xmrig | 9d0ef54ad592f60f25e5cb84720010c459e23b16bce5ca9a0ecde5c07980c533

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 11:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a09496fcf130d9f9d8a741396531aa90N.exe
Size

3.0MB
MD5

a09496fcf130d9f9d8a741396531aa90
SHA1

b975a313b8465ba4bf8536c334fe775f5e497f11
SHA256

9d0ef54ad592f60f25e5cb84720010c459e23b16bce5ca9a0ecde5c07980c533
SHA512

c78bee3393064049a7c80f16319a9a478c309911e5f87873317816a427d95c0679fe64ae56fe312fb4125fe8b4a3b724c32d0f4c354f256f7ae3851df596d3ca
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8Dze7jcqDrUS1querR:w0GnJMOWPClFdx6e0EALKWVTffZiPAcj

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/400-0-0x00007FF73B9A0000-0x00007FF73BD95000-memory.dmp	xmrig
behavioral2/files/0x0008000000023493-5.dat	xmrig
behavioral2/memory/2112-8-0x00007FF68DA20000-0x00007FF68DE15000-memory.dmp	xmrig
behavioral2/files/0x0007000000023497-10.dat	xmrig
behavioral2/files/0x0007000000023498-11.dat	xmrig
behavioral2/files/0x0007000000023499-22.dat	xmrig
behavioral2/memory/4572-21-0x00007FF72B730000-0x00007FF72BB25000-memory.dmp	xmrig
behavioral2/memory/4116-27-0x00007FF68D130000-0x00007FF68D525000-memory.dmp	xmrig
behavioral2/files/0x000700000002349b-31.dat	xmrig
behavioral2/files/0x000700000002349c-38.dat	xmrig
behavioral2/files/0x000700000002349e-50.dat	xmrig
behavioral2/files/0x000700000002349f-55.dat	xmrig
behavioral2/files/0x00070000000234a1-65.dat	xmrig
behavioral2/files/0x00070000000234a4-80.dat	xmrig
behavioral2/files/0x00070000000234a7-95.dat	xmrig
behavioral2/files/0x00070000000234a9-103.dat	xmrig
behavioral2/files/0x00070000000234ae-130.dat	xmrig
behavioral2/files/0x00070000000234b3-155.dat	xmrig
behavioral2/memory/2008-694-0x00007FF6E3670000-0x00007FF6E3A65000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b5-165.dat	xmrig
behavioral2/memory/3428-695-0x00007FF67E970000-0x00007FF67ED65000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b4-160.dat	xmrig
behavioral2/files/0x00070000000234b2-150.dat	xmrig
behavioral2/files/0x00070000000234b1-145.dat	xmrig
behavioral2/files/0x00070000000234b0-140.dat	xmrig
behavioral2/files/0x00070000000234af-135.dat	xmrig
behavioral2/files/0x00070000000234ad-125.dat	xmrig
behavioral2/files/0x00070000000234ac-120.dat	xmrig
behavioral2/files/0x00070000000234ab-115.dat	xmrig
behavioral2/files/0x00070000000234aa-110.dat	xmrig
behavioral2/files/0x00070000000234a8-100.dat	xmrig
behavioral2/files/0x00070000000234a6-90.dat	xmrig
behavioral2/files/0x00070000000234a5-85.dat	xmrig
behavioral2/files/0x00070000000234a3-75.dat	xmrig
behavioral2/files/0x00070000000234a2-70.dat	xmrig
behavioral2/files/0x00070000000234a0-60.dat	xmrig
behavioral2/files/0x000700000002349d-45.dat	xmrig
behavioral2/files/0x000700000002349a-33.dat	xmrig
behavioral2/memory/212-14-0x00007FF7175E0000-0x00007FF7179D5000-memory.dmp	xmrig
behavioral2/memory/2200-697-0x00007FF7C4610000-0x00007FF7C4A05000-memory.dmp	xmrig
behavioral2/memory/1756-696-0x00007FF7B2480000-0x00007FF7B2875000-memory.dmp	xmrig
behavioral2/memory/3184-698-0x00007FF68FEA0000-0x00007FF690295000-memory.dmp	xmrig
behavioral2/memory/2528-699-0x00007FF6BC780000-0x00007FF6BCB75000-memory.dmp	xmrig
behavioral2/memory/224-700-0x00007FF6CD6C0000-0x00007FF6CDAB5000-memory.dmp	xmrig
behavioral2/memory/4012-702-0x00007FF730920000-0x00007FF730D15000-memory.dmp	xmrig
behavioral2/memory/1772-707-0x00007FF7CFF80000-0x00007FF7D0375000-memory.dmp	xmrig
behavioral2/memory/1848-709-0x00007FF6E6A50000-0x00007FF6E6E45000-memory.dmp	xmrig
behavioral2/memory/3048-711-0x00007FF64F310000-0x00007FF64F705000-memory.dmp	xmrig
behavioral2/memory/1612-725-0x00007FF69A470000-0x00007FF69A865000-memory.dmp	xmrig
behavioral2/memory/4120-722-0x00007FF6B3210000-0x00007FF6B3605000-memory.dmp	xmrig
behavioral2/memory/2596-720-0x00007FF727FD0000-0x00007FF7283C5000-memory.dmp	xmrig
behavioral2/memory/4932-731-0x00007FF7CF1E0000-0x00007FF7CF5D5000-memory.dmp	xmrig
behavioral2/memory/1908-735-0x00007FF7EF480000-0x00007FF7EF875000-memory.dmp	xmrig
behavioral2/memory/3320-730-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp	xmrig
behavioral2/memory/1376-751-0x00007FF6E8AE0000-0x00007FF6E8ED5000-memory.dmp	xmrig
behavioral2/memory/3512-750-0x00007FF666B40000-0x00007FF666F35000-memory.dmp	xmrig
behavioral2/memory/1068-745-0x00007FF7BD5C0000-0x00007FF7BD9B5000-memory.dmp	xmrig
behavioral2/memory/400-1079-0x00007FF73B9A0000-0x00007FF73BD95000-memory.dmp	xmrig
behavioral2/memory/2112-1186-0x00007FF68DA20000-0x00007FF68DE15000-memory.dmp	xmrig
behavioral2/memory/212-1298-0x00007FF7175E0000-0x00007FF7179D5000-memory.dmp	xmrig
behavioral2/memory/4572-1419-0x00007FF72B730000-0x00007FF72BB25000-memory.dmp	xmrig
behavioral2/memory/4116-1534-0x00007FF68D130000-0x00007FF68D525000-memory.dmp	xmrig
behavioral2/memory/2008-1537-0x00007FF6E3670000-0x00007FF6E3A65000-memory.dmp	xmrig
behavioral2/memory/2112-1972-0x00007FF68DA20000-0x00007FF68DE15000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2112	yKbcfyd.exe
212	QiiaPFZ.exe
4572	VYtBPmA.exe
4116	FhrCoXl.exe
2008	yKQrBQj.exe
3428	BByUXUE.exe
1376	aDrnnyh.exe
1756	EGKKpEA.exe
2200	cjWibfo.exe
3184	HuKIvNl.exe
2528	WQAnlPH.exe
224	IDuVemX.exe
4012	MpEDZEj.exe
1772	WAwVmNH.exe
1848	JzQRjko.exe
3048	GFbKCuI.exe
2596	xWwrOoI.exe
4120	eNNqSqy.exe
1612	LFkzdCQ.exe
3320	znBGCGd.exe
4932	HuNdpmc.exe
1908	vHOJhsY.exe
1068	nyhtswj.exe
3512	RsVJKKr.exe
5024	oPogZes.exe
4668	oKKeprz.exe
3012	Wsraiiq.exe
2800	kmkoZPT.exe
736	YwAhrAs.exe
3200	SCEqIue.exe
4356	hhLXthf.exe
4424	sGLVCmd.exe
2304	CNRXaEt.exe
1964	VSiDQFf.exe
2984	GQUxxYu.exe
5112	vIYRUuR.exe
2860	DeATaWo.exe
2296	MbaChJt.exe
2868	EqeTvBy.exe
4412	WiWqCJc.exe
3112	UYoWPkq.exe
4124	NxsXteN.exe
4956	DOBOFnw.exe
1792	BEjyhqA.exe
3860	UySZaFa.exe
3404	fdJXLRf.exe
2716	dDBInRN.exe
1936	ApOKOwr.exe
4820	dMynTzh.exe
464	RaToYsd.exe
2156	AziFEot.exe
216	HXdsleK.exe
2204	LPzCRJf.exe
3652	OFCNqiv.exe
2416	fNPkNVQ.exe
368	IGuXvtQ.exe
4852	FajEwuQ.exe
3648	dtKMIGd.exe
4360	ihmYACz.exe
3312	hQOhPrt.exe
3080	jqXdAbc.exe
3912	GzIaCTO.exe
968	tcdYnrd.exe
876	CTceMGS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/400-0-0x00007FF73B9A0000-0x00007FF73BD95000-memory.dmp	upx
behavioral2/files/0x0008000000023493-5.dat	upx
behavioral2/memory/2112-8-0x00007FF68DA20000-0x00007FF68DE15000-memory.dmp	upx
behavioral2/files/0x0007000000023497-10.dat	upx
behavioral2/files/0x0007000000023498-11.dat	upx
behavioral2/files/0x0007000000023499-22.dat	upx
behavioral2/memory/4572-21-0x00007FF72B730000-0x00007FF72BB25000-memory.dmp	upx
behavioral2/memory/4116-27-0x00007FF68D130000-0x00007FF68D525000-memory.dmp	upx
behavioral2/files/0x000700000002349b-31.dat	upx
behavioral2/files/0x000700000002349c-38.dat	upx
behavioral2/files/0x000700000002349e-50.dat	upx
behavioral2/files/0x000700000002349f-55.dat	upx
behavioral2/files/0x00070000000234a1-65.dat	upx
behavioral2/files/0x00070000000234a4-80.dat	upx
behavioral2/files/0x00070000000234a7-95.dat	upx
behavioral2/files/0x00070000000234a9-103.dat	upx
behavioral2/files/0x00070000000234ae-130.dat	upx
behavioral2/files/0x00070000000234b3-155.dat	upx
behavioral2/memory/2008-694-0x00007FF6E3670000-0x00007FF6E3A65000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-165.dat	upx
behavioral2/memory/3428-695-0x00007FF67E970000-0x00007FF67ED65000-memory.dmp	upx
behavioral2/files/0x00070000000234b4-160.dat	upx
behavioral2/files/0x00070000000234b2-150.dat	upx
behavioral2/files/0x00070000000234b1-145.dat	upx
behavioral2/files/0x00070000000234b0-140.dat	upx
behavioral2/files/0x00070000000234af-135.dat	upx
behavioral2/files/0x00070000000234ad-125.dat	upx
behavioral2/files/0x00070000000234ac-120.dat	upx
behavioral2/files/0x00070000000234ab-115.dat	upx
behavioral2/files/0x00070000000234aa-110.dat	upx
behavioral2/files/0x00070000000234a8-100.dat	upx
behavioral2/files/0x00070000000234a6-90.dat	upx
behavioral2/files/0x00070000000234a5-85.dat	upx
behavioral2/files/0x00070000000234a3-75.dat	upx
behavioral2/files/0x00070000000234a2-70.dat	upx
behavioral2/files/0x00070000000234a0-60.dat	upx
behavioral2/files/0x000700000002349d-45.dat	upx
behavioral2/files/0x000700000002349a-33.dat	upx
behavioral2/memory/212-14-0x00007FF7175E0000-0x00007FF7179D5000-memory.dmp	upx
behavioral2/memory/2200-697-0x00007FF7C4610000-0x00007FF7C4A05000-memory.dmp	upx
behavioral2/memory/1756-696-0x00007FF7B2480000-0x00007FF7B2875000-memory.dmp	upx
behavioral2/memory/3184-698-0x00007FF68FEA0000-0x00007FF690295000-memory.dmp	upx
behavioral2/memory/2528-699-0x00007FF6BC780000-0x00007FF6BCB75000-memory.dmp	upx
behavioral2/memory/224-700-0x00007FF6CD6C0000-0x00007FF6CDAB5000-memory.dmp	upx
behavioral2/memory/4012-702-0x00007FF730920000-0x00007FF730D15000-memory.dmp	upx
behavioral2/memory/1772-707-0x00007FF7CFF80000-0x00007FF7D0375000-memory.dmp	upx
behavioral2/memory/1848-709-0x00007FF6E6A50000-0x00007FF6E6E45000-memory.dmp	upx
behavioral2/memory/3048-711-0x00007FF64F310000-0x00007FF64F705000-memory.dmp	upx
behavioral2/memory/1612-725-0x00007FF69A470000-0x00007FF69A865000-memory.dmp	upx
behavioral2/memory/4120-722-0x00007FF6B3210000-0x00007FF6B3605000-memory.dmp	upx
behavioral2/memory/2596-720-0x00007FF727FD0000-0x00007FF7283C5000-memory.dmp	upx
behavioral2/memory/4932-731-0x00007FF7CF1E0000-0x00007FF7CF5D5000-memory.dmp	upx
behavioral2/memory/1908-735-0x00007FF7EF480000-0x00007FF7EF875000-memory.dmp	upx
behavioral2/memory/3320-730-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp	upx
behavioral2/memory/1376-751-0x00007FF6E8AE0000-0x00007FF6E8ED5000-memory.dmp	upx
behavioral2/memory/3512-750-0x00007FF666B40000-0x00007FF666F35000-memory.dmp	upx
behavioral2/memory/1068-745-0x00007FF7BD5C0000-0x00007FF7BD9B5000-memory.dmp	upx
behavioral2/memory/400-1079-0x00007FF73B9A0000-0x00007FF73BD95000-memory.dmp	upx
behavioral2/memory/2112-1186-0x00007FF68DA20000-0x00007FF68DE15000-memory.dmp	upx
behavioral2/memory/212-1298-0x00007FF7175E0000-0x00007FF7179D5000-memory.dmp	upx
behavioral2/memory/4572-1419-0x00007FF72B730000-0x00007FF72BB25000-memory.dmp	upx
behavioral2/memory/4116-1534-0x00007FF68D130000-0x00007FF68D525000-memory.dmp	upx
behavioral2/memory/2008-1537-0x00007FF6E3670000-0x00007FF6E3A65000-memory.dmp	upx
behavioral2/memory/2112-1972-0x00007FF68DA20000-0x00007FF68DE15000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\cuKLrqM.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\tXAXmfJ.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\iuNWLFa.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\aykZKod.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\RaToYsd.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\ikAmsNE.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\EYYuvxn.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\yIhDtUF.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\sweyGuG.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\easEsho.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\DdZcnnn.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\PNwgfcD.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\dMynTzh.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\vgkPBeA.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\DLWKvfQ.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\vNTMiQv.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\mCpbNqs.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\YSdjpWz.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\vkSnWSG.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\exfzFCK.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\TvJLKYv.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\OJWYxFJ.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\QFINfCR.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\CNRXaEt.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\ytZdrMA.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\lOpSNJE.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\lCYDXIv.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\pUmdKur.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\CBNpQIA.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\JlYkPTf.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\erjPsaC.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\HWpSVqn.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\nviqOPO.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\OaTDsvW.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\VHkuUvh.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\aOnwGAY.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\GFbKCuI.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\DOBOFnw.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\ZBwFPVM.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\BnlIZzX.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\EgzDwiv.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\WuhWRzX.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\bVmEarf.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\nlMuXad.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\XYXRnLZ.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\BByUXUE.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\BwRMEce.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\ekYUkhQ.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\UnYSxqz.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\hreXaZv.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\HuKIvNl.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\HuNdpmc.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\ZdukkEk.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\mnLgSag.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\IuSYVSX.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\LkgwrkK.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\aCvaQGR.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\ZinPjqV.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\XvIBZFN.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\AziFEot.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\HXdsleK.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\FQCyVDA.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\JVCadMq.exe	a09496fcf130d9f9d8a741396531aa90N.exe
File created	C:\Windows\System32\aZLjIFQ.exe	a09496fcf130d9f9d8a741396531aa90N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13752	dwm.exe
Token: SeChangeNotifyPrivilege	13752	dwm.exe
Token: 33	13752	dwm.exe
Token: SeIncBasePriorityPrivilege	13752	dwm.exe
Token: SeShutdownPrivilege	13752	dwm.exe
Token: SeCreatePagefilePrivilege	13752	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2112	400	a09496fcf130d9f9d8a741396531aa90N.exe	87
PID 400 wrote to memory of 2112	400	a09496fcf130d9f9d8a741396531aa90N.exe	87
PID 400 wrote to memory of 212	400	a09496fcf130d9f9d8a741396531aa90N.exe	88
PID 400 wrote to memory of 212	400	a09496fcf130d9f9d8a741396531aa90N.exe	88
PID 400 wrote to memory of 4572	400	a09496fcf130d9f9d8a741396531aa90N.exe	89
PID 400 wrote to memory of 4572	400	a09496fcf130d9f9d8a741396531aa90N.exe	89
PID 400 wrote to memory of 4116	400	a09496fcf130d9f9d8a741396531aa90N.exe	90
PID 400 wrote to memory of 4116	400	a09496fcf130d9f9d8a741396531aa90N.exe	90
PID 400 wrote to memory of 2008	400	a09496fcf130d9f9d8a741396531aa90N.exe	91
PID 400 wrote to memory of 2008	400	a09496fcf130d9f9d8a741396531aa90N.exe	91
PID 400 wrote to memory of 3428	400	a09496fcf130d9f9d8a741396531aa90N.exe	92
PID 400 wrote to memory of 3428	400	a09496fcf130d9f9d8a741396531aa90N.exe	92
PID 400 wrote to memory of 1376	400	a09496fcf130d9f9d8a741396531aa90N.exe	93
PID 400 wrote to memory of 1376	400	a09496fcf130d9f9d8a741396531aa90N.exe	93
PID 400 wrote to memory of 1756	400	a09496fcf130d9f9d8a741396531aa90N.exe	94
PID 400 wrote to memory of 1756	400	a09496fcf130d9f9d8a741396531aa90N.exe	94
PID 400 wrote to memory of 2200	400	a09496fcf130d9f9d8a741396531aa90N.exe	95
PID 400 wrote to memory of 2200	400	a09496fcf130d9f9d8a741396531aa90N.exe	95
PID 400 wrote to memory of 3184	400	a09496fcf130d9f9d8a741396531aa90N.exe	96
PID 400 wrote to memory of 3184	400	a09496fcf130d9f9d8a741396531aa90N.exe	96
PID 400 wrote to memory of 2528	400	a09496fcf130d9f9d8a741396531aa90N.exe	97
PID 400 wrote to memory of 2528	400	a09496fcf130d9f9d8a741396531aa90N.exe	97
PID 400 wrote to memory of 224	400	a09496fcf130d9f9d8a741396531aa90N.exe	98
PID 400 wrote to memory of 224	400	a09496fcf130d9f9d8a741396531aa90N.exe	98
PID 400 wrote to memory of 4012	400	a09496fcf130d9f9d8a741396531aa90N.exe	99
PID 400 wrote to memory of 4012	400	a09496fcf130d9f9d8a741396531aa90N.exe	99
PID 400 wrote to memory of 1772	400	a09496fcf130d9f9d8a741396531aa90N.exe	100
PID 400 wrote to memory of 1772	400	a09496fcf130d9f9d8a741396531aa90N.exe	100
PID 400 wrote to memory of 1848	400	a09496fcf130d9f9d8a741396531aa90N.exe	101
PID 400 wrote to memory of 1848	400	a09496fcf130d9f9d8a741396531aa90N.exe	101
PID 400 wrote to memory of 3048	400	a09496fcf130d9f9d8a741396531aa90N.exe	102
PID 400 wrote to memory of 3048	400	a09496fcf130d9f9d8a741396531aa90N.exe	102
PID 400 wrote to memory of 2596	400	a09496fcf130d9f9d8a741396531aa90N.exe	103
PID 400 wrote to memory of 2596	400	a09496fcf130d9f9d8a741396531aa90N.exe	103
PID 400 wrote to memory of 4120	400	a09496fcf130d9f9d8a741396531aa90N.exe	104
PID 400 wrote to memory of 4120	400	a09496fcf130d9f9d8a741396531aa90N.exe	104
PID 400 wrote to memory of 1612	400	a09496fcf130d9f9d8a741396531aa90N.exe	105
PID 400 wrote to memory of 1612	400	a09496fcf130d9f9d8a741396531aa90N.exe	105
PID 400 wrote to memory of 3320	400	a09496fcf130d9f9d8a741396531aa90N.exe	106
PID 400 wrote to memory of 3320	400	a09496fcf130d9f9d8a741396531aa90N.exe	106
PID 400 wrote to memory of 4932	400	a09496fcf130d9f9d8a741396531aa90N.exe	107
PID 400 wrote to memory of 4932	400	a09496fcf130d9f9d8a741396531aa90N.exe	107
PID 400 wrote to memory of 1908	400	a09496fcf130d9f9d8a741396531aa90N.exe	108
PID 400 wrote to memory of 1908	400	a09496fcf130d9f9d8a741396531aa90N.exe	108
PID 400 wrote to memory of 1068	400	a09496fcf130d9f9d8a741396531aa90N.exe	109
PID 400 wrote to memory of 1068	400	a09496fcf130d9f9d8a741396531aa90N.exe	109
PID 400 wrote to memory of 3512	400	a09496fcf130d9f9d8a741396531aa90N.exe	110
PID 400 wrote to memory of 3512	400	a09496fcf130d9f9d8a741396531aa90N.exe	110
PID 400 wrote to memory of 5024	400	a09496fcf130d9f9d8a741396531aa90N.exe	111
PID 400 wrote to memory of 5024	400	a09496fcf130d9f9d8a741396531aa90N.exe	111
PID 400 wrote to memory of 4668	400	a09496fcf130d9f9d8a741396531aa90N.exe	112
PID 400 wrote to memory of 4668	400	a09496fcf130d9f9d8a741396531aa90N.exe	112
PID 400 wrote to memory of 3012	400	a09496fcf130d9f9d8a741396531aa90N.exe	113
PID 400 wrote to memory of 3012	400	a09496fcf130d9f9d8a741396531aa90N.exe	113
PID 400 wrote to memory of 2800	400	a09496fcf130d9f9d8a741396531aa90N.exe	114
PID 400 wrote to memory of 2800	400	a09496fcf130d9f9d8a741396531aa90N.exe	114
PID 400 wrote to memory of 736	400	a09496fcf130d9f9d8a741396531aa90N.exe	115
PID 400 wrote to memory of 736	400	a09496fcf130d9f9d8a741396531aa90N.exe	115
PID 400 wrote to memory of 3200	400	a09496fcf130d9f9d8a741396531aa90N.exe	116
PID 400 wrote to memory of 3200	400	a09496fcf130d9f9d8a741396531aa90N.exe	116
PID 400 wrote to memory of 4356	400	a09496fcf130d9f9d8a741396531aa90N.exe	117
PID 400 wrote to memory of 4356	400	a09496fcf130d9f9d8a741396531aa90N.exe	117
PID 400 wrote to memory of 4424	400	a09496fcf130d9f9d8a741396531aa90N.exe	118
PID 400 wrote to memory of 4424	400	a09496fcf130d9f9d8a741396531aa90N.exe	118

C:\Users\Admin\AppData\Local\Temp\a09496fcf130d9f9d8a741396531aa90N.exe
"C:\Users\Admin\AppData\Local\Temp\a09496fcf130d9f9d8a741396531aa90N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\System32\yKbcfyd.exe
  C:\Windows\System32\yKbcfyd.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System32\QiiaPFZ.exe
  C:\Windows\System32\QiiaPFZ.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System32\VYtBPmA.exe
  C:\Windows\System32\VYtBPmA.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\FhrCoXl.exe
  C:\Windows\System32\FhrCoXl.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System32\yKQrBQj.exe
  C:\Windows\System32\yKQrBQj.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System32\BByUXUE.exe
  C:\Windows\System32\BByUXUE.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System32\aDrnnyh.exe
  C:\Windows\System32\aDrnnyh.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\EGKKpEA.exe
  C:\Windows\System32\EGKKpEA.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\cjWibfo.exe
  C:\Windows\System32\cjWibfo.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System32\HuKIvNl.exe
  C:\Windows\System32\HuKIvNl.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\WQAnlPH.exe
  C:\Windows\System32\WQAnlPH.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System32\IDuVemX.exe
  C:\Windows\System32\IDuVemX.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System32\MpEDZEj.exe
  C:\Windows\System32\MpEDZEj.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System32\WAwVmNH.exe
  C:\Windows\System32\WAwVmNH.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System32\JzQRjko.exe
  C:\Windows\System32\JzQRjko.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System32\GFbKCuI.exe
  C:\Windows\System32\GFbKCuI.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System32\xWwrOoI.exe
  C:\Windows\System32\xWwrOoI.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\eNNqSqy.exe
  C:\Windows\System32\eNNqSqy.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\LFkzdCQ.exe
  C:\Windows\System32\LFkzdCQ.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System32\znBGCGd.exe
  C:\Windows\System32\znBGCGd.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System32\HuNdpmc.exe
  C:\Windows\System32\HuNdpmc.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\vHOJhsY.exe
  C:\Windows\System32\vHOJhsY.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System32\nyhtswj.exe
  C:\Windows\System32\nyhtswj.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System32\RsVJKKr.exe
  C:\Windows\System32\RsVJKKr.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\oPogZes.exe
  C:\Windows\System32\oPogZes.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System32\oKKeprz.exe
  C:\Windows\System32\oKKeprz.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\Wsraiiq.exe
  C:\Windows\System32\Wsraiiq.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System32\kmkoZPT.exe
  C:\Windows\System32\kmkoZPT.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\YwAhrAs.exe
  C:\Windows\System32\YwAhrAs.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System32\SCEqIue.exe
  C:\Windows\System32\SCEqIue.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System32\hhLXthf.exe
  C:\Windows\System32\hhLXthf.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\sGLVCmd.exe
  C:\Windows\System32\sGLVCmd.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\CNRXaEt.exe
  C:\Windows\System32\CNRXaEt.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System32\VSiDQFf.exe
  C:\Windows\System32\VSiDQFf.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System32\GQUxxYu.exe
  C:\Windows\System32\GQUxxYu.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\vIYRUuR.exe
  C:\Windows\System32\vIYRUuR.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\DeATaWo.exe
  C:\Windows\System32\DeATaWo.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System32\MbaChJt.exe
  C:\Windows\System32\MbaChJt.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\EqeTvBy.exe
  C:\Windows\System32\EqeTvBy.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\WiWqCJc.exe
  C:\Windows\System32\WiWqCJc.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\UYoWPkq.exe
  C:\Windows\System32\UYoWPkq.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\NxsXteN.exe
  C:\Windows\System32\NxsXteN.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System32\DOBOFnw.exe
  C:\Windows\System32\DOBOFnw.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\BEjyhqA.exe
  C:\Windows\System32\BEjyhqA.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System32\UySZaFa.exe
  C:\Windows\System32\UySZaFa.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System32\fdJXLRf.exe
  C:\Windows\System32\fdJXLRf.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System32\dDBInRN.exe
  C:\Windows\System32\dDBInRN.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System32\ApOKOwr.exe
  C:\Windows\System32\ApOKOwr.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System32\dMynTzh.exe
  C:\Windows\System32\dMynTzh.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System32\RaToYsd.exe
  C:\Windows\System32\RaToYsd.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System32\AziFEot.exe
  C:\Windows\System32\AziFEot.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System32\HXdsleK.exe
  C:\Windows\System32\HXdsleK.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System32\LPzCRJf.exe
  C:\Windows\System32\LPzCRJf.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System32\OFCNqiv.exe
  C:\Windows\System32\OFCNqiv.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\fNPkNVQ.exe
  C:\Windows\System32\fNPkNVQ.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\IGuXvtQ.exe
  C:\Windows\System32\IGuXvtQ.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System32\FajEwuQ.exe
  C:\Windows\System32\FajEwuQ.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\dtKMIGd.exe
  C:\Windows\System32\dtKMIGd.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System32\ihmYACz.exe
  C:\Windows\System32\ihmYACz.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\hQOhPrt.exe
  C:\Windows\System32\hQOhPrt.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System32\jqXdAbc.exe
  C:\Windows\System32\jqXdAbc.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\GzIaCTO.exe
  C:\Windows\System32\GzIaCTO.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System32\tcdYnrd.exe
  C:\Windows\System32\tcdYnrd.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System32\CTceMGS.exe
  C:\Windows\System32\CTceMGS.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\jcpCLRA.exe
  C:\Windows\System32\jcpCLRA.exe
  2⤵
  PID:1552
- C:\Windows\System32\MZZGwOQ.exe
  C:\Windows\System32\MZZGwOQ.exe
  2⤵
  PID:3124
- C:\Windows\System32\VTrgRpc.exe
  C:\Windows\System32\VTrgRpc.exe
  2⤵
  PID:3680
- C:\Windows\System32\HIkJVvf.exe
  C:\Windows\System32\HIkJVvf.exe
  2⤵
  PID:3756
- C:\Windows\System32\YNFGRcH.exe
  C:\Windows\System32\YNFGRcH.exe
  2⤵
  PID:3748
- C:\Windows\System32\UXQkBpZ.exe
  C:\Windows\System32\UXQkBpZ.exe
  2⤵
  PID:4328
- C:\Windows\System32\aoTTETA.exe
  C:\Windows\System32\aoTTETA.exe
  2⤵
  PID:228
- C:\Windows\System32\PIvISBx.exe
  C:\Windows\System32\PIvISBx.exe
  2⤵
  PID:2520
- C:\Windows\System32\LHhDCFc.exe
  C:\Windows\System32\LHhDCFc.exe
  2⤵
  PID:1196
- C:\Windows\System32\PRGyqGB.exe
  C:\Windows\System32\PRGyqGB.exe
  2⤵
  PID:4988
- C:\Windows\System32\MioEDzG.exe
  C:\Windows\System32\MioEDzG.exe
  2⤵
  PID:2044
- C:\Windows\System32\dQKeExn.exe
  C:\Windows\System32\dQKeExn.exe
  2⤵
  PID:4444
- C:\Windows\System32\iKDzIjk.exe
  C:\Windows\System32\iKDzIjk.exe
  2⤵
  PID:376
- C:\Windows\System32\uoyHzlU.exe
  C:\Windows\System32\uoyHzlU.exe
  2⤵
  PID:4188
- C:\Windows\System32\sweyGuG.exe
  C:\Windows\System32\sweyGuG.exe
  2⤵
  PID:3604
- C:\Windows\System32\xdojION.exe
  C:\Windows\System32\xdojION.exe
  2⤵
  PID:5144
- C:\Windows\System32\MhZDkKT.exe
  C:\Windows\System32\MhZDkKT.exe
  2⤵
  PID:5160
- C:\Windows\System32\gYxDixu.exe
  C:\Windows\System32\gYxDixu.exe
  2⤵
  PID:5200
- C:\Windows\System32\AGgIAmb.exe
  C:\Windows\System32\AGgIAmb.exe
  2⤵
  PID:5216
- C:\Windows\System32\RCwUUsJ.exe
  C:\Windows\System32\RCwUUsJ.exe
  2⤵
  PID:5244
- C:\Windows\System32\uQOfEDb.exe
  C:\Windows\System32\uQOfEDb.exe
  2⤵
  PID:5280
- C:\Windows\System32\MjEHqda.exe
  C:\Windows\System32\MjEHqda.exe
  2⤵
  PID:5300
- C:\Windows\System32\SRhUBiY.exe
  C:\Windows\System32\SRhUBiY.exe
  2⤵
  PID:5328
- C:\Windows\System32\KDCvCqE.exe
  C:\Windows\System32\KDCvCqE.exe
  2⤵
  PID:5368
- C:\Windows\System32\upvsMNp.exe
  C:\Windows\System32\upvsMNp.exe
  2⤵
  PID:5384
- C:\Windows\System32\QSUpkll.exe
  C:\Windows\System32\QSUpkll.exe
  2⤵
  PID:5424
- C:\Windows\System32\sjkPYNy.exe
  C:\Windows\System32\sjkPYNy.exe
  2⤵
  PID:5440
- C:\Windows\System32\MdAIfHs.exe
  C:\Windows\System32\MdAIfHs.exe
  2⤵
  PID:5480
- C:\Windows\System32\xpCJamu.exe
  C:\Windows\System32\xpCJamu.exe
  2⤵
  PID:5496
- C:\Windows\System32\FQCyVDA.exe
  C:\Windows\System32\FQCyVDA.exe
  2⤵
  PID:5524
- C:\Windows\System32\iMpebAF.exe
  C:\Windows\System32\iMpebAF.exe
  2⤵
  PID:5552
- C:\Windows\System32\oxqCnMF.exe
  C:\Windows\System32\oxqCnMF.exe
  2⤵
  PID:5592
- C:\Windows\System32\pHYWxcS.exe
  C:\Windows\System32\pHYWxcS.exe
  2⤵
  PID:5608
- C:\Windows\System32\dIgZqpV.exe
  C:\Windows\System32\dIgZqpV.exe
  2⤵
  PID:5636
- C:\Windows\System32\WRkWrPO.exe
  C:\Windows\System32\WRkWrPO.exe
  2⤵
  PID:5676
- C:\Windows\System32\jUfpRPl.exe
  C:\Windows\System32\jUfpRPl.exe
  2⤵
  PID:5692
- C:\Windows\System32\CpNfZet.exe
  C:\Windows\System32\CpNfZet.exe
  2⤵
  PID:5732
- C:\Windows\System32\tXBjOFc.exe
  C:\Windows\System32\tXBjOFc.exe
  2⤵
  PID:5748
- C:\Windows\System32\QyhrmGR.exe
  C:\Windows\System32\QyhrmGR.exe
  2⤵
  PID:5788
- C:\Windows\System32\EYYuvxn.exe
  C:\Windows\System32\EYYuvxn.exe
  2⤵
  PID:5804
- C:\Windows\System32\IrtGEau.exe
  C:\Windows\System32\IrtGEau.exe
  2⤵
  PID:5844
- C:\Windows\System32\fMYdGha.exe
  C:\Windows\System32\fMYdGha.exe
  2⤵
  PID:5860
- C:\Windows\System32\ugZHVYv.exe
  C:\Windows\System32\ugZHVYv.exe
  2⤵
  PID:5888
- C:\Windows\System32\aDOethJ.exe
  C:\Windows\System32\aDOethJ.exe
  2⤵
  PID:5928
- C:\Windows\System32\uJGjJzu.exe
  C:\Windows\System32\uJGjJzu.exe
  2⤵
  PID:5944
- C:\Windows\System32\XAOEmWg.exe
  C:\Windows\System32\XAOEmWg.exe
  2⤵
  PID:5972
- C:\Windows\System32\jhwTxxp.exe
  C:\Windows\System32\jhwTxxp.exe
  2⤵
  PID:6000
- C:\Windows\System32\oBqsuCF.exe
  C:\Windows\System32\oBqsuCF.exe
  2⤵
  PID:6028
- C:\Windows\System32\Cgshwvy.exe
  C:\Windows\System32\Cgshwvy.exe
  2⤵
  PID:6068
- C:\Windows\System32\vgkPBeA.exe
  C:\Windows\System32\vgkPBeA.exe
  2⤵
  PID:6084
- C:\Windows\System32\AijhrHS.exe
  C:\Windows\System32\AijhrHS.exe
  2⤵
  PID:6112
- C:\Windows\System32\PKQwSCV.exe
  C:\Windows\System32\PKQwSCV.exe
  2⤵
  PID:6140
- C:\Windows\System32\cpkdSLQ.exe
  C:\Windows\System32\cpkdSLQ.exe
  2⤵
  PID:3856
- C:\Windows\System32\Caxcuyq.exe
  C:\Windows\System32\Caxcuyq.exe
  2⤵
  PID:4564
- C:\Windows\System32\DLWKvfQ.exe
  C:\Windows\System32\DLWKvfQ.exe
  2⤵
  PID:1072
- C:\Windows\System32\xvpnbBf.exe
  C:\Windows\System32\xvpnbBf.exe
  2⤵
  PID:1540
- C:\Windows\System32\ngVjJmI.exe
  C:\Windows\System32\ngVjJmI.exe
  2⤵
  PID:5184
- C:\Windows\System32\vNTMiQv.exe
  C:\Windows\System32\vNTMiQv.exe
  2⤵
  PID:5240
- C:\Windows\System32\dNvfYKo.exe
  C:\Windows\System32\dNvfYKo.exe
  2⤵
  PID:5292
- C:\Windows\System32\NXBZLLT.exe
  C:\Windows\System32\NXBZLLT.exe
  2⤵
  PID:5396
- C:\Windows\System32\MFfnbcp.exe
  C:\Windows\System32\MFfnbcp.exe
  2⤵
  PID:5432
- C:\Windows\System32\RZqCZQQ.exe
  C:\Windows\System32\RZqCZQQ.exe
  2⤵
  PID:5504
- C:\Windows\System32\pYfIoQh.exe
  C:\Windows\System32\pYfIoQh.exe
  2⤵
  PID:5564
- C:\Windows\System32\nyLPjdL.exe
  C:\Windows\System32\nyLPjdL.exe
  2⤵
  PID:5632
- C:\Windows\System32\BnlIZzX.exe
  C:\Windows\System32\BnlIZzX.exe
  2⤵
  PID:5724
- C:\Windows\System32\btBEdxN.exe
  C:\Windows\System32\btBEdxN.exe
  2⤵
  PID:5760
- C:\Windows\System32\VqAgPeq.exe
  C:\Windows\System32\VqAgPeq.exe
  2⤵
  PID:5828
- C:\Windows\System32\hFLrNTt.exe
  C:\Windows\System32\hFLrNTt.exe
  2⤵
  PID:5904
- C:\Windows\System32\ccTjKtl.exe
  C:\Windows\System32\ccTjKtl.exe
  2⤵
  PID:5996
- C:\Windows\System32\HnkTtje.exe
  C:\Windows\System32\HnkTtje.exe
  2⤵
  PID:6024
- C:\Windows\System32\GjFTwcw.exe
  C:\Windows\System32\GjFTwcw.exe
  2⤵
  PID:6096
- C:\Windows\System32\VQXiDFT.exe
  C:\Windows\System32\VQXiDFT.exe
  2⤵
  PID:4960
- C:\Windows\System32\elpnsXf.exe
  C:\Windows\System32\elpnsXf.exe
  2⤵
  PID:2404
- C:\Windows\System32\pUmdKur.exe
  C:\Windows\System32\pUmdKur.exe
  2⤵
  PID:5212
- C:\Windows\System32\VUkdpNH.exe
  C:\Windows\System32\VUkdpNH.exe
  2⤵
  PID:5416
- C:\Windows\System32\nuLiiIo.exe
  C:\Windows\System32\nuLiiIo.exe
  2⤵
  PID:5488
- C:\Windows\System32\PsZrUwP.exe
  C:\Windows\System32\PsZrUwP.exe
  2⤵
  PID:5660
- C:\Windows\System32\nuBbvuw.exe
  C:\Windows\System32\nuBbvuw.exe
  2⤵
  PID:5764
- C:\Windows\System32\hoamktU.exe
  C:\Windows\System32\hoamktU.exe
  2⤵
  PID:5956
- C:\Windows\System32\ytZdrMA.exe
  C:\Windows\System32\ytZdrMA.exe
  2⤵
  PID:6044
- C:\Windows\System32\MWgisBi.exe
  C:\Windows\System32\MWgisBi.exe
  2⤵
  PID:6168
- C:\Windows\System32\uEoIbCL.exe
  C:\Windows\System32\uEoIbCL.exe
  2⤵
  PID:6208
- C:\Windows\System32\krEfXoX.exe
  C:\Windows\System32\krEfXoX.exe
  2⤵
  PID:6224
- C:\Windows\System32\cqlqUqN.exe
  C:\Windows\System32\cqlqUqN.exe
  2⤵
  PID:6264
- C:\Windows\System32\cuKLrqM.exe
  C:\Windows\System32\cuKLrqM.exe
  2⤵
  PID:6280
- C:\Windows\System32\ilHgRTC.exe
  C:\Windows\System32\ilHgRTC.exe
  2⤵
  PID:6320
- C:\Windows\System32\GjnvYsI.exe
  C:\Windows\System32\GjnvYsI.exe
  2⤵
  PID:6336
- C:\Windows\System32\qOqWicG.exe
  C:\Windows\System32\qOqWicG.exe
  2⤵
  PID:6364
- C:\Windows\System32\YSwXyYt.exe
  C:\Windows\System32\YSwXyYt.exe
  2⤵
  PID:6404
- C:\Windows\System32\yuRFAoE.exe
  C:\Windows\System32\yuRFAoE.exe
  2⤵
  PID:6420
- C:\Windows\System32\YqhyCvU.exe
  C:\Windows\System32\YqhyCvU.exe
  2⤵
  PID:6444
- C:\Windows\System32\tGaroPl.exe
  C:\Windows\System32\tGaroPl.exe
  2⤵
  PID:6476
- C:\Windows\System32\FfZqRFR.exe
  C:\Windows\System32\FfZqRFR.exe
  2⤵
  PID:6504
- C:\Windows\System32\JVCadMq.exe
  C:\Windows\System32\JVCadMq.exe
  2⤵
  PID:6532
- C:\Windows\System32\JlYkPTf.exe
  C:\Windows\System32\JlYkPTf.exe
  2⤵
  PID:6572
- C:\Windows\System32\XRKnUzL.exe
  C:\Windows\System32\XRKnUzL.exe
  2⤵
  PID:6588
- C:\Windows\System32\JUoiOBn.exe
  C:\Windows\System32\JUoiOBn.exe
  2⤵
  PID:6616
- C:\Windows\System32\rxpxPXA.exe
  C:\Windows\System32\rxpxPXA.exe
  2⤵
  PID:6644
- C:\Windows\System32\RWjhVga.exe
  C:\Windows\System32\RWjhVga.exe
  2⤵
  PID:6672
- C:\Windows\System32\UCzNUhV.exe
  C:\Windows\System32\UCzNUhV.exe
  2⤵
  PID:6700
- C:\Windows\System32\UBCFMRn.exe
  C:\Windows\System32\UBCFMRn.exe
  2⤵
  PID:6728
- C:\Windows\System32\DsKwOUX.exe
  C:\Windows\System32\DsKwOUX.exe
  2⤵
  PID:6756
- C:\Windows\System32\VouebLI.exe
  C:\Windows\System32\VouebLI.exe
  2⤵
  PID:6784
- C:\Windows\System32\ZdukkEk.exe
  C:\Windows\System32\ZdukkEk.exe
  2⤵
  PID:6824
- C:\Windows\System32\noQqHxV.exe
  C:\Windows\System32\noQqHxV.exe
  2⤵
  PID:6840
- C:\Windows\System32\bMYZgmt.exe
  C:\Windows\System32\bMYZgmt.exe
  2⤵
  PID:6868
- C:\Windows\System32\MakdCLw.exe
  C:\Windows\System32\MakdCLw.exe
  2⤵
  PID:6896
- C:\Windows\System32\YhayUsp.exe
  C:\Windows\System32\YhayUsp.exe
  2⤵
  PID:6932
- C:\Windows\System32\SlTXhfU.exe
  C:\Windows\System32\SlTXhfU.exe
  2⤵
  PID:6952
- C:\Windows\System32\oZgIXSB.exe
  C:\Windows\System32\oZgIXSB.exe
  2⤵
  PID:6980
- C:\Windows\System32\yphBWyI.exe
  C:\Windows\System32\yphBWyI.exe
  2⤵
  PID:7008
- C:\Windows\System32\aZLjIFQ.exe
  C:\Windows\System32\aZLjIFQ.exe
  2⤵
  PID:7036
- C:\Windows\System32\QuEGowT.exe
  C:\Windows\System32\QuEGowT.exe
  2⤵
  PID:7064
- C:\Windows\System32\chFnOaw.exe
  C:\Windows\System32\chFnOaw.exe
  2⤵
  PID:7104
- C:\Windows\System32\wxxObAl.exe
  C:\Windows\System32\wxxObAl.exe
  2⤵
  PID:7120
- C:\Windows\System32\vkSnWSG.exe
  C:\Windows\System32\vkSnWSG.exe
  2⤵
  PID:7148
- C:\Windows\System32\HDMRzwe.exe
  C:\Windows\System32\HDMRzwe.exe
  2⤵
  PID:4912
- C:\Windows\System32\KBiaQho.exe
  C:\Windows\System32\KBiaQho.exe
  2⤵
  PID:5268
- C:\Windows\System32\vUfgcds.exe
  C:\Windows\System32\vUfgcds.exe
  2⤵
  PID:5620
- C:\Windows\System32\pUDhAKp.exe
  C:\Windows\System32\pUDhAKp.exe
  2⤵
  PID:6016
- C:\Windows\System32\ikAmsNE.exe
  C:\Windows\System32\ikAmsNE.exe
  2⤵
  PID:6164
- C:\Windows\System32\yVMFQBj.exe
  C:\Windows\System32\yVMFQBj.exe
  2⤵
  PID:6220
- C:\Windows\System32\CoreQlj.exe
  C:\Windows\System32\CoreQlj.exe
  2⤵
  PID:6296
- C:\Windows\System32\WHprlbE.exe
  C:\Windows\System32\WHprlbE.exe
  2⤵
  PID:6352
- C:\Windows\System32\rBPPWjj.exe
  C:\Windows\System32\rBPPWjj.exe
  2⤵
  PID:6428
- C:\Windows\System32\VcMdNmh.exe
  C:\Windows\System32\VcMdNmh.exe
  2⤵
  PID:6488
- C:\Windows\System32\easEsho.exe
  C:\Windows\System32\easEsho.exe
  2⤵
  PID:6556
- C:\Windows\System32\fBKlmuS.exe
  C:\Windows\System32\fBKlmuS.exe
  2⤵
  PID:6640
- C:\Windows\System32\DlSMhSx.exe
  C:\Windows\System32\DlSMhSx.exe
  2⤵
  PID:6660
- C:\Windows\System32\YkwGMKD.exe
  C:\Windows\System32\YkwGMKD.exe
  2⤵
  PID:6752
- C:\Windows\System32\CRJlWqi.exe
  C:\Windows\System32\CRJlWqi.exe
  2⤵
  PID:6772
- C:\Windows\System32\gTYsYjf.exe
  C:\Windows\System32\gTYsYjf.exe
  2⤵
  PID:6864
- C:\Windows\System32\sjgckRs.exe
  C:\Windows\System32\sjgckRs.exe
  2⤵
  PID:6920
- C:\Windows\System32\UayhhMf.exe
  C:\Windows\System32\UayhhMf.exe
  2⤵
  PID:6944
- C:\Windows\System32\roIeuJW.exe
  C:\Windows\System32\roIeuJW.exe
  2⤵
  PID:7004
- C:\Windows\System32\RzvmxHn.exe
  C:\Windows\System32\RzvmxHn.exe
  2⤵
  PID:7052
- C:\Windows\System32\exfzFCK.exe
  C:\Windows\System32\exfzFCK.exe
  2⤵
  PID:7136
- C:\Windows\System32\LPKyKYT.exe
  C:\Windows\System32\LPKyKYT.exe
  2⤵
  PID:1148
- C:\Windows\System32\Uibgsdx.exe
  C:\Windows\System32\Uibgsdx.exe
  2⤵
  PID:5540
- C:\Windows\System32\xrOVqvQ.exe
  C:\Windows\System32\xrOVqvQ.exe
  2⤵
  PID:6184
- C:\Windows\System32\rpvhYXQ.exe
  C:\Windows\System32\rpvhYXQ.exe
  2⤵
  PID:6304
- C:\Windows\System32\UKHvZeV.exe
  C:\Windows\System32\UKHvZeV.exe
  2⤵
  PID:6432
- C:\Windows\System32\aSEqwIq.exe
  C:\Windows\System32\aSEqwIq.exe
  2⤵
  PID:2092
- C:\Windows\System32\NGJUXks.exe
  C:\Windows\System32\NGJUXks.exe
  2⤵
  PID:6580
- C:\Windows\System32\EhZJkkt.exe
  C:\Windows\System32\EhZJkkt.exe
  2⤵
  PID:7028
- C:\Windows\System32\erjPsaC.exe
  C:\Windows\System32\erjPsaC.exe
  2⤵
  PID:7164
- C:\Windows\System32\jobezsJ.exe
  C:\Windows\System32\jobezsJ.exe
  2⤵
  PID:2228
- C:\Windows\System32\rEDPPPV.exe
  C:\Windows\System32\rEDPPPV.exe
  2⤵
  PID:6200
- C:\Windows\System32\dQioXQv.exe
  C:\Windows\System32\dQioXQv.exe
  2⤵
  PID:3464
- C:\Windows\System32\JVMvXJH.exe
  C:\Windows\System32\JVMvXJH.exe
  2⤵
  PID:1420
- C:\Windows\System32\mnLgSag.exe
  C:\Windows\System32\mnLgSag.exe
  2⤵
  PID:1020
- C:\Windows\System32\FxemwVf.exe
  C:\Windows\System32\FxemwVf.exe
  2⤵
  PID:852
- C:\Windows\System32\gBGRqAx.exe
  C:\Windows\System32\gBGRqAx.exe
  2⤵
  PID:6892
- C:\Windows\System32\zmVjxCd.exe
  C:\Windows\System32\zmVjxCd.exe
  2⤵
  PID:4068
- C:\Windows\System32\HWpSVqn.exe
  C:\Windows\System32\HWpSVqn.exe
  2⤵
  PID:3040
- C:\Windows\System32\yGNNMLW.exe
  C:\Windows\System32\yGNNMLW.exe
  2⤵
  PID:4920
- C:\Windows\System32\ocftAfC.exe
  C:\Windows\System32\ocftAfC.exe
  2⤵
  PID:5668
- C:\Windows\System32\hwQwbOb.exe
  C:\Windows\System32\hwQwbOb.exe
  2⤵
  PID:6256
- C:\Windows\System32\ccJlLqE.exe
  C:\Windows\System32\ccJlLqE.exe
  2⤵
  PID:3212
- C:\Windows\System32\cgxmitj.exe
  C:\Windows\System32\cgxmitj.exe
  2⤵
  PID:7200
- C:\Windows\System32\mbnciun.exe
  C:\Windows\System32\mbnciun.exe
  2⤵
  PID:7240
- C:\Windows\System32\nviqOPO.exe
  C:\Windows\System32\nviqOPO.exe
  2⤵
  PID:7260
- C:\Windows\System32\OTWdhmB.exe
  C:\Windows\System32\OTWdhmB.exe
  2⤵
  PID:7284
- C:\Windows\System32\tekvinE.exe
  C:\Windows\System32\tekvinE.exe
  2⤵
  PID:7304
- C:\Windows\System32\EgzDwiv.exe
  C:\Windows\System32\EgzDwiv.exe
  2⤵
  PID:7336
- C:\Windows\System32\yIhDtUF.exe
  C:\Windows\System32\yIhDtUF.exe
  2⤵
  PID:7364
- C:\Windows\System32\asYZXlX.exe
  C:\Windows\System32\asYZXlX.exe
  2⤵
  PID:7392
- C:\Windows\System32\YqMeyRL.exe
  C:\Windows\System32\YqMeyRL.exe
  2⤵
  PID:7424
- C:\Windows\System32\MXFdxvo.exe
  C:\Windows\System32\MXFdxvo.exe
  2⤵
  PID:7456
- C:\Windows\System32\WPMuvtJ.exe
  C:\Windows\System32\WPMuvtJ.exe
  2⤵
  PID:7484
- C:\Windows\System32\dNrorUn.exe
  C:\Windows\System32\dNrorUn.exe
  2⤵
  PID:7512
- C:\Windows\System32\qNnBtUk.exe
  C:\Windows\System32\qNnBtUk.exe
  2⤵
  PID:7540
- C:\Windows\System32\xYvzCZL.exe
  C:\Windows\System32\xYvzCZL.exe
  2⤵
  PID:7556
- C:\Windows\System32\WgUbuSQ.exe
  C:\Windows\System32\WgUbuSQ.exe
  2⤵
  PID:7576
- C:\Windows\System32\pELaKbc.exe
  C:\Windows\System32\pELaKbc.exe
  2⤵
  PID:7620
- C:\Windows\System32\jmTaKih.exe
  C:\Windows\System32\jmTaKih.exe
  2⤵
  PID:7652
- C:\Windows\System32\bGSaLMP.exe
  C:\Windows\System32\bGSaLMP.exe
  2⤵
  PID:7668
- C:\Windows\System32\LfawjZq.exe
  C:\Windows\System32\LfawjZq.exe
  2⤵
  PID:7708
- C:\Windows\System32\BwRMEce.exe
  C:\Windows\System32\BwRMEce.exe
  2⤵
  PID:7748
- C:\Windows\System32\dXtJMGE.exe
  C:\Windows\System32\dXtJMGE.exe
  2⤵
  PID:7768
- C:\Windows\System32\ZloLpeR.exe
  C:\Windows\System32\ZloLpeR.exe
  2⤵
  PID:7784
- C:\Windows\System32\HKksyla.exe
  C:\Windows\System32\HKksyla.exe
  2⤵
  PID:7832
- C:\Windows\System32\HzapbbH.exe
  C:\Windows\System32\HzapbbH.exe
  2⤵
  PID:7856
- C:\Windows\System32\bCInNtU.exe
  C:\Windows\System32\bCInNtU.exe
  2⤵
  PID:7884
- C:\Windows\System32\xWlrxRw.exe
  C:\Windows\System32\xWlrxRw.exe
  2⤵
  PID:7912
- C:\Windows\System32\tVUbfPZ.exe
  C:\Windows\System32\tVUbfPZ.exe
  2⤵
  PID:7940
- C:\Windows\System32\zLvyxaL.exe
  C:\Windows\System32\zLvyxaL.exe
  2⤵
  PID:7976
- C:\Windows\System32\wOXAKXs.exe
  C:\Windows\System32\wOXAKXs.exe
  2⤵
  PID:8004
- C:\Windows\System32\YgbsOXP.exe
  C:\Windows\System32\YgbsOXP.exe
  2⤵
  PID:8028
- C:\Windows\System32\eWdvRfm.exe
  C:\Windows\System32\eWdvRfm.exe
  2⤵
  PID:8068
- C:\Windows\System32\jjOafiA.exe
  C:\Windows\System32\jjOafiA.exe
  2⤵
  PID:8112
- C:\Windows\System32\qZJYWhy.exe
  C:\Windows\System32\qZJYWhy.exe
  2⤵
  PID:8152
- C:\Windows\System32\yBdQwxH.exe
  C:\Windows\System32\yBdQwxH.exe
  2⤵
  PID:8188
- C:\Windows\System32\MIqGaVQ.exe
  C:\Windows\System32\MIqGaVQ.exe
  2⤵
  PID:3688
- C:\Windows\System32\fMSjxMz.exe
  C:\Windows\System32\fMSjxMz.exe
  2⤵
  PID:7208
- C:\Windows\System32\DkTwZHU.exe
  C:\Windows\System32\DkTwZHU.exe
  2⤵
  PID:7096
- C:\Windows\System32\tXAXmfJ.exe
  C:\Windows\System32\tXAXmfJ.exe
  2⤵
  PID:4612
- C:\Windows\System32\pHimzmn.exe
  C:\Windows\System32\pHimzmn.exe
  2⤵
  PID:7296
- C:\Windows\System32\FXdAsKh.exe
  C:\Windows\System32\FXdAsKh.exe
  2⤵
  PID:7380
- C:\Windows\System32\AuOPczk.exe
  C:\Windows\System32\AuOPczk.exe
  2⤵
  PID:7436
- C:\Windows\System32\PHGpUAl.exe
  C:\Windows\System32\PHGpUAl.exe
  2⤵
  PID:7532
- C:\Windows\System32\vvOTHEc.exe
  C:\Windows\System32\vvOTHEc.exe
  2⤵
  PID:7592
- C:\Windows\System32\aVyPfjE.exe
  C:\Windows\System32\aVyPfjE.exe
  2⤵
  PID:7692
- C:\Windows\System32\IuSYVSX.exe
  C:\Windows\System32\IuSYVSX.exe
  2⤵
  PID:7780
- C:\Windows\System32\JjltOBC.exe
  C:\Windows\System32\JjltOBC.exe
  2⤵
  PID:7852
- C:\Windows\System32\qwyOqvw.exe
  C:\Windows\System32\qwyOqvw.exe
  2⤵
  PID:7928
- C:\Windows\System32\LRHwQbb.exe
  C:\Windows\System32\LRHwQbb.exe
  2⤵
  PID:8000
- C:\Windows\System32\ImkhMLW.exe
  C:\Windows\System32\ImkhMLW.exe
  2⤵
  PID:8108
- C:\Windows\System32\FCnWuCj.exe
  C:\Windows\System32\FCnWuCj.exe
  2⤵
  PID:4404
- C:\Windows\System32\obmXOnD.exe
  C:\Windows\System32\obmXOnD.exe
  2⤵
  PID:8020
- C:\Windows\System32\QNZzwrl.exe
  C:\Windows\System32\QNZzwrl.exe
  2⤵
  PID:7268
- C:\Windows\System32\mxnfhmE.exe
  C:\Windows\System32\mxnfhmE.exe
  2⤵
  PID:7356
- C:\Windows\System32\UOtCLrn.exe
  C:\Windows\System32\UOtCLrn.exe
  2⤵
  PID:7572
- C:\Windows\System32\kbbSgKH.exe
  C:\Windows\System32\kbbSgKH.exe
  2⤵
  PID:7644
- C:\Windows\System32\rckNXAP.exe
  C:\Windows\System32\rckNXAP.exe
  2⤵
  PID:7904
- C:\Windows\System32\qlpMFvE.exe
  C:\Windows\System32\qlpMFvE.exe
  2⤵
  PID:8180
- C:\Windows\System32\bGayhLV.exe
  C:\Windows\System32\bGayhLV.exe
  2⤵
  PID:1364
- C:\Windows\System32\HziKupU.exe
  C:\Windows\System32\HziKupU.exe
  2⤵
  PID:7628
- C:\Windows\System32\lpprlQE.exe
  C:\Windows\System32\lpprlQE.exe
  2⤵
  PID:8064
- C:\Windows\System32\kzCWbgS.exe
  C:\Windows\System32\kzCWbgS.exe
  2⤵
  PID:7932
- C:\Windows\System32\cuVEgrh.exe
  C:\Windows\System32\cuVEgrh.exe
  2⤵
  PID:8200
- C:\Windows\System32\aQbGnrT.exe
  C:\Windows\System32\aQbGnrT.exe
  2⤵
  PID:8228
- C:\Windows\System32\gNURQFu.exe
  C:\Windows\System32\gNURQFu.exe
  2⤵
  PID:8256
- C:\Windows\System32\kAzRAdc.exe
  C:\Windows\System32\kAzRAdc.exe
  2⤵
  PID:8284
- C:\Windows\System32\fMSltPf.exe
  C:\Windows\System32\fMSltPf.exe
  2⤵
  PID:8312
- C:\Windows\System32\HEWcVJN.exe
  C:\Windows\System32\HEWcVJN.exe
  2⤵
  PID:8328
- C:\Windows\System32\VUNBsHp.exe
  C:\Windows\System32\VUNBsHp.exe
  2⤵
  PID:8372
- C:\Windows\System32\fEvNyez.exe
  C:\Windows\System32\fEvNyez.exe
  2⤵
  PID:8400
- C:\Windows\System32\zPfiFxV.exe
  C:\Windows\System32\zPfiFxV.exe
  2⤵
  PID:8416
- C:\Windows\System32\FixmagP.exe
  C:\Windows\System32\FixmagP.exe
  2⤵
  PID:8460
- C:\Windows\System32\ICTqlaB.exe
  C:\Windows\System32\ICTqlaB.exe
  2⤵
  PID:8484
- C:\Windows\System32\WjRupYH.exe
  C:\Windows\System32\WjRupYH.exe
  2⤵
  PID:8516
- C:\Windows\System32\thDfOye.exe
  C:\Windows\System32\thDfOye.exe
  2⤵
  PID:8544
- C:\Windows\System32\zWLkvSb.exe
  C:\Windows\System32\zWLkvSb.exe
  2⤵
  PID:8560
- C:\Windows\System32\QvyVwPk.exe
  C:\Windows\System32\QvyVwPk.exe
  2⤵
  PID:8600
- C:\Windows\System32\JHLKRvc.exe
  C:\Windows\System32\JHLKRvc.exe
  2⤵
  PID:8616
- C:\Windows\System32\bwWZvao.exe
  C:\Windows\System32\bwWZvao.exe
  2⤵
  PID:8656
- C:\Windows\System32\kVWyVbY.exe
  C:\Windows\System32\kVWyVbY.exe
  2⤵
  PID:8684
- C:\Windows\System32\ZdYiJsz.exe
  C:\Windows\System32\ZdYiJsz.exe
  2⤵
  PID:8716
- C:\Windows\System32\ffKHsaQ.exe
  C:\Windows\System32\ffKHsaQ.exe
  2⤵
  PID:8740
- C:\Windows\System32\WhBdIdn.exe
  C:\Windows\System32\WhBdIdn.exe
  2⤵
  PID:8768
- C:\Windows\System32\NIeXtit.exe
  C:\Windows\System32\NIeXtit.exe
  2⤵
  PID:8796
- C:\Windows\System32\ismHxdR.exe
  C:\Windows\System32\ismHxdR.exe
  2⤵
  PID:8824
- C:\Windows\System32\npiLtaJ.exe
  C:\Windows\System32\npiLtaJ.exe
  2⤵
  PID:8840
- C:\Windows\System32\WcXOYKG.exe
  C:\Windows\System32\WcXOYKG.exe
  2⤵
  PID:8948
- C:\Windows\System32\IqfEutc.exe
  C:\Windows\System32\IqfEutc.exe
  2⤵
  PID:8964
- C:\Windows\System32\JDSORuH.exe
  C:\Windows\System32\JDSORuH.exe
  2⤵
  PID:8996
- C:\Windows\System32\LfVXnzc.exe
  C:\Windows\System32\LfVXnzc.exe
  2⤵
  PID:9024
- C:\Windows\System32\GNsYyIg.exe
  C:\Windows\System32\GNsYyIg.exe
  2⤵
  PID:9040
- C:\Windows\System32\SqNvrcI.exe
  C:\Windows\System32\SqNvrcI.exe
  2⤵
  PID:9080
- C:\Windows\System32\STfszRh.exe
  C:\Windows\System32\STfszRh.exe
  2⤵
  PID:9112
- C:\Windows\System32\auTBSEo.exe
  C:\Windows\System32\auTBSEo.exe
  2⤵
  PID:9144
- C:\Windows\System32\sQvezeJ.exe
  C:\Windows\System32\sQvezeJ.exe
  2⤵
  PID:9172
- C:\Windows\System32\XKXUKBv.exe
  C:\Windows\System32\XKXUKBv.exe
  2⤵
  PID:7552
- C:\Windows\System32\pZVMcvW.exe
  C:\Windows\System32\pZVMcvW.exe
  2⤵
  PID:8268
- C:\Windows\System32\jhYFXKZ.exe
  C:\Windows\System32\jhYFXKZ.exe
  2⤵
  PID:8324
- C:\Windows\System32\dLCXCcl.exe
  C:\Windows\System32\dLCXCcl.exe
  2⤵
  PID:8368
- C:\Windows\System32\jUVWGeN.exe
  C:\Windows\System32\jUVWGeN.exe
  2⤵
  PID:8468
- C:\Windows\System32\GrizyQS.exe
  C:\Windows\System32\GrizyQS.exe
  2⤵
  PID:8536
- C:\Windows\System32\XcvvNHh.exe
  C:\Windows\System32\XcvvNHh.exe
  2⤵
  PID:8588
- C:\Windows\System32\uGAzZLv.exe
  C:\Windows\System32\uGAzZLv.exe
  2⤵
  PID:8652
- C:\Windows\System32\qNzbjQG.exe
  C:\Windows\System32\qNzbjQG.exe
  2⤵
  PID:8696
- C:\Windows\System32\nRzELwP.exe
  C:\Windows\System32\nRzELwP.exe
  2⤵
  PID:8780
- C:\Windows\System32\NSVtfRQ.exe
  C:\Windows\System32\NSVtfRQ.exe
  2⤵
  PID:8832
- C:\Windows\System32\NUbWinY.exe
  C:\Windows\System32\NUbWinY.exe
  2⤵
  PID:8888
- C:\Windows\System32\WuhWRzX.exe
  C:\Windows\System32\WuhWRzX.exe
  2⤵
  PID:8092
- C:\Windows\System32\LkgwrkK.exe
  C:\Windows\System32\LkgwrkK.exe
  2⤵
  PID:8960
- C:\Windows\System32\TYUdemq.exe
  C:\Windows\System32\TYUdemq.exe
  2⤵
  PID:9020
- C:\Windows\System32\yMLJHwy.exe
  C:\Windows\System32\yMLJHwy.exe
  2⤵
  PID:9140
- C:\Windows\System32\EASkWfs.exe
  C:\Windows\System32\EASkWfs.exe
  2⤵
  PID:9212
- C:\Windows\System32\hLUutzY.exe
  C:\Windows\System32\hLUutzY.exe
  2⤵
  PID:8364
- C:\Windows\System32\hTcSQUi.exe
  C:\Windows\System32\hTcSQUi.exe
  2⤵
  PID:8580
- C:\Windows\System32\DiDbGVc.exe
  C:\Windows\System32\DiDbGVc.exe
  2⤵
  PID:8736
- C:\Windows\System32\ObUkNrB.exe
  C:\Windows\System32\ObUkNrB.exe
  2⤵
  PID:8872
- C:\Windows\System32\bvHAtXG.exe
  C:\Windows\System32\bvHAtXG.exe
  2⤵
  PID:8980
- C:\Windows\System32\eTcSeMr.exe
  C:\Windows\System32\eTcSeMr.exe
  2⤵
  PID:9100
- C:\Windows\System32\OJcFYVp.exe
  C:\Windows\System32\OJcFYVp.exe
  2⤵
  PID:8452
- C:\Windows\System32\MzgBLIu.exe
  C:\Windows\System32\MzgBLIu.exe
  2⤵
  PID:8988
- C:\Windows\System32\ooHweze.exe
  C:\Windows\System32\ooHweze.exe
  2⤵
  PID:8248
- C:\Windows\System32\asEmjwI.exe
  C:\Windows\System32\asEmjwI.exe
  2⤵
  PID:8644
- C:\Windows\System32\oVHyLnI.exe
  C:\Windows\System32\oVHyLnI.exe
  2⤵
  PID:9036
- C:\Windows\System32\JfNOwjc.exe
  C:\Windows\System32\JfNOwjc.exe
  2⤵
  PID:9236
- C:\Windows\System32\BlgBhMv.exe
  C:\Windows\System32\BlgBhMv.exe
  2⤵
  PID:9264
- C:\Windows\System32\uzkSQoW.exe
  C:\Windows\System32\uzkSQoW.exe
  2⤵
  PID:9284
- C:\Windows\System32\EjqZhVd.exe
  C:\Windows\System32\EjqZhVd.exe
  2⤵
  PID:9324
- C:\Windows\System32\UrgTKtg.exe
  C:\Windows\System32\UrgTKtg.exe
  2⤵
  PID:9340
- C:\Windows\System32\YFJsxMi.exe
  C:\Windows\System32\YFJsxMi.exe
  2⤵
  PID:9380
- C:\Windows\System32\DbuGvQr.exe
  C:\Windows\System32\DbuGvQr.exe
  2⤵
  PID:9400
- C:\Windows\System32\FfkZqQu.exe
  C:\Windows\System32\FfkZqQu.exe
  2⤵
  PID:9436
- C:\Windows\System32\tuqQJxh.exe
  C:\Windows\System32\tuqQJxh.exe
  2⤵
  PID:9464
- C:\Windows\System32\oanrJuK.exe
  C:\Windows\System32\oanrJuK.exe
  2⤵
  PID:9492
- C:\Windows\System32\BcoCJMO.exe
  C:\Windows\System32\BcoCJMO.exe
  2⤵
  PID:9528
- C:\Windows\System32\dXfGiCg.exe
  C:\Windows\System32\dXfGiCg.exe
  2⤵
  PID:9576
- C:\Windows\System32\JSXAqIV.exe
  C:\Windows\System32\JSXAqIV.exe
  2⤵
  PID:9620
- C:\Windows\System32\TvJLKYv.exe
  C:\Windows\System32\TvJLKYv.exe
  2⤵
  PID:9648
- C:\Windows\System32\Htaipxh.exe
  C:\Windows\System32\Htaipxh.exe
  2⤵
  PID:9684
- C:\Windows\System32\WsPsBJJ.exe
  C:\Windows\System32\WsPsBJJ.exe
  2⤵
  PID:9712
- C:\Windows\System32\PyiLzym.exe
  C:\Windows\System32\PyiLzym.exe
  2⤵
  PID:9740
- C:\Windows\System32\iuNWLFa.exe
  C:\Windows\System32\iuNWLFa.exe
  2⤵
  PID:9768
- C:\Windows\System32\FPjzUuf.exe
  C:\Windows\System32\FPjzUuf.exe
  2⤵
  PID:9796
- C:\Windows\System32\PsWABkn.exe
  C:\Windows\System32\PsWABkn.exe
  2⤵
  PID:9828
- C:\Windows\System32\OdVTZAz.exe
  C:\Windows\System32\OdVTZAz.exe
  2⤵
  PID:9856
- C:\Windows\System32\VkxZuCK.exe
  C:\Windows\System32\VkxZuCK.exe
  2⤵
  PID:9876
- C:\Windows\System32\hXNOEcU.exe
  C:\Windows\System32\hXNOEcU.exe
  2⤵
  PID:9916
- C:\Windows\System32\iaWXcyO.exe
  C:\Windows\System32\iaWXcyO.exe
  2⤵
  PID:9940
- C:\Windows\System32\SyOGQoG.exe
  C:\Windows\System32\SyOGQoG.exe
  2⤵
  PID:9964
- C:\Windows\System32\hjmjesV.exe
  C:\Windows\System32\hjmjesV.exe
  2⤵
  PID:10000
- C:\Windows\System32\FxADNiV.exe
  C:\Windows\System32\FxADNiV.exe
  2⤵
  PID:10028
- C:\Windows\System32\tqSRPxF.exe
  C:\Windows\System32\tqSRPxF.exe
  2⤵
  PID:10056
- C:\Windows\System32\aHpMYdd.exe
  C:\Windows\System32\aHpMYdd.exe
  2⤵
  PID:10088
- C:\Windows\System32\aykZKod.exe
  C:\Windows\System32\aykZKod.exe
  2⤵
  PID:10120
- C:\Windows\System32\bVmEarf.exe
  C:\Windows\System32\bVmEarf.exe
  2⤵
  PID:10148
- C:\Windows\System32\CgMMYQf.exe
  C:\Windows\System32\CgMMYQf.exe
  2⤵
  PID:10176
- C:\Windows\System32\BPcrrXB.exe
  C:\Windows\System32\BPcrrXB.exe
  2⤵
  PID:10208
- C:\Windows\System32\jHyjiuJ.exe
  C:\Windows\System32\jHyjiuJ.exe
  2⤵
  PID:10236
- C:\Windows\System32\tdQlIMg.exe
  C:\Windows\System32\tdQlIMg.exe
  2⤵
  PID:8972
- C:\Windows\System32\DsSBkII.exe
  C:\Windows\System32\DsSBkII.exe
  2⤵
  PID:9336
- C:\Windows\System32\FIrJTfP.exe
  C:\Windows\System32\FIrJTfP.exe
  2⤵
  PID:9388
- C:\Windows\System32\ElyhHAp.exe
  C:\Windows\System32\ElyhHAp.exe
  2⤵
  PID:9460
- C:\Windows\System32\LMSmNNk.exe
  C:\Windows\System32\LMSmNNk.exe
  2⤵
  PID:9548
- C:\Windows\System32\pXkBPzu.exe
  C:\Windows\System32\pXkBPzu.exe
  2⤵
  PID:9644
- C:\Windows\System32\ojHkCuJ.exe
  C:\Windows\System32\ojHkCuJ.exe
  2⤵
  PID:9724
- C:\Windows\System32\bDqPSOi.exe
  C:\Windows\System32\bDqPSOi.exe
  2⤵
  PID:9808
- C:\Windows\System32\clYZzPe.exe
  C:\Windows\System32\clYZzPe.exe
  2⤵
  PID:9868
- C:\Windows\System32\ZSUcYln.exe
  C:\Windows\System32\ZSUcYln.exe
  2⤵
  PID:9936
- C:\Windows\System32\AOROyiq.exe
  C:\Windows\System32\AOROyiq.exe
  2⤵
  PID:9980
- C:\Windows\System32\ekPpWJR.exe
  C:\Windows\System32\ekPpWJR.exe
  2⤵
  PID:10084
- C:\Windows\System32\ZBwFPVM.exe
  C:\Windows\System32\ZBwFPVM.exe
  2⤵
  PID:10188
- C:\Windows\System32\ezirHOG.exe
  C:\Windows\System32\ezirHOG.exe
  2⤵
  PID:9252
- C:\Windows\System32\bKTFfXT.exe
  C:\Windows\System32\bKTFfXT.exe
  2⤵
  PID:9392
- C:\Windows\System32\aCvaQGR.exe
  C:\Windows\System32\aCvaQGR.exe
  2⤵
  PID:9792
- C:\Windows\System32\DHAKOtN.exe
  C:\Windows\System32\DHAKOtN.exe
  2⤵
  PID:10172
- C:\Windows\System32\CyACViI.exe
  C:\Windows\System32\CyACViI.exe
  2⤵
  PID:9444
- C:\Windows\System32\TfsFEcP.exe
  C:\Windows\System32\TfsFEcP.exe
  2⤵
  PID:9316
- C:\Windows\System32\MHbvGKY.exe
  C:\Windows\System32\MHbvGKY.exe
  2⤵
  PID:10288
- C:\Windows\System32\ogzlWOL.exe
  C:\Windows\System32\ogzlWOL.exe
  2⤵
  PID:10320
- C:\Windows\System32\JotrlAh.exe
  C:\Windows\System32\JotrlAh.exe
  2⤵
  PID:10376
- C:\Windows\System32\yLmSExB.exe
  C:\Windows\System32\yLmSExB.exe
  2⤵
  PID:10408
- C:\Windows\System32\eglzXBF.exe
  C:\Windows\System32\eglzXBF.exe
  2⤵
  PID:10440
- C:\Windows\System32\rkAAFmV.exe
  C:\Windows\System32\rkAAFmV.exe
  2⤵
  PID:10480
- C:\Windows\System32\PbbWGsJ.exe
  C:\Windows\System32\PbbWGsJ.exe
  2⤵
  PID:10504
- C:\Windows\System32\USiGVuq.exe
  C:\Windows\System32\USiGVuq.exe
  2⤵
  PID:10532
- C:\Windows\System32\DSEHMdZ.exe
  C:\Windows\System32\DSEHMdZ.exe
  2⤵
  PID:10576
- C:\Windows\System32\VsbCCjJ.exe
  C:\Windows\System32\VsbCCjJ.exe
  2⤵
  PID:10596
- C:\Windows\System32\pmaqHjL.exe
  C:\Windows\System32\pmaqHjL.exe
  2⤵
  PID:10620
- C:\Windows\System32\uQpjHfN.exe
  C:\Windows\System32\uQpjHfN.exe
  2⤵
  PID:10640
- C:\Windows\System32\YNoEKaD.exe
  C:\Windows\System32\YNoEKaD.exe
  2⤵
  PID:10672
- C:\Windows\System32\aVgJvxq.exe
  C:\Windows\System32\aVgJvxq.exe
  2⤵
  PID:10696
- C:\Windows\System32\uJniLRD.exe
  C:\Windows\System32\uJniLRD.exe
  2⤵
  PID:10716
- C:\Windows\System32\GsrfkrY.exe
  C:\Windows\System32\GsrfkrY.exe
  2⤵
  PID:10748
- C:\Windows\System32\xarPkYX.exe
  C:\Windows\System32\xarPkYX.exe
  2⤵
  PID:10800
- C:\Windows\System32\IDAIfgE.exe
  C:\Windows\System32\IDAIfgE.exe
  2⤵
  PID:10828
- C:\Windows\System32\rYTBmNa.exe
  C:\Windows\System32\rYTBmNa.exe
  2⤵
  PID:10856
- C:\Windows\System32\tIuQFEU.exe
  C:\Windows\System32\tIuQFEU.exe
  2⤵
  PID:10888
- C:\Windows\System32\ZTNfKLW.exe
  C:\Windows\System32\ZTNfKLW.exe
  2⤵
  PID:10920
- C:\Windows\System32\MKLuDKp.exe
  C:\Windows\System32\MKLuDKp.exe
  2⤵
  PID:10956
- C:\Windows\System32\NejIYJV.exe
  C:\Windows\System32\NejIYJV.exe
  2⤵
  PID:10992
- C:\Windows\System32\NgGFwQK.exe
  C:\Windows\System32\NgGFwQK.exe
  2⤵
  PID:11028
- C:\Windows\System32\SRcuqFZ.exe
  C:\Windows\System32\SRcuqFZ.exe
  2⤵
  PID:11056
- C:\Windows\System32\WKTEpVh.exe
  C:\Windows\System32\WKTEpVh.exe
  2⤵
  PID:11084
- C:\Windows\System32\RuwMnfC.exe
  C:\Windows\System32\RuwMnfC.exe
  2⤵
  PID:11112
- C:\Windows\System32\WScIvvg.exe
  C:\Windows\System32\WScIvvg.exe
  2⤵
  PID:11144
- C:\Windows\System32\ntPVScu.exe
  C:\Windows\System32\ntPVScu.exe
  2⤵
  PID:11172
- C:\Windows\System32\Gimzhud.exe
  C:\Windows\System32\Gimzhud.exe
  2⤵
  PID:11200
- C:\Windows\System32\ekYUkhQ.exe
  C:\Windows\System32\ekYUkhQ.exe
  2⤵
  PID:11228
- C:\Windows\System32\iimsBZi.exe
  C:\Windows\System32\iimsBZi.exe
  2⤵
  PID:11260
- C:\Windows\System32\WRBXFLU.exe
  C:\Windows\System32\WRBXFLU.exe
  2⤵
  PID:10308
- C:\Windows\System32\msMZIke.exe
  C:\Windows\System32\msMZIke.exe
  2⤵
  PID:10396
- C:\Windows\System32\nAkJmIZ.exe
  C:\Windows\System32\nAkJmIZ.exe
  2⤵
  PID:10492
- C:\Windows\System32\BoGLQxZ.exe
  C:\Windows\System32\BoGLQxZ.exe
  2⤵
  PID:10548
- C:\Windows\System32\GXCFRSK.exe
  C:\Windows\System32\GXCFRSK.exe
  2⤵
  PID:10648
- C:\Windows\System32\xKIfEHq.exe
  C:\Windows\System32\xKIfEHq.exe
  2⤵
  PID:10704
- C:\Windows\System32\nlMuXad.exe
  C:\Windows\System32\nlMuXad.exe
  2⤵
  PID:10768
- C:\Windows\System32\hvzvhNz.exe
  C:\Windows\System32\hvzvhNz.exe
  2⤵
  PID:10840
- C:\Windows\System32\FLPLFLE.exe
  C:\Windows\System32\FLPLFLE.exe
  2⤵
  PID:10908
- C:\Windows\System32\NebOVBP.exe
  C:\Windows\System32\NebOVBP.exe
  2⤵
  PID:10988
- C:\Windows\System32\soOPesu.exe
  C:\Windows\System32\soOPesu.exe
  2⤵
  PID:2824
- C:\Windows\System32\cHcRgYg.exe
  C:\Windows\System32\cHcRgYg.exe
  2⤵
  PID:11156
- C:\Windows\System32\bfByVtW.exe
  C:\Windows\System32\bfByVtW.exe
  2⤵
  PID:11220
- C:\Windows\System32\lCHMFdM.exe
  C:\Windows\System32\lCHMFdM.exe
  2⤵
  PID:10268
- C:\Windows\System32\VYFByjd.exe
  C:\Windows\System32\VYFByjd.exe
  2⤵
  PID:10524
- C:\Windows\System32\jsoQKZv.exe
  C:\Windows\System32\jsoQKZv.exe
  2⤵
  PID:10688
- C:\Windows\System32\LchFqyD.exe
  C:\Windows\System32\LchFqyD.exe
  2⤵
  PID:10824
- C:\Windows\System32\SgDoXvi.exe
  C:\Windows\System32\SgDoXvi.exe
  2⤵
  PID:11040
- C:\Windows\System32\GNkOGOX.exe
  C:\Windows\System32\GNkOGOX.exe
  2⤵
  PID:11196
- C:\Windows\System32\EzMvHvS.exe
  C:\Windows\System32\EzMvHvS.exe
  2⤵
  PID:10452
- C:\Windows\System32\EHydEiA.exe
  C:\Windows\System32\EHydEiA.exe
  2⤵
  PID:10900
- C:\Windows\System32\ecIvUUq.exe
  C:\Windows\System32\ecIvUUq.exe
  2⤵
  PID:10404
- C:\Windows\System32\aVceYZd.exe
  C:\Windows\System32\aVceYZd.exe
  2⤵
  PID:11140
- C:\Windows\System32\jFiRQkl.exe
  C:\Windows\System32\jFiRQkl.exe
  2⤵
  PID:11276
- C:\Windows\System32\GqBYmLK.exe
  C:\Windows\System32\GqBYmLK.exe
  2⤵
  PID:11304
- C:\Windows\System32\ghehzwL.exe
  C:\Windows\System32\ghehzwL.exe
  2⤵
  PID:11332
- C:\Windows\System32\hreXaZv.exe
  C:\Windows\System32\hreXaZv.exe
  2⤵
  PID:11360
- C:\Windows\System32\fNdqGRd.exe
  C:\Windows\System32\fNdqGRd.exe
  2⤵
  PID:11388
- C:\Windows\System32\cRwppHx.exe
  C:\Windows\System32\cRwppHx.exe
  2⤵
  PID:11420
- C:\Windows\System32\IQJZVBP.exe
  C:\Windows\System32\IQJZVBP.exe
  2⤵
  PID:11448
- C:\Windows\System32\YAAtEKz.exe
  C:\Windows\System32\YAAtEKz.exe
  2⤵
  PID:11476
- C:\Windows\System32\XvIBZFN.exe
  C:\Windows\System32\XvIBZFN.exe
  2⤵
  PID:11504
- C:\Windows\System32\cxfqxFY.exe
  C:\Windows\System32\cxfqxFY.exe
  2⤵
  PID:11532
- C:\Windows\System32\KhNpobi.exe
  C:\Windows\System32\KhNpobi.exe
  2⤵
  PID:11560
- C:\Windows\System32\sDkePIS.exe
  C:\Windows\System32\sDkePIS.exe
  2⤵
  PID:11588
- C:\Windows\System32\YfvlEJy.exe
  C:\Windows\System32\YfvlEJy.exe
  2⤵
  PID:11616
- C:\Windows\System32\LqLDyqV.exe
  C:\Windows\System32\LqLDyqV.exe
  2⤵
  PID:11644
- C:\Windows\System32\xvYRGFX.exe
  C:\Windows\System32\xvYRGFX.exe
  2⤵
  PID:11672
- C:\Windows\System32\mWGnUKK.exe
  C:\Windows\System32\mWGnUKK.exe
  2⤵
  PID:11700
- C:\Windows\System32\lOpSNJE.exe
  C:\Windows\System32\lOpSNJE.exe
  2⤵
  PID:11728
- C:\Windows\System32\lmepNQT.exe
  C:\Windows\System32\lmepNQT.exe
  2⤵
  PID:11756
- C:\Windows\System32\WAZyycA.exe
  C:\Windows\System32\WAZyycA.exe
  2⤵
  PID:11792
- C:\Windows\System32\ftfYyPG.exe
  C:\Windows\System32\ftfYyPG.exe
  2⤵
  PID:11820
- C:\Windows\System32\mlQxWFN.exe
  C:\Windows\System32\mlQxWFN.exe
  2⤵
  PID:11848
- C:\Windows\System32\uxmNvCh.exe
  C:\Windows\System32\uxmNvCh.exe
  2⤵
  PID:11876
- C:\Windows\System32\OJWYxFJ.exe
  C:\Windows\System32\OJWYxFJ.exe
  2⤵
  PID:11904
- C:\Windows\System32\vrvJVwT.exe
  C:\Windows\System32\vrvJVwT.exe
  2⤵
  PID:11932
- C:\Windows\System32\JTDlJNb.exe
  C:\Windows\System32\JTDlJNb.exe
  2⤵
  PID:11960
- C:\Windows\System32\raqkWrn.exe
  C:\Windows\System32\raqkWrn.exe
  2⤵
  PID:11988
- C:\Windows\System32\EbpHQeC.exe
  C:\Windows\System32\EbpHQeC.exe
  2⤵
  PID:12016
- C:\Windows\System32\CPbQYmo.exe
  C:\Windows\System32\CPbQYmo.exe
  2⤵
  PID:12044
- C:\Windows\System32\gmRaCYA.exe
  C:\Windows\System32\gmRaCYA.exe
  2⤵
  PID:12072
- C:\Windows\System32\MpSjsqD.exe
  C:\Windows\System32\MpSjsqD.exe
  2⤵
  PID:12108
- C:\Windows\System32\ofrFDRC.exe
  C:\Windows\System32\ofrFDRC.exe
  2⤵
  PID:12128
- C:\Windows\System32\giWrSmg.exe
  C:\Windows\System32\giWrSmg.exe
  2⤵
  PID:12168
- C:\Windows\System32\KwPtZoe.exe
  C:\Windows\System32\KwPtZoe.exe
  2⤵
  PID:12196
- C:\Windows\System32\GKIFULW.exe
  C:\Windows\System32\GKIFULW.exe
  2⤵
  PID:12224
- C:\Windows\System32\AMzDlyC.exe
  C:\Windows\System32\AMzDlyC.exe
  2⤵
  PID:12252
- C:\Windows\System32\wqrLgms.exe
  C:\Windows\System32\wqrLgms.exe
  2⤵
  PID:12280
- C:\Windows\System32\XhGVZXa.exe
  C:\Windows\System32\XhGVZXa.exe
  2⤵
  PID:11068
- C:\Windows\System32\WAwwBuf.exe
  C:\Windows\System32\WAwwBuf.exe
  2⤵
  PID:11356
- C:\Windows\System32\TCaThKT.exe
  C:\Windows\System32\TCaThKT.exe
  2⤵
  PID:11412
- C:\Windows\System32\bgjdXMu.exe
  C:\Windows\System32\bgjdXMu.exe
  2⤵
  PID:11488
- C:\Windows\System32\CuFUDCd.exe
  C:\Windows\System32\CuFUDCd.exe
  2⤵
  PID:11572
- C:\Windows\System32\YcWYMFq.exe
  C:\Windows\System32\YcWYMFq.exe
  2⤵
  PID:11636
- C:\Windows\System32\JtWBEde.exe
  C:\Windows\System32\JtWBEde.exe
  2⤵
  PID:11696
- C:\Windows\System32\MpwJflk.exe
  C:\Windows\System32\MpwJflk.exe
  2⤵
  PID:11788
- C:\Windows\System32\PidRIUp.exe
  C:\Windows\System32\PidRIUp.exe
  2⤵
  PID:11868
- C:\Windows\System32\zeNrfGm.exe
  C:\Windows\System32\zeNrfGm.exe
  2⤵
  PID:11956
- C:\Windows\System32\YiJutTG.exe
  C:\Windows\System32\YiJutTG.exe
  2⤵
  PID:12036
- C:\Windows\System32\ocrYQtH.exe
  C:\Windows\System32\ocrYQtH.exe
  2⤵
  PID:1548
- C:\Windows\System32\IsospRr.exe
  C:\Windows\System32\IsospRr.exe
  2⤵
  PID:3852
- C:\Windows\System32\onUNrGG.exe
  C:\Windows\System32\onUNrGG.exe
  2⤵
  PID:12160
- C:\Windows\System32\hIzqNlk.exe
  C:\Windows\System32\hIzqNlk.exe
  2⤵
  PID:12248
- C:\Windows\System32\KydxqIU.exe
  C:\Windows\System32\KydxqIU.exe
  2⤵
  PID:12272
- C:\Windows\System32\YIKnBDU.exe
  C:\Windows\System32\YIKnBDU.exe
  2⤵
  PID:11440
- C:\Windows\System32\WnzHlep.exe
  C:\Windows\System32\WnzHlep.exe
  2⤵
  PID:11612
- C:\Windows\System32\BBcGxmz.exe
  C:\Windows\System32\BBcGxmz.exe
  2⤵
  PID:11724
- C:\Windows\System32\dorrAMz.exe
  C:\Windows\System32\dorrAMz.exe
  2⤵
  PID:11776
- C:\Windows\System32\OaTDsvW.exe
  C:\Windows\System32\OaTDsvW.exe
  2⤵
  PID:12088
- C:\Windows\System32\vhSobPh.exe
  C:\Windows\System32\vhSobPh.exe
  2⤵
  PID:12188
- C:\Windows\System32\zwtUdSx.exe
  C:\Windows\System32\zwtUdSx.exe
  2⤵
  PID:11600
- C:\Windows\System32\MatGQFU.exe
  C:\Windows\System32\MatGQFU.exe
  2⤵
  PID:11984
- C:\Windows\System32\GkBnEfl.exe
  C:\Windows\System32\GkBnEfl.exe
  2⤵
  PID:12068
- C:\Windows\System32\beZMeQI.exe
  C:\Windows\System32\beZMeQI.exe
  2⤵
  PID:4140
- C:\Windows\System32\EGxkIkS.exe
  C:\Windows\System32\EGxkIkS.exe
  2⤵
  PID:11528
- C:\Windows\System32\KJzapoh.exe
  C:\Windows\System32\KJzapoh.exe
  2⤵
  PID:12300
- C:\Windows\System32\LLQCwDX.exe
  C:\Windows\System32\LLQCwDX.exe
  2⤵
  PID:12328
- C:\Windows\System32\amlaORb.exe
  C:\Windows\System32\amlaORb.exe
  2⤵
  PID:12356
- C:\Windows\System32\hlojowj.exe
  C:\Windows\System32\hlojowj.exe
  2⤵
  PID:12384
- C:\Windows\System32\AigKwUZ.exe
  C:\Windows\System32\AigKwUZ.exe
  2⤵
  PID:12412
- C:\Windows\System32\dRzIWmB.exe
  C:\Windows\System32\dRzIWmB.exe
  2⤵
  PID:12440
- C:\Windows\System32\IAGVnuz.exe
  C:\Windows\System32\IAGVnuz.exe
  2⤵
  PID:12468
- C:\Windows\System32\BQAgKdN.exe
  C:\Windows\System32\BQAgKdN.exe
  2⤵
  PID:12496
- C:\Windows\System32\ByIwUzA.exe
  C:\Windows\System32\ByIwUzA.exe
  2⤵
  PID:12524
- C:\Windows\System32\rKhIwCY.exe
  C:\Windows\System32\rKhIwCY.exe
  2⤵
  PID:12552
- C:\Windows\System32\INRZKtk.exe
  C:\Windows\System32\INRZKtk.exe
  2⤵
  PID:12580
- C:\Windows\System32\nmnOruG.exe
  C:\Windows\System32\nmnOruG.exe
  2⤵
  PID:12608
- C:\Windows\System32\DdZcnnn.exe
  C:\Windows\System32\DdZcnnn.exe
  2⤵
  PID:12636
- C:\Windows\System32\VHkuUvh.exe
  C:\Windows\System32\VHkuUvh.exe
  2⤵
  PID:12664
- C:\Windows\System32\SAcYNRX.exe
  C:\Windows\System32\SAcYNRX.exe
  2⤵
  PID:12692
- C:\Windows\System32\XYXRnLZ.exe
  C:\Windows\System32\XYXRnLZ.exe
  2⤵
  PID:12720
- C:\Windows\System32\AxvWzGp.exe
  C:\Windows\System32\AxvWzGp.exe
  2⤵
  PID:12748
- C:\Windows\System32\jFDmYPH.exe
  C:\Windows\System32\jFDmYPH.exe
  2⤵
  PID:12776
- C:\Windows\System32\FQOqorp.exe
  C:\Windows\System32\FQOqorp.exe
  2⤵
  PID:12804
- C:\Windows\System32\OIrsuvM.exe
  C:\Windows\System32\OIrsuvM.exe
  2⤵
  PID:12832
- C:\Windows\System32\NLpOLjo.exe
  C:\Windows\System32\NLpOLjo.exe
  2⤵
  PID:12860
- C:\Windows\System32\IeTAOlO.exe
  C:\Windows\System32\IeTAOlO.exe
  2⤵
  PID:12888
- C:\Windows\System32\ShJmZUJ.exe
  C:\Windows\System32\ShJmZUJ.exe
  2⤵
  PID:12916
- C:\Windows\System32\mXdBiag.exe
  C:\Windows\System32\mXdBiag.exe
  2⤵
  PID:12944
- C:\Windows\System32\ndIhrQQ.exe
  C:\Windows\System32\ndIhrQQ.exe
  2⤵
  PID:12972
- C:\Windows\System32\EMFQADm.exe
  C:\Windows\System32\EMFQADm.exe
  2⤵
  PID:13000
- C:\Windows\System32\hAXteLO.exe
  C:\Windows\System32\hAXteLO.exe
  2⤵
  PID:13028
- C:\Windows\System32\iPeTQXa.exe
  C:\Windows\System32\iPeTQXa.exe
  2⤵
  PID:13056
- C:\Windows\System32\GxFitfT.exe
  C:\Windows\System32\GxFitfT.exe
  2⤵
  PID:13084
- C:\Windows\System32\mEoscLx.exe
  C:\Windows\System32\mEoscLx.exe
  2⤵
  PID:13124
- C:\Windows\System32\DLXgusF.exe
  C:\Windows\System32\DLXgusF.exe
  2⤵
  PID:13152
- C:\Windows\System32\IhZrevM.exe
  C:\Windows\System32\IhZrevM.exe
  2⤵
  PID:13168
- C:\Windows\System32\mCpbNqs.exe
  C:\Windows\System32\mCpbNqs.exe
  2⤵
  PID:13196
- C:\Windows\System32\YWqQRoD.exe
  C:\Windows\System32\YWqQRoD.exe
  2⤵
  PID:13224
- C:\Windows\System32\XRWjVxP.exe
  C:\Windows\System32\XRWjVxP.exe
  2⤵
  PID:13252
- C:\Windows\System32\ZinPjqV.exe
  C:\Windows\System32\ZinPjqV.exe
  2⤵
  PID:13280
- C:\Windows\System32\DEMefGt.exe
  C:\Windows\System32\DEMefGt.exe
  2⤵
  PID:13308
- C:\Windows\System32\PNwgfcD.exe
  C:\Windows\System32\PNwgfcD.exe
  2⤵
  PID:12348
- C:\Windows\System32\kfpRqaC.exe
  C:\Windows\System32\kfpRqaC.exe
  2⤵
  PID:12408
- C:\Windows\System32\QFINfCR.exe
  C:\Windows\System32\QFINfCR.exe
  2⤵
  PID:12480
- C:\Windows\System32\UodDTll.exe
  C:\Windows\System32\UodDTll.exe
  2⤵
  PID:12544
- C:\Windows\System32\ewdjYHP.exe
  C:\Windows\System32\ewdjYHP.exe
  2⤵
  PID:12624
- C:\Windows\System32\TFBhdmT.exe
  C:\Windows\System32\TFBhdmT.exe
  2⤵
  PID:12676
- C:\Windows\System32\UnYSxqz.exe
  C:\Windows\System32\UnYSxqz.exe
  2⤵
  PID:12740
- C:\Windows\System32\WkCJPCW.exe
  C:\Windows\System32\WkCJPCW.exe
  2⤵
  PID:12800
- C:\Windows\System32\LYsYtqr.exe
  C:\Windows\System32\LYsYtqr.exe
  2⤵
  PID:12872
- C:\Windows\System32\lCYDXIv.exe
  C:\Windows\System32\lCYDXIv.exe
  2⤵
  PID:12940
- C:\Windows\System32\xJUYMYx.exe
  C:\Windows\System32\xJUYMYx.exe
  2⤵
  PID:13020
- C:\Windows\System32\PWwbpWD.exe
  C:\Windows\System32\PWwbpWD.exe
  2⤵
  PID:13080
- C:\Windows\System32\EQmaDCT.exe
  C:\Windows\System32\EQmaDCT.exe
  2⤵
  PID:13132
- C:\Windows\System32\sAnxcMA.exe
  C:\Windows\System32\sAnxcMA.exe
  2⤵
  PID:13208
- C:\Windows\System32\ZWXqtDj.exe
  C:\Windows\System32\ZWXqtDj.exe
  2⤵
  PID:13264
- C:\Windows\System32\NvGKtkC.exe
  C:\Windows\System32\NvGKtkC.exe
  2⤵
  PID:12316
- C:\Windows\System32\IxxvvIO.exe
  C:\Windows\System32\IxxvvIO.exe
  2⤵
  PID:3172
- C:\Windows\System32\gXWhZhd.exe
  C:\Windows\System32\gXWhZhd.exe
  2⤵
  PID:12460
- C:\Windows\System32\eiyDvva.exe
  C:\Windows\System32\eiyDvva.exe
  2⤵
  PID:12600
- C:\Windows\System32\oMlVjob.exe
  C:\Windows\System32\oMlVjob.exe
  2⤵
  PID:12772
- C:\Windows\System32\mOEwNht.exe
  C:\Windows\System32\mOEwNht.exe
  2⤵
  PID:12928
- C:\Windows\System32\cngrSxK.exe
  C:\Windows\System32\cngrSxK.exe
  2⤵
  PID:13048
- C:\Windows\System32\yJGhVcp.exe
  C:\Windows\System32\yJGhVcp.exe
  2⤵
  PID:13296
- C:\Windows\System32\iUAaUYw.exe
  C:\Windows\System32\iUAaUYw.exe
  2⤵
  PID:636
- C:\Windows\System32\XQOsOYN.exe
  C:\Windows\System32\XQOsOYN.exe
  2⤵
  PID:12596
- C:\Windows\System32\QWMIpdB.exe
  C:\Windows\System32\QWMIpdB.exe
  2⤵
  PID:12992
- C:\Windows\System32\KdbvuJF.exe
  C:\Windows\System32\KdbvuJF.exe
  2⤵
  PID:2616
- C:\Windows\System32\RxdGyom.exe
  C:\Windows\System32\RxdGyom.exe
  2⤵
  PID:13188
- C:\Windows\System32\fGvLjdh.exe
  C:\Windows\System32\fGvLjdh.exe
  2⤵
  PID:12900
- C:\Windows\System32\PXevQTY.exe
  C:\Windows\System32\PXevQTY.exe
  2⤵
  PID:13340
- C:\Windows\System32\xxudybE.exe
  C:\Windows\System32\xxudybE.exe
  2⤵
  PID:13368
- C:\Windows\System32\oTncsXh.exe
  C:\Windows\System32\oTncsXh.exe
  2⤵
  PID:13400
- C:\Windows\System32\KFlPKVi.exe
  C:\Windows\System32\KFlPKVi.exe
  2⤵
  PID:13424
- C:\Windows\System32\LbPLpzP.exe
  C:\Windows\System32\LbPLpzP.exe
  2⤵
  PID:13452
- C:\Windows\System32\DBFuqVX.exe
  C:\Windows\System32\DBFuqVX.exe
  2⤵
  PID:13480
- C:\Windows\System32\ckYRMfa.exe
  C:\Windows\System32\ckYRMfa.exe
  2⤵
  PID:13508
- C:\Windows\System32\YXMHibm.exe
  C:\Windows\System32\YXMHibm.exe
  2⤵
  PID:13536
- C:\Windows\System32\BUoTjZD.exe
  C:\Windows\System32\BUoTjZD.exe
  2⤵
  PID:13564
- C:\Windows\System32\jvJwPrU.exe
  C:\Windows\System32\jvJwPrU.exe
  2⤵
  PID:13592
- C:\Windows\System32\Ipjhaqj.exe
  C:\Windows\System32\Ipjhaqj.exe
  2⤵
  PID:13620
- C:\Windows\System32\FnpXJYS.exe
  C:\Windows\System32\FnpXJYS.exe
  2⤵
  PID:13648
- C:\Windows\System32\YSdjpWz.exe
  C:\Windows\System32\YSdjpWz.exe
  2⤵
  PID:13688
- C:\Windows\System32\eXvRRim.exe
  C:\Windows\System32\eXvRRim.exe
  2⤵
  PID:13704
- C:\Windows\System32\RIBJeAZ.exe
  C:\Windows\System32\RIBJeAZ.exe
  2⤵
  PID:13732
- C:\Windows\System32\hGOkypt.exe
  C:\Windows\System32\hGOkypt.exe
  2⤵
  PID:13760
- C:\Windows\System32\FZLCCeO.exe
  C:\Windows\System32\FZLCCeO.exe
  2⤵
  PID:13788
- C:\Windows\System32\ZItTTka.exe
  C:\Windows\System32\ZItTTka.exe
  2⤵
  PID:13816
- C:\Windows\System32\ASlLDja.exe
  C:\Windows\System32\ASlLDja.exe
  2⤵
  PID:13844
- C:\Windows\System32\RHVYent.exe
  C:\Windows\System32\RHVYent.exe
  2⤵
  PID:13872
- C:\Windows\System32\UhHVIFe.exe
  C:\Windows\System32\UhHVIFe.exe
  2⤵
  PID:13900
- C:\Windows\System32\XHOWGjf.exe
  C:\Windows\System32\XHOWGjf.exe
  2⤵
  PID:13928
- C:\Windows\System32\NsXGjTT.exe
  C:\Windows\System32\NsXGjTT.exe
  2⤵
  PID:13956
- C:\Windows\System32\AcAByBB.exe
  C:\Windows\System32\AcAByBB.exe
  2⤵
  PID:13984
- C:\Windows\System32\kwuhtPV.exe
  C:\Windows\System32\kwuhtPV.exe
  2⤵
  PID:14016
- C:\Windows\System32\vYPlCyL.exe
  C:\Windows\System32\vYPlCyL.exe
  2⤵
  PID:14072
- C:\Windows\System32\CkJedhN.exe
  C:\Windows\System32\CkJedhN.exe
  2⤵
  PID:14116
- C:\Windows\System32\aOnwGAY.exe
  C:\Windows\System32\aOnwGAY.exe
  2⤵
  PID:14164
- C:\Windows\System32\HtYfhnB.exe
  C:\Windows\System32\HtYfhnB.exe
  2⤵
  PID:14236

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BByUXUE.exe

Filesize
3.0MB

MD5
e018a5826a1d428a341b319f9b6dd7e3

SHA1
a921b6b05035bafc20ff59f062ea65cdd554a2e4

SHA256
9ddd145ffe3eda86f9773c6cf233dd3083d45214e7f74215ff5210da80910913

SHA512
7db0cff55275237c18765782e7833339a8bb1fd2d4e88360417584d0b5c9dcac7b4ebe4e92609468ed66690a942a3dd6c0fc3f7dffd6a7dc871bf840a20f9144

Download Submit
C:\Windows\System32\EGKKpEA.exe

Filesize
3.0MB

MD5
57c07a49553ce80f3cc29c6161f4cd6e

SHA1
34d3f1e40a3129bde69a7b58fe277b4bc146a8cd

SHA256
51f51bdb7bb53f4a66d974cb8721a4ce060b12b524f99e1566c3882b550b4d84

SHA512
dbb2e6353a6cb1d334d5a257ecf6fc29944d27dbe35bf462b634fee324fbd640712c371cd5737940d292ed5adc4d12be6e6b56193d5a4ff614ad2e4846326362

Download Submit
C:\Windows\System32\FhrCoXl.exe

Filesize
3.0MB

MD5
636835097db81ea34bc0937cb17b772a

SHA1
44e9de4034872eefc432354b3f554d297cacbaa8

SHA256
c35087d25a3dacda2a0dfc919839202d6da41d32878b5f34edaad964add17532

SHA512
9c04c62943e9bfa1e9915e5d77bb8453229b3cc975f84ee98355cadb78bdbdf616cec92bd3fa671598692d7d43ed181700de9d77ba7095c5dd35ce47eb20c84a

Download Submit
C:\Windows\System32\GFbKCuI.exe

Filesize
3.0MB

MD5
aa6edb1122237da58851d33db06ca0c0

SHA1
3bd5b3632fda5cf18175ea4d45d907bba9e172bb

SHA256
d61385bf7943ca2500657ecedc64ab713ae3008f2bd4f1f8d438d845ffa1903c

SHA512
2a1887a9f80448e77d4ea24fac082e16a204cf094f2fb3c7bcad90dd6f06de69df7e7626f62eea5849fa235c275c14b68ec7716817d329d7ed9d1383a14ec821

Download Submit
C:\Windows\System32\HuKIvNl.exe

Filesize
3.0MB

MD5
0f001bebfc0dc00a2866c76c14d8c882

SHA1
3c6fa33eed0fc06f4629959d9855de657492894e

SHA256
dc95d0f30b895cf790c4975851aa6787baec2272c91b0578003d4383342c052b

SHA512
0caf383d791e4f8926a96cffdee858e1871dbeec644f386656f529db4fbe60e2198f200b074aad3fde964cc2a662cbb75453ae19851af983e5648d1e25855a94

Download Submit
C:\Windows\System32\HuNdpmc.exe

Filesize
3.0MB

MD5
8f928bfbeb1c5d3a9f9bd9768f032461

SHA1
683a9d8da627035bbc31ec988fd4b9c937328299

SHA256
c9a2bb31699487b8841711377be32861157d7485da74280ba5297c6dfc4eb4df

SHA512
8ffb243bdda05db32619e7919a2988c5d33b3b1eeda936a4fe07cab990f969687a9509c19f7f7fe4b643fe66498b647c4c31337acca368ef3566186a02843cb7

Download Submit
C:\Windows\System32\IDuVemX.exe

Filesize
3.0MB

MD5
40cadb357539dbb9c930f6afca09c385

SHA1
082167719c24ef1e2b98fef4e373bc21b99a1417

SHA256
5c852a51bdc7cbacb8b20a96a1f704e14982d394ca52cfdb7c956ac76b30f7ad

SHA512
1aa0f591bd67a42e115ad847a32d20f2a4664a948b30e263d2486de307c6d8f3444ef76838ffd83a4640c415cc224a0c5d6042373917a0cd7f48c385353fcc87

Download Submit
C:\Windows\System32\JzQRjko.exe

Filesize
3.0MB

MD5
7fdbb1ba881e003352dc94abc326a425

SHA1
a901a631efab78c6ead16688235615ce6acc02ad

SHA256
bc9faa98f82919f2ec7e3043ecf010ae2fba91c39b17163044d57ee2f419667e

SHA512
f70d6380ad709f527191934f4a76c933489294db6d11fe37350316cb7771f53bc354e047762a39611ef89fae984fbdb1d5122610f2abc8b7ce1df39b5eed43a6

Download Submit
C:\Windows\System32\LFkzdCQ.exe

Filesize
3.0MB

MD5
59e6da63b94a70733d48441055c7bec0

SHA1
54e0df68772ff239a94d24846b25da75d430e5df

SHA256
cc686c29d85f036fe1e035346bf27ab5be77e2bd90832b0364b5ee7b8036aa50

SHA512
b25e3155bc8dd92c8731606e01b7bb5bc2d8fae520c9e8a0773ac0447c263da20e388e5848689987123b0a3a67f62c5da48c5cac47cc76fbe8dd1912ac3e2c42

Download Submit
C:\Windows\System32\MpEDZEj.exe

Filesize
3.0MB

MD5
cf876a9368812b95ddd0b7a40231bf01

SHA1
d7d340bbe75db43505b5f5869fef868601e29ef9

SHA256
b23509e3c50c22567e016e24a383c8cf1b303713f0746ba4155877c7878bba83

SHA512
a4fc5872fb2658489d5881e6fe037972d4f0f58a951f5ded6a829d205255871fe900a9467fe1d8a73a207acf3573ef064c88b87898b1e85ff9a11ff18ef8bc5b

Download Submit
C:\Windows\System32\QiiaPFZ.exe

Filesize
3.0MB

MD5
e1042d7682d980810ec99e7b5de5c364

SHA1
d0c1a8db8d7160273999378bfe930788243e8aff

SHA256
c07dd343625df59730fb8edc08b36b744d24d0846338130955e2f842dcf92932

SHA512
1624e7b1b6b33d2ffad5085f2d425e0345f94fffd7dc4003d00860fa64561b8b4b8271214f44e30d4de73c0152cc6945fa4ef3edbed7f2e26e3dccacda96d17b

Download Submit
C:\Windows\System32\RsVJKKr.exe

Filesize
3.0MB

MD5
c39b4a0fe3f1c24210a1d6ce3808bfee

SHA1
6baa8bdb7c7bf6872ddd6e3ea4c8741703d3cff3

SHA256
d1c8dd75f07a848b283e1f16e046fd7cdd7ff7c06222baa813539309a5947fb9

SHA512
689f0e2b9213b4ad8c423a9c82c8092d8d84701c1794f42ec96f712a68258bb018fd5c20fab850263495b6fbca2410cf9b5c8383fc18f20959550632ce16b828

Download Submit
C:\Windows\System32\SCEqIue.exe

Filesize
3.0MB

MD5
a7185d5303d68e40ab1e1c0bb32f09d4

SHA1
51b1441375c0d3589c33919a47a0de075efd1033

SHA256
d58a738195a0ce1d2029f69896b7788eb223790cf3a8d75abdbbb4f9570df4c4

SHA512
abcc5b8061050d3a1f8346e3de2d65203cdb3625c29c41649f59f6fe35db5bfdd2fbdcefd202d6b1615718e593e77a801e729fca98f2ae70ae863db89cba57b4

Download Submit
C:\Windows\System32\VYtBPmA.exe

Filesize
3.0MB

MD5
9f4a9c2cf7431bedf738662a1ee8241f

SHA1
1669b72932b3e1c632f69a57c35b1e20d5e865cc

SHA256
a73d9c7f089d5913635b100f6df825239c2f31d56f10de6f0ff4ce17a4f48331

SHA512
445c6d68bc614605dba374ae8916829112e2e36c11f747dc45ba46cc9324e816d95e120e1e0512d442520e7e7c4acbc74c556c123e8a52d041fa1878cf8b9f9b

Download Submit
C:\Windows\System32\WAwVmNH.exe

Filesize
3.0MB

MD5
bc1e25765dc1b877543cc029fd619f23

SHA1
673c1046fd9fb0ed448ee999bef7236881ab76b1

SHA256
485eb629886930bf2fc2aa951da283700ae85cd3c32e65549a7d1b2c4694bcd5

SHA512
0ecd982678fd616fb035bb8dc2a09d6c149681dd899da9bc2d9769c543b5890c2db5b008d7f342b14142247e058fa2e8c745d7b25baf9fc93b6f14131db78493

Download Submit
C:\Windows\System32\WQAnlPH.exe

Filesize
3.0MB

MD5
993b0f6d8d75c723e1fe521e982ed346

SHA1
376f946780a9fdfc697f6b38d5c0b02305916f17

SHA256
b77c38c5b6f846826b6997187cf2448a2a302a5726993bd3fbc7df83132db36a

SHA512
532a2b6a9dacd1988a575a5316c642deaca89f15d63ec444d85c87278f8222f098f05710956fe87201f6e1fa5acf34fd19a4edc83cfa4ab77f3bcbd354e18d53

Download Submit
C:\Windows\System32\Wsraiiq.exe

Filesize
3.0MB

MD5
23c2a75f321e5d2a1174f520555aedbf

SHA1
faf2326eea3f9ad9e05877532b5b8ace9bc7561d

SHA256
c8af2c480d09c65976d1e8c4e5432a9b857685242dc80e5f8798b4e69c6d3a97

SHA512
6f6355ce20cab433e0e9e573e77852281d752b2ea036e79b702dfe39e441952c0a838e623036dac6d2e9c13ccc19d5605fcd21749f7e29690bf6558d639a2810

Download Submit
C:\Windows\System32\YwAhrAs.exe

Filesize
3.0MB

MD5
5f15dd71420c8e63fa0ce1cc1631c13d

SHA1
2f55b42d8ae33320515ff4074e547a7c0c020579

SHA256
33678e4cd48177f527a0bb48cb8240688f3974b691c047f987c0f6f5edd7039b

SHA512
c5c429f2f4d34b9234ef6d28cc3317341b66db95e88c86eee24dac78c8115fcb74365bf1de762d174cc5fad64b9e56e0b22d2d2ec2f7550776a7db3459275111

Download Submit
C:\Windows\System32\aDrnnyh.exe

Filesize
3.0MB

MD5
22007d4b1fc96ed6cb7bfa3f75a386d8

SHA1
de152f59953bdc546b8131c06c2db9832528acfa

SHA256
7be87fea2d7c5d5f2beb660fa858140194712d0c30620685dc7b699ac647a18f

SHA512
1d7e1344dadfeeb2bbca85d861188269a3c8b563382e67952c5e1a7d58353c05cac17beee760c47ac2142677eee9be0c9ac48c27d0a91a7d2dc60e409dbf7c37

Download Submit
C:\Windows\System32\cjWibfo.exe

Filesize
3.0MB

MD5
5436bd91f84f1e3d770ce1533bb74ad4

SHA1
f8b25dc3e9b0f9b117186afee17216118e8108df

SHA256
80cf47f303d73280743b0584edece1c4839bbc2ca1421915b4df0c884d5e1b6f

SHA512
69399eec1fbe0dd8c25ac7a40722d11a1d4103fae6f35431af7a4f12df4b2f54038966ec96224c62815d8fbea63e1eb74371f02963e8f059dd1f25e8951c9d8e

Download Submit
C:\Windows\System32\eNNqSqy.exe

Filesize
3.0MB

MD5
91f33d7f89c1b24c844833fe58e14252

SHA1
6a98e67d3f76c40a0da46874fcb0d8d875d7f06b

SHA256
d051a08e319a69c9ff86035ceb401c49d926c5c8639b04dc1daa7a836d53ca8c

SHA512
82e5b1c0001ebe058b92b69143cbbd0ff7a8bb794bfd23be84a10d38aa7927ae7b9883af4a057673ecde442aa7541480cb6d3c1aac169d3db72fbbfc6514812b

Download Submit
C:\Windows\System32\hhLXthf.exe

Filesize
3.0MB

MD5
c695e770ec8884ff99b0b8d2db47b6b4

SHA1
6f88f94e4862ebaebe721f5dd1922c604cc7600e

SHA256
f45423a7c6ca80aebda9685428dc2dd55c1a63d5c555e67f385df3511a1f73dc

SHA512
56d5bb566e79533a10dfa33d38242d270d4548ab73474b925c0de509f303da21100460edf92897441a8247b1fea42654a89b3a82eed07a18e4188cb9a3a304e1

Download Submit
C:\Windows\System32\kmkoZPT.exe

Filesize
3.0MB

MD5
6bf772f9874592809005a37ce94917df

SHA1
eb467cc4cd1d7df6335a232b5a9d93082d067a99

SHA256
4613354b6559c6c162d4a5b5a76ea039071af479b6190ab05e0bdeea1d0cd570

SHA512
a4f209d8090d002c637d77cf4f161ccf267b346a7c8a6a91b4c6b4ed9d694cb507a3a6bd1225bfad164691b2b65911070798f2eaac02dbc0c41c058b40beef3e

Download Submit
C:\Windows\System32\nyhtswj.exe

Filesize
3.0MB

MD5
d23c7eb8a9a77b7af8c2fe4e208c3bd5

SHA1
a6c66301ab07a5d034ab6ce84cf2ffd699aa14d0

SHA256
aceecb5dbc6fb96fc3023e5aadbcaa75b43dc3700fd1b76d745477e47a35d52e

SHA512
a7e6d4419b9f7055db674cc12f8a7ed84bd3756b56e7052c9d5f6dc9d557cfffede7b5c58f6e80367de8fc278f392118f4762905a2ff5723c711f2907debacef

Download Submit
C:\Windows\System32\oKKeprz.exe

Filesize
3.0MB

MD5
144082ddcc37b2fe79204a85f41cbd49

SHA1
1a0f82205dd4e44b390e6c0c0bfab493a3ebd25d

SHA256
977b90655e6e0b6c9c2ecee62a50c6cefb472de16aa64dbd4611ca3d4c9909a6

SHA512
63a684bcd22872ba17ccd0a00e34ba67f6b7c9349c8cb04d09b763c06aa92fdcda432e1347116e29389ba436dac09ae84716e5afbfdc8012784067969d1e72ca

Download Submit
C:\Windows\System32\oPogZes.exe

Filesize
3.0MB

MD5
bf69c020db4b130622333f7c39736b8b

SHA1
ceb92c13c4fc1090e185fddf52ba53863d9d0a59

SHA256
0f83db51fee25ccdcf1f1d725a928a6b1a4eb5160a84c23cf02687fb1c744fc3

SHA512
816db318eee23729b3341fb1949c66bf6cb03b05bdd551617c1bf2a56cb03b2228a0706b01f3cbb7654f8c57da537772481df0f00661ead46c0f3ab2a62eb60f

Download Submit
C:\Windows\System32\sGLVCmd.exe

Filesize
3.0MB

MD5
71fbc1f63cabb5ce29f68988ff6e1161

SHA1
f5115a79ff02e17a88707c49ca2b0aac07971c19

SHA256
f93f5dd07f4b15018694eaac2927949d57f9b9ac93be24cbc1e62aa6506ff60d

SHA512
226d69a06ced6f3b339fd9cc4ece904a367485a0e492028e318164cba03c9544cdf544f693a4a078db974f078ecd8a6a083caaa793a72c6eebcf49fa97b89fc9

Download Submit
C:\Windows\System32\vHOJhsY.exe

Filesize
3.0MB

MD5
e578ba25241f58ab5195ee50fa766dcf

SHA1
346e535186e6b34d453b3547a4891544104eeb2d

SHA256
acdcfffbc5994c2ce829aaf824ac86c038130f5b4ec43f527ad9823d322eb803

SHA512
ac68e1ab83b3e7a151f640080b12ae878062ea3743b5491df3fe41aa15725132006416ae883412cf345e21908d5d5e6f5fe9a3da1a0ff772cc6fb68ce620f5fd

Download Submit
C:\Windows\System32\xWwrOoI.exe

Filesize
3.0MB

MD5
7c2e91fae6c5ccdd01288cecd47892d0

SHA1
1c06a7c24201e75ddf2461d8b3ee558c63f3dd5a

SHA256
f8609f766854983b6c5784d0853a72c82139592cd1750f1654a5130cb1143654

SHA512
a7afe0f137efa2a25cf9530fd69a4f43c455b9ac77cb6d9e66cd70acc50dcc456685ef3e9d01fd7f74046580cbba6badd0f3b7301123ce7b209bd9fe9a2b989c

Download Submit
C:\Windows\System32\yKQrBQj.exe

Filesize
3.0MB

MD5
e9d4366f1acca75e8e2650c2993d2445

SHA1
f2c66979a0acdf65dc6bd34dd8308330864cd3a0

SHA256
e503f3d3e63c666bff8b93afd4b9cedd158a362ad6d1665c1ff028cbc4356d01

SHA512
8a58b32687078092bbe483f448d607858aebcb24da91bd8c212bc1846b661c2adb050db208a8da422356a333476ea4fe0047d9ff3369d8b90bc808e9748a6c90

Download Submit
C:\Windows\System32\yKbcfyd.exe

Filesize
3.0MB

MD5
97906ee679276a62dd20e1865972b105

SHA1
d989f720d6904bd932f0e30c67edeec185b351bb

SHA256
9ef6dc7f2dfca40e13d24ae8c7ec905e053e3f8384f04e78de69c1b193535c08

SHA512
f5b8b0116e30694b478a69651ac2e5ab6c48285de69eb3c980c936e72da82e28facf6fccaefc9e4ad86fbe6a08feb9e3b66170f05bf9be91f6a7f2c0501c42fc

Download Submit
C:\Windows\System32\znBGCGd.exe

Filesize
3.0MB

MD5
7927630b65d13e84e6a4f9376a1316e0

SHA1
6b8e7bcfe063aec688a3439a62b15b63b70e2e7f

SHA256
7dd012154abfb4ae34e0b035fece0eab84ed62b0bdc21ac5d0da0631153d1fdb

SHA512
490da5bc85a5684d10009d4ede63a15a7f8e6d799defd8dac30b5496c6c49cf1e849e88cc7209ac2a07c88407a75d3faaca3e1b94d332a07fc92817009d1a0c7

Download Submit
memory/212-1298-0x00007FF7175E0000-0x00007FF7179D5000-memory.dmp

Filesize
4.0MB

Download
memory/212-1973-0x00007FF7175E0000-0x00007FF7179D5000-memory.dmp

Filesize
4.0MB

Download
memory/212-14-0x00007FF7175E0000-0x00007FF7179D5000-memory.dmp

Filesize
4.0MB

Download
memory/224-1984-0x00007FF6CD6C0000-0x00007FF6CDAB5000-memory.dmp

Filesize
4.0MB

Download
memory/224-700-0x00007FF6CD6C0000-0x00007FF6CDAB5000-memory.dmp

Filesize
4.0MB

Download
memory/400-0-0x00007FF73B9A0000-0x00007FF73BD95000-memory.dmp

Filesize
4.0MB

Download
memory/400-1079-0x00007FF73B9A0000-0x00007FF73BD95000-memory.dmp

Filesize
4.0MB

Download
memory/400-1-0x000002A4C97D0000-0x000002A4C97E0000-memory.dmp

Filesize
64KB

Download
memory/1068-745-0x00007FF7BD5C0000-0x00007FF7BD9B5000-memory.dmp

Filesize
4.0MB

Download
memory/1068-1989-0x00007FF7BD5C0000-0x00007FF7BD9B5000-memory.dmp

Filesize
4.0MB

Download
memory/1376-751-0x00007FF6E8AE0000-0x00007FF6E8ED5000-memory.dmp

Filesize
4.0MB

Download
memory/1376-1978-0x00007FF6E8AE0000-0x00007FF6E8ED5000-memory.dmp

Filesize
4.0MB

Download
memory/1612-1990-0x00007FF69A470000-0x00007FF69A865000-memory.dmp

Filesize
4.0MB

Download
memory/1612-725-0x00007FF69A470000-0x00007FF69A865000-memory.dmp

Filesize
4.0MB

Download
memory/1756-696-0x00007FF7B2480000-0x00007FF7B2875000-memory.dmp

Filesize
4.0MB

Download
memory/1756-1985-0x00007FF7B2480000-0x00007FF7B2875000-memory.dmp

Filesize
4.0MB

Download
memory/1772-1980-0x00007FF7CFF80000-0x00007FF7D0375000-memory.dmp

Filesize
4.0MB

Download
memory/1772-707-0x00007FF7CFF80000-0x00007FF7D0375000-memory.dmp

Filesize
4.0MB

Download
memory/1848-1979-0x00007FF6E6A50000-0x00007FF6E6E45000-memory.dmp

Filesize
4.0MB

Download
memory/1848-709-0x00007FF6E6A50000-0x00007FF6E6E45000-memory.dmp

Filesize
4.0MB

Download
memory/1908-1994-0x00007FF7EF480000-0x00007FF7EF875000-memory.dmp

Filesize
4.0MB

Download
memory/1908-735-0x00007FF7EF480000-0x00007FF7EF875000-memory.dmp

Filesize
4.0MB

Download
memory/2008-1977-0x00007FF6E3670000-0x00007FF6E3A65000-memory.dmp

Filesize
4.0MB

Download
memory/2008-1537-0x00007FF6E3670000-0x00007FF6E3A65000-memory.dmp

Filesize
4.0MB

Download
memory/2008-694-0x00007FF6E3670000-0x00007FF6E3A65000-memory.dmp

Filesize
4.0MB

Download
memory/2112-8-0x00007FF68DA20000-0x00007FF68DE15000-memory.dmp

Filesize
4.0MB

Download
memory/2112-1186-0x00007FF68DA20000-0x00007FF68DE15000-memory.dmp

Filesize
4.0MB

Download
memory/2112-1972-0x00007FF68DA20000-0x00007FF68DE15000-memory.dmp

Filesize
4.0MB

Download
memory/2200-1981-0x00007FF7C4610000-0x00007FF7C4A05000-memory.dmp

Filesize
4.0MB

Download
memory/2200-697-0x00007FF7C4610000-0x00007FF7C4A05000-memory.dmp

Filesize
4.0MB

Download
memory/2528-699-0x00007FF6BC780000-0x00007FF6BCB75000-memory.dmp

Filesize
4.0MB

Download
memory/2528-1988-0x00007FF6BC780000-0x00007FF6BCB75000-memory.dmp

Filesize
4.0MB

Download
memory/2596-720-0x00007FF727FD0000-0x00007FF7283C5000-memory.dmp

Filesize
4.0MB

Download
memory/2596-1986-0x00007FF727FD0000-0x00007FF7283C5000-memory.dmp

Filesize
4.0MB

Download
memory/3048-1983-0x00007FF64F310000-0x00007FF64F705000-memory.dmp

Filesize
4.0MB

Download
memory/3048-711-0x00007FF64F310000-0x00007FF64F705000-memory.dmp

Filesize
4.0MB

Download
memory/3184-698-0x00007FF68FEA0000-0x00007FF690295000-memory.dmp

Filesize
4.0MB

Download
memory/3184-1982-0x00007FF68FEA0000-0x00007FF690295000-memory.dmp

Filesize
4.0MB

Download
memory/3320-730-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp

Filesize
4.0MB

Download
memory/3320-1992-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp

Filesize
4.0MB

Download
memory/3428-1976-0x00007FF67E970000-0x00007FF67ED65000-memory.dmp

Filesize
4.0MB

Download
memory/3428-695-0x00007FF67E970000-0x00007FF67ED65000-memory.dmp

Filesize
4.0MB

Download
memory/3512-750-0x00007FF666B40000-0x00007FF666F35000-memory.dmp

Filesize
4.0MB

Download
memory/3512-1995-0x00007FF666B40000-0x00007FF666F35000-memory.dmp

Filesize
4.0MB

Download
memory/4012-1987-0x00007FF730920000-0x00007FF730D15000-memory.dmp

Filesize
4.0MB

Download
memory/4012-702-0x00007FF730920000-0x00007FF730D15000-memory.dmp

Filesize
4.0MB

Download
memory/4116-1975-0x00007FF68D130000-0x00007FF68D525000-memory.dmp

Filesize
4.0MB

Download
memory/4116-27-0x00007FF68D130000-0x00007FF68D525000-memory.dmp

Filesize
4.0MB

Download
memory/4116-1534-0x00007FF68D130000-0x00007FF68D525000-memory.dmp

Filesize
4.0MB

Download
memory/4120-1991-0x00007FF6B3210000-0x00007FF6B3605000-memory.dmp

Filesize
4.0MB

Download
memory/4120-722-0x00007FF6B3210000-0x00007FF6B3605000-memory.dmp

Filesize
4.0MB

Download
memory/4572-1974-0x00007FF72B730000-0x00007FF72BB25000-memory.dmp

Filesize
4.0MB

Download
memory/4572-21-0x00007FF72B730000-0x00007FF72BB25000-memory.dmp

Filesize
4.0MB

Download
memory/4572-1419-0x00007FF72B730000-0x00007FF72BB25000-memory.dmp

Filesize
4.0MB

Download
memory/4932-731-0x00007FF7CF1E0000-0x00007FF7CF5D5000-memory.dmp

Filesize
4.0MB

Download
memory/4932-1993-0x00007FF7CF1E0000-0x00007FF7CF5D5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads