xmrig | 4b47d81fc21ab994db0f6f5dcfd49edf84bffe1351f7bfdeb9f5978b6463fdc0

Analysis

max time kernel
111s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3369cf536c358225c9bdb5f1a5a4120N.exe
Size

1.8MB
MD5

a3369cf536c358225c9bdb5f1a5a4120
SHA1

c55b4a52134ae1d5bcf2564d728babd53aafd586
SHA256

4b47d81fc21ab994db0f6f5dcfd49edf84bffe1351f7bfdeb9f5978b6463fdc0
SHA512

df146f1eef9ec793d3d5ffc2d244d3456d9a883e7d25592f7b894e63ef34c1fb0b495888739563e51400178c8bfaba2d3d926cbfd40c783925bfa66336f3ccc8
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78SVe4wtdopOA2MAsFhDjvhwcyMA3ryYNdio13d:knw9oUUEEDlGUnwwnAs5dk/1t

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/3644-440-0x00007FF6201C0000-0x00007FF6205B1000-memory.dmp	xmrig
behavioral2/memory/2596-11-0x00007FF7481B0000-0x00007FF7485A1000-memory.dmp	xmrig
behavioral2/memory/860-441-0x00007FF7289E0000-0x00007FF728DD1000-memory.dmp	xmrig
behavioral2/memory/3968-442-0x00007FF676CF0000-0x00007FF6770E1000-memory.dmp	xmrig
behavioral2/memory/2848-443-0x00007FF6182D0000-0x00007FF6186C1000-memory.dmp	xmrig
behavioral2/memory/1800-444-0x00007FF6B2110000-0x00007FF6B2501000-memory.dmp	xmrig
behavioral2/memory/412-445-0x00007FF6E1510000-0x00007FF6E1901000-memory.dmp	xmrig
behavioral2/memory/3544-454-0x00007FF725C00000-0x00007FF725FF1000-memory.dmp	xmrig
behavioral2/memory/3656-463-0x00007FF6082B0000-0x00007FF6086A1000-memory.dmp	xmrig
behavioral2/memory/684-470-0x00007FF637D00000-0x00007FF6380F1000-memory.dmp	xmrig
behavioral2/memory/440-448-0x00007FF624200000-0x00007FF6245F1000-memory.dmp	xmrig
behavioral2/memory/5040-477-0x00007FF7769E0000-0x00007FF776DD1000-memory.dmp	xmrig
behavioral2/memory/4248-485-0x00007FF6D12D0000-0x00007FF6D16C1000-memory.dmp	xmrig
behavioral2/memory/1084-511-0x00007FF6DBF50000-0x00007FF6DC341000-memory.dmp	xmrig
behavioral2/memory/3292-517-0x00007FF7DD240000-0x00007FF7DD631000-memory.dmp	xmrig
behavioral2/memory/5016-496-0x00007FF6241E0000-0x00007FF6245D1000-memory.dmp	xmrig
behavioral2/memory/1224-492-0x00007FF748740000-0x00007FF748B31000-memory.dmp	xmrig
behavioral2/memory/1588-522-0x00007FF653F70000-0x00007FF654361000-memory.dmp	xmrig
behavioral2/memory/3348-490-0x00007FF7095B0000-0x00007FF7099A1000-memory.dmp	xmrig
behavioral2/memory/1924-525-0x00007FF60E950000-0x00007FF60ED41000-memory.dmp	xmrig
behavioral2/memory/2164-529-0x00007FF6CE4E0000-0x00007FF6CE8D1000-memory.dmp	xmrig
behavioral2/memory/3944-532-0x00007FF606750000-0x00007FF606B41000-memory.dmp	xmrig
behavioral2/memory/1692-536-0x00007FF65A6B0000-0x00007FF65AAA1000-memory.dmp	xmrig
behavioral2/memory/2904-619-0x00007FF7232E0000-0x00007FF7236D1000-memory.dmp	xmrig
behavioral2/memory/2596-2013-0x00007FF7481B0000-0x00007FF7485A1000-memory.dmp	xmrig
behavioral2/memory/2596-2039-0x00007FF7481B0000-0x00007FF7485A1000-memory.dmp	xmrig
behavioral2/memory/3644-2042-0x00007FF6201C0000-0x00007FF6205B1000-memory.dmp	xmrig
behavioral2/memory/860-2043-0x00007FF7289E0000-0x00007FF728DD1000-memory.dmp	xmrig
behavioral2/memory/2848-2047-0x00007FF6182D0000-0x00007FF6186C1000-memory.dmp	xmrig
behavioral2/memory/3656-2059-0x00007FF6082B0000-0x00007FF6086A1000-memory.dmp	xmrig
behavioral2/memory/5040-2067-0x00007FF7769E0000-0x00007FF776DD1000-memory.dmp	xmrig
behavioral2/memory/5016-2071-0x00007FF6241E0000-0x00007FF6245D1000-memory.dmp	xmrig
behavioral2/memory/1224-2069-0x00007FF748740000-0x00007FF748B31000-memory.dmp	xmrig
behavioral2/memory/3348-2066-0x00007FF7095B0000-0x00007FF7099A1000-memory.dmp	xmrig
behavioral2/memory/4248-2064-0x00007FF6D12D0000-0x00007FF6D16C1000-memory.dmp	xmrig
behavioral2/memory/684-2061-0x00007FF637D00000-0x00007FF6380F1000-memory.dmp	xmrig
behavioral2/memory/3544-2057-0x00007FF725C00000-0x00007FF725FF1000-memory.dmp	xmrig
behavioral2/memory/412-2051-0x00007FF6E1510000-0x00007FF6E1901000-memory.dmp	xmrig
behavioral2/memory/3968-2055-0x00007FF676CF0000-0x00007FF6770E1000-memory.dmp	xmrig
behavioral2/memory/1800-2053-0x00007FF6B2110000-0x00007FF6B2501000-memory.dmp	xmrig
behavioral2/memory/440-2049-0x00007FF624200000-0x00007FF6245F1000-memory.dmp	xmrig
behavioral2/memory/2904-2045-0x00007FF7232E0000-0x00007FF7236D1000-memory.dmp	xmrig
behavioral2/memory/1924-2092-0x00007FF60E950000-0x00007FF60ED41000-memory.dmp	xmrig
behavioral2/memory/3944-2122-0x00007FF606750000-0x00007FF606B41000-memory.dmp	xmrig
behavioral2/memory/1692-2085-0x00007FF65A6B0000-0x00007FF65AAA1000-memory.dmp	xmrig
behavioral2/memory/1588-2080-0x00007FF653F70000-0x00007FF654361000-memory.dmp	xmrig
behavioral2/memory/1084-2078-0x00007FF6DBF50000-0x00007FF6DC341000-memory.dmp	xmrig
behavioral2/memory/3292-2075-0x00007FF7DD240000-0x00007FF7DD631000-memory.dmp	xmrig
behavioral2/memory/2164-2074-0x00007FF6CE4E0000-0x00007FF6CE8D1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2596	Umpjjyd.exe
3644	ZQnnuTi.exe
860	OTMFmkD.exe
2904	JHRceBF.exe
3968	vZdruDR.exe
2848	VVdYbbk.exe
1800	cCicJnJ.exe
412	PJlJWzs.exe
440	kXNEwAG.exe
3544	xfhRsga.exe
3656	UaqraoT.exe
684	tzmaQku.exe
5040	FAbsUnx.exe
4248	UmDjDOy.exe
3348	xoGQGrd.exe
1224	iHmtRdT.exe
5016	nAIaNvJ.exe
1084	NVOFaWu.exe
3292	ivpZLGj.exe
1588	fMzfcmq.exe
1924	XjbLfwv.exe
2164	LYBkSpn.exe
3944	BFEiemk.exe
1692	NJjCSYW.exe
1152	QJRSsQs.exe
4688	KDKZPbq.exe
2552	nANUbNc.exe
4892	EdeDSSM.exe
852	fYQinmq.exe
3200	cWKiAqF.exe
3012	pOwpnIG.exe
2064	kLNQYkR.exe
1284	NBeVMSM.exe
3484	CUgpsGy.exe
3908	OiBqCif.exe
3252	lsePbgd.exe
1700	eLMrVau.exe
4404	TTUhGZH.exe
4104	pNbfzyk.exe
644	pkvIsvQ.exe
2056	RNzufkB.exe
3420	LfisTOS.exe
2680	voHPNki.exe
2608	HrVNYLp.exe
3220	vQVZFSy.exe
1868	ojJnFre.exe
3076	RVPcvwj.exe
4748	MWQOCvb.exe
1164	gstEQUU.exe
4876	UDslfZq.exe
1256	BiIyZVo.exe
4040	bolaUpv.exe
4672	xjsBLRb.exe
1508	dQwAnuG.exe
4332	BmQIJAK.exe
4584	BCtLUQq.exe
3016	acwVwQf.exe
4796	zTItque.exe
444	BDKVmTk.exe
388	KJZDgJU.exe
2324	zGTJcxt.exe
4604	FJDyqjA.exe
928	MNVsWTA.exe
1408	aAZXaWv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3928-0-0x00007FF780460000-0x00007FF780851000-memory.dmp	upx
behavioral2/files/0x00070000000234f1-4.dat	upx
behavioral2/files/0x00070000000234f3-13.dat	upx
behavioral2/files/0x00070000000234f2-16.dat	upx
behavioral2/files/0x00070000000234f4-20.dat	upx
behavioral2/files/0x00070000000234f5-27.dat	upx
behavioral2/files/0x00070000000234f7-34.dat	upx
behavioral2/files/0x00070000000234f8-39.dat	upx
behavioral2/files/0x00070000000234fa-52.dat	upx
behavioral2/files/0x00070000000234fb-57.dat	upx
behavioral2/files/0x00070000000234fc-62.dat	upx
behavioral2/files/0x00070000000234fe-71.dat	upx
behavioral2/files/0x00070000000234ff-77.dat	upx
behavioral2/files/0x0007000000023503-94.dat	upx
behavioral2/files/0x0007000000023505-104.dat	upx
behavioral2/files/0x0007000000023509-127.dat	upx
behavioral2/memory/3644-440-0x00007FF6201C0000-0x00007FF6205B1000-memory.dmp	upx
behavioral2/files/0x0007000000023510-162.dat	upx
behavioral2/files/0x000700000002350f-160.dat	upx
behavioral2/files/0x000700000002350e-153.dat	upx
behavioral2/files/0x000700000002350d-150.dat	upx
behavioral2/files/0x000700000002350c-145.dat	upx
behavioral2/files/0x000700000002350b-138.dat	upx
behavioral2/files/0x000700000002350a-133.dat	upx
behavioral2/files/0x0007000000023508-122.dat	upx
behavioral2/files/0x0007000000023507-117.dat	upx
behavioral2/files/0x0007000000023506-115.dat	upx
behavioral2/files/0x0007000000023504-102.dat	upx
behavioral2/files/0x0007000000023502-92.dat	upx
behavioral2/files/0x0007000000023501-87.dat	upx
behavioral2/files/0x0007000000023500-82.dat	upx
behavioral2/files/0x00070000000234fd-67.dat	upx
behavioral2/files/0x00070000000234f9-47.dat	upx
behavioral2/files/0x00070000000234f6-32.dat	upx
behavioral2/memory/2596-11-0x00007FF7481B0000-0x00007FF7485A1000-memory.dmp	upx
behavioral2/memory/860-441-0x00007FF7289E0000-0x00007FF728DD1000-memory.dmp	upx
behavioral2/memory/3968-442-0x00007FF676CF0000-0x00007FF6770E1000-memory.dmp	upx
behavioral2/memory/2848-443-0x00007FF6182D0000-0x00007FF6186C1000-memory.dmp	upx
behavioral2/memory/1800-444-0x00007FF6B2110000-0x00007FF6B2501000-memory.dmp	upx
behavioral2/memory/412-445-0x00007FF6E1510000-0x00007FF6E1901000-memory.dmp	upx
behavioral2/memory/3544-454-0x00007FF725C00000-0x00007FF725FF1000-memory.dmp	upx
behavioral2/memory/3656-463-0x00007FF6082B0000-0x00007FF6086A1000-memory.dmp	upx
behavioral2/memory/684-470-0x00007FF637D00000-0x00007FF6380F1000-memory.dmp	upx
behavioral2/memory/440-448-0x00007FF624200000-0x00007FF6245F1000-memory.dmp	upx
behavioral2/memory/5040-477-0x00007FF7769E0000-0x00007FF776DD1000-memory.dmp	upx
behavioral2/memory/4248-485-0x00007FF6D12D0000-0x00007FF6D16C1000-memory.dmp	upx
behavioral2/memory/1084-511-0x00007FF6DBF50000-0x00007FF6DC341000-memory.dmp	upx
behavioral2/memory/3292-517-0x00007FF7DD240000-0x00007FF7DD631000-memory.dmp	upx
behavioral2/memory/5016-496-0x00007FF6241E0000-0x00007FF6245D1000-memory.dmp	upx
behavioral2/memory/1224-492-0x00007FF748740000-0x00007FF748B31000-memory.dmp	upx
behavioral2/memory/1588-522-0x00007FF653F70000-0x00007FF654361000-memory.dmp	upx
behavioral2/memory/3348-490-0x00007FF7095B0000-0x00007FF7099A1000-memory.dmp	upx
behavioral2/memory/1924-525-0x00007FF60E950000-0x00007FF60ED41000-memory.dmp	upx
behavioral2/memory/2164-529-0x00007FF6CE4E0000-0x00007FF6CE8D1000-memory.dmp	upx
behavioral2/memory/3944-532-0x00007FF606750000-0x00007FF606B41000-memory.dmp	upx
behavioral2/memory/1692-536-0x00007FF65A6B0000-0x00007FF65AAA1000-memory.dmp	upx
behavioral2/memory/2904-619-0x00007FF7232E0000-0x00007FF7236D1000-memory.dmp	upx
behavioral2/memory/2596-2013-0x00007FF7481B0000-0x00007FF7485A1000-memory.dmp	upx
behavioral2/memory/2596-2039-0x00007FF7481B0000-0x00007FF7485A1000-memory.dmp	upx
behavioral2/memory/3644-2042-0x00007FF6201C0000-0x00007FF6205B1000-memory.dmp	upx
behavioral2/memory/860-2043-0x00007FF7289E0000-0x00007FF728DD1000-memory.dmp	upx
behavioral2/memory/2848-2047-0x00007FF6182D0000-0x00007FF6186C1000-memory.dmp	upx
behavioral2/memory/3656-2059-0x00007FF6082B0000-0x00007FF6086A1000-memory.dmp	upx
behavioral2/memory/5040-2067-0x00007FF7769E0000-0x00007FF776DD1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\qRZPLAC.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\aRryaSN.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\BDKVmTk.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\iAeRVmP.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\wBtslQv.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\SyCWdkB.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\mSaNTwh.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\WcPgeiR.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\tzmaQku.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\RNzufkB.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\kpHBrAI.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\nWbmQtd.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\dxYmBrd.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\arOXELb.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\xpxBDFv.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\NaIHsnx.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\hMHmvea.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\MmsSZoR.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\nZKzVCk.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\IapiuvD.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\VjrkBgS.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\ErkTuUa.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\zeAPkjq.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\mEKyRLj.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\kXNEwAG.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\AVwmITE.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\BjiFhIn.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\GlhaMHm.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\JTfISHP.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\syTrFZu.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\sdjVADX.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\ZaqlHvf.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\FTHZuAN.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\vQqEFgQ.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\OOiGxfQ.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\hVeYdIp.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\nAIaNvJ.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\BpRskUW.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\QCWLDLr.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\AIrKnNx.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\aRkUBMg.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\NvDIEyy.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\eLMrVau.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\xfucDxt.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\yckoMCB.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\HWsxtbv.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\ivpZLGj.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\QGTVtUG.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\JJSLyrm.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\ardHkHd.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\KEATsZP.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\vOMTpQZ.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\EdeDSSM.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\dEbufrw.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\PsSoBLo.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\vErVnLZ.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\HrjKdlZ.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\AkiVQrE.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\tYDTRsW.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\nNEVOfi.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\cCicJnJ.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\dQwAnuG.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\TDreDYY.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe
File created	C:\Windows\System32\PgxYvzY.exe	a3369cf536c358225c9bdb5f1a5a4120N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12628	dwm.exe
Token: SeChangeNotifyPrivilege	12628	dwm.exe
Token: 33	12628	dwm.exe
Token: SeIncBasePriorityPrivilege	12628	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 2596	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	85
PID 3928 wrote to memory of 2596	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	85
PID 3928 wrote to memory of 3644	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	86
PID 3928 wrote to memory of 3644	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	86
PID 3928 wrote to memory of 860	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	87
PID 3928 wrote to memory of 860	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	87
PID 3928 wrote to memory of 2904	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	88
PID 3928 wrote to memory of 2904	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	88
PID 3928 wrote to memory of 3968	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	89
PID 3928 wrote to memory of 3968	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	89
PID 3928 wrote to memory of 2848	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	90
PID 3928 wrote to memory of 2848	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	90
PID 3928 wrote to memory of 1800	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	91
PID 3928 wrote to memory of 1800	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	91
PID 3928 wrote to memory of 412	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	92
PID 3928 wrote to memory of 412	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	92
PID 3928 wrote to memory of 440	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	93
PID 3928 wrote to memory of 440	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	93
PID 3928 wrote to memory of 3544	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	94
PID 3928 wrote to memory of 3544	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	94
PID 3928 wrote to memory of 3656	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	95
PID 3928 wrote to memory of 3656	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	95
PID 3928 wrote to memory of 684	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	96
PID 3928 wrote to memory of 684	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	96
PID 3928 wrote to memory of 5040	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	97
PID 3928 wrote to memory of 5040	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	97
PID 3928 wrote to memory of 4248	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	98
PID 3928 wrote to memory of 4248	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	98
PID 3928 wrote to memory of 3348	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	99
PID 3928 wrote to memory of 3348	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	99
PID 3928 wrote to memory of 1224	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	100
PID 3928 wrote to memory of 1224	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	100
PID 3928 wrote to memory of 5016	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	101
PID 3928 wrote to memory of 5016	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	101
PID 3928 wrote to memory of 1084	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	102
PID 3928 wrote to memory of 1084	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	102
PID 3928 wrote to memory of 3292	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	103
PID 3928 wrote to memory of 3292	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	103
PID 3928 wrote to memory of 1588	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	104
PID 3928 wrote to memory of 1588	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	104
PID 3928 wrote to memory of 1924	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	105
PID 3928 wrote to memory of 1924	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	105
PID 3928 wrote to memory of 2164	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	106
PID 3928 wrote to memory of 2164	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	106
PID 3928 wrote to memory of 3944	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	107
PID 3928 wrote to memory of 3944	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	107
PID 3928 wrote to memory of 1692	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	108
PID 3928 wrote to memory of 1692	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	108
PID 3928 wrote to memory of 1152	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	109
PID 3928 wrote to memory of 1152	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	109
PID 3928 wrote to memory of 4688	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	110
PID 3928 wrote to memory of 4688	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	110
PID 3928 wrote to memory of 2552	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	111
PID 3928 wrote to memory of 2552	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	111
PID 3928 wrote to memory of 4892	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	112
PID 3928 wrote to memory of 4892	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	112
PID 3928 wrote to memory of 852	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	113
PID 3928 wrote to memory of 852	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	113
PID 3928 wrote to memory of 3200	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	114
PID 3928 wrote to memory of 3200	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	114
PID 3928 wrote to memory of 3012	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	115
PID 3928 wrote to memory of 3012	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	115
PID 3928 wrote to memory of 2064	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	116
PID 3928 wrote to memory of 2064	3928	a3369cf536c358225c9bdb5f1a5a4120N.exe	116

C:\Users\Admin\AppData\Local\Temp\a3369cf536c358225c9bdb5f1a5a4120N.exe
"C:\Users\Admin\AppData\Local\Temp\a3369cf536c358225c9bdb5f1a5a4120N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\System32\Umpjjyd.exe
  C:\Windows\System32\Umpjjyd.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\ZQnnuTi.exe
  C:\Windows\System32\ZQnnuTi.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System32\OTMFmkD.exe
  C:\Windows\System32\OTMFmkD.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System32\JHRceBF.exe
  C:\Windows\System32\JHRceBF.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\vZdruDR.exe
  C:\Windows\System32\vZdruDR.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\VVdYbbk.exe
  C:\Windows\System32\VVdYbbk.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System32\cCicJnJ.exe
  C:\Windows\System32\cCicJnJ.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\PJlJWzs.exe
  C:\Windows\System32\PJlJWzs.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System32\kXNEwAG.exe
  C:\Windows\System32\kXNEwAG.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\xfhRsga.exe
  C:\Windows\System32\xfhRsga.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System32\UaqraoT.exe
  C:\Windows\System32\UaqraoT.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System32\tzmaQku.exe
  C:\Windows\System32\tzmaQku.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System32\FAbsUnx.exe
  C:\Windows\System32\FAbsUnx.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\UmDjDOy.exe
  C:\Windows\System32\UmDjDOy.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System32\xoGQGrd.exe
  C:\Windows\System32\xoGQGrd.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System32\iHmtRdT.exe
  C:\Windows\System32\iHmtRdT.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System32\nAIaNvJ.exe
  C:\Windows\System32\nAIaNvJ.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\NVOFaWu.exe
  C:\Windows\System32\NVOFaWu.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System32\ivpZLGj.exe
  C:\Windows\System32\ivpZLGj.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\fMzfcmq.exe
  C:\Windows\System32\fMzfcmq.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\XjbLfwv.exe
  C:\Windows\System32\XjbLfwv.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\LYBkSpn.exe
  C:\Windows\System32\LYBkSpn.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System32\BFEiemk.exe
  C:\Windows\System32\BFEiemk.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\NJjCSYW.exe
  C:\Windows\System32\NJjCSYW.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System32\QJRSsQs.exe
  C:\Windows\System32\QJRSsQs.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System32\KDKZPbq.exe
  C:\Windows\System32\KDKZPbq.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System32\nANUbNc.exe
  C:\Windows\System32\nANUbNc.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System32\EdeDSSM.exe
  C:\Windows\System32\EdeDSSM.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System32\fYQinmq.exe
  C:\Windows\System32\fYQinmq.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System32\cWKiAqF.exe
  C:\Windows\System32\cWKiAqF.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System32\pOwpnIG.exe
  C:\Windows\System32\pOwpnIG.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System32\kLNQYkR.exe
  C:\Windows\System32\kLNQYkR.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System32\NBeVMSM.exe
  C:\Windows\System32\NBeVMSM.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System32\CUgpsGy.exe
  C:\Windows\System32\CUgpsGy.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\OiBqCif.exe
  C:\Windows\System32\OiBqCif.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System32\lsePbgd.exe
  C:\Windows\System32\lsePbgd.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System32\eLMrVau.exe
  C:\Windows\System32\eLMrVau.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System32\TTUhGZH.exe
  C:\Windows\System32\TTUhGZH.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\pNbfzyk.exe
  C:\Windows\System32\pNbfzyk.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System32\pkvIsvQ.exe
  C:\Windows\System32\pkvIsvQ.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System32\RNzufkB.exe
  C:\Windows\System32\RNzufkB.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System32\LfisTOS.exe
  C:\Windows\System32\LfisTOS.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System32\voHPNki.exe
  C:\Windows\System32\voHPNki.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System32\HrVNYLp.exe
  C:\Windows\System32\HrVNYLp.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System32\vQVZFSy.exe
  C:\Windows\System32\vQVZFSy.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\ojJnFre.exe
  C:\Windows\System32\ojJnFre.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System32\RVPcvwj.exe
  C:\Windows\System32\RVPcvwj.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System32\MWQOCvb.exe
  C:\Windows\System32\MWQOCvb.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System32\gstEQUU.exe
  C:\Windows\System32\gstEQUU.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\UDslfZq.exe
  C:\Windows\System32\UDslfZq.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System32\BiIyZVo.exe
  C:\Windows\System32\BiIyZVo.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System32\bolaUpv.exe
  C:\Windows\System32\bolaUpv.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System32\xjsBLRb.exe
  C:\Windows\System32\xjsBLRb.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\dQwAnuG.exe
  C:\Windows\System32\dQwAnuG.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System32\BmQIJAK.exe
  C:\Windows\System32\BmQIJAK.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\BCtLUQq.exe
  C:\Windows\System32\BCtLUQq.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\acwVwQf.exe
  C:\Windows\System32\acwVwQf.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System32\zTItque.exe
  C:\Windows\System32\zTItque.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\BDKVmTk.exe
  C:\Windows\System32\BDKVmTk.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\System32\KJZDgJU.exe
  C:\Windows\System32\KJZDgJU.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System32\zGTJcxt.exe
  C:\Windows\System32\zGTJcxt.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System32\FJDyqjA.exe
  C:\Windows\System32\FJDyqjA.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System32\MNVsWTA.exe
  C:\Windows\System32\MNVsWTA.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System32\aAZXaWv.exe
  C:\Windows\System32\aAZXaWv.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System32\qwYPCnE.exe
  C:\Windows\System32\qwYPCnE.exe
  2⤵
  PID:5108
- C:\Windows\System32\gWDFfxt.exe
  C:\Windows\System32\gWDFfxt.exe
  2⤵
  PID:756
- C:\Windows\System32\bDNeseQ.exe
  C:\Windows\System32\bDNeseQ.exe
  2⤵
  PID:1520
- C:\Windows\System32\ppFmQeX.exe
  C:\Windows\System32\ppFmQeX.exe
  2⤵
  PID:3244
- C:\Windows\System32\QejoLAN.exe
  C:\Windows\System32\QejoLAN.exe
  2⤵
  PID:456
- C:\Windows\System32\FZcyaNg.exe
  C:\Windows\System32\FZcyaNg.exe
  2⤵
  PID:2656
- C:\Windows\System32\CfdEcqx.exe
  C:\Windows\System32\CfdEcqx.exe
  2⤵
  PID:3184
- C:\Windows\System32\WTFGJNM.exe
  C:\Windows\System32\WTFGJNM.exe
  2⤵
  PID:1160
- C:\Windows\System32\sgQsbaW.exe
  C:\Windows\System32\sgQsbaW.exe
  2⤵
  PID:4948
- C:\Windows\System32\wOmSTpF.exe
  C:\Windows\System32\wOmSTpF.exe
  2⤵
  PID:1436
- C:\Windows\System32\ijJfAMO.exe
  C:\Windows\System32\ijJfAMO.exe
  2⤵
  PID:4608
- C:\Windows\System32\pugCvWt.exe
  C:\Windows\System32\pugCvWt.exe
  2⤵
  PID:3516
- C:\Windows\System32\WdaIsJi.exe
  C:\Windows\System32\WdaIsJi.exe
  2⤵
  PID:1200
- C:\Windows\System32\BpRskUW.exe
  C:\Windows\System32\BpRskUW.exe
  2⤵
  PID:2412
- C:\Windows\System32\TDreDYY.exe
  C:\Windows\System32\TDreDYY.exe
  2⤵
  PID:4328
- C:\Windows\System32\UclHVzy.exe
  C:\Windows\System32\UclHVzy.exe
  2⤵
  PID:4472
- C:\Windows\System32\rBxXZWf.exe
  C:\Windows\System32\rBxXZWf.exe
  2⤵
  PID:1864
- C:\Windows\System32\ahlKkqn.exe
  C:\Windows\System32\ahlKkqn.exe
  2⤵
  PID:212
- C:\Windows\System32\XBfnePZ.exe
  C:\Windows\System32\XBfnePZ.exe
  2⤵
  PID:452
- C:\Windows\System32\WVgbuMt.exe
  C:\Windows\System32\WVgbuMt.exe
  2⤵
  PID:3344
- C:\Windows\System32\syTrFZu.exe
  C:\Windows\System32\syTrFZu.exe
  2⤵
  PID:1204
- C:\Windows\System32\hMHmvea.exe
  C:\Windows\System32\hMHmvea.exe
  2⤵
  PID:2012
- C:\Windows\System32\tjmgxEM.exe
  C:\Windows\System32\tjmgxEM.exe
  2⤵
  PID:1332
- C:\Windows\System32\qSiGfwR.exe
  C:\Windows\System32\qSiGfwR.exe
  2⤵
  PID:1876
- C:\Windows\System32\uYDLAaI.exe
  C:\Windows\System32\uYDLAaI.exe
  2⤵
  PID:2128
- C:\Windows\System32\MhvTEqR.exe
  C:\Windows\System32\MhvTEqR.exe
  2⤵
  PID:3096
- C:\Windows\System32\IRDlMbb.exe
  C:\Windows\System32\IRDlMbb.exe
  2⤵
  PID:5100
- C:\Windows\System32\pdzZcAj.exe
  C:\Windows\System32\pdzZcAj.exe
  2⤵
  PID:932
- C:\Windows\System32\iAeRVmP.exe
  C:\Windows\System32\iAeRVmP.exe
  2⤵
  PID:2452
- C:\Windows\System32\iSgFIIQ.exe
  C:\Windows\System32\iSgFIIQ.exe
  2⤵
  PID:3848
- C:\Windows\System32\IWTnukL.exe
  C:\Windows\System32\IWTnukL.exe
  2⤵
  PID:1764
- C:\Windows\System32\LaicVbH.exe
  C:\Windows\System32\LaicVbH.exe
  2⤵
  PID:5144
- C:\Windows\System32\EhYZorz.exe
  C:\Windows\System32\EhYZorz.exe
  2⤵
  PID:5172
- C:\Windows\System32\LOoXXFh.exe
  C:\Windows\System32\LOoXXFh.exe
  2⤵
  PID:5200
- C:\Windows\System32\xfucDxt.exe
  C:\Windows\System32\xfucDxt.exe
  2⤵
  PID:5228
- C:\Windows\System32\KymACWn.exe
  C:\Windows\System32\KymACWn.exe
  2⤵
  PID:5256
- C:\Windows\System32\WuQvKOF.exe
  C:\Windows\System32\WuQvKOF.exe
  2⤵
  PID:5316
- C:\Windows\System32\QCWLDLr.exe
  C:\Windows\System32\QCWLDLr.exe
  2⤵
  PID:5332
- C:\Windows\System32\mYzUheS.exe
  C:\Windows\System32\mYzUheS.exe
  2⤵
  PID:5348
- C:\Windows\System32\KqLlahs.exe
  C:\Windows\System32\KqLlahs.exe
  2⤵
  PID:5376
- C:\Windows\System32\HobLIwK.exe
  C:\Windows\System32\HobLIwK.exe
  2⤵
  PID:5404
- C:\Windows\System32\xsxLJKQ.exe
  C:\Windows\System32\xsxLJKQ.exe
  2⤵
  PID:5432
- C:\Windows\System32\dEbufrw.exe
  C:\Windows\System32\dEbufrw.exe
  2⤵
  PID:5460
- C:\Windows\System32\JbQfGPX.exe
  C:\Windows\System32\JbQfGPX.exe
  2⤵
  PID:5488
- C:\Windows\System32\CdgJPpE.exe
  C:\Windows\System32\CdgJPpE.exe
  2⤵
  PID:5512
- C:\Windows\System32\aTAmmrg.exe
  C:\Windows\System32\aTAmmrg.exe
  2⤵
  PID:5544
- C:\Windows\System32\HfGOZVR.exe
  C:\Windows\System32\HfGOZVR.exe
  2⤵
  PID:5572
- C:\Windows\System32\OgpzLoN.exe
  C:\Windows\System32\OgpzLoN.exe
  2⤵
  PID:5600
- C:\Windows\System32\wBtslQv.exe
  C:\Windows\System32\wBtslQv.exe
  2⤵
  PID:5628
- C:\Windows\System32\igXPUSN.exe
  C:\Windows\System32\igXPUSN.exe
  2⤵
  PID:5652
- C:\Windows\System32\jEOlefb.exe
  C:\Windows\System32\jEOlefb.exe
  2⤵
  PID:5680
- C:\Windows\System32\XkdVTPu.exe
  C:\Windows\System32\XkdVTPu.exe
  2⤵
  PID:5712
- C:\Windows\System32\OxucOGI.exe
  C:\Windows\System32\OxucOGI.exe
  2⤵
  PID:5736
- C:\Windows\System32\qDNPCPJ.exe
  C:\Windows\System32\qDNPCPJ.exe
  2⤵
  PID:5768
- C:\Windows\System32\whXzWgk.exe
  C:\Windows\System32\whXzWgk.exe
  2⤵
  PID:5796
- C:\Windows\System32\czcQkAK.exe
  C:\Windows\System32\czcQkAK.exe
  2⤵
  PID:5824
- C:\Windows\System32\KXrpUhd.exe
  C:\Windows\System32\KXrpUhd.exe
  2⤵
  PID:5852
- C:\Windows\System32\ocGRXJg.exe
  C:\Windows\System32\ocGRXJg.exe
  2⤵
  PID:5892
- C:\Windows\System32\FCHQfkG.exe
  C:\Windows\System32\FCHQfkG.exe
  2⤵
  PID:5908
- C:\Windows\System32\dyAcxyl.exe
  C:\Windows\System32\dyAcxyl.exe
  2⤵
  PID:5932
- C:\Windows\System32\TelxkFe.exe
  C:\Windows\System32\TelxkFe.exe
  2⤵
  PID:5960
- C:\Windows\System32\aiVySDd.exe
  C:\Windows\System32\aiVySDd.exe
  2⤵
  PID:6068
- C:\Windows\System32\cDbmycl.exe
  C:\Windows\System32\cDbmycl.exe
  2⤵
  PID:6088
- C:\Windows\System32\AVwmITE.exe
  C:\Windows\System32\AVwmITE.exe
  2⤵
  PID:6112
- C:\Windows\System32\tDlerMM.exe
  C:\Windows\System32\tDlerMM.exe
  2⤵
  PID:6128
- C:\Windows\System32\yckoMCB.exe
  C:\Windows\System32\yckoMCB.exe
  2⤵
  PID:2092
- C:\Windows\System32\vkRBPFT.exe
  C:\Windows\System32\vkRBPFT.exe
  2⤵
  PID:1964
- C:\Windows\System32\aCcaRHI.exe
  C:\Windows\System32\aCcaRHI.exe
  2⤵
  PID:1232
- C:\Windows\System32\IMpfdvT.exe
  C:\Windows\System32\IMpfdvT.exe
  2⤵
  PID:5128
- C:\Windows\System32\SahIszg.exe
  C:\Windows\System32\SahIszg.exe
  2⤵
  PID:208
- C:\Windows\System32\ZGazmUN.exe
  C:\Windows\System32\ZGazmUN.exe
  2⤵
  PID:5276
- C:\Windows\System32\cuEwRZd.exe
  C:\Windows\System32\cuEwRZd.exe
  2⤵
  PID:220
- C:\Windows\System32\oowLnxq.exe
  C:\Windows\System32\oowLnxq.exe
  2⤵
  PID:5340
- C:\Windows\System32\VRKgWce.exe
  C:\Windows\System32\VRKgWce.exe
  2⤵
  PID:5384
- C:\Windows\System32\ThfdeSH.exe
  C:\Windows\System32\ThfdeSH.exe
  2⤵
  PID:5468
- C:\Windows\System32\MmsSZoR.exe
  C:\Windows\System32\MmsSZoR.exe
  2⤵
  PID:3976
- C:\Windows\System32\qKgsolF.exe
  C:\Windows\System32\qKgsolF.exe
  2⤵
  PID:4588
- C:\Windows\System32\xmVhRKY.exe
  C:\Windows\System32\xmVhRKY.exe
  2⤵
  PID:5636
- C:\Windows\System32\VNdDrae.exe
  C:\Windows\System32\VNdDrae.exe
  2⤵
  PID:5660
- C:\Windows\System32\dIICqXk.exe
  C:\Windows\System32\dIICqXk.exe
  2⤵
  PID:5704
- C:\Windows\System32\PhYronO.exe
  C:\Windows\System32\PhYronO.exe
  2⤵
  PID:4088
- C:\Windows\System32\dOdAfYj.exe
  C:\Windows\System32\dOdAfYj.exe
  2⤵
  PID:3756
- C:\Windows\System32\OXVrZmW.exe
  C:\Windows\System32\OXVrZmW.exe
  2⤵
  PID:5804
- C:\Windows\System32\CdDmPCz.exe
  C:\Windows\System32\CdDmPCz.exe
  2⤵
  PID:868
- C:\Windows\System32\RSPYcwy.exe
  C:\Windows\System32\RSPYcwy.exe
  2⤵
  PID:800
- C:\Windows\System32\iXGkjbM.exe
  C:\Windows\System32\iXGkjbM.exe
  2⤵
  PID:5976
- C:\Windows\System32\PsSoBLo.exe
  C:\Windows\System32\PsSoBLo.exe
  2⤵
  PID:2000
- C:\Windows\System32\OzcDdlO.exe
  C:\Windows\System32\OzcDdlO.exe
  2⤵
  PID:6100
- C:\Windows\System32\lNPdsQz.exe
  C:\Windows\System32\lNPdsQz.exe
  2⤵
  PID:5076
- C:\Windows\System32\MhbBSXa.exe
  C:\Windows\System32\MhbBSXa.exe
  2⤵
  PID:5124
- C:\Windows\System32\gDJrJvt.exe
  C:\Windows\System32\gDJrJvt.exe
  2⤵
  PID:5300
- C:\Windows\System32\PvDnQKG.exe
  C:\Windows\System32\PvDnQKG.exe
  2⤵
  PID:5732
- C:\Windows\System32\vErVnLZ.exe
  C:\Windows\System32\vErVnLZ.exe
  2⤵
  PID:3216
- C:\Windows\System32\VUPnzHn.exe
  C:\Windows\System32\VUPnzHn.exe
  2⤵
  PID:5720
- C:\Windows\System32\fkwlTRQ.exe
  C:\Windows\System32\fkwlTRQ.exe
  2⤵
  PID:5780
- C:\Windows\System32\sdjVADX.exe
  C:\Windows\System32\sdjVADX.exe
  2⤵
  PID:408
- C:\Windows\System32\DwLDywa.exe
  C:\Windows\System32\DwLDywa.exe
  2⤵
  PID:5940
- C:\Windows\System32\WENfyHW.exe
  C:\Windows\System32\WENfyHW.exe
  2⤵
  PID:1440
- C:\Windows\System32\KXesUiM.exe
  C:\Windows\System32\KXesUiM.exe
  2⤵
  PID:6052
- C:\Windows\System32\HaHgdbo.exe
  C:\Windows\System32\HaHgdbo.exe
  2⤵
  PID:6140
- C:\Windows\System32\leHFEES.exe
  C:\Windows\System32\leHFEES.exe
  2⤵
  PID:4568
- C:\Windows\System32\MihISlK.exe
  C:\Windows\System32\MihISlK.exe
  2⤵
  PID:4136
- C:\Windows\System32\bERMzik.exe
  C:\Windows\System32\bERMzik.exe
  2⤵
  PID:5208
- C:\Windows\System32\dRiLUPH.exe
  C:\Windows\System32\dRiLUPH.exe
  2⤵
  PID:4408
- C:\Windows\System32\mIwQkgY.exe
  C:\Windows\System32\mIwQkgY.exe
  2⤵
  PID:1648
- C:\Windows\System32\mZzwcEn.exe
  C:\Windows\System32\mZzwcEn.exe
  2⤵
  PID:5844
- C:\Windows\System32\BTYSmME.exe
  C:\Windows\System32\BTYSmME.exe
  2⤵
  PID:6148
- C:\Windows\System32\PgxYvzY.exe
  C:\Windows\System32\PgxYvzY.exe
  2⤵
  PID:6184
- C:\Windows\System32\TCiiCmM.exe
  C:\Windows\System32\TCiiCmM.exe
  2⤵
  PID:6208
- C:\Windows\System32\aRkUBMg.exe
  C:\Windows\System32\aRkUBMg.exe
  2⤵
  PID:6224
- C:\Windows\System32\CjUeamL.exe
  C:\Windows\System32\CjUeamL.exe
  2⤵
  PID:6248
- C:\Windows\System32\ajGEgHp.exe
  C:\Windows\System32\ajGEgHp.exe
  2⤵
  PID:6268
- C:\Windows\System32\sXXPplR.exe
  C:\Windows\System32\sXXPplR.exe
  2⤵
  PID:6288
- C:\Windows\System32\HtGBCdJ.exe
  C:\Windows\System32\HtGBCdJ.exe
  2⤵
  PID:6312
- C:\Windows\System32\kpHBrAI.exe
  C:\Windows\System32\kpHBrAI.exe
  2⤵
  PID:6332
- C:\Windows\System32\XPDcllI.exe
  C:\Windows\System32\XPDcllI.exe
  2⤵
  PID:6372
- C:\Windows\System32\tSLoVMf.exe
  C:\Windows\System32\tSLoVMf.exe
  2⤵
  PID:6396
- C:\Windows\System32\hMDsmgH.exe
  C:\Windows\System32\hMDsmgH.exe
  2⤵
  PID:6452
- C:\Windows\System32\DHwaqIa.exe
  C:\Windows\System32\DHwaqIa.exe
  2⤵
  PID:6524
- C:\Windows\System32\AkiVQrE.exe
  C:\Windows\System32\AkiVQrE.exe
  2⤵
  PID:6584
- C:\Windows\System32\TlvPfhW.exe
  C:\Windows\System32\TlvPfhW.exe
  2⤵
  PID:6648
- C:\Windows\System32\nuYmuys.exe
  C:\Windows\System32\nuYmuys.exe
  2⤵
  PID:6664
- C:\Windows\System32\QGTVtUG.exe
  C:\Windows\System32\QGTVtUG.exe
  2⤵
  PID:6688
- C:\Windows\System32\BhwfxiK.exe
  C:\Windows\System32\BhwfxiK.exe
  2⤵
  PID:6736
- C:\Windows\System32\SyCWdkB.exe
  C:\Windows\System32\SyCWdkB.exe
  2⤵
  PID:6752
- C:\Windows\System32\ntpCwPR.exe
  C:\Windows\System32\ntpCwPR.exe
  2⤵
  PID:6768
- C:\Windows\System32\rQjcBUe.exe
  C:\Windows\System32\rQjcBUe.exe
  2⤵
  PID:6796
- C:\Windows\System32\ZaqlHvf.exe
  C:\Windows\System32\ZaqlHvf.exe
  2⤵
  PID:6836
- C:\Windows\System32\FMvwTZD.exe
  C:\Windows\System32\FMvwTZD.exe
  2⤵
  PID:6876
- C:\Windows\System32\vurkVoi.exe
  C:\Windows\System32\vurkVoi.exe
  2⤵
  PID:6912
- C:\Windows\System32\OpWgzLQ.exe
  C:\Windows\System32\OpWgzLQ.exe
  2⤵
  PID:6940
- C:\Windows\System32\cWEBddq.exe
  C:\Windows\System32\cWEBddq.exe
  2⤵
  PID:6968
- C:\Windows\System32\GNnLgoL.exe
  C:\Windows\System32\GNnLgoL.exe
  2⤵
  PID:6992
- C:\Windows\System32\fGbExdr.exe
  C:\Windows\System32\fGbExdr.exe
  2⤵
  PID:7012
- C:\Windows\System32\pAwlDSk.exe
  C:\Windows\System32\pAwlDSk.exe
  2⤵
  PID:7040
- C:\Windows\System32\EEbTlzk.exe
  C:\Windows\System32\EEbTlzk.exe
  2⤵
  PID:7056
- C:\Windows\System32\BFmebHF.exe
  C:\Windows\System32\BFmebHF.exe
  2⤵
  PID:7080
- C:\Windows\System32\poaEFJk.exe
  C:\Windows\System32\poaEFJk.exe
  2⤵
  PID:7100
- C:\Windows\System32\LepLxGG.exe
  C:\Windows\System32\LepLxGG.exe
  2⤵
  PID:7120
- C:\Windows\System32\wpOFhOj.exe
  C:\Windows\System32\wpOFhOj.exe
  2⤵
  PID:7144
- C:\Windows\System32\EceGdLF.exe
  C:\Windows\System32\EceGdLF.exe
  2⤵
  PID:6036
- C:\Windows\System32\vUuAIIX.exe
  C:\Windows\System32\vUuAIIX.exe
  2⤵
  PID:5620
- C:\Windows\System32\gQVzFvw.exe
  C:\Windows\System32\gQVzFvw.exe
  2⤵
  PID:6240
- C:\Windows\System32\opjSkpz.exe
  C:\Windows\System32\opjSkpz.exe
  2⤵
  PID:6276
- C:\Windows\System32\szdGxbE.exe
  C:\Windows\System32\szdGxbE.exe
  2⤵
  PID:6264
- C:\Windows\System32\sjHbjNU.exe
  C:\Windows\System32\sjHbjNU.exe
  2⤵
  PID:6408
- C:\Windows\System32\MgCgYIs.exe
  C:\Windows\System32\MgCgYIs.exe
  2⤵
  PID:6368
- C:\Windows\System32\OizsilB.exe
  C:\Windows\System32\OizsilB.exe
  2⤵
  PID:6460
- C:\Windows\System32\DSyeUqw.exe
  C:\Windows\System32\DSyeUqw.exe
  2⤵
  PID:6500
- C:\Windows\System32\FnjidUa.exe
  C:\Windows\System32\FnjidUa.exe
  2⤵
  PID:6536
- C:\Windows\System32\xjkEhRf.exe
  C:\Windows\System32\xjkEhRf.exe
  2⤵
  PID:6672
- C:\Windows\System32\ksdukps.exe
  C:\Windows\System32\ksdukps.exe
  2⤵
  PID:6776
- C:\Windows\System32\AMwJynu.exe
  C:\Windows\System32\AMwJynu.exe
  2⤵
  PID:6892
- C:\Windows\System32\CgLpJDE.exe
  C:\Windows\System32\CgLpJDE.exe
  2⤵
  PID:6980
- C:\Windows\System32\WcXyvWT.exe
  C:\Windows\System32\WcXyvWT.exe
  2⤵
  PID:7064
- C:\Windows\System32\JfnQfod.exe
  C:\Windows\System32\JfnQfod.exe
  2⤵
  PID:7076
- C:\Windows\System32\HlYGqjt.exe
  C:\Windows\System32\HlYGqjt.exe
  2⤵
  PID:7140
- C:\Windows\System32\pNAMlll.exe
  C:\Windows\System32\pNAMlll.exe
  2⤵
  PID:7152
- C:\Windows\System32\AIrKnNx.exe
  C:\Windows\System32\AIrKnNx.exe
  2⤵
  PID:6124
- C:\Windows\System32\ZsnbzCw.exe
  C:\Windows\System32\ZsnbzCw.exe
  2⤵
  PID:6436
- C:\Windows\System32\TIwZkJh.exe
  C:\Windows\System32\TIwZkJh.exe
  2⤵
  PID:6820
- C:\Windows\System32\AOILmid.exe
  C:\Windows\System32\AOILmid.exe
  2⤵
  PID:6988
- C:\Windows\System32\iAzMqJC.exe
  C:\Windows\System32\iAzMqJC.exe
  2⤵
  PID:7008
- C:\Windows\System32\dsOTtxh.exe
  C:\Windows\System32\dsOTtxh.exe
  2⤵
  PID:324
- C:\Windows\System32\GiTfzwI.exe
  C:\Windows\System32\GiTfzwI.exe
  2⤵
  PID:6260
- C:\Windows\System32\ulqYAXm.exe
  C:\Windows\System32\ulqYAXm.exe
  2⤵
  PID:6324
- C:\Windows\System32\dykwHvG.exe
  C:\Windows\System32\dykwHvG.exe
  2⤵
  PID:6504
- C:\Windows\System32\qfwjSmD.exe
  C:\Windows\System32\qfwjSmD.exe
  2⤵
  PID:7132
- C:\Windows\System32\BHfUjRR.exe
  C:\Windows\System32\BHfUjRR.exe
  2⤵
  PID:7172
- C:\Windows\System32\GaRWQYU.exe
  C:\Windows\System32\GaRWQYU.exe
  2⤵
  PID:7200
- C:\Windows\System32\sXrDpHt.exe
  C:\Windows\System32\sXrDpHt.exe
  2⤵
  PID:7216
- C:\Windows\System32\NAvlvbA.exe
  C:\Windows\System32\NAvlvbA.exe
  2⤵
  PID:7260
- C:\Windows\System32\aUARtRl.exe
  C:\Windows\System32\aUARtRl.exe
  2⤵
  PID:7276
- C:\Windows\System32\OsKBggl.exe
  C:\Windows\System32\OsKBggl.exe
  2⤵
  PID:7316
- C:\Windows\System32\pKnqecA.exe
  C:\Windows\System32\pKnqecA.exe
  2⤵
  PID:7332
- C:\Windows\System32\VGGiCsf.exe
  C:\Windows\System32\VGGiCsf.exe
  2⤵
  PID:7360
- C:\Windows\System32\ydeKIlK.exe
  C:\Windows\System32\ydeKIlK.exe
  2⤵
  PID:7388
- C:\Windows\System32\PedVcqv.exe
  C:\Windows\System32\PedVcqv.exe
  2⤵
  PID:7412
- C:\Windows\System32\TbwfxHn.exe
  C:\Windows\System32\TbwfxHn.exe
  2⤵
  PID:7444
- C:\Windows\System32\swCNFwi.exe
  C:\Windows\System32\swCNFwi.exe
  2⤵
  PID:7496
- C:\Windows\System32\jsgYBxU.exe
  C:\Windows\System32\jsgYBxU.exe
  2⤵
  PID:7524
- C:\Windows\System32\HTyteNd.exe
  C:\Windows\System32\HTyteNd.exe
  2⤵
  PID:7544
- C:\Windows\System32\nnivplX.exe
  C:\Windows\System32\nnivplX.exe
  2⤵
  PID:7568
- C:\Windows\System32\sGnoVnX.exe
  C:\Windows\System32\sGnoVnX.exe
  2⤵
  PID:7592
- C:\Windows\System32\AZuFYCP.exe
  C:\Windows\System32\AZuFYCP.exe
  2⤵
  PID:7608
- C:\Windows\System32\xziwEoB.exe
  C:\Windows\System32\xziwEoB.exe
  2⤵
  PID:7640
- C:\Windows\System32\yxHyjiQ.exe
  C:\Windows\System32\yxHyjiQ.exe
  2⤵
  PID:7688
- C:\Windows\System32\mStVzGL.exe
  C:\Windows\System32\mStVzGL.exe
  2⤵
  PID:7732
- C:\Windows\System32\HfLbqMC.exe
  C:\Windows\System32\HfLbqMC.exe
  2⤵
  PID:7748
- C:\Windows\System32\qGPFJoG.exe
  C:\Windows\System32\qGPFJoG.exe
  2⤵
  PID:7764
- C:\Windows\System32\cXkAeJi.exe
  C:\Windows\System32\cXkAeJi.exe
  2⤵
  PID:7784
- C:\Windows\System32\orJSGNX.exe
  C:\Windows\System32\orJSGNX.exe
  2⤵
  PID:7808
- C:\Windows\System32\pAGONbd.exe
  C:\Windows\System32\pAGONbd.exe
  2⤵
  PID:7828
- C:\Windows\System32\igPZgxx.exe
  C:\Windows\System32\igPZgxx.exe
  2⤵
  PID:7844
- C:\Windows\System32\vZhlrQO.exe
  C:\Windows\System32\vZhlrQO.exe
  2⤵
  PID:7868
- C:\Windows\System32\uzeguGa.exe
  C:\Windows\System32\uzeguGa.exe
  2⤵
  PID:7896
- C:\Windows\System32\njUsvvo.exe
  C:\Windows\System32\njUsvvo.exe
  2⤵
  PID:7916
- C:\Windows\System32\FgvjELm.exe
  C:\Windows\System32\FgvjELm.exe
  2⤵
  PID:7940
- C:\Windows\System32\pbIKSho.exe
  C:\Windows\System32\pbIKSho.exe
  2⤵
  PID:7960
- C:\Windows\System32\fCernfx.exe
  C:\Windows\System32\fCernfx.exe
  2⤵
  PID:7984
- C:\Windows\System32\nZKzVCk.exe
  C:\Windows\System32\nZKzVCk.exe
  2⤵
  PID:8012
- C:\Windows\System32\IneApQX.exe
  C:\Windows\System32\IneApQX.exe
  2⤵
  PID:8032
- C:\Windows\System32\tYDTRsW.exe
  C:\Windows\System32\tYDTRsW.exe
  2⤵
  PID:8056
- C:\Windows\System32\ladrhBq.exe
  C:\Windows\System32\ladrhBq.exe
  2⤵
  PID:8084
- C:\Windows\System32\JtABGnE.exe
  C:\Windows\System32\JtABGnE.exe
  2⤵
  PID:8104
- C:\Windows\System32\BBFnRXJ.exe
  C:\Windows\System32\BBFnRXJ.exe
  2⤵
  PID:8128
- C:\Windows\System32\IKzKGVd.exe
  C:\Windows\System32\IKzKGVd.exe
  2⤵
  PID:7184
- C:\Windows\System32\vntPOJH.exe
  C:\Windows\System32\vntPOJH.exe
  2⤵
  PID:7232
- C:\Windows\System32\ljXQdLJ.exe
  C:\Windows\System32\ljXQdLJ.exe
  2⤵
  PID:7344
- C:\Windows\System32\ksqHYPe.exe
  C:\Windows\System32\ksqHYPe.exe
  2⤵
  PID:7452
- C:\Windows\System32\dizOhUD.exe
  C:\Windows\System32\dizOhUD.exe
  2⤵
  PID:7532
- C:\Windows\System32\oaxtLTj.exe
  C:\Windows\System32\oaxtLTj.exe
  2⤵
  PID:7620
- C:\Windows\System32\lNtmEhg.exe
  C:\Windows\System32\lNtmEhg.exe
  2⤵
  PID:7664
- C:\Windows\System32\QtRqmKY.exe
  C:\Windows\System32\QtRqmKY.exe
  2⤵
  PID:7740
- C:\Windows\System32\XgrDfEa.exe
  C:\Windows\System32\XgrDfEa.exe
  2⤵
  PID:7860
- C:\Windows\System32\cdfRTDY.exe
  C:\Windows\System32\cdfRTDY.exe
  2⤵
  PID:7864
- C:\Windows\System32\URzgGCR.exe
  C:\Windows\System32\URzgGCR.exe
  2⤵
  PID:7912
- C:\Windows\System32\MTiRgNY.exe
  C:\Windows\System32\MTiRgNY.exe
  2⤵
  PID:7952
- C:\Windows\System32\nqZOaTQ.exe
  C:\Windows\System32\nqZOaTQ.exe
  2⤵
  PID:8028
- C:\Windows\System32\UeSIdrT.exe
  C:\Windows\System32\UeSIdrT.exe
  2⤵
  PID:8052
- C:\Windows\System32\SJRFiUj.exe
  C:\Windows\System32\SJRFiUj.exe
  2⤵
  PID:8180
- C:\Windows\System32\BjiFhIn.exe
  C:\Windows\System32\BjiFhIn.exe
  2⤵
  PID:6568
- C:\Windows\System32\gWjKZil.exe
  C:\Windows\System32\gWjKZil.exe
  2⤵
  PID:7372
- C:\Windows\System32\PrHqqTv.exe
  C:\Windows\System32\PrHqqTv.exe
  2⤵
  PID:7552
- C:\Windows\System32\IXamfmQ.exe
  C:\Windows\System32\IXamfmQ.exe
  2⤵
  PID:7700
- C:\Windows\System32\dEPVKYl.exe
  C:\Windows\System32\dEPVKYl.exe
  2⤵
  PID:7776
- C:\Windows\System32\cpChUCx.exe
  C:\Windows\System32\cpChUCx.exe
  2⤵
  PID:4632
- C:\Windows\System32\HBjhYme.exe
  C:\Windows\System32\HBjhYme.exe
  2⤵
  PID:7852
- C:\Windows\System32\XmSPnyk.exe
  C:\Windows\System32\XmSPnyk.exe
  2⤵
  PID:7992
- C:\Windows\System32\AuVngWU.exe
  C:\Windows\System32\AuVngWU.exe
  2⤵
  PID:8040
- C:\Windows\System32\ATkLBvH.exe
  C:\Windows\System32\ATkLBvH.exe
  2⤵
  PID:7356
- C:\Windows\System32\XtjISDk.exe
  C:\Windows\System32\XtjISDk.exe
  2⤵
  PID:6748
- C:\Windows\System32\FrYjUSC.exe
  C:\Windows\System32\FrYjUSC.exe
  2⤵
  PID:3384
- C:\Windows\System32\ITutoKK.exe
  C:\Windows\System32\ITutoKK.exe
  2⤵
  PID:2628
- C:\Windows\System32\uqbhMxA.exe
  C:\Windows\System32\uqbhMxA.exe
  2⤵
  PID:8244
- C:\Windows\System32\ROTlaEY.exe
  C:\Windows\System32\ROTlaEY.exe
  2⤵
  PID:8260
- C:\Windows\System32\BJqgxCg.exe
  C:\Windows\System32\BJqgxCg.exe
  2⤵
  PID:8280
- C:\Windows\System32\myidBVo.exe
  C:\Windows\System32\myidBVo.exe
  2⤵
  PID:8308
- C:\Windows\System32\NvDIEyy.exe
  C:\Windows\System32\NvDIEyy.exe
  2⤵
  PID:8332
- C:\Windows\System32\KKieRnH.exe
  C:\Windows\System32\KKieRnH.exe
  2⤵
  PID:8360
- C:\Windows\System32\DovolVY.exe
  C:\Windows\System32\DovolVY.exe
  2⤵
  PID:8396
- C:\Windows\System32\VHbeueS.exe
  C:\Windows\System32\VHbeueS.exe
  2⤵
  PID:8416
- C:\Windows\System32\OllCAHk.exe
  C:\Windows\System32\OllCAHk.exe
  2⤵
  PID:8436
- C:\Windows\System32\OuPqQTM.exe
  C:\Windows\System32\OuPqQTM.exe
  2⤵
  PID:8460
- C:\Windows\System32\IapiuvD.exe
  C:\Windows\System32\IapiuvD.exe
  2⤵
  PID:8476
- C:\Windows\System32\PBYhAqX.exe
  C:\Windows\System32\PBYhAqX.exe
  2⤵
  PID:8504
- C:\Windows\System32\oeenmVY.exe
  C:\Windows\System32\oeenmVY.exe
  2⤵
  PID:8532
- C:\Windows\System32\OjssSaw.exe
  C:\Windows\System32\OjssSaw.exe
  2⤵
  PID:8572
- C:\Windows\System32\WsRWEWQ.exe
  C:\Windows\System32\WsRWEWQ.exe
  2⤵
  PID:8604
- C:\Windows\System32\uwIgMZI.exe
  C:\Windows\System32\uwIgMZI.exe
  2⤵
  PID:8620
- C:\Windows\System32\CVWAClv.exe
  C:\Windows\System32\CVWAClv.exe
  2⤵
  PID:8664
- C:\Windows\System32\kqtzwbz.exe
  C:\Windows\System32\kqtzwbz.exe
  2⤵
  PID:8688
- C:\Windows\System32\bYLqUzg.exe
  C:\Windows\System32\bYLqUzg.exe
  2⤵
  PID:8716
- C:\Windows\System32\sGijhkp.exe
  C:\Windows\System32\sGijhkp.exe
  2⤵
  PID:8760
- C:\Windows\System32\RxHLuWC.exe
  C:\Windows\System32\RxHLuWC.exe
  2⤵
  PID:8776
- C:\Windows\System32\ioHQupx.exe
  C:\Windows\System32\ioHQupx.exe
  2⤵
  PID:8800
- C:\Windows\System32\GGsimog.exe
  C:\Windows\System32\GGsimog.exe
  2⤵
  PID:8824
- C:\Windows\System32\oeWrOQG.exe
  C:\Windows\System32\oeWrOQG.exe
  2⤵
  PID:8844
- C:\Windows\System32\jOhzfuC.exe
  C:\Windows\System32\jOhzfuC.exe
  2⤵
  PID:8880
- C:\Windows\System32\lyNdLEX.exe
  C:\Windows\System32\lyNdLEX.exe
  2⤵
  PID:8900
- C:\Windows\System32\qRZPLAC.exe
  C:\Windows\System32\qRZPLAC.exe
  2⤵
  PID:8952
- C:\Windows\System32\AcByRWg.exe
  C:\Windows\System32\AcByRWg.exe
  2⤵
  PID:8984
- C:\Windows\System32\GlhaMHm.exe
  C:\Windows\System32\GlhaMHm.exe
  2⤵
  PID:9016
- C:\Windows\System32\lJswICX.exe
  C:\Windows\System32\lJswICX.exe
  2⤵
  PID:9044
- C:\Windows\System32\VjrkBgS.exe
  C:\Windows\System32\VjrkBgS.exe
  2⤵
  PID:9064
- C:\Windows\System32\tulGOSZ.exe
  C:\Windows\System32\tulGOSZ.exe
  2⤵
  PID:9084
- C:\Windows\System32\mygghsU.exe
  C:\Windows\System32\mygghsU.exe
  2⤵
  PID:9112
- C:\Windows\System32\DhRFibE.exe
  C:\Windows\System32\DhRFibE.exe
  2⤵
  PID:9164
- C:\Windows\System32\lzSVguX.exe
  C:\Windows\System32\lzSVguX.exe
  2⤵
  PID:9200
- C:\Windows\System32\UMaESNb.exe
  C:\Windows\System32\UMaESNb.exe
  2⤵
  PID:8100
- C:\Windows\System32\UZDcNfS.exe
  C:\Windows\System32\UZDcNfS.exe
  2⤵
  PID:8228
- C:\Windows\System32\zAHhZrO.exe
  C:\Windows\System32\zAHhZrO.exe
  2⤵
  PID:8252
- C:\Windows\System32\TuDNwby.exe
  C:\Windows\System32\TuDNwby.exe
  2⤵
  PID:8316
- C:\Windows\System32\UFYZxLf.exe
  C:\Windows\System32\UFYZxLf.exe
  2⤵
  PID:8404
- C:\Windows\System32\tUvZilI.exe
  C:\Windows\System32\tUvZilI.exe
  2⤵
  PID:8516
- C:\Windows\System32\GEVxbyU.exe
  C:\Windows\System32\GEVxbyU.exe
  2⤵
  PID:8452
- C:\Windows\System32\dxYmBrd.exe
  C:\Windows\System32\dxYmBrd.exe
  2⤵
  PID:8584
- C:\Windows\System32\gmZJpPa.exe
  C:\Windows\System32\gmZJpPa.exe
  2⤵
  PID:8676
- C:\Windows\System32\KDcdjOR.exe
  C:\Windows\System32\KDcdjOR.exe
  2⤵
  PID:8792
- C:\Windows\System32\cvgyzXq.exe
  C:\Windows\System32\cvgyzXq.exe
  2⤵
  PID:8864
- C:\Windows\System32\khIeuIf.exe
  C:\Windows\System32\khIeuIf.exe
  2⤵
  PID:8916
- C:\Windows\System32\gOCXoNW.exe
  C:\Windows\System32\gOCXoNW.exe
  2⤵
  PID:8960
- C:\Windows\System32\PsiPJRK.exe
  C:\Windows\System32\PsiPJRK.exe
  2⤵
  PID:9036
- C:\Windows\System32\YaOXtJt.exe
  C:\Windows\System32\YaOXtJt.exe
  2⤵
  PID:9076
- C:\Windows\System32\vCtMCkq.exe
  C:\Windows\System32\vCtMCkq.exe
  2⤵
  PID:9104
- C:\Windows\System32\iPSkkSB.exe
  C:\Windows\System32\iPSkkSB.exe
  2⤵
  PID:9180
- C:\Windows\System32\CCxlXTd.exe
  C:\Windows\System32\CCxlXTd.exe
  2⤵
  PID:9176
- C:\Windows\System32\xivnuWA.exe
  C:\Windows\System32\xivnuWA.exe
  2⤵
  PID:8212
- C:\Windows\System32\JoqiuIq.exe
  C:\Windows\System32\JoqiuIq.exe
  2⤵
  PID:8484
- C:\Windows\System32\MmagkgS.exe
  C:\Windows\System32\MmagkgS.exe
  2⤵
  PID:8600
- C:\Windows\System32\iCCkoqN.exe
  C:\Windows\System32\iCCkoqN.exe
  2⤵
  PID:8808
- C:\Windows\System32\SLNaGYK.exe
  C:\Windows\System32\SLNaGYK.exe
  2⤵
  PID:8924
- C:\Windows\System32\WewUfuO.exe
  C:\Windows\System32\WewUfuO.exe
  2⤵
  PID:6952
- C:\Windows\System32\Pduhnkj.exe
  C:\Windows\System32\Pduhnkj.exe
  2⤵
  PID:8348
- C:\Windows\System32\DCbYjAz.exe
  C:\Windows\System32\DCbYjAz.exe
  2⤵
  PID:8636
- C:\Windows\System32\iMYaqnL.exe
  C:\Windows\System32\iMYaqnL.exe
  2⤵
  PID:8628
- C:\Windows\System32\qiyNwmu.exe
  C:\Windows\System32\qiyNwmu.exe
  2⤵
  PID:8496
- C:\Windows\System32\wlDhpXe.exe
  C:\Windows\System32\wlDhpXe.exe
  2⤵
  PID:9244
- C:\Windows\System32\KKGEFQM.exe
  C:\Windows\System32\KKGEFQM.exe
  2⤵
  PID:9264
- C:\Windows\System32\kGssvkw.exe
  C:\Windows\System32\kGssvkw.exe
  2⤵
  PID:9288
- C:\Windows\System32\WnPxdBR.exe
  C:\Windows\System32\WnPxdBR.exe
  2⤵
  PID:9308
- C:\Windows\System32\PCUEcxY.exe
  C:\Windows\System32\PCUEcxY.exe
  2⤵
  PID:9332
- C:\Windows\System32\BxtetkW.exe
  C:\Windows\System32\BxtetkW.exe
  2⤵
  PID:9376
- C:\Windows\System32\GNKnIdw.exe
  C:\Windows\System32\GNKnIdw.exe
  2⤵
  PID:9416
- C:\Windows\System32\aJuxBaV.exe
  C:\Windows\System32\aJuxBaV.exe
  2⤵
  PID:9448
- C:\Windows\System32\qgNwqfT.exe
  C:\Windows\System32\qgNwqfT.exe
  2⤵
  PID:9484
- C:\Windows\System32\SzRpLim.exe
  C:\Windows\System32\SzRpLim.exe
  2⤵
  PID:9540
- C:\Windows\System32\YXGOGud.exe
  C:\Windows\System32\YXGOGud.exe
  2⤵
  PID:9556
- C:\Windows\System32\sgWhPUf.exe
  C:\Windows\System32\sgWhPUf.exe
  2⤵
  PID:9572
- C:\Windows\System32\vQqEFgQ.exe
  C:\Windows\System32\vQqEFgQ.exe
  2⤵
  PID:9600
- C:\Windows\System32\xuQDiqF.exe
  C:\Windows\System32\xuQDiqF.exe
  2⤵
  PID:9632
- C:\Windows\System32\mJNdpnO.exe
  C:\Windows\System32\mJNdpnO.exe
  2⤵
  PID:9652
- C:\Windows\System32\VoXGzLQ.exe
  C:\Windows\System32\VoXGzLQ.exe
  2⤵
  PID:9680
- C:\Windows\System32\NOxMIcJ.exe
  C:\Windows\System32\NOxMIcJ.exe
  2⤵
  PID:9704
- C:\Windows\System32\VpRwWfc.exe
  C:\Windows\System32\VpRwWfc.exe
  2⤵
  PID:9736
- C:\Windows\System32\arOXELb.exe
  C:\Windows\System32\arOXELb.exe
  2⤵
  PID:9772
- C:\Windows\System32\JMkuPQE.exe
  C:\Windows\System32\JMkuPQE.exe
  2⤵
  PID:9812
- C:\Windows\System32\UDroDVJ.exe
  C:\Windows\System32\UDroDVJ.exe
  2⤵
  PID:9840
- C:\Windows\System32\HAkWgGa.exe
  C:\Windows\System32\HAkWgGa.exe
  2⤵
  PID:9868
- C:\Windows\System32\PVADvPA.exe
  C:\Windows\System32\PVADvPA.exe
  2⤵
  PID:9884
- C:\Windows\System32\QiXuSOO.exe
  C:\Windows\System32\QiXuSOO.exe
  2⤵
  PID:9904
- C:\Windows\System32\IcNPWVZ.exe
  C:\Windows\System32\IcNPWVZ.exe
  2⤵
  PID:9928
- C:\Windows\System32\xwwixOX.exe
  C:\Windows\System32\xwwixOX.exe
  2⤵
  PID:9976
- C:\Windows\System32\QACmKCr.exe
  C:\Windows\System32\QACmKCr.exe
  2⤵
  PID:9996
- C:\Windows\System32\IvpeLwr.exe
  C:\Windows\System32\IvpeLwr.exe
  2⤵
  PID:10020
- C:\Windows\System32\bqUomQb.exe
  C:\Windows\System32\bqUomQb.exe
  2⤵
  PID:10036
- C:\Windows\System32\gxcBhep.exe
  C:\Windows\System32\gxcBhep.exe
  2⤵
  PID:10068
- C:\Windows\System32\JLFvzyf.exe
  C:\Windows\System32\JLFvzyf.exe
  2⤵
  PID:10084
- C:\Windows\System32\oKmYYLE.exe
  C:\Windows\System32\oKmYYLE.exe
  2⤵
  PID:10120
- C:\Windows\System32\lGsQXZY.exe
  C:\Windows\System32\lGsQXZY.exe
  2⤵
  PID:10140
- C:\Windows\System32\JEZSFTv.exe
  C:\Windows\System32\JEZSFTv.exe
  2⤵
  PID:10164
- C:\Windows\System32\VKEVuyG.exe
  C:\Windows\System32\VKEVuyG.exe
  2⤵
  PID:10184
- C:\Windows\System32\rtrDnil.exe
  C:\Windows\System32\rtrDnil.exe
  2⤵
  PID:10228
- C:\Windows\System32\ItMFJks.exe
  C:\Windows\System32\ItMFJks.exe
  2⤵
  PID:9256
- C:\Windows\System32\RvEqQpT.exe
  C:\Windows\System32\RvEqQpT.exe
  2⤵
  PID:9304
- C:\Windows\System32\rJsYRgl.exe
  C:\Windows\System32\rJsYRgl.exe
  2⤵
  PID:9296
- C:\Windows\System32\GuMyRgb.exe
  C:\Windows\System32\GuMyRgb.exe
  2⤵
  PID:9408
- C:\Windows\System32\GLNkyqh.exe
  C:\Windows\System32\GLNkyqh.exe
  2⤵
  PID:9492
- C:\Windows\System32\vSrCHhH.exe
  C:\Windows\System32\vSrCHhH.exe
  2⤵
  PID:9524
- C:\Windows\System32\MAKNmZh.exe
  C:\Windows\System32\MAKNmZh.exe
  2⤵
  PID:9584
- C:\Windows\System32\spqsHfw.exe
  C:\Windows\System32\spqsHfw.exe
  2⤵
  PID:9612
- C:\Windows\System32\UQbYnoH.exe
  C:\Windows\System32\UQbYnoH.exe
  2⤵
  PID:9692
- C:\Windows\System32\adHefRj.exe
  C:\Windows\System32\adHefRj.exe
  2⤵
  PID:9764
- C:\Windows\System32\uRMTrVl.exe
  C:\Windows\System32\uRMTrVl.exe
  2⤵
  PID:9808
- C:\Windows\System32\puCYovF.exe
  C:\Windows\System32\puCYovF.exe
  2⤵
  PID:9856
- C:\Windows\System32\fmlmMnt.exe
  C:\Windows\System32\fmlmMnt.exe
  2⤵
  PID:9876
- C:\Windows\System32\BGPxtey.exe
  C:\Windows\System32\BGPxtey.exe
  2⤵
  PID:10032
- C:\Windows\System32\wRAlIYD.exe
  C:\Windows\System32\wRAlIYD.exe
  2⤵
  PID:10136
- C:\Windows\System32\fPldrmH.exe
  C:\Windows\System32\fPldrmH.exe
  2⤵
  PID:10208
- C:\Windows\System32\wqUTuRu.exe
  C:\Windows\System32\wqUTuRu.exe
  2⤵
  PID:9232
- C:\Windows\System32\UVMTXQd.exe
  C:\Windows\System32\UVMTXQd.exe
  2⤵
  PID:9424
- C:\Windows\System32\VamEPHy.exe
  C:\Windows\System32\VamEPHy.exe
  2⤵
  PID:9548
- C:\Windows\System32\TDUNPFr.exe
  C:\Windows\System32\TDUNPFr.exe
  2⤵
  PID:9728
- C:\Windows\System32\tEdIZaK.exe
  C:\Windows\System32\tEdIZaK.exe
  2⤵
  PID:9912
- C:\Windows\System32\dvFLbDL.exe
  C:\Windows\System32\dvFLbDL.exe
  2⤵
  PID:9988
- C:\Windows\System32\qIQmvuS.exe
  C:\Windows\System32\qIQmvuS.exe
  2⤵
  PID:10224
- C:\Windows\System32\XGGOfVp.exe
  C:\Windows\System32\XGGOfVp.exe
  2⤵
  PID:8700
- C:\Windows\System32\DCMatKN.exe
  C:\Windows\System32\DCMatKN.exe
  2⤵
  PID:9596
- C:\Windows\System32\nrGdrtX.exe
  C:\Windows\System32\nrGdrtX.exe
  2⤵
  PID:9880
- C:\Windows\System32\rnOQekY.exe
  C:\Windows\System32\rnOQekY.exe
  2⤵
  PID:10108
- C:\Windows\System32\rfhnbje.exe
  C:\Windows\System32\rfhnbje.exe
  2⤵
  PID:9344
- C:\Windows\System32\UCQLvNU.exe
  C:\Windows\System32\UCQLvNU.exe
  2⤵
  PID:10252
- C:\Windows\System32\RuRhKdr.exe
  C:\Windows\System32\RuRhKdr.exe
  2⤵
  PID:10276
- C:\Windows\System32\lcQqeNk.exe
  C:\Windows\System32\lcQqeNk.exe
  2⤵
  PID:10296
- C:\Windows\System32\JVMfqXT.exe
  C:\Windows\System32\JVMfqXT.exe
  2⤵
  PID:10348
- C:\Windows\System32\dVTXHeT.exe
  C:\Windows\System32\dVTXHeT.exe
  2⤵
  PID:10368
- C:\Windows\System32\judDJar.exe
  C:\Windows\System32\judDJar.exe
  2⤵
  PID:10400
- C:\Windows\System32\JEZBQZS.exe
  C:\Windows\System32\JEZBQZS.exe
  2⤵
  PID:10420
- C:\Windows\System32\twSRoKN.exe
  C:\Windows\System32\twSRoKN.exe
  2⤵
  PID:10444
- C:\Windows\System32\JJSLyrm.exe
  C:\Windows\System32\JJSLyrm.exe
  2⤵
  PID:10476
- C:\Windows\System32\KelWjPN.exe
  C:\Windows\System32\KelWjPN.exe
  2⤵
  PID:10492
- C:\Windows\System32\qmKdmYV.exe
  C:\Windows\System32\qmKdmYV.exe
  2⤵
  PID:10512
- C:\Windows\System32\OOiGxfQ.exe
  C:\Windows\System32\OOiGxfQ.exe
  2⤵
  PID:10544
- C:\Windows\System32\nWbmQtd.exe
  C:\Windows\System32\nWbmQtd.exe
  2⤵
  PID:10576
- C:\Windows\System32\TsXNhrN.exe
  C:\Windows\System32\TsXNhrN.exe
  2⤵
  PID:10604
- C:\Windows\System32\OueoHSf.exe
  C:\Windows\System32\OueoHSf.exe
  2⤵
  PID:10636
- C:\Windows\System32\suCNQck.exe
  C:\Windows\System32\suCNQck.exe
  2⤵
  PID:10668
- C:\Windows\System32\Xbhqllv.exe
  C:\Windows\System32\Xbhqllv.exe
  2⤵
  PID:10688
- C:\Windows\System32\mBURSnP.exe
  C:\Windows\System32\mBURSnP.exe
  2⤵
  PID:10708
- C:\Windows\System32\ErkTuUa.exe
  C:\Windows\System32\ErkTuUa.exe
  2⤵
  PID:10776
- C:\Windows\System32\zhTParS.exe
  C:\Windows\System32\zhTParS.exe
  2⤵
  PID:10796
- C:\Windows\System32\PHNMcmk.exe
  C:\Windows\System32\PHNMcmk.exe
  2⤵
  PID:10824
- C:\Windows\System32\hVeYdIp.exe
  C:\Windows\System32\hVeYdIp.exe
  2⤵
  PID:10844
- C:\Windows\System32\ardHkHd.exe
  C:\Windows\System32\ardHkHd.exe
  2⤵
  PID:10884
- C:\Windows\System32\OMPsgXr.exe
  C:\Windows\System32\OMPsgXr.exe
  2⤵
  PID:10912
- C:\Windows\System32\veHXSgp.exe
  C:\Windows\System32\veHXSgp.exe
  2⤵
  PID:10936
- C:\Windows\System32\mZPCXpG.exe
  C:\Windows\System32\mZPCXpG.exe
  2⤵
  PID:10976
- C:\Windows\System32\gXgGQoW.exe
  C:\Windows\System32\gXgGQoW.exe
  2⤵
  PID:11000
- C:\Windows\System32\hFdvoRJ.exe
  C:\Windows\System32\hFdvoRJ.exe
  2⤵
  PID:11020
- C:\Windows\System32\TWNMJPE.exe
  C:\Windows\System32\TWNMJPE.exe
  2⤵
  PID:11040
- C:\Windows\System32\WrlwIRv.exe
  C:\Windows\System32\WrlwIRv.exe
  2⤵
  PID:11060
- C:\Windows\System32\UWnumFR.exe
  C:\Windows\System32\UWnumFR.exe
  2⤵
  PID:11100
- C:\Windows\System32\vALTOaW.exe
  C:\Windows\System32\vALTOaW.exe
  2⤵
  PID:11128
- C:\Windows\System32\gGrMxnk.exe
  C:\Windows\System32\gGrMxnk.exe
  2⤵
  PID:11152
- C:\Windows\System32\YGthbnA.exe
  C:\Windows\System32\YGthbnA.exe
  2⤵
  PID:11180
- C:\Windows\System32\IFAtRBn.exe
  C:\Windows\System32\IFAtRBn.exe
  2⤵
  PID:11224
- C:\Windows\System32\YzjheAg.exe
  C:\Windows\System32\YzjheAg.exe
  2⤵
  PID:11252
- C:\Windows\System32\EQYxWnB.exe
  C:\Windows\System32\EQYxWnB.exe
  2⤵
  PID:9672
- C:\Windows\System32\vraegjj.exe
  C:\Windows\System32\vraegjj.exe
  2⤵
  PID:10340
- C:\Windows\System32\VrRwZvT.exe
  C:\Windows\System32\VrRwZvT.exe
  2⤵
  PID:10360
- C:\Windows\System32\lUbxBtr.exe
  C:\Windows\System32\lUbxBtr.exe
  2⤵
  PID:10452
- C:\Windows\System32\jErPxOI.exe
  C:\Windows\System32\jErPxOI.exe
  2⤵
  PID:10528
- C:\Windows\System32\IBPTZbE.exe
  C:\Windows\System32\IBPTZbE.exe
  2⤵
  PID:10572
- C:\Windows\System32\zqBYQsy.exe
  C:\Windows\System32\zqBYQsy.exe
  2⤵
  PID:10656
- C:\Windows\System32\ZSIvlJg.exe
  C:\Windows\System32\ZSIvlJg.exe
  2⤵
  PID:10700
- C:\Windows\System32\pZadMav.exe
  C:\Windows\System32\pZadMav.exe
  2⤵
  PID:10788
- C:\Windows\System32\WUbmYkF.exe
  C:\Windows\System32\WUbmYkF.exe
  2⤵
  PID:10868
- C:\Windows\System32\COVygli.exe
  C:\Windows\System32\COVygli.exe
  2⤵
  PID:10892
- C:\Windows\System32\rJGZEyf.exe
  C:\Windows\System32\rJGZEyf.exe
  2⤵
  PID:10956
- C:\Windows\System32\UmbDqnG.exe
  C:\Windows\System32\UmbDqnG.exe
  2⤵
  PID:10988
- C:\Windows\System32\isnsRZP.exe
  C:\Windows\System32\isnsRZP.exe
  2⤵
  PID:11120
- C:\Windows\System32\NOfqKTQ.exe
  C:\Windows\System32\NOfqKTQ.exe
  2⤵
  PID:11176
- C:\Windows\System32\NgpyUaZ.exe
  C:\Windows\System32\NgpyUaZ.exe
  2⤵
  PID:11220
- C:\Windows\System32\uPTMGgv.exe
  C:\Windows\System32\uPTMGgv.exe
  2⤵
  PID:10264
- C:\Windows\System32\vxtEBFA.exe
  C:\Windows\System32\vxtEBFA.exe
  2⤵
  PID:10416
- C:\Windows\System32\vRpjZWS.exe
  C:\Windows\System32\vRpjZWS.exe
  2⤵
  PID:10564
- C:\Windows\System32\VAAvmrh.exe
  C:\Windows\System32\VAAvmrh.exe
  2⤵
  PID:10676
- C:\Windows\System32\iPzxQOj.exe
  C:\Windows\System32\iPzxQOj.exe
  2⤵
  PID:10860
- C:\Windows\System32\otHIIPr.exe
  C:\Windows\System32\otHIIPr.exe
  2⤵
  PID:11032
- C:\Windows\System32\mnmWKkd.exe
  C:\Windows\System32\mnmWKkd.exe
  2⤵
  PID:11196
- C:\Windows\System32\DaMlhRS.exe
  C:\Windows\System32\DaMlhRS.exe
  2⤵
  PID:10268
- C:\Windows\System32\rZDnRxO.exe
  C:\Windows\System32\rZDnRxO.exe
  2⤵
  PID:10628
- C:\Windows\System32\sychRWD.exe
  C:\Windows\System32\sychRWD.exe
  2⤵
  PID:10920
- C:\Windows\System32\IBnZoMC.exe
  C:\Windows\System32\IBnZoMC.exe
  2⤵
  PID:9936
- C:\Windows\System32\ZefLsMZ.exe
  C:\Windows\System32\ZefLsMZ.exe
  2⤵
  PID:10508
- C:\Windows\System32\GoABFOk.exe
  C:\Windows\System32\GoABFOk.exe
  2⤵
  PID:11280
- C:\Windows\System32\KKXCURK.exe
  C:\Windows\System32\KKXCURK.exe
  2⤵
  PID:11300
- C:\Windows\System32\KEATsZP.exe
  C:\Windows\System32\KEATsZP.exe
  2⤵
  PID:11324
- C:\Windows\System32\HHpiQGL.exe
  C:\Windows\System32\HHpiQGL.exe
  2⤵
  PID:11344
- C:\Windows\System32\vRvYEHy.exe
  C:\Windows\System32\vRvYEHy.exe
  2⤵
  PID:11372
- C:\Windows\System32\RZTPrsL.exe
  C:\Windows\System32\RZTPrsL.exe
  2⤵
  PID:11436
- C:\Windows\System32\SwokxCX.exe
  C:\Windows\System32\SwokxCX.exe
  2⤵
  PID:11460
- C:\Windows\System32\MyccxvV.exe
  C:\Windows\System32\MyccxvV.exe
  2⤵
  PID:11484
- C:\Windows\System32\rzLgmpP.exe
  C:\Windows\System32\rzLgmpP.exe
  2⤵
  PID:11504
- C:\Windows\System32\QsdIPWe.exe
  C:\Windows\System32\QsdIPWe.exe
  2⤵
  PID:11532
- C:\Windows\System32\CsgQdry.exe
  C:\Windows\System32\CsgQdry.exe
  2⤵
  PID:11584
- C:\Windows\System32\XgyLfgP.exe
  C:\Windows\System32\XgyLfgP.exe
  2⤵
  PID:11600
- C:\Windows\System32\EeVHWrW.exe
  C:\Windows\System32\EeVHWrW.exe
  2⤵
  PID:11624
- C:\Windows\System32\GNQriwt.exe
  C:\Windows\System32\GNQriwt.exe
  2⤵
  PID:11668
- C:\Windows\System32\wQCTjck.exe
  C:\Windows\System32\wQCTjck.exe
  2⤵
  PID:11692
- C:\Windows\System32\QDfLwhf.exe
  C:\Windows\System32\QDfLwhf.exe
  2⤵
  PID:11716
- C:\Windows\System32\cJqIOMr.exe
  C:\Windows\System32\cJqIOMr.exe
  2⤵
  PID:11736
- C:\Windows\System32\fJKTrhz.exe
  C:\Windows\System32\fJKTrhz.exe
  2⤵
  PID:11792
- C:\Windows\System32\zpZWnpB.exe
  C:\Windows\System32\zpZWnpB.exe
  2⤵
  PID:11812
- C:\Windows\System32\aSbRqwh.exe
  C:\Windows\System32\aSbRqwh.exe
  2⤵
  PID:11832
- C:\Windows\System32\oZVzcvj.exe
  C:\Windows\System32\oZVzcvj.exe
  2⤵
  PID:11864
- C:\Windows\System32\YpSZVlM.exe
  C:\Windows\System32\YpSZVlM.exe
  2⤵
  PID:11884
- C:\Windows\System32\UoKsZpQ.exe
  C:\Windows\System32\UoKsZpQ.exe
  2⤵
  PID:11928
- C:\Windows\System32\twtuBdQ.exe
  C:\Windows\System32\twtuBdQ.exe
  2⤵
  PID:11956
- C:\Windows\System32\xpxBDFv.exe
  C:\Windows\System32\xpxBDFv.exe
  2⤵
  PID:12064
- C:\Windows\System32\OapANJn.exe
  C:\Windows\System32\OapANJn.exe
  2⤵
  PID:12100
- C:\Windows\System32\IRkdJWO.exe
  C:\Windows\System32\IRkdJWO.exe
  2⤵
  PID:12156
- C:\Windows\System32\lIhgapJ.exe
  C:\Windows\System32\lIhgapJ.exe
  2⤵
  PID:12176
- C:\Windows\System32\PMbYSpa.exe
  C:\Windows\System32\PMbYSpa.exe
  2⤵
  PID:12212
- C:\Windows\System32\FTHZuAN.exe
  C:\Windows\System32\FTHZuAN.exe
  2⤵
  PID:12248
- C:\Windows\System32\eVQzJyg.exe
  C:\Windows\System32\eVQzJyg.exe
  2⤵
  PID:12276
- C:\Windows\System32\LJFtXxH.exe
  C:\Windows\System32\LJFtXxH.exe
  2⤵
  PID:11164
- C:\Windows\System32\RNVdUPe.exe
  C:\Windows\System32\RNVdUPe.exe
  2⤵
  PID:11340
- C:\Windows\System32\YkRxhmO.exe
  C:\Windows\System32\YkRxhmO.exe
  2⤵
  PID:11412
- C:\Windows\System32\TuZjnjU.exe
  C:\Windows\System32\TuZjnjU.exe
  2⤵
  PID:11496
- C:\Windows\System32\TJwoGtc.exe
  C:\Windows\System32\TJwoGtc.exe
  2⤵
  PID:11472
- C:\Windows\System32\AKtgiyW.exe
  C:\Windows\System32\AKtgiyW.exe
  2⤵
  PID:11556
- C:\Windows\System32\pdbOcJb.exe
  C:\Windows\System32\pdbOcJb.exe
  2⤵
  PID:11592
- C:\Windows\System32\FMWGmvK.exe
  C:\Windows\System32\FMWGmvK.exe
  2⤵
  PID:11656
- C:\Windows\System32\VlsoEWv.exe
  C:\Windows\System32\VlsoEWv.exe
  2⤵
  PID:11768
- C:\Windows\System32\yGHELZx.exe
  C:\Windows\System32\yGHELZx.exe
  2⤵
  PID:11808
- C:\Windows\System32\LzOKYga.exe
  C:\Windows\System32\LzOKYga.exe
  2⤵
  PID:11908
- C:\Windows\System32\vraNsny.exe
  C:\Windows\System32\vraNsny.exe
  2⤵
  PID:11968
- C:\Windows\System32\hOajYhO.exe
  C:\Windows\System32\hOajYhO.exe
  2⤵
  PID:12004
- C:\Windows\System32\mIbyPQE.exe
  C:\Windows\System32\mIbyPQE.exe
  2⤵
  PID:12048
- C:\Windows\System32\HWsxtbv.exe
  C:\Windows\System32\HWsxtbv.exe
  2⤵
  PID:12096
- C:\Windows\System32\twIuubd.exe
  C:\Windows\System32\twIuubd.exe
  2⤵
  PID:12128
- C:\Windows\System32\VbosHxM.exe
  C:\Windows\System32\VbosHxM.exe
  2⤵
  PID:12072
- C:\Windows\System32\UllIDNN.exe
  C:\Windows\System32\UllIDNN.exe
  2⤵
  PID:12164
- C:\Windows\System32\dGnlSva.exe
  C:\Windows\System32\dGnlSva.exe
  2⤵
  PID:12220
- C:\Windows\System32\vwAeSCV.exe
  C:\Windows\System32\vwAeSCV.exe
  2⤵
  PID:10436
- C:\Windows\System32\mVgJSsR.exe
  C:\Windows\System32\mVgJSsR.exe
  2⤵
  PID:11408
- C:\Windows\System32\ZawNxzX.exe
  C:\Windows\System32\ZawNxzX.exe
  2⤵
  PID:11644
- C:\Windows\System32\ecIFCWa.exe
  C:\Windows\System32\ecIFCWa.exe
  2⤵
  PID:11780
- C:\Windows\System32\NBMXHvk.exe
  C:\Windows\System32\NBMXHvk.exe
  2⤵
  PID:11844
- C:\Windows\System32\lLhRoJq.exe
  C:\Windows\System32\lLhRoJq.exe
  2⤵
  PID:12016
- C:\Windows\System32\VxNDXxt.exe
  C:\Windows\System32\VxNDXxt.exe
  2⤵
  PID:12076
- C:\Windows\System32\tSBWoUR.exe
  C:\Windows\System32\tSBWoUR.exe
  2⤵
  PID:12192
- C:\Windows\System32\TbVIAKg.exe
  C:\Windows\System32\TbVIAKg.exe
  2⤵
  PID:12240
- C:\Windows\System32\mSaNTwh.exe
  C:\Windows\System32\mSaNTwh.exe
  2⤵
  PID:11516
- C:\Windows\System32\nHxaIIH.exe
  C:\Windows\System32\nHxaIIH.exe
  2⤵
  PID:11996
- C:\Windows\System32\JTfISHP.exe
  C:\Windows\System32\JTfISHP.exe
  2⤵
  PID:11608
- C:\Windows\System32\eAoOqqm.exe
  C:\Windows\System32\eAoOqqm.exe
  2⤵
  PID:11688
- C:\Windows\System32\rnWPDxE.exe
  C:\Windows\System32\rnWPDxE.exe
  2⤵
  PID:12132
- C:\Windows\System32\KmIZoJB.exe
  C:\Windows\System32\KmIZoJB.exe
  2⤵
  PID:12028
- C:\Windows\System32\CCtZSLg.exe
  C:\Windows\System32\CCtZSLg.exe
  2⤵
  PID:12304
- C:\Windows\System32\EfbvRGy.exe
  C:\Windows\System32\EfbvRGy.exe
  2⤵
  PID:12340
- C:\Windows\System32\kFhySMA.exe
  C:\Windows\System32\kFhySMA.exe
  2⤵
  PID:12356
- C:\Windows\System32\SvehPsc.exe
  C:\Windows\System32\SvehPsc.exe
  2⤵
  PID:12380
- C:\Windows\System32\TKiDgWb.exe
  C:\Windows\System32\TKiDgWb.exe
  2⤵
  PID:12396
- C:\Windows\System32\WcPgeiR.exe
  C:\Windows\System32\WcPgeiR.exe
  2⤵
  PID:12436
- C:\Windows\System32\BOfCJMB.exe
  C:\Windows\System32\BOfCJMB.exe
  2⤵
  PID:12484
- C:\Windows\System32\QgkZkQI.exe
  C:\Windows\System32\QgkZkQI.exe
  2⤵
  PID:12504
- C:\Windows\System32\NaIHsnx.exe
  C:\Windows\System32\NaIHsnx.exe
  2⤵
  PID:12520
- C:\Windows\System32\GXrVmju.exe
  C:\Windows\System32\GXrVmju.exe
  2⤵
  PID:12556
- C:\Windows\System32\iHVJuUQ.exe
  C:\Windows\System32\iHVJuUQ.exe
  2⤵
  PID:12576
- C:\Windows\System32\qchHWZO.exe
  C:\Windows\System32\qchHWZO.exe
  2⤵
  PID:12600
- C:\Windows\System32\FzTAKhs.exe
  C:\Windows\System32\FzTAKhs.exe
  2⤵
  PID:12620
- C:\Windows\System32\IWtLPrY.exe
  C:\Windows\System32\IWtLPrY.exe
  2⤵
  PID:12652
- C:\Windows\System32\ZmlEmiC.exe
  C:\Windows\System32\ZmlEmiC.exe
  2⤵
  PID:12696
- C:\Windows\System32\nblocSY.exe
  C:\Windows\System32\nblocSY.exe
  2⤵
  PID:12732
- C:\Windows\System32\hhgWURt.exe
  C:\Windows\System32\hhgWURt.exe
  2⤵
  PID:12760
- C:\Windows\System32\nJqQeWU.exe
  C:\Windows\System32\nJqQeWU.exe
  2⤵
  PID:12784
- C:\Windows\System32\xwiNiLa.exe
  C:\Windows\System32\xwiNiLa.exe
  2⤵
  PID:12824
- C:\Windows\System32\tRfqOct.exe
  C:\Windows\System32\tRfqOct.exe
  2⤵
  PID:12856
- C:\Windows\System32\ASvpYOf.exe
  C:\Windows\System32\ASvpYOf.exe
  2⤵
  PID:12872
- C:\Windows\System32\FSeXYBF.exe
  C:\Windows\System32\FSeXYBF.exe
  2⤵
  PID:12900
- C:\Windows\System32\wmtnsvh.exe
  C:\Windows\System32\wmtnsvh.exe
  2⤵
  PID:12932
- C:\Windows\System32\BIfjMRe.exe
  C:\Windows\System32\BIfjMRe.exe
  2⤵
  PID:12960
- C:\Windows\System32\EAvCBsh.exe
  C:\Windows\System32\EAvCBsh.exe
  2⤵
  PID:12988
- C:\Windows\System32\Klufsgs.exe
  C:\Windows\System32\Klufsgs.exe
  2⤵
  PID:13012
- C:\Windows\System32\zeAPkjq.exe
  C:\Windows\System32\zeAPkjq.exe
  2⤵
  PID:13044
- C:\Windows\System32\IJPcvQH.exe
  C:\Windows\System32\IJPcvQH.exe
  2⤵
  PID:13084
- C:\Windows\System32\gxbSavS.exe
  C:\Windows\System32\gxbSavS.exe
  2⤵
  PID:13112
- C:\Windows\System32\CwwJhgZ.exe
  C:\Windows\System32\CwwJhgZ.exe
  2⤵
  PID:13136
- C:\Windows\System32\AzZmGgk.exe
  C:\Windows\System32\AzZmGgk.exe
  2⤵
  PID:13160
- C:\Windows\System32\ZBPbTlO.exe
  C:\Windows\System32\ZBPbTlO.exe
  2⤵
  PID:13180
- C:\Windows\System32\gCxGDPX.exe
  C:\Windows\System32\gCxGDPX.exe
  2⤵
  PID:13208
- C:\Windows\System32\LSdpvKp.exe
  C:\Windows\System32\LSdpvKp.exe
  2⤵
  PID:13228
- C:\Windows\System32\dXkBbIK.exe
  C:\Windows\System32\dXkBbIK.exe
  2⤵
  PID:13252
- C:\Windows\System32\ehgfBFG.exe
  C:\Windows\System32\ehgfBFG.exe
  2⤵
  PID:13280

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BFEiemk.exe

Filesize
1.8MB

MD5
5a8db058e7aa803c412c9e85b451511c

SHA1
ba74b0e7a12bf8315bfbf0ebaf96b1b9c62dccc3

SHA256
1b4f138187c83f5ff96b2b546db0ee18b6387c418c59f23485eb38046b394f1f

SHA512
930eae9eeab5ddf63b484918ef2985613f73a140eb2d441420b8c5e04da73fab3eeb9dd77a96678960a2fca8e3874a60f6f8557025b247691e9d059570e69e92

Download Submit
C:\Windows\System32\EdeDSSM.exe

Filesize
1.9MB

MD5
0a3abdebec92c1240a73caf70537bb09

SHA1
46b9b8afcf2740ab28811c66122717304051c1de

SHA256
724c651711255ea278c5647587aa94271734a544eb685753dd466fb184964c84

SHA512
2ee2331636dc0f63ec48d8043fda04d012687593be46031bc6d1e7c61a6666dbd72a6fe0193ca5c2e351a653a02592c9e7633652f652312e7ab4e112abd87c5e

Download Submit
C:\Windows\System32\FAbsUnx.exe

Filesize
1.8MB

MD5
3f2ff4aae7b6921e5080e1953bc0617e

SHA1
bd748b0967549999ba44f8741b2e0d585f8603e8

SHA256
bbd451fa6fbb26f13c85b26b9f2e11c639434d3c9dfe6444cfbf13926e0358d1

SHA512
f178dda244fefbbcd9f465a7365e64931cf4779542881b83e134c55ff6727db4bafb98279b0b97dda3317f94b652fd8c6d3cce2ed89b2000f994d358f92ad016

Download Submit
C:\Windows\System32\JHRceBF.exe

Filesize
1.8MB

MD5
a88b70b3849b0f19cec8d2a86f6bb458

SHA1
12115c037c05cb3b023b1daea4748d9e1dceae1b

SHA256
d57866ab7a6541d6ab7e166ee3f748c6b2c12e0411af67f2c945d4ca62380fa7

SHA512
bca6f06bf260665ae854b0dc0c4f7da4d36828b0c7f9f2d59ce4f267f0781d03212e14b93cf1abb8a7e7df424d943224e85352684bbe0bea79417b636862eafa

Download Submit
C:\Windows\System32\KDKZPbq.exe

Filesize
1.9MB

MD5
7ec9736664d331aa82c893fa840d4813

SHA1
03aa660051275238865be30272460d430b674256

SHA256
50acaa3d319e6a74da716e26cc30a60bcc4b6831bb161c43e5ab8232cbd8a4c4

SHA512
69d6746057acdffeb0cd94195bd355cf17a39a4f34664c8e32cac514b6cbd3135d98eb38ace8b865d26538e6078e9db5981601e53eebc66ff2c49331b06429a5

Download Submit
C:\Windows\System32\LYBkSpn.exe

Filesize
1.8MB

MD5
be2220db09b812da3e68e3547af26fb9

SHA1
7261deb5a1519e09c536eacd774911c0b4f289c9

SHA256
e411521747900bacabcab8c013604e373132092ddc4831a2a2a99e2c66bb63f6

SHA512
23e943c56b590feae6c268862df94112b440aa4f7c9f3da60b049f5278fc1235dcab6c2c59c320e0a4c3011025c384fe1fd12a451e75302a40f2a2ab1da29369

Download Submit
C:\Windows\System32\NJjCSYW.exe

Filesize
1.8MB

MD5
46d2096bcae84d5e184ee529b0fe750f

SHA1
ac10abbb15754300a1e9591a33b199b2d96a592d

SHA256
6fa3171267532b0569d66b969e1e4a82343501fadfd6b6978d5e6661f6442fbc

SHA512
5066fde2016dbe444709a7ef07218aabb63760c2317cf360919ecad9b6b408f55ef366221d7a1df893169d3f6c43096a4b6ec78432aa323a9fa3a6ef901eeefa

Download Submit
C:\Windows\System32\NVOFaWu.exe

Filesize
1.8MB

MD5
b586fa0acca15e5262f32e70edfb3e33

SHA1
89cfc4dd40621982beae2739c53a103bfd0da4a5

SHA256
7d4508a3d638cd16823d1430da3aec31f1db1cd7a71690d0266789288800ddfe

SHA512
b7a49b94c589e2ae173d2165c10f8257adcfd4392e830701e408ed579873bcc7b5160e2605bde5583b71c07f195a12e2c90818a76659b4eee656bcbd94e30277

Download Submit
C:\Windows\System32\OTMFmkD.exe

Filesize
1.8MB

MD5
51664bc27abc98e3d66464e5da510812

SHA1
5cc121fa3cde89bcba39ba5393093cdee5c7ad20

SHA256
6aa4e4cf655d3a69192d98b23bcda0427d7bed91caf3076c94159c9fcea4518f

SHA512
1206731e21152ef7ca01914768686cb555feb1bb5e92eca6692099bf8610cfc6baaca72fc52c9fa95fa0ed61dbc8755094de1407bc18fac15f0c84bc942c0e9a

Download Submit
C:\Windows\System32\PJlJWzs.exe

Filesize
1.8MB

MD5
cd9091bb0a203183074b83f432777b53

SHA1
f3cd1e4a2822e4464de5dcc2070d44a6aebb4322

SHA256
7bc6edcfb4a38fb5bba2e99b00b5006800d5b18dad7236cc9b8da56d4f1b8a8d

SHA512
6199fdf1fe777fdd70e4a3b1b6750016a1d96df90d478924b973a3155e85c8bff1e09106f7a82a3818c34ba15ba8c87b041c5e583bc31d1165d40c8ea2d4686c

Download Submit
C:\Windows\System32\QJRSsQs.exe

Filesize
1.9MB

MD5
698dc3d58236af8cc21ec07659701f8e

SHA1
fd2a9d647cf78bacfb35cd7daf24182d49c88144

SHA256
4bf7fe93b9e1f71d415ad6b72fc81a783bc7761654765d4895cca296badfe797

SHA512
a699514f07126b68fcc0c9d1d7d7a43df3c2a3543294a48ebfac6d07736a7468240b3c010c250bd2a77f452d69b08771f4115355fcbd9962beee072228b2e902

Download Submit
C:\Windows\System32\UaqraoT.exe

Filesize
1.8MB

MD5
3a951525b87ecd3d1a3356168a1abe06

SHA1
dd0687b8d8eda97c7952211cb3057fc0e50a1266

SHA256
5bbdf015f9744d4e13d702e074cb2401a0f3cce2cbebfb10e4fc31fa493b9826

SHA512
cae2df13b4719254d17c45a2916c48aedc8772e0ef046180d44166bb76a884a2f0b2f58652b27222bfdf1f63685fc42a7e4ab1f19db522b3ed23aab8814d05c1

Download Submit
C:\Windows\System32\UmDjDOy.exe

Filesize
1.8MB

MD5
d46628a62f8cc0d6b46b7184cee25db1

SHA1
bd07d04ea7d29fa6321b19fa3d323b1319517534

SHA256
dfa0b00f101f607e03cceab8d02ae3e72415bbb596b755d6ce512441c54456eb

SHA512
af9db42b8d9cd53f9c507322c9098d7eadad2ea8e6d87425f6ba35d932279c26a17c2570fcdda28557efd0309dc39631dc5fda7dc0d0bafd4b6701cdbaaf0138

Download Submit
C:\Windows\System32\Umpjjyd.exe

Filesize
1.8MB

MD5
ca436a38c84246d3c85bb9463d157c56

SHA1
21c466f2c149f3be3f60aee578915d1f6be51acb

SHA256
cd890bb9b110700df65cfa4dd38baf00aa5bcecca4b040af6ab6a276e311d965

SHA512
e6f324edefb252e170596e3e0f9518865e02ca81d7628acb66ab4e6327af8b5d654cb98a10189e94032afecad725fe4d156325e4a003be51e29a4135bf970709

Download Submit
C:\Windows\System32\VVdYbbk.exe

Filesize
1.8MB

MD5
d681137a0b4bbd8e716f09069e81f649

SHA1
16510c3591614f1f145be0326db19978a57aac0e

SHA256
f0e7be2b9289aa63768c2eb04a9c9c399272dafb0fd80ba9d5e0b0fb6471f439

SHA512
4080ef8de216f90399d04c07d48343befedf600af989b71b4ef840514b2d5773e1c0d36915a2d120db3a9894c7e16b0fefa927d091bd650df44b0c19e0cb5f72

Download Submit
C:\Windows\System32\XjbLfwv.exe

Filesize
1.8MB

MD5
d812ea0e5e3ef22353be274126277d52

SHA1
90d41fa374f0d2902df2caf3663ede8bf83dcb43

SHA256
3af94c39180d142febaa8a0d5503b70c2debba3a70e621cf17f451f3f482056e

SHA512
e5526804a8a002a1352a45730867bd214c907f74890dcb6e031880ae3e096674c2df67380ab9f92942c0e1352e4053d20b4def2c5b7aa8428a6845763694be1e

Download Submit
C:\Windows\System32\ZQnnuTi.exe

Filesize
1.8MB

MD5
4b5fcec61338ea5fb19bd9550ffa30eb

SHA1
b4536621d110da80cc663a6940bd2554f3108fc6

SHA256
86f294608d62101dc9902ae32d5f7fe5732e4d6369af241e360fceacce6ac57c

SHA512
e82fbf02a17d68fa83ec49d7184c2825463a6e3da9c2045bc685fc48778d59f6a5321cff06d4b09e3263d36e9eea6257d11006e6807de688738b77fdbd015728

Download Submit
C:\Windows\System32\cCicJnJ.exe

Filesize
1.8MB

MD5
ec88b0f450beb64f021db306751338f3

SHA1
0b74f0c8978ee15085a7e4bf41a78cf728b42e86

SHA256
08c6cc013a01f5f7e85272dbcfeb932e61bd24babfda2ab8cc7bf2f67de74e73

SHA512
9bbd45e3eda787492f3394289abc9b2431bf2bf6504013e4ae01accc0147e0d2f303d0c9564f3aa66be7ee2f43331261318b232127d1e08c41d283b42957c06c

Download Submit
C:\Windows\System32\cWKiAqF.exe

Filesize
1.9MB

MD5
7c35cfae3350b4a3c1787e6a9a1dd32f

SHA1
a612362b01c418032d583f118d7420172f74bebd

SHA256
5b8958f6a106756e5b518940b966ac5b3ec2b9d3d60dd46cc57dd1ef5b6dcc32

SHA512
1b1dd26fd872669174a9bad67e8b061968b7132cc9823dc537b3f520e02d54e86f2fc1a522eb837ed03df05e501f9f08c5f4ec2e0b4afc06dd648c4bb94c7ac5

Download Submit
C:\Windows\System32\fMzfcmq.exe

Filesize
1.8MB

MD5
eccb5e8a7ba679a28ccbd6eb2d199579

SHA1
3a07c23895b7b65b643fb078bdfef007ead94073

SHA256
f2d484906236e96605e51adb8814666a320e706e0dd402423be62e2a2dd624c0

SHA512
e4d1e1fc469905475625e2db37b964ee56f8077ebcb6b71329a0f3de19215f8d382b45bf8ce1079d5a4f500c0fecc65c9626a107053f6b526f2ea5f7fc8c4be2

Download Submit
C:\Windows\System32\fYQinmq.exe

Filesize
1.9MB

MD5
5f2e09e167313cecbd57a3a256341193

SHA1
dec94778c194105c93a1ce76540e3ef1bb827b6b

SHA256
33f371387a9db28660036bc527131c2461af6106f5f59d3ef67920da16028b45

SHA512
aa815ba69685b26bcd72b17e4cf8ebaac68e3e6e1cd8b46dd19f6c8261c5a39985e2227bd9366b7a502e9d0cd9e4a281f26c7ad65055387089a428310b8db331

Download Submit
C:\Windows\System32\iHmtRdT.exe

Filesize
1.8MB

MD5
50db6ea2aa8b69dcdd8bd4d1f27f2ff5

SHA1
81e2b21ceb4727307c3929d2576b4e26f6a542f5

SHA256
986bd327d50fa9bde6b0c10b24a0e7837b87bb63ddc32ce45e2ee957c97dc7ff

SHA512
b9718ee8711414f39686be77caaad906416d91b8b5fb665d51199e6a68e8e01e2c37fcf234fee18e781fdbe95f173eeb9832fcb3e793591465d7f07ba8d10e0f

Download Submit
C:\Windows\System32\ivpZLGj.exe

Filesize
1.8MB

MD5
d012ee9611f3dbc5e952afe60b0be295

SHA1
7728c5fcd28e670b3fe01a523ec11a7013f9038f

SHA256
e408b944457c5c1b8267269c529651414d434aa52a094cf64a92fd6114cedb81

SHA512
a6bc7a0e68db1cb859c0ed8a25de5b69f895c607fb0b3abe4fd8f6f9477337b9e3342341e3ab79582e7300192b1ea645d3fcfd823d098047c425783fe59afb57

Download Submit
C:\Windows\System32\kLNQYkR.exe

Filesize
1.9MB

MD5
6cece94779ee5258ff4767a082ef7beb

SHA1
a9a46876ea8ec32512bfca1bb8d43110d39830de

SHA256
21df5d5af6965de097784a1694285fe1e76a2f243097bb221ff86ee83eb87b17

SHA512
c66133e4f490158211547928b4c87e2c374ed27d9fe02d7aa59e7e21d007029fbc1423d5350a68f4b197a7bbc4a6d96d9aeca5bec627806eaa47bc95faa0dfdc

Download Submit
C:\Windows\System32\kXNEwAG.exe

Filesize
1.8MB

MD5
a2ae8a247c3f6e6f7e92c14d4c855093

SHA1
a4d99cb0c84e2a8ccb738a30932e0c2f4de10099

SHA256
60be24b40e2b449dd3821f6fad4bb487d79597a518ca7f76b7738841bea6144c

SHA512
417c191fd5dde2bd61a4f6b1a72483282a7885e2265c36d9b1687adccbfa67f1592cdd634fd499fbb3df601b484669b4d8ede101dee062e55dcda82fe3504604

Download Submit
C:\Windows\System32\nAIaNvJ.exe

Filesize
1.8MB

MD5
211daa4aba45137141ed079c0da1549e

SHA1
f6ffb5b21bdce132d2990fdc14288ed17a9176a1

SHA256
6b42dfeb9ed757ce0c81eec4d84636eacbf64538d8229592dbeabe392f0a2d43

SHA512
fa19756404058984161fb3c0209a2f24f876f9aff3751c25df6300906ac5ec8463f8e3340135f4637147be6557cd31c039e3663b1ab68ee279f8386e210c0d8a

Download Submit
C:\Windows\System32\nANUbNc.exe

Filesize
1.9MB

MD5
e2d9b6b88fb8f00ea286d8bbd253bcb3

SHA1
deadd1cddffeb7b33373a6db3069cd44e236b03d

SHA256
445551e323f0198128e77fa36b668a1964ddee48f91bd6d9396cd527417596bb

SHA512
8f611398f3803dda98d7813f8fde57b6b9d16051ca63ba4b51bca1a2f5f14b79127f7a456828abd23e0d5940fbfa187a958cbf7a3f985041abe2c70107e34d0b

Download Submit
C:\Windows\System32\pOwpnIG.exe

Filesize
1.9MB

MD5
c17e716fa5b1354b813cd9d05c4c8730

SHA1
878b9d8e30b407c172bbed3876e5b4fa52a43611

SHA256
fa3dc5d7fad97be018de130a44b0affedb56ad0757d1531b2dcffe548203cd6c

SHA512
4c68fd847c10824596756b779e79538e5422ec12ce6dac16709de57e81249f2b6c44d1a82ebe2282dfa68244c56533d24b5ada145e931a3e76f7329ef7342ae8

Download Submit
C:\Windows\System32\tzmaQku.exe

Filesize
1.8MB

MD5
f2d26d8596d931f7a4fbf8bda1dc640c

SHA1
d3d55e73c1005693a8b87bad6f7231ac5b18015d

SHA256
d5f033e44f17afd1c0c652513618ded5533af044972696c8fcf27e99520468f5

SHA512
5d1888e1c752b4c12868d2ab6fa59f565589a9bff8ca0408a4bbb1791764aa612902a09bdf17505c77d363b3e313cfeea10bfd0a373e48e70650ac0fd73dd4f6

Download Submit
C:\Windows\System32\vZdruDR.exe

Filesize
1.8MB

MD5
de56f0a282058a6334ee74555ab9d6ee

SHA1
a40eebdc760397d12478355173d7126a5c996d24

SHA256
d359e9e00869562fafbe749a6fcfd2e44309b9f4beeb6cd3f5c7ca1ff5e2ca9c

SHA512
a479277ebf160ad441f2b72fac6269a9b18535fbf4609d2683072910e295bee797a19d2f5f93963323b27b786b7690b5795c5296d99d9f7081d003626c20456a

Download Submit
C:\Windows\System32\xfhRsga.exe

Filesize
1.8MB

MD5
ea64a114d038bbfa9a9c6aee532dd1ac

SHA1
f79bf72fc0bda5e33fe2e98d21c2e8b2ae3a813a

SHA256
9a32db199de72d84122fea3dd0f5467a043b9d190efb257bd0cabf10df42bd9b

SHA512
4549dc5229f9d645f6a3915fde065569117e664d378c5230d572fde3d1c6e7903968bbdb505897333cd0b51fac7f1a6cb8cb1f1af38878bbe80a74a3d8c07004

Download Submit
C:\Windows\System32\xoGQGrd.exe

Filesize
1.8MB

MD5
e3c8aa5621c81d8d85130866f7b4e52a

SHA1
deca32190bc921af590f836a26e19b5d6e73e49a

SHA256
f36f0b9ba295738381e3de99cc601b610dd9db7dbbebc59acfd091263d845c42

SHA512
dcf2f0eac1f48bc0e592f9a70f4711d5f20ab67042b7d611160afee67a108c8b7decf56cec55b413bdc3d7f721269b3ec506ba986230fee83e91ee64a8cdf097

Download Submit
memory/412-445-0x00007FF6E1510000-0x00007FF6E1901000-memory.dmp

Filesize
3.9MB

Download
memory/412-2051-0x00007FF6E1510000-0x00007FF6E1901000-memory.dmp

Filesize
3.9MB

Download
memory/440-448-0x00007FF624200000-0x00007FF6245F1000-memory.dmp

Filesize
3.9MB

Download
memory/440-2049-0x00007FF624200000-0x00007FF6245F1000-memory.dmp

Filesize
3.9MB

Download
memory/684-470-0x00007FF637D00000-0x00007FF6380F1000-memory.dmp

Filesize
3.9MB

Download
memory/684-2061-0x00007FF637D00000-0x00007FF6380F1000-memory.dmp

Filesize
3.9MB

Download
memory/860-441-0x00007FF7289E0000-0x00007FF728DD1000-memory.dmp

Filesize
3.9MB

Download
memory/860-2043-0x00007FF7289E0000-0x00007FF728DD1000-memory.dmp

Filesize
3.9MB

Download
memory/1084-2078-0x00007FF6DBF50000-0x00007FF6DC341000-memory.dmp

Filesize
3.9MB

Download
memory/1084-511-0x00007FF6DBF50000-0x00007FF6DC341000-memory.dmp

Filesize
3.9MB

Download
memory/1224-2069-0x00007FF748740000-0x00007FF748B31000-memory.dmp

Filesize
3.9MB

Download
memory/1224-492-0x00007FF748740000-0x00007FF748B31000-memory.dmp

Filesize
3.9MB

Download
memory/1588-2080-0x00007FF653F70000-0x00007FF654361000-memory.dmp

Filesize
3.9MB

Download
memory/1588-522-0x00007FF653F70000-0x00007FF654361000-memory.dmp

Filesize
3.9MB

Download
memory/1692-2085-0x00007FF65A6B0000-0x00007FF65AAA1000-memory.dmp

Filesize
3.9MB

Download
memory/1692-536-0x00007FF65A6B0000-0x00007FF65AAA1000-memory.dmp

Filesize
3.9MB

Download
memory/1800-444-0x00007FF6B2110000-0x00007FF6B2501000-memory.dmp

Filesize
3.9MB

Download
memory/1800-2053-0x00007FF6B2110000-0x00007FF6B2501000-memory.dmp

Filesize
3.9MB

Download
memory/1924-2092-0x00007FF60E950000-0x00007FF60ED41000-memory.dmp

Filesize
3.9MB

Download
memory/1924-525-0x00007FF60E950000-0x00007FF60ED41000-memory.dmp

Filesize
3.9MB

Download
memory/2164-2074-0x00007FF6CE4E0000-0x00007FF6CE8D1000-memory.dmp

Filesize
3.9MB

Download
memory/2164-529-0x00007FF6CE4E0000-0x00007FF6CE8D1000-memory.dmp

Filesize
3.9MB

Download
memory/2596-2039-0x00007FF7481B0000-0x00007FF7485A1000-memory.dmp

Filesize
3.9MB

Download
memory/2596-11-0x00007FF7481B0000-0x00007FF7485A1000-memory.dmp

Filesize
3.9MB

Download
memory/2596-2013-0x00007FF7481B0000-0x00007FF7485A1000-memory.dmp

Filesize
3.9MB

Download
memory/2848-443-0x00007FF6182D0000-0x00007FF6186C1000-memory.dmp

Filesize
3.9MB

Download
memory/2848-2047-0x00007FF6182D0000-0x00007FF6186C1000-memory.dmp

Filesize
3.9MB

Download
memory/2904-619-0x00007FF7232E0000-0x00007FF7236D1000-memory.dmp

Filesize
3.9MB

Download
memory/2904-2045-0x00007FF7232E0000-0x00007FF7236D1000-memory.dmp

Filesize
3.9MB

Download
memory/3292-517-0x00007FF7DD240000-0x00007FF7DD631000-memory.dmp

Filesize
3.9MB

Download
memory/3292-2075-0x00007FF7DD240000-0x00007FF7DD631000-memory.dmp

Filesize
3.9MB

Download
memory/3348-2066-0x00007FF7095B0000-0x00007FF7099A1000-memory.dmp

Filesize
3.9MB

Download
memory/3348-490-0x00007FF7095B0000-0x00007FF7099A1000-memory.dmp

Filesize
3.9MB

Download
memory/3544-2057-0x00007FF725C00000-0x00007FF725FF1000-memory.dmp

Filesize
3.9MB

Download
memory/3544-454-0x00007FF725C00000-0x00007FF725FF1000-memory.dmp

Filesize
3.9MB

Download
memory/3644-2042-0x00007FF6201C0000-0x00007FF6205B1000-memory.dmp

Filesize
3.9MB

Download
memory/3644-440-0x00007FF6201C0000-0x00007FF6205B1000-memory.dmp

Filesize
3.9MB

Download
memory/3656-2059-0x00007FF6082B0000-0x00007FF6086A1000-memory.dmp

Filesize
3.9MB

Download
memory/3656-463-0x00007FF6082B0000-0x00007FF6086A1000-memory.dmp

Filesize
3.9MB

Download
memory/3928-1-0x000001A4A5D60000-0x000001A4A5D70000-memory.dmp

Filesize
64KB

Download
memory/3928-0-0x00007FF780460000-0x00007FF780851000-memory.dmp

Filesize
3.9MB

Download
memory/3944-2122-0x00007FF606750000-0x00007FF606B41000-memory.dmp

Filesize
3.9MB

Download
memory/3944-532-0x00007FF606750000-0x00007FF606B41000-memory.dmp

Filesize
3.9MB

Download
memory/3968-442-0x00007FF676CF0000-0x00007FF6770E1000-memory.dmp

Filesize
3.9MB

Download
memory/3968-2055-0x00007FF676CF0000-0x00007FF6770E1000-memory.dmp

Filesize
3.9MB

Download
memory/4248-485-0x00007FF6D12D0000-0x00007FF6D16C1000-memory.dmp

Filesize
3.9MB

Download
memory/4248-2064-0x00007FF6D12D0000-0x00007FF6D16C1000-memory.dmp

Filesize
3.9MB

Download
memory/5016-496-0x00007FF6241E0000-0x00007FF6245D1000-memory.dmp

Filesize
3.9MB

Download
memory/5016-2071-0x00007FF6241E0000-0x00007FF6245D1000-memory.dmp

Filesize
3.9MB

Download
memory/5040-2067-0x00007FF7769E0000-0x00007FF776DD1000-memory.dmp

Filesize
3.9MB

Download
memory/5040-477-0x00007FF7769E0000-0x00007FF776DD1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads