xmrig | d63a5b20bf70208d6dd42c0facb9698d084bdec28354d84feacd0bf490d55178

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a4fd87c3a488cf84f64b2679469530N.exe
Size

1.5MB
MD5

00a4fd87c3a488cf84f64b2679469530
SHA1

ba1b8b45adfe1052eb4844269b7a69250ae22adb
SHA256

d63a5b20bf70208d6dd42c0facb9698d084bdec28354d84feacd0bf490d55178
SHA512

ea11dacdde30e920a13a083abb3e3e2bd76b093546b5ac2a9afea09ee46bfddebb0bec7b9b549d81ad1feca49927eaf216876d3e9d0161779f6a219be30f8a5f
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbc8lFad+tszICTJKIRmzwQidZ4MV:knw9oUUEEDlGUJ8Y9c87Me1IRs5MV

Score

10^/10

xmrig miner persistence privilege_escalation upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 51 IoCs

miner

resource	yara_rule
behavioral2/memory/2812-36-0x00007FF65EC30000-0x00007FF65F021000-memory.dmp	xmrig
behavioral2/memory/2360-493-0x00007FF7B5B40000-0x00007FF7B5F31000-memory.dmp	xmrig
behavioral2/memory/4528-499-0x00007FF6653A0000-0x00007FF665791000-memory.dmp	xmrig
behavioral2/memory/3288-509-0x00007FF642690000-0x00007FF642A81000-memory.dmp	xmrig
behavioral2/memory/1352-492-0x00007FF76A140000-0x00007FF76A531000-memory.dmp	xmrig
behavioral2/memory/1588-489-0x00007FF6B5C30000-0x00007FF6B6021000-memory.dmp	xmrig
behavioral2/memory/2976-517-0x00007FF6D01C0000-0x00007FF6D05B1000-memory.dmp	xmrig
behavioral2/memory/2612-522-0x00007FF6C8C20000-0x00007FF6C9011000-memory.dmp	xmrig
behavioral2/memory/4276-532-0x00007FF616110000-0x00007FF616501000-memory.dmp	xmrig
behavioral2/memory/3004-528-0x00007FF7EF290000-0x00007FF7EF681000-memory.dmp	xmrig
behavioral2/memory/688-527-0x00007FF7AB440000-0x00007FF7AB831000-memory.dmp	xmrig
behavioral2/memory/4400-511-0x00007FF6C4EB0000-0x00007FF6C52A1000-memory.dmp	xmrig
behavioral2/memory/3936-548-0x00007FF6FABA0000-0x00007FF6FAF91000-memory.dmp	xmrig
behavioral2/memory/3508-547-0x00007FF7E99A0000-0x00007FF7E9D91000-memory.dmp	xmrig
behavioral2/memory/1764-60-0x00007FF62E200000-0x00007FF62E5F1000-memory.dmp	xmrig
behavioral2/memory/4608-1170-0x00007FF615C60000-0x00007FF616051000-memory.dmp	xmrig
behavioral2/memory/1064-1171-0x00007FF769F40000-0x00007FF76A331000-memory.dmp	xmrig
behavioral2/memory/2948-1640-0x00007FF61AA30000-0x00007FF61AE21000-memory.dmp	xmrig
behavioral2/memory/4608-1994-0x00007FF615C60000-0x00007FF616051000-memory.dmp	xmrig
behavioral2/memory/4188-1996-0x00007FF6B0420000-0x00007FF6B0811000-memory.dmp	xmrig
behavioral2/memory/5004-1998-0x00007FF7097B0000-0x00007FF709BA1000-memory.dmp	xmrig
behavioral2/memory/4916-2002-0x00007FF7648A0000-0x00007FF764C91000-memory.dmp	xmrig
behavioral2/memory/1764-2032-0x00007FF62E200000-0x00007FF62E5F1000-memory.dmp	xmrig
behavioral2/memory/3116-2034-0x00007FF64AE90000-0x00007FF64B281000-memory.dmp	xmrig
behavioral2/memory/3228-2035-0x00007FF61F0E0000-0x00007FF61F4D1000-memory.dmp	xmrig
behavioral2/memory/2964-2033-0x00007FF702880000-0x00007FF702C71000-memory.dmp	xmrig
behavioral2/memory/2648-2043-0x00007FF704A80000-0x00007FF704E71000-memory.dmp	xmrig
behavioral2/memory/1064-2048-0x00007FF769F40000-0x00007FF76A331000-memory.dmp	xmrig
behavioral2/memory/2948-2054-0x00007FF61AA30000-0x00007FF61AE21000-memory.dmp	xmrig
behavioral2/memory/2812-2052-0x00007FF65EC30000-0x00007FF65F021000-memory.dmp	xmrig
behavioral2/memory/4188-2050-0x00007FF6B0420000-0x00007FF6B0811000-memory.dmp	xmrig
behavioral2/memory/5004-2062-0x00007FF7097B0000-0x00007FF709BA1000-memory.dmp	xmrig
behavioral2/memory/2964-2060-0x00007FF702880000-0x00007FF702C71000-memory.dmp	xmrig
behavioral2/memory/3116-2058-0x00007FF64AE90000-0x00007FF64B281000-memory.dmp	xmrig
behavioral2/memory/4916-2056-0x00007FF7648A0000-0x00007FF764C91000-memory.dmp	xmrig
behavioral2/memory/1764-2068-0x00007FF62E200000-0x00007FF62E5F1000-memory.dmp	xmrig
behavioral2/memory/2648-2067-0x00007FF704A80000-0x00007FF704E71000-memory.dmp	xmrig
behavioral2/memory/3228-2064-0x00007FF61F0E0000-0x00007FF61F4D1000-memory.dmp	xmrig
behavioral2/memory/688-2093-0x00007FF7AB440000-0x00007FF7AB831000-memory.dmp	xmrig
behavioral2/memory/3004-2091-0x00007FF7EF290000-0x00007FF7EF681000-memory.dmp	xmrig
behavioral2/memory/3936-2085-0x00007FF6FABA0000-0x00007FF6FAF91000-memory.dmp	xmrig
behavioral2/memory/2612-2082-0x00007FF6C8C20000-0x00007FF6C9011000-memory.dmp	xmrig
behavioral2/memory/2976-2099-0x00007FF6D01C0000-0x00007FF6D05B1000-memory.dmp	xmrig
behavioral2/memory/1352-2078-0x00007FF76A140000-0x00007FF76A531000-memory.dmp	xmrig
behavioral2/memory/3288-2076-0x00007FF642690000-0x00007FF642A81000-memory.dmp	xmrig
behavioral2/memory/4400-2097-0x00007FF6C4EB0000-0x00007FF6C52A1000-memory.dmp	xmrig
behavioral2/memory/3508-2089-0x00007FF7E99A0000-0x00007FF7E9D91000-memory.dmp	xmrig
behavioral2/memory/4276-2087-0x00007FF616110000-0x00007FF616501000-memory.dmp	xmrig
behavioral2/memory/2360-2080-0x00007FF7B5B40000-0x00007FF7B5F31000-memory.dmp	xmrig
behavioral2/memory/1588-2075-0x00007FF6B5C30000-0x00007FF6B6021000-memory.dmp	xmrig
behavioral2/memory/4528-2072-0x00007FF6653A0000-0x00007FF665791000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1064	JJPQNWo.exe
2948	wEdzqam.exe
4188	ACOmNcf.exe
5004	VhyJzXQ.exe
4916	RUpNUlx.exe
2812	HElIPrl.exe
2964	FnhMMto.exe
3116	YdQuEYw.exe
1764	GXsXufJ.exe
3228	QdHMnVZ.exe
2648	SgEdcgc.exe
1588	xmXhQrX.exe
1352	RmPjvvb.exe
2360	KVRzawl.exe
4528	eJizKdY.exe
3288	wkfRdVN.exe
4400	cfkDvZc.exe
2976	AJwypVh.exe
2612	gfxsvFf.exe
688	HBXVpqN.exe
3004	JhwuXbK.exe
4276	DIQdlzc.exe
3508	aDGwsuy.exe
3936	rIClCsi.exe
4696	PWKCfuJ.exe
1924	THalJRj.exe
1044	KQcilbT.exe
1820	RIdNZtG.exe
812	VZINdCU.exe
1736	HzplDfg.exe
1092	RngAXet.exe
3924	XuXueCW.exe
4384	VpZwCYt.exe
1476	YPqSxWx.exe
3988	cTtSxzj.exe
3216	OAeUmQs.exe
3276	RaKrGkh.exe
4328	YWVbQPV.exe
3232	sTemmmy.exe
3052	kuWJgZS.exe
5084	EKasyOT.exe
1604	MFOeTnm.exe
4932	rWaTcsl.exe
3204	jjMlElR.exe
1076	oexTLfT.exe
1052	sPshuCh.exe
1824	SedbMxx.exe
2000	uWkxNPy.exe
2592	miGQzyE.exe
4344	XvYffxz.exe
1712	vcMHcdK.exe
1068	PzDkQPx.exe
4844	zYUhtzI.exe
3576	ONntCqK.exe
1248	UVfZtBb.exe
752	WbIFWYu.exe
3668	FBScQhZ.exe
4236	bGqjAqg.exe
3764	kJnyzft.exe
3512	HQbfDDt.exe
2032	gcphSFz.exe
4860	QjcBmqQ.exe
3872	qTPxAyq.exe
3456	MhvTiJp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-0-0x00007FF615C60000-0x00007FF616051000-memory.dmp	upx
behavioral2/files/0x0008000000023426-5.dat	upx
behavioral2/files/0x000700000002342a-9.dat	upx
behavioral2/memory/2948-13-0x00007FF61AA30000-0x00007FF61AE21000-memory.dmp	upx
behavioral2/memory/4188-14-0x00007FF6B0420000-0x00007FF6B0811000-memory.dmp	upx
behavioral2/files/0x000700000002342b-12.dat	upx
behavioral2/memory/1064-11-0x00007FF769F40000-0x00007FF76A331000-memory.dmp	upx
behavioral2/files/0x0008000000023427-22.dat	upx
behavioral2/files/0x000700000002342c-21.dat	upx
behavioral2/memory/5004-32-0x00007FF7097B0000-0x00007FF709BA1000-memory.dmp	upx
behavioral2/memory/4916-35-0x00007FF7648A0000-0x00007FF764C91000-memory.dmp	upx
behavioral2/memory/2812-36-0x00007FF65EC30000-0x00007FF65F021000-memory.dmp	upx
behavioral2/files/0x000700000002342d-29.dat	upx
behavioral2/files/0x0007000000023430-46.dat	upx
behavioral2/memory/2964-47-0x00007FF702880000-0x00007FF702C71000-memory.dmp	upx
behavioral2/files/0x000700000002342f-56.dat	upx
behavioral2/memory/3228-63-0x00007FF61F0E0000-0x00007FF61F4D1000-memory.dmp	upx
behavioral2/memory/2648-66-0x00007FF704A80000-0x00007FF704E71000-memory.dmp	upx
behavioral2/files/0x0007000000023434-74.dat	upx
behavioral2/files/0x0007000000023436-90.dat	upx
behavioral2/files/0x0007000000023439-99.dat	upx
behavioral2/files/0x000700000002343c-120.dat	upx
behavioral2/files/0x000700000002343f-135.dat	upx
behavioral2/files/0x0007000000023446-164.dat	upx
behavioral2/memory/2360-493-0x00007FF7B5B40000-0x00007FF7B5F31000-memory.dmp	upx
behavioral2/memory/4528-499-0x00007FF6653A0000-0x00007FF665791000-memory.dmp	upx
behavioral2/memory/3288-509-0x00007FF642690000-0x00007FF642A81000-memory.dmp	upx
behavioral2/memory/1352-492-0x00007FF76A140000-0x00007FF76A531000-memory.dmp	upx
behavioral2/memory/1588-489-0x00007FF6B5C30000-0x00007FF6B6021000-memory.dmp	upx
behavioral2/memory/2976-517-0x00007FF6D01C0000-0x00007FF6D05B1000-memory.dmp	upx
behavioral2/memory/2612-522-0x00007FF6C8C20000-0x00007FF6C9011000-memory.dmp	upx
behavioral2/memory/4276-532-0x00007FF616110000-0x00007FF616501000-memory.dmp	upx
behavioral2/memory/3004-528-0x00007FF7EF290000-0x00007FF7EF681000-memory.dmp	upx
behavioral2/memory/688-527-0x00007FF7AB440000-0x00007FF7AB831000-memory.dmp	upx
behavioral2/memory/4400-511-0x00007FF6C4EB0000-0x00007FF6C52A1000-memory.dmp	upx
behavioral2/files/0x0007000000023448-173.dat	upx
behavioral2/files/0x0007000000023447-168.dat	upx
behavioral2/files/0x0007000000023445-162.dat	upx
behavioral2/files/0x0007000000023444-160.dat	upx
behavioral2/files/0x0007000000023443-155.dat	upx
behavioral2/files/0x0007000000023442-147.dat	upx
behavioral2/files/0x0007000000023441-142.dat	upx
behavioral2/files/0x0007000000023440-137.dat	upx
behavioral2/files/0x000700000002343e-127.dat	upx
behavioral2/memory/3936-548-0x00007FF6FABA0000-0x00007FF6FAF91000-memory.dmp	upx
behavioral2/memory/3508-547-0x00007FF7E99A0000-0x00007FF7E9D91000-memory.dmp	upx
behavioral2/files/0x000700000002343d-125.dat	upx
behavioral2/files/0x000700000002343b-115.dat	upx
behavioral2/files/0x000700000002343a-110.dat	upx
behavioral2/files/0x0007000000023438-97.dat	upx
behavioral2/files/0x0007000000023437-95.dat	upx
behavioral2/files/0x0007000000023435-85.dat	upx
behavioral2/files/0x0007000000023433-72.dat	upx
behavioral2/files/0x0007000000023432-70.dat	upx
behavioral2/files/0x0007000000023431-64.dat	upx
behavioral2/memory/1764-60-0x00007FF62E200000-0x00007FF62E5F1000-memory.dmp	upx
behavioral2/files/0x000700000002342e-55.dat	upx
behavioral2/memory/3116-49-0x00007FF64AE90000-0x00007FF64B281000-memory.dmp	upx
behavioral2/memory/4608-1170-0x00007FF615C60000-0x00007FF616051000-memory.dmp	upx
behavioral2/memory/1064-1171-0x00007FF769F40000-0x00007FF76A331000-memory.dmp	upx
behavioral2/memory/2948-1640-0x00007FF61AA30000-0x00007FF61AE21000-memory.dmp	upx
behavioral2/memory/4608-1994-0x00007FF615C60000-0x00007FF616051000-memory.dmp	upx
behavioral2/memory/4188-1996-0x00007FF6B0420000-0x00007FF6B0811000-memory.dmp	upx
behavioral2/memory/5004-1998-0x00007FF7097B0000-0x00007FF709BA1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\dVxBIPX.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\gXcNvSS.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\FtpsPGS.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\xLygFAF.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\tFKnWqw.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\ZkQTaEI.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\XuXueCW.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\LihQwWs.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\sPwsQpQ.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\JAoDUhY.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\lmjGdFE.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\GfuDRRa.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\rklBNFW.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\XsYASCW.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\BGTaLkI.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\gatLkmp.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\GQBqRdG.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\eJizKdY.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\RlTFVXG.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\CiNKcfO.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\JUodIrK.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\kMzMZRH.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\XTWXDnv.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\ZPJVgFG.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\oNBUsox.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\CbrZNoi.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\BHMRhLb.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\TOISJON.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\PAavUlW.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\pQyhXex.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\pcVacLs.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\XfixxiF.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\YNaSmns.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\cNnOudh.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\KvvXZjr.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\HpBGzvA.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\TBUlPcT.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\LYufwmg.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\FAXiGBa.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\YfZkkgN.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\hhXuhxb.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\BrFHSKX.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\HzplDfg.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\cQOAKXg.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\dlIsTwN.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\kOqxYsR.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\PlOIojU.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\HVvWPFP.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\RGKfMuS.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\kmbrRCJ.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\ozOhcQy.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\IOEwUZi.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\DfRnJnS.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\bItnVZb.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\ZXKYJpP.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\XNbmfIs.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\BjxhWlw.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\xlMaRrD.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\VhyJzXQ.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\kuWJgZS.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\YUvmLTy.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\blzLQEk.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\tpZehyk.exe	00a4fd87c3a488cf84f64b2679469530N.exe
File created	C:\Windows\System32\VKSApGv.exe	00a4fd87c3a488cf84f64b2679469530N.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13072	dwm.exe
Token: SeChangeNotifyPrivilege	13072	dwm.exe
Token: 33	13072	dwm.exe
Token: SeIncBasePriorityPrivilege	13072	dwm.exe
Token: SeShutdownPrivilege	13072	dwm.exe
Token: SeCreatePagefilePrivilege	13072	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 1064	4608	00a4fd87c3a488cf84f64b2679469530N.exe	85
PID 4608 wrote to memory of 1064	4608	00a4fd87c3a488cf84f64b2679469530N.exe	85
PID 4608 wrote to memory of 2948	4608	00a4fd87c3a488cf84f64b2679469530N.exe	86
PID 4608 wrote to memory of 2948	4608	00a4fd87c3a488cf84f64b2679469530N.exe	86
PID 4608 wrote to memory of 4188	4608	00a4fd87c3a488cf84f64b2679469530N.exe	87
PID 4608 wrote to memory of 4188	4608	00a4fd87c3a488cf84f64b2679469530N.exe	87
PID 4608 wrote to memory of 5004	4608	00a4fd87c3a488cf84f64b2679469530N.exe	88
PID 4608 wrote to memory of 5004	4608	00a4fd87c3a488cf84f64b2679469530N.exe	88
PID 4608 wrote to memory of 4916	4608	00a4fd87c3a488cf84f64b2679469530N.exe	89
PID 4608 wrote to memory of 4916	4608	00a4fd87c3a488cf84f64b2679469530N.exe	89
PID 4608 wrote to memory of 2812	4608	00a4fd87c3a488cf84f64b2679469530N.exe	90
PID 4608 wrote to memory of 2812	4608	00a4fd87c3a488cf84f64b2679469530N.exe	90
PID 4608 wrote to memory of 2964	4608	00a4fd87c3a488cf84f64b2679469530N.exe	91
PID 4608 wrote to memory of 2964	4608	00a4fd87c3a488cf84f64b2679469530N.exe	91
PID 4608 wrote to memory of 3116	4608	00a4fd87c3a488cf84f64b2679469530N.exe	92
PID 4608 wrote to memory of 3116	4608	00a4fd87c3a488cf84f64b2679469530N.exe	92
PID 4608 wrote to memory of 1764	4608	00a4fd87c3a488cf84f64b2679469530N.exe	93
PID 4608 wrote to memory of 1764	4608	00a4fd87c3a488cf84f64b2679469530N.exe	93
PID 4608 wrote to memory of 3228	4608	00a4fd87c3a488cf84f64b2679469530N.exe	94
PID 4608 wrote to memory of 3228	4608	00a4fd87c3a488cf84f64b2679469530N.exe	94
PID 4608 wrote to memory of 2648	4608	00a4fd87c3a488cf84f64b2679469530N.exe	95
PID 4608 wrote to memory of 2648	4608	00a4fd87c3a488cf84f64b2679469530N.exe	95
PID 4608 wrote to memory of 1588	4608	00a4fd87c3a488cf84f64b2679469530N.exe	96
PID 4608 wrote to memory of 1588	4608	00a4fd87c3a488cf84f64b2679469530N.exe	96
PID 4608 wrote to memory of 1352	4608	00a4fd87c3a488cf84f64b2679469530N.exe	97
PID 4608 wrote to memory of 1352	4608	00a4fd87c3a488cf84f64b2679469530N.exe	97
PID 4608 wrote to memory of 2360	4608	00a4fd87c3a488cf84f64b2679469530N.exe	98
PID 4608 wrote to memory of 2360	4608	00a4fd87c3a488cf84f64b2679469530N.exe	98
PID 4608 wrote to memory of 4528	4608	00a4fd87c3a488cf84f64b2679469530N.exe	99
PID 4608 wrote to memory of 4528	4608	00a4fd87c3a488cf84f64b2679469530N.exe	99
PID 4608 wrote to memory of 3288	4608	00a4fd87c3a488cf84f64b2679469530N.exe	100
PID 4608 wrote to memory of 3288	4608	00a4fd87c3a488cf84f64b2679469530N.exe	100
PID 4608 wrote to memory of 4400	4608	00a4fd87c3a488cf84f64b2679469530N.exe	101
PID 4608 wrote to memory of 4400	4608	00a4fd87c3a488cf84f64b2679469530N.exe	101
PID 4608 wrote to memory of 2976	4608	00a4fd87c3a488cf84f64b2679469530N.exe	102
PID 4608 wrote to memory of 2976	4608	00a4fd87c3a488cf84f64b2679469530N.exe	102
PID 4608 wrote to memory of 2612	4608	00a4fd87c3a488cf84f64b2679469530N.exe	103
PID 4608 wrote to memory of 2612	4608	00a4fd87c3a488cf84f64b2679469530N.exe	103
PID 4608 wrote to memory of 688	4608	00a4fd87c3a488cf84f64b2679469530N.exe	104
PID 4608 wrote to memory of 688	4608	00a4fd87c3a488cf84f64b2679469530N.exe	104
PID 4608 wrote to memory of 3004	4608	00a4fd87c3a488cf84f64b2679469530N.exe	105
PID 4608 wrote to memory of 3004	4608	00a4fd87c3a488cf84f64b2679469530N.exe	105
PID 4608 wrote to memory of 4276	4608	00a4fd87c3a488cf84f64b2679469530N.exe	106
PID 4608 wrote to memory of 4276	4608	00a4fd87c3a488cf84f64b2679469530N.exe	106
PID 4608 wrote to memory of 3508	4608	00a4fd87c3a488cf84f64b2679469530N.exe	107
PID 4608 wrote to memory of 3508	4608	00a4fd87c3a488cf84f64b2679469530N.exe	107
PID 4608 wrote to memory of 3936	4608	00a4fd87c3a488cf84f64b2679469530N.exe	108
PID 4608 wrote to memory of 3936	4608	00a4fd87c3a488cf84f64b2679469530N.exe	108
PID 4608 wrote to memory of 4696	4608	00a4fd87c3a488cf84f64b2679469530N.exe	109
PID 4608 wrote to memory of 4696	4608	00a4fd87c3a488cf84f64b2679469530N.exe	109
PID 4608 wrote to memory of 1924	4608	00a4fd87c3a488cf84f64b2679469530N.exe	110
PID 4608 wrote to memory of 1924	4608	00a4fd87c3a488cf84f64b2679469530N.exe	110
PID 4608 wrote to memory of 1044	4608	00a4fd87c3a488cf84f64b2679469530N.exe	111
PID 4608 wrote to memory of 1044	4608	00a4fd87c3a488cf84f64b2679469530N.exe	111
PID 4608 wrote to memory of 1820	4608	00a4fd87c3a488cf84f64b2679469530N.exe	112
PID 4608 wrote to memory of 1820	4608	00a4fd87c3a488cf84f64b2679469530N.exe	112
PID 4608 wrote to memory of 812	4608	00a4fd87c3a488cf84f64b2679469530N.exe	113
PID 4608 wrote to memory of 812	4608	00a4fd87c3a488cf84f64b2679469530N.exe	113
PID 4608 wrote to memory of 1736	4608	00a4fd87c3a488cf84f64b2679469530N.exe	114
PID 4608 wrote to memory of 1736	4608	00a4fd87c3a488cf84f64b2679469530N.exe	114
PID 4608 wrote to memory of 1092	4608	00a4fd87c3a488cf84f64b2679469530N.exe	115
PID 4608 wrote to memory of 1092	4608	00a4fd87c3a488cf84f64b2679469530N.exe	115
PID 4608 wrote to memory of 3924	4608	00a4fd87c3a488cf84f64b2679469530N.exe	116
PID 4608 wrote to memory of 3924	4608	00a4fd87c3a488cf84f64b2679469530N.exe	116

C:\Users\Admin\AppData\Local\Temp\00a4fd87c3a488cf84f64b2679469530N.exe
"C:\Users\Admin\AppData\Local\Temp\00a4fd87c3a488cf84f64b2679469530N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\System32\JJPQNWo.exe
  C:\Windows\System32\JJPQNWo.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System32\wEdzqam.exe
  C:\Windows\System32\wEdzqam.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System32\ACOmNcf.exe
  C:\Windows\System32\ACOmNcf.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System32\VhyJzXQ.exe
  C:\Windows\System32\VhyJzXQ.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System32\RUpNUlx.exe
  C:\Windows\System32\RUpNUlx.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\HElIPrl.exe
  C:\Windows\System32\HElIPrl.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System32\FnhMMto.exe
  C:\Windows\System32\FnhMMto.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\YdQuEYw.exe
  C:\Windows\System32\YdQuEYw.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System32\GXsXufJ.exe
  C:\Windows\System32\GXsXufJ.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System32\QdHMnVZ.exe
  C:\Windows\System32\QdHMnVZ.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System32\SgEdcgc.exe
  C:\Windows\System32\SgEdcgc.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\xmXhQrX.exe
  C:\Windows\System32\xmXhQrX.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\RmPjvvb.exe
  C:\Windows\System32\RmPjvvb.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System32\KVRzawl.exe
  C:\Windows\System32\KVRzawl.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System32\eJizKdY.exe
  C:\Windows\System32\eJizKdY.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\wkfRdVN.exe
  C:\Windows\System32\wkfRdVN.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System32\cfkDvZc.exe
  C:\Windows\System32\cfkDvZc.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\AJwypVh.exe
  C:\Windows\System32\AJwypVh.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System32\gfxsvFf.exe
  C:\Windows\System32\gfxsvFf.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System32\HBXVpqN.exe
  C:\Windows\System32\HBXVpqN.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System32\JhwuXbK.exe
  C:\Windows\System32\JhwuXbK.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System32\DIQdlzc.exe
  C:\Windows\System32\DIQdlzc.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System32\aDGwsuy.exe
  C:\Windows\System32\aDGwsuy.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System32\rIClCsi.exe
  C:\Windows\System32\rIClCsi.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System32\PWKCfuJ.exe
  C:\Windows\System32\PWKCfuJ.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\THalJRj.exe
  C:\Windows\System32\THalJRj.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\KQcilbT.exe
  C:\Windows\System32\KQcilbT.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System32\RIdNZtG.exe
  C:\Windows\System32\RIdNZtG.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System32\VZINdCU.exe
  C:\Windows\System32\VZINdCU.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System32\HzplDfg.exe
  C:\Windows\System32\HzplDfg.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System32\RngAXet.exe
  C:\Windows\System32\RngAXet.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System32\XuXueCW.exe
  C:\Windows\System32\XuXueCW.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\VpZwCYt.exe
  C:\Windows\System32\VpZwCYt.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\YPqSxWx.exe
  C:\Windows\System32\YPqSxWx.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System32\cTtSxzj.exe
  C:\Windows\System32\cTtSxzj.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\OAeUmQs.exe
  C:\Windows\System32\OAeUmQs.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\RaKrGkh.exe
  C:\Windows\System32\RaKrGkh.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System32\YWVbQPV.exe
  C:\Windows\System32\YWVbQPV.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\sTemmmy.exe
  C:\Windows\System32\sTemmmy.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System32\kuWJgZS.exe
  C:\Windows\System32\kuWJgZS.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\EKasyOT.exe
  C:\Windows\System32\EKasyOT.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\MFOeTnm.exe
  C:\Windows\System32\MFOeTnm.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System32\rWaTcsl.exe
  C:\Windows\System32\rWaTcsl.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\jjMlElR.exe
  C:\Windows\System32\jjMlElR.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\oexTLfT.exe
  C:\Windows\System32\oexTLfT.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\sPshuCh.exe
  C:\Windows\System32\sPshuCh.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System32\SedbMxx.exe
  C:\Windows\System32\SedbMxx.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System32\uWkxNPy.exe
  C:\Windows\System32\uWkxNPy.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System32\miGQzyE.exe
  C:\Windows\System32\miGQzyE.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System32\XvYffxz.exe
  C:\Windows\System32\XvYffxz.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\vcMHcdK.exe
  C:\Windows\System32\vcMHcdK.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System32\PzDkQPx.exe
  C:\Windows\System32\PzDkQPx.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System32\zYUhtzI.exe
  C:\Windows\System32\zYUhtzI.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System32\ONntCqK.exe
  C:\Windows\System32\ONntCqK.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System32\UVfZtBb.exe
  C:\Windows\System32\UVfZtBb.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System32\WbIFWYu.exe
  C:\Windows\System32\WbIFWYu.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System32\FBScQhZ.exe
  C:\Windows\System32\FBScQhZ.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System32\bGqjAqg.exe
  C:\Windows\System32\bGqjAqg.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\kJnyzft.exe
  C:\Windows\System32\kJnyzft.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\HQbfDDt.exe
  C:\Windows\System32\HQbfDDt.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\gcphSFz.exe
  C:\Windows\System32\gcphSFz.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System32\QjcBmqQ.exe
  C:\Windows\System32\QjcBmqQ.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\qTPxAyq.exe
  C:\Windows\System32\qTPxAyq.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System32\MhvTiJp.exe
  C:\Windows\System32\MhvTiJp.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\SBQmSil.exe
  C:\Windows\System32\SBQmSil.exe
  2⤵
  PID:1844
- C:\Windows\System32\QNezpLa.exe
  C:\Windows\System32\QNezpLa.exe
  2⤵
  PID:4612
- C:\Windows\System32\KTYgTKw.exe
  C:\Windows\System32\KTYgTKw.exe
  2⤵
  PID:404
- C:\Windows\System32\kJqUltX.exe
  C:\Windows\System32\kJqUltX.exe
  2⤵
  PID:3448
- C:\Windows\System32\GfuDRRa.exe
  C:\Windows\System32\GfuDRRa.exe
  2⤵
  PID:1124
- C:\Windows\System32\GryIhhD.exe
  C:\Windows\System32\GryIhhD.exe
  2⤵
  PID:3584
- C:\Windows\System32\PxnNWNf.exe
  C:\Windows\System32\PxnNWNf.exe
  2⤵
  PID:5100
- C:\Windows\System32\enJPCvr.exe
  C:\Windows\System32\enJPCvr.exe
  2⤵
  PID:4140
- C:\Windows\System32\jhGgRti.exe
  C:\Windows\System32\jhGgRti.exe
  2⤵
  PID:3636
- C:\Windows\System32\vtVUhxx.exe
  C:\Windows\System32\vtVUhxx.exe
  2⤵
  PID:3956
- C:\Windows\System32\dVxBIPX.exe
  C:\Windows\System32\dVxBIPX.exe
  2⤵
  PID:3596
- C:\Windows\System32\cNnOudh.exe
  C:\Windows\System32\cNnOudh.exe
  2⤵
  PID:2572
- C:\Windows\System32\esuahLu.exe
  C:\Windows\System32\esuahLu.exe
  2⤵
  PID:1056
- C:\Windows\System32\wEhdhIC.exe
  C:\Windows\System32\wEhdhIC.exe
  2⤵
  PID:2728
- C:\Windows\System32\IgLcPTA.exe
  C:\Windows\System32\IgLcPTA.exe
  2⤵
  PID:4464
- C:\Windows\System32\pQyhXex.exe
  C:\Windows\System32\pQyhXex.exe
  2⤵
  PID:3388
- C:\Windows\System32\iGTsoRy.exe
  C:\Windows\System32\iGTsoRy.exe
  2⤵
  PID:3056
- C:\Windows\System32\AeKVqyo.exe
  C:\Windows\System32\AeKVqyo.exe
  2⤵
  PID:1716
- C:\Windows\System32\MuEztWh.exe
  C:\Windows\System32\MuEztWh.exe
  2⤵
  PID:3684
- C:\Windows\System32\RGKfMuS.exe
  C:\Windows\System32\RGKfMuS.exe
  2⤵
  PID:1040
- C:\Windows\System32\NPgzhqN.exe
  C:\Windows\System32\NPgzhqN.exe
  2⤵
  PID:4336
- C:\Windows\System32\LquEQNm.exe
  C:\Windows\System32\LquEQNm.exe
  2⤵
  PID:3084
- C:\Windows\System32\cKXBvLh.exe
  C:\Windows\System32\cKXBvLh.exe
  2⤵
  PID:5132
- C:\Windows\System32\VxUAnLL.exe
  C:\Windows\System32\VxUAnLL.exe
  2⤵
  PID:5156
- C:\Windows\System32\XNGCHGv.exe
  C:\Windows\System32\XNGCHGv.exe
  2⤵
  PID:5188
- C:\Windows\System32\eTQdfqe.exe
  C:\Windows\System32\eTQdfqe.exe
  2⤵
  PID:5216
- C:\Windows\System32\KqzqoPO.exe
  C:\Windows\System32\KqzqoPO.exe
  2⤵
  PID:5240
- C:\Windows\System32\LEXHdkR.exe
  C:\Windows\System32\LEXHdkR.exe
  2⤵
  PID:5272
- C:\Windows\System32\fnEAalC.exe
  C:\Windows\System32\fnEAalC.exe
  2⤵
  PID:5296
- C:\Windows\System32\YUvmLTy.exe
  C:\Windows\System32\YUvmLTy.exe
  2⤵
  PID:5324
- C:\Windows\System32\QRTPgcq.exe
  C:\Windows\System32\QRTPgcq.exe
  2⤵
  PID:5356
- C:\Windows\System32\QJqsWHE.exe
  C:\Windows\System32\QJqsWHE.exe
  2⤵
  PID:5384
- C:\Windows\System32\vqAqZGc.exe
  C:\Windows\System32\vqAqZGc.exe
  2⤵
  PID:5408
- C:\Windows\System32\fdSPTSF.exe
  C:\Windows\System32\fdSPTSF.exe
  2⤵
  PID:5440
- C:\Windows\System32\sahpChQ.exe
  C:\Windows\System32\sahpChQ.exe
  2⤵
  PID:5464
- C:\Windows\System32\KsbBuoV.exe
  C:\Windows\System32\KsbBuoV.exe
  2⤵
  PID:5496
- C:\Windows\System32\SdsMMAk.exe
  C:\Windows\System32\SdsMMAk.exe
  2⤵
  PID:5524
- C:\Windows\System32\kmbrRCJ.exe
  C:\Windows\System32\kmbrRCJ.exe
  2⤵
  PID:5552
- C:\Windows\System32\mIoAYPR.exe
  C:\Windows\System32\mIoAYPR.exe
  2⤵
  PID:5576
- C:\Windows\System32\tiahdnM.exe
  C:\Windows\System32\tiahdnM.exe
  2⤵
  PID:5604
- C:\Windows\System32\IbgmgMJ.exe
  C:\Windows\System32\IbgmgMJ.exe
  2⤵
  PID:5636
- C:\Windows\System32\GIwJaYu.exe
  C:\Windows\System32\GIwJaYu.exe
  2⤵
  PID:5664
- C:\Windows\System32\CbrZNoi.exe
  C:\Windows\System32\CbrZNoi.exe
  2⤵
  PID:5688
- C:\Windows\System32\ZVjoyOr.exe
  C:\Windows\System32\ZVjoyOr.exe
  2⤵
  PID:5720
- C:\Windows\System32\MxnLBly.exe
  C:\Windows\System32\MxnLBly.exe
  2⤵
  PID:5744
- C:\Windows\System32\tdvUJRm.exe
  C:\Windows\System32\tdvUJRm.exe
  2⤵
  PID:5776
- C:\Windows\System32\YSfrUdE.exe
  C:\Windows\System32\YSfrUdE.exe
  2⤵
  PID:5800
- C:\Windows\System32\guwYMiz.exe
  C:\Windows\System32\guwYMiz.exe
  2⤵
  PID:5832
- C:\Windows\System32\BmrdysM.exe
  C:\Windows\System32\BmrdysM.exe
  2⤵
  PID:5860
- C:\Windows\System32\qpdHQFJ.exe
  C:\Windows\System32\qpdHQFJ.exe
  2⤵
  PID:5884
- C:\Windows\System32\BVyLFsk.exe
  C:\Windows\System32\BVyLFsk.exe
  2⤵
  PID:5916
- C:\Windows\System32\bhUWpZk.exe
  C:\Windows\System32\bhUWpZk.exe
  2⤵
  PID:5940
- C:\Windows\System32\YhhYcXd.exe
  C:\Windows\System32\YhhYcXd.exe
  2⤵
  PID:5972
- C:\Windows\System32\XHrPnBa.exe
  C:\Windows\System32\XHrPnBa.exe
  2⤵
  PID:6000
- C:\Windows\System32\dmUjkOj.exe
  C:\Windows\System32\dmUjkOj.exe
  2⤵
  PID:6024
- C:\Windows\System32\XvotKSf.exe
  C:\Windows\System32\XvotKSf.exe
  2⤵
  PID:6056
- C:\Windows\System32\gmqxrAX.exe
  C:\Windows\System32\gmqxrAX.exe
  2⤵
  PID:6080
- C:\Windows\System32\GShCGcB.exe
  C:\Windows\System32\GShCGcB.exe
  2⤵
  PID:6116
- C:\Windows\System32\ozOhcQy.exe
  C:\Windows\System32\ozOhcQy.exe
  2⤵
  PID:6140
- C:\Windows\System32\gbyRXRd.exe
  C:\Windows\System32\gbyRXRd.exe
  2⤵
  PID:4816
- C:\Windows\System32\nPAzyrx.exe
  C:\Windows\System32\nPAzyrx.exe
  2⤵
  PID:4032
- C:\Windows\System32\HyazCiS.exe
  C:\Windows\System32\HyazCiS.exe
  2⤵
  PID:4704
- C:\Windows\System32\iiDsEBB.exe
  C:\Windows\System32\iiDsEBB.exe
  2⤵
  PID:4068
- C:\Windows\System32\lLeHXTn.exe
  C:\Windows\System32\lLeHXTn.exe
  2⤵
  PID:5164
- C:\Windows\System32\lOtrnBL.exe
  C:\Windows\System32\lOtrnBL.exe
  2⤵
  PID:5224
- C:\Windows\System32\BphACha.exe
  C:\Windows\System32\BphACha.exe
  2⤵
  PID:5284
- C:\Windows\System32\cQOAKXg.exe
  C:\Windows\System32\cQOAKXg.exe
  2⤵
  PID:5320
- C:\Windows\System32\pShIiSK.exe
  C:\Windows\System32\pShIiSK.exe
  2⤵
  PID:5392
- C:\Windows\System32\wddWcij.exe
  C:\Windows\System32\wddWcij.exe
  2⤵
  PID:5452
- C:\Windows\System32\ebJLgPp.exe
  C:\Windows\System32\ebJLgPp.exe
  2⤵
  PID:5516
- C:\Windows\System32\kdwoISW.exe
  C:\Windows\System32\kdwoISW.exe
  2⤵
  PID:5572
- C:\Windows\System32\dlIsTwN.exe
  C:\Windows\System32\dlIsTwN.exe
  2⤵
  PID:5656
- C:\Windows\System32\blzLQEk.exe
  C:\Windows\System32\blzLQEk.exe
  2⤵
  PID:5696
- C:\Windows\System32\BHMRhLb.exe
  C:\Windows\System32\BHMRhLb.exe
  2⤵
  PID:1728
- C:\Windows\System32\EaHCSgu.exe
  C:\Windows\System32\EaHCSgu.exe
  2⤵
  PID:5788
- C:\Windows\System32\mjmDZSg.exe
  C:\Windows\System32\mjmDZSg.exe
  2⤵
  PID:5868
- C:\Windows\System32\whzSmLI.exe
  C:\Windows\System32\whzSmLI.exe
  2⤵
  PID:5964
- C:\Windows\System32\wCIVlLT.exe
  C:\Windows\System32\wCIVlLT.exe
  2⤵
  PID:5984
- C:\Windows\System32\PoXHhol.exe
  C:\Windows\System32\PoXHhol.exe
  2⤵
  PID:6048
- C:\Windows\System32\jsqqElf.exe
  C:\Windows\System32\jsqqElf.exe
  2⤵
  PID:1996
- C:\Windows\System32\XvBQlMc.exe
  C:\Windows\System32\XvBQlMc.exe
  2⤵
  PID:1240
- C:\Windows\System32\wyRlhiq.exe
  C:\Windows\System32\wyRlhiq.exe
  2⤵
  PID:3400
- C:\Windows\System32\oJJfZom.exe
  C:\Windows\System32\oJJfZom.exe
  2⤵
  PID:5144
- C:\Windows\System32\WVxdvJL.exe
  C:\Windows\System32\WVxdvJL.exe
  2⤵
  PID:5208
- C:\Windows\System32\qICgerw.exe
  C:\Windows\System32\qICgerw.exe
  2⤵
  PID:5364
- C:\Windows\System32\JhfKHfo.exe
  C:\Windows\System32\JhfKHfo.exe
  2⤵
  PID:5480
- C:\Windows\System32\buGQWxW.exe
  C:\Windows\System32\buGQWxW.exe
  2⤵
  PID:4316
- C:\Windows\System32\YbvJKwQ.exe
  C:\Windows\System32\YbvJKwQ.exe
  2⤵
  PID:5672
- C:\Windows\System32\RVuRilq.exe
  C:\Windows\System32\RVuRilq.exe
  2⤵
  PID:5816
- C:\Windows\System32\dzELqtx.exe
  C:\Windows\System32\dzELqtx.exe
  2⤵
  PID:5900
- C:\Windows\System32\GcSHaBR.exe
  C:\Windows\System32\GcSHaBR.exe
  2⤵
  PID:452
- C:\Windows\System32\TyNGIyJ.exe
  C:\Windows\System32\TyNGIyJ.exe
  2⤵
  PID:4292
- C:\Windows\System32\NUxPOar.exe
  C:\Windows\System32\NUxPOar.exe
  2⤵
  PID:232
- C:\Windows\System32\aSFBTgs.exe
  C:\Windows\System32\aSFBTgs.exe
  2⤵
  PID:6008
- C:\Windows\System32\hFguiFn.exe
  C:\Windows\System32\hFguiFn.exe
  2⤵
  PID:1640
- C:\Windows\System32\YARfllE.exe
  C:\Windows\System32\YARfllE.exe
  2⤵
  PID:2988
- C:\Windows\System32\PMqykfU.exe
  C:\Windows\System32\PMqykfU.exe
  2⤵
  PID:640
- C:\Windows\System32\drownIE.exe
  C:\Windows\System32\drownIE.exe
  2⤵
  PID:5544
- C:\Windows\System32\opCgAkf.exe
  C:\Windows\System32\opCgAkf.exe
  2⤵
  PID:5088
- C:\Windows\System32\JjERhnv.exe
  C:\Windows\System32\JjERhnv.exe
  2⤵
  PID:4996
- C:\Windows\System32\kaTCoqO.exe
  C:\Windows\System32\kaTCoqO.exe
  2⤵
  PID:3192
- C:\Windows\System32\tqolemq.exe
  C:\Windows\System32\tqolemq.exe
  2⤵
  PID:972
- C:\Windows\System32\iLMBiXh.exe
  C:\Windows\System32\iLMBiXh.exe
  2⤵
  PID:6104
- C:\Windows\System32\adXrgiC.exe
  C:\Windows\System32\adXrgiC.exe
  2⤵
  PID:3016
- C:\Windows\System32\zawqvWX.exe
  C:\Windows\System32\zawqvWX.exe
  2⤵
  PID:5712
- C:\Windows\System32\gXcNvSS.exe
  C:\Windows\System32\gXcNvSS.exe
  2⤵
  PID:4420
- C:\Windows\System32\VrxYsZu.exe
  C:\Windows\System32\VrxYsZu.exe
  2⤵
  PID:6164
- C:\Windows\System32\yWWWxAv.exe
  C:\Windows\System32\yWWWxAv.exe
  2⤵
  PID:6196
- C:\Windows\System32\gIDTkNA.exe
  C:\Windows\System32\gIDTkNA.exe
  2⤵
  PID:6228
- C:\Windows\System32\waaBAdU.exe
  C:\Windows\System32\waaBAdU.exe
  2⤵
  PID:6244
- C:\Windows\System32\JLtKkwU.exe
  C:\Windows\System32\JLtKkwU.exe
  2⤵
  PID:6324
- C:\Windows\System32\uuhfOlr.exe
  C:\Windows\System32\uuhfOlr.exe
  2⤵
  PID:6352
- C:\Windows\System32\LInIhVF.exe
  C:\Windows\System32\LInIhVF.exe
  2⤵
  PID:6368
- C:\Windows\System32\cvmDODP.exe
  C:\Windows\System32\cvmDODP.exe
  2⤵
  PID:6388
- C:\Windows\System32\LJZsUmk.exe
  C:\Windows\System32\LJZsUmk.exe
  2⤵
  PID:6412
- C:\Windows\System32\wNYHDaI.exe
  C:\Windows\System32\wNYHDaI.exe
  2⤵
  PID:6428
- C:\Windows\System32\cCfruEh.exe
  C:\Windows\System32\cCfruEh.exe
  2⤵
  PID:6452
- C:\Windows\System32\WrqoHpw.exe
  C:\Windows\System32\WrqoHpw.exe
  2⤵
  PID:6536
- C:\Windows\System32\XmDrbrI.exe
  C:\Windows\System32\XmDrbrI.exe
  2⤵
  PID:6580
- C:\Windows\System32\QOiKrRn.exe
  C:\Windows\System32\QOiKrRn.exe
  2⤵
  PID:6596
- C:\Windows\System32\pRydbbT.exe
  C:\Windows\System32\pRydbbT.exe
  2⤵
  PID:6628
- C:\Windows\System32\KGGtbAJ.exe
  C:\Windows\System32\KGGtbAJ.exe
  2⤵
  PID:6656
- C:\Windows\System32\EtiYujG.exe
  C:\Windows\System32\EtiYujG.exe
  2⤵
  PID:6672
- C:\Windows\System32\vsXWiEZ.exe
  C:\Windows\System32\vsXWiEZ.exe
  2⤵
  PID:6692
- C:\Windows\System32\zWvbovx.exe
  C:\Windows\System32\zWvbovx.exe
  2⤵
  PID:6712
- C:\Windows\System32\NvsMfuh.exe
  C:\Windows\System32\NvsMfuh.exe
  2⤵
  PID:6784
- C:\Windows\System32\kOqxYsR.exe
  C:\Windows\System32\kOqxYsR.exe
  2⤵
  PID:6808
- C:\Windows\System32\uaepXiJ.exe
  C:\Windows\System32\uaepXiJ.exe
  2⤵
  PID:6832
- C:\Windows\System32\GFwnUAK.exe
  C:\Windows\System32\GFwnUAK.exe
  2⤵
  PID:6848
- C:\Windows\System32\tpZehyk.exe
  C:\Windows\System32\tpZehyk.exe
  2⤵
  PID:6868
- C:\Windows\System32\WMyjwYM.exe
  C:\Windows\System32\WMyjwYM.exe
  2⤵
  PID:6888
- C:\Windows\System32\hSHYDDv.exe
  C:\Windows\System32\hSHYDDv.exe
  2⤵
  PID:6904
- C:\Windows\System32\uGwSVZn.exe
  C:\Windows\System32\uGwSVZn.exe
  2⤵
  PID:6932
- C:\Windows\System32\RssUqYt.exe
  C:\Windows\System32\RssUqYt.exe
  2⤵
  PID:6956
- C:\Windows\System32\DOgPCKq.exe
  C:\Windows\System32\DOgPCKq.exe
  2⤵
  PID:7004
- C:\Windows\System32\IqIGpaC.exe
  C:\Windows\System32\IqIGpaC.exe
  2⤵
  PID:7032
- C:\Windows\System32\Imzxrdb.exe
  C:\Windows\System32\Imzxrdb.exe
  2⤵
  PID:7072
- C:\Windows\System32\LSEvzGZ.exe
  C:\Windows\System32\LSEvzGZ.exe
  2⤵
  PID:7104
- C:\Windows\System32\ofugWGk.exe
  C:\Windows\System32\ofugWGk.exe
  2⤵
  PID:7132
- C:\Windows\System32\lClGITk.exe
  C:\Windows\System32\lClGITk.exe
  2⤵
  PID:7148
- C:\Windows\System32\yahrAql.exe
  C:\Windows\System32\yahrAql.exe
  2⤵
  PID:4824
- C:\Windows\System32\eVOkoeW.exe
  C:\Windows\System32\eVOkoeW.exe
  2⤵
  PID:5808
- C:\Windows\System32\FiFtTJz.exe
  C:\Windows\System32\FiFtTJz.exe
  2⤵
  PID:6176
- C:\Windows\System32\NzPvXix.exe
  C:\Windows\System32\NzPvXix.exe
  2⤵
  PID:6204
- C:\Windows\System32\BJjvSnX.exe
  C:\Windows\System32\BJjvSnX.exe
  2⤵
  PID:6304
- C:\Windows\System32\NKFCreY.exe
  C:\Windows\System32\NKFCreY.exe
  2⤵
  PID:6440
- C:\Windows\System32\wrDEHtK.exe
  C:\Windows\System32\wrDEHtK.exe
  2⤵
  PID:6484
- C:\Windows\System32\dKXFzUy.exe
  C:\Windows\System32\dKXFzUy.exe
  2⤵
  PID:6508
- C:\Windows\System32\mApuxhR.exe
  C:\Windows\System32\mApuxhR.exe
  2⤵
  PID:6544
- C:\Windows\System32\tWsmxAE.exe
  C:\Windows\System32\tWsmxAE.exe
  2⤵
  PID:6636
- C:\Windows\System32\BMBqRKv.exe
  C:\Windows\System32\BMBqRKv.exe
  2⤵
  PID:6756
- C:\Windows\System32\jUcFzOY.exe
  C:\Windows\System32\jUcFzOY.exe
  2⤵
  PID:6860
- C:\Windows\System32\BPVzWES.exe
  C:\Windows\System32\BPVzWES.exe
  2⤵
  PID:6884
- C:\Windows\System32\cGOVYui.exe
  C:\Windows\System32\cGOVYui.exe
  2⤵
  PID:6900
- C:\Windows\System32\bqSVpdC.exe
  C:\Windows\System32\bqSVpdC.exe
  2⤵
  PID:7120
- C:\Windows\System32\BpyVohm.exe
  C:\Windows\System32\BpyVohm.exe
  2⤵
  PID:7088
- C:\Windows\System32\PNXHHdr.exe
  C:\Windows\System32\PNXHHdr.exe
  2⤵
  PID:7164
- C:\Windows\System32\PlOIojU.exe
  C:\Windows\System32\PlOIojU.exe
  2⤵
  PID:5248
- C:\Windows\System32\kiFmkOR.exe
  C:\Windows\System32\kiFmkOR.exe
  2⤵
  PID:6240
- C:\Windows\System32\OaGLtNv.exe
  C:\Windows\System32\OaGLtNv.exe
  2⤵
  PID:6384
- C:\Windows\System32\hwrFDsu.exe
  C:\Windows\System32\hwrFDsu.exe
  2⤵
  PID:6408
- C:\Windows\System32\YReyhTm.exe
  C:\Windows\System32\YReyhTm.exe
  2⤵
  PID:6548
- C:\Windows\System32\gTxIdIy.exe
  C:\Windows\System32\gTxIdIy.exe
  2⤵
  PID:6604
- C:\Windows\System32\BzjYBey.exe
  C:\Windows\System32\BzjYBey.exe
  2⤵
  PID:6944
- C:\Windows\System32\VYjUjCg.exe
  C:\Windows\System32\VYjUjCg.exe
  2⤵
  PID:6968
- C:\Windows\System32\ZRUeelk.exe
  C:\Windows\System32\ZRUeelk.exe
  2⤵
  PID:6396
- C:\Windows\System32\kTgFRvi.exe
  C:\Windows\System32\kTgFRvi.exe
  2⤵
  PID:6488
- C:\Windows\System32\CIOxSne.exe
  C:\Windows\System32\CIOxSne.exe
  2⤵
  PID:6360
- C:\Windows\System32\rqAyCQb.exe
  C:\Windows\System32\rqAyCQb.exe
  2⤵
  PID:7184
- C:\Windows\System32\mVgVCaq.exe
  C:\Windows\System32\mVgVCaq.exe
  2⤵
  PID:7204
- C:\Windows\System32\UYZMlBm.exe
  C:\Windows\System32\UYZMlBm.exe
  2⤵
  PID:7228
- C:\Windows\System32\EcvOgRD.exe
  C:\Windows\System32\EcvOgRD.exe
  2⤵
  PID:7244
- C:\Windows\System32\oLnQKWZ.exe
  C:\Windows\System32\oLnQKWZ.exe
  2⤵
  PID:7264
- C:\Windows\System32\uUkdIDj.exe
  C:\Windows\System32\uUkdIDj.exe
  2⤵
  PID:7284
- C:\Windows\System32\LihQwWs.exe
  C:\Windows\System32\LihQwWs.exe
  2⤵
  PID:7300
- C:\Windows\System32\QtXbuzC.exe
  C:\Windows\System32\QtXbuzC.exe
  2⤵
  PID:7340
- C:\Windows\System32\zHqRcaz.exe
  C:\Windows\System32\zHqRcaz.exe
  2⤵
  PID:7404
- C:\Windows\System32\bVNcTTc.exe
  C:\Windows\System32\bVNcTTc.exe
  2⤵
  PID:7424
- C:\Windows\System32\GlelFlv.exe
  C:\Windows\System32\GlelFlv.exe
  2⤵
  PID:7456
- C:\Windows\System32\hysuczm.exe
  C:\Windows\System32\hysuczm.exe
  2⤵
  PID:7480
- C:\Windows\System32\FGrgePU.exe
  C:\Windows\System32\FGrgePU.exe
  2⤵
  PID:7512
- C:\Windows\System32\HBQQQEG.exe
  C:\Windows\System32\HBQQQEG.exe
  2⤵
  PID:7528
- C:\Windows\System32\MepvrYT.exe
  C:\Windows\System32\MepvrYT.exe
  2⤵
  PID:7572
- C:\Windows\System32\dZNrorv.exe
  C:\Windows\System32\dZNrorv.exe
  2⤵
  PID:7588
- C:\Windows\System32\gykozGY.exe
  C:\Windows\System32\gykozGY.exe
  2⤵
  PID:7624
- C:\Windows\System32\xVcdlKw.exe
  C:\Windows\System32\xVcdlKw.exe
  2⤵
  PID:7648
- C:\Windows\System32\RqXobXh.exe
  C:\Windows\System32\RqXobXh.exe
  2⤵
  PID:7664
- C:\Windows\System32\kCjmmBP.exe
  C:\Windows\System32\kCjmmBP.exe
  2⤵
  PID:7688
- C:\Windows\System32\fMYvlll.exe
  C:\Windows\System32\fMYvlll.exe
  2⤵
  PID:7708
- C:\Windows\System32\FtpsPGS.exe
  C:\Windows\System32\FtpsPGS.exe
  2⤵
  PID:7752
- C:\Windows\System32\kowdoGK.exe
  C:\Windows\System32\kowdoGK.exe
  2⤵
  PID:7796
- C:\Windows\System32\HIzfEHO.exe
  C:\Windows\System32\HIzfEHO.exe
  2⤵
  PID:7824
- C:\Windows\System32\RlTFVXG.exe
  C:\Windows\System32\RlTFVXG.exe
  2⤵
  PID:7840
- C:\Windows\System32\mEewmoy.exe
  C:\Windows\System32\mEewmoy.exe
  2⤵
  PID:7860
- C:\Windows\System32\cwHzLUG.exe
  C:\Windows\System32\cwHzLUG.exe
  2⤵
  PID:7884
- C:\Windows\System32\maAJNoY.exe
  C:\Windows\System32\maAJNoY.exe
  2⤵
  PID:7900
- C:\Windows\System32\rYFXdmJ.exe
  C:\Windows\System32\rYFXdmJ.exe
  2⤵
  PID:7940
- C:\Windows\System32\aAmldtG.exe
  C:\Windows\System32\aAmldtG.exe
  2⤵
  PID:7980
- C:\Windows\System32\cxnHhWQ.exe
  C:\Windows\System32\cxnHhWQ.exe
  2⤵
  PID:8004
- C:\Windows\System32\OHlYyOi.exe
  C:\Windows\System32\OHlYyOi.exe
  2⤵
  PID:8044
- C:\Windows\System32\UtLZSLT.exe
  C:\Windows\System32\UtLZSLT.exe
  2⤵
  PID:8060
- C:\Windows\System32\aoJanbd.exe
  C:\Windows\System32\aoJanbd.exe
  2⤵
  PID:8084
- C:\Windows\System32\TzGWAGx.exe
  C:\Windows\System32\TzGWAGx.exe
  2⤵
  PID:8100
- C:\Windows\System32\PzOLCwt.exe
  C:\Windows\System32\PzOLCwt.exe
  2⤵
  PID:8124
- C:\Windows\System32\MmkwRmK.exe
  C:\Windows\System32\MmkwRmK.exe
  2⤵
  PID:8140
- C:\Windows\System32\iKbpQBZ.exe
  C:\Windows\System32\iKbpQBZ.exe
  2⤵
  PID:8184
- C:\Windows\System32\cifKBpz.exe
  C:\Windows\System32\cifKBpz.exe
  2⤵
  PID:7216
- C:\Windows\System32\vOamcsm.exe
  C:\Windows\System32\vOamcsm.exe
  2⤵
  PID:7292
- C:\Windows\System32\qdzUjCI.exe
  C:\Windows\System32\qdzUjCI.exe
  2⤵
  PID:7384
- C:\Windows\System32\ClTTHdo.exe
  C:\Windows\System32\ClTTHdo.exe
  2⤵
  PID:7464
- C:\Windows\System32\kleqbml.exe
  C:\Windows\System32\kleqbml.exe
  2⤵
  PID:7492
- C:\Windows\System32\KQQbbeq.exe
  C:\Windows\System32\KQQbbeq.exe
  2⤵
  PID:7536
- C:\Windows\System32\rklBNFW.exe
  C:\Windows\System32\rklBNFW.exe
  2⤵
  PID:7584
- C:\Windows\System32\fpPRwZF.exe
  C:\Windows\System32\fpPRwZF.exe
  2⤵
  PID:7660
- C:\Windows\System32\MYnygiC.exe
  C:\Windows\System32\MYnygiC.exe
  2⤵
  PID:7676
- C:\Windows\System32\OtFfefz.exe
  C:\Windows\System32\OtFfefz.exe
  2⤵
  PID:7748
- C:\Windows\System32\PyfLyiM.exe
  C:\Windows\System32\PyfLyiM.exe
  2⤵
  PID:7876
- C:\Windows\System32\MZkPjgT.exe
  C:\Windows\System32\MZkPjgT.exe
  2⤵
  PID:7892
- C:\Windows\System32\bnLbjGD.exe
  C:\Windows\System32\bnLbjGD.exe
  2⤵
  PID:7996
- C:\Windows\System32\RjeGgyM.exe
  C:\Windows\System32\RjeGgyM.exe
  2⤵
  PID:8056
- C:\Windows\System32\tNODiaS.exe
  C:\Windows\System32\tNODiaS.exe
  2⤵
  PID:8172
- C:\Windows\System32\aCblRXh.exe
  C:\Windows\System32\aCblRXh.exe
  2⤵
  PID:7296
- C:\Windows\System32\xhUqGul.exe
  C:\Windows\System32\xhUqGul.exe
  2⤵
  PID:7356
- C:\Windows\System32\PgzHMzK.exe
  C:\Windows\System32\PgzHMzK.exe
  2⤵
  PID:7632
- C:\Windows\System32\exrnKRp.exe
  C:\Windows\System32\exrnKRp.exe
  2⤵
  PID:7764
- C:\Windows\System32\LaeYlAf.exe
  C:\Windows\System32\LaeYlAf.exe
  2⤵
  PID:7924
- C:\Windows\System32\oAsxIGg.exe
  C:\Windows\System32\oAsxIGg.exe
  2⤵
  PID:8028
- C:\Windows\System32\AsGlgEC.exe
  C:\Windows\System32\AsGlgEC.exe
  2⤵
  PID:7352
- C:\Windows\System32\HpBGzvA.exe
  C:\Windows\System32\HpBGzvA.exe
  2⤵
  PID:7436
- C:\Windows\System32\TBUlPcT.exe
  C:\Windows\System32\TBUlPcT.exe
  2⤵
  PID:7856
- C:\Windows\System32\wJzjzSI.exe
  C:\Windows\System32\wJzjzSI.exe
  2⤵
  PID:7252
- C:\Windows\System32\nzCvNmG.exe
  C:\Windows\System32\nzCvNmG.exe
  2⤵
  PID:7472
- C:\Windows\System32\qUDrBtL.exe
  C:\Windows\System32\qUDrBtL.exe
  2⤵
  PID:8204
- C:\Windows\System32\ZneFLUw.exe
  C:\Windows\System32\ZneFLUw.exe
  2⤵
  PID:8240
- C:\Windows\System32\gMCdkFA.exe
  C:\Windows\System32\gMCdkFA.exe
  2⤵
  PID:8264
- C:\Windows\System32\hzoFbhN.exe
  C:\Windows\System32\hzoFbhN.exe
  2⤵
  PID:8296
- C:\Windows\System32\Axpuexh.exe
  C:\Windows\System32\Axpuexh.exe
  2⤵
  PID:8336
- C:\Windows\System32\pLhPomA.exe
  C:\Windows\System32\pLhPomA.exe
  2⤵
  PID:8364
- C:\Windows\System32\IOEwUZi.exe
  C:\Windows\System32\IOEwUZi.exe
  2⤵
  PID:8380
- C:\Windows\System32\LYufwmg.exe
  C:\Windows\System32\LYufwmg.exe
  2⤵
  PID:8404
- C:\Windows\System32\osgGrbK.exe
  C:\Windows\System32\osgGrbK.exe
  2⤵
  PID:8424
- C:\Windows\System32\uaBWKYk.exe
  C:\Windows\System32\uaBWKYk.exe
  2⤵
  PID:8448
- C:\Windows\System32\whUvxpe.exe
  C:\Windows\System32\whUvxpe.exe
  2⤵
  PID:8472
- C:\Windows\System32\vBCEqHY.exe
  C:\Windows\System32\vBCEqHY.exe
  2⤵
  PID:8512
- C:\Windows\System32\GaPhkwq.exe
  C:\Windows\System32\GaPhkwq.exe
  2⤵
  PID:8572
- C:\Windows\System32\OddGBum.exe
  C:\Windows\System32\OddGBum.exe
  2⤵
  PID:8592
- C:\Windows\System32\eNDIOpW.exe
  C:\Windows\System32\eNDIOpW.exe
  2⤵
  PID:8620
- C:\Windows\System32\GrhFSap.exe
  C:\Windows\System32\GrhFSap.exe
  2⤵
  PID:8640
- C:\Windows\System32\mYGyHEy.exe
  C:\Windows\System32\mYGyHEy.exe
  2⤵
  PID:8664
- C:\Windows\System32\FAXiGBa.exe
  C:\Windows\System32\FAXiGBa.exe
  2⤵
  PID:8684
- C:\Windows\System32\FTFpKBE.exe
  C:\Windows\System32\FTFpKBE.exe
  2⤵
  PID:8720
- C:\Windows\System32\fOrtGvi.exe
  C:\Windows\System32\fOrtGvi.exe
  2⤵
  PID:8772
- C:\Windows\System32\DTSEbEI.exe
  C:\Windows\System32\DTSEbEI.exe
  2⤵
  PID:8792
- C:\Windows\System32\Glcawxv.exe
  C:\Windows\System32\Glcawxv.exe
  2⤵
  PID:8808
- C:\Windows\System32\ikxEIkc.exe
  C:\Windows\System32\ikxEIkc.exe
  2⤵
  PID:8832
- C:\Windows\System32\AKGZcla.exe
  C:\Windows\System32\AKGZcla.exe
  2⤵
  PID:8848
- C:\Windows\System32\bwlynOD.exe
  C:\Windows\System32\bwlynOD.exe
  2⤵
  PID:8872
- C:\Windows\System32\DfRnJnS.exe
  C:\Windows\System32\DfRnJnS.exe
  2⤵
  PID:8900
- C:\Windows\System32\LQEgtFn.exe
  C:\Windows\System32\LQEgtFn.exe
  2⤵
  PID:8924
- C:\Windows\System32\OpQSXMT.exe
  C:\Windows\System32\OpQSXMT.exe
  2⤵
  PID:8944
- C:\Windows\System32\RYvQuor.exe
  C:\Windows\System32\RYvQuor.exe
  2⤵
  PID:8984
- C:\Windows\System32\ZJewUlE.exe
  C:\Windows\System32\ZJewUlE.exe
  2⤵
  PID:9016
- C:\Windows\System32\UGerPpS.exe
  C:\Windows\System32\UGerPpS.exe
  2⤵
  PID:9036
- C:\Windows\System32\ljXTAzS.exe
  C:\Windows\System32\ljXTAzS.exe
  2⤵
  PID:9076
- C:\Windows\System32\WiRIVsI.exe
  C:\Windows\System32\WiRIVsI.exe
  2⤵
  PID:9128
- C:\Windows\System32\IaPhxux.exe
  C:\Windows\System32\IaPhxux.exe
  2⤵
  PID:9160
- C:\Windows\System32\jKrRkrp.exe
  C:\Windows\System32\jKrRkrp.exe
  2⤵
  PID:9184
- C:\Windows\System32\jRmHxNf.exe
  C:\Windows\System32\jRmHxNf.exe
  2⤵
  PID:7928
- C:\Windows\System32\CiNKcfO.exe
  C:\Windows\System32\CiNKcfO.exe
  2⤵
  PID:8232
- C:\Windows\System32\JUodIrK.exe
  C:\Windows\System32\JUodIrK.exe
  2⤵
  PID:8284
- C:\Windows\System32\KPgCTJr.exe
  C:\Windows\System32\KPgCTJr.exe
  2⤵
  PID:8356
- C:\Windows\System32\udWUvMi.exe
  C:\Windows\System32\udWUvMi.exe
  2⤵
  PID:8432
- C:\Windows\System32\ZTjsZcp.exe
  C:\Windows\System32\ZTjsZcp.exe
  2⤵
  PID:8468
- C:\Windows\System32\yEpVAlD.exe
  C:\Windows\System32\yEpVAlD.exe
  2⤵
  PID:8460
- C:\Windows\System32\VKSApGv.exe
  C:\Windows\System32\VKSApGv.exe
  2⤵
  PID:8580
- C:\Windows\System32\KAspSwj.exe
  C:\Windows\System32\KAspSwj.exe
  2⤵
  PID:8648
- C:\Windows\System32\AoOsova.exe
  C:\Windows\System32\AoOsova.exe
  2⤵
  PID:8676
- C:\Windows\System32\UhGbPtI.exe
  C:\Windows\System32\UhGbPtI.exe
  2⤵
  PID:8788
- C:\Windows\System32\CpNRsnC.exe
  C:\Windows\System32\CpNRsnC.exe
  2⤵
  PID:8824
- C:\Windows\System32\ZFLZPEx.exe
  C:\Windows\System32\ZFLZPEx.exe
  2⤵
  PID:8916
- C:\Windows\System32\EvEJCom.exe
  C:\Windows\System32\EvEJCom.exe
  2⤵
  PID:9012
- C:\Windows\System32\YEXjdQK.exe
  C:\Windows\System32\YEXjdQK.exe
  2⤵
  PID:8996
- C:\Windows\System32\oTGOrdj.exe
  C:\Windows\System32\oTGOrdj.exe
  2⤵
  PID:9116
- C:\Windows\System32\bhyuskw.exe
  C:\Windows\System32\bhyuskw.exe
  2⤵
  PID:9208
- C:\Windows\System32\fRzkcEp.exe
  C:\Windows\System32\fRzkcEp.exe
  2⤵
  PID:7324
- C:\Windows\System32\vBSwBOX.exe
  C:\Windows\System32\vBSwBOX.exe
  2⤵
  PID:8488
- C:\Windows\System32\wZHgkiq.exe
  C:\Windows\System32\wZHgkiq.exe
  2⤵
  PID:8704
- C:\Windows\System32\cNeUxOE.exe
  C:\Windows\System32\cNeUxOE.exe
  2⤵
  PID:9064
- C:\Windows\System32\IoPTiBB.exe
  C:\Windows\System32\IoPTiBB.exe
  2⤵
  PID:9176
- C:\Windows\System32\afDrPOP.exe
  C:\Windows\System32\afDrPOP.exe
  2⤵
  PID:8600
- C:\Windows\System32\ZecyVWd.exe
  C:\Windows\System32\ZecyVWd.exe
  2⤵
  PID:8700
- C:\Windows\System32\pEkBIiY.exe
  C:\Windows\System32\pEkBIiY.exe
  2⤵
  PID:8976
- C:\Windows\System32\pijSZyT.exe
  C:\Windows\System32\pijSZyT.exe
  2⤵
  PID:8344
- C:\Windows\System32\XbujkWA.exe
  C:\Windows\System32\XbujkWA.exe
  2⤵
  PID:9108
- C:\Windows\System32\bItnVZb.exe
  C:\Windows\System32\bItnVZb.exe
  2⤵
  PID:9240
- C:\Windows\System32\wJevXOR.exe
  C:\Windows\System32\wJevXOR.exe
  2⤵
  PID:9260
- C:\Windows\System32\vTZEoid.exe
  C:\Windows\System32\vTZEoid.exe
  2⤵
  PID:9276
- C:\Windows\System32\XFsrivJ.exe
  C:\Windows\System32\XFsrivJ.exe
  2⤵
  PID:9304
- C:\Windows\System32\ADYmxPi.exe
  C:\Windows\System32\ADYmxPi.exe
  2⤵
  PID:9348
- C:\Windows\System32\gUIyGKc.exe
  C:\Windows\System32\gUIyGKc.exe
  2⤵
  PID:9376
- C:\Windows\System32\sPwsQpQ.exe
  C:\Windows\System32\sPwsQpQ.exe
  2⤵
  PID:9392
- C:\Windows\System32\mIRFUgB.exe
  C:\Windows\System32\mIRFUgB.exe
  2⤵
  PID:9432
- C:\Windows\System32\TcPHgGF.exe
  C:\Windows\System32\TcPHgGF.exe
  2⤵
  PID:9452
- C:\Windows\System32\BKWgNKi.exe
  C:\Windows\System32\BKWgNKi.exe
  2⤵
  PID:9484
- C:\Windows\System32\IWhpnvu.exe
  C:\Windows\System32\IWhpnvu.exe
  2⤵
  PID:9520
- C:\Windows\System32\cDCMbXn.exe
  C:\Windows\System32\cDCMbXn.exe
  2⤵
  PID:9560
- C:\Windows\System32\KQexaMQ.exe
  C:\Windows\System32\KQexaMQ.exe
  2⤵
  PID:9592
- C:\Windows\System32\riQtITA.exe
  C:\Windows\System32\riQtITA.exe
  2⤵
  PID:9612
- C:\Windows\System32\PGFigWg.exe
  C:\Windows\System32\PGFigWg.exe
  2⤵
  PID:9632
- C:\Windows\System32\kyZLWFL.exe
  C:\Windows\System32\kyZLWFL.exe
  2⤵
  PID:9652
- C:\Windows\System32\PEMdyVq.exe
  C:\Windows\System32\PEMdyVq.exe
  2⤵
  PID:9688
- C:\Windows\System32\TyOLqir.exe
  C:\Windows\System32\TyOLqir.exe
  2⤵
  PID:9720
- C:\Windows\System32\xEjOIGh.exe
  C:\Windows\System32\xEjOIGh.exe
  2⤵
  PID:9740
- C:\Windows\System32\wmXUtSb.exe
  C:\Windows\System32\wmXUtSb.exe
  2⤵
  PID:9764
- C:\Windows\System32\mvwaPtJ.exe
  C:\Windows\System32\mvwaPtJ.exe
  2⤵
  PID:9792
- C:\Windows\System32\IoeOiUC.exe
  C:\Windows\System32\IoeOiUC.exe
  2⤵
  PID:9844
- C:\Windows\System32\kQBxkJq.exe
  C:\Windows\System32\kQBxkJq.exe
  2⤵
  PID:9868
- C:\Windows\System32\mqrzBkO.exe
  C:\Windows\System32\mqrzBkO.exe
  2⤵
  PID:9884
- C:\Windows\System32\XFeqIOP.exe
  C:\Windows\System32\XFeqIOP.exe
  2⤵
  PID:9936
- C:\Windows\System32\efJMqFO.exe
  C:\Windows\System32\efJMqFO.exe
  2⤵
  PID:9952
- C:\Windows\System32\qAimUEK.exe
  C:\Windows\System32\qAimUEK.exe
  2⤵
  PID:9972
- C:\Windows\System32\gCgqfdS.exe
  C:\Windows\System32\gCgqfdS.exe
  2⤵
  PID:10020
- C:\Windows\System32\JjLGpjI.exe
  C:\Windows\System32\JjLGpjI.exe
  2⤵
  PID:10048
- C:\Windows\System32\gJwppIn.exe
  C:\Windows\System32\gJwppIn.exe
  2⤵
  PID:10076
- C:\Windows\System32\TNyhSYY.exe
  C:\Windows\System32\TNyhSYY.exe
  2⤵
  PID:10096
- C:\Windows\System32\KLGlDFT.exe
  C:\Windows\System32\KLGlDFT.exe
  2⤵
  PID:10116
- C:\Windows\System32\ZIfNKgO.exe
  C:\Windows\System32\ZIfNKgO.exe
  2⤵
  PID:10140
- C:\Windows\System32\FnfqNCU.exe
  C:\Windows\System32\FnfqNCU.exe
  2⤵
  PID:10176
- C:\Windows\System32\uAHWAlq.exe
  C:\Windows\System32\uAHWAlq.exe
  2⤵
  PID:10208
- C:\Windows\System32\rTCkmuA.exe
  C:\Windows\System32\rTCkmuA.exe
  2⤵
  PID:10228
- C:\Windows\System32\DGesLOE.exe
  C:\Windows\System32\DGesLOE.exe
  2⤵
  PID:7236
- C:\Windows\System32\AROelxe.exe
  C:\Windows\System32\AROelxe.exe
  2⤵
  PID:9252
- C:\Windows\System32\ouqUJrw.exe
  C:\Windows\System32\ouqUJrw.exe
  2⤵
  PID:9312
- C:\Windows\System32\JAoDUhY.exe
  C:\Windows\System32\JAoDUhY.exe
  2⤵
  PID:9428
- C:\Windows\System32\qpAMCNR.exe
  C:\Windows\System32\qpAMCNR.exe
  2⤵
  PID:9500
- C:\Windows\System32\kPyYVtJ.exe
  C:\Windows\System32\kPyYVtJ.exe
  2⤵
  PID:9580
- C:\Windows\System32\qyGiGKE.exe
  C:\Windows\System32\qyGiGKE.exe
  2⤵
  PID:9628
- C:\Windows\System32\nnBjcaC.exe
  C:\Windows\System32\nnBjcaC.exe
  2⤵
  PID:9696
- C:\Windows\System32\ZzsKWXU.exe
  C:\Windows\System32\ZzsKWXU.exe
  2⤵
  PID:9760
- C:\Windows\System32\rtToGOR.exe
  C:\Windows\System32\rtToGOR.exe
  2⤵
  PID:9784
- C:\Windows\System32\dTAUtqA.exe
  C:\Windows\System32\dTAUtqA.exe
  2⤵
  PID:9880
- C:\Windows\System32\OHwvitH.exe
  C:\Windows\System32\OHwvitH.exe
  2⤵
  PID:9944
- C:\Windows\System32\eAdLfyP.exe
  C:\Windows\System32\eAdLfyP.exe
  2⤵
  PID:9980
- C:\Windows\System32\UBnAOsK.exe
  C:\Windows\System32\UBnAOsK.exe
  2⤵
  PID:10084
- C:\Windows\System32\aqhfDSW.exe
  C:\Windows\System32\aqhfDSW.exe
  2⤵
  PID:10128
- C:\Windows\System32\TOISJON.exe
  C:\Windows\System32\TOISJON.exe
  2⤵
  PID:8608
- C:\Windows\System32\scCxtpe.exe
  C:\Windows\System32\scCxtpe.exe
  2⤵
  PID:9232
- C:\Windows\System32\XmgoUdc.exe
  C:\Windows\System32\XmgoUdc.exe
  2⤵
  PID:8908
- C:\Windows\System32\ZlNKPrG.exe
  C:\Windows\System32\ZlNKPrG.exe
  2⤵
  PID:9472
- C:\Windows\System32\ilwqeNi.exe
  C:\Windows\System32\ilwqeNi.exe
  2⤵
  PID:9052
- C:\Windows\System32\SMlFfFI.exe
  C:\Windows\System32\SMlFfFI.exe
  2⤵
  PID:9028
- C:\Windows\System32\ZrWSHjB.exe
  C:\Windows\System32\ZrWSHjB.exe
  2⤵
  PID:10040
- C:\Windows\System32\VFhWVte.exe
  C:\Windows\System32\VFhWVte.exe
  2⤵
  PID:10092
- C:\Windows\System32\ZgdPYCH.exe
  C:\Windows\System32\ZgdPYCH.exe
  2⤵
  PID:9356
- C:\Windows\System32\dbuoUAh.exe
  C:\Windows\System32\dbuoUAh.exe
  2⤵
  PID:9268
- C:\Windows\System32\AYdPEgq.exe
  C:\Windows\System32\AYdPEgq.exe
  2⤵
  PID:9568
- C:\Windows\System32\rCvSqLK.exe
  C:\Windows\System32\rCvSqLK.exe
  2⤵
  PID:10148
- C:\Windows\System32\ZOkQiYJ.exe
  C:\Windows\System32\ZOkQiYJ.exe
  2⤵
  PID:9460
- C:\Windows\System32\juqzoUX.exe
  C:\Windows\System32\juqzoUX.exe
  2⤵
  PID:10268
- C:\Windows\System32\KvAmHQr.exe
  C:\Windows\System32\KvAmHQr.exe
  2⤵
  PID:10308
- C:\Windows\System32\mQSPAPM.exe
  C:\Windows\System32\mQSPAPM.exe
  2⤵
  PID:10332
- C:\Windows\System32\WaYdgEC.exe
  C:\Windows\System32\WaYdgEC.exe
  2⤵
  PID:10360
- C:\Windows\System32\TKyjpLH.exe
  C:\Windows\System32\TKyjpLH.exe
  2⤵
  PID:10388
- C:\Windows\System32\hXDeRNz.exe
  C:\Windows\System32\hXDeRNz.exe
  2⤵
  PID:10416
- C:\Windows\System32\IAwHsXO.exe
  C:\Windows\System32\IAwHsXO.exe
  2⤵
  PID:10432
- C:\Windows\System32\WnMxnND.exe
  C:\Windows\System32\WnMxnND.exe
  2⤵
  PID:10452
- C:\Windows\System32\YfZkkgN.exe
  C:\Windows\System32\YfZkkgN.exe
  2⤵
  PID:10476
- C:\Windows\System32\fYHmThP.exe
  C:\Windows\System32\fYHmThP.exe
  2⤵
  PID:10500
- C:\Windows\System32\PiZHGqf.exe
  C:\Windows\System32\PiZHGqf.exe
  2⤵
  PID:10592
- C:\Windows\System32\XzkjunN.exe
  C:\Windows\System32\XzkjunN.exe
  2⤵
  PID:10612
- C:\Windows\System32\xLygFAF.exe
  C:\Windows\System32\xLygFAF.exe
  2⤵
  PID:10640
- C:\Windows\System32\NsBMiqM.exe
  C:\Windows\System32\NsBMiqM.exe
  2⤵
  PID:10660
- C:\Windows\System32\sJMAeGE.exe
  C:\Windows\System32\sJMAeGE.exe
  2⤵
  PID:10700
- C:\Windows\System32\zhFSoCp.exe
  C:\Windows\System32\zhFSoCp.exe
  2⤵
  PID:10716
- C:\Windows\System32\ymMopgQ.exe
  C:\Windows\System32\ymMopgQ.exe
  2⤵
  PID:10740
- C:\Windows\System32\MnwWkxn.exe
  C:\Windows\System32\MnwWkxn.exe
  2⤵
  PID:10756
- C:\Windows\System32\fyzBEXF.exe
  C:\Windows\System32\fyzBEXF.exe
  2⤵
  PID:10788
- C:\Windows\System32\wEIGeoz.exe
  C:\Windows\System32\wEIGeoz.exe
  2⤵
  PID:10840
- C:\Windows\System32\XsYASCW.exe
  C:\Windows\System32\XsYASCW.exe
  2⤵
  PID:10868
- C:\Windows\System32\AfYibpz.exe
  C:\Windows\System32\AfYibpz.exe
  2⤵
  PID:10888
- C:\Windows\System32\gatviPP.exe
  C:\Windows\System32\gatviPP.exe
  2⤵
  PID:10908
- C:\Windows\System32\lOxqybS.exe
  C:\Windows\System32\lOxqybS.exe
  2⤵
  PID:10956
- C:\Windows\System32\pcVacLs.exe
  C:\Windows\System32\pcVacLs.exe
  2⤵
  PID:10984
- C:\Windows\System32\DIKsKPk.exe
  C:\Windows\System32\DIKsKPk.exe
  2⤵
  PID:11004
- C:\Windows\System32\wRWEytF.exe
  C:\Windows\System32\wRWEytF.exe
  2⤵
  PID:11028
- C:\Windows\System32\hsxSmTZ.exe
  C:\Windows\System32\hsxSmTZ.exe
  2⤵
  PID:11056
- C:\Windows\System32\MOIQDYk.exe
  C:\Windows\System32\MOIQDYk.exe
  2⤵
  PID:11084
- C:\Windows\System32\waervvM.exe
  C:\Windows\System32\waervvM.exe
  2⤵
  PID:11100
- C:\Windows\System32\RJyjbFR.exe
  C:\Windows\System32\RJyjbFR.exe
  2⤵
  PID:11124
- C:\Windows\System32\hbKlLVX.exe
  C:\Windows\System32\hbKlLVX.exe
  2⤵
  PID:11140
- C:\Windows\System32\RgslgSr.exe
  C:\Windows\System32\RgslgSr.exe
  2⤵
  PID:11180
- C:\Windows\System32\srPvArC.exe
  C:\Windows\System32\srPvArC.exe
  2⤵
  PID:11240
- C:\Windows\System32\kMzKkxy.exe
  C:\Windows\System32\kMzKkxy.exe
  2⤵
  PID:628
- C:\Windows\System32\eIjhcsi.exe
  C:\Windows\System32\eIjhcsi.exe
  2⤵
  PID:10304
- C:\Windows\System32\uxFUvju.exe
  C:\Windows\System32\uxFUvju.exe
  2⤵
  PID:10384
- C:\Windows\System32\kntMoAj.exe
  C:\Windows\System32\kntMoAj.exe
  2⤵
  PID:10424
- C:\Windows\System32\HaIjgvm.exe
  C:\Windows\System32\HaIjgvm.exe
  2⤵
  PID:10444
- C:\Windows\System32\otqAoOb.exe
  C:\Windows\System32\otqAoOb.exe
  2⤵
  PID:10536
- C:\Windows\System32\seUkUEb.exe
  C:\Windows\System32\seUkUEb.exe
  2⤵
  PID:10636
- C:\Windows\System32\zNskMQj.exe
  C:\Windows\System32\zNskMQj.exe
  2⤵
  PID:10708
- C:\Windows\System32\pXjzMwA.exe
  C:\Windows\System32\pXjzMwA.exe
  2⤵
  PID:10728
- C:\Windows\System32\tFKnWqw.exe
  C:\Windows\System32\tFKnWqw.exe
  2⤵
  PID:10780
- C:\Windows\System32\SseKJGl.exe
  C:\Windows\System32\SseKJGl.exe
  2⤵
  PID:10864
- C:\Windows\System32\SgRvikd.exe
  C:\Windows\System32\SgRvikd.exe
  2⤵
  PID:10880
- C:\Windows\System32\WHTMRPi.exe
  C:\Windows\System32\WHTMRPi.exe
  2⤵
  PID:10948
- C:\Windows\System32\vuhdaBQ.exe
  C:\Windows\System32\vuhdaBQ.exe
  2⤵
  PID:11020
- C:\Windows\System32\YAMHTuF.exe
  C:\Windows\System32\YAMHTuF.exe
  2⤵
  PID:11112
- C:\Windows\System32\nlknstj.exe
  C:\Windows\System32\nlknstj.exe
  2⤵
  PID:11188
- C:\Windows\System32\bCcTffP.exe
  C:\Windows\System32\bCcTffP.exe
  2⤵
  PID:11220
- C:\Windows\System32\fwqrTVP.exe
  C:\Windows\System32\fwqrTVP.exe
  2⤵
  PID:10324
- C:\Windows\System32\RLKBdLk.exe
  C:\Windows\System32\RLKBdLk.exe
  2⤵
  PID:10428
- C:\Windows\System32\CYNKFRC.exe
  C:\Windows\System32\CYNKFRC.exe
  2⤵
  PID:10768
- C:\Windows\System32\kMzMZRH.exe
  C:\Windows\System32\kMzMZRH.exe
  2⤵
  PID:10916
- C:\Windows\System32\XTWXDnv.exe
  C:\Windows\System32\XTWXDnv.exe
  2⤵
  PID:10968
- C:\Windows\System32\ZXKYJpP.exe
  C:\Windows\System32\ZXKYJpP.exe
  2⤵
  PID:11132
- C:\Windows\System32\zXzgsZl.exe
  C:\Windows\System32\zXzgsZl.exe
  2⤵
  PID:11160
- C:\Windows\System32\UXTstYw.exe
  C:\Windows\System32\UXTstYw.exe
  2⤵
  PID:10684
- C:\Windows\System32\IwQfqMJ.exe
  C:\Windows\System32\IwQfqMJ.exe
  2⤵
  PID:11044
- C:\Windows\System32\KTluhbg.exe
  C:\Windows\System32\KTluhbg.exe
  2⤵
  PID:10996
- C:\Windows\System32\ZPJVgFG.exe
  C:\Windows\System32\ZPJVgFG.exe
  2⤵
  PID:11272
- C:\Windows\System32\lmjGdFE.exe
  C:\Windows\System32\lmjGdFE.exe
  2⤵
  PID:11288
- C:\Windows\System32\BXcsvCk.exe
  C:\Windows\System32\BXcsvCk.exe
  2⤵
  PID:11312
- C:\Windows\System32\icOdfew.exe
  C:\Windows\System32\icOdfew.exe
  2⤵
  PID:11348
- C:\Windows\System32\HMjLdHY.exe
  C:\Windows\System32\HMjLdHY.exe
  2⤵
  PID:11388
- C:\Windows\System32\AXelPvM.exe
  C:\Windows\System32\AXelPvM.exe
  2⤵
  PID:11428
- C:\Windows\System32\hXhfvrl.exe
  C:\Windows\System32\hXhfvrl.exe
  2⤵
  PID:11444
- C:\Windows\System32\HVvWPFP.exe
  C:\Windows\System32\HVvWPFP.exe
  2⤵
  PID:11472
- C:\Windows\System32\MkixhVM.exe
  C:\Windows\System32\MkixhVM.exe
  2⤵
  PID:11496
- C:\Windows\System32\ZSNGijE.exe
  C:\Windows\System32\ZSNGijE.exe
  2⤵
  PID:11520
- C:\Windows\System32\crWTUvX.exe
  C:\Windows\System32\crWTUvX.exe
  2⤵
  PID:11544
- C:\Windows\System32\HZBkpdL.exe
  C:\Windows\System32\HZBkpdL.exe
  2⤵
  PID:11560
- C:\Windows\System32\OOZQkly.exe
  C:\Windows\System32\OOZQkly.exe
  2⤵
  PID:11596
- C:\Windows\System32\TYZDuiS.exe
  C:\Windows\System32\TYZDuiS.exe
  2⤵
  PID:11624
- C:\Windows\System32\zzEGrRq.exe
  C:\Windows\System32\zzEGrRq.exe
  2⤵
  PID:11648
- C:\Windows\System32\HOHPzBZ.exe
  C:\Windows\System32\HOHPzBZ.exe
  2⤵
  PID:11692
- C:\Windows\System32\yYNqYaq.exe
  C:\Windows\System32\yYNqYaq.exe
  2⤵
  PID:11724
- C:\Windows\System32\ZkQTaEI.exe
  C:\Windows\System32\ZkQTaEI.exe
  2⤵
  PID:11744
- C:\Windows\System32\hpTMFYk.exe
  C:\Windows\System32\hpTMFYk.exe
  2⤵
  PID:11768
- C:\Windows\System32\HxTdRfG.exe
  C:\Windows\System32\HxTdRfG.exe
  2⤵
  PID:11784
- C:\Windows\System32\hhXuhxb.exe
  C:\Windows\System32\hhXuhxb.exe
  2⤵
  PID:11812
- C:\Windows\System32\LNaqoUO.exe
  C:\Windows\System32\LNaqoUO.exe
  2⤵
  PID:11828
- C:\Windows\System32\keyhBsP.exe
  C:\Windows\System32\keyhBsP.exe
  2⤵
  PID:11896
- C:\Windows\System32\gThyLlR.exe
  C:\Windows\System32\gThyLlR.exe
  2⤵
  PID:11912
- C:\Windows\System32\BgtEDVZ.exe
  C:\Windows\System32\BgtEDVZ.exe
  2⤵
  PID:11928
- C:\Windows\System32\sfLRLTj.exe
  C:\Windows\System32\sfLRLTj.exe
  2⤵
  PID:11944
- C:\Windows\System32\hOKZblG.exe
  C:\Windows\System32\hOKZblG.exe
  2⤵
  PID:11980
- C:\Windows\System32\CFwQZEJ.exe
  C:\Windows\System32\CFwQZEJ.exe
  2⤵
  PID:11996
- C:\Windows\System32\dFvdcee.exe
  C:\Windows\System32\dFvdcee.exe
  2⤵
  PID:12044
- C:\Windows\System32\QsVJzeq.exe
  C:\Windows\System32\QsVJzeq.exe
  2⤵
  PID:12060
- C:\Windows\System32\aeqXAcz.exe
  C:\Windows\System32\aeqXAcz.exe
  2⤵
  PID:12088
- C:\Windows\System32\nwJfUSG.exe
  C:\Windows\System32\nwJfUSG.exe
  2⤵
  PID:12112
- C:\Windows\System32\OmkMpyi.exe
  C:\Windows\System32\OmkMpyi.exe
  2⤵
  PID:12184
- C:\Windows\System32\XNbmfIs.exe
  C:\Windows\System32\XNbmfIs.exe
  2⤵
  PID:12224
- C:\Windows\System32\iBgYCdV.exe
  C:\Windows\System32\iBgYCdV.exe
  2⤵
  PID:12252
- C:\Windows\System32\OWosbIl.exe
  C:\Windows\System32\OWosbIl.exe
  2⤵
  PID:12276
- C:\Windows\System32\HqxbFZO.exe
  C:\Windows\System32\HqxbFZO.exe
  2⤵
  PID:10588
- C:\Windows\System32\RCTlXdK.exe
  C:\Windows\System32\RCTlXdK.exe
  2⤵
  PID:11284
- C:\Windows\System32\xlMaRrD.exe
  C:\Windows\System32\xlMaRrD.exe
  2⤵
  PID:11396
- C:\Windows\System32\abeRGVA.exe
  C:\Windows\System32\abeRGVA.exe
  2⤵
  PID:11456
- C:\Windows\System32\eWjMzss.exe
  C:\Windows\System32\eWjMzss.exe
  2⤵
  PID:11532
- C:\Windows\System32\pQknOuT.exe
  C:\Windows\System32\pQknOuT.exe
  2⤵
  PID:11568
- C:\Windows\System32\pVIAQDL.exe
  C:\Windows\System32\pVIAQDL.exe
  2⤵
  PID:11676
- C:\Windows\System32\AcasbPz.exe
  C:\Windows\System32\AcasbPz.exe
  2⤵
  PID:11760
- C:\Windows\System32\FjbMyVQ.exe
  C:\Windows\System32\FjbMyVQ.exe
  2⤵
  PID:11792
- C:\Windows\System32\nqoqttN.exe
  C:\Windows\System32\nqoqttN.exe
  2⤵
  PID:11836
- C:\Windows\System32\eHrGLuQ.exe
  C:\Windows\System32\eHrGLuQ.exe
  2⤵
  PID:11860
- C:\Windows\System32\SgpuNex.exe
  C:\Windows\System32\SgpuNex.exe
  2⤵
  PID:11872
- C:\Windows\System32\UpXAWhx.exe
  C:\Windows\System32\UpXAWhx.exe
  2⤵
  PID:11968
- C:\Windows\System32\YFQBKmM.exe
  C:\Windows\System32\YFQBKmM.exe
  2⤵
  PID:12008
- C:\Windows\System32\GEZjBsR.exe
  C:\Windows\System32\GEZjBsR.exe
  2⤵
  PID:12084
- C:\Windows\System32\gOPyrVY.exe
  C:\Windows\System32\gOPyrVY.exe
  2⤵
  PID:12192
- C:\Windows\System32\aAunkIK.exe
  C:\Windows\System32\aAunkIK.exe
  2⤵
  PID:12212
- C:\Windows\System32\ywXOwUk.exe
  C:\Windows\System32\ywXOwUk.exe
  2⤵
  PID:12244
- C:\Windows\System32\bGwwAuQ.exe
  C:\Windows\System32\bGwwAuQ.exe
  2⤵
  PID:11304
- C:\Windows\System32\ejEyznZ.exe
  C:\Windows\System32\ejEyznZ.exe
  2⤵
  PID:4872
- C:\Windows\System32\yXGhlVJ.exe
  C:\Windows\System32\yXGhlVJ.exe
  2⤵
  PID:11736
- C:\Windows\System32\KvvXZjr.exe
  C:\Windows\System32\KvvXZjr.exe
  2⤵
  PID:1760
- C:\Windows\System32\CTfrYBw.exe
  C:\Windows\System32\CTfrYBw.exe
  2⤵
  PID:11764
- C:\Windows\System32\TlmKkvD.exe
  C:\Windows\System32\TlmKkvD.exe
  2⤵
  PID:11924
- C:\Windows\System32\JQiLvJg.exe
  C:\Windows\System32\JQiLvJg.exe
  2⤵
  PID:12120
- C:\Windows\System32\gHoAtrT.exe
  C:\Windows\System32\gHoAtrT.exe
  2⤵
  PID:11504
- C:\Windows\System32\PwYkvTj.exe
  C:\Windows\System32\PwYkvTj.exe
  2⤵
  PID:6124
- C:\Windows\System32\yoglsQH.exe
  C:\Windows\System32\yoglsQH.exe
  2⤵
  PID:4496
- C:\Windows\System32\UPMIMKS.exe
  C:\Windows\System32\UPMIMKS.exe
  2⤵
  PID:12232
- C:\Windows\System32\oixoCNl.exe
  C:\Windows\System32\oixoCNl.exe
  2⤵
  PID:5116
- C:\Windows\System32\nZIyEfo.exe
  C:\Windows\System32\nZIyEfo.exe
  2⤵
  PID:12168
- C:\Windows\System32\eNdFyQf.exe
  C:\Windows\System32\eNdFyQf.exe
  2⤵
  PID:12304
- C:\Windows\System32\oFTgZYU.exe
  C:\Windows\System32\oFTgZYU.exe
  2⤵
  PID:12336
- C:\Windows\System32\HEqlTDp.exe
  C:\Windows\System32\HEqlTDp.exe
  2⤵
  PID:12356
- C:\Windows\System32\ozHrVjQ.exe
  C:\Windows\System32\ozHrVjQ.exe
  2⤵
  PID:12384
- C:\Windows\System32\vwMdSUS.exe
  C:\Windows\System32\vwMdSUS.exe
  2⤵
  PID:12400
- C:\Windows\System32\tuvbgAv.exe
  C:\Windows\System32\tuvbgAv.exe
  2⤵
  PID:12432
- C:\Windows\System32\BGTaLkI.exe
  C:\Windows\System32\BGTaLkI.exe
  2⤵
  PID:12456
- C:\Windows\System32\rxQUoQE.exe
  C:\Windows\System32\rxQUoQE.exe
  2⤵
  PID:12476
- C:\Windows\System32\EYFztCh.exe
  C:\Windows\System32\EYFztCh.exe
  2⤵
  PID:12512
- C:\Windows\System32\lvNXWml.exe
  C:\Windows\System32\lvNXWml.exe
  2⤵
  PID:12536
- C:\Windows\System32\VbfGmJp.exe
  C:\Windows\System32\VbfGmJp.exe
  2⤵
  PID:12560
- C:\Windows\System32\ybIySJv.exe
  C:\Windows\System32\ybIySJv.exe
  2⤵
  PID:12584
- C:\Windows\System32\WwhgbAw.exe
  C:\Windows\System32\WwhgbAw.exe
  2⤵
  PID:12612
- C:\Windows\System32\hGEqiYR.exe
  C:\Windows\System32\hGEqiYR.exe
  2⤵
  PID:12628
- C:\Windows\System32\WaBiZbq.exe
  C:\Windows\System32\WaBiZbq.exe
  2⤵
  PID:12644
- C:\Windows\System32\BjxhWlw.exe
  C:\Windows\System32\BjxhWlw.exe
  2⤵
  PID:12696
- C:\Windows\System32\LSRZxqi.exe
  C:\Windows\System32\LSRZxqi.exe
  2⤵
  PID:12720
- C:\Windows\System32\LWvWkKe.exe
  C:\Windows\System32\LWvWkKe.exe
  2⤵
  PID:12772
- C:\Windows\System32\pKcmthh.exe
  C:\Windows\System32\pKcmthh.exe
  2⤵
  PID:12788
- C:\Windows\System32\gcFAOKJ.exe
  C:\Windows\System32\gcFAOKJ.exe
  2⤵
  PID:12820
- C:\Windows\System32\NXghKGA.exe
  C:\Windows\System32\NXghKGA.exe
  2⤵
  PID:12852
- C:\Windows\System32\laRtXhx.exe
  C:\Windows\System32\laRtXhx.exe
  2⤵
  PID:12884
- C:\Windows\System32\NMxlKpW.exe
  C:\Windows\System32\NMxlKpW.exe
  2⤵
  PID:12904
- C:\Windows\System32\vxrRkPR.exe
  C:\Windows\System32\vxrRkPR.exe
  2⤵
  PID:12920
- C:\Windows\System32\tbRJhFY.exe
  C:\Windows\System32\tbRJhFY.exe
  2⤵
  PID:12944
- C:\Windows\System32\jhKOUfK.exe
  C:\Windows\System32\jhKOUfK.exe
  2⤵
  PID:12984
- C:\Windows\System32\CBrhxHo.exe
  C:\Windows\System32\CBrhxHo.exe
  2⤵
  PID:13016
- C:\Windows\System32\DcZcoOg.exe
  C:\Windows\System32\DcZcoOg.exe
  2⤵
  PID:13056
- C:\Windows\System32\dWrKmhY.exe
  C:\Windows\System32\dWrKmhY.exe
  2⤵
  PID:13096
- C:\Windows\System32\SHJDDhC.exe
  C:\Windows\System32\SHJDDhC.exe
  2⤵
  PID:13132
- C:\Windows\System32\GQBqRdG.exe
  C:\Windows\System32\GQBqRdG.exe
  2⤵
  PID:13148
- C:\Windows\System32\tMRxyQf.exe
  C:\Windows\System32\tMRxyQf.exe
  2⤵
  PID:13168
- C:\Windows\System32\OxzqiKI.exe
  C:\Windows\System32\OxzqiKI.exe
  2⤵
  PID:13192
- C:\Windows\System32\XFLlURC.exe
  C:\Windows\System32\XFLlURC.exe
  2⤵
  PID:13220
- C:\Windows\System32\TharDZQ.exe
  C:\Windows\System32\TharDZQ.exe
  2⤵
  PID:13240
- C:\Windows\System32\gZTLYQo.exe
  C:\Windows\System32\gZTLYQo.exe
  2⤵
  PID:13256
- C:\Windows\System32\Kqsmzlw.exe
  C:\Windows\System32\Kqsmzlw.exe
  2⤵
  PID:13296
- C:\Windows\System32\fnTCjbb.exe
  C:\Windows\System32\fnTCjbb.exe
  2⤵
  PID:12320
- C:\Windows\System32\AvtLRCL.exe
  C:\Windows\System32\AvtLRCL.exe
  2⤵
  PID:12348
- C:\Windows\System32\EFRvEId.exe
  C:\Windows\System32\EFRvEId.exe
  2⤵
  PID:12420
- C:\Windows\System32\CoYWBpM.exe
  C:\Windows\System32\CoYWBpM.exe
  2⤵
  PID:12452
- C:\Windows\System32\cwjqhgR.exe
  C:\Windows\System32\cwjqhgR.exe
  2⤵
  PID:12568
- C:\Windows\System32\SmQhTOb.exe
  C:\Windows\System32\SmQhTOb.exe
  2⤵
  PID:12636
- C:\Windows\System32\HwCDJZo.exe
  C:\Windows\System32\HwCDJZo.exe
  2⤵
  PID:12692
- C:\Windows\System32\LgiKcEb.exe
  C:\Windows\System32\LgiKcEb.exe
  2⤵
  PID:12784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ACOmNcf.exe

Filesize
1.5MB

MD5
98557197b2ff0eccfd372c5ec17f3564

SHA1
1b12763747f0222ef8468f8a84cec63f769cbc53

SHA256
610dbdb0fb2db9e9a0c3f7294d5cc858f051f45a42d1757ef27f3b4e4780f98b

SHA512
52d712f9b66d6df6b4310d4c1def7876ac720e90365b1d8662d20f078f1cacdafe0d5caf088fe647d0d61e7f9ecb489b276e347683c6f6eca938fa1bfc0045ff

Download Submit
C:\Windows\System32\AJwypVh.exe

Filesize
1.5MB

MD5
9d49445905b3cd427f2c498e3ce17a0d

SHA1
df83ea7fd98a523da5701bc11661d0c9698ae5b6

SHA256
c3165ce73f2e713f13d4ecb207cb34ba3d884591829927a21548b366c29b3797

SHA512
626d4437df673d43ceeed54f0dfbeda79290096daf18ab607201ffd6e45740d534793ee5ee3ed950ba1b5f734077855545950cdc7eac301a9c080c1c5a9fa361

Download Submit
C:\Windows\System32\DIQdlzc.exe

Filesize
1.5MB

MD5
edd139aa67d8d51cfdec5ab543b2a4a5

SHA1
f2c7ea2c784da86f7387e5a4ba5b7d2de68bd0cc

SHA256
91b21542186bac1327c8f54b92b50e22fe5c85c01d920fde3486c1df8dd21eac

SHA512
10e8e533e72819c5b556cd892dc93b839c26972fcc679ff53e54b3598ae1b69958417139687a913c25c511c5bf2f0d7ffde795cb9882e16104c9bb80f7cb0029

Download Submit
C:\Windows\System32\FnhMMto.exe

Filesize
1.5MB

MD5
c89052888eff5e17f4ece7f4b1e433d7

SHA1
4549454a68a269459158daf805088349363f50bc

SHA256
10903da4f45ca7df82315fecb982e642ea95742b34beb3ef7d5712c4129b3530

SHA512
d5b047f5f6ef5bf17317f8ad94c31905c02e6e789a09bfab08d2c24273106d8b8575308fdddebed6c4e87e2d39959a4df055735aa995794585a75ac3d89e69c7

Download Submit
C:\Windows\System32\GXsXufJ.exe

Filesize
1.5MB

MD5
17d6836fb3e7fc487c8bfb85093e204e

SHA1
b930300a68d13f6bdb992fef265ec5e19047b68e

SHA256
23517923ef7c877e695bfb4fa24b7f4c1e1b04629f086b8055c41ce2a51afe00

SHA512
da068f4978db26bcd79dfc27abc3bea0b4c83d89526ea5953eed526fbe8a9ebe7210fd5ef07ff9d0ab011031930c8dd60271aea70e1856782c154beabe4631af

Download Submit
C:\Windows\System32\HBXVpqN.exe

Filesize
1.5MB

MD5
f502cb938ed6741627935a8724e559b2

SHA1
910a013473b2fe598608550b0c97134537c1c600

SHA256
4cd93b6d2d9a5c9622b12717c8ecac2eb21998115ca95234f9dc39be578b779d

SHA512
076ff48418049947f21b2e9ccc05b8b8387b397430d61f0fa24a8b4fc0189d766316a4527388878fb767539d05f33136d1a8be5fdfa5acc81f03e492fc11af07

Download Submit
C:\Windows\System32\HElIPrl.exe

Filesize
1.5MB

MD5
b9c07c31d2c6bfa1330ba849c75593ef

SHA1
e46daf4e0d83a9af897c3262c4b99a71b8e7dd75

SHA256
e70793dbf7f331514afa76207b909307c8504cf7fa56392c97f0dde54b6b1816

SHA512
f76c38e5946c6dea8c26a75052538618125a6d4e016fa3261bca0b0d01341dbe86d53a209a52d294cbff64ed121af61829356dd7759a3efae2f1f412d34aff4a

Download Submit
C:\Windows\System32\HzplDfg.exe

Filesize
1.5MB

MD5
65fa2b751d0d2297e2b607bfadc0fd54

SHA1
9529a6924c1b89d77fcf0e1de4c5e4b4dd890a1e

SHA256
a2dacb88962aefd6408fc84a56bc4d6e63088c2ee255a27d278859f71ce36755

SHA512
0784d073ffbe68b239ff5d8d45a4f2e42330a55005436b226cc4f9d57a618b64454b8bc89bc1d43c076980698b21607b79d3fa4fbde4eece368d4a679918278c

Download Submit
C:\Windows\System32\JJPQNWo.exe

Filesize
1.5MB

MD5
6121dd506b49ee2dccb69592179d2897

SHA1
39f194d4c8bb1374f20eed3382654fbef5849bfb

SHA256
5f2f1b84663a429981fcc06e17a63a8c7776cd241b68565da1a8f10ab1f83d6d

SHA512
332498bf96dcfb3c7c0b4596e377630f73be4f122b4acdf7db312d5f716f020076efff13a7cb86efb0ec1d9cf88c54619c7d180484422b64fb76dd3507030b40

Download Submit
C:\Windows\System32\JhwuXbK.exe

Filesize
1.5MB

MD5
a3e8b991a786cd3a3b9fb6bde98fd4ad

SHA1
da12615780415986c21bb8f75461f6041a3469dd

SHA256
6f2a015e91929fc81d5629e399837b4a315a8788bfb39be846fe54e587fad85a

SHA512
eea01e7a42745ad7f3001657d17b13cbdd695e6931cd1c2da11ec3b13947c3f44a236918c18a5dcb41489c6f8b6991bcc6c1ca6c63b21d73fa666245891e8e62

Download Submit
C:\Windows\System32\KQcilbT.exe

Filesize
1.5MB

MD5
de9ee04edabf09b7b7bb9270b1065217

SHA1
042ce108bae4eea5a3552c9efe66585410d4c8c8

SHA256
f2d6088528bf965df3d45fdb79db3c939abb91f4f1f94cd680f8743d068b33af

SHA512
59917ad60dbf9ecc0fd8c5d5e73716058d68dca7dcdf46053008566f4d9221d4dce36688d772bb98a225f4588e88b29fce76ea6c9afcb9bc5a5f7b8ebad6f9cb

Download Submit
C:\Windows\System32\KVRzawl.exe

Filesize
1.5MB

MD5
fe89659561d0f5b9eb385cc062131f8a

SHA1
209ace0a67767acb7684a546869747f971ea91b3

SHA256
ba871afb040fb4f897eb0f340d05300cf7b50349241ac83a9e92fc4d5e57a9af

SHA512
8d0226b7da6cbc628956fd1963f2d0a82bce877021a47f2fe57374d7a75cedf190bcdf47a0518c38764ca9d250d4ceced2e0c77565ef27a45cba073948f37179

Download Submit
C:\Windows\System32\PWKCfuJ.exe

Filesize
1.5MB

MD5
735eebe1481beefd783b58744bae3fb4

SHA1
e1c0621c4b8a5102ad2e371ff331593636d38d72

SHA256
ba4e4dc9c399c289516b369da036bbaf8edd82b20d5239edffe86b47f7dc400f

SHA512
e62cfa292aebad588bab9f57361ed4777dee81845208d2a8c2d916565d974815d840745632e13c8b9a4e171ca1c0ff9d12cbdc6e31beeb2f90be00a539ce478f

Download Submit
C:\Windows\System32\QdHMnVZ.exe

Filesize
1.5MB

MD5
c91f13c20ec8bd963d565d0cd7f760de

SHA1
db27635830465a2e1714c7f9930e9361f2ddac54

SHA256
a37816f72f9ad679064b3490e6555eef81a661bbe9b982c0e552b51f90dd817b

SHA512
67ea33f21ac95321c15a2672437b8b967c860f02acb36743441a47ecc057206a7f7388d18ddf098489c71efb285614e1dc68e8d0c3c70170be5a9c9a0b42d055

Download Submit
C:\Windows\System32\RIdNZtG.exe

Filesize
1.5MB

MD5
8d5a7ed4baaaf573f569c7846e8626d4

SHA1
19d9ab60f57ad2c4a970de4a9440028748292322

SHA256
9205c027cd93554be84ff9b2573873a28e97abd14521d532a6f10cb4f2576a12

SHA512
49d5e881eaad63947ab30d5ad80dac6cbf3e11f86067922a1f620d8ee89ef2a0465d00800f3f4be61cf20943a77a4a1619d23c26dc53ab7d08ccba09876c8530

Download Submit
C:\Windows\System32\RUpNUlx.exe

Filesize
1.5MB

MD5
1e90fb8fdf467f35492318b89dc39c58

SHA1
f058c4fd1a9bd449bce04ec694bb508616789c09

SHA256
3ecf48a9fb62cc646889ee3cb55dc546836002460286e96089bb0a400b8391dc

SHA512
946f753f49a21bf9b9eb7e2dcf6a19f632bdd1f814401df9da2291004189fd7ec0c67af44811aa5a7016d048fcf06044b34dd4ef63d20d63fdabd17a4b025e17

Download Submit
C:\Windows\System32\RmPjvvb.exe

Filesize
1.5MB

MD5
e50356e096a39682553049cd918bca95

SHA1
bb3e485c3526720a717c50bf53f57644743703e9

SHA256
000c0eacb6670c69d5586c62d1d9133c6434afb5d3b96502738fbbad4aca22be

SHA512
b4c6f47a3b8e1ccfa9c0d0093cb6e80d138a3da34c2fd301b7dbc9cd1434f77472b86f682359c1a82d24342c3dc1af9d740fe13b9d6c7f357325e4932ec4f628

Download Submit
C:\Windows\System32\RngAXet.exe

Filesize
1.5MB

MD5
45da3ecd7eb52454c3d520a1165aa69a

SHA1
c2828cedb79f2d91e07e006058a4e156ddf355e8

SHA256
942e00aa071f68ea3934f619f0276ed073a4f7b53e6dd818efab3c6ce2f59c86

SHA512
80eeb84eb75a344d55ac6dfb4229925d5547aca5bae5c81316eb1459307dbb1eaf37f2447976115de371956d04d3e96c559331a71358cc78ab878c526d3f79ee

Download Submit
C:\Windows\System32\SgEdcgc.exe

Filesize
1.5MB

MD5
177e33d8ba4a26401fd26cbee1c8cc51

SHA1
082a2fd21a97172316d84b862202af8bdc3aaa2f

SHA256
4eaeef9dd23de754ae026dfd06355adff280c4a1d6d003821b83805b5fd253de

SHA512
768d15bba6dcf4d14c0d7dd39f9bd46b099d3c41a27e728a8ef72bd90b1966bca909acea0a0ace04be87e3d0765c5fecf9ea6fed0d50e6fd07be1c8d9b9c505d

Download Submit
C:\Windows\System32\THalJRj.exe

Filesize
1.5MB

MD5
3c6a815c20175023d48031ff5e001503

SHA1
416c6b82be660467fb89b214f1632fdf16e46e98

SHA256
0ae41f680ed4d8e1df3ed4ff1165cca924c45d2a8874ccd69c671e9c8319ed06

SHA512
ade46a23726ff9086022f8f2ab203ce6182214073782c7dfd8e31c0077c96698121fb261fcd2fb92553a45482a06221806d0b025765dbe212fd952ec8e38a8bf

Download Submit
C:\Windows\System32\VZINdCU.exe

Filesize
1.5MB

MD5
f6b18f1149a937292c6a709fd752d10f

SHA1
08e44ae122d039544e0fc1514ab1d0c77fb16dd6

SHA256
e5890dabf7168f5f784e279723b51c4f5e441ed23b4ac09a8c4e978ef5884f6e

SHA512
9cca746a46b7a0d9aa08c29c297888e3495893dba7a48d1b29bbb4bcd6f0f08917f117042ba26e5b73e4814039a2a289b29e139c7f12f7c23c5427bf4e5fcb8a

Download Submit
C:\Windows\System32\VhyJzXQ.exe

Filesize
1.5MB

MD5
f3819131fc65f3456ede8471b2e1dcdc

SHA1
961cd803b4d5bf372a5b3fa5baf49420db62fcfb

SHA256
7de28c7104fee335ebe9161c79025b676e38dea12e1510e1c0beb97a6f9fa067

SHA512
de0497fc1a749c86d4411fc9d72666f026cee49d1b2a71fdc839a463d9d67eca211b8fc9e8a16bb09509b5870760dc49d4bf44c9b3a00db6c470459aa5591315

Download Submit
C:\Windows\System32\VpZwCYt.exe

Filesize
1.5MB

MD5
065a458f32a2e008cfa8193161f290f5

SHA1
7291c020ca9a015ea54ed51d53f8f20aa6820e9e

SHA256
3c4d77ca4e71241b52f4ecde9a79c532f030ddb89f60fd154865a17a6e258cba

SHA512
675e4894ea05ccadb2132a05daa54c4206dad476f11b650a01480726c57bfcb7498377da4abdca21855b6a6b7b24c4ff7fe87ffd183e815a3b86db3a6ea71b51

Download Submit
C:\Windows\System32\XuXueCW.exe

Filesize
1.5MB

MD5
e815ffb14b7abde810bdfa40bec468e3

SHA1
9b30c2cd6957fee24022cd6df4bd579943ae6afc

SHA256
2c47c057b23170a3c909d0f58a2d9d9b3ebcb3a9c8789f54e68187ecedf0f1e9

SHA512
1a46baa3444134e94feb14fc38bb5179283186de71b6022eb99a54d8430dea54d90679f82c1f4cc0910c248e1ce75fee5678ec6451145c9f7d01ab8804e4d2dd

Download Submit
C:\Windows\System32\YdQuEYw.exe

Filesize
1.5MB

MD5
f8542d557d218ece6dd8efa46ed85e13

SHA1
d320a06fd15c53bb71b0ee6557652b4d7e9c0460

SHA256
1e56dceef4f45c840d99d4d75d5ecb43322d399a693998d2b9046bc2f44fb888

SHA512
925428d1d867c2e138a0b6b4958804366dbe50df1daef2d49e26327940ac8cc4193421de771d7228f2037c324896834155791d5b92a776dc471f8236c9fea803

Download Submit
C:\Windows\System32\aDGwsuy.exe

Filesize
1.5MB

MD5
71af063fbbe07cd053db036d3bcb0f85

SHA1
4aa18251b59b5d09dc66c49a241df815cf102b21

SHA256
9f53b797698f32d75414062fd4194c4d7864822491d8d5c9acc1ea0f80422fc2

SHA512
50c452fc0d642bef50465b1e3ac89833487693c69caf776d2388713cace9d1cbb0ce43834327c2a31266b25cc066ca98a7b078a226c79047860825e3c1087a06

Download Submit
C:\Windows\System32\cfkDvZc.exe

Filesize
1.5MB

MD5
d25b6684775b1777731ae9f0195b2df0

SHA1
9ae9591566680efdc4be9b813f45c7fd1cd2a1f1

SHA256
24ab9e46e46eb22f59a7e7b9980dbc4979bb4f46c695326369566a2b72b380e8

SHA512
b447cd9f60c9738c451874637c0f50566f6f000d9eb66218516d04e9228f3a511c0d311ecfa9d9a221ae29f638b4194127a615f08898e28558c52de94c2b620c

Download Submit
C:\Windows\System32\eJizKdY.exe

Filesize
1.5MB

MD5
12454cd24c9e332a7468c43745a43a53

SHA1
b0063d7746e0d0fad1851ae2f2d414cc6842ca20

SHA256
d0ebe46a17c5d420f2990b76bc37cdd759eec5737c1ada6a105a8e2f1d33f28d

SHA512
7314d19175f7a62563f42eaf6b4ca41b5558b3c634fea0eaf71a8531842b349b8b30a14c9713eaae59916b9884e75113194f5e8d11e48da201426c79ba7170ec

Download Submit
C:\Windows\System32\gfxsvFf.exe

Filesize
1.5MB

MD5
78ec7ac0a98f9212e9d1ef319c7bca18

SHA1
c6a4847ce12b7d1c8edfe97aa434f582b8e1b201

SHA256
88ad096c422275ba77c42892abb8350bc99cedc3d4da4b62f0e3dc72829333f2

SHA512
7fcdea2163dd7462caa70c1104184fffc3040112a442697071e62262cb0d0d99a961706245a777497b41a1307f2465677f6c4a77691e1e630cc5c8f897a1ade7

Download Submit
C:\Windows\System32\rIClCsi.exe

Filesize
1.5MB

MD5
9afd82453087bb6b6f65b79dab2e4e48

SHA1
6096b1d2b86d5eda868c3a7feaa3b94e3102252e

SHA256
638ea3f4b13745ff2cb417030baa20377c83b23b3a2539c619d4d9c33cf6f27d

SHA512
be071322cfd0f84b9ea97389f504a9eadca153d01936ea09855bcff8851cdb16a42aca0feb2461760fb123b8f298a5ca95a5fc396972b9dba2b9fe9a5f5cd747

Download Submit
C:\Windows\System32\wEdzqam.exe

Filesize
1.5MB

MD5
1f18f353e4ddc7c2bb82d9a8ddc0ecba

SHA1
df98e9e88f21e0d0051a491b6e010041ffd8397f

SHA256
05c0c562271edd56cf60fec692dd0646529d4254fcc1eee7252a0fe08c6bac5a

SHA512
7d0f7db2bd95cf9f252d3bd8029cb6348cef16fdfa80220b027ecbe7ce1207e9b0d28de632f9e55581d79f040db715d4193061ffbd8a0ab71d403cc5afb04028

Download Submit
C:\Windows\System32\wkfRdVN.exe

Filesize
1.5MB

MD5
87f5814ebcd4cc3ca86da51cdab3c72c

SHA1
54626e14f3b90ea82d2b48b3732a7bed6b95206c

SHA256
920e741a9c3e4e4d894a96738455795a89c06e4bb13021344daab7a6852921d3

SHA512
0a24cbccd6c02ca3bf58529af34b1bf2a1f0a0399d82624220072da744584913cda934023c8dedbbec4fb1c5f595c3105e01875e6067a8451421fa2a7d7875d4

Download Submit
C:\Windows\System32\xmXhQrX.exe

Filesize
1.5MB

MD5
07ecd8db2c96a108373054d167897f6c

SHA1
a4987063c39da5056c3ac4d41de7ec2b96d9eafe

SHA256
38fa1ac4381f209a6bcaccd9106382cfc5f99ca511f5a4345d4c674eade8cd85

SHA512
d24651b807f3f4fb9522f7f80bc5f04a634cb652ed40910dc8f0d910c5847eec63ff901fa55d886434b92e98cd4165cc0c94fb762c2826d52c1efc846a56d5a2

Download Submit
memory/688-2093-0x00007FF7AB440000-0x00007FF7AB831000-memory.dmp

Filesize
3.9MB

Download
memory/688-527-0x00007FF7AB440000-0x00007FF7AB831000-memory.dmp

Filesize
3.9MB

Download
memory/1064-1171-0x00007FF769F40000-0x00007FF76A331000-memory.dmp

Filesize
3.9MB

Download
memory/1064-2048-0x00007FF769F40000-0x00007FF76A331000-memory.dmp

Filesize
3.9MB

Download
memory/1064-11-0x00007FF769F40000-0x00007FF76A331000-memory.dmp

Filesize
3.9MB

Download
memory/1352-2078-0x00007FF76A140000-0x00007FF76A531000-memory.dmp

Filesize
3.9MB

Download
memory/1352-492-0x00007FF76A140000-0x00007FF76A531000-memory.dmp

Filesize
3.9MB

Download
memory/1588-2075-0x00007FF6B5C30000-0x00007FF6B6021000-memory.dmp

Filesize
3.9MB

Download
memory/1588-489-0x00007FF6B5C30000-0x00007FF6B6021000-memory.dmp

Filesize
3.9MB

Download
memory/1764-2068-0x00007FF62E200000-0x00007FF62E5F1000-memory.dmp

Filesize
3.9MB

Download
memory/1764-60-0x00007FF62E200000-0x00007FF62E5F1000-memory.dmp

Filesize
3.9MB

Download
memory/1764-2032-0x00007FF62E200000-0x00007FF62E5F1000-memory.dmp

Filesize
3.9MB

Download
memory/2360-2080-0x00007FF7B5B40000-0x00007FF7B5F31000-memory.dmp

Filesize
3.9MB

Download
memory/2360-493-0x00007FF7B5B40000-0x00007FF7B5F31000-memory.dmp

Filesize
3.9MB

Download
memory/2612-522-0x00007FF6C8C20000-0x00007FF6C9011000-memory.dmp

Filesize
3.9MB

Download
memory/2612-2082-0x00007FF6C8C20000-0x00007FF6C9011000-memory.dmp

Filesize
3.9MB

Download
memory/2648-2043-0x00007FF704A80000-0x00007FF704E71000-memory.dmp

Filesize
3.9MB

Download
memory/2648-66-0x00007FF704A80000-0x00007FF704E71000-memory.dmp

Filesize
3.9MB

Download
memory/2648-2067-0x00007FF704A80000-0x00007FF704E71000-memory.dmp

Filesize
3.9MB

Download
memory/2812-36-0x00007FF65EC30000-0x00007FF65F021000-memory.dmp

Filesize
3.9MB

Download
memory/2812-2052-0x00007FF65EC30000-0x00007FF65F021000-memory.dmp

Filesize
3.9MB

Download
memory/2948-13-0x00007FF61AA30000-0x00007FF61AE21000-memory.dmp

Filesize
3.9MB

Download
memory/2948-1640-0x00007FF61AA30000-0x00007FF61AE21000-memory.dmp

Filesize
3.9MB

Download
memory/2948-2054-0x00007FF61AA30000-0x00007FF61AE21000-memory.dmp

Filesize
3.9MB

Download
memory/2964-2033-0x00007FF702880000-0x00007FF702C71000-memory.dmp

Filesize
3.9MB

Download
memory/2964-47-0x00007FF702880000-0x00007FF702C71000-memory.dmp

Filesize
3.9MB

Download
memory/2964-2060-0x00007FF702880000-0x00007FF702C71000-memory.dmp

Filesize
3.9MB

Download
memory/2976-2099-0x00007FF6D01C0000-0x00007FF6D05B1000-memory.dmp

Filesize
3.9MB

Download
memory/2976-517-0x00007FF6D01C0000-0x00007FF6D05B1000-memory.dmp

Filesize
3.9MB

Download
memory/3004-528-0x00007FF7EF290000-0x00007FF7EF681000-memory.dmp

Filesize
3.9MB

Download
memory/3004-2091-0x00007FF7EF290000-0x00007FF7EF681000-memory.dmp

Filesize
3.9MB

Download
memory/3116-2034-0x00007FF64AE90000-0x00007FF64B281000-memory.dmp

Filesize
3.9MB

Download
memory/3116-2058-0x00007FF64AE90000-0x00007FF64B281000-memory.dmp

Filesize
3.9MB

Download
memory/3116-49-0x00007FF64AE90000-0x00007FF64B281000-memory.dmp

Filesize
3.9MB

Download
memory/3228-2064-0x00007FF61F0E0000-0x00007FF61F4D1000-memory.dmp

Filesize
3.9MB

Download
memory/3228-2035-0x00007FF61F0E0000-0x00007FF61F4D1000-memory.dmp

Filesize
3.9MB

Download
memory/3228-63-0x00007FF61F0E0000-0x00007FF61F4D1000-memory.dmp

Filesize
3.9MB

Download
memory/3288-509-0x00007FF642690000-0x00007FF642A81000-memory.dmp

Filesize
3.9MB

Download
memory/3288-2076-0x00007FF642690000-0x00007FF642A81000-memory.dmp

Filesize
3.9MB

Download
memory/3508-547-0x00007FF7E99A0000-0x00007FF7E9D91000-memory.dmp

Filesize
3.9MB

Download
memory/3508-2089-0x00007FF7E99A0000-0x00007FF7E9D91000-memory.dmp

Filesize
3.9MB

Download
memory/3936-2085-0x00007FF6FABA0000-0x00007FF6FAF91000-memory.dmp

Filesize
3.9MB

Download
memory/3936-548-0x00007FF6FABA0000-0x00007FF6FAF91000-memory.dmp

Filesize
3.9MB

Download
memory/4188-1996-0x00007FF6B0420000-0x00007FF6B0811000-memory.dmp

Filesize
3.9MB

Download
memory/4188-2050-0x00007FF6B0420000-0x00007FF6B0811000-memory.dmp

Filesize
3.9MB

Download
memory/4188-14-0x00007FF6B0420000-0x00007FF6B0811000-memory.dmp

Filesize
3.9MB

Download
memory/4276-532-0x00007FF616110000-0x00007FF616501000-memory.dmp

Filesize
3.9MB

Download
memory/4276-2087-0x00007FF616110000-0x00007FF616501000-memory.dmp

Filesize
3.9MB

Download
memory/4400-2097-0x00007FF6C4EB0000-0x00007FF6C52A1000-memory.dmp

Filesize
3.9MB

Download
memory/4400-511-0x00007FF6C4EB0000-0x00007FF6C52A1000-memory.dmp

Filesize
3.9MB

Download
memory/4528-499-0x00007FF6653A0000-0x00007FF665791000-memory.dmp

Filesize
3.9MB

Download
memory/4528-2072-0x00007FF6653A0000-0x00007FF665791000-memory.dmp

Filesize
3.9MB

Download
memory/4608-1170-0x00007FF615C60000-0x00007FF616051000-memory.dmp

Filesize
3.9MB

Download
memory/4608-1994-0x00007FF615C60000-0x00007FF616051000-memory.dmp

Filesize
3.9MB

Download
memory/4608-0-0x00007FF615C60000-0x00007FF616051000-memory.dmp

Filesize
3.9MB

Download
memory/4608-1-0x00000164C21E0000-0x00000164C21F0000-memory.dmp

Filesize
64KB

Download
memory/4916-2002-0x00007FF7648A0000-0x00007FF764C91000-memory.dmp

Filesize
3.9MB

Download
memory/4916-35-0x00007FF7648A0000-0x00007FF764C91000-memory.dmp

Filesize
3.9MB

Download
memory/4916-2056-0x00007FF7648A0000-0x00007FF764C91000-memory.dmp

Filesize
3.9MB

Download
memory/5004-32-0x00007FF7097B0000-0x00007FF709BA1000-memory.dmp

Filesize
3.9MB

Download
memory/5004-2062-0x00007FF7097B0000-0x00007FF709BA1000-memory.dmp

Filesize
3.9MB

Download
memory/5004-1998-0x00007FF7097B0000-0x00007FF709BA1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads