xmrig | 18fe58a889131f9b3d7d2a338397a341a4baba27926a54874e07550845b4eed8

Analysis

max time kernel
149s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
Size

965KB
MD5

037975276b03276fa28736c9faf4867f
SHA1

feac6f84f7ade96fbda0cf2927ae868258faf09c
SHA256

18fe58a889131f9b3d7d2a338397a341a4baba27926a54874e07550845b4eed8
SHA512

56c6c69efe40f15cb3399940f233809115d8cf2d443d05211c40e268b18ba4449d964a33c593ccd4a08b411d098596e41f4eea5e0cb2ec0b9a5814b2a3838759
SSDEEP

24576:JanwhSe11QSONCpGJCjETPl+Me7bPMS8YkgcW4m:knw9oUUEEDl+xTMS8Tg5

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/468-370-0x00007FF6512B0000-0x00007FF6516A1000-memory.dmp	xmrig
behavioral2/memory/2332-377-0x00007FF6D3E40000-0x00007FF6D4231000-memory.dmp	xmrig
behavioral2/memory/3200-389-0x00007FF7F3E90000-0x00007FF7F4281000-memory.dmp	xmrig
behavioral2/memory/2648-400-0x00007FF6B8110000-0x00007FF6B8501000-memory.dmp	xmrig
behavioral2/memory/4528-408-0x00007FF7F62F0000-0x00007FF7F66E1000-memory.dmp	xmrig
behavioral2/memory/2284-414-0x00007FF6043F0000-0x00007FF6047E1000-memory.dmp	xmrig
behavioral2/memory/2644-415-0x00007FF688330000-0x00007FF688721000-memory.dmp	xmrig
behavioral2/memory/2196-416-0x00007FF65DD10000-0x00007FF65E101000-memory.dmp	xmrig
behavioral2/memory/312-418-0x00007FF740400000-0x00007FF7407F1000-memory.dmp	xmrig
behavioral2/memory/1908-419-0x00007FF7192E0000-0x00007FF7196D1000-memory.dmp	xmrig
behavioral2/memory/2424-421-0x00007FF7C8920000-0x00007FF7C8D11000-memory.dmp	xmrig
behavioral2/memory/2456-420-0x00007FF747110000-0x00007FF747501000-memory.dmp	xmrig
behavioral2/memory/4592-417-0x00007FF6CA5B0000-0x00007FF6CA9A1000-memory.dmp	xmrig
behavioral2/memory/3944-385-0x00007FF6AB040000-0x00007FF6AB431000-memory.dmp	xmrig
behavioral2/memory/3120-380-0x00007FF77FAA0000-0x00007FF77FE91000-memory.dmp	xmrig
behavioral2/memory/2212-72-0x00007FF684920000-0x00007FF684D11000-memory.dmp	xmrig
behavioral2/memory/1572-66-0x00007FF7C54F0000-0x00007FF7C58E1000-memory.dmp	xmrig
behavioral2/memory/2408-32-0x00007FF6771F0000-0x00007FF6775E1000-memory.dmp	xmrig
behavioral2/memory/3632-24-0x00007FF74AA40000-0x00007FF74AE31000-memory.dmp	xmrig
behavioral2/memory/3832-428-0x00007FF78D7D0000-0x00007FF78DBC1000-memory.dmp	xmrig
behavioral2/memory/3348-2014-0x00007FF741A20000-0x00007FF741E11000-memory.dmp	xmrig
behavioral2/memory/3608-2015-0x00007FF6D5280000-0x00007FF6D5671000-memory.dmp	xmrig
behavioral2/memory/5044-2016-0x00007FF65A380000-0x00007FF65A771000-memory.dmp	xmrig
behavioral2/memory/1564-2017-0x00007FF676E70000-0x00007FF677261000-memory.dmp	xmrig
behavioral2/memory/3632-2023-0x00007FF74AA40000-0x00007FF74AE31000-memory.dmp	xmrig
behavioral2/memory/2408-2025-0x00007FF6771F0000-0x00007FF6775E1000-memory.dmp	xmrig
behavioral2/memory/3608-2029-0x00007FF6D5280000-0x00007FF6D5671000-memory.dmp	xmrig
behavioral2/memory/312-2033-0x00007FF740400000-0x00007FF7407F1000-memory.dmp	xmrig
behavioral2/memory/1572-2027-0x00007FF7C54F0000-0x00007FF7C58E1000-memory.dmp	xmrig
behavioral2/memory/3348-2035-0x00007FF741A20000-0x00007FF741E11000-memory.dmp	xmrig
behavioral2/memory/1908-2031-0x00007FF7192E0000-0x00007FF7196D1000-memory.dmp	xmrig
behavioral2/memory/3120-2043-0x00007FF77FAA0000-0x00007FF77FE91000-memory.dmp	xmrig
behavioral2/memory/5044-2039-0x00007FF65A380000-0x00007FF65A771000-memory.dmp	xmrig
behavioral2/memory/2456-2037-0x00007FF747110000-0x00007FF747501000-memory.dmp	xmrig
behavioral2/memory/2212-2041-0x00007FF684920000-0x00007FF684D11000-memory.dmp	xmrig
behavioral2/memory/3200-2055-0x00007FF7F3E90000-0x00007FF7F4281000-memory.dmp	xmrig
behavioral2/memory/4592-2070-0x00007FF6CA5B0000-0x00007FF6CA9A1000-memory.dmp	xmrig
behavioral2/memory/2196-2068-0x00007FF65DD10000-0x00007FF65E101000-memory.dmp	xmrig
behavioral2/memory/2644-2066-0x00007FF688330000-0x00007FF688721000-memory.dmp	xmrig
behavioral2/memory/4528-2059-0x00007FF7F62F0000-0x00007FF7F66E1000-memory.dmp	xmrig
behavioral2/memory/2284-2057-0x00007FF6043F0000-0x00007FF6047E1000-memory.dmp	xmrig
behavioral2/memory/2648-2053-0x00007FF6B8110000-0x00007FF6B8501000-memory.dmp	xmrig
behavioral2/memory/1564-2051-0x00007FF676E70000-0x00007FF677261000-memory.dmp	xmrig
behavioral2/memory/2332-2049-0x00007FF6D3E40000-0x00007FF6D4231000-memory.dmp	xmrig
behavioral2/memory/468-2063-0x00007FF6512B0000-0x00007FF6516A1000-memory.dmp	xmrig
behavioral2/memory/3832-2061-0x00007FF78D7D0000-0x00007FF78DBC1000-memory.dmp	xmrig
behavioral2/memory/3944-2047-0x00007FF6AB040000-0x00007FF6AB431000-memory.dmp	xmrig
behavioral2/memory/2424-2045-0x00007FF7C8920000-0x00007FF7C8D11000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3632	IXhYchL.exe
2408	vYcnxMf.exe
312	dVccWdX.exe
3348	CtAKUmB.exe
3608	AxtHpHJ.exe
1908	sxbYYcq.exe
5044	ImFwKur.exe
1572	UUgSUbJ.exe
2212	iGSbeve.exe
2456	LZzlmmW.exe
1564	LgCoDzk.exe
468	zLOtBTG.exe
2424	EyhdXSN.exe
3832	CFtWuse.exe
2332	eUjaKrT.exe
3120	crUInQB.exe
3944	HBwuCuN.exe
3200	indMygp.exe
2648	BqySSPX.exe
4528	SMsaQYf.exe
2284	fJrWSip.exe
2644	wFtHqTV.exe
2196	TdIKWeo.exe
4592	igfuwfM.exe
3648	CUHgjDL.exe
3520	gCgmCUy.exe
988	AlBpjRB.exe
1244	OrNzKJN.exe
4428	HyGhiUn.exe
4152	YFgZJlI.exe
3128	MbtMBQk.exe
4524	GXqwLBH.exe
744	lptyfpZ.exe
2404	vzBnxCN.exe
1632	vztVRkx.exe
4916	eKJNyHW.exe
1272	nIKcczO.exe
3456	fLtCMua.exe
2764	CxSGyEQ.exe
736	qPluwak.exe
1496	cqYyEtQ.exe
3368	dagwjdQ.exe
4956	OIqiyoM.exe
2244	bhwRsxV.exe
376	BxjbVVD.exe
4132	DlfuFFd.exe
1756	UwDAdaC.exe
1528	DIeSGIh.exe
440	VBEIRug.exe
3280	RVzbbnA.exe
4320	UtVAsui.exe
4520	qMXxoVt.exe
4536	wugAAmR.exe
3868	USYJpRb.exe
1620	BcopzoR.exe
2936	HTCetKk.exe
5008	plbWPLf.exe
3828	pNHMxvK.exe
5064	fjHuXdL.exe
4376	TZBuVWC.exe
5048	vwZGdoe.exe
3856	kTSKqeK.exe
4408	fVKiDGR.exe
1692	psvBlpq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2720-0-0x00007FF6A6060000-0x00007FF6A6451000-memory.dmp	upx
behavioral2/files/0x000c000000023b52-6.dat	upx
behavioral2/files/0x000a000000023bb0-9.dat	upx
behavioral2/files/0x0031000000023bb7-37.dat	upx
behavioral2/files/0x000a000000023bb4-50.dat	upx
behavioral2/files/0x000a000000023bba-63.dat	upx
behavioral2/files/0x000a000000023bb9-62.dat	upx
behavioral2/files/0x000a000000023bbb-70.dat	upx
behavioral2/files/0x000a000000023bbe-88.dat	upx
behavioral2/files/0x000a000000023bc0-98.dat	upx
behavioral2/files/0x000a000000023bc2-108.dat	upx
behavioral2/files/0x000a000000023bca-146.dat	upx
behavioral2/files/0x000a000000023bcc-159.dat	upx
behavioral2/memory/1564-364-0x00007FF676E70000-0x00007FF677261000-memory.dmp	upx
behavioral2/memory/468-370-0x00007FF6512B0000-0x00007FF6516A1000-memory.dmp	upx
behavioral2/memory/2332-377-0x00007FF6D3E40000-0x00007FF6D4231000-memory.dmp	upx
behavioral2/memory/3200-389-0x00007FF7F3E90000-0x00007FF7F4281000-memory.dmp	upx
behavioral2/memory/2648-400-0x00007FF6B8110000-0x00007FF6B8501000-memory.dmp	upx
behavioral2/memory/4528-408-0x00007FF7F62F0000-0x00007FF7F66E1000-memory.dmp	upx
behavioral2/memory/2284-414-0x00007FF6043F0000-0x00007FF6047E1000-memory.dmp	upx
behavioral2/memory/2644-415-0x00007FF688330000-0x00007FF688721000-memory.dmp	upx
behavioral2/memory/2196-416-0x00007FF65DD10000-0x00007FF65E101000-memory.dmp	upx
behavioral2/memory/312-418-0x00007FF740400000-0x00007FF7407F1000-memory.dmp	upx
behavioral2/memory/1908-419-0x00007FF7192E0000-0x00007FF7196D1000-memory.dmp	upx
behavioral2/memory/2424-421-0x00007FF7C8920000-0x00007FF7C8D11000-memory.dmp	upx
behavioral2/memory/2456-420-0x00007FF747110000-0x00007FF747501000-memory.dmp	upx
behavioral2/memory/4592-417-0x00007FF6CA5B0000-0x00007FF6CA9A1000-memory.dmp	upx
behavioral2/memory/3944-385-0x00007FF6AB040000-0x00007FF6AB431000-memory.dmp	upx
behavioral2/memory/3120-380-0x00007FF77FAA0000-0x00007FF77FE91000-memory.dmp	upx
behavioral2/files/0x000a000000023bce-168.dat	upx
behavioral2/files/0x000a000000023bcd-163.dat	upx
behavioral2/files/0x000a000000023bcb-153.dat	upx
behavioral2/files/0x000a000000023bc9-143.dat	upx
behavioral2/files/0x000a000000023bc8-138.dat	upx
behavioral2/files/0x000a000000023bc7-133.dat	upx
behavioral2/files/0x000a000000023bc6-128.dat	upx
behavioral2/files/0x000a000000023bc5-123.dat	upx
behavioral2/files/0x000a000000023bc4-119.dat	upx
behavioral2/files/0x000a000000023bc3-113.dat	upx
behavioral2/files/0x000a000000023bc1-103.dat	upx
behavioral2/files/0x000a000000023bbf-93.dat	upx
behavioral2/files/0x000a000000023bbd-83.dat	upx
behavioral2/files/0x000a000000023bbc-78.dat	upx
behavioral2/memory/2212-72-0x00007FF684920000-0x00007FF684D11000-memory.dmp	upx
behavioral2/memory/1572-66-0x00007FF7C54F0000-0x00007FF7C58E1000-memory.dmp	upx
behavioral2/files/0x0031000000023bb8-61.dat	upx
behavioral2/memory/5044-59-0x00007FF65A380000-0x00007FF65A771000-memory.dmp	upx
behavioral2/files/0x0031000000023bb6-58.dat	upx
behavioral2/memory/3608-57-0x00007FF6D5280000-0x00007FF6D5671000-memory.dmp	upx
behavioral2/files/0x000a000000023bb5-54.dat	upx
behavioral2/files/0x000a000000023bb1-52.dat	upx
behavioral2/files/0x000a000000023bb3-43.dat	upx
behavioral2/memory/3348-40-0x00007FF741A20000-0x00007FF741E11000-memory.dmp	upx
behavioral2/memory/2408-32-0x00007FF6771F0000-0x00007FF6775E1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb2-25.dat	upx
behavioral2/memory/3632-24-0x00007FF74AA40000-0x00007FF74AE31000-memory.dmp	upx
behavioral2/memory/3832-428-0x00007FF78D7D0000-0x00007FF78DBC1000-memory.dmp	upx
behavioral2/memory/3348-2014-0x00007FF741A20000-0x00007FF741E11000-memory.dmp	upx
behavioral2/memory/3608-2015-0x00007FF6D5280000-0x00007FF6D5671000-memory.dmp	upx
behavioral2/memory/5044-2016-0x00007FF65A380000-0x00007FF65A771000-memory.dmp	upx
behavioral2/memory/1564-2017-0x00007FF676E70000-0x00007FF677261000-memory.dmp	upx
behavioral2/memory/3632-2023-0x00007FF74AA40000-0x00007FF74AE31000-memory.dmp	upx
behavioral2/memory/2408-2025-0x00007FF6771F0000-0x00007FF6775E1000-memory.dmp	upx
behavioral2/memory/3608-2029-0x00007FF6D5280000-0x00007FF6D5671000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\MbtMBQk.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\wvELYna.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\UFfiyuS.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\saRwcGz.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\DtFvACO.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\ZhHeOdV.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\tqOapjU.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\wEiHCiu.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\xkNiWmz.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\aUXwkld.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\kDjAayP.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\SAIphhk.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\RogtHAj.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\LgCoDzk.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\aVCmYEQ.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\HyFDNvb.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\QcdfGEK.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\dagwjdQ.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\wRzfwyv.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\nwzIGZw.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\AjpNjXE.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\OKpxQNr.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\MWmIDuS.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\SeoQSgK.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\sQUAWgP.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\VdILPGG.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\wygynqo.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\uRfcCSw.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\jWClfuG.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\jyeAfHO.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\KBSPcgH.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\JBEHQxP.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\IXhYchL.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\OrNzKJN.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\Njtcgmb.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\chmQqFG.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\iMDSXvN.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\uqruMNz.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\aBsDoGE.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\Lxnnwgh.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\ACDaWHV.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\MwsFnYm.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\kLCvZLJ.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\RzZYTqs.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\ZENHSZF.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\DwfXbyB.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\SjFxwDw.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\PhNEHQj.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\THOKTvI.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\HqFkFBp.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\IucFZaF.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\iDuVPMk.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\gTSTWlD.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\ntTbsos.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\SBTCqCP.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\kTSKqeK.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\PYtUOoT.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\QZqNLBH.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\uzQbLWj.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\ZVqUZDv.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\SMsaQYf.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\eaiLlSX.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\NEEqRJR.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
File created	C:\Windows\System32\ELHZUsr.exe	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13248	dwm.exe
Token: SeChangeNotifyPrivilege	13248	dwm.exe
Token: 33	13248	dwm.exe
Token: SeIncBasePriorityPrivilege	13248	dwm.exe
Token: SeShutdownPrivilege	13248	dwm.exe
Token: SeCreatePagefilePrivilege	13248	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 3632	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	84
PID 2720 wrote to memory of 3632	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	84
PID 2720 wrote to memory of 2408	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	85
PID 2720 wrote to memory of 2408	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	85
PID 2720 wrote to memory of 3608	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	86
PID 2720 wrote to memory of 3608	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	86
PID 2720 wrote to memory of 312	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	87
PID 2720 wrote to memory of 312	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	87
PID 2720 wrote to memory of 3348	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	88
PID 2720 wrote to memory of 3348	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	88
PID 2720 wrote to memory of 1908	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	89
PID 2720 wrote to memory of 1908	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	89
PID 2720 wrote to memory of 5044	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	90
PID 2720 wrote to memory of 5044	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	90
PID 2720 wrote to memory of 1572	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	91
PID 2720 wrote to memory of 1572	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	91
PID 2720 wrote to memory of 2212	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	92
PID 2720 wrote to memory of 2212	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	92
PID 2720 wrote to memory of 2456	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	93
PID 2720 wrote to memory of 2456	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	93
PID 2720 wrote to memory of 1564	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	94
PID 2720 wrote to memory of 1564	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	94
PID 2720 wrote to memory of 468	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	95
PID 2720 wrote to memory of 468	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	95
PID 2720 wrote to memory of 2424	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	96
PID 2720 wrote to memory of 2424	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	96
PID 2720 wrote to memory of 3832	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	97
PID 2720 wrote to memory of 3832	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	97
PID 2720 wrote to memory of 2332	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	98
PID 2720 wrote to memory of 2332	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	98
PID 2720 wrote to memory of 3120	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	99
PID 2720 wrote to memory of 3120	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	99
PID 2720 wrote to memory of 3944	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	100
PID 2720 wrote to memory of 3944	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	100
PID 2720 wrote to memory of 3200	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	101
PID 2720 wrote to memory of 3200	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	101
PID 2720 wrote to memory of 2648	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	102
PID 2720 wrote to memory of 2648	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	102
PID 2720 wrote to memory of 4528	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	103
PID 2720 wrote to memory of 4528	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	103
PID 2720 wrote to memory of 2284	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	104
PID 2720 wrote to memory of 2284	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	104
PID 2720 wrote to memory of 2644	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	105
PID 2720 wrote to memory of 2644	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	105
PID 2720 wrote to memory of 2196	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	106
PID 2720 wrote to memory of 2196	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	106
PID 2720 wrote to memory of 4592	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	107
PID 2720 wrote to memory of 4592	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	107
PID 2720 wrote to memory of 3648	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	108
PID 2720 wrote to memory of 3648	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	108
PID 2720 wrote to memory of 3520	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	109
PID 2720 wrote to memory of 3520	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	109
PID 2720 wrote to memory of 988	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	110
PID 2720 wrote to memory of 988	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	110
PID 2720 wrote to memory of 1244	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	111
PID 2720 wrote to memory of 1244	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	111
PID 2720 wrote to memory of 4428	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	112
PID 2720 wrote to memory of 4428	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	112
PID 2720 wrote to memory of 4152	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	113
PID 2720 wrote to memory of 4152	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	113
PID 2720 wrote to memory of 3128	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	114
PID 2720 wrote to memory of 3128	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	114
PID 2720 wrote to memory of 4524	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	115
PID 2720 wrote to memory of 4524	2720	037975276b03276fa28736c9faf4867f_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\037975276b03276fa28736c9faf4867f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\037975276b03276fa28736c9faf4867f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\System32\IXhYchL.exe
  C:\Windows\System32\IXhYchL.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\vYcnxMf.exe
  C:\Windows\System32\vYcnxMf.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System32\AxtHpHJ.exe
  C:\Windows\System32\AxtHpHJ.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System32\dVccWdX.exe
  C:\Windows\System32\dVccWdX.exe
  2⤵
  - Executes dropped EXE
  PID:312
- C:\Windows\System32\CtAKUmB.exe
  C:\Windows\System32\CtAKUmB.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System32\sxbYYcq.exe
  C:\Windows\System32\sxbYYcq.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System32\ImFwKur.exe
  C:\Windows\System32\ImFwKur.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System32\UUgSUbJ.exe
  C:\Windows\System32\UUgSUbJ.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\iGSbeve.exe
  C:\Windows\System32\iGSbeve.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System32\LZzlmmW.exe
  C:\Windows\System32\LZzlmmW.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System32\LgCoDzk.exe
  C:\Windows\System32\LgCoDzk.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System32\zLOtBTG.exe
  C:\Windows\System32\zLOtBTG.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System32\EyhdXSN.exe
  C:\Windows\System32\EyhdXSN.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System32\CFtWuse.exe
  C:\Windows\System32\CFtWuse.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System32\eUjaKrT.exe
  C:\Windows\System32\eUjaKrT.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System32\crUInQB.exe
  C:\Windows\System32\crUInQB.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System32\HBwuCuN.exe
  C:\Windows\System32\HBwuCuN.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\indMygp.exe
  C:\Windows\System32\indMygp.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System32\BqySSPX.exe
  C:\Windows\System32\BqySSPX.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\SMsaQYf.exe
  C:\Windows\System32\SMsaQYf.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\fJrWSip.exe
  C:\Windows\System32\fJrWSip.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System32\wFtHqTV.exe
  C:\Windows\System32\wFtHqTV.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System32\TdIKWeo.exe
  C:\Windows\System32\TdIKWeo.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System32\igfuwfM.exe
  C:\Windows\System32\igfuwfM.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System32\CUHgjDL.exe
  C:\Windows\System32\CUHgjDL.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System32\gCgmCUy.exe
  C:\Windows\System32\gCgmCUy.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System32\AlBpjRB.exe
  C:\Windows\System32\AlBpjRB.exe
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\System32\OrNzKJN.exe
  C:\Windows\System32\OrNzKJN.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System32\HyGhiUn.exe
  C:\Windows\System32\HyGhiUn.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System32\YFgZJlI.exe
  C:\Windows\System32\YFgZJlI.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System32\MbtMBQk.exe
  C:\Windows\System32\MbtMBQk.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System32\GXqwLBH.exe
  C:\Windows\System32\GXqwLBH.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\lptyfpZ.exe
  C:\Windows\System32\lptyfpZ.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\vzBnxCN.exe
  C:\Windows\System32\vzBnxCN.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\vztVRkx.exe
  C:\Windows\System32\vztVRkx.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System32\eKJNyHW.exe
  C:\Windows\System32\eKJNyHW.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\nIKcczO.exe
  C:\Windows\System32\nIKcczO.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System32\fLtCMua.exe
  C:\Windows\System32\fLtCMua.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\CxSGyEQ.exe
  C:\Windows\System32\CxSGyEQ.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\qPluwak.exe
  C:\Windows\System32\qPluwak.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System32\cqYyEtQ.exe
  C:\Windows\System32\cqYyEtQ.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System32\dagwjdQ.exe
  C:\Windows\System32\dagwjdQ.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System32\OIqiyoM.exe
  C:\Windows\System32\OIqiyoM.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\bhwRsxV.exe
  C:\Windows\System32\bhwRsxV.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System32\BxjbVVD.exe
  C:\Windows\System32\BxjbVVD.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System32\DlfuFFd.exe
  C:\Windows\System32\DlfuFFd.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\UwDAdaC.exe
  C:\Windows\System32\UwDAdaC.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\DIeSGIh.exe
  C:\Windows\System32\DIeSGIh.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\VBEIRug.exe
  C:\Windows\System32\VBEIRug.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\RVzbbnA.exe
  C:\Windows\System32\RVzbbnA.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\UtVAsui.exe
  C:\Windows\System32\UtVAsui.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\qMXxoVt.exe
  C:\Windows\System32\qMXxoVt.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System32\wugAAmR.exe
  C:\Windows\System32\wugAAmR.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\USYJpRb.exe
  C:\Windows\System32\USYJpRb.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System32\BcopzoR.exe
  C:\Windows\System32\BcopzoR.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\HTCetKk.exe
  C:\Windows\System32\HTCetKk.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\plbWPLf.exe
  C:\Windows\System32\plbWPLf.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\pNHMxvK.exe
  C:\Windows\System32\pNHMxvK.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\fjHuXdL.exe
  C:\Windows\System32\fjHuXdL.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\TZBuVWC.exe
  C:\Windows\System32\TZBuVWC.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System32\vwZGdoe.exe
  C:\Windows\System32\vwZGdoe.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\kTSKqeK.exe
  C:\Windows\System32\kTSKqeK.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System32\fVKiDGR.exe
  C:\Windows\System32\fVKiDGR.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\psvBlpq.exe
  C:\Windows\System32\psvBlpq.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System32\BJYNpRv.exe
  C:\Windows\System32\BJYNpRv.exe
  2⤵
  PID:4948
- C:\Windows\System32\KRluFLS.exe
  C:\Windows\System32\KRluFLS.exe
  2⤵
  PID:5100
- C:\Windows\System32\xKpboEW.exe
  C:\Windows\System32\xKpboEW.exe
  2⤵
  PID:400
- C:\Windows\System32\GMxohQF.exe
  C:\Windows\System32\GMxohQF.exe
  2⤵
  PID:4424
- C:\Windows\System32\SZDGxMy.exe
  C:\Windows\System32\SZDGxMy.exe
  2⤵
  PID:1952
- C:\Windows\System32\EPLyHFG.exe
  C:\Windows\System32\EPLyHFG.exe
  2⤵
  PID:1924
- C:\Windows\System32\CiMNDBw.exe
  C:\Windows\System32\CiMNDBw.exe
  2⤵
  PID:2360
- C:\Windows\System32\hgclxlN.exe
  C:\Windows\System32\hgclxlN.exe
  2⤵
  PID:3036
- C:\Windows\System32\dxCsxYT.exe
  C:\Windows\System32\dxCsxYT.exe
  2⤵
  PID:4856
- C:\Windows\System32\TQGtNJi.exe
  C:\Windows\System32\TQGtNJi.exe
  2⤵
  PID:4044
- C:\Windows\System32\bGETOHf.exe
  C:\Windows\System32\bGETOHf.exe
  2⤵
  PID:4296
- C:\Windows\System32\EnRuSXm.exe
  C:\Windows\System32\EnRuSXm.exe
  2⤵
  PID:540
- C:\Windows\System32\JfNtnmA.exe
  C:\Windows\System32\JfNtnmA.exe
  2⤵
  PID:3736
- C:\Windows\System32\ADKsErw.exe
  C:\Windows\System32\ADKsErw.exe
  2⤵
  PID:2524
- C:\Windows\System32\pbpNtHf.exe
  C:\Windows\System32\pbpNtHf.exe
  2⤵
  PID:2976
- C:\Windows\System32\djdNyDe.exe
  C:\Windows\System32\djdNyDe.exe
  2⤵
  PID:3784
- C:\Windows\System32\jdPJUra.exe
  C:\Windows\System32\jdPJUra.exe
  2⤵
  PID:2028
- C:\Windows\System32\ZVzZSnZ.exe
  C:\Windows\System32\ZVzZSnZ.exe
  2⤵
  PID:3768
- C:\Windows\System32\AullDND.exe
  C:\Windows\System32\AullDND.exe
  2⤵
  PID:8
- C:\Windows\System32\lULAcdE.exe
  C:\Windows\System32\lULAcdE.exe
  2⤵
  PID:3892
- C:\Windows\System32\WFSjKOW.exe
  C:\Windows\System32\WFSjKOW.exe
  2⤵
  PID:4872
- C:\Windows\System32\ISuDtFS.exe
  C:\Windows\System32\ISuDtFS.exe
  2⤵
  PID:1488
- C:\Windows\System32\mtInDjT.exe
  C:\Windows\System32\mtInDjT.exe
  2⤵
  PID:3552
- C:\Windows\System32\ftIPZUd.exe
  C:\Windows\System32\ftIPZUd.exe
  2⤵
  PID:5028
- C:\Windows\System32\mytBqWq.exe
  C:\Windows\System32\mytBqWq.exe
  2⤵
  PID:3272
- C:\Windows\System32\dAEYePp.exe
  C:\Windows\System32\dAEYePp.exe
  2⤵
  PID:1504
- C:\Windows\System32\wOerURL.exe
  C:\Windows\System32\wOerURL.exe
  2⤵
  PID:2016
- C:\Windows\System32\IdqgUYL.exe
  C:\Windows\System32\IdqgUYL.exe
  2⤵
  PID:3536
- C:\Windows\System32\AMvOuoj.exe
  C:\Windows\System32\AMvOuoj.exe
  2⤵
  PID:2460
- C:\Windows\System32\eaiLlSX.exe
  C:\Windows\System32\eaiLlSX.exe
  2⤵
  PID:816
- C:\Windows\System32\Lxnnwgh.exe
  C:\Windows\System32\Lxnnwgh.exe
  2⤵
  PID:3304
- C:\Windows\System32\GrHhZzE.exe
  C:\Windows\System32\GrHhZzE.exe
  2⤵
  PID:1240
- C:\Windows\System32\jKnOGAl.exe
  C:\Windows\System32\jKnOGAl.exe
  2⤵
  PID:3976
- C:\Windows\System32\kcquIbM.exe
  C:\Windows\System32\kcquIbM.exe
  2⤵
  PID:888
- C:\Windows\System32\WEhiGCD.exe
  C:\Windows\System32\WEhiGCD.exe
  2⤵
  PID:1608
- C:\Windows\System32\ggdqbVT.exe
  C:\Windows\System32\ggdqbVT.exe
  2⤵
  PID:972
- C:\Windows\System32\zeeTxvi.exe
  C:\Windows\System32\zeeTxvi.exe
  2⤵
  PID:3968
- C:\Windows\System32\oQgUFcT.exe
  C:\Windows\System32\oQgUFcT.exe
  2⤵
  PID:4316
- C:\Windows\System32\oehghyi.exe
  C:\Windows\System32\oehghyi.exe
  2⤵
  PID:5124
- C:\Windows\System32\NPVyjNU.exe
  C:\Windows\System32\NPVyjNU.exe
  2⤵
  PID:5144
- C:\Windows\System32\FuJtxRL.exe
  C:\Windows\System32\FuJtxRL.exe
  2⤵
  PID:5164
- C:\Windows\System32\JYZPKEj.exe
  C:\Windows\System32\JYZPKEj.exe
  2⤵
  PID:5184
- C:\Windows\System32\RcOMxDy.exe
  C:\Windows\System32\RcOMxDy.exe
  2⤵
  PID:5236
- C:\Windows\System32\DpQIpUb.exe
  C:\Windows\System32\DpQIpUb.exe
  2⤵
  PID:5252
- C:\Windows\System32\sFbzASv.exe
  C:\Windows\System32\sFbzASv.exe
  2⤵
  PID:5268
- C:\Windows\System32\zkkBbCj.exe
  C:\Windows\System32\zkkBbCj.exe
  2⤵
  PID:5284
- C:\Windows\System32\jaUvtFi.exe
  C:\Windows\System32\jaUvtFi.exe
  2⤵
  PID:5304
- C:\Windows\System32\rCVldSJ.exe
  C:\Windows\System32\rCVldSJ.exe
  2⤵
  PID:5324
- C:\Windows\System32\mcquXOx.exe
  C:\Windows\System32\mcquXOx.exe
  2⤵
  PID:5376
- C:\Windows\System32\KjZcmXB.exe
  C:\Windows\System32\KjZcmXB.exe
  2⤵
  PID:5464
- C:\Windows\System32\MhsILBf.exe
  C:\Windows\System32\MhsILBf.exe
  2⤵
  PID:5544
- C:\Windows\System32\ZDpuirJ.exe
  C:\Windows\System32\ZDpuirJ.exe
  2⤵
  PID:5560
- C:\Windows\System32\GQlTUCF.exe
  C:\Windows\System32\GQlTUCF.exe
  2⤵
  PID:5608
- C:\Windows\System32\AVcmVYQ.exe
  C:\Windows\System32\AVcmVYQ.exe
  2⤵
  PID:5624
- C:\Windows\System32\KIhjrjF.exe
  C:\Windows\System32\KIhjrjF.exe
  2⤵
  PID:5648
- C:\Windows\System32\BsXPMMC.exe
  C:\Windows\System32\BsXPMMC.exe
  2⤵
  PID:5676
- C:\Windows\System32\HoBxiVA.exe
  C:\Windows\System32\HoBxiVA.exe
  2⤵
  PID:5696
- C:\Windows\System32\FVVgZGn.exe
  C:\Windows\System32\FVVgZGn.exe
  2⤵
  PID:5712
- C:\Windows\System32\aVCmYEQ.exe
  C:\Windows\System32\aVCmYEQ.exe
  2⤵
  PID:5736
- C:\Windows\System32\TpfpCzy.exe
  C:\Windows\System32\TpfpCzy.exe
  2⤵
  PID:5788
- C:\Windows\System32\NSvTkwv.exe
  C:\Windows\System32\NSvTkwv.exe
  2⤵
  PID:5804
- C:\Windows\System32\FihdJxu.exe
  C:\Windows\System32\FihdJxu.exe
  2⤵
  PID:5820
- C:\Windows\System32\JKzZnjl.exe
  C:\Windows\System32\JKzZnjl.exe
  2⤵
  PID:5856
- C:\Windows\System32\MWmIDuS.exe
  C:\Windows\System32\MWmIDuS.exe
  2⤵
  PID:5876
- C:\Windows\System32\PYtUOoT.exe
  C:\Windows\System32\PYtUOoT.exe
  2⤵
  PID:5904
- C:\Windows\System32\gTSTWlD.exe
  C:\Windows\System32\gTSTWlD.exe
  2⤵
  PID:5952
- C:\Windows\System32\RzZYTqs.exe
  C:\Windows\System32\RzZYTqs.exe
  2⤵
  PID:5968
- C:\Windows\System32\EFEYPXi.exe
  C:\Windows\System32\EFEYPXi.exe
  2⤵
  PID:6012
- C:\Windows\System32\VBFQTMJ.exe
  C:\Windows\System32\VBFQTMJ.exe
  2⤵
  PID:6036
- C:\Windows\System32\tXZPxDD.exe
  C:\Windows\System32\tXZPxDD.exe
  2⤵
  PID:6068
- C:\Windows\System32\ScwtGRo.exe
  C:\Windows\System32\ScwtGRo.exe
  2⤵
  PID:6108
- C:\Windows\System32\tBMJOhi.exe
  C:\Windows\System32\tBMJOhi.exe
  2⤵
  PID:6128
- C:\Windows\System32\RJvMZWE.exe
  C:\Windows\System32\RJvMZWE.exe
  2⤵
  PID:2688
- C:\Windows\System32\CgEOcSU.exe
  C:\Windows\System32\CgEOcSU.exe
  2⤵
  PID:5156
- C:\Windows\System32\pRXQqkJ.exe
  C:\Windows\System32\pRXQqkJ.exe
  2⤵
  PID:5320
- C:\Windows\System32\ysmvhMS.exe
  C:\Windows\System32\ysmvhMS.exe
  2⤵
  PID:5312
- C:\Windows\System32\lkFFsEZ.exe
  C:\Windows\System32\lkFFsEZ.exe
  2⤵
  PID:5264
- C:\Windows\System32\SbIeqVw.exe
  C:\Windows\System32\SbIeqVw.exe
  2⤵
  PID:5332
- C:\Windows\System32\xgAkmuq.exe
  C:\Windows\System32\xgAkmuq.exe
  2⤵
  PID:1140
- C:\Windows\System32\prpTFEV.exe
  C:\Windows\System32\prpTFEV.exe
  2⤵
  PID:2020
- C:\Windows\System32\wvELYna.exe
  C:\Windows\System32\wvELYna.exe
  2⤵
  PID:5132
- C:\Windows\System32\jEhWqkP.exe
  C:\Windows\System32\jEhWqkP.exe
  2⤵
  PID:5488
- C:\Windows\System32\eyYtQRp.exe
  C:\Windows\System32\eyYtQRp.exe
  2⤵
  PID:4384
- C:\Windows\System32\QtQsonI.exe
  C:\Windows\System32\QtQsonI.exe
  2⤵
  PID:5640
- C:\Windows\System32\XRQYmVu.exe
  C:\Windows\System32\XRQYmVu.exe
  2⤵
  PID:5704
- C:\Windows\System32\UEQjqQg.exe
  C:\Windows\System32\UEQjqQg.exe
  2⤵
  PID:5752
- C:\Windows\System32\COuCLYd.exe
  C:\Windows\System32\COuCLYd.exe
  2⤵
  PID:5796
- C:\Windows\System32\GvpwnTQ.exe
  C:\Windows\System32\GvpwnTQ.exe
  2⤵
  PID:5864
- C:\Windows\System32\imbdfqJ.exe
  C:\Windows\System32\imbdfqJ.exe
  2⤵
  PID:5892
- C:\Windows\System32\sVhjeNl.exe
  C:\Windows\System32\sVhjeNl.exe
  2⤵
  PID:5996
- C:\Windows\System32\PCnKUXr.exe
  C:\Windows\System32\PCnKUXr.exe
  2⤵
  PID:6004
- C:\Windows\System32\ubUJoat.exe
  C:\Windows\System32\ubUJoat.exe
  2⤵
  PID:6044
- C:\Windows\System32\zmkDLZh.exe
  C:\Windows\System32\zmkDLZh.exe
  2⤵
  PID:4012
- C:\Windows\System32\VtaIHHV.exe
  C:\Windows\System32\VtaIHHV.exe
  2⤵
  PID:5248
- C:\Windows\System32\ygiglxh.exe
  C:\Windows\System32\ygiglxh.exe
  2⤵
  PID:2900
- C:\Windows\System32\cQbXHez.exe
  C:\Windows\System32\cQbXHez.exe
  2⤵
  PID:848
- C:\Windows\System32\dwmFswJ.exe
  C:\Windows\System32\dwmFswJ.exe
  2⤵
  PID:5440
- C:\Windows\System32\LKbTvqB.exe
  C:\Windows\System32\LKbTvqB.exe
  2⤵
  PID:5600
- C:\Windows\System32\DtFvACO.exe
  C:\Windows\System32\DtFvACO.exe
  2⤵
  PID:5632
- C:\Windows\System32\DQSZOUU.exe
  C:\Windows\System32\DQSZOUU.exe
  2⤵
  PID:5760
- C:\Windows\System32\VgfkzGo.exe
  C:\Windows\System32\VgfkzGo.exe
  2⤵
  PID:5872
- C:\Windows\System32\Njtcgmb.exe
  C:\Windows\System32\Njtcgmb.exe
  2⤵
  PID:5140
- C:\Windows\System32\tWuKcvM.exe
  C:\Windows\System32\tWuKcvM.exe
  2⤵
  PID:5776
- C:\Windows\System32\eYxWaaT.exe
  C:\Windows\System32\eYxWaaT.exe
  2⤵
  PID:6048
- C:\Windows\System32\wXPzhNu.exe
  C:\Windows\System32\wXPzhNu.exe
  2⤵
  PID:5568
- C:\Windows\System32\GNFKWAL.exe
  C:\Windows\System32\GNFKWAL.exe
  2⤵
  PID:4480
- C:\Windows\System32\aNnIZjv.exe
  C:\Windows\System32\aNnIZjv.exe
  2⤵
  PID:6164
- C:\Windows\System32\fgmqoSo.exe
  C:\Windows\System32\fgmqoSo.exe
  2⤵
  PID:6180
- C:\Windows\System32\NCzQrdw.exe
  C:\Windows\System32\NCzQrdw.exe
  2⤵
  PID:6200
- C:\Windows\System32\wsLMETC.exe
  C:\Windows\System32\wsLMETC.exe
  2⤵
  PID:6224
- C:\Windows\System32\zSyqslF.exe
  C:\Windows\System32\zSyqslF.exe
  2⤵
  PID:6252
- C:\Windows\System32\KBDilia.exe
  C:\Windows\System32\KBDilia.exe
  2⤵
  PID:6268
- C:\Windows\System32\fVGkZXG.exe
  C:\Windows\System32\fVGkZXG.exe
  2⤵
  PID:6292
- C:\Windows\System32\pKHCpug.exe
  C:\Windows\System32\pKHCpug.exe
  2⤵
  PID:6308
- C:\Windows\System32\zZyNzKO.exe
  C:\Windows\System32\zZyNzKO.exe
  2⤵
  PID:6328
- C:\Windows\System32\EDkeGtN.exe
  C:\Windows\System32\EDkeGtN.exe
  2⤵
  PID:6352
- C:\Windows\System32\HyFDNvb.exe
  C:\Windows\System32\HyFDNvb.exe
  2⤵
  PID:6368
- C:\Windows\System32\FqdVoeJ.exe
  C:\Windows\System32\FqdVoeJ.exe
  2⤵
  PID:6452
- C:\Windows\System32\IvMEqTR.exe
  C:\Windows\System32\IvMEqTR.exe
  2⤵
  PID:6508
- C:\Windows\System32\eODlAJG.exe
  C:\Windows\System32\eODlAJG.exe
  2⤵
  PID:6532
- C:\Windows\System32\WNAiqXB.exe
  C:\Windows\System32\WNAiqXB.exe
  2⤵
  PID:6560
- C:\Windows\System32\UFfiyuS.exe
  C:\Windows\System32\UFfiyuS.exe
  2⤵
  PID:6600
- C:\Windows\System32\okkMlZf.exe
  C:\Windows\System32\okkMlZf.exe
  2⤵
  PID:6640
- C:\Windows\System32\gbiTqfl.exe
  C:\Windows\System32\gbiTqfl.exe
  2⤵
  PID:6656
- C:\Windows\System32\eoDevaq.exe
  C:\Windows\System32\eoDevaq.exe
  2⤵
  PID:6672
- C:\Windows\System32\quNoisb.exe
  C:\Windows\System32\quNoisb.exe
  2⤵
  PID:6700
- C:\Windows\System32\IgdWGAV.exe
  C:\Windows\System32\IgdWGAV.exe
  2⤵
  PID:6724
- C:\Windows\System32\qUoJOwg.exe
  C:\Windows\System32\qUoJOwg.exe
  2⤵
  PID:6760
- C:\Windows\System32\RFbDpEz.exe
  C:\Windows\System32\RFbDpEz.exe
  2⤵
  PID:6808
- C:\Windows\System32\xxfIndk.exe
  C:\Windows\System32\xxfIndk.exe
  2⤵
  PID:6828
- C:\Windows\System32\oAdqfHN.exe
  C:\Windows\System32\oAdqfHN.exe
  2⤵
  PID:6844
- C:\Windows\System32\HIMsniu.exe
  C:\Windows\System32\HIMsniu.exe
  2⤵
  PID:6880
- C:\Windows\System32\OSzbdOt.exe
  C:\Windows\System32\OSzbdOt.exe
  2⤵
  PID:6908
- C:\Windows\System32\fNlAKZv.exe
  C:\Windows\System32\fNlAKZv.exe
  2⤵
  PID:6924
- C:\Windows\System32\OQucHZv.exe
  C:\Windows\System32\OQucHZv.exe
  2⤵
  PID:6948
- C:\Windows\System32\TRXGcHB.exe
  C:\Windows\System32\TRXGcHB.exe
  2⤵
  PID:6968
- C:\Windows\System32\GceEtkF.exe
  C:\Windows\System32\GceEtkF.exe
  2⤵
  PID:6992
- C:\Windows\System32\LIerAhE.exe
  C:\Windows\System32\LIerAhE.exe
  2⤵
  PID:7036
- C:\Windows\System32\dMNOeQg.exe
  C:\Windows\System32\dMNOeQg.exe
  2⤵
  PID:7092
- C:\Windows\System32\dkNWUwJ.exe
  C:\Windows\System32\dkNWUwJ.exe
  2⤵
  PID:7112
- C:\Windows\System32\LJNHNcQ.exe
  C:\Windows\System32\LJNHNcQ.exe
  2⤵
  PID:7136
- C:\Windows\System32\ZhHeOdV.exe
  C:\Windows\System32\ZhHeOdV.exe
  2⤵
  PID:7156
- C:\Windows\System32\ZANvCWt.exe
  C:\Windows\System32\ZANvCWt.exe
  2⤵
  PID:6188
- C:\Windows\System32\DUtGlzh.exe
  C:\Windows\System32\DUtGlzh.exe
  2⤵
  PID:6192
- C:\Windows\System32\avmpCUb.exe
  C:\Windows\System32\avmpCUb.exe
  2⤵
  PID:6264
- C:\Windows\System32\HGSJwIO.exe
  C:\Windows\System32\HGSJwIO.exe
  2⤵
  PID:6340
- C:\Windows\System32\GqWbyMt.exe
  C:\Windows\System32\GqWbyMt.exe
  2⤵
  PID:6440
- C:\Windows\System32\EtiQRdb.exe
  C:\Windows\System32\EtiQRdb.exe
  2⤵
  PID:6412
- C:\Windows\System32\bNWgkxm.exe
  C:\Windows\System32\bNWgkxm.exe
  2⤵
  PID:6476
- C:\Windows\System32\RkkKaHt.exe
  C:\Windows\System32\RkkKaHt.exe
  2⤵
  PID:6568
- C:\Windows\System32\yeJpxuu.exe
  C:\Windows\System32\yeJpxuu.exe
  2⤵
  PID:6744
- C:\Windows\System32\QJpPsRg.exe
  C:\Windows\System32\QJpPsRg.exe
  2⤵
  PID:6784
- C:\Windows\System32\TQoFrOo.exe
  C:\Windows\System32\TQoFrOo.exe
  2⤵
  PID:6816
- C:\Windows\System32\qbUrPhn.exe
  C:\Windows\System32\qbUrPhn.exe
  2⤵
  PID:6896
- C:\Windows\System32\gjbHGnw.exe
  C:\Windows\System32\gjbHGnw.exe
  2⤵
  PID:6984
- C:\Windows\System32\pKoEXVq.exe
  C:\Windows\System32\pKoEXVq.exe
  2⤵
  PID:7024
- C:\Windows\System32\NEEqRJR.exe
  C:\Windows\System32\NEEqRJR.exe
  2⤵
  PID:7104
- C:\Windows\System32\ELHZUsr.exe
  C:\Windows\System32\ELHZUsr.exe
  2⤵
  PID:7148
- C:\Windows\System32\VejFJGF.exe
  C:\Windows\System32\VejFJGF.exe
  2⤵
  PID:6280
- C:\Windows\System32\ZEnDLQU.exe
  C:\Windows\System32\ZEnDLQU.exe
  2⤵
  PID:6360
- C:\Windows\System32\ntTbsos.exe
  C:\Windows\System32\ntTbsos.exe
  2⤵
  PID:6584
- C:\Windows\System32\ZbnZKLc.exe
  C:\Windows\System32\ZbnZKLc.exe
  2⤵
  PID:6680
- C:\Windows\System32\LyIWaDv.exe
  C:\Windows\System32\LyIWaDv.exe
  2⤵
  PID:6856
- C:\Windows\System32\uiVEzTR.exe
  C:\Windows\System32\uiVEzTR.exe
  2⤵
  PID:6920
- C:\Windows\System32\ymyJJzX.exe
  C:\Windows\System32\ymyJJzX.exe
  2⤵
  PID:7044
- C:\Windows\System32\sQUAWgP.exe
  C:\Windows\System32\sQUAWgP.exe
  2⤵
  PID:6392
- C:\Windows\System32\orhCxJi.exe
  C:\Windows\System32\orhCxJi.exe
  2⤵
  PID:6624
- C:\Windows\System32\BdMMytn.exe
  C:\Windows\System32\BdMMytn.exe
  2⤵
  PID:6888
- C:\Windows\System32\vzecwFM.exe
  C:\Windows\System32\vzecwFM.exe
  2⤵
  PID:7192
- C:\Windows\System32\XbkqqGl.exe
  C:\Windows\System32\XbkqqGl.exe
  2⤵
  PID:7228
- C:\Windows\System32\KOvgdyV.exe
  C:\Windows\System32\KOvgdyV.exe
  2⤵
  PID:7248
- C:\Windows\System32\YkeHdBF.exe
  C:\Windows\System32\YkeHdBF.exe
  2⤵
  PID:7268
- C:\Windows\System32\dzOeryj.exe
  C:\Windows\System32\dzOeryj.exe
  2⤵
  PID:7288
- C:\Windows\System32\ejUicAg.exe
  C:\Windows\System32\ejUicAg.exe
  2⤵
  PID:7328
- C:\Windows\System32\AZxzJlU.exe
  C:\Windows\System32\AZxzJlU.exe
  2⤵
  PID:7388
- C:\Windows\System32\sLxEGUN.exe
  C:\Windows\System32\sLxEGUN.exe
  2⤵
  PID:7424
- C:\Windows\System32\pIHNFMy.exe
  C:\Windows\System32\pIHNFMy.exe
  2⤵
  PID:7444
- C:\Windows\System32\ilomEmc.exe
  C:\Windows\System32\ilomEmc.exe
  2⤵
  PID:7464
- C:\Windows\System32\VdILPGG.exe
  C:\Windows\System32\VdILPGG.exe
  2⤵
  PID:7488
- C:\Windows\System32\tqOapjU.exe
  C:\Windows\System32\tqOapjU.exe
  2⤵
  PID:7512
- C:\Windows\System32\jIAZvHj.exe
  C:\Windows\System32\jIAZvHj.exe
  2⤵
  PID:7548
- C:\Windows\System32\eqIcRRq.exe
  C:\Windows\System32\eqIcRRq.exe
  2⤵
  PID:7572
- C:\Windows\System32\DkctUWw.exe
  C:\Windows\System32\DkctUWw.exe
  2⤵
  PID:7588
- C:\Windows\System32\RLbcIUH.exe
  C:\Windows\System32\RLbcIUH.exe
  2⤵
  PID:7620
- C:\Windows\System32\ZENHSZF.exe
  C:\Windows\System32\ZENHSZF.exe
  2⤵
  PID:7644
- C:\Windows\System32\ptxQrdX.exe
  C:\Windows\System32\ptxQrdX.exe
  2⤵
  PID:7696
- C:\Windows\System32\EHqrLxX.exe
  C:\Windows\System32\EHqrLxX.exe
  2⤵
  PID:7720
- C:\Windows\System32\ZLzwgoo.exe
  C:\Windows\System32\ZLzwgoo.exe
  2⤵
  PID:7740
- C:\Windows\System32\FqgRXLn.exe
  C:\Windows\System32\FqgRXLn.exe
  2⤵
  PID:7768
- C:\Windows\System32\zcLGnPv.exe
  C:\Windows\System32\zcLGnPv.exe
  2⤵
  PID:7784
- C:\Windows\System32\sVpqTNh.exe
  C:\Windows\System32\sVpqTNh.exe
  2⤵
  PID:7804
- C:\Windows\System32\yDmbyxf.exe
  C:\Windows\System32\yDmbyxf.exe
  2⤵
  PID:7872
- C:\Windows\System32\UpywKoS.exe
  C:\Windows\System32\UpywKoS.exe
  2⤵
  PID:7900
- C:\Windows\System32\EuLbNTo.exe
  C:\Windows\System32\EuLbNTo.exe
  2⤵
  PID:7916
- C:\Windows\System32\tdsOcmG.exe
  C:\Windows\System32\tdsOcmG.exe
  2⤵
  PID:7940
- C:\Windows\System32\KJqOmlP.exe
  C:\Windows\System32\KJqOmlP.exe
  2⤵
  PID:7988
- C:\Windows\System32\ziVukeE.exe
  C:\Windows\System32\ziVukeE.exe
  2⤵
  PID:8016
- C:\Windows\System32\GVmfprr.exe
  C:\Windows\System32\GVmfprr.exe
  2⤵
  PID:8032
- C:\Windows\System32\jGiizEL.exe
  C:\Windows\System32\jGiizEL.exe
  2⤵
  PID:8060
- C:\Windows\System32\AimsWnm.exe
  C:\Windows\System32\AimsWnm.exe
  2⤵
  PID:8088
- C:\Windows\System32\DwfXbyB.exe
  C:\Windows\System32\DwfXbyB.exe
  2⤵
  PID:8128
- C:\Windows\System32\PIEmJXx.exe
  C:\Windows\System32\PIEmJXx.exe
  2⤵
  PID:8152
- C:\Windows\System32\oPXKjih.exe
  C:\Windows\System32\oPXKjih.exe
  2⤵
  PID:8168
- C:\Windows\System32\cptZBNs.exe
  C:\Windows\System32\cptZBNs.exe
  2⤵
  PID:8188
- C:\Windows\System32\wygynqo.exe
  C:\Windows\System32\wygynqo.exe
  2⤵
  PID:6152
- C:\Windows\System32\dFdeBkN.exe
  C:\Windows\System32\dFdeBkN.exe
  2⤵
  PID:7224
- C:\Windows\System32\yRfMhKQ.exe
  C:\Windows\System32\yRfMhKQ.exe
  2⤵
  PID:7276
- C:\Windows\System32\QcdfGEK.exe
  C:\Windows\System32\QcdfGEK.exe
  2⤵
  PID:7368
- C:\Windows\System32\QZqNLBH.exe
  C:\Windows\System32\QZqNLBH.exe
  2⤵
  PID:7412
- C:\Windows\System32\iFglCNP.exe
  C:\Windows\System32\iFglCNP.exe
  2⤵
  PID:7440
- C:\Windows\System32\QywRJwq.exe
  C:\Windows\System32\QywRJwq.exe
  2⤵
  PID:7524
- C:\Windows\System32\pfuvWHP.exe
  C:\Windows\System32\pfuvWHP.exe
  2⤵
  PID:7676
- C:\Windows\System32\aFjEGkl.exe
  C:\Windows\System32\aFjEGkl.exe
  2⤵
  PID:7704
- C:\Windows\System32\HHmRtGh.exe
  C:\Windows\System32\HHmRtGh.exe
  2⤵
  PID:7764
- C:\Windows\System32\PoCzGEE.exe
  C:\Windows\System32\PoCzGEE.exe
  2⤵
  PID:7780
- C:\Windows\System32\pGFerlz.exe
  C:\Windows\System32\pGFerlz.exe
  2⤵
  PID:7860
- C:\Windows\System32\wEiHCiu.exe
  C:\Windows\System32\wEiHCiu.exe
  2⤵
  PID:7972
- C:\Windows\System32\eRIJdHy.exe
  C:\Windows\System32\eRIJdHy.exe
  2⤵
  PID:8048
- C:\Windows\System32\EwOoAqn.exe
  C:\Windows\System32\EwOoAqn.exe
  2⤵
  PID:8116
- C:\Windows\System32\QHiTRgf.exe
  C:\Windows\System32\QHiTRgf.exe
  2⤵
  PID:8176
- C:\Windows\System32\yetDPeP.exe
  C:\Windows\System32\yetDPeP.exe
  2⤵
  PID:3556
- C:\Windows\System32\cvVovtp.exe
  C:\Windows\System32\cvVovtp.exe
  2⤵
  PID:7176
- C:\Windows\System32\OmWVsnw.exe
  C:\Windows\System32\OmWVsnw.exe
  2⤵
  PID:7280
- C:\Windows\System32\VNnbDsu.exe
  C:\Windows\System32\VNnbDsu.exe
  2⤵
  PID:7480
- C:\Windows\System32\rvdgDsH.exe
  C:\Windows\System32\rvdgDsH.exe
  2⤵
  PID:7688
- C:\Windows\System32\uRfcCSw.exe
  C:\Windows\System32\uRfcCSw.exe
  2⤵
  PID:7912
- C:\Windows\System32\lLrSJbC.exe
  C:\Windows\System32\lLrSJbC.exe
  2⤵
  PID:7936
- C:\Windows\System32\tGymfOh.exe
  C:\Windows\System32\tGymfOh.exe
  2⤵
  PID:8108
- C:\Windows\System32\JNyrYvU.exe
  C:\Windows\System32\JNyrYvU.exe
  2⤵
  PID:7308
- C:\Windows\System32\uzQbLWj.exe
  C:\Windows\System32\uzQbLWj.exe
  2⤵
  PID:7336
- C:\Windows\System32\DCdmwDj.exe
  C:\Windows\System32\DCdmwDj.exe
  2⤵
  PID:8080
- C:\Windows\System32\vabvXqI.exe
  C:\Windows\System32\vabvXqI.exe
  2⤵
  PID:8220
- C:\Windows\System32\uskompf.exe
  C:\Windows\System32\uskompf.exe
  2⤵
  PID:8240
- C:\Windows\System32\axQIrvl.exe
  C:\Windows\System32\axQIrvl.exe
  2⤵
  PID:8264
- C:\Windows\System32\ZLuWvTw.exe
  C:\Windows\System32\ZLuWvTw.exe
  2⤵
  PID:8292
- C:\Windows\System32\ODfcpwi.exe
  C:\Windows\System32\ODfcpwi.exe
  2⤵
  PID:8340
- C:\Windows\System32\XcaqXRA.exe
  C:\Windows\System32\XcaqXRA.exe
  2⤵
  PID:8360
- C:\Windows\System32\chmQqFG.exe
  C:\Windows\System32\chmQqFG.exe
  2⤵
  PID:8384
- C:\Windows\System32\pFCgCtu.exe
  C:\Windows\System32\pFCgCtu.exe
  2⤵
  PID:8404
- C:\Windows\System32\EiajHIJ.exe
  C:\Windows\System32\EiajHIJ.exe
  2⤵
  PID:8428
- C:\Windows\System32\bpWtvkd.exe
  C:\Windows\System32\bpWtvkd.exe
  2⤵
  PID:8444
- C:\Windows\System32\aHhSBRC.exe
  C:\Windows\System32\aHhSBRC.exe
  2⤵
  PID:8468
- C:\Windows\System32\xJamILc.exe
  C:\Windows\System32\xJamILc.exe
  2⤵
  PID:8484
- C:\Windows\System32\lnFofdf.exe
  C:\Windows\System32\lnFofdf.exe
  2⤵
  PID:8508
- C:\Windows\System32\FLcgtZE.exe
  C:\Windows\System32\FLcgtZE.exe
  2⤵
  PID:8556
- C:\Windows\System32\QkhBKsD.exe
  C:\Windows\System32\QkhBKsD.exe
  2⤵
  PID:8624
- C:\Windows\System32\yPNQEWU.exe
  C:\Windows\System32\yPNQEWU.exe
  2⤵
  PID:8640
- C:\Windows\System32\rBnkdlq.exe
  C:\Windows\System32\rBnkdlq.exe
  2⤵
  PID:8664
- C:\Windows\System32\MNMoYLx.exe
  C:\Windows\System32\MNMoYLx.exe
  2⤵
  PID:8684
- C:\Windows\System32\ZlmsVCV.exe
  C:\Windows\System32\ZlmsVCV.exe
  2⤵
  PID:8700
- C:\Windows\System32\HqAjhSl.exe
  C:\Windows\System32\HqAjhSl.exe
  2⤵
  PID:8728
- C:\Windows\System32\yJhQRJT.exe
  C:\Windows\System32\yJhQRJT.exe
  2⤵
  PID:8768
- C:\Windows\System32\QYfWMmx.exe
  C:\Windows\System32\QYfWMmx.exe
  2⤵
  PID:8788
- C:\Windows\System32\KpCbFqf.exe
  C:\Windows\System32\KpCbFqf.exe
  2⤵
  PID:8808
- C:\Windows\System32\JQjWbGQ.exe
  C:\Windows\System32\JQjWbGQ.exe
  2⤵
  PID:8844
- C:\Windows\System32\BGvWygw.exe
  C:\Windows\System32\BGvWygw.exe
  2⤵
  PID:8888
- C:\Windows\System32\PjzJGog.exe
  C:\Windows\System32\PjzJGog.exe
  2⤵
  PID:8924
- C:\Windows\System32\iMDSXvN.exe
  C:\Windows\System32\iMDSXvN.exe
  2⤵
  PID:8952
- C:\Windows\System32\MGSetXG.exe
  C:\Windows\System32\MGSetXG.exe
  2⤵
  PID:9048
- C:\Windows\System32\eBtPbID.exe
  C:\Windows\System32\eBtPbID.exe
  2⤵
  PID:9064
- C:\Windows\System32\RCGDXkn.exe
  C:\Windows\System32\RCGDXkn.exe
  2⤵
  PID:9080
- C:\Windows\System32\prZGDVy.exe
  C:\Windows\System32\prZGDVy.exe
  2⤵
  PID:9096
- C:\Windows\System32\QTfLGYm.exe
  C:\Windows\System32\QTfLGYm.exe
  2⤵
  PID:9112
- C:\Windows\System32\rnZQVuh.exe
  C:\Windows\System32\rnZQVuh.exe
  2⤵
  PID:9204
- C:\Windows\System32\NvlVstJ.exe
  C:\Windows\System32\NvlVstJ.exe
  2⤵
  PID:7652
- C:\Windows\System32\xkNiWmz.exe
  C:\Windows\System32\xkNiWmz.exe
  2⤵
  PID:8100
- C:\Windows\System32\iysacOH.exe
  C:\Windows\System32\iysacOH.exe
  2⤵
  PID:8252
- C:\Windows\System32\wRzfwyv.exe
  C:\Windows\System32\wRzfwyv.exe
  2⤵
  PID:8236
- C:\Windows\System32\AzDOafF.exe
  C:\Windows\System32\AzDOafF.exe
  2⤵
  PID:8272
- C:\Windows\System32\ajfQGTM.exe
  C:\Windows\System32\ajfQGTM.exe
  2⤵
  PID:8312
- C:\Windows\System32\kljUXeq.exe
  C:\Windows\System32\kljUXeq.exe
  2⤵
  PID:8368
- C:\Windows\System32\sxVgHkK.exe
  C:\Windows\System32\sxVgHkK.exe
  2⤵
  PID:8420
- C:\Windows\System32\CRcFbCC.exe
  C:\Windows\System32\CRcFbCC.exe
  2⤵
  PID:8440
- C:\Windows\System32\kYoeUJG.exe
  C:\Windows\System32\kYoeUJG.exe
  2⤵
  PID:8452
- C:\Windows\System32\eiChoDd.exe
  C:\Windows\System32\eiChoDd.exe
  2⤵
  PID:8552
- C:\Windows\System32\yDQlJll.exe
  C:\Windows\System32\yDQlJll.exe
  2⤵
  PID:8856
- C:\Windows\System32\PGdBQlR.exe
  C:\Windows\System32\PGdBQlR.exe
  2⤵
  PID:9088
- C:\Windows\System32\JkZSfti.exe
  C:\Windows\System32\JkZSfti.exe
  2⤵
  PID:9132
- C:\Windows\System32\UMZwieY.exe
  C:\Windows\System32\UMZwieY.exe
  2⤵
  PID:9072
- C:\Windows\System32\cEFPurG.exe
  C:\Windows\System32\cEFPurG.exe
  2⤵
  PID:9000
- C:\Windows\System32\SjFxwDw.exe
  C:\Windows\System32\SjFxwDw.exe
  2⤵
  PID:8316
- C:\Windows\System32\BjXnYnD.exe
  C:\Windows\System32\BjXnYnD.exe
  2⤵
  PID:9160
- C:\Windows\System32\nJKzyWE.exe
  C:\Windows\System32\nJKzyWE.exe
  2⤵
  PID:8352
- C:\Windows\System32\smdQVfg.exe
  C:\Windows\System32\smdQVfg.exe
  2⤵
  PID:8492
- C:\Windows\System32\CUEMeai.exe
  C:\Windows\System32\CUEMeai.exe
  2⤵
  PID:8464
- C:\Windows\System32\QsCOhWX.exe
  C:\Windows\System32\QsCOhWX.exe
  2⤵
  PID:8288
- C:\Windows\System32\yUzcZQT.exe
  C:\Windows\System32\yUzcZQT.exe
  2⤵
  PID:8632
- C:\Windows\System32\jWClfuG.exe
  C:\Windows\System32\jWClfuG.exe
  2⤵
  PID:8692
- C:\Windows\System32\CMxIgMy.exe
  C:\Windows\System32\CMxIgMy.exe
  2⤵
  PID:8964
- C:\Windows\System32\VHTxrHf.exe
  C:\Windows\System32\VHTxrHf.exe
  2⤵
  PID:8284
- C:\Windows\System32\iBmDMla.exe
  C:\Windows\System32\iBmDMla.exe
  2⤵
  PID:9104
- C:\Windows\System32\qhoeayx.exe
  C:\Windows\System32\qhoeayx.exe
  2⤵
  PID:8984
- C:\Windows\System32\fHFTAEC.exe
  C:\Windows\System32\fHFTAEC.exe
  2⤵
  PID:8936
- C:\Windows\System32\KoyJOoq.exe
  C:\Windows\System32\KoyJOoq.exe
  2⤵
  PID:9120
- C:\Windows\System32\qwfVqdX.exe
  C:\Windows\System32\qwfVqdX.exe
  2⤵
  PID:9040
- C:\Windows\System32\wDFvUqL.exe
  C:\Windows\System32\wDFvUqL.exe
  2⤵
  PID:9224
- C:\Windows\System32\nwzIGZw.exe
  C:\Windows\System32\nwzIGZw.exe
  2⤵
  PID:9248
- C:\Windows\System32\sMzWpdr.exe
  C:\Windows\System32\sMzWpdr.exe
  2⤵
  PID:9264
- C:\Windows\System32\esFdQyd.exe
  C:\Windows\System32\esFdQyd.exe
  2⤵
  PID:9292
- C:\Windows\System32\UIxzsvz.exe
  C:\Windows\System32\UIxzsvz.exe
  2⤵
  PID:9312
- C:\Windows\System32\AqgOkHv.exe
  C:\Windows\System32\AqgOkHv.exe
  2⤵
  PID:9352
- C:\Windows\System32\LMCoLCL.exe
  C:\Windows\System32\LMCoLCL.exe
  2⤵
  PID:9372
- C:\Windows\System32\vIFEoRA.exe
  C:\Windows\System32\vIFEoRA.exe
  2⤵
  PID:9400
- C:\Windows\System32\DBMmUzk.exe
  C:\Windows\System32\DBMmUzk.exe
  2⤵
  PID:9464
- C:\Windows\System32\aUXwkld.exe
  C:\Windows\System32\aUXwkld.exe
  2⤵
  PID:9480
- C:\Windows\System32\BmeEiFV.exe
  C:\Windows\System32\BmeEiFV.exe
  2⤵
  PID:9500
- C:\Windows\System32\ENDTOrs.exe
  C:\Windows\System32\ENDTOrs.exe
  2⤵
  PID:9544
- C:\Windows\System32\LWBmMci.exe
  C:\Windows\System32\LWBmMci.exe
  2⤵
  PID:9568
- C:\Windows\System32\tNSccsn.exe
  C:\Windows\System32\tNSccsn.exe
  2⤵
  PID:9584
- C:\Windows\System32\vXHOojz.exe
  C:\Windows\System32\vXHOojz.exe
  2⤵
  PID:9608
- C:\Windows\System32\mAduLuq.exe
  C:\Windows\System32\mAduLuq.exe
  2⤵
  PID:9632
- C:\Windows\System32\UrWujEr.exe
  C:\Windows\System32\UrWujEr.exe
  2⤵
  PID:9676
- C:\Windows\System32\plJDRxh.exe
  C:\Windows\System32\plJDRxh.exe
  2⤵
  PID:9724
- C:\Windows\System32\XxDtAmV.exe
  C:\Windows\System32\XxDtAmV.exe
  2⤵
  PID:9744
- C:\Windows\System32\RVxQkaZ.exe
  C:\Windows\System32\RVxQkaZ.exe
  2⤵
  PID:9768
- C:\Windows\System32\FyJAgyd.exe
  C:\Windows\System32\FyJAgyd.exe
  2⤵
  PID:9788
- C:\Windows\System32\QSHANvZ.exe
  C:\Windows\System32\QSHANvZ.exe
  2⤵
  PID:9808
- C:\Windows\System32\cAQLLRO.exe
  C:\Windows\System32\cAQLLRO.exe
  2⤵
  PID:9824
- C:\Windows\System32\OJmthbb.exe
  C:\Windows\System32\OJmthbb.exe
  2⤵
  PID:9860
- C:\Windows\System32\TUoLzpb.exe
  C:\Windows\System32\TUoLzpb.exe
  2⤵
  PID:9900
- C:\Windows\System32\cPWJRQD.exe
  C:\Windows\System32\cPWJRQD.exe
  2⤵
  PID:9932
- C:\Windows\System32\HWnrCNI.exe
  C:\Windows\System32\HWnrCNI.exe
  2⤵
  PID:9948
- C:\Windows\System32\DXZErWf.exe
  C:\Windows\System32\DXZErWf.exe
  2⤵
  PID:9972
- C:\Windows\System32\jyeAfHO.exe
  C:\Windows\System32\jyeAfHO.exe
  2⤵
  PID:10012
- C:\Windows\System32\HneCXdN.exe
  C:\Windows\System32\HneCXdN.exe
  2⤵
  PID:10032
- C:\Windows\System32\JjarfPJ.exe
  C:\Windows\System32\JjarfPJ.exe
  2⤵
  PID:10068
- C:\Windows\System32\CFxLMIA.exe
  C:\Windows\System32\CFxLMIA.exe
  2⤵
  PID:10088
- C:\Windows\System32\CUzZxul.exe
  C:\Windows\System32\CUzZxul.exe
  2⤵
  PID:10108
- C:\Windows\System32\nElWDDo.exe
  C:\Windows\System32\nElWDDo.exe
  2⤵
  PID:10140
- C:\Windows\System32\WEWMsAQ.exe
  C:\Windows\System32\WEWMsAQ.exe
  2⤵
  PID:10160
- C:\Windows\System32\PhNEHQj.exe
  C:\Windows\System32\PhNEHQj.exe
  2⤵
  PID:10192
- C:\Windows\System32\tLiQSft.exe
  C:\Windows\System32\tLiQSft.exe
  2⤵
  PID:10220
- C:\Windows\System32\XkFvlVc.exe
  C:\Windows\System32\XkFvlVc.exe
  2⤵
  PID:9220
- C:\Windows\System32\HrUOyyb.exe
  C:\Windows\System32\HrUOyyb.exe
  2⤵
  PID:9288
- C:\Windows\System32\mmNczbw.exe
  C:\Windows\System32\mmNczbw.exe
  2⤵
  PID:9332
- C:\Windows\System32\SaoOJFz.exe
  C:\Windows\System32\SaoOJFz.exe
  2⤵
  PID:9396
- C:\Windows\System32\WfLDGvx.exe
  C:\Windows\System32\WfLDGvx.exe
  2⤵
  PID:9488
- C:\Windows\System32\sbRAwre.exe
  C:\Windows\System32\sbRAwre.exe
  2⤵
  PID:9580
- C:\Windows\System32\OLnCYTh.exe
  C:\Windows\System32\OLnCYTh.exe
  2⤵
  PID:9664
- C:\Windows\System32\IlozTQs.exe
  C:\Windows\System32\IlozTQs.exe
  2⤵
  PID:9688
- C:\Windows\System32\vSFzPQn.exe
  C:\Windows\System32\vSFzPQn.exe
  2⤵
  PID:9752
- C:\Windows\System32\YuSWXkO.exe
  C:\Windows\System32\YuSWXkO.exe
  2⤵
  PID:9804
- C:\Windows\System32\umJkMQJ.exe
  C:\Windows\System32\umJkMQJ.exe
  2⤵
  PID:9816
- C:\Windows\System32\qDIZaHI.exe
  C:\Windows\System32\qDIZaHI.exe
  2⤵
  PID:10000
- C:\Windows\System32\FHeKgzp.exe
  C:\Windows\System32\FHeKgzp.exe
  2⤵
  PID:10064
- C:\Windows\System32\HCKuLFi.exe
  C:\Windows\System32\HCKuLFi.exe
  2⤵
  PID:10084
- C:\Windows\System32\YGBzipz.exe
  C:\Windows\System32\YGBzipz.exe
  2⤵
  PID:10136
- C:\Windows\System32\hUGpjSQ.exe
  C:\Windows\System32\hUGpjSQ.exe
  2⤵
  PID:10200
- C:\Windows\System32\UzQCBMC.exe
  C:\Windows\System32\UzQCBMC.exe
  2⤵
  PID:9360
- C:\Windows\System32\KwMUGAk.exe
  C:\Windows\System32\KwMUGAk.exe
  2⤵
  PID:9380
- C:\Windows\System32\wchbQaS.exe
  C:\Windows\System32\wchbQaS.exe
  2⤵
  PID:9472
- C:\Windows\System32\saRwcGz.exe
  C:\Windows\System32\saRwcGz.exe
  2⤵
  PID:9604
- C:\Windows\System32\fXLgFwI.exe
  C:\Windows\System32\fXLgFwI.exe
  2⤵
  PID:9832
- C:\Windows\System32\HJzWNGC.exe
  C:\Windows\System32\HJzWNGC.exe
  2⤵
  PID:9880
- C:\Windows\System32\misZwqM.exe
  C:\Windows\System32\misZwqM.exe
  2⤵
  PID:9364
- C:\Windows\System32\DJcyLJg.exe
  C:\Windows\System32\DJcyLJg.exe
  2⤵
  PID:8516
- C:\Windows\System32\kWTgZfu.exe
  C:\Windows\System32\kWTgZfu.exe
  2⤵
  PID:10100
- C:\Windows\System32\qMhrziV.exe
  C:\Windows\System32\qMhrziV.exe
  2⤵
  PID:9412
- C:\Windows\System32\THOKTvI.exe
  C:\Windows\System32\THOKTvI.exe
  2⤵
  PID:9704
- C:\Windows\System32\IArYqzY.exe
  C:\Windows\System32\IArYqzY.exe
  2⤵
  PID:10256
- C:\Windows\System32\vOkvEOZ.exe
  C:\Windows\System32\vOkvEOZ.exe
  2⤵
  PID:10288
- C:\Windows\System32\cCNWjyW.exe
  C:\Windows\System32\cCNWjyW.exe
  2⤵
  PID:10332
- C:\Windows\System32\FdsdTAQ.exe
  C:\Windows\System32\FdsdTAQ.exe
  2⤵
  PID:10348
- C:\Windows\System32\TjJeWSr.exe
  C:\Windows\System32\TjJeWSr.exe
  2⤵
  PID:10380
- C:\Windows\System32\kDjAayP.exe
  C:\Windows\System32\kDjAayP.exe
  2⤵
  PID:10400
- C:\Windows\System32\udbPqgQ.exe
  C:\Windows\System32\udbPqgQ.exe
  2⤵
  PID:10436
- C:\Windows\System32\OgaPeqV.exe
  C:\Windows\System32\OgaPeqV.exe
  2⤵
  PID:10468
- C:\Windows\System32\JIkknzX.exe
  C:\Windows\System32\JIkknzX.exe
  2⤵
  PID:10492
- C:\Windows\System32\eGROUnE.exe
  C:\Windows\System32\eGROUnE.exe
  2⤵
  PID:10512
- C:\Windows\System32\fRKuDIm.exe
  C:\Windows\System32\fRKuDIm.exe
  2⤵
  PID:10548
- C:\Windows\System32\xCosQJp.exe
  C:\Windows\System32\xCosQJp.exe
  2⤵
  PID:10568
- C:\Windows\System32\ZrQTTuI.exe
  C:\Windows\System32\ZrQTTuI.exe
  2⤵
  PID:10588
- C:\Windows\System32\JIhFLmk.exe
  C:\Windows\System32\JIhFLmk.exe
  2⤵
  PID:10628
- C:\Windows\System32\uZHqunG.exe
  C:\Windows\System32\uZHqunG.exe
  2⤵
  PID:10672
- C:\Windows\System32\WvqklOV.exe
  C:\Windows\System32\WvqklOV.exe
  2⤵
  PID:10692
- C:\Windows\System32\HqFkFBp.exe
  C:\Windows\System32\HqFkFBp.exe
  2⤵
  PID:10708
- C:\Windows\System32\aGPFEgo.exe
  C:\Windows\System32\aGPFEgo.exe
  2⤵
  PID:10732
- C:\Windows\System32\MJDLwPq.exe
  C:\Windows\System32\MJDLwPq.exe
  2⤵
  PID:10748
- C:\Windows\System32\ugxaooe.exe
  C:\Windows\System32\ugxaooe.exe
  2⤵
  PID:10800
- C:\Windows\System32\gdPiijj.exe
  C:\Windows\System32\gdPiijj.exe
  2⤵
  PID:10816
- C:\Windows\System32\MRKrLqC.exe
  C:\Windows\System32\MRKrLqC.exe
  2⤵
  PID:10852
- C:\Windows\System32\ANimHtZ.exe
  C:\Windows\System32\ANimHtZ.exe
  2⤵
  PID:10872
- C:\Windows\System32\wcTqeEt.exe
  C:\Windows\System32\wcTqeEt.exe
  2⤵
  PID:10932
- C:\Windows\System32\ffloosX.exe
  C:\Windows\System32\ffloosX.exe
  2⤵
  PID:10952
- C:\Windows\System32\chzwDAl.exe
  C:\Windows\System32\chzwDAl.exe
  2⤵
  PID:10968
- C:\Windows\System32\qUiJWyJ.exe
  C:\Windows\System32\qUiJWyJ.exe
  2⤵
  PID:10988
- C:\Windows\System32\oFTWRIl.exe
  C:\Windows\System32\oFTWRIl.exe
  2⤵
  PID:11028
- C:\Windows\System32\smZHCvW.exe
  C:\Windows\System32\smZHCvW.exe
  2⤵
  PID:11044
- C:\Windows\System32\ycDFYLg.exe
  C:\Windows\System32\ycDFYLg.exe
  2⤵
  PID:11068
- C:\Windows\System32\ZaccOVI.exe
  C:\Windows\System32\ZaccOVI.exe
  2⤵
  PID:11096
- C:\Windows\System32\RayXQEG.exe
  C:\Windows\System32\RayXQEG.exe
  2⤵
  PID:11148
- C:\Windows\System32\mlVylBO.exe
  C:\Windows\System32\mlVylBO.exe
  2⤵
  PID:11180
- C:\Windows\System32\rrGeRdv.exe
  C:\Windows\System32\rrGeRdv.exe
  2⤵
  PID:11196
- C:\Windows\System32\yZqKiAe.exe
  C:\Windows\System32\yZqKiAe.exe
  2⤵
  PID:11224
- C:\Windows\System32\OkSGlUl.exe
  C:\Windows\System32\OkSGlUl.exe
  2⤵
  PID:11240
- C:\Windows\System32\OYvBPgL.exe
  C:\Windows\System32\OYvBPgL.exe
  2⤵
  PID:10252
- C:\Windows\System32\IucFZaF.exe
  C:\Windows\System32\IucFZaF.exe
  2⤵
  PID:10372
- C:\Windows\System32\cGirJyu.exe
  C:\Windows\System32\cGirJyu.exe
  2⤵
  PID:10428
- C:\Windows\System32\NygyBzd.exe
  C:\Windows\System32\NygyBzd.exe
  2⤵
  PID:10480
- C:\Windows\System32\LjGOAJd.exe
  C:\Windows\System32\LjGOAJd.exe
  2⤵
  PID:10488
- C:\Windows\System32\mAcpzUA.exe
  C:\Windows\System32\mAcpzUA.exe
  2⤵
  PID:10500
- C:\Windows\System32\WaZHcWI.exe
  C:\Windows\System32\WaZHcWI.exe
  2⤵
  PID:10608
- C:\Windows\System32\hvkYxqr.exe
  C:\Windows\System32\hvkYxqr.exe
  2⤵
  PID:10688
- C:\Windows\System32\iVJnnGe.exe
  C:\Windows\System32\iVJnnGe.exe
  2⤵
  PID:10784
- C:\Windows\System32\afWXzNO.exe
  C:\Windows\System32\afWXzNO.exe
  2⤵
  PID:10860
- C:\Windows\System32\MrFiiPl.exe
  C:\Windows\System32\MrFiiPl.exe
  2⤵
  PID:10948
- C:\Windows\System32\BOjDZed.exe
  C:\Windows\System32\BOjDZed.exe
  2⤵
  PID:11000
- C:\Windows\System32\KBPIjhX.exe
  C:\Windows\System32\KBPIjhX.exe
  2⤵
  PID:11036
- C:\Windows\System32\gqZiWDa.exe
  C:\Windows\System32\gqZiWDa.exe
  2⤵
  PID:11128
- C:\Windows\System32\XYYzuqW.exe
  C:\Windows\System32\XYYzuqW.exe
  2⤵
  PID:11164
- C:\Windows\System32\HwnEaSD.exe
  C:\Windows\System32\HwnEaSD.exe
  2⤵
  PID:11248
- C:\Windows\System32\SAIphhk.exe
  C:\Windows\System32\SAIphhk.exe
  2⤵
  PID:10344
- C:\Windows\System32\sJTauUN.exe
  C:\Windows\System32\sJTauUN.exe
  2⤵
  PID:10508
- C:\Windows\System32\jyrhNdt.exe
  C:\Windows\System32\jyrhNdt.exe
  2⤵
  PID:10452
- C:\Windows\System32\OOBErbQ.exe
  C:\Windows\System32\OOBErbQ.exe
  2⤵
  PID:10824
- C:\Windows\System32\wzozuMK.exe
  C:\Windows\System32\wzozuMK.exe
  2⤵
  PID:10880
- C:\Windows\System32\UEWeDkd.exe
  C:\Windows\System32\UEWeDkd.exe
  2⤵
  PID:10976
- C:\Windows\System32\fveRjsL.exe
  C:\Windows\System32\fveRjsL.exe
  2⤵
  PID:11220
- C:\Windows\System32\sYZERcv.exe
  C:\Windows\System32\sYZERcv.exe
  2⤵
  PID:10184
- C:\Windows\System32\YsheLon.exe
  C:\Windows\System32\YsheLon.exe
  2⤵
  PID:10724
- C:\Windows\System32\fNNZpdQ.exe
  C:\Windows\System32\fNNZpdQ.exe
  2⤵
  PID:10984
- C:\Windows\System32\KBSPcgH.exe
  C:\Windows\System32\KBSPcgH.exe
  2⤵
  PID:10188
- C:\Windows\System32\YpcDPlM.exe
  C:\Windows\System32\YpcDPlM.exe
  2⤵
  PID:11272
- C:\Windows\System32\KRRLpTX.exe
  C:\Windows\System32\KRRLpTX.exe
  2⤵
  PID:11292
- C:\Windows\System32\tmOQaqe.exe
  C:\Windows\System32\tmOQaqe.exe
  2⤵
  PID:11328
- C:\Windows\System32\zQwrqhr.exe
  C:\Windows\System32\zQwrqhr.exe
  2⤵
  PID:11352
- C:\Windows\System32\ACDaWHV.exe
  C:\Windows\System32\ACDaWHV.exe
  2⤵
  PID:11388
- C:\Windows\System32\mgDAaFr.exe
  C:\Windows\System32\mgDAaFr.exe
  2⤵
  PID:11408
- C:\Windows\System32\SxMXgAw.exe
  C:\Windows\System32\SxMXgAw.exe
  2⤵
  PID:11464
- C:\Windows\System32\yxGygNh.exe
  C:\Windows\System32\yxGygNh.exe
  2⤵
  PID:11480
- C:\Windows\System32\xLoxaKD.exe
  C:\Windows\System32\xLoxaKD.exe
  2⤵
  PID:11520
- C:\Windows\System32\ZXhieSZ.exe
  C:\Windows\System32\ZXhieSZ.exe
  2⤵
  PID:11536
- C:\Windows\System32\SeoQSgK.exe
  C:\Windows\System32\SeoQSgK.exe
  2⤵
  PID:11560
- C:\Windows\System32\fFaeBtJ.exe
  C:\Windows\System32\fFaeBtJ.exe
  2⤵
  PID:11596
- C:\Windows\System32\tCVSjYc.exe
  C:\Windows\System32\tCVSjYc.exe
  2⤵
  PID:11620
- C:\Windows\System32\cKrjIJG.exe
  C:\Windows\System32\cKrjIJG.exe
  2⤵
  PID:11644
- C:\Windows\System32\Tnjvvfq.exe
  C:\Windows\System32\Tnjvvfq.exe
  2⤵
  PID:11668
- C:\Windows\System32\CdIqaSm.exe
  C:\Windows\System32\CdIqaSm.exe
  2⤵
  PID:11704
- C:\Windows\System32\nMkxleW.exe
  C:\Windows\System32\nMkxleW.exe
  2⤵
  PID:11744
- C:\Windows\System32\YgMkLYR.exe
  C:\Windows\System32\YgMkLYR.exe
  2⤵
  PID:11764
- C:\Windows\System32\LqeHaSL.exe
  C:\Windows\System32\LqeHaSL.exe
  2⤵
  PID:11792
- C:\Windows\System32\kSbOsWR.exe
  C:\Windows\System32\kSbOsWR.exe
  2⤵
  PID:11824
- C:\Windows\System32\ZgOOcPZ.exe
  C:\Windows\System32\ZgOOcPZ.exe
  2⤵
  PID:11844
- C:\Windows\System32\XJeITIF.exe
  C:\Windows\System32\XJeITIF.exe
  2⤵
  PID:11864
- C:\Windows\System32\qTpXtrx.exe
  C:\Windows\System32\qTpXtrx.exe
  2⤵
  PID:11884
- C:\Windows\System32\kcbwJxP.exe
  C:\Windows\System32\kcbwJxP.exe
  2⤵
  PID:11904
- C:\Windows\System32\iaNzOSP.exe
  C:\Windows\System32\iaNzOSP.exe
  2⤵
  PID:11924
- C:\Windows\System32\uOhGaRd.exe
  C:\Windows\System32\uOhGaRd.exe
  2⤵
  PID:11984
- C:\Windows\System32\OxNirEm.exe
  C:\Windows\System32\OxNirEm.exe
  2⤵
  PID:12004
- C:\Windows\System32\ICVgGIP.exe
  C:\Windows\System32\ICVgGIP.exe
  2⤵
  PID:12024
- C:\Windows\System32\LfwWgju.exe
  C:\Windows\System32\LfwWgju.exe
  2⤵
  PID:12048
- C:\Windows\System32\GYpynmA.exe
  C:\Windows\System32\GYpynmA.exe
  2⤵
  PID:12064
- C:\Windows\System32\NZDplow.exe
  C:\Windows\System32\NZDplow.exe
  2⤵
  PID:12128
- C:\Windows\System32\yasYknu.exe
  C:\Windows\System32\yasYknu.exe
  2⤵
  PID:12156
- C:\Windows\System32\kNcZvcI.exe
  C:\Windows\System32\kNcZvcI.exe
  2⤵
  PID:12176
- C:\Windows\System32\ubjhaJN.exe
  C:\Windows\System32\ubjhaJN.exe
  2⤵
  PID:12192
- C:\Windows\System32\mYBJqEm.exe
  C:\Windows\System32\mYBJqEm.exe
  2⤵
  PID:12240
- C:\Windows\System32\oZWpqid.exe
  C:\Windows\System32\oZWpqid.exe
  2⤵
  PID:12272
- C:\Windows\System32\ckWGpPo.exe
  C:\Windows\System32\ckWGpPo.exe
  2⤵
  PID:10540
- C:\Windows\System32\DyWwCOx.exe
  C:\Windows\System32\DyWwCOx.exe
  2⤵
  PID:11304
- C:\Windows\System32\nrhkGUw.exe
  C:\Windows\System32\nrhkGUw.exe
  2⤵
  PID:11344
- C:\Windows\System32\zmaTyKR.exe
  C:\Windows\System32\zmaTyKR.exe
  2⤵
  PID:11400
- C:\Windows\System32\JoNgzrG.exe
  C:\Windows\System32\JoNgzrG.exe
  2⤵
  PID:11432
- C:\Windows\System32\eUgLPvy.exe
  C:\Windows\System32\eUgLPvy.exe
  2⤵
  PID:11568
- C:\Windows\System32\WrCmDqj.exe
  C:\Windows\System32\WrCmDqj.exe
  2⤵
  PID:11660
- C:\Windows\System32\gRNrQMM.exe
  C:\Windows\System32\gRNrQMM.exe
  2⤵
  PID:11712
- C:\Windows\System32\mcAHeDL.exe
  C:\Windows\System32\mcAHeDL.exe
  2⤵
  PID:11784
- C:\Windows\System32\pfjqulc.exe
  C:\Windows\System32\pfjqulc.exe
  2⤵
  PID:11852
- C:\Windows\System32\joJQAsz.exe
  C:\Windows\System32\joJQAsz.exe
  2⤵
  PID:11896
- C:\Windows\System32\AjpNjXE.exe
  C:\Windows\System32\AjpNjXE.exe
  2⤵
  PID:11932
- C:\Windows\System32\xVaugEd.exe
  C:\Windows\System32\xVaugEd.exe
  2⤵
  PID:12016
- C:\Windows\System32\lzFEoZI.exe
  C:\Windows\System32\lzFEoZI.exe
  2⤵
  PID:12092
- C:\Windows\System32\sWulQAf.exe
  C:\Windows\System32\sWulQAf.exe
  2⤵
  PID:12164
- C:\Windows\System32\iDuVPMk.exe
  C:\Windows\System32\iDuVPMk.exe
  2⤵
  PID:12188
- C:\Windows\System32\StBWiRE.exe
  C:\Windows\System32\StBWiRE.exe
  2⤵
  PID:11288
- C:\Windows\System32\QxUttBH.exe
  C:\Windows\System32\QxUttBH.exe
  2⤵
  PID:11508
- C:\Windows\System32\kslqmyZ.exe
  C:\Windows\System32\kslqmyZ.exe
  2⤵
  PID:11532
- C:\Windows\System32\ymoJfLx.exe
  C:\Windows\System32\ymoJfLx.exe
  2⤵
  PID:11720
- C:\Windows\System32\VDeIMdC.exe
  C:\Windows\System32\VDeIMdC.exe
  2⤵
  PID:11808
- C:\Windows\System32\CYqFEQX.exe
  C:\Windows\System32\CYqFEQX.exe
  2⤵
  PID:11916
- C:\Windows\System32\ifLcRMj.exe
  C:\Windows\System32\ifLcRMj.exe
  2⤵
  PID:12036
- C:\Windows\System32\CSwIZfq.exe
  C:\Windows\System32\CSwIZfq.exe
  2⤵
  PID:12228
- C:\Windows\System32\xSLVaQQ.exe
  C:\Windows\System32\xSLVaQQ.exe
  2⤵
  PID:12248
- C:\Windows\System32\vRAUiMi.exe
  C:\Windows\System32\vRAUiMi.exe
  2⤵
  PID:12000
- C:\Windows\System32\tHLIflT.exe
  C:\Windows\System32\tHLIflT.exe
  2⤵
  PID:12184
- C:\Windows\System32\QhpnzXt.exe
  C:\Windows\System32\QhpnzXt.exe
  2⤵
  PID:1992
- C:\Windows\System32\NJWERzT.exe
  C:\Windows\System32\NJWERzT.exe
  2⤵
  PID:720
- C:\Windows\System32\uqruMNz.exe
  C:\Windows\System32\uqruMNz.exe
  2⤵
  PID:1820
- C:\Windows\System32\zEeBqvL.exe
  C:\Windows\System32\zEeBqvL.exe
  2⤵
  PID:3488
- C:\Windows\System32\FbZJtuF.exe
  C:\Windows\System32\FbZJtuF.exe
  2⤵
  PID:12316
- C:\Windows\System32\BIlNmMT.exe
  C:\Windows\System32\BIlNmMT.exe
  2⤵
  PID:12332
- C:\Windows\System32\ykDBlhS.exe
  C:\Windows\System32\ykDBlhS.exe
  2⤵
  PID:12356
- C:\Windows\System32\LuGinbE.exe
  C:\Windows\System32\LuGinbE.exe
  2⤵
  PID:12380
- C:\Windows\System32\XCfnULd.exe
  C:\Windows\System32\XCfnULd.exe
  2⤵
  PID:12396
- C:\Windows\System32\lsIKUbH.exe
  C:\Windows\System32\lsIKUbH.exe
  2⤵
  PID:12536
- C:\Windows\System32\reNtZnM.exe
  C:\Windows\System32\reNtZnM.exe
  2⤵
  PID:12572
- C:\Windows\System32\ffeUvZt.exe
  C:\Windows\System32\ffeUvZt.exe
  2⤵
  PID:12596
- C:\Windows\System32\yYpnQoR.exe
  C:\Windows\System32\yYpnQoR.exe
  2⤵
  PID:12616
- C:\Windows\System32\jPVWCWs.exe
  C:\Windows\System32\jPVWCWs.exe
  2⤵
  PID:12676
- C:\Windows\System32\HUhaNbY.exe
  C:\Windows\System32\HUhaNbY.exe
  2⤵
  PID:12716
- C:\Windows\System32\DuVaklC.exe
  C:\Windows\System32\DuVaklC.exe
  2⤵
  PID:12732
- C:\Windows\System32\ObcUVut.exe
  C:\Windows\System32\ObcUVut.exe
  2⤵
  PID:12760
- C:\Windows\System32\RkgRzDo.exe
  C:\Windows\System32\RkgRzDo.exe
  2⤵
  PID:12776
- C:\Windows\System32\BWGBHRi.exe
  C:\Windows\System32\BWGBHRi.exe
  2⤵
  PID:12800
- C:\Windows\System32\GfoDTNJ.exe
  C:\Windows\System32\GfoDTNJ.exe
  2⤵
  PID:12820
- C:\Windows\System32\KyXioou.exe
  C:\Windows\System32\KyXioou.exe
  2⤵
  PID:12872
- C:\Windows\System32\uPCeFpB.exe
  C:\Windows\System32\uPCeFpB.exe
  2⤵
  PID:12900
- C:\Windows\System32\AsDASiC.exe
  C:\Windows\System32\AsDASiC.exe
  2⤵
  PID:12936
- C:\Windows\System32\CaUglKS.exe
  C:\Windows\System32\CaUglKS.exe
  2⤵
  PID:12964
- C:\Windows\System32\NdpWPgG.exe
  C:\Windows\System32\NdpWPgG.exe
  2⤵
  PID:12980
- C:\Windows\System32\VBibwbV.exe
  C:\Windows\System32\VBibwbV.exe
  2⤵
  PID:13000
- C:\Windows\System32\nyVCdps.exe
  C:\Windows\System32\nyVCdps.exe
  2⤵
  PID:13024
- C:\Windows\System32\Evlfhdb.exe
  C:\Windows\System32\Evlfhdb.exe
  2⤵
  PID:13068
- C:\Windows\System32\ANvIDte.exe
  C:\Windows\System32\ANvIDte.exe
  2⤵
  PID:13100
- C:\Windows\System32\mwJjgNE.exe
  C:\Windows\System32\mwJjgNE.exe
  2⤵
  PID:13120
- C:\Windows\System32\pbzEvWz.exe
  C:\Windows\System32\pbzEvWz.exe
  2⤵
  PID:13156
- C:\Windows\System32\KBfPfrC.exe
  C:\Windows\System32\KBfPfrC.exe
  2⤵
  PID:13180
- C:\Windows\System32\UtJzUmg.exe
  C:\Windows\System32\UtJzUmg.exe
  2⤵
  PID:13216
- C:\Windows\System32\QWfvINC.exe
  C:\Windows\System32\QWfvINC.exe
  2⤵
  PID:13236
- C:\Windows\System32\MwsFnYm.exe
  C:\Windows\System32\MwsFnYm.exe
  2⤵
  PID:13256
- C:\Windows\System32\bLKAxXp.exe
  C:\Windows\System32\bLKAxXp.exe
  2⤵
  PID:13276
- C:\Windows\System32\pCSOBiq.exe
  C:\Windows\System32\pCSOBiq.exe
  2⤵
  PID:13300
- C:\Windows\System32\kLCvZLJ.exe
  C:\Windows\System32\kLCvZLJ.exe
  2⤵
  PID:12020
- C:\Windows\System32\qOGOwzO.exe
  C:\Windows\System32\qOGOwzO.exe
  2⤵
  PID:12324
- C:\Windows\System32\NBrZzBQ.exe
  C:\Windows\System32\NBrZzBQ.exe
  2⤵
  PID:12364
- C:\Windows\System32\SBTCqCP.exe
  C:\Windows\System32\SBTCqCP.exe
  2⤵
  PID:12420
- C:\Windows\System32\RogtHAj.exe
  C:\Windows\System32\RogtHAj.exe
  2⤵
  PID:12464
- C:\Windows\System32\ghCxnHv.exe
  C:\Windows\System32\ghCxnHv.exe
  2⤵
  PID:12468
- C:\Windows\System32\gzuKFvJ.exe
  C:\Windows\System32\gzuKFvJ.exe
  2⤵
  PID:12488
- C:\Windows\System32\kJkJldN.exe
  C:\Windows\System32\kJkJldN.exe
  2⤵
  PID:12404
- C:\Windows\System32\aBsDoGE.exe
  C:\Windows\System32\aBsDoGE.exe
  2⤵
  PID:12532

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AlBpjRB.exe

Filesize
972KB

MD5
f03e8f9dd70f53d0a8835df8f2cd5307

SHA1
08e80759b1486f0a63716a9f439165870d720e61

SHA256
1c046b45a0f84b193376208e5cb329fe5b877e6b0b33dced89d475a3ba169f48

SHA512
82e5ae3039f98ee8c974ee90d8a2dc3e5c34ca7059e7f0bc56085e921a4fc497665245be64fdd17858a646847d93c7faa38a514e12428789c1a40df00bbcdc8e

Download Submit
C:\Windows\System32\AxtHpHJ.exe

Filesize
966KB

MD5
8812cbdb12dec9cc8a8754febb983583

SHA1
a2183f01065b8879d9d359958243c67ccbf0c712

SHA256
2d5ef9429a87d74b6e52e815da17f3050bb855859c84dc4f99c468bfca6d3634

SHA512
8263cccc42e1cfd9fe2c5e1b6a160d56b6a6b862d0fd863972dbb6fcf58ec485afe13bb0a3cc7245916bbc2813b2774d2c50dc3b79c3662f6a4fa6489e7996a9

Download Submit
C:\Windows\System32\BqySSPX.exe

Filesize
970KB

MD5
b4ef893729711949aa622b4a6d0951e3

SHA1
6d08ab3e8f4cd7c3dca6740801dba91db9977d08

SHA256
b5b8582b30c71b94353cc43368b498b7f3bc21e199df4c26f7e81e18c8e46047

SHA512
2b5359d9eaf3c8807b76f840e6ba4ad1bb452172e69195187bedb993154de475e371d93b7571cf726268194ce76276b2e2d9a78295de309cdd2aaf80fbf2e230

Download Submit
C:\Windows\System32\CFtWuse.exe

Filesize
968KB

MD5
753c112426f82423c868d0d2371fb339

SHA1
e4e6325230dfab1220f2ff49b2bb6aa5605ec4bf

SHA256
72c9d26cb4c44b8f308789ff46b784269eec29540fa87a031368f8d93775bd65

SHA512
36e195c6c1652f918570505028ac4dd3a7ff4bc6356c28bbc45ad5213f892660c3b957d571c8b00fec9b3201047e01d871a73e64c4162ecdfca7c5eba823b2af

Download Submit
C:\Windows\System32\CUHgjDL.exe

Filesize
971KB

MD5
42e5a542673ede928b2f6668d31dc220

SHA1
259721059b8a89a4d568f90a988c51d54b19758e

SHA256
679eac38128bb914f94d58a34dce91dfd63da3a49a92eac3a9a14cafc06802a8

SHA512
bc2984d553909fada3a87b268e6bec666d831a6db6824b7a35545a8f0778ace1d302ce636a0c936dfa416a0ba72013f5da0601d9a5ba665ffee9c96fedb96197

Download Submit
C:\Windows\System32\CtAKUmB.exe

Filesize
966KB

MD5
51d59cc77bf9b4603934e1d799eeef7f

SHA1
92b6a930aac9e52766c444099dfd55742bc7cbd6

SHA256
52c6112d33918f9d83b1a8bb9021ee383d2812f5d841527f609099b3c4cb1685

SHA512
172abc836d79e011f5b9d9f5cfafb004afdb9fe2d7b9ff7d6e534443b1ed70ef6b2b6646062169e28eb084993db9daeb9d09587e7927a41d9a26e06cfedb0c12

Download Submit
C:\Windows\System32\EyhdXSN.exe

Filesize
968KB

MD5
3439367e0d16ccd3386a72d5681846dc

SHA1
6289f7b5321623b8af558d7c19b78f2de965be80

SHA256
6b96d6fea8576c38757c2c88f44dd0df8b9c9ed8014341911355efbf60041867

SHA512
3ea6f4b74c0deb0cb96628cdeb8fb510a5b66124d8c3604bea99c76186b9e07e77c2eb50aac32f74f79828d93280bc05d6bb0963e309f126fd7953324044952c

Download Submit
C:\Windows\System32\GXqwLBH.exe

Filesize
973KB

MD5
ad7b5b63b79b42640f447e3ee2c2ccc7

SHA1
16d2a8ec4f5a5322be4ee74ab48eaac072a935dc

SHA256
96136834a216b025dfb094bb61364423caaf2290ace0885c3005b2884cafaf39

SHA512
aa98e537ec2bb2346485185f4b26c5a5ab81cd9b23480a48c718cb9d45b5971b5f31428c38befa64b5f5e1c0710357fe5b016b1bcc7d54590183e12764facb4c

Download Submit
C:\Windows\System32\HBwuCuN.exe

Filesize
969KB

MD5
5be1ff5f671199b2c598a469d4d1172f

SHA1
ad91f0c5f832a2ff879a79410fbe115ec42a63e9

SHA256
2a65048f3918fa9b57ad94e2c3bc5c7050d99d9303b8e5a762b95059245cb123

SHA512
237cbabd0827a2456f77a6a5a29da5c123c00b02db107544dc632c5d3f0d04b57653adc246b967e3ab2141ea83d3df3e70f470692c7d949984ec1a046cef1438

Download Submit
C:\Windows\System32\HyGhiUn.exe

Filesize
972KB

MD5
998ce4c8c3d96790b421c5ee4dd5c4f1

SHA1
63164fbdfbfd8c2b7d718afadd7c901f1e5179e1

SHA256
f037c65cb3842d6d42e685c68cd11a1a85bbf72c31b73ccf2e305259e1974a79

SHA512
5ca3e82c62f607434388fe70c4e465261cfdf4ee74d47af33e58abef949db2f6a6c70325d1203cd2eab5c229a1dd8fba7ba7fabed3459b14e2382a3d2e8a8060

Download Submit
C:\Windows\System32\IXhYchL.exe

Filesize
965KB

MD5
bf701acd9fb2dca082d724eda27cb4fa

SHA1
e866c93aa74744562f2778170268c1fb390e9c78

SHA256
68d490c599692b8dd7765cdf751e2d0e274b42991fded4dea609c8a891b26b67

SHA512
4de14e4051ffe10659bce632daf0f349e566fb7fe6597069231b1de1f669f886010ae335e20ac05714cd8aeda4ade1dbdae3ca794411219c2b9d1eb0bb11f181

Download Submit
C:\Windows\System32\ImFwKur.exe

Filesize
967KB

MD5
0938f5876ba6f1524a4a99f1d3e66b8c

SHA1
7b1b41588222fe623ea10e738ec3e234bb19dc33

SHA256
911f81bb02d14dc84706a2dfc743cbc69f57453f2865d54c879d5df72981b518

SHA512
6db5ac0f0b0aff738d4f03f8f6e8a1ba9181397bcee07b5efc8dbec6d7e8b4d6c122c3788d87d3d4f459b7d8a9c85cee63a4abb2b70cea3d254183581dd18c9f

Download Submit
C:\Windows\System32\LZzlmmW.exe

Filesize
967KB

MD5
2b184fb4748bf2e08c5eb3fa2161f612

SHA1
52c881eb5643e807a9915c343e48055d418cc8c4

SHA256
b7727649787348646c27b3208638ec21200311e695de93e2d2fcb29d1da9c7aa

SHA512
7ddf93b281a0907de664c359833f55208a4d95d93d9a35fd4be8c632012ac4cd4c42a19cfc7b00bedd03c13e5684b49d89b65fa57fd638a4206ab1f2654ebef9

Download Submit
C:\Windows\System32\LgCoDzk.exe

Filesize
968KB

MD5
4cb168cf89459077bce7eefb7d3f19a7

SHA1
ee97d81768232af06eb80378aeacaac270c93e56

SHA256
441b77062b4e10fcd82e04ef0ebb5bfaf7059b7d334848c9c12408cd55732dad

SHA512
1f8770b6c91d2fc298148af1c58ba615062bbd48c53bbb5119924d85714979af0886ef010cdff6022f8b61bc57b26a87af75da04aba14b9b7521d8ba188268e6

Download Submit
C:\Windows\System32\MbtMBQk.exe

Filesize
973KB

MD5
43d3a9acdd87355d152743877ec577ca

SHA1
6ce263dba8c7378fd3ada8cf5809f34f783b161c

SHA256
6f27a4884616c24bbb6ceb19fd98b1078087db543ae86ef098cc25e77551fe73

SHA512
b56a23b6d15f52e7b7f582773fb32ed384b36e526528dde921f633a0b458176d7e389b5bf79cef46c3463e8235d8f34bca94b449a0135f26e7ac977769a0f2d0

Download Submit
C:\Windows\System32\OrNzKJN.exe

Filesize
972KB

MD5
a15d7040da3f61fad3e1fdccbc617c1d

SHA1
19b73e141853f12a17acf578257949e30e1a1341

SHA256
c515a91308482c2795aa49d8a668e8e13fcd13427cab43e18a9106f57bea9a92

SHA512
fdb1d9afe0d42bf7be9552c5ffe02ef3fe76ab954117a1906110732ebead0c3fbfb39151a7b21e721158c75f60c6976ceba1961c28a313dcbbf1e5bf9038f94e

Download Submit
C:\Windows\System32\SMsaQYf.exe

Filesize
970KB

MD5
2995a9d2fa6b6e631d951e1ff97f3b56

SHA1
726cbe66d96a7b90d02ab68cb4b7c92bda6237c6

SHA256
4a20c05896f92b36352e69ca30d1579d41891688634d496c8714e27abb14a6e2

SHA512
1d05329949767be13f15f51a1bacb0505f7431f67498d62ee834239a2e4826e8037d4a6dfc3f50460e46fa02c59d22945c125ea2dc619f4d3880c506da3f5015

Download Submit
C:\Windows\System32\TdIKWeo.exe

Filesize
971KB

MD5
f4a002cf21daeea6fd0269f0b8639a81

SHA1
f01b9030e115513d4b6adb9416a21a89b4bf43cf

SHA256
7c02d8f6dc008b2df81a8dbb8df237391fe8a3a933cdc1ba855f4ec0cf6a8a3a

SHA512
75263c496ee99927cf52b2fba805a93a77a82e1922852b33210ede2d51256fc67d94ba3a5796f42f7e13fa2f5bc2d0a290c18b22c64300d7d3c66e1a08ffb1d1

Download Submit
C:\Windows\System32\UUgSUbJ.exe

Filesize
967KB

MD5
ae682cbd9a891a356fc29ba38ef98b20

SHA1
996cd34a9f953a1a0b403ece99d155ff2f3a13f4

SHA256
b35084b7630cdeba24b6235f0430a4044047ceeef105d5a47577af9ed26b7a29

SHA512
5559225eccf5eded57e6d879de9f07e6eca1f8132fcac587fa10e7a05b72f43b3e104b951e26e1e650f94d0a75612be333a0137f3c56663a719c1fde16fe6791

Download Submit
C:\Windows\System32\YFgZJlI.exe

Filesize
972KB

MD5
6fb186fd2354952d5e67e827d7c2df7a

SHA1
1a20332c9d56528c9dd7fbec506a9c00bf779b97

SHA256
d1456dc1907155e149153fed6560c254c59ed7f7de9f6e483f272563e8a8f200

SHA512
9684621e4982568e25cc020ef7158c4c9e5c2fecf086fedc73650f449f24b839e07c1d38e23ad40b08345d3a2eab485e04f6046f1ef93569914aa51862ad128b

Download Submit
C:\Windows\System32\crUInQB.exe

Filesize
969KB

MD5
443c328561e9d3b5fc470009ba4d349a

SHA1
cc93ef3fa0a830c564436675b0475fc6c49d63ed

SHA256
da0379d9b44bb41c240f86fb8f3431928f36fb709db0f94cf81bbaa3a79f2405

SHA512
da0f0d8e6e971112277e2932347dbbe0b12b44c147ef1658c8dc3dc9709314499f2838f8d7f3fc4d0a3e9fc2cc0882e93c5c47abe30870a0f583996292f5b8c1

Download Submit
C:\Windows\System32\dVccWdX.exe

Filesize
966KB

MD5
63779d1543a21517a7af11ddf28d696f

SHA1
ffe06209de6946ccf96b8582754ad0cd59f342c8

SHA256
d10d26867437530a581c2a97ab6af61261047d32c2a1c7179ec37988a3d6e577

SHA512
7a921bcef7a65c87c44f263b045c6c3b02f75d285cd6272b84d2e5bd17268856876eb47063bdf5fc448c2f5f9749dbabdc98e8f79a4f58e89d3e7a6257c53028

Download Submit
C:\Windows\System32\eUjaKrT.exe

Filesize
969KB

MD5
1c220ee0b150397f34639f51b5859fd1

SHA1
9873db5a36202dc397884d4ddcc4e58ad4f895dd

SHA256
3d18be4b778360139a9436abfd0e931a93c91139f967566521453c5d617dcb77

SHA512
165873f0e3a6aed8387f129328821014d62c27ca60ebbd924179d07b464d6080dd1f250ee1f600e4a4341a894bf7479b947098dc1b984efb634d350580fb3f9c

Download Submit
C:\Windows\System32\fJrWSip.exe

Filesize
970KB

MD5
221edf59235d83f6673070740c0f6431

SHA1
01032955d5bee1c720e6b4ac431e50c6b55a5ceb

SHA256
4bb13d39976bbd5a6aba0df1efa28a5d8a9a858923028e2798ee50289d28f879

SHA512
e7ee59c1c5ca0ecf49499e161494ba4506e8cb53107d6f7f7e80cd1dbfb3de81834323aed22fae387c98b2d6f11ada85f98e005474d4debee6b8e463fd20e3cf

Download Submit
C:\Windows\System32\gCgmCUy.exe

Filesize
971KB

MD5
26001bf60bbef4a9ef2d6dc91a02eca4

SHA1
bdb3c640f5e84e65095bd013d71d45077ca820c3

SHA256
576fbc0c8d1d9a0d13ffd86bc645e3405fa4db0abb7bafbdaef322fa3c6e09b3

SHA512
5df518f51666ac0cf08260cb0276043b9b9f42ef3be22e87c9b01712ca047f958637656d5b135c0ea8e1d39f29c8016af6abba2884b3228c2a422e47e5ba6d27

Download Submit
C:\Windows\System32\iGSbeve.exe

Filesize
967KB

MD5
32401268dbb7bc25bca9f1a6fdd5be1d

SHA1
e8162f8f5e14e2255ad20b75df977a33a7ca1af6

SHA256
961f12b137f96e85b75a72bb41ce7a7c2b1817e0d3a26105f69bef2419494744

SHA512
3b6a5092bc6585dc995531fc8d157cc08d1a746cc2b90ba0f7b1d28445a1dcff77ad8d6085b4576e2c97eba0b85f80442e981ef28b6f9428d2ce0bc66bc99304

Download Submit
C:\Windows\System32\igfuwfM.exe

Filesize
971KB

MD5
261dac14980183eb6fcf5c629a1c776e

SHA1
a4b89d183c80f877d467be3e367660ee7a83b29f

SHA256
f5a85b57de58b48ee46aa9c4efb2aa57ebcbc4f8eb97c6aedc4aed620350257d

SHA512
128db560ccdfcce335eca9e99ddb06bd6a413e6f3f460df24f90f783cdc2880e22a933b523ffac9b756e7350c7b17a110bc3fd502b2bc4e8be52da9278c2dc1f

Download Submit
C:\Windows\System32\indMygp.exe

Filesize
969KB

MD5
76de2a447c9ab16b20409a0a2ab78e3f

SHA1
a5ba6215725ea99c12463476bccc11b64a0b948c

SHA256
6392ba603da9600d9e7bc53b6924ffc1143041f878f5746575509db303db6d0a

SHA512
dc19860e3e61e1a0b651e39421dcd24094b8ab719c78a8fcf46af980dae1ec812858337e41ce08e897c38494863b127fe4c642357e614c784498a3686db6ef74

Download Submit
C:\Windows\System32\sxbYYcq.exe

Filesize
966KB

MD5
94f5c87460f463acce37c73866ae2c5f

SHA1
2b29d28f094327ea0441c871b2c0279d833a4197

SHA256
dffb0ed200c16028ac0cc173d52c06f24df4d6c5dd5658483134941d916decb8

SHA512
96d36a1340b910f0b3d1ee126172a68b04848d077f8640a64bdc94fb282c4bd21c86974a91446134a73a9f8f714cf32e15b971b20fa2ce88a9dacb5faf67382f

Download Submit
C:\Windows\System32\vYcnxMf.exe

Filesize
965KB

MD5
b83c50ead8d797037cb89d1c46f0eb93

SHA1
3f3ccd967bc1cb3fcdfc990a7f0d29afd65b7e64

SHA256
75c3df32338b424b1133057bfe8170d126cf2a37d6953dd0b3c4916f64b73870

SHA512
8b600d22d6ba7b82a9811b7885b095c779d3ee2b5fea3fa665cef8cca076a907ea6180e4f87f68a324dd1e12105c2f71d6cce37f714ca0132243afd9f7a3c6a7

Download Submit
C:\Windows\System32\wFtHqTV.exe

Filesize
970KB

MD5
502a1dfe1f5b81716a0c6767918abbc9

SHA1
dc3d10379b038b4021703c4b7c48af38da313148

SHA256
834649c3b123b92faf801230abe764ecf94026c3b465637d8dad86d19501d7f1

SHA512
5a66196f610767db0b5533e3552eb3033125ff68934d2ae1c5a69beb174825f4c9fdf7f76234ed46b4a9fe5c308534ebd8ce38bcfcdc0df94c4c27b648d0750c

Download Submit
C:\Windows\System32\zLOtBTG.exe

Filesize
968KB

MD5
101dbc07eef3e357a7d464ab6db156a3

SHA1
2f3495b99c9bef3a5e6951c9edc82bd3b1e53423

SHA256
914012fc59944898d0ea767acc4b5347b4c123269ba47f627e27bba8771083f5

SHA512
98dd52d3332e8962fdeb949eecf177d4b7481c96b3c2ad8328be118b0880a057ae899729c58d02d9ba93e01f7b22fbc576589b11c24ddcbb43a0d7015ab99394

Download Submit
memory/312-418-0x00007FF740400000-0x00007FF7407F1000-memory.dmp

Filesize
3.9MB

Download
memory/312-2033-0x00007FF740400000-0x00007FF7407F1000-memory.dmp

Filesize
3.9MB

Download
memory/468-370-0x00007FF6512B0000-0x00007FF6516A1000-memory.dmp

Filesize
3.9MB

Download
memory/468-2063-0x00007FF6512B0000-0x00007FF6516A1000-memory.dmp

Filesize
3.9MB

Download
memory/1564-2051-0x00007FF676E70000-0x00007FF677261000-memory.dmp

Filesize
3.9MB

Download
memory/1564-2017-0x00007FF676E70000-0x00007FF677261000-memory.dmp

Filesize
3.9MB

Download
memory/1564-364-0x00007FF676E70000-0x00007FF677261000-memory.dmp

Filesize
3.9MB

Download
memory/1572-66-0x00007FF7C54F0000-0x00007FF7C58E1000-memory.dmp

Filesize
3.9MB

Download
memory/1572-2027-0x00007FF7C54F0000-0x00007FF7C58E1000-memory.dmp

Filesize
3.9MB

Download
memory/1908-419-0x00007FF7192E0000-0x00007FF7196D1000-memory.dmp

Filesize
3.9MB

Download
memory/1908-2031-0x00007FF7192E0000-0x00007FF7196D1000-memory.dmp

Filesize
3.9MB

Download
memory/2196-416-0x00007FF65DD10000-0x00007FF65E101000-memory.dmp

Filesize
3.9MB

Download
memory/2196-2068-0x00007FF65DD10000-0x00007FF65E101000-memory.dmp

Filesize
3.9MB

Download
memory/2212-72-0x00007FF684920000-0x00007FF684D11000-memory.dmp

Filesize
3.9MB

Download
memory/2212-2041-0x00007FF684920000-0x00007FF684D11000-memory.dmp

Filesize
3.9MB

Download
memory/2284-414-0x00007FF6043F0000-0x00007FF6047E1000-memory.dmp

Filesize
3.9MB

Download
memory/2284-2057-0x00007FF6043F0000-0x00007FF6047E1000-memory.dmp

Filesize
3.9MB

Download
memory/2332-2049-0x00007FF6D3E40000-0x00007FF6D4231000-memory.dmp

Filesize
3.9MB

Download
memory/2332-377-0x00007FF6D3E40000-0x00007FF6D4231000-memory.dmp

Filesize
3.9MB

Download
memory/2408-2025-0x00007FF6771F0000-0x00007FF6775E1000-memory.dmp

Filesize
3.9MB

Download
memory/2408-32-0x00007FF6771F0000-0x00007FF6775E1000-memory.dmp

Filesize
3.9MB

Download
memory/2424-2045-0x00007FF7C8920000-0x00007FF7C8D11000-memory.dmp

Filesize
3.9MB

Download
memory/2424-421-0x00007FF7C8920000-0x00007FF7C8D11000-memory.dmp

Filesize
3.9MB

Download
memory/2456-2037-0x00007FF747110000-0x00007FF747501000-memory.dmp

Filesize
3.9MB

Download
memory/2456-420-0x00007FF747110000-0x00007FF747501000-memory.dmp

Filesize
3.9MB

Download
memory/2644-2066-0x00007FF688330000-0x00007FF688721000-memory.dmp

Filesize
3.9MB

Download
memory/2644-415-0x00007FF688330000-0x00007FF688721000-memory.dmp

Filesize
3.9MB

Download
memory/2648-2053-0x00007FF6B8110000-0x00007FF6B8501000-memory.dmp

Filesize
3.9MB

Download
memory/2648-400-0x00007FF6B8110000-0x00007FF6B8501000-memory.dmp

Filesize
3.9MB

Download
memory/2720-1-0x0000029522610000-0x0000029522620000-memory.dmp

Filesize
64KB

Download
memory/2720-0-0x00007FF6A6060000-0x00007FF6A6451000-memory.dmp

Filesize
3.9MB

Download
memory/3120-2043-0x00007FF77FAA0000-0x00007FF77FE91000-memory.dmp

Filesize
3.9MB

Download
memory/3120-380-0x00007FF77FAA0000-0x00007FF77FE91000-memory.dmp

Filesize
3.9MB

Download
memory/3200-389-0x00007FF7F3E90000-0x00007FF7F4281000-memory.dmp

Filesize
3.9MB

Download
memory/3200-2055-0x00007FF7F3E90000-0x00007FF7F4281000-memory.dmp

Filesize
3.9MB

Download
memory/3348-2035-0x00007FF741A20000-0x00007FF741E11000-memory.dmp

Filesize
3.9MB

Download
memory/3348-40-0x00007FF741A20000-0x00007FF741E11000-memory.dmp

Filesize
3.9MB

Download
memory/3348-2014-0x00007FF741A20000-0x00007FF741E11000-memory.dmp

Filesize
3.9MB

Download
memory/3608-2029-0x00007FF6D5280000-0x00007FF6D5671000-memory.dmp

Filesize
3.9MB

Download
memory/3608-57-0x00007FF6D5280000-0x00007FF6D5671000-memory.dmp

Filesize
3.9MB

Download
memory/3608-2015-0x00007FF6D5280000-0x00007FF6D5671000-memory.dmp

Filesize
3.9MB

Download
memory/3632-2023-0x00007FF74AA40000-0x00007FF74AE31000-memory.dmp

Filesize
3.9MB

Download
memory/3632-24-0x00007FF74AA40000-0x00007FF74AE31000-memory.dmp

Filesize
3.9MB

Download
memory/3832-2061-0x00007FF78D7D0000-0x00007FF78DBC1000-memory.dmp

Filesize
3.9MB

Download
memory/3832-428-0x00007FF78D7D0000-0x00007FF78DBC1000-memory.dmp

Filesize
3.9MB

Download
memory/3944-385-0x00007FF6AB040000-0x00007FF6AB431000-memory.dmp

Filesize
3.9MB

Download
memory/3944-2047-0x00007FF6AB040000-0x00007FF6AB431000-memory.dmp

Filesize
3.9MB

Download
memory/4528-2059-0x00007FF7F62F0000-0x00007FF7F66E1000-memory.dmp

Filesize
3.9MB

Download
memory/4528-408-0x00007FF7F62F0000-0x00007FF7F66E1000-memory.dmp

Filesize
3.9MB

Download
memory/4592-417-0x00007FF6CA5B0000-0x00007FF6CA9A1000-memory.dmp

Filesize
3.9MB

Download
memory/4592-2070-0x00007FF6CA5B0000-0x00007FF6CA9A1000-memory.dmp

Filesize
3.9MB

Download
memory/5044-59-0x00007FF65A380000-0x00007FF65A771000-memory.dmp

Filesize
3.9MB

Download
memory/5044-2016-0x00007FF65A380000-0x00007FF65A771000-memory.dmp

Filesize
3.9MB

Download
memory/5044-2039-0x00007FF65A380000-0x00007FF65A771000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads