xmrig | bc318479f8c7f224a00752d7a61aa93840dd85f66bfd7be53a40ce4cf9bed48f

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

086e6a83dc32727ec974da6ecb2a82d0N.exe
Size

1.4MB
MD5

086e6a83dc32727ec974da6ecb2a82d0
SHA1

2c33b04424798097f14ee20845869aa7258548b8
SHA256

bc318479f8c7f224a00752d7a61aa93840dd85f66bfd7be53a40ce4cf9bed48f
SHA512

dfeff613e63cbe6e76f518da44448e72336a645c32427af7eb99dcdee509738fe408288380a2cf6c8f97198467cfbae49a542799bbee26b2d86f9fe6b4099299
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zFqlWNIPzZG75aN+G/f:knw9oUUEEDl37jcq4JqC+G7qff

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 51 IoCs

miner

resource	yara_rule
behavioral2/memory/3512-59-0x00007FF6EBFC0000-0x00007FF6EC3B1000-memory.dmp	xmrig
behavioral2/memory/3396-107-0x00007FF642D50000-0x00007FF643141000-memory.dmp	xmrig
behavioral2/memory/1468-106-0x00007FF7F3C40000-0x00007FF7F4031000-memory.dmp	xmrig
behavioral2/memory/3284-103-0x00007FF6BBD10000-0x00007FF6BC101000-memory.dmp	xmrig
behavioral2/memory/4620-101-0x00007FF73A800000-0x00007FF73ABF1000-memory.dmp	xmrig
behavioral2/memory/4560-86-0x00007FF61B010000-0x00007FF61B401000-memory.dmp	xmrig
behavioral2/memory/3800-79-0x00007FF7592A0000-0x00007FF759691000-memory.dmp	xmrig
behavioral2/memory/3408-56-0x00007FF698270000-0x00007FF698661000-memory.dmp	xmrig
behavioral2/memory/2176-50-0x00007FF6CA340000-0x00007FF6CA731000-memory.dmp	xmrig
behavioral2/memory/3456-762-0x00007FF79CC10000-0x00007FF79D001000-memory.dmp	xmrig
behavioral2/memory/3864-776-0x00007FF7688A0000-0x00007FF768C91000-memory.dmp	xmrig
behavioral2/memory/2532-769-0x00007FF74DD90000-0x00007FF74E181000-memory.dmp	xmrig
behavioral2/memory/4472-798-0x00007FF68D500000-0x00007FF68D8F1000-memory.dmp	xmrig
behavioral2/memory/4728-815-0x00007FF64B470000-0x00007FF64B861000-memory.dmp	xmrig
behavioral2/memory/5020-1859-0x00007FF7283F0000-0x00007FF7287E1000-memory.dmp	xmrig
behavioral2/memory/5020-1986-0x00007FF7283F0000-0x00007FF7287E1000-memory.dmp	xmrig
behavioral2/memory/4856-1991-0x00007FF673000000-0x00007FF6733F1000-memory.dmp	xmrig
behavioral2/memory/4388-1990-0x00007FF7418C0000-0x00007FF741CB1000-memory.dmp	xmrig
behavioral2/memory/1072-1989-0x00007FF64F790000-0x00007FF64FB81000-memory.dmp	xmrig
behavioral2/memory/2616-1992-0x00007FF76D250000-0x00007FF76D641000-memory.dmp	xmrig
behavioral2/memory/3076-2025-0x00007FF7DBBB0000-0x00007FF7DBFA1000-memory.dmp	xmrig
behavioral2/memory/3800-2026-0x00007FF7592A0000-0x00007FF759691000-memory.dmp	xmrig
behavioral2/memory/4900-2029-0x00007FF6FF020000-0x00007FF6FF411000-memory.dmp	xmrig
behavioral2/memory/3648-2028-0x00007FF73DDF0000-0x00007FF73E1E1000-memory.dmp	xmrig
behavioral2/memory/1144-2027-0x00007FF6BC690000-0x00007FF6BCA81000-memory.dmp	xmrig
behavioral2/memory/4040-2030-0x00007FF60D210000-0x00007FF60D601000-memory.dmp	xmrig
behavioral2/memory/2992-2031-0x00007FF7F7D10000-0x00007FF7F8101000-memory.dmp	xmrig
behavioral2/memory/1072-2033-0x00007FF64F790000-0x00007FF64FB81000-memory.dmp	xmrig
behavioral2/memory/2176-2035-0x00007FF6CA340000-0x00007FF6CA731000-memory.dmp	xmrig
behavioral2/memory/3408-2037-0x00007FF698270000-0x00007FF698661000-memory.dmp	xmrig
behavioral2/memory/3800-2053-0x00007FF7592A0000-0x00007FF759691000-memory.dmp	xmrig
behavioral2/memory/3284-2055-0x00007FF6BBD10000-0x00007FF6BC101000-memory.dmp	xmrig
behavioral2/memory/3648-2063-0x00007FF73DDF0000-0x00007FF73E1E1000-memory.dmp	xmrig
behavioral2/memory/4900-2065-0x00007FF6FF020000-0x00007FF6FF411000-memory.dmp	xmrig
behavioral2/memory/4620-2061-0x00007FF73A800000-0x00007FF73ABF1000-memory.dmp	xmrig
behavioral2/memory/1144-2059-0x00007FF6BC690000-0x00007FF6BCA81000-memory.dmp	xmrig
behavioral2/memory/3396-2057-0x00007FF642D50000-0x00007FF643141000-memory.dmp	xmrig
behavioral2/memory/3076-2051-0x00007FF7DBBB0000-0x00007FF7DBFA1000-memory.dmp	xmrig
behavioral2/memory/1468-2049-0x00007FF7F3C40000-0x00007FF7F4031000-memory.dmp	xmrig
behavioral2/memory/4560-2047-0x00007FF61B010000-0x00007FF61B401000-memory.dmp	xmrig
behavioral2/memory/2616-2039-0x00007FF76D250000-0x00007FF76D641000-memory.dmp	xmrig
behavioral2/memory/4388-2045-0x00007FF7418C0000-0x00007FF741CB1000-memory.dmp	xmrig
behavioral2/memory/3512-2043-0x00007FF6EBFC0000-0x00007FF6EC3B1000-memory.dmp	xmrig
behavioral2/memory/4856-2041-0x00007FF673000000-0x00007FF6733F1000-memory.dmp	xmrig
behavioral2/memory/4472-2136-0x00007FF68D500000-0x00007FF68D8F1000-memory.dmp	xmrig
behavioral2/memory/2992-2119-0x00007FF7F7D10000-0x00007FF7F8101000-memory.dmp	xmrig
behavioral2/memory/4040-2094-0x00007FF60D210000-0x00007FF60D601000-memory.dmp	xmrig
behavioral2/memory/4728-2123-0x00007FF64B470000-0x00007FF64B861000-memory.dmp	xmrig
behavioral2/memory/2532-2091-0x00007FF74DD90000-0x00007FF74E181000-memory.dmp	xmrig
behavioral2/memory/3864-2089-0x00007FF7688A0000-0x00007FF768C91000-memory.dmp	xmrig
behavioral2/memory/3456-2117-0x00007FF79CC10000-0x00007FF79D001000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1072	zjEBkCS.exe
4388	AoevOwy.exe
4856	bTercGn.exe
2616	KruzNZw.exe
2176	udeiwXQ.exe
3408	rcAhJQy.exe
3512	vaLbpnH.exe
3284	dUQaQHY.exe
3076	RtApjQq.exe
3800	CyOdghs.exe
4560	UoieZAX.exe
1468	wkRBEKe.exe
3396	UUMrvXJ.exe
1144	gamAMPZ.exe
3648	CIqGrsF.exe
4900	NgDKZBG.exe
4620	QMpAbBB.exe
4040	JAMukyj.exe
2992	EHCmCaY.exe
3456	UEhMMAG.exe
2532	PYscSsZ.exe
3864	WjySqwl.exe
4472	LWpjsjP.exe
4728	bcyGvRK.exe
4328	YFZGxxC.exe
4144	jDAsyjw.exe
1828	yXWwgBV.exe
4480	QbTZKYl.exe
3688	AwmIfPm.exe
1944	sUyiXpc.exe
3024	vxAlARe.exe
3000	GApbfLs.exe
4816	VHAuRnM.exe
3488	QVBjwHu.exe
2768	fjcXBzg.exe
2524	rFhIzbW.exe
1532	fgpzsKa.exe
1176	NkBHZjS.exe
4440	JxPpiwT.exe
2924	WewAHKx.exe
4276	kHUhUmQ.exe
608	bPJAkYj.exe
4224	ZZQhLyz.exe
1120	YnUnNxa.exe
4724	JfxfnsA.exe
2684	mjfGsym.exe
2664	HQzcxkf.exe
4468	WgErLpW.exe
2996	CIRMhmu.exe
8	UXDlzKD.exe
460	xbEqhia.exe
4384	NzVyRKd.exe
4052	kzNbXLV.exe
3816	shUWrcP.exe
2276	WuBZjyE.exe
4544	eZltYNt.exe
3232	RDUHBoB.exe
2540	MwVhrYg.exe
3532	zLORTYK.exe
2472	XWpowQb.exe
3972	yKPFiMP.exe
2736	TsYCsui.exe
2004	YJpDgqk.exe
2132	IZNILRh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5020-0-0x00007FF7283F0000-0x00007FF7287E1000-memory.dmp	upx
behavioral2/files/0x00090000000233c4-5.dat	upx
behavioral2/files/0x0007000000023419-7.dat	upx
behavioral2/files/0x000700000002341a-18.dat	upx
behavioral2/files/0x000700000002341c-34.dat	upx
behavioral2/files/0x000700000002341d-42.dat	upx
behavioral2/memory/3512-59-0x00007FF6EBFC0000-0x00007FF6EC3B1000-memory.dmp	upx
behavioral2/files/0x0007000000023422-65.dat	upx
behavioral2/memory/4900-100-0x00007FF6FF020000-0x00007FF6FF411000-memory.dmp	upx
behavioral2/files/0x000700000002342b-133.dat	upx
behavioral2/files/0x0007000000023434-178.dat	upx
behavioral2/files/0x0007000000023423-89.dat	upx
behavioral2/files/0x0007000000023436-181.dat	upx
behavioral2/files/0x0007000000023435-176.dat	upx
behavioral2/files/0x0007000000023433-173.dat	upx
behavioral2/files/0x0007000000023432-168.dat	upx
behavioral2/files/0x0007000000023431-163.dat	upx
behavioral2/files/0x0007000000023430-158.dat	upx
behavioral2/files/0x000700000002342f-150.dat	upx
behavioral2/files/0x000700000002342e-146.dat	upx
behavioral2/files/0x000700000002342d-143.dat	upx
behavioral2/files/0x000700000002342c-138.dat	upx
behavioral2/files/0x000700000002342a-128.dat	upx
behavioral2/files/0x0007000000023429-123.dat	upx
behavioral2/files/0x0008000000023415-118.dat	upx
behavioral2/files/0x0007000000023428-113.dat	upx
behavioral2/memory/2992-112-0x00007FF7F7D10000-0x00007FF7F8101000-memory.dmp	upx
behavioral2/memory/4040-109-0x00007FF60D210000-0x00007FF60D601000-memory.dmp	upx
behavioral2/memory/3396-107-0x00007FF642D50000-0x00007FF643141000-memory.dmp	upx
behavioral2/memory/1468-106-0x00007FF7F3C40000-0x00007FF7F4031000-memory.dmp	upx
behavioral2/memory/3284-103-0x00007FF6BBD10000-0x00007FF6BC101000-memory.dmp	upx
behavioral2/memory/4620-101-0x00007FF73A800000-0x00007FF73ABF1000-memory.dmp	upx
behavioral2/files/0x0007000000023427-97.dat	upx
behavioral2/files/0x0007000000023426-95.dat	upx
behavioral2/files/0x0007000000023425-93.dat	upx
behavioral2/files/0x0007000000023424-91.dat	upx
behavioral2/memory/3648-88-0x00007FF73DDF0000-0x00007FF73E1E1000-memory.dmp	upx
behavioral2/memory/1144-87-0x00007FF6BC690000-0x00007FF6BCA81000-memory.dmp	upx
behavioral2/memory/4560-86-0x00007FF61B010000-0x00007FF61B401000-memory.dmp	upx
behavioral2/memory/3800-79-0x00007FF7592A0000-0x00007FF759691000-memory.dmp	upx
behavioral2/files/0x0007000000023421-64.dat	upx
behavioral2/files/0x0007000000023420-63.dat	upx
behavioral2/files/0x000700000002341f-62.dat	upx
behavioral2/files/0x000700000002341e-61.dat	upx
behavioral2/memory/3076-60-0x00007FF7DBBB0000-0x00007FF7DBFA1000-memory.dmp	upx
behavioral2/memory/3408-56-0x00007FF698270000-0x00007FF698661000-memory.dmp	upx
behavioral2/memory/2176-50-0x00007FF6CA340000-0x00007FF6CA731000-memory.dmp	upx
behavioral2/memory/2616-39-0x00007FF76D250000-0x00007FF76D641000-memory.dmp	upx
behavioral2/memory/4856-32-0x00007FF673000000-0x00007FF6733F1000-memory.dmp	upx
behavioral2/memory/4388-28-0x00007FF7418C0000-0x00007FF741CB1000-memory.dmp	upx
behavioral2/files/0x000700000002341b-36.dat	upx
behavioral2/files/0x0007000000023418-23.dat	upx
behavioral2/memory/1072-15-0x00007FF64F790000-0x00007FF64FB81000-memory.dmp	upx
behavioral2/memory/3456-762-0x00007FF79CC10000-0x00007FF79D001000-memory.dmp	upx
behavioral2/memory/3864-776-0x00007FF7688A0000-0x00007FF768C91000-memory.dmp	upx
behavioral2/memory/2532-769-0x00007FF74DD90000-0x00007FF74E181000-memory.dmp	upx
behavioral2/memory/4472-798-0x00007FF68D500000-0x00007FF68D8F1000-memory.dmp	upx
behavioral2/memory/4728-815-0x00007FF64B470000-0x00007FF64B861000-memory.dmp	upx
behavioral2/memory/5020-1859-0x00007FF7283F0000-0x00007FF7287E1000-memory.dmp	upx
behavioral2/memory/5020-1986-0x00007FF7283F0000-0x00007FF7287E1000-memory.dmp	upx
behavioral2/memory/4856-1991-0x00007FF673000000-0x00007FF6733F1000-memory.dmp	upx
behavioral2/memory/4388-1990-0x00007FF7418C0000-0x00007FF741CB1000-memory.dmp	upx
behavioral2/memory/1072-1989-0x00007FF64F790000-0x00007FF64FB81000-memory.dmp	upx
behavioral2/memory/2616-1992-0x00007FF76D250000-0x00007FF76D641000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\vaLbpnH.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\bcyGvRK.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\jmnIXOM.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\jAlaRrx.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\NWEMMiz.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\YFZGxxC.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\IXrWbWz.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\sVizmvY.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\RlFInAp.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\WkuVReE.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\FQDDFPm.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\WgErLpW.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\jMbxXqT.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\QVPoLAJ.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\QYeskhV.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\gBjurlC.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\JjnHxFL.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\QbTZKYl.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\mjfGsym.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\FKJsHbs.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\jijIsXh.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\MFpyrGw.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\AEBKVHD.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\hrNAoKp.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\nxVPUjv.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\QnFSwif.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\yAXPidS.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\cgCMMft.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\vQcuCnQ.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\qnYyFBc.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\VlAjXgj.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\HYHXSsR.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\CWrpSsd.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\AHdnlAw.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\IGKUtUx.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\FcoxcxN.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\sfHnCNz.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\IzXnXIi.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\UoieZAX.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\QMpAbBB.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\HwvZJux.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\ZuSPKHI.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\jbrfrRE.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\JdinCFg.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\eBTgtFI.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\MZDRnTG.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\LnqkqwC.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\kzNbXLV.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\BaaBavJ.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\fPhVIRL.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\DrrfZpE.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\YEKdLHr.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\aaUYXIb.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\oVVvrKY.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\LmUYORk.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\vXTnOdj.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\uVGAvhU.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\rfMDteI.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\kHUhUmQ.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\qbnEiIR.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\vOtpApQ.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\ZbVZinb.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\zOuxqOG.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe
File created	C:\Windows\System32\ykbnrHW.exe	086e6a83dc32727ec974da6ecb2a82d0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13288	dwm.exe
Token: SeChangeNotifyPrivilege	13288	dwm.exe
Token: 33	13288	dwm.exe
Token: SeIncBasePriorityPrivilege	13288	dwm.exe
Token: SeShutdownPrivilege	13288	dwm.exe
Token: SeCreatePagefilePrivilege	13288	dwm.exe
Token: SeShutdownPrivilege	13288	dwm.exe
Token: SeCreatePagefilePrivilege	13288	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 1072	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	85
PID 5020 wrote to memory of 1072	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	85
PID 5020 wrote to memory of 2176	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	86
PID 5020 wrote to memory of 2176	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	86
PID 5020 wrote to memory of 4388	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	87
PID 5020 wrote to memory of 4388	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	87
PID 5020 wrote to memory of 4856	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	88
PID 5020 wrote to memory of 4856	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	88
PID 5020 wrote to memory of 2616	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	89
PID 5020 wrote to memory of 2616	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	89
PID 5020 wrote to memory of 3512	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	90
PID 5020 wrote to memory of 3512	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	90
PID 5020 wrote to memory of 3408	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	91
PID 5020 wrote to memory of 3408	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	91
PID 5020 wrote to memory of 3284	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	92
PID 5020 wrote to memory of 3284	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	92
PID 5020 wrote to memory of 3076	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	93
PID 5020 wrote to memory of 3076	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	93
PID 5020 wrote to memory of 3800	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	94
PID 5020 wrote to memory of 3800	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	94
PID 5020 wrote to memory of 4560	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	95
PID 5020 wrote to memory of 4560	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	95
PID 5020 wrote to memory of 1468	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	96
PID 5020 wrote to memory of 1468	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	96
PID 5020 wrote to memory of 3396	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	97
PID 5020 wrote to memory of 3396	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	97
PID 5020 wrote to memory of 1144	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	98
PID 5020 wrote to memory of 1144	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	98
PID 5020 wrote to memory of 3648	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	99
PID 5020 wrote to memory of 3648	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	99
PID 5020 wrote to memory of 4900	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	100
PID 5020 wrote to memory of 4900	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	100
PID 5020 wrote to memory of 4620	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	101
PID 5020 wrote to memory of 4620	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	101
PID 5020 wrote to memory of 4040	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	102
PID 5020 wrote to memory of 4040	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	102
PID 5020 wrote to memory of 2992	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	103
PID 5020 wrote to memory of 2992	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	103
PID 5020 wrote to memory of 3456	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	104
PID 5020 wrote to memory of 3456	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	104
PID 5020 wrote to memory of 2532	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	105
PID 5020 wrote to memory of 2532	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	105
PID 5020 wrote to memory of 3864	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	106
PID 5020 wrote to memory of 3864	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	106
PID 5020 wrote to memory of 4472	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	107
PID 5020 wrote to memory of 4472	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	107
PID 5020 wrote to memory of 4728	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	108
PID 5020 wrote to memory of 4728	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	108
PID 5020 wrote to memory of 4328	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	109
PID 5020 wrote to memory of 4328	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	109
PID 5020 wrote to memory of 4144	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	110
PID 5020 wrote to memory of 4144	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	110
PID 5020 wrote to memory of 1828	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	111
PID 5020 wrote to memory of 1828	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	111
PID 5020 wrote to memory of 4480	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	112
PID 5020 wrote to memory of 4480	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	112
PID 5020 wrote to memory of 3688	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	113
PID 5020 wrote to memory of 3688	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	113
PID 5020 wrote to memory of 1944	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	114
PID 5020 wrote to memory of 1944	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	114
PID 5020 wrote to memory of 3024	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	115
PID 5020 wrote to memory of 3024	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	115
PID 5020 wrote to memory of 3000	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	116
PID 5020 wrote to memory of 3000	5020	086e6a83dc32727ec974da6ecb2a82d0N.exe	116

C:\Users\Admin\AppData\Local\Temp\086e6a83dc32727ec974da6ecb2a82d0N.exe
"C:\Users\Admin\AppData\Local\Temp\086e6a83dc32727ec974da6ecb2a82d0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\System32\zjEBkCS.exe
  C:\Windows\System32\zjEBkCS.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System32\udeiwXQ.exe
  C:\Windows\System32\udeiwXQ.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System32\AoevOwy.exe
  C:\Windows\System32\AoevOwy.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\bTercGn.exe
  C:\Windows\System32\bTercGn.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\KruzNZw.exe
  C:\Windows\System32\KruzNZw.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System32\vaLbpnH.exe
  C:\Windows\System32\vaLbpnH.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\rcAhJQy.exe
  C:\Windows\System32\rcAhJQy.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System32\dUQaQHY.exe
  C:\Windows\System32\dUQaQHY.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\RtApjQq.exe
  C:\Windows\System32\RtApjQq.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System32\CyOdghs.exe
  C:\Windows\System32\CyOdghs.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System32\UoieZAX.exe
  C:\Windows\System32\UoieZAX.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\wkRBEKe.exe
  C:\Windows\System32\wkRBEKe.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System32\UUMrvXJ.exe
  C:\Windows\System32\UUMrvXJ.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System32\gamAMPZ.exe
  C:\Windows\System32\gamAMPZ.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System32\CIqGrsF.exe
  C:\Windows\System32\CIqGrsF.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System32\NgDKZBG.exe
  C:\Windows\System32\NgDKZBG.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\QMpAbBB.exe
  C:\Windows\System32\QMpAbBB.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System32\JAMukyj.exe
  C:\Windows\System32\JAMukyj.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System32\EHCmCaY.exe
  C:\Windows\System32\EHCmCaY.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System32\UEhMMAG.exe
  C:\Windows\System32\UEhMMAG.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\PYscSsZ.exe
  C:\Windows\System32\PYscSsZ.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\WjySqwl.exe
  C:\Windows\System32\WjySqwl.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\LWpjsjP.exe
  C:\Windows\System32\LWpjsjP.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System32\bcyGvRK.exe
  C:\Windows\System32\bcyGvRK.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\YFZGxxC.exe
  C:\Windows\System32\YFZGxxC.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\jDAsyjw.exe
  C:\Windows\System32\jDAsyjw.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\yXWwgBV.exe
  C:\Windows\System32\yXWwgBV.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System32\QbTZKYl.exe
  C:\Windows\System32\QbTZKYl.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\AwmIfPm.exe
  C:\Windows\System32\AwmIfPm.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System32\sUyiXpc.exe
  C:\Windows\System32\sUyiXpc.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\vxAlARe.exe
  C:\Windows\System32\vxAlARe.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System32\GApbfLs.exe
  C:\Windows\System32\GApbfLs.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\VHAuRnM.exe
  C:\Windows\System32\VHAuRnM.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System32\QVBjwHu.exe
  C:\Windows\System32\QVBjwHu.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\fjcXBzg.exe
  C:\Windows\System32\fjcXBzg.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System32\rFhIzbW.exe
  C:\Windows\System32\rFhIzbW.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System32\fgpzsKa.exe
  C:\Windows\System32\fgpzsKa.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System32\NkBHZjS.exe
  C:\Windows\System32\NkBHZjS.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System32\JxPpiwT.exe
  C:\Windows\System32\JxPpiwT.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\WewAHKx.exe
  C:\Windows\System32\WewAHKx.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System32\kHUhUmQ.exe
  C:\Windows\System32\kHUhUmQ.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System32\bPJAkYj.exe
  C:\Windows\System32\bPJAkYj.exe
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Windows\System32\ZZQhLyz.exe
  C:\Windows\System32\ZZQhLyz.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\YnUnNxa.exe
  C:\Windows\System32\YnUnNxa.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System32\JfxfnsA.exe
  C:\Windows\System32\JfxfnsA.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\mjfGsym.exe
  C:\Windows\System32\mjfGsym.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System32\HQzcxkf.exe
  C:\Windows\System32\HQzcxkf.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System32\WgErLpW.exe
  C:\Windows\System32\WgErLpW.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\CIRMhmu.exe
  C:\Windows\System32\CIRMhmu.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\UXDlzKD.exe
  C:\Windows\System32\UXDlzKD.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System32\xbEqhia.exe
  C:\Windows\System32\xbEqhia.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System32\NzVyRKd.exe
  C:\Windows\System32\NzVyRKd.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\kzNbXLV.exe
  C:\Windows\System32\kzNbXLV.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System32\shUWrcP.exe
  C:\Windows\System32\shUWrcP.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System32\WuBZjyE.exe
  C:\Windows\System32\WuBZjyE.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System32\eZltYNt.exe
  C:\Windows\System32\eZltYNt.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\RDUHBoB.exe
  C:\Windows\System32\RDUHBoB.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System32\MwVhrYg.exe
  C:\Windows\System32\MwVhrYg.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System32\zLORTYK.exe
  C:\Windows\System32\zLORTYK.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\XWpowQb.exe
  C:\Windows\System32\XWpowQb.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\yKPFiMP.exe
  C:\Windows\System32\yKPFiMP.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System32\TsYCsui.exe
  C:\Windows\System32\TsYCsui.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System32\YJpDgqk.exe
  C:\Windows\System32\YJpDgqk.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System32\IZNILRh.exe
  C:\Windows\System32\IZNILRh.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System32\kQkaatl.exe
  C:\Windows\System32\kQkaatl.exe
  2⤵
  PID:3484
- C:\Windows\System32\xKwpOlx.exe
  C:\Windows\System32\xKwpOlx.exe
  2⤵
  PID:2712
- C:\Windows\System32\prZoiLF.exe
  C:\Windows\System32\prZoiLF.exe
  2⤵
  PID:4108
- C:\Windows\System32\dnFdyGB.exe
  C:\Windows\System32\dnFdyGB.exe
  2⤵
  PID:2252
- C:\Windows\System32\pFSTMoZ.exe
  C:\Windows\System32\pFSTMoZ.exe
  2⤵
  PID:1152
- C:\Windows\System32\AHdnlAw.exe
  C:\Windows\System32\AHdnlAw.exe
  2⤵
  PID:5140
- C:\Windows\System32\DGzLFBD.exe
  C:\Windows\System32\DGzLFBD.exe
  2⤵
  PID:5156
- C:\Windows\System32\mauLlGd.exe
  C:\Windows\System32\mauLlGd.exe
  2⤵
  PID:5188
- C:\Windows\System32\lqGTVXy.exe
  C:\Windows\System32\lqGTVXy.exe
  2⤵
  PID:5212
- C:\Windows\System32\FKJsHbs.exe
  C:\Windows\System32\FKJsHbs.exe
  2⤵
  PID:5252
- C:\Windows\System32\xRMVhVw.exe
  C:\Windows\System32\xRMVhVw.exe
  2⤵
  PID:5268
- C:\Windows\System32\QiYdZUc.exe
  C:\Windows\System32\QiYdZUc.exe
  2⤵
  PID:5296
- C:\Windows\System32\KumDyeo.exe
  C:\Windows\System32\KumDyeo.exe
  2⤵
  PID:5336
- C:\Windows\System32\jijIsXh.exe
  C:\Windows\System32\jijIsXh.exe
  2⤵
  PID:5356
- C:\Windows\System32\XLMYRDM.exe
  C:\Windows\System32\XLMYRDM.exe
  2⤵
  PID:5380
- C:\Windows\System32\gaeyNUU.exe
  C:\Windows\System32\gaeyNUU.exe
  2⤵
  PID:5412
- C:\Windows\System32\fPgCKjV.exe
  C:\Windows\System32\fPgCKjV.exe
  2⤵
  PID:5436
- C:\Windows\System32\Rjrbyjn.exe
  C:\Windows\System32\Rjrbyjn.exe
  2⤵
  PID:5468
- C:\Windows\System32\jmnIXOM.exe
  C:\Windows\System32\jmnIXOM.exe
  2⤵
  PID:5500
- C:\Windows\System32\VscGYAu.exe
  C:\Windows\System32\VscGYAu.exe
  2⤵
  PID:5532
- C:\Windows\System32\RLbvnxE.exe
  C:\Windows\System32\RLbvnxE.exe
  2⤵
  PID:5548
- C:\Windows\System32\NHSHGvX.exe
  C:\Windows\System32\NHSHGvX.exe
  2⤵
  PID:5576
- C:\Windows\System32\qbnEiIR.exe
  C:\Windows\System32\qbnEiIR.exe
  2⤵
  PID:5604
- C:\Windows\System32\IEcRPzX.exe
  C:\Windows\System32\IEcRPzX.exe
  2⤵
  PID:5632
- C:\Windows\System32\CNOfhgr.exe
  C:\Windows\System32\CNOfhgr.exe
  2⤵
  PID:5660
- C:\Windows\System32\kbcuFlM.exe
  C:\Windows\System32\kbcuFlM.exe
  2⤵
  PID:5684
- C:\Windows\System32\hXuxhmq.exe
  C:\Windows\System32\hXuxhmq.exe
  2⤵
  PID:5716
- C:\Windows\System32\rPxsNZl.exe
  C:\Windows\System32\rPxsNZl.exe
  2⤵
  PID:5740
- C:\Windows\System32\KoiNFpF.exe
  C:\Windows\System32\KoiNFpF.exe
  2⤵
  PID:5772
- C:\Windows\System32\ivPlcMC.exe
  C:\Windows\System32\ivPlcMC.exe
  2⤵
  PID:5800
- C:\Windows\System32\WOQsLrK.exe
  C:\Windows\System32\WOQsLrK.exe
  2⤵
  PID:5824
- C:\Windows\System32\YiYopAs.exe
  C:\Windows\System32\YiYopAs.exe
  2⤵
  PID:5852
- C:\Windows\System32\LmjHzFi.exe
  C:\Windows\System32\LmjHzFi.exe
  2⤵
  PID:5884
- C:\Windows\System32\OQHoStL.exe
  C:\Windows\System32\OQHoStL.exe
  2⤵
  PID:5912
- C:\Windows\System32\rpCmpiT.exe
  C:\Windows\System32\rpCmpiT.exe
  2⤵
  PID:5940
- C:\Windows\System32\XPKCoHc.exe
  C:\Windows\System32\XPKCoHc.exe
  2⤵
  PID:5968
- C:\Windows\System32\PumuJiq.exe
  C:\Windows\System32\PumuJiq.exe
  2⤵
  PID:5992
- C:\Windows\System32\wkSbljy.exe
  C:\Windows\System32\wkSbljy.exe
  2⤵
  PID:6020
- C:\Windows\System32\RLzCjqR.exe
  C:\Windows\System32\RLzCjqR.exe
  2⤵
  PID:6052
- C:\Windows\System32\jGxOURD.exe
  C:\Windows\System32\jGxOURD.exe
  2⤵
  PID:6080
- C:\Windows\System32\HMylDid.exe
  C:\Windows\System32\HMylDid.exe
  2⤵
  PID:6108
- C:\Windows\System32\PYNVaBZ.exe
  C:\Windows\System32\PYNVaBZ.exe
  2⤵
  PID:6136
- C:\Windows\System32\HOkDppH.exe
  C:\Windows\System32\HOkDppH.exe
  2⤵
  PID:5084
- C:\Windows\System32\MkAHTUB.exe
  C:\Windows\System32\MkAHTUB.exe
  2⤵
  PID:396
- C:\Windows\System32\ecPjOjP.exe
  C:\Windows\System32\ecPjOjP.exe
  2⤵
  PID:1960
- C:\Windows\System32\VnGEkqU.exe
  C:\Windows\System32\VnGEkqU.exe
  2⤵
  PID:1856
- C:\Windows\System32\WZjajOy.exe
  C:\Windows\System32\WZjajOy.exe
  2⤵
  PID:4048
- C:\Windows\System32\CCxOpGe.exe
  C:\Windows\System32\CCxOpGe.exe
  2⤵
  PID:5132
- C:\Windows\System32\yRmCzzO.exe
  C:\Windows\System32\yRmCzzO.exe
  2⤵
  PID:5200
- C:\Windows\System32\LttPQnk.exe
  C:\Windows\System32\LttPQnk.exe
  2⤵
  PID:5264
- C:\Windows\System32\wBVMCae.exe
  C:\Windows\System32\wBVMCae.exe
  2⤵
  PID:5304
- C:\Windows\System32\FVyTpmN.exe
  C:\Windows\System32\FVyTpmN.exe
  2⤵
  PID:5392
- C:\Windows\System32\rKqGdJX.exe
  C:\Windows\System32\rKqGdJX.exe
  2⤵
  PID:5448
- C:\Windows\System32\OHzLTmM.exe
  C:\Windows\System32\OHzLTmM.exe
  2⤵
  PID:5516
- C:\Windows\System32\JLvkasY.exe
  C:\Windows\System32\JLvkasY.exe
  2⤵
  PID:5560
- C:\Windows\System32\eQDBgPT.exe
  C:\Windows\System32\eQDBgPT.exe
  2⤵
  PID:5644
- C:\Windows\System32\zrRRSYI.exe
  C:\Windows\System32\zrRRSYI.exe
  2⤵
  PID:5700
- C:\Windows\System32\yxHWpwO.exe
  C:\Windows\System32\yxHWpwO.exe
  2⤵
  PID:4504
- C:\Windows\System32\WYIaqjm.exe
  C:\Windows\System32\WYIaqjm.exe
  2⤵
  PID:5820
- C:\Windows\System32\OanWXaH.exe
  C:\Windows\System32\OanWXaH.exe
  2⤵
  PID:2672
- C:\Windows\System32\HtOvwiC.exe
  C:\Windows\System32\HtOvwiC.exe
  2⤵
  PID:5960
- C:\Windows\System32\xjibuaF.exe
  C:\Windows\System32\xjibuaF.exe
  2⤵
  PID:6016
- C:\Windows\System32\ZEcyGmw.exe
  C:\Windows\System32\ZEcyGmw.exe
  2⤵
  PID:6072
- C:\Windows\System32\TguUbHF.exe
  C:\Windows\System32\TguUbHF.exe
  2⤵
  PID:3860
- C:\Windows\System32\UpSbjun.exe
  C:\Windows\System32\UpSbjun.exe
  2⤵
  PID:2656
- C:\Windows\System32\qwCHJTn.exe
  C:\Windows\System32\qwCHJTn.exe
  2⤵
  PID:3640
- C:\Windows\System32\IUfgayI.exe
  C:\Windows\System32\IUfgayI.exe
  2⤵
  PID:5168
- C:\Windows\System32\rPsXuUm.exe
  C:\Windows\System32\rPsXuUm.exe
  2⤵
  PID:5372
- C:\Windows\System32\KcxpHGz.exe
  C:\Windows\System32\KcxpHGz.exe
  2⤵
  PID:224
- C:\Windows\System32\lBYzUiw.exe
  C:\Windows\System32\lBYzUiw.exe
  2⤵
  PID:5540
- C:\Windows\System32\zXXPUEn.exe
  C:\Windows\System32\zXXPUEn.exe
  2⤵
  PID:5756
- C:\Windows\System32\hWbDeFY.exe
  C:\Windows\System32\hWbDeFY.exe
  2⤵
  PID:5812
- C:\Windows\System32\kvsNOHk.exe
  C:\Windows\System32\kvsNOHk.exe
  2⤵
  PID:6000
- C:\Windows\System32\qkOxTVp.exe
  C:\Windows\System32\qkOxTVp.exe
  2⤵
  PID:4956
- C:\Windows\System32\rLyWWGb.exe
  C:\Windows\System32\rLyWWGb.exe
  2⤵
  PID:6172
- C:\Windows\System32\QDITwMI.exe
  C:\Windows\System32\QDITwMI.exe
  2⤵
  PID:6200
- C:\Windows\System32\lCQxwdE.exe
  C:\Windows\System32\lCQxwdE.exe
  2⤵
  PID:6240
- C:\Windows\System32\mSyxVYI.exe
  C:\Windows\System32\mSyxVYI.exe
  2⤵
  PID:6260
- C:\Windows\System32\sHyPqAO.exe
  C:\Windows\System32\sHyPqAO.exe
  2⤵
  PID:6288
- C:\Windows\System32\BphIUTc.exe
  C:\Windows\System32\BphIUTc.exe
  2⤵
  PID:6312
- C:\Windows\System32\JeAVPaI.exe
  C:\Windows\System32\JeAVPaI.exe
  2⤵
  PID:6340
- C:\Windows\System32\ObpivsI.exe
  C:\Windows\System32\ObpivsI.exe
  2⤵
  PID:6372
- C:\Windows\System32\NbYEomt.exe
  C:\Windows\System32\NbYEomt.exe
  2⤵
  PID:6400
- C:\Windows\System32\HsYzzfK.exe
  C:\Windows\System32\HsYzzfK.exe
  2⤵
  PID:6424
- C:\Windows\System32\ysOmXxZ.exe
  C:\Windows\System32\ysOmXxZ.exe
  2⤵
  PID:6456
- C:\Windows\System32\pWbpBcQ.exe
  C:\Windows\System32\pWbpBcQ.exe
  2⤵
  PID:6484
- C:\Windows\System32\Wsmxeyr.exe
  C:\Windows\System32\Wsmxeyr.exe
  2⤵
  PID:6508
- C:\Windows\System32\MuuiXBR.exe
  C:\Windows\System32\MuuiXBR.exe
  2⤵
  PID:6536
- C:\Windows\System32\VlAjXgj.exe
  C:\Windows\System32\VlAjXgj.exe
  2⤵
  PID:6568
- C:\Windows\System32\jcoCtzq.exe
  C:\Windows\System32\jcoCtzq.exe
  2⤵
  PID:6596
- C:\Windows\System32\tMmFyHR.exe
  C:\Windows\System32\tMmFyHR.exe
  2⤵
  PID:6624
- C:\Windows\System32\frQkOoz.exe
  C:\Windows\System32\frQkOoz.exe
  2⤵
  PID:6648
- C:\Windows\System32\iSUwqvA.exe
  C:\Windows\System32\iSUwqvA.exe
  2⤵
  PID:6676
- C:\Windows\System32\UuxgLZL.exe
  C:\Windows\System32\UuxgLZL.exe
  2⤵
  PID:6716
- C:\Windows\System32\hrNAoKp.exe
  C:\Windows\System32\hrNAoKp.exe
  2⤵
  PID:6736
- C:\Windows\System32\QrSTCwu.exe
  C:\Windows\System32\QrSTCwu.exe
  2⤵
  PID:6760
- C:\Windows\System32\aBLQvgI.exe
  C:\Windows\System32\aBLQvgI.exe
  2⤵
  PID:6792
- C:\Windows\System32\adMnxrd.exe
  C:\Windows\System32\adMnxrd.exe
  2⤵
  PID:6820
- C:\Windows\System32\dVgvhIA.exe
  C:\Windows\System32\dVgvhIA.exe
  2⤵
  PID:6848
- C:\Windows\System32\zpwFbUA.exe
  C:\Windows\System32\zpwFbUA.exe
  2⤵
  PID:6876
- C:\Windows\System32\xCjTuKq.exe
  C:\Windows\System32\xCjTuKq.exe
  2⤵
  PID:6900
- C:\Windows\System32\jXvomku.exe
  C:\Windows\System32\jXvomku.exe
  2⤵
  PID:6932
- C:\Windows\System32\poLPrKn.exe
  C:\Windows\System32\poLPrKn.exe
  2⤵
  PID:6956
- C:\Windows\System32\FZWzoAK.exe
  C:\Windows\System32\FZWzoAK.exe
  2⤵
  PID:6996
- C:\Windows\System32\jAlaRrx.exe
  C:\Windows\System32\jAlaRrx.exe
  2⤵
  PID:7016
- C:\Windows\System32\BzUujZt.exe
  C:\Windows\System32\BzUujZt.exe
  2⤵
  PID:7044
- C:\Windows\System32\mBDcMjk.exe
  C:\Windows\System32\mBDcMjk.exe
  2⤵
  PID:7072
- C:\Windows\System32\MlMmoIn.exe
  C:\Windows\System32\MlMmoIn.exe
  2⤵
  PID:7100
- C:\Windows\System32\gWAzllM.exe
  C:\Windows\System32\gWAzllM.exe
  2⤵
  PID:7128
- C:\Windows\System32\EDNHPJt.exe
  C:\Windows\System32\EDNHPJt.exe
  2⤵
  PID:7156
- C:\Windows\System32\tbttiFw.exe
  C:\Windows\System32\tbttiFw.exe
  2⤵
  PID:232
- C:\Windows\System32\MyJcbDB.exe
  C:\Windows\System32\MyJcbDB.exe
  2⤵
  PID:3616
- C:\Windows\System32\vOtpApQ.exe
  C:\Windows\System32\vOtpApQ.exe
  2⤵
  PID:5420
- C:\Windows\System32\HYHXSsR.exe
  C:\Windows\System32\HYHXSsR.exe
  2⤵
  PID:4628
- C:\Windows\System32\MFpyrGw.exe
  C:\Windows\System32\MFpyrGw.exe
  2⤵
  PID:5724
- C:\Windows\System32\FeRdqXt.exe
  C:\Windows\System32\FeRdqXt.exe
  2⤵
  PID:6152
- C:\Windows\System32\xwiwgbS.exe
  C:\Windows\System32\xwiwgbS.exe
  2⤵
  PID:6208
- C:\Windows\System32\HwvZJux.exe
  C:\Windows\System32\HwvZJux.exe
  2⤵
  PID:6268
- C:\Windows\System32\wDzcnTL.exe
  C:\Windows\System32\wDzcnTL.exe
  2⤵
  PID:4264
- C:\Windows\System32\plskglN.exe
  C:\Windows\System32\plskglN.exe
  2⤵
  PID:6380
- C:\Windows\System32\CWrpSsd.exe
  C:\Windows\System32\CWrpSsd.exe
  2⤵
  PID:6448
- C:\Windows\System32\KbvViwu.exe
  C:\Windows\System32\KbvViwu.exe
  2⤵
  PID:6476
- C:\Windows\System32\YnhRsJE.exe
  C:\Windows\System32\YnhRsJE.exe
  2⤵
  PID:6516
- C:\Windows\System32\FqTfpKH.exe
  C:\Windows\System32\FqTfpKH.exe
  2⤵
  PID:6580
- C:\Windows\System32\GusMhMC.exe
  C:\Windows\System32\GusMhMC.exe
  2⤵
  PID:6644
- C:\Windows\System32\Aeloikg.exe
  C:\Windows\System32\Aeloikg.exe
  2⤵
  PID:6692
- C:\Windows\System32\qznOewq.exe
  C:\Windows\System32\qznOewq.exe
  2⤵
  PID:6744
- C:\Windows\System32\AGGWXuV.exe
  C:\Windows\System32\AGGWXuV.exe
  2⤵
  PID:6768
- C:\Windows\System32\RtBlucp.exe
  C:\Windows\System32\RtBlucp.exe
  2⤵
  PID:6868
- C:\Windows\System32\WwGHvBd.exe
  C:\Windows\System32\WwGHvBd.exe
  2⤵
  PID:6924
- C:\Windows\System32\yXkzWJJ.exe
  C:\Windows\System32\yXkzWJJ.exe
  2⤵
  PID:6952
- C:\Windows\System32\sTliUgO.exe
  C:\Windows\System32\sTliUgO.exe
  2⤵
  PID:4768
- C:\Windows\System32\KxPRSAP.exe
  C:\Windows\System32\KxPRSAP.exe
  2⤵
  PID:4660
- C:\Windows\System32\bSYoILz.exe
  C:\Windows\System32\bSYoILz.exe
  2⤵
  PID:1132
- C:\Windows\System32\ocbzIAO.exe
  C:\Windows\System32\ocbzIAO.exe
  2⤵
  PID:7092
- C:\Windows\System32\mTaxTbU.exe
  C:\Windows\System32\mTaxTbU.exe
  2⤵
  PID:7120
- C:\Windows\System32\vHApNOC.exe
  C:\Windows\System32\vHApNOC.exe
  2⤵
  PID:972
- C:\Windows\System32\tgjhTjr.exe
  C:\Windows\System32\tgjhTjr.exe
  2⤵
  PID:7164
- C:\Windows\System32\IXrWbWz.exe
  C:\Windows\System32\IXrWbWz.exe
  2⤵
  PID:5456
- C:\Windows\System32\EItBKhM.exe
  C:\Windows\System32\EItBKhM.exe
  2⤵
  PID:6196
- C:\Windows\System32\PvtVbXR.exe
  C:\Windows\System32\PvtVbXR.exe
  2⤵
  PID:6236
- C:\Windows\System32\ZyiGlDG.exe
  C:\Windows\System32\ZyiGlDG.exe
  2⤵
  PID:6392
- C:\Windows\System32\BFGuAST.exe
  C:\Windows\System32\BFGuAST.exe
  2⤵
  PID:6492
- C:\Windows\System32\MqOaQhN.exe
  C:\Windows\System32\MqOaQhN.exe
  2⤵
  PID:6604
- C:\Windows\System32\chZUuPS.exe
  C:\Windows\System32\chZUuPS.exe
  2⤵
  PID:6776
- C:\Windows\System32\utOwBwq.exe
  C:\Windows\System32\utOwBwq.exe
  2⤵
  PID:6860
- C:\Windows\System32\RusidiL.exe
  C:\Windows\System32\RusidiL.exe
  2⤵
  PID:4076
- C:\Windows\System32\BYtqjrd.exe
  C:\Windows\System32\BYtqjrd.exe
  2⤵
  PID:6364
- C:\Windows\System32\FmcPUYK.exe
  C:\Windows\System32\FmcPUYK.exe
  2⤵
  PID:6408
- C:\Windows\System32\sVizmvY.exe
  C:\Windows\System32\sVizmvY.exe
  2⤵
  PID:6544
- C:\Windows\System32\RIqvYOw.exe
  C:\Windows\System32\RIqvYOw.exe
  2⤵
  PID:6632
- C:\Windows\System32\mKiybfE.exe
  C:\Windows\System32\mKiybfE.exe
  2⤵
  PID:2644
- C:\Windows\System32\jMbxXqT.exe
  C:\Windows\System32\jMbxXqT.exe
  2⤵
  PID:2748
- C:\Windows\System32\bTeMpts.exe
  C:\Windows\System32\bTeMpts.exe
  2⤵
  PID:1124
- C:\Windows\System32\PohnCzx.exe
  C:\Windows\System32\PohnCzx.exe
  2⤵
  PID:1508
- C:\Windows\System32\OzlkBFp.exe
  C:\Windows\System32\OzlkBFp.exe
  2⤵
  PID:4192
- C:\Windows\System32\kelCsEw.exe
  C:\Windows\System32\kelCsEw.exe
  2⤵
  PID:4752
- C:\Windows\System32\nxVPUjv.exe
  C:\Windows\System32\nxVPUjv.exe
  2⤵
  PID:3416
- C:\Windows\System32\IYbErXz.exe
  C:\Windows\System32\IYbErXz.exe
  2⤵
  PID:3612
- C:\Windows\System32\vFAVoch.exe
  C:\Windows\System32\vFAVoch.exe
  2⤵
  PID:4044
- C:\Windows\System32\pTYDQSx.exe
  C:\Windows\System32\pTYDQSx.exe
  2⤵
  PID:3904
- C:\Windows\System32\NAMkwxc.exe
  C:\Windows\System32\NAMkwxc.exe
  2⤵
  PID:4568
- C:\Windows\System32\qaJINHx.exe
  C:\Windows\System32\qaJINHx.exe
  2⤵
  PID:4152
- C:\Windows\System32\XWbwkSI.exe
  C:\Windows\System32\XWbwkSI.exe
  2⤵
  PID:7084
- C:\Windows\System32\dIWLzik.exe
  C:\Windows\System32\dIWLzik.exe
  2⤵
  PID:3580
- C:\Windows\System32\PaehWPQ.exe
  C:\Windows\System32\PaehWPQ.exe
  2⤵
  PID:5112
- C:\Windows\System32\WNMlJfg.exe
  C:\Windows\System32\WNMlJfg.exe
  2⤵
  PID:3624
- C:\Windows\System32\FpNGqPW.exe
  C:\Windows\System32\FpNGqPW.exe
  2⤵
  PID:6060
- C:\Windows\System32\GYxsZmo.exe
  C:\Windows\System32\GYxsZmo.exe
  2⤵
  PID:1612
- C:\Windows\System32\FXWtJYR.exe
  C:\Windows\System32\FXWtJYR.exe
  2⤵
  PID:6168
- C:\Windows\System32\EutzzZH.exe
  C:\Windows\System32\EutzzZH.exe
  2⤵
  PID:4716
- C:\Windows\System32\ZuSPKHI.exe
  C:\Windows\System32\ZuSPKHI.exe
  2⤵
  PID:6884
- C:\Windows\System32\dOhIfTN.exe
  C:\Windows\System32\dOhIfTN.exe
  2⤵
  PID:1064
- C:\Windows\System32\snKvHtc.exe
  C:\Windows\System32\snKvHtc.exe
  2⤵
  PID:2332
- C:\Windows\System32\ALnZkGQ.exe
  C:\Windows\System32\ALnZkGQ.exe
  2⤵
  PID:7180
- C:\Windows\System32\IrUtITc.exe
  C:\Windows\System32\IrUtITc.exe
  2⤵
  PID:7244
- C:\Windows\System32\EWwoyoK.exe
  C:\Windows\System32\EWwoyoK.exe
  2⤵
  PID:7260
- C:\Windows\System32\KpHngUs.exe
  C:\Windows\System32\KpHngUs.exe
  2⤵
  PID:7284
- C:\Windows\System32\XrBBEBz.exe
  C:\Windows\System32\XrBBEBz.exe
  2⤵
  PID:7336
- C:\Windows\System32\JcgElyz.exe
  C:\Windows\System32\JcgElyz.exe
  2⤵
  PID:7356
- C:\Windows\System32\xbqEvNG.exe
  C:\Windows\System32\xbqEvNG.exe
  2⤵
  PID:7376
- C:\Windows\System32\FBYztbo.exe
  C:\Windows\System32\FBYztbo.exe
  2⤵
  PID:7392
- C:\Windows\System32\AzkMCLy.exe
  C:\Windows\System32\AzkMCLy.exe
  2⤵
  PID:7412
- C:\Windows\System32\OIcZQyB.exe
  C:\Windows\System32\OIcZQyB.exe
  2⤵
  PID:7440
- C:\Windows\System32\sBzMvXK.exe
  C:\Windows\System32\sBzMvXK.exe
  2⤵
  PID:7456
- C:\Windows\System32\MDHTsjb.exe
  C:\Windows\System32\MDHTsjb.exe
  2⤵
  PID:7508
- C:\Windows\System32\fXtLrze.exe
  C:\Windows\System32\fXtLrze.exe
  2⤵
  PID:7528
- C:\Windows\System32\JeEOJDm.exe
  C:\Windows\System32\JeEOJDm.exe
  2⤵
  PID:7572
- C:\Windows\System32\AdFMntP.exe
  C:\Windows\System32\AdFMntP.exe
  2⤵
  PID:7728
- C:\Windows\System32\CEBKsHR.exe
  C:\Windows\System32\CEBKsHR.exe
  2⤵
  PID:7760
- C:\Windows\System32\rKQXkAg.exe
  C:\Windows\System32\rKQXkAg.exe
  2⤵
  PID:7792
- C:\Windows\System32\YlIEGsW.exe
  C:\Windows\System32\YlIEGsW.exe
  2⤵
  PID:7816
- C:\Windows\System32\RlFInAp.exe
  C:\Windows\System32\RlFInAp.exe
  2⤵
  PID:7836
- C:\Windows\System32\fdiOWSN.exe
  C:\Windows\System32\fdiOWSN.exe
  2⤵
  PID:7852
- C:\Windows\System32\ZbVZinb.exe
  C:\Windows\System32\ZbVZinb.exe
  2⤵
  PID:7872
- C:\Windows\System32\PmbysWu.exe
  C:\Windows\System32\PmbysWu.exe
  2⤵
  PID:7900
- C:\Windows\System32\vLYQZpj.exe
  C:\Windows\System32\vLYQZpj.exe
  2⤵
  PID:7924
- C:\Windows\System32\YbdGfUN.exe
  C:\Windows\System32\YbdGfUN.exe
  2⤵
  PID:7984
- C:\Windows\System32\oVVvrKY.exe
  C:\Windows\System32\oVVvrKY.exe
  2⤵
  PID:8008
- C:\Windows\System32\CKxiUiF.exe
  C:\Windows\System32\CKxiUiF.exe
  2⤵
  PID:8044
- C:\Windows\System32\nTxAOuX.exe
  C:\Windows\System32\nTxAOuX.exe
  2⤵
  PID:8060
- C:\Windows\System32\eJqnThu.exe
  C:\Windows\System32\eJqnThu.exe
  2⤵
  PID:8088
- C:\Windows\System32\vNnAUmA.exe
  C:\Windows\System32\vNnAUmA.exe
  2⤵
  PID:8104
- C:\Windows\System32\BcDQtMb.exe
  C:\Windows\System32\BcDQtMb.exe
  2⤵
  PID:8144
- C:\Windows\System32\LmUYORk.exe
  C:\Windows\System32\LmUYORk.exe
  2⤵
  PID:8172
- C:\Windows\System32\kCXouQU.exe
  C:\Windows\System32\kCXouQU.exe
  2⤵
  PID:648
- C:\Windows\System32\GsTipqg.exe
  C:\Windows\System32\GsTipqg.exe
  2⤵
  PID:5052
- C:\Windows\System32\VAHdMDy.exe
  C:\Windows\System32\VAHdMDy.exe
  2⤵
  PID:2492
- C:\Windows\System32\jbrfrRE.exe
  C:\Windows\System32\jbrfrRE.exe
  2⤵
  PID:916
- C:\Windows\System32\QVPoLAJ.exe
  C:\Windows\System32\QVPoLAJ.exe
  2⤵
  PID:1692
- C:\Windows\System32\vXTnOdj.exe
  C:\Windows\System32\vXTnOdj.exe
  2⤵
  PID:7176
- C:\Windows\System32\sPDxmtv.exe
  C:\Windows\System32\sPDxmtv.exe
  2⤵
  PID:7252
- C:\Windows\System32\iGkXhwd.exe
  C:\Windows\System32\iGkXhwd.exe
  2⤵
  PID:7464
- C:\Windows\System32\AEBKVHD.exe
  C:\Windows\System32\AEBKVHD.exe
  2⤵
  PID:7372
- C:\Windows\System32\Fcbatnw.exe
  C:\Windows\System32\Fcbatnw.exe
  2⤵
  PID:7312
- C:\Windows\System32\ijqxDgM.exe
  C:\Windows\System32\ijqxDgM.exe
  2⤵
  PID:7428
- C:\Windows\System32\SjrjBNR.exe
  C:\Windows\System32\SjrjBNR.exe
  2⤵
  PID:7564
- C:\Windows\System32\iUXNlyQ.exe
  C:\Windows\System32\iUXNlyQ.exe
  2⤵
  PID:7696
- C:\Windows\System32\UVSljjv.exe
  C:\Windows\System32\UVSljjv.exe
  2⤵
  PID:7632
- C:\Windows\System32\BaaBavJ.exe
  C:\Windows\System32\BaaBavJ.exe
  2⤵
  PID:5672
- C:\Windows\System32\hzSbWFq.exe
  C:\Windows\System32\hzSbWFq.exe
  2⤵
  PID:7804
- C:\Windows\System32\NbNnDkW.exe
  C:\Windows\System32\NbNnDkW.exe
  2⤵
  PID:7992
- C:\Windows\System32\HJGSZNV.exe
  C:\Windows\System32\HJGSZNV.exe
  2⤵
  PID:7956
- C:\Windows\System32\PdQuSsN.exe
  C:\Windows\System32\PdQuSsN.exe
  2⤵
  PID:8072
- C:\Windows\System32\bVztUEx.exe
  C:\Windows\System32\bVztUEx.exe
  2⤵
  PID:3200
- C:\Windows\System32\ZEHQWKg.exe
  C:\Windows\System32\ZEHQWKg.exe
  2⤵
  PID:8132
- C:\Windows\System32\AlcWxhc.exe
  C:\Windows\System32\AlcWxhc.exe
  2⤵
  PID:8168
- C:\Windows\System32\nnAYTqH.exe
  C:\Windows\System32\nnAYTqH.exe
  2⤵
  PID:1996
- C:\Windows\System32\fPhVIRL.exe
  C:\Windows\System32\fPhVIRL.exe
  2⤵
  PID:3056
- C:\Windows\System32\KxSHTza.exe
  C:\Windows\System32\KxSHTza.exe
  2⤵
  PID:7368
- C:\Windows\System32\PevssWf.exe
  C:\Windows\System32\PevssWf.exe
  2⤵
  PID:7452
- C:\Windows\System32\gGzofdo.exe
  C:\Windows\System32\gGzofdo.exe
  2⤵
  PID:7420
- C:\Windows\System32\eITuvbC.exe
  C:\Windows\System32\eITuvbC.exe
  2⤵
  PID:7620
- C:\Windows\System32\wVfbTAz.exe
  C:\Windows\System32\wVfbTAz.exe
  2⤵
  PID:7824
- C:\Windows\System32\wkrduHq.exe
  C:\Windows\System32\wkrduHq.exe
  2⤵
  PID:8028
- C:\Windows\System32\VCtwLSJ.exe
  C:\Windows\System32\VCtwLSJ.exe
  2⤵
  PID:6308
- C:\Windows\System32\gsgJaBo.exe
  C:\Windows\System32\gsgJaBo.exe
  2⤵
  PID:7580
- C:\Windows\System32\POALuGf.exe
  C:\Windows\System32\POALuGf.exe
  2⤵
  PID:7948
- C:\Windows\System32\nkKpIxk.exe
  C:\Windows\System32\nkKpIxk.exe
  2⤵
  PID:7536
- C:\Windows\System32\eXWkmGM.exe
  C:\Windows\System32\eXWkmGM.exe
  2⤵
  PID:1852
- C:\Windows\System32\RSJEONn.exe
  C:\Windows\System32\RSJEONn.exe
  2⤵
  PID:8224
- C:\Windows\System32\rEXVOEP.exe
  C:\Windows\System32\rEXVOEP.exe
  2⤵
  PID:8256
- C:\Windows\System32\kucUJwn.exe
  C:\Windows\System32\kucUJwn.exe
  2⤵
  PID:8276
- C:\Windows\System32\lZJHnHZ.exe
  C:\Windows\System32\lZJHnHZ.exe
  2⤵
  PID:8316
- C:\Windows\System32\ncQrGyb.exe
  C:\Windows\System32\ncQrGyb.exe
  2⤵
  PID:8344
- C:\Windows\System32\GxWvnSH.exe
  C:\Windows\System32\GxWvnSH.exe
  2⤵
  PID:8368
- C:\Windows\System32\fGhhcGr.exe
  C:\Windows\System32\fGhhcGr.exe
  2⤵
  PID:8388
- C:\Windows\System32\FcTVMzd.exe
  C:\Windows\System32\FcTVMzd.exe
  2⤵
  PID:8408
- C:\Windows\System32\XYsFSnj.exe
  C:\Windows\System32\XYsFSnj.exe
  2⤵
  PID:8428
- C:\Windows\System32\clKvjmR.exe
  C:\Windows\System32\clKvjmR.exe
  2⤵
  PID:8468
- C:\Windows\System32\tlkwyJa.exe
  C:\Windows\System32\tlkwyJa.exe
  2⤵
  PID:8508
- C:\Windows\System32\QdCZLuB.exe
  C:\Windows\System32\QdCZLuB.exe
  2⤵
  PID:8532
- C:\Windows\System32\zRReRSN.exe
  C:\Windows\System32\zRReRSN.exe
  2⤵
  PID:8552
- C:\Windows\System32\keWMEAm.exe
  C:\Windows\System32\keWMEAm.exe
  2⤵
  PID:8576
- C:\Windows\System32\IMZMdlp.exe
  C:\Windows\System32\IMZMdlp.exe
  2⤵
  PID:8604
- C:\Windows\System32\apCHCNh.exe
  C:\Windows\System32\apCHCNh.exe
  2⤵
  PID:8640
- C:\Windows\System32\StGbGap.exe
  C:\Windows\System32\StGbGap.exe
  2⤵
  PID:8660
- C:\Windows\System32\LsgrpjW.exe
  C:\Windows\System32\LsgrpjW.exe
  2⤵
  PID:8700
- C:\Windows\System32\TgMJOdz.exe
  C:\Windows\System32\TgMJOdz.exe
  2⤵
  PID:8732
- C:\Windows\System32\JdinCFg.exe
  C:\Windows\System32\JdinCFg.exe
  2⤵
  PID:8760
- C:\Windows\System32\ingOguk.exe
  C:\Windows\System32\ingOguk.exe
  2⤵
  PID:8796
- C:\Windows\System32\qDwcrkj.exe
  C:\Windows\System32\qDwcrkj.exe
  2⤵
  PID:8820
- C:\Windows\System32\heAoYmi.exe
  C:\Windows\System32\heAoYmi.exe
  2⤵
  PID:8844
- C:\Windows\System32\kerJpHH.exe
  C:\Windows\System32\kerJpHH.exe
  2⤵
  PID:8864
- C:\Windows\System32\aiHhBvv.exe
  C:\Windows\System32\aiHhBvv.exe
  2⤵
  PID:8912
- C:\Windows\System32\ecBgvav.exe
  C:\Windows\System32\ecBgvav.exe
  2⤵
  PID:8936
- C:\Windows\System32\wIKahRy.exe
  C:\Windows\System32\wIKahRy.exe
  2⤵
  PID:8952
- C:\Windows\System32\FwvnfdZ.exe
  C:\Windows\System32\FwvnfdZ.exe
  2⤵
  PID:8988
- C:\Windows\System32\ZbjalTn.exe
  C:\Windows\System32\ZbjalTn.exe
  2⤵
  PID:9020
- C:\Windows\System32\cxCviuw.exe
  C:\Windows\System32\cxCviuw.exe
  2⤵
  PID:9048
- C:\Windows\System32\smlmsUf.exe
  C:\Windows\System32\smlmsUf.exe
  2⤵
  PID:9068
- C:\Windows\System32\QYeskhV.exe
  C:\Windows\System32\QYeskhV.exe
  2⤵
  PID:9088
- C:\Windows\System32\uVGAvhU.exe
  C:\Windows\System32\uVGAvhU.exe
  2⤵
  PID:9124
- C:\Windows\System32\IGKUtUx.exe
  C:\Windows\System32\IGKUtUx.exe
  2⤵
  PID:9144
- C:\Windows\System32\HdKTMDj.exe
  C:\Windows\System32\HdKTMDj.exe
  2⤵
  PID:9172
- C:\Windows\System32\uSmMmNo.exe
  C:\Windows\System32\uSmMmNo.exe
  2⤵
  PID:9200
- C:\Windows\System32\FHMNrrh.exe
  C:\Windows\System32\FHMNrrh.exe
  2⤵
  PID:8268
- C:\Windows\System32\syuhCtt.exe
  C:\Windows\System32\syuhCtt.exe
  2⤵
  PID:8300
- C:\Windows\System32\wfmJbWn.exe
  C:\Windows\System32\wfmJbWn.exe
  2⤵
  PID:8384
- C:\Windows\System32\QaBCfBd.exe
  C:\Windows\System32\QaBCfBd.exe
  2⤵
  PID:8416
- C:\Windows\System32\ElwSqeb.exe
  C:\Windows\System32\ElwSqeb.exe
  2⤵
  PID:8500
- C:\Windows\System32\nqMlpbs.exe
  C:\Windows\System32\nqMlpbs.exe
  2⤵
  PID:8568
- C:\Windows\System32\avjIwyx.exe
  C:\Windows\System32\avjIwyx.exe
  2⤵
  PID:8616
- C:\Windows\System32\FdxqhnN.exe
  C:\Windows\System32\FdxqhnN.exe
  2⤵
  PID:8680
- C:\Windows\System32\POmrYSM.exe
  C:\Windows\System32\POmrYSM.exe
  2⤵
  PID:8756
- C:\Windows\System32\ExfwYZU.exe
  C:\Windows\System32\ExfwYZU.exe
  2⤵
  PID:8828
- C:\Windows\System32\jxyTwRV.exe
  C:\Windows\System32\jxyTwRV.exe
  2⤵
  PID:8896
- C:\Windows\System32\yCTZAIq.exe
  C:\Windows\System32\yCTZAIq.exe
  2⤵
  PID:8924
- C:\Windows\System32\yfHRKpF.exe
  C:\Windows\System32\yfHRKpF.exe
  2⤵
  PID:8964
- C:\Windows\System32\MRpbxaS.exe
  C:\Windows\System32\MRpbxaS.exe
  2⤵
  PID:9096
- C:\Windows\System32\FdPgJyI.exe
  C:\Windows\System32\FdPgJyI.exe
  2⤵
  PID:9140
- C:\Windows\System32\fklxkYN.exe
  C:\Windows\System32\fklxkYN.exe
  2⤵
  PID:9180
- C:\Windows\System32\MkzSdAb.exe
  C:\Windows\System32\MkzSdAb.exe
  2⤵
  PID:8336
- C:\Windows\System32\qPjenCX.exe
  C:\Windows\System32\qPjenCX.exe
  2⤵
  PID:8504
- C:\Windows\System32\jaCcOuS.exe
  C:\Windows\System32\jaCcOuS.exe
  2⤵
  PID:8600
- C:\Windows\System32\VeFdQaG.exe
  C:\Windows\System32\VeFdQaG.exe
  2⤵
  PID:8668
- C:\Windows\System32\lbxFvWo.exe
  C:\Windows\System32\lbxFvWo.exe
  2⤵
  PID:8744
- C:\Windows\System32\RRszGSO.exe
  C:\Windows\System32\RRszGSO.exe
  2⤵
  PID:8948
- C:\Windows\System32\bQIuJQr.exe
  C:\Windows\System32\bQIuJQr.exe
  2⤵
  PID:4996
- C:\Windows\System32\WKtNWXw.exe
  C:\Windows\System32\WKtNWXw.exe
  2⤵
  PID:8716
- C:\Windows\System32\BvCAhbM.exe
  C:\Windows\System32\BvCAhbM.exe
  2⤵
  PID:8884
- C:\Windows\System32\HFWUGBB.exe
  C:\Windows\System32\HFWUGBB.exe
  2⤵
  PID:8540
- C:\Windows\System32\PYDiOKc.exe
  C:\Windows\System32\PYDiOKc.exe
  2⤵
  PID:8456
- C:\Windows\System32\ijLCcWy.exe
  C:\Windows\System32\ijLCcWy.exe
  2⤵
  PID:9240
- C:\Windows\System32\CyLxNQH.exe
  C:\Windows\System32\CyLxNQH.exe
  2⤵
  PID:9260
- C:\Windows\System32\qsqhwMA.exe
  C:\Windows\System32\qsqhwMA.exe
  2⤵
  PID:9296
- C:\Windows\System32\QLJxanY.exe
  C:\Windows\System32\QLJxanY.exe
  2⤵
  PID:9344
- C:\Windows\System32\JJznTRa.exe
  C:\Windows\System32\JJznTRa.exe
  2⤵
  PID:9372
- C:\Windows\System32\zOuxqOG.exe
  C:\Windows\System32\zOuxqOG.exe
  2⤵
  PID:9392
- C:\Windows\System32\welyTPA.exe
  C:\Windows\System32\welyTPA.exe
  2⤵
  PID:9412
- C:\Windows\System32\buwjfCE.exe
  C:\Windows\System32\buwjfCE.exe
  2⤵
  PID:9456
- C:\Windows\System32\LOaHNQL.exe
  C:\Windows\System32\LOaHNQL.exe
  2⤵
  PID:9476
- C:\Windows\System32\CyuCYJO.exe
  C:\Windows\System32\CyuCYJO.exe
  2⤵
  PID:9496
- C:\Windows\System32\KskadBQ.exe
  C:\Windows\System32\KskadBQ.exe
  2⤵
  PID:9516
- C:\Windows\System32\VQvThWz.exe
  C:\Windows\System32\VQvThWz.exe
  2⤵
  PID:9536
- C:\Windows\System32\sYWxAHu.exe
  C:\Windows\System32\sYWxAHu.exe
  2⤵
  PID:9564
- C:\Windows\System32\JXgTHaw.exe
  C:\Windows\System32\JXgTHaw.exe
  2⤵
  PID:9584
- C:\Windows\System32\fQMHTrW.exe
  C:\Windows\System32\fQMHTrW.exe
  2⤵
  PID:9608
- C:\Windows\System32\yGMankR.exe
  C:\Windows\System32\yGMankR.exe
  2⤵
  PID:9640
- C:\Windows\System32\tLjmSjt.exe
  C:\Windows\System32\tLjmSjt.exe
  2⤵
  PID:9684
- C:\Windows\System32\DNYTHhg.exe
  C:\Windows\System32\DNYTHhg.exe
  2⤵
  PID:9724
- C:\Windows\System32\cUWssLc.exe
  C:\Windows\System32\cUWssLc.exe
  2⤵
  PID:9752
- C:\Windows\System32\bcPrOCj.exe
  C:\Windows\System32\bcPrOCj.exe
  2⤵
  PID:9788
- C:\Windows\System32\rLyUSZm.exe
  C:\Windows\System32\rLyUSZm.exe
  2⤵
  PID:9820
- C:\Windows\System32\YxceLPj.exe
  C:\Windows\System32\YxceLPj.exe
  2⤵
  PID:9836
- C:\Windows\System32\sfHnCNz.exe
  C:\Windows\System32\sfHnCNz.exe
  2⤵
  PID:9856
- C:\Windows\System32\qCdSLzW.exe
  C:\Windows\System32\qCdSLzW.exe
  2⤵
  PID:9896
- C:\Windows\System32\TBEffti.exe
  C:\Windows\System32\TBEffti.exe
  2⤵
  PID:9916
- C:\Windows\System32\OaiKOCO.exe
  C:\Windows\System32\OaiKOCO.exe
  2⤵
  PID:9940
- C:\Windows\System32\ERbUHyA.exe
  C:\Windows\System32\ERbUHyA.exe
  2⤵
  PID:9980
- C:\Windows\System32\kFQZuYR.exe
  C:\Windows\System32\kFQZuYR.exe
  2⤵
  PID:10000
- C:\Windows\System32\ykbnrHW.exe
  C:\Windows\System32\ykbnrHW.exe
  2⤵
  PID:10024
- C:\Windows\System32\NxlnMEj.exe
  C:\Windows\System32\NxlnMEj.exe
  2⤵
  PID:10044
- C:\Windows\System32\jDBuwuM.exe
  C:\Windows\System32\jDBuwuM.exe
  2⤵
  PID:10100
- C:\Windows\System32\psIMxHK.exe
  C:\Windows\System32\psIMxHK.exe
  2⤵
  PID:10128
- C:\Windows\System32\pNZtoGV.exe
  C:\Windows\System32\pNZtoGV.exe
  2⤵
  PID:10152
- C:\Windows\System32\dGPVorw.exe
  C:\Windows\System32\dGPVorw.exe
  2⤵
  PID:10168
- C:\Windows\System32\SNZlbAL.exe
  C:\Windows\System32\SNZlbAL.exe
  2⤵
  PID:10192
- C:\Windows\System32\pMbJRGV.exe
  C:\Windows\System32\pMbJRGV.exe
  2⤵
  PID:8656
- C:\Windows\System32\wsTcdKp.exe
  C:\Windows\System32\wsTcdKp.exe
  2⤵
  PID:9232
- C:\Windows\System32\SrEDsJe.exe
  C:\Windows\System32\SrEDsJe.exe
  2⤵
  PID:9384
- C:\Windows\System32\cwIxCMy.exe
  C:\Windows\System32\cwIxCMy.exe
  2⤵
  PID:9420
- C:\Windows\System32\QqlRgja.exe
  C:\Windows\System32\QqlRgja.exe
  2⤵
  PID:9444
- C:\Windows\System32\NOvlsRg.exe
  C:\Windows\System32\NOvlsRg.exe
  2⤵
  PID:9488
- C:\Windows\System32\DrTtBYE.exe
  C:\Windows\System32\DrTtBYE.exe
  2⤵
  PID:9504
- C:\Windows\System32\zuAvpsC.exe
  C:\Windows\System32\zuAvpsC.exe
  2⤵
  PID:9628
- C:\Windows\System32\DrrfZpE.exe
  C:\Windows\System32\DrrfZpE.exe
  2⤵
  PID:9708
- C:\Windows\System32\osFIrlo.exe
  C:\Windows\System32\osFIrlo.exe
  2⤵
  PID:9772
- C:\Windows\System32\knUZeas.exe
  C:\Windows\System32\knUZeas.exe
  2⤵
  PID:9852
- C:\Windows\System32\aTpZkZC.exe
  C:\Windows\System32\aTpZkZC.exe
  2⤵
  PID:9912
- C:\Windows\System32\qIcNCLc.exe
  C:\Windows\System32\qIcNCLc.exe
  2⤵
  PID:9968
- C:\Windows\System32\rFqHqvZ.exe
  C:\Windows\System32\rFqHqvZ.exe
  2⤵
  PID:10040
- C:\Windows\System32\NQPdXnP.exe
  C:\Windows\System32\NQPdXnP.exe
  2⤵
  PID:10184
- C:\Windows\System32\MFHdEfZ.exe
  C:\Windows\System32\MFHdEfZ.exe
  2⤵
  PID:10228
- C:\Windows\System32\ATCMKTU.exe
  C:\Windows\System32\ATCMKTU.exe
  2⤵
  PID:9224
- C:\Windows\System32\gMwTPAK.exe
  C:\Windows\System32\gMwTPAK.exe
  2⤵
  PID:9368
- C:\Windows\System32\fboqeuU.exe
  C:\Windows\System32\fboqeuU.exe
  2⤵
  PID:9428
- C:\Windows\System32\SRRhNxP.exe
  C:\Windows\System32\SRRhNxP.exe
  2⤵
  PID:9576
- C:\Windows\System32\YSzAjxZ.exe
  C:\Windows\System32\YSzAjxZ.exe
  2⤵
  PID:9580
- C:\Windows\System32\kjigxIS.exe
  C:\Windows\System32\kjigxIS.exe
  2⤵
  PID:9844
- C:\Windows\System32\BmFkdKw.exe
  C:\Windows\System32\BmFkdKw.exe
  2⤵
  PID:9964
- C:\Windows\System32\Xmrzcxm.exe
  C:\Windows\System32\Xmrzcxm.exe
  2⤵
  PID:9996
- C:\Windows\System32\TGXFoRZ.exe
  C:\Windows\System32\TGXFoRZ.exe
  2⤵
  PID:10068
- C:\Windows\System32\yFODCWn.exe
  C:\Windows\System32\yFODCWn.exe
  2⤵
  PID:9284
- C:\Windows\System32\MkUSUAt.exe
  C:\Windows\System32\MkUSUAt.exe
  2⤵
  PID:9312
- C:\Windows\System32\uUKNFyf.exe
  C:\Windows\System32\uUKNFyf.exe
  2⤵
  PID:9992
- C:\Windows\System32\PXFbaQe.exe
  C:\Windows\System32\PXFbaQe.exe
  2⤵
  PID:10256
- C:\Windows\System32\VOQGvVY.exe
  C:\Windows\System32\VOQGvVY.exe
  2⤵
  PID:10276
- C:\Windows\System32\vlyCykC.exe
  C:\Windows\System32\vlyCykC.exe
  2⤵
  PID:10300
- C:\Windows\System32\MekUKTi.exe
  C:\Windows\System32\MekUKTi.exe
  2⤵
  PID:10316
- C:\Windows\System32\RRuAcZe.exe
  C:\Windows\System32\RRuAcZe.exe
  2⤵
  PID:10376
- C:\Windows\System32\yZuMhRB.exe
  C:\Windows\System32\yZuMhRB.exe
  2⤵
  PID:10412
- C:\Windows\System32\FCyepfR.exe
  C:\Windows\System32\FCyepfR.exe
  2⤵
  PID:10436
- C:\Windows\System32\ONmvaBd.exe
  C:\Windows\System32\ONmvaBd.exe
  2⤵
  PID:10468
- C:\Windows\System32\DEwBJTw.exe
  C:\Windows\System32\DEwBJTw.exe
  2⤵
  PID:10504
- C:\Windows\System32\KtrQVYu.exe
  C:\Windows\System32\KtrQVYu.exe
  2⤵
  PID:10524
- C:\Windows\System32\JksLMIg.exe
  C:\Windows\System32\JksLMIg.exe
  2⤵
  PID:10540
- C:\Windows\System32\WRCgzUN.exe
  C:\Windows\System32\WRCgzUN.exe
  2⤵
  PID:10564
- C:\Windows\System32\OFMRdjl.exe
  C:\Windows\System32\OFMRdjl.exe
  2⤵
  PID:10596
- C:\Windows\System32\fiShihz.exe
  C:\Windows\System32\fiShihz.exe
  2⤵
  PID:10620
- C:\Windows\System32\IGauxuZ.exe
  C:\Windows\System32\IGauxuZ.exe
  2⤵
  PID:10652
- C:\Windows\System32\ySDTDHp.exe
  C:\Windows\System32\ySDTDHp.exe
  2⤵
  PID:10684
- C:\Windows\System32\gUQtsUI.exe
  C:\Windows\System32\gUQtsUI.exe
  2⤵
  PID:10712
- C:\Windows\System32\LrvfDoO.exe
  C:\Windows\System32\LrvfDoO.exe
  2⤵
  PID:10752
- C:\Windows\System32\xscPKmy.exe
  C:\Windows\System32\xscPKmy.exe
  2⤵
  PID:10776
- C:\Windows\System32\cTbWPAz.exe
  C:\Windows\System32\cTbWPAz.exe
  2⤵
  PID:10816
- C:\Windows\System32\YMAxrvA.exe
  C:\Windows\System32\YMAxrvA.exe
  2⤵
  PID:10840
- C:\Windows\System32\KqTlEcy.exe
  C:\Windows\System32\KqTlEcy.exe
  2⤵
  PID:10856
- C:\Windows\System32\YEKdLHr.exe
  C:\Windows\System32\YEKdLHr.exe
  2⤵
  PID:10876
- C:\Windows\System32\GbQzPbf.exe
  C:\Windows\System32\GbQzPbf.exe
  2⤵
  PID:10896
- C:\Windows\System32\TuOtwuW.exe
  C:\Windows\System32\TuOtwuW.exe
  2⤵
  PID:10936
- C:\Windows\System32\xUVsgym.exe
  C:\Windows\System32\xUVsgym.exe
  2⤵
  PID:10960
- C:\Windows\System32\SUqsdzU.exe
  C:\Windows\System32\SUqsdzU.exe
  2⤵
  PID:11000
- C:\Windows\System32\XTofUHX.exe
  C:\Windows\System32\XTofUHX.exe
  2⤵
  PID:11040
- C:\Windows\System32\xfKsrrd.exe
  C:\Windows\System32\xfKsrrd.exe
  2⤵
  PID:11064
- C:\Windows\System32\nfxndWi.exe
  C:\Windows\System32\nfxndWi.exe
  2⤵
  PID:11084
- C:\Windows\System32\LpqKnNx.exe
  C:\Windows\System32\LpqKnNx.exe
  2⤵
  PID:11100
- C:\Windows\System32\vKCOsMu.exe
  C:\Windows\System32\vKCOsMu.exe
  2⤵
  PID:11116
- C:\Windows\System32\fVgFNoE.exe
  C:\Windows\System32\fVgFNoE.exe
  2⤵
  PID:11136
- C:\Windows\System32\JFvdcPa.exe
  C:\Windows\System32\JFvdcPa.exe
  2⤵
  PID:11176
- C:\Windows\System32\QnFSwif.exe
  C:\Windows\System32\QnFSwif.exe
  2⤵
  PID:11216
- C:\Windows\System32\GiOyJbd.exe
  C:\Windows\System32\GiOyJbd.exe
  2⤵
  PID:11256
- C:\Windows\System32\amXeyQv.exe
  C:\Windows\System32\amXeyQv.exe
  2⤵
  PID:10252
- C:\Windows\System32\reQZasA.exe
  C:\Windows\System32\reQZasA.exe
  2⤵
  PID:10312
- C:\Windows\System32\dDiiBXI.exe
  C:\Windows\System32\dDiiBXI.exe
  2⤵
  PID:10348
- C:\Windows\System32\gBjurlC.exe
  C:\Windows\System32\gBjurlC.exe
  2⤵
  PID:10432
- C:\Windows\System32\EpyqbCj.exe
  C:\Windows\System32\EpyqbCj.exe
  2⤵
  PID:10496
- C:\Windows\System32\PhIUIVb.exe
  C:\Windows\System32\PhIUIVb.exe
  2⤵
  PID:10556
- C:\Windows\System32\qRyRxJX.exe
  C:\Windows\System32\qRyRxJX.exe
  2⤵
  PID:10616
- C:\Windows\System32\wMLQSsh.exe
  C:\Windows\System32\wMLQSsh.exe
  2⤵
  PID:10692
- C:\Windows\System32\CJSETgV.exe
  C:\Windows\System32\CJSETgV.exe
  2⤵
  PID:10748
- C:\Windows\System32\AWuHqMa.exe
  C:\Windows\System32\AWuHqMa.exe
  2⤵
  PID:10804
- C:\Windows\System32\jtimcep.exe
  C:\Windows\System32\jtimcep.exe
  2⤵
  PID:10824
- C:\Windows\System32\ZwdLdKW.exe
  C:\Windows\System32\ZwdLdKW.exe
  2⤵
  PID:10952
- C:\Windows\System32\ecaQSyb.exe
  C:\Windows\System32\ecaQSyb.exe
  2⤵
  PID:11036
- C:\Windows\System32\aCkHkRs.exe
  C:\Windows\System32\aCkHkRs.exe
  2⤵
  PID:11076
- C:\Windows\System32\RZluByB.exe
  C:\Windows\System32\RZluByB.exe
  2⤵
  PID:11092
- C:\Windows\System32\PePRMmY.exe
  C:\Windows\System32\PePRMmY.exe
  2⤵
  PID:11172
- C:\Windows\System32\dbDqKUm.exe
  C:\Windows\System32\dbDqKUm.exe
  2⤵
  PID:11252
- C:\Windows\System32\IwQdJty.exe
  C:\Windows\System32\IwQdJty.exe
  2⤵
  PID:10340
- C:\Windows\System32\TvUwgUD.exe
  C:\Windows\System32\TvUwgUD.exe
  2⤵
  PID:10488
- C:\Windows\System32\qGkhprS.exe
  C:\Windows\System32\qGkhprS.exe
  2⤵
  PID:10584
- C:\Windows\System32\BtRxJgu.exe
  C:\Windows\System32\BtRxJgu.exe
  2⤵
  PID:10796
- C:\Windows\System32\pNOSLEn.exe
  C:\Windows\System32\pNOSLEn.exe
  2⤵
  PID:10968
- C:\Windows\System32\RZqwtrU.exe
  C:\Windows\System32\RZqwtrU.exe
  2⤵
  PID:11096
- C:\Windows\System32\EZOgWLX.exe
  C:\Windows\System32\EZOgWLX.exe
  2⤵
  PID:9924
- C:\Windows\System32\hFmaLCf.exe
  C:\Windows\System32\hFmaLCf.exe
  2⤵
  PID:10292
- C:\Windows\System32\PNQWVLF.exe
  C:\Windows\System32\PNQWVLF.exe
  2⤵
  PID:10532
- C:\Windows\System32\aDNGrNr.exe
  C:\Windows\System32\aDNGrNr.exe
  2⤵
  PID:10144
- C:\Windows\System32\KyPsCsD.exe
  C:\Windows\System32\KyPsCsD.exe
  2⤵
  PID:11148
- C:\Windows\System32\aCDpAff.exe
  C:\Windows\System32\aCDpAff.exe
  2⤵
  PID:11292
- C:\Windows\System32\NurtZvI.exe
  C:\Windows\System32\NurtZvI.exe
  2⤵
  PID:11320
- C:\Windows\System32\cgCMMft.exe
  C:\Windows\System32\cgCMMft.exe
  2⤵
  PID:11340
- C:\Windows\System32\fpymgih.exe
  C:\Windows\System32\fpymgih.exe
  2⤵
  PID:11356
- C:\Windows\System32\cmOTVmV.exe
  C:\Windows\System32\cmOTVmV.exe
  2⤵
  PID:11388
- C:\Windows\System32\SxmJVzw.exe
  C:\Windows\System32\SxmJVzw.exe
  2⤵
  PID:11424
- C:\Windows\System32\VfONhPe.exe
  C:\Windows\System32\VfONhPe.exe
  2⤵
  PID:11452
- C:\Windows\System32\QdXIeZd.exe
  C:\Windows\System32\QdXIeZd.exe
  2⤵
  PID:11480
- C:\Windows\System32\fraQVaL.exe
  C:\Windows\System32\fraQVaL.exe
  2⤵
  PID:11508
- C:\Windows\System32\AakUOYO.exe
  C:\Windows\System32\AakUOYO.exe
  2⤵
  PID:11528
- C:\Windows\System32\gaVpGdu.exe
  C:\Windows\System32\gaVpGdu.exe
  2⤵
  PID:11576
- C:\Windows\System32\ELucSym.exe
  C:\Windows\System32\ELucSym.exe
  2⤵
  PID:11608
- C:\Windows\System32\GANdkfo.exe
  C:\Windows\System32\GANdkfo.exe
  2⤵
  PID:11632
- C:\Windows\System32\vwcuGZK.exe
  C:\Windows\System32\vwcuGZK.exe
  2⤵
  PID:11656
- C:\Windows\System32\uDwITyO.exe
  C:\Windows\System32\uDwITyO.exe
  2⤵
  PID:11672
- C:\Windows\System32\InjjOZT.exe
  C:\Windows\System32\InjjOZT.exe
  2⤵
  PID:11716
- C:\Windows\System32\BddIbqS.exe
  C:\Windows\System32\BddIbqS.exe
  2⤵
  PID:11740
- C:\Windows\System32\zNTvHAU.exe
  C:\Windows\System32\zNTvHAU.exe
  2⤵
  PID:11756
- C:\Windows\System32\aaUYXIb.exe
  C:\Windows\System32\aaUYXIb.exe
  2⤵
  PID:11776
- C:\Windows\System32\OKDQmLI.exe
  C:\Windows\System32\OKDQmLI.exe
  2⤵
  PID:11792
- C:\Windows\System32\wbNFTQv.exe
  C:\Windows\System32\wbNFTQv.exe
  2⤵
  PID:11832
- C:\Windows\System32\MPeERcG.exe
  C:\Windows\System32\MPeERcG.exe
  2⤵
  PID:11852
- C:\Windows\System32\SZUDmTI.exe
  C:\Windows\System32\SZUDmTI.exe
  2⤵
  PID:11876
- C:\Windows\System32\keynSUK.exe
  C:\Windows\System32\keynSUK.exe
  2⤵
  PID:11892
- C:\Windows\System32\chJocTB.exe
  C:\Windows\System32\chJocTB.exe
  2⤵
  PID:11928
- C:\Windows\System32\FqcDuDc.exe
  C:\Windows\System32\FqcDuDc.exe
  2⤵
  PID:12000
- C:\Windows\System32\inUKKaN.exe
  C:\Windows\System32\inUKKaN.exe
  2⤵
  PID:12020
- C:\Windows\System32\NWEMMiz.exe
  C:\Windows\System32\NWEMMiz.exe
  2⤵
  PID:12044
- C:\Windows\System32\EzOBIZf.exe
  C:\Windows\System32\EzOBIZf.exe
  2⤵
  PID:12080
- C:\Windows\System32\wiswdQK.exe
  C:\Windows\System32\wiswdQK.exe
  2⤵
  PID:12112
- C:\Windows\System32\vqTkaiE.exe
  C:\Windows\System32\vqTkaiE.exe
  2⤵
  PID:12140
- C:\Windows\System32\rczGGHQ.exe
  C:\Windows\System32\rczGGHQ.exe
  2⤵
  PID:12160
- C:\Windows\System32\paKAWaV.exe
  C:\Windows\System32\paKAWaV.exe
  2⤵
  PID:12184
- C:\Windows\System32\WNkbhbd.exe
  C:\Windows\System32\WNkbhbd.exe
  2⤵
  PID:12212
- C:\Windows\System32\DnrIurB.exe
  C:\Windows\System32\DnrIurB.exe
  2⤵
  PID:12248
- C:\Windows\System32\ZcrpXld.exe
  C:\Windows\System32\ZcrpXld.exe
  2⤵
  PID:12272
- C:\Windows\System32\wlzGklz.exe
  C:\Windows\System32\wlzGklz.exe
  2⤵
  PID:10768
- C:\Windows\System32\JjnHxFL.exe
  C:\Windows\System32\JjnHxFL.exe
  2⤵
  PID:11316
- C:\Windows\System32\KqXRrNL.exe
  C:\Windows\System32\KqXRrNL.exe
  2⤵
  PID:11368
- C:\Windows\System32\IzXnXIi.exe
  C:\Windows\System32\IzXnXIi.exe
  2⤵
  PID:11400
- C:\Windows\System32\YrczHBI.exe
  C:\Windows\System32\YrczHBI.exe
  2⤵
  PID:11516
- C:\Windows\System32\IowFhls.exe
  C:\Windows\System32\IowFhls.exe
  2⤵
  PID:11600
- C:\Windows\System32\RmrdAWq.exe
  C:\Windows\System32\RmrdAWq.exe
  2⤵
  PID:11644
- C:\Windows\System32\TLBEGkx.exe
  C:\Windows\System32\TLBEGkx.exe
  2⤵
  PID:11668
- C:\Windows\System32\fQVwkaH.exe
  C:\Windows\System32\fQVwkaH.exe
  2⤵
  PID:11732
- C:\Windows\System32\goEGAJD.exe
  C:\Windows\System32\goEGAJD.exe
  2⤵
  PID:11804
- C:\Windows\System32\EdXBrCj.exe
  C:\Windows\System32\EdXBrCj.exe
  2⤵
  PID:11920
- C:\Windows\System32\EhSSpQW.exe
  C:\Windows\System32\EhSSpQW.exe
  2⤵
  PID:11968
- C:\Windows\System32\SfOYDzx.exe
  C:\Windows\System32\SfOYDzx.exe
  2⤵
  PID:12016
- C:\Windows\System32\PoIKfsx.exe
  C:\Windows\System32\PoIKfsx.exe
  2⤵
  PID:12052
- C:\Windows\System32\IdYDZcB.exe
  C:\Windows\System32\IdYDZcB.exe
  2⤵
  PID:12148
- C:\Windows\System32\owPonit.exe
  C:\Windows\System32\owPonit.exe
  2⤵
  PID:12240
- C:\Windows\System32\gInovNd.exe
  C:\Windows\System32\gInovNd.exe
  2⤵
  PID:11300
- C:\Windows\System32\lzpzoUW.exe
  C:\Windows\System32\lzpzoUW.exe
  2⤵
  PID:10728
- C:\Windows\System32\eRjVRKW.exe
  C:\Windows\System32\eRjVRKW.exe
  2⤵
  PID:11564
- C:\Windows\System32\SXRhjet.exe
  C:\Windows\System32\SXRhjet.exe
  2⤵
  PID:11800
- C:\Windows\System32\aEIOhuW.exe
  C:\Windows\System32\aEIOhuW.exe
  2⤵
  PID:11912
- C:\Windows\System32\YplbxxB.exe
  C:\Windows\System32\YplbxxB.exe
  2⤵
  PID:12008
- C:\Windows\System32\hTARYmj.exe
  C:\Windows\System32\hTARYmj.exe
  2⤵
  PID:12180
- C:\Windows\System32\zynYdVJ.exe
  C:\Windows\System32\zynYdVJ.exe
  2⤵
  PID:5024
- C:\Windows\System32\iKMHbOP.exe
  C:\Windows\System32\iKMHbOP.exe
  2⤵
  PID:11336
- C:\Windows\System32\UPXSflq.exe
  C:\Windows\System32\UPXSflq.exe
  2⤵
  PID:11684
- C:\Windows\System32\FrwpvRD.exe
  C:\Windows\System32\FrwpvRD.exe
  2⤵
  PID:12120
- C:\Windows\System32\uzuaWYy.exe
  C:\Windows\System32\uzuaWYy.exe
  2⤵
  PID:12280
- C:\Windows\System32\eBTgtFI.exe
  C:\Windows\System32\eBTgtFI.exe
  2⤵
  PID:11884
- C:\Windows\System32\ojSzHex.exe
  C:\Windows\System32\ojSzHex.exe
  2⤵
  PID:12300
- C:\Windows\System32\hWEzBaW.exe
  C:\Windows\System32\hWEzBaW.exe
  2⤵
  PID:12324
- C:\Windows\System32\wqSOmYV.exe
  C:\Windows\System32\wqSOmYV.exe
  2⤵
  PID:12340
- C:\Windows\System32\ivKIDwJ.exe
  C:\Windows\System32\ivKIDwJ.exe
  2⤵
  PID:12400
- C:\Windows\System32\HRLrfym.exe
  C:\Windows\System32\HRLrfym.exe
  2⤵
  PID:12424
- C:\Windows\System32\MaxuUKz.exe
  C:\Windows\System32\MaxuUKz.exe
  2⤵
  PID:12472
- C:\Windows\System32\WkuVReE.exe
  C:\Windows\System32\WkuVReE.exe
  2⤵
  PID:12496
- C:\Windows\System32\LZoEjjp.exe
  C:\Windows\System32\LZoEjjp.exe
  2⤵
  PID:12516
- C:\Windows\System32\vQcuCnQ.exe
  C:\Windows\System32\vQcuCnQ.exe
  2⤵
  PID:12548
- C:\Windows\System32\LnqkqwC.exe
  C:\Windows\System32\LnqkqwC.exe
  2⤵
  PID:12572
- C:\Windows\System32\tDmXIXp.exe
  C:\Windows\System32\tDmXIXp.exe
  2⤵
  PID:12604
- C:\Windows\System32\wkJUbjp.exe
  C:\Windows\System32\wkJUbjp.exe
  2⤵
  PID:12636
- C:\Windows\System32\PWqYNzB.exe
  C:\Windows\System32\PWqYNzB.exe
  2⤵
  PID:12660
- C:\Windows\System32\ymUNuJZ.exe
  C:\Windows\System32\ymUNuJZ.exe
  2⤵
  PID:12676
- C:\Windows\System32\LPpEyMI.exe
  C:\Windows\System32\LPpEyMI.exe
  2⤵
  PID:12700
- C:\Windows\System32\TCkcEWP.exe
  C:\Windows\System32\TCkcEWP.exe
  2⤵
  PID:12744
- C:\Windows\System32\hEVtYAT.exe
  C:\Windows\System32\hEVtYAT.exe
  2⤵
  PID:12768
- C:\Windows\System32\DByOrlj.exe
  C:\Windows\System32\DByOrlj.exe
  2⤵
  PID:12788
- C:\Windows\System32\GYWYafB.exe
  C:\Windows\System32\GYWYafB.exe
  2⤵
  PID:12812
- C:\Windows\System32\vvVfAga.exe
  C:\Windows\System32\vvVfAga.exe
  2⤵
  PID:12852
- C:\Windows\System32\vdRDUZp.exe
  C:\Windows\System32\vdRDUZp.exe
  2⤵
  PID:12904
- C:\Windows\System32\yEZXGee.exe
  C:\Windows\System32\yEZXGee.exe
  2⤵
  PID:12920
- C:\Windows\System32\CdpsLyD.exe
  C:\Windows\System32\CdpsLyD.exe
  2⤵
  PID:12936
- C:\Windows\System32\RkkPRJD.exe
  C:\Windows\System32\RkkPRJD.exe
  2⤵
  PID:12960
- C:\Windows\System32\MZDRnTG.exe
  C:\Windows\System32\MZDRnTG.exe
  2⤵
  PID:12976
- C:\Windows\System32\mJaBeWF.exe
  C:\Windows\System32\mJaBeWF.exe
  2⤵
  PID:12992
- C:\Windows\System32\pEArFCD.exe
  C:\Windows\System32\pEArFCD.exe
  2⤵
  PID:13012
- C:\Windows\System32\SpCsmzh.exe
  C:\Windows\System32\SpCsmzh.exe
  2⤵
  PID:13060
- C:\Windows\System32\tMEKTHQ.exe
  C:\Windows\System32\tMEKTHQ.exe
  2⤵
  PID:13088
- C:\Windows\System32\SNqAeac.exe
  C:\Windows\System32\SNqAeac.exe
  2⤵
  PID:13128
- C:\Windows\System32\zteryEt.exe
  C:\Windows\System32\zteryEt.exe
  2⤵
  PID:13168
- C:\Windows\System32\XnMnVPx.exe
  C:\Windows\System32\XnMnVPx.exe
  2⤵
  PID:13188
- C:\Windows\System32\WooIFjQ.exe
  C:\Windows\System32\WooIFjQ.exe
  2⤵
  PID:13212

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AoevOwy.exe

Filesize
1.4MB

MD5
1c76dbb4aed017a2344db837de268d0a

SHA1
1e657bf40ab58a1b6e0a20994a788e14f32a27d3

SHA256
36214f38942ac67eb2c6a2f2cd39c238102192bea2f54743f907b5117eaba752

SHA512
c7461ab922ce7dec7b55318fef632354a9bc3ab374b5e2810284c224cccfeea6e2289bb9c1ef244a5c000a6aecf5b2860b7f76abcc491e4baa0a78a8cd64c58d

Download Submit
C:\Windows\System32\AwmIfPm.exe

Filesize
1.5MB

MD5
2b79b60515e7514839217cddbd99f9e1

SHA1
8629a31ab8939d3c509c264881726ed4d6c0572b

SHA256
844c832896f6ea19ce8b882fa3d949bc7b6a26c81c9f5939571326e7e8c6376d

SHA512
072c0321207f096e5afe939e518ec992bdfa80450b125095b3d2251029efd5f5567c16487b2af713044359237f2cd0aeaabc2066c03e4266f8acda57407cec93

Download Submit
C:\Windows\System32\CIqGrsF.exe

Filesize
1.4MB

MD5
f4f4dabad9aa63b51c204dab1a7b62de

SHA1
1f8c5aef0cb856fa749c0109e7ee7b7da9691d35

SHA256
d3a92734d3e17efc2f37c307787dc45b3c01330760307f585acf309f4dfe2c45

SHA512
9b2ab7747f83705c174d3a6c10f4a43cc5662b31867c35973d149370ec856edb337ce89fa38fab297626a4a5e3697129989c144fd2117e7fdd413bbe3493f3ad

Download Submit
C:\Windows\System32\CyOdghs.exe

Filesize
1.4MB

MD5
03fb371e85e4e2e16b7a21c18a01bd51

SHA1
fb1830707b768894669f22df649ca81f31257bac

SHA256
6c9630a40aea9b04adab2c3a25cef642f953ef0c9af749771d316f2eef6f43d2

SHA512
ddb0b2f8337ad16bc2df49467e2dfe551b2db8e091d79811091c5067bb09707cd70b5554d58ceecfa2430a5d041cf285c9480c9a0a93a64f5baa8b3e35cd8a10

Download Submit
C:\Windows\System32\EHCmCaY.exe

Filesize
1.5MB

MD5
ef36739b496b30d446edd0b5e2d6f45b

SHA1
8b637c6931d6748f54450fd4efc7b4e808f8548c

SHA256
f6d0bc8ab8f37e569d37b8ee1f582dffd292a167eeba0b53605e49c43f6fa9a3

SHA512
a0d197c8c6d282fbbfc011672bfda91508af30cac640e6427c6f25397a7f4a38d8bfc6d2c428677ef37c1adca9e70220d3d4f66d226cd9c97b540d7b7304e423

Download Submit
C:\Windows\System32\GApbfLs.exe

Filesize
1.5MB

MD5
86f4ef9038b13bb1c277992edcfd4a29

SHA1
4a1c13790081a4e609cc2f5429183b6349d52b41

SHA256
ba93c8e26e714785d3ebe4c15b9af8a2eaca5be83e2da0352a770a46432136d6

SHA512
ebd0abcd7677ca6a2ef96a77bb007210d86f75e515cba768ebf854968b193e20d06ab9dfe5315e7b5e7351c1df6e3c48167f0fbf004bd7f7cbc3018d33d8a356

Download Submit
C:\Windows\System32\JAMukyj.exe

Filesize
1.4MB

MD5
d0cad5cd20ad98caad1915ca81948685

SHA1
9a094fdd548c68e9dd2fb6c7573de0b764467fb4

SHA256
0a933c669ac4267f79c6c211a2aa4c3db87460c816d3d248993f534663f7ae2c

SHA512
f6d0f05739bc03b6aad1fc1cce2b6a8d9af20fb754d99998e33e2accbce85b44ac9109158fb38ff0f5616703c0693962837f887d4f221f601c30139d36572b2b

Download Submit
C:\Windows\System32\KruzNZw.exe

Filesize
1.4MB

MD5
e5efad03a6004d8ec72c29b875e1da26

SHA1
9bd9627a1bacd3ef3647ec82bba71a9dba2db436

SHA256
a71a2e282af1b6b960c36aad5d618852509a5d342d4a83ee18627203b37584be

SHA512
ad2d8f23c1a395a5019971b93adb1ca296b31544786a24a13d4037eca61a8d6b7d47c52bc086a4b3c293e247396a16b6b1c6e939c9800cc9087fc7a347825eaa

Download Submit
C:\Windows\System32\LWpjsjP.exe

Filesize
1.5MB

MD5
0915d1f3aad9c53580fae60506ba6c38

SHA1
6ecb4fc3fc4001718ac1b90d6e1ca6c1ade50020

SHA256
6eb581226bfa189a205d414ec07f970e971902252105e699beb4535993144d05

SHA512
f96268bf2d0351a99d5962730004cc8f6b477b953168e3317856ba7cc07a8721292dbbe30235cb7d5213829d5e2453d7d597ba163e0ea56212643f8e27a8c7a6

Download Submit
C:\Windows\System32\NgDKZBG.exe

Filesize
1.4MB

MD5
3a127889277f9840d01df7753a9675a5

SHA1
0156dcd18fe5c09db487b5abdee322244a144cf3

SHA256
251dbd1e0d5b4b7f7fc9f3036c8d55823521c793677bf81c7dd29d395c0ef6bb

SHA512
9e325033b5c3f473bc19176decb02ca56abe2191e33e6a704b3d9041317a74cc97d27a4a0e93f609bda05733718d531cc058c909ceed466cb1bac36595f847cc

Download Submit
C:\Windows\System32\PYscSsZ.exe

Filesize
1.5MB

MD5
636e642b3f50e8926c1e3b1815cda65e

SHA1
3d2f0482cc9ba23089fa04e4c64b31d8ec107e9f

SHA256
ac613bf0f11dc80848d0590176a49f73e81ad28002555508858e5432ec304582

SHA512
e2b452fc1251ae32dfec9a369f6365ef1977039f13bb848acd6a8919a050b3268f5d05538dc98f5941ae2d7990f6e995d51dc6d8105beb9f323e34112c2312d9

Download Submit
C:\Windows\System32\QMpAbBB.exe

Filesize
1.4MB

MD5
f198556780c438409a5d87a9356cdf53

SHA1
c87d24d3726544fbf716e8988ecf9c04f6c5beb1

SHA256
8d5c3738d5f5c97f40c8c8d52723d1f7f28425268de34c6d3ba8ce1dfce0ef7e

SHA512
228706a569ce688975e528ece59dc81032b97ae56c540c679dc23e34c74a5b68b6628e191f0973349e490e72c579d7ea2519dc3e0ba700583f918afe56b670cc

Download Submit
C:\Windows\System32\QbTZKYl.exe

Filesize
1.5MB

MD5
5b84ee303eb94bb923177899d8a26cb1

SHA1
feba0716bead793e81f6f286d90e2213b33a41ec

SHA256
c2b300a7435995ace9c0ec0d78fe9fa392b301e9d4e7fef0d3e9a0820f658361

SHA512
820fc53a9b258f19b2a1c61d91d0c740a6447fe7ae094c1edf29d1dd274419c7ef28149132c4e77247a96661ece6195e26a8acf9e60da58e12c80d9c006c103c

Download Submit
C:\Windows\System32\RtApjQq.exe

Filesize
1.4MB

MD5
6c9b5a79b9af3ffc45134008ab35ab47

SHA1
820a687210f121e2cf39f44bf8b8185c6d096427

SHA256
c0d6f5feb44850ad13a384777a4afb8bd0ea1d031cf1487c5b710df41db369b6

SHA512
d1205d6e3b9bc7343ef03c7cebda1d77273d3dee4bf6fcbfa9d806018c689c1279f1b0e3a72522cd71cd58bfdcbd359b5ace936be1ac5b2a7275fdca71ebe7ff

Download Submit
C:\Windows\System32\UEhMMAG.exe

Filesize
1.5MB

MD5
68ad538521d2152a9744216f97457d05

SHA1
b4644454e6b2d8137d89cf10b79d67b1ebd7e6ce

SHA256
e2d1dc46eb098092e7f095b89d2d7cc2d237c4c0cd60187672d1733e2c38b7e0

SHA512
649cc895817675083b328f4641dfe1494f1796d53e4db729e90e7eaf26e858617c98002c1bc8cb85c228d159c5233de308f3d247b2d9fb5531e8e17f71676faf

Download Submit
C:\Windows\System32\UUMrvXJ.exe

Filesize
1.4MB

MD5
25e339563b78cb7376917382ee95fbe4

SHA1
600dfe9dfaf591c282adccaa942c5d64bbaa2f47

SHA256
26cb876d93c0b6cb4ed6c6d157267eec8d882df9f826dfc219176f4e3231706d

SHA512
8ebaa67fcc56f71f8d599d7ab8b701bb5a41da987c153815cb003d984f45940e201bd615c38076af3a5098a051c6e087738cf988b38457fd1e21a062bb6ebff1

Download Submit
C:\Windows\System32\UoieZAX.exe

Filesize
1.4MB

MD5
cd26a636475a1011c75939f5269e0007

SHA1
00c79bfd507caa0159ca9702e439970bf79099a4

SHA256
468b1350b6f6e520901507adddad6c9a24ef20d751dc3b1b76d8dcd6592c78e4

SHA512
0fdcdf50c72bd2b4da8a681a9c81f6dbe8787666fab71226b3a452c029f4cb6cda0d9f03ca9def0851ad816f055ba87d642fa8bda2aac1ed45e07d15bf26693c

Download Submit
C:\Windows\System32\VHAuRnM.exe

Filesize
1.5MB

MD5
f84f89d052c50094865d3e3a992fd509

SHA1
69ec72685ecd89122fb49016103ab5c09c4cb7b9

SHA256
0dd1f8847d22735d5e104a785943cccd762d9919682c0dca048045ecdaad4ccb

SHA512
1d294f46a205ed876c7c09826eb964d7e5eb20c9d4549ce47f56f890773955c23cbcd726def00826f3c71cb0ab479a963bc4dca6a1f44ccb0e6b456320c01f53

Download Submit
C:\Windows\System32\WjySqwl.exe

Filesize
1.5MB

MD5
b4857c50a241f4f31cae9a240cf48cfe

SHA1
eba1aa1cff10d5f95ae929178d2aaef0fc224eb2

SHA256
179d851bcb592a92489305b7669195833f12a6e615e0c0d11f9fa563e037c73a

SHA512
a60ef9d5cde598f6d35a1e737e6ec4413d3d4b05d1fb001e38ef0bdec3c72cb44275c2cfe8b63a1441e2ede132085510e31ab8f14ca3ac13b9e47d3af63fff76

Download Submit
C:\Windows\System32\YFZGxxC.exe

Filesize
1.5MB

MD5
8b8efc8eb02af2e858a9bf2066e2b163

SHA1
a3bd9cc44c4f9e3c37a201df6c3e860aa8ff4fe4

SHA256
9ad5af61e0a8d2a62edd2d9c2de536200875ffa06cef706e827fb5b04f4dd8b7

SHA512
22ed0c5e9ad74c78c6028cf660d3e8081dc1a85d15197b0383c5c135702ddeac46d4a5c3eeaa0f9b26d7347816979a91428bf90004ea6948604b4f4730d05620

Download Submit
C:\Windows\System32\bTercGn.exe

Filesize
1.4MB

MD5
f8fbb466399483c1a2fb373550716083

SHA1
0351d6364e6a6176dc606043d5548195a22c77ab

SHA256
e3734aa16942aa2638e2a78aaf988125b6ed422d4b79d8eaacf62f0540d1ea8f

SHA512
7d813b6d66b26f6f0ed93d9d35b0ba4cddce8b4f9c72b09d235eee4a43928f6ccd4277d4be6eae8c47afe25805d657d403b96cf303ae1437848f4b49612814ac

Download Submit
C:\Windows\System32\bcyGvRK.exe

Filesize
1.5MB

MD5
499a2fe22c83cb5d31be37738932eaa7

SHA1
369e47646fe89e7f56eefbf917e494b77cd507e3

SHA256
89227234b55ffc136dac1c4d96fe7ff4561e5b335c34cb52246e0a037e5da585

SHA512
703086b7fcca635ea1a2a0729929cc7e4daec5be8fdd4cd373206af680d7193f3e7b144b90d88b07a95cc8fb5e30069d96c6fe0900826041e6aa5a35f4ed18d4

Download Submit
C:\Windows\System32\dUQaQHY.exe

Filesize
1.4MB

MD5
97a5cff54b24f0dd9f142e6f71b6e833

SHA1
38b5aa3095d02dfc7cf2a30816dc70f78c94be66

SHA256
38842d3e93279f173e4439844aee1118f554a94739927e6d655fbb7b64354598

SHA512
9c04808a62ef59f6417e5e8661a201b7418cef98b948a5b2fb34d2621d34c3239f5eb5f4a2a6355fe13c5886a1dcebe62fb880ae5f2ccbca940e7307cc89768b

Download Submit
C:\Windows\System32\gamAMPZ.exe

Filesize
1.4MB

MD5
d2a0d4b3528ff6e2604e8751373ec4a5

SHA1
7c6a1a9ee4f3080242b856db128e7b72a19be882

SHA256
47c7fe6cd6d714f1c0a50533d124142328de1d42c72ca5d8bb01ede4eeca218d

SHA512
a5d9b0fafe93bf846b5f38d3565e84775b6007d0b75a4fdf20432c00b4633335e01cd7041aa240794d9d1b4565ee2464ff7aecad57df3f72d228bead2a827d2c

Download Submit
C:\Windows\System32\jDAsyjw.exe

Filesize
1.5MB

MD5
76936a1b0d356ee1cc9a87f138481d6e

SHA1
57d4ace92e5436bae7b5eda8f66377a9e7e74d03

SHA256
106f6b04667b3189323b7f038099ec63fe70dd337274812c37a2e9f89a3cac0a

SHA512
3804b8a975c31ccf4da23f5b153de9046f548adb8ccc45c8da6f7c80132d2999806b865526e3d28a6c04a1e5ce25d313992f94070bab4c4defa7c8922c090167

Download Submit
C:\Windows\System32\rcAhJQy.exe

Filesize
1.4MB

MD5
6cf20bad0a539cfea788bdac6da1e3db

SHA1
7093ba245abdff572ebdb0805e995ea14d338f30

SHA256
a98523245b1cf665b3ae068816e9531f7ad106346cfc9729e5dd435cbf0ad128

SHA512
bf9172bd3907fc4c6ab114d9239ce9459d7347edf2c7a8ef53879dea307dbda73f4953caccfac1f8183acfa7d416cef5c16a22dc2d43d52fb124437c5ce64057

Download Submit
C:\Windows\System32\sUyiXpc.exe

Filesize
1.5MB

MD5
ad70ef012c51adb1fac49c3cbecaf2d8

SHA1
4ba88ebe60fab97f3b6259b6272fa7f25303f08e

SHA256
8cc6068eb627f42136bbc36933d4e2de04ca93c68f11d5ee4278f55cb8f86c5d

SHA512
dba6b010a27afc5efed86631645b0fe1f831616e69fdebee070cc67177951387c68b4dd788bef9c3736b8b17ddf2befddefc107d1c2bb865552d16bb09f5d992

Download Submit
C:\Windows\System32\udeiwXQ.exe

Filesize
1.4MB

MD5
1a94ac653e92bf865868913f750776d4

SHA1
fda920e3aa119fae8fd614149a180e2d14540f6d

SHA256
bd9d1839c0334ec38286d224f005c59a72ce8ad2d0c828289fc4485512f3bb84

SHA512
a6afcb18eec0cd36821f0a99fe8d1273cb2fdfb08c0c62bc438143ce6fcd621608294802a18e56adb6631e2f2bb3db29be3b9f6e78effcb722c8a68593340fe4

Download Submit
C:\Windows\System32\vaLbpnH.exe

Filesize
1.4MB

MD5
14b847cadf5355039c4dd6325e3ca08b

SHA1
cb7263fcc0689259f67732b46cbcceb40b19659d

SHA256
fbefa8c5672ed87e637183e5b20a86b8f6729259048a08cb0d7b7f54ee210f55

SHA512
2b2c77e40aada85ef96e35d755046cce73d203c957f3527f71a669f77706ff45805d478da11241087895913a20f3f22cee04a7060d1e5c5f1deb7ab989ea3635

Download Submit
C:\Windows\System32\vxAlARe.exe

Filesize
1.5MB

MD5
e8ad4e8a89f21087b09cc61a823abd1a

SHA1
6a10651bafca36190683c1bdb0a94a008100855b

SHA256
0d0ee43946441e9cdf64fcc1df5c7e0fdd7c2dfa1ff3fbbbb5cf85890fd12f59

SHA512
0c5d54ca4d39f6ca2cdd18ad4bea1cd7780b777566acccd949cc41050351eb21c90aed45ffb4a28b0796c3f27710773d8ee0c1f14a9937397579402174260a1f

Download Submit
C:\Windows\System32\wkRBEKe.exe

Filesize
1.4MB

MD5
d2b9c2a1f8f463522c714bf9e34508ff

SHA1
1a06a00b1321bf4ddafbcbcc7593cf3e9aafb615

SHA256
0862b2a306f58a1a14b9f8af0c46595d56597e6920f37293a1a84ae9fbd00d09

SHA512
60687cd126c029c93e9a6a85de284e5b8ec3127181e3a0fead138881ca71e89da47ff902b602a301a6047ca940e15f85092034ea341261d9233fbc71fdcfbab1

Download Submit
C:\Windows\System32\yXWwgBV.exe

Filesize
1.5MB

MD5
aeec1e969d5cb58e9434b4abb3814e14

SHA1
e430c6faaacc697ece1d67edfc8301e4a89d4ba6

SHA256
e477d52c88f36082dd8ed4e01a221204a1d37dba94dc4cafdfeb8d662d0068c4

SHA512
acddaa683f6282539b576a7a92fcc18b68de71afd00b3868aae11fe509fa233d0b608962706c59ed44cbdf29c23054fb5f781e80a72f3a18ff75849b67c4ee02

Download Submit
C:\Windows\System32\zjEBkCS.exe

Filesize
1.4MB

MD5
3e14ea0aa247b61ba758f6e816b8f32e

SHA1
6f00252a21fc9d500a3425c063081cea977f7ecc

SHA256
ade7af3b221c73d8b9097b82d55f65d3b82baa3bdc526cf67a6a1169ee12ec82

SHA512
9bf3546b3b97947c17d614d772285a4b46c4f2d38544d4ab09b61f16b3d229a215901b4947384d0a6641514360f7d5e560f89db1c5f8d6ffc800085af5edb354

Download Submit
memory/1072-2033-0x00007FF64F790000-0x00007FF64FB81000-memory.dmp

Filesize
3.9MB

Download
memory/1072-15-0x00007FF64F790000-0x00007FF64FB81000-memory.dmp

Filesize
3.9MB

Download
memory/1072-1989-0x00007FF64F790000-0x00007FF64FB81000-memory.dmp

Filesize
3.9MB

Download
memory/1144-2059-0x00007FF6BC690000-0x00007FF6BCA81000-memory.dmp

Filesize
3.9MB

Download
memory/1144-87-0x00007FF6BC690000-0x00007FF6BCA81000-memory.dmp

Filesize
3.9MB

Download
memory/1144-2027-0x00007FF6BC690000-0x00007FF6BCA81000-memory.dmp

Filesize
3.9MB

Download
memory/1468-106-0x00007FF7F3C40000-0x00007FF7F4031000-memory.dmp

Filesize
3.9MB

Download
memory/1468-2049-0x00007FF7F3C40000-0x00007FF7F4031000-memory.dmp

Filesize
3.9MB

Download
memory/2176-2035-0x00007FF6CA340000-0x00007FF6CA731000-memory.dmp

Filesize
3.9MB

Download
memory/2176-50-0x00007FF6CA340000-0x00007FF6CA731000-memory.dmp

Filesize
3.9MB

Download
memory/2532-2091-0x00007FF74DD90000-0x00007FF74E181000-memory.dmp

Filesize
3.9MB

Download
memory/2532-769-0x00007FF74DD90000-0x00007FF74E181000-memory.dmp

Filesize
3.9MB

Download
memory/2616-1992-0x00007FF76D250000-0x00007FF76D641000-memory.dmp

Filesize
3.9MB

Download
memory/2616-39-0x00007FF76D250000-0x00007FF76D641000-memory.dmp

Filesize
3.9MB

Download
memory/2616-2039-0x00007FF76D250000-0x00007FF76D641000-memory.dmp

Filesize
3.9MB

Download
memory/2992-2119-0x00007FF7F7D10000-0x00007FF7F8101000-memory.dmp

Filesize
3.9MB

Download
memory/2992-112-0x00007FF7F7D10000-0x00007FF7F8101000-memory.dmp

Filesize
3.9MB

Download
memory/2992-2031-0x00007FF7F7D10000-0x00007FF7F8101000-memory.dmp

Filesize
3.9MB

Download
memory/3076-60-0x00007FF7DBBB0000-0x00007FF7DBFA1000-memory.dmp

Filesize
3.9MB

Download
memory/3076-2025-0x00007FF7DBBB0000-0x00007FF7DBFA1000-memory.dmp

Filesize
3.9MB

Download
memory/3076-2051-0x00007FF7DBBB0000-0x00007FF7DBFA1000-memory.dmp

Filesize
3.9MB

Download
memory/3284-2055-0x00007FF6BBD10000-0x00007FF6BC101000-memory.dmp

Filesize
3.9MB

Download
memory/3284-103-0x00007FF6BBD10000-0x00007FF6BC101000-memory.dmp

Filesize
3.9MB

Download
memory/3396-107-0x00007FF642D50000-0x00007FF643141000-memory.dmp

Filesize
3.9MB

Download
memory/3396-2057-0x00007FF642D50000-0x00007FF643141000-memory.dmp

Filesize
3.9MB

Download
memory/3408-2037-0x00007FF698270000-0x00007FF698661000-memory.dmp

Filesize
3.9MB

Download
memory/3408-56-0x00007FF698270000-0x00007FF698661000-memory.dmp

Filesize
3.9MB

Download
memory/3456-762-0x00007FF79CC10000-0x00007FF79D001000-memory.dmp

Filesize
3.9MB

Download
memory/3456-2117-0x00007FF79CC10000-0x00007FF79D001000-memory.dmp

Filesize
3.9MB

Download
memory/3512-59-0x00007FF6EBFC0000-0x00007FF6EC3B1000-memory.dmp

Filesize
3.9MB

Download
memory/3512-2043-0x00007FF6EBFC0000-0x00007FF6EC3B1000-memory.dmp

Filesize
3.9MB

Download
memory/3648-2028-0x00007FF73DDF0000-0x00007FF73E1E1000-memory.dmp

Filesize
3.9MB

Download
memory/3648-2063-0x00007FF73DDF0000-0x00007FF73E1E1000-memory.dmp

Filesize
3.9MB

Download
memory/3648-88-0x00007FF73DDF0000-0x00007FF73E1E1000-memory.dmp

Filesize
3.9MB

Download
memory/3800-79-0x00007FF7592A0000-0x00007FF759691000-memory.dmp

Filesize
3.9MB

Download
memory/3800-2053-0x00007FF7592A0000-0x00007FF759691000-memory.dmp

Filesize
3.9MB

Download
memory/3800-2026-0x00007FF7592A0000-0x00007FF759691000-memory.dmp

Filesize
3.9MB

Download
memory/3864-2089-0x00007FF7688A0000-0x00007FF768C91000-memory.dmp

Filesize
3.9MB

Download
memory/3864-776-0x00007FF7688A0000-0x00007FF768C91000-memory.dmp

Filesize
3.9MB

Download
memory/4040-2094-0x00007FF60D210000-0x00007FF60D601000-memory.dmp

Filesize
3.9MB

Download
memory/4040-2030-0x00007FF60D210000-0x00007FF60D601000-memory.dmp

Filesize
3.9MB

Download
memory/4040-109-0x00007FF60D210000-0x00007FF60D601000-memory.dmp

Filesize
3.9MB

Download
memory/4388-1990-0x00007FF7418C0000-0x00007FF741CB1000-memory.dmp

Filesize
3.9MB

Download
memory/4388-28-0x00007FF7418C0000-0x00007FF741CB1000-memory.dmp

Filesize
3.9MB

Download
memory/4388-2045-0x00007FF7418C0000-0x00007FF741CB1000-memory.dmp

Filesize
3.9MB

Download
memory/4472-2136-0x00007FF68D500000-0x00007FF68D8F1000-memory.dmp

Filesize
3.9MB

Download
memory/4472-798-0x00007FF68D500000-0x00007FF68D8F1000-memory.dmp

Filesize
3.9MB

Download
memory/4560-2047-0x00007FF61B010000-0x00007FF61B401000-memory.dmp

Filesize
3.9MB

Download
memory/4560-86-0x00007FF61B010000-0x00007FF61B401000-memory.dmp

Filesize
3.9MB

Download
memory/4620-2061-0x00007FF73A800000-0x00007FF73ABF1000-memory.dmp

Filesize
3.9MB

Download
memory/4620-101-0x00007FF73A800000-0x00007FF73ABF1000-memory.dmp

Filesize
3.9MB

Download
memory/4728-815-0x00007FF64B470000-0x00007FF64B861000-memory.dmp

Filesize
3.9MB

Download
memory/4728-2123-0x00007FF64B470000-0x00007FF64B861000-memory.dmp

Filesize
3.9MB

Download
memory/4856-32-0x00007FF673000000-0x00007FF6733F1000-memory.dmp

Filesize
3.9MB

Download
memory/4856-2041-0x00007FF673000000-0x00007FF6733F1000-memory.dmp

Filesize
3.9MB

Download
memory/4856-1991-0x00007FF673000000-0x00007FF6733F1000-memory.dmp

Filesize
3.9MB

Download
memory/4900-2065-0x00007FF6FF020000-0x00007FF6FF411000-memory.dmp

Filesize
3.9MB

Download
memory/4900-100-0x00007FF6FF020000-0x00007FF6FF411000-memory.dmp

Filesize
3.9MB

Download
memory/4900-2029-0x00007FF6FF020000-0x00007FF6FF411000-memory.dmp

Filesize
3.9MB

Download
memory/5020-1-0x0000021B050B0000-0x0000021B050C0000-memory.dmp

Filesize
64KB

Download
memory/5020-0-0x00007FF7283F0000-0x00007FF7287E1000-memory.dmp

Filesize
3.9MB

Download
memory/5020-1859-0x00007FF7283F0000-0x00007FF7287E1000-memory.dmp

Filesize
3.9MB

Download
memory/5020-1986-0x00007FF7283F0000-0x00007FF7287E1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads