xmrig | 9fa437a6d619014ad6f15f98a248e43b82774c59cf2bfc91645fd97a8a415d3c

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c12f3dc5833e93ae9a1dafa3e110c70N.exe
Size

1.4MB
MD5

6c12f3dc5833e93ae9a1dafa3e110c70
SHA1

e6be42c218468404fb4b8da1cf4050c5f371084b
SHA256

9fa437a6d619014ad6f15f98a248e43b82774c59cf2bfc91645fd97a8a415d3c
SHA512

60d401c3bf95384ad2a7a7e6ecf77207c0299d8367b1efa03a3c34312a03ab2d6cbe6c0774a6e2c9d41ca25163d8ed3b8e2c5e777f196b5b2fc9044c64f7b71a
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1dG+0JUx1p/IM:knw9oUUEEDl37jcq4nP7khd

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/3208-373-0x00007FF7D7C00000-0x00007FF7D7FF1000-memory.dmp	xmrig
behavioral2/memory/3292-376-0x00007FF6DE210000-0x00007FF6DE601000-memory.dmp	xmrig
behavioral2/memory/2500-387-0x00007FF6C4440000-0x00007FF6C4831000-memory.dmp	xmrig
behavioral2/memory/384-392-0x00007FF73E700000-0x00007FF73EAF1000-memory.dmp	xmrig
behavioral2/memory/4904-410-0x00007FF62E570000-0x00007FF62E961000-memory.dmp	xmrig
behavioral2/memory/2456-421-0x00007FF723420000-0x00007FF723811000-memory.dmp	xmrig
behavioral2/memory/1380-452-0x00007FF6C7D40000-0x00007FF6C8131000-memory.dmp	xmrig
behavioral2/memory/4608-453-0x00007FF706CD0000-0x00007FF7070C1000-memory.dmp	xmrig
behavioral2/memory/2784-450-0x00007FF790B90000-0x00007FF790F81000-memory.dmp	xmrig
behavioral2/memory/4060-444-0x00007FF703840000-0x00007FF703C31000-memory.dmp	xmrig
behavioral2/memory/2728-441-0x00007FF71E1B0000-0x00007FF71E5A1000-memory.dmp	xmrig
behavioral2/memory/1544-462-0x00007FF7A80B0000-0x00007FF7A84A1000-memory.dmp	xmrig
behavioral2/memory/1044-461-0x00007FF7E1720000-0x00007FF7E1B11000-memory.dmp	xmrig
behavioral2/memory/4644-424-0x00007FF76D560000-0x00007FF76D951000-memory.dmp	xmrig
behavioral2/memory/4144-466-0x00007FF78B280000-0x00007FF78B671000-memory.dmp	xmrig
behavioral2/memory/3968-465-0x00007FF6EF6F0000-0x00007FF6EFAE1000-memory.dmp	xmrig
behavioral2/memory/3004-464-0x00007FF700E20000-0x00007FF701211000-memory.dmp	xmrig
behavioral2/memory/2900-463-0x00007FF727120000-0x00007FF727511000-memory.dmp	xmrig
behavioral2/memory/4256-419-0x00007FF75F710000-0x00007FF75FB01000-memory.dmp	xmrig
behavioral2/memory/3708-418-0x00007FF602390000-0x00007FF602781000-memory.dmp	xmrig
behavioral2/memory/2952-405-0x00007FF7CF1A0000-0x00007FF7CF591000-memory.dmp	xmrig
behavioral2/memory/208-25-0x00007FF6F89B0000-0x00007FF6F8DA1000-memory.dmp	xmrig
behavioral2/memory/2400-1987-0x00007FF70E950000-0x00007FF70ED41000-memory.dmp	xmrig
behavioral2/memory/3944-1990-0x00007FF659CE0000-0x00007FF65A0D1000-memory.dmp	xmrig
behavioral2/memory/1832-2004-0x00007FF672160000-0x00007FF672551000-memory.dmp	xmrig
behavioral2/memory/208-2006-0x00007FF6F89B0000-0x00007FF6F8DA1000-memory.dmp	xmrig
behavioral2/memory/3968-2012-0x00007FF6EF6F0000-0x00007FF6EFAE1000-memory.dmp	xmrig
behavioral2/memory/4144-2014-0x00007FF78B280000-0x00007FF78B671000-memory.dmp	xmrig
behavioral2/memory/3004-2010-0x00007FF700E20000-0x00007FF701211000-memory.dmp	xmrig
behavioral2/memory/3944-2008-0x00007FF659CE0000-0x00007FF65A0D1000-memory.dmp	xmrig
behavioral2/memory/3208-2018-0x00007FF7D7C00000-0x00007FF7D7FF1000-memory.dmp	xmrig
behavioral2/memory/2952-2032-0x00007FF7CF1A0000-0x00007FF7CF591000-memory.dmp	xmrig
behavioral2/memory/384-2034-0x00007FF73E700000-0x00007FF73EAF1000-memory.dmp	xmrig
behavioral2/memory/4608-2046-0x00007FF706CD0000-0x00007FF7070C1000-memory.dmp	xmrig
behavioral2/memory/1044-2048-0x00007FF7E1720000-0x00007FF7E1B11000-memory.dmp	xmrig
behavioral2/memory/2900-2050-0x00007FF727120000-0x00007FF727511000-memory.dmp	xmrig
behavioral2/memory/1544-2044-0x00007FF7A80B0000-0x00007FF7A84A1000-memory.dmp	xmrig
behavioral2/memory/1380-2042-0x00007FF6C7D40000-0x00007FF6C8131000-memory.dmp	xmrig
behavioral2/memory/2784-2040-0x00007FF790B90000-0x00007FF790F81000-memory.dmp	xmrig
behavioral2/memory/4060-2038-0x00007FF703840000-0x00007FF703C31000-memory.dmp	xmrig
behavioral2/memory/2728-2036-0x00007FF71E1B0000-0x00007FF71E5A1000-memory.dmp	xmrig
behavioral2/memory/4256-2028-0x00007FF75F710000-0x00007FF75FB01000-memory.dmp	xmrig
behavioral2/memory/2456-2022-0x00007FF723420000-0x00007FF723811000-memory.dmp	xmrig
behavioral2/memory/2500-2020-0x00007FF6C4440000-0x00007FF6C4831000-memory.dmp	xmrig
behavioral2/memory/3292-2016-0x00007FF6DE210000-0x00007FF6DE601000-memory.dmp	xmrig
behavioral2/memory/4904-2030-0x00007FF62E570000-0x00007FF62E961000-memory.dmp	xmrig
behavioral2/memory/3708-2026-0x00007FF602390000-0x00007FF602781000-memory.dmp	xmrig
behavioral2/memory/4644-2024-0x00007FF76D560000-0x00007FF76D951000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1832	zMnQDcA.exe
208	CfVrCNq.exe
3004	lddUnfs.exe
3968	wBQiIXT.exe
3944	eDJwUVA.exe
4144	uXuBdnG.exe
3208	iZIBESx.exe
3292	tyoZkjL.exe
2500	jHWAVGb.exe
384	NEYHDbS.exe
2952	YBKQWwk.exe
4904	kFTfDGz.exe
3708	tQbZkTJ.exe
4256	tqbMHLw.exe
2456	SFUsxTF.exe
4644	TXksiMm.exe
2728	WpjXACa.exe
4060	NsBIkXD.exe
2784	XmYzONF.exe
1380	RHzckyc.exe
4608	kcxpjKp.exe
1044	teoYsRv.exe
1544	IKXECsH.exe
2900	qfAKTfW.exe
1288	icmHrgx.exe
2808	lMHFmjd.exe
640	cKeuHIm.exe
544	TvubuqB.exe
796	bUhQvys.exe
2192	CuhrwRw.exe
2364	eEWTlqm.exe
2076	jVhAtTO.exe
1528	GDMhDgo.exe
4452	OdRJNJe.exe
4272	jRCxZuP.exe
1376	hBMtmAH.exe
3008	amMuYXW.exe
1844	leDCcHD.exe
3188	QtaRWOv.exe
2584	rIJliUp.exe
4592	pccmDzI.exe
3284	QLBRimi.exe
4392	tKztBgR.exe
4540	hFaXhlr.exe
4792	YsgPMid.exe
452	oZRVgAi.exe
1500	JVljTBn.exe
4860	mzadvzz.exe
4856	IcoUJFL.exe
4312	zVmcUHR.exe
852	gZSfidb.exe
1276	tDUxVDm.exe
3224	yaQZLDG.exe
1988	sWhOgnE.exe
3692	VICDeNj.exe
1656	mXNHPhD.exe
3756	xSCalvG.exe
4748	UxsUMOF.exe
1976	WyrdqhZ.exe
1232	ZvTZAsl.exe
1036	rGziwyL.exe
4436	AoGKfGj.exe
1928	PETEhmZ.exe
4736	rBIbmUu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2400-0-0x00007FF70E950000-0x00007FF70ED41000-memory.dmp	upx
behavioral2/files/0x00070000000233fd-7.dat	upx
behavioral2/memory/1832-15-0x00007FF672160000-0x00007FF672551000-memory.dmp	upx
behavioral2/files/0x00070000000233fe-20.dat	upx
behavioral2/files/0x0007000000023400-36.dat	upx
behavioral2/files/0x0007000000023403-51.dat	upx
behavioral2/files/0x0007000000023404-53.dat	upx
behavioral2/files/0x0007000000023405-58.dat	upx
behavioral2/files/0x0007000000023407-65.dat	upx
behavioral2/files/0x0007000000023409-78.dat	upx
behavioral2/files/0x000700000002340a-86.dat	upx
behavioral2/files/0x000700000002340d-94.dat	upx
behavioral2/files/0x0007000000023410-116.dat	upx
behavioral2/files/0x0007000000023412-126.dat	upx
behavioral2/files/0x0007000000023415-141.dat	upx
behavioral2/memory/3208-373-0x00007FF7D7C00000-0x00007FF7D7FF1000-memory.dmp	upx
behavioral2/memory/3944-369-0x00007FF659CE0000-0x00007FF65A0D1000-memory.dmp	upx
behavioral2/memory/3292-376-0x00007FF6DE210000-0x00007FF6DE601000-memory.dmp	upx
behavioral2/memory/2500-387-0x00007FF6C4440000-0x00007FF6C4831000-memory.dmp	upx
behavioral2/memory/384-392-0x00007FF73E700000-0x00007FF73EAF1000-memory.dmp	upx
behavioral2/memory/4904-410-0x00007FF62E570000-0x00007FF62E961000-memory.dmp	upx
behavioral2/memory/2456-421-0x00007FF723420000-0x00007FF723811000-memory.dmp	upx
behavioral2/memory/1380-452-0x00007FF6C7D40000-0x00007FF6C8131000-memory.dmp	upx
behavioral2/memory/4608-453-0x00007FF706CD0000-0x00007FF7070C1000-memory.dmp	upx
behavioral2/memory/2784-450-0x00007FF790B90000-0x00007FF790F81000-memory.dmp	upx
behavioral2/memory/4060-444-0x00007FF703840000-0x00007FF703C31000-memory.dmp	upx
behavioral2/memory/2728-441-0x00007FF71E1B0000-0x00007FF71E5A1000-memory.dmp	upx
behavioral2/memory/1544-462-0x00007FF7A80B0000-0x00007FF7A84A1000-memory.dmp	upx
behavioral2/memory/1044-461-0x00007FF7E1720000-0x00007FF7E1B11000-memory.dmp	upx
behavioral2/memory/4644-424-0x00007FF76D560000-0x00007FF76D951000-memory.dmp	upx
behavioral2/memory/4144-466-0x00007FF78B280000-0x00007FF78B671000-memory.dmp	upx
behavioral2/memory/3968-465-0x00007FF6EF6F0000-0x00007FF6EFAE1000-memory.dmp	upx
behavioral2/memory/3004-464-0x00007FF700E20000-0x00007FF701211000-memory.dmp	upx
behavioral2/memory/2900-463-0x00007FF727120000-0x00007FF727511000-memory.dmp	upx
behavioral2/memory/4256-419-0x00007FF75F710000-0x00007FF75FB01000-memory.dmp	upx
behavioral2/memory/3708-418-0x00007FF602390000-0x00007FF602781000-memory.dmp	upx
behavioral2/memory/2952-405-0x00007FF7CF1A0000-0x00007FF7CF591000-memory.dmp	upx
behavioral2/files/0x000700000002341a-163.dat	upx
behavioral2/files/0x0007000000023419-161.dat	upx
behavioral2/files/0x0007000000023418-156.dat	upx
behavioral2/files/0x0007000000023417-151.dat	upx
behavioral2/files/0x0007000000023416-146.dat	upx
behavioral2/files/0x0007000000023414-136.dat	upx
behavioral2/files/0x0007000000023413-131.dat	upx
behavioral2/files/0x0007000000023411-121.dat	upx
behavioral2/files/0x000700000002340f-111.dat	upx
behavioral2/files/0x000700000002340e-106.dat	upx
behavioral2/files/0x000700000002340c-96.dat	upx
behavioral2/files/0x000700000002340b-91.dat	upx
behavioral2/files/0x0007000000023408-76.dat	upx
behavioral2/files/0x0007000000023406-63.dat	upx
behavioral2/files/0x0007000000023402-43.dat	upx
behavioral2/files/0x0007000000023401-38.dat	upx
behavioral2/files/0x00070000000233ff-26.dat	upx
behavioral2/memory/208-25-0x00007FF6F89B0000-0x00007FF6F8DA1000-memory.dmp	upx
behavioral2/files/0x00080000000233fc-14.dat	upx
behavioral2/files/0x00090000000233f4-9.dat	upx
behavioral2/memory/2400-1987-0x00007FF70E950000-0x00007FF70ED41000-memory.dmp	upx
behavioral2/memory/3944-1990-0x00007FF659CE0000-0x00007FF65A0D1000-memory.dmp	upx
behavioral2/memory/1832-2004-0x00007FF672160000-0x00007FF672551000-memory.dmp	upx
behavioral2/memory/208-2006-0x00007FF6F89B0000-0x00007FF6F8DA1000-memory.dmp	upx
behavioral2/memory/3968-2012-0x00007FF6EF6F0000-0x00007FF6EFAE1000-memory.dmp	upx
behavioral2/memory/4144-2014-0x00007FF78B280000-0x00007FF78B671000-memory.dmp	upx
behavioral2/memory/3004-2010-0x00007FF700E20000-0x00007FF701211000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\nhVjvwI.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\aRqekXA.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\GeitAbc.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\luMgUKg.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\WyrdqhZ.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\HHXeKHO.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\GhaQGcM.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\GEKJeOw.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\iaeuklQ.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\iqVMLoe.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\CxYLPfs.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\DGbPcQx.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\ZvTZAsl.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\efunRKa.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\BUXuNkP.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\mzadvzz.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\swiJuhM.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\ZdIBjzV.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\JWPeOwW.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\LyuDCRO.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\rvXLTzH.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\SoOwnES.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\gQmKAQd.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\QKZKaKE.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\BbskCXH.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\HmlTmcP.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\tetEiRt.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\BHGXPZh.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\uVcyJhr.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\CHxgOzS.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\UxsUMOF.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\ifvpTya.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\nKkzuxZ.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\oZRVgAi.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\wwMlYZc.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\MiDqvkt.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\EGAlVtM.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\oPTpFrR.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\sYtYdAI.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\oGQXcKG.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\KDsdINF.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\aBrLYeS.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\GnWKyyb.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\qYjrcbN.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\SucgZKq.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\ktxGrfE.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\vLYCtgA.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\ThehHTx.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\sacLtTY.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\SjdSzEb.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\NfwFRvt.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\DOcrxeK.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\EbOmRnj.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\KSCgNBG.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\SzBcAZh.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\rIJliUp.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\GaCGOvF.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\OTDSJgw.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\ntMfhjY.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\GzmcIpA.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\EIgnccd.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\FJfoZEC.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\umOqshx.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe
File created	C:\Windows\System32\YuGMgZS.exe	6c12f3dc5833e93ae9a1dafa3e110c70N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12920	dwm.exe
Token: SeChangeNotifyPrivilege	12920	dwm.exe
Token: 33	12920	dwm.exe
Token: SeIncBasePriorityPrivilege	12920	dwm.exe
Token: SeShutdownPrivilege	12920	dwm.exe
Token: SeCreatePagefilePrivilege	12920	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1832	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	83
PID 2400 wrote to memory of 1832	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	83
PID 2400 wrote to memory of 208	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	84
PID 2400 wrote to memory of 208	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	84
PID 2400 wrote to memory of 3004	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	85
PID 2400 wrote to memory of 3004	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	85
PID 2400 wrote to memory of 3968	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	86
PID 2400 wrote to memory of 3968	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	86
PID 2400 wrote to memory of 3944	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	87
PID 2400 wrote to memory of 3944	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	87
PID 2400 wrote to memory of 4144	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	88
PID 2400 wrote to memory of 4144	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	88
PID 2400 wrote to memory of 3208	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	89
PID 2400 wrote to memory of 3208	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	89
PID 2400 wrote to memory of 3292	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	90
PID 2400 wrote to memory of 3292	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	90
PID 2400 wrote to memory of 2500	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	91
PID 2400 wrote to memory of 2500	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	91
PID 2400 wrote to memory of 384	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	92
PID 2400 wrote to memory of 384	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	92
PID 2400 wrote to memory of 2952	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	93
PID 2400 wrote to memory of 2952	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	93
PID 2400 wrote to memory of 4904	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	94
PID 2400 wrote to memory of 4904	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	94
PID 2400 wrote to memory of 3708	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	95
PID 2400 wrote to memory of 3708	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	95
PID 2400 wrote to memory of 4256	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	96
PID 2400 wrote to memory of 4256	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	96
PID 2400 wrote to memory of 2456	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	97
PID 2400 wrote to memory of 2456	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	97
PID 2400 wrote to memory of 4644	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	98
PID 2400 wrote to memory of 4644	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	98
PID 2400 wrote to memory of 2728	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	99
PID 2400 wrote to memory of 2728	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	99
PID 2400 wrote to memory of 4060	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	100
PID 2400 wrote to memory of 4060	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	100
PID 2400 wrote to memory of 2784	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	101
PID 2400 wrote to memory of 2784	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	101
PID 2400 wrote to memory of 1380	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	102
PID 2400 wrote to memory of 1380	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	102
PID 2400 wrote to memory of 4608	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	103
PID 2400 wrote to memory of 4608	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	103
PID 2400 wrote to memory of 1044	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	104
PID 2400 wrote to memory of 1044	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	104
PID 2400 wrote to memory of 1544	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	105
PID 2400 wrote to memory of 1544	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	105
PID 2400 wrote to memory of 2900	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	106
PID 2400 wrote to memory of 2900	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	106
PID 2400 wrote to memory of 1288	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	107
PID 2400 wrote to memory of 1288	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	107
PID 2400 wrote to memory of 2808	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	108
PID 2400 wrote to memory of 2808	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	108
PID 2400 wrote to memory of 640	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	109
PID 2400 wrote to memory of 640	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	109
PID 2400 wrote to memory of 544	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	110
PID 2400 wrote to memory of 544	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	110
PID 2400 wrote to memory of 796	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	111
PID 2400 wrote to memory of 796	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	111
PID 2400 wrote to memory of 2192	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	112
PID 2400 wrote to memory of 2192	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	112
PID 2400 wrote to memory of 2364	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	113
PID 2400 wrote to memory of 2364	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	113
PID 2400 wrote to memory of 2076	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	114
PID 2400 wrote to memory of 2076	2400	6c12f3dc5833e93ae9a1dafa3e110c70N.exe	114

C:\Users\Admin\AppData\Local\Temp\6c12f3dc5833e93ae9a1dafa3e110c70N.exe
"C:\Users\Admin\AppData\Local\Temp\6c12f3dc5833e93ae9a1dafa3e110c70N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\System32\zMnQDcA.exe
  C:\Windows\System32\zMnQDcA.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System32\CfVrCNq.exe
  C:\Windows\System32\CfVrCNq.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System32\lddUnfs.exe
  C:\Windows\System32\lddUnfs.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System32\wBQiIXT.exe
  C:\Windows\System32\wBQiIXT.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\eDJwUVA.exe
  C:\Windows\System32\eDJwUVA.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\uXuBdnG.exe
  C:\Windows\System32\uXuBdnG.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\iZIBESx.exe
  C:\Windows\System32\iZIBESx.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System32\tyoZkjL.exe
  C:\Windows\System32\tyoZkjL.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\jHWAVGb.exe
  C:\Windows\System32\jHWAVGb.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System32\NEYHDbS.exe
  C:\Windows\System32\NEYHDbS.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System32\YBKQWwk.exe
  C:\Windows\System32\YBKQWwk.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System32\kFTfDGz.exe
  C:\Windows\System32\kFTfDGz.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\tQbZkTJ.exe
  C:\Windows\System32\tQbZkTJ.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\tqbMHLw.exe
  C:\Windows\System32\tqbMHLw.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\SFUsxTF.exe
  C:\Windows\System32\SFUsxTF.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System32\TXksiMm.exe
  C:\Windows\System32\TXksiMm.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\WpjXACa.exe
  C:\Windows\System32\WpjXACa.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System32\NsBIkXD.exe
  C:\Windows\System32\NsBIkXD.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\XmYzONF.exe
  C:\Windows\System32\XmYzONF.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System32\RHzckyc.exe
  C:\Windows\System32\RHzckyc.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\kcxpjKp.exe
  C:\Windows\System32\kcxpjKp.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System32\teoYsRv.exe
  C:\Windows\System32\teoYsRv.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System32\IKXECsH.exe
  C:\Windows\System32\IKXECsH.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System32\qfAKTfW.exe
  C:\Windows\System32\qfAKTfW.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System32\icmHrgx.exe
  C:\Windows\System32\icmHrgx.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System32\lMHFmjd.exe
  C:\Windows\System32\lMHFmjd.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System32\cKeuHIm.exe
  C:\Windows\System32\cKeuHIm.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\TvubuqB.exe
  C:\Windows\System32\TvubuqB.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System32\bUhQvys.exe
  C:\Windows\System32\bUhQvys.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System32\CuhrwRw.exe
  C:\Windows\System32\CuhrwRw.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System32\eEWTlqm.exe
  C:\Windows\System32\eEWTlqm.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System32\jVhAtTO.exe
  C:\Windows\System32\jVhAtTO.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\GDMhDgo.exe
  C:\Windows\System32\GDMhDgo.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\OdRJNJe.exe
  C:\Windows\System32\OdRJNJe.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\jRCxZuP.exe
  C:\Windows\System32\jRCxZuP.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\hBMtmAH.exe
  C:\Windows\System32\hBMtmAH.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\amMuYXW.exe
  C:\Windows\System32\amMuYXW.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System32\leDCcHD.exe
  C:\Windows\System32\leDCcHD.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System32\QtaRWOv.exe
  C:\Windows\System32\QtaRWOv.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System32\rIJliUp.exe
  C:\Windows\System32\rIJliUp.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System32\pccmDzI.exe
  C:\Windows\System32\pccmDzI.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System32\QLBRimi.exe
  C:\Windows\System32\QLBRimi.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\tKztBgR.exe
  C:\Windows\System32\tKztBgR.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System32\hFaXhlr.exe
  C:\Windows\System32\hFaXhlr.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System32\YsgPMid.exe
  C:\Windows\System32\YsgPMid.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\oZRVgAi.exe
  C:\Windows\System32\oZRVgAi.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System32\JVljTBn.exe
  C:\Windows\System32\JVljTBn.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System32\mzadvzz.exe
  C:\Windows\System32\mzadvzz.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\IcoUJFL.exe
  C:\Windows\System32\IcoUJFL.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\zVmcUHR.exe
  C:\Windows\System32\zVmcUHR.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\gZSfidb.exe
  C:\Windows\System32\gZSfidb.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System32\tDUxVDm.exe
  C:\Windows\System32\tDUxVDm.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System32\yaQZLDG.exe
  C:\Windows\System32\yaQZLDG.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\sWhOgnE.exe
  C:\Windows\System32\sWhOgnE.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System32\VICDeNj.exe
  C:\Windows\System32\VICDeNj.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\mXNHPhD.exe
  C:\Windows\System32\mXNHPhD.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System32\xSCalvG.exe
  C:\Windows\System32\xSCalvG.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System32\UxsUMOF.exe
  C:\Windows\System32\UxsUMOF.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System32\WyrdqhZ.exe
  C:\Windows\System32\WyrdqhZ.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System32\ZvTZAsl.exe
  C:\Windows\System32\ZvTZAsl.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System32\rGziwyL.exe
  C:\Windows\System32\rGziwyL.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System32\AoGKfGj.exe
  C:\Windows\System32\AoGKfGj.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\PETEhmZ.exe
  C:\Windows\System32\PETEhmZ.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System32\rBIbmUu.exe
  C:\Windows\System32\rBIbmUu.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System32\rvXLTzH.exe
  C:\Windows\System32\rvXLTzH.exe
  2⤵
  PID:4472
- C:\Windows\System32\DiHKCzH.exe
  C:\Windows\System32\DiHKCzH.exe
  2⤵
  PID:4912
- C:\Windows\System32\FvBBmUj.exe
  C:\Windows\System32\FvBBmUj.exe
  2⤵
  PID:2796
- C:\Windows\System32\MtcKBoP.exe
  C:\Windows\System32\MtcKBoP.exe
  2⤵
  PID:2676
- C:\Windows\System32\SxldvzG.exe
  C:\Windows\System32\SxldvzG.exe
  2⤵
  PID:1876
- C:\Windows\System32\Hrhyzom.exe
  C:\Windows\System32\Hrhyzom.exe
  2⤵
  PID:5016
- C:\Windows\System32\zoQfDwj.exe
  C:\Windows\System32\zoQfDwj.exe
  2⤵
  PID:4664
- C:\Windows\System32\QdrzuOq.exe
  C:\Windows\System32\QdrzuOq.exe
  2⤵
  PID:1452
- C:\Windows\System32\aXoXHyu.exe
  C:\Windows\System32\aXoXHyu.exe
  2⤵
  PID:2684
- C:\Windows\System32\sYtYdAI.exe
  C:\Windows\System32\sYtYdAI.exe
  2⤵
  PID:4012
- C:\Windows\System32\vYhUXBX.exe
  C:\Windows\System32\vYhUXBX.exe
  2⤵
  PID:1896
- C:\Windows\System32\rcNRbht.exe
  C:\Windows\System32\rcNRbht.exe
  2⤵
  PID:828
- C:\Windows\System32\LCgvIgf.exe
  C:\Windows\System32\LCgvIgf.exe
  2⤵
  PID:4848
- C:\Windows\System32\BbskCXH.exe
  C:\Windows\System32\BbskCXH.exe
  2⤵
  PID:1436
- C:\Windows\System32\pwBssvp.exe
  C:\Windows\System32\pwBssvp.exe
  2⤵
  PID:1520
- C:\Windows\System32\POsucVf.exe
  C:\Windows\System32\POsucVf.exe
  2⤵
  PID:1924
- C:\Windows\System32\ZeERFUV.exe
  C:\Windows\System32\ZeERFUV.exe
  2⤵
  PID:4576
- C:\Windows\System32\LOvoJUD.exe
  C:\Windows\System32\LOvoJUD.exe
  2⤵
  PID:4408
- C:\Windows\System32\XwWvjSN.exe
  C:\Windows\System32\XwWvjSN.exe
  2⤵
  PID:3412
- C:\Windows\System32\Jbbyhkx.exe
  C:\Windows\System32\Jbbyhkx.exe
  2⤵
  PID:1404
- C:\Windows\System32\NfwFRvt.exe
  C:\Windows\System32\NfwFRvt.exe
  2⤵
  PID:1736
- C:\Windows\System32\iJNJPdv.exe
  C:\Windows\System32\iJNJPdv.exe
  2⤵
  PID:4656
- C:\Windows\System32\ygCSIBv.exe
  C:\Windows\System32\ygCSIBv.exe
  2⤵
  PID:3696
- C:\Windows\System32\nlGPOdQ.exe
  C:\Windows\System32\nlGPOdQ.exe
  2⤵
  PID:1296
- C:\Windows\System32\qYjrcbN.exe
  C:\Windows\System32\qYjrcbN.exe
  2⤵
  PID:2320
- C:\Windows\System32\DTeCpHj.exe
  C:\Windows\System32\DTeCpHj.exe
  2⤵
  PID:1724
- C:\Windows\System32\iZPnBhN.exe
  C:\Windows\System32\iZPnBhN.exe
  2⤵
  PID:524
- C:\Windows\System32\umOqshx.exe
  C:\Windows\System32\umOqshx.exe
  2⤵
  PID:4024
- C:\Windows\System32\eteCeaU.exe
  C:\Windows\System32\eteCeaU.exe
  2⤵
  PID:4628
- C:\Windows\System32\PyEbSUE.exe
  C:\Windows\System32\PyEbSUE.exe
  2⤵
  PID:5144
- C:\Windows\System32\bBkHawi.exe
  C:\Windows\System32\bBkHawi.exe
  2⤵
  PID:5180
- C:\Windows\System32\LywtGCW.exe
  C:\Windows\System32\LywtGCW.exe
  2⤵
  PID:5200
- C:\Windows\System32\fAdMULB.exe
  C:\Windows\System32\fAdMULB.exe
  2⤵
  PID:5228
- C:\Windows\System32\okVfvsi.exe
  C:\Windows\System32\okVfvsi.exe
  2⤵
  PID:5256
- C:\Windows\System32\lawhbPQ.exe
  C:\Windows\System32\lawhbPQ.exe
  2⤵
  PID:5280
- C:\Windows\System32\xjRGZpF.exe
  C:\Windows\System32\xjRGZpF.exe
  2⤵
  PID:5312
- C:\Windows\System32\iJICgcN.exe
  C:\Windows\System32\iJICgcN.exe
  2⤵
  PID:5344
- C:\Windows\System32\UBLInnt.exe
  C:\Windows\System32\UBLInnt.exe
  2⤵
  PID:5392
- C:\Windows\System32\oMxWIiC.exe
  C:\Windows\System32\oMxWIiC.exe
  2⤵
  PID:5412
- C:\Windows\System32\YGWxXbn.exe
  C:\Windows\System32\YGWxXbn.exe
  2⤵
  PID:5436
- C:\Windows\System32\TpuExfH.exe
  C:\Windows\System32\TpuExfH.exe
  2⤵
  PID:5452
- C:\Windows\System32\qLaOgAh.exe
  C:\Windows\System32\qLaOgAh.exe
  2⤵
  PID:5476
- C:\Windows\System32\vqClmfO.exe
  C:\Windows\System32\vqClmfO.exe
  2⤵
  PID:5492
- C:\Windows\System32\iETNIKC.exe
  C:\Windows\System32\iETNIKC.exe
  2⤵
  PID:5536
- C:\Windows\System32\bigjeQK.exe
  C:\Windows\System32\bigjeQK.exe
  2⤵
  PID:5576
- C:\Windows\System32\KbQTayA.exe
  C:\Windows\System32\KbQTayA.exe
  2⤵
  PID:5596
- C:\Windows\System32\NeHNAdd.exe
  C:\Windows\System32\NeHNAdd.exe
  2⤵
  PID:5628
- C:\Windows\System32\efunRKa.exe
  C:\Windows\System32\efunRKa.exe
  2⤵
  PID:5644
- C:\Windows\System32\LcvbUOs.exe
  C:\Windows\System32\LcvbUOs.exe
  2⤵
  PID:5664
- C:\Windows\System32\nuNBrRg.exe
  C:\Windows\System32\nuNBrRg.exe
  2⤵
  PID:5688
- C:\Windows\System32\drHMaMW.exe
  C:\Windows\System32\drHMaMW.exe
  2⤵
  PID:5708
- C:\Windows\System32\SiRUAhZ.exe
  C:\Windows\System32\SiRUAhZ.exe
  2⤵
  PID:5724
- C:\Windows\System32\HPXpCaW.exe
  C:\Windows\System32\HPXpCaW.exe
  2⤵
  PID:5748
- C:\Windows\System32\BHfftPq.exe
  C:\Windows\System32\BHfftPq.exe
  2⤵
  PID:5768
- C:\Windows\System32\WmoZzEy.exe
  C:\Windows\System32\WmoZzEy.exe
  2⤵
  PID:5896
- C:\Windows\System32\dAOLwXv.exe
  C:\Windows\System32\dAOLwXv.exe
  2⤵
  PID:5924
- C:\Windows\System32\buWJCzl.exe
  C:\Windows\System32\buWJCzl.exe
  2⤵
  PID:5944
- C:\Windows\System32\iaeuklQ.exe
  C:\Windows\System32\iaeuklQ.exe
  2⤵
  PID:5976
- C:\Windows\System32\jmLSlYE.exe
  C:\Windows\System32\jmLSlYE.exe
  2⤵
  PID:5992
- C:\Windows\System32\uSrPicI.exe
  C:\Windows\System32\uSrPicI.exe
  2⤵
  PID:6012
- C:\Windows\System32\MLPiamu.exe
  C:\Windows\System32\MLPiamu.exe
  2⤵
  PID:6032
- C:\Windows\System32\ThFKpHv.exe
  C:\Windows\System32\ThFKpHv.exe
  2⤵
  PID:6052
- C:\Windows\System32\uLWAsQf.exe
  C:\Windows\System32\uLWAsQf.exe
  2⤵
  PID:2368
- C:\Windows\System32\zPrwYRW.exe
  C:\Windows\System32\zPrwYRW.exe
  2⤵
  PID:1800
- C:\Windows\System32\wrBcqBy.exe
  C:\Windows\System32\wrBcqBy.exe
  2⤵
  PID:5188
- C:\Windows\System32\DEVKzKG.exe
  C:\Windows\System32\DEVKzKG.exe
  2⤵
  PID:5220
- C:\Windows\System32\tPODbZY.exe
  C:\Windows\System32\tPODbZY.exe
  2⤵
  PID:5268
- C:\Windows\System32\EJyxBIa.exe
  C:\Windows\System32\EJyxBIa.exe
  2⤵
  PID:4120
- C:\Windows\System32\ahwRHmK.exe
  C:\Windows\System32\ahwRHmK.exe
  2⤵
  PID:3788
- C:\Windows\System32\SoOwnES.exe
  C:\Windows\System32\SoOwnES.exe
  2⤵
  PID:1032
- C:\Windows\System32\JryuFwq.exe
  C:\Windows\System32\JryuFwq.exe
  2⤵
  PID:5404
- C:\Windows\System32\bupgmhT.exe
  C:\Windows\System32\bupgmhT.exe
  2⤵
  PID:5400
- C:\Windows\System32\nVJkUMQ.exe
  C:\Windows\System32\nVJkUMQ.exe
  2⤵
  PID:5444
- C:\Windows\System32\DZHYspR.exe
  C:\Windows\System32\DZHYspR.exe
  2⤵
  PID:5556
- C:\Windows\System32\IRFXEGh.exe
  C:\Windows\System32\IRFXEGh.exe
  2⤵
  PID:4828
- C:\Windows\System32\CohKeXc.exe
  C:\Windows\System32\CohKeXc.exe
  2⤵
  PID:5760
- C:\Windows\System32\vjKtomu.exe
  C:\Windows\System32\vjKtomu.exe
  2⤵
  PID:5756
- C:\Windows\System32\fBmCoGu.exe
  C:\Windows\System32\fBmCoGu.exe
  2⤵
  PID:6048
- C:\Windows\System32\xDcyzOi.exe
  C:\Windows\System32\xDcyzOi.exe
  2⤵
  PID:5972
- C:\Windows\System32\avYcLOn.exe
  C:\Windows\System32\avYcLOn.exe
  2⤵
  PID:5912
- C:\Windows\System32\iEMlGRk.exe
  C:\Windows\System32\iEMlGRk.exe
  2⤵
  PID:5960
- C:\Windows\System32\ZyNDSmp.exe
  C:\Windows\System32\ZyNDSmp.exe
  2⤵
  PID:6068
- C:\Windows\System32\nlkKKxS.exe
  C:\Windows\System32\nlkKKxS.exe
  2⤵
  PID:5212
- C:\Windows\System32\HLlqpBH.exe
  C:\Windows\System32\HLlqpBH.exe
  2⤵
  PID:1560
- C:\Windows\System32\eRCgAcW.exe
  C:\Windows\System32\eRCgAcW.exe
  2⤵
  PID:4840
- C:\Windows\System32\BUXuNkP.exe
  C:\Windows\System32\BUXuNkP.exe
  2⤵
  PID:5408
- C:\Windows\System32\FXXWkGu.exe
  C:\Windows\System32\FXXWkGu.exe
  2⤵
  PID:4196
- C:\Windows\System32\UxpRyoI.exe
  C:\Windows\System32\UxpRyoI.exe
  2⤵
  PID:1620
- C:\Windows\System32\OEyIgsA.exe
  C:\Windows\System32\OEyIgsA.exe
  2⤵
  PID:1824
- C:\Windows\System32\JFRzdsz.exe
  C:\Windows\System32\JFRzdsz.exe
  2⤵
  PID:3680
- C:\Windows\System32\SucgZKq.exe
  C:\Windows\System32\SucgZKq.exe
  2⤵
  PID:1700
- C:\Windows\System32\ZQBXKeM.exe
  C:\Windows\System32\ZQBXKeM.exe
  2⤵
  PID:4836
- C:\Windows\System32\gYUvzHi.exe
  C:\Windows\System32\gYUvzHi.exe
  2⤵
  PID:5484
- C:\Windows\System32\cjlxDfo.exe
  C:\Windows\System32\cjlxDfo.exe
  2⤵
  PID:5428
- C:\Windows\System32\KOpsmmv.exe
  C:\Windows\System32\KOpsmmv.exe
  2⤵
  PID:5732
- C:\Windows\System32\jQzBsFX.exe
  C:\Windows\System32\jQzBsFX.exe
  2⤵
  PID:6000
- C:\Windows\System32\UaYyswe.exe
  C:\Windows\System32\UaYyswe.exe
  2⤵
  PID:4432
- C:\Windows\System32\uVlgXeN.exe
  C:\Windows\System32\uVlgXeN.exe
  2⤵
  PID:2592
- C:\Windows\System32\qBusOhA.exe
  C:\Windows\System32\qBusOhA.exe
  2⤵
  PID:1848
- C:\Windows\System32\upUBvEm.exe
  C:\Windows\System32\upUBvEm.exe
  2⤵
  PID:2148
- C:\Windows\System32\lXrqYdq.exe
  C:\Windows\System32\lXrqYdq.exe
  2⤵
  PID:5780
- C:\Windows\System32\XEBXlOv.exe
  C:\Windows\System32\XEBXlOv.exe
  2⤵
  PID:6104
- C:\Windows\System32\sDvseko.exe
  C:\Windows\System32\sDvseko.exe
  2⤵
  PID:5264
- C:\Windows\System32\MXSotzf.exe
  C:\Windows\System32\MXSotzf.exe
  2⤵
  PID:3732
- C:\Windows\System32\CHxgOzS.exe
  C:\Windows\System32\CHxgOzS.exe
  2⤵
  PID:5324
- C:\Windows\System32\BWQmgcL.exe
  C:\Windows\System32\BWQmgcL.exe
  2⤵
  PID:4844
- C:\Windows\System32\tlCkNKk.exe
  C:\Windows\System32\tlCkNKk.exe
  2⤵
  PID:6076
- C:\Windows\System32\XcvwvlI.exe
  C:\Windows\System32\XcvwvlI.exe
  2⤵
  PID:4412
- C:\Windows\System32\lKQqtWE.exe
  C:\Windows\System32\lKQqtWE.exe
  2⤵
  PID:6108
- C:\Windows\System32\GpuAkGv.exe
  C:\Windows\System32\GpuAkGv.exe
  2⤵
  PID:5164
- C:\Windows\System32\dDjzkjz.exe
  C:\Windows\System32\dDjzkjz.exe
  2⤵
  PID:5208
- C:\Windows\System32\IGisspb.exe
  C:\Windows\System32\IGisspb.exe
  2⤵
  PID:3560
- C:\Windows\System32\AQHEiKh.exe
  C:\Windows\System32\AQHEiKh.exe
  2⤵
  PID:1408
- C:\Windows\System32\GaCGOvF.exe
  C:\Windows\System32\GaCGOvF.exe
  2⤵
  PID:3244
- C:\Windows\System32\ifvpTya.exe
  C:\Windows\System32\ifvpTya.exe
  2⤵
  PID:4532
- C:\Windows\System32\MAwhCFV.exe
  C:\Windows\System32\MAwhCFV.exe
  2⤵
  PID:4868
- C:\Windows\System32\iSRnuxR.exe
  C:\Windows\System32\iSRnuxR.exe
  2⤵
  PID:5248
- C:\Windows\System32\wsCeFMl.exe
  C:\Windows\System32\wsCeFMl.exe
  2⤵
  PID:6176
- C:\Windows\System32\PtMjnyK.exe
  C:\Windows\System32\PtMjnyK.exe
  2⤵
  PID:6208
- C:\Windows\System32\XgbSiuS.exe
  C:\Windows\System32\XgbSiuS.exe
  2⤵
  PID:6224
- C:\Windows\System32\XLYhuyR.exe
  C:\Windows\System32\XLYhuyR.exe
  2⤵
  PID:6248
- C:\Windows\System32\rVVXthN.exe
  C:\Windows\System32\rVVXthN.exe
  2⤵
  PID:6264
- C:\Windows\System32\jlUKoPq.exe
  C:\Windows\System32\jlUKoPq.exe
  2⤵
  PID:6288
- C:\Windows\System32\ktxGrfE.exe
  C:\Windows\System32\ktxGrfE.exe
  2⤵
  PID:6312
- C:\Windows\System32\jeXlBTL.exe
  C:\Windows\System32\jeXlBTL.exe
  2⤵
  PID:6328
- C:\Windows\System32\PmBnJPn.exe
  C:\Windows\System32\PmBnJPn.exe
  2⤵
  PID:6352
- C:\Windows\System32\NaEnmll.exe
  C:\Windows\System32\NaEnmll.exe
  2⤵
  PID:6368
- C:\Windows\System32\uLSEiGB.exe
  C:\Windows\System32\uLSEiGB.exe
  2⤵
  PID:6408
- C:\Windows\System32\KrZqsRJ.exe
  C:\Windows\System32\KrZqsRJ.exe
  2⤵
  PID:6436
- C:\Windows\System32\GgLVppg.exe
  C:\Windows\System32\GgLVppg.exe
  2⤵
  PID:6456
- C:\Windows\System32\EiSwYrf.exe
  C:\Windows\System32\EiSwYrf.exe
  2⤵
  PID:6516
- C:\Windows\System32\eKvxdXO.exe
  C:\Windows\System32\eKvxdXO.exe
  2⤵
  PID:6588
- C:\Windows\System32\wwMlYZc.exe
  C:\Windows\System32\wwMlYZc.exe
  2⤵
  PID:6608
- C:\Windows\System32\qZhMfCr.exe
  C:\Windows\System32\qZhMfCr.exe
  2⤵
  PID:6628
- C:\Windows\System32\lLbPWsk.exe
  C:\Windows\System32\lLbPWsk.exe
  2⤵
  PID:6644
- C:\Windows\System32\dncBeZX.exe
  C:\Windows\System32\dncBeZX.exe
  2⤵
  PID:6668
- C:\Windows\System32\MbXnBkr.exe
  C:\Windows\System32\MbXnBkr.exe
  2⤵
  PID:6708
- C:\Windows\System32\YCFocaD.exe
  C:\Windows\System32\YCFocaD.exe
  2⤵
  PID:6724
- C:\Windows\System32\ZaVrPso.exe
  C:\Windows\System32\ZaVrPso.exe
  2⤵
  PID:6748
- C:\Windows\System32\OlwITPn.exe
  C:\Windows\System32\OlwITPn.exe
  2⤵
  PID:6764
- C:\Windows\System32\vLYCtgA.exe
  C:\Windows\System32\vLYCtgA.exe
  2⤵
  PID:6788
- C:\Windows\System32\FPjtScZ.exe
  C:\Windows\System32\FPjtScZ.exe
  2⤵
  PID:6816
- C:\Windows\System32\BLJdkMm.exe
  C:\Windows\System32\BLJdkMm.exe
  2⤵
  PID:6868
- C:\Windows\System32\crsBnwh.exe
  C:\Windows\System32\crsBnwh.exe
  2⤵
  PID:6892
- C:\Windows\System32\HmlTmcP.exe
  C:\Windows\System32\HmlTmcP.exe
  2⤵
  PID:6936
- C:\Windows\System32\WizyQcd.exe
  C:\Windows\System32\WizyQcd.exe
  2⤵
  PID:6988
- C:\Windows\System32\pITRiQq.exe
  C:\Windows\System32\pITRiQq.exe
  2⤵
  PID:7008
- C:\Windows\System32\qJFPZcE.exe
  C:\Windows\System32\qJFPZcE.exe
  2⤵
  PID:7032
- C:\Windows\System32\ZqRnspy.exe
  C:\Windows\System32\ZqRnspy.exe
  2⤵
  PID:7052
- C:\Windows\System32\EzsejtL.exe
  C:\Windows\System32\EzsejtL.exe
  2⤵
  PID:7068
- C:\Windows\System32\YuGMgZS.exe
  C:\Windows\System32\YuGMgZS.exe
  2⤵
  PID:7096
- C:\Windows\System32\joQiyrS.exe
  C:\Windows\System32\joQiyrS.exe
  2⤵
  PID:7116
- C:\Windows\System32\YxfvYEg.exe
  C:\Windows\System32\YxfvYEg.exe
  2⤵
  PID:7136
- C:\Windows\System32\VxogqyF.exe
  C:\Windows\System32\VxogqyF.exe
  2⤵
  PID:7156
- C:\Windows\System32\yqkkBsZ.exe
  C:\Windows\System32\yqkkBsZ.exe
  2⤵
  PID:2416
- C:\Windows\System32\GEKJeOw.exe
  C:\Windows\System32\GEKJeOw.exe
  2⤵
  PID:6260
- C:\Windows\System32\iLCMUAn.exe
  C:\Windows\System32\iLCMUAn.exe
  2⤵
  PID:6424
- C:\Windows\System32\TVoxvoE.exe
  C:\Windows\System32\TVoxvoE.exe
  2⤵
  PID:6472
- C:\Windows\System32\rYTjSSv.exe
  C:\Windows\System32\rYTjSSv.exe
  2⤵
  PID:6552
- C:\Windows\System32\OOKhXpf.exe
  C:\Windows\System32\OOKhXpf.exe
  2⤵
  PID:6524
- C:\Windows\System32\HtaBcUf.exe
  C:\Windows\System32\HtaBcUf.exe
  2⤵
  PID:6624
- C:\Windows\System32\SFRRbuJ.exe
  C:\Windows\System32\SFRRbuJ.exe
  2⤵
  PID:6640
- C:\Windows\System32\efVTebu.exe
  C:\Windows\System32\efVTebu.exe
  2⤵
  PID:6680
- C:\Windows\System32\UpOKQyo.exe
  C:\Windows\System32\UpOKQyo.exe
  2⤵
  PID:6800
- C:\Windows\System32\HHXeKHO.exe
  C:\Windows\System32\HHXeKHO.exe
  2⤵
  PID:6828
- C:\Windows\System32\cshjScx.exe
  C:\Windows\System32\cshjScx.exe
  2⤵
  PID:6884
- C:\Windows\System32\vMaYDUD.exe
  C:\Windows\System32\vMaYDUD.exe
  2⤵
  PID:6904
- C:\Windows\System32\kizrkry.exe
  C:\Windows\System32\kizrkry.exe
  2⤵
  PID:7000
- C:\Windows\System32\OJTpuBB.exe
  C:\Windows\System32\OJTpuBB.exe
  2⤵
  PID:7152
- C:\Windows\System32\OkOuEYq.exe
  C:\Windows\System32\OkOuEYq.exe
  2⤵
  PID:7148
- C:\Windows\System32\VDyrAGl.exe
  C:\Windows\System32\VDyrAGl.exe
  2⤵
  PID:6464
- C:\Windows\System32\CRwNIaT.exe
  C:\Windows\System32\CRwNIaT.exe
  2⤵
  PID:6540
- C:\Windows\System32\mVnlpYx.exe
  C:\Windows\System32\mVnlpYx.exe
  2⤵
  PID:2964
- C:\Windows\System32\rXOuphj.exe
  C:\Windows\System32\rXOuphj.exe
  2⤵
  PID:6636
- C:\Windows\System32\iqVMLoe.exe
  C:\Windows\System32\iqVMLoe.exe
  2⤵
  PID:6912
- C:\Windows\System32\dzKJtii.exe
  C:\Windows\System32\dzKJtii.exe
  2⤵
  PID:7060
- C:\Windows\System32\eoaaMhW.exe
  C:\Windows\System32\eoaaMhW.exe
  2⤵
  PID:6096
- C:\Windows\System32\AJCDXGV.exe
  C:\Windows\System32\AJCDXGV.exe
  2⤵
  PID:6388
- C:\Windows\System32\uhImeOt.exe
  C:\Windows\System32\uhImeOt.exe
  2⤵
  PID:6616
- C:\Windows\System32\rMxPLfx.exe
  C:\Windows\System32\rMxPLfx.exe
  2⤵
  PID:7104
- C:\Windows\System32\FgMmTtu.exe
  C:\Windows\System32\FgMmTtu.exe
  2⤵
  PID:6664
- C:\Windows\System32\UusSYFb.exe
  C:\Windows\System32\UusSYFb.exe
  2⤵
  PID:7184
- C:\Windows\System32\JxigjGV.exe
  C:\Windows\System32\JxigjGV.exe
  2⤵
  PID:7220
- C:\Windows\System32\cyAEuWU.exe
  C:\Windows\System32\cyAEuWU.exe
  2⤵
  PID:7248
- C:\Windows\System32\PoRXZfF.exe
  C:\Windows\System32\PoRXZfF.exe
  2⤵
  PID:7272
- C:\Windows\System32\nKkzuxZ.exe
  C:\Windows\System32\nKkzuxZ.exe
  2⤵
  PID:7312
- C:\Windows\System32\KetSdYz.exe
  C:\Windows\System32\KetSdYz.exe
  2⤵
  PID:7360
- C:\Windows\System32\nhVjvwI.exe
  C:\Windows\System32\nhVjvwI.exe
  2⤵
  PID:7376
- C:\Windows\System32\KPPoZlK.exe
  C:\Windows\System32\KPPoZlK.exe
  2⤵
  PID:7392
- C:\Windows\System32\MwLtxib.exe
  C:\Windows\System32\MwLtxib.exe
  2⤵
  PID:7412
- C:\Windows\System32\aPzizwM.exe
  C:\Windows\System32\aPzizwM.exe
  2⤵
  PID:7436
- C:\Windows\System32\tetEiRt.exe
  C:\Windows\System32\tetEiRt.exe
  2⤵
  PID:7468
- C:\Windows\System32\OTDSJgw.exe
  C:\Windows\System32\OTDSJgw.exe
  2⤵
  PID:7504
- C:\Windows\System32\snuoFNQ.exe
  C:\Windows\System32\snuoFNQ.exe
  2⤵
  PID:7528
- C:\Windows\System32\JfHknRE.exe
  C:\Windows\System32\JfHknRE.exe
  2⤵
  PID:7564
- C:\Windows\System32\gQmKAQd.exe
  C:\Windows\System32\gQmKAQd.exe
  2⤵
  PID:7600
- C:\Windows\System32\iGzASZY.exe
  C:\Windows\System32\iGzASZY.exe
  2⤵
  PID:7632
- C:\Windows\System32\zXOtKrb.exe
  C:\Windows\System32\zXOtKrb.exe
  2⤵
  PID:7648
- C:\Windows\System32\xEtiemb.exe
  C:\Windows\System32\xEtiemb.exe
  2⤵
  PID:7676
- C:\Windows\System32\OOneElN.exe
  C:\Windows\System32\OOneElN.exe
  2⤵
  PID:7692
- C:\Windows\System32\DZczdXC.exe
  C:\Windows\System32\DZczdXC.exe
  2⤵
  PID:7712
- C:\Windows\System32\xNDfJEM.exe
  C:\Windows\System32\xNDfJEM.exe
  2⤵
  PID:7732
- C:\Windows\System32\ZFtdbyi.exe
  C:\Windows\System32\ZFtdbyi.exe
  2⤵
  PID:7784
- C:\Windows\System32\gNcXMma.exe
  C:\Windows\System32\gNcXMma.exe
  2⤵
  PID:7816
- C:\Windows\System32\aRqekXA.exe
  C:\Windows\System32\aRqekXA.exe
  2⤵
  PID:7836
- C:\Windows\System32\FySiyUg.exe
  C:\Windows\System32\FySiyUg.exe
  2⤵
  PID:7864
- C:\Windows\System32\EjsLRwD.exe
  C:\Windows\System32\EjsLRwD.exe
  2⤵
  PID:7884
- C:\Windows\System32\JtYWsiB.exe
  C:\Windows\System32\JtYWsiB.exe
  2⤵
  PID:7920
- C:\Windows\System32\uZxGVBa.exe
  C:\Windows\System32\uZxGVBa.exe
  2⤵
  PID:7956
- C:\Windows\System32\qjhZMLr.exe
  C:\Windows\System32\qjhZMLr.exe
  2⤵
  PID:7976
- C:\Windows\System32\WCWoPfr.exe
  C:\Windows\System32\WCWoPfr.exe
  2⤵
  PID:8000
- C:\Windows\System32\KeHuzKm.exe
  C:\Windows\System32\KeHuzKm.exe
  2⤵
  PID:8032
- C:\Windows\System32\ThDJygU.exe
  C:\Windows\System32\ThDJygU.exe
  2⤵
  PID:8060
- C:\Windows\System32\sUzPPsg.exe
  C:\Windows\System32\sUzPPsg.exe
  2⤵
  PID:8084
- C:\Windows\System32\RGfjzeJ.exe
  C:\Windows\System32\RGfjzeJ.exe
  2⤵
  PID:8112
- C:\Windows\System32\OJjyMCG.exe
  C:\Windows\System32\OJjyMCG.exe
  2⤵
  PID:8132
- C:\Windows\System32\DnuUqjw.exe
  C:\Windows\System32\DnuUqjw.exe
  2⤵
  PID:8152
- C:\Windows\System32\lQncVBp.exe
  C:\Windows\System32\lQncVBp.exe
  2⤵
  PID:6488
- C:\Windows\System32\AYpYOGi.exe
  C:\Windows\System32\AYpYOGi.exe
  2⤵
  PID:6880
- C:\Windows\System32\swiJuhM.exe
  C:\Windows\System32\swiJuhM.exe
  2⤵
  PID:7216
- C:\Windows\System32\WXMxbql.exe
  C:\Windows\System32\WXMxbql.exe
  2⤵
  PID:7268
- C:\Windows\System32\nfBTbMs.exe
  C:\Windows\System32\nfBTbMs.exe
  2⤵
  PID:7404
- C:\Windows\System32\gHcEMFI.exe
  C:\Windows\System32\gHcEMFI.exe
  2⤵
  PID:7488
- C:\Windows\System32\jOhJjyE.exe
  C:\Windows\System32\jOhJjyE.exe
  2⤵
  PID:7520
- C:\Windows\System32\HcVdTqk.exe
  C:\Windows\System32\HcVdTqk.exe
  2⤵
  PID:7576
- C:\Windows\System32\SfpOVSY.exe
  C:\Windows\System32\SfpOVSY.exe
  2⤵
  PID:7640
- C:\Windows\System32\JEEljmP.exe
  C:\Windows\System32\JEEljmP.exe
  2⤵
  PID:7208
- C:\Windows\System32\LRmhsTi.exe
  C:\Windows\System32\LRmhsTi.exe
  2⤵
  PID:7280
- C:\Windows\System32\YGGBMxv.exe
  C:\Windows\System32\YGGBMxv.exe
  2⤵
  PID:7476
- C:\Windows\System32\VAcymsA.exe
  C:\Windows\System32\VAcymsA.exe
  2⤵
  PID:7536
- C:\Windows\System32\ChQaOMu.exe
  C:\Windows\System32\ChQaOMu.exe
  2⤵
  PID:7748
- C:\Windows\System32\Gckxgkr.exe
  C:\Windows\System32\Gckxgkr.exe
  2⤵
  PID:7856
- C:\Windows\System32\bsLwJFg.exe
  C:\Windows\System32\bsLwJFg.exe
  2⤵
  PID:7896
- C:\Windows\System32\KtARGQc.exe
  C:\Windows\System32\KtARGQc.exe
  2⤵
  PID:7964
- C:\Windows\System32\EbOmRnj.exe
  C:\Windows\System32\EbOmRnj.exe
  2⤵
  PID:8024
- C:\Windows\System32\WuEDwOC.exe
  C:\Windows\System32\WuEDwOC.exe
  2⤵
  PID:7984
- C:\Windows\System32\SfbzOXM.exe
  C:\Windows\System32\SfbzOXM.exe
  2⤵
  PID:8148
- C:\Windows\System32\VnwSBGi.exe
  C:\Windows\System32\VnwSBGi.exe
  2⤵
  PID:8140
- C:\Windows\System32\tYxGGXE.exe
  C:\Windows\System32\tYxGGXE.exe
  2⤵
  PID:7624
- C:\Windows\System32\GnWKyyb.exe
  C:\Windows\System32\GnWKyyb.exe
  2⤵
  PID:7608
- C:\Windows\System32\BtnKkiT.exe
  C:\Windows\System32\BtnKkiT.exe
  2⤵
  PID:8076
- C:\Windows\System32\KSCgNBG.exe
  C:\Windows\System32\KSCgNBG.exe
  2⤵
  PID:8096
- C:\Windows\System32\pixWFxR.exe
  C:\Windows\System32\pixWFxR.exe
  2⤵
  PID:7500
- C:\Windows\System32\YUcbXII.exe
  C:\Windows\System32\YUcbXII.exe
  2⤵
  PID:7932
- C:\Windows\System32\LVTwdGk.exe
  C:\Windows\System32\LVTwdGk.exe
  2⤵
  PID:8200
- C:\Windows\System32\tskwGwG.exe
  C:\Windows\System32\tskwGwG.exe
  2⤵
  PID:8240
- C:\Windows\System32\llSKVNN.exe
  C:\Windows\System32\llSKVNN.exe
  2⤵
  PID:8272
- C:\Windows\System32\ELtPeCX.exe
  C:\Windows\System32\ELtPeCX.exe
  2⤵
  PID:8288
- C:\Windows\System32\MiDqvkt.exe
  C:\Windows\System32\MiDqvkt.exe
  2⤵
  PID:8324
- C:\Windows\System32\GGfzpWy.exe
  C:\Windows\System32\GGfzpWy.exe
  2⤵
  PID:8352
- C:\Windows\System32\MWqRLcR.exe
  C:\Windows\System32\MWqRLcR.exe
  2⤵
  PID:8372
- C:\Windows\System32\ENbWfYk.exe
  C:\Windows\System32\ENbWfYk.exe
  2⤵
  PID:8412
- C:\Windows\System32\RLbmzzr.exe
  C:\Windows\System32\RLbmzzr.exe
  2⤵
  PID:8472
- C:\Windows\System32\fOnNsbL.exe
  C:\Windows\System32\fOnNsbL.exe
  2⤵
  PID:8496
- C:\Windows\System32\gYFsLum.exe
  C:\Windows\System32\gYFsLum.exe
  2⤵
  PID:8516
- C:\Windows\System32\OLUoLso.exe
  C:\Windows\System32\OLUoLso.exe
  2⤵
  PID:8540
- C:\Windows\System32\OFffpSf.exe
  C:\Windows\System32\OFffpSf.exe
  2⤵
  PID:8560
- C:\Windows\System32\xFsWlKi.exe
  C:\Windows\System32\xFsWlKi.exe
  2⤵
  PID:8576
- C:\Windows\System32\CDQVTIL.exe
  C:\Windows\System32\CDQVTIL.exe
  2⤵
  PID:8600
- C:\Windows\System32\kiWNecJ.exe
  C:\Windows\System32\kiWNecJ.exe
  2⤵
  PID:8620
- C:\Windows\System32\PurPlay.exe
  C:\Windows\System32\PurPlay.exe
  2⤵
  PID:8636
- C:\Windows\System32\GeitAbc.exe
  C:\Windows\System32\GeitAbc.exe
  2⤵
  PID:8680
- C:\Windows\System32\fFKCmeW.exe
  C:\Windows\System32\fFKCmeW.exe
  2⤵
  PID:8696
- C:\Windows\System32\mziiHbs.exe
  C:\Windows\System32\mziiHbs.exe
  2⤵
  PID:8752
- C:\Windows\System32\nRzRktx.exe
  C:\Windows\System32\nRzRktx.exe
  2⤵
  PID:8772
- C:\Windows\System32\BrRWHPj.exe
  C:\Windows\System32\BrRWHPj.exe
  2⤵
  PID:8832
- C:\Windows\System32\QqxAhxe.exe
  C:\Windows\System32\QqxAhxe.exe
  2⤵
  PID:8860
- C:\Windows\System32\aXPsQXV.exe
  C:\Windows\System32\aXPsQXV.exe
  2⤵
  PID:8888
- C:\Windows\System32\oGQXcKG.exe
  C:\Windows\System32\oGQXcKG.exe
  2⤵
  PID:8908
- C:\Windows\System32\tdHdurT.exe
  C:\Windows\System32\tdHdurT.exe
  2⤵
  PID:8932
- C:\Windows\System32\TkBqByf.exe
  C:\Windows\System32\TkBqByf.exe
  2⤵
  PID:8952
- C:\Windows\System32\FOIuORM.exe
  C:\Windows\System32\FOIuORM.exe
  2⤵
  PID:8988
- C:\Windows\System32\pdDbrOx.exe
  C:\Windows\System32\pdDbrOx.exe
  2⤵
  PID:9076
- C:\Windows\System32\powTobc.exe
  C:\Windows\System32\powTobc.exe
  2⤵
  PID:9176
- C:\Windows\System32\frcaBAX.exe
  C:\Windows\System32\frcaBAX.exe
  2⤵
  PID:9192
- C:\Windows\System32\ntMfhjY.exe
  C:\Windows\System32\ntMfhjY.exe
  2⤵
  PID:9208
- C:\Windows\System32\NryDsnI.exe
  C:\Windows\System32\NryDsnI.exe
  2⤵
  PID:8068
- C:\Windows\System32\ykoprbU.exe
  C:\Windows\System32\ykoprbU.exe
  2⤵
  PID:8212
- C:\Windows\System32\TCOsRal.exe
  C:\Windows\System32\TCOsRal.exe
  2⤵
  PID:8268
- C:\Windows\System32\clmerHd.exe
  C:\Windows\System32\clmerHd.exe
  2⤵
  PID:8304
- C:\Windows\System32\PpLWEls.exe
  C:\Windows\System32\PpLWEls.exe
  2⤵
  PID:8308
- C:\Windows\System32\TVWQIkr.exe
  C:\Windows\System32\TVWQIkr.exe
  2⤵
  PID:8424
- C:\Windows\System32\WWGHdFC.exe
  C:\Windows\System32\WWGHdFC.exe
  2⤵
  PID:8480
- C:\Windows\System32\XlfzZCk.exe
  C:\Windows\System32\XlfzZCk.exe
  2⤵
  PID:8504
- C:\Windows\System32\iHiNbZh.exe
  C:\Windows\System32\iHiNbZh.exe
  2⤵
  PID:8628
- C:\Windows\System32\khZChqZ.exe
  C:\Windows\System32\khZChqZ.exe
  2⤵
  PID:8704
- C:\Windows\System32\mCLCGiA.exe
  C:\Windows\System32\mCLCGiA.exe
  2⤵
  PID:8764
- C:\Windows\System32\slddFnc.exe
  C:\Windows\System32\slddFnc.exe
  2⤵
  PID:8852
- C:\Windows\System32\IHOQFfe.exe
  C:\Windows\System32\IHOQFfe.exe
  2⤵
  PID:8904
- C:\Windows\System32\dIymMXt.exe
  C:\Windows\System32\dIymMXt.exe
  2⤵
  PID:9020
- C:\Windows\System32\IzHTulZ.exe
  C:\Windows\System32\IzHTulZ.exe
  2⤵
  PID:9156
- C:\Windows\System32\zlHdsGw.exe
  C:\Windows\System32\zlHdsGw.exe
  2⤵
  PID:9116
- C:\Windows\System32\lnmQIke.exe
  C:\Windows\System32\lnmQIke.exe
  2⤵
  PID:9136
- C:\Windows\System32\ItgKWDe.exe
  C:\Windows\System32\ItgKWDe.exe
  2⤵
  PID:8388
- C:\Windows\System32\SqMRdlo.exe
  C:\Windows\System32\SqMRdlo.exe
  2⤵
  PID:9172
- C:\Windows\System32\wVtbmeJ.exe
  C:\Windows\System32\wVtbmeJ.exe
  2⤵
  PID:8380
- C:\Windows\System32\qLplkgL.exe
  C:\Windows\System32\qLplkgL.exe
  2⤵
  PID:7616
- C:\Windows\System32\ywyEhhg.exe
  C:\Windows\System32\ywyEhhg.exe
  2⤵
  PID:8644
- C:\Windows\System32\ryugvgg.exe
  C:\Windows\System32\ryugvgg.exe
  2⤵
  PID:8676
- C:\Windows\System32\AIufUtK.exe
  C:\Windows\System32\AIufUtK.exe
  2⤵
  PID:8724
- C:\Windows\System32\yHMNknh.exe
  C:\Windows\System32\yHMNknh.exe
  2⤵
  PID:9152
- C:\Windows\System32\NikcYeh.exe
  C:\Windows\System32\NikcYeh.exe
  2⤵
  PID:8368
- C:\Windows\System32\hsPyfhH.exe
  C:\Windows\System32\hsPyfhH.exe
  2⤵
  PID:8552
- C:\Windows\System32\uRnqxEf.exe
  C:\Windows\System32\uRnqxEf.exe
  2⤵
  PID:8788
- C:\Windows\System32\GzmcIpA.exe
  C:\Windows\System32\GzmcIpA.exe
  2⤵
  PID:9108
- C:\Windows\System32\KRrcIlR.exe
  C:\Windows\System32\KRrcIlR.exe
  2⤵
  PID:9168
- C:\Windows\System32\QKZKaKE.exe
  C:\Windows\System32\QKZKaKE.exe
  2⤵
  PID:7900
- C:\Windows\System32\GhaQGcM.exe
  C:\Windows\System32\GhaQGcM.exe
  2⤵
  PID:8816
- C:\Windows\System32\MMaOEnx.exe
  C:\Windows\System32\MMaOEnx.exe
  2⤵
  PID:9236
- C:\Windows\System32\HouzbRs.exe
  C:\Windows\System32\HouzbRs.exe
  2⤵
  PID:9264
- C:\Windows\System32\ZdIBjzV.exe
  C:\Windows\System32\ZdIBjzV.exe
  2⤵
  PID:9296
- C:\Windows\System32\EqydcGM.exe
  C:\Windows\System32\EqydcGM.exe
  2⤵
  PID:9316
- C:\Windows\System32\XNbDoWp.exe
  C:\Windows\System32\XNbDoWp.exe
  2⤵
  PID:9344
- C:\Windows\System32\AdXvpbB.exe
  C:\Windows\System32\AdXvpbB.exe
  2⤵
  PID:9404
- C:\Windows\System32\qYjEuCh.exe
  C:\Windows\System32\qYjEuCh.exe
  2⤵
  PID:9432
- C:\Windows\System32\JikjNuM.exe
  C:\Windows\System32\JikjNuM.exe
  2⤵
  PID:9492
- C:\Windows\System32\KujAJyz.exe
  C:\Windows\System32\KujAJyz.exe
  2⤵
  PID:9508
- C:\Windows\System32\eRmnqiw.exe
  C:\Windows\System32\eRmnqiw.exe
  2⤵
  PID:9536
- C:\Windows\System32\XtdTunl.exe
  C:\Windows\System32\XtdTunl.exe
  2⤵
  PID:9552
- C:\Windows\System32\ObwzZPx.exe
  C:\Windows\System32\ObwzZPx.exe
  2⤵
  PID:9568
- C:\Windows\System32\svKilyD.exe
  C:\Windows\System32\svKilyD.exe
  2⤵
  PID:9600
- C:\Windows\System32\hpTYmve.exe
  C:\Windows\System32\hpTYmve.exe
  2⤵
  PID:9620
- C:\Windows\System32\ehZEUEY.exe
  C:\Windows\System32\ehZEUEY.exe
  2⤵
  PID:9672
- C:\Windows\System32\VdFSLWF.exe
  C:\Windows\System32\VdFSLWF.exe
  2⤵
  PID:9716
- C:\Windows\System32\iRzydTL.exe
  C:\Windows\System32\iRzydTL.exe
  2⤵
  PID:9736
- C:\Windows\System32\NtvlZxk.exe
  C:\Windows\System32\NtvlZxk.exe
  2⤵
  PID:9756
- C:\Windows\System32\SzBcAZh.exe
  C:\Windows\System32\SzBcAZh.exe
  2⤵
  PID:9780
- C:\Windows\System32\RjieCdS.exe
  C:\Windows\System32\RjieCdS.exe
  2⤵
  PID:9800
- C:\Windows\System32\UYcoiiA.exe
  C:\Windows\System32\UYcoiiA.exe
  2⤵
  PID:9836
- C:\Windows\System32\gPHZffs.exe
  C:\Windows\System32\gPHZffs.exe
  2⤵
  PID:9864
- C:\Windows\System32\aKBmzow.exe
  C:\Windows\System32\aKBmzow.exe
  2⤵
  PID:9880
- C:\Windows\System32\CxYLPfs.exe
  C:\Windows\System32\CxYLPfs.exe
  2⤵
  PID:9928
- C:\Windows\System32\dluTAiy.exe
  C:\Windows\System32\dluTAiy.exe
  2⤵
  PID:9952
- C:\Windows\System32\vuilQML.exe
  C:\Windows\System32\vuilQML.exe
  2⤵
  PID:9976
- C:\Windows\System32\TOMWkDQ.exe
  C:\Windows\System32\TOMWkDQ.exe
  2⤵
  PID:10016
- C:\Windows\System32\oyxOdRs.exe
  C:\Windows\System32\oyxOdRs.exe
  2⤵
  PID:10032
- C:\Windows\System32\qhHBklh.exe
  C:\Windows\System32\qhHBklh.exe
  2⤵
  PID:10052
- C:\Windows\System32\DzqJKbC.exe
  C:\Windows\System32\DzqJKbC.exe
  2⤵
  PID:10088
- C:\Windows\System32\DGbPcQx.exe
  C:\Windows\System32\DGbPcQx.exe
  2⤵
  PID:10128
- C:\Windows\System32\RIipWiu.exe
  C:\Windows\System32\RIipWiu.exe
  2⤵
  PID:10148
- C:\Windows\System32\tvJdYmu.exe
  C:\Windows\System32\tvJdYmu.exe
  2⤵
  PID:10172
- C:\Windows\System32\ZSrBqYV.exe
  C:\Windows\System32\ZSrBqYV.exe
  2⤵
  PID:10188
- C:\Windows\System32\mbICilR.exe
  C:\Windows\System32\mbICilR.exe
  2⤵
  PID:10220
- C:\Windows\System32\FAZyLIl.exe
  C:\Windows\System32\FAZyLIl.exe
  2⤵
  PID:8524
- C:\Windows\System32\EcLytdU.exe
  C:\Windows\System32\EcLytdU.exe
  2⤵
  PID:3104
- C:\Windows\System32\xZNUlTE.exe
  C:\Windows\System32\xZNUlTE.exe
  2⤵
  PID:9308
- C:\Windows\System32\bdACcRv.exe
  C:\Windows\System32\bdACcRv.exe
  2⤵
  PID:9396
- C:\Windows\System32\TmOaDSU.exe
  C:\Windows\System32\TmOaDSU.exe
  2⤵
  PID:9520
- C:\Windows\System32\FVklgYQ.exe
  C:\Windows\System32\FVklgYQ.exe
  2⤵
  PID:9636
- C:\Windows\System32\qlrajzB.exe
  C:\Windows\System32\qlrajzB.exe
  2⤵
  PID:9644
- C:\Windows\System32\CGEujKN.exe
  C:\Windows\System32\CGEujKN.exe
  2⤵
  PID:9684
- C:\Windows\System32\QqkzjxK.exe
  C:\Windows\System32\QqkzjxK.exe
  2⤵
  PID:9692
- C:\Windows\System32\KMefifj.exe
  C:\Windows\System32\KMefifj.exe
  2⤵
  PID:9748
- C:\Windows\System32\nAqWQpQ.exe
  C:\Windows\System32\nAqWQpQ.exe
  2⤵
  PID:9824
- C:\Windows\System32\VlGlBpV.exe
  C:\Windows\System32\VlGlBpV.exe
  2⤵
  PID:9876
- C:\Windows\System32\JWPeOwW.exe
  C:\Windows\System32\JWPeOwW.exe
  2⤵
  PID:9936
- C:\Windows\System32\EkOuVsY.exe
  C:\Windows\System32\EkOuVsY.exe
  2⤵
  PID:9948
- C:\Windows\System32\YyPzFRh.exe
  C:\Windows\System32\YyPzFRh.exe
  2⤵
  PID:10108
- C:\Windows\System32\fcWuTKz.exe
  C:\Windows\System32\fcWuTKz.exe
  2⤵
  PID:10184
- C:\Windows\System32\NxvtEsC.exe
  C:\Windows\System32\NxvtEsC.exe
  2⤵
  PID:10212
- C:\Windows\System32\NIBfieq.exe
  C:\Windows\System32\NIBfieq.exe
  2⤵
  PID:9360
- C:\Windows\System32\wOdepHW.exe
  C:\Windows\System32\wOdepHW.exe
  2⤵
  PID:8396
- C:\Windows\System32\ZvuyZyr.exe
  C:\Windows\System32\ZvuyZyr.exe
  2⤵
  PID:9772
- C:\Windows\System32\eTqpLel.exe
  C:\Windows\System32\eTqpLel.exe
  2⤵
  PID:9872
- C:\Windows\System32\sVMvkIs.exe
  C:\Windows\System32\sVMvkIs.exe
  2⤵
  PID:10004
- C:\Windows\System32\BHGXPZh.exe
  C:\Windows\System32\BHGXPZh.exe
  2⤵
  PID:10028
- C:\Windows\System32\VgsfsaO.exe
  C:\Windows\System32\VgsfsaO.exe
  2⤵
  PID:9584
- C:\Windows\System32\cKnWFGA.exe
  C:\Windows\System32\cKnWFGA.exe
  2⤵
  PID:9964
- C:\Windows\System32\XOnjKMi.exe
  C:\Windows\System32\XOnjKMi.exe
  2⤵
  PID:10044
- C:\Windows\System32\eYnItyn.exe
  C:\Windows\System32\eYnItyn.exe
  2⤵
  PID:10156
- C:\Windows\System32\NhKyTzN.exe
  C:\Windows\System32\NhKyTzN.exe
  2⤵
  PID:8432
- C:\Windows\System32\giRPIzE.exe
  C:\Windows\System32\giRPIzE.exe
  2⤵
  PID:10268
- C:\Windows\System32\gSVXsMU.exe
  C:\Windows\System32\gSVXsMU.exe
  2⤵
  PID:10292
- C:\Windows\System32\OvuMnGT.exe
  C:\Windows\System32\OvuMnGT.exe
  2⤵
  PID:10312
- C:\Windows\System32\DjBCYHd.exe
  C:\Windows\System32\DjBCYHd.exe
  2⤵
  PID:10328
- C:\Windows\System32\OAziWQw.exe
  C:\Windows\System32\OAziWQw.exe
  2⤵
  PID:10356
- C:\Windows\System32\LEamRMG.exe
  C:\Windows\System32\LEamRMG.exe
  2⤵
  PID:10380
- C:\Windows\System32\mOqDDdH.exe
  C:\Windows\System32\mOqDDdH.exe
  2⤵
  PID:10436
- C:\Windows\System32\apMHiEQ.exe
  C:\Windows\System32\apMHiEQ.exe
  2⤵
  PID:10464
- C:\Windows\System32\oEuFWLh.exe
  C:\Windows\System32\oEuFWLh.exe
  2⤵
  PID:10480
- C:\Windows\System32\mTPedqY.exe
  C:\Windows\System32\mTPedqY.exe
  2⤵
  PID:10520
- C:\Windows\System32\DtHnTFE.exe
  C:\Windows\System32\DtHnTFE.exe
  2⤵
  PID:10552
- C:\Windows\System32\XXDYFOk.exe
  C:\Windows\System32\XXDYFOk.exe
  2⤵
  PID:10576
- C:\Windows\System32\GOXSEDs.exe
  C:\Windows\System32\GOXSEDs.exe
  2⤵
  PID:10600
- C:\Windows\System32\GJSXPdS.exe
  C:\Windows\System32\GJSXPdS.exe
  2⤵
  PID:10624
- C:\Windows\System32\dQhWpBA.exe
  C:\Windows\System32\dQhWpBA.exe
  2⤵
  PID:10640
- C:\Windows\System32\dSGYWMw.exe
  C:\Windows\System32\dSGYWMw.exe
  2⤵
  PID:10664
- C:\Windows\System32\ThehHTx.exe
  C:\Windows\System32\ThehHTx.exe
  2⤵
  PID:10704
- C:\Windows\System32\NnDcrhu.exe
  C:\Windows\System32\NnDcrhu.exe
  2⤵
  PID:10740
- C:\Windows\System32\GNXQBKt.exe
  C:\Windows\System32\GNXQBKt.exe
  2⤵
  PID:10788
- C:\Windows\System32\qyOkSHg.exe
  C:\Windows\System32\qyOkSHg.exe
  2⤵
  PID:10804
- C:\Windows\System32\jqFRvDa.exe
  C:\Windows\System32\jqFRvDa.exe
  2⤵
  PID:10840
- C:\Windows\System32\CtnJrNg.exe
  C:\Windows\System32\CtnJrNg.exe
  2⤵
  PID:10864
- C:\Windows\System32\eaeXjPb.exe
  C:\Windows\System32\eaeXjPb.exe
  2⤵
  PID:10892
- C:\Windows\System32\rxJoCwo.exe
  C:\Windows\System32\rxJoCwo.exe
  2⤵
  PID:10912
- C:\Windows\System32\TUrvKqQ.exe
  C:\Windows\System32\TUrvKqQ.exe
  2⤵
  PID:10936
- C:\Windows\System32\ZrhmOPQ.exe
  C:\Windows\System32\ZrhmOPQ.exe
  2⤵
  PID:10984
- C:\Windows\System32\GqvHmQz.exe
  C:\Windows\System32\GqvHmQz.exe
  2⤵
  PID:11008
- C:\Windows\System32\IYWQXrh.exe
  C:\Windows\System32\IYWQXrh.exe
  2⤵
  PID:11032
- C:\Windows\System32\PoiSRxv.exe
  C:\Windows\System32\PoiSRxv.exe
  2⤵
  PID:11052
- C:\Windows\System32\ceJFkmI.exe
  C:\Windows\System32\ceJFkmI.exe
  2⤵
  PID:11076
- C:\Windows\System32\ckxjhsD.exe
  C:\Windows\System32\ckxjhsD.exe
  2⤵
  PID:11104
- C:\Windows\System32\SUyVUex.exe
  C:\Windows\System32\SUyVUex.exe
  2⤵
  PID:11132
- C:\Windows\System32\ofTxKYM.exe
  C:\Windows\System32\ofTxKYM.exe
  2⤵
  PID:11164
- C:\Windows\System32\xbMmJGm.exe
  C:\Windows\System32\xbMmJGm.exe
  2⤵
  PID:11192
- C:\Windows\System32\QQsXUTK.exe
  C:\Windows\System32\QQsXUTK.exe
  2⤵
  PID:11216
- C:\Windows\System32\fRTCXHN.exe
  C:\Windows\System32\fRTCXHN.exe
  2⤵
  PID:9608
- C:\Windows\System32\JCZKhOM.exe
  C:\Windows\System32\JCZKhOM.exe
  2⤵
  PID:10256
- C:\Windows\System32\bwpYxLt.exe
  C:\Windows\System32\bwpYxLt.exe
  2⤵
  PID:10324
- C:\Windows\System32\KYJrLoT.exe
  C:\Windows\System32\KYJrLoT.exe
  2⤵
  PID:10376
- C:\Windows\System32\rIhEBtf.exe
  C:\Windows\System32\rIhEBtf.exe
  2⤵
  PID:10424
- C:\Windows\System32\EIgnccd.exe
  C:\Windows\System32\EIgnccd.exe
  2⤵
  PID:10456
- C:\Windows\System32\zqnYGgR.exe
  C:\Windows\System32\zqnYGgR.exe
  2⤵
  PID:10516
- C:\Windows\System32\RtaJrjS.exe
  C:\Windows\System32\RtaJrjS.exe
  2⤵
  PID:10560
- C:\Windows\System32\XqrILMS.exe
  C:\Windows\System32\XqrILMS.exe
  2⤵
  PID:10672
- C:\Windows\System32\kusKrHS.exe
  C:\Windows\System32\kusKrHS.exe
  2⤵
  PID:10772
- C:\Windows\System32\VJkhaxd.exe
  C:\Windows\System32\VJkhaxd.exe
  2⤵
  PID:10748
- C:\Windows\System32\MKHRlTt.exe
  C:\Windows\System32\MKHRlTt.exe
  2⤵
  PID:10852
- C:\Windows\System32\qyBCaWA.exe
  C:\Windows\System32\qyBCaWA.exe
  2⤵
  PID:10904
- C:\Windows\System32\DUGmAFc.exe
  C:\Windows\System32\DUGmAFc.exe
  2⤵
  PID:10944
- C:\Windows\System32\XSOtTcM.exe
  C:\Windows\System32\XSOtTcM.exe
  2⤵
  PID:11028
- C:\Windows\System32\BhozCBQ.exe
  C:\Windows\System32\BhozCBQ.exe
  2⤵
  PID:11120
- C:\Windows\System32\aDmMgtb.exe
  C:\Windows\System32\aDmMgtb.exe
  2⤵
  PID:11156
- C:\Windows\System32\AnkeYHV.exe
  C:\Windows\System32\AnkeYHV.exe
  2⤵
  PID:11228
- C:\Windows\System32\CYvTWeJ.exe
  C:\Windows\System32\CYvTWeJ.exe
  2⤵
  PID:10488
- C:\Windows\System32\KWHMOuy.exe
  C:\Windows\System32\KWHMOuy.exe
  2⤵
  PID:10752
- C:\Windows\System32\lvyHOko.exe
  C:\Windows\System32\lvyHOko.exe
  2⤵
  PID:10796
- C:\Windows\System32\luMgUKg.exe
  C:\Windows\System32\luMgUKg.exe
  2⤵
  PID:10820
- C:\Windows\System32\OfAQIpl.exe
  C:\Windows\System32\OfAQIpl.exe
  2⤵
  PID:11124
- C:\Windows\System32\mAqLgSQ.exe
  C:\Windows\System32\mAqLgSQ.exe
  2⤵
  PID:10392
- C:\Windows\System32\nwCCQFt.exe
  C:\Windows\System32\nwCCQFt.exe
  2⤵
  PID:10920
- C:\Windows\System32\uKUmCQE.exe
  C:\Windows\System32\uKUmCQE.exe
  2⤵
  PID:10540
- C:\Windows\System32\pdKoQxM.exe
  C:\Windows\System32\pdKoQxM.exe
  2⤵
  PID:11276
- C:\Windows\System32\xdcbWTL.exe
  C:\Windows\System32\xdcbWTL.exe
  2⤵
  PID:11312
- C:\Windows\System32\ZaUtmlo.exe
  C:\Windows\System32\ZaUtmlo.exe
  2⤵
  PID:11332
- C:\Windows\System32\IUjwaUc.exe
  C:\Windows\System32\IUjwaUc.exe
  2⤵
  PID:11360
- C:\Windows\System32\YKsgJnC.exe
  C:\Windows\System32\YKsgJnC.exe
  2⤵
  PID:11404
- C:\Windows\System32\rAELLUq.exe
  C:\Windows\System32\rAELLUq.exe
  2⤵
  PID:11424
- C:\Windows\System32\qVbVctB.exe
  C:\Windows\System32\qVbVctB.exe
  2⤵
  PID:11440
- C:\Windows\System32\UlhcCmJ.exe
  C:\Windows\System32\UlhcCmJ.exe
  2⤵
  PID:11476
- C:\Windows\System32\cgbKAMG.exe
  C:\Windows\System32\cgbKAMG.exe
  2⤵
  PID:11512
- C:\Windows\System32\iapmtAj.exe
  C:\Windows\System32\iapmtAj.exe
  2⤵
  PID:11548
- C:\Windows\System32\qRmyQiA.exe
  C:\Windows\System32\qRmyQiA.exe
  2⤵
  PID:11568
- C:\Windows\System32\LCTYTnN.exe
  C:\Windows\System32\LCTYTnN.exe
  2⤵
  PID:11588
- C:\Windows\System32\yjPPxmk.exe
  C:\Windows\System32\yjPPxmk.exe
  2⤵
  PID:11608
- C:\Windows\System32\BNhoDeV.exe
  C:\Windows\System32\BNhoDeV.exe
  2⤵
  PID:11628
- C:\Windows\System32\MurmaAf.exe
  C:\Windows\System32\MurmaAf.exe
  2⤵
  PID:11660
- C:\Windows\System32\hXjYkkV.exe
  C:\Windows\System32\hXjYkkV.exe
  2⤵
  PID:11680
- C:\Windows\System32\GxtxVba.exe
  C:\Windows\System32\GxtxVba.exe
  2⤵
  PID:11728
- C:\Windows\System32\sacLtTY.exe
  C:\Windows\System32\sacLtTY.exe
  2⤵
  PID:11744
- C:\Windows\System32\jyfXRxy.exe
  C:\Windows\System32\jyfXRxy.exe
  2⤵
  PID:11768
- C:\Windows\System32\exhxynN.exe
  C:\Windows\System32\exhxynN.exe
  2⤵
  PID:11788
- C:\Windows\System32\YzjSKwq.exe
  C:\Windows\System32\YzjSKwq.exe
  2⤵
  PID:11808
- C:\Windows\System32\HORAAii.exe
  C:\Windows\System32\HORAAii.exe
  2⤵
  PID:11836
- C:\Windows\System32\XtdxrAT.exe
  C:\Windows\System32\XtdxrAT.exe
  2⤵
  PID:11888
- C:\Windows\System32\YvwkOKE.exe
  C:\Windows\System32\YvwkOKE.exe
  2⤵
  PID:11908
- C:\Windows\System32\hmoIPyD.exe
  C:\Windows\System32\hmoIPyD.exe
  2⤵
  PID:11928
- C:\Windows\System32\fsYlZkw.exe
  C:\Windows\System32\fsYlZkw.exe
  2⤵
  PID:11976
- C:\Windows\System32\YOOlrVO.exe
  C:\Windows\System32\YOOlrVO.exe
  2⤵
  PID:12008
- C:\Windows\System32\NMMujAz.exe
  C:\Windows\System32\NMMujAz.exe
  2⤵
  PID:12032
- C:\Windows\System32\UkzVpFo.exe
  C:\Windows\System32\UkzVpFo.exe
  2⤵
  PID:12056
- C:\Windows\System32\msPrHPC.exe
  C:\Windows\System32\msPrHPC.exe
  2⤵
  PID:12076
- C:\Windows\System32\HHBEoaO.exe
  C:\Windows\System32\HHBEoaO.exe
  2⤵
  PID:12100
- C:\Windows\System32\ENGlzaj.exe
  C:\Windows\System32\ENGlzaj.exe
  2⤵
  PID:12180
- C:\Windows\System32\XHxzTnE.exe
  C:\Windows\System32\XHxzTnE.exe
  2⤵
  PID:12196
- C:\Windows\System32\UlMwxOm.exe
  C:\Windows\System32\UlMwxOm.exe
  2⤵
  PID:12212
- C:\Windows\System32\swGWSAD.exe
  C:\Windows\System32\swGWSAD.exe
  2⤵
  PID:12232
- C:\Windows\System32\wsZTpUG.exe
  C:\Windows\System32\wsZTpUG.exe
  2⤵
  PID:12248
- C:\Windows\System32\UoAjmLA.exe
  C:\Windows\System32\UoAjmLA.exe
  2⤵
  PID:12284
- C:\Windows\System32\hbDbJdb.exe
  C:\Windows\System32\hbDbJdb.exe
  2⤵
  PID:11340
- C:\Windows\System32\AHBIGXa.exe
  C:\Windows\System32\AHBIGXa.exe
  2⤵
  PID:11352
- C:\Windows\System32\waURDYA.exe
  C:\Windows\System32\waURDYA.exe
  2⤵
  PID:11412
- C:\Windows\System32\iQEfEdF.exe
  C:\Windows\System32\iQEfEdF.exe
  2⤵
  PID:11464
- C:\Windows\System32\uVcyJhr.exe
  C:\Windows\System32\uVcyJhr.exe
  2⤵
  PID:11584
- C:\Windows\System32\WhWPXqI.exe
  C:\Windows\System32\WhWPXqI.exe
  2⤵
  PID:11704
- C:\Windows\System32\KDsdINF.exe
  C:\Windows\System32\KDsdINF.exe
  2⤵
  PID:11784
- C:\Windows\System32\wNtjiBH.exe
  C:\Windows\System32\wNtjiBH.exe
  2⤵
  PID:11776
- C:\Windows\System32\RpIVPJO.exe
  C:\Windows\System32\RpIVPJO.exe
  2⤵
  PID:11816
- C:\Windows\System32\sLwzahr.exe
  C:\Windows\System32\sLwzahr.exe
  2⤵
  PID:11884
- C:\Windows\System32\Sposkuw.exe
  C:\Windows\System32\Sposkuw.exe
  2⤵
  PID:11956
- C:\Windows\System32\pyPUNOS.exe
  C:\Windows\System32\pyPUNOS.exe
  2⤵
  PID:12068
- C:\Windows\System32\szAcvSc.exe
  C:\Windows\System32\szAcvSc.exe
  2⤵
  PID:12096
- C:\Windows\System32\KhIfwfN.exe
  C:\Windows\System32\KhIfwfN.exe
  2⤵
  PID:1820
- C:\Windows\System32\zjCblUO.exe
  C:\Windows\System32\zjCblUO.exe
  2⤵
  PID:12192
- C:\Windows\System32\ssXWKRd.exe
  C:\Windows\System32\ssXWKRd.exe
  2⤵
  PID:12228
- C:\Windows\System32\HEjYDQH.exe
  C:\Windows\System32\HEjYDQH.exe
  2⤵
  PID:12240
- C:\Windows\System32\ujEYlnS.exe
  C:\Windows\System32\ujEYlnS.exe
  2⤵
  PID:11532
- C:\Windows\System32\LXiPwmr.exe
  C:\Windows\System32\LXiPwmr.exe
  2⤵
  PID:11644
- C:\Windows\System32\zyDNGFJ.exe
  C:\Windows\System32\zyDNGFJ.exe
  2⤵
  PID:11752
- C:\Windows\System32\fpmisVl.exe
  C:\Windows\System32\fpmisVl.exe
  2⤵
  PID:11988
- C:\Windows\System32\ZSzALDc.exe
  C:\Windows\System32\ZSzALDc.exe
  2⤵
  PID:12084
- C:\Windows\System32\itQZRxc.exe
  C:\Windows\System32\itQZRxc.exe
  2⤵
  PID:12176
- C:\Windows\System32\DbZZeLh.exe
  C:\Windows\System32\DbZZeLh.exe
  2⤵
  PID:11324
- C:\Windows\System32\BmpWgag.exe
  C:\Windows\System32\BmpWgag.exe
  2⤵
  PID:11696
- C:\Windows\System32\CaTyXHE.exe
  C:\Windows\System32\CaTyXHE.exe
  2⤵
  PID:11968
- C:\Windows\System32\YENlwIp.exe
  C:\Windows\System32\YENlwIp.exe
  2⤵
  PID:12264
- C:\Windows\System32\hYTfFst.exe
  C:\Windows\System32\hYTfFst.exe
  2⤵
  PID:12116
- C:\Windows\System32\HwJKJdA.exe
  C:\Windows\System32\HwJKJdA.exe
  2⤵
  PID:12316
- C:\Windows\System32\puRkOLu.exe
  C:\Windows\System32\puRkOLu.exe
  2⤵
  PID:12344
- C:\Windows\System32\NPuKmEN.exe
  C:\Windows\System32\NPuKmEN.exe
  2⤵
  PID:12368
- C:\Windows\System32\uhPxkSJ.exe
  C:\Windows\System32\uhPxkSJ.exe
  2⤵
  PID:12384
- C:\Windows\System32\YZNPWyd.exe
  C:\Windows\System32\YZNPWyd.exe
  2⤵
  PID:12408
- C:\Windows\System32\ufkmbny.exe
  C:\Windows\System32\ufkmbny.exe
  2⤵
  PID:12436
- C:\Windows\System32\JoOkvot.exe
  C:\Windows\System32\JoOkvot.exe
  2⤵
  PID:12476
- C:\Windows\System32\yBKgPuX.exe
  C:\Windows\System32\yBKgPuX.exe
  2⤵
  PID:12496
- C:\Windows\System32\KJFoQHB.exe
  C:\Windows\System32\KJFoQHB.exe
  2⤵
  PID:12520
- C:\Windows\System32\drboiqv.exe
  C:\Windows\System32\drboiqv.exe
  2⤵
  PID:12540
- C:\Windows\System32\otqFzFi.exe
  C:\Windows\System32\otqFzFi.exe
  2⤵
  PID:12568
- C:\Windows\System32\gaEwTza.exe
  C:\Windows\System32\gaEwTza.exe
  2⤵
  PID:12592
- C:\Windows\System32\LyuDCRO.exe
  C:\Windows\System32\LyuDCRO.exe
  2⤵
  PID:12608
- C:\Windows\System32\LaBGjde.exe
  C:\Windows\System32\LaBGjde.exe
  2⤵
  PID:12632
- C:\Windows\System32\nfHehSo.exe
  C:\Windows\System32\nfHehSo.exe
  2⤵
  PID:12684
- C:\Windows\System32\jROtGjy.exe
  C:\Windows\System32\jROtGjy.exe
  2⤵
  PID:12708
- C:\Windows\System32\dKLUJOy.exe
  C:\Windows\System32\dKLUJOy.exe
  2⤵
  PID:12732
- C:\Windows\System32\RRIOZTV.exe
  C:\Windows\System32\RRIOZTV.exe
  2⤵
  PID:12764
- C:\Windows\System32\aBrLYeS.exe
  C:\Windows\System32\aBrLYeS.exe
  2⤵
  PID:12792
- C:\Windows\System32\dNYkVTd.exe
  C:\Windows\System32\dNYkVTd.exe
  2⤵
  PID:12820
- C:\Windows\System32\SjdSzEb.exe
  C:\Windows\System32\SjdSzEb.exe
  2⤵
  PID:12836
- C:\Windows\System32\ZZOcivf.exe
  C:\Windows\System32\ZZOcivf.exe
  2⤵
  PID:12860
- C:\Windows\System32\tnMDJqt.exe
  C:\Windows\System32\tnMDJqt.exe
  2⤵
  PID:12880
- C:\Windows\System32\FYsZzvf.exe
  C:\Windows\System32\FYsZzvf.exe
  2⤵
  PID:12936
- C:\Windows\System32\gUrrfFY.exe
  C:\Windows\System32\gUrrfFY.exe
  2⤵
  PID:12956
- C:\Windows\System32\DeeGtLW.exe
  C:\Windows\System32\DeeGtLW.exe
  2⤵
  PID:12976
- C:\Windows\System32\sAAFQTL.exe
  C:\Windows\System32\sAAFQTL.exe
  2⤵
  PID:12996
- C:\Windows\System32\mnucdzq.exe
  C:\Windows\System32\mnucdzq.exe
  2⤵
  PID:13016
- C:\Windows\System32\XCcYXsu.exe
  C:\Windows\System32\XCcYXsu.exe
  2⤵
  PID:13048
- C:\Windows\System32\GDvRkTP.exe
  C:\Windows\System32\GDvRkTP.exe
  2⤵
  PID:13068
- C:\Windows\System32\FJfoZEC.exe
  C:\Windows\System32\FJfoZEC.exe
  2⤵
  PID:13116

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12920

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv nwboepaeCU6FLRm3o361vA.0
1⤵
PID:10404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\CfVrCNq.exe

Filesize
1.4MB

MD5
8bd5c22fa58db431d3250208d385da81

SHA1
7cf4b6feecc14f5440f17c14e028dd03ca565516

SHA256
270470572a9d24937c32e3494a0564450a4ea2d202f38dc27108efb5c1f89ff1

SHA512
23d9106cef65a560126b4d670e5514c8edeb7d6daf2d6d4d729f38cfcbf508405a776ef28582ffa9351f980ee73278bed81809c4c181b1302a01cb348769811e

Download Submit
C:\Windows\System32\CuhrwRw.exe

Filesize
1.4MB

MD5
619afcc09810bb235956b8216683bf7e

SHA1
6fcd2265bf99a4e07806127c0f4b787380af2b2c

SHA256
90058f32f48dddc0362c8c748baac472047388e39b233b6abd45c5bf8ea119d5

SHA512
51974ce1c0033ecd517cb82a26f512ec1c58040b4e85e68667e131a6520f3e9c79a2aca51684d9c3ad841c55bee220bb7aa61b0de611d42851af3fc1db1e00e0

Download Submit
C:\Windows\System32\IKXECsH.exe

Filesize
1.4MB

MD5
d919271250435b4fb4da6d8463829191

SHA1
753b53e94cc5a57d8b183749cb8ffb3439e46600

SHA256
8ee4d4011b110f628b1c8c6cd1eae13942d608b5db417474450a18223bc5349c

SHA512
30f4dd6bfc7cefc4e155d1c8b30c6bbaed87eb5edef91539adc902a97cf9826b22e48621351b6d92326cadca8a3ceddb030a7e8fc9ba2611073032d562d03c24

Download Submit
C:\Windows\System32\NEYHDbS.exe

Filesize
1.4MB

MD5
09e92a0752d08dd0f856fd392ecd1397

SHA1
a542eeecd929c44074e02f3d74a56d15b05ccbe3

SHA256
1f1fa69a910a3068c8861e5b5a193c33cb06422490621f9145aa62438849fdd1

SHA512
afb1ff3671058bc7ed3ed63d30da1e4eba793ff2f1b9cd2a62f3270f47dcf97eb829088541c73d55c523d5c6ae2190eef3c54f0101c813d6fbf1df01c8f8e53e

Download Submit
C:\Windows\System32\NsBIkXD.exe

Filesize
1.4MB

MD5
8bc6d7cb3c7b9545c2ce57ff4574c4fa

SHA1
a665ccee46fc33d2900f0b250e0687800ecedd8b

SHA256
966c48d6302a723e4439737f6161de6f50aa6446a773dfc9c1783e4635000b8b

SHA512
306007509f31494781e5265701dc9d5283f6843f2b7a9567290883e2513b1602a18ec8a82e135f99a4bc47447d24a925236c3ac5be50f83e0f502eb4143915a0

Download Submit
C:\Windows\System32\RHzckyc.exe

Filesize
1.4MB

MD5
76ace3874f9ba0b0316f43377a20efcd

SHA1
9137625769187b6b584270ba18ec5b8743e69bd3

SHA256
d26285ed7de6edde9871002c2c15271e6b697c6edb410648a043a2164973274b

SHA512
c7166a986d404624fd25c69f81ad28b3ce4625b5966e469cb25f8b934c77f905a979a33cca992aeb0fcfb04e9d3ba9c4ef502835d9fba6a0c681e01db23e2f82

Download Submit
C:\Windows\System32\SFUsxTF.exe

Filesize
1.4MB

MD5
1a87ba2e9615166055cfc8e3becec1b6

SHA1
e3b3dc454ea6a632b25126ee2f3364eebc5f1d31

SHA256
4d49d8ca2d45f404d37accc7c99b094c70de2bf27e9bbceda270e28a6744b3f9

SHA512
1aae2476f284bdf42d3b1c187cf6e85fbfc412c5a81c6742efea6876095fed6ca3228c248bdfeb3e2df232ad0f52b8b68f3d3eb0e7020acb18af839520552809

Download Submit
C:\Windows\System32\TXksiMm.exe

Filesize
1.4MB

MD5
c5c09350b7ead5ed07e4ebf8ee898a61

SHA1
01c89552ede317333bf463b7d0c93e340eeb7e17

SHA256
f5d2a17fa34eb998773c7e109ff6ae444aa721143dd9b22bd4f00454c6d42980

SHA512
c76fbb2b58bcfc4ef2a822453b7e84ac1a1538a44eb013115981af3f9da72a15609b4750e9d892fb0c62a8852093b32a8c780c30fa794ff37c43228dec3a5107

Download Submit
C:\Windows\System32\TvubuqB.exe

Filesize
1.4MB

MD5
418a0dd0bf3afb8c8133712ff8fc2357

SHA1
171f70e9ef2cf2218dac9fc27b867e067b3279f1

SHA256
4f22d637e6b1575690ddcf6c09ad19890966126f1bf12b7bc9f907686f758b8e

SHA512
f3e42a9cf30e607fa1e624200ab0a671ed2d79348a4135839471413645420df14fabc40a02a5f4c970f1e6e24f351fd0ea9cff5fac0dc4dd8c844cd4564c0f6e

Download Submit
C:\Windows\System32\WpjXACa.exe

Filesize
1.4MB

MD5
0266e907b3b5e25503ccb1a4598daaea

SHA1
17bc075c1133f4c7171bad1798c0603441801c85

SHA256
f0d6d3bcbd2e4f13bd32b9239d26c50361bad3ba412b0ed1eeca24ba7cd7d479

SHA512
bb434ef8457104a0d7ba0d73a756fdf443bb1d0129836cd6271d0f484a398350c3cee2b29dd2a1fa7215afdeefa8c663c704d1d7f80bebf1277705fe1b86450c

Download Submit
C:\Windows\System32\XmYzONF.exe

Filesize
1.4MB

MD5
a6a13468057c9c7b10dc5af39f9a5817

SHA1
2005f808212f797bb5f857b37a1f8b9a0472b578

SHA256
3b623206ae80ba23a40b382301c86eae1abb7d5362e6f4ae81e1fac4207a2f18

SHA512
665075a6422aff345c37ac9426b7f9088b1764ae79ef581694cd5ccae353e98ad08dc699b87ed2dfc2f34ac15f685e0b65edaf6fa60f6838ecff5dfe68bc16bd

Download Submit
C:\Windows\System32\YBKQWwk.exe

Filesize
1.4MB

MD5
4012d9c069b194684d5d4c6abe34599e

SHA1
b7f98bff4ff14edfae7f53744b04d89286e038c3

SHA256
2a4b7b530757d39203cbdf9ea2b4dd0882327ace1b7a22213f4268ec53fd6710

SHA512
c27ae54cf6be9a28b3d479fdda6b424cb00b062eba9e4ce0f42f77be5284d511c3afc4347f8797c545befcd81885e2b581d3300fcd3ebd13b694e88d8501ece4

Download Submit
C:\Windows\System32\bUhQvys.exe

Filesize
1.4MB

MD5
687a614b42c6c248b1d1e2f7063bf9f2

SHA1
91abfec27cd2fb8e684f7998259a5e90753ea45d

SHA256
3d10421284a3580ce848285b97e18817714905600eefd2f9a009bb4061e7f84c

SHA512
3ae999236b0f533d97ea1d7c37765dbcef023788c3ccba9eb9a47283eb5dbcaacef2d20a487274fc86896b8a84fe99c1535811004b7eaeb8f91356512ec4b532

Download Submit
C:\Windows\System32\cKeuHIm.exe

Filesize
1.4MB

MD5
c3dca5fd50ee28c3cfc776bc62ab8fa5

SHA1
deb2161f33e66ca07a2f96de7fcc60a2dbf97324

SHA256
e756858c0393afb909fec9e75870acab420f36d32fd2101d2af9f609761744a5

SHA512
ef2dd98039427e0f988fee942bd11227fcddec10a99d68394a5bef4802efb7e3b8baac6908fedb2c4cac5e3d094dd9f3a43236b6fb6a0fc5f4a1ea52f756d696

Download Submit
C:\Windows\System32\eDJwUVA.exe

Filesize
1.4MB

MD5
b25f78b8acaea275978837b0eb41c0a6

SHA1
39a02266b1bbb7ec9771b98c30e1fadd42b5cb64

SHA256
bf4ed5b711ff4d5623ff6b5b41536e943c15e7c715216fe0d98263931ef70181

SHA512
03abbbaf906a1c5d9f4d2712ef87c6dab7eabadb15f6a0a86be9063d5f1fa63a4697d717a3e416807bda8e918a0157815531059c849fb082074cfe22051b3474

Download Submit
C:\Windows\System32\eEWTlqm.exe

Filesize
1.4MB

MD5
f35e73009ffa0e8f0e4421ddf5a90855

SHA1
8600e95da93316585b58aa831266f77e89da382d

SHA256
4a457648eaf150ff49701d73411693b54e748e978db4e076e63fa01face7aaa7

SHA512
3acfc716cf353809dbc62889344feafddec202aa11c45158bfa3f9e367106b88d1bac28fce98cc6738177ffde9ac91872db92ab50b7906f9b08e3b1c3d678dca

Download Submit
C:\Windows\System32\iZIBESx.exe

Filesize
1.4MB

MD5
24d418d565eb72214d7bbf0710d292ca

SHA1
2a174c926cbbaea70f7d914e1ce76bea63d1326c

SHA256
6a3a5b896ef71a54fe09907a5d4a3de995fb55095b38842c3a46a7b4df666cbf

SHA512
e75d5aa02ee89c1915bfb199ef9e3da795f1c69817e19fd795fc5cf0e8299a36fa6010f0b5096a71c5dc704f700a748a316dcac7f28b2b7db71e77ec176afd7b

Download Submit
C:\Windows\System32\icmHrgx.exe

Filesize
1.4MB

MD5
def98d3c9f177be2b0726aafe10e0f6f

SHA1
45776e4820c949e624d586fe7477234bdd74d9e5

SHA256
e6a02a33b92f9e852481dfefc899a32da17ac11b6ce42e75c3f07a643755dbb1

SHA512
d0dcc20436a072d8a5e1b15822b12c21e16f8145b7a8c28852163b08acfd476f9260742a93f2368d149065685b4196873bebd1dba05b52f5cabf275977445e93

Download Submit
C:\Windows\System32\jHWAVGb.exe

Filesize
1.4MB

MD5
73514a79cab879965302e772176d3990

SHA1
d78adabbffea4b10affd526c8038a72473fef99c

SHA256
0117ea804c08acad7d60e7d12c797688a6a57552682ec7a21191769a87f536f2

SHA512
61a22853df893ab81650b1cd287c0fcc9956630d3000ea1e213f6485dc8bf0bb99c59ffd4ab73b4deb43ee09ef511d179976d70c6087aec90d778e1d7b6f1718

Download Submit
C:\Windows\System32\jVhAtTO.exe

Filesize
1.4MB

MD5
2be490094bbaad4bf9f909bb64ab2186

SHA1
20a221e07ce25a0000c496a4516344c24a37d935

SHA256
4d74174b9b630a819353a2a9456f95f2bb546bd7ce458c0116954fa8e0fac131

SHA512
4803d4b25983c26db21c78a600fc112ce0bf44e03c9832a8f0a49e8dde36c5c464697f5af7f51ca920705a1da805eb72fe5e7a9c700b352c18d9648155f8189e

Download Submit
C:\Windows\System32\kFTfDGz.exe

Filesize
1.4MB

MD5
8ffc8b688b7db7f5416ed0da1765615d

SHA1
17bef9141e7104bcde60564441a6a0ee870db518

SHA256
4dec3c564c3ffff8baa7ac7e4c9047c24624ad49ae1cc551c103d904167174ff

SHA512
544924fee1864f2383950b3d9caa785a958f0359200c044ba37b296e2e702efc53fb1b001182294f628abddda5496248d55a0ed4fdb4de2446d507069fe59c9d

Download Submit
C:\Windows\System32\kcxpjKp.exe

Filesize
1.4MB

MD5
1f1dca769d0f408afe8d5137d211498e

SHA1
c48b794e1b6f51f4b5c1bbd096121b73f69600ce

SHA256
b8aee3a35d6fcc5144a9f649b00cb4183b9104c80dd4a30fb0297f94f3f2eb1f

SHA512
9988f4a6781a0838f6dbe98fd9a54c2fad34f4a92687e0c28830c8e3f8dcd9c2618bc032218d4a9dc77ab9a883c2a5174d7649733ae9f85ff38aecda43f9ae83

Download Submit
C:\Windows\System32\lMHFmjd.exe

Filesize
1.4MB

MD5
1b1951888d3ef2ddb65da464d8c36ed3

SHA1
20bc71e0ba5c57f18190ef38e17d41785ba62bf7

SHA256
28d65bfde17c28d16cdabe25d997e8188705b79d4527165d801931670b701517

SHA512
e78e6942f5947883d53724d9be81882e86532a3088da0be540fd55466c8e0344905c91cded6628d3bc68d370e0f27877b606a7f53446ede17078bf0bf6a0ac92

Download Submit
C:\Windows\System32\lddUnfs.exe

Filesize
1.4MB

MD5
ac46ed5dfbb4836b0d345f9fe5f38e5a

SHA1
6268899c8e5c96b8968686cb81282e10a2f5a326

SHA256
390316f36d27c9b367bc8f6fd80c37edffa6e07dd81623e347f6beb5971b2b25

SHA512
701adb3c7429236bc1a19a717b10ebea8e606b90e205194c41ac0f98e03ced0a01bd34ac9d757ae4f2fd51fa098981e532d549ff680a93c42ac1625dcd5fe447

Download Submit
C:\Windows\System32\qfAKTfW.exe

Filesize
1.4MB

MD5
a454f64fb05e882e1bdaaf36efb2eabc

SHA1
3824dbe44aa0bd31f21e833054e629096ae87239

SHA256
622f42fe7287840f2bc136fe971df73a9ce836171b823dfce321d609ae263649

SHA512
96bbe19b1fd2706bbe760e9f41c0c076866accf73e2249b91eff2b90e259122d6b46ed56c2bbde9d4bbab53c9f522981eeb69b73c78e08fa9bec28eb77f1a8ae

Download Submit
C:\Windows\System32\tQbZkTJ.exe

Filesize
1.4MB

MD5
dd2e227f8d859e455a7a07bf040f2c15

SHA1
768f90ec853809e9298876236eb20971167fba09

SHA256
864f0e70d7a8bd4adac025395423e18ee9f6fd47d79696b6390993d1e7dd845d

SHA512
962d0f72dd325ef48c685b57f29817680795adef70790b5753dabc7ea41022f57ff790a9332b504dc13b4fe053b2ae0b071b7d2084c04de88b52c3dc87fd1755

Download Submit
C:\Windows\System32\teoYsRv.exe

Filesize
1.4MB

MD5
2fc941ced74100b2f13fcc8ffab1d26f

SHA1
e0396ccc115759567fc87c5038aa7f40e5cfc8d1

SHA256
2cddc062bf18e313cf7c2c0023ffe55c4917db3ec8dc094147a16a9b012be7eb

SHA512
ce2c5076cec14e7aac61e3caa385da2c066dd0b8a3664bda0b5bdd5f16922c2944502ba1c3da20034771600ee59ff5751601ac39a6fa3799fd108446a68c8b54

Download Submit
C:\Windows\System32\tqbMHLw.exe

Filesize
1.4MB

MD5
c54ada01c3a018d124ffb2e5a97fad5c

SHA1
50a0f4645362d0a87f9fd30e14d5d429834d8497

SHA256
9c9fd989d9ae2e77278231bdce6f797c6ebf3ef62a2e25c281fe6f3709ed9194

SHA512
43f3959bb3f05ae27f7c933081c56e70c56f0f3acceb88e6196b20286d7ca8534f36450df7adbb95fd527bbd1226f04fbcf555a51cf2b6dafaf33f272ee9e689

Download Submit
C:\Windows\System32\tyoZkjL.exe

Filesize
1.4MB

MD5
48d90d53cc617d7617edbca89ff63938

SHA1
3b08c088aef6998343452bac5c79b6694138fd45

SHA256
0f2bc15bd80f42e13909edbad1118ea302bb7acaa227829500c2ecc82df743e1

SHA512
5f5b4bfec228890e4f0660bfd4260f2c3427b31779e754a50bad551bc2b4adcc2d34f78eb72627a50a65a0807904ed08803701ae4f74dd615aef587017947679

Download Submit
C:\Windows\System32\uXuBdnG.exe

Filesize
1.4MB

MD5
ad2fd7cc6ecaa63a9b247171d5a7d70f

SHA1
47656f4cdca3a43f8fec5664cb9b8c7360a99a33

SHA256
b5e3418fa31e9e508b55315359f3029e4634376c439cfa562971b2393ead3261

SHA512
9396985d96ef5449e1a5894efbaf9006bd407c85f54464549b5908c3516e77d9bcc4b4a25b3b1efe41a9d799933250ffe1292c2716c06ceaf58e53c6a16be774

Download Submit
C:\Windows\System32\wBQiIXT.exe

Filesize
1.4MB

MD5
8d64abc27b443eb60989393d3721d98e

SHA1
16f3544d7fe18e635d84d060244fe61253c43df4

SHA256
605515b68965fd6223533bf28eb8ef2391a9d9523287f562f08f0ed1b41bbc6c

SHA512
ee646b9c97398a803432d1466be944405d9ceb7762d66f8b8c94667db1420a65ff84689467010da6c9ff5a7658341087ddd6cb784b18e07fd4d77f046d8607d6

Download Submit
C:\Windows\System32\zMnQDcA.exe

Filesize
1.4MB

MD5
38f60505d728284c60ab66ecb89440ed

SHA1
6453d5cc32c6b44ff2acdde2ac6ae1be7e847353

SHA256
5e2e4c73b898431c61abd5a757dad098214e14b734583ae14d0f7418501ddf23

SHA512
1781aa77d762f9509ade844833e320623ad89326b9f162ada78b5941e403ebdf7067db3df4b7ba4d25138c4d1e3d53d557abb7cd693ddc3d46f67020ca32d987

Download Submit
memory/208-25-0x00007FF6F89B0000-0x00007FF6F8DA1000-memory.dmp

Filesize
3.9MB

Download
memory/208-2006-0x00007FF6F89B0000-0x00007FF6F8DA1000-memory.dmp

Filesize
3.9MB

Download
memory/384-392-0x00007FF73E700000-0x00007FF73EAF1000-memory.dmp

Filesize
3.9MB

Download
memory/384-2034-0x00007FF73E700000-0x00007FF73EAF1000-memory.dmp

Filesize
3.9MB

Download
memory/1044-2048-0x00007FF7E1720000-0x00007FF7E1B11000-memory.dmp

Filesize
3.9MB

Download
memory/1044-461-0x00007FF7E1720000-0x00007FF7E1B11000-memory.dmp

Filesize
3.9MB

Download
memory/1380-2042-0x00007FF6C7D40000-0x00007FF6C8131000-memory.dmp

Filesize
3.9MB

Download
memory/1380-452-0x00007FF6C7D40000-0x00007FF6C8131000-memory.dmp

Filesize
3.9MB

Download
memory/1544-2044-0x00007FF7A80B0000-0x00007FF7A84A1000-memory.dmp

Filesize
3.9MB

Download
memory/1544-462-0x00007FF7A80B0000-0x00007FF7A84A1000-memory.dmp

Filesize
3.9MB

Download
memory/1832-2004-0x00007FF672160000-0x00007FF672551000-memory.dmp

Filesize
3.9MB

Download
memory/1832-15-0x00007FF672160000-0x00007FF672551000-memory.dmp

Filesize
3.9MB

Download
memory/2400-0-0x00007FF70E950000-0x00007FF70ED41000-memory.dmp

Filesize
3.9MB

Download
memory/2400-1987-0x00007FF70E950000-0x00007FF70ED41000-memory.dmp

Filesize
3.9MB

Download
memory/2400-1-0x000002D94C290000-0x000002D94C2A0000-memory.dmp

Filesize
64KB

Download
memory/2456-421-0x00007FF723420000-0x00007FF723811000-memory.dmp

Filesize
3.9MB

Download
memory/2456-2022-0x00007FF723420000-0x00007FF723811000-memory.dmp

Filesize
3.9MB

Download
memory/2500-387-0x00007FF6C4440000-0x00007FF6C4831000-memory.dmp

Filesize
3.9MB

Download
memory/2500-2020-0x00007FF6C4440000-0x00007FF6C4831000-memory.dmp

Filesize
3.9MB

Download
memory/2728-2036-0x00007FF71E1B0000-0x00007FF71E5A1000-memory.dmp

Filesize
3.9MB

Download
memory/2728-441-0x00007FF71E1B0000-0x00007FF71E5A1000-memory.dmp

Filesize
3.9MB

Download
memory/2784-2040-0x00007FF790B90000-0x00007FF790F81000-memory.dmp

Filesize
3.9MB

Download
memory/2784-450-0x00007FF790B90000-0x00007FF790F81000-memory.dmp

Filesize
3.9MB

Download
memory/2900-2050-0x00007FF727120000-0x00007FF727511000-memory.dmp

Filesize
3.9MB

Download
memory/2900-463-0x00007FF727120000-0x00007FF727511000-memory.dmp

Filesize
3.9MB

Download
memory/2952-405-0x00007FF7CF1A0000-0x00007FF7CF591000-memory.dmp

Filesize
3.9MB

Download
memory/2952-2032-0x00007FF7CF1A0000-0x00007FF7CF591000-memory.dmp

Filesize
3.9MB

Download
memory/3004-2010-0x00007FF700E20000-0x00007FF701211000-memory.dmp

Filesize
3.9MB

Download
memory/3004-464-0x00007FF700E20000-0x00007FF701211000-memory.dmp

Filesize
3.9MB

Download
memory/3208-2018-0x00007FF7D7C00000-0x00007FF7D7FF1000-memory.dmp

Filesize
3.9MB

Download
memory/3208-373-0x00007FF7D7C00000-0x00007FF7D7FF1000-memory.dmp

Filesize
3.9MB

Download
memory/3292-2016-0x00007FF6DE210000-0x00007FF6DE601000-memory.dmp

Filesize
3.9MB

Download
memory/3292-376-0x00007FF6DE210000-0x00007FF6DE601000-memory.dmp

Filesize
3.9MB

Download
memory/3708-2026-0x00007FF602390000-0x00007FF602781000-memory.dmp

Filesize
3.9MB

Download
memory/3708-418-0x00007FF602390000-0x00007FF602781000-memory.dmp

Filesize
3.9MB

Download
memory/3944-1990-0x00007FF659CE0000-0x00007FF65A0D1000-memory.dmp

Filesize
3.9MB

Download
memory/3944-2008-0x00007FF659CE0000-0x00007FF65A0D1000-memory.dmp

Filesize
3.9MB

Download
memory/3944-369-0x00007FF659CE0000-0x00007FF65A0D1000-memory.dmp

Filesize
3.9MB

Download
memory/3968-2012-0x00007FF6EF6F0000-0x00007FF6EFAE1000-memory.dmp

Filesize
3.9MB

Download
memory/3968-465-0x00007FF6EF6F0000-0x00007FF6EFAE1000-memory.dmp

Filesize
3.9MB

Download
memory/4060-444-0x00007FF703840000-0x00007FF703C31000-memory.dmp

Filesize
3.9MB

Download
memory/4060-2038-0x00007FF703840000-0x00007FF703C31000-memory.dmp

Filesize
3.9MB

Download
memory/4144-2014-0x00007FF78B280000-0x00007FF78B671000-memory.dmp

Filesize
3.9MB

Download
memory/4144-466-0x00007FF78B280000-0x00007FF78B671000-memory.dmp

Filesize
3.9MB

Download
memory/4256-2028-0x00007FF75F710000-0x00007FF75FB01000-memory.dmp

Filesize
3.9MB

Download
memory/4256-419-0x00007FF75F710000-0x00007FF75FB01000-memory.dmp

Filesize
3.9MB

Download
memory/4608-2046-0x00007FF706CD0000-0x00007FF7070C1000-memory.dmp

Filesize
3.9MB

Download
memory/4608-453-0x00007FF706CD0000-0x00007FF7070C1000-memory.dmp

Filesize
3.9MB

Download
memory/4644-424-0x00007FF76D560000-0x00007FF76D951000-memory.dmp

Filesize
3.9MB

Download
memory/4644-2024-0x00007FF76D560000-0x00007FF76D951000-memory.dmp

Filesize
3.9MB

Download
memory/4904-410-0x00007FF62E570000-0x00007FF62E961000-memory.dmp

Filesize
3.9MB

Download
memory/4904-2030-0x00007FF62E570000-0x00007FF62E961000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads