xmrig | 578b945d4fa9ece2e8ff9f4db92d35104e8e49dcd8fd3ab8178a684e1610f548

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_d9c89633c385d52dd214b537f31986c0.exe
Size

3.2MB
MD5

d9c89633c385d52dd214b537f31986c0
SHA1

594ff7b8ad39ba759a7f45877b275a0dc6654eb9
SHA256

578b945d4fa9ece2e8ff9f4db92d35104e8e49dcd8fd3ab8178a684e1610f548
SHA512

a108e83fee8bdb9f6cb3712364928ec742f8e0147dc3650dce915418e46bcf27d61b54dcc484d173d58f0ef4bd21147b2db94d4572cfeb160f3d3eb95e20b8d1
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc40:NFWPClFk

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2388-0-0x00007FF7954E0000-0x00007FF7958D5000-memory.dmp	xmrig
behavioral2/memory/3496-6-0x00007FF6E8990000-0x00007FF6E8D85000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fb-12.dat	xmrig
behavioral2/files/0x00070000000233fc-18.dat	xmrig
behavioral2/files/0x00070000000233fd-23.dat	xmrig
behavioral2/files/0x00070000000233fe-28.dat	xmrig
behavioral2/files/0x0007000000023400-38.dat	xmrig
behavioral2/files/0x0007000000023404-58.dat	xmrig
behavioral2/files/0x0007000000023407-73.dat	xmrig
behavioral2/files/0x0007000000023409-83.dat	xmrig
behavioral2/files/0x000700000002340d-101.dat	xmrig
behavioral2/files/0x000700000002340f-114.dat	xmrig
behavioral2/files/0x0007000000023418-159.dat	xmrig
behavioral2/memory/740-773-0x00007FF7EE3B0000-0x00007FF7EE7A5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023419-164.dat	xmrig
behavioral2/files/0x0007000000023417-154.dat	xmrig
behavioral2/files/0x0007000000023416-149.dat	xmrig
behavioral2/files/0x0007000000023415-144.dat	xmrig
behavioral2/files/0x0007000000023414-139.dat	xmrig
behavioral2/files/0x0007000000023413-134.dat	xmrig
behavioral2/files/0x0007000000023412-128.dat	xmrig
behavioral2/files/0x0007000000023411-124.dat	xmrig
behavioral2/files/0x0007000000023410-118.dat	xmrig
behavioral2/files/0x000700000002340e-109.dat	xmrig
behavioral2/files/0x000700000002340c-99.dat	xmrig
behavioral2/files/0x000700000002340b-93.dat	xmrig
behavioral2/files/0x000700000002340a-88.dat	xmrig
behavioral2/files/0x0007000000023408-78.dat	xmrig
behavioral2/files/0x0007000000023406-68.dat	xmrig
behavioral2/files/0x0007000000023405-63.dat	xmrig
behavioral2/files/0x0007000000023403-53.dat	xmrig
behavioral2/files/0x0007000000023402-48.dat	xmrig
behavioral2/files/0x0007000000023401-43.dat	xmrig
behavioral2/files/0x00070000000233ff-33.dat	xmrig
behavioral2/memory/4340-16-0x00007FF7333A0000-0x00007FF733795000-memory.dmp	xmrig
behavioral2/files/0x000a0000000233f2-10.dat	xmrig
behavioral2/memory/4088-781-0x00007FF621350000-0x00007FF621745000-memory.dmp	xmrig
behavioral2/memory/1012-785-0x00007FF7062F0000-0x00007FF7066E5000-memory.dmp	xmrig
behavioral2/memory/4564-806-0x00007FF7C4830000-0x00007FF7C4C25000-memory.dmp	xmrig
behavioral2/memory/3328-826-0x00007FF707AC0000-0x00007FF707EB5000-memory.dmp	xmrig
behavioral2/memory/3920-832-0x00007FF7BFA10000-0x00007FF7BFE05000-memory.dmp	xmrig
behavioral2/memory/4960-837-0x00007FF7913B0000-0x00007FF7917A5000-memory.dmp	xmrig
behavioral2/memory/4008-821-0x00007FF74A140000-0x00007FF74A535000-memory.dmp	xmrig
behavioral2/memory/4900-813-0x00007FF667E70000-0x00007FF668265000-memory.dmp	xmrig
behavioral2/memory/3892-802-0x00007FF749000000-0x00007FF7493F5000-memory.dmp	xmrig
behavioral2/memory/4172-794-0x00007FF7C6270000-0x00007FF7C6665000-memory.dmp	xmrig
behavioral2/memory/2500-845-0x00007FF7F1E10000-0x00007FF7F2205000-memory.dmp	xmrig
behavioral2/memory/4544-849-0x00007FF7638E0000-0x00007FF763CD5000-memory.dmp	xmrig
behavioral2/memory/4576-846-0x00007FF677E10000-0x00007FF678205000-memory.dmp	xmrig
behavioral2/memory/4896-853-0x00007FF7C0AE0000-0x00007FF7C0ED5000-memory.dmp	xmrig
behavioral2/memory/3372-856-0x00007FF79A600000-0x00007FF79A9F5000-memory.dmp	xmrig
behavioral2/memory/3744-860-0x00007FF75D810000-0x00007FF75DC05000-memory.dmp	xmrig
behavioral2/memory/4624-863-0x00007FF654560000-0x00007FF654955000-memory.dmp	xmrig
behavioral2/memory/3492-865-0x00007FF668590000-0x00007FF668985000-memory.dmp	xmrig
behavioral2/memory/3800-866-0x00007FF6C5B70000-0x00007FF6C5F65000-memory.dmp	xmrig
behavioral2/memory/404-869-0x00007FF6ECF90000-0x00007FF6ED385000-memory.dmp	xmrig
behavioral2/memory/4520-874-0x00007FF7ABE40000-0x00007FF7AC235000-memory.dmp	xmrig
behavioral2/memory/3496-1893-0x00007FF6E8990000-0x00007FF6E8D85000-memory.dmp	xmrig
behavioral2/memory/4340-1895-0x00007FF7333A0000-0x00007FF733795000-memory.dmp	xmrig
behavioral2/memory/3496-1894-0x00007FF6E8990000-0x00007FF6E8D85000-memory.dmp	xmrig
behavioral2/memory/4520-1899-0x00007FF7ABE40000-0x00007FF7AC235000-memory.dmp	xmrig
behavioral2/memory/740-1901-0x00007FF7EE3B0000-0x00007FF7EE7A5000-memory.dmp	xmrig
behavioral2/memory/4008-1904-0x00007FF74A140000-0x00007FF74A535000-memory.dmp	xmrig
behavioral2/memory/4900-1903-0x00007FF667E70000-0x00007FF668265000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3496	xFNogFc.exe
4340	WDVeyRS.exe
740	Yjnaage.exe
4520	MTiFaJH.exe
4088	IJXtNfl.exe
1012	FJnxnBf.exe
4172	PwyMGVm.exe
3892	iAkrzsr.exe
4564	XxolOTn.exe
4900	bmfJZiq.exe
4008	bFqYJbN.exe
3328	tihiokp.exe
3920	PgwXpRj.exe
4960	TlBSDNv.exe
2500	IhfPwkY.exe
4576	gEHMkVi.exe
4544	HonirzK.exe
4896	nvBvIyt.exe
3372	LVPQAWM.exe
3744	IoOHsth.exe
4624	dVwYESx.exe
3492	ikvnTfr.exe
3800	SYOBGRS.exe
404	UyfbjvP.exe
3872	brvNHkU.exe
3112	jBqaBwX.exe
2476	cAfhAfU.exe
4732	ypdrgSD.exe
1988	DwhjaKp.exe
1920	LadgOaY.exe
436	ZOOmmVq.exe
2892	dfXrFcM.exe
2704	aVANQyX.exe
4424	kEubsxj.exe
3976	zMwLPCj.exe
1028	BMEWWFs.exe
2548	BQVWHAS.exe
1464	AsapccD.exe
2364	dzvPLCG.exe
876	SFmmaLn.exe
2100	bwGTFod.exe
3468	QTohLaA.exe
1932	FQCAvbG.exe
1244	OIIrjvX.exe
3192	OWSqfrv.exe
4324	EUikOZk.exe
3272	WGhtCsZ.exe
4484	VQVLtqn.exe
2812	aBpZhwC.exe
1312	vUTrTgM.exe
1908	MTSNnoz.exe
4628	lrgTqun.exe
4996	LClFDWD.exe
3384	TMlNNei.exe
4740	CcLBxhb.exe
2808	RfONjgY.exe
3572	AAaRiyh.exe
948	XitYLem.exe
1720	KMSsZRK.exe
3596	kxxrLhx.exe
2180	HdAVFin.exe
1240	HeGWbhz.exe
564	qdrKRsn.exe
4452	yxxKGhm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2388-0-0x00007FF7954E0000-0x00007FF7958D5000-memory.dmp	upx
behavioral2/memory/3496-6-0x00007FF6E8990000-0x00007FF6E8D85000-memory.dmp	upx
behavioral2/files/0x00070000000233fb-12.dat	upx
behavioral2/files/0x00070000000233fc-18.dat	upx
behavioral2/files/0x00070000000233fd-23.dat	upx
behavioral2/files/0x00070000000233fe-28.dat	upx
behavioral2/files/0x0007000000023400-38.dat	upx
behavioral2/files/0x0007000000023404-58.dat	upx
behavioral2/files/0x0007000000023407-73.dat	upx
behavioral2/files/0x0007000000023409-83.dat	upx
behavioral2/files/0x000700000002340d-101.dat	upx
behavioral2/files/0x000700000002340f-114.dat	upx
behavioral2/files/0x0007000000023418-159.dat	upx
behavioral2/memory/740-773-0x00007FF7EE3B0000-0x00007FF7EE7A5000-memory.dmp	upx
behavioral2/files/0x0007000000023419-164.dat	upx
behavioral2/files/0x0007000000023417-154.dat	upx
behavioral2/files/0x0007000000023416-149.dat	upx
behavioral2/files/0x0007000000023415-144.dat	upx
behavioral2/files/0x0007000000023414-139.dat	upx
behavioral2/files/0x0007000000023413-134.dat	upx
behavioral2/files/0x0007000000023412-128.dat	upx
behavioral2/files/0x0007000000023411-124.dat	upx
behavioral2/files/0x0007000000023410-118.dat	upx
behavioral2/files/0x000700000002340e-109.dat	upx
behavioral2/files/0x000700000002340c-99.dat	upx
behavioral2/files/0x000700000002340b-93.dat	upx
behavioral2/files/0x000700000002340a-88.dat	upx
behavioral2/files/0x0007000000023408-78.dat	upx
behavioral2/files/0x0007000000023406-68.dat	upx
behavioral2/files/0x0007000000023405-63.dat	upx
behavioral2/files/0x0007000000023403-53.dat	upx
behavioral2/files/0x0007000000023402-48.dat	upx
behavioral2/files/0x0007000000023401-43.dat	upx
behavioral2/files/0x00070000000233ff-33.dat	upx
behavioral2/memory/4340-16-0x00007FF7333A0000-0x00007FF733795000-memory.dmp	upx
behavioral2/files/0x000a0000000233f2-10.dat	upx
behavioral2/memory/4088-781-0x00007FF621350000-0x00007FF621745000-memory.dmp	upx
behavioral2/memory/1012-785-0x00007FF7062F0000-0x00007FF7066E5000-memory.dmp	upx
behavioral2/memory/4564-806-0x00007FF7C4830000-0x00007FF7C4C25000-memory.dmp	upx
behavioral2/memory/3328-826-0x00007FF707AC0000-0x00007FF707EB5000-memory.dmp	upx
behavioral2/memory/3920-832-0x00007FF7BFA10000-0x00007FF7BFE05000-memory.dmp	upx
behavioral2/memory/4960-837-0x00007FF7913B0000-0x00007FF7917A5000-memory.dmp	upx
behavioral2/memory/4008-821-0x00007FF74A140000-0x00007FF74A535000-memory.dmp	upx
behavioral2/memory/4900-813-0x00007FF667E70000-0x00007FF668265000-memory.dmp	upx
behavioral2/memory/3892-802-0x00007FF749000000-0x00007FF7493F5000-memory.dmp	upx
behavioral2/memory/4172-794-0x00007FF7C6270000-0x00007FF7C6665000-memory.dmp	upx
behavioral2/memory/2500-845-0x00007FF7F1E10000-0x00007FF7F2205000-memory.dmp	upx
behavioral2/memory/4544-849-0x00007FF7638E0000-0x00007FF763CD5000-memory.dmp	upx
behavioral2/memory/4576-846-0x00007FF677E10000-0x00007FF678205000-memory.dmp	upx
behavioral2/memory/4896-853-0x00007FF7C0AE0000-0x00007FF7C0ED5000-memory.dmp	upx
behavioral2/memory/3372-856-0x00007FF79A600000-0x00007FF79A9F5000-memory.dmp	upx
behavioral2/memory/3744-860-0x00007FF75D810000-0x00007FF75DC05000-memory.dmp	upx
behavioral2/memory/4624-863-0x00007FF654560000-0x00007FF654955000-memory.dmp	upx
behavioral2/memory/3492-865-0x00007FF668590000-0x00007FF668985000-memory.dmp	upx
behavioral2/memory/3800-866-0x00007FF6C5B70000-0x00007FF6C5F65000-memory.dmp	upx
behavioral2/memory/404-869-0x00007FF6ECF90000-0x00007FF6ED385000-memory.dmp	upx
behavioral2/memory/4520-874-0x00007FF7ABE40000-0x00007FF7AC235000-memory.dmp	upx
behavioral2/memory/3496-1893-0x00007FF6E8990000-0x00007FF6E8D85000-memory.dmp	upx
behavioral2/memory/4340-1895-0x00007FF7333A0000-0x00007FF733795000-memory.dmp	upx
behavioral2/memory/3496-1894-0x00007FF6E8990000-0x00007FF6E8D85000-memory.dmp	upx
behavioral2/memory/4520-1899-0x00007FF7ABE40000-0x00007FF7AC235000-memory.dmp	upx
behavioral2/memory/740-1901-0x00007FF7EE3B0000-0x00007FF7EE7A5000-memory.dmp	upx
behavioral2/memory/4008-1904-0x00007FF74A140000-0x00007FF74A535000-memory.dmp	upx
behavioral2/memory/4900-1903-0x00007FF667E70000-0x00007FF668265000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\YYbFXqQ.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\RlPIDlL.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\FQCAvbG.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\gULeIHX.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\xoNMmPq.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\nMiyPlA.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\NvbCUTv.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\lwQyUhV.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\oYdjLhk.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\PhyywxD.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\Yjnaage.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\OWSqfrv.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\FeWidJB.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\hmdSYSB.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\DcrLByM.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\LaBIMXI.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\NjwKjah.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\nvBvIyt.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\aZbrRts.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\UUONoLi.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\lOlyVrH.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\AcEBfGb.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\XmwAGuv.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\mxsMDxr.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\VbwaibC.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\AiTldZk.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\oqGwItP.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\rsWmqbD.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\VNXJMZq.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\YenxuUm.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\fMabaFJ.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\nGiMFlj.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\wUTLIfN.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\uoZSkkz.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\EMUItbS.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\GxFxYUx.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\wslcUFs.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\qULmTxR.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\YUWnFqe.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\fAcXDvE.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\aBpZhwC.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\jGtBOCy.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\rDuGxuI.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\nfBkWpe.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\ZeaEELB.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\xQfpHIh.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\kXqvDbf.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\SIqCGcN.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\xuqEHPD.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\pCYoQub.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\HdAVFin.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\cpLVllE.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\OcuBQfJ.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\PfsNEXv.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\vKOvkhv.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\bAicGBO.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\TSsVlRN.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\dszNJBR.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\VcTnMgj.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\jgVbmWE.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\CayLvkY.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\JDhmvjk.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\aVANQyX.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe
File created	C:\Windows\System32\qTdmGOg.exe	virussign.com_d9c89633c385d52dd214b537f31986c0.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	860	dwm.exe
Token: SeChangeNotifyPrivilege	860	dwm.exe
Token: 33	860	dwm.exe
Token: SeIncBasePriorityPrivilege	860	dwm.exe
Token: SeShutdownPrivilege	860	dwm.exe
Token: SeCreatePagefilePrivilege	860	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2524	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3496	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	85
PID 2388 wrote to memory of 3496	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	85
PID 2388 wrote to memory of 4340	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	86
PID 2388 wrote to memory of 4340	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	86
PID 2388 wrote to memory of 740	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	87
PID 2388 wrote to memory of 740	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	87
PID 2388 wrote to memory of 4520	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	88
PID 2388 wrote to memory of 4520	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	88
PID 2388 wrote to memory of 4088	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	89
PID 2388 wrote to memory of 4088	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	89
PID 2388 wrote to memory of 1012	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	90
PID 2388 wrote to memory of 1012	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	90
PID 2388 wrote to memory of 4172	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	91
PID 2388 wrote to memory of 4172	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	91
PID 2388 wrote to memory of 3892	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	92
PID 2388 wrote to memory of 3892	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	92
PID 2388 wrote to memory of 4564	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	93
PID 2388 wrote to memory of 4564	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	93
PID 2388 wrote to memory of 4900	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	94
PID 2388 wrote to memory of 4900	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	94
PID 2388 wrote to memory of 4008	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	95
PID 2388 wrote to memory of 4008	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	95
PID 2388 wrote to memory of 3328	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	96
PID 2388 wrote to memory of 3328	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	96
PID 2388 wrote to memory of 3920	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	97
PID 2388 wrote to memory of 3920	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	97
PID 2388 wrote to memory of 4960	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	98
PID 2388 wrote to memory of 4960	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	98
PID 2388 wrote to memory of 2500	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	99
PID 2388 wrote to memory of 2500	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	99
PID 2388 wrote to memory of 4576	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	100
PID 2388 wrote to memory of 4576	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	100
PID 2388 wrote to memory of 4544	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	101
PID 2388 wrote to memory of 4544	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	101
PID 2388 wrote to memory of 4896	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	102
PID 2388 wrote to memory of 4896	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	102
PID 2388 wrote to memory of 3372	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	103
PID 2388 wrote to memory of 3372	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	103
PID 2388 wrote to memory of 3744	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	104
PID 2388 wrote to memory of 3744	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	104
PID 2388 wrote to memory of 4624	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	105
PID 2388 wrote to memory of 4624	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	105
PID 2388 wrote to memory of 3492	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	106
PID 2388 wrote to memory of 3492	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	106
PID 2388 wrote to memory of 3800	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	107
PID 2388 wrote to memory of 3800	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	107
PID 2388 wrote to memory of 404	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	108
PID 2388 wrote to memory of 404	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	108
PID 2388 wrote to memory of 3872	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	109
PID 2388 wrote to memory of 3872	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	109
PID 2388 wrote to memory of 3112	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	110
PID 2388 wrote to memory of 3112	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	110
PID 2388 wrote to memory of 2476	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	111
PID 2388 wrote to memory of 2476	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	111
PID 2388 wrote to memory of 4732	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	112
PID 2388 wrote to memory of 4732	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	112
PID 2388 wrote to memory of 1988	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	113
PID 2388 wrote to memory of 1988	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	113
PID 2388 wrote to memory of 1920	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	114
PID 2388 wrote to memory of 1920	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	114
PID 2388 wrote to memory of 436	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	115
PID 2388 wrote to memory of 436	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	115
PID 2388 wrote to memory of 2892	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	116
PID 2388 wrote to memory of 2892	2388	virussign.com_d9c89633c385d52dd214b537f31986c0.exe	116

C:\Users\Admin\AppData\Local\Temp\virussign.com_d9c89633c385d52dd214b537f31986c0.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_d9c89633c385d52dd214b537f31986c0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\System32\xFNogFc.exe
  C:\Windows\System32\xFNogFc.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\WDVeyRS.exe
  C:\Windows\System32\WDVeyRS.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\Yjnaage.exe
  C:\Windows\System32\Yjnaage.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\MTiFaJH.exe
  C:\Windows\System32\MTiFaJH.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System32\IJXtNfl.exe
  C:\Windows\System32\IJXtNfl.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System32\FJnxnBf.exe
  C:\Windows\System32\FJnxnBf.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System32\PwyMGVm.exe
  C:\Windows\System32\PwyMGVm.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System32\iAkrzsr.exe
  C:\Windows\System32\iAkrzsr.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\XxolOTn.exe
  C:\Windows\System32\XxolOTn.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System32\bmfJZiq.exe
  C:\Windows\System32\bmfJZiq.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\bFqYJbN.exe
  C:\Windows\System32\bFqYJbN.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System32\tihiokp.exe
  C:\Windows\System32\tihiokp.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System32\PgwXpRj.exe
  C:\Windows\System32\PgwXpRj.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\TlBSDNv.exe
  C:\Windows\System32\TlBSDNv.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\IhfPwkY.exe
  C:\Windows\System32\IhfPwkY.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System32\gEHMkVi.exe
  C:\Windows\System32\gEHMkVi.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\HonirzK.exe
  C:\Windows\System32\HonirzK.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\nvBvIyt.exe
  C:\Windows\System32\nvBvIyt.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System32\LVPQAWM.exe
  C:\Windows\System32\LVPQAWM.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System32\IoOHsth.exe
  C:\Windows\System32\IoOHsth.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\dVwYESx.exe
  C:\Windows\System32\dVwYESx.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System32\ikvnTfr.exe
  C:\Windows\System32\ikvnTfr.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System32\SYOBGRS.exe
  C:\Windows\System32\SYOBGRS.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System32\UyfbjvP.exe
  C:\Windows\System32\UyfbjvP.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System32\brvNHkU.exe
  C:\Windows\System32\brvNHkU.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System32\jBqaBwX.exe
  C:\Windows\System32\jBqaBwX.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\cAfhAfU.exe
  C:\Windows\System32\cAfhAfU.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System32\ypdrgSD.exe
  C:\Windows\System32\ypdrgSD.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\DwhjaKp.exe
  C:\Windows\System32\DwhjaKp.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System32\LadgOaY.exe
  C:\Windows\System32\LadgOaY.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\ZOOmmVq.exe
  C:\Windows\System32\ZOOmmVq.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\dfXrFcM.exe
  C:\Windows\System32\dfXrFcM.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\aVANQyX.exe
  C:\Windows\System32\aVANQyX.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System32\kEubsxj.exe
  C:\Windows\System32\kEubsxj.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\zMwLPCj.exe
  C:\Windows\System32\zMwLPCj.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System32\BMEWWFs.exe
  C:\Windows\System32\BMEWWFs.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System32\BQVWHAS.exe
  C:\Windows\System32\BQVWHAS.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System32\AsapccD.exe
  C:\Windows\System32\AsapccD.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System32\dzvPLCG.exe
  C:\Windows\System32\dzvPLCG.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System32\SFmmaLn.exe
  C:\Windows\System32\SFmmaLn.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\bwGTFod.exe
  C:\Windows\System32\bwGTFod.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System32\QTohLaA.exe
  C:\Windows\System32\QTohLaA.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System32\FQCAvbG.exe
  C:\Windows\System32\FQCAvbG.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\OIIrjvX.exe
  C:\Windows\System32\OIIrjvX.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System32\OWSqfrv.exe
  C:\Windows\System32\OWSqfrv.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System32\EUikOZk.exe
  C:\Windows\System32\EUikOZk.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System32\WGhtCsZ.exe
  C:\Windows\System32\WGhtCsZ.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\VQVLtqn.exe
  C:\Windows\System32\VQVLtqn.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System32\aBpZhwC.exe
  C:\Windows\System32\aBpZhwC.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System32\vUTrTgM.exe
  C:\Windows\System32\vUTrTgM.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System32\MTSNnoz.exe
  C:\Windows\System32\MTSNnoz.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System32\lrgTqun.exe
  C:\Windows\System32\lrgTqun.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\LClFDWD.exe
  C:\Windows\System32\LClFDWD.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System32\TMlNNei.exe
  C:\Windows\System32\TMlNNei.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System32\CcLBxhb.exe
  C:\Windows\System32\CcLBxhb.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System32\RfONjgY.exe
  C:\Windows\System32\RfONjgY.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System32\AAaRiyh.exe
  C:\Windows\System32\AAaRiyh.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\XitYLem.exe
  C:\Windows\System32\XitYLem.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System32\KMSsZRK.exe
  C:\Windows\System32\KMSsZRK.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System32\kxxrLhx.exe
  C:\Windows\System32\kxxrLhx.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\HdAVFin.exe
  C:\Windows\System32\HdAVFin.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System32\HeGWbhz.exe
  C:\Windows\System32\HeGWbhz.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System32\qdrKRsn.exe
  C:\Windows\System32\qdrKRsn.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\System32\yxxKGhm.exe
  C:\Windows\System32\yxxKGhm.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\EFywpTD.exe
  C:\Windows\System32\EFywpTD.exe
  2⤵
  PID:2784
- C:\Windows\System32\FeWidJB.exe
  C:\Windows\System32\FeWidJB.exe
  2⤵
  PID:4012
- C:\Windows\System32\GJkDKOM.exe
  C:\Windows\System32\GJkDKOM.exe
  2⤵
  PID:4052
- C:\Windows\System32\XGGUiee.exe
  C:\Windows\System32\XGGUiee.exe
  2⤵
  PID:2692
- C:\Windows\System32\xLbTXcH.exe
  C:\Windows\System32\xLbTXcH.exe
  2⤵
  PID:2888
- C:\Windows\System32\vzUDVIA.exe
  C:\Windows\System32\vzUDVIA.exe
  2⤵
  PID:3368
- C:\Windows\System32\vGvLPkD.exe
  C:\Windows\System32\vGvLPkD.exe
  2⤵
  PID:2584
- C:\Windows\System32\LRRsiSB.exe
  C:\Windows\System32\LRRsiSB.exe
  2⤵
  PID:656
- C:\Windows\System32\ptbvxbG.exe
  C:\Windows\System32\ptbvxbG.exe
  2⤵
  PID:3416
- C:\Windows\System32\pWvXpDw.exe
  C:\Windows\System32\pWvXpDw.exe
  2⤵
  PID:3464
- C:\Windows\System32\auDlOvL.exe
  C:\Windows\System32\auDlOvL.exe
  2⤵
  PID:3504
- C:\Windows\System32\LdFpGFn.exe
  C:\Windows\System32\LdFpGFn.exe
  2⤵
  PID:5132
- C:\Windows\System32\FwaQHis.exe
  C:\Windows\System32\FwaQHis.exe
  2⤵
  PID:5160
- C:\Windows\System32\TBroegN.exe
  C:\Windows\System32\TBroegN.exe
  2⤵
  PID:5200
- C:\Windows\System32\xVkFduq.exe
  C:\Windows\System32\xVkFduq.exe
  2⤵
  PID:5216
- C:\Windows\System32\KFRARqK.exe
  C:\Windows\System32\KFRARqK.exe
  2⤵
  PID:5256
- C:\Windows\System32\JNYANHF.exe
  C:\Windows\System32\JNYANHF.exe
  2⤵
  PID:5272
- C:\Windows\System32\QTQCuMl.exe
  C:\Windows\System32\QTQCuMl.exe
  2⤵
  PID:5300
- C:\Windows\System32\zTuGdJF.exe
  C:\Windows\System32\zTuGdJF.exe
  2⤵
  PID:5328
- C:\Windows\System32\UdATKOB.exe
  C:\Windows\System32\UdATKOB.exe
  2⤵
  PID:5356
- C:\Windows\System32\OQGIFgs.exe
  C:\Windows\System32\OQGIFgs.exe
  2⤵
  PID:5384
- C:\Windows\System32\rjZrSTm.exe
  C:\Windows\System32\rjZrSTm.exe
  2⤵
  PID:5412
- C:\Windows\System32\ZBJrRSj.exe
  C:\Windows\System32\ZBJrRSj.exe
  2⤵
  PID:5448
- C:\Windows\System32\GdXcpDq.exe
  C:\Windows\System32\GdXcpDq.exe
  2⤵
  PID:5468
- C:\Windows\System32\hcDeMvr.exe
  C:\Windows\System32\hcDeMvr.exe
  2⤵
  PID:5496
- C:\Windows\System32\SnCganc.exe
  C:\Windows\System32\SnCganc.exe
  2⤵
  PID:5524
- C:\Windows\System32\xkIeNeZ.exe
  C:\Windows\System32\xkIeNeZ.exe
  2⤵
  PID:5552
- C:\Windows\System32\TOvenRF.exe
  C:\Windows\System32\TOvenRF.exe
  2⤵
  PID:5592
- C:\Windows\System32\OluHfSc.exe
  C:\Windows\System32\OluHfSc.exe
  2⤵
  PID:5608
- C:\Windows\System32\vZdWzHj.exe
  C:\Windows\System32\vZdWzHj.exe
  2⤵
  PID:5636
- C:\Windows\System32\gvonMwX.exe
  C:\Windows\System32\gvonMwX.exe
  2⤵
  PID:5664
- C:\Windows\System32\amfVkvM.exe
  C:\Windows\System32\amfVkvM.exe
  2⤵
  PID:5692
- C:\Windows\System32\AxMAZGi.exe
  C:\Windows\System32\AxMAZGi.exe
  2⤵
  PID:5720
- C:\Windows\System32\DcXXgzO.exe
  C:\Windows\System32\DcXXgzO.exe
  2⤵
  PID:5748
- C:\Windows\System32\knCZALK.exe
  C:\Windows\System32\knCZALK.exe
  2⤵
  PID:5776
- C:\Windows\System32\jgzUKEq.exe
  C:\Windows\System32\jgzUKEq.exe
  2⤵
  PID:5804
- C:\Windows\System32\oxTOvJY.exe
  C:\Windows\System32\oxTOvJY.exe
  2⤵
  PID:5832
- C:\Windows\System32\xqKKuMn.exe
  C:\Windows\System32\xqKKuMn.exe
  2⤵
  PID:5860
- C:\Windows\System32\SIqCGcN.exe
  C:\Windows\System32\SIqCGcN.exe
  2⤵
  PID:5888
- C:\Windows\System32\rjgPWDS.exe
  C:\Windows\System32\rjgPWDS.exe
  2⤵
  PID:5916
- C:\Windows\System32\GKeZWsS.exe
  C:\Windows\System32\GKeZWsS.exe
  2⤵
  PID:5944
- C:\Windows\System32\jGtBOCy.exe
  C:\Windows\System32\jGtBOCy.exe
  2⤵
  PID:5972
- C:\Windows\System32\qUEzCjn.exe
  C:\Windows\System32\qUEzCjn.exe
  2⤵
  PID:6000
- C:\Windows\System32\QGmrDjj.exe
  C:\Windows\System32\QGmrDjj.exe
  2⤵
  PID:6028
- C:\Windows\System32\wTkzFeK.exe
  C:\Windows\System32\wTkzFeK.exe
  2⤵
  PID:6056
- C:\Windows\System32\tPFfPUx.exe
  C:\Windows\System32\tPFfPUx.exe
  2⤵
  PID:6084
- C:\Windows\System32\CyRKPjA.exe
  C:\Windows\System32\CyRKPjA.exe
  2⤵
  PID:6112
- C:\Windows\System32\rVFAxgP.exe
  C:\Windows\System32\rVFAxgP.exe
  2⤵
  PID:6140
- C:\Windows\System32\qTdmGOg.exe
  C:\Windows\System32\qTdmGOg.exe
  2⤵
  PID:4676
- C:\Windows\System32\HdCCWsB.exe
  C:\Windows\System32\HdCCWsB.exe
  2⤵
  PID:4600
- C:\Windows\System32\EmFzNJG.exe
  C:\Windows\System32\EmFzNJG.exe
  2⤵
  PID:2764
- C:\Windows\System32\zChacpK.exe
  C:\Windows\System32\zChacpK.exe
  2⤵
  PID:3880
- C:\Windows\System32\ezlvWoJ.exe
  C:\Windows\System32\ezlvWoJ.exe
  2⤵
  PID:5128
- C:\Windows\System32\isOQEPi.exe
  C:\Windows\System32\isOQEPi.exe
  2⤵
  PID:5184
- C:\Windows\System32\GDHseVG.exe
  C:\Windows\System32\GDHseVG.exe
  2⤵
  PID:5264
- C:\Windows\System32\PnjxVPl.exe
  C:\Windows\System32\PnjxVPl.exe
  2⤵
  PID:5320
- C:\Windows\System32\iorrkEa.exe
  C:\Windows\System32\iorrkEa.exe
  2⤵
  PID:5400
- C:\Windows\System32\UMfkWRS.exe
  C:\Windows\System32\UMfkWRS.exe
  2⤵
  PID:5456
- C:\Windows\System32\xnUbgAR.exe
  C:\Windows\System32\xnUbgAR.exe
  2⤵
  PID:5516
- C:\Windows\System32\NRNrUTU.exe
  C:\Windows\System32\NRNrUTU.exe
  2⤵
  PID:5584
- C:\Windows\System32\qExhKAn.exe
  C:\Windows\System32\qExhKAn.exe
  2⤵
  PID:5644
- C:\Windows\System32\rXGhWFo.exe
  C:\Windows\System32\rXGhWFo.exe
  2⤵
  PID:5712
- C:\Windows\System32\QaQJDRR.exe
  C:\Windows\System32\QaQJDRR.exe
  2⤵
  PID:5792
- C:\Windows\System32\waTpwUW.exe
  C:\Windows\System32\waTpwUW.exe
  2⤵
  PID:5840
- C:\Windows\System32\NFFpptj.exe
  C:\Windows\System32\NFFpptj.exe
  2⤵
  PID:5908
- C:\Windows\System32\MzKKRKd.exe
  C:\Windows\System32\MzKKRKd.exe
  2⤵
  PID:5988
- C:\Windows\System32\CCCcTBI.exe
  C:\Windows\System32\CCCcTBI.exe
  2⤵
  PID:6036
- C:\Windows\System32\otrCpPN.exe
  C:\Windows\System32\otrCpPN.exe
  2⤵
  PID:6104
- C:\Windows\System32\afYtetc.exe
  C:\Windows\System32\afYtetc.exe
  2⤵
  PID:2676
- C:\Windows\System32\rhYGPlh.exe
  C:\Windows\System32\rhYGPlh.exe
  2⤵
  PID:3148
- C:\Windows\System32\glrvMNU.exe
  C:\Windows\System32\glrvMNU.exe
  2⤵
  PID:5168
- C:\Windows\System32\kYGymEt.exe
  C:\Windows\System32\kYGymEt.exe
  2⤵
  PID:5372
- C:\Windows\System32\tAwqwah.exe
  C:\Windows\System32\tAwqwah.exe
  2⤵
  PID:5484
- C:\Windows\System32\uUvVfgl.exe
  C:\Windows\System32\uUvVfgl.exe
  2⤵
  PID:5628
- C:\Windows\System32\oCjCgDH.exe
  C:\Windows\System32\oCjCgDH.exe
  2⤵
  PID:5812
- C:\Windows\System32\ylQCaIU.exe
  C:\Windows\System32\ylQCaIU.exe
  2⤵
  PID:5924
- C:\Windows\System32\jKYYCYE.exe
  C:\Windows\System32\jKYYCYE.exe
  2⤵
  PID:6072
- C:\Windows\System32\AiTldZk.exe
  C:\Windows\System32\AiTldZk.exe
  2⤵
  PID:6168
- C:\Windows\System32\bJodaHZ.exe
  C:\Windows\System32\bJodaHZ.exe
  2⤵
  PID:6196
- C:\Windows\System32\CebzkTg.exe
  C:\Windows\System32\CebzkTg.exe
  2⤵
  PID:6224
- C:\Windows\System32\XvAoqHk.exe
  C:\Windows\System32\XvAoqHk.exe
  2⤵
  PID:6252
- C:\Windows\System32\LigRikH.exe
  C:\Windows\System32\LigRikH.exe
  2⤵
  PID:6280
- C:\Windows\System32\nAJEMEJ.exe
  C:\Windows\System32\nAJEMEJ.exe
  2⤵
  PID:6308
- C:\Windows\System32\dMUpMqk.exe
  C:\Windows\System32\dMUpMqk.exe
  2⤵
  PID:6336
- C:\Windows\System32\DUcoyaB.exe
  C:\Windows\System32\DUcoyaB.exe
  2⤵
  PID:6364
- C:\Windows\System32\ZrpZEuO.exe
  C:\Windows\System32\ZrpZEuO.exe
  2⤵
  PID:6392
- C:\Windows\System32\yemzLyk.exe
  C:\Windows\System32\yemzLyk.exe
  2⤵
  PID:6420
- C:\Windows\System32\kuIYUrc.exe
  C:\Windows\System32\kuIYUrc.exe
  2⤵
  PID:6448
- C:\Windows\System32\oiiBQVO.exe
  C:\Windows\System32\oiiBQVO.exe
  2⤵
  PID:6488
- C:\Windows\System32\VBFCwLY.exe
  C:\Windows\System32\VBFCwLY.exe
  2⤵
  PID:6504
- C:\Windows\System32\pvEmnpn.exe
  C:\Windows\System32\pvEmnpn.exe
  2⤵
  PID:6532
- C:\Windows\System32\GNzmaze.exe
  C:\Windows\System32\GNzmaze.exe
  2⤵
  PID:6560
- C:\Windows\System32\IhXCZNF.exe
  C:\Windows\System32\IhXCZNF.exe
  2⤵
  PID:6588
- C:\Windows\System32\zorJjXW.exe
  C:\Windows\System32\zorJjXW.exe
  2⤵
  PID:6616
- C:\Windows\System32\shQxaDJ.exe
  C:\Windows\System32\shQxaDJ.exe
  2⤵
  PID:6644
- C:\Windows\System32\mfYadVf.exe
  C:\Windows\System32\mfYadVf.exe
  2⤵
  PID:6672
- C:\Windows\System32\rmCEJha.exe
  C:\Windows\System32\rmCEJha.exe
  2⤵
  PID:6700
- C:\Windows\System32\FOYGkXw.exe
  C:\Windows\System32\FOYGkXw.exe
  2⤵
  PID:6728
- C:\Windows\System32\sCweqUP.exe
  C:\Windows\System32\sCweqUP.exe
  2⤵
  PID:6756
- C:\Windows\System32\CfTZAyN.exe
  C:\Windows\System32\CfTZAyN.exe
  2⤵
  PID:6796
- C:\Windows\System32\fYBRBqr.exe
  C:\Windows\System32\fYBRBqr.exe
  2⤵
  PID:6812
- C:\Windows\System32\fRVUHKs.exe
  C:\Windows\System32\fRVUHKs.exe
  2⤵
  PID:6840
- C:\Windows\System32\DtyrUBI.exe
  C:\Windows\System32\DtyrUBI.exe
  2⤵
  PID:6868
- C:\Windows\System32\vQJwmcL.exe
  C:\Windows\System32\vQJwmcL.exe
  2⤵
  PID:6896
- C:\Windows\System32\SAItqKb.exe
  C:\Windows\System32\SAItqKb.exe
  2⤵
  PID:6924
- C:\Windows\System32\OADdinq.exe
  C:\Windows\System32\OADdinq.exe
  2⤵
  PID:6952
- C:\Windows\System32\eMnWbHO.exe
  C:\Windows\System32\eMnWbHO.exe
  2⤵
  PID:6980
- C:\Windows\System32\gUpFpVS.exe
  C:\Windows\System32\gUpFpVS.exe
  2⤵
  PID:7008
- C:\Windows\System32\BCeHoiW.exe
  C:\Windows\System32\BCeHoiW.exe
  2⤵
  PID:7036
- C:\Windows\System32\PeiovoX.exe
  C:\Windows\System32\PeiovoX.exe
  2⤵
  PID:7064
- C:\Windows\System32\rfowDpC.exe
  C:\Windows\System32\rfowDpC.exe
  2⤵
  PID:7092
- C:\Windows\System32\xQJhSyE.exe
  C:\Windows\System32\xQJhSyE.exe
  2⤵
  PID:7120
- C:\Windows\System32\sBQtDGT.exe
  C:\Windows\System32\sBQtDGT.exe
  2⤵
  PID:7148
- C:\Windows\System32\OJqMSSo.exe
  C:\Windows\System32\OJqMSSo.exe
  2⤵
  PID:4596
- C:\Windows\System32\bAwZEeX.exe
  C:\Windows\System32\bAwZEeX.exe
  2⤵
  PID:5292
- C:\Windows\System32\zIcbamG.exe
  C:\Windows\System32\zIcbamG.exe
  2⤵
  PID:5568
- C:\Windows\System32\ADWQKXy.exe
  C:\Windows\System32\ADWQKXy.exe
  2⤵
  PID:5876
- C:\Windows\System32\PMhJurO.exe
  C:\Windows\System32\PMhJurO.exe
  2⤵
  PID:6184
- C:\Windows\System32\XqVIFAW.exe
  C:\Windows\System32\XqVIFAW.exe
  2⤵
  PID:6232
- C:\Windows\System32\cpLVllE.exe
  C:\Windows\System32\cpLVllE.exe
  2⤵
  PID:6300
- C:\Windows\System32\RIzLKlz.exe
  C:\Windows\System32\RIzLKlz.exe
  2⤵
  PID:6380
- C:\Windows\System32\JtRMrKJ.exe
  C:\Windows\System32\JtRMrKJ.exe
  2⤵
  PID:6428
- C:\Windows\System32\GtzRhwD.exe
  C:\Windows\System32\GtzRhwD.exe
  2⤵
  PID:6500
- C:\Windows\System32\oqGwItP.exe
  C:\Windows\System32\oqGwItP.exe
  2⤵
  PID:6576
- C:\Windows\System32\oduIZua.exe
  C:\Windows\System32\oduIZua.exe
  2⤵
  PID:6624
- C:\Windows\System32\shZecFJ.exe
  C:\Windows\System32\shZecFJ.exe
  2⤵
  PID:6692
- C:\Windows\System32\HvwTYlT.exe
  C:\Windows\System32\HvwTYlT.exe
  2⤵
  PID:6748
- C:\Windows\System32\OfRXEPE.exe
  C:\Windows\System32\OfRXEPE.exe
  2⤵
  PID:6828
- C:\Windows\System32\nGiMFlj.exe
  C:\Windows\System32\nGiMFlj.exe
  2⤵
  PID:6876
- C:\Windows\System32\KObBeQT.exe
  C:\Windows\System32\KObBeQT.exe
  2⤵
  PID:6944
- C:\Windows\System32\KeElmYT.exe
  C:\Windows\System32\KeElmYT.exe
  2⤵
  PID:7024
- C:\Windows\System32\WJORPCz.exe
  C:\Windows\System32\WJORPCz.exe
  2⤵
  PID:3640
- C:\Windows\System32\KNUOuri.exe
  C:\Windows\System32\KNUOuri.exe
  2⤵
  PID:7136
- C:\Windows\System32\EltLPYy.exe
  C:\Windows\System32\EltLPYy.exe
  2⤵
  PID:1304
- C:\Windows\System32\bVQkEwy.exe
  C:\Windows\System32\bVQkEwy.exe
  2⤵
  PID:5764
- C:\Windows\System32\ASgmGbM.exe
  C:\Windows\System32\ASgmGbM.exe
  2⤵
  PID:6188
- C:\Windows\System32\KNHrhIU.exe
  C:\Windows\System32\KNHrhIU.exe
  2⤵
  PID:6400
- C:\Windows\System32\aZbrRts.exe
  C:\Windows\System32\aZbrRts.exe
  2⤵
  PID:6548
- C:\Windows\System32\SxEqbUh.exe
  C:\Windows\System32\SxEqbUh.exe
  2⤵
  PID:6664
- C:\Windows\System32\OKNMWah.exe
  C:\Windows\System32\OKNMWah.exe
  2⤵
  PID:6764
- C:\Windows\System32\zbWAGat.exe
  C:\Windows\System32\zbWAGat.exe
  2⤵
  PID:6940
- C:\Windows\System32\nMiyPlA.exe
  C:\Windows\System32\nMiyPlA.exe
  2⤵
  PID:7056
- C:\Windows\System32\mOJTyKQ.exe
  C:\Windows\System32\mOJTyKQ.exe
  2⤵
  PID:2988
- C:\Windows\System32\ZtKVEuR.exe
  C:\Windows\System32\ZtKVEuR.exe
  2⤵
  PID:6204
- C:\Windows\System32\cVOFCgT.exe
  C:\Windows\System32\cVOFCgT.exe
  2⤵
  PID:7184
- C:\Windows\System32\Ofcfafv.exe
  C:\Windows\System32\Ofcfafv.exe
  2⤵
  PID:7212
- C:\Windows\System32\NvbCUTv.exe
  C:\Windows\System32\NvbCUTv.exe
  2⤵
  PID:7240
- C:\Windows\System32\HPagJFI.exe
  C:\Windows\System32\HPagJFI.exe
  2⤵
  PID:7268
- C:\Windows\System32\nQaTQBA.exe
  C:\Windows\System32\nQaTQBA.exe
  2⤵
  PID:7296
- C:\Windows\System32\AHHoxPa.exe
  C:\Windows\System32\AHHoxPa.exe
  2⤵
  PID:7324
- C:\Windows\System32\vwtQUAK.exe
  C:\Windows\System32\vwtQUAK.exe
  2⤵
  PID:7352
- C:\Windows\System32\AhgYQRU.exe
  C:\Windows\System32\AhgYQRU.exe
  2⤵
  PID:7380
- C:\Windows\System32\cNWZPpF.exe
  C:\Windows\System32\cNWZPpF.exe
  2⤵
  PID:7408
- C:\Windows\System32\Lgtbzst.exe
  C:\Windows\System32\Lgtbzst.exe
  2⤵
  PID:7436
- C:\Windows\System32\oYdjLhk.exe
  C:\Windows\System32\oYdjLhk.exe
  2⤵
  PID:7464
- C:\Windows\System32\VQmInUY.exe
  C:\Windows\System32\VQmInUY.exe
  2⤵
  PID:7492
- C:\Windows\System32\lcgBluw.exe
  C:\Windows\System32\lcgBluw.exe
  2⤵
  PID:7520
- C:\Windows\System32\lYTbfmt.exe
  C:\Windows\System32\lYTbfmt.exe
  2⤵
  PID:7548
- C:\Windows\System32\qLitmon.exe
  C:\Windows\System32\qLitmon.exe
  2⤵
  PID:7576
- C:\Windows\System32\lyAajhc.exe
  C:\Windows\System32\lyAajhc.exe
  2⤵
  PID:7616
- C:\Windows\System32\rXqCgSm.exe
  C:\Windows\System32\rXqCgSm.exe
  2⤵
  PID:7632
- C:\Windows\System32\DvgCufP.exe
  C:\Windows\System32\DvgCufP.exe
  2⤵
  PID:7660
- C:\Windows\System32\fqyeQJG.exe
  C:\Windows\System32\fqyeQJG.exe
  2⤵
  PID:7688
- C:\Windows\System32\jgVbmWE.exe
  C:\Windows\System32\jgVbmWE.exe
  2⤵
  PID:7716
- C:\Windows\System32\UqYgAhx.exe
  C:\Windows\System32\UqYgAhx.exe
  2⤵
  PID:7756
- C:\Windows\System32\mxlUfTx.exe
  C:\Windows\System32\mxlUfTx.exe
  2⤵
  PID:7772
- C:\Windows\System32\ePhuSEE.exe
  C:\Windows\System32\ePhuSEE.exe
  2⤵
  PID:7800
- C:\Windows\System32\HjLxXpH.exe
  C:\Windows\System32\HjLxXpH.exe
  2⤵
  PID:7828
- C:\Windows\System32\jHgTtIc.exe
  C:\Windows\System32\jHgTtIc.exe
  2⤵
  PID:7856
- C:\Windows\System32\wslcUFs.exe
  C:\Windows\System32\wslcUFs.exe
  2⤵
  PID:7884
- C:\Windows\System32\dBuwhoj.exe
  C:\Windows\System32\dBuwhoj.exe
  2⤵
  PID:7924
- C:\Windows\System32\NnHMSvK.exe
  C:\Windows\System32\NnHMSvK.exe
  2⤵
  PID:7940
- C:\Windows\System32\hQETRrd.exe
  C:\Windows\System32\hQETRrd.exe
  2⤵
  PID:8020
- C:\Windows\System32\CayLvkY.exe
  C:\Windows\System32\CayLvkY.exe
  2⤵
  PID:8040
- C:\Windows\System32\ocIdiWN.exe
  C:\Windows\System32\ocIdiWN.exe
  2⤵
  PID:8088
- C:\Windows\System32\OzJlswb.exe
  C:\Windows\System32\OzJlswb.exe
  2⤵
  PID:8116
- C:\Windows\System32\rzhVvFy.exe
  C:\Windows\System32\rzhVvFy.exe
  2⤵
  PID:8136
- C:\Windows\System32\gAiWHcl.exe
  C:\Windows\System32\gAiWHcl.exe
  2⤵
  PID:8152
- C:\Windows\System32\BlfDEwt.exe
  C:\Windows\System32\BlfDEwt.exe
  2⤵
  PID:8180
- C:\Windows\System32\jcZhaey.exe
  C:\Windows\System32\jcZhaey.exe
  2⤵
  PID:6464
- C:\Windows\System32\mWCivaE.exe
  C:\Windows\System32\mWCivaE.exe
  2⤵
  PID:6688
- C:\Windows\System32\EpyjXpC.exe
  C:\Windows\System32\EpyjXpC.exe
  2⤵
  PID:4816
- C:\Windows\System32\hmdSYSB.exe
  C:\Windows\System32\hmdSYSB.exe
  2⤵
  PID:1180
- C:\Windows\System32\IKkNhlx.exe
  C:\Windows\System32\IKkNhlx.exe
  2⤵
  PID:7192
- C:\Windows\System32\WhRQLxZ.exe
  C:\Windows\System32\WhRQLxZ.exe
  2⤵
  PID:7284
- C:\Windows\System32\wUTLIfN.exe
  C:\Windows\System32\wUTLIfN.exe
  2⤵
  PID:7304
- C:\Windows\System32\DFOLgEL.exe
  C:\Windows\System32\DFOLgEL.exe
  2⤵
  PID:3376
- C:\Windows\System32\sviXPZH.exe
  C:\Windows\System32\sviXPZH.exe
  2⤵
  PID:7444
- C:\Windows\System32\JRHnBpq.exe
  C:\Windows\System32\JRHnBpq.exe
  2⤵
  PID:4836
- C:\Windows\System32\jjTUxfa.exe
  C:\Windows\System32\jjTUxfa.exe
  2⤵
  PID:7500
- C:\Windows\System32\LypJknx.exe
  C:\Windows\System32\LypJknx.exe
  2⤵
  PID:7540
- C:\Windows\System32\bKoSsrw.exe
  C:\Windows\System32\bKoSsrw.exe
  2⤵
  PID:7732
- C:\Windows\System32\VgeZPIP.exe
  C:\Windows\System32\VgeZPIP.exe
  2⤵
  PID:3052
- C:\Windows\System32\DJQwBGQ.exe
  C:\Windows\System32\DJQwBGQ.exe
  2⤵
  PID:7780
- C:\Windows\System32\VIeVhMj.exe
  C:\Windows\System32\VIeVhMj.exe
  2⤵
  PID:4188
- C:\Windows\System32\FGsqFXa.exe
  C:\Windows\System32\FGsqFXa.exe
  2⤵
  PID:7848
- C:\Windows\System32\ZzYzvKj.exe
  C:\Windows\System32\ZzYzvKj.exe
  2⤵
  PID:1256
- C:\Windows\System32\WxxGzyT.exe
  C:\Windows\System32\WxxGzyT.exe
  2⤵
  PID:2044
- C:\Windows\System32\ShkrWvz.exe
  C:\Windows\System32\ShkrWvz.exe
  2⤵
  PID:7996
- C:\Windows\System32\zHlHgzg.exe
  C:\Windows\System32\zHlHgzg.exe
  2⤵
  PID:2556
- C:\Windows\System32\jCdOmNb.exe
  C:\Windows\System32\jCdOmNb.exe
  2⤵
  PID:8036
- C:\Windows\System32\eFPMdLB.exe
  C:\Windows\System32\eFPMdLB.exe
  2⤵
  PID:3692
- C:\Windows\System32\iGVKrhh.exe
  C:\Windows\System32\iGVKrhh.exe
  2⤵
  PID:1224
- C:\Windows\System32\QsAhRDn.exe
  C:\Windows\System32\QsAhRDn.exe
  2⤵
  PID:7340
- C:\Windows\System32\XCQofpF.exe
  C:\Windows\System32\XCQofpF.exe
  2⤵
  PID:7332
- C:\Windows\System32\jGTOAAX.exe
  C:\Windows\System32\jGTOAAX.exe
  2⤵
  PID:7472
- C:\Windows\System32\ugtKRob.exe
  C:\Windows\System32\ugtKRob.exe
  2⤵
  PID:7584
- C:\Windows\System32\YfQkAZI.exe
  C:\Windows\System32\YfQkAZI.exe
  2⤵
  PID:2320
- C:\Windows\System32\xYlstpi.exe
  C:\Windows\System32\xYlstpi.exe
  2⤵
  PID:884
- C:\Windows\System32\offRMId.exe
  C:\Windows\System32\offRMId.exe
  2⤵
  PID:7220
- C:\Windows\System32\HJzHwQn.exe
  C:\Windows\System32\HJzHwQn.exe
  2⤵
  PID:1848
- C:\Windows\System32\rDuGxuI.exe
  C:\Windows\System32\rDuGxuI.exe
  2⤵
  PID:60
- C:\Windows\System32\xuRSslx.exe
  C:\Windows\System32\xuRSslx.exe
  2⤵
  PID:8052
- C:\Windows\System32\oMDJazm.exe
  C:\Windows\System32\oMDJazm.exe
  2⤵
  PID:8028
- C:\Windows\System32\SGeaxxg.exe
  C:\Windows\System32\SGeaxxg.exe
  2⤵
  PID:7172
- C:\Windows\System32\owBzBGG.exe
  C:\Windows\System32\owBzBGG.exe
  2⤵
  PID:7768
- C:\Windows\System32\FsdfGQh.exe
  C:\Windows\System32\FsdfGQh.exe
  2⤵
  PID:7820
- C:\Windows\System32\cvZgflp.exe
  C:\Windows\System32\cvZgflp.exe
  2⤵
  PID:2944
- C:\Windows\System32\SMSjctT.exe
  C:\Windows\System32\SMSjctT.exe
  2⤵
  PID:3284
- C:\Windows\System32\SDagQLN.exe
  C:\Windows\System32\SDagQLN.exe
  2⤵
  PID:8076
- C:\Windows\System32\CZuYtrq.exe
  C:\Windows\System32\CZuYtrq.exe
  2⤵
  PID:3244
- C:\Windows\System32\UAVOWrs.exe
  C:\Windows\System32\UAVOWrs.exe
  2⤵
  PID:2860
- C:\Windows\System32\UdrDaXR.exe
  C:\Windows\System32\UdrDaXR.exe
  2⤵
  PID:536
- C:\Windows\System32\rtUqGhH.exe
  C:\Windows\System32\rtUqGhH.exe
  2⤵
  PID:1364
- C:\Windows\System32\lJJhKfu.exe
  C:\Windows\System32\lJJhKfu.exe
  2⤵
  PID:2800
- C:\Windows\System32\TDVFhbF.exe
  C:\Windows\System32\TDVFhbF.exe
  2⤵
  PID:7844
- C:\Windows\System32\yuYiMEs.exe
  C:\Windows\System32\yuYiMEs.exe
  2⤵
  PID:8220
- C:\Windows\System32\wQCCTZz.exe
  C:\Windows\System32\wQCCTZz.exe
  2⤵
  PID:8248
- C:\Windows\System32\JHCvIHF.exe
  C:\Windows\System32\JHCvIHF.exe
  2⤵
  PID:8276
- C:\Windows\System32\DJQlmua.exe
  C:\Windows\System32\DJQlmua.exe
  2⤵
  PID:8312
- C:\Windows\System32\CiCGetY.exe
  C:\Windows\System32\CiCGetY.exe
  2⤵
  PID:8332
- C:\Windows\System32\pdodSrs.exe
  C:\Windows\System32\pdodSrs.exe
  2⤵
  PID:8348
- C:\Windows\System32\GWiDvfN.exe
  C:\Windows\System32\GWiDvfN.exe
  2⤵
  PID:8376
- C:\Windows\System32\YwbnaUY.exe
  C:\Windows\System32\YwbnaUY.exe
  2⤵
  PID:8416
- C:\Windows\System32\fCRCXmz.exe
  C:\Windows\System32\fCRCXmz.exe
  2⤵
  PID:8456
- C:\Windows\System32\PrsFvDW.exe
  C:\Windows\System32\PrsFvDW.exe
  2⤵
  PID:8472
- C:\Windows\System32\QFqjbgC.exe
  C:\Windows\System32\QFqjbgC.exe
  2⤵
  PID:8488
- C:\Windows\System32\GnQXReB.exe
  C:\Windows\System32\GnQXReB.exe
  2⤵
  PID:8516
- C:\Windows\System32\berjBlY.exe
  C:\Windows\System32\berjBlY.exe
  2⤵
  PID:8560
- C:\Windows\System32\OcuBQfJ.exe
  C:\Windows\System32\OcuBQfJ.exe
  2⤵
  PID:8584
- C:\Windows\System32\GHMnynV.exe
  C:\Windows\System32\GHMnynV.exe
  2⤵
  PID:8600
- C:\Windows\System32\SZtktPM.exe
  C:\Windows\System32\SZtktPM.exe
  2⤵
  PID:8640
- C:\Windows\System32\ukKQFOu.exe
  C:\Windows\System32\ukKQFOu.exe
  2⤵
  PID:8660
- C:\Windows\System32\FIcpehG.exe
  C:\Windows\System32\FIcpehG.exe
  2⤵
  PID:8700
- C:\Windows\System32\CnjSFqU.exe
  C:\Windows\System32\CnjSFqU.exe
  2⤵
  PID:8724
- C:\Windows\System32\vihjLuu.exe
  C:\Windows\System32\vihjLuu.exe
  2⤵
  PID:8760
- C:\Windows\System32\dbcFCex.exe
  C:\Windows\System32\dbcFCex.exe
  2⤵
  PID:8784
- C:\Windows\System32\QydELdI.exe
  C:\Windows\System32\QydELdI.exe
  2⤵
  PID:8816
- C:\Windows\System32\AaIDbzS.exe
  C:\Windows\System32\AaIDbzS.exe
  2⤵
  PID:8844
- C:\Windows\System32\DytCDks.exe
  C:\Windows\System32\DytCDks.exe
  2⤵
  PID:8876
- C:\Windows\System32\GhRBPRN.exe
  C:\Windows\System32\GhRBPRN.exe
  2⤵
  PID:8896
- C:\Windows\System32\KZILtfr.exe
  C:\Windows\System32\KZILtfr.exe
  2⤵
  PID:8928
- C:\Windows\System32\VbAFyIM.exe
  C:\Windows\System32\VbAFyIM.exe
  2⤵
  PID:8960
- C:\Windows\System32\ihCUhck.exe
  C:\Windows\System32\ihCUhck.exe
  2⤵
  PID:8976
- C:\Windows\System32\YFwGjYz.exe
  C:\Windows\System32\YFwGjYz.exe
  2⤵
  PID:9060
- C:\Windows\System32\nzuUqbm.exe
  C:\Windows\System32\nzuUqbm.exe
  2⤵
  PID:9076
- C:\Windows\System32\qSjHNWb.exe
  C:\Windows\System32\qSjHNWb.exe
  2⤵
  PID:9104
- C:\Windows\System32\jBNfANb.exe
  C:\Windows\System32\jBNfANb.exe
  2⤵
  PID:9132
- C:\Windows\System32\LhopOFd.exe
  C:\Windows\System32\LhopOFd.exe
  2⤵
  PID:9152
- C:\Windows\System32\BrAkxDh.exe
  C:\Windows\System32\BrAkxDh.exe
  2⤵
  PID:9176
- C:\Windows\System32\nfBkWpe.exe
  C:\Windows\System32\nfBkWpe.exe
  2⤵
  PID:9192
- C:\Windows\System32\dVSeCTg.exe
  C:\Windows\System32\dVSeCTg.exe
  2⤵
  PID:828
- C:\Windows\System32\zGqMMTh.exe
  C:\Windows\System32\zGqMMTh.exe
  2⤵
  PID:8324
- C:\Windows\System32\diLLrjv.exe
  C:\Windows\System32\diLLrjv.exe
  2⤵
  PID:8356
- C:\Windows\System32\uAAOasz.exe
  C:\Windows\System32\uAAOasz.exe
  2⤵
  PID:8468
- C:\Windows\System32\wYLxCmk.exe
  C:\Windows\System32\wYLxCmk.exe
  2⤵
  PID:3172
- C:\Windows\System32\KiyyRvk.exe
  C:\Windows\System32\KiyyRvk.exe
  2⤵
  PID:4204
- C:\Windows\System32\maGiTuJ.exe
  C:\Windows\System32\maGiTuJ.exe
  2⤵
  PID:8656
- C:\Windows\System32\CwuQZIH.exe
  C:\Windows\System32\CwuQZIH.exe
  2⤵
  PID:8716
- C:\Windows\System32\sxxHoRm.exe
  C:\Windows\System32\sxxHoRm.exe
  2⤵
  PID:8812
- C:\Windows\System32\oKrPXAm.exe
  C:\Windows\System32\oKrPXAm.exe
  2⤵
  PID:8904
- C:\Windows\System32\OnDpScQ.exe
  C:\Windows\System32\OnDpScQ.exe
  2⤵
  PID:8968
- C:\Windows\System32\njPpAwR.exe
  C:\Windows\System32\njPpAwR.exe
  2⤵
  PID:9012
- C:\Windows\System32\FaLnbhp.exe
  C:\Windows\System32\FaLnbhp.exe
  2⤵
  PID:9100
- C:\Windows\System32\DFigSgF.exe
  C:\Windows\System32\DFigSgF.exe
  2⤵
  PID:9140
- C:\Windows\System32\fzAcYuU.exe
  C:\Windows\System32\fzAcYuU.exe
  2⤵
  PID:9208
- C:\Windows\System32\TSsVlRN.exe
  C:\Windows\System32\TSsVlRN.exe
  2⤵
  PID:8408
- C:\Windows\System32\Nixomxq.exe
  C:\Windows\System32\Nixomxq.exe
  2⤵
  PID:8484
- C:\Windows\System32\mZWzdRZ.exe
  C:\Windows\System32\mZWzdRZ.exe
  2⤵
  PID:8800
- C:\Windows\System32\PhyywxD.exe
  C:\Windows\System32\PhyywxD.exe
  2⤵
  PID:8916
- C:\Windows\System32\PAivraM.exe
  C:\Windows\System32\PAivraM.exe
  2⤵
  PID:9088
- C:\Windows\System32\UUONoLi.exe
  C:\Windows\System32\UUONoLi.exe
  2⤵
  PID:8320
- C:\Windows\System32\svDGRXY.exe
  C:\Windows\System32\svDGRXY.exe
  2⤵
  PID:8592
- C:\Windows\System32\snFdEBf.exe
  C:\Windows\System32\snFdEBf.exe
  2⤵
  PID:9072
- C:\Windows\System32\qULmTxR.exe
  C:\Windows\System32\qULmTxR.exe
  2⤵
  PID:8480
- C:\Windows\System32\tStejvQ.exe
  C:\Windows\System32\tStejvQ.exe
  2⤵
  PID:8344
- C:\Windows\System32\sBhmpdH.exe
  C:\Windows\System32\sBhmpdH.exe
  2⤵
  PID:9240
- C:\Windows\System32\NihmveJ.exe
  C:\Windows\System32\NihmveJ.exe
  2⤵
  PID:9272
- C:\Windows\System32\PUBDzhe.exe
  C:\Windows\System32\PUBDzhe.exe
  2⤵
  PID:9292
- C:\Windows\System32\DJOfxVF.exe
  C:\Windows\System32\DJOfxVF.exe
  2⤵
  PID:9324
- C:\Windows\System32\rsWmqbD.exe
  C:\Windows\System32\rsWmqbD.exe
  2⤵
  PID:9352
- C:\Windows\System32\LupbvuW.exe
  C:\Windows\System32\LupbvuW.exe
  2⤵
  PID:9388
- C:\Windows\System32\lOlyVrH.exe
  C:\Windows\System32\lOlyVrH.exe
  2⤵
  PID:9420
- C:\Windows\System32\wOVEhVw.exe
  C:\Windows\System32\wOVEhVw.exe
  2⤵
  PID:9436
- C:\Windows\System32\TZRnhtY.exe
  C:\Windows\System32\TZRnhtY.exe
  2⤵
  PID:9484
- C:\Windows\System32\PdqRpuk.exe
  C:\Windows\System32\PdqRpuk.exe
  2⤵
  PID:9524
- C:\Windows\System32\pWXkNaz.exe
  C:\Windows\System32\pWXkNaz.exe
  2⤵
  PID:9544
- C:\Windows\System32\cVSCpfK.exe
  C:\Windows\System32\cVSCpfK.exe
  2⤵
  PID:9560
- C:\Windows\System32\QZsLwlw.exe
  C:\Windows\System32\QZsLwlw.exe
  2⤵
  PID:9612
- C:\Windows\System32\aASEmNd.exe
  C:\Windows\System32\aASEmNd.exe
  2⤵
  PID:9640
- C:\Windows\System32\TsdCuOJ.exe
  C:\Windows\System32\TsdCuOJ.exe
  2⤵
  PID:9660
- C:\Windows\System32\AcEBfGb.exe
  C:\Windows\System32\AcEBfGb.exe
  2⤵
  PID:9696
- C:\Windows\System32\zooPmPv.exe
  C:\Windows\System32\zooPmPv.exe
  2⤵
  PID:9732
- C:\Windows\System32\irTZIHV.exe
  C:\Windows\System32\irTZIHV.exe
  2⤵
  PID:9756
- C:\Windows\System32\rKVaUYE.exe
  C:\Windows\System32\rKVaUYE.exe
  2⤵
  PID:9788
- C:\Windows\System32\KFVmYCZ.exe
  C:\Windows\System32\KFVmYCZ.exe
  2⤵
  PID:9836
- C:\Windows\System32\aaFoEmB.exe
  C:\Windows\System32\aaFoEmB.exe
  2⤵
  PID:9868
- C:\Windows\System32\EhurVKu.exe
  C:\Windows\System32\EhurVKu.exe
  2⤵
  PID:9888
- C:\Windows\System32\tzTrkDX.exe
  C:\Windows\System32\tzTrkDX.exe
  2⤵
  PID:9912
- C:\Windows\System32\vofceeW.exe
  C:\Windows\System32\vofceeW.exe
  2⤵
  PID:9932
- C:\Windows\System32\lwQyUhV.exe
  C:\Windows\System32\lwQyUhV.exe
  2⤵
  PID:9980
- C:\Windows\System32\uIprKaF.exe
  C:\Windows\System32\uIprKaF.exe
  2⤵
  PID:10008
- C:\Windows\System32\GlmnukT.exe
  C:\Windows\System32\GlmnukT.exe
  2⤵
  PID:10024
- C:\Windows\System32\QOfVrbh.exe
  C:\Windows\System32\QOfVrbh.exe
  2⤵
  PID:10064
- C:\Windows\System32\NjwKjah.exe
  C:\Windows\System32\NjwKjah.exe
  2⤵
  PID:10092
- C:\Windows\System32\grTJLUb.exe
  C:\Windows\System32\grTJLUb.exe
  2⤵
  PID:10120
- C:\Windows\System32\wMifoEJ.exe
  C:\Windows\System32\wMifoEJ.exe
  2⤵
  PID:10148
- C:\Windows\System32\TpvNhfZ.exe
  C:\Windows\System32\TpvNhfZ.exe
  2⤵
  PID:10176
- C:\Windows\System32\OtegiPh.exe
  C:\Windows\System32\OtegiPh.exe
  2⤵
  PID:10208
- C:\Windows\System32\iEZxNYX.exe
  C:\Windows\System32\iEZxNYX.exe
  2⤵
  PID:10232
- C:\Windows\System32\vNnLOKH.exe
  C:\Windows\System32\vNnLOKH.exe
  2⤵
  PID:9264
- C:\Windows\System32\nNKRlRf.exe
  C:\Windows\System32\nNKRlRf.exe
  2⤵
  PID:9316
- C:\Windows\System32\cUDdgKy.exe
  C:\Windows\System32\cUDdgKy.exe
  2⤵
  PID:9380
- C:\Windows\System32\eZyIpWY.exe
  C:\Windows\System32\eZyIpWY.exe
  2⤵
  PID:9460
- C:\Windows\System32\JhukFtj.exe
  C:\Windows\System32\JhukFtj.exe
  2⤵
  PID:9020
- C:\Windows\System32\ZeaEELB.exe
  C:\Windows\System32\ZeaEELB.exe
  2⤵
  PID:9492
- C:\Windows\System32\Ezeztbf.exe
  C:\Windows\System32\Ezeztbf.exe
  2⤵
  PID:8712
- C:\Windows\System32\OsJrcsQ.exe
  C:\Windows\System32\OsJrcsQ.exe
  2⤵
  PID:9580
- C:\Windows\System32\WCWoFRu.exe
  C:\Windows\System32\WCWoFRu.exe
  2⤵
  PID:9680
- C:\Windows\System32\VNXJMZq.exe
  C:\Windows\System32\VNXJMZq.exe
  2⤵
  PID:9744
- C:\Windows\System32\YYbFXqQ.exe
  C:\Windows\System32\YYbFXqQ.exe
  2⤵
  PID:9848
- C:\Windows\System32\uoZSkkz.exe
  C:\Windows\System32\uoZSkkz.exe
  2⤵
  PID:9924
- C:\Windows\System32\sxhLJEb.exe
  C:\Windows\System32\sxhLJEb.exe
  2⤵
  PID:3528
- C:\Windows\System32\qguyPZy.exe
  C:\Windows\System32\qguyPZy.exe
  2⤵
  PID:9968
- C:\Windows\System32\Wxntgfx.exe
  C:\Windows\System32\Wxntgfx.exe
  2⤵
  PID:10036
- C:\Windows\System32\beNLRJL.exe
  C:\Windows\System32\beNLRJL.exe
  2⤵
  PID:1548
- C:\Windows\System32\DcrLByM.exe
  C:\Windows\System32\DcrLByM.exe
  2⤵
  PID:10112
- C:\Windows\System32\BLMIDno.exe
  C:\Windows\System32\BLMIDno.exe
  2⤵
  PID:10192
- C:\Windows\System32\PIRZRWB.exe
  C:\Windows\System32\PIRZRWB.exe
  2⤵
  PID:9284
- C:\Windows\System32\IsUhTgg.exe
  C:\Windows\System32\IsUhTgg.exe
  2⤵
  PID:9024
- C:\Windows\System32\QiCHXKe.exe
  C:\Windows\System32\QiCHXKe.exe
  2⤵
  PID:9536
- C:\Windows\System32\wJysoGa.exe
  C:\Windows\System32\wJysoGa.exe
  2⤵
  PID:9668
- C:\Windows\System32\XxPMDfv.exe
  C:\Windows\System32\XxPMDfv.exe
  2⤵
  PID:9816
- C:\Windows\System32\xQfpHIh.exe
  C:\Windows\System32\xQfpHIh.exe
  2⤵
  PID:316
- C:\Windows\System32\OsVYoiE.exe
  C:\Windows\System32\OsVYoiE.exe
  2⤵
  PID:10088
- C:\Windows\System32\HEOaaWW.exe
  C:\Windows\System32\HEOaaWW.exe
  2⤵
  PID:9248
- C:\Windows\System32\gIMuAwj.exe
  C:\Windows\System32\gIMuAwj.exe
  2⤵
  PID:8780
- C:\Windows\System32\jwmAbFt.exe
  C:\Windows\System32\jwmAbFt.exe
  2⤵
  PID:9876
- C:\Windows\System32\gzosSXj.exe
  C:\Windows\System32\gzosSXj.exe
  2⤵
  PID:10004
- C:\Windows\System32\KnYYACT.exe
  C:\Windows\System32\KnYYACT.exe
  2⤵
  PID:9416
- C:\Windows\System32\tZmHmuN.exe
  C:\Windows\System32\tZmHmuN.exe
  2⤵
  PID:9684
- C:\Windows\System32\KpeVgPc.exe
  C:\Windows\System32\KpeVgPc.exe
  2⤵
  PID:10256
- C:\Windows\System32\PfsNEXv.exe
  C:\Windows\System32\PfsNEXv.exe
  2⤵
  PID:10284
- C:\Windows\System32\CePRuyn.exe
  C:\Windows\System32\CePRuyn.exe
  2⤵
  PID:10312
- C:\Windows\System32\kBpZgGl.exe
  C:\Windows\System32\kBpZgGl.exe
  2⤵
  PID:10332
- C:\Windows\System32\ngeWCGp.exe
  C:\Windows\System32\ngeWCGp.exe
  2⤵
  PID:10360
- C:\Windows\System32\jIUQnrT.exe
  C:\Windows\System32\jIUQnrT.exe
  2⤵
  PID:10396
- C:\Windows\System32\bfwJzlx.exe
  C:\Windows\System32\bfwJzlx.exe
  2⤵
  PID:10424
- C:\Windows\System32\htaXYgX.exe
  C:\Windows\System32\htaXYgX.exe
  2⤵
  PID:10448
- C:\Windows\System32\XVwFeNG.exe
  C:\Windows\System32\XVwFeNG.exe
  2⤵
  PID:10468
- C:\Windows\System32\mfhGtbw.exe
  C:\Windows\System32\mfhGtbw.exe
  2⤵
  PID:10512
- C:\Windows\System32\XmwAGuv.exe
  C:\Windows\System32\XmwAGuv.exe
  2⤵
  PID:10536
- C:\Windows\System32\QXLkBTI.exe
  C:\Windows\System32\QXLkBTI.exe
  2⤵
  PID:10576
- C:\Windows\System32\yxegtSV.exe
  C:\Windows\System32\yxegtSV.exe
  2⤵
  PID:10596
- C:\Windows\System32\YenxuUm.exe
  C:\Windows\System32\YenxuUm.exe
  2⤵
  PID:10624
- C:\Windows\System32\OGKRsis.exe
  C:\Windows\System32\OGKRsis.exe
  2⤵
  PID:10652
- C:\Windows\System32\UgLsbzS.exe
  C:\Windows\System32\UgLsbzS.exe
  2⤵
  PID:10672
- C:\Windows\System32\cqboyMX.exe
  C:\Windows\System32\cqboyMX.exe
  2⤵
  PID:10696
- C:\Windows\System32\JzkkJTA.exe
  C:\Windows\System32\JzkkJTA.exe
  2⤵
  PID:10736
- C:\Windows\System32\GHSHpSh.exe
  C:\Windows\System32\GHSHpSh.exe
  2⤵
  PID:10760
- C:\Windows\System32\ySBFXta.exe
  C:\Windows\System32\ySBFXta.exe
  2⤵
  PID:10788
- C:\Windows\System32\ASNGjaS.exe
  C:\Windows\System32\ASNGjaS.exe
  2⤵
  PID:10828
- C:\Windows\System32\EWoHkAX.exe
  C:\Windows\System32\EWoHkAX.exe
  2⤵
  PID:10848
- C:\Windows\System32\AHiHxVT.exe
  C:\Windows\System32\AHiHxVT.exe
  2⤵
  PID:10880
- C:\Windows\System32\WKfBoCJ.exe
  C:\Windows\System32\WKfBoCJ.exe
  2⤵
  PID:10904
- C:\Windows\System32\YVCJOfJ.exe
  C:\Windows\System32\YVCJOfJ.exe
  2⤵
  PID:10932
- C:\Windows\System32\mnDdxUN.exe
  C:\Windows\System32\mnDdxUN.exe
  2⤵
  PID:10960
- C:\Windows\System32\dtSbTRX.exe
  C:\Windows\System32\dtSbTRX.exe
  2⤵
  PID:10996
- C:\Windows\System32\PDvXZRP.exe
  C:\Windows\System32\PDvXZRP.exe
  2⤵
  PID:11016
- C:\Windows\System32\HvJFDIz.exe
  C:\Windows\System32\HvJFDIz.exe
  2⤵
  PID:11036
- C:\Windows\System32\qUvlfxr.exe
  C:\Windows\System32\qUvlfxr.exe
  2⤵
  PID:11064
- C:\Windows\System32\RlPIDlL.exe
  C:\Windows\System32\RlPIDlL.exe
  2⤵
  PID:11092
- C:\Windows\System32\ptZbjpP.exe
  C:\Windows\System32\ptZbjpP.exe
  2⤵
  PID:11128
- C:\Windows\System32\UnYWVyp.exe
  C:\Windows\System32\UnYWVyp.exe
  2⤵
  PID:11184
- C:\Windows\System32\pBIxZYA.exe
  C:\Windows\System32\pBIxZYA.exe
  2⤵
  PID:11220
- C:\Windows\System32\JDzjGha.exe
  C:\Windows\System32\JDzjGha.exe
  2⤵
  PID:11244
- C:\Windows\System32\UidsDAF.exe
  C:\Windows\System32\UidsDAF.exe
  2⤵
  PID:10292
- C:\Windows\System32\AsmSLjk.exe
  C:\Windows\System32\AsmSLjk.exe
  2⤵
  PID:10320
- C:\Windows\System32\pnnYOJq.exe
  C:\Windows\System32\pnnYOJq.exe
  2⤵
  PID:10392
- C:\Windows\System32\ScsLVZP.exe
  C:\Windows\System32\ScsLVZP.exe
  2⤵
  PID:10464
- C:\Windows\System32\zRYbtNx.exe
  C:\Windows\System32\zRYbtNx.exe
  2⤵
  PID:10520
- C:\Windows\System32\XQvytRL.exe
  C:\Windows\System32\XQvytRL.exe
  2⤵
  PID:10584
- C:\Windows\System32\MdhjjOu.exe
  C:\Windows\System32\MdhjjOu.exe
  2⤵
  PID:10648
- C:\Windows\System32\yEoGjdF.exe
  C:\Windows\System32\yEoGjdF.exe
  2⤵
  PID:10780
- C:\Windows\System32\mxsMDxr.exe
  C:\Windows\System32\mxsMDxr.exe
  2⤵
  PID:10840
- C:\Windows\System32\GYaLZYZ.exe
  C:\Windows\System32\GYaLZYZ.exe
  2⤵
  PID:10888
- C:\Windows\System32\dszNJBR.exe
  C:\Windows\System32\dszNJBR.exe
  2⤵
  PID:10984
- C:\Windows\System32\dhdGlgV.exe
  C:\Windows\System32\dhdGlgV.exe
  2⤵
  PID:11056
- C:\Windows\System32\OUlKIdU.exe
  C:\Windows\System32\OUlKIdU.exe
  2⤵
  PID:11104
- C:\Windows\System32\Dzocqhw.exe
  C:\Windows\System32\Dzocqhw.exe
  2⤵
  PID:11212
- C:\Windows\System32\nMGrKyb.exe
  C:\Windows\System32\nMGrKyb.exe
  2⤵
  PID:10244
- C:\Windows\System32\APwhYRE.exe
  C:\Windows\System32\APwhYRE.exe
  2⤵
  PID:10368
- C:\Windows\System32\eqFxxYb.exe
  C:\Windows\System32\eqFxxYb.exe
  2⤵
  PID:10500
- C:\Windows\System32\DuTfUVd.exe
  C:\Windows\System32\DuTfUVd.exe
  2⤵
  PID:10612
- C:\Windows\System32\BfhBCcK.exe
  C:\Windows\System32\BfhBCcK.exe
  2⤵
  PID:10804
- C:\Windows\System32\TAMueSX.exe
  C:\Windows\System32\TAMueSX.exe
  2⤵
  PID:11008
- C:\Windows\System32\dZbMpkR.exe
  C:\Windows\System32\dZbMpkR.exe
  2⤵
  PID:11144
- C:\Windows\System32\CSErEvJ.exe
  C:\Windows\System32\CSErEvJ.exe
  2⤵
  PID:10444
- C:\Windows\System32\vKOvkhv.exe
  C:\Windows\System32\vKOvkhv.exe
  2⤵
  PID:10768
- C:\Windows\System32\mSfyWFI.exe
  C:\Windows\System32\mSfyWFI.exe
  2⤵
  PID:10856
- C:\Windows\System32\gMdsEHI.exe
  C:\Windows\System32\gMdsEHI.exe
  2⤵
  PID:10412
- C:\Windows\System32\XWlAFFb.exe
  C:\Windows\System32\XWlAFFb.exe
  2⤵
  PID:9648
- C:\Windows\System32\KoWGCqH.exe
  C:\Windows\System32\KoWGCqH.exe
  2⤵
  PID:1852
- C:\Windows\System32\QmkgsbD.exe
  C:\Windows\System32\QmkgsbD.exe
  2⤵
  PID:11296
- C:\Windows\System32\fFUZPVj.exe
  C:\Windows\System32\fFUZPVj.exe
  2⤵
  PID:11332
- C:\Windows\System32\hoDwyBm.exe
  C:\Windows\System32\hoDwyBm.exe
  2⤵
  PID:11360
- C:\Windows\System32\wbMuTLH.exe
  C:\Windows\System32\wbMuTLH.exe
  2⤵
  PID:11388
- C:\Windows\System32\EVBPxVP.exe
  C:\Windows\System32\EVBPxVP.exe
  2⤵
  PID:11416
- C:\Windows\System32\sknkbnR.exe
  C:\Windows\System32\sknkbnR.exe
  2⤵
  PID:11444
- C:\Windows\System32\YXxrQlU.exe
  C:\Windows\System32\YXxrQlU.exe
  2⤵
  PID:11472
- C:\Windows\System32\VNjSOMZ.exe
  C:\Windows\System32\VNjSOMZ.exe
  2⤵
  PID:11500
- C:\Windows\System32\eFJLXZK.exe
  C:\Windows\System32\eFJLXZK.exe
  2⤵
  PID:11528
- C:\Windows\System32\FJRwSeM.exe
  C:\Windows\System32\FJRwSeM.exe
  2⤵
  PID:11556
- C:\Windows\System32\TGmAoFW.exe
  C:\Windows\System32\TGmAoFW.exe
  2⤵
  PID:11600
- C:\Windows\System32\YUWnFqe.exe
  C:\Windows\System32\YUWnFqe.exe
  2⤵
  PID:11628
- C:\Windows\System32\BpvKsHB.exe
  C:\Windows\System32\BpvKsHB.exe
  2⤵
  PID:11664
- C:\Windows\System32\zjqpPXS.exe
  C:\Windows\System32\zjqpPXS.exe
  2⤵
  PID:11716
- C:\Windows\System32\PatuPiZ.exe
  C:\Windows\System32\PatuPiZ.exe
  2⤵
  PID:11756
- C:\Windows\System32\pTePDrd.exe
  C:\Windows\System32\pTePDrd.exe
  2⤵
  PID:11800
- C:\Windows\System32\KcqWvkm.exe
  C:\Windows\System32\KcqWvkm.exe
  2⤵
  PID:11832
- C:\Windows\System32\PHwTDeq.exe
  C:\Windows\System32\PHwTDeq.exe
  2⤵
  PID:11856
- C:\Windows\System32\KvsfJhb.exe
  C:\Windows\System32\KvsfJhb.exe
  2⤵
  PID:11880
- C:\Windows\System32\okNiJgv.exe
  C:\Windows\System32\okNiJgv.exe
  2⤵
  PID:11924
- C:\Windows\System32\pouXTve.exe
  C:\Windows\System32\pouXTve.exe
  2⤵
  PID:11976
- C:\Windows\System32\EZcpEai.exe
  C:\Windows\System32\EZcpEai.exe
  2⤵
  PID:12004
- C:\Windows\System32\VcTnMgj.exe
  C:\Windows\System32\VcTnMgj.exe
  2⤵
  PID:12044
- C:\Windows\System32\ODxWOiG.exe
  C:\Windows\System32\ODxWOiG.exe
  2⤵
  PID:12096
- C:\Windows\System32\GikcGaf.exe
  C:\Windows\System32\GikcGaf.exe
  2⤵
  PID:12124
- C:\Windows\System32\RxQZjfV.exe
  C:\Windows\System32\RxQZjfV.exe
  2⤵
  PID:12156
- C:\Windows\System32\EsIjDBe.exe
  C:\Windows\System32\EsIjDBe.exe
  2⤵
  PID:12184
- C:\Windows\System32\fLBVGSP.exe
  C:\Windows\System32\fLBVGSP.exe
  2⤵
  PID:12216
- C:\Windows\System32\hXoxptg.exe
  C:\Windows\System32\hXoxptg.exe
  2⤵
  PID:12244
- C:\Windows\System32\xuqEHPD.exe
  C:\Windows\System32\xuqEHPD.exe
  2⤵
  PID:12260
- C:\Windows\System32\ImRinrv.exe
  C:\Windows\System32\ImRinrv.exe
  2⤵
  PID:12280
- C:\Windows\System32\wqhegeY.exe
  C:\Windows\System32\wqhegeY.exe
  2⤵
  PID:11304
- C:\Windows\System32\AhohJxw.exe
  C:\Windows\System32\AhohJxw.exe
  2⤵
  PID:11408
- C:\Windows\System32\uSTJEWB.exe
  C:\Windows\System32\uSTJEWB.exe
  2⤵
  PID:11492
- C:\Windows\System32\pserOIW.exe
  C:\Windows\System32\pserOIW.exe
  2⤵
  PID:11540
- C:\Windows\System32\IRUERCk.exe
  C:\Windows\System32\IRUERCk.exe
  2⤵
  PID:11640
- C:\Windows\System32\HkkxhaP.exe
  C:\Windows\System32\HkkxhaP.exe
  2⤵
  PID:11744
- C:\Windows\System32\fzYfCTR.exe
  C:\Windows\System32\fzYfCTR.exe
  2⤵
  PID:11840
- C:\Windows\System32\ErUBtPT.exe
  C:\Windows\System32\ErUBtPT.exe
  2⤵
  PID:11960
- C:\Windows\System32\pCYoQub.exe
  C:\Windows\System32\pCYoQub.exe
  2⤵
  PID:12056
- C:\Windows\System32\ofEIFFI.exe
  C:\Windows\System32\ofEIFFI.exe
  2⤵
  PID:12148
- C:\Windows\System32\PgIpVWP.exe
  C:\Windows\System32\PgIpVWP.exe
  2⤵
  PID:12204
- C:\Windows\System32\unRxXzk.exe
  C:\Windows\System32\unRxXzk.exe
  2⤵
  PID:12240
- C:\Windows\System32\KUXsMEZ.exe
  C:\Windows\System32\KUXsMEZ.exe
  2⤵
  PID:11384
- C:\Windows\System32\uLwZgmP.exe
  C:\Windows\System32\uLwZgmP.exe
  2⤵
  PID:11568
- C:\Windows\System32\zdpLcxk.exe
  C:\Windows\System32\zdpLcxk.exe
  2⤵
  PID:11848
- C:\Windows\System32\IoqeUcX.exe
  C:\Windows\System32\IoqeUcX.exe
  2⤵
  PID:12032
- C:\Windows\System32\xaOLnby.exe
  C:\Windows\System32\xaOLnby.exe
  2⤵
  PID:8124
- C:\Windows\System32\VtvsbJx.exe
  C:\Windows\System32\VtvsbJx.exe
  2⤵
  PID:1816
- C:\Windows\System32\zItHXyz.exe
  C:\Windows\System32\zItHXyz.exe
  2⤵
  PID:12268
- C:\Windows\System32\aIztbTj.exe
  C:\Windows\System32\aIztbTj.exe
  2⤵
  PID:11912
- C:\Windows\System32\xKqdOhv.exe
  C:\Windows\System32\xKqdOhv.exe
  2⤵
  PID:540
- C:\Windows\System32\fpEJmMj.exe
  C:\Windows\System32\fpEJmMj.exe
  2⤵
  PID:11824
- C:\Windows\System32\YKIdjLf.exe
  C:\Windows\System32\YKIdjLf.exe
  2⤵
  PID:12328
- C:\Windows\System32\roICtdZ.exe
  C:\Windows\System32\roICtdZ.exe
  2⤵
  PID:12344
- C:\Windows\System32\wogrWOQ.exe
  C:\Windows\System32\wogrWOQ.exe
  2⤵
  PID:12372
- C:\Windows\System32\IXBJLUf.exe
  C:\Windows\System32\IXBJLUf.exe
  2⤵
  PID:12400
- C:\Windows\System32\wuZRKvg.exe
  C:\Windows\System32\wuZRKvg.exe
  2⤵
  PID:12428
- C:\Windows\System32\ibVFVkA.exe
  C:\Windows\System32\ibVFVkA.exe
  2⤵
  PID:12456
- C:\Windows\System32\kXqvDbf.exe
  C:\Windows\System32\kXqvDbf.exe
  2⤵
  PID:12484
- C:\Windows\System32\HnnlOJU.exe
  C:\Windows\System32\HnnlOJU.exe
  2⤵
  PID:12512
- C:\Windows\System32\qauLtSk.exe
  C:\Windows\System32\qauLtSk.exe
  2⤵
  PID:12540
- C:\Windows\System32\wcOKOmp.exe
  C:\Windows\System32\wcOKOmp.exe
  2⤵
  PID:12568
- C:\Windows\System32\rbsHfJA.exe
  C:\Windows\System32\rbsHfJA.exe
  2⤵
  PID:12596
- C:\Windows\System32\gULeIHX.exe
  C:\Windows\System32\gULeIHX.exe
  2⤵
  PID:12628
- C:\Windows\System32\KThmUwG.exe
  C:\Windows\System32\KThmUwG.exe
  2⤵
  PID:12656
- C:\Windows\System32\MgfLWEZ.exe
  C:\Windows\System32\MgfLWEZ.exe
  2⤵
  PID:12700
- C:\Windows\System32\eITkihb.exe
  C:\Windows\System32\eITkihb.exe
  2⤵
  PID:12720
- C:\Windows\System32\RryoUsF.exe
  C:\Windows\System32\RryoUsF.exe
  2⤵
  PID:12752
- C:\Windows\System32\KCWvokX.exe
  C:\Windows\System32\KCWvokX.exe
  2⤵
  PID:12780
- C:\Windows\System32\OfupGKY.exe
  C:\Windows\System32\OfupGKY.exe
  2⤵
  PID:12808
- C:\Windows\System32\fMabaFJ.exe
  C:\Windows\System32\fMabaFJ.exe
  2⤵
  PID:12836
- C:\Windows\System32\fAcXDvE.exe
  C:\Windows\System32\fAcXDvE.exe
  2⤵
  PID:12864
- C:\Windows\System32\lCWqWGo.exe
  C:\Windows\System32\lCWqWGo.exe
  2⤵
  PID:12892
- C:\Windows\System32\uTsbrho.exe
  C:\Windows\System32\uTsbrho.exe
  2⤵
  PID:12920
- C:\Windows\System32\zmlJYUk.exe
  C:\Windows\System32\zmlJYUk.exe
  2⤵
  PID:12948
- C:\Windows\System32\DaZMnIC.exe
  C:\Windows\System32\DaZMnIC.exe
  2⤵
  PID:12976
- C:\Windows\System32\mGRViHm.exe
  C:\Windows\System32\mGRViHm.exe
  2⤵
  PID:13004
- C:\Windows\System32\qIiVsRG.exe
  C:\Windows\System32\qIiVsRG.exe
  2⤵
  PID:13032
- C:\Windows\System32\NyZZVrr.exe
  C:\Windows\System32\NyZZVrr.exe
  2⤵
  PID:13060
- C:\Windows\System32\XvoleEs.exe
  C:\Windows\System32\XvoleEs.exe
  2⤵
  PID:13088
- C:\Windows\System32\qMorigp.exe
  C:\Windows\System32\qMorigp.exe
  2⤵
  PID:13116
- C:\Windows\System32\eGNVlrV.exe
  C:\Windows\System32\eGNVlrV.exe
  2⤵
  PID:13144
- C:\Windows\System32\lCALMJz.exe
  C:\Windows\System32\lCALMJz.exe
  2⤵
  PID:13172
- C:\Windows\System32\nIKzxkO.exe
  C:\Windows\System32\nIKzxkO.exe
  2⤵
  PID:13200
- C:\Windows\System32\uPssKLn.exe
  C:\Windows\System32\uPssKLn.exe
  2⤵
  PID:13228
- C:\Windows\System32\AvydIVX.exe
  C:\Windows\System32\AvydIVX.exe
  2⤵
  PID:13256
- C:\Windows\System32\PrKeNAT.exe
  C:\Windows\System32\PrKeNAT.exe
  2⤵
  PID:13284
- C:\Windows\System32\hCYynNw.exe
  C:\Windows\System32\hCYynNw.exe
  2⤵
  PID:12312
- C:\Windows\System32\BEmfmph.exe
  C:\Windows\System32\BEmfmph.exe
  2⤵
  PID:12384
- C:\Windows\System32\AexhGYW.exe
  C:\Windows\System32\AexhGYW.exe
  2⤵
  PID:12448
- C:\Windows\System32\JDhmvjk.exe
  C:\Windows\System32\JDhmvjk.exe
  2⤵
  PID:12508
- C:\Windows\System32\ITXPpxM.exe
  C:\Windows\System32\ITXPpxM.exe
  2⤵
  PID:12564
- C:\Windows\System32\FkyYHjK.exe
  C:\Windows\System32\FkyYHjK.exe
  2⤵
  PID:12640
- C:\Windows\System32\afcxmQv.exe
  C:\Windows\System32\afcxmQv.exe
  2⤵
  PID:12712
- C:\Windows\System32\ADbHRAH.exe
  C:\Windows\System32\ADbHRAH.exe
  2⤵
  PID:12776
- C:\Windows\System32\AnYTBNm.exe
  C:\Windows\System32\AnYTBNm.exe
  2⤵
  PID:12848
- C:\Windows\System32\YfnUzGI.exe
  C:\Windows\System32\YfnUzGI.exe
  2⤵
  PID:12912
- C:\Windows\System32\ugKowzg.exe
  C:\Windows\System32\ugKowzg.exe
  2⤵
  PID:12972
- C:\Windows\System32\NaqhvSp.exe
  C:\Windows\System32\NaqhvSp.exe
  2⤵
  PID:13044
- C:\Windows\System32\XLqCtnr.exe
  C:\Windows\System32\XLqCtnr.exe
  2⤵
  PID:13108
- C:\Windows\System32\GOSFgek.exe
  C:\Windows\System32\GOSFgek.exe
  2⤵
  PID:13168
- C:\Windows\System32\kjYyCun.exe
  C:\Windows\System32\kjYyCun.exe
  2⤵
  PID:13240
- C:\Windows\System32\vxdHLMr.exe
  C:\Windows\System32\vxdHLMr.exe
  2⤵
  PID:13304
- C:\Windows\System32\AKnTlFG.exe
  C:\Windows\System32\AKnTlFG.exe
  2⤵
  PID:12440
- C:\Windows\System32\EPvMnxJ.exe
  C:\Windows\System32\EPvMnxJ.exe
  2⤵
  PID:12592
- C:\Windows\System32\ZVYkzez.exe
  C:\Windows\System32\ZVYkzez.exe
  2⤵
  PID:12708

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4124 -i 4124 -h 472 -j 480 -s 184 -d 0
1⤵
PID:13268

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DwhjaKp.exe

Filesize
3.2MB

MD5
d61c4f894ce30268bf20ca1cfad5fae5

SHA1
fd758db6930762f90d88d34829b88caa1fcd2fce

SHA256
ac56bb84a8d6192989269b87d8bc2a59efca2f7271c92fe8307de66f157030f6

SHA512
4a6b1234f4e062c22b39ff9cf58a6685651f0f6572cd6c05e23a1b08bfb01ad0fdfcc253b4fc3875c98d43244f03ba567163bd896ef0ee0b60831513ae2aa6a9

Download Submit
C:\Windows\System32\FJnxnBf.exe

Filesize
3.2MB

MD5
238f8abd66c6d5be873596eb35cf65fd

SHA1
c690434c598bcbbf46fd6d15620895986346c9a1

SHA256
5cf493d733cc737ee5af038e8b9e50f05ed9cf63e2ce404cdfdba437a7b990f4

SHA512
5a7820fe46ee0ed657a549d67d3b0b322b4bf0574b5ff819a1153da9962f01674b020d6ee568caeb9dba4d1ad9c8f7f84c79c1e267502dfe2e1c6fb632c3797d

Download Submit
C:\Windows\System32\HonirzK.exe

Filesize
3.2MB

MD5
a2fc242525e1769ab1283c37ef2ed093

SHA1
7ae0f4f584f6237822741cf675e51cd4cbab4a55

SHA256
0d5edfabdf3609db7f25d0bb91f34ea8cf781dc8442a2dc025867ad52238201a

SHA512
3592a9fba1001e6fda6fbd9e6e6f1801aef8b5706efeb07f84d8eb09cf6c84aaf3c2f57c6c708a42b6e9fbadfa4ae77be5d49c17bc5293f040fd80411384a7ee

Download Submit
C:\Windows\System32\IJXtNfl.exe

Filesize
3.2MB

MD5
62f960a8315ea0a6adfb4fdb4d809f2c

SHA1
11a74f9a37498d972974337b815fa8e77c89f3a0

SHA256
8faf29bf378d241e8d2d26b592c45ce5013025a01de43a92988b9c7ed1a6dea5

SHA512
de942509d779a5715d1a964c4c682e9e67c0e0b959466228ea1012eef4a03eb32d95358c0bee28350c52b4a8948db033196767e86676d549a980add1fd0b22ce

Download Submit
C:\Windows\System32\IhfPwkY.exe

Filesize
3.2MB

MD5
e0beafacbec6ce236bd6545968d15b6c

SHA1
5e9719d94eecebe1c6733c555870e7379ed1aa2b

SHA256
76efc8323d3ef331a37c342fed544ca462ba05bfcaf6ba0c98829c3431fccc99

SHA512
c380c08622c4645db60f50c34260c3655646ee95ffda15d9cd36c7123e0bc9a94a9ea5a67aad9d1a4e2f22ffbd347c36c978c04792a8fda35c636aced17b5f10

Download Submit
C:\Windows\System32\IoOHsth.exe

Filesize
3.2MB

MD5
04d61a07b9e64868bc8d44977b752629

SHA1
3bc03d845e8b9d9fa9e82d0d9166f50c0e6e64a5

SHA256
bd7181c9ca5babf0c36f70334d99586d3293ace3bb6751b599beef4a18e5b5a4

SHA512
bf11acf0134cedad15702b3efe21e79b7134ac04df53ac28d5467f11c373978b80d4269069b1ca031a2b86a9b44302e504933bc5892bc88d052de786738b07de

Download Submit
C:\Windows\System32\LVPQAWM.exe

Filesize
3.2MB

MD5
97df0b71fd502707dc8a99d8ad21b787

SHA1
a60d94b21d0c58c94756fffb81bed6c0b5ff87c8

SHA256
ae10fcd8c31c36fe515a9afd314adc8d27c495bf72128ff848bcd5d1978b2aa9

SHA512
2bba1d7fa75659b8f516f3c349ddf0eefa50d70ea9f2ea4601efc176526463dcbcb4a15ceb92eeaed77d3f60cb5928a7b287657dbf70e1d2d431ac84e6415b95

Download Submit
C:\Windows\System32\LadgOaY.exe

Filesize
3.2MB

MD5
51a913d3a8bd0ad57d089bc2784affb4

SHA1
224f162bfe6c97c2446957bb2ba872b5b415fcd2

SHA256
59a1756cf557b59120badc0efa9f0fdbadec11e46984b72500d4a26f85147bc0

SHA512
36ee4160c0743486d05cb6cf63216e7d57ded574e9e31dd10317d45c69f7e9112d364fa842d7024a6296c27528e60ca575e9cf8ae639e4bfb079dbd68e9b49e7

Download Submit
C:\Windows\System32\MTiFaJH.exe

Filesize
3.2MB

MD5
4eb24d937e31c90b38d17c0f1de35e24

SHA1
40157fcc194922b2c19ffb8e38ac5699ed5793ed

SHA256
321adfde34860ca01eee243d133a54502cfd4be92e4eab1700297437813b4de1

SHA512
5f093ac8cd0812f2de92b71b338f0257ea11951c64ca9652334101014310de36fbfb47e5bfb62e1583ed965cfb4c1726530a3bfe5a1b0dc791379668ba0aa4c4

Download Submit
C:\Windows\System32\PgwXpRj.exe

Filesize
3.2MB

MD5
1b552df75d410765b12f6a9acb337106

SHA1
818cb1aef30dcead401142251a8a28c92d931fdc

SHA256
cf9f2589e5a0f90fdbe8c3d709bf4c51ef23e5de247621e012e3e1f01df3732a

SHA512
f01e30880d395ee187194209ccc1316c53e6e762cb132454f979ccf3a54cf3da510ca669647b47133a02377a99ec56deb482c608fdf8fba150ffcd9e3db9a589

Download Submit
C:\Windows\System32\PwyMGVm.exe

Filesize
3.2MB

MD5
47fd47a71ff72b3024358fac322f79d0

SHA1
b8ec703777827ce8280fd6393756090eb4de7b94

SHA256
896ce4b47c48eee3eda3b0d7197d993bd24d5eadb49ea846b801fce37475cc29

SHA512
06d1fe12a0fff109dff1b38915af6d50e38c357546daf1f6dbddeeb77f7cc5333310aa7d8466d1d86b44088981b42018f109b34da153f727655409e3a095de6b

Download Submit
C:\Windows\System32\SYOBGRS.exe

Filesize
3.2MB

MD5
2a26f8f52e0d00a25fa5368a3fa98f35

SHA1
316e752ddb2d24cf6ffef1c6f9ef2ea4cc2caa20

SHA256
30198a9185fd1b5e30c4556a8a0b0a73b9fb55ec2b3c96e21447c8cc5f2f1af1

SHA512
dfac5ee6afea819a37c95c158d52eb2ada3fcaeed5d67ba28c69447ce8ab043c6f73b7a986c2776ff773a29eaf8923a9851fb4820d253bcd3babc237b7d797f1

Download Submit
C:\Windows\System32\TlBSDNv.exe

Filesize
3.2MB

MD5
b0607a3a6c4ea6279cbf4cf17bd20aa3

SHA1
64fc07a841dcf464546d2af239ae3a5af4f810f5

SHA256
8ec7dd8184c5247abeb69ed5598a7a10295ba650d5d5b186c379f46690158486

SHA512
1b205106d78a1fc344d452aaccf2bb0106b4661879f12b065ea6bdd159deb9079a4f54de01883d2c11cd8b34b89c1680ca522a495ae11e405675d7435af9b796

Download Submit
C:\Windows\System32\UyfbjvP.exe

Filesize
3.2MB

MD5
b9120cbbdfd90eba2a7b00f62cd35ef7

SHA1
1487f1b5c7f1fa9dfcf77be533bb21a89ec77acb

SHA256
c34c9dd5683c51931a49d4699067f5b26eb3d8b5983ba6c2831ec99806a47cd6

SHA512
75d16c340095a8f4d004106469c14ed54bf82072b050abcc88d982b724225ab800974dbceb373d5aca31246d2a56bdb601ab0edba24450a1447bfd76b523332b

Download Submit
C:\Windows\System32\WDVeyRS.exe

Filesize
3.2MB

MD5
92798772395dce779b7e4a0951f83f1e

SHA1
5dfe950e2739932d86a5638c48f900c0f5bfd9df

SHA256
d4e79ac958ebe12a30e8c211445d0e20f2f02b927892cfeb7b9ca123b87c9f91

SHA512
aa2525ca6441bba07c86122281bc20ff35c6b6f6ae615f369a9a8caec14f11f015af78902e0016f3557657fa30e4712560dedfd27cf0b112f7f583a587347562

Download Submit
C:\Windows\System32\XxolOTn.exe

Filesize
3.2MB

MD5
791aeabdff606e1993a82b38220b94e8

SHA1
eb9e95513da35d4958da3083c64d87010a84039f

SHA256
7bb726d3dda7f37f0ec566fe70f40f1f540bf394b1f1809a6b337b29f843e96e

SHA512
492f95a0e69f77a7e0896c261da855a24b22c3cf6b69d24d587784cfe2f422699af91ba468ab30678eae5d398fedb6f86be549b0310163aa578705dbc6b7338b

Download Submit
C:\Windows\System32\Yjnaage.exe

Filesize
3.2MB

MD5
7aa4ecc354612fc245fa90b3a1d56117

SHA1
bc696ee842cb9dc623dbe0aa24a8b4455d40202d

SHA256
4b96977709fc64a36236b4f752367570b242b3e916e64f50ab65e7324ee421e8

SHA512
3cd682d07f33d22b4b962d6828b8c7145207bd098db8f0bd6fa1b9c4530e25e923bfff177a6527ff37e4e0f21432a3d3485292b825de5ece1f6688b2d467ce75

Download Submit
C:\Windows\System32\ZOOmmVq.exe

Filesize
3.2MB

MD5
fc4de7bb6e2573eb26852bec61d409ee

SHA1
1d1ab83b30fe28089c1b6d1f84e7e441ccb3ca74

SHA256
4d85754d4e1a34cb4cc694eec7c9ad6fb8649bd1d02da6e3d3aa0b325e1b26fa

SHA512
6673e09ed478af672fd3ceb8258b853c2ed56893752e67e48edd3fe0fe2bdeaa4c96b02bac5082e7f366133323b4a6d2b75fb6c36662afb6742b18f4e743510b

Download Submit
C:\Windows\System32\bFqYJbN.exe

Filesize
3.2MB

MD5
b4b8d0c614150ec292501e2e79fa7cd8

SHA1
9449f51ce6faaa3aa51316155a30f4cf7abee9d6

SHA256
cbf5e43c13d9abf1df61fda45ff72ef003618f336f1821eed22ed698c65a1d9c

SHA512
c8c18d6afbee2664da06b9cf4556b2e497b212914ba6caa8ebcf3a5e7f60a5dbb12b707ff54f2b588ff5dd9dd82f1ba6785b17a776ce77c57059976b762b4478

Download Submit
C:\Windows\System32\bmfJZiq.exe

Filesize
3.2MB

MD5
01f46d5dc80ed9df525100edd34e3dd7

SHA1
e976bde27b3c755bac7e953385cced5955d9bfc7

SHA256
44bfd13ee7cb2cb427440ee22e28506106692e9f2fc16ae8648a069554f3a62c

SHA512
ab3c157a4dc16cc1363243f2a17a5514f0b7b905987979c3609ff5c39c310f5f6e60cc9f33697773442a2f59916367539846129944b186e7e76689a7bc737355

Download Submit
C:\Windows\System32\brvNHkU.exe

Filesize
3.2MB

MD5
d04e5044a2b820d085612b1313f51e70

SHA1
d87ffcfa42793a4fba3ee0976b143168a3a55608

SHA256
6917b0bbf4bcd2488463ec15c1d03c5e85ba383899086256a3ecc0783be8f59d

SHA512
b7c93eaf4f4212d3793608bea0f116be26a961e58a73603620d8d48bde943292c51f55a4f42067b66019a8bb16a079b83fb63c4299f30be1c5fdde5e85c9a8fd

Download Submit
C:\Windows\System32\cAfhAfU.exe

Filesize
3.2MB

MD5
c57f369793b4fdca9e2146d62e8dd9b6

SHA1
2bcdd25025f1cfa9d794ec933294e04a4503a6a7

SHA256
b846e3b8d95cb92835f3aacc4210644b9ff97311c48ce833b4b9128079f456f8

SHA512
3dbe32b4c92e4ec6ea1dc39945f1f8402f3e790353cbd50c59fbcd615e76b75dce3e6194441f540cda433084691d23855546196035b80c3ee28400aeb911089c

Download Submit
C:\Windows\System32\dVwYESx.exe

Filesize
3.2MB

MD5
0fd51982bbbefdae5e8340d674d23c60

SHA1
da3edbe13de6709926cefa1fb059ca7ead1f7c91

SHA256
86b1cee0e23483337f24fb9ac7130335b6739edaa45340550782c8d86f41588f

SHA512
ae7e54a024ef25616295f3292f448bf9c6e5cc87fe506f092df061a190bd32ff0b940bdab21997170dab1a1ee71439f6286a651d9109212ca74a36b99e48076a

Download Submit
C:\Windows\System32\dfXrFcM.exe

Filesize
3.2MB

MD5
181d1306746c433af8657cdd879f55a4

SHA1
567ef554b8dcc383355b5825753047b306be8363

SHA256
4fd4bcbaef1cbb7f18cbcaf3e14deb579d57fe1d7d080390a0f12bfe1fc4756d

SHA512
424825356ff8c0aa744b8e220aa9e3fe340c7ebe8e33c3580c2894031fca3fbc743be90055c5a3c5698af0b127819357f8890d0272802bf7c0e29125ff9292f3

Download Submit
C:\Windows\System32\gEHMkVi.exe

Filesize
3.2MB

MD5
79fddbf5db52768c0160155dbbf2371b

SHA1
92b4c2d3b69a256920deda2cb698f3e7801898c9

SHA256
c3b93001809a46ff03bd565c3a0f13fd6041da2d03b560a256cc3f6479586121

SHA512
3d4f1118de3850c5488792360ebdfcca1bb27fa583f52da305a9531d956b91538aa17c39e043ccd0193bcb502a53a175634f1983006b61067a635ec67e7ebe6b

Download Submit
C:\Windows\System32\iAkrzsr.exe

Filesize
3.2MB

MD5
febdc7ba69e0962013ecdfb861d16860

SHA1
eaeab3815855085d1719361d086a37d8ebb926ed

SHA256
7d81938ed7df6eb3b6c09e860485bc553f3e43efec6ec8bde6de00f567756189

SHA512
95020f51ac5d9e5240f04c80074839a9e2d3b95ea5b496fcf7904c007328ddb3108a77ff6f83b8e9aa91992a5c66f95514937f6f556f03113943e63995207187

Download Submit
C:\Windows\System32\ikvnTfr.exe

Filesize
3.2MB

MD5
69b3816ddd1f34948aa96e74c169d3a2

SHA1
2d87155229c354ecf4924e480dc39d92f9b074e4

SHA256
b29fa86b8b421d121e4e7419e36faeca7b44685d41d421fd620d156e35f75700

SHA512
bae7b741691107c37b8380e960b697a232a93f22efeffcc46b37fea8a11fc90e80a61561640fd3c217f60a8673eda186896cb888f8cb9dc697e559bfcfd60019

Download Submit
C:\Windows\System32\jBqaBwX.exe

Filesize
3.2MB

MD5
1155a8890a4674df2320491a8042d40a

SHA1
ad880d020cace1239ad4d8990e31bd090a0b4338

SHA256
f9f2f9f021cd90f4dce82c7958173d6f732c4493f28896c2bc4150b190dfb4cc

SHA512
2809afa87fb524673ef4c268470ea13e30ac88342dff5f76fa96901f961c12f5ab08fea6c7dc737e7c0d821d2973e8f11f4a91f6858d7735922fe60bbc35d3ec

Download Submit
C:\Windows\System32\nvBvIyt.exe

Filesize
3.2MB

MD5
0dfa1e5135f7a4b5ce99f771463f4117

SHA1
f62ec3847ab9f1f0e76924942120ff85db0c2196

SHA256
498fbe29dd17511582f4adb06fbc85d52889e4bc5faa88bda6ad4176374ba997

SHA512
4bb063e6b090d65858d981705fe102a944442cdf5c210db6da706c6ad65e3ad484f397b61c57f1522743f567ab4ea6de40767913b4ec61cedec1172a36f1bb6f

Download Submit
C:\Windows\System32\tihiokp.exe

Filesize
3.2MB

MD5
02b4ebf04d3fa82c95cad2f3da2c57a1

SHA1
008d9b766dafeaa3ee6faa9f7111ac375b4df8ce

SHA256
0393e705a6ad2a8dae729938b634af2b1163f9ba99d5d8cfb44ff3b9939fe629

SHA512
e23b23764182f7ef3d3b044a86fe2a0cd383d49568c885c1ba1811a3b4c40daeb8090436bac76f3e087c529afb4637c6ec31951d6591a21ff684d427d3b26581

Download Submit
C:\Windows\System32\xFNogFc.exe

Filesize
3.2MB

MD5
dc3aea47aea7830f12c272beeec5d3b7

SHA1
db443ace9aa2aaa295fa598a250288e5e6de745f

SHA256
766b1b64364bfd979084ea0cd2d0e8607e7eb304213cc494885516abfc4a987b

SHA512
86bdd165ac922660a056a32715cd56d16f501bf99e6d3bd68a74d79fc325f5b669bf41a5a5a2460f607d6741b1af289e4d56be0db8f0617a361fa53b4a3fde3c

Download Submit
C:\Windows\System32\ypdrgSD.exe

Filesize
3.2MB

MD5
8ae228e5b1f34141db198956bd85b6de

SHA1
0cb2dd735f2ca854f25c3ccd2124afc09a20e9d6

SHA256
a27e009d8fe2a07fd0c6b08283582ae8875b9623f23cad14e17d26fb7b7c5539

SHA512
64406751d73766c91f0f211518b6a35e7b73c5f5c7ef405cf2679d6fd4cf88af87e90ee362fcc136b86eec44c5882393b6905f2a057ac3f5c1398dfb32759067

Download Submit
memory/404-869-0x00007FF6ECF90000-0x00007FF6ED385000-memory.dmp

Filesize
4.0MB

Download
memory/404-1915-0x00007FF6ECF90000-0x00007FF6ED385000-memory.dmp

Filesize
4.0MB

Download
memory/740-1901-0x00007FF7EE3B0000-0x00007FF7EE7A5000-memory.dmp

Filesize
4.0MB

Download
memory/740-773-0x00007FF7EE3B0000-0x00007FF7EE7A5000-memory.dmp

Filesize
4.0MB

Download
memory/1012-785-0x00007FF7062F0000-0x00007FF7066E5000-memory.dmp

Filesize
4.0MB

Download
memory/1012-1897-0x00007FF7062F0000-0x00007FF7066E5000-memory.dmp

Filesize
4.0MB

Download
memory/2388-1-0x00000176179C0000-0x00000176179D0000-memory.dmp

Filesize
64KB

Download
memory/2388-0-0x00007FF7954E0000-0x00007FF7958D5000-memory.dmp

Filesize
4.0MB

Download
memory/2500-845-0x00007FF7F1E10000-0x00007FF7F2205000-memory.dmp

Filesize
4.0MB

Download
memory/2500-1908-0x00007FF7F1E10000-0x00007FF7F2205000-memory.dmp

Filesize
4.0MB

Download
memory/3328-826-0x00007FF707AC0000-0x00007FF707EB5000-memory.dmp

Filesize
4.0MB

Download
memory/3328-1911-0x00007FF707AC0000-0x00007FF707EB5000-memory.dmp

Filesize
4.0MB

Download
memory/3372-856-0x00007FF79A600000-0x00007FF79A9F5000-memory.dmp

Filesize
4.0MB

Download
memory/3372-1909-0x00007FF79A600000-0x00007FF79A9F5000-memory.dmp

Filesize
4.0MB

Download
memory/3492-1917-0x00007FF668590000-0x00007FF668985000-memory.dmp

Filesize
4.0MB

Download
memory/3492-865-0x00007FF668590000-0x00007FF668985000-memory.dmp

Filesize
4.0MB

Download
memory/3496-6-0x00007FF6E8990000-0x00007FF6E8D85000-memory.dmp

Filesize
4.0MB

Download
memory/3496-1894-0x00007FF6E8990000-0x00007FF6E8D85000-memory.dmp

Filesize
4.0MB

Download
memory/3496-1893-0x00007FF6E8990000-0x00007FF6E8D85000-memory.dmp

Filesize
4.0MB

Download
memory/3744-1912-0x00007FF75D810000-0x00007FF75DC05000-memory.dmp

Filesize
4.0MB

Download
memory/3744-860-0x00007FF75D810000-0x00007FF75DC05000-memory.dmp

Filesize
4.0MB

Download
memory/3800-1910-0x00007FF6C5B70000-0x00007FF6C5F65000-memory.dmp

Filesize
4.0MB

Download
memory/3800-866-0x00007FF6C5B70000-0x00007FF6C5F65000-memory.dmp

Filesize
4.0MB

Download
memory/3892-1900-0x00007FF749000000-0x00007FF7493F5000-memory.dmp

Filesize
4.0MB

Download
memory/3892-802-0x00007FF749000000-0x00007FF7493F5000-memory.dmp

Filesize
4.0MB

Download
memory/3920-832-0x00007FF7BFA10000-0x00007FF7BFE05000-memory.dmp

Filesize
4.0MB

Download
memory/3920-1905-0x00007FF7BFA10000-0x00007FF7BFE05000-memory.dmp

Filesize
4.0MB

Download
memory/4008-821-0x00007FF74A140000-0x00007FF74A535000-memory.dmp

Filesize
4.0MB

Download
memory/4008-1904-0x00007FF74A140000-0x00007FF74A535000-memory.dmp

Filesize
4.0MB

Download
memory/4088-781-0x00007FF621350000-0x00007FF621745000-memory.dmp

Filesize
4.0MB

Download
memory/4088-1898-0x00007FF621350000-0x00007FF621745000-memory.dmp

Filesize
4.0MB

Download
memory/4172-794-0x00007FF7C6270000-0x00007FF7C6665000-memory.dmp

Filesize
4.0MB

Download
memory/4172-1896-0x00007FF7C6270000-0x00007FF7C6665000-memory.dmp

Filesize
4.0MB

Download
memory/4340-1895-0x00007FF7333A0000-0x00007FF733795000-memory.dmp

Filesize
4.0MB

Download
memory/4340-16-0x00007FF7333A0000-0x00007FF733795000-memory.dmp

Filesize
4.0MB

Download
memory/4520-1899-0x00007FF7ABE40000-0x00007FF7AC235000-memory.dmp

Filesize
4.0MB

Download
memory/4520-874-0x00007FF7ABE40000-0x00007FF7AC235000-memory.dmp

Filesize
4.0MB

Download
memory/4544-1907-0x00007FF7638E0000-0x00007FF763CD5000-memory.dmp

Filesize
4.0MB

Download
memory/4544-849-0x00007FF7638E0000-0x00007FF763CD5000-memory.dmp

Filesize
4.0MB

Download
memory/4564-806-0x00007FF7C4830000-0x00007FF7C4C25000-memory.dmp

Filesize
4.0MB

Download
memory/4564-1902-0x00007FF7C4830000-0x00007FF7C4C25000-memory.dmp

Filesize
4.0MB

Download
memory/4576-846-0x00007FF677E10000-0x00007FF678205000-memory.dmp

Filesize
4.0MB

Download
memory/4576-1906-0x00007FF677E10000-0x00007FF678205000-memory.dmp

Filesize
4.0MB

Download
memory/4624-1913-0x00007FF654560000-0x00007FF654955000-memory.dmp

Filesize
4.0MB

Download
memory/4624-863-0x00007FF654560000-0x00007FF654955000-memory.dmp

Filesize
4.0MB

Download
memory/4896-1914-0x00007FF7C0AE0000-0x00007FF7C0ED5000-memory.dmp

Filesize
4.0MB

Download
memory/4896-853-0x00007FF7C0AE0000-0x00007FF7C0ED5000-memory.dmp

Filesize
4.0MB

Download
memory/4900-813-0x00007FF667E70000-0x00007FF668265000-memory.dmp

Filesize
4.0MB

Download
memory/4900-1903-0x00007FF667E70000-0x00007FF668265000-memory.dmp

Filesize
4.0MB

Download
memory/4960-1916-0x00007FF7913B0000-0x00007FF7917A5000-memory.dmp

Filesize
4.0MB

Download
memory/4960-837-0x00007FF7913B0000-0x00007FF7917A5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads