xmrig | 04483e2d11819305a8e871dd0239a839f813f03b05ed2f5661af6fed0554ea18

Analysis

max time kernel
114s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afbb08be64a0d53cdf6dfb146e1a1500N.exe
Size

1.6MB
MD5

afbb08be64a0d53cdf6dfb146e1a1500
SHA1

971db1691833003e25446cd679a48f364cb2bcc6
SHA256

04483e2d11819305a8e871dd0239a839f813f03b05ed2f5661af6fed0554ea18
SHA512

1aa8d80d6b924414cb461a882c3bff85082d088ca72e125243499fc166c4ba1e1bcd11f31b402b7a87f2ee08c794c986e8db9a968de272df76a501fd833c7c06
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbc8lFad+tsytA7W79KvYK9+u2mqDKk:knw9oUUEEDlGUJ8Y9c87MQUSOk

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/3936-11-0x00007FF678500000-0x00007FF6788F1000-memory.dmp	xmrig
behavioral2/memory/2304-414-0x00007FF6D9940000-0x00007FF6D9D31000-memory.dmp	xmrig
behavioral2/memory/1000-415-0x00007FF655E90000-0x00007FF656281000-memory.dmp	xmrig
behavioral2/memory/4684-33-0x00007FF66AFB0000-0x00007FF66B3A1000-memory.dmp	xmrig
behavioral2/memory/4124-416-0x00007FF773E80000-0x00007FF774271000-memory.dmp	xmrig
behavioral2/memory/2360-417-0x00007FF6329A0000-0x00007FF632D91000-memory.dmp	xmrig
behavioral2/memory/4988-421-0x00007FF661F20000-0x00007FF662311000-memory.dmp	xmrig
behavioral2/memory/3764-419-0x00007FF6F4EF0000-0x00007FF6F52E1000-memory.dmp	xmrig
behavioral2/memory/2988-420-0x00007FF7221D0000-0x00007FF7225C1000-memory.dmp	xmrig
behavioral2/memory/2940-418-0x00007FF766530000-0x00007FF766921000-memory.dmp	xmrig
behavioral2/memory/244-422-0x00007FF680060000-0x00007FF680451000-memory.dmp	xmrig
behavioral2/memory/3168-424-0x00007FF7E3750000-0x00007FF7E3B41000-memory.dmp	xmrig
behavioral2/memory/3280-423-0x00007FF6048A0000-0x00007FF604C91000-memory.dmp	xmrig
behavioral2/memory/1204-425-0x00007FF615940000-0x00007FF615D31000-memory.dmp	xmrig
behavioral2/memory/548-426-0x00007FF6E27A0000-0x00007FF6E2B91000-memory.dmp	xmrig
behavioral2/memory/2060-427-0x00007FF7A4FE0000-0x00007FF7A53D1000-memory.dmp	xmrig
behavioral2/memory/664-428-0x00007FF672A10000-0x00007FF672E01000-memory.dmp	xmrig
behavioral2/memory/856-429-0x00007FF7436C0000-0x00007FF743AB1000-memory.dmp	xmrig
behavioral2/memory/2260-431-0x00007FF6D6BC0000-0x00007FF6D6FB1000-memory.dmp	xmrig
behavioral2/memory/4216-432-0x00007FF672C40000-0x00007FF673031000-memory.dmp	xmrig
behavioral2/memory/4688-430-0x00007FF7642D0000-0x00007FF7646C1000-memory.dmp	xmrig
behavioral2/memory/1100-1978-0x00007FF6FC990000-0x00007FF6FCD81000-memory.dmp	xmrig
behavioral2/memory/3632-1979-0x00007FF66AE50000-0x00007FF66B241000-memory.dmp	xmrig
behavioral2/memory/3500-1980-0x00007FF6B3830000-0x00007FF6B3C21000-memory.dmp	xmrig
behavioral2/memory/3936-1986-0x00007FF678500000-0x00007FF6788F1000-memory.dmp	xmrig
behavioral2/memory/1100-1988-0x00007FF6FC990000-0x00007FF6FCD81000-memory.dmp	xmrig
behavioral2/memory/3500-1990-0x00007FF6B3830000-0x00007FF6B3C21000-memory.dmp	xmrig
behavioral2/memory/3632-1992-0x00007FF66AE50000-0x00007FF66B241000-memory.dmp	xmrig
behavioral2/memory/4684-1994-0x00007FF66AFB0000-0x00007FF66B3A1000-memory.dmp	xmrig
behavioral2/memory/1000-2000-0x00007FF655E90000-0x00007FF656281000-memory.dmp	xmrig
behavioral2/memory/2940-2010-0x00007FF766530000-0x00007FF766921000-memory.dmp	xmrig
behavioral2/memory/548-2020-0x00007FF6E27A0000-0x00007FF6E2B91000-memory.dmp	xmrig
behavioral2/memory/2060-2022-0x00007FF7A4FE0000-0x00007FF7A53D1000-memory.dmp	xmrig
behavioral2/memory/244-2018-0x00007FF680060000-0x00007FF680451000-memory.dmp	xmrig
behavioral2/memory/3168-2016-0x00007FF7E3750000-0x00007FF7E3B41000-memory.dmp	xmrig
behavioral2/memory/1204-2012-0x00007FF615940000-0x00007FF615D31000-memory.dmp	xmrig
behavioral2/memory/2988-2006-0x00007FF7221D0000-0x00007FF7225C1000-memory.dmp	xmrig
behavioral2/memory/2360-2004-0x00007FF6329A0000-0x00007FF632D91000-memory.dmp	xmrig
behavioral2/memory/4988-2003-0x00007FF661F20000-0x00007FF662311000-memory.dmp	xmrig
behavioral2/memory/3280-2014-0x00007FF6048A0000-0x00007FF604C91000-memory.dmp	xmrig
behavioral2/memory/4124-2008-0x00007FF773E80000-0x00007FF774271000-memory.dmp	xmrig
behavioral2/memory/3764-1998-0x00007FF6F4EF0000-0x00007FF6F52E1000-memory.dmp	xmrig
behavioral2/memory/2304-1996-0x00007FF6D9940000-0x00007FF6D9D31000-memory.dmp	xmrig
behavioral2/memory/856-2026-0x00007FF7436C0000-0x00007FF743AB1000-memory.dmp	xmrig
behavioral2/memory/4216-2038-0x00007FF672C40000-0x00007FF673031000-memory.dmp	xmrig
behavioral2/memory/2260-2030-0x00007FF6D6BC0000-0x00007FF6D6FB1000-memory.dmp	xmrig
behavioral2/memory/664-2024-0x00007FF672A10000-0x00007FF672E01000-memory.dmp	xmrig
behavioral2/memory/4688-2028-0x00007FF7642D0000-0x00007FF7646C1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3936	xIRVJDV.exe
1100	oMqeNFa.exe
3632	aGzfxIm.exe
3500	hujPsiI.exe
4684	hwDGXzO.exe
2304	jqWgKmP.exe
1000	WzxtAUg.exe
4124	ekKlWyz.exe
2360	YxbmUBP.exe
2940	wMkdnty.exe
3764	XSudhmz.exe
2988	ZcuKVmM.exe
4988	AzOSAzc.exe
244	mqNKFLI.exe
3280	ADEsBVW.exe
3168	mRMiYbe.exe
1204	HazqaTB.exe
548	TrzRgRf.exe
2060	cBOWPYA.exe
664	YKCHilJ.exe
856	FJVqWDO.exe
4688	HYCxUlH.exe
2260	WDBjRDf.exe
4216	dvJkVKf.exe
4936	CCziHFV.exe
1492	pIEYzUr.exe
5084	TELIrmO.exe
3352	uNMiytm.exe
2228	DDeBgOO.exe
4436	gnQxjZU.exe
4896	hOCXGbE.exe
4828	fDgNwXT.exe
1120	eMYHbLT.exe
1488	BPThfQr.exe
4804	nEzQLiZ.exe
4220	imOtLYD.exe
4136	mjKsXqu.exe
4108	mDwkzAN.exe
832	LePiuQr.exe
728	YBzPhEd.exe
3080	Uouuyxu.exe
3600	NUiecRo.exe
4052	FVsdQtP.exe
2788	fTycupo.exe
512	xkSooXw.exe
4084	LEaaNom.exe
4576	ijzWUYU.exe
4452	fULFhHp.exe
2100	FixJGil.exe
1956	hpKDFYh.exe
3144	bcNPQIk.exe
4552	iDRHUXb.exe
4300	XtZUdbz.exe
4288	ehuNyHD.exe
3248	jneAgkk.exe
448	YDPpDUy.exe
3940	pRvPYtI.exe
4060	ZEGZBoI.exe
1008	irsUHaZ.exe
5076	ofsKYHG.exe
368	ejrmXZj.exe
2204	WWkNBoU.exe
2912	PpMaqSb.exe
3540	ePAwHcD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2688-0-0x00007FF773550000-0x00007FF773941000-memory.dmp	upx
behavioral2/files/0x000900000002345c-4.dat	upx
behavioral2/memory/3936-11-0x00007FF678500000-0x00007FF6788F1000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-10.dat	upx
behavioral2/files/0x00080000000234bc-19.dat	upx
behavioral2/files/0x00070000000234bf-28.dat	upx
behavioral2/files/0x00070000000234c0-39.dat	upx
behavioral2/files/0x00070000000234c2-49.dat	upx
behavioral2/files/0x00070000000234c4-54.dat	upx
behavioral2/files/0x00070000000234c6-64.dat	upx
behavioral2/files/0x00070000000234c7-71.dat	upx
behavioral2/files/0x00070000000234c9-78.dat	upx
behavioral2/files/0x00070000000234cb-94.dat	upx
behavioral2/files/0x00070000000234cd-101.dat	upx
behavioral2/files/0x00070000000234d1-121.dat	upx
behavioral2/files/0x00070000000234d6-149.dat	upx
behavioral2/files/0x00070000000234d9-164.dat	upx
behavioral2/memory/2304-414-0x00007FF6D9940000-0x00007FF6D9D31000-memory.dmp	upx
behavioral2/memory/1000-415-0x00007FF655E90000-0x00007FF656281000-memory.dmp	upx
behavioral2/files/0x00070000000234db-167.dat	upx
behavioral2/files/0x00070000000234da-162.dat	upx
behavioral2/files/0x00070000000234d8-159.dat	upx
behavioral2/files/0x00070000000234d7-154.dat	upx
behavioral2/files/0x00070000000234d5-144.dat	upx
behavioral2/files/0x00070000000234d4-139.dat	upx
behavioral2/files/0x00070000000234d3-134.dat	upx
behavioral2/files/0x00070000000234d2-129.dat	upx
behavioral2/files/0x00070000000234d0-116.dat	upx
behavioral2/files/0x00070000000234cf-111.dat	upx
behavioral2/files/0x00070000000234ce-106.dat	upx
behavioral2/files/0x00070000000234cc-96.dat	upx
behavioral2/files/0x00070000000234ca-89.dat	upx
behavioral2/files/0x00070000000234c8-76.dat	upx
behavioral2/files/0x00070000000234c5-61.dat	upx
behavioral2/files/0x00070000000234c3-51.dat	upx
behavioral2/files/0x00070000000234c1-44.dat	upx
behavioral2/memory/4684-33-0x00007FF66AFB0000-0x00007FF66B3A1000-memory.dmp	upx
behavioral2/memory/4124-416-0x00007FF773E80000-0x00007FF774271000-memory.dmp	upx
behavioral2/files/0x00070000000234be-26.dat	upx
behavioral2/memory/3500-23-0x00007FF6B3830000-0x00007FF6B3C21000-memory.dmp	upx
behavioral2/memory/3632-22-0x00007FF66AE50000-0x00007FF66B241000-memory.dmp	upx
behavioral2/memory/1100-12-0x00007FF6FC990000-0x00007FF6FCD81000-memory.dmp	upx
behavioral2/memory/2360-417-0x00007FF6329A0000-0x00007FF632D91000-memory.dmp	upx
behavioral2/memory/4988-421-0x00007FF661F20000-0x00007FF662311000-memory.dmp	upx
behavioral2/memory/3764-419-0x00007FF6F4EF0000-0x00007FF6F52E1000-memory.dmp	upx
behavioral2/memory/2988-420-0x00007FF7221D0000-0x00007FF7225C1000-memory.dmp	upx
behavioral2/memory/2940-418-0x00007FF766530000-0x00007FF766921000-memory.dmp	upx
behavioral2/memory/244-422-0x00007FF680060000-0x00007FF680451000-memory.dmp	upx
behavioral2/memory/3168-424-0x00007FF7E3750000-0x00007FF7E3B41000-memory.dmp	upx
behavioral2/memory/3280-423-0x00007FF6048A0000-0x00007FF604C91000-memory.dmp	upx
behavioral2/memory/1204-425-0x00007FF615940000-0x00007FF615D31000-memory.dmp	upx
behavioral2/memory/548-426-0x00007FF6E27A0000-0x00007FF6E2B91000-memory.dmp	upx
behavioral2/memory/2060-427-0x00007FF7A4FE0000-0x00007FF7A53D1000-memory.dmp	upx
behavioral2/memory/664-428-0x00007FF672A10000-0x00007FF672E01000-memory.dmp	upx
behavioral2/memory/856-429-0x00007FF7436C0000-0x00007FF743AB1000-memory.dmp	upx
behavioral2/memory/2260-431-0x00007FF6D6BC0000-0x00007FF6D6FB1000-memory.dmp	upx
behavioral2/memory/4216-432-0x00007FF672C40000-0x00007FF673031000-memory.dmp	upx
behavioral2/memory/4688-430-0x00007FF7642D0000-0x00007FF7646C1000-memory.dmp	upx
behavioral2/memory/1100-1978-0x00007FF6FC990000-0x00007FF6FCD81000-memory.dmp	upx
behavioral2/memory/3632-1979-0x00007FF66AE50000-0x00007FF66B241000-memory.dmp	upx
behavioral2/memory/3500-1980-0x00007FF6B3830000-0x00007FF6B3C21000-memory.dmp	upx
behavioral2/memory/3936-1986-0x00007FF678500000-0x00007FF6788F1000-memory.dmp	upx
behavioral2/memory/1100-1988-0x00007FF6FC990000-0x00007FF6FCD81000-memory.dmp	upx
behavioral2/memory/3500-1990-0x00007FF6B3830000-0x00007FF6B3C21000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\TrzRgRf.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\FJVqWDO.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\zSOMUiN.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\qrdAcma.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\YDPpDUy.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\EpFdLdF.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\XVbiKnU.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\QDLcanJ.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\qfyjUJk.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\RlaWbho.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\EcGXVxD.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\FffSkck.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\TnvJmDy.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\irMnagf.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\ZAWtGTk.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\afsMQYW.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\uLVILhI.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\eOoWjNY.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\kgCmAFj.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\iHRjYpB.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\HHLvhzN.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\QaWIfxz.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\PVtpZkb.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\CcthYyL.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\AMuMkaG.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\KRGZSCh.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\qyEyNNh.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\imoaZtq.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\AzOSAzc.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\dfoNMjs.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\UFJUIiI.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\LieJwIp.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\tkncbux.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\zkUXbFZ.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\EhbxkTB.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\hvaDkyE.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\UgGKUkt.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\gfmRcVx.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\zMsjBdu.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\zlCkhcZ.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\ITUKWxP.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\NxORMiM.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\iXznFgy.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\VNCcZwC.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\XSDmifw.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\RBTGpvq.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\iLtscmj.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\ApHQczl.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\hSbvWYt.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\AkOIbDq.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\yEDkfSM.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\CFSLXXr.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\dWQmQUL.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\yjntimm.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\Uouuyxu.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\cTUlRDX.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\bdaYwrR.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\NpDLfSg.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\UxnHHCY.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\cJVXcji.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\XHzWyhw.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\JoyPtcl.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\GySgaBD.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe
File created	C:\Windows\System32\eueANAT.exe	afbb08be64a0d53cdf6dfb146e1a1500N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12992	dwm.exe
Token: SeChangeNotifyPrivilege	12992	dwm.exe
Token: 33	12992	dwm.exe
Token: SeIncBasePriorityPrivilege	12992	dwm.exe
Token: SeShutdownPrivilege	12992	dwm.exe
Token: SeCreatePagefilePrivilege	12992	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 3936	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	84
PID 2688 wrote to memory of 3936	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	84
PID 2688 wrote to memory of 1100	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	85
PID 2688 wrote to memory of 1100	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	85
PID 2688 wrote to memory of 3632	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	86
PID 2688 wrote to memory of 3632	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	86
PID 2688 wrote to memory of 3500	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	87
PID 2688 wrote to memory of 3500	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	87
PID 2688 wrote to memory of 4684	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	88
PID 2688 wrote to memory of 4684	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	88
PID 2688 wrote to memory of 2304	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	89
PID 2688 wrote to memory of 2304	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	89
PID 2688 wrote to memory of 1000	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	90
PID 2688 wrote to memory of 1000	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	90
PID 2688 wrote to memory of 4124	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	91
PID 2688 wrote to memory of 4124	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	91
PID 2688 wrote to memory of 2360	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	92
PID 2688 wrote to memory of 2360	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	92
PID 2688 wrote to memory of 2940	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	93
PID 2688 wrote to memory of 2940	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	93
PID 2688 wrote to memory of 3764	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	94
PID 2688 wrote to memory of 3764	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	94
PID 2688 wrote to memory of 2988	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	95
PID 2688 wrote to memory of 2988	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	95
PID 2688 wrote to memory of 4988	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	96
PID 2688 wrote to memory of 4988	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	96
PID 2688 wrote to memory of 244	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	97
PID 2688 wrote to memory of 244	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	97
PID 2688 wrote to memory of 3280	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	98
PID 2688 wrote to memory of 3280	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	98
PID 2688 wrote to memory of 3168	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	99
PID 2688 wrote to memory of 3168	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	99
PID 2688 wrote to memory of 1204	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	100
PID 2688 wrote to memory of 1204	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	100
PID 2688 wrote to memory of 548	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	101
PID 2688 wrote to memory of 548	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	101
PID 2688 wrote to memory of 2060	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	102
PID 2688 wrote to memory of 2060	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	102
PID 2688 wrote to memory of 664	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	103
PID 2688 wrote to memory of 664	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	103
PID 2688 wrote to memory of 856	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	104
PID 2688 wrote to memory of 856	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	104
PID 2688 wrote to memory of 4688	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	105
PID 2688 wrote to memory of 4688	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	105
PID 2688 wrote to memory of 2260	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	106
PID 2688 wrote to memory of 2260	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	106
PID 2688 wrote to memory of 4216	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	107
PID 2688 wrote to memory of 4216	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	107
PID 2688 wrote to memory of 4936	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	108
PID 2688 wrote to memory of 4936	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	108
PID 2688 wrote to memory of 1492	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	109
PID 2688 wrote to memory of 1492	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	109
PID 2688 wrote to memory of 5084	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	110
PID 2688 wrote to memory of 5084	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	110
PID 2688 wrote to memory of 3352	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	111
PID 2688 wrote to memory of 3352	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	111
PID 2688 wrote to memory of 2228	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	112
PID 2688 wrote to memory of 2228	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	112
PID 2688 wrote to memory of 4436	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	113
PID 2688 wrote to memory of 4436	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	113
PID 2688 wrote to memory of 4896	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	114
PID 2688 wrote to memory of 4896	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	114
PID 2688 wrote to memory of 4828	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	115
PID 2688 wrote to memory of 4828	2688	afbb08be64a0d53cdf6dfb146e1a1500N.exe	115

C:\Users\Admin\AppData\Local\Temp\afbb08be64a0d53cdf6dfb146e1a1500N.exe
"C:\Users\Admin\AppData\Local\Temp\afbb08be64a0d53cdf6dfb146e1a1500N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\System32\xIRVJDV.exe
  C:\Windows\System32\xIRVJDV.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System32\oMqeNFa.exe
  C:\Windows\System32\oMqeNFa.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System32\aGzfxIm.exe
  C:\Windows\System32\aGzfxIm.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\hujPsiI.exe
  C:\Windows\System32\hujPsiI.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\hwDGXzO.exe
  C:\Windows\System32\hwDGXzO.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\jqWgKmP.exe
  C:\Windows\System32\jqWgKmP.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System32\WzxtAUg.exe
  C:\Windows\System32\WzxtAUg.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System32\ekKlWyz.exe
  C:\Windows\System32\ekKlWyz.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System32\YxbmUBP.exe
  C:\Windows\System32\YxbmUBP.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System32\wMkdnty.exe
  C:\Windows\System32\wMkdnty.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\XSudhmz.exe
  C:\Windows\System32\XSudhmz.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\ZcuKVmM.exe
  C:\Windows\System32\ZcuKVmM.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\AzOSAzc.exe
  C:\Windows\System32\AzOSAzc.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\mqNKFLI.exe
  C:\Windows\System32\mqNKFLI.exe
  2⤵
  - Executes dropped EXE
  PID:244
- C:\Windows\System32\ADEsBVW.exe
  C:\Windows\System32\ADEsBVW.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\mRMiYbe.exe
  C:\Windows\System32\mRMiYbe.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\HazqaTB.exe
  C:\Windows\System32\HazqaTB.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System32\TrzRgRf.exe
  C:\Windows\System32\TrzRgRf.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\cBOWPYA.exe
  C:\Windows\System32\cBOWPYA.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System32\YKCHilJ.exe
  C:\Windows\System32\YKCHilJ.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System32\FJVqWDO.exe
  C:\Windows\System32\FJVqWDO.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System32\HYCxUlH.exe
  C:\Windows\System32\HYCxUlH.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System32\WDBjRDf.exe
  C:\Windows\System32\WDBjRDf.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System32\dvJkVKf.exe
  C:\Windows\System32\dvJkVKf.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System32\CCziHFV.exe
  C:\Windows\System32\CCziHFV.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System32\pIEYzUr.exe
  C:\Windows\System32\pIEYzUr.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System32\TELIrmO.exe
  C:\Windows\System32\TELIrmO.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\uNMiytm.exe
  C:\Windows\System32\uNMiytm.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System32\DDeBgOO.exe
  C:\Windows\System32\DDeBgOO.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System32\gnQxjZU.exe
  C:\Windows\System32\gnQxjZU.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\hOCXGbE.exe
  C:\Windows\System32\hOCXGbE.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System32\fDgNwXT.exe
  C:\Windows\System32\fDgNwXT.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\eMYHbLT.exe
  C:\Windows\System32\eMYHbLT.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System32\BPThfQr.exe
  C:\Windows\System32\BPThfQr.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System32\nEzQLiZ.exe
  C:\Windows\System32\nEzQLiZ.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\imOtLYD.exe
  C:\Windows\System32\imOtLYD.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\mjKsXqu.exe
  C:\Windows\System32\mjKsXqu.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System32\mDwkzAN.exe
  C:\Windows\System32\mDwkzAN.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\LePiuQr.exe
  C:\Windows\System32\LePiuQr.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System32\YBzPhEd.exe
  C:\Windows\System32\YBzPhEd.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System32\Uouuyxu.exe
  C:\Windows\System32\Uouuyxu.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\NUiecRo.exe
  C:\Windows\System32\NUiecRo.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System32\FVsdQtP.exe
  C:\Windows\System32\FVsdQtP.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System32\fTycupo.exe
  C:\Windows\System32\fTycupo.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\xkSooXw.exe
  C:\Windows\System32\xkSooXw.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System32\LEaaNom.exe
  C:\Windows\System32\LEaaNom.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System32\ijzWUYU.exe
  C:\Windows\System32\ijzWUYU.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\fULFhHp.exe
  C:\Windows\System32\fULFhHp.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\FixJGil.exe
  C:\Windows\System32\FixJGil.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System32\hpKDFYh.exe
  C:\Windows\System32\hpKDFYh.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System32\bcNPQIk.exe
  C:\Windows\System32\bcNPQIk.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System32\iDRHUXb.exe
  C:\Windows\System32\iDRHUXb.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\XtZUdbz.exe
  C:\Windows\System32\XtZUdbz.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System32\ehuNyHD.exe
  C:\Windows\System32\ehuNyHD.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\jneAgkk.exe
  C:\Windows\System32\jneAgkk.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System32\YDPpDUy.exe
  C:\Windows\System32\YDPpDUy.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System32\pRvPYtI.exe
  C:\Windows\System32\pRvPYtI.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System32\ZEGZBoI.exe
  C:\Windows\System32\ZEGZBoI.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\irsUHaZ.exe
  C:\Windows\System32\irsUHaZ.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System32\ofsKYHG.exe
  C:\Windows\System32\ofsKYHG.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System32\ejrmXZj.exe
  C:\Windows\System32\ejrmXZj.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System32\WWkNBoU.exe
  C:\Windows\System32\WWkNBoU.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System32\PpMaqSb.exe
  C:\Windows\System32\PpMaqSb.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\ePAwHcD.exe
  C:\Windows\System32\ePAwHcD.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\JYtHJSC.exe
  C:\Windows\System32\JYtHJSC.exe
  2⤵
  PID:4800
- C:\Windows\System32\mpBvLnM.exe
  C:\Windows\System32\mpBvLnM.exe
  2⤵
  PID:4056
- C:\Windows\System32\XWXAzpO.exe
  C:\Windows\System32\XWXAzpO.exe
  2⤵
  PID:3728
- C:\Windows\System32\RyEGORf.exe
  C:\Windows\System32\RyEGORf.exe
  2⤵
  PID:3456
- C:\Windows\System32\eNlwWMB.exe
  C:\Windows\System32\eNlwWMB.exe
  2⤵
  PID:4564
- C:\Windows\System32\SToeMDX.exe
  C:\Windows\System32\SToeMDX.exe
  2⤵
  PID:1684
- C:\Windows\System32\TnvJmDy.exe
  C:\Windows\System32\TnvJmDy.exe
  2⤵
  PID:4600
- C:\Windows\System32\kgCmAFj.exe
  C:\Windows\System32\kgCmAFj.exe
  2⤵
  PID:3024
- C:\Windows\System32\kAviMze.exe
  C:\Windows\System32\kAviMze.exe
  2⤵
  PID:3548
- C:\Windows\System32\SpBXLKp.exe
  C:\Windows\System32\SpBXLKp.exe
  2⤵
  PID:2612
- C:\Windows\System32\beAIQkY.exe
  C:\Windows\System32\beAIQkY.exe
  2⤵
  PID:4352
- C:\Windows\System32\ukmdmek.exe
  C:\Windows\System32\ukmdmek.exe
  2⤵
  PID:980
- C:\Windows\System32\foBlPwz.exe
  C:\Windows\System32\foBlPwz.exe
  2⤵
  PID:4080
- C:\Windows\System32\XatqiOG.exe
  C:\Windows\System32\XatqiOG.exe
  2⤵
  PID:4348
- C:\Windows\System32\CcbxZlM.exe
  C:\Windows\System32\CcbxZlM.exe
  2⤵
  PID:4748
- C:\Windows\System32\FkoAGlB.exe
  C:\Windows\System32\FkoAGlB.exe
  2⤵
  PID:3584
- C:\Windows\System32\bnqMbej.exe
  C:\Windows\System32\bnqMbej.exe
  2⤵
  PID:2480
- C:\Windows\System32\uiTTiNE.exe
  C:\Windows\System32\uiTTiNE.exe
  2⤵
  PID:5064
- C:\Windows\System32\zgelqRB.exe
  C:\Windows\System32\zgelqRB.exe
  2⤵
  PID:1164
- C:\Windows\System32\MEnIIfe.exe
  C:\Windows\System32\MEnIIfe.exe
  2⤵
  PID:860
- C:\Windows\System32\FOTfEwf.exe
  C:\Windows\System32\FOTfEwf.exe
  2⤵
  PID:1824
- C:\Windows\System32\YfDOvHE.exe
  C:\Windows\System32\YfDOvHE.exe
  2⤵
  PID:2152
- C:\Windows\System32\CwvMkrj.exe
  C:\Windows\System32\CwvMkrj.exe
  2⤵
  PID:2676
- C:\Windows\System32\EreuLWn.exe
  C:\Windows\System32\EreuLWn.exe
  2⤵
  PID:1556
- C:\Windows\System32\hbnGFwz.exe
  C:\Windows\System32\hbnGFwz.exe
  2⤵
  PID:4572
- C:\Windows\System32\YbkQgXv.exe
  C:\Windows\System32\YbkQgXv.exe
  2⤵
  PID:4672
- C:\Windows\System32\ujzcaLD.exe
  C:\Windows\System32\ujzcaLD.exe
  2⤵
  PID:3096
- C:\Windows\System32\XSDmifw.exe
  C:\Windows\System32\XSDmifw.exe
  2⤵
  PID:1596
- C:\Windows\System32\vMWsbzN.exe
  C:\Windows\System32\vMWsbzN.exe
  2⤵
  PID:4372
- C:\Windows\System32\UIcZSqE.exe
  C:\Windows\System32\UIcZSqE.exe
  2⤵
  PID:4548
- C:\Windows\System32\irMnagf.exe
  C:\Windows\System32\irMnagf.exe
  2⤵
  PID:1176
- C:\Windows\System32\LysKndJ.exe
  C:\Windows\System32\LysKndJ.exe
  2⤵
  PID:1540
- C:\Windows\System32\WHgajdR.exe
  C:\Windows\System32\WHgajdR.exe
  2⤵
  PID:2120
- C:\Windows\System32\WcSdavH.exe
  C:\Windows\System32\WcSdavH.exe
  2⤵
  PID:5128
- C:\Windows\System32\zMsjBdu.exe
  C:\Windows\System32\zMsjBdu.exe
  2⤵
  PID:5156
- C:\Windows\System32\RBTGpvq.exe
  C:\Windows\System32\RBTGpvq.exe
  2⤵
  PID:5184
- C:\Windows\System32\oqXyCxF.exe
  C:\Windows\System32\oqXyCxF.exe
  2⤵
  PID:5212
- C:\Windows\System32\jnmbVRm.exe
  C:\Windows\System32\jnmbVRm.exe
  2⤵
  PID:5240
- C:\Windows\System32\xqDthAM.exe
  C:\Windows\System32\xqDthAM.exe
  2⤵
  PID:5268
- C:\Windows\System32\ydQLsYC.exe
  C:\Windows\System32\ydQLsYC.exe
  2⤵
  PID:5288
- C:\Windows\System32\xkHGopQ.exe
  C:\Windows\System32\xkHGopQ.exe
  2⤵
  PID:5312
- C:\Windows\System32\sDCFzdb.exe
  C:\Windows\System32\sDCFzdb.exe
  2⤵
  PID:5328
- C:\Windows\System32\cTUlRDX.exe
  C:\Windows\System32\cTUlRDX.exe
  2⤵
  PID:5344
- C:\Windows\System32\SIDraDn.exe
  C:\Windows\System32\SIDraDn.exe
  2⤵
  PID:5384
- C:\Windows\System32\BUtWplt.exe
  C:\Windows\System32\BUtWplt.exe
  2⤵
  PID:5420
- C:\Windows\System32\toUhwxm.exe
  C:\Windows\System32\toUhwxm.exe
  2⤵
  PID:5440
- C:\Windows\System32\PeesgPz.exe
  C:\Windows\System32\PeesgPz.exe
  2⤵
  PID:5468
- C:\Windows\System32\xRGHKXY.exe
  C:\Windows\System32\xRGHKXY.exe
  2⤵
  PID:5496
- C:\Windows\System32\gJrTHto.exe
  C:\Windows\System32\gJrTHto.exe
  2⤵
  PID:5524
- C:\Windows\System32\YsmXokE.exe
  C:\Windows\System32\YsmXokE.exe
  2⤵
  PID:5552
- C:\Windows\System32\iLtscmj.exe
  C:\Windows\System32\iLtscmj.exe
  2⤵
  PID:5580
- C:\Windows\System32\VMORtJp.exe
  C:\Windows\System32\VMORtJp.exe
  2⤵
  PID:5732
- C:\Windows\System32\ZAWtGTk.exe
  C:\Windows\System32\ZAWtGTk.exe
  2⤵
  PID:5760
- C:\Windows\System32\imPkNNZ.exe
  C:\Windows\System32\imPkNNZ.exe
  2⤵
  PID:5796
- C:\Windows\System32\oteTaGD.exe
  C:\Windows\System32\oteTaGD.exe
  2⤵
  PID:5844
- C:\Windows\System32\jklxSRD.exe
  C:\Windows\System32\jklxSRD.exe
  2⤵
  PID:5868
- C:\Windows\System32\VrMnBKJ.exe
  C:\Windows\System32\VrMnBKJ.exe
  2⤵
  PID:5888
- C:\Windows\System32\bRUlRmQ.exe
  C:\Windows\System32\bRUlRmQ.exe
  2⤵
  PID:5916
- C:\Windows\System32\CMYEVta.exe
  C:\Windows\System32\CMYEVta.exe
  2⤵
  PID:5936
- C:\Windows\System32\Wqdlazb.exe
  C:\Windows\System32\Wqdlazb.exe
  2⤵
  PID:5956
- C:\Windows\System32\ysbrbUP.exe
  C:\Windows\System32\ysbrbUP.exe
  2⤵
  PID:5988
- C:\Windows\System32\vMGcSzz.exe
  C:\Windows\System32\vMGcSzz.exe
  2⤵
  PID:6024
- C:\Windows\System32\XYefzaH.exe
  C:\Windows\System32\XYefzaH.exe
  2⤵
  PID:6048
- C:\Windows\System32\vYXmytw.exe
  C:\Windows\System32\vYXmytw.exe
  2⤵
  PID:6072
- C:\Windows\System32\IuFXlQw.exe
  C:\Windows\System32\IuFXlQw.exe
  2⤵
  PID:6096
- C:\Windows\System32\DbsuETV.exe
  C:\Windows\System32\DbsuETV.exe
  2⤵
  PID:6128
- C:\Windows\System32\QqFFqxY.exe
  C:\Windows\System32\QqFFqxY.exe
  2⤵
  PID:4416
- C:\Windows\System32\afsMQYW.exe
  C:\Windows\System32\afsMQYW.exe
  2⤵
  PID:4360
- C:\Windows\System32\aJkWnOL.exe
  C:\Windows\System32\aJkWnOL.exe
  2⤵
  PID:3696
- C:\Windows\System32\CvCzZEc.exe
  C:\Windows\System32\CvCzZEc.exe
  2⤵
  PID:684
- C:\Windows\System32\zkUXbFZ.exe
  C:\Windows\System32\zkUXbFZ.exe
  2⤵
  PID:5136
- C:\Windows\System32\OjLNhBy.exe
  C:\Windows\System32\OjLNhBy.exe
  2⤵
  PID:5168
- C:\Windows\System32\iNZJVgT.exe
  C:\Windows\System32\iNZJVgT.exe
  2⤵
  PID:1504
- C:\Windows\System32\oCQWOlk.exe
  C:\Windows\System32\oCQWOlk.exe
  2⤵
  PID:5320
- C:\Windows\System32\MfkwEBw.exe
  C:\Windows\System32\MfkwEBw.exe
  2⤵
  PID:3592
- C:\Windows\System32\CmAvwGF.exe
  C:\Windows\System32\CmAvwGF.exe
  2⤵
  PID:5408
- C:\Windows\System32\iEJJhKh.exe
  C:\Windows\System32\iEJJhKh.exe
  2⤵
  PID:5452
- C:\Windows\System32\uLVILhI.exe
  C:\Windows\System32\uLVILhI.exe
  2⤵
  PID:5488
- C:\Windows\System32\zGCoBgj.exe
  C:\Windows\System32\zGCoBgj.exe
  2⤵
  PID:1624
- C:\Windows\System32\dSBKpMv.exe
  C:\Windows\System32\dSBKpMv.exe
  2⤵
  PID:5532
- C:\Windows\System32\cxUXFtP.exe
  C:\Windows\System32\cxUXFtP.exe
  2⤵
  PID:1408
- C:\Windows\System32\UYMlKWx.exe
  C:\Windows\System32\UYMlKWx.exe
  2⤵
  PID:4472
- C:\Windows\System32\HDngrkh.exe
  C:\Windows\System32\HDngrkh.exe
  2⤵
  PID:3252
- C:\Windows\System32\eYQjpZN.exe
  C:\Windows\System32\eYQjpZN.exe
  2⤵
  PID:5560
- C:\Windows\System32\mLKMkro.exe
  C:\Windows\System32\mLKMkro.exe
  2⤵
  PID:5636
- C:\Windows\System32\LWnXhxD.exe
  C:\Windows\System32\LWnXhxD.exe
  2⤵
  PID:5692
- C:\Windows\System32\NSIvUPI.exe
  C:\Windows\System32\NSIvUPI.exe
  2⤵
  PID:212
- C:\Windows\System32\ngUQTgq.exe
  C:\Windows\System32\ngUQTgq.exe
  2⤵
  PID:5740
- C:\Windows\System32\OpduQEK.exe
  C:\Windows\System32\OpduQEK.exe
  2⤵
  PID:5696
- C:\Windows\System32\wVYEjJH.exe
  C:\Windows\System32\wVYEjJH.exe
  2⤵
  PID:5720
- C:\Windows\System32\wdRpfGo.exe
  C:\Windows\System32\wdRpfGo.exe
  2⤵
  PID:5860
- C:\Windows\System32\XRRYaEw.exe
  C:\Windows\System32\XRRYaEw.exe
  2⤵
  PID:5704
- C:\Windows\System32\TSToUDX.exe
  C:\Windows\System32\TSToUDX.exe
  2⤵
  PID:5944
- C:\Windows\System32\XTMItrx.exe
  C:\Windows\System32\XTMItrx.exe
  2⤵
  PID:6016
- C:\Windows\System32\ZZqtvUA.exe
  C:\Windows\System32\ZZqtvUA.exe
  2⤵
  PID:6084
- C:\Windows\System32\jMJAVUF.exe
  C:\Windows\System32\jMJAVUF.exe
  2⤵
  PID:6108
- C:\Windows\System32\EwnDvfo.exe
  C:\Windows\System32\EwnDvfo.exe
  2⤵
  PID:6136
- C:\Windows\System32\EhbxkTB.exe
  C:\Windows\System32\EhbxkTB.exe
  2⤵
  PID:1420
- C:\Windows\System32\Uryfmhy.exe
  C:\Windows\System32\Uryfmhy.exe
  2⤵
  PID:5296
- C:\Windows\System32\pRqFLtW.exe
  C:\Windows\System32\pRqFLtW.exe
  2⤵
  PID:5396
- C:\Windows\System32\rMoMKOL.exe
  C:\Windows\System32\rMoMKOL.exe
  2⤵
  PID:1584
- C:\Windows\System32\PFjRqqs.exe
  C:\Windows\System32\PFjRqqs.exe
  2⤵
  PID:4428
- C:\Windows\System32\JoyPtcl.exe
  C:\Windows\System32\JoyPtcl.exe
  2⤵
  PID:2208
- C:\Windows\System32\kIpkSBL.exe
  C:\Windows\System32\kIpkSBL.exe
  2⤵
  PID:1156
- C:\Windows\System32\YCTEiYH.exe
  C:\Windows\System32\YCTEiYH.exe
  2⤵
  PID:2548
- C:\Windows\System32\ApHQczl.exe
  C:\Windows\System32\ApHQczl.exe
  2⤵
  PID:5908
- C:\Windows\System32\LhXttie.exe
  C:\Windows\System32\LhXttie.exe
  2⤵
  PID:2036
- C:\Windows\System32\DKbgaki.exe
  C:\Windows\System32\DKbgaki.exe
  2⤵
  PID:4728
- C:\Windows\System32\kstEToR.exe
  C:\Windows\System32\kstEToR.exe
  2⤵
  PID:1332
- C:\Windows\System32\BGdCDyI.exe
  C:\Windows\System32\BGdCDyI.exe
  2⤵
  PID:3376
- C:\Windows\System32\izIYQiK.exe
  C:\Windows\System32\izIYQiK.exe
  2⤵
  PID:2252
- C:\Windows\System32\qVtqItJ.exe
  C:\Windows\System32\qVtqItJ.exe
  2⤵
  PID:5876
- C:\Windows\System32\MSZsMYw.exe
  C:\Windows\System32\MSZsMYw.exe
  2⤵
  PID:5952
- C:\Windows\System32\euMMpSi.exe
  C:\Windows\System32\euMMpSi.exe
  2⤵
  PID:5564
- C:\Windows\System32\rlzuHBZ.exe
  C:\Windows\System32\rlzuHBZ.exe
  2⤵
  PID:5880
- C:\Windows\System32\yKeuXjw.exe
  C:\Windows\System32\yKeuXjw.exe
  2⤵
  PID:6152
- C:\Windows\System32\cCTrtQA.exe
  C:\Windows\System32\cCTrtQA.exe
  2⤵
  PID:6188
- C:\Windows\System32\QADaYHg.exe
  C:\Windows\System32\QADaYHg.exe
  2⤵
  PID:6228
- C:\Windows\System32\oAlmTcG.exe
  C:\Windows\System32\oAlmTcG.exe
  2⤵
  PID:6280
- C:\Windows\System32\yYkOPTL.exe
  C:\Windows\System32\yYkOPTL.exe
  2⤵
  PID:6296
- C:\Windows\System32\AhPSRzq.exe
  C:\Windows\System32\AhPSRzq.exe
  2⤵
  PID:6316
- C:\Windows\System32\MVntGXr.exe
  C:\Windows\System32\MVntGXr.exe
  2⤵
  PID:6336
- C:\Windows\System32\PwsSBzO.exe
  C:\Windows\System32\PwsSBzO.exe
  2⤵
  PID:6368
- C:\Windows\System32\mlVXIWF.exe
  C:\Windows\System32\mlVXIWF.exe
  2⤵
  PID:6396
- C:\Windows\System32\PVtpZkb.exe
  C:\Windows\System32\PVtpZkb.exe
  2⤵
  PID:6416
- C:\Windows\System32\vDDyHGX.exe
  C:\Windows\System32\vDDyHGX.exe
  2⤵
  PID:6440
- C:\Windows\System32\QGrXoio.exe
  C:\Windows\System32\QGrXoio.exe
  2⤵
  PID:6468
- C:\Windows\System32\FLjsHLs.exe
  C:\Windows\System32\FLjsHLs.exe
  2⤵
  PID:6488
- C:\Windows\System32\ttzyNWw.exe
  C:\Windows\System32\ttzyNWw.exe
  2⤵
  PID:6512
- C:\Windows\System32\tIlMzUR.exe
  C:\Windows\System32\tIlMzUR.exe
  2⤵
  PID:6576
- C:\Windows\System32\dxEsAmC.exe
  C:\Windows\System32\dxEsAmC.exe
  2⤵
  PID:6608
- C:\Windows\System32\aabUyLa.exe
  C:\Windows\System32\aabUyLa.exe
  2⤵
  PID:6628
- C:\Windows\System32\XOjFXCY.exe
  C:\Windows\System32\XOjFXCY.exe
  2⤵
  PID:6648
- C:\Windows\System32\NfCqHov.exe
  C:\Windows\System32\NfCqHov.exe
  2⤵
  PID:6668
- C:\Windows\System32\ErdoJSR.exe
  C:\Windows\System32\ErdoJSR.exe
  2⤵
  PID:6688
- C:\Windows\System32\wySkDrA.exe
  C:\Windows\System32\wySkDrA.exe
  2⤵
  PID:6740
- C:\Windows\System32\CXDaRFY.exe
  C:\Windows\System32\CXDaRFY.exe
  2⤵
  PID:6764
- C:\Windows\System32\yWHqqim.exe
  C:\Windows\System32\yWHqqim.exe
  2⤵
  PID:6780
- C:\Windows\System32\lvhtDiW.exe
  C:\Windows\System32\lvhtDiW.exe
  2⤵
  PID:6800
- C:\Windows\System32\AhWXnhb.exe
  C:\Windows\System32\AhWXnhb.exe
  2⤵
  PID:6824
- C:\Windows\System32\CcthYyL.exe
  C:\Windows\System32\CcthYyL.exe
  2⤵
  PID:6904
- C:\Windows\System32\rKYBYoY.exe
  C:\Windows\System32\rKYBYoY.exe
  2⤵
  PID:6928
- C:\Windows\System32\ZBfdhGw.exe
  C:\Windows\System32\ZBfdhGw.exe
  2⤵
  PID:6952
- C:\Windows\System32\NMbqDVM.exe
  C:\Windows\System32\NMbqDVM.exe
  2⤵
  PID:6976
- C:\Windows\System32\ogSKmMP.exe
  C:\Windows\System32\ogSKmMP.exe
  2⤵
  PID:7000
- C:\Windows\System32\zlCkhcZ.exe
  C:\Windows\System32\zlCkhcZ.exe
  2⤵
  PID:7016
- C:\Windows\System32\EpFdLdF.exe
  C:\Windows\System32\EpFdLdF.exe
  2⤵
  PID:7036
- C:\Windows\System32\WxUBeOc.exe
  C:\Windows\System32\WxUBeOc.exe
  2⤵
  PID:7064
- C:\Windows\System32\PjeOybg.exe
  C:\Windows\System32\PjeOybg.exe
  2⤵
  PID:7096
- C:\Windows\System32\dUPqUKf.exe
  C:\Windows\System32\dUPqUKf.exe
  2⤵
  PID:7112
- C:\Windows\System32\mqsUkeS.exe
  C:\Windows\System32\mqsUkeS.exe
  2⤵
  PID:7128
- C:\Windows\System32\OsgnVnP.exe
  C:\Windows\System32\OsgnVnP.exe
  2⤵
  PID:6164
- C:\Windows\System32\WQzYSmu.exe
  C:\Windows\System32\WQzYSmu.exe
  2⤵
  PID:6264
- C:\Windows\System32\EvGNMIB.exe
  C:\Windows\System32\EvGNMIB.exe
  2⤵
  PID:6292
- C:\Windows\System32\XXgTjOj.exe
  C:\Windows\System32\XXgTjOj.exe
  2⤵
  PID:6348
- C:\Windows\System32\FCjBuBg.exe
  C:\Windows\System32\FCjBuBg.exe
  2⤵
  PID:6392
- C:\Windows\System32\AKFQLUY.exe
  C:\Windows\System32\AKFQLUY.exe
  2⤵
  PID:6500
- C:\Windows\System32\jDPegPH.exe
  C:\Windows\System32\jDPegPH.exe
  2⤵
  PID:6496
- C:\Windows\System32\BRKvcbh.exe
  C:\Windows\System32\BRKvcbh.exe
  2⤵
  PID:6584
- C:\Windows\System32\nqAqOVV.exe
  C:\Windows\System32\nqAqOVV.exe
  2⤵
  PID:6640
- C:\Windows\System32\cChbXMs.exe
  C:\Windows\System32\cChbXMs.exe
  2⤵
  PID:6724
- C:\Windows\System32\NyIfYlb.exe
  C:\Windows\System32\NyIfYlb.exe
  2⤵
  PID:6796
- C:\Windows\System32\avGzBXV.exe
  C:\Windows\System32\avGzBXV.exe
  2⤵
  PID:6832
- C:\Windows\System32\omVqyAX.exe
  C:\Windows\System32\omVqyAX.exe
  2⤵
  PID:6816
- C:\Windows\System32\iGSwxJL.exe
  C:\Windows\System32\iGSwxJL.exe
  2⤵
  PID:6912
- C:\Windows\System32\ZlrNAOf.exe
  C:\Windows\System32\ZlrNAOf.exe
  2⤵
  PID:6968
- C:\Windows\System32\TzYLIHc.exe
  C:\Windows\System32\TzYLIHc.exe
  2⤵
  PID:6960
- C:\Windows\System32\qLYJpvy.exe
  C:\Windows\System32\qLYJpvy.exe
  2⤵
  PID:5772
- C:\Windows\System32\xhiAhzb.exe
  C:\Windows\System32\xhiAhzb.exe
  2⤵
  PID:6380
- C:\Windows\System32\IXMIbGm.exe
  C:\Windows\System32\IXMIbGm.exe
  2⤵
  PID:6536
- C:\Windows\System32\OzayLHU.exe
  C:\Windows\System32\OzayLHU.exe
  2⤵
  PID:6568
- C:\Windows\System32\GySgaBD.exe
  C:\Windows\System32\GySgaBD.exe
  2⤵
  PID:6792
- C:\Windows\System32\kkSqwkY.exe
  C:\Windows\System32\kkSqwkY.exe
  2⤵
  PID:6892
- C:\Windows\System32\TSauCKK.exe
  C:\Windows\System32\TSauCKK.exe
  2⤵
  PID:6864
- C:\Windows\System32\PtqPEdD.exe
  C:\Windows\System32\PtqPEdD.exe
  2⤵
  PID:6172
- C:\Windows\System32\QQSqxBi.exe
  C:\Windows\System32\QQSqxBi.exe
  2⤵
  PID:6664
- C:\Windows\System32\vEeUWKZ.exe
  C:\Windows\System32\vEeUWKZ.exe
  2⤵
  PID:6480
- C:\Windows\System32\RHDeVZU.exe
  C:\Windows\System32\RHDeVZU.exe
  2⤵
  PID:6604
- C:\Windows\System32\PXRRDmC.exe
  C:\Windows\System32\PXRRDmC.exe
  2⤵
  PID:7180
- C:\Windows\System32\CeBpMoQ.exe
  C:\Windows\System32\CeBpMoQ.exe
  2⤵
  PID:7204
- C:\Windows\System32\rgaOqrA.exe
  C:\Windows\System32\rgaOqrA.exe
  2⤵
  PID:7232
- C:\Windows\System32\VgmyOYI.exe
  C:\Windows\System32\VgmyOYI.exe
  2⤵
  PID:7296
- C:\Windows\System32\GBmrFlP.exe
  C:\Windows\System32\GBmrFlP.exe
  2⤵
  PID:7324
- C:\Windows\System32\CQgEKDH.exe
  C:\Windows\System32\CQgEKDH.exe
  2⤵
  PID:7348
- C:\Windows\System32\hSbvWYt.exe
  C:\Windows\System32\hSbvWYt.exe
  2⤵
  PID:7368
- C:\Windows\System32\uQvKmMl.exe
  C:\Windows\System32\uQvKmMl.exe
  2⤵
  PID:7388
- C:\Windows\System32\YrpEgOt.exe
  C:\Windows\System32\YrpEgOt.exe
  2⤵
  PID:7440
- C:\Windows\System32\NzArKlc.exe
  C:\Windows\System32\NzArKlc.exe
  2⤵
  PID:7464
- C:\Windows\System32\XifspmF.exe
  C:\Windows\System32\XifspmF.exe
  2⤵
  PID:7492
- C:\Windows\System32\wpXjYcH.exe
  C:\Windows\System32\wpXjYcH.exe
  2⤵
  PID:7516
- C:\Windows\System32\ksTVVRP.exe
  C:\Windows\System32\ksTVVRP.exe
  2⤵
  PID:7532
- C:\Windows\System32\rfMDKnY.exe
  C:\Windows\System32\rfMDKnY.exe
  2⤵
  PID:7552
- C:\Windows\System32\tmVXZvk.exe
  C:\Windows\System32\tmVXZvk.exe
  2⤵
  PID:7572
- C:\Windows\System32\aUzYwbc.exe
  C:\Windows\System32\aUzYwbc.exe
  2⤵
  PID:7592
- C:\Windows\System32\KgUqEwj.exe
  C:\Windows\System32\KgUqEwj.exe
  2⤵
  PID:7612
- C:\Windows\System32\LWxjBxL.exe
  C:\Windows\System32\LWxjBxL.exe
  2⤵
  PID:7636
- C:\Windows\System32\sBQxxLQ.exe
  C:\Windows\System32\sBQxxLQ.exe
  2⤵
  PID:7684
- C:\Windows\System32\eueANAT.exe
  C:\Windows\System32\eueANAT.exe
  2⤵
  PID:7716
- C:\Windows\System32\LbIzbrG.exe
  C:\Windows\System32\LbIzbrG.exe
  2⤵
  PID:7748
- C:\Windows\System32\StpfMSR.exe
  C:\Windows\System32\StpfMSR.exe
  2⤵
  PID:7768
- C:\Windows\System32\ITUKWxP.exe
  C:\Windows\System32\ITUKWxP.exe
  2⤵
  PID:7808
- C:\Windows\System32\bKLmMAm.exe
  C:\Windows\System32\bKLmMAm.exe
  2⤵
  PID:7832
- C:\Windows\System32\WqSOEKY.exe
  C:\Windows\System32\WqSOEKY.exe
  2⤵
  PID:7884
- C:\Windows\System32\BiXKhIm.exe
  C:\Windows\System32\BiXKhIm.exe
  2⤵
  PID:7900
- C:\Windows\System32\lETmebX.exe
  C:\Windows\System32\lETmebX.exe
  2⤵
  PID:7928
- C:\Windows\System32\ujqwhWJ.exe
  C:\Windows\System32\ujqwhWJ.exe
  2⤵
  PID:7944
- C:\Windows\System32\ZSIZlFx.exe
  C:\Windows\System32\ZSIZlFx.exe
  2⤵
  PID:7960
- C:\Windows\System32\hdWemfM.exe
  C:\Windows\System32\hdWemfM.exe
  2⤵
  PID:8004
- C:\Windows\System32\qqWHPud.exe
  C:\Windows\System32\qqWHPud.exe
  2⤵
  PID:8040
- C:\Windows\System32\JzqQpUs.exe
  C:\Windows\System32\JzqQpUs.exe
  2⤵
  PID:8060
- C:\Windows\System32\QjQmMXz.exe
  C:\Windows\System32\QjQmMXz.exe
  2⤵
  PID:8104
- C:\Windows\System32\ksjmkXV.exe
  C:\Windows\System32\ksjmkXV.exe
  2⤵
  PID:8132
- C:\Windows\System32\oSrReNv.exe
  C:\Windows\System32\oSrReNv.exe
  2⤵
  PID:8152
- C:\Windows\System32\IjGHffc.exe
  C:\Windows\System32\IjGHffc.exe
  2⤵
  PID:8168
- C:\Windows\System32\BYUdrNt.exe
  C:\Windows\System32\BYUdrNt.exe
  2⤵
  PID:7140
- C:\Windows\System32\ZnsLRYE.exe
  C:\Windows\System32\ZnsLRYE.exe
  2⤵
  PID:7216
- C:\Windows\System32\QmDINtP.exe
  C:\Windows\System32\QmDINtP.exe
  2⤵
  PID:7252
- C:\Windows\System32\QNIiSwj.exe
  C:\Windows\System32\QNIiSwj.exe
  2⤵
  PID:7308
- C:\Windows\System32\apQVUoC.exe
  C:\Windows\System32\apQVUoC.exe
  2⤵
  PID:7360
- C:\Windows\System32\AsbJHKq.exe
  C:\Windows\System32\AsbJHKq.exe
  2⤵
  PID:7420
- C:\Windows\System32\dfoNMjs.exe
  C:\Windows\System32\dfoNMjs.exe
  2⤵
  PID:7448
- C:\Windows\System32\ypNunUz.exe
  C:\Windows\System32\ypNunUz.exe
  2⤵
  PID:7544
- C:\Windows\System32\YnCiNHc.exe
  C:\Windows\System32\YnCiNHc.exe
  2⤵
  PID:7608
- C:\Windows\System32\XvPRUEU.exe
  C:\Windows\System32\XvPRUEU.exe
  2⤵
  PID:7620
- C:\Windows\System32\XCCeQax.exe
  C:\Windows\System32\XCCeQax.exe
  2⤵
  PID:7732
- C:\Windows\System32\PaXwyBs.exe
  C:\Windows\System32\PaXwyBs.exe
  2⤵
  PID:7776
- C:\Windows\System32\rxCheWz.exe
  C:\Windows\System32\rxCheWz.exe
  2⤵
  PID:7828
- C:\Windows\System32\ctnfcec.exe
  C:\Windows\System32\ctnfcec.exe
  2⤵
  PID:7892
- C:\Windows\System32\hkOwWRL.exe
  C:\Windows\System32\hkOwWRL.exe
  2⤵
  PID:7972
- C:\Windows\System32\FevtGuH.exe
  C:\Windows\System32\FevtGuH.exe
  2⤵
  PID:8072
- C:\Windows\System32\sZRKweb.exe
  C:\Windows\System32\sZRKweb.exe
  2⤵
  PID:8144
- C:\Windows\System32\YNUnLEl.exe
  C:\Windows\System32\YNUnLEl.exe
  2⤵
  PID:8180
- C:\Windows\System32\ZVZooFV.exe
  C:\Windows\System32\ZVZooFV.exe
  2⤵
  PID:6776
- C:\Windows\System32\UhDtdXS.exe
  C:\Windows\System32\UhDtdXS.exe
  2⤵
  PID:7396
- C:\Windows\System32\pwaUHJG.exe
  C:\Windows\System32\pwaUHJG.exe
  2⤵
  PID:7432
- C:\Windows\System32\cocGKFx.exe
  C:\Windows\System32\cocGKFx.exe
  2⤵
  PID:7564
- C:\Windows\System32\bPoZHCa.exe
  C:\Windows\System32\bPoZHCa.exe
  2⤵
  PID:7912
- C:\Windows\System32\jTFVpSO.exe
  C:\Windows\System32\jTFVpSO.exe
  2⤵
  PID:7816
- C:\Windows\System32\bdaYwrR.exe
  C:\Windows\System32\bdaYwrR.exe
  2⤵
  PID:8184
- C:\Windows\System32\jbQycGa.exe
  C:\Windows\System32\jbQycGa.exe
  2⤵
  PID:7400
- C:\Windows\System32\oVyCHwX.exe
  C:\Windows\System32\oVyCHwX.exe
  2⤵
  PID:7704
- C:\Windows\System32\QIrYmOM.exe
  C:\Windows\System32\QIrYmOM.exe
  2⤵
  PID:7200
- C:\Windows\System32\bNNsyRa.exe
  C:\Windows\System32\bNNsyRa.exe
  2⤵
  PID:7652
- C:\Windows\System32\TEMLCFl.exe
  C:\Windows\System32\TEMLCFl.exe
  2⤵
  PID:8224
- C:\Windows\System32\Oqetagr.exe
  C:\Windows\System32\Oqetagr.exe
  2⤵
  PID:8248
- C:\Windows\System32\XCdtRYG.exe
  C:\Windows\System32\XCdtRYG.exe
  2⤵
  PID:8276
- C:\Windows\System32\icLifel.exe
  C:\Windows\System32\icLifel.exe
  2⤵
  PID:8296
- C:\Windows\System32\dXRKPFN.exe
  C:\Windows\System32\dXRKPFN.exe
  2⤵
  PID:8340
- C:\Windows\System32\zAFfrEp.exe
  C:\Windows\System32\zAFfrEp.exe
  2⤵
  PID:8376
- C:\Windows\System32\AAhgwIy.exe
  C:\Windows\System32\AAhgwIy.exe
  2⤵
  PID:8404
- C:\Windows\System32\FHwaEzz.exe
  C:\Windows\System32\FHwaEzz.exe
  2⤵
  PID:8432
- C:\Windows\System32\uGqjQoc.exe
  C:\Windows\System32\uGqjQoc.exe
  2⤵
  PID:8464
- C:\Windows\System32\ASnPoOD.exe
  C:\Windows\System32\ASnPoOD.exe
  2⤵
  PID:8492
- C:\Windows\System32\ofPSRqp.exe
  C:\Windows\System32\ofPSRqp.exe
  2⤵
  PID:8508
- C:\Windows\System32\elCyygS.exe
  C:\Windows\System32\elCyygS.exe
  2⤵
  PID:8524
- C:\Windows\System32\tKmqvVX.exe
  C:\Windows\System32\tKmqvVX.exe
  2⤵
  PID:8552
- C:\Windows\System32\WlmHucq.exe
  C:\Windows\System32\WlmHucq.exe
  2⤵
  PID:8572
- C:\Windows\System32\AkOIbDq.exe
  C:\Windows\System32\AkOIbDq.exe
  2⤵
  PID:8616
- C:\Windows\System32\QaxqCdi.exe
  C:\Windows\System32\QaxqCdi.exe
  2⤵
  PID:8640
- C:\Windows\System32\rUiRQmO.exe
  C:\Windows\System32\rUiRQmO.exe
  2⤵
  PID:8660
- C:\Windows\System32\NxORMiM.exe
  C:\Windows\System32\NxORMiM.exe
  2⤵
  PID:8692
- C:\Windows\System32\dixMffb.exe
  C:\Windows\System32\dixMffb.exe
  2⤵
  PID:8708
- C:\Windows\System32\JpXCNwE.exe
  C:\Windows\System32\JpXCNwE.exe
  2⤵
  PID:8736
- C:\Windows\System32\BclTvPG.exe
  C:\Windows\System32\BclTvPG.exe
  2⤵
  PID:8872
- C:\Windows\System32\kUUNHyT.exe
  C:\Windows\System32\kUUNHyT.exe
  2⤵
  PID:8892
- C:\Windows\System32\BhFTNUW.exe
  C:\Windows\System32\BhFTNUW.exe
  2⤵
  PID:8908
- C:\Windows\System32\fVJzzHJ.exe
  C:\Windows\System32\fVJzzHJ.exe
  2⤵
  PID:8924
- C:\Windows\System32\jcfoLeT.exe
  C:\Windows\System32\jcfoLeT.exe
  2⤵
  PID:8940
- C:\Windows\System32\xvqQGyL.exe
  C:\Windows\System32\xvqQGyL.exe
  2⤵
  PID:8956
- C:\Windows\System32\XVbiKnU.exe
  C:\Windows\System32\XVbiKnU.exe
  2⤵
  PID:8972
- C:\Windows\System32\QJQoBbk.exe
  C:\Windows\System32\QJQoBbk.exe
  2⤵
  PID:8988
- C:\Windows\System32\duOaUnw.exe
  C:\Windows\System32\duOaUnw.exe
  2⤵
  PID:9004
- C:\Windows\System32\tZOeRgU.exe
  C:\Windows\System32\tZOeRgU.exe
  2⤵
  PID:9020
- C:\Windows\System32\AMuMkaG.exe
  C:\Windows\System32\AMuMkaG.exe
  2⤵
  PID:9036
- C:\Windows\System32\kkITcCR.exe
  C:\Windows\System32\kkITcCR.exe
  2⤵
  PID:9052
- C:\Windows\System32\dddBpUv.exe
  C:\Windows\System32\dddBpUv.exe
  2⤵
  PID:9068
- C:\Windows\System32\BeKkNMS.exe
  C:\Windows\System32\BeKkNMS.exe
  2⤵
  PID:9088
- C:\Windows\System32\yTzraTu.exe
  C:\Windows\System32\yTzraTu.exe
  2⤵
  PID:9104
- C:\Windows\System32\eXGffAq.exe
  C:\Windows\System32\eXGffAq.exe
  2⤵
  PID:9120
- C:\Windows\System32\hvaDkyE.exe
  C:\Windows\System32\hvaDkyE.exe
  2⤵
  PID:9136
- C:\Windows\System32\wVDPQfx.exe
  C:\Windows\System32\wVDPQfx.exe
  2⤵
  PID:9152
- C:\Windows\System32\gCEoUXb.exe
  C:\Windows\System32\gCEoUXb.exe
  2⤵
  PID:9168
- C:\Windows\System32\hyVggzo.exe
  C:\Windows\System32\hyVggzo.exe
  2⤵
  PID:9184
- C:\Windows\System32\yEDkfSM.exe
  C:\Windows\System32\yEDkfSM.exe
  2⤵
  PID:8232
- C:\Windows\System32\NXonAfv.exe
  C:\Windows\System32\NXonAfv.exe
  2⤵
  PID:4368
- C:\Windows\System32\GoxdWrb.exe
  C:\Windows\System32\GoxdWrb.exe
  2⤵
  PID:8336
- C:\Windows\System32\qSUFumk.exe
  C:\Windows\System32\qSUFumk.exe
  2⤵
  PID:8504
- C:\Windows\System32\vMIZsRP.exe
  C:\Windows\System32\vMIZsRP.exe
  2⤵
  PID:8604
- C:\Windows\System32\XXXrEun.exe
  C:\Windows\System32\XXXrEun.exe
  2⤵
  PID:8748
- C:\Windows\System32\VCOPGqf.exe
  C:\Windows\System32\VCOPGqf.exe
  2⤵
  PID:9116
- C:\Windows\System32\MjQytbI.exe
  C:\Windows\System32\MjQytbI.exe
  2⤵
  PID:8800
- C:\Windows\System32\rWPurrI.exe
  C:\Windows\System32\rWPurrI.exe
  2⤵
  PID:8844
- C:\Windows\System32\URaEhnC.exe
  C:\Windows\System32\URaEhnC.exe
  2⤵
  PID:8680
- C:\Windows\System32\bllOMJc.exe
  C:\Windows\System32\bllOMJc.exe
  2⤵
  PID:9148
- C:\Windows\System32\qfyjUJk.exe
  C:\Windows\System32\qfyjUJk.exe
  2⤵
  PID:9208
- C:\Windows\System32\roFRzdb.exe
  C:\Windows\System32\roFRzdb.exe
  2⤵
  PID:8272
- C:\Windows\System32\usuJmfn.exe
  C:\Windows\System32\usuJmfn.exe
  2⤵
  PID:8652
- C:\Windows\System32\MSTiVSC.exe
  C:\Windows\System32\MSTiVSC.exe
  2⤵
  PID:8732
- C:\Windows\System32\cNwutNS.exe
  C:\Windows\System32\cNwutNS.exe
  2⤵
  PID:9064
- C:\Windows\System32\DjyffJk.exe
  C:\Windows\System32\DjyffJk.exe
  2⤵
  PID:8364
- C:\Windows\System32\nKcxUqf.exe
  C:\Windows\System32\nKcxUqf.exe
  2⤵
  PID:8648
- C:\Windows\System32\dGEPYqT.exe
  C:\Windows\System32\dGEPYqT.exe
  2⤵
  PID:9192
- C:\Windows\System32\gvVAMZY.exe
  C:\Windows\System32\gvVAMZY.exe
  2⤵
  PID:8292
- C:\Windows\System32\xynvQlp.exe
  C:\Windows\System32\xynvQlp.exe
  2⤵
  PID:9132
- C:\Windows\System32\fyBTFur.exe
  C:\Windows\System32\fyBTFur.exe
  2⤵
  PID:9128
- C:\Windows\System32\ndkuGhA.exe
  C:\Windows\System32\ndkuGhA.exe
  2⤵
  PID:9204
- C:\Windows\System32\veWEeSl.exe
  C:\Windows\System32\veWEeSl.exe
  2⤵
  PID:8772
- C:\Windows\System32\avZErNT.exe
  C:\Windows\System32\avZErNT.exe
  2⤵
  PID:9232
- C:\Windows\System32\hzHEHCc.exe
  C:\Windows\System32\hzHEHCc.exe
  2⤵
  PID:9268
- C:\Windows\System32\wyyKEdp.exe
  C:\Windows\System32\wyyKEdp.exe
  2⤵
  PID:9308
- C:\Windows\System32\wUAMZWU.exe
  C:\Windows\System32\wUAMZWU.exe
  2⤵
  PID:9336
- C:\Windows\System32\gmvsngr.exe
  C:\Windows\System32\gmvsngr.exe
  2⤵
  PID:9352
- C:\Windows\System32\UgGKUkt.exe
  C:\Windows\System32\UgGKUkt.exe
  2⤵
  PID:9380
- C:\Windows\System32\uXbbYNa.exe
  C:\Windows\System32\uXbbYNa.exe
  2⤵
  PID:9400
- C:\Windows\System32\eOoWjNY.exe
  C:\Windows\System32\eOoWjNY.exe
  2⤵
  PID:9448
- C:\Windows\System32\JjzAHei.exe
  C:\Windows\System32\JjzAHei.exe
  2⤵
  PID:9476
- C:\Windows\System32\VWwPkTI.exe
  C:\Windows\System32\VWwPkTI.exe
  2⤵
  PID:9516
- C:\Windows\System32\lwFlWHM.exe
  C:\Windows\System32\lwFlWHM.exe
  2⤵
  PID:9532
- C:\Windows\System32\KjIKfvm.exe
  C:\Windows\System32\KjIKfvm.exe
  2⤵
  PID:9564
- C:\Windows\System32\YhliTMc.exe
  C:\Windows\System32\YhliTMc.exe
  2⤵
  PID:9588
- C:\Windows\System32\RlaWbho.exe
  C:\Windows\System32\RlaWbho.exe
  2⤵
  PID:9604
- C:\Windows\System32\aQGhcNw.exe
  C:\Windows\System32\aQGhcNw.exe
  2⤵
  PID:9628
- C:\Windows\System32\xNbWbCJ.exe
  C:\Windows\System32\xNbWbCJ.exe
  2⤵
  PID:9664
- C:\Windows\System32\xEuJOYC.exe
  C:\Windows\System32\xEuJOYC.exe
  2⤵
  PID:9684
- C:\Windows\System32\qYumCTW.exe
  C:\Windows\System32\qYumCTW.exe
  2⤵
  PID:9704
- C:\Windows\System32\HsbPZPh.exe
  C:\Windows\System32\HsbPZPh.exe
  2⤵
  PID:9736
- C:\Windows\System32\xAhmHYH.exe
  C:\Windows\System32\xAhmHYH.exe
  2⤵
  PID:9768
- C:\Windows\System32\fGbIcyV.exe
  C:\Windows\System32\fGbIcyV.exe
  2⤵
  PID:9832
- C:\Windows\System32\rvTirNw.exe
  C:\Windows\System32\rvTirNw.exe
  2⤵
  PID:9856
- C:\Windows\System32\AsLdAqd.exe
  C:\Windows\System32\AsLdAqd.exe
  2⤵
  PID:9876
- C:\Windows\System32\QcVKNux.exe
  C:\Windows\System32\QcVKNux.exe
  2⤵
  PID:9896
- C:\Windows\System32\TYmgiUs.exe
  C:\Windows\System32\TYmgiUs.exe
  2⤵
  PID:9916
- C:\Windows\System32\NuyeUCi.exe
  C:\Windows\System32\NuyeUCi.exe
  2⤵
  PID:9932
- C:\Windows\System32\mQHHHNr.exe
  C:\Windows\System32\mQHHHNr.exe
  2⤵
  PID:9980
- C:\Windows\System32\pOnVdwv.exe
  C:\Windows\System32\pOnVdwv.exe
  2⤵
  PID:10000
- C:\Windows\System32\RDEHMBu.exe
  C:\Windows\System32\RDEHMBu.exe
  2⤵
  PID:10052
- C:\Windows\System32\XtIRaVg.exe
  C:\Windows\System32\XtIRaVg.exe
  2⤵
  PID:10080
- C:\Windows\System32\ndDhwaD.exe
  C:\Windows\System32\ndDhwaD.exe
  2⤵
  PID:10104
- C:\Windows\System32\dFGWJPS.exe
  C:\Windows\System32\dFGWJPS.exe
  2⤵
  PID:10124
- C:\Windows\System32\TrWvLYG.exe
  C:\Windows\System32\TrWvLYG.exe
  2⤵
  PID:10168
- C:\Windows\System32\CxxwBRL.exe
  C:\Windows\System32\CxxwBRL.exe
  2⤵
  PID:10184
- C:\Windows\System32\ONAKJgV.exe
  C:\Windows\System32\ONAKJgV.exe
  2⤵
  PID:10212
- C:\Windows\System32\VoMdPak.exe
  C:\Windows\System32\VoMdPak.exe
  2⤵
  PID:10228
- C:\Windows\System32\UFJUIiI.exe
  C:\Windows\System32\UFJUIiI.exe
  2⤵
  PID:9240
- C:\Windows\System32\SNKpLhF.exe
  C:\Windows\System32\SNKpLhF.exe
  2⤵
  PID:9296
- C:\Windows\System32\QjtHHnH.exe
  C:\Windows\System32\QjtHHnH.exe
  2⤵
  PID:9348
- C:\Windows\System32\tyYIGtB.exe
  C:\Windows\System32\tyYIGtB.exe
  2⤵
  PID:9412
- C:\Windows\System32\OuuxzKM.exe
  C:\Windows\System32\OuuxzKM.exe
  2⤵
  PID:9456
- C:\Windows\System32\CzGRlZu.exe
  C:\Windows\System32\CzGRlZu.exe
  2⤵
  PID:9616
- C:\Windows\System32\xdVOujB.exe
  C:\Windows\System32\xdVOujB.exe
  2⤵
  PID:9672
- C:\Windows\System32\pLqmMMB.exe
  C:\Windows\System32\pLqmMMB.exe
  2⤵
  PID:9752
- C:\Windows\System32\PxVdXTE.exe
  C:\Windows\System32\PxVdXTE.exe
  2⤵
  PID:9796
- C:\Windows\System32\BWODpLS.exe
  C:\Windows\System32\BWODpLS.exe
  2⤵
  PID:9824
- C:\Windows\System32\HePGkBy.exe
  C:\Windows\System32\HePGkBy.exe
  2⤵
  PID:9888
- C:\Windows\System32\KRGZSCh.exe
  C:\Windows\System32\KRGZSCh.exe
  2⤵
  PID:9956
- C:\Windows\System32\ghTnCko.exe
  C:\Windows\System32\ghTnCko.exe
  2⤵
  PID:9996
- C:\Windows\System32\reAhWuQ.exe
  C:\Windows\System32\reAhWuQ.exe
  2⤵
  PID:10092
- C:\Windows\System32\MyfXWAv.exe
  C:\Windows\System32\MyfXWAv.exe
  2⤵
  PID:10224
- C:\Windows\System32\bEtfQbq.exe
  C:\Windows\System32\bEtfQbq.exe
  2⤵
  PID:9228
- C:\Windows\System32\VlLEpxY.exe
  C:\Windows\System32\VlLEpxY.exe
  2⤵
  PID:9332
- C:\Windows\System32\qoDuRZD.exe
  C:\Windows\System32\qoDuRZD.exe
  2⤵
  PID:9344
- C:\Windows\System32\cvhIOaB.exe
  C:\Windows\System32\cvhIOaB.exe
  2⤵
  PID:9544
- C:\Windows\System32\TSeMynO.exe
  C:\Windows\System32\TSeMynO.exe
  2⤵
  PID:9800
- C:\Windows\System32\cgHrTFA.exe
  C:\Windows\System32\cgHrTFA.exe
  2⤵
  PID:9840
- C:\Windows\System32\nFNyfPj.exe
  C:\Windows\System32\nFNyfPj.exe
  2⤵
  PID:10180
- C:\Windows\System32\lbqXopx.exe
  C:\Windows\System32\lbqXopx.exe
  2⤵
  PID:9324
- C:\Windows\System32\seADEml.exe
  C:\Windows\System32\seADEml.exe
  2⤵
  PID:9912
- C:\Windows\System32\Llzobqz.exe
  C:\Windows\System32\Llzobqz.exe
  2⤵
  PID:7924
- C:\Windows\System32\weILezf.exe
  C:\Windows\System32\weILezf.exe
  2⤵
  PID:9828
- C:\Windows\System32\KCCVPdz.exe
  C:\Windows\System32\KCCVPdz.exe
  2⤵
  PID:9396
- C:\Windows\System32\kXoNREf.exe
  C:\Windows\System32\kXoNREf.exe
  2⤵
  PID:10252
- C:\Windows\System32\EcGXVxD.exe
  C:\Windows\System32\EcGXVxD.exe
  2⤵
  PID:10280
- C:\Windows\System32\sAxdHOR.exe
  C:\Windows\System32\sAxdHOR.exe
  2⤵
  PID:10316
- C:\Windows\System32\rLymEYw.exe
  C:\Windows\System32\rLymEYw.exe
  2⤵
  PID:10336
- C:\Windows\System32\UVLVXDE.exe
  C:\Windows\System32\UVLVXDE.exe
  2⤵
  PID:10372
- C:\Windows\System32\wBDcIVP.exe
  C:\Windows\System32\wBDcIVP.exe
  2⤵
  PID:10400
- C:\Windows\System32\TJrfBkP.exe
  C:\Windows\System32\TJrfBkP.exe
  2⤵
  PID:10428
- C:\Windows\System32\leySvMi.exe
  C:\Windows\System32\leySvMi.exe
  2⤵
  PID:10448
- C:\Windows\System32\MMVewRx.exe
  C:\Windows\System32\MMVewRx.exe
  2⤵
  PID:10488
- C:\Windows\System32\WFzMJrU.exe
  C:\Windows\System32\WFzMJrU.exe
  2⤵
  PID:10504
- C:\Windows\System32\CdiEDeM.exe
  C:\Windows\System32\CdiEDeM.exe
  2⤵
  PID:10528
- C:\Windows\System32\RGbFcpN.exe
  C:\Windows\System32\RGbFcpN.exe
  2⤵
  PID:10556
- C:\Windows\System32\ZXacANw.exe
  C:\Windows\System32\ZXacANw.exe
  2⤵
  PID:10596
- C:\Windows\System32\iHRjYpB.exe
  C:\Windows\System32\iHRjYpB.exe
  2⤵
  PID:10616
- C:\Windows\System32\fDFfbdk.exe
  C:\Windows\System32\fDFfbdk.exe
  2⤵
  PID:10636
- C:\Windows\System32\gjEKbFM.exe
  C:\Windows\System32\gjEKbFM.exe
  2⤵
  PID:10660
- C:\Windows\System32\juirNyf.exe
  C:\Windows\System32\juirNyf.exe
  2⤵
  PID:10680
- C:\Windows\System32\VNCcZwC.exe
  C:\Windows\System32\VNCcZwC.exe
  2⤵
  PID:10700
- C:\Windows\System32\DLaXaNE.exe
  C:\Windows\System32\DLaXaNE.exe
  2⤵
  PID:10724
- C:\Windows\System32\uTlVPdo.exe
  C:\Windows\System32\uTlVPdo.exe
  2⤵
  PID:10784
- C:\Windows\System32\CdWeJkI.exe
  C:\Windows\System32\CdWeJkI.exe
  2⤵
  PID:10804
- C:\Windows\System32\yDKyXGE.exe
  C:\Windows\System32\yDKyXGE.exe
  2⤵
  PID:10828
- C:\Windows\System32\nMFKclL.exe
  C:\Windows\System32\nMFKclL.exe
  2⤵
  PID:10852
- C:\Windows\System32\OyvXodY.exe
  C:\Windows\System32\OyvXodY.exe
  2⤵
  PID:10876
- C:\Windows\System32\VPONYqE.exe
  C:\Windows\System32\VPONYqE.exe
  2⤵
  PID:10900
- C:\Windows\System32\Gicrcer.exe
  C:\Windows\System32\Gicrcer.exe
  2⤵
  PID:10924
- C:\Windows\System32\tAjJkZg.exe
  C:\Windows\System32\tAjJkZg.exe
  2⤵
  PID:10996
- C:\Windows\System32\LujylCT.exe
  C:\Windows\System32\LujylCT.exe
  2⤵
  PID:11024
- C:\Windows\System32\jUBBmlA.exe
  C:\Windows\System32\jUBBmlA.exe
  2⤵
  PID:11048
- C:\Windows\System32\iTudyMs.exe
  C:\Windows\System32\iTudyMs.exe
  2⤵
  PID:11076
- C:\Windows\System32\gYWWojF.exe
  C:\Windows\System32\gYWWojF.exe
  2⤵
  PID:11096
- C:\Windows\System32\CFSLXXr.exe
  C:\Windows\System32\CFSLXXr.exe
  2⤵
  PID:11120
- C:\Windows\System32\ZKkhdCx.exe
  C:\Windows\System32\ZKkhdCx.exe
  2⤵
  PID:11144
- C:\Windows\System32\sGakJsq.exe
  C:\Windows\System32\sGakJsq.exe
  2⤵
  PID:11160
- C:\Windows\System32\TTCpQsL.exe
  C:\Windows\System32\TTCpQsL.exe
  2⤵
  PID:11184
- C:\Windows\System32\wNInwTm.exe
  C:\Windows\System32\wNInwTm.exe
  2⤵
  PID:11208
- C:\Windows\System32\uPBJQAK.exe
  C:\Windows\System32\uPBJQAK.exe
  2⤵
  PID:11224
- C:\Windows\System32\kUxCzEu.exe
  C:\Windows\System32\kUxCzEu.exe
  2⤵
  PID:11248
- C:\Windows\System32\WnMuOux.exe
  C:\Windows\System32\WnMuOux.exe
  2⤵
  PID:10260
- C:\Windows\System32\sHDvMQe.exe
  C:\Windows\System32\sHDvMQe.exe
  2⤵
  PID:10328
- C:\Windows\System32\QDLcanJ.exe
  C:\Windows\System32\QDLcanJ.exe
  2⤵
  PID:10416
- C:\Windows\System32\sRkgcqN.exe
  C:\Windows\System32\sRkgcqN.exe
  2⤵
  PID:10552
- C:\Windows\System32\juAERFo.exe
  C:\Windows\System32\juAERFo.exe
  2⤵
  PID:10624
- C:\Windows\System32\mMNadBs.exe
  C:\Windows\System32\mMNadBs.exe
  2⤵
  PID:10716
- C:\Windows\System32\uGzKluH.exe
  C:\Windows\System32\uGzKluH.exe
  2⤵
  PID:10764
- C:\Windows\System32\IJsOvCs.exe
  C:\Windows\System32\IJsOvCs.exe
  2⤵
  PID:10836
- C:\Windows\System32\eHlSmvP.exe
  C:\Windows\System32\eHlSmvP.exe
  2⤵
  PID:10908
- C:\Windows\System32\BlZmcBR.exe
  C:\Windows\System32\BlZmcBR.exe
  2⤵
  PID:10956
- C:\Windows\System32\XXGgOuZ.exe
  C:\Windows\System32\XXGgOuZ.exe
  2⤵
  PID:11004
- C:\Windows\System32\HNOXBhZ.exe
  C:\Windows\System32\HNOXBhZ.exe
  2⤵
  PID:11016
- C:\Windows\System32\eWfbhTm.exe
  C:\Windows\System32\eWfbhTm.exe
  2⤵
  PID:11108
- C:\Windows\System32\aQQalXe.exe
  C:\Windows\System32\aQQalXe.exe
  2⤵
  PID:11192
- C:\Windows\System32\qyEyNNh.exe
  C:\Windows\System32\qyEyNNh.exe
  2⤵
  PID:10300
- C:\Windows\System32\ETOUtuY.exe
  C:\Windows\System32\ETOUtuY.exe
  2⤵
  PID:10296
- C:\Windows\System32\vVfpFyQ.exe
  C:\Windows\System32\vVfpFyQ.exe
  2⤵
  PID:10444
- C:\Windows\System32\RrjWCYa.exe
  C:\Windows\System32\RrjWCYa.exe
  2⤵
  PID:10608
- C:\Windows\System32\zSOMUiN.exe
  C:\Windows\System32\zSOMUiN.exe
  2⤵
  PID:10708
- C:\Windows\System32\gfmRcVx.exe
  C:\Windows\System32\gfmRcVx.exe
  2⤵
  PID:10844
- C:\Windows\System32\nPyzIWf.exe
  C:\Windows\System32\nPyzIWf.exe
  2⤵
  PID:11156
- C:\Windows\System32\EtXdXEg.exe
  C:\Windows\System32\EtXdXEg.exe
  2⤵
  PID:10496
- C:\Windows\System32\yfKARPu.exe
  C:\Windows\System32\yfKARPu.exe
  2⤵
  PID:10824
- C:\Windows\System32\WPkWdcQ.exe
  C:\Windows\System32\WPkWdcQ.exe
  2⤵
  PID:11136
- C:\Windows\System32\jTdlsMR.exe
  C:\Windows\System32\jTdlsMR.exe
  2⤵
  PID:10896
- C:\Windows\System32\RCZBLrJ.exe
  C:\Windows\System32\RCZBLrJ.exe
  2⤵
  PID:2616
- C:\Windows\System32\tPnyenp.exe
  C:\Windows\System32\tPnyenp.exe
  2⤵
  PID:11280
- C:\Windows\System32\PGOdXNb.exe
  C:\Windows\System32\PGOdXNb.exe
  2⤵
  PID:11300
- C:\Windows\System32\TAcqsfh.exe
  C:\Windows\System32\TAcqsfh.exe
  2⤵
  PID:11324
- C:\Windows\System32\kpiRTQp.exe
  C:\Windows\System32\kpiRTQp.exe
  2⤵
  PID:11352
- C:\Windows\System32\LhhBtWe.exe
  C:\Windows\System32\LhhBtWe.exe
  2⤵
  PID:11404
- C:\Windows\System32\UvjEIUf.exe
  C:\Windows\System32\UvjEIUf.exe
  2⤵
  PID:11432
- C:\Windows\System32\dYqSebC.exe
  C:\Windows\System32\dYqSebC.exe
  2⤵
  PID:11460
- C:\Windows\System32\TgTBnsU.exe
  C:\Windows\System32\TgTBnsU.exe
  2⤵
  PID:11488
- C:\Windows\System32\ZKXuzvs.exe
  C:\Windows\System32\ZKXuzvs.exe
  2⤵
  PID:11508
- C:\Windows\System32\RdbbwZz.exe
  C:\Windows\System32\RdbbwZz.exe
  2⤵
  PID:11528
- C:\Windows\System32\LRVNbWg.exe
  C:\Windows\System32\LRVNbWg.exe
  2⤵
  PID:11564
- C:\Windows\System32\bNHNGpO.exe
  C:\Windows\System32\bNHNGpO.exe
  2⤵
  PID:11596
- C:\Windows\System32\NkqhOfH.exe
  C:\Windows\System32\NkqhOfH.exe
  2⤵
  PID:11620
- C:\Windows\System32\xdrQsvZ.exe
  C:\Windows\System32\xdrQsvZ.exe
  2⤵
  PID:11636
- C:\Windows\System32\HGnjAdF.exe
  C:\Windows\System32\HGnjAdF.exe
  2⤵
  PID:11660
- C:\Windows\System32\GmesAaA.exe
  C:\Windows\System32\GmesAaA.exe
  2⤵
  PID:11684
- C:\Windows\System32\QEmQRvl.exe
  C:\Windows\System32\QEmQRvl.exe
  2⤵
  PID:11712
- C:\Windows\System32\rURuMxM.exe
  C:\Windows\System32\rURuMxM.exe
  2⤵
  PID:11732
- C:\Windows\System32\llQtBFF.exe
  C:\Windows\System32\llQtBFF.exe
  2⤵
  PID:11748
- C:\Windows\System32\UAZJqAp.exe
  C:\Windows\System32\UAZJqAp.exe
  2⤵
  PID:11776
- C:\Windows\System32\msOEDsN.exe
  C:\Windows\System32\msOEDsN.exe
  2⤵
  PID:11852
- C:\Windows\System32\oohAMkJ.exe
  C:\Windows\System32\oohAMkJ.exe
  2⤵
  PID:11892
- C:\Windows\System32\abnoKEG.exe
  C:\Windows\System32\abnoKEG.exe
  2⤵
  PID:11912
- C:\Windows\System32\YhUWjJx.exe
  C:\Windows\System32\YhUWjJx.exe
  2⤵
  PID:11948
- C:\Windows\System32\vJtJusD.exe
  C:\Windows\System32\vJtJusD.exe
  2⤵
  PID:11976
- C:\Windows\System32\zKdFXLX.exe
  C:\Windows\System32\zKdFXLX.exe
  2⤵
  PID:11992
- C:\Windows\System32\JemEuNx.exe
  C:\Windows\System32\JemEuNx.exe
  2⤵
  PID:12008
- C:\Windows\System32\fBVMbHl.exe
  C:\Windows\System32\fBVMbHl.exe
  2⤵
  PID:12036
- C:\Windows\System32\oQGYmeq.exe
  C:\Windows\System32\oQGYmeq.exe
  2⤵
  PID:12056
- C:\Windows\System32\SnmwStd.exe
  C:\Windows\System32\SnmwStd.exe
  2⤵
  PID:12100
- C:\Windows\System32\SDTNyzT.exe
  C:\Windows\System32\SDTNyzT.exe
  2⤵
  PID:12132
- C:\Windows\System32\xZWRYZr.exe
  C:\Windows\System32\xZWRYZr.exe
  2⤵
  PID:12152
- C:\Windows\System32\euQobnQ.exe
  C:\Windows\System32\euQobnQ.exe
  2⤵
  PID:12176
- C:\Windows\System32\fICzjTX.exe
  C:\Windows\System32\fICzjTX.exe
  2⤵
  PID:12224
- C:\Windows\System32\dWQmQUL.exe
  C:\Windows\System32\dWQmQUL.exe
  2⤵
  PID:12244
- C:\Windows\System32\AzzLgXb.exe
  C:\Windows\System32\AzzLgXb.exe
  2⤵
  PID:12264
- C:\Windows\System32\qrdAcma.exe
  C:\Windows\System32\qrdAcma.exe
  2⤵
  PID:11036
- C:\Windows\System32\wqGsjjr.exe
  C:\Windows\System32\wqGsjjr.exe
  2⤵
  PID:11308
- C:\Windows\System32\wnFFljX.exe
  C:\Windows\System32\wnFFljX.exe
  2⤵
  PID:11456
- C:\Windows\System32\JrWfoLg.exe
  C:\Windows\System32\JrWfoLg.exe
  2⤵
  PID:11504
- C:\Windows\System32\vDkRIII.exe
  C:\Windows\System32\vDkRIII.exe
  2⤵
  PID:11536
- C:\Windows\System32\MKhmxFf.exe
  C:\Windows\System32\MKhmxFf.exe
  2⤵
  PID:11592
- C:\Windows\System32\pBQYDKo.exe
  C:\Windows\System32\pBQYDKo.exe
  2⤵
  PID:11604
- C:\Windows\System32\JlDZhEz.exe
  C:\Windows\System32\JlDZhEz.exe
  2⤵
  PID:1648
- C:\Windows\System32\xSDsDQm.exe
  C:\Windows\System32\xSDsDQm.exe
  2⤵
  PID:1588
- C:\Windows\System32\YtAACcA.exe
  C:\Windows\System32\YtAACcA.exe
  2⤵
  PID:11720
- C:\Windows\System32\NpDLfSg.exe
  C:\Windows\System32\NpDLfSg.exe
  2⤵
  PID:11928
- C:\Windows\System32\LAEqTHW.exe
  C:\Windows\System32\LAEqTHW.exe
  2⤵
  PID:11988
- C:\Windows\System32\xwPTrwH.exe
  C:\Windows\System32\xwPTrwH.exe
  2⤵
  PID:12084
- C:\Windows\System32\VztykBk.exe
  C:\Windows\System32\VztykBk.exe
  2⤵
  PID:12108
- C:\Windows\System32\yjntimm.exe
  C:\Windows\System32\yjntimm.exe
  2⤵
  PID:12208
- C:\Windows\System32\nIwEnRf.exe
  C:\Windows\System32\nIwEnRf.exe
  2⤵
  PID:12240
- C:\Windows\System32\ThtrdKV.exe
  C:\Windows\System32\ThtrdKV.exe
  2⤵
  PID:12276
- C:\Windows\System32\jgnZXtP.exe
  C:\Windows\System32\jgnZXtP.exe
  2⤵
  PID:11380
- C:\Windows\System32\jMirYja.exe
  C:\Windows\System32\jMirYja.exe
  2⤵
  PID:11484
- C:\Windows\System32\RXeqkor.exe
  C:\Windows\System32\RXeqkor.exe
  2⤵
  PID:11588
- C:\Windows\System32\qanYRLv.exe
  C:\Windows\System32\qanYRLv.exe
  2⤵
  PID:11680
- C:\Windows\System32\aXJaBQw.exe
  C:\Windows\System32\aXJaBQw.exe
  2⤵
  PID:11840
- C:\Windows\System32\rVtVrPF.exe
  C:\Windows\System32\rVtVrPF.exe
  2⤵
  PID:11984
- C:\Windows\System32\UxnHHCY.exe
  C:\Windows\System32\UxnHHCY.exe
  2⤵
  PID:12160
- C:\Windows\System32\OSLspUl.exe
  C:\Windows\System32\OSLspUl.exe
  2⤵
  PID:12188
- C:\Windows\System32\sVChYjZ.exe
  C:\Windows\System32\sVChYjZ.exe
  2⤵
  PID:11972
- C:\Windows\System32\wJRaSJk.exe
  C:\Windows\System32\wJRaSJk.exe
  2⤵
  PID:12044
- C:\Windows\System32\giRqVqa.exe
  C:\Windows\System32\giRqVqa.exe
  2⤵
  PID:12292
- C:\Windows\System32\VbLAZNp.exe
  C:\Windows\System32\VbLAZNp.exe
  2⤵
  PID:12320
- C:\Windows\System32\ZvNVVgN.exe
  C:\Windows\System32\ZvNVVgN.exe
  2⤵
  PID:12356
- C:\Windows\System32\rgEfEqZ.exe
  C:\Windows\System32\rgEfEqZ.exe
  2⤵
  PID:12380
- C:\Windows\System32\HFFOWHn.exe
  C:\Windows\System32\HFFOWHn.exe
  2⤵
  PID:12448
- C:\Windows\System32\veDfMCc.exe
  C:\Windows\System32\veDfMCc.exe
  2⤵
  PID:12472
- C:\Windows\System32\MJRcewm.exe
  C:\Windows\System32\MJRcewm.exe
  2⤵
  PID:12492
- C:\Windows\System32\kxtRbSP.exe
  C:\Windows\System32\kxtRbSP.exe
  2⤵
  PID:12516
- C:\Windows\System32\yatSaqq.exe
  C:\Windows\System32\yatSaqq.exe
  2⤵
  PID:12540
- C:\Windows\System32\XsWbQCX.exe
  C:\Windows\System32\XsWbQCX.exe
  2⤵
  PID:12560
- C:\Windows\System32\mHetXak.exe
  C:\Windows\System32\mHetXak.exe
  2⤵
  PID:12612
- C:\Windows\System32\cPdrWcq.exe
  C:\Windows\System32\cPdrWcq.exe
  2⤵
  PID:12628
- C:\Windows\System32\fGvujGc.exe
  C:\Windows\System32\fGvujGc.exe
  2⤵
  PID:12656
- C:\Windows\System32\MzahcdD.exe
  C:\Windows\System32\MzahcdD.exe
  2⤵
  PID:12688
- C:\Windows\System32\TnJWGvA.exe
  C:\Windows\System32\TnJWGvA.exe
  2⤵
  PID:12708
- C:\Windows\System32\YHcVxgn.exe
  C:\Windows\System32\YHcVxgn.exe
  2⤵
  PID:12752
- C:\Windows\System32\UhqfAZb.exe
  C:\Windows\System32\UhqfAZb.exe
  2⤵
  PID:12772
- C:\Windows\System32\SdUKYyh.exe
  C:\Windows\System32\SdUKYyh.exe
  2⤵
  PID:12788
- C:\Windows\System32\YBiGvpj.exe
  C:\Windows\System32\YBiGvpj.exe
  2⤵
  PID:12812
- C:\Windows\System32\ybaoNWh.exe
  C:\Windows\System32\ybaoNWh.exe
  2⤵
  PID:12852
- C:\Windows\System32\rLssQii.exe
  C:\Windows\System32\rLssQii.exe
  2⤵
  PID:12916
- C:\Windows\System32\sxalmXo.exe
  C:\Windows\System32\sxalmXo.exe
  2⤵
  PID:12932
- C:\Windows\System32\XRenvUO.exe
  C:\Windows\System32\XRenvUO.exe
  2⤵
  PID:12952
- C:\Windows\System32\rrXpnqu.exe
  C:\Windows\System32\rrXpnqu.exe
  2⤵
  PID:12976
- C:\Windows\System32\LieJwIp.exe
  C:\Windows\System32\LieJwIp.exe
  2⤵
  PID:12996

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ADEsBVW.exe

Filesize
1.6MB

MD5
0a903fe83857e5aa456e1c4fa87bdd94

SHA1
0b7db572d859a88305ec860b5933672f69e7fe18

SHA256
875e14209e73bf97109b6f4d8fb33fa3af69f96b46d033f01272e00dc70e6532

SHA512
0c3d37156c444dd082b77bdc563584f65428c9db130c656c79983f9d9b05b55f0d06c3b57fb8015c15e48cc1a67e29c1007487baf014cc061001e06707974911

Download Submit
C:\Windows\System32\AzOSAzc.exe

Filesize
1.6MB

MD5
6baf423a9c1f5a0e5c6c1a875e669f3e

SHA1
12263952e5f230dd7240888d2c0c5c35c1a2912f

SHA256
3c8ff3bfb11f5eff559528804d3ec7afaf8fef1d051abae87cff949e79a85874

SHA512
3816157c9823e8f63e83bf05bd50b3b0795fb2fb8103149620ce8a0152d152c316cd6497d0be19f9551bd68ada59873466222fdb9965f741c218c55e5720f95c

Download Submit
C:\Windows\System32\CCziHFV.exe

Filesize
1.6MB

MD5
db7312bff1b9512eda871fea90e1a0cd

SHA1
e8a41224dc8548de93cd82952ef0e209cc81ead1

SHA256
dbd71880e7894a93a3e98bea80d2b061b19ad53fe1c1271ac2f35b0a58c627f7

SHA512
61f4d5d3d6d4fa6285079f89ae95b3fa4bcfc6f0f997aeec8863f9cfd1b60b0ecf73450af53af66f7b6641695035373dad145fb6a7dddd4a273067525373a825

Download Submit
C:\Windows\System32\DDeBgOO.exe

Filesize
1.6MB

MD5
c109caab1ef75e217456087f39d175b3

SHA1
902f658ffc351e2967b6bf372306d46673b926bb

SHA256
fff81aee1ecc59a6e0d2f3b7ef92a7e737e2be03a4a50db5344255a2e7252269

SHA512
5ee483076a96ed83a898ec35e55a18bdad3d656c1c8c8c20fde6097558b392f6eeb3df80b8ea76492242455c1b44cc39ed686494c45d6120bfb6a3112887a4a8

Download Submit
C:\Windows\System32\FJVqWDO.exe

Filesize
1.6MB

MD5
6ecb35d318b3f293888e0cf3fcd1d615

SHA1
7bae23a0fde2ee0be1ba1f8800f86cb78e5dda35

SHA256
269f81f027f6d6ae2dddca7f503458e6e578c6c49310d72026b3f9c57bfd4f3b

SHA512
d8efe6dada6a6c673866d827944b7eb3d4e116341f82d28dfc4b848c73899f80566a0d5d63563c3874c817d3dc6e0d60a097efc602ab91d676e4ae99f43f45e4

Download Submit
C:\Windows\System32\HYCxUlH.exe

Filesize
1.6MB

MD5
7182a96979981e78a2d64c012858f27b

SHA1
081e4aaa64d4202f979d5b39c4a1b7b83c5af7db

SHA256
5cb35456f9c882a462081485ebee77cf85bc2b16ab46c8a7f7ee492338c31ee9

SHA512
459da4a676189d6a601c65bba5be717e425ffb1fce714c20f5bd53f823e20818d80a3c10bd3f9a5d421bb49cb4ea17d05d605a502274a0b8f6602de92537913b

Download Submit
C:\Windows\System32\HazqaTB.exe

Filesize
1.6MB

MD5
0d77deab8bef88f221b4bc41c98ee3b0

SHA1
00f606256da082f9aae17275e539cd604a8f22af

SHA256
adfb1d4497cf5c46ec327f5e282d4167295700e5226cfc49a2464a6db5981736

SHA512
ea55aa169c6d8edacd2ac4620a423b5543373d0f3f9f206e1e21d05d49a71edfead5c74acb0e1fcdcf7592e52367ab1e9c31fb7ba20964b810ad23624fcf0be4

Download Submit
C:\Windows\System32\TELIrmO.exe

Filesize
1.6MB

MD5
3a1d2aeeeb83e31ba469ff1c797abf8b

SHA1
97f119deb7f0da86da1baaa766e58733812a22ca

SHA256
b45792b240cc1dbc816932b7b4c89433be8186a7939273371ffe40ce58106c2b

SHA512
1167134ccc96f8bb53cac8dcb5f5dc9cb385b308cbb2d67e16a601983841174ebf5693e8d219db2452e78d7eb17e45c91ae2c9675ea543f164310dbdbdcb6a83

Download Submit
C:\Windows\System32\TrzRgRf.exe

Filesize
1.6MB

MD5
5ff90b3efcf277d093f102a7016b8812

SHA1
c42cdc8a0487e95a48136f451d7875356a840a0d

SHA256
98eb0510676aa5eefee2db2212ecc205aa24047441e6669222d783363736f04f

SHA512
9e5ccf8664a8998759f3142354ef65ffb8fbfbbcb74136b9921414aa9bc7183ac871e76f3dc730bc00801ec394ddfbf9e4ccef7368ffe0d92405ccf804609943

Download Submit
C:\Windows\System32\WDBjRDf.exe

Filesize
1.6MB

MD5
65d2513c36de297d38e9e490e2f0b446

SHA1
700e13d4ff5996f55dcf558bb224fbcd509fe881

SHA256
45b92850707e4ed23044dfb8134620085cadf967c7dbb2b3afdb4d2953dcbe59

SHA512
2cbec158355144ade9e5b9b8dfaa3deed84cae49f29da03485ac2d1f5cfbc561ab6780b527d0121727a7a785bca046c450af4359119976c17c4d328aa082d672

Download Submit
C:\Windows\System32\WzxtAUg.exe

Filesize
1.6MB

MD5
189258a41d18544e079dfdfaf46d72eb

SHA1
7838270f9855b2d649c1ca8af3be44e5b25ee208

SHA256
ed017268896e18e65ed2c271217ade0a6110696a625682223f2f41fce72cf5a1

SHA512
ace9620ece391e6e228d2906a5f5553911ecbac5fbc13299d16e3c6e6f6552b57ee46fe0f4178c564b16950eb8082cc1b09d41e6e13b9c8323399736f20fc45e

Download Submit
C:\Windows\System32\XSudhmz.exe

Filesize
1.6MB

MD5
8f7ae1d8c9508883643da55e00d5b0ff

SHA1
cb3ce6854a7011ca25ec21847190ad42533c05cc

SHA256
8869f7e134e2c04353d1e096c9c28c0da6e6d52b6499e4db714484753eb0f946

SHA512
ddd3d6916cc8d7d27076c42c93e12e1d3c5e95271d451d20c2f2bcdf94359b7d02695903b01717b3da3b9d9026f37d96681555643b433d6b8d60f86653801c80

Download Submit
C:\Windows\System32\YKCHilJ.exe

Filesize
1.6MB

MD5
7ee5f093e944117bba67dbc119ff7d8b

SHA1
3103d2f83299a994be0acf557a1f9b4e9ebfb617

SHA256
8122e7da1d8540d2195d92ee329beb042fd9384d2d5787c390867ddf90686a90

SHA512
425588f75921093a32ca3900345310eee105e8e4a48b4b6f16b95c9fb7f3ec6f583efd69ebde27b5e23cc92a2ce4420b633a73efc163a2ed95fb4071339a3878

Download Submit
C:\Windows\System32\YxbmUBP.exe

Filesize
1.6MB

MD5
61dda693ddeb998a63a2c69f5bb42ef4

SHA1
101f71bd6d133f79d7df9606884d36cd32b32e8f

SHA256
916774be9fe4cdd19c9e451c0fa4e36bb7d47175e66808ff350cc65da0d32739

SHA512
f2f440c0e302eae2e189b856db6ab6ce0aea0dd101cd3614e0bf4d2371f77732795a20583952816f24c4f199a0f8e1655808b805b23369aa802926d59bd21382

Download Submit
C:\Windows\System32\ZcuKVmM.exe

Filesize
1.6MB

MD5
5b4912845d62158fcfffbb719b1456be

SHA1
3eda868c5c0da4c7b93278cf4b727c5b426d184f

SHA256
e654a0572eefdd42771962ba250e3de028819e9234f727f2bb2564570f94214b

SHA512
7cd4b1adc16c0fd15542b03ecb6efa48c4b5d92b54a80dad2904356a11cc912cc1af42813b7f54ae56548a17fd9231479de63afa87402e7f948af3c84711c5ca

Download Submit
C:\Windows\System32\aGzfxIm.exe

Filesize
1.6MB

MD5
863fef3e9c73a3e036f064ad03d24e5c

SHA1
ec4c40e98e8a6a7d4eb13dc28f4d04a329816bf2

SHA256
71429a9ac7c6ec930fb13b44e53a31877dda737a29dcb97a592bdaad90268ba7

SHA512
1335930b3ad6be86d127c41c9ea6c5e9cddbcc8bec02eb54f6dfa86aa6be21c9c52d22b7c584fd49a975a567d47ce363ea923af7b403d2317d2d1340b6fab123

Download Submit
C:\Windows\System32\cBOWPYA.exe

Filesize
1.6MB

MD5
2be1c7828389e3135f4ab8547fb1e8dd

SHA1
fda4150d031ac5acd9f44b2c979978c63d6bc983

SHA256
28162cfe4ee5c8d1bc0bc6ef1608eb025bea6f23d650e8ecd37689310fc15aa6

SHA512
f460241fe3538db19a5a60660df16c3b86523b50c26cfd909a4b9b740d4b07f72f8f585e9c0aba72ec76342c3297ca718f497a486531e0248f5bcb1c915a1e92

Download Submit
C:\Windows\System32\dvJkVKf.exe

Filesize
1.6MB

MD5
886635389cad046b684ed423f08be3f4

SHA1
bd039788b9409700e59cd9e1f8ac1c7a22d82ad0

SHA256
1ab3518383750ab60868dc5a936c1ff98c01e362b3b7b6fc030caf5dad821e06

SHA512
cef8549df777212372fe600a5da73c79f9d63190a532127fa9874406c936037d1362b89d83db28e6b2adcb1dc61ef554d96fda11d983019abf1c111935418f67

Download Submit
C:\Windows\System32\eMYHbLT.exe

Filesize
1.6MB

MD5
77c7cd876ebab7b6e4e70c38db2ee769

SHA1
2713f98def60c1ee44539cfdc5d7e9e59682f489

SHA256
bdfe69daab10372d4a9d475f6b836f996db007feb214e5c65adb9519fd78d6ce

SHA512
54be2a9a75bf41826fe1a778793ef879314b860594635181dd6f7c3e8349d8d56d17ac2c9801cb3fe4a5c5c2e810e93d0c62a91ad00a9d9e016b3233c9ce36a6

Download Submit
C:\Windows\System32\ekKlWyz.exe

Filesize
1.6MB

MD5
42a0f07500248580bb27d4ca599f9fba

SHA1
40a6635af94aa513df30afe4b0f9dd7bec47987f

SHA256
64f28af5efdab4d255fbb5a1c205757cdc03435c0574c366514e944117de3ef4

SHA512
9f2c3113db092063f730054e24bcc9e95a985637325af2eceaf2d04c4d1c3f7da1c730ed9527402b4106ac38b82759589dd4af2a25e572d6ee8f51e5639e2b23

Download Submit
C:\Windows\System32\fDgNwXT.exe

Filesize
1.6MB

MD5
6c8b8509bd6905bd754b906e098fa913

SHA1
4cb7f88473b4cc500d9faa90f9b0560d01133169

SHA256
f44fad2c1e8457ffb1deae6192e08d20597cfb9dfb0d360d590cb15cb69b6ad2

SHA512
32b6c497b3dd4db0b7b2a7f5ed27ee6c18726ec330f6c178bf3b22aeb6203c99cfa4ac4620c759faa8e424684ad522ad6dcec9c83b95ee4e607a4e2b83110b1b

Download Submit
C:\Windows\System32\gnQxjZU.exe

Filesize
1.6MB

MD5
4d3271168015c59bdb9fc432956172d3

SHA1
e697acdd8b50061a10cd39de335aa22253ecd069

SHA256
d231d453653eff593768481dcde2c1f2f9ce160fd294b0836f485fe76fb34128

SHA512
7b7bce7e9269bd96f58d662c6e369fda236836ab62be56129b25306d39552c00e7de0bca42c7b0bc95a5423be397c8a949e3cc73694a794f0e9486c10b1a1fb9

Download Submit
C:\Windows\System32\hOCXGbE.exe

Filesize
1.6MB

MD5
075d4b384044e402611b8079cc7d5b81

SHA1
c8a67f38ad217b9ec2a2817c0db4956bdde6cdc4

SHA256
a36bba23a407af5cf678117c345388dffdc521b9f0428cbb215a4db8d26871a3

SHA512
f0d1c620f79207621bf7f7bce5ab86ffbc5fe06034c4174c46e9f96eaf56073312e0d396fd27bb62ab82ff88b619afa7d4e9718b1ad78e90239e98548345fb83

Download Submit
C:\Windows\System32\hujPsiI.exe

Filesize
1.6MB

MD5
15f0e6d8273649a9ac98e34ae9b10b1d

SHA1
a1b06d05c05de64b75ec343f408461af229e1550

SHA256
77ae9d130a64694978c43ef3a7d09d5b7ea1ab8fa5b6b64ddc8f681fcfe39858

SHA512
28ba35745c274542b6bc5db5448739739e133f685baca6719803132185878cb6f44b1288f068eefca7a39e3cfec86e3357109cb0486c18bcb9edaaaaf3d82a3c

Download Submit
C:\Windows\System32\hwDGXzO.exe

Filesize
1.6MB

MD5
80f37754c3e118c5ae4af2acaf2b50b1

SHA1
098e06451f854c8c08eb2cc3896625a66e9e20aa

SHA256
e44043554cdc97139b2f591e6d945ae070fc57b80fbb34d2a40c73311e3dc0dd

SHA512
a27d6c52b5e8bf2fbfd4d8017ed966204599b5f8c2782900a111723dfa9ec62f16fccd29e7a7e67c4ae1d69bb7dde38d70f97ccd9201beef681fe5b470c025bd

Download Submit
C:\Windows\System32\jqWgKmP.exe

Filesize
1.6MB

MD5
e0ef208e9239ffdb50e799ebb87369db

SHA1
eed8df7cbbbd6a254d84089b4fed09d85a7d390a

SHA256
3a2d6538f48d47ee8500d6140eece8fc769cdac3cfa206712d62939dc6e00b61

SHA512
dc3743431e3edd2448dd60e1fd32b9ccb8f584750d42557b384ce04a45232f790e8d67f3018455452d003e16687ca51c06850bd30e9940b8b9a845b024bfc3d7

Download Submit
C:\Windows\System32\mRMiYbe.exe

Filesize
1.6MB

MD5
61c113fe795554fd4eb6335799a325b7

SHA1
b6635fd1ec48d27bf240fe71a35db887f6ad1688

SHA256
932f881b03bc6ebaddfc08df0db55a23e9036dd3933d503de4d145eeb9a5d37d

SHA512
c5b0668c90fbeba1437ae89fcfbd54adef86d814efbabf6f1225c473e4df2c91740cb5a8569fdf28698d28c004b8e7d89af62ca8182ad9751edf04df27b524b2

Download Submit
C:\Windows\System32\mqNKFLI.exe

Filesize
1.6MB

MD5
d855e67a063797b266349cf55242b1e1

SHA1
2c1ffddf04de6ecac9084d7424fcf17b59239b04

SHA256
a908742e4192ec1ce1004d68cd9f90949766e85e89ca8990746f27f373daa65c

SHA512
a8b9432f1abd36575ba1d61604eb2f429b425afe8f912de02871974d5d03d1b67b1cc80ac2072236b704b5b98bc59a7f56b4e7646b2ba9c1bb0b372a602ab773

Download Submit
C:\Windows\System32\oMqeNFa.exe

Filesize
1.6MB

MD5
ea0d65ca1b8723e539dd67990ee85ed3

SHA1
88628f30d8cb746bf3472e4708e248611ae4fdeb

SHA256
8dc18582dfe61ad78baff018fafbc2afe7b5e60fd4f8a81dad765cd40d3414ae

SHA512
bdd5695bf6717a4416e3efea50b01ea1ed3b8c5613a08fed7b9df22e4ed3755b372ae97aeda64bfd8737bcf39488ec24e61107c99cbcc2434f4c6975b15ce7d2

Download Submit
C:\Windows\System32\pIEYzUr.exe

Filesize
1.6MB

MD5
809c33f4fdb6e1e3e9e12a3e14d0ed59

SHA1
737f36fab3b90d987bee9f0fdfab59f696fa0fe4

SHA256
68e00a9a368ce07623dfe41d3a4d3556da39b8ebb7a1e9cf435d93655f0f15ba

SHA512
61dee47b60ec9f53c8fe17b4e8f930745b6f973853c93f0e97b97bd9b75080c0c98775a227c0d673e41f6480e360c77011f696919ed7d220950b858ffb2f073b

Download Submit
C:\Windows\System32\uNMiytm.exe

Filesize
1.6MB

MD5
afc28bc2ce40f456002f216295f03a01

SHA1
ed77cc19a8bed1b92431cf1c4717865f9f9a4ca0

SHA256
88193386f2b64dc73e54f71ae3e28472bda243a87eff3358a566af5d305b17b9

SHA512
f074a11cf1fdb8a9c906e48f80b708339f3d492aafdc8766bb5b912d0fa6d60f9a8d17fce65aaeb1c3ef44d3d24091738700ab8453df5bf1a450c037f149c565

Download Submit
C:\Windows\System32\wMkdnty.exe

Filesize
1.6MB

MD5
58ca98b30e425cdc14af30c21e53548c

SHA1
8296a3c612844e5e3ca3116193bac88f739388a1

SHA256
f0aacffc98abde36dfa823182f3e6313c4d30a2ea266d2862f000ddd6227585d

SHA512
10c0455f12b24bb5174f49cce90c761fdbb20bf65d4935412bc1b8e97c6bd6a1cbc0da7e4aee588e34bde2676ac19dc73f126b9d784d10b58e9f35b6209c7a41

Download Submit
C:\Windows\System32\xIRVJDV.exe

Filesize
1.6MB

MD5
959a3791d09148cdb6af020b24a2262d

SHA1
aa064ac05299104bd726525769429be8bb353813

SHA256
36f08cc07b9bd6a391e3cf5cbf6922a48c062740d743470e23e22fe3b9fa2f4a

SHA512
4ae072f3501cf9377457feb85182b1bc93b2c258c81532e39a10eccec32ac9a082be31ae2be91929d2e006da3ab8f3c3a5e285afb2b068fa2284045ca976993c

Download Submit
memory/244-422-0x00007FF680060000-0x00007FF680451000-memory.dmp

Filesize
3.9MB

Download
memory/244-2018-0x00007FF680060000-0x00007FF680451000-memory.dmp

Filesize
3.9MB

Download
memory/548-426-0x00007FF6E27A0000-0x00007FF6E2B91000-memory.dmp

Filesize
3.9MB

Download
memory/548-2020-0x00007FF6E27A0000-0x00007FF6E2B91000-memory.dmp

Filesize
3.9MB

Download
memory/664-2024-0x00007FF672A10000-0x00007FF672E01000-memory.dmp

Filesize
3.9MB

Download
memory/664-428-0x00007FF672A10000-0x00007FF672E01000-memory.dmp

Filesize
3.9MB

Download
memory/856-2026-0x00007FF7436C0000-0x00007FF743AB1000-memory.dmp

Filesize
3.9MB

Download
memory/856-429-0x00007FF7436C0000-0x00007FF743AB1000-memory.dmp

Filesize
3.9MB

Download
memory/1000-2000-0x00007FF655E90000-0x00007FF656281000-memory.dmp

Filesize
3.9MB

Download
memory/1000-415-0x00007FF655E90000-0x00007FF656281000-memory.dmp

Filesize
3.9MB

Download
memory/1100-12-0x00007FF6FC990000-0x00007FF6FCD81000-memory.dmp

Filesize
3.9MB

Download
memory/1100-1988-0x00007FF6FC990000-0x00007FF6FCD81000-memory.dmp

Filesize
3.9MB

Download
memory/1100-1978-0x00007FF6FC990000-0x00007FF6FCD81000-memory.dmp

Filesize
3.9MB

Download
memory/1204-425-0x00007FF615940000-0x00007FF615D31000-memory.dmp

Filesize
3.9MB

Download
memory/1204-2012-0x00007FF615940000-0x00007FF615D31000-memory.dmp

Filesize
3.9MB

Download
memory/2060-2022-0x00007FF7A4FE0000-0x00007FF7A53D1000-memory.dmp

Filesize
3.9MB

Download
memory/2060-427-0x00007FF7A4FE0000-0x00007FF7A53D1000-memory.dmp

Filesize
3.9MB

Download
memory/2260-2030-0x00007FF6D6BC0000-0x00007FF6D6FB1000-memory.dmp

Filesize
3.9MB

Download
memory/2260-431-0x00007FF6D6BC0000-0x00007FF6D6FB1000-memory.dmp

Filesize
3.9MB

Download
memory/2304-1996-0x00007FF6D9940000-0x00007FF6D9D31000-memory.dmp

Filesize
3.9MB

Download
memory/2304-414-0x00007FF6D9940000-0x00007FF6D9D31000-memory.dmp

Filesize
3.9MB

Download
memory/2360-417-0x00007FF6329A0000-0x00007FF632D91000-memory.dmp

Filesize
3.9MB

Download
memory/2360-2004-0x00007FF6329A0000-0x00007FF632D91000-memory.dmp

Filesize
3.9MB

Download
memory/2688-1-0x0000026E5C840000-0x0000026E5C850000-memory.dmp

Filesize
64KB

Download
memory/2688-0-0x00007FF773550000-0x00007FF773941000-memory.dmp

Filesize
3.9MB

Download
memory/2940-2010-0x00007FF766530000-0x00007FF766921000-memory.dmp

Filesize
3.9MB

Download
memory/2940-418-0x00007FF766530000-0x00007FF766921000-memory.dmp

Filesize
3.9MB

Download
memory/2988-420-0x00007FF7221D0000-0x00007FF7225C1000-memory.dmp

Filesize
3.9MB

Download
memory/2988-2006-0x00007FF7221D0000-0x00007FF7225C1000-memory.dmp

Filesize
3.9MB

Download
memory/3168-2016-0x00007FF7E3750000-0x00007FF7E3B41000-memory.dmp

Filesize
3.9MB

Download
memory/3168-424-0x00007FF7E3750000-0x00007FF7E3B41000-memory.dmp

Filesize
3.9MB

Download
memory/3280-2014-0x00007FF6048A0000-0x00007FF604C91000-memory.dmp

Filesize
3.9MB

Download
memory/3280-423-0x00007FF6048A0000-0x00007FF604C91000-memory.dmp

Filesize
3.9MB

Download
memory/3500-1990-0x00007FF6B3830000-0x00007FF6B3C21000-memory.dmp

Filesize
3.9MB

Download
memory/3500-1980-0x00007FF6B3830000-0x00007FF6B3C21000-memory.dmp

Filesize
3.9MB

Download
memory/3500-23-0x00007FF6B3830000-0x00007FF6B3C21000-memory.dmp

Filesize
3.9MB

Download
memory/3632-1992-0x00007FF66AE50000-0x00007FF66B241000-memory.dmp

Filesize
3.9MB

Download
memory/3632-22-0x00007FF66AE50000-0x00007FF66B241000-memory.dmp

Filesize
3.9MB

Download
memory/3632-1979-0x00007FF66AE50000-0x00007FF66B241000-memory.dmp

Filesize
3.9MB

Download
memory/3764-419-0x00007FF6F4EF0000-0x00007FF6F52E1000-memory.dmp

Filesize
3.9MB

Download
memory/3764-1998-0x00007FF6F4EF0000-0x00007FF6F52E1000-memory.dmp

Filesize
3.9MB

Download
memory/3936-1986-0x00007FF678500000-0x00007FF6788F1000-memory.dmp

Filesize
3.9MB

Download
memory/3936-11-0x00007FF678500000-0x00007FF6788F1000-memory.dmp

Filesize
3.9MB

Download
memory/4124-2008-0x00007FF773E80000-0x00007FF774271000-memory.dmp

Filesize
3.9MB

Download
memory/4124-416-0x00007FF773E80000-0x00007FF774271000-memory.dmp

Filesize
3.9MB

Download
memory/4216-2038-0x00007FF672C40000-0x00007FF673031000-memory.dmp

Filesize
3.9MB

Download
memory/4216-432-0x00007FF672C40000-0x00007FF673031000-memory.dmp

Filesize
3.9MB

Download
memory/4684-1994-0x00007FF66AFB0000-0x00007FF66B3A1000-memory.dmp

Filesize
3.9MB

Download
memory/4684-33-0x00007FF66AFB0000-0x00007FF66B3A1000-memory.dmp

Filesize
3.9MB

Download
memory/4688-2028-0x00007FF7642D0000-0x00007FF7646C1000-memory.dmp

Filesize
3.9MB

Download
memory/4688-430-0x00007FF7642D0000-0x00007FF7646C1000-memory.dmp

Filesize
3.9MB

Download
memory/4988-421-0x00007FF661F20000-0x00007FF662311000-memory.dmp

Filesize
3.9MB

Download
memory/4988-2003-0x00007FF661F20000-0x00007FF662311000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads