xmrig | 71a3f3ea5a5296df180bd02c81a2afb11e2f8676b2dc201ba52a1f28e4e9dee9

Analysis

max time kernel
110s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a5a4a3368835bca805c9b8f9c193c10N.exe
Size

1.2MB
MD5

1a5a4a3368835bca805c9b8f9c193c10
SHA1

59dafca2725868539fb8f5bd2b0b80c590becd67
SHA256

71a3f3ea5a5296df180bd02c81a2afb11e2f8676b2dc201ba52a1f28e4e9dee9
SHA512

6bb7bd6846cac739a0e69d5efca5c962f06b131876d04eadbb4259f22e48d3d174ccf4b8026f57bd8a347dd89ddebe5e7862c21d59ba4cc20caafddedeaecf8e
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCejIODosB2Qc:knw9oUUEEDlGUrMu1

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1044-32-0x00007FF6B31C0000-0x00007FF6B35B1000-memory.dmp	xmrig
behavioral2/memory/752-356-0x00007FF6A01D0000-0x00007FF6A05C1000-memory.dmp	xmrig
behavioral2/memory/1368-357-0x00007FF6987C0000-0x00007FF698BB1000-memory.dmp	xmrig
behavioral2/memory/4128-361-0x00007FF7BDAE0000-0x00007FF7BDED1000-memory.dmp	xmrig
behavioral2/memory/3888-385-0x00007FF7E4110000-0x00007FF7E4501000-memory.dmp	xmrig
behavioral2/memory/2076-377-0x00007FF757070000-0x00007FF757461000-memory.dmp	xmrig
behavioral2/memory/1764-374-0x00007FF77B930000-0x00007FF77BD21000-memory.dmp	xmrig
behavioral2/memory/2452-392-0x00007FF707FA0000-0x00007FF708391000-memory.dmp	xmrig
behavioral2/memory/2064-395-0x00007FF60B6B0000-0x00007FF60BAA1000-memory.dmp	xmrig
behavioral2/memory/4756-398-0x00007FF798130000-0x00007FF798521000-memory.dmp	xmrig
behavioral2/memory/1604-388-0x00007FF77E340000-0x00007FF77E731000-memory.dmp	xmrig
behavioral2/memory/2620-407-0x00007FF7E3A30000-0x00007FF7E3E21000-memory.dmp	xmrig
behavioral2/memory/748-403-0x00007FF73F4A0000-0x00007FF73F891000-memory.dmp	xmrig
behavioral2/memory/2428-410-0x00007FF62ECB0000-0x00007FF62F0A1000-memory.dmp	xmrig
behavioral2/memory/4076-413-0x00007FF759B90000-0x00007FF759F81000-memory.dmp	xmrig
behavioral2/memory/4408-415-0x00007FF761CA0000-0x00007FF762091000-memory.dmp	xmrig
behavioral2/memory/3788-416-0x00007FF60A400000-0x00007FF60A7F1000-memory.dmp	xmrig
behavioral2/memory/3944-417-0x00007FF6FDEC0000-0x00007FF6FE2B1000-memory.dmp	xmrig
behavioral2/memory/2460-414-0x00007FF60D570000-0x00007FF60D961000-memory.dmp	xmrig
behavioral2/memory/2268-400-0x00007FF6414B0000-0x00007FF6418A1000-memory.dmp	xmrig
behavioral2/memory/4544-1936-0x00007FF6D0FF0000-0x00007FF6D13E1000-memory.dmp	xmrig
behavioral2/memory/4484-1937-0x00007FF759CE0000-0x00007FF75A0D1000-memory.dmp	xmrig
behavioral2/memory/952-1970-0x00007FF6B14D0000-0x00007FF6B18C1000-memory.dmp	xmrig
behavioral2/memory/2068-1971-0x00007FF713960000-0x00007FF713D51000-memory.dmp	xmrig
behavioral2/memory/1676-1973-0x00007FF606880000-0x00007FF606C71000-memory.dmp	xmrig
behavioral2/memory/4544-1975-0x00007FF6D0FF0000-0x00007FF6D13E1000-memory.dmp	xmrig
behavioral2/memory/4484-1977-0x00007FF759CE0000-0x00007FF75A0D1000-memory.dmp	xmrig
behavioral2/memory/952-1979-0x00007FF6B14D0000-0x00007FF6B18C1000-memory.dmp	xmrig
behavioral2/memory/1044-1983-0x00007FF6B31C0000-0x00007FF6B35B1000-memory.dmp	xmrig
behavioral2/memory/2068-1982-0x00007FF713960000-0x00007FF713D51000-memory.dmp	xmrig
behavioral2/memory/752-1992-0x00007FF6A01D0000-0x00007FF6A05C1000-memory.dmp	xmrig
behavioral2/memory/2452-1994-0x00007FF707FA0000-0x00007FF708391000-memory.dmp	xmrig
behavioral2/memory/2064-2001-0x00007FF60B6B0000-0x00007FF60BAA1000-memory.dmp	xmrig
behavioral2/memory/2620-2007-0x00007FF7E3A30000-0x00007FF7E3E21000-memory.dmp	xmrig
behavioral2/memory/748-2011-0x00007FF73F4A0000-0x00007FF73F891000-memory.dmp	xmrig
behavioral2/memory/4076-2013-0x00007FF759B90000-0x00007FF759F81000-memory.dmp	xmrig
behavioral2/memory/4408-2015-0x00007FF761CA0000-0x00007FF762091000-memory.dmp	xmrig
behavioral2/memory/3788-2019-0x00007FF60A400000-0x00007FF60A7F1000-memory.dmp	xmrig
behavioral2/memory/2460-2017-0x00007FF60D570000-0x00007FF60D961000-memory.dmp	xmrig
behavioral2/memory/2428-2010-0x00007FF62ECB0000-0x00007FF62F0A1000-memory.dmp	xmrig
behavioral2/memory/2268-2005-0x00007FF6414B0000-0x00007FF6418A1000-memory.dmp	xmrig
behavioral2/memory/4756-2004-0x00007FF798130000-0x00007FF798521000-memory.dmp	xmrig
behavioral2/memory/4128-1997-0x00007FF7BDAE0000-0x00007FF7BDED1000-memory.dmp	xmrig
behavioral2/memory/1604-1996-0x00007FF77E340000-0x00007FF77E731000-memory.dmp	xmrig
behavioral2/memory/1764-1990-0x00007FF77B930000-0x00007FF77BD21000-memory.dmp	xmrig
behavioral2/memory/1368-1999-0x00007FF6987C0000-0x00007FF698BB1000-memory.dmp	xmrig
behavioral2/memory/3888-1986-0x00007FF7E4110000-0x00007FF7E4501000-memory.dmp	xmrig
behavioral2/memory/2076-1988-0x00007FF757070000-0x00007FF757461000-memory.dmp	xmrig
behavioral2/memory/3944-2077-0x00007FF6FDEC0000-0x00007FF6FE2B1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4544	qDpJMIl.exe
4484	EIEIJGw.exe
952	VQSZIGS.exe
2068	OBEgFTd.exe
1044	MjbTuXr.exe
752	JzPAPgL.exe
1368	ZfJghfx.exe
4128	rmYMGHe.exe
1764	RjIURRG.exe
2076	qpaVOzm.exe
3888	QJMXDtS.exe
1604	BsCZNRw.exe
2452	KHvbWeq.exe
2064	mfMRREQ.exe
4756	jKZyaBE.exe
2268	AkyLrky.exe
748	KKnyQqC.exe
2620	BQSUyxD.exe
2428	HtNvoOn.exe
4076	DicRsuL.exe
2460	zjWpwHd.exe
4408	eIqgeWE.exe
3788	gNuwXmR.exe
3944	KunTDsX.exe
3440	lBeMnJe.exe
1952	kjssNIP.exe
3184	VimfocG.exe
692	flnumlc.exe
4872	EKMKuId.exe
5040	nKRbQOd.exe
32	UajqPGA.exe
1440	pUXtPsP.exe
840	NkBnLXe.exe
4904	QPkNpim.exe
3616	OLjFFpA.exe
4760	WxHnIPX.exe
3580	HFdRfRp.exe
4804	uQtXqqf.exe
2828	LsLcIPN.exe
4312	cjMDxVM.exe
3056	KiMyjrd.exe
2208	FowNAuu.exe
2172	rLVnkDu.exe
3824	DtqZhsQ.exe
2884	oVudGYe.exe
3756	cgJgPHq.exe
4604	VqdSOWb.exe
2480	rqifkvD.exe
4184	HPcCQRX.exe
3344	GjTtPhs.exe
4376	iNUMuSy.exe
1136	QzhJkOx.exe
2880	lWUEiTf.exe
5052	uyJwKcQ.exe
508	RxVnGIZ.exe
4220	njQfAWg.exe
2688	nAKjIXw.exe
2876	iKhvzsZ.exe
4720	HYBDNSx.exe
4972	eCzvRMG.exe
3420	mYAXDiM.exe
2488	ZNrKTHI.exe
1040	dSZfnLv.exe
2740	PfPSEor.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1676-0-0x00007FF606880000-0x00007FF606C71000-memory.dmp	upx
behavioral2/files/0x000800000002344c-5.dat	upx
behavioral2/memory/4544-8-0x00007FF6D0FF0000-0x00007FF6D13E1000-memory.dmp	upx
behavioral2/files/0x0007000000023453-11.dat	upx
behavioral2/files/0x0007000000023454-17.dat	upx
behavioral2/memory/952-20-0x00007FF6B14D0000-0x00007FF6B18C1000-memory.dmp	upx
behavioral2/files/0x0007000000023455-22.dat	upx
behavioral2/memory/2068-24-0x00007FF713960000-0x00007FF713D51000-memory.dmp	upx
behavioral2/files/0x0007000000023456-30.dat	upx
behavioral2/memory/1044-32-0x00007FF6B31C0000-0x00007FF6B35B1000-memory.dmp	upx
behavioral2/files/0x0007000000023457-36.dat	upx
behavioral2/files/0x0008000000023450-44.dat	upx
behavioral2/files/0x000700000002345a-51.dat	upx
behavioral2/files/0x000700000002345b-56.dat	upx
behavioral2/files/0x000700000002345c-61.dat	upx
behavioral2/files/0x000700000002345e-69.dat	upx
behavioral2/files/0x000700000002345f-76.dat	upx
behavioral2/files/0x0007000000023461-84.dat	upx
behavioral2/files/0x0007000000023462-91.dat	upx
behavioral2/files/0x0007000000023464-101.dat	upx
behavioral2/files/0x0007000000023468-121.dat	upx
behavioral2/memory/752-356-0x00007FF6A01D0000-0x00007FF6A05C1000-memory.dmp	upx
behavioral2/memory/1368-357-0x00007FF6987C0000-0x00007FF698BB1000-memory.dmp	upx
behavioral2/memory/4128-361-0x00007FF7BDAE0000-0x00007FF7BDED1000-memory.dmp	upx
behavioral2/memory/3888-385-0x00007FF7E4110000-0x00007FF7E4501000-memory.dmp	upx
behavioral2/memory/2076-377-0x00007FF757070000-0x00007FF757461000-memory.dmp	upx
behavioral2/memory/1764-374-0x00007FF77B930000-0x00007FF77BD21000-memory.dmp	upx
behavioral2/files/0x0007000000023471-166.dat	upx
behavioral2/files/0x0007000000023470-161.dat	upx
behavioral2/files/0x000700000002346f-156.dat	upx
behavioral2/files/0x000700000002346e-151.dat	upx
behavioral2/files/0x000700000002346d-146.dat	upx
behavioral2/files/0x000700000002346c-141.dat	upx
behavioral2/files/0x000700000002346b-136.dat	upx
behavioral2/files/0x000700000002346a-131.dat	upx
behavioral2/files/0x0007000000023469-126.dat	upx
behavioral2/files/0x0007000000023467-116.dat	upx
behavioral2/memory/2452-392-0x00007FF707FA0000-0x00007FF708391000-memory.dmp	upx
behavioral2/memory/2064-395-0x00007FF60B6B0000-0x00007FF60BAA1000-memory.dmp	upx
behavioral2/memory/4756-398-0x00007FF798130000-0x00007FF798521000-memory.dmp	upx
behavioral2/memory/1604-388-0x00007FF77E340000-0x00007FF77E731000-memory.dmp	upx
behavioral2/files/0x0007000000023466-111.dat	upx
behavioral2/files/0x0007000000023465-106.dat	upx
behavioral2/files/0x0007000000023463-96.dat	upx
behavioral2/files/0x0007000000023460-81.dat	upx
behavioral2/files/0x000700000002345d-66.dat	upx
behavioral2/memory/2620-407-0x00007FF7E3A30000-0x00007FF7E3E21000-memory.dmp	upx
behavioral2/memory/748-403-0x00007FF73F4A0000-0x00007FF73F891000-memory.dmp	upx
behavioral2/memory/2428-410-0x00007FF62ECB0000-0x00007FF62F0A1000-memory.dmp	upx
behavioral2/memory/4076-413-0x00007FF759B90000-0x00007FF759F81000-memory.dmp	upx
behavioral2/memory/4408-415-0x00007FF761CA0000-0x00007FF762091000-memory.dmp	upx
behavioral2/memory/3788-416-0x00007FF60A400000-0x00007FF60A7F1000-memory.dmp	upx
behavioral2/memory/3944-417-0x00007FF6FDEC0000-0x00007FF6FE2B1000-memory.dmp	upx
behavioral2/memory/2460-414-0x00007FF60D570000-0x00007FF60D961000-memory.dmp	upx
behavioral2/memory/2268-400-0x00007FF6414B0000-0x00007FF6418A1000-memory.dmp	upx
behavioral2/files/0x0007000000023459-41.dat	upx
behavioral2/memory/4484-13-0x00007FF759CE0000-0x00007FF75A0D1000-memory.dmp	upx
behavioral2/memory/4544-1936-0x00007FF6D0FF0000-0x00007FF6D13E1000-memory.dmp	upx
behavioral2/memory/4484-1937-0x00007FF759CE0000-0x00007FF75A0D1000-memory.dmp	upx
behavioral2/memory/952-1970-0x00007FF6B14D0000-0x00007FF6B18C1000-memory.dmp	upx
behavioral2/memory/2068-1971-0x00007FF713960000-0x00007FF713D51000-memory.dmp	upx
behavioral2/memory/1676-1973-0x00007FF606880000-0x00007FF606C71000-memory.dmp	upx
behavioral2/memory/4544-1975-0x00007FF6D0FF0000-0x00007FF6D13E1000-memory.dmp	upx
behavioral2/memory/4484-1977-0x00007FF759CE0000-0x00007FF75A0D1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\tbWvLcY.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\BsCZNRw.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\iFypYsG.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\synhCBN.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\hdyEuJw.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\WiykodS.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\tDIvTey.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\irPXZzL.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\zjWpwHd.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\VimfocG.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\QZKJbEq.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\hxJzYwY.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\weyRwZf.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\SUiMqBz.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\nndfhSI.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\KKnyQqC.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\whAFMLI.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\AVgcIbB.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\UzTkgjZ.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\zQGMrkz.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\hZIPyKS.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\TiBntDk.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\xVXwHUi.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\eAphmTZ.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\hgnghyc.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\wTLXRCD.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\RuWWgnV.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\hnVBiYW.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\YOOhDYx.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\xYUiHJq.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\ByYNbMs.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\PKUjCbY.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\PpgqhWM.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\WdSGGDK.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\ombZSes.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\BUnFoCp.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\SgakcbY.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\fRoVWQT.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\WxHnIPX.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\QjdCycp.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\vEIHojp.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\wRfGiVb.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\UDxQuvW.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\MjbTuXr.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\eJXVwdk.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\SQXHFFY.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\ARhadRT.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\COMrGfa.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\rdvaiUN.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\XzvUBmJ.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\bjZHaIi.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\cFFCLSW.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\JJhiuYf.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\QNWdnGo.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\nyoaOjZ.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\EjCKymC.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\MBTHUsr.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\HTkWyAW.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\OQrXvgr.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\uREmvUw.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\Umvneik.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\XMloJgy.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\Hrkxiiz.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe
File created	C:\Windows\System32\PVwNesI.exe	1a5a4a3368835bca805c9b8f9c193c10N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	5872	dwm.exe
Token: SeChangeNotifyPrivilege	5872	dwm.exe
Token: 33	5872	dwm.exe
Token: SeIncBasePriorityPrivilege	5872	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 4544	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	85
PID 1676 wrote to memory of 4544	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	85
PID 1676 wrote to memory of 4484	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	86
PID 1676 wrote to memory of 4484	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	86
PID 1676 wrote to memory of 952	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	87
PID 1676 wrote to memory of 952	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	87
PID 1676 wrote to memory of 2068	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	89
PID 1676 wrote to memory of 2068	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	89
PID 1676 wrote to memory of 1044	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	90
PID 1676 wrote to memory of 1044	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	90
PID 1676 wrote to memory of 752	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	91
PID 1676 wrote to memory of 752	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	91
PID 1676 wrote to memory of 1368	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	92
PID 1676 wrote to memory of 1368	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	92
PID 1676 wrote to memory of 4128	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	93
PID 1676 wrote to memory of 4128	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	93
PID 1676 wrote to memory of 1764	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	94
PID 1676 wrote to memory of 1764	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	94
PID 1676 wrote to memory of 2076	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	95
PID 1676 wrote to memory of 2076	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	95
PID 1676 wrote to memory of 3888	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	96
PID 1676 wrote to memory of 3888	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	96
PID 1676 wrote to memory of 1604	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	97
PID 1676 wrote to memory of 1604	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	97
PID 1676 wrote to memory of 2452	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	98
PID 1676 wrote to memory of 2452	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	98
PID 1676 wrote to memory of 2064	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	99
PID 1676 wrote to memory of 2064	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	99
PID 1676 wrote to memory of 4756	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	100
PID 1676 wrote to memory of 4756	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	100
PID 1676 wrote to memory of 2268	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	101
PID 1676 wrote to memory of 2268	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	101
PID 1676 wrote to memory of 748	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	102
PID 1676 wrote to memory of 748	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	102
PID 1676 wrote to memory of 2620	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	103
PID 1676 wrote to memory of 2620	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	103
PID 1676 wrote to memory of 2428	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	104
PID 1676 wrote to memory of 2428	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	104
PID 1676 wrote to memory of 4076	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	105
PID 1676 wrote to memory of 4076	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	105
PID 1676 wrote to memory of 2460	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	106
PID 1676 wrote to memory of 2460	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	106
PID 1676 wrote to memory of 4408	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	107
PID 1676 wrote to memory of 4408	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	107
PID 1676 wrote to memory of 3788	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	108
PID 1676 wrote to memory of 3788	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	108
PID 1676 wrote to memory of 3944	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	109
PID 1676 wrote to memory of 3944	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	109
PID 1676 wrote to memory of 3440	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	110
PID 1676 wrote to memory of 3440	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	110
PID 1676 wrote to memory of 1952	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	111
PID 1676 wrote to memory of 1952	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	111
PID 1676 wrote to memory of 3184	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	112
PID 1676 wrote to memory of 3184	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	112
PID 1676 wrote to memory of 692	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	113
PID 1676 wrote to memory of 692	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	113
PID 1676 wrote to memory of 4872	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	114
PID 1676 wrote to memory of 4872	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	114
PID 1676 wrote to memory of 5040	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	115
PID 1676 wrote to memory of 5040	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	115
PID 1676 wrote to memory of 32	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	116
PID 1676 wrote to memory of 32	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	116
PID 1676 wrote to memory of 1440	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	117
PID 1676 wrote to memory of 1440	1676	1a5a4a3368835bca805c9b8f9c193c10N.exe	117

C:\Users\Admin\AppData\Local\Temp\1a5a4a3368835bca805c9b8f9c193c10N.exe
"C:\Users\Admin\AppData\Local\Temp\1a5a4a3368835bca805c9b8f9c193c10N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\System32\qDpJMIl.exe
  C:\Windows\System32\qDpJMIl.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\EIEIJGw.exe
  C:\Windows\System32\EIEIJGw.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System32\VQSZIGS.exe
  C:\Windows\System32\VQSZIGS.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System32\OBEgFTd.exe
  C:\Windows\System32\OBEgFTd.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\MjbTuXr.exe
  C:\Windows\System32\MjbTuXr.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System32\JzPAPgL.exe
  C:\Windows\System32\JzPAPgL.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System32\ZfJghfx.exe
  C:\Windows\System32\ZfJghfx.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System32\rmYMGHe.exe
  C:\Windows\System32\rmYMGHe.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System32\RjIURRG.exe
  C:\Windows\System32\RjIURRG.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System32\qpaVOzm.exe
  C:\Windows\System32\qpaVOzm.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\QJMXDtS.exe
  C:\Windows\System32\QJMXDtS.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System32\BsCZNRw.exe
  C:\Windows\System32\BsCZNRw.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System32\KHvbWeq.exe
  C:\Windows\System32\KHvbWeq.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System32\mfMRREQ.exe
  C:\Windows\System32\mfMRREQ.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System32\jKZyaBE.exe
  C:\Windows\System32\jKZyaBE.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System32\AkyLrky.exe
  C:\Windows\System32\AkyLrky.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System32\KKnyQqC.exe
  C:\Windows\System32\KKnyQqC.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System32\BQSUyxD.exe
  C:\Windows\System32\BQSUyxD.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System32\HtNvoOn.exe
  C:\Windows\System32\HtNvoOn.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System32\DicRsuL.exe
  C:\Windows\System32\DicRsuL.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\zjWpwHd.exe
  C:\Windows\System32\zjWpwHd.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System32\eIqgeWE.exe
  C:\Windows\System32\eIqgeWE.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\gNuwXmR.exe
  C:\Windows\System32\gNuwXmR.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System32\KunTDsX.exe
  C:\Windows\System32\KunTDsX.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\lBeMnJe.exe
  C:\Windows\System32\lBeMnJe.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\kjssNIP.exe
  C:\Windows\System32\kjssNIP.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System32\VimfocG.exe
  C:\Windows\System32\VimfocG.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\flnumlc.exe
  C:\Windows\System32\flnumlc.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System32\EKMKuId.exe
  C:\Windows\System32\EKMKuId.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\nKRbQOd.exe
  C:\Windows\System32\nKRbQOd.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\UajqPGA.exe
  C:\Windows\System32\UajqPGA.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System32\pUXtPsP.exe
  C:\Windows\System32\pUXtPsP.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\NkBnLXe.exe
  C:\Windows\System32\NkBnLXe.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System32\QPkNpim.exe
  C:\Windows\System32\QPkNpim.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\OLjFFpA.exe
  C:\Windows\System32\OLjFFpA.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\WxHnIPX.exe
  C:\Windows\System32\WxHnIPX.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System32\HFdRfRp.exe
  C:\Windows\System32\HFdRfRp.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\uQtXqqf.exe
  C:\Windows\System32\uQtXqqf.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\LsLcIPN.exe
  C:\Windows\System32\LsLcIPN.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System32\cjMDxVM.exe
  C:\Windows\System32\cjMDxVM.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\KiMyjrd.exe
  C:\Windows\System32\KiMyjrd.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\FowNAuu.exe
  C:\Windows\System32\FowNAuu.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System32\rLVnkDu.exe
  C:\Windows\System32\rLVnkDu.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System32\DtqZhsQ.exe
  C:\Windows\System32\DtqZhsQ.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System32\oVudGYe.exe
  C:\Windows\System32\oVudGYe.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System32\cgJgPHq.exe
  C:\Windows\System32\cgJgPHq.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System32\VqdSOWb.exe
  C:\Windows\System32\VqdSOWb.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System32\rqifkvD.exe
  C:\Windows\System32\rqifkvD.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System32\HPcCQRX.exe
  C:\Windows\System32\HPcCQRX.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System32\GjTtPhs.exe
  C:\Windows\System32\GjTtPhs.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System32\iNUMuSy.exe
  C:\Windows\System32\iNUMuSy.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System32\QzhJkOx.exe
  C:\Windows\System32\QzhJkOx.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System32\lWUEiTf.exe
  C:\Windows\System32\lWUEiTf.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System32\uyJwKcQ.exe
  C:\Windows\System32\uyJwKcQ.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\RxVnGIZ.exe
  C:\Windows\System32\RxVnGIZ.exe
  2⤵
  - Executes dropped EXE
  PID:508
- C:\Windows\System32\njQfAWg.exe
  C:\Windows\System32\njQfAWg.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\nAKjIXw.exe
  C:\Windows\System32\nAKjIXw.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System32\iKhvzsZ.exe
  C:\Windows\System32\iKhvzsZ.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System32\HYBDNSx.exe
  C:\Windows\System32\HYBDNSx.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System32\eCzvRMG.exe
  C:\Windows\System32\eCzvRMG.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System32\mYAXDiM.exe
  C:\Windows\System32\mYAXDiM.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System32\ZNrKTHI.exe
  C:\Windows\System32\ZNrKTHI.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\dSZfnLv.exe
  C:\Windows\System32\dSZfnLv.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System32\PfPSEor.exe
  C:\Windows\System32\PfPSEor.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System32\qCdZUuB.exe
  C:\Windows\System32\qCdZUuB.exe
  2⤵
  PID:3436
- C:\Windows\System32\iTWeFvI.exe
  C:\Windows\System32\iTWeFvI.exe
  2⤵
  PID:3512
- C:\Windows\System32\BnXRwFv.exe
  C:\Windows\System32\BnXRwFv.exe
  2⤵
  PID:2600
- C:\Windows\System32\ypOxDvd.exe
  C:\Windows\System32\ypOxDvd.exe
  2⤵
  PID:724
- C:\Windows\System32\NXDanPn.exe
  C:\Windows\System32\NXDanPn.exe
  2⤵
  PID:836
- C:\Windows\System32\ZWZFzIB.exe
  C:\Windows\System32\ZWZFzIB.exe
  2⤵
  PID:4860
- C:\Windows\System32\KNbummI.exe
  C:\Windows\System32\KNbummI.exe
  2⤵
  PID:4156
- C:\Windows\System32\HrklNHL.exe
  C:\Windows\System32\HrklNHL.exe
  2⤵
  PID:3668
- C:\Windows\System32\OexscLP.exe
  C:\Windows\System32\OexscLP.exe
  2⤵
  PID:2356
- C:\Windows\System32\boZNeMC.exe
  C:\Windows\System32\boZNeMC.exe
  2⤵
  PID:2228
- C:\Windows\System32\TJpmjVy.exe
  C:\Windows\System32\TJpmjVy.exe
  2⤵
  PID:3320
- C:\Windows\System32\CdRfFuJ.exe
  C:\Windows\System32\CdRfFuJ.exe
  2⤵
  PID:4372
- C:\Windows\System32\QEnItiJ.exe
  C:\Windows\System32\QEnItiJ.exe
  2⤵
  PID:3236
- C:\Windows\System32\bpiUXge.exe
  C:\Windows\System32\bpiUXge.exe
  2⤵
  PID:4500
- C:\Windows\System32\oZLcsCW.exe
  C:\Windows\System32\oZLcsCW.exe
  2⤵
  PID:2288
- C:\Windows\System32\whAFMLI.exe
  C:\Windows\System32\whAFMLI.exe
  2⤵
  PID:2916
- C:\Windows\System32\xnuzHiw.exe
  C:\Windows\System32\xnuzHiw.exe
  2⤵
  PID:2648
- C:\Windows\System32\tNTkaZw.exe
  C:\Windows\System32\tNTkaZw.exe
  2⤵
  PID:3832
- C:\Windows\System32\DHGrGRb.exe
  C:\Windows\System32\DHGrGRb.exe
  2⤵
  PID:696
- C:\Windows\System32\NuvMqua.exe
  C:\Windows\System32\NuvMqua.exe
  2⤵
  PID:664
- C:\Windows\System32\VAHXVRZ.exe
  C:\Windows\System32\VAHXVRZ.exe
  2⤵
  PID:2536
- C:\Windows\System32\eRYWZcw.exe
  C:\Windows\System32\eRYWZcw.exe
  2⤵
  PID:4536
- C:\Windows\System32\dKIXzUX.exe
  C:\Windows\System32\dKIXzUX.exe
  2⤵
  PID:3288
- C:\Windows\System32\oRSGvCt.exe
  C:\Windows\System32\oRSGvCt.exe
  2⤵
  PID:3680
- C:\Windows\System32\vSAtBBO.exe
  C:\Windows\System32\vSAtBBO.exe
  2⤵
  PID:1372
- C:\Windows\System32\QZKJbEq.exe
  C:\Windows\System32\QZKJbEq.exe
  2⤵
  PID:5096
- C:\Windows\System32\mJqcNTd.exe
  C:\Windows\System32\mJqcNTd.exe
  2⤵
  PID:2328
- C:\Windows\System32\JtHRVRb.exe
  C:\Windows\System32\JtHRVRb.exe
  2⤵
  PID:3484
- C:\Windows\System32\QImXCfN.exe
  C:\Windows\System32\QImXCfN.exe
  2⤵
  PID:4984
- C:\Windows\System32\NKkECEW.exe
  C:\Windows\System32\NKkECEW.exe
  2⤵
  PID:876
- C:\Windows\System32\BTdMHpQ.exe
  C:\Windows\System32\BTdMHpQ.exe
  2⤵
  PID:3748
- C:\Windows\System32\WCXHXgR.exe
  C:\Windows\System32\WCXHXgR.exe
  2⤵
  PID:1504
- C:\Windows\System32\iEGnpyQ.exe
  C:\Windows\System32\iEGnpyQ.exe
  2⤵
  PID:3952
- C:\Windows\System32\QQFUkxi.exe
  C:\Windows\System32\QQFUkxi.exe
  2⤵
  PID:4900
- C:\Windows\System32\AEXWMGl.exe
  C:\Windows\System32\AEXWMGl.exe
  2⤵
  PID:1620
- C:\Windows\System32\kSjnskZ.exe
  C:\Windows\System32\kSjnskZ.exe
  2⤵
  PID:548
- C:\Windows\System32\XtCStxk.exe
  C:\Windows\System32\XtCStxk.exe
  2⤵
  PID:5140
- C:\Windows\System32\XoIbpUM.exe
  C:\Windows\System32\XoIbpUM.exe
  2⤵
  PID:5176
- C:\Windows\System32\PpgqhWM.exe
  C:\Windows\System32\PpgqhWM.exe
  2⤵
  PID:5204
- C:\Windows\System32\KSLNLco.exe
  C:\Windows\System32\KSLNLco.exe
  2⤵
  PID:5248
- C:\Windows\System32\aXNObQC.exe
  C:\Windows\System32\aXNObQC.exe
  2⤵
  PID:5268
- C:\Windows\System32\aSYrJEg.exe
  C:\Windows\System32\aSYrJEg.exe
  2⤵
  PID:5308
- C:\Windows\System32\mGWwIIw.exe
  C:\Windows\System32\mGWwIIw.exe
  2⤵
  PID:5360
- C:\Windows\System32\TJNfxpB.exe
  C:\Windows\System32\TJNfxpB.exe
  2⤵
  PID:5396
- C:\Windows\System32\Fbwacvh.exe
  C:\Windows\System32\Fbwacvh.exe
  2⤵
  PID:5424
- C:\Windows\System32\hgnghyc.exe
  C:\Windows\System32\hgnghyc.exe
  2⤵
  PID:5484
- C:\Windows\System32\nPEUlNz.exe
  C:\Windows\System32\nPEUlNz.exe
  2⤵
  PID:5556
- C:\Windows\System32\vOZklLn.exe
  C:\Windows\System32\vOZklLn.exe
  2⤵
  PID:5632
- C:\Windows\System32\wpVCgSP.exe
  C:\Windows\System32\wpVCgSP.exe
  2⤵
  PID:5664
- C:\Windows\System32\YOOhDYx.exe
  C:\Windows\System32\YOOhDYx.exe
  2⤵
  PID:5692
- C:\Windows\System32\AVgcIbB.exe
  C:\Windows\System32\AVgcIbB.exe
  2⤵
  PID:5724
- C:\Windows\System32\zQGMrkz.exe
  C:\Windows\System32\zQGMrkz.exe
  2⤵
  PID:5752
- C:\Windows\System32\nLFxEVJ.exe
  C:\Windows\System32\nLFxEVJ.exe
  2⤵
  PID:5792
- C:\Windows\System32\bXYiSsb.exe
  C:\Windows\System32\bXYiSsb.exe
  2⤵
  PID:5816
- C:\Windows\System32\WInvqyr.exe
  C:\Windows\System32\WInvqyr.exe
  2⤵
  PID:5840
- C:\Windows\System32\nYVlGLR.exe
  C:\Windows\System32\nYVlGLR.exe
  2⤵
  PID:5860
- C:\Windows\System32\kMUBKLU.exe
  C:\Windows\System32\kMUBKLU.exe
  2⤵
  PID:5908
- C:\Windows\System32\OTMjSFF.exe
  C:\Windows\System32\OTMjSFF.exe
  2⤵
  PID:5928
- C:\Windows\System32\oLyrTql.exe
  C:\Windows\System32\oLyrTql.exe
  2⤵
  PID:5960
- C:\Windows\System32\XRKjMAC.exe
  C:\Windows\System32\XRKjMAC.exe
  2⤵
  PID:5980
- C:\Windows\System32\EUERunn.exe
  C:\Windows\System32\EUERunn.exe
  2⤵
  PID:5996
- C:\Windows\System32\CYylolt.exe
  C:\Windows\System32\CYylolt.exe
  2⤵
  PID:6020
- C:\Windows\System32\XkPtRTB.exe
  C:\Windows\System32\XkPtRTB.exe
  2⤵
  PID:6040
- C:\Windows\System32\VAXHZRy.exe
  C:\Windows\System32\VAXHZRy.exe
  2⤵
  PID:6060
- C:\Windows\System32\UzTkgjZ.exe
  C:\Windows\System32\UzTkgjZ.exe
  2⤵
  PID:6100
- C:\Windows\System32\gGBhHxM.exe
  C:\Windows\System32\gGBhHxM.exe
  2⤵
  PID:6124
- C:\Windows\System32\FFIWyZj.exe
  C:\Windows\System32\FFIWyZj.exe
  2⤵
  PID:2232
- C:\Windows\System32\UwKkVDu.exe
  C:\Windows\System32\UwKkVDu.exe
  2⤵
  PID:4316
- C:\Windows\System32\mfVJSIf.exe
  C:\Windows\System32\mfVJSIf.exe
  2⤵
  PID:1540
- C:\Windows\System32\AzBxYRg.exe
  C:\Windows\System32\AzBxYRg.exe
  2⤵
  PID:3664
- C:\Windows\System32\eJXVwdk.exe
  C:\Windows\System32\eJXVwdk.exe
  2⤵
  PID:5216
- C:\Windows\System32\sIhjnoL.exe
  C:\Windows\System32\sIhjnoL.exe
  2⤵
  PID:5224
- C:\Windows\System32\OWxNjgw.exe
  C:\Windows\System32\OWxNjgw.exe
  2⤵
  PID:5296
- C:\Windows\System32\QCWVNDa.exe
  C:\Windows\System32\QCWVNDa.exe
  2⤵
  PID:5472
- C:\Windows\System32\hIsaMzi.exe
  C:\Windows\System32\hIsaMzi.exe
  2⤵
  PID:5620
- C:\Windows\System32\OpHChby.exe
  C:\Windows\System32\OpHChby.exe
  2⤵
  PID:5648
- C:\Windows\System32\iMLNbZM.exe
  C:\Windows\System32\iMLNbZM.exe
  2⤵
  PID:5688
- C:\Windows\System32\eNndZKh.exe
  C:\Windows\System32\eNndZKh.exe
  2⤵
  PID:5760
- C:\Windows\System32\HDjpuHw.exe
  C:\Windows\System32\HDjpuHw.exe
  2⤵
  PID:5832
- C:\Windows\System32\cpYArIi.exe
  C:\Windows\System32\cpYArIi.exe
  2⤵
  PID:5920
- C:\Windows\System32\bRpXxli.exe
  C:\Windows\System32\bRpXxli.exe
  2⤵
  PID:5972
- C:\Windows\System32\CWUUdyM.exe
  C:\Windows\System32\CWUUdyM.exe
  2⤵
  PID:6048
- C:\Windows\System32\nSUfLJN.exe
  C:\Windows\System32\nSUfLJN.exe
  2⤵
  PID:6036
- C:\Windows\System32\tAuuMFD.exe
  C:\Windows\System32\tAuuMFD.exe
  2⤵
  PID:6136
- C:\Windows\System32\vVaLvYt.exe
  C:\Windows\System32\vVaLvYt.exe
  2⤵
  PID:2364
- C:\Windows\System32\VEYjvGV.exe
  C:\Windows\System32\VEYjvGV.exe
  2⤵
  PID:5152
- C:\Windows\System32\yUiAzum.exe
  C:\Windows\System32\yUiAzum.exe
  2⤵
  PID:5300
- C:\Windows\System32\evhJJKR.exe
  C:\Windows\System32\evhJJKR.exe
  2⤵
  PID:4624
- C:\Windows\System32\DxNQbVz.exe
  C:\Windows\System32\DxNQbVz.exe
  2⤵
  PID:5552
- C:\Windows\System32\YumQnXr.exe
  C:\Windows\System32\YumQnXr.exe
  2⤵
  PID:5000
- C:\Windows\System32\EfEmFIu.exe
  C:\Windows\System32\EfEmFIu.exe
  2⤵
  PID:5656
- C:\Windows\System32\USOKUpD.exe
  C:\Windows\System32\USOKUpD.exe
  2⤵
  PID:5884
- C:\Windows\System32\ASZhUrM.exe
  C:\Windows\System32\ASZhUrM.exe
  2⤵
  PID:5956
- C:\Windows\System32\NISgDSx.exe
  C:\Windows\System32\NISgDSx.exe
  2⤵
  PID:6084
- C:\Windows\System32\QapKTbY.exe
  C:\Windows\System32\QapKTbY.exe
  2⤵
  PID:5212
- C:\Windows\System32\cvwWmTC.exe
  C:\Windows\System32\cvwWmTC.exe
  2⤵
  PID:5292
- C:\Windows\System32\VubdEhT.exe
  C:\Windows\System32\VubdEhT.exe
  2⤵
  PID:5380
- C:\Windows\System32\dcHvhPx.exe
  C:\Windows\System32\dcHvhPx.exe
  2⤵
  PID:5848
- C:\Windows\System32\SQXHFFY.exe
  C:\Windows\System32\SQXHFFY.exe
  2⤵
  PID:4980
- C:\Windows\System32\ThhFISo.exe
  C:\Windows\System32\ThhFISo.exe
  2⤵
  PID:5408
- C:\Windows\System32\MJPHpol.exe
  C:\Windows\System32\MJPHpol.exe
  2⤵
  PID:6092
- C:\Windows\System32\zKCWLWu.exe
  C:\Windows\System32\zKCWLWu.exe
  2⤵
  PID:5416
- C:\Windows\System32\OcBXWBc.exe
  C:\Windows\System32\OcBXWBc.exe
  2⤵
  PID:6176
- C:\Windows\System32\MBTHUsr.exe
  C:\Windows\System32\MBTHUsr.exe
  2⤵
  PID:6228
- C:\Windows\System32\NqVluxA.exe
  C:\Windows\System32\NqVluxA.exe
  2⤵
  PID:6248
- C:\Windows\System32\DcNthAh.exe
  C:\Windows\System32\DcNthAh.exe
  2⤵
  PID:6268
- C:\Windows\System32\cFFCLSW.exe
  C:\Windows\System32\cFFCLSW.exe
  2⤵
  PID:6304
- C:\Windows\System32\eHuEVZD.exe
  C:\Windows\System32\eHuEVZD.exe
  2⤵
  PID:6340
- C:\Windows\System32\dJzXRkT.exe
  C:\Windows\System32\dJzXRkT.exe
  2⤵
  PID:6372
- C:\Windows\System32\rPMnztg.exe
  C:\Windows\System32\rPMnztg.exe
  2⤵
  PID:6400
- C:\Windows\System32\XBfQhIM.exe
  C:\Windows\System32\XBfQhIM.exe
  2⤵
  PID:6428
- C:\Windows\System32\YKFNFMi.exe
  C:\Windows\System32\YKFNFMi.exe
  2⤵
  PID:6448
- C:\Windows\System32\uoFxNbh.exe
  C:\Windows\System32\uoFxNbh.exe
  2⤵
  PID:6484
- C:\Windows\System32\ioKRFft.exe
  C:\Windows\System32\ioKRFft.exe
  2⤵
  PID:6508
- C:\Windows\System32\uFYEnbj.exe
  C:\Windows\System32\uFYEnbj.exe
  2⤵
  PID:6528
- C:\Windows\System32\weyRwZf.exe
  C:\Windows\System32\weyRwZf.exe
  2⤵
  PID:6548
- C:\Windows\System32\xYUiHJq.exe
  C:\Windows\System32\xYUiHJq.exe
  2⤵
  PID:6580
- C:\Windows\System32\DSZtncX.exe
  C:\Windows\System32\DSZtncX.exe
  2⤵
  PID:6624
- C:\Windows\System32\JJhiuYf.exe
  C:\Windows\System32\JJhiuYf.exe
  2⤵
  PID:6656
- C:\Windows\System32\zwbpLOl.exe
  C:\Windows\System32\zwbpLOl.exe
  2⤵
  PID:6680
- C:\Windows\System32\bRoeMHi.exe
  C:\Windows\System32\bRoeMHi.exe
  2⤵
  PID:6700
- C:\Windows\System32\eYIIaso.exe
  C:\Windows\System32\eYIIaso.exe
  2⤵
  PID:6740
- C:\Windows\System32\BxwrbMQ.exe
  C:\Windows\System32\BxwrbMQ.exe
  2⤵
  PID:6756
- C:\Windows\System32\uNtWLrD.exe
  C:\Windows\System32\uNtWLrD.exe
  2⤵
  PID:6784
- C:\Windows\System32\jQBwjmm.exe
  C:\Windows\System32\jQBwjmm.exe
  2⤵
  PID:6804
- C:\Windows\System32\xQjZOjk.exe
  C:\Windows\System32\xQjZOjk.exe
  2⤵
  PID:6828
- C:\Windows\System32\jQtujkh.exe
  C:\Windows\System32\jQtujkh.exe
  2⤵
  PID:6848
- C:\Windows\System32\ixUgtUx.exe
  C:\Windows\System32\ixUgtUx.exe
  2⤵
  PID:6888
- C:\Windows\System32\khJNRwf.exe
  C:\Windows\System32\khJNRwf.exe
  2⤵
  PID:6936
- C:\Windows\System32\GMulHSq.exe
  C:\Windows\System32\GMulHSq.exe
  2⤵
  PID:6952
- C:\Windows\System32\dzroTXG.exe
  C:\Windows\System32\dzroTXG.exe
  2⤵
  PID:6980
- C:\Windows\System32\dguivWE.exe
  C:\Windows\System32\dguivWE.exe
  2⤵
  PID:7016
- C:\Windows\System32\TWfJXQW.exe
  C:\Windows\System32\TWfJXQW.exe
  2⤵
  PID:7036
- C:\Windows\System32\hxJzYwY.exe
  C:\Windows\System32\hxJzYwY.exe
  2⤵
  PID:7060
- C:\Windows\System32\gqoUVYE.exe
  C:\Windows\System32\gqoUVYE.exe
  2⤵
  PID:7076
- C:\Windows\System32\EVvimHO.exe
  C:\Windows\System32\EVvimHO.exe
  2⤵
  PID:7108
- C:\Windows\System32\TAAGiIf.exe
  C:\Windows\System32\TAAGiIf.exe
  2⤵
  PID:7124
- C:\Windows\System32\FAvSlTY.exe
  C:\Windows\System32\FAvSlTY.exe
  2⤵
  PID:1664
- C:\Windows\System32\LzfakGg.exe
  C:\Windows\System32\LzfakGg.exe
  2⤵
  PID:6224
- C:\Windows\System32\PVwNesI.exe
  C:\Windows\System32\PVwNesI.exe
  2⤵
  PID:6240
- C:\Windows\System32\QjdCycp.exe
  C:\Windows\System32\QjdCycp.exe
  2⤵
  PID:6284
- C:\Windows\System32\oyESQRJ.exe
  C:\Windows\System32\oyESQRJ.exe
  2⤵
  PID:6332
- C:\Windows\System32\UOnMoTE.exe
  C:\Windows\System32\UOnMoTE.exe
  2⤵
  PID:6384
- C:\Windows\System32\tEkDomi.exe
  C:\Windows\System32\tEkDomi.exe
  2⤵
  PID:6416
- C:\Windows\System32\iFypYsG.exe
  C:\Windows\System32\iFypYsG.exe
  2⤵
  PID:6440
- C:\Windows\System32\OOfJOhn.exe
  C:\Windows\System32\OOfJOhn.exe
  2⤵
  PID:6500
- C:\Windows\System32\ADAviwD.exe
  C:\Windows\System32\ADAviwD.exe
  2⤵
  PID:6600
- C:\Windows\System32\HTkWyAW.exe
  C:\Windows\System32\HTkWyAW.exe
  2⤵
  PID:6668
- C:\Windows\System32\xdZHsEn.exe
  C:\Windows\System32\xdZHsEn.exe
  2⤵
  PID:6796
- C:\Windows\System32\xYIdKgY.exe
  C:\Windows\System32\xYIdKgY.exe
  2⤵
  PID:6912
- C:\Windows\System32\csbQHcy.exe
  C:\Windows\System32\csbQHcy.exe
  2⤵
  PID:7000
- C:\Windows\System32\ViuZdDV.exe
  C:\Windows\System32\ViuZdDV.exe
  2⤵
  PID:7052
- C:\Windows\System32\FZlPlEJ.exe
  C:\Windows\System32\FZlPlEJ.exe
  2⤵
  PID:7068
- C:\Windows\System32\wTLXRCD.exe
  C:\Windows\System32\wTLXRCD.exe
  2⤵
  PID:7156
- C:\Windows\System32\lBKZyLT.exe
  C:\Windows\System32\lBKZyLT.exe
  2⤵
  PID:6328
- C:\Windows\System32\PBrmgYp.exe
  C:\Windows\System32\PBrmgYp.exe
  2⤵
  PID:6316
- C:\Windows\System32\kIdMkNm.exe
  C:\Windows\System32\kIdMkNm.exe
  2⤵
  PID:6504
- C:\Windows\System32\jQDOkzs.exe
  C:\Windows\System32\jQDOkzs.exe
  2⤵
  PID:6816
- C:\Windows\System32\QKgOXRW.exe
  C:\Windows\System32\QKgOXRW.exe
  2⤵
  PID:6900
- C:\Windows\System32\JrmWeKr.exe
  C:\Windows\System32\JrmWeKr.exe
  2⤵
  PID:7100
- C:\Windows\System32\SlSlDYE.exe
  C:\Windows\System32\SlSlDYE.exe
  2⤵
  PID:6264
- C:\Windows\System32\NgWDZqz.exe
  C:\Windows\System32\NgWDZqz.exe
  2⤵
  PID:6492
- C:\Windows\System32\ZjRFMyP.exe
  C:\Windows\System32\ZjRFMyP.exe
  2⤵
  PID:6732
- C:\Windows\System32\RuWWgnV.exe
  C:\Windows\System32\RuWWgnV.exe
  2⤵
  PID:6424
- C:\Windows\System32\VsmNPkB.exe
  C:\Windows\System32\VsmNPkB.exe
  2⤵
  PID:1244
- C:\Windows\System32\ZpzMavd.exe
  C:\Windows\System32\ZpzMavd.exe
  2⤵
  PID:6516
- C:\Windows\System32\vEIHojp.exe
  C:\Windows\System32\vEIHojp.exe
  2⤵
  PID:7204
- C:\Windows\System32\zbAGmam.exe
  C:\Windows\System32\zbAGmam.exe
  2⤵
  PID:7240
- C:\Windows\System32\xPcvNaE.exe
  C:\Windows\System32\xPcvNaE.exe
  2⤵
  PID:7260
- C:\Windows\System32\synhCBN.exe
  C:\Windows\System32\synhCBN.exe
  2⤵
  PID:7300
- C:\Windows\System32\vMJVAHS.exe
  C:\Windows\System32\vMJVAHS.exe
  2⤵
  PID:7324
- C:\Windows\System32\PvvYWyK.exe
  C:\Windows\System32\PvvYWyK.exe
  2⤵
  PID:7344
- C:\Windows\System32\NGLRzOg.exe
  C:\Windows\System32\NGLRzOg.exe
  2⤵
  PID:7364
- C:\Windows\System32\oWrBunp.exe
  C:\Windows\System32\oWrBunp.exe
  2⤵
  PID:7404
- C:\Windows\System32\hZIPyKS.exe
  C:\Windows\System32\hZIPyKS.exe
  2⤵
  PID:7436
- C:\Windows\System32\MlqvsHE.exe
  C:\Windows\System32\MlqvsHE.exe
  2⤵
  PID:7452
- C:\Windows\System32\TUoGmQz.exe
  C:\Windows\System32\TUoGmQz.exe
  2⤵
  PID:7476
- C:\Windows\System32\JGgSdVb.exe
  C:\Windows\System32\JGgSdVb.exe
  2⤵
  PID:7492
- C:\Windows\System32\QNaVFMV.exe
  C:\Windows\System32\QNaVFMV.exe
  2⤵
  PID:7516
- C:\Windows\System32\vailomY.exe
  C:\Windows\System32\vailomY.exe
  2⤵
  PID:7532
- C:\Windows\System32\rMUwVSG.exe
  C:\Windows\System32\rMUwVSG.exe
  2⤵
  PID:7600
- C:\Windows\System32\wrjHwfk.exe
  C:\Windows\System32\wrjHwfk.exe
  2⤵
  PID:7628
- C:\Windows\System32\yspnnJP.exe
  C:\Windows\System32\yspnnJP.exe
  2⤵
  PID:7648
- C:\Windows\System32\ocGFvOp.exe
  C:\Windows\System32\ocGFvOp.exe
  2⤵
  PID:7672
- C:\Windows\System32\ZgQSHic.exe
  C:\Windows\System32\ZgQSHic.exe
  2⤵
  PID:7692
- C:\Windows\System32\SRdiFVy.exe
  C:\Windows\System32\SRdiFVy.exe
  2⤵
  PID:7716
- C:\Windows\System32\bPzAhce.exe
  C:\Windows\System32\bPzAhce.exe
  2⤵
  PID:7756
- C:\Windows\System32\DPqTXaJ.exe
  C:\Windows\System32\DPqTXaJ.exe
  2⤵
  PID:7780
- C:\Windows\System32\BnYTHLc.exe
  C:\Windows\System32\BnYTHLc.exe
  2⤵
  PID:7796
- C:\Windows\System32\mmwpjsg.exe
  C:\Windows\System32\mmwpjsg.exe
  2⤵
  PID:7812
- C:\Windows\System32\IVauBcp.exe
  C:\Windows\System32\IVauBcp.exe
  2⤵
  PID:7828
- C:\Windows\System32\wRfGiVb.exe
  C:\Windows\System32\wRfGiVb.exe
  2⤵
  PID:7852
- C:\Windows\System32\yJaZxNK.exe
  C:\Windows\System32\yJaZxNK.exe
  2⤵
  PID:7884
- C:\Windows\System32\hqctOYA.exe
  C:\Windows\System32\hqctOYA.exe
  2⤵
  PID:7924
- C:\Windows\System32\xMcqFmE.exe
  C:\Windows\System32\xMcqFmE.exe
  2⤵
  PID:7964
- C:\Windows\System32\ARhadRT.exe
  C:\Windows\System32\ARhadRT.exe
  2⤵
  PID:8012
- C:\Windows\System32\seixOww.exe
  C:\Windows\System32\seixOww.exe
  2⤵
  PID:8064
- C:\Windows\System32\MKYgBIe.exe
  C:\Windows\System32\MKYgBIe.exe
  2⤵
  PID:8088
- C:\Windows\System32\TiLlOiS.exe
  C:\Windows\System32\TiLlOiS.exe
  2⤵
  PID:8104
- C:\Windows\System32\tlbVgAs.exe
  C:\Windows\System32\tlbVgAs.exe
  2⤵
  PID:8120
- C:\Windows\System32\fPzBatz.exe
  C:\Windows\System32\fPzBatz.exe
  2⤵
  PID:7188
- C:\Windows\System32\WiykodS.exe
  C:\Windows\System32\WiykodS.exe
  2⤵
  PID:7412
- C:\Windows\System32\COMrGfa.exe
  C:\Windows\System32\COMrGfa.exe
  2⤵
  PID:7464
- C:\Windows\System32\DUcuqQf.exe
  C:\Windows\System32\DUcuqQf.exe
  2⤵
  PID:7584
- C:\Windows\System32\DqYlAlC.exe
  C:\Windows\System32\DqYlAlC.exe
  2⤵
  PID:7668
- C:\Windows\System32\vAjdOjK.exe
  C:\Windows\System32\vAjdOjK.exe
  2⤵
  PID:7712
- C:\Windows\System32\zaurCrE.exe
  C:\Windows\System32\zaurCrE.exe
  2⤵
  PID:7684
- C:\Windows\System32\ODucvGC.exe
  C:\Windows\System32\ODucvGC.exe
  2⤵
  PID:7736
- C:\Windows\System32\ombZSes.exe
  C:\Windows\System32\ombZSes.exe
  2⤵
  PID:7840
- C:\Windows\System32\XSDmdJN.exe
  C:\Windows\System32\XSDmdJN.exe
  2⤵
  PID:7844
- C:\Windows\System32\gNwZzTE.exe
  C:\Windows\System32\gNwZzTE.exe
  2⤵
  PID:7908
- C:\Windows\System32\bEUJgnd.exe
  C:\Windows\System32\bEUJgnd.exe
  2⤵
  PID:7804
- C:\Windows\System32\XJeLWDt.exe
  C:\Windows\System32\XJeLWDt.exe
  2⤵
  PID:7920
- C:\Windows\System32\UlyzIRA.exe
  C:\Windows\System32\UlyzIRA.exe
  2⤵
  PID:7768
- C:\Windows\System32\YVLbspD.exe
  C:\Windows\System32\YVLbspD.exe
  2⤵
  PID:7980
- C:\Windows\System32\jQoBXKc.exe
  C:\Windows\System32\jQoBXKc.exe
  2⤵
  PID:8128
- C:\Windows\System32\deYLssQ.exe
  C:\Windows\System32\deYLssQ.exe
  2⤵
  PID:8052
- C:\Windows\System32\IzoPFEP.exe
  C:\Windows\System32\IzoPFEP.exe
  2⤵
  PID:7488
- C:\Windows\System32\POiYRne.exe
  C:\Windows\System32\POiYRne.exe
  2⤵
  PID:7528
- C:\Windows\System32\XWERvbo.exe
  C:\Windows\System32\XWERvbo.exe
  2⤵
  PID:7752
- C:\Windows\System32\hdyEuJw.exe
  C:\Windows\System32\hdyEuJw.exe
  2⤵
  PID:7872
- C:\Windows\System32\rdvaiUN.exe
  C:\Windows\System32\rdvaiUN.exe
  2⤵
  PID:7912
- C:\Windows\System32\zoXJnXJ.exe
  C:\Windows\System32\zoXJnXJ.exe
  2⤵
  PID:8048
- C:\Windows\System32\jXxShoS.exe
  C:\Windows\System32\jXxShoS.exe
  2⤵
  PID:7288
- C:\Windows\System32\xNEhhbd.exe
  C:\Windows\System32\xNEhhbd.exe
  2⤵
  PID:7444
- C:\Windows\System32\yoWwaXM.exe
  C:\Windows\System32\yoWwaXM.exe
  2⤵
  PID:7792
- C:\Windows\System32\XbwnpIt.exe
  C:\Windows\System32\XbwnpIt.exe
  2⤵
  PID:7932
- C:\Windows\System32\tMzuczm.exe
  C:\Windows\System32\tMzuczm.exe
  2⤵
  PID:7992
- C:\Windows\System32\fniwImt.exe
  C:\Windows\System32\fniwImt.exe
  2⤵
  PID:8216
- C:\Windows\System32\iaogVtI.exe
  C:\Windows\System32\iaogVtI.exe
  2⤵
  PID:8236
- C:\Windows\System32\uuzRxdL.exe
  C:\Windows\System32\uuzRxdL.exe
  2⤵
  PID:8268
- C:\Windows\System32\FRRaDpT.exe
  C:\Windows\System32\FRRaDpT.exe
  2⤵
  PID:8292
- C:\Windows\System32\EZafBik.exe
  C:\Windows\System32\EZafBik.exe
  2⤵
  PID:8312
- C:\Windows\System32\OQKpOPQ.exe
  C:\Windows\System32\OQKpOPQ.exe
  2⤵
  PID:8328
- C:\Windows\System32\Rjakrwx.exe
  C:\Windows\System32\Rjakrwx.exe
  2⤵
  PID:8356
- C:\Windows\System32\JsPCqSJ.exe
  C:\Windows\System32\JsPCqSJ.exe
  2⤵
  PID:8380
- C:\Windows\System32\yLJIUuI.exe
  C:\Windows\System32\yLJIUuI.exe
  2⤵
  PID:8444
- C:\Windows\System32\uQHRUtW.exe
  C:\Windows\System32\uQHRUtW.exe
  2⤵
  PID:8484
- C:\Windows\System32\iaQkGXe.exe
  C:\Windows\System32\iaQkGXe.exe
  2⤵
  PID:8524
- C:\Windows\System32\VIohowV.exe
  C:\Windows\System32\VIohowV.exe
  2⤵
  PID:8548
- C:\Windows\System32\yueOqAn.exe
  C:\Windows\System32\yueOqAn.exe
  2⤵
  PID:8568
- C:\Windows\System32\fQqkjMx.exe
  C:\Windows\System32\fQqkjMx.exe
  2⤵
  PID:8584
- C:\Windows\System32\TUZCleJ.exe
  C:\Windows\System32\TUZCleJ.exe
  2⤵
  PID:8612
- C:\Windows\System32\wMIvobW.exe
  C:\Windows\System32\wMIvobW.exe
  2⤵
  PID:8640
- C:\Windows\System32\VACbxNJ.exe
  C:\Windows\System32\VACbxNJ.exe
  2⤵
  PID:8660
- C:\Windows\System32\ACjwQqb.exe
  C:\Windows\System32\ACjwQqb.exe
  2⤵
  PID:8688
- C:\Windows\System32\eskvXKN.exe
  C:\Windows\System32\eskvXKN.exe
  2⤵
  PID:8720
- C:\Windows\System32\kwWioAP.exe
  C:\Windows\System32\kwWioAP.exe
  2⤵
  PID:8744
- C:\Windows\System32\cYTwZVQ.exe
  C:\Windows\System32\cYTwZVQ.exe
  2⤵
  PID:8764
- C:\Windows\System32\rdYobTD.exe
  C:\Windows\System32\rdYobTD.exe
  2⤵
  PID:8780
- C:\Windows\System32\tIgFGxn.exe
  C:\Windows\System32\tIgFGxn.exe
  2⤵
  PID:8828
- C:\Windows\System32\SDOLOBw.exe
  C:\Windows\System32\SDOLOBw.exe
  2⤵
  PID:8848
- C:\Windows\System32\MunCoOF.exe
  C:\Windows\System32\MunCoOF.exe
  2⤵
  PID:8864
- C:\Windows\System32\ZqEvdFG.exe
  C:\Windows\System32\ZqEvdFG.exe
  2⤵
  PID:8888
- C:\Windows\System32\MEyULXj.exe
  C:\Windows\System32\MEyULXj.exe
  2⤵
  PID:8916
- C:\Windows\System32\eBXpSHM.exe
  C:\Windows\System32\eBXpSHM.exe
  2⤵
  PID:8980
- C:\Windows\System32\jWOYCZe.exe
  C:\Windows\System32\jWOYCZe.exe
  2⤵
  PID:9032
- C:\Windows\System32\oLvarvN.exe
  C:\Windows\System32\oLvarvN.exe
  2⤵
  PID:9048
- C:\Windows\System32\OKBEJfp.exe
  C:\Windows\System32\OKBEJfp.exe
  2⤵
  PID:9064
- C:\Windows\System32\MEfhQfj.exe
  C:\Windows\System32\MEfhQfj.exe
  2⤵
  PID:9116
- C:\Windows\System32\JUDSQvV.exe
  C:\Windows\System32\JUDSQvV.exe
  2⤵
  PID:9140
- C:\Windows\System32\BrmIaTA.exe
  C:\Windows\System32\BrmIaTA.exe
  2⤵
  PID:9160
- C:\Windows\System32\ZqRUcch.exe
  C:\Windows\System32\ZqRUcch.exe
  2⤵
  PID:9188
- C:\Windows\System32\BUnFoCp.exe
  C:\Windows\System32\BUnFoCp.exe
  2⤵
  PID:9208
- C:\Windows\System32\dkUCFcI.exe
  C:\Windows\System32\dkUCFcI.exe
  2⤵
  PID:6556
- C:\Windows\System32\jvZegMf.exe
  C:\Windows\System32\jvZegMf.exe
  2⤵
  PID:8256
- C:\Windows\System32\pUVMKaP.exe
  C:\Windows\System32\pUVMKaP.exe
  2⤵
  PID:8336
- C:\Windows\System32\dkrFnzI.exe
  C:\Windows\System32\dkrFnzI.exe
  2⤵
  PID:8372
- C:\Windows\System32\hZbTUIa.exe
  C:\Windows\System32\hZbTUIa.exe
  2⤵
  PID:8436
- C:\Windows\System32\pFeSJNB.exe
  C:\Windows\System32\pFeSJNB.exe
  2⤵
  PID:8512
- C:\Windows\System32\ZkrLpHa.exe
  C:\Windows\System32\ZkrLpHa.exe
  2⤵
  PID:8560
- C:\Windows\System32\PyVANwd.exe
  C:\Windows\System32\PyVANwd.exe
  2⤵
  PID:8652
- C:\Windows\System32\QJbYJsS.exe
  C:\Windows\System32\QJbYJsS.exe
  2⤵
  PID:8680
- C:\Windows\System32\DFAwabH.exe
  C:\Windows\System32\DFAwabH.exe
  2⤵
  PID:8760
- C:\Windows\System32\gKuSuhk.exe
  C:\Windows\System32\gKuSuhk.exe
  2⤵
  PID:8904
- C:\Windows\System32\VOUDflB.exe
  C:\Windows\System32\VOUDflB.exe
  2⤵
  PID:8880
- C:\Windows\System32\JdIJvHO.exe
  C:\Windows\System32\JdIJvHO.exe
  2⤵
  PID:8932
- C:\Windows\System32\VwAHLWV.exe
  C:\Windows\System32\VwAHLWV.exe
  2⤵
  PID:9060
- C:\Windows\System32\HoqkViV.exe
  C:\Windows\System32\HoqkViV.exe
  2⤵
  PID:9080
- C:\Windows\System32\eFSacrq.exe
  C:\Windows\System32\eFSacrq.exe
  2⤵
  PID:9176
- C:\Windows\System32\Umvneik.exe
  C:\Windows\System32\Umvneik.exe
  2⤵
  PID:8232
- C:\Windows\System32\tDIvTey.exe
  C:\Windows\System32\tDIvTey.exe
  2⤵
  PID:8308
- C:\Windows\System32\JkfbrhN.exe
  C:\Windows\System32\JkfbrhN.exe
  2⤵
  PID:8432
- C:\Windows\System32\lZsiDpf.exe
  C:\Windows\System32\lZsiDpf.exe
  2⤵
  PID:8696
- C:\Windows\System32\JugMPmA.exe
  C:\Windows\System32\JugMPmA.exe
  2⤵
  PID:8816
- C:\Windows\System32\drXSrtj.exe
  C:\Windows\System32\drXSrtj.exe
  2⤵
  PID:8964
- C:\Windows\System32\IENCENe.exe
  C:\Windows\System32\IENCENe.exe
  2⤵
  PID:9044
- C:\Windows\System32\hLNrKHB.exe
  C:\Windows\System32\hLNrKHB.exe
  2⤵
  PID:9200
- C:\Windows\System32\vEOeccc.exe
  C:\Windows\System32\vEOeccc.exe
  2⤵
  PID:8368
- C:\Windows\System32\jzkliRJ.exe
  C:\Windows\System32\jzkliRJ.exe
  2⤵
  PID:8712
- C:\Windows\System32\udfipQG.exe
  C:\Windows\System32\udfipQG.exe
  2⤵
  PID:9112
- C:\Windows\System32\bcbdBEl.exe
  C:\Windows\System32\bcbdBEl.exe
  2⤵
  PID:8496
- C:\Windows\System32\UBPXOlM.exe
  C:\Windows\System32\UBPXOlM.exe
  2⤵
  PID:9244
- C:\Windows\System32\UVXLEha.exe
  C:\Windows\System32\UVXLEha.exe
  2⤵
  PID:9280
- C:\Windows\System32\XGZWHzL.exe
  C:\Windows\System32\XGZWHzL.exe
  2⤵
  PID:9300
- C:\Windows\System32\YCNyySo.exe
  C:\Windows\System32\YCNyySo.exe
  2⤵
  PID:9316
- C:\Windows\System32\lkjCYpB.exe
  C:\Windows\System32\lkjCYpB.exe
  2⤵
  PID:9340
- C:\Windows\System32\PlrNngv.exe
  C:\Windows\System32\PlrNngv.exe
  2⤵
  PID:9380
- C:\Windows\System32\cJhgQos.exe
  C:\Windows\System32\cJhgQos.exe
  2⤵
  PID:9408
- C:\Windows\System32\mXtrzVr.exe
  C:\Windows\System32\mXtrzVr.exe
  2⤵
  PID:9428
- C:\Windows\System32\OQrXvgr.exe
  C:\Windows\System32\OQrXvgr.exe
  2⤵
  PID:9448
- C:\Windows\System32\nHdsriF.exe
  C:\Windows\System32\nHdsriF.exe
  2⤵
  PID:9476
- C:\Windows\System32\cVMUyVO.exe
  C:\Windows\System32\cVMUyVO.exe
  2⤵
  PID:9504
- C:\Windows\System32\mXskeah.exe
  C:\Windows\System32\mXskeah.exe
  2⤵
  PID:9548
- C:\Windows\System32\jKckvIg.exe
  C:\Windows\System32\jKckvIg.exe
  2⤵
  PID:9568
- C:\Windows\System32\CFCvbNb.exe
  C:\Windows\System32\CFCvbNb.exe
  2⤵
  PID:9584
- C:\Windows\System32\xGldPLF.exe
  C:\Windows\System32\xGldPLF.exe
  2⤵
  PID:9636
- C:\Windows\System32\XDaEprB.exe
  C:\Windows\System32\XDaEprB.exe
  2⤵
  PID:9664
- C:\Windows\System32\wfYnzSY.exe
  C:\Windows\System32\wfYnzSY.exe
  2⤵
  PID:9696
- C:\Windows\System32\yiygxte.exe
  C:\Windows\System32\yiygxte.exe
  2⤵
  PID:9720
- C:\Windows\System32\PCfuQnE.exe
  C:\Windows\System32\PCfuQnE.exe
  2⤵
  PID:9740
- C:\Windows\System32\xfwbHvF.exe
  C:\Windows\System32\xfwbHvF.exe
  2⤵
  PID:9768
- C:\Windows\System32\xHBwkgQ.exe
  C:\Windows\System32\xHBwkgQ.exe
  2⤵
  PID:9784
- C:\Windows\System32\TBLaqfP.exe
  C:\Windows\System32\TBLaqfP.exe
  2⤵
  PID:9804
- C:\Windows\System32\ntZvETY.exe
  C:\Windows\System32\ntZvETY.exe
  2⤵
  PID:9852
- C:\Windows\System32\EoiiCER.exe
  C:\Windows\System32\EoiiCER.exe
  2⤵
  PID:9868
- C:\Windows\System32\iZcvHep.exe
  C:\Windows\System32\iZcvHep.exe
  2⤵
  PID:9888
- C:\Windows\System32\iQbnaVo.exe
  C:\Windows\System32\iQbnaVo.exe
  2⤵
  PID:9912
- C:\Windows\System32\WUCgFjW.exe
  C:\Windows\System32\WUCgFjW.exe
  2⤵
  PID:9940
- C:\Windows\System32\AdLsErU.exe
  C:\Windows\System32\AdLsErU.exe
  2⤵
  PID:9988
- C:\Windows\System32\VSNNfJf.exe
  C:\Windows\System32\VSNNfJf.exe
  2⤵
  PID:10016
- C:\Windows\System32\uMfUlNN.exe
  C:\Windows\System32\uMfUlNN.exe
  2⤵
  PID:10040
- C:\Windows\System32\buPoMyu.exe
  C:\Windows\System32\buPoMyu.exe
  2⤵
  PID:10080
- C:\Windows\System32\bNhTatM.exe
  C:\Windows\System32\bNhTatM.exe
  2⤵
  PID:10096
- C:\Windows\System32\XygYPbl.exe
  C:\Windows\System32\XygYPbl.exe
  2⤵
  PID:10120
- C:\Windows\System32\hvPards.exe
  C:\Windows\System32\hvPards.exe
  2⤵
  PID:10180
- C:\Windows\System32\FRiLKJd.exe
  C:\Windows\System32\FRiLKJd.exe
  2⤵
  PID:10196
- C:\Windows\System32\OcRFuNF.exe
  C:\Windows\System32\OcRFuNF.exe
  2⤵
  PID:8464
- C:\Windows\System32\VOxntAa.exe
  C:\Windows\System32\VOxntAa.exe
  2⤵
  PID:9272
- C:\Windows\System32\JgWJbxv.exe
  C:\Windows\System32\JgWJbxv.exe
  2⤵
  PID:9308
- C:\Windows\System32\QaUSgOT.exe
  C:\Windows\System32\QaUSgOT.exe
  2⤵
  PID:9376
- C:\Windows\System32\deycbrS.exe
  C:\Windows\System32\deycbrS.exe
  2⤵
  PID:9456
- C:\Windows\System32\ssgzOhY.exe
  C:\Windows\System32\ssgzOhY.exe
  2⤵
  PID:9468
- C:\Windows\System32\VXDPzmk.exe
  C:\Windows\System32\VXDPzmk.exe
  2⤵
  PID:9556
- C:\Windows\System32\owBnfKt.exe
  C:\Windows\System32\owBnfKt.exe
  2⤵
  PID:7608
- C:\Windows\System32\IFxqYff.exe
  C:\Windows\System32\IFxqYff.exe
  2⤵
  PID:9680
- C:\Windows\System32\KteOYqB.exe
  C:\Windows\System32\KteOYqB.exe
  2⤵
  PID:9736
- C:\Windows\System32\ooHHZCo.exe
  C:\Windows\System32\ooHHZCo.exe
  2⤵
  PID:9832
- C:\Windows\System32\ByYNbMs.exe
  C:\Windows\System32\ByYNbMs.exe
  2⤵
  PID:9900
- C:\Windows\System32\irPXZzL.exe
  C:\Windows\System32\irPXZzL.exe
  2⤵
  PID:9880
- C:\Windows\System32\QAjuaoS.exe
  C:\Windows\System32\QAjuaoS.exe
  2⤵
  PID:10036
- C:\Windows\System32\DtpmyLT.exe
  C:\Windows\System32\DtpmyLT.exe
  2⤵
  PID:10088
- C:\Windows\System32\XRksFed.exe
  C:\Windows\System32\XRksFed.exe
  2⤵
  PID:10144
- C:\Windows\System32\VWSkCFT.exe
  C:\Windows\System32\VWSkCFT.exe
  2⤵
  PID:10152
- C:\Windows\System32\ofooJZp.exe
  C:\Windows\System32\ofooJZp.exe
  2⤵
  PID:10228
- C:\Windows\System32\VjMVvDf.exe
  C:\Windows\System32\VjMVvDf.exe
  2⤵
  PID:9416
- C:\Windows\System32\fEdcawf.exe
  C:\Windows\System32\fEdcawf.exe
  2⤵
  PID:9532
- C:\Windows\System32\uREmvUw.exe
  C:\Windows\System32\uREmvUw.exe
  2⤵
  PID:9828
- C:\Windows\System32\OCbIRVk.exe
  C:\Windows\System32\OCbIRVk.exe
  2⤵
  PID:9984
- C:\Windows\System32\pwJvtZF.exe
  C:\Windows\System32\pwJvtZF.exe
  2⤵
  PID:10024
- C:\Windows\System32\DFSOsyD.exe
  C:\Windows\System32\DFSOsyD.exe
  2⤵
  PID:10188
- C:\Windows\System32\DaekNrS.exe
  C:\Windows\System32\DaekNrS.exe
  2⤵
  PID:9704
- C:\Windows\System32\iwCDTmH.exe
  C:\Windows\System32\iwCDTmH.exe
  2⤵
  PID:9864
- C:\Windows\System32\jaOTcVs.exe
  C:\Windows\System32\jaOTcVs.exe
  2⤵
  PID:10172
- C:\Windows\System32\QcIiPmS.exe
  C:\Windows\System32\QcIiPmS.exe
  2⤵
  PID:10244
- C:\Windows\System32\feppZAN.exe
  C:\Windows\System32\feppZAN.exe
  2⤵
  PID:10264
- C:\Windows\System32\NPhrrqJ.exe
  C:\Windows\System32\NPhrrqJ.exe
  2⤵
  PID:10280
- C:\Windows\System32\QNWdnGo.exe
  C:\Windows\System32\QNWdnGo.exe
  2⤵
  PID:10296
- C:\Windows\System32\SnKmcwg.exe
  C:\Windows\System32\SnKmcwg.exe
  2⤵
  PID:10320
- C:\Windows\System32\ngpDXUk.exe
  C:\Windows\System32\ngpDXUk.exe
  2⤵
  PID:10376
- C:\Windows\System32\QSfwcVU.exe
  C:\Windows\System32\QSfwcVU.exe
  2⤵
  PID:10404
- C:\Windows\System32\FdoGHyY.exe
  C:\Windows\System32\FdoGHyY.exe
  2⤵
  PID:10444
- C:\Windows\System32\jXQAjNS.exe
  C:\Windows\System32\jXQAjNS.exe
  2⤵
  PID:10464
- C:\Windows\System32\BAbnQgd.exe
  C:\Windows\System32\BAbnQgd.exe
  2⤵
  PID:10492
- C:\Windows\System32\zkPHMfW.exe
  C:\Windows\System32\zkPHMfW.exe
  2⤵
  PID:10508
- C:\Windows\System32\yQGCKvp.exe
  C:\Windows\System32\yQGCKvp.exe
  2⤵
  PID:10532
- C:\Windows\System32\NuKXXyg.exe
  C:\Windows\System32\NuKXXyg.exe
  2⤵
  PID:10560
- C:\Windows\System32\LhYIPiB.exe
  C:\Windows\System32\LhYIPiB.exe
  2⤵
  PID:10592
- C:\Windows\System32\GzQCYji.exe
  C:\Windows\System32\GzQCYji.exe
  2⤵
  PID:10608
- C:\Windows\System32\laTSpTz.exe
  C:\Windows\System32\laTSpTz.exe
  2⤵
  PID:10644
- C:\Windows\System32\oJnrYJw.exe
  C:\Windows\System32\oJnrYJw.exe
  2⤵
  PID:10672
- C:\Windows\System32\BUacdLZ.exe
  C:\Windows\System32\BUacdLZ.exe
  2⤵
  PID:10724
- C:\Windows\System32\CWHPfct.exe
  C:\Windows\System32\CWHPfct.exe
  2⤵
  PID:10748
- C:\Windows\System32\OjBSCvm.exe
  C:\Windows\System32\OjBSCvm.exe
  2⤵
  PID:10764
- C:\Windows\System32\TiBntDk.exe
  C:\Windows\System32\TiBntDk.exe
  2⤵
  PID:10784
- C:\Windows\System32\aGqRRUZ.exe
  C:\Windows\System32\aGqRRUZ.exe
  2⤵
  PID:10804
- C:\Windows\System32\duCnKaa.exe
  C:\Windows\System32\duCnKaa.exe
  2⤵
  PID:10852
- C:\Windows\System32\sBYuzMz.exe
  C:\Windows\System32\sBYuzMz.exe
  2⤵
  PID:10868
- C:\Windows\System32\dKsBVob.exe
  C:\Windows\System32\dKsBVob.exe
  2⤵
  PID:10888
- C:\Windows\System32\HTRPaOW.exe
  C:\Windows\System32\HTRPaOW.exe
  2⤵
  PID:10928
- C:\Windows\System32\FHuEpsw.exe
  C:\Windows\System32\FHuEpsw.exe
  2⤵
  PID:10956
- C:\Windows\System32\yrdSsJj.exe
  C:\Windows\System32\yrdSsJj.exe
  2⤵
  PID:10980
- C:\Windows\System32\zqUIYWh.exe
  C:\Windows\System32\zqUIYWh.exe
  2⤵
  PID:10996
- C:\Windows\System32\WcBgAIb.exe
  C:\Windows\System32\WcBgAIb.exe
  2⤵
  PID:11016
- C:\Windows\System32\KSTlAEp.exe
  C:\Windows\System32\KSTlAEp.exe
  2⤵
  PID:11040
- C:\Windows\System32\NVAmSfM.exe
  C:\Windows\System32\NVAmSfM.exe
  2⤵
  PID:11056
- C:\Windows\System32\XzvUBmJ.exe
  C:\Windows\System32\XzvUBmJ.exe
  2⤵
  PID:11084
- C:\Windows\System32\cfdHFnq.exe
  C:\Windows\System32\cfdHFnq.exe
  2⤵
  PID:11112
- C:\Windows\System32\QYrmdVA.exe
  C:\Windows\System32\QYrmdVA.exe
  2⤵
  PID:11156
- C:\Windows\System32\aEvbArZ.exe
  C:\Windows\System32\aEvbArZ.exe
  2⤵
  PID:11204
- C:\Windows\System32\QRbszaK.exe
  C:\Windows\System32\QRbszaK.exe
  2⤵
  PID:11256
- C:\Windows\System32\PKUjCbY.exe
  C:\Windows\System32\PKUjCbY.exe
  2⤵
  PID:10256
- C:\Windows\System32\PDtilbF.exe
  C:\Windows\System32\PDtilbF.exe
  2⤵
  PID:10272
- C:\Windows\System32\LVYZoka.exe
  C:\Windows\System32\LVYZoka.exe
  2⤵
  PID:10372
- C:\Windows\System32\vrgxAcT.exe
  C:\Windows\System32\vrgxAcT.exe
  2⤵
  PID:10416
- C:\Windows\System32\vpXxsyc.exe
  C:\Windows\System32\vpXxsyc.exe
  2⤵
  PID:10480
- C:\Windows\System32\rKLzOvm.exe
  C:\Windows\System32\rKLzOvm.exe
  2⤵
  PID:10540
- C:\Windows\System32\nyoaOjZ.exe
  C:\Windows\System32\nyoaOjZ.exe
  2⤵
  PID:10640
- C:\Windows\System32\aqhFKhh.exe
  C:\Windows\System32\aqhFKhh.exe
  2⤵
  PID:10704
- C:\Windows\System32\NneIOkw.exe
  C:\Windows\System32\NneIOkw.exe
  2⤵
  PID:10776
- C:\Windows\System32\eTgfPHy.exe
  C:\Windows\System32\eTgfPHy.exe
  2⤵
  PID:10848
- C:\Windows\System32\tbWvLcY.exe
  C:\Windows\System32\tbWvLcY.exe
  2⤵
  PID:10884
- C:\Windows\System32\ueQEahG.exe
  C:\Windows\System32\ueQEahG.exe
  2⤵
  PID:10940
- C:\Windows\System32\YgCeUda.exe
  C:\Windows\System32\YgCeUda.exe
  2⤵
  PID:11008
- C:\Windows\System32\OfLlzLB.exe
  C:\Windows\System32\OfLlzLB.exe
  2⤵
  PID:10992
- C:\Windows\System32\sQBMNbC.exe
  C:\Windows\System32\sQBMNbC.exe
  2⤵
  PID:11080
- C:\Windows\System32\OgVvCGx.exe
  C:\Windows\System32\OgVvCGx.exe
  2⤵
  PID:11124
- C:\Windows\System32\ArLCLQH.exe
  C:\Windows\System32\ArLCLQH.exe
  2⤵
  PID:9648
- C:\Windows\System32\vNtBIDQ.exe
  C:\Windows\System32\vNtBIDQ.exe
  2⤵
  PID:10344
- C:\Windows\System32\GbRyaNY.exe
  C:\Windows\System32\GbRyaNY.exe
  2⤵
  PID:10460
- C:\Windows\System32\dhIkYaM.exe
  C:\Windows\System32\dhIkYaM.exe
  2⤵
  PID:10688
- C:\Windows\System32\AjOJftK.exe
  C:\Windows\System32\AjOJftK.exe
  2⤵
  PID:10792
- C:\Windows\System32\HqQlaen.exe
  C:\Windows\System32\HqQlaen.exe
  2⤵
  PID:10944
- C:\Windows\System32\IWnwXdl.exe
  C:\Windows\System32\IWnwXdl.exe
  2⤵
  PID:11104
- C:\Windows\System32\YcJtpiV.exe
  C:\Windows\System32\YcJtpiV.exe
  2⤵
  PID:11192
- C:\Windows\System32\VdRLOVP.exe
  C:\Windows\System32\VdRLOVP.exe
  2⤵
  PID:10456
- C:\Windows\System32\YpyiqXg.exe
  C:\Windows\System32\YpyiqXg.exe
  2⤵
  PID:3312
- C:\Windows\System32\gtapALb.exe
  C:\Windows\System32\gtapALb.exe
  2⤵
  PID:10756
- C:\Windows\System32\nCmWutx.exe
  C:\Windows\System32\nCmWutx.exe
  2⤵
  PID:10968
- C:\Windows\System32\RxfJejO.exe
  C:\Windows\System32\RxfJejO.exe
  2⤵
  PID:11048
- C:\Windows\System32\jppIdEO.exe
  C:\Windows\System32\jppIdEO.exe
  2⤵
  PID:11272
- C:\Windows\System32\Hrkxiiz.exe
  C:\Windows\System32\Hrkxiiz.exe
  2⤵
  PID:11308
- C:\Windows\System32\nqeAyNd.exe
  C:\Windows\System32\nqeAyNd.exe
  2⤵
  PID:11328
- C:\Windows\System32\SUiMqBz.exe
  C:\Windows\System32\SUiMqBz.exe
  2⤵
  PID:11364
- C:\Windows\System32\pRbMcYo.exe
  C:\Windows\System32\pRbMcYo.exe
  2⤵
  PID:11384
- C:\Windows\System32\PufgZxB.exe
  C:\Windows\System32\PufgZxB.exe
  2⤵
  PID:11424
- C:\Windows\System32\CEkNQnq.exe
  C:\Windows\System32\CEkNQnq.exe
  2⤵
  PID:11448
- C:\Windows\System32\SuxtlHs.exe
  C:\Windows\System32\SuxtlHs.exe
  2⤵
  PID:11472
- C:\Windows\System32\UATbPsP.exe
  C:\Windows\System32\UATbPsP.exe
  2⤵
  PID:11488
- C:\Windows\System32\PumeVMz.exe
  C:\Windows\System32\PumeVMz.exe
  2⤵
  PID:11512
- C:\Windows\System32\ggkszeC.exe
  C:\Windows\System32\ggkszeC.exe
  2⤵
  PID:11544
- C:\Windows\System32\QfesNgT.exe
  C:\Windows\System32\QfesNgT.exe
  2⤵
  PID:11584
- C:\Windows\System32\jygBdmF.exe
  C:\Windows\System32\jygBdmF.exe
  2⤵
  PID:11624
- C:\Windows\System32\orxNafi.exe
  C:\Windows\System32\orxNafi.exe
  2⤵
  PID:11640
- C:\Windows\System32\bjZHaIi.exe
  C:\Windows\System32\bjZHaIi.exe
  2⤵
  PID:11660
- C:\Windows\System32\EjCKymC.exe
  C:\Windows\System32\EjCKymC.exe
  2⤵
  PID:11696
- C:\Windows\System32\tpwMdUe.exe
  C:\Windows\System32\tpwMdUe.exe
  2⤵
  PID:11724
- C:\Windows\System32\MrmTUFQ.exe
  C:\Windows\System32\MrmTUFQ.exe
  2⤵
  PID:11740
- C:\Windows\System32\sLqHKnJ.exe
  C:\Windows\System32\sLqHKnJ.exe
  2⤵
  PID:11788
- C:\Windows\System32\bZqMYqB.exe
  C:\Windows\System32\bZqMYqB.exe
  2⤵
  PID:11812
- C:\Windows\System32\zQSxNEN.exe
  C:\Windows\System32\zQSxNEN.exe
  2⤵
  PID:11828
- C:\Windows\System32\coKuDHh.exe
  C:\Windows\System32\coKuDHh.exe
  2⤵
  PID:11852
- C:\Windows\System32\XGzxsmC.exe
  C:\Windows\System32\XGzxsmC.exe
  2⤵
  PID:11872
- C:\Windows\System32\VQTfynx.exe
  C:\Windows\System32\VQTfynx.exe
  2⤵
  PID:11940
- C:\Windows\System32\gNFNhbn.exe
  C:\Windows\System32\gNFNhbn.exe
  2⤵
  PID:11956
- C:\Windows\System32\XASYqFc.exe
  C:\Windows\System32\XASYqFc.exe
  2⤵
  PID:11984
- C:\Windows\System32\JemWnYO.exe
  C:\Windows\System32\JemWnYO.exe
  2⤵
  PID:12012
- C:\Windows\System32\wXAUGra.exe
  C:\Windows\System32\wXAUGra.exe
  2⤵
  PID:12032
- C:\Windows\System32\gJMjpDs.exe
  C:\Windows\System32\gJMjpDs.exe
  2⤵
  PID:12056
- C:\Windows\System32\seKRNMi.exe
  C:\Windows\System32\seKRNMi.exe
  2⤵
  PID:12088
- C:\Windows\System32\ALfYoUE.exe
  C:\Windows\System32\ALfYoUE.exe
  2⤵
  PID:12124
- C:\Windows\System32\vHNuIEC.exe
  C:\Windows\System32\vHNuIEC.exe
  2⤵
  PID:12152
- C:\Windows\System32\uCDBcIT.exe
  C:\Windows\System32\uCDBcIT.exe
  2⤵
  PID:12184
- C:\Windows\System32\mvjOltv.exe
  C:\Windows\System32\mvjOltv.exe
  2⤵
  PID:12212
- C:\Windows\System32\saTnNfx.exe
  C:\Windows\System32\saTnNfx.exe
  2⤵
  PID:12252
- C:\Windows\System32\QxYoYmf.exe
  C:\Windows\System32\QxYoYmf.exe
  2⤵
  PID:12280
- C:\Windows\System32\DccLtqB.exe
  C:\Windows\System32\DccLtqB.exe
  2⤵
  PID:11304
- C:\Windows\System32\kpHZbtB.exe
  C:\Windows\System32\kpHZbtB.exe
  2⤵
  PID:11336
- C:\Windows\System32\CcxYrnl.exe
  C:\Windows\System32\CcxYrnl.exe
  2⤵
  PID:11392
- C:\Windows\System32\TissdwI.exe
  C:\Windows\System32\TissdwI.exe
  2⤵
  PID:11444
- C:\Windows\System32\SgakcbY.exe
  C:\Windows\System32\SgakcbY.exe
  2⤵
  PID:11480
- C:\Windows\System32\Xvgnpff.exe
  C:\Windows\System32\Xvgnpff.exe
  2⤵
  PID:11604
- C:\Windows\System32\KNkVgvH.exe
  C:\Windows\System32\KNkVgvH.exe
  2⤵
  PID:11616
- C:\Windows\System32\SdkyBWo.exe
  C:\Windows\System32\SdkyBWo.exe
  2⤵
  PID:11636
- C:\Windows\System32\kLVOKgb.exe
  C:\Windows\System32\kLVOKgb.exe
  2⤵
  PID:11692
- C:\Windows\System32\WdSGGDK.exe
  C:\Windows\System32\WdSGGDK.exe
  2⤵
  PID:11708
- C:\Windows\System32\zapwPTv.exe
  C:\Windows\System32\zapwPTv.exe
  2⤵
  PID:11824
- C:\Windows\System32\dQTgfGF.exe
  C:\Windows\System32\dQTgfGF.exe
  2⤵
  PID:11844
- C:\Windows\System32\ddEYXAU.exe
  C:\Windows\System32\ddEYXAU.exe
  2⤵
  PID:11860
- C:\Windows\System32\YksQpDu.exe
  C:\Windows\System32\YksQpDu.exe
  2⤵
  PID:12020
- C:\Windows\System32\fAGkHWv.exe
  C:\Windows\System32\fAGkHWv.exe
  2⤵
  PID:12104
- C:\Windows\System32\jwaxGOG.exe
  C:\Windows\System32\jwaxGOG.exe
  2⤵
  PID:12172
- C:\Windows\System32\QKNsXcb.exe
  C:\Windows\System32\QKNsXcb.exe
  2⤵
  PID:11380
- C:\Windows\System32\HaHMiBl.exe
  C:\Windows\System32\HaHMiBl.exe
  2⤵
  PID:11372
- C:\Windows\System32\TllesoQ.exe
  C:\Windows\System32\TllesoQ.exe
  2⤵
  PID:11536
- C:\Windows\System32\lWDubHe.exe
  C:\Windows\System32\lWDubHe.exe
  2⤵
  PID:11736
- C:\Windows\System32\MCZXpgB.exe
  C:\Windows\System32\MCZXpgB.exe
  2⤵
  PID:11808
- C:\Windows\System32\QZXbptW.exe
  C:\Windows\System32\QZXbptW.exe
  2⤵
  PID:12236
- C:\Windows\System32\kMtuiHt.exe
  C:\Windows\System32\kMtuiHt.exe
  2⤵
  PID:12228
- C:\Windows\System32\jMoNxBT.exe
  C:\Windows\System32\jMoNxBT.exe
  2⤵
  PID:11440
- C:\Windows\System32\XMloJgy.exe
  C:\Windows\System32\XMloJgy.exe
  2⤵
  PID:11800
- C:\Windows\System32\lHLpeKB.exe
  C:\Windows\System32\lHLpeKB.exe
  2⤵
  PID:11632
- C:\Windows\System32\CgmbYdH.exe
  C:\Windows\System32\CgmbYdH.exe
  2⤵
  PID:11580
- C:\Windows\System32\tSljXeM.exe
  C:\Windows\System32\tSljXeM.exe
  2⤵
  PID:2944
- C:\Windows\System32\hnVBiYW.exe
  C:\Windows\System32\hnVBiYW.exe
  2⤵
  PID:11968
- C:\Windows\System32\nndfhSI.exe
  C:\Windows\System32\nndfhSI.exe
  2⤵
  PID:12304
- C:\Windows\System32\uyNdUxk.exe
  C:\Windows\System32\uyNdUxk.exe
  2⤵
  PID:12324
- C:\Windows\System32\xVhaDKN.exe
  C:\Windows\System32\xVhaDKN.exe
  2⤵
  PID:12344
- C:\Windows\System32\BypXMSI.exe
  C:\Windows\System32\BypXMSI.exe
  2⤵
  PID:12368
- C:\Windows\System32\wmiTRyp.exe
  C:\Windows\System32\wmiTRyp.exe
  2⤵
  PID:12384
- C:\Windows\System32\dpSnMvC.exe
  C:\Windows\System32\dpSnMvC.exe
  2⤵
  PID:12420
- C:\Windows\System32\ytZeuBB.exe
  C:\Windows\System32\ytZeuBB.exe
  2⤵
  PID:12480
- C:\Windows\System32\pgJAZro.exe
  C:\Windows\System32\pgJAZro.exe
  2⤵
  PID:12516
- C:\Windows\System32\yiqxExV.exe
  C:\Windows\System32\yiqxExV.exe
  2⤵
  PID:12544
- C:\Windows\System32\QYNEonS.exe
  C:\Windows\System32\QYNEonS.exe
  2⤵
  PID:12560
- C:\Windows\System32\eAphmTZ.exe
  C:\Windows\System32\eAphmTZ.exe
  2⤵
  PID:12588
- C:\Windows\System32\qnywjBB.exe
  C:\Windows\System32\qnywjBB.exe
  2⤵
  PID:12628
- C:\Windows\System32\DfQCwtx.exe
  C:\Windows\System32\DfQCwtx.exe
  2⤵
  PID:12652
- C:\Windows\System32\itNbqVj.exe
  C:\Windows\System32\itNbqVj.exe
  2⤵
  PID:12672
- C:\Windows\System32\CTZzPVE.exe
  C:\Windows\System32\CTZzPVE.exe
  2⤵
  PID:12696
- C:\Windows\System32\nHOthWa.exe
  C:\Windows\System32\nHOthWa.exe
  2⤵
  PID:12740
- C:\Windows\System32\EgbSFrv.exe
  C:\Windows\System32\EgbSFrv.exe
  2⤵
  PID:12764
- C:\Windows\System32\wyOOnmT.exe
  C:\Windows\System32\wyOOnmT.exe
  2⤵
  PID:12792
- C:\Windows\System32\szHHmDs.exe
  C:\Windows\System32\szHHmDs.exe
  2⤵
  PID:12884
- C:\Windows\System32\CflSsRB.exe
  C:\Windows\System32\CflSsRB.exe
  2⤵
  PID:12936
- C:\Windows\System32\xfhSwQj.exe
  C:\Windows\System32\xfhSwQj.exe
  2⤵
  PID:12952
- C:\Windows\System32\tOExZJD.exe
  C:\Windows\System32\tOExZJD.exe
  2⤵
  PID:12968
- C:\Windows\System32\hOcpCMF.exe
  C:\Windows\System32\hOcpCMF.exe
  2⤵
  PID:12984
- C:\Windows\System32\riFMKEU.exe
  C:\Windows\System32\riFMKEU.exe
  2⤵
  PID:13000
- C:\Windows\System32\nGrxYUB.exe
  C:\Windows\System32\nGrxYUB.exe
  2⤵
  PID:13016
- C:\Windows\System32\tzSyhuk.exe
  C:\Windows\System32\tzSyhuk.exe
  2⤵
  PID:13032
- C:\Windows\System32\fRoVWQT.exe
  C:\Windows\System32\fRoVWQT.exe
  2⤵
  PID:13056
- C:\Windows\System32\dJZYKyZ.exe
  C:\Windows\System32\dJZYKyZ.exe
  2⤵
  PID:13164
- C:\Windows\System32\IWpgOyb.exe
  C:\Windows\System32\IWpgOyb.exe
  2⤵
  PID:13224
- C:\Windows\System32\deddRAa.exe
  C:\Windows\System32\deddRAa.exe
  2⤵
  PID:13252
- C:\Windows\System32\BVDkypj.exe
  C:\Windows\System32\BVDkypj.exe
  2⤵
  PID:13276
- C:\Windows\System32\UHYdWRF.exe
  C:\Windows\System32\UHYdWRF.exe
  2⤵
  PID:12340
- C:\Windows\System32\UDxQuvW.exe
  C:\Windows\System32\UDxQuvW.exe
  2⤵
  PID:12336
- C:\Windows\System32\CmxZrEY.exe
  C:\Windows\System32\CmxZrEY.exe
  2⤵
  PID:12412
- C:\Windows\System32\tndHwqt.exe
  C:\Windows\System32\tndHwqt.exe
  2⤵
  PID:12452
- C:\Windows\System32\lAuvhoC.exe
  C:\Windows\System32\lAuvhoC.exe
  2⤵
  PID:12552
- C:\Windows\System32\mMUuMXW.exe
  C:\Windows\System32\mMUuMXW.exe
  2⤵
  PID:12608
- C:\Windows\System32\xVXwHUi.exe
  C:\Windows\System32\xVXwHUi.exe
  2⤵
  PID:12660
- C:\Windows\System32\Jcciuad.exe
  C:\Windows\System32\Jcciuad.exe
  2⤵
  PID:12708
- C:\Windows\System32\VRqBNAU.exe
  C:\Windows\System32\VRqBNAU.exe
  2⤵
  PID:12788
- C:\Windows\System32\NCrTswS.exe
  C:\Windows\System32\NCrTswS.exe
  2⤵
  PID:12800
- C:\Windows\System32\MliobJd.exe
  C:\Windows\System32\MliobJd.exe
  2⤵
  PID:12912

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AkyLrky.exe

Filesize
1.2MB

MD5
7f476b4b301b40034fb6dc1c42f7909c

SHA1
239d7e0b0b06e6851b952a44ad637f13900a4461

SHA256
82608b28b5ea2feb001eda34239d7848ab1367da63345f1cc002f960347c9db2

SHA512
df73ce493b8ecc9d53e36faffda4d8446b27f21e9d258b446b60cf79f4cfb66244e7d36eff08265a79030962fa47e14d6b50304dd9a8e8b6debedbe2d91d7f15

Download Submit
C:\Windows\System32\BQSUyxD.exe

Filesize
1.2MB

MD5
36b3c865767ba63b0aa0bf9c8f734af8

SHA1
c56ecffab1fa7d7dbebd47e6d7e19f4866959212

SHA256
ac0f4b1826dad43350339cfb183bd42ca8fa06236671964cd022dee23a21f589

SHA512
526ead8f12ef0d2e76002b0188e8b02eade44f280654849037b6b7471708780b9209d8882a28e268cea7a33419d3a80c080d5c139f325beeb002b6d2caaa5ea8

Download Submit
C:\Windows\System32\BsCZNRw.exe

Filesize
1.2MB

MD5
cf34e4a7a4db2dda1390891ba3f9f5ce

SHA1
2f618b4092e12663c1a954ae821381a853d03112

SHA256
6558b6d8511315867586f8f57f85c0372f381966a37c909dd05c1ebef30c9686

SHA512
157e008e81818062b2997fb0a6141c1e682e0d53ba5a99d849be60f161bb09ffecd198f49b12907cf181b077fc150d26ac6075e8480cb7f1d79506216b219760

Download Submit
C:\Windows\System32\DicRsuL.exe

Filesize
1.2MB

MD5
85012a9642278f6536117077e199cb5c

SHA1
aa595408e0dc80eab95e2d29f73059a89267f05b

SHA256
88ba6eb8f7e6c4c1d48a57d1022938ff27978bb8cf37d7ccaa98e7e55bcb8ff1

SHA512
ccba109b809f4fccf29c777525334285136f1d273f540d4a37d3846ce1f26306c2436e6996695d7ce14fec77448b1af08404bf188818ea0d3cc035604c192b00

Download Submit
C:\Windows\System32\EIEIJGw.exe

Filesize
1.2MB

MD5
8529649e9b153a6ffe88efc773b9f694

SHA1
1708f0a97c83c0fd9521df3d592405d933efcf11

SHA256
2f0ee2eda593f59053b6cbb0c6616f84407b5a3e2da9666f4cc80940c2b231d8

SHA512
e4a0350d31f6b7f8239b3ed971fe719128f5e3e95802ee4257c117cebca0f918ba2067a122c953e680fb86dde7b7e1152856c5514592174b9b83a04b44ad1468

Download Submit
C:\Windows\System32\EKMKuId.exe

Filesize
1.2MB

MD5
9886a2690a47b17c74f810605cf1c34b

SHA1
52af706912a136eaf2edeae277e4ad45010b39fe

SHA256
4756db2bdb4f19d7c14d49f5ed0d1d7a16de19fcc736b2e8b3fbdc6a0754d916

SHA512
2ed5acf35ba171617744d07dd811dbec78cd8181d6e5f657c97ea1d2dcda496dd8f1638271d23f0398348479dff4ae676eaf796853eacfc633e3d0d9489a4bb3

Download Submit
C:\Windows\System32\HtNvoOn.exe

Filesize
1.2MB

MD5
497afbc6caf7476cba55763e9dc1af98

SHA1
c505276c38d39143474a6f05e599ba79dba7cfc6

SHA256
cfcbe9013e716c4dbbe4ea70b2dacc747e9f518263d515961c7744733d172d5e

SHA512
ab57385e7f7ed14b3bad2d3eb5311304328842e3c5a83dd7cfed75aa14356b46466a4945a29985385e2289414c53efd85b4584a077fac387055c1e02daed7095

Download Submit
C:\Windows\System32\JzPAPgL.exe

Filesize
1.2MB

MD5
2576bb840c5b773ac070bfce13352572

SHA1
7547b871eeff9d08c6e17572eac7b43e5544dc59

SHA256
a1286be7c1c5d963a26cfb01707d0ea371f5b742d45d784b79d34402a2f44f09

SHA512
338ccde94875964387f9483125d5c9d1d7638448ee6876a5ecce885c0c8c85dce23cc99e0302441ddffc227b922298c8001da1465ab7dc0057740b37252c9094

Download Submit
C:\Windows\System32\KHvbWeq.exe

Filesize
1.2MB

MD5
508bc23e7ce96611fa5f75a633e72957

SHA1
e1218a1f2688a6b617e72df3202f442b1bbd2067

SHA256
cb03b814da3b10a948adfc771953e757393735fa03f9c9772af5280d6a4a4181

SHA512
2f6b9c9ed96db19084d1c5b8da1943e20be4afbed2381e37c86407cf885658acd1bb0a3e45aa6a51f11cf80f2c3b2a8010be980eed8b0cffa757453c34ae0836

Download Submit
C:\Windows\System32\KKnyQqC.exe

Filesize
1.2MB

MD5
eb7ed206e8c27f4a304311d8b6315afe

SHA1
7e03320359d0a90c9ff2c98c935d0a328397b7dd

SHA256
d0719262b2efbf08aa39282612cde20062f490325a28edc5d0583020ecc8f121

SHA512
7e24b12d3b8267f8118222e30836dca8689f3e97ec8c145842bff37672867f909cd35534b02428354b41b85db0a856e71a2ea60d26e05de26a2646d33ba13cad

Download Submit
C:\Windows\System32\KunTDsX.exe

Filesize
1.2MB

MD5
ca274db0dcc0cc7a3ee9c6e647500f1b

SHA1
2cac970302b47cd1d0bf7949076069447c71314b

SHA256
c50ec5aec8d58c8182fdd6f2e3a15ab7ab38d31efe634001293071339de6297e

SHA512
738947c6b4f35a9b077df8dd51d236eb87d13deee383f4425ca231cafc2c24c68b752df2220577a6c8740547c7077b07767cac0843f206538ce7abed9c282bfb

Download Submit
C:\Windows\System32\MjbTuXr.exe

Filesize
1.2MB

MD5
40ebab92e47e56d007b4dcea92ff4b56

SHA1
795ca74867faeab05c2603af7c905527beccfeba

SHA256
3d8941d0df81615d3dcdc5bc494057913609ddf1518fb9f7c4a4a22c374a466c

SHA512
239e6b61fce47feeda8f750be80a6571834028eff43426467c5a61029d2a20cb9bb05686ee41c24d189c5ffa88985e782fbf8fb06105db2d8e4419d5e4777516

Download Submit
C:\Windows\System32\OBEgFTd.exe

Filesize
1.2MB

MD5
9d653e83c67c779c4a20683fb3ad654d

SHA1
ca4fd4daab373dbfb42fbe045b2f2f3a42292511

SHA256
aaf9c90c9588b2e3df465e525f9592c8378993c63da9eb98a5abd21b694f7f1c

SHA512
1e14a216a559231f892f186728bdb706926d0684e501c9be11c69d4c6cc3b473b0c9cf543863bf176ef48831b149d5e7ba1647df81ea708771b5a3abd04625d9

Download Submit
C:\Windows\System32\QJMXDtS.exe

Filesize
1.2MB

MD5
21d66c43e93f96c2a3ad98dec9046a3c

SHA1
1437ae73b22f9d44f8fe7748c597983b0aee2b1c

SHA256
58b1ee3465ae1bfedd8d3b3d1b3e6c4cdbbc3c7fdec6a4b151902db33974933f

SHA512
eaf65174171e1f0a914e29bf921eced63fc24a6c78ad5504e74fdfb94defb7ad9d15dc1ea9f2d51fe83b64dc7b1fa57dd44abcd572df23fe8a7e1c169a6ed6ed

Download Submit
C:\Windows\System32\RjIURRG.exe

Filesize
1.2MB

MD5
ca6c80314d56de309191a34f57177076

SHA1
23ae4e488fc96dd89636090dd977f7cbc4354dbc

SHA256
189af193bc350ec0a4082c4f455e10515f197d59d9bd45c9e475cbde386f4ced

SHA512
d4fe32c71286ddf1ecdd2dde288943a2f1a2f175d673adccc4f20a16bc39dca56c8e461a2d91060bd236493bea11a21256ce4a47131cb36764e1908b86c4149a

Download Submit
C:\Windows\System32\UajqPGA.exe

Filesize
1.2MB

MD5
916d42b3c90640b387ee94d701de0f3a

SHA1
08bb586fe4ddb69687d4eead006c9a193259644b

SHA256
0b13f551f23d57acba73f56565b00bf718dc7680b30b6d26801577622466b61f

SHA512
3fa7c8d501c12967fd0804d69dccae278338f5350ac4682e2343d6820a9dd41d19bec13338099a58eec03c9974235bb41e953a136f324d5e762bf6fc316091a8

Download Submit
C:\Windows\System32\VQSZIGS.exe

Filesize
1.2MB

MD5
49869d2b9ab9243fb49f259cedc152bc

SHA1
97b3cd784bf8b626f8d8c0856984d11cd0869b28

SHA256
3f2546b462c530deaab8f12e7e428d7308b450b76020ae1d0eda9cdb4db77eef

SHA512
7550d73c8ff17d6a7dc05117cd0b3b5e60eaf730f9bf550005c02014c6c7851225a9277b761d861be8351bfc83c90cce417561549fa1345c00d6e8f9633bd222

Download Submit
C:\Windows\System32\VimfocG.exe

Filesize
1.2MB

MD5
9a7e6c40d7fc221670192fe5c5ea1d8c

SHA1
0f1da2b754e0840022a95205f8b4bd932baeebc0

SHA256
53db2faa9de55597f4225de921b433ab23dbc2c89877d0c647984450c0eabebf

SHA512
0ff08ab17a7793d93d283019edff125baeff357948feb9289ee385d87bb92758b41196cf70569699a42b61c765d80df07203384f6b4abac73e17c77756286846

Download Submit
C:\Windows\System32\ZfJghfx.exe

Filesize
1.2MB

MD5
2a945c16c7485fe5d5ef92f951cddf8b

SHA1
a2e21371583fd3af97be2f63e06ab48d022dcb0d

SHA256
362f5bcc173815f0b0f487bc9d51995eaba45a5c4e72bcb56743ef58ca38b545

SHA512
de2e731f272ddc073fa6a4a72f0f4f47b0ddac3247f99e57caeea5eab9743229f10b1ceb9c5282c6f5c3d175d8cafd1e6ade2d8f29c4055e974bdc9653443b22

Download Submit
C:\Windows\System32\eIqgeWE.exe

Filesize
1.2MB

MD5
fe07c8803192f6448e2a133b31eb40b6

SHA1
e97a8eb929ac1decf7b35eec13e915407a2be3e4

SHA256
7760d69b6fcaaa2805b8eb49978cbefcbae78c331ec2280e4b746fb1e33ce56a

SHA512
0ff27aaddf20fe2bdedf083878c37a7304d4fb664a956587b23649ab82eb942d91578be4e0b14098c7bc080144eee9d739cf01c590a4e7e8ea2c29220176b761

Download Submit
C:\Windows\System32\flnumlc.exe

Filesize
1.2MB

MD5
98a4adf56418b6e3a79298cfddbbcc9a

SHA1
f945a65769f8a4214f5f1a0155160fc4dbd40321

SHA256
b38f36dd37086f147e971cb247bb16a69fe70f15437950931d4a5e956bd3dcb9

SHA512
d584a88182581ab0f63fa7ba6cf3bed9faf8f7af8bcbe4940986dec091c1abaea8d0e4f41550b3af8a4c85624fdaf9c3da1c01c0e63247b8a22999ea258c15e9

Download Submit
C:\Windows\System32\gNuwXmR.exe

Filesize
1.2MB

MD5
72e9417bd10f091f42700f4e81c7866f

SHA1
4a774380eeef3bf54c862a7aa9ea116ad2c3777d

SHA256
c5a8a1ae20751d476e9f540abcd5afc55ccf01f8d1b3298d0d13719a3ec621a9

SHA512
0c23a17d9db7bfafd5a5918c19c08f36dcaffcfd88f319a5434f81ceccd42eea816143597dabfa413ef1ed56b9a165cbca5cff593b87abf8200c5e12a555d62e

Download Submit
C:\Windows\System32\jKZyaBE.exe

Filesize
1.2MB

MD5
18e4f707beaeb76708d12270d27b5802

SHA1
6ed24898060009cbea261df58260ab95758203cd

SHA256
9f78afb7576bb3b3da704b30a36532bb5b20ac7d5242dd2c900c4bc99d8fb567

SHA512
1279e3369eb51e61eede9fa631af017101cc0c4d1555936a2cfbc02eb296a1a232dc8ad7398bf21435092ec25d3129bc49fd3178a5ce8f54a35cb5cc2768eea7

Download Submit
C:\Windows\System32\kjssNIP.exe

Filesize
1.2MB

MD5
8e834d5ecbb980b842ac72b32e41c3c1

SHA1
decf0974a34e11990a4d252611d7d007dfc42c41

SHA256
43eb5b07768e5c0254d101f542b979711ee9a756c13b5ea1f3f0031b996bdda7

SHA512
67e50f85443d7121b65a3cad579be4a5cbcd6138350c464fee12a24740a4c754e6087eb11882fc3464388241767a005be1de09fdc3d7681a6f8b291bb4970a7a

Download Submit
C:\Windows\System32\lBeMnJe.exe

Filesize
1.2MB

MD5
9a43353027dab46ddbb385c04251a537

SHA1
ece09bb66644402274c8567b643887ccb821f6e8

SHA256
cc8af4692be3487f5ced3b54afe3baad2eb7369b9db1164535ae05cff8d04cc2

SHA512
b35cdad53e101550b1e1b27754c9095166110e6d785665d49e1865a0d77e3d6cca5d28a1b87af43aefac9bec20ac6b8b73ceaf67054a4cb17ddfbc0cfe054375

Download Submit
C:\Windows\System32\mfMRREQ.exe

Filesize
1.2MB

MD5
ef3ceaeac5f6d54ebc1f9afabcc9d3bf

SHA1
6a720e9de6ac8a244159c47fd48b2ce78e150855

SHA256
2f1c81e81e44b7f521a474d89b535c94045f6160501148bcb2ec7defbf900076

SHA512
52fd3ef26c5780bef1cbd76146f373ac4d36a9826e9fd50f5781d6ff42fecd3c21774ab86cfe35c0b78f6bb52e74fa043414889016403f5160938906124f8d84

Download Submit
C:\Windows\System32\nKRbQOd.exe

Filesize
1.2MB

MD5
97960291d346630f717770e6e4443eb4

SHA1
71ca515bddbc719e62fc97292ce6dfecc57357c7

SHA256
8afeb10552ce8b7ce0bdf2fb3f5385a990e6994ebfa8dd3ebc3b6d840549e250

SHA512
e9c988bd8d91027c07e8b9f11bf6cef27bc1e11a2fcf378682252e92f8c51c91af09f468f2dfad50433b45659df1fc010456360bab385ede6205e58efc94d674

Download Submit
C:\Windows\System32\pUXtPsP.exe

Filesize
1.2MB

MD5
0a327ae4e55f05d180a80a1731b9f6a7

SHA1
43f66a18ac618c5dc0e34f704f89886118cf8537

SHA256
c50473fda3bca2e4d7ee3d5a5a72d80fc2ae5c5ef7803d69697e93b16c540494

SHA512
9e7251d6a9cf2eeddcb186013b75b17d6592a772668b12c0eb64bd68947e2fa83806d34dc7410d92a68b79e8b1b5e9abeeb3cf8d5e90f6b385a173a000d1946d

Download Submit
C:\Windows\System32\qDpJMIl.exe

Filesize
1.2MB

MD5
bc20b10d834c0c3e3aaa1deff1ed91c9

SHA1
b73907ba5e140990de47129da5b278508adcb92d

SHA256
883b06467b1a2d9d23e00c56437b3efeb7dfe379fabc5b81d4c49dd6424ee0eb

SHA512
bbef328b482bcc22517d3aa3cb5b8572a8317b359482f0800108349c8edabdf7f1ba4427299e82fc8de1429bfa7f8cd1d28ad37c3b17f6da7a36a64b52fcfb23

Download Submit
C:\Windows\System32\qpaVOzm.exe

Filesize
1.2MB

MD5
24303244f1d9e913996bb847b4abea7b

SHA1
d107a9baf80d5e83e5b39ab10f36c606c1e653db

SHA256
ebd5b8a98d1371d7a4f78e0d31e14b7d59a7f75acbdaf72820f358249089ef9a

SHA512
2f2338f1f9d19c2ed1ca7b4fc183396cc20a534cffc85adfefb0808ee0392c29efbb6a23f265261a169882abcea557e6e149f1a5f479555d248b05e9d4fbb60d

Download Submit
C:\Windows\System32\rmYMGHe.exe

Filesize
1.2MB

MD5
39444ef71343cdcdbc7ffd97f3582fe8

SHA1
7f9d2e7bcaa9f4c5a58252b6e5bcd61cf900f2c6

SHA256
261bd22ce894fd5c0d70841d45bce6845ad178d8a433f401fc272d70e6b65397

SHA512
b3533d629ee06dd62a721f241629d8d080b86cb2afe4d8573dba11ffeeea4c7de4baaa88128293e79226ff71b46a30e4238779b2412f8021e9fb8be0e8185d9a

Download Submit
C:\Windows\System32\zjWpwHd.exe

Filesize
1.2MB

MD5
a03f497291be06e2421912148aae6c8f

SHA1
e46786088d33e06a518e9240a889756c2c88dd28

SHA256
c65d11057831230a639ce31e933725d94b656040f0b349c58690d87da3442c48

SHA512
208fbf29214e3b7b48169e784915fb82b4710ad1284c5758e4e1c8913c0e2df8f79307e62b63ade49323c6ec1ab35ad7dd83bf81fc780047002691f107818b55

Download Submit
memory/748-403-0x00007FF73F4A0000-0x00007FF73F891000-memory.dmp

Filesize
3.9MB

Download
memory/748-2011-0x00007FF73F4A0000-0x00007FF73F891000-memory.dmp

Filesize
3.9MB

Download
memory/752-1992-0x00007FF6A01D0000-0x00007FF6A05C1000-memory.dmp

Filesize
3.9MB

Download
memory/752-356-0x00007FF6A01D0000-0x00007FF6A05C1000-memory.dmp

Filesize
3.9MB

Download
memory/952-20-0x00007FF6B14D0000-0x00007FF6B18C1000-memory.dmp

Filesize
3.9MB

Download
memory/952-1970-0x00007FF6B14D0000-0x00007FF6B18C1000-memory.dmp

Filesize
3.9MB

Download
memory/952-1979-0x00007FF6B14D0000-0x00007FF6B18C1000-memory.dmp

Filesize
3.9MB

Download
memory/1044-1983-0x00007FF6B31C0000-0x00007FF6B35B1000-memory.dmp

Filesize
3.9MB

Download
memory/1044-32-0x00007FF6B31C0000-0x00007FF6B35B1000-memory.dmp

Filesize
3.9MB

Download
memory/1368-357-0x00007FF6987C0000-0x00007FF698BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1368-1999-0x00007FF6987C0000-0x00007FF698BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1604-388-0x00007FF77E340000-0x00007FF77E731000-memory.dmp

Filesize
3.9MB

Download
memory/1604-1996-0x00007FF77E340000-0x00007FF77E731000-memory.dmp

Filesize
3.9MB

Download
memory/1676-0-0x00007FF606880000-0x00007FF606C71000-memory.dmp

Filesize
3.9MB

Download
memory/1676-1-0x00000229AC250000-0x00000229AC260000-memory.dmp

Filesize
64KB

Download
memory/1676-1973-0x00007FF606880000-0x00007FF606C71000-memory.dmp

Filesize
3.9MB

Download
memory/1764-374-0x00007FF77B930000-0x00007FF77BD21000-memory.dmp

Filesize
3.9MB

Download
memory/1764-1990-0x00007FF77B930000-0x00007FF77BD21000-memory.dmp

Filesize
3.9MB

Download
memory/2064-2001-0x00007FF60B6B0000-0x00007FF60BAA1000-memory.dmp

Filesize
3.9MB

Download
memory/2064-395-0x00007FF60B6B0000-0x00007FF60BAA1000-memory.dmp

Filesize
3.9MB

Download
memory/2068-24-0x00007FF713960000-0x00007FF713D51000-memory.dmp

Filesize
3.9MB

Download
memory/2068-1971-0x00007FF713960000-0x00007FF713D51000-memory.dmp

Filesize
3.9MB

Download
memory/2068-1982-0x00007FF713960000-0x00007FF713D51000-memory.dmp

Filesize
3.9MB

Download
memory/2076-1988-0x00007FF757070000-0x00007FF757461000-memory.dmp

Filesize
3.9MB

Download
memory/2076-377-0x00007FF757070000-0x00007FF757461000-memory.dmp

Filesize
3.9MB

Download
memory/2268-400-0x00007FF6414B0000-0x00007FF6418A1000-memory.dmp

Filesize
3.9MB

Download
memory/2268-2005-0x00007FF6414B0000-0x00007FF6418A1000-memory.dmp

Filesize
3.9MB

Download
memory/2428-2010-0x00007FF62ECB0000-0x00007FF62F0A1000-memory.dmp

Filesize
3.9MB

Download
memory/2428-410-0x00007FF62ECB0000-0x00007FF62F0A1000-memory.dmp

Filesize
3.9MB

Download
memory/2452-392-0x00007FF707FA0000-0x00007FF708391000-memory.dmp

Filesize
3.9MB

Download
memory/2452-1994-0x00007FF707FA0000-0x00007FF708391000-memory.dmp

Filesize
3.9MB

Download
memory/2460-414-0x00007FF60D570000-0x00007FF60D961000-memory.dmp

Filesize
3.9MB

Download
memory/2460-2017-0x00007FF60D570000-0x00007FF60D961000-memory.dmp

Filesize
3.9MB

Download
memory/2620-407-0x00007FF7E3A30000-0x00007FF7E3E21000-memory.dmp

Filesize
3.9MB

Download
memory/2620-2007-0x00007FF7E3A30000-0x00007FF7E3E21000-memory.dmp

Filesize
3.9MB

Download
memory/3788-2019-0x00007FF60A400000-0x00007FF60A7F1000-memory.dmp

Filesize
3.9MB

Download
memory/3788-416-0x00007FF60A400000-0x00007FF60A7F1000-memory.dmp

Filesize
3.9MB

Download
memory/3888-1986-0x00007FF7E4110000-0x00007FF7E4501000-memory.dmp

Filesize
3.9MB

Download
memory/3888-385-0x00007FF7E4110000-0x00007FF7E4501000-memory.dmp

Filesize
3.9MB

Download
memory/3944-2077-0x00007FF6FDEC0000-0x00007FF6FE2B1000-memory.dmp

Filesize
3.9MB

Download
memory/3944-417-0x00007FF6FDEC0000-0x00007FF6FE2B1000-memory.dmp

Filesize
3.9MB

Download
memory/4076-413-0x00007FF759B90000-0x00007FF759F81000-memory.dmp

Filesize
3.9MB

Download
memory/4076-2013-0x00007FF759B90000-0x00007FF759F81000-memory.dmp

Filesize
3.9MB

Download
memory/4128-1997-0x00007FF7BDAE0000-0x00007FF7BDED1000-memory.dmp

Filesize
3.9MB

Download
memory/4128-361-0x00007FF7BDAE0000-0x00007FF7BDED1000-memory.dmp

Filesize
3.9MB

Download
memory/4408-415-0x00007FF761CA0000-0x00007FF762091000-memory.dmp

Filesize
3.9MB

Download
memory/4408-2015-0x00007FF761CA0000-0x00007FF762091000-memory.dmp

Filesize
3.9MB

Download
memory/4484-1977-0x00007FF759CE0000-0x00007FF75A0D1000-memory.dmp

Filesize
3.9MB

Download
memory/4484-13-0x00007FF759CE0000-0x00007FF75A0D1000-memory.dmp

Filesize
3.9MB

Download
memory/4484-1937-0x00007FF759CE0000-0x00007FF75A0D1000-memory.dmp

Filesize
3.9MB

Download
memory/4544-1975-0x00007FF6D0FF0000-0x00007FF6D13E1000-memory.dmp

Filesize
3.9MB

Download
memory/4544-8-0x00007FF6D0FF0000-0x00007FF6D13E1000-memory.dmp

Filesize
3.9MB

Download
memory/4544-1936-0x00007FF6D0FF0000-0x00007FF6D13E1000-memory.dmp

Filesize
3.9MB

Download
memory/4756-2004-0x00007FF798130000-0x00007FF798521000-memory.dmp

Filesize
3.9MB

Download
memory/4756-398-0x00007FF798130000-0x00007FF798521000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads