xmrig | ca4a67e16c367cb0c23302d700650a057274aa4de7694aa589ceb2b34eab470f

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
Size

3.4MB
MD5

0b3a98992b87230b16dff096d66b0fa0
SHA1

d00842f4f4f784414f9f08a24b28a1af3e5f1cf6
SHA256

ca4a67e16c367cb0c23302d700650a057274aa4de7694aa589ceb2b34eab470f
SHA512

a2a7b17020803a762a7607bfceef74949c3b71389d68c18701b6b088908f9a8bf2a3702bb94dfdab7da28ccedeef4b081d3b1ad1c3962c2b0178c4cf6a2727f1
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc4g:NFWPClFQ

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/724-0-0x00007FF73F5F0000-0x00007FF73F9E5000-memory.dmp	xmrig
behavioral2/files/0x000d000000023aee-5.dat	xmrig
behavioral2/files/0x000a000000023b67-7.dat	xmrig
behavioral2/files/0x000a000000023b69-28.dat	xmrig
behavioral2/files/0x000a000000023b6a-33.dat	xmrig
behavioral2/files/0x000a000000023b6c-43.dat	xmrig
behavioral2/files/0x000a000000023b6e-51.dat	xmrig
behavioral2/files/0x000a000000023b6f-58.dat	xmrig
behavioral2/files/0x000a000000023b72-71.dat	xmrig
behavioral2/files/0x000a000000023b74-81.dat	xmrig
behavioral2/files/0x000a000000023b7a-113.dat	xmrig
behavioral2/files/0x000a000000023b7f-138.dat	xmrig
behavioral2/files/0x000a000000023b83-156.dat	xmrig
behavioral2/files/0x000a000000023b84-163.dat	xmrig
behavioral2/files/0x000a000000023b82-153.dat	xmrig
behavioral2/files/0x000a000000023b81-148.dat	xmrig
behavioral2/files/0x000a000000023b80-143.dat	xmrig
behavioral2/files/0x000a000000023b7e-133.dat	xmrig
behavioral2/files/0x000a000000023b7d-128.dat	xmrig
behavioral2/files/0x000a000000023b7c-123.dat	xmrig
behavioral2/files/0x000a000000023b7b-118.dat	xmrig
behavioral2/files/0x000a000000023b79-108.dat	xmrig
behavioral2/files/0x000a000000023b78-103.dat	xmrig
behavioral2/files/0x000a000000023b77-98.dat	xmrig
behavioral2/files/0x000a000000023b76-93.dat	xmrig
behavioral2/files/0x000a000000023b75-88.dat	xmrig
behavioral2/files/0x000a000000023b73-78.dat	xmrig
behavioral2/files/0x000a000000023b71-68.dat	xmrig
behavioral2/files/0x000a000000023b70-63.dat	xmrig
behavioral2/files/0x000a000000023b6d-48.dat	xmrig
behavioral2/files/0x000a000000023b6b-38.dat	xmrig
behavioral2/files/0x000a000000023b68-23.dat	xmrig
behavioral2/memory/1536-15-0x00007FF62C6A0000-0x00007FF62CA95000-memory.dmp	xmrig
behavioral2/files/0x000d000000023b59-9.dat	xmrig
behavioral2/memory/3616-11-0x00007FF6E1080000-0x00007FF6E1475000-memory.dmp	xmrig
behavioral2/memory/3484-803-0x00007FF6860E0000-0x00007FF6864D5000-memory.dmp	xmrig
behavioral2/memory/468-807-0x00007FF72E660000-0x00007FF72EA55000-memory.dmp	xmrig
behavioral2/memory/1724-820-0x00007FF6DB5D0000-0x00007FF6DB9C5000-memory.dmp	xmrig
behavioral2/memory/2980-815-0x00007FF753D70000-0x00007FF754165000-memory.dmp	xmrig
behavioral2/memory/640-813-0x00007FF6C3DE0000-0x00007FF6C41D5000-memory.dmp	xmrig
behavioral2/memory/4468-824-0x00007FF6E2700000-0x00007FF6E2AF5000-memory.dmp	xmrig
behavioral2/memory/4948-827-0x00007FF7F0C60000-0x00007FF7F1055000-memory.dmp	xmrig
behavioral2/memory/1540-833-0x00007FF71BFE0000-0x00007FF71C3D5000-memory.dmp	xmrig
behavioral2/memory/3948-836-0x00007FF7D8C20000-0x00007FF7D9015000-memory.dmp	xmrig
behavioral2/memory/3352-844-0x00007FF7D5DF0000-0x00007FF7D61E5000-memory.dmp	xmrig
behavioral2/memory/4756-850-0x00007FF60D560000-0x00007FF60D955000-memory.dmp	xmrig
behavioral2/memory/2152-840-0x00007FF697320000-0x00007FF697715000-memory.dmp	xmrig
behavioral2/memory/1168-837-0x00007FF6C5330000-0x00007FF6C5725000-memory.dmp	xmrig
behavioral2/memory/2724-851-0x00007FF6167D0000-0x00007FF616BC5000-memory.dmp	xmrig
behavioral2/memory/4860-860-0x00007FF7DD290000-0x00007FF7DD685000-memory.dmp	xmrig
behavioral2/memory/4512-866-0x00007FF7F20E0000-0x00007FF7F24D5000-memory.dmp	xmrig
behavioral2/memory/1196-871-0x00007FF6D93B0000-0x00007FF6D97A5000-memory.dmp	xmrig
behavioral2/memory/3572-864-0x00007FF6B3EB0000-0x00007FF6B42A5000-memory.dmp	xmrig
behavioral2/memory/4316-877-0x00007FF69FB00000-0x00007FF69FEF5000-memory.dmp	xmrig
behavioral2/memory/3760-878-0x00007FF719F90000-0x00007FF71A385000-memory.dmp	xmrig
behavioral2/memory/4632-881-0x00007FF64A630000-0x00007FF64AA25000-memory.dmp	xmrig
behavioral2/memory/3032-857-0x00007FF76EBA0000-0x00007FF76EF95000-memory.dmp	xmrig
behavioral2/memory/3616-1857-0x00007FF6E1080000-0x00007FF6E1475000-memory.dmp	xmrig
behavioral2/memory/3616-1859-0x00007FF6E1080000-0x00007FF6E1475000-memory.dmp	xmrig
behavioral2/memory/1536-1858-0x00007FF62C6A0000-0x00007FF62CA95000-memory.dmp	xmrig
behavioral2/memory/3484-1861-0x00007FF6860E0000-0x00007FF6864D5000-memory.dmp	xmrig
behavioral2/memory/640-1862-0x00007FF6C3DE0000-0x00007FF6C41D5000-memory.dmp	xmrig
behavioral2/memory/468-1860-0x00007FF72E660000-0x00007FF72EA55000-memory.dmp	xmrig
behavioral2/memory/4316-1877-0x00007FF69FB00000-0x00007FF69FEF5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3616	XLCJvoL.exe
1536	uMZyFTU.exe
3484	MTdADNt.exe
468	tjhHmOp.exe
640	ClugDvv.exe
2980	TXAFavx.exe
1724	XSpRWrW.exe
4468	tOuetWT.exe
4948	jMXUWsD.exe
1540	SRokUni.exe
3948	DqlrPni.exe
1168	ZyXVDkq.exe
2152	qojzRXF.exe
3352	npyhFUy.exe
4756	RxRBzAj.exe
2724	gjbzyNL.exe
3032	wbEWxPo.exe
4860	mWHOcdk.exe
3572	lrJrpre.exe
4512	qVEwGOu.exe
1196	KCxVwcT.exe
4316	xCRFshv.exe
3760	FXUJjcD.exe
4632	KWiJuNT.exe
4452	lpPybwP.exe
4776	wtCJOYQ.exe
4268	unhbutr.exe
1888	wxyBoHe.exe
4476	KlcSyBw.exe
3992	JCRyzUk.exe
720	UwLTWgN.exe
3532	qrWDsgz.exe
3504	BRgfMGd.exe
1004	rccTUUL.exe
2668	KWwRYRh.exe
1596	iONwIop.exe
4960	OLeTfjo.exe
1472	eoSoFms.exe
3056	VlhgTZI.exe
4892	OfMqrbV.exe
220	DynCIwW.exe
1440	PvRUXqj.exe
2896	GFbjoXy.exe
4852	zSzqOkB.exe
4300	zQjHWtf.exe
4344	OmsgiYs.exe
3460	kahYjHZ.exe
3028	vkhPuyP.exe
4112	UDhslKQ.exe
4608	hyAAtaj.exe
1812	PQzCVoj.exe
3868	ZuBPrVt.exe
1048	PEomQkm.exe
2304	ilSgtcQ.exe
1436	EwGuZDm.exe
2992	ZDaTjGV.exe
1756	YwnYnrZ.exe
1980	xedqhlK.exe
4056	wlZuvbM.exe
2352	BBXuRms.exe
400	qyWglWW.exe
1336	MRxFtST.exe
1564	hmvOIDl.exe
4340	NULwnwY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/724-0-0x00007FF73F5F0000-0x00007FF73F9E5000-memory.dmp	upx
behavioral2/files/0x000d000000023aee-5.dat	upx
behavioral2/files/0x000a000000023b67-7.dat	upx
behavioral2/files/0x000a000000023b69-28.dat	upx
behavioral2/files/0x000a000000023b6a-33.dat	upx
behavioral2/files/0x000a000000023b6c-43.dat	upx
behavioral2/files/0x000a000000023b6e-51.dat	upx
behavioral2/files/0x000a000000023b6f-58.dat	upx
behavioral2/files/0x000a000000023b72-71.dat	upx
behavioral2/files/0x000a000000023b74-81.dat	upx
behavioral2/files/0x000a000000023b7a-113.dat	upx
behavioral2/files/0x000a000000023b7f-138.dat	upx
behavioral2/files/0x000a000000023b83-156.dat	upx
behavioral2/files/0x000a000000023b84-163.dat	upx
behavioral2/files/0x000a000000023b82-153.dat	upx
behavioral2/files/0x000a000000023b81-148.dat	upx
behavioral2/files/0x000a000000023b80-143.dat	upx
behavioral2/files/0x000a000000023b7e-133.dat	upx
behavioral2/files/0x000a000000023b7d-128.dat	upx
behavioral2/files/0x000a000000023b7c-123.dat	upx
behavioral2/files/0x000a000000023b7b-118.dat	upx
behavioral2/files/0x000a000000023b79-108.dat	upx
behavioral2/files/0x000a000000023b78-103.dat	upx
behavioral2/files/0x000a000000023b77-98.dat	upx
behavioral2/files/0x000a000000023b76-93.dat	upx
behavioral2/files/0x000a000000023b75-88.dat	upx
behavioral2/files/0x000a000000023b73-78.dat	upx
behavioral2/files/0x000a000000023b71-68.dat	upx
behavioral2/files/0x000a000000023b70-63.dat	upx
behavioral2/files/0x000a000000023b6d-48.dat	upx
behavioral2/files/0x000a000000023b6b-38.dat	upx
behavioral2/files/0x000a000000023b68-23.dat	upx
behavioral2/memory/1536-15-0x00007FF62C6A0000-0x00007FF62CA95000-memory.dmp	upx
behavioral2/files/0x000d000000023b59-9.dat	upx
behavioral2/memory/3616-11-0x00007FF6E1080000-0x00007FF6E1475000-memory.dmp	upx
behavioral2/memory/3484-803-0x00007FF6860E0000-0x00007FF6864D5000-memory.dmp	upx
behavioral2/memory/468-807-0x00007FF72E660000-0x00007FF72EA55000-memory.dmp	upx
behavioral2/memory/1724-820-0x00007FF6DB5D0000-0x00007FF6DB9C5000-memory.dmp	upx
behavioral2/memory/2980-815-0x00007FF753D70000-0x00007FF754165000-memory.dmp	upx
behavioral2/memory/640-813-0x00007FF6C3DE0000-0x00007FF6C41D5000-memory.dmp	upx
behavioral2/memory/4468-824-0x00007FF6E2700000-0x00007FF6E2AF5000-memory.dmp	upx
behavioral2/memory/4948-827-0x00007FF7F0C60000-0x00007FF7F1055000-memory.dmp	upx
behavioral2/memory/1540-833-0x00007FF71BFE0000-0x00007FF71C3D5000-memory.dmp	upx
behavioral2/memory/3948-836-0x00007FF7D8C20000-0x00007FF7D9015000-memory.dmp	upx
behavioral2/memory/3352-844-0x00007FF7D5DF0000-0x00007FF7D61E5000-memory.dmp	upx
behavioral2/memory/4756-850-0x00007FF60D560000-0x00007FF60D955000-memory.dmp	upx
behavioral2/memory/2152-840-0x00007FF697320000-0x00007FF697715000-memory.dmp	upx
behavioral2/memory/1168-837-0x00007FF6C5330000-0x00007FF6C5725000-memory.dmp	upx
behavioral2/memory/2724-851-0x00007FF6167D0000-0x00007FF616BC5000-memory.dmp	upx
behavioral2/memory/4860-860-0x00007FF7DD290000-0x00007FF7DD685000-memory.dmp	upx
behavioral2/memory/4512-866-0x00007FF7F20E0000-0x00007FF7F24D5000-memory.dmp	upx
behavioral2/memory/1196-871-0x00007FF6D93B0000-0x00007FF6D97A5000-memory.dmp	upx
behavioral2/memory/3572-864-0x00007FF6B3EB0000-0x00007FF6B42A5000-memory.dmp	upx
behavioral2/memory/4316-877-0x00007FF69FB00000-0x00007FF69FEF5000-memory.dmp	upx
behavioral2/memory/3760-878-0x00007FF719F90000-0x00007FF71A385000-memory.dmp	upx
behavioral2/memory/4632-881-0x00007FF64A630000-0x00007FF64AA25000-memory.dmp	upx
behavioral2/memory/3032-857-0x00007FF76EBA0000-0x00007FF76EF95000-memory.dmp	upx
behavioral2/memory/3616-1857-0x00007FF6E1080000-0x00007FF6E1475000-memory.dmp	upx
behavioral2/memory/3616-1859-0x00007FF6E1080000-0x00007FF6E1475000-memory.dmp	upx
behavioral2/memory/1536-1858-0x00007FF62C6A0000-0x00007FF62CA95000-memory.dmp	upx
behavioral2/memory/3484-1861-0x00007FF6860E0000-0x00007FF6864D5000-memory.dmp	upx
behavioral2/memory/640-1862-0x00007FF6C3DE0000-0x00007FF6C41D5000-memory.dmp	upx
behavioral2/memory/468-1860-0x00007FF72E660000-0x00007FF72EA55000-memory.dmp	upx
behavioral2/memory/4316-1877-0x00007FF69FB00000-0x00007FF69FEF5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DZGoMzw.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\whnjJwD.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\bbMYTLe.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\jgfPebs.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\aaGNIqZ.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\ZuBPrVt.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\fERZVMQ.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\qlsCCVR.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\wxaUnpl.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\zIwWyrj.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\UhXupXX.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\Lapkecy.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\QYTAuht.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\RbZoDkU.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\VbiTmRk.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\GgTLWCm.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\zFPzuoH.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\UPcJtYY.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\PmdRmtD.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\vsCNHTo.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\phpCFYX.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\ypBGpMf.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\HnTFdgx.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\GDphkeh.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\mAjDjkR.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\vGTaRAz.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\EUiJZln.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\QpwhMOS.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\iwfkbWi.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\EiGuyew.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\DEoWxSl.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\TBzcGwj.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\FpKGHHr.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\FIoVRXj.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\CWWeBvd.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\OnqgKrK.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\LiQMbdJ.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\SIVlbLb.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\EGAZTQQ.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\OfMqrbV.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\NOwmAzw.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\KZtpWMX.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\TbxmJRu.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\mglJtpu.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\ILEwWgf.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\DWWcgWT.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\QIBvPeX.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\hIkjWBd.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\cEeRJtt.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\PbCjzOF.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\OmsgiYs.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\eWSDEwn.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\MloNGhf.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\OtmWoiz.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\sJiAWVl.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\UuwgZXF.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\xIcIEuN.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\npyhFUy.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\VXKwcNY.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\yFqGDDX.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\qapuJkz.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\FFVYCIo.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\lxeLold.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
File created	C:\Windows\System32\mZGjIqj.exe	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	10500	dwm.exe
Token: SeChangeNotifyPrivilege	10500	dwm.exe
Token: 33	10500	dwm.exe
Token: SeIncBasePriorityPrivilege	10500	dwm.exe
Token: SeShutdownPrivilege	10500	dwm.exe
Token: SeCreatePagefilePrivilege	10500	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 3616	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	86
PID 724 wrote to memory of 3616	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	86
PID 724 wrote to memory of 1536	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	87
PID 724 wrote to memory of 1536	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	87
PID 724 wrote to memory of 3484	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	88
PID 724 wrote to memory of 3484	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	88
PID 724 wrote to memory of 468	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	89
PID 724 wrote to memory of 468	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	89
PID 724 wrote to memory of 640	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	90
PID 724 wrote to memory of 640	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	90
PID 724 wrote to memory of 2980	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	91
PID 724 wrote to memory of 2980	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	91
PID 724 wrote to memory of 1724	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	92
PID 724 wrote to memory of 1724	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	92
PID 724 wrote to memory of 4468	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	93
PID 724 wrote to memory of 4468	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	93
PID 724 wrote to memory of 4948	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	94
PID 724 wrote to memory of 4948	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	94
PID 724 wrote to memory of 1540	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	95
PID 724 wrote to memory of 1540	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	95
PID 724 wrote to memory of 3948	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	96
PID 724 wrote to memory of 3948	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	96
PID 724 wrote to memory of 1168	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	97
PID 724 wrote to memory of 1168	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	97
PID 724 wrote to memory of 2152	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	98
PID 724 wrote to memory of 2152	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	98
PID 724 wrote to memory of 3352	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	99
PID 724 wrote to memory of 3352	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	99
PID 724 wrote to memory of 4756	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	100
PID 724 wrote to memory of 4756	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	100
PID 724 wrote to memory of 2724	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	101
PID 724 wrote to memory of 2724	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	101
PID 724 wrote to memory of 3032	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	102
PID 724 wrote to memory of 3032	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	102
PID 724 wrote to memory of 4860	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	103
PID 724 wrote to memory of 4860	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	103
PID 724 wrote to memory of 3572	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	104
PID 724 wrote to memory of 3572	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	104
PID 724 wrote to memory of 4512	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	105
PID 724 wrote to memory of 4512	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	105
PID 724 wrote to memory of 1196	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	106
PID 724 wrote to memory of 1196	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	106
PID 724 wrote to memory of 4316	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	107
PID 724 wrote to memory of 4316	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	107
PID 724 wrote to memory of 3760	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	108
PID 724 wrote to memory of 3760	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	108
PID 724 wrote to memory of 4632	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	109
PID 724 wrote to memory of 4632	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	109
PID 724 wrote to memory of 4452	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	110
PID 724 wrote to memory of 4452	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	110
PID 724 wrote to memory of 4776	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	111
PID 724 wrote to memory of 4776	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	111
PID 724 wrote to memory of 4268	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	112
PID 724 wrote to memory of 4268	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	112
PID 724 wrote to memory of 1888	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	113
PID 724 wrote to memory of 1888	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	113
PID 724 wrote to memory of 4476	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	114
PID 724 wrote to memory of 4476	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	114
PID 724 wrote to memory of 3992	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	115
PID 724 wrote to memory of 3992	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	115
PID 724 wrote to memory of 720	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	116
PID 724 wrote to memory of 720	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	116
PID 724 wrote to memory of 3532	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	117
PID 724 wrote to memory of 3532	724	0b3a98992b87230b16dff096d66b0fa0_NEAS.exe	117

C:\Users\Admin\AppData\Local\Temp\0b3a98992b87230b16dff096d66b0fa0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\0b3a98992b87230b16dff096d66b0fa0_NEAS.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:724
- C:\Windows\System32\XLCJvoL.exe
  C:\Windows\System32\XLCJvoL.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\uMZyFTU.exe
  C:\Windows\System32\uMZyFTU.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System32\MTdADNt.exe
  C:\Windows\System32\MTdADNt.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\tjhHmOp.exe
  C:\Windows\System32\tjhHmOp.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System32\ClugDvv.exe
  C:\Windows\System32\ClugDvv.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\TXAFavx.exe
  C:\Windows\System32\TXAFavx.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System32\XSpRWrW.exe
  C:\Windows\System32\XSpRWrW.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System32\tOuetWT.exe
  C:\Windows\System32\tOuetWT.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\jMXUWsD.exe
  C:\Windows\System32\jMXUWsD.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\SRokUni.exe
  C:\Windows\System32\SRokUni.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\DqlrPni.exe
  C:\Windows\System32\DqlrPni.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System32\ZyXVDkq.exe
  C:\Windows\System32\ZyXVDkq.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System32\qojzRXF.exe
  C:\Windows\System32\qojzRXF.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System32\npyhFUy.exe
  C:\Windows\System32\npyhFUy.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System32\RxRBzAj.exe
  C:\Windows\System32\RxRBzAj.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System32\gjbzyNL.exe
  C:\Windows\System32\gjbzyNL.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System32\wbEWxPo.exe
  C:\Windows\System32\wbEWxPo.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System32\mWHOcdk.exe
  C:\Windows\System32\mWHOcdk.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\lrJrpre.exe
  C:\Windows\System32\lrJrpre.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\qVEwGOu.exe
  C:\Windows\System32\qVEwGOu.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\KCxVwcT.exe
  C:\Windows\System32\KCxVwcT.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System32\xCRFshv.exe
  C:\Windows\System32\xCRFshv.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\FXUJjcD.exe
  C:\Windows\System32\FXUJjcD.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System32\KWiJuNT.exe
  C:\Windows\System32\KWiJuNT.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\lpPybwP.exe
  C:\Windows\System32\lpPybwP.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\wtCJOYQ.exe
  C:\Windows\System32\wtCJOYQ.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\unhbutr.exe
  C:\Windows\System32\unhbutr.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System32\wxyBoHe.exe
  C:\Windows\System32\wxyBoHe.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System32\KlcSyBw.exe
  C:\Windows\System32\KlcSyBw.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\JCRyzUk.exe
  C:\Windows\System32\JCRyzUk.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System32\UwLTWgN.exe
  C:\Windows\System32\UwLTWgN.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System32\qrWDsgz.exe
  C:\Windows\System32\qrWDsgz.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\BRgfMGd.exe
  C:\Windows\System32\BRgfMGd.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System32\rccTUUL.exe
  C:\Windows\System32\rccTUUL.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System32\KWwRYRh.exe
  C:\Windows\System32\KWwRYRh.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System32\iONwIop.exe
  C:\Windows\System32\iONwIop.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System32\OLeTfjo.exe
  C:\Windows\System32\OLeTfjo.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\eoSoFms.exe
  C:\Windows\System32\eoSoFms.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System32\VlhgTZI.exe
  C:\Windows\System32\VlhgTZI.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\OfMqrbV.exe
  C:\Windows\System32\OfMqrbV.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System32\DynCIwW.exe
  C:\Windows\System32\DynCIwW.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System32\PvRUXqj.exe
  C:\Windows\System32\PvRUXqj.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\GFbjoXy.exe
  C:\Windows\System32\GFbjoXy.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\zSzqOkB.exe
  C:\Windows\System32\zSzqOkB.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\zQjHWtf.exe
  C:\Windows\System32\zQjHWtf.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System32\OmsgiYs.exe
  C:\Windows\System32\OmsgiYs.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\kahYjHZ.exe
  C:\Windows\System32\kahYjHZ.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System32\vkhPuyP.exe
  C:\Windows\System32\vkhPuyP.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\UDhslKQ.exe
  C:\Windows\System32\UDhslKQ.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System32\hyAAtaj.exe
  C:\Windows\System32\hyAAtaj.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System32\PQzCVoj.exe
  C:\Windows\System32\PQzCVoj.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\ZuBPrVt.exe
  C:\Windows\System32\ZuBPrVt.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System32\PEomQkm.exe
  C:\Windows\System32\PEomQkm.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System32\ilSgtcQ.exe
  C:\Windows\System32\ilSgtcQ.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System32\EwGuZDm.exe
  C:\Windows\System32\EwGuZDm.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System32\ZDaTjGV.exe
  C:\Windows\System32\ZDaTjGV.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System32\YwnYnrZ.exe
  C:\Windows\System32\YwnYnrZ.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\xedqhlK.exe
  C:\Windows\System32\xedqhlK.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\wlZuvbM.exe
  C:\Windows\System32\wlZuvbM.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\BBXuRms.exe
  C:\Windows\System32\BBXuRms.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\qyWglWW.exe
  C:\Windows\System32\qyWglWW.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\MRxFtST.exe
  C:\Windows\System32\MRxFtST.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System32\hmvOIDl.exe
  C:\Windows\System32\hmvOIDl.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System32\NULwnwY.exe
  C:\Windows\System32\NULwnwY.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\EiGuyew.exe
  C:\Windows\System32\EiGuyew.exe
  2⤵
  PID:2276
- C:\Windows\System32\tWlQNOD.exe
  C:\Windows\System32\tWlQNOD.exe
  2⤵
  PID:4060
- C:\Windows\System32\ukHCDLW.exe
  C:\Windows\System32\ukHCDLW.exe
  2⤵
  PID:752
- C:\Windows\System32\LhlQkgn.exe
  C:\Windows\System32\LhlQkgn.exe
  2⤵
  PID:2140
- C:\Windows\System32\ILqJose.exe
  C:\Windows\System32\ILqJose.exe
  2⤵
  PID:2744
- C:\Windows\System32\uuJEBvk.exe
  C:\Windows\System32\uuJEBvk.exe
  2⤵
  PID:1284
- C:\Windows\System32\wPFclMr.exe
  C:\Windows\System32\wPFclMr.exe
  2⤵
  PID:1644
- C:\Windows\System32\fkpZeDr.exe
  C:\Windows\System32\fkpZeDr.exe
  2⤵
  PID:5140
- C:\Windows\System32\yaJMcbD.exe
  C:\Windows\System32\yaJMcbD.exe
  2⤵
  PID:5168
- C:\Windows\System32\fQMuOzf.exe
  C:\Windows\System32\fQMuOzf.exe
  2⤵
  PID:5196
- C:\Windows\System32\xVcCbNr.exe
  C:\Windows\System32\xVcCbNr.exe
  2⤵
  PID:5224
- C:\Windows\System32\KxTUdmR.exe
  C:\Windows\System32\KxTUdmR.exe
  2⤵
  PID:5252
- C:\Windows\System32\uuHYFjO.exe
  C:\Windows\System32\uuHYFjO.exe
  2⤵
  PID:5280
- C:\Windows\System32\LNbBVfB.exe
  C:\Windows\System32\LNbBVfB.exe
  2⤵
  PID:5308
- C:\Windows\System32\aOIuqNC.exe
  C:\Windows\System32\aOIuqNC.exe
  2⤵
  PID:5336
- C:\Windows\System32\IIJAtER.exe
  C:\Windows\System32\IIJAtER.exe
  2⤵
  PID:5364
- C:\Windows\System32\MQtqIwD.exe
  C:\Windows\System32\MQtqIwD.exe
  2⤵
  PID:5392
- C:\Windows\System32\hjZRXOK.exe
  C:\Windows\System32\hjZRXOK.exe
  2⤵
  PID:5420
- C:\Windows\System32\VavsGwc.exe
  C:\Windows\System32\VavsGwc.exe
  2⤵
  PID:5448
- C:\Windows\System32\AVUyBMf.exe
  C:\Windows\System32\AVUyBMf.exe
  2⤵
  PID:5476
- C:\Windows\System32\qaGQPas.exe
  C:\Windows\System32\qaGQPas.exe
  2⤵
  PID:5504
- C:\Windows\System32\nRDCGYw.exe
  C:\Windows\System32\nRDCGYw.exe
  2⤵
  PID:5532
- C:\Windows\System32\NiSFrCD.exe
  C:\Windows\System32\NiSFrCD.exe
  2⤵
  PID:5560
- C:\Windows\System32\TDvJCHR.exe
  C:\Windows\System32\TDvJCHR.exe
  2⤵
  PID:5596
- C:\Windows\System32\whnjJwD.exe
  C:\Windows\System32\whnjJwD.exe
  2⤵
  PID:5616
- C:\Windows\System32\mstmpfd.exe
  C:\Windows\System32\mstmpfd.exe
  2⤵
  PID:5644
- C:\Windows\System32\sxPYOec.exe
  C:\Windows\System32\sxPYOec.exe
  2⤵
  PID:5672
- C:\Windows\System32\pelJCdo.exe
  C:\Windows\System32\pelJCdo.exe
  2⤵
  PID:5700
- C:\Windows\System32\RrDBhHc.exe
  C:\Windows\System32\RrDBhHc.exe
  2⤵
  PID:5728
- C:\Windows\System32\kvQefoS.exe
  C:\Windows\System32\kvQefoS.exe
  2⤵
  PID:5756
- C:\Windows\System32\YRQzFsv.exe
  C:\Windows\System32\YRQzFsv.exe
  2⤵
  PID:5784
- C:\Windows\System32\ASxwVYa.exe
  C:\Windows\System32\ASxwVYa.exe
  2⤵
  PID:5812
- C:\Windows\System32\dcxoXFk.exe
  C:\Windows\System32\dcxoXFk.exe
  2⤵
  PID:5840
- C:\Windows\System32\GKPNxdx.exe
  C:\Windows\System32\GKPNxdx.exe
  2⤵
  PID:5876
- C:\Windows\System32\kIoAIhd.exe
  C:\Windows\System32\kIoAIhd.exe
  2⤵
  PID:5896
- C:\Windows\System32\abvVWiR.exe
  C:\Windows\System32\abvVWiR.exe
  2⤵
  PID:5924
- C:\Windows\System32\SkGAfAk.exe
  C:\Windows\System32\SkGAfAk.exe
  2⤵
  PID:5952
- C:\Windows\System32\EDwmfOi.exe
  C:\Windows\System32\EDwmfOi.exe
  2⤵
  PID:5980
- C:\Windows\System32\TbxmJRu.exe
  C:\Windows\System32\TbxmJRu.exe
  2⤵
  PID:6008
- C:\Windows\System32\wqySpJI.exe
  C:\Windows\System32\wqySpJI.exe
  2⤵
  PID:6036
- C:\Windows\System32\QWkZfar.exe
  C:\Windows\System32\QWkZfar.exe
  2⤵
  PID:6064
- C:\Windows\System32\aBCWtRW.exe
  C:\Windows\System32\aBCWtRW.exe
  2⤵
  PID:6092
- C:\Windows\System32\FSCUbUc.exe
  C:\Windows\System32\FSCUbUc.exe
  2⤵
  PID:6128
- C:\Windows\System32\mLqQVdE.exe
  C:\Windows\System32\mLqQVdE.exe
  2⤵
  PID:4676
- C:\Windows\System32\kmppHfj.exe
  C:\Windows\System32\kmppHfj.exe
  2⤵
  PID:2580
- C:\Windows\System32\rQAybWP.exe
  C:\Windows\System32\rQAybWP.exe
  2⤵
  PID:672
- C:\Windows\System32\UrmlacO.exe
  C:\Windows\System32\UrmlacO.exe
  2⤵
  PID:2528
- C:\Windows\System32\UvjLvcp.exe
  C:\Windows\System32\UvjLvcp.exe
  2⤵
  PID:4772
- C:\Windows\System32\bbMYTLe.exe
  C:\Windows\System32\bbMYTLe.exe
  2⤵
  PID:5136
- C:\Windows\System32\fERZVMQ.exe
  C:\Windows\System32\fERZVMQ.exe
  2⤵
  PID:5184
- C:\Windows\System32\GHLRzfY.exe
  C:\Windows\System32\GHLRzfY.exe
  2⤵
  PID:5264
- C:\Windows\System32\veqZOER.exe
  C:\Windows\System32\veqZOER.exe
  2⤵
  PID:5332
- C:\Windows\System32\VbiTmRk.exe
  C:\Windows\System32\VbiTmRk.exe
  2⤵
  PID:5380
- C:\Windows\System32\esGZLzs.exe
  C:\Windows\System32\esGZLzs.exe
  2⤵
  PID:5460
- C:\Windows\System32\dkwjnAr.exe
  C:\Windows\System32\dkwjnAr.exe
  2⤵
  PID:5528
- C:\Windows\System32\KtBIkWL.exe
  C:\Windows\System32\KtBIkWL.exe
  2⤵
  PID:5584
- C:\Windows\System32\oJzyjZO.exe
  C:\Windows\System32\oJzyjZO.exe
  2⤵
  PID:5656
- C:\Windows\System32\kjtCnoh.exe
  C:\Windows\System32\kjtCnoh.exe
  2⤵
  PID:5724
- C:\Windows\System32\zmYOFnK.exe
  C:\Windows\System32\zmYOFnK.exe
  2⤵
  PID:5780
- C:\Windows\System32\bfoAJvm.exe
  C:\Windows\System32\bfoAJvm.exe
  2⤵
  PID:5852
- C:\Windows\System32\VESMeyl.exe
  C:\Windows\System32\VESMeyl.exe
  2⤵
  PID:5936
- C:\Windows\System32\QRAAOcR.exe
  C:\Windows\System32\QRAAOcR.exe
  2⤵
  PID:5968
- C:\Windows\System32\fUCmrsV.exe
  C:\Windows\System32\fUCmrsV.exe
  2⤵
  PID:6048
- C:\Windows\System32\gCvUkXx.exe
  C:\Windows\System32\gCvUkXx.exe
  2⤵
  PID:6116
- C:\Windows\System32\wlNrqlu.exe
  C:\Windows\System32\wlNrqlu.exe
  2⤵
  PID:744
- C:\Windows\System32\wxaUnpl.exe
  C:\Windows\System32\wxaUnpl.exe
  2⤵
  PID:2196
- C:\Windows\System32\IvGfskK.exe
  C:\Windows\System32\IvGfskK.exe
  2⤵
  PID:5192
- C:\Windows\System32\PWBpGOt.exe
  C:\Windows\System32\PWBpGOt.exe
  2⤵
  PID:5320
- C:\Windows\System32\yfOlfoL.exe
  C:\Windows\System32\yfOlfoL.exe
  2⤵
  PID:5488
- C:\Windows\System32\DIImsXU.exe
  C:\Windows\System32\DIImsXU.exe
  2⤵
  PID:5684
- C:\Windows\System32\rKYgVXB.exe
  C:\Windows\System32\rKYgVXB.exe
  2⤵
  PID:5828
- C:\Windows\System32\RcNatPd.exe
  C:\Windows\System32\RcNatPd.exe
  2⤵
  PID:5912
- C:\Windows\System32\wmJoKTF.exe
  C:\Windows\System32\wmJoKTF.exe
  2⤵
  PID:6104
- C:\Windows\System32\YIBHWOn.exe
  C:\Windows\System32\YIBHWOn.exe
  2⤵
  PID:2784
- C:\Windows\System32\vAICQSm.exe
  C:\Windows\System32\vAICQSm.exe
  2⤵
  PID:6172
- C:\Windows\System32\dDlcOBc.exe
  C:\Windows\System32\dDlcOBc.exe
  2⤵
  PID:6200
- C:\Windows\System32\fhIfrfW.exe
  C:\Windows\System32\fhIfrfW.exe
  2⤵
  PID:6240
- C:\Windows\System32\UQjipEU.exe
  C:\Windows\System32\UQjipEU.exe
  2⤵
  PID:6256
- C:\Windows\System32\VqfXSLC.exe
  C:\Windows\System32\VqfXSLC.exe
  2⤵
  PID:6284
- C:\Windows\System32\HyYTtaR.exe
  C:\Windows\System32\HyYTtaR.exe
  2⤵
  PID:6312
- C:\Windows\System32\qXqmmTb.exe
  C:\Windows\System32\qXqmmTb.exe
  2⤵
  PID:6340
- C:\Windows\System32\ilVLkeH.exe
  C:\Windows\System32\ilVLkeH.exe
  2⤵
  PID:6368
- C:\Windows\System32\slOYsBw.exe
  C:\Windows\System32\slOYsBw.exe
  2⤵
  PID:6396
- C:\Windows\System32\cJfAzUy.exe
  C:\Windows\System32\cJfAzUy.exe
  2⤵
  PID:6424
- C:\Windows\System32\mUjQkfj.exe
  C:\Windows\System32\mUjQkfj.exe
  2⤵
  PID:6452
- C:\Windows\System32\SkDMvTb.exe
  C:\Windows\System32\SkDMvTb.exe
  2⤵
  PID:6480
- C:\Windows\System32\rfIZqdR.exe
  C:\Windows\System32\rfIZqdR.exe
  2⤵
  PID:6508
- C:\Windows\System32\nKsEsRj.exe
  C:\Windows\System32\nKsEsRj.exe
  2⤵
  PID:6544
- C:\Windows\System32\RrSjCwc.exe
  C:\Windows\System32\RrSjCwc.exe
  2⤵
  PID:6572
- C:\Windows\System32\nslNawF.exe
  C:\Windows\System32\nslNawF.exe
  2⤵
  PID:6600
- C:\Windows\System32\mZGjIqj.exe
  C:\Windows\System32\mZGjIqj.exe
  2⤵
  PID:6628
- C:\Windows\System32\fKiJzBv.exe
  C:\Windows\System32\fKiJzBv.exe
  2⤵
  PID:6648
- C:\Windows\System32\thFJOML.exe
  C:\Windows\System32\thFJOML.exe
  2⤵
  PID:6684
- C:\Windows\System32\JVvPnVI.exe
  C:\Windows\System32\JVvPnVI.exe
  2⤵
  PID:6712
- C:\Windows\System32\NSgfvRZ.exe
  C:\Windows\System32\NSgfvRZ.exe
  2⤵
  PID:6732
- C:\Windows\System32\FiZwkCU.exe
  C:\Windows\System32\FiZwkCU.exe
  2⤵
  PID:6760
- C:\Windows\System32\DGpxKYM.exe
  C:\Windows\System32\DGpxKYM.exe
  2⤵
  PID:6788
- C:\Windows\System32\wVjOfFX.exe
  C:\Windows\System32\wVjOfFX.exe
  2⤵
  PID:6816
- C:\Windows\System32\GHhOazR.exe
  C:\Windows\System32\GHhOazR.exe
  2⤵
  PID:6852
- C:\Windows\System32\dILTQZS.exe
  C:\Windows\System32\dILTQZS.exe
  2⤵
  PID:6872
- C:\Windows\System32\eWSDEwn.exe
  C:\Windows\System32\eWSDEwn.exe
  2⤵
  PID:6900
- C:\Windows\System32\HYMkCXo.exe
  C:\Windows\System32\HYMkCXo.exe
  2⤵
  PID:6928
- C:\Windows\System32\jgfPebs.exe
  C:\Windows\System32\jgfPebs.exe
  2⤵
  PID:6964
- C:\Windows\System32\tGbYJHe.exe
  C:\Windows\System32\tGbYJHe.exe
  2⤵
  PID:6984
- C:\Windows\System32\mAjDjkR.exe
  C:\Windows\System32\mAjDjkR.exe
  2⤵
  PID:7020
- C:\Windows\System32\NDLpsEb.exe
  C:\Windows\System32\NDLpsEb.exe
  2⤵
  PID:7040
- C:\Windows\System32\FgnYTpN.exe
  C:\Windows\System32\FgnYTpN.exe
  2⤵
  PID:7076
- C:\Windows\System32\NOwmAzw.exe
  C:\Windows\System32\NOwmAzw.exe
  2⤵
  PID:7096
- C:\Windows\System32\wWsZdoj.exe
  C:\Windows\System32\wWsZdoj.exe
  2⤵
  PID:7132
- C:\Windows\System32\VxXthWW.exe
  C:\Windows\System32\VxXthWW.exe
  2⤵
  PID:7160
- C:\Windows\System32\CWWeBvd.exe
  C:\Windows\System32\CWWeBvd.exe
  2⤵
  PID:5236
- C:\Windows\System32\lwSlflP.exe
  C:\Windows\System32\lwSlflP.exe
  2⤵
  PID:5712
- C:\Windows\System32\MCiYdao.exe
  C:\Windows\System32\MCiYdao.exe
  2⤵
  PID:5908
- C:\Windows\System32\VKvjvuo.exe
  C:\Windows\System32\VKvjvuo.exe
  2⤵
  PID:6160
- C:\Windows\System32\JUYyWWA.exe
  C:\Windows\System32\JUYyWWA.exe
  2⤵
  PID:6224
- C:\Windows\System32\JRHYIwS.exe
  C:\Windows\System32\JRHYIwS.exe
  2⤵
  PID:6308
- C:\Windows\System32\ekrjKiE.exe
  C:\Windows\System32\ekrjKiE.exe
  2⤵
  PID:6352
- C:\Windows\System32\wXgWIIZ.exe
  C:\Windows\System32\wXgWIIZ.exe
  2⤵
  PID:6412
- C:\Windows\System32\MzFpUpw.exe
  C:\Windows\System32\MzFpUpw.exe
  2⤵
  PID:6468
- C:\Windows\System32\mhBsDtc.exe
  C:\Windows\System32\mhBsDtc.exe
  2⤵
  PID:6540
- C:\Windows\System32\KZtpWMX.exe
  C:\Windows\System32\KZtpWMX.exe
  2⤵
  PID:6612
- C:\Windows\System32\HqyIqFe.exe
  C:\Windows\System32\HqyIqFe.exe
  2⤵
  PID:6664
- C:\Windows\System32\nQPMyOa.exe
  C:\Windows\System32\nQPMyOa.exe
  2⤵
  PID:6744
- C:\Windows\System32\KFFuQKN.exe
  C:\Windows\System32\KFFuQKN.exe
  2⤵
  PID:6832
- C:\Windows\System32\YfjlIFn.exe
  C:\Windows\System32\YfjlIFn.exe
  2⤵
  PID:6864
- C:\Windows\System32\KrdLsEH.exe
  C:\Windows\System32\KrdLsEH.exe
  2⤵
  PID:6940
- C:\Windows\System32\DEoWxSl.exe
  C:\Windows\System32\DEoWxSl.exe
  2⤵
  PID:6996
- C:\Windows\System32\DFLPZhw.exe
  C:\Windows\System32\DFLPZhw.exe
  2⤵
  PID:7056
- C:\Windows\System32\VXKwcNY.exe
  C:\Windows\System32\VXKwcNY.exe
  2⤵
  PID:7120
- C:\Windows\System32\bkMKmea.exe
  C:\Windows\System32\bkMKmea.exe
  2⤵
  PID:5304
- C:\Windows\System32\Suhdvot.exe
  C:\Windows\System32\Suhdvot.exe
  2⤵
  PID:6140
- C:\Windows\System32\wZrGXmz.exe
  C:\Windows\System32\wZrGXmz.exe
  2⤵
  PID:6268
- C:\Windows\System32\zDHHXQM.exe
  C:\Windows\System32\zDHHXQM.exe
  2⤵
  PID:6448
- C:\Windows\System32\VxuBGFV.exe
  C:\Windows\System32\VxuBGFV.exe
  2⤵
  PID:6596
- C:\Windows\System32\DZGoMzw.exe
  C:\Windows\System32\DZGoMzw.exe
  2⤵
  PID:6724
- C:\Windows\System32\mglJtpu.exe
  C:\Windows\System32\mglJtpu.exe
  2⤵
  PID:6868
- C:\Windows\System32\KCMBrFf.exe
  C:\Windows\System32\KCMBrFf.exe
  2⤵
  PID:4992
- C:\Windows\System32\RqHlUMS.exe
  C:\Windows\System32\RqHlUMS.exe
  2⤵
  PID:7148
- C:\Windows\System32\URZBLPI.exe
  C:\Windows\System32\URZBLPI.exe
  2⤵
  PID:7172
- C:\Windows\System32\GRSdDCs.exe
  C:\Windows\System32\GRSdDCs.exe
  2⤵
  PID:7192
- C:\Windows\System32\fyFUuxl.exe
  C:\Windows\System32\fyFUuxl.exe
  2⤵
  PID:7220
- C:\Windows\System32\oCBnwmL.exe
  C:\Windows\System32\oCBnwmL.exe
  2⤵
  PID:7248
- C:\Windows\System32\GBEwdTv.exe
  C:\Windows\System32\GBEwdTv.exe
  2⤵
  PID:7276
- C:\Windows\System32\CpbYHHr.exe
  C:\Windows\System32\CpbYHHr.exe
  2⤵
  PID:7304
- C:\Windows\System32\xqkmMis.exe
  C:\Windows\System32\xqkmMis.exe
  2⤵
  PID:7332
- C:\Windows\System32\sUxmbJG.exe
  C:\Windows\System32\sUxmbJG.exe
  2⤵
  PID:7360
- C:\Windows\System32\GmmSpVX.exe
  C:\Windows\System32\GmmSpVX.exe
  2⤵
  PID:7388
- C:\Windows\System32\aPlfmlh.exe
  C:\Windows\System32\aPlfmlh.exe
  2⤵
  PID:7416
- C:\Windows\System32\RLFnLbd.exe
  C:\Windows\System32\RLFnLbd.exe
  2⤵
  PID:7444
- C:\Windows\System32\OifBwge.exe
  C:\Windows\System32\OifBwge.exe
  2⤵
  PID:7472
- C:\Windows\System32\DIkFNpu.exe
  C:\Windows\System32\DIkFNpu.exe
  2⤵
  PID:7500
- C:\Windows\System32\nmrtMOy.exe
  C:\Windows\System32\nmrtMOy.exe
  2⤵
  PID:7528
- C:\Windows\System32\HxPAPqZ.exe
  C:\Windows\System32\HxPAPqZ.exe
  2⤵
  PID:7556
- C:\Windows\System32\TmOuEJT.exe
  C:\Windows\System32\TmOuEJT.exe
  2⤵
  PID:7584
- C:\Windows\System32\fWCYLVk.exe
  C:\Windows\System32\fWCYLVk.exe
  2⤵
  PID:7612
- C:\Windows\System32\fNWikWi.exe
  C:\Windows\System32\fNWikWi.exe
  2⤵
  PID:7648
- C:\Windows\System32\AhNwtUU.exe
  C:\Windows\System32\AhNwtUU.exe
  2⤵
  PID:7668
- C:\Windows\System32\TBzcGwj.exe
  C:\Windows\System32\TBzcGwj.exe
  2⤵
  PID:7696
- C:\Windows\System32\kWHrNwf.exe
  C:\Windows\System32\kWHrNwf.exe
  2⤵
  PID:7724
- C:\Windows\System32\JQyhkMc.exe
  C:\Windows\System32\JQyhkMc.exe
  2⤵
  PID:7752
- C:\Windows\System32\bnfaNJV.exe
  C:\Windows\System32\bnfaNJV.exe
  2⤵
  PID:7780
- C:\Windows\System32\LuLmDUf.exe
  C:\Windows\System32\LuLmDUf.exe
  2⤵
  PID:7808
- C:\Windows\System32\bMjJKBS.exe
  C:\Windows\System32\bMjJKBS.exe
  2⤵
  PID:7836
- C:\Windows\System32\RjPEltz.exe
  C:\Windows\System32\RjPEltz.exe
  2⤵
  PID:7864
- C:\Windows\System32\dVfQfzB.exe
  C:\Windows\System32\dVfQfzB.exe
  2⤵
  PID:7892
- C:\Windows\System32\UhrvTFH.exe
  C:\Windows\System32\UhrvTFH.exe
  2⤵
  PID:7920
- C:\Windows\System32\MloNGhf.exe
  C:\Windows\System32\MloNGhf.exe
  2⤵
  PID:7948
- C:\Windows\System32\OnqgKrK.exe
  C:\Windows\System32\OnqgKrK.exe
  2⤵
  PID:7976
- C:\Windows\System32\phpCFYX.exe
  C:\Windows\System32\phpCFYX.exe
  2⤵
  PID:8004
- C:\Windows\System32\sTxnMuU.exe
  C:\Windows\System32\sTxnMuU.exe
  2⤵
  PID:8032
- C:\Windows\System32\UHAdgYs.exe
  C:\Windows\System32\UHAdgYs.exe
  2⤵
  PID:8060
- C:\Windows\System32\fdgwnGB.exe
  C:\Windows\System32\fdgwnGB.exe
  2⤵
  PID:8096
- C:\Windows\System32\UbfXJYp.exe
  C:\Windows\System32\UbfXJYp.exe
  2⤵
  PID:8116
- C:\Windows\System32\JtJUWGu.exe
  C:\Windows\System32\JtJUWGu.exe
  2⤵
  PID:8144
- C:\Windows\System32\xthvEjo.exe
  C:\Windows\System32\xthvEjo.exe
  2⤵
  PID:8180
- C:\Windows\System32\lmWBcaK.exe
  C:\Windows\System32\lmWBcaK.exe
  2⤵
  PID:6336
- C:\Windows\System32\icGcWev.exe
  C:\Windows\System32\icGcWev.exe
  2⤵
  PID:6784
- C:\Windows\System32\qqJQXrL.exe
  C:\Windows\System32\qqJQXrL.exe
  2⤵
  PID:6944
- C:\Windows\System32\rtCFnfu.exe
  C:\Windows\System32\rtCFnfu.exe
  2⤵
  PID:6188
- C:\Windows\System32\GTaKLyf.exe
  C:\Windows\System32\GTaKLyf.exe
  2⤵
  PID:7216
- C:\Windows\System32\nxlEoWs.exe
  C:\Windows\System32\nxlEoWs.exe
  2⤵
  PID:7264
- C:\Windows\System32\zcEEwFS.exe
  C:\Windows\System32\zcEEwFS.exe
  2⤵
  PID:7404
- C:\Windows\System32\BWVbEkf.exe
  C:\Windows\System32\BWVbEkf.exe
  2⤵
  PID:7460
- C:\Windows\System32\yFqGDDX.exe
  C:\Windows\System32\yFqGDDX.exe
  2⤵
  PID:7516
- C:\Windows\System32\tMxXllc.exe
  C:\Windows\System32\tMxXllc.exe
  2⤵
  PID:7644
- C:\Windows\System32\ljXMbSi.exe
  C:\Windows\System32\ljXMbSi.exe
  2⤵
  PID:7680
- C:\Windows\System32\SEbJYlB.exe
  C:\Windows\System32\SEbJYlB.exe
  2⤵
  PID:7740
- C:\Windows\System32\LiQMbdJ.exe
  C:\Windows\System32\LiQMbdJ.exe
  2⤵
  PID:7824
- C:\Windows\System32\TLhVrLQ.exe
  C:\Windows\System32\TLhVrLQ.exe
  2⤵
  PID:1960
- C:\Windows\System32\hJVKJpy.exe
  C:\Windows\System32\hJVKJpy.exe
  2⤵
  PID:8020
- C:\Windows\System32\tccOfNy.exe
  C:\Windows\System32\tccOfNy.exe
  2⤵
  PID:8084
- C:\Windows\System32\ldIERud.exe
  C:\Windows\System32\ldIERud.exe
  2⤵
  PID:3980
- C:\Windows\System32\vYiezyL.exe
  C:\Windows\System32\vYiezyL.exe
  2⤵
  PID:8128
- C:\Windows\System32\ltzKXHF.exe
  C:\Windows\System32\ltzKXHF.exe
  2⤵
  PID:5080
- C:\Windows\System32\bXtiHfq.exe
  C:\Windows\System32\bXtiHfq.exe
  2⤵
  PID:6568
- C:\Windows\System32\TgPMUWX.exe
  C:\Windows\System32\TgPMUWX.exe
  2⤵
  PID:1744
- C:\Windows\System32\ExIMRSC.exe
  C:\Windows\System32\ExIMRSC.exe
  2⤵
  PID:4516
- C:\Windows\System32\RVifrbS.exe
  C:\Windows\System32\RVifrbS.exe
  2⤵
  PID:4416
- C:\Windows\System32\FfeQqkr.exe
  C:\Windows\System32\FfeQqkr.exe
  2⤵
  PID:7272
- C:\Windows\System32\eKWWvby.exe
  C:\Windows\System32\eKWWvby.exe
  2⤵
  PID:1632
- C:\Windows\System32\nZdNnTa.exe
  C:\Windows\System32\nZdNnTa.exe
  2⤵
  PID:4440
- C:\Windows\System32\BwdqvZo.exe
  C:\Windows\System32\BwdqvZo.exe
  2⤵
  PID:4384
- C:\Windows\System32\FfqNjSl.exe
  C:\Windows\System32\FfqNjSl.exe
  2⤵
  PID:7880
- C:\Windows\System32\QduhsjN.exe
  C:\Windows\System32\QduhsjN.exe
  2⤵
  PID:8156
- C:\Windows\System32\ujXPbHO.exe
  C:\Windows\System32\ujXPbHO.exe
  2⤵
  PID:4560
- C:\Windows\System32\QsmUbJP.exe
  C:\Windows\System32\QsmUbJP.exe
  2⤵
  PID:4480
- C:\Windows\System32\AzUyIHo.exe
  C:\Windows\System32\AzUyIHo.exe
  2⤵
  PID:1432
- C:\Windows\System32\EmDTnbE.exe
  C:\Windows\System32\EmDTnbE.exe
  2⤵
  PID:4660
- C:\Windows\System32\yTaXlSB.exe
  C:\Windows\System32\yTaXlSB.exe
  2⤵
  PID:7660
- C:\Windows\System32\FYdoTIw.exe
  C:\Windows\System32\FYdoTIw.exe
  2⤵
  PID:6888
- C:\Windows\System32\EluzHgp.exe
  C:\Windows\System32\EluzHgp.exe
  2⤵
  PID:1712
- C:\Windows\System32\RVRRjTg.exe
  C:\Windows\System32\RVRRjTg.exe
  2⤵
  PID:7412
- C:\Windows\System32\orUEwWN.exe
  C:\Windows\System32\orUEwWN.exe
  2⤵
  PID:4216
- C:\Windows\System32\oUBTkeh.exe
  C:\Windows\System32\oUBTkeh.exe
  2⤵
  PID:7400
- C:\Windows\System32\BUPZvnZ.exe
  C:\Windows\System32\BUPZvnZ.exe
  2⤵
  PID:7992
- C:\Windows\System32\Tiyrlhp.exe
  C:\Windows\System32\Tiyrlhp.exe
  2⤵
  PID:1620
- C:\Windows\System32\PKPUPFr.exe
  C:\Windows\System32\PKPUPFr.exe
  2⤵
  PID:1124
- C:\Windows\System32\oJkFceI.exe
  C:\Windows\System32\oJkFceI.exe
  2⤵
  PID:7608
- C:\Windows\System32\IUKHgng.exe
  C:\Windows\System32\IUKHgng.exe
  2⤵
  PID:7432
- C:\Windows\System32\FLwSoUS.exe
  C:\Windows\System32\FLwSoUS.exe
  2⤵
  PID:8204
- C:\Windows\System32\eWUYJww.exe
  C:\Windows\System32\eWUYJww.exe
  2⤵
  PID:8244
- C:\Windows\System32\vgfZUjq.exe
  C:\Windows\System32\vgfZUjq.exe
  2⤵
  PID:8260
- C:\Windows\System32\khpDSoL.exe
  C:\Windows\System32\khpDSoL.exe
  2⤵
  PID:8296
- C:\Windows\System32\KfzVLRr.exe
  C:\Windows\System32\KfzVLRr.exe
  2⤵
  PID:8320
- C:\Windows\System32\ZgAPHqK.exe
  C:\Windows\System32\ZgAPHqK.exe
  2⤵
  PID:8352
- C:\Windows\System32\hbsvpeK.exe
  C:\Windows\System32\hbsvpeK.exe
  2⤵
  PID:8376
- C:\Windows\System32\IhBfzmW.exe
  C:\Windows\System32\IhBfzmW.exe
  2⤵
  PID:8392
- C:\Windows\System32\mhhiOWk.exe
  C:\Windows\System32\mhhiOWk.exe
  2⤵
  PID:8440
- C:\Windows\System32\cWtjAxh.exe
  C:\Windows\System32\cWtjAxh.exe
  2⤵
  PID:8472
- C:\Windows\System32\ypBGpMf.exe
  C:\Windows\System32\ypBGpMf.exe
  2⤵
  PID:8504
- C:\Windows\System32\LFAXjxn.exe
  C:\Windows\System32\LFAXjxn.exe
  2⤵
  PID:8532
- C:\Windows\System32\mBBjMKR.exe
  C:\Windows\System32\mBBjMKR.exe
  2⤵
  PID:8564
- C:\Windows\System32\DWWcgWT.exe
  C:\Windows\System32\DWWcgWT.exe
  2⤵
  PID:8592
- C:\Windows\System32\ygAzWLu.exe
  C:\Windows\System32\ygAzWLu.exe
  2⤵
  PID:8620
- C:\Windows\System32\fzRFDbq.exe
  C:\Windows\System32\fzRFDbq.exe
  2⤵
  PID:8652
- C:\Windows\System32\GgTLWCm.exe
  C:\Windows\System32\GgTLWCm.exe
  2⤵
  PID:8676
- C:\Windows\System32\blTffTS.exe
  C:\Windows\System32\blTffTS.exe
  2⤵
  PID:8708
- C:\Windows\System32\Oodzqcv.exe
  C:\Windows\System32\Oodzqcv.exe
  2⤵
  PID:8740
- C:\Windows\System32\GXWUTYf.exe
  C:\Windows\System32\GXWUTYf.exe
  2⤵
  PID:8768
- C:\Windows\System32\ulSvyyh.exe
  C:\Windows\System32\ulSvyyh.exe
  2⤵
  PID:8796
- C:\Windows\System32\pxYhrbO.exe
  C:\Windows\System32\pxYhrbO.exe
  2⤵
  PID:8828
- C:\Windows\System32\DXETkzJ.exe
  C:\Windows\System32\DXETkzJ.exe
  2⤵
  PID:8852
- C:\Windows\System32\VclDCcP.exe
  C:\Windows\System32\VclDCcP.exe
  2⤵
  PID:8884
- C:\Windows\System32\INXRoQF.exe
  C:\Windows\System32\INXRoQF.exe
  2⤵
  PID:8916
- C:\Windows\System32\Qwwwjhl.exe
  C:\Windows\System32\Qwwwjhl.exe
  2⤵
  PID:8956
- C:\Windows\System32\EFsaVcs.exe
  C:\Windows\System32\EFsaVcs.exe
  2⤵
  PID:8972
- C:\Windows\System32\HnTFdgx.exe
  C:\Windows\System32\HnTFdgx.exe
  2⤵
  PID:9000
- C:\Windows\System32\tivlZIM.exe
  C:\Windows\System32\tivlZIM.exe
  2⤵
  PID:9028
- C:\Windows\System32\RHEOvqK.exe
  C:\Windows\System32\RHEOvqK.exe
  2⤵
  PID:9056
- C:\Windows\System32\XQMGqJY.exe
  C:\Windows\System32\XQMGqJY.exe
  2⤵
  PID:9084
- C:\Windows\System32\QYcnLDC.exe
  C:\Windows\System32\QYcnLDC.exe
  2⤵
  PID:9112
- C:\Windows\System32\hmSjFVt.exe
  C:\Windows\System32\hmSjFVt.exe
  2⤵
  PID:9140
- C:\Windows\System32\FdryQwA.exe
  C:\Windows\System32\FdryQwA.exe
  2⤵
  PID:9176
- C:\Windows\System32\OCopBHu.exe
  C:\Windows\System32\OCopBHu.exe
  2⤵
  PID:9208
- C:\Windows\System32\IKeWARY.exe
  C:\Windows\System32\IKeWARY.exe
  2⤵
  PID:8224
- C:\Windows\System32\nSySqLe.exe
  C:\Windows\System32\nSySqLe.exe
  2⤵
  PID:8256
- C:\Windows\System32\zcYblZz.exe
  C:\Windows\System32\zcYblZz.exe
  2⤵
  PID:8368
- C:\Windows\System32\rIGkmnL.exe
  C:\Windows\System32\rIGkmnL.exe
  2⤵
  PID:8428
- C:\Windows\System32\clGlBdd.exe
  C:\Windows\System32\clGlBdd.exe
  2⤵
  PID:8500
- C:\Windows\System32\vGTaRAz.exe
  C:\Windows\System32\vGTaRAz.exe
  2⤵
  PID:8552
- C:\Windows\System32\cgyuwEc.exe
  C:\Windows\System32\cgyuwEc.exe
  2⤵
  PID:8616
- C:\Windows\System32\utxCIDY.exe
  C:\Windows\System32\utxCIDY.exe
  2⤵
  PID:8692
- C:\Windows\System32\dlpwoCr.exe
  C:\Windows\System32\dlpwoCr.exe
  2⤵
  PID:8760
- C:\Windows\System32\SYXZusA.exe
  C:\Windows\System32\SYXZusA.exe
  2⤵
  PID:8820
- C:\Windows\System32\tsdCMvR.exe
  C:\Windows\System32\tsdCMvR.exe
  2⤵
  PID:8896
- C:\Windows\System32\ZUkZUew.exe
  C:\Windows\System32\ZUkZUew.exe
  2⤵
  PID:8948
- C:\Windows\System32\qOgANUI.exe
  C:\Windows\System32\qOgANUI.exe
  2⤵
  PID:8996
- C:\Windows\System32\QpwhMOS.exe
  C:\Windows\System32\QpwhMOS.exe
  2⤵
  PID:9068
- C:\Windows\System32\GWRQmQK.exe
  C:\Windows\System32\GWRQmQK.exe
  2⤵
  PID:9184
- C:\Windows\System32\KdFdxGo.exe
  C:\Windows\System32\KdFdxGo.exe
  2⤵
  PID:8220
- C:\Windows\System32\jEijyhd.exe
  C:\Windows\System32\jEijyhd.exe
  2⤵
  PID:8240
- C:\Windows\System32\qHAtxyY.exe
  C:\Windows\System32\qHAtxyY.exe
  2⤵
  PID:8452
- C:\Windows\System32\MsinScy.exe
  C:\Windows\System32\MsinScy.exe
  2⤵
  PID:8668
- C:\Windows\System32\OmvQZpZ.exe
  C:\Windows\System32\OmvQZpZ.exe
  2⤵
  PID:8812
- C:\Windows\System32\KgThSWJ.exe
  C:\Windows\System32\KgThSWJ.exe
  2⤵
  PID:9048
- C:\Windows\System32\CiUQtKM.exe
  C:\Windows\System32\CiUQtKM.exe
  2⤵
  PID:9164
- C:\Windows\System32\SQnOStE.exe
  C:\Windows\System32\SQnOStE.exe
  2⤵
  PID:8412
- C:\Windows\System32\EIxVpxJ.exe
  C:\Windows\System32\EIxVpxJ.exe
  2⤵
  PID:8872
- C:\Windows\System32\ovttNts.exe
  C:\Windows\System32\ovttNts.exe
  2⤵
  PID:8200
- C:\Windows\System32\KERIQYJ.exe
  C:\Windows\System32\KERIQYJ.exe
  2⤵
  PID:8580
- C:\Windows\System32\EGSlsRG.exe
  C:\Windows\System32\EGSlsRG.exe
  2⤵
  PID:9232
- C:\Windows\System32\AgazNVw.exe
  C:\Windows\System32\AgazNVw.exe
  2⤵
  PID:9260
- C:\Windows\System32\ILEwWgf.exe
  C:\Windows\System32\ILEwWgf.exe
  2⤵
  PID:9288
- C:\Windows\System32\MVdmxLH.exe
  C:\Windows\System32\MVdmxLH.exe
  2⤵
  PID:9316
- C:\Windows\System32\QIBvPeX.exe
  C:\Windows\System32\QIBvPeX.exe
  2⤵
  PID:9344
- C:\Windows\System32\drhiHvq.exe
  C:\Windows\System32\drhiHvq.exe
  2⤵
  PID:9368
- C:\Windows\System32\KbxMIZn.exe
  C:\Windows\System32\KbxMIZn.exe
  2⤵
  PID:9400
- C:\Windows\System32\qDNzqRp.exe
  C:\Windows\System32\qDNzqRp.exe
  2⤵
  PID:9428
- C:\Windows\System32\TDwVpBg.exe
  C:\Windows\System32\TDwVpBg.exe
  2⤵
  PID:9456
- C:\Windows\System32\qapuJkz.exe
  C:\Windows\System32\qapuJkz.exe
  2⤵
  PID:9484
- C:\Windows\System32\hIkjWBd.exe
  C:\Windows\System32\hIkjWBd.exe
  2⤵
  PID:9512
- C:\Windows\System32\yXVLqRX.exe
  C:\Windows\System32\yXVLqRX.exe
  2⤵
  PID:9528
- C:\Windows\System32\uzDoOuz.exe
  C:\Windows\System32\uzDoOuz.exe
  2⤵
  PID:9568
- C:\Windows\System32\DQRIGJD.exe
  C:\Windows\System32\DQRIGJD.exe
  2⤵
  PID:9596
- C:\Windows\System32\cUWmfpr.exe
  C:\Windows\System32\cUWmfpr.exe
  2⤵
  PID:9624
- C:\Windows\System32\SIxnhVz.exe
  C:\Windows\System32\SIxnhVz.exe
  2⤵
  PID:9652
- C:\Windows\System32\mqFbOAi.exe
  C:\Windows\System32\mqFbOAi.exe
  2⤵
  PID:9680
- C:\Windows\System32\wCzYGrI.exe
  C:\Windows\System32\wCzYGrI.exe
  2⤵
  PID:9696
- C:\Windows\System32\BJzTcdu.exe
  C:\Windows\System32\BJzTcdu.exe
  2⤵
  PID:9716
- C:\Windows\System32\XVFpInf.exe
  C:\Windows\System32\XVFpInf.exe
  2⤵
  PID:9764
- C:\Windows\System32\qlsCCVR.exe
  C:\Windows\System32\qlsCCVR.exe
  2⤵
  PID:9792
- C:\Windows\System32\ligSzXw.exe
  C:\Windows\System32\ligSzXw.exe
  2⤵
  PID:9820
- C:\Windows\System32\Mglilib.exe
  C:\Windows\System32\Mglilib.exe
  2⤵
  PID:9848
- C:\Windows\System32\hBsYHYS.exe
  C:\Windows\System32\hBsYHYS.exe
  2⤵
  PID:9876
- C:\Windows\System32\fdmVUVi.exe
  C:\Windows\System32\fdmVUVi.exe
  2⤵
  PID:9904
- C:\Windows\System32\gZwQXSJ.exe
  C:\Windows\System32\gZwQXSJ.exe
  2⤵
  PID:9932
- C:\Windows\System32\zIwWyrj.exe
  C:\Windows\System32\zIwWyrj.exe
  2⤵
  PID:9952
- C:\Windows\System32\cJIzhkX.exe
  C:\Windows\System32\cJIzhkX.exe
  2⤵
  PID:9980
- C:\Windows\System32\YrQKove.exe
  C:\Windows\System32\YrQKove.exe
  2⤵
  PID:10016
- C:\Windows\System32\LFpohfq.exe
  C:\Windows\System32\LFpohfq.exe
  2⤵
  PID:10032
- C:\Windows\System32\jMIgIVV.exe
  C:\Windows\System32\jMIgIVV.exe
  2⤵
  PID:10060
- C:\Windows\System32\MhNnNxg.exe
  C:\Windows\System32\MhNnNxg.exe
  2⤵
  PID:10088
- C:\Windows\System32\cEeRJtt.exe
  C:\Windows\System32\cEeRJtt.exe
  2⤵
  PID:10128
- C:\Windows\System32\ZSzrKsh.exe
  C:\Windows\System32\ZSzrKsh.exe
  2⤵
  PID:10164
- C:\Windows\System32\budPobf.exe
  C:\Windows\System32\budPobf.exe
  2⤵
  PID:10196
- C:\Windows\System32\FhmtPHC.exe
  C:\Windows\System32\FhmtPHC.exe
  2⤵
  PID:9124
- C:\Windows\System32\zjWmDoZ.exe
  C:\Windows\System32\zjWmDoZ.exe
  2⤵
  PID:9284
- C:\Windows\System32\kSyEleC.exe
  C:\Windows\System32\kSyEleC.exe
  2⤵
  PID:9356
- C:\Windows\System32\RkwXVKK.exe
  C:\Windows\System32\RkwXVKK.exe
  2⤵
  PID:9448
- C:\Windows\System32\FRwXAiI.exe
  C:\Windows\System32\FRwXAiI.exe
  2⤵
  PID:9480
- C:\Windows\System32\hXpBXUv.exe
  C:\Windows\System32\hXpBXUv.exe
  2⤵
  PID:9564
- C:\Windows\System32\gXNxaiU.exe
  C:\Windows\System32\gXNxaiU.exe
  2⤵
  PID:9636
- C:\Windows\System32\YovKZfb.exe
  C:\Windows\System32\YovKZfb.exe
  2⤵
  PID:9692
- C:\Windows\System32\lINjdnk.exe
  C:\Windows\System32\lINjdnk.exe
  2⤵
  PID:9752
- C:\Windows\System32\BEVOmNE.exe
  C:\Windows\System32\BEVOmNE.exe
  2⤵
  PID:9840
- C:\Windows\System32\RwuFhYv.exe
  C:\Windows\System32\RwuFhYv.exe
  2⤵
  PID:9900
- C:\Windows\System32\vlOImio.exe
  C:\Windows\System32\vlOImio.exe
  2⤵
  PID:9944
- C:\Windows\System32\OMNPvVR.exe
  C:\Windows\System32\OMNPvVR.exe
  2⤵
  PID:10012
- C:\Windows\System32\VlLzXwh.exe
  C:\Windows\System32\VlLzXwh.exe
  2⤵
  PID:10080
- C:\Windows\System32\NgUqHNv.exe
  C:\Windows\System32\NgUqHNv.exe
  2⤵
  PID:10148
- C:\Windows\System32\WSDJFaa.exe
  C:\Windows\System32\WSDJFaa.exe
  2⤵
  PID:10208
- C:\Windows\System32\qUVKwWo.exe
  C:\Windows\System32\qUVKwWo.exe
  2⤵
  PID:9336
- C:\Windows\System32\BmAIykx.exe
  C:\Windows\System32\BmAIykx.exe
  2⤵
  PID:9452
- C:\Windows\System32\OQkqnDy.exe
  C:\Windows\System32\OQkqnDy.exe
  2⤵
  PID:9668
- C:\Windows\System32\xtrpMDI.exe
  C:\Windows\System32\xtrpMDI.exe
  2⤵
  PID:9808
- C:\Windows\System32\oixkMkP.exe
  C:\Windows\System32\oixkMkP.exe
  2⤵
  PID:4984
- C:\Windows\System32\dgssrPJ.exe
  C:\Windows\System32\dgssrPJ.exe
  2⤵
  PID:10104
- C:\Windows\System32\GAcOtyM.exe
  C:\Windows\System32\GAcOtyM.exe
  2⤵
  PID:9252
- C:\Windows\System32\XcgNrzA.exe
  C:\Windows\System32\XcgNrzA.exe
  2⤵
  PID:9424
- C:\Windows\System32\lSGrqux.exe
  C:\Windows\System32\lSGrqux.exe
  2⤵
  PID:9892
- C:\Windows\System32\sCrTRie.exe
  C:\Windows\System32\sCrTRie.exe
  2⤵
  PID:9788
- C:\Windows\System32\VDErMuu.exe
  C:\Windows\System32\VDErMuu.exe
  2⤵
  PID:9420
- C:\Windows\System32\NVNdfFc.exe
  C:\Windows\System32\NVNdfFc.exe
  2⤵
  PID:10256
- C:\Windows\System32\lcBTYGp.exe
  C:\Windows\System32\lcBTYGp.exe
  2⤵
  PID:10276
- C:\Windows\System32\DhDOLuJ.exe
  C:\Windows\System32\DhDOLuJ.exe
  2⤵
  PID:10300
- C:\Windows\System32\LNEmMjP.exe
  C:\Windows\System32\LNEmMjP.exe
  2⤵
  PID:10332
- C:\Windows\System32\IIxEasR.exe
  C:\Windows\System32\IIxEasR.exe
  2⤵
  PID:10368
- C:\Windows\System32\NhBXMbM.exe
  C:\Windows\System32\NhBXMbM.exe
  2⤵
  PID:10396
- C:\Windows\System32\yfaIXMk.exe
  C:\Windows\System32\yfaIXMk.exe
  2⤵
  PID:10424
- C:\Windows\System32\YMirdhX.exe
  C:\Windows\System32\YMirdhX.exe
  2⤵
  PID:10452
- C:\Windows\System32\ywboBzX.exe
  C:\Windows\System32\ywboBzX.exe
  2⤵
  PID:10480
- C:\Windows\System32\tsHLoUB.exe
  C:\Windows\System32\tsHLoUB.exe
  2⤵
  PID:10524
- C:\Windows\System32\kiubyVH.exe
  C:\Windows\System32\kiubyVH.exe
  2⤵
  PID:10552
- C:\Windows\System32\AazgiYP.exe
  C:\Windows\System32\AazgiYP.exe
  2⤵
  PID:10580
- C:\Windows\System32\JvTBGcT.exe
  C:\Windows\System32\JvTBGcT.exe
  2⤵
  PID:10632
- C:\Windows\System32\bIxdmIe.exe
  C:\Windows\System32\bIxdmIe.exe
  2⤵
  PID:10672
- C:\Windows\System32\YlqwCfZ.exe
  C:\Windows\System32\YlqwCfZ.exe
  2⤵
  PID:10716
- C:\Windows\System32\obonuqM.exe
  C:\Windows\System32\obonuqM.exe
  2⤵
  PID:10748
- C:\Windows\System32\ShykGLA.exe
  C:\Windows\System32\ShykGLA.exe
  2⤵
  PID:10776
- C:\Windows\System32\SIVlbLb.exe
  C:\Windows\System32\SIVlbLb.exe
  2⤵
  PID:10812
- C:\Windows\System32\OdzqkjP.exe
  C:\Windows\System32\OdzqkjP.exe
  2⤵
  PID:10884
- C:\Windows\System32\ZGbswOM.exe
  C:\Windows\System32\ZGbswOM.exe
  2⤵
  PID:10936
- C:\Windows\System32\PbCjzOF.exe
  C:\Windows\System32\PbCjzOF.exe
  2⤵
  PID:10976
- C:\Windows\System32\tZBshJa.exe
  C:\Windows\System32\tZBshJa.exe
  2⤵
  PID:11004
- C:\Windows\System32\JdFavrz.exe
  C:\Windows\System32\JdFavrz.exe
  2⤵
  PID:11036
- C:\Windows\System32\KjFtbnK.exe
  C:\Windows\System32\KjFtbnK.exe
  2⤵
  PID:11064
- C:\Windows\System32\JYQrThw.exe
  C:\Windows\System32\JYQrThw.exe
  2⤵
  PID:11108
- C:\Windows\System32\NWxOkGa.exe
  C:\Windows\System32\NWxOkGa.exe
  2⤵
  PID:11128
- C:\Windows\System32\qJaSlYz.exe
  C:\Windows\System32\qJaSlYz.exe
  2⤵
  PID:11160
- C:\Windows\System32\cUALvZv.exe
  C:\Windows\System32\cUALvZv.exe
  2⤵
  PID:11192
- C:\Windows\System32\kVrYQaR.exe
  C:\Windows\System32\kVrYQaR.exe
  2⤵
  PID:11232
- C:\Windows\System32\RdDayxe.exe
  C:\Windows\System32\RdDayxe.exe
  2⤵
  PID:11260
- C:\Windows\System32\UAUuKop.exe
  C:\Windows\System32\UAUuKop.exe
  2⤵
  PID:10296
- C:\Windows\System32\bUyKsYJ.exe
  C:\Windows\System32\bUyKsYJ.exe
  2⤵
  PID:10360
- C:\Windows\System32\FTXCIvp.exe
  C:\Windows\System32\FTXCIvp.exe
  2⤵
  PID:10420
- C:\Windows\System32\zFPzuoH.exe
  C:\Windows\System32\zFPzuoH.exe
  2⤵
  PID:10492
- C:\Windows\System32\oRDgjAZ.exe
  C:\Windows\System32\oRDgjAZ.exe
  2⤵
  PID:10576
- C:\Windows\System32\aaGNIqZ.exe
  C:\Windows\System32\aaGNIqZ.exe
  2⤵
  PID:10656
- C:\Windows\System32\QNzOfDR.exe
  C:\Windows\System32\QNzOfDR.exe
  2⤵
  PID:10764
- C:\Windows\System32\fDZsROc.exe
  C:\Windows\System32\fDZsROc.exe
  2⤵
  PID:10856
- C:\Windows\System32\RDhMTvm.exe
  C:\Windows\System32\RDhMTvm.exe
  2⤵
  PID:10968
- C:\Windows\System32\EBKjVSD.exe
  C:\Windows\System32\EBKjVSD.exe
  2⤵
  PID:11020
- C:\Windows\System32\cxocexZ.exe
  C:\Windows\System32\cxocexZ.exe
  2⤵
  PID:11104
- C:\Windows\System32\iELSRxq.exe
  C:\Windows\System32\iELSRxq.exe
  2⤵
  PID:11180
- C:\Windows\System32\IZETUJw.exe
  C:\Windows\System32\IZETUJw.exe
  2⤵
  PID:10244
- C:\Windows\System32\FTiXgwH.exe
  C:\Windows\System32\FTiXgwH.exe
  2⤵
  PID:10408
- C:\Windows\System32\AlFtazw.exe
  C:\Windows\System32\AlFtazw.exe
  2⤵
  PID:10572
- C:\Windows\System32\BARBVrx.exe
  C:\Windows\System32\BARBVrx.exe
  2⤵
  PID:10788
- C:\Windows\System32\cFkBZtG.exe
  C:\Windows\System32\cFkBZtG.exe
  2⤵
  PID:11032
- C:\Windows\System32\dxygGSC.exe
  C:\Windows\System32\dxygGSC.exe
  2⤵
  PID:11256
- C:\Windows\System32\WtiRbmN.exe
  C:\Windows\System32\WtiRbmN.exe
  2⤵
  PID:10660
- C:\Windows\System32\ClkfaUV.exe
  C:\Windows\System32\ClkfaUV.exe
  2⤵
  PID:11252
- C:\Windows\System32\etkAPqm.exe
  C:\Windows\System32\etkAPqm.exe
  2⤵
  PID:10548
- C:\Windows\System32\EGAZTQQ.exe
  C:\Windows\System32\EGAZTQQ.exe
  2⤵
  PID:11280
- C:\Windows\System32\dDWgWXS.exe
  C:\Windows\System32\dDWgWXS.exe
  2⤵
  PID:11320
- C:\Windows\System32\VuBrYPf.exe
  C:\Windows\System32\VuBrYPf.exe
  2⤵
  PID:11348
- C:\Windows\System32\jvMpjHa.exe
  C:\Windows\System32\jvMpjHa.exe
  2⤵
  PID:11376
- C:\Windows\System32\cnwvRRk.exe
  C:\Windows\System32\cnwvRRk.exe
  2⤵
  PID:11404
- C:\Windows\System32\UhXupXX.exe
  C:\Windows\System32\UhXupXX.exe
  2⤵
  PID:11440
- C:\Windows\System32\NifqgmU.exe
  C:\Windows\System32\NifqgmU.exe
  2⤵
  PID:11460
- C:\Windows\System32\KTioDbQ.exe
  C:\Windows\System32\KTioDbQ.exe
  2⤵
  PID:11488
- C:\Windows\System32\SUjWWCi.exe
  C:\Windows\System32\SUjWWCi.exe
  2⤵
  PID:11516
- C:\Windows\System32\IOiMmAK.exe
  C:\Windows\System32\IOiMmAK.exe
  2⤵
  PID:11544
- C:\Windows\System32\FpKGHHr.exe
  C:\Windows\System32\FpKGHHr.exe
  2⤵
  PID:11576
- C:\Windows\System32\SFnKavq.exe
  C:\Windows\System32\SFnKavq.exe
  2⤵
  PID:11600
- C:\Windows\System32\UKeVQHD.exe
  C:\Windows\System32\UKeVQHD.exe
  2⤵
  PID:11628
- C:\Windows\System32\LeDuURA.exe
  C:\Windows\System32\LeDuURA.exe
  2⤵
  PID:11656
- C:\Windows\System32\zwmgafP.exe
  C:\Windows\System32\zwmgafP.exe
  2⤵
  PID:11684
- C:\Windows\System32\IHTvzAB.exe
  C:\Windows\System32\IHTvzAB.exe
  2⤵
  PID:11712
- C:\Windows\System32\uvIENhU.exe
  C:\Windows\System32\uvIENhU.exe
  2⤵
  PID:11744
- C:\Windows\System32\oprNwAh.exe
  C:\Windows\System32\oprNwAh.exe
  2⤵
  PID:11772
- C:\Windows\System32\wFPYYQe.exe
  C:\Windows\System32\wFPYYQe.exe
  2⤵
  PID:11800
- C:\Windows\System32\QPUjYxc.exe
  C:\Windows\System32\QPUjYxc.exe
  2⤵
  PID:11828
- C:\Windows\System32\FFVYCIo.exe
  C:\Windows\System32\FFVYCIo.exe
  2⤵
  PID:11860
- C:\Windows\System32\XBhNdiA.exe
  C:\Windows\System32\XBhNdiA.exe
  2⤵
  PID:11888
- C:\Windows\System32\cKOlfmk.exe
  C:\Windows\System32\cKOlfmk.exe
  2⤵
  PID:11916
- C:\Windows\System32\iwfkbWi.exe
  C:\Windows\System32\iwfkbWi.exe
  2⤵
  PID:11952
- C:\Windows\System32\ovCDIAd.exe
  C:\Windows\System32\ovCDIAd.exe
  2⤵
  PID:11972
- C:\Windows\System32\FIoVRXj.exe
  C:\Windows\System32\FIoVRXj.exe
  2⤵
  PID:12008
- C:\Windows\System32\RsyjSph.exe
  C:\Windows\System32\RsyjSph.exe
  2⤵
  PID:12040
- C:\Windows\System32\WtylMGF.exe
  C:\Windows\System32\WtylMGF.exe
  2⤵
  PID:12068
- C:\Windows\System32\sceaHNe.exe
  C:\Windows\System32\sceaHNe.exe
  2⤵
  PID:12096
- C:\Windows\System32\iGaipaa.exe
  C:\Windows\System32\iGaipaa.exe
  2⤵
  PID:12124
- C:\Windows\System32\diyOige.exe
  C:\Windows\System32\diyOige.exe
  2⤵
  PID:12160
- C:\Windows\System32\UPcJtYY.exe
  C:\Windows\System32\UPcJtYY.exe
  2⤵
  PID:12188
- C:\Windows\System32\GavnrYf.exe
  C:\Windows\System32\GavnrYf.exe
  2⤵
  PID:12216
- C:\Windows\System32\NzuxfLn.exe
  C:\Windows\System32\NzuxfLn.exe
  2⤵
  PID:12244
- C:\Windows\System32\pFAWbtt.exe
  C:\Windows\System32\pFAWbtt.exe
  2⤵
  PID:12272
- C:\Windows\System32\PPfpCUD.exe
  C:\Windows\System32\PPfpCUD.exe
  2⤵
  PID:11272
- C:\Windows\System32\soBAesU.exe
  C:\Windows\System32\soBAesU.exe
  2⤵
  PID:11344
- C:\Windows\System32\GDphkeh.exe
  C:\Windows\System32\GDphkeh.exe
  2⤵
  PID:11416
- C:\Windows\System32\oxHrIzY.exe
  C:\Windows\System32\oxHrIzY.exe
  2⤵
  PID:11472
- C:\Windows\System32\yEcHRRo.exe
  C:\Windows\System32\yEcHRRo.exe
  2⤵
  PID:11536
- C:\Windows\System32\sIxslOg.exe
  C:\Windows\System32\sIxslOg.exe
  2⤵
  PID:11596
- C:\Windows\System32\RrobYYO.exe
  C:\Windows\System32\RrobYYO.exe
  2⤵
  PID:11668
- C:\Windows\System32\APEdHWe.exe
  C:\Windows\System32\APEdHWe.exe
  2⤵
  PID:11732
- C:\Windows\System32\Lapkecy.exe
  C:\Windows\System32\Lapkecy.exe
  2⤵
  PID:11796
- C:\Windows\System32\lWxQHCh.exe
  C:\Windows\System32\lWxQHCh.exe
  2⤵
  PID:11872
- C:\Windows\System32\QKxEvfC.exe
  C:\Windows\System32\QKxEvfC.exe
  2⤵
  PID:11936
- C:\Windows\System32\JRuSVPx.exe
  C:\Windows\System32\JRuSVPx.exe
  2⤵
  PID:12000
- C:\Windows\System32\lxeLold.exe
  C:\Windows\System32\lxeLold.exe
  2⤵
  PID:12080
- C:\Windows\System32\jyFuDvz.exe
  C:\Windows\System32\jyFuDvz.exe
  2⤵
  PID:12156
- C:\Windows\System32\OtmWoiz.exe
  C:\Windows\System32\OtmWoiz.exe
  2⤵
  PID:12232
- C:\Windows\System32\bQmGCly.exe
  C:\Windows\System32\bQmGCly.exe
  2⤵
  PID:11156
- C:\Windows\System32\aYORReZ.exe
  C:\Windows\System32\aYORReZ.exe
  2⤵
  PID:11396
- C:\Windows\System32\mPYWkjx.exe
  C:\Windows\System32\mPYWkjx.exe
  2⤵
  PID:11592
- C:\Windows\System32\sJiAWVl.exe
  C:\Windows\System32\sJiAWVl.exe
  2⤵
  PID:11900
- C:\Windows\System32\zJCUXjS.exe
  C:\Windows\System32\zJCUXjS.exe
  2⤵
  PID:12032
- C:\Windows\System32\RHXoByx.exe
  C:\Windows\System32\RHXoByx.exe
  2⤵
  PID:12204
- C:\Windows\System32\CRvwTlt.exe
  C:\Windows\System32\CRvwTlt.exe
  2⤵
  PID:11340
- C:\Windows\System32\oSbalXc.exe
  C:\Windows\System32\oSbalXc.exe
  2⤵
  PID:11856
- C:\Windows\System32\XjgjoUf.exe
  C:\Windows\System32\XjgjoUf.exe
  2⤵
  PID:4900
- C:\Windows\System32\UbQdNcA.exe
  C:\Windows\System32\UbQdNcA.exe
  2⤵
  PID:11988
- C:\Windows\System32\MKlPyOe.exe
  C:\Windows\System32\MKlPyOe.exe
  2⤵
  PID:12292
- C:\Windows\System32\GTBVocz.exe
  C:\Windows\System32\GTBVocz.exe
  2⤵
  PID:12320
- C:\Windows\System32\RbbIqyP.exe
  C:\Windows\System32\RbbIqyP.exe
  2⤵
  PID:12348
- C:\Windows\System32\lhgdmpn.exe
  C:\Windows\System32\lhgdmpn.exe
  2⤵
  PID:12380
- C:\Windows\System32\bFxaFOE.exe
  C:\Windows\System32\bFxaFOE.exe
  2⤵
  PID:12408
- C:\Windows\System32\BBmJNCl.exe
  C:\Windows\System32\BBmJNCl.exe
  2⤵
  PID:12436
- C:\Windows\System32\OjfzHJS.exe
  C:\Windows\System32\OjfzHJS.exe
  2⤵
  PID:12464
- C:\Windows\System32\pZIhzlO.exe
  C:\Windows\System32\pZIhzlO.exe
  2⤵
  PID:12492
- C:\Windows\System32\bhwRmNW.exe
  C:\Windows\System32\bhwRmNW.exe
  2⤵
  PID:12520
- C:\Windows\System32\gjFQfgr.exe
  C:\Windows\System32\gjFQfgr.exe
  2⤵
  PID:12548
- C:\Windows\System32\CfCZfzA.exe
  C:\Windows\System32\CfCZfzA.exe
  2⤵
  PID:12576
- C:\Windows\System32\eSBVjzf.exe
  C:\Windows\System32\eSBVjzf.exe
  2⤵
  PID:12604
- C:\Windows\System32\NZeYBRn.exe
  C:\Windows\System32\NZeYBRn.exe
  2⤵
  PID:12632
- C:\Windows\System32\dogNqbG.exe
  C:\Windows\System32\dogNqbG.exe
  2⤵
  PID:12660
- C:\Windows\System32\DrZtHid.exe
  C:\Windows\System32\DrZtHid.exe
  2⤵
  PID:12688
- C:\Windows\System32\UuwgZXF.exe
  C:\Windows\System32\UuwgZXF.exe
  2⤵
  PID:12716
- C:\Windows\System32\FErfDap.exe
  C:\Windows\System32\FErfDap.exe
  2⤵
  PID:12744
- C:\Windows\System32\HXtmhPp.exe
  C:\Windows\System32\HXtmhPp.exe
  2⤵
  PID:12772
- C:\Windows\System32\tZIXajM.exe
  C:\Windows\System32\tZIXajM.exe
  2⤵
  PID:12800
- C:\Windows\System32\rVRgCDV.exe
  C:\Windows\System32\rVRgCDV.exe
  2⤵
  PID:12828
- C:\Windows\System32\BDnzPlL.exe
  C:\Windows\System32\BDnzPlL.exe
  2⤵
  PID:12856
- C:\Windows\System32\LQmhTjL.exe
  C:\Windows\System32\LQmhTjL.exe
  2⤵
  PID:12884
- C:\Windows\System32\MgAUfCs.exe
  C:\Windows\System32\MgAUfCs.exe
  2⤵
  PID:12912
- C:\Windows\System32\NtiUbpm.exe
  C:\Windows\System32\NtiUbpm.exe
  2⤵
  PID:12940
- C:\Windows\System32\YxHGjoG.exe
  C:\Windows\System32\YxHGjoG.exe
  2⤵
  PID:12968
- C:\Windows\System32\OUsulSS.exe
  C:\Windows\System32\OUsulSS.exe
  2⤵
  PID:12996
- C:\Windows\System32\nFiCQkZ.exe
  C:\Windows\System32\nFiCQkZ.exe
  2⤵
  PID:13024
- C:\Windows\System32\aNDCkFN.exe
  C:\Windows\System32\aNDCkFN.exe
  2⤵
  PID:13056
- C:\Windows\System32\FllpsjH.exe
  C:\Windows\System32\FllpsjH.exe
  2⤵
  PID:13084
- C:\Windows\System32\RqkDQwi.exe
  C:\Windows\System32\RqkDQwi.exe
  2⤵
  PID:13112
- C:\Windows\System32\tnfBxKq.exe
  C:\Windows\System32\tnfBxKq.exe
  2⤵
  PID:13140
- C:\Windows\System32\bemJLRr.exe
  C:\Windows\System32\bemJLRr.exe
  2⤵
  PID:13168
- C:\Windows\System32\NsemvtQ.exe
  C:\Windows\System32\NsemvtQ.exe
  2⤵
  PID:13208
- C:\Windows\System32\vbEZUGY.exe
  C:\Windows\System32\vbEZUGY.exe
  2⤵
  PID:13224
- C:\Windows\System32\shbFPEQ.exe
  C:\Windows\System32\shbFPEQ.exe
  2⤵
  PID:13256
- C:\Windows\System32\QYTAuht.exe
  C:\Windows\System32\QYTAuht.exe
  2⤵
  PID:13284
- C:\Windows\System32\nnYLzKA.exe
  C:\Windows\System32\nnYLzKA.exe
  2⤵
  PID:11512
- C:\Windows\System32\KsOFAiI.exe
  C:\Windows\System32\KsOFAiI.exe
  2⤵
  PID:12344
- C:\Windows\System32\PnuVMmQ.exe
  C:\Windows\System32\PnuVMmQ.exe
  2⤵
  PID:12424
- C:\Windows\System32\dZKamHf.exe
  C:\Windows\System32\dZKamHf.exe
  2⤵
  PID:532
- C:\Windows\System32\wAAoJOf.exe
  C:\Windows\System32\wAAoJOf.exe
  2⤵
  PID:12480
- C:\Windows\System32\yFozxfD.exe
  C:\Windows\System32\yFozxfD.exe
  2⤵
  PID:12512
- C:\Windows\System32\CIOCxjZ.exe
  C:\Windows\System32\CIOCxjZ.exe
  2⤵
  PID:12572
- C:\Windows\System32\hdNgYmu.exe
  C:\Windows\System32\hdNgYmu.exe
  2⤵
  PID:12644
- C:\Windows\System32\XueLxvc.exe
  C:\Windows\System32\XueLxvc.exe
  2⤵
  PID:12708
- C:\Windows\System32\tudZJpZ.exe
  C:\Windows\System32\tudZJpZ.exe
  2⤵
  PID:12764
- C:\Windows\System32\FRIYDuH.exe
  C:\Windows\System32\FRIYDuH.exe
  2⤵
  PID:12824
- C:\Windows\System32\fJaQcwH.exe
  C:\Windows\System32\fJaQcwH.exe
  2⤵
  PID:12896
- C:\Windows\System32\ozfKeNp.exe
  C:\Windows\System32\ozfKeNp.exe
  2⤵
  PID:12960
- C:\Windows\System32\pIujaDH.exe
  C:\Windows\System32\pIujaDH.exe
  2⤵
  PID:13020
- C:\Windows\System32\rHGOilJ.exe
  C:\Windows\System32\rHGOilJ.exe
  2⤵
  PID:13096
- C:\Windows\System32\Qjcqpzi.exe
  C:\Windows\System32\Qjcqpzi.exe
  2⤵
  PID:13160
- C:\Windows\System32\EMGFMrg.exe
  C:\Windows\System32\EMGFMrg.exe
  2⤵
  PID:13220
- C:\Windows\System32\PmdRmtD.exe
  C:\Windows\System32\PmdRmtD.exe
  2⤵
  PID:3604
- C:\Windows\System32\gpHtXuw.exe
  C:\Windows\System32\gpHtXuw.exe
  2⤵
  PID:13296
- C:\Windows\System32\XKebRnX.exe
  C:\Windows\System32\XKebRnX.exe
  2⤵
  PID:12400
- C:\Windows\System32\htmuPeH.exe
  C:\Windows\System32\htmuPeH.exe
  2⤵
  PID:12456
- C:\Windows\System32\yUblmFR.exe
  C:\Windows\System32\yUblmFR.exe
  2⤵
  PID:12600
- C:\Windows\System32\ELCbasl.exe
  C:\Windows\System32\ELCbasl.exe
  2⤵
  PID:12756
- C:\Windows\System32\EbEOZNT.exe
  C:\Windows\System32\EbEOZNT.exe
  2⤵
  PID:12880
- C:\Windows\System32\yrYbYda.exe
  C:\Windows\System32\yrYbYda.exe
  2⤵
  PID:13076

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:10500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ClugDvv.exe

Filesize
3.4MB

MD5
2962f42450acaa076453de22110bf978

SHA1
b20434281198bf2c419173a8e810759e58620d3e

SHA256
288c78094911e73c87aed6fd34b4f1f34ca4417fa77b4c1b510e542983fa4e3f

SHA512
f6a55bc86ab3b96403208e860fadbed674b9be7c41b41b6b813540b248d0dcf2ccf82dedfc00bc055ac1229f940f5a840903c54fa44e41ac8df59dc7884aeeb1

Download Submit
C:\Windows\System32\DqlrPni.exe

Filesize
3.4MB

MD5
dc29f0ae811ab74a183b02020e8ab0fa

SHA1
6e7839c0dee9c322bc3ac5ebb949c8c3aee7423f

SHA256
cc2e0d7d9f63a6988562c8bb557f8591753c3fa816fe8055e786125502d4e415

SHA512
6c7cbe687ae8229ac232275c6509ac0a05203d13169b92367f501ee6aeb54061f57dfcbaa8a697af7a908005f75f17069606a614a65ce754fe559f2b5393059e

Download Submit
C:\Windows\System32\FXUJjcD.exe

Filesize
3.4MB

MD5
23a4dbdaac3885b0608ea871489f2a07

SHA1
0eabbf2aa72f430066c548722cd25cfbee75ad7f

SHA256
d3deccd8039ffbe3365e5fa722efa59d5267279a15bf4131d3de5ba08f08812b

SHA512
766cd9e9f45cc02b3f46039ae98371fb9174e7d8f2a7a334543496ef514cd97ff4249f1bbe1bec8241b0931ce71009205e8257f437566874630de8e10c84d002

Download Submit
C:\Windows\System32\JCRyzUk.exe

Filesize
3.4MB

MD5
f3b71fdd489b1bd3370befcc78d6aa3c

SHA1
6fdf48816fc08b8be203b01ad809bb30623bcaa7

SHA256
1693983adc86306e73f94a69cd7037010450c90d47d184828fd3be4fb09eea34

SHA512
8a7d3c20010e3bce4e1b4e7e4b6145ee4e493637aac00ec0078faa8b47bae8edd502513ae4c14b9af9ad0c13f42870a1427563192adabf4ab177a953131f38da

Download Submit
C:\Windows\System32\KCxVwcT.exe

Filesize
3.4MB

MD5
0ca1a5465834637d1188db635e9070e4

SHA1
a73ef3c8d7c3319db241643c62f6ab2ad52858ad

SHA256
a3dc120ab1d2f6815bedcd2c649b7887e1197f86940f11edf3f1f28cdab45328

SHA512
764ff28187a7dcf2e226d81ff771f18c5c9847e45368ce562900b136216707d8e795de62de47a4c18f83881bc83d001321a0a688e9936ce8ee81b508629bf4f0

Download Submit
C:\Windows\System32\KWiJuNT.exe

Filesize
3.4MB

MD5
1f72761a1d65e8432bbc79b4fde0abfe

SHA1
31b860499c910afea2ef105ada7d9182d7efdce2

SHA256
7234e0b68f8074f577745b260071bcc734ff7e93af912f04557ffd3c59220f0d

SHA512
5b4699f6888f19e86c08fe17f1960ddcbb6befd32df29c2199eaf4dd75ec393918cce6f601b27c7bb54f980dc92b8da63f7ef2114f211cb0594b9e3742415d45

Download Submit
C:\Windows\System32\KlcSyBw.exe

Filesize
3.4MB

MD5
7138522f8994658d81dce28d1d4e9d71

SHA1
738565e4cfbd482da29a8aa0becb43f5f126aaa8

SHA256
b1d47f9d6c7d41f2a87c8cc5abddac6422c5ea149233b7cd5c79b782b3db3de4

SHA512
cc98105f0f626b81e151ec1a7a99e401b21756f3ecdb18bed84784fdad8f4e4c8d12c915072b852f59147347e6a3d2d10a63045765cf4fdd0567893a867596d9

Download Submit
C:\Windows\System32\MTdADNt.exe

Filesize
3.4MB

MD5
7336b972057cae607b6cf7bb3e89b893

SHA1
8521c5d4ea2b333bc0f20afe852bbfc1fb30b0ae

SHA256
f18ea9533e0c4b8fb74a061451a1fe64afb6c5750228e42050ea80ce140039c3

SHA512
f24967a936c822191e377be9f8fc310cbe224ec754f64ce61156c53eee38b5fba08cf4744d34c5c798bd39d96aa80810a0f5acbab697ee5ca9a704b29a0bccfd

Download Submit
C:\Windows\System32\RxRBzAj.exe

Filesize
3.4MB

MD5
c04a12f1906d3203112ac0f4fbf85dae

SHA1
4f207cf8339a6451bd16d28632e59ba4325c6cdb

SHA256
e073c6fbedede88702dd8a5ac2df6fd7310ff369492ee23fc993afa457fbe552

SHA512
7e634e003f5592e9355829d4a5148e3dae1b60cb9cfb774cf82838e4a6793e9dea4a7f030ec9ec43ba64d16f2be88109629ccb734a40a399b69aac8f2916a9d9

Download Submit
C:\Windows\System32\SRokUni.exe

Filesize
3.4MB

MD5
ce1e69dd8867c9be31bdea4ab7b491e8

SHA1
b381fe0dd300f806a74f4edc5c87659ad10905e6

SHA256
a5e0dc58646d72bee9d6e27b0e3a84c2c5653d01b5161a404cee6b717ef4e02c

SHA512
11c8c0f68b5e9219963d2cb42b26bde85a2b9b706bd6a3c08ce7371800f33a5595e9ad6751618f195225177f1160a89d7807ceb00f98092b66eeb2b31da43cf0

Download Submit
C:\Windows\System32\TXAFavx.exe

Filesize
3.4MB

MD5
f00c95adf532041edf20fcdc23d9e0cd

SHA1
411a88862fa453b90f0501c90c05b8f8f68fa801

SHA256
d63d3cb0355b8a552045b5b9b41bb6dc51e2816b174b23b7278102b9c1ba80bb

SHA512
61468105beea1eb5cd0439b218978eecc5d7460cd7a8ada6c14f39345871b3b17247600fd290b2f9cd66c0144856f384c66795f98ac54119b296c7268d26d981

Download Submit
C:\Windows\System32\UwLTWgN.exe

Filesize
3.4MB

MD5
e062872d0dc0c31165fbd54dad506a1e

SHA1
465b01dc5702344b9c25505d8e58fc310f5e76ec

SHA256
213d787e7c4092a2f2a289868aaf77c14414b4e4de24086df6e676220401c9f6

SHA512
ff997bab07c8d9fd22a2f95fc6153a1ec725ba3618e4b607d2f54aea97447e95b41bb44ded2ba4343815f24586df9a3e5a7f74c16ca052ee0a06259d705d121b

Download Submit
C:\Windows\System32\XLCJvoL.exe

Filesize
3.4MB

MD5
d1dce545a051c446b35506df4c4ff03b

SHA1
bf3bb91e511559058bb685e0e1b4f8399a23177f

SHA256
7eba5dddb282fa320189f768cea4af7fcdbd9a02d17a26ddccdc56eb7333d036

SHA512
f4b8aecd86e8b0edbce564d6e9cbaedc45f126e62b62da4a3e39f4d8f64556b678f4f62cd421d1760c5b44b9338fbfbe2e026beecb0a91cf08daa26efa354ad1

Download Submit
C:\Windows\System32\XSpRWrW.exe

Filesize
3.4MB

MD5
df8f2810ccb2cb9922e91e8edb08ed58

SHA1
40bb2184766f4b99b0a5a2a5c6cb38bac584e843

SHA256
539e2cb3bac7d9a340ed2add5f5a4d8a538afbfed86e5d3ddc1d196003c1248d

SHA512
5dfe06b3a984476b60939c4d050fc33a4013c843357cae33b4cb34c966d9475ae7b6844d5e78b51ad21526da6941b0682e8e3f93ccf56510787e450bad549193

Download Submit
C:\Windows\System32\ZyXVDkq.exe

Filesize
3.4MB

MD5
48b45aa2f6c7107d71d613e5aa7d475d

SHA1
041f4c0fb4005f8168f95a5c84790901f112b2c3

SHA256
d88288a4854d9dd1f9d401f47e7cf197586eedba202f7d3171c9bcbb0e20c8b5

SHA512
01ada544f6c4bc5199fcd563d9a38e197b09723d4ee7a895fd76f0590627225fa9056e6a4ee74fa9525dcdc26fab3af07eb9d6f9d9ddbf4c063fcc697c2fb653

Download Submit
C:\Windows\System32\gjbzyNL.exe

Filesize
3.4MB

MD5
99bbdc4ab7740c51439246dba421b791

SHA1
4c90f75ad0d3c5d3ff8eee3b2e58a620e2db4968

SHA256
6eb06b2d6acbdb19d191f7ed7a321ca1d71ac8e2e700f3a3003c17371f08f37c

SHA512
2eb9b492791c7dd66e8f904738550b89db4be05a8b273b528a994c8f601c9ab25c4db55ebd2a05cdbd5889798b0fb4216f66865c77abc08ce3b897cbe8f3b58c

Download Submit
C:\Windows\System32\jMXUWsD.exe

Filesize
3.4MB

MD5
3f422eee5f1f6b35206078dfb4c8f3da

SHA1
6e6522158e1c84283f112929dd3d7c7e77dc6e72

SHA256
db71edbfd46d64e7b323d9e61164f819c7af6dfcf2abe40555128d4f87f8b7fd

SHA512
8e08eeb8f6057052b00f24e019f352094be6ad7a943a1ab4fd55c3ecc80cb94b302f778556f9bcb06be1b85f1438c3622fac29c9bdc44282c7e0f7e8bb2ef5e4

Download Submit
C:\Windows\System32\lpPybwP.exe

Filesize
3.4MB

MD5
79257c2f4140552b7523ae83bcbe4836

SHA1
68855a5360b37f8445685823bcd1153dde90a093

SHA256
c8ec933cc696e1efd9edd429c2c5c9cd0be2859261b3d333d4e556a39577b03d

SHA512
c8002fc387311f6d93efaeeb0b3661e59cc6a04546d839e4049d47c199964f9092da4d95b335fd4241c254147433bfc68a0dbdb93530380c58f6df65133b91f7

Download Submit
C:\Windows\System32\lrJrpre.exe

Filesize
3.4MB

MD5
4e306a45a00c2cd3f3d81f6486ef7d75

SHA1
0965af211c4811ba48b74977d8bbd07e3022ba08

SHA256
f851f20490ee9657b26a39d1f83155dcafa48faebd2f7d5fcc81b3f556bbe01d

SHA512
63d34f6d0fc66367f5907c1787d0e04b72b61b79a737bdca53b65e055b9f5bd55c11212a12256541e1bfcbf47fcc5785863b77e3218ae61062741b4b7ba94cc5

Download Submit
C:\Windows\System32\mWHOcdk.exe

Filesize
3.4MB

MD5
69344d72769fad73033ed37cbc9db411

SHA1
dd0a13a2efa4203c2e4c361d320c2ec1c2567ce2

SHA256
6b66dbe8aa2eb15fb01e51c2cb81ac473411d34af74f9d39a92e6298e4413bff

SHA512
55b694625b704557e062f8561aa2d68e89c2682802ea76691d7e464afd1ea91e5bb0e48631e22bbf5491fccfcd12cda5e2dfc3e45aba91ce8679d51e4fff4053

Download Submit
C:\Windows\System32\npyhFUy.exe

Filesize
3.4MB

MD5
5c1d684d353ffd8715e95f6d47150de9

SHA1
478bfe41fd7e868080d5de21403fb5894b37a46c

SHA256
e27d305df4c04c8b0666e25120172c2e3c6895ce14f0fe3c0a560eb3b45f5334

SHA512
07fe06d03dd2e3eac91e523d964ec6b5c5a7fe87671070414eb6d1d9048574f52c56308183f31ba5ad2ac855c1cd4917c4b7be244846a11054c6ba09d6eac4a1

Download Submit
C:\Windows\System32\qVEwGOu.exe

Filesize
3.4MB

MD5
5e43ec685f8bd4231f9f62095cb95f74

SHA1
7a11bcbbbdf2e2cd1af47fea1c2cd071dcb57335

SHA256
51065da525808a31fb36337c527b2988f431b6304b3e356e9cc490b58a5924cd

SHA512
b95af9c74d491a394de7c4682e2003a03b66a3e6ff89bde16326c889e89d88af280b30d8c63c5339d66ba120da95938400e035ce0e9cf80b77648d7e0ff17c6b

Download Submit
C:\Windows\System32\qojzRXF.exe

Filesize
3.4MB

MD5
765bdfb4c537c99cfaa69dcf6c3ab859

SHA1
868e5e0a7d7412ebd3667bf91050a7a99faf7255

SHA256
541614339eeb49766f7cbe06298b47ab47057fbdf2abbb458da8471fece1affe

SHA512
39e696240306cd6c2e017f2e6a1b36c8d9d9f5f31f3fdc6fd0ebaba078619e4bbb279a64d0a139a418aef1292b28932e309ee98d862c30397c023ef19585fe65

Download Submit
C:\Windows\System32\qrWDsgz.exe

Filesize
3.4MB

MD5
5ed52fd718b57f8b31d46499184c2d51

SHA1
dae6559534066bb4759d582fc4f4331a45d1730f

SHA256
bfea0e35c98cd05baf94450493d849209397053d72c5c296360c4c5666d18d50

SHA512
261ef8b121cb6b6803e93ebfdc642ec29842107355982b2b69629727e7722c639203812e8bab2cf6a2544300e8bbd714fc9cb420dc1dfc69b8b48adc6b5a1754

Download Submit
C:\Windows\System32\tOuetWT.exe

Filesize
3.4MB

MD5
864e4bdb460ad840897e6e1720a9f7d3

SHA1
2fafd7a23d63ee3570312538e6e6630a208e0746

SHA256
ae051a5975d49f5a66204d93032526ce0721ae404409ddb3e8905bef2af171ab

SHA512
bee043fcebce8f64a9833264eecbc0c743fa1eed3de4ae0c5519b9d39342b872586f24c0331f9549d28fb2701f97ab66cfa525e78c48c1efaa20dcc3de0b9521

Download Submit
C:\Windows\System32\tjhHmOp.exe

Filesize
3.4MB

MD5
b87527254088217bde41fec2f2581d8d

SHA1
e02c9c7a078f2d3ada1e1078003313a1b4e19a15

SHA256
c7b7ce0bfaf0f0da948e53fadcb5e18395b23bad1ea496964ee5186567f51dfb

SHA512
844ce583abf0fa57fffe76d828e2b4cc06b40dc08d0386cfd8aa774cf14f144dc4d50ecb5f26b2343975a1cb14ec350049cc1f4ae380e8ee46ed966a6f389a3e

Download Submit
C:\Windows\System32\uMZyFTU.exe

Filesize
3.4MB

MD5
12a8a204a7ad87da5e23a548ca3a99fb

SHA1
cddfc711d2ef72c67256d6774d10f967ea411678

SHA256
667813aecab600725c7bc1f72faf39ef57a9c8075a0311b52cbe2d5243d6e230

SHA512
ec73f6241cfcc22031b8901c5343bd3f3a5af44540eeed28a6dd83d63ded2d990090ecab20c80b7bc1fd520c0fcd365173154ccc06bc82d864fed7de880fb0d5

Download Submit
C:\Windows\System32\unhbutr.exe

Filesize
3.4MB

MD5
3b8676947b480cf93336a6de218e680e

SHA1
64e3c29f242182088df70f808ede08a002770dfd

SHA256
e4b65f48cc3d5e6ace2f16758f524dffdb74b66f783f8eca11e4fbffcf2400cb

SHA512
d0f8843cb375bae49a4f4b4f9498c4122a0997bb1a90d43f86af89c537558ad4172129d321c532a0fdf8dd4c9919958f3262db2ccbdea07f01c71c9b6c0a89f9

Download Submit
C:\Windows\System32\wbEWxPo.exe

Filesize
3.4MB

MD5
59bb982a29b3f340788d99cb9df61844

SHA1
80ae19e228edcf886b7649043b986fa037535db9

SHA256
ceece15e1a6cc7c3ecb531663785eddfb13ed7f96a74d7dd8b6073b798b72a02

SHA512
c33b1ddf7518616d773424c441018c86cbdffd39a5e7558536c65b411d53d5921be2d30f351f60a9765921cdf91de73941bb15c3051b934d6639e2b3a4bc8876

Download Submit
C:\Windows\System32\wtCJOYQ.exe

Filesize
3.4MB

MD5
c08f6d191097ab8915780e060e1ceec3

SHA1
8d7354066a308330655799dc413683e7b5112d52

SHA256
0236be6c84929bad6288480e2c2e8330caf52378c06c997c6c6c9726e90e6358

SHA512
a2ad9990c81392c6f0df9f3ea5248a1d19a6eaa875f47b5e6d1f4c0de728e113799568d0e61c24b303896bf2f2cccc41044c4bf32b487655902da9d7771b7d7c

Download Submit
C:\Windows\System32\wxyBoHe.exe

Filesize
3.4MB

MD5
e3f13f143222b37a33c3da6e8aedccb2

SHA1
5c653aeb6b30a76c7961a766f6ad237cd939fedb

SHA256
715dc7e75d1834808f566aad0bdf9b76d10073651cc3301f639f25bea49d4dee

SHA512
e8f7bc80265f052978f1306ec9e0b56cd172e637e87bdfadfbe84465849f82e3af7fb62af3c603f017fe02402b2061915cdc62f96a76b9cf98255215d793ddb7

Download Submit
C:\Windows\System32\xCRFshv.exe

Filesize
3.4MB

MD5
c052dac552f3574beda0da17b5534959

SHA1
1dd69d2052cff5afd300f478355a74087a789684

SHA256
dbe47634cffbbbb83e290751b5d580aa1c6a1816f70b3f71f89e10492eab48de

SHA512
55ac8aa0b6d74b12f85ab0533749df999f9ae1314fa7ec3d714ab453d1f2f66b2ccf70690e964711ba117d6493fa855f2f68c961ee0a0418238e06dc2b75fc79

Download Submit
memory/468-1860-0x00007FF72E660000-0x00007FF72EA55000-memory.dmp

Filesize
4.0MB

Download
memory/468-807-0x00007FF72E660000-0x00007FF72EA55000-memory.dmp

Filesize
4.0MB

Download
memory/640-813-0x00007FF6C3DE0000-0x00007FF6C41D5000-memory.dmp

Filesize
4.0MB

Download
memory/640-1862-0x00007FF6C3DE0000-0x00007FF6C41D5000-memory.dmp

Filesize
4.0MB

Download
memory/724-1-0x0000022E5D710000-0x0000022E5D720000-memory.dmp

Filesize
64KB

Download
memory/724-0-0x00007FF73F5F0000-0x00007FF73F9E5000-memory.dmp

Filesize
4.0MB

Download
memory/1168-837-0x00007FF6C5330000-0x00007FF6C5725000-memory.dmp

Filesize
4.0MB

Download
memory/1168-1870-0x00007FF6C5330000-0x00007FF6C5725000-memory.dmp

Filesize
4.0MB

Download
memory/1196-1878-0x00007FF6D93B0000-0x00007FF6D97A5000-memory.dmp

Filesize
4.0MB

Download
memory/1196-871-0x00007FF6D93B0000-0x00007FF6D97A5000-memory.dmp

Filesize
4.0MB

Download
memory/1536-15-0x00007FF62C6A0000-0x00007FF62CA95000-memory.dmp

Filesize
4.0MB

Download
memory/1536-1858-0x00007FF62C6A0000-0x00007FF62CA95000-memory.dmp

Filesize
4.0MB

Download
memory/1540-833-0x00007FF71BFE0000-0x00007FF71C3D5000-memory.dmp

Filesize
4.0MB

Download
memory/1540-1871-0x00007FF71BFE0000-0x00007FF71C3D5000-memory.dmp

Filesize
4.0MB

Download
memory/1724-820-0x00007FF6DB5D0000-0x00007FF6DB9C5000-memory.dmp

Filesize
4.0MB

Download
memory/1724-1874-0x00007FF6DB5D0000-0x00007FF6DB9C5000-memory.dmp

Filesize
4.0MB

Download
memory/2152-1868-0x00007FF697320000-0x00007FF697715000-memory.dmp

Filesize
4.0MB

Download
memory/2152-840-0x00007FF697320000-0x00007FF697715000-memory.dmp

Filesize
4.0MB

Download
memory/2724-1867-0x00007FF6167D0000-0x00007FF616BC5000-memory.dmp

Filesize
4.0MB

Download
memory/2724-851-0x00007FF6167D0000-0x00007FF616BC5000-memory.dmp

Filesize
4.0MB

Download
memory/2980-815-0x00007FF753D70000-0x00007FF754165000-memory.dmp

Filesize
4.0MB

Download
memory/2980-1876-0x00007FF753D70000-0x00007FF754165000-memory.dmp

Filesize
4.0MB

Download
memory/3032-1881-0x00007FF76EBA0000-0x00007FF76EF95000-memory.dmp

Filesize
4.0MB

Download
memory/3032-857-0x00007FF76EBA0000-0x00007FF76EF95000-memory.dmp

Filesize
4.0MB

Download
memory/3352-844-0x00007FF7D5DF0000-0x00007FF7D61E5000-memory.dmp

Filesize
4.0MB

Download
memory/3352-1879-0x00007FF7D5DF0000-0x00007FF7D61E5000-memory.dmp

Filesize
4.0MB

Download
memory/3484-803-0x00007FF6860E0000-0x00007FF6864D5000-memory.dmp

Filesize
4.0MB

Download
memory/3484-1861-0x00007FF6860E0000-0x00007FF6864D5000-memory.dmp

Filesize
4.0MB

Download
memory/3572-864-0x00007FF6B3EB0000-0x00007FF6B42A5000-memory.dmp

Filesize
4.0MB

Download
memory/3572-1865-0x00007FF6B3EB0000-0x00007FF6B42A5000-memory.dmp

Filesize
4.0MB

Download
memory/3616-1857-0x00007FF6E1080000-0x00007FF6E1475000-memory.dmp

Filesize
4.0MB

Download
memory/3616-1859-0x00007FF6E1080000-0x00007FF6E1475000-memory.dmp

Filesize
4.0MB

Download
memory/3616-11-0x00007FF6E1080000-0x00007FF6E1475000-memory.dmp

Filesize
4.0MB

Download
memory/3760-878-0x00007FF719F90000-0x00007FF71A385000-memory.dmp

Filesize
4.0MB

Download
memory/3760-1875-0x00007FF719F90000-0x00007FF71A385000-memory.dmp

Filesize
4.0MB

Download
memory/3948-836-0x00007FF7D8C20000-0x00007FF7D9015000-memory.dmp

Filesize
4.0MB

Download
memory/3948-1869-0x00007FF7D8C20000-0x00007FF7D9015000-memory.dmp

Filesize
4.0MB

Download
memory/4316-1877-0x00007FF69FB00000-0x00007FF69FEF5000-memory.dmp

Filesize
4.0MB

Download
memory/4316-877-0x00007FF69FB00000-0x00007FF69FEF5000-memory.dmp

Filesize
4.0MB

Download
memory/4468-1872-0x00007FF6E2700000-0x00007FF6E2AF5000-memory.dmp

Filesize
4.0MB

Download
memory/4468-824-0x00007FF6E2700000-0x00007FF6E2AF5000-memory.dmp

Filesize
4.0MB

Download
memory/4512-866-0x00007FF7F20E0000-0x00007FF7F24D5000-memory.dmp

Filesize
4.0MB

Download
memory/4512-1863-0x00007FF7F20E0000-0x00007FF7F24D5000-memory.dmp

Filesize
4.0MB

Download
memory/4632-1880-0x00007FF64A630000-0x00007FF64AA25000-memory.dmp

Filesize
4.0MB

Download
memory/4632-881-0x00007FF64A630000-0x00007FF64AA25000-memory.dmp

Filesize
4.0MB

Download
memory/4756-1866-0x00007FF60D560000-0x00007FF60D955000-memory.dmp

Filesize
4.0MB

Download
memory/4756-850-0x00007FF60D560000-0x00007FF60D955000-memory.dmp

Filesize
4.0MB

Download
memory/4860-860-0x00007FF7DD290000-0x00007FF7DD685000-memory.dmp

Filesize
4.0MB

Download
memory/4860-1864-0x00007FF7DD290000-0x00007FF7DD685000-memory.dmp

Filesize
4.0MB

Download
memory/4948-827-0x00007FF7F0C60000-0x00007FF7F1055000-memory.dmp

Filesize
4.0MB

Download
memory/4948-1873-0x00007FF7F0C60000-0x00007FF7F1055000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads