xmrig | 6d04335f8ddf5d94e416aa322d80e8f4e607f65366cfe687e0057216508afaf4

Analysis

max time kernel
116s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
Size

1.1MB
MD5

63dbdf9a2d9a4e2561d26fc1454edcf0
SHA1

5f0429dc664d9621a7f4b43459514c69f2ab5803
SHA256

6d04335f8ddf5d94e416aa322d80e8f4e607f65366cfe687e0057216508afaf4
SHA512

6c46713a990a16195b3e5518b924f7e0baf4ea9fb971018e0004f7e1f9e5dea358163ad1bfe72f3d933c9830c60e7f7dd009706910dd6df9e7a26fdd54009226
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCejIODoselrBS:knw9oUUEEDlGUrMAO

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/732-18-0x00007FF65DEA0000-0x00007FF65E291000-memory.dmp	xmrig
behavioral2/memory/1532-291-0x00007FF6FF930000-0x00007FF6FFD21000-memory.dmp	xmrig
behavioral2/memory/3240-312-0x00007FF70B030000-0x00007FF70B421000-memory.dmp	xmrig
behavioral2/memory/380-326-0x00007FF66DBB0000-0x00007FF66DFA1000-memory.dmp	xmrig
behavioral2/memory/4952-322-0x00007FF754CE0000-0x00007FF7550D1000-memory.dmp	xmrig
behavioral2/memory/4436-300-0x00007FF6CEFB0000-0x00007FF6CF3A1000-memory.dmp	xmrig
behavioral2/memory/4988-334-0x00007FF751FB0000-0x00007FF7523A1000-memory.dmp	xmrig
behavioral2/memory/2288-340-0x00007FF73FE70000-0x00007FF740261000-memory.dmp	xmrig
behavioral2/memory/3512-341-0x00007FF70B1F0000-0x00007FF70B5E1000-memory.dmp	xmrig
behavioral2/memory/1508-347-0x00007FF629CE0000-0x00007FF62A0D1000-memory.dmp	xmrig
behavioral2/memory/4752-354-0x00007FF6F9250000-0x00007FF6F9641000-memory.dmp	xmrig
behavioral2/memory/412-358-0x00007FF696370000-0x00007FF696761000-memory.dmp	xmrig
behavioral2/memory/920-362-0x00007FF675C20000-0x00007FF676011000-memory.dmp	xmrig
behavioral2/memory/1060-366-0x00007FF7D5110000-0x00007FF7D5501000-memory.dmp	xmrig
behavioral2/memory/4240-372-0x00007FF73D3F0000-0x00007FF73D7E1000-memory.dmp	xmrig
behavioral2/memory/4208-379-0x00007FF622E00000-0x00007FF6231F1000-memory.dmp	xmrig
behavioral2/memory/3952-381-0x00007FF7BA8B0000-0x00007FF7BACA1000-memory.dmp	xmrig
behavioral2/memory/1932-378-0x00007FF758550000-0x00007FF758941000-memory.dmp	xmrig
behavioral2/memory/4016-363-0x00007FF76BDB0000-0x00007FF76C1A1000-memory.dmp	xmrig
behavioral2/memory/4740-348-0x00007FF67C600000-0x00007FF67C9F1000-memory.dmp	xmrig
behavioral2/memory/2700-344-0x00007FF655390000-0x00007FF655781000-memory.dmp	xmrig
behavioral2/memory/704-35-0x00007FF673A60000-0x00007FF673E51000-memory.dmp	xmrig
behavioral2/memory/3632-34-0x00007FF6DB320000-0x00007FF6DB711000-memory.dmp	xmrig
behavioral2/memory/3424-1960-0x00007FF6394E0000-0x00007FF6398D1000-memory.dmp	xmrig
behavioral2/memory/732-2017-0x00007FF65DEA0000-0x00007FF65E291000-memory.dmp	xmrig
behavioral2/memory/3632-2019-0x00007FF6DB320000-0x00007FF6DB711000-memory.dmp	xmrig
behavioral2/memory/1532-2021-0x00007FF6FF930000-0x00007FF6FFD21000-memory.dmp	xmrig
behavioral2/memory/4436-2025-0x00007FF6CEFB0000-0x00007FF6CF3A1000-memory.dmp	xmrig
behavioral2/memory/704-2024-0x00007FF673A60000-0x00007FF673E51000-memory.dmp	xmrig
behavioral2/memory/380-2039-0x00007FF66DBB0000-0x00007FF66DFA1000-memory.dmp	xmrig
behavioral2/memory/4988-2035-0x00007FF751FB0000-0x00007FF7523A1000-memory.dmp	xmrig
behavioral2/memory/4740-2027-0x00007FF67C600000-0x00007FF67C9F1000-memory.dmp	xmrig
behavioral2/memory/3240-2029-0x00007FF70B030000-0x00007FF70B421000-memory.dmp	xmrig
behavioral2/memory/4952-2043-0x00007FF754CE0000-0x00007FF7550D1000-memory.dmp	xmrig
behavioral2/memory/3952-2041-0x00007FF7BA8B0000-0x00007FF7BACA1000-memory.dmp	xmrig
behavioral2/memory/4016-2055-0x00007FF76BDB0000-0x00007FF76C1A1000-memory.dmp	xmrig
behavioral2/memory/2288-2053-0x00007FF73FE70000-0x00007FF740261000-memory.dmp	xmrig
behavioral2/memory/4208-2063-0x00007FF622E00000-0x00007FF6231F1000-memory.dmp	xmrig
behavioral2/memory/1932-2061-0x00007FF758550000-0x00007FF758941000-memory.dmp	xmrig
behavioral2/memory/4240-2059-0x00007FF73D3F0000-0x00007FF73D7E1000-memory.dmp	xmrig
behavioral2/memory/1060-2057-0x00007FF7D5110000-0x00007FF7D5501000-memory.dmp	xmrig
behavioral2/memory/412-2051-0x00007FF696370000-0x00007FF696761000-memory.dmp	xmrig
behavioral2/memory/2700-2049-0x00007FF655390000-0x00007FF655781000-memory.dmp	xmrig
behavioral2/memory/1508-2045-0x00007FF629CE0000-0x00007FF62A0D1000-memory.dmp	xmrig
behavioral2/memory/920-2047-0x00007FF675C20000-0x00007FF676011000-memory.dmp	xmrig
behavioral2/memory/3512-2037-0x00007FF70B1F0000-0x00007FF70B5E1000-memory.dmp	xmrig
behavioral2/memory/4752-2033-0x00007FF6F9250000-0x00007FF6F9641000-memory.dmp	xmrig
behavioral2/memory/3424-2031-0x00007FF6394E0000-0x00007FF6398D1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
732	HIsvAlF.exe
1532	RcnRQPa.exe
3632	wvlLobT.exe
4436	pOBcKEN.exe
704	iihClhm.exe
3424	JVmprlQ.exe
3240	AHvTWrF.exe
3952	TJgSaeT.exe
4952	YNCPeGX.exe
380	hAxLWSX.exe
4988	nojVrGq.exe
2288	gvFWXkp.exe
3512	WDdYyjD.exe
2700	BUIYcUh.exe
1508	EmhWpMj.exe
4740	NhOEmJz.exe
4752	rCpVYMY.exe
412	pZtTAVt.exe
920	jKDAGAQ.exe
4016	FvWnaCW.exe
1060	MqrpGSB.exe
4240	saYYonH.exe
1932	gehVsRS.exe
4208	azbbqFy.exe
2420	BYtyLqp.exe
1252	mLCuMQV.exe
4036	YkAcRJi.exe
720	PyHtTTp.exe
2108	QFdWJCe.exe
4536	nnhwndQ.exe
4792	PXiospH.exe
1984	GxMTVeI.exe
5080	XeHSrwS.exe
836	zoqKmza.exe
3356	MVuWpYn.exe
4608	YQqJbww.exe
5032	uvbmPeK.exe
3344	NhHQnUC.exe
760	RDPkTQM.exe
1764	zxvPvyO.exe
1908	lxGHcpt.exe
4124	PJthdky.exe
4784	CtlyfQt.exe
3184	trTZBkx.exe
4076	EenVHTp.exe
2832	swyqihp.exe
1988	IZpQjPu.exe
4748	MaisuSy.exe
4316	vvQbWDR.exe
516	CmXmsPp.exe
3816	UNoShTx.exe
3772	EtvdGzh.exe
2500	BzVfCcd.exe
4992	uzbJEBn.exe
2660	AAQslJM.exe
2816	JIcbvuY.exe
228	yitTYMr.exe
3296	zzSIoyF.exe
2028	FsClyyZ.exe
4260	wfIWclp.exe
4524	UhutzAw.exe
4680	MOQemLy.exe
4756	qJFdtYd.exe
3092	lJEBoss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1732-0-0x00007FF77AA50000-0x00007FF77AE41000-memory.dmp	upx
behavioral2/files/0x0008000000023418-5.dat	upx
behavioral2/files/0x000700000002341d-14.dat	upx
behavioral2/memory/732-18-0x00007FF65DEA0000-0x00007FF65E291000-memory.dmp	upx
behavioral2/files/0x0007000000023421-32.dat	upx
behavioral2/files/0x000700000002341f-29.dat	upx
behavioral2/files/0x000700000002341e-28.dat	upx
behavioral2/files/0x0007000000023420-36.dat	upx
behavioral2/files/0x0007000000023422-46.dat	upx
behavioral2/files/0x0007000000023424-55.dat	upx
behavioral2/files/0x0007000000023425-60.dat	upx
behavioral2/files/0x0007000000023427-68.dat	upx
behavioral2/files/0x0007000000023428-74.dat	upx
behavioral2/files/0x0007000000023429-81.dat	upx
behavioral2/files/0x000700000002342b-88.dat	upx
behavioral2/files/0x000700000002342c-95.dat	upx
behavioral2/files/0x000700000002342d-101.dat	upx
behavioral2/files/0x0007000000023431-118.dat	upx
behavioral2/files/0x0007000000023432-125.dat	upx
behavioral2/files/0x0007000000023434-133.dat	upx
behavioral2/files/0x0007000000023436-143.dat	upx
behavioral2/files/0x0007000000023438-156.dat	upx
behavioral2/files/0x000700000002343a-165.dat	upx
behavioral2/memory/1532-291-0x00007FF6FF930000-0x00007FF6FFD21000-memory.dmp	upx
behavioral2/memory/3240-312-0x00007FF70B030000-0x00007FF70B421000-memory.dmp	upx
behavioral2/memory/380-326-0x00007FF66DBB0000-0x00007FF66DFA1000-memory.dmp	upx
behavioral2/memory/4952-322-0x00007FF754CE0000-0x00007FF7550D1000-memory.dmp	upx
behavioral2/memory/4436-300-0x00007FF6CEFB0000-0x00007FF6CF3A1000-memory.dmp	upx
behavioral2/files/0x0007000000023439-160.dat	upx
behavioral2/files/0x0007000000023437-150.dat	upx
behavioral2/files/0x0007000000023435-140.dat	upx
behavioral2/files/0x0007000000023433-130.dat	upx
behavioral2/files/0x0007000000023430-115.dat	upx
behavioral2/files/0x000700000002342f-111.dat	upx
behavioral2/files/0x000700000002342e-105.dat	upx
behavioral2/files/0x000700000002342a-86.dat	upx
behavioral2/files/0x0007000000023426-65.dat	upx
behavioral2/memory/4988-334-0x00007FF751FB0000-0x00007FF7523A1000-memory.dmp	upx
behavioral2/memory/2288-340-0x00007FF73FE70000-0x00007FF740261000-memory.dmp	upx
behavioral2/memory/3512-341-0x00007FF70B1F0000-0x00007FF70B5E1000-memory.dmp	upx
behavioral2/memory/1508-347-0x00007FF629CE0000-0x00007FF62A0D1000-memory.dmp	upx
behavioral2/memory/4752-354-0x00007FF6F9250000-0x00007FF6F9641000-memory.dmp	upx
behavioral2/memory/412-358-0x00007FF696370000-0x00007FF696761000-memory.dmp	upx
behavioral2/memory/920-362-0x00007FF675C20000-0x00007FF676011000-memory.dmp	upx
behavioral2/memory/1060-366-0x00007FF7D5110000-0x00007FF7D5501000-memory.dmp	upx
behavioral2/memory/4240-372-0x00007FF73D3F0000-0x00007FF73D7E1000-memory.dmp	upx
behavioral2/memory/4208-379-0x00007FF622E00000-0x00007FF6231F1000-memory.dmp	upx
behavioral2/memory/3952-381-0x00007FF7BA8B0000-0x00007FF7BACA1000-memory.dmp	upx
behavioral2/memory/1932-378-0x00007FF758550000-0x00007FF758941000-memory.dmp	upx
behavioral2/memory/4016-363-0x00007FF76BDB0000-0x00007FF76C1A1000-memory.dmp	upx
behavioral2/memory/4740-348-0x00007FF67C600000-0x00007FF67C9F1000-memory.dmp	upx
behavioral2/memory/2700-344-0x00007FF655390000-0x00007FF655781000-memory.dmp	upx
behavioral2/files/0x0007000000023423-50.dat	upx
behavioral2/memory/3424-37-0x00007FF6394E0000-0x00007FF6398D1000-memory.dmp	upx
behavioral2/memory/704-35-0x00007FF673A60000-0x00007FF673E51000-memory.dmp	upx
behavioral2/memory/3632-34-0x00007FF6DB320000-0x00007FF6DB711000-memory.dmp	upx
behavioral2/files/0x000700000002341c-20.dat	upx
behavioral2/memory/3424-1960-0x00007FF6394E0000-0x00007FF6398D1000-memory.dmp	upx
behavioral2/memory/732-2017-0x00007FF65DEA0000-0x00007FF65E291000-memory.dmp	upx
behavioral2/memory/3632-2019-0x00007FF6DB320000-0x00007FF6DB711000-memory.dmp	upx
behavioral2/memory/1532-2021-0x00007FF6FF930000-0x00007FF6FFD21000-memory.dmp	upx
behavioral2/memory/4436-2025-0x00007FF6CEFB0000-0x00007FF6CF3A1000-memory.dmp	upx
behavioral2/memory/704-2024-0x00007FF673A60000-0x00007FF673E51000-memory.dmp	upx
behavioral2/memory/380-2039-0x00007FF66DBB0000-0x00007FF66DFA1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\wvlLobT.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\dSileZl.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\JGExpFR.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\lqLIyQI.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\FORiUEq.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\iOpZFHQ.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\WldcgGn.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\zoqKmza.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\fIywADZ.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\xgQKHJr.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\eqywiTH.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\ArjRtEu.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\BbjIVKv.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\bNqFTQe.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\DLnSoUL.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\UppIzzx.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\epvJKCl.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\vxQVgXV.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\BUIYcUh.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\efgVnsL.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\BBEirBN.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\sfbFrOT.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\EQOeoeI.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\ZIrjEkC.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\TKhAfIy.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\QjZbpwJ.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\zFWFywU.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\eMFRcet.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\eNZGfPx.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\EzBRKXX.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\kyVmjzv.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\eYLJSJl.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\OxTPRgk.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\jwcdchb.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\dMBlaZu.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\uzbJEBn.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\EGFIVPU.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\lLHLkRj.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\rGJSFXk.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\LVdnnjc.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\hpjogHZ.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\RBaGEMV.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\XCowtyR.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\yNyeodH.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\bZflNYF.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\RehzUSS.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\swyqihp.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\mQisTJB.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\AcWKSOG.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\ESNAcLj.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\irONhRz.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\osUpyJM.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\UCaadlQ.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\athLQyp.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\hBYQzRG.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\SXomLkO.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\rofRAyq.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\qdUYVqD.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\fgzJNMP.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\KPuDyya.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\MUOOYmo.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\khcyVZX.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\ZGoCMzS.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
File created	C:\Windows\System32\jCpjAOl.exe	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4152	dwm.exe
Token: SeChangeNotifyPrivilege	4152	dwm.exe
Token: 33	4152	dwm.exe
Token: SeIncBasePriorityPrivilege	4152	dwm.exe
Token: SeShutdownPrivilege	4152	dwm.exe
Token: SeCreatePagefilePrivilege	4152	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 732	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	84
PID 1732 wrote to memory of 732	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	84
PID 1732 wrote to memory of 1532	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	85
PID 1732 wrote to memory of 1532	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	85
PID 1732 wrote to memory of 3632	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	86
PID 1732 wrote to memory of 3632	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	86
PID 1732 wrote to memory of 4436	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	87
PID 1732 wrote to memory of 4436	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	87
PID 1732 wrote to memory of 704	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	88
PID 1732 wrote to memory of 704	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	88
PID 1732 wrote to memory of 3240	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	89
PID 1732 wrote to memory of 3240	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	89
PID 1732 wrote to memory of 3424	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	90
PID 1732 wrote to memory of 3424	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	90
PID 1732 wrote to memory of 3952	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	91
PID 1732 wrote to memory of 3952	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	91
PID 1732 wrote to memory of 4952	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	92
PID 1732 wrote to memory of 4952	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	92
PID 1732 wrote to memory of 380	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	93
PID 1732 wrote to memory of 380	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	93
PID 1732 wrote to memory of 4988	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	94
PID 1732 wrote to memory of 4988	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	94
PID 1732 wrote to memory of 2288	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	95
PID 1732 wrote to memory of 2288	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	95
PID 1732 wrote to memory of 3512	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	96
PID 1732 wrote to memory of 3512	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	96
PID 1732 wrote to memory of 2700	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	97
PID 1732 wrote to memory of 2700	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	97
PID 1732 wrote to memory of 1508	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	98
PID 1732 wrote to memory of 1508	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	98
PID 1732 wrote to memory of 4740	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	99
PID 1732 wrote to memory of 4740	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	99
PID 1732 wrote to memory of 4752	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	100
PID 1732 wrote to memory of 4752	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	100
PID 1732 wrote to memory of 412	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	101
PID 1732 wrote to memory of 412	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	101
PID 1732 wrote to memory of 920	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	102
PID 1732 wrote to memory of 920	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	102
PID 1732 wrote to memory of 4016	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	103
PID 1732 wrote to memory of 4016	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	103
PID 1732 wrote to memory of 1060	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	104
PID 1732 wrote to memory of 1060	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	104
PID 1732 wrote to memory of 4240	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	105
PID 1732 wrote to memory of 4240	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	105
PID 1732 wrote to memory of 1932	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	106
PID 1732 wrote to memory of 1932	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	106
PID 1732 wrote to memory of 4208	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	107
PID 1732 wrote to memory of 4208	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	107
PID 1732 wrote to memory of 2420	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	108
PID 1732 wrote to memory of 2420	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	108
PID 1732 wrote to memory of 1252	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	109
PID 1732 wrote to memory of 1252	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	109
PID 1732 wrote to memory of 4036	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	110
PID 1732 wrote to memory of 4036	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	110
PID 1732 wrote to memory of 720	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	111
PID 1732 wrote to memory of 720	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	111
PID 1732 wrote to memory of 2108	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	112
PID 1732 wrote to memory of 2108	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	112
PID 1732 wrote to memory of 4536	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	113
PID 1732 wrote to memory of 4536	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	113
PID 1732 wrote to memory of 4792	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	114
PID 1732 wrote to memory of 4792	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	114
PID 1732 wrote to memory of 1984	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	115
PID 1732 wrote to memory of 1984	1732	63dbdf9a2d9a4e2561d26fc1454edcf0N.exe	115

C:\Users\Admin\AppData\Local\Temp\63dbdf9a2d9a4e2561d26fc1454edcf0N.exe
"C:\Users\Admin\AppData\Local\Temp\63dbdf9a2d9a4e2561d26fc1454edcf0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\System32\HIsvAlF.exe
  C:\Windows\System32\HIsvAlF.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System32\RcnRQPa.exe
  C:\Windows\System32\RcnRQPa.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System32\wvlLobT.exe
  C:\Windows\System32\wvlLobT.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\pOBcKEN.exe
  C:\Windows\System32\pOBcKEN.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\iihClhm.exe
  C:\Windows\System32\iihClhm.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System32\AHvTWrF.exe
  C:\Windows\System32\AHvTWrF.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System32\JVmprlQ.exe
  C:\Windows\System32\JVmprlQ.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System32\TJgSaeT.exe
  C:\Windows\System32\TJgSaeT.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\YNCPeGX.exe
  C:\Windows\System32\YNCPeGX.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System32\hAxLWSX.exe
  C:\Windows\System32\hAxLWSX.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System32\nojVrGq.exe
  C:\Windows\System32\nojVrGq.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\gvFWXkp.exe
  C:\Windows\System32\gvFWXkp.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\WDdYyjD.exe
  C:\Windows\System32\WDdYyjD.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\BUIYcUh.exe
  C:\Windows\System32\BUIYcUh.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System32\EmhWpMj.exe
  C:\Windows\System32\EmhWpMj.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System32\NhOEmJz.exe
  C:\Windows\System32\NhOEmJz.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System32\rCpVYMY.exe
  C:\Windows\System32\rCpVYMY.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System32\pZtTAVt.exe
  C:\Windows\System32\pZtTAVt.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System32\jKDAGAQ.exe
  C:\Windows\System32\jKDAGAQ.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System32\FvWnaCW.exe
  C:\Windows\System32\FvWnaCW.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System32\MqrpGSB.exe
  C:\Windows\System32\MqrpGSB.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System32\saYYonH.exe
  C:\Windows\System32\saYYonH.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\gehVsRS.exe
  C:\Windows\System32\gehVsRS.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\azbbqFy.exe
  C:\Windows\System32\azbbqFy.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System32\BYtyLqp.exe
  C:\Windows\System32\BYtyLqp.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System32\mLCuMQV.exe
  C:\Windows\System32\mLCuMQV.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System32\YkAcRJi.exe
  C:\Windows\System32\YkAcRJi.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System32\PyHtTTp.exe
  C:\Windows\System32\PyHtTTp.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System32\QFdWJCe.exe
  C:\Windows\System32\QFdWJCe.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\nnhwndQ.exe
  C:\Windows\System32\nnhwndQ.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\PXiospH.exe
  C:\Windows\System32\PXiospH.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\GxMTVeI.exe
  C:\Windows\System32\GxMTVeI.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\XeHSrwS.exe
  C:\Windows\System32\XeHSrwS.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\zoqKmza.exe
  C:\Windows\System32\zoqKmza.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System32\MVuWpYn.exe
  C:\Windows\System32\MVuWpYn.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System32\YQqJbww.exe
  C:\Windows\System32\YQqJbww.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System32\uvbmPeK.exe
  C:\Windows\System32\uvbmPeK.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\NhHQnUC.exe
  C:\Windows\System32\NhHQnUC.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System32\RDPkTQM.exe
  C:\Windows\System32\RDPkTQM.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System32\zxvPvyO.exe
  C:\Windows\System32\zxvPvyO.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System32\lxGHcpt.exe
  C:\Windows\System32\lxGHcpt.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System32\PJthdky.exe
  C:\Windows\System32\PJthdky.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System32\CtlyfQt.exe
  C:\Windows\System32\CtlyfQt.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System32\trTZBkx.exe
  C:\Windows\System32\trTZBkx.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\EenVHTp.exe
  C:\Windows\System32\EenVHTp.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\swyqihp.exe
  C:\Windows\System32\swyqihp.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System32\IZpQjPu.exe
  C:\Windows\System32\IZpQjPu.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System32\MaisuSy.exe
  C:\Windows\System32\MaisuSy.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System32\vvQbWDR.exe
  C:\Windows\System32\vvQbWDR.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\CmXmsPp.exe
  C:\Windows\System32\CmXmsPp.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System32\UNoShTx.exe
  C:\Windows\System32\UNoShTx.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System32\EtvdGzh.exe
  C:\Windows\System32\EtvdGzh.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System32\BzVfCcd.exe
  C:\Windows\System32\BzVfCcd.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System32\uzbJEBn.exe
  C:\Windows\System32\uzbJEBn.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System32\AAQslJM.exe
  C:\Windows\System32\AAQslJM.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System32\JIcbvuY.exe
  C:\Windows\System32\JIcbvuY.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System32\yitTYMr.exe
  C:\Windows\System32\yitTYMr.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\zzSIoyF.exe
  C:\Windows\System32\zzSIoyF.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System32\FsClyyZ.exe
  C:\Windows\System32\FsClyyZ.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System32\wfIWclp.exe
  C:\Windows\System32\wfIWclp.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System32\UhutzAw.exe
  C:\Windows\System32\UhutzAw.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\MOQemLy.exe
  C:\Windows\System32\MOQemLy.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System32\qJFdtYd.exe
  C:\Windows\System32\qJFdtYd.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System32\lJEBoss.exe
  C:\Windows\System32\lJEBoss.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System32\lrBcUwH.exe
  C:\Windows\System32\lrBcUwH.exe
  2⤵
  PID:1692
- C:\Windows\System32\IagXUcn.exe
  C:\Windows\System32\IagXUcn.exe
  2⤵
  PID:4776
- C:\Windows\System32\zlrSBxw.exe
  C:\Windows\System32\zlrSBxw.exe
  2⤵
  PID:3284
- C:\Windows\System32\MBiSdGa.exe
  C:\Windows\System32\MBiSdGa.exe
  2⤵
  PID:5020
- C:\Windows\System32\ExmXmGU.exe
  C:\Windows\System32\ExmXmGU.exe
  2⤵
  PID:4668
- C:\Windows\System32\DdCCOnj.exe
  C:\Windows\System32\DdCCOnj.exe
  2⤵
  PID:864
- C:\Windows\System32\HfiqJcL.exe
  C:\Windows\System32\HfiqJcL.exe
  2⤵
  PID:5072
- C:\Windows\System32\gRSMEsf.exe
  C:\Windows\System32\gRSMEsf.exe
  2⤵
  PID:4412
- C:\Windows\System32\EGFIVPU.exe
  C:\Windows\System32\EGFIVPU.exe
  2⤵
  PID:5024
- C:\Windows\System32\hxGsYvW.exe
  C:\Windows\System32\hxGsYvW.exe
  2⤵
  PID:4344
- C:\Windows\System32\tMJLYMg.exe
  C:\Windows\System32\tMJLYMg.exe
  2⤵
  PID:4840
- C:\Windows\System32\fkOPAQD.exe
  C:\Windows\System32\fkOPAQD.exe
  2⤵
  PID:5108
- C:\Windows\System32\xgZfmPw.exe
  C:\Windows\System32\xgZfmPw.exe
  2⤵
  PID:428
- C:\Windows\System32\RbEyHRi.exe
  C:\Windows\System32\RbEyHRi.exe
  2⤵
  PID:4384
- C:\Windows\System32\nEykVNL.exe
  C:\Windows\System32\nEykVNL.exe
  2⤵
  PID:404
- C:\Windows\System32\iBKvypB.exe
  C:\Windows\System32\iBKvypB.exe
  2⤵
  PID:4544
- C:\Windows\System32\vtKWrlz.exe
  C:\Windows\System32\vtKWrlz.exe
  2⤵
  PID:4944
- C:\Windows\System32\XGHIgiO.exe
  C:\Windows\System32\XGHIgiO.exe
  2⤵
  PID:4920
- C:\Windows\System32\cIzQdYZ.exe
  C:\Windows\System32\cIzQdYZ.exe
  2⤵
  PID:4268
- C:\Windows\System32\EcAkaoV.exe
  C:\Windows\System32\EcAkaoV.exe
  2⤵
  PID:2064
- C:\Windows\System32\InDcWqG.exe
  C:\Windows\System32\InDcWqG.exe
  2⤵
  PID:2324
- C:\Windows\System32\mQisTJB.exe
  C:\Windows\System32\mQisTJB.exe
  2⤵
  PID:1660
- C:\Windows\System32\ypivhMS.exe
  C:\Windows\System32\ypivhMS.exe
  2⤵
  PID:2844
- C:\Windows\System32\TKhAfIy.exe
  C:\Windows\System32\TKhAfIy.exe
  2⤵
  PID:4284
- C:\Windows\System32\omCkCrL.exe
  C:\Windows\System32\omCkCrL.exe
  2⤵
  PID:4900
- C:\Windows\System32\usILzXn.exe
  C:\Windows\System32\usILzXn.exe
  2⤵
  PID:4912
- C:\Windows\System32\SXomLkO.exe
  C:\Windows\System32\SXomLkO.exe
  2⤵
  PID:4452
- C:\Windows\System32\VwVkMao.exe
  C:\Windows\System32\VwVkMao.exe
  2⤵
  PID:2556
- C:\Windows\System32\xENEFHw.exe
  C:\Windows\System32\xENEFHw.exe
  2⤵
  PID:4780
- C:\Windows\System32\KPuDyya.exe
  C:\Windows\System32\KPuDyya.exe
  2⤵
  PID:1380
- C:\Windows\System32\UtvCLIn.exe
  C:\Windows\System32\UtvCLIn.exe
  2⤵
  PID:1320
- C:\Windows\System32\prrYYly.exe
  C:\Windows\System32\prrYYly.exe
  2⤵
  PID:2564
- C:\Windows\System32\YzmmCGQ.exe
  C:\Windows\System32\YzmmCGQ.exe
  2⤵
  PID:4664
- C:\Windows\System32\qiiTPcf.exe
  C:\Windows\System32\qiiTPcf.exe
  2⤵
  PID:5148
- C:\Windows\System32\oefQHel.exe
  C:\Windows\System32\oefQHel.exe
  2⤵
  PID:5180
- C:\Windows\System32\KZQCmRE.exe
  C:\Windows\System32\KZQCmRE.exe
  2⤵
  PID:5212
- C:\Windows\System32\KXgtzIl.exe
  C:\Windows\System32\KXgtzIl.exe
  2⤵
  PID:5244
- C:\Windows\System32\LZkaPTv.exe
  C:\Windows\System32\LZkaPTv.exe
  2⤵
  PID:5264
- C:\Windows\System32\lhrRXtg.exe
  C:\Windows\System32\lhrRXtg.exe
  2⤵
  PID:5300
- C:\Windows\System32\VwjBmMS.exe
  C:\Windows\System32\VwjBmMS.exe
  2⤵
  PID:5320
- C:\Windows\System32\GaRwKUD.exe
  C:\Windows\System32\GaRwKUD.exe
  2⤵
  PID:5352
- C:\Windows\System32\BwXfXzI.exe
  C:\Windows\System32\BwXfXzI.exe
  2⤵
  PID:5380
- C:\Windows\System32\ZrIBXjJ.exe
  C:\Windows\System32\ZrIBXjJ.exe
  2⤵
  PID:5416
- C:\Windows\System32\lLHLkRj.exe
  C:\Windows\System32\lLHLkRj.exe
  2⤵
  PID:5436
- C:\Windows\System32\fKvQYWW.exe
  C:\Windows\System32\fKvQYWW.exe
  2⤵
  PID:5460
- C:\Windows\System32\VjOlkkO.exe
  C:\Windows\System32\VjOlkkO.exe
  2⤵
  PID:5492
- C:\Windows\System32\tpIhLzF.exe
  C:\Windows\System32\tpIhLzF.exe
  2⤵
  PID:5516
- C:\Windows\System32\ArjRtEu.exe
  C:\Windows\System32\ArjRtEu.exe
  2⤵
  PID:5552
- C:\Windows\System32\PEKDEjn.exe
  C:\Windows\System32\PEKDEjn.exe
  2⤵
  PID:5576
- C:\Windows\System32\cKUSsEq.exe
  C:\Windows\System32\cKUSsEq.exe
  2⤵
  PID:5604
- C:\Windows\System32\lKrypQO.exe
  C:\Windows\System32\lKrypQO.exe
  2⤵
  PID:5632
- C:\Windows\System32\LsHAfcD.exe
  C:\Windows\System32\LsHAfcD.exe
  2⤵
  PID:5648
- C:\Windows\System32\vJqEmqY.exe
  C:\Windows\System32\vJqEmqY.exe
  2⤵
  PID:5664
- C:\Windows\System32\DLjDDCZ.exe
  C:\Windows\System32\DLjDDCZ.exe
  2⤵
  PID:5684
- C:\Windows\System32\njpahOZ.exe
  C:\Windows\System32\njpahOZ.exe
  2⤵
  PID:5708
- C:\Windows\System32\eZhoStU.exe
  C:\Windows\System32\eZhoStU.exe
  2⤵
  PID:5748
- C:\Windows\System32\bQtqCOW.exe
  C:\Windows\System32\bQtqCOW.exe
  2⤵
  PID:5808
- C:\Windows\System32\NxJOfrc.exe
  C:\Windows\System32\NxJOfrc.exe
  2⤵
  PID:5828
- C:\Windows\System32\dVeZHIb.exe
  C:\Windows\System32\dVeZHIb.exe
  2⤵
  PID:5856
- C:\Windows\System32\MUOOYmo.exe
  C:\Windows\System32\MUOOYmo.exe
  2⤵
  PID:5876
- C:\Windows\System32\anymgkO.exe
  C:\Windows\System32\anymgkO.exe
  2⤵
  PID:5904
- C:\Windows\System32\lmmeQms.exe
  C:\Windows\System32\lmmeQms.exe
  2⤵
  PID:5924
- C:\Windows\System32\vBsOQOI.exe
  C:\Windows\System32\vBsOQOI.exe
  2⤵
  PID:5948
- C:\Windows\System32\GZAolOk.exe
  C:\Windows\System32\GZAolOk.exe
  2⤵
  PID:5972
- C:\Windows\System32\CGGOjpX.exe
  C:\Windows\System32\CGGOjpX.exe
  2⤵
  PID:6004
- C:\Windows\System32\LLcAScG.exe
  C:\Windows\System32\LLcAScG.exe
  2⤵
  PID:6032
- C:\Windows\System32\fIywADZ.exe
  C:\Windows\System32\fIywADZ.exe
  2⤵
  PID:6060
- C:\Windows\System32\SYWJFFB.exe
  C:\Windows\System32\SYWJFFB.exe
  2⤵
  PID:6080
- C:\Windows\System32\amtkGKx.exe
  C:\Windows\System32\amtkGKx.exe
  2⤵
  PID:6104
- C:\Windows\System32\xgQKHJr.exe
  C:\Windows\System32\xgQKHJr.exe
  2⤵
  PID:3044
- C:\Windows\System32\EVSLHSD.exe
  C:\Windows\System32\EVSLHSD.exe
  2⤵
  PID:2016
- C:\Windows\System32\CXVuQOS.exe
  C:\Windows\System32\CXVuQOS.exe
  2⤵
  PID:5188
- C:\Windows\System32\SPpaWfn.exe
  C:\Windows\System32\SPpaWfn.exe
  2⤵
  PID:5280
- C:\Windows\System32\pxMVBHC.exe
  C:\Windows\System32\pxMVBHC.exe
  2⤵
  PID:5308
- C:\Windows\System32\rapYkVp.exe
  C:\Windows\System32\rapYkVp.exe
  2⤵
  PID:5368
- C:\Windows\System32\AcWKSOG.exe
  C:\Windows\System32\AcWKSOG.exe
  2⤵
  PID:5408
- C:\Windows\System32\AWnSJeF.exe
  C:\Windows\System32\AWnSJeF.exe
  2⤵
  PID:5456
- C:\Windows\System32\oOQZntr.exe
  C:\Windows\System32\oOQZntr.exe
  2⤵
  PID:5508
- C:\Windows\System32\TmafasI.exe
  C:\Windows\System32\TmafasI.exe
  2⤵
  PID:5568
- C:\Windows\System32\MwceEQr.exe
  C:\Windows\System32\MwceEQr.exe
  2⤵
  PID:1340
- C:\Windows\System32\qoLBeIk.exe
  C:\Windows\System32\qoLBeIk.exe
  2⤵
  PID:5160
- C:\Windows\System32\GdfwucP.exe
  C:\Windows\System32\GdfwucP.exe
  2⤵
  PID:5656
- C:\Windows\System32\KsRbWtw.exe
  C:\Windows\System32\KsRbWtw.exe
  2⤵
  PID:5724
- C:\Windows\System32\ORqVfYi.exe
  C:\Windows\System32\ORqVfYi.exe
  2⤵
  PID:5736
- C:\Windows\System32\ZWtXxDn.exe
  C:\Windows\System32\ZWtXxDn.exe
  2⤵
  PID:5824
- C:\Windows\System32\bPpozKa.exe
  C:\Windows\System32\bPpozKa.exe
  2⤵
  PID:5872
- C:\Windows\System32\GxPGIWk.exe
  C:\Windows\System32\GxPGIWk.exe
  2⤵
  PID:5916
- C:\Windows\System32\MqYZcPK.exe
  C:\Windows\System32\MqYZcPK.exe
  2⤵
  PID:5960
- C:\Windows\System32\igCTTWU.exe
  C:\Windows\System32\igCTTWU.exe
  2⤵
  PID:6044
- C:\Windows\System32\iLkPoCc.exe
  C:\Windows\System32\iLkPoCc.exe
  2⤵
  PID:5168
- C:\Windows\System32\wFtOPMF.exe
  C:\Windows\System32\wFtOPMF.exe
  2⤵
  PID:5272
- C:\Windows\System32\ahWkSUt.exe
  C:\Windows\System32\ahWkSUt.exe
  2⤵
  PID:5296
- C:\Windows\System32\cmUREjy.exe
  C:\Windows\System32\cmUREjy.exe
  2⤵
  PID:5388
- C:\Windows\System32\pPvkaOZ.exe
  C:\Windows\System32\pPvkaOZ.exe
  2⤵
  PID:2940
- C:\Windows\System32\zfbKLaB.exe
  C:\Windows\System32\zfbKLaB.exe
  2⤵
  PID:5628
- C:\Windows\System32\trkYxJU.exe
  C:\Windows\System32\trkYxJU.exe
  2⤵
  PID:5704
- C:\Windows\System32\csZKHii.exe
  C:\Windows\System32\csZKHii.exe
  2⤵
  PID:5912
- C:\Windows\System32\OaNQDku.exe
  C:\Windows\System32\OaNQDku.exe
  2⤵
  PID:5940
- C:\Windows\System32\ddReMIZ.exe
  C:\Windows\System32\ddReMIZ.exe
  2⤵
  PID:5156
- C:\Windows\System32\XSeAXTV.exe
  C:\Windows\System32\XSeAXTV.exe
  2⤵
  PID:5340
- C:\Windows\System32\fSwArfI.exe
  C:\Windows\System32\fSwArfI.exe
  2⤵
  PID:5784
- C:\Windows\System32\oqkRgAi.exe
  C:\Windows\System32\oqkRgAi.exe
  2⤵
  PID:5888
- C:\Windows\System32\nTTnosJ.exe
  C:\Windows\System32\nTTnosJ.exe
  2⤵
  PID:6140
- C:\Windows\System32\jphKLus.exe
  C:\Windows\System32\jphKLus.exe
  2⤵
  PID:692
- C:\Windows\System32\izsrkpP.exe
  C:\Windows\System32\izsrkpP.exe
  2⤵
  PID:6148
- C:\Windows\System32\jVqBPRc.exe
  C:\Windows\System32\jVqBPRc.exe
  2⤵
  PID:6172
- C:\Windows\System32\WSQwWXl.exe
  C:\Windows\System32\WSQwWXl.exe
  2⤵
  PID:6204
- C:\Windows\System32\DLnSoUL.exe
  C:\Windows\System32\DLnSoUL.exe
  2⤵
  PID:6220
- C:\Windows\System32\bYnutOf.exe
  C:\Windows\System32\bYnutOf.exe
  2⤵
  PID:6248
- C:\Windows\System32\dSileZl.exe
  C:\Windows\System32\dSileZl.exe
  2⤵
  PID:6284
- C:\Windows\System32\JxKTAJF.exe
  C:\Windows\System32\JxKTAJF.exe
  2⤵
  PID:6352
- C:\Windows\System32\QzpVryp.exe
  C:\Windows\System32\QzpVryp.exe
  2⤵
  PID:6388
- C:\Windows\System32\NilUUBO.exe
  C:\Windows\System32\NilUUBO.exe
  2⤵
  PID:6416
- C:\Windows\System32\rofRAyq.exe
  C:\Windows\System32\rofRAyq.exe
  2⤵
  PID:6432
- C:\Windows\System32\bNYEIJh.exe
  C:\Windows\System32\bNYEIJh.exe
  2⤵
  PID:6452
- C:\Windows\System32\NjjgIbr.exe
  C:\Windows\System32\NjjgIbr.exe
  2⤵
  PID:6492
- C:\Windows\System32\eVxZUhz.exe
  C:\Windows\System32\eVxZUhz.exe
  2⤵
  PID:6508
- C:\Windows\System32\GzvXbtc.exe
  C:\Windows\System32\GzvXbtc.exe
  2⤵
  PID:6532
- C:\Windows\System32\NyFVCkD.exe
  C:\Windows\System32\NyFVCkD.exe
  2⤵
  PID:6556
- C:\Windows\System32\HlbMoZk.exe
  C:\Windows\System32\HlbMoZk.exe
  2⤵
  PID:6612
- C:\Windows\System32\rGJSFXk.exe
  C:\Windows\System32\rGJSFXk.exe
  2⤵
  PID:6636
- C:\Windows\System32\ESNAcLj.exe
  C:\Windows\System32\ESNAcLj.exe
  2⤵
  PID:6656
- C:\Windows\System32\SoEHbRd.exe
  C:\Windows\System32\SoEHbRd.exe
  2⤵
  PID:6676
- C:\Windows\System32\CmniMNa.exe
  C:\Windows\System32\CmniMNa.exe
  2⤵
  PID:6712
- C:\Windows\System32\dYLbcEo.exe
  C:\Windows\System32\dYLbcEo.exe
  2⤵
  PID:6728
- C:\Windows\System32\tWizmmU.exe
  C:\Windows\System32\tWizmmU.exe
  2⤵
  PID:6784
- C:\Windows\System32\BFWMsDp.exe
  C:\Windows\System32\BFWMsDp.exe
  2⤵
  PID:6804
- C:\Windows\System32\EyWhigv.exe
  C:\Windows\System32\EyWhigv.exe
  2⤵
  PID:6820
- C:\Windows\System32\RBaGEMV.exe
  C:\Windows\System32\RBaGEMV.exe
  2⤵
  PID:6848
- C:\Windows\System32\rGVNbtu.exe
  C:\Windows\System32\rGVNbtu.exe
  2⤵
  PID:6868
- C:\Windows\System32\smrmPwW.exe
  C:\Windows\System32\smrmPwW.exe
  2⤵
  PID:6892
- C:\Windows\System32\GnxlWXl.exe
  C:\Windows\System32\GnxlWXl.exe
  2⤵
  PID:6920
- C:\Windows\System32\VKlUFbd.exe
  C:\Windows\System32\VKlUFbd.exe
  2⤵
  PID:6936
- C:\Windows\System32\ZqircBU.exe
  C:\Windows\System32\ZqircBU.exe
  2⤵
  PID:6952
- C:\Windows\System32\LTZSabV.exe
  C:\Windows\System32\LTZSabV.exe
  2⤵
  PID:7008
- C:\Windows\System32\EvKfTcd.exe
  C:\Windows\System32\EvKfTcd.exe
  2⤵
  PID:7064
- C:\Windows\System32\osUpyJM.exe
  C:\Windows\System32\osUpyJM.exe
  2⤵
  PID:7080
- C:\Windows\System32\VzAIBQQ.exe
  C:\Windows\System32\VzAIBQQ.exe
  2⤵
  PID:7104
- C:\Windows\System32\eqywiTH.exe
  C:\Windows\System32\eqywiTH.exe
  2⤵
  PID:7120
- C:\Windows\System32\vZqRQuT.exe
  C:\Windows\System32\vZqRQuT.exe
  2⤵
  PID:7152
- C:\Windows\System32\QnXQPth.exe
  C:\Windows\System32\QnXQPth.exe
  2⤵
  PID:5328
- C:\Windows\System32\Bqkhwjn.exe
  C:\Windows\System32\Bqkhwjn.exe
  2⤵
  PID:5660
- C:\Windows\System32\PxeYDVf.exe
  C:\Windows\System32\PxeYDVf.exe
  2⤵
  PID:6012
- C:\Windows\System32\OxTPRgk.exe
  C:\Windows\System32\OxTPRgk.exe
  2⤵
  PID:6280
- C:\Windows\System32\woPUWeG.exe
  C:\Windows\System32\woPUWeG.exe
  2⤵
  PID:6304
- C:\Windows\System32\lDBXiWs.exe
  C:\Windows\System32\lDBXiWs.exe
  2⤵
  PID:6400
- C:\Windows\System32\MOAdKqk.exe
  C:\Windows\System32\MOAdKqk.exe
  2⤵
  PID:6460
- C:\Windows\System32\XCowtyR.exe
  C:\Windows\System32\XCowtyR.exe
  2⤵
  PID:6576
- C:\Windows\System32\qfltyzo.exe
  C:\Windows\System32\qfltyzo.exe
  2⤵
  PID:6688
- C:\Windows\System32\WpLuXMc.exe
  C:\Windows\System32\WpLuXMc.exe
  2⤵
  PID:6864
- C:\Windows\System32\BkfWLNT.exe
  C:\Windows\System32\BkfWLNT.exe
  2⤵
  PID:6828
- C:\Windows\System32\FNyUaey.exe
  C:\Windows\System32\FNyUaey.exe
  2⤵
  PID:6908
- C:\Windows\System32\jyKMoki.exe
  C:\Windows\System32\jyKMoki.exe
  2⤵
  PID:6928
- C:\Windows\System32\edFOIgs.exe
  C:\Windows\System32\edFOIgs.exe
  2⤵
  PID:6972
- C:\Windows\System32\DxUaCEF.exe
  C:\Windows\System32\DxUaCEF.exe
  2⤵
  PID:7048
- C:\Windows\System32\RjvtZoX.exe
  C:\Windows\System32\RjvtZoX.exe
  2⤵
  PID:7076
- C:\Windows\System32\HFQRBTH.exe
  C:\Windows\System32\HFQRBTH.exe
  2⤵
  PID:6196
- C:\Windows\System32\ODQhrje.exe
  C:\Windows\System32\ODQhrje.exe
  2⤵
  PID:6476
- C:\Windows\System32\BlnOfOU.exe
  C:\Windows\System32\BlnOfOU.exe
  2⤵
  PID:6468
- C:\Windows\System32\ZZbfhxd.exe
  C:\Windows\System32\ZZbfhxd.exe
  2⤵
  PID:6664
- C:\Windows\System32\PyLYjsb.exe
  C:\Windows\System32\PyLYjsb.exe
  2⤵
  PID:6632
- C:\Windows\System32\bolnNVq.exe
  C:\Windows\System32\bolnNVq.exe
  2⤵
  PID:6944
- C:\Windows\System32\SNRzcqO.exe
  C:\Windows\System32\SNRzcqO.exe
  2⤵
  PID:6968
- C:\Windows\System32\ybIebYl.exe
  C:\Windows\System32\ybIebYl.exe
  2⤵
  PID:7140
- C:\Windows\System32\YOdFUGO.exe
  C:\Windows\System32\YOdFUGO.exe
  2⤵
  PID:6544
- C:\Windows\System32\cSEpqLu.exe
  C:\Windows\System32\cSEpqLu.exe
  2⤵
  PID:6516
- C:\Windows\System32\UCaadlQ.exe
  C:\Windows\System32\UCaadlQ.exe
  2⤵
  PID:7188
- C:\Windows\System32\OANvAwn.exe
  C:\Windows\System32\OANvAwn.exe
  2⤵
  PID:7208
- C:\Windows\System32\YcTnsQB.exe
  C:\Windows\System32\YcTnsQB.exe
  2⤵
  PID:7276
- C:\Windows\System32\GAziCQp.exe
  C:\Windows\System32\GAziCQp.exe
  2⤵
  PID:7312
- C:\Windows\System32\zDHtcPE.exe
  C:\Windows\System32\zDHtcPE.exe
  2⤵
  PID:7328
- C:\Windows\System32\QcHDRRl.exe
  C:\Windows\System32\QcHDRRl.exe
  2⤵
  PID:7384
- C:\Windows\System32\TEaTgJz.exe
  C:\Windows\System32\TEaTgJz.exe
  2⤵
  PID:7408
- C:\Windows\System32\wRmqBIp.exe
  C:\Windows\System32\wRmqBIp.exe
  2⤵
  PID:7428
- C:\Windows\System32\khcyVZX.exe
  C:\Windows\System32\khcyVZX.exe
  2⤵
  PID:7472
- C:\Windows\System32\UtxMroN.exe
  C:\Windows\System32\UtxMroN.exe
  2⤵
  PID:7504
- C:\Windows\System32\WDvegaH.exe
  C:\Windows\System32\WDvegaH.exe
  2⤵
  PID:7532
- C:\Windows\System32\zNbIqkL.exe
  C:\Windows\System32\zNbIqkL.exe
  2⤵
  PID:7552
- C:\Windows\System32\VDGaVil.exe
  C:\Windows\System32\VDGaVil.exe
  2⤵
  PID:7572
- C:\Windows\System32\JCClSYF.exe
  C:\Windows\System32\JCClSYF.exe
  2⤵
  PID:7608
- C:\Windows\System32\VPVcIbR.exe
  C:\Windows\System32\VPVcIbR.exe
  2⤵
  PID:7648
- C:\Windows\System32\RoPDAzd.exe
  C:\Windows\System32\RoPDAzd.exe
  2⤵
  PID:7672
- C:\Windows\System32\FmNKDRs.exe
  C:\Windows\System32\FmNKDRs.exe
  2⤵
  PID:7688
- C:\Windows\System32\dXrbkEs.exe
  C:\Windows\System32\dXrbkEs.exe
  2⤵
  PID:7708
- C:\Windows\System32\BgRfQpu.exe
  C:\Windows\System32\BgRfQpu.exe
  2⤵
  PID:7728
- C:\Windows\System32\LgMVXJx.exe
  C:\Windows\System32\LgMVXJx.exe
  2⤵
  PID:7744
- C:\Windows\System32\bZEgtHu.exe
  C:\Windows\System32\bZEgtHu.exe
  2⤵
  PID:7768
- C:\Windows\System32\zkrbBhx.exe
  C:\Windows\System32\zkrbBhx.exe
  2⤵
  PID:7792
- C:\Windows\System32\YeOPPJp.exe
  C:\Windows\System32\YeOPPJp.exe
  2⤵
  PID:7864
- C:\Windows\System32\jabJxNW.exe
  C:\Windows\System32\jabJxNW.exe
  2⤵
  PID:7896
- C:\Windows\System32\PFwAZaP.exe
  C:\Windows\System32\PFwAZaP.exe
  2⤵
  PID:7928
- C:\Windows\System32\DRSOtyK.exe
  C:\Windows\System32\DRSOtyK.exe
  2⤵
  PID:7952
- C:\Windows\System32\OxGmRFg.exe
  C:\Windows\System32\OxGmRFg.exe
  2⤵
  PID:7972
- C:\Windows\System32\grEomaJ.exe
  C:\Windows\System32\grEomaJ.exe
  2⤵
  PID:7992
- C:\Windows\System32\qiCKvvu.exe
  C:\Windows\System32\qiCKvvu.exe
  2⤵
  PID:8020
- C:\Windows\System32\kHVrvvn.exe
  C:\Windows\System32\kHVrvvn.exe
  2⤵
  PID:8044
- C:\Windows\System32\xPPbGbW.exe
  C:\Windows\System32\xPPbGbW.exe
  2⤵
  PID:8064
- C:\Windows\System32\EVMmibM.exe
  C:\Windows\System32\EVMmibM.exe
  2⤵
  PID:8088
- C:\Windows\System32\JGExpFR.exe
  C:\Windows\System32\JGExpFR.exe
  2⤵
  PID:8120
- C:\Windows\System32\DVxThKz.exe
  C:\Windows\System32\DVxThKz.exe
  2⤵
  PID:8136
- C:\Windows\System32\DBrBoNm.exe
  C:\Windows\System32\DBrBoNm.exe
  2⤵
  PID:8176
- C:\Windows\System32\GjSibhz.exe
  C:\Windows\System32\GjSibhz.exe
  2⤵
  PID:7172
- C:\Windows\System32\tlxnLNY.exe
  C:\Windows\System32\tlxnLNY.exe
  2⤵
  PID:6900
- C:\Windows\System32\KdiGDwl.exe
  C:\Windows\System32\KdiGDwl.exe
  2⤵
  PID:7256
- C:\Windows\System32\ECMIzRp.exe
  C:\Windows\System32\ECMIzRp.exe
  2⤵
  PID:7304
- C:\Windows\System32\pZnzFTw.exe
  C:\Windows\System32\pZnzFTw.exe
  2⤵
  PID:7404
- C:\Windows\System32\dPaRQVI.exe
  C:\Windows\System32\dPaRQVI.exe
  2⤵
  PID:7492
- C:\Windows\System32\pzEghNG.exe
  C:\Windows\System32\pzEghNG.exe
  2⤵
  PID:7548
- C:\Windows\System32\gnrxiBR.exe
  C:\Windows\System32\gnrxiBR.exe
  2⤵
  PID:7584
- C:\Windows\System32\BqklOXo.exe
  C:\Windows\System32\BqklOXo.exe
  2⤵
  PID:7700
- C:\Windows\System32\qLBDATj.exe
  C:\Windows\System32\qLBDATj.exe
  2⤵
  PID:7704
- C:\Windows\System32\ykdMQCO.exe
  C:\Windows\System32\ykdMQCO.exe
  2⤵
  PID:7740
- C:\Windows\System32\cmKqawg.exe
  C:\Windows\System32\cmKqawg.exe
  2⤵
  PID:7800
- C:\Windows\System32\jwcdchb.exe
  C:\Windows\System32\jwcdchb.exe
  2⤵
  PID:7856
- C:\Windows\System32\DHLyGbw.exe
  C:\Windows\System32\DHLyGbw.exe
  2⤵
  PID:7920
- C:\Windows\System32\jCpjAOl.exe
  C:\Windows\System32\jCpjAOl.exe
  2⤵
  PID:7968
- C:\Windows\System32\PsCZtHi.exe
  C:\Windows\System32\PsCZtHi.exe
  2⤵
  PID:8000
- C:\Windows\System32\EMEkbMt.exe
  C:\Windows\System32\EMEkbMt.exe
  2⤵
  PID:8076
- C:\Windows\System32\efgVnsL.exe
  C:\Windows\System32\efgVnsL.exe
  2⤵
  PID:6504
- C:\Windows\System32\HILjIaP.exe
  C:\Windows\System32\HILjIaP.exe
  2⤵
  PID:7248
- C:\Windows\System32\CHVhFws.exe
  C:\Windows\System32\CHVhFws.exe
  2⤵
  PID:7424
- C:\Windows\System32\mYkEAHw.exe
  C:\Windows\System32\mYkEAHw.exe
  2⤵
  PID:7560
- C:\Windows\System32\ScDsgPh.exe
  C:\Windows\System32\ScDsgPh.exe
  2⤵
  PID:7624
- C:\Windows\System32\KCPubee.exe
  C:\Windows\System32\KCPubee.exe
  2⤵
  PID:7756
- C:\Windows\System32\QjZbpwJ.exe
  C:\Windows\System32\QjZbpwJ.exe
  2⤵
  PID:7820
- C:\Windows\System32\IcWKimV.exe
  C:\Windows\System32\IcWKimV.exe
  2⤵
  PID:7964
- C:\Windows\System32\MEWLSoa.exe
  C:\Windows\System32\MEWLSoa.exe
  2⤵
  PID:6856
- C:\Windows\System32\YBpKVPp.exe
  C:\Windows\System32\YBpKVPp.exe
  2⤵
  PID:8008
- C:\Windows\System32\WNjmBco.exe
  C:\Windows\System32\WNjmBco.exe
  2⤵
  PID:7944
- C:\Windows\System32\uzrycgM.exe
  C:\Windows\System32\uzrycgM.exe
  2⤵
  PID:7904
- C:\Windows\System32\fEJXGtF.exe
  C:\Windows\System32\fEJXGtF.exe
  2⤵
  PID:8200
- C:\Windows\System32\JSGyDfx.exe
  C:\Windows\System32\JSGyDfx.exe
  2⤵
  PID:8224
- C:\Windows\System32\pOqwbho.exe
  C:\Windows\System32\pOqwbho.exe
  2⤵
  PID:8248
- C:\Windows\System32\eNZGfPx.exe
  C:\Windows\System32\eNZGfPx.exe
  2⤵
  PID:8300
- C:\Windows\System32\cfPagyS.exe
  C:\Windows\System32\cfPagyS.exe
  2⤵
  PID:8328
- C:\Windows\System32\YhCoukc.exe
  C:\Windows\System32\YhCoukc.exe
  2⤵
  PID:8344
- C:\Windows\System32\wCmnlZr.exe
  C:\Windows\System32\wCmnlZr.exe
  2⤵
  PID:8372
- C:\Windows\System32\RJpYwNv.exe
  C:\Windows\System32\RJpYwNv.exe
  2⤵
  PID:8412
- C:\Windows\System32\FORiUEq.exe
  C:\Windows\System32\FORiUEq.exe
  2⤵
  PID:8440
- C:\Windows\System32\lNzSbyL.exe
  C:\Windows\System32\lNzSbyL.exe
  2⤵
  PID:8472
- C:\Windows\System32\mdxtEkF.exe
  C:\Windows\System32\mdxtEkF.exe
  2⤵
  PID:8508
- C:\Windows\System32\vPtRmRG.exe
  C:\Windows\System32\vPtRmRG.exe
  2⤵
  PID:8528
- C:\Windows\System32\kSuThLs.exe
  C:\Windows\System32\kSuThLs.exe
  2⤵
  PID:8544
- C:\Windows\System32\fGtHJUE.exe
  C:\Windows\System32\fGtHJUE.exe
  2⤵
  PID:8568
- C:\Windows\System32\tPzqXuD.exe
  C:\Windows\System32\tPzqXuD.exe
  2⤵
  PID:8624
- C:\Windows\System32\pNmYJLP.exe
  C:\Windows\System32\pNmYJLP.exe
  2⤵
  PID:8640
- C:\Windows\System32\wNpnRAZ.exe
  C:\Windows\System32\wNpnRAZ.exe
  2⤵
  PID:8664
- C:\Windows\System32\EzBRKXX.exe
  C:\Windows\System32\EzBRKXX.exe
  2⤵
  PID:8680
- C:\Windows\System32\dytNUqH.exe
  C:\Windows\System32\dytNUqH.exe
  2⤵
  PID:8700
- C:\Windows\System32\qdUYVqD.exe
  C:\Windows\System32\qdUYVqD.exe
  2⤵
  PID:8740
- C:\Windows\System32\dMBlaZu.exe
  C:\Windows\System32\dMBlaZu.exe
  2⤵
  PID:8788
- C:\Windows\System32\mpoOPEa.exe
  C:\Windows\System32\mpoOPEa.exe
  2⤵
  PID:8808
- C:\Windows\System32\MruuoRF.exe
  C:\Windows\System32\MruuoRF.exe
  2⤵
  PID:8832
- C:\Windows\System32\oTjNRRF.exe
  C:\Windows\System32\oTjNRRF.exe
  2⤵
  PID:8872
- C:\Windows\System32\HFFMGXD.exe
  C:\Windows\System32\HFFMGXD.exe
  2⤵
  PID:8900
- C:\Windows\System32\iinuLgV.exe
  C:\Windows\System32\iinuLgV.exe
  2⤵
  PID:8916
- C:\Windows\System32\vUGsjIp.exe
  C:\Windows\System32\vUGsjIp.exe
  2⤵
  PID:8932
- C:\Windows\System32\mmIetmw.exe
  C:\Windows\System32\mmIetmw.exe
  2⤵
  PID:8952
- C:\Windows\System32\EYGmXFy.exe
  C:\Windows\System32\EYGmXFy.exe
  2⤵
  PID:8988
- C:\Windows\System32\mCQlxlz.exe
  C:\Windows\System32\mCQlxlz.exe
  2⤵
  PID:9016
- C:\Windows\System32\hvKBCkF.exe
  C:\Windows\System32\hvKBCkF.exe
  2⤵
  PID:9040
- C:\Windows\System32\GAhiITk.exe
  C:\Windows\System32\GAhiITk.exe
  2⤵
  PID:9072
- C:\Windows\System32\CojGhNC.exe
  C:\Windows\System32\CojGhNC.exe
  2⤵
  PID:9116
- C:\Windows\System32\bKpKtFJ.exe
  C:\Windows\System32\bKpKtFJ.exe
  2⤵
  PID:9132
- C:\Windows\System32\aeBLije.exe
  C:\Windows\System32\aeBLije.exe
  2⤵
  PID:9160
- C:\Windows\System32\UppIzzx.exe
  C:\Windows\System32\UppIzzx.exe
  2⤵
  PID:9188
- C:\Windows\System32\ZJCKKTU.exe
  C:\Windows\System32\ZJCKKTU.exe
  2⤵
  PID:8340
- C:\Windows\System32\qiFYjVK.exe
  C:\Windows\System32\qiFYjVK.exe
  2⤵
  PID:8392
- C:\Windows\System32\hUjEKwk.exe
  C:\Windows\System32\hUjEKwk.exe
  2⤵
  PID:8448
- C:\Windows\System32\gMutbGD.exe
  C:\Windows\System32\gMutbGD.exe
  2⤵
  PID:8460
- C:\Windows\System32\SZdYXSy.exe
  C:\Windows\System32\SZdYXSy.exe
  2⤵
  PID:8500
- C:\Windows\System32\dAbHABO.exe
  C:\Windows\System32\dAbHABO.exe
  2⤵
  PID:8592
- C:\Windows\System32\TzDnTbb.exe
  C:\Windows\System32\TzDnTbb.exe
  2⤵
  PID:8632
- C:\Windows\System32\ycVyLxz.exe
  C:\Windows\System32\ycVyLxz.exe
  2⤵
  PID:8752
- C:\Windows\System32\WtszKhm.exe
  C:\Windows\System32\WtszKhm.exe
  2⤵
  PID:8948
- C:\Windows\System32\kZmYnVM.exe
  C:\Windows\System32\kZmYnVM.exe
  2⤵
  PID:8964
- C:\Windows\System32\SrVChZv.exe
  C:\Windows\System32\SrVChZv.exe
  2⤵
  PID:9032
- C:\Windows\System32\DHtJaoR.exe
  C:\Windows\System32\DHtJaoR.exe
  2⤵
  PID:9100
- C:\Windows\System32\znepGTD.exe
  C:\Windows\System32\znepGTD.exe
  2⤵
  PID:9184
- C:\Windows\System32\edxxUVk.exe
  C:\Windows\System32\edxxUVk.exe
  2⤵
  PID:8196
- C:\Windows\System32\Njhwodj.exe
  C:\Windows\System32\Njhwodj.exe
  2⤵
  PID:8284
- C:\Windows\System32\iOpZFHQ.exe
  C:\Windows\System32\iOpZFHQ.exe
  2⤵
  PID:8584
- C:\Windows\System32\CPTDEoW.exe
  C:\Windows\System32\CPTDEoW.exe
  2⤵
  PID:8516
- C:\Windows\System32\fKAyMKV.exe
  C:\Windows\System32\fKAyMKV.exe
  2⤵
  PID:8316
- C:\Windows\System32\HPtLktI.exe
  C:\Windows\System32\HPtLktI.exe
  2⤵
  PID:8620
- C:\Windows\System32\ocUgCRE.exe
  C:\Windows\System32\ocUgCRE.exe
  2⤵
  PID:8912
- C:\Windows\System32\tCSDWjE.exe
  C:\Windows\System32\tCSDWjE.exe
  2⤵
  PID:9024
- C:\Windows\System32\EsRvQub.exe
  C:\Windows\System32\EsRvQub.exe
  2⤵
  PID:9124
- C:\Windows\System32\rhKobCJ.exe
  C:\Windows\System32\rhKobCJ.exe
  2⤵
  PID:8492
- C:\Windows\System32\KCVISLf.exe
  C:\Windows\System32\KCVISLf.exe
  2⤵
  PID:7664
- C:\Windows\System32\ymlbaWm.exe
  C:\Windows\System32\ymlbaWm.exe
  2⤵
  PID:8696
- C:\Windows\System32\hOacnww.exe
  C:\Windows\System32\hOacnww.exe
  2⤵
  PID:8312
- C:\Windows\System32\ZGoCMzS.exe
  C:\Windows\System32\ZGoCMzS.exe
  2⤵
  PID:8256
- C:\Windows\System32\HoehvvQ.exe
  C:\Windows\System32\HoehvvQ.exe
  2⤵
  PID:9220
- C:\Windows\System32\BbjIVKv.exe
  C:\Windows\System32\BbjIVKv.exe
  2⤵
  PID:9244
- C:\Windows\System32\hpJJNdP.exe
  C:\Windows\System32\hpJJNdP.exe
  2⤵
  PID:9264
- C:\Windows\System32\BHgOkEQ.exe
  C:\Windows\System32\BHgOkEQ.exe
  2⤵
  PID:9300
- C:\Windows\System32\WISxXHR.exe
  C:\Windows\System32\WISxXHR.exe
  2⤵
  PID:9328
- C:\Windows\System32\HtUGjiV.exe
  C:\Windows\System32\HtUGjiV.exe
  2⤵
  PID:9352
- C:\Windows\System32\athLQyp.exe
  C:\Windows\System32\athLQyp.exe
  2⤵
  PID:9368
- C:\Windows\System32\JCkzmsW.exe
  C:\Windows\System32\JCkzmsW.exe
  2⤵
  PID:9396
- C:\Windows\System32\NQgPIdf.exe
  C:\Windows\System32\NQgPIdf.exe
  2⤵
  PID:9432
- C:\Windows\System32\lOCzOgf.exe
  C:\Windows\System32\lOCzOgf.exe
  2⤵
  PID:9464
- C:\Windows\System32\znffkZm.exe
  C:\Windows\System32\znffkZm.exe
  2⤵
  PID:9488
- C:\Windows\System32\UGSautu.exe
  C:\Windows\System32\UGSautu.exe
  2⤵
  PID:9504
- C:\Windows\System32\MwhyBnG.exe
  C:\Windows\System32\MwhyBnG.exe
  2⤵
  PID:9532
- C:\Windows\System32\ccvTLIK.exe
  C:\Windows\System32\ccvTLIK.exe
  2⤵
  PID:9580
- C:\Windows\System32\ZdQvoZd.exe
  C:\Windows\System32\ZdQvoZd.exe
  2⤵
  PID:9604
- C:\Windows\System32\ydvYJVJ.exe
  C:\Windows\System32\ydvYJVJ.exe
  2⤵
  PID:9632
- C:\Windows\System32\RRtDHoD.exe
  C:\Windows\System32\RRtDHoD.exe
  2⤵
  PID:9664
- C:\Windows\System32\BBEirBN.exe
  C:\Windows\System32\BBEirBN.exe
  2⤵
  PID:9684
- C:\Windows\System32\XhYPojt.exe
  C:\Windows\System32\XhYPojt.exe
  2⤵
  PID:9708
- C:\Windows\System32\VNURhNZ.exe
  C:\Windows\System32\VNURhNZ.exe
  2⤵
  PID:9772
- C:\Windows\System32\TDRvaXJ.exe
  C:\Windows\System32\TDRvaXJ.exe
  2⤵
  PID:9788
- C:\Windows\System32\DRIVlXv.exe
  C:\Windows\System32\DRIVlXv.exe
  2⤵
  PID:9808
- C:\Windows\System32\IjryNho.exe
  C:\Windows\System32\IjryNho.exe
  2⤵
  PID:9824
- C:\Windows\System32\NuAgAGe.exe
  C:\Windows\System32\NuAgAGe.exe
  2⤵
  PID:9868
- C:\Windows\System32\InrZZoG.exe
  C:\Windows\System32\InrZZoG.exe
  2⤵
  PID:9888
- C:\Windows\System32\xeWGYig.exe
  C:\Windows\System32\xeWGYig.exe
  2⤵
  PID:9908
- C:\Windows\System32\OKWFnbz.exe
  C:\Windows\System32\OKWFnbz.exe
  2⤵
  PID:9940
- C:\Windows\System32\ZglrZpg.exe
  C:\Windows\System32\ZglrZpg.exe
  2⤵
  PID:9972
- C:\Windows\System32\YDCUtLy.exe
  C:\Windows\System32\YDCUtLy.exe
  2⤵
  PID:10012
- C:\Windows\System32\fAUVpHp.exe
  C:\Windows\System32\fAUVpHp.exe
  2⤵
  PID:10036
- C:\Windows\System32\OOexcRI.exe
  C:\Windows\System32\OOexcRI.exe
  2⤵
  PID:10056
- C:\Windows\System32\qlLHwht.exe
  C:\Windows\System32\qlLHwht.exe
  2⤵
  PID:10084
- C:\Windows\System32\iPCrvdL.exe
  C:\Windows\System32\iPCrvdL.exe
  2⤵
  PID:10128
- C:\Windows\System32\NDhcekp.exe
  C:\Windows\System32\NDhcekp.exe
  2⤵
  PID:10164
- C:\Windows\System32\LYngMQr.exe
  C:\Windows\System32\LYngMQr.exe
  2⤵
  PID:10184
- C:\Windows\System32\fgzJNMP.exe
  C:\Windows\System32\fgzJNMP.exe
  2⤵
  PID:10212
- C:\Windows\System32\bNqFTQe.exe
  C:\Windows\System32\bNqFTQe.exe
  2⤵
  PID:8976
- C:\Windows\System32\CcRzZpI.exe
  C:\Windows\System32\CcRzZpI.exe
  2⤵
  PID:9232
- C:\Windows\System32\GjsPvLf.exe
  C:\Windows\System32\GjsPvLf.exe
  2⤵
  PID:9252
- C:\Windows\System32\jDEfwsU.exe
  C:\Windows\System32\jDEfwsU.exe
  2⤵
  PID:9312
- C:\Windows\System32\BUZJZmT.exe
  C:\Windows\System32\BUZJZmT.exe
  2⤵
  PID:9440
- C:\Windows\System32\VEwkaqq.exe
  C:\Windows\System32\VEwkaqq.exe
  2⤵
  PID:9524
- C:\Windows\System32\JYrexZf.exe
  C:\Windows\System32\JYrexZf.exe
  2⤵
  PID:9512
- C:\Windows\System32\hbyeQja.exe
  C:\Windows\System32\hbyeQja.exe
  2⤵
  PID:9476
- C:\Windows\System32\HMrycAn.exe
  C:\Windows\System32\HMrycAn.exe
  2⤵
  PID:9612
- C:\Windows\System32\KqIftmg.exe
  C:\Windows\System32\KqIftmg.exe
  2⤵
  PID:9652
- C:\Windows\System32\hrvaqZk.exe
  C:\Windows\System32\hrvaqZk.exe
  2⤵
  PID:9720
- C:\Windows\System32\ladlqqD.exe
  C:\Windows\System32\ladlqqD.exe
  2⤵
  PID:9920
- C:\Windows\System32\yNyeodH.exe
  C:\Windows\System32\yNyeodH.exe
  2⤵
  PID:9992
- C:\Windows\System32\KTZYTJP.exe
  C:\Windows\System32\KTZYTJP.exe
  2⤵
  PID:10048
- C:\Windows\System32\WCniCpP.exe
  C:\Windows\System32\WCniCpP.exe
  2⤵
  PID:10068
- C:\Windows\System32\hBYQzRG.exe
  C:\Windows\System32\hBYQzRG.exe
  2⤵
  PID:10192
- C:\Windows\System32\cpfGpGM.exe
  C:\Windows\System32\cpfGpGM.exe
  2⤵
  PID:9280
- C:\Windows\System32\zFWFywU.exe
  C:\Windows\System32\zFWFywU.exe
  2⤵
  PID:9296
- C:\Windows\System32\nwTmlUI.exe
  C:\Windows\System32\nwTmlUI.exe
  2⤵
  PID:9376
- C:\Windows\System32\fQyJlVx.exe
  C:\Windows\System32\fQyJlVx.exe
  2⤵
  PID:9692
- C:\Windows\System32\RFzhtwK.exe
  C:\Windows\System32\RFzhtwK.exe
  2⤵
  PID:9748
- C:\Windows\System32\HJFnctQ.exe
  C:\Windows\System32\HJFnctQ.exe
  2⤵
  PID:9880
- C:\Windows\System32\WldcgGn.exe
  C:\Windows\System32\WldcgGn.exe
  2⤵
  PID:10024
- C:\Windows\System32\dnTdmGe.exe
  C:\Windows\System32\dnTdmGe.exe
  2⤵
  PID:10172
- C:\Windows\System32\oymBokB.exe
  C:\Windows\System32\oymBokB.exe
  2⤵
  PID:9472
- C:\Windows\System32\BBCpaod.exe
  C:\Windows\System32\BBCpaod.exe
  2⤵
  PID:9924
- C:\Windows\System32\osGqmDA.exe
  C:\Windows\System32\osGqmDA.exe
  2⤵
  PID:9460
- C:\Windows\System32\QdCxqyH.exe
  C:\Windows\System32\QdCxqyH.exe
  2⤵
  PID:10224
- C:\Windows\System32\TRRYGJd.exe
  C:\Windows\System32\TRRYGJd.exe
  2⤵
  PID:10260
- C:\Windows\System32\RehzUSS.exe
  C:\Windows\System32\RehzUSS.exe
  2⤵
  PID:10276
- C:\Windows\System32\GbyTBEg.exe
  C:\Windows\System32\GbyTBEg.exe
  2⤵
  PID:10304
- C:\Windows\System32\rhSdBmH.exe
  C:\Windows\System32\rhSdBmH.exe
  2⤵
  PID:10320
- C:\Windows\System32\DBPbaWs.exe
  C:\Windows\System32\DBPbaWs.exe
  2⤵
  PID:10344
- C:\Windows\System32\yczxUnX.exe
  C:\Windows\System32\yczxUnX.exe
  2⤵
  PID:10392
- C:\Windows\System32\DOAavKo.exe
  C:\Windows\System32\DOAavKo.exe
  2⤵
  PID:10416
- C:\Windows\System32\bZflNYF.exe
  C:\Windows\System32\bZflNYF.exe
  2⤵
  PID:10448
- C:\Windows\System32\ogKbJKw.exe
  C:\Windows\System32\ogKbJKw.exe
  2⤵
  PID:10468
- C:\Windows\System32\wjTqevK.exe
  C:\Windows\System32\wjTqevK.exe
  2⤵
  PID:10516
- C:\Windows\System32\OzUwRXk.exe
  C:\Windows\System32\OzUwRXk.exe
  2⤵
  PID:10552
- C:\Windows\System32\FAbDDQz.exe
  C:\Windows\System32\FAbDDQz.exe
  2⤵
  PID:10580
- C:\Windows\System32\ePCizqt.exe
  C:\Windows\System32\ePCizqt.exe
  2⤵
  PID:10604
- C:\Windows\System32\EQOeoeI.exe
  C:\Windows\System32\EQOeoeI.exe
  2⤵
  PID:10636
- C:\Windows\System32\tVWjoxU.exe
  C:\Windows\System32\tVWjoxU.exe
  2⤵
  PID:10660
- C:\Windows\System32\oOctisq.exe
  C:\Windows\System32\oOctisq.exe
  2⤵
  PID:10688
- C:\Windows\System32\vqgHlIZ.exe
  C:\Windows\System32\vqgHlIZ.exe
  2⤵
  PID:10708
- C:\Windows\System32\CVreuAy.exe
  C:\Windows\System32\CVreuAy.exe
  2⤵
  PID:10724
- C:\Windows\System32\LVdnnjc.exe
  C:\Windows\System32\LVdnnjc.exe
  2⤵
  PID:10748
- C:\Windows\System32\DXChyOx.exe
  C:\Windows\System32\DXChyOx.exe
  2⤵
  PID:10772
- C:\Windows\System32\HcopxQq.exe
  C:\Windows\System32\HcopxQq.exe
  2⤵
  PID:10796
- C:\Windows\System32\iMxfblG.exe
  C:\Windows\System32\iMxfblG.exe
  2⤵
  PID:10844
- C:\Windows\System32\UlfLIRw.exe
  C:\Windows\System32\UlfLIRw.exe
  2⤵
  PID:10872
- C:\Windows\System32\OPQCbnB.exe
  C:\Windows\System32\OPQCbnB.exe
  2⤵
  PID:10888
- C:\Windows\System32\GICnatZ.exe
  C:\Windows\System32\GICnatZ.exe
  2⤵
  PID:10924
- C:\Windows\System32\XTbwqPL.exe
  C:\Windows\System32\XTbwqPL.exe
  2⤵
  PID:10976
- C:\Windows\System32\zAGjGxl.exe
  C:\Windows\System32\zAGjGxl.exe
  2⤵
  PID:10996
- C:\Windows\System32\HIICohc.exe
  C:\Windows\System32\HIICohc.exe
  2⤵
  PID:11024
- C:\Windows\System32\riapJJM.exe
  C:\Windows\System32\riapJJM.exe
  2⤵
  PID:11040
- C:\Windows\System32\inDbByI.exe
  C:\Windows\System32\inDbByI.exe
  2⤵
  PID:11068
- C:\Windows\System32\kyVmjzv.exe
  C:\Windows\System32\kyVmjzv.exe
  2⤵
  PID:11116
- C:\Windows\System32\EVOfdKo.exe
  C:\Windows\System32\EVOfdKo.exe
  2⤵
  PID:11136
- C:\Windows\System32\xyXxHeX.exe
  C:\Windows\System32\xyXxHeX.exe
  2⤵
  PID:11164
- C:\Windows\System32\feTDvYK.exe
  C:\Windows\System32\feTDvYK.exe
  2⤵
  PID:11196
- C:\Windows\System32\ohehWKM.exe
  C:\Windows\System32\ohehWKM.exe
  2⤵
  PID:11212
- C:\Windows\System32\SOFhIWy.exe
  C:\Windows\System32\SOFhIWy.exe
  2⤵
  PID:11244
- C:\Windows\System32\avFJpVj.exe
  C:\Windows\System32\avFJpVj.exe
  2⤵
  PID:10248
- C:\Windows\System32\rVoQdXc.exe
  C:\Windows\System32\rVoQdXc.exe
  2⤵
  PID:10332
- C:\Windows\System32\AQqjIEn.exe
  C:\Windows\System32\AQqjIEn.exe
  2⤵
  PID:10356
- C:\Windows\System32\dsKBcoO.exe
  C:\Windows\System32\dsKBcoO.exe
  2⤵
  PID:10460
- C:\Windows\System32\FQnaotp.exe
  C:\Windows\System32\FQnaotp.exe
  2⤵
  PID:10464
- C:\Windows\System32\faXtBDs.exe
  C:\Windows\System32\faXtBDs.exe
  2⤵
  PID:10528
- C:\Windows\System32\apZEMuC.exe
  C:\Windows\System32\apZEMuC.exe
  2⤵
  PID:10620
- C:\Windows\System32\BXdSvRK.exe
  C:\Windows\System32\BXdSvRK.exe
  2⤵
  PID:10704
- C:\Windows\System32\tZfCfap.exe
  C:\Windows\System32\tZfCfap.exe
  2⤵
  PID:10764
- C:\Windows\System32\OlWiwbu.exe
  C:\Windows\System32\OlWiwbu.exe
  2⤵
  PID:10836
- C:\Windows\System32\MhDtWAZ.exe
  C:\Windows\System32\MhDtWAZ.exe
  2⤵
  PID:10916
- C:\Windows\System32\ZgcHJDG.exe
  C:\Windows\System32\ZgcHJDG.exe
  2⤵
  PID:10940
- C:\Windows\System32\kMHEfQM.exe
  C:\Windows\System32\kMHEfQM.exe
  2⤵
  PID:11008
- C:\Windows\System32\kLEExBB.exe
  C:\Windows\System32\kLEExBB.exe
  2⤵
  PID:11060
- C:\Windows\System32\edzyHJB.exe
  C:\Windows\System32\edzyHJB.exe
  2⤵
  PID:11152
- C:\Windows\System32\BYDdSDm.exe
  C:\Windows\System32\BYDdSDm.exe
  2⤵
  PID:11232
- C:\Windows\System32\sfbFrOT.exe
  C:\Windows\System32\sfbFrOT.exe
  2⤵
  PID:11252
- C:\Windows\System32\FKYZYYm.exe
  C:\Windows\System32\FKYZYYm.exe
  2⤵
  PID:10316
- C:\Windows\System32\AGXAKUR.exe
  C:\Windows\System32\AGXAKUR.exe
  2⤵
  PID:10380
- C:\Windows\System32\pcIaROY.exe
  C:\Windows\System32\pcIaROY.exe
  2⤵
  PID:10596
- C:\Windows\System32\UySLAeq.exe
  C:\Windows\System32\UySLAeq.exe
  2⤵
  PID:10828
- C:\Windows\System32\YbvBbCS.exe
  C:\Windows\System32\YbvBbCS.exe
  2⤵
  PID:11100
- C:\Windows\System32\pjuTmzX.exe
  C:\Windows\System32\pjuTmzX.exe
  2⤵
  PID:10252
- C:\Windows\System32\aZkPNJt.exe
  C:\Windows\System32\aZkPNJt.exe
  2⤵
  PID:10272
- C:\Windows\System32\vINGdhn.exe
  C:\Windows\System32\vINGdhn.exe
  2⤵
  PID:10652
- C:\Windows\System32\JmsuAzE.exe
  C:\Windows\System32\JmsuAzE.exe
  2⤵
  PID:11132
- C:\Windows\System32\KCWFhYC.exe
  C:\Windows\System32\KCWFhYC.exe
  2⤵
  PID:11004
- C:\Windows\System32\cGlXKWw.exe
  C:\Windows\System32\cGlXKWw.exe
  2⤵
  PID:11268
- C:\Windows\System32\lqLIyQI.exe
  C:\Windows\System32\lqLIyQI.exe
  2⤵
  PID:11292
- C:\Windows\System32\BVTOjkc.exe
  C:\Windows\System32\BVTOjkc.exe
  2⤵
  PID:11308
- C:\Windows\System32\nrQHAbN.exe
  C:\Windows\System32\nrQHAbN.exe
  2⤵
  PID:11336
- C:\Windows\System32\MfLdatv.exe
  C:\Windows\System32\MfLdatv.exe
  2⤵
  PID:11356
- C:\Windows\System32\MYTJviT.exe
  C:\Windows\System32\MYTJviT.exe
  2⤵
  PID:11404
- C:\Windows\System32\dicvAPJ.exe
  C:\Windows\System32\dicvAPJ.exe
  2⤵
  PID:11424
- C:\Windows\System32\KMCTOTA.exe
  C:\Windows\System32\KMCTOTA.exe
  2⤵
  PID:11440
- C:\Windows\System32\KlYfOsY.exe
  C:\Windows\System32\KlYfOsY.exe
  2⤵
  PID:11476
- C:\Windows\System32\ZQklaKH.exe
  C:\Windows\System32\ZQklaKH.exe
  2⤵
  PID:11512
- C:\Windows\System32\BzPNRDq.exe
  C:\Windows\System32\BzPNRDq.exe
  2⤵
  PID:11528
- C:\Windows\System32\BNyHIau.exe
  C:\Windows\System32\BNyHIau.exe
  2⤵
  PID:11552
- C:\Windows\System32\lugiSxL.exe
  C:\Windows\System32\lugiSxL.exe
  2⤵
  PID:11576
- C:\Windows\System32\UAVFMwQ.exe
  C:\Windows\System32\UAVFMwQ.exe
  2⤵
  PID:11604
- C:\Windows\System32\RizRcjm.exe
  C:\Windows\System32\RizRcjm.exe
  2⤵
  PID:11664
- C:\Windows\System32\fdQRVLE.exe
  C:\Windows\System32\fdQRVLE.exe
  2⤵
  PID:11696
- C:\Windows\System32\BcDIdgn.exe
  C:\Windows\System32\BcDIdgn.exe
  2⤵
  PID:11724
- C:\Windows\System32\QTOrkLc.exe
  C:\Windows\System32\QTOrkLc.exe
  2⤵
  PID:11752
- C:\Windows\System32\gZFrKZl.exe
  C:\Windows\System32\gZFrKZl.exe
  2⤵
  PID:11768
- C:\Windows\System32\LfQveDe.exe
  C:\Windows\System32\LfQveDe.exe
  2⤵
  PID:11784
- C:\Windows\System32\DSNnYhC.exe
  C:\Windows\System32\DSNnYhC.exe
  2⤵
  PID:11824
- C:\Windows\System32\BzJWTSz.exe
  C:\Windows\System32\BzJWTSz.exe
  2⤵
  PID:11860
- C:\Windows\System32\iCXVEIe.exe
  C:\Windows\System32\iCXVEIe.exe
  2⤵
  PID:11884
- C:\Windows\System32\vLGxrCa.exe
  C:\Windows\System32\vLGxrCa.exe
  2⤵
  PID:11920
- C:\Windows\System32\oOimcgx.exe
  C:\Windows\System32\oOimcgx.exe
  2⤵
  PID:11936
- C:\Windows\System32\TFdprsV.exe
  C:\Windows\System32\TFdprsV.exe
  2⤵
  PID:11972
- C:\Windows\System32\jbrgBCE.exe
  C:\Windows\System32\jbrgBCE.exe
  2⤵
  PID:12048
- C:\Windows\System32\EsUxIEj.exe
  C:\Windows\System32\EsUxIEj.exe
  2⤵
  PID:12068
- C:\Windows\System32\fYXvcmu.exe
  C:\Windows\System32\fYXvcmu.exe
  2⤵
  PID:12088
- C:\Windows\System32\aAXoXyO.exe
  C:\Windows\System32\aAXoXyO.exe
  2⤵
  PID:12104
- C:\Windows\System32\CzIoFUn.exe
  C:\Windows\System32\CzIoFUn.exe
  2⤵
  PID:12132
- C:\Windows\System32\dlWIOjw.exe
  C:\Windows\System32\dlWIOjw.exe
  2⤵
  PID:12196
- C:\Windows\System32\iTKbpcr.exe
  C:\Windows\System32\iTKbpcr.exe
  2⤵
  PID:12220
- C:\Windows\System32\WRzAbsJ.exe
  C:\Windows\System32\WRzAbsJ.exe
  2⤵
  PID:12248
- C:\Windows\System32\DhMrlDA.exe
  C:\Windows\System32\DhMrlDA.exe
  2⤵
  PID:10428
- C:\Windows\System32\eYLJSJl.exe
  C:\Windows\System32\eYLJSJl.exe
  2⤵
  PID:11276
- C:\Windows\System32\xnGOgvn.exe
  C:\Windows\System32\xnGOgvn.exe
  2⤵
  PID:11332
- C:\Windows\System32\ZYZfCvQ.exe
  C:\Windows\System32\ZYZfCvQ.exe
  2⤵
  PID:11420
- C:\Windows\System32\RsCjtKY.exe
  C:\Windows\System32\RsCjtKY.exe
  2⤵
  PID:11416
- C:\Windows\System32\dlgNeXw.exe
  C:\Windows\System32\dlgNeXw.exe
  2⤵
  PID:11492
- C:\Windows\System32\goyGjUh.exe
  C:\Windows\System32\goyGjUh.exe
  2⤵
  PID:11564
- C:\Windows\System32\UMxQUxl.exe
  C:\Windows\System32\UMxQUxl.exe
  2⤵
  PID:11588
- C:\Windows\System32\bxFfqPD.exe
  C:\Windows\System32\bxFfqPD.exe
  2⤵
  PID:11636
- C:\Windows\System32\nQUBLei.exe
  C:\Windows\System32\nQUBLei.exe
  2⤵
  PID:11708
- C:\Windows\System32\wLnzNpN.exe
  C:\Windows\System32\wLnzNpN.exe
  2⤵
  PID:11892
- C:\Windows\System32\vFNUxAc.exe
  C:\Windows\System32\vFNUxAc.exe
  2⤵
  PID:11932
- C:\Windows\System32\buuPRpA.exe
  C:\Windows\System32\buuPRpA.exe
  2⤵
  PID:11992
- C:\Windows\System32\WHuOjxk.exe
  C:\Windows\System32\WHuOjxk.exe
  2⤵
  PID:12004
- C:\Windows\System32\JHfIAVU.exe
  C:\Windows\System32\JHfIAVU.exe
  2⤵
  PID:12100
- C:\Windows\System32\YkHQOVy.exe
  C:\Windows\System32\YkHQOVy.exe
  2⤵
  PID:12080
- C:\Windows\System32\snburwR.exe
  C:\Windows\System32\snburwR.exe
  2⤵
  PID:12192
- C:\Windows\System32\HDdhTRC.exe
  C:\Windows\System32\HDdhTRC.exe
  2⤵
  PID:12228
- C:\Windows\System32\bHpHSrs.exe
  C:\Windows\System32\bHpHSrs.exe
  2⤵
  PID:3392
- C:\Windows\System32\XXhctFG.exe
  C:\Windows\System32\XXhctFG.exe
  2⤵
  PID:2792
- C:\Windows\System32\PUzokUr.exe
  C:\Windows\System32\PUzokUr.exe
  2⤵
  PID:11352
- C:\Windows\System32\tgWGfmT.exe
  C:\Windows\System32\tgWGfmT.exe
  2⤵
  PID:11688
- C:\Windows\System32\jPsyTDM.exe
  C:\Windows\System32\jPsyTDM.exe
  2⤵
  PID:11776
- C:\Windows\System32\DapKMXX.exe
  C:\Windows\System32\DapKMXX.exe
  2⤵
  PID:11908
- C:\Windows\System32\TyxnmUS.exe
  C:\Windows\System32\TyxnmUS.exe
  2⤵
  PID:11980
- C:\Windows\System32\VsByLLm.exe
  C:\Windows\System32\VsByLLm.exe
  2⤵
  PID:12096
- C:\Windows\System32\inwLlpm.exe
  C:\Windows\System32\inwLlpm.exe
  2⤵
  PID:12216
- C:\Windows\System32\fVdVQbx.exe
  C:\Windows\System32\fVdVQbx.exe
  2⤵
  PID:11304
- C:\Windows\System32\dikLAim.exe
  C:\Windows\System32\dikLAim.exe
  2⤵
  PID:11988
- C:\Windows\System32\qwmaVUd.exe
  C:\Windows\System32\qwmaVUd.exe
  2⤵
  PID:12016
- C:\Windows\System32\RBiQxdY.exe
  C:\Windows\System32\RBiQxdY.exe
  2⤵
  PID:12264
- C:\Windows\System32\pXFCiCM.exe
  C:\Windows\System32\pXFCiCM.exe
  2⤵
  PID:11280
- C:\Windows\System32\WYsXsXD.exe
  C:\Windows\System32\WYsXsXD.exe
  2⤵
  PID:12308
- C:\Windows\System32\hlUvlyy.exe
  C:\Windows\System32\hlUvlyy.exe
  2⤵
  PID:12340
- C:\Windows\System32\AYkfhXk.exe
  C:\Windows\System32\AYkfhXk.exe
  2⤵
  PID:12356
- C:\Windows\System32\SuQtzty.exe
  C:\Windows\System32\SuQtzty.exe
  2⤵
  PID:12408
- C:\Windows\System32\JKPIDXK.exe
  C:\Windows\System32\JKPIDXK.exe
  2⤵
  PID:12460
- C:\Windows\System32\QdwhSvW.exe
  C:\Windows\System32\QdwhSvW.exe
  2⤵
  PID:12492
- C:\Windows\System32\BQHQSkm.exe
  C:\Windows\System32\BQHQSkm.exe
  2⤵
  PID:12508
- C:\Windows\System32\RAWjYHP.exe
  C:\Windows\System32\RAWjYHP.exe
  2⤵
  PID:12544
- C:\Windows\System32\FkrGmqU.exe
  C:\Windows\System32\FkrGmqU.exe
  2⤵
  PID:12564
- C:\Windows\System32\UCXCtYr.exe
  C:\Windows\System32\UCXCtYr.exe
  2⤵
  PID:12580
- C:\Windows\System32\zcQmtwc.exe
  C:\Windows\System32\zcQmtwc.exe
  2⤵
  PID:12604
- C:\Windows\System32\rHRbLmO.exe
  C:\Windows\System32\rHRbLmO.exe
  2⤵
  PID:12632
- C:\Windows\System32\GCZOGRk.exe
  C:\Windows\System32\GCZOGRk.exe
  2⤵
  PID:12656
- C:\Windows\System32\cRGMCPd.exe
  C:\Windows\System32\cRGMCPd.exe
  2⤵
  PID:12720
- C:\Windows\System32\wxoPjnD.exe
  C:\Windows\System32\wxoPjnD.exe
  2⤵
  PID:12740
- C:\Windows\System32\vxQVgXV.exe
  C:\Windows\System32\vxQVgXV.exe
  2⤵
  PID:12760
- C:\Windows\System32\eVAtLFt.exe
  C:\Windows\System32\eVAtLFt.exe
  2⤵
  PID:12792
- C:\Windows\System32\gwsFbPH.exe
  C:\Windows\System32\gwsFbPH.exe
  2⤵
  PID:12836
- C:\Windows\System32\epvJKCl.exe
  C:\Windows\System32\epvJKCl.exe
  2⤵
  PID:12864
- C:\Windows\System32\zcLbscn.exe
  C:\Windows\System32\zcLbscn.exe
  2⤵
  PID:12880
- C:\Windows\System32\KFbiDaJ.exe
  C:\Windows\System32\KFbiDaJ.exe
  2⤵
  PID:12900
- C:\Windows\System32\peBgHJV.exe
  C:\Windows\System32\peBgHJV.exe
  2⤵
  PID:12916
- C:\Windows\System32\ODJiEhw.exe
  C:\Windows\System32\ODJiEhw.exe
  2⤵
  PID:12940
- C:\Windows\System32\DaHlNqf.exe
  C:\Windows\System32\DaHlNqf.exe
  2⤵
  PID:12968
- C:\Windows\System32\hsTNNry.exe
  C:\Windows\System32\hsTNNry.exe
  2⤵
  PID:12996
- C:\Windows\System32\WZgZEKE.exe
  C:\Windows\System32\WZgZEKE.exe
  2⤵
  PID:13028
- C:\Windows\System32\eMFRcet.exe
  C:\Windows\System32\eMFRcet.exe
  2⤵
  PID:13048
- C:\Windows\System32\ibKLwXb.exe
  C:\Windows\System32\ibKLwXb.exe
  2⤵
  PID:13088
- C:\Windows\System32\vqnMXrS.exe
  C:\Windows\System32\vqnMXrS.exe
  2⤵
  PID:13108
- C:\Windows\System32\JNoHPRO.exe
  C:\Windows\System32\JNoHPRO.exe
  2⤵
  PID:13128
- C:\Windows\System32\QzsRIpJ.exe
  C:\Windows\System32\QzsRIpJ.exe
  2⤵
  PID:13156
- C:\Windows\System32\qkTYIFw.exe
  C:\Windows\System32\qkTYIFw.exe
  2⤵
  PID:13184
- C:\Windows\System32\eEJZPAA.exe
  C:\Windows\System32\eEJZPAA.exe
  2⤵
  PID:13208
- C:\Windows\System32\ktKVRsJ.exe
  C:\Windows\System32\ktKVRsJ.exe
  2⤵
  PID:13224
- C:\Windows\System32\NFTgJJq.exe
  C:\Windows\System32\NFTgJJq.exe
  2⤵
  PID:13284
- C:\Windows\System32\aSTKxBx.exe
  C:\Windows\System32\aSTKxBx.exe
  2⤵
  PID:12184
- C:\Windows\System32\bVFCvsL.exe
  C:\Windows\System32\bVFCvsL.exe
  2⤵
  PID:12032
- C:\Windows\System32\QmyfAsy.exe
  C:\Windows\System32\QmyfAsy.exe
  2⤵
  PID:12316
- C:\Windows\System32\AOfDgEb.exe
  C:\Windows\System32\AOfDgEb.exe
  2⤵
  PID:12416
- C:\Windows\System32\ZIrjEkC.exe
  C:\Windows\System32\ZIrjEkC.exe
  2⤵
  PID:12528
- C:\Windows\System32\vwfiatX.exe
  C:\Windows\System32\vwfiatX.exe
  2⤵
  PID:12588
- C:\Windows\System32\NaFVbrB.exe
  C:\Windows\System32\NaFVbrB.exe
  2⤵
  PID:12644
- C:\Windows\System32\BvJyNnI.exe
  C:\Windows\System32\BvJyNnI.exe
  2⤵
  PID:12732
- C:\Windows\System32\HXMGxiq.exe
  C:\Windows\System32\HXMGxiq.exe
  2⤵
  PID:12768
- C:\Windows\System32\hpjogHZ.exe
  C:\Windows\System32\hpjogHZ.exe
  2⤵
  PID:12860
- C:\Windows\System32\GxKLNco.exe
  C:\Windows\System32\GxKLNco.exe
  2⤵
  PID:12936
- C:\Windows\System32\OpxFtiv.exe
  C:\Windows\System32\OpxFtiv.exe
  2⤵
  PID:13008
- C:\Windows\System32\zfGIewW.exe
  C:\Windows\System32\zfGIewW.exe
  2⤵
  PID:13064

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AHvTWrF.exe

Filesize
1.1MB

MD5
7eb4df0d6f39932b29150fdc9c8dea03

SHA1
24a2c2913bef86046f0f5d7216a9e291f0984694

SHA256
69c509d57b11e18393ec353f35dfef7b3dd58965617e8a3d42ac514f656155df

SHA512
f79f6766eceb3e2eb533390d3610cfe9549ca5be298899017c40bea5d49e28a6d2c82619c694b7ff76010747428182b6feb76a67f6678a71032d806b6cd5e9e1

Download Submit
C:\Windows\System32\BUIYcUh.exe

Filesize
1.1MB

MD5
22ba9531f691012cd0c85b56f4a2c14c

SHA1
4bf4fee75b1a7c8e80667829a6419ce2bce24330

SHA256
442c84eb017bf1fa3e1f71fd9f963716c9db816919118549025a443c53a0d5b7

SHA512
98499463a35667a3b8f94b37c06c5b5a0ba51768cb612679b9ca7a62cb6da5b742776bd3220613283bc661b4f61458486e4c661e531ab7e253e5e60b7fb3e65a

Download Submit
C:\Windows\System32\BYtyLqp.exe

Filesize
1.1MB

MD5
f25cd0cecce127dd49569e8c37bc1b9f

SHA1
a57443ddd7667524ea5c20dc28278e92d256062c

SHA256
305945cb2d3bc3be4c5eba019bda88d808018e62a0e4a249b7663433f5925bf4

SHA512
5fec3f55b217c158c205f3be9ad100ae7f4fd6bd98e73beb37569aecb24fd972cb047e1169f916acbd55abd129f1d76904812a5ea03442f693fad2197c82536a

Download Submit
C:\Windows\System32\EmhWpMj.exe

Filesize
1.1MB

MD5
2367b95232a694fd113639e3f6de8e02

SHA1
e43f48638cd23f620f41ef9a458ef9da3e35338a

SHA256
96435d1379585c83a9db5a0339c73f1da34c8fa2c7839aa021fc5cd163b64619

SHA512
c01eb6dd0506e062c45edf56c6205b262ff37bbbd8a8cdb9db84e633b236c1df562e2122256aa9e1bfaa8205723838ef96c77aeebc37c5f595d86a0165768c8a

Download Submit
C:\Windows\System32\FvWnaCW.exe

Filesize
1.1MB

MD5
873f9811ac8445ed85467a6c27cc0ebb

SHA1
b9b1d53ec64a8280bb510b90df8ce6b17cb1c6ba

SHA256
cb2894dd471bdf2ffee4486031c363ef7102da09f875d90d48b0dedf602fc60c

SHA512
c3dc244e3676837a8f1a23f74705b41c14b9b7c1fe1ae485860782eb928c234aeda8fbc46baa545d95b56678d90602460315153b03f5edabe7fd2e5ef2efbc84

Download Submit
C:\Windows\System32\GxMTVeI.exe

Filesize
1.1MB

MD5
46ff263b63f362e0e7f7aba9469453ab

SHA1
641aba2e07d5a632a4f6c5cd777a9de693242ba1

SHA256
70bfb52ae242dd6e6e81d8487d0d3c4f10850ca12ac8d526098c6aca5624b539

SHA512
96b2411b2def2d21d347d9afc57fd563853e09faefdb74ece5c8ee83f4781190c5ec5976c85c9447b01ae05d77b6fa4b47cfc7c0f36df6b54955bf12b3e26480

Download Submit
C:\Windows\System32\HIsvAlF.exe

Filesize
1.1MB

MD5
7e5d8db9e056ff4f0b3562ba6a1ba5db

SHA1
c4d124542db3ec26eeca010472b9d6734f1c657a

SHA256
6c8de5dd69763b6b73c6be15ebc57cbea406f8b2b9ed2cff2468350686ca04cd

SHA512
4faaf8c5d887ecab50fe3570a5fa654dc13630adc0c98d8561ca8622005bb69acc70aa43bbbc7db78a98730e3aba7cd35cf55350d30662671f90699d9458e2c1

Download Submit
C:\Windows\System32\JVmprlQ.exe

Filesize
1.1MB

MD5
daa224e1222c10caee980f192c6a103f

SHA1
e4694620df0ec5811c56090932f5570fb50a0d87

SHA256
c184ce43b2958e0780ee18da74960fcfd6d866ae3ff251a4c03c82aacc8826ab

SHA512
a8381117e8e86cc409415793bed156c59cbf7bd036235457926e5c9f1fcd6297d4356614dc464f86805bf26c688e932f31e1f6b851e0ee25425a170083ad730b

Download Submit
C:\Windows\System32\MqrpGSB.exe

Filesize
1.1MB

MD5
55d97848e21eca0b0a5770e86581724b

SHA1
35a7f40c69d860752aa5a03b8293027419b183ad

SHA256
4117040d297d5e730d2f1c549928f1ff00515f1bc487b5811d9377f1af4d88f7

SHA512
5030a8bc4fc003e6ea2247491a59c6ce0d8ad70b112956931e751e8ae77da9b4d21d5ec00746331a9d9206e9c843d076a3a2296a844dd8dc2b5ebf3e5752e56a

Download Submit
C:\Windows\System32\NhOEmJz.exe

Filesize
1.1MB

MD5
ec01d47de44565186413ae6d881080e7

SHA1
8bffe18e92ff92e7ce3cc58bc2086c935890450e

SHA256
a7307eca85e99fb13480d7dc57c10fcf56e6262f7c6fa91cce1604a6739da79d

SHA512
6841e718b63250b61f9ea0b19d5a5799eec182d37c091a023b27a2ea89e1b842017d13c125cd092278bb22d6e254e15d50f170d8b0550ffd0d0336747bf7b52f

Download Submit
C:\Windows\System32\PXiospH.exe

Filesize
1.1MB

MD5
eac956e452873d894ef82c8188a401c3

SHA1
2162785ec79ecb51cebd4320c33c17313459b5f2

SHA256
6b32ffb5f128cb31b537b4b328dfe59b804df0db035476d00b0703188078dd6d

SHA512
ed93b4f0f5d11ee1ca2ff1eda930f3ab576976412674a1122af273b4c600750c0547cefad1748b1d681bdca7d65df78ff3dce02d177a2a3ae11ed6d26ae2f3c7

Download Submit
C:\Windows\System32\PyHtTTp.exe

Filesize
1.1MB

MD5
2815de55f73e4d8f0afa4c886f15021a

SHA1
b15ab6da74e00c8bb1b164dfbb068f966f781236

SHA256
1969abfaa5fdb8aef879145dde39321bb75d2519db56c354e5538f550d09182d

SHA512
0d11384e81659b5eab5e96bb0654348a0e060f810188460cb1f2b8841c40828a5d56c579556c2f0de176505a5fc6e7c5f6c0ada14bbb8553fbde0b3673d383fa

Download Submit
C:\Windows\System32\QFdWJCe.exe

Filesize
1.1MB

MD5
58c6917dfc3035c2ea30c170d29b8ef7

SHA1
bc3af9858546ff59c04678acf0d776f886fabc70

SHA256
854914ee1f048fe46ab08435d4104ca5ce3b6e9ebd7464f3ba7c2fb72c52886c

SHA512
88d4f47dd704240546a11bf2886c9489b3631849bfea3879230199d3befffaba279ec7d3578785105a54498c90c72bc3d915a84d0aeeb56c20d23fcf63fd4d3b

Download Submit
C:\Windows\System32\RcnRQPa.exe

Filesize
1.1MB

MD5
32caf964dd401b89e0c83fd749847f0e

SHA1
be7e5b371161b5b3394f51b384673db8f759c133

SHA256
58a423d0394bfd6b7c40e710eec60490416d8d47161f4780b64518231d332d4d

SHA512
83afa7d769e19f29e27866a65c84f8f319c117061c09815438111057bf17ced9eb47690994e4705345fb7b4c9fc035a1135b282f945ceecd28fd6b39d72d112c

Download Submit
C:\Windows\System32\TJgSaeT.exe

Filesize
1.1MB

MD5
66526fc9db48d95d509b9104b69322ff

SHA1
13a46b410ec9d88e4822d0b0e37b6d0756abafa5

SHA256
11c47de050a98961e39d2efbe79d98b51c17aebd405b7910f4b2a538ec3ce334

SHA512
8166fd1129a9fae9a0ba2471bb772de059920649c3fa8fb90efd179d8e449d01047a7c844bac79ae8020e34d4413671be8d0a591096a621bd2fe9d7c472c7113

Download Submit
C:\Windows\System32\WDdYyjD.exe

Filesize
1.1MB

MD5
c7bef040eeb1041e1d1164bcd7ded6ae

SHA1
89fa2803956aa9ee3542e4794d94fa1849fcd671

SHA256
d8a4167d46ce0ea584c3e8c5be706ddab69e552ac849c5a0333f4916115e9829

SHA512
2f03d33306fa07e89d496fda594b4d5714f0fa0cabc37ecf9975f6942bd5e437c9e32219cb2baeab2321bdac5fc91e6418b1e00828083d483992e209bea1ea17

Download Submit
C:\Windows\System32\YNCPeGX.exe

Filesize
1.1MB

MD5
c25b02aa78059ee363d9fbce01c58427

SHA1
771c2ee03ed311b6c0ef87d9082521dadb567e69

SHA256
66bceb8ff646750263387f82cb1bd5e4768842f3c9fb59a36b0ae2c7bdd10f57

SHA512
1af5773ebdc5b10d0dad7c8a16ced4a6e82b6d0fc521cfe90d310ba258a153f99692cd1546fc4f09a21b1420d01c737e8f86db7261b21bf57333f02f40282d70

Download Submit
C:\Windows\System32\YkAcRJi.exe

Filesize
1.1MB

MD5
f53c036a9d84a487557d24e06c47df2e

SHA1
d2b4a6ddedcc166a1f87f8ef8d2ef9bbe9776e1a

SHA256
816692c185a32eaa581285b80791c7d8e96523404ceb1c8c952c7c64901ec1e6

SHA512
4ce4fa826ad625e1b98e53e26579bd00f9838aafbcbf98466da4d67b5018a1df5e7492698f1414f0c156cbf72e61c821d657ab0a597144bab76bcc0ef21b17e1

Download Submit
C:\Windows\System32\azbbqFy.exe

Filesize
1.1MB

MD5
d00cde0aa379cc08c6d1e088f025062e

SHA1
70a1124fdeab97a15d2869aef2ab053b7813e61c

SHA256
d019cb5841b01f6e09ae3ad72e400138e84b7148c8b8213be33a34202f65cc44

SHA512
0fadc2802e0e290c5d0f1374b9e9f99a56eb36e34965b882c1204565ab5d8f738da2a41433716721539fbcc4b981576993b1bc6a04a39d0ee84f17fa454ea190

Download Submit
C:\Windows\System32\gehVsRS.exe

Filesize
1.1MB

MD5
8ef627f7918cca1967da306c699026ac

SHA1
65cd61447f3b1a406fd1b1ae384ca38bb8eded10

SHA256
2d2cde4256bd552e0858c47bcc54adc78303dcb94bf7fc20024bb72853da3ec6

SHA512
7f0a5ed36dda974859beb5ba5d925324a5552b00581a404991efe73eb8c6fde0c23606f194aea2be5968a0e6515ebd4c0812a3ed3299d5a41956e04555daa9c7

Download Submit
C:\Windows\System32\gvFWXkp.exe

Filesize
1.1MB

MD5
8b0469dee9623bea37ac90d1ef913e7c

SHA1
f95479d9a4f5b1cf31134cf05b9f56afd8d3c722

SHA256
b5eee8d913ecbe60ec0beab55619a170fe3bd7e6480471291d7f9b5b9295c184

SHA512
620aec0cc25df785338af31c9359ee30ec75606c37333280513533bab6e50ced52c86ffb5031b93751048494ad4036a92f575abb9d1fa07e9da5c39320f1e9a5

Download Submit
C:\Windows\System32\hAxLWSX.exe

Filesize
1.1MB

MD5
3c71db2eaaad64c1f14f0ecbd9ebf605

SHA1
fc0b80cb426b371298d371ab9b6809779d091661

SHA256
7ec8964a2ff98682c923cbe6f48e20e29ef7033fe915f332328999d2a7a6b1a7

SHA512
ed7c0d2deaf02e03abd811611945e72f3ca9f2025b9a29ec62255fac0c4dde7004088c77940dafbb26d2bcf9c9b19e19ab3ee22f01f10654c852f8f0abaa90e6

Download Submit
C:\Windows\System32\iihClhm.exe

Filesize
1.1MB

MD5
ccf9cd916a9807935e73be4efcb3cf6e

SHA1
0e246dd145979639ed18ceb49729aa66a8192940

SHA256
b8b15f83caf07663cdc33f071dd9cda1aa905270b3294af892f189afa94ba4ff

SHA512
cb5f5e7b0a63bd4d3d91810172072efbc3280ec260ae60c25673d5b158bf12f76069ea21d45fabd8657c88d4388e6ba3a714459eb6d214b9b2e4d881472656c9

Download Submit
C:\Windows\System32\jKDAGAQ.exe

Filesize
1.1MB

MD5
2dc40a406a54ef1ee9077718dba1dfdb

SHA1
0707a86973faad4f7d25bb8d2a4521b6f9d81c01

SHA256
414383ca1e6b4c9527b5865df5c5a99b50dc856b7244901a3d2a72697de7322a

SHA512
3488f108ec1769abf2e1bfbf27d7c203853ebbf97a82161618e84d2fc0bad872625c80b1763545754fab2cc4f50ce555f5e4b438e22b460e655c85c84fba4d72

Download Submit
C:\Windows\System32\mLCuMQV.exe

Filesize
1.1MB

MD5
f31d83bb9d289cfedf49c0b7db7e4f55

SHA1
a4897a1f4ebb6fa4bd8af022fbee999676d5cc3e

SHA256
31e931dee0a6501a3d704cd45ca18133ee04ac710c11b514ed760e1dde7efcdb

SHA512
cf9e039d5e6598be4c3c73a99b107053c96e251a78d26b161762e4fbc3bde6c670de3ed8990469579d611c706c6d60628e6a1ac7ee2f57bb443e97f45907462f

Download Submit
C:\Windows\System32\nnhwndQ.exe

Filesize
1.1MB

MD5
ee70de08262c0978b14cac295e8543a3

SHA1
4eb4fc537710b3b611ca9cdd5d9e6ae6c9a3e099

SHA256
acec7fa92831767c91aac33dda42cb3026489571621853dcc0a04996cfe373cb

SHA512
ef0d7036688b1d49066aabf97585f843cc87c684456264e00026c2906f7280fe9105d4f51cc73230eb94d4b4beae2c823b35ac9ae046d63e8187e512f2ea4796

Download Submit
C:\Windows\System32\nojVrGq.exe

Filesize
1.1MB

MD5
e6e661aa1cd3ff3b6ce155c20b7234e4

SHA1
66215d344c8e37e31a41a4d6649c0c84d4a1c352

SHA256
3be21d79c88b3c963730e2f178ba48e0fe5afc3831221c84698edee82235537a

SHA512
265f254171849c2a9a18f2a032261c09b8fe4e8596a4c4d5f070b67ca351e4236b2f037d7ed4a9d44b33f93d2d0ed291492b18aabddff1be004385c2ae066941

Download Submit
C:\Windows\System32\pOBcKEN.exe

Filesize
1.1MB

MD5
720928c6693ffda967aefc62fad507f0

SHA1
d7d87987a4b3a372b568270ae4c24937f9ef5499

SHA256
54a269cef2e4c173a8cafd87056d874f467dea4c3d590bff9881040a9bb80b15

SHA512
b7f04f74837c619f0051b6e54bc839f619c882c6c82a55915f78ce10f339a7c83d0ecdb7e3520aeb3889b76e90c8e48f47f51810a42f3832daeda4d4d972f03a

Download Submit
C:\Windows\System32\pZtTAVt.exe

Filesize
1.1MB

MD5
11cf71c6c00825e8e866ac8cfec22011

SHA1
14d5f0a41ec6e886baa5707cdf0922f6d1d190c9

SHA256
700591096c958c1be571dfc614521644ee6d3c3ae67ef082e4cf39486b07e13e

SHA512
2af7fbc1ec88b9a880fb91cfc3004283ccacf1b0776f7d7ba22ffc088c63e5e1d32408952a822b14a369a0b53c83aefcb43a70fdfe0eae304962b30d5a051373

Download Submit
C:\Windows\System32\rCpVYMY.exe

Filesize
1.1MB

MD5
a80daa22e0950a063591e2dea8eaaee2

SHA1
0f67fe013ac98c1a79ab390658749632b261e598

SHA256
3e5c043a9bdc480ffa8b7e58a3487f38899dd34dd4ada5c0bfcec43c2f70e084

SHA512
0f601953a2a8ae4ee52c6c376c3676bac21e94e53ba2e935a370412b2a9318753ae8bab3b70c9aa143957b815fe54cf0f7c5d4196bebfb1781c79ce06756739a

Download Submit
C:\Windows\System32\saYYonH.exe

Filesize
1.1MB

MD5
34a2b723643f2934661daa8b6753db20

SHA1
4b3b5d275d948817d61bb555d4ec613b0d5fb71b

SHA256
a6a882d322a65ff7e288c0cf8829d181dd47d50fa0afab7d4a1df246df01bf69

SHA512
d6aef3c1c2a44a4055c51756fc5306a188c311036ad6d008c8d9c126c03ca7216fd34648d16d591a4f7b1c4fe0bed519f6ece8a9254447a9533d2588dd861c42

Download Submit
C:\Windows\System32\wvlLobT.exe

Filesize
1.1MB

MD5
3e12f53da9301d3f816b3297decd0c85

SHA1
d3ad2b9e670243db1dbf95df8c78cf521066ac5f

SHA256
10a9bfa173119dc4c4e42ef98152a2e76340708cb91138ffcf3392873bdde797

SHA512
59909c4f455ff6a2c4a161727764b86e1dd00f2e8e9d5b6d31b0b43d08351ee9faa62c8d55953941b6c1664153761a0ced7750fd09efcec1e760a4458d56538b

Download Submit
memory/380-2039-0x00007FF66DBB0000-0x00007FF66DFA1000-memory.dmp

Filesize
3.9MB

Download
memory/380-326-0x00007FF66DBB0000-0x00007FF66DFA1000-memory.dmp

Filesize
3.9MB

Download
memory/412-2051-0x00007FF696370000-0x00007FF696761000-memory.dmp

Filesize
3.9MB

Download
memory/412-358-0x00007FF696370000-0x00007FF696761000-memory.dmp

Filesize
3.9MB

Download
memory/704-2024-0x00007FF673A60000-0x00007FF673E51000-memory.dmp

Filesize
3.9MB

Download
memory/704-35-0x00007FF673A60000-0x00007FF673E51000-memory.dmp

Filesize
3.9MB

Download
memory/732-2017-0x00007FF65DEA0000-0x00007FF65E291000-memory.dmp

Filesize
3.9MB

Download
memory/732-18-0x00007FF65DEA0000-0x00007FF65E291000-memory.dmp

Filesize
3.9MB

Download
memory/920-2047-0x00007FF675C20000-0x00007FF676011000-memory.dmp

Filesize
3.9MB

Download
memory/920-362-0x00007FF675C20000-0x00007FF676011000-memory.dmp

Filesize
3.9MB

Download
memory/1060-2057-0x00007FF7D5110000-0x00007FF7D5501000-memory.dmp

Filesize
3.9MB

Download
memory/1060-366-0x00007FF7D5110000-0x00007FF7D5501000-memory.dmp

Filesize
3.9MB

Download
memory/1508-347-0x00007FF629CE0000-0x00007FF62A0D1000-memory.dmp

Filesize
3.9MB

Download
memory/1508-2045-0x00007FF629CE0000-0x00007FF62A0D1000-memory.dmp

Filesize
3.9MB

Download
memory/1532-2021-0x00007FF6FF930000-0x00007FF6FFD21000-memory.dmp

Filesize
3.9MB

Download
memory/1532-291-0x00007FF6FF930000-0x00007FF6FFD21000-memory.dmp

Filesize
3.9MB

Download
memory/1732-0-0x00007FF77AA50000-0x00007FF77AE41000-memory.dmp

Filesize
3.9MB

Download
memory/1732-1-0x000001893BA00000-0x000001893BA10000-memory.dmp

Filesize
64KB

Download
memory/1932-378-0x00007FF758550000-0x00007FF758941000-memory.dmp

Filesize
3.9MB

Download
memory/1932-2061-0x00007FF758550000-0x00007FF758941000-memory.dmp

Filesize
3.9MB

Download
memory/2288-2053-0x00007FF73FE70000-0x00007FF740261000-memory.dmp

Filesize
3.9MB

Download
memory/2288-340-0x00007FF73FE70000-0x00007FF740261000-memory.dmp

Filesize
3.9MB

Download
memory/2700-344-0x00007FF655390000-0x00007FF655781000-memory.dmp

Filesize
3.9MB

Download
memory/2700-2049-0x00007FF655390000-0x00007FF655781000-memory.dmp

Filesize
3.9MB

Download
memory/3240-312-0x00007FF70B030000-0x00007FF70B421000-memory.dmp

Filesize
3.9MB

Download
memory/3240-2029-0x00007FF70B030000-0x00007FF70B421000-memory.dmp

Filesize
3.9MB

Download
memory/3424-37-0x00007FF6394E0000-0x00007FF6398D1000-memory.dmp

Filesize
3.9MB

Download
memory/3424-2031-0x00007FF6394E0000-0x00007FF6398D1000-memory.dmp

Filesize
3.9MB

Download
memory/3424-1960-0x00007FF6394E0000-0x00007FF6398D1000-memory.dmp

Filesize
3.9MB

Download
memory/3512-2037-0x00007FF70B1F0000-0x00007FF70B5E1000-memory.dmp

Filesize
3.9MB

Download
memory/3512-341-0x00007FF70B1F0000-0x00007FF70B5E1000-memory.dmp

Filesize
3.9MB

Download
memory/3632-2019-0x00007FF6DB320000-0x00007FF6DB711000-memory.dmp

Filesize
3.9MB

Download
memory/3632-34-0x00007FF6DB320000-0x00007FF6DB711000-memory.dmp

Filesize
3.9MB

Download
memory/3952-381-0x00007FF7BA8B0000-0x00007FF7BACA1000-memory.dmp

Filesize
3.9MB

Download
memory/3952-2041-0x00007FF7BA8B0000-0x00007FF7BACA1000-memory.dmp

Filesize
3.9MB

Download
memory/4016-363-0x00007FF76BDB0000-0x00007FF76C1A1000-memory.dmp

Filesize
3.9MB

Download
memory/4016-2055-0x00007FF76BDB0000-0x00007FF76C1A1000-memory.dmp

Filesize
3.9MB

Download
memory/4208-379-0x00007FF622E00000-0x00007FF6231F1000-memory.dmp

Filesize
3.9MB

Download
memory/4208-2063-0x00007FF622E00000-0x00007FF6231F1000-memory.dmp

Filesize
3.9MB

Download
memory/4240-2059-0x00007FF73D3F0000-0x00007FF73D7E1000-memory.dmp

Filesize
3.9MB

Download
memory/4240-372-0x00007FF73D3F0000-0x00007FF73D7E1000-memory.dmp

Filesize
3.9MB

Download
memory/4436-300-0x00007FF6CEFB0000-0x00007FF6CF3A1000-memory.dmp

Filesize
3.9MB

Download
memory/4436-2025-0x00007FF6CEFB0000-0x00007FF6CF3A1000-memory.dmp

Filesize
3.9MB

Download
memory/4740-2027-0x00007FF67C600000-0x00007FF67C9F1000-memory.dmp

Filesize
3.9MB

Download
memory/4740-348-0x00007FF67C600000-0x00007FF67C9F1000-memory.dmp

Filesize
3.9MB

Download
memory/4752-354-0x00007FF6F9250000-0x00007FF6F9641000-memory.dmp

Filesize
3.9MB

Download
memory/4752-2033-0x00007FF6F9250000-0x00007FF6F9641000-memory.dmp

Filesize
3.9MB

Download
memory/4952-2043-0x00007FF754CE0000-0x00007FF7550D1000-memory.dmp

Filesize
3.9MB

Download
memory/4952-322-0x00007FF754CE0000-0x00007FF7550D1000-memory.dmp

Filesize
3.9MB

Download
memory/4988-2035-0x00007FF751FB0000-0x00007FF7523A1000-memory.dmp

Filesize
3.9MB

Download
memory/4988-334-0x00007FF751FB0000-0x00007FF7523A1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads