE.exe
  2⤵
  PID:9588
- C:\Windows\System32\SqaQdnX.exe
  C:\Windows\System32\SqaQdnX.exe
  2⤵
  PID:10604
- C:\Windows\System32\aoLYgzS.exe
  C:\Windows\System32\aoLYgzS.exe
  2⤵
  PID:10964
- C:\Windows\System32\TxPhqNX.exe
  C:\Windows\System32\TxPhqNX.exe
  2⤵
  PID:11276
- C:\Windows\System32\dvlSoSu.exe
  C:\Windows\System32\dvlSoSu.exe
  2⤵
  PID:11308
- C:\Windows\System32\WXGHvcB.exe
  C:\Windows\System32\WXGHvcB.exe
  2⤵
  PID:11352
- C:\Windows\System32\cuFklsb.exe
  C:\Windows\System32\cuFklsb.exe
  2⤵
  PID:11392
- C:\Windows\System32\YtlpdFL.exe
  C:\Windows\System32\YtlpdFL.exe
  2⤵
  PID:11424
- C:\Windows\System32\xBbKQHO.exe
  C:\Windows\System32\xBbKQHO.exe
  2⤵
  PID:11484
- C:\Windows\System32\WTMeLJy.exe
  C:\Windows\System32\WTMeLJy.exe
  2⤵
  PID:11504
- C:\Windows\System32\GFOEvOU.exe
  C:\Windows\System32\GFOEvOU.exe
  2⤵
  PID:11524
- C:\Windows\System32\YVbasxW.exe
  C:\Windows\System32\YVbasxW.exe
  2⤵
  PID:11564
- C:\Windows\System32\iUkPxGG.exe
  C:\Windows\System32\iUkPxGG.exe
  2⤵
  PID:11588
- C:\Windows\System32\ZpxOUha.exe
  C:\Windows\System32\ZpxOUha.exe
  2⤵
  PID:11608
- C:\Windows\System32\zugAmEt.exe
  C:\Windows\System32\zugAmEt.exe
  2⤵
  PID:11656
- C:\Windows\System32\VSVYdwR.exe
  C:\Windows\System32\VSVYdwR.exe
  2⤵
  PID:11704
- C:\Windows\System32\NVGVyDv.exe
  C:\Windows\System32\NVGVyDv.exe
  2⤵
  PID:11772
- C:\Windows\System32\jiNgnwK.exe
  C:\Windows\System32\jiNgnwK.exe
  2⤵
  PID:11788
- C:\Windows\System32\MuEvMrd.exe
  C:\Windows\System32\MuEvMrd.exe
  2⤵
  PID:11820
- C:\Windows\System32\VzyvVxt.exe
  C:\Windows\System32\VzyvVxt.exe
  2⤵
  PID:11860
- C:\Windows\System32\hbuCsIg.exe
  C:\Windows\System32\hbuCsIg.exe
  2⤵
  PID:11888
- C:\Windows\System32\gESmDBZ.exe
  C:\Windows\System32\gESmDBZ.exe
  2⤵
  PID:11916
- C:\Windows\System32\slEGUNm.exe
  C:\Windows\System32\slEGUNm.exe
  2⤵
  PID:11960
- C:\Windows\System32\uiJnXSi.exe
  C:\Windows\System32\uiJnXSi.exe
  2⤵
  PID:11976
- C:\Windows\System32\gxFYjlH.exe
  C:\Windows\System32\gxFYjlH.exe
  2⤵
  PID:12000
- C:\Windows\System32\OrJQpiQ.exe
  C:\Windows\System32\OrJQpiQ.exe
  2⤵
  PID:12024
- C:\Windows\System32\jgDJGmq.exe
  C:\Windows\System32\jgDJGmq.exe
  2⤵
  PID:12052
- C:\Windows\System32\eDObyvW.exe
  C:\Windows\System32\eDObyvW.exe
  2⤵
  PID:12072
- C:\Windows\System32\iuvrJYC.exe
  C:\Windows\System32\iuvrJYC.exe
  2⤵
  PID:12096
- C:\Windows\System32\UOvPINE.exe
  C:\Windows\System32\UOvPINE.exe
  2⤵
  PID:12140
- C:\Windows\System32\euEFDhe.exe
  C:\Windows\System32\euEFDhe.exe
  2⤵
  PID:12172
- C:\Windows\System32\tCStzbP.exe
  C:\Windows\System32\tCStzbP.exe
  2⤵
  PID:12192
- C:\Windows\System32\fnURAsj.exe
  C:\Windows\System32\fnURAsj.exe
  2⤵
  PID:12232
- C:\Windows\System32\myItERz.exe
  C:\Windows\System32\myItERz.exe
  2⤵
  PID:12248
- C:\Windows\System32\LOgTNPK.exe
  C:\Windows\System32\LOgTNPK.exe
  2⤵
  PID:12268
- C:\Windows\System32\uVyqDBO.exe
  C:\Windows\System32\uVyqDBO.exe
  2⤵
  PID:11284
- C:\Windows\System32\WnZbUQC.exe
  C:\Windows\System32\WnZbUQC.exe
  2⤵
  PID:11412
- C:\Windows\System32\EMAoECy.exe
  C:\Windows\System32\EMAoECy.exe
  2⤵
  PID:11468
- C:\Windows\System32\EsRnGxC.exe
  C:\Windows\System32\EsRnGxC.exe
  2⤵
  PID:11512
- C:\Windows\System32\XmMFvnB.exe
  C:\Windows\System32\XmMFvnB.exe
  2⤵
  PID:11624
- C:\Windows\System32\DjgQEBc.exe
  C:\Windows\System32\DjgQEBc.exe
  2⤵
  PID:11720
- C:\Windows\System32\ZfqnbMD.exe
  C:\Windows\System32\ZfqnbMD.exe
  2⤵
  PID:11808
- C:\Windows\System32\dYuwEPC.exe
  C:\Windows\System32\dYuwEPC.exe
  2⤵
  PID:11880
- C:\Windows\System32\KVfhDHb.exe
  C:\Windows\System32\KVfhDHb.exe
  2⤵
  PID:11940
- C:\Windows\System32\lGnUpFr.exe
  C:\Windows\System32\lGnUpFr.exe
  2⤵
  PID:12008
- C:\Windows\System32\gIDSpwR.exe
  C:\Windows\System32\gIDSpwR.exe
  2⤵
  PID:12092
- C:\Windows\System32\UxPvREF.exe
  C:\Windows\System32\UxPvREF.exe
  2⤵
  PID:12164
- C:\Windows\System32\MxOTEqM.exe
  C:\Windows\System32\MxOTEqM.exe
  2⤵
  PID:12208
- C:\Windows\System32\MviAqGW.exe
  C:\Windows\System32\MviAqGW.exe
  2⤵
  PID:11368
- C:\Windows\System32\wFpGRFA.exe
  C:\Windows\System32\wFpGRFA.exe
  2⤵
  PID:11540
- C:\Windows\System32\YLTMEtk.exe
  C:\Windows\System32\YLTMEtk.exe
  2⤵
  PID:11600
- C:\Windows\System32\eDLhKAz.exe
  C:\Windows\System32\eDLhKAz.exe
  2⤵
  PID:11908
- C:\Windows\System32\PKtcUsp.exe
  C:\Windows\System32\PKtcUsp.exe
  2⤵
  PID:12044
- C:\Windows\System32\lXScfzN.exe
  C:\Windows\System32\lXScfzN.exe
  2⤵
  PID:11348
- C:\Windows\System32\ovBcxIg.exe
  C:\Windows\System32\ovBcxIg.exe
  2⤵
  PID:11784
- C:\Windows\System32\hbmPshk.exe
  C:\Windows\System32\hbmPshk.exe
  2⤵
  PID:11448
- C:\Windows\System32\QcATAid.exe
  C:\Windows\System32\QcATAid.exe
  2⤵
  PID:3428
- C:\Windows\System32\VMgOcVO.exe
  C:\Windows\System32\VMgOcVO.exe
  2⤵
  PID:10872
- C:\Windows\System32\UwkMFOC.exe
  C:\Windows\System32\UwkMFOC.exe
  2⤵
  PID:12152
- C:\Windows\System32\chXIgkC.exe
  C:\Windows\System32\chXIgkC.exe
  2⤵
  PID:12316
- C:\Windows\System32\nnopHVb.exe
  C:\Windows\System32\nnopHVb.exe
  2⤵
  PID:12344
- C:\Windows\System32\hGtshHp.exe
  C:\Windows\System32\hGtshHp.exe
  2⤵
  PID:12372
- C:\Windows\System32\tUOUrqC.exe
  C:\Windows\System32\tUOUrqC.exe
  2⤵
  PID:12400
- C:\Windows\System32\EcDihnv.exe
  C:\Windows\System32\EcDihnv.exe
  2⤵
  PID:12448
- C:\Windows\System32\rVHUUFl.exe
  C:\Windows\System32\rVHUUFl.exe
  2⤵
  PID:12484
- C:\Windows\System32\CXoefvz.exe
  C:\Windows\System32\CXoefvz.exe
  2⤵
  PID:12516
- C:\Windows\System32\pVASqyM.exe
  C:\Windows\System32\pVASqyM.exe
  2⤵
  PID:12544
- C:\Windows\System32\JHiuKEo.exe
  C:\Windows\System32\JHiuKEo.exe
  2⤵
  PID:12572
- C:\Windows\System32\sONDUSJ.exe
  C:\Windows\System32\sONDUSJ.exe
  2⤵
  PID:12600
- C:\Windows\System32\DfGauul.exe
  C:\Windows\System32\DfGauul.exe
  2⤵
  PID:12628
- C:\Windows\System32\rQHoxIe.exe
  C:\Windows\System32\rQHoxIe.exe
  2⤵
  PID:12656
- C:\Windows\System32\jRKBQCp.exe
  C:\Windows\System32\jRKBQCp.exe
  2⤵
  PID:12692
- C:\Windows\System32\GgfxGuj.exe
  C:\Windows\System32\GgfxGuj.exe
  2⤵
  PID:12728
- C:\Windows\System32\zXNSxeH.exe
  C:\Windows\System32\zXNSxeH.exe
  2⤵
  PID:12756
- C:\Windows\System32\UIQBLSI.exe
  C:\Windows\System32\UIQBLSI.exe
  2⤵
  PID:12784
- C:\Windows\System32\BdzBxsG.exe
  C:\Windows\System32\BdzBxsG.exe
  2⤵
  PID:12812
- C:\Windows\System32\mPSJWdh.exe
  C:\Windows\System32\mPSJWdh.exe
  2⤵
  PID:12840
- C:\Windows\System32\MNBtxFC.exe
  C:\Windows\System32\MNBtxFC.exe
  2⤵
  PID:12872
- C:\Windows\System32\sVsQBNs.exe
  C:\Windows\System32\sVsQBNs.exe
  2⤵
  PID:12900
- C:\Windows\System32\AHbmfga.exe
  C:\Windows\System32\AHbmfga.exe
  2⤵
  PID:12928
- C:\Windows\System32\ndhQlNh.exe
  C:\Windows\System32\ndhQlNh.exe
  2⤵
  PID:12956
- C:\Windows\System32\OkXlOiY.exe
  C:\Windows\System32\OkXlOiY.exe
  2⤵
  PID:12984
- C:\Windows\System32\XoLrVbQ.exe
  C:\Windows\System32\XoLrVbQ.exe
  2⤵
  PID:13024
- C:\Windows\System32\MYEBsrv.exe
  C:\Windows\System32\MYEBsrv.exe
  2⤵
  PID:13060
- C:\Windows\System32\QZzHmxn.exe
  C:\Windows\System32\QZzHmxn.exe
  2⤵
  PID:13088
- C:\Windows\System32\CaJklpG.exe
  C:\Windows\System32\CaJklpG.exe
  2⤵
  PID:13116
- C:\Windows\System32\dEqghvP.exe
  C:\Windows\System32\dEqghvP.exe
  2⤵
  PID:13144
- C:\Windows\System32\zYZoCZH.exe
  C:\Windows\System32\zYZoCZH.exe
  2⤵
  PID:13172
- C:\Windows\System32\mPPkZcR.exe
  C:\Windows\System32\mPPkZcR.exe
  2⤵
  PID:13200
- C:\Windows\System32\kLGJqIe.exe
  C:\Windows\System32\kLGJqIe.exe
  2⤵
  PID:13228
- C:\Windows\System32\cPircqV.exe
  C:\Windows\System32\cPircqV.exe
  2⤵
  PID:13256
- C:\Windows\System32\cIlXnio.exe
  C:\Windows\System32\cIlXnio.exe
  2⤵
  PID:13284
- C:\Windows\System32\qFzvUYh.exe
  C:\Windows\System32\qFzvUYh.exe
  2⤵
  PID:12300
- C:\Windows\System32\suBFjqF.exe
  C:\Windows\System32\suBFjqF.exe
  2⤵
  PID:10644
- C:\Windows\System32\RqoDWGe.exe
  C:\Windows\System32\RqoDWGe.exe
  2⤵
  PID:12432
- C:\Windows\System32\XKtgSLX.exe
  C:\Windows\System32\XKtgSLX.exe
  2⤵
  PID:12532
- C:\Windows\System32\aYHtunH.exe
  C:\Windows\System32\aYHtunH.exe
  2⤵
  PID:12612
- C:\Windows\System32\pHRepPn.exe
  C:\Windows\System32\pHRepPn.exe
  2⤵
  PID:12680
- C:\Windows\System32\kmXLaSc.exe
  C:\Windows\System32\kmXLaSc.exe
  2⤵
  PID:12740
- C:\Windows\System32\MPEezJT.exe
  C:\Windows\System32\MPEezJT.exe
  2⤵
  PID:12824
- C:\Windows\System32\FrCjlby.exe
  C:\Windows\System32\FrCjlby.exe
  2⤵
  PID:12916
- C:\Windows\System32\opLDshv.exe
  C:\Windows\System32\opLDshv.exe
  2⤵
  PID:12996
- C:\Windows\System32\xCmBCKJ.exe
  C:\Windows\System32\xCmBCKJ.exe
  2⤵
  PID:13072
- C:\Windows\System32\IePHRwn.exe
  C:\Windows\System32\IePHRwn.exe
  2⤵
  PID:13136
- C:\Windows\System32\rODWOZF.exe
  C:\Windows\System32\rODWOZF.exe
  2⤵
  PID:13212
- C:\Windows\System32\XhwTTdW.exe
  C:\Windows\System32\XhwTTdW.exe
  2⤵
  PID:13296
- C:\Windows\System32\rRQMZBX.exe
  C:\Windows\System32\rRQMZBX.exe
  2⤵
  PID:9536
- C:\Windows\System32\AEcYulV.exe
  C:\Windows\System32\AEcYulV.exe
  2⤵
  PID:12568
- C:\Windows\System32\jMzcEkF.exe
  C:\Windows\System32\jMzcEkF.exe
  2⤵
  PID:12724
- C:\Windows\System32\JglIUAd.exe
  C:\Windows\System32\JglIUAd.exe
  2⤵
  PID:12868
- C:\Windows\System32\LfFguzS.exe
  C:\Windows\System32\LfFguzS.exe
  2⤵
  PID:12976
- C:\Windows\System32\PHvFetm.exe
  C:\Windows\System32\PHvFetm.exe
  2⤵
  PID:1172
- C:\Windows\System32\eqTkyQp.exe
  C:\Windows\System32\eqTkyQp.exe
  2⤵
  PID:9328
- C:\Windows\System32\ZYKVnEL.exe
  C:\Windows\System32\ZYKVnEL.exe
  2⤵
  PID:12428
- C:\Windows\System32\cAdOTCW.exe
  C:\Windows\System32\cAdOTCW.exe
  2⤵
  PID:12968
- C:\Windows\System32\IZEeRfh.exe
  C:\Windows\System32\IZEeRfh.exe
  2⤵
  PID:12512
- C:\Windows\System32\RpqVKCB.exe
  C:\Windows\System32\RpqVKCB.exe
  2⤵
  PID:4164
- C:\Windows\System32\euZuqpz.exe
  C:\Windows\System32\euZuqpz.exe
  2⤵
  PID:13328

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\CEaHPsn.exe

Filesize
3.0MB

MD5
941b90184175ea25f214b11326cc63cb

SHA1
8fa1d2479921f504479994bba6f75b1e15780407

SHA256
8c7b63bc9e320e1c8b26839cf375fac5949c299e64bc872927c77c87dd5b6db0

SHA512
68ae6ee6ee25090a80c34519d87387ae2d483fd8154b4a29901502081b2e43b9698568a9765e3619704a1906d53e49b6ea87753f8d493d2884c48df6b5af15bc

Download Submit
C:\Windows\System32\DxwEWgP.exe

Filesize
3.0MB

MD5
98133349fb28bafedf9ab5b85b7c0633

SHA1
71dabe412a012f813044de49bfe875999a5be53b

SHA256
4bd7a67124611fe373558c054c2de10fcfca26bca671852ab4b10dbaa85ee0d4

SHA512
b695f28ac34ad0e0457d0fdc55a0a235e60596c4382738900f67925aa5c20070b2bf5bd8918bf244e6cdca678b2a89a5ebbe595603522855f6f1e64ab111067c

Download Submit
C:\Windows\System32\GJSKDZN.exe

Filesize
3.0MB

MD5
162d26ac6e6d9cd7fcf6e95b36f3518e

SHA1
a65b7b44e6890279bc59fd889392d081d57ac1f4

SHA256
b7966a14a3f240599af8f5b8a1d7d1cfe6d07fb4c58b414f7fbec23d88855a1f

SHA512
dcae63ce7f5c5feecc8668f73073788a045c967fa2f49c03be715d14e9cecfd83f12a6ff8fb60e4b474d6b9a62556bb305514198bc773afa262eb38ce2e6f96c

Download Submit
C:\Windows\System32\ItnnJaJ.exe

Filesize
3.0MB

MD5
d9accb338b151e7577e818e7311b008e

SHA1
132927824a0563c1ad7cbfe9c29ce44cbde7dc56

SHA256
e0c279e90012ddd7f65c382847733ea7abaafceedcf5867607889f5bf64cc00d

SHA512
2d9ff28f7a144a553b96b5cefb167277f4a7abf0bd03e9ebe2cee19b3f7dfa233874f07d90dd1ebe31c8fbb80b681269373dd22ee6fceca91271440abaee2004

Download Submit
C:\Windows\System32\JdCNYPp.exe

Filesize
3.0MB

MD5
02595be718049dd68b5e97310d99fb1b

SHA1
55ea90623b4f92f45dc9c3ca67eaca38d13cdc7d

SHA256
73d113221b0a3aa3c7e1c1d9bdc093ad1936d890c46cb6a7204e214eef74e320

SHA512
cd5acfd7bdad455f2c58efd319f321c0ec9d8a2cb1bf62440d0fa4a44c86df4ad590749d9a6766271191e877c48489f632f8c58a90d80611f129257aaf6b5d17

Download Submit
C:\Windows\System32\KZsWmqS.exe

Filesize
3.0MB

MD5
3e424a9ded467b0fb2041d7230a847b9

SHA1
182b88c1d2d85828d0a5759f7a873156403122fa

SHA256
491f86d780205d9ded2624f9f7fdfb867ac11d970101acd10230337a3d7e6105

SHA512
0086ef36bc92a4791f1ce0b8cc05f649ef2ebb6ea0b4fd565a50b016d4451df17ef051b5c74a47d6e627066815acfa04b5940a391cba31eb7a58a6af133822f6

Download Submit
C:\Windows\System32\LWBhsuc.exe

Filesize
3.0MB

MD5
dcb11b0354eab36b323022281521aa70

SHA1
9cc74ae3486f69e14919c77ac4c5e067fd75b34c

SHA256
54f0ed80abba17143c3e9b01433d603d80a751916a5e725789fd7838bc948b44

SHA512
3b1455b70c7a018abe96a2c39f057488c7c83c2a18f03c891132ffe0896d21462869bc0df43ca566c3369b881e97e395d1be98aee8d2d3423f2545138c580d04

Download Submit
C:\Windows\System32\LoWFiLN.exe

Filesize
3.0MB

MD5
d63360b38d5824913a4f4609943f0d56

SHA1
56ac8098b7a96b7c5b50df5c9d15b33e9dfbea82

SHA256
fe15bcd73e323ce9fef50cff5a7e2f5c2f9662c195b7fbdb670f12c60e006a9c

SHA512
e7f91828c6b1f7e0f94d2bc48a4637cbe43965c9f4e4e4972896767edda00374b563ce98842cd059fb5cf113fba5546ec35ccf354d5030c6cfd72ca8cd425e48

Download Submit
C:\Windows\System32\NOZLlcw.exe

Filesize
3.0MB

MD5
22626ae7864e34e34a1996ad3d6c567d

SHA1
2ae7ac6cb4e337aa0fc2c6bb92c5dbad0b444280

SHA256
9eea755d67027742ddeba7c3f28c9e1e69c882de701f6b524ca38dd05971585b

SHA512
4c2bcc7e84cd55515e4bcd73c8fe1e15ad49f045bbdabe42241433be23579e52b635f657fdc5cce7c2d0259035da650b6ef50f89491610df9244490ecf97e31d

Download Submit
C:\Windows\System32\RwkPhgo.exe

Filesize
3.0MB

MD5
5f03148f9123bb0fd465742d1fbff507

SHA1
12964461875b6f9bd9fb9b10e9bfa41d07f3ddb1

SHA256
5d6cac31d44738dfa10448cad21e2512b4bb2a8e677cdb5ad06d38da835dca61

SHA512
9a1a8cb14bc969e8f1fcb6ac5a0072b912e86a7adc76186a8db85a4d13f698d6ca1e450a211d24487f5dff7e2f67e7ab362d2d6e22947bbcd0cdad81cd485f11

Download Submit
C:\Windows\System32\UitJYXj.exe

Filesize
3.0MB

MD5
e291c5119667196a8dace9eebde880d4

SHA1
e9a5e6ae0e4be5a2f150c35500a1f13b2916c657

SHA256
9fa472e6deaaa3bad7642712d18ea3f62dc2e2498895a73ec01485e1b227c497

SHA512
316eb36ff8b8e3ff7df5349da57e28b4a5f5614ec8be9705f3244f701424e24038dcc09a252d273954380ef413469230a027b850b99ca5cca08a5f559b399fa5

Download Submit
C:\Windows\System32\WYMpWeS.exe

Filesize
3.0MB

MD5
918ab344823868b625d169dda2e6799f

SHA1
a56ca39fd59d4e48dd364160f6886a59b5af6304

SHA256
b93d269f51fe23f8025681ef36acda7a91ce0521566cd42be2f2bd25c635b942

SHA512
2bb2cd3fa0b317eb86b1c8ca28426078c390e54622d41189bd3bc63d2d2aad30c7bb03294d94ff6ad0958bda88b1833a3a917b1d4fe7182dd58ac9174be509fd

Download Submit
C:\Windows\System32\XhowHKy.exe

Filesize
3.0MB

MD5
eb8fca9ca4775ff140313fd5b1a3a45a

SHA1
424976aa127cf12ec16ff1f7ea56726dbefba57f

SHA256
9522579723d94737e9dfd87b7a239cdbc869d14458066eab6fff48ef34708d1c

SHA512
95199518c01d8d70d3cc85bc28d760cb7cc76dbd118b6d5fe96c987cbf0878674962653fdf970e6f11312c14fb9fd5762bfff2d2ba3dfe3ae9792f475a4dd808

Download Submit
C:\Windows\System32\XvAzhKd.exe

Filesize
3.0MB

MD5
4187d54062d4e74c24a9787e7d56ad53

SHA1
c3bc14f6c6a1865e94f80973b425e63e17b39ce3

SHA256
f0405325eb69194b839db60e9858a9d54cb527a7f22ea6b4f3a7f5c860664d13

SHA512
19a4a5e3b78673366336014cb0b0d2422beba1bdf2f6c357080a206d5dec225242fc307c1f4b62c509fefc4ce0e32e6c312107f5dde2468e717662b9fdfd9cc8

Download Submit
C:\Windows\System32\YOnZkKG.exe

Filesize
3.0MB

MD5
d4c2df74d2bc212425ec741aa73dbc76

SHA1
cb4bb9b77a98a4e6f0c5b32e39e01a0578dc1a47

SHA256
098b8172bdf1227f6a760f1cfc32b415bec7ebe4b6e2f86d692273657f01c781

SHA512
022cc548855e91f56bcf21ea00f84be90d8ca14ec6376fc5c5deaa39600ac7b1875f23cc4e1b16039926ab219c3bd64842ed67ddfff3af87b8a9924ec9a76a75

Download Submit
C:\Windows\System32\YVIpcwj.exe

Filesize
3.0MB

MD5
7ac4bd1e3580c4356e8ddd0fb512c69a

SHA1
89f27c0e1b45b3ea0bce7303976d96d62e946657

SHA256
0ff94b2f579d61ff4f880521a88dd1e14c5b5d48dd03d0b33d4acfcb3fce31a1

SHA512
557aa4b04c66241b47933f88e7c95dcc8782b2222b030842e97edd4ce0c98657551f9049ed9b0199bd69613080524acd266f8954bb193122ce188dc11ee04d84

Download Submit
C:\Windows\System32\dMYsqWJ.exe

Filesize
3.0MB

MD5
f00cf958c0098dddd8c20aaaf6834683

SHA1
4bb4f81fd164f77c16af5382a707ff581cac5160

SHA256
ba7d4a28e48da8a6d57673268a8d4c03ead1a8bec4b54b7f1d197085a029d14b

SHA512
7ca0d8760ca9f6a7b9ab0e03f985df9e50ff040bbbc3cbc1f26d0a7bbcb9f4d68e45b88d3ab5a07639a8668673709a6c48c5927d43c7902e75357ddc9d46a4e8

Download Submit
C:\Windows\System32\fgEqcYn.exe

Filesize
3.0MB

MD5
e2ba0c75d22c900d930410e7df48582b

SHA1
2e948133f71fb5170ae900ffc7a7161496bd788a

SHA256
d704af49fa8189e30f0b777539841c2c9ace35682b59e8753cb96b6ba01c3634

SHA512
6b6c81c8b36eec9a400e88a0f6c6be6aa197f4561318ad36d51d8a20dedcac057aafc7295ebe4edd7d2ed5a35b7ad3e0f8f3c01bbffe8bdb0e957ae6bf3ff3cb

Download Submit
C:\Windows\System32\hGLyWFn.exe

Filesize
3.0MB

MD5
2eb4522677eefa91552c08eec78fc792

SHA1
cc6a4317b284a0481f2d96727e644f7590051edd

SHA256
d591d65d7885937e1305e131b2f2450c71596df91a7b9f4233a78b2c43f12875

SHA512
6f6b8961742246b2b750b55d0ee6d36e8d0f593c069006ef1d31807403b6d8f338e4b073c11acbb2b509b11b2c90ba5c15f68c118f947a3fea218d9ba8a7b7b9

Download Submit
C:\Windows\System32\jWZqmMv.exe

Filesize
3.0MB

MD5
724f16cbc0c719cc71b9801dc986d099

SHA1
9ecb73445cac02cb969b11654c239bebb5244f5d

SHA256
2d119318a4b73692a6fa73626a82150ed8762341de01b9d1cbe972537baa83c4

SHA512
13b50b5aeaea68b9b4e0a82bedc72cc7ab254c12ebf65a16fc9e33d87f4fbc8904b110958dd5ea9b7e6607f76cd803b04402af59c48f3ff80c55facbdef523f8

Download Submit
C:\Windows\System32\lTvKYzR.exe

Filesize
3.0MB

MD5
36f8c8fdf94842dff4299f04dcb550cf

SHA1
bea438f4bdefee9345a57e19368922c843079ba5

SHA256
1d468adeb2bdbdfd390bf243a0582cdda17fd99a7092cd360cdfd190748bef55

SHA512
2d9e871786aebd3848e75b61ec789f26716af60058e2f2fb3429dcea5358995226349ed7d164809afc85785af69825d938db7a6d15c6b628236a8a0dd7cc0a8c

Download Submit
C:\Windows\System32\lnFLjsd.exe

Filesize
3.0MB

MD5
992cc22c158a9f2d9c59d52e8392242e

SHA1
65926d5dd38a9bf5e9ca4a9b88895344f6d862db

SHA256
0eede5fedd6521b40d119725afbe0aa36e298cdf7c835185022724dcdd25391b

SHA512
ca994e3d94c4e47dcf90742016a1ccd9a76f9e3332724d945fe42915113131bf9e71600dfbaecf2ebf6c50e882c878a32101af8c031bded34351dee8dce06777

Download Submit
C:\Windows\System32\nETKrsX.exe

Filesize
3.0MB

MD5
0fd9b7ac6512496a7da14ff934f2bc82

SHA1
740cce32eb1d97c06447010222b415cb016c5c74

SHA256
a44861384e21425d34d4bc54e92ecd8226d87f51ef071c33c458eab09d25c6a6

SHA512
fbe97ba0df47ce62d99944cbfc7faf18b9c6f64de85af8def03cf3cb732ace54c90cf73e9d68e4c54f8bfbb2339f931e71e8cfc733bd522ae8e30c86c9c2b224

Download Submit
C:\Windows\System32\nUqTVeN.exe

Filesize
3.0MB

MD5
bd5613482da6d69db0d3a9368f2d9cfb

SHA1
13bd92e6b95cd51004914aa6e9218a38821ba893

SHA256
bb9834fbedf0cca95343be4856320a657cabb88dfcd1b65a2701aea4c2a50cb2

SHA512
0df7ab1fd38d39db937f51fcc6e06e8cf4a6736ddbd4846004f624fdf81fb3727b4a7bca621b0b236cb6598b41dce6e79c7b7bd8f65292a2c65ce5e2b6c20743

Download Submit
C:\Windows\System32\ndEcOGB.exe

Filesize
3.0MB

MD5
7b585596c5e87fdb1fa3e0aec4cc7d08

SHA1
5b87d2df4d56e63cb60bdf46a2fe0769304abd09

SHA256
b68b4446d5c6979cf1686b6332b532d43b2b3fbcce1abcf11702803513d1157c

SHA512
cde63f38ad07888b0574ebe7818c93e049222dabf78d979de62b2f29828a300d4825308fd9eda87181e69bd57a253c3946997540ee8e8f85c88311c72e31a50a

Download Submit
C:\Windows\System32\quHkJMz.exe

Filesize
3.0MB

MD5
c3e55faf66707ec660cf5c940765e77b

SHA1
af2b871cdad5f698577bb1ddbb23857f8df329ce

SHA256
f8ba8ea5c4aba17404699219987aee654cf6b601adf427f7ac783ff749932537

SHA512
bb3a004dfbd41b491358830f1ac17e230bdbcdcc22d56fb9b866c4ef423afe0022fc6575f22292384cc504993c15fb0151ce9b82c3f5403b1277c4193f9e2722

Download Submit
C:\Windows\System32\rbrbmgg.exe

Filesize
3.0MB

MD5
748bace77bb54e6e28761058509ae300

SHA1
4727b7d51d797b685669f0c59cfb329dd834a201

SHA256
14c6272e2ccdaec60830c60b92471022397b1aec92f259eaafa1f42632b4463c

SHA512
1a3655020f396758c152491755aba3d787da3bb726eff1d42a74f2e5a3f21141ff072c93e80bec5bf858470572cebb487e60d9f3718ee398864fd951e789dde5

Download Submit
C:\Windows\System32\uIMlMHx.exe

Filesize
3.0MB

MD5
4e4ea7ca72986eb48a9fdec3ea86c9c0

SHA1
b151a1f73bdb462e4e4d473dc34ff195faf27628

SHA256
9e1f44f4e218adf59f90abbc6e389aed64ff9c12a487b9bec96314ec4a4c35c4

SHA512
10bca2336aaf30e79de5a9aad648dc5ea652596966837a90e48522ac6d10b40891e2758c41783fe88a4e115148f994e602e304962e7d75aa78bef92443d24cea

Download Submit
C:\Windows\System32\uamwZKu.exe

Filesize
3.0MB

MD5
732e42ba118c7c0c2ca4eaf30465d348

SHA1
5f7b902b65949e96fcb8a76c712bc2f19268132c

SHA256
7e0220760e7107ad79d8e1798d0e3c142dec0cde7e7725fd9557c40d1e1f34ed

SHA512
5ce915e7a952792adb1708bcb6bf92cbdd039d5fd0f1142a95095454f23aa3c154d2f72aae9f67fd32c87d48fe2ad928ca314e001e9fc3026033b2d1c8e6b67d

Download Submit
C:\Windows\System32\ukjMOMs.exe

Filesize
3.0MB

MD5
3221e4551b6f502dda33b998bfaf85e1

SHA1
64123a5e4ca85a65f642ed7bb3fe0d0b3caa536e

SHA256
391870d6d43684567b937be7c1762a4708aeac64fe360aa64e006c3ecde95e15

SHA512
3a8794fc0151a7804fb0f6a249c86219fd2f6657ac3577701475eee678fb78036694b9522e85638ed8d67ef7c346d02f6402ef5a77b11ca2647195a9d54317b5

Download Submit
C:\Windows\System32\vbtkffA.exe

Filesize
3.0MB

MD5
9f0e5619572d6364abc810c905b0c866

SHA1
d3b584a579d8bb6386ebca847e354226b83ab87e

SHA256
88c0ebff4c03c5b560337c443192530d812a09b24e03b37d1398c131508ac4f3

SHA512
674e454418ef8369ec570745310723d074c5c662e4ca69f8ca4021e5f64d967833177167d861f1afe1bc4e1557c3b3345d69c4dc23e599f3848d154cce88e0b1

Download Submit
C:\Windows\System32\wXfqCqY.exe

Filesize
3.0MB

MD5
3bffa52e29a2825e721319f937348d7b

SHA1
52d46d102b797e7b0a604586ec21a2e537ce4aba

SHA256
8076fa363dcb89a62e5443e7ee66de538e85459f661f7145d3d115aa76a31e65

SHA512
df30d88bf5fe5fdf81ac7c82eb429db9793d57a5d1fbe6658017a562b90c02bbe98985dfc0a8c6c937201d24548a44eae245acebf069de5391aba6838e59bc3d

Download Submit
memory/372-802-0x00007FF651CD0000-0x00007FF6520C5000-memory.dmp

Filesize
4.0MB

Download
memory/372-1905-0x00007FF651CD0000-0x00007FF6520C5000-memory.dmp

Filesize
4.0MB

Download
memory/464-0-0x00007FF727F50000-0x00007FF728345000-memory.dmp

Filesize
4.0MB

Download
memory/464-1888-0x00007FF727F50000-0x00007FF728345000-memory.dmp

Filesize
4.0MB

Download
memory/464-1-0x0000023B8BAC0000-0x0000023B8BAD0000-memory.dmp

Filesize
64KB

Download
memory/708-861-0x00007FF6701E0000-0x00007FF6705D5000-memory.dmp

Filesize
4.0MB

Download
memory/708-1906-0x00007FF6701E0000-0x00007FF6705D5000-memory.dmp

Filesize
4.0MB

Download
memory/976-892-0x00007FF6BC9D0000-0x00007FF6BCDC5000-memory.dmp

Filesize
4.0MB

Download
memory/976-1913-0x00007FF6BC9D0000-0x00007FF6BCDC5000-memory.dmp

Filesize
4.0MB

Download
memory/1084-805-0x00007FF6BFCA0000-0x00007FF6C0095000-memory.dmp

Filesize
4.0MB

Download
memory/1084-1899-0x00007FF6BFCA0000-0x00007FF6C0095000-memory.dmp

Filesize
4.0MB

Download
memory/1284-1900-0x00007FF64C630000-0x00007FF64CA25000-memory.dmp

Filesize
4.0MB

Download
memory/1284-812-0x00007FF64C630000-0x00007FF64CA25000-memory.dmp

Filesize
4.0MB

Download
memory/2192-1890-0x00007FF7B6430000-0x00007FF7B6825000-memory.dmp

Filesize
4.0MB

Download
memory/2192-14-0x00007FF7B6430000-0x00007FF7B6825000-memory.dmp

Filesize
4.0MB

Download
memory/2300-1911-0x00007FF6F0BE0000-0x00007FF6F0FD5000-memory.dmp

Filesize
4.0MB

Download
memory/2300-888-0x00007FF6F0BE0000-0x00007FF6F0FD5000-memory.dmp

Filesize
4.0MB

Download
memory/2484-1908-0x00007FF687D60000-0x00007FF688155000-memory.dmp

Filesize
4.0MB

Download
memory/2484-878-0x00007FF687D60000-0x00007FF688155000-memory.dmp

Filesize
4.0MB

Download
memory/2768-1898-0x00007FF692B40000-0x00007FF692F35000-memory.dmp

Filesize
4.0MB

Download
memory/2768-823-0x00007FF692B40000-0x00007FF692F35000-memory.dmp

Filesize
4.0MB

Download
memory/2908-1903-0x00007FF630E80000-0x00007FF631275000-memory.dmp

Filesize
4.0MB

Download
memory/2908-850-0x00007FF630E80000-0x00007FF631275000-memory.dmp

Filesize
4.0MB

Download
memory/2976-1912-0x00007FF772C30000-0x00007FF773025000-memory.dmp

Filesize
4.0MB

Download
memory/2976-873-0x00007FF772C30000-0x00007FF773025000-memory.dmp

Filesize
4.0MB

Download
memory/3144-864-0x00007FF7C6EE0000-0x00007FF7C72D5000-memory.dmp

Filesize
4.0MB

Download
memory/3144-1907-0x00007FF7C6EE0000-0x00007FF7C72D5000-memory.dmp

Filesize
4.0MB

Download
memory/3372-839-0x00007FF6496F0000-0x00007FF649AE5000-memory.dmp

Filesize
4.0MB

Download
memory/3372-1894-0x00007FF6496F0000-0x00007FF649AE5000-memory.dmp

Filesize
4.0MB

Download
memory/3532-20-0x00007FF786840000-0x00007FF786C35000-memory.dmp

Filesize
4.0MB

Download
memory/3532-1891-0x00007FF786840000-0x00007FF786C35000-memory.dmp

Filesize
4.0MB

Download
memory/3796-1901-0x00007FF746F00000-0x00007FF7472F5000-memory.dmp

Filesize
4.0MB

Download
memory/3796-849-0x00007FF746F00000-0x00007FF7472F5000-memory.dmp

Filesize
4.0MB

Download
memory/3972-907-0x00007FF7F5DA0000-0x00007FF7F6195000-memory.dmp

Filesize
4.0MB

Download
memory/3972-1893-0x00007FF7F5DA0000-0x00007FF7F6195000-memory.dmp

Filesize
4.0MB

Download
memory/4076-901-0x00007FF6D9FE0000-0x00007FF6DA3D5000-memory.dmp

Filesize
4.0MB

Download
memory/4076-1910-0x00007FF6D9FE0000-0x00007FF6DA3D5000-memory.dmp

Filesize
4.0MB

Download
memory/4240-818-0x00007FF7A1CA0000-0x00007FF7A2095000-memory.dmp

Filesize
4.0MB

Download
memory/4240-1897-0x00007FF7A1CA0000-0x00007FF7A2095000-memory.dmp

Filesize
4.0MB

Download
memory/4444-1896-0x00007FF7246F0000-0x00007FF724AE5000-memory.dmp

Filesize
4.0MB

Download
memory/4444-833-0x00007FF7246F0000-0x00007FF724AE5000-memory.dmp

Filesize
4.0MB

Download
memory/4472-23-0x00007FF717B90000-0x00007FF717F85000-memory.dmp

Filesize
4.0MB

Download
memory/4472-1892-0x00007FF717B90000-0x00007FF717F85000-memory.dmp

Filesize
4.0MB

Download
memory/4580-883-0x00007FF767C00000-0x00007FF767FF5000-memory.dmp

Filesize
4.0MB

Download
memory/4580-1909-0x00007FF767C00000-0x00007FF767FF5000-memory.dmp

Filesize
4.0MB

Download
memory/4648-1902-0x00007FF635590000-0x00007FF635985000-memory.dmp

Filesize
4.0MB

Download
memory/4648-843-0x00007FF635590000-0x00007FF635985000-memory.dmp

Filesize
4.0MB

Download
memory/4704-856-0x00007FF62EE70000-0x00007FF62F265000-memory.dmp

Filesize
4.0MB

Download
memory/4704-1904-0x00007FF62EE70000-0x00007FF62F265000-memory.dmp

Filesize
4.0MB

Download
memory/4948-1895-0x00007FF721C70000-0x00007FF722065000-memory.dmp

Filesize
4.0MB

Download
memory/4948-1889-0x00007FF721C70000-0x00007FF722065000-memory.dmp

Filesize
4.0MB

Download
memory/4948-801-0x00007FF721C70000-0x00007FF722065000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads