xmrig | baccbd717a53849ea5b7539141967cc9d524549b7f09b90128c6762c0c81f272

Analysis

max time kernel
103s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
Size

1.7MB
MD5

063df0cd4a0aa064676b6a8f80a44391
SHA1

68f3b416292e388cbf5728c4fbd692e35d9c79f6
SHA256

baccbd717a53849ea5b7539141967cc9d524549b7f09b90128c6762c0c81f272
SHA512

ea3b1d46d40b194f010fe2151ab11f0aa1556fcac6d17ccf3a211b770419579348b890441e1fab62315ed59eb87ca9fb41d224f76296a6f819673be8896a2dc5
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO9C1MKTbcMfHhGjw2Do+BRrCfUgSIA3PR5:knw9oUUEEDlGUjc2HhG82DiA3v

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/708-47-0x00007FF703090000-0x00007FF703481000-memory.dmp	xmrig
behavioral2/memory/4344-475-0x00007FF7BE650000-0x00007FF7BEA41000-memory.dmp	xmrig
behavioral2/memory/532-477-0x00007FF7AB170000-0x00007FF7AB561000-memory.dmp	xmrig
behavioral2/memory/4944-478-0x00007FF6FA970000-0x00007FF6FAD61000-memory.dmp	xmrig
behavioral2/memory/4172-33-0x00007FF749B30000-0x00007FF749F21000-memory.dmp	xmrig
behavioral2/memory/2812-479-0x00007FF606D60000-0x00007FF607151000-memory.dmp	xmrig
behavioral2/memory/5064-481-0x00007FF7FAF10000-0x00007FF7FB301000-memory.dmp	xmrig
behavioral2/memory/4044-480-0x00007FF6DEAF0000-0x00007FF6DEEE1000-memory.dmp	xmrig
behavioral2/memory/3388-482-0x00007FF6D0840000-0x00007FF6D0C31000-memory.dmp	xmrig
behavioral2/memory/4056-484-0x00007FF70D660000-0x00007FF70DA51000-memory.dmp	xmrig
behavioral2/memory/4696-492-0x00007FF793D70000-0x00007FF794161000-memory.dmp	xmrig
behavioral2/memory/3340-483-0x00007FF6EA0D0000-0x00007FF6EA4C1000-memory.dmp	xmrig
behavioral2/memory/1812-494-0x00007FF6EFBC0000-0x00007FF6EFFB1000-memory.dmp	xmrig
behavioral2/memory/1688-499-0x00007FF6A09C0000-0x00007FF6A0DB1000-memory.dmp	xmrig
behavioral2/memory/2396-501-0x00007FF714D80000-0x00007FF715171000-memory.dmp	xmrig
behavioral2/memory/664-506-0x00007FF798670000-0x00007FF798A61000-memory.dmp	xmrig
behavioral2/memory/1636-510-0x00007FF7902E0000-0x00007FF7906D1000-memory.dmp	xmrig
behavioral2/memory/2144-514-0x00007FF65B8E0000-0x00007FF65BCD1000-memory.dmp	xmrig
behavioral2/memory/3720-511-0x00007FF6A1090000-0x00007FF6A1481000-memory.dmp	xmrig
behavioral2/memory/5012-518-0x00007FF6DAD70000-0x00007FF6DB161000-memory.dmp	xmrig
behavioral2/memory/2872-1958-0x00007FF74B8C0000-0x00007FF74BCB1000-memory.dmp	xmrig
behavioral2/memory/4028-1959-0x00007FF61FCC0000-0x00007FF6200B1000-memory.dmp	xmrig
behavioral2/memory/2592-1960-0x00007FF602FB0000-0x00007FF6033A1000-memory.dmp	xmrig
behavioral2/memory/888-1993-0x00007FF6E2020000-0x00007FF6E2411000-memory.dmp	xmrig
behavioral2/memory/4344-1994-0x00007FF7BE650000-0x00007FF7BEA41000-memory.dmp	xmrig
behavioral2/memory/2872-2000-0x00007FF74B8C0000-0x00007FF74BCB1000-memory.dmp	xmrig
behavioral2/memory/4028-2002-0x00007FF61FCC0000-0x00007FF6200B1000-memory.dmp	xmrig
behavioral2/memory/2144-2012-0x00007FF65B8E0000-0x00007FF65BCD1000-memory.dmp	xmrig
behavioral2/memory/2592-2010-0x00007FF602FB0000-0x00007FF6033A1000-memory.dmp	xmrig
behavioral2/memory/888-2008-0x00007FF6E2020000-0x00007FF6E2411000-memory.dmp	xmrig
behavioral2/memory/4172-2006-0x00007FF749B30000-0x00007FF749F21000-memory.dmp	xmrig
behavioral2/memory/708-2004-0x00007FF703090000-0x00007FF703481000-memory.dmp	xmrig
behavioral2/memory/5012-2034-0x00007FF6DAD70000-0x00007FF6DB161000-memory.dmp	xmrig
behavioral2/memory/1688-2042-0x00007FF6A09C0000-0x00007FF6A0DB1000-memory.dmp	xmrig
behavioral2/memory/1636-2046-0x00007FF7902E0000-0x00007FF7906D1000-memory.dmp	xmrig
behavioral2/memory/3720-2044-0x00007FF6A1090000-0x00007FF6A1481000-memory.dmp	xmrig
behavioral2/memory/2396-2040-0x00007FF714D80000-0x00007FF715171000-memory.dmp	xmrig
behavioral2/memory/664-2038-0x00007FF798670000-0x00007FF798A61000-memory.dmp	xmrig
behavioral2/memory/1812-2036-0x00007FF6EFBC0000-0x00007FF6EFFB1000-memory.dmp	xmrig
behavioral2/memory/2812-2032-0x00007FF606D60000-0x00007FF607151000-memory.dmp	xmrig
behavioral2/memory/4044-2030-0x00007FF6DEAF0000-0x00007FF6DEEE1000-memory.dmp	xmrig
behavioral2/memory/5064-2028-0x00007FF7FAF10000-0x00007FF7FB301000-memory.dmp	xmrig
behavioral2/memory/3340-2026-0x00007FF6EA0D0000-0x00007FF6EA4C1000-memory.dmp	xmrig
behavioral2/memory/3388-2024-0x00007FF6D0840000-0x00007FF6D0C31000-memory.dmp	xmrig
behavioral2/memory/4944-2022-0x00007FF6FA970000-0x00007FF6FAD61000-memory.dmp	xmrig
behavioral2/memory/4696-2020-0x00007FF793D70000-0x00007FF794161000-memory.dmp	xmrig
behavioral2/memory/4056-2018-0x00007FF70D660000-0x00007FF70DA51000-memory.dmp	xmrig
behavioral2/memory/4344-2014-0x00007FF7BE650000-0x00007FF7BEA41000-memory.dmp	xmrig
behavioral2/memory/532-2016-0x00007FF7AB170000-0x00007FF7AB561000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2872	cCUNKVN.exe
4028	JkGECqO.exe
888	LcqKFBS.exe
2592	vLChyvS.exe
4172	tMmRdPF.exe
708	aRDfyvJ.exe
2144	JtOdHAO.exe
4344	yuzWnvp.exe
5012	tGTkUtg.exe
532	OzeokAh.exe
4944	RlDqgQq.exe
2812	nrQLoCO.exe
4044	TfRxPXM.exe
5064	XsrjJPz.exe
3388	iWVPfPR.exe
3340	CArekZT.exe
4056	uHWXwnb.exe
4696	aTwdVNY.exe
1812	FIZHfrg.exe
1688	PvnhacR.exe
2396	akSoMmZ.exe
664	igduhBL.exe
1636	WbHAiYX.exe
3720	ahKcmAz.exe
1116	ROXCfaP.exe
2784	IYUiAOp.exe
3512	HHzYEQL.exe
4480	yfFxANS.exe
3296	WgkViSj.exe
3300	XAEhKES.exe
1104	UIiguaY.exe
432	psDEmsE.exe
2796	xhmRDfI.exe
4880	EMEnXZT.exe
3396	GiZMOPy.exe
4404	fIIfWeF.exe
1020	jHCxRqh.exe
5100	utFscvj.exe
2000	JnLURSQ.exe
2824	Czyfgqd.exe
4032	mgaMrkv.exe
372	qzoeDLM.exe
3144	dMoazel.exe
920	uHaNCXS.exe
2512	GtUCFWk.exe
208	ICMJlqL.exe
4360	wMqxwHs.exe
2804	AmpjMVn.exe
2520	wrurCSK.exe
3416	tnNxCcj.exe
3228	FYdPpxb.exe
4104	ASPwLxs.exe
3116	pTMlqNB.exe
4576	ymVDXxV.exe
4416	UKpsOyb.exe
1092	KScrgCl.exe
1800	ivkNTnm.exe
4448	FfmALDC.exe
2460	PQhkTwt.exe
2388	UrgtOHm.exe
1540	tDbkogh.exe
4836	TgtDWwI.exe
3168	tTYqzuA.exe
1372	diVuDHg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3428-0-0x00007FF6018D0000-0x00007FF601CC1000-memory.dmp	upx
behavioral2/files/0x000c000000023b50-5.dat	upx
behavioral2/memory/2872-6-0x00007FF74B8C0000-0x00007FF74BCB1000-memory.dmp	upx
behavioral2/files/0x000b000000023bac-10.dat	upx
behavioral2/files/0x000a000000023bae-15.dat	upx
behavioral2/files/0x000a000000023baf-16.dat	upx
behavioral2/memory/2592-21-0x00007FF602FB0000-0x00007FF6033A1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb0-26.dat	upx
behavioral2/files/0x000a000000023bb1-36.dat	upx
behavioral2/files/0x000a000000023bb3-42.dat	upx
behavioral2/memory/708-47-0x00007FF703090000-0x00007FF703481000-memory.dmp	upx
behavioral2/files/0x0031000000023bb4-52.dat	upx
behavioral2/files/0x0031000000023bb5-57.dat	upx
behavioral2/files/0x000a000000023bb7-65.dat	upx
behavioral2/files/0x000a000000023bb8-72.dat	upx
behavioral2/files/0x000a000000023bbd-97.dat	upx
behavioral2/files/0x000a000000023bbf-107.dat	upx
behavioral2/files/0x000a000000023bc1-117.dat	upx
behavioral2/files/0x000a000000023bc6-142.dat	upx
behavioral2/memory/4344-475-0x00007FF7BE650000-0x00007FF7BEA41000-memory.dmp	upx
behavioral2/memory/532-477-0x00007FF7AB170000-0x00007FF7AB561000-memory.dmp	upx
behavioral2/memory/4944-478-0x00007FF6FA970000-0x00007FF6FAD61000-memory.dmp	upx
behavioral2/files/0x000a000000023bcb-168.dat	upx
behavioral2/files/0x000a000000023bca-162.dat	upx
behavioral2/files/0x000a000000023bc9-158.dat	upx
behavioral2/files/0x000a000000023bc8-152.dat	upx
behavioral2/files/0x000a000000023bc7-147.dat	upx
behavioral2/files/0x000a000000023bc5-137.dat	upx
behavioral2/files/0x000a000000023bc4-132.dat	upx
behavioral2/files/0x000a000000023bc3-127.dat	upx
behavioral2/files/0x000a000000023bc2-122.dat	upx
behavioral2/files/0x000a000000023bc0-112.dat	upx
behavioral2/files/0x000a000000023bbe-102.dat	upx
behavioral2/files/0x000a000000023bbc-92.dat	upx
behavioral2/files/0x000a000000023bbb-87.dat	upx
behavioral2/files/0x000a000000023bba-82.dat	upx
behavioral2/files/0x000a000000023bb9-77.dat	upx
behavioral2/files/0x0031000000023bb6-62.dat	upx
behavioral2/files/0x000a000000023bb2-44.dat	upx
behavioral2/memory/4172-33-0x00007FF749B30000-0x00007FF749F21000-memory.dmp	upx
behavioral2/memory/888-25-0x00007FF6E2020000-0x00007FF6E2411000-memory.dmp	upx
behavioral2/memory/4028-19-0x00007FF61FCC0000-0x00007FF6200B1000-memory.dmp	upx
behavioral2/memory/2812-479-0x00007FF606D60000-0x00007FF607151000-memory.dmp	upx
behavioral2/memory/5064-481-0x00007FF7FAF10000-0x00007FF7FB301000-memory.dmp	upx
behavioral2/memory/4044-480-0x00007FF6DEAF0000-0x00007FF6DEEE1000-memory.dmp	upx
behavioral2/memory/3388-482-0x00007FF6D0840000-0x00007FF6D0C31000-memory.dmp	upx
behavioral2/memory/4056-484-0x00007FF70D660000-0x00007FF70DA51000-memory.dmp	upx
behavioral2/memory/4696-492-0x00007FF793D70000-0x00007FF794161000-memory.dmp	upx
behavioral2/memory/3340-483-0x00007FF6EA0D0000-0x00007FF6EA4C1000-memory.dmp	upx
behavioral2/memory/1812-494-0x00007FF6EFBC0000-0x00007FF6EFFB1000-memory.dmp	upx
behavioral2/memory/1688-499-0x00007FF6A09C0000-0x00007FF6A0DB1000-memory.dmp	upx
behavioral2/memory/2396-501-0x00007FF714D80000-0x00007FF715171000-memory.dmp	upx
behavioral2/memory/664-506-0x00007FF798670000-0x00007FF798A61000-memory.dmp	upx
behavioral2/memory/1636-510-0x00007FF7902E0000-0x00007FF7906D1000-memory.dmp	upx
behavioral2/memory/2144-514-0x00007FF65B8E0000-0x00007FF65BCD1000-memory.dmp	upx
behavioral2/memory/3720-511-0x00007FF6A1090000-0x00007FF6A1481000-memory.dmp	upx
behavioral2/memory/5012-518-0x00007FF6DAD70000-0x00007FF6DB161000-memory.dmp	upx
behavioral2/memory/2872-1958-0x00007FF74B8C0000-0x00007FF74BCB1000-memory.dmp	upx
behavioral2/memory/4028-1959-0x00007FF61FCC0000-0x00007FF6200B1000-memory.dmp	upx
behavioral2/memory/2592-1960-0x00007FF602FB0000-0x00007FF6033A1000-memory.dmp	upx
behavioral2/memory/888-1993-0x00007FF6E2020000-0x00007FF6E2411000-memory.dmp	upx
behavioral2/memory/4344-1994-0x00007FF7BE650000-0x00007FF7BEA41000-memory.dmp	upx
behavioral2/memory/2872-2000-0x00007FF74B8C0000-0x00007FF74BCB1000-memory.dmp	upx
behavioral2/memory/4028-2002-0x00007FF61FCC0000-0x00007FF6200B1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\rGRawgQ.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\nJKgJAo.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\ahKcmAz.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\MprauwA.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\IKgIyhl.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\nJvEwKX.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\QJSTKmk.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\klGOtxE.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\syLIHAq.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\tTYqzuA.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\JrXTReV.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\NbngbDr.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\LXjGYmk.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\fDYxkCJ.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\leMFwCm.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\RkqyKQR.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\PeKEqam.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\tMmRdPF.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\LkrFNxo.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\nrkzwQv.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\tRRoxjx.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\WnVhEhO.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\pVlITCx.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\BMxLUEz.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\fqDEGnL.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\sSXaXdu.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\mBgPicH.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\QBQoZCf.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\hBzZamJ.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\ASPwLxs.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\tnNxCcj.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\NusLqTQ.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\SchkDRw.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\RwYyyez.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\EIYbwVx.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\qieEhFf.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\sVuCDBc.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\iWVPfPR.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\hiBkMsE.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\XiHupCa.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\vkzVHkq.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\OzeokAh.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\JyoUhnI.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\pDRnTAd.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\BVYutQh.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\mOnucSZ.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\bFBOteE.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\mgaMrkv.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\LuQpMuS.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\eFFLNRe.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\YzkNCSf.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\BEbEWkf.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\WmRgWlY.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\hfGrkkA.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\CCPJLBV.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\JnLURSQ.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\nbKqUVL.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\MStsVSe.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\JwgLMzm.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\mXyfMBG.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\gjGzaPs.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\jtUqzZt.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\AVnncKd.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
File created	C:\Windows\System32\RmoryxD.exe	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1872	dwm.exe
Token: SeChangeNotifyPrivilege	1872	dwm.exe
Token: 33	1872	dwm.exe
Token: SeIncBasePriorityPrivilege	1872	dwm.exe
Token: SeShutdownPrivilege	1872	dwm.exe
Token: SeCreatePagefilePrivilege	1872	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 2872	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	85
PID 3428 wrote to memory of 2872	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	85
PID 3428 wrote to memory of 4028	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	86
PID 3428 wrote to memory of 4028	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	86
PID 3428 wrote to memory of 888	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	87
PID 3428 wrote to memory of 888	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	87
PID 3428 wrote to memory of 2592	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	88
PID 3428 wrote to memory of 2592	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	88
PID 3428 wrote to memory of 4172	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	89
PID 3428 wrote to memory of 4172	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	89
PID 3428 wrote to memory of 708	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	90
PID 3428 wrote to memory of 708	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	90
PID 3428 wrote to memory of 2144	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	91
PID 3428 wrote to memory of 2144	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	91
PID 3428 wrote to memory of 4344	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	92
PID 3428 wrote to memory of 4344	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	92
PID 3428 wrote to memory of 5012	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	93
PID 3428 wrote to memory of 5012	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	93
PID 3428 wrote to memory of 532	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	94
PID 3428 wrote to memory of 532	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	94
PID 3428 wrote to memory of 4944	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	95
PID 3428 wrote to memory of 4944	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	95
PID 3428 wrote to memory of 2812	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	96
PID 3428 wrote to memory of 2812	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	96
PID 3428 wrote to memory of 4044	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	97
PID 3428 wrote to memory of 4044	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	97
PID 3428 wrote to memory of 5064	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	98
PID 3428 wrote to memory of 5064	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	98
PID 3428 wrote to memory of 3388	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	99
PID 3428 wrote to memory of 3388	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	99
PID 3428 wrote to memory of 3340	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	100
PID 3428 wrote to memory of 3340	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	100
PID 3428 wrote to memory of 4056	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	101
PID 3428 wrote to memory of 4056	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	101
PID 3428 wrote to memory of 4696	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	102
PID 3428 wrote to memory of 4696	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	102
PID 3428 wrote to memory of 1812	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	103
PID 3428 wrote to memory of 1812	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	103
PID 3428 wrote to memory of 1688	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	104
PID 3428 wrote to memory of 1688	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	104
PID 3428 wrote to memory of 2396	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	105
PID 3428 wrote to memory of 2396	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	105
PID 3428 wrote to memory of 664	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	106
PID 3428 wrote to memory of 664	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	106
PID 3428 wrote to memory of 1636	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	107
PID 3428 wrote to memory of 1636	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	107
PID 3428 wrote to memory of 3720	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	108
PID 3428 wrote to memory of 3720	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	108
PID 3428 wrote to memory of 1116	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	109
PID 3428 wrote to memory of 1116	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	109
PID 3428 wrote to memory of 2784	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	110
PID 3428 wrote to memory of 2784	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	110
PID 3428 wrote to memory of 3512	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	111
PID 3428 wrote to memory of 3512	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	111
PID 3428 wrote to memory of 4480	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	112
PID 3428 wrote to memory of 4480	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	112
PID 3428 wrote to memory of 3296	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	113
PID 3428 wrote to memory of 3296	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	113
PID 3428 wrote to memory of 3300	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	114
PID 3428 wrote to memory of 3300	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	114
PID 3428 wrote to memory of 1104	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	115
PID 3428 wrote to memory of 1104	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	115
PID 3428 wrote to memory of 432	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	116
PID 3428 wrote to memory of 432	3428	063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\063df0cd4a0aa064676b6a8f80a44391_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\System32\cCUNKVN.exe
  C:\Windows\System32\cCUNKVN.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System32\JkGECqO.exe
  C:\Windows\System32\JkGECqO.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\LcqKFBS.exe
  C:\Windows\System32\LcqKFBS.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System32\vLChyvS.exe
  C:\Windows\System32\vLChyvS.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System32\tMmRdPF.exe
  C:\Windows\System32\tMmRdPF.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System32\aRDfyvJ.exe
  C:\Windows\System32\aRDfyvJ.exe
  2⤵
  - Executes dropped EXE
  PID:708
- C:\Windows\System32\JtOdHAO.exe
  C:\Windows\System32\JtOdHAO.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System32\yuzWnvp.exe
  C:\Windows\System32\yuzWnvp.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\tGTkUtg.exe
  C:\Windows\System32\tGTkUtg.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\OzeokAh.exe
  C:\Windows\System32\OzeokAh.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\RlDqgQq.exe
  C:\Windows\System32\RlDqgQq.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\nrQLoCO.exe
  C:\Windows\System32\nrQLoCO.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System32\TfRxPXM.exe
  C:\Windows\System32\TfRxPXM.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\XsrjJPz.exe
  C:\Windows\System32\XsrjJPz.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\iWVPfPR.exe
  C:\Windows\System32\iWVPfPR.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System32\CArekZT.exe
  C:\Windows\System32\CArekZT.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\uHWXwnb.exe
  C:\Windows\System32\uHWXwnb.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\aTwdVNY.exe
  C:\Windows\System32\aTwdVNY.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\FIZHfrg.exe
  C:\Windows\System32\FIZHfrg.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\PvnhacR.exe
  C:\Windows\System32\PvnhacR.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System32\akSoMmZ.exe
  C:\Windows\System32\akSoMmZ.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\igduhBL.exe
  C:\Windows\System32\igduhBL.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System32\WbHAiYX.exe
  C:\Windows\System32\WbHAiYX.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\ahKcmAz.exe
  C:\Windows\System32\ahKcmAz.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\ROXCfaP.exe
  C:\Windows\System32\ROXCfaP.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System32\IYUiAOp.exe
  C:\Windows\System32\IYUiAOp.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System32\HHzYEQL.exe
  C:\Windows\System32\HHzYEQL.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\yfFxANS.exe
  C:\Windows\System32\yfFxANS.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\WgkViSj.exe
  C:\Windows\System32\WgkViSj.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System32\XAEhKES.exe
  C:\Windows\System32\XAEhKES.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System32\UIiguaY.exe
  C:\Windows\System32\UIiguaY.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System32\psDEmsE.exe
  C:\Windows\System32\psDEmsE.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\xhmRDfI.exe
  C:\Windows\System32\xhmRDfI.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System32\EMEnXZT.exe
  C:\Windows\System32\EMEnXZT.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\GiZMOPy.exe
  C:\Windows\System32\GiZMOPy.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System32\fIIfWeF.exe
  C:\Windows\System32\fIIfWeF.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\jHCxRqh.exe
  C:\Windows\System32\jHCxRqh.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System32\utFscvj.exe
  C:\Windows\System32\utFscvj.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\JnLURSQ.exe
  C:\Windows\System32\JnLURSQ.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System32\Czyfgqd.exe
  C:\Windows\System32\Czyfgqd.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System32\mgaMrkv.exe
  C:\Windows\System32\mgaMrkv.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\qzoeDLM.exe
  C:\Windows\System32\qzoeDLM.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System32\dMoazel.exe
  C:\Windows\System32\dMoazel.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System32\uHaNCXS.exe
  C:\Windows\System32\uHaNCXS.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System32\GtUCFWk.exe
  C:\Windows\System32\GtUCFWk.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System32\ICMJlqL.exe
  C:\Windows\System32\ICMJlqL.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System32\wMqxwHs.exe
  C:\Windows\System32\wMqxwHs.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\AmpjMVn.exe
  C:\Windows\System32\AmpjMVn.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System32\wrurCSK.exe
  C:\Windows\System32\wrurCSK.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System32\tnNxCcj.exe
  C:\Windows\System32\tnNxCcj.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System32\FYdPpxb.exe
  C:\Windows\System32\FYdPpxb.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System32\ASPwLxs.exe
  C:\Windows\System32\ASPwLxs.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System32\pTMlqNB.exe
  C:\Windows\System32\pTMlqNB.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System32\ymVDXxV.exe
  C:\Windows\System32\ymVDXxV.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\UKpsOyb.exe
  C:\Windows\System32\UKpsOyb.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\KScrgCl.exe
  C:\Windows\System32\KScrgCl.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System32\ivkNTnm.exe
  C:\Windows\System32\ivkNTnm.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\FfmALDC.exe
  C:\Windows\System32\FfmALDC.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\PQhkTwt.exe
  C:\Windows\System32\PQhkTwt.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System32\UrgtOHm.exe
  C:\Windows\System32\UrgtOHm.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System32\tDbkogh.exe
  C:\Windows\System32\tDbkogh.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\TgtDWwI.exe
  C:\Windows\System32\TgtDWwI.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System32\tTYqzuA.exe
  C:\Windows\System32\tTYqzuA.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\diVuDHg.exe
  C:\Windows\System32\diVuDHg.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System32\EfoyuvL.exe
  C:\Windows\System32\EfoyuvL.exe
  2⤵
  PID:468
- C:\Windows\System32\YOmZZgx.exe
  C:\Windows\System32\YOmZZgx.exe
  2⤵
  PID:2428
- C:\Windows\System32\WNptplr.exe
  C:\Windows\System32\WNptplr.exe
  2⤵
  PID:4180
- C:\Windows\System32\PPCHffb.exe
  C:\Windows\System32\PPCHffb.exe
  2⤵
  PID:232
- C:\Windows\System32\AHSIeBR.exe
  C:\Windows\System32\AHSIeBR.exe
  2⤵
  PID:3492
- C:\Windows\System32\LwrWHVC.exe
  C:\Windows\System32\LwrWHVC.exe
  2⤵
  PID:3780
- C:\Windows\System32\NusLqTQ.exe
  C:\Windows\System32\NusLqTQ.exe
  2⤵
  PID:4072
- C:\Windows\System32\JrXTReV.exe
  C:\Windows\System32\JrXTReV.exe
  2⤵
  PID:1788
- C:\Windows\System32\YFmDgtb.exe
  C:\Windows\System32\YFmDgtb.exe
  2⤵
  PID:2840
- C:\Windows\System32\NmfFUul.exe
  C:\Windows\System32\NmfFUul.exe
  2⤵
  PID:2336
- C:\Windows\System32\pHhZqOo.exe
  C:\Windows\System32\pHhZqOo.exe
  2⤵
  PID:1908
- C:\Windows\System32\sROfDje.exe
  C:\Windows\System32\sROfDje.exe
  2⤵
  PID:1200
- C:\Windows\System32\qJTnwwF.exe
  C:\Windows\System32\qJTnwwF.exe
  2⤵
  PID:4768
- C:\Windows\System32\XoOggoQ.exe
  C:\Windows\System32\XoOggoQ.exe
  2⤵
  PID:4256
- C:\Windows\System32\kSwOnNC.exe
  C:\Windows\System32\kSwOnNC.exe
  2⤵
  PID:5136
- C:\Windows\System32\vfvknOd.exe
  C:\Windows\System32\vfvknOd.exe
  2⤵
  PID:5160
- C:\Windows\System32\YzLajsG.exe
  C:\Windows\System32\YzLajsG.exe
  2⤵
  PID:5192
- C:\Windows\System32\nrJOzkR.exe
  C:\Windows\System32\nrJOzkR.exe
  2⤵
  PID:5220
- C:\Windows\System32\vGvBIBA.exe
  C:\Windows\System32\vGvBIBA.exe
  2⤵
  PID:5248
- C:\Windows\System32\rlmWzdR.exe
  C:\Windows\System32\rlmWzdR.exe
  2⤵
  PID:5276
- C:\Windows\System32\aJbiOYq.exe
  C:\Windows\System32\aJbiOYq.exe
  2⤵
  PID:5304
- C:\Windows\System32\JvWzwdl.exe
  C:\Windows\System32\JvWzwdl.exe
  2⤵
  PID:5332
- C:\Windows\System32\IEvhkSY.exe
  C:\Windows\System32\IEvhkSY.exe
  2⤵
  PID:5360
- C:\Windows\System32\OUaxIgI.exe
  C:\Windows\System32\OUaxIgI.exe
  2⤵
  PID:5388
- C:\Windows\System32\rNIwmtw.exe
  C:\Windows\System32\rNIwmtw.exe
  2⤵
  PID:5420
- C:\Windows\System32\VzrpXWH.exe
  C:\Windows\System32\VzrpXWH.exe
  2⤵
  PID:5444
- C:\Windows\System32\tMnUJBw.exe
  C:\Windows\System32\tMnUJBw.exe
  2⤵
  PID:5472
- C:\Windows\System32\BtMLdVP.exe
  C:\Windows\System32\BtMLdVP.exe
  2⤵
  PID:5500
- C:\Windows\System32\raEXtMh.exe
  C:\Windows\System32\raEXtMh.exe
  2⤵
  PID:5532
- C:\Windows\System32\uJspNdZ.exe
  C:\Windows\System32\uJspNdZ.exe
  2⤵
  PID:5552
- C:\Windows\System32\LIeJBSD.exe
  C:\Windows\System32\LIeJBSD.exe
  2⤵
  PID:5584
- C:\Windows\System32\AoHWZNP.exe
  C:\Windows\System32\AoHWZNP.exe
  2⤵
  PID:5616
- C:\Windows\System32\KkekGJu.exe
  C:\Windows\System32\KkekGJu.exe
  2⤵
  PID:5644
- C:\Windows\System32\NtIWtqI.exe
  C:\Windows\System32\NtIWtqI.exe
  2⤵
  PID:5668
- C:\Windows\System32\eadiWqk.exe
  C:\Windows\System32\eadiWqk.exe
  2⤵
  PID:5696
- C:\Windows\System32\cmIHFxG.exe
  C:\Windows\System32\cmIHFxG.exe
  2⤵
  PID:5728
- C:\Windows\System32\qfRqLaB.exe
  C:\Windows\System32\qfRqLaB.exe
  2⤵
  PID:5756
- C:\Windows\System32\MaABfnA.exe
  C:\Windows\System32\MaABfnA.exe
  2⤵
  PID:5784
- C:\Windows\System32\MOTnApU.exe
  C:\Windows\System32\MOTnApU.exe
  2⤵
  PID:5816
- C:\Windows\System32\KOuHCha.exe
  C:\Windows\System32\KOuHCha.exe
  2⤵
  PID:5832
- C:\Windows\System32\YKjAXQc.exe
  C:\Windows\System32\YKjAXQc.exe
  2⤵
  PID:5860
- C:\Windows\System32\NbngbDr.exe
  C:\Windows\System32\NbngbDr.exe
  2⤵
  PID:5888
- C:\Windows\System32\pSpCiyO.exe
  C:\Windows\System32\pSpCiyO.exe
  2⤵
  PID:5916
- C:\Windows\System32\dwgNocI.exe
  C:\Windows\System32\dwgNocI.exe
  2⤵
  PID:5944
- C:\Windows\System32\LXqjpCC.exe
  C:\Windows\System32\LXqjpCC.exe
  2⤵
  PID:5972
- C:\Windows\System32\HdYBYAu.exe
  C:\Windows\System32\HdYBYAu.exe
  2⤵
  PID:6000
- C:\Windows\System32\idAqWDO.exe
  C:\Windows\System32\idAqWDO.exe
  2⤵
  PID:6028
- C:\Windows\System32\ZWLKjPJ.exe
  C:\Windows\System32\ZWLKjPJ.exe
  2⤵
  PID:6056
- C:\Windows\System32\iZqAiut.exe
  C:\Windows\System32\iZqAiut.exe
  2⤵
  PID:6084
- C:\Windows\System32\syaZniy.exe
  C:\Windows\System32\syaZniy.exe
  2⤵
  PID:6112
- C:\Windows\System32\NIPEVXR.exe
  C:\Windows\System32\NIPEVXR.exe
  2⤵
  PID:6140
- C:\Windows\System32\UlGwKkg.exe
  C:\Windows\System32\UlGwKkg.exe
  2⤵
  PID:1612
- C:\Windows\System32\ZoLhxcJ.exe
  C:\Windows\System32\ZoLhxcJ.exe
  2⤵
  PID:3392
- C:\Windows\System32\qmBqLYn.exe
  C:\Windows\System32\qmBqLYn.exe
  2⤵
  PID:4432
- C:\Windows\System32\FaetsBh.exe
  C:\Windows\System32\FaetsBh.exe
  2⤵
  PID:1168
- C:\Windows\System32\Antfsik.exe
  C:\Windows\System32\Antfsik.exe
  2⤵
  PID:5152
- C:\Windows\System32\rWCTqTu.exe
  C:\Windows\System32\rWCTqTu.exe
  2⤵
  PID:5212
- C:\Windows\System32\KuwsTwL.exe
  C:\Windows\System32\KuwsTwL.exe
  2⤵
  PID:5256
- C:\Windows\System32\hBzZamJ.exe
  C:\Windows\System32\hBzZamJ.exe
  2⤵
  PID:5348
- C:\Windows\System32\KkEsfoW.exe
  C:\Windows\System32\KkEsfoW.exe
  2⤵
  PID:5404
- C:\Windows\System32\MXnZyJI.exe
  C:\Windows\System32\MXnZyJI.exe
  2⤵
  PID:5464
- C:\Windows\System32\IYurACu.exe
  C:\Windows\System32\IYurACu.exe
  2⤵
  PID:5508
- C:\Windows\System32\ZwnmzQW.exe
  C:\Windows\System32\ZwnmzQW.exe
  2⤵
  PID:5600
- C:\Windows\System32\LuQpMuS.exe
  C:\Windows\System32\LuQpMuS.exe
  2⤵
  PID:5660
- C:\Windows\System32\FHnfyXK.exe
  C:\Windows\System32\FHnfyXK.exe
  2⤵
  PID:5712
- C:\Windows\System32\jdiISVo.exe
  C:\Windows\System32\jdiISVo.exe
  2⤵
  PID:1196
- C:\Windows\System32\kXEnzTa.exe
  C:\Windows\System32\kXEnzTa.exe
  2⤵
  PID:5800
- C:\Windows\System32\orxwoNQ.exe
  C:\Windows\System32\orxwoNQ.exe
  2⤵
  PID:5868
- C:\Windows\System32\LXjGYmk.exe
  C:\Windows\System32\LXjGYmk.exe
  2⤵
  PID:5924
- C:\Windows\System32\qGGJXjD.exe
  C:\Windows\System32\qGGJXjD.exe
  2⤵
  PID:5988
- C:\Windows\System32\LNUStjf.exe
  C:\Windows\System32\LNUStjf.exe
  2⤵
  PID:6008
- C:\Windows\System32\ndjSiNz.exe
  C:\Windows\System32\ndjSiNz.exe
  2⤵
  PID:4276
- C:\Windows\System32\peATMir.exe
  C:\Windows\System32\peATMir.exe
  2⤵
  PID:5000
- C:\Windows\System32\bmQwYUX.exe
  C:\Windows\System32\bmQwYUX.exe
  2⤵
  PID:5128
- C:\Windows\System32\MprauwA.exe
  C:\Windows\System32\MprauwA.exe
  2⤵
  PID:5236
- C:\Windows\System32\eFFLNRe.exe
  C:\Windows\System32\eFFLNRe.exe
  2⤵
  PID:5428
- C:\Windows\System32\dxmTHAA.exe
  C:\Windows\System32\dxmTHAA.exe
  2⤵
  PID:5540
- C:\Windows\System32\pfvpfjt.exe
  C:\Windows\System32\pfvpfjt.exe
  2⤵
  PID:5704
- C:\Windows\System32\TtqpcAU.exe
  C:\Windows\System32\TtqpcAU.exe
  2⤵
  PID:3956
- C:\Windows\System32\YzkNCSf.exe
  C:\Windows\System32\YzkNCSf.exe
  2⤵
  PID:3900
- C:\Windows\System32\mTuRpKO.exe
  C:\Windows\System32\mTuRpKO.exe
  2⤵
  PID:5840
- C:\Windows\System32\YZuGyyd.exe
  C:\Windows\System32\YZuGyyd.exe
  2⤵
  PID:4216
- C:\Windows\System32\poCxOeD.exe
  C:\Windows\System32\poCxOeD.exe
  2⤵
  PID:6016
- C:\Windows\System32\jWsAYuB.exe
  C:\Windows\System32\jWsAYuB.exe
  2⤵
  PID:4912
- C:\Windows\System32\JKgvedS.exe
  C:\Windows\System32\JKgvedS.exe
  2⤵
  PID:4144
- C:\Windows\System32\hhusiCf.exe
  C:\Windows\System32\hhusiCf.exe
  2⤵
  PID:3452
- C:\Windows\System32\EMpzmyk.exe
  C:\Windows\System32\EMpzmyk.exe
  2⤵
  PID:2112
- C:\Windows\System32\qAkJKjI.exe
  C:\Windows\System32\qAkJKjI.exe
  2⤵
  PID:5004
- C:\Windows\System32\OIPvJtS.exe
  C:\Windows\System32\OIPvJtS.exe
  2⤵
  PID:5380
- C:\Windows\System32\bOXdbJT.exe
  C:\Windows\System32\bOXdbJT.exe
  2⤵
  PID:5228
- C:\Windows\System32\PiETswL.exe
  C:\Windows\System32\PiETswL.exe
  2⤵
  PID:2772
- C:\Windows\System32\hvJiuym.exe
  C:\Windows\System32\hvJiuym.exe
  2⤵
  PID:2452
- C:\Windows\System32\wokoHEe.exe
  C:\Windows\System32\wokoHEe.exe
  2⤵
  PID:5296
- C:\Windows\System32\CwWBubR.exe
  C:\Windows\System32\CwWBubR.exe
  2⤵
  PID:516
- C:\Windows\System32\ESQLXbO.exe
  C:\Windows\System32\ESQLXbO.exe
  2⤵
  PID:3944
- C:\Windows\System32\yVEKftd.exe
  C:\Windows\System32\yVEKftd.exe
  2⤵
  PID:3980
- C:\Windows\System32\kRnrgzN.exe
  C:\Windows\System32\kRnrgzN.exe
  2⤵
  PID:5980
- C:\Windows\System32\JyoUhnI.exe
  C:\Windows\System32\JyoUhnI.exe
  2⤵
  PID:2540
- C:\Windows\System32\yuhbzwB.exe
  C:\Windows\System32\yuhbzwB.exe
  2⤵
  PID:6148
- C:\Windows\System32\yTjzgxL.exe
  C:\Windows\System32\yTjzgxL.exe
  2⤵
  PID:6172
- C:\Windows\System32\kwgACVf.exe
  C:\Windows\System32\kwgACVf.exe
  2⤵
  PID:6188
- C:\Windows\System32\kOmGthd.exe
  C:\Windows\System32\kOmGthd.exe
  2⤵
  PID:6204
- C:\Windows\System32\BVRZmuN.exe
  C:\Windows\System32\BVRZmuN.exe
  2⤵
  PID:6256
- C:\Windows\System32\OrmqpWK.exe
  C:\Windows\System32\OrmqpWK.exe
  2⤵
  PID:6276
- C:\Windows\System32\kXuTbyi.exe
  C:\Windows\System32\kXuTbyi.exe
  2⤵
  PID:6324
- C:\Windows\System32\fzfIstA.exe
  C:\Windows\System32\fzfIstA.exe
  2⤵
  PID:6348
- C:\Windows\System32\oRtYGaW.exe
  C:\Windows\System32\oRtYGaW.exe
  2⤵
  PID:6392
- C:\Windows\System32\KYZdpSP.exe
  C:\Windows\System32\KYZdpSP.exe
  2⤵
  PID:6420
- C:\Windows\System32\cdJWeNr.exe
  C:\Windows\System32\cdJWeNr.exe
  2⤵
  PID:6440
- C:\Windows\System32\LUGirYS.exe
  C:\Windows\System32\LUGirYS.exe
  2⤵
  PID:6460
- C:\Windows\System32\iemHhck.exe
  C:\Windows\System32\iemHhck.exe
  2⤵
  PID:6480
- C:\Windows\System32\SPXAwpO.exe
  C:\Windows\System32\SPXAwpO.exe
  2⤵
  PID:6500
- C:\Windows\System32\KqMRmLF.exe
  C:\Windows\System32\KqMRmLF.exe
  2⤵
  PID:6516
- C:\Windows\System32\OWwIFUD.exe
  C:\Windows\System32\OWwIFUD.exe
  2⤵
  PID:6544
- C:\Windows\System32\pVyXebJ.exe
  C:\Windows\System32\pVyXebJ.exe
  2⤵
  PID:6564
- C:\Windows\System32\RcDvBkh.exe
  C:\Windows\System32\RcDvBkh.exe
  2⤵
  PID:6640
- C:\Windows\System32\gjGzaPs.exe
  C:\Windows\System32\gjGzaPs.exe
  2⤵
  PID:6688
- C:\Windows\System32\rmchPrq.exe
  C:\Windows\System32\rmchPrq.exe
  2⤵
  PID:6708
- C:\Windows\System32\IuZLCdg.exe
  C:\Windows\System32\IuZLCdg.exe
  2⤵
  PID:6732
- C:\Windows\System32\tCXmSQR.exe
  C:\Windows\System32\tCXmSQR.exe
  2⤵
  PID:6748
- C:\Windows\System32\tQbegwy.exe
  C:\Windows\System32\tQbegwy.exe
  2⤵
  PID:6784
- C:\Windows\System32\faSNcRn.exe
  C:\Windows\System32\faSNcRn.exe
  2⤵
  PID:6804
- C:\Windows\System32\fkOpBgD.exe
  C:\Windows\System32\fkOpBgD.exe
  2⤵
  PID:6824
- C:\Windows\System32\mxvLPWz.exe
  C:\Windows\System32\mxvLPWz.exe
  2⤵
  PID:6884
- C:\Windows\System32\GYLIrBq.exe
  C:\Windows\System32\GYLIrBq.exe
  2⤵
  PID:6900
- C:\Windows\System32\XTGXRMo.exe
  C:\Windows\System32\XTGXRMo.exe
  2⤵
  PID:6920
- C:\Windows\System32\motJAki.exe
  C:\Windows\System32\motJAki.exe
  2⤵
  PID:6936
- C:\Windows\System32\dAbaCzM.exe
  C:\Windows\System32\dAbaCzM.exe
  2⤵
  PID:6960
- C:\Windows\System32\IKgIyhl.exe
  C:\Windows\System32\IKgIyhl.exe
  2⤵
  PID:6980
- C:\Windows\System32\pZLNtBN.exe
  C:\Windows\System32\pZLNtBN.exe
  2⤵
  PID:7036
- C:\Windows\System32\KjNmTQV.exe
  C:\Windows\System32\KjNmTQV.exe
  2⤵
  PID:7060
- C:\Windows\System32\rZvSwvy.exe
  C:\Windows\System32\rZvSwvy.exe
  2⤵
  PID:7084
- C:\Windows\System32\dlxlhqK.exe
  C:\Windows\System32\dlxlhqK.exe
  2⤵
  PID:7108
- C:\Windows\System32\TYrMDbU.exe
  C:\Windows\System32\TYrMDbU.exe
  2⤵
  PID:7152
- C:\Windows\System32\mHIlMsu.exe
  C:\Windows\System32\mHIlMsu.exe
  2⤵
  PID:6160
- C:\Windows\System32\EUYvQqM.exe
  C:\Windows\System32\EUYvQqM.exe
  2⤵
  PID:6180
- C:\Windows\System32\oDoGQMT.exe
  C:\Windows\System32\oDoGQMT.exe
  2⤵
  PID:6228
- C:\Windows\System32\xDiBLgb.exe
  C:\Windows\System32\xDiBLgb.exe
  2⤵
  PID:6284
- C:\Windows\System32\nBrRvaM.exe
  C:\Windows\System32\nBrRvaM.exe
  2⤵
  PID:6336
- C:\Windows\System32\mBgPicH.exe
  C:\Windows\System32\mBgPicH.exe
  2⤵
  PID:6472
- C:\Windows\System32\sWxJnaq.exe
  C:\Windows\System32\sWxJnaq.exe
  2⤵
  PID:6476
- C:\Windows\System32\otyyBPv.exe
  C:\Windows\System32\otyyBPv.exe
  2⤵
  PID:6596
- C:\Windows\System32\gjftsAm.exe
  C:\Windows\System32\gjftsAm.exe
  2⤵
  PID:6624
- C:\Windows\System32\tUevkBD.exe
  C:\Windows\System32\tUevkBD.exe
  2⤵
  PID:6684
- C:\Windows\System32\jGUouyK.exe
  C:\Windows\System32\jGUouyK.exe
  2⤵
  PID:6800
- C:\Windows\System32\cDUrfnc.exe
  C:\Windows\System32\cDUrfnc.exe
  2⤵
  PID:6832
- C:\Windows\System32\PAFLmGB.exe
  C:\Windows\System32\PAFLmGB.exe
  2⤵
  PID:6896
- C:\Windows\System32\yjYmMhW.exe
  C:\Windows\System32\yjYmMhW.exe
  2⤵
  PID:6948
- C:\Windows\System32\VxKiAlg.exe
  C:\Windows\System32\VxKiAlg.exe
  2⤵
  PID:6996
- C:\Windows\System32\EvgVoUq.exe
  C:\Windows\System32\EvgVoUq.exe
  2⤵
  PID:7044
- C:\Windows\System32\eHmVfWu.exe
  C:\Windows\System32\eHmVfWu.exe
  2⤵
  PID:7048
- C:\Windows\System32\iNKWvVL.exe
  C:\Windows\System32\iNKWvVL.exe
  2⤵
  PID:6296
- C:\Windows\System32\jpZdouJ.exe
  C:\Windows\System32\jpZdouJ.exe
  2⤵
  PID:6380
- C:\Windows\System32\wCLsFrL.exe
  C:\Windows\System32\wCLsFrL.exe
  2⤵
  PID:6512
- C:\Windows\System32\tRRoxjx.exe
  C:\Windows\System32\tRRoxjx.exe
  2⤵
  PID:6716
- C:\Windows\System32\MDllXMF.exe
  C:\Windows\System32\MDllXMF.exe
  2⤵
  PID:6864
- C:\Windows\System32\cXgWmoF.exe
  C:\Windows\System32\cXgWmoF.exe
  2⤵
  PID:7080
- C:\Windows\System32\fDYxkCJ.exe
  C:\Windows\System32\fDYxkCJ.exe
  2⤵
  PID:7096
- C:\Windows\System32\icJcdyq.exe
  C:\Windows\System32\icJcdyq.exe
  2⤵
  PID:6268
- C:\Windows\System32\DQONuge.exe
  C:\Windows\System32\DQONuge.exe
  2⤵
  PID:6908
- C:\Windows\System32\kCYSJzN.exe
  C:\Windows\System32\kCYSJzN.exe
  2⤵
  PID:7056
- C:\Windows\System32\ipqFKyq.exe
  C:\Windows\System32\ipqFKyq.exe
  2⤵
  PID:6764
- C:\Windows\System32\CsVtlhl.exe
  C:\Windows\System32\CsVtlhl.exe
  2⤵
  PID:7196
- C:\Windows\System32\KrcKSKG.exe
  C:\Windows\System32\KrcKSKG.exe
  2⤵
  PID:7212
- C:\Windows\System32\aiUxrWE.exe
  C:\Windows\System32\aiUxrWE.exe
  2⤵
  PID:7252
- C:\Windows\System32\yxbziPU.exe
  C:\Windows\System32\yxbziPU.exe
  2⤵
  PID:7268
- C:\Windows\System32\bHBUlvm.exe
  C:\Windows\System32\bHBUlvm.exe
  2⤵
  PID:7308
- C:\Windows\System32\xQrmGoU.exe
  C:\Windows\System32\xQrmGoU.exe
  2⤵
  PID:7324
- C:\Windows\System32\NzLnGkJ.exe
  C:\Windows\System32\NzLnGkJ.exe
  2⤵
  PID:7344
- C:\Windows\System32\xBXawfs.exe
  C:\Windows\System32\xBXawfs.exe
  2⤵
  PID:7368
- C:\Windows\System32\HaXIokt.exe
  C:\Windows\System32\HaXIokt.exe
  2⤵
  PID:7400
- C:\Windows\System32\RfRxrCS.exe
  C:\Windows\System32\RfRxrCS.exe
  2⤵
  PID:7420
- C:\Windows\System32\EJBfuMK.exe
  C:\Windows\System32\EJBfuMK.exe
  2⤵
  PID:7440
- C:\Windows\System32\VtrDhUW.exe
  C:\Windows\System32\VtrDhUW.exe
  2⤵
  PID:7460
- C:\Windows\System32\EtpNrnD.exe
  C:\Windows\System32\EtpNrnD.exe
  2⤵
  PID:7508
- C:\Windows\System32\OkXgKmB.exe
  C:\Windows\System32\OkXgKmB.exe
  2⤵
  PID:7536
- C:\Windows\System32\rXSqSgW.exe
  C:\Windows\System32\rXSqSgW.exe
  2⤵
  PID:7556
- C:\Windows\System32\VjidAEX.exe
  C:\Windows\System32\VjidAEX.exe
  2⤵
  PID:7584
- C:\Windows\System32\szaARTE.exe
  C:\Windows\System32\szaARTE.exe
  2⤵
  PID:7600
- C:\Windows\System32\RifPvSu.exe
  C:\Windows\System32\RifPvSu.exe
  2⤵
  PID:7624
- C:\Windows\System32\PqGvYEy.exe
  C:\Windows\System32\PqGvYEy.exe
  2⤵
  PID:7652
- C:\Windows\System32\qAxNvQV.exe
  C:\Windows\System32\qAxNvQV.exe
  2⤵
  PID:7708
- C:\Windows\System32\FRAxnyw.exe
  C:\Windows\System32\FRAxnyw.exe
  2⤵
  PID:7728
- C:\Windows\System32\bKFLxOh.exe
  C:\Windows\System32\bKFLxOh.exe
  2⤵
  PID:7760
- C:\Windows\System32\MNuBDlb.exe
  C:\Windows\System32\MNuBDlb.exe
  2⤵
  PID:7780
- C:\Windows\System32\YLEhCIC.exe
  C:\Windows\System32\YLEhCIC.exe
  2⤵
  PID:7812
- C:\Windows\System32\tgFDzgk.exe
  C:\Windows\System32\tgFDzgk.exe
  2⤵
  PID:7852
- C:\Windows\System32\zxcqsQM.exe
  C:\Windows\System32\zxcqsQM.exe
  2⤵
  PID:7884
- C:\Windows\System32\tKsKEYz.exe
  C:\Windows\System32\tKsKEYz.exe
  2⤵
  PID:7904
- C:\Windows\System32\vdUTfQe.exe
  C:\Windows\System32\vdUTfQe.exe
  2⤵
  PID:7924
- C:\Windows\System32\WnVhEhO.exe
  C:\Windows\System32\WnVhEhO.exe
  2⤵
  PID:7952
- C:\Windows\System32\SAMKaYg.exe
  C:\Windows\System32\SAMKaYg.exe
  2⤵
  PID:7992
- C:\Windows\System32\tZglGLF.exe
  C:\Windows\System32\tZglGLF.exe
  2⤵
  PID:8036
- C:\Windows\System32\TmoUJQp.exe
  C:\Windows\System32\TmoUJQp.exe
  2⤵
  PID:8064
- C:\Windows\System32\zjqoohZ.exe
  C:\Windows\System32\zjqoohZ.exe
  2⤵
  PID:8096
- C:\Windows\System32\oHAEgLJ.exe
  C:\Windows\System32\oHAEgLJ.exe
  2⤵
  PID:8112
- C:\Windows\System32\zUTLKNK.exe
  C:\Windows\System32\zUTLKNK.exe
  2⤵
  PID:8128
- C:\Windows\System32\BEbEWkf.exe
  C:\Windows\System32\BEbEWkf.exe
  2⤵
  PID:8148
- C:\Windows\System32\jJBnqfC.exe
  C:\Windows\System32\jJBnqfC.exe
  2⤵
  PID:8172
- C:\Windows\System32\lsFynnz.exe
  C:\Windows\System32\lsFynnz.exe
  2⤵
  PID:8188
- C:\Windows\System32\szHinfs.exe
  C:\Windows\System32\szHinfs.exe
  2⤵
  PID:7220
- C:\Windows\System32\zBdwvzu.exe
  C:\Windows\System32\zBdwvzu.exe
  2⤵
  PID:7296
- C:\Windows\System32\SiaemiF.exe
  C:\Windows\System32\SiaemiF.exe
  2⤵
  PID:7436
- C:\Windows\System32\goBjjkw.exe
  C:\Windows\System32\goBjjkw.exe
  2⤵
  PID:7412
- C:\Windows\System32\qopNOkm.exe
  C:\Windows\System32\qopNOkm.exe
  2⤵
  PID:7520
- C:\Windows\System32\VeYrMEu.exe
  C:\Windows\System32\VeYrMEu.exe
  2⤵
  PID:7548
- C:\Windows\System32\CgOUAdd.exe
  C:\Windows\System32\CgOUAdd.exe
  2⤵
  PID:7684
- C:\Windows\System32\uLQETjZ.exe
  C:\Windows\System32\uLQETjZ.exe
  2⤵
  PID:7740
- C:\Windows\System32\NYpXkWf.exe
  C:\Windows\System32\NYpXkWf.exe
  2⤵
  PID:7792
- C:\Windows\System32\IXrjRrh.exe
  C:\Windows\System32\IXrjRrh.exe
  2⤵
  PID:7868
- C:\Windows\System32\YpJfwui.exe
  C:\Windows\System32\YpJfwui.exe
  2⤵
  PID:7892
- C:\Windows\System32\ySgosJA.exe
  C:\Windows\System32\ySgosJA.exe
  2⤵
  PID:7972
- C:\Windows\System32\XZknXEG.exe
  C:\Windows\System32\XZknXEG.exe
  2⤵
  PID:8004
- C:\Windows\System32\zfVzJPu.exe
  C:\Windows\System32\zfVzJPu.exe
  2⤵
  PID:8088
- C:\Windows\System32\taWaILg.exe
  C:\Windows\System32\taWaILg.exe
  2⤵
  PID:8184
- C:\Windows\System32\FUciRbo.exe
  C:\Windows\System32\FUciRbo.exe
  2⤵
  PID:7352
- C:\Windows\System32\WmRgWlY.exe
  C:\Windows\System32\WmRgWlY.exe
  2⤵
  PID:7260
- C:\Windows\System32\ooAEEgR.exe
  C:\Windows\System32\ooAEEgR.exe
  2⤵
  PID:7496
- C:\Windows\System32\rNvWvVd.exe
  C:\Windows\System32\rNvWvVd.exe
  2⤵
  PID:7468
- C:\Windows\System32\sPYgDjg.exe
  C:\Windows\System32\sPYgDjg.exe
  2⤵
  PID:7936
- C:\Windows\System32\IHCjGDM.exe
  C:\Windows\System32\IHCjGDM.exe
  2⤵
  PID:8056
- C:\Windows\System32\ydzltGy.exe
  C:\Windows\System32\ydzltGy.exe
  2⤵
  PID:7148
- C:\Windows\System32\ihFyHdG.exe
  C:\Windows\System32\ihFyHdG.exe
  2⤵
  PID:7608
- C:\Windows\System32\RwYdaul.exe
  C:\Windows\System32\RwYdaul.exe
  2⤵
  PID:7844
- C:\Windows\System32\SebhTYR.exe
  C:\Windows\System32\SebhTYR.exe
  2⤵
  PID:8140
- C:\Windows\System32\aNvHVlP.exe
  C:\Windows\System32\aNvHVlP.exe
  2⤵
  PID:8208
- C:\Windows\System32\RDWWZlr.exe
  C:\Windows\System32\RDWWZlr.exe
  2⤵
  PID:8244
- C:\Windows\System32\vmwaoYh.exe
  C:\Windows\System32\vmwaoYh.exe
  2⤵
  PID:8288
- C:\Windows\System32\UlJHWzU.exe
  C:\Windows\System32\UlJHWzU.exe
  2⤵
  PID:8312
- C:\Windows\System32\lnrBYzC.exe
  C:\Windows\System32\lnrBYzC.exe
  2⤵
  PID:8328
- C:\Windows\System32\XUYXXSl.exe
  C:\Windows\System32\XUYXXSl.exe
  2⤵
  PID:8360
- C:\Windows\System32\oTJwAMN.exe
  C:\Windows\System32\oTJwAMN.exe
  2⤵
  PID:8376
- C:\Windows\System32\UzwjdQR.exe
  C:\Windows\System32\UzwjdQR.exe
  2⤵
  PID:8404
- C:\Windows\System32\PgAyIUn.exe
  C:\Windows\System32\PgAyIUn.exe
  2⤵
  PID:8440
- C:\Windows\System32\FTtzMCG.exe
  C:\Windows\System32\FTtzMCG.exe
  2⤵
  PID:8480
- C:\Windows\System32\leMFwCm.exe
  C:\Windows\System32\leMFwCm.exe
  2⤵
  PID:8496
- C:\Windows\System32\kxyiDhP.exe
  C:\Windows\System32\kxyiDhP.exe
  2⤵
  PID:8516
- C:\Windows\System32\daypzxn.exe
  C:\Windows\System32\daypzxn.exe
  2⤵
  PID:8544
- C:\Windows\System32\HkrHgfu.exe
  C:\Windows\System32\HkrHgfu.exe
  2⤵
  PID:8568
- C:\Windows\System32\zrndSCP.exe
  C:\Windows\System32\zrndSCP.exe
  2⤵
  PID:8616
- C:\Windows\System32\WqFrdQj.exe
  C:\Windows\System32\WqFrdQj.exe
  2⤵
  PID:8636
- C:\Windows\System32\yJJbKUW.exe
  C:\Windows\System32\yJJbKUW.exe
  2⤵
  PID:8684
- C:\Windows\System32\rSHAmSu.exe
  C:\Windows\System32\rSHAmSu.exe
  2⤵
  PID:8708
- C:\Windows\System32\hfGrkkA.exe
  C:\Windows\System32\hfGrkkA.exe
  2⤵
  PID:8724
- C:\Windows\System32\mffpgFH.exe
  C:\Windows\System32\mffpgFH.exe
  2⤵
  PID:8772
- C:\Windows\System32\LmZkauZ.exe
  C:\Windows\System32\LmZkauZ.exe
  2⤵
  PID:8804
- C:\Windows\System32\rGRawgQ.exe
  C:\Windows\System32\rGRawgQ.exe
  2⤵
  PID:8836
- C:\Windows\System32\cHEtKrb.exe
  C:\Windows\System32\cHEtKrb.exe
  2⤵
  PID:8860
- C:\Windows\System32\OFookYI.exe
  C:\Windows\System32\OFookYI.exe
  2⤵
  PID:8884
- C:\Windows\System32\JhDiGXD.exe
  C:\Windows\System32\JhDiGXD.exe
  2⤵
  PID:8900
- C:\Windows\System32\KoiSekw.exe
  C:\Windows\System32\KoiSekw.exe
  2⤵
  PID:8920
- C:\Windows\System32\qYNlgka.exe
  C:\Windows\System32\qYNlgka.exe
  2⤵
  PID:8968
- C:\Windows\System32\LoSmonz.exe
  C:\Windows\System32\LoSmonz.exe
  2⤵
  PID:8992
- C:\Windows\System32\pDRnTAd.exe
  C:\Windows\System32\pDRnTAd.exe
  2⤵
  PID:9016
- C:\Windows\System32\yKwwzjm.exe
  C:\Windows\System32\yKwwzjm.exe
  2⤵
  PID:9040
- C:\Windows\System32\TwYbDTO.exe
  C:\Windows\System32\TwYbDTO.exe
  2⤵
  PID:9056
- C:\Windows\System32\TiOGtap.exe
  C:\Windows\System32\TiOGtap.exe
  2⤵
  PID:9080
- C:\Windows\System32\dJSZaCf.exe
  C:\Windows\System32\dJSZaCf.exe
  2⤵
  PID:9200
- C:\Windows\System32\EhXsfNh.exe
  C:\Windows\System32\EhXsfNh.exe
  2⤵
  PID:7428
- C:\Windows\System32\yYPyMnU.exe
  C:\Windows\System32\yYPyMnU.exe
  2⤵
  PID:8196
- C:\Windows\System32\RkqyKQR.exe
  C:\Windows\System32\RkqyKQR.exe
  2⤵
  PID:8232
- C:\Windows\System32\tQObuXa.exe
  C:\Windows\System32\tQObuXa.exe
  2⤵
  PID:8264
- C:\Windows\System32\CFGSLOy.exe
  C:\Windows\System32\CFGSLOy.exe
  2⤵
  PID:8308
- C:\Windows\System32\apPYxrK.exe
  C:\Windows\System32\apPYxrK.exe
  2⤵
  PID:8340
- C:\Windows\System32\SKxaWfC.exe
  C:\Windows\System32\SKxaWfC.exe
  2⤵
  PID:8372
- C:\Windows\System32\AQwtYuo.exe
  C:\Windows\System32\AQwtYuo.exe
  2⤵
  PID:8420
- C:\Windows\System32\EMvSOFu.exe
  C:\Windows\System32\EMvSOFu.exe
  2⤵
  PID:8468
- C:\Windows\System32\nmRnUtW.exe
  C:\Windows\System32\nmRnUtW.exe
  2⤵
  PID:8492
- C:\Windows\System32\gcurVOF.exe
  C:\Windows\System32\gcurVOF.exe
  2⤵
  PID:8560
- C:\Windows\System32\TCRYRyt.exe
  C:\Windows\System32\TCRYRyt.exe
  2⤵
  PID:8624
- C:\Windows\System32\WtTAPfx.exe
  C:\Windows\System32\WtTAPfx.exe
  2⤵
  PID:8656
- C:\Windows\System32\mCTPopX.exe
  C:\Windows\System32\mCTPopX.exe
  2⤵
  PID:3792
- C:\Windows\System32\BVYutQh.exe
  C:\Windows\System32\BVYutQh.exe
  2⤵
  PID:8788
- C:\Windows\System32\MjaReaF.exe
  C:\Windows\System32\MjaReaF.exe
  2⤵
  PID:8820
- C:\Windows\System32\tDKiHUB.exe
  C:\Windows\System32\tDKiHUB.exe
  2⤵
  PID:9052
- C:\Windows\System32\rpdCUeK.exe
  C:\Windows\System32\rpdCUeK.exe
  2⤵
  PID:8584
- C:\Windows\System32\GqPvbLF.exe
  C:\Windows\System32\GqPvbLF.exe
  2⤵
  PID:8240
- C:\Windows\System32\pOQcagy.exe
  C:\Windows\System32\pOQcagy.exe
  2⤵
  PID:8476
- C:\Windows\System32\CDgQNOO.exe
  C:\Windows\System32\CDgQNOO.exe
  2⤵
  PID:8628
- C:\Windows\System32\frjMUfU.exe
  C:\Windows\System32\frjMUfU.exe
  2⤵
  PID:8912
- C:\Windows\System32\WyFrfEo.exe
  C:\Windows\System32\WyFrfEo.exe
  2⤵
  PID:9108
- C:\Windows\System32\leavJRV.exe
  C:\Windows\System32\leavJRV.exe
  2⤵
  PID:9196
- C:\Windows\System32\QORbXTo.exe
  C:\Windows\System32\QORbXTo.exe
  2⤵
  PID:8664
- C:\Windows\System32\xaGcygc.exe
  C:\Windows\System32\xaGcygc.exe
  2⤵
  PID:8940
- C:\Windows\System32\sFgewYA.exe
  C:\Windows\System32\sFgewYA.exe
  2⤵
  PID:8344
- C:\Windows\System32\bGCBGXc.exe
  C:\Windows\System32\bGCBGXc.exe
  2⤵
  PID:8272
- C:\Windows\System32\nJvEwKX.exe
  C:\Windows\System32\nJvEwKX.exe
  2⤵
  PID:9104
- C:\Windows\System32\tgTIoPX.exe
  C:\Windows\System32\tgTIoPX.exe
  2⤵
  PID:9208
- C:\Windows\System32\pVlITCx.exe
  C:\Windows\System32\pVlITCx.exe
  2⤵
  PID:9176
- C:\Windows\System32\ZSavdfv.exe
  C:\Windows\System32\ZSavdfv.exe
  2⤵
  PID:9244
- C:\Windows\System32\QYElfYH.exe
  C:\Windows\System32\QYElfYH.exe
  2⤵
  PID:9264
- C:\Windows\System32\asyqVUM.exe
  C:\Windows\System32\asyqVUM.exe
  2⤵
  PID:9292
- C:\Windows\System32\NymcWjy.exe
  C:\Windows\System32\NymcWjy.exe
  2⤵
  PID:9308
- C:\Windows\System32\SUdiUEW.exe
  C:\Windows\System32\SUdiUEW.exe
  2⤵
  PID:9348
- C:\Windows\System32\QEeCgOb.exe
  C:\Windows\System32\QEeCgOb.exe
  2⤵
  PID:9408
- C:\Windows\System32\viHVgLZ.exe
  C:\Windows\System32\viHVgLZ.exe
  2⤵
  PID:9428
- C:\Windows\System32\lVyDctZ.exe
  C:\Windows\System32\lVyDctZ.exe
  2⤵
  PID:9456
- C:\Windows\System32\UQGRHEo.exe
  C:\Windows\System32\UQGRHEo.exe
  2⤵
  PID:9476
- C:\Windows\System32\PucLdHl.exe
  C:\Windows\System32\PucLdHl.exe
  2⤵
  PID:9528
- C:\Windows\System32\TvRSAcq.exe
  C:\Windows\System32\TvRSAcq.exe
  2⤵
  PID:9548
- C:\Windows\System32\AjrQFiM.exe
  C:\Windows\System32\AjrQFiM.exe
  2⤵
  PID:9572
- C:\Windows\System32\amQuVAJ.exe
  C:\Windows\System32\amQuVAJ.exe
  2⤵
  PID:9588
- C:\Windows\System32\cWcsRHy.exe
  C:\Windows\System32\cWcsRHy.exe
  2⤵
  PID:9612
- C:\Windows\System32\CgYFcVs.exe
  C:\Windows\System32\CgYFcVs.exe
  2⤵
  PID:9632
- C:\Windows\System32\KlYEEoJ.exe
  C:\Windows\System32\KlYEEoJ.exe
  2⤵
  PID:9656
- C:\Windows\System32\MpJYVyH.exe
  C:\Windows\System32\MpJYVyH.exe
  2⤵
  PID:9672
- C:\Windows\System32\eLYhQEW.exe
  C:\Windows\System32\eLYhQEW.exe
  2⤵
  PID:9696
- C:\Windows\System32\AvzDWAv.exe
  C:\Windows\System32\AvzDWAv.exe
  2⤵
  PID:9736
- C:\Windows\System32\EYIhJFC.exe
  C:\Windows\System32\EYIhJFC.exe
  2⤵
  PID:9752
- C:\Windows\System32\ZbsQtNB.exe
  C:\Windows\System32\ZbsQtNB.exe
  2⤵
  PID:9788
- C:\Windows\System32\fvYoAzZ.exe
  C:\Windows\System32\fvYoAzZ.exe
  2⤵
  PID:9812
- C:\Windows\System32\kdHCkTg.exe
  C:\Windows\System32\kdHCkTg.exe
  2⤵
  PID:9836
- C:\Windows\System32\ZMsruBb.exe
  C:\Windows\System32\ZMsruBb.exe
  2⤵
  PID:9876
- C:\Windows\System32\tYnCEdL.exe
  C:\Windows\System32\tYnCEdL.exe
  2⤵
  PID:9892
- C:\Windows\System32\PeKEqam.exe
  C:\Windows\System32\PeKEqam.exe
  2⤵
  PID:9948
- C:\Windows\System32\GPTYrpU.exe
  C:\Windows\System32\GPTYrpU.exe
  2⤵
  PID:9992
- C:\Windows\System32\wBEXlcN.exe
  C:\Windows\System32\wBEXlcN.exe
  2⤵
  PID:10016
- C:\Windows\System32\ZjpcsWJ.exe
  C:\Windows\System32\ZjpcsWJ.exe
  2⤵
  PID:10044
- C:\Windows\System32\IceAiab.exe
  C:\Windows\System32\IceAiab.exe
  2⤵
  PID:10064
- C:\Windows\System32\QJSTKmk.exe
  C:\Windows\System32\QJSTKmk.exe
  2⤵
  PID:10100
- C:\Windows\System32\TGzHDHe.exe
  C:\Windows\System32\TGzHDHe.exe
  2⤵
  PID:10132
- C:\Windows\System32\OMRFeUw.exe
  C:\Windows\System32\OMRFeUw.exe
  2⤵
  PID:10152
- C:\Windows\System32\MENqkAb.exe
  C:\Windows\System32\MENqkAb.exe
  2⤵
  PID:10180
- C:\Windows\System32\SchkDRw.exe
  C:\Windows\System32\SchkDRw.exe
  2⤵
  PID:10200
- C:\Windows\System32\WhOwjyf.exe
  C:\Windows\System32\WhOwjyf.exe
  2⤵
  PID:9228
- C:\Windows\System32\nDXHceZ.exe
  C:\Windows\System32\nDXHceZ.exe
  2⤵
  PID:9304
- C:\Windows\System32\KRBdVSv.exe
  C:\Windows\System32\KRBdVSv.exe
  2⤵
  PID:9332
- C:\Windows\System32\mXyfMBG.exe
  C:\Windows\System32\mXyfMBG.exe
  2⤵
  PID:9424
- C:\Windows\System32\RABikwc.exe
  C:\Windows\System32\RABikwc.exe
  2⤵
  PID:9508
- C:\Windows\System32\RJURoPN.exe
  C:\Windows\System32\RJURoPN.exe
  2⤵
  PID:9584
- C:\Windows\System32\qDQzMoF.exe
  C:\Windows\System32\qDQzMoF.exe
  2⤵
  PID:9580
- C:\Windows\System32\ozLUEPV.exe
  C:\Windows\System32\ozLUEPV.exe
  2⤵
  PID:9664
- C:\Windows\System32\tcfkHqv.exe
  C:\Windows\System32\tcfkHqv.exe
  2⤵
  PID:9680
- C:\Windows\System32\jtUqzZt.exe
  C:\Windows\System32\jtUqzZt.exe
  2⤵
  PID:9768
- C:\Windows\System32\EIfkCju.exe
  C:\Windows\System32\EIfkCju.exe
  2⤵
  PID:9848
- C:\Windows\System32\pfzoaVa.exe
  C:\Windows\System32\pfzoaVa.exe
  2⤵
  PID:9908
- C:\Windows\System32\mtVdtnf.exe
  C:\Windows\System32\mtVdtnf.exe
  2⤵
  PID:9984
- C:\Windows\System32\XlOhHQI.exe
  C:\Windows\System32\XlOhHQI.exe
  2⤵
  PID:10000
- C:\Windows\System32\FGnmYqW.exe
  C:\Windows\System32\FGnmYqW.exe
  2⤵
  PID:10092
- C:\Windows\System32\bWGUroN.exe
  C:\Windows\System32\bWGUroN.exe
  2⤵
  PID:10112
- C:\Windows\System32\QtjYiEs.exe
  C:\Windows\System32\QtjYiEs.exe
  2⤵
  PID:9320
- C:\Windows\System32\spyKThP.exe
  C:\Windows\System32\spyKThP.exe
  2⤵
  PID:9404
- C:\Windows\System32\RYdaNqJ.exe
  C:\Windows\System32\RYdaNqJ.exe
  2⤵
  PID:9048
- C:\Windows\System32\OkDgije.exe
  C:\Windows\System32\OkDgije.exe
  2⤵
  PID:9620
- C:\Windows\System32\klGOtxE.exe
  C:\Windows\System32\klGOtxE.exe
  2⤵
  PID:9744
- C:\Windows\System32\xuUkAMk.exe
  C:\Windows\System32\xuUkAMk.exe
  2⤵
  PID:10024
- C:\Windows\System32\MBdasPW.exe
  C:\Windows\System32\MBdasPW.exe
  2⤵
  PID:10060
- C:\Windows\System32\xXurGtl.exe
  C:\Windows\System32\xXurGtl.exe
  2⤵
  PID:9364
- C:\Windows\System32\roWDURk.exe
  C:\Windows\System32\roWDURk.exe
  2⤵
  PID:9556
- C:\Windows\System32\aKzqKii.exe
  C:\Windows\System32\aKzqKii.exe
  2⤵
  PID:9644
- C:\Windows\System32\SlUVlbU.exe
  C:\Windows\System32\SlUVlbU.exe
  2⤵
  PID:10192
- C:\Windows\System32\SWrUoEo.exe
  C:\Windows\System32\SWrUoEo.exe
  2⤵
  PID:10264
- C:\Windows\System32\OrxjAtT.exe
  C:\Windows\System32\OrxjAtT.exe
  2⤵
  PID:10292
- C:\Windows\System32\AgVywop.exe
  C:\Windows\System32\AgVywop.exe
  2⤵
  PID:10308
- C:\Windows\System32\uBfCevW.exe
  C:\Windows\System32\uBfCevW.exe
  2⤵
  PID:10328
- C:\Windows\System32\XSfbiMc.exe
  C:\Windows\System32\XSfbiMc.exe
  2⤵
  PID:10352
- C:\Windows\System32\SjcLgDj.exe
  C:\Windows\System32\SjcLgDj.exe
  2⤵
  PID:10372
- C:\Windows\System32\EktoZVi.exe
  C:\Windows\System32\EktoZVi.exe
  2⤵
  PID:10396
- C:\Windows\System32\joLFxnL.exe
  C:\Windows\System32\joLFxnL.exe
  2⤵
  PID:10460
- C:\Windows\System32\pjazWKH.exe
  C:\Windows\System32\pjazWKH.exe
  2⤵
  PID:10484
- C:\Windows\System32\LHMXGjp.exe
  C:\Windows\System32\LHMXGjp.exe
  2⤵
  PID:10516
- C:\Windows\System32\FlIFHXk.exe
  C:\Windows\System32\FlIFHXk.exe
  2⤵
  PID:10544
- C:\Windows\System32\oRbaELo.exe
  C:\Windows\System32\oRbaELo.exe
  2⤵
  PID:10564
- C:\Windows\System32\HswKwTX.exe
  C:\Windows\System32\HswKwTX.exe
  2⤵
  PID:10588
- C:\Windows\System32\nuAbSaf.exe
  C:\Windows\System32\nuAbSaf.exe
  2⤵
  PID:10608
- C:\Windows\System32\FRhbyAr.exe
  C:\Windows\System32\FRhbyAr.exe
  2⤵
  PID:10648
- C:\Windows\System32\ivUCypr.exe
  C:\Windows\System32\ivUCypr.exe
  2⤵
  PID:10684
- C:\Windows\System32\yJmYDXz.exe
  C:\Windows\System32\yJmYDXz.exe
  2⤵
  PID:10712
- C:\Windows\System32\pzJiWJk.exe
  C:\Windows\System32\pzJiWJk.exe
  2⤵
  PID:10752
- C:\Windows\System32\RBxrRcX.exe
  C:\Windows\System32\RBxrRcX.exe
  2⤵
  PID:10768
- C:\Windows\System32\QoVpstV.exe
  C:\Windows\System32\QoVpstV.exe
  2⤵
  PID:10796
- C:\Windows\System32\syLIHAq.exe
  C:\Windows\System32\syLIHAq.exe
  2⤵
  PID:10812
- C:\Windows\System32\arGkdgf.exe
  C:\Windows\System32\arGkdgf.exe
  2⤵
  PID:10840
- C:\Windows\System32\xnpDfJi.exe
  C:\Windows\System32\xnpDfJi.exe
  2⤵
  PID:10868
- C:\Windows\System32\YgSrgLb.exe
  C:\Windows\System32\YgSrgLb.exe
  2⤵
  PID:10908
- C:\Windows\System32\wMfGofg.exe
  C:\Windows\System32\wMfGofg.exe
  2⤵
  PID:10928
- C:\Windows\System32\aLryrCZ.exe
  C:\Windows\System32\aLryrCZ.exe
  2⤵
  PID:10956
- C:\Windows\System32\JwwMsWB.exe
  C:\Windows\System32\JwwMsWB.exe
  2⤵
  PID:10972
- C:\Windows\System32\QREpgoz.exe
  C:\Windows\System32\QREpgoz.exe
  2⤵
  PID:11016
- C:\Windows\System32\UQhcabj.exe
  C:\Windows\System32\UQhcabj.exe
  2⤵
  PID:11052
- C:\Windows\System32\dmjbbxt.exe
  C:\Windows\System32\dmjbbxt.exe
  2⤵
  PID:11076
- C:\Windows\System32\CDvYQNa.exe
  C:\Windows\System32\CDvYQNa.exe
  2⤵
  PID:11096
- C:\Windows\System32\IkWQdGZ.exe
  C:\Windows\System32\IkWQdGZ.exe
  2⤵
  PID:11124
- C:\Windows\System32\skkUyQb.exe
  C:\Windows\System32\skkUyQb.exe
  2⤵
  PID:11152
- C:\Windows\System32\ZyLJGMk.exe
  C:\Windows\System32\ZyLJGMk.exe
  2⤵
  PID:11172
- C:\Windows\System32\jNMmHRb.exe
  C:\Windows\System32\jNMmHRb.exe
  2⤵
  PID:11204
- C:\Windows\System32\RwYyyez.exe
  C:\Windows\System32\RwYyyez.exe
  2⤵
  PID:11236
- C:\Windows\System32\ELlyGwc.exe
  C:\Windows\System32\ELlyGwc.exe
  2⤵
  PID:11252
- C:\Windows\System32\fPiQNyr.exe
  C:\Windows\System32\fPiQNyr.exe
  2⤵
  PID:10304
- C:\Windows\System32\OUTKPyO.exe
  C:\Windows\System32\OUTKPyO.exe
  2⤵
  PID:10368
- C:\Windows\System32\cMbtaIh.exe
  C:\Windows\System32\cMbtaIh.exe
  2⤵
  PID:10424
- C:\Windows\System32\STltYPS.exe
  C:\Windows\System32\STltYPS.exe
  2⤵
  PID:10512
- C:\Windows\System32\eFcKaPf.exe
  C:\Windows\System32\eFcKaPf.exe
  2⤵
  PID:10576
- C:\Windows\System32\KDNWdEE.exe
  C:\Windows\System32\KDNWdEE.exe
  2⤵
  PID:10604
- C:\Windows\System32\zItTExy.exe
  C:\Windows\System32\zItTExy.exe
  2⤵
  PID:10696
- C:\Windows\System32\GDIIQvg.exe
  C:\Windows\System32\GDIIQvg.exe
  2⤵
  PID:10748
- C:\Windows\System32\alJCGBb.exe
  C:\Windows\System32\alJCGBb.exe
  2⤵
  PID:10848
- C:\Windows\System32\lQObAJq.exe
  C:\Windows\System32\lQObAJq.exe
  2⤵
  PID:10892
- C:\Windows\System32\PeCkVHX.exe
  C:\Windows\System32\PeCkVHX.exe
  2⤵
  PID:10992
- C:\Windows\System32\MJbXuVV.exe
  C:\Windows\System32\MJbXuVV.exe
  2⤵
  PID:11032
- C:\Windows\System32\tVilBPW.exe
  C:\Windows\System32\tVilBPW.exe
  2⤵
  PID:11084
- C:\Windows\System32\ecGnHal.exe
  C:\Windows\System32\ecGnHal.exe
  2⤵
  PID:11108
- C:\Windows\System32\dqptLry.exe
  C:\Windows\System32\dqptLry.exe
  2⤵
  PID:11148
- C:\Windows\System32\gnRmRct.exe
  C:\Windows\System32\gnRmRct.exe
  2⤵
  PID:11220
- C:\Windows\System32\mIXISwM.exe
  C:\Windows\System32\mIXISwM.exe
  2⤵
  PID:9628
- C:\Windows\System32\ceOMLsQ.exe
  C:\Windows\System32\ceOMLsQ.exe
  2⤵
  PID:10504
- C:\Windows\System32\pDAllLV.exe
  C:\Windows\System32\pDAllLV.exe
  2⤵
  PID:4972
- C:\Windows\System32\QNcmpuj.exe
  C:\Windows\System32\QNcmpuj.exe
  2⤵
  PID:10828
- C:\Windows\System32\vbfVdnW.exe
  C:\Windows\System32\vbfVdnW.exe
  2⤵
  PID:11112
- C:\Windows\System32\MnLrwvu.exe
  C:\Windows\System32\MnLrwvu.exe
  2⤵
  PID:11228
- C:\Windows\System32\hMYPbSS.exe
  C:\Windows\System32\hMYPbSS.exe
  2⤵
  PID:10252
- C:\Windows\System32\RwwbJYX.exe
  C:\Windows\System32\RwwbJYX.exe
  2⤵
  PID:10532
- C:\Windows\System32\aTpuKuy.exe
  C:\Windows\System32\aTpuKuy.exe
  2⤵
  PID:10952
- C:\Windows\System32\qWbSaZB.exe
  C:\Windows\System32\qWbSaZB.exe
  2⤵
  PID:10600
- C:\Windows\System32\bbETGuv.exe
  C:\Windows\System32\bbETGuv.exe
  2⤵
  PID:11248
- C:\Windows\System32\qlPPdbv.exe
  C:\Windows\System32\qlPPdbv.exe
  2⤵
  PID:11288
- C:\Windows\System32\EIYbwVx.exe
  C:\Windows\System32\EIYbwVx.exe
  2⤵
  PID:11308
- C:\Windows\System32\LHsyvRq.exe
  C:\Windows\System32\LHsyvRq.exe
  2⤵
  PID:11340
- C:\Windows\System32\cXKBnEA.exe
  C:\Windows\System32\cXKBnEA.exe
  2⤵
  PID:11360
- C:\Windows\System32\daDLHah.exe
  C:\Windows\System32\daDLHah.exe
  2⤵
  PID:11388
- C:\Windows\System32\DePETVn.exe
  C:\Windows\System32\DePETVn.exe
  2⤵
  PID:11420
- C:\Windows\System32\IPkCdIO.exe
  C:\Windows\System32\IPkCdIO.exe
  2⤵
  PID:11460
- C:\Windows\System32\EGioixT.exe
  C:\Windows\System32\EGioixT.exe
  2⤵
  PID:11484
- C:\Windows\System32\bhWMRLk.exe
  C:\Windows\System32\bhWMRLk.exe
  2⤵
  PID:11504
- C:\Windows\System32\PQYXwin.exe
  C:\Windows\System32\PQYXwin.exe
  2⤵
  PID:11532
- C:\Windows\System32\tHrcVyO.exe
  C:\Windows\System32\tHrcVyO.exe
  2⤵
  PID:11556
- C:\Windows\System32\mOnucSZ.exe
  C:\Windows\System32\mOnucSZ.exe
  2⤵
  PID:11604
- C:\Windows\System32\oYTjwjw.exe
  C:\Windows\System32\oYTjwjw.exe
  2⤵
  PID:11628
- C:\Windows\System32\CCPJLBV.exe
  C:\Windows\System32\CCPJLBV.exe
  2⤵
  PID:11664
- C:\Windows\System32\urMVfBG.exe
  C:\Windows\System32\urMVfBG.exe
  2⤵
  PID:11684
- C:\Windows\System32\nPesrcg.exe
  C:\Windows\System32\nPesrcg.exe
  2⤵
  PID:11712
- C:\Windows\System32\xHFcrUV.exe
  C:\Windows\System32\xHFcrUV.exe
  2⤵
  PID:11740
- C:\Windows\System32\BMxLUEz.exe
  C:\Windows\System32\BMxLUEz.exe
  2⤵
  PID:11768
- C:\Windows\System32\RbCwHdh.exe
  C:\Windows\System32\RbCwHdh.exe
  2⤵
  PID:11792
- C:\Windows\System32\mLXnlyL.exe
  C:\Windows\System32\mLXnlyL.exe
  2⤵
  PID:11816
- C:\Windows\System32\qtxQrae.exe
  C:\Windows\System32\qtxQrae.exe
  2⤵
  PID:11832
- C:\Windows\System32\XjBYVGf.exe
  C:\Windows\System32\XjBYVGf.exe
  2⤵
  PID:11860
- C:\Windows\System32\uitLCOE.exe
  C:\Windows\System32\uitLCOE.exe
  2⤵
  PID:11880
- C:\Windows\System32\MfjFMNp.exe
  C:\Windows\System32\MfjFMNp.exe
  2⤵
  PID:11904
- C:\Windows\System32\wkcDqtv.exe
  C:\Windows\System32\wkcDqtv.exe
  2⤵
  PID:11920
- C:\Windows\System32\oMdBgwp.exe
  C:\Windows\System32\oMdBgwp.exe
  2⤵
  PID:11976
- C:\Windows\System32\MStsVSe.exe
  C:\Windows\System32\MStsVSe.exe
  2⤵
  PID:12024
- C:\Windows\System32\wRqncND.exe
  C:\Windows\System32\wRqncND.exe
  2⤵
  PID:12040
- C:\Windows\System32\gIJfZjD.exe
  C:\Windows\System32\gIJfZjD.exe
  2⤵
  PID:12068
- C:\Windows\System32\ycehcgx.exe
  C:\Windows\System32\ycehcgx.exe
  2⤵
  PID:12120
- C:\Windows\System32\lOMlYab.exe
  C:\Windows\System32\lOMlYab.exe
  2⤵
  PID:12136
- C:\Windows\System32\OwpkPHM.exe
  C:\Windows\System32\OwpkPHM.exe
  2⤵
  PID:12156
- C:\Windows\System32\IjKAwhm.exe
  C:\Windows\System32\IjKAwhm.exe
  2⤵
  PID:12176
- C:\Windows\System32\QVNifrq.exe
  C:\Windows\System32\QVNifrq.exe
  2⤵
  PID:12192
- C:\Windows\System32\cvIeBgZ.exe
  C:\Windows\System32\cvIeBgZ.exe
  2⤵
  PID:12220
- C:\Windows\System32\YZQMynO.exe
  C:\Windows\System32\YZQMynO.exe
  2⤵
  PID:12248
- C:\Windows\System32\jNIlgAq.exe
  C:\Windows\System32\jNIlgAq.exe
  2⤵
  PID:12268
- C:\Windows\System32\XiHupCa.exe
  C:\Windows\System32\XiHupCa.exe
  2⤵
  PID:11296
- C:\Windows\System32\fBmCFEf.exe
  C:\Windows\System32\fBmCFEf.exe
  2⤵
  PID:11400
- C:\Windows\System32\fqDEGnL.exe
  C:\Windows\System32\fqDEGnL.exe
  2⤵
  PID:11492
- C:\Windows\System32\WXNtqBM.exe
  C:\Windows\System32\WXNtqBM.exe
  2⤵
  PID:11552
- C:\Windows\System32\FSNHALn.exe
  C:\Windows\System32\FSNHALn.exe
  2⤵
  PID:11572
- C:\Windows\System32\mhOGbIC.exe
  C:\Windows\System32\mhOGbIC.exe
  2⤵
  PID:11648
- C:\Windows\System32\QBQoZCf.exe
  C:\Windows\System32\QBQoZCf.exe
  2⤵
  PID:11732
- C:\Windows\System32\auExIfo.exe
  C:\Windows\System32\auExIfo.exe
  2⤵
  PID:11780
- C:\Windows\System32\DMwLDMW.exe
  C:\Windows\System32\DMwLDMW.exe
  2⤵
  PID:11848
- C:\Windows\System32\ABjBVDT.exe
  C:\Windows\System32\ABjBVDT.exe
  2⤵
  PID:11876
- C:\Windows\System32\McUoLRQ.exe
  C:\Windows\System32\McUoLRQ.exe
  2⤵
  PID:11928
- C:\Windows\System32\vkzVHkq.exe
  C:\Windows\System32\vkzVHkq.exe
  2⤵
  PID:12008
- C:\Windows\System32\qDFgdYR.exe
  C:\Windows\System32\qDFgdYR.exe
  2⤵
  PID:12056
- C:\Windows\System32\AVnncKd.exe
  C:\Windows\System32\AVnncKd.exe
  2⤵
  PID:4000
- C:\Windows\System32\VLoSHzh.exe
  C:\Windows\System32\VLoSHzh.exe
  2⤵
  PID:3016
- C:\Windows\System32\ynfhkgd.exe
  C:\Windows\System32\ynfhkgd.exe
  2⤵
  PID:12260
- C:\Windows\System32\vZwJnoY.exe
  C:\Windows\System32\vZwJnoY.exe
  2⤵
  PID:11328
- C:\Windows\System32\rPeiTQq.exe
  C:\Windows\System32\rPeiTQq.exe
  2⤵
  PID:11500
- C:\Windows\System32\vOuTJpG.exe
  C:\Windows\System32\vOuTJpG.exe
  2⤵
  PID:11624
- C:\Windows\System32\dYBDFgb.exe
  C:\Windows\System32\dYBDFgb.exe
  2⤵
  PID:11752
- C:\Windows\System32\sQaRCyj.exe
  C:\Windows\System32\sQaRCyj.exe
  2⤵
  PID:11812
- C:\Windows\System32\bBKIeMC.exe
  C:\Windows\System32\bBKIeMC.exe
  2⤵
  PID:11996
- C:\Windows\System32\NJRHoxx.exe
  C:\Windows\System32\NJRHoxx.exe
  2⤵
  PID:12172
- C:\Windows\System32\QUeKjMB.exe
  C:\Windows\System32\QUeKjMB.exe
  2⤵
  PID:11280
- C:\Windows\System32\twdrJda.exe
  C:\Windows\System32\twdrJda.exe
  2⤵
  PID:11672
- C:\Windows\System32\jAVLyCw.exe
  C:\Windows\System32\jAVLyCw.exe
  2⤵
  PID:11844
- C:\Windows\System32\hEeNWux.exe
  C:\Windows\System32\hEeNWux.exe
  2⤵
  PID:11380
- C:\Windows\System32\aCMwsmp.exe
  C:\Windows\System32\aCMwsmp.exe
  2⤵
  PID:12300
- C:\Windows\System32\cUGWcaT.exe
  C:\Windows\System32\cUGWcaT.exe
  2⤵
  PID:12324
- C:\Windows\System32\pwxdZIh.exe
  C:\Windows\System32\pwxdZIh.exe
  2⤵
  PID:12344
- C:\Windows\System32\CrqfCZh.exe
  C:\Windows\System32\CrqfCZh.exe
  2⤵
  PID:12364
- C:\Windows\System32\NatPjIC.exe
  C:\Windows\System32\NatPjIC.exe
  2⤵
  PID:12412
- C:\Windows\System32\LiuDMiZ.exe
  C:\Windows\System32\LiuDMiZ.exe
  2⤵
  PID:12436
- C:\Windows\System32\qieEhFf.exe
  C:\Windows\System32\qieEhFf.exe
  2⤵
  PID:12460
- C:\Windows\System32\mYfgWcH.exe
  C:\Windows\System32\mYfgWcH.exe
  2⤵
  PID:12496
- C:\Windows\System32\YcGzuYj.exe
  C:\Windows\System32\YcGzuYj.exe
  2⤵
  PID:12520
- C:\Windows\System32\sYPYpGh.exe
  C:\Windows\System32\sYPYpGh.exe
  2⤵
  PID:12536
- C:\Windows\System32\VGTwwfX.exe
  C:\Windows\System32\VGTwwfX.exe
  2⤵
  PID:12560
- C:\Windows\System32\LwHhGBw.exe
  C:\Windows\System32\LwHhGBw.exe
  2⤵
  PID:12616
- C:\Windows\System32\nrkzwQv.exe
  C:\Windows\System32\nrkzwQv.exe
  2⤵
  PID:12636
- C:\Windows\System32\cTqwzHl.exe
  C:\Windows\System32\cTqwzHl.exe
  2⤵
  PID:12656
- C:\Windows\System32\EgKWUPS.exe
  C:\Windows\System32\EgKWUPS.exe
  2⤵
  PID:12696
- C:\Windows\System32\sSXaXdu.exe
  C:\Windows\System32\sSXaXdu.exe
  2⤵
  PID:12720
- C:\Windows\System32\ULoWGsR.exe
  C:\Windows\System32\ULoWGsR.exe
  2⤵
  PID:12740
- C:\Windows\System32\OQXVGrm.exe
  C:\Windows\System32\OQXVGrm.exe
  2⤵
  PID:12788
- C:\Windows\System32\WNXjbJH.exe
  C:\Windows\System32\WNXjbJH.exe
  2⤵
  PID:12804
- C:\Windows\System32\nbKqUVL.exe
  C:\Windows\System32\nbKqUVL.exe
  2⤵
  PID:12824
- C:\Windows\System32\VqykjFK.exe
  C:\Windows\System32\VqykjFK.exe
  2⤵
  PID:12848
- C:\Windows\System32\JwgLMzm.exe
  C:\Windows\System32\JwgLMzm.exe
  2⤵
  PID:12868
- C:\Windows\System32\JFcLPhW.exe
  C:\Windows\System32\JFcLPhW.exe
  2⤵
  PID:12884
- C:\Windows\System32\glafrHw.exe
  C:\Windows\System32\glafrHw.exe
  2⤵
  PID:12924
- C:\Windows\System32\bFBOteE.exe
  C:\Windows\System32\bFBOteE.exe
  2⤵
  PID:12964
- C:\Windows\System32\sdhgEMx.exe
  C:\Windows\System32\sdhgEMx.exe
  2⤵
  PID:12996
- C:\Windows\System32\jlvHktG.exe
  C:\Windows\System32\jlvHktG.exe
  2⤵
  PID:13020
- C:\Windows\System32\PrdHaxh.exe
  C:\Windows\System32\PrdHaxh.exe
  2⤵
  PID:13052
- C:\Windows\System32\lIvjzPv.exe
  C:\Windows\System32\lIvjzPv.exe
  2⤵
  PID:13084
- C:\Windows\System32\OsmSNLX.exe
  C:\Windows\System32\OsmSNLX.exe
  2⤵
  PID:13112
- C:\Windows\System32\FMoRXfQ.exe
  C:\Windows\System32\FMoRXfQ.exe
  2⤵
  PID:13132
- C:\Windows\System32\ZDWUJSH.exe
  C:\Windows\System32\ZDWUJSH.exe
  2⤵
  PID:13148
- C:\Windows\System32\swZuwZf.exe
  C:\Windows\System32\swZuwZf.exe
  2⤵
  PID:13188
- C:\Windows\System32\VjKQVDp.exe
  C:\Windows\System32\VjKQVDp.exe
  2⤵
  PID:13220
- C:\Windows\System32\UyZLdne.exe
  C:\Windows\System32\UyZLdne.exe
  2⤵
  PID:13252
- C:\Windows\System32\cfkdXjo.exe
  C:\Windows\System32\cfkdXjo.exe
  2⤵
  PID:13272
- C:\Windows\System32\MCevKeD.exe
  C:\Windows\System32\MCevKeD.exe
  2⤵
  PID:13300
- C:\Windows\System32\TKsHrpE.exe
  C:\Windows\System32\TKsHrpE.exe
  2⤵
  PID:12332
- C:\Windows\System32\dpLuaiQ.exe
  C:\Windows\System32\dpLuaiQ.exe
  2⤵
  PID:12340
- C:\Windows\System32\RjWXOLy.exe
  C:\Windows\System32\RjWXOLy.exe
  2⤵
  PID:12400
- C:\Windows\System32\JVqLepx.exe
  C:\Windows\System32\JVqLepx.exe
  2⤵
  PID:12444
- C:\Windows\System32\VVNTlvj.exe
  C:\Windows\System32\VVNTlvj.exe
  2⤵
  PID:12532
- C:\Windows\System32\eZYYzPm.exe
  C:\Windows\System32\eZYYzPm.exe
  2⤵
  PID:12584
- C:\Windows\System32\FQecgOu.exe
  C:\Windows\System32\FQecgOu.exe
  2⤵
  PID:4948
- C:\Windows\System32\sVuCDBc.exe
  C:\Windows\System32\sVuCDBc.exe
  2⤵
  PID:12644
- C:\Windows\System32\LkrFNxo.exe
  C:\Windows\System32\LkrFNxo.exe
  2⤵
  PID:12668
- C:\Windows\System32\NWuCBlJ.exe
  C:\Windows\System32\NWuCBlJ.exe
  2⤵
  PID:12780
- C:\Windows\System32\DlMwZkH.exe
  C:\Windows\System32\DlMwZkH.exe
  2⤵
  PID:12820
- C:\Windows\System32\BGHFFeD.exe
  C:\Windows\System32\BGHFFeD.exe
  2⤵
  PID:12976

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\CArekZT.exe

Filesize
1.7MB

MD5
13ab3e30d13310cc2d4382dc60e8bf86

SHA1
9de704806be59a189540183e268bd93dad2a6b2b

SHA256
1a3a6b68f5d7f882bddd1229a40a898b490101f19983a632efc6a28d06cfa941

SHA512
c8a7a9653557f032aa0b67b6b6900bf4b6c952c6b59e5279988ad90d3e7114fb16e58368078a75bba475ed2a34f7232afb60231dccee4946870eb6d39d1da892

Download Submit
C:\Windows\System32\FIZHfrg.exe

Filesize
1.7MB

MD5
9a9799787916925de61c1639c57db349

SHA1
5c826e2b3e4058151d00d9a48a753d6cc239f191

SHA256
ecf540a8624bb82e0a2e647abe6afd07aa0d6b3973322cd85f47c3915c5ec938

SHA512
37d378e17433e4b6f119737ed1154eb66bd15938643ee31d66bae30bcbfaeb27909c7a847a01692625adc6b4f0ee7b1379a23c032370d5dec957e274c0d5e852

Download Submit
C:\Windows\System32\HHzYEQL.exe

Filesize
1.7MB

MD5
1669b64ebda3e2ac85dbb7416fbf5e73

SHA1
3f5fded0363f63e0e47ffaf74cbc87990d75002f

SHA256
3fd31df8a20ab55119bfaf2dc81fba7a235aded7a2509a431ad0ccc99dcea5df

SHA512
b1ac60ad8fc2fe16de96cbe817fe8934a5e532bc12660490bb60c03883166dc3df76bc9cebe69593238eff143660dd8381f79b8a8fb686630ff1531171fbcd82

Download Submit
C:\Windows\System32\IYUiAOp.exe

Filesize
1.7MB

MD5
e61e79b1b95a3c3323ba6622e687686b

SHA1
d8e147553d66555eb872f166b619386746ce322e

SHA256
12c6c379aa0b49d88ca01aee7dc9abcf9fbc8afcd27449ad4899e09d6be7c3b0

SHA512
4eab66c6e9a703b5b77e11d9be396634bf235eba1e5638c9131432fe418e5d55ef355efba00292dd7303de10520617f7aadb9bdb7d60bb87475eaf20b8c3916a

Download Submit
C:\Windows\System32\JkGECqO.exe

Filesize
1.7MB

MD5
ab651560c60b447b66b5ba34667b0bd2

SHA1
6a06fc01072a885a09507c10911138e603ac7ff4

SHA256
77e412f22bb9dcacd95112cd00f0b05013b78de89f78478db2479405a991b03c

SHA512
c6c9dc12891c492d811a34fb2db766b671b8f8ec5002a409b29f8c46274f8301d5561ae301c1015dde1c425566ed7f3242859ac3a551a919951f53a0ef2b1aeb

Download Submit
C:\Windows\System32\JtOdHAO.exe

Filesize
1.7MB

MD5
8295cc500909ffee0e69bff90bde5c93

SHA1
c1e808f89ed556769df9d3f908d5485c688486f4

SHA256
357c64a9082a56dc925cd79aedf0a427283ade9257e12365b8e2ecf4b79cdf4a

SHA512
9ed6ac74c0c47f6f44bf14f8b48a7a7e7881c59f0d28f1636fb17b44cac4cd161ad90ee78754073cdb2d93513b3a1e24704a8396a9ee81104da57204dc5786b5

Download Submit
C:\Windows\System32\LcqKFBS.exe

Filesize
1.7MB

MD5
8900b4621363412986c4a71550bf0d59

SHA1
9dff552b175820cd15271e1a85fbc150264a4060

SHA256
042462454897809b2985d1c31f647aacce80b9e8a1d4a21e806deb4ffd160fce

SHA512
4b54f90225560e4756643a61d429648595c5cc01c6258e4ba9101e3d271da2495a6e1bb206f97889b8cea563a285753ec1e38026ae3065bebf5fbdc65db34998

Download Submit
C:\Windows\System32\OzeokAh.exe

Filesize
1.7MB

MD5
d405e56d8bde052f59963256a2a74e60

SHA1
967656aeca30b738a9c9f0ac3f707a7e838392ae

SHA256
885830f62ae0c5baa5244d95b584062be0d5cc12f4fe2c53015289c91cd53aca

SHA512
b0a9fd33b3a3e83d5211737d704798d7511a1aa5f8cdd09dd62c9c9b244ae86a6f18642785b037db8a8d46e6f38a723ab8a965e719cda0279c7b4ce522912093

Download Submit
C:\Windows\System32\PvnhacR.exe

Filesize
1.7MB

MD5
8e5135120ca54dcd9192768c135289bf

SHA1
ec43d70d8db8d158d108311bc1f98ba60e769a55

SHA256
51a759621c5da2dadd59f61ae6f8ac55ff78ec3480ef6be3c409ba635d0eca00

SHA512
374cd2f4a31b8ccc2542c77799d0ed7452adacb31644b46a82f04364e06d9ecb18eb16c6f7a87176dd6ab4186972872caac5ff107856469a8a2603377e35400a

Download Submit
C:\Windows\System32\ROXCfaP.exe

Filesize
1.7MB

MD5
5f021acfda01a6f6f8e092e9baf2a5f6

SHA1
05a492f1435baef19f6425dbf327945a84346ac3

SHA256
5e0e32c06abe70868c76e26e5db4be60b3d19e43efa78cba6607798c75f82147

SHA512
d3939c020dd5b2a251102ee5f224dda61f4c71be1123aa16258ddaa45c07168d9832151e19066c536c39ffa769f3f1cb30608469ffcf34c6b1c407342abf0b59

Download Submit
C:\Windows\System32\RlDqgQq.exe

Filesize
1.7MB

MD5
6ee907080b9f605bcd44dc7a99275101

SHA1
9d62380ffc27a192efba45ccea8866912933fc6a

SHA256
0dfe8fdfa41407c595bbf824a971d8ca27813efefc6b380322a195e3b0b45993

SHA512
ad723af3ec76775ad6cdc2ff9ba2b40e6351e1ab662a68570b9fdb0549a05f1b091a753eb0f156feff999302c950376305cc16bda85262372cda1d08f5bd4215

Download Submit
C:\Windows\System32\TfRxPXM.exe

Filesize
1.7MB

MD5
485ad528b6afb8417bd48b844fb9fb5d

SHA1
b0595f3558ddd06354e6528d06208e52cf1c8dd3

SHA256
d7bc295ba485078c11ab80fd684758ebf6f871c37133043d77a88be8fb950ed1

SHA512
39479fa7d4c5ec40df14a9e426334c204e5cc7cd145a0f83e74fdca154734565e7a189c483e27c16671f635108847e9ac37e40f8431497423896ddaa7cf1950d

Download Submit
C:\Windows\System32\UIiguaY.exe

Filesize
1.7MB

MD5
36c0be80dc1ae16cb78b6ca02763474b

SHA1
68ca65093aa90e705379da0e4197bcf32d75a44e

SHA256
5147495f3cb77aa128810188b62ac0fd948e7e57cfb6ab75a529787df6b72dc9

SHA512
210ec0f0fd7aef8c76a6bd5034a19cf31ebfe69a88d45b83ee15a2d8d9de9c761bf3d77540d2087b0af8c18def7186b3c2d174baff8580763e76a36ff71cfccb

Download Submit
C:\Windows\System32\WbHAiYX.exe

Filesize
1.7MB

MD5
126b3483d85ffb60c1449c39459c5409

SHA1
8a6aee8615e8fa27929b7cd04a66ca2c5adcc467

SHA256
367b6bd893d1985881c1783964d78893f8d6176adcccac9fd73e9af5b45e4c88

SHA512
096480ddcaac339a66af1a9507b911fe82fd51fc818b13efe3eb89b05fc8695330c2fe07d9119ca5daede2a4f951a7c49fc805bd5a50acddb1def0f8b38b9d8b

Download Submit
C:\Windows\System32\WgkViSj.exe

Filesize
1.7MB

MD5
f4f4383a66e3bd4c6679ec102e4752ae

SHA1
4b2075c517f4d63cda8aa43bf375e29e5b7190bc

SHA256
116c23846fcc91590df4500d2ae33162835e97aeaf0750d6fbea3da336fcd467

SHA512
8cc0c66b48633613a9ba591a241606fc8db8d10f5c5bb06cd1923c92e0ad029614b43561fee4f7772acd751168cad5ef4bb60b89f9307dfb6cb64f9b84e7234e

Download Submit
C:\Windows\System32\XAEhKES.exe

Filesize
1.7MB

MD5
227d31d63a82e427f95b05a7cdfc276f

SHA1
b3ef6d94c31861cbe15c23f4fff0de7717200941

SHA256
a1169468fe396688a423e4165c5fd1b6e3704fdd8bd54d2b39a9e9c75dd6b5a5

SHA512
6d7019dc2c129c705eaf2229ac4aa26d83c0e8bffc2b7acda009ee13eb1b63b9c66116c3217d6aaea9a03e15c356695432878e98252cedf6ccf74b5c30a26ad4

Download Submit
C:\Windows\System32\XsrjJPz.exe

Filesize
1.7MB

MD5
69b06961d1861219b6f057fb6628563f

SHA1
5a93e340c73e8e93f66078688bc4a98db158ac14

SHA256
a756125c0e4be18862562646cf7ae54efe6a30cbd52ccb2ebdbdfa8bf0d64d99

SHA512
f37f835cf2c936222d5d69a5d1fce2efbf3415132b976968634f8cdd996d353416f0ba4b4234053a49fafdfd593933c194e1571af74c4f5ba1a6c3f244b8494c

Download Submit
C:\Windows\System32\aRDfyvJ.exe

Filesize
1.7MB

MD5
23605c0d62654a9f6a8dfda5bba56716

SHA1
d431cfd60ddd24f78b3aa2d3aca5b4aa5cde192d

SHA256
d5665e0136a745075747e19a91dec7a55b7036f3a3fca63ceb8c39e553ebc33c

SHA512
a4c965830655f680341cd2b6e43fd8952cf8f3799f80fad82598723e2b595af8b73c1eb7e998d352ffe9553a694bb86e3e7f5945b0747cdabe9d1a5e8f90e697

Download Submit
C:\Windows\System32\aTwdVNY.exe

Filesize
1.7MB

MD5
757b0b02c01313b08d3ad89a21b528bf

SHA1
bbc5e18033bd341dfbe41234497af76a196d1ec1

SHA256
47b4460331e1ec156036140894fac276a05e3a0e6e30d91ea2efa323584138fc

SHA512
c76420808a402491e7d83969b3a5fae4b0126b121b5e9421c22a84d6452eaa3126dd1f242f8fe2385aa8b81e0ff1f75442e532ca927dd0b722dc16d3c82f366d

Download Submit
C:\Windows\System32\ahKcmAz.exe

Filesize
1.7MB

MD5
645d2a85a8fe5ee1443c93be72a4f4fe

SHA1
7adba221e02f90b23117287a3a3897a256230a07

SHA256
02c4f255ebbaf602f6c064867002de357a9862358213df77cb270752bc7f58ce

SHA512
2ef4272d0f34600cdbff3cbbe1f374d4478a0737223ac226c3aacca12368b297b61908a552a1aae50c33dadfdf6a53b829021e14f7f5b6fe774ab646506fbf81

Download Submit
C:\Windows\System32\akSoMmZ.exe

Filesize
1.7MB

MD5
5700e93ca4ad79714cac60ba21887dad

SHA1
da175b9fc2394c5ba64b67d84d4b8402e5ac6f84

SHA256
21089d716e402bb175a936b4e631b6d52fc545fb4e97691f61d1ef60b42347d3

SHA512
efe7b5c3d97eacbfb85556b4d37a29526dca0042c4fd2bdff85be7daa88fd1a7c9a4e379f4242275af0e7969a8cc8bbf1d7256480f96b1d0fef084a6e3bb9b8b

Download Submit
C:\Windows\System32\cCUNKVN.exe

Filesize
1.7MB

MD5
6f2b6d42a74c5763c94aece2d70e78f8

SHA1
1df3dbfbe1e99b3ff5b4425dc031d5b9d99396a2

SHA256
3874f6fad075cac374ed57ffbb7faaa5de2d3c897f4825f292e812b76e192150

SHA512
a48d7283273c2ddf12e66aac2d931fbd7b3cb677b3c466262b8f61920ebdd9b4e413b0ea9bde5592cfba9944e905bd16c65d401a348eee76bcd06818c0eb36e4

Download Submit
C:\Windows\System32\iWVPfPR.exe

Filesize
1.7MB

MD5
5c7dd69c21f67064ab17c688ff1b2a47

SHA1
db26040767e18e4da93e5d55db22010f678cfd38

SHA256
ce1ede71cbe3aff9c5de96b17b19e5dc07c598db188bd79d90a6bf3e7de49f19

SHA512
5fc9a44a933cba24d0e8b5ec2e79a424c5989832038e5e9cd8c601055a399916b9ebee68e83da823c7789a52c14466a495ced65404db4f97c41930bba8f76c41

Download Submit
C:\Windows\System32\igduhBL.exe

Filesize
1.7MB

MD5
d9e385937884cb154e34c80f34a14e40

SHA1
4feda0f9643a2badc2fb63284ab31cf468bd4933

SHA256
beede8440371a9fd5696e75d34ceedbafc553a6e38b1e0514141d05d467432a5

SHA512
1f6d2ff6bf49954686c3022224dabaa7b3d0aed1798d074d83b1c0909c80f5457f87bedafdaa3f09a426f0f27555fb8ed73198e2646f2749c64910b94c5aee66

Download Submit
C:\Windows\System32\nrQLoCO.exe

Filesize
1.7MB

MD5
70760f0922bdabb0739ae44712d6bf74

SHA1
c470363fd4d9f77b443f400af2a666c87a973afb

SHA256
7f35c5ec21e03b847997798dd19870110e748053f728f14ba17a53fc38ebbcf9

SHA512
e2d97db391f0b31969bfbdf900bb21e004622a3cf8bc75d8958bcdde01acb09b834216f82faa660d0b7b9a3372f0b9bd68ba84b3826b68e0a5189410386b320d

Download Submit
C:\Windows\System32\psDEmsE.exe

Filesize
1.7MB

MD5
a059af51b311693789f7dc7bfc78243c

SHA1
cf13b8852fa321f3983609fd56152126762bc2b2

SHA256
9647d367c96a968721bef1923f8992656b92502e9ba59c988798657ef7b9f35e

SHA512
21305225f131ef2a5a9c5f6c31deaf66dfb73693cbf5a4cdfcdc5766b1c6c649a4851247b53b216d5f2f4e617fa581218f1adb2b50e53bb3b0d3b702fd0558aa

Download Submit
C:\Windows\System32\tGTkUtg.exe

Filesize
1.7MB

MD5
352d6798b5a397244803f5dfd0b0d0de

SHA1
5a8aac0812a6e190287902c692593f911994a63a

SHA256
cafe577f1c2e6e711992b8dcc980c3586c07d3a0f6cc2496612bd9bd130e9064

SHA512
8b3a3ec0856e1922d4f9db0668747721d666f548c735547b92c9835f777c87611d718c386a25b3d5ac316f48e2f59494c04d6e78366a9dfcbb6ced8fcb21bfe8

Download Submit
C:\Windows\System32\tMmRdPF.exe

Filesize
1.7MB

MD5
8cce1492b9f17439cce867126132a79d

SHA1
5badb0cb4a114c460216ce6a3983c98d37e7f606

SHA256
016be63705b7a761c74a5d72336f8a63107bbb9c2fdf878dc8699fd3ff4ba926

SHA512
22155b4a7aa42cfe52acf84c191dbc9f2a75a086f054c4c04700588d3121786c8edc0e3778a85a147664d12a437e5df5a2ed91b0591a81d17de2bfc2df7af947

Download Submit
C:\Windows\System32\uHWXwnb.exe

Filesize
1.7MB

MD5
61aefe3fda7cac729035ce1cf781b7ce

SHA1
c9557238e6ea6f33521e384ff9d46b1e5f5867d9

SHA256
dadfbfc4b1854878ba916974f4d3d4975f7abea84b9cd5475fedf2fd039118d5

SHA512
cbba19ffe241fccc305558f734676281f39e24536f8bf3d2881dfe04e06e8240af6715255fae51f819d9e5edc437f6f2855c84154624639530913f380b1d2e0e

Download Submit
C:\Windows\System32\vLChyvS.exe

Filesize
1.7MB

MD5
b4cc0003d51aa146f83b7f9089912ed1

SHA1
e0eb13e5a02de7b285251e1d175ad8f09ba07633

SHA256
9f58f46868c73977ccc6afb373ba8577780acc256c7a120291bd1becb51396a4

SHA512
e0e0b94cd108c991438495d9265148fd383655a663d89e1a6b6a0223a7ccfa9da5fe7051cc7d0af6ef1cd9a7d2a61cb023c49d14fcb45b2ff2fb62fd163ef96a

Download Submit
C:\Windows\System32\yfFxANS.exe

Filesize
1.7MB

MD5
905d8c653d1d5119fd3cd858d6cef160

SHA1
ba9c27a4a2cabedc7b762501ec7beb8b546dc6c2

SHA256
8c845fdfc2dd8cfc2ed4ac8107be1229a80c4d249477071277d9b0111e587a54

SHA512
c4accc8017e9ab158ccd1a776ef3e5449aab6cd39c59672ec2c15a2cf600d199804f0d9efcccaa8445f22d8e6593c8d735cb2ae571f62f95aa2e77efe51c977e

Download Submit
C:\Windows\System32\yuzWnvp.exe

Filesize
1.7MB

MD5
31e6c2ed2fcae2a6c6a7e6108e3cbc1d

SHA1
396865b5ff317044cb0ff51d67a3f0d08931afbd

SHA256
67aaead0f0dbc3496ddccf556756d5ce0d12776b9b4561612e0569159a2126e0

SHA512
013b896541be2cc91b09582a01cbc3a56e12576411300c997aad9db9d92e5feb357e0ffb33a327d5b3521f816f49b3b8c60eae489eb00bb5119897a5e8b7368c

Download Submit
memory/532-477-0x00007FF7AB170000-0x00007FF7AB561000-memory.dmp

Filesize
3.9MB

Download
memory/532-2016-0x00007FF7AB170000-0x00007FF7AB561000-memory.dmp

Filesize
3.9MB

Download
memory/664-506-0x00007FF798670000-0x00007FF798A61000-memory.dmp

Filesize
3.9MB

Download
memory/664-2038-0x00007FF798670000-0x00007FF798A61000-memory.dmp

Filesize
3.9MB

Download
memory/708-47-0x00007FF703090000-0x00007FF703481000-memory.dmp

Filesize
3.9MB

Download
memory/708-2004-0x00007FF703090000-0x00007FF703481000-memory.dmp

Filesize
3.9MB

Download
memory/888-25-0x00007FF6E2020000-0x00007FF6E2411000-memory.dmp

Filesize
3.9MB

Download
memory/888-2008-0x00007FF6E2020000-0x00007FF6E2411000-memory.dmp

Filesize
3.9MB

Download
memory/888-1993-0x00007FF6E2020000-0x00007FF6E2411000-memory.dmp

Filesize
3.9MB

Download
memory/1636-510-0x00007FF7902E0000-0x00007FF7906D1000-memory.dmp

Filesize
3.9MB

Download
memory/1636-2046-0x00007FF7902E0000-0x00007FF7906D1000-memory.dmp

Filesize
3.9MB

Download
memory/1688-499-0x00007FF6A09C0000-0x00007FF6A0DB1000-memory.dmp

Filesize
3.9MB

Download
memory/1688-2042-0x00007FF6A09C0000-0x00007FF6A0DB1000-memory.dmp

Filesize
3.9MB

Download
memory/1812-2036-0x00007FF6EFBC0000-0x00007FF6EFFB1000-memory.dmp

Filesize
3.9MB

Download
memory/1812-494-0x00007FF6EFBC0000-0x00007FF6EFFB1000-memory.dmp

Filesize
3.9MB

Download
memory/2144-514-0x00007FF65B8E0000-0x00007FF65BCD1000-memory.dmp

Filesize
3.9MB

Download
memory/2144-2012-0x00007FF65B8E0000-0x00007FF65BCD1000-memory.dmp

Filesize
3.9MB

Download
memory/2396-2040-0x00007FF714D80000-0x00007FF715171000-memory.dmp

Filesize
3.9MB

Download
memory/2396-501-0x00007FF714D80000-0x00007FF715171000-memory.dmp

Filesize
3.9MB

Download
memory/2592-2010-0x00007FF602FB0000-0x00007FF6033A1000-memory.dmp

Filesize
3.9MB

Download
memory/2592-1960-0x00007FF602FB0000-0x00007FF6033A1000-memory.dmp

Filesize
3.9MB

Download
memory/2592-21-0x00007FF602FB0000-0x00007FF6033A1000-memory.dmp

Filesize
3.9MB

Download
memory/2812-2032-0x00007FF606D60000-0x00007FF607151000-memory.dmp

Filesize
3.9MB

Download
memory/2812-479-0x00007FF606D60000-0x00007FF607151000-memory.dmp

Filesize
3.9MB

Download
memory/2872-6-0x00007FF74B8C0000-0x00007FF74BCB1000-memory.dmp

Filesize
3.9MB

Download
memory/2872-1958-0x00007FF74B8C0000-0x00007FF74BCB1000-memory.dmp

Filesize
3.9MB

Download
memory/2872-2000-0x00007FF74B8C0000-0x00007FF74BCB1000-memory.dmp

Filesize
3.9MB

Download
memory/3340-483-0x00007FF6EA0D0000-0x00007FF6EA4C1000-memory.dmp

Filesize
3.9MB

Download
memory/3340-2026-0x00007FF6EA0D0000-0x00007FF6EA4C1000-memory.dmp

Filesize
3.9MB

Download
memory/3388-2024-0x00007FF6D0840000-0x00007FF6D0C31000-memory.dmp

Filesize
3.9MB

Download
memory/3388-482-0x00007FF6D0840000-0x00007FF6D0C31000-memory.dmp

Filesize
3.9MB

Download
memory/3428-1-0x000002CDDAD20000-0x000002CDDAD30000-memory.dmp

Filesize
64KB

Download
memory/3428-0-0x00007FF6018D0000-0x00007FF601CC1000-memory.dmp

Filesize
3.9MB

Download
memory/3720-511-0x00007FF6A1090000-0x00007FF6A1481000-memory.dmp

Filesize
3.9MB

Download
memory/3720-2044-0x00007FF6A1090000-0x00007FF6A1481000-memory.dmp

Filesize
3.9MB

Download
memory/4028-2002-0x00007FF61FCC0000-0x00007FF6200B1000-memory.dmp

Filesize
3.9MB

Download
memory/4028-19-0x00007FF61FCC0000-0x00007FF6200B1000-memory.dmp

Filesize
3.9MB

Download
memory/4028-1959-0x00007FF61FCC0000-0x00007FF6200B1000-memory.dmp

Filesize
3.9MB

Download
memory/4044-2030-0x00007FF6DEAF0000-0x00007FF6DEEE1000-memory.dmp

Filesize
3.9MB

Download
memory/4044-480-0x00007FF6DEAF0000-0x00007FF6DEEE1000-memory.dmp

Filesize
3.9MB

Download
memory/4056-2018-0x00007FF70D660000-0x00007FF70DA51000-memory.dmp

Filesize
3.9MB

Download
memory/4056-484-0x00007FF70D660000-0x00007FF70DA51000-memory.dmp

Filesize
3.9MB

Download
memory/4172-33-0x00007FF749B30000-0x00007FF749F21000-memory.dmp

Filesize
3.9MB

Download
memory/4172-2006-0x00007FF749B30000-0x00007FF749F21000-memory.dmp

Filesize
3.9MB

Download
memory/4344-2014-0x00007FF7BE650000-0x00007FF7BEA41000-memory.dmp

Filesize
3.9MB

Download
memory/4344-475-0x00007FF7BE650000-0x00007FF7BEA41000-memory.dmp

Filesize
3.9MB

Download
memory/4344-1994-0x00007FF7BE650000-0x00007FF7BEA41000-memory.dmp

Filesize
3.9MB

Download
memory/4696-2020-0x00007FF793D70000-0x00007FF794161000-memory.dmp

Filesize
3.9MB

Download
memory/4696-492-0x00007FF793D70000-0x00007FF794161000-memory.dmp

Filesize
3.9MB

Download
memory/4944-478-0x00007FF6FA970000-0x00007FF6FAD61000-memory.dmp

Filesize
3.9MB

Download
memory/4944-2022-0x00007FF6FA970000-0x00007FF6FAD61000-memory.dmp

Filesize
3.9MB

Download
memory/5012-518-0x00007FF6DAD70000-0x00007FF6DB161000-memory.dmp

Filesize
3.9MB

Download
memory/5012-2034-0x00007FF6DAD70000-0x00007FF6DB161000-memory.dmp

Filesize
3.9MB

Download
memory/5064-2028-0x00007FF7FAF10000-0x00007FF7FB301000-memory.dmp

Filesize
3.9MB

Download
memory/5064-481-0x00007FF7FAF10000-0x00007FF7FB301000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads