xmrig | 6bbc094e6ed1124a9627e48e3a8be24464d927faa750904077a1f52c70934c65

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 02:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
Size

1.6MB
MD5

8227d4ff16b1e22dfddcc826cd5bb1d0
SHA1

c63b4fc5b1554938c3f827fe685e8f7538cb8f7e
SHA256

6bbc094e6ed1124a9627e48e3a8be24464d927faa750904077a1f52c70934c65
SHA512

d58f281bf01104f93235bbc64ab532ccee6c3e9d70c210a6918a33eadbd7e355094dde3e037b2f97b9cbde3b9dfbd790decc57292f8da8459ddae0f04a4b13c1
SSDEEP

49152:knw9oUUEEDl37jcmWH8SKJhSnq8u3Nf/l4m/:kQUEEX

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1016-12-0x00007FF65FB20000-0x00007FF65FF11000-memory.dmp	xmrig
behavioral2/memory/4420-69-0x00007FF7D50A0000-0x00007FF7D5491000-memory.dmp	xmrig
behavioral2/memory/3588-84-0x00007FF7D5E60000-0x00007FF7D6251000-memory.dmp	xmrig
behavioral2/memory/856-112-0x00007FF7D7670000-0x00007FF7D7A61000-memory.dmp	xmrig
behavioral2/memory/1992-122-0x00007FF609620000-0x00007FF609A11000-memory.dmp	xmrig
behavioral2/memory/1380-116-0x00007FF7FE900000-0x00007FF7FECF1000-memory.dmp	xmrig
behavioral2/memory/3720-109-0x00007FF7C60E0000-0x00007FF7C64D1000-memory.dmp	xmrig
behavioral2/memory/1164-103-0x00007FF65C8B0000-0x00007FF65CCA1000-memory.dmp	xmrig
behavioral2/memory/876-100-0x00007FF6FC100000-0x00007FF6FC4F1000-memory.dmp	xmrig
behavioral2/memory/2264-94-0x00007FF7FC050000-0x00007FF7FC441000-memory.dmp	xmrig
behavioral2/memory/2648-92-0x00007FF74CAA0000-0x00007FF74CE91000-memory.dmp	xmrig
behavioral2/memory/2764-89-0x00007FF69D0D0000-0x00007FF69D4C1000-memory.dmp	xmrig
behavioral2/memory/3944-85-0x00007FF6F9200000-0x00007FF6F95F1000-memory.dmp	xmrig
behavioral2/memory/2072-81-0x00007FF6EFED0000-0x00007FF6F02C1000-memory.dmp	xmrig
behavioral2/memory/3336-72-0x00007FF659590000-0x00007FF659981000-memory.dmp	xmrig
behavioral2/memory/3264-61-0x00007FF669720000-0x00007FF669B11000-memory.dmp	xmrig
behavioral2/memory/3952-52-0x00007FF6A9490000-0x00007FF6A9881000-memory.dmp	xmrig
behavioral2/memory/2408-1867-0x00007FF6C2240000-0x00007FF6C2631000-memory.dmp	xmrig
behavioral2/memory/3952-1879-0x00007FF6A9490000-0x00007FF6A9881000-memory.dmp	xmrig
behavioral2/memory/4548-1886-0x00007FF712CD0000-0x00007FF7130C1000-memory.dmp	xmrig
behavioral2/memory/960-1875-0x00007FF7357C0000-0x00007FF735BB1000-memory.dmp	xmrig
behavioral2/memory/3588-2068-0x00007FF7D5E60000-0x00007FF7D6251000-memory.dmp	xmrig
behavioral2/memory/960-2070-0x00007FF7357C0000-0x00007FF735BB1000-memory.dmp	xmrig
behavioral2/memory/3944-2072-0x00007FF6F9200000-0x00007FF6F95F1000-memory.dmp	xmrig
behavioral2/memory/3952-2074-0x00007FF6A9490000-0x00007FF6A9881000-memory.dmp	xmrig
behavioral2/memory/3264-2076-0x00007FF669720000-0x00007FF669B11000-memory.dmp	xmrig
behavioral2/memory/4420-2078-0x00007FF7D50A0000-0x00007FF7D5491000-memory.dmp	xmrig
behavioral2/memory/3336-2085-0x00007FF659590000-0x00007FF659981000-memory.dmp	xmrig
behavioral2/memory/2072-2086-0x00007FF6EFED0000-0x00007FF6F02C1000-memory.dmp	xmrig
behavioral2/memory/2264-2088-0x00007FF7FC050000-0x00007FF7FC441000-memory.dmp	xmrig
behavioral2/memory/2648-2092-0x00007FF74CAA0000-0x00007FF74CE91000-memory.dmp	xmrig
behavioral2/memory/876-2090-0x00007FF6FC100000-0x00007FF6FC4F1000-memory.dmp	xmrig
behavioral2/memory/2764-2083-0x00007FF69D0D0000-0x00007FF69D4C1000-memory.dmp	xmrig
behavioral2/memory/4548-2081-0x00007FF712CD0000-0x00007FF7130C1000-memory.dmp	xmrig
behavioral2/memory/3720-2100-0x00007FF7C60E0000-0x00007FF7C64D1000-memory.dmp	xmrig
behavioral2/memory/4428-2113-0x00007FF715560000-0x00007FF715951000-memory.dmp	xmrig
behavioral2/memory/2280-2108-0x00007FF745ED0000-0x00007FF7462C1000-memory.dmp	xmrig
behavioral2/memory/2416-2107-0x00007FF698890000-0x00007FF698C81000-memory.dmp	xmrig
behavioral2/memory/2516-2106-0x00007FF71D0F0000-0x00007FF71D4E1000-memory.dmp	xmrig
behavioral2/memory/1992-2105-0x00007FF609620000-0x00007FF609A11000-memory.dmp	xmrig
behavioral2/memory/856-2099-0x00007FF7D7670000-0x00007FF7D7A61000-memory.dmp	xmrig
behavioral2/memory/1380-2095-0x00007FF7FE900000-0x00007FF7FECF1000-memory.dmp	xmrig
behavioral2/memory/3236-2118-0x00007FF729290000-0x00007FF729681000-memory.dmp	xmrig
behavioral2/memory/1164-2096-0x00007FF65C8B0000-0x00007FF65CCA1000-memory.dmp	xmrig
behavioral2/memory/2408-2298-0x00007FF6C2240000-0x00007FF6C2631000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1016	SlhLxel.exe
3588	dGmJtdU.exe
960	mtCBFxM.exe
3944	eHrBQok.exe
3952	RWhQFCN.exe
4548	dDCtlBX.exe
3264	lqEgGQT.exe
2764	UKNKlBP.exe
4420	UMIDsey.exe
3336	bUBOgCy.exe
2072	wqMKbUe.exe
2648	xbdeEgv.exe
2264	xTcIgwg.exe
876	mKvfMbc.exe
1164	FFUuiNX.exe
3720	ZjZrhwq.exe
856	fGJGHHi.exe
1380	DqaFAHo.exe
1992	VpsiMzz.exe
2280	EEKibNQ.exe
2416	qVCruAs.exe
2516	WhkNKIt.exe
4428	jpuBnCC.exe
3236	QBGsJAS.exe
4608	znqxdbR.exe
1468	fwSMjCN.exe
2140	cXDifHJ.exe
4512	ayXFUAJ.exe
4256	jFhrTMh.exe
2568	SHLxNDo.exe
3676	exgPaCy.exe
4588	uDIQDEp.exe
2604	CvezaGt.exe
1232	yzzOahm.exe
5008	wqXDCZK.exe
2852	NZTYbNi.exe
4528	oEmVBcw.exe
5040	UzqbFdh.exe
1808	oSsPiDd.exe
1684	PUDDLfc.exe
2556	fOMleYs.exe
232	UcAupVy.exe
5108	bVZHwud.exe
1296	oFWHrcN.exe
4464	bCiiAWc.exe
3120	ccONLYY.exe
4820	MkpqQeo.exe
3316	fwxvdlp.exe
5012	ZsuQEgM.exe
1080	QhkWtGx.exe
3312	ptPYSYZ.exe
2716	nEWAvvc.exe
4032	AKmTziG.exe
4944	LVgiCfK.exe
1492	kTniIea.exe
4892	cVeoLyW.exe
992	aWVmJQL.exe
2428	LnhAfyL.exe
2456	ucQeuiS.exe
2052	iAWiGTC.exe
4160	FuxQgWU.exe
3212	aDygZpO.exe
2480	zEiRYZi.exe
3684	czNAunK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2408-0-0x00007FF6C2240000-0x00007FF6C2631000-memory.dmp	upx
behavioral2/memory/1016-12-0x00007FF65FB20000-0x00007FF65FF11000-memory.dmp	upx
behavioral2/files/0x000700000002344f-16.dat	upx
behavioral2/files/0x000700000002344e-21.dat	upx
behavioral2/files/0x0007000000023452-25.dat	upx
behavioral2/files/0x0007000000023453-30.dat	upx
behavioral2/files/0x0007000000023454-42.dat	upx
behavioral2/files/0x0007000000023455-53.dat	upx
behavioral2/files/0x0007000000023459-59.dat	upx
behavioral2/memory/4420-69-0x00007FF7D50A0000-0x00007FF7D5491000-memory.dmp	upx
behavioral2/files/0x0007000000023458-76.dat	upx
behavioral2/memory/3588-84-0x00007FF7D5E60000-0x00007FF7D6251000-memory.dmp	upx
behavioral2/files/0x000700000002345b-86.dat	upx
behavioral2/files/0x000700000002345c-104.dat	upx
behavioral2/memory/856-112-0x00007FF7D7670000-0x00007FF7D7A61000-memory.dmp	upx
behavioral2/files/0x000700000002345e-117.dat	upx
behavioral2/files/0x0007000000023461-127.dat	upx
behavioral2/memory/2516-138-0x00007FF71D0F0000-0x00007FF71D4E1000-memory.dmp	upx
behavioral2/files/0x000700000002346b-185.dat	upx
behavioral2/files/0x000700000002346a-180.dat	upx
behavioral2/files/0x0007000000023469-175.dat	upx
behavioral2/files/0x0007000000023468-170.dat	upx
behavioral2/files/0x0007000000023467-168.dat	upx
behavioral2/files/0x0007000000023466-163.dat	upx
behavioral2/files/0x0007000000023465-155.dat	upx
behavioral2/files/0x0007000000023464-153.dat	upx
behavioral2/memory/3236-150-0x00007FF729290000-0x00007FF729681000-memory.dmp	upx
behavioral2/files/0x0007000000023463-147.dat	upx
behavioral2/memory/4428-144-0x00007FF715560000-0x00007FF715951000-memory.dmp	upx
behavioral2/files/0x0007000000023462-141.dat	upx
behavioral2/memory/2416-132-0x00007FF698890000-0x00007FF698C81000-memory.dmp	upx
behavioral2/files/0x0007000000023460-129.dat	upx
behavioral2/memory/2280-126-0x00007FF745ED0000-0x00007FF7462C1000-memory.dmp	upx
behavioral2/files/0x000700000002345f-123.dat	upx
behavioral2/memory/1992-122-0x00007FF609620000-0x00007FF609A11000-memory.dmp	upx
behavioral2/memory/1380-116-0x00007FF7FE900000-0x00007FF7FECF1000-memory.dmp	upx
behavioral2/files/0x000700000002345d-110.dat	upx
behavioral2/memory/3720-109-0x00007FF7C60E0000-0x00007FF7C64D1000-memory.dmp	upx
behavioral2/memory/1164-103-0x00007FF65C8B0000-0x00007FF65CCA1000-memory.dmp	upx
behavioral2/memory/876-100-0x00007FF6FC100000-0x00007FF6FC4F1000-memory.dmp	upx
behavioral2/files/0x000800000002344b-97.dat	upx
behavioral2/memory/2264-94-0x00007FF7FC050000-0x00007FF7FC441000-memory.dmp	upx
behavioral2/memory/2648-92-0x00007FF74CAA0000-0x00007FF74CE91000-memory.dmp	upx
behavioral2/memory/2764-89-0x00007FF69D0D0000-0x00007FF69D4C1000-memory.dmp	upx
behavioral2/memory/3944-85-0x00007FF6F9200000-0x00007FF6F95F1000-memory.dmp	upx
behavioral2/files/0x000700000002345a-82.dat	upx
behavioral2/memory/2072-81-0x00007FF6EFED0000-0x00007FF6F02C1000-memory.dmp	upx
behavioral2/memory/3336-72-0x00007FF659590000-0x00007FF659981000-memory.dmp	upx
behavioral2/files/0x0007000000023456-64.dat	upx
behavioral2/files/0x0007000000023457-63.dat	upx
behavioral2/memory/3264-61-0x00007FF669720000-0x00007FF669B11000-memory.dmp	upx
behavioral2/memory/4548-58-0x00007FF712CD0000-0x00007FF7130C1000-memory.dmp	upx
behavioral2/memory/3952-52-0x00007FF6A9490000-0x00007FF6A9881000-memory.dmp	upx
behavioral2/files/0x0007000000023450-33.dat	upx
behavioral2/memory/960-29-0x00007FF7357C0000-0x00007FF735BB1000-memory.dmp	upx
behavioral2/files/0x0007000000023451-35.dat	upx
behavioral2/files/0x00090000000233e7-6.dat	upx
behavioral2/memory/2408-1867-0x00007FF6C2240000-0x00007FF6C2631000-memory.dmp	upx
behavioral2/memory/3952-1879-0x00007FF6A9490000-0x00007FF6A9881000-memory.dmp	upx
behavioral2/memory/4548-1886-0x00007FF712CD0000-0x00007FF7130C1000-memory.dmp	upx
behavioral2/memory/960-1875-0x00007FF7357C0000-0x00007FF735BB1000-memory.dmp	upx
behavioral2/memory/3588-2068-0x00007FF7D5E60000-0x00007FF7D6251000-memory.dmp	upx
behavioral2/memory/960-2070-0x00007FF7357C0000-0x00007FF735BB1000-memory.dmp	upx
behavioral2/memory/3944-2072-0x00007FF6F9200000-0x00007FF6F95F1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ktutQNo.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\QENPKai.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\QjEudoW.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\NplWkML.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\bxtysQk.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\xjZxsha.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\RWhQFCN.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\aOxsqht.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\iaZPcGR.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\wgMSJSs.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\rzrxsFs.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\VQSfcYp.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\SHLxNDo.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\vbVmDjk.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\ysueIvC.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\fAkmBcI.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\QVIcYxl.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\VePEBHc.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\RgyLAUW.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\XlCWQsz.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\kKyUeWW.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\TpvZPTY.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\TSlkqwc.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\vWKynBQ.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\guixehx.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\enrAhpS.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\ymPAHKe.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\qNnOdOV.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\eHTFAMX.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\jFhrTMh.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\oSsPiDd.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\abqVENZ.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\TvtrTcg.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\wGmIzBM.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\iiVBXPp.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\uJTEzYS.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\SNlsCjT.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\XEJkLmt.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\TbKSzLS.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\qSObmsB.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\foHZzqg.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\guAYuFr.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\OrJXfLG.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\PpkdSao.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\KUpGPwH.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\YigCpWG.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\KvDCtrp.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\AFQllBO.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\Ltejrfr.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\titMUIU.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\zCzhepK.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\REEzveh.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\jzPcfpb.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\JPYfgUx.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\CemzTxL.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\qeaISAM.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\PifnYkF.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\OYDYDco.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\VUKUJrI.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\HZcWkst.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\ouWxMLX.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\URBueTV.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\vdEJSEo.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
File created	C:\Windows\System32\wwgVxDZ.exe	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4864	dwm.exe
Token: SeChangeNotifyPrivilege	4864	dwm.exe
Token: 33	4864	dwm.exe
Token: SeIncBasePriorityPrivilege	4864	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1016	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	87
PID 2408 wrote to memory of 1016	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	87
PID 2408 wrote to memory of 3588	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	88
PID 2408 wrote to memory of 3588	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	88
PID 2408 wrote to memory of 960	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	89
PID 2408 wrote to memory of 960	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	89
PID 2408 wrote to memory of 3952	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	90
PID 2408 wrote to memory of 3952	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	90
PID 2408 wrote to memory of 3944	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	91
PID 2408 wrote to memory of 3944	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	91
PID 2408 wrote to memory of 4548	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	92
PID 2408 wrote to memory of 4548	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	92
PID 2408 wrote to memory of 3264	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	93
PID 2408 wrote to memory of 3264	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	93
PID 2408 wrote to memory of 2764	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	94
PID 2408 wrote to memory of 2764	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	94
PID 2408 wrote to memory of 4420	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	95
PID 2408 wrote to memory of 4420	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	95
PID 2408 wrote to memory of 3336	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	96
PID 2408 wrote to memory of 3336	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	96
PID 2408 wrote to memory of 2072	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	97
PID 2408 wrote to memory of 2072	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	97
PID 2408 wrote to memory of 2648	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	98
PID 2408 wrote to memory of 2648	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	98
PID 2408 wrote to memory of 2264	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	99
PID 2408 wrote to memory of 2264	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	99
PID 2408 wrote to memory of 876	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	100
PID 2408 wrote to memory of 876	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	100
PID 2408 wrote to memory of 1164	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	101
PID 2408 wrote to memory of 1164	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	101
PID 2408 wrote to memory of 3720	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	102
PID 2408 wrote to memory of 3720	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	102
PID 2408 wrote to memory of 856	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	103
PID 2408 wrote to memory of 856	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	103
PID 2408 wrote to memory of 1380	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	104
PID 2408 wrote to memory of 1380	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	104
PID 2408 wrote to memory of 1992	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	105
PID 2408 wrote to memory of 1992	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	105
PID 2408 wrote to memory of 2280	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	106
PID 2408 wrote to memory of 2280	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	106
PID 2408 wrote to memory of 2416	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	107
PID 2408 wrote to memory of 2416	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	107
PID 2408 wrote to memory of 2516	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	108
PID 2408 wrote to memory of 2516	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	108
PID 2408 wrote to memory of 4428	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	109
PID 2408 wrote to memory of 4428	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	109
PID 2408 wrote to memory of 3236	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	110
PID 2408 wrote to memory of 3236	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	110
PID 2408 wrote to memory of 4608	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	111
PID 2408 wrote to memory of 4608	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	111
PID 2408 wrote to memory of 1468	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	112
PID 2408 wrote to memory of 1468	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	112
PID 2408 wrote to memory of 2140	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	113
PID 2408 wrote to memory of 2140	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	113
PID 2408 wrote to memory of 4512	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	114
PID 2408 wrote to memory of 4512	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	114
PID 2408 wrote to memory of 4256	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	115
PID 2408 wrote to memory of 4256	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	115
PID 2408 wrote to memory of 2568	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	116
PID 2408 wrote to memory of 2568	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	116
PID 2408 wrote to memory of 3676	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	117
PID 2408 wrote to memory of 3676	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	117
PID 2408 wrote to memory of 4588	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	118
PID 2408 wrote to memory of 4588	2408	8227d4ff16b1e22dfddcc826cd5bb1d0N.exe	118

C:\Users\Admin\AppData\Local\Temp\8227d4ff16b1e22dfddcc826cd5bb1d0N.exe
"C:\Users\Admin\AppData\Local\Temp\8227d4ff16b1e22dfddcc826cd5bb1d0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\System32\SlhLxel.exe
  C:\Windows\System32\SlhLxel.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\dGmJtdU.exe
  C:\Windows\System32\dGmJtdU.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System32\mtCBFxM.exe
  C:\Windows\System32\mtCBFxM.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System32\RWhQFCN.exe
  C:\Windows\System32\RWhQFCN.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\eHrBQok.exe
  C:\Windows\System32\eHrBQok.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\dDCtlBX.exe
  C:\Windows\System32\dDCtlBX.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\lqEgGQT.exe
  C:\Windows\System32\lqEgGQT.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\UKNKlBP.exe
  C:\Windows\System32\UKNKlBP.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\UMIDsey.exe
  C:\Windows\System32\UMIDsey.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System32\bUBOgCy.exe
  C:\Windows\System32\bUBOgCy.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System32\wqMKbUe.exe
  C:\Windows\System32\wqMKbUe.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System32\xbdeEgv.exe
  C:\Windows\System32\xbdeEgv.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\xTcIgwg.exe
  C:\Windows\System32\xTcIgwg.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\mKvfMbc.exe
  C:\Windows\System32\mKvfMbc.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\FFUuiNX.exe
  C:\Windows\System32\FFUuiNX.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\ZjZrhwq.exe
  C:\Windows\System32\ZjZrhwq.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\fGJGHHi.exe
  C:\Windows\System32\fGJGHHi.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System32\DqaFAHo.exe
  C:\Windows\System32\DqaFAHo.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\VpsiMzz.exe
  C:\Windows\System32\VpsiMzz.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System32\EEKibNQ.exe
  C:\Windows\System32\EEKibNQ.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System32\qVCruAs.exe
  C:\Windows\System32\qVCruAs.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\WhkNKIt.exe
  C:\Windows\System32\WhkNKIt.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System32\jpuBnCC.exe
  C:\Windows\System32\jpuBnCC.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System32\QBGsJAS.exe
  C:\Windows\System32\QBGsJAS.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\znqxdbR.exe
  C:\Windows\System32\znqxdbR.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System32\fwSMjCN.exe
  C:\Windows\System32\fwSMjCN.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System32\cXDifHJ.exe
  C:\Windows\System32\cXDifHJ.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System32\ayXFUAJ.exe
  C:\Windows\System32\ayXFUAJ.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\jFhrTMh.exe
  C:\Windows\System32\jFhrTMh.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\SHLxNDo.exe
  C:\Windows\System32\SHLxNDo.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System32\exgPaCy.exe
  C:\Windows\System32\exgPaCy.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\uDIQDEp.exe
  C:\Windows\System32\uDIQDEp.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\CvezaGt.exe
  C:\Windows\System32\CvezaGt.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System32\yzzOahm.exe
  C:\Windows\System32\yzzOahm.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System32\wqXDCZK.exe
  C:\Windows\System32\wqXDCZK.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\NZTYbNi.exe
  C:\Windows\System32\NZTYbNi.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System32\oEmVBcw.exe
  C:\Windows\System32\oEmVBcw.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\UzqbFdh.exe
  C:\Windows\System32\UzqbFdh.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\oSsPiDd.exe
  C:\Windows\System32\oSsPiDd.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System32\PUDDLfc.exe
  C:\Windows\System32\PUDDLfc.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System32\fOMleYs.exe
  C:\Windows\System32\fOMleYs.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System32\UcAupVy.exe
  C:\Windows\System32\UcAupVy.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System32\bVZHwud.exe
  C:\Windows\System32\bVZHwud.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System32\oFWHrcN.exe
  C:\Windows\System32\oFWHrcN.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System32\bCiiAWc.exe
  C:\Windows\System32\bCiiAWc.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\ccONLYY.exe
  C:\Windows\System32\ccONLYY.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System32\MkpqQeo.exe
  C:\Windows\System32\MkpqQeo.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System32\fwxvdlp.exe
  C:\Windows\System32\fwxvdlp.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System32\ZsuQEgM.exe
  C:\Windows\System32\ZsuQEgM.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\QhkWtGx.exe
  C:\Windows\System32\QhkWtGx.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\ptPYSYZ.exe
  C:\Windows\System32\ptPYSYZ.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System32\nEWAvvc.exe
  C:\Windows\System32\nEWAvvc.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System32\AKmTziG.exe
  C:\Windows\System32\AKmTziG.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\LVgiCfK.exe
  C:\Windows\System32\LVgiCfK.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\kTniIea.exe
  C:\Windows\System32\kTniIea.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System32\cVeoLyW.exe
  C:\Windows\System32\cVeoLyW.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System32\aWVmJQL.exe
  C:\Windows\System32\aWVmJQL.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System32\LnhAfyL.exe
  C:\Windows\System32\LnhAfyL.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System32\ucQeuiS.exe
  C:\Windows\System32\ucQeuiS.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System32\iAWiGTC.exe
  C:\Windows\System32\iAWiGTC.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System32\FuxQgWU.exe
  C:\Windows\System32\FuxQgWU.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System32\aDygZpO.exe
  C:\Windows\System32\aDygZpO.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System32\zEiRYZi.exe
  C:\Windows\System32\zEiRYZi.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System32\czNAunK.exe
  C:\Windows\System32\czNAunK.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System32\PKYgGOW.exe
  C:\Windows\System32\PKYgGOW.exe
  2⤵
  PID:3572
- C:\Windows\System32\VlBGYVv.exe
  C:\Windows\System32\VlBGYVv.exe
  2⤵
  PID:4312
- C:\Windows\System32\dJYHXSO.exe
  C:\Windows\System32\dJYHXSO.exe
  2⤵
  PID:3660
- C:\Windows\System32\hKolPRX.exe
  C:\Windows\System32\hKolPRX.exe
  2⤵
  PID:4072
- C:\Windows\System32\YhFauYS.exe
  C:\Windows\System32\YhFauYS.exe
  2⤵
  PID:1888
- C:\Windows\System32\cgfPeic.exe
  C:\Windows\System32\cgfPeic.exe
  2⤵
  PID:2032
- C:\Windows\System32\SNlsCjT.exe
  C:\Windows\System32\SNlsCjT.exe
  2⤵
  PID:3496
- C:\Windows\System32\PifnYkF.exe
  C:\Windows\System32\PifnYkF.exe
  2⤵
  PID:5140
- C:\Windows\System32\vWKynBQ.exe
  C:\Windows\System32\vWKynBQ.exe
  2⤵
  PID:5160
- C:\Windows\System32\YfMeooj.exe
  C:\Windows\System32\YfMeooj.exe
  2⤵
  PID:5176
- C:\Windows\System32\MTpoRxi.exe
  C:\Windows\System32\MTpoRxi.exe
  2⤵
  PID:5200
- C:\Windows\System32\nObqHAe.exe
  C:\Windows\System32\nObqHAe.exe
  2⤵
  PID:5224
- C:\Windows\System32\jytbdeH.exe
  C:\Windows\System32\jytbdeH.exe
  2⤵
  PID:5260
- C:\Windows\System32\KvDCtrp.exe
  C:\Windows\System32\KvDCtrp.exe
  2⤵
  PID:5288
- C:\Windows\System32\mVqDOed.exe
  C:\Windows\System32\mVqDOed.exe
  2⤵
  PID:5316
- C:\Windows\System32\DjWnvtD.exe
  C:\Windows\System32\DjWnvtD.exe
  2⤵
  PID:5344
- C:\Windows\System32\kkLWjxl.exe
  C:\Windows\System32\kkLWjxl.exe
  2⤵
  PID:5376
- C:\Windows\System32\JrOutlc.exe
  C:\Windows\System32\JrOutlc.exe
  2⤵
  PID:5404
- C:\Windows\System32\ptNiaIL.exe
  C:\Windows\System32\ptNiaIL.exe
  2⤵
  PID:5440
- C:\Windows\System32\vDerjxf.exe
  C:\Windows\System32\vDerjxf.exe
  2⤵
  PID:5468
- C:\Windows\System32\CpIKZCl.exe
  C:\Windows\System32\CpIKZCl.exe
  2⤵
  PID:5488
- C:\Windows\System32\xsEyjYN.exe
  C:\Windows\System32\xsEyjYN.exe
  2⤵
  PID:5512
- C:\Windows\System32\KvfRHEg.exe
  C:\Windows\System32\KvfRHEg.exe
  2⤵
  PID:5540
- C:\Windows\System32\mjuxSWI.exe
  C:\Windows\System32\mjuxSWI.exe
  2⤵
  PID:5568
- C:\Windows\System32\XEJkLmt.exe
  C:\Windows\System32\XEJkLmt.exe
  2⤵
  PID:5596
- C:\Windows\System32\YyMMewz.exe
  C:\Windows\System32\YyMMewz.exe
  2⤵
  PID:5624
- C:\Windows\System32\IYrtArS.exe
  C:\Windows\System32\IYrtArS.exe
  2⤵
  PID:5652
- C:\Windows\System32\CcEtvva.exe
  C:\Windows\System32\CcEtvva.exe
  2⤵
  PID:5680
- C:\Windows\System32\nyPKrtv.exe
  C:\Windows\System32\nyPKrtv.exe
  2⤵
  PID:5708
- C:\Windows\System32\MjGoLLk.exe
  C:\Windows\System32\MjGoLLk.exe
  2⤵
  PID:5736
- C:\Windows\System32\nqxmtJG.exe
  C:\Windows\System32\nqxmtJG.exe
  2⤵
  PID:5764
- C:\Windows\System32\HoyeRzp.exe
  C:\Windows\System32\HoyeRzp.exe
  2⤵
  PID:5792
- C:\Windows\System32\rVtIMAs.exe
  C:\Windows\System32\rVtIMAs.exe
  2⤵
  PID:5820
- C:\Windows\System32\OYDYDco.exe
  C:\Windows\System32\OYDYDco.exe
  2⤵
  PID:5852
- C:\Windows\System32\dgBaxxS.exe
  C:\Windows\System32\dgBaxxS.exe
  2⤵
  PID:5876
- C:\Windows\System32\ZfOkCfy.exe
  C:\Windows\System32\ZfOkCfy.exe
  2⤵
  PID:5904
- C:\Windows\System32\gKrFncC.exe
  C:\Windows\System32\gKrFncC.exe
  2⤵
  PID:5932
- C:\Windows\System32\XxHdWFU.exe
  C:\Windows\System32\XxHdWFU.exe
  2⤵
  PID:5956
- C:\Windows\System32\yxzxISQ.exe
  C:\Windows\System32\yxzxISQ.exe
  2⤵
  PID:5984
- C:\Windows\System32\fTThMhI.exe
  C:\Windows\System32\fTThMhI.exe
  2⤵
  PID:6016
- C:\Windows\System32\MrISrsl.exe
  C:\Windows\System32\MrISrsl.exe
  2⤵
  PID:6044
- C:\Windows\System32\zQWhBds.exe
  C:\Windows\System32\zQWhBds.exe
  2⤵
  PID:6072
- C:\Windows\System32\yqVgqgR.exe
  C:\Windows\System32\yqVgqgR.exe
  2⤵
  PID:6096
- C:\Windows\System32\cDeFxNG.exe
  C:\Windows\System32\cDeFxNG.exe
  2⤵
  PID:6120
- C:\Windows\System32\RDEHDLM.exe
  C:\Windows\System32\RDEHDLM.exe
  2⤵
  PID:3240
- C:\Windows\System32\yMvePZg.exe
  C:\Windows\System32\yMvePZg.exe
  2⤵
  PID:800
- C:\Windows\System32\FgDjUhX.exe
  C:\Windows\System32\FgDjUhX.exe
  2⤵
  PID:4604
- C:\Windows\System32\TsViWfm.exe
  C:\Windows\System32\TsViWfm.exe
  2⤵
  PID:4956
- C:\Windows\System32\aHkMBNE.exe
  C:\Windows\System32\aHkMBNE.exe
  2⤵
  PID:768
- C:\Windows\System32\DMeHQkL.exe
  C:\Windows\System32\DMeHQkL.exe
  2⤵
  PID:3592
- C:\Windows\System32\eUxgZNj.exe
  C:\Windows\System32\eUxgZNj.exe
  2⤵
  PID:5136
- C:\Windows\System32\OFGZbxY.exe
  C:\Windows\System32\OFGZbxY.exe
  2⤵
  PID:5240
- C:\Windows\System32\SSYBiUT.exe
  C:\Windows\System32\SSYBiUT.exe
  2⤵
  PID:3560
- C:\Windows\System32\KlwrrNu.exe
  C:\Windows\System32\KlwrrNu.exe
  2⤵
  PID:5300
- C:\Windows\System32\EBSAqZT.exe
  C:\Windows\System32\EBSAqZT.exe
  2⤵
  PID:5356
- C:\Windows\System32\LeTZuvq.exe
  C:\Windows\System32\LeTZuvq.exe
  2⤵
  PID:5420
- C:\Windows\System32\kKpTOjH.exe
  C:\Windows\System32\kKpTOjH.exe
  2⤵
  PID:5508
- C:\Windows\System32\CZWjdJC.exe
  C:\Windows\System32\CZWjdJC.exe
  2⤵
  PID:5552
- C:\Windows\System32\apbzLrW.exe
  C:\Windows\System32\apbzLrW.exe
  2⤵
  PID:5604
- C:\Windows\System32\jxyAQyP.exe
  C:\Windows\System32\jxyAQyP.exe
  2⤵
  PID:5664
- C:\Windows\System32\CNMsUac.exe
  C:\Windows\System32\CNMsUac.exe
  2⤵
  PID:5744
- C:\Windows\System32\dTQlqFh.exe
  C:\Windows\System32\dTQlqFh.exe
  2⤵
  PID:5812
- C:\Windows\System32\geLAnyC.exe
  C:\Windows\System32\geLAnyC.exe
  2⤵
  PID:5860
- C:\Windows\System32\bQuJwXn.exe
  C:\Windows\System32\bQuJwXn.exe
  2⤵
  PID:5888
- C:\Windows\System32\KpcRQOe.exe
  C:\Windows\System32\KpcRQOe.exe
  2⤵
  PID:5944
- C:\Windows\System32\JBKVPgj.exe
  C:\Windows\System32\JBKVPgj.exe
  2⤵
  PID:6008
- C:\Windows\System32\ypPzsxx.exe
  C:\Windows\System32\ypPzsxx.exe
  2⤵
  PID:6064
- C:\Windows\System32\NQXJWhA.exe
  C:\Windows\System32\NQXJWhA.exe
  2⤵
  PID:6112
- C:\Windows\System32\qwVYIaA.exe
  C:\Windows\System32\qwVYIaA.exe
  2⤵
  PID:1740
- C:\Windows\System32\qDxNZBZ.exe
  C:\Windows\System32\qDxNZBZ.exe
  2⤵
  PID:5028
- C:\Windows\System32\pMOMjmA.exe
  C:\Windows\System32\pMOMjmA.exe
  2⤵
  PID:2420
- C:\Windows\System32\XDEKDGn.exe
  C:\Windows\System32\XDEKDGn.exe
  2⤵
  PID:5188
- C:\Windows\System32\Fipdelw.exe
  C:\Windows\System32\Fipdelw.exe
  2⤵
  PID:5272
- C:\Windows\System32\CaRwLMR.exe
  C:\Windows\System32\CaRwLMR.exe
  2⤵
  PID:5324
- C:\Windows\System32\iFNQOXm.exe
  C:\Windows\System32\iFNQOXm.exe
  2⤵
  PID:5496
- C:\Windows\System32\koVSUBH.exe
  C:\Windows\System32\koVSUBH.exe
  2⤵
  PID:5580
- C:\Windows\System32\xZANybd.exe
  C:\Windows\System32\xZANybd.exe
  2⤵
  PID:5720
- C:\Windows\System32\abqVENZ.exe
  C:\Windows\System32\abqVENZ.exe
  2⤵
  PID:5840
- C:\Windows\System32\WXZXmMA.exe
  C:\Windows\System32\WXZXmMA.exe
  2⤵
  PID:5924
- C:\Windows\System32\XPVQAIh.exe
  C:\Windows\System32\XPVQAIh.exe
  2⤵
  PID:6056
- C:\Windows\System32\dxtCMHS.exe
  C:\Windows\System32\dxtCMHS.exe
  2⤵
  PID:2180
- C:\Windows\System32\dtEVRGE.exe
  C:\Windows\System32\dtEVRGE.exe
  2⤵
  PID:4476
- C:\Windows\System32\XBUfHgg.exe
  C:\Windows\System32\XBUfHgg.exe
  2⤵
  PID:2288
- C:\Windows\System32\OqGInwn.exe
  C:\Windows\System32\OqGInwn.exe
  2⤵
  PID:5424
- C:\Windows\System32\GZhDIiW.exe
  C:\Windows\System32\GZhDIiW.exe
  2⤵
  PID:2028
- C:\Windows\System32\EVEbExG.exe
  C:\Windows\System32\EVEbExG.exe
  2⤵
  PID:5964
- C:\Windows\System32\jVYdQTE.exe
  C:\Windows\System32\jVYdQTE.exe
  2⤵
  PID:3752
- C:\Windows\System32\eSsIfCK.exe
  C:\Windows\System32\eSsIfCK.exe
  2⤵
  PID:1408
- C:\Windows\System32\vLTXnNc.exe
  C:\Windows\System32\vLTXnNc.exe
  2⤵
  PID:3148
- C:\Windows\System32\ChYqIsW.exe
  C:\Windows\System32\ChYqIsW.exe
  2⤵
  PID:2268
- C:\Windows\System32\OYxxsyf.exe
  C:\Windows\System32\OYxxsyf.exe
  2⤵
  PID:1776
- C:\Windows\System32\hMiFgXB.exe
  C:\Windows\System32\hMiFgXB.exe
  2⤵
  PID:4836
- C:\Windows\System32\xTAWREC.exe
  C:\Windows\System32\xTAWREC.exe
  2⤵
  PID:3464
- C:\Windows\System32\VumruMm.exe
  C:\Windows\System32\VumruMm.exe
  2⤵
  PID:2068
- C:\Windows\System32\sKipEFH.exe
  C:\Windows\System32\sKipEFH.exe
  2⤵
  PID:5104
- C:\Windows\System32\MpxZLAm.exe
  C:\Windows\System32\MpxZLAm.exe
  2⤵
  PID:2460
- C:\Windows\System32\SlIIuGs.exe
  C:\Windows\System32\SlIIuGs.exe
  2⤵
  PID:3424
- C:\Windows\System32\fSxUPCS.exe
  C:\Windows\System32\fSxUPCS.exe
  2⤵
  PID:2372
- C:\Windows\System32\GfOeYfb.exe
  C:\Windows\System32\GfOeYfb.exe
  2⤵
  PID:6168
- C:\Windows\System32\AvSMNof.exe
  C:\Windows\System32\AvSMNof.exe
  2⤵
  PID:6204
- C:\Windows\System32\lxCSMwU.exe
  C:\Windows\System32\lxCSMwU.exe
  2⤵
  PID:6252
- C:\Windows\System32\ceIepeZ.exe
  C:\Windows\System32\ceIepeZ.exe
  2⤵
  PID:6268
- C:\Windows\System32\cTuPIyQ.exe
  C:\Windows\System32\cTuPIyQ.exe
  2⤵
  PID:6296
- C:\Windows\System32\omQwIWQ.exe
  C:\Windows\System32\omQwIWQ.exe
  2⤵
  PID:6320
- C:\Windows\System32\THFzRRU.exe
  C:\Windows\System32\THFzRRU.exe
  2⤵
  PID:6336
- C:\Windows\System32\AzmRrTq.exe
  C:\Windows\System32\AzmRrTq.exe
  2⤵
  PID:6364
- C:\Windows\System32\aUEyHEB.exe
  C:\Windows\System32\aUEyHEB.exe
  2⤵
  PID:6404
- C:\Windows\System32\bIBzImC.exe
  C:\Windows\System32\bIBzImC.exe
  2⤵
  PID:6424
- C:\Windows\System32\wwgVxDZ.exe
  C:\Windows\System32\wwgVxDZ.exe
  2⤵
  PID:6444
- C:\Windows\System32\ewNrIzX.exe
  C:\Windows\System32\ewNrIzX.exe
  2⤵
  PID:6464
- C:\Windows\System32\JoevgJk.exe
  C:\Windows\System32\JoevgJk.exe
  2⤵
  PID:6504
- C:\Windows\System32\plDtTUn.exe
  C:\Windows\System32\plDtTUn.exe
  2⤵
  PID:6532
- C:\Windows\System32\qtiTnFi.exe
  C:\Windows\System32\qtiTnFi.exe
  2⤵
  PID:6548
- C:\Windows\System32\IAhHZkF.exe
  C:\Windows\System32\IAhHZkF.exe
  2⤵
  PID:6568
- C:\Windows\System32\peVOHsx.exe
  C:\Windows\System32\peVOHsx.exe
  2⤵
  PID:6596
- C:\Windows\System32\XBCeUPZ.exe
  C:\Windows\System32\XBCeUPZ.exe
  2⤵
  PID:6616
- C:\Windows\System32\KWAtbRc.exe
  C:\Windows\System32\KWAtbRc.exe
  2⤵
  PID:6664
- C:\Windows\System32\ETYHqQt.exe
  C:\Windows\System32\ETYHqQt.exe
  2⤵
  PID:6680
- C:\Windows\System32\ouJNiAy.exe
  C:\Windows\System32\ouJNiAy.exe
  2⤵
  PID:6708
- C:\Windows\System32\PrCIcbe.exe
  C:\Windows\System32\PrCIcbe.exe
  2⤵
  PID:6724
- C:\Windows\System32\VUKUJrI.exe
  C:\Windows\System32\VUKUJrI.exe
  2⤵
  PID:6752
- C:\Windows\System32\fURHGnQ.exe
  C:\Windows\System32\fURHGnQ.exe
  2⤵
  PID:6772
- C:\Windows\System32\qyVamXH.exe
  C:\Windows\System32\qyVamXH.exe
  2⤵
  PID:6788
- C:\Windows\System32\sBiZLHJ.exe
  C:\Windows\System32\sBiZLHJ.exe
  2⤵
  PID:6840
- C:\Windows\System32\ktutQNo.exe
  C:\Windows\System32\ktutQNo.exe
  2⤵
  PID:6860
- C:\Windows\System32\oxZSzqm.exe
  C:\Windows\System32\oxZSzqm.exe
  2⤵
  PID:6876
- C:\Windows\System32\JPYfgUx.exe
  C:\Windows\System32\JPYfgUx.exe
  2⤵
  PID:6912
- C:\Windows\System32\bCMztNz.exe
  C:\Windows\System32\bCMztNz.exe
  2⤵
  PID:7004
- C:\Windows\System32\lPXtzTz.exe
  C:\Windows\System32\lPXtzTz.exe
  2⤵
  PID:7028
- C:\Windows\System32\bhheoVD.exe
  C:\Windows\System32\bhheoVD.exe
  2⤵
  PID:7052
- C:\Windows\System32\YaNIcLf.exe
  C:\Windows\System32\YaNIcLf.exe
  2⤵
  PID:7076
- C:\Windows\System32\TmiRfdT.exe
  C:\Windows\System32\TmiRfdT.exe
  2⤵
  PID:7096
- C:\Windows\System32\Cnvkoba.exe
  C:\Windows\System32\Cnvkoba.exe
  2⤵
  PID:7112
- C:\Windows\System32\XlCWQsz.exe
  C:\Windows\System32\XlCWQsz.exe
  2⤵
  PID:7144
- C:\Windows\System32\NNHXBLM.exe
  C:\Windows\System32\NNHXBLM.exe
  2⤵
  PID:6152
- C:\Windows\System32\tJbHgSS.exe
  C:\Windows\System32\tJbHgSS.exe
  2⤵
  PID:6212
- C:\Windows\System32\eOPQfqK.exe
  C:\Windows\System32\eOPQfqK.exe
  2⤵
  PID:6248
- C:\Windows\System32\litjdcX.exe
  C:\Windows\System32\litjdcX.exe
  2⤵
  PID:2584
- C:\Windows\System32\JvnGDRy.exe
  C:\Windows\System32\JvnGDRy.exe
  2⤵
  PID:6264
- C:\Windows\System32\EgrJljO.exe
  C:\Windows\System32\EgrJljO.exe
  2⤵
  PID:2092
- C:\Windows\System32\NdpghmD.exe
  C:\Windows\System32\NdpghmD.exe
  2⤵
  PID:6440
- C:\Windows\System32\MKGoQfq.exe
  C:\Windows\System32\MKGoQfq.exe
  2⤵
  PID:6500
- C:\Windows\System32\NAvKrKm.exe
  C:\Windows\System32\NAvKrKm.exe
  2⤵
  PID:6564
- C:\Windows\System32\DYyOHmS.exe
  C:\Windows\System32\DYyOHmS.exe
  2⤵
  PID:6604
- C:\Windows\System32\tULtvHd.exe
  C:\Windows\System32\tULtvHd.exe
  2⤵
  PID:6640
- C:\Windows\System32\WTdNoqI.exe
  C:\Windows\System32\WTdNoqI.exe
  2⤵
  PID:6720
- C:\Windows\System32\vbVmDjk.exe
  C:\Windows\System32\vbVmDjk.exe
  2⤵
  PID:6760
- C:\Windows\System32\LvGoNVZ.exe
  C:\Windows\System32\LvGoNVZ.exe
  2⤵
  PID:6804
- C:\Windows\System32\AhYlFwv.exe
  C:\Windows\System32\AhYlFwv.exe
  2⤵
  PID:6924
- C:\Windows\System32\CpYjvuW.exe
  C:\Windows\System32\CpYjvuW.exe
  2⤵
  PID:6988
- C:\Windows\System32\EgdEHnG.exe
  C:\Windows\System32\EgdEHnG.exe
  2⤵
  PID:7036
- C:\Windows\System32\aOxsqht.exe
  C:\Windows\System32\aOxsqht.exe
  2⤵
  PID:7072
- C:\Windows\System32\OVOlMdl.exe
  C:\Windows\System32\OVOlMdl.exe
  2⤵
  PID:7132
- C:\Windows\System32\uguuRPx.exe
  C:\Windows\System32\uguuRPx.exe
  2⤵
  PID:5048
- C:\Windows\System32\VWtnPXn.exe
  C:\Windows\System32\VWtnPXn.exe
  2⤵
  PID:6412
- C:\Windows\System32\TQMAtoz.exe
  C:\Windows\System32\TQMAtoz.exe
  2⤵
  PID:6688
- C:\Windows\System32\wdjNLWQ.exe
  C:\Windows\System32\wdjNLWQ.exe
  2⤵
  PID:6784
- C:\Windows\System32\pLSZCRK.exe
  C:\Windows\System32\pLSZCRK.exe
  2⤵
  PID:6848
- C:\Windows\System32\ElcHZBz.exe
  C:\Windows\System32\ElcHZBz.exe
  2⤵
  PID:6980
- C:\Windows\System32\TbKSzLS.exe
  C:\Windows\System32\TbKSzLS.exe
  2⤵
  PID:6472
- C:\Windows\System32\tUMBaGH.exe
  C:\Windows\System32\tUMBaGH.exe
  2⤵
  PID:6740
- C:\Windows\System32\udZOiuM.exe
  C:\Windows\System32\udZOiuM.exe
  2⤵
  PID:7164
- C:\Windows\System32\UaJgilX.exe
  C:\Windows\System32\UaJgilX.exe
  2⤵
  PID:4352
- C:\Windows\System32\qqtXmPX.exe
  C:\Windows\System32\qqtXmPX.exe
  2⤵
  PID:6888
- C:\Windows\System32\IBkUkyu.exe
  C:\Windows\System32\IBkUkyu.exe
  2⤵
  PID:7184
- C:\Windows\System32\thaAFHE.exe
  C:\Windows\System32\thaAFHE.exe
  2⤵
  PID:7212
- C:\Windows\System32\gbxokLP.exe
  C:\Windows\System32\gbxokLP.exe
  2⤵
  PID:7236
- C:\Windows\System32\iytqXag.exe
  C:\Windows\System32\iytqXag.exe
  2⤵
  PID:7268
- C:\Windows\System32\iaZPcGR.exe
  C:\Windows\System32\iaZPcGR.exe
  2⤵
  PID:7292
- C:\Windows\System32\NodjBvk.exe
  C:\Windows\System32\NodjBvk.exe
  2⤵
  PID:7316
- C:\Windows\System32\QXJyuTM.exe
  C:\Windows\System32\QXJyuTM.exe
  2⤵
  PID:7336
- C:\Windows\System32\JkGoYcA.exe
  C:\Windows\System32\JkGoYcA.exe
  2⤵
  PID:7368
- C:\Windows\System32\QyuBymV.exe
  C:\Windows\System32\QyuBymV.exe
  2⤵
  PID:7388
- C:\Windows\System32\CemzTxL.exe
  C:\Windows\System32\CemzTxL.exe
  2⤵
  PID:7412
- C:\Windows\System32\wCEazOr.exe
  C:\Windows\System32\wCEazOr.exe
  2⤵
  PID:7464
- C:\Windows\System32\QunryTJ.exe
  C:\Windows\System32\QunryTJ.exe
  2⤵
  PID:7492
- C:\Windows\System32\tSBPuXa.exe
  C:\Windows\System32\tSBPuXa.exe
  2⤵
  PID:7508
- C:\Windows\System32\VNXjaTI.exe
  C:\Windows\System32\VNXjaTI.exe
  2⤵
  PID:7528
- C:\Windows\System32\lmISZKE.exe
  C:\Windows\System32\lmISZKE.exe
  2⤵
  PID:7556
- C:\Windows\System32\ZTinyGc.exe
  C:\Windows\System32\ZTinyGc.exe
  2⤵
  PID:7584
- C:\Windows\System32\CbBKMNh.exe
  C:\Windows\System32\CbBKMNh.exe
  2⤵
  PID:7620
- C:\Windows\System32\KINrloR.exe
  C:\Windows\System32\KINrloR.exe
  2⤵
  PID:7664
- C:\Windows\System32\qBsOfsX.exe
  C:\Windows\System32\qBsOfsX.exe
  2⤵
  PID:7688
- C:\Windows\System32\AFQllBO.exe
  C:\Windows\System32\AFQllBO.exe
  2⤵
  PID:7712
- C:\Windows\System32\eGLAsPQ.exe
  C:\Windows\System32\eGLAsPQ.exe
  2⤵
  PID:7732
- C:\Windows\System32\hwGyzrH.exe
  C:\Windows\System32\hwGyzrH.exe
  2⤵
  PID:7752
- C:\Windows\System32\UwwXlGI.exe
  C:\Windows\System32\UwwXlGI.exe
  2⤵
  PID:7780
- C:\Windows\System32\DoiarMe.exe
  C:\Windows\System32\DoiarMe.exe
  2⤵
  PID:7820
- C:\Windows\System32\ARWQXXd.exe
  C:\Windows\System32\ARWQXXd.exe
  2⤵
  PID:7868
- C:\Windows\System32\ZFTyOgJ.exe
  C:\Windows\System32\ZFTyOgJ.exe
  2⤵
  PID:7884
- C:\Windows\System32\wzpyZTF.exe
  C:\Windows\System32\wzpyZTF.exe
  2⤵
  PID:7912
- C:\Windows\System32\kQdbVGQ.exe
  C:\Windows\System32\kQdbVGQ.exe
  2⤵
  PID:7932
- C:\Windows\System32\PXPefZf.exe
  C:\Windows\System32\PXPefZf.exe
  2⤵
  PID:7956
- C:\Windows\System32\qSCUdRE.exe
  C:\Windows\System32\qSCUdRE.exe
  2⤵
  PID:7984
- C:\Windows\System32\HDRjIAO.exe
  C:\Windows\System32\HDRjIAO.exe
  2⤵
  PID:8000
- C:\Windows\System32\FKqgsmM.exe
  C:\Windows\System32\FKqgsmM.exe
  2⤵
  PID:8020
- C:\Windows\System32\jDwGsqA.exe
  C:\Windows\System32\jDwGsqA.exe
  2⤵
  PID:8044
- C:\Windows\System32\HWgLZQD.exe
  C:\Windows\System32\HWgLZQD.exe
  2⤵
  PID:8060
- C:\Windows\System32\HZcWkst.exe
  C:\Windows\System32\HZcWkst.exe
  2⤵
  PID:8076
- C:\Windows\System32\LHgRVlY.exe
  C:\Windows\System32\LHgRVlY.exe
  2⤵
  PID:8092
- C:\Windows\System32\ysueIvC.exe
  C:\Windows\System32\ysueIvC.exe
  2⤵
  PID:8108
- C:\Windows\System32\tXijaFt.exe
  C:\Windows\System32\tXijaFt.exe
  2⤵
  PID:8132
- C:\Windows\System32\guixehx.exe
  C:\Windows\System32\guixehx.exe
  2⤵
  PID:7220
- C:\Windows\System32\UgRQjlH.exe
  C:\Windows\System32\UgRQjlH.exe
  2⤵
  PID:7300
- C:\Windows\System32\hRoscYa.exe
  C:\Windows\System32\hRoscYa.exe
  2⤵
  PID:7400
- C:\Windows\System32\RHGalBe.exe
  C:\Windows\System32\RHGalBe.exe
  2⤵
  PID:7552
- C:\Windows\System32\wnZiixD.exe
  C:\Windows\System32\wnZiixD.exe
  2⤵
  PID:7612
- C:\Windows\System32\QSpKKfY.exe
  C:\Windows\System32\QSpKKfY.exe
  2⤵
  PID:7632
- C:\Windows\System32\kKyUeWW.exe
  C:\Windows\System32\kKyUeWW.exe
  2⤵
  PID:7728
- C:\Windows\System32\dKbfjxA.exe
  C:\Windows\System32\dKbfjxA.exe
  2⤵
  PID:7744
- C:\Windows\System32\TMUmGIZ.exe
  C:\Windows\System32\TMUmGIZ.exe
  2⤵
  PID:7880
- C:\Windows\System32\kXbhwie.exe
  C:\Windows\System32\kXbhwie.exe
  2⤵
  PID:7904
- C:\Windows\System32\wTJqBBw.exe
  C:\Windows\System32\wTJqBBw.exe
  2⤵
  PID:7940
- C:\Windows\System32\TvtrTcg.exe
  C:\Windows\System32\TvtrTcg.exe
  2⤵
  PID:8068
- C:\Windows\System32\YTCjSLi.exe
  C:\Windows\System32\YTCjSLi.exe
  2⤵
  PID:8072
- C:\Windows\System32\AefJJbj.exe
  C:\Windows\System32\AefJJbj.exe
  2⤵
  PID:8140
- C:\Windows\System32\guAYuFr.exe
  C:\Windows\System32\guAYuFr.exe
  2⤵
  PID:7276
- C:\Windows\System32\mAaPtMo.exe
  C:\Windows\System32\mAaPtMo.exe
  2⤵
  PID:7172
- C:\Windows\System32\hcsuBfA.exe
  C:\Windows\System32\hcsuBfA.exe
  2⤵
  PID:7580
- C:\Windows\System32\sFTzohq.exe
  C:\Windows\System32\sFTzohq.exe
  2⤵
  PID:7796
- C:\Windows\System32\QsopHXb.exe
  C:\Windows\System32\QsopHXb.exe
  2⤵
  PID:7964
- C:\Windows\System32\oLJjrjY.exe
  C:\Windows\System32\oLJjrjY.exe
  2⤵
  PID:7996
- C:\Windows\System32\QOlqraE.exe
  C:\Windows\System32\QOlqraE.exe
  2⤵
  PID:7228
- C:\Windows\System32\WCqNfGr.exe
  C:\Windows\System32\WCqNfGr.exe
  2⤵
  PID:7720
- C:\Windows\System32\mmXwjZI.exe
  C:\Windows\System32\mmXwjZI.exe
  2⤵
  PID:7992
- C:\Windows\System32\tsjNsxi.exe
  C:\Windows\System32\tsjNsxi.exe
  2⤵
  PID:8216
- C:\Windows\System32\wGmIzBM.exe
  C:\Windows\System32\wGmIzBM.exe
  2⤵
  PID:8268
- C:\Windows\System32\wnsWFKe.exe
  C:\Windows\System32\wnsWFKe.exe
  2⤵
  PID:8284
- C:\Windows\System32\TpvZPTY.exe
  C:\Windows\System32\TpvZPTY.exe
  2⤵
  PID:8300
- C:\Windows\System32\ZHfQKZK.exe
  C:\Windows\System32\ZHfQKZK.exe
  2⤵
  PID:8316
- C:\Windows\System32\QWgNqIj.exe
  C:\Windows\System32\QWgNqIj.exe
  2⤵
  PID:8332
- C:\Windows\System32\BefdywB.exe
  C:\Windows\System32\BefdywB.exe
  2⤵
  PID:8356
- C:\Windows\System32\TjCzYvJ.exe
  C:\Windows\System32\TjCzYvJ.exe
  2⤵
  PID:8400
- C:\Windows\System32\QENPKai.exe
  C:\Windows\System32\QENPKai.exe
  2⤵
  PID:8440
- C:\Windows\System32\WqssxkY.exe
  C:\Windows\System32\WqssxkY.exe
  2⤵
  PID:8508
- C:\Windows\System32\yvOdBKE.exe
  C:\Windows\System32\yvOdBKE.exe
  2⤵
  PID:8568
- C:\Windows\System32\NBTebDu.exe
  C:\Windows\System32\NBTebDu.exe
  2⤵
  PID:8592
- C:\Windows\System32\ViUTeIC.exe
  C:\Windows\System32\ViUTeIC.exe
  2⤵
  PID:8680
- C:\Windows\System32\xfOFqLk.exe
  C:\Windows\System32\xfOFqLk.exe
  2⤵
  PID:8696
- C:\Windows\System32\wYtuZlf.exe
  C:\Windows\System32\wYtuZlf.exe
  2⤵
  PID:8712
- C:\Windows\System32\ANTJSFN.exe
  C:\Windows\System32\ANTJSFN.exe
  2⤵
  PID:8728
- C:\Windows\System32\EGKCapq.exe
  C:\Windows\System32\EGKCapq.exe
  2⤵
  PID:8744
- C:\Windows\System32\tuEDKKP.exe
  C:\Windows\System32\tuEDKKP.exe
  2⤵
  PID:8760
- C:\Windows\System32\RgTrCRq.exe
  C:\Windows\System32\RgTrCRq.exe
  2⤵
  PID:8780
- C:\Windows\System32\gYdNsAb.exe
  C:\Windows\System32\gYdNsAb.exe
  2⤵
  PID:8800
- C:\Windows\System32\ewtrhwI.exe
  C:\Windows\System32\ewtrhwI.exe
  2⤵
  PID:8832
- C:\Windows\System32\gXTbZEa.exe
  C:\Windows\System32\gXTbZEa.exe
  2⤵
  PID:8856
- C:\Windows\System32\CUsElSz.exe
  C:\Windows\System32\CUsElSz.exe
  2⤵
  PID:8876
- C:\Windows\System32\FmzsZYS.exe
  C:\Windows\System32\FmzsZYS.exe
  2⤵
  PID:8896
- C:\Windows\System32\EUBOaWK.exe
  C:\Windows\System32\EUBOaWK.exe
  2⤵
  PID:8912
- C:\Windows\System32\iiVBXPp.exe
  C:\Windows\System32\iiVBXPp.exe
  2⤵
  PID:8964
- C:\Windows\System32\yVKjQxM.exe
  C:\Windows\System32\yVKjQxM.exe
  2⤵
  PID:8996
- C:\Windows\System32\wGUVqfR.exe
  C:\Windows\System32\wGUVqfR.exe
  2⤵
  PID:9124
- C:\Windows\System32\OhZWiGP.exe
  C:\Windows\System32\OhZWiGP.exe
  2⤵
  PID:9160
- C:\Windows\System32\jRrwXyc.exe
  C:\Windows\System32\jRrwXyc.exe
  2⤵
  PID:9180
- C:\Windows\System32\uzXcBSx.exe
  C:\Windows\System32\uzXcBSx.exe
  2⤵
  PID:9204
- C:\Windows\System32\FquVJHF.exe
  C:\Windows\System32\FquVJHF.exe
  2⤵
  PID:7944
- C:\Windows\System32\WnlUsfI.exe
  C:\Windows\System32\WnlUsfI.exe
  2⤵
  PID:8264
- C:\Windows\System32\fyzQiXN.exe
  C:\Windows\System32\fyzQiXN.exe
  2⤵
  PID:8376
- C:\Windows\System32\SxtnzTv.exe
  C:\Windows\System32\SxtnzTv.exe
  2⤵
  PID:8312
- C:\Windows\System32\ZkeVXYu.exe
  C:\Windows\System32\ZkeVXYu.exe
  2⤵
  PID:8412
- C:\Windows\System32\WRNIaQN.exe
  C:\Windows\System32\WRNIaQN.exe
  2⤵
  PID:8428
- C:\Windows\System32\cHhNRBZ.exe
  C:\Windows\System32\cHhNRBZ.exe
  2⤵
  PID:8504
- C:\Windows\System32\TJoRdDD.exe
  C:\Windows\System32\TJoRdDD.exe
  2⤵
  PID:8540
- C:\Windows\System32\VQRYTpl.exe
  C:\Windows\System32\VQRYTpl.exe
  2⤵
  PID:8480
- C:\Windows\System32\XEKuPmD.exe
  C:\Windows\System32\XEKuPmD.exe
  2⤵
  PID:8516
- C:\Windows\System32\FqMhJYa.exe
  C:\Windows\System32\FqMhJYa.exe
  2⤵
  PID:8692
- C:\Windows\System32\upDTLoe.exe
  C:\Windows\System32\upDTLoe.exe
  2⤵
  PID:548
- C:\Windows\System32\fSiaihA.exe
  C:\Windows\System32\fSiaihA.exe
  2⤵
  PID:8752
- C:\Windows\System32\CbacTNg.exe
  C:\Windows\System32\CbacTNg.exe
  2⤵
  PID:8776
- C:\Windows\System32\xJAFeAJ.exe
  C:\Windows\System32\xJAFeAJ.exe
  2⤵
  PID:8740
- C:\Windows\System32\LYOoEWS.exe
  C:\Windows\System32\LYOoEWS.exe
  2⤵
  PID:8736
- C:\Windows\System32\OrJXfLG.exe
  C:\Windows\System32\OrJXfLG.exe
  2⤵
  PID:8864
- C:\Windows\System32\opcmsqJ.exe
  C:\Windows\System32\opcmsqJ.exe
  2⤵
  PID:8932
- C:\Windows\System32\AfyscMG.exe
  C:\Windows\System32\AfyscMG.exe
  2⤵
  PID:9012
- C:\Windows\System32\fpHYEfl.exe
  C:\Windows\System32\fpHYEfl.exe
  2⤵
  PID:9172
- C:\Windows\System32\gkXbtxN.exe
  C:\Windows\System32\gkXbtxN.exe
  2⤵
  PID:9176
- C:\Windows\System32\DEqnUvb.exe
  C:\Windows\System32\DEqnUvb.exe
  2⤵
  PID:8276
- C:\Windows\System32\UAomvHA.exe
  C:\Windows\System32\UAomvHA.exe
  2⤵
  PID:8380
- C:\Windows\System32\fXgZPLe.exe
  C:\Windows\System32\fXgZPLe.exe
  2⤵
  PID:8492
- C:\Windows\System32\ltjFpzs.exe
  C:\Windows\System32\ltjFpzs.exe
  2⤵
  PID:8608
- C:\Windows\System32\EIwawkD.exe
  C:\Windows\System32\EIwawkD.exe
  2⤵
  PID:8576
- C:\Windows\System32\XfMDWJi.exe
  C:\Windows\System32\XfMDWJi.exe
  2⤵
  PID:8704
- C:\Windows\System32\JaZKMzQ.exe
  C:\Windows\System32\JaZKMzQ.exe
  2⤵
  PID:8756
- C:\Windows\System32\RDninWh.exe
  C:\Windows\System32\RDninWh.exe
  2⤵
  PID:8888
- C:\Windows\System32\jKhhZRZ.exe
  C:\Windows\System32\jKhhZRZ.exe
  2⤵
  PID:9020
- C:\Windows\System32\CZXISYY.exe
  C:\Windows\System32\CZXISYY.exe
  2⤵
  PID:7544
- C:\Windows\System32\PpkdSao.exe
  C:\Windows\System32\PpkdSao.exe
  2⤵
  PID:8280
- C:\Windows\System32\LCXUViH.exe
  C:\Windows\System32\LCXUViH.exe
  2⤵
  PID:8432
- C:\Windows\System32\GUkyVjR.exe
  C:\Windows\System32\GUkyVjR.exe
  2⤵
  PID:8660
- C:\Windows\System32\EeturfN.exe
  C:\Windows\System32\EeturfN.exe
  2⤵
  PID:9008
- C:\Windows\System32\IDgpcuq.exe
  C:\Windows\System32\IDgpcuq.exe
  2⤵
  PID:8484
- C:\Windows\System32\QuAPqKf.exe
  C:\Windows\System32\QuAPqKf.exe
  2⤵
  PID:8416
- C:\Windows\System32\AAtxpot.exe
  C:\Windows\System32\AAtxpot.exe
  2⤵
  PID:9236
- C:\Windows\System32\bUoCJqy.exe
  C:\Windows\System32\bUoCJqy.exe
  2⤵
  PID:9276
- C:\Windows\System32\VIzSPRF.exe
  C:\Windows\System32\VIzSPRF.exe
  2⤵
  PID:9300
- C:\Windows\System32\ADLTGmC.exe
  C:\Windows\System32\ADLTGmC.exe
  2⤵
  PID:9324
- C:\Windows\System32\YGMcKwI.exe
  C:\Windows\System32\YGMcKwI.exe
  2⤵
  PID:9344
- C:\Windows\System32\qStEMAp.exe
  C:\Windows\System32\qStEMAp.exe
  2⤵
  PID:9368
- C:\Windows\System32\CQiOzlz.exe
  C:\Windows\System32\CQiOzlz.exe
  2⤵
  PID:9392
- C:\Windows\System32\QYhVufe.exe
  C:\Windows\System32\QYhVufe.exe
  2⤵
  PID:9424
- C:\Windows\System32\Ltejrfr.exe
  C:\Windows\System32\Ltejrfr.exe
  2⤵
  PID:9460
- C:\Windows\System32\TSlkqwc.exe
  C:\Windows\System32\TSlkqwc.exe
  2⤵
  PID:9512
- C:\Windows\System32\FehKSaJ.exe
  C:\Windows\System32\FehKSaJ.exe
  2⤵
  PID:9540
- C:\Windows\System32\JzaUgUN.exe
  C:\Windows\System32\JzaUgUN.exe
  2⤵
  PID:9564
- C:\Windows\System32\wgMSJSs.exe
  C:\Windows\System32\wgMSJSs.exe
  2⤵
  PID:9596
- C:\Windows\System32\jjWmZqy.exe
  C:\Windows\System32\jjWmZqy.exe
  2⤵
  PID:9620
- C:\Windows\System32\sMfueda.exe
  C:\Windows\System32\sMfueda.exe
  2⤵
  PID:9672
- C:\Windows\System32\rzrxsFs.exe
  C:\Windows\System32\rzrxsFs.exe
  2⤵
  PID:9696
- C:\Windows\System32\CGyCHZl.exe
  C:\Windows\System32\CGyCHZl.exe
  2⤵
  PID:9724
- C:\Windows\System32\sDzsgFw.exe
  C:\Windows\System32\sDzsgFw.exe
  2⤵
  PID:9752
- C:\Windows\System32\aTBMpyD.exe
  C:\Windows\System32\aTBMpyD.exe
  2⤵
  PID:9776
- C:\Windows\System32\gEAwCxq.exe
  C:\Windows\System32\gEAwCxq.exe
  2⤵
  PID:9816
- C:\Windows\System32\xhmHZby.exe
  C:\Windows\System32\xhmHZby.exe
  2⤵
  PID:9836
- C:\Windows\System32\ytZFwfy.exe
  C:\Windows\System32\ytZFwfy.exe
  2⤵
  PID:9864
- C:\Windows\System32\QMPzjXd.exe
  C:\Windows\System32\QMPzjXd.exe
  2⤵
  PID:9884
- C:\Windows\System32\OXQAPFW.exe
  C:\Windows\System32\OXQAPFW.exe
  2⤵
  PID:9928
- C:\Windows\System32\OaHlPkW.exe
  C:\Windows\System32\OaHlPkW.exe
  2⤵
  PID:9960
- C:\Windows\System32\ZOsBXSx.exe
  C:\Windows\System32\ZOsBXSx.exe
  2⤵
  PID:9984
- C:\Windows\System32\FzAnTIN.exe
  C:\Windows\System32\FzAnTIN.exe
  2⤵
  PID:10012
- C:\Windows\System32\FoSprCF.exe
  C:\Windows\System32\FoSprCF.exe
  2⤵
  PID:10040
- C:\Windows\System32\rZGeDAE.exe
  C:\Windows\System32\rZGeDAE.exe
  2⤵
  PID:10064
- C:\Windows\System32\kYzOgNs.exe
  C:\Windows\System32\kYzOgNs.exe
  2⤵
  PID:10096
- C:\Windows\System32\eixpvRZ.exe
  C:\Windows\System32\eixpvRZ.exe
  2⤵
  PID:10132
- C:\Windows\System32\sBKWRNJ.exe
  C:\Windows\System32\sBKWRNJ.exe
  2⤵
  PID:10160
- C:\Windows\System32\xjfgtVK.exe
  C:\Windows\System32\xjfgtVK.exe
  2⤵
  PID:10188
- C:\Windows\System32\lcPzODr.exe
  C:\Windows\System32\lcPzODr.exe
  2⤵
  PID:10232
- C:\Windows\System32\bVhjAfd.exe
  C:\Windows\System32\bVhjAfd.exe
  2⤵
  PID:1284
- C:\Windows\System32\UDoFrcp.exe
  C:\Windows\System32\UDoFrcp.exe
  2⤵
  PID:9228
- C:\Windows\System32\BiMWKlp.exe
  C:\Windows\System32\BiMWKlp.exe
  2⤵
  PID:9316
- C:\Windows\System32\neIQSdy.exe
  C:\Windows\System32\neIQSdy.exe
  2⤵
  PID:9380
- C:\Windows\System32\ouWxMLX.exe
  C:\Windows\System32\ouWxMLX.exe
  2⤵
  PID:9468
- C:\Windows\System32\KUpGPwH.exe
  C:\Windows\System32\KUpGPwH.exe
  2⤵
  PID:4516
- C:\Windows\System32\BVaxaMQ.exe
  C:\Windows\System32\BVaxaMQ.exe
  2⤵
  PID:9548
- C:\Windows\System32\qSObmsB.exe
  C:\Windows\System32\qSObmsB.exe
  2⤵
  PID:9616
- C:\Windows\System32\qeaISAM.exe
  C:\Windows\System32\qeaISAM.exe
  2⤵
  PID:9716
- C:\Windows\System32\juLFtwT.exe
  C:\Windows\System32\juLFtwT.exe
  2⤵
  PID:9796
- C:\Windows\System32\YunbtVJ.exe
  C:\Windows\System32\YunbtVJ.exe
  2⤵
  PID:9860
- C:\Windows\System32\bCqgNXj.exe
  C:\Windows\System32\bCqgNXj.exe
  2⤵
  PID:9872
- C:\Windows\System32\miYAtRK.exe
  C:\Windows\System32\miYAtRK.exe
  2⤵
  PID:10036
- C:\Windows\System32\BjtWInb.exe
  C:\Windows\System32\BjtWInb.exe
  2⤵
  PID:10052
- C:\Windows\System32\fLKKyCV.exe
  C:\Windows\System32\fLKKyCV.exe
  2⤵
  PID:10112
- C:\Windows\System32\asZABlt.exe
  C:\Windows\System32\asZABlt.exe
  2⤵
  PID:10176
- C:\Windows\System32\foHZzqg.exe
  C:\Windows\System32\foHZzqg.exe
  2⤵
  PID:8552
- C:\Windows\System32\JjmTlMD.exe
  C:\Windows\System32\JjmTlMD.exe
  2⤵
  PID:9340
- C:\Windows\System32\PBoKejy.exe
  C:\Windows\System32\PBoKejy.exe
  2⤵
  PID:9420
- C:\Windows\System32\RKDmHan.exe
  C:\Windows\System32\RKDmHan.exe
  2⤵
  PID:9532
- C:\Windows\System32\YhPIJKo.exe
  C:\Windows\System32\YhPIJKo.exe
  2⤵
  PID:9588
- C:\Windows\System32\HfMhWUQ.exe
  C:\Windows\System32\HfMhWUQ.exe
  2⤵
  PID:9764
- C:\Windows\System32\QLBGVYL.exe
  C:\Windows\System32\QLBGVYL.exe
  2⤵
  PID:10048
- C:\Windows\System32\DIotOWS.exe
  C:\Windows\System32\DIotOWS.exe
  2⤵
  PID:10152
- C:\Windows\System32\tRYzAqB.exe
  C:\Windows\System32\tRYzAqB.exe
  2⤵
  PID:9844
- C:\Windows\System32\DVfbkfE.exe
  C:\Windows\System32\DVfbkfE.exe
  2⤵
  PID:9808
- C:\Windows\System32\rEWMyvL.exe
  C:\Windows\System32\rEWMyvL.exe
  2⤵
  PID:4452
- C:\Windows\System32\KUSBmMC.exe
  C:\Windows\System32\KUSBmMC.exe
  2⤵
  PID:3856
- C:\Windows\System32\EhkwcCo.exe
  C:\Windows\System32\EhkwcCo.exe
  2⤵
  PID:10256
- C:\Windows\System32\FQkjTEB.exe
  C:\Windows\System32\FQkjTEB.exe
  2⤵
  PID:10280
- C:\Windows\System32\OnLNILf.exe
  C:\Windows\System32\OnLNILf.exe
  2⤵
  PID:10324
- C:\Windows\System32\pELiVxT.exe
  C:\Windows\System32\pELiVxT.exe
  2⤵
  PID:10348
- C:\Windows\System32\exRUcVa.exe
  C:\Windows\System32\exRUcVa.exe
  2⤵
  PID:10364
- C:\Windows\System32\UBMeYJm.exe
  C:\Windows\System32\UBMeYJm.exe
  2⤵
  PID:10384
- C:\Windows\System32\tkRfVRy.exe
  C:\Windows\System32\tkRfVRy.exe
  2⤵
  PID:10424
- C:\Windows\System32\eeAlBDt.exe
  C:\Windows\System32\eeAlBDt.exe
  2⤵
  PID:10440
- C:\Windows\System32\VXnuClX.exe
  C:\Windows\System32\VXnuClX.exe
  2⤵
  PID:10464
- C:\Windows\System32\vYCeByL.exe
  C:\Windows\System32\vYCeByL.exe
  2⤵
  PID:10492
- C:\Windows\System32\QjEudoW.exe
  C:\Windows\System32\QjEudoW.exe
  2⤵
  PID:10508
- C:\Windows\System32\bAAGrzx.exe
  C:\Windows\System32\bAAGrzx.exe
  2⤵
  PID:10568
- C:\Windows\System32\ThYpbRv.exe
  C:\Windows\System32\ThYpbRv.exe
  2⤵
  PID:10588
- C:\Windows\System32\WcluGns.exe
  C:\Windows\System32\WcluGns.exe
  2⤵
  PID:10604
- C:\Windows\System32\xfcUXxT.exe
  C:\Windows\System32\xfcUXxT.exe
  2⤵
  PID:10628
- C:\Windows\System32\GIvfUnF.exe
  C:\Windows\System32\GIvfUnF.exe
  2⤵
  PID:10680
- C:\Windows\System32\eOQuwZY.exe
  C:\Windows\System32\eOQuwZY.exe
  2⤵
  PID:10704
- C:\Windows\System32\ThbzOYC.exe
  C:\Windows\System32\ThbzOYC.exe
  2⤵
  PID:10724
- C:\Windows\System32\VzLxCmE.exe
  C:\Windows\System32\VzLxCmE.exe
  2⤵
  PID:10756
- C:\Windows\System32\cmewQbH.exe
  C:\Windows\System32\cmewQbH.exe
  2⤵
  PID:10780
- C:\Windows\System32\CjVtDUQ.exe
  C:\Windows\System32\CjVtDUQ.exe
  2⤵
  PID:10804
- C:\Windows\System32\uJxnNoQ.exe
  C:\Windows\System32\uJxnNoQ.exe
  2⤵
  PID:10820
- C:\Windows\System32\OyOfnAV.exe
  C:\Windows\System32\OyOfnAV.exe
  2⤵
  PID:10840
- C:\Windows\System32\bNKuURg.exe
  C:\Windows\System32\bNKuURg.exe
  2⤵
  PID:10884
- C:\Windows\System32\dfbrmSA.exe
  C:\Windows\System32\dfbrmSA.exe
  2⤵
  PID:10956
- C:\Windows\System32\tVewner.exe
  C:\Windows\System32\tVewner.exe
  2⤵
  PID:10972
- C:\Windows\System32\xDhkZAc.exe
  C:\Windows\System32\xDhkZAc.exe
  2⤵
  PID:11012
- C:\Windows\System32\uuObYnE.exe
  C:\Windows\System32\uuObYnE.exe
  2⤵
  PID:11040
- C:\Windows\System32\enrAhpS.exe
  C:\Windows\System32\enrAhpS.exe
  2⤵
  PID:11068
- C:\Windows\System32\YgSPXZP.exe
  C:\Windows\System32\YgSPXZP.exe
  2⤵
  PID:11096
- C:\Windows\System32\CsKZJoF.exe
  C:\Windows\System32\CsKZJoF.exe
  2⤵
  PID:11160
- C:\Windows\System32\bwdSgxP.exe
  C:\Windows\System32\bwdSgxP.exe
  2⤵
  PID:11184
- C:\Windows\System32\titMUIU.exe
  C:\Windows\System32\titMUIU.exe
  2⤵
  PID:11228
- C:\Windows\System32\cjRRWgL.exe
  C:\Windows\System32\cjRRWgL.exe
  2⤵
  PID:11248
- C:\Windows\System32\zotklTY.exe
  C:\Windows\System32\zotklTY.exe
  2⤵
  PID:9856
- C:\Windows\System32\QgMNNST.exe
  C:\Windows\System32\QgMNNST.exe
  2⤵
  PID:10344
- C:\Windows\System32\dFYSWig.exe
  C:\Windows\System32\dFYSWig.exe
  2⤵
  PID:10392
- C:\Windows\System32\mxrigzM.exe
  C:\Windows\System32\mxrigzM.exe
  2⤵
  PID:10476
- C:\Windows\System32\txsfNLr.exe
  C:\Windows\System32\txsfNLr.exe
  2⤵
  PID:10484
- C:\Windows\System32\fjfXbtu.exe
  C:\Windows\System32\fjfXbtu.exe
  2⤵
  PID:10580
- C:\Windows\System32\BBUfanH.exe
  C:\Windows\System32\BBUfanH.exe
  2⤵
  PID:10652
- C:\Windows\System32\ymPAHKe.exe
  C:\Windows\System32\ymPAHKe.exe
  2⤵
  PID:10720
- C:\Windows\System32\YiGKrNW.exe
  C:\Windows\System32\YiGKrNW.exe
  2⤵
  PID:10736
- C:\Windows\System32\ytlpIdE.exe
  C:\Windows\System32\ytlpIdE.exe
  2⤵
  PID:10788
- C:\Windows\System32\zCzhepK.exe
  C:\Windows\System32\zCzhepK.exe
  2⤵
  PID:10908
- C:\Windows\System32\zomzcBn.exe
  C:\Windows\System32\zomzcBn.exe
  2⤵
  PID:11000
- C:\Windows\System32\WXoNQoa.exe
  C:\Windows\System32\WXoNQoa.exe
  2⤵
  PID:11060
- C:\Windows\System32\GZXpOgo.exe
  C:\Windows\System32\GZXpOgo.exe
  2⤵
  PID:9940
- C:\Windows\System32\kRRXfcd.exe
  C:\Windows\System32\kRRXfcd.exe
  2⤵
  PID:1720
- C:\Windows\System32\YywDKwR.exe
  C:\Windows\System32\YywDKwR.exe
  2⤵
  PID:11240
- C:\Windows\System32\dSjhFam.exe
  C:\Windows\System32\dSjhFam.exe
  2⤵
  PID:10436
- C:\Windows\System32\XGjGLjP.exe
  C:\Windows\System32\XGjGLjP.exe
  2⤵
  PID:10584
- C:\Windows\System32\ETogngD.exe
  C:\Windows\System32\ETogngD.exe
  2⤵
  PID:440
- C:\Windows\System32\hfqQWnV.exe
  C:\Windows\System32\hfqQWnV.exe
  2⤵
  PID:10892
- C:\Windows\System32\fbPsftG.exe
  C:\Windows\System32\fbPsftG.exe
  2⤵
  PID:11052
- C:\Windows\System32\dyQOiuU.exe
  C:\Windows\System32\dyQOiuU.exe
  2⤵
  PID:632
- C:\Windows\System32\bGyOLpi.exe
  C:\Windows\System32\bGyOLpi.exe
  2⤵
  PID:10504
- C:\Windows\System32\GnLyQcT.exe
  C:\Windows\System32\GnLyQcT.exe
  2⤵
  PID:10860
- C:\Windows\System32\ZXunGUc.exe
  C:\Windows\System32\ZXunGUc.exe
  2⤵
  PID:11276
- C:\Windows\System32\kMmSXlK.exe
  C:\Windows\System32\kMmSXlK.exe
  2⤵
  PID:11300
- C:\Windows\System32\kBmaNgm.exe
  C:\Windows\System32\kBmaNgm.exe
  2⤵
  PID:11316
- C:\Windows\System32\aDvecpn.exe
  C:\Windows\System32\aDvecpn.exe
  2⤵
  PID:11340
- C:\Windows\System32\qpGsZaa.exe
  C:\Windows\System32\qpGsZaa.exe
  2⤵
  PID:11384
- C:\Windows\System32\NplWkML.exe
  C:\Windows\System32\NplWkML.exe
  2⤵
  PID:11404
- C:\Windows\System32\TnUKuzB.exe
  C:\Windows\System32\TnUKuzB.exe
  2⤵
  PID:11444
- C:\Windows\System32\kWGUgdM.exe
  C:\Windows\System32\kWGUgdM.exe
  2⤵
  PID:11468
- C:\Windows\System32\rJxJxjS.exe
  C:\Windows\System32\rJxJxjS.exe
  2⤵
  PID:11492
- C:\Windows\System32\yzPyGMG.exe
  C:\Windows\System32\yzPyGMG.exe
  2⤵
  PID:11520
- C:\Windows\System32\YsyoILj.exe
  C:\Windows\System32\YsyoILj.exe
  2⤵
  PID:11552
- C:\Windows\System32\rWVJEkv.exe
  C:\Windows\System32\rWVJEkv.exe
  2⤵
  PID:11608
- C:\Windows\System32\wrsbzAQ.exe
  C:\Windows\System32\wrsbzAQ.exe
  2⤵
  PID:11628
- C:\Windows\System32\AThDJgV.exe
  C:\Windows\System32\AThDJgV.exe
  2⤵
  PID:11648
- C:\Windows\System32\LiLhuxC.exe
  C:\Windows\System32\LiLhuxC.exe
  2⤵
  PID:11668
- C:\Windows\System32\YRtYDXg.exe
  C:\Windows\System32\YRtYDXg.exe
  2⤵
  PID:11700
- C:\Windows\System32\tQmtcQU.exe
  C:\Windows\System32\tQmtcQU.exe
  2⤵
  PID:11736
- C:\Windows\System32\OIzciGp.exe
  C:\Windows\System32\OIzciGp.exe
  2⤵
  PID:11764
- C:\Windows\System32\ClcczLx.exe
  C:\Windows\System32\ClcczLx.exe
  2⤵
  PID:11788
- C:\Windows\System32\mTwnKHx.exe
  C:\Windows\System32\mTwnKHx.exe
  2⤵
  PID:11804
- C:\Windows\System32\bmCXhKd.exe
  C:\Windows\System32\bmCXhKd.exe
  2⤵
  PID:11832
- C:\Windows\System32\DGKhKkA.exe
  C:\Windows\System32\DGKhKkA.exe
  2⤵
  PID:11872
- C:\Windows\System32\ErhYLiY.exe
  C:\Windows\System32\ErhYLiY.exe
  2⤵
  PID:11900
- C:\Windows\System32\kxubrGf.exe
  C:\Windows\System32\kxubrGf.exe
  2⤵
  PID:11920
- C:\Windows\System32\bzkYhwV.exe
  C:\Windows\System32\bzkYhwV.exe
  2⤵
  PID:11968
- C:\Windows\System32\zwKoatB.exe
  C:\Windows\System32\zwKoatB.exe
  2⤵
  PID:11992
- C:\Windows\System32\IfvZRth.exe
  C:\Windows\System32\IfvZRth.exe
  2⤵
  PID:12008
- C:\Windows\System32\SpzyxGF.exe
  C:\Windows\System32\SpzyxGF.exe
  2⤵
  PID:12028
- C:\Windows\System32\sEvTAio.exe
  C:\Windows\System32\sEvTAio.exe
  2⤵
  PID:12068
- C:\Windows\System32\NRyxPax.exe
  C:\Windows\System32\NRyxPax.exe
  2⤵
  PID:12108
- C:\Windows\System32\REEzveh.exe
  C:\Windows\System32\REEzveh.exe
  2⤵
  PID:12132
- C:\Windows\System32\BIGprCs.exe
  C:\Windows\System32\BIGprCs.exe
  2⤵
  PID:12180
- C:\Windows\System32\LGbDYEw.exe
  C:\Windows\System32\LGbDYEw.exe
  2⤵
  PID:12196
- C:\Windows\System32\mwAwRkV.exe
  C:\Windows\System32\mwAwRkV.exe
  2⤵
  PID:12220
- C:\Windows\System32\fAkmBcI.exe
  C:\Windows\System32\fAkmBcI.exe
  2⤵
  PID:12248
- C:\Windows\System32\vjiyAps.exe
  C:\Windows\System32\vjiyAps.exe
  2⤵
  PID:12272
- C:\Windows\System32\xrXyCad.exe
  C:\Windows\System32\xrXyCad.exe
  2⤵
  PID:11204
- C:\Windows\System32\yYVYANy.exe
  C:\Windows\System32\yYVYANy.exe
  2⤵
  PID:11284
- C:\Windows\System32\UwVlufW.exe
  C:\Windows\System32\UwVlufW.exe
  2⤵
  PID:11376
- C:\Windows\System32\hiGlKyO.exe
  C:\Windows\System32\hiGlKyO.exe
  2⤵
  PID:11452
- C:\Windows\System32\nbHfydJ.exe
  C:\Windows\System32\nbHfydJ.exe
  2⤵
  PID:11512
- C:\Windows\System32\TCOroCZ.exe
  C:\Windows\System32\TCOroCZ.exe
  2⤵
  PID:11528
- C:\Windows\System32\MZSyoUb.exe
  C:\Windows\System32\MZSyoUb.exe
  2⤵
  PID:11640
- C:\Windows\System32\WyCnLrR.exe
  C:\Windows\System32\WyCnLrR.exe
  2⤵
  PID:11696
- C:\Windows\System32\SIOPrru.exe
  C:\Windows\System32\SIOPrru.exe
  2⤵
  PID:11784
- C:\Windows\System32\jkHVrIP.exe
  C:\Windows\System32\jkHVrIP.exe
  2⤵
  PID:11908
- C:\Windows\System32\ZKDchEY.exe
  C:\Windows\System32\ZKDchEY.exe
  2⤵
  PID:10920
- C:\Windows\System32\zFbfjKt.exe
  C:\Windows\System32\zFbfjKt.exe
  2⤵
  PID:12016
- C:\Windows\System32\iuaTQGG.exe
  C:\Windows\System32\iuaTQGG.exe
  2⤵
  PID:12052
- C:\Windows\System32\QTEnfWs.exe
  C:\Windows\System32\QTEnfWs.exe
  2⤵
  PID:12164
- C:\Windows\System32\habHRYI.exe
  C:\Windows\System32\habHRYI.exe
  2⤵
  PID:12208
- C:\Windows\System32\qspwwvt.exe
  C:\Windows\System32\qspwwvt.exe
  2⤵
  PID:10648
- C:\Windows\System32\gATSLcm.exe
  C:\Windows\System32\gATSLcm.exe
  2⤵
  PID:11348
- C:\Windows\System32\HdToNAN.exe
  C:\Windows\System32\HdToNAN.exe
  2⤵
  PID:11544
- C:\Windows\System32\xICmHEy.exe
  C:\Windows\System32\xICmHEy.exe
  2⤵
  PID:908
- C:\Windows\System32\zSlujQq.exe
  C:\Windows\System32\zSlujQq.exe
  2⤵
  PID:11732
- C:\Windows\System32\DuErGSQ.exe
  C:\Windows\System32\DuErGSQ.exe
  2⤵
  PID:11776
- C:\Windows\System32\kzQAzJo.exe
  C:\Windows\System32\kzQAzJo.exe
  2⤵
  PID:11976
- C:\Windows\System32\uJTEzYS.exe
  C:\Windows\System32\uJTEzYS.exe
  2⤵
  PID:12188
- C:\Windows\System32\TGtElak.exe
  C:\Windows\System32\TGtElak.exe
  2⤵
  PID:11480
- C:\Windows\System32\QVIcYxl.exe
  C:\Windows\System32\QVIcYxl.exe
  2⤵
  PID:11780
- C:\Windows\System32\lamslQW.exe
  C:\Windows\System32\lamslQW.exe
  2⤵
  PID:11712
- C:\Windows\System32\hnljOFy.exe
  C:\Windows\System32\hnljOFy.exe
  2⤵
  PID:12004
- C:\Windows\System32\PkARRsy.exe
  C:\Windows\System32\PkARRsy.exe
  2⤵
  PID:11428
- C:\Windows\System32\UxWYvML.exe
  C:\Windows\System32\UxWYvML.exe
  2⤵
  PID:11944
- C:\Windows\System32\zcArSAI.exe
  C:\Windows\System32\zcArSAI.exe
  2⤵
  PID:12320
- C:\Windows\System32\MCOfBFD.exe
  C:\Windows\System32\MCOfBFD.exe
  2⤵
  PID:12368
- C:\Windows\System32\IjfYazJ.exe
  C:\Windows\System32\IjfYazJ.exe
  2⤵
  PID:12384
- C:\Windows\System32\mztSMYw.exe
  C:\Windows\System32\mztSMYw.exe
  2⤵
  PID:12408
- C:\Windows\System32\pkiktTw.exe
  C:\Windows\System32\pkiktTw.exe
  2⤵
  PID:12428
- C:\Windows\System32\dvwDsJz.exe
  C:\Windows\System32\dvwDsJz.exe
  2⤵
  PID:12468
- C:\Windows\System32\gtqvwIT.exe
  C:\Windows\System32\gtqvwIT.exe
  2⤵
  PID:12488
- C:\Windows\System32\ranoKMM.exe
  C:\Windows\System32\ranoKMM.exe
  2⤵
  PID:12516
- C:\Windows\System32\TZOpcIL.exe
  C:\Windows\System32\TZOpcIL.exe
  2⤵
  PID:12568
- C:\Windows\System32\kTBBLkg.exe
  C:\Windows\System32\kTBBLkg.exe
  2⤵
  PID:12584
- C:\Windows\System32\KurwhkD.exe
  C:\Windows\System32\KurwhkD.exe
  2⤵
  PID:12608
- C:\Windows\System32\DTlhMFL.exe
  C:\Windows\System32\DTlhMFL.exe
  2⤵
  PID:12680
- C:\Windows\System32\HxYwxQm.exe
  C:\Windows\System32\HxYwxQm.exe
  2⤵
  PID:12696
- C:\Windows\System32\BbMhMaK.exe
  C:\Windows\System32\BbMhMaK.exe
  2⤵
  PID:12712
- C:\Windows\System32\NGxogft.exe
  C:\Windows\System32\NGxogft.exe
  2⤵
  PID:12728
- C:\Windows\System32\gvNzIWX.exe
  C:\Windows\System32\gvNzIWX.exe
  2⤵
  PID:12744
- C:\Windows\System32\gUSKlBf.exe
  C:\Windows\System32\gUSKlBf.exe
  2⤵
  PID:12760
- C:\Windows\System32\LFbWijP.exe
  C:\Windows\System32\LFbWijP.exe
  2⤵
  PID:12776
- C:\Windows\System32\gFzpODr.exe
  C:\Windows\System32\gFzpODr.exe
  2⤵
  PID:12792
- C:\Windows\System32\WtqslCQ.exe
  C:\Windows\System32\WtqslCQ.exe
  2⤵
  PID:12808
- C:\Windows\System32\skvojnH.exe
  C:\Windows\System32\skvojnH.exe
  2⤵
  PID:12836
- C:\Windows\System32\tvSDPMK.exe
  C:\Windows\System32\tvSDPMK.exe
  2⤵
  PID:12968
- C:\Windows\System32\aNGAYnx.exe
  C:\Windows\System32\aNGAYnx.exe
  2⤵
  PID:12984
- C:\Windows\System32\URBueTV.exe
  C:\Windows\System32\URBueTV.exe
  2⤵
  PID:13040
- C:\Windows\System32\VQSfcYp.exe
  C:\Windows\System32\VQSfcYp.exe
  2⤵
  PID:13080
- C:\Windows\System32\LAwitUy.exe
  C:\Windows\System32\LAwitUy.exe
  2⤵
  PID:13112
- C:\Windows\System32\TbgsqOf.exe
  C:\Windows\System32\TbgsqOf.exe
  2⤵
  PID:13180
- C:\Windows\System32\srfSswI.exe
  C:\Windows\System32\srfSswI.exe
  2⤵
  PID:13196
- C:\Windows\System32\YigCpWG.exe
  C:\Windows\System32\YigCpWG.exe
  2⤵
  PID:13228
- C:\Windows\System32\hDNWJKw.exe
  C:\Windows\System32\hDNWJKw.exe
  2⤵
  PID:13252
- C:\Windows\System32\WTRVKtB.exe
  C:\Windows\System32\WTRVKtB.exe
  2⤵
  PID:13272
- C:\Windows\System32\IkOSYEN.exe
  C:\Windows\System32\IkOSYEN.exe
  2⤵
  PID:12316
- C:\Windows\System32\RRSYcVg.exe
  C:\Windows\System32\RRSYcVg.exe
  2⤵
  PID:4424
- C:\Windows\System32\qNnOdOV.exe
  C:\Windows\System32\qNnOdOV.exe
  2⤵
  PID:12440
- C:\Windows\System32\NAaQCKy.exe
  C:\Windows\System32\NAaQCKy.exe
  2⤵
  PID:12476
- C:\Windows\System32\ZvHMvHa.exe
  C:\Windows\System32\ZvHMvHa.exe
  2⤵
  PID:12556
- C:\Windows\System32\vFUvHaO.exe
  C:\Windows\System32\vFUvHaO.exe
  2⤵
  PID:12600
- C:\Windows\System32\tdFjtzd.exe
  C:\Windows\System32\tdFjtzd.exe
  2⤵
  PID:12648
- C:\Windows\System32\QZxadKt.exe
  C:\Windows\System32\QZxadKt.exe
  2⤵
  PID:12736
- C:\Windows\System32\bxtysQk.exe
  C:\Windows\System32\bxtysQk.exe
  2⤵
  PID:12724
- C:\Windows\System32\RfwQhCN.exe
  C:\Windows\System32\RfwQhCN.exe
  2⤵
  PID:12660
- C:\Windows\System32\UzSRUkW.exe
  C:\Windows\System32\UzSRUkW.exe
  2⤵
  PID:12888
- C:\Windows\System32\SdKQSkI.exe
  C:\Windows\System32\SdKQSkI.exe
  2⤵
  PID:12844
- C:\Windows\System32\ogqoTOg.exe
  C:\Windows\System32\ogqoTOg.exe
  2⤵
  PID:12864
- C:\Windows\System32\hyVkWln.exe
  C:\Windows\System32\hyVkWln.exe
  2⤵
  PID:12856
- C:\Windows\System32\sayONxU.exe
  C:\Windows\System32\sayONxU.exe
  2⤵
  PID:12944
- C:\Windows\System32\yMVzxxU.exe
  C:\Windows\System32\yMVzxxU.exe
  2⤵
  PID:13024
- C:\Windows\System32\bxefHgp.exe
  C:\Windows\System32\bxefHgp.exe
  2⤵
  PID:13072
- C:\Windows\System32\eHTFAMX.exe
  C:\Windows\System32\eHTFAMX.exe
  2⤵
  PID:13212
- C:\Windows\System32\YCBwoxC.exe
  C:\Windows\System32\YCBwoxC.exe
  2⤵
  PID:13192
- C:\Windows\System32\FIAJRyV.exe
  C:\Windows\System32\FIAJRyV.exe
  2⤵
  PID:13260
- C:\Windows\System32\gOonxYz.exe
  C:\Windows\System32\gOonxYz.exe
  2⤵
  PID:2784
- C:\Windows\System32\dmttsGj.exe
  C:\Windows\System32\dmttsGj.exe
  2⤵
  PID:3696
- C:\Windows\System32\yIrkfEZ.exe
  C:\Windows\System32\yIrkfEZ.exe
  2⤵
  PID:12616
- C:\Windows\System32\YGRSfOY.exe
  C:\Windows\System32\YGRSfOY.exe
  2⤵
  PID:12740
- C:\Windows\System32\XeiNvrc.exe
  C:\Windows\System32\XeiNvrc.exe
  2⤵
  PID:12668
- C:\Windows\System32\PLSFQlz.exe
  C:\Windows\System32\PLSFQlz.exe
  2⤵
  PID:12676
- C:\Windows\System32\tgkBAyd.exe
  C:\Windows\System32\tgkBAyd.exe
  2⤵
  PID:12816
- C:\Windows\System32\OYClMfB.exe
  C:\Windows\System32\OYClMfB.exe
  2⤵
  PID:13128
- C:\Windows\System32\HWOUGRk.exe
  C:\Windows\System32\HWOUGRk.exe
  2⤵
  PID:12416

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DqaFAHo.exe

Filesize
1.6MB

MD5
896f5240abf93191eb971c3d8604e30b

SHA1
7763afd127b1bdd4bd2cb6ea7cf40d8253de5d4c

SHA256
27e63118c807c204373ad7779861208d96bdfd1e3c64edcfa3923fee5fff3fe5

SHA512
2381d55e9d5e3c8f725ad6d760aadb384656130c424049deecde8f29278a824ca768d73893f8349e59c697f39b0206b23feda7f9da9a271a94e89f555e3169c5

Download Submit
C:\Windows\System32\EEKibNQ.exe

Filesize
1.6MB

MD5
6ff533a37f7db3f05bee8bf37150b304

SHA1
ad8200267055cae33a95ecd7b89370f612b8f637

SHA256
6a7c5cd68ffbf5f02c0686bf0aa83a4155d31a26fb63997b1cfbdaeeca7950f0

SHA512
5c78ef4c0a2c14f0749a95b8a3392106ae62fd675b342dcf3baaf7285f88c380806c7710e4d7d574b1b19ff8ad44cfdc3429f3f7acc6c4a3ec3e0d49c172a617

Download Submit
C:\Windows\System32\FFUuiNX.exe

Filesize
1.6MB

MD5
cfa3366ccc249764c242cde740b8c221

SHA1
d38df8b43c03b51853e018f2ba726d7d7cae5e2c

SHA256
2dab69ed2e42cc57f934217cf26f3e6f742074a0681232c7218f523466a58824

SHA512
7dcfe5173f0df44623582ccacab69adbe2b5dea101f9a19b1d6bd5a8aa54d4803ba1727e9e47c424e8c00b2350f4e4ca21e7a66d4573663c92a1f93d91d373ef

Download Submit
C:\Windows\System32\QBGsJAS.exe

Filesize
1.6MB

MD5
50700bb51e6dda6f0a6a55eea7b8eb15

SHA1
17adeff9cff5489b217d10d68fa25aaea270e196

SHA256
687b8093ec0734a7568fd82292aaa647a014824d644ef8b4d17dd8f91c28f019

SHA512
c3a71ca39292f7c986f3161164ac671884cd3730aafce478e00f0f4851e586d319509235bafb66cddf221c9c0775461f49db5bb5e3dd3fd79786e68415ee3c9c

Download Submit
C:\Windows\System32\RWhQFCN.exe

Filesize
1.6MB

MD5
08fa07835ab578bb6fc2cbd001e0464e

SHA1
603c5a0261707fe5059370ca6f9f97126d7d1365

SHA256
6db270405c656ce4e3ac501278f2a98daa546e2e4148b2919ea30e6b9f1a331c

SHA512
b9a4f6b093da730007952b2f775d1bc66d8bcec4786a6d796d1e82004504dec6f54e0d63cc3c30fcaa0cc8751d83b148b5aabcf2a37d876eff5eb0d9c5d5df49

Download Submit
C:\Windows\System32\SHLxNDo.exe

Filesize
1.6MB

MD5
e68d63c6c859971e5d63f5d19cbed6af

SHA1
ca131f09a1f28b3972525e29c19e5b4842a61b28

SHA256
3208ff44ca06b5bf2239a8c42a9a6580ba8d66835b9c69e3eccdb6c9663b498f

SHA512
505cf09fcedc0a52b216e5748bf7c52a47253e4e8f88352f17329eb4a44056a328d5aa5331ccc2ab2e0befecc31443f3b7f36809d31e6602db266344cf3da19a

Download Submit
C:\Windows\System32\SlhLxel.exe

Filesize
1.6MB

MD5
8a84d047680bef5cb8574d2dd7ead586

SHA1
b43d5773a00224bd9ab6026686b4e06391a0fe3d

SHA256
01550653fdf272ad75d55dba0385de41aeed42f077a728b731e8d8264cada0fc

SHA512
e34f329bd6b76508fabad89b95c5020da08423ae96c09ae64bffa3678ca019dc0c411069d38dd774621eebeb2af3f074e340011b5b2204f1c228e0d34ea49ef6

Download Submit
C:\Windows\System32\UKNKlBP.exe

Filesize
1.6MB

MD5
e63d0b4216ca3c48bcc0ca0a10b1a091

SHA1
8cce4abe88bc4bc1ca56a8fe3ddba5544380cde5

SHA256
a82df2994ebad1d561ac6bee91fa522852708d5a1bce5d0024bd7246ba6d5726

SHA512
580e85c770157c5bb3b2d257efb4620a640796b4b9b788c215a2599a268350ecb4ed8c5310510238efc936c7d3d6c2c8c390a8a5c1280486bf0c96672829c785

Download Submit
C:\Windows\System32\UMIDsey.exe

Filesize
1.6MB

MD5
d59bb5f47f541525195c6fcd8538eaaf

SHA1
8c416c081a3175818d960544a7153afe25e6906b

SHA256
0f7aa24a08cb285000aa4cfe4e3b3a2fdf68620f0a20350ff9457d83f496364a

SHA512
6bc2fa1f382edf480a11e32684e3412f43ca75c3916ee1fb826cf47f439c3278b06412d38ac37eb772e82d1eab5ab10e54d55df1bc41a8cba429ce21cd7df59b

Download Submit
C:\Windows\System32\VpsiMzz.exe

Filesize
1.6MB

MD5
6505276cced50530acf421c59aaa2a38

SHA1
e67ba466b1495268bd6aa325b75899322f5b9133

SHA256
64ddb75b7eae9b8d1f3fbfc68ab3da8de014f673a5ba67501ccd4a34772f9bc3

SHA512
9054d59fd24312ffe632620d2ef83c98eaa10203ff8ea4a0f61c41b55363d04d31b5ce580183ecbc6747f9d2ae6271516972692a6cb2b1700c60658a37a9cb74

Download Submit
C:\Windows\System32\WhkNKIt.exe

Filesize
1.6MB

MD5
4b2e685ac251923cfdbd1869121ea974

SHA1
c8e31325f07bfeaac8e69bef3acb27079fe2a852

SHA256
a707651eab467c2ee276236ba05ef1fd4c4bec09a36c875c50cc38b718bd375a

SHA512
1c3e5ffd2e61a16ce15bbb23031c4cd02b806f34140b0e7ccd14efc5d2e0f75ed967ad5bbd75f86616a174a415370578d961fe44eb2f1993ea0d7b4e29b6502e

Download Submit
C:\Windows\System32\ZjZrhwq.exe

Filesize
1.6MB

MD5
7ade3aa822bfffc88fbdce236ae04841

SHA1
b893da2d33d1d60e10eb109287508034c4940064

SHA256
769d138795f0b6d06112c2503c9e4ca8a1178ae4fde689baef052ee4189b72fa

SHA512
1f57303058102bf81cb8248868d8431b49117d2a6ba4192f85ca0f4a233148987d8814d50259de3f608393db5c65444b2f05129ff424029fe30c18d7b7bea702

Download Submit
C:\Windows\System32\ayXFUAJ.exe

Filesize
1.6MB

MD5
af844af54cbc0262aefb0d735d5282f2

SHA1
87ed1d75af384e8c9ddf93d61080487e414c06f2

SHA256
87c42b9cb06e025089c5fea37b088eedd0cb09cc19dc52a39937d101925af76a

SHA512
39c6a0aca258f17af5fd42040d69c796ce65b6be46f5939e9775b6966933ba18de605447ebd653083f54b15a9ab37f0f4edcbbd47db3afd65b42bbb3d28e1105

Download Submit
C:\Windows\System32\bUBOgCy.exe

Filesize
1.6MB

MD5
001a791190cde962293ff94b505a36e0

SHA1
33af4c371fb84bdf1b2c0bcb40586e42aadcb067

SHA256
f51d0c1a7f6d6820173c8b456998d9ba103465237bd30fcfcea5348a9a7895a5

SHA512
bfa74415a73141ceaadab4e3f67c058df73e8d6df52c8a348f2d5a2d59515f83aa77c79a03fd73beadc0620960ec3a318056563323071f73d6c6dcd13456b791

Download Submit
C:\Windows\System32\cXDifHJ.exe

Filesize
1.6MB

MD5
025438f77c915490efd737963c8d117a

SHA1
8457ad0377cbbe38617588a05ab7ab57ed13bca0

SHA256
821fe6b56a42efcd8474c4f185a2c49adc77cc0b43ca98a700b8aaa62d795403

SHA512
39f5f8d3749f21e389f0c1af4d9217d99b5c7f08a21ea1c7815a1ed26a137643c0ff4ec13b3fed75d26a738c593a26c14e5cd44073ca46d79bb27412523b255e

Download Submit
C:\Windows\System32\dDCtlBX.exe

Filesize
1.6MB

MD5
b1951b0172774bd76a30c8b9e5656028

SHA1
1bfa3bc4b828915172a0a4250aadc7dfa9389036

SHA256
357a66e9cf0da5ca2158bbb174f9cbb0fb238ef83d5ef7857206af994b23b60d

SHA512
fa27afa3ece78cb479921afbf40ef01bcaa6be5a6c57c9b89bf808876de39eb08d0c5edfa47f75eb25e902cc2d8c56ddb7d38b78ffb9940f142d1c8a1c0c2b56

Download Submit
C:\Windows\System32\dGmJtdU.exe

Filesize
1.6MB

MD5
e52a6ffc8c960e591afb039c16292d05

SHA1
97ae210b42d5fb5fa44df7b739ee808b69fbd53e

SHA256
b01ad4c7878f0dc31f37da928062e84c5b8e4ba33746dc1eb8b5e22594af3bcd

SHA512
080fe09455028e3323e9f5fd83610c7b37b7e11288c8425a3950ac6f24abed9f0cdd6b8600f58df3330197f378825b26e276a5247d699e0f9170ffacc0f310d1

Download Submit
C:\Windows\System32\eHrBQok.exe

Filesize
1.6MB

MD5
63f93c519100bd3ea8d46e54831ce124

SHA1
a6649e130d1df521bf0af0a2d40938bad5182597

SHA256
b63d841a9647bc0dabfa44b76a41578bda7132fb6e2e0e5f9a01561a503247ca

SHA512
66a19fa08ac7dfa44b346f3235011e37cb27df43fc0404e130d343e6ba6ea98a3f0a4f096c96810f931be5232c92dd2da26d772c2fb6c7f7d437e60ba7a4bcb8

Download Submit
C:\Windows\System32\exgPaCy.exe

Filesize
1.6MB

MD5
f0a794dbbb341f1b8d0f285584931bd9

SHA1
b134c3dc12654ed91d66d246dd6cd53dd20534ab

SHA256
ea729fc6e1394a8d8d5f5a7bab0227dda4022f38049771da35e4779afe19a084

SHA512
c24ffb8bb7a71a1ea11f061e52735c76ba6e64eac918236f48bc66f0f2f4aa15cd285cf2ebecaa96d8bcfbef3b38ad20619f74603d797b974a358a13cb0ecd19

Download Submit
C:\Windows\System32\fGJGHHi.exe

Filesize
1.6MB

MD5
98a67ba7f7e16f49c119ef649d196483

SHA1
9d4ed0e9f5b6b4c7e92e116aa6f7cedc8f326636

SHA256
ccc9623d91b86f2ab76024a1107ed21fc6bce50222ffc9653e40e0f9e02399aa

SHA512
7016e54ac4c610693aa359b8609de13b8dfaacec5d4eccd0b2929d83a968db7ca8178549bc4ce3df14b825c4da44d1cbb0a914c5a572b232261989c5836ae8cb

Download Submit
C:\Windows\System32\fwSMjCN.exe

Filesize
1.6MB

MD5
2f105df6e8c7a1b8550e3c1bb301080a

SHA1
ac007fd15a3e69c4ebcfec741c6a46183c5b1cfd

SHA256
d44bba86cef96ea06ba7605a34c977244eff96cf7fdc44fa3ee3622e044233db

SHA512
159884ec862b18deb9370bf6fc447274c09b851c7331a43d0d6ac9f955231c45f1f9ed33b4f35b615a6da0ec717ad747526b6a98fd5f1357ec2f2cbb2fc5839d

Download Submit
C:\Windows\System32\jFhrTMh.exe

Filesize
1.6MB

MD5
f42b21a84c8e209f8316b031f58ca525

SHA1
bea91bf8bc803e05075d457c181e5c447d8d37cb

SHA256
08724ff33b4c472c349ec4f5ff3a20d1091a8284bb43cd4c3aafece89bee4e44

SHA512
b4ca6b8197f1433cbad3fe4fc7303ee0d5594bc94b2a349b308c9722b900a2704fcefd8350eb609bb01c600572a37f41ddb45726d9d95f35a7c74baf9121c3e1

Download Submit
C:\Windows\System32\jpuBnCC.exe

Filesize
1.6MB

MD5
96f6764d9f81d54892767980f4a77ed6

SHA1
3c890d925121f889ee78c8f93f67aa2caa9f36c9

SHA256
7c2dad7418cc54d858f1017d199a35ec5ba33e656c119a66088219cc863159c8

SHA512
4208348f6a6ca047614d5b853fa0f145206d230b6898dcf203d42ddc422317bb1ee339bea06fad1c13b2b59f3039af7d6dc1bf9775360508accd4c38344bfac3

Download Submit
C:\Windows\System32\lqEgGQT.exe

Filesize
1.6MB

MD5
a9537bdeaa328d6202bfea7e3d64a0d5

SHA1
760f41f41286102be3bb4754462d24a0c2fb948e

SHA256
9d5d23cd9fbf0419e05cd91c6557b5899d504e43eda9a42014e4f0b8ecc5ce47

SHA512
762ca865ffff1d087569b65bf9d9739c7eb44365eda20cd2a7571145011b2cd5f100bce3613552d11e687a88833f406696126b8e0b28837d4534e9272ecf7517

Download Submit
C:\Windows\System32\mKvfMbc.exe

Filesize
1.6MB

MD5
dce0f651aa805e135b0ebdee999c5100

SHA1
c076d5bd5671194cdcd1de644a15fd93213b0f1c

SHA256
20e6e6445902420132897e2c46bc133c71af21d079901255c8537dc07b97d87c

SHA512
e7386f723f1d43f50af2f6a05bac98dc90106c03be5328f4497f18267f4c2100162f36a5a81a93d80f4388c04ea04a981ee709bb54ede2edb1164d7574316292

Download Submit
C:\Windows\System32\mtCBFxM.exe

Filesize
1.6MB

MD5
7af92d1a01c5cd4530585ac70d22b930

SHA1
30ea8a296c91ea20244f7885b8f267140927a0be

SHA256
64a78921b6a9dc3ef04a8398c61b23467d76cdfcb3c17388863726a3bcebab8b

SHA512
ddffd3a49b88cda08303d2ff976ed352fd97710dff5f4a97d5eb039dad9059afc61b2fd6ce2b3c8d5f7bc09475160f4acb9d65faf62dfb834c2ed7eec0cbdd75

Download Submit
C:\Windows\System32\qVCruAs.exe

Filesize
1.6MB

MD5
313be433b4e371aa1af2d3dbd760dd11

SHA1
38e048a62755fc6a511c068cb1a656e81a441e7b

SHA256
a38c850be7ee58e29353c457376ac48b459ad9d22afc6db25bd0490498d61ae5

SHA512
4c77bc9df73b05e626254634cdb9070b20a89e448f6a3ece9ced8a290f3ead93d473987c4dd63c6ff2b49ab017a3c8881ea1564a6958feec817a2f859a90e662

Download Submit
C:\Windows\System32\uDIQDEp.exe

Filesize
1.6MB

MD5
f8a4fede746db53b7aaf04ff639cc0e8

SHA1
396cae277f046b45a232233513a46251b8a48f3c

SHA256
9d05068989801e1d6ff14dc933247e422755904b4b6dd76a475c152b532daea7

SHA512
236e1abbe39f7d4bb21184c290196bc3997cdf7a59c1ad44a677ea606501a8f9629741c9b06adf077a9ee04fdf71d21bd854c99805c750daf002c068a0b7f750

Download Submit
C:\Windows\System32\wqMKbUe.exe

Filesize
1.6MB

MD5
3237b2c123b3f5c2fc162730c5d9176e

SHA1
23182293dc205bb6131293b9d910d41ccc8d3c9f

SHA256
461ff2baf33c2dd6ac15625dd87f9dcd5c17045630bc2ad5599aace66750b696

SHA512
a5777f8638178e4bd4ce02591f22d8d54767d555f53de807823ba08bc2dfd46f1d09f39c3604953b1c630f7bda2cf470b10a56e07760d756daf301c666b6d0b8

Download Submit
C:\Windows\System32\xTcIgwg.exe

Filesize
1.6MB

MD5
8f093483f5ceae8c39a4f5240c93caea

SHA1
e93b7b78a656968a0f400ac2f12423437d93a8d7

SHA256
a72aa3a74c18958eaaa3b8f3a15022fd6cd609d31576b2ffea369df1ecc3052b

SHA512
798738a103e6832cdf0ada63c3e7614a0e618568ef6cbf77843c38578367e25694165747d591a0a2ff5e8e8b1119e9f74381c2d3ceea102fb2e72cc529939579

Download Submit
C:\Windows\System32\xbdeEgv.exe

Filesize
1.6MB

MD5
0873f2c9023c4c573d19a2dc1ce8a4ae

SHA1
854458f78ee07a625307eff97705fcd8f271b913

SHA256
bd72ac6d5e1cba2fae9304e8967c2fbaae9362050f036d688cf9591ca42ff6ae

SHA512
dc0f347a9994933c81747c5414980e5c9fc73e7afb01f8abedd8f389e5fb57b965e2df6af84a99b4f8416d3ef719cce2269199721ab8d2c02193445f251ee7e8

Download Submit
C:\Windows\System32\znqxdbR.exe

Filesize
1.6MB

MD5
d7856bed08ba526b20f90106a3b7efdf

SHA1
94718a90e9515d4ddc6873ed5d64f002b097c2c0

SHA256
b261d88354ee8b124037cc0379366b82bb3e707a068ab5d51f63141c5cea0cf9

SHA512
15c8830d1a31ed56a85ac3b3cccf7641ee742feb2e4bae0df843ecf3e92449f735f7b57fa2a57dc9e99aa258e86ce57a247a9ad7f182978a0680688fac340037

Download Submit
memory/856-2099-0x00007FF7D7670000-0x00007FF7D7A61000-memory.dmp

Filesize
3.9MB

Download
memory/856-112-0x00007FF7D7670000-0x00007FF7D7A61000-memory.dmp

Filesize
3.9MB

Download
memory/876-100-0x00007FF6FC100000-0x00007FF6FC4F1000-memory.dmp

Filesize
3.9MB

Download
memory/876-2090-0x00007FF6FC100000-0x00007FF6FC4F1000-memory.dmp

Filesize
3.9MB

Download
memory/960-2070-0x00007FF7357C0000-0x00007FF735BB1000-memory.dmp

Filesize
3.9MB

Download
memory/960-29-0x00007FF7357C0000-0x00007FF735BB1000-memory.dmp

Filesize
3.9MB

Download
memory/960-1875-0x00007FF7357C0000-0x00007FF735BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1016-12-0x00007FF65FB20000-0x00007FF65FF11000-memory.dmp

Filesize
3.9MB

Download
memory/1164-103-0x00007FF65C8B0000-0x00007FF65CCA1000-memory.dmp

Filesize
3.9MB

Download
memory/1164-2096-0x00007FF65C8B0000-0x00007FF65CCA1000-memory.dmp

Filesize
3.9MB

Download
memory/1380-116-0x00007FF7FE900000-0x00007FF7FECF1000-memory.dmp

Filesize
3.9MB

Download
memory/1380-2095-0x00007FF7FE900000-0x00007FF7FECF1000-memory.dmp

Filesize
3.9MB

Download
memory/1992-2105-0x00007FF609620000-0x00007FF609A11000-memory.dmp

Filesize
3.9MB

Download
memory/1992-122-0x00007FF609620000-0x00007FF609A11000-memory.dmp

Filesize
3.9MB

Download
memory/2072-2086-0x00007FF6EFED0000-0x00007FF6F02C1000-memory.dmp

Filesize
3.9MB

Download
memory/2072-81-0x00007FF6EFED0000-0x00007FF6F02C1000-memory.dmp

Filesize
3.9MB

Download
memory/2264-94-0x00007FF7FC050000-0x00007FF7FC441000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2088-0x00007FF7FC050000-0x00007FF7FC441000-memory.dmp

Filesize
3.9MB

Download
memory/2280-126-0x00007FF745ED0000-0x00007FF7462C1000-memory.dmp

Filesize
3.9MB

Download
memory/2280-2108-0x00007FF745ED0000-0x00007FF7462C1000-memory.dmp

Filesize
3.9MB

Download
memory/2408-0-0x00007FF6C2240000-0x00007FF6C2631000-memory.dmp

Filesize
3.9MB

Download
memory/2408-1867-0x00007FF6C2240000-0x00007FF6C2631000-memory.dmp

Filesize
3.9MB

Download
memory/2408-2298-0x00007FF6C2240000-0x00007FF6C2631000-memory.dmp

Filesize
3.9MB

Download
memory/2408-1-0x000001478B5F0000-0x000001478B600000-memory.dmp

Filesize
64KB

Download
memory/2416-132-0x00007FF698890000-0x00007FF698C81000-memory.dmp

Filesize
3.9MB

Download
memory/2416-2107-0x00007FF698890000-0x00007FF698C81000-memory.dmp

Filesize
3.9MB

Download
memory/2516-2106-0x00007FF71D0F0000-0x00007FF71D4E1000-memory.dmp

Filesize
3.9MB

Download
memory/2516-138-0x00007FF71D0F0000-0x00007FF71D4E1000-memory.dmp

Filesize
3.9MB

Download
memory/2648-2092-0x00007FF74CAA0000-0x00007FF74CE91000-memory.dmp

Filesize
3.9MB

Download
memory/2648-92-0x00007FF74CAA0000-0x00007FF74CE91000-memory.dmp

Filesize
3.9MB

Download
memory/2764-89-0x00007FF69D0D0000-0x00007FF69D4C1000-memory.dmp

Filesize
3.9MB

Download
memory/2764-2083-0x00007FF69D0D0000-0x00007FF69D4C1000-memory.dmp

Filesize
3.9MB

Download
memory/3236-2118-0x00007FF729290000-0x00007FF729681000-memory.dmp

Filesize
3.9MB

Download
memory/3236-150-0x00007FF729290000-0x00007FF729681000-memory.dmp

Filesize
3.9MB

Download
memory/3264-2076-0x00007FF669720000-0x00007FF669B11000-memory.dmp

Filesize
3.9MB

Download
memory/3264-61-0x00007FF669720000-0x00007FF669B11000-memory.dmp

Filesize
3.9MB

Download
memory/3336-72-0x00007FF659590000-0x00007FF659981000-memory.dmp

Filesize
3.9MB

Download
memory/3336-2085-0x00007FF659590000-0x00007FF659981000-memory.dmp

Filesize
3.9MB

Download
memory/3588-2068-0x00007FF7D5E60000-0x00007FF7D6251000-memory.dmp

Filesize
3.9MB

Download
memory/3588-84-0x00007FF7D5E60000-0x00007FF7D6251000-memory.dmp

Filesize
3.9MB

Download
memory/3720-109-0x00007FF7C60E0000-0x00007FF7C64D1000-memory.dmp

Filesize
3.9MB

Download
memory/3720-2100-0x00007FF7C60E0000-0x00007FF7C64D1000-memory.dmp

Filesize
3.9MB

Download
memory/3944-85-0x00007FF6F9200000-0x00007FF6F95F1000-memory.dmp

Filesize
3.9MB

Download
memory/3944-2072-0x00007FF6F9200000-0x00007FF6F95F1000-memory.dmp

Filesize
3.9MB

Download
memory/3952-1879-0x00007FF6A9490000-0x00007FF6A9881000-memory.dmp

Filesize
3.9MB

Download
memory/3952-2074-0x00007FF6A9490000-0x00007FF6A9881000-memory.dmp

Filesize
3.9MB

Download
memory/3952-52-0x00007FF6A9490000-0x00007FF6A9881000-memory.dmp

Filesize
3.9MB

Download
memory/4420-2078-0x00007FF7D50A0000-0x00007FF7D5491000-memory.dmp

Filesize
3.9MB

Download
memory/4420-69-0x00007FF7D50A0000-0x00007FF7D5491000-memory.dmp

Filesize
3.9MB

Download
memory/4428-2113-0x00007FF715560000-0x00007FF715951000-memory.dmp

Filesize
3.9MB

Download
memory/4428-144-0x00007FF715560000-0x00007FF715951000-memory.dmp

Filesize
3.9MB

Download
memory/4548-2081-0x00007FF712CD0000-0x00007FF7130C1000-memory.dmp

Filesize
3.9MB

Download
memory/4548-1886-0x00007FF712CD0000-0x00007FF7130C1000-memory.dmp

Filesize
3.9MB

Download
memory/4548-58-0x00007FF712CD0000-0x00007FF7130C1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads