xmrig | 3587d9b2e79d59c8cf2acb8b89872993761b72148a47ead36033e523b1af2a9b

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2297b014210679aa3ee4fe25c19c14d0N.exe
Size

1.4MB
MD5

2297b014210679aa3ee4fe25c19c14d0
SHA1

45bbc9c28146d7e0f338ca71a9ea7a006021bd47
SHA256

3587d9b2e79d59c8cf2acb8b89872993761b72148a47ead36033e523b1af2a9b
SHA512

7380ed146155fdd465078d3c4ab870414e942e934793c1e764abf59d0d782b4c2fba5695776835d5d3d7bdbc9358002d893f034feee7259268f58ef50f94e9e5
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOyldYYz4wMHJj:knw9oUUEEDlGUh+hNMzC

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1984-44-0x00007FF651E80000-0x00007FF652271000-memory.dmp	xmrig
behavioral2/memory/3728-349-0x00007FF7D7B30000-0x00007FF7D7F21000-memory.dmp	xmrig
behavioral2/memory/4224-350-0x00007FF78FBC0000-0x00007FF78FFB1000-memory.dmp	xmrig
behavioral2/memory/1176-21-0x00007FF7ED2E0000-0x00007FF7ED6D1000-memory.dmp	xmrig
behavioral2/memory/1164-14-0x00007FF6D0A90000-0x00007FF6D0E81000-memory.dmp	xmrig
behavioral2/memory/1524-353-0x00007FF7CCE90000-0x00007FF7CD281000-memory.dmp	xmrig
behavioral2/memory/3028-356-0x00007FF7A3610000-0x00007FF7A3A01000-memory.dmp	xmrig
behavioral2/memory/5068-359-0x00007FF6B1A10000-0x00007FF6B1E01000-memory.dmp	xmrig
behavioral2/memory/1900-362-0x00007FF6561E0000-0x00007FF6565D1000-memory.dmp	xmrig
behavioral2/memory/2156-368-0x00007FF60FBB0000-0x00007FF60FFA1000-memory.dmp	xmrig
behavioral2/memory/2224-378-0x00007FF6022B0000-0x00007FF6026A1000-memory.dmp	xmrig
behavioral2/memory/3500-392-0x00007FF7AE8F0000-0x00007FF7AECE1000-memory.dmp	xmrig
behavioral2/memory/4840-399-0x00007FF6C1840000-0x00007FF6C1C31000-memory.dmp	xmrig
behavioral2/memory/1608-413-0x00007FF749610000-0x00007FF749A01000-memory.dmp	xmrig
behavioral2/memory/2088-446-0x00007FF7BFA30000-0x00007FF7BFE21000-memory.dmp	xmrig
behavioral2/memory/3604-436-0x00007FF7AB990000-0x00007FF7ABD81000-memory.dmp	xmrig
behavioral2/memory/564-429-0x00007FF6DE850000-0x00007FF6DEC41000-memory.dmp	xmrig
behavioral2/memory/2068-405-0x00007FF640270000-0x00007FF640661000-memory.dmp	xmrig
behavioral2/memory/4456-448-0x00007FF779840000-0x00007FF779C31000-memory.dmp	xmrig
behavioral2/memory/4604-452-0x00007FF710820000-0x00007FF710C11000-memory.dmp	xmrig
behavioral2/memory/2616-454-0x00007FF7D6E40000-0x00007FF7D7231000-memory.dmp	xmrig
behavioral2/memory/3484-456-0x00007FF6E3160000-0x00007FF6E3551000-memory.dmp	xmrig
behavioral2/memory/3976-1961-0x00007FF63D860000-0x00007FF63DC51000-memory.dmp	xmrig
behavioral2/memory/4888-1994-0x00007FF786830000-0x00007FF786C21000-memory.dmp	xmrig
behavioral2/memory/3232-1995-0x00007FF7A9DA0000-0x00007FF7AA191000-memory.dmp	xmrig
behavioral2/memory/1164-2001-0x00007FF6D0A90000-0x00007FF6D0E81000-memory.dmp	xmrig
behavioral2/memory/1176-2003-0x00007FF7ED2E0000-0x00007FF7ED6D1000-memory.dmp	xmrig
behavioral2/memory/4888-2005-0x00007FF786830000-0x00007FF786C21000-memory.dmp	xmrig
behavioral2/memory/3232-2009-0x00007FF7A9DA0000-0x00007FF7AA191000-memory.dmp	xmrig
behavioral2/memory/1984-2007-0x00007FF651E80000-0x00007FF652271000-memory.dmp	xmrig
behavioral2/memory/3728-2011-0x00007FF7D7B30000-0x00007FF7D7F21000-memory.dmp	xmrig
behavioral2/memory/2616-2013-0x00007FF7D6E40000-0x00007FF7D7231000-memory.dmp	xmrig
behavioral2/memory/4224-2015-0x00007FF78FBC0000-0x00007FF78FFB1000-memory.dmp	xmrig
behavioral2/memory/5068-2023-0x00007FF6B1A10000-0x00007FF6B1E01000-memory.dmp	xmrig
behavioral2/memory/1900-2027-0x00007FF6561E0000-0x00007FF6565D1000-memory.dmp	xmrig
behavioral2/memory/2156-2025-0x00007FF60FBB0000-0x00007FF60FFA1000-memory.dmp	xmrig
behavioral2/memory/3484-2019-0x00007FF6E3160000-0x00007FF6E3551000-memory.dmp	xmrig
behavioral2/memory/1524-2017-0x00007FF7CCE90000-0x00007FF7CD281000-memory.dmp	xmrig
behavioral2/memory/3028-2021-0x00007FF7A3610000-0x00007FF7A3A01000-memory.dmp	xmrig
behavioral2/memory/3604-2045-0x00007FF7AB990000-0x00007FF7ABD81000-memory.dmp	xmrig
behavioral2/memory/564-2047-0x00007FF6DE850000-0x00007FF6DEC41000-memory.dmp	xmrig
behavioral2/memory/2068-2035-0x00007FF640270000-0x00007FF640661000-memory.dmp	xmrig
behavioral2/memory/4456-2043-0x00007FF779840000-0x00007FF779C31000-memory.dmp	xmrig
behavioral2/memory/4604-2041-0x00007FF710820000-0x00007FF710C11000-memory.dmp	xmrig
behavioral2/memory/2088-2039-0x00007FF7BFA30000-0x00007FF7BFE21000-memory.dmp	xmrig
behavioral2/memory/4840-2037-0x00007FF6C1840000-0x00007FF6C1C31000-memory.dmp	xmrig
behavioral2/memory/3500-2029-0x00007FF7AE8F0000-0x00007FF7AECE1000-memory.dmp	xmrig
behavioral2/memory/1608-2033-0x00007FF749610000-0x00007FF749A01000-memory.dmp	xmrig
behavioral2/memory/2224-2031-0x00007FF6022B0000-0x00007FF6026A1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1164	bQUmuQe.exe
1176	sihXgup.exe
4888	qJIBcMS.exe
1984	VlWKMvT.exe
3232	fXcBZRV.exe
2616	kemyVJs.exe
3728	UzppNHw.exe
3484	XAloaUA.exe
4224	FbehPBV.exe
1524	ptTluBN.exe
3028	rZCrkUG.exe
5068	tNNoBPx.exe
1900	MPHrxxd.exe
2156	CoSLYMV.exe
2224	fmCMxKo.exe
3500	RGPmOkk.exe
4840	lhvSicE.exe
2068	kQqqrGi.exe
1608	RxQIAPO.exe
564	oXhIndy.exe
3604	BVkCJHe.exe
2088	zuseDTg.exe
4456	TVGpvuE.exe
4604	gcyUElz.exe
1220	RgFQyPG.exe
1540	MOPNqEW.exe
836	bGgTFCq.exe
2000	ILuKsbV.exe
1924	yVEnyZe.exe
3200	zkCpnOo.exe
1620	RRqryZa.exe
1464	asJTMLH.exe
1260	gMnhTYB.exe
3020	NPFIuAm.exe
4324	RQCdQPx.exe
2216	hlKIfUq.exe
1344	pVGmqJU.exe
1784	EiBaSxH.exe
1456	PMKYFWs.exe
3136	ohPUkfK.exe
1096	gxpzRBf.exe
4340	DKnefHI.exe
4528	xeTkYMe.exe
4172	EWrQqGr.exe
2252	OfZcwrv.exe
2964	zoAzqmv.exe
3668	OcVAcLu.exe
2896	BeJaBgB.exe
3704	aqznmfN.exe
220	DhoxuOm.exe
3384	VZxzwVq.exe
4832	BZLIyjg.exe
344	hfvDsyj.exe
4540	CYoEXbd.exe
4924	qKlBKyX.exe
3680	MBWmsNw.exe
796	mYLISbt.exe
4928	rnryPbc.exe
2504	FHxWKcN.exe
2320	AWLgWtT.exe
3612	HUVzzjz.exe
4360	cdlVQdx.exe
2124	TcVlEFG.exe
2912	RwYXdfD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3976-0-0x00007FF63D860000-0x00007FF63DC51000-memory.dmp	upx
behavioral2/files/0x00080000000234d9-4.dat	upx
behavioral2/files/0x00070000000234dd-10.dat	upx
behavioral2/files/0x00070000000234df-19.dat	upx
behavioral2/memory/1984-44-0x00007FF651E80000-0x00007FF652271000-memory.dmp	upx
behavioral2/files/0x00070000000234e4-53.dat	upx
behavioral2/files/0x00070000000234e3-52.dat	upx
behavioral2/files/0x00070000000234e8-69.dat	upx
behavioral2/files/0x00070000000234e9-76.dat	upx
behavioral2/files/0x00070000000234f3-126.dat	upx
behavioral2/files/0x00070000000234f5-136.dat	upx
behavioral2/files/0x00070000000234fb-164.dat	upx
behavioral2/memory/3728-349-0x00007FF7D7B30000-0x00007FF7D7F21000-memory.dmp	upx
behavioral2/files/0x00070000000234fa-161.dat	upx
behavioral2/files/0x00070000000234f9-156.dat	upx
behavioral2/files/0x00070000000234f8-151.dat	upx
behavioral2/files/0x00070000000234f7-146.dat	upx
behavioral2/files/0x00070000000234f6-141.dat	upx
behavioral2/files/0x00070000000234f4-131.dat	upx
behavioral2/files/0x00070000000234f2-121.dat	upx
behavioral2/files/0x00070000000234f1-116.dat	upx
behavioral2/files/0x00070000000234f0-111.dat	upx
behavioral2/files/0x00070000000234ef-106.dat	upx
behavioral2/files/0x00070000000234ee-101.dat	upx
behavioral2/files/0x00070000000234ed-96.dat	upx
behavioral2/files/0x00070000000234ec-94.dat	upx
behavioral2/files/0x00070000000234eb-89.dat	upx
behavioral2/files/0x00070000000234ea-81.dat	upx
behavioral2/files/0x00070000000234e7-66.dat	upx
behavioral2/memory/4224-350-0x00007FF78FBC0000-0x00007FF78FFB1000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-61.dat	upx
behavioral2/files/0x00070000000234e5-56.dat	upx
behavioral2/files/0x00070000000234e2-41.dat	upx
behavioral2/files/0x00070000000234e1-40.dat	upx
behavioral2/files/0x00070000000234e0-36.dat	upx
behavioral2/memory/3232-29-0x00007FF7A9DA0000-0x00007FF7AA191000-memory.dmp	upx
behavioral2/memory/4888-25-0x00007FF786830000-0x00007FF786C21000-memory.dmp	upx
behavioral2/files/0x00070000000234de-23.dat	upx
behavioral2/memory/1176-21-0x00007FF7ED2E0000-0x00007FF7ED6D1000-memory.dmp	upx
behavioral2/memory/1164-14-0x00007FF6D0A90000-0x00007FF6D0E81000-memory.dmp	upx
behavioral2/memory/1524-353-0x00007FF7CCE90000-0x00007FF7CD281000-memory.dmp	upx
behavioral2/memory/3028-356-0x00007FF7A3610000-0x00007FF7A3A01000-memory.dmp	upx
behavioral2/memory/5068-359-0x00007FF6B1A10000-0x00007FF6B1E01000-memory.dmp	upx
behavioral2/memory/1900-362-0x00007FF6561E0000-0x00007FF6565D1000-memory.dmp	upx
behavioral2/memory/2156-368-0x00007FF60FBB0000-0x00007FF60FFA1000-memory.dmp	upx
behavioral2/memory/2224-378-0x00007FF6022B0000-0x00007FF6026A1000-memory.dmp	upx
behavioral2/memory/3500-392-0x00007FF7AE8F0000-0x00007FF7AECE1000-memory.dmp	upx
behavioral2/memory/4840-399-0x00007FF6C1840000-0x00007FF6C1C31000-memory.dmp	upx
behavioral2/memory/1608-413-0x00007FF749610000-0x00007FF749A01000-memory.dmp	upx
behavioral2/memory/2088-446-0x00007FF7BFA30000-0x00007FF7BFE21000-memory.dmp	upx
behavioral2/memory/3604-436-0x00007FF7AB990000-0x00007FF7ABD81000-memory.dmp	upx
behavioral2/memory/564-429-0x00007FF6DE850000-0x00007FF6DEC41000-memory.dmp	upx
behavioral2/memory/2068-405-0x00007FF640270000-0x00007FF640661000-memory.dmp	upx
behavioral2/memory/4456-448-0x00007FF779840000-0x00007FF779C31000-memory.dmp	upx
behavioral2/memory/4604-452-0x00007FF710820000-0x00007FF710C11000-memory.dmp	upx
behavioral2/memory/2616-454-0x00007FF7D6E40000-0x00007FF7D7231000-memory.dmp	upx
behavioral2/memory/3484-456-0x00007FF6E3160000-0x00007FF6E3551000-memory.dmp	upx
behavioral2/memory/3976-1961-0x00007FF63D860000-0x00007FF63DC51000-memory.dmp	upx
behavioral2/memory/4888-1994-0x00007FF786830000-0x00007FF786C21000-memory.dmp	upx
behavioral2/memory/3232-1995-0x00007FF7A9DA0000-0x00007FF7AA191000-memory.dmp	upx
behavioral2/memory/1164-2001-0x00007FF6D0A90000-0x00007FF6D0E81000-memory.dmp	upx
behavioral2/memory/1176-2003-0x00007FF7ED2E0000-0x00007FF7ED6D1000-memory.dmp	upx
behavioral2/memory/4888-2005-0x00007FF786830000-0x00007FF786C21000-memory.dmp	upx
behavioral2/memory/3232-2009-0x00007FF7A9DA0000-0x00007FF7AA191000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\HJIeYJo.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\hlKIfUq.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\GMflLPU.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\MsaFYPL.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\GyxamYv.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\beuAabR.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\lLmRKhA.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\qiyqWYF.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\liCkisF.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\dpPYjyb.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\BaMrIIY.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\JzBiTdd.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\jRtyyTt.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\QmRtjkz.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\iYrujES.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\sitzVBo.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\CsHQOAP.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\tprIpUZ.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\HNTKFVb.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\dABvqPI.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\aqVokcn.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\ynYkJDw.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\MhcpwPl.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\XGtXztY.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\kKNMWuA.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\ZJaMSHz.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\fLrpmbB.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\jaHEdHU.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\MPoXusH.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\VIydBHT.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\jcMMGoY.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\RQCdQPx.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\xpAhxSE.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\MqJCTlE.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\HviSzFN.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\GKLZGct.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\OCrLxQu.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\esZYKoC.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\LiJNvsU.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\JpzPaQs.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\MAPjyWp.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\xRvicTc.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\fmCMxKo.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\NIrcnry.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\TcWwWRd.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\RRqryZa.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\hIrPHwl.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\ICZZAzh.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\gqoxRWC.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\uqZgGFU.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\MoRDDhy.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\jXeYxYI.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\mlttZYg.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\yWtazcG.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\gfJGdoM.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\OxsGbsA.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\yXxtyQI.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\fltappI.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\GfaMjsz.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\MXUWNqb.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\elVBmsZ.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\amRmerB.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\NFNQsIp.exe	2297b014210679aa3ee4fe25c19c14d0N.exe
File created	C:\Windows\System32\qlzzjuU.exe	2297b014210679aa3ee4fe25c19c14d0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	6060	dwm.exe
Token: SeChangeNotifyPrivilege	6060	dwm.exe
Token: 33	6060	dwm.exe
Token: SeIncBasePriorityPrivilege	6060	dwm.exe
Token: SeShutdownPrivilege	6060	dwm.exe
Token: SeCreatePagefilePrivilege	6060	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 1164	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	85
PID 3976 wrote to memory of 1164	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	85
PID 3976 wrote to memory of 1176	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	86
PID 3976 wrote to memory of 1176	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	86
PID 3976 wrote to memory of 4888	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	87
PID 3976 wrote to memory of 4888	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	87
PID 3976 wrote to memory of 1984	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	88
PID 3976 wrote to memory of 1984	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	88
PID 3976 wrote to memory of 3232	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	89
PID 3976 wrote to memory of 3232	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	89
PID 3976 wrote to memory of 2616	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	90
PID 3976 wrote to memory of 2616	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	90
PID 3976 wrote to memory of 3728	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	91
PID 3976 wrote to memory of 3728	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	91
PID 3976 wrote to memory of 3484	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	92
PID 3976 wrote to memory of 3484	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	92
PID 3976 wrote to memory of 4224	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	93
PID 3976 wrote to memory of 4224	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	93
PID 3976 wrote to memory of 1524	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	94
PID 3976 wrote to memory of 1524	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	94
PID 3976 wrote to memory of 3028	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	95
PID 3976 wrote to memory of 3028	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	95
PID 3976 wrote to memory of 5068	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	96
PID 3976 wrote to memory of 5068	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	96
PID 3976 wrote to memory of 1900	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	97
PID 3976 wrote to memory of 1900	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	97
PID 3976 wrote to memory of 2156	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	98
PID 3976 wrote to memory of 2156	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	98
PID 3976 wrote to memory of 2224	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	99
PID 3976 wrote to memory of 2224	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	99
PID 3976 wrote to memory of 3500	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	100
PID 3976 wrote to memory of 3500	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	100
PID 3976 wrote to memory of 4840	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	101
PID 3976 wrote to memory of 4840	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	101
PID 3976 wrote to memory of 2068	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	102
PID 3976 wrote to memory of 2068	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	102
PID 3976 wrote to memory of 1608	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	103
PID 3976 wrote to memory of 1608	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	103
PID 3976 wrote to memory of 564	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	104
PID 3976 wrote to memory of 564	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	104
PID 3976 wrote to memory of 3604	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	105
PID 3976 wrote to memory of 3604	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	105
PID 3976 wrote to memory of 2088	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	106
PID 3976 wrote to memory of 2088	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	106
PID 3976 wrote to memory of 4456	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	107
PID 3976 wrote to memory of 4456	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	107
PID 3976 wrote to memory of 4604	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	108
PID 3976 wrote to memory of 4604	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	108
PID 3976 wrote to memory of 1220	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	109
PID 3976 wrote to memory of 1220	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	109
PID 3976 wrote to memory of 1540	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	110
PID 3976 wrote to memory of 1540	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	110
PID 3976 wrote to memory of 836	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	111
PID 3976 wrote to memory of 836	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	111
PID 3976 wrote to memory of 2000	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	112
PID 3976 wrote to memory of 2000	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	112
PID 3976 wrote to memory of 1924	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	113
PID 3976 wrote to memory of 1924	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	113
PID 3976 wrote to memory of 3200	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	114
PID 3976 wrote to memory of 3200	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	114
PID 3976 wrote to memory of 1620	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	115
PID 3976 wrote to memory of 1620	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	115
PID 3976 wrote to memory of 1464	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	116
PID 3976 wrote to memory of 1464	3976	2297b014210679aa3ee4fe25c19c14d0N.exe	116

C:\Users\Admin\AppData\Local\Temp\2297b014210679aa3ee4fe25c19c14d0N.exe
"C:\Users\Admin\AppData\Local\Temp\2297b014210679aa3ee4fe25c19c14d0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\System32\bQUmuQe.exe
  C:\Windows\System32\bQUmuQe.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\sihXgup.exe
  C:\Windows\System32\sihXgup.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System32\qJIBcMS.exe
  C:\Windows\System32\qJIBcMS.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System32\VlWKMvT.exe
  C:\Windows\System32\VlWKMvT.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\fXcBZRV.exe
  C:\Windows\System32\fXcBZRV.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System32\kemyVJs.exe
  C:\Windows\System32\kemyVJs.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System32\UzppNHw.exe
  C:\Windows\System32\UzppNHw.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System32\XAloaUA.exe
  C:\Windows\System32\XAloaUA.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\FbehPBV.exe
  C:\Windows\System32\FbehPBV.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\ptTluBN.exe
  C:\Windows\System32\ptTluBN.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System32\rZCrkUG.exe
  C:\Windows\System32\rZCrkUG.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\tNNoBPx.exe
  C:\Windows\System32\tNNoBPx.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\MPHrxxd.exe
  C:\Windows\System32\MPHrxxd.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System32\CoSLYMV.exe
  C:\Windows\System32\CoSLYMV.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System32\fmCMxKo.exe
  C:\Windows\System32\fmCMxKo.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System32\RGPmOkk.exe
  C:\Windows\System32\RGPmOkk.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\lhvSicE.exe
  C:\Windows\System32\lhvSicE.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\kQqqrGi.exe
  C:\Windows\System32\kQqqrGi.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\RxQIAPO.exe
  C:\Windows\System32\RxQIAPO.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\oXhIndy.exe
  C:\Windows\System32\oXhIndy.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\System32\BVkCJHe.exe
  C:\Windows\System32\BVkCJHe.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System32\zuseDTg.exe
  C:\Windows\System32\zuseDTg.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System32\TVGpvuE.exe
  C:\Windows\System32\TVGpvuE.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\gcyUElz.exe
  C:\Windows\System32\gcyUElz.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System32\RgFQyPG.exe
  C:\Windows\System32\RgFQyPG.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System32\MOPNqEW.exe
  C:\Windows\System32\MOPNqEW.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\bGgTFCq.exe
  C:\Windows\System32\bGgTFCq.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System32\ILuKsbV.exe
  C:\Windows\System32\ILuKsbV.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System32\yVEnyZe.exe
  C:\Windows\System32\yVEnyZe.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\zkCpnOo.exe
  C:\Windows\System32\zkCpnOo.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System32\RRqryZa.exe
  C:\Windows\System32\RRqryZa.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\asJTMLH.exe
  C:\Windows\System32\asJTMLH.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System32\gMnhTYB.exe
  C:\Windows\System32\gMnhTYB.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System32\NPFIuAm.exe
  C:\Windows\System32\NPFIuAm.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System32\RQCdQPx.exe
  C:\Windows\System32\RQCdQPx.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System32\hlKIfUq.exe
  C:\Windows\System32\hlKIfUq.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\pVGmqJU.exe
  C:\Windows\System32\pVGmqJU.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System32\EiBaSxH.exe
  C:\Windows\System32\EiBaSxH.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System32\PMKYFWs.exe
  C:\Windows\System32\PMKYFWs.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System32\ohPUkfK.exe
  C:\Windows\System32\ohPUkfK.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System32\gxpzRBf.exe
  C:\Windows\System32\gxpzRBf.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System32\DKnefHI.exe
  C:\Windows\System32\DKnefHI.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\xeTkYMe.exe
  C:\Windows\System32\xeTkYMe.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\EWrQqGr.exe
  C:\Windows\System32\EWrQqGr.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System32\OfZcwrv.exe
  C:\Windows\System32\OfZcwrv.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System32\zoAzqmv.exe
  C:\Windows\System32\zoAzqmv.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\OcVAcLu.exe
  C:\Windows\System32\OcVAcLu.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System32\BeJaBgB.exe
  C:\Windows\System32\BeJaBgB.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\aqznmfN.exe
  C:\Windows\System32\aqznmfN.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\DhoxuOm.exe
  C:\Windows\System32\DhoxuOm.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System32\VZxzwVq.exe
  C:\Windows\System32\VZxzwVq.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System32\BZLIyjg.exe
  C:\Windows\System32\BZLIyjg.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System32\hfvDsyj.exe
  C:\Windows\System32\hfvDsyj.exe
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Windows\System32\CYoEXbd.exe
  C:\Windows\System32\CYoEXbd.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System32\qKlBKyX.exe
  C:\Windows\System32\qKlBKyX.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\MBWmsNw.exe
  C:\Windows\System32\MBWmsNw.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System32\mYLISbt.exe
  C:\Windows\System32\mYLISbt.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System32\rnryPbc.exe
  C:\Windows\System32\rnryPbc.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\FHxWKcN.exe
  C:\Windows\System32\FHxWKcN.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System32\AWLgWtT.exe
  C:\Windows\System32\AWLgWtT.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System32\HUVzzjz.exe
  C:\Windows\System32\HUVzzjz.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System32\cdlVQdx.exe
  C:\Windows\System32\cdlVQdx.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\TcVlEFG.exe
  C:\Windows\System32\TcVlEFG.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System32\RwYXdfD.exe
  C:\Windows\System32\RwYXdfD.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\JXIlroB.exe
  C:\Windows\System32\JXIlroB.exe
  2⤵
  PID:5028
- C:\Windows\System32\IAiHpmf.exe
  C:\Windows\System32\IAiHpmf.exe
  2⤵
  PID:3140
- C:\Windows\System32\LDtzeGU.exe
  C:\Windows\System32\LDtzeGU.exe
  2⤵
  PID:1940
- C:\Windows\System32\utpikwP.exe
  C:\Windows\System32\utpikwP.exe
  2⤵
  PID:2920
- C:\Windows\System32\tFDPgcR.exe
  C:\Windows\System32\tFDPgcR.exe
  2⤵
  PID:820
- C:\Windows\System32\cODnZBv.exe
  C:\Windows\System32\cODnZBv.exe
  2⤵
  PID:4260
- C:\Windows\System32\dABvqPI.exe
  C:\Windows\System32\dABvqPI.exe
  2⤵
  PID:368
- C:\Windows\System32\uMtWpkm.exe
  C:\Windows\System32\uMtWpkm.exe
  2⤵
  PID:4348
- C:\Windows\System32\QgnqARU.exe
  C:\Windows\System32\QgnqARU.exe
  2⤵
  PID:2924
- C:\Windows\System32\lUleFRN.exe
  C:\Windows\System32\lUleFRN.exe
  2⤵
  PID:4964
- C:\Windows\System32\ECswxLC.exe
  C:\Windows\System32\ECswxLC.exe
  2⤵
  PID:4600
- C:\Windows\System32\ZtzTQDN.exe
  C:\Windows\System32\ZtzTQDN.exe
  2⤵
  PID:1872
- C:\Windows\System32\wjVTRkh.exe
  C:\Windows\System32\wjVTRkh.exe
  2⤵
  PID:2288
- C:\Windows\System32\NlZkXUM.exe
  C:\Windows\System32\NlZkXUM.exe
  2⤵
  PID:1424
- C:\Windows\System32\bfQiMdA.exe
  C:\Windows\System32\bfQiMdA.exe
  2⤵
  PID:4512
- C:\Windows\System32\dKdkKmC.exe
  C:\Windows\System32\dKdkKmC.exe
  2⤵
  PID:4320
- C:\Windows\System32\hIrPHwl.exe
  C:\Windows\System32\hIrPHwl.exe
  2⤵
  PID:1320
- C:\Windows\System32\oPdslYA.exe
  C:\Windows\System32\oPdslYA.exe
  2⤵
  PID:2384
- C:\Windows\System32\tOtZvpL.exe
  C:\Windows\System32\tOtZvpL.exe
  2⤵
  PID:1432
- C:\Windows\System32\QtRjZRu.exe
  C:\Windows\System32\QtRjZRu.exe
  2⤵
  PID:792
- C:\Windows\System32\JyYtlKN.exe
  C:\Windows\System32\JyYtlKN.exe
  2⤵
  PID:3016
- C:\Windows\System32\Xuoxbsl.exe
  C:\Windows\System32\Xuoxbsl.exe
  2⤵
  PID:4816
- C:\Windows\System32\rCjqYgr.exe
  C:\Windows\System32\rCjqYgr.exe
  2⤵
  PID:3636
- C:\Windows\System32\DdYIhBl.exe
  C:\Windows\System32\DdYIhBl.exe
  2⤵
  PID:3688
- C:\Windows\System32\qDuArtc.exe
  C:\Windows\System32\qDuArtc.exe
  2⤵
  PID:2968
- C:\Windows\System32\MXUWNqb.exe
  C:\Windows\System32\MXUWNqb.exe
  2⤵
  PID:4196
- C:\Windows\System32\gloLNfc.exe
  C:\Windows\System32\gloLNfc.exe
  2⤵
  PID:2916
- C:\Windows\System32\uhRfQcM.exe
  C:\Windows\System32\uhRfQcM.exe
  2⤵
  PID:4228
- C:\Windows\System32\CZcFUsz.exe
  C:\Windows\System32\CZcFUsz.exe
  2⤵
  PID:4316
- C:\Windows\System32\kjBhHkq.exe
  C:\Windows\System32\kjBhHkq.exe
  2⤵
  PID:4288
- C:\Windows\System32\yiLLJhY.exe
  C:\Windows\System32\yiLLJhY.exe
  2⤵
  PID:4988
- C:\Windows\System32\VIIWSFF.exe
  C:\Windows\System32\VIIWSFF.exe
  2⤵
  PID:4768
- C:\Windows\System32\jRtyyTt.exe
  C:\Windows\System32\jRtyyTt.exe
  2⤵
  PID:3960
- C:\Windows\System32\idkuRVb.exe
  C:\Windows\System32\idkuRVb.exe
  2⤵
  PID:1944
- C:\Windows\System32\AaJBGVP.exe
  C:\Windows\System32\AaJBGVP.exe
  2⤵
  PID:2040
- C:\Windows\System32\OTPpIUQ.exe
  C:\Windows\System32\OTPpIUQ.exe
  2⤵
  PID:5084
- C:\Windows\System32\ycBUFON.exe
  C:\Windows\System32\ycBUFON.exe
  2⤵
  PID:3208
- C:\Windows\System32\UdyQgxc.exe
  C:\Windows\System32\UdyQgxc.exe
  2⤵
  PID:4712
- C:\Windows\System32\mlZqxPR.exe
  C:\Windows\System32\mlZqxPR.exe
  2⤵
  PID:5040
- C:\Windows\System32\hkVXuGI.exe
  C:\Windows\System32\hkVXuGI.exe
  2⤵
  PID:4480
- C:\Windows\System32\OfsHmiS.exe
  C:\Windows\System32\OfsHmiS.exe
  2⤵
  PID:4548
- C:\Windows\System32\aLcgmtR.exe
  C:\Windows\System32\aLcgmtR.exe
  2⤵
  PID:320
- C:\Windows\System32\ZEFZWZb.exe
  C:\Windows\System32\ZEFZWZb.exe
  2⤵
  PID:5124
- C:\Windows\System32\DvwSEnz.exe
  C:\Windows\System32\DvwSEnz.exe
  2⤵
  PID:5148
- C:\Windows\System32\YOuKLKr.exe
  C:\Windows\System32\YOuKLKr.exe
  2⤵
  PID:5164
- C:\Windows\System32\waRvwrq.exe
  C:\Windows\System32\waRvwrq.exe
  2⤵
  PID:5192
- C:\Windows\System32\ivvOUVY.exe
  C:\Windows\System32\ivvOUVY.exe
  2⤵
  PID:5212
- C:\Windows\System32\hovwRNs.exe
  C:\Windows\System32\hovwRNs.exe
  2⤵
  PID:5232
- C:\Windows\System32\TXYVsDT.exe
  C:\Windows\System32\TXYVsDT.exe
  2⤵
  PID:5252
- C:\Windows\System32\QXQVvwz.exe
  C:\Windows\System32\QXQVvwz.exe
  2⤵
  PID:5332
- C:\Windows\System32\dlVLWaS.exe
  C:\Windows\System32\dlVLWaS.exe
  2⤵
  PID:5352
- C:\Windows\System32\FmMolCu.exe
  C:\Windows\System32\FmMolCu.exe
  2⤵
  PID:5396
- C:\Windows\System32\NKDxwHw.exe
  C:\Windows\System32\NKDxwHw.exe
  2⤵
  PID:5416
- C:\Windows\System32\PexIFPo.exe
  C:\Windows\System32\PexIFPo.exe
  2⤵
  PID:5444
- C:\Windows\System32\YbcFvhG.exe
  C:\Windows\System32\YbcFvhG.exe
  2⤵
  PID:5468
- C:\Windows\System32\Bpjnsuu.exe
  C:\Windows\System32\Bpjnsuu.exe
  2⤵
  PID:5508
- C:\Windows\System32\CTrTrnP.exe
  C:\Windows\System32\CTrTrnP.exe
  2⤵
  PID:5528
- C:\Windows\System32\LicuuIW.exe
  C:\Windows\System32\LicuuIW.exe
  2⤵
  PID:5548
- C:\Windows\System32\SbSOfHM.exe
  C:\Windows\System32\SbSOfHM.exe
  2⤵
  PID:5568
- C:\Windows\System32\esZYKoC.exe
  C:\Windows\System32\esZYKoC.exe
  2⤵
  PID:5596
- C:\Windows\System32\EfTrgon.exe
  C:\Windows\System32\EfTrgon.exe
  2⤵
  PID:5680
- C:\Windows\System32\rgDwXhH.exe
  C:\Windows\System32\rgDwXhH.exe
  2⤵
  PID:5732
- C:\Windows\System32\QcbBscG.exe
  C:\Windows\System32\QcbBscG.exe
  2⤵
  PID:5776
- C:\Windows\System32\PukyHHt.exe
  C:\Windows\System32\PukyHHt.exe
  2⤵
  PID:5824
- C:\Windows\System32\tarnnGD.exe
  C:\Windows\System32\tarnnGD.exe
  2⤵
  PID:5848
- C:\Windows\System32\bRLOuYG.exe
  C:\Windows\System32\bRLOuYG.exe
  2⤵
  PID:5868
- C:\Windows\System32\UsbcuNp.exe
  C:\Windows\System32\UsbcuNp.exe
  2⤵
  PID:5888
- C:\Windows\System32\zdzQPkX.exe
  C:\Windows\System32\zdzQPkX.exe
  2⤵
  PID:5920
- C:\Windows\System32\pCGtHjf.exe
  C:\Windows\System32\pCGtHjf.exe
  2⤵
  PID:6000
- C:\Windows\System32\gyhhVQe.exe
  C:\Windows\System32\gyhhVQe.exe
  2⤵
  PID:6016
- C:\Windows\System32\OYDciel.exe
  C:\Windows\System32\OYDciel.exe
  2⤵
  PID:6044
- C:\Windows\System32\waVjCjb.exe
  C:\Windows\System32\waVjCjb.exe
  2⤵
  PID:6076
- C:\Windows\System32\QmRtjkz.exe
  C:\Windows\System32\QmRtjkz.exe
  2⤵
  PID:6116
- C:\Windows\System32\ziuTqei.exe
  C:\Windows\System32\ziuTqei.exe
  2⤵
  PID:6132
- C:\Windows\System32\UeWNQnk.exe
  C:\Windows\System32\UeWNQnk.exe
  2⤵
  PID:5072
- C:\Windows\System32\jOrXDxl.exe
  C:\Windows\System32\jOrXDxl.exe
  2⤵
  PID:1356
- C:\Windows\System32\SlLvWvk.exe
  C:\Windows\System32\SlLvWvk.exe
  2⤵
  PID:5172
- C:\Windows\System32\hrBLpXW.exe
  C:\Windows\System32\hrBLpXW.exe
  2⤵
  PID:2888
- C:\Windows\System32\LwrhVnv.exe
  C:\Windows\System32\LwrhVnv.exe
  2⤵
  PID:5204
- C:\Windows\System32\JhPyrxS.exe
  C:\Windows\System32\JhPyrxS.exe
  2⤵
  PID:5344
- C:\Windows\System32\GDiGfnV.exe
  C:\Windows\System32\GDiGfnV.exe
  2⤵
  PID:5536
- C:\Windows\System32\OtzdVaw.exe
  C:\Windows\System32\OtzdVaw.exe
  2⤵
  PID:5412
- C:\Windows\System32\vKDbbqP.exe
  C:\Windows\System32\vKDbbqP.exe
  2⤵
  PID:5580
- C:\Windows\System32\UEsEOEq.exe
  C:\Windows\System32\UEsEOEq.exe
  2⤵
  PID:5560
- C:\Windows\System32\FzkECir.exe
  C:\Windows\System32\FzkECir.exe
  2⤵
  PID:5752
- C:\Windows\System32\xnWVTcG.exe
  C:\Windows\System32\xnWVTcG.exe
  2⤵
  PID:5800
- C:\Windows\System32\rYxNlEj.exe
  C:\Windows\System32\rYxNlEj.exe
  2⤵
  PID:5836
- C:\Windows\System32\ZwaLEWi.exe
  C:\Windows\System32\ZwaLEWi.exe
  2⤵
  PID:3964
- C:\Windows\System32\pWJBkCO.exe
  C:\Windows\System32\pWJBkCO.exe
  2⤵
  PID:5908
- C:\Windows\System32\zfsucdb.exe
  C:\Windows\System32\zfsucdb.exe
  2⤵
  PID:5996
- C:\Windows\System32\UWNrvZM.exe
  C:\Windows\System32\UWNrvZM.exe
  2⤵
  PID:5308
- C:\Windows\System32\abRCnUv.exe
  C:\Windows\System32\abRCnUv.exe
  2⤵
  PID:6112
- C:\Windows\System32\MoRDDhy.exe
  C:\Windows\System32\MoRDDhy.exe
  2⤵
  PID:5176
- C:\Windows\System32\mmLqWQT.exe
  C:\Windows\System32\mmLqWQT.exe
  2⤵
  PID:4516
- C:\Windows\System32\fgWgSrt.exe
  C:\Windows\System32\fgWgSrt.exe
  2⤵
  PID:5340
- C:\Windows\System32\rebxUwk.exe
  C:\Windows\System32\rebxUwk.exe
  2⤵
  PID:5524
- C:\Windows\System32\DShMsQa.exe
  C:\Windows\System32\DShMsQa.exe
  2⤵
  PID:5620
- C:\Windows\System32\Lpbbtrh.exe
  C:\Windows\System32\Lpbbtrh.exe
  2⤵
  PID:5704
- C:\Windows\System32\aqVokcn.exe
  C:\Windows\System32\aqVokcn.exe
  2⤵
  PID:6052
- C:\Windows\System32\wmtrxzW.exe
  C:\Windows\System32\wmtrxzW.exe
  2⤵
  PID:2084
- C:\Windows\System32\eeQixYg.exe
  C:\Windows\System32\eeQixYg.exe
  2⤵
  PID:5280
- C:\Windows\System32\hfuLNbh.exe
  C:\Windows\System32\hfuLNbh.exe
  2⤵
  PID:5716
- C:\Windows\System32\yWKxFjC.exe
  C:\Windows\System32\yWKxFjC.exe
  2⤵
  PID:5264
- C:\Windows\System32\ZiYyxmv.exe
  C:\Windows\System32\ZiYyxmv.exe
  2⤵
  PID:5432
- C:\Windows\System32\QxaJlrO.exe
  C:\Windows\System32\QxaJlrO.exe
  2⤵
  PID:6012
- C:\Windows\System32\UiKETIg.exe
  C:\Windows\System32\UiKETIg.exe
  2⤵
  PID:6188
- C:\Windows\System32\ERDBhDn.exe
  C:\Windows\System32\ERDBhDn.exe
  2⤵
  PID:6208
- C:\Windows\System32\XkExaSz.exe
  C:\Windows\System32\XkExaSz.exe
  2⤵
  PID:6232
- C:\Windows\System32\EYCgqlA.exe
  C:\Windows\System32\EYCgqlA.exe
  2⤵
  PID:6272
- C:\Windows\System32\elVBmsZ.exe
  C:\Windows\System32\elVBmsZ.exe
  2⤵
  PID:6292
- C:\Windows\System32\LDMPvmN.exe
  C:\Windows\System32\LDMPvmN.exe
  2⤵
  PID:6308
- C:\Windows\System32\wQSunWN.exe
  C:\Windows\System32\wQSunWN.exe
  2⤵
  PID:6352
- C:\Windows\System32\sZEBixe.exe
  C:\Windows\System32\sZEBixe.exe
  2⤵
  PID:6380
- C:\Windows\System32\BcxcSTP.exe
  C:\Windows\System32\BcxcSTP.exe
  2⤵
  PID:6396
- C:\Windows\System32\tMUWMIE.exe
  C:\Windows\System32\tMUWMIE.exe
  2⤵
  PID:6416
- C:\Windows\System32\mfEasIg.exe
  C:\Windows\System32\mfEasIg.exe
  2⤵
  PID:6448
- C:\Windows\System32\ccXgBdu.exe
  C:\Windows\System32\ccXgBdu.exe
  2⤵
  PID:6480
- C:\Windows\System32\dRPBpyz.exe
  C:\Windows\System32\dRPBpyz.exe
  2⤵
  PID:6500
- C:\Windows\System32\fpKSTfi.exe
  C:\Windows\System32\fpKSTfi.exe
  2⤵
  PID:6524
- C:\Windows\System32\MrrjaLO.exe
  C:\Windows\System32\MrrjaLO.exe
  2⤵
  PID:6548
- C:\Windows\System32\jXhvDFV.exe
  C:\Windows\System32\jXhvDFV.exe
  2⤵
  PID:6588
- C:\Windows\System32\WTcqTRy.exe
  C:\Windows\System32\WTcqTRy.exe
  2⤵
  PID:6636
- C:\Windows\System32\OFnNZPw.exe
  C:\Windows\System32\OFnNZPw.exe
  2⤵
  PID:6652
- C:\Windows\System32\MbhNwlG.exe
  C:\Windows\System32\MbhNwlG.exe
  2⤵
  PID:6680
- C:\Windows\System32\hFlyiIS.exe
  C:\Windows\System32\hFlyiIS.exe
  2⤵
  PID:6716
- C:\Windows\System32\kHwUCCE.exe
  C:\Windows\System32\kHwUCCE.exe
  2⤵
  PID:6736
- C:\Windows\System32\OsfbTSl.exe
  C:\Windows\System32\OsfbTSl.exe
  2⤵
  PID:6756
- C:\Windows\System32\FiPVpcG.exe
  C:\Windows\System32\FiPVpcG.exe
  2⤵
  PID:6796
- C:\Windows\System32\GutanOq.exe
  C:\Windows\System32\GutanOq.exe
  2⤵
  PID:6820
- C:\Windows\System32\xpAhxSE.exe
  C:\Windows\System32\xpAhxSE.exe
  2⤵
  PID:6840
- C:\Windows\System32\XwRdfsw.exe
  C:\Windows\System32\XwRdfsw.exe
  2⤵
  PID:6864
- C:\Windows\System32\eTWfSKv.exe
  C:\Windows\System32\eTWfSKv.exe
  2⤵
  PID:6920
- C:\Windows\System32\hFheobo.exe
  C:\Windows\System32\hFheobo.exe
  2⤵
  PID:6944
- C:\Windows\System32\ePtyzRd.exe
  C:\Windows\System32\ePtyzRd.exe
  2⤵
  PID:6960
- C:\Windows\System32\FyzNpPa.exe
  C:\Windows\System32\FyzNpPa.exe
  2⤵
  PID:6980
- C:\Windows\System32\GndLMwd.exe
  C:\Windows\System32\GndLMwd.exe
  2⤵
  PID:6996
- C:\Windows\System32\idOCmSG.exe
  C:\Windows\System32\idOCmSG.exe
  2⤵
  PID:7024
- C:\Windows\System32\FzsEPHa.exe
  C:\Windows\System32\FzsEPHa.exe
  2⤵
  PID:7040
- C:\Windows\System32\GgANrXs.exe
  C:\Windows\System32\GgANrXs.exe
  2⤵
  PID:7064
- C:\Windows\System32\aMmZceR.exe
  C:\Windows\System32\aMmZceR.exe
  2⤵
  PID:7104
- C:\Windows\System32\IWySwbE.exe
  C:\Windows\System32\IWySwbE.exe
  2⤵
  PID:7120
- C:\Windows\System32\xigALtp.exe
  C:\Windows\System32\xigALtp.exe
  2⤵
  PID:7160
- C:\Windows\System32\oCpvmnD.exe
  C:\Windows\System32\oCpvmnD.exe
  2⤵
  PID:6172
- C:\Windows\System32\jXeYxYI.exe
  C:\Windows\System32\jXeYxYI.exe
  2⤵
  PID:6264
- C:\Windows\System32\RbruyMO.exe
  C:\Windows\System32\RbruyMO.exe
  2⤵
  PID:6300
- C:\Windows\System32\spuaeJW.exe
  C:\Windows\System32\spuaeJW.exe
  2⤵
  PID:6392
- C:\Windows\System32\QoNEFZs.exe
  C:\Windows\System32\QoNEFZs.exe
  2⤵
  PID:6468
- C:\Windows\System32\WfJOyBm.exe
  C:\Windows\System32\WfJOyBm.exe
  2⤵
  PID:6532
- C:\Windows\System32\TlwuwWG.exe
  C:\Windows\System32\TlwuwWG.exe
  2⤵
  PID:6604
- C:\Windows\System32\QAaDpST.exe
  C:\Windows\System32\QAaDpST.exe
  2⤵
  PID:6704
- C:\Windows\System32\ELGVJrr.exe
  C:\Windows\System32\ELGVJrr.exe
  2⤵
  PID:6764
- C:\Windows\System32\KGxBkAt.exe
  C:\Windows\System32\KGxBkAt.exe
  2⤵
  PID:6836
- C:\Windows\System32\YeWcgOB.exe
  C:\Windows\System32\YeWcgOB.exe
  2⤵
  PID:6828
- C:\Windows\System32\mlttZYg.exe
  C:\Windows\System32\mlttZYg.exe
  2⤵
  PID:6936
- C:\Windows\System32\YaiKWnu.exe
  C:\Windows\System32\YaiKWnu.exe
  2⤵
  PID:7048
- C:\Windows\System32\DSMCJDS.exe
  C:\Windows\System32\DSMCJDS.exe
  2⤵
  PID:7032
- C:\Windows\System32\qFlAAGT.exe
  C:\Windows\System32\qFlAAGT.exe
  2⤵
  PID:7156
- C:\Windows\System32\JGeeIHd.exe
  C:\Windows\System32\JGeeIHd.exe
  2⤵
  PID:7144
- C:\Windows\System32\KLnqykP.exe
  C:\Windows\System32\KLnqykP.exe
  2⤵
  PID:6200
- C:\Windows\System32\NIrcnry.exe
  C:\Windows\System32\NIrcnry.exe
  2⤵
  PID:6348
- C:\Windows\System32\RInAAQC.exe
  C:\Windows\System32\RInAAQC.exe
  2⤵
  PID:6492
- C:\Windows\System32\OgKAWVG.exe
  C:\Windows\System32\OgKAWVG.exe
  2⤵
  PID:6620
- C:\Windows\System32\jJRXsoA.exe
  C:\Windows\System32\jJRXsoA.exe
  2⤵
  PID:6676
- C:\Windows\System32\oyGXZdI.exe
  C:\Windows\System32\oyGXZdI.exe
  2⤵
  PID:6804
- C:\Windows\System32\emTXjGJ.exe
  C:\Windows\System32\emTXjGJ.exe
  2⤵
  PID:6912
- C:\Windows\System32\nDzAhIm.exe
  C:\Windows\System32\nDzAhIm.exe
  2⤵
  PID:6992
- C:\Windows\System32\EMZZcVX.exe
  C:\Windows\System32\EMZZcVX.exe
  2⤵
  PID:7116
- C:\Windows\System32\gCyEljh.exe
  C:\Windows\System32\gCyEljh.exe
  2⤵
  PID:7240
- C:\Windows\System32\EoOEHCp.exe
  C:\Windows\System32\EoOEHCp.exe
  2⤵
  PID:7256
- C:\Windows\System32\psYVpzV.exe
  C:\Windows\System32\psYVpzV.exe
  2⤵
  PID:7272
- C:\Windows\System32\CtZRJJc.exe
  C:\Windows\System32\CtZRJJc.exe
  2⤵
  PID:7312
- C:\Windows\System32\MqJCTlE.exe
  C:\Windows\System32\MqJCTlE.exe
  2⤵
  PID:7336
- C:\Windows\System32\LwiljtM.exe
  C:\Windows\System32\LwiljtM.exe
  2⤵
  PID:7364
- C:\Windows\System32\GMflLPU.exe
  C:\Windows\System32\GMflLPU.exe
  2⤵
  PID:7384
- C:\Windows\System32\QzbZmqn.exe
  C:\Windows\System32\QzbZmqn.exe
  2⤵
  PID:7424
- C:\Windows\System32\ynYkJDw.exe
  C:\Windows\System32\ynYkJDw.exe
  2⤵
  PID:7452
- C:\Windows\System32\HviSzFN.exe
  C:\Windows\System32\HviSzFN.exe
  2⤵
  PID:7476
- C:\Windows\System32\IoGipCw.exe
  C:\Windows\System32\IoGipCw.exe
  2⤵
  PID:7504
- C:\Windows\System32\MhcpwPl.exe
  C:\Windows\System32\MhcpwPl.exe
  2⤵
  PID:7524
- C:\Windows\System32\BZHRhgW.exe
  C:\Windows\System32\BZHRhgW.exe
  2⤵
  PID:7552
- C:\Windows\System32\SQTSMQv.exe
  C:\Windows\System32\SQTSMQv.exe
  2⤵
  PID:7572
- C:\Windows\System32\JoMrtvC.exe
  C:\Windows\System32\JoMrtvC.exe
  2⤵
  PID:7604
- C:\Windows\System32\HsyhXfi.exe
  C:\Windows\System32\HsyhXfi.exe
  2⤵
  PID:7628
- C:\Windows\System32\zAvYgtE.exe
  C:\Windows\System32\zAvYgtE.exe
  2⤵
  PID:7656
- C:\Windows\System32\FXVlWpo.exe
  C:\Windows\System32\FXVlWpo.exe
  2⤵
  PID:7672
- C:\Windows\System32\ICZZAzh.exe
  C:\Windows\System32\ICZZAzh.exe
  2⤵
  PID:7704
- C:\Windows\System32\xPMUpIX.exe
  C:\Windows\System32\xPMUpIX.exe
  2⤵
  PID:7740
- C:\Windows\System32\HWrJatR.exe
  C:\Windows\System32\HWrJatR.exe
  2⤵
  PID:7788
- C:\Windows\System32\gqoxRWC.exe
  C:\Windows\System32\gqoxRWC.exe
  2⤵
  PID:7808
- C:\Windows\System32\GIemDvW.exe
  C:\Windows\System32\GIemDvW.exe
  2⤵
  PID:7828
- C:\Windows\System32\usxeZex.exe
  C:\Windows\System32\usxeZex.exe
  2⤵
  PID:7876
- C:\Windows\System32\mgLXNeI.exe
  C:\Windows\System32\mgLXNeI.exe
  2⤵
  PID:7900
- C:\Windows\System32\YGsDlic.exe
  C:\Windows\System32\YGsDlic.exe
  2⤵
  PID:7924
- C:\Windows\System32\aDRwIUI.exe
  C:\Windows\System32\aDRwIUI.exe
  2⤵
  PID:7948
- C:\Windows\System32\qiyqWYF.exe
  C:\Windows\System32\qiyqWYF.exe
  2⤵
  PID:7968
- C:\Windows\System32\qlULnbH.exe
  C:\Windows\System32\qlULnbH.exe
  2⤵
  PID:8000
- C:\Windows\System32\sSwLGEi.exe
  C:\Windows\System32\sSwLGEi.exe
  2⤵
  PID:8016
- C:\Windows\System32\QBkLdRQ.exe
  C:\Windows\System32\QBkLdRQ.exe
  2⤵
  PID:8048
- C:\Windows\System32\uMxdUrT.exe
  C:\Windows\System32\uMxdUrT.exe
  2⤵
  PID:8068
- C:\Windows\System32\uPmkWZi.exe
  C:\Windows\System32\uPmkWZi.exe
  2⤵
  PID:8084
- C:\Windows\System32\kUFUsia.exe
  C:\Windows\System32\kUFUsia.exe
  2⤵
  PID:8108
- C:\Windows\System32\uqZgGFU.exe
  C:\Windows\System32\uqZgGFU.exe
  2⤵
  PID:8124
- C:\Windows\System32\MsaFYPL.exe
  C:\Windows\System32\MsaFYPL.exe
  2⤵
  PID:8152
- C:\Windows\System32\tamRFKu.exe
  C:\Windows\System32\tamRFKu.exe
  2⤵
  PID:8172
- C:\Windows\System32\tZYZfsT.exe
  C:\Windows\System32\tZYZfsT.exe
  2⤵
  PID:6928
- C:\Windows\System32\XGtXztY.exe
  C:\Windows\System32\XGtXztY.exe
  2⤵
  PID:7288
- C:\Windows\System32\nptyuiT.exe
  C:\Windows\System32\nptyuiT.exe
  2⤵
  PID:7352
- C:\Windows\System32\VTRCozc.exe
  C:\Windows\System32\VTRCozc.exe
  2⤵
  PID:7416
- C:\Windows\System32\McNEIgG.exe
  C:\Windows\System32\McNEIgG.exe
  2⤵
  PID:7448
- C:\Windows\System32\JAZyYpH.exe
  C:\Windows\System32\JAZyYpH.exe
  2⤵
  PID:7520
- C:\Windows\System32\dtXgvcf.exe
  C:\Windows\System32\dtXgvcf.exe
  2⤵
  PID:7592
- C:\Windows\System32\GHoOhtm.exe
  C:\Windows\System32\GHoOhtm.exe
  2⤵
  PID:7720
- C:\Windows\System32\dfkzfLY.exe
  C:\Windows\System32\dfkzfLY.exe
  2⤵
  PID:7760
- C:\Windows\System32\YqMiDro.exe
  C:\Windows\System32\YqMiDro.exe
  2⤵
  PID:7800
- C:\Windows\System32\OeNPcYX.exe
  C:\Windows\System32\OeNPcYX.exe
  2⤵
  PID:7848
- C:\Windows\System32\XWfjlKG.exe
  C:\Windows\System32\XWfjlKG.exe
  2⤵
  PID:7892
- C:\Windows\System32\VaCVaor.exe
  C:\Windows\System32\VaCVaor.exe
  2⤵
  PID:7976
- C:\Windows\System32\LiJNvsU.exe
  C:\Windows\System32\LiJNvsU.exe
  2⤵
  PID:8044
- C:\Windows\System32\LAMVCaG.exe
  C:\Windows\System32\LAMVCaG.exe
  2⤵
  PID:8168
- C:\Windows\System32\ZBGEHgu.exe
  C:\Windows\System32\ZBGEHgu.exe
  2⤵
  PID:8188
- C:\Windows\System32\LtmpxkO.exe
  C:\Windows\System32\LtmpxkO.exe
  2⤵
  PID:6976
- C:\Windows\System32\GPwaBRj.exe
  C:\Windows\System32\GPwaBRj.exe
  2⤵
  PID:7360
- C:\Windows\System32\iKKziMZ.exe
  C:\Windows\System32\iKKziMZ.exe
  2⤵
  PID:7472
- C:\Windows\System32\JMLagTd.exe
  C:\Windows\System32\JMLagTd.exe
  2⤵
  PID:7668
- C:\Windows\System32\jPbuIHz.exe
  C:\Windows\System32\jPbuIHz.exe
  2⤵
  PID:7716
- C:\Windows\System32\NFNQsIp.exe
  C:\Windows\System32\NFNQsIp.exe
  2⤵
  PID:7864
- C:\Windows\System32\gfJGdoM.exe
  C:\Windows\System32\gfJGdoM.exe
  2⤵
  PID:8024
- C:\Windows\System32\YSgIAxz.exe
  C:\Windows\System32\YSgIAxz.exe
  2⤵
  PID:8164
- C:\Windows\System32\gxmfRJp.exe
  C:\Windows\System32\gxmfRJp.exe
  2⤵
  PID:7324
- C:\Windows\System32\qrfXAbD.exe
  C:\Windows\System32\qrfXAbD.exe
  2⤵
  PID:7652
- C:\Windows\System32\jaHEdHU.exe
  C:\Windows\System32\jaHEdHU.exe
  2⤵
  PID:6672
- C:\Windows\System32\OxsGbsA.exe
  C:\Windows\System32\OxsGbsA.exe
  2⤵
  PID:7492
- C:\Windows\System32\lQIVFct.exe
  C:\Windows\System32\lQIVFct.exe
  2⤵
  PID:6540
- C:\Windows\System32\aFdBEjc.exe
  C:\Windows\System32\aFdBEjc.exe
  2⤵
  PID:8208
- C:\Windows\System32\oLDxCoc.exe
  C:\Windows\System32\oLDxCoc.exe
  2⤵
  PID:8224
- C:\Windows\System32\OxxkACs.exe
  C:\Windows\System32\OxxkACs.exe
  2⤵
  PID:8252
- C:\Windows\System32\uqPCFSq.exe
  C:\Windows\System32\uqPCFSq.exe
  2⤵
  PID:8272
- C:\Windows\System32\iYrujES.exe
  C:\Windows\System32\iYrujES.exe
  2⤵
  PID:8316
- C:\Windows\System32\kpsRfIJ.exe
  C:\Windows\System32\kpsRfIJ.exe
  2⤵
  PID:8344
- C:\Windows\System32\QczFZRp.exe
  C:\Windows\System32\QczFZRp.exe
  2⤵
  PID:8384
- C:\Windows\System32\nSydyQr.exe
  C:\Windows\System32\nSydyQr.exe
  2⤵
  PID:8428
- C:\Windows\System32\GGrFGec.exe
  C:\Windows\System32\GGrFGec.exe
  2⤵
  PID:8448
- C:\Windows\System32\OOwDdin.exe
  C:\Windows\System32\OOwDdin.exe
  2⤵
  PID:8536
- C:\Windows\System32\ZbTeWLN.exe
  C:\Windows\System32\ZbTeWLN.exe
  2⤵
  PID:8552
- C:\Windows\System32\wnIDMPy.exe
  C:\Windows\System32\wnIDMPy.exe
  2⤵
  PID:8568
- C:\Windows\System32\lYcPxXS.exe
  C:\Windows\System32\lYcPxXS.exe
  2⤵
  PID:8584
- C:\Windows\System32\AYAOxqO.exe
  C:\Windows\System32\AYAOxqO.exe
  2⤵
  PID:8600
- C:\Windows\System32\hgIAsHI.exe
  C:\Windows\System32\hgIAsHI.exe
  2⤵
  PID:8616
- C:\Windows\System32\YnPwlhi.exe
  C:\Windows\System32\YnPwlhi.exe
  2⤵
  PID:8632
- C:\Windows\System32\NUOISRJ.exe
  C:\Windows\System32\NUOISRJ.exe
  2⤵
  PID:8648
- C:\Windows\System32\sitzVBo.exe
  C:\Windows\System32\sitzVBo.exe
  2⤵
  PID:8664
- C:\Windows\System32\QdDdfAM.exe
  C:\Windows\System32\QdDdfAM.exe
  2⤵
  PID:8680
- C:\Windows\System32\idSgFwY.exe
  C:\Windows\System32\idSgFwY.exe
  2⤵
  PID:8696
- C:\Windows\System32\lVDeMKI.exe
  C:\Windows\System32\lVDeMKI.exe
  2⤵
  PID:8712
- C:\Windows\System32\iWynudR.exe
  C:\Windows\System32\iWynudR.exe
  2⤵
  PID:8728
- C:\Windows\System32\GKLZGct.exe
  C:\Windows\System32\GKLZGct.exe
  2⤵
  PID:8772
- C:\Windows\System32\zTxtPoT.exe
  C:\Windows\System32\zTxtPoT.exe
  2⤵
  PID:8856
- C:\Windows\System32\GIaeRfq.exe
  C:\Windows\System32\GIaeRfq.exe
  2⤵
  PID:8952
- C:\Windows\System32\UfoGxIY.exe
  C:\Windows\System32\UfoGxIY.exe
  2⤵
  PID:8980
- C:\Windows\System32\LDHWcHD.exe
  C:\Windows\System32\LDHWcHD.exe
  2⤵
  PID:9012
- C:\Windows\System32\aXYUlBa.exe
  C:\Windows\System32\aXYUlBa.exe
  2⤵
  PID:9076
- C:\Windows\System32\MPoXusH.exe
  C:\Windows\System32\MPoXusH.exe
  2⤵
  PID:9132
- C:\Windows\System32\fbGKBJs.exe
  C:\Windows\System32\fbGKBJs.exe
  2⤵
  PID:9160
- C:\Windows\System32\qxybSyc.exe
  C:\Windows\System32\qxybSyc.exe
  2⤵
  PID:9200
- C:\Windows\System32\TcWwWRd.exe
  C:\Windows\System32\TcWwWRd.exe
  2⤵
  PID:8204
- C:\Windows\System32\dQLUJbU.exe
  C:\Windows\System32\dQLUJbU.exe
  2⤵
  PID:8216
- C:\Windows\System32\BcNNthX.exe
  C:\Windows\System32\BcNNthX.exe
  2⤵
  PID:8292
- C:\Windows\System32\uRJKAAS.exe
  C:\Windows\System32\uRJKAAS.exe
  2⤵
  PID:8396
- C:\Windows\System32\yTPIkNw.exe
  C:\Windows\System32\yTPIkNw.exe
  2⤵
  PID:8360
- C:\Windows\System32\bOBfngr.exe
  C:\Windows\System32\bOBfngr.exe
  2⤵
  PID:8412
- C:\Windows\System32\zZrutPG.exe
  C:\Windows\System32\zZrutPG.exe
  2⤵
  PID:8464
- C:\Windows\System32\OCrLxQu.exe
  C:\Windows\System32\OCrLxQu.exe
  2⤵
  PID:8500
- C:\Windows\System32\ctWUxfv.exe
  C:\Windows\System32\ctWUxfv.exe
  2⤵
  PID:8564
- C:\Windows\System32\JdQKrpi.exe
  C:\Windows\System32\JdQKrpi.exe
  2⤵
  PID:8644
- C:\Windows\System32\NUZdrfV.exe
  C:\Windows\System32\NUZdrfV.exe
  2⤵
  PID:8788
- C:\Windows\System32\aACosnS.exe
  C:\Windows\System32\aACosnS.exe
  2⤵
  PID:8656
- C:\Windows\System32\qjdNLks.exe
  C:\Windows\System32\qjdNLks.exe
  2⤵
  PID:8784
- C:\Windows\System32\JUwzrui.exe
  C:\Windows\System32\JUwzrui.exe
  2⤵
  PID:8800
- C:\Windows\System32\CaOvyMb.exe
  C:\Windows\System32\CaOvyMb.exe
  2⤵
  PID:8900
- C:\Windows\System32\aNuVQdC.exe
  C:\Windows\System32\aNuVQdC.exe
  2⤵
  PID:8932
- C:\Windows\System32\bzXTIgW.exe
  C:\Windows\System32\bzXTIgW.exe
  2⤵
  PID:9028
- C:\Windows\System32\oyuDKlp.exe
  C:\Windows\System32\oyuDKlp.exe
  2⤵
  PID:9104
- C:\Windows\System32\klBPvFs.exe
  C:\Windows\System32\klBPvFs.exe
  2⤵
  PID:9176
- C:\Windows\System32\sypQXkd.exe
  C:\Windows\System32\sypQXkd.exe
  2⤵
  PID:8268
- C:\Windows\System32\LkKOgWU.exe
  C:\Windows\System32\LkKOgWU.exe
  2⤵
  PID:8420
- C:\Windows\System32\DQrFRWl.exe
  C:\Windows\System32\DQrFRWl.exe
  2⤵
  PID:8400
- C:\Windows\System32\TxschmX.exe
  C:\Windows\System32\TxschmX.exe
  2⤵
  PID:8480
- C:\Windows\System32\xeLEBID.exe
  C:\Windows\System32\xeLEBID.exe
  2⤵
  PID:8628
- C:\Windows\System32\jCStHMA.exe
  C:\Windows\System32\jCStHMA.exe
  2⤵
  PID:8780
- C:\Windows\System32\XBckTvG.exe
  C:\Windows\System32\XBckTvG.exe
  2⤵
  PID:8760
- C:\Windows\System32\LbtojRL.exe
  C:\Windows\System32\LbtojRL.exe
  2⤵
  PID:8240
- C:\Windows\System32\CjNvmJN.exe
  C:\Windows\System32\CjNvmJN.exe
  2⤵
  PID:8740
- C:\Windows\System32\KbpQppi.exe
  C:\Windows\System32\KbpQppi.exe
  2⤵
  PID:8692
- C:\Windows\System32\SzNXLpc.exe
  C:\Windows\System32\SzNXLpc.exe
  2⤵
  PID:8592
- C:\Windows\System32\WhmAOSF.exe
  C:\Windows\System32\WhmAOSF.exe
  2⤵
  PID:8520
- C:\Windows\System32\zjTQlOm.exe
  C:\Windows\System32\zjTQlOm.exe
  2⤵
  PID:8232
- C:\Windows\System32\jcMMGoY.exe
  C:\Windows\System32\jcMMGoY.exe
  2⤵
  PID:9236
- C:\Windows\System32\RcLBtEt.exe
  C:\Windows\System32\RcLBtEt.exe
  2⤵
  PID:9264
- C:\Windows\System32\AoasFwp.exe
  C:\Windows\System32\AoasFwp.exe
  2⤵
  PID:9292
- C:\Windows\System32\dcHYbtV.exe
  C:\Windows\System32\dcHYbtV.exe
  2⤵
  PID:9316
- C:\Windows\System32\skPPscC.exe
  C:\Windows\System32\skPPscC.exe
  2⤵
  PID:9344
- C:\Windows\System32\AEVxKoa.exe
  C:\Windows\System32\AEVxKoa.exe
  2⤵
  PID:9364
- C:\Windows\System32\YOrygFv.exe
  C:\Windows\System32\YOrygFv.exe
  2⤵
  PID:9388
- C:\Windows\System32\cJeCWEw.exe
  C:\Windows\System32\cJeCWEw.exe
  2⤵
  PID:9412
- C:\Windows\System32\sdMBBSW.exe
  C:\Windows\System32\sdMBBSW.exe
  2⤵
  PID:9428
- C:\Windows\System32\cGAjbzJ.exe
  C:\Windows\System32\cGAjbzJ.exe
  2⤵
  PID:9452
- C:\Windows\System32\AUoVouk.exe
  C:\Windows\System32\AUoVouk.exe
  2⤵
  PID:9472
- C:\Windows\System32\RCdZaRj.exe
  C:\Windows\System32\RCdZaRj.exe
  2⤵
  PID:9496
- C:\Windows\System32\EYMkhbn.exe
  C:\Windows\System32\EYMkhbn.exe
  2⤵
  PID:9548
- C:\Windows\System32\fJRxviR.exe
  C:\Windows\System32\fJRxviR.exe
  2⤵
  PID:9600
- C:\Windows\System32\uAkwLzC.exe
  C:\Windows\System32\uAkwLzC.exe
  2⤵
  PID:9624
- C:\Windows\System32\GGczlOv.exe
  C:\Windows\System32\GGczlOv.exe
  2⤵
  PID:9660
- C:\Windows\System32\pNodqXR.exe
  C:\Windows\System32\pNodqXR.exe
  2⤵
  PID:9696
- C:\Windows\System32\JpzPaQs.exe
  C:\Windows\System32\JpzPaQs.exe
  2⤵
  PID:9720
- C:\Windows\System32\ZJDNLnv.exe
  C:\Windows\System32\ZJDNLnv.exe
  2⤵
  PID:9740
- C:\Windows\System32\OWSUnhQ.exe
  C:\Windows\System32\OWSUnhQ.exe
  2⤵
  PID:9768
- C:\Windows\System32\YnZXKHh.exe
  C:\Windows\System32\YnZXKHh.exe
  2⤵
  PID:9808
- C:\Windows\System32\FWNTIcy.exe
  C:\Windows\System32\FWNTIcy.exe
  2⤵
  PID:9828
- C:\Windows\System32\IolGCTh.exe
  C:\Windows\System32\IolGCTh.exe
  2⤵
  PID:9852
- C:\Windows\System32\Vhnzpbo.exe
  C:\Windows\System32\Vhnzpbo.exe
  2⤵
  PID:9892
- C:\Windows\System32\LFppTYO.exe
  C:\Windows\System32\LFppTYO.exe
  2⤵
  PID:9916
- C:\Windows\System32\ynXkPbS.exe
  C:\Windows\System32\ynXkPbS.exe
  2⤵
  PID:9936
- C:\Windows\System32\hqDqhKx.exe
  C:\Windows\System32\hqDqhKx.exe
  2⤵
  PID:9952
- C:\Windows\System32\pbxxrmk.exe
  C:\Windows\System32\pbxxrmk.exe
  2⤵
  PID:9996
- C:\Windows\System32\nKbQtzt.exe
  C:\Windows\System32\nKbQtzt.exe
  2⤵
  PID:10012
- C:\Windows\System32\JujICGe.exe
  C:\Windows\System32\JujICGe.exe
  2⤵
  PID:10036
- C:\Windows\System32\BGcRhmB.exe
  C:\Windows\System32\BGcRhmB.exe
  2⤵
  PID:10088
- C:\Windows\System32\RSLzwEl.exe
  C:\Windows\System32\RSLzwEl.exe
  2⤵
  PID:10112
- C:\Windows\System32\EwxJijl.exe
  C:\Windows\System32\EwxJijl.exe
  2⤵
  PID:10132
- C:\Windows\System32\EYtIGae.exe
  C:\Windows\System32\EYtIGae.exe
  2⤵
  PID:10160
- C:\Windows\System32\tCvMYPm.exe
  C:\Windows\System32\tCvMYPm.exe
  2⤵
  PID:10200
- C:\Windows\System32\QVOBPlL.exe
  C:\Windows\System32\QVOBPlL.exe
  2⤵
  PID:10224
- C:\Windows\System32\ZkhCpjz.exe
  C:\Windows\System32\ZkhCpjz.exe
  2⤵
  PID:9224
- C:\Windows\System32\HfOUdRq.exe
  C:\Windows\System32\HfOUdRq.exe
  2⤵
  PID:9276
- C:\Windows\System32\fBzwPYu.exe
  C:\Windows\System32\fBzwPYu.exe
  2⤵
  PID:9324
- C:\Windows\System32\eIKXatr.exe
  C:\Windows\System32\eIKXatr.exe
  2⤵
  PID:9340
- C:\Windows\System32\yXxtyQI.exe
  C:\Windows\System32\yXxtyQI.exe
  2⤵
  PID:9396
- C:\Windows\System32\QpcCLiS.exe
  C:\Windows\System32\QpcCLiS.exe
  2⤵
  PID:9528
- C:\Windows\System32\nmPJEQd.exe
  C:\Windows\System32\nmPJEQd.exe
  2⤵
  PID:9560
- C:\Windows\System32\riVjhQT.exe
  C:\Windows\System32\riVjhQT.exe
  2⤵
  PID:9648
- C:\Windows\System32\aqNyBLq.exe
  C:\Windows\System32\aqNyBLq.exe
  2⤵
  PID:9708
- C:\Windows\System32\jvWpXEL.exe
  C:\Windows\System32\jvWpXEL.exe
  2⤵
  PID:9848
- C:\Windows\System32\ryBwLXX.exe
  C:\Windows\System32\ryBwLXX.exe
  2⤵
  PID:9872
- C:\Windows\System32\ZbQuLYT.exe
  C:\Windows\System32\ZbQuLYT.exe
  2⤵
  PID:9948
- C:\Windows\System32\uxnDazd.exe
  C:\Windows\System32\uxnDazd.exe
  2⤵
  PID:10004
- C:\Windows\System32\gQLCGuR.exe
  C:\Windows\System32\gQLCGuR.exe
  2⤵
  PID:10072
- C:\Windows\System32\dVuhlJQ.exe
  C:\Windows\System32\dVuhlJQ.exe
  2⤵
  PID:10124
- C:\Windows\System32\oySVbrN.exe
  C:\Windows\System32\oySVbrN.exe
  2⤵
  PID:10212
- C:\Windows\System32\ydHKgZf.exe
  C:\Windows\System32\ydHKgZf.exe
  2⤵
  PID:10236
- C:\Windows\System32\RKRpllw.exe
  C:\Windows\System32\RKRpllw.exe
  2⤵
  PID:9380
- C:\Windows\System32\ZGYkXDt.exe
  C:\Windows\System32\ZGYkXDt.exe
  2⤵
  PID:9584
- C:\Windows\System32\EbTSAZz.exe
  C:\Windows\System32\EbTSAZz.exe
  2⤵
  PID:9652
- C:\Windows\System32\ECSZiAN.exe
  C:\Windows\System32\ECSZiAN.exe
  2⤵
  PID:9784
- C:\Windows\System32\bAvcETC.exe
  C:\Windows\System32\bAvcETC.exe
  2⤵
  PID:9924
- C:\Windows\System32\KGNiOar.exe
  C:\Windows\System32\KGNiOar.exe
  2⤵
  PID:9972
- C:\Windows\System32\kBYADqX.exe
  C:\Windows\System32\kBYADqX.exe
  2⤵
  PID:10176
- C:\Windows\System32\qzhkqhC.exe
  C:\Windows\System32\qzhkqhC.exe
  2⤵
  PID:9256
- C:\Windows\System32\UIYZsaa.exe
  C:\Windows\System32\UIYZsaa.exe
  2⤵
  PID:9928
- C:\Windows\System32\DdYdelC.exe
  C:\Windows\System32\DdYdelC.exe
  2⤵
  PID:9656
- C:\Windows\System32\jnWdRZS.exe
  C:\Windows\System32\jnWdRZS.exe
  2⤵
  PID:10056
- C:\Windows\System32\aJScefc.exe
  C:\Windows\System32\aJScefc.exe
  2⤵
  PID:10264
- C:\Windows\System32\kKNMWuA.exe
  C:\Windows\System32\kKNMWuA.exe
  2⤵
  PID:10288
- C:\Windows\System32\UnUrMcV.exe
  C:\Windows\System32\UnUrMcV.exe
  2⤵
  PID:10312
- C:\Windows\System32\ykPupUl.exe
  C:\Windows\System32\ykPupUl.exe
  2⤵
  PID:10356
- C:\Windows\System32\pXEHoKw.exe
  C:\Windows\System32\pXEHoKw.exe
  2⤵
  PID:10380
- C:\Windows\System32\LlKhkzV.exe
  C:\Windows\System32\LlKhkzV.exe
  2⤵
  PID:10396
- C:\Windows\System32\xxQdfsx.exe
  C:\Windows\System32\xxQdfsx.exe
  2⤵
  PID:10420
- C:\Windows\System32\UrpDsLG.exe
  C:\Windows\System32\UrpDsLG.exe
  2⤵
  PID:10440
- C:\Windows\System32\ipMUrfR.exe
  C:\Windows\System32\ipMUrfR.exe
  2⤵
  PID:10484
- C:\Windows\System32\liCkisF.exe
  C:\Windows\System32\liCkisF.exe
  2⤵
  PID:10508
- C:\Windows\System32\oCFXTPj.exe
  C:\Windows\System32\oCFXTPj.exe
  2⤵
  PID:10532
- C:\Windows\System32\bilRBhZ.exe
  C:\Windows\System32\bilRBhZ.exe
  2⤵
  PID:10572
- C:\Windows\System32\QYxxzTO.exe
  C:\Windows\System32\QYxxzTO.exe
  2⤵
  PID:10596
- C:\Windows\System32\BWIgAbQ.exe
  C:\Windows\System32\BWIgAbQ.exe
  2⤵
  PID:10620
- C:\Windows\System32\ZxiYQrn.exe
  C:\Windows\System32\ZxiYQrn.exe
  2⤵
  PID:10644
- C:\Windows\System32\ivBObSH.exe
  C:\Windows\System32\ivBObSH.exe
  2⤵
  PID:10692
- C:\Windows\System32\KDjcLDE.exe
  C:\Windows\System32\KDjcLDE.exe
  2⤵
  PID:10712
- C:\Windows\System32\UxIxujJ.exe
  C:\Windows\System32\UxIxujJ.exe
  2⤵
  PID:10740
- C:\Windows\System32\FWwbdJR.exe
  C:\Windows\System32\FWwbdJR.exe
  2⤵
  PID:10756
- C:\Windows\System32\ALKgaBw.exe
  C:\Windows\System32\ALKgaBw.exe
  2⤵
  PID:10780
- C:\Windows\System32\QIAtRKr.exe
  C:\Windows\System32\QIAtRKr.exe
  2⤵
  PID:10812
- C:\Windows\System32\SkqWXop.exe
  C:\Windows\System32\SkqWXop.exe
  2⤵
  PID:10836
- C:\Windows\System32\amRmerB.exe
  C:\Windows\System32\amRmerB.exe
  2⤵
  PID:10864
- C:\Windows\System32\MAfVsnN.exe
  C:\Windows\System32\MAfVsnN.exe
  2⤵
  PID:10884
- C:\Windows\System32\FvumPbB.exe
  C:\Windows\System32\FvumPbB.exe
  2⤵
  PID:10900
- C:\Windows\System32\UVcduHB.exe
  C:\Windows\System32\UVcduHB.exe
  2⤵
  PID:10944
- C:\Windows\System32\xUtWLPg.exe
  C:\Windows\System32\xUtWLPg.exe
  2⤵
  PID:10964
- C:\Windows\System32\wGpjGHg.exe
  C:\Windows\System32\wGpjGHg.exe
  2⤵
  PID:10980
- C:\Windows\System32\MAPjyWp.exe
  C:\Windows\System32\MAPjyWp.exe
  2⤵
  PID:11004
- C:\Windows\System32\zaYvVae.exe
  C:\Windows\System32\zaYvVae.exe
  2⤵
  PID:11056
- C:\Windows\System32\FyBFpCD.exe
  C:\Windows\System32\FyBFpCD.exe
  2⤵
  PID:11096
- C:\Windows\System32\TGUWinw.exe
  C:\Windows\System32\TGUWinw.exe
  2⤵
  PID:11116
- C:\Windows\System32\WpqMhHV.exe
  C:\Windows\System32\WpqMhHV.exe
  2⤵
  PID:11132
- C:\Windows\System32\GQnPYaj.exe
  C:\Windows\System32\GQnPYaj.exe
  2⤵
  PID:11160
- C:\Windows\System32\lXWjIxb.exe
  C:\Windows\System32\lXWjIxb.exe
  2⤵
  PID:11184
- C:\Windows\System32\fltappI.exe
  C:\Windows\System32\fltappI.exe
  2⤵
  PID:11204
- C:\Windows\System32\njwYAdg.exe
  C:\Windows\System32\njwYAdg.exe
  2⤵
  PID:11252
- C:\Windows\System32\gYFnblV.exe
  C:\Windows\System32\gYFnblV.exe
  2⤵
  PID:10280
- C:\Windows\System32\NutYgyD.exe
  C:\Windows\System32\NutYgyD.exe
  2⤵
  PID:10352
- C:\Windows\System32\NwVUhbV.exe
  C:\Windows\System32\NwVUhbV.exe
  2⤵
  PID:10412
- C:\Windows\System32\tprIpUZ.exe
  C:\Windows\System32\tprIpUZ.exe
  2⤵
  PID:10540
- C:\Windows\System32\eYPWIMp.exe
  C:\Windows\System32\eYPWIMp.exe
  2⤵
  PID:10580
- C:\Windows\System32\Brpkyxy.exe
  C:\Windows\System32\Brpkyxy.exe
  2⤵
  PID:10660
- C:\Windows\System32\CsHQOAP.exe
  C:\Windows\System32\CsHQOAP.exe
  2⤵
  PID:10700
- C:\Windows\System32\pHSvrJS.exe
  C:\Windows\System32\pHSvrJS.exe
  2⤵
  PID:10764
- C:\Windows\System32\qHzOSdN.exe
  C:\Windows\System32\qHzOSdN.exe
  2⤵
  PID:10844
- C:\Windows\System32\dDKCMIc.exe
  C:\Windows\System32\dDKCMIc.exe
  2⤵
  PID:10936
- C:\Windows\System32\DTzHYUf.exe
  C:\Windows\System32\DTzHYUf.exe
  2⤵
  PID:11012
- C:\Windows\System32\eXEIytf.exe
  C:\Windows\System32\eXEIytf.exe
  2⤵
  PID:10996
- C:\Windows\System32\jxIojwn.exe
  C:\Windows\System32\jxIojwn.exe
  2⤵
  PID:11076
- C:\Windows\System32\RjIPkiC.exe
  C:\Windows\System32\RjIPkiC.exe
  2⤵
  PID:11140
- C:\Windows\System32\uwKACkd.exe
  C:\Windows\System32\uwKACkd.exe
  2⤵
  PID:11200
- C:\Windows\System32\UBMKZdB.exe
  C:\Windows\System32\UBMKZdB.exe
  2⤵
  PID:10332
- C:\Windows\System32\xtRKDPe.exe
  C:\Windows\System32\xtRKDPe.exe
  2⤵
  PID:10472
- C:\Windows\System32\sCtVoKb.exe
  C:\Windows\System32\sCtVoKb.exe
  2⤵
  PID:10608
- C:\Windows\System32\ePDPQvd.exe
  C:\Windows\System32\ePDPQvd.exe
  2⤵
  PID:10776
- C:\Windows\System32\OLZkvGG.exe
  C:\Windows\System32\OLZkvGG.exe
  2⤵
  PID:10924
- C:\Windows\System32\oaqfpEf.exe
  C:\Windows\System32\oaqfpEf.exe
  2⤵
  PID:11052
- C:\Windows\System32\EDKXaUJ.exe
  C:\Windows\System32\EDKXaUJ.exe
  2⤵
  PID:11124
- C:\Windows\System32\QDpyozq.exe
  C:\Windows\System32\QDpyozq.exe
  2⤵
  PID:10300
- C:\Windows\System32\yWZjMSI.exe
  C:\Windows\System32\yWZjMSI.exe
  2⤵
  PID:10632
- C:\Windows\System32\uOeJFhP.exe
  C:\Windows\System32\uOeJFhP.exe
  2⤵
  PID:10920
- C:\Windows\System32\mpMwJeM.exe
  C:\Windows\System32\mpMwJeM.exe
  2⤵
  PID:10376
- C:\Windows\System32\DWZueMU.exe
  C:\Windows\System32\DWZueMU.exe
  2⤵
  PID:10896
- C:\Windows\System32\TqWKNMw.exe
  C:\Windows\System32\TqWKNMw.exe
  2⤵
  PID:11280
- C:\Windows\System32\JuPfAEm.exe
  C:\Windows\System32\JuPfAEm.exe
  2⤵
  PID:11304
- C:\Windows\System32\HNTKFVb.exe
  C:\Windows\System32\HNTKFVb.exe
  2⤵
  PID:11324
- C:\Windows\System32\kYlVrtC.exe
  C:\Windows\System32\kYlVrtC.exe
  2⤵
  PID:11344
- C:\Windows\System32\ROlbhBg.exe
  C:\Windows\System32\ROlbhBg.exe
  2⤵
  PID:11412
- C:\Windows\System32\rTMnuEE.exe
  C:\Windows\System32\rTMnuEE.exe
  2⤵
  PID:11444
- C:\Windows\System32\wYjNWWP.exe
  C:\Windows\System32\wYjNWWP.exe
  2⤵
  PID:11460
- C:\Windows\System32\GhArDDd.exe
  C:\Windows\System32\GhArDDd.exe
  2⤵
  PID:11488
- C:\Windows\System32\tWCDouQ.exe
  C:\Windows\System32\tWCDouQ.exe
  2⤵
  PID:11524
- C:\Windows\System32\BwHmSuP.exe
  C:\Windows\System32\BwHmSuP.exe
  2⤵
  PID:11556
- C:\Windows\System32\LClcXYw.exe
  C:\Windows\System32\LClcXYw.exe
  2⤵
  PID:11572
- C:\Windows\System32\OeQXzsk.exe
  C:\Windows\System32\OeQXzsk.exe
  2⤵
  PID:11600
- C:\Windows\System32\GyxamYv.exe
  C:\Windows\System32\GyxamYv.exe
  2⤵
  PID:11644
- C:\Windows\System32\BciVNrk.exe
  C:\Windows\System32\BciVNrk.exe
  2⤵
  PID:11660
- C:\Windows\System32\FiKWIqz.exe
  C:\Windows\System32\FiKWIqz.exe
  2⤵
  PID:11684
- C:\Windows\System32\uCGBiKG.exe
  C:\Windows\System32\uCGBiKG.exe
  2⤵
  PID:11720
- C:\Windows\System32\dpPYjyb.exe
  C:\Windows\System32\dpPYjyb.exe
  2⤵
  PID:11744
- C:\Windows\System32\PLFPMMI.exe
  C:\Windows\System32\PLFPMMI.exe
  2⤵
  PID:11780
- C:\Windows\System32\BBqlVAw.exe
  C:\Windows\System32\BBqlVAw.exe
  2⤵
  PID:11812
- C:\Windows\System32\EshyNQM.exe
  C:\Windows\System32\EshyNQM.exe
  2⤵
  PID:11832
- C:\Windows\System32\YnPycKw.exe
  C:\Windows\System32\YnPycKw.exe
  2⤵
  PID:11860
- C:\Windows\System32\QflSJTn.exe
  C:\Windows\System32\QflSJTn.exe
  2⤵
  PID:11876
- C:\Windows\System32\COkkcuJ.exe
  C:\Windows\System32\COkkcuJ.exe
  2⤵
  PID:11904
- C:\Windows\System32\xRvicTc.exe
  C:\Windows\System32\xRvicTc.exe
  2⤵
  PID:11940
- C:\Windows\System32\TCuSaVQ.exe
  C:\Windows\System32\TCuSaVQ.exe
  2⤵
  PID:11960
- C:\Windows\System32\KiSWekJ.exe
  C:\Windows\System32\KiSWekJ.exe
  2⤵
  PID:11992
- C:\Windows\System32\lFHVuOC.exe
  C:\Windows\System32\lFHVuOC.exe
  2⤵
  PID:12024
- C:\Windows\System32\AnXywCl.exe
  C:\Windows\System32\AnXywCl.exe
  2⤵
  PID:12052
- C:\Windows\System32\DQmTBBk.exe
  C:\Windows\System32\DQmTBBk.exe
  2⤵
  PID:12084
- C:\Windows\System32\OuHDkoW.exe
  C:\Windows\System32\OuHDkoW.exe
  2⤵
  PID:12112
- C:\Windows\System32\BaMrIIY.exe
  C:\Windows\System32\BaMrIIY.exe
  2⤵
  PID:12148
- C:\Windows\System32\UwFlBvR.exe
  C:\Windows\System32\UwFlBvR.exe
  2⤵
  PID:12164
- C:\Windows\System32\ZjNVYqt.exe
  C:\Windows\System32\ZjNVYqt.exe
  2⤵
  PID:12204
- C:\Windows\System32\UZayPWh.exe
  C:\Windows\System32\UZayPWh.exe
  2⤵
  PID:12232
- C:\Windows\System32\zyUhxQC.exe
  C:\Windows\System32\zyUhxQC.exe
  2⤵
  PID:12248
- C:\Windows\System32\beuAabR.exe
  C:\Windows\System32\beuAabR.exe
  2⤵
  PID:12284
- C:\Windows\System32\ldDCYYo.exe
  C:\Windows\System32\ldDCYYo.exe
  2⤵
  PID:11296
- C:\Windows\System32\XmDgYcZ.exe
  C:\Windows\System32\XmDgYcZ.exe
  2⤵
  PID:11332
- C:\Windows\System32\IzmFNIf.exe
  C:\Windows\System32\IzmFNIf.exe
  2⤵
  PID:11396
- C:\Windows\System32\HzNwMBW.exe
  C:\Windows\System32\HzNwMBW.exe
  2⤵
  PID:11484
- C:\Windows\System32\ogqxgWX.exe
  C:\Windows\System32\ogqxgWX.exe
  2⤵
  PID:11540
- C:\Windows\System32\wBiJPiy.exe
  C:\Windows\System32\wBiJPiy.exe
  2⤵
  PID:11592
- C:\Windows\System32\ieEzYye.exe
  C:\Windows\System32\ieEzYye.exe
  2⤵
  PID:11652
- C:\Windows\System32\BGKTSKY.exe
  C:\Windows\System32\BGKTSKY.exe
  2⤵
  PID:11716
- C:\Windows\System32\nPfzftt.exe
  C:\Windows\System32\nPfzftt.exe
  2⤵
  PID:11768
- C:\Windows\System32\XDtHgsu.exe
  C:\Windows\System32\XDtHgsu.exe
  2⤵
  PID:11912
- C:\Windows\System32\vROrDkw.exe
  C:\Windows\System32\vROrDkw.exe
  2⤵
  PID:11956
- C:\Windows\System32\PaWgpBs.exe
  C:\Windows\System32\PaWgpBs.exe
  2⤵
  PID:12020
- C:\Windows\System32\DaMvJmK.exe
  C:\Windows\System32\DaMvJmK.exe
  2⤵
  PID:12092
- C:\Windows\System32\VEmiWqz.exe
  C:\Windows\System32\VEmiWqz.exe
  2⤵
  PID:12156
- C:\Windows\System32\VIydBHT.exe
  C:\Windows\System32\VIydBHT.exe
  2⤵
  PID:12228
- C:\Windows\System32\oWLdDgJ.exe
  C:\Windows\System32\oWLdDgJ.exe
  2⤵
  PID:11380
- C:\Windows\System32\JzBiTdd.exe
  C:\Windows\System32\JzBiTdd.exe
  2⤵
  PID:11424
- C:\Windows\System32\qQfSZPs.exe
  C:\Windows\System32\qQfSZPs.exe
  2⤵
  PID:11620
- C:\Windows\System32\UoZcwkl.exe
  C:\Windows\System32\UoZcwkl.exe
  2⤵
  PID:4828
- C:\Windows\System32\TGjwhRB.exe
  C:\Windows\System32\TGjwhRB.exe
  2⤵
  PID:11680
- C:\Windows\System32\tEugYPo.exe
  C:\Windows\System32\tEugYPo.exe
  2⤵
  PID:11856
- C:\Windows\System32\fySOMlT.exe
  C:\Windows\System32\fySOMlT.exe
  2⤵
  PID:11948
- C:\Windows\System32\QbWELfO.exe
  C:\Windows\System32\QbWELfO.exe
  2⤵
  PID:12044
- C:\Windows\System32\xicuDlZ.exe
  C:\Windows\System32\xicuDlZ.exe
  2⤵
  PID:12220
- C:\Windows\System32\lAMSbcD.exe
  C:\Windows\System32\lAMSbcD.exe
  2⤵
  PID:11496
- C:\Windows\System32\qZWaRHR.exe
  C:\Windows\System32\qZWaRHR.exe
  2⤵
  PID:11804
- C:\Windows\System32\lqyFwxB.exe
  C:\Windows\System32\lqyFwxB.exe
  2⤵
  PID:11976
- C:\Windows\System32\WzgyIsE.exe
  C:\Windows\System32\WzgyIsE.exe
  2⤵
  PID:11640
- C:\Windows\System32\wEIFLYM.exe
  C:\Windows\System32\wEIFLYM.exe
  2⤵
  PID:11480
- C:\Windows\System32\yRGqcCV.exe
  C:\Windows\System32\yRGqcCV.exe
  2⤵
  PID:12316
- C:\Windows\System32\ZJaMSHz.exe
  C:\Windows\System32\ZJaMSHz.exe
  2⤵
  PID:12332
- C:\Windows\System32\eVxaQov.exe
  C:\Windows\System32\eVxaQov.exe
  2⤵
  PID:12356
- C:\Windows\System32\AzWukUG.exe
  C:\Windows\System32\AzWukUG.exe
  2⤵
  PID:12384
- C:\Windows\System32\URlDWEg.exe
  C:\Windows\System32\URlDWEg.exe
  2⤵
  PID:12404
- C:\Windows\System32\nQlocnB.exe
  C:\Windows\System32\nQlocnB.exe
  2⤵
  PID:12436
- C:\Windows\System32\AlfiogX.exe
  C:\Windows\System32\AlfiogX.exe
  2⤵
  PID:12456
- C:\Windows\System32\mgqhVwc.exe
  C:\Windows\System32\mgqhVwc.exe
  2⤵
  PID:12496
- C:\Windows\System32\TZZmzUn.exe
  C:\Windows\System32\TZZmzUn.exe
  2⤵
  PID:12524
- C:\Windows\System32\KUOZhej.exe
  C:\Windows\System32\KUOZhej.exe
  2⤵
  PID:12556
- C:\Windows\System32\LTBuNmT.exe
  C:\Windows\System32\LTBuNmT.exe
  2⤵
  PID:12572
- C:\Windows\System32\IgWiGOb.exe
  C:\Windows\System32\IgWiGOb.exe
  2⤵
  PID:12596
- C:\Windows\System32\unNAYOM.exe
  C:\Windows\System32\unNAYOM.exe
  2⤵
  PID:12624
- C:\Windows\System32\bQtRPfI.exe
  C:\Windows\System32\bQtRPfI.exe
  2⤵
  PID:12688
- C:\Windows\System32\sdvsGjC.exe
  C:\Windows\System32\sdvsGjC.exe
  2⤵
  PID:12712
- C:\Windows\System32\NwSCZwq.exe
  C:\Windows\System32\NwSCZwq.exe
  2⤵
  PID:12744
- C:\Windows\System32\wcqMncx.exe
  C:\Windows\System32\wcqMncx.exe
  2⤵
  PID:12772
- C:\Windows\System32\UfQymwi.exe
  C:\Windows\System32\UfQymwi.exe
  2⤵
  PID:12796
- C:\Windows\System32\lLmRKhA.exe
  C:\Windows\System32\lLmRKhA.exe
  2⤵
  PID:12816
- C:\Windows\System32\LFKQdCD.exe
  C:\Windows\System32\LFKQdCD.exe
  2⤵
  PID:12856
- C:\Windows\System32\bXDALBW.exe
  C:\Windows\System32\bXDALBW.exe
  2⤵
  PID:12872
- C:\Windows\System32\bldoSLK.exe
  C:\Windows\System32\bldoSLK.exe
  2⤵
  PID:12892
- C:\Windows\System32\KNrquDl.exe
  C:\Windows\System32\KNrquDl.exe
  2⤵
  PID:12916
- C:\Windows\System32\HJIeYJo.exe
  C:\Windows\System32\HJIeYJo.exe
  2⤵
  PID:12964
- C:\Windows\System32\qlzzjuU.exe
  C:\Windows\System32\qlzzjuU.exe
  2⤵
  PID:13000
- C:\Windows\System32\vsesiBt.exe
  C:\Windows\System32\vsesiBt.exe
  2⤵
  PID:13028
- C:\Windows\System32\WcwXVMO.exe
  C:\Windows\System32\WcwXVMO.exe
  2⤵
  PID:13064
- C:\Windows\System32\dPmiEdJ.exe
  C:\Windows\System32\dPmiEdJ.exe
  2⤵
  PID:13084
- C:\Windows\System32\qPMBRRp.exe
  C:\Windows\System32\qPMBRRp.exe
  2⤵
  PID:13112
- C:\Windows\System32\jMlKehS.exe
  C:\Windows\System32\jMlKehS.exe
  2⤵
  PID:13156
- C:\Windows\System32\AByHWLV.exe
  C:\Windows\System32\AByHWLV.exe
  2⤵
  PID:13188
- C:\Windows\System32\lVXTCvF.exe
  C:\Windows\System32\lVXTCvF.exe
  2⤵
  PID:13212

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BVkCJHe.exe

Filesize
1.4MB

MD5
8a31bf4ddb2101f57c7a18d5dd54b8a6

SHA1
d5a1542cea02632044ce0cf7e9f5c5215281208e

SHA256
8043893d5c5593f7920fedb81e35c141de554516bdd0ae5385c0bae474f70e10

SHA512
b3f738f77eeb063a8a69a950b50f69d00cf0ffd39223a1a3c90c228aa19f70a209ec27cf012c38d60f896c22cdeaec8d2aa960984b9d187e6b5c1d5e12e9343b

Download Submit
C:\Windows\System32\CoSLYMV.exe

Filesize
1.4MB

MD5
fa1ebf2ce452dc41d1f9b1497dfb90e3

SHA1
74bc2a6998d08b3c5cc41155e37c9b54efe0c782

SHA256
29001fb5dc5f7424160b716752bed8f65b3c3e8a86e535ca2f210011d0c7b6b9

SHA512
46a4c1079f8eb09748b1b39b8b8d2e2ce50c3e131ec643d0e12ac5bef9968a503c643d0fd9ebe27499229fb9f95bc4768773ce26335f61fcb61a4bab39e69e41

Download Submit
C:\Windows\System32\FbehPBV.exe

Filesize
1.4MB

MD5
6a3be04b0cc2060e94fc1004095b3dec

SHA1
2552f17e0a8ca42c54204227f3d5efa350053b92

SHA256
36f9fe1d487395a9643be647b279ea65aab5ea611f1748e8183e7b5b1d93976d

SHA512
1a376b22d5edea6402160b33f3043b80cfa7194613d854418d215d89c34e1224030d4a2325c1bf4ac0f4d95f6fabb5783823635346921c2b862d7090aee93a3b

Download Submit
C:\Windows\System32\ILuKsbV.exe

Filesize
1.4MB

MD5
2bba705411e561105563bd8be174fb48

SHA1
416f76a84a71f79723d38dcb70818c4fd128c267

SHA256
b03cb2f33a3287fa92527b91d71ee370493c2682995a35ccb495f8619448fc11

SHA512
be50eb84560f1291a027ce09cc3269a100676dda3e8de414e7eefb26eb2bbd430cf46d2e9cc29d26678bc735fcacb4f42b4655a44b70fd48949e4c56ea4d50ba

Download Submit
C:\Windows\System32\MOPNqEW.exe

Filesize
1.4MB

MD5
8e2622c35747979c97a786bd050b69d9

SHA1
3ed7963549558d373b9466d7e69e366840e0e34d

SHA256
ca6b72ff4cdfea545bd16194868a1f773d1ca9c8c452147bd395760b367bfd4f

SHA512
7e532457d8a9fc44cbaf6d4d41480d36a3194692e98cf4d5b2d0239347a35701fd98aca7de0923e3549a5246ed565653ecdaa046f936716d8e378b46c5963439

Download Submit
C:\Windows\System32\MPHrxxd.exe

Filesize
1.4MB

MD5
886732b6e2a334de19dff8aa832b9147

SHA1
b38be7d466c609ad7ea43af741beb34bafe6830f

SHA256
83cf07846440edbe21a3d03661cd82c7b9c888c15a1ae07aeb7906c449cf6c93

SHA512
f37378cf28808f5303fd28217eb19a5702ed42f39c0780e42776d5c5a22d835c43ff78dbe40513ec173bf8c0f2b213697b7d2d77a6ab93794193d115e96378a2

Download Submit
C:\Windows\System32\RGPmOkk.exe

Filesize
1.4MB

MD5
15ab802a695bb48307671d0cc480a896

SHA1
579a165c105678e73d200c4deccdb981e5647ac6

SHA256
e3ce5f768d537a8855c9939f367a61509d405f1bc03e7d8be298ee5899be83fb

SHA512
bc9bff031c3965764b10f37857a5f5d7ac56da1d37cd7ebcab7e0c738f4422fbf6fbe42ee38b3bc0b8dbcd85502873f1cf8c908dec6459c19a072d48b9777673

Download Submit
C:\Windows\System32\RRqryZa.exe

Filesize
1.4MB

MD5
ddc2c050369f7749fc3612266daf72fb

SHA1
09aaaf05dccbf30c02fdd7009591c3a17ab6fc38

SHA256
f46ccb46ce41e7aa64eb9e71b7e5c288860caa5c18c871c7cd098c0542de5e86

SHA512
b5756d2468e435cab6ce9068c3e7e9db18bd88073e0887b303796882db4b61ceec6644abc141e4767e68d3f40bced688e13994bc63e41fc37602af92d133b42d

Download Submit
C:\Windows\System32\RgFQyPG.exe

Filesize
1.4MB

MD5
1363fb171742d1f7b6a11cb7786d5ada

SHA1
066fe7e8c518494a36f8b542af7b7fa48577d9f8

SHA256
c32e26a2ee63cc5c0c1e2a3cadf6ebea3b6da3f446caf795e46163f972e283a7

SHA512
7de13e89aaf0e56a1920216763fe01c8301812bb217f448d366902aa688e7d0b93729a8f1a33ac980d2598debf92031769672385282f3c4f2c48da6507273569

Download Submit
C:\Windows\System32\RxQIAPO.exe

Filesize
1.4MB

MD5
5046cfdaacf2d2561e2d2a20ebbb1e4c

SHA1
92c513bee236ee8b85db7d29a4053f78dad512f1

SHA256
6b19d25744abdfca7e32bde76c8ce2bd3f192e5d9e1657888bc8cadd6355f1c9

SHA512
979ca4ac0cdfba67854813ee2ed481c1e5af0108bbc3da42d45a393973f842d8a8cd261598135a3a937bc478302e2169876a753586944cdd00b92ab0890dfcb0

Download Submit
C:\Windows\System32\TVGpvuE.exe

Filesize
1.4MB

MD5
beaacd0452896c8991af4d52a30eb432

SHA1
bd9e57a7064872723653a5a40d1a0e0c8a785587

SHA256
3f3a79b2c126ac517671f126ce7fc95b3977e924b5a8f18976029afddfac85c9

SHA512
a09cc45e0c6b723e606e9addffc8841981a5846fb593e92c05fe539a55912a925c1d19e0c615b1741371654cf74d838a5073dc237d82b6674a57e133e19d462b

Download Submit
C:\Windows\System32\UzppNHw.exe

Filesize
1.4MB

MD5
66c35615a9a87245564acbd9b92b027f

SHA1
240ed2417825d1f737936489d30cc5afc92f8845

SHA256
a44813f437de2c547ab83e1a89ebf56725da3431b7261901ba6e567abbdc9b90

SHA512
50ecee5480c6dd6999b64618db742695561bd5127e5ad5b782676ad96e606cd7b9bbb6ac3647d0f98624dfb048e431a35723c705c86b07c8742f23ed6f75c91b

Download Submit
C:\Windows\System32\VlWKMvT.exe

Filesize
1.4MB

MD5
e824a00043798a2511b1323b398bc234

SHA1
d1101ffadca19e09bb6ecfe7d5a1164bd19dacc7

SHA256
ab2ae363d0663949c6d5467d8fc6f74b5fffa542d6a0234780b72256eb67fdec

SHA512
e3383ba1882ce3d5423685a8ae0c3ec675a4a8b48eff2c5e77949243338055fc3227bf51bb0f3415365612507d86f9fe056885c909c503aa87c5cfa53123abfe

Download Submit
C:\Windows\System32\XAloaUA.exe

Filesize
1.4MB

MD5
afbd4a1f4faa677464c9455f2a35fb80

SHA1
6482d1bb708b79e2b3d9529efb2960106e60dcf8

SHA256
bbc6ec2efd5e9531fc6b6baa6a100fd9824857df6d2c218dcd30dc7dcaaaa6eb

SHA512
64ab899a741f602074939591fef8a1ab54b435fd6c7fc6f5e41a821a5ee1a2964260e5d9755805ada20c744103fed4c3569f48eaa4214c89126f5a64e45fe3b1

Download Submit
C:\Windows\System32\asJTMLH.exe

Filesize
1.4MB

MD5
5bec3f53d1c69c5deb9ab7c897ce7620

SHA1
045522871fb6c03724db1b21ebd2d3e2a9a3f039

SHA256
6a183bcb1dc138409f0a96be053e33a2553d0f9b24d744b5275b5ca6d2ba7dac

SHA512
fc7a8d62ca6e000accd7621357f05955f9a4d3bc4f70406a0ca26832f790bf08b0bad88095ec23f9c8ad98195212a54f974a62541211221ca7b9ed48c6d13842

Download Submit
C:\Windows\System32\bGgTFCq.exe

Filesize
1.4MB

MD5
202db1002ac73d9fbfa1f9ce1adcac73

SHA1
a6f2e622a3a3b5bcb2c76a347f5d09cbe9bb1e99

SHA256
5e37bb82f1d3ad8dbb0ff6978f3efca2fbf16916fa94f58fb6284696a4a03f1e

SHA512
f4f70e997a953067d9248e1fda6a188ff6a518babe7d4ea879095b7dc16c29aacbcbf62d5b1933f6395b2b4ddd1683a9363e21955a444bd49ae6e2ba93353abb

Download Submit
C:\Windows\System32\bQUmuQe.exe

Filesize
1.4MB

MD5
121530362c8766d22b4953550843faf2

SHA1
29dff21b11d47ec61f13a50882a3f4b992a1679a

SHA256
6dc4e23b7b0b489e33dcab7656591cbffab6280f02aee8c9de406671c2a20f9b

SHA512
6d1cb73faea7fe476c850504ee79cd049a978ab4fe51d4ee88c1970585bca13d3dd001623b374b21d20040a91ac2ed79b1c685e23bb8c559ffbf3e33ab7feaff

Download Submit
C:\Windows\System32\fXcBZRV.exe

Filesize
1.4MB

MD5
bf638092acac59007e1571e450744b62

SHA1
6d30c80eaf95916c97b559f10d8b102fa0ec0a64

SHA256
8f10fffd434ecb6e1eb3934f4050833a94012849c9aea37c168b91150b15a7d4

SHA512
4d8d80b4c1690db481a506f0938ced513704b458bd61a9a3c554dcf551855f4c77a6821efd97724ebfc72453f39efa92c365a5c8530d0ed3ddd6e3f025e4bede

Download Submit
C:\Windows\System32\fmCMxKo.exe

Filesize
1.4MB

MD5
2ec20ef0efb3fc8a2b38b5766fffc01a

SHA1
4f880ca5ebcc43017cd1e9d19d4386c73a3b1c03

SHA256
c55cab8ed94ac614300f9f8c6481df1bfb3f3bbb15fddf9346ed92bd8be04cbc

SHA512
79471f616442c25fabdf5af09d0fc0ce2f9ea6631d392e4a7f90ff216b8298a5a3e047fc7acf620ea75bf51847a715aad7cfe672a8208c4e7fdfcb256edb0b46

Download Submit
C:\Windows\System32\gcyUElz.exe

Filesize
1.4MB

MD5
b31206f225705299a2e54a613ffe8116

SHA1
653bdcc4413d6b6a8e2dc38e7e77ecb05067363d

SHA256
32c09c6be7f666ab785ba30b38e6ce21bdac92736f7d1dbeb257b525a7109016

SHA512
90a46b326ac72526cc1fbacaddc8cdd3c762d79d5a823f070a80ad16d334c7175e246772bb48b79b2db10686d8b35255e7787269cf8b61bd50e79600114b5289

Download Submit
C:\Windows\System32\kQqqrGi.exe

Filesize
1.4MB

MD5
e4ebb18fc41378251300fd47a2688cef

SHA1
837c6c321313789053221be7b2b2f3753ae7f75a

SHA256
5797e15bd8ad16ee13a961f30fa517b150d49b8b679a3fa752566161a95e67a4

SHA512
fd9ebdc827f57383e018d8a7cb4d7296558bb0195bc3f318122c0aa9f7be80f687ba1dcffd19be85f05905aad754883238f4e6ac8f16a870da77e59e44da43c6

Download Submit
C:\Windows\System32\kemyVJs.exe

Filesize
1.4MB

MD5
ec61be14f9976336f5022e9e653e5248

SHA1
fbb01d3e20710cb229cdf4794f2033551fa834ea

SHA256
2c62880aea43472850cfec0bd31279d4df8ae5afdf4a0cc11a4dceed45d26490

SHA512
ebd735e1d42e43efa466d9ea9c7529a8ab4ad455c68409f1278d7846fd30e377d1fae57ab96fcb46eaa63427748455580206cb20771608efe97e0b93e1b10bcc

Download Submit
C:\Windows\System32\lhvSicE.exe

Filesize
1.4MB

MD5
2a329407b1cb53213ac6f29d82b62f4e

SHA1
cabc2969c4e45f48f73d2106f6050500817ebca4

SHA256
169face8828846739e743de010176df7098a0b434bdad0227d6c61618870140a

SHA512
da6cef7566f2a6642efbf4961b98c2c7772eacb776064ebf1cb7a015e19414bd0107c0dd9a2f03e527cee09f12f0427029ce0ca440fae77d357fb26f65eb7b4a

Download Submit
C:\Windows\System32\oXhIndy.exe

Filesize
1.4MB

MD5
fef287ef1a23f598009553a985ebc8bb

SHA1
c468eddafdd06700e002cb3ab322db39e74ccde0

SHA256
f984dba1b1ea7155228c85a200f69150e9ab24cd344b23262cbecd581a6c4f7a

SHA512
a54d20c2be5d9de586c9d83b31088e4bf0637603cff644a86bf66b5fd22f963d825a1ec05b79a6693d7e259054324c6d49ac63c4d42d285fa9abc8393392354f

Download Submit
C:\Windows\System32\ptTluBN.exe

Filesize
1.4MB

MD5
e031980e5efe42f443155db5178087db

SHA1
c461947d29b8876af980c2b6e96c9a0ae140a39d

SHA256
034e252947fa02115da666a88ded5bfe8cbdbc036f7ba46d70d96d74df5c401f

SHA512
b7d033f81631537bc589d82fe988e86ab878e74761dd35bdcbcb9dc82bf4850bf6f335165cc626b71c3e238d005bf65dc05876ff12318fddf60e5e3528fec62d

Download Submit
C:\Windows\System32\qJIBcMS.exe

Filesize
1.4MB

MD5
e354f895159e96c4daacbed451553da0

SHA1
7ec5e17881888e0eb2719d3aa5d3a55b521492ef

SHA256
38c762e3e97c1e91e53aac2bded6b71159a669764006d2821b3153af4cf86d2a

SHA512
d7c9fcd29d2b07e666dfd819afbd0cc2ebca7ba6a192de46dbbe56fe88ba216221d447db5b2ffdafbf4f3cdfd6576570a01a528f3568561998df2ff267272676

Download Submit
C:\Windows\System32\rZCrkUG.exe

Filesize
1.4MB

MD5
9428b7974aad0273c4950040e9f296e8

SHA1
181b431302202e1b12334be216a2732dfa95bbcb

SHA256
1c72a2020c8c7a1012412f078f68f5efe698d60377c8cabd6fd37ce1fc6d5429

SHA512
5aa15607924340e75d7d816e012cfdb05e6d6a70b6e064649d13513b0d5ce9447671f8f24b2884dc51dd44df4423c371a141faa9dd2f025e5fc3cc03252c3c9d

Download Submit
C:\Windows\System32\sihXgup.exe

Filesize
1.4MB

MD5
f1525892a04542c189e1a2edae5f163d

SHA1
cbc5b28b85dff1691c6f110d05f1a063c11e8770

SHA256
4679c87f4ec34b51df45e17873b919cef79b9945bf2f603d018b57cf93097ced

SHA512
be578f8aa6eb36413b2056f59a9c25950969b5a2538182ac6ca14c82a0c06f39648e3b8a371233b2b60832bb51880b0287567e762a99821721bbe9386d4be2ec

Download Submit
C:\Windows\System32\tNNoBPx.exe

Filesize
1.4MB

MD5
488c151c320fb1bae9fe918f4616c39c

SHA1
dfa91baf6fa3d82ee015d6a1ff3d8a7e3ee73571

SHA256
ff1f698c7e594ce1cce62352cf344696473b70487cdce69e6c9bc4b4d59d8e7d

SHA512
02abebd56d87040b5d7f0d8976c28c92ff67d4d1d51bcbc4b026defab353e1390f60e9bdd6d43d473f1ebdeac98cb2c58fd1571973c81856b6e4058e12ab0cd2

Download Submit
C:\Windows\System32\yVEnyZe.exe

Filesize
1.4MB

MD5
7973ede33e59c7eacffad2a784a79510

SHA1
52d85a393def92f61f5d63abfdd363fa2b6694c6

SHA256
3705cd9d2e652d3d3ef61fed8e77ab7e337a047c1ef19aa510fd2fb2deeb5553

SHA512
77a7d2d67353f4476cae285c8717171040fbab4b323df65d5409039fe5f784518a6eee441de13bfdda8a1cb9ba8ac394206be24209dadef15861ee4c41389360

Download Submit
C:\Windows\System32\zkCpnOo.exe

Filesize
1.4MB

MD5
e1e212c0585eab9a348401516e814c07

SHA1
d11f9cf865c20f8a6c2d0dc9207189e34d508363

SHA256
75a21bd2972901dbcdb66837f67802f0cab0b6fa59ef3dbe5ccca64e4c322c78

SHA512
0c898c6d76127dddcbe34449553099b881f8264899046d2ff7e079b00a3b53de64d178c01cee41122fe8c122f3852c87f43a80edb6c6541b04dab5d8443d10e6

Download Submit
C:\Windows\System32\zuseDTg.exe

Filesize
1.4MB

MD5
3fd1c6eba0e765cd4500196f33f05cc7

SHA1
11b486b2d1a39d6db73f5f3b14a36b4d0594152c

SHA256
c5eaad950cb1a6abb6197852c5bf9d1bcd0dda50e8ec3849a3f0f1b7eb44a78e

SHA512
ae77a7993fcf367f3c989e41d3172ffbd42dbe4b973fbd6b970d64727561a44253ce93f236028af8210dc67dd6753da58dd0933f20cb61ce948f328d6277696b

Download Submit
memory/564-429-0x00007FF6DE850000-0x00007FF6DEC41000-memory.dmp

Filesize
3.9MB

Download
memory/564-2047-0x00007FF6DE850000-0x00007FF6DEC41000-memory.dmp

Filesize
3.9MB

Download
memory/1164-14-0x00007FF6D0A90000-0x00007FF6D0E81000-memory.dmp

Filesize
3.9MB

Download
memory/1164-2001-0x00007FF6D0A90000-0x00007FF6D0E81000-memory.dmp

Filesize
3.9MB

Download
memory/1176-2003-0x00007FF7ED2E0000-0x00007FF7ED6D1000-memory.dmp

Filesize
3.9MB

Download
memory/1176-21-0x00007FF7ED2E0000-0x00007FF7ED6D1000-memory.dmp

Filesize
3.9MB

Download
memory/1524-2017-0x00007FF7CCE90000-0x00007FF7CD281000-memory.dmp

Filesize
3.9MB

Download
memory/1524-353-0x00007FF7CCE90000-0x00007FF7CD281000-memory.dmp

Filesize
3.9MB

Download
memory/1608-413-0x00007FF749610000-0x00007FF749A01000-memory.dmp

Filesize
3.9MB

Download
memory/1608-2033-0x00007FF749610000-0x00007FF749A01000-memory.dmp

Filesize
3.9MB

Download
memory/1900-2027-0x00007FF6561E0000-0x00007FF6565D1000-memory.dmp

Filesize
3.9MB

Download
memory/1900-362-0x00007FF6561E0000-0x00007FF6565D1000-memory.dmp

Filesize
3.9MB

Download
memory/1984-2007-0x00007FF651E80000-0x00007FF652271000-memory.dmp

Filesize
3.9MB

Download
memory/1984-44-0x00007FF651E80000-0x00007FF652271000-memory.dmp

Filesize
3.9MB

Download
memory/2068-2035-0x00007FF640270000-0x00007FF640661000-memory.dmp

Filesize
3.9MB

Download
memory/2068-405-0x00007FF640270000-0x00007FF640661000-memory.dmp

Filesize
3.9MB

Download
memory/2088-2039-0x00007FF7BFA30000-0x00007FF7BFE21000-memory.dmp

Filesize
3.9MB

Download
memory/2088-446-0x00007FF7BFA30000-0x00007FF7BFE21000-memory.dmp

Filesize
3.9MB

Download
memory/2156-2025-0x00007FF60FBB0000-0x00007FF60FFA1000-memory.dmp

Filesize
3.9MB

Download
memory/2156-368-0x00007FF60FBB0000-0x00007FF60FFA1000-memory.dmp

Filesize
3.9MB

Download
memory/2224-2031-0x00007FF6022B0000-0x00007FF6026A1000-memory.dmp

Filesize
3.9MB

Download
memory/2224-378-0x00007FF6022B0000-0x00007FF6026A1000-memory.dmp

Filesize
3.9MB

Download
memory/2616-2013-0x00007FF7D6E40000-0x00007FF7D7231000-memory.dmp

Filesize
3.9MB

Download
memory/2616-454-0x00007FF7D6E40000-0x00007FF7D7231000-memory.dmp

Filesize
3.9MB

Download
memory/3028-356-0x00007FF7A3610000-0x00007FF7A3A01000-memory.dmp

Filesize
3.9MB

Download
memory/3028-2021-0x00007FF7A3610000-0x00007FF7A3A01000-memory.dmp

Filesize
3.9MB

Download
memory/3232-1995-0x00007FF7A9DA0000-0x00007FF7AA191000-memory.dmp

Filesize
3.9MB

Download
memory/3232-29-0x00007FF7A9DA0000-0x00007FF7AA191000-memory.dmp

Filesize
3.9MB

Download
memory/3232-2009-0x00007FF7A9DA0000-0x00007FF7AA191000-memory.dmp

Filesize
3.9MB

Download
memory/3484-2019-0x00007FF6E3160000-0x00007FF6E3551000-memory.dmp

Filesize
3.9MB

Download
memory/3484-456-0x00007FF6E3160000-0x00007FF6E3551000-memory.dmp

Filesize
3.9MB

Download
memory/3500-392-0x00007FF7AE8F0000-0x00007FF7AECE1000-memory.dmp

Filesize
3.9MB

Download
memory/3500-2029-0x00007FF7AE8F0000-0x00007FF7AECE1000-memory.dmp

Filesize
3.9MB

Download
memory/3604-436-0x00007FF7AB990000-0x00007FF7ABD81000-memory.dmp

Filesize
3.9MB

Download
memory/3604-2045-0x00007FF7AB990000-0x00007FF7ABD81000-memory.dmp

Filesize
3.9MB

Download
memory/3728-2011-0x00007FF7D7B30000-0x00007FF7D7F21000-memory.dmp

Filesize
3.9MB

Download
memory/3728-349-0x00007FF7D7B30000-0x00007FF7D7F21000-memory.dmp

Filesize
3.9MB

Download
memory/3976-1-0x000001E7C06B0000-0x000001E7C06C0000-memory.dmp

Filesize
64KB

Download
memory/3976-1961-0x00007FF63D860000-0x00007FF63DC51000-memory.dmp

Filesize
3.9MB

Download
memory/3976-0-0x00007FF63D860000-0x00007FF63DC51000-memory.dmp

Filesize
3.9MB

Download
memory/4224-350-0x00007FF78FBC0000-0x00007FF78FFB1000-memory.dmp

Filesize
3.9MB

Download
memory/4224-2015-0x00007FF78FBC0000-0x00007FF78FFB1000-memory.dmp

Filesize
3.9MB

Download
memory/4456-2043-0x00007FF779840000-0x00007FF779C31000-memory.dmp

Filesize
3.9MB

Download
memory/4456-448-0x00007FF779840000-0x00007FF779C31000-memory.dmp

Filesize
3.9MB

Download
memory/4604-2041-0x00007FF710820000-0x00007FF710C11000-memory.dmp

Filesize
3.9MB

Download
memory/4604-452-0x00007FF710820000-0x00007FF710C11000-memory.dmp

Filesize
3.9MB

Download
memory/4840-399-0x00007FF6C1840000-0x00007FF6C1C31000-memory.dmp

Filesize
3.9MB

Download
memory/4840-2037-0x00007FF6C1840000-0x00007FF6C1C31000-memory.dmp

Filesize
3.9MB

Download
memory/4888-25-0x00007FF786830000-0x00007FF786C21000-memory.dmp

Filesize
3.9MB

Download
memory/4888-2005-0x00007FF786830000-0x00007FF786C21000-memory.dmp

Filesize
3.9MB

Download
memory/4888-1994-0x00007FF786830000-0x00007FF786C21000-memory.dmp

Filesize
3.9MB

Download
memory/5068-359-0x00007FF6B1A10000-0x00007FF6B1E01000-memory.dmp

Filesize
3.9MB

Download
memory/5068-2023-0x00007FF6B1A10000-0x00007FF6B1E01000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads