xmrig | c1dbe639375dd1d4c9b62fb73dd0a005d8a03ae93909c64101354e3427738d01

Analysis

max time kernel
100s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 00:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c1a802876c530a900f8a6dcbb586080N.exe
Size

1.5MB
MD5

2c1a802876c530a900f8a6dcbb586080
SHA1

9dac269836f228c4175353acd89246a39c532546
SHA256

c1dbe639375dd1d4c9b62fb73dd0a005d8a03ae93909c64101354e3427738d01
SHA512

895c200b9d5959d916ff32507f3107bf303e0d8d5784396956841a8499319b44fe8928a8213364b3281e916b2c69409bed3b891f236671bae16c93c1142665a4
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlOqzJO0L0+EYPcfgV/4zuq/lw4244PNJ+SZ7tR7lQ3:knw9oUUEEDlOuJvhV/yl14P9nC

Score

10^/10

xmrig miner persistence privilege_escalation upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1456-39-0x00007FF6B7200000-0x00007FF6B75F1000-memory.dmp	xmrig
behavioral2/memory/2384-397-0x00007FF64D4C0000-0x00007FF64D8B1000-memory.dmp	xmrig
behavioral2/memory/2636-398-0x00007FF6F33B0000-0x00007FF6F37A1000-memory.dmp	xmrig
behavioral2/memory/2664-400-0x00007FF7420E0000-0x00007FF7424D1000-memory.dmp	xmrig
behavioral2/memory/4988-399-0x00007FF6D2B40000-0x00007FF6D2F31000-memory.dmp	xmrig
behavioral2/memory/3556-62-0x00007FF6568F0000-0x00007FF656CE1000-memory.dmp	xmrig
behavioral2/memory/4308-59-0x00007FF70DFB0000-0x00007FF70E3A1000-memory.dmp	xmrig
behavioral2/memory/1468-58-0x00007FF7EC950000-0x00007FF7ECD41000-memory.dmp	xmrig
behavioral2/memory/2392-29-0x00007FF61DA00000-0x00007FF61DDF1000-memory.dmp	xmrig
behavioral2/memory/720-20-0x00007FF6A2170000-0x00007FF6A2561000-memory.dmp	xmrig
behavioral2/memory/2396-402-0x00007FF638F50000-0x00007FF639341000-memory.dmp	xmrig
behavioral2/memory/608-403-0x00007FF6D75A0000-0x00007FF6D7991000-memory.dmp	xmrig
behavioral2/memory/3908-404-0x00007FF726CE0000-0x00007FF7270D1000-memory.dmp	xmrig
behavioral2/memory/2264-406-0x00007FF61CAE0000-0x00007FF61CED1000-memory.dmp	xmrig
behavioral2/memory/4336-407-0x00007FF7FB1A0000-0x00007FF7FB591000-memory.dmp	xmrig
behavioral2/memory/3720-405-0x00007FF7A0B50000-0x00007FF7A0F41000-memory.dmp	xmrig
behavioral2/memory/4744-401-0x00007FF6F77B0000-0x00007FF6F7BA1000-memory.dmp	xmrig
behavioral2/memory/2548-419-0x00007FF7B4550000-0x00007FF7B4941000-memory.dmp	xmrig
behavioral2/memory/1428-423-0x00007FF6961F0000-0x00007FF6965E1000-memory.dmp	xmrig
behavioral2/memory/1108-414-0x00007FF6BF960000-0x00007FF6BFD51000-memory.dmp	xmrig
behavioral2/memory/736-1494-0x00007FF660290000-0x00007FF660681000-memory.dmp	xmrig
behavioral2/memory/4348-1496-0x00007FF7BC8F0000-0x00007FF7BCCE1000-memory.dmp	xmrig
behavioral2/memory/1292-1965-0x00007FF63E610000-0x00007FF63EA01000-memory.dmp	xmrig
behavioral2/memory/1192-1966-0x00007FF6162C0000-0x00007FF6166B1000-memory.dmp	xmrig
behavioral2/memory/736-2000-0x00007FF660290000-0x00007FF660681000-memory.dmp	xmrig
behavioral2/memory/4348-2017-0x00007FF7BC8F0000-0x00007FF7BCCE1000-memory.dmp	xmrig
behavioral2/memory/2564-2019-0x00007FF61A370000-0x00007FF61A761000-memory.dmp	xmrig
behavioral2/memory/720-2021-0x00007FF6A2170000-0x00007FF6A2561000-memory.dmp	xmrig
behavioral2/memory/2392-2023-0x00007FF61DA00000-0x00007FF61DDF1000-memory.dmp	xmrig
behavioral2/memory/1456-2031-0x00007FF6B7200000-0x00007FF6B75F1000-memory.dmp	xmrig
behavioral2/memory/1192-2029-0x00007FF6162C0000-0x00007FF6166B1000-memory.dmp	xmrig
behavioral2/memory/4308-2033-0x00007FF70DFB0000-0x00007FF70E3A1000-memory.dmp	xmrig
behavioral2/memory/1292-2027-0x00007FF63E610000-0x00007FF63EA01000-memory.dmp	xmrig
behavioral2/memory/1468-2025-0x00007FF7EC950000-0x00007FF7ECD41000-memory.dmp	xmrig
behavioral2/memory/4744-2045-0x00007FF6F77B0000-0x00007FF6F7BA1000-memory.dmp	xmrig
behavioral2/memory/2396-2047-0x00007FF638F50000-0x00007FF639341000-memory.dmp	xmrig
behavioral2/memory/3720-2053-0x00007FF7A0B50000-0x00007FF7A0F41000-memory.dmp	xmrig
behavioral2/memory/608-2049-0x00007FF6D75A0000-0x00007FF6D7991000-memory.dmp	xmrig
behavioral2/memory/3908-2051-0x00007FF726CE0000-0x00007FF7270D1000-memory.dmp	xmrig
behavioral2/memory/2384-2043-0x00007FF64D4C0000-0x00007FF64D8B1000-memory.dmp	xmrig
behavioral2/memory/2636-2041-0x00007FF6F33B0000-0x00007FF6F37A1000-memory.dmp	xmrig
behavioral2/memory/2664-2037-0x00007FF7420E0000-0x00007FF7424D1000-memory.dmp	xmrig
behavioral2/memory/4988-2039-0x00007FF6D2B40000-0x00007FF6D2F31000-memory.dmp	xmrig
behavioral2/memory/3556-2035-0x00007FF6568F0000-0x00007FF656CE1000-memory.dmp	xmrig
behavioral2/memory/1428-2064-0x00007FF6961F0000-0x00007FF6965E1000-memory.dmp	xmrig
behavioral2/memory/2548-2061-0x00007FF7B4550000-0x00007FF7B4941000-memory.dmp	xmrig
behavioral2/memory/1108-2059-0x00007FF6BF960000-0x00007FF6BFD51000-memory.dmp	xmrig
behavioral2/memory/4336-2057-0x00007FF7FB1A0000-0x00007FF7FB591000-memory.dmp	xmrig
behavioral2/memory/2264-2055-0x00007FF61CAE0000-0x00007FF61CED1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4348	etiXwVi.exe
2564	ikWMJdE.exe
720	rgfXczY.exe
2392	MXRInKQ.exe
1292	MgkOnLy.exe
1456	qjlwUva.exe
1192	TrqDVug.exe
1468	jnkYtUs.exe
4308	ekcddIN.exe
3556	yXIvIFM.exe
2384	IbiqFmJ.exe
2636	uzdnPbG.exe
4988	GmfXjxY.exe
2664	gRDyEwb.exe
4744	BBHasPp.exe
2396	JNKDcHV.exe
608	fhaemqi.exe
3908	rkzdqXy.exe
3720	VRRkfqN.exe
2264	bPXojSE.exe
4336	XwqMIMN.exe
1108	xZgdheu.exe
2548	cJDxpSW.exe
1428	MTAOrCu.exe
4016	RzuPIei.exe
1008	MoasSXl.exe
1752	WbKDIpZ.exe
3260	tlBKYSb.exe
3480	fGXTrcV.exe
2800	sAzLtKx.exe
2344	lmoEIVM.exe
1696	CXAstQM.exe
2864	gihTMcD.exe
2936	gPWiiZk.exe
5084	dGnltRT.exe
1716	SHjUXgn.exe
4972	uvetLtp.exe
2060	TIyzdgK.exe
1968	dwTRHto.exe
3456	muijGDF.exe
3352	VXwoMgT.exe
2984	nVlZocu.exe
5096	MIguxok.exe
2016	DJCFdAf.exe
2988	pjdVMgZ.exe
3488	lyyycQs.exe
4440	VbYwkfE.exe
2952	PXLpIam.exe
3576	efAjGnh.exe
4384	ptabVMn.exe
3256	IqFvIkA.exe
1320	meaytnP.exe
4200	mFCVZit.exe
396	dMliPsp.exe
3496	ZPMGBmt.exe
5064	TINQOys.exe
3112	TPRLeRx.exe
2712	UEtzrFc.exe
2628	BWRPQSN.exe
4540	tlktpdu.exe
1248	Gcooqos.exe
3716	dVhuibO.exe
4472	NeovJiq.exe
1384	UBvHCyf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/736-0-0x00007FF660290000-0x00007FF660681000-memory.dmp	upx
behavioral2/files/0x00080000000234df-5.dat	upx
behavioral2/memory/4348-11-0x00007FF7BC8F0000-0x00007FF7BCCE1000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-10.dat	upx
behavioral2/memory/2564-13-0x00007FF61A370000-0x00007FF61A761000-memory.dmp	upx
behavioral2/files/0x00070000000234e4-8.dat	upx
behavioral2/files/0x00070000000234e5-24.dat	upx
behavioral2/files/0x00070000000234e6-27.dat	upx
behavioral2/memory/1292-30-0x00007FF63E610000-0x00007FF63EA01000-memory.dmp	upx
behavioral2/files/0x00070000000234e8-35.dat	upx
behavioral2/files/0x00070000000234e7-37.dat	upx
behavioral2/memory/1456-39-0x00007FF6B7200000-0x00007FF6B75F1000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-51.dat	upx
behavioral2/files/0x00070000000234ea-53.dat	upx
behavioral2/files/0x00070000000234eb-57.dat	upx
behavioral2/files/0x00070000000234ec-66.dat	upx
behavioral2/files/0x00070000000234ed-69.dat	upx
behavioral2/files/0x00070000000234ef-81.dat	upx
behavioral2/files/0x00070000000234f1-89.dat	upx
behavioral2/files/0x00070000000234f4-106.dat	upx
behavioral2/files/0x00070000000234f6-119.dat	upx
behavioral2/files/0x00070000000234f8-126.dat	upx
behavioral2/files/0x00070000000234fa-136.dat	upx
behavioral2/files/0x00070000000234ff-161.dat	upx
behavioral2/files/0x0007000000023501-171.dat	upx
behavioral2/memory/2384-397-0x00007FF64D4C0000-0x00007FF64D8B1000-memory.dmp	upx
behavioral2/memory/2636-398-0x00007FF6F33B0000-0x00007FF6F37A1000-memory.dmp	upx
behavioral2/memory/2664-400-0x00007FF7420E0000-0x00007FF7424D1000-memory.dmp	upx
behavioral2/memory/4988-399-0x00007FF6D2B40000-0x00007FF6D2F31000-memory.dmp	upx
behavioral2/files/0x0007000000023500-166.dat	upx
behavioral2/files/0x00070000000234fe-156.dat	upx
behavioral2/files/0x00070000000234fd-151.dat	upx
behavioral2/files/0x00070000000234fc-146.dat	upx
behavioral2/files/0x00070000000234fb-141.dat	upx
behavioral2/files/0x00070000000234f9-131.dat	upx
behavioral2/files/0x00070000000234f7-124.dat	upx
behavioral2/files/0x00070000000234f5-111.dat	upx
behavioral2/files/0x00070000000234f3-101.dat	upx
behavioral2/files/0x00070000000234f2-99.dat	upx
behavioral2/files/0x00070000000234f0-86.dat	upx
behavioral2/files/0x00070000000234ee-76.dat	upx
behavioral2/memory/3556-62-0x00007FF6568F0000-0x00007FF656CE1000-memory.dmp	upx
behavioral2/memory/4308-59-0x00007FF70DFB0000-0x00007FF70E3A1000-memory.dmp	upx
behavioral2/memory/1468-58-0x00007FF7EC950000-0x00007FF7ECD41000-memory.dmp	upx
behavioral2/memory/1192-46-0x00007FF6162C0000-0x00007FF6166B1000-memory.dmp	upx
behavioral2/memory/2392-29-0x00007FF61DA00000-0x00007FF61DDF1000-memory.dmp	upx
behavioral2/memory/720-20-0x00007FF6A2170000-0x00007FF6A2561000-memory.dmp	upx
behavioral2/memory/2396-402-0x00007FF638F50000-0x00007FF639341000-memory.dmp	upx
behavioral2/memory/608-403-0x00007FF6D75A0000-0x00007FF6D7991000-memory.dmp	upx
behavioral2/memory/3908-404-0x00007FF726CE0000-0x00007FF7270D1000-memory.dmp	upx
behavioral2/memory/2264-406-0x00007FF61CAE0000-0x00007FF61CED1000-memory.dmp	upx
behavioral2/memory/4336-407-0x00007FF7FB1A0000-0x00007FF7FB591000-memory.dmp	upx
behavioral2/memory/3720-405-0x00007FF7A0B50000-0x00007FF7A0F41000-memory.dmp	upx
behavioral2/memory/4744-401-0x00007FF6F77B0000-0x00007FF6F7BA1000-memory.dmp	upx
behavioral2/memory/2548-419-0x00007FF7B4550000-0x00007FF7B4941000-memory.dmp	upx
behavioral2/memory/1428-423-0x00007FF6961F0000-0x00007FF6965E1000-memory.dmp	upx
behavioral2/memory/1108-414-0x00007FF6BF960000-0x00007FF6BFD51000-memory.dmp	upx
behavioral2/memory/736-1494-0x00007FF660290000-0x00007FF660681000-memory.dmp	upx
behavioral2/memory/4348-1496-0x00007FF7BC8F0000-0x00007FF7BCCE1000-memory.dmp	upx
behavioral2/memory/1292-1965-0x00007FF63E610000-0x00007FF63EA01000-memory.dmp	upx
behavioral2/memory/1192-1966-0x00007FF6162C0000-0x00007FF6166B1000-memory.dmp	upx
behavioral2/memory/736-2000-0x00007FF660290000-0x00007FF660681000-memory.dmp	upx
behavioral2/memory/4348-2017-0x00007FF7BC8F0000-0x00007FF7BCCE1000-memory.dmp	upx
behavioral2/memory/2564-2019-0x00007FF61A370000-0x00007FF61A761000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\gRDyEwb.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\NHKcVxX.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\xzApJjX.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\jKIYYVr.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\aiBBTNN.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\NhEqiTN.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\muijGDF.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\AFtsEmW.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\INixWsT.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\gdlDOcn.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\BQkHIiD.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\MwTedUH.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\xaBrAXT.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\bPXojSE.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\GsOjaLS.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\EWCfPMH.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\XwFqYEw.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\gTITiqx.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\gBHEIZy.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\ZkkSXXy.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\nhwCOLh.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\JXuiExT.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\bxKtzml.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\FCNImqx.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\sYFAgCJ.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\yGNsEAP.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\urzPRnn.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\vrQRQyO.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\xwgnixk.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\KzzUwSa.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\CSfPMLX.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\pNpgSuL.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\xmrLXBx.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\WvKQwnX.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\nrnGQCU.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\YRbPTOI.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\RMmwIGW.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\pJUAJii.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\ZwJnoof.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\nuIerDT.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\fGDBWxv.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\cSvldDw.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\UcvdLqN.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\VKjpBDy.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\AqRyKBT.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\MYuOOuK.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\iqKEEZR.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\kDwZEfr.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\dtGmFzh.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\MPrrtqx.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\EFjmZAo.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\jSmSaPn.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\MiLkAnc.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\vbasAbP.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\eHhVejl.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\IIWHDKP.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\dfBFeiB.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\lbjiiZa.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\pTqMiyZ.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\dtKGPHW.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\NXKixFH.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\CDetjVN.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\vcVIzGs.exe	2c1a802876c530a900f8a6dcbb586080N.exe
File created	C:\Windows\System32\VTdiwHq.exe	2c1a802876c530a900f8a6dcbb586080N.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	3008	dwm.exe
Token: SeChangeNotifyPrivilege	3008	dwm.exe
Token: 33	3008	dwm.exe
Token: SeIncBasePriorityPrivilege	3008	dwm.exe
Token: SeShutdownPrivilege	3008	dwm.exe
Token: SeCreatePagefilePrivilege	3008	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 4348	736	2c1a802876c530a900f8a6dcbb586080N.exe	85
PID 736 wrote to memory of 4348	736	2c1a802876c530a900f8a6dcbb586080N.exe	85
PID 736 wrote to memory of 2564	736	2c1a802876c530a900f8a6dcbb586080N.exe	86
PID 736 wrote to memory of 2564	736	2c1a802876c530a900f8a6dcbb586080N.exe	86
PID 736 wrote to memory of 720	736	2c1a802876c530a900f8a6dcbb586080N.exe	87
PID 736 wrote to memory of 720	736	2c1a802876c530a900f8a6dcbb586080N.exe	87
PID 736 wrote to memory of 2392	736	2c1a802876c530a900f8a6dcbb586080N.exe	88
PID 736 wrote to memory of 2392	736	2c1a802876c530a900f8a6dcbb586080N.exe	88
PID 736 wrote to memory of 1292	736	2c1a802876c530a900f8a6dcbb586080N.exe	89
PID 736 wrote to memory of 1292	736	2c1a802876c530a900f8a6dcbb586080N.exe	89
PID 736 wrote to memory of 1456	736	2c1a802876c530a900f8a6dcbb586080N.exe	90
PID 736 wrote to memory of 1456	736	2c1a802876c530a900f8a6dcbb586080N.exe	90
PID 736 wrote to memory of 1192	736	2c1a802876c530a900f8a6dcbb586080N.exe	91
PID 736 wrote to memory of 1192	736	2c1a802876c530a900f8a6dcbb586080N.exe	91
PID 736 wrote to memory of 1468	736	2c1a802876c530a900f8a6dcbb586080N.exe	92
PID 736 wrote to memory of 1468	736	2c1a802876c530a900f8a6dcbb586080N.exe	92
PID 736 wrote to memory of 4308	736	2c1a802876c530a900f8a6dcbb586080N.exe	93
PID 736 wrote to memory of 4308	736	2c1a802876c530a900f8a6dcbb586080N.exe	93
PID 736 wrote to memory of 3556	736	2c1a802876c530a900f8a6dcbb586080N.exe	94
PID 736 wrote to memory of 3556	736	2c1a802876c530a900f8a6dcbb586080N.exe	94
PID 736 wrote to memory of 2384	736	2c1a802876c530a900f8a6dcbb586080N.exe	95
PID 736 wrote to memory of 2384	736	2c1a802876c530a900f8a6dcbb586080N.exe	95
PID 736 wrote to memory of 2636	736	2c1a802876c530a900f8a6dcbb586080N.exe	96
PID 736 wrote to memory of 2636	736	2c1a802876c530a900f8a6dcbb586080N.exe	96
PID 736 wrote to memory of 4988	736	2c1a802876c530a900f8a6dcbb586080N.exe	97
PID 736 wrote to memory of 4988	736	2c1a802876c530a900f8a6dcbb586080N.exe	97
PID 736 wrote to memory of 2664	736	2c1a802876c530a900f8a6dcbb586080N.exe	98
PID 736 wrote to memory of 2664	736	2c1a802876c530a900f8a6dcbb586080N.exe	98
PID 736 wrote to memory of 4744	736	2c1a802876c530a900f8a6dcbb586080N.exe	99
PID 736 wrote to memory of 4744	736	2c1a802876c530a900f8a6dcbb586080N.exe	99
PID 736 wrote to memory of 2396	736	2c1a802876c530a900f8a6dcbb586080N.exe	100
PID 736 wrote to memory of 2396	736	2c1a802876c530a900f8a6dcbb586080N.exe	100
PID 736 wrote to memory of 608	736	2c1a802876c530a900f8a6dcbb586080N.exe	101
PID 736 wrote to memory of 608	736	2c1a802876c530a900f8a6dcbb586080N.exe	101
PID 736 wrote to memory of 3908	736	2c1a802876c530a900f8a6dcbb586080N.exe	102
PID 736 wrote to memory of 3908	736	2c1a802876c530a900f8a6dcbb586080N.exe	102
PID 736 wrote to memory of 3720	736	2c1a802876c530a900f8a6dcbb586080N.exe	103
PID 736 wrote to memory of 3720	736	2c1a802876c530a900f8a6dcbb586080N.exe	103
PID 736 wrote to memory of 2264	736	2c1a802876c530a900f8a6dcbb586080N.exe	104
PID 736 wrote to memory of 2264	736	2c1a802876c530a900f8a6dcbb586080N.exe	104
PID 736 wrote to memory of 4336	736	2c1a802876c530a900f8a6dcbb586080N.exe	105
PID 736 wrote to memory of 4336	736	2c1a802876c530a900f8a6dcbb586080N.exe	105
PID 736 wrote to memory of 1108	736	2c1a802876c530a900f8a6dcbb586080N.exe	106
PID 736 wrote to memory of 1108	736	2c1a802876c530a900f8a6dcbb586080N.exe	106
PID 736 wrote to memory of 2548	736	2c1a802876c530a900f8a6dcbb586080N.exe	107
PID 736 wrote to memory of 2548	736	2c1a802876c530a900f8a6dcbb586080N.exe	107
PID 736 wrote to memory of 1428	736	2c1a802876c530a900f8a6dcbb586080N.exe	108
PID 736 wrote to memory of 1428	736	2c1a802876c530a900f8a6dcbb586080N.exe	108
PID 736 wrote to memory of 4016	736	2c1a802876c530a900f8a6dcbb586080N.exe	109
PID 736 wrote to memory of 4016	736	2c1a802876c530a900f8a6dcbb586080N.exe	109
PID 736 wrote to memory of 1008	736	2c1a802876c530a900f8a6dcbb586080N.exe	110
PID 736 wrote to memory of 1008	736	2c1a802876c530a900f8a6dcbb586080N.exe	110
PID 736 wrote to memory of 1752	736	2c1a802876c530a900f8a6dcbb586080N.exe	111
PID 736 wrote to memory of 1752	736	2c1a802876c530a900f8a6dcbb586080N.exe	111
PID 736 wrote to memory of 3260	736	2c1a802876c530a900f8a6dcbb586080N.exe	112
PID 736 wrote to memory of 3260	736	2c1a802876c530a900f8a6dcbb586080N.exe	112
PID 736 wrote to memory of 3480	736	2c1a802876c530a900f8a6dcbb586080N.exe	113
PID 736 wrote to memory of 3480	736	2c1a802876c530a900f8a6dcbb586080N.exe	113
PID 736 wrote to memory of 2800	736	2c1a802876c530a900f8a6dcbb586080N.exe	114
PID 736 wrote to memory of 2800	736	2c1a802876c530a900f8a6dcbb586080N.exe	114
PID 736 wrote to memory of 2344	736	2c1a802876c530a900f8a6dcbb586080N.exe	115
PID 736 wrote to memory of 2344	736	2c1a802876c530a900f8a6dcbb586080N.exe	115
PID 736 wrote to memory of 1696	736	2c1a802876c530a900f8a6dcbb586080N.exe	116
PID 736 wrote to memory of 1696	736	2c1a802876c530a900f8a6dcbb586080N.exe	116

C:\Users\Admin\AppData\Local\Temp\2c1a802876c530a900f8a6dcbb586080N.exe
"C:\Users\Admin\AppData\Local\Temp\2c1a802876c530a900f8a6dcbb586080N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\System32\etiXwVi.exe
  C:\Windows\System32\etiXwVi.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\ikWMJdE.exe
  C:\Windows\System32\ikWMJdE.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System32\rgfXczY.exe
  C:\Windows\System32\rgfXczY.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System32\MXRInKQ.exe
  C:\Windows\System32\MXRInKQ.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System32\MgkOnLy.exe
  C:\Windows\System32\MgkOnLy.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\qjlwUva.exe
  C:\Windows\System32\qjlwUva.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System32\TrqDVug.exe
  C:\Windows\System32\TrqDVug.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System32\jnkYtUs.exe
  C:\Windows\System32\jnkYtUs.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System32\ekcddIN.exe
  C:\Windows\System32\ekcddIN.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\yXIvIFM.exe
  C:\Windows\System32\yXIvIFM.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\IbiqFmJ.exe
  C:\Windows\System32\IbiqFmJ.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System32\uzdnPbG.exe
  C:\Windows\System32\uzdnPbG.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System32\GmfXjxY.exe
  C:\Windows\System32\GmfXjxY.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\gRDyEwb.exe
  C:\Windows\System32\gRDyEwb.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System32\BBHasPp.exe
  C:\Windows\System32\BBHasPp.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System32\JNKDcHV.exe
  C:\Windows\System32\JNKDcHV.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\fhaemqi.exe
  C:\Windows\System32\fhaemqi.exe
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Windows\System32\rkzdqXy.exe
  C:\Windows\System32\rkzdqXy.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System32\VRRkfqN.exe
  C:\Windows\System32\VRRkfqN.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\bPXojSE.exe
  C:\Windows\System32\bPXojSE.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\XwqMIMN.exe
  C:\Windows\System32\XwqMIMN.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\xZgdheu.exe
  C:\Windows\System32\xZgdheu.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System32\cJDxpSW.exe
  C:\Windows\System32\cJDxpSW.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System32\MTAOrCu.exe
  C:\Windows\System32\MTAOrCu.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\RzuPIei.exe
  C:\Windows\System32\RzuPIei.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System32\MoasSXl.exe
  C:\Windows\System32\MoasSXl.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System32\WbKDIpZ.exe
  C:\Windows\System32\WbKDIpZ.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System32\tlBKYSb.exe
  C:\Windows\System32\tlBKYSb.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\fGXTrcV.exe
  C:\Windows\System32\fGXTrcV.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\sAzLtKx.exe
  C:\Windows\System32\sAzLtKx.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\lmoEIVM.exe
  C:\Windows\System32\lmoEIVM.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System32\CXAstQM.exe
  C:\Windows\System32\CXAstQM.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System32\gihTMcD.exe
  C:\Windows\System32\gihTMcD.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System32\gPWiiZk.exe
  C:\Windows\System32\gPWiiZk.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\dGnltRT.exe
  C:\Windows\System32\dGnltRT.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\SHjUXgn.exe
  C:\Windows\System32\SHjUXgn.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System32\uvetLtp.exe
  C:\Windows\System32\uvetLtp.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System32\TIyzdgK.exe
  C:\Windows\System32\TIyzdgK.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System32\dwTRHto.exe
  C:\Windows\System32\dwTRHto.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System32\muijGDF.exe
  C:\Windows\System32\muijGDF.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\VXwoMgT.exe
  C:\Windows\System32\VXwoMgT.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System32\nVlZocu.exe
  C:\Windows\System32\nVlZocu.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\MIguxok.exe
  C:\Windows\System32\MIguxok.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\DJCFdAf.exe
  C:\Windows\System32\DJCFdAf.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System32\pjdVMgZ.exe
  C:\Windows\System32\pjdVMgZ.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\lyyycQs.exe
  C:\Windows\System32\lyyycQs.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\VbYwkfE.exe
  C:\Windows\System32\VbYwkfE.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\PXLpIam.exe
  C:\Windows\System32\PXLpIam.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System32\efAjGnh.exe
  C:\Windows\System32\efAjGnh.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System32\ptabVMn.exe
  C:\Windows\System32\ptabVMn.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\IqFvIkA.exe
  C:\Windows\System32\IqFvIkA.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\meaytnP.exe
  C:\Windows\System32\meaytnP.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System32\mFCVZit.exe
  C:\Windows\System32\mFCVZit.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System32\dMliPsp.exe
  C:\Windows\System32\dMliPsp.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System32\ZPMGBmt.exe
  C:\Windows\System32\ZPMGBmt.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\TINQOys.exe
  C:\Windows\System32\TINQOys.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\TPRLeRx.exe
  C:\Windows\System32\TPRLeRx.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\UEtzrFc.exe
  C:\Windows\System32\UEtzrFc.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System32\BWRPQSN.exe
  C:\Windows\System32\BWRPQSN.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System32\tlktpdu.exe
  C:\Windows\System32\tlktpdu.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System32\Gcooqos.exe
  C:\Windows\System32\Gcooqos.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System32\dVhuibO.exe
  C:\Windows\System32\dVhuibO.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System32\NeovJiq.exe
  C:\Windows\System32\NeovJiq.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System32\UBvHCyf.exe
  C:\Windows\System32\UBvHCyf.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System32\HCQZOau.exe
  C:\Windows\System32\HCQZOau.exe
  2⤵
  PID:392
- C:\Windows\System32\sDVYvBk.exe
  C:\Windows\System32\sDVYvBk.exe
  2⤵
  PID:2996
- C:\Windows\System32\ZwJnoof.exe
  C:\Windows\System32\ZwJnoof.exe
  2⤵
  PID:4928
- C:\Windows\System32\wMKcdcZ.exe
  C:\Windows\System32\wMKcdcZ.exe
  2⤵
  PID:1956
- C:\Windows\System32\SgNHDzs.exe
  C:\Windows\System32\SgNHDzs.exe
  2⤵
  PID:1784
- C:\Windows\System32\UaLupke.exe
  C:\Windows\System32\UaLupke.exe
  2⤵
  PID:1380
- C:\Windows\System32\SdEpsAq.exe
  C:\Windows\System32\SdEpsAq.exe
  2⤵
  PID:3168
- C:\Windows\System32\NAhEdwB.exe
  C:\Windows\System32\NAhEdwB.exe
  2⤵
  PID:4480
- C:\Windows\System32\uyhqWvF.exe
  C:\Windows\System32\uyhqWvF.exe
  2⤵
  PID:4272
- C:\Windows\System32\wPngnOT.exe
  C:\Windows\System32\wPngnOT.exe
  2⤵
  PID:4420
- C:\Windows\System32\xzApJjX.exe
  C:\Windows\System32\xzApJjX.exe
  2⤵
  PID:1216
- C:\Windows\System32\AmGQMcO.exe
  C:\Windows\System32\AmGQMcO.exe
  2⤵
  PID:4416
- C:\Windows\System32\uIOmOPr.exe
  C:\Windows\System32\uIOmOPr.exe
  2⤵
  PID:4872
- C:\Windows\System32\HwBGYmB.exe
  C:\Windows\System32\HwBGYmB.exe
  2⤵
  PID:1464
- C:\Windows\System32\caPkhhU.exe
  C:\Windows\System32\caPkhhU.exe
  2⤵
  PID:4184
- C:\Windows\System32\czccacC.exe
  C:\Windows\System32\czccacC.exe
  2⤵
  PID:1988
- C:\Windows\System32\eLwhXFh.exe
  C:\Windows\System32\eLwhXFh.exe
  2⤵
  PID:3084
- C:\Windows\System32\ckeqCBL.exe
  C:\Windows\System32\ckeqCBL.exe
  2⤵
  PID:4256
- C:\Windows\System32\EKRnQwd.exe
  C:\Windows\System32\EKRnQwd.exe
  2⤵
  PID:4664
- C:\Windows\System32\nuIerDT.exe
  C:\Windows\System32\nuIerDT.exe
  2⤵
  PID:2588
- C:\Windows\System32\kMteBBf.exe
  C:\Windows\System32\kMteBBf.exe
  2⤵
  PID:3836
- C:\Windows\System32\wdYjCNt.exe
  C:\Windows\System32\wdYjCNt.exe
  2⤵
  PID:4360
- C:\Windows\System32\MiLkAnc.exe
  C:\Windows\System32\MiLkAnc.exe
  2⤵
  PID:4428
- C:\Windows\System32\xlcfZfJ.exe
  C:\Windows\System32\xlcfZfJ.exe
  2⤵
  PID:932
- C:\Windows\System32\XLulNLe.exe
  C:\Windows\System32\XLulNLe.exe
  2⤵
  PID:2028
- C:\Windows\System32\WvKQwnX.exe
  C:\Windows\System32\WvKQwnX.exe
  2⤵
  PID:4296
- C:\Windows\System32\fOUrnhT.exe
  C:\Windows\System32\fOUrnhT.exe
  2⤵
  PID:5148
- C:\Windows\System32\tSRoyBw.exe
  C:\Windows\System32\tSRoyBw.exe
  2⤵
  PID:5164
- C:\Windows\System32\KFiHkcK.exe
  C:\Windows\System32\KFiHkcK.exe
  2⤵
  PID:5204
- C:\Windows\System32\ORPwtSA.exe
  C:\Windows\System32\ORPwtSA.exe
  2⤵
  PID:5220
- C:\Windows\System32\BdtiUQH.exe
  C:\Windows\System32\BdtiUQH.exe
  2⤵
  PID:5248
- C:\Windows\System32\jKIYYVr.exe
  C:\Windows\System32\jKIYYVr.exe
  2⤵
  PID:5276
- C:\Windows\System32\CTvbPGw.exe
  C:\Windows\System32\CTvbPGw.exe
  2⤵
  PID:5304
- C:\Windows\System32\nPmmKGu.exe
  C:\Windows\System32\nPmmKGu.exe
  2⤵
  PID:5332
- C:\Windows\System32\QzrZwst.exe
  C:\Windows\System32\QzrZwst.exe
  2⤵
  PID:5360
- C:\Windows\System32\GsOjaLS.exe
  C:\Windows\System32\GsOjaLS.exe
  2⤵
  PID:5400
- C:\Windows\System32\DeZsSEf.exe
  C:\Windows\System32\DeZsSEf.exe
  2⤵
  PID:5416
- C:\Windows\System32\JHtTcKI.exe
  C:\Windows\System32\JHtTcKI.exe
  2⤵
  PID:5444
- C:\Windows\System32\KFnbBnx.exe
  C:\Windows\System32\KFnbBnx.exe
  2⤵
  PID:5472
- C:\Windows\System32\kYIvPok.exe
  C:\Windows\System32\kYIvPok.exe
  2⤵
  PID:5512
- C:\Windows\System32\vrQRQyO.exe
  C:\Windows\System32\vrQRQyO.exe
  2⤵
  PID:5540
- C:\Windows\System32\MgcgXah.exe
  C:\Windows\System32\MgcgXah.exe
  2⤵
  PID:5556
- C:\Windows\System32\AqRyKBT.exe
  C:\Windows\System32\AqRyKBT.exe
  2⤵
  PID:5596
- C:\Windows\System32\HSSKFMz.exe
  C:\Windows\System32\HSSKFMz.exe
  2⤵
  PID:5612
- C:\Windows\System32\OhtDdLe.exe
  C:\Windows\System32\OhtDdLe.exe
  2⤵
  PID:5704
- C:\Windows\System32\PPaaXRC.exe
  C:\Windows\System32\PPaaXRC.exe
  2⤵
  PID:5724
- C:\Windows\System32\YoERxGJ.exe
  C:\Windows\System32\YoERxGJ.exe
  2⤵
  PID:5740
- C:\Windows\System32\oQhnCzo.exe
  C:\Windows\System32\oQhnCzo.exe
  2⤵
  PID:5760
- C:\Windows\System32\hgHEVuy.exe
  C:\Windows\System32\hgHEVuy.exe
  2⤵
  PID:5776
- C:\Windows\System32\EWCfPMH.exe
  C:\Windows\System32\EWCfPMH.exe
  2⤵
  PID:5820
- C:\Windows\System32\dnWhrfy.exe
  C:\Windows\System32\dnWhrfy.exe
  2⤵
  PID:5860
- C:\Windows\System32\VhwvWqL.exe
  C:\Windows\System32\VhwvWqL.exe
  2⤵
  PID:5908
- C:\Windows\System32\qBADOSk.exe
  C:\Windows\System32\qBADOSk.exe
  2⤵
  PID:5932
- C:\Windows\System32\psdaNgq.exe
  C:\Windows\System32\psdaNgq.exe
  2⤵
  PID:5960
- C:\Windows\System32\ENLFDCf.exe
  C:\Windows\System32\ENLFDCf.exe
  2⤵
  PID:6000
- C:\Windows\System32\JTTUJtC.exe
  C:\Windows\System32\JTTUJtC.exe
  2⤵
  PID:6072
- C:\Windows\System32\bBXlbZZ.exe
  C:\Windows\System32\bBXlbZZ.exe
  2⤵
  PID:6092
- C:\Windows\System32\ahMbtBK.exe
  C:\Windows\System32\ahMbtBK.exe
  2⤵
  PID:6108
- C:\Windows\System32\lbGIctX.exe
  C:\Windows\System32\lbGIctX.exe
  2⤵
  PID:6128
- C:\Windows\System32\zkfjiLK.exe
  C:\Windows\System32\zkfjiLK.exe
  2⤵
  PID:3060
- C:\Windows\System32\jNELxGg.exe
  C:\Windows\System32\jNELxGg.exe
  2⤵
  PID:2868
- C:\Windows\System32\xwgnixk.exe
  C:\Windows\System32\xwgnixk.exe
  2⤵
  PID:5140
- C:\Windows\System32\aASJGSu.exe
  C:\Windows\System32\aASJGSu.exe
  2⤵
  PID:5176
- C:\Windows\System32\QGTxFka.exe
  C:\Windows\System32\QGTxFka.exe
  2⤵
  PID:5212
- C:\Windows\System32\pTqMiyZ.exe
  C:\Windows\System32\pTqMiyZ.exe
  2⤵
  PID:4516
- C:\Windows\System32\ILrjBNF.exe
  C:\Windows\System32\ILrjBNF.exe
  2⤵
  PID:5288
- C:\Windows\System32\hvvyoKs.exe
  C:\Windows\System32\hvvyoKs.exe
  2⤵
  PID:3128
- C:\Windows\System32\EMVxCLC.exe
  C:\Windows\System32\EMVxCLC.exe
  2⤵
  PID:5320
- C:\Windows\System32\KKcnyWy.exe
  C:\Windows\System32\KKcnyWy.exe
  2⤵
  PID:4768
- C:\Windows\System32\qcHUpLA.exe
  C:\Windows\System32\qcHUpLA.exe
  2⤵
  PID:5384
- C:\Windows\System32\FvmvkQa.exe
  C:\Windows\System32\FvmvkQa.exe
  2⤵
  PID:5408
- C:\Windows\System32\BSZDkLL.exe
  C:\Windows\System32\BSZDkLL.exe
  2⤵
  PID:5432
- C:\Windows\System32\qIgglLL.exe
  C:\Windows\System32\qIgglLL.exe
  2⤵
  PID:2228
- C:\Windows\System32\QNQcZEC.exe
  C:\Windows\System32\QNQcZEC.exe
  2⤵
  PID:5520
- C:\Windows\System32\MdYCyvi.exe
  C:\Windows\System32\MdYCyvi.exe
  2⤵
  PID:5548
- C:\Windows\System32\eRplUXy.exe
  C:\Windows\System32\eRplUXy.exe
  2⤵
  PID:4812
- C:\Windows\System32\QzXMpRW.exe
  C:\Windows\System32\QzXMpRW.exe
  2⤵
  PID:1900
- C:\Windows\System32\zrInCRP.exe
  C:\Windows\System32\zrInCRP.exe
  2⤵
  PID:1552
- C:\Windows\System32\rwEMzMW.exe
  C:\Windows\System32\rwEMzMW.exe
  2⤵
  PID:2020
- C:\Windows\System32\MnRnrME.exe
  C:\Windows\System32\MnRnrME.exe
  2⤵
  PID:5052
- C:\Windows\System32\ZwsAPCM.exe
  C:\Windows\System32\ZwsAPCM.exe
  2⤵
  PID:5756
- C:\Windows\System32\giMqCuS.exe
  C:\Windows\System32\giMqCuS.exe
  2⤵
  PID:5796
- C:\Windows\System32\GnAxUdS.exe
  C:\Windows\System32\GnAxUdS.exe
  2⤵
  PID:5848
- C:\Windows\System32\iOuhlil.exe
  C:\Windows\System32\iOuhlil.exe
  2⤵
  PID:5956
- C:\Windows\System32\fGDBWxv.exe
  C:\Windows\System32\fGDBWxv.exe
  2⤵
  PID:5676
- C:\Windows\System32\vBhOxJM.exe
  C:\Windows\System32\vBhOxJM.exe
  2⤵
  PID:6020
- C:\Windows\System32\duQLeCN.exe
  C:\Windows\System32\duQLeCN.exe
  2⤵
  PID:6088
- C:\Windows\System32\QlMCmcF.exe
  C:\Windows\System32\QlMCmcF.exe
  2⤵
  PID:6100
- C:\Windows\System32\ZWUYxDJ.exe
  C:\Windows\System32\ZWUYxDJ.exe
  2⤵
  PID:1936
- C:\Windows\System32\TjQqFLa.exe
  C:\Windows\System32\TjQqFLa.exe
  2⤵
  PID:2224
- C:\Windows\System32\XhNCTYR.exe
  C:\Windows\System32\XhNCTYR.exe
  2⤵
  PID:780
- C:\Windows\System32\dXyWmGI.exe
  C:\Windows\System32\dXyWmGI.exe
  2⤵
  PID:5412
- C:\Windows\System32\cSvldDw.exe
  C:\Windows\System32\cSvldDw.exe
  2⤵
  PID:2536
- C:\Windows\System32\rSMFYQi.exe
  C:\Windows\System32\rSMFYQi.exe
  2⤵
  PID:5552
- C:\Windows\System32\WvriOdN.exe
  C:\Windows\System32\WvriOdN.exe
  2⤵
  PID:4276
- C:\Windows\System32\GmYDeDm.exe
  C:\Windows\System32\GmYDeDm.exe
  2⤵
  PID:1884
- C:\Windows\System32\crqAXWw.exe
  C:\Windows\System32\crqAXWw.exe
  2⤵
  PID:5716
- C:\Windows\System32\komxWIh.exe
  C:\Windows\System32\komxWIh.exe
  2⤵
  PID:5736
- C:\Windows\System32\RfZDmMc.exe
  C:\Windows\System32\RfZDmMc.exe
  2⤵
  PID:5888
- C:\Windows\System32\XwFqYEw.exe
  C:\Windows\System32\XwFqYEw.exe
  2⤵
  PID:5940
- C:\Windows\System32\mqkaGoW.exe
  C:\Windows\System32\mqkaGoW.exe
  2⤵
  PID:5992
- C:\Windows\System32\PFhQcxo.exe
  C:\Windows\System32\PFhQcxo.exe
  2⤵
  PID:6116
- C:\Windows\System32\LMYepZJ.exe
  C:\Windows\System32\LMYepZJ.exe
  2⤵
  PID:5328
- C:\Windows\System32\RrqtYhx.exe
  C:\Windows\System32\RrqtYhx.exe
  2⤵
  PID:2292
- C:\Windows\System32\SHiPeiA.exe
  C:\Windows\System32\SHiPeiA.exe
  2⤵
  PID:5696
- C:\Windows\System32\TotWWLl.exe
  C:\Windows\System32\TotWWLl.exe
  2⤵
  PID:6032
- C:\Windows\System32\GiBpqxa.exe
  C:\Windows\System32\GiBpqxa.exe
  2⤵
  PID:5524
- C:\Windows\System32\ITILAFG.exe
  C:\Windows\System32\ITILAFG.exe
  2⤵
  PID:5768
- C:\Windows\System32\teIUink.exe
  C:\Windows\System32\teIUink.exe
  2⤵
  PID:6168
- C:\Windows\System32\crUHYvn.exe
  C:\Windows\System32\crUHYvn.exe
  2⤵
  PID:6196
- C:\Windows\System32\jdentWA.exe
  C:\Windows\System32\jdentWA.exe
  2⤵
  PID:6220
- C:\Windows\System32\AaJkvjr.exe
  C:\Windows\System32\AaJkvjr.exe
  2⤵
  PID:6248
- C:\Windows\System32\gugVZEL.exe
  C:\Windows\System32\gugVZEL.exe
  2⤵
  PID:6296
- C:\Windows\System32\dtGmFzh.exe
  C:\Windows\System32\dtGmFzh.exe
  2⤵
  PID:6312
- C:\Windows\System32\juPCJmW.exe
  C:\Windows\System32\juPCJmW.exe
  2⤵
  PID:6352
- C:\Windows\System32\FYeRFJv.exe
  C:\Windows\System32\FYeRFJv.exe
  2⤵
  PID:6368
- C:\Windows\System32\vuaYjuI.exe
  C:\Windows\System32\vuaYjuI.exe
  2⤵
  PID:6396
- C:\Windows\System32\krKDZpa.exe
  C:\Windows\System32\krKDZpa.exe
  2⤵
  PID:6424
- C:\Windows\System32\nvuVgTk.exe
  C:\Windows\System32\nvuVgTk.exe
  2⤵
  PID:6444
- C:\Windows\System32\lQwbgYZ.exe
  C:\Windows\System32\lQwbgYZ.exe
  2⤵
  PID:6460
- C:\Windows\System32\bnjMRPM.exe
  C:\Windows\System32\bnjMRPM.exe
  2⤵
  PID:6484
- C:\Windows\System32\pEWXKVR.exe
  C:\Windows\System32\pEWXKVR.exe
  2⤵
  PID:6500
- C:\Windows\System32\gBHEIZy.exe
  C:\Windows\System32\gBHEIZy.exe
  2⤵
  PID:6520
- C:\Windows\System32\tHeSRvu.exe
  C:\Windows\System32\tHeSRvu.exe
  2⤵
  PID:6540
- C:\Windows\System32\aijZgHo.exe
  C:\Windows\System32\aijZgHo.exe
  2⤵
  PID:6584
- C:\Windows\System32\JnoFsGu.exe
  C:\Windows\System32\JnoFsGu.exe
  2⤵
  PID:6640
- C:\Windows\System32\Oatvdwi.exe
  C:\Windows\System32\Oatvdwi.exe
  2⤵
  PID:6668
- C:\Windows\System32\CtGpUpO.exe
  C:\Windows\System32\CtGpUpO.exe
  2⤵
  PID:6684
- C:\Windows\System32\vbasAbP.exe
  C:\Windows\System32\vbasAbP.exe
  2⤵
  PID:6716
- C:\Windows\System32\DSgpXoS.exe
  C:\Windows\System32\DSgpXoS.exe
  2⤵
  PID:6744
- C:\Windows\System32\vzjbtGW.exe
  C:\Windows\System32\vzjbtGW.exe
  2⤵
  PID:6776
- C:\Windows\System32\NgtPlhZ.exe
  C:\Windows\System32\NgtPlhZ.exe
  2⤵
  PID:6796
- C:\Windows\System32\gSLmKhy.exe
  C:\Windows\System32\gSLmKhy.exe
  2⤵
  PID:6828
- C:\Windows\System32\hXPUGsK.exe
  C:\Windows\System32\hXPUGsK.exe
  2⤵
  PID:6872
- C:\Windows\System32\sFGSPKi.exe
  C:\Windows\System32\sFGSPKi.exe
  2⤵
  PID:6892
- C:\Windows\System32\KzzUwSa.exe
  C:\Windows\System32\KzzUwSa.exe
  2⤵
  PID:6928
- C:\Windows\System32\mOgeXeN.exe
  C:\Windows\System32\mOgeXeN.exe
  2⤵
  PID:6956
- C:\Windows\System32\GFFLEdT.exe
  C:\Windows\System32\GFFLEdT.exe
  2⤵
  PID:6980
- C:\Windows\System32\ZkkSXXy.exe
  C:\Windows\System32\ZkkSXXy.exe
  2⤵
  PID:6996
- C:\Windows\System32\MktjOvk.exe
  C:\Windows\System32\MktjOvk.exe
  2⤵
  PID:7040
- C:\Windows\System32\llsAsev.exe
  C:\Windows\System32\llsAsev.exe
  2⤵
  PID:7056
- C:\Windows\System32\jNIgyCv.exe
  C:\Windows\System32\jNIgyCv.exe
  2⤵
  PID:7096
- C:\Windows\System32\ugqozVU.exe
  C:\Windows\System32\ugqozVU.exe
  2⤵
  PID:7116
- C:\Windows\System32\PMlRFUv.exe
  C:\Windows\System32\PMlRFUv.exe
  2⤵
  PID:7132
- C:\Windows\System32\QhhngIW.exe
  C:\Windows\System32\QhhngIW.exe
  2⤵
  PID:5488
- C:\Windows\System32\CGhcqDO.exe
  C:\Windows\System32\CGhcqDO.exe
  2⤵
  PID:6212
- C:\Windows\System32\lbykJSo.exe
  C:\Windows\System32\lbykJSo.exe
  2⤵
  PID:6208
- C:\Windows\System32\KgVVyru.exe
  C:\Windows\System32\KgVVyru.exe
  2⤵
  PID:6324
- C:\Windows\System32\sGxsyJk.exe
  C:\Windows\System32\sGxsyJk.exe
  2⤵
  PID:6416
- C:\Windows\System32\rIbiyDO.exe
  C:\Windows\System32\rIbiyDO.exe
  2⤵
  PID:6476
- C:\Windows\System32\SNysVVC.exe
  C:\Windows\System32\SNysVVC.exe
  2⤵
  PID:6516
- C:\Windows\System32\JDegMVK.exe
  C:\Windows\System32\JDegMVK.exe
  2⤵
  PID:6620
- C:\Windows\System32\AmyXDfQ.exe
  C:\Windows\System32\AmyXDfQ.exe
  2⤵
  PID:6600
- C:\Windows\System32\dtKGPHW.exe
  C:\Windows\System32\dtKGPHW.exe
  2⤵
  PID:6736
- C:\Windows\System32\lHJsjLk.exe
  C:\Windows\System32\lHJsjLk.exe
  2⤵
  PID:6808
- C:\Windows\System32\uHotsxI.exe
  C:\Windows\System32\uHotsxI.exe
  2⤵
  PID:6868
- C:\Windows\System32\IljLiWc.exe
  C:\Windows\System32\IljLiWc.exe
  2⤵
  PID:6916
- C:\Windows\System32\hnjLVnc.exe
  C:\Windows\System32\hnjLVnc.exe
  2⤵
  PID:6968
- C:\Windows\System32\WNTyKrG.exe
  C:\Windows\System32\WNTyKrG.exe
  2⤵
  PID:7052
- C:\Windows\System32\EfWlJYP.exe
  C:\Windows\System32\EfWlJYP.exe
  2⤵
  PID:7108
- C:\Windows\System32\yjyOKws.exe
  C:\Windows\System32\yjyOKws.exe
  2⤵
  PID:7124
- C:\Windows\System32\MfZeCdh.exe
  C:\Windows\System32\MfZeCdh.exe
  2⤵
  PID:6256
- C:\Windows\System32\MPrrtqx.exe
  C:\Windows\System32\MPrrtqx.exe
  2⤵
  PID:6456
- C:\Windows\System32\HHOucGx.exe
  C:\Windows\System32\HHOucGx.exe
  2⤵
  PID:6608
- C:\Windows\System32\MYuOOuK.exe
  C:\Windows\System32\MYuOOuK.exe
  2⤵
  PID:6752
- C:\Windows\System32\SsqmfvT.exe
  C:\Windows\System32\SsqmfvT.exe
  2⤵
  PID:6848
- C:\Windows\System32\UcvdLqN.exe
  C:\Windows\System32\UcvdLqN.exe
  2⤵
  PID:6952
- C:\Windows\System32\gkyBaue.exe
  C:\Windows\System32\gkyBaue.exe
  2⤵
  PID:7152
- C:\Windows\System32\gKAibft.exe
  C:\Windows\System32\gKAibft.exe
  2⤵
  PID:6676
- C:\Windows\System32\EHdGdAv.exe
  C:\Windows\System32\EHdGdAv.exe
  2⤵
  PID:6792
- C:\Windows\System32\WogqXhz.exe
  C:\Windows\System32\WogqXhz.exe
  2⤵
  PID:6532
- C:\Windows\System32\wrayFhU.exe
  C:\Windows\System32\wrayFhU.exe
  2⤵
  PID:5316
- C:\Windows\System32\zQHwHCI.exe
  C:\Windows\System32\zQHwHCI.exe
  2⤵
  PID:7192
- C:\Windows\System32\moKFLLD.exe
  C:\Windows\System32\moKFLLD.exe
  2⤵
  PID:7236
- C:\Windows\System32\zGwdSwQ.exe
  C:\Windows\System32\zGwdSwQ.exe
  2⤵
  PID:7260
- C:\Windows\System32\GCkDVru.exe
  C:\Windows\System32\GCkDVru.exe
  2⤵
  PID:7280
- C:\Windows\System32\rHJfIzy.exe
  C:\Windows\System32\rHJfIzy.exe
  2⤵
  PID:7300
- C:\Windows\System32\kFpkDOn.exe
  C:\Windows\System32\kFpkDOn.exe
  2⤵
  PID:7328
- C:\Windows\System32\MuyhwRq.exe
  C:\Windows\System32\MuyhwRq.exe
  2⤵
  PID:7352
- C:\Windows\System32\JnGrDXC.exe
  C:\Windows\System32\JnGrDXC.exe
  2⤵
  PID:7372
- C:\Windows\System32\XMncMqG.exe
  C:\Windows\System32\XMncMqG.exe
  2⤵
  PID:7424
- C:\Windows\System32\kiRJgQG.exe
  C:\Windows\System32\kiRJgQG.exe
  2⤵
  PID:7448
- C:\Windows\System32\aUjqiig.exe
  C:\Windows\System32\aUjqiig.exe
  2⤵
  PID:7488
- C:\Windows\System32\UmYAUPg.exe
  C:\Windows\System32\UmYAUPg.exe
  2⤵
  PID:7516
- C:\Windows\System32\YUUwCDK.exe
  C:\Windows\System32\YUUwCDK.exe
  2⤵
  PID:7544
- C:\Windows\System32\LRcYUxa.exe
  C:\Windows\System32\LRcYUxa.exe
  2⤵
  PID:7572
- C:\Windows\System32\ddbvknG.exe
  C:\Windows\System32\ddbvknG.exe
  2⤵
  PID:7596
- C:\Windows\System32\jBfRLcl.exe
  C:\Windows\System32\jBfRLcl.exe
  2⤵
  PID:7624
- C:\Windows\System32\vKRyLQy.exe
  C:\Windows\System32\vKRyLQy.exe
  2⤵
  PID:7656
- C:\Windows\System32\kRJIncn.exe
  C:\Windows\System32\kRJIncn.exe
  2⤵
  PID:7684
- C:\Windows\System32\eHhVejl.exe
  C:\Windows\System32\eHhVejl.exe
  2⤵
  PID:7712
- C:\Windows\System32\rhoYvmc.exe
  C:\Windows\System32\rhoYvmc.exe
  2⤵
  PID:7728
- C:\Windows\System32\qnHEYBY.exe
  C:\Windows\System32\qnHEYBY.exe
  2⤵
  PID:7768
- C:\Windows\System32\nhwCOLh.exe
  C:\Windows\System32\nhwCOLh.exe
  2⤵
  PID:7788
- C:\Windows\System32\EVPvFXp.exe
  C:\Windows\System32\EVPvFXp.exe
  2⤵
  PID:7812
- C:\Windows\System32\eTipusU.exe
  C:\Windows\System32\eTipusU.exe
  2⤵
  PID:7836
- C:\Windows\System32\hCQUysS.exe
  C:\Windows\System32\hCQUysS.exe
  2⤵
  PID:7852
- C:\Windows\System32\vwVICKD.exe
  C:\Windows\System32\vwVICKD.exe
  2⤵
  PID:7872
- C:\Windows\System32\nKratZR.exe
  C:\Windows\System32\nKratZR.exe
  2⤵
  PID:7924
- C:\Windows\System32\CotITUu.exe
  C:\Windows\System32\CotITUu.exe
  2⤵
  PID:7956
- C:\Windows\System32\HbVpCxq.exe
  C:\Windows\System32\HbVpCxq.exe
  2⤵
  PID:7996
- C:\Windows\System32\aiBBTNN.exe
  C:\Windows\System32\aiBBTNN.exe
  2⤵
  PID:8016
- C:\Windows\System32\YwaBEDw.exe
  C:\Windows\System32\YwaBEDw.exe
  2⤵
  PID:8032
- C:\Windows\System32\DqCKClm.exe
  C:\Windows\System32\DqCKClm.exe
  2⤵
  PID:8056
- C:\Windows\System32\bswTLLp.exe
  C:\Windows\System32\bswTLLp.exe
  2⤵
  PID:8072
- C:\Windows\System32\HfKGQRf.exe
  C:\Windows\System32\HfKGQRf.exe
  2⤵
  PID:8132
- C:\Windows\System32\dlxgOoc.exe
  C:\Windows\System32\dlxgOoc.exe
  2⤵
  PID:8160
- C:\Windows\System32\kfUOPgI.exe
  C:\Windows\System32\kfUOPgI.exe
  2⤵
  PID:8180
- C:\Windows\System32\HWDAgQD.exe
  C:\Windows\System32\HWDAgQD.exe
  2⤵
  PID:7208
- C:\Windows\System32\WTNlaEI.exe
  C:\Windows\System32\WTNlaEI.exe
  2⤵
  PID:7272
- C:\Windows\System32\PAvbmyE.exe
  C:\Windows\System32\PAvbmyE.exe
  2⤵
  PID:7316
- C:\Windows\System32\JXuiExT.exe
  C:\Windows\System32\JXuiExT.exe
  2⤵
  PID:7420
- C:\Windows\System32\rwNZHYO.exe
  C:\Windows\System32\rwNZHYO.exe
  2⤵
  PID:7464
- C:\Windows\System32\SzaCNDH.exe
  C:\Windows\System32\SzaCNDH.exe
  2⤵
  PID:7500
- C:\Windows\System32\fkNprji.exe
  C:\Windows\System32\fkNprji.exe
  2⤵
  PID:7556
- C:\Windows\System32\tewFCCg.exe
  C:\Windows\System32\tewFCCg.exe
  2⤵
  PID:7644
- C:\Windows\System32\WlpDvaO.exe
  C:\Windows\System32\WlpDvaO.exe
  2⤵
  PID:7696
- C:\Windows\System32\SdjBBXH.exe
  C:\Windows\System32\SdjBBXH.exe
  2⤵
  PID:7740
- C:\Windows\System32\IixwTCh.exe
  C:\Windows\System32\IixwTCh.exe
  2⤵
  PID:7780
- C:\Windows\System32\KcvFRRr.exe
  C:\Windows\System32\KcvFRRr.exe
  2⤵
  PID:7868
- C:\Windows\System32\GZLmMVk.exe
  C:\Windows\System32\GZLmMVk.exe
  2⤵
  PID:8028
- C:\Windows\System32\jnmakUM.exe
  C:\Windows\System32\jnmakUM.exe
  2⤵
  PID:8088
- C:\Windows\System32\CSfPMLX.exe
  C:\Windows\System32\CSfPMLX.exe
  2⤵
  PID:6944
- C:\Windows\System32\niklQQd.exe
  C:\Windows\System32\niklQQd.exe
  2⤵
  PID:7228
- C:\Windows\System32\NnTFMHv.exe
  C:\Windows\System32\NnTFMHv.exe
  2⤵
  PID:7608
- C:\Windows\System32\eMjJier.exe
  C:\Windows\System32\eMjJier.exe
  2⤵
  PID:7748
- C:\Windows\System32\WCtbzFe.exe
  C:\Windows\System32\WCtbzFe.exe
  2⤵
  PID:7784
- C:\Windows\System32\szjXOyu.exe
  C:\Windows\System32\szjXOyu.exe
  2⤵
  PID:7824
- C:\Windows\System32\DIstydL.exe
  C:\Windows\System32\DIstydL.exe
  2⤵
  PID:7936
- C:\Windows\System32\AFtsEmW.exe
  C:\Windows\System32\AFtsEmW.exe
  2⤵
  PID:8140
- C:\Windows\System32\lzKRXMr.exe
  C:\Windows\System32\lzKRXMr.exe
  2⤵
  PID:8200
- C:\Windows\System32\tDRVACt.exe
  C:\Windows\System32\tDRVACt.exe
  2⤵
  PID:8216
- C:\Windows\System32\fZolJNa.exe
  C:\Windows\System32\fZolJNa.exe
  2⤵
  PID:8244
- C:\Windows\System32\njhFQEh.exe
  C:\Windows\System32\njhFQEh.exe
  2⤵
  PID:8260
- C:\Windows\System32\osmaUVR.exe
  C:\Windows\System32\osmaUVR.exe
  2⤵
  PID:8316
- C:\Windows\System32\NHZQIhK.exe
  C:\Windows\System32\NHZQIhK.exe
  2⤵
  PID:8416
- C:\Windows\System32\qIAugUs.exe
  C:\Windows\System32\qIAugUs.exe
  2⤵
  PID:8472
- C:\Windows\System32\Icibkca.exe
  C:\Windows\System32\Icibkca.exe
  2⤵
  PID:8516
- C:\Windows\System32\aiMoeHe.exe
  C:\Windows\System32\aiMoeHe.exe
  2⤵
  PID:8532
- C:\Windows\System32\yUHdfOE.exe
  C:\Windows\System32\yUHdfOE.exe
  2⤵
  PID:8560
- C:\Windows\System32\yfoKMkY.exe
  C:\Windows\System32\yfoKMkY.exe
  2⤵
  PID:8600
- C:\Windows\System32\NHKcVxX.exe
  C:\Windows\System32\NHKcVxX.exe
  2⤵
  PID:8624
- C:\Windows\System32\fsBjCLQ.exe
  C:\Windows\System32\fsBjCLQ.exe
  2⤵
  PID:8660
- C:\Windows\System32\wljZKSk.exe
  C:\Windows\System32\wljZKSk.exe
  2⤵
  PID:8684
- C:\Windows\System32\qEfXZpY.exe
  C:\Windows\System32\qEfXZpY.exe
  2⤵
  PID:8712
- C:\Windows\System32\TRZgQoQ.exe
  C:\Windows\System32\TRZgQoQ.exe
  2⤵
  PID:8732
- C:\Windows\System32\llszrGf.exe
  C:\Windows\System32\llszrGf.exe
  2⤵
  PID:8772
- C:\Windows\System32\oeDcwZR.exe
  C:\Windows\System32\oeDcwZR.exe
  2⤵
  PID:8788
- C:\Windows\System32\INixWsT.exe
  C:\Windows\System32\INixWsT.exe
  2⤵
  PID:8808
- C:\Windows\System32\PbIdGoI.exe
  C:\Windows\System32\PbIdGoI.exe
  2⤵
  PID:8832
- C:\Windows\System32\kbShgyX.exe
  C:\Windows\System32\kbShgyX.exe
  2⤵
  PID:8852
- C:\Windows\System32\azlBufg.exe
  C:\Windows\System32\azlBufg.exe
  2⤵
  PID:8888
- C:\Windows\System32\CDetjVN.exe
  C:\Windows\System32\CDetjVN.exe
  2⤵
  PID:8916
- C:\Windows\System32\UjTPJwv.exe
  C:\Windows\System32\UjTPJwv.exe
  2⤵
  PID:8952
- C:\Windows\System32\bMiwhUz.exe
  C:\Windows\System32\bMiwhUz.exe
  2⤵
  PID:8976
- C:\Windows\System32\BfixSOy.exe
  C:\Windows\System32\BfixSOy.exe
  2⤵
  PID:8996
- C:\Windows\System32\cbtBqtk.exe
  C:\Windows\System32\cbtBqtk.exe
  2⤵
  PID:9016
- C:\Windows\System32\SXgtAxp.exe
  C:\Windows\System32\SXgtAxp.exe
  2⤵
  PID:9036
- C:\Windows\System32\iAVWOfF.exe
  C:\Windows\System32\iAVWOfF.exe
  2⤵
  PID:9068
- C:\Windows\System32\qWlAokG.exe
  C:\Windows\System32\qWlAokG.exe
  2⤵
  PID:9096
- C:\Windows\System32\EFJMyCo.exe
  C:\Windows\System32\EFJMyCo.exe
  2⤵
  PID:9136
- C:\Windows\System32\WiEYwSf.exe
  C:\Windows\System32\WiEYwSf.exe
  2⤵
  PID:9164
- C:\Windows\System32\aHVrQeT.exe
  C:\Windows\System32\aHVrQeT.exe
  2⤵
  PID:9196
- C:\Windows\System32\IIWHDKP.exe
  C:\Windows\System32\IIWHDKP.exe
  2⤵
  PID:7368
- C:\Windows\System32\vUkhUPK.exe
  C:\Windows\System32\vUkhUPK.exe
  2⤵
  PID:8120
- C:\Windows\System32\gVcBqFT.exe
  C:\Windows\System32\gVcBqFT.exe
  2⤵
  PID:7480
- C:\Windows\System32\eWIiZee.exe
  C:\Windows\System32\eWIiZee.exe
  2⤵
  PID:7580
- C:\Windows\System32\ZogNMRH.exe
  C:\Windows\System32\ZogNMRH.exe
  2⤵
  PID:7820
- C:\Windows\System32\oYLRKrl.exe
  C:\Windows\System32\oYLRKrl.exe
  2⤵
  PID:8328
- C:\Windows\System32\aFkksBe.exe
  C:\Windows\System32\aFkksBe.exe
  2⤵
  PID:8252
- C:\Windows\System32\hNOSbgQ.exe
  C:\Windows\System32\hNOSbgQ.exe
  2⤵
  PID:8364
- C:\Windows\System32\HnKxNrJ.exe
  C:\Windows\System32\HnKxNrJ.exe
  2⤵
  PID:8428
- C:\Windows\System32\jXudJyj.exe
  C:\Windows\System32\jXudJyj.exe
  2⤵
  PID:8496
- C:\Windows\System32\dpEZnFS.exe
  C:\Windows\System32\dpEZnFS.exe
  2⤵
  PID:8552
- C:\Windows\System32\rLUsymA.exe
  C:\Windows\System32\rLUsymA.exe
  2⤵
  PID:8592
- C:\Windows\System32\VdXflhW.exe
  C:\Windows\System32\VdXflhW.exe
  2⤵
  PID:8704
- C:\Windows\System32\oHFpVYB.exe
  C:\Windows\System32\oHFpVYB.exe
  2⤵
  PID:8700
- C:\Windows\System32\uhWeTkn.exe
  C:\Windows\System32\uhWeTkn.exe
  2⤵
  PID:7828
- C:\Windows\System32\NHFCjKZ.exe
  C:\Windows\System32\NHFCjKZ.exe
  2⤵
  PID:8928
- C:\Windows\System32\CXZMPmY.exe
  C:\Windows\System32\CXZMPmY.exe
  2⤵
  PID:8992
- C:\Windows\System32\RMCkllm.exe
  C:\Windows\System32\RMCkllm.exe
  2⤵
  PID:8960
- C:\Windows\System32\RajPgGF.exe
  C:\Windows\System32\RajPgGF.exe
  2⤵
  PID:9092
- C:\Windows\System32\KSTXLkT.exe
  C:\Windows\System32\KSTXLkT.exe
  2⤵
  PID:9132
- C:\Windows\System32\HTTNTLo.exe
  C:\Windows\System32\HTTNTLo.exe
  2⤵
  PID:9184
- C:\Windows\System32\qHiJBnR.exe
  C:\Windows\System32\qHiJBnR.exe
  2⤵
  PID:8176
- C:\Windows\System32\hODWBvA.exe
  C:\Windows\System32\hODWBvA.exe
  2⤵
  PID:7292
- C:\Windows\System32\frBMVNK.exe
  C:\Windows\System32\frBMVNK.exe
  2⤵
  PID:7916
- C:\Windows\System32\dDZwHgc.exe
  C:\Windows\System32\dDZwHgc.exe
  2⤵
  PID:8508
- C:\Windows\System32\nGikjIV.exe
  C:\Windows\System32\nGikjIV.exe
  2⤵
  PID:8576
- C:\Windows\System32\Fasonup.exe
  C:\Windows\System32\Fasonup.exe
  2⤵
  PID:8764
- C:\Windows\System32\FCNImqx.exe
  C:\Windows\System32\FCNImqx.exe
  2⤵
  PID:8964
- C:\Windows\System32\xGyAefB.exe
  C:\Windows\System32\xGyAefB.exe
  2⤵
  PID:8064
- C:\Windows\System32\NhEqiTN.exe
  C:\Windows\System32\NhEqiTN.exe
  2⤵
  PID:7392
- C:\Windows\System32\TLEPnOk.exe
  C:\Windows\System32\TLEPnOk.exe
  2⤵
  PID:8492
- C:\Windows\System32\eVjiuzh.exe
  C:\Windows\System32\eVjiuzh.exe
  2⤵
  PID:8848
- C:\Windows\System32\gTITiqx.exe
  C:\Windows\System32\gTITiqx.exe
  2⤵
  PID:9064
- C:\Windows\System32\dfBFeiB.exe
  C:\Windows\System32\dfBFeiB.exe
  2⤵
  PID:7440
- C:\Windows\System32\xgkOHoQ.exe
  C:\Windows\System32\xgkOHoQ.exe
  2⤵
  PID:8752
- C:\Windows\System32\ppMQtQI.exe
  C:\Windows\System32\ppMQtQI.exe
  2⤵
  PID:9228
- C:\Windows\System32\pTmABEW.exe
  C:\Windows\System32\pTmABEW.exe
  2⤵
  PID:9244
- C:\Windows\System32\QBZodnq.exe
  C:\Windows\System32\QBZodnq.exe
  2⤵
  PID:9276
- C:\Windows\System32\GPPBIDp.exe
  C:\Windows\System32\GPPBIDp.exe
  2⤵
  PID:9316
- C:\Windows\System32\yGNsEAP.exe
  C:\Windows\System32\yGNsEAP.exe
  2⤵
  PID:9340
- C:\Windows\System32\MHBVpuu.exe
  C:\Windows\System32\MHBVpuu.exe
  2⤵
  PID:9360
- C:\Windows\System32\BsPBLaC.exe
  C:\Windows\System32\BsPBLaC.exe
  2⤵
  PID:9376
- C:\Windows\System32\RWLnAPk.exe
  C:\Windows\System32\RWLnAPk.exe
  2⤵
  PID:9428
- C:\Windows\System32\EYLTBZf.exe
  C:\Windows\System32\EYLTBZf.exe
  2⤵
  PID:9456
- C:\Windows\System32\gHlVkTN.exe
  C:\Windows\System32\gHlVkTN.exe
  2⤵
  PID:9520
- C:\Windows\System32\KmqkaAo.exe
  C:\Windows\System32\KmqkaAo.exe
  2⤵
  PID:9556
- C:\Windows\System32\nrqDaOy.exe
  C:\Windows\System32\nrqDaOy.exe
  2⤵
  PID:9580
- C:\Windows\System32\BmndmUu.exe
  C:\Windows\System32\BmndmUu.exe
  2⤵
  PID:9608
- C:\Windows\System32\zUFTAjv.exe
  C:\Windows\System32\zUFTAjv.exe
  2⤵
  PID:9628
- C:\Windows\System32\VBdSXfX.exe
  C:\Windows\System32\VBdSXfX.exe
  2⤵
  PID:9660
- C:\Windows\System32\czzQtfW.exe
  C:\Windows\System32\czzQtfW.exe
  2⤵
  PID:9680
- C:\Windows\System32\ZTcFMkt.exe
  C:\Windows\System32\ZTcFMkt.exe
  2⤵
  PID:9700
- C:\Windows\System32\JgkqwwB.exe
  C:\Windows\System32\JgkqwwB.exe
  2⤵
  PID:9756
- C:\Windows\System32\DGCSmpp.exe
  C:\Windows\System32\DGCSmpp.exe
  2⤵
  PID:9784
- C:\Windows\System32\owuPFGC.exe
  C:\Windows\System32\owuPFGC.exe
  2⤵
  PID:9832
- C:\Windows\System32\bVsQvus.exe
  C:\Windows\System32\bVsQvus.exe
  2⤵
  PID:9848
- C:\Windows\System32\uLSxNaJ.exe
  C:\Windows\System32\uLSxNaJ.exe
  2⤵
  PID:9872
- C:\Windows\System32\OyACmHc.exe
  C:\Windows\System32\OyACmHc.exe
  2⤵
  PID:9892
- C:\Windows\System32\jSmSaPn.exe
  C:\Windows\System32\jSmSaPn.exe
  2⤵
  PID:9932
- C:\Windows\System32\LlXDvPO.exe
  C:\Windows\System32\LlXDvPO.exe
  2⤵
  PID:9948
- C:\Windows\System32\rNQveKv.exe
  C:\Windows\System32\rNQveKv.exe
  2⤵
  PID:9980
- C:\Windows\System32\gdlDOcn.exe
  C:\Windows\System32\gdlDOcn.exe
  2⤵
  PID:10004
- C:\Windows\System32\kDwZEfr.exe
  C:\Windows\System32\kDwZEfr.exe
  2⤵
  PID:10048
- C:\Windows\System32\ZjMUpkp.exe
  C:\Windows\System32\ZjMUpkp.exe
  2⤵
  PID:10076
- C:\Windows\System32\gJKQrwW.exe
  C:\Windows\System32\gJKQrwW.exe
  2⤵
  PID:10092
- C:\Windows\System32\EAnxoSl.exe
  C:\Windows\System32\EAnxoSl.exe
  2⤵
  PID:10120
- C:\Windows\System32\dtDYZZQ.exe
  C:\Windows\System32\dtDYZZQ.exe
  2⤵
  PID:10144
- C:\Windows\System32\RWFWuRO.exe
  C:\Windows\System32\RWFWuRO.exe
  2⤵
  PID:10160
- C:\Windows\System32\YhzZkOP.exe
  C:\Windows\System32\YhzZkOP.exe
  2⤵
  PID:10184
- C:\Windows\System32\futyOLl.exe
  C:\Windows\System32\futyOLl.exe
  2⤵
  PID:8896
- C:\Windows\System32\bifvfXs.exe
  C:\Windows\System32\bifvfXs.exe
  2⤵
  PID:9220
- C:\Windows\System32\dBHDGGv.exe
  C:\Windows\System32\dBHDGGv.exe
  2⤵
  PID:9300
- C:\Windows\System32\YRbPTOI.exe
  C:\Windows\System32\YRbPTOI.exe
  2⤵
  PID:9404
- C:\Windows\System32\ybnWZNO.exe
  C:\Windows\System32\ybnWZNO.exe
  2⤵
  PID:9420
- C:\Windows\System32\xmrLXBx.exe
  C:\Windows\System32\xmrLXBx.exe
  2⤵
  PID:9484
- C:\Windows\System32\hTjcfut.exe
  C:\Windows\System32\hTjcfut.exe
  2⤵
  PID:9544
- C:\Windows\System32\NamoDfF.exe
  C:\Windows\System32\NamoDfF.exe
  2⤵
  PID:9640
- C:\Windows\System32\fvvzuih.exe
  C:\Windows\System32\fvvzuih.exe
  2⤵
  PID:9728
- C:\Windows\System32\KzvcmjS.exe
  C:\Windows\System32\KzvcmjS.exe
  2⤵
  PID:9776
- C:\Windows\System32\eRbstPD.exe
  C:\Windows\System32\eRbstPD.exe
  2⤵
  PID:9844
- C:\Windows\System32\mWEmpNk.exe
  C:\Windows\System32\mWEmpNk.exe
  2⤵
  PID:9912
- C:\Windows\System32\kikKire.exe
  C:\Windows\System32\kikKire.exe
  2⤵
  PID:10000
- C:\Windows\System32\WRiMKhk.exe
  C:\Windows\System32\WRiMKhk.exe
  2⤵
  PID:10024
- C:\Windows\System32\jBBErCi.exe
  C:\Windows\System32\jBBErCi.exe
  2⤵
  PID:10036
- C:\Windows\System32\vztOkKZ.exe
  C:\Windows\System32\vztOkKZ.exe
  2⤵
  PID:10156
- C:\Windows\System32\BvvWzRs.exe
  C:\Windows\System32\BvvWzRs.exe
  2⤵
  PID:10228
- C:\Windows\System32\nVlmsjb.exe
  C:\Windows\System32\nVlmsjb.exe
  2⤵
  PID:9256
- C:\Windows\System32\rzUKTIJ.exe
  C:\Windows\System32\rzUKTIJ.exe
  2⤵
  PID:9368
- C:\Windows\System32\cOVVncY.exe
  C:\Windows\System32\cOVVncY.exe
  2⤵
  PID:9440
- C:\Windows\System32\GdpoomO.exe
  C:\Windows\System32\GdpoomO.exe
  2⤵
  PID:9696
- C:\Windows\System32\rWoBbOF.exe
  C:\Windows\System32\rWoBbOF.exe
  2⤵
  PID:9880
- C:\Windows\System32\PgoldYB.exe
  C:\Windows\System32\PgoldYB.exe
  2⤵
  PID:10072
- C:\Windows\System32\egCCAOU.exe
  C:\Windows\System32\egCCAOU.exe
  2⤵
  PID:9284
- C:\Windows\System32\JAEWjtJ.exe
  C:\Windows\System32\JAEWjtJ.exe
  2⤵
  PID:9436
- C:\Windows\System32\KfVPoFd.exe
  C:\Windows\System32\KfVPoFd.exe
  2⤵
  PID:9796
- C:\Windows\System32\ocFLmgq.exe
  C:\Windows\System32\ocFLmgq.exe
  2⤵
  PID:9924
- C:\Windows\System32\lFxbYhS.exe
  C:\Windows\System32\lFxbYhS.exe
  2⤵
  PID:10204
- C:\Windows\System32\EFjmZAo.exe
  C:\Windows\System32\EFjmZAo.exe
  2⤵
  PID:9492
- C:\Windows\System32\gsJmGkR.exe
  C:\Windows\System32\gsJmGkR.exe
  2⤵
  PID:10268
- C:\Windows\System32\DzQVzbQ.exe
  C:\Windows\System32\DzQVzbQ.exe
  2⤵
  PID:10292
- C:\Windows\System32\CyAcIDS.exe
  C:\Windows\System32\CyAcIDS.exe
  2⤵
  PID:10312
- C:\Windows\System32\csQjHsx.exe
  C:\Windows\System32\csQjHsx.exe
  2⤵
  PID:10332
- C:\Windows\System32\smFhKYC.exe
  C:\Windows\System32\smFhKYC.exe
  2⤵
  PID:10356
- C:\Windows\System32\VNjgovv.exe
  C:\Windows\System32\VNjgovv.exe
  2⤵
  PID:10420
- C:\Windows\System32\gkpxwEx.exe
  C:\Windows\System32\gkpxwEx.exe
  2⤵
  PID:10460
- C:\Windows\System32\VAENYWf.exe
  C:\Windows\System32\VAENYWf.exe
  2⤵
  PID:10476
- C:\Windows\System32\GkDNyBS.exe
  C:\Windows\System32\GkDNyBS.exe
  2⤵
  PID:10504
- C:\Windows\System32\zBArgaP.exe
  C:\Windows\System32\zBArgaP.exe
  2⤵
  PID:10536
- C:\Windows\System32\EAMVPtq.exe
  C:\Windows\System32\EAMVPtq.exe
  2⤵
  PID:10576
- C:\Windows\System32\kOMUjnZ.exe
  C:\Windows\System32\kOMUjnZ.exe
  2⤵
  PID:10600
- C:\Windows\System32\LlnqzyS.exe
  C:\Windows\System32\LlnqzyS.exe
  2⤵
  PID:10620
- C:\Windows\System32\kGPwDUP.exe
  C:\Windows\System32\kGPwDUP.exe
  2⤵
  PID:10652
- C:\Windows\System32\gALEgYD.exe
  C:\Windows\System32\gALEgYD.exe
  2⤵
  PID:10684
- C:\Windows\System32\uhJEePH.exe
  C:\Windows\System32\uhJEePH.exe
  2⤵
  PID:10704
- C:\Windows\System32\YlGCvOe.exe
  C:\Windows\System32\YlGCvOe.exe
  2⤵
  PID:10728
- C:\Windows\System32\sYFAgCJ.exe
  C:\Windows\System32\sYFAgCJ.exe
  2⤵
  PID:10756
- C:\Windows\System32\PaIjYWV.exe
  C:\Windows\System32\PaIjYWV.exe
  2⤵
  PID:10772
- C:\Windows\System32\ziOPaRi.exe
  C:\Windows\System32\ziOPaRi.exe
  2⤵
  PID:10788
- C:\Windows\System32\RxLjLJl.exe
  C:\Windows\System32\RxLjLJl.exe
  2⤵
  PID:10820
- C:\Windows\System32\gpAgeas.exe
  C:\Windows\System32\gpAgeas.exe
  2⤵
  PID:10840
- C:\Windows\System32\RMmwIGW.exe
  C:\Windows\System32\RMmwIGW.exe
  2⤵
  PID:10860
- C:\Windows\System32\pJUAJii.exe
  C:\Windows\System32\pJUAJii.exe
  2⤵
  PID:10896
- C:\Windows\System32\eawrNZx.exe
  C:\Windows\System32\eawrNZx.exe
  2⤵
  PID:10912
- C:\Windows\System32\tTAHAGU.exe
  C:\Windows\System32\tTAHAGU.exe
  2⤵
  PID:10984
- C:\Windows\System32\cbUrRyr.exe
  C:\Windows\System32\cbUrRyr.exe
  2⤵
  PID:11024
- C:\Windows\System32\jboQHpH.exe
  C:\Windows\System32\jboQHpH.exe
  2⤵
  PID:11040
- C:\Windows\System32\PQujaeB.exe
  C:\Windows\System32\PQujaeB.exe
  2⤵
  PID:11080
- C:\Windows\System32\lfQZJMl.exe
  C:\Windows\System32\lfQZJMl.exe
  2⤵
  PID:11108
- C:\Windows\System32\DQBErut.exe
  C:\Windows\System32\DQBErut.exe
  2⤵
  PID:11136
- C:\Windows\System32\lYgCezb.exe
  C:\Windows\System32\lYgCezb.exe
  2⤵
  PID:11164
- C:\Windows\System32\bLoFZth.exe
  C:\Windows\System32\bLoFZth.exe
  2⤵
  PID:11180
- C:\Windows\System32\voJYrsj.exe
  C:\Windows\System32\voJYrsj.exe
  2⤵
  PID:11204
- C:\Windows\System32\HOIFahr.exe
  C:\Windows\System32\HOIFahr.exe
  2⤵
  PID:10216
- C:\Windows\System32\sOyslnW.exe
  C:\Windows\System32\sOyslnW.exe
  2⤵
  PID:10328
- C:\Windows\System32\TLIvoOB.exe
  C:\Windows\System32\TLIvoOB.exe
  2⤵
  PID:10404
- C:\Windows\System32\AwGurWJ.exe
  C:\Windows\System32\AwGurWJ.exe
  2⤵
  PID:10408
- C:\Windows\System32\DBDPKYQ.exe
  C:\Windows\System32\DBDPKYQ.exe
  2⤵
  PID:10500
- C:\Windows\System32\OCUwPlE.exe
  C:\Windows\System32\OCUwPlE.exe
  2⤵
  PID:10592
- C:\Windows\System32\AwEgIkG.exe
  C:\Windows\System32\AwEgIkG.exe
  2⤵
  PID:10532
- C:\Windows\System32\RZGnYlM.exe
  C:\Windows\System32\RZGnYlM.exe
  2⤵
  PID:10668
- C:\Windows\System32\JoNCYKb.exe
  C:\Windows\System32\JoNCYKb.exe
  2⤵
  PID:10716
- C:\Windows\System32\lRhsfZa.exe
  C:\Windows\System32\lRhsfZa.exe
  2⤵
  PID:10780
- C:\Windows\System32\OtemsbI.exe
  C:\Windows\System32\OtemsbI.exe
  2⤵
  PID:10856
- C:\Windows\System32\fDZDBCE.exe
  C:\Windows\System32\fDZDBCE.exe
  2⤵
  PID:10940
- C:\Windows\System32\QWkyjky.exe
  C:\Windows\System32\QWkyjky.exe
  2⤵
  PID:11016
- C:\Windows\System32\foeIEWR.exe
  C:\Windows\System32\foeIEWR.exe
  2⤵
  PID:11048
- C:\Windows\System32\thofkzZ.exe
  C:\Windows\System32\thofkzZ.exe
  2⤵
  PID:11104
- C:\Windows\System32\VZicHja.exe
  C:\Windows\System32\VZicHja.exe
  2⤵
  PID:11116
- C:\Windows\System32\kVwMDQd.exe
  C:\Windows\System32\kVwMDQd.exe
  2⤵
  PID:11240
- C:\Windows\System32\hAsFszs.exe
  C:\Windows\System32\hAsFszs.exe
  2⤵
  PID:10288
- C:\Windows\System32\BMwXpFo.exe
  C:\Windows\System32\BMwXpFo.exe
  2⤵
  PID:10444
- C:\Windows\System32\kAwZDlH.exe
  C:\Windows\System32\kAwZDlH.exe
  2⤵
  PID:10520
- C:\Windows\System32\iSMpGAt.exe
  C:\Windows\System32\iSMpGAt.exe
  2⤵
  PID:10672
- C:\Windows\System32\cEiQUWy.exe
  C:\Windows\System32\cEiQUWy.exe
  2⤵
  PID:10748
- C:\Windows\System32\vjnIcVy.exe
  C:\Windows\System32\vjnIcVy.exe
  2⤵
  PID:10972
- C:\Windows\System32\GPDUkZR.exe
  C:\Windows\System32\GPDUkZR.exe
  2⤵
  PID:11128
- C:\Windows\System32\zODksnN.exe
  C:\Windows\System32\zODksnN.exe
  2⤵
  PID:9968
- C:\Windows\System32\bxKtzml.exe
  C:\Windows\System32\bxKtzml.exe
  2⤵
  PID:10472
- C:\Windows\System32\RYTrbkd.exe
  C:\Windows\System32\RYTrbkd.exe
  2⤵
  PID:10924
- C:\Windows\System32\VKjpBDy.exe
  C:\Windows\System32\VKjpBDy.exe
  2⤵
  PID:11216
- C:\Windows\System32\khauORw.exe
  C:\Windows\System32\khauORw.exe
  2⤵
  PID:10784
- C:\Windows\System32\XLqHCvu.exe
  C:\Windows\System32\XLqHCvu.exe
  2⤵
  PID:11276
- C:\Windows\System32\WEqdiHr.exe
  C:\Windows\System32\WEqdiHr.exe
  2⤵
  PID:11304
- C:\Windows\System32\AEgpchZ.exe
  C:\Windows\System32\AEgpchZ.exe
  2⤵
  PID:11332
- C:\Windows\System32\ThDNpZl.exe
  C:\Windows\System32\ThDNpZl.exe
  2⤵
  PID:11360
- C:\Windows\System32\WJDdpWh.exe
  C:\Windows\System32\WJDdpWh.exe
  2⤵
  PID:11376
- C:\Windows\System32\Gtkxxuv.exe
  C:\Windows\System32\Gtkxxuv.exe
  2⤵
  PID:11424
- C:\Windows\System32\ZsDtGnb.exe
  C:\Windows\System32\ZsDtGnb.exe
  2⤵
  PID:11464
- C:\Windows\System32\aftOGzF.exe
  C:\Windows\System32\aftOGzF.exe
  2⤵
  PID:11484
- C:\Windows\System32\NLmRzbP.exe
  C:\Windows\System32\NLmRzbP.exe
  2⤵
  PID:11508
- C:\Windows\System32\iiCJFOR.exe
  C:\Windows\System32\iiCJFOR.exe
  2⤵
  PID:11536
- C:\Windows\System32\ULxwvDk.exe
  C:\Windows\System32\ULxwvDk.exe
  2⤵
  PID:11564
- C:\Windows\System32\MVNpdFV.exe
  C:\Windows\System32\MVNpdFV.exe
  2⤵
  PID:11584
- C:\Windows\System32\NXKixFH.exe
  C:\Windows\System32\NXKixFH.exe
  2⤵
  PID:11604
- C:\Windows\System32\bGXWWXW.exe
  C:\Windows\System32\bGXWWXW.exe
  2⤵
  PID:11632
- C:\Windows\System32\AWsLCdA.exe
  C:\Windows\System32\AWsLCdA.exe
  2⤵
  PID:11660
- C:\Windows\System32\WcnkUVn.exe
  C:\Windows\System32\WcnkUVn.exe
  2⤵
  PID:11688
- C:\Windows\System32\DdPaUZx.exe
  C:\Windows\System32\DdPaUZx.exe
  2⤵
  PID:11728
- C:\Windows\System32\KsIKRAb.exe
  C:\Windows\System32\KsIKRAb.exe
  2⤵
  PID:11752
- C:\Windows\System32\BzeBJHl.exe
  C:\Windows\System32\BzeBJHl.exe
  2⤵
  PID:11772
- C:\Windows\System32\mGtpluV.exe
  C:\Windows\System32\mGtpluV.exe
  2⤵
  PID:11828
- C:\Windows\System32\QAUmWkt.exe
  C:\Windows\System32\QAUmWkt.exe
  2⤵
  PID:11848
- C:\Windows\System32\JuggYZK.exe
  C:\Windows\System32\JuggYZK.exe
  2⤵
  PID:11872
- C:\Windows\System32\tlgVQEQ.exe
  C:\Windows\System32\tlgVQEQ.exe
  2⤵
  PID:11888
- C:\Windows\System32\dfUZYxA.exe
  C:\Windows\System32\dfUZYxA.exe
  2⤵
  PID:11920
- C:\Windows\System32\wDBvJHg.exe
  C:\Windows\System32\wDBvJHg.exe
  2⤵
  PID:11940
- C:\Windows\System32\jctukaM.exe
  C:\Windows\System32\jctukaM.exe
  2⤵
  PID:11968
- C:\Windows\System32\ynERdJI.exe
  C:\Windows\System32\ynERdJI.exe
  2⤵
  PID:11984
- C:\Windows\System32\ahOUugi.exe
  C:\Windows\System32\ahOUugi.exe
  2⤵
  PID:12040
- C:\Windows\System32\oyOUfmY.exe
  C:\Windows\System32\oyOUfmY.exe
  2⤵
  PID:12104
- C:\Windows\System32\akotHnz.exe
  C:\Windows\System32\akotHnz.exe
  2⤵
  PID:12120
- C:\Windows\System32\JbGwCGw.exe
  C:\Windows\System32\JbGwCGw.exe
  2⤵
  PID:12136
- C:\Windows\System32\DcQKnzC.exe
  C:\Windows\System32\DcQKnzC.exe
  2⤵
  PID:12156
- C:\Windows\System32\arpcGVo.exe
  C:\Windows\System32\arpcGVo.exe
  2⤵
  PID:12204
- C:\Windows\System32\ErstIYb.exe
  C:\Windows\System32\ErstIYb.exe
  2⤵
  PID:12220
- C:\Windows\System32\PbwxJOs.exe
  C:\Windows\System32\PbwxJOs.exe
  2⤵
  PID:12248
- C:\Windows\System32\GLZSalp.exe
  C:\Windows\System32\GLZSalp.exe
  2⤵
  PID:12284
- C:\Windows\System32\LLqKlyp.exe
  C:\Windows\System32\LLqKlyp.exe
  2⤵
  PID:11300
- C:\Windows\System32\LkKfGLd.exe
  C:\Windows\System32\LkKfGLd.exe
  2⤵
  PID:11324
- C:\Windows\System32\MfSxaTO.exe
  C:\Windows\System32\MfSxaTO.exe
  2⤵
  PID:11368
- C:\Windows\System32\ZKfqwXR.exe
  C:\Windows\System32\ZKfqwXR.exe
  2⤵
  PID:11472
- C:\Windows\System32\SSzjPQa.exe
  C:\Windows\System32\SSzjPQa.exe
  2⤵
  PID:11572
- C:\Windows\System32\sbJMVMc.exe
  C:\Windows\System32\sbJMVMc.exe
  2⤵
  PID:11620
- C:\Windows\System32\sYoQKQs.exe
  C:\Windows\System32\sYoQKQs.exe
  2⤵
  PID:11668
- C:\Windows\System32\mQKlrTk.exe
  C:\Windows\System32\mQKlrTk.exe
  2⤵
  PID:11700
- C:\Windows\System32\kxWMlTR.exe
  C:\Windows\System32\kxWMlTR.exe
  2⤵
  PID:11868
- C:\Windows\System32\iqKEEZR.exe
  C:\Windows\System32\iqKEEZR.exe
  2⤵
  PID:11884
- C:\Windows\System32\NhJHjmQ.exe
  C:\Windows\System32\NhJHjmQ.exe
  2⤵
  PID:11948
- C:\Windows\System32\gAONGPF.exe
  C:\Windows\System32\gAONGPF.exe
  2⤵
  PID:11992
- C:\Windows\System32\KlmCljT.exe
  C:\Windows\System32\KlmCljT.exe
  2⤵
  PID:12048
- C:\Windows\System32\avFULZW.exe
  C:\Windows\System32\avFULZW.exe
  2⤵
  PID:12072
- C:\Windows\System32\JKWLsIP.exe
  C:\Windows\System32\JKWLsIP.exe
  2⤵
  PID:12148
- C:\Windows\System32\dwDisWA.exe
  C:\Windows\System32\dwDisWA.exe
  2⤵
  PID:10720
- C:\Windows\System32\YPEoGcd.exe
  C:\Windows\System32\YPEoGcd.exe
  2⤵
  PID:620
- C:\Windows\System32\XLcYEVx.exe
  C:\Windows\System32\XLcYEVx.exe
  2⤵
  PID:4340
- C:\Windows\System32\tHRQyzP.exe
  C:\Windows\System32\tHRQyzP.exe
  2⤵
  PID:11544
- C:\Windows\System32\ykOEtDb.exe
  C:\Windows\System32\ykOEtDb.exe
  2⤵
  PID:11652
- C:\Windows\System32\LCUhlgZ.exe
  C:\Windows\System32\LCUhlgZ.exe
  2⤵
  PID:11836
- C:\Windows\System32\xGKvRos.exe
  C:\Windows\System32\xGKvRos.exe
  2⤵
  PID:11956
- C:\Windows\System32\cwgyLuT.exe
  C:\Windows\System32\cwgyLuT.exe
  2⤵
  PID:11980
- C:\Windows\System32\IoZLjlK.exe
  C:\Windows\System32\IoZLjlK.exe
  2⤵
  PID:12132
- C:\Windows\System32\bPgSYXX.exe
  C:\Windows\System32\bPgSYXX.exe
  2⤵
  PID:12264
- C:\Windows\System32\AEKPxSk.exe
  C:\Windows\System32\AEKPxSk.exe
  2⤵
  PID:11768
- C:\Windows\System32\nfrgVcB.exe
  C:\Windows\System32\nfrgVcB.exe
  2⤵
  PID:11976
- C:\Windows\System32\OaSAoff.exe
  C:\Windows\System32\OaSAoff.exe
  2⤵
  PID:12244
- C:\Windows\System32\uFuAddS.exe
  C:\Windows\System32\uFuAddS.exe
  2⤵
  PID:11600
- C:\Windows\System32\xvqKVWq.exe
  C:\Windows\System32\xvqKVWq.exe
  2⤵
  PID:12304
- C:\Windows\System32\zGOgdjI.exe
  C:\Windows\System32\zGOgdjI.exe
  2⤵
  PID:12344
- C:\Windows\System32\MwTedUH.exe
  C:\Windows\System32\MwTedUH.exe
  2⤵
  PID:12364
- C:\Windows\System32\erJKKzq.exe
  C:\Windows\System32\erJKKzq.exe
  2⤵
  PID:12392
- C:\Windows\System32\pTlRrmP.exe
  C:\Windows\System32\pTlRrmP.exe
  2⤵
  PID:12412
- C:\Windows\System32\lbjiiZa.exe
  C:\Windows\System32\lbjiiZa.exe
  2⤵
  PID:12448
- C:\Windows\System32\XbkTdZb.exe
  C:\Windows\System32\XbkTdZb.exe
  2⤵
  PID:12468
- C:\Windows\System32\IOdaQPm.exe
  C:\Windows\System32\IOdaQPm.exe
  2⤵
  PID:12484
- C:\Windows\System32\LXQIAYp.exe
  C:\Windows\System32\LXQIAYp.exe
  2⤵
  PID:12508
- C:\Windows\System32\cMMhPkL.exe
  C:\Windows\System32\cMMhPkL.exe
  2⤵
  PID:12548
- C:\Windows\System32\xOWuxLA.exe
  C:\Windows\System32\xOWuxLA.exe
  2⤵
  PID:12588
- C:\Windows\System32\fxSLCPu.exe
  C:\Windows\System32\fxSLCPu.exe
  2⤵
  PID:12604
- C:\Windows\System32\rPnDvCF.exe
  C:\Windows\System32\rPnDvCF.exe
  2⤵
  PID:12636
- C:\Windows\System32\rJzrzkY.exe
  C:\Windows\System32\rJzrzkY.exe
  2⤵
  PID:12688
- C:\Windows\System32\nrnGQCU.exe
  C:\Windows\System32\nrnGQCU.exe
  2⤵
  PID:12708
- C:\Windows\System32\gYZpHEX.exe
  C:\Windows\System32\gYZpHEX.exe
  2⤵
  PID:12732
- C:\Windows\System32\zxFxcyV.exe
  C:\Windows\System32\zxFxcyV.exe
  2⤵
  PID:12760
- C:\Windows\System32\kHlVNon.exe
  C:\Windows\System32\kHlVNon.exe
  2⤵
  PID:12780
- C:\Windows\System32\pjHDdIs.exe
  C:\Windows\System32\pjHDdIs.exe
  2⤵
  PID:12812
- C:\Windows\System32\wUiPxbA.exe
  C:\Windows\System32\wUiPxbA.exe
  2⤵
  PID:12856
- C:\Windows\System32\lyDiGQz.exe
  C:\Windows\System32\lyDiGQz.exe
  2⤵
  PID:12876
- C:\Windows\System32\CRefDfS.exe
  C:\Windows\System32\CRefDfS.exe
  2⤵
  PID:12892
- C:\Windows\System32\UsmtTQz.exe
  C:\Windows\System32\UsmtTQz.exe
  2⤵
  PID:12916
- C:\Windows\System32\OZvaUSR.exe
  C:\Windows\System32\OZvaUSR.exe
  2⤵
  PID:12936
- C:\Windows\System32\msprmPB.exe
  C:\Windows\System32\msprmPB.exe
  2⤵
  PID:12956
- C:\Windows\System32\dFDiToU.exe
  C:\Windows\System32\dFDiToU.exe
  2⤵
  PID:13000
- C:\Windows\System32\zDFpKjZ.exe
  C:\Windows\System32\zDFpKjZ.exe
  2⤵
  PID:13024
- C:\Windows\System32\PEnjQvW.exe
  C:\Windows\System32\PEnjQvW.exe
  2⤵
  PID:13052
- C:\Windows\System32\aEHMtVD.exe
  C:\Windows\System32\aEHMtVD.exe
  2⤵
  PID:13096
- C:\Windows\System32\EeEzCVj.exe
  C:\Windows\System32\EeEzCVj.exe
  2⤵
  PID:13128
- C:\Windows\System32\xaBrAXT.exe
  C:\Windows\System32\xaBrAXT.exe
  2⤵
  PID:13148
- C:\Windows\System32\vzQKYlB.exe
  C:\Windows\System32\vzQKYlB.exe
  2⤵
  PID:13164
- C:\Windows\System32\CkYMkmi.exe
  C:\Windows\System32\CkYMkmi.exe
  2⤵
  PID:13196
- C:\Windows\System32\dUylSIX.exe
  C:\Windows\System32\dUylSIX.exe
  2⤵
  PID:13220
- C:\Windows\System32\NTcwZLq.exe
  C:\Windows\System32\NTcwZLq.exe
  2⤵
  PID:13260
- C:\Windows\System32\UyuCFth.exe
  C:\Windows\System32\UyuCFth.exe
  2⤵
  PID:13308
- C:\Windows\System32\vcVIzGs.exe
  C:\Windows\System32\vcVIzGs.exe
  2⤵
  PID:12336
- C:\Windows\System32\chzBbqa.exe
  C:\Windows\System32\chzBbqa.exe
  2⤵
  PID:12360
- C:\Windows\System32\wRygzgH.exe
  C:\Windows\System32\wRygzgH.exe
  2⤵
  PID:12400
- C:\Windows\System32\VNqLFIC.exe
  C:\Windows\System32\VNqLFIC.exe
  2⤵
  PID:12480

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BBHasPp.exe

Filesize
1.6MB

MD5
975407817d9741d40733203c5f55d327

SHA1
bb0011aa51575b494c40a40efe172472eaa46e77

SHA256
8f1492353811907b8436a3885cc3bf90eda954d216ef5a594dd09678c4b03014

SHA512
b0b2c60c6a3381539c68a879ce00027aea4e62f1382d2572584c0c2c00a73ed93770044a9f48f9383edc4c2ff47401c70f56dd41b41cd0c50da6b075984a8bac

Download Submit
C:\Windows\System32\CXAstQM.exe

Filesize
1.6MB

MD5
3e8eccd75fa79bb2f8f8dd5a8f6caebd

SHA1
daefa1f2c4af0169fb5955ffcd19c5c4ec767ac6

SHA256
cb68b60cc39e6136ddc193a88b5430b6ef14427010ec25cb9498644e15a1ad90

SHA512
0828358664f0a1edd295b868a7cc0e2a7183bdf025a9f2d67f345416012f9496c15384f71db537cbdc4432a43917c10ec83caee48842e8da219e99ac9d773991

Download Submit
C:\Windows\System32\GmfXjxY.exe

Filesize
1.5MB

MD5
537c8680cddb601650a9ff3a2c938d30

SHA1
8ec1612593cfb67ab8f9bfd92e706a663e3342f5

SHA256
0d43eb3b18aa750caaed9a1b201fb9e37257d7f6443527b04b4c9eb360c05abd

SHA512
eb097f5c010501d542e16d7bc618f447645bbe6018320027b9979dc240f1b58df01715afdfc8637e397f5accfb9362d10bede6ea50e62b5b71f7c2706abacc87

Download Submit
C:\Windows\System32\IbiqFmJ.exe

Filesize
1.5MB

MD5
3e5f5cbefeb999612ec693f3eb002a0a

SHA1
23c108607b1aae55054849ecc4d949719dcdfe65

SHA256
bd37584099a0ed230fc20c152319024c97921fb74278f26ebd108a669ac9ce56

SHA512
f5b6cac272b4d0219ad5011e5b72f57767e524bf5e989620c7b5603576bc2f97b5fbf11b92e50516d68c95eabaf6abe20d9ed861b5df5d04ea11b2c257f81e11

Download Submit
C:\Windows\System32\JNKDcHV.exe

Filesize
1.6MB

MD5
fc0a95a5c8c23b360f1f46015273aae5

SHA1
862654abf0ed309f3ff2e65f6c324555f324e2b2

SHA256
473f61a8f3743b210429930a091b8baae9d0da0b22c7265f89edabe10ac508ad

SHA512
2c19dcf2107d0d1df7a55d7e9e8d731d31f8da5e2dee7a62f192aa31e630a2f25e28d7724f6183c9229686d3a3efff6eaae2874af0cdbd31f55bd840b194815e

Download Submit
C:\Windows\System32\MTAOrCu.exe

Filesize
1.6MB

MD5
d8dc88a3fbdc3cc712776ef08ca1ab9e

SHA1
31c9b3c597f32f15fc205e51445602acb5781b04

SHA256
e03fbbe7bc34a8f062fda2114493f22c1ff6db736ecdddb1f6942de8a50c64ab

SHA512
936fe804f49f2f693249ff15a5381691014087ffc346ead5c7999fd8dd11ae932602a75cc395c14b9de13d5e1b41c4dbc9ffb1e34417ff16edae6929aeeac708

Download Submit
C:\Windows\System32\MXRInKQ.exe

Filesize
1.5MB

MD5
a3b0382050f2bd5c20af781ba655d8e8

SHA1
f56f27d920d82f3a96b04e1164011fad38c24074

SHA256
e53d795199355dfc5de38ae0f236bedeb0ab23629b0593dfae84430112685857

SHA512
7fc763dec60c0505cf9f489d611694fb77eaed53dc6e4a7b1d36ae8eaac421b65ddad5dd2eda8732b7d6bafeb67b221c815907a9b507c05fb2eb8bfec8169227

Download Submit
C:\Windows\System32\MgkOnLy.exe

Filesize
1.5MB

MD5
26a6ee03c213cbbac493aad6b0060243

SHA1
96ef7a7529bdafe3a8d8ad5a395ddfbf6be5ad89

SHA256
9666138fc93a020e98ac52d278335545cd58b8fafa23f8e0a7752dbf21a348b4

SHA512
8d6a20b45e1b9e46f734829e8718ea7249dd364f2d529f5d62e7037bee88e087fef95d9d90b31eba5f9de769c7bb3619594902b3cd488a4e3c390cceea6ec350

Download Submit
C:\Windows\System32\MoasSXl.exe

Filesize
1.6MB

MD5
f25c554b21ae6059686b49821dd4ddf4

SHA1
60653ddf20c14ad2c30932f15c10e76a777f4c0e

SHA256
08d18168072138b766b31c85812a714b78a150c48689d000a7b0ad9805c412d4

SHA512
4cc00c58dbb9e49690d925a1facef0484c15eefca9423bcab23db137d1e016ffa76764d0c87e4063c644c31640d03d67bf786a3b5fecd0fe1eb0df9d291386b9

Download Submit
C:\Windows\System32\RzuPIei.exe

Filesize
1.6MB

MD5
2c4e541a92f48ded9369a1fd567e05bb

SHA1
12aa729e2c8bd08fd8c099626812cc73619c0c86

SHA256
6a4dc1ed8337b5e9162109a48aeb171c50dcd652b192fea040ff86977b62f989

SHA512
5c2d2dc6434984daf88e4b812de2a401228f6f8ca6945ea7b91414c22c310208e7775a080e1fd2e02b16690063dc4ee04d5cc7df415c0d3d6bc22085eac2c884

Download Submit
C:\Windows\System32\TrqDVug.exe

Filesize
1.5MB

MD5
5787d0add60f1eb07782771f9e892dfb

SHA1
f2b27bfcc81f2d999044e1acb6d4c4479dcceb70

SHA256
fffb0b593ae25f25c563e5bee5b2d8a98654b52574371be0e56874249763e67d

SHA512
5f49052e7fa16ff951f7f549a21f259fa385d58bf278cc58936612f0d21255b8278ac2c457f7a626491a634001672a53fede75256714852d21c77aa84278fc39

Download Submit
C:\Windows\System32\VRRkfqN.exe

Filesize
1.6MB

MD5
124bcfba3fad00d8f644fb6cb2c4b8af

SHA1
ceaca0b9dedecd2f91957752938a95a81da26cf0

SHA256
e1eb3be8943b94637b45cc340ffefd2e9f76a378304288f95f26878dd2abb77f

SHA512
2c98d8bd36130358f2ec612a6c34fbb7b9d25378381c5dc04c1f3cdf2609c1cafba20f122e835262d59c8ebdabb7444b6592b3eae9a8795273d6216525493a4d

Download Submit
C:\Windows\System32\WbKDIpZ.exe

Filesize
1.6MB

MD5
62b3d5c2515f4f8e4b6ba903263e3445

SHA1
a00b9bc1c5dff14339d4536432a5c9cc260401f3

SHA256
a8dc6548c6284aa289d3dcca4a1441a30027e7a60133f8164a9ec0b2f912c894

SHA512
3cda7da3328962e3e7f95dcad0019d4ea47c5db4e1f6e7e234b0408c00aecd3dfaf396a089a91dce0e83fc9ef2422ddf604949a6809aa9d8d5e435049a697d89

Download Submit
C:\Windows\System32\XwqMIMN.exe

Filesize
1.6MB

MD5
e2fd9340486d714b9203f7693ccbb26e

SHA1
a13bb9942c073cdbaa3113397878917088a80f61

SHA256
bdbc1490743aa2d2c368725c2e5e26c6b703c1a10d3ca35baa80d29587d40d81

SHA512
b9b3703369736a97e360076ed55fc856bd84a8cb430d76196a6d572d216734b67c357109ee16dc76622fa689b91ac68d6affcd0697cc3130f934b49f509b8aac

Download Submit
C:\Windows\System32\bPXojSE.exe

Filesize
1.6MB

MD5
8d8b06ba237780bbf8490ad93a82efa7

SHA1
aaad5e60a1f8e01a6db7072b29097a0ad7f25120

SHA256
3c9613bc1b2862e5216dddfb5bd8b61bdffa824b95c6822336da79b0a75c08a5

SHA512
e5f9e38bed68ed30843b6c58ce088343c71384eded75426a1434961f069ee28743cd22b425a34ea54b1c2aae56038cdfb956448c41d3ed59b187f8950fcedafd

Download Submit
C:\Windows\System32\cJDxpSW.exe

Filesize
1.6MB

MD5
4995a20fd29fc12313e5aeb4ce062592

SHA1
bbb8a2888f103d93d8937b5a62afb3745eb7033f

SHA256
37871dac4ae30c2b2f93f93b7b488beb98c75d6832e0afebcacae7784fbee3e9

SHA512
7f200900ea0c47f4c37ed1f9b868c74cae4eb9eb227c2b5ad626c7176e65019bfea7d3b8cdd197757889a3d082b5839d46087f9e54f09fe224489b7a998e3369

Download Submit
C:\Windows\System32\ekcddIN.exe

Filesize
1.5MB

MD5
33b269842fbb3d688439fc3584d4a9ce

SHA1
0751dc0b9a5d9ef98d2d8ea61ac8b5f9b842784a

SHA256
b20280b9b964ca65da2bf0aeb987e00e7e8aeb5bd2503220995c51569e592c74

SHA512
5e5837cd03300222a164c9bc4bb600fa8f44cd215232296db0b8ae356ec7029dd19c0681a50e4b553437c159242c9d7913ce2ea8d5b0aaa312f654d7092db466

Download Submit
C:\Windows\System32\etiXwVi.exe

Filesize
1.5MB

MD5
0c5a69d9fa73ac743b4e2bc692460f91

SHA1
77f206eb3ff1d9fe105319069be3e59520fdc540

SHA256
9077e4e474ddc4dd0319c2462f6fdd944dad1b418a1dae9e1b665126780f0f39

SHA512
24aeae7d1718bc47bd319b182c417bcacfaafdaab20436073350f473f499b2ad6f2a9077d3aeafc9c214454e868a08541c254027fcff747953f1f7b39f632117

Download Submit
C:\Windows\System32\fGXTrcV.exe

Filesize
1.6MB

MD5
485baefc35bc60bbdfab443ff0676943

SHA1
0018824c6a7a6e4f24ad12f2ac1fa799e0d4c95c

SHA256
934781d4588cca8f32c0ae55b93b72f8b6a6acc12638434715ab1a5e6e7558f9

SHA512
8e79eb598f652b6641790681c970987d7554f55bb6077e1b1bd353cbe6817ff879d1aecb1407a30cbbf7bd6af36b3e5e4e0fe7c5c8a3b433c8ddc2bd6b59f820

Download Submit
C:\Windows\System32\fhaemqi.exe

Filesize
1.6MB

MD5
8614f793e569ee51c1902bb2b80ff2b1

SHA1
0d74276195edbe72082ea5f11fa2c0d3488fb377

SHA256
d77b67ef156261b64b56947e739678f1007838d80a5659b3f2e4717e8d52dce7

SHA512
56168aafb74c8a1b398c434a431407d21bf58eb573a13615c376ce1f4d0045990816f1ce5f40a388d8a9f67adf3e2d6d831d3bb971319d974e4f0bcc752f377b

Download Submit
C:\Windows\System32\gRDyEwb.exe

Filesize
1.5MB

MD5
75625852ee2c1dfecd125df393fdc941

SHA1
edd7fd6423c99a8aaf44a31669fddbdbf18a0486

SHA256
b8f2bcc2d2ab0bdf9f6d49590a998c9eb921f8761c41a767f520ee4089a04035

SHA512
55d24cc3d5cdcef48ae570d4d74d34c5f20d05bb1759ffe5e3bbc549e5f5601a9353b525a41456b20dca3a10ea288daf2e449536680d50c9a24157ac50eb7bb2

Download Submit
C:\Windows\System32\ikWMJdE.exe

Filesize
1.5MB

MD5
f09b12309736b0d86cf9430e7753e8ad

SHA1
3febb7fbb91a47d1556e989c3f2085ba6a276b97

SHA256
ff2c82dff9efb3b851e6edff50379d02622f7c93151c8b92b54c7c9e9f33fda1

SHA512
c22ad9f94678aef0185fcc2ad17ff29637354fde3599af66a2ae69f6058c6742782eb21393e8318289843a8c0eec2d05b9eedbb19cdfa9684f142293853570ee

Download Submit
C:\Windows\System32\jnkYtUs.exe

Filesize
1.5MB

MD5
6a98d0ff173b9f01058758e5b524f43d

SHA1
759e258628b60cbe1de536087a8416395076e55d

SHA256
ce89311c87ad2168bcff12f713723ac5807d3f666d77e53a5c45c73b450b0d46

SHA512
7d65e451e47a2ec3ca7b19194e64e569e63a9c669e5ba7b2db52d7becd8f925e936812638fef83bce0cc5fd7d44998272042e224648986e1280fd1d92d2f6d36

Download Submit
C:\Windows\System32\lmoEIVM.exe

Filesize
1.6MB

MD5
da81756ae194550bfc335c3147940b0a

SHA1
480f060d1efb3c65104bca9dde37365603cece9b

SHA256
73063c8bf395c77fadec8ecb690992a81f23172df3a7fdbe6b516b555a635082

SHA512
48afe7be37ba98331cdfcfae47988202e1aaa4390f7863898bb3c0c77f7074ac680f592f223ac68734dcf8f253cc339db0c7389c64ff37514314748d50e5e3f7

Download Submit
C:\Windows\System32\qjlwUva.exe

Filesize
1.5MB

MD5
8cf1d8535e68a7168baf250f868b27f5

SHA1
c490a62f8de537805c66c03f174b1360b8426a73

SHA256
9cafcaed2f6592eefea5545a0086ce97db21221d135ff29252e0d6eb0d4d2f71

SHA512
08070606e0b8e5e6e5dfdd3badb66ea7193502dc0ab0abb6632dc992165c767449c548fdc68182855ae2a4817ec78072410f9381ae1c90c26da7cd29d6233d6d

Download Submit
C:\Windows\System32\rgfXczY.exe

Filesize
1.5MB

MD5
bcadf0651fd8ebf002fcdcb52c4b632d

SHA1
3b2ef0ac70134918a2e774443c79f74954b13bc6

SHA256
aa3463f36e8c600b1413150f03b0a13b4f0dc072888931e246938cbce028d456

SHA512
27751081ae74799cbe9b00f2716d39904195fae2c743947ef07d4f48c58843ec6c803afc48a5d406fceee8fc2213add910529f01cd3eac4d807e9840b6c8eca6

Download Submit
C:\Windows\System32\rkzdqXy.exe

Filesize
1.6MB

MD5
85758f86e9b034a9917bfe580a584b77

SHA1
d7e099b11eab44e551607dce99151eb8580be232

SHA256
3385bec44e20e5d3a7535c179b52e3bc5e9a3810cfe35382be17cc0010e85cbe

SHA512
2292c11a58589e4172bd8e1f8502d624aeb761ce5cf00adfdc06406aa2fa85c47d7522d467708f07842fdc1eaafd5e53b42ec4bf27177c07d32c695077a6f5b7

Download Submit
C:\Windows\System32\sAzLtKx.exe

Filesize
1.6MB

MD5
2fc2f65f49af0cb8f53bed622c1389d2

SHA1
109b3d1d4e09af25179d2caa43eea5addccc4024

SHA256
f3aa08240b19e321c5b981c7913cc8735a262dfd66a45d9e5c3d89c37d54ac16

SHA512
b9b244903ba5be2e4951acaeb3429a067cf3cdfafc85f51b82ab23a1a8798933d11a715cfc8d112d2ed0a40d9a276529d4b2270166071303aec4284d4f94b307

Download Submit
C:\Windows\System32\tlBKYSb.exe

Filesize
1.6MB

MD5
bb4479bc1e35cea3edbedc37189a56ff

SHA1
3f4282e82ed72b15a5ed085e4d4a3314d016f8ba

SHA256
a357081f6f93db31755dad3d9cdb2d71f56f2abca7d05104869bc9720ba95691

SHA512
3e1104a3d39953c2dd2291fe1156d2e6d0dde94e8617c9b9ea9115a283daa0a285c31e7eda9f51f48b8eeb9c2574ac36e818505c82535067d6e9a23f0c93c90c

Download Submit
C:\Windows\System32\uzdnPbG.exe

Filesize
1.5MB

MD5
f349590323b9104df565c4d828f4a930

SHA1
ad6cd056292a2ed79670aa745417ed66219243dc

SHA256
d1fcda150a4bad0531fc1e832d513ea22f2c6b4de24ac091f34f12ac07e5717b

SHA512
e211798fa0e04417dd94e7fb96ad6e499b9f3a0548de20d6395613d0793ad6731f711c73f9ddf16fe07e654f8675158761bedcaf403f865cf55406c939cdec16

Download Submit
C:\Windows\System32\xZgdheu.exe

Filesize
1.6MB

MD5
4877178ab108ff3492dc3a88ba1e648f

SHA1
b505167503320399c3c4882c306b9d667d990d15

SHA256
808ea7951955d8caf011361850d00e8ca7af53842563b032539b84c14d6db788

SHA512
f8e8b15db35a87b06e9d6f5db9e556f0b7ccbe983ac364b9264fa6e39057c197675ab127f9ad0b00d1a60e48c053b9ecb5eaf142a19622d392575cbe592807e2

Download Submit
C:\Windows\System32\yXIvIFM.exe

Filesize
1.5MB

MD5
cb48c8533ed6b6976afad4ad53ec3d38

SHA1
3e25ea2e062987d8c87e77454228fc78732f038c

SHA256
ef5c2fce34c10b2ff2da9c314649f13984768a42271f5c12ea89eebca0d29df6

SHA512
9aa0b7d302a06512e43f8867dc4c2dc4b41b63bec04d603456ad4012a99744f915f9dd86a8efb6e69d37baa9a710a4e9602fb57be71d393b29a5ab3321bf3e9b

Download Submit
memory/608-2049-0x00007FF6D75A0000-0x00007FF6D7991000-memory.dmp

Filesize
3.9MB

Download
memory/608-403-0x00007FF6D75A0000-0x00007FF6D7991000-memory.dmp

Filesize
3.9MB

Download
memory/720-2021-0x00007FF6A2170000-0x00007FF6A2561000-memory.dmp

Filesize
3.9MB

Download
memory/720-20-0x00007FF6A2170000-0x00007FF6A2561000-memory.dmp

Filesize
3.9MB

Download
memory/736-2000-0x00007FF660290000-0x00007FF660681000-memory.dmp

Filesize
3.9MB

Download
memory/736-0-0x00007FF660290000-0x00007FF660681000-memory.dmp

Filesize
3.9MB

Download
memory/736-1494-0x00007FF660290000-0x00007FF660681000-memory.dmp

Filesize
3.9MB

Download
memory/736-1-0x0000020B83920000-0x0000020B83930000-memory.dmp

Filesize
64KB

Download
memory/1108-414-0x00007FF6BF960000-0x00007FF6BFD51000-memory.dmp

Filesize
3.9MB

Download
memory/1108-2059-0x00007FF6BF960000-0x00007FF6BFD51000-memory.dmp

Filesize
3.9MB

Download
memory/1192-46-0x00007FF6162C0000-0x00007FF6166B1000-memory.dmp

Filesize
3.9MB

Download
memory/1192-1966-0x00007FF6162C0000-0x00007FF6166B1000-memory.dmp

Filesize
3.9MB

Download
memory/1192-2029-0x00007FF6162C0000-0x00007FF6166B1000-memory.dmp

Filesize
3.9MB

Download
memory/1292-1965-0x00007FF63E610000-0x00007FF63EA01000-memory.dmp

Filesize
3.9MB

Download
memory/1292-30-0x00007FF63E610000-0x00007FF63EA01000-memory.dmp

Filesize
3.9MB

Download
memory/1292-2027-0x00007FF63E610000-0x00007FF63EA01000-memory.dmp

Filesize
3.9MB

Download
memory/1428-423-0x00007FF6961F0000-0x00007FF6965E1000-memory.dmp

Filesize
3.9MB

Download
memory/1428-2064-0x00007FF6961F0000-0x00007FF6965E1000-memory.dmp

Filesize
3.9MB

Download
memory/1456-2031-0x00007FF6B7200000-0x00007FF6B75F1000-memory.dmp

Filesize
3.9MB

Download
memory/1456-39-0x00007FF6B7200000-0x00007FF6B75F1000-memory.dmp

Filesize
3.9MB

Download
memory/1468-58-0x00007FF7EC950000-0x00007FF7ECD41000-memory.dmp

Filesize
3.9MB

Download
memory/1468-2025-0x00007FF7EC950000-0x00007FF7ECD41000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2055-0x00007FF61CAE0000-0x00007FF61CED1000-memory.dmp

Filesize
3.9MB

Download
memory/2264-406-0x00007FF61CAE0000-0x00007FF61CED1000-memory.dmp

Filesize
3.9MB

Download
memory/2384-2043-0x00007FF64D4C0000-0x00007FF64D8B1000-memory.dmp

Filesize
3.9MB

Download
memory/2384-397-0x00007FF64D4C0000-0x00007FF64D8B1000-memory.dmp

Filesize
3.9MB

Download
memory/2392-29-0x00007FF61DA00000-0x00007FF61DDF1000-memory.dmp

Filesize
3.9MB

Download
memory/2392-2023-0x00007FF61DA00000-0x00007FF61DDF1000-memory.dmp

Filesize
3.9MB

Download
memory/2396-2047-0x00007FF638F50000-0x00007FF639341000-memory.dmp

Filesize
3.9MB

Download
memory/2396-402-0x00007FF638F50000-0x00007FF639341000-memory.dmp

Filesize
3.9MB

Download
memory/2548-419-0x00007FF7B4550000-0x00007FF7B4941000-memory.dmp

Filesize
3.9MB

Download
memory/2548-2061-0x00007FF7B4550000-0x00007FF7B4941000-memory.dmp

Filesize
3.9MB

Download
memory/2564-2019-0x00007FF61A370000-0x00007FF61A761000-memory.dmp

Filesize
3.9MB

Download
memory/2564-13-0x00007FF61A370000-0x00007FF61A761000-memory.dmp

Filesize
3.9MB

Download
memory/2636-398-0x00007FF6F33B0000-0x00007FF6F37A1000-memory.dmp

Filesize
3.9MB

Download
memory/2636-2041-0x00007FF6F33B0000-0x00007FF6F37A1000-memory.dmp

Filesize
3.9MB

Download
memory/2664-2037-0x00007FF7420E0000-0x00007FF7424D1000-memory.dmp

Filesize
3.9MB

Download
memory/2664-400-0x00007FF7420E0000-0x00007FF7424D1000-memory.dmp

Filesize
3.9MB

Download
memory/3556-2035-0x00007FF6568F0000-0x00007FF656CE1000-memory.dmp

Filesize
3.9MB

Download
memory/3556-62-0x00007FF6568F0000-0x00007FF656CE1000-memory.dmp

Filesize
3.9MB

Download
memory/3720-2053-0x00007FF7A0B50000-0x00007FF7A0F41000-memory.dmp

Filesize
3.9MB

Download
memory/3720-405-0x00007FF7A0B50000-0x00007FF7A0F41000-memory.dmp

Filesize
3.9MB

Download
memory/3908-404-0x00007FF726CE0000-0x00007FF7270D1000-memory.dmp

Filesize
3.9MB

Download
memory/3908-2051-0x00007FF726CE0000-0x00007FF7270D1000-memory.dmp

Filesize
3.9MB

Download
memory/4308-59-0x00007FF70DFB0000-0x00007FF70E3A1000-memory.dmp

Filesize
3.9MB

Download
memory/4308-2033-0x00007FF70DFB0000-0x00007FF70E3A1000-memory.dmp

Filesize
3.9MB

Download
memory/4336-407-0x00007FF7FB1A0000-0x00007FF7FB591000-memory.dmp

Filesize
3.9MB

Download
memory/4336-2057-0x00007FF7FB1A0000-0x00007FF7FB591000-memory.dmp

Filesize
3.9MB

Download
memory/4348-2017-0x00007FF7BC8F0000-0x00007FF7BCCE1000-memory.dmp

Filesize
3.9MB

Download
memory/4348-1496-0x00007FF7BC8F0000-0x00007FF7BCCE1000-memory.dmp

Filesize
3.9MB

Download
memory/4348-11-0x00007FF7BC8F0000-0x00007FF7BCCE1000-memory.dmp

Filesize
3.9MB

Download
memory/4744-2045-0x00007FF6F77B0000-0x00007FF6F7BA1000-memory.dmp

Filesize
3.9MB

Download
memory/4744-401-0x00007FF6F77B0000-0x00007FF6F7BA1000-memory.dmp

Filesize
3.9MB

Download
memory/4988-399-0x00007FF6D2B40000-0x00007FF6D2F31000-memory.dmp

Filesize
3.9MB

Download
memory/4988-2039-0x00007FF6D2B40000-0x00007FF6D2F31000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads