xmrig | 53038d25fc2e91b73f457a281ce9f1ab6ec4b7df8192264ce05ec4f5bc6a2e42

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111f6a3441cc0f04cfc7760ef6af7da0N.exe
Size

936KB
MD5

111f6a3441cc0f04cfc7760ef6af7da0
SHA1

e8a6b26a523a4330d16e3a6d4dcc4b25447eb67e
SHA256

53038d25fc2e91b73f457a281ce9f1ab6ec4b7df8192264ce05ec4f5bc6a2e42
SHA512

7114b7fa5dd22b047068190d0e231cd9f785eb6b0d17fe4149c30dea19444af947e9e9ef2371e2a248b1240fa53043da62bfb7c9e9cfca57be6bbdb2b36689a6
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmhVm72:knw9oUUEEDl37jcmhV82

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/2732-27-0x00007FF6A79A0000-0x00007FF6A7D91000-memory.dmp	xmrig
behavioral2/memory/1916-333-0x00007FF671650000-0x00007FF671A41000-memory.dmp	xmrig
behavioral2/memory/1948-343-0x00007FF728840000-0x00007FF728C31000-memory.dmp	xmrig
behavioral2/memory/224-332-0x00007FF7C68D0000-0x00007FF7C6CC1000-memory.dmp	xmrig
behavioral2/memory/2880-328-0x00007FF7E56B0000-0x00007FF7E5AA1000-memory.dmp	xmrig
behavioral2/memory/2316-348-0x00007FF79EAA0000-0x00007FF79EE91000-memory.dmp	xmrig
behavioral2/memory/216-350-0x00007FF654C10000-0x00007FF655001000-memory.dmp	xmrig
behavioral2/memory/1108-352-0x00007FF768AB0000-0x00007FF768EA1000-memory.dmp	xmrig
behavioral2/memory/1708-366-0x00007FF6E6A30000-0x00007FF6E6E21000-memory.dmp	xmrig
behavioral2/memory/4076-365-0x00007FF618270000-0x00007FF618661000-memory.dmp	xmrig
behavioral2/memory/5024-360-0x00007FF65CE20000-0x00007FF65D211000-memory.dmp	xmrig
behavioral2/memory/2868-358-0x00007FF694700000-0x00007FF694AF1000-memory.dmp	xmrig
behavioral2/memory/4628-372-0x00007FF6D8B90000-0x00007FF6D8F81000-memory.dmp	xmrig
behavioral2/memory/4980-371-0x00007FF6492E0000-0x00007FF6496D1000-memory.dmp	xmrig
behavioral2/memory/5008-374-0x00007FF673BF0000-0x00007FF673FE1000-memory.dmp	xmrig
behavioral2/memory/4780-377-0x00007FF65DD90000-0x00007FF65E181000-memory.dmp	xmrig
behavioral2/memory/1320-388-0x00007FF6BBB50000-0x00007FF6BBF41000-memory.dmp	xmrig
behavioral2/memory/5040-392-0x00007FF754330000-0x00007FF754721000-memory.dmp	xmrig
behavioral2/memory/3680-390-0x00007FF6646F0000-0x00007FF664AE1000-memory.dmp	xmrig
behavioral2/memory/1556-383-0x00007FF60C5D0000-0x00007FF60C9C1000-memory.dmp	xmrig
behavioral2/memory/3196-1995-0x00007FF7BFF70000-0x00007FF7C0361000-memory.dmp	xmrig
behavioral2/memory/1588-1997-0x00007FF7BEDC0000-0x00007FF7BF1B1000-memory.dmp	xmrig
behavioral2/memory/3248-1996-0x00007FF6FF680000-0x00007FF6FFA71000-memory.dmp	xmrig
behavioral2/memory/4684-2012-0x00007FF6C66B0000-0x00007FF6C6AA1000-memory.dmp	xmrig
behavioral2/memory/3196-2018-0x00007FF7BFF70000-0x00007FF7C0361000-memory.dmp	xmrig
behavioral2/memory/2732-2039-0x00007FF6A79A0000-0x00007FF6A7D91000-memory.dmp	xmrig
behavioral2/memory/1108-2070-0x00007FF768AB0000-0x00007FF768EA1000-memory.dmp	xmrig
behavioral2/memory/1916-2068-0x00007FF671650000-0x00007FF671A41000-memory.dmp	xmrig
behavioral2/memory/216-2080-0x00007FF654C10000-0x00007FF655001000-memory.dmp	xmrig
behavioral2/memory/1320-2098-0x00007FF6BBB50000-0x00007FF6BBF41000-memory.dmp	xmrig
behavioral2/memory/3680-2096-0x00007FF6646F0000-0x00007FF664AE1000-memory.dmp	xmrig
behavioral2/memory/4780-2086-0x00007FF65DD90000-0x00007FF65E181000-memory.dmp	xmrig
behavioral2/memory/1556-2092-0x00007FF60C5D0000-0x00007FF60C9C1000-memory.dmp	xmrig
behavioral2/memory/4980-2090-0x00007FF6492E0000-0x00007FF6496D1000-memory.dmp	xmrig
behavioral2/memory/5008-2088-0x00007FF673BF0000-0x00007FF673FE1000-memory.dmp	xmrig
behavioral2/memory/1708-2079-0x00007FF6E6A30000-0x00007FF6E6E21000-memory.dmp	xmrig
behavioral2/memory/5024-2077-0x00007FF65CE20000-0x00007FF65D211000-memory.dmp	xmrig
behavioral2/memory/4076-2084-0x00007FF618270000-0x00007FF618661000-memory.dmp	xmrig
behavioral2/memory/4628-2083-0x00007FF6D8B90000-0x00007FF6D8F81000-memory.dmp	xmrig
behavioral2/memory/2868-2074-0x00007FF694700000-0x00007FF694AF1000-memory.dmp	xmrig
behavioral2/memory/1588-2066-0x00007FF7BEDC0000-0x00007FF7BF1B1000-memory.dmp	xmrig
behavioral2/memory/1948-2064-0x00007FF728840000-0x00007FF728C31000-memory.dmp	xmrig
behavioral2/memory/4684-2062-0x00007FF6C66B0000-0x00007FF6C6AA1000-memory.dmp	xmrig
behavioral2/memory/5040-2060-0x00007FF754330000-0x00007FF754721000-memory.dmp	xmrig
behavioral2/memory/224-2059-0x00007FF7C68D0000-0x00007FF7C6CC1000-memory.dmp	xmrig
behavioral2/memory/2316-2072-0x00007FF79EAA0000-0x00007FF79EE91000-memory.dmp	xmrig
behavioral2/memory/2880-2056-0x00007FF7E56B0000-0x00007FF7E5AA1000-memory.dmp	xmrig
behavioral2/memory/3248-2041-0x00007FF6FF680000-0x00007FF6FFA71000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3196	HOqSTwm.exe
3248	WmTZYCq.exe
2732	isEsrwM.exe
1588	XfKDFRL.exe
4684	tBRoCuH.exe
2880	wsuSHel.exe
5040	kGEZWZM.exe
224	TuVqZKO.exe
1916	GfgKIJm.exe
1948	qeetuOw.exe
2316	ZjGooPK.exe
216	JFeJKsP.exe
1108	wkmVvau.exe
2868	rxPMmFJ.exe
5024	AQHWwPs.exe
4076	bBpJfRu.exe
1708	OJRARgU.exe
4980	wxSPUOC.exe
4628	cgGDOMD.exe
5008	lqcAjvq.exe
4780	IPicZxi.exe
1556	tZFLwTc.exe
1320	TJUmbBB.exe
3680	HgaOrVB.exe
4288	eTPYIFw.exe
3220	WVAeOqq.exe
4848	viGxDtF.exe
624	xOxHMyL.exe
2604	tgZbehR.exe
720	DBjgERE.exe
2136	NUowLrZ.exe
1160	vmQcZtp.exe
5076	TckfrIW.exe
1628	brQTXpS.exe
3888	FXjueZX.exe
3236	lYyEpBj.exe
4572	oZicQGH.exe
4476	hRCsxsR.exe
2196	PccZTge.exe
2332	BBkvVGA.exe
4512	LMudvOE.exe
1068	xoZXCOY.exe
4344	hDfbPlD.exe
4412	wYqgSll.exe
2308	XZMPrgi.exe
2252	GKzTSCW.exe
3776	jutEiYV.exe
4644	rlboYCi.exe
208	LCTWInY.exe
1428	MFXTYpk.exe
4428	XOlsvtW.exe
676	OzlqDnq.exe
1568	CAFEemk.exe
1048	xIxJFgv.exe
2752	MtZAsJm.exe
4976	niEtfUK.exe
2312	grTXZJn.exe
740	nGBitWc.exe
4440	ctsjhOX.exe
4632	UdEDieP.exe
4032	KDlvGuv.exe
2664	gLzXQfc.exe
3280	pKfCLrh.exe
4108	dbtzdPM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3148-0-0x00007FF7CE2C0000-0x00007FF7CE6B1000-memory.dmp	upx
behavioral2/files/0x0008000000023440-4.dat	upx
behavioral2/files/0x0007000000023446-17.dat	upx
behavioral2/files/0x0007000000023447-20.dat	upx
behavioral2/files/0x0007000000023445-22.dat	upx
behavioral2/memory/2732-27-0x00007FF6A79A0000-0x00007FF6A7D91000-memory.dmp	upx
behavioral2/files/0x0007000000023449-40.dat	upx
behavioral2/files/0x000700000002344b-50.dat	upx
behavioral2/files/0x000700000002344c-55.dat	upx
behavioral2/files/0x000700000002344e-63.dat	upx
behavioral2/files/0x0007000000023452-85.dat	upx
behavioral2/files/0x0007000000023455-100.dat	upx
behavioral2/files/0x0007000000023457-110.dat	upx
behavioral2/files/0x000700000002345c-135.dat	upx
behavioral2/files/0x0007000000023461-160.dat	upx
behavioral2/memory/4684-323-0x00007FF6C66B0000-0x00007FF6C6AA1000-memory.dmp	upx
behavioral2/memory/1916-333-0x00007FF671650000-0x00007FF671A41000-memory.dmp	upx
behavioral2/memory/1948-343-0x00007FF728840000-0x00007FF728C31000-memory.dmp	upx
behavioral2/memory/224-332-0x00007FF7C68D0000-0x00007FF7C6CC1000-memory.dmp	upx
behavioral2/memory/2880-328-0x00007FF7E56B0000-0x00007FF7E5AA1000-memory.dmp	upx
behavioral2/files/0x0007000000023462-165.dat	upx
behavioral2/files/0x0007000000023460-155.dat	upx
behavioral2/files/0x000700000002345f-153.dat	upx
behavioral2/files/0x000700000002345e-145.dat	upx
behavioral2/files/0x000700000002345d-143.dat	upx
behavioral2/files/0x000700000002345b-130.dat	upx
behavioral2/files/0x000700000002345a-125.dat	upx
behavioral2/files/0x0007000000023459-120.dat	upx
behavioral2/files/0x0007000000023458-115.dat	upx
behavioral2/files/0x0007000000023456-105.dat	upx
behavioral2/files/0x0007000000023454-95.dat	upx
behavioral2/files/0x0007000000023453-90.dat	upx
behavioral2/files/0x0007000000023451-80.dat	upx
behavioral2/files/0x0007000000023450-75.dat	upx
behavioral2/files/0x000700000002344f-73.dat	upx
behavioral2/files/0x000700000002344d-60.dat	upx
behavioral2/memory/2316-348-0x00007FF79EAA0000-0x00007FF79EE91000-memory.dmp	upx
behavioral2/memory/216-350-0x00007FF654C10000-0x00007FF655001000-memory.dmp	upx
behavioral2/files/0x000700000002344a-45.dat	upx
behavioral2/files/0x0007000000023448-35.dat	upx
behavioral2/memory/1588-30-0x00007FF7BEDC0000-0x00007FF7BF1B1000-memory.dmp	upx
behavioral2/memory/3248-26-0x00007FF6FF680000-0x00007FF6FFA71000-memory.dmp	upx
behavioral2/memory/1108-352-0x00007FF768AB0000-0x00007FF768EA1000-memory.dmp	upx
behavioral2/files/0x0007000000023444-21.dat	upx
behavioral2/memory/3196-14-0x00007FF7BFF70000-0x00007FF7C0361000-memory.dmp	upx
behavioral2/memory/1708-366-0x00007FF6E6A30000-0x00007FF6E6E21000-memory.dmp	upx
behavioral2/memory/4076-365-0x00007FF618270000-0x00007FF618661000-memory.dmp	upx
behavioral2/memory/5024-360-0x00007FF65CE20000-0x00007FF65D211000-memory.dmp	upx
behavioral2/memory/2868-358-0x00007FF694700000-0x00007FF694AF1000-memory.dmp	upx
behavioral2/memory/4628-372-0x00007FF6D8B90000-0x00007FF6D8F81000-memory.dmp	upx
behavioral2/memory/4980-371-0x00007FF6492E0000-0x00007FF6496D1000-memory.dmp	upx
behavioral2/memory/5008-374-0x00007FF673BF0000-0x00007FF673FE1000-memory.dmp	upx
behavioral2/memory/4780-377-0x00007FF65DD90000-0x00007FF65E181000-memory.dmp	upx
behavioral2/memory/1320-388-0x00007FF6BBB50000-0x00007FF6BBF41000-memory.dmp	upx
behavioral2/memory/5040-392-0x00007FF754330000-0x00007FF754721000-memory.dmp	upx
behavioral2/memory/3680-390-0x00007FF6646F0000-0x00007FF664AE1000-memory.dmp	upx
behavioral2/memory/1556-383-0x00007FF60C5D0000-0x00007FF60C9C1000-memory.dmp	upx
behavioral2/memory/3196-1995-0x00007FF7BFF70000-0x00007FF7C0361000-memory.dmp	upx
behavioral2/memory/1588-1997-0x00007FF7BEDC0000-0x00007FF7BF1B1000-memory.dmp	upx
behavioral2/memory/3248-1996-0x00007FF6FF680000-0x00007FF6FFA71000-memory.dmp	upx
behavioral2/memory/4684-2012-0x00007FF6C66B0000-0x00007FF6C6AA1000-memory.dmp	upx
behavioral2/memory/3196-2018-0x00007FF7BFF70000-0x00007FF7C0361000-memory.dmp	upx
behavioral2/memory/2732-2039-0x00007FF6A79A0000-0x00007FF6A7D91000-memory.dmp	upx
behavioral2/memory/1108-2070-0x00007FF768AB0000-0x00007FF768EA1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\tyUldYO.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\HIbSnhY.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\dbtzdPM.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\yvrZTvf.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\tVQDKNg.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\GeYqCLX.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\aerYRTY.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\WFoPtvJ.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\HsudvBB.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\FWMHvtP.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\yKmkGXh.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\laFEYxd.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\NRVfJPn.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\cDPBCXZ.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\xZiLKHO.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\qtDBxRl.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\yscJqrg.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\tppgQay.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\rdRFvCA.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\xlBWSEd.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\jdynPHa.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\eOsDvAL.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\RyigxCx.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\jutEiYV.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\vpJUtkI.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\VkGCXxr.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\mKxaZpW.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\tkVQfdk.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\IusAATv.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\ZjGooPK.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\QeOnnMe.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\BWacmWK.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\PwsKoEe.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\tLzJJIp.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\fhbLoQi.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\zRYgUOV.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\zHHEgeR.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\BGPTKXr.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\WPaGLQu.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\TJUmbBB.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\CAFEemk.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\XbsYqkZ.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\fWoEdLX.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\VcVDjAV.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\TVOtxtb.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\oHTkNxc.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\fZJuEDi.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\orIKmVm.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\niEtfUK.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\pqczUjE.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\RkBQslA.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\zeUMFec.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\ePZujrW.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\frngwVA.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\uTaRHLm.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\fzcoXxx.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\YIOVubK.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\GmGEwOv.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\GQxTKRs.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\RzwdilJ.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\oYTCiFJ.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\cvnNbHY.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\AWdyAHQ.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe
File created	C:\Windows\System32\XUErKKR.exe	111f6a3441cc0f04cfc7760ef6af7da0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12732	dwm.exe
Token: SeChangeNotifyPrivilege	12732	dwm.exe
Token: 33	12732	dwm.exe
Token: SeIncBasePriorityPrivilege	12732	dwm.exe
Token: SeShutdownPrivilege	12732	dwm.exe
Token: SeCreatePagefilePrivilege	12732	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3196	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	85
PID 3148 wrote to memory of 3196	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	85
PID 3148 wrote to memory of 3248	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	86
PID 3148 wrote to memory of 3248	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	86
PID 3148 wrote to memory of 2732	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	87
PID 3148 wrote to memory of 2732	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	87
PID 3148 wrote to memory of 1588	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	88
PID 3148 wrote to memory of 1588	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	88
PID 3148 wrote to memory of 4684	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	89
PID 3148 wrote to memory of 4684	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	89
PID 3148 wrote to memory of 2880	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	90
PID 3148 wrote to memory of 2880	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	90
PID 3148 wrote to memory of 5040	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	91
PID 3148 wrote to memory of 5040	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	91
PID 3148 wrote to memory of 224	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	92
PID 3148 wrote to memory of 224	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	92
PID 3148 wrote to memory of 1916	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	93
PID 3148 wrote to memory of 1916	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	93
PID 3148 wrote to memory of 1948	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	94
PID 3148 wrote to memory of 1948	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	94
PID 3148 wrote to memory of 2316	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	95
PID 3148 wrote to memory of 2316	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	95
PID 3148 wrote to memory of 216	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	96
PID 3148 wrote to memory of 216	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	96
PID 3148 wrote to memory of 1108	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	97
PID 3148 wrote to memory of 1108	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	97
PID 3148 wrote to memory of 2868	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	98
PID 3148 wrote to memory of 2868	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	98
PID 3148 wrote to memory of 5024	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	99
PID 3148 wrote to memory of 5024	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	99
PID 3148 wrote to memory of 4076	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	100
PID 3148 wrote to memory of 4076	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	100
PID 3148 wrote to memory of 1708	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	101
PID 3148 wrote to memory of 1708	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	101
PID 3148 wrote to memory of 4980	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	102
PID 3148 wrote to memory of 4980	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	102
PID 3148 wrote to memory of 4628	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	103
PID 3148 wrote to memory of 4628	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	103
PID 3148 wrote to memory of 5008	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	104
PID 3148 wrote to memory of 5008	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	104
PID 3148 wrote to memory of 4780	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	105
PID 3148 wrote to memory of 4780	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	105
PID 3148 wrote to memory of 1556	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	106
PID 3148 wrote to memory of 1556	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	106
PID 3148 wrote to memory of 1320	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	107
PID 3148 wrote to memory of 1320	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	107
PID 3148 wrote to memory of 3680	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	108
PID 3148 wrote to memory of 3680	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	108
PID 3148 wrote to memory of 4288	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	109
PID 3148 wrote to memory of 4288	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	109
PID 3148 wrote to memory of 3220	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	110
PID 3148 wrote to memory of 3220	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	110
PID 3148 wrote to memory of 4848	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	111
PID 3148 wrote to memory of 4848	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	111
PID 3148 wrote to memory of 624	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	112
PID 3148 wrote to memory of 624	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	112
PID 3148 wrote to memory of 2604	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	113
PID 3148 wrote to memory of 2604	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	113
PID 3148 wrote to memory of 720	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	114
PID 3148 wrote to memory of 720	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	114
PID 3148 wrote to memory of 2136	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	115
PID 3148 wrote to memory of 2136	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	115
PID 3148 wrote to memory of 1160	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	116
PID 3148 wrote to memory of 1160	3148	111f6a3441cc0f04cfc7760ef6af7da0N.exe	116

C:\Users\Admin\AppData\Local\Temp\111f6a3441cc0f04cfc7760ef6af7da0N.exe
"C:\Users\Admin\AppData\Local\Temp\111f6a3441cc0f04cfc7760ef6af7da0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\System32\HOqSTwm.exe
  C:\Windows\System32\HOqSTwm.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\WmTZYCq.exe
  C:\Windows\System32\WmTZYCq.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System32\isEsrwM.exe
  C:\Windows\System32\isEsrwM.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System32\XfKDFRL.exe
  C:\Windows\System32\XfKDFRL.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\tBRoCuH.exe
  C:\Windows\System32\tBRoCuH.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\wsuSHel.exe
  C:\Windows\System32\wsuSHel.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System32\kGEZWZM.exe
  C:\Windows\System32\kGEZWZM.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\TuVqZKO.exe
  C:\Windows\System32\TuVqZKO.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System32\GfgKIJm.exe
  C:\Windows\System32\GfgKIJm.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\qeetuOw.exe
  C:\Windows\System32\qeetuOw.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System32\ZjGooPK.exe
  C:\Windows\System32\ZjGooPK.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\JFeJKsP.exe
  C:\Windows\System32\JFeJKsP.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System32\wkmVvau.exe
  C:\Windows\System32\wkmVvau.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System32\rxPMmFJ.exe
  C:\Windows\System32\rxPMmFJ.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\AQHWwPs.exe
  C:\Windows\System32\AQHWwPs.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System32\bBpJfRu.exe
  C:\Windows\System32\bBpJfRu.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\OJRARgU.exe
  C:\Windows\System32\OJRARgU.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System32\wxSPUOC.exe
  C:\Windows\System32\wxSPUOC.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\cgGDOMD.exe
  C:\Windows\System32\cgGDOMD.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\lqcAjvq.exe
  C:\Windows\System32\lqcAjvq.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\IPicZxi.exe
  C:\Windows\System32\IPicZxi.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\tZFLwTc.exe
  C:\Windows\System32\tZFLwTc.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System32\TJUmbBB.exe
  C:\Windows\System32\TJUmbBB.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System32\HgaOrVB.exe
  C:\Windows\System32\HgaOrVB.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System32\eTPYIFw.exe
  C:\Windows\System32\eTPYIFw.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\WVAeOqq.exe
  C:\Windows\System32\WVAeOqq.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\viGxDtF.exe
  C:\Windows\System32\viGxDtF.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\xOxHMyL.exe
  C:\Windows\System32\xOxHMyL.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\tgZbehR.exe
  C:\Windows\System32\tgZbehR.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System32\DBjgERE.exe
  C:\Windows\System32\DBjgERE.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System32\NUowLrZ.exe
  C:\Windows\System32\NUowLrZ.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System32\vmQcZtp.exe
  C:\Windows\System32\vmQcZtp.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\TckfrIW.exe
  C:\Windows\System32\TckfrIW.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System32\brQTXpS.exe
  C:\Windows\System32\brQTXpS.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System32\FXjueZX.exe
  C:\Windows\System32\FXjueZX.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System32\lYyEpBj.exe
  C:\Windows\System32\lYyEpBj.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\oZicQGH.exe
  C:\Windows\System32\oZicQGH.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\hRCsxsR.exe
  C:\Windows\System32\hRCsxsR.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\PccZTge.exe
  C:\Windows\System32\PccZTge.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System32\BBkvVGA.exe
  C:\Windows\System32\BBkvVGA.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System32\LMudvOE.exe
  C:\Windows\System32\LMudvOE.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\xoZXCOY.exe
  C:\Windows\System32\xoZXCOY.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System32\hDfbPlD.exe
  C:\Windows\System32\hDfbPlD.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\wYqgSll.exe
  C:\Windows\System32\wYqgSll.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\XZMPrgi.exe
  C:\Windows\System32\XZMPrgi.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System32\GKzTSCW.exe
  C:\Windows\System32\GKzTSCW.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System32\jutEiYV.exe
  C:\Windows\System32\jutEiYV.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\rlboYCi.exe
  C:\Windows\System32\rlboYCi.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\LCTWInY.exe
  C:\Windows\System32\LCTWInY.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System32\MFXTYpk.exe
  C:\Windows\System32\MFXTYpk.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\XOlsvtW.exe
  C:\Windows\System32\XOlsvtW.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System32\OzlqDnq.exe
  C:\Windows\System32\OzlqDnq.exe
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\System32\CAFEemk.exe
  C:\Windows\System32\CAFEemk.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System32\xIxJFgv.exe
  C:\Windows\System32\xIxJFgv.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System32\MtZAsJm.exe
  C:\Windows\System32\MtZAsJm.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\niEtfUK.exe
  C:\Windows\System32\niEtfUK.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\grTXZJn.exe
  C:\Windows\System32\grTXZJn.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System32\nGBitWc.exe
  C:\Windows\System32\nGBitWc.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\ctsjhOX.exe
  C:\Windows\System32\ctsjhOX.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\UdEDieP.exe
  C:\Windows\System32\UdEDieP.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\KDlvGuv.exe
  C:\Windows\System32\KDlvGuv.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\gLzXQfc.exe
  C:\Windows\System32\gLzXQfc.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System32\pKfCLrh.exe
  C:\Windows\System32\pKfCLrh.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\dbtzdPM.exe
  C:\Windows\System32\dbtzdPM.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\jdynPHa.exe
  C:\Windows\System32\jdynPHa.exe
  2⤵
  PID:4756
- C:\Windows\System32\jQVzDMg.exe
  C:\Windows\System32\jQVzDMg.exe
  2⤵
  PID:4552
- C:\Windows\System32\TEhGvVQ.exe
  C:\Windows\System32\TEhGvVQ.exe
  2⤵
  PID:2596
- C:\Windows\System32\TruqUou.exe
  C:\Windows\System32\TruqUou.exe
  2⤵
  PID:4008
- C:\Windows\System32\VPpFGQL.exe
  C:\Windows\System32\VPpFGQL.exe
  2⤵
  PID:2184
- C:\Windows\System32\TwHnzFs.exe
  C:\Windows\System32\TwHnzFs.exe
  2⤵
  PID:1800
- C:\Windows\System32\RDgFbsV.exe
  C:\Windows\System32\RDgFbsV.exe
  2⤵
  PID:2116
- C:\Windows\System32\zRYgUOV.exe
  C:\Windows\System32\zRYgUOV.exe
  2⤵
  PID:4020
- C:\Windows\System32\asdCuny.exe
  C:\Windows\System32\asdCuny.exe
  2⤵
  PID:2780
- C:\Windows\System32\pqczUjE.exe
  C:\Windows\System32\pqczUjE.exe
  2⤵
  PID:4956
- C:\Windows\System32\LMCTvBQ.exe
  C:\Windows\System32\LMCTvBQ.exe
  2⤵
  PID:4904
- C:\Windows\System32\WyDYNrp.exe
  C:\Windows\System32\WyDYNrp.exe
  2⤵
  PID:4452
- C:\Windows\System32\RkBQslA.exe
  C:\Windows\System32\RkBQslA.exe
  2⤵
  PID:1176
- C:\Windows\System32\uCQySaT.exe
  C:\Windows\System32\uCQySaT.exe
  2⤵
  PID:4380
- C:\Windows\System32\xxOORLP.exe
  C:\Windows\System32\xxOORLP.exe
  2⤵
  PID:648
- C:\Windows\System32\iexavDS.exe
  C:\Windows\System32\iexavDS.exe
  2⤵
  PID:1660
- C:\Windows\System32\zHHEgeR.exe
  C:\Windows\System32\zHHEgeR.exe
  2⤵
  PID:900
- C:\Windows\System32\dCRAyda.exe
  C:\Windows\System32\dCRAyda.exe
  2⤵
  PID:5092
- C:\Windows\System32\naFRvYo.exe
  C:\Windows\System32\naFRvYo.exe
  2⤵
  PID:3988
- C:\Windows\System32\dYhEDsn.exe
  C:\Windows\System32\dYhEDsn.exe
  2⤵
  PID:2576
- C:\Windows\System32\cMVkijk.exe
  C:\Windows\System32\cMVkijk.exe
  2⤵
  PID:4180
- C:\Windows\System32\ykgjceP.exe
  C:\Windows\System32\ykgjceP.exe
  2⤵
  PID:1148
- C:\Windows\System32\nHoBpVc.exe
  C:\Windows\System32\nHoBpVc.exe
  2⤵
  PID:2636
- C:\Windows\System32\STNeFBk.exe
  C:\Windows\System32\STNeFBk.exe
  2⤵
  PID:1988
- C:\Windows\System32\RhbnPAl.exe
  C:\Windows\System32\RhbnPAl.exe
  2⤵
  PID:3116
- C:\Windows\System32\SqAgwZa.exe
  C:\Windows\System32\SqAgwZa.exe
  2⤵
  PID:4364
- C:\Windows\System32\CwTwlgD.exe
  C:\Windows\System32\CwTwlgD.exe
  2⤵
  PID:1420
- C:\Windows\System32\kLxlcmb.exe
  C:\Windows\System32\kLxlcmb.exe
  2⤵
  PID:3028
- C:\Windows\System32\lscQeMO.exe
  C:\Windows\System32\lscQeMO.exe
  2⤵
  PID:4844
- C:\Windows\System32\IOjqeDH.exe
  C:\Windows\System32\IOjqeDH.exe
  2⤵
  PID:944
- C:\Windows\System32\aliajfU.exe
  C:\Windows\System32\aliajfU.exe
  2⤵
  PID:4104
- C:\Windows\System32\BGPTKXr.exe
  C:\Windows\System32\BGPTKXr.exe
  2⤵
  PID:1100
- C:\Windows\System32\QESYhYh.exe
  C:\Windows\System32\QESYhYh.exe
  2⤵
  PID:3684
- C:\Windows\System32\KLeAiuf.exe
  C:\Windows\System32\KLeAiuf.exe
  2⤵
  PID:5068
- C:\Windows\System32\UpOAuly.exe
  C:\Windows\System32\UpOAuly.exe
  2⤵
  PID:4376
- C:\Windows\System32\GZcbxFV.exe
  C:\Windows\System32\GZcbxFV.exe
  2⤵
  PID:4924
- C:\Windows\System32\sizUZht.exe
  C:\Windows\System32\sizUZht.exe
  2⤵
  PID:2564
- C:\Windows\System32\JdNpvFa.exe
  C:\Windows\System32\JdNpvFa.exe
  2⤵
  PID:2000
- C:\Windows\System32\MEBOUXj.exe
  C:\Windows\System32\MEBOUXj.exe
  2⤵
  PID:1152
- C:\Windows\System32\myJlHEv.exe
  C:\Windows\System32\myJlHEv.exe
  2⤵
  PID:3444
- C:\Windows\System32\zIueZTc.exe
  C:\Windows\System32\zIueZTc.exe
  2⤵
  PID:5176
- C:\Windows\System32\AYwaKkq.exe
  C:\Windows\System32\AYwaKkq.exe
  2⤵
  PID:5204
- C:\Windows\System32\fLTwbIH.exe
  C:\Windows\System32\fLTwbIH.exe
  2⤵
  PID:5224
- C:\Windows\System32\rcHUyjw.exe
  C:\Windows\System32\rcHUyjw.exe
  2⤵
  PID:5256
- C:\Windows\System32\aLBanFI.exe
  C:\Windows\System32\aLBanFI.exe
  2⤵
  PID:5276
- C:\Windows\System32\oNHnmKQ.exe
  C:\Windows\System32\oNHnmKQ.exe
  2⤵
  PID:5304
- C:\Windows\System32\gpCTBHa.exe
  C:\Windows\System32\gpCTBHa.exe
  2⤵
  PID:5332
- C:\Windows\System32\WyQsNho.exe
  C:\Windows\System32\WyQsNho.exe
  2⤵
  PID:5372
- C:\Windows\System32\aVimWnz.exe
  C:\Windows\System32\aVimWnz.exe
  2⤵
  PID:5388
- C:\Windows\System32\LcMARiv.exe
  C:\Windows\System32\LcMARiv.exe
  2⤵
  PID:5428
- C:\Windows\System32\QeOnnMe.exe
  C:\Windows\System32\QeOnnMe.exe
  2⤵
  PID:5464
- C:\Windows\System32\aCzJZpW.exe
  C:\Windows\System32\aCzJZpW.exe
  2⤵
  PID:5480
- C:\Windows\System32\VIBSpYc.exe
  C:\Windows\System32\VIBSpYc.exe
  2⤵
  PID:5496
- C:\Windows\System32\bUJNDlk.exe
  C:\Windows\System32\bUJNDlk.exe
  2⤵
  PID:5516
- C:\Windows\System32\ElcBiaZ.exe
  C:\Windows\System32\ElcBiaZ.exe
  2⤵
  PID:5544
- C:\Windows\System32\AWdyAHQ.exe
  C:\Windows\System32\AWdyAHQ.exe
  2⤵
  PID:5584
- C:\Windows\System32\SzbMsct.exe
  C:\Windows\System32\SzbMsct.exe
  2⤵
  PID:5612
- C:\Windows\System32\PjVSMqh.exe
  C:\Windows\System32\PjVSMqh.exe
  2⤵
  PID:5652
- C:\Windows\System32\byydIiv.exe
  C:\Windows\System32\byydIiv.exe
  2⤵
  PID:5676
- C:\Windows\System32\CJsHuik.exe
  C:\Windows\System32\CJsHuik.exe
  2⤵
  PID:5696
- C:\Windows\System32\NmHFZno.exe
  C:\Windows\System32\NmHFZno.exe
  2⤵
  PID:5716
- C:\Windows\System32\sbbiBdk.exe
  C:\Windows\System32\sbbiBdk.exe
  2⤵
  PID:5732
- C:\Windows\System32\ojVYCKf.exe
  C:\Windows\System32\ojVYCKf.exe
  2⤵
  PID:5748
- C:\Windows\System32\fXpkAJn.exe
  C:\Windows\System32\fXpkAJn.exe
  2⤵
  PID:5768
- C:\Windows\System32\JpmLThz.exe
  C:\Windows\System32\JpmLThz.exe
  2⤵
  PID:5820
- C:\Windows\System32\VNhABXs.exe
  C:\Windows\System32\VNhABXs.exe
  2⤵
  PID:5860
- C:\Windows\System32\wgqUGwz.exe
  C:\Windows\System32\wgqUGwz.exe
  2⤵
  PID:5884
- C:\Windows\System32\BWacmWK.exe
  C:\Windows\System32\BWacmWK.exe
  2⤵
  PID:5936
- C:\Windows\System32\hcjEUJz.exe
  C:\Windows\System32\hcjEUJz.exe
  2⤵
  PID:5960
- C:\Windows\System32\MpYnWfb.exe
  C:\Windows\System32\MpYnWfb.exe
  2⤵
  PID:5976
- C:\Windows\System32\RakHkYY.exe
  C:\Windows\System32\RakHkYY.exe
  2⤵
  PID:5992
- C:\Windows\System32\SgsKFAc.exe
  C:\Windows\System32\SgsKFAc.exe
  2⤵
  PID:6012
- C:\Windows\System32\VXZQoAL.exe
  C:\Windows\System32\VXZQoAL.exe
  2⤵
  PID:6028
- C:\Windows\System32\wSABBlE.exe
  C:\Windows\System32\wSABBlE.exe
  2⤵
  PID:6076
- C:\Windows\System32\ZfrfUFC.exe
  C:\Windows\System32\ZfrfUFC.exe
  2⤵
  PID:6092
- C:\Windows\System32\EobhtOh.exe
  C:\Windows\System32\EobhtOh.exe
  2⤵
  PID:6108
- C:\Windows\System32\yNovUgF.exe
  C:\Windows\System32\yNovUgF.exe
  2⤵
  PID:6128
- C:\Windows\System32\XUErKKR.exe
  C:\Windows\System32\XUErKKR.exe
  2⤵
  PID:2716
- C:\Windows\System32\XFFYtrH.exe
  C:\Windows\System32\XFFYtrH.exe
  2⤵
  PID:1620
- C:\Windows\System32\NrDkhTS.exe
  C:\Windows\System32\NrDkhTS.exe
  2⤵
  PID:5240
- C:\Windows\System32\LrwPola.exe
  C:\Windows\System32\LrwPola.exe
  2⤵
  PID:5300
- C:\Windows\System32\vvVZTBZ.exe
  C:\Windows\System32\vvVZTBZ.exe
  2⤵
  PID:5348
- C:\Windows\System32\GXxcSpI.exe
  C:\Windows\System32\GXxcSpI.exe
  2⤵
  PID:5412
- C:\Windows\System32\PwsKoEe.exe
  C:\Windows\System32\PwsKoEe.exe
  2⤵
  PID:5472
- C:\Windows\System32\rsSEOnK.exe
  C:\Windows\System32\rsSEOnK.exe
  2⤵
  PID:5528
- C:\Windows\System32\VkGCXxr.exe
  C:\Windows\System32\VkGCXxr.exe
  2⤵
  PID:5608
- C:\Windows\System32\SqnUzyn.exe
  C:\Windows\System32\SqnUzyn.exe
  2⤵
  PID:5648
- C:\Windows\System32\ClRIRPe.exe
  C:\Windows\System32\ClRIRPe.exe
  2⤵
  PID:5708
- C:\Windows\System32\HImNyqT.exe
  C:\Windows\System32\HImNyqT.exe
  2⤵
  PID:5744
- C:\Windows\System32\ezhaRVV.exe
  C:\Windows\System32\ezhaRVV.exe
  2⤵
  PID:5852
- C:\Windows\System32\VcJEmpt.exe
  C:\Windows\System32\VcJEmpt.exe
  2⤵
  PID:5948
- C:\Windows\System32\xOMOtVw.exe
  C:\Windows\System32\xOMOtVw.exe
  2⤵
  PID:6000
- C:\Windows\System32\OMwWsQS.exe
  C:\Windows\System32\OMwWsQS.exe
  2⤵
  PID:6100
- C:\Windows\System32\IRCLPgf.exe
  C:\Windows\System32\IRCLPgf.exe
  2⤵
  PID:5156
- C:\Windows\System32\uEigAro.exe
  C:\Windows\System32\uEigAro.exe
  2⤵
  PID:2160
- C:\Windows\System32\rVQDyKR.exe
  C:\Windows\System32\rVQDyKR.exe
  2⤵
  PID:5328
- C:\Windows\System32\ftTIDRA.exe
  C:\Windows\System32\ftTIDRA.exe
  2⤵
  PID:5380
- C:\Windows\System32\eOsDvAL.exe
  C:\Windows\System32\eOsDvAL.exe
  2⤵
  PID:5668
- C:\Windows\System32\HOiKHbd.exe
  C:\Windows\System32\HOiKHbd.exe
  2⤵
  PID:5724
- C:\Windows\System32\RBhAmdE.exe
  C:\Windows\System32\RBhAmdE.exe
  2⤵
  PID:5760
- C:\Windows\System32\pHBksSu.exe
  C:\Windows\System32\pHBksSu.exe
  2⤵
  PID:5804
- C:\Windows\System32\oHTkNxc.exe
  C:\Windows\System32\oHTkNxc.exe
  2⤵
  PID:6060
- C:\Windows\System32\SFMuNWe.exe
  C:\Windows\System32\SFMuNWe.exe
  2⤵
  PID:5196
- C:\Windows\System32\kGXbHxt.exe
  C:\Windows\System32\kGXbHxt.exe
  2⤵
  PID:5596
- C:\Windows\System32\AJapXIy.exe
  C:\Windows\System32\AJapXIy.exe
  2⤵
  PID:5644
- C:\Windows\System32\QkoLgDH.exe
  C:\Windows\System32\QkoLgDH.exe
  2⤵
  PID:6188
- C:\Windows\System32\FGRPNEe.exe
  C:\Windows\System32\FGRPNEe.exe
  2⤵
  PID:6216
- C:\Windows\System32\kNLTKSN.exe
  C:\Windows\System32\kNLTKSN.exe
  2⤵
  PID:6280
- C:\Windows\System32\ZpnlyHQ.exe
  C:\Windows\System32\ZpnlyHQ.exe
  2⤵
  PID:6304
- C:\Windows\System32\cPDuPmT.exe
  C:\Windows\System32\cPDuPmT.exe
  2⤵
  PID:6332
- C:\Windows\System32\IdOBfhJ.exe
  C:\Windows\System32\IdOBfhJ.exe
  2⤵
  PID:6352
- C:\Windows\System32\RLKkome.exe
  C:\Windows\System32\RLKkome.exe
  2⤵
  PID:6372
- C:\Windows\System32\SmBcgbe.exe
  C:\Windows\System32\SmBcgbe.exe
  2⤵
  PID:6404
- C:\Windows\System32\bHTxgdi.exe
  C:\Windows\System32\bHTxgdi.exe
  2⤵
  PID:6444
- C:\Windows\System32\JBlyhUV.exe
  C:\Windows\System32\JBlyhUV.exe
  2⤵
  PID:6472
- C:\Windows\System32\pikrfwH.exe
  C:\Windows\System32\pikrfwH.exe
  2⤵
  PID:6496
- C:\Windows\System32\JHfBKtu.exe
  C:\Windows\System32\JHfBKtu.exe
  2⤵
  PID:6512
- C:\Windows\System32\fJZiZVi.exe
  C:\Windows\System32\fJZiZVi.exe
  2⤵
  PID:6540
- C:\Windows\System32\dTnlwWB.exe
  C:\Windows\System32\dTnlwWB.exe
  2⤵
  PID:6564
- C:\Windows\System32\yDgPbHN.exe
  C:\Windows\System32\yDgPbHN.exe
  2⤵
  PID:6580
- C:\Windows\System32\KFxzuWn.exe
  C:\Windows\System32\KFxzuWn.exe
  2⤵
  PID:6600
- C:\Windows\System32\sIHXiXW.exe
  C:\Windows\System32\sIHXiXW.exe
  2⤵
  PID:6632
- C:\Windows\System32\LflvSYO.exe
  C:\Windows\System32\LflvSYO.exe
  2⤵
  PID:6652
- C:\Windows\System32\eTCFnZN.exe
  C:\Windows\System32\eTCFnZN.exe
  2⤵
  PID:6692
- C:\Windows\System32\IkaESKr.exe
  C:\Windows\System32\IkaESKr.exe
  2⤵
  PID:6720
- C:\Windows\System32\bdtwTOg.exe
  C:\Windows\System32\bdtwTOg.exe
  2⤵
  PID:6764
- C:\Windows\System32\tLzJJIp.exe
  C:\Windows\System32\tLzJJIp.exe
  2⤵
  PID:6780
- C:\Windows\System32\lWObUJS.exe
  C:\Windows\System32\lWObUJS.exe
  2⤵
  PID:6836
- C:\Windows\System32\RHwmrfF.exe
  C:\Windows\System32\RHwmrfF.exe
  2⤵
  PID:6860
- C:\Windows\System32\GiyHtdz.exe
  C:\Windows\System32\GiyHtdz.exe
  2⤵
  PID:6880
- C:\Windows\System32\JPJiGNF.exe
  C:\Windows\System32\JPJiGNF.exe
  2⤵
  PID:6924
- C:\Windows\System32\CadJkIo.exe
  C:\Windows\System32\CadJkIo.exe
  2⤵
  PID:6956
- C:\Windows\System32\WopapLO.exe
  C:\Windows\System32\WopapLO.exe
  2⤵
  PID:6972
- C:\Windows\System32\IzzGGik.exe
  C:\Windows\System32\IzzGGik.exe
  2⤵
  PID:6992
- C:\Windows\System32\fWoEdLX.exe
  C:\Windows\System32\fWoEdLX.exe
  2⤵
  PID:7040
- C:\Windows\System32\eiQEFjS.exe
  C:\Windows\System32\eiQEFjS.exe
  2⤵
  PID:7060
- C:\Windows\System32\RzwdilJ.exe
  C:\Windows\System32\RzwdilJ.exe
  2⤵
  PID:7088
- C:\Windows\System32\fOxsUue.exe
  C:\Windows\System32\fOxsUue.exe
  2⤵
  PID:7108
- C:\Windows\System32\gTBXjCv.exe
  C:\Windows\System32\gTBXjCv.exe
  2⤵
  PID:7124
- C:\Windows\System32\IoeBFYG.exe
  C:\Windows\System32\IoeBFYG.exe
  2⤵
  PID:7148
- C:\Windows\System32\zBFiSWJ.exe
  C:\Windows\System32\zBFiSWJ.exe
  2⤵
  PID:5552
- C:\Windows\System32\CIszjih.exe
  C:\Windows\System32\CIszjih.exe
  2⤵
  PID:5868
- C:\Windows\System32\HeLOmLo.exe
  C:\Windows\System32\HeLOmLo.exe
  2⤵
  PID:5316
- C:\Windows\System32\ArdzxFI.exe
  C:\Windows\System32\ArdzxFI.exe
  2⤵
  PID:6224
- C:\Windows\System32\EpVxtLU.exe
  C:\Windows\System32\EpVxtLU.exe
  2⤵
  PID:6316
- C:\Windows\System32\kcKWmyT.exe
  C:\Windows\System32\kcKWmyT.exe
  2⤵
  PID:6344
- C:\Windows\System32\BVyUPMT.exe
  C:\Windows\System32\BVyUPMT.exe
  2⤵
  PID:6508
- C:\Windows\System32\fhbLoQi.exe
  C:\Windows\System32\fhbLoQi.exe
  2⤵
  PID:6520
- C:\Windows\System32\HDUdQUW.exe
  C:\Windows\System32\HDUdQUW.exe
  2⤵
  PID:6704
- C:\Windows\System32\fOzHXPA.exe
  C:\Windows\System32\fOzHXPA.exe
  2⤵
  PID:6748
- C:\Windows\System32\qXYoJaQ.exe
  C:\Windows\System32\qXYoJaQ.exe
  2⤵
  PID:6776
- C:\Windows\System32\uTaRHLm.exe
  C:\Windows\System32\uTaRHLm.exe
  2⤵
  PID:6856
- C:\Windows\System32\KpImNoC.exe
  C:\Windows\System32\KpImNoC.exe
  2⤵
  PID:6916
- C:\Windows\System32\TDLBnHo.exe
  C:\Windows\System32\TDLBnHo.exe
  2⤵
  PID:6952
- C:\Windows\System32\AZVRQkJ.exe
  C:\Windows\System32\AZVRQkJ.exe
  2⤵
  PID:6968
- C:\Windows\System32\EXyyqEr.exe
  C:\Windows\System32\EXyyqEr.exe
  2⤵
  PID:7052
- C:\Windows\System32\HEtdMmN.exe
  C:\Windows\System32\HEtdMmN.exe
  2⤵
  PID:7100
- C:\Windows\System32\RukSpdD.exe
  C:\Windows\System32\RukSpdD.exe
  2⤵
  PID:6160
- C:\Windows\System32\owGTZrq.exe
  C:\Windows\System32\owGTZrq.exe
  2⤵
  PID:6320
- C:\Windows\System32\xxGkLnN.exe
  C:\Windows\System32\xxGkLnN.exe
  2⤵
  PID:6504
- C:\Windows\System32\oYTCiFJ.exe
  C:\Windows\System32\oYTCiFJ.exe
  2⤵
  PID:6672
- C:\Windows\System32\tcctulu.exe
  C:\Windows\System32\tcctulu.exe
  2⤵
  PID:6588
- C:\Windows\System32\yvrZTvf.exe
  C:\Windows\System32\yvrZTvf.exe
  2⤵
  PID:6832
- C:\Windows\System32\TmCbGBY.exe
  C:\Windows\System32\TmCbGBY.exe
  2⤵
  PID:6948
- C:\Windows\System32\hIMpSJe.exe
  C:\Windows\System32\hIMpSJe.exe
  2⤵
  PID:7120
- C:\Windows\System32\VqoqKNz.exe
  C:\Windows\System32\VqoqKNz.exe
  2⤵
  PID:7076
- C:\Windows\System32\EZbIGxe.exe
  C:\Windows\System32\EZbIGxe.exe
  2⤵
  PID:6184
- C:\Windows\System32\ymrCGDL.exe
  C:\Windows\System32\ymrCGDL.exe
  2⤵
  PID:6872
- C:\Windows\System32\QcFfdFo.exe
  C:\Windows\System32\QcFfdFo.exe
  2⤵
  PID:6984
- C:\Windows\System32\bLuIQYg.exe
  C:\Windows\System32\bLuIQYg.exe
  2⤵
  PID:6596
- C:\Windows\System32\gmbRJac.exe
  C:\Windows\System32\gmbRJac.exe
  2⤵
  PID:7192
- C:\Windows\System32\UIZYiAK.exe
  C:\Windows\System32\UIZYiAK.exe
  2⤵
  PID:7220
- C:\Windows\System32\cvnNbHY.exe
  C:\Windows\System32\cvnNbHY.exe
  2⤵
  PID:7288
- C:\Windows\System32\WVGfXCr.exe
  C:\Windows\System32\WVGfXCr.exe
  2⤵
  PID:7320
- C:\Windows\System32\WbumCKF.exe
  C:\Windows\System32\WbumCKF.exe
  2⤵
  PID:7344
- C:\Windows\System32\knxRlge.exe
  C:\Windows\System32\knxRlge.exe
  2⤵
  PID:7360
- C:\Windows\System32\pMbdyfX.exe
  C:\Windows\System32\pMbdyfX.exe
  2⤵
  PID:7380
- C:\Windows\System32\yKDnSBs.exe
  C:\Windows\System32\yKDnSBs.exe
  2⤵
  PID:7396
- C:\Windows\System32\yAouFeE.exe
  C:\Windows\System32\yAouFeE.exe
  2⤵
  PID:7416
- C:\Windows\System32\KBljKFB.exe
  C:\Windows\System32\KBljKFB.exe
  2⤵
  PID:7432
- C:\Windows\System32\tPtcono.exe
  C:\Windows\System32\tPtcono.exe
  2⤵
  PID:7456
- C:\Windows\System32\xMIXmdq.exe
  C:\Windows\System32\xMIXmdq.exe
  2⤵
  PID:7512
- C:\Windows\System32\RDUHGBD.exe
  C:\Windows\System32\RDUHGBD.exe
  2⤵
  PID:7560
- C:\Windows\System32\QbUScqe.exe
  C:\Windows\System32\QbUScqe.exe
  2⤵
  PID:7592
- C:\Windows\System32\thXxFnb.exe
  C:\Windows\System32\thXxFnb.exe
  2⤵
  PID:7640
- C:\Windows\System32\gkJYShe.exe
  C:\Windows\System32\gkJYShe.exe
  2⤵
  PID:7656
- C:\Windows\System32\WvReaYA.exe
  C:\Windows\System32\WvReaYA.exe
  2⤵
  PID:7672
- C:\Windows\System32\sWcOoAA.exe
  C:\Windows\System32\sWcOoAA.exe
  2⤵
  PID:7692
- C:\Windows\System32\jNejZfO.exe
  C:\Windows\System32\jNejZfO.exe
  2⤵
  PID:7708
- C:\Windows\System32\UAzRUih.exe
  C:\Windows\System32\UAzRUih.exe
  2⤵
  PID:7736
- C:\Windows\System32\cQswcll.exe
  C:\Windows\System32\cQswcll.exe
  2⤵
  PID:7752
- C:\Windows\System32\XRIOLnk.exe
  C:\Windows\System32\XRIOLnk.exe
  2⤵
  PID:7768
- C:\Windows\System32\THOvjtY.exe
  C:\Windows\System32\THOvjtY.exe
  2⤵
  PID:7800
- C:\Windows\System32\sKcmHYW.exe
  C:\Windows\System32\sKcmHYW.exe
  2⤵
  PID:7828
- C:\Windows\System32\iWJGNom.exe
  C:\Windows\System32\iWJGNom.exe
  2⤵
  PID:7844
- C:\Windows\System32\xYvffuL.exe
  C:\Windows\System32\xYvffuL.exe
  2⤵
  PID:7868
- C:\Windows\System32\fZNSTSH.exe
  C:\Windows\System32\fZNSTSH.exe
  2⤵
  PID:7924
- C:\Windows\System32\GkarSoC.exe
  C:\Windows\System32\GkarSoC.exe
  2⤵
  PID:7940
- C:\Windows\System32\HMeIiuT.exe
  C:\Windows\System32\HMeIiuT.exe
  2⤵
  PID:7984
- C:\Windows\System32\OIfkGgH.exe
  C:\Windows\System32\OIfkGgH.exe
  2⤵
  PID:8036
- C:\Windows\System32\wpHQAJg.exe
  C:\Windows\System32\wpHQAJg.exe
  2⤵
  PID:8072
- C:\Windows\System32\rtnjSQE.exe
  C:\Windows\System32\rtnjSQE.exe
  2⤵
  PID:8092
- C:\Windows\System32\CGMowJz.exe
  C:\Windows\System32\CGMowJz.exe
  2⤵
  PID:8116
- C:\Windows\System32\zeUMFec.exe
  C:\Windows\System32\zeUMFec.exe
  2⤵
  PID:8132
- C:\Windows\System32\csQemld.exe
  C:\Windows\System32\csQemld.exe
  2⤵
  PID:8164
- C:\Windows\System32\QqGhDad.exe
  C:\Windows\System32\QqGhDad.exe
  2⤵
  PID:8180
- C:\Windows\System32\aEApfCK.exe
  C:\Windows\System32\aEApfCK.exe
  2⤵
  PID:7228
- C:\Windows\System32\XXcGrsO.exe
  C:\Windows\System32\XXcGrsO.exe
  2⤵
  PID:7312
- C:\Windows\System32\sgcpldA.exe
  C:\Windows\System32\sgcpldA.exe
  2⤵
  PID:7332
- C:\Windows\System32\KUlASSM.exe
  C:\Windows\System32\KUlASSM.exe
  2⤵
  PID:7428
- C:\Windows\System32\gxcxGlx.exe
  C:\Windows\System32\gxcxGlx.exe
  2⤵
  PID:7508
- C:\Windows\System32\NRVfJPn.exe
  C:\Windows\System32\NRVfJPn.exe
  2⤵
  PID:7576
- C:\Windows\System32\LWLfsHK.exe
  C:\Windows\System32\LWLfsHK.exe
  2⤵
  PID:7628
- C:\Windows\System32\aSEnbhq.exe
  C:\Windows\System32\aSEnbhq.exe
  2⤵
  PID:7700
- C:\Windows\System32\xOVkDVG.exe
  C:\Windows\System32\xOVkDVG.exe
  2⤵
  PID:7684
- C:\Windows\System32\NZxgzUa.exe
  C:\Windows\System32\NZxgzUa.exe
  2⤵
  PID:7824
- C:\Windows\System32\rPlBsRv.exe
  C:\Windows\System32\rPlBsRv.exe
  2⤵
  PID:7948
- C:\Windows\System32\LveQkOB.exe
  C:\Windows\System32\LveQkOB.exe
  2⤵
  PID:7968
- C:\Windows\System32\kNxeBMp.exe
  C:\Windows\System32\kNxeBMp.exe
  2⤵
  PID:8016
- C:\Windows\System32\FxzwXnO.exe
  C:\Windows\System32\FxzwXnO.exe
  2⤵
  PID:8080
- C:\Windows\System32\YzTVeFH.exe
  C:\Windows\System32\YzTVeFH.exe
  2⤵
  PID:8140
- C:\Windows\System32\Fotkydx.exe
  C:\Windows\System32\Fotkydx.exe
  2⤵
  PID:6556
- C:\Windows\System32\huAmSyg.exe
  C:\Windows\System32\huAmSyg.exe
  2⤵
  PID:7304
- C:\Windows\System32\bQklfCt.exe
  C:\Windows\System32\bQklfCt.exe
  2⤵
  PID:7392
- C:\Windows\System32\HMOrIwD.exe
  C:\Windows\System32\HMOrIwD.exe
  2⤵
  PID:7624
- C:\Windows\System32\JbctfyA.exe
  C:\Windows\System32\JbctfyA.exe
  2⤵
  PID:7760
- C:\Windows\System32\ygBkkEQ.exe
  C:\Windows\System32\ygBkkEQ.exe
  2⤵
  PID:8020
- C:\Windows\System32\HsudvBB.exe
  C:\Windows\System32\HsudvBB.exe
  2⤵
  PID:8100
- C:\Windows\System32\CwQLBKG.exe
  C:\Windows\System32\CwQLBKG.exe
  2⤵
  PID:5856
- C:\Windows\System32\vbRmsNc.exe
  C:\Windows\System32\vbRmsNc.exe
  2⤵
  PID:7784
- C:\Windows\System32\HeVtcIn.exe
  C:\Windows\System32\HeVtcIn.exe
  2⤵
  PID:7976
- C:\Windows\System32\AiTCWOs.exe
  C:\Windows\System32\AiTCWOs.exe
  2⤵
  PID:7548
- C:\Windows\System32\yZTIHRs.exe
  C:\Windows\System32\yZTIHRs.exe
  2⤵
  PID:7748
- C:\Windows\System32\GeYqCLX.exe
  C:\Windows\System32\GeYqCLX.exe
  2⤵
  PID:8204
- C:\Windows\System32\utXBACe.exe
  C:\Windows\System32\utXBACe.exe
  2⤵
  PID:8228
- C:\Windows\System32\qZPQuJt.exe
  C:\Windows\System32\qZPQuJt.exe
  2⤵
  PID:8272
- C:\Windows\System32\TsTqupj.exe
  C:\Windows\System32\TsTqupj.exe
  2⤵
  PID:8288
- C:\Windows\System32\jiQakyo.exe
  C:\Windows\System32\jiQakyo.exe
  2⤵
  PID:8308
- C:\Windows\System32\lWINpLN.exe
  C:\Windows\System32\lWINpLN.exe
  2⤵
  PID:8332
- C:\Windows\System32\HjpGwox.exe
  C:\Windows\System32\HjpGwox.exe
  2⤵
  PID:8360
- C:\Windows\System32\yMYQhjt.exe
  C:\Windows\System32\yMYQhjt.exe
  2⤵
  PID:8396
- C:\Windows\System32\CgEeGUN.exe
  C:\Windows\System32\CgEeGUN.exe
  2⤵
  PID:8432
- C:\Windows\System32\fXxnzOa.exe
  C:\Windows\System32\fXxnzOa.exe
  2⤵
  PID:8460
- C:\Windows\System32\uhcWRLB.exe
  C:\Windows\System32\uhcWRLB.exe
  2⤵
  PID:8484
- C:\Windows\System32\gCBIZrS.exe
  C:\Windows\System32\gCBIZrS.exe
  2⤵
  PID:8512
- C:\Windows\System32\lMOygRP.exe
  C:\Windows\System32\lMOygRP.exe
  2⤵
  PID:8528
- C:\Windows\System32\vsFfFhl.exe
  C:\Windows\System32\vsFfFhl.exe
  2⤵
  PID:8556
- C:\Windows\System32\GGNUXGB.exe
  C:\Windows\System32\GGNUXGB.exe
  2⤵
  PID:8592
- C:\Windows\System32\FGnxcAE.exe
  C:\Windows\System32\FGnxcAE.exe
  2⤵
  PID:8632
- C:\Windows\System32\RwVGPJh.exe
  C:\Windows\System32\RwVGPJh.exe
  2⤵
  PID:8664
- C:\Windows\System32\SzeObtR.exe
  C:\Windows\System32\SzeObtR.exe
  2⤵
  PID:8696
- C:\Windows\System32\grIxlCM.exe
  C:\Windows\System32\grIxlCM.exe
  2⤵
  PID:8716
- C:\Windows\System32\ySKarhs.exe
  C:\Windows\System32\ySKarhs.exe
  2⤵
  PID:8736
- C:\Windows\System32\eVUkuvM.exe
  C:\Windows\System32\eVUkuvM.exe
  2⤵
  PID:8756
- C:\Windows\System32\GTdqrWH.exe
  C:\Windows\System32\GTdqrWH.exe
  2⤵
  PID:8780
- C:\Windows\System32\RsPRXPG.exe
  C:\Windows\System32\RsPRXPG.exe
  2⤵
  PID:8916
- C:\Windows\System32\scXHsas.exe
  C:\Windows\System32\scXHsas.exe
  2⤵
  PID:8932
- C:\Windows\System32\KGwKQsM.exe
  C:\Windows\System32\KGwKQsM.exe
  2⤵
  PID:8948
- C:\Windows\System32\sVxWyMj.exe
  C:\Windows\System32\sVxWyMj.exe
  2⤵
  PID:8964
- C:\Windows\System32\RLhlSLG.exe
  C:\Windows\System32\RLhlSLG.exe
  2⤵
  PID:8980
- C:\Windows\System32\IFCCDHA.exe
  C:\Windows\System32\IFCCDHA.exe
  2⤵
  PID:8996
- C:\Windows\System32\qNEriRV.exe
  C:\Windows\System32\qNEriRV.exe
  2⤵
  PID:9012
- C:\Windows\System32\awbrLEV.exe
  C:\Windows\System32\awbrLEV.exe
  2⤵
  PID:9028
- C:\Windows\System32\KpGQKmg.exe
  C:\Windows\System32\KpGQKmg.exe
  2⤵
  PID:9044
- C:\Windows\System32\tVQDKNg.exe
  C:\Windows\System32\tVQDKNg.exe
  2⤵
  PID:9060
- C:\Windows\System32\CUaLVXl.exe
  C:\Windows\System32\CUaLVXl.exe
  2⤵
  PID:9076
- C:\Windows\System32\lpYGUtm.exe
  C:\Windows\System32\lpYGUtm.exe
  2⤵
  PID:9092
- C:\Windows\System32\wBeJZzv.exe
  C:\Windows\System32\wBeJZzv.exe
  2⤵
  PID:9112
- C:\Windows\System32\ZTzTMNo.exe
  C:\Windows\System32\ZTzTMNo.exe
  2⤵
  PID:9128
- C:\Windows\System32\DBoyMRv.exe
  C:\Windows\System32\DBoyMRv.exe
  2⤵
  PID:9144
- C:\Windows\System32\fsQQVVe.exe
  C:\Windows\System32\fsQQVVe.exe
  2⤵
  PID:9160
- C:\Windows\System32\rjlGjdT.exe
  C:\Windows\System32\rjlGjdT.exe
  2⤵
  PID:9176
- C:\Windows\System32\KgvvxCo.exe
  C:\Windows\System32\KgvvxCo.exe
  2⤵
  PID:9192
- C:\Windows\System32\oIQnlrV.exe
  C:\Windows\System32\oIQnlrV.exe
  2⤵
  PID:9208
- C:\Windows\System32\vmfmAfi.exe
  C:\Windows\System32\vmfmAfi.exe
  2⤵
  PID:8212
- C:\Windows\System32\xRGxybF.exe
  C:\Windows\System32\xRGxybF.exe
  2⤵
  PID:8216
- C:\Windows\System32\ihPpWPo.exe
  C:\Windows\System32\ihPpWPo.exe
  2⤵
  PID:8256
- C:\Windows\System32\PbUNvqt.exe
  C:\Windows\System32\PbUNvqt.exe
  2⤵
  PID:8300
- C:\Windows\System32\SKaiakM.exe
  C:\Windows\System32\SKaiakM.exe
  2⤵
  PID:8348
- C:\Windows\System32\GSErJvN.exe
  C:\Windows\System32\GSErJvN.exe
  2⤵
  PID:8380
- C:\Windows\System32\XXtbbqo.exe
  C:\Windows\System32\XXtbbqo.exe
  2⤵
  PID:8416
- C:\Windows\System32\IbzJvDC.exe
  C:\Windows\System32\IbzJvDC.exe
  2⤵
  PID:8480
- C:\Windows\System32\vQPQAWA.exe
  C:\Windows\System32\vQPQAWA.exe
  2⤵
  PID:8504
- C:\Windows\System32\MlzpwFa.exe
  C:\Windows\System32\MlzpwFa.exe
  2⤵
  PID:8792
- C:\Windows\System32\BmrVniN.exe
  C:\Windows\System32\BmrVniN.exe
  2⤵
  PID:9140
- C:\Windows\System32\TUOZsCE.exe
  C:\Windows\System32\TUOZsCE.exe
  2⤵
  PID:9200
- C:\Windows\System32\HOWLLVg.exe
  C:\Windows\System32\HOWLLVg.exe
  2⤵
  PID:8868
- C:\Windows\System32\JucPMej.exe
  C:\Windows\System32\JucPMej.exe
  2⤵
  PID:8872
- C:\Windows\System32\FSdqqAN.exe
  C:\Windows\System32\FSdqqAN.exe
  2⤵
  PID:9088
- C:\Windows\System32\BNKVCKZ.exe
  C:\Windows\System32\BNKVCKZ.exe
  2⤵
  PID:8704
- C:\Windows\System32\hMBdMvk.exe
  C:\Windows\System32\hMBdMvk.exe
  2⤵
  PID:9136
- C:\Windows\System32\YBpCYwD.exe
  C:\Windows\System32\YBpCYwD.exe
  2⤵
  PID:8992
- C:\Windows\System32\nfORiMk.exe
  C:\Windows\System32\nfORiMk.exe
  2⤵
  PID:8508
- C:\Windows\System32\ceYdKQJ.exe
  C:\Windows\System32\ceYdKQJ.exe
  2⤵
  PID:8960
- C:\Windows\System32\kMytFGZ.exe
  C:\Windows\System32\kMytFGZ.exe
  2⤵
  PID:9004
- C:\Windows\System32\mtpiRYY.exe
  C:\Windows\System32\mtpiRYY.exe
  2⤵
  PID:9220
- C:\Windows\System32\yAMwFFR.exe
  C:\Windows\System32\yAMwFFR.exe
  2⤵
  PID:9240
- C:\Windows\System32\ONAQmUd.exe
  C:\Windows\System32\ONAQmUd.exe
  2⤵
  PID:9260
- C:\Windows\System32\BXopkbD.exe
  C:\Windows\System32\BXopkbD.exe
  2⤵
  PID:9296
- C:\Windows\System32\xzEHKzQ.exe
  C:\Windows\System32\xzEHKzQ.exe
  2⤵
  PID:9316
- C:\Windows\System32\yNFfzpi.exe
  C:\Windows\System32\yNFfzpi.exe
  2⤵
  PID:9332
- C:\Windows\System32\BIZIVdK.exe
  C:\Windows\System32\BIZIVdK.exe
  2⤵
  PID:9356
- C:\Windows\System32\rfCrVwX.exe
  C:\Windows\System32\rfCrVwX.exe
  2⤵
  PID:9372
- C:\Windows\System32\yuSAFWg.exe
  C:\Windows\System32\yuSAFWg.exe
  2⤵
  PID:9416
- C:\Windows\System32\VlgWzCc.exe
  C:\Windows\System32\VlgWzCc.exe
  2⤵
  PID:9456
- C:\Windows\System32\KeWxkzB.exe
  C:\Windows\System32\KeWxkzB.exe
  2⤵
  PID:9476
- C:\Windows\System32\hVWwobO.exe
  C:\Windows\System32\hVWwobO.exe
  2⤵
  PID:9496
- C:\Windows\System32\vWPvgIC.exe
  C:\Windows\System32\vWPvgIC.exe
  2⤵
  PID:9544
- C:\Windows\System32\sYNxAMO.exe
  C:\Windows\System32\sYNxAMO.exe
  2⤵
  PID:9564
- C:\Windows\System32\YmMwyMs.exe
  C:\Windows\System32\YmMwyMs.exe
  2⤵
  PID:9580
- C:\Windows\System32\KzwDvAI.exe
  C:\Windows\System32\KzwDvAI.exe
  2⤵
  PID:9608
- C:\Windows\System32\YRTIovI.exe
  C:\Windows\System32\YRTIovI.exe
  2⤵
  PID:9668
- C:\Windows\System32\gprscti.exe
  C:\Windows\System32\gprscti.exe
  2⤵
  PID:9700
- C:\Windows\System32\FseZTvv.exe
  C:\Windows\System32\FseZTvv.exe
  2⤵
  PID:9732
- C:\Windows\System32\BioijHR.exe
  C:\Windows\System32\BioijHR.exe
  2⤵
  PID:9756
- C:\Windows\System32\WiovOsx.exe
  C:\Windows\System32\WiovOsx.exe
  2⤵
  PID:9772
- C:\Windows\System32\ZvlbqZp.exe
  C:\Windows\System32\ZvlbqZp.exe
  2⤵
  PID:9788
- C:\Windows\System32\jQoiUfH.exe
  C:\Windows\System32\jQoiUfH.exe
  2⤵
  PID:9840
- C:\Windows\System32\FvoOmzF.exe
  C:\Windows\System32\FvoOmzF.exe
  2⤵
  PID:9860
- C:\Windows\System32\XWvSeYq.exe
  C:\Windows\System32\XWvSeYq.exe
  2⤵
  PID:9888
- C:\Windows\System32\STHSQPe.exe
  C:\Windows\System32\STHSQPe.exe
  2⤵
  PID:9904
- C:\Windows\System32\oiAmaDI.exe
  C:\Windows\System32\oiAmaDI.exe
  2⤵
  PID:9952
- C:\Windows\System32\JTDOJlm.exe
  C:\Windows\System32\JTDOJlm.exe
  2⤵
  PID:9968
- C:\Windows\System32\IwdRFIr.exe
  C:\Windows\System32\IwdRFIr.exe
  2⤵
  PID:9992
- C:\Windows\System32\ZAoOaGh.exe
  C:\Windows\System32\ZAoOaGh.exe
  2⤵
  PID:10024
- C:\Windows\System32\sNFyyWN.exe
  C:\Windows\System32\sNFyyWN.exe
  2⤵
  PID:10040
- C:\Windows\System32\WmAIlGA.exe
  C:\Windows\System32\WmAIlGA.exe
  2⤵
  PID:10104
- C:\Windows\System32\GmGEwOv.exe
  C:\Windows\System32\GmGEwOv.exe
  2⤵
  PID:10136
- C:\Windows\System32\QutLslF.exe
  C:\Windows\System32\QutLslF.exe
  2⤵
  PID:10160
- C:\Windows\System32\mSKkmst.exe
  C:\Windows\System32\mSKkmst.exe
  2⤵
  PID:10176
- C:\Windows\System32\rrWRNAk.exe
  C:\Windows\System32\rrWRNAk.exe
  2⤵
  PID:10208
- C:\Windows\System32\HSOVNAU.exe
  C:\Windows\System32\HSOVNAU.exe
  2⤵
  PID:10228
- C:\Windows\System32\aKrhMQF.exe
  C:\Windows\System32\aKrhMQF.exe
  2⤵
  PID:9228
- C:\Windows\System32\tyUldYO.exe
  C:\Windows\System32\tyUldYO.exe
  2⤵
  PID:9340
- C:\Windows\System32\iOzROUq.exe
  C:\Windows\System32\iOzROUq.exe
  2⤵
  PID:9364
- C:\Windows\System32\KqPaRHv.exe
  C:\Windows\System32\KqPaRHv.exe
  2⤵
  PID:9424
- C:\Windows\System32\CDttGfO.exe
  C:\Windows\System32\CDttGfO.exe
  2⤵
  PID:9488
- C:\Windows\System32\GQxTKRs.exe
  C:\Windows\System32\GQxTKRs.exe
  2⤵
  PID:9540
- C:\Windows\System32\zuXrbsz.exe
  C:\Windows\System32\zuXrbsz.exe
  2⤵
  PID:9600
- C:\Windows\System32\HIbSnhY.exe
  C:\Windows\System32\HIbSnhY.exe
  2⤵
  PID:9556
- C:\Windows\System32\GrQTOui.exe
  C:\Windows\System32\GrQTOui.exe
  2⤵
  PID:9744
- C:\Windows\System32\vGaObbx.exe
  C:\Windows\System32\vGaObbx.exe
  2⤵
  PID:9852
- C:\Windows\System32\VPhGEXc.exe
  C:\Windows\System32\VPhGEXc.exe
  2⤵
  PID:9880
- C:\Windows\System32\avhDBzc.exe
  C:\Windows\System32\avhDBzc.exe
  2⤵
  PID:9980
- C:\Windows\System32\shdbifr.exe
  C:\Windows\System32\shdbifr.exe
  2⤵
  PID:10020
- C:\Windows\System32\RyIeoiS.exe
  C:\Windows\System32\RyIeoiS.exe
  2⤵
  PID:10056
- C:\Windows\System32\nMNPdtK.exe
  C:\Windows\System32\nMNPdtK.exe
  2⤵
  PID:10092
- C:\Windows\System32\aerYRTY.exe
  C:\Windows\System32\aerYRTY.exe
  2⤵
  PID:10132
- C:\Windows\System32\qtDBxRl.exe
  C:\Windows\System32\qtDBxRl.exe
  2⤵
  PID:10216
- C:\Windows\System32\PxdsGJR.exe
  C:\Windows\System32\PxdsGJR.exe
  2⤵
  PID:9400
- C:\Windows\System32\bbPXdUt.exe
  C:\Windows\System32\bbPXdUt.exe
  2⤵
  PID:9524
- C:\Windows\System32\woRZAwZ.exe
  C:\Windows\System32\woRZAwZ.exe
  2⤵
  PID:9684
- C:\Windows\System32\RyigxCx.exe
  C:\Windows\System32\RyigxCx.exe
  2⤵
  PID:9748
- C:\Windows\System32\NKJWADR.exe
  C:\Windows\System32\NKJWADR.exe
  2⤵
  PID:10084
- C:\Windows\System32\lMFCezX.exe
  C:\Windows\System32\lMFCezX.exe
  2⤵
  PID:10156
- C:\Windows\System32\IuDudSL.exe
  C:\Windows\System32\IuDudSL.exe
  2⤵
  PID:9692
- C:\Windows\System32\UTYImHa.exe
  C:\Windows\System32\UTYImHa.exe
  2⤵
  PID:9572
- C:\Windows\System32\nejfNbU.exe
  C:\Windows\System32\nejfNbU.exe
  2⤵
  PID:9256
- C:\Windows\System32\QsKvPkQ.exe
  C:\Windows\System32\QsKvPkQ.exe
  2⤵
  PID:10064
- C:\Windows\System32\ocIfCCz.exe
  C:\Windows\System32\ocIfCCz.exe
  2⤵
  PID:10260
- C:\Windows\System32\wowSrJn.exe
  C:\Windows\System32\wowSrJn.exe
  2⤵
  PID:10284
- C:\Windows\System32\CfZHhpr.exe
  C:\Windows\System32\CfZHhpr.exe
  2⤵
  PID:10300
- C:\Windows\System32\cBuNvOO.exe
  C:\Windows\System32\cBuNvOO.exe
  2⤵
  PID:10324
- C:\Windows\System32\XbsYqkZ.exe
  C:\Windows\System32\XbsYqkZ.exe
  2⤵
  PID:10348
- C:\Windows\System32\BCIFGCX.exe
  C:\Windows\System32\BCIFGCX.exe
  2⤵
  PID:10364
- C:\Windows\System32\igVtiTG.exe
  C:\Windows\System32\igVtiTG.exe
  2⤵
  PID:10412
- C:\Windows\System32\bSmvgNP.exe
  C:\Windows\System32\bSmvgNP.exe
  2⤵
  PID:10436
- C:\Windows\System32\CNszwhl.exe
  C:\Windows\System32\CNszwhl.exe
  2⤵
  PID:10456
- C:\Windows\System32\Wggbmth.exe
  C:\Windows\System32\Wggbmth.exe
  2⤵
  PID:10492
- C:\Windows\System32\irhdgJc.exe
  C:\Windows\System32\irhdgJc.exe
  2⤵
  PID:10508
- C:\Windows\System32\KjRaCSm.exe
  C:\Windows\System32\KjRaCSm.exe
  2⤵
  PID:10532
- C:\Windows\System32\OeRYHcz.exe
  C:\Windows\System32\OeRYHcz.exe
  2⤵
  PID:10568
- C:\Windows\System32\FzPCGnV.exe
  C:\Windows\System32\FzPCGnV.exe
  2⤵
  PID:10608
- C:\Windows\System32\wOkUhzf.exe
  C:\Windows\System32\wOkUhzf.exe
  2⤵
  PID:10644
- C:\Windows\System32\cDPBCXZ.exe
  C:\Windows\System32\cDPBCXZ.exe
  2⤵
  PID:10664
- C:\Windows\System32\eMicYzN.exe
  C:\Windows\System32\eMicYzN.exe
  2⤵
  PID:10700
- C:\Windows\System32\AOyyrOl.exe
  C:\Windows\System32\AOyyrOl.exe
  2⤵
  PID:10732
- C:\Windows\System32\enAgJXd.exe
  C:\Windows\System32\enAgJXd.exe
  2⤵
  PID:10752
- C:\Windows\System32\FBHzZkR.exe
  C:\Windows\System32\FBHzZkR.exe
  2⤵
  PID:10808
- C:\Windows\System32\fyvUnSz.exe
  C:\Windows\System32\fyvUnSz.exe
  2⤵
  PID:10832
- C:\Windows\System32\NogUwmB.exe
  C:\Windows\System32\NogUwmB.exe
  2⤵
  PID:10856
- C:\Windows\System32\WgPmWug.exe
  C:\Windows\System32\WgPmWug.exe
  2⤵
  PID:10872
- C:\Windows\System32\WJzFCDI.exe
  C:\Windows\System32\WJzFCDI.exe
  2⤵
  PID:10892
- C:\Windows\System32\CcJOPyx.exe
  C:\Windows\System32\CcJOPyx.exe
  2⤵
  PID:10920
- C:\Windows\System32\XIejloE.exe
  C:\Windows\System32\XIejloE.exe
  2⤵
  PID:10944
- C:\Windows\System32\qlOPzeg.exe
  C:\Windows\System32\qlOPzeg.exe
  2⤵
  PID:10976
- C:\Windows\System32\ndHLylR.exe
  C:\Windows\System32\ndHLylR.exe
  2⤵
  PID:11016
- C:\Windows\System32\lHZwwoZ.exe
  C:\Windows\System32\lHZwwoZ.exe
  2⤵
  PID:11036
- C:\Windows\System32\WfPIXvc.exe
  C:\Windows\System32\WfPIXvc.exe
  2⤵
  PID:11060
- C:\Windows\System32\cCdTWPu.exe
  C:\Windows\System32\cCdTWPu.exe
  2⤵
  PID:11092
- C:\Windows\System32\FAHPHfv.exe
  C:\Windows\System32\FAHPHfv.exe
  2⤵
  PID:11108
- C:\Windows\System32\TnvNQoO.exe
  C:\Windows\System32\TnvNQoO.exe
  2⤵
  PID:11136
- C:\Windows\System32\ZVlfuIs.exe
  C:\Windows\System32\ZVlfuIs.exe
  2⤵
  PID:11208
- C:\Windows\System32\yscJqrg.exe
  C:\Windows\System32\yscJqrg.exe
  2⤵
  PID:11228
- C:\Windows\System32\OJsYNfN.exe
  C:\Windows\System32\OJsYNfN.exe
  2⤵
  PID:11252
- C:\Windows\System32\ABanBFh.exe
  C:\Windows\System32\ABanBFh.exe
  2⤵
  PID:9936
- C:\Windows\System32\HUZbWTq.exe
  C:\Windows\System32\HUZbWTq.exe
  2⤵
  PID:10332
- C:\Windows\System32\QJowSCK.exe
  C:\Windows\System32\QJowSCK.exe
  2⤵
  PID:10384
- C:\Windows\System32\rdRFvCA.exe
  C:\Windows\System32\rdRFvCA.exe
  2⤵
  PID:10452
- C:\Windows\System32\xZiLKHO.exe
  C:\Windows\System32\xZiLKHO.exe
  2⤵
  PID:10548
- C:\Windows\System32\MyxZaPh.exe
  C:\Windows\System32\MyxZaPh.exe
  2⤵
  PID:10588
- C:\Windows\System32\svnbBeb.exe
  C:\Windows\System32\svnbBeb.exe
  2⤵
  PID:10660
- C:\Windows\System32\mKxaZpW.exe
  C:\Windows\System32\mKxaZpW.exe
  2⤵
  PID:10716
- C:\Windows\System32\EgKRMoY.exe
  C:\Windows\System32\EgKRMoY.exe
  2⤵
  PID:10796
- C:\Windows\System32\TqWfQFj.exe
  C:\Windows\System32\TqWfQFj.exe
  2⤵
  PID:10852
- C:\Windows\System32\wfcmTYX.exe
  C:\Windows\System32\wfcmTYX.exe
  2⤵
  PID:10884
- C:\Windows\System32\STjKHSt.exe
  C:\Windows\System32\STjKHSt.exe
  2⤵
  PID:10972
- C:\Windows\System32\iMuTkZl.exe
  C:\Windows\System32\iMuTkZl.exe
  2⤵
  PID:11000
- C:\Windows\System32\IUDiuHO.exe
  C:\Windows\System32\IUDiuHO.exe
  2⤵
  PID:11004
- C:\Windows\System32\ZdrjrOU.exe
  C:\Windows\System32\ZdrjrOU.exe
  2⤵
  PID:11132
- C:\Windows\System32\XPxiYef.exe
  C:\Windows\System32\XPxiYef.exe
  2⤵
  PID:9404
- C:\Windows\System32\hVtaSlv.exe
  C:\Windows\System32\hVtaSlv.exe
  2⤵
  PID:10344
- C:\Windows\System32\sDtauFJ.exe
  C:\Windows\System32\sDtauFJ.exe
  2⤵
  PID:10468
- C:\Windows\System32\NsMmkVG.exe
  C:\Windows\System32\NsMmkVG.exe
  2⤵
  PID:10604
- C:\Windows\System32\miPFmev.exe
  C:\Windows\System32\miPFmev.exe
  2⤵
  PID:10772
- C:\Windows\System32\mObFCTy.exe
  C:\Windows\System32\mObFCTy.exe
  2⤵
  PID:10864
- C:\Windows\System32\CzDJotn.exe
  C:\Windows\System32\CzDJotn.exe
  2⤵
  PID:10912
- C:\Windows\System32\ZzNzjZF.exe
  C:\Windows\System32\ZzNzjZF.exe
  2⤵
  PID:11048
- C:\Windows\System32\IAbLXJh.exe
  C:\Windows\System32\IAbLXJh.exe
  2⤵
  PID:11168
- C:\Windows\System32\eCkgOBP.exe
  C:\Windows\System32\eCkgOBP.exe
  2⤵
  PID:10520
- C:\Windows\System32\VqoAIUP.exe
  C:\Windows\System32\VqoAIUP.exe
  2⤵
  PID:10936
- C:\Windows\System32\dsAgfGE.exe
  C:\Windows\System32\dsAgfGE.exe
  2⤵
  PID:10432
- C:\Windows\System32\laFEYxd.exe
  C:\Windows\System32\laFEYxd.exe
  2⤵
  PID:11272
- C:\Windows\System32\GmIohrp.exe
  C:\Windows\System32\GmIohrp.exe
  2⤵
  PID:11300
- C:\Windows\System32\cmLyWkG.exe
  C:\Windows\System32\cmLyWkG.exe
  2⤵
  PID:11340
- C:\Windows\System32\apPPdVD.exe
  C:\Windows\System32\apPPdVD.exe
  2⤵
  PID:11356
- C:\Windows\System32\zDxnTrF.exe
  C:\Windows\System32\zDxnTrF.exe
  2⤵
  PID:11380
- C:\Windows\System32\jQoPuIz.exe
  C:\Windows\System32\jQoPuIz.exe
  2⤵
  PID:11444
- C:\Windows\System32\FWMHvtP.exe
  C:\Windows\System32\FWMHvtP.exe
  2⤵
  PID:11460
- C:\Windows\System32\olBtXaH.exe
  C:\Windows\System32\olBtXaH.exe
  2⤵
  PID:11484
- C:\Windows\System32\piqmLNH.exe
  C:\Windows\System32\piqmLNH.exe
  2⤵
  PID:11504
- C:\Windows\System32\pgfeaOu.exe
  C:\Windows\System32\pgfeaOu.exe
  2⤵
  PID:11524
- C:\Windows\System32\NlWaEbq.exe
  C:\Windows\System32\NlWaEbq.exe
  2⤵
  PID:11544
- C:\Windows\System32\ywhpOkm.exe
  C:\Windows\System32\ywhpOkm.exe
  2⤵
  PID:11596
- C:\Windows\System32\IJFdvax.exe
  C:\Windows\System32\IJFdvax.exe
  2⤵
  PID:11624
- C:\Windows\System32\ofmauoa.exe
  C:\Windows\System32\ofmauoa.exe
  2⤵
  PID:11644
- C:\Windows\System32\tMCHBAQ.exe
  C:\Windows\System32\tMCHBAQ.exe
  2⤵
  PID:11672
- C:\Windows\System32\PDjwDFv.exe
  C:\Windows\System32\PDjwDFv.exe
  2⤵
  PID:11712
- C:\Windows\System32\ouldgNm.exe
  C:\Windows\System32\ouldgNm.exe
  2⤵
  PID:11736
- C:\Windows\System32\NKGslEu.exe
  C:\Windows\System32\NKGslEu.exe
  2⤵
  PID:11752
- C:\Windows\System32\TEguXyu.exe
  C:\Windows\System32\TEguXyu.exe
  2⤵
  PID:11776
- C:\Windows\System32\bSEvRQx.exe
  C:\Windows\System32\bSEvRQx.exe
  2⤵
  PID:11792
- C:\Windows\System32\NonoGSA.exe
  C:\Windows\System32\NonoGSA.exe
  2⤵
  PID:11832
- C:\Windows\System32\RoFDVUK.exe
  C:\Windows\System32\RoFDVUK.exe
  2⤵
  PID:11852
- C:\Windows\System32\UgwJoKY.exe
  C:\Windows\System32\UgwJoKY.exe
  2⤵
  PID:11880
- C:\Windows\System32\QCVdYxK.exe
  C:\Windows\System32\QCVdYxK.exe
  2⤵
  PID:11940
- C:\Windows\System32\WFoPtvJ.exe
  C:\Windows\System32\WFoPtvJ.exe
  2⤵
  PID:11964
- C:\Windows\System32\AWAUuPo.exe
  C:\Windows\System32\AWAUuPo.exe
  2⤵
  PID:11992
- C:\Windows\System32\WqIzdIs.exe
  C:\Windows\System32\WqIzdIs.exe
  2⤵
  PID:12024
- C:\Windows\System32\kcMhZgr.exe
  C:\Windows\System32\kcMhZgr.exe
  2⤵
  PID:12060
- C:\Windows\System32\paXpBFD.exe
  C:\Windows\System32\paXpBFD.exe
  2⤵
  PID:12084
- C:\Windows\System32\EvfOTkV.exe
  C:\Windows\System32\EvfOTkV.exe
  2⤵
  PID:12116
- C:\Windows\System32\venOBhu.exe
  C:\Windows\System32\venOBhu.exe
  2⤵
  PID:12144
- C:\Windows\System32\WBQuvzc.exe
  C:\Windows\System32\WBQuvzc.exe
  2⤵
  PID:12184
- C:\Windows\System32\RBOBclk.exe
  C:\Windows\System32\RBOBclk.exe
  2⤵
  PID:12204
- C:\Windows\System32\TnmPKbT.exe
  C:\Windows\System32\TnmPKbT.exe
  2⤵
  PID:12228
- C:\Windows\System32\lqftZPP.exe
  C:\Windows\System32\lqftZPP.exe
  2⤵
  PID:12244
- C:\Windows\System32\WWefsoq.exe
  C:\Windows\System32\WWefsoq.exe
  2⤵
  PID:12260
- C:\Windows\System32\trwDKdu.exe
  C:\Windows\System32\trwDKdu.exe
  2⤵
  PID:12276
- C:\Windows\System32\LZFERZc.exe
  C:\Windows\System32\LZFERZc.exe
  2⤵
  PID:10720
- C:\Windows\System32\FiflChu.exe
  C:\Windows\System32\FiflChu.exe
  2⤵
  PID:11312
- C:\Windows\System32\eRjAnNL.exe
  C:\Windows\System32\eRjAnNL.exe
  2⤵
  PID:11408
- C:\Windows\System32\iiOrVIT.exe
  C:\Windows\System32\iiOrVIT.exe
  2⤵
  PID:11456
- C:\Windows\System32\lDeVglx.exe
  C:\Windows\System32\lDeVglx.exe
  2⤵
  PID:11560
- C:\Windows\System32\VcVDjAV.exe
  C:\Windows\System32\VcVDjAV.exe
  2⤵
  PID:11640
- C:\Windows\System32\OGOYKsB.exe
  C:\Windows\System32\OGOYKsB.exe
  2⤵
  PID:11732
- C:\Windows\System32\WJjQMZV.exe
  C:\Windows\System32\WJjQMZV.exe
  2⤵
  PID:11808
- C:\Windows\System32\KOAfBSm.exe
  C:\Windows\System32\KOAfBSm.exe
  2⤵
  PID:11904
- C:\Windows\System32\THunYnX.exe
  C:\Windows\System32\THunYnX.exe
  2⤵
  PID:11900
- C:\Windows\System32\UFVNIst.exe
  C:\Windows\System32\UFVNIst.exe
  2⤵
  PID:12080
- C:\Windows\System32\ZAhISQc.exe
  C:\Windows\System32\ZAhISQc.exe
  2⤵
  PID:12108
- C:\Windows\System32\KsVQsNC.exe
  C:\Windows\System32\KsVQsNC.exe
  2⤵
  PID:12128
- C:\Windows\System32\CBlcNvH.exe
  C:\Windows\System32\CBlcNvH.exe
  2⤵
  PID:12236
- C:\Windows\System32\ewbZEwa.exe
  C:\Windows\System32\ewbZEwa.exe
  2⤵
  PID:10296
- C:\Windows\System32\TVOtxtb.exe
  C:\Windows\System32\TVOtxtb.exe
  2⤵
  PID:11368
- C:\Windows\System32\LqjfwGX.exe
  C:\Windows\System32\LqjfwGX.exe
  2⤵
  PID:11612
- C:\Windows\System32\NRwEprf.exe
  C:\Windows\System32\NRwEprf.exe
  2⤵
  PID:11684
- C:\Windows\System32\iBtGugV.exe
  C:\Windows\System32\iBtGugV.exe
  2⤵
  PID:11120
- C:\Windows\System32\PqGScEu.exe
  C:\Windows\System32\PqGScEu.exe
  2⤵
  PID:12072
- C:\Windows\System32\pMSMCcm.exe
  C:\Windows\System32\pMSMCcm.exe
  2⤵
  PID:12172
- C:\Windows\System32\yKmkGXh.exe
  C:\Windows\System32\yKmkGXh.exe
  2⤵
  PID:11452
- C:\Windows\System32\RgCtZSU.exe
  C:\Windows\System32\RgCtZSU.exe
  2⤵
  PID:11540
- C:\Windows\System32\wPSphFm.exe
  C:\Windows\System32\wPSphFm.exe
  2⤵
  PID:12168
- C:\Windows\System32\avsdvXh.exe
  C:\Windows\System32\avsdvXh.exe
  2⤵
  PID:11872
- C:\Windows\System32\HIVgEnm.exe
  C:\Windows\System32\HIVgEnm.exe
  2⤵
  PID:11316
- C:\Windows\System32\AclnlsQ.exe
  C:\Windows\System32\AclnlsQ.exe
  2⤵
  PID:536
- C:\Windows\System32\dNXzeya.exe
  C:\Windows\System32\dNXzeya.exe
  2⤵
  PID:4348
- C:\Windows\System32\ddxiKJS.exe
  C:\Windows\System32\ddxiKJS.exe
  2⤵
  PID:12312
- C:\Windows\System32\fZJuEDi.exe
  C:\Windows\System32\fZJuEDi.exe
  2⤵
  PID:12340
- C:\Windows\System32\aCufcCD.exe
  C:\Windows\System32\aCufcCD.exe
  2⤵
  PID:12360
- C:\Windows\System32\yoNdSZf.exe
  C:\Windows\System32\yoNdSZf.exe
  2⤵
  PID:12400
- C:\Windows\System32\WPaGLQu.exe
  C:\Windows\System32\WPaGLQu.exe
  2⤵
  PID:12416
- C:\Windows\System32\cNdybhH.exe
  C:\Windows\System32\cNdybhH.exe
  2⤵
  PID:12436
- C:\Windows\System32\RAbPYzI.exe
  C:\Windows\System32\RAbPYzI.exe
  2⤵
  PID:12476
- C:\Windows\System32\tkVQfdk.exe
  C:\Windows\System32\tkVQfdk.exe
  2⤵
  PID:12508
- C:\Windows\System32\pGUuSRq.exe
  C:\Windows\System32\pGUuSRq.exe
  2⤵
  PID:12524
- C:\Windows\System32\fzcoXxx.exe
  C:\Windows\System32\fzcoXxx.exe
  2⤵
  PID:12544
- C:\Windows\System32\jpXuilo.exe
  C:\Windows\System32\jpXuilo.exe
  2⤵
  PID:12580
- C:\Windows\System32\VCWseAs.exe
  C:\Windows\System32\VCWseAs.exe
  2⤵
  PID:12616
- C:\Windows\System32\wleYFUC.exe
  C:\Windows\System32\wleYFUC.exe
  2⤵
  PID:12644
- C:\Windows\System32\dWCaaii.exe
  C:\Windows\System32\dWCaaii.exe
  2⤵
  PID:12668
- C:\Windows\System32\UKiFeAg.exe
  C:\Windows\System32\UKiFeAg.exe
  2⤵
  PID:12700
- C:\Windows\System32\HJixnfR.exe
  C:\Windows\System32\HJixnfR.exe
  2⤵
  PID:12716
- C:\Windows\System32\DoUiJeC.exe
  C:\Windows\System32\DoUiJeC.exe
  2⤵
  PID:12744
- C:\Windows\System32\QoNByRv.exe
  C:\Windows\System32\QoNByRv.exe
  2⤵
  PID:12764
- C:\Windows\System32\AgIIEGl.exe
  C:\Windows\System32\AgIIEGl.exe
  2⤵
  PID:12784
- C:\Windows\System32\RKpGcRN.exe
  C:\Windows\System32\RKpGcRN.exe
  2⤵
  PID:12816
- C:\Windows\System32\yfepSZz.exe
  C:\Windows\System32\yfepSZz.exe
  2⤵
  PID:12860
- C:\Windows\System32\onBjSKn.exe
  C:\Windows\System32\onBjSKn.exe
  2⤵
  PID:12876
- C:\Windows\System32\rBKbSoB.exe
  C:\Windows\System32\rBKbSoB.exe
  2⤵
  PID:12908
- C:\Windows\System32\oeVnxnH.exe
  C:\Windows\System32\oeVnxnH.exe
  2⤵
  PID:12928
- C:\Windows\System32\HXnefJy.exe
  C:\Windows\System32\HXnefJy.exe
  2⤵
  PID:12944
- C:\Windows\System32\jpyCaUl.exe
  C:\Windows\System32\jpyCaUl.exe
  2⤵
  PID:13012
- C:\Windows\System32\WXAzCbe.exe
  C:\Windows\System32\WXAzCbe.exe
  2⤵
  PID:13040
- C:\Windows\System32\yXcTawE.exe
  C:\Windows\System32\yXcTawE.exe
  2⤵
  PID:13068
- C:\Windows\System32\xlBWSEd.exe
  C:\Windows\System32\xlBWSEd.exe
  2⤵
  PID:13108
- C:\Windows\System32\gMlQCUw.exe
  C:\Windows\System32\gMlQCUw.exe
  2⤵
  PID:13136
- C:\Windows\System32\WNPdXHo.exe
  C:\Windows\System32\WNPdXHo.exe
  2⤵
  PID:13156
- C:\Windows\System32\orIKmVm.exe
  C:\Windows\System32\orIKmVm.exe
  2⤵
  PID:13172
- C:\Windows\System32\PzWamcY.exe
  C:\Windows\System32\PzWamcY.exe
  2⤵
  PID:13216
- C:\Windows\System32\eIZNcaE.exe
  C:\Windows\System32\eIZNcaE.exe
  2⤵
  PID:13252
- C:\Windows\System32\ijiCnqP.exe
  C:\Windows\System32\ijiCnqP.exe
  2⤵
  PID:13268
- C:\Windows\System32\wcRLuQN.exe
  C:\Windows\System32\wcRLuQN.exe
  2⤵
  PID:12152
- C:\Windows\System32\kjLQapf.exe
  C:\Windows\System32\kjLQapf.exe
  2⤵
  PID:12332
- C:\Windows\System32\ekTBZMV.exe
  C:\Windows\System32\ekTBZMV.exe
  2⤵
  PID:12388
- C:\Windows\System32\KzpkICi.exe
  C:\Windows\System32\KzpkICi.exe
  2⤵
  PID:12456
- C:\Windows\System32\TpDQKan.exe
  C:\Windows\System32\TpDQKan.exe
  2⤵
  PID:12532
- C:\Windows\System32\lFfXBsi.exe
  C:\Windows\System32\lFfXBsi.exe
  2⤵
  PID:12568
- C:\Windows\System32\fXRwoLW.exe
  C:\Windows\System32\fXRwoLW.exe
  2⤵
  PID:12612
- C:\Windows\System32\YIOVubK.exe
  C:\Windows\System32\YIOVubK.exe
  2⤵
  PID:12664
- C:\Windows\System32\KYXUKVu.exe
  C:\Windows\System32\KYXUKVu.exe
  2⤵
  PID:12740

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AQHWwPs.exe

Filesize
939KB

MD5
567b07f4ae4bba956514381d9a03800f

SHA1
f08b468c2d49a961701ac0b5ba708a61a84516f9

SHA256
20619af5d942a6b71f517cbff11a9bf8acae5edef555534b628a21a227827bf1

SHA512
7c5c00b896ed771a3cb65c0e846d8043d7d52ea07627b54cc135eaf0c8647818678ad2689607a26e4546f482f30009058e62e6a39ebc126ec149228c9081fd5b

Download Submit
C:\Windows\System32\DBjgERE.exe

Filesize
943KB

MD5
63440e6ef0e4446598d4cd2e739bd896

SHA1
fb79f43141c591399dbed888a666f248c25c886e

SHA256
bcbad4f61e0fdfc6b99556d5ea48ce1a9db06f028070e787bcfb8c4e93d04a51

SHA512
0a7bec0279d5bc7cd7155eefa90112af0b057de0f1cbd57962130e835871cc8a06699ad4c784739e8f2891fd92e4fa63b2c0c167e3314bfb47011b612c18df2b

Download Submit
C:\Windows\System32\GfgKIJm.exe

Filesize
938KB

MD5
a53f9a75ea3157cc1a0b7acc1c4b1d06

SHA1
d537903e165302f7a38b7bf0b66d59b33b1c02c2

SHA256
36391d5969234868ee13e827930492b6334e7071e60dda1665b6483f7543012f

SHA512
bd33073d4b54b24d2220e68271da20adc50b8cea675fd643bb056f5016d9d90628bb17d16e87ce125c50eb6347898c24d8b180800439624b579b2724c40d763c

Download Submit
C:\Windows\System32\HOqSTwm.exe

Filesize
936KB

MD5
18c78d99c8a3fa5572293cd32241d9a2

SHA1
03045b4ea6091bba11ce3494c705d53ec197ca5f

SHA256
f35a841b58bd2cfaa1ccdfdc8abc58259419376a9754db8a1e66c45435467ef2

SHA512
f4be004d6bab8799c1d794a3f15f7aec8b82a8e48261480fe8afb7386c326d355527a206c376a61f533f873040bde27ef630f71bb3de7c9367f745dbd9176740

Download Submit
C:\Windows\System32\HgaOrVB.exe

Filesize
941KB

MD5
7617665d0aaa96a4389dcc6a27678366

SHA1
1a1e2f33a2394c07ba4e650a844d37988da42730

SHA256
716fd04df0a286244200130abfe54d9f5e2346fe90d51e9a4955a167c10777e3

SHA512
8875c49756f63cc82a850f1dadd837bda828a31df8821b043060adbbd101d84efcf7b16d6cd00f50490f08fda5080946efa21cdceebe0a4db9faad4b25ab4ca8

Download Submit
C:\Windows\System32\IPicZxi.exe

Filesize
941KB

MD5
f67e3c19e6418c52b13d3bf7301a0773

SHA1
b151f6d7e4218b5806c839c906e5dfe2a6e2a0ec

SHA256
069342ee4d247b2b0fa4b9737e4ca51899004718add78f32fd353d1e2bd4485e

SHA512
aa74ff4c3e3e005959db4601e8a7e21446fd1f7f7e1fa7c0242d15e2a07bc5d07829c7e89470b8b998fabfa29197bfde49e16abf9ba82d88efa74ee54fe2cada

Download Submit
C:\Windows\System32\JFeJKsP.exe

Filesize
938KB

MD5
5e9c2cf5f06ba86d86223caf1191d3a4

SHA1
47ef119f5464085414a8820086190a3e7b60ec6e

SHA256
c68d90099c27b55fc3787fec4a3503808fc77deb7ca24c4883ef6760de0da9bb

SHA512
431dae187388c07d232d28a2976847baab80a02876d7891356cf3bc0d089b85d48cc373ae144001a7442285ed03f30746fe6e889098494529e93841cb134406a

Download Submit
C:\Windows\System32\NUowLrZ.exe

Filesize
943KB

MD5
ee1eb3b9aa8786f93fb0a92f5464fd49

SHA1
a66264a234ab97e3ac1d504ac0b01b4c4f291022

SHA256
ceba946de724aadc58bab96f2e78565fca8e067b88f31f9dea09d9ae5fe6b9e2

SHA512
41762a8b01858e3f76620ea63b7fe2db69a8f78993a7ef736dcff523ee021b545c1cd980a2685a555abea4db34dfb714df2916207cfb3ea91b3eaef1c3fcdddd

Download Submit
C:\Windows\System32\OJRARgU.exe

Filesize
940KB

MD5
4d62364bdacf704d78fed6c2c2cc178d

SHA1
1358625f3f0fb5caec53382c246c97a31677e09a

SHA256
39c6384d82417956f966590f97d390ccba0b665aa1c369583865e66f38c92646

SHA512
fa6443ce36110442396edf9eebfcd853ae65816d41adeb57b5e86379826bb30f9677a93aa66fc47ab02530dbebf08453a2865130d12b52bd3b7f3d7f2431240a

Download Submit
C:\Windows\System32\TJUmbBB.exe

Filesize
941KB

MD5
bfe317a5b2001eb9876f4b8e640e0b0d

SHA1
2b4b69529ab3f459148abc84201601543c11c626

SHA256
7d38ed21051f655204fd6d2a628058dba25980c4cb31d34b2da0432b714b0e3f

SHA512
5c94bb3fbd494b341de0ebf913c5e44404fc1360ea9477bf614f2f8a50c16882521d16af9fe205516d6ed8314f76564e346e61e7b5cb16063200c17531692549

Download Submit
C:\Windows\System32\TuVqZKO.exe

Filesize
937KB

MD5
209617885140ec5180cd750f6b8c8e35

SHA1
81574edaa67299d51ca1edc2cc53a29027676498

SHA256
39a64bd66cfd3b84fa903b7edc95ccc5a15ed2cfb6f8aa6615f1ca54216d8998

SHA512
8a35f1de710c30fc554587981514048b64bee9502902c62e4a58f9bb111cbd024ba34397abdbe0ec0d3e1b4c3b07157a5399f6a806a05611fcea822d39b9fbe2

Download Submit
C:\Windows\System32\WVAeOqq.exe

Filesize
942KB

MD5
d8e78c820bb06fc7a26b2dfed13823fc

SHA1
8648982f057a69f68b689de0d4a4d50ba1101788

SHA256
d806eabeb9f62a4a49e415b958b8440eff9b48a6f870a662873c82008a3eae10

SHA512
97f9f207e14ff32a43b672cd8edbad485a29e27c70abd7025e54b103f8934722239488106fbfaf8664e7c275f2cf59388fe2e85e43b3a69cbaf3ba25bb4c1f9c

Download Submit
C:\Windows\System32\WmTZYCq.exe

Filesize
936KB

MD5
3c61bedb37ccfac7d82ae1ed62721ccf

SHA1
a6c15ad1a39f7d67271bdf2091b8372baca962b6

SHA256
7f8d7ba5ae6326db9773d17ba22d364a638fae6168efe4aa54e03a8836ab1b3c

SHA512
f6f715a5183dc84b0a44edf55482be79d76e7a7044eccfbde090f3a75ce3c6ee22b893b5068f7158efec003f4b6d99de93bcfe14bc6a04c002f2cc5e952ca48a

Download Submit
C:\Windows\System32\XfKDFRL.exe

Filesize
936KB

MD5
3ca25825a566959f7fa895f30b8a6177

SHA1
c05470d60da20437937528b341791f672c900885

SHA256
96b423c31fdca46c91f7dfe2273cac86a256a6312a75cb183faa99e8eea9f4f4

SHA512
b45f438c0ec9f5b028999cd7e34dba4750a9f7727f966482cc42c337889c68a1b869aa9b30d076ea4a990b43afdaddf069e031c864be7ec2fbd4d76472b3abf6

Download Submit
C:\Windows\System32\ZjGooPK.exe

Filesize
938KB

MD5
17522f77e80bface6b30bc5bed92daf2

SHA1
4609a5c83c7b69bf4ae9da401b022d3fdda23eef

SHA256
c0a24166940b5183e39bb37eba9124bf15a12acbc8e0f9c5bcf41f68e8536873

SHA512
52ac7ecff19888b4cee11af9ef32f369e1fcf9155317aba3dcf699ee5f84245e5f78d3a0562ac20cb912bf9892c8549cb5d5622cefc3cb8c34f93b2bf94ca484

Download Submit
C:\Windows\System32\bBpJfRu.exe

Filesize
939KB

MD5
078dbe6d43259e5fc562a4b16d05542f

SHA1
5cad6968fd10eb91a28602dc7e416e9c0747b8db

SHA256
200d86198972e947db91afb782a9fea083ece74c93f6f447af07623283510328

SHA512
2065cd741cd7b401da3b0209d04b5a37176fc05d83c6faca438875d5aaea65beaa574363b90ad5f0a2927fb60a932a09351b1fad5db658ec1a700ee7fa01602f

Download Submit
C:\Windows\System32\cgGDOMD.exe

Filesize
940KB

MD5
150feb13c4080b3937384863c60292a4

SHA1
0d3e547589ad4fcc8696b6be1fc048c46ac5bf44

SHA256
1c48e9365e51b2aaa4680ed82328e78d7dc182b25280be4517c9c2c6831a22de

SHA512
a7085d7b22b6368b15118d25ab17d2ac590c932c84f0eeb3e2e0abcf08b98f6e5caee1846c603e8305c1351034cc599410df1647b8f240fa8048faed4f348df2

Download Submit
C:\Windows\System32\eTPYIFw.exe

Filesize
942KB

MD5
fe47a7aaad9cf8caaf1fb029bf050f33

SHA1
85f0534ffa5b11c1f50e7adf568ac85b3c77638a

SHA256
5b12e056dfa0d4985fbd3de28f5c1c82df002b8a5bf7c679e7e2464161ec75c8

SHA512
71d1e0b8b1ade67606676bf9511627856ee6ebb944653405a915ddb4ce56a21b9cbafcee9397a0cd165a175d16bb8b35efb94a9bb66844fdd56e41b8ab0a225d

Download Submit
C:\Windows\System32\isEsrwM.exe

Filesize
936KB

MD5
71c6e65053c81352e0051d59d8db6de2

SHA1
62cf252cd844fcc3c34e23cbab0b911110786294

SHA256
f105621ec9e2e283f01e0bf8d76baf94aef390f2aa6fea407fbf25e42eec573d

SHA512
a8f26411b8296d98ae63414aae74820afaf04916280d3540ff96b0cebcd3fbf44bba262c51c2f47f7c987c4c9c697df8f8d67bf15912bdfc747d666f902aa6fb

Download Submit
C:\Windows\System32\kGEZWZM.exe

Filesize
937KB

MD5
a13d9b80d72824cb75a4041d874f7545

SHA1
9b3e2ad9309eb0f9559060ce6fde740e3e83c398

SHA256
53a8c14a7e542f13533bcbd47020d7ad9aa37fe9a6925792be72802053c8d9ac

SHA512
985de81df69c35a637c6fbda92aabd9b309cd01de31fc8f2dc51895d506e12b11bbacdb52d911a3c45f3b55ab94061ef5078ac4f26b0e2551452c38264a43333

Download Submit
C:\Windows\System32\lqcAjvq.exe

Filesize
940KB

MD5
f3cf71bea0998333877f64c48d74c607

SHA1
b5545ef1c32d4b42bfdccf7ef74255abd7c869b3

SHA256
3f159548ec6bae9e9f54ec9c2de4b78b2153aa5130a198becb3159f16acd918d

SHA512
585a6d20255b63dc5b4a773f192c80f8ec65f0d52ab4bfb8158285b86a59f9fb0d6f13675c5ba21ad92b150619ab158c7d9787da119112486ed3f0f4b0e5f8d1

Download Submit
C:\Windows\System32\qeetuOw.exe

Filesize
938KB

MD5
95f37fc4da51e8bf9255ff8e4b6606f0

SHA1
2726aa8fae6155d3e66280ee9556a5314dd08586

SHA256
21f5ba683442b955402c7e6b76615796a47ddb64b0cb76d1004d26136256c443

SHA512
9d2f99f990b2f08207164c4b4273571d263376a9177516baf54542f094e77682329c5455f561131148710b49379dcd57140e8812e9d4b42e8e0bc56d1ee45eeb

Download Submit
C:\Windows\System32\rxPMmFJ.exe

Filesize
939KB

MD5
7bc371202bf5aafe687b478c05689255

SHA1
661d312152993fe8cf84b72b396abbb3fbe94765

SHA256
2c33f2e28de6d762b944f89b06dc0042d455917c31de94617b49c026988006fd

SHA512
c093c11fc341e870bcbe445a9d3acda7755b81449c9f4975f83b67b6d8cab65ddc08d91bda9502953091ce41da0f7bd8f078a43a20e611cd67db505dff147c65

Download Submit
C:\Windows\System32\tBRoCuH.exe

Filesize
937KB

MD5
4b62d035f40a1907e4f3790bcb43e8b0

SHA1
60f30fa4194569c1da1bb6247f7988c98e6dff9e

SHA256
f07ca947412597688e0dc08c57d0e31240f0328e98188f4240a841d55ccf9a66

SHA512
00c7bbd90313fc2c496b3d96cfa74076596e1ccb52bdb5994f6a466c2b2eeaabab402556cf307dbab348fed39bee1484d50cda4c0b6b675a73d15a760fc930e9

Download Submit
C:\Windows\System32\tZFLwTc.exe

Filesize
941KB

MD5
c3894e7a98d71d8f324ea312352fd8ce

SHA1
d938e6fe8d2f0b9cb5c66781f534ad19e4035ed9

SHA256
dd20db5305ecef9a2b3d55f8a3efe5fa7ac21e11ef6fd1d6c1acfc39680856af

SHA512
f31abc3ebb6258a7812512bd7c4a5a368778e5d05ae00a74333ecc3b950986783dbd4544553b92378c3b7a6f3bf4219e0a598e7aee3a4a7b9abb1766c956fbf5

Download Submit
C:\Windows\System32\tgZbehR.exe

Filesize
942KB

MD5
9663cc56bf44cb55e60e9fc3522eaef4

SHA1
017cb06911749765ef37802534bd54a9fce12f3f

SHA256
d350b77e818784a8198b4305330be6c4b2235a7b940fc612e7dfa99aeffaaf53

SHA512
6737ffd523999685019b1858cef1ede65fdb14468555fe924f0cd2d4ab5d72229cb9482b5a2c7945598156963caf5e0ea83e1c2102cb78f6755839f87309ffa1

Download Submit
C:\Windows\System32\viGxDtF.exe

Filesize
942KB

MD5
5d874d8281d693e887afacc35ae0407e

SHA1
d3317ee5dfe050178cb41e0d5f5d7f8342a9b6d8

SHA256
fc1c575af2b52fafed51d4948b5e3173e6e5d2d3fe2345996cbbb7a8e053b7b5

SHA512
4009f7ab859ac49eae211a5e9a09883765e12eb8bc0f9d93ee30481bdb1fa33afb8b7de79f416a5b4404fae2fbdb1bd52b6c5f084a91e7f495b4ed8537718443

Download Submit
C:\Windows\System32\vmQcZtp.exe

Filesize
943KB

MD5
2cafe069503b17e270ec4af7013ec125

SHA1
1f2b2be71dd7fc92080475f3f8320931ccf7e3ee

SHA256
83f68ab0593c0bc0e0e0eab00f1e0f8a0f06282729e7f7e85b0c100d993853c6

SHA512
a133383024cccbbda7a06d7fdc1ed88c5af820753a836d844ed00bd919500c08744258321213d9214b45b753b508ffee6e8d16a940ed3adc816958440da002a8

Download Submit
C:\Windows\System32\wkmVvau.exe

Filesize
939KB

MD5
333c0ce86daf67aa0e00c6ef488caa5d

SHA1
3d545c4414eb87456215a7e5576063c843192566

SHA256
fbf7aca0354c4bc8f17622cc430e4d66fd3f658d8d538258c96d999441d9df96

SHA512
13a22ba5e88d8164d77ba21d81b3fc6262ca79a0d1d23f79f8963a1fceb95d2306217d739ad5843a32e6212c2a9bd3cae2615ac49baaa4cf2df3e611c684d42d

Download Submit
C:\Windows\System32\wsuSHel.exe

Filesize
937KB

MD5
1da1732865a2822c5a6bd97c33aa3a0e

SHA1
025b6d14ae72046b0c20ca3b558a8830be999348

SHA256
853f19728ede4c65d6470d84d48cd32f122c0a8f703f2555430ad82a675fd7c5

SHA512
5a918bf1a83a8e92b107248feb4102a20749d630d2c062047a78042e6475b949c782803fa02241b41a0192e7b2ba5e9db0b3d3d8afaf7455a74ad1dd0da2cd7f

Download Submit
C:\Windows\System32\wxSPUOC.exe

Filesize
940KB

MD5
1028567c937d7735f50d7dbc809709ab

SHA1
e7a40eae19e11ac3a4d788b8d91d34698bb75c44

SHA256
1af199b663d5f4705688937a4adb495ebbf683afd0ea3256a773f50311920d61

SHA512
a8057a9b2d1c68b3d31b8011b84514a91139028622ea9d16f9ea4f4dc3fe321852a39f533890ad3d7c87e4e46a06ef72a378124606ebb3f2feef8885dec83082

Download Submit
C:\Windows\System32\xOxHMyL.exe

Filesize
942KB

MD5
d25cf5e64ea1ab4444593974609de39b

SHA1
c57ec171bace6d57738b2a045787447185c20d46

SHA256
75da46d906663e801ab2fd937077faadfa9c3a3d0cce82dfca0de0f06a3e716d

SHA512
40783c3f1f5538a4e9fbfe06933c5fe0b464e6cc810095ef9d44583d5111e8d712cf2cd27ea5d9a9723bd986ce73281165f4151f855e8d51c5c0e3590f87fd98

Download Submit
memory/216-350-0x00007FF654C10000-0x00007FF655001000-memory.dmp

Filesize
3.9MB

Download
memory/216-2080-0x00007FF654C10000-0x00007FF655001000-memory.dmp

Filesize
3.9MB

Download
memory/224-332-0x00007FF7C68D0000-0x00007FF7C6CC1000-memory.dmp

Filesize
3.9MB

Download
memory/224-2059-0x00007FF7C68D0000-0x00007FF7C6CC1000-memory.dmp

Filesize
3.9MB

Download
memory/1108-352-0x00007FF768AB0000-0x00007FF768EA1000-memory.dmp

Filesize
3.9MB

Download
memory/1108-2070-0x00007FF768AB0000-0x00007FF768EA1000-memory.dmp

Filesize
3.9MB

Download
memory/1320-2098-0x00007FF6BBB50000-0x00007FF6BBF41000-memory.dmp

Filesize
3.9MB

Download
memory/1320-388-0x00007FF6BBB50000-0x00007FF6BBF41000-memory.dmp

Filesize
3.9MB

Download
memory/1556-2092-0x00007FF60C5D0000-0x00007FF60C9C1000-memory.dmp

Filesize
3.9MB

Download
memory/1556-383-0x00007FF60C5D0000-0x00007FF60C9C1000-memory.dmp

Filesize
3.9MB

Download
memory/1588-30-0x00007FF7BEDC0000-0x00007FF7BF1B1000-memory.dmp

Filesize
3.9MB

Download
memory/1588-2066-0x00007FF7BEDC0000-0x00007FF7BF1B1000-memory.dmp

Filesize
3.9MB

Download
memory/1588-1997-0x00007FF7BEDC0000-0x00007FF7BF1B1000-memory.dmp

Filesize
3.9MB

Download
memory/1708-366-0x00007FF6E6A30000-0x00007FF6E6E21000-memory.dmp

Filesize
3.9MB

Download
memory/1708-2079-0x00007FF6E6A30000-0x00007FF6E6E21000-memory.dmp

Filesize
3.9MB

Download
memory/1916-333-0x00007FF671650000-0x00007FF671A41000-memory.dmp

Filesize
3.9MB

Download
memory/1916-2068-0x00007FF671650000-0x00007FF671A41000-memory.dmp

Filesize
3.9MB

Download
memory/1948-2064-0x00007FF728840000-0x00007FF728C31000-memory.dmp

Filesize
3.9MB

Download
memory/1948-343-0x00007FF728840000-0x00007FF728C31000-memory.dmp

Filesize
3.9MB

Download
memory/2316-348-0x00007FF79EAA0000-0x00007FF79EE91000-memory.dmp

Filesize
3.9MB

Download
memory/2316-2072-0x00007FF79EAA0000-0x00007FF79EE91000-memory.dmp

Filesize
3.9MB

Download
memory/2732-2039-0x00007FF6A79A0000-0x00007FF6A7D91000-memory.dmp

Filesize
3.9MB

Download
memory/2732-27-0x00007FF6A79A0000-0x00007FF6A7D91000-memory.dmp

Filesize
3.9MB

Download
memory/2868-358-0x00007FF694700000-0x00007FF694AF1000-memory.dmp

Filesize
3.9MB

Download
memory/2868-2074-0x00007FF694700000-0x00007FF694AF1000-memory.dmp

Filesize
3.9MB

Download
memory/2880-2056-0x00007FF7E56B0000-0x00007FF7E5AA1000-memory.dmp

Filesize
3.9MB

Download
memory/2880-328-0x00007FF7E56B0000-0x00007FF7E5AA1000-memory.dmp

Filesize
3.9MB

Download
memory/3148-0-0x00007FF7CE2C0000-0x00007FF7CE6B1000-memory.dmp

Filesize
3.9MB

Download
memory/3148-1-0x00000215AADC0000-0x00000215AADD0000-memory.dmp

Filesize
64KB

Download
memory/3196-2018-0x00007FF7BFF70000-0x00007FF7C0361000-memory.dmp

Filesize
3.9MB

Download
memory/3196-1995-0x00007FF7BFF70000-0x00007FF7C0361000-memory.dmp

Filesize
3.9MB

Download
memory/3196-14-0x00007FF7BFF70000-0x00007FF7C0361000-memory.dmp

Filesize
3.9MB

Download
memory/3248-26-0x00007FF6FF680000-0x00007FF6FFA71000-memory.dmp

Filesize
3.9MB

Download
memory/3248-2041-0x00007FF6FF680000-0x00007FF6FFA71000-memory.dmp

Filesize
3.9MB

Download
memory/3248-1996-0x00007FF6FF680000-0x00007FF6FFA71000-memory.dmp

Filesize
3.9MB

Download
memory/3680-390-0x00007FF6646F0000-0x00007FF664AE1000-memory.dmp

Filesize
3.9MB

Download
memory/3680-2096-0x00007FF6646F0000-0x00007FF664AE1000-memory.dmp

Filesize
3.9MB

Download
memory/4076-2084-0x00007FF618270000-0x00007FF618661000-memory.dmp

Filesize
3.9MB

Download
memory/4076-365-0x00007FF618270000-0x00007FF618661000-memory.dmp

Filesize
3.9MB

Download
memory/4628-372-0x00007FF6D8B90000-0x00007FF6D8F81000-memory.dmp

Filesize
3.9MB

Download
memory/4628-2083-0x00007FF6D8B90000-0x00007FF6D8F81000-memory.dmp

Filesize
3.9MB

Download
memory/4684-2062-0x00007FF6C66B0000-0x00007FF6C6AA1000-memory.dmp

Filesize
3.9MB

Download
memory/4684-323-0x00007FF6C66B0000-0x00007FF6C6AA1000-memory.dmp

Filesize
3.9MB

Download
memory/4684-2012-0x00007FF6C66B0000-0x00007FF6C6AA1000-memory.dmp

Filesize
3.9MB

Download
memory/4780-2086-0x00007FF65DD90000-0x00007FF65E181000-memory.dmp

Filesize
3.9MB

Download
memory/4780-377-0x00007FF65DD90000-0x00007FF65E181000-memory.dmp

Filesize
3.9MB

Download
memory/4980-2090-0x00007FF6492E0000-0x00007FF6496D1000-memory.dmp

Filesize
3.9MB

Download
memory/4980-371-0x00007FF6492E0000-0x00007FF6496D1000-memory.dmp

Filesize
3.9MB

Download
memory/5008-2088-0x00007FF673BF0000-0x00007FF673FE1000-memory.dmp

Filesize
3.9MB

Download
memory/5008-374-0x00007FF673BF0000-0x00007FF673FE1000-memory.dmp

Filesize
3.9MB

Download
memory/5024-2077-0x00007FF65CE20000-0x00007FF65D211000-memory.dmp

Filesize
3.9MB

Download
memory/5024-360-0x00007FF65CE20000-0x00007FF65D211000-memory.dmp

Filesize
3.9MB

Download
memory/5040-2060-0x00007FF754330000-0x00007FF754721000-memory.dmp

Filesize
3.9MB

Download
memory/5040-392-0x00007FF754330000-0x00007FF754721000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads