xmrig | 52cbb322f9250388c12ab7687f532598f2367a7f2b590996a81fbdbd585ec665

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c7033b8bcffb1192c7efa489f980d30N.exe
Size

1.1MB
MD5

6c7033b8bcffb1192c7efa489f980d30
SHA1

3cfb67675cdfb59231d091eb6003a8c213a9af09
SHA256

52cbb322f9250388c12ab7687f532598f2367a7f2b590996a81fbdbd585ec665
SHA512

d0989038245e7fc1d57294b700b660887d06421be7f5e9339812384cc62744e02a0e2968596bbd3aef5de4d033a77c5536c9ca437e04928e1bc006f2d9582e37
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCtSw83V2YE:knw9oUUEEDlGUrCVy

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/4120-389-0x00007FF69DC00000-0x00007FF69DFF1000-memory.dmp	xmrig
behavioral2/memory/392-394-0x00007FF6AA0C0000-0x00007FF6AA4B1000-memory.dmp	xmrig
behavioral2/memory/4528-393-0x00007FF7DDE20000-0x00007FF7DE211000-memory.dmp	xmrig
behavioral2/memory/3764-399-0x00007FF703890000-0x00007FF703C81000-memory.dmp	xmrig
behavioral2/memory/860-408-0x00007FF6EF7D0000-0x00007FF6EFBC1000-memory.dmp	xmrig
behavioral2/memory/1484-414-0x00007FF724590000-0x00007FF724981000-memory.dmp	xmrig
behavioral2/memory/3580-425-0x00007FF69AA20000-0x00007FF69AE11000-memory.dmp	xmrig
behavioral2/memory/3440-433-0x00007FF727520000-0x00007FF727911000-memory.dmp	xmrig
behavioral2/memory/1676-439-0x00007FF702F90000-0x00007FF703381000-memory.dmp	xmrig
behavioral2/memory/4116-442-0x00007FF7A6960000-0x00007FF7A6D51000-memory.dmp	xmrig
behavioral2/memory/4812-443-0x00007FF6C3570000-0x00007FF6C3961000-memory.dmp	xmrig
behavioral2/memory/756-446-0x00007FF7A6220000-0x00007FF7A6611000-memory.dmp	xmrig
behavioral2/memory/728-451-0x00007FF613AE0000-0x00007FF613ED1000-memory.dmp	xmrig
behavioral2/memory/332-450-0x00007FF7DA000000-0x00007FF7DA3F1000-memory.dmp	xmrig
behavioral2/memory/4292-462-0x00007FF7254D0000-0x00007FF7258C1000-memory.dmp	xmrig
behavioral2/memory/4556-464-0x00007FF620040000-0x00007FF620431000-memory.dmp	xmrig
behavioral2/memory/4008-459-0x00007FF7579B0000-0x00007FF757DA1000-memory.dmp	xmrig
behavioral2/memory/2372-449-0x00007FF675020000-0x00007FF675411000-memory.dmp	xmrig
behavioral2/memory/4188-445-0x00007FF6812E0000-0x00007FF6816D1000-memory.dmp	xmrig
behavioral2/memory/1980-441-0x00007FF655910000-0x00007FF655D01000-memory.dmp	xmrig
behavioral2/memory/2232-422-0x00007FF647740000-0x00007FF647B31000-memory.dmp	xmrig
behavioral2/memory/3048-1941-0x00007FF7235B0000-0x00007FF7239A1000-memory.dmp	xmrig
behavioral2/memory/1544-2007-0x00007FF734980000-0x00007FF734D71000-memory.dmp	xmrig
behavioral2/memory/3612-2008-0x00007FF701320000-0x00007FF701711000-memory.dmp	xmrig
behavioral2/memory/4120-2009-0x00007FF69DC00000-0x00007FF69DFF1000-memory.dmp	xmrig
behavioral2/memory/4488-2011-0x00007FF6CF330000-0x00007FF6CF721000-memory.dmp	xmrig
behavioral2/memory/4120-2013-0x00007FF69DC00000-0x00007FF69DFF1000-memory.dmp	xmrig
behavioral2/memory/3612-2017-0x00007FF701320000-0x00007FF701711000-memory.dmp	xmrig
behavioral2/memory/1544-2015-0x00007FF734980000-0x00007FF734D71000-memory.dmp	xmrig
behavioral2/memory/4528-2021-0x00007FF7DDE20000-0x00007FF7DE211000-memory.dmp	xmrig
behavioral2/memory/3764-2025-0x00007FF703890000-0x00007FF703C81000-memory.dmp	xmrig
behavioral2/memory/860-2027-0x00007FF6EF7D0000-0x00007FF6EFBC1000-memory.dmp	xmrig
behavioral2/memory/392-2023-0x00007FF6AA0C0000-0x00007FF6AA4B1000-memory.dmp	xmrig
behavioral2/memory/4556-2019-0x00007FF620040000-0x00007FF620431000-memory.dmp	xmrig
behavioral2/memory/2372-2059-0x00007FF675020000-0x00007FF675411000-memory.dmp	xmrig
behavioral2/memory/756-2070-0x00007FF7A6220000-0x00007FF7A6611000-memory.dmp	xmrig
behavioral2/memory/4812-2067-0x00007FF6C3570000-0x00007FF6C3961000-memory.dmp	xmrig
behavioral2/memory/4292-2062-0x00007FF7254D0000-0x00007FF7258C1000-memory.dmp	xmrig
behavioral2/memory/332-2057-0x00007FF7DA000000-0x00007FF7DA3F1000-memory.dmp	xmrig
behavioral2/memory/1676-2040-0x00007FF702F90000-0x00007FF703381000-memory.dmp	xmrig
behavioral2/memory/4008-2052-0x00007FF7579B0000-0x00007FF757DA1000-memory.dmp	xmrig
behavioral2/memory/2232-2050-0x00007FF647740000-0x00007FF647B31000-memory.dmp	xmrig
behavioral2/memory/1484-2029-0x00007FF724590000-0x00007FF724981000-memory.dmp	xmrig
behavioral2/memory/4116-2048-0x00007FF7A6960000-0x00007FF7A6D51000-memory.dmp	xmrig
behavioral2/memory/3580-2046-0x00007FF69AA20000-0x00007FF69AE11000-memory.dmp	xmrig
behavioral2/memory/1980-2044-0x00007FF655910000-0x00007FF655D01000-memory.dmp	xmrig
behavioral2/memory/3440-2042-0x00007FF727520000-0x00007FF727911000-memory.dmp	xmrig
behavioral2/memory/728-2033-0x00007FF613AE0000-0x00007FF613ED1000-memory.dmp	xmrig
behavioral2/memory/4188-2031-0x00007FF6812E0000-0x00007FF6816D1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4488	NAILuAO.exe
1544	lvJvedM.exe
4120	ahfoiwP.exe
3612	JzQdwvu.exe
4556	zToFdIz.exe
4528	mUaAfUq.exe
392	ILACIji.exe
3764	bnoEJgE.exe
860	yfnhXOn.exe
1484	YwKbHxh.exe
2232	wFousCY.exe
3580	SbxCsCy.exe
3440	EcxMPnn.exe
1676	mZJKADp.exe
1980	zhyHiMp.exe
4116	nQtuGxW.exe
4812	ucOQFui.exe
4188	UnNyVOb.exe
756	nNekhqZ.exe
2372	xtNJOzV.exe
332	bnSriZs.exe
728	mJhdvzT.exe
4008	lsFvmhi.exe
4292	TflxWyf.exe
3972	TUasUtm.exe
2184	FblwByK.exe
3964	StONKHq.exe
3808	uciyXLo.exe
3904	aXmKLmo.exe
3912	PzSTkaw.exe
4380	ilLWAUH.exe
3428	EMuGiCN.exe
1524	OAPAaOT.exe
2548	hbdbcSq.exe
3936	WNdNfMV.exe
4756	GCJDFIY.exe
2416	zCbJDBb.exe
2348	nxsYRbH.exe
1612	eRsqmlJ.exe
1700	aXhLkBD.exe
460	WXPrSPH.exe
3456	cyqLyGc.exe
3336	ZdVPCma.exe
3624	LrvjyHD.exe
3476	bUSfkad.exe
2852	OUUnJVZ.exe
1408	eJlBbDe.exe
3700	UpGCrMm.exe
4840	hmxHRhF.exe
1056	FnfTQdl.exe
1536	WKQfDis.exe
1504	knApBuq.exe
2400	gFzVMmH.exe
3780	ZNNSWCO.exe
4512	KPreOOE.exe
4976	DIBqNiW.exe
4372	QChnrrj.exe
2344	FXKyCWD.exe
3876	UiUDiPG.exe
5004	LnXSlhe.exe
4228	CcdPdfx.exe
876	tvrrzsP.exe
1268	vXMgmjG.exe
2352	CIoNOGk.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3048-0-0x00007FF7235B0000-0x00007FF7239A1000-memory.dmp	upx
behavioral2/files/0x000900000002347c-5.dat	upx
behavioral2/files/0x00080000000234dd-8.dat	upx
behavioral2/memory/4488-13-0x00007FF6CF330000-0x00007FF6CF721000-memory.dmp	upx
behavioral2/memory/1544-18-0x00007FF734980000-0x00007FF734D71000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-39.dat	upx
behavioral2/files/0x00070000000234e3-47.dat	upx
behavioral2/files/0x00070000000234e5-51.dat	upx
behavioral2/files/0x00070000000234eb-87.dat	upx
behavioral2/files/0x00070000000234ee-102.dat	upx
behavioral2/files/0x00070000000234f0-112.dat	upx
behavioral2/files/0x00070000000234fc-165.dat	upx
behavioral2/memory/4120-389-0x00007FF69DC00000-0x00007FF69DFF1000-memory.dmp	upx
behavioral2/memory/392-394-0x00007FF6AA0C0000-0x00007FF6AA4B1000-memory.dmp	upx
behavioral2/memory/4528-393-0x00007FF7DDE20000-0x00007FF7DE211000-memory.dmp	upx
behavioral2/memory/3764-399-0x00007FF703890000-0x00007FF703C81000-memory.dmp	upx
behavioral2/memory/860-408-0x00007FF6EF7D0000-0x00007FF6EFBC1000-memory.dmp	upx
behavioral2/memory/1484-414-0x00007FF724590000-0x00007FF724981000-memory.dmp	upx
behavioral2/memory/3580-425-0x00007FF69AA20000-0x00007FF69AE11000-memory.dmp	upx
behavioral2/memory/3440-433-0x00007FF727520000-0x00007FF727911000-memory.dmp	upx
behavioral2/memory/1676-439-0x00007FF702F90000-0x00007FF703381000-memory.dmp	upx
behavioral2/memory/4116-442-0x00007FF7A6960000-0x00007FF7A6D51000-memory.dmp	upx
behavioral2/memory/4812-443-0x00007FF6C3570000-0x00007FF6C3961000-memory.dmp	upx
behavioral2/memory/756-446-0x00007FF7A6220000-0x00007FF7A6611000-memory.dmp	upx
behavioral2/memory/728-451-0x00007FF613AE0000-0x00007FF613ED1000-memory.dmp	upx
behavioral2/memory/332-450-0x00007FF7DA000000-0x00007FF7DA3F1000-memory.dmp	upx
behavioral2/memory/4292-462-0x00007FF7254D0000-0x00007FF7258C1000-memory.dmp	upx
behavioral2/memory/4556-464-0x00007FF620040000-0x00007FF620431000-memory.dmp	upx
behavioral2/memory/4008-459-0x00007FF7579B0000-0x00007FF757DA1000-memory.dmp	upx
behavioral2/memory/2372-449-0x00007FF675020000-0x00007FF675411000-memory.dmp	upx
behavioral2/memory/4188-445-0x00007FF6812E0000-0x00007FF6816D1000-memory.dmp	upx
behavioral2/memory/1980-441-0x00007FF655910000-0x00007FF655D01000-memory.dmp	upx
behavioral2/memory/2232-422-0x00007FF647740000-0x00007FF647B31000-memory.dmp	upx
behavioral2/files/0x00070000000234fa-162.dat	upx
behavioral2/files/0x00070000000234fb-160.dat	upx
behavioral2/files/0x00070000000234f9-157.dat	upx
behavioral2/files/0x00070000000234f8-149.dat	upx
behavioral2/files/0x00070000000234f7-147.dat	upx
behavioral2/files/0x00070000000234f6-142.dat	upx
behavioral2/files/0x00070000000234f5-137.dat	upx
behavioral2/files/0x00070000000234f4-132.dat	upx
behavioral2/files/0x00070000000234f3-127.dat	upx
behavioral2/files/0x00070000000234f2-119.dat	upx
behavioral2/files/0x00070000000234f1-117.dat	upx
behavioral2/files/0x00070000000234ef-104.dat	upx
behavioral2/files/0x00070000000234ed-94.dat	upx
behavioral2/files/0x00070000000234ec-90.dat	upx
behavioral2/files/0x00070000000234ea-82.dat	upx
behavioral2/files/0x00070000000234e9-77.dat	upx
behavioral2/files/0x00070000000234e8-72.dat	upx
behavioral2/files/0x00070000000234e7-67.dat	upx
behavioral2/files/0x00070000000234e6-60.dat	upx
behavioral2/files/0x00070000000234e4-49.dat	upx
behavioral2/files/0x00070000000234e1-34.dat	upx
behavioral2/files/0x00070000000234e0-29.dat	upx
behavioral2/files/0x00070000000234df-24.dat	upx
behavioral2/memory/3612-21-0x00007FF701320000-0x00007FF701711000-memory.dmp	upx
behavioral2/files/0x00070000000234de-19.dat	upx
behavioral2/memory/3048-1941-0x00007FF7235B0000-0x00007FF7239A1000-memory.dmp	upx
behavioral2/memory/1544-2007-0x00007FF734980000-0x00007FF734D71000-memory.dmp	upx
behavioral2/memory/3612-2008-0x00007FF701320000-0x00007FF701711000-memory.dmp	upx
behavioral2/memory/4120-2009-0x00007FF69DC00000-0x00007FF69DFF1000-memory.dmp	upx
behavioral2/memory/4488-2011-0x00007FF6CF330000-0x00007FF6CF721000-memory.dmp	upx
behavioral2/memory/4120-2013-0x00007FF69DC00000-0x00007FF69DFF1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ziijRIZ.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\bPjpCgg.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\ZOhZKcu.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\gSkfmOh.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\zaaavOC.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\oYTHWyO.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\iRCVKzj.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\gjdDPUG.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\fqnyMGq.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\WGBaIWI.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\dAKNxuX.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\FnEtbnO.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\uciyXLo.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\FXKyCWD.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\CejJbUu.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\fcSbbNH.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\TwvmkPL.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\xFmoKtt.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\RJiuEOs.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\IXZHjTL.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\IdirFvN.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\IJqKOSM.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\SbCnjRO.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\sEJWeXO.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\yXqnEDV.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\TTrJrSm.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\bDksqAl.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\VtNJXql.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\pSpcbwB.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\wbwJddc.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\ewcGPXP.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\EhfkAGB.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\ZXMWKWL.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\yqLlRFe.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\RfahuYg.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\oVpvJRu.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\ScMZjyZ.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\pSmvoDT.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\iRmzNRL.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\SgVKBnY.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\JfaurXy.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\ANmFWbJ.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\StONKHq.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\IKrbJOx.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\qghuKfg.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\OepayzC.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\vQSOpsQ.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\ZmgjaVb.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\ysvfStw.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\FlhnJlX.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\DmeEmCP.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\flxBTbf.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\jpbqmrg.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\blPESEO.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\KEOUdUw.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\VkJAgAt.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\mPUwrdn.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\RKKBQkC.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\guSLtPL.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\uOPsQgc.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\TMGFhGZ.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\EiLjDbZ.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\LEoiMao.exe	6c7033b8bcffb1192c7efa489f980d30N.exe
File created	C:\Windows\System32\FQfgpXn.exe	6c7033b8bcffb1192c7efa489f980d30N.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12776	dwm.exe
Token: SeChangeNotifyPrivilege	12776	dwm.exe
Token: 33	12776	dwm.exe
Token: SeIncBasePriorityPrivilege	12776	dwm.exe
Token: SeCreateGlobalPrivilege	13012	dwm.exe
Token: SeChangeNotifyPrivilege	13012	dwm.exe
Token: 33	13012	dwm.exe
Token: SeIncBasePriorityPrivilege	13012	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1764	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 4488	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	84
PID 3048 wrote to memory of 4488	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	84
PID 3048 wrote to memory of 1544	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	85
PID 3048 wrote to memory of 1544	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	85
PID 3048 wrote to memory of 4120	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	86
PID 3048 wrote to memory of 4120	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	86
PID 3048 wrote to memory of 3612	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	87
PID 3048 wrote to memory of 3612	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	87
PID 3048 wrote to memory of 4556	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	88
PID 3048 wrote to memory of 4556	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	88
PID 3048 wrote to memory of 4528	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	89
PID 3048 wrote to memory of 4528	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	89
PID 3048 wrote to memory of 392	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	90
PID 3048 wrote to memory of 392	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	90
PID 3048 wrote to memory of 3764	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	91
PID 3048 wrote to memory of 3764	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	91
PID 3048 wrote to memory of 860	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	92
PID 3048 wrote to memory of 860	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	92
PID 3048 wrote to memory of 1484	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	93
PID 3048 wrote to memory of 1484	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	93
PID 3048 wrote to memory of 2232	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	94
PID 3048 wrote to memory of 2232	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	94
PID 3048 wrote to memory of 3580	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	95
PID 3048 wrote to memory of 3580	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	95
PID 3048 wrote to memory of 3440	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	96
PID 3048 wrote to memory of 3440	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	96
PID 3048 wrote to memory of 1676	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	97
PID 3048 wrote to memory of 1676	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	97
PID 3048 wrote to memory of 1980	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	98
PID 3048 wrote to memory of 1980	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	98
PID 3048 wrote to memory of 4116	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	99
PID 3048 wrote to memory of 4116	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	99
PID 3048 wrote to memory of 4812	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	100
PID 3048 wrote to memory of 4812	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	100
PID 3048 wrote to memory of 4188	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	101
PID 3048 wrote to memory of 4188	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	101
PID 3048 wrote to memory of 756	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	102
PID 3048 wrote to memory of 756	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	102
PID 3048 wrote to memory of 2372	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	103
PID 3048 wrote to memory of 2372	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	103
PID 3048 wrote to memory of 332	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	104
PID 3048 wrote to memory of 332	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	104
PID 3048 wrote to memory of 728	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	105
PID 3048 wrote to memory of 728	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	105
PID 3048 wrote to memory of 4008	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	106
PID 3048 wrote to memory of 4008	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	106
PID 3048 wrote to memory of 4292	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	107
PID 3048 wrote to memory of 4292	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	107
PID 3048 wrote to memory of 3972	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	108
PID 3048 wrote to memory of 3972	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	108
PID 3048 wrote to memory of 2184	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	109
PID 3048 wrote to memory of 2184	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	109
PID 3048 wrote to memory of 3964	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	110
PID 3048 wrote to memory of 3964	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	110
PID 3048 wrote to memory of 3808	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	111
PID 3048 wrote to memory of 3808	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	111
PID 3048 wrote to memory of 3904	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	112
PID 3048 wrote to memory of 3904	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	112
PID 3048 wrote to memory of 3912	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	113
PID 3048 wrote to memory of 3912	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	113
PID 3048 wrote to memory of 4380	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	114
PID 3048 wrote to memory of 4380	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	114
PID 3048 wrote to memory of 3428	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	115
PID 3048 wrote to memory of 3428	3048	6c7033b8bcffb1192c7efa489f980d30N.exe	115

C:\Users\Admin\AppData\Local\Temp\6c7033b8bcffb1192c7efa489f980d30N.exe
"C:\Users\Admin\AppData\Local\Temp\6c7033b8bcffb1192c7efa489f980d30N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\System32\NAILuAO.exe
  C:\Windows\System32\NAILuAO.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\lvJvedM.exe
  C:\Windows\System32\lvJvedM.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System32\ahfoiwP.exe
  C:\Windows\System32\ahfoiwP.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\JzQdwvu.exe
  C:\Windows\System32\JzQdwvu.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System32\zToFdIz.exe
  C:\Windows\System32\zToFdIz.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System32\mUaAfUq.exe
  C:\Windows\System32\mUaAfUq.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\ILACIji.exe
  C:\Windows\System32\ILACIji.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\bnoEJgE.exe
  C:\Windows\System32\bnoEJgE.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\yfnhXOn.exe
  C:\Windows\System32\yfnhXOn.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System32\YwKbHxh.exe
  C:\Windows\System32\YwKbHxh.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System32\wFousCY.exe
  C:\Windows\System32\wFousCY.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System32\SbxCsCy.exe
  C:\Windows\System32\SbxCsCy.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\EcxMPnn.exe
  C:\Windows\System32\EcxMPnn.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\mZJKADp.exe
  C:\Windows\System32\mZJKADp.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\zhyHiMp.exe
  C:\Windows\System32\zhyHiMp.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\nQtuGxW.exe
  C:\Windows\System32\nQtuGxW.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System32\ucOQFui.exe
  C:\Windows\System32\ucOQFui.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System32\UnNyVOb.exe
  C:\Windows\System32\UnNyVOb.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System32\nNekhqZ.exe
  C:\Windows\System32\nNekhqZ.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\xtNJOzV.exe
  C:\Windows\System32\xtNJOzV.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System32\bnSriZs.exe
  C:\Windows\System32\bnSriZs.exe
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\System32\mJhdvzT.exe
  C:\Windows\System32\mJhdvzT.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System32\lsFvmhi.exe
  C:\Windows\System32\lsFvmhi.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System32\TflxWyf.exe
  C:\Windows\System32\TflxWyf.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System32\TUasUtm.exe
  C:\Windows\System32\TUasUtm.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System32\FblwByK.exe
  C:\Windows\System32\FblwByK.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System32\StONKHq.exe
  C:\Windows\System32\StONKHq.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System32\uciyXLo.exe
  C:\Windows\System32\uciyXLo.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System32\aXmKLmo.exe
  C:\Windows\System32\aXmKLmo.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System32\PzSTkaw.exe
  C:\Windows\System32\PzSTkaw.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System32\ilLWAUH.exe
  C:\Windows\System32\ilLWAUH.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\EMuGiCN.exe
  C:\Windows\System32\EMuGiCN.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System32\OAPAaOT.exe
  C:\Windows\System32\OAPAaOT.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System32\hbdbcSq.exe
  C:\Windows\System32\hbdbcSq.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System32\WNdNfMV.exe
  C:\Windows\System32\WNdNfMV.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System32\GCJDFIY.exe
  C:\Windows\System32\GCJDFIY.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System32\zCbJDBb.exe
  C:\Windows\System32\zCbJDBb.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\nxsYRbH.exe
  C:\Windows\System32\nxsYRbH.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System32\eRsqmlJ.exe
  C:\Windows\System32\eRsqmlJ.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System32\aXhLkBD.exe
  C:\Windows\System32\aXhLkBD.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System32\WXPrSPH.exe
  C:\Windows\System32\WXPrSPH.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System32\cyqLyGc.exe
  C:\Windows\System32\cyqLyGc.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\ZdVPCma.exe
  C:\Windows\System32\ZdVPCma.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System32\LrvjyHD.exe
  C:\Windows\System32\LrvjyHD.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\bUSfkad.exe
  C:\Windows\System32\bUSfkad.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System32\OUUnJVZ.exe
  C:\Windows\System32\OUUnJVZ.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System32\eJlBbDe.exe
  C:\Windows\System32\eJlBbDe.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System32\UpGCrMm.exe
  C:\Windows\System32\UpGCrMm.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System32\hmxHRhF.exe
  C:\Windows\System32\hmxHRhF.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\FnfTQdl.exe
  C:\Windows\System32\FnfTQdl.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System32\WKQfDis.exe
  C:\Windows\System32\WKQfDis.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System32\knApBuq.exe
  C:\Windows\System32\knApBuq.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System32\gFzVMmH.exe
  C:\Windows\System32\gFzVMmH.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System32\ZNNSWCO.exe
  C:\Windows\System32\ZNNSWCO.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System32\KPreOOE.exe
  C:\Windows\System32\KPreOOE.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\DIBqNiW.exe
  C:\Windows\System32\DIBqNiW.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\QChnrrj.exe
  C:\Windows\System32\QChnrrj.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System32\FXKyCWD.exe
  C:\Windows\System32\FXKyCWD.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System32\UiUDiPG.exe
  C:\Windows\System32\UiUDiPG.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System32\LnXSlhe.exe
  C:\Windows\System32\LnXSlhe.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System32\CcdPdfx.exe
  C:\Windows\System32\CcdPdfx.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System32\tvrrzsP.exe
  C:\Windows\System32\tvrrzsP.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\vXMgmjG.exe
  C:\Windows\System32\vXMgmjG.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System32\CIoNOGk.exe
  C:\Windows\System32\CIoNOGk.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\EidhwSd.exe
  C:\Windows\System32\EidhwSd.exe
  2⤵
  PID:4392
- C:\Windows\System32\EhXikJx.exe
  C:\Windows\System32\EhXikJx.exe
  2⤵
  PID:428
- C:\Windows\System32\CyNQSig.exe
  C:\Windows\System32\CyNQSig.exe
  2⤵
  PID:2356
- C:\Windows\System32\QaKQOvf.exe
  C:\Windows\System32\QaKQOvf.exe
  2⤵
  PID:3504
- C:\Windows\System32\ZzfHafC.exe
  C:\Windows\System32\ZzfHafC.exe
  2⤵
  PID:4052
- C:\Windows\System32\OBivBnu.exe
  C:\Windows\System32\OBivBnu.exe
  2⤵
  PID:3976
- C:\Windows\System32\oVCkjsA.exe
  C:\Windows\System32\oVCkjsA.exe
  2⤵
  PID:2380
- C:\Windows\System32\KXGEPmt.exe
  C:\Windows\System32\KXGEPmt.exe
  2⤵
  PID:708
- C:\Windows\System32\IBTsmna.exe
  C:\Windows\System32\IBTsmna.exe
  2⤵
  PID:4272
- C:\Windows\System32\UMNHLxI.exe
  C:\Windows\System32\UMNHLxI.exe
  2⤵
  PID:1088
- C:\Windows\System32\WqqhENP.exe
  C:\Windows\System32\WqqhENP.exe
  2⤵
  PID:3544
- C:\Windows\System32\jEybnyI.exe
  C:\Windows\System32\jEybnyI.exe
  2⤵
  PID:4408
- C:\Windows\System32\SrwOoDj.exe
  C:\Windows\System32\SrwOoDj.exe
  2⤵
  PID:2832
- C:\Windows\System32\ExYQbPk.exe
  C:\Windows\System32\ExYQbPk.exe
  2⤵
  PID:3660
- C:\Windows\System32\EatYZhK.exe
  C:\Windows\System32\EatYZhK.exe
  2⤵
  PID:3956
- C:\Windows\System32\VCGWGXr.exe
  C:\Windows\System32\VCGWGXr.exe
  2⤵
  PID:1064
- C:\Windows\System32\bEyOXnH.exe
  C:\Windows\System32\bEyOXnH.exe
  2⤵
  PID:2156
- C:\Windows\System32\bkJeKtd.exe
  C:\Windows\System32\bkJeKtd.exe
  2⤵
  PID:1432
- C:\Windows\System32\GbpTVdN.exe
  C:\Windows\System32\GbpTVdN.exe
  2⤵
  PID:4360
- C:\Windows\System32\zhROKdX.exe
  C:\Windows\System32\zhROKdX.exe
  2⤵
  PID:2728
- C:\Windows\System32\guSLtPL.exe
  C:\Windows\System32\guSLtPL.exe
  2⤵
  PID:1404
- C:\Windows\System32\chyEKhd.exe
  C:\Windows\System32\chyEKhd.exe
  2⤵
  PID:2588
- C:\Windows\System32\UyYSfuI.exe
  C:\Windows\System32\UyYSfuI.exe
  2⤵
  PID:1736
- C:\Windows\System32\SSOBSMJ.exe
  C:\Windows\System32\SSOBSMJ.exe
  2⤵
  PID:444
- C:\Windows\System32\YBLcxix.exe
  C:\Windows\System32\YBLcxix.exe
  2⤵
  PID:4984
- C:\Windows\System32\TwvmkPL.exe
  C:\Windows\System32\TwvmkPL.exe
  2⤵
  PID:4068
- C:\Windows\System32\GWoiWGP.exe
  C:\Windows\System32\GWoiWGP.exe
  2⤵
  PID:2596
- C:\Windows\System32\VFAlTru.exe
  C:\Windows\System32\VFAlTru.exe
  2⤵
  PID:2340
- C:\Windows\System32\IZUZvqp.exe
  C:\Windows\System32\IZUZvqp.exe
  2⤵
  PID:4016
- C:\Windows\System32\fjKicvn.exe
  C:\Windows\System32\fjKicvn.exe
  2⤵
  PID:3600
- C:\Windows\System32\MYnmDsv.exe
  C:\Windows\System32\MYnmDsv.exe
  2⤵
  PID:3596
- C:\Windows\System32\FcEWLDm.exe
  C:\Windows\System32\FcEWLDm.exe
  2⤵
  PID:828
- C:\Windows\System32\rJFligE.exe
  C:\Windows\System32\rJFligE.exe
  2⤵
  PID:2028
- C:\Windows\System32\iRCVKzj.exe
  C:\Windows\System32\iRCVKzj.exe
  2⤵
  PID:2288
- C:\Windows\System32\myfAqiS.exe
  C:\Windows\System32\myfAqiS.exe
  2⤵
  PID:3172
- C:\Windows\System32\SAxoOJc.exe
  C:\Windows\System32\SAxoOJc.exe
  2⤵
  PID:4216
- C:\Windows\System32\Ftzjqzp.exe
  C:\Windows\System32\Ftzjqzp.exe
  2⤵
  PID:748
- C:\Windows\System32\pqbVBCS.exe
  C:\Windows\System32\pqbVBCS.exe
  2⤵
  PID:4920
- C:\Windows\System32\VNqbykI.exe
  C:\Windows\System32\VNqbykI.exe
  2⤵
  PID:1500
- C:\Windows\System32\YwOKNIs.exe
  C:\Windows\System32\YwOKNIs.exe
  2⤵
  PID:4664
- C:\Windows\System32\HCLWiOs.exe
  C:\Windows\System32\HCLWiOs.exe
  2⤵
  PID:4496
- C:\Windows\System32\xFmoKtt.exe
  C:\Windows\System32\xFmoKtt.exe
  2⤵
  PID:2872
- C:\Windows\System32\EIoCfJv.exe
  C:\Windows\System32\EIoCfJv.exe
  2⤵
  PID:2948
- C:\Windows\System32\amMJKOa.exe
  C:\Windows\System32\amMJKOa.exe
  2⤵
  PID:5020
- C:\Windows\System32\Yofphzx.exe
  C:\Windows\System32\Yofphzx.exe
  2⤵
  PID:3844
- C:\Windows\System32\zxUyZci.exe
  C:\Windows\System32\zxUyZci.exe
  2⤵
  PID:4632
- C:\Windows\System32\ppGTlca.exe
  C:\Windows\System32\ppGTlca.exe
  2⤵
  PID:3640
- C:\Windows\System32\fWsrwCx.exe
  C:\Windows\System32\fWsrwCx.exe
  2⤵
  PID:4544
- C:\Windows\System32\IKrbJOx.exe
  C:\Windows\System32\IKrbJOx.exe
  2⤵
  PID:4548
- C:\Windows\System32\eYXaQlj.exe
  C:\Windows\System32\eYXaQlj.exe
  2⤵
  PID:5128
- C:\Windows\System32\soFlTKI.exe
  C:\Windows\System32\soFlTKI.exe
  2⤵
  PID:5168
- C:\Windows\System32\ESzwIIf.exe
  C:\Windows\System32\ESzwIIf.exe
  2⤵
  PID:5184
- C:\Windows\System32\xCAWsnN.exe
  C:\Windows\System32\xCAWsnN.exe
  2⤵
  PID:5204
- C:\Windows\System32\tAYWncz.exe
  C:\Windows\System32\tAYWncz.exe
  2⤵
  PID:5248
- C:\Windows\System32\obJtXZa.exe
  C:\Windows\System32\obJtXZa.exe
  2⤵
  PID:5280
- C:\Windows\System32\ZEtQdJk.exe
  C:\Windows\System32\ZEtQdJk.exe
  2⤵
  PID:5324
- C:\Windows\System32\sJmDkiX.exe
  C:\Windows\System32\sJmDkiX.exe
  2⤵
  PID:5352
- C:\Windows\System32\DmeEmCP.exe
  C:\Windows\System32\DmeEmCP.exe
  2⤵
  PID:5376
- C:\Windows\System32\EhfkAGB.exe
  C:\Windows\System32\EhfkAGB.exe
  2⤵
  PID:5428
- C:\Windows\System32\KhiwOYo.exe
  C:\Windows\System32\KhiwOYo.exe
  2⤵
  PID:5456
- C:\Windows\System32\MrRlIZr.exe
  C:\Windows\System32\MrRlIZr.exe
  2⤵
  PID:5476
- C:\Windows\System32\RUMLsGb.exe
  C:\Windows\System32\RUMLsGb.exe
  2⤵
  PID:5496
- C:\Windows\System32\raRuoUJ.exe
  C:\Windows\System32\raRuoUJ.exe
  2⤵
  PID:5540
- C:\Windows\System32\gaMJJmH.exe
  C:\Windows\System32\gaMJJmH.exe
  2⤵
  PID:5588
- C:\Windows\System32\KStXbAW.exe
  C:\Windows\System32\KStXbAW.exe
  2⤵
  PID:5612
- C:\Windows\System32\zcvXZDS.exe
  C:\Windows\System32\zcvXZDS.exe
  2⤵
  PID:5640
- C:\Windows\System32\IQNXUlN.exe
  C:\Windows\System32\IQNXUlN.exe
  2⤵
  PID:5664
- C:\Windows\System32\VcYfhBX.exe
  C:\Windows\System32\VcYfhBX.exe
  2⤵
  PID:5704
- C:\Windows\System32\cwoFqtC.exe
  C:\Windows\System32\cwoFqtC.exe
  2⤵
  PID:5720
- C:\Windows\System32\VgHRBin.exe
  C:\Windows\System32\VgHRBin.exe
  2⤵
  PID:5744
- C:\Windows\System32\jGkRbxR.exe
  C:\Windows\System32\jGkRbxR.exe
  2⤵
  PID:5792
- C:\Windows\System32\uZmVrvq.exe
  C:\Windows\System32\uZmVrvq.exe
  2⤵
  PID:5816
- C:\Windows\System32\dZDjbgE.exe
  C:\Windows\System32\dZDjbgE.exe
  2⤵
  PID:5840
- C:\Windows\System32\ulyxhUU.exe
  C:\Windows\System32\ulyxhUU.exe
  2⤵
  PID:5868
- C:\Windows\System32\NjjWfTa.exe
  C:\Windows\System32\NjjWfTa.exe
  2⤵
  PID:5892
- C:\Windows\System32\SsAQTnY.exe
  C:\Windows\System32\SsAQTnY.exe
  2⤵
  PID:5916
- C:\Windows\System32\BHYzsaT.exe
  C:\Windows\System32\BHYzsaT.exe
  2⤵
  PID:5940
- C:\Windows\System32\lcEvHMF.exe
  C:\Windows\System32\lcEvHMF.exe
  2⤵
  PID:5968
- C:\Windows\System32\oFkwRHa.exe
  C:\Windows\System32\oFkwRHa.exe
  2⤵
  PID:6016
- C:\Windows\System32\JtQYFUA.exe
  C:\Windows\System32\JtQYFUA.exe
  2⤵
  PID:6056
- C:\Windows\System32\TLeUqFq.exe
  C:\Windows\System32\TLeUqFq.exe
  2⤵
  PID:6088
- C:\Windows\System32\vFsbWzj.exe
  C:\Windows\System32\vFsbWzj.exe
  2⤵
  PID:6104
- C:\Windows\System32\myuXkjN.exe
  C:\Windows\System32\myuXkjN.exe
  2⤵
  PID:6128
- C:\Windows\System32\IXZHjTL.exe
  C:\Windows\System32\IXZHjTL.exe
  2⤵
  PID:2920
- C:\Windows\System32\flxBTbf.exe
  C:\Windows\System32\flxBTbf.exe
  2⤵
  PID:1152
- C:\Windows\System32\NfHidEV.exe
  C:\Windows\System32\NfHidEV.exe
  2⤵
  PID:5212
- C:\Windows\System32\uOPsQgc.exe
  C:\Windows\System32\uOPsQgc.exe
  2⤵
  PID:5296
- C:\Windows\System32\qbNPBhf.exe
  C:\Windows\System32\qbNPBhf.exe
  2⤵
  PID:5336
- C:\Windows\System32\TlAguXS.exe
  C:\Windows\System32\TlAguXS.exe
  2⤵
  PID:5364
- C:\Windows\System32\mNUNWOV.exe
  C:\Windows\System32\mNUNWOV.exe
  2⤵
  PID:5384
- C:\Windows\System32\ibMssFw.exe
  C:\Windows\System32\ibMssFw.exe
  2⤵
  PID:5452
- C:\Windows\System32\XsvjdZd.exe
  C:\Windows\System32\XsvjdZd.exe
  2⤵
  PID:5504
- C:\Windows\System32\YUPeFUe.exe
  C:\Windows\System32\YUPeFUe.exe
  2⤵
  PID:5560
- C:\Windows\System32\jpbqmrg.exe
  C:\Windows\System32\jpbqmrg.exe
  2⤵
  PID:4852
- C:\Windows\System32\OZaSLxB.exe
  C:\Windows\System32\OZaSLxB.exe
  2⤵
  PID:3060
- C:\Windows\System32\EtAXMPn.exe
  C:\Windows\System32\EtAXMPn.exe
  2⤵
  PID:5628
- C:\Windows\System32\uQrMfrE.exe
  C:\Windows\System32\uQrMfrE.exe
  2⤵
  PID:5728
- C:\Windows\System32\ssyUmik.exe
  C:\Windows\System32\ssyUmik.exe
  2⤵
  PID:5716
- C:\Windows\System32\GgyhErM.exe
  C:\Windows\System32\GgyhErM.exe
  2⤵
  PID:5852
- C:\Windows\System32\dVyVXyn.exe
  C:\Windows\System32\dVyVXyn.exe
  2⤵
  PID:5876
- C:\Windows\System32\hYGeQYi.exe
  C:\Windows\System32\hYGeQYi.exe
  2⤵
  PID:6000
- C:\Windows\System32\ioWRzFG.exe
  C:\Windows\System32\ioWRzFG.exe
  2⤵
  PID:5924
- C:\Windows\System32\YTwVPEC.exe
  C:\Windows\System32\YTwVPEC.exe
  2⤵
  PID:6112
- C:\Windows\System32\CNeyZKa.exe
  C:\Windows\System32\CNeyZKa.exe
  2⤵
  PID:5240
- C:\Windows\System32\kjXovBz.exe
  C:\Windows\System32\kjXovBz.exe
  2⤵
  PID:4628
- C:\Windows\System32\rAMySTb.exe
  C:\Windows\System32\rAMySTb.exe
  2⤵
  PID:5468
- C:\Windows\System32\gAiALSw.exe
  C:\Windows\System32\gAiALSw.exe
  2⤵
  PID:3636
- C:\Windows\System32\VCCCbaD.exe
  C:\Windows\System32\VCCCbaD.exe
  2⤵
  PID:5648
- C:\Windows\System32\GALEAPC.exe
  C:\Windows\System32\GALEAPC.exe
  2⤵
  PID:6032
- C:\Windows\System32\IFMQmnk.exe
  C:\Windows\System32\IFMQmnk.exe
  2⤵
  PID:6036
- C:\Windows\System32\ScMZjyZ.exe
  C:\Windows\System32\ScMZjyZ.exe
  2⤵
  PID:5332
- C:\Windows\System32\jfLZoOc.exe
  C:\Windows\System32\jfLZoOc.exe
  2⤵
  PID:5632
- C:\Windows\System32\tEGWTUv.exe
  C:\Windows\System32\tEGWTUv.exe
  2⤵
  PID:5512
- C:\Windows\System32\QSJeDwS.exe
  C:\Windows\System32\QSJeDwS.exe
  2⤵
  PID:5288
- C:\Windows\System32\enJAVUc.exe
  C:\Windows\System32\enJAVUc.exe
  2⤵
  PID:6152
- C:\Windows\System32\nEtbXDe.exe
  C:\Windows\System32\nEtbXDe.exe
  2⤵
  PID:6168
- C:\Windows\System32\UPcBELe.exe
  C:\Windows\System32\UPcBELe.exe
  2⤵
  PID:6192
- C:\Windows\System32\zJrXZTa.exe
  C:\Windows\System32\zJrXZTa.exe
  2⤵
  PID:6212
- C:\Windows\System32\OkQTVFM.exe
  C:\Windows\System32\OkQTVFM.exe
  2⤵
  PID:6232
- C:\Windows\System32\YkuRTbG.exe
  C:\Windows\System32\YkuRTbG.exe
  2⤵
  PID:6248
- C:\Windows\System32\vSjifBC.exe
  C:\Windows\System32\vSjifBC.exe
  2⤵
  PID:6272
- C:\Windows\System32\blPESEO.exe
  C:\Windows\System32\blPESEO.exe
  2⤵
  PID:6292
- C:\Windows\System32\pVQzwsA.exe
  C:\Windows\System32\pVQzwsA.exe
  2⤵
  PID:6340
- C:\Windows\System32\zdUeYkN.exe
  C:\Windows\System32\zdUeYkN.exe
  2⤵
  PID:6356
- C:\Windows\System32\yOkESEc.exe
  C:\Windows\System32\yOkESEc.exe
  2⤵
  PID:6416
- C:\Windows\System32\trdGuix.exe
  C:\Windows\System32\trdGuix.exe
  2⤵
  PID:6432
- C:\Windows\System32\ezrgfFq.exe
  C:\Windows\System32\ezrgfFq.exe
  2⤵
  PID:6460
- C:\Windows\System32\nqRDDlG.exe
  C:\Windows\System32\nqRDDlG.exe
  2⤵
  PID:6476
- C:\Windows\System32\bkdxyUE.exe
  C:\Windows\System32\bkdxyUE.exe
  2⤵
  PID:6504
- C:\Windows\System32\oHKNZgn.exe
  C:\Windows\System32\oHKNZgn.exe
  2⤵
  PID:6524
- C:\Windows\System32\PSEWNgO.exe
  C:\Windows\System32\PSEWNgO.exe
  2⤵
  PID:6568
- C:\Windows\System32\xkGGcmx.exe
  C:\Windows\System32\xkGGcmx.exe
  2⤵
  PID:6620
- C:\Windows\System32\oGzSaBh.exe
  C:\Windows\System32\oGzSaBh.exe
  2⤵
  PID:6636
- C:\Windows\System32\EqAEFqD.exe
  C:\Windows\System32\EqAEFqD.exe
  2⤵
  PID:6664
- C:\Windows\System32\llGqhPn.exe
  C:\Windows\System32\llGqhPn.exe
  2⤵
  PID:6688
- C:\Windows\System32\UGwsSOj.exe
  C:\Windows\System32\UGwsSOj.exe
  2⤵
  PID:6744
- C:\Windows\System32\NAXBUZo.exe
  C:\Windows\System32\NAXBUZo.exe
  2⤵
  PID:6760
- C:\Windows\System32\ZChQKlT.exe
  C:\Windows\System32\ZChQKlT.exe
  2⤵
  PID:6800
- C:\Windows\System32\dVOglHZ.exe
  C:\Windows\System32\dVOglHZ.exe
  2⤵
  PID:6816
- C:\Windows\System32\FhtdEZK.exe
  C:\Windows\System32\FhtdEZK.exe
  2⤵
  PID:6852
- C:\Windows\System32\izvcbbU.exe
  C:\Windows\System32\izvcbbU.exe
  2⤵
  PID:6880
- C:\Windows\System32\RhUZBNh.exe
  C:\Windows\System32\RhUZBNh.exe
  2⤵
  PID:6924
- C:\Windows\System32\rWYzPBj.exe
  C:\Windows\System32\rWYzPBj.exe
  2⤵
  PID:6940
- C:\Windows\System32\upJvPAd.exe
  C:\Windows\System32\upJvPAd.exe
  2⤵
  PID:6968
- C:\Windows\System32\isOKCHQ.exe
  C:\Windows\System32\isOKCHQ.exe
  2⤵
  PID:6984
- C:\Windows\System32\kQpytHC.exe
  C:\Windows\System32\kQpytHC.exe
  2⤵
  PID:7008
- C:\Windows\System32\LFkqOLa.exe
  C:\Windows\System32\LFkqOLa.exe
  2⤵
  PID:7056
- C:\Windows\System32\AIizlHV.exe
  C:\Windows\System32\AIizlHV.exe
  2⤵
  PID:7088
- C:\Windows\System32\aJGtYyq.exe
  C:\Windows\System32\aJGtYyq.exe
  2⤵
  PID:7104
- C:\Windows\System32\VIoMuzL.exe
  C:\Windows\System32\VIoMuzL.exe
  2⤵
  PID:7144
- C:\Windows\System32\vxCuDaG.exe
  C:\Windows\System32\vxCuDaG.exe
  2⤵
  PID:5948
- C:\Windows\System32\cMFqzwC.exe
  C:\Windows\System32\cMFqzwC.exe
  2⤵
  PID:1688
- C:\Windows\System32\WbRfxwK.exe
  C:\Windows\System32\WbRfxwK.exe
  2⤵
  PID:6200
- C:\Windows\System32\CejJbUu.exe
  C:\Windows\System32\CejJbUu.exe
  2⤵
  PID:6264
- C:\Windows\System32\QFSbqWt.exe
  C:\Windows\System32\QFSbqWt.exe
  2⤵
  PID:6352
- C:\Windows\System32\FZlRHyP.exe
  C:\Windows\System32\FZlRHyP.exe
  2⤵
  PID:6452
- C:\Windows\System32\FMoILVM.exe
  C:\Windows\System32\FMoILVM.exe
  2⤵
  PID:6468
- C:\Windows\System32\WWscQpH.exe
  C:\Windows\System32\WWscQpH.exe
  2⤵
  PID:6532
- C:\Windows\System32\XeKmBrd.exe
  C:\Windows\System32\XeKmBrd.exe
  2⤵
  PID:6424
- C:\Windows\System32\QbOlcBo.exe
  C:\Windows\System32\QbOlcBo.exe
  2⤵
  PID:6604
- C:\Windows\System32\ZGOARmG.exe
  C:\Windows\System32\ZGOARmG.exe
  2⤵
  PID:6656
- C:\Windows\System32\rLDJesi.exe
  C:\Windows\System32\rLDJesi.exe
  2⤵
  PID:5636
- C:\Windows\System32\TunHdzZ.exe
  C:\Windows\System32\TunHdzZ.exe
  2⤵
  PID:6728
- C:\Windows\System32\HNqxlFk.exe
  C:\Windows\System32\HNqxlFk.exe
  2⤵
  PID:6828
- C:\Windows\System32\KEOUdUw.exe
  C:\Windows\System32\KEOUdUw.exe
  2⤵
  PID:6864
- C:\Windows\System32\uiFBmqF.exe
  C:\Windows\System32\uiFBmqF.exe
  2⤵
  PID:6932
- C:\Windows\System32\CgKtBMl.exe
  C:\Windows\System32\CgKtBMl.exe
  2⤵
  PID:7000
- C:\Windows\System32\GvDbEvv.exe
  C:\Windows\System32\GvDbEvv.exe
  2⤵
  PID:7132
- C:\Windows\System32\jDniiVQ.exe
  C:\Windows\System32\jDniiVQ.exe
  2⤵
  PID:6180
- C:\Windows\System32\ygdaxok.exe
  C:\Windows\System32\ygdaxok.exe
  2⤵
  PID:6284
- C:\Windows\System32\wsCrPKF.exe
  C:\Windows\System32\wsCrPKF.exe
  2⤵
  PID:6484
- C:\Windows\System32\PFjWwiK.exe
  C:\Windows\System32\PFjWwiK.exe
  2⤵
  PID:6672
- C:\Windows\System32\VpdoXKC.exe
  C:\Windows\System32\VpdoXKC.exe
  2⤵
  PID:7084
- C:\Windows\System32\nfYeIaR.exe
  C:\Windows\System32\nfYeIaR.exe
  2⤵
  PID:6496
- C:\Windows\System32\HIhiHlu.exe
  C:\Windows\System32\HIhiHlu.exe
  2⤵
  PID:7160
- C:\Windows\System32\wxFFYBD.exe
  C:\Windows\System32\wxFFYBD.exe
  2⤵
  PID:6592
- C:\Windows\System32\yxUaeTs.exe
  C:\Windows\System32\yxUaeTs.exe
  2⤵
  PID:6768
- C:\Windows\System32\glRfSiE.exe
  C:\Windows\System32\glRfSiE.exe
  2⤵
  PID:6240
- C:\Windows\System32\SbrVPWN.exe
  C:\Windows\System32\SbrVPWN.exe
  2⤵
  PID:6364
- C:\Windows\System32\ssDFgek.exe
  C:\Windows\System32\ssDFgek.exe
  2⤵
  PID:6892
- C:\Windows\System32\pdWyfVw.exe
  C:\Windows\System32\pdWyfVw.exe
  2⤵
  PID:7188
- C:\Windows\System32\pSmvoDT.exe
  C:\Windows\System32\pSmvoDT.exe
  2⤵
  PID:7208
- C:\Windows\System32\zlTZNZH.exe
  C:\Windows\System32\zlTZNZH.exe
  2⤵
  PID:7228
- C:\Windows\System32\IdirFvN.exe
  C:\Windows\System32\IdirFvN.exe
  2⤵
  PID:7276
- C:\Windows\System32\pyIZity.exe
  C:\Windows\System32\pyIZity.exe
  2⤵
  PID:7296
- C:\Windows\System32\HNrVFKu.exe
  C:\Windows\System32\HNrVFKu.exe
  2⤵
  PID:7316
- C:\Windows\System32\jhvETUb.exe
  C:\Windows\System32\jhvETUb.exe
  2⤵
  PID:7332
- C:\Windows\System32\kMznLwE.exe
  C:\Windows\System32\kMznLwE.exe
  2⤵
  PID:7408
- C:\Windows\System32\KiAuQPB.exe
  C:\Windows\System32\KiAuQPB.exe
  2⤵
  PID:7424
- C:\Windows\System32\zetNVJh.exe
  C:\Windows\System32\zetNVJh.exe
  2⤵
  PID:7440
- C:\Windows\System32\UGIeLTq.exe
  C:\Windows\System32\UGIeLTq.exe
  2⤵
  PID:7464
- C:\Windows\System32\ciwWJTJ.exe
  C:\Windows\System32\ciwWJTJ.exe
  2⤵
  PID:7512
- C:\Windows\System32\ISlOPnV.exe
  C:\Windows\System32\ISlOPnV.exe
  2⤵
  PID:7532
- C:\Windows\System32\qOKRhvA.exe
  C:\Windows\System32\qOKRhvA.exe
  2⤵
  PID:7552
- C:\Windows\System32\bwokqJU.exe
  C:\Windows\System32\bwokqJU.exe
  2⤵
  PID:7576
- C:\Windows\System32\NvNoVpN.exe
  C:\Windows\System32\NvNoVpN.exe
  2⤵
  PID:7624
- C:\Windows\System32\VkJAgAt.exe
  C:\Windows\System32\VkJAgAt.exe
  2⤵
  PID:7668
- C:\Windows\System32\tjmKrzo.exe
  C:\Windows\System32\tjmKrzo.exe
  2⤵
  PID:7696
- C:\Windows\System32\jDkTkmA.exe
  C:\Windows\System32\jDkTkmA.exe
  2⤵
  PID:7732
- C:\Windows\System32\CNBgtwp.exe
  C:\Windows\System32\CNBgtwp.exe
  2⤵
  PID:7752
- C:\Windows\System32\cNjjjHq.exe
  C:\Windows\System32\cNjjjHq.exe
  2⤵
  PID:7796
- C:\Windows\System32\oMvFnxH.exe
  C:\Windows\System32\oMvFnxH.exe
  2⤵
  PID:7816
- C:\Windows\System32\CczcGSF.exe
  C:\Windows\System32\CczcGSF.exe
  2⤵
  PID:7836
- C:\Windows\System32\iqDFjvr.exe
  C:\Windows\System32\iqDFjvr.exe
  2⤵
  PID:7896
- C:\Windows\System32\MFEAdTE.exe
  C:\Windows\System32\MFEAdTE.exe
  2⤵
  PID:7912
- C:\Windows\System32\YlISfPP.exe
  C:\Windows\System32\YlISfPP.exe
  2⤵
  PID:7928
- C:\Windows\System32\ReUrBEr.exe
  C:\Windows\System32\ReUrBEr.exe
  2⤵
  PID:7948
- C:\Windows\System32\PRMkgmG.exe
  C:\Windows\System32\PRMkgmG.exe
  2⤵
  PID:7972
- C:\Windows\System32\gwPXLOj.exe
  C:\Windows\System32\gwPXLOj.exe
  2⤵
  PID:7996
- C:\Windows\System32\yeUWjeg.exe
  C:\Windows\System32\yeUWjeg.exe
  2⤵
  PID:8012
- C:\Windows\System32\KtBBYdu.exe
  C:\Windows\System32\KtBBYdu.exe
  2⤵
  PID:8028
- C:\Windows\System32\vgifQWS.exe
  C:\Windows\System32\vgifQWS.exe
  2⤵
  PID:8084
- C:\Windows\System32\DFNSUYm.exe
  C:\Windows\System32\DFNSUYm.exe
  2⤵
  PID:8112
- C:\Windows\System32\sHSaofv.exe
  C:\Windows\System32\sHSaofv.exe
  2⤵
  PID:8140
- C:\Windows\System32\gjdDPUG.exe
  C:\Windows\System32\gjdDPUG.exe
  2⤵
  PID:8160
- C:\Windows\System32\DdsjwFQ.exe
  C:\Windows\System32\DdsjwFQ.exe
  2⤵
  PID:8184
- C:\Windows\System32\oRqOJHX.exe
  C:\Windows\System32\oRqOJHX.exe
  2⤵
  PID:7216
- C:\Windows\System32\LcYYrNk.exe
  C:\Windows\System32\LcYYrNk.exe
  2⤵
  PID:7200
- C:\Windows\System32\CYvgrSO.exe
  C:\Windows\System32\CYvgrSO.exe
  2⤵
  PID:7392
- C:\Windows\System32\hJQGHhv.exe
  C:\Windows\System32\hJQGHhv.exe
  2⤵
  PID:7456
- C:\Windows\System32\TwsoABh.exe
  C:\Windows\System32\TwsoABh.exe
  2⤵
  PID:7448
- C:\Windows\System32\cyNrIzs.exe
  C:\Windows\System32\cyNrIzs.exe
  2⤵
  PID:7524
- C:\Windows\System32\vFuZwtQ.exe
  C:\Windows\System32\vFuZwtQ.exe
  2⤵
  PID:7620
- C:\Windows\System32\pWnqnGd.exe
  C:\Windows\System32\pWnqnGd.exe
  2⤵
  PID:7692
- C:\Windows\System32\fnUXtjW.exe
  C:\Windows\System32\fnUXtjW.exe
  2⤵
  PID:7744
- C:\Windows\System32\wrfMJtD.exe
  C:\Windows\System32\wrfMJtD.exe
  2⤵
  PID:7804
- C:\Windows\System32\iRmzNRL.exe
  C:\Windows\System32\iRmzNRL.exe
  2⤵
  PID:7908
- C:\Windows\System32\YbDxhrT.exe
  C:\Windows\System32\YbDxhrT.exe
  2⤵
  PID:7964
- C:\Windows\System32\gpdSBKJ.exe
  C:\Windows\System32\gpdSBKJ.exe
  2⤵
  PID:8052
- C:\Windows\System32\pGxNPPh.exe
  C:\Windows\System32\pGxNPPh.exe
  2⤵
  PID:8056
- C:\Windows\System32\vUcegdb.exe
  C:\Windows\System32\vUcegdb.exe
  2⤵
  PID:8080
- C:\Windows\System32\XOiaiqE.exe
  C:\Windows\System32\XOiaiqE.exe
  2⤵
  PID:8168
- C:\Windows\System32\miTUNVb.exe
  C:\Windows\System32\miTUNVb.exe
  2⤵
  PID:7324
- C:\Windows\System32\HkjAfDe.exe
  C:\Windows\System32\HkjAfDe.exe
  2⤵
  PID:7240
- C:\Windows\System32\OBkHGIf.exe
  C:\Windows\System32\OBkHGIf.exe
  2⤵
  PID:6380
- C:\Windows\System32\NbRefuI.exe
  C:\Windows\System32\NbRefuI.exe
  2⤵
  PID:7540
- C:\Windows\System32\uCdHtji.exe
  C:\Windows\System32\uCdHtji.exe
  2⤵
  PID:7584
- C:\Windows\System32\aZEjXvP.exe
  C:\Windows\System32\aZEjXvP.exe
  2⤵
  PID:7988
- C:\Windows\System32\ygTEEUg.exe
  C:\Windows\System32\ygTEEUg.exe
  2⤵
  PID:7224
- C:\Windows\System32\vYBvzWv.exe
  C:\Windows\System32\vYBvzWv.exe
  2⤵
  PID:7688
- C:\Windows\System32\FMKxBCa.exe
  C:\Windows\System32\FMKxBCa.exe
  2⤵
  PID:7260
- C:\Windows\System32\xkfKAmG.exe
  C:\Windows\System32\xkfKAmG.exe
  2⤵
  PID:8204
- C:\Windows\System32\DzrDkWV.exe
  C:\Windows\System32\DzrDkWV.exe
  2⤵
  PID:8440
- C:\Windows\System32\BvmbaiL.exe
  C:\Windows\System32\BvmbaiL.exe
  2⤵
  PID:8476
- C:\Windows\System32\GYCIJCC.exe
  C:\Windows\System32\GYCIJCC.exe
  2⤵
  PID:8496
- C:\Windows\System32\agGndnq.exe
  C:\Windows\System32\agGndnq.exe
  2⤵
  PID:8524
- C:\Windows\System32\KQueFXU.exe
  C:\Windows\System32\KQueFXU.exe
  2⤵
  PID:8572
- C:\Windows\System32\ZXMWKWL.exe
  C:\Windows\System32\ZXMWKWL.exe
  2⤵
  PID:8592
- C:\Windows\System32\SIiQbOV.exe
  C:\Windows\System32\SIiQbOV.exe
  2⤵
  PID:8612
- C:\Windows\System32\VtNJXql.exe
  C:\Windows\System32\VtNJXql.exe
  2⤵
  PID:8636
- C:\Windows\System32\OepayzC.exe
  C:\Windows\System32\OepayzC.exe
  2⤵
  PID:8660
- C:\Windows\System32\gGyIXtN.exe
  C:\Windows\System32\gGyIXtN.exe
  2⤵
  PID:8680
- C:\Windows\System32\CPDIEsL.exe
  C:\Windows\System32\CPDIEsL.exe
  2⤵
  PID:8704
- C:\Windows\System32\FqPXBWL.exe
  C:\Windows\System32\FqPXBWL.exe
  2⤵
  PID:8724
- C:\Windows\System32\SwKDMpX.exe
  C:\Windows\System32\SwKDMpX.exe
  2⤵
  PID:8744
- C:\Windows\System32\pCaHpDs.exe
  C:\Windows\System32\pCaHpDs.exe
  2⤵
  PID:8792
- C:\Windows\System32\ziijRIZ.exe
  C:\Windows\System32\ziijRIZ.exe
  2⤵
  PID:8856
- C:\Windows\System32\BbRbDJm.exe
  C:\Windows\System32\BbRbDJm.exe
  2⤵
  PID:8872
- C:\Windows\System32\wYPTVkm.exe
  C:\Windows\System32\wYPTVkm.exe
  2⤵
  PID:8892
- C:\Windows\System32\XdrmYYf.exe
  C:\Windows\System32\XdrmYYf.exe
  2⤵
  PID:8916
- C:\Windows\System32\YbdrSpN.exe
  C:\Windows\System32\YbdrSpN.exe
  2⤵
  PID:8936
- C:\Windows\System32\KLzziUQ.exe
  C:\Windows\System32\KLzziUQ.exe
  2⤵
  PID:8964
- C:\Windows\System32\fcSbbNH.exe
  C:\Windows\System32\fcSbbNH.exe
  2⤵
  PID:9012
- C:\Windows\System32\uUHOmRW.exe
  C:\Windows\System32\uUHOmRW.exe
  2⤵
  PID:9064
- C:\Windows\System32\CBLZbya.exe
  C:\Windows\System32\CBLZbya.exe
  2⤵
  PID:9080
- C:\Windows\System32\xzrMiwL.exe
  C:\Windows\System32\xzrMiwL.exe
  2⤵
  PID:9100
- C:\Windows\System32\RfahuYg.exe
  C:\Windows\System32\RfahuYg.exe
  2⤵
  PID:9124
- C:\Windows\System32\XVllCeJ.exe
  C:\Windows\System32\XVllCeJ.exe
  2⤵
  PID:9140
- C:\Windows\System32\HuPRqGt.exe
  C:\Windows\System32\HuPRqGt.exe
  2⤵
  PID:9176
- C:\Windows\System32\mPUwrdn.exe
  C:\Windows\System32\mPUwrdn.exe
  2⤵
  PID:7196
- C:\Windows\System32\iNEGlId.exe
  C:\Windows\System32\iNEGlId.exe
  2⤵
  PID:7772
- C:\Windows\System32\WGBaIWI.exe
  C:\Windows\System32\WGBaIWI.exe
  2⤵
  PID:7432
- C:\Windows\System32\tjPXJiN.exe
  C:\Windows\System32\tjPXJiN.exe
  2⤵
  PID:8236
- C:\Windows\System32\hqZwkMT.exe
  C:\Windows\System32\hqZwkMT.exe
  2⤵
  PID:8252
- C:\Windows\System32\JZgbETj.exe
  C:\Windows\System32\JZgbETj.exe
  2⤵
  PID:8280
- C:\Windows\System32\yWHHtLs.exe
  C:\Windows\System32\yWHHtLs.exe
  2⤵
  PID:8308
- C:\Windows\System32\RKKBQkC.exe
  C:\Windows\System32\RKKBQkC.exe
  2⤵
  PID:8424
- C:\Windows\System32\TZbMjXV.exe
  C:\Windows\System32\TZbMjXV.exe
  2⤵
  PID:8312
- C:\Windows\System32\ngwsMch.exe
  C:\Windows\System32\ngwsMch.exe
  2⤵
  PID:8504
- C:\Windows\System32\yXptpeH.exe
  C:\Windows\System32\yXptpeH.exe
  2⤵
  PID:3748
- C:\Windows\System32\VEnErSv.exe
  C:\Windows\System32\VEnErSv.exe
  2⤵
  PID:8568
- C:\Windows\System32\tnvYXYW.exe
  C:\Windows\System32\tnvYXYW.exe
  2⤵
  PID:8580
- C:\Windows\System32\yLZzzoU.exe
  C:\Windows\System32\yLZzzoU.exe
  2⤵
  PID:8608
- C:\Windows\System32\tEfzMwd.exe
  C:\Windows\System32\tEfzMwd.exe
  2⤵
  PID:8740
- C:\Windows\System32\iJRmsTX.exe
  C:\Windows\System32\iJRmsTX.exe
  2⤵
  PID:8668
- C:\Windows\System32\dAKNxuX.exe
  C:\Windows\System32\dAKNxuX.exe
  2⤵
  PID:8836
- C:\Windows\System32\FqKwcvw.exe
  C:\Windows\System32\FqKwcvw.exe
  2⤵
  PID:8888
- C:\Windows\System32\jZVHlpP.exe
  C:\Windows\System32\jZVHlpP.exe
  2⤵
  PID:8976
- C:\Windows\System32\MSrtBvY.exe
  C:\Windows\System32\MSrtBvY.exe
  2⤵
  PID:9024
- C:\Windows\System32\aEwxjcp.exe
  C:\Windows\System32\aEwxjcp.exe
  2⤵
  PID:9112
- C:\Windows\System32\ZhgJwiZ.exe
  C:\Windows\System32\ZhgJwiZ.exe
  2⤵
  PID:9160
- C:\Windows\System32\YszhWjM.exe
  C:\Windows\System32\YszhWjM.exe
  2⤵
  PID:9184
- C:\Windows\System32\TCBXEfb.exe
  C:\Windows\System32\TCBXEfb.exe
  2⤵
  PID:8232
- C:\Windows\System32\jpMYEgA.exe
  C:\Windows\System32\jpMYEgA.exe
  2⤵
  PID:8272
- C:\Windows\System32\POmqZOP.exe
  C:\Windows\System32\POmqZOP.exe
  2⤵
  PID:8376
- C:\Windows\System32\ldYjvYa.exe
  C:\Windows\System32\ldYjvYa.exe
  2⤵
  PID:8620
- C:\Windows\System32\IDHRqiE.exe
  C:\Windows\System32\IDHRqiE.exe
  2⤵
  PID:8752
- C:\Windows\System32\AdwcINA.exe
  C:\Windows\System32\AdwcINA.exe
  2⤵
  PID:8864
- C:\Windows\System32\VyMBclc.exe
  C:\Windows\System32\VyMBclc.exe
  2⤵
  PID:9028
- C:\Windows\System32\RMLGDIn.exe
  C:\Windows\System32\RMLGDIn.exe
  2⤵
  PID:7528
- C:\Windows\System32\PFzLlXr.exe
  C:\Windows\System32\PFzLlXr.exe
  2⤵
  PID:8268
- C:\Windows\System32\AQwwfng.exe
  C:\Windows\System32\AQwwfng.exe
  2⤵
  PID:8368
- C:\Windows\System32\pSpcbwB.exe
  C:\Windows\System32\pSpcbwB.exe
  2⤵
  PID:8392
- C:\Windows\System32\WzLewCe.exe
  C:\Windows\System32\WzLewCe.exe
  2⤵
  PID:9072
- C:\Windows\System32\YGtjOWf.exe
  C:\Windows\System32\YGtjOWf.exe
  2⤵
  PID:9168
- C:\Windows\System32\LAHvVZZ.exe
  C:\Windows\System32\LAHvVZZ.exe
  2⤵
  PID:8408
- C:\Windows\System32\IMFfAES.exe
  C:\Windows\System32\IMFfAES.exe
  2⤵
  PID:9272
- C:\Windows\System32\FxFUxTp.exe
  C:\Windows\System32\FxFUxTp.exe
  2⤵
  PID:9344
- C:\Windows\System32\wIMQiSj.exe
  C:\Windows\System32\wIMQiSj.exe
  2⤵
  PID:9364
- C:\Windows\System32\ieVKOkQ.exe
  C:\Windows\System32\ieVKOkQ.exe
  2⤵
  PID:9380
- C:\Windows\System32\dahLrYb.exe
  C:\Windows\System32\dahLrYb.exe
  2⤵
  PID:9396
- C:\Windows\System32\XykDCwm.exe
  C:\Windows\System32\XykDCwm.exe
  2⤵
  PID:9412
- C:\Windows\System32\fpTGJvC.exe
  C:\Windows\System32\fpTGJvC.exe
  2⤵
  PID:9428
- C:\Windows\System32\gWiRMUd.exe
  C:\Windows\System32\gWiRMUd.exe
  2⤵
  PID:9444
- C:\Windows\System32\awxFDli.exe
  C:\Windows\System32\awxFDli.exe
  2⤵
  PID:9484
- C:\Windows\System32\baolxuc.exe
  C:\Windows\System32\baolxuc.exe
  2⤵
  PID:9524
- C:\Windows\System32\IswQULd.exe
  C:\Windows\System32\IswQULd.exe
  2⤵
  PID:9556
- C:\Windows\System32\ROgVHPk.exe
  C:\Windows\System32\ROgVHPk.exe
  2⤵
  PID:9576
- C:\Windows\System32\OZAbfwO.exe
  C:\Windows\System32\OZAbfwO.exe
  2⤵
  PID:9664
- C:\Windows\System32\ocdqllU.exe
  C:\Windows\System32\ocdqllU.exe
  2⤵
  PID:9700
- C:\Windows\System32\yIXDoRG.exe
  C:\Windows\System32\yIXDoRG.exe
  2⤵
  PID:9788
- C:\Windows\System32\VEVeZaI.exe
  C:\Windows\System32\VEVeZaI.exe
  2⤵
  PID:9812
- C:\Windows\System32\agXrAnf.exe
  C:\Windows\System32\agXrAnf.exe
  2⤵
  PID:9832
- C:\Windows\System32\lZirnkz.exe
  C:\Windows\System32\lZirnkz.exe
  2⤵
  PID:9860
- C:\Windows\System32\ILKpfyh.exe
  C:\Windows\System32\ILKpfyh.exe
  2⤵
  PID:9884
- C:\Windows\System32\mZAxlqO.exe
  C:\Windows\System32\mZAxlqO.exe
  2⤵
  PID:9928
- C:\Windows\System32\nAUbYFY.exe
  C:\Windows\System32\nAUbYFY.exe
  2⤵
  PID:9956
- C:\Windows\System32\GHQprgw.exe
  C:\Windows\System32\GHQprgw.exe
  2⤵
  PID:9980
- C:\Windows\System32\LEoiMao.exe
  C:\Windows\System32\LEoiMao.exe
  2⤵
  PID:9996
- C:\Windows\System32\baoUdxS.exe
  C:\Windows\System32\baoUdxS.exe
  2⤵
  PID:10020
- C:\Windows\System32\kzrMqEc.exe
  C:\Windows\System32\kzrMqEc.exe
  2⤵
  PID:10052
- C:\Windows\System32\TTrJrSm.exe
  C:\Windows\System32\TTrJrSm.exe
  2⤵
  PID:10088
- C:\Windows\System32\DdFseDx.exe
  C:\Windows\System32\DdFseDx.exe
  2⤵
  PID:10112
- C:\Windows\System32\QMYBntg.exe
  C:\Windows\System32\QMYBntg.exe
  2⤵
  PID:10132
- C:\Windows\System32\bDksqAl.exe
  C:\Windows\System32\bDksqAl.exe
  2⤵
  PID:10156
- C:\Windows\System32\efwSMSh.exe
  C:\Windows\System32\efwSMSh.exe
  2⤵
  PID:10180
- C:\Windows\System32\SwMwleF.exe
  C:\Windows\System32\SwMwleF.exe
  2⤵
  PID:10236
- C:\Windows\System32\eykMlQJ.exe
  C:\Windows\System32\eykMlQJ.exe
  2⤵
  PID:9280
- C:\Windows\System32\FumeEjM.exe
  C:\Windows\System32\FumeEjM.exe
  2⤵
  PID:9300
- C:\Windows\System32\TTXyKjp.exe
  C:\Windows\System32\TTXyKjp.exe
  2⤵
  PID:9468
- C:\Windows\System32\sEJWeXO.exe
  C:\Windows\System32\sEJWeXO.exe
  2⤵
  PID:9508
- C:\Windows\System32\ceERzIC.exe
  C:\Windows\System32\ceERzIC.exe
  2⤵
  PID:9284
- C:\Windows\System32\xrvNOop.exe
  C:\Windows\System32\xrvNOop.exe
  2⤵
  PID:9512
- C:\Windows\System32\behVUNJ.exe
  C:\Windows\System32\behVUNJ.exe
  2⤵
  PID:9324
- C:\Windows\System32\BzhWFZV.exe
  C:\Windows\System32\BzhWFZV.exe
  2⤵
  PID:9328
- C:\Windows\System32\siZqxKQ.exe
  C:\Windows\System32\siZqxKQ.exe
  2⤵
  PID:9532
- C:\Windows\System32\rbKoepF.exe
  C:\Windows\System32\rbKoepF.exe
  2⤵
  PID:9472
- C:\Windows\System32\LGOzGgh.exe
  C:\Windows\System32\LGOzGgh.exe
  2⤵
  PID:9608
- C:\Windows\System32\PjNhDMU.exe
  C:\Windows\System32\PjNhDMU.exe
  2⤵
  PID:9632
- C:\Windows\System32\pwbPzVd.exe
  C:\Windows\System32\pwbPzVd.exe
  2⤵
  PID:9720
- C:\Windows\System32\AqGixvy.exe
  C:\Windows\System32\AqGixvy.exe
  2⤵
  PID:9916
- C:\Windows\System32\TcGDmjM.exe
  C:\Windows\System32\TcGDmjM.exe
  2⤵
  PID:9968
- C:\Windows\System32\wIykTlZ.exe
  C:\Windows\System32\wIykTlZ.exe
  2⤵
  PID:10028
- C:\Windows\System32\QZUXICq.exe
  C:\Windows\System32\QZUXICq.exe
  2⤵
  PID:10108
- C:\Windows\System32\iJwBCmy.exe
  C:\Windows\System32\iJwBCmy.exe
  2⤵
  PID:10212
- C:\Windows\System32\LIkArLr.exe
  C:\Windows\System32\LIkArLr.exe
  2⤵
  PID:9308
- C:\Windows\System32\zMoBuqx.exe
  C:\Windows\System32\zMoBuqx.exe
  2⤵
  PID:9248
- C:\Windows\System32\huAHmih.exe
  C:\Windows\System32\huAHmih.exe
  2⤵
  PID:9268
- C:\Windows\System32\maoeqpx.exe
  C:\Windows\System32\maoeqpx.exe
  2⤵
  PID:9316
- C:\Windows\System32\kxcFXZI.exe
  C:\Windows\System32\kxcFXZI.exe
  2⤵
  PID:9588
- C:\Windows\System32\ULQeToj.exe
  C:\Windows\System32\ULQeToj.exe
  2⤵
  PID:9800
- C:\Windows\System32\jynVJBm.exe
  C:\Windows\System32\jynVJBm.exe
  2⤵
  PID:9940
- C:\Windows\System32\tICFghC.exe
  C:\Windows\System32\tICFghC.exe
  2⤵
  PID:10044
- C:\Windows\System32\YfBaBSV.exe
  C:\Windows\System32\YfBaBSV.exe
  2⤵
  PID:9240
- C:\Windows\System32\uvwspWo.exe
  C:\Windows\System32\uvwspWo.exe
  2⤵
  PID:9452
- C:\Windows\System32\tzUNwtr.exe
  C:\Windows\System32\tzUNwtr.exe
  2⤵
  PID:9584
- C:\Windows\System32\bPjpCgg.exe
  C:\Windows\System32\bPjpCgg.exe
  2⤵
  PID:10096
- C:\Windows\System32\vHMPJhK.exe
  C:\Windows\System32\vHMPJhK.exe
  2⤵
  PID:9716
- C:\Windows\System32\WqoJMPO.exe
  C:\Windows\System32\WqoJMPO.exe
  2⤵
  PID:10204
- C:\Windows\System32\SgVKBnY.exe
  C:\Windows\System32\SgVKBnY.exe
  2⤵
  PID:10260
- C:\Windows\System32\LJBJzVj.exe
  C:\Windows\System32\LJBJzVj.exe
  2⤵
  PID:10300
- C:\Windows\System32\MpjlJoN.exe
  C:\Windows\System32\MpjlJoN.exe
  2⤵
  PID:10320
- C:\Windows\System32\MINNKoC.exe
  C:\Windows\System32\MINNKoC.exe
  2⤵
  PID:10344
- C:\Windows\System32\NuRJhtb.exe
  C:\Windows\System32\NuRJhtb.exe
  2⤵
  PID:10364
- C:\Windows\System32\XeFHKnR.exe
  C:\Windows\System32\XeFHKnR.exe
  2⤵
  PID:10384
- C:\Windows\System32\rZqqpwB.exe
  C:\Windows\System32\rZqqpwB.exe
  2⤵
  PID:10408
- C:\Windows\System32\ShhAfZt.exe
  C:\Windows\System32\ShhAfZt.exe
  2⤵
  PID:10444
- C:\Windows\System32\IIkAsFZ.exe
  C:\Windows\System32\IIkAsFZ.exe
  2⤵
  PID:10488
- C:\Windows\System32\kWqqoZl.exe
  C:\Windows\System32\kWqqoZl.exe
  2⤵
  PID:10516
- C:\Windows\System32\dhUtXRh.exe
  C:\Windows\System32\dhUtXRh.exe
  2⤵
  PID:10540
- C:\Windows\System32\LeKCzVy.exe
  C:\Windows\System32\LeKCzVy.exe
  2⤵
  PID:10580
- C:\Windows\System32\JAdbGIW.exe
  C:\Windows\System32\JAdbGIW.exe
  2⤵
  PID:10596
- C:\Windows\System32\KZSQKwU.exe
  C:\Windows\System32\KZSQKwU.exe
  2⤵
  PID:10612
- C:\Windows\System32\AWHuMjz.exe
  C:\Windows\System32\AWHuMjz.exe
  2⤵
  PID:10636
- C:\Windows\System32\kKMfRjx.exe
  C:\Windows\System32\kKMfRjx.exe
  2⤵
  PID:10684
- C:\Windows\System32\jRQDGpR.exe
  C:\Windows\System32\jRQDGpR.exe
  2⤵
  PID:10724
- C:\Windows\System32\xgOpWHp.exe
  C:\Windows\System32\xgOpWHp.exe
  2⤵
  PID:10744
- C:\Windows\System32\CkNkTEh.exe
  C:\Windows\System32\CkNkTEh.exe
  2⤵
  PID:10768
- C:\Windows\System32\AbmTnMN.exe
  C:\Windows\System32\AbmTnMN.exe
  2⤵
  PID:10804
- C:\Windows\System32\hJWhWRG.exe
  C:\Windows\System32\hJWhWRG.exe
  2⤵
  PID:10824
- C:\Windows\System32\qCSWyVr.exe
  C:\Windows\System32\qCSWyVr.exe
  2⤵
  PID:10852
- C:\Windows\System32\oULrLCy.exe
  C:\Windows\System32\oULrLCy.exe
  2⤵
  PID:10884
- C:\Windows\System32\TRorauZ.exe
  C:\Windows\System32\TRorauZ.exe
  2⤵
  PID:10904
- C:\Windows\System32\PaYSfVK.exe
  C:\Windows\System32\PaYSfVK.exe
  2⤵
  PID:10928
- C:\Windows\System32\tfOpcbD.exe
  C:\Windows\System32\tfOpcbD.exe
  2⤵
  PID:10976
- C:\Windows\System32\CUNApaB.exe
  C:\Windows\System32\CUNApaB.exe
  2⤵
  PID:11000
- C:\Windows\System32\EYYgmfO.exe
  C:\Windows\System32\EYYgmfO.exe
  2⤵
  PID:11020
- C:\Windows\System32\cwgtxMF.exe
  C:\Windows\System32\cwgtxMF.exe
  2⤵
  PID:11040
- C:\Windows\System32\KbgmEJr.exe
  C:\Windows\System32\KbgmEJr.exe
  2⤵
  PID:11064
- C:\Windows\System32\XRKUCEn.exe
  C:\Windows\System32\XRKUCEn.exe
  2⤵
  PID:11092
- C:\Windows\System32\ZkpgJjv.exe
  C:\Windows\System32\ZkpgJjv.exe
  2⤵
  PID:11136
- C:\Windows\System32\HnihQXg.exe
  C:\Windows\System32\HnihQXg.exe
  2⤵
  PID:11168
- C:\Windows\System32\XslWuFV.exe
  C:\Windows\System32\XslWuFV.exe
  2⤵
  PID:11184
- C:\Windows\System32\wbwJddc.exe
  C:\Windows\System32\wbwJddc.exe
  2⤵
  PID:11200
- C:\Windows\System32\cKnkosq.exe
  C:\Windows\System32\cKnkosq.exe
  2⤵
  PID:11224
- C:\Windows\System32\RJiuEOs.exe
  C:\Windows\System32\RJiuEOs.exe
  2⤵
  PID:11248
- C:\Windows\System32\vQSOpsQ.exe
  C:\Windows\System32\vQSOpsQ.exe
  2⤵
  PID:9892
- C:\Windows\System32\taanTGA.exe
  C:\Windows\System32\taanTGA.exe
  2⤵
  PID:9500
- C:\Windows\System32\YMPUwZd.exe
  C:\Windows\System32\YMPUwZd.exe
  2⤵
  PID:10380
- C:\Windows\System32\FnEtbnO.exe
  C:\Windows\System32\FnEtbnO.exe
  2⤵
  PID:10524
- C:\Windows\System32\ZcdqRJz.exe
  C:\Windows\System32\ZcdqRJz.exe
  2⤵
  PID:10564
- C:\Windows\System32\tKxPRMQ.exe
  C:\Windows\System32\tKxPRMQ.exe
  2⤵
  PID:10628
- C:\Windows\System32\IBPVmMG.exe
  C:\Windows\System32\IBPVmMG.exe
  2⤵
  PID:10668
- C:\Windows\System32\BEZluds.exe
  C:\Windows\System32\BEZluds.exe
  2⤵
  PID:10708
- C:\Windows\System32\pdesbbv.exe
  C:\Windows\System32\pdesbbv.exe
  2⤵
  PID:10792
- C:\Windows\System32\zIlYCoW.exe
  C:\Windows\System32\zIlYCoW.exe
  2⤵
  PID:10912
- C:\Windows\System32\UFEamHn.exe
  C:\Windows\System32\UFEamHn.exe
  2⤵
  PID:10964
- C:\Windows\System32\APqrlvo.exe
  C:\Windows\System32\APqrlvo.exe
  2⤵
  PID:11052
- C:\Windows\System32\QKGCYQc.exe
  C:\Windows\System32\QKGCYQc.exe
  2⤵
  PID:11080
- C:\Windows\System32\qihvGkg.exe
  C:\Windows\System32\qihvGkg.exe
  2⤵
  PID:11160
- C:\Windows\System32\gfNQsYL.exe
  C:\Windows\System32\gfNQsYL.exe
  2⤵
  PID:11244
- C:\Windows\System32\tePeSBM.exe
  C:\Windows\System32\tePeSBM.exe
  2⤵
  PID:11256
- C:\Windows\System32\NemJhbF.exe
  C:\Windows\System32\NemJhbF.exe
  2⤵
  PID:10336
- C:\Windows\System32\ZOhZKcu.exe
  C:\Windows\System32\ZOhZKcu.exe
  2⤵
  PID:10400
- C:\Windows\System32\gSkfmOh.exe
  C:\Windows\System32\gSkfmOh.exe
  2⤵
  PID:10764
- C:\Windows\System32\nFMbUMk.exe
  C:\Windows\System32\nFMbUMk.exe
  2⤵
  PID:10800
- C:\Windows\System32\DXiPBvA.exe
  C:\Windows\System32\DXiPBvA.exe
  2⤵
  PID:10940
- C:\Windows\System32\PZjxHkh.exe
  C:\Windows\System32\PZjxHkh.exe
  2⤵
  PID:11060
- C:\Windows\System32\yXqnEDV.exe
  C:\Windows\System32\yXqnEDV.exe
  2⤵
  PID:10372
- C:\Windows\System32\ZwpxLLk.exe
  C:\Windows\System32\ZwpxLLk.exe
  2⤵
  PID:10664
- C:\Windows\System32\ceBhvVh.exe
  C:\Windows\System32\ceBhvVh.exe
  2⤵
  PID:10820
- C:\Windows\System32\sTOZJqp.exe
  C:\Windows\System32\sTOZJqp.exe
  2⤵
  PID:11196
- C:\Windows\System32\jevzHML.exe
  C:\Windows\System32\jevzHML.exe
  2⤵
  PID:11260
- C:\Windows\System32\SNaWITa.exe
  C:\Windows\System32\SNaWITa.exe
  2⤵
  PID:11292
- C:\Windows\System32\YfYFppg.exe
  C:\Windows\System32\YfYFppg.exe
  2⤵
  PID:11324
- C:\Windows\System32\GEmSuKC.exe
  C:\Windows\System32\GEmSuKC.exe
  2⤵
  PID:11356
- C:\Windows\System32\McXAZJk.exe
  C:\Windows\System32\McXAZJk.exe
  2⤵
  PID:11392
- C:\Windows\System32\gwoHJLd.exe
  C:\Windows\System32\gwoHJLd.exe
  2⤵
  PID:11412
- C:\Windows\System32\EFogyhV.exe
  C:\Windows\System32\EFogyhV.exe
  2⤵
  PID:11436
- C:\Windows\System32\HMbbbTw.exe
  C:\Windows\System32\HMbbbTw.exe
  2⤵
  PID:11476
- C:\Windows\System32\JfaurXy.exe
  C:\Windows\System32\JfaurXy.exe
  2⤵
  PID:11496
- C:\Windows\System32\FWkknVt.exe
  C:\Windows\System32\FWkknVt.exe
  2⤵
  PID:11520
- C:\Windows\System32\KhCpkwp.exe
  C:\Windows\System32\KhCpkwp.exe
  2⤵
  PID:11544
- C:\Windows\System32\DWvhHfQ.exe
  C:\Windows\System32\DWvhHfQ.exe
  2⤵
  PID:11560
- C:\Windows\System32\jxbadao.exe
  C:\Windows\System32\jxbadao.exe
  2⤵
  PID:11584
- C:\Windows\System32\MduQhjD.exe
  C:\Windows\System32\MduQhjD.exe
  2⤵
  PID:11612
- C:\Windows\System32\dbEUvQw.exe
  C:\Windows\System32\dbEUvQw.exe
  2⤵
  PID:11640
- C:\Windows\System32\FQfgpXn.exe
  C:\Windows\System32\FQfgpXn.exe
  2⤵
  PID:11668
- C:\Windows\System32\ZmgjaVb.exe
  C:\Windows\System32\ZmgjaVb.exe
  2⤵
  PID:11724
- C:\Windows\System32\lbpeGjz.exe
  C:\Windows\System32\lbpeGjz.exe
  2⤵
  PID:11740
- C:\Windows\System32\KlDBLnb.exe
  C:\Windows\System32\KlDBLnb.exe
  2⤵
  PID:11764
- C:\Windows\System32\OqUFNRF.exe
  C:\Windows\System32\OqUFNRF.exe
  2⤵
  PID:11792
- C:\Windows\System32\GAMQeqZ.exe
  C:\Windows\System32\GAMQeqZ.exe
  2⤵
  PID:11808
- C:\Windows\System32\LEEGdMM.exe
  C:\Windows\System32\LEEGdMM.exe
  2⤵
  PID:11848
- C:\Windows\System32\wSRRNOQ.exe
  C:\Windows\System32\wSRRNOQ.exe
  2⤵
  PID:11888
- C:\Windows\System32\fosqWKk.exe
  C:\Windows\System32\fosqWKk.exe
  2⤵
  PID:11908
- C:\Windows\System32\bhZPaej.exe
  C:\Windows\System32\bhZPaej.exe
  2⤵
  PID:11924
- C:\Windows\System32\bKKhIzq.exe
  C:\Windows\System32\bKKhIzq.exe
  2⤵
  PID:11988
- C:\Windows\System32\nsnzSpH.exe
  C:\Windows\System32\nsnzSpH.exe
  2⤵
  PID:12012
- C:\Windows\System32\UPzXLLS.exe
  C:\Windows\System32\UPzXLLS.exe
  2⤵
  PID:12028
- C:\Windows\System32\mTqmFyv.exe
  C:\Windows\System32\mTqmFyv.exe
  2⤵
  PID:12052
- C:\Windows\System32\kCdBUlr.exe
  C:\Windows\System32\kCdBUlr.exe
  2⤵
  PID:12072
- C:\Windows\System32\BygYfyb.exe
  C:\Windows\System32\BygYfyb.exe
  2⤵
  PID:12124
- C:\Windows\System32\KElLYop.exe
  C:\Windows\System32\KElLYop.exe
  2⤵
  PID:12140
- C:\Windows\System32\wXerTBf.exe
  C:\Windows\System32\wXerTBf.exe
  2⤵
  PID:12168
- C:\Windows\System32\OAVYLcT.exe
  C:\Windows\System32\OAVYLcT.exe
  2⤵
  PID:12188
- C:\Windows\System32\uyuxUGa.exe
  C:\Windows\System32\uyuxUGa.exe
  2⤵
  PID:12212
- C:\Windows\System32\UlFgZjF.exe
  C:\Windows\System32\UlFgZjF.exe
  2⤵
  PID:12240
- C:\Windows\System32\ZFyAxYu.exe
  C:\Windows\System32\ZFyAxYu.exe
  2⤵
  PID:12260
- C:\Windows\System32\lrwSjMF.exe
  C:\Windows\System32\lrwSjMF.exe
  2⤵
  PID:12280
- C:\Windows\System32\IJqKOSM.exe
  C:\Windows\System32\IJqKOSM.exe
  2⤵
  PID:11336
- C:\Windows\System32\Fyxaxur.exe
  C:\Windows\System32\Fyxaxur.exe
  2⤵
  PID:11460
- C:\Windows\System32\WfQVFuv.exe
  C:\Windows\System32\WfQVFuv.exe
  2⤵
  PID:11484
- C:\Windows\System32\bHpqEWY.exe
  C:\Windows\System32\bHpqEWY.exe
  2⤵
  PID:11556
- C:\Windows\System32\ANmFWbJ.exe
  C:\Windows\System32\ANmFWbJ.exe
  2⤵
  PID:11596
- C:\Windows\System32\yBQHdJg.exe
  C:\Windows\System32\yBQHdJg.exe
  2⤵
  PID:11648
- C:\Windows\System32\HUrYzKo.exe
  C:\Windows\System32\HUrYzKo.exe
  2⤵
  PID:11760
- C:\Windows\System32\zaaavOC.exe
  C:\Windows\System32\zaaavOC.exe
  2⤵
  PID:11816
- C:\Windows\System32\JOaSGju.exe
  C:\Windows\System32\JOaSGju.exe
  2⤵
  PID:11932
- C:\Windows\System32\hNWfyXz.exe
  C:\Windows\System32\hNWfyXz.exe
  2⤵
  PID:11960
- C:\Windows\System32\ysvfStw.exe
  C:\Windows\System32\ysvfStw.exe
  2⤵
  PID:12000
- C:\Windows\System32\pWGEAOe.exe
  C:\Windows\System32\pWGEAOe.exe
  2⤵
  PID:12036
- C:\Windows\System32\PvaUMti.exe
  C:\Windows\System32\PvaUMti.exe
  2⤵
  PID:12112
- C:\Windows\System32\rLWNCpk.exe
  C:\Windows\System32\rLWNCpk.exe
  2⤵
  PID:12180
- C:\Windows\System32\jmUioVa.exe
  C:\Windows\System32\jmUioVa.exe
  2⤵
  PID:12176
- C:\Windows\System32\pVvwPUK.exe
  C:\Windows\System32\pVvwPUK.exe
  2⤵
  PID:11304
- C:\Windows\System32\GMdQwDX.exe
  C:\Windows\System32\GMdQwDX.exe
  2⤵
  PID:11444
- C:\Windows\System32\iXVjpas.exe
  C:\Windows\System32\iXVjpas.exe
  2⤵
  PID:11568
- C:\Windows\System32\zXFvyVI.exe
  C:\Windows\System32\zXFvyVI.exe
  2⤵
  PID:11680
- C:\Windows\System32\MLfMrWG.exe
  C:\Windows\System32\MLfMrWG.exe
  2⤵
  PID:11868
- C:\Windows\System32\lyNmkkF.exe
  C:\Windows\System32\lyNmkkF.exe
  2⤵
  PID:11976
- C:\Windows\System32\dlBTqvb.exe
  C:\Windows\System32\dlBTqvb.exe
  2⤵
  PID:3696
- C:\Windows\System32\mHPkLDq.exe
  C:\Windows\System32\mHPkLDq.exe
  2⤵
  PID:12116
- C:\Windows\System32\NMNJiGk.exe
  C:\Windows\System32\NMNJiGk.exe
  2⤵
  PID:12208
- C:\Windows\System32\UtUYYPN.exe
  C:\Windows\System32\UtUYYPN.exe
  2⤵
  PID:11376
- C:\Windows\System32\TMGFhGZ.exe
  C:\Windows\System32\TMGFhGZ.exe
  2⤵
  PID:11876
- C:\Windows\System32\owSBniO.exe
  C:\Windows\System32\owSBniO.exe
  2⤵
  PID:11896
- C:\Windows\System32\nfYoKul.exe
  C:\Windows\System32\nfYoKul.exe
  2⤵
  PID:12268
- C:\Windows\System32\RykuzwV.exe
  C:\Windows\System32\RykuzwV.exe
  2⤵
  PID:12248
- C:\Windows\System32\oVpvJRu.exe
  C:\Windows\System32\oVpvJRu.exe
  2⤵
  PID:12332
- C:\Windows\System32\iSoRjwq.exe
  C:\Windows\System32\iSoRjwq.exe
  2⤵
  PID:12352
- C:\Windows\System32\ZOMCutJ.exe
  C:\Windows\System32\ZOMCutJ.exe
  2⤵
  PID:12392
- C:\Windows\System32\hTobaRP.exe
  C:\Windows\System32\hTobaRP.exe
  2⤵
  PID:12412
- C:\Windows\System32\JdNJwUT.exe
  C:\Windows\System32\JdNJwUT.exe
  2⤵
  PID:12432
- C:\Windows\System32\vwInVeJ.exe
  C:\Windows\System32\vwInVeJ.exe
  2⤵
  PID:12500
- C:\Windows\System32\nRHSxAu.exe
  C:\Windows\System32\nRHSxAu.exe
  2⤵
  PID:12540
- C:\Windows\System32\WRsaTpJ.exe
  C:\Windows\System32\WRsaTpJ.exe
  2⤵
  PID:12572
- C:\Windows\System32\zuONnjq.exe
  C:\Windows\System32\zuONnjq.exe
  2⤵
  PID:12596
- C:\Windows\System32\oYTHWyO.exe
  C:\Windows\System32\oYTHWyO.exe
  2⤵
  PID:12616
- C:\Windows\System32\ecoBKum.exe
  C:\Windows\System32\ecoBKum.exe
  2⤵
  PID:12644
- C:\Windows\System32\HYXDdpu.exe
  C:\Windows\System32\HYXDdpu.exe
  2⤵
  PID:12664
- C:\Windows\System32\fXpUONP.exe
  C:\Windows\System32\fXpUONP.exe
  2⤵
  PID:12680
- C:\Windows\System32\xsSCdcO.exe
  C:\Windows\System32\xsSCdcO.exe
  2⤵
  PID:12704
- C:\Windows\System32\tmgiZvV.exe
  C:\Windows\System32\tmgiZvV.exe
  2⤵
  PID:12724
- C:\Windows\System32\TrmbPhZ.exe
  C:\Windows\System32\TrmbPhZ.exe
  2⤵
  PID:12748
- C:\Windows\System32\FWHVzHQ.exe
  C:\Windows\System32\FWHVzHQ.exe
  2⤵
  PID:12788
- C:\Windows\System32\tlAuYad.exe
  C:\Windows\System32\tlAuYad.exe
  2⤵
  PID:12840
- C:\Windows\System32\UuRiMXV.exe
  C:\Windows\System32\UuRiMXV.exe
  2⤵
  PID:12868
- C:\Windows\System32\lmfAeUj.exe
  C:\Windows\System32\lmfAeUj.exe
  2⤵
  PID:12900
- C:\Windows\System32\fqnyMGq.exe
  C:\Windows\System32\fqnyMGq.exe
  2⤵
  PID:12924
- C:\Windows\System32\qkKHuEo.exe
  C:\Windows\System32\qkKHuEo.exe
  2⤵
  PID:12940
- C:\Windows\System32\obWWINn.exe
  C:\Windows\System32\obWWINn.exe
  2⤵
  PID:12968
- C:\Windows\System32\aSbHzRn.exe
  C:\Windows\System32\aSbHzRn.exe
  2⤵
  PID:12984
- C:\Windows\System32\tUOOftp.exe
  C:\Windows\System32\tUOOftp.exe
  2⤵
  PID:13004
- C:\Windows\System32\qghuKfg.exe
  C:\Windows\System32\qghuKfg.exe
  2⤵
  PID:13020
- C:\Windows\System32\XbNlVif.exe
  C:\Windows\System32\XbNlVif.exe
  2⤵
  PID:13064
- C:\Windows\System32\KvseDoq.exe
  C:\Windows\System32\KvseDoq.exe
  2⤵
  PID:13080
- C:\Windows\System32\BXuEckW.exe
  C:\Windows\System32\BXuEckW.exe
  2⤵
  PID:13116
- C:\Windows\System32\GMrXSHl.exe
  C:\Windows\System32\GMrXSHl.exe
  2⤵
  PID:13136
- C:\Windows\System32\yqLlRFe.exe
  C:\Windows\System32\yqLlRFe.exe
  2⤵
  PID:13212
- C:\Windows\System32\pBWQpaP.exe
  C:\Windows\System32\pBWQpaP.exe
  2⤵
  PID:13240
- C:\Windows\System32\jqyGKSU.exe
  C:\Windows\System32\jqyGKSU.exe
  2⤵
  PID:13260

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12776

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\EMuGiCN.exe

Filesize
1.1MB

MD5
e423621b4093ae963f534dbb45eeca10

SHA1
c94c848d9603bcddb7eab7eaef791a68919c3a64

SHA256
d5fff960504e46d5afe3ad6d0f01c53d5927b74ed919abe9140e18016c12e005

SHA512
9e316dd9aa365ea80743af170e64e8acd04d2f4b8fff79f5a1a3e9328cd62f2dd1bdac20841c91a2530a2204778ec91014ddce4bfd06bfeb0308c15d0050629f

Download Submit
C:\Windows\System32\EcxMPnn.exe

Filesize
1.1MB

MD5
f1e3613187bda2fd779bde7c7852a594

SHA1
ad1e05d9780b252c3ac6264457e4920de51becf2

SHA256
ae99e89fe1e358f580d40da2f075f08b3ddb6e6ce69a41fca7ac54338cb6e9ed

SHA512
fdc7c0fbb7008407e84b6d9f6f25c0fe2c39a580be9977cb95cb41f8235d72c449dbb8357806e908212a22892f48c675ca13b87dbe40b9b0db7358f2e187db65

Download Submit
C:\Windows\System32\FblwByK.exe

Filesize
1.1MB

MD5
8e693930426fe060ee317e4f448be8e9

SHA1
866e9ab78d410d6fec54538cdf1e1b07cfda9df0

SHA256
916f5fead438fa23a7c9069acbe84677aed1583056a84be47ffb0f743aaa8074

SHA512
4c9bba0cea26c3474fd94975b31160b13cc9822d4be349382542ce76504629ecda37033eaf9bf044f6b1cf32d35cb03e6711a2cb370852c9aa6fc243fe19abb7

Download Submit
C:\Windows\System32\ILACIji.exe

Filesize
1.1MB

MD5
f74730de1477c4456c2217d29026859e

SHA1
8ec99ee0e6fbc82a99459030acf87045af6bfc54

SHA256
e936dbafd7e0156f29024e1f69841ce270a32dd2227e1f454a88fa62963b10b3

SHA512
04fec34c15640d8a005013e59a80a626e79dfa4278c201d9becf189904df5bed32f1f8e269b1f58635aff64865788c417939a7d8b3412fb9019d147bee713f2e

Download Submit
C:\Windows\System32\JzQdwvu.exe

Filesize
1.1MB

MD5
d658417fdbab8b76af027024091618f2

SHA1
9c6fefb396ab357d7d71c1cce6e7d411f9265b59

SHA256
60410d0a5180e799e30a5307cf0c7f606b09f897945405198fef74727735f0e8

SHA512
01de0987127b1d73f4bef2f0f79e68be755f68c57f4d0a76724673996ce6f1c40c1c969f37fce83f8a4f19292ff9786d5fb107e6025304356d7fac62aba4f044

Download Submit
C:\Windows\System32\NAILuAO.exe

Filesize
1.1MB

MD5
1263e8a310a9068ae4fbd7b2674c2cd4

SHA1
2b352f016316d4c9b673d07f93117383370e7d43

SHA256
37f54e50af265711b1d9003e2f3a425ecde7741c50ed24f7549b9419372a52fa

SHA512
b0ad0f21794a261ee975799aad26e7e354a654c41587b4ccfee75ea7b609599bcbbfddc577d577a0a7ce8a2ea7263e6f06f967bce6961871fd2fcf28aef5ead4

Download Submit
C:\Windows\System32\OAPAaOT.exe

Filesize
1.1MB

MD5
5453b5bc9bfcd3c4ceb7210953140ad4

SHA1
16c28e88cc389dc556a37d7be783cb09d6ec14f9

SHA256
3a4c365c0b9e10628f02a6ff5b959f69c75dd1ecb4c6f32977d263faf4ac6b06

SHA512
dbdebcd8d539dd192eb29b47e5fb3ad3fdda4585e38703f4a9473e04b82fbc877a818e9baec05a42563ae2cbae22019c0060853fd80e606ae1024a8805293ebb

Download Submit
C:\Windows\System32\PzSTkaw.exe

Filesize
1.1MB

MD5
86a1b5fcced6fbef67c467b4c66ca6ff

SHA1
37894e94b1a4cc17a3c21db6c34b0587c6dbfef7

SHA256
bc05cc3a860b910c87fe1f4795d0bc65991e155c7899d33ac41aa489f8f5dc1b

SHA512
8275c04dc86431e8c3228bfae23fc52c86cbb1fe8b980d4c1eb34a7e1bfbe2e53d71f21e816cc2cbddc93a95c5a14a5f882ab0921a2168f47fc00fba66fbf0ae

Download Submit
C:\Windows\System32\SbxCsCy.exe

Filesize
1.1MB

MD5
8b0f33d5914f2cae48d0564d7b82a633

SHA1
a130d572394cdab7654be21e66ca46faedf7bf07

SHA256
9c359e13a657620b94f9594857ae67511a820c2e586ace9888265fc17ac474bb

SHA512
ebd4353cc8fe6f0c08bbdd98276f3ce3a2f833240ea6a18b6913a11a26453ce8f334c866437e10d55155ab92d38275ca36aca5f9be88e7c45845af2c678bcda3

Download Submit
C:\Windows\System32\StONKHq.exe

Filesize
1.1MB

MD5
dc56b10747bc89b799ae9532d9d4d9af

SHA1
7af958ad336745a79409b1133824b9dee59e9c76

SHA256
c1772e3d3cb204fd76262e92ebec5bffb9aee5906598710c06228be1301ad025

SHA512
52dc0afd965f3d246b1b7a720c82a82e08888a71102f6637e7850e340672d8e5d069f774143d17d358b0af7b5b631dc52f0130b611a82f8ad66ecd165cf2dc04

Download Submit
C:\Windows\System32\TUasUtm.exe

Filesize
1.1MB

MD5
5e1287fe46238915021684a8fa8bbeba

SHA1
7be2057e8db325f59031db1bb633610abc404ddf

SHA256
28ce77317ed07ce41efd85053d5ea05f7b21444b336a438fa4e33e8794018707

SHA512
50321fe0dc498d890c5401223e68795f0b219310794dfad156efc2f430b6045cdc192c46650b3334cc2a8cd47863db31802b4cd32c64a27dc0c768b096c4a340

Download Submit
C:\Windows\System32\TflxWyf.exe

Filesize
1.1MB

MD5
ec895d1d6ae86f766e176ff99d83aee8

SHA1
e2c0e568f80ca6d8f4d9cd69cbbf2c4d9ff4c9a9

SHA256
f9b69ec38ed02633457b07675dd224d9c4063c8fde944f3d872a83fff3f1ae2c

SHA512
7b2d1d79b5125f13f7f323b0a2439c852a1f0c646b35b910263807de6d261dab011e3c9ca95efcf56ca7ca6dd992aa5e26cc61964b5ad523c049de08771d69d6

Download Submit
C:\Windows\System32\UnNyVOb.exe

Filesize
1.1MB

MD5
cd336d8b8738b728e00a626b6508816a

SHA1
2943d135b3769f66f1f2880eda16b54bb0796756

SHA256
d5caa2bdb05b671cc69022d5b130e05cb26734feebc4159299cf2837b13ecbf6

SHA512
4874659914c4c77f97051f89ccd5475076f12b13943dc913a595d3df86eddfc27ffa64ade87da9e4a356d6882ddecceb8139e260892e4e53239818d9e47535c2

Download Submit
C:\Windows\System32\YwKbHxh.exe

Filesize
1.1MB

MD5
e699096c2cbf91ab90f92f93ef6e3d78

SHA1
5632bb5dc60594ffbb7458903195ea7db9792a24

SHA256
be6beac84bf4fc20f9dbbb44c4ce683419cf5cc1efb0ffebd8dd68da1133e7ef

SHA512
5497a30cdd52319160f65c8b213b7f7615a2c2104b087dbbd688297f2e7fa70ead50070d807ae56b95669e0f8ce924da3544b5459382a7891bbfd3d768b10226

Download Submit
C:\Windows\System32\aXmKLmo.exe

Filesize
1.1MB

MD5
8c2486faeedf0496bb2c4fb9d7c42a7d

SHA1
1ffee4578e9ade2a2173dffb894e42b0c16c5c3c

SHA256
1a4895243cba5d2db61a81ea49d4b87cc5aebfda433eea922edc605bdeabf960

SHA512
5be71d66a23c4b214ad853bdedeff9725496318ca3e8550b44b45f9fc05cfd5145f9e8221826ec5f69df110e9c26f3dcf7eb8cd0cce046a29c837dfa2af5ca40

Download Submit
C:\Windows\System32\ahfoiwP.exe

Filesize
1.1MB

MD5
27aa894f19c0be71593bf7bc275e9e8a

SHA1
3589f841a63d4ceb358689fae314aee4fcbd0374

SHA256
f2ac5d777760c2d08c5b12494419d8017e89196eb2b99cd431a24e1891320563

SHA512
69aff789133c99872d3d4ce3d9d0df274c19ebc68e1f3e3b4335c6ee3b4af4e59a35cb368cb5c6b270e3e2f8ad39fa9156a39f2cf7daf0bd0edb349dcbc5d58c

Download Submit
C:\Windows\System32\bnSriZs.exe

Filesize
1.1MB

MD5
9af14343b698830cd09e8c283ebad93a

SHA1
964cb36291947e2a432ac83ec6451ba670eb4000

SHA256
6e1d30c80607856dc041edbfce9372aaa03291b31236c5c9ddc9b84056b79427

SHA512
7865bafc57e90950553bd4f4af567f401b69b15d7a00c2518f54486f3524855d78ed157ff9337e0d84119332dd521d16eedb7b6db2bc1089aa9cf089ea9911f6

Download Submit
C:\Windows\System32\bnoEJgE.exe

Filesize
1.1MB

MD5
51343ddd8d3e9ffd3eacdeb11e80196b

SHA1
688a1a89a53c83f96848c1486836baf857ca7e28

SHA256
9c663d96f493d61d16e27cfeaf6bf7228987e60c8eb5d728070dc4b821b9d368

SHA512
c0888abf9a16e28082d2b7413294c59ab92e9f235894a93d9183f5711200bf5a63960ac2f86ae315c67452f7a5805b4dbbedffec7fae76c9b6be3d11f824fee5

Download Submit
C:\Windows\System32\ilLWAUH.exe

Filesize
1.1MB

MD5
0e5a56df64007e81827cf29103c6672e

SHA1
c6272f7480d6e64634eb4987773c9447d79aec65

SHA256
2e9128c963805f87c55a90c6cafe71508b54ce13b8ecad2bd5f1c7cd8313765b

SHA512
41d8fea7fb24157571fb6490608bcf74326be13939b06277701c542d8b98ea50a685471ebdc01db345fa7325cbbf29a7eb5284ebca9e56db81e3e05171a9bbd8

Download Submit
C:\Windows\System32\lsFvmhi.exe

Filesize
1.1MB

MD5
b8238335fd5a0958cfe61db34b2452eb

SHA1
91db3ea1aab29be568d4edf1121874217641d81b

SHA256
8dd02f2671e1e9a1a4386dd5101cc31b16430aeae06742a1a9d5a662143d447a

SHA512
d2ea87db1a6cb963c28eb3d71fa7c7f58363d0f52c67954ddc0c6b1330f2ca84cc7b2828540c261f8255ddf371138494562035a967ef2a209af4ad6991baaacf

Download Submit
C:\Windows\System32\lvJvedM.exe

Filesize
1.1MB

MD5
b522ac0ffce03cccc374820113ef29ed

SHA1
ee01a16561df9a24194fb0e1a4cfb796e019070b

SHA256
563863b5d18d71a8d53954bc91a6e199e96a9c0532060ffb7850ada4a7e75fca

SHA512
2f82583ee6f3bd4c870cde73df092088aca5762b9d5d0792d159f1b038ecacc60029adf6cce422cfb04fdf30ccb0c497d2b55bd0559e1f2746a2f75e3b9a7459

Download Submit
C:\Windows\System32\mJhdvzT.exe

Filesize
1.1MB

MD5
177b78579e329ac2f164577b3821f2c5

SHA1
4588e635081d2551f11b3e99415fb51567512851

SHA256
cd4571eb324091512ac6c1e16b3f76ce61b9d74575291526426b70d68ef74acf

SHA512
c87a4850e63bc37cbf75253b48b985e288e9cc1f8b2d9c95aa3a3e3de41ac79ff9db2c9008137d6c1f9b46ff7c3dc31cde8f2750bbe7f7651d57fb2f9879fe13

Download Submit
C:\Windows\System32\mUaAfUq.exe

Filesize
1.1MB

MD5
034c9e8f2d14d4815006a96742f6aa72

SHA1
8761e41ab18d54356f64e96b9cb2ca84bf82b2e1

SHA256
ce2e76b490f2bbd94c7f2a8e3cffbb481a9ff991891190e6f7559f0b487d4134

SHA512
d551fb8a639c24e3a4e4584ebbbc0df4d06b37c06dea817205b02f69e35b94b032e42aa3aeb0507abfbbc684d41cd04b40dd19189d534d75e0e1c8357a917c34

Download Submit
C:\Windows\System32\mZJKADp.exe

Filesize
1.1MB

MD5
c6df5ed5285d8d083853256b86a4c729

SHA1
eb4c984d704d77e94657e10808356b74ba829f2f

SHA256
7d98bc66611399da23d40d265c69013930323d7ad1a73b6482e60da93dffc5af

SHA512
7089196ecee2383a8353aa8d91811c2bedd6754de35916eecde1687a453f21ccfabc2ed7443380bc5b3f0e007f55f1248826298daa01227c79635da4a486dcf3

Download Submit
C:\Windows\System32\nNekhqZ.exe

Filesize
1.1MB

MD5
e2205fc80d976378b8b9e1eae1077305

SHA1
7dacf5175b047b0330d204264a3a70df2f4af75a

SHA256
1a81c339723e0525240e6dee48172f4582d3b8331a04feab98123cee6dec9a99

SHA512
77251985acce812ce7732e5d653f1b87bc40b916f1b7515a34b284511868b270d27198641cfd881e3531425d3c6178f580b4772c1d31aae45b72aac7005778fd

Download Submit
C:\Windows\System32\nQtuGxW.exe

Filesize
1.1MB

MD5
a79e4da634cdc8152cd83aa23991065e

SHA1
ee626ccd7ba014fba09467fcc542b67f3c6d4d4e

SHA256
887f37c45367120b26c7ee0bde9d93c39c2a891d90456a8d2eeb0636045ff003

SHA512
bc4b19950fae12e571b0b4a62a6ea7c19a30165cfa9541586f170405bddd07ebf66aa3a801f63ef28f2a1a15eea4ad2ab530c0f53345f0d05bb12d5d0339480a

Download Submit
C:\Windows\System32\ucOQFui.exe

Filesize
1.1MB

MD5
943b67c18e36d75e1799b728d4761b48

SHA1
375d02e2783f2289259d43f7615bc8e2f3e46add

SHA256
810f20f6dec9202d2563165cce6497f2ca2090fdb8688e41719246e28833e86f

SHA512
f2ee827911983b6b5bc1415fd8a5fd24af24eb090ab4b5100e27e4fec1cec0a3b75e540c3ac28d7b839307b01acd6681540ccd36ac1c940d650a0aaa4942130e

Download Submit
C:\Windows\System32\uciyXLo.exe

Filesize
1.1MB

MD5
3933e630357a071d8c0d2490d5e493e0

SHA1
7d1dcc3a3db7ddff594477c830de93d3bee88608

SHA256
b030db1125261322b01520c2332c9c2c5052ee0f5845af1ebb29579cf5d9c08e

SHA512
e3fe58130b6937e41b5c286cbde0450035467730b0faaf07d10755892bb090ea2a33b65cb93e0fd7b9a33db52686c739e91076c0c4e1dfe1e9019e1985d44fc9

Download Submit
C:\Windows\System32\wFousCY.exe

Filesize
1.1MB

MD5
051a938a566f6a85ab45f74e3c04f8b0

SHA1
e5c21d477b2aa6b71e0da06ed9b1b1db3bc13e86

SHA256
3a52be5eaa94c834d919728fa500d2ae1efc1169696ba2f178fa9d5c6d9fb7fa

SHA512
66d7934de94f4d31926cce1d2d782bc245c2065f49cec6511f62b87cb35fd3fe424349abc4d7503e9242a18a53e03543579ae7d36d42a940158c97a4fcae315e

Download Submit
C:\Windows\System32\xtNJOzV.exe

Filesize
1.1MB

MD5
248f651db6aff2c9b6c8621b725da3af

SHA1
63ce20ab2188f8f36f1c5692bad2487af49b516b

SHA256
4942ddbf891496e6ed219ea482c04d51260acdefda3d7bd82993db017e7ca90b

SHA512
091264a75f89282adbc600146e1a1cf35cf28230a8880e3a16f1cfc8bf9ca8d9fa10caeb957d3f98e0c3ec436beecd116f6ea57409b5fc68218ad1bb964b5784

Download Submit
C:\Windows\System32\yfnhXOn.exe

Filesize
1.1MB

MD5
c110ae62823d398df4db05625a0e9df0

SHA1
a12e8d1086fad354c8209a887a9540242bd9f846

SHA256
4901a796f73240ddcada245f4d12e6d0722c689a788dbefbe4dc7eee6c791b7c

SHA512
9ee04c3ab48edfa0b7495adff3d89c9f5297368659cab8266354ea7c0d5d01f0f70960ada7808a489991c42c38cd2b9e913aa147bbb13c8fa757f0a31fd7beb7

Download Submit
C:\Windows\System32\zToFdIz.exe

Filesize
1.1MB

MD5
bab16372a84eb045da2d31933f394efd

SHA1
13908804692f20da191116407aba3d74bd3752fe

SHA256
6edb6067d8f5f873b64c34812ec8f87301ed494c7c0858e8b9382d2bdd93b9a2

SHA512
98c0ee167f234cf7713b223703e867e23621fde9534e76e34956962f76157826f999f74a683eba8a686f9073f667e9a700082d694db5a39a9fd87aa4a9a89fe5

Download Submit
C:\Windows\System32\zhyHiMp.exe

Filesize
1.1MB

MD5
08f7e0b7a52ff59887b892b6a28c496b

SHA1
77bb2f36ee94de56ba26fe7402ac36ad69c35a76

SHA256
f957c3c0eabd8a9724874d12f23f2b3621bfa68f184e4e76db9f406286e9c752

SHA512
5c12f118905c1d1108563a2469fa1f4eb9aa3d462c13e8e40333c85c453f0ea4291a49ed140876549e9db3f57eb802d608670096248d05f989a068bd8016e131

Download Submit
memory/332-2057-0x00007FF7DA000000-0x00007FF7DA3F1000-memory.dmp

Filesize
3.9MB

Download
memory/332-450-0x00007FF7DA000000-0x00007FF7DA3F1000-memory.dmp

Filesize
3.9MB

Download
memory/392-394-0x00007FF6AA0C0000-0x00007FF6AA4B1000-memory.dmp

Filesize
3.9MB

Download
memory/392-2023-0x00007FF6AA0C0000-0x00007FF6AA4B1000-memory.dmp

Filesize
3.9MB

Download
memory/728-451-0x00007FF613AE0000-0x00007FF613ED1000-memory.dmp

Filesize
3.9MB

Download
memory/728-2033-0x00007FF613AE0000-0x00007FF613ED1000-memory.dmp

Filesize
3.9MB

Download
memory/756-2070-0x00007FF7A6220000-0x00007FF7A6611000-memory.dmp

Filesize
3.9MB

Download
memory/756-446-0x00007FF7A6220000-0x00007FF7A6611000-memory.dmp

Filesize
3.9MB

Download
memory/860-2027-0x00007FF6EF7D0000-0x00007FF6EFBC1000-memory.dmp

Filesize
3.9MB

Download
memory/860-408-0x00007FF6EF7D0000-0x00007FF6EFBC1000-memory.dmp

Filesize
3.9MB

Download
memory/1484-414-0x00007FF724590000-0x00007FF724981000-memory.dmp

Filesize
3.9MB

Download
memory/1484-2029-0x00007FF724590000-0x00007FF724981000-memory.dmp

Filesize
3.9MB

Download
memory/1544-2007-0x00007FF734980000-0x00007FF734D71000-memory.dmp

Filesize
3.9MB

Download
memory/1544-2015-0x00007FF734980000-0x00007FF734D71000-memory.dmp

Filesize
3.9MB

Download
memory/1544-18-0x00007FF734980000-0x00007FF734D71000-memory.dmp

Filesize
3.9MB

Download
memory/1676-2040-0x00007FF702F90000-0x00007FF703381000-memory.dmp

Filesize
3.9MB

Download
memory/1676-439-0x00007FF702F90000-0x00007FF703381000-memory.dmp

Filesize
3.9MB

Download
memory/1980-2044-0x00007FF655910000-0x00007FF655D01000-memory.dmp

Filesize
3.9MB

Download
memory/1980-441-0x00007FF655910000-0x00007FF655D01000-memory.dmp

Filesize
3.9MB

Download
memory/2232-422-0x00007FF647740000-0x00007FF647B31000-memory.dmp

Filesize
3.9MB

Download
memory/2232-2050-0x00007FF647740000-0x00007FF647B31000-memory.dmp

Filesize
3.9MB

Download
memory/2372-2059-0x00007FF675020000-0x00007FF675411000-memory.dmp

Filesize
3.9MB

Download
memory/2372-449-0x00007FF675020000-0x00007FF675411000-memory.dmp

Filesize
3.9MB

Download
memory/3048-0-0x00007FF7235B0000-0x00007FF7239A1000-memory.dmp

Filesize
3.9MB

Download
memory/3048-1941-0x00007FF7235B0000-0x00007FF7239A1000-memory.dmp

Filesize
3.9MB

Download
memory/3048-1-0x0000021CD1A90000-0x0000021CD1AA0000-memory.dmp

Filesize
64KB

Download
memory/3440-433-0x00007FF727520000-0x00007FF727911000-memory.dmp

Filesize
3.9MB

Download
memory/3440-2042-0x00007FF727520000-0x00007FF727911000-memory.dmp

Filesize
3.9MB

Download
memory/3580-425-0x00007FF69AA20000-0x00007FF69AE11000-memory.dmp

Filesize
3.9MB

Download
memory/3580-2046-0x00007FF69AA20000-0x00007FF69AE11000-memory.dmp

Filesize
3.9MB

Download
memory/3612-21-0x00007FF701320000-0x00007FF701711000-memory.dmp

Filesize
3.9MB

Download
memory/3612-2017-0x00007FF701320000-0x00007FF701711000-memory.dmp

Filesize
3.9MB

Download
memory/3612-2008-0x00007FF701320000-0x00007FF701711000-memory.dmp

Filesize
3.9MB

Download
memory/3764-2025-0x00007FF703890000-0x00007FF703C81000-memory.dmp

Filesize
3.9MB

Download
memory/3764-399-0x00007FF703890000-0x00007FF703C81000-memory.dmp

Filesize
3.9MB

Download
memory/4008-459-0x00007FF7579B0000-0x00007FF757DA1000-memory.dmp

Filesize
3.9MB

Download
memory/4008-2052-0x00007FF7579B0000-0x00007FF757DA1000-memory.dmp

Filesize
3.9MB

Download
memory/4116-442-0x00007FF7A6960000-0x00007FF7A6D51000-memory.dmp

Filesize
3.9MB

Download
memory/4116-2048-0x00007FF7A6960000-0x00007FF7A6D51000-memory.dmp

Filesize
3.9MB

Download
memory/4120-2013-0x00007FF69DC00000-0x00007FF69DFF1000-memory.dmp

Filesize
3.9MB

Download
memory/4120-389-0x00007FF69DC00000-0x00007FF69DFF1000-memory.dmp

Filesize
3.9MB

Download
memory/4120-2009-0x00007FF69DC00000-0x00007FF69DFF1000-memory.dmp

Filesize
3.9MB

Download
memory/4188-445-0x00007FF6812E0000-0x00007FF6816D1000-memory.dmp

Filesize
3.9MB

Download
memory/4188-2031-0x00007FF6812E0000-0x00007FF6816D1000-memory.dmp

Filesize
3.9MB

Download
memory/4292-2062-0x00007FF7254D0000-0x00007FF7258C1000-memory.dmp

Filesize
3.9MB

Download
memory/4292-462-0x00007FF7254D0000-0x00007FF7258C1000-memory.dmp

Filesize
3.9MB

Download
memory/4488-2011-0x00007FF6CF330000-0x00007FF6CF721000-memory.dmp

Filesize
3.9MB

Download
memory/4488-13-0x00007FF6CF330000-0x00007FF6CF721000-memory.dmp

Filesize
3.9MB

Download
memory/4528-393-0x00007FF7DDE20000-0x00007FF7DE211000-memory.dmp

Filesize
3.9MB

Download
memory/4528-2021-0x00007FF7DDE20000-0x00007FF7DE211000-memory.dmp

Filesize
3.9MB

Download
memory/4556-2019-0x00007FF620040000-0x00007FF620431000-memory.dmp

Filesize
3.9MB

Download
memory/4556-464-0x00007FF620040000-0x00007FF620431000-memory.dmp

Filesize
3.9MB

Download
memory/4812-2067-0x00007FF6C3570000-0x00007FF6C3961000-memory.dmp

Filesize
3.9MB

Download
memory/4812-443-0x00007FF6C3570000-0x00007FF6C3961000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads