xmrig | 446633f25670ae49b4d76b41b7945f4eed2513cc58956a1aa60ba73801457bab

Analysis

max time kernel
102s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a562c94799f429c4fe52bb25313da10N.exe
Size

1.4MB
MD5

5a562c94799f429c4fe52bb25313da10
SHA1

1d7df8d444f753a5477b4c7f07470a591da3fbc5
SHA256

446633f25670ae49b4d76b41b7945f4eed2513cc58956a1aa60ba73801457bab
SHA512

e90feb01e7aea61878de758b05cb35bd213eb90bc1b3689f7a5abebdb3cda502b745572e09cdb13e59d315b00d336f4fad71272698e90e502a6808b94266bbdf
SSDEEP

24576:JanwhSe11QSONCpGJCjETPl+Me7bPMS8Ykgc66HVFZIURK+1+jk4eui2LhP+pX:knw9oUUEEDl+xTMS8Tg4nZIURZkVPg

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/4532-25-0x00007FF6AFCB0000-0x00007FF6B00A1000-memory.dmp	xmrig
behavioral2/memory/4364-28-0x00007FF71F790000-0x00007FF71FB81000-memory.dmp	xmrig
behavioral2/memory/3944-407-0x00007FF647A40000-0x00007FF647E31000-memory.dmp	xmrig
behavioral2/memory/3260-409-0x00007FF7BC320000-0x00007FF7BC711000-memory.dmp	xmrig
behavioral2/memory/1932-408-0x00007FF70DBE0000-0x00007FF70DFD1000-memory.dmp	xmrig
behavioral2/memory/1100-405-0x00007FF6ACC90000-0x00007FF6AD081000-memory.dmp	xmrig
behavioral2/memory/3624-411-0x00007FF724CD0000-0x00007FF7250C1000-memory.dmp	xmrig
behavioral2/memory/4760-412-0x00007FF785420000-0x00007FF785811000-memory.dmp	xmrig
behavioral2/memory/3464-414-0x00007FF6EC1C0000-0x00007FF6EC5B1000-memory.dmp	xmrig
behavioral2/memory/4216-413-0x00007FF67F680000-0x00007FF67FA71000-memory.dmp	xmrig
behavioral2/memory/2720-410-0x00007FF73DD40000-0x00007FF73E131000-memory.dmp	xmrig
behavioral2/memory/4884-90-0x00007FF6A2F00000-0x00007FF6A32F1000-memory.dmp	xmrig
behavioral2/memory/2416-81-0x00007FF7D6B90000-0x00007FF7D6F81000-memory.dmp	xmrig
behavioral2/memory/2092-37-0x00007FF7E0DB0000-0x00007FF7E11A1000-memory.dmp	xmrig
behavioral2/memory/3508-1165-0x00007FF60B5E0000-0x00007FF60B9D1000-memory.dmp	xmrig
behavioral2/memory/1260-1999-0x00007FF6946B0000-0x00007FF694AA1000-memory.dmp	xmrig
behavioral2/memory/2472-2000-0x00007FF74A150000-0x00007FF74A541000-memory.dmp	xmrig
behavioral2/memory/1948-2001-0x00007FF7D5990000-0x00007FF7D5D81000-memory.dmp	xmrig
behavioral2/memory/668-2002-0x00007FF610680000-0x00007FF610A71000-memory.dmp	xmrig
behavioral2/memory/2416-2003-0x00007FF7D6B90000-0x00007FF7D6F81000-memory.dmp	xmrig
behavioral2/memory/456-2010-0x00007FF675690000-0x00007FF675A81000-memory.dmp	xmrig
behavioral2/memory/324-2009-0x00007FF723B80000-0x00007FF723F71000-memory.dmp	xmrig
behavioral2/memory/4884-2013-0x00007FF6A2F00000-0x00007FF6A32F1000-memory.dmp	xmrig
behavioral2/memory/1100-2040-0x00007FF6ACC90000-0x00007FF6AD081000-memory.dmp	xmrig
behavioral2/memory/1284-2044-0x00007FF64EEC0000-0x00007FF64F2B1000-memory.dmp	xmrig
behavioral2/memory/1468-2042-0x00007FF7CA4C0000-0x00007FF7CA8B1000-memory.dmp	xmrig
behavioral2/memory/3944-2053-0x00007FF647A40000-0x00007FF647E31000-memory.dmp	xmrig
behavioral2/memory/4364-2055-0x00007FF71F790000-0x00007FF71FB81000-memory.dmp	xmrig
behavioral2/memory/2092-2059-0x00007FF7E0DB0000-0x00007FF7E11A1000-memory.dmp	xmrig
behavioral2/memory/4532-2061-0x00007FF6AFCB0000-0x00007FF6B00A1000-memory.dmp	xmrig
behavioral2/memory/3508-2058-0x00007FF60B5E0000-0x00007FF60B9D1000-memory.dmp	xmrig
behavioral2/memory/2824-2063-0x00007FF718B70000-0x00007FF718F61000-memory.dmp	xmrig
behavioral2/memory/1948-2065-0x00007FF7D5990000-0x00007FF7D5D81000-memory.dmp	xmrig
behavioral2/memory/2472-2067-0x00007FF74A150000-0x00007FF74A541000-memory.dmp	xmrig
behavioral2/memory/1260-2069-0x00007FF6946B0000-0x00007FF694AA1000-memory.dmp	xmrig
behavioral2/memory/2416-2071-0x00007FF7D6B90000-0x00007FF7D6F81000-memory.dmp	xmrig
behavioral2/memory/668-2075-0x00007FF610680000-0x00007FF610A71000-memory.dmp	xmrig
behavioral2/memory/456-2073-0x00007FF675690000-0x00007FF675A81000-memory.dmp	xmrig
behavioral2/memory/1488-2079-0x00007FF77A370000-0x00007FF77A761000-memory.dmp	xmrig
behavioral2/memory/1932-2087-0x00007FF70DBE0000-0x00007FF70DFD1000-memory.dmp	xmrig
behavioral2/memory/3624-2091-0x00007FF724CD0000-0x00007FF7250C1000-memory.dmp	xmrig
behavioral2/memory/4216-2095-0x00007FF67F680000-0x00007FF67FA71000-memory.dmp	xmrig
behavioral2/memory/3260-2089-0x00007FF7BC320000-0x00007FF7BC711000-memory.dmp	xmrig
behavioral2/memory/1284-2085-0x00007FF64EEC0000-0x00007FF64F2B1000-memory.dmp	xmrig
behavioral2/memory/2720-2083-0x00007FF73DD40000-0x00007FF73E131000-memory.dmp	xmrig
behavioral2/memory/1468-2081-0x00007FF7CA4C0000-0x00007FF7CA8B1000-memory.dmp	xmrig
behavioral2/memory/4884-2077-0x00007FF6A2F00000-0x00007FF6A32F1000-memory.dmp	xmrig
behavioral2/memory/4760-2093-0x00007FF785420000-0x00007FF785811000-memory.dmp	xmrig
behavioral2/memory/3464-2097-0x00007FF6EC1C0000-0x00007FF6EC5B1000-memory.dmp	xmrig
behavioral2/memory/324-2213-0x00007FF723B80000-0x00007FF723F71000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3944	JZoHxib.exe
4364	CUpADpm.exe
3508	omoYhfO.exe
4532	ihuNmKE.exe
2092	RhLsqLu.exe
2824	zjDtdMr.exe
1260	UhNpLSq.exe
2472	KqOabMU.exe
1948	xNELVnQ.exe
668	weBwLmX.exe
456	yzOKDDk.exe
2416	yRTwNQX.exe
4884	iPDbIqT.exe
1488	BqjcrHz.exe
324	IqIHmPT.exe
1468	WSbmcNG.exe
1284	tibMcEj.exe
1932	IzsSKat.exe
3260	XoRqHdD.exe
2720	kGbeOOo.exe
3624	aNJBxMA.exe
4760	xTDgGTv.exe
4216	WQTcygS.exe
3464	cIoyVPR.exe
3300	CeqgQQW.exe
3524	rYONmSI.exe
4544	hnmEGQP.exe
1348	rPVCElx.exe
3172	VRunYKV.exe
2676	IgqZbWj.exe
1916	GCKfFAY.exe
1756	UlbODbM.exe
3420	luiUntp.exe
3036	DpFpDAQ.exe
4068	qFLWaic.exe
4236	RSnMgYN.exe
1328	bdHqDqx.exe
2896	PqXUbHB.exe
4492	OKfxZRF.exe
4304	fyPZMnj.exe
2016	sFmjXPx.exe
2784	XkENkmd.exe
2604	lsTMwgp.exe
2680	wTvIYvx.exe
4264	RjpPPJV.exe
824	ydVlcLH.exe
3864	qdjELRQ.exe
644	dhqarrQ.exe
1556	MKRlpaf.exe
740	dzKeJUD.exe
2404	BcQecYP.exe
2272	rMFlIHl.exe
2076	QDhPgwa.exe
4860	hPvPsxI.exe
4476	EpzXDeG.exe
3372	ZHXVtst.exe
2316	oUpVuGH.exe
3380	RUFxjTM.exe
4032	vauAjjo.exe
1004	kghfOib.exe
2568	OYTEaQY.exe
4312	ynHqmZA.exe
1980	nhyPqNr.exe
4060	vXbdrrh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1100-0-0x00007FF6ACC90000-0x00007FF6AD081000-memory.dmp	upx
behavioral2/files/0x0009000000023447-5.dat	upx
behavioral2/files/0x000700000002344f-15.dat	upx
behavioral2/files/0x000700000002344e-14.dat	upx
behavioral2/memory/4532-25-0x00007FF6AFCB0000-0x00007FF6B00A1000-memory.dmp	upx
behavioral2/files/0x0007000000023450-30.dat	upx
behavioral2/memory/4364-28-0x00007FF71F790000-0x00007FF71FB81000-memory.dmp	upx
behavioral2/memory/3508-23-0x00007FF60B5E0000-0x00007FF60B9D1000-memory.dmp	upx
behavioral2/memory/3944-18-0x00007FF647A40000-0x00007FF647E31000-memory.dmp	upx
behavioral2/files/0x000800000002344a-17.dat	upx
behavioral2/files/0x0007000000023451-34.dat	upx
behavioral2/files/0x0007000000023452-39.dat	upx
behavioral2/files/0x0007000000023456-57.dat	upx
behavioral2/files/0x0007000000023453-65.dat	upx
behavioral2/files/0x0007000000023457-83.dat	upx
behavioral2/files/0x000700000002345a-87.dat	upx
behavioral2/files/0x000700000002345b-91.dat	upx
behavioral2/files/0x0007000000023459-96.dat	upx
behavioral2/files/0x0007000000023460-130.dat	upx
behavioral2/files/0x0007000000023462-140.dat	upx
behavioral2/files/0x0007000000023464-150.dat	upx
behavioral2/files/0x0007000000023466-160.dat	upx
behavioral2/files/0x0007000000023468-170.dat	upx
behavioral2/memory/3944-407-0x00007FF647A40000-0x00007FF647E31000-memory.dmp	upx
behavioral2/memory/3260-409-0x00007FF7BC320000-0x00007FF7BC711000-memory.dmp	upx
behavioral2/memory/1932-408-0x00007FF70DBE0000-0x00007FF70DFD1000-memory.dmp	upx
behavioral2/memory/1100-405-0x00007FF6ACC90000-0x00007FF6AD081000-memory.dmp	upx
behavioral2/memory/3624-411-0x00007FF724CD0000-0x00007FF7250C1000-memory.dmp	upx
behavioral2/memory/4760-412-0x00007FF785420000-0x00007FF785811000-memory.dmp	upx
behavioral2/memory/3464-414-0x00007FF6EC1C0000-0x00007FF6EC5B1000-memory.dmp	upx
behavioral2/memory/4216-413-0x00007FF67F680000-0x00007FF67FA71000-memory.dmp	upx
behavioral2/memory/2720-410-0x00007FF73DD40000-0x00007FF73E131000-memory.dmp	upx
behavioral2/files/0x000700000002346b-178.dat	upx
behavioral2/files/0x000700000002346a-175.dat	upx
behavioral2/files/0x0007000000023469-172.dat	upx
behavioral2/files/0x0007000000023467-165.dat	upx
behavioral2/files/0x0007000000023465-155.dat	upx
behavioral2/files/0x0007000000023463-145.dat	upx
behavioral2/files/0x0007000000023461-135.dat	upx
behavioral2/files/0x000700000002345f-125.dat	upx
behavioral2/files/0x000700000002345e-120.dat	upx
behavioral2/files/0x000700000002345d-112.dat	upx
behavioral2/files/0x000700000002345c-110.dat	upx
behavioral2/memory/1284-100-0x00007FF64EEC0000-0x00007FF64F2B1000-memory.dmp	upx
behavioral2/memory/1468-98-0x00007FF7CA4C0000-0x00007FF7CA8B1000-memory.dmp	upx
behavioral2/files/0x0007000000023458-94.dat	upx
behavioral2/memory/1488-93-0x00007FF77A370000-0x00007FF77A761000-memory.dmp	upx
behavioral2/memory/4884-90-0x00007FF6A2F00000-0x00007FF6A32F1000-memory.dmp	upx
behavioral2/memory/456-89-0x00007FF675690000-0x00007FF675A81000-memory.dmp	upx
behavioral2/memory/324-84-0x00007FF723B80000-0x00007FF723F71000-memory.dmp	upx
behavioral2/memory/2416-81-0x00007FF7D6B90000-0x00007FF7D6F81000-memory.dmp	upx
behavioral2/files/0x0007000000023455-75.dat	upx
behavioral2/memory/668-69-0x00007FF610680000-0x00007FF610A71000-memory.dmp	upx
behavioral2/files/0x000800000002344b-64.dat	upx
behavioral2/memory/1948-60-0x00007FF7D5990000-0x00007FF7D5D81000-memory.dmp	upx
behavioral2/files/0x0007000000023454-63.dat	upx
behavioral2/memory/2472-54-0x00007FF74A150000-0x00007FF74A541000-memory.dmp	upx
behavioral2/memory/1260-48-0x00007FF6946B0000-0x00007FF694AA1000-memory.dmp	upx
behavioral2/memory/2824-40-0x00007FF718B70000-0x00007FF718F61000-memory.dmp	upx
behavioral2/memory/2092-37-0x00007FF7E0DB0000-0x00007FF7E11A1000-memory.dmp	upx
behavioral2/memory/3508-1165-0x00007FF60B5E0000-0x00007FF60B9D1000-memory.dmp	upx
behavioral2/memory/1260-1999-0x00007FF6946B0000-0x00007FF694AA1000-memory.dmp	upx
behavioral2/memory/2472-2000-0x00007FF74A150000-0x00007FF74A541000-memory.dmp	upx
behavioral2/memory/1948-2001-0x00007FF7D5990000-0x00007FF7D5D81000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\XkENkmd.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\MkTSaCC.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\faxTcgO.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\RjpPPJV.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\mwDlxkc.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\lwUxGGp.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\cmMXCVw.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\uEDWsLJ.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\sfrhiIx.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\KizPeDp.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\WSbmcNG.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\XQCupIx.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\KNjWLzY.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\KKjizxU.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\JEyWYVH.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\Masgfip.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\teeTbXf.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\kGbeOOo.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\ydVlcLH.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\DlRDOHa.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\qkxMWlj.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\JEsiRwF.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\JPHMUHZ.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\iXDcoep.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\LdLdYgp.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\QDhPgwa.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\pkapjFM.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\hAJPmoy.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\ndnHOfT.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\BNWjQkE.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\UhNpLSq.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\LEdPTrn.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\NKzACNH.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\ThXZrqW.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\ktRlIVd.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\vkLwvqf.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\njrcKgu.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\zjDtdMr.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\BcpvLWX.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\AOiryuo.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\eyNugJr.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\bPkMEXE.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\SVegUZv.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\JoBGWMj.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\qHBEHGD.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\fBNmPqL.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\bGIBapo.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\rjIzjCb.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\nUSgfPH.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\HfgHoLN.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\oymodum.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\qIpijWF.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\kVvneVt.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\IBhdGam.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\DKZfTnv.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\yKAyGRn.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\mgLYyKu.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\ogCcjMU.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\kghfOib.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\QzhjJFW.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\dPtLJjp.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\CVUGUHh.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\uTgIAIn.exe	5a562c94799f429c4fe52bb25313da10N.exe
File created	C:\Windows\System32\BExezHu.exe	5a562c94799f429c4fe52bb25313da10N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13028	dwm.exe
Token: SeChangeNotifyPrivilege	13028	dwm.exe
Token: 33	13028	dwm.exe
Token: SeIncBasePriorityPrivilege	13028	dwm.exe
Token: SeShutdownPrivilege	13028	dwm.exe
Token: SeCreatePagefilePrivilege	13028	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3944	1100	5a562c94799f429c4fe52bb25313da10N.exe	85
PID 1100 wrote to memory of 3944	1100	5a562c94799f429c4fe52bb25313da10N.exe	85
PID 1100 wrote to memory of 4364	1100	5a562c94799f429c4fe52bb25313da10N.exe	86
PID 1100 wrote to memory of 4364	1100	5a562c94799f429c4fe52bb25313da10N.exe	86
PID 1100 wrote to memory of 3508	1100	5a562c94799f429c4fe52bb25313da10N.exe	87
PID 1100 wrote to memory of 3508	1100	5a562c94799f429c4fe52bb25313da10N.exe	87
PID 1100 wrote to memory of 4532	1100	5a562c94799f429c4fe52bb25313da10N.exe	88
PID 1100 wrote to memory of 4532	1100	5a562c94799f429c4fe52bb25313da10N.exe	88
PID 1100 wrote to memory of 2092	1100	5a562c94799f429c4fe52bb25313da10N.exe	89
PID 1100 wrote to memory of 2092	1100	5a562c94799f429c4fe52bb25313da10N.exe	89
PID 1100 wrote to memory of 2824	1100	5a562c94799f429c4fe52bb25313da10N.exe	90
PID 1100 wrote to memory of 2824	1100	5a562c94799f429c4fe52bb25313da10N.exe	90
PID 1100 wrote to memory of 1260	1100	5a562c94799f429c4fe52bb25313da10N.exe	91
PID 1100 wrote to memory of 1260	1100	5a562c94799f429c4fe52bb25313da10N.exe	91
PID 1100 wrote to memory of 2472	1100	5a562c94799f429c4fe52bb25313da10N.exe	92
PID 1100 wrote to memory of 2472	1100	5a562c94799f429c4fe52bb25313da10N.exe	92
PID 1100 wrote to memory of 1948	1100	5a562c94799f429c4fe52bb25313da10N.exe	93
PID 1100 wrote to memory of 1948	1100	5a562c94799f429c4fe52bb25313da10N.exe	93
PID 1100 wrote to memory of 668	1100	5a562c94799f429c4fe52bb25313da10N.exe	94
PID 1100 wrote to memory of 668	1100	5a562c94799f429c4fe52bb25313da10N.exe	94
PID 1100 wrote to memory of 456	1100	5a562c94799f429c4fe52bb25313da10N.exe	95
PID 1100 wrote to memory of 456	1100	5a562c94799f429c4fe52bb25313da10N.exe	95
PID 1100 wrote to memory of 2416	1100	5a562c94799f429c4fe52bb25313da10N.exe	96
PID 1100 wrote to memory of 2416	1100	5a562c94799f429c4fe52bb25313da10N.exe	96
PID 1100 wrote to memory of 4884	1100	5a562c94799f429c4fe52bb25313da10N.exe	97
PID 1100 wrote to memory of 4884	1100	5a562c94799f429c4fe52bb25313da10N.exe	97
PID 1100 wrote to memory of 1488	1100	5a562c94799f429c4fe52bb25313da10N.exe	98
PID 1100 wrote to memory of 1488	1100	5a562c94799f429c4fe52bb25313da10N.exe	98
PID 1100 wrote to memory of 324	1100	5a562c94799f429c4fe52bb25313da10N.exe	99
PID 1100 wrote to memory of 324	1100	5a562c94799f429c4fe52bb25313da10N.exe	99
PID 1100 wrote to memory of 1468	1100	5a562c94799f429c4fe52bb25313da10N.exe	100
PID 1100 wrote to memory of 1468	1100	5a562c94799f429c4fe52bb25313da10N.exe	100
PID 1100 wrote to memory of 1284	1100	5a562c94799f429c4fe52bb25313da10N.exe	101
PID 1100 wrote to memory of 1284	1100	5a562c94799f429c4fe52bb25313da10N.exe	101
PID 1100 wrote to memory of 1932	1100	5a562c94799f429c4fe52bb25313da10N.exe	102
PID 1100 wrote to memory of 1932	1100	5a562c94799f429c4fe52bb25313da10N.exe	102
PID 1100 wrote to memory of 3260	1100	5a562c94799f429c4fe52bb25313da10N.exe	103
PID 1100 wrote to memory of 3260	1100	5a562c94799f429c4fe52bb25313da10N.exe	103
PID 1100 wrote to memory of 2720	1100	5a562c94799f429c4fe52bb25313da10N.exe	104
PID 1100 wrote to memory of 2720	1100	5a562c94799f429c4fe52bb25313da10N.exe	104
PID 1100 wrote to memory of 3624	1100	5a562c94799f429c4fe52bb25313da10N.exe	105
PID 1100 wrote to memory of 3624	1100	5a562c94799f429c4fe52bb25313da10N.exe	105
PID 1100 wrote to memory of 4760	1100	5a562c94799f429c4fe52bb25313da10N.exe	106
PID 1100 wrote to memory of 4760	1100	5a562c94799f429c4fe52bb25313da10N.exe	106
PID 1100 wrote to memory of 4216	1100	5a562c94799f429c4fe52bb25313da10N.exe	107
PID 1100 wrote to memory of 4216	1100	5a562c94799f429c4fe52bb25313da10N.exe	107
PID 1100 wrote to memory of 3464	1100	5a562c94799f429c4fe52bb25313da10N.exe	108
PID 1100 wrote to memory of 3464	1100	5a562c94799f429c4fe52bb25313da10N.exe	108
PID 1100 wrote to memory of 3300	1100	5a562c94799f429c4fe52bb25313da10N.exe	109
PID 1100 wrote to memory of 3300	1100	5a562c94799f429c4fe52bb25313da10N.exe	109
PID 1100 wrote to memory of 3524	1100	5a562c94799f429c4fe52bb25313da10N.exe	110
PID 1100 wrote to memory of 3524	1100	5a562c94799f429c4fe52bb25313da10N.exe	110
PID 1100 wrote to memory of 4544	1100	5a562c94799f429c4fe52bb25313da10N.exe	111
PID 1100 wrote to memory of 4544	1100	5a562c94799f429c4fe52bb25313da10N.exe	111
PID 1100 wrote to memory of 1348	1100	5a562c94799f429c4fe52bb25313da10N.exe	112
PID 1100 wrote to memory of 1348	1100	5a562c94799f429c4fe52bb25313da10N.exe	112
PID 1100 wrote to memory of 3172	1100	5a562c94799f429c4fe52bb25313da10N.exe	113
PID 1100 wrote to memory of 3172	1100	5a562c94799f429c4fe52bb25313da10N.exe	113
PID 1100 wrote to memory of 2676	1100	5a562c94799f429c4fe52bb25313da10N.exe	114
PID 1100 wrote to memory of 2676	1100	5a562c94799f429c4fe52bb25313da10N.exe	114
PID 1100 wrote to memory of 1916	1100	5a562c94799f429c4fe52bb25313da10N.exe	115
PID 1100 wrote to memory of 1916	1100	5a562c94799f429c4fe52bb25313da10N.exe	115
PID 1100 wrote to memory of 1756	1100	5a562c94799f429c4fe52bb25313da10N.exe	116
PID 1100 wrote to memory of 1756	1100	5a562c94799f429c4fe52bb25313da10N.exe	116

C:\Users\Admin\AppData\Local\Temp\5a562c94799f429c4fe52bb25313da10N.exe
"C:\Users\Admin\AppData\Local\Temp\5a562c94799f429c4fe52bb25313da10N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\System32\JZoHxib.exe
  C:\Windows\System32\JZoHxib.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\CUpADpm.exe
  C:\Windows\System32\CUpADpm.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System32\omoYhfO.exe
  C:\Windows\System32\omoYhfO.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System32\ihuNmKE.exe
  C:\Windows\System32\ihuNmKE.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System32\RhLsqLu.exe
  C:\Windows\System32\RhLsqLu.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System32\zjDtdMr.exe
  C:\Windows\System32\zjDtdMr.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System32\UhNpLSq.exe
  C:\Windows\System32\UhNpLSq.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System32\KqOabMU.exe
  C:\Windows\System32\KqOabMU.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\xNELVnQ.exe
  C:\Windows\System32\xNELVnQ.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System32\weBwLmX.exe
  C:\Windows\System32\weBwLmX.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System32\yzOKDDk.exe
  C:\Windows\System32\yzOKDDk.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System32\yRTwNQX.exe
  C:\Windows\System32\yRTwNQX.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\iPDbIqT.exe
  C:\Windows\System32\iPDbIqT.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\BqjcrHz.exe
  C:\Windows\System32\BqjcrHz.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System32\IqIHmPT.exe
  C:\Windows\System32\IqIHmPT.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System32\WSbmcNG.exe
  C:\Windows\System32\WSbmcNG.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System32\tibMcEj.exe
  C:\Windows\System32\tibMcEj.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System32\IzsSKat.exe
  C:\Windows\System32\IzsSKat.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\XoRqHdD.exe
  C:\Windows\System32\XoRqHdD.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\kGbeOOo.exe
  C:\Windows\System32\kGbeOOo.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System32\aNJBxMA.exe
  C:\Windows\System32\aNJBxMA.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\xTDgGTv.exe
  C:\Windows\System32\xTDgGTv.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System32\WQTcygS.exe
  C:\Windows\System32\WQTcygS.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System32\cIoyVPR.exe
  C:\Windows\System32\cIoyVPR.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\CeqgQQW.exe
  C:\Windows\System32\CeqgQQW.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System32\rYONmSI.exe
  C:\Windows\System32\rYONmSI.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System32\hnmEGQP.exe
  C:\Windows\System32\hnmEGQP.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\rPVCElx.exe
  C:\Windows\System32\rPVCElx.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System32\VRunYKV.exe
  C:\Windows\System32\VRunYKV.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\IgqZbWj.exe
  C:\Windows\System32\IgqZbWj.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System32\GCKfFAY.exe
  C:\Windows\System32\GCKfFAY.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\UlbODbM.exe
  C:\Windows\System32\UlbODbM.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\luiUntp.exe
  C:\Windows\System32\luiUntp.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System32\DpFpDAQ.exe
  C:\Windows\System32\DpFpDAQ.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\qFLWaic.exe
  C:\Windows\System32\qFLWaic.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System32\RSnMgYN.exe
  C:\Windows\System32\RSnMgYN.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\bdHqDqx.exe
  C:\Windows\System32\bdHqDqx.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System32\PqXUbHB.exe
  C:\Windows\System32\PqXUbHB.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\OKfxZRF.exe
  C:\Windows\System32\OKfxZRF.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\fyPZMnj.exe
  C:\Windows\System32\fyPZMnj.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\sFmjXPx.exe
  C:\Windows\System32\sFmjXPx.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System32\XkENkmd.exe
  C:\Windows\System32\XkENkmd.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System32\lsTMwgp.exe
  C:\Windows\System32\lsTMwgp.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System32\wTvIYvx.exe
  C:\Windows\System32\wTvIYvx.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System32\RjpPPJV.exe
  C:\Windows\System32\RjpPPJV.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System32\ydVlcLH.exe
  C:\Windows\System32\ydVlcLH.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System32\qdjELRQ.exe
  C:\Windows\System32\qdjELRQ.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\dhqarrQ.exe
  C:\Windows\System32\dhqarrQ.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System32\MKRlpaf.exe
  C:\Windows\System32\MKRlpaf.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System32\dzKeJUD.exe
  C:\Windows\System32\dzKeJUD.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\BcQecYP.exe
  C:\Windows\System32\BcQecYP.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\rMFlIHl.exe
  C:\Windows\System32\rMFlIHl.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System32\QDhPgwa.exe
  C:\Windows\System32\QDhPgwa.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\hPvPsxI.exe
  C:\Windows\System32\hPvPsxI.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\EpzXDeG.exe
  C:\Windows\System32\EpzXDeG.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\ZHXVtst.exe
  C:\Windows\System32\ZHXVtst.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System32\oUpVuGH.exe
  C:\Windows\System32\oUpVuGH.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\RUFxjTM.exe
  C:\Windows\System32\RUFxjTM.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System32\vauAjjo.exe
  C:\Windows\System32\vauAjjo.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\kghfOib.exe
  C:\Windows\System32\kghfOib.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System32\OYTEaQY.exe
  C:\Windows\System32\OYTEaQY.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System32\ynHqmZA.exe
  C:\Windows\System32\ynHqmZA.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\nhyPqNr.exe
  C:\Windows\System32\nhyPqNr.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\vXbdrrh.exe
  C:\Windows\System32\vXbdrrh.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\kvdIIfJ.exe
  C:\Windows\System32\kvdIIfJ.exe
  2⤵
  PID:2012
- C:\Windows\System32\kVvneVt.exe
  C:\Windows\System32\kVvneVt.exe
  2⤵
  PID:1572
- C:\Windows\System32\TYZtyMR.exe
  C:\Windows\System32\TYZtyMR.exe
  2⤵
  PID:2252
- C:\Windows\System32\XQCupIx.exe
  C:\Windows\System32\XQCupIx.exe
  2⤵
  PID:1688
- C:\Windows\System32\iPARoZW.exe
  C:\Windows\System32\iPARoZW.exe
  2⤵
  PID:1624
- C:\Windows\System32\mjlnwZJ.exe
  C:\Windows\System32\mjlnwZJ.exe
  2⤵
  PID:2808
- C:\Windows\System32\NzdPyNV.exe
  C:\Windows\System32\NzdPyNV.exe
  2⤵
  PID:4124
- C:\Windows\System32\lkcIrOz.exe
  C:\Windows\System32\lkcIrOz.exe
  2⤵
  PID:1212
- C:\Windows\System32\KrLuuse.exe
  C:\Windows\System32\KrLuuse.exe
  2⤵
  PID:5140
- C:\Windows\System32\hPPBNtw.exe
  C:\Windows\System32\hPPBNtw.exe
  2⤵
  PID:5164
- C:\Windows\System32\GENWkPn.exe
  C:\Windows\System32\GENWkPn.exe
  2⤵
  PID:5200
- C:\Windows\System32\wNmSVdQ.exe
  C:\Windows\System32\wNmSVdQ.exe
  2⤵
  PID:5224
- C:\Windows\System32\GPJWBxu.exe
  C:\Windows\System32\GPJWBxu.exe
  2⤵
  PID:5252
- C:\Windows\System32\TWSKJzR.exe
  C:\Windows\System32\TWSKJzR.exe
  2⤵
  PID:5276
- C:\Windows\System32\drDtaQw.exe
  C:\Windows\System32\drDtaQw.exe
  2⤵
  PID:5304
- C:\Windows\System32\TJVIzAn.exe
  C:\Windows\System32\TJVIzAn.exe
  2⤵
  PID:5332
- C:\Windows\System32\TNCiuVU.exe
  C:\Windows\System32\TNCiuVU.exe
  2⤵
  PID:5360
- C:\Windows\System32\qUNONVf.exe
  C:\Windows\System32\qUNONVf.exe
  2⤵
  PID:5388
- C:\Windows\System32\pITtHbL.exe
  C:\Windows\System32\pITtHbL.exe
  2⤵
  PID:5420
- C:\Windows\System32\ThXZrqW.exe
  C:\Windows\System32\ThXZrqW.exe
  2⤵
  PID:5448
- C:\Windows\System32\KmJQbLX.exe
  C:\Windows\System32\KmJQbLX.exe
  2⤵
  PID:5480
- C:\Windows\System32\ZpXCKEp.exe
  C:\Windows\System32\ZpXCKEp.exe
  2⤵
  PID:5500
- C:\Windows\System32\jBWrnAl.exe
  C:\Windows\System32\jBWrnAl.exe
  2⤵
  PID:5536
- C:\Windows\System32\omxuiQL.exe
  C:\Windows\System32\omxuiQL.exe
  2⤵
  PID:5568
- C:\Windows\System32\jrYYyeh.exe
  C:\Windows\System32\jrYYyeh.exe
  2⤵
  PID:5596
- C:\Windows\System32\lSMCpBu.exe
  C:\Windows\System32\lSMCpBu.exe
  2⤵
  PID:5612
- C:\Windows\System32\VqxAxMR.exe
  C:\Windows\System32\VqxAxMR.exe
  2⤵
  PID:5652
- C:\Windows\System32\heMZwbj.exe
  C:\Windows\System32\heMZwbj.exe
  2⤵
  PID:5672
- C:\Windows\System32\BBHVyNk.exe
  C:\Windows\System32\BBHVyNk.exe
  2⤵
  PID:5696
- C:\Windows\System32\BalVuLx.exe
  C:\Windows\System32\BalVuLx.exe
  2⤵
  PID:5736
- C:\Windows\System32\PBkNtdo.exe
  C:\Windows\System32\PBkNtdo.exe
  2⤵
  PID:5756
- C:\Windows\System32\APfJFrc.exe
  C:\Windows\System32\APfJFrc.exe
  2⤵
  PID:5780
- C:\Windows\System32\IZSHDZc.exe
  C:\Windows\System32\IZSHDZc.exe
  2⤵
  PID:5816
- C:\Windows\System32\jdTGYDw.exe
  C:\Windows\System32\jdTGYDw.exe
  2⤵
  PID:5860
- C:\Windows\System32\PlVjCDc.exe
  C:\Windows\System32\PlVjCDc.exe
  2⤵
  PID:5876
- C:\Windows\System32\nTiKxQu.exe
  C:\Windows\System32\nTiKxQu.exe
  2⤵
  PID:5892
- C:\Windows\System32\cLzNOZV.exe
  C:\Windows\System32\cLzNOZV.exe
  2⤵
  PID:5920
- C:\Windows\System32\IIowQLQ.exe
  C:\Windows\System32\IIowQLQ.exe
  2⤵
  PID:5948
- C:\Windows\System32\BcjcooC.exe
  C:\Windows\System32\BcjcooC.exe
  2⤵
  PID:5976
- C:\Windows\System32\YONmQJT.exe
  C:\Windows\System32\YONmQJT.exe
  2⤵
  PID:6004
- C:\Windows\System32\rTPaYFD.exe
  C:\Windows\System32\rTPaYFD.exe
  2⤵
  PID:6032
- C:\Windows\System32\gCFrWXq.exe
  C:\Windows\System32\gCFrWXq.exe
  2⤵
  PID:6060
- C:\Windows\System32\QawpPGS.exe
  C:\Windows\System32\QawpPGS.exe
  2⤵
  PID:6088
- C:\Windows\System32\YOHSfVR.exe
  C:\Windows\System32\YOHSfVR.exe
  2⤵
  PID:6116
- C:\Windows\System32\HKbhDsW.exe
  C:\Windows\System32\HKbhDsW.exe
  2⤵
  PID:6140
- C:\Windows\System32\aEpQhDD.exe
  C:\Windows\System32\aEpQhDD.exe
  2⤵
  PID:5128
- C:\Windows\System32\gIWYhwB.exe
  C:\Windows\System32\gIWYhwB.exe
  2⤵
  PID:5160
- C:\Windows\System32\CkClrHY.exe
  C:\Windows\System32\CkClrHY.exe
  2⤵
  PID:5196
- C:\Windows\System32\iLIQpKF.exe
  C:\Windows\System32\iLIQpKF.exe
  2⤵
  PID:5232
- C:\Windows\System32\JrsCGOX.exe
  C:\Windows\System32\JrsCGOX.exe
  2⤵
  PID:5284
- C:\Windows\System32\VGXLqyY.exe
  C:\Windows\System32\VGXLqyY.exe
  2⤵
  PID:5352
- C:\Windows\System32\fBNmPqL.exe
  C:\Windows\System32\fBNmPqL.exe
  2⤵
  PID:5380
- C:\Windows\System32\ERbfmhQ.exe
  C:\Windows\System32\ERbfmhQ.exe
  2⤵
  PID:5456
- C:\Windows\System32\ZyXnloe.exe
  C:\Windows\System32\ZyXnloe.exe
  2⤵
  PID:4232
- C:\Windows\System32\QyAPXqj.exe
  C:\Windows\System32\QyAPXqj.exe
  2⤵
  PID:5588
- C:\Windows\System32\KXIwVpN.exe
  C:\Windows\System32\KXIwVpN.exe
  2⤵
  PID:5664
- C:\Windows\System32\ktRlIVd.exe
  C:\Windows\System32\ktRlIVd.exe
  2⤵
  PID:1676
- C:\Windows\System32\TThjGfd.exe
  C:\Windows\System32\TThjGfd.exe
  2⤵
  PID:5724
- C:\Windows\System32\cBnprIq.exe
  C:\Windows\System32\cBnprIq.exe
  2⤵
  PID:3812
- C:\Windows\System32\FdJOOBT.exe
  C:\Windows\System32\FdJOOBT.exe
  2⤵
  PID:5872
- C:\Windows\System32\YbslruF.exe
  C:\Windows\System32\YbslruF.exe
  2⤵
  PID:5900
- C:\Windows\System32\KNjWLzY.exe
  C:\Windows\System32\KNjWLzY.exe
  2⤵
  PID:5928
- C:\Windows\System32\tpYrAZb.exe
  C:\Windows\System32\tpYrAZb.exe
  2⤵
  PID:1116
- C:\Windows\System32\cGlKiVI.exe
  C:\Windows\System32\cGlKiVI.exe
  2⤵
  PID:5960
- C:\Windows\System32\jwxhWRs.exe
  C:\Windows\System32\jwxhWRs.exe
  2⤵
  PID:5984
- C:\Windows\System32\hAJPmoy.exe
  C:\Windows\System32\hAJPmoy.exe
  2⤵
  PID:6052
- C:\Windows\System32\SDiBxpt.exe
  C:\Windows\System32\SDiBxpt.exe
  2⤵
  PID:6072
- C:\Windows\System32\yuAKIjB.exe
  C:\Windows\System32\yuAKIjB.exe
  2⤵
  PID:956
- C:\Windows\System32\rOyJUWS.exe
  C:\Windows\System32\rOyJUWS.exe
  2⤵
  PID:1668
- C:\Windows\System32\gidhHPB.exe
  C:\Windows\System32\gidhHPB.exe
  2⤵
  PID:4888
- C:\Windows\System32\fVvKhhY.exe
  C:\Windows\System32\fVvKhhY.exe
  2⤵
  PID:3240
- C:\Windows\System32\YeabtEE.exe
  C:\Windows\System32\YeabtEE.exe
  2⤵
  PID:1548
- C:\Windows\System32\MdtZTiG.exe
  C:\Windows\System32\MdtZTiG.exe
  2⤵
  PID:640
- C:\Windows\System32\ylRkgnr.exe
  C:\Windows\System32\ylRkgnr.exe
  2⤵
  PID:760
- C:\Windows\System32\hGwQEGb.exe
  C:\Windows\System32\hGwQEGb.exe
  2⤵
  PID:4640
- C:\Windows\System32\rrgQcDz.exe
  C:\Windows\System32\rrgQcDz.exe
  2⤵
  PID:1772
- C:\Windows\System32\ywTPRYh.exe
  C:\Windows\System32\ywTPRYh.exe
  2⤵
  PID:1812
- C:\Windows\System32\mwDlxkc.exe
  C:\Windows\System32\mwDlxkc.exe
  2⤵
  PID:4704
- C:\Windows\System32\QzhjJFW.exe
  C:\Windows\System32\QzhjJFW.exe
  2⤵
  PID:3788
- C:\Windows\System32\NcnBnqW.exe
  C:\Windows\System32\NcnBnqW.exe
  2⤵
  PID:4180
- C:\Windows\System32\WQBzwkD.exe
  C:\Windows\System32\WQBzwkD.exe
  2⤵
  PID:3792
- C:\Windows\System32\ofKxmec.exe
  C:\Windows\System32\ofKxmec.exe
  2⤵
  PID:3996
- C:\Windows\System32\aCaBMsy.exe
  C:\Windows\System32\aCaBMsy.exe
  2⤵
  PID:2264
- C:\Windows\System32\njyUArI.exe
  C:\Windows\System32\njyUArI.exe
  2⤵
  PID:4628
- C:\Windows\System32\lwUxGGp.exe
  C:\Windows\System32\lwUxGGp.exe
  2⤵
  PID:3884
- C:\Windows\System32\mmHhlKs.exe
  C:\Windows\System32\mmHhlKs.exe
  2⤵
  PID:5172
- C:\Windows\System32\JdsvelU.exe
  C:\Windows\System32\JdsvelU.exe
  2⤵
  PID:5396
- C:\Windows\System32\TsOMkkM.exe
  C:\Windows\System32\TsOMkkM.exe
  2⤵
  PID:5512
- C:\Windows\System32\iHuEQet.exe
  C:\Windows\System32\iHuEQet.exe
  2⤵
  PID:5788
- C:\Windows\System32\yubpWrS.exe
  C:\Windows\System32\yubpWrS.exe
  2⤵
  PID:5996
- C:\Windows\System32\qBEqGjb.exe
  C:\Windows\System32\qBEqGjb.exe
  2⤵
  PID:3616
- C:\Windows\System32\wbRoEnC.exe
  C:\Windows\System32\wbRoEnC.exe
  2⤵
  PID:2884
- C:\Windows\System32\VjlRhOO.exe
  C:\Windows\System32\VjlRhOO.exe
  2⤵
  PID:2464
- C:\Windows\System32\pkapjFM.exe
  C:\Windows\System32\pkapjFM.exe
  2⤵
  PID:1140
- C:\Windows\System32\dPtLJjp.exe
  C:\Windows\System32\dPtLJjp.exe
  2⤵
  PID:2412
- C:\Windows\System32\Jmkbhju.exe
  C:\Windows\System32\Jmkbhju.exe
  2⤵
  PID:6108
- C:\Windows\System32\BcpvLWX.exe
  C:\Windows\System32\BcpvLWX.exe
  2⤵
  PID:2308
- C:\Windows\System32\zSeCfWS.exe
  C:\Windows\System32\zSeCfWS.exe
  2⤵
  PID:4556
- C:\Windows\System32\wPCWswi.exe
  C:\Windows\System32\wPCWswi.exe
  2⤵
  PID:6128
- C:\Windows\System32\zrcRqOT.exe
  C:\Windows\System32\zrcRqOT.exe
  2⤵
  PID:5620
- C:\Windows\System32\gffFPUM.exe
  C:\Windows\System32\gffFPUM.exe
  2⤵
  PID:5688
- C:\Windows\System32\mMoIhbU.exe
  C:\Windows\System32\mMoIhbU.exe
  2⤵
  PID:5940
- C:\Windows\System32\KFGSrkr.exe
  C:\Windows\System32\KFGSrkr.exe
  2⤵
  PID:4408
- C:\Windows\System32\JHUNMal.exe
  C:\Windows\System32\JHUNMal.exe
  2⤵
  PID:2232
- C:\Windows\System32\QgKxNgo.exe
  C:\Windows\System32\QgKxNgo.exe
  2⤵
  PID:3480
- C:\Windows\System32\UVacmaR.exe
  C:\Windows\System32\UVacmaR.exe
  2⤵
  PID:4644
- C:\Windows\System32\XRmMXvi.exe
  C:\Windows\System32\XRmMXvi.exe
  2⤵
  PID:5296
- C:\Windows\System32\WceMKIm.exe
  C:\Windows\System32\WceMKIm.exe
  2⤵
  PID:5884
- C:\Windows\System32\ketlJqG.exe
  C:\Windows\System32\ketlJqG.exe
  2⤵
  PID:5064
- C:\Windows\System32\cmMXCVw.exe
  C:\Windows\System32\cmMXCVw.exe
  2⤵
  PID:6156
- C:\Windows\System32\ESwwKkD.exe
  C:\Windows\System32\ESwwKkD.exe
  2⤵
  PID:6216
- C:\Windows\System32\rNnPIvb.exe
  C:\Windows\System32\rNnPIvb.exe
  2⤵
  PID:6232
- C:\Windows\System32\yztksXY.exe
  C:\Windows\System32\yztksXY.exe
  2⤵
  PID:6272
- C:\Windows\System32\MgZoOLR.exe
  C:\Windows\System32\MgZoOLR.exe
  2⤵
  PID:6292
- C:\Windows\System32\AOiryuo.exe
  C:\Windows\System32\AOiryuo.exe
  2⤵
  PID:6332
- C:\Windows\System32\osHTtOd.exe
  C:\Windows\System32\osHTtOd.exe
  2⤵
  PID:6348
- C:\Windows\System32\vUlNeeS.exe
  C:\Windows\System32\vUlNeeS.exe
  2⤵
  PID:6372
- C:\Windows\System32\XIaXeZR.exe
  C:\Windows\System32\XIaXeZR.exe
  2⤵
  PID:6392
- C:\Windows\System32\qmuaeMp.exe
  C:\Windows\System32\qmuaeMp.exe
  2⤵
  PID:6412
- C:\Windows\System32\DQSyChD.exe
  C:\Windows\System32\DQSyChD.exe
  2⤵
  PID:6440
- C:\Windows\System32\dZfthVS.exe
  C:\Windows\System32\dZfthVS.exe
  2⤵
  PID:6456
- C:\Windows\System32\InyvUbF.exe
  C:\Windows\System32\InyvUbF.exe
  2⤵
  PID:6496
- C:\Windows\System32\kdpkEJv.exe
  C:\Windows\System32\kdpkEJv.exe
  2⤵
  PID:6520
- C:\Windows\System32\bGIBapo.exe
  C:\Windows\System32\bGIBapo.exe
  2⤵
  PID:6540
- C:\Windows\System32\KMKwxfw.exe
  C:\Windows\System32\KMKwxfw.exe
  2⤵
  PID:6564
- C:\Windows\System32\JWuiRSB.exe
  C:\Windows\System32\JWuiRSB.exe
  2⤵
  PID:6596
- C:\Windows\System32\QxYDhNs.exe
  C:\Windows\System32\QxYDhNs.exe
  2⤵
  PID:6648
- C:\Windows\System32\ENMFjKd.exe
  C:\Windows\System32\ENMFjKd.exe
  2⤵
  PID:6668
- C:\Windows\System32\JUTrLpY.exe
  C:\Windows\System32\JUTrLpY.exe
  2⤵
  PID:6692
- C:\Windows\System32\rnsKUCy.exe
  C:\Windows\System32\rnsKUCy.exe
  2⤵
  PID:6708
- C:\Windows\System32\VvZfJEd.exe
  C:\Windows\System32\VvZfJEd.exe
  2⤵
  PID:6724
- C:\Windows\System32\LEdPTrn.exe
  C:\Windows\System32\LEdPTrn.exe
  2⤵
  PID:6748
- C:\Windows\System32\rWYXVCv.exe
  C:\Windows\System32\rWYXVCv.exe
  2⤵
  PID:6772
- C:\Windows\System32\PEsPmDh.exe
  C:\Windows\System32\PEsPmDh.exe
  2⤵
  PID:6800
- C:\Windows\System32\PhnhHCs.exe
  C:\Windows\System32\PhnhHCs.exe
  2⤵
  PID:6892
- C:\Windows\System32\bFmNxYY.exe
  C:\Windows\System32\bFmNxYY.exe
  2⤵
  PID:6920
- C:\Windows\System32\sGVdXWC.exe
  C:\Windows\System32\sGVdXWC.exe
  2⤵
  PID:6936
- C:\Windows\System32\yBtCFYu.exe
  C:\Windows\System32\yBtCFYu.exe
  2⤵
  PID:6960
- C:\Windows\System32\MSgBsEr.exe
  C:\Windows\System32\MSgBsEr.exe
  2⤵
  PID:7004
- C:\Windows\System32\DlRDOHa.exe
  C:\Windows\System32\DlRDOHa.exe
  2⤵
  PID:7068
- C:\Windows\System32\BXGGKCC.exe
  C:\Windows\System32\BXGGKCC.exe
  2⤵
  PID:7096
- C:\Windows\System32\OmYYqWL.exe
  C:\Windows\System32\OmYYqWL.exe
  2⤵
  PID:7120
- C:\Windows\System32\MDGeQcM.exe
  C:\Windows\System32\MDGeQcM.exe
  2⤵
  PID:7136
- C:\Windows\System32\NZGzBzg.exe
  C:\Windows\System32\NZGzBzg.exe
  2⤵
  PID:7160
- C:\Windows\System32\fiCtuUe.exe
  C:\Windows\System32\fiCtuUe.exe
  2⤵
  PID:5988
- C:\Windows\System32\BLtigXn.exe
  C:\Windows\System32\BLtigXn.exe
  2⤵
  PID:4912
- C:\Windows\System32\qkxMWlj.exe
  C:\Windows\System32\qkxMWlj.exe
  2⤵
  PID:6228
- C:\Windows\System32\JsnfgeW.exe
  C:\Windows\System32\JsnfgeW.exe
  2⤵
  PID:6224
- C:\Windows\System32\AgNgPMe.exe
  C:\Windows\System32\AgNgPMe.exe
  2⤵
  PID:6324
- C:\Windows\System32\QWwHjmz.exe
  C:\Windows\System32\QWwHjmz.exe
  2⤵
  PID:6384
- C:\Windows\System32\KNIaiDt.exe
  C:\Windows\System32\KNIaiDt.exe
  2⤵
  PID:6340
- C:\Windows\System32\ZQdhQjE.exe
  C:\Windows\System32\ZQdhQjE.exe
  2⤵
  PID:6464
- C:\Windows\System32\qPGMVWp.exe
  C:\Windows\System32\qPGMVWp.exe
  2⤵
  PID:6584
- C:\Windows\System32\DSXqIAB.exe
  C:\Windows\System32\DSXqIAB.exe
  2⤵
  PID:6424
- C:\Windows\System32\eyNugJr.exe
  C:\Windows\System32\eyNugJr.exe
  2⤵
  PID:6580
- C:\Windows\System32\tAlDQwm.exe
  C:\Windows\System32\tAlDQwm.exe
  2⤵
  PID:6636
- C:\Windows\System32\caXKzzz.exe
  C:\Windows\System32\caXKzzz.exe
  2⤵
  PID:6768
- C:\Windows\System32\OoeBhIn.exe
  C:\Windows\System32\OoeBhIn.exe
  2⤵
  PID:6788
- C:\Windows\System32\lAUiAau.exe
  C:\Windows\System32\lAUiAau.exe
  2⤵
  PID:6928
- C:\Windows\System32\QyBnHCq.exe
  C:\Windows\System32\QyBnHCq.exe
  2⤵
  PID:7116
- C:\Windows\System32\HhTKyQb.exe
  C:\Windows\System32\HhTKyQb.exe
  2⤵
  PID:6168
- C:\Windows\System32\asFLsTX.exe
  C:\Windows\System32\asFLsTX.exe
  2⤵
  PID:6536
- C:\Windows\System32\lqRbnnH.exe
  C:\Windows\System32\lqRbnnH.exe
  2⤵
  PID:6284
- C:\Windows\System32\tSURSwl.exe
  C:\Windows\System32\tSURSwl.exe
  2⤵
  PID:6644
- C:\Windows\System32\kIHQVud.exe
  C:\Windows\System32\kIHQVud.exe
  2⤵
  PID:6388
- C:\Windows\System32\ioyZSJU.exe
  C:\Windows\System32\ioyZSJU.exe
  2⤵
  PID:6760
- C:\Windows\System32\pxoNRtq.exe
  C:\Windows\System32\pxoNRtq.exe
  2⤵
  PID:4192
- C:\Windows\System32\qlvefCX.exe
  C:\Windows\System32\qlvefCX.exe
  2⤵
  PID:6180
- C:\Windows\System32\rVrVVkL.exe
  C:\Windows\System32\rVrVVkL.exe
  2⤵
  PID:6288
- C:\Windows\System32\kRnLAFG.exe
  C:\Windows\System32\kRnLAFG.exe
  2⤵
  PID:6572
- C:\Windows\System32\CVUGUHh.exe
  C:\Windows\System32\CVUGUHh.exe
  2⤵
  PID:6868
- C:\Windows\System32\yyUXVcQ.exe
  C:\Windows\System32\yyUXVcQ.exe
  2⤵
  PID:7172
- C:\Windows\System32\tXBgdwQ.exe
  C:\Windows\System32\tXBgdwQ.exe
  2⤵
  PID:7204
- C:\Windows\System32\MwWCefy.exe
  C:\Windows\System32\MwWCefy.exe
  2⤵
  PID:7228
- C:\Windows\System32\pOsFXRC.exe
  C:\Windows\System32\pOsFXRC.exe
  2⤵
  PID:7248
- C:\Windows\System32\MuECHSY.exe
  C:\Windows\System32\MuECHSY.exe
  2⤵
  PID:7264
- C:\Windows\System32\UHuDAev.exe
  C:\Windows\System32\UHuDAev.exe
  2⤵
  PID:7288
- C:\Windows\System32\LnQErfu.exe
  C:\Windows\System32\LnQErfu.exe
  2⤵
  PID:7320
- C:\Windows\System32\yfZwUPS.exe
  C:\Windows\System32\yfZwUPS.exe
  2⤵
  PID:7356
- C:\Windows\System32\bPkMEXE.exe
  C:\Windows\System32\bPkMEXE.exe
  2⤵
  PID:7376
- C:\Windows\System32\yoMZcdh.exe
  C:\Windows\System32\yoMZcdh.exe
  2⤵
  PID:7396
- C:\Windows\System32\iKbvWvd.exe
  C:\Windows\System32\iKbvWvd.exe
  2⤵
  PID:7420
- C:\Windows\System32\xFoGeaL.exe
  C:\Windows\System32\xFoGeaL.exe
  2⤵
  PID:7480
- C:\Windows\System32\XDxJtMg.exe
  C:\Windows\System32\XDxJtMg.exe
  2⤵
  PID:7500
- C:\Windows\System32\tslSOKR.exe
  C:\Windows\System32\tslSOKR.exe
  2⤵
  PID:7536
- C:\Windows\System32\dUYdXxX.exe
  C:\Windows\System32\dUYdXxX.exe
  2⤵
  PID:7556
- C:\Windows\System32\rTraTsn.exe
  C:\Windows\System32\rTraTsn.exe
  2⤵
  PID:7572
- C:\Windows\System32\nOFdWPG.exe
  C:\Windows\System32\nOFdWPG.exe
  2⤵
  PID:7592
- C:\Windows\System32\DRwYxXG.exe
  C:\Windows\System32\DRwYxXG.exe
  2⤵
  PID:7656
- C:\Windows\System32\kKjuidb.exe
  C:\Windows\System32\kKjuidb.exe
  2⤵
  PID:7716
- C:\Windows\System32\gQHguvm.exe
  C:\Windows\System32\gQHguvm.exe
  2⤵
  PID:7744
- C:\Windows\System32\DeDWpfN.exe
  C:\Windows\System32\DeDWpfN.exe
  2⤵
  PID:7768
- C:\Windows\System32\czglUmA.exe
  C:\Windows\System32\czglUmA.exe
  2⤵
  PID:7788
- C:\Windows\System32\csoGPLw.exe
  C:\Windows\System32\csoGPLw.exe
  2⤵
  PID:7816
- C:\Windows\System32\AgvgTLj.exe
  C:\Windows\System32\AgvgTLj.exe
  2⤵
  PID:7832
- C:\Windows\System32\lVwhZEd.exe
  C:\Windows\System32\lVwhZEd.exe
  2⤵
  PID:7852
- C:\Windows\System32\rznCwyc.exe
  C:\Windows\System32\rznCwyc.exe
  2⤵
  PID:7900
- C:\Windows\System32\YdWlVzl.exe
  C:\Windows\System32\YdWlVzl.exe
  2⤵
  PID:7920
- C:\Windows\System32\RZSfOPZ.exe
  C:\Windows\System32\RZSfOPZ.exe
  2⤵
  PID:7936
- C:\Windows\System32\VGlyKge.exe
  C:\Windows\System32\VGlyKge.exe
  2⤵
  PID:7960
- C:\Windows\System32\SlskXKr.exe
  C:\Windows\System32\SlskXKr.exe
  2⤵
  PID:7976
- C:\Windows\System32\hlVWbgD.exe
  C:\Windows\System32\hlVWbgD.exe
  2⤵
  PID:8004
- C:\Windows\System32\bbBIvWt.exe
  C:\Windows\System32\bbBIvWt.exe
  2⤵
  PID:8024
- C:\Windows\System32\FaQdhDy.exe
  C:\Windows\System32\FaQdhDy.exe
  2⤵
  PID:8044
- C:\Windows\System32\IqmvwPt.exe
  C:\Windows\System32\IqmvwPt.exe
  2⤵
  PID:8064
- C:\Windows\System32\ATOnKJn.exe
  C:\Windows\System32\ATOnKJn.exe
  2⤵
  PID:8088
- C:\Windows\System32\uVxUHQb.exe
  C:\Windows\System32\uVxUHQb.exe
  2⤵
  PID:8108
- C:\Windows\System32\yTGMFrA.exe
  C:\Windows\System32\yTGMFrA.exe
  2⤵
  PID:8148
- C:\Windows\System32\ZHdXDZR.exe
  C:\Windows\System32\ZHdXDZR.exe
  2⤵
  PID:8168
- C:\Windows\System32\uEDWsLJ.exe
  C:\Windows\System32\uEDWsLJ.exe
  2⤵
  PID:6576
- C:\Windows\System32\DkVgroe.exe
  C:\Windows\System32\DkVgroe.exe
  2⤵
  PID:7180
- C:\Windows\System32\RxHKgFt.exe
  C:\Windows\System32\RxHKgFt.exe
  2⤵
  PID:7244
- C:\Windows\System32\fYidWhV.exe
  C:\Windows\System32\fYidWhV.exe
  2⤵
  PID:7284
- C:\Windows\System32\IBhdGam.exe
  C:\Windows\System32\IBhdGam.exe
  2⤵
  PID:7332
- C:\Windows\System32\ELPaZGR.exe
  C:\Windows\System32\ELPaZGR.exe
  2⤵
  PID:7368
- C:\Windows\System32\kFUbimW.exe
  C:\Windows\System32\kFUbimW.exe
  2⤵
  PID:7588
- C:\Windows\System32\ERUxCgq.exe
  C:\Windows\System32\ERUxCgq.exe
  2⤵
  PID:7784
- C:\Windows\System32\MYfdYHD.exe
  C:\Windows\System32\MYfdYHD.exe
  2⤵
  PID:7824
- C:\Windows\System32\dkBwjSS.exe
  C:\Windows\System32\dkBwjSS.exe
  2⤵
  PID:7848
- C:\Windows\System32\AHUnnOR.exe
  C:\Windows\System32\AHUnnOR.exe
  2⤵
  PID:7952
- C:\Windows\System32\DimKWTu.exe
  C:\Windows\System32\DimKWTu.exe
  2⤵
  PID:8040
- C:\Windows\System32\AQcBOZr.exe
  C:\Windows\System32\AQcBOZr.exe
  2⤵
  PID:8076
- C:\Windows\System32\KISoDSk.exe
  C:\Windows\System32\KISoDSk.exe
  2⤵
  PID:8124
- C:\Windows\System32\wkDJyAl.exe
  C:\Windows\System32\wkDJyAl.exe
  2⤵
  PID:8136
- C:\Windows\System32\fefqpLY.exe
  C:\Windows\System32\fefqpLY.exe
  2⤵
  PID:7348
- C:\Windows\System32\krRLKIL.exe
  C:\Windows\System32\krRLKIL.exe
  2⤵
  PID:7548
- C:\Windows\System32\dZEOzJi.exe
  C:\Windows\System32\dZEOzJi.exe
  2⤵
  PID:7496
- C:\Windows\System32\YcbwewT.exe
  C:\Windows\System32\YcbwewT.exe
  2⤵
  PID:7628
- C:\Windows\System32\XNQpRfR.exe
  C:\Windows\System32\XNQpRfR.exe
  2⤵
  PID:7812
- C:\Windows\System32\sfrhiIx.exe
  C:\Windows\System32\sfrhiIx.exe
  2⤵
  PID:7912
- C:\Windows\System32\StlozEJ.exe
  C:\Windows\System32\StlozEJ.exe
  2⤵
  PID:8020
- C:\Windows\System32\KEDNvem.exe
  C:\Windows\System32\KEDNvem.exe
  2⤵
  PID:6980
- C:\Windows\System32\XwUsxZS.exe
  C:\Windows\System32\XwUsxZS.exe
  2⤵
  PID:6616
- C:\Windows\System32\DKZfTnv.exe
  C:\Windows\System32\DKZfTnv.exe
  2⤵
  PID:7664
- C:\Windows\System32\xCzyvqL.exe
  C:\Windows\System32\xCzyvqL.exe
  2⤵
  PID:8212
- C:\Windows\System32\rqohvRS.exe
  C:\Windows\System32\rqohvRS.exe
  2⤵
  PID:8236
- C:\Windows\System32\qJpwKUp.exe
  C:\Windows\System32\qJpwKUp.exe
  2⤵
  PID:8292
- C:\Windows\System32\lQyNqvs.exe
  C:\Windows\System32\lQyNqvs.exe
  2⤵
  PID:8312
- C:\Windows\System32\EeyVgIh.exe
  C:\Windows\System32\EeyVgIh.exe
  2⤵
  PID:8328
- C:\Windows\System32\sJWsLXs.exe
  C:\Windows\System32\sJWsLXs.exe
  2⤵
  PID:8356
- C:\Windows\System32\DdRnHtr.exe
  C:\Windows\System32\DdRnHtr.exe
  2⤵
  PID:8372
- C:\Windows\System32\KizPeDp.exe
  C:\Windows\System32\KizPeDp.exe
  2⤵
  PID:8400
- C:\Windows\System32\YlZkLSr.exe
  C:\Windows\System32\YlZkLSr.exe
  2⤵
  PID:8420
- C:\Windows\System32\TJXdVVz.exe
  C:\Windows\System32\TJXdVVz.exe
  2⤵
  PID:8444
- C:\Windows\System32\sZnsXgs.exe
  C:\Windows\System32\sZnsXgs.exe
  2⤵
  PID:8464
- C:\Windows\System32\bWWoOaR.exe
  C:\Windows\System32\bWWoOaR.exe
  2⤵
  PID:8484
- C:\Windows\System32\qrgGAqj.exe
  C:\Windows\System32\qrgGAqj.exe
  2⤵
  PID:8512
- C:\Windows\System32\zKMjmKT.exe
  C:\Windows\System32\zKMjmKT.exe
  2⤵
  PID:8544
- C:\Windows\System32\VuZKblU.exe
  C:\Windows\System32\VuZKblU.exe
  2⤵
  PID:8564
- C:\Windows\System32\ZGjhLHw.exe
  C:\Windows\System32\ZGjhLHw.exe
  2⤵
  PID:8584
- C:\Windows\System32\vJmxwvl.exe
  C:\Windows\System32\vJmxwvl.exe
  2⤵
  PID:8636
- C:\Windows\System32\gCxgBpw.exe
  C:\Windows\System32\gCxgBpw.exe
  2⤵
  PID:8668
- C:\Windows\System32\rjIzjCb.exe
  C:\Windows\System32\rjIzjCb.exe
  2⤵
  PID:8688
- C:\Windows\System32\SFLWjOF.exe
  C:\Windows\System32\SFLWjOF.exe
  2⤵
  PID:8712
- C:\Windows\System32\LVAgHJB.exe
  C:\Windows\System32\LVAgHJB.exe
  2⤵
  PID:8732
- C:\Windows\System32\aMfhNKA.exe
  C:\Windows\System32\aMfhNKA.exe
  2⤵
  PID:8784
- C:\Windows\System32\deYTloa.exe
  C:\Windows\System32\deYTloa.exe
  2⤵
  PID:8820
- C:\Windows\System32\EysNRDh.exe
  C:\Windows\System32\EysNRDh.exe
  2⤵
  PID:8840
- C:\Windows\System32\KKjizxU.exe
  C:\Windows\System32\KKjizxU.exe
  2⤵
  PID:8856
- C:\Windows\System32\NUqOPvv.exe
  C:\Windows\System32\NUqOPvv.exe
  2⤵
  PID:8896
- C:\Windows\System32\WizwZIz.exe
  C:\Windows\System32\WizwZIz.exe
  2⤵
  PID:8952
- C:\Windows\System32\yBKgbEe.exe
  C:\Windows\System32\yBKgbEe.exe
  2⤵
  PID:8968
- C:\Windows\System32\EIICffm.exe
  C:\Windows\System32\EIICffm.exe
  2⤵
  PID:8984
- C:\Windows\System32\zEqotLX.exe
  C:\Windows\System32\zEqotLX.exe
  2⤵
  PID:9004
- C:\Windows\System32\NgSYLwk.exe
  C:\Windows\System32\NgSYLwk.exe
  2⤵
  PID:9032
- C:\Windows\System32\VfJjTkK.exe
  C:\Windows\System32\VfJjTkK.exe
  2⤵
  PID:9076
- C:\Windows\System32\doihvWW.exe
  C:\Windows\System32\doihvWW.exe
  2⤵
  PID:9096
- C:\Windows\System32\xKxnrBC.exe
  C:\Windows\System32\xKxnrBC.exe
  2⤵
  PID:9120
- C:\Windows\System32\jreDgfT.exe
  C:\Windows\System32\jreDgfT.exe
  2⤵
  PID:9160
- C:\Windows\System32\wrAXmdQ.exe
  C:\Windows\System32\wrAXmdQ.exe
  2⤵
  PID:9184
- C:\Windows\System32\qevvCtT.exe
  C:\Windows\System32\qevvCtT.exe
  2⤵
  PID:9204
- C:\Windows\System32\SCmHmTj.exe
  C:\Windows\System32\SCmHmTj.exe
  2⤵
  PID:8056
- C:\Windows\System32\OXjRoHB.exe
  C:\Windows\System32\OXjRoHB.exe
  2⤵
  PID:7564
- C:\Windows\System32\CuTzdCl.exe
  C:\Windows\System32\CuTzdCl.exe
  2⤵
  PID:8256
- C:\Windows\System32\HwyvprF.exe
  C:\Windows\System32\HwyvprF.exe
  2⤵
  PID:8308
- C:\Windows\System32\mFClIil.exe
  C:\Windows\System32\mFClIil.exe
  2⤵
  PID:8340
- C:\Windows\System32\RyoRaSf.exe
  C:\Windows\System32\RyoRaSf.exe
  2⤵
  PID:8432
- C:\Windows\System32\uTgIAIn.exe
  C:\Windows\System32\uTgIAIn.exe
  2⤵
  PID:8580
- C:\Windows\System32\flYWoyX.exe
  C:\Windows\System32\flYWoyX.exe
  2⤵
  PID:8556
- C:\Windows\System32\trfUpnX.exe
  C:\Windows\System32\trfUpnX.exe
  2⤵
  PID:8680
- C:\Windows\System32\onuiKjU.exe
  C:\Windows\System32\onuiKjU.exe
  2⤵
  PID:8772
- C:\Windows\System32\EfYqlPn.exe
  C:\Windows\System32\EfYqlPn.exe
  2⤵
  PID:8816
- C:\Windows\System32\EbDoJjf.exe
  C:\Windows\System32\EbDoJjf.exe
  2⤵
  PID:7404
- C:\Windows\System32\oiFyGdi.exe
  C:\Windows\System32\oiFyGdi.exe
  2⤵
  PID:8220
- C:\Windows\System32\JTZkupY.exe
  C:\Windows\System32\JTZkupY.exe
  2⤵
  PID:8304
- C:\Windows\System32\VjaxyuU.exe
  C:\Windows\System32\VjaxyuU.exe
  2⤵
  PID:8520
- C:\Windows\System32\hzXTRfP.exe
  C:\Windows\System32\hzXTRfP.exe
  2⤵
  PID:8644
- C:\Windows\System32\bqpyDNn.exe
  C:\Windows\System32\bqpyDNn.exe
  2⤵
  PID:9092
- C:\Windows\System32\tyGqkPV.exe
  C:\Windows\System32\tyGqkPV.exe
  2⤵
  PID:8964
- C:\Windows\System32\bfZpCch.exe
  C:\Windows\System32\bfZpCch.exe
  2⤵
  PID:9060
- C:\Windows\System32\BOAfWrA.exe
  C:\Windows\System32\BOAfWrA.exe
  2⤵
  PID:9148
- C:\Windows\System32\MtArmty.exe
  C:\Windows\System32\MtArmty.exe
  2⤵
  PID:8320
- C:\Windows\System32\nUSgfPH.exe
  C:\Windows\System32\nUSgfPH.exe
  2⤵
  PID:7216
- C:\Windows\System32\ntfGqQu.exe
  C:\Windows\System32\ntfGqQu.exe
  2⤵
  PID:8492
- C:\Windows\System32\UTYbJkg.exe
  C:\Windows\System32\UTYbJkg.exe
  2⤵
  PID:8632
- C:\Windows\System32\JEsiRwF.exe
  C:\Windows\System32\JEsiRwF.exe
  2⤵
  PID:8848
- C:\Windows\System32\JPHMUHZ.exe
  C:\Windows\System32\JPHMUHZ.exe
  2⤵
  PID:9056
- C:\Windows\System32\yYsiEMZ.exe
  C:\Windows\System32\yYsiEMZ.exe
  2⤵
  PID:9236
- C:\Windows\System32\vxyEcsH.exe
  C:\Windows\System32\vxyEcsH.exe
  2⤵
  PID:9256
- C:\Windows\System32\xNjAoDw.exe
  C:\Windows\System32\xNjAoDw.exe
  2⤵
  PID:9292
- C:\Windows\System32\HEGPxEs.exe
  C:\Windows\System32\HEGPxEs.exe
  2⤵
  PID:9352
- C:\Windows\System32\zMMYxsL.exe
  C:\Windows\System32\zMMYxsL.exe
  2⤵
  PID:9372
- C:\Windows\System32\UBbWoXZ.exe
  C:\Windows\System32\UBbWoXZ.exe
  2⤵
  PID:9400
- C:\Windows\System32\UcdMagP.exe
  C:\Windows\System32\UcdMagP.exe
  2⤵
  PID:9420
- C:\Windows\System32\AnarRSE.exe
  C:\Windows\System32\AnarRSE.exe
  2⤵
  PID:9472
- C:\Windows\System32\ArLPedv.exe
  C:\Windows\System32\ArLPedv.exe
  2⤵
  PID:9492
- C:\Windows\System32\KsmGskv.exe
  C:\Windows\System32\KsmGskv.exe
  2⤵
  PID:9512
- C:\Windows\System32\FWVqPMT.exe
  C:\Windows\System32\FWVqPMT.exe
  2⤵
  PID:9536
- C:\Windows\System32\iXDcoep.exe
  C:\Windows\System32\iXDcoep.exe
  2⤵
  PID:9568
- C:\Windows\System32\uqVJinh.exe
  C:\Windows\System32\uqVJinh.exe
  2⤵
  PID:9592
- C:\Windows\System32\YAbeLXK.exe
  C:\Windows\System32\YAbeLXK.exe
  2⤵
  PID:9608
- C:\Windows\System32\HfgHoLN.exe
  C:\Windows\System32\HfgHoLN.exe
  2⤵
  PID:9628
- C:\Windows\System32\IMnfDAo.exe
  C:\Windows\System32\IMnfDAo.exe
  2⤵
  PID:9652
- C:\Windows\System32\peqIWjk.exe
  C:\Windows\System32\peqIWjk.exe
  2⤵
  PID:9668
- C:\Windows\System32\CRuOSNu.exe
  C:\Windows\System32\CRuOSNu.exe
  2⤵
  PID:9692
- C:\Windows\System32\bEIorAL.exe
  C:\Windows\System32\bEIorAL.exe
  2⤵
  PID:9716
- C:\Windows\System32\oXXEWxa.exe
  C:\Windows\System32\oXXEWxa.exe
  2⤵
  PID:9744
- C:\Windows\System32\RkxOrNg.exe
  C:\Windows\System32\RkxOrNg.exe
  2⤵
  PID:9764
- C:\Windows\System32\fOMhTJY.exe
  C:\Windows\System32\fOMhTJY.exe
  2⤵
  PID:9792
- C:\Windows\System32\lXInXFF.exe
  C:\Windows\System32\lXInXFF.exe
  2⤵
  PID:9812
- C:\Windows\System32\TbWhGTb.exe
  C:\Windows\System32\TbWhGTb.exe
  2⤵
  PID:9840
- C:\Windows\System32\gAhCnKI.exe
  C:\Windows\System32\gAhCnKI.exe
  2⤵
  PID:9860
- C:\Windows\System32\XSfiMyz.exe
  C:\Windows\System32\XSfiMyz.exe
  2⤵
  PID:9880
- C:\Windows\System32\yPLLgem.exe
  C:\Windows\System32\yPLLgem.exe
  2⤵
  PID:9952
- C:\Windows\System32\BJHAfGV.exe
  C:\Windows\System32\BJHAfGV.exe
  2⤵
  PID:9984
- C:\Windows\System32\SBlnIjA.exe
  C:\Windows\System32\SBlnIjA.exe
  2⤵
  PID:10000
- C:\Windows\System32\FSNdZLE.exe
  C:\Windows\System32\FSNdZLE.exe
  2⤵
  PID:10024
- C:\Windows\System32\NKzACNH.exe
  C:\Windows\System32\NKzACNH.exe
  2⤵
  PID:10044
- C:\Windows\System32\aDSAibC.exe
  C:\Windows\System32\aDSAibC.exe
  2⤵
  PID:10104
- C:\Windows\System32\ExezZmk.exe
  C:\Windows\System32\ExezZmk.exe
  2⤵
  PID:10128
- C:\Windows\System32\bbMkkiN.exe
  C:\Windows\System32\bbMkkiN.exe
  2⤵
  PID:10160
- C:\Windows\System32\jNSSYkE.exe
  C:\Windows\System32\jNSSYkE.exe
  2⤵
  PID:10184
- C:\Windows\System32\hJXUKWo.exe
  C:\Windows\System32\hJXUKWo.exe
  2⤵
  PID:10236
- C:\Windows\System32\CeMutbF.exe
  C:\Windows\System32\CeMutbF.exe
  2⤵
  PID:9268
- C:\Windows\System32\DnAOErn.exe
  C:\Windows\System32\DnAOErn.exe
  2⤵
  PID:9360
- C:\Windows\System32\uPbjJtN.exe
  C:\Windows\System32\uPbjJtN.exe
  2⤵
  PID:9392
- C:\Windows\System32\PqEvEaq.exe
  C:\Windows\System32\PqEvEaq.exe
  2⤵
  PID:9408
- C:\Windows\System32\zVneMoJ.exe
  C:\Windows\System32\zVneMoJ.exe
  2⤵
  PID:9488
- C:\Windows\System32\uezsEJO.exe
  C:\Windows\System32\uezsEJO.exe
  2⤵
  PID:9508
- C:\Windows\System32\lfMNvjR.exe
  C:\Windows\System32\lfMNvjR.exe
  2⤵
  PID:9552
- C:\Windows\System32\TpGyHpr.exe
  C:\Windows\System32\TpGyHpr.exe
  2⤵
  PID:9644
- C:\Windows\System32\xERqlfM.exe
  C:\Windows\System32\xERqlfM.exe
  2⤵
  PID:9604
- C:\Windows\System32\tiRKmQF.exe
  C:\Windows\System32\tiRKmQF.exe
  2⤵
  PID:9776
- C:\Windows\System32\bCXTOwe.exe
  C:\Windows\System32\bCXTOwe.exe
  2⤵
  PID:9944
- C:\Windows\System32\tgOKGfq.exe
  C:\Windows\System32\tgOKGfq.exe
  2⤵
  PID:9788
- C:\Windows\System32\cTBqUhO.exe
  C:\Windows\System32\cTBqUhO.exe
  2⤵
  PID:9932
- C:\Windows\System32\bXFDsir.exe
  C:\Windows\System32\bXFDsir.exe
  2⤵
  PID:10008
- C:\Windows\System32\SMxagBf.exe
  C:\Windows\System32\SMxagBf.exe
  2⤵
  PID:10120
- C:\Windows\System32\rZdUoHk.exe
  C:\Windows\System32\rZdUoHk.exe
  2⤵
  PID:10200
- C:\Windows\System32\ytdKPVF.exe
  C:\Windows\System32\ytdKPVF.exe
  2⤵
  PID:10172
- C:\Windows\System32\CGGmDCz.exe
  C:\Windows\System32\CGGmDCz.exe
  2⤵
  PID:9328
- C:\Windows\System32\KeYMdew.exe
  C:\Windows\System32\KeYMdew.exe
  2⤵
  PID:9504
- C:\Windows\System32\wNMinRP.exe
  C:\Windows\System32\wNMinRP.exe
  2⤵
  PID:9528
- C:\Windows\System32\VljNMbG.exe
  C:\Windows\System32\VljNMbG.exe
  2⤵
  PID:9660
- C:\Windows\System32\AIwPqDU.exe
  C:\Windows\System32\AIwPqDU.exe
  2⤵
  PID:9676
- C:\Windows\System32\LagaFnV.exe
  C:\Windows\System32\LagaFnV.exe
  2⤵
  PID:9888
- C:\Windows\System32\lgdFuyA.exe
  C:\Windows\System32\lgdFuyA.exe
  2⤵
  PID:10144
- C:\Windows\System32\ASVWRNs.exe
  C:\Windows\System32\ASVWRNs.exe
  2⤵
  PID:9380
- C:\Windows\System32\XRqymUV.exe
  C:\Windows\System32\XRqymUV.exe
  2⤵
  PID:10056
- C:\Windows\System32\NiymQua.exe
  C:\Windows\System32\NiymQua.exe
  2⤵
  PID:10040
- C:\Windows\System32\tssMLLO.exe
  C:\Windows\System32\tssMLLO.exe
  2⤵
  PID:9560
- C:\Windows\System32\pzQfrUP.exe
  C:\Windows\System32\pzQfrUP.exe
  2⤵
  PID:10204
- C:\Windows\System32\YYqovdB.exe
  C:\Windows\System32\YYqovdB.exe
  2⤵
  PID:10272
- C:\Windows\System32\KYpmKLI.exe
  C:\Windows\System32\KYpmKLI.exe
  2⤵
  PID:10300
- C:\Windows\System32\ndnHOfT.exe
  C:\Windows\System32\ndnHOfT.exe
  2⤵
  PID:10324
- C:\Windows\System32\oymodum.exe
  C:\Windows\System32\oymodum.exe
  2⤵
  PID:10340
- C:\Windows\System32\KkzDAIq.exe
  C:\Windows\System32\KkzDAIq.exe
  2⤵
  PID:10368
- C:\Windows\System32\wVYCRdE.exe
  C:\Windows\System32\wVYCRdE.exe
  2⤵
  PID:10404
- C:\Windows\System32\PImPQkF.exe
  C:\Windows\System32\PImPQkF.exe
  2⤵
  PID:10424
- C:\Windows\System32\eQjhIjD.exe
  C:\Windows\System32\eQjhIjD.exe
  2⤵
  PID:10452
- C:\Windows\System32\XFYyqRB.exe
  C:\Windows\System32\XFYyqRB.exe
  2⤵
  PID:10468
- C:\Windows\System32\BfmMscw.exe
  C:\Windows\System32\BfmMscw.exe
  2⤵
  PID:10492
- C:\Windows\System32\gqgjjXl.exe
  C:\Windows\System32\gqgjjXl.exe
  2⤵
  PID:10540
- C:\Windows\System32\yRCZVsG.exe
  C:\Windows\System32\yRCZVsG.exe
  2⤵
  PID:10572
- C:\Windows\System32\stRyhJL.exe
  C:\Windows\System32\stRyhJL.exe
  2⤵
  PID:10600
- C:\Windows\System32\qYBRoXK.exe
  C:\Windows\System32\qYBRoXK.exe
  2⤵
  PID:10628
- C:\Windows\System32\cgtYztJ.exe
  C:\Windows\System32\cgtYztJ.exe
  2⤵
  PID:10664
- C:\Windows\System32\hLNcqne.exe
  C:\Windows\System32\hLNcqne.exe
  2⤵
  PID:10684
- C:\Windows\System32\kKyueuZ.exe
  C:\Windows\System32\kKyueuZ.exe
  2⤵
  PID:10700
- C:\Windows\System32\UpxgKFH.exe
  C:\Windows\System32\UpxgKFH.exe
  2⤵
  PID:10736
- C:\Windows\System32\MQccbuc.exe
  C:\Windows\System32\MQccbuc.exe
  2⤵
  PID:10772
- C:\Windows\System32\BNWjQkE.exe
  C:\Windows\System32\BNWjQkE.exe
  2⤵
  PID:10792
- C:\Windows\System32\ACeWrWY.exe
  C:\Windows\System32\ACeWrWY.exe
  2⤵
  PID:10824
- C:\Windows\System32\IvuuSfw.exe
  C:\Windows\System32\IvuuSfw.exe
  2⤵
  PID:10844
- C:\Windows\System32\bULHOzl.exe
  C:\Windows\System32\bULHOzl.exe
  2⤵
  PID:10892
- C:\Windows\System32\QQmVAJr.exe
  C:\Windows\System32\QQmVAJr.exe
  2⤵
  PID:10912
- C:\Windows\System32\daDlXyR.exe
  C:\Windows\System32\daDlXyR.exe
  2⤵
  PID:10936
- C:\Windows\System32\lZWdVfG.exe
  C:\Windows\System32\lZWdVfG.exe
  2⤵
  PID:10956
- C:\Windows\System32\AOIXfTh.exe
  C:\Windows\System32\AOIXfTh.exe
  2⤵
  PID:10984
- C:\Windows\System32\sUfdVbX.exe
  C:\Windows\System32\sUfdVbX.exe
  2⤵
  PID:11012
- C:\Windows\System32\fnoAaUu.exe
  C:\Windows\System32\fnoAaUu.exe
  2⤵
  PID:11032
- C:\Windows\System32\GqZyMGF.exe
  C:\Windows\System32\GqZyMGF.exe
  2⤵
  PID:11048
- C:\Windows\System32\cEpkFnd.exe
  C:\Windows\System32\cEpkFnd.exe
  2⤵
  PID:11072
- C:\Windows\System32\OZsxAkN.exe
  C:\Windows\System32\OZsxAkN.exe
  2⤵
  PID:11128
- C:\Windows\System32\YjOBLhj.exe
  C:\Windows\System32\YjOBLhj.exe
  2⤵
  PID:11148
- C:\Windows\System32\ubRxlUJ.exe
  C:\Windows\System32\ubRxlUJ.exe
  2⤵
  PID:11180
- C:\Windows\System32\zgZYhtU.exe
  C:\Windows\System32\zgZYhtU.exe
  2⤵
  PID:11208
- C:\Windows\System32\JEyWYVH.exe
  C:\Windows\System32\JEyWYVH.exe
  2⤵
  PID:11248
- C:\Windows\System32\CLzZKOQ.exe
  C:\Windows\System32\CLzZKOQ.exe
  2⤵
  PID:10248
- C:\Windows\System32\JwMGynW.exe
  C:\Windows\System32\JwMGynW.exe
  2⤵
  PID:10292
- C:\Windows\System32\jwYhwOA.exe
  C:\Windows\System32\jwYhwOA.exe
  2⤵
  PID:10336
- C:\Windows\System32\mZXodhH.exe
  C:\Windows\System32\mZXodhH.exe
  2⤵
  PID:10420
- C:\Windows\System32\NRVTxat.exe
  C:\Windows\System32\NRVTxat.exe
  2⤵
  PID:10480
- C:\Windows\System32\FxcQOGe.exe
  C:\Windows\System32\FxcQOGe.exe
  2⤵
  PID:10500
- C:\Windows\System32\BExezHu.exe
  C:\Windows\System32\BExezHu.exe
  2⤵
  PID:10584
- C:\Windows\System32\jFKdGvh.exe
  C:\Windows\System32\jFKdGvh.exe
  2⤵
  PID:10708
- C:\Windows\System32\flvGwzQ.exe
  C:\Windows\System32\flvGwzQ.exe
  2⤵
  PID:10800
- C:\Windows\System32\sKsYYAE.exe
  C:\Windows\System32\sKsYYAE.exe
  2⤵
  PID:10832
- C:\Windows\System32\QwYfmFA.exe
  C:\Windows\System32\QwYfmFA.exe
  2⤵
  PID:10900
- C:\Windows\System32\fYnTNqX.exe
  C:\Windows\System32\fYnTNqX.exe
  2⤵
  PID:10924
- C:\Windows\System32\JkPUUVy.exe
  C:\Windows\System32\JkPUUVy.exe
  2⤵
  PID:11008
- C:\Windows\System32\VNAaPOB.exe
  C:\Windows\System32\VNAaPOB.exe
  2⤵
  PID:11028
- C:\Windows\System32\Joirghj.exe
  C:\Windows\System32\Joirghj.exe
  2⤵
  PID:11084
- C:\Windows\System32\yKAyGRn.exe
  C:\Windows\System32\yKAyGRn.exe
  2⤵
  PID:11144
- C:\Windows\System32\sbMFxhr.exe
  C:\Windows\System32\sbMFxhr.exe
  2⤵
  PID:10288
- C:\Windows\System32\wukAZhX.exe
  C:\Windows\System32\wukAZhX.exe
  2⤵
  PID:10376
- C:\Windows\System32\lnAWUYC.exe
  C:\Windows\System32\lnAWUYC.exe
  2⤵
  PID:10460
- C:\Windows\System32\HTwzbhS.exe
  C:\Windows\System32\HTwzbhS.exe
  2⤵
  PID:10768
- C:\Windows\System32\ocFBrzo.exe
  C:\Windows\System32\ocFBrzo.exe
  2⤵
  PID:10944
- C:\Windows\System32\nmTKsCV.exe
  C:\Windows\System32\nmTKsCV.exe
  2⤵
  PID:10880
- C:\Windows\System32\QxoAzsI.exe
  C:\Windows\System32\QxoAzsI.exe
  2⤵
  PID:11168
- C:\Windows\System32\uyKTAvL.exe
  C:\Windows\System32\uyKTAvL.exe
  2⤵
  PID:11240
- C:\Windows\System32\hlyZfSB.exe
  C:\Windows\System32\hlyZfSB.exe
  2⤵
  PID:10612
- C:\Windows\System32\IQQjhyB.exe
  C:\Windows\System32\IQQjhyB.exe
  2⤵
  PID:10812
- C:\Windows\System32\OVgQmTX.exe
  C:\Windows\System32\OVgQmTX.exe
  2⤵
  PID:10780
- C:\Windows\System32\bQsWjDj.exe
  C:\Windows\System32\bQsWjDj.exe
  2⤵
  PID:10396
- C:\Windows\System32\GFzGTqb.exe
  C:\Windows\System32\GFzGTqb.exe
  2⤵
  PID:11280
- C:\Windows\System32\oeFtzrk.exe
  C:\Windows\System32\oeFtzrk.exe
  2⤵
  PID:11300
- C:\Windows\System32\uOVOohL.exe
  C:\Windows\System32\uOVOohL.exe
  2⤵
  PID:11336
- C:\Windows\System32\loiPjRm.exe
  C:\Windows\System32\loiPjRm.exe
  2⤵
  PID:11360
- C:\Windows\System32\SVegUZv.exe
  C:\Windows\System32\SVegUZv.exe
  2⤵
  PID:11380
- C:\Windows\System32\nnsSPQn.exe
  C:\Windows\System32\nnsSPQn.exe
  2⤵
  PID:11432
- C:\Windows\System32\bwdwmvb.exe
  C:\Windows\System32\bwdwmvb.exe
  2⤵
  PID:11448
- C:\Windows\System32\YTomMHi.exe
  C:\Windows\System32\YTomMHi.exe
  2⤵
  PID:11464
- C:\Windows\System32\gueYaam.exe
  C:\Windows\System32\gueYaam.exe
  2⤵
  PID:11484
- C:\Windows\System32\qmBypxp.exe
  C:\Windows\System32\qmBypxp.exe
  2⤵
  PID:11504
- C:\Windows\System32\lLxQbXL.exe
  C:\Windows\System32\lLxQbXL.exe
  2⤵
  PID:11520
- C:\Windows\System32\IzRaELo.exe
  C:\Windows\System32\IzRaELo.exe
  2⤵
  PID:11564
- C:\Windows\System32\WMhWfUQ.exe
  C:\Windows\System32\WMhWfUQ.exe
  2⤵
  PID:11596
- C:\Windows\System32\dbuZJWJ.exe
  C:\Windows\System32\dbuZJWJ.exe
  2⤵
  PID:11636
- C:\Windows\System32\dUchfnm.exe
  C:\Windows\System32\dUchfnm.exe
  2⤵
  PID:11660
- C:\Windows\System32\AcyfvWm.exe
  C:\Windows\System32\AcyfvWm.exe
  2⤵
  PID:11688
- C:\Windows\System32\vkLwvqf.exe
  C:\Windows\System32\vkLwvqf.exe
  2⤵
  PID:11728
- C:\Windows\System32\auJEbff.exe
  C:\Windows\System32\auJEbff.exe
  2⤵
  PID:11744
- C:\Windows\System32\DNpZCzQ.exe
  C:\Windows\System32\DNpZCzQ.exe
  2⤵
  PID:11768
- C:\Windows\System32\cOWELIs.exe
  C:\Windows\System32\cOWELIs.exe
  2⤵
  PID:11812
- C:\Windows\System32\ThUHKgg.exe
  C:\Windows\System32\ThUHKgg.exe
  2⤵
  PID:11860
- C:\Windows\System32\usIwXgX.exe
  C:\Windows\System32\usIwXgX.exe
  2⤵
  PID:11884
- C:\Windows\System32\xbyVOwg.exe
  C:\Windows\System32\xbyVOwg.exe
  2⤵
  PID:11912
- C:\Windows\System32\sedWaKT.exe
  C:\Windows\System32\sedWaKT.exe
  2⤵
  PID:11928
- C:\Windows\System32\qIpijWF.exe
  C:\Windows\System32\qIpijWF.exe
  2⤵
  PID:11956
- C:\Windows\System32\OvMymov.exe
  C:\Windows\System32\OvMymov.exe
  2⤵
  PID:11976
- C:\Windows\System32\CThHxCg.exe
  C:\Windows\System32\CThHxCg.exe
  2⤵
  PID:11996
- C:\Windows\System32\jVToSbi.exe
  C:\Windows\System32\jVToSbi.exe
  2⤵
  PID:12020
- C:\Windows\System32\zHigrDS.exe
  C:\Windows\System32\zHigrDS.exe
  2⤵
  PID:12040
- C:\Windows\System32\LzDbgqi.exe
  C:\Windows\System32\LzDbgqi.exe
  2⤵
  PID:12064
- C:\Windows\System32\ogCcjMU.exe
  C:\Windows\System32\ogCcjMU.exe
  2⤵
  PID:12112
- C:\Windows\System32\syvaJBM.exe
  C:\Windows\System32\syvaJBM.exe
  2⤵
  PID:12144
- C:\Windows\System32\dUBoQbg.exe
  C:\Windows\System32\dUBoQbg.exe
  2⤵
  PID:12168
- C:\Windows\System32\nIKMGRY.exe
  C:\Windows\System32\nIKMGRY.exe
  2⤵
  PID:12196
- C:\Windows\System32\MkTSaCC.exe
  C:\Windows\System32\MkTSaCC.exe
  2⤵
  PID:12240
- C:\Windows\System32\lesBzxR.exe
  C:\Windows\System32\lesBzxR.exe
  2⤵
  PID:12264
- C:\Windows\System32\ruVQHmu.exe
  C:\Windows\System32\ruVQHmu.exe
  2⤵
  PID:11268
- C:\Windows\System32\gWKzwQd.exe
  C:\Windows\System32\gWKzwQd.exe
  2⤵
  PID:11376
- C:\Windows\System32\cuGvIIa.exe
  C:\Windows\System32\cuGvIIa.exe
  2⤵
  PID:11372
- C:\Windows\System32\qHBEHGD.exe
  C:\Windows\System32\qHBEHGD.exe
  2⤵
  PID:11444
- C:\Windows\System32\oNHVsCr.exe
  C:\Windows\System32\oNHVsCr.exe
  2⤵
  PID:11532
- C:\Windows\System32\gyaccWo.exe
  C:\Windows\System32\gyaccWo.exe
  2⤵
  PID:11560
- C:\Windows\System32\iNUMMdE.exe
  C:\Windows\System32\iNUMMdE.exe
  2⤵
  PID:11496
- C:\Windows\System32\RgIEXwo.exe
  C:\Windows\System32\RgIEXwo.exe
  2⤵
  PID:10836
- C:\Windows\System32\YpdfeeH.exe
  C:\Windows\System32\YpdfeeH.exe
  2⤵
  PID:11740
- C:\Windows\System32\djSjtrt.exe
  C:\Windows\System32\djSjtrt.exe
  2⤵
  PID:11820
- C:\Windows\System32\APNcBrM.exe
  C:\Windows\System32\APNcBrM.exe
  2⤵
  PID:11876
- C:\Windows\System32\SfSbYzH.exe
  C:\Windows\System32\SfSbYzH.exe
  2⤵
  PID:11944
- C:\Windows\System32\QnHyfDv.exe
  C:\Windows\System32\QnHyfDv.exe
  2⤵
  PID:11984
- C:\Windows\System32\eVVWMMg.exe
  C:\Windows\System32\eVVWMMg.exe
  2⤵
  PID:12048
- C:\Windows\System32\CEsLlpB.exe
  C:\Windows\System32\CEsLlpB.exe
  2⤵
  PID:12156
- C:\Windows\System32\POYXmmK.exe
  C:\Windows\System32\POYXmmK.exe
  2⤵
  PID:12152
- C:\Windows\System32\wopkKWb.exe
  C:\Windows\System32\wopkKWb.exe
  2⤵
  PID:12216
- C:\Windows\System32\ukozHwp.exe
  C:\Windows\System32\ukozHwp.exe
  2⤵
  PID:2540
- C:\Windows\System32\zoiPqrJ.exe
  C:\Windows\System32\zoiPqrJ.exe
  2⤵
  PID:11348
- C:\Windows\System32\snDDgiA.exe
  C:\Windows\System32\snDDgiA.exe
  2⤵
  PID:11460
- C:\Windows\System32\mgLYyKu.exe
  C:\Windows\System32\mgLYyKu.exe
  2⤵
  PID:11584
- C:\Windows\System32\QUoKSei.exe
  C:\Windows\System32\QUoKSei.exe
  2⤵
  PID:11572
- C:\Windows\System32\OYLqRiK.exe
  C:\Windows\System32\OYLqRiK.exe
  2⤵
  PID:11708
- C:\Windows\System32\WFqknTO.exe
  C:\Windows\System32\WFqknTO.exe
  2⤵
  PID:11848
- C:\Windows\System32\HRdAABP.exe
  C:\Windows\System32\HRdAABP.exe
  2⤵
  PID:11952
- C:\Windows\System32\GsKfUiY.exe
  C:\Windows\System32\GsKfUiY.exe
  2⤵
  PID:12132
- C:\Windows\System32\BlzQIRU.exe
  C:\Windows\System32\BlzQIRU.exe
  2⤵
  PID:12232
- C:\Windows\System32\ltZIIBK.exe
  C:\Windows\System32\ltZIIBK.exe
  2⤵
  PID:12180
- C:\Windows\System32\TipKEFD.exe
  C:\Windows\System32\TipKEFD.exe
  2⤵
  PID:4296
- C:\Windows\System32\fXwgLVc.exe
  C:\Windows\System32\fXwgLVc.exe
  2⤵
  PID:12096
- C:\Windows\System32\WRPbAqD.exe
  C:\Windows\System32\WRPbAqD.exe
  2⤵
  PID:12292
- C:\Windows\System32\dlAvWNn.exe
  C:\Windows\System32\dlAvWNn.exe
  2⤵
  PID:12308
- C:\Windows\System32\IBPxbIt.exe
  C:\Windows\System32\IBPxbIt.exe
  2⤵
  PID:12348
- C:\Windows\System32\uiYkiOO.exe
  C:\Windows\System32\uiYkiOO.exe
  2⤵
  PID:12376
- C:\Windows\System32\lbCkDjF.exe
  C:\Windows\System32\lbCkDjF.exe
  2⤵
  PID:12392
- C:\Windows\System32\drmdpHE.exe
  C:\Windows\System32\drmdpHE.exe
  2⤵
  PID:12412
- C:\Windows\System32\VptkQGB.exe
  C:\Windows\System32\VptkQGB.exe
  2⤵
  PID:12428
- C:\Windows\System32\NxbfhMP.exe
  C:\Windows\System32\NxbfhMP.exe
  2⤵
  PID:12464
- C:\Windows\System32\qQHTVeY.exe
  C:\Windows\System32\qQHTVeY.exe
  2⤵
  PID:12484
- C:\Windows\System32\jEfbviv.exe
  C:\Windows\System32\jEfbviv.exe
  2⤵
  PID:12508
- C:\Windows\System32\FXHDURl.exe
  C:\Windows\System32\FXHDURl.exe
  2⤵
  PID:12540
- C:\Windows\System32\DrwbkRv.exe
  C:\Windows\System32\DrwbkRv.exe
  2⤵
  PID:12572
- C:\Windows\System32\ZqvumWn.exe
  C:\Windows\System32\ZqvumWn.exe
  2⤵
  PID:12596
- C:\Windows\System32\njrcKgu.exe
  C:\Windows\System32\njrcKgu.exe
  2⤵
  PID:12612
- C:\Windows\System32\MytjOyz.exe
  C:\Windows\System32\MytjOyz.exe
  2⤵
  PID:12660
- C:\Windows\System32\GecoFKk.exe
  C:\Windows\System32\GecoFKk.exe
  2⤵
  PID:12708
- C:\Windows\System32\mkbMCbb.exe
  C:\Windows\System32\mkbMCbb.exe
  2⤵
  PID:12728
- C:\Windows\System32\Masgfip.exe
  C:\Windows\System32\Masgfip.exe
  2⤵
  PID:12760
- C:\Windows\System32\ozTQVLR.exe
  C:\Windows\System32\ozTQVLR.exe
  2⤵
  PID:12788
- C:\Windows\System32\gqejRIw.exe
  C:\Windows\System32\gqejRIw.exe
  2⤵
  PID:12804
- C:\Windows\System32\omILBKg.exe
  C:\Windows\System32\omILBKg.exe
  2⤵
  PID:12836
- C:\Windows\System32\bsbpJDH.exe
  C:\Windows\System32\bsbpJDH.exe
  2⤵
  PID:12868
- C:\Windows\System32\irrYpQZ.exe
  C:\Windows\System32\irrYpQZ.exe
  2⤵
  PID:12896
- C:\Windows\System32\FflMGPw.exe
  C:\Windows\System32\FflMGPw.exe
  2⤵
  PID:12932
- C:\Windows\System32\guXNsda.exe
  C:\Windows\System32\guXNsda.exe
  2⤵
  PID:12956
- C:\Windows\System32\MOSHvxR.exe
  C:\Windows\System32\MOSHvxR.exe
  2⤵
  PID:12976
- C:\Windows\System32\JzezXCZ.exe
  C:\Windows\System32\JzezXCZ.exe
  2⤵
  PID:13020
- C:\Windows\System32\DueaZFm.exe
  C:\Windows\System32\DueaZFm.exe
  2⤵
  PID:13036
- C:\Windows\System32\eQrYJOQ.exe
  C:\Windows\System32\eQrYJOQ.exe
  2⤵
  PID:13060
- C:\Windows\System32\GtikQwm.exe
  C:\Windows\System32\GtikQwm.exe
  2⤵
  PID:13080
- C:\Windows\System32\OTdNvQD.exe
  C:\Windows\System32\OTdNvQD.exe
  2⤵
  PID:13100
- C:\Windows\System32\htWbHbq.exe
  C:\Windows\System32\htWbHbq.exe
  2⤵
  PID:13116
- C:\Windows\System32\OdmWdnq.exe
  C:\Windows\System32\OdmWdnq.exe
  2⤵
  PID:13136
- C:\Windows\System32\UecVNOc.exe
  C:\Windows\System32\UecVNOc.exe
  2⤵
  PID:13156
- C:\Windows\System32\JktLswE.exe
  C:\Windows\System32\JktLswE.exe
  2⤵
  PID:13180
- C:\Windows\System32\faxTcgO.exe
  C:\Windows\System32\faxTcgO.exe
  2⤵
  PID:13196
- C:\Windows\System32\evjCfrc.exe
  C:\Windows\System32\evjCfrc.exe
  2⤵
  PID:13256
- C:\Windows\System32\xpbpLBG.exe
  C:\Windows\System32\xpbpLBG.exe
  2⤵
  PID:13272
- C:\Windows\System32\DiygBFE.exe
  C:\Windows\System32\DiygBFE.exe
  2⤵
  PID:12320
- C:\Windows\System32\biXImTa.exe
  C:\Windows\System32\biXImTa.exe
  2⤵
  PID:12424
- C:\Windows\System32\DQJcWmM.exe
  C:\Windows\System32\DQJcWmM.exe
  2⤵
  PID:12420
- C:\Windows\System32\xTaPMiC.exe
  C:\Windows\System32\xTaPMiC.exe
  2⤵
  PID:12472
- C:\Windows\System32\KPJrnnX.exe
  C:\Windows\System32\KPJrnnX.exe
  2⤵
  PID:12584
- C:\Windows\System32\hioAelw.exe
  C:\Windows\System32\hioAelw.exe
  2⤵
  PID:12620
- C:\Windows\System32\bBlukLA.exe
  C:\Windows\System32\bBlukLA.exe
  2⤵
  PID:12740
- C:\Windows\System32\RKpVoaK.exe
  C:\Windows\System32\RKpVoaK.exe
  2⤵
  PID:12800
- C:\Windows\System32\teeTbXf.exe
  C:\Windows\System32\teeTbXf.exe
  2⤵
  PID:12852

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BqjcrHz.exe

Filesize
1.4MB

MD5
e63f2c4c4c6bdb6a25506dffb7b783c7

SHA1
775d74bc2311845edf4c6a96aee33d674aff65f9

SHA256
ce3a7fa79cd2274f4cf3890fb33a7a9fe75639d88a168e84bd8c761664c389b0

SHA512
cdf461dbb1aa7972b1af97028964dd93a1fff0d5966f7e7d15ca8c235c23bdf915214763c140b94db5addcf1c2a48022b71edeafe686f906e97c029ac29da9bd

Download Submit
C:\Windows\System32\CUpADpm.exe

Filesize
1.4MB

MD5
e09c10847eb15a6e1170247a5d4bc74c

SHA1
99c10698ce65712ae1c3b177055041f169cd7bae

SHA256
fd92dd016782e74d3148b7a57d3730e15fc02f428278e1fa64b7c032db75d1c4

SHA512
04108ca536b91767c5247b2cf672a95a58e447bb1a114ee84858844ef0e8fbac3608c08d8306c8714e2779bc53a455201832d681a8d2a8ec198d006d9a701ff8

Download Submit
C:\Windows\System32\CeqgQQW.exe

Filesize
1.4MB

MD5
7c269ef8991bda60d7c513e8edfabb94

SHA1
fabc25b6b49b663288effffabe0e8690e140b886

SHA256
f2133b3e17def65decdd93c2ae485020bac1068c3406aab3ac364cade7b5e2d3

SHA512
d6b7518cf81520319e21641df7036957642dba75c64c323fa27155cd92b346f0c5d7c01ff841af86522da514cd857d969754f6e9453e96660597256b5c0a0783

Download Submit
C:\Windows\System32\GCKfFAY.exe

Filesize
1.4MB

MD5
965403d94638ae54c0c90347e0b8c2f7

SHA1
0e885c78e4373f33662a7a97cf565d5d38023f02

SHA256
4ceeb95f630274b952f52a57e43a1953e55f6fa0fb014553c539f497df663a49

SHA512
921c4910df6261d47d661f533e98ad35a0405d38c847181dfad647f09fdd7c267ffb97ee867700c69e6c37ff80330e26fa243c1380166ec08d09ff3abaf9b9ad

Download Submit
C:\Windows\System32\IgqZbWj.exe

Filesize
1.4MB

MD5
03cdbddf2e6b8a5a8481b6900d662e22

SHA1
58ac40412a6cd8254cfc5e345b58a78b71717691

SHA256
5487fcdfdee24f760124b1a9331fc61d7f9ede7ea41eda2a021e9d182574b2a1

SHA512
f3443efa37ad4b70dfec1d7e6040c8ac68f4d5e7cf18869ce0d802e49b9d9ec047c2a6eafaa5efef6095796abf3122d2946c06bf7cebc6aed602c7c3a6389f14

Download Submit
C:\Windows\System32\IqIHmPT.exe

Filesize
1.4MB

MD5
134cc6f2b51fed05c2fc4aed82c8c7f1

SHA1
7bc9cdf9326934bf79e397024c0c3177bbb0622c

SHA256
33ec75c7ff5d7ff039a0569894cd601944ac3d8e7a1b74bdda7bd70dfb417075

SHA512
8c46d5c3b56b9b7c6cae2e13fee39f5b2a880a49153ff96ecd92470597721f2f2ebbe8a37709c8ba9fc4d85be5109c2e040a7933180e822e2915ab4f0a83a0b4

Download Submit
C:\Windows\System32\IzsSKat.exe

Filesize
1.4MB

MD5
0648a8955c1563e23adac7fca0856eba

SHA1
91ca6f71314da47a7ee11d2e6acee16d9b2c8dca

SHA256
985759a2429e39af185bced30f3e1acb3df5375a44dbc489158530baf7d09822

SHA512
5cea6d517d7b633db699bac5fa3fa9bd0175e4d1d7590e132d5d429bf9e45903b66d33d9afdb978c4c875d11cd15164d514c94d3ff594a9a82d6079be5bf6c27

Download Submit
C:\Windows\System32\JZoHxib.exe

Filesize
1.4MB

MD5
8a7ef9389c877dfa444ac55449a21a34

SHA1
aee55e3791cf468edaa58b06105deb1efd36c65a

SHA256
14e612a0c35c73f33d8fbe2e99c36f879e1153a4bf89b891d52d13b7fbf2e573

SHA512
5f39135d42a74c9cf05249ff0f41d9a05651e10769327e57e63ac81eab5a99fbe0588cdc02a76a2ca4b8e2323fc5a8a646e9f11fdffc51dc7f3173fe0c2dba11

Download Submit
C:\Windows\System32\KqOabMU.exe

Filesize
1.4MB

MD5
2d32891a85f289c2d5498754376af6db

SHA1
a4a7cbad0fda56df4dfccc783f8a6ee9a93c227f

SHA256
f4ba51f4bba4241aabd40173542919b0a4587759d6c2dc54a7a912a0aa01d863

SHA512
8bc01f8ed84031252e23381d40c8df23deaa52c4e87ce323105c76e1d4d65e712613d3ab713213d6b61735a4933054c0ca607706e896de9dcc23a5e5c1631c23

Download Submit
C:\Windows\System32\RhLsqLu.exe

Filesize
1.4MB

MD5
a2b6c7b6851b7f15be9e079df437f9bc

SHA1
089a80841c5365dc1a7a1bf65b0cebb78be469e7

SHA256
bcd2b92d5b79b92f88131345c58b45e24059dc183d0b22c8fd899c98ed947605

SHA512
10cd840a99ddc7a5dcffa254ac2de6727067f39201643a4aaac9e72914b2ea34238f15d7a40cc8db19db3cfc0e8d846c3ffd855e4e266f10dfcea88fb8157ced

Download Submit
C:\Windows\System32\UhNpLSq.exe

Filesize
1.4MB

MD5
54bee41971036f6c048e17afba96b30b

SHA1
5af423c1178829a4b1dbed8e55fb78a8704caa46

SHA256
0b402621ef740e13073963e26c5798c1c8ba082ad0b38043ce2eecb9c87db8e6

SHA512
7269c241ecf6bdb4157274d16c2715d3fd48800ca946814899104df49e9159b57bb1cbcfc6c5c828152fc0e71e54f21e9cb01c341af6fde0b4b58f8367def243

Download Submit
C:\Windows\System32\UlbODbM.exe

Filesize
1.4MB

MD5
5c24fa044b2199707ea0c29672344837

SHA1
da5ba9f50af5bdfc1cba02bbed0a5bd243bd8e76

SHA256
ec4932b3a1dc6e15b9cb898f43e024cdb2c161a8ddb19f20a03b15c76e18e961

SHA512
5733d1a1556c1b714f6e0b3820c6d8609cffeedb9d48abc66514d853eea0d0f07b772f7978fea35763a8bb8d51d9ad16c479b4981e766d88bfe1d6d93d7eb46c

Download Submit
C:\Windows\System32\VRunYKV.exe

Filesize
1.4MB

MD5
89b6eeb24bc89e4be2fd560b284ec20a

SHA1
d04661c574a4223090dd8e3e4eaa7e7067997594

SHA256
a5805e12832004cbad8f2d6612a45d41faeab00e07ff23e839a302121dfe789b

SHA512
30e52f36539416e17f4a5fbf5e98aaafbacfe9d68aa72b26cf4590b312588ba5481b58eb21e5f9f20a79335d91eb1065177439da3217d30c101f027bf969e0a3

Download Submit
C:\Windows\System32\WQTcygS.exe

Filesize
1.4MB

MD5
e5248bd77e2915dcd917861fda419b50

SHA1
154cf0723d3b7c4be27dad62ef0564d96ea82963

SHA256
433a5b49e4658abc75ef64fec054d7254180e906f9e9c4831de8323426a98958

SHA512
94ccfbd5998bb286197314f8b24661535fae4c9f393c233e6fd0ec4d95cb3827ff0b6ab4cfa60370632e08be5298a829304e3d08689d732ada94d1168d071a34

Download Submit
C:\Windows\System32\WSbmcNG.exe

Filesize
1.4MB

MD5
ca6ff2d62dd7e953dc499681cb27703b

SHA1
2e5ea1ad8972404f496303db1c40482b83ada95f

SHA256
11f47a1f9aab421dac7f45cd7f9a7aff2593fc5ae48ac8e5f323fa239bb5239c

SHA512
4cfc9b489b31564f6a718b0f24cfc7c308e757c31d4f9a00f5a8feb96cd1ad50f96d6f28fd9ac4ded52cc98b35fe4b0e500e92672ddbd577f2777dd12bfca7cf

Download Submit
C:\Windows\System32\XoRqHdD.exe

Filesize
1.4MB

MD5
9e156961dc1a10341f4cdc6e96876e92

SHA1
0a55af15f309fb25b5c609b40c5a365ad047c98f

SHA256
cc9fd0b94b65cde92cbfb40870911c7c7d992437215adb0d26d686f06d3a18fb

SHA512
dd72ec9434ad1d1ed436b2666ebbed17a4f954cc5e829bbe551a64ea94c1bfbe2a461bcb312f5f2bd376b5649a0157f375c7cabd73fc7b2503535876261eded6

Download Submit
C:\Windows\System32\aNJBxMA.exe

Filesize
1.4MB

MD5
f3cb19c0ab956c9fb7a5e28c557047c3

SHA1
d0a6f2e264068a1be709d564c80f716546eb4b15

SHA256
d688c0b6983812b8bae318bb43d8f1a4541546f1fa212e3c5e865c9801539737

SHA512
2cd07c4aeee0aad3745e1db091fbc80be4093c37582a4ea5bdeea668f5eae2d95b1f9d56e5d3ba132677ba425ce92bcaeb6c7c5596a33e3b5a857b5dce29d595

Download Submit
C:\Windows\System32\cIoyVPR.exe

Filesize
1.4MB

MD5
b59123a4fad7f443baa0b50366cdb61d

SHA1
3cfa4816eaa79eea4c5672f206b0224a9aef042a

SHA256
1a69126be1e2227bb5e1e302385e271e183d01653c8c2f7213bc5d2d390d7331

SHA512
15726625cc6fd8c100f9818194459dd540034735a14fb1a8a4854649533b9eb16c6435c70adaee2da3c67250b3364514165978b10ad7a93102303560e5f7e79b

Download Submit
C:\Windows\System32\hnmEGQP.exe

Filesize
1.4MB

MD5
2ef4f9e19b3f59914f4036e30529e340

SHA1
b6e28aedd81596d69a80cd85f9d08102d7bfffb5

SHA256
a8802eba8f1f5a7e40aaa5fb98807d0df548f242e0547d7b2f497f8b6740575b

SHA512
8166bd84949b12d6d16e640b2655580254ab9ddce1f7efe9dcae9b135655ff9a64b74760d0a2f89cf6524b06b85069fbc7eeb7b050d4fd8a61cf66c333f0b819

Download Submit
C:\Windows\System32\iPDbIqT.exe

Filesize
1.4MB

MD5
e59394a90bcfabf372aa819a604bd308

SHA1
11640204be4b2e635a5411eb096149708ea50b75

SHA256
8b041f019ef75d4f59199dc32c384111e74d18187604c5f328d0ae9181b2a0ac

SHA512
180e6d873c621e8cb9c58d5922dd6c99377bfaf71062d9f4b4981f196ef7d43b99e2a05c4f443c3b1a0ef4508c985846fd9ed18fc8027ee2ec7fb867cbe70ac9

Download Submit
C:\Windows\System32\ihuNmKE.exe

Filesize
1.4MB

MD5
28def30541c7e904c5e998aa3a8c4d39

SHA1
ed97ea064c5313ea08b50782ba5bbfdebc2eefc1

SHA256
0bb2e36d7683df23a9c2f4e89826e64f2c38d5a3e0ce35803251488893a5ab5e

SHA512
4fa893c270bd882bb8af53819dc4afa61dac07bc554a1950c86b0418a013ea82e79a73e6e8b311e9f5fff88047e88bf5e06c3a23a1ae4cf0ebe34f5feed75bde

Download Submit
C:\Windows\System32\kGbeOOo.exe

Filesize
1.4MB

MD5
9b1127d490009c2abe308e41ce4a3a13

SHA1
3a958109f61b7574dc054d8f9e625f70a4f1b963

SHA256
fa02675f74db275b606151e92e2136dab66c0202bcdaf90ac501dcaec69f7842

SHA512
ebdddae39d4fd8d62c0faa30d0a01e807c46dd5e1c4e538fc8d7ff50c91a62aef35c5f2c8cb8a600e3f528cf1dea9a6f56b0f8b17d8e351f7dd32cc1169dde37

Download Submit
C:\Windows\System32\luiUntp.exe

Filesize
1.4MB

MD5
fa723cfa194ef86d474ca37d0ab97693

SHA1
3e7f2b6c5784b9c21c9087d1d118834ac7dc391e

SHA256
f4199cb44ac44a15564f58d74389a8e5f36ad21e0e6bb1dc2c48b5b9a4fa18a1

SHA512
bd47fc38da1319870f2392667f90822e123d7f3617bee0eea025c94c6af7cf7cbf18339b6c6b1efca5290c5756900ccf75d507fd87edc8174accba39630f0997

Download Submit
C:\Windows\System32\omoYhfO.exe

Filesize
1.4MB

MD5
8974d93d6c6eba9e1fec5afec4e6fe86

SHA1
ddfc8473b38005d3d7d5716b58c0ccb3035a16d3

SHA256
24bbecd30ed091582f924462f62b48523aa60c21a23f232cd612e0a5d636061a

SHA512
2c6581325a56fc951d4e178beb9dc7522c9f068b6ba9cb33832bff79f83470f04b75ac2bc033b3d86b854c17e92d7ca94e77598da30ace648224edf97c0d7f1e

Download Submit
C:\Windows\System32\rPVCElx.exe

Filesize
1.4MB

MD5
f7173c618e6639a5c5585c99f397b552

SHA1
3465a79fd40cfa0b232e6da65daa2ffb1942b02b

SHA256
1eb76ff3f23566f00124688e147b2bd2a4651e329f9102f54f2e5d83d216bc92

SHA512
15b253b945c815999193bc0fac0d6607d90a4843c06d00b2bb9c1ebe087a406b46b5695d22b4da4fc44164cf529045dd4347de78c822aebdf656a63344112a5c

Download Submit
C:\Windows\System32\rYONmSI.exe

Filesize
1.4MB

MD5
58c8ead5d19749e26460074866a1fc49

SHA1
2d2a2ec2426385b029adaec4599a82b26aedf338

SHA256
bff6f68357d90abafcaa0241f184d0244a0ed1d870e47ef057557c6c5375d72b

SHA512
d83fd5cec9d1ef6307a5a42d6bbf717d5e31a8de6a45c34dc90dcafc18454cc04aec89f72c17da37da919b6d7fb70ec84d3897237f10e71d1452563977779049

Download Submit
C:\Windows\System32\tibMcEj.exe

Filesize
1.4MB

MD5
12a63bc148472f0c6d1970c722543076

SHA1
b2a901538b939a7c46f1f18ba29a8d20a83c83be

SHA256
20812a928034888cd4aa8ba9661c294efbff9cf6bc4c8b8c6ee2bb842d845739

SHA512
9ee98f53b59ce348ddb9fabdcf2ecb7c0c52ec010c8c2a9071bd1b18e4ce4225bee5b0aff0a843fc2427793da09bd845f5cbbe4132af212456ba9b4d029d25de

Download Submit
C:\Windows\System32\weBwLmX.exe

Filesize
1.4MB

MD5
3bc3e6ff80b034a042f60f6422fec0ae

SHA1
86903bc5783aec7c871a196eaf0577c87f1ecc0e

SHA256
7b3a52ed11c5c023ea64d9976ffa9c0c55837e140e6f27bba5441d7b61b828b5

SHA512
33be3c319e4481a35081a09589d89317b2c7f5dc55bcb71b00bcf9b2fd26a86db2b9a5a022c6d2514b1c72ba8b7022d89ae6257b7cb7922defb089dd860f0a8b

Download Submit
C:\Windows\System32\xNELVnQ.exe

Filesize
1.4MB

MD5
740bb6fcd321d565f067459fd9fde9d5

SHA1
1dd1c8b928fb506f111f4eb73f6f5934379ea727

SHA256
a2f6718660d4a8647127eaffabafc8c4b1f7c06f300247fe32822108c30b8600

SHA512
2bd960511fff910bbd6610574a28a1e39530a1f57a48f1b9cd3060035b164a9473353166eebd2baed2e5b19a672fc9b86c57377de7173e38c975605c4f6d9997

Download Submit
C:\Windows\System32\xTDgGTv.exe

Filesize
1.4MB

MD5
769f7e8c22a6d3745c48ea6cd8ad2463

SHA1
1d2aed74aa1fdd9d490cb173a2959304e2f1c937

SHA256
f5a41c7cbe974ffe85418880226122d8ae81dac9b0b284331184a242a0abe6ea

SHA512
8a6754944f1965b537fabcb031ac0d846bf3259cffee56a7a61398c4b1ad56b200c37df92c65fb6fae5130f2735b8d01993ad1a110b7123dc5f31f11a772549e

Download Submit
C:\Windows\System32\yRTwNQX.exe

Filesize
1.4MB

MD5
47e8ea13db30a14f89e7f9942d60ad5a

SHA1
7041956fbab44fba548452438f464d3612f8cd93

SHA256
d40c79c0bea2b51f3634afa0590da5aa94f9615ddf99e2b240e1647a012f7eac

SHA512
ebb92283ab1e6a16a39b8985f36791400d4997d219b9806447546b5a1a7229a05c16c95d365f976d2bad0c68ef5bd6de1659fe4d770eed34a8f20ed289edfe92

Download Submit
C:\Windows\System32\yzOKDDk.exe

Filesize
1.4MB

MD5
ecf33062dd0166cf799b36b00c48cbe7

SHA1
2517148b20f8ac61247fad11fb342c74b19216d4

SHA256
3b928d359f6d2a87709ff6f968b38c431cc7d3a0f573f25edc763d0139b53ad7

SHA512
7e6d102c9e54fa26596fadfd00d15745f5fee5d721743f4ba451272976931f86b37c5aff420a9e34f05fce9e76adafe989afcf887f06b7d89cd237d398999010

Download Submit
C:\Windows\System32\zjDtdMr.exe

Filesize
1.4MB

MD5
54ab22cdd427f33c103f3bb97196f3f5

SHA1
899858046a50b3f09da3e171827f05716915e9d4

SHA256
07431b34360f27eddc9c960168f8559e01b332fdd2d744d3a6d5c7f7a5a01fc8

SHA512
80ebd70145e65f4ef715b0c5c7daedb4debdc74cd0144c24c75a8fe3a5ca19221b9f344486ef1a46c8127ca842fd67777758c68a7c5d2add3faae2ddd243d028

Download Submit
memory/324-84-0x00007FF723B80000-0x00007FF723F71000-memory.dmp

Filesize
3.9MB

Download
memory/324-2213-0x00007FF723B80000-0x00007FF723F71000-memory.dmp

Filesize
3.9MB

Download
memory/324-2009-0x00007FF723B80000-0x00007FF723F71000-memory.dmp

Filesize
3.9MB

Download
memory/456-89-0x00007FF675690000-0x00007FF675A81000-memory.dmp

Filesize
3.9MB

Download
memory/456-2010-0x00007FF675690000-0x00007FF675A81000-memory.dmp

Filesize
3.9MB

Download
memory/456-2073-0x00007FF675690000-0x00007FF675A81000-memory.dmp

Filesize
3.9MB

Download
memory/668-69-0x00007FF610680000-0x00007FF610A71000-memory.dmp

Filesize
3.9MB

Download
memory/668-2075-0x00007FF610680000-0x00007FF610A71000-memory.dmp

Filesize
3.9MB

Download
memory/668-2002-0x00007FF610680000-0x00007FF610A71000-memory.dmp

Filesize
3.9MB

Download
memory/1100-0-0x00007FF6ACC90000-0x00007FF6AD081000-memory.dmp

Filesize
3.9MB

Download
memory/1100-2040-0x00007FF6ACC90000-0x00007FF6AD081000-memory.dmp

Filesize
3.9MB

Download
memory/1100-405-0x00007FF6ACC90000-0x00007FF6AD081000-memory.dmp

Filesize
3.9MB

Download
memory/1100-1-0x0000021CC6460000-0x0000021CC6470000-memory.dmp

Filesize
64KB

Download
memory/1260-1999-0x00007FF6946B0000-0x00007FF694AA1000-memory.dmp

Filesize
3.9MB

Download
memory/1260-2069-0x00007FF6946B0000-0x00007FF694AA1000-memory.dmp

Filesize
3.9MB

Download
memory/1260-48-0x00007FF6946B0000-0x00007FF694AA1000-memory.dmp

Filesize
3.9MB

Download
memory/1284-100-0x00007FF64EEC0000-0x00007FF64F2B1000-memory.dmp

Filesize
3.9MB

Download
memory/1284-2085-0x00007FF64EEC0000-0x00007FF64F2B1000-memory.dmp

Filesize
3.9MB

Download
memory/1284-2044-0x00007FF64EEC0000-0x00007FF64F2B1000-memory.dmp

Filesize
3.9MB

Download
memory/1468-2081-0x00007FF7CA4C0000-0x00007FF7CA8B1000-memory.dmp

Filesize
3.9MB

Download
memory/1468-98-0x00007FF7CA4C0000-0x00007FF7CA8B1000-memory.dmp

Filesize
3.9MB

Download
memory/1468-2042-0x00007FF7CA4C0000-0x00007FF7CA8B1000-memory.dmp

Filesize
3.9MB

Download
memory/1488-93-0x00007FF77A370000-0x00007FF77A761000-memory.dmp

Filesize
3.9MB

Download
memory/1488-2079-0x00007FF77A370000-0x00007FF77A761000-memory.dmp

Filesize
3.9MB

Download
memory/1932-2087-0x00007FF70DBE0000-0x00007FF70DFD1000-memory.dmp

Filesize
3.9MB

Download
memory/1932-408-0x00007FF70DBE0000-0x00007FF70DFD1000-memory.dmp

Filesize
3.9MB

Download
memory/1948-2001-0x00007FF7D5990000-0x00007FF7D5D81000-memory.dmp

Filesize
3.9MB

Download
memory/1948-2065-0x00007FF7D5990000-0x00007FF7D5D81000-memory.dmp

Filesize
3.9MB

Download
memory/1948-60-0x00007FF7D5990000-0x00007FF7D5D81000-memory.dmp

Filesize
3.9MB

Download
memory/2092-37-0x00007FF7E0DB0000-0x00007FF7E11A1000-memory.dmp

Filesize
3.9MB

Download
memory/2092-2059-0x00007FF7E0DB0000-0x00007FF7E11A1000-memory.dmp

Filesize
3.9MB

Download
memory/2416-2003-0x00007FF7D6B90000-0x00007FF7D6F81000-memory.dmp

Filesize
3.9MB

Download
memory/2416-81-0x00007FF7D6B90000-0x00007FF7D6F81000-memory.dmp

Filesize
3.9MB

Download
memory/2416-2071-0x00007FF7D6B90000-0x00007FF7D6F81000-memory.dmp

Filesize
3.9MB

Download
memory/2472-2000-0x00007FF74A150000-0x00007FF74A541000-memory.dmp

Filesize
3.9MB

Download
memory/2472-54-0x00007FF74A150000-0x00007FF74A541000-memory.dmp

Filesize
3.9MB

Download
memory/2472-2067-0x00007FF74A150000-0x00007FF74A541000-memory.dmp

Filesize
3.9MB

Download
memory/2720-2083-0x00007FF73DD40000-0x00007FF73E131000-memory.dmp

Filesize
3.9MB

Download
memory/2720-410-0x00007FF73DD40000-0x00007FF73E131000-memory.dmp

Filesize
3.9MB

Download
memory/2824-2063-0x00007FF718B70000-0x00007FF718F61000-memory.dmp

Filesize
3.9MB

Download
memory/2824-40-0x00007FF718B70000-0x00007FF718F61000-memory.dmp

Filesize
3.9MB

Download
memory/3260-2089-0x00007FF7BC320000-0x00007FF7BC711000-memory.dmp

Filesize
3.9MB

Download
memory/3260-409-0x00007FF7BC320000-0x00007FF7BC711000-memory.dmp

Filesize
3.9MB

Download
memory/3464-414-0x00007FF6EC1C0000-0x00007FF6EC5B1000-memory.dmp

Filesize
3.9MB

Download
memory/3464-2097-0x00007FF6EC1C0000-0x00007FF6EC5B1000-memory.dmp

Filesize
3.9MB

Download
memory/3508-1165-0x00007FF60B5E0000-0x00007FF60B9D1000-memory.dmp

Filesize
3.9MB

Download
memory/3508-23-0x00007FF60B5E0000-0x00007FF60B9D1000-memory.dmp

Filesize
3.9MB

Download
memory/3508-2058-0x00007FF60B5E0000-0x00007FF60B9D1000-memory.dmp

Filesize
3.9MB

Download
memory/3624-2091-0x00007FF724CD0000-0x00007FF7250C1000-memory.dmp

Filesize
3.9MB

Download
memory/3624-411-0x00007FF724CD0000-0x00007FF7250C1000-memory.dmp

Filesize
3.9MB

Download
memory/3944-2053-0x00007FF647A40000-0x00007FF647E31000-memory.dmp

Filesize
3.9MB

Download
memory/3944-18-0x00007FF647A40000-0x00007FF647E31000-memory.dmp

Filesize
3.9MB

Download
memory/3944-407-0x00007FF647A40000-0x00007FF647E31000-memory.dmp

Filesize
3.9MB

Download
memory/4216-2095-0x00007FF67F680000-0x00007FF67FA71000-memory.dmp

Filesize
3.9MB

Download
memory/4216-413-0x00007FF67F680000-0x00007FF67FA71000-memory.dmp

Filesize
3.9MB

Download
memory/4364-28-0x00007FF71F790000-0x00007FF71FB81000-memory.dmp

Filesize
3.9MB

Download
memory/4364-2055-0x00007FF71F790000-0x00007FF71FB81000-memory.dmp

Filesize
3.9MB

Download
memory/4532-25-0x00007FF6AFCB0000-0x00007FF6B00A1000-memory.dmp

Filesize
3.9MB

Download
memory/4532-2061-0x00007FF6AFCB0000-0x00007FF6B00A1000-memory.dmp

Filesize
3.9MB

Download
memory/4760-412-0x00007FF785420000-0x00007FF785811000-memory.dmp

Filesize
3.9MB

Download
memory/4760-2093-0x00007FF785420000-0x00007FF785811000-memory.dmp

Filesize
3.9MB

Download
memory/4884-2077-0x00007FF6A2F00000-0x00007FF6A32F1000-memory.dmp

Filesize
3.9MB

Download
memory/4884-2013-0x00007FF6A2F00000-0x00007FF6A32F1000-memory.dmp

Filesize
3.9MB

Download
memory/4884-90-0x00007FF6A2F00000-0x00007FF6A32F1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads