xmrig | db5ebd2470872f399db6097f898cd3a23df2a6bf9406845d7d15bc2eb0e0b3b7

Analysis

max time kernel
149s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 11:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
Size

1.7MB
MD5

00a829489f208da9aff5bfe2171ce5f4
SHA1

25fde2d6fd4d46f1014f5358fee34602975be81a
SHA256

db5ebd2470872f399db6097f898cd3a23df2a6bf9406845d7d15bc2eb0e0b3b7
SHA512

64f8da58bfa2e5826fe34246a07ed97573fc7df97ba4b09adecfcf449271a9b02f4ddd9d208c8ecae91b90bece7769a2a95cda5b47464efc0e34b7768d35bef2
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO9C1MKTbcMfHhGjw2Do+BRrCfULwvTnZC:knw9oUUEEDlGUjc2HhG82DivTnZC

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/2160-11-0x00007FF6590F0000-0x00007FF6594E1000-memory.dmp	xmrig
behavioral2/memory/3044-52-0x00007FF7A91D0000-0x00007FF7A95C1000-memory.dmp	xmrig
behavioral2/memory/3560-41-0x00007FF6AC2A0000-0x00007FF6AC691000-memory.dmp	xmrig
behavioral2/memory/2528-1995-0x00007FF720AC0000-0x00007FF720EB1000-memory.dmp	xmrig
behavioral2/memory/4396-1996-0x00007FF6C0680000-0x00007FF6C0A71000-memory.dmp	xmrig
behavioral2/memory/3548-2009-0x00007FF63EB50000-0x00007FF63EF41000-memory.dmp	xmrig
behavioral2/memory/2108-2030-0x00007FF7E1650000-0x00007FF7E1A41000-memory.dmp	xmrig
behavioral2/memory/2124-2034-0x00007FF7F9160000-0x00007FF7F9551000-memory.dmp	xmrig
behavioral2/memory/3508-2036-0x00007FF6F0C70000-0x00007FF6F1061000-memory.dmp	xmrig
behavioral2/memory/5000-2047-0x00007FF692460000-0x00007FF692851000-memory.dmp	xmrig
behavioral2/memory/2584-2056-0x00007FF6C78D0000-0x00007FF6C7CC1000-memory.dmp	xmrig
behavioral2/memory/876-2058-0x00007FF71B0E0000-0x00007FF71B4D1000-memory.dmp	xmrig
behavioral2/memory/1060-2059-0x00007FF7710B0000-0x00007FF7714A1000-memory.dmp	xmrig
behavioral2/memory/2032-2065-0x00007FF715480000-0x00007FF715871000-memory.dmp	xmrig
behavioral2/memory/64-2073-0x00007FF651940000-0x00007FF651D31000-memory.dmp	xmrig
behavioral2/memory/3960-2083-0x00007FF69D600000-0x00007FF69D9F1000-memory.dmp	xmrig
behavioral2/memory/2288-2082-0x00007FF70BCF0000-0x00007FF70C0E1000-memory.dmp	xmrig
behavioral2/memory/3496-2081-0x00007FF648AF0000-0x00007FF648EE1000-memory.dmp	xmrig
behavioral2/memory/2056-2079-0x00007FF6A6CE0000-0x00007FF6A70D1000-memory.dmp	xmrig
behavioral2/memory/3936-2078-0x00007FF71C770000-0x00007FF71CB61000-memory.dmp	xmrig
behavioral2/memory/3060-2075-0x00007FF7D8E30000-0x00007FF7D9221000-memory.dmp	xmrig
behavioral2/memory/1772-2072-0x00007FF797C60000-0x00007FF798051000-memory.dmp	xmrig
behavioral2/memory/1188-2067-0x00007FF76A750000-0x00007FF76AB41000-memory.dmp	xmrig
behavioral2/memory/4592-2049-0x00007FF762FB0000-0x00007FF7633A1000-memory.dmp	xmrig
behavioral2/memory/4396-2088-0x00007FF6C0680000-0x00007FF6C0A71000-memory.dmp	xmrig
behavioral2/memory/3044-2095-0x00007FF7A91D0000-0x00007FF7A95C1000-memory.dmp	xmrig
behavioral2/memory/2108-2099-0x00007FF7E1650000-0x00007FF7E1A41000-memory.dmp	xmrig
behavioral2/memory/3548-2097-0x00007FF63EB50000-0x00007FF63EF41000-memory.dmp	xmrig
behavioral2/memory/2160-2093-0x00007FF6590F0000-0x00007FF6594E1000-memory.dmp	xmrig
behavioral2/memory/2528-2092-0x00007FF720AC0000-0x00007FF720EB1000-memory.dmp	xmrig
behavioral2/memory/2124-2090-0x00007FF7F9160000-0x00007FF7F9551000-memory.dmp	xmrig
behavioral2/memory/3560-2086-0x00007FF6AC2A0000-0x00007FF6AC691000-memory.dmp	xmrig
behavioral2/memory/3496-2364-0x00007FF648AF0000-0x00007FF648EE1000-memory.dmp	xmrig
behavioral2/memory/3960-2461-0x00007FF69D600000-0x00007FF69D9F1000-memory.dmp	xmrig
behavioral2/memory/3936-2463-0x00007FF71C770000-0x00007FF71CB61000-memory.dmp	xmrig
behavioral2/memory/2288-2459-0x00007FF70BCF0000-0x00007FF70C0E1000-memory.dmp	xmrig
behavioral2/memory/5000-2457-0x00007FF692460000-0x00007FF692851000-memory.dmp	xmrig
behavioral2/memory/2032-2572-0x00007FF715480000-0x00007FF715871000-memory.dmp	xmrig
behavioral2/memory/876-2579-0x00007FF71B0E0000-0x00007FF71B4D1000-memory.dmp	xmrig
behavioral2/memory/3060-2586-0x00007FF7D8E30000-0x00007FF7D9221000-memory.dmp	xmrig
behavioral2/memory/1060-2583-0x00007FF7710B0000-0x00007FF7714A1000-memory.dmp	xmrig
behavioral2/memory/1772-2581-0x00007FF797C60000-0x00007FF798051000-memory.dmp	xmrig
behavioral2/memory/1188-2590-0x00007FF76A750000-0x00007FF76AB41000-memory.dmp	xmrig
behavioral2/memory/64-2355-0x00007FF651940000-0x00007FF651D31000-memory.dmp	xmrig
behavioral2/memory/3508-2353-0x00007FF6F0C70000-0x00007FF6F1061000-memory.dmp	xmrig
behavioral2/memory/2056-2366-0x00007FF6A6CE0000-0x00007FF6A70D1000-memory.dmp	xmrig
behavioral2/memory/4592-2361-0x00007FF762FB0000-0x00007FF7633A1000-memory.dmp	xmrig
behavioral2/memory/2584-2351-0x00007FF6C78D0000-0x00007FF6C7CC1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2160	qyzgubO.exe
2528	jXUyQDt.exe
4396	LCvyzPx.exe
2108	LsXBElK.exe
3548	osHYbba.exe
3560	jXhCfBo.exe
2124	wrUwFPZ.exe
3044	KouCVYD.exe
3508	HdSnBmP.exe
5000	zFzYNHq.exe
4592	FDvlTeF.exe
2584	lweoHUA.exe
876	weDzqsC.exe
1060	XeuNWkW.exe
2032	vPDlFqS.exe
1188	rkbnNOz.exe
1772	CbvYjcK.exe
64	nGBJnmU.exe
3060	EEnTNno.exe
3936	fqNxzwu.exe
2056	rnlSbDY.exe
3496	thygcSn.exe
2288	twqJWem.exe
3960	AoFuZPG.exe
1404	jcRbNmR.exe
1692	WwiPMQg.exe
2180	lFLYtHO.exe
1836	afmzmRJ.exe
2488	QAvPeQp.exe
3824	tmQJlfi.exe
3880	xOYzDau.exe
956	IDhwDwB.exe
4532	zsxSCdo.exe
2112	xCcgPkq.exe
1704	SmyIijI.exe
4452	fRDOwtl.exe
4804	ixJRXig.exe
764	HGPftOk.exe
4628	wUBAXPZ.exe
3828	slanTut.exe
828	iRpFRsT.exe
4696	ZkQiuZa.exe
4456	GvfAkOr.exe
1212	jrzVSpK.exe
3752	gfjTtVw.exe
2744	mqTyaMN.exe
1488	KvXjVja.exe
888	XFxijXl.exe
4852	FyNzaDw.exe
4732	AqZfQqZ.exe
1496	MDzyGQw.exe
388	VjiKVdv.exe
1636	SZJDuVE.exe
2296	XsNChlj.exe
3376	taeKCzN.exe
1392	lWpLwrd.exe
1696	XutclcW.exe
3140	oiMPDyt.exe
864	WsUBVIF.exe
2524	upDuRBf.exe
2612	gvIWHwc.exe
2300	fqMrDJs.exe
2628	lRshOhe.exe
4912	BgBxkbe.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3116-0-0x00007FF791F80000-0x00007FF792371000-memory.dmp	upx
behavioral2/files/0x000d000000023b23-4.dat	upx
behavioral2/memory/2160-11-0x00007FF6590F0000-0x00007FF6594E1000-memory.dmp	upx
behavioral2/files/0x000b000000023b88-18.dat	upx
behavioral2/memory/3548-27-0x00007FF63EB50000-0x00007FF63EF41000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-35.dat	upx
behavioral2/files/0x000a000000023b8d-37.dat	upx
behavioral2/files/0x000a000000023b8e-48.dat	upx
behavioral2/files/0x000a000000023b8f-51.dat	upx
behavioral2/memory/3508-53-0x00007FF6F0C70000-0x00007FF6F1061000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-104.dat	upx
behavioral2/memory/4592-749-0x00007FF762FB0000-0x00007FF7633A1000-memory.dmp	upx
behavioral2/memory/5000-748-0x00007FF692460000-0x00007FF692851000-memory.dmp	upx
behavioral2/memory/2584-750-0x00007FF6C78D0000-0x00007FF6C7CC1000-memory.dmp	upx
behavioral2/memory/876-751-0x00007FF71B0E0000-0x00007FF71B4D1000-memory.dmp	upx
behavioral2/memory/2032-753-0x00007FF715480000-0x00007FF715871000-memory.dmp	upx
behavioral2/memory/1188-754-0x00007FF76A750000-0x00007FF76AB41000-memory.dmp	upx
behavioral2/memory/1772-755-0x00007FF797C60000-0x00007FF798051000-memory.dmp	upx
behavioral2/memory/3060-757-0x00007FF7D8E30000-0x00007FF7D9221000-memory.dmp	upx
behavioral2/memory/3936-758-0x00007FF71C770000-0x00007FF71CB61000-memory.dmp	upx
behavioral2/memory/2056-759-0x00007FF6A6CE0000-0x00007FF6A70D1000-memory.dmp	upx
behavioral2/memory/3496-760-0x00007FF648AF0000-0x00007FF648EE1000-memory.dmp	upx
behavioral2/memory/3960-762-0x00007FF69D600000-0x00007FF69D9F1000-memory.dmp	upx
behavioral2/memory/2288-761-0x00007FF70BCF0000-0x00007FF70C0E1000-memory.dmp	upx
behavioral2/memory/64-756-0x00007FF651940000-0x00007FF651D31000-memory.dmp	upx
behavioral2/memory/1060-752-0x00007FF7710B0000-0x00007FF7714A1000-memory.dmp	upx
behavioral2/files/0x000a000000023bbe-194.dat	upx
behavioral2/files/0x000a000000023bbd-191.dat	upx
behavioral2/files/0x000a000000023bbc-188.dat	upx
behavioral2/files/0x000a000000023bbb-185.dat	upx
behavioral2/files/0x000a000000023bba-182.dat	upx
behavioral2/files/0x000a000000023bb9-179.dat	upx
behavioral2/files/0x000a000000023bb8-176.dat	upx
behavioral2/files/0x0031000000023bb7-173.dat	upx
behavioral2/files/0x0031000000023bb6-170.dat	upx
behavioral2/files/0x0031000000023bb5-167.dat	upx
behavioral2/files/0x000a000000023bb4-164.dat	upx
behavioral2/files/0x000a000000023bb3-161.dat	upx
behavioral2/files/0x000a000000023bb2-158.dat	upx
behavioral2/files/0x000a000000023bb1-155.dat	upx
behavioral2/files/0x000a000000023bb0-152.dat	upx
behavioral2/files/0x000a000000023baf-149.dat	upx
behavioral2/files/0x000a000000023bae-146.dat	upx
behavioral2/files/0x000a000000023bad-143.dat	upx
behavioral2/files/0x000a000000023bac-140.dat	upx
behavioral2/files/0x000a000000023bab-137.dat	upx
behavioral2/files/0x000a000000023baa-134.dat	upx
behavioral2/files/0x000a000000023ba9-131.dat	upx
behavioral2/files/0x000a000000023ba8-128.dat	upx
behavioral2/files/0x000a000000023ba7-125.dat	upx
behavioral2/files/0x000a000000023ba6-122.dat	upx
behavioral2/files/0x000a000000023ba5-119.dat	upx
behavioral2/files/0x000a000000023ba4-116.dat	upx
behavioral2/files/0x000a000000023ba3-113.dat	upx
behavioral2/files/0x000a000000023ba2-110.dat	upx
behavioral2/files/0x000a000000023ba1-107.dat	upx
behavioral2/files/0x000a000000023b9f-101.dat	upx
behavioral2/files/0x000a000000023b9e-98.dat	upx
behavioral2/files/0x000a000000023b9d-95.dat	upx
behavioral2/files/0x000a000000023b9c-92.dat	upx
behavioral2/files/0x000a000000023b9b-89.dat	upx
behavioral2/files/0x000a000000023b9a-86.dat	upx
behavioral2/files/0x000a000000023b99-83.dat	upx
behavioral2/files/0x000a000000023b98-80.dat	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\WNhbseG.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\JutNWrX.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\sgtBqlU.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\hwXZrRO.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\EsDADiA.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\RxpXman.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\sSQUcSv.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\BuYIEdU.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\fqNxzwu.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\eHaZoAp.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\QLhkcTd.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\ikBQmYD.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\OCZlYHq.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\wScCiXA.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\wrTvMsV.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\lweoHUA.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\afmzmRJ.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\uuVVkxF.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\TgnhdMH.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\OITNIaU.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\rnlSbDY.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\tZTdPte.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\lEgFnaP.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\oOczYeE.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\OXDBBpL.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\sjLidVn.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\oeTSjAJ.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\bdeEqJs.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\LCvyzPx.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\taeKCzN.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\JozzFtk.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\YKvREvc.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\rltZYId.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\KIJkIBE.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\GHIVdnm.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\QnRNVvR.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\LBfDlLO.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\DwGuOGj.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\XwouFNO.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\ViEOaYf.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\GNTvQRk.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\FkRhNDK.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\eoSXRUO.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\qCCTtXx.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\HIqSYlj.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\UwAyInx.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\ZZDYYhI.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\swUQwWy.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\VofhJAb.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\HrylLiM.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\TKsNnDD.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\ieoMECC.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\fAnyvCC.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\KKKUusj.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\AcVcNMh.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\mIfTPMy.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\UaobAhg.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\oOKJBaB.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\jcRbNmR.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\qCIHSrS.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\LXuWKBy.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\IYRzAbw.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\lKZVajy.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
File created	C:\Windows\System32\dIjGwNb.exe	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12684	dwm.exe
Token: SeChangeNotifyPrivilege	12684	dwm.exe
Token: 33	12684	dwm.exe
Token: SeIncBasePriorityPrivilege	12684	dwm.exe
Token: SeShutdownPrivilege	12684	dwm.exe
Token: SeCreatePagefilePrivilege	12684	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 2160	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	83
PID 3116 wrote to memory of 2160	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	83
PID 3116 wrote to memory of 2528	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	84
PID 3116 wrote to memory of 2528	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	84
PID 3116 wrote to memory of 2108	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	85
PID 3116 wrote to memory of 2108	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	85
PID 3116 wrote to memory of 4396	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	86
PID 3116 wrote to memory of 4396	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	86
PID 3116 wrote to memory of 3548	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	87
PID 3116 wrote to memory of 3548	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	87
PID 3116 wrote to memory of 3560	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	88
PID 3116 wrote to memory of 3560	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	88
PID 3116 wrote to memory of 2124	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	89
PID 3116 wrote to memory of 2124	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	89
PID 3116 wrote to memory of 3044	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	90
PID 3116 wrote to memory of 3044	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	90
PID 3116 wrote to memory of 3508	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	91
PID 3116 wrote to memory of 3508	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	91
PID 3116 wrote to memory of 5000	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	92
PID 3116 wrote to memory of 5000	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	92
PID 3116 wrote to memory of 4592	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	93
PID 3116 wrote to memory of 4592	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	93
PID 3116 wrote to memory of 2584	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	94
PID 3116 wrote to memory of 2584	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	94
PID 3116 wrote to memory of 876	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	95
PID 3116 wrote to memory of 876	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	95
PID 3116 wrote to memory of 1060	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	96
PID 3116 wrote to memory of 1060	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	96
PID 3116 wrote to memory of 2032	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	97
PID 3116 wrote to memory of 2032	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	97
PID 3116 wrote to memory of 1188	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	98
PID 3116 wrote to memory of 1188	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	98
PID 3116 wrote to memory of 1772	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	99
PID 3116 wrote to memory of 1772	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	99
PID 3116 wrote to memory of 64	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	100
PID 3116 wrote to memory of 64	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	100
PID 3116 wrote to memory of 3060	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	101
PID 3116 wrote to memory of 3060	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	101
PID 3116 wrote to memory of 3936	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	102
PID 3116 wrote to memory of 3936	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	102
PID 3116 wrote to memory of 2056	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	103
PID 3116 wrote to memory of 2056	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	103
PID 3116 wrote to memory of 3496	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	104
PID 3116 wrote to memory of 3496	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	104
PID 3116 wrote to memory of 2288	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	105
PID 3116 wrote to memory of 2288	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	105
PID 3116 wrote to memory of 3960	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	106
PID 3116 wrote to memory of 3960	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	106
PID 3116 wrote to memory of 1404	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	107
PID 3116 wrote to memory of 1404	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	107
PID 3116 wrote to memory of 1692	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	108
PID 3116 wrote to memory of 1692	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	108
PID 3116 wrote to memory of 2180	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	109
PID 3116 wrote to memory of 2180	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	109
PID 3116 wrote to memory of 1836	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	110
PID 3116 wrote to memory of 1836	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	110
PID 3116 wrote to memory of 2488	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	111
PID 3116 wrote to memory of 2488	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	111
PID 3116 wrote to memory of 3824	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	112
PID 3116 wrote to memory of 3824	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	112
PID 3116 wrote to memory of 3880	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	113
PID 3116 wrote to memory of 3880	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	113
PID 3116 wrote to memory of 956	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	114
PID 3116 wrote to memory of 956	3116	00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe	114

C:\Users\Admin\AppData\Local\Temp\00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00a829489f208da9aff5bfe2171ce5f4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\System32\qyzgubO.exe
  C:\Windows\System32\qyzgubO.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System32\jXUyQDt.exe
  C:\Windows\System32\jXUyQDt.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System32\LsXBElK.exe
  C:\Windows\System32\LsXBElK.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\LCvyzPx.exe
  C:\Windows\System32\LCvyzPx.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\osHYbba.exe
  C:\Windows\System32\osHYbba.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System32\jXhCfBo.exe
  C:\Windows\System32\jXhCfBo.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\wrUwFPZ.exe
  C:\Windows\System32\wrUwFPZ.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System32\KouCVYD.exe
  C:\Windows\System32\KouCVYD.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\HdSnBmP.exe
  C:\Windows\System32\HdSnBmP.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System32\zFzYNHq.exe
  C:\Windows\System32\zFzYNHq.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System32\FDvlTeF.exe
  C:\Windows\System32\FDvlTeF.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System32\lweoHUA.exe
  C:\Windows\System32\lweoHUA.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System32\weDzqsC.exe
  C:\Windows\System32\weDzqsC.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\XeuNWkW.exe
  C:\Windows\System32\XeuNWkW.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System32\vPDlFqS.exe
  C:\Windows\System32\vPDlFqS.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System32\rkbnNOz.exe
  C:\Windows\System32\rkbnNOz.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System32\CbvYjcK.exe
  C:\Windows\System32\CbvYjcK.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System32\nGBJnmU.exe
  C:\Windows\System32\nGBJnmU.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System32\EEnTNno.exe
  C:\Windows\System32\EEnTNno.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System32\fqNxzwu.exe
  C:\Windows\System32\fqNxzwu.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System32\rnlSbDY.exe
  C:\Windows\System32\rnlSbDY.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System32\thygcSn.exe
  C:\Windows\System32\thygcSn.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\twqJWem.exe
  C:\Windows\System32\twqJWem.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\AoFuZPG.exe
  C:\Windows\System32\AoFuZPG.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System32\jcRbNmR.exe
  C:\Windows\System32\jcRbNmR.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System32\WwiPMQg.exe
  C:\Windows\System32\WwiPMQg.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System32\lFLYtHO.exe
  C:\Windows\System32\lFLYtHO.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System32\afmzmRJ.exe
  C:\Windows\System32\afmzmRJ.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\QAvPeQp.exe
  C:\Windows\System32\QAvPeQp.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\tmQJlfi.exe
  C:\Windows\System32\tmQJlfi.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System32\xOYzDau.exe
  C:\Windows\System32\xOYzDau.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System32\IDhwDwB.exe
  C:\Windows\System32\IDhwDwB.exe
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\System32\zsxSCdo.exe
  C:\Windows\System32\zsxSCdo.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System32\xCcgPkq.exe
  C:\Windows\System32\xCcgPkq.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System32\SmyIijI.exe
  C:\Windows\System32\SmyIijI.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System32\fRDOwtl.exe
  C:\Windows\System32\fRDOwtl.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\ixJRXig.exe
  C:\Windows\System32\ixJRXig.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\HGPftOk.exe
  C:\Windows\System32\HGPftOk.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System32\wUBAXPZ.exe
  C:\Windows\System32\wUBAXPZ.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\slanTut.exe
  C:\Windows\System32\slanTut.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\iRpFRsT.exe
  C:\Windows\System32\iRpFRsT.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System32\ZkQiuZa.exe
  C:\Windows\System32\ZkQiuZa.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\GvfAkOr.exe
  C:\Windows\System32\GvfAkOr.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\jrzVSpK.exe
  C:\Windows\System32\jrzVSpK.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System32\gfjTtVw.exe
  C:\Windows\System32\gfjTtVw.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System32\mqTyaMN.exe
  C:\Windows\System32\mqTyaMN.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\KvXjVja.exe
  C:\Windows\System32\KvXjVja.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System32\XFxijXl.exe
  C:\Windows\System32\XFxijXl.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System32\FyNzaDw.exe
  C:\Windows\System32\FyNzaDw.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\AqZfQqZ.exe
  C:\Windows\System32\AqZfQqZ.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\MDzyGQw.exe
  C:\Windows\System32\MDzyGQw.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System32\VjiKVdv.exe
  C:\Windows\System32\VjiKVdv.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System32\SZJDuVE.exe
  C:\Windows\System32\SZJDuVE.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\XsNChlj.exe
  C:\Windows\System32\XsNChlj.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\taeKCzN.exe
  C:\Windows\System32\taeKCzN.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System32\lWpLwrd.exe
  C:\Windows\System32\lWpLwrd.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System32\XutclcW.exe
  C:\Windows\System32\XutclcW.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System32\oiMPDyt.exe
  C:\Windows\System32\oiMPDyt.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\WsUBVIF.exe
  C:\Windows\System32\WsUBVIF.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System32\upDuRBf.exe
  C:\Windows\System32\upDuRBf.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System32\gvIWHwc.exe
  C:\Windows\System32\gvIWHwc.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System32\fqMrDJs.exe
  C:\Windows\System32\fqMrDJs.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System32\lRshOhe.exe
  C:\Windows\System32\lRshOhe.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System32\BgBxkbe.exe
  C:\Windows\System32\BgBxkbe.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\gwDiqfs.exe
  C:\Windows\System32\gwDiqfs.exe
  2⤵
  PID:4512
- C:\Windows\System32\zMteLsQ.exe
  C:\Windows\System32\zMteLsQ.exe
  2⤵
  PID:3340
- C:\Windows\System32\aXiydLd.exe
  C:\Windows\System32\aXiydLd.exe
  2⤵
  PID:4900
- C:\Windows\System32\qCIHSrS.exe
  C:\Windows\System32\qCIHSrS.exe
  2⤵
  PID:2852
- C:\Windows\System32\fAolCzA.exe
  C:\Windows\System32\fAolCzA.exe
  2⤵
  PID:3788
- C:\Windows\System32\vLrKQnh.exe
  C:\Windows\System32\vLrKQnh.exe
  2⤵
  PID:1968
- C:\Windows\System32\DsxUbtd.exe
  C:\Windows\System32\DsxUbtd.exe
  2⤵
  PID:2684
- C:\Windows\System32\vkBynQi.exe
  C:\Windows\System32\vkBynQi.exe
  2⤵
  PID:1544
- C:\Windows\System32\VKiKaGF.exe
  C:\Windows\System32\VKiKaGF.exe
  2⤵
  PID:2404
- C:\Windows\System32\EngMEVl.exe
  C:\Windows\System32\EngMEVl.exe
  2⤵
  PID:4940
- C:\Windows\System32\rZrFdwG.exe
  C:\Windows\System32\rZrFdwG.exe
  2⤵
  PID:2096
- C:\Windows\System32\MScBAgX.exe
  C:\Windows\System32\MScBAgX.exe
  2⤵
  PID:2644
- C:\Windows\System32\wFdjVYo.exe
  C:\Windows\System32\wFdjVYo.exe
  2⤵
  PID:4880
- C:\Windows\System32\JIbZKNS.exe
  C:\Windows\System32\JIbZKNS.exe
  2⤵
  PID:2948
- C:\Windows\System32\emOUDON.exe
  C:\Windows\System32\emOUDON.exe
  2⤵
  PID:4508
- C:\Windows\System32\NxJNeoW.exe
  C:\Windows\System32\NxJNeoW.exe
  2⤵
  PID:1348
- C:\Windows\System32\hXWcAwb.exe
  C:\Windows\System32\hXWcAwb.exe
  2⤵
  PID:4564
- C:\Windows\System32\zUUbESi.exe
  C:\Windows\System32\zUUbESi.exe
  2⤵
  PID:3704
- C:\Windows\System32\uVqDmBg.exe
  C:\Windows\System32\uVqDmBg.exe
  2⤵
  PID:3848
- C:\Windows\System32\UKCXlfU.exe
  C:\Windows\System32\UKCXlfU.exe
  2⤵
  PID:2000
- C:\Windows\System32\CbrfSmD.exe
  C:\Windows\System32\CbrfSmD.exe
  2⤵
  PID:2724
- C:\Windows\System32\SzOPFNf.exe
  C:\Windows\System32\SzOPFNf.exe
  2⤵
  PID:3876
- C:\Windows\System32\tZTdPte.exe
  C:\Windows\System32\tZTdPte.exe
  2⤵
  PID:4496
- C:\Windows\System32\WUWrIlV.exe
  C:\Windows\System32\WUWrIlV.exe
  2⤵
  PID:4920
- C:\Windows\System32\GMAeMwr.exe
  C:\Windows\System32\GMAeMwr.exe
  2⤵
  PID:1216
- C:\Windows\System32\pTiOhiX.exe
  C:\Windows\System32\pTiOhiX.exe
  2⤵
  PID:3404
- C:\Windows\System32\loHOSNW.exe
  C:\Windows\System32\loHOSNW.exe
  2⤵
  PID:4500
- C:\Windows\System32\HJvDNSr.exe
  C:\Windows\System32\HJvDNSr.exe
  2⤵
  PID:4264
- C:\Windows\System32\evTQXvD.exe
  C:\Windows\System32\evTQXvD.exe
  2⤵
  PID:4076
- C:\Windows\System32\AqIZAOm.exe
  C:\Windows\System32\AqIZAOm.exe
  2⤵
  PID:4744
- C:\Windows\System32\JutNWrX.exe
  C:\Windows\System32\JutNWrX.exe
  2⤵
  PID:3276
- C:\Windows\System32\OjVOgkb.exe
  C:\Windows\System32\OjVOgkb.exe
  2⤵
  PID:4604
- C:\Windows\System32\dETDWoq.exe
  C:\Windows\System32\dETDWoq.exe
  2⤵
  PID:2968
- C:\Windows\System32\puMMQxc.exe
  C:\Windows\System32\puMMQxc.exe
  2⤵
  PID:3756
- C:\Windows\System32\WkfURcT.exe
  C:\Windows\System32\WkfURcT.exe
  2⤵
  PID:2128
- C:\Windows\System32\Frqlndx.exe
  C:\Windows\System32\Frqlndx.exe
  2⤵
  PID:1204
- C:\Windows\System32\viDMtsY.exe
  C:\Windows\System32\viDMtsY.exe
  2⤵
  PID:1264
- C:\Windows\System32\DIYCGAo.exe
  C:\Windows\System32\DIYCGAo.exe
  2⤵
  PID:4156
- C:\Windows\System32\YFWBLmW.exe
  C:\Windows\System32\YFWBLmW.exe
  2⤵
  PID:4112
- C:\Windows\System32\JozzFtk.exe
  C:\Windows\System32\JozzFtk.exe
  2⤵
  PID:3452
- C:\Windows\System32\IZllphW.exe
  C:\Windows\System32\IZllphW.exe
  2⤵
  PID:4840
- C:\Windows\System32\oSawolf.exe
  C:\Windows\System32\oSawolf.exe
  2⤵
  PID:3164
- C:\Windows\System32\LGkueyp.exe
  C:\Windows\System32\LGkueyp.exe
  2⤵
  PID:2568
- C:\Windows\System32\jJtLqWZ.exe
  C:\Windows\System32\jJtLqWZ.exe
  2⤵
  PID:2400
- C:\Windows\System32\hiAfxpr.exe
  C:\Windows\System32\hiAfxpr.exe
  2⤵
  PID:2140
- C:\Windows\System32\tfkPsbK.exe
  C:\Windows\System32\tfkPsbK.exe
  2⤵
  PID:4588
- C:\Windows\System32\lEgFnaP.exe
  C:\Windows\System32\lEgFnaP.exe
  2⤵
  PID:3200
- C:\Windows\System32\YLnpfHa.exe
  C:\Windows\System32\YLnpfHa.exe
  2⤵
  PID:2272
- C:\Windows\System32\HEOigbw.exe
  C:\Windows\System32\HEOigbw.exe
  2⤵
  PID:4948
- C:\Windows\System32\JPrYKGe.exe
  C:\Windows\System32\JPrYKGe.exe
  2⤵
  PID:4464
- C:\Windows\System32\LgBBELk.exe
  C:\Windows\System32\LgBBELk.exe
  2⤵
  PID:2264
- C:\Windows\System32\VNhSrzH.exe
  C:\Windows\System32\VNhSrzH.exe
  2⤵
  PID:620
- C:\Windows\System32\bqMRtJq.exe
  C:\Windows\System32\bqMRtJq.exe
  2⤵
  PID:5064
- C:\Windows\System32\fofbzze.exe
  C:\Windows\System32\fofbzze.exe
  2⤵
  PID:4060
- C:\Windows\System32\eTySJwO.exe
  C:\Windows\System32\eTySJwO.exe
  2⤵
  PID:3912
- C:\Windows\System32\sJonJBL.exe
  C:\Windows\System32\sJonJBL.exe
  2⤵
  PID:3656
- C:\Windows\System32\vSMrTKt.exe
  C:\Windows\System32\vSMrTKt.exe
  2⤵
  PID:2596
- C:\Windows\System32\lSdzQnq.exe
  C:\Windows\System32\lSdzQnq.exe
  2⤵
  PID:632
- C:\Windows\System32\BxAkhUH.exe
  C:\Windows\System32\BxAkhUH.exe
  2⤵
  PID:2268
- C:\Windows\System32\kHQLvHu.exe
  C:\Windows\System32\kHQLvHu.exe
  2⤵
  PID:3956
- C:\Windows\System32\qCCTtXx.exe
  C:\Windows\System32\qCCTtXx.exe
  2⤵
  PID:3248
- C:\Windows\System32\oOczYeE.exe
  C:\Windows\System32\oOczYeE.exe
  2⤵
  PID:3088
- C:\Windows\System32\FIGZpFK.exe
  C:\Windows\System32\FIGZpFK.exe
  2⤵
  PID:2080
- C:\Windows\System32\iFZUoZV.exe
  C:\Windows\System32\iFZUoZV.exe
  2⤵
  PID:2512
- C:\Windows\System32\ZywdPNx.exe
  C:\Windows\System32\ZywdPNx.exe
  2⤵
  PID:1480
- C:\Windows\System32\XwouFNO.exe
  C:\Windows\System32\XwouFNO.exe
  2⤵
  PID:5116
- C:\Windows\System32\qkaCFkb.exe
  C:\Windows\System32\qkaCFkb.exe
  2⤵
  PID:4524
- C:\Windows\System32\faIdtFJ.exe
  C:\Windows\System32\faIdtFJ.exe
  2⤵
  PID:3108
- C:\Windows\System32\WLzJznJ.exe
  C:\Windows\System32\WLzJznJ.exe
  2⤵
  PID:4608
- C:\Windows\System32\iexsNMI.exe
  C:\Windows\System32\iexsNMI.exe
  2⤵
  PID:4460
- C:\Windows\System32\EiqBStE.exe
  C:\Windows\System32\EiqBStE.exe
  2⤵
  PID:4724
- C:\Windows\System32\pJtRXfW.exe
  C:\Windows\System32\pJtRXfW.exe
  2⤵
  PID:220
- C:\Windows\System32\ZrqGlAB.exe
  C:\Windows\System32\ZrqGlAB.exe
  2⤵
  PID:4492
- C:\Windows\System32\JWugKwz.exe
  C:\Windows\System32\JWugKwz.exe
  2⤵
  PID:4544
- C:\Windows\System32\SJRVaGC.exe
  C:\Windows\System32\SJRVaGC.exe
  2⤵
  PID:2412
- C:\Windows\System32\lJZcKyX.exe
  C:\Windows\System32\lJZcKyX.exe
  2⤵
  PID:2360
- C:\Windows\System32\ViEOaYf.exe
  C:\Windows\System32\ViEOaYf.exe
  2⤵
  PID:460
- C:\Windows\System32\GNTvQRk.exe
  C:\Windows\System32\GNTvQRk.exe
  2⤵
  PID:4324
- C:\Windows\System32\AcVcNMh.exe
  C:\Windows\System32\AcVcNMh.exe
  2⤵
  PID:1736
- C:\Windows\System32\wlAWdyx.exe
  C:\Windows\System32\wlAWdyx.exe
  2⤵
  PID:3320
- C:\Windows\System32\eDUqOPh.exe
  C:\Windows\System32\eDUqOPh.exe
  2⤵
  PID:4988
- C:\Windows\System32\NIlXYSr.exe
  C:\Windows\System32\NIlXYSr.exe
  2⤵
  PID:2720
- C:\Windows\System32\VofhJAb.exe
  C:\Windows\System32\VofhJAb.exe
  2⤵
  PID:3336
- C:\Windows\System32\wnSZHIP.exe
  C:\Windows\System32\wnSZHIP.exe
  2⤵
  PID:4216
- C:\Windows\System32\VVTApEj.exe
  C:\Windows\System32\VVTApEj.exe
  2⤵
  PID:4380
- C:\Windows\System32\JZmOTaM.exe
  C:\Windows\System32\JZmOTaM.exe
  2⤵
  PID:2312
- C:\Windows\System32\YKvREvc.exe
  C:\Windows\System32\YKvREvc.exe
  2⤵
  PID:3620
- C:\Windows\System32\ZaQXmgv.exe
  C:\Windows\System32\ZaQXmgv.exe
  2⤵
  PID:4360
- C:\Windows\System32\nkXJlTj.exe
  C:\Windows\System32\nkXJlTj.exe
  2⤵
  PID:4612
- C:\Windows\System32\IoUgygK.exe
  C:\Windows\System32\IoUgygK.exe
  2⤵
  PID:1004
- C:\Windows\System32\mqYnKPe.exe
  C:\Windows\System32\mqYnKPe.exe
  2⤵
  PID:5096
- C:\Windows\System32\OXDBBpL.exe
  C:\Windows\System32\OXDBBpL.exe
  2⤵
  PID:680
- C:\Windows\System32\IlNXaaI.exe
  C:\Windows\System32\IlNXaaI.exe
  2⤵
  PID:3628
- C:\Windows\System32\fbEtzkn.exe
  C:\Windows\System32\fbEtzkn.exe
  2⤵
  PID:3596
- C:\Windows\System32\AHxzNea.exe
  C:\Windows\System32\AHxzNea.exe
  2⤵
  PID:2608
- C:\Windows\System32\JiaaIcs.exe
  C:\Windows\System32\JiaaIcs.exe
  2⤵
  PID:4408
- C:\Windows\System32\hwtdzdN.exe
  C:\Windows\System32\hwtdzdN.exe
  2⤵
  PID:744
- C:\Windows\System32\VRhsDaW.exe
  C:\Windows\System32\VRhsDaW.exe
  2⤵
  PID:3952
- C:\Windows\System32\yPGruqR.exe
  C:\Windows\System32\yPGruqR.exe
  2⤵
  PID:3784
- C:\Windows\System32\ZOMOyaC.exe
  C:\Windows\System32\ZOMOyaC.exe
  2⤵
  PID:4092
- C:\Windows\System32\JCPyhfv.exe
  C:\Windows\System32\JCPyhfv.exe
  2⤵
  PID:4036
- C:\Windows\System32\RazeTwC.exe
  C:\Windows\System32\RazeTwC.exe
  2⤵
  PID:5136
- C:\Windows\System32\SHXSAXB.exe
  C:\Windows\System32\SHXSAXB.exe
  2⤵
  PID:5152
- C:\Windows\System32\PxqOvpv.exe
  C:\Windows\System32\PxqOvpv.exe
  2⤵
  PID:5168
- C:\Windows\System32\RuVdVYT.exe
  C:\Windows\System32\RuVdVYT.exe
  2⤵
  PID:5184
- C:\Windows\System32\ofRephf.exe
  C:\Windows\System32\ofRephf.exe
  2⤵
  PID:5200
- C:\Windows\System32\QXfWGzj.exe
  C:\Windows\System32\QXfWGzj.exe
  2⤵
  PID:5216
- C:\Windows\System32\OoOGaRO.exe
  C:\Windows\System32\OoOGaRO.exe
  2⤵
  PID:5232
- C:\Windows\System32\eemNIJx.exe
  C:\Windows\System32\eemNIJx.exe
  2⤵
  PID:5248
- C:\Windows\System32\rltZYId.exe
  C:\Windows\System32\rltZYId.exe
  2⤵
  PID:5264
- C:\Windows\System32\WAwLJLL.exe
  C:\Windows\System32\WAwLJLL.exe
  2⤵
  PID:5280
- C:\Windows\System32\NHobRcP.exe
  C:\Windows\System32\NHobRcP.exe
  2⤵
  PID:5296
- C:\Windows\System32\jiSeaVS.exe
  C:\Windows\System32\jiSeaVS.exe
  2⤵
  PID:5312
- C:\Windows\System32\WbDUzmn.exe
  C:\Windows\System32\WbDUzmn.exe
  2⤵
  PID:5328
- C:\Windows\System32\mKdblZj.exe
  C:\Windows\System32\mKdblZj.exe
  2⤵
  PID:5344
- C:\Windows\System32\grffpjR.exe
  C:\Windows\System32\grffpjR.exe
  2⤵
  PID:5360
- C:\Windows\System32\VdVTGqD.exe
  C:\Windows\System32\VdVTGqD.exe
  2⤵
  PID:5376
- C:\Windows\System32\FkRhNDK.exe
  C:\Windows\System32\FkRhNDK.exe
  2⤵
  PID:5392
- C:\Windows\System32\SnmzgjQ.exe
  C:\Windows\System32\SnmzgjQ.exe
  2⤵
  PID:5408
- C:\Windows\System32\XWefocR.exe
  C:\Windows\System32\XWefocR.exe
  2⤵
  PID:5424
- C:\Windows\System32\qGjTBPx.exe
  C:\Windows\System32\qGjTBPx.exe
  2⤵
  PID:5440
- C:\Windows\System32\Wocbfju.exe
  C:\Windows\System32\Wocbfju.exe
  2⤵
  PID:5456
- C:\Windows\System32\oASLAhl.exe
  C:\Windows\System32\oASLAhl.exe
  2⤵
  PID:5472
- C:\Windows\System32\kBwRVQS.exe
  C:\Windows\System32\kBwRVQS.exe
  2⤵
  PID:5488
- C:\Windows\System32\AavWROG.exe
  C:\Windows\System32\AavWROG.exe
  2⤵
  PID:5504
- C:\Windows\System32\YHPkeoi.exe
  C:\Windows\System32\YHPkeoi.exe
  2⤵
  PID:5520
- C:\Windows\System32\LPNmNiP.exe
  C:\Windows\System32\LPNmNiP.exe
  2⤵
  PID:5536
- C:\Windows\System32\HNLLUHY.exe
  C:\Windows\System32\HNLLUHY.exe
  2⤵
  PID:5552
- C:\Windows\System32\wQsRMJy.exe
  C:\Windows\System32\wQsRMJy.exe
  2⤵
  PID:5568
- C:\Windows\System32\HeUVmCM.exe
  C:\Windows\System32\HeUVmCM.exe
  2⤵
  PID:5584
- C:\Windows\System32\vnYIvZx.exe
  C:\Windows\System32\vnYIvZx.exe
  2⤵
  PID:5600
- C:\Windows\System32\HrRwICF.exe
  C:\Windows\System32\HrRwICF.exe
  2⤵
  PID:5616
- C:\Windows\System32\moDBvfj.exe
  C:\Windows\System32\moDBvfj.exe
  2⤵
  PID:5632
- C:\Windows\System32\nCDayPx.exe
  C:\Windows\System32\nCDayPx.exe
  2⤵
  PID:5648
- C:\Windows\System32\nwzsmHT.exe
  C:\Windows\System32\nwzsmHT.exe
  2⤵
  PID:5664
- C:\Windows\System32\kdjYliN.exe
  C:\Windows\System32\kdjYliN.exe
  2⤵
  PID:5680
- C:\Windows\System32\DEOvDcn.exe
  C:\Windows\System32\DEOvDcn.exe
  2⤵
  PID:5696
- C:\Windows\System32\zsOTeuu.exe
  C:\Windows\System32\zsOTeuu.exe
  2⤵
  PID:5712
- C:\Windows\System32\RcMXFAZ.exe
  C:\Windows\System32\RcMXFAZ.exe
  2⤵
  PID:5728
- C:\Windows\System32\CjboJmF.exe
  C:\Windows\System32\CjboJmF.exe
  2⤵
  PID:5744
- C:\Windows\System32\zdlIucF.exe
  C:\Windows\System32\zdlIucF.exe
  2⤵
  PID:5760
- C:\Windows\System32\VPQBJbA.exe
  C:\Windows\System32\VPQBJbA.exe
  2⤵
  PID:5776
- C:\Windows\System32\hrHmIoL.exe
  C:\Windows\System32\hrHmIoL.exe
  2⤵
  PID:5792
- C:\Windows\System32\PeCincw.exe
  C:\Windows\System32\PeCincw.exe
  2⤵
  PID:5808
- C:\Windows\System32\eHaZoAp.exe
  C:\Windows\System32\eHaZoAp.exe
  2⤵
  PID:5824
- C:\Windows\System32\mHgfSSU.exe
  C:\Windows\System32\mHgfSSU.exe
  2⤵
  PID:5840
- C:\Windows\System32\xNFDfiO.exe
  C:\Windows\System32\xNFDfiO.exe
  2⤵
  PID:5856
- C:\Windows\System32\yDeVKjj.exe
  C:\Windows\System32\yDeVKjj.exe
  2⤵
  PID:5872
- C:\Windows\System32\NJlPFaC.exe
  C:\Windows\System32\NJlPFaC.exe
  2⤵
  PID:5888
- C:\Windows\System32\PHKXuCz.exe
  C:\Windows\System32\PHKXuCz.exe
  2⤵
  PID:5904
- C:\Windows\System32\hbaPdTX.exe
  C:\Windows\System32\hbaPdTX.exe
  2⤵
  PID:5920
- C:\Windows\System32\dOAeKSp.exe
  C:\Windows\System32\dOAeKSp.exe
  2⤵
  PID:5936
- C:\Windows\System32\zoWJits.exe
  C:\Windows\System32\zoWJits.exe
  2⤵
  PID:5952
- C:\Windows\System32\YvoMxvM.exe
  C:\Windows\System32\YvoMxvM.exe
  2⤵
  PID:5968
- C:\Windows\System32\UKzXYlS.exe
  C:\Windows\System32\UKzXYlS.exe
  2⤵
  PID:5984
- C:\Windows\System32\QwfMOXU.exe
  C:\Windows\System32\QwfMOXU.exe
  2⤵
  PID:6000
- C:\Windows\System32\DtgyHZl.exe
  C:\Windows\System32\DtgyHZl.exe
  2⤵
  PID:6016
- C:\Windows\System32\QzTbnXm.exe
  C:\Windows\System32\QzTbnXm.exe
  2⤵
  PID:6032
- C:\Windows\System32\RnuvBCm.exe
  C:\Windows\System32\RnuvBCm.exe
  2⤵
  PID:6048
- C:\Windows\System32\ITsSnsl.exe
  C:\Windows\System32\ITsSnsl.exe
  2⤵
  PID:6064
- C:\Windows\System32\IwHkZBN.exe
  C:\Windows\System32\IwHkZBN.exe
  2⤵
  PID:6080
- C:\Windows\System32\eeYSpwc.exe
  C:\Windows\System32\eeYSpwc.exe
  2⤵
  PID:6096
- C:\Windows\System32\PdTFRPb.exe
  C:\Windows\System32\PdTFRPb.exe
  2⤵
  PID:6112
- C:\Windows\System32\EwigKBV.exe
  C:\Windows\System32\EwigKBV.exe
  2⤵
  PID:6128
- C:\Windows\System32\rcQbNlz.exe
  C:\Windows\System32\rcQbNlz.exe
  2⤵
  PID:3024
- C:\Windows\System32\VoXDleJ.exe
  C:\Windows\System32\VoXDleJ.exe
  2⤵
  PID:3592
- C:\Windows\System32\vBrVyCq.exe
  C:\Windows\System32\vBrVyCq.exe
  2⤵
  PID:3084
- C:\Windows\System32\mIfTPMy.exe
  C:\Windows\System32\mIfTPMy.exe
  2⤵
  PID:2552
- C:\Windows\System32\BrtHChq.exe
  C:\Windows\System32\BrtHChq.exe
  2⤵
  PID:444
- C:\Windows\System32\Mamedaf.exe
  C:\Windows\System32\Mamedaf.exe
  2⤵
  PID:2924
- C:\Windows\System32\tTDGFzJ.exe
  C:\Windows\System32\tTDGFzJ.exe
  2⤵
  PID:636
- C:\Windows\System32\QPHyPGM.exe
  C:\Windows\System32\QPHyPGM.exe
  2⤵
  PID:4020
- C:\Windows\System32\ggtvJVT.exe
  C:\Windows\System32\ggtvJVT.exe
  2⤵
  PID:1444
- C:\Windows\System32\QLhkcTd.exe
  C:\Windows\System32\QLhkcTd.exe
  2⤵
  PID:2336
- C:\Windows\System32\WVwfUeH.exe
  C:\Windows\System32\WVwfUeH.exe
  2⤵
  PID:2316
- C:\Windows\System32\DSOhOcc.exe
  C:\Windows\System32\DSOhOcc.exe
  2⤵
  PID:1604
- C:\Windows\System32\bwqrRIx.exe
  C:\Windows\System32\bwqrRIx.exe
  2⤵
  PID:3652
- C:\Windows\System32\IgIbLio.exe
  C:\Windows\System32\IgIbLio.exe
  2⤵
  PID:5128
- C:\Windows\System32\iaSUMEN.exe
  C:\Windows\System32\iaSUMEN.exe
  2⤵
  PID:3772
- C:\Windows\System32\uuVVkxF.exe
  C:\Windows\System32\uuVVkxF.exe
  2⤵
  PID:5180
- C:\Windows\System32\vqvAqyI.exe
  C:\Windows\System32\vqvAqyI.exe
  2⤵
  PID:5212
- C:\Windows\System32\CMeBsCM.exe
  C:\Windows\System32\CMeBsCM.exe
  2⤵
  PID:5240
- C:\Windows\System32\cklVIzU.exe
  C:\Windows\System32\cklVIzU.exe
  2⤵
  PID:5272
- C:\Windows\System32\XGxRSuL.exe
  C:\Windows\System32\XGxRSuL.exe
  2⤵
  PID:5304
- C:\Windows\System32\jWpMpKH.exe
  C:\Windows\System32\jWpMpKH.exe
  2⤵
  PID:3092
- C:\Windows\System32\xxUVOHS.exe
  C:\Windows\System32\xxUVOHS.exe
  2⤵
  PID:5356
- C:\Windows\System32\MlisNZi.exe
  C:\Windows\System32\MlisNZi.exe
  2⤵
  PID:5388
- C:\Windows\System32\gSsdoKU.exe
  C:\Windows\System32\gSsdoKU.exe
  2⤵
  PID:5420
- C:\Windows\System32\olRtsZb.exe
  C:\Windows\System32\olRtsZb.exe
  2⤵
  PID:5452
- C:\Windows\System32\WoKSwRu.exe
  C:\Windows\System32\WoKSwRu.exe
  2⤵
  PID:5480
- C:\Windows\System32\DNLMZCi.exe
  C:\Windows\System32\DNLMZCi.exe
  2⤵
  PID:5512
- C:\Windows\System32\VHOgFqi.exe
  C:\Windows\System32\VHOgFqi.exe
  2⤵
  PID:5544
- C:\Windows\System32\zqYTuHG.exe
  C:\Windows\System32\zqYTuHG.exe
  2⤵
  PID:5564
- C:\Windows\System32\sCqPOre.exe
  C:\Windows\System32\sCqPOre.exe
  2⤵
  PID:5596
- C:\Windows\System32\EoXqwrn.exe
  C:\Windows\System32\EoXqwrn.exe
  2⤵
  PID:5628
- C:\Windows\System32\VfkFBQD.exe
  C:\Windows\System32\VfkFBQD.exe
  2⤵
  PID:5660
- C:\Windows\System32\byxYior.exe
  C:\Windows\System32\byxYior.exe
  2⤵
  PID:5692
- C:\Windows\System32\PyACgAn.exe
  C:\Windows\System32\PyACgAn.exe
  2⤵
  PID:5724
- C:\Windows\System32\haPHecB.exe
  C:\Windows\System32\haPHecB.exe
  2⤵
  PID:5756
- C:\Windows\System32\HrylLiM.exe
  C:\Windows\System32\HrylLiM.exe
  2⤵
  PID:5788
- C:\Windows\System32\IJlRrbr.exe
  C:\Windows\System32\IJlRrbr.exe
  2⤵
  PID:5820
- C:\Windows\System32\iYsetMk.exe
  C:\Windows\System32\iYsetMk.exe
  2⤵
  PID:5852
- C:\Windows\System32\REhYrfd.exe
  C:\Windows\System32\REhYrfd.exe
  2⤵
  PID:5880
- C:\Windows\System32\hGEAsQA.exe
  C:\Windows\System32\hGEAsQA.exe
  2⤵
  PID:5912
- C:\Windows\System32\pyjBtMi.exe
  C:\Windows\System32\pyjBtMi.exe
  2⤵
  PID:5944
- C:\Windows\System32\HJkVwHp.exe
  C:\Windows\System32\HJkVwHp.exe
  2⤵
  PID:5964
- C:\Windows\System32\cedQrmz.exe
  C:\Windows\System32\cedQrmz.exe
  2⤵
  PID:5996
- C:\Windows\System32\TKsNnDD.exe
  C:\Windows\System32\TKsNnDD.exe
  2⤵
  PID:6028
- C:\Windows\System32\pcUQYnz.exe
  C:\Windows\System32\pcUQYnz.exe
  2⤵
  PID:6060
- C:\Windows\System32\lnQqDPd.exe
  C:\Windows\System32\lnQqDPd.exe
  2⤵
  PID:6092
- C:\Windows\System32\ZBZTIlV.exe
  C:\Windows\System32\ZBZTIlV.exe
  2⤵
  PID:6124
- C:\Windows\System32\PEKRdIe.exe
  C:\Windows\System32\PEKRdIe.exe
  2⤵
  PID:4992
- C:\Windows\System32\OoEtJpd.exe
  C:\Windows\System32\OoEtJpd.exe
  2⤵
  PID:4276
- C:\Windows\System32\LZRdNgo.exe
  C:\Windows\System32\LZRdNgo.exe
  2⤵
  PID:3860
- C:\Windows\System32\tIGxIpQ.exe
  C:\Windows\System32\tIGxIpQ.exe
  2⤵
  PID:688
- C:\Windows\System32\NtKAFFH.exe
  C:\Windows\System32\NtKAFFH.exe
  2⤵
  PID:5112
- C:\Windows\System32\iMovvxX.exe
  C:\Windows\System32\iMovvxX.exe
  2⤵
  PID:1732
- C:\Windows\System32\pRhwSRK.exe
  C:\Windows\System32\pRhwSRK.exe
  2⤵
  PID:3300
- C:\Windows\System32\ysTeMIF.exe
  C:\Windows\System32\ysTeMIF.exe
  2⤵
  PID:5148
- C:\Windows\System32\MqXwXOT.exe
  C:\Windows\System32\MqXwXOT.exe
  2⤵
  PID:5196
- C:\Windows\System32\abtEgph.exe
  C:\Windows\System32\abtEgph.exe
  2⤵
  PID:5256
- C:\Windows\System32\HIqSYlj.exe
  C:\Windows\System32\HIqSYlj.exe
  2⤵
  PID:1196
- C:\Windows\System32\RwiPVZk.exe
  C:\Windows\System32\RwiPVZk.exe
  2⤵
  PID:5352
- C:\Windows\System32\pmkdcIp.exe
  C:\Windows\System32\pmkdcIp.exe
  2⤵
  PID:5416
- C:\Windows\System32\RVxAIec.exe
  C:\Windows\System32\RVxAIec.exe
  2⤵
  PID:1048
- C:\Windows\System32\LZRwCJm.exe
  C:\Windows\System32\LZRwCJm.exe
  2⤵
  PID:5496
- C:\Windows\System32\RxxTkBY.exe
  C:\Windows\System32\RxxTkBY.exe
  2⤵
  PID:3776
- C:\Windows\System32\NPXnbTS.exe
  C:\Windows\System32\NPXnbTS.exe
  2⤵
  PID:3156
- C:\Windows\System32\KYSLzMF.exe
  C:\Windows\System32\KYSLzMF.exe
  2⤵
  PID:5656
- C:\Windows\System32\cOKismu.exe
  C:\Windows\System32\cOKismu.exe
  2⤵
  PID:5708
- C:\Windows\System32\uzbdhAs.exe
  C:\Windows\System32\uzbdhAs.exe
  2⤵
  PID:5752
- C:\Windows\System32\WpNAZMd.exe
  C:\Windows\System32\WpNAZMd.exe
  2⤵
  PID:5804
- C:\Windows\System32\kwIyslW.exe
  C:\Windows\System32\kwIyslW.exe
  2⤵
  PID:5864
- C:\Windows\System32\NnNCDqH.exe
  C:\Windows\System32\NnNCDqH.exe
  2⤵
  PID:5928
- C:\Windows\System32\MoJpyXC.exe
  C:\Windows\System32\MoJpyXC.exe
  2⤵
  PID:5980
- C:\Windows\System32\UaobAhg.exe
  C:\Windows\System32\UaobAhg.exe
  2⤵
  PID:3588
- C:\Windows\System32\XInAhBo.exe
  C:\Windows\System32\XInAhBo.exe
  2⤵
  PID:6076
- C:\Windows\System32\vdJsZEf.exe
  C:\Windows\System32\vdJsZEf.exe
  2⤵
  PID:6120
- C:\Windows\System32\MmIoYQm.exe
  C:\Windows\System32\MmIoYQm.exe
  2⤵
  PID:3720
- C:\Windows\System32\ReupuAQ.exe
  C:\Windows\System32\ReupuAQ.exe
  2⤵
  PID:4016
- C:\Windows\System32\BKBZIud.exe
  C:\Windows\System32\BKBZIud.exe
  2⤵
  PID:2292
- C:\Windows\System32\fDnWOnR.exe
  C:\Windows\System32\fDnWOnR.exe
  2⤵
  PID:4308
- C:\Windows\System32\zdUMWSY.exe
  C:\Windows\System32\zdUMWSY.exe
  2⤵
  PID:2024
- C:\Windows\System32\SxWpwJW.exe
  C:\Windows\System32\SxWpwJW.exe
  2⤵
  PID:5176
- C:\Windows\System32\aSYIJjN.exe
  C:\Windows\System32\aSYIJjN.exe
  2⤵
  PID:5224
- C:\Windows\System32\GkDxYnD.exe
  C:\Windows\System32\GkDxYnD.exe
  2⤵
  PID:5324
- C:\Windows\System32\ieoMECC.exe
  C:\Windows\System32\ieoMECC.exe
  2⤵
  PID:4896
- C:\Windows\System32\IYZTKFx.exe
  C:\Windows\System32\IYZTKFx.exe
  2⤵
  PID:5468
- C:\Windows\System32\ceHSBvX.exe
  C:\Windows\System32\ceHSBvX.exe
  2⤵
  PID:3500
- C:\Windows\System32\EPenLIC.exe
  C:\Windows\System32\EPenLIC.exe
  2⤵
  PID:5644
- C:\Windows\System32\YwDJhJL.exe
  C:\Windows\System32\YwDJhJL.exe
  2⤵
  PID:3868
- C:\Windows\System32\WAsRUzE.exe
  C:\Windows\System32\WAsRUzE.exe
  2⤵
  PID:5784
- C:\Windows\System32\rmpqGAb.exe
  C:\Windows\System32\rmpqGAb.exe
  2⤵
  PID:3504
- C:\Windows\System32\LxZqrrP.exe
  C:\Windows\System32\LxZqrrP.exe
  2⤵
  PID:4548
- C:\Windows\System32\ikBQmYD.exe
  C:\Windows\System32\ikBQmYD.exe
  2⤵
  PID:4740
- C:\Windows\System32\fUvgyow.exe
  C:\Windows\System32\fUvgyow.exe
  2⤵
  PID:2932
- C:\Windows\System32\TNraZcf.exe
  C:\Windows\System32\TNraZcf.exe
  2⤵
  PID:60
- C:\Windows\System32\KIJkIBE.exe
  C:\Windows\System32\KIJkIBE.exe
  2⤵
  PID:1844
- C:\Windows\System32\GLpjwxY.exe
  C:\Windows\System32\GLpjwxY.exe
  2⤵
  PID:3288
- C:\Windows\System32\ewAmSdT.exe
  C:\Windows\System32\ewAmSdT.exe
  2⤵
  PID:692
- C:\Windows\System32\APIhLtw.exe
  C:\Windows\System32\APIhLtw.exe
  2⤵
  PID:1964
- C:\Windows\System32\pPlvXAn.exe
  C:\Windows\System32\pPlvXAn.exe
  2⤵
  PID:4164
- C:\Windows\System32\CkPsOiM.exe
  C:\Windows\System32\CkPsOiM.exe
  2⤵
  PID:3412
- C:\Windows\System32\fAnyvCC.exe
  C:\Windows\System32\fAnyvCC.exe
  2⤵
  PID:4568
- C:\Windows\System32\kewRLvk.exe
  C:\Windows\System32\kewRLvk.exe
  2⤵
  PID:5436
- C:\Windows\System32\tCnnvzZ.exe
  C:\Windows\System32\tCnnvzZ.exe
  2⤵
  PID:3728
- C:\Windows\System32\WzUxQZc.exe
  C:\Windows\System32\WzUxQZc.exe
  2⤵
  PID:3816
- C:\Windows\System32\GZQegct.exe
  C:\Windows\System32\GZQegct.exe
  2⤵
  PID:5900
- C:\Windows\System32\oCjiqoI.exe
  C:\Windows\System32\oCjiqoI.exe
  2⤵
  PID:6044
- C:\Windows\System32\HDvmztQ.exe
  C:\Windows\System32\HDvmztQ.exe
  2⤵
  PID:1796
- C:\Windows\System32\KZTPnbQ.exe
  C:\Windows\System32\KZTPnbQ.exe
  2⤵
  PID:1956
- C:\Windows\System32\MrVfKdh.exe
  C:\Windows\System32\MrVfKdh.exe
  2⤵
  PID:3384
- C:\Windows\System32\qkhlLYD.exe
  C:\Windows\System32\qkhlLYD.exe
  2⤵
  PID:2660
- C:\Windows\System32\USyYvbR.exe
  C:\Windows\System32\USyYvbR.exe
  2⤵
  PID:6156
- C:\Windows\System32\CKHXTEb.exe
  C:\Windows\System32\CKHXTEb.exe
  2⤵
  PID:6172
- C:\Windows\System32\XpJPhbq.exe
  C:\Windows\System32\XpJPhbq.exe
  2⤵
  PID:6188
- C:\Windows\System32\bwhvCcf.exe
  C:\Windows\System32\bwhvCcf.exe
  2⤵
  PID:6204
- C:\Windows\System32\GHIVdnm.exe
  C:\Windows\System32\GHIVdnm.exe
  2⤵
  PID:6220
- C:\Windows\System32\HJRROxj.exe
  C:\Windows\System32\HJRROxj.exe
  2⤵
  PID:6236
- C:\Windows\System32\eOKmLLs.exe
  C:\Windows\System32\eOKmLLs.exe
  2⤵
  PID:6252
- C:\Windows\System32\wYKuFDn.exe
  C:\Windows\System32\wYKuFDn.exe
  2⤵
  PID:6268
- C:\Windows\System32\mkgDrwX.exe
  C:\Windows\System32\mkgDrwX.exe
  2⤵
  PID:6284
- C:\Windows\System32\EAFRgyg.exe
  C:\Windows\System32\EAFRgyg.exe
  2⤵
  PID:6300
- C:\Windows\System32\TgnhdMH.exe
  C:\Windows\System32\TgnhdMH.exe
  2⤵
  PID:6316
- C:\Windows\System32\HrrmLQJ.exe
  C:\Windows\System32\HrrmLQJ.exe
  2⤵
  PID:6332
- C:\Windows\System32\RpcOtkV.exe
  C:\Windows\System32\RpcOtkV.exe
  2⤵
  PID:6348
- C:\Windows\System32\ntxhfiU.exe
  C:\Windows\System32\ntxhfiU.exe
  2⤵
  PID:6364
- C:\Windows\System32\VbObvdV.exe
  C:\Windows\System32\VbObvdV.exe
  2⤵
  PID:6380
- C:\Windows\System32\lletrtI.exe
  C:\Windows\System32\lletrtI.exe
  2⤵
  PID:6396
- C:\Windows\System32\hCfMmun.exe
  C:\Windows\System32\hCfMmun.exe
  2⤵
  PID:6412
- C:\Windows\System32\DcdrpvK.exe
  C:\Windows\System32\DcdrpvK.exe
  2⤵
  PID:6428
- C:\Windows\System32\OadvIbA.exe
  C:\Windows\System32\OadvIbA.exe
  2⤵
  PID:6444
- C:\Windows\System32\VyrmDqE.exe
  C:\Windows\System32\VyrmDqE.exe
  2⤵
  PID:6460
- C:\Windows\System32\mkRhLkN.exe
  C:\Windows\System32\mkRhLkN.exe
  2⤵
  PID:6476
- C:\Windows\System32\ISPrsrk.exe
  C:\Windows\System32\ISPrsrk.exe
  2⤵
  PID:6492
- C:\Windows\System32\qYlRWEL.exe
  C:\Windows\System32\qYlRWEL.exe
  2⤵
  PID:6508
- C:\Windows\System32\xJTKeqo.exe
  C:\Windows\System32\xJTKeqo.exe
  2⤵
  PID:6524
- C:\Windows\System32\OCZlYHq.exe
  C:\Windows\System32\OCZlYHq.exe
  2⤵
  PID:6540
- C:\Windows\System32\jwUkKQH.exe
  C:\Windows\System32\jwUkKQH.exe
  2⤵
  PID:6556
- C:\Windows\System32\PhcaWKC.exe
  C:\Windows\System32\PhcaWKC.exe
  2⤵
  PID:6572
- C:\Windows\System32\GzdgIOB.exe
  C:\Windows\System32\GzdgIOB.exe
  2⤵
  PID:6588
- C:\Windows\System32\tDEuufL.exe
  C:\Windows\System32\tDEuufL.exe
  2⤵
  PID:6604
- C:\Windows\System32\ifkugPe.exe
  C:\Windows\System32\ifkugPe.exe
  2⤵
  PID:6620
- C:\Windows\System32\EtzFIVI.exe
  C:\Windows\System32\EtzFIVI.exe
  2⤵
  PID:6636
- C:\Windows\System32\mVUhVCg.exe
  C:\Windows\System32\mVUhVCg.exe
  2⤵
  PID:6652
- C:\Windows\System32\aZkHTfl.exe
  C:\Windows\System32\aZkHTfl.exe
  2⤵
  PID:6668
- C:\Windows\System32\kqZfulC.exe
  C:\Windows\System32\kqZfulC.exe
  2⤵
  PID:6684
- C:\Windows\System32\hnXtgjd.exe
  C:\Windows\System32\hnXtgjd.exe
  2⤵
  PID:6700
- C:\Windows\System32\ufRjGgF.exe
  C:\Windows\System32\ufRjGgF.exe
  2⤵
  PID:6716
- C:\Windows\System32\cRIjAtw.exe
  C:\Windows\System32\cRIjAtw.exe
  2⤵
  PID:6732
- C:\Windows\System32\VHXdCDN.exe
  C:\Windows\System32\VHXdCDN.exe
  2⤵
  PID:6748
- C:\Windows\System32\NDfkVUm.exe
  C:\Windows\System32\NDfkVUm.exe
  2⤵
  PID:6764
- C:\Windows\System32\iKpSNKo.exe
  C:\Windows\System32\iKpSNKo.exe
  2⤵
  PID:6780
- C:\Windows\System32\LESPuRd.exe
  C:\Windows\System32\LESPuRd.exe
  2⤵
  PID:6796
- C:\Windows\System32\CxSVwqE.exe
  C:\Windows\System32\CxSVwqE.exe
  2⤵
  PID:6812
- C:\Windows\System32\eenroKt.exe
  C:\Windows\System32\eenroKt.exe
  2⤵
  PID:6828
- C:\Windows\System32\sZKDKYT.exe
  C:\Windows\System32\sZKDKYT.exe
  2⤵
  PID:6844
- C:\Windows\System32\mGTTrYn.exe
  C:\Windows\System32\mGTTrYn.exe
  2⤵
  PID:6860
- C:\Windows\System32\kfKkjUx.exe
  C:\Windows\System32\kfKkjUx.exe
  2⤵
  PID:6876
- C:\Windows\System32\mCqQtLy.exe
  C:\Windows\System32\mCqQtLy.exe
  2⤵
  PID:6892
- C:\Windows\System32\XfCpAzC.exe
  C:\Windows\System32\XfCpAzC.exe
  2⤵
  PID:6908
- C:\Windows\System32\pUOsMGZ.exe
  C:\Windows\System32\pUOsMGZ.exe
  2⤵
  PID:6924
- C:\Windows\System32\AQbrizB.exe
  C:\Windows\System32\AQbrizB.exe
  2⤵
  PID:6940
- C:\Windows\System32\NNCNrAc.exe
  C:\Windows\System32\NNCNrAc.exe
  2⤵
  PID:6956
- C:\Windows\System32\inOSjhE.exe
  C:\Windows\System32\inOSjhE.exe
  2⤵
  PID:6972
- C:\Windows\System32\mXNdWxd.exe
  C:\Windows\System32\mXNdWxd.exe
  2⤵
  PID:6988
- C:\Windows\System32\JzzCYzF.exe
  C:\Windows\System32\JzzCYzF.exe
  2⤵
  PID:7004
- C:\Windows\System32\DKiFtaU.exe
  C:\Windows\System32\DKiFtaU.exe
  2⤵
  PID:7020
- C:\Windows\System32\WTjpDKa.exe
  C:\Windows\System32\WTjpDKa.exe
  2⤵
  PID:7036
- C:\Windows\System32\JSofrqG.exe
  C:\Windows\System32\JSofrqG.exe
  2⤵
  PID:7052
- C:\Windows\System32\rcEdjoi.exe
  C:\Windows\System32\rcEdjoi.exe
  2⤵
  PID:7068
- C:\Windows\System32\ekQhIaw.exe
  C:\Windows\System32\ekQhIaw.exe
  2⤵
  PID:7084
- C:\Windows\System32\sgtBqlU.exe
  C:\Windows\System32\sgtBqlU.exe
  2⤵
  PID:7100
- C:\Windows\System32\TZCgHaw.exe
  C:\Windows\System32\TZCgHaw.exe
  2⤵
  PID:7116
- C:\Windows\System32\TYoAkJv.exe
  C:\Windows\System32\TYoAkJv.exe
  2⤵
  PID:7132
- C:\Windows\System32\ZbDsYIG.exe
  C:\Windows\System32\ZbDsYIG.exe
  2⤵
  PID:7148
- C:\Windows\System32\OBqXYbE.exe
  C:\Windows\System32\OBqXYbE.exe
  2⤵
  PID:7164
- C:\Windows\System32\jGxBBgh.exe
  C:\Windows\System32\jGxBBgh.exe
  2⤵
  PID:5960
- C:\Windows\System32\IWSiFTt.exe
  C:\Windows\System32\IWSiFTt.exe
  2⤵
  PID:3040
- C:\Windows\System32\xFoeeIP.exe
  C:\Windows\System32\xFoeeIP.exe
  2⤵
  PID:6168
- C:\Windows\System32\hPkfviZ.exe
  C:\Windows\System32\hPkfviZ.exe
  2⤵
  PID:6200
- C:\Windows\System32\cNuJWtS.exe
  C:\Windows\System32\cNuJWtS.exe
  2⤵
  PID:6232
- C:\Windows\System32\gLfeSzL.exe
  C:\Windows\System32\gLfeSzL.exe
  2⤵
  PID:6264
- C:\Windows\System32\wRPKrWZ.exe
  C:\Windows\System32\wRPKrWZ.exe
  2⤵
  PID:6296
- C:\Windows\System32\UwAyInx.exe
  C:\Windows\System32\UwAyInx.exe
  2⤵
  PID:6328
- C:\Windows\System32\wScCiXA.exe
  C:\Windows\System32\wScCiXA.exe
  2⤵
  PID:6360
- C:\Windows\System32\gDlSKlz.exe
  C:\Windows\System32\gDlSKlz.exe
  2⤵
  PID:6392
- C:\Windows\System32\BKSAssZ.exe
  C:\Windows\System32\BKSAssZ.exe
  2⤵
  PID:6424
- C:\Windows\System32\DhsygAJ.exe
  C:\Windows\System32\DhsygAJ.exe
  2⤵
  PID:6456
- C:\Windows\System32\KfmjbSR.exe
  C:\Windows\System32\KfmjbSR.exe
  2⤵
  PID:6488
- C:\Windows\System32\ZagkMBB.exe
  C:\Windows\System32\ZagkMBB.exe
  2⤵
  PID:6520
- C:\Windows\System32\LTmcyOQ.exe
  C:\Windows\System32\LTmcyOQ.exe
  2⤵
  PID:6552
- C:\Windows\System32\IuPjavV.exe
  C:\Windows\System32\IuPjavV.exe
  2⤵
  PID:6584
- C:\Windows\System32\gJnMEcY.exe
  C:\Windows\System32\gJnMEcY.exe
  2⤵
  PID:6616
- C:\Windows\System32\FMbfQle.exe
  C:\Windows\System32\FMbfQle.exe
  2⤵
  PID:6644
- C:\Windows\System32\xlxoiNo.exe
  C:\Windows\System32\xlxoiNo.exe
  2⤵
  PID:6676
- C:\Windows\System32\lCldOJh.exe
  C:\Windows\System32\lCldOJh.exe
  2⤵
  PID:6708
- C:\Windows\System32\CHDyStp.exe
  C:\Windows\System32\CHDyStp.exe
  2⤵
  PID:6740
- C:\Windows\System32\hwXZrRO.exe
  C:\Windows\System32\hwXZrRO.exe
  2⤵
  PID:6772
- C:\Windows\System32\eNiAGgF.exe
  C:\Windows\System32\eNiAGgF.exe
  2⤵
  PID:6804
- C:\Windows\System32\JDRLBuX.exe
  C:\Windows\System32\JDRLBuX.exe
  2⤵
  PID:6836
- C:\Windows\System32\EbbfgwB.exe
  C:\Windows\System32\EbbfgwB.exe
  2⤵
  PID:6868
- C:\Windows\System32\SSpNEhD.exe
  C:\Windows\System32\SSpNEhD.exe
  2⤵
  PID:6900
- C:\Windows\System32\MAkZRJC.exe
  C:\Windows\System32\MAkZRJC.exe
  2⤵
  PID:6932
- C:\Windows\System32\qIevpaO.exe
  C:\Windows\System32\qIevpaO.exe
  2⤵
  PID:6964
- C:\Windows\System32\ZZDYYhI.exe
  C:\Windows\System32\ZZDYYhI.exe
  2⤵
  PID:6996
- C:\Windows\System32\tcndZRz.exe
  C:\Windows\System32\tcndZRz.exe
  2⤵
  PID:7028
- C:\Windows\System32\bSqoRug.exe
  C:\Windows\System32\bSqoRug.exe
  2⤵
  PID:7060
- C:\Windows\System32\xLDldds.exe
  C:\Windows\System32\xLDldds.exe
  2⤵
  PID:7092
- C:\Windows\System32\ONesOIg.exe
  C:\Windows\System32\ONesOIg.exe
  2⤵
  PID:7124
- C:\Windows\System32\asHmegz.exe
  C:\Windows\System32\asHmegz.exe
  2⤵
  PID:7156
- C:\Windows\System32\iWIbqTN.exe
  C:\Windows\System32\iWIbqTN.exe
  2⤵
  PID:2956
- C:\Windows\System32\OLtBqQN.exe
  C:\Windows\System32\OLtBqQN.exe
  2⤵
  PID:6184
- C:\Windows\System32\tBkeJSb.exe
  C:\Windows\System32\tBkeJSb.exe
  2⤵
  PID:6248
- C:\Windows\System32\skVmzGX.exe
  C:\Windows\System32\skVmzGX.exe
  2⤵
  PID:6312
- C:\Windows\System32\rBzUKXO.exe
  C:\Windows\System32\rBzUKXO.exe
  2⤵
  PID:6376
- C:\Windows\System32\sXSGiDf.exe
  C:\Windows\System32\sXSGiDf.exe
  2⤵
  PID:6440
- C:\Windows\System32\UTTfpOg.exe
  C:\Windows\System32\UTTfpOg.exe
  2⤵
  PID:6504
- C:\Windows\System32\rlastTQ.exe
  C:\Windows\System32\rlastTQ.exe
  2⤵
  PID:6568
- C:\Windows\System32\thGmpjQ.exe
  C:\Windows\System32\thGmpjQ.exe
  2⤵
  PID:6628
- C:\Windows\System32\JuFndwL.exe
  C:\Windows\System32\JuFndwL.exe
  2⤵
  PID:6692
- C:\Windows\System32\EjFYnfv.exe
  C:\Windows\System32\EjFYnfv.exe
  2⤵
  PID:6756
- C:\Windows\System32\BaXhFap.exe
  C:\Windows\System32\BaXhFap.exe
  2⤵
  PID:6820
- C:\Windows\System32\CmGKuNX.exe
  C:\Windows\System32\CmGKuNX.exe
  2⤵
  PID:6884
- C:\Windows\System32\dSUigju.exe
  C:\Windows\System32\dSUigju.exe
  2⤵
  PID:6948
- C:\Windows\System32\wSFUsAV.exe
  C:\Windows\System32\wSFUsAV.exe
  2⤵
  PID:7012
- C:\Windows\System32\LPMmvpp.exe
  C:\Windows\System32\LPMmvpp.exe
  2⤵
  PID:7076
- C:\Windows\System32\TKZtRFj.exe
  C:\Windows\System32\TKZtRFj.exe
  2⤵
  PID:7112
- C:\Windows\System32\gQVmamQ.exe
  C:\Windows\System32\gQVmamQ.exe
  2⤵
  PID:5836
- C:\Windows\System32\irtMiUQ.exe
  C:\Windows\System32\irtMiUQ.exe
  2⤵
  PID:6228
- C:\Windows\System32\bdeEqJs.exe
  C:\Windows\System32\bdeEqJs.exe
  2⤵
  PID:6344
- C:\Windows\System32\EyyACKe.exe
  C:\Windows\System32\EyyACKe.exe
  2⤵
  PID:6484
- C:\Windows\System32\fthLlvb.exe
  C:\Windows\System32\fthLlvb.exe
  2⤵
  PID:6612
- C:\Windows\System32\NxffiRj.exe
  C:\Windows\System32\NxffiRj.exe
  2⤵
  PID:6664
- C:\Windows\System32\xiesNjp.exe
  C:\Windows\System32\xiesNjp.exe
  2⤵
  PID:4024
- C:\Windows\System32\NgsKZvg.exe
  C:\Windows\System32\NgsKZvg.exe
  2⤵
  PID:6852
- C:\Windows\System32\ArkYtOB.exe
  C:\Windows\System32\ArkYtOB.exe
  2⤵
  PID:10088
- C:\Windows\System32\QbRjLIW.exe
  C:\Windows\System32\QbRjLIW.exe
  2⤵
  PID:11528
- C:\Windows\System32\ujlKhmz.exe
  C:\Windows\System32\ujlKhmz.exe
  2⤵
  PID:12272
- C:\Windows\System32\zlLogCo.exe
  C:\Windows\System32\zlLogCo.exe
  2⤵
  PID:10000
- C:\Windows\System32\VpGyJkT.exe
  C:\Windows\System32\VpGyJkT.exe
  2⤵
  PID:10104
- C:\Windows\System32\jROhWcY.exe
  C:\Windows\System32\jROhWcY.exe
  2⤵
  PID:10300
- C:\Windows\System32\qYDwBGe.exe
  C:\Windows\System32\qYDwBGe.exe
  2⤵
  PID:10624
- C:\Windows\System32\quvmzkS.exe
  C:\Windows\System32\quvmzkS.exe
  2⤵
  PID:7224
- C:\Windows\System32\QHkPuhT.exe
  C:\Windows\System32\QHkPuhT.exe
  2⤵
  PID:10856
- C:\Windows\System32\gUMevdg.exe
  C:\Windows\System32\gUMevdg.exe
  2⤵
  PID:10968
- C:\Windows\System32\AolZSPh.exe
  C:\Windows\System32\AolZSPh.exe
  2⤵
  PID:7292
- C:\Windows\System32\KeNqKxm.exe
  C:\Windows\System32\KeNqKxm.exe
  2⤵
  PID:7340
- C:\Windows\System32\itpjPJx.exe
  C:\Windows\System32\itpjPJx.exe
  2⤵
  PID:7420
- C:\Windows\System32\zWuXPyF.exe
  C:\Windows\System32\zWuXPyF.exe
  2⤵
  PID:7468
- C:\Windows\System32\kzavuMZ.exe
  C:\Windows\System32\kzavuMZ.exe
  2⤵
  PID:7676
- C:\Windows\System32\ehITDmB.exe
  C:\Windows\System32\ehITDmB.exe
  2⤵
  PID:7788
- C:\Windows\System32\dhZVFHY.exe
  C:\Windows\System32\dhZVFHY.exe
  2⤵
  PID:7844
- C:\Windows\System32\JEUWSqO.exe
  C:\Windows\System32\JEUWSqO.exe
  2⤵
  PID:7940
- C:\Windows\System32\EsDADiA.exe
  C:\Windows\System32\EsDADiA.exe
  2⤵
  PID:8012
- C:\Windows\System32\JILkGKg.exe
  C:\Windows\System32\JILkGKg.exe
  2⤵
  PID:8060
- C:\Windows\System32\xHPiaXI.exe
  C:\Windows\System32\xHPiaXI.exe
  2⤵
  PID:8116
- C:\Windows\System32\YisLIaY.exe
  C:\Windows\System32\YisLIaY.exe
  2⤵
  PID:8224
- C:\Windows\System32\RmCaazz.exe
  C:\Windows\System32\RmCaazz.exe
  2⤵
  PID:8280
- C:\Windows\System32\eoSXRUO.exe
  C:\Windows\System32\eoSXRUO.exe
  2⤵
  PID:8344
- C:\Windows\System32\ukRuosb.exe
  C:\Windows\System32\ukRuosb.exe
  2⤵
  PID:8392
- C:\Windows\System32\RdBsfPf.exe
  C:\Windows\System32\RdBsfPf.exe
  2⤵
  PID:8480
- C:\Windows\System32\sGmQPEZ.exe
  C:\Windows\System32\sGmQPEZ.exe
  2⤵
  PID:8552
- C:\Windows\System32\AhFuhci.exe
  C:\Windows\System32\AhFuhci.exe
  2⤵
  PID:8600
- C:\Windows\System32\fEfudEg.exe
  C:\Windows\System32\fEfudEg.exe
  2⤵
  PID:8620
- C:\Windows\System32\zzaEaZE.exe
  C:\Windows\System32\zzaEaZE.exe
  2⤵
  PID:11252
- C:\Windows\System32\GKchqpD.exe
  C:\Windows\System32\GKchqpD.exe
  2⤵
  PID:10156
- C:\Windows\System32\wHcewDP.exe
  C:\Windows\System32\wHcewDP.exe
  2⤵
  PID:10212
- C:\Windows\System32\bWQFxjO.exe
  C:\Windows\System32\bWQFxjO.exe
  2⤵
  PID:10348
- C:\Windows\System32\sveYTwr.exe
  C:\Windows\System32\sveYTwr.exe
  2⤵
  PID:10468
- C:\Windows\System32\UReefFW.exe
  C:\Windows\System32\UReefFW.exe
  2⤵
  PID:10524
- C:\Windows\System32\PRKWJGr.exe
  C:\Windows\System32\PRKWJGr.exe
  2⤵
  PID:10564
- C:\Windows\System32\retjbdV.exe
  C:\Windows\System32\retjbdV.exe
  2⤵
  PID:8760
- C:\Windows\System32\bfiMEhU.exe
  C:\Windows\System32\bfiMEhU.exe
  2⤵
  PID:10896
- C:\Windows\System32\EFzvnLp.exe
  C:\Windows\System32\EFzvnLp.exe
  2⤵
  PID:10944
- C:\Windows\System32\SFUVTWb.exe
  C:\Windows\System32\SFUVTWb.exe
  2⤵
  PID:9308
- C:\Windows\System32\PhquYRo.exe
  C:\Windows\System32\PhquYRo.exe
  2⤵
  PID:9400
- C:\Windows\System32\dGEifhY.exe
  C:\Windows\System32\dGEifhY.exe
  2⤵
  PID:9488
- C:\Windows\System32\BivZOMF.exe
  C:\Windows\System32\BivZOMF.exe
  2⤵
  PID:9536
- C:\Windows\System32\RxpXman.exe
  C:\Windows\System32\RxpXman.exe
  2⤵
  PID:9600
- C:\Windows\System32\ADTAcGL.exe
  C:\Windows\System32\ADTAcGL.exe
  2⤵
  PID:11292
- C:\Windows\System32\hruKJLr.exe
  C:\Windows\System32\hruKJLr.exe
  2⤵
  PID:9720
- C:\Windows\System32\yOQSFkI.exe
  C:\Windows\System32\yOQSFkI.exe
  2⤵
  PID:9816
- C:\Windows\System32\jnMKuSg.exe
  C:\Windows\System32\jnMKuSg.exe
  2⤵
  PID:9888
- C:\Windows\System32\LmJSvru.exe
  C:\Windows\System32\LmJSvru.exe
  2⤵
  PID:9960
- C:\Windows\System32\BsfDAAK.exe
  C:\Windows\System32\BsfDAAK.exe
  2⤵
  PID:10056
- C:\Windows\System32\sSQUcSv.exe
  C:\Windows\System32\sSQUcSv.exe
  2⤵
  PID:10100
- C:\Windows\System32\jpIEmgc.exe
  C:\Windows\System32\jpIEmgc.exe
  2⤵
  PID:10708
- C:\Windows\System32\FkWIxiM.exe
  C:\Windows\System32\FkWIxiM.exe
  2⤵
  PID:10740
- C:\Windows\System32\EGxWpGZ.exe
  C:\Windows\System32\EGxWpGZ.exe
  2⤵
  PID:10772
- C:\Windows\System32\vtqVyzG.exe
  C:\Windows\System32\vtqVyzG.exe
  2⤵
  PID:10880
- C:\Windows\System32\QDnGAMT.exe
  C:\Windows\System32\QDnGAMT.exe
  2⤵
  PID:11188
- C:\Windows\System32\HjlNbfb.exe
  C:\Windows\System32\HjlNbfb.exe
  2⤵
  PID:12236
- C:\Windows\System32\skRAjiI.exe
  C:\Windows\System32\skRAjiI.exe
  2⤵
  PID:12184
- C:\Windows\System32\schIgKE.exe
  C:\Windows\System32\schIgKE.exe
  2⤵
  PID:12252
- C:\Windows\System32\etMGWqT.exe
  C:\Windows\System32\etMGWqT.exe
  2⤵
  PID:10276
- C:\Windows\System32\vqvCXhY.exe
  C:\Windows\System32\vqvCXhY.exe
  2⤵
  PID:10904
- C:\Windows\System32\ahzuoIk.exe
  C:\Windows\System32\ahzuoIk.exe
  2⤵
  PID:7380
- C:\Windows\System32\LXuWKBy.exe
  C:\Windows\System32\LXuWKBy.exe
  2⤵
  PID:7648
- C:\Windows\System32\GjEvDZG.exe
  C:\Windows\System32\GjEvDZG.exe
  2⤵
  PID:7772
- C:\Windows\System32\hxxaqLp.exe
  C:\Windows\System32\hxxaqLp.exe
  2⤵
  PID:7972
- C:\Windows\System32\pakzQtu.exe
  C:\Windows\System32\pakzQtu.exe
  2⤵
  PID:8108
- C:\Windows\System32\ryNpbtx.exe
  C:\Windows\System32\ryNpbtx.exe
  2⤵
  PID:8256
- C:\Windows\System32\NFQkzBh.exe
  C:\Windows\System32\NFQkzBh.exe
  2⤵
  PID:8312
- C:\Windows\System32\COuDbTv.exe
  C:\Windows\System32\COuDbTv.exe
  2⤵
  PID:8568
- C:\Windows\System32\AidcixX.exe
  C:\Windows\System32\AidcixX.exe
  2⤵
  PID:11212
- C:\Windows\System32\VAFVUdD.exe
  C:\Windows\System32\VAFVUdD.exe
  2⤵
  PID:10228
- C:\Windows\System32\hgdfhhz.exe
  C:\Windows\System32\hgdfhhz.exe
  2⤵
  PID:10492
- C:\Windows\System32\vyeewwA.exe
  C:\Windows\System32\vyeewwA.exe
  2⤵
  PID:10824
- C:\Windows\System32\PXeZtrr.exe
  C:\Windows\System32\PXeZtrr.exe
  2⤵
  PID:11056
- C:\Windows\System32\WWjobpA.exe
  C:\Windows\System32\WWjobpA.exe
  2⤵
  PID:9456
- C:\Windows\System32\NtaITBK.exe
  C:\Windows\System32\NtaITBK.exe
  2⤵
  PID:9560
- C:\Windows\System32\YdqVDea.exe
  C:\Windows\System32\YdqVDea.exe
  2⤵
  PID:9632
- C:\Windows\System32\CIuzDdd.exe
  C:\Windows\System32\CIuzDdd.exe
  2⤵
  PID:9852
- C:\Windows\System32\JGdXBrL.exe
  C:\Windows\System32\JGdXBrL.exe
  2⤵
  PID:9984
- C:\Windows\System32\FnjMvGe.exe
  C:\Windows\System32\FnjMvGe.exe
  2⤵
  PID:10656
- C:\Windows\System32\bsVAwbb.exe
  C:\Windows\System32\bsVAwbb.exe
  2⤵
  PID:10716
- C:\Windows\System32\PlhhthZ.exe
  C:\Windows\System32\PlhhthZ.exe
  2⤵
  PID:12092
- C:\Windows\System32\zNyFWyc.exe
  C:\Windows\System32\zNyFWyc.exe
  2⤵
  PID:10120
- C:\Windows\System32\LwKXqPi.exe
  C:\Windows\System32\LwKXqPi.exe
  2⤵
  PID:7492
- C:\Windows\System32\BHvnnJZ.exe
  C:\Windows\System32\BHvnnJZ.exe
  2⤵
  PID:7988
- C:\Windows\System32\IeMtfHs.exe
  C:\Windows\System32\IeMtfHs.exe
  2⤵
  PID:8464
- C:\Windows\System32\tvPELNr.exe
  C:\Windows\System32\tvPELNr.exe
  2⤵
  PID:10364
- C:\Windows\System32\aziOgXh.exe
  C:\Windows\System32\aziOgXh.exe
  2⤵
  PID:6472
- C:\Windows\System32\vhGvNLc.exe
  C:\Windows\System32\vhGvNLc.exe
  2⤵
  PID:4372
- C:\Windows\System32\bIOyQQf.exe
  C:\Windows\System32\bIOyQQf.exe
  2⤵
  PID:1972
- C:\Windows\System32\GNAVQqG.exe
  C:\Windows\System32\GNAVQqG.exe
  2⤵
  PID:9992
- C:\Windows\System32\KKKUusj.exe
  C:\Windows\System32\KKKUusj.exe
  2⤵
  PID:8744
- C:\Windows\System32\EeNNBQr.exe
  C:\Windows\System32\EeNNBQr.exe
  2⤵
  PID:10476
- C:\Windows\System32\eIrojCC.exe
  C:\Windows\System32\eIrojCC.exe
  2⤵
  PID:8180
- C:\Windows\System32\zoMFKyX.exe
  C:\Windows\System32\zoMFKyX.exe
  2⤵
  PID:8728
- C:\Windows\System32\LvfcweN.exe
  C:\Windows\System32\LvfcweN.exe
  2⤵
  PID:10688
- C:\Windows\System32\IPougAy.exe
  C:\Windows\System32\IPougAy.exe
  2⤵
  PID:12172
- C:\Windows\System32\yKQIiyk.exe
  C:\Windows\System32\yKQIiyk.exe
  2⤵
  PID:8188
- C:\Windows\System32\VXoPFzD.exe
  C:\Windows\System32\VXoPFzD.exe
  2⤵
  PID:10928
- C:\Windows\System32\caYPrPV.exe
  C:\Windows\System32\caYPrPV.exe
  2⤵
  PID:12296
- C:\Windows\System32\PtvqBjs.exe
  C:\Windows\System32\PtvqBjs.exe
  2⤵
  PID:12324
- C:\Windows\System32\sjLidVn.exe
  C:\Windows\System32\sjLidVn.exe
  2⤵
  PID:12348
- C:\Windows\System32\swUQwWy.exe
  C:\Windows\System32\swUQwWy.exe
  2⤵
  PID:12368
- C:\Windows\System32\lBYNNfv.exe
  C:\Windows\System32\lBYNNfv.exe
  2⤵
  PID:12408
- C:\Windows\System32\wBVXRLz.exe
  C:\Windows\System32\wBVXRLz.exe
  2⤵
  PID:12424
- C:\Windows\System32\XyTnhzx.exe
  C:\Windows\System32\XyTnhzx.exe
  2⤵
  PID:12448
- C:\Windows\System32\QnRNVvR.exe
  C:\Windows\System32\QnRNVvR.exe
  2⤵
  PID:12468
- C:\Windows\System32\gPAZVpX.exe
  C:\Windows\System32\gPAZVpX.exe
  2⤵
  PID:12508
- C:\Windows\System32\qQMOywd.exe
  C:\Windows\System32\qQMOywd.exe
  2⤵
  PID:12548
- C:\Windows\System32\SimcFkd.exe
  C:\Windows\System32\SimcFkd.exe
  2⤵
  PID:12576
- C:\Windows\System32\BuYIEdU.exe
  C:\Windows\System32\BuYIEdU.exe
  2⤵
  PID:12600
- C:\Windows\System32\LBfDlLO.exe
  C:\Windows\System32\LBfDlLO.exe
  2⤵
  PID:12620
- C:\Windows\System32\VnfkXbJ.exe
  C:\Windows\System32\VnfkXbJ.exe
  2⤵
  PID:12636
- C:\Windows\System32\QyorVzx.exe
  C:\Windows\System32\QyorVzx.exe
  2⤵
  PID:12672
- C:\Windows\System32\JFIEYVW.exe
  C:\Windows\System32\JFIEYVW.exe
  2⤵
  PID:12704
- C:\Windows\System32\fhkZFPJ.exe
  C:\Windows\System32\fhkZFPJ.exe
  2⤵
  PID:12732
- C:\Windows\System32\EPEbCPz.exe
  C:\Windows\System32\EPEbCPz.exe
  2⤵
  PID:12768
- C:\Windows\System32\MVjUqDl.exe
  C:\Windows\System32\MVjUqDl.exe
  2⤵
  PID:12800
- C:\Windows\System32\fYyeIhJ.exe
  C:\Windows\System32\fYyeIhJ.exe
  2⤵
  PID:12824
- C:\Windows\System32\oYNEoFB.exe
  C:\Windows\System32\oYNEoFB.exe
  2⤵
  PID:12844
- C:\Windows\System32\HtXoqVi.exe
  C:\Windows\System32\HtXoqVi.exe
  2⤵
  PID:12880
- C:\Windows\System32\dRMuMCr.exe
  C:\Windows\System32\dRMuMCr.exe
  2⤵
  PID:12900
- C:\Windows\System32\PKLVrhl.exe
  C:\Windows\System32\PKLVrhl.exe
  2⤵
  PID:12920
- C:\Windows\System32\UdbzcCk.exe
  C:\Windows\System32\UdbzcCk.exe
  2⤵
  PID:12948
- C:\Windows\System32\ZExeJSk.exe
  C:\Windows\System32\ZExeJSk.exe
  2⤵
  PID:12968
- C:\Windows\System32\dlzRLEk.exe
  C:\Windows\System32\dlzRLEk.exe
  2⤵
  PID:13120
- C:\Windows\System32\zfwskqt.exe
  C:\Windows\System32\zfwskqt.exe
  2⤵
  PID:13156
- C:\Windows\System32\oeTSjAJ.exe
  C:\Windows\System32\oeTSjAJ.exe
  2⤵
  PID:13172
- C:\Windows\System32\AqykYoh.exe
  C:\Windows\System32\AqykYoh.exe
  2⤵
  PID:13196
- C:\Windows\System32\dgrTqEJ.exe
  C:\Windows\System32\dgrTqEJ.exe
  2⤵
  PID:13248
- C:\Windows\System32\uuCiLOA.exe
  C:\Windows\System32\uuCiLOA.exe
  2⤵
  PID:13272
- C:\Windows\System32\eaVZLQF.exe
  C:\Windows\System32\eaVZLQF.exe
  2⤵
  PID:13296

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AoFuZPG.exe

Filesize
1.7MB

MD5
24cec47faa967de7f383977328162292

SHA1
b24ab208811502410516fc8525db64aa6eb4f327

SHA256
de4faafa66ecc2386443abdb45667543db0d8f9e8adbd7643bf00aebdcf65367

SHA512
6c71c32994239db6ece2302b64fef66175094c3bee21a17637094c40466049092f972cd64ca783ab72ff114b36899b3541d7470c73a7595fe45f493b81d6020e

Download Submit
C:\Windows\System32\AqZfQqZ.exe

Filesize
1.7MB

MD5
61170bc400ef1607403613ce59a5520d

SHA1
89029726f9933f1f902be1dc7eba46975b9bde36

SHA256
291b966d0bef3e215b47b1f278ad7e8d4526d8431bb0765e8074f1fd5787a595

SHA512
dad7cf0525e5049f53b2412daf1cfbe9cdd5488aa808ba330f6314e834181090fd69628e2d7af162b3f5e76c58e0acdf906c4e1532f3b51b5755875a815d1c5b

Download Submit
C:\Windows\System32\CbvYjcK.exe

Filesize
1.7MB

MD5
19340044161a2d594160cb7b3765354a

SHA1
dcb293473032158a3ca20c9e0be4d1ef767e0760

SHA256
4786632cecb40903a1671bd2b38d00132f81c35bc4e95d2fc0b5c290c0b43cc1

SHA512
2a16d624750039b317ee2742871a98ab26845b6863bd4eb481174db0c1c52eaad11d08bd79a5e02bc95e5004b2ad1e6579cbf1c37335c7ad91b4ed8d0c31a23c

Download Submit
C:\Windows\System32\EEnTNno.exe

Filesize
1.7MB

MD5
d4d0c394b19ba549c7048e38bab191f7

SHA1
e5d011722b9d4a9f70be9554065fc29faffbb2f5

SHA256
b2647810292293df85d3f0fc0a5884922b89fda7976db394e492fda9d9840c01

SHA512
6d5f7c9245908337d289f16f99d4671bff8198a4879198ad76900461ac5d63ce3890fc39d91fb758027b7b0ac7ac8064831bbb24f103fdda8b0fe42b884b9f07

Download Submit
C:\Windows\System32\FDvlTeF.exe

Filesize
1.7MB

MD5
52b014d9deb65a1ba58093872828241a

SHA1
602a8491af1228858234801cf84bd04ea3f83324

SHA256
197b5e17d6c9a92d52b5189ca94bc516c29587049c8ad077fb37ca5cf9359d00

SHA512
07fab988ac45bd6b97d4ded84b67754ad3fcc2f735ece4bfba2b767a6d90d1eae6116514317233926e08a3493ca6c5a8b97336fdbc4c1117510ef88fedfbe6bf

Download Submit
C:\Windows\System32\FyNzaDw.exe

Filesize
1.7MB

MD5
5210c23d992bc0441b3643896d2a0259

SHA1
a7667ed3741d1cd0916df0749a3df6db261bb009

SHA256
aa42d87fec95349166ec7ae12e1d3936aa5535ac0e600e46411c503c602fae0b

SHA512
59eb1cd19c3c55e5b59d5546b309f725a97c1fe72602d9a7ef71de39bc32fc99036d6261018469d1c7dad85872a8676c5c52fd89796189226c56fb8b76a046b8

Download Submit
C:\Windows\System32\GvfAkOr.exe

Filesize
1.7MB

MD5
0d78eee61843826a4c8034723de5884b

SHA1
2b03bef9faeb7f5cb08360aa2a6b8d54c54b5753

SHA256
5049f1b0448fa3f0ef5ba57658bcb4288fb2a1ca299aadea2cc72bd19ef00e1e

SHA512
245cb81d2efb1f2fb86daf70b4fadfd7f4758d6e3d6d645d633223aef1ece83cf3015c5265c2e977a9f48f66ca5767a84b97f0b9e671d4e33c6edeaea9e9463d

Download Submit
C:\Windows\System32\HGPftOk.exe

Filesize
1.7MB

MD5
ade7b1ea28f2273efbdd2796269a78f4

SHA1
2236441015dd05f8dc51407343c7421f529b60a7

SHA256
206cb04944c356c553a3420294a8aae2d92e68f0e60fd60a2d0b2e6308e5871b

SHA512
b7dbe711621f68b3498fc064130e027f92cb3c0386f105ba689618df4d66291d1ec4010683d57247937f98652df9d652d30f9b377b27d16e2996f4807d06d17d

Download Submit
C:\Windows\System32\HdSnBmP.exe

Filesize
1.7MB

MD5
0bfeaf7c696ee10d337e168b6f805c89

SHA1
c2c83830563882c69a11d97c1cf1e33718558364

SHA256
d9f6e2654eb83db313da1481cc23fe998ea2f8d6d46df08fa2d16102c858c860

SHA512
5a6eea4d172bf3c39e18201fd7e60dc772ac4bb7704984b055e28bc3aa7cb187458f98d6b12d95a2d0931fecc51300d374128df3402256191dd114f8aa2508de

Download Submit
C:\Windows\System32\IDhwDwB.exe

Filesize
1.7MB

MD5
02a9a8a526037228ddd1f6020470cc09

SHA1
3984c6091a09c5325e008f9490f92e073f09ef7e

SHA256
281a7e32f164e5b51b8163a695336bad83b35347187ecce829e0efd4e1cf144f

SHA512
1ac3ef7ea10202d85dda7ef3b6486d8d233e792afa488c703cd274bd3c6608030b0e2dacd061ac107f2c789a14323e7454348c2e01d73d4d149d107d2b3da2a7

Download Submit
C:\Windows\System32\KouCVYD.exe

Filesize
1.7MB

MD5
b21d569ca0798162c91f1eaae1c1cf72

SHA1
bca383ede93e7bd1e5b4186316e485f37f90859c

SHA256
afb86e6b41702cfa42100b9eebf9b653bf589df5ba0c809a17ba09b40aff17ec

SHA512
61c9d8b40ea6d3913696b9616372a5bbce0ade5ba6807cfd3e3d4da8a866b3f18c72b6a0cb49c53eac991ea6c8414c674deed4a7d1762fbc9f8dc263b7a30ff6

Download Submit
C:\Windows\System32\KvXjVja.exe

Filesize
1.7MB

MD5
230b3d608dd09ca7b962e37dca3cd341

SHA1
27defa04c4a5d7921faf3b86b1034a1a6b119100

SHA256
c3e1dfb261bc73e1dc65e5c34c30feee85a21730c2f4260c60c12bc0f9e5c04b

SHA512
3fde83dc974796d1204347bff591f38925dcc3c21b5e5dcafb49f125d32874a0e3dc2a1d306900eb81abd155823077214ea8873de71b1a6cb2810751001dc065

Download Submit
C:\Windows\System32\LCvyzPx.exe

Filesize
1.7MB

MD5
4cc7fef86038e5f9818a2e4d8c600429

SHA1
2688bc1e286aaad4548864efc12f00b5f1684789

SHA256
0b5c103ed19aebb77f4adef6cdc95befa725211a0e461637102ae2fda5d00130

SHA512
a5845d8569b90531feac8c604cd7cb9c37c424cdfb4436f5b7160c70e8859acde4eea605a23e2c6397a234e305206754b51e168414eb373187f4e1e1267d5b1d

Download Submit
C:\Windows\System32\LsXBElK.exe

Filesize
1.7MB

MD5
d810b1c61dd99dc190237c82162183c1

SHA1
e71efc8fd5553826f7c77549ef7d34a9e408650f

SHA256
8f9edd8b566ff3d8c3cd0244569922d4b89d658962b082ebe6c4fd1b94cada38

SHA512
145f1f042d99c3a06d620cd322684b788614d15351396a2b15a2f0dabcb727d907e169a4645c703f3c7c5899bb85e35e05049a57cfc1c4b15244ee4c49b7eb0b

Download Submit
C:\Windows\System32\MDzyGQw.exe

Filesize
1.7MB

MD5
ae96a7e506ac9e3cb110b60fbc77d5f0

SHA1
21ac5382daf233f8c90676a01ec9dd3531a2ab3e

SHA256
93a896ac4870461333229bbf612b06c66b5dea5859268dd00a2a44eccf3dd13c

SHA512
6e52f3a9a7b47226f14ed8cc027b8a64bf0ed745689aecca1d20f4bb0db1ba9eb2fdcd4d9284e5a12e588826279ba970b71a62e6dd0064cf2acfa555719e6b56

Download Submit
C:\Windows\System32\QAvPeQp.exe

Filesize
1.7MB

MD5
badd1a83fb5100cf8e91712980c836a0

SHA1
fe99b096d53c10c8cb35bc9b8e12b40c5b85116b

SHA256
04d3fce000bf35d8536331b980ca98ec57df5e59dacd8e4264c2489e3e89f00f

SHA512
5d0fcda92a417dd361c1582ed32025196008de1dd3be87ebe26faa0772b0d4aeb4eb771e4081a9b43329bd710096df6ad7d6548e45b9e1398801d93cd0abb433

Download Submit
C:\Windows\System32\SZJDuVE.exe

Filesize
1.7MB

MD5
8a4febf204ce2b5a844cc04855b973f4

SHA1
acb20d7b4da68963b445bd9796cadcc9954f1d45

SHA256
257488d042abdd831e1adfe81532613d793778479dd5aa12e69346d6df9586ee

SHA512
eb686fc56beed03a575eac28cdc1f296673f64a348c143ba3d0741285f5545d7ffce50054620d59641db87de5fbc82d3ab89e9192fae8cfc94773af31080401c

Download Submit
C:\Windows\System32\SmyIijI.exe

Filesize
1.7MB

MD5
3d521a0cef2a80506b3e4b7d83dc1476

SHA1
5dc44c9482ae3f31ab40d9847376b41ae79d4f84

SHA256
73dd5a8e8ad81087757696306bcc54e445c91cbf8a4e1d3cfa3022c39b0549f7

SHA512
bb4c953f2dea72bf86f77d2afd90059904952da3e16aa94a36c7afb680d0004ba02215016e23cb93bf91cc835965c7617fbd7f9b27e5a019b305d1d96efba8b8

Download Submit
C:\Windows\System32\VjiKVdv.exe

Filesize
1.7MB

MD5
915690c7d4e8dc1aab9b9141b4fedd3e

SHA1
adf83825bbc29d9bd9b28c67e7ae99e83140310f

SHA256
7ff61bc911d432fcff0a672369b844a4186059c9ff69beb93b35a978efcee6a5

SHA512
177166c5b13db9a0aaf57a6f159387ee12054bc4236bc64e29d7f5fc45d0dc233cdf086b902c4edaa77fcbf4010c92bd516335d17c344988e13dbe96277eb7f8

Download Submit
C:\Windows\System32\WwiPMQg.exe

Filesize
1.7MB

MD5
d3d428d783bffa7279b77eee7d8ae29c

SHA1
31e66cc9bd2a6bf5f84a3e5a2a3620749716ec7a

SHA256
62b0227d627a8332e5bb7cba5c2abd62f96d6f4f6273986ea7004c2b010e2f7a

SHA512
fe136235f428ea624b333cb600bae4ace7bee9ec43024c4bab948c842eee63331f548cd8f1193734aa5ffe145cef09a4515ca080f4c220c120770eee91b03622

Download Submit
C:\Windows\System32\XFxijXl.exe

Filesize
1.7MB

MD5
c8986f00cc552ad11452efad30218a46

SHA1
be6020e4e99a9f5576ff4e6642e6121813ebb169

SHA256
c3efd82f5723a9ce169b5a1ee6d1d19b7ed6e8cb83ee57a76612b28832dcd791

SHA512
cc2a94b977d798605f54e3c2b93ee94cecab9d3cac8c3ccdbb8dd75575ba24a09965eea7f869873d85985fd9010dc382079426d5d76ee50baeb0466cb8a1181a

Download Submit
C:\Windows\System32\XeuNWkW.exe

Filesize
1.7MB

MD5
fd1a87ad3e72f585acf4af352e516974

SHA1
511553a4792ad95f189194676174329d97c0b543

SHA256
fba1e3a414e27ce2495c2b621468924629e21a9f201bee9d51dce7533fbd0b77

SHA512
520a2d42ca5db129e66bf135491771cd9d12d56285616580058ca394b99da33bbce08ee3259cc3493b86a1a666f738be6fee4d2e34c5e94dcf219a59beead621

Download Submit
C:\Windows\System32\XsNChlj.exe

Filesize
1.7MB

MD5
9349aa3e0c369a9da475e24b4baee397

SHA1
922cca6d85a2894ee8cb4854b6c7ee9e9d6e23f8

SHA256
2f5ce6c5b8a73d17dda5f5b69ba8e6d1e520ac92f4e2ecf8ec28ce81667944f9

SHA512
dc50763bc44da900c35abb7ea48d1b7030f5604aae994eb00326cc9f03b5cc7888040d70b1414077045132619b605490db8385854ce4f5b8f64746db6d651db5

Download Submit
C:\Windows\System32\ZkQiuZa.exe

Filesize
1.7MB

MD5
0b6177d50ed1eb2180a19c9bbd9d4597

SHA1
f0b43c029d1f6a693d725c1ef6dac987bb271445

SHA256
ae46cc1cf8f7dba46c92625fc57dbdedaae1f9af08ee7112a191e1754d8ba0f3

SHA512
1b6578c0bc685ae7495dea34e9b18a7baaa749f950bc520a6fd045cf2982d51add86ff9eaf5d3bc6fd7c370ca1f0b55e9a5fd00979a3df7457565ca91b4d68dd

Download Submit
C:\Windows\System32\afmzmRJ.exe

Filesize
1.7MB

MD5
62886e18b36bcb97d81c6924154c93f7

SHA1
8e13bba5b7ac1b595a95158fa1f6109dd9ea1ed8

SHA256
8e96100223b5901e73bef73e18d3eca0774dbe26fa5fa6490bfeafc5bec408ab

SHA512
c16e2facf0841845ba96d085b7edcfff0e860f5103c9e8baebf20ac612c9291cf19e3639b4237937377ef1fdabd127d2ed75914dcf31e27e2f760a0998c408a4

Download Submit
C:\Windows\System32\fRDOwtl.exe

Filesize
1.7MB

MD5
b607c8c856b29006ed2b81a38cbc830d

SHA1
b09759ec70752c2f61ea2e6297c7216029a39bdc

SHA256
75215d70e85e209e8e6ebf90f0d0186a701efef1a79a29a1822ed2fc3e65ed5d

SHA512
8d2253f2508b9a7a20207b04bd631be7135b1baa842ec56bea75822be487c80e06eb3c52674e9d46905a9f0d0fa908aa19768472d01584dd89dcbde568fc97af

Download Submit
C:\Windows\System32\fqNxzwu.exe

Filesize
1.7MB

MD5
6e856becb1955f40a75c385122caac38

SHA1
3bf2973a48156ec6e718b6bb9e6cca2ab839815a

SHA256
d984795cb82adc432b8c7127d01194a0edf05c03e73b3cabcedb0148320bc683

SHA512
9148450effa6af7418e513770d29e13819a177b53047cbc0c618b5434ccd22f9b88e3830dced8d6eff4404fcb70b97b0d41fd9f0645edbab47df9bff99d9baeb

Download Submit
C:\Windows\System32\gfjTtVw.exe

Filesize
1.7MB

MD5
26554de5733c99af35a3795cdd74e452

SHA1
03759d213f34c181507b97e6f7a359fdb653abf1

SHA256
fb59bcc6501292c219dba10e8fed5ca93d13c4b07c969f7a69f550b1ecae24bc

SHA512
530b00f527f6b877725b41428efe9983485b1ff239622ef5e75893411f43356b676092389f421132cd4f7832e2fa2f2d4dddf0e3c0d02a6d91505951b01370bf

Download Submit
C:\Windows\System32\iRpFRsT.exe

Filesize
1.7MB

MD5
5285e5070e0611d4e20a02c3e5722b15

SHA1
d3982369268a51eb5727cc3db41b46349627f4be

SHA256
c58dfba377955f506a88896deddc8388b5251e3566be1ba55180cf32a6c5cff7

SHA512
2f8864101d29c0a854533ffb57d2afb756d2f9c2579221c14bbce6debba5f425d3fb4c69cbc56ed68bbceb30865439d36588f90d74651a7398ec5aab0ff2c027

Download Submit
C:\Windows\System32\ixJRXig.exe

Filesize
1.7MB

MD5
d8223a2bde3a9e3ebfbb0b96fc51c65c

SHA1
d5418126fc525b429b29c318bcf496d1f89bd0d3

SHA256
3acceffc5b4261a64cda5b7d07f7bef3e96cbdb98391245273c8821f4b72a7d3

SHA512
0e5dbe445fb4912bcc31af5ebe4161706bfd35727ebe01ee4201da7d9419f818181fd9b071e5237ab255f90114d9a7d1f04f34d8ac32419d675e7a987a0d6dc1

Download Submit
C:\Windows\System32\jXUyQDt.exe

Filesize
1.7MB

MD5
c3f83e4fa5dce9d8b67b6072eb920537

SHA1
b0d1d925e40b05b88bfdc08ccfe67b0295b57a5d

SHA256
28f7ca47292821e6243fd0193ae075a3a3087093832130a750b41846a5471393

SHA512
ecd1f2e98b2a2a92f168fc01aab8a5bdd45c84d7cf9bd175ea2e6fcc15b29e69da88f88851e2686dad80472e0c09b1e50ebfae069987737d920d2e38ace3e65f

Download Submit
C:\Windows\System32\jXhCfBo.exe

Filesize
1.7MB

MD5
472e76cd1b4c28a6175009e7ab873eba

SHA1
4d4c7a52c23adee894e5acf326827711c9513bb0

SHA256
e3fd3746464310d3e6e42f368468822fed6762105ec43e205911973717e490a4

SHA512
825f9f139aa8514f67881454a4502a542ab2932be98c58a4e25e25d5bf03c21bcb0f829e0ffc4fdcab5db67beb42de6e8f9080f277cd6b398caaa784c303446a

Download Submit
C:\Windows\System32\jcRbNmR.exe

Filesize
1.7MB

MD5
4702d864527cf246241b09b778bc4769

SHA1
be1f47145a598cd6434bc7bc547478dd634eb5fb

SHA256
4125dbd10e71085e530b739001cd3c0402f5649a2ce5bd2b2e6083c774bc0b98

SHA512
43d27e672c0034deb23ce182695fe33ec645461fca545b3d1194454f3f808d4e1cfabef741288db53179037e0428ace89301548060315ecbaf92ae519059664f

Download Submit
C:\Windows\System32\jrzVSpK.exe

Filesize
1.7MB

MD5
562c8b9992be2ce31e126603d84d63d9

SHA1
73eb87ab1091a92e03ee01bcde6ddfd8e2a7aed8

SHA256
70e8ea4fa7577913c8128b7b793946a46c6b746b1d8ae12a08669409f3ed02ef

SHA512
7d695a220b0a9f620506ff591a2a789ea4981f0cbbd220fc074c4aa34d0a8defd486372c15d2d055f7079752f6439db89b9d9fae5ea605b23eb9c77b08930644

Download Submit
C:\Windows\System32\lFLYtHO.exe

Filesize
1.7MB

MD5
1284303624cf324ff9650a40f5182111

SHA1
ea0babc8d79b9cce4daddcea511035e85daf7f1f

SHA256
9933d6f783ceae4de1b19b141a2e3aa0a6f1745a8524620cbc327bbb7ecf59eb

SHA512
89d1c628882b4fce60b4affbac20531a0c19e8d1203d9095decac9cf9735c9a30d862b5d8816f576cf91543efccd39ca00bffc69568c338cd07f2219346ec19b

Download Submit
C:\Windows\System32\lWpLwrd.exe

Filesize
1.7MB

MD5
c6f8a62f3390ba132def81167f07018e

SHA1
0e31b46aefe208722c2381f4430f842b25ac7d5f

SHA256
0553de981ac6f0e462e07a6f58d45d82a046624b81fc11e5ba136d67c5ff2957

SHA512
b850e060b4ebbefdb715ac9de4677f2c8505521debf92d1191bb28e9f4e4cb5e4d33f6a442d7ed6be26a2966f46ed631d3e06dd90c3273a79b8c9fbf909715f0

Download Submit
C:\Windows\System32\lweoHUA.exe

Filesize
1.7MB

MD5
ce039e41151064e8ccac486a362fe0e0

SHA1
8758627ce0efee58c4d6225bba17ddc02aa5eef7

SHA256
70c2f88adf9206b0e95f1485d44c8fe0cf04541c4837da01630ad064324b7f85

SHA512
cca4151162eca5b8e11d743870369c849ba064b6ee0a3fb81dc1ab0e3dae668abb15eb52c4e9b3b87e274fbe9f2220be5e494de71b69804f255cbcf79c02b50f

Download Submit
C:\Windows\System32\mqTyaMN.exe

Filesize
1.7MB

MD5
bcbb4307321dc3d19e24ed4f6364a1b4

SHA1
cbf0b8ff187a624d24f681cad866473ef4707d24

SHA256
b866b5c029b488606b69d7b17a03f0f83f5f8dc7e9bf0261104044f656aced99

SHA512
3b6bf0951e3034023116b08fcbc1187488c0e4e6a987f1c211f49cdf895797f3ee06e9744b046d57f343692e0b97b7d60a409a18a9b272ea6489f85a010cc099

Download Submit
C:\Windows\System32\nGBJnmU.exe

Filesize
1.7MB

MD5
6b97e808c6fbbb3b093098acdd56c807

SHA1
488bb1cdfd7572ad35a9925b691d566a493c6337

SHA256
68dc4a6b0fa8b503a07df8754c73d07c9adbcb51ea214529e8b7c4753c727b2a

SHA512
c418831e592e6a19b8ee97f732bc3158b8fd04cc9ccef9cfb0a8905646e921ff36204a6ae70de933de62069e51588d2008de716912210b6316cf6c1c9a7837a9

Download Submit
C:\Windows\System32\osHYbba.exe

Filesize
1.7MB

MD5
23c9cea6834379883a4b3196a529ef35

SHA1
6c731a038887f421b85cb2e2bcd8d720d5278a42

SHA256
439b9bccecf144f16ae6c4eef08076c66471dfc50002ea20419ebe2bdcfe3495

SHA512
a64bf6645ca34f90e72066613b191252ce4deaa41e1562c19d6c61539eb1596f4e8679bb2211e391081a918d6f3b9ada333b82c913bc869c2ca05fca341df0ed

Download Submit
C:\Windows\System32\qyzgubO.exe

Filesize
1.7MB

MD5
7651b2fb1cb68fc77c03ae5bfffe76e2

SHA1
bffa257178d3a3265762fbc4e353dc7b8ac1adc2

SHA256
4f5fd9fb026807ce06433966824e9d4993454b21e1b4ff98f2c701693a4c8281

SHA512
e12e40ea9571c31472e0ac2905a2e31f45516f082ae615d2de17c0989e587573fafdbfe978a7d1a993277eacecebf63f248ff54e8e551479fca17e946ebb1618

Download Submit
C:\Windows\System32\rkbnNOz.exe

Filesize
1.7MB

MD5
f0f73975efef32f304bc943a6c389a1b

SHA1
6121ef3875e071685b32b4704fdc38331b6d1d0b

SHA256
1474e8049da62ddb914923153fc49a153b571d02b3ee42a9da3c8f7e633ad9ad

SHA512
c87f615d7b28dffc55053ee219994e832bd31881251f605afb72fe33deaac02cc29962d85923a9fdfc4620aa1c2a0a66c134658ecf0f7728d42fd7c0bb5c2b45

Download Submit
C:\Windows\System32\rnlSbDY.exe

Filesize
1.7MB

MD5
65fd7c9bdb5412baa38934ff910d6b50

SHA1
bec50517fcc58b7f135791e7c73f012b3772e89e

SHA256
7eb5dce4d0b60fb3ab7cc5a3ec6ffe588dd252faa208431ee20ac3b3a4db08ec

SHA512
d7e8dcadd0b817e306cdfae08477db2f74790d22b1a02f128d259f9af7de89e6d8807d40c528de63c872a4c092401510d22cc9c8b61fa5923a199527e60f0cb9

Download Submit
C:\Windows\System32\slanTut.exe

Filesize
1.7MB

MD5
74de65d0ef7b131dc03c9b7fa3872a24

SHA1
a4a1e0191e07f71ae5bad17f164e703abcebc320

SHA256
68301d1ae9c285db992b2e2981cfe25a1bd19f7b51ba7a5d8f7b6cc39914e04d

SHA512
a4f5aab7ff9bc1609e845e20201b0ec1139cc307f71ced102cb3aed12b2c8bc63e09d2c2a96aa5c879c0ff466ff7b33eb63d0c1f3feb77a59f50dfa67b5de863

Download Submit
C:\Windows\System32\taeKCzN.exe

Filesize
1.7MB

MD5
5b3e0bc57415122b95a0d262fbdc2f11

SHA1
b00794ac55174c9fedec374218262ada94eb80dd

SHA256
1485e4b47ecf34dc950ad87e33209dda914dab841d95c4747668a509058d8e22

SHA512
d65c886dfed930f58d4e4c990157087561c59b313ccc5fd032b33d69fc4df01faf38cb7cc7af24e3a48fdf90225eb6e8253d18d31cd7b42afbee1cc575dc1076

Download Submit
C:\Windows\System32\thygcSn.exe

Filesize
1.7MB

MD5
d39eba87e47c1d224a9ed18f57ec2ae7

SHA1
d13aba036ae7c3fb64a16eab68c17050cb02d87c

SHA256
830667afcf8837d9fc6aedac1b2bcd6ffc09b07163c3ab3e2523b2862de63e86

SHA512
8adb9e2189762e5c03544468f7621641c5b352a421c53103411a89254919d64c08b00cc91b9917043d8a2dcef6f91fa979e2cc0af518cefafcafb3d26e9a37f0

Download Submit
C:\Windows\System32\tmQJlfi.exe

Filesize
1.7MB

MD5
121f3d15c717991f7c7a54c7687a7f77

SHA1
659dfbcec46bd31bfe13fa55d85c31aa6d414fc6

SHA256
26d384d5474e733829fd428d1180e97c9b7d9868e7c3c69e46a7688d646c72e1

SHA512
32bd30d84b876a46e4d90976319336958994fdb0cd20e982eafba638cae06d4035cd4879b54d51b0344c55af125af0d4bc990a8b89209c3e065a9c27f2c1cc4f

Download Submit
C:\Windows\System32\twqJWem.exe

Filesize
1.7MB

MD5
27947bb5aca3f0b26c8f1a7a83e6cbb1

SHA1
2dba7cc7ad6fe67177c62cebc51ad1d1600f5125

SHA256
2cb749753ffc9ca3db391da165d529575f688450dedebcab0535d6d30fdca28e

SHA512
f2302a9eba6029c1a3620e351e82504df9c5ec8663795e2981fc3ea3cfd36a7a57ff73214da9e5bc8dc98adb93e06441deb0c00c25d1f0091247b9e7757e19c4

Download Submit
C:\Windows\System32\vPDlFqS.exe

Filesize
1.7MB

MD5
fb900267e6c9bd305ddfd2afcbd3bdca

SHA1
699ddf75330b9c5ca7f2e766f7dd2f5d6b3c5408

SHA256
52de2c6f4a6ef0e2d8855a98fc488e4e78c63bbcc525301a10f3f4e4e270a4e8

SHA512
573f3b1fd5a85e7d42164244c7a0cb95e5c3ffba30163efd154b5943c2938602876443468746a312e6e7ff047aa350640e744ad127e79ef1c80d160d4fd3cee3

Download Submit
C:\Windows\System32\wUBAXPZ.exe

Filesize
1.7MB

MD5
2fc0916c3221a0c138259a6376818b65

SHA1
c82fad4fba1745129f194362de3418385118b627

SHA256
166f1db7ec6e49daa51afa99f7a6d05bf0e97ebf5082cf1b66d76d3cd7d8c714

SHA512
82199d352ab3aa644dcac9b9322c1d7d27bf6bb2f52bb1b01e702d8985a3a2c77c707ee536f3bcfc3fa5b92feaf8dcee19003abc766de2830e99b83915d9a3f3

Download Submit
C:\Windows\System32\weDzqsC.exe

Filesize
1.7MB

MD5
25f8e3e016f34a4c8fef33260b734b40

SHA1
8a74708cb208676b4a99e1752a508870fabf5027

SHA256
d3bd72344bb93ec39a68bdae29c8acbd167daac7e176e5ec915b7379d0246aa8

SHA512
941db511392fba87eb075ffa0b00896abb1b66eff0bd8e04d155b72c8aed42983a82106aa4e48fadff052ff2b170e7fd691ac4e20e9179bdf333a36b1c812109

Download Submit
C:\Windows\System32\wrUwFPZ.exe

Filesize
1.7MB

MD5
c27e61bb04b75af60745dea01e5e1387

SHA1
9a6925b1a642ba91e767387249811cb70472c70d

SHA256
63c667247dbdf3a517dbe98cfa3d2ca459cc8525c1949e2f35f3ef43a7106a0e

SHA512
89e93169fbeddbd1a539e43411ac9190776bf8e570ca2e0371ee0cd1f319fab4990cbcc0ff95d8cd8944d44221c7cccc13896fdbac756452a20fbf97620423a2

Download Submit
C:\Windows\System32\xCcgPkq.exe

Filesize
1.7MB

MD5
1faf73ffa3dcb3ba5f9619572a832f89

SHA1
f2457092471c7e1baa747b575b47edeeb84c3737

SHA256
880aaa78c4f26d4910da8fcdcb4cd6552377508ede4c518ed510a91a31fd72a4

SHA512
64b07653dc258d82571bb48dae70a1a9dab9447f5eaa864edceed4dc628306bfdbaab82a70e09b29bf7039b29371c1a46c9502b414917bad5e665de283b1f2d3

Download Submit
C:\Windows\System32\xOYzDau.exe

Filesize
1.7MB

MD5
01fb6e7e1d6e89d30b9969ca0b3650a3

SHA1
b2bc7e063bf3945d9e02dcbb3945f3d27f3e635d

SHA256
d6a9e10c2357523b5e205224ec10c5c788f86266ba597d720a64fbecbe45c08a

SHA512
022e3a6bf9ddd83508bebf59673e0317fe33b89443f53b6f4afff33d55e3239c94f7b252e192ef9865fbb67cb8be2a0febdc7e870f0586df71396f54ee4ee0d0

Download Submit
C:\Windows\System32\zFzYNHq.exe

Filesize
1.7MB

MD5
03e67ae020201fb835c437f3029f1e5d

SHA1
8ddd025c6ddce5caf37f0c4d6edcc8784ddeb8f8

SHA256
b7b110505926133a24b0f3274c552a877afb83ba2a34b858fe2a30bc77fb95f4

SHA512
58ab393e7907827ebb3a1f41f7276c0cfdb8c6565974eab2f71bd2394fdef375a15cadadde704c028f016ec04d0d2844690522ceba5f4b4c47753748365e7325

Download Submit
C:\Windows\System32\zsxSCdo.exe

Filesize
1.7MB

MD5
1b5cfd6bb7212e681c595947c25a5038

SHA1
b2e491f9a477f0d2cde6a9e9192b5354e325cd27

SHA256
28eed15c3343a8f26a563e703a8be226cebfde76b915f71ec20773160b9e84a5

SHA512
25a54fbb8af938eb7206fb8ab940e4b023aed3fcaf16b58289840603d67e3fc8af13229bb23bf349221ff3390dd5e50b8894da2bce5253611b96e433aed009e0

Download Submit
memory/64-2355-0x00007FF651940000-0x00007FF651D31000-memory.dmp

Filesize
3.9MB

Download
memory/64-756-0x00007FF651940000-0x00007FF651D31000-memory.dmp

Filesize
3.9MB

Download
memory/64-2073-0x00007FF651940000-0x00007FF651D31000-memory.dmp

Filesize
3.9MB

Download
memory/876-2579-0x00007FF71B0E0000-0x00007FF71B4D1000-memory.dmp

Filesize
3.9MB

Download
memory/876-2058-0x00007FF71B0E0000-0x00007FF71B4D1000-memory.dmp

Filesize
3.9MB

Download
memory/876-751-0x00007FF71B0E0000-0x00007FF71B4D1000-memory.dmp

Filesize
3.9MB

Download
memory/1060-2059-0x00007FF7710B0000-0x00007FF7714A1000-memory.dmp

Filesize
3.9MB

Download
memory/1060-752-0x00007FF7710B0000-0x00007FF7714A1000-memory.dmp

Filesize
3.9MB

Download
memory/1060-2583-0x00007FF7710B0000-0x00007FF7714A1000-memory.dmp

Filesize
3.9MB

Download
memory/1188-754-0x00007FF76A750000-0x00007FF76AB41000-memory.dmp

Filesize
3.9MB

Download
memory/1188-2590-0x00007FF76A750000-0x00007FF76AB41000-memory.dmp

Filesize
3.9MB

Download
memory/1188-2067-0x00007FF76A750000-0x00007FF76AB41000-memory.dmp

Filesize
3.9MB

Download
memory/1772-2072-0x00007FF797C60000-0x00007FF798051000-memory.dmp

Filesize
3.9MB

Download
memory/1772-755-0x00007FF797C60000-0x00007FF798051000-memory.dmp

Filesize
3.9MB

Download
memory/1772-2581-0x00007FF797C60000-0x00007FF798051000-memory.dmp

Filesize
3.9MB

Download
memory/2032-753-0x00007FF715480000-0x00007FF715871000-memory.dmp

Filesize
3.9MB

Download
memory/2032-2065-0x00007FF715480000-0x00007FF715871000-memory.dmp

Filesize
3.9MB

Download
memory/2032-2572-0x00007FF715480000-0x00007FF715871000-memory.dmp

Filesize
3.9MB

Download
memory/2056-759-0x00007FF6A6CE0000-0x00007FF6A70D1000-memory.dmp

Filesize
3.9MB

Download
memory/2056-2366-0x00007FF6A6CE0000-0x00007FF6A70D1000-memory.dmp

Filesize
3.9MB

Download
memory/2056-2079-0x00007FF6A6CE0000-0x00007FF6A70D1000-memory.dmp

Filesize
3.9MB

Download
memory/2108-28-0x00007FF7E1650000-0x00007FF7E1A41000-memory.dmp

Filesize
3.9MB

Download
memory/2108-2030-0x00007FF7E1650000-0x00007FF7E1A41000-memory.dmp

Filesize
3.9MB

Download
memory/2108-2099-0x00007FF7E1650000-0x00007FF7E1A41000-memory.dmp

Filesize
3.9MB

Download
memory/2124-45-0x00007FF7F9160000-0x00007FF7F9551000-memory.dmp

Filesize
3.9MB

Download
memory/2124-2090-0x00007FF7F9160000-0x00007FF7F9551000-memory.dmp

Filesize
3.9MB

Download
memory/2124-2034-0x00007FF7F9160000-0x00007FF7F9551000-memory.dmp

Filesize
3.9MB

Download
memory/2160-11-0x00007FF6590F0000-0x00007FF6594E1000-memory.dmp

Filesize
3.9MB

Download
memory/2160-2093-0x00007FF6590F0000-0x00007FF6594E1000-memory.dmp

Filesize
3.9MB

Download
memory/2288-2082-0x00007FF70BCF0000-0x00007FF70C0E1000-memory.dmp

Filesize
3.9MB

Download
memory/2288-2459-0x00007FF70BCF0000-0x00007FF70C0E1000-memory.dmp

Filesize
3.9MB

Download
memory/2288-761-0x00007FF70BCF0000-0x00007FF70C0E1000-memory.dmp

Filesize
3.9MB

Download
memory/2528-1995-0x00007FF720AC0000-0x00007FF720EB1000-memory.dmp

Filesize
3.9MB

Download
memory/2528-17-0x00007FF720AC0000-0x00007FF720EB1000-memory.dmp

Filesize
3.9MB

Download
memory/2528-2092-0x00007FF720AC0000-0x00007FF720EB1000-memory.dmp

Filesize
3.9MB

Download
memory/2584-2351-0x00007FF6C78D0000-0x00007FF6C7CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2584-750-0x00007FF6C78D0000-0x00007FF6C7CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2584-2056-0x00007FF6C78D0000-0x00007FF6C7CC1000-memory.dmp

Filesize
3.9MB

Download
memory/3044-2095-0x00007FF7A91D0000-0x00007FF7A95C1000-memory.dmp

Filesize
3.9MB

Download
memory/3044-52-0x00007FF7A91D0000-0x00007FF7A95C1000-memory.dmp

Filesize
3.9MB

Download
memory/3060-757-0x00007FF7D8E30000-0x00007FF7D9221000-memory.dmp

Filesize
3.9MB

Download
memory/3060-2075-0x00007FF7D8E30000-0x00007FF7D9221000-memory.dmp

Filesize
3.9MB

Download
memory/3060-2586-0x00007FF7D8E30000-0x00007FF7D9221000-memory.dmp

Filesize
3.9MB

Download
memory/3116-1-0x000001EFD3480000-0x000001EFD3490000-memory.dmp

Filesize
64KB

Download
memory/3116-0-0x00007FF791F80000-0x00007FF792371000-memory.dmp

Filesize
3.9MB

Download
memory/3496-2364-0x00007FF648AF0000-0x00007FF648EE1000-memory.dmp

Filesize
3.9MB

Download
memory/3496-2081-0x00007FF648AF0000-0x00007FF648EE1000-memory.dmp

Filesize
3.9MB

Download
memory/3496-760-0x00007FF648AF0000-0x00007FF648EE1000-memory.dmp

Filesize
3.9MB

Download
memory/3508-53-0x00007FF6F0C70000-0x00007FF6F1061000-memory.dmp

Filesize
3.9MB

Download
memory/3508-2353-0x00007FF6F0C70000-0x00007FF6F1061000-memory.dmp

Filesize
3.9MB

Download
memory/3508-2036-0x00007FF6F0C70000-0x00007FF6F1061000-memory.dmp

Filesize
3.9MB

Download
memory/3548-27-0x00007FF63EB50000-0x00007FF63EF41000-memory.dmp

Filesize
3.9MB

Download
memory/3548-2009-0x00007FF63EB50000-0x00007FF63EF41000-memory.dmp

Filesize
3.9MB

Download
memory/3548-2097-0x00007FF63EB50000-0x00007FF63EF41000-memory.dmp

Filesize
3.9MB

Download
memory/3560-41-0x00007FF6AC2A0000-0x00007FF6AC691000-memory.dmp

Filesize
3.9MB

Download
memory/3560-2086-0x00007FF6AC2A0000-0x00007FF6AC691000-memory.dmp

Filesize
3.9MB

Download
memory/3936-758-0x00007FF71C770000-0x00007FF71CB61000-memory.dmp

Filesize
3.9MB

Download
memory/3936-2078-0x00007FF71C770000-0x00007FF71CB61000-memory.dmp

Filesize
3.9MB

Download
memory/3936-2463-0x00007FF71C770000-0x00007FF71CB61000-memory.dmp

Filesize
3.9MB

Download
memory/3960-762-0x00007FF69D600000-0x00007FF69D9F1000-memory.dmp

Filesize
3.9MB

Download
memory/3960-2461-0x00007FF69D600000-0x00007FF69D9F1000-memory.dmp

Filesize
3.9MB

Download
memory/3960-2083-0x00007FF69D600000-0x00007FF69D9F1000-memory.dmp

Filesize
3.9MB

Download
memory/4396-26-0x00007FF6C0680000-0x00007FF6C0A71000-memory.dmp

Filesize
3.9MB

Download
memory/4396-2088-0x00007FF6C0680000-0x00007FF6C0A71000-memory.dmp

Filesize
3.9MB

Download
memory/4396-1996-0x00007FF6C0680000-0x00007FF6C0A71000-memory.dmp

Filesize
3.9MB

Download
memory/4592-749-0x00007FF762FB0000-0x00007FF7633A1000-memory.dmp

Filesize
3.9MB

Download
memory/4592-2049-0x00007FF762FB0000-0x00007FF7633A1000-memory.dmp

Filesize
3.9MB

Download
memory/4592-2361-0x00007FF762FB0000-0x00007FF7633A1000-memory.dmp

Filesize
3.9MB

Download
memory/5000-2457-0x00007FF692460000-0x00007FF692851000-memory.dmp

Filesize
3.9MB

Download
memory/5000-2047-0x00007FF692460000-0x00007FF692851000-memory.dmp

Filesize
3.9MB

Download
memory/5000-748-0x00007FF692460000-0x00007FF692851000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads