xmrig | 74c88802c64f0830717280ca9a0b7f7c06a01a5e765d4e72a22db40e49f722b8

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 22:29 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b350d8084f0c6bf33fd6e4d2c720070N.exe
Size

1.5MB
MD5

1b350d8084f0c6bf33fd6e4d2c720070
SHA1

b77f7d67dc9abbbbd904b391606bfcbe546c667d
SHA256

74c88802c64f0830717280ca9a0b7f7c06a01a5e765d4e72a22db40e49f722b8
SHA512

a020562d4b20ccefe34e1660111e4dafc0831eec9f016fdc1cec5d7daf0267b2cc86280e09adcb63f4094a33dc10110783f4feadb9db16ac76c7254152cf51f3
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhn3AXXiuNmj6hviok92Uy6:knw9oUUEEDlGUJ8YhOXwoZ6

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/2888-11-0x00007FF6B8520000-0x00007FF6B8911000-memory.dmp	xmrig
behavioral2/memory/2860-400-0x00007FF606350000-0x00007FF606741000-memory.dmp	xmrig
behavioral2/memory/2108-406-0x00007FF74B930000-0x00007FF74BD21000-memory.dmp	xmrig
behavioral2/memory/4120-419-0x00007FF78FB30000-0x00007FF78FF21000-memory.dmp	xmrig
behavioral2/memory/4036-422-0x00007FF76A470000-0x00007FF76A861000-memory.dmp	xmrig
behavioral2/memory/436-423-0x00007FF730C10000-0x00007FF731001000-memory.dmp	xmrig
behavioral2/memory/4336-421-0x00007FF647D20000-0x00007FF648111000-memory.dmp	xmrig
behavioral2/memory/4980-416-0x00007FF6646B0000-0x00007FF664AA1000-memory.dmp	xmrig
behavioral2/memory/4468-430-0x00007FF733B80000-0x00007FF733F71000-memory.dmp	xmrig
behavioral2/memory/1468-403-0x00007FF686CE0000-0x00007FF6870D1000-memory.dmp	xmrig
behavioral2/memory/1564-397-0x00007FF655890000-0x00007FF655C81000-memory.dmp	xmrig
behavioral2/memory/3500-394-0x00007FF615360000-0x00007FF615751000-memory.dmp	xmrig
behavioral2/memory/4612-431-0x00007FF6C7590000-0x00007FF6C7981000-memory.dmp	xmrig
behavioral2/memory/4692-434-0x00007FF7FA4A0000-0x00007FF7FA891000-memory.dmp	xmrig
behavioral2/memory/3584-433-0x00007FF755210000-0x00007FF755601000-memory.dmp	xmrig
behavioral2/memory/4604-438-0x00007FF66ED40000-0x00007FF66F131000-memory.dmp	xmrig
behavioral2/memory/4944-444-0x00007FF71B0C0000-0x00007FF71B4B1000-memory.dmp	xmrig
behavioral2/memory/2440-451-0x00007FF7353B0000-0x00007FF7357A1000-memory.dmp	xmrig
behavioral2/memory/4708-455-0x00007FF6347F0000-0x00007FF634BE1000-memory.dmp	xmrig
behavioral2/memory/1692-443-0x00007FF6AAEA0000-0x00007FF6AB291000-memory.dmp	xmrig
behavioral2/memory/3204-34-0x00007FF65A9E0000-0x00007FF65ADD1000-memory.dmp	xmrig
behavioral2/memory/3624-32-0x00007FF6E83D0000-0x00007FF6E87C1000-memory.dmp	xmrig
behavioral2/memory/3668-1966-0x00007FF7FA6D0000-0x00007FF7FAAC1000-memory.dmp	xmrig
behavioral2/memory/4260-1967-0x00007FF751EB0000-0x00007FF7522A1000-memory.dmp	xmrig
behavioral2/memory/2888-2005-0x00007FF6B8520000-0x00007FF6B8911000-memory.dmp	xmrig
behavioral2/memory/3668-2007-0x00007FF7FA6D0000-0x00007FF7FAAC1000-memory.dmp	xmrig
behavioral2/memory/4260-2040-0x00007FF751EB0000-0x00007FF7522A1000-memory.dmp	xmrig
behavioral2/memory/3204-2042-0x00007FF65A9E0000-0x00007FF65ADD1000-memory.dmp	xmrig
behavioral2/memory/2108-2054-0x00007FF74B930000-0x00007FF74BD21000-memory.dmp	xmrig
behavioral2/memory/1468-2052-0x00007FF686CE0000-0x00007FF6870D1000-memory.dmp	xmrig
behavioral2/memory/3624-2038-0x00007FF6E83D0000-0x00007FF6E87C1000-memory.dmp	xmrig
behavioral2/memory/4336-2058-0x00007FF647D20000-0x00007FF648111000-memory.dmp	xmrig
behavioral2/memory/4468-2066-0x00007FF733B80000-0x00007FF733F71000-memory.dmp	xmrig
behavioral2/memory/4604-2072-0x00007FF66ED40000-0x00007FF66F131000-memory.dmp	xmrig
behavioral2/memory/4944-2076-0x00007FF71B0C0000-0x00007FF71B4B1000-memory.dmp	xmrig
behavioral2/memory/4708-2082-0x00007FF6347F0000-0x00007FF634BE1000-memory.dmp	xmrig
behavioral2/memory/1692-2074-0x00007FF6AAEA0000-0x00007FF6AB291000-memory.dmp	xmrig
behavioral2/memory/3584-2068-0x00007FF755210000-0x00007FF755601000-memory.dmp	xmrig
behavioral2/memory/2440-2079-0x00007FF7353B0000-0x00007FF7357A1000-memory.dmp	xmrig
behavioral2/memory/436-2064-0x00007FF730C10000-0x00007FF731001000-memory.dmp	xmrig
behavioral2/memory/4692-2070-0x00007FF7FA4A0000-0x00007FF7FA891000-memory.dmp	xmrig
behavioral2/memory/4036-2062-0x00007FF76A470000-0x00007FF76A861000-memory.dmp	xmrig
behavioral2/memory/4612-2060-0x00007FF6C7590000-0x00007FF6C7981000-memory.dmp	xmrig
behavioral2/memory/3500-2056-0x00007FF615360000-0x00007FF615751000-memory.dmp	xmrig
behavioral2/memory/4980-2050-0x00007FF6646B0000-0x00007FF664AA1000-memory.dmp	xmrig
behavioral2/memory/4120-2048-0x00007FF78FB30000-0x00007FF78FF21000-memory.dmp	xmrig
behavioral2/memory/2860-2046-0x00007FF606350000-0x00007FF606741000-memory.dmp	xmrig
behavioral2/memory/1564-2044-0x00007FF655890000-0x00007FF655C81000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2888	CAUAQJt.exe
3668	rjgQxbK.exe
3624	IFZXCTL.exe
4260	tKWNKmd.exe
3204	dnIOtBa.exe
3500	lztNcNW.exe
1564	sRznREa.exe
2860	CHxBYnF.exe
1468	CEfFbPU.exe
2108	GlkdiLE.exe
4980	wmbwFEq.exe
4120	xzXsXBG.exe
4336	xUBKdPC.exe
4036	pRdXZbj.exe
436	cdSgmWT.exe
4468	WSyzEiU.exe
4612	nPfMJYy.exe
3584	CUxsoHG.exe
4692	pvdxrit.exe
4604	yxUERap.exe
1692	hxbTbaS.exe
4944	UJxbGYH.exe
2440	MznvVmQ.exe
4708	glTInYN.exe
1400	eReLMOL.exe
3480	OhMusdy.exe
552	VQHNVAa.exe
4724	vaxXTpH.exe
1892	ImHrnkv.exe
3944	YRJiNbm.exe
1444	KYSEpYF.exe
2364	tcEJhQK.exe
5084	nHrhJyR.exe
2548	wLVWgAS.exe
1004	yOyBTST.exe
2000	uXJisvj.exe
2692	eZfqLFf.exe
4124	PxPalIN.exe
1120	qMTxNtC.exe
2104	YbfAXty.exe
4780	xNXOwKX.exe
2924	ITZbIvq.exe
2992	iyQNJzd.exe
864	GKmrKpJ.exe
760	OfkwNck.exe
2236	YxyYQPG.exe
3328	dYVPQqo.exe
3596	cRJWfRx.exe
4376	bDYHdVK.exe
3664	zcHRWnc.exe
1608	OOHHAyk.exe
4660	XLCfHcd.exe
4632	uuDZZAr.exe
4440	kPFmeXi.exe
3152	zfraJeb.exe
5036	cRAlZqN.exe
1404	PlNktjP.exe
1108	UitOdXC.exe
1164	LmxApZc.exe
3976	bYSGVXW.exe
3196	xhuXHdf.exe
4792	RenlGfr.exe
620	hlUNqju.exe
4868	IvUeojE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/544-0-0x00007FF6E9E80000-0x00007FF6EA271000-memory.dmp	upx
behavioral2/files/0x00080000000234d9-4.dat	upx
behavioral2/memory/2888-11-0x00007FF6B8520000-0x00007FF6B8911000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-14.dat	upx
behavioral2/files/0x00070000000234e1-17.dat	upx
behavioral2/files/0x00070000000234e2-21.dat	upx
behavioral2/files/0x00070000000234e4-38.dat	upx
behavioral2/files/0x00070000000234e7-56.dat	upx
behavioral2/files/0x00070000000234e9-63.dat	upx
behavioral2/files/0x00070000000234ee-89.dat	upx
behavioral2/files/0x00070000000234ef-99.dat	upx
behavioral2/files/0x00070000000234f2-108.dat	upx
behavioral2/files/0x00070000000234f3-119.dat	upx
behavioral2/files/0x00070000000234f5-129.dat	upx
behavioral2/memory/2860-400-0x00007FF606350000-0x00007FF606741000-memory.dmp	upx
behavioral2/memory/2108-406-0x00007FF74B930000-0x00007FF74BD21000-memory.dmp	upx
behavioral2/memory/4120-419-0x00007FF78FB30000-0x00007FF78FF21000-memory.dmp	upx
behavioral2/memory/4036-422-0x00007FF76A470000-0x00007FF76A861000-memory.dmp	upx
behavioral2/memory/436-423-0x00007FF730C10000-0x00007FF731001000-memory.dmp	upx
behavioral2/memory/4336-421-0x00007FF647D20000-0x00007FF648111000-memory.dmp	upx
behavioral2/memory/4980-416-0x00007FF6646B0000-0x00007FF664AA1000-memory.dmp	upx
behavioral2/memory/4468-430-0x00007FF733B80000-0x00007FF733F71000-memory.dmp	upx
behavioral2/memory/1468-403-0x00007FF686CE0000-0x00007FF6870D1000-memory.dmp	upx
behavioral2/memory/1564-397-0x00007FF655890000-0x00007FF655C81000-memory.dmp	upx
behavioral2/memory/3500-394-0x00007FF615360000-0x00007FF615751000-memory.dmp	upx
behavioral2/files/0x00070000000234fe-167.dat	upx
behavioral2/files/0x00070000000234fc-164.dat	upx
behavioral2/files/0x00070000000234fd-162.dat	upx
behavioral2/files/0x00070000000234fb-156.dat	upx
behavioral2/files/0x00070000000234fa-154.dat	upx
behavioral2/files/0x00070000000234f9-147.dat	upx
behavioral2/files/0x00070000000234f8-141.dat	upx
behavioral2/files/0x00070000000234f7-139.dat	upx
behavioral2/files/0x00070000000234f6-131.dat	upx
behavioral2/memory/4612-431-0x00007FF6C7590000-0x00007FF6C7981000-memory.dmp	upx
behavioral2/memory/4692-434-0x00007FF7FA4A0000-0x00007FF7FA891000-memory.dmp	upx
behavioral2/memory/3584-433-0x00007FF755210000-0x00007FF755601000-memory.dmp	upx
behavioral2/memory/4604-438-0x00007FF66ED40000-0x00007FF66F131000-memory.dmp	upx
behavioral2/memory/4944-444-0x00007FF71B0C0000-0x00007FF71B4B1000-memory.dmp	upx
behavioral2/memory/2440-451-0x00007FF7353B0000-0x00007FF7357A1000-memory.dmp	upx
behavioral2/memory/4708-455-0x00007FF6347F0000-0x00007FF634BE1000-memory.dmp	upx
behavioral2/memory/1692-443-0x00007FF6AAEA0000-0x00007FF6AB291000-memory.dmp	upx
behavioral2/files/0x00070000000234f4-121.dat	upx
behavioral2/files/0x00070000000234f1-106.dat	upx
behavioral2/files/0x00070000000234f0-102.dat	upx
behavioral2/files/0x00070000000234ed-86.dat	upx
behavioral2/files/0x00070000000234ec-81.dat	upx
behavioral2/files/0x00070000000234eb-79.dat	upx
behavioral2/files/0x00070000000234ea-71.dat	upx
behavioral2/files/0x00070000000234e8-61.dat	upx
behavioral2/files/0x00070000000234e6-54.dat	upx
behavioral2/files/0x00070000000234e5-46.dat	upx
behavioral2/files/0x00070000000234e3-36.dat	upx
behavioral2/memory/3204-34-0x00007FF65A9E0000-0x00007FF65ADD1000-memory.dmp	upx
behavioral2/memory/3624-32-0x00007FF6E83D0000-0x00007FF6E87C1000-memory.dmp	upx
behavioral2/memory/4260-27-0x00007FF751EB0000-0x00007FF7522A1000-memory.dmp	upx
behavioral2/files/0x00080000000234df-20.dat	upx
behavioral2/memory/3668-19-0x00007FF7FA6D0000-0x00007FF7FAAC1000-memory.dmp	upx
behavioral2/memory/3668-1966-0x00007FF7FA6D0000-0x00007FF7FAAC1000-memory.dmp	upx
behavioral2/memory/4260-1967-0x00007FF751EB0000-0x00007FF7522A1000-memory.dmp	upx
behavioral2/memory/2888-2005-0x00007FF6B8520000-0x00007FF6B8911000-memory.dmp	upx
behavioral2/memory/3668-2007-0x00007FF7FA6D0000-0x00007FF7FAAC1000-memory.dmp	upx
behavioral2/memory/4260-2040-0x00007FF751EB0000-0x00007FF7522A1000-memory.dmp	upx
behavioral2/memory/3204-2042-0x00007FF65A9E0000-0x00007FF65ADD1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\THCuMFW.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\fyraxbw.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\fVBMrdI.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\mBVDYnx.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\mNSlqvt.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\QrJNpQN.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\pvdxrit.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\SloGelO.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\ZZHfnbQ.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\llFxXEo.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\UwYNIAX.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\ZLbQQfS.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\azuqNPS.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\bDYHdVK.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\rCMaMmq.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\QcGXBCe.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\jNJudEF.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\nCemjSg.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\YpQtCUg.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\XgrUMXV.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\wlHTcjQ.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\JJjmYkR.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\tKDIEMQ.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\AoUNWfq.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\fwHjOFu.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\KYVZWqI.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\YuUWqHU.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\wyJTeyy.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\EgXwohK.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\nHrhJyR.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\FLhgram.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\rDDQHlW.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\pTBlnhc.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\WcKDbYV.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\NGJpNsK.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\nnAHQHM.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\rTVaXbL.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\IFZXCTL.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\NHWbFiB.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\YqjwfaM.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\ZHojwNh.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\EWngWge.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\pRdXZbj.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\JfHNnUp.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\EeWoTAm.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\fSbExyF.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\lMFfZnp.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\vIJAlrN.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\IcyaGxe.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\loWwduq.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\tMtGJfD.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\cdSgmWT.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\jaulJNq.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\dnFMhlJ.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\xPQUmNq.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\VDuZLdT.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\FNKIaOX.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\VMKRVdQ.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\xhuXHdf.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\lVFCxgH.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\HQbNFrA.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\TqcDbnw.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\NSvUKQD.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe
File created	C:\Windows\System32\ionMgbe.exe	1b350d8084f0c6bf33fd6e4d2c720070N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12536	dwm.exe
Token: SeChangeNotifyPrivilege	12536	dwm.exe
Token: 33	12536	dwm.exe
Token: SeIncBasePriorityPrivilege	12536	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 2888	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	84
PID 544 wrote to memory of 2888	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	84
PID 544 wrote to memory of 3668	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	85
PID 544 wrote to memory of 3668	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	85
PID 544 wrote to memory of 3624	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	86
PID 544 wrote to memory of 3624	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	86
PID 544 wrote to memory of 4260	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	87
PID 544 wrote to memory of 4260	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	87
PID 544 wrote to memory of 3204	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	88
PID 544 wrote to memory of 3204	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	88
PID 544 wrote to memory of 3500	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	90
PID 544 wrote to memory of 3500	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	90
PID 544 wrote to memory of 1564	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	91
PID 544 wrote to memory of 1564	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	91
PID 544 wrote to memory of 2860	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	92
PID 544 wrote to memory of 2860	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	92
PID 544 wrote to memory of 1468	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	93
PID 544 wrote to memory of 1468	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	93
PID 544 wrote to memory of 2108	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	94
PID 544 wrote to memory of 2108	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	94
PID 544 wrote to memory of 4980	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	95
PID 544 wrote to memory of 4980	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	95
PID 544 wrote to memory of 4120	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	96
PID 544 wrote to memory of 4120	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	96
PID 544 wrote to memory of 4336	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	97
PID 544 wrote to memory of 4336	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	97
PID 544 wrote to memory of 4036	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	98
PID 544 wrote to memory of 4036	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	98
PID 544 wrote to memory of 436	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	99
PID 544 wrote to memory of 436	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	99
PID 544 wrote to memory of 4468	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	100
PID 544 wrote to memory of 4468	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	100
PID 544 wrote to memory of 4612	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	101
PID 544 wrote to memory of 4612	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	101
PID 544 wrote to memory of 3584	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	102
PID 544 wrote to memory of 3584	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	102
PID 544 wrote to memory of 4692	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	103
PID 544 wrote to memory of 4692	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	103
PID 544 wrote to memory of 4604	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	104
PID 544 wrote to memory of 4604	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	104
PID 544 wrote to memory of 1692	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	105
PID 544 wrote to memory of 1692	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	105
PID 544 wrote to memory of 4944	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	106
PID 544 wrote to memory of 4944	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	106
PID 544 wrote to memory of 2440	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	107
PID 544 wrote to memory of 2440	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	107
PID 544 wrote to memory of 4708	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	108
PID 544 wrote to memory of 4708	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	108
PID 544 wrote to memory of 1400	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	109
PID 544 wrote to memory of 1400	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	109
PID 544 wrote to memory of 3480	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	110
PID 544 wrote to memory of 3480	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	110
PID 544 wrote to memory of 552	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	111
PID 544 wrote to memory of 552	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	111
PID 544 wrote to memory of 4724	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	112
PID 544 wrote to memory of 4724	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	112
PID 544 wrote to memory of 1892	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	113
PID 544 wrote to memory of 1892	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	113
PID 544 wrote to memory of 3944	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	114
PID 544 wrote to memory of 3944	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	114
PID 544 wrote to memory of 1444	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	115
PID 544 wrote to memory of 1444	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	115
PID 544 wrote to memory of 2364	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	116
PID 544 wrote to memory of 2364	544	1b350d8084f0c6bf33fd6e4d2c720070N.exe	116

C:\Users\Admin\AppData\Local\Temp\1b350d8084f0c6bf33fd6e4d2c720070N.exe
"C:\Users\Admin\AppData\Local\Temp\1b350d8084f0c6bf33fd6e4d2c720070N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\System32\CAUAQJt.exe
  C:\Windows\System32\CAUAQJt.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System32\rjgQxbK.exe
  C:\Windows\System32\rjgQxbK.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System32\IFZXCTL.exe
  C:\Windows\System32\IFZXCTL.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\tKWNKmd.exe
  C:\Windows\System32\tKWNKmd.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System32\dnIOtBa.exe
  C:\Windows\System32\dnIOtBa.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\lztNcNW.exe
  C:\Windows\System32\lztNcNW.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\sRznREa.exe
  C:\Windows\System32\sRznREa.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System32\CHxBYnF.exe
  C:\Windows\System32\CHxBYnF.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System32\CEfFbPU.exe
  C:\Windows\System32\CEfFbPU.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System32\GlkdiLE.exe
  C:\Windows\System32\GlkdiLE.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\wmbwFEq.exe
  C:\Windows\System32\wmbwFEq.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\xzXsXBG.exe
  C:\Windows\System32\xzXsXBG.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\xUBKdPC.exe
  C:\Windows\System32\xUBKdPC.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\pRdXZbj.exe
  C:\Windows\System32\pRdXZbj.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System32\cdSgmWT.exe
  C:\Windows\System32\cdSgmWT.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\WSyzEiU.exe
  C:\Windows\System32\WSyzEiU.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\nPfMJYy.exe
  C:\Windows\System32\nPfMJYy.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\CUxsoHG.exe
  C:\Windows\System32\CUxsoHG.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System32\pvdxrit.exe
  C:\Windows\System32\pvdxrit.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\yxUERap.exe
  C:\Windows\System32\yxUERap.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System32\hxbTbaS.exe
  C:\Windows\System32\hxbTbaS.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System32\UJxbGYH.exe
  C:\Windows\System32\UJxbGYH.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\MznvVmQ.exe
  C:\Windows\System32\MznvVmQ.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System32\glTInYN.exe
  C:\Windows\System32\glTInYN.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\eReLMOL.exe
  C:\Windows\System32\eReLMOL.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System32\OhMusdy.exe
  C:\Windows\System32\OhMusdy.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\VQHNVAa.exe
  C:\Windows\System32\VQHNVAa.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System32\vaxXTpH.exe
  C:\Windows\System32\vaxXTpH.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\ImHrnkv.exe
  C:\Windows\System32\ImHrnkv.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System32\YRJiNbm.exe
  C:\Windows\System32\YRJiNbm.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\KYSEpYF.exe
  C:\Windows\System32\KYSEpYF.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System32\tcEJhQK.exe
  C:\Windows\System32\tcEJhQK.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System32\nHrhJyR.exe
  C:\Windows\System32\nHrhJyR.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\wLVWgAS.exe
  C:\Windows\System32\wLVWgAS.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System32\yOyBTST.exe
  C:\Windows\System32\yOyBTST.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System32\uXJisvj.exe
  C:\Windows\System32\uXJisvj.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System32\eZfqLFf.exe
  C:\Windows\System32\eZfqLFf.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\PxPalIN.exe
  C:\Windows\System32\PxPalIN.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System32\qMTxNtC.exe
  C:\Windows\System32\qMTxNtC.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System32\YbfAXty.exe
  C:\Windows\System32\YbfAXty.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System32\xNXOwKX.exe
  C:\Windows\System32\xNXOwKX.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\ITZbIvq.exe
  C:\Windows\System32\ITZbIvq.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System32\iyQNJzd.exe
  C:\Windows\System32\iyQNJzd.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System32\GKmrKpJ.exe
  C:\Windows\System32\GKmrKpJ.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System32\OfkwNck.exe
  C:\Windows\System32\OfkwNck.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System32\YxyYQPG.exe
  C:\Windows\System32\YxyYQPG.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System32\dYVPQqo.exe
  C:\Windows\System32\dYVPQqo.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System32\cRJWfRx.exe
  C:\Windows\System32\cRJWfRx.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\bDYHdVK.exe
  C:\Windows\System32\bDYHdVK.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System32\zcHRWnc.exe
  C:\Windows\System32\zcHRWnc.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System32\OOHHAyk.exe
  C:\Windows\System32\OOHHAyk.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\XLCfHcd.exe
  C:\Windows\System32\XLCfHcd.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\uuDZZAr.exe
  C:\Windows\System32\uuDZZAr.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\kPFmeXi.exe
  C:\Windows\System32\kPFmeXi.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\zfraJeb.exe
  C:\Windows\System32\zfraJeb.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System32\cRAlZqN.exe
  C:\Windows\System32\cRAlZqN.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System32\PlNktjP.exe
  C:\Windows\System32\PlNktjP.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System32\UitOdXC.exe
  C:\Windows\System32\UitOdXC.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System32\LmxApZc.exe
  C:\Windows\System32\LmxApZc.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\bYSGVXW.exe
  C:\Windows\System32\bYSGVXW.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System32\xhuXHdf.exe
  C:\Windows\System32\xhuXHdf.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\RenlGfr.exe
  C:\Windows\System32\RenlGfr.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\hlUNqju.exe
  C:\Windows\System32\hlUNqju.exe
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\System32\IvUeojE.exe
  C:\Windows\System32\IvUeojE.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\XEbXAvL.exe
  C:\Windows\System32\XEbXAvL.exe
  2⤵
  PID:3808
- C:\Windows\System32\xkRTmJw.exe
  C:\Windows\System32\xkRTmJw.exe
  2⤵
  PID:1492
- C:\Windows\System32\GJcCitg.exe
  C:\Windows\System32\GJcCitg.exe
  2⤵
  PID:3728
- C:\Windows\System32\lVFCxgH.exe
  C:\Windows\System32\lVFCxgH.exe
  2⤵
  PID:4024
- C:\Windows\System32\kvBQqai.exe
  C:\Windows\System32\kvBQqai.exe
  2⤵
  PID:464
- C:\Windows\System32\itqgpXS.exe
  C:\Windows\System32\itqgpXS.exe
  2⤵
  PID:2420
- C:\Windows\System32\RJDKdhj.exe
  C:\Windows\System32\RJDKdhj.exe
  2⤵
  PID:2556
- C:\Windows\System32\RpDrTRb.exe
  C:\Windows\System32\RpDrTRb.exe
  2⤵
  PID:3712
- C:\Windows\System32\mNSlqvt.exe
  C:\Windows\System32\mNSlqvt.exe
  2⤵
  PID:1592
- C:\Windows\System32\WywKeIq.exe
  C:\Windows\System32\WywKeIq.exe
  2⤵
  PID:1596
- C:\Windows\System32\FiCRqdh.exe
  C:\Windows\System32\FiCRqdh.exe
  2⤵
  PID:4188
- C:\Windows\System32\oLYZmEA.exe
  C:\Windows\System32\oLYZmEA.exe
  2⤵
  PID:3856
- C:\Windows\System32\XKdEZCI.exe
  C:\Windows\System32\XKdEZCI.exe
  2⤵
  PID:1740
- C:\Windows\System32\nDOSXVb.exe
  C:\Windows\System32\nDOSXVb.exe
  2⤵
  PID:1524
- C:\Windows\System32\yoHhHRM.exe
  C:\Windows\System32\yoHhHRM.exe
  2⤵
  PID:3864
- C:\Windows\System32\jaulJNq.exe
  C:\Windows\System32\jaulJNq.exe
  2⤵
  PID:4324
- C:\Windows\System32\fnRVtlf.exe
  C:\Windows\System32\fnRVtlf.exe
  2⤵
  PID:1112
- C:\Windows\System32\AHRjsBu.exe
  C:\Windows\System32\AHRjsBu.exe
  2⤵
  PID:920
- C:\Windows\System32\gbICuTg.exe
  C:\Windows\System32\gbICuTg.exe
  2⤵
  PID:2780
- C:\Windows\System32\TZAgBgY.exe
  C:\Windows\System32\TZAgBgY.exe
  2⤵
  PID:3564
- C:\Windows\System32\uRGfvCo.exe
  C:\Windows\System32\uRGfvCo.exe
  2⤵
  PID:4760
- C:\Windows\System32\MNAwSAZ.exe
  C:\Windows\System32\MNAwSAZ.exe
  2⤵
  PID:2932
- C:\Windows\System32\dnFMhlJ.exe
  C:\Windows\System32\dnFMhlJ.exe
  2⤵
  PID:1940
- C:\Windows\System32\bSfGSDv.exe
  C:\Windows\System32\bSfGSDv.exe
  2⤵
  PID:4204
- C:\Windows\System32\hyoVQsT.exe
  C:\Windows\System32\hyoVQsT.exe
  2⤵
  PID:3284
- C:\Windows\System32\zSPosDI.exe
  C:\Windows\System32\zSPosDI.exe
  2⤵
  PID:4448
- C:\Windows\System32\PvhjXGV.exe
  C:\Windows\System32\PvhjXGV.exe
  2⤵
  PID:972
- C:\Windows\System32\XCFvXfo.exe
  C:\Windows\System32\XCFvXfo.exe
  2⤵
  PID:2936
- C:\Windows\System32\hSphQsP.exe
  C:\Windows\System32\hSphQsP.exe
  2⤵
  PID:4060
- C:\Windows\System32\iHEbUHe.exe
  C:\Windows\System32\iHEbUHe.exe
  2⤵
  PID:5024
- C:\Windows\System32\qzSmVMN.exe
  C:\Windows\System32\qzSmVMN.exe
  2⤵
  PID:4972
- C:\Windows\System32\sBVClvf.exe
  C:\Windows\System32\sBVClvf.exe
  2⤵
  PID:4736
- C:\Windows\System32\ZjoBmmr.exe
  C:\Windows\System32\ZjoBmmr.exe
  2⤵
  PID:3700
- C:\Windows\System32\HeOTPkP.exe
  C:\Windows\System32\HeOTPkP.exe
  2⤵
  PID:3048
- C:\Windows\System32\IoYytHY.exe
  C:\Windows\System32\IoYytHY.exe
  2⤵
  PID:4940
- C:\Windows\System32\CCjfUXV.exe
  C:\Windows\System32\CCjfUXV.exe
  2⤵
  PID:2284
- C:\Windows\System32\IkNPcOi.exe
  C:\Windows\System32\IkNPcOi.exe
  2⤵
  PID:3116
- C:\Windows\System32\DbbOyrA.exe
  C:\Windows\System32\DbbOyrA.exe
  2⤵
  PID:2152
- C:\Windows\System32\WOfCAYd.exe
  C:\Windows\System32\WOfCAYd.exe
  2⤵
  PID:2388
- C:\Windows\System32\nLsUcGx.exe
  C:\Windows\System32\nLsUcGx.exe
  2⤵
  PID:4956
- C:\Windows\System32\KASpyVx.exe
  C:\Windows\System32\KASpyVx.exe
  2⤵
  PID:2900
- C:\Windows\System32\McycLBm.exe
  C:\Windows\System32\McycLBm.exe
  2⤵
  PID:4948
- C:\Windows\System32\SloGelO.exe
  C:\Windows\System32\SloGelO.exe
  2⤵
  PID:4380
- C:\Windows\System32\wlHTcjQ.exe
  C:\Windows\System32\wlHTcjQ.exe
  2⤵
  PID:3320
- C:\Windows\System32\VzLsAiN.exe
  C:\Windows\System32\VzLsAiN.exe
  2⤵
  PID:3400
- C:\Windows\System32\UFjNVEU.exe
  C:\Windows\System32\UFjNVEU.exe
  2⤵
  PID:5168
- C:\Windows\System32\uMENGLR.exe
  C:\Windows\System32\uMENGLR.exe
  2⤵
  PID:5184
- C:\Windows\System32\sBxHAiG.exe
  C:\Windows\System32\sBxHAiG.exe
  2⤵
  PID:5240
- C:\Windows\System32\nzQFezP.exe
  C:\Windows\System32\nzQFezP.exe
  2⤵
  PID:5256
- C:\Windows\System32\JJjmYkR.exe
  C:\Windows\System32\JJjmYkR.exe
  2⤵
  PID:5272
- C:\Windows\System32\ynuqhIj.exe
  C:\Windows\System32\ynuqhIj.exe
  2⤵
  PID:5288
- C:\Windows\System32\XksYkMz.exe
  C:\Windows\System32\XksYkMz.exe
  2⤵
  PID:5316
- C:\Windows\System32\WWvmJEA.exe
  C:\Windows\System32\WWvmJEA.exe
  2⤵
  PID:5400
- C:\Windows\System32\cErAXwQ.exe
  C:\Windows\System32\cErAXwQ.exe
  2⤵
  PID:5460
- C:\Windows\System32\qZuGkdW.exe
  C:\Windows\System32\qZuGkdW.exe
  2⤵
  PID:5480
- C:\Windows\System32\zXIidLb.exe
  C:\Windows\System32\zXIidLb.exe
  2⤵
  PID:5496
- C:\Windows\System32\whPeIpQ.exe
  C:\Windows\System32\whPeIpQ.exe
  2⤵
  PID:5532
- C:\Windows\System32\rqigNCe.exe
  C:\Windows\System32\rqigNCe.exe
  2⤵
  PID:5548
- C:\Windows\System32\HJQNuIG.exe
  C:\Windows\System32\HJQNuIG.exe
  2⤵
  PID:5564
- C:\Windows\System32\JfHNnUp.exe
  C:\Windows\System32\JfHNnUp.exe
  2⤵
  PID:5584
- C:\Windows\System32\TiUElfT.exe
  C:\Windows\System32\TiUElfT.exe
  2⤵
  PID:5612
- C:\Windows\System32\gyqlbjZ.exe
  C:\Windows\System32\gyqlbjZ.exe
  2⤵
  PID:5704
- C:\Windows\System32\FLhgram.exe
  C:\Windows\System32\FLhgram.exe
  2⤵
  PID:5816
- C:\Windows\System32\qYSbEWz.exe
  C:\Windows\System32\qYSbEWz.exe
  2⤵
  PID:5836
- C:\Windows\System32\oxjcvJN.exe
  C:\Windows\System32\oxjcvJN.exe
  2⤵
  PID:5860
- C:\Windows\System32\gZJuKbW.exe
  C:\Windows\System32\gZJuKbW.exe
  2⤵
  PID:5892
- C:\Windows\System32\FEqWzgS.exe
  C:\Windows\System32\FEqWzgS.exe
  2⤵
  PID:5948
- C:\Windows\System32\lGWRCOc.exe
  C:\Windows\System32\lGWRCOc.exe
  2⤵
  PID:5968
- C:\Windows\System32\VNFpPEn.exe
  C:\Windows\System32\VNFpPEn.exe
  2⤵
  PID:5984
- C:\Windows\System32\enIFzwA.exe
  C:\Windows\System32\enIFzwA.exe
  2⤵
  PID:6000
- C:\Windows\System32\zBXmfws.exe
  C:\Windows\System32\zBXmfws.exe
  2⤵
  PID:6016
- C:\Windows\System32\mDQBOgC.exe
  C:\Windows\System32\mDQBOgC.exe
  2⤵
  PID:6060
- C:\Windows\System32\eHpziZo.exe
  C:\Windows\System32\eHpziZo.exe
  2⤵
  PID:6096
- C:\Windows\System32\IUWPFuw.exe
  C:\Windows\System32\IUWPFuw.exe
  2⤵
  PID:6112
- C:\Windows\System32\AFLRfLN.exe
  C:\Windows\System32\AFLRfLN.exe
  2⤵
  PID:6132
- C:\Windows\System32\oxmQPaY.exe
  C:\Windows\System32\oxmQPaY.exe
  2⤵
  PID:2956
- C:\Windows\System32\OsDqxmt.exe
  C:\Windows\System32\OsDqxmt.exe
  2⤵
  PID:2044
- C:\Windows\System32\cWziahr.exe
  C:\Windows\System32\cWziahr.exe
  2⤵
  PID:4264
- C:\Windows\System32\vIJAlrN.exe
  C:\Windows\System32\vIJAlrN.exe
  2⤵
  PID:5148
- C:\Windows\System32\BawmeyV.exe
  C:\Windows\System32\BawmeyV.exe
  2⤵
  PID:5252
- C:\Windows\System32\rHiYfQf.exe
  C:\Windows\System32\rHiYfQf.exe
  2⤵
  PID:5312
- C:\Windows\System32\jRImFAk.exe
  C:\Windows\System32\jRImFAk.exe
  2⤵
  PID:5432
- C:\Windows\System32\MGTbtwf.exe
  C:\Windows\System32\MGTbtwf.exe
  2⤵
  PID:5488
- C:\Windows\System32\sjArXyB.exe
  C:\Windows\System32\sjArXyB.exe
  2⤵
  PID:5540
- C:\Windows\System32\hoXkvjM.exe
  C:\Windows\System32\hoXkvjM.exe
  2⤵
  PID:5592
- C:\Windows\System32\XvMrMri.exe
  C:\Windows\System32\XvMrMri.exe
  2⤵
  PID:5620
- C:\Windows\System32\aMVOHbO.exe
  C:\Windows\System32\aMVOHbO.exe
  2⤵
  PID:5156
- C:\Windows\System32\PFSMMvu.exe
  C:\Windows\System32\PFSMMvu.exe
  2⤵
  PID:5516
- C:\Windows\System32\tJLeRFa.exe
  C:\Windows\System32\tJLeRFa.exe
  2⤵
  PID:5876
- C:\Windows\System32\JSlKELm.exe
  C:\Windows\System32\JSlKELm.exe
  2⤵
  PID:5956
- C:\Windows\System32\XxioFOl.exe
  C:\Windows\System32\XxioFOl.exe
  2⤵
  PID:6028
- C:\Windows\System32\eICsojA.exe
  C:\Windows\System32\eICsojA.exe
  2⤵
  PID:6076
- C:\Windows\System32\ZpirogY.exe
  C:\Windows\System32\ZpirogY.exe
  2⤵
  PID:2376
- C:\Windows\System32\QmkPfDp.exe
  C:\Windows\System32\QmkPfDp.exe
  2⤵
  PID:2240
- C:\Windows\System32\PSuWvQM.exe
  C:\Windows\System32\PSuWvQM.exe
  2⤵
  PID:5328
- C:\Windows\System32\tCYOpPk.exe
  C:\Windows\System32\tCYOpPk.exe
  2⤵
  PID:4052
- C:\Windows\System32\eFekpJc.exe
  C:\Windows\System32\eFekpJc.exe
  2⤵
  PID:5284
- C:\Windows\System32\sQCkFJS.exe
  C:\Windows\System32\sQCkFJS.exe
  2⤵
  PID:5668
- C:\Windows\System32\MYpEYwi.exe
  C:\Windows\System32\MYpEYwi.exe
  2⤵
  PID:5324
- C:\Windows\System32\RLFvOOt.exe
  C:\Windows\System32\RLFvOOt.exe
  2⤵
  PID:5808
- C:\Windows\System32\rWOloQW.exe
  C:\Windows\System32\rWOloQW.exe
  2⤵
  PID:6040
- C:\Windows\System32\fSbExyF.exe
  C:\Windows\System32\fSbExyF.exe
  2⤵
  PID:5220
- C:\Windows\System32\NmfpInD.exe
  C:\Windows\System32\NmfpInD.exe
  2⤵
  PID:5380
- C:\Windows\System32\tKDIEMQ.exe
  C:\Windows\System32\tKDIEMQ.exe
  2⤵
  PID:5652
- C:\Windows\System32\IFuqiXh.exe
  C:\Windows\System32\IFuqiXh.exe
  2⤵
  PID:5828
- C:\Windows\System32\BtBZWce.exe
  C:\Windows\System32\BtBZWce.exe
  2⤵
  PID:6152
- C:\Windows\System32\gAXSqcw.exe
  C:\Windows\System32\gAXSqcw.exe
  2⤵
  PID:6172
- C:\Windows\System32\FZlxLQR.exe
  C:\Windows\System32\FZlxLQR.exe
  2⤵
  PID:6192
- C:\Windows\System32\aqhYqBQ.exe
  C:\Windows\System32\aqhYqBQ.exe
  2⤵
  PID:6212
- C:\Windows\System32\PiwNbVE.exe
  C:\Windows\System32\PiwNbVE.exe
  2⤵
  PID:6248
- C:\Windows\System32\oMcNFmh.exe
  C:\Windows\System32\oMcNFmh.exe
  2⤵
  PID:6272
- C:\Windows\System32\ONFVxnP.exe
  C:\Windows\System32\ONFVxnP.exe
  2⤵
  PID:6316
- C:\Windows\System32\bfsVIkG.exe
  C:\Windows\System32\bfsVIkG.exe
  2⤵
  PID:6340
- C:\Windows\System32\tlJbKRG.exe
  C:\Windows\System32\tlJbKRG.exe
  2⤵
  PID:6368
- C:\Windows\System32\vvUixkz.exe
  C:\Windows\System32\vvUixkz.exe
  2⤵
  PID:6388
- C:\Windows\System32\YqjwfaM.exe
  C:\Windows\System32\YqjwfaM.exe
  2⤵
  PID:6408
- C:\Windows\System32\QcGXBCe.exe
  C:\Windows\System32\QcGXBCe.exe
  2⤵
  PID:6436
- C:\Windows\System32\rKVMxxQ.exe
  C:\Windows\System32\rKVMxxQ.exe
  2⤵
  PID:6452
- C:\Windows\System32\xxhoZfo.exe
  C:\Windows\System32\xxhoZfo.exe
  2⤵
  PID:6508
- C:\Windows\System32\IcyaGxe.exe
  C:\Windows\System32\IcyaGxe.exe
  2⤵
  PID:6532
- C:\Windows\System32\SKGdEyc.exe
  C:\Windows\System32\SKGdEyc.exe
  2⤵
  PID:6556
- C:\Windows\System32\dJBGxSD.exe
  C:\Windows\System32\dJBGxSD.exe
  2⤵
  PID:6576
- C:\Windows\System32\SyHHYUw.exe
  C:\Windows\System32\SyHHYUw.exe
  2⤵
  PID:6596
- C:\Windows\System32\uMMBbEi.exe
  C:\Windows\System32\uMMBbEi.exe
  2⤵
  PID:6620
- C:\Windows\System32\nHgsPSp.exe
  C:\Windows\System32\nHgsPSp.exe
  2⤵
  PID:6640
- C:\Windows\System32\AEHIaaV.exe
  C:\Windows\System32\AEHIaaV.exe
  2⤵
  PID:6660
- C:\Windows\System32\mfQVZvp.exe
  C:\Windows\System32\mfQVZvp.exe
  2⤵
  PID:6712
- C:\Windows\System32\ionMgbe.exe
  C:\Windows\System32\ionMgbe.exe
  2⤵
  PID:6732
- C:\Windows\System32\lrvgXOI.exe
  C:\Windows\System32\lrvgXOI.exe
  2⤵
  PID:6752
- C:\Windows\System32\SMQuerI.exe
  C:\Windows\System32\SMQuerI.exe
  2⤵
  PID:6824
- C:\Windows\System32\eWGxDcN.exe
  C:\Windows\System32\eWGxDcN.exe
  2⤵
  PID:6844
- C:\Windows\System32\YDSGIvL.exe
  C:\Windows\System32\YDSGIvL.exe
  2⤵
  PID:6896
- C:\Windows\System32\XyfTgjp.exe
  C:\Windows\System32\XyfTgjp.exe
  2⤵
  PID:6920
- C:\Windows\System32\yLXEeZp.exe
  C:\Windows\System32\yLXEeZp.exe
  2⤵
  PID:6964
- C:\Windows\System32\knLUaGz.exe
  C:\Windows\System32\knLUaGz.exe
  2⤵
  PID:6984
- C:\Windows\System32\EgXwohK.exe
  C:\Windows\System32\EgXwohK.exe
  2⤵
  PID:7004
- C:\Windows\System32\RPFLRDi.exe
  C:\Windows\System32\RPFLRDi.exe
  2⤵
  PID:7024
- C:\Windows\System32\IUXAMKX.exe
  C:\Windows\System32\IUXAMKX.exe
  2⤵
  PID:7048
- C:\Windows\System32\RPHabbJ.exe
  C:\Windows\System32\RPHabbJ.exe
  2⤵
  PID:7068
- C:\Windows\System32\fvoVlWL.exe
  C:\Windows\System32\fvoVlWL.exe
  2⤵
  PID:7104
- C:\Windows\System32\kwARxvg.exe
  C:\Windows\System32\kwARxvg.exe
  2⤵
  PID:7124
- C:\Windows\System32\tKcFfpQ.exe
  C:\Windows\System32\tKcFfpQ.exe
  2⤵
  PID:7144
- C:\Windows\System32\cJjBlUA.exe
  C:\Windows\System32\cJjBlUA.exe
  2⤵
  PID:6140
- C:\Windows\System32\NpUILIN.exe
  C:\Windows\System32\NpUILIN.exe
  2⤵
  PID:6168
- C:\Windows\System32\rIZtKvd.exe
  C:\Windows\System32\rIZtKvd.exe
  2⤵
  PID:6288
- C:\Windows\System32\QrJNpQN.exe
  C:\Windows\System32\QrJNpQN.exe
  2⤵
  PID:6296
- C:\Windows\System32\HzAZjuv.exe
  C:\Windows\System32\HzAZjuv.exe
  2⤵
  PID:6376
- C:\Windows\System32\oaxTfyu.exe
  C:\Windows\System32\oaxTfyu.exe
  2⤵
  PID:6404
- C:\Windows\System32\iynJCFz.exe
  C:\Windows\System32\iynJCFz.exe
  2⤵
  PID:6488
- C:\Windows\System32\uSVnHxF.exe
  C:\Windows\System32\uSVnHxF.exe
  2⤵
  PID:6552
- C:\Windows\System32\rqVPbAw.exe
  C:\Windows\System32\rqVPbAw.exe
  2⤵
  PID:6704
- C:\Windows\System32\IwEXago.exe
  C:\Windows\System32\IwEXago.exe
  2⤵
  PID:6740
- C:\Windows\System32\DgqMImX.exe
  C:\Windows\System32\DgqMImX.exe
  2⤵
  PID:6780
- C:\Windows\System32\dJykYMh.exe
  C:\Windows\System32\dJykYMh.exe
  2⤵
  PID:6872
- C:\Windows\System32\oWqiije.exe
  C:\Windows\System32\oWqiije.exe
  2⤵
  PID:6856
- C:\Windows\System32\VnHEmPT.exe
  C:\Windows\System32\VnHEmPT.exe
  2⤵
  PID:6972
- C:\Windows\System32\hQJhXuC.exe
  C:\Windows\System32\hQJhXuC.exe
  2⤵
  PID:7096
- C:\Windows\System32\xnlcdZK.exe
  C:\Windows\System32\xnlcdZK.exe
  2⤵
  PID:7156
- C:\Windows\System32\HPPZWDG.exe
  C:\Windows\System32\HPPZWDG.exe
  2⤵
  PID:6204
- C:\Windows\System32\Mmfnlhy.exe
  C:\Windows\System32\Mmfnlhy.exe
  2⤵
  PID:6348
- C:\Windows\System32\qHxoaUG.exe
  C:\Windows\System32\qHxoaUG.exe
  2⤵
  PID:6476
- C:\Windows\System32\ehYSDYR.exe
  C:\Windows\System32\ehYSDYR.exe
  2⤵
  PID:6612
- C:\Windows\System32\KslZiHh.exe
  C:\Windows\System32\KslZiHh.exe
  2⤵
  PID:6820
- C:\Windows\System32\RWpqdUg.exe
  C:\Windows\System32\RWpqdUg.exe
  2⤵
  PID:6928
- C:\Windows\System32\lTVfhYx.exe
  C:\Windows\System32\lTVfhYx.exe
  2⤵
  PID:7064
- C:\Windows\System32\DGUkKcd.exe
  C:\Windows\System32\DGUkKcd.exe
  2⤵
  PID:6572
- C:\Windows\System32\HqwrGJT.exe
  C:\Windows\System32\HqwrGJT.exe
  2⤵
  PID:6720
- C:\Windows\System32\soSFlfA.exe
  C:\Windows\System32\soSFlfA.exe
  2⤵
  PID:7060
- C:\Windows\System32\FznFrgk.exe
  C:\Windows\System32\FznFrgk.exe
  2⤵
  PID:7136
- C:\Windows\System32\jJvqJgo.exe
  C:\Windows\System32\jJvqJgo.exe
  2⤵
  PID:7172
- C:\Windows\System32\YaEjSgj.exe
  C:\Windows\System32\YaEjSgj.exe
  2⤵
  PID:7196
- C:\Windows\System32\SKTVgBO.exe
  C:\Windows\System32\SKTVgBO.exe
  2⤵
  PID:7216
- C:\Windows\System32\QIJkzle.exe
  C:\Windows\System32\QIJkzle.exe
  2⤵
  PID:7232
- C:\Windows\System32\qRunPEb.exe
  C:\Windows\System32\qRunPEb.exe
  2⤵
  PID:7256
- C:\Windows\System32\IGlPVpv.exe
  C:\Windows\System32\IGlPVpv.exe
  2⤵
  PID:7276
- C:\Windows\System32\NHWbFiB.exe
  C:\Windows\System32\NHWbFiB.exe
  2⤵
  PID:7308
- C:\Windows\System32\jZxDkhs.exe
  C:\Windows\System32\jZxDkhs.exe
  2⤵
  PID:7328
- C:\Windows\System32\rcikUTN.exe
  C:\Windows\System32\rcikUTN.exe
  2⤵
  PID:7392
- C:\Windows\System32\GfEpJJj.exe
  C:\Windows\System32\GfEpJJj.exe
  2⤵
  PID:7412
- C:\Windows\System32\geSlTov.exe
  C:\Windows\System32\geSlTov.exe
  2⤵
  PID:7436
- C:\Windows\System32\YCDwglQ.exe
  C:\Windows\System32\YCDwglQ.exe
  2⤵
  PID:7468
- C:\Windows\System32\xetaVce.exe
  C:\Windows\System32\xetaVce.exe
  2⤵
  PID:7512
- C:\Windows\System32\wuiQIjX.exe
  C:\Windows\System32\wuiQIjX.exe
  2⤵
  PID:7536
- C:\Windows\System32\TcTTall.exe
  C:\Windows\System32\TcTTall.exe
  2⤵
  PID:7556
- C:\Windows\System32\KImzVmj.exe
  C:\Windows\System32\KImzVmj.exe
  2⤵
  PID:7572
- C:\Windows\System32\UUnwxQp.exe
  C:\Windows\System32\UUnwxQp.exe
  2⤵
  PID:7604
- C:\Windows\System32\SnMJJFL.exe
  C:\Windows\System32\SnMJJFL.exe
  2⤵
  PID:7624
- C:\Windows\System32\fZNklLO.exe
  C:\Windows\System32\fZNklLO.exe
  2⤵
  PID:7644
- C:\Windows\System32\YfikpDX.exe
  C:\Windows\System32\YfikpDX.exe
  2⤵
  PID:7664
- C:\Windows\System32\LDIUCgA.exe
  C:\Windows\System32\LDIUCgA.exe
  2⤵
  PID:7684
- C:\Windows\System32\tJLpJsC.exe
  C:\Windows\System32\tJLpJsC.exe
  2⤵
  PID:7740
- C:\Windows\System32\rDDQHlW.exe
  C:\Windows\System32\rDDQHlW.exe
  2⤵
  PID:7756
- C:\Windows\System32\SKwJgam.exe
  C:\Windows\System32\SKwJgam.exe
  2⤵
  PID:7800
- C:\Windows\System32\AvNxaAr.exe
  C:\Windows\System32\AvNxaAr.exe
  2⤵
  PID:7832
- C:\Windows\System32\pTBlnhc.exe
  C:\Windows\System32\pTBlnhc.exe
  2⤵
  PID:7848
- C:\Windows\System32\rCMaMmq.exe
  C:\Windows\System32\rCMaMmq.exe
  2⤵
  PID:7912
- C:\Windows\System32\rPsJcbX.exe
  C:\Windows\System32\rPsJcbX.exe
  2⤵
  PID:7928
- C:\Windows\System32\ivHJgIQ.exe
  C:\Windows\System32\ivHJgIQ.exe
  2⤵
  PID:7948
- C:\Windows\System32\EKdJrcI.exe
  C:\Windows\System32\EKdJrcI.exe
  2⤵
  PID:7972
- C:\Windows\System32\sMQGyXX.exe
  C:\Windows\System32\sMQGyXX.exe
  2⤵
  PID:8024
- C:\Windows\System32\PbiRdXO.exe
  C:\Windows\System32\PbiRdXO.exe
  2⤵
  PID:8040
- C:\Windows\System32\KnapWLL.exe
  C:\Windows\System32\KnapWLL.exe
  2⤵
  PID:8068
- C:\Windows\System32\scWrnna.exe
  C:\Windows\System32\scWrnna.exe
  2⤵
  PID:8088
- C:\Windows\System32\JvXwBed.exe
  C:\Windows\System32\JvXwBed.exe
  2⤵
  PID:8112
- C:\Windows\System32\DcDvECj.exe
  C:\Windows\System32\DcDvECj.exe
  2⤵
  PID:8128
- C:\Windows\System32\eXCuCAl.exe
  C:\Windows\System32\eXCuCAl.exe
  2⤵
  PID:8176
- C:\Windows\System32\NQiMSgK.exe
  C:\Windows\System32\NQiMSgK.exe
  2⤵
  PID:7228
- C:\Windows\System32\HnrCzfR.exe
  C:\Windows\System32\HnrCzfR.exe
  2⤵
  PID:7272
- C:\Windows\System32\ivwQnpC.exe
  C:\Windows\System32\ivwQnpC.exe
  2⤵
  PID:7336
- C:\Windows\System32\KbREIdo.exe
  C:\Windows\System32\KbREIdo.exe
  2⤵
  PID:7320
- C:\Windows\System32\ykPPsZP.exe
  C:\Windows\System32\ykPPsZP.exe
  2⤵
  PID:7496
- C:\Windows\System32\oyjOcSA.exe
  C:\Windows\System32\oyjOcSA.exe
  2⤵
  PID:7480
- C:\Windows\System32\IMxXJRI.exe
  C:\Windows\System32\IMxXJRI.exe
  2⤵
  PID:7568
- C:\Windows\System32\xqLqPin.exe
  C:\Windows\System32\xqLqPin.exe
  2⤵
  PID:7616
- C:\Windows\System32\HZxWkBB.exe
  C:\Windows\System32\HZxWkBB.exe
  2⤵
  PID:7640
- C:\Windows\System32\btYZsWo.exe
  C:\Windows\System32\btYZsWo.exe
  2⤵
  PID:7748
- C:\Windows\System32\ytSZYFn.exe
  C:\Windows\System32\ytSZYFn.exe
  2⤵
  PID:7780
- C:\Windows\System32\PDxeHOx.exe
  C:\Windows\System32\PDxeHOx.exe
  2⤵
  PID:5728
- C:\Windows\System32\veoATgP.exe
  C:\Windows\System32\veoATgP.exe
  2⤵
  PID:5756
- C:\Windows\System32\LGlOGxc.exe
  C:\Windows\System32\LGlOGxc.exe
  2⤵
  PID:7920
- C:\Windows\System32\oJDsnNI.exe
  C:\Windows\System32\oJDsnNI.exe
  2⤵
  PID:5804
- C:\Windows\System32\NMnHEze.exe
  C:\Windows\System32\NMnHEze.exe
  2⤵
  PID:7984
- C:\Windows\System32\epERzZj.exe
  C:\Windows\System32\epERzZj.exe
  2⤵
  PID:8060
- C:\Windows\System32\MVEggPk.exe
  C:\Windows\System32\MVEggPk.exe
  2⤵
  PID:8096
- C:\Windows\System32\fnMvcdw.exe
  C:\Windows\System32\fnMvcdw.exe
  2⤵
  PID:8164
- C:\Windows\System32\yBhHwnM.exe
  C:\Windows\System32\yBhHwnM.exe
  2⤵
  PID:7240
- C:\Windows\System32\Zfbjnqp.exe
  C:\Windows\System32\Zfbjnqp.exe
  2⤵
  PID:7372
- C:\Windows\System32\HVQCJqp.exe
  C:\Windows\System32\HVQCJqp.exe
  2⤵
  PID:7520
- C:\Windows\System32\fzHKxUG.exe
  C:\Windows\System32\fzHKxUG.exe
  2⤵
  PID:7564
- C:\Windows\System32\OjGXolQ.exe
  C:\Windows\System32\OjGXolQ.exe
  2⤵
  PID:7700
- C:\Windows\System32\qYSeqDa.exe
  C:\Windows\System32\qYSeqDa.exe
  2⤵
  PID:7844
- C:\Windows\System32\VCXRgHZ.exe
  C:\Windows\System32\VCXRgHZ.exe
  2⤵
  PID:7956
- C:\Windows\System32\BmETuge.exe
  C:\Windows\System32\BmETuge.exe
  2⤵
  PID:7964
- C:\Windows\System32\XDczXxJ.exe
  C:\Windows\System32\XDczXxJ.exe
  2⤵
  PID:7996
- C:\Windows\System32\xPQUmNq.exe
  C:\Windows\System32\xPQUmNq.exe
  2⤵
  PID:8104
- C:\Windows\System32\WcKDbYV.exe
  C:\Windows\System32\WcKDbYV.exe
  2⤵
  PID:7448
- C:\Windows\System32\IdXlImO.exe
  C:\Windows\System32\IdXlImO.exe
  2⤵
  PID:7632
- C:\Windows\System32\lMFfZnp.exe
  C:\Windows\System32\lMFfZnp.exe
  2⤵
  PID:8252
- C:\Windows\System32\ZZHfnbQ.exe
  C:\Windows\System32\ZZHfnbQ.exe
  2⤵
  PID:8284
- C:\Windows\System32\BRbAFVE.exe
  C:\Windows\System32\BRbAFVE.exe
  2⤵
  PID:8320
- C:\Windows\System32\KkmHOAE.exe
  C:\Windows\System32\KkmHOAE.exe
  2⤵
  PID:8340
- C:\Windows\System32\uepKdDz.exe
  C:\Windows\System32\uepKdDz.exe
  2⤵
  PID:8368
- C:\Windows\System32\bBfBhHT.exe
  C:\Windows\System32\bBfBhHT.exe
  2⤵
  PID:8404
- C:\Windows\System32\PGClxqN.exe
  C:\Windows\System32\PGClxqN.exe
  2⤵
  PID:8420
- C:\Windows\System32\VDuZLdT.exe
  C:\Windows\System32\VDuZLdT.exe
  2⤵
  PID:8444
- C:\Windows\System32\YuUWqHU.exe
  C:\Windows\System32\YuUWqHU.exe
  2⤵
  PID:8464
- C:\Windows\System32\WUuqIrm.exe
  C:\Windows\System32\WUuqIrm.exe
  2⤵
  PID:8512
- C:\Windows\System32\LPjzGVZ.exe
  C:\Windows\System32\LPjzGVZ.exe
  2⤵
  PID:8532
- C:\Windows\System32\fAWLgRA.exe
  C:\Windows\System32\fAWLgRA.exe
  2⤵
  PID:8568
- C:\Windows\System32\EOPKgef.exe
  C:\Windows\System32\EOPKgef.exe
  2⤵
  PID:8612
- C:\Windows\System32\DKDDigK.exe
  C:\Windows\System32\DKDDigK.exe
  2⤵
  PID:8632
- C:\Windows\System32\PfflkKp.exe
  C:\Windows\System32\PfflkKp.exe
  2⤵
  PID:8660
- C:\Windows\System32\jikVWkd.exe
  C:\Windows\System32\jikVWkd.exe
  2⤵
  PID:8684
- C:\Windows\System32\VvxCQut.exe
  C:\Windows\System32\VvxCQut.exe
  2⤵
  PID:8708
- C:\Windows\System32\hLGWbDN.exe
  C:\Windows\System32\hLGWbDN.exe
  2⤵
  PID:8752
- C:\Windows\System32\GSpBSkH.exe
  C:\Windows\System32\GSpBSkH.exe
  2⤵
  PID:8788
- C:\Windows\System32\qqVNbJj.exe
  C:\Windows\System32\qqVNbJj.exe
  2⤵
  PID:8804
- C:\Windows\System32\pZlAJBH.exe
  C:\Windows\System32\pZlAJBH.exe
  2⤵
  PID:8820
- C:\Windows\System32\BXncqfg.exe
  C:\Windows\System32\BXncqfg.exe
  2⤵
  PID:8868
- C:\Windows\System32\uKiXVdi.exe
  C:\Windows\System32\uKiXVdi.exe
  2⤵
  PID:9000
- C:\Windows\System32\NTzkYES.exe
  C:\Windows\System32\NTzkYES.exe
  2⤵
  PID:9016
- C:\Windows\System32\pJnNTjy.exe
  C:\Windows\System32\pJnNTjy.exe
  2⤵
  PID:9032
- C:\Windows\System32\gjjjixx.exe
  C:\Windows\System32\gjjjixx.exe
  2⤵
  PID:9072
- C:\Windows\System32\xXJhLJo.exe
  C:\Windows\System32\xXJhLJo.exe
  2⤵
  PID:9116
- C:\Windows\System32\eVbaabx.exe
  C:\Windows\System32\eVbaabx.exe
  2⤵
  PID:9156
- C:\Windows\System32\RmVWMAb.exe
  C:\Windows\System32\RmVWMAb.exe
  2⤵
  PID:9180
- C:\Windows\System32\gtToDhg.exe
  C:\Windows\System32\gtToDhg.exe
  2⤵
  PID:9196
- C:\Windows\System32\QbaieFx.exe
  C:\Windows\System32\QbaieFx.exe
  2⤵
  PID:9212
- C:\Windows\System32\bPhKHRL.exe
  C:\Windows\System32\bPhKHRL.exe
  2⤵
  PID:5732
- C:\Windows\System32\DdRZfvY.exe
  C:\Windows\System32\DdRZfvY.exe
  2⤵
  PID:8296
- C:\Windows\System32\BfKdVEO.exe
  C:\Windows\System32\BfKdVEO.exe
  2⤵
  PID:7460
- C:\Windows\System32\nkZzfrS.exe
  C:\Windows\System32\nkZzfrS.exe
  2⤵
  PID:8456
- C:\Windows\System32\RmgNCyV.exe
  C:\Windows\System32\RmgNCyV.exe
  2⤵
  PID:8500
- C:\Windows\System32\mvEwDnj.exe
  C:\Windows\System32\mvEwDnj.exe
  2⤵
  PID:8528
- C:\Windows\System32\Msyouuk.exe
  C:\Windows\System32\Msyouuk.exe
  2⤵
  PID:8628
- C:\Windows\System32\rLhnDUe.exe
  C:\Windows\System32\rLhnDUe.exe
  2⤵
  PID:8696
- C:\Windows\System32\koasgVZ.exe
  C:\Windows\System32\koasgVZ.exe
  2⤵
  PID:8720
- C:\Windows\System32\rPNzyWo.exe
  C:\Windows\System32\rPNzyWo.exe
  2⤵
  PID:8800
- C:\Windows\System32\DuykHsx.exe
  C:\Windows\System32\DuykHsx.exe
  2⤵
  PID:8916
- C:\Windows\System32\UWfAOhw.exe
  C:\Windows\System32\UWfAOhw.exe
  2⤵
  PID:8992
- C:\Windows\System32\QfSsCYC.exe
  C:\Windows\System32\QfSsCYC.exe
  2⤵
  PID:8928
- C:\Windows\System32\XQyAmBV.exe
  C:\Windows\System32\XQyAmBV.exe
  2⤵
  PID:8972
- C:\Windows\System32\nBBiMPI.exe
  C:\Windows\System32\nBBiMPI.exe
  2⤵
  PID:9008
- C:\Windows\System32\CDMuMLk.exe
  C:\Windows\System32\CDMuMLk.exe
  2⤵
  PID:9084
- C:\Windows\System32\ECEaCMn.exe
  C:\Windows\System32\ECEaCMn.exe
  2⤵
  PID:9192
- C:\Windows\System32\qvZhJkx.exe
  C:\Windows\System32\qvZhJkx.exe
  2⤵
  PID:9172
- C:\Windows\System32\loWwduq.exe
  C:\Windows\System32\loWwduq.exe
  2⤵
  PID:8196
- C:\Windows\System32\qnPVGeH.exe
  C:\Windows\System32\qnPVGeH.exe
  2⤵
  PID:8380
- C:\Windows\System32\HUwwsyk.exe
  C:\Windows\System32\HUwwsyk.exe
  2⤵
  PID:8496
- C:\Windows\System32\TBsNlHo.exe
  C:\Windows\System32\TBsNlHo.exe
  2⤵
  PID:8480
- C:\Windows\System32\yxktIHZ.exe
  C:\Windows\System32\yxktIHZ.exe
  2⤵
  PID:8832
- C:\Windows\System32\qJRcsiV.exe
  C:\Windows\System32\qJRcsiV.exe
  2⤵
  PID:8976
- C:\Windows\System32\AissICf.exe
  C:\Windows\System32\AissICf.exe
  2⤵
  PID:8896
- C:\Windows\System32\OiQrwNB.exe
  C:\Windows\System32\OiQrwNB.exe
  2⤵
  PID:9128
- C:\Windows\System32\gLEoXfA.exe
  C:\Windows\System32\gLEoXfA.exe
  2⤵
  PID:8524
- C:\Windows\System32\THCuMFW.exe
  C:\Windows\System32\THCuMFW.exe
  2⤵
  PID:8784
- C:\Windows\System32\tTJmmAK.exe
  C:\Windows\System32\tTJmmAK.exe
  2⤵
  PID:9088
- C:\Windows\System32\tCAMRgY.exe
  C:\Windows\System32\tCAMRgY.exe
  2⤵
  PID:8276
- C:\Windows\System32\wzXFyTS.exe
  C:\Windows\System32\wzXFyTS.exe
  2⤵
  PID:8960
- C:\Windows\System32\SomAvbS.exe
  C:\Windows\System32\SomAvbS.exe
  2⤵
  PID:9220
- C:\Windows\System32\NGJpNsK.exe
  C:\Windows\System32\NGJpNsK.exe
  2⤵
  PID:9236
- C:\Windows\System32\PJAJMkl.exe
  C:\Windows\System32\PJAJMkl.exe
  2⤵
  PID:9260
- C:\Windows\System32\llFxXEo.exe
  C:\Windows\System32\llFxXEo.exe
  2⤵
  PID:9280
- C:\Windows\System32\ryGuVuv.exe
  C:\Windows\System32\ryGuVuv.exe
  2⤵
  PID:9316
- C:\Windows\System32\tYIaBDP.exe
  C:\Windows\System32\tYIaBDP.exe
  2⤵
  PID:9376
- C:\Windows\System32\jjHTKIj.exe
  C:\Windows\System32\jjHTKIj.exe
  2⤵
  PID:9396
- C:\Windows\System32\xrMNEqs.exe
  C:\Windows\System32\xrMNEqs.exe
  2⤵
  PID:9428
- C:\Windows\System32\zIDbpSS.exe
  C:\Windows\System32\zIDbpSS.exe
  2⤵
  PID:9444
- C:\Windows\System32\ADFXJGq.exe
  C:\Windows\System32\ADFXJGq.exe
  2⤵
  PID:9468
- C:\Windows\System32\eIBIadf.exe
  C:\Windows\System32\eIBIadf.exe
  2⤵
  PID:9488
- C:\Windows\System32\AzomOjT.exe
  C:\Windows\System32\AzomOjT.exe
  2⤵
  PID:9512
- C:\Windows\System32\oeBsdXG.exe
  C:\Windows\System32\oeBsdXG.exe
  2⤵
  PID:9552
- C:\Windows\System32\HQbNFrA.exe
  C:\Windows\System32\HQbNFrA.exe
  2⤵
  PID:9576
- C:\Windows\System32\LuGUGuJ.exe
  C:\Windows\System32\LuGUGuJ.exe
  2⤵
  PID:9604
- C:\Windows\System32\nBJxOXG.exe
  C:\Windows\System32\nBJxOXG.exe
  2⤵
  PID:9644
- C:\Windows\System32\jHGskDa.exe
  C:\Windows\System32\jHGskDa.exe
  2⤵
  PID:9676
- C:\Windows\System32\MkktCaE.exe
  C:\Windows\System32\MkktCaE.exe
  2⤵
  PID:9704
- C:\Windows\System32\TccHIeF.exe
  C:\Windows\System32\TccHIeF.exe
  2⤵
  PID:9724
- C:\Windows\System32\ManWeWI.exe
  C:\Windows\System32\ManWeWI.exe
  2⤵
  PID:9748
- C:\Windows\System32\PjKqpUk.exe
  C:\Windows\System32\PjKqpUk.exe
  2⤵
  PID:9800
- C:\Windows\System32\NQsDwQr.exe
  C:\Windows\System32\NQsDwQr.exe
  2⤵
  PID:9820
- C:\Windows\System32\PacIwQw.exe
  C:\Windows\System32\PacIwQw.exe
  2⤵
  PID:9840
- C:\Windows\System32\CnjYFSk.exe
  C:\Windows\System32\CnjYFSk.exe
  2⤵
  PID:9860
- C:\Windows\System32\MztelXK.exe
  C:\Windows\System32\MztelXK.exe
  2⤵
  PID:9900
- C:\Windows\System32\QpNuvey.exe
  C:\Windows\System32\QpNuvey.exe
  2⤵
  PID:9920
- C:\Windows\System32\woPijAm.exe
  C:\Windows\System32\woPijAm.exe
  2⤵
  PID:9944
- C:\Windows\System32\wwFUeVL.exe
  C:\Windows\System32\wwFUeVL.exe
  2⤵
  PID:9984
- C:\Windows\System32\Rtogxht.exe
  C:\Windows\System32\Rtogxht.exe
  2⤵
  PID:10008
- C:\Windows\System32\TQdQVqu.exe
  C:\Windows\System32\TQdQVqu.exe
  2⤵
  PID:10032
- C:\Windows\System32\BTBHNTo.exe
  C:\Windows\System32\BTBHNTo.exe
  2⤵
  PID:10084
- C:\Windows\System32\FInNqEe.exe
  C:\Windows\System32\FInNqEe.exe
  2⤵
  PID:10108
- C:\Windows\System32\iFOVRUQ.exe
  C:\Windows\System32\iFOVRUQ.exe
  2⤵
  PID:10136
- C:\Windows\System32\FNKIaOX.exe
  C:\Windows\System32\FNKIaOX.exe
  2⤵
  PID:10204
- C:\Windows\System32\jNJudEF.exe
  C:\Windows\System32\jNJudEF.exe
  2⤵
  PID:10232
- C:\Windows\System32\NYPgqqp.exe
  C:\Windows\System32\NYPgqqp.exe
  2⤵
  PID:9244
- C:\Windows\System32\wlipmBL.exe
  C:\Windows\System32\wlipmBL.exe
  2⤵
  PID:9256
- C:\Windows\System32\kXQxuWc.exe
  C:\Windows\System32\kXQxuWc.exe
  2⤵
  PID:9304
- C:\Windows\System32\wyJTeyy.exe
  C:\Windows\System32\wyJTeyy.exe
  2⤵
  PID:9336
- C:\Windows\System32\rovOPEl.exe
  C:\Windows\System32\rovOPEl.exe
  2⤵
  PID:9416
- C:\Windows\System32\apQqQiC.exe
  C:\Windows\System32\apQqQiC.exe
  2⤵
  PID:9480
- C:\Windows\System32\WoiJObG.exe
  C:\Windows\System32\WoiJObG.exe
  2⤵
  PID:9560
- C:\Windows\System32\NpwGuaD.exe
  C:\Windows\System32\NpwGuaD.exe
  2⤵
  PID:9696
- C:\Windows\System32\nnAHQHM.exe
  C:\Windows\System32\nnAHQHM.exe
  2⤵
  PID:9736
- C:\Windows\System32\vixnvBR.exe
  C:\Windows\System32\vixnvBR.exe
  2⤵
  PID:9876
- C:\Windows\System32\WKkFauf.exe
  C:\Windows\System32\WKkFauf.exe
  2⤵
  PID:9912
- C:\Windows\System32\QEbuodq.exe
  C:\Windows\System32\QEbuodq.exe
  2⤵
  PID:9928
- C:\Windows\System32\JDEMAvD.exe
  C:\Windows\System32\JDEMAvD.exe
  2⤵
  PID:9960
- C:\Windows\System32\DuPoosX.exe
  C:\Windows\System32\DuPoosX.exe
  2⤵
  PID:10028
- C:\Windows\System32\pKzNIZm.exe
  C:\Windows\System32\pKzNIZm.exe
  2⤵
  PID:10080
- C:\Windows\System32\GWLZsMm.exe
  C:\Windows\System32\GWLZsMm.exe
  2⤵
  PID:10172
- C:\Windows\System32\gzNJBmr.exe
  C:\Windows\System32\gzNJBmr.exe
  2⤵
  PID:9392
- C:\Windows\System32\tMtGJfD.exe
  C:\Windows\System32\tMtGJfD.exe
  2⤵
  PID:9308
- C:\Windows\System32\CiIXmSb.exe
  C:\Windows\System32\CiIXmSb.exe
  2⤵
  PID:9324
- C:\Windows\System32\GzmGuRZ.exe
  C:\Windows\System32\GzmGuRZ.exe
  2⤵
  PID:9520
- C:\Windows\System32\xpUytZa.exe
  C:\Windows\System32\xpUytZa.exe
  2⤵
  PID:9848
- C:\Windows\System32\cLSxEaM.exe
  C:\Windows\System32\cLSxEaM.exe
  2⤵
  PID:10068
- C:\Windows\System32\KBXaENZ.exe
  C:\Windows\System32\KBXaENZ.exe
  2⤵
  PID:10092
- C:\Windows\System32\shrGVcR.exe
  C:\Windows\System32\shrGVcR.exe
  2⤵
  PID:9484
- C:\Windows\System32\FunQqmk.exe
  C:\Windows\System32\FunQqmk.exe
  2⤵
  PID:9532
- C:\Windows\System32\TqcDbnw.exe
  C:\Windows\System32\TqcDbnw.exe
  2⤵
  PID:9288
- C:\Windows\System32\VgQoUWh.exe
  C:\Windows\System32\VgQoUWh.exe
  2⤵
  PID:9684
- C:\Windows\System32\BvSiaDb.exe
  C:\Windows\System32\BvSiaDb.exe
  2⤵
  PID:10248
- C:\Windows\System32\AWEmNCf.exe
  C:\Windows\System32\AWEmNCf.exe
  2⤵
  PID:10272
- C:\Windows\System32\iUyqJsb.exe
  C:\Windows\System32\iUyqJsb.exe
  2⤵
  PID:10292
- C:\Windows\System32\QJtOxfG.exe
  C:\Windows\System32\QJtOxfG.exe
  2⤵
  PID:10368
- C:\Windows\System32\JvUpBRM.exe
  C:\Windows\System32\JvUpBRM.exe
  2⤵
  PID:10400
- C:\Windows\System32\FTAatUG.exe
  C:\Windows\System32\FTAatUG.exe
  2⤵
  PID:10420
- C:\Windows\System32\baEdUsL.exe
  C:\Windows\System32\baEdUsL.exe
  2⤵
  PID:10456
- C:\Windows\System32\HmHCiks.exe
  C:\Windows\System32\HmHCiks.exe
  2⤵
  PID:10488
- C:\Windows\System32\lbMZjSO.exe
  C:\Windows\System32\lbMZjSO.exe
  2⤵
  PID:10516
- C:\Windows\System32\BjJtTau.exe
  C:\Windows\System32\BjJtTau.exe
  2⤵
  PID:10536
- C:\Windows\System32\ybYLeZJ.exe
  C:\Windows\System32\ybYLeZJ.exe
  2⤵
  PID:10560
- C:\Windows\System32\EeWoTAm.exe
  C:\Windows\System32\EeWoTAm.exe
  2⤵
  PID:10580
- C:\Windows\System32\jrawPOK.exe
  C:\Windows\System32\jrawPOK.exe
  2⤵
  PID:10628
- C:\Windows\System32\tzOFpFX.exe
  C:\Windows\System32\tzOFpFX.exe
  2⤵
  PID:10652
- C:\Windows\System32\gDKlseD.exe
  C:\Windows\System32\gDKlseD.exe
  2⤵
  PID:10676
- C:\Windows\System32\qOUJDYP.exe
  C:\Windows\System32\qOUJDYP.exe
  2⤵
  PID:10704
- C:\Windows\System32\KmkWkiV.exe
  C:\Windows\System32\KmkWkiV.exe
  2⤵
  PID:10724
- C:\Windows\System32\zjuXakn.exe
  C:\Windows\System32\zjuXakn.exe
  2⤵
  PID:10756
- C:\Windows\System32\jYaFnDC.exe
  C:\Windows\System32\jYaFnDC.exe
  2⤵
  PID:10784
- C:\Windows\System32\nCemjSg.exe
  C:\Windows\System32\nCemjSg.exe
  2⤵
  PID:10804
- C:\Windows\System32\VmjCNSk.exe
  C:\Windows\System32\VmjCNSk.exe
  2⤵
  PID:10828
- C:\Windows\System32\OPkMzQQ.exe
  C:\Windows\System32\OPkMzQQ.exe
  2⤵
  PID:10872
- C:\Windows\System32\BwlPnty.exe
  C:\Windows\System32\BwlPnty.exe
  2⤵
  PID:10912
- C:\Windows\System32\pGyfydZ.exe
  C:\Windows\System32\pGyfydZ.exe
  2⤵
  PID:10948
- C:\Windows\System32\TmxDjhl.exe
  C:\Windows\System32\TmxDjhl.exe
  2⤵
  PID:10972
- C:\Windows\System32\uNuwMDt.exe
  C:\Windows\System32\uNuwMDt.exe
  2⤵
  PID:10992
- C:\Windows\System32\uVUgBtE.exe
  C:\Windows\System32\uVUgBtE.exe
  2⤵
  PID:11008
- C:\Windows\System32\hfOFuKy.exe
  C:\Windows\System32\hfOFuKy.exe
  2⤵
  PID:11052
- C:\Windows\System32\uQACmRm.exe
  C:\Windows\System32\uQACmRm.exe
  2⤵
  PID:11076
- C:\Windows\System32\HupHsYV.exe
  C:\Windows\System32\HupHsYV.exe
  2⤵
  PID:11092
- C:\Windows\System32\pepDdaM.exe
  C:\Windows\System32\pepDdaM.exe
  2⤵
  PID:11132
- C:\Windows\System32\tgwhSAb.exe
  C:\Windows\System32\tgwhSAb.exe
  2⤵
  PID:11160
- C:\Windows\System32\jQRZefx.exe
  C:\Windows\System32\jQRZefx.exe
  2⤵
  PID:11180
- C:\Windows\System32\NLVKpbJ.exe
  C:\Windows\System32\NLVKpbJ.exe
  2⤵
  PID:11208
- C:\Windows\System32\fwHjOFu.exe
  C:\Windows\System32\fwHjOFu.exe
  2⤵
  PID:11252
- C:\Windows\System32\lGlzsos.exe
  C:\Windows\System32\lGlzsos.exe
  2⤵
  PID:9228
- C:\Windows\System32\qhFBEEy.exe
  C:\Windows\System32\qhFBEEy.exe
  2⤵
  PID:9464
- C:\Windows\System32\ReUGAIu.exe
  C:\Windows\System32\ReUGAIu.exe
  2⤵
  PID:10256
- C:\Windows\System32\iEJEtbN.exe
  C:\Windows\System32\iEJEtbN.exe
  2⤵
  PID:10380
- C:\Windows\System32\qFNqsBI.exe
  C:\Windows\System32\qFNqsBI.exe
  2⤵
  PID:10376
- C:\Windows\System32\jgxDUqj.exe
  C:\Windows\System32\jgxDUqj.exe
  2⤵
  PID:10468
- C:\Windows\System32\EGaMTGz.exe
  C:\Windows\System32\EGaMTGz.exe
  2⤵
  PID:10544
- C:\Windows\System32\VVnLqrY.exe
  C:\Windows\System32\VVnLqrY.exe
  2⤵
  PID:10596
- C:\Windows\System32\ZHojwNh.exe
  C:\Windows\System32\ZHojwNh.exe
  2⤵
  PID:10672
- C:\Windows\System32\yEbQIEZ.exe
  C:\Windows\System32\yEbQIEZ.exe
  2⤵
  PID:10712
- C:\Windows\System32\qCSUSNx.exe
  C:\Windows\System32\qCSUSNx.exe
  2⤵
  PID:10736
- C:\Windows\System32\rdRucuz.exe
  C:\Windows\System32\rdRucuz.exe
  2⤵
  PID:10840
- C:\Windows\System32\jvZYLPr.exe
  C:\Windows\System32\jvZYLPr.exe
  2⤵
  PID:10980
- C:\Windows\System32\iQuRuao.exe
  C:\Windows\System32\iQuRuao.exe
  2⤵
  PID:11000
- C:\Windows\System32\VpqKkFG.exe
  C:\Windows\System32\VpqKkFG.exe
  2⤵
  PID:11072
- C:\Windows\System32\hlXohMU.exe
  C:\Windows\System32\hlXohMU.exe
  2⤵
  PID:11128
- C:\Windows\System32\oxRkWMG.exe
  C:\Windows\System32\oxRkWMG.exe
  2⤵
  PID:11176
- C:\Windows\System32\NHSygTi.exe
  C:\Windows\System32\NHSygTi.exe
  2⤵
  PID:9360
- C:\Windows\System32\DtkEnGj.exe
  C:\Windows\System32\DtkEnGj.exe
  2⤵
  PID:10260
- C:\Windows\System32\OEyzPJv.exe
  C:\Windows\System32\OEyzPJv.exe
  2⤵
  PID:10428
- C:\Windows\System32\Btuctpx.exe
  C:\Windows\System32\Btuctpx.exe
  2⤵
  PID:10464
- C:\Windows\System32\XNmcyIv.exe
  C:\Windows\System32\XNmcyIv.exe
  2⤵
  PID:10740
- C:\Windows\System32\hmusqML.exe
  C:\Windows\System32\hmusqML.exe
  2⤵
  PID:11028
- C:\Windows\System32\FZvzpAZ.exe
  C:\Windows\System32\FZvzpAZ.exe
  2⤵
  PID:11236
- C:\Windows\System32\GOdNmRE.exe
  C:\Windows\System32\GOdNmRE.exe
  2⤵
  PID:10556
- C:\Windows\System32\OuHXIrw.exe
  C:\Windows\System32\OuHXIrw.exe
  2⤵
  PID:10852
- C:\Windows\System32\SzOirRj.exe
  C:\Windows\System32\SzOirRj.exe
  2⤵
  PID:10748
- C:\Windows\System32\AxlcpTf.exe
  C:\Windows\System32\AxlcpTf.exe
  2⤵
  PID:10356
- C:\Windows\System32\YbjXcYf.exe
  C:\Windows\System32\YbjXcYf.exe
  2⤵
  PID:11172
- C:\Windows\System32\WfKLvAr.exe
  C:\Windows\System32\WfKLvAr.exe
  2⤵
  PID:11288
- C:\Windows\System32\msLkfzE.exe
  C:\Windows\System32\msLkfzE.exe
  2⤵
  PID:11316
- C:\Windows\System32\VhDPNlF.exe
  C:\Windows\System32\VhDPNlF.exe
  2⤵
  PID:11380
- C:\Windows\System32\tErPygc.exe
  C:\Windows\System32\tErPygc.exe
  2⤵
  PID:11408
- C:\Windows\System32\KqkfHlS.exe
  C:\Windows\System32\KqkfHlS.exe
  2⤵
  PID:11436
- C:\Windows\System32\ANHYsbH.exe
  C:\Windows\System32\ANHYsbH.exe
  2⤵
  PID:11452
- C:\Windows\System32\VRErHHv.exe
  C:\Windows\System32\VRErHHv.exe
  2⤵
  PID:11476
- C:\Windows\System32\VMKRVdQ.exe
  C:\Windows\System32\VMKRVdQ.exe
  2⤵
  PID:11504
- C:\Windows\System32\JDXqHRr.exe
  C:\Windows\System32\JDXqHRr.exe
  2⤵
  PID:11532
- C:\Windows\System32\XzbdNMp.exe
  C:\Windows\System32\XzbdNMp.exe
  2⤵
  PID:11560
- C:\Windows\System32\ofSVdcn.exe
  C:\Windows\System32\ofSVdcn.exe
  2⤵
  PID:11584
- C:\Windows\System32\eFxSxXP.exe
  C:\Windows\System32\eFxSxXP.exe
  2⤵
  PID:11608
- C:\Windows\System32\kjsSBen.exe
  C:\Windows\System32\kjsSBen.exe
  2⤵
  PID:11628
- C:\Windows\System32\OcJFuSO.exe
  C:\Windows\System32\OcJFuSO.exe
  2⤵
  PID:11648
- C:\Windows\System32\lEyeKKB.exe
  C:\Windows\System32\lEyeKKB.exe
  2⤵
  PID:11680
- C:\Windows\System32\dJHrjJU.exe
  C:\Windows\System32\dJHrjJU.exe
  2⤵
  PID:11712
- C:\Windows\System32\YpQtCUg.exe
  C:\Windows\System32\YpQtCUg.exe
  2⤵
  PID:11760
- C:\Windows\System32\KYVZWqI.exe
  C:\Windows\System32\KYVZWqI.exe
  2⤵
  PID:11792
- C:\Windows\System32\OhSEjHg.exe
  C:\Windows\System32\OhSEjHg.exe
  2⤵
  PID:11820
- C:\Windows\System32\PCAfXrt.exe
  C:\Windows\System32\PCAfXrt.exe
  2⤵
  PID:11840
- C:\Windows\System32\iJCrQEl.exe
  C:\Windows\System32\iJCrQEl.exe
  2⤵
  PID:11860
- C:\Windows\System32\BFBcSJI.exe
  C:\Windows\System32\BFBcSJI.exe
  2⤵
  PID:11900
- C:\Windows\System32\tcLFkvd.exe
  C:\Windows\System32\tcLFkvd.exe
  2⤵
  PID:11928
- C:\Windows\System32\AmepmGO.exe
  C:\Windows\System32\AmepmGO.exe
  2⤵
  PID:11984
- C:\Windows\System32\YZRDVWv.exe
  C:\Windows\System32\YZRDVWv.exe
  2⤵
  PID:12000
- C:\Windows\System32\XjoAWcD.exe
  C:\Windows\System32\XjoAWcD.exe
  2⤵
  PID:12028
- C:\Windows\System32\DooIslg.exe
  C:\Windows\System32\DooIslg.exe
  2⤵
  PID:12044
- C:\Windows\System32\PNBrdzP.exe
  C:\Windows\System32\PNBrdzP.exe
  2⤵
  PID:12060
- C:\Windows\System32\ERucKVE.exe
  C:\Windows\System32\ERucKVE.exe
  2⤵
  PID:12080
- C:\Windows\System32\WOUsvyx.exe
  C:\Windows\System32\WOUsvyx.exe
  2⤵
  PID:12116
- C:\Windows\System32\EDpqWdP.exe
  C:\Windows\System32\EDpqWdP.exe
  2⤵
  PID:12148
- C:\Windows\System32\eVvDZZi.exe
  C:\Windows\System32\eVvDZZi.exe
  2⤵
  PID:12172
- C:\Windows\System32\HMDWjwP.exe
  C:\Windows\System32\HMDWjwP.exe
  2⤵
  PID:12200
- C:\Windows\System32\RBqHUcQ.exe
  C:\Windows\System32\RBqHUcQ.exe
  2⤵
  PID:12224
- C:\Windows\System32\YAgzxxS.exe
  C:\Windows\System32\YAgzxxS.exe
  2⤵
  PID:12240
- C:\Windows\System32\HOfquzu.exe
  C:\Windows\System32\HOfquzu.exe
  2⤵
  PID:12264
- C:\Windows\System32\mLdrSIx.exe
  C:\Windows\System32\mLdrSIx.exe
  2⤵
  PID:12284
- C:\Windows\System32\gNRFwFr.exe
  C:\Windows\System32\gNRFwFr.exe
  2⤵
  PID:11284
- C:\Windows\System32\HnPWYbQ.exe
  C:\Windows\System32\HnPWYbQ.exe
  2⤵
  PID:11444
- C:\Windows\System32\AYHqjgo.exe
  C:\Windows\System32\AYHqjgo.exe
  2⤵
  PID:11500
- C:\Windows\System32\kpcLGgo.exe
  C:\Windows\System32\kpcLGgo.exe
  2⤵
  PID:11640
- C:\Windows\System32\CzkeMiq.exe
  C:\Windows\System32\CzkeMiq.exe
  2⤵
  PID:11620
- C:\Windows\System32\rljaCnG.exe
  C:\Windows\System32\rljaCnG.exe
  2⤵
  PID:11704
- C:\Windows\System32\iABEyZo.exe
  C:\Windows\System32\iABEyZo.exe
  2⤵
  PID:11744
- C:\Windows\System32\LxXrTKZ.exe
  C:\Windows\System32\LxXrTKZ.exe
  2⤵
  PID:11788
- C:\Windows\System32\NmdYmNZ.exe
  C:\Windows\System32\NmdYmNZ.exe
  2⤵
  PID:11852
- C:\Windows\System32\FTIBMBV.exe
  C:\Windows\System32\FTIBMBV.exe
  2⤵
  PID:11908
- C:\Windows\System32\AoUNWfq.exe
  C:\Windows\System32\AoUNWfq.exe
  2⤵
  PID:12036
- C:\Windows\System32\TvTzYdu.exe
  C:\Windows\System32\TvTzYdu.exe
  2⤵
  PID:12092
- C:\Windows\System32\qFvxnHl.exe
  C:\Windows\System32\qFvxnHl.exe
  2⤵
  PID:12184
- C:\Windows\System32\utDeQAE.exe
  C:\Windows\System32\utDeQAE.exe
  2⤵
  PID:12252
- C:\Windows\System32\tHaHYfz.exe
  C:\Windows\System32\tHaHYfz.exe
  2⤵
  PID:11004
- C:\Windows\System32\QZCiJCB.exe
  C:\Windows\System32\QZCiJCB.exe
  2⤵
  PID:11280
- C:\Windows\System32\xLcReMS.exe
  C:\Windows\System32\xLcReMS.exe
  2⤵
  PID:11492
- C:\Windows\System32\tPNcIEE.exe
  C:\Windows\System32\tPNcIEE.exe
  2⤵
  PID:11600
- C:\Windows\System32\YZXzSvZ.exe
  C:\Windows\System32\YZXzSvZ.exe
  2⤵
  PID:216
- C:\Windows\System32\JyCmOTV.exe
  C:\Windows\System32\JyCmOTV.exe
  2⤵
  PID:11596
- C:\Windows\System32\jNvjGcV.exe
  C:\Windows\System32\jNvjGcV.exe
  2⤵
  PID:11836
- C:\Windows\System32\TJCsBmV.exe
  C:\Windows\System32\TJCsBmV.exe
  2⤵
  PID:11980
- C:\Windows\System32\HHektqv.exe
  C:\Windows\System32\HHektqv.exe
  2⤵
  PID:12196
- C:\Windows\System32\cvXqxMx.exe
  C:\Windows\System32\cvXqxMx.exe
  2⤵
  PID:12220
- C:\Windows\System32\fyraxbw.exe
  C:\Windows\System32\fyraxbw.exe
  2⤵
  PID:11732
- C:\Windows\System32\TPlJkoy.exe
  C:\Windows\System32\TPlJkoy.exe
  2⤵
  PID:11968
- C:\Windows\System32\PKqlpRL.exe
  C:\Windows\System32\PKqlpRL.exe
  2⤵
  PID:3612
- C:\Windows\System32\cmCxDpr.exe
  C:\Windows\System32\cmCxDpr.exe
  2⤵
  PID:11696
- C:\Windows\System32\eBCZqkq.exe
  C:\Windows\System32\eBCZqkq.exe
  2⤵
  PID:12296
- C:\Windows\System32\oYxOWpH.exe
  C:\Windows\System32\oYxOWpH.exe
  2⤵
  PID:12336
- C:\Windows\System32\TSUcdVG.exe
  C:\Windows\System32\TSUcdVG.exe
  2⤵
  PID:12368
- C:\Windows\System32\seVkYAK.exe
  C:\Windows\System32\seVkYAK.exe
  2⤵
  PID:12396
- C:\Windows\System32\rtXxxlK.exe
  C:\Windows\System32\rtXxxlK.exe
  2⤵
  PID:12420
- C:\Windows\System32\wnDxhDQ.exe
  C:\Windows\System32\wnDxhDQ.exe
  2⤵
  PID:12440
- C:\Windows\System32\LwCqddb.exe
  C:\Windows\System32\LwCqddb.exe
  2⤵
  PID:12488
- C:\Windows\System32\fVBMrdI.exe
  C:\Windows\System32\fVBMrdI.exe
  2⤵
  PID:12528
- C:\Windows\System32\iiJhPCA.exe
  C:\Windows\System32\iiJhPCA.exe
  2⤵
  PID:12548
- C:\Windows\System32\CEMBCNk.exe
  C:\Windows\System32\CEMBCNk.exe
  2⤵
  PID:12572
- C:\Windows\System32\yykzqYs.exe
  C:\Windows\System32\yykzqYs.exe
  2⤵
  PID:12608
- C:\Windows\System32\dganFlD.exe
  C:\Windows\System32\dganFlD.exe
  2⤵
  PID:12648
- C:\Windows\System32\XXYUlzv.exe
  C:\Windows\System32\XXYUlzv.exe
  2⤵
  PID:12668
- C:\Windows\System32\vIIDkPL.exe
  C:\Windows\System32\vIIDkPL.exe
  2⤵
  PID:12700
- C:\Windows\System32\QBlzhkc.exe
  C:\Windows\System32\QBlzhkc.exe
  2⤵
  PID:12720
- C:\Windows\System32\XgrUMXV.exe
  C:\Windows\System32\XgrUMXV.exe
  2⤵
  PID:12736
- C:\Windows\System32\aogQJQy.exe
  C:\Windows\System32\aogQJQy.exe
  2⤵
  PID:12764
- C:\Windows\System32\RwXpcKZ.exe
  C:\Windows\System32\RwXpcKZ.exe
  2⤵
  PID:12788
- C:\Windows\System32\EWngWge.exe
  C:\Windows\System32\EWngWge.exe
  2⤵
  PID:12816
- C:\Windows\System32\HeWKAaB.exe
  C:\Windows\System32\HeWKAaB.exe
  2⤵
  PID:12844
- C:\Windows\System32\vfbeGZy.exe
  C:\Windows\System32\vfbeGZy.exe
  2⤵
  PID:12900
- C:\Windows\System32\HboieWg.exe
  C:\Windows\System32\HboieWg.exe
  2⤵
  PID:12924
- C:\Windows\System32\ezKSQRF.exe
  C:\Windows\System32\ezKSQRF.exe
  2⤵
  PID:12948
- C:\Windows\System32\QPwHuwl.exe
  C:\Windows\System32\QPwHuwl.exe
  2⤵
  PID:12980
- C:\Windows\System32\NMwoAvJ.exe
  C:\Windows\System32\NMwoAvJ.exe
  2⤵
  PID:13004
- C:\Windows\System32\UwYNIAX.exe
  C:\Windows\System32\UwYNIAX.exe
  2⤵
  PID:13024
- C:\Windows\System32\sdvyrYE.exe
  C:\Windows\System32\sdvyrYE.exe
  2⤵
  PID:13044
- C:\Windows\System32\KklknIU.exe
  C:\Windows\System32\KklknIU.exe
  2⤵
  PID:13068
- C:\Windows\System32\xnVzdDM.exe
  C:\Windows\System32\xnVzdDM.exe
  2⤵
  PID:13088
- C:\Windows\System32\gKkVOAO.exe
  C:\Windows\System32\gKkVOAO.exe
  2⤵
  PID:13112
- C:\Windows\System32\XvPIRSX.exe
  C:\Windows\System32\XvPIRSX.exe
  2⤵
  PID:13152
- C:\Windows\System32\ZLbQQfS.exe
  C:\Windows\System32\ZLbQQfS.exe
  2⤵
  PID:13172
- C:\Windows\System32\IqyNubo.exe
  C:\Windows\System32\IqyNubo.exe
  2⤵
  PID:13220
- C:\Windows\System32\dhWoNtl.exe
  C:\Windows\System32\dhWoNtl.exe
  2⤵
  PID:13240
- C:\Windows\System32\CGXRLjg.exe
  C:\Windows\System32\CGXRLjg.exe
  2⤵
  PID:13264
- C:\Windows\System32\IBrOZma.exe
  C:\Windows\System32\IBrOZma.exe
  2⤵
  PID:13284

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12536

Network

DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

35.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.58.20.217.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

98.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.58.20.217.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

35.58.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

35.58.20.217.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

98.58.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

98.58.20.217.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\CAUAQJt.exe

Filesize
1.5MB

MD5
b5d13dde8951acac9d81bf2ba4a10eed

SHA1
6b1a95473b1f540af962c2f59d97e8bc4fefcfa0

SHA256
178a9c1c7e59a5b605c62f6caf5dd7698cd9a35db3767af449bd7f10f3717d7c

SHA512
ff37b0ac951d0352c93066a8c5c452671fd9014a6d40ee83c1fe8b47e5051bc9a0c6eaa651fca5573dfb2dae59a2054d621d787a7aa6fae511cc1e89062bbb15

Download Submit
C:\Windows\System32\CEfFbPU.exe

Filesize
1.5MB

MD5
6736eb36929e38cbcbe193efb00d7cb9

SHA1
5a701452bb70d5e582154287573b23c484ae638c

SHA256
0e4c37b9fbf63ae85af3e9be56073c32910568370512028b0f15b6d61bb1ad43

SHA512
69765bea2e37ed0106440591a6049adde58bf740003a69f17f955c71b8f8cf566bafd7b3d1d7bb0a49a07ad5045e2e3e214eda755c30b8fc66ffb3cadd6bc37f

Download Submit
C:\Windows\System32\CHxBYnF.exe

Filesize
1.5MB

MD5
565810a0bd5d98d4514cada3236853d4

SHA1
af8784cfd0115e1ddd9adcf22fa2021d2c915c37

SHA256
d51fc4e01f5af659afaf28d43e9a73c6aa4c2e11885033246d3588894c3d97f2

SHA512
4a12db780a9404efdfd8f4749bf7ece201fb32fb04f02d55f195e9645b22e01b94a954db88040ea475dcef854e4cd31b514c7c40a34241d40dd29b8c9070b346

Download Submit
C:\Windows\System32\CUxsoHG.exe

Filesize
1.5MB

MD5
a9eb995f46f1a4007a3cab5039f5260e

SHA1
3fed7731907152ea7753161228ec928bb0c0f1b0

SHA256
08153b7b560c7ceccf62ae30adde92d137729a021e8a461c2814430a1820f500

SHA512
f7195065d794652d1c9508feb288cd57fbab7b820a36e53e6af3c37ab73f188a38363fb596916f59b85164ccb691bdaab13344125084382853e2f7ad9d7689f2

Download Submit
C:\Windows\System32\GlkdiLE.exe

Filesize
1.5MB

MD5
c1537df34ca5af46e60897fc2460c4ea

SHA1
f78ad5fea3d71405fcc7dbd9cf1261b5ab93ba08

SHA256
c8688b42678e2c2d85989eafb0a2212012242b94bfb2cb738b383fdd9ece4a1f

SHA512
362a2e45bd0f457aa82901074df2b6d0c5abe10f3db4183817aac6a743ffdfbf38dc37a5584c65bbe5775da7ae6aedcbabfe2c27592286183a4738487c07e785

Download Submit
C:\Windows\System32\IFZXCTL.exe

Filesize
1.5MB

MD5
2532b55dcbb98d1e7353d84ff7c75eeb

SHA1
569b97388a61d047f13155ac5a55f3a041977f65

SHA256
a57fe7d1dddabb55d6eb094b4404145c89437249c022f54ec4c4e9ffad499950

SHA512
37a958ed9707220dc0bc72fb4c40d8a38a2c403499fa54c142421dd4c77af8d2da5e20b4ee9e0a655cff4d791f65dcac5800423976686c730168f7bf5e5198e3

Download Submit
C:\Windows\System32\ImHrnkv.exe

Filesize
1.5MB

MD5
a6b4a2d812645e50af6ee929625f41a1

SHA1
5b55f5c9abf65ccd57a6d65b328ea312c36239be

SHA256
c27166342dd0cdbe48868425fd811600ad209c57ca40fb87917b2839b948d2bc

SHA512
d2d10ed72d5f47a89c18ab82726df7d1a74d589cd8adbc0051bfc820f23b50c9c3ebd7fb8f841aa485a7adb2dfe2ccbb84b290ccd111832a54ad43207f94d8f9

Download Submit
C:\Windows\System32\KYSEpYF.exe

Filesize
1.5MB

MD5
06bc4f5c1981778e3562f374ff69ac75

SHA1
a8af48ed759d1ef35eef7354ce75221289bb889b

SHA256
5e32cae2f4f92090f958d59c1d2804cf167873bb2798b7d14a10c48204cd14bb

SHA512
0243c500b9c4904c955d892f39444074d8bf786fc06bf4efd19553b04064009ccc060b0aaa52f583d079be706f3e798a8f8f0260d29e2f1e50415372c38b39f3

Download Submit
C:\Windows\System32\MznvVmQ.exe

Filesize
1.5MB

MD5
97bd6cf5fb4f791a4ee21fa9760bd915

SHA1
9e227f70db541ac2c5562ef46bf2396fc2c6a61d

SHA256
820792ee7dc1803df594790e5f53e2c6f5d50276af39a18f6dccb00103d023b5

SHA512
418aeae780dadec3ac0a91c8051f139c6f8bfd38e09a34689544ed9ddb602f721b9aba550a55931154334edc9e8ad67af1001a1108b758ad3f900b20046e7354

Download Submit
C:\Windows\System32\OhMusdy.exe

Filesize
1.5MB

MD5
b060bdb4bf70113526148d81a8fb3def

SHA1
7c7d021aefe95f8b5e22c8147381f7d44e7f0b41

SHA256
bd12c2b03b69282a0d86a1c012540211dea55d47cdbc47837751b54a1fce9f44

SHA512
eda4e4dfca93c73971ca224314b5a5fbaae7ffaf955b397552317777fcc9d3b68470d4b967b3e13937982668c402574829808ec7583e4629f506c2b7a74ced98

Download Submit
C:\Windows\System32\UJxbGYH.exe

Filesize
1.5MB

MD5
8e2ea90f5c24b9f1b2bc36a79b5af2e1

SHA1
759832ce29125c84349d5096648d370fdfd2e1b4

SHA256
ab6a2affce2b1b9c8b8f9c93c3148239b0c0efe6567c73195b08426f5a4fab33

SHA512
14afc85f9eda55499947705b8e7d7f4f6c34ac45447013b6f8fe20ae927dd6246aac5314f30d1f1b3cf032793c6955bdd5d149fd02d434ae0d1d1d239f6ce978

Download Submit
C:\Windows\System32\VQHNVAa.exe

Filesize
1.5MB

MD5
924f5dbcc7b56ac344d02ed37bea63e8

SHA1
91f55ab035aeb627685f8946d5d85d77ef441a3d

SHA256
85e642716c028d85c88eb1621329017c18244e53ef2df4539304f611540618af

SHA512
4d05bcc88218214503c8de8f2ab028cd5fffd56ea67e16e0cb597f8a72ed2c083c9787625a2fb41f6ebf99ebcfa371130f195bfdef701db508bfc2347feef768

Download Submit
C:\Windows\System32\WSyzEiU.exe

Filesize
1.5MB

MD5
62525e814da47f50900ce7a0b24f2033

SHA1
8a7836532bbea1230a34f1fe8a815ea4158c11b2

SHA256
2d0c7cf00d6ad086ec6b6b9ee0487b48f1c21d0f82d6e1f06872a63bf6343fd2

SHA512
76f8e786adb2342e3fe68e31c95cb55b54263b24a08e5a0afb1dd7d59e98592ae3fa56a235cdfad431670ada17dd2f48cb50e5aceceb3a458b8c52485848dc4d

Download Submit
C:\Windows\System32\YRJiNbm.exe

Filesize
1.5MB

MD5
c810f3145d00bd32ddeeb24e215a58a3

SHA1
b64af5bbce605e3d8a1fd4e284e3ca6193205294

SHA256
2b61ce6cfabb17ba9366b98dce514d9e0dd1124e743ff9d30b4a71c83d4d745f

SHA512
512b49503c4e2dd22af6ebda23b3726ace57872c99e2ebf612f2ee40e925e1895b8de73a2066ece9df6bc52c6b74e62cb10a79028b4a7d6290877e0840eeaea4

Download Submit
C:\Windows\System32\cdSgmWT.exe

Filesize
1.5MB

MD5
6060a0d4ae2d23ba68815a2e9a78a7aa

SHA1
8de0b72f858a8335c151207e51ee574d46315d04

SHA256
0b7d0a3e75bc9ad5b10d2fa766ead1d2a4b77b3138295019455e3d7ce90b85c8

SHA512
c2187694c1ef1642391879d40f1df40e079572cfebff7d2e74157b82aaae8f4e5079fda9b7aa59d8a4ec9df6c4e7a714dac126587f2fd00c80201f09569ee0f1

Download Submit
C:\Windows\System32\dnIOtBa.exe

Filesize
1.5MB

MD5
1bfe2ccfa949c17f3f1098d3e835a85f

SHA1
d050602b113945cd783b3c9ab3476f261bdc5ce3

SHA256
0b488372a4bd41a32ce8f26e49bc5f2a9e3761c3859ef0f353f8ca6a1e24fc31

SHA512
ca3fef894737c33fb4ac57e174fa6eca0cc39ce16095a2a5d9419205bc0711653934ece036f0088d6fb7c6079d14c05e4ffb1ee6cb331378985bd4f2eb20a67e

Download Submit
C:\Windows\System32\eReLMOL.exe

Filesize
1.5MB

MD5
3cf10d38fc91eb06ebb2b5e8360c8c24

SHA1
1c5a5e110151607d6f459fc758d74b252d2aa040

SHA256
a9bb9a5143c86bff91d461f6b3ffa438a8955d66a30e9d44258106e44b055119

SHA512
69d7d0a9ccc911b472c4dabe2ce3a995349440a62fed25145d0f0b7802b3bce8bf87665671fd3f7a23754d545cdc2b383efd0fd4f56e70932b40ad205a00ef7f

Download Submit
C:\Windows\System32\glTInYN.exe

Filesize
1.5MB

MD5
77fcfc927494ff86d68e1f05dce0a2dc

SHA1
f2b3d7ba3aa951d3ec9dd7e488ed79f7b4401ad2

SHA256
780b7e5640cbb6759bdfbb26951a7600afc791a7ee5dc57d4b19cea7d8e639f6

SHA512
8af4c5d48c62af92ab59b03e9ae704741c0bbf60b1056ee46699f07e1348a0fc874e5fc0e99a3bacda6cc4d38d3f6aa1694f060cc40fd80bcd6779f304280dd5

Download Submit
C:\Windows\System32\hxbTbaS.exe

Filesize
1.5MB

MD5
144a5053f6f5bceaf898890bfae84a7a

SHA1
2dd8e70a6e80d0758be7dd85a630f0e2bd1f6adc

SHA256
cbcdb2ad54dd4b4c2b4c263e23905208ab24e3e243aeeddf7e60e4893614c10c

SHA512
30a1e79a019232990d5b884e1475b7925d2cb687c5e912325165c9d30b2a910f828f1360401477d11cc04bad927966f86edb36d8562a4d368b7a04330a020eb1

Download Submit
C:\Windows\System32\lztNcNW.exe

Filesize
1.5MB

MD5
380f5700337b8ed60cd71d509952daf6

SHA1
54e671651ebf0b27d43f591e7f89aebf3724be11

SHA256
5d708f062eecb663e288f5f654a24a5fa7265c0967a60a6b4a7441bc334b7535

SHA512
f94e7a862ce459757abd291824f37e1485fbc831a373b4b28be51fe4e06cbf0833beca19be33acf000a717c9305667253bc95ebd02089814874b2ec8453128e6

Download Submit
C:\Windows\System32\nHrhJyR.exe

Filesize
1.5MB

MD5
a801e06c341f177e96915cb7dedbeabd

SHA1
bba65d2e74fb6bc0324993f74156aaf9a3611090

SHA256
020f4a21f11c2c8d7046fa2d160308064501c4d0792d713e02c83adb4d8601c8

SHA512
3e95d3c670eb0b8bf08ba4f2b6fc9defefb0b9a74b75dd86ea1d97d939e6e6681b2d69ff455945e2a7e93e19a7b506a5e1fa4897b429da5622e73014ef8453dd

Download Submit
C:\Windows\System32\nPfMJYy.exe

Filesize
1.5MB

MD5
18d965a18ffd48514f228d65bf7f8181

SHA1
cbee805a0029991c361afc87428aaada1b91de81

SHA256
6647eb601142bd00d1d3d40158164b2d100a572369fbae6395deb59c5ed748b8

SHA512
6182d4ae25514229da1b8085b532c8f5b96fda7585999ca13e55cc92185ab44d02166176ef73fba3b3be6e7d86cf2920c5397cf608b0e55920fe076565259554

Download Submit
C:\Windows\System32\pRdXZbj.exe

Filesize
1.5MB

MD5
67ab40b8d7d5d4f7d18c44b2b34b2edb

SHA1
8cd8985db9e396057563eeabbd100db80df876de

SHA256
7510296b02d86dd40e63b70a9d01df5355a14f7158bf3cd3b178898bb13861b7

SHA512
216b33c405e4f709023450928a883774f67621a7588bd28c606c2e31649fb9cf3ee8e28a1ef6082782b11d906e8a0c67fe0c7d5884dcfb567136921352623e85

Download Submit
C:\Windows\System32\pvdxrit.exe

Filesize
1.5MB

MD5
75bb005f90937cc28a9eca2178744b35

SHA1
62c80f560eb5f645ee607011863f394928759488

SHA256
95677f23d9e81ec2e62be552f77f00620835a4d76bbf2d1339e1cdbaceaea2ec

SHA512
e557506f468ce6ac4d65409e6024773ab4bf303c744c54f4a2659411ed1ee27d7969a2c7346f4d26effecd4110a8657d984668732b2fe85422558ff530cc2f36

Download Submit
C:\Windows\System32\rjgQxbK.exe

Filesize
1.5MB

MD5
f377f24e3547703377f9cfbd52d87e31

SHA1
706e5b802084fce11bd98dc13c48fd8481deeca2

SHA256
4cb2a858798bfa13920d45cc74ef0bdfbabeeac5a48165ff5c1ebce439591074

SHA512
5e4de639d3bfd11962d0f9b3cf2845ecc0ad3d6856d21b6de323ecd9c10e7e56aad5ef4859e94ee611762fecd185891e7a03b4484c65f6b7ecf44a7105dfa184

Download Submit
C:\Windows\System32\sRznREa.exe

Filesize
1.5MB

MD5
b0a29835447aa588822e34ef73437421

SHA1
e974dc62e7855bfc30243dfa81bc962869eb43c1

SHA256
903406f5806575e7c7a708794aad69c2211590535a90949a482c71a3eda1aa5e

SHA512
f277c7d81a75b8dc425899318f013811b52d592820c7fc1de7361ab7d1b35ea089f98bc3722b238ca27dd3bae21561eb690b436e50c406e5f5d123c79b604451

Download Submit
C:\Windows\System32\tKWNKmd.exe

Filesize
1.5MB

MD5
9e401ec6b192c1e671b53aad9f455a92

SHA1
3ba7124b3e84aa4381dbee6ff6726ffd8069d341

SHA256
e412bf612640cc4759b557889a042a14fc397ad8e2ca3a696917af61fbed73c7

SHA512
be829c2235f8f3764a45c245caa7f3a57bd403ac618d3a80beffd284e6296c7b0b6b2a4fbabcedc46abcbac800f779f3eecf4bf0012af1efa350c129a4623836

Download Submit
C:\Windows\System32\tcEJhQK.exe

Filesize
1.5MB

MD5
e484c6e9d90a0019091a6f10c06828ad

SHA1
302b178e2f6ed127f13068a2a089561306ca4c59

SHA256
eff6ba0f42cf3fb2cf8c2132153f02127fcfc6fb2f6353c81c5738ff60b2930a

SHA512
7f7ac994df37e16fd590ac24081b66ef268d0a855e907e6844884e9eb74f11629b882f156a5e7ca557173469947c603e1f2579904e84b2ca45ca3f8c29f40a2f

Download Submit
C:\Windows\System32\vaxXTpH.exe

Filesize
1.5MB

MD5
556314d01bcafa98e39a27935bc17642

SHA1
269b801981f6dc51c1a76c41ca33f5df4fa8dca5

SHA256
f05e13e9a119b45f5bf3819d5a4e89bf4820c346a45d7f1aa1d3b534f2459cc3

SHA512
8503c7a5171cb0be67efb03c3294566d02acf97f5144e9b404125157a925ef4a36ba2838c285ab30d8a590a363ec0f83ddb214379e386c141fa213000a02bac1

Download Submit
C:\Windows\System32\wmbwFEq.exe

Filesize
1.5MB

MD5
dffdc21755c377a34b9bbe2a4c072338

SHA1
6a7e2d232eed68b30f4dbf0b8553e3e3380e27d1

SHA256
ba382c6fa400df8b984c6d7d724e474ed0a86bd27f5fc54daded20c8d9b5ecdc

SHA512
2fb87df93046d172783a4e73806428c63cc7e7010922fbc418acf1260d3f39796935ed62d7fbcfd9e12078fe9e056abb75d4a1f1a8dff8aec318f5399eec4ef3

Download Submit
C:\Windows\System32\xUBKdPC.exe

Filesize
1.5MB

MD5
b43d088fc938e4de3d51428ec392d362

SHA1
adacb436dfed6ebd692e2aa3478dfaacf55b42cf

SHA256
8d87ec17d70da756b0312bad7231b65750bd42e6fb22c0ec5b4adecfc7ddc860

SHA512
804767cf328a5f60b3b7f6cb5ccc391300c95dc206bdb6e96f5f28a082391d6c89d7774d66e1657a849ba96d3d5cd1ada83db8313613475bf1abe3edb3be774c

Download Submit
C:\Windows\System32\xzXsXBG.exe

Filesize
1.5MB

MD5
7a336659f5dcd672cb51f6f907d0c07c

SHA1
5f5f8e49a71573d85b27efab4c48e41173940b1f

SHA256
2b34d36cddc7ab26f5f0daa4a0cfbfcef5f11118209a2e34af36b151083a7b48

SHA512
9db6e9d1a15d29547fc87dc323e643244d1c2fe9d24291b2477af6048da44385374747ac7dc23a36402c3454a6d90edfc02d286e3bfd4da3d67c123f51f58fac

Download Submit
C:\Windows\System32\yxUERap.exe

Filesize
1.5MB

MD5
51d1d10a4470ce187fc9a7bd5a9e395a

SHA1
0da6ce83a44e8ab1d4f445affd66e83e1766367e

SHA256
83584cdb1f22924973deab20cf4ec7d1a33acdad41cbf80c87ee3d433629a086

SHA512
97fa8f11c4be9a18d03b7a62b31546333e585ffe995282c7ada827bf1deae6a08ee8ce8184fdf055d1c30f37839fec482ae3f1368f531f24b641c9b75f7e62aa

Download Submit
memory/436-423-0x00007FF730C10000-0x00007FF731001000-memory.dmp

Filesize
3.9MB

Download
memory/436-2064-0x00007FF730C10000-0x00007FF731001000-memory.dmp

Filesize
3.9MB

Download
memory/544-0-0x00007FF6E9E80000-0x00007FF6EA271000-memory.dmp

Filesize
3.9MB

Download
memory/544-1-0x000001A039B20000-0x000001A039B30000-memory.dmp

Filesize
64KB

Download
memory/1468-403-0x00007FF686CE0000-0x00007FF6870D1000-memory.dmp

Filesize
3.9MB

Download
memory/1468-2052-0x00007FF686CE0000-0x00007FF6870D1000-memory.dmp

Filesize
3.9MB

Download
memory/1564-2044-0x00007FF655890000-0x00007FF655C81000-memory.dmp

Filesize
3.9MB

Download
memory/1564-397-0x00007FF655890000-0x00007FF655C81000-memory.dmp

Filesize
3.9MB

Download
memory/1692-443-0x00007FF6AAEA0000-0x00007FF6AB291000-memory.dmp

Filesize
3.9MB

Download
memory/1692-2074-0x00007FF6AAEA0000-0x00007FF6AB291000-memory.dmp

Filesize
3.9MB

Download
memory/2108-2054-0x00007FF74B930000-0x00007FF74BD21000-memory.dmp

Filesize
3.9MB

Download
memory/2108-406-0x00007FF74B930000-0x00007FF74BD21000-memory.dmp

Filesize
3.9MB

Download
memory/2440-451-0x00007FF7353B0000-0x00007FF7357A1000-memory.dmp

Filesize
3.9MB

Download
memory/2440-2079-0x00007FF7353B0000-0x00007FF7357A1000-memory.dmp

Filesize
3.9MB

Download
memory/2860-400-0x00007FF606350000-0x00007FF606741000-memory.dmp

Filesize
3.9MB

Download
memory/2860-2046-0x00007FF606350000-0x00007FF606741000-memory.dmp

Filesize
3.9MB

Download
memory/2888-11-0x00007FF6B8520000-0x00007FF6B8911000-memory.dmp

Filesize
3.9MB

Download
memory/2888-2005-0x00007FF6B8520000-0x00007FF6B8911000-memory.dmp

Filesize
3.9MB

Download
memory/3204-34-0x00007FF65A9E0000-0x00007FF65ADD1000-memory.dmp

Filesize
3.9MB

Download
memory/3204-2042-0x00007FF65A9E0000-0x00007FF65ADD1000-memory.dmp

Filesize
3.9MB

Download
memory/3500-394-0x00007FF615360000-0x00007FF615751000-memory.dmp

Filesize
3.9MB

Download
memory/3500-2056-0x00007FF615360000-0x00007FF615751000-memory.dmp

Filesize
3.9MB

Download
memory/3584-2068-0x00007FF755210000-0x00007FF755601000-memory.dmp

Filesize
3.9MB

Download
memory/3584-433-0x00007FF755210000-0x00007FF755601000-memory.dmp

Filesize
3.9MB

Download
memory/3624-32-0x00007FF6E83D0000-0x00007FF6E87C1000-memory.dmp

Filesize
3.9MB

Download
memory/3624-2038-0x00007FF6E83D0000-0x00007FF6E87C1000-memory.dmp

Filesize
3.9MB

Download
memory/3668-2007-0x00007FF7FA6D0000-0x00007FF7FAAC1000-memory.dmp

Filesize
3.9MB

Download
memory/3668-1966-0x00007FF7FA6D0000-0x00007FF7FAAC1000-memory.dmp

Filesize
3.9MB

Download
memory/3668-19-0x00007FF7FA6D0000-0x00007FF7FAAC1000-memory.dmp

Filesize
3.9MB

Download
memory/4036-422-0x00007FF76A470000-0x00007FF76A861000-memory.dmp

Filesize
3.9MB

Download
memory/4036-2062-0x00007FF76A470000-0x00007FF76A861000-memory.dmp

Filesize
3.9MB

Download
memory/4120-2048-0x00007FF78FB30000-0x00007FF78FF21000-memory.dmp

Filesize
3.9MB

Download
memory/4120-419-0x00007FF78FB30000-0x00007FF78FF21000-memory.dmp

Filesize
3.9MB

Download
memory/4260-1967-0x00007FF751EB0000-0x00007FF7522A1000-memory.dmp

Filesize
3.9MB

Download
memory/4260-27-0x00007FF751EB0000-0x00007FF7522A1000-memory.dmp

Filesize
3.9MB

Download
memory/4260-2040-0x00007FF751EB0000-0x00007FF7522A1000-memory.dmp

Filesize
3.9MB

Download
memory/4336-2058-0x00007FF647D20000-0x00007FF648111000-memory.dmp

Filesize
3.9MB

Download
memory/4336-421-0x00007FF647D20000-0x00007FF648111000-memory.dmp

Filesize
3.9MB

Download
memory/4468-2066-0x00007FF733B80000-0x00007FF733F71000-memory.dmp

Filesize
3.9MB

Download
memory/4468-430-0x00007FF733B80000-0x00007FF733F71000-memory.dmp

Filesize
3.9MB

Download
memory/4604-438-0x00007FF66ED40000-0x00007FF66F131000-memory.dmp

Filesize
3.9MB

Download
memory/4604-2072-0x00007FF66ED40000-0x00007FF66F131000-memory.dmp

Filesize
3.9MB

Download
memory/4612-2060-0x00007FF6C7590000-0x00007FF6C7981000-memory.dmp

Filesize
3.9MB

Download
memory/4612-431-0x00007FF6C7590000-0x00007FF6C7981000-memory.dmp

Filesize
3.9MB

Download
memory/4692-434-0x00007FF7FA4A0000-0x00007FF7FA891000-memory.dmp

Filesize
3.9MB

Download
memory/4692-2070-0x00007FF7FA4A0000-0x00007FF7FA891000-memory.dmp

Filesize
3.9MB

Download
memory/4708-2082-0x00007FF6347F0000-0x00007FF634BE1000-memory.dmp

Filesize
3.9MB

Download
memory/4708-455-0x00007FF6347F0000-0x00007FF634BE1000-memory.dmp

Filesize
3.9MB

Download
memory/4944-2076-0x00007FF71B0C0000-0x00007FF71B4B1000-memory.dmp

Filesize
3.9MB

Download
memory/4944-444-0x00007FF71B0C0000-0x00007FF71B4B1000-memory.dmp

Filesize
3.9MB

Download
memory/4980-416-0x00007FF6646B0000-0x00007FF664AA1000-memory.dmp

Filesize
3.9MB

Download
memory/4980-2050-0x00007FF6646B0000-0x00007FF664AA1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.