xmrig | 2ec6760f21133cfaa22633c2bcaa3dc61dfe96fddf101fcad1a1455e24a16cb4

Analysis

max time kernel
117s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
Size

1.1MB
MD5

03ece1c1764bf36334406de25838cd37
SHA1

3adb96a7e58ad3caad6f968f52cc921af43439b9
SHA256

2ec6760f21133cfaa22633c2bcaa3dc61dfe96fddf101fcad1a1455e24a16cb4
SHA512

391f6dd212cc2ce1f99d32c6e8a10bd1636f174193ecb30e5b97060352891f6bfe3c3b00c02e6262303815a00eb0a2afb9059b0fe3d8333ed75781ee57bce9a7
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmC3f/DFNkTlq7A:knw9oUUEEDl37jcmWH/z0

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/3176-370-0x00007FF764F20000-0x00007FF765311000-memory.dmp	xmrig
behavioral2/memory/4584-372-0x00007FF708BF0000-0x00007FF708FE1000-memory.dmp	xmrig
behavioral2/memory/4560-378-0x00007FF7C61D0000-0x00007FF7C65C1000-memory.dmp	xmrig
behavioral2/memory/2764-392-0x00007FF6A5850000-0x00007FF6A5C41000-memory.dmp	xmrig
behavioral2/memory/4508-386-0x00007FF69BFD0000-0x00007FF69C3C1000-memory.dmp	xmrig
behavioral2/memory/2144-400-0x00007FF6A4340000-0x00007FF6A4731000-memory.dmp	xmrig
behavioral2/memory/4496-365-0x00007FF72EDF0000-0x00007FF72F1E1000-memory.dmp	xmrig
behavioral2/memory/3340-403-0x00007FF66C010000-0x00007FF66C401000-memory.dmp	xmrig
behavioral2/memory/1008-407-0x00007FF7AB740000-0x00007FF7ABB31000-memory.dmp	xmrig
behavioral2/memory/3924-410-0x00007FF6E32D0000-0x00007FF6E36C1000-memory.dmp	xmrig
behavioral2/memory/1296-414-0x00007FF77AB60000-0x00007FF77AF51000-memory.dmp	xmrig
behavioral2/memory/3684-422-0x00007FF63F7A0000-0x00007FF63FB91000-memory.dmp	xmrig
behavioral2/memory/2604-425-0x00007FF64DAD0000-0x00007FF64DEC1000-memory.dmp	xmrig
behavioral2/memory/4424-432-0x00007FF7769F0000-0x00007FF776DE1000-memory.dmp	xmrig
behavioral2/memory/4236-435-0x00007FF6D5C70000-0x00007FF6D6061000-memory.dmp	xmrig
behavioral2/memory/2436-430-0x00007FF708740000-0x00007FF708B31000-memory.dmp	xmrig
behavioral2/memory/4936-429-0x00007FF70F3C0000-0x00007FF70F7B1000-memory.dmp	xmrig
behavioral2/memory/4684-419-0x00007FF6540E0000-0x00007FF6544D1000-memory.dmp	xmrig
behavioral2/memory/5116-416-0x00007FF71E4B0000-0x00007FF71E8A1000-memory.dmp	xmrig
behavioral2/memory/3388-442-0x00007FF6084E0000-0x00007FF6088D1000-memory.dmp	xmrig
behavioral2/memory/4224-446-0x00007FF7C6880000-0x00007FF7C6C71000-memory.dmp	xmrig
behavioral2/memory/4312-1948-0x00007FF754360000-0x00007FF754751000-memory.dmp	xmrig
behavioral2/memory/3928-1981-0x00007FF6C8EF0000-0x00007FF6C92E1000-memory.dmp	xmrig
behavioral2/memory/2964-1987-0x00007FF711FD0000-0x00007FF7123C1000-memory.dmp	xmrig
behavioral2/memory/4312-1989-0x00007FF754360000-0x00007FF754751000-memory.dmp	xmrig
behavioral2/memory/4560-1997-0x00007FF7C61D0000-0x00007FF7C65C1000-memory.dmp	xmrig
behavioral2/memory/4508-1993-0x00007FF69BFD0000-0x00007FF69C3C1000-memory.dmp	xmrig
behavioral2/memory/4584-1991-0x00007FF708BF0000-0x00007FF708FE1000-memory.dmp	xmrig
behavioral2/memory/5116-2013-0x00007FF71E4B0000-0x00007FF71E8A1000-memory.dmp	xmrig
behavioral2/memory/3684-2017-0x00007FF63F7A0000-0x00007FF63FB91000-memory.dmp	xmrig
behavioral2/memory/4684-2015-0x00007FF6540E0000-0x00007FF6544D1000-memory.dmp	xmrig
behavioral2/memory/1296-2011-0x00007FF77AB60000-0x00007FF77AF51000-memory.dmp	xmrig
behavioral2/memory/3924-2009-0x00007FF6E32D0000-0x00007FF6E36C1000-memory.dmp	xmrig
behavioral2/memory/1008-2007-0x00007FF7AB740000-0x00007FF7ABB31000-memory.dmp	xmrig
behavioral2/memory/3340-2005-0x00007FF66C010000-0x00007FF66C401000-memory.dmp	xmrig
behavioral2/memory/2144-2003-0x00007FF6A4340000-0x00007FF6A4731000-memory.dmp	xmrig
behavioral2/memory/2764-2001-0x00007FF6A5850000-0x00007FF6A5C41000-memory.dmp	xmrig
behavioral2/memory/3176-1995-0x00007FF764F20000-0x00007FF765311000-memory.dmp	xmrig
behavioral2/memory/4496-1999-0x00007FF72EDF0000-0x00007FF72F1E1000-memory.dmp	xmrig
behavioral2/memory/4236-2070-0x00007FF6D5C70000-0x00007FF6D6061000-memory.dmp	xmrig
behavioral2/memory/2604-2019-0x00007FF64DAD0000-0x00007FF64DEC1000-memory.dmp	xmrig
behavioral2/memory/3388-2074-0x00007FF6084E0000-0x00007FF6088D1000-memory.dmp	xmrig
behavioral2/memory/4224-2068-0x00007FF7C6880000-0x00007FF7C6C71000-memory.dmp	xmrig
behavioral2/memory/4936-2029-0x00007FF70F3C0000-0x00007FF70F7B1000-memory.dmp	xmrig
behavioral2/memory/2436-2027-0x00007FF708740000-0x00007FF708B31000-memory.dmp	xmrig
behavioral2/memory/4424-2023-0x00007FF7769F0000-0x00007FF776DE1000-memory.dmp	xmrig
behavioral2/memory/3928-2107-0x00007FF6C8EF0000-0x00007FF6C92E1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2964	DtKqUOH.exe
4312	NFNKJFz.exe
3928	dtkCkjq.exe
4496	byWXZiE.exe
3176	vIXAhns.exe
4584	elpQqIc.exe
4560	CtZspkq.exe
4508	QwwkZje.exe
2764	EJzdcVl.exe
2144	TBRMVTg.exe
3340	fmDnxVz.exe
1008	uIKFTIL.exe
3924	PjYlBXY.exe
1296	eHZCcyp.exe
5116	ccsWEsq.exe
4684	YydsIjw.exe
3684	CbfHNxx.exe
2604	jeYYQqg.exe
4936	SWkrKNa.exe
2436	ErADMZS.exe
4424	OAipwSl.exe
4236	BlHDDuQ.exe
3388	wKwjJLb.exe
4224	DmOvJRL.exe
4536	CWRRSrn.exe
2608	fqBiFhx.exe
1656	jIXdfUh.exe
396	yojZBdk.exe
1644	oVBTjgK.exe
1608	gezyGQU.exe
4868	evocDSI.exe
4784	btuTxVX.exe
4092	oWhWnHO.exe
4988	TmIpJXT.exe
5100	LyQFoaE.exe
4636	adhvPnj.exe
1564	kQlgrQR.exe
1596	BJsfwYA.exe
2744	RGvfzQI.exe
2592	SRzUToT.exe
3580	AaVzwqJ.exe
440	OLVUWkO.exe
624	kXYDLGe.exe
2316	DOUkflP.exe
8	PoIBBFH.exe
1336	XEBLYiY.exe
4932	ULmkBnY.exe
2988	zEJBFfX.exe
2120	KSmwxuP.exe
3572	briwMFU.exe
1932	LMxrDKa.exe
1076	cuHcEXu.exe
1580	BMqdzoc.exe
2268	MwKrBmt.exe
2536	IGoyPUk.exe
1428	vfAOLjE.exe
3140	iYLLxHX.exe
3648	UmMYqRD.exe
3964	KIgAWVB.exe
4256	znMLPIh.exe
1956	JLVrzrJ.exe
532	XWFNKcu.exe
4792	OhuDeZa.exe
1252	sLoojaU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1332-0-0x00007FF61B3E0000-0x00007FF61B7D1000-memory.dmp	upx
behavioral2/files/0x000b000000023b72-4.dat	upx
behavioral2/files/0x000a000000023b73-7.dat	upx
behavioral2/memory/2964-11-0x00007FF711FD0000-0x00007FF7123C1000-memory.dmp	upx
behavioral2/memory/4312-18-0x00007FF754360000-0x00007FF754751000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-28.dat	upx
behavioral2/files/0x000a000000023b77-33.dat	upx
behavioral2/files/0x000a000000023b79-41.dat	upx
behavioral2/files/0x000a000000023b7b-53.dat	upx
behavioral2/files/0x000a000000023b7f-73.dat	upx
behavioral2/files/0x000a000000023b81-83.dat	upx
behavioral2/files/0x000a000000023b85-101.dat	upx
behavioral2/files/0x000a000000023b8a-126.dat	upx
behavioral2/memory/3176-370-0x00007FF764F20000-0x00007FF765311000-memory.dmp	upx
behavioral2/memory/4584-372-0x00007FF708BF0000-0x00007FF708FE1000-memory.dmp	upx
behavioral2/memory/4560-378-0x00007FF7C61D0000-0x00007FF7C65C1000-memory.dmp	upx
behavioral2/memory/2764-392-0x00007FF6A5850000-0x00007FF6A5C41000-memory.dmp	upx
behavioral2/memory/4508-386-0x00007FF69BFD0000-0x00007FF69C3C1000-memory.dmp	upx
behavioral2/memory/2144-400-0x00007FF6A4340000-0x00007FF6A4731000-memory.dmp	upx
behavioral2/memory/4496-365-0x00007FF72EDF0000-0x00007FF72F1E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-163.dat	upx
behavioral2/files/0x000a000000023b90-158.dat	upx
behavioral2/files/0x000a000000023b8f-153.dat	upx
behavioral2/files/0x000a000000023b8e-148.dat	upx
behavioral2/files/0x000a000000023b8d-143.dat	upx
behavioral2/files/0x000a000000023b8c-138.dat	upx
behavioral2/files/0x000a000000023b8b-133.dat	upx
behavioral2/files/0x000a000000023b89-123.dat	upx
behavioral2/files/0x000a000000023b88-118.dat	upx
behavioral2/files/0x000a000000023b87-113.dat	upx
behavioral2/files/0x000a000000023b86-108.dat	upx
behavioral2/memory/3340-403-0x00007FF66C010000-0x00007FF66C401000-memory.dmp	upx
behavioral2/memory/1008-407-0x00007FF7AB740000-0x00007FF7ABB31000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-98.dat	upx
behavioral2/files/0x000a000000023b83-93.dat	upx
behavioral2/files/0x000a000000023b82-88.dat	upx
behavioral2/files/0x000a000000023b80-78.dat	upx
behavioral2/files/0x000a000000023b7e-68.dat	upx
behavioral2/files/0x000a000000023b7d-63.dat	upx
behavioral2/files/0x000a000000023b7c-58.dat	upx
behavioral2/files/0x000a000000023b7a-48.dat	upx
behavioral2/files/0x000a000000023b78-38.dat	upx
behavioral2/files/0x000a000000023b75-26.dat	upx
behavioral2/files/0x000a000000023b74-21.dat	upx
behavioral2/memory/3928-19-0x00007FF6C8EF0000-0x00007FF6C92E1000-memory.dmp	upx
behavioral2/memory/3924-410-0x00007FF6E32D0000-0x00007FF6E36C1000-memory.dmp	upx
behavioral2/memory/1296-414-0x00007FF77AB60000-0x00007FF77AF51000-memory.dmp	upx
behavioral2/memory/3684-422-0x00007FF63F7A0000-0x00007FF63FB91000-memory.dmp	upx
behavioral2/memory/2604-425-0x00007FF64DAD0000-0x00007FF64DEC1000-memory.dmp	upx
behavioral2/memory/4424-432-0x00007FF7769F0000-0x00007FF776DE1000-memory.dmp	upx
behavioral2/memory/4236-435-0x00007FF6D5C70000-0x00007FF6D6061000-memory.dmp	upx
behavioral2/memory/2436-430-0x00007FF708740000-0x00007FF708B31000-memory.dmp	upx
behavioral2/memory/4936-429-0x00007FF70F3C0000-0x00007FF70F7B1000-memory.dmp	upx
behavioral2/memory/4684-419-0x00007FF6540E0000-0x00007FF6544D1000-memory.dmp	upx
behavioral2/memory/5116-416-0x00007FF71E4B0000-0x00007FF71E8A1000-memory.dmp	upx
behavioral2/memory/3388-442-0x00007FF6084E0000-0x00007FF6088D1000-memory.dmp	upx
behavioral2/memory/4224-446-0x00007FF7C6880000-0x00007FF7C6C71000-memory.dmp	upx
behavioral2/memory/4312-1948-0x00007FF754360000-0x00007FF754751000-memory.dmp	upx
behavioral2/memory/3928-1981-0x00007FF6C8EF0000-0x00007FF6C92E1000-memory.dmp	upx
behavioral2/memory/2964-1987-0x00007FF711FD0000-0x00007FF7123C1000-memory.dmp	upx
behavioral2/memory/4312-1989-0x00007FF754360000-0x00007FF754751000-memory.dmp	upx
behavioral2/memory/4560-1997-0x00007FF7C61D0000-0x00007FF7C65C1000-memory.dmp	upx
behavioral2/memory/4508-1993-0x00007FF69BFD0000-0x00007FF69C3C1000-memory.dmp	upx
behavioral2/memory/4584-1991-0x00007FF708BF0000-0x00007FF708FE1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\hUhRRUI.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\abiBgGB.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\VgBLCMZ.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\pCQUECv.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\pWAiMeE.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\SJFZtuz.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\QysIAKu.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\LMxrDKa.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\AGccMPb.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\ERQdrQZ.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\SGqUdiO.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\MplUBcA.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\XVBdCPG.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\SBqHlfh.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\hPXkTXz.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\WucEdrh.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\iGvbxWg.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\Qnrirut.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\PoIBBFH.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\cuHcEXu.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\qvXLBFh.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\ABFtmPD.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\jtbHmfC.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\RoFkhhC.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\fuZAVVx.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\TyovTCm.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\KSmwxuP.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\UtJwquF.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\yIwuEqC.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\PqTpqCe.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\BjQRemT.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\HBzFLvh.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\iguTtsH.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\wAzHgXj.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\vlkCCtY.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\HlvQKbX.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\jIXdfUh.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\MBgByak.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\eEdEuaY.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\DUgzkph.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\icItigJ.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\dwcvnRX.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\ctfwxFz.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\oLoHbAY.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\gEGIxWU.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\EpmiLLN.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\MXeruJE.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\pkwlneU.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\ULmkBnY.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\jRePWes.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\OSlLpyp.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\zpmkesz.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\ceyMPXZ.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\gqcRixs.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\VbLZRzn.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\TtPSDxj.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\gkIFSrr.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\nsOtiol.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\ajokGzK.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\ZARmLzp.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\eubjeCk.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\EDDfYZv.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\jZGoJuW.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
File created	C:\Windows\System32\zloCFZl.exe	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1616	dwm.exe
Token: SeChangeNotifyPrivilege	1616	dwm.exe
Token: 33	1616	dwm.exe
Token: SeIncBasePriorityPrivilege	1616	dwm.exe
Token: SeShutdownPrivilege	1616	dwm.exe
Token: SeCreatePagefilePrivilege	1616	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2964	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	85
PID 1332 wrote to memory of 2964	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	85
PID 1332 wrote to memory of 4312	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	86
PID 1332 wrote to memory of 4312	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	86
PID 1332 wrote to memory of 3928	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	87
PID 1332 wrote to memory of 3928	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	87
PID 1332 wrote to memory of 4496	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	88
PID 1332 wrote to memory of 4496	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	88
PID 1332 wrote to memory of 3176	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	89
PID 1332 wrote to memory of 3176	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	89
PID 1332 wrote to memory of 4584	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	90
PID 1332 wrote to memory of 4584	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	90
PID 1332 wrote to memory of 4560	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	91
PID 1332 wrote to memory of 4560	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	91
PID 1332 wrote to memory of 4508	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	92
PID 1332 wrote to memory of 4508	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	92
PID 1332 wrote to memory of 2764	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	93
PID 1332 wrote to memory of 2764	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	93
PID 1332 wrote to memory of 2144	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	94
PID 1332 wrote to memory of 2144	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	94
PID 1332 wrote to memory of 3340	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	95
PID 1332 wrote to memory of 3340	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	95
PID 1332 wrote to memory of 1008	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	96
PID 1332 wrote to memory of 1008	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	96
PID 1332 wrote to memory of 3924	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	97
PID 1332 wrote to memory of 3924	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	97
PID 1332 wrote to memory of 1296	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	98
PID 1332 wrote to memory of 1296	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	98
PID 1332 wrote to memory of 5116	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	99
PID 1332 wrote to memory of 5116	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	99
PID 1332 wrote to memory of 4684	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	100
PID 1332 wrote to memory of 4684	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	100
PID 1332 wrote to memory of 3684	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	101
PID 1332 wrote to memory of 3684	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	101
PID 1332 wrote to memory of 2604	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	102
PID 1332 wrote to memory of 2604	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	102
PID 1332 wrote to memory of 4936	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	103
PID 1332 wrote to memory of 4936	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	103
PID 1332 wrote to memory of 2436	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	104
PID 1332 wrote to memory of 2436	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	104
PID 1332 wrote to memory of 4424	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	105
PID 1332 wrote to memory of 4424	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	105
PID 1332 wrote to memory of 4236	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	106
PID 1332 wrote to memory of 4236	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	106
PID 1332 wrote to memory of 3388	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	107
PID 1332 wrote to memory of 3388	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	107
PID 1332 wrote to memory of 4224	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	108
PID 1332 wrote to memory of 4224	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	108
PID 1332 wrote to memory of 4536	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	109
PID 1332 wrote to memory of 4536	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	109
PID 1332 wrote to memory of 2608	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	110
PID 1332 wrote to memory of 2608	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	110
PID 1332 wrote to memory of 1656	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	111
PID 1332 wrote to memory of 1656	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	111
PID 1332 wrote to memory of 396	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	112
PID 1332 wrote to memory of 396	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	112
PID 1332 wrote to memory of 1644	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	113
PID 1332 wrote to memory of 1644	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	113
PID 1332 wrote to memory of 1608	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	114
PID 1332 wrote to memory of 1608	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	114
PID 1332 wrote to memory of 4868	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	115
PID 1332 wrote to memory of 4868	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	115
PID 1332 wrote to memory of 4784	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	116
PID 1332 wrote to memory of 4784	1332	03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03ece1c1764bf36334406de25838cd37_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\System32\DtKqUOH.exe
  C:\Windows\System32\DtKqUOH.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\NFNKJFz.exe
  C:\Windows\System32\NFNKJFz.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\dtkCkjq.exe
  C:\Windows\System32\dtkCkjq.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System32\byWXZiE.exe
  C:\Windows\System32\byWXZiE.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\vIXAhns.exe
  C:\Windows\System32\vIXAhns.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System32\elpQqIc.exe
  C:\Windows\System32\elpQqIc.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\CtZspkq.exe
  C:\Windows\System32\CtZspkq.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\QwwkZje.exe
  C:\Windows\System32\QwwkZje.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System32\EJzdcVl.exe
  C:\Windows\System32\EJzdcVl.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\TBRMVTg.exe
  C:\Windows\System32\TBRMVTg.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System32\fmDnxVz.exe
  C:\Windows\System32\fmDnxVz.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\uIKFTIL.exe
  C:\Windows\System32\uIKFTIL.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System32\PjYlBXY.exe
  C:\Windows\System32\PjYlBXY.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\eHZCcyp.exe
  C:\Windows\System32\eHZCcyp.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System32\ccsWEsq.exe
  C:\Windows\System32\ccsWEsq.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System32\YydsIjw.exe
  C:\Windows\System32\YydsIjw.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\CbfHNxx.exe
  C:\Windows\System32\CbfHNxx.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System32\jeYYQqg.exe
  C:\Windows\System32\jeYYQqg.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System32\SWkrKNa.exe
  C:\Windows\System32\SWkrKNa.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System32\ErADMZS.exe
  C:\Windows\System32\ErADMZS.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\OAipwSl.exe
  C:\Windows\System32\OAipwSl.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\BlHDDuQ.exe
  C:\Windows\System32\BlHDDuQ.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\wKwjJLb.exe
  C:\Windows\System32\wKwjJLb.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System32\DmOvJRL.exe
  C:\Windows\System32\DmOvJRL.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\CWRRSrn.exe
  C:\Windows\System32\CWRRSrn.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\fqBiFhx.exe
  C:\Windows\System32\fqBiFhx.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System32\jIXdfUh.exe
  C:\Windows\System32\jIXdfUh.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System32\yojZBdk.exe
  C:\Windows\System32\yojZBdk.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System32\oVBTjgK.exe
  C:\Windows\System32\oVBTjgK.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System32\gezyGQU.exe
  C:\Windows\System32\gezyGQU.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\evocDSI.exe
  C:\Windows\System32\evocDSI.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\btuTxVX.exe
  C:\Windows\System32\btuTxVX.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System32\oWhWnHO.exe
  C:\Windows\System32\oWhWnHO.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System32\TmIpJXT.exe
  C:\Windows\System32\TmIpJXT.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\LyQFoaE.exe
  C:\Windows\System32\LyQFoaE.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\adhvPnj.exe
  C:\Windows\System32\adhvPnj.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System32\kQlgrQR.exe
  C:\Windows\System32\kQlgrQR.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System32\BJsfwYA.exe
  C:\Windows\System32\BJsfwYA.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System32\RGvfzQI.exe
  C:\Windows\System32\RGvfzQI.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\SRzUToT.exe
  C:\Windows\System32\SRzUToT.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System32\AaVzwqJ.exe
  C:\Windows\System32\AaVzwqJ.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\OLVUWkO.exe
  C:\Windows\System32\OLVUWkO.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\kXYDLGe.exe
  C:\Windows\System32\kXYDLGe.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\DOUkflP.exe
  C:\Windows\System32\DOUkflP.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\PoIBBFH.exe
  C:\Windows\System32\PoIBBFH.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System32\XEBLYiY.exe
  C:\Windows\System32\XEBLYiY.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System32\ULmkBnY.exe
  C:\Windows\System32\ULmkBnY.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\zEJBFfX.exe
  C:\Windows\System32\zEJBFfX.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\KSmwxuP.exe
  C:\Windows\System32\KSmwxuP.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System32\briwMFU.exe
  C:\Windows\System32\briwMFU.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\LMxrDKa.exe
  C:\Windows\System32\LMxrDKa.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\cuHcEXu.exe
  C:\Windows\System32\cuHcEXu.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\BMqdzoc.exe
  C:\Windows\System32\BMqdzoc.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System32\MwKrBmt.exe
  C:\Windows\System32\MwKrBmt.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System32\IGoyPUk.exe
  C:\Windows\System32\IGoyPUk.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System32\vfAOLjE.exe
  C:\Windows\System32\vfAOLjE.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\iYLLxHX.exe
  C:\Windows\System32\iYLLxHX.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\UmMYqRD.exe
  C:\Windows\System32\UmMYqRD.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System32\KIgAWVB.exe
  C:\Windows\System32\KIgAWVB.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System32\znMLPIh.exe
  C:\Windows\System32\znMLPIh.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\JLVrzrJ.exe
  C:\Windows\System32\JLVrzrJ.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System32\XWFNKcu.exe
  C:\Windows\System32\XWFNKcu.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\OhuDeZa.exe
  C:\Windows\System32\OhuDeZa.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\sLoojaU.exe
  C:\Windows\System32\sLoojaU.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System32\vZcFChO.exe
  C:\Windows\System32\vZcFChO.exe
  2⤵
  PID:4556
- C:\Windows\System32\RgHuuII.exe
  C:\Windows\System32\RgHuuII.exe
  2⤵
  PID:516
- C:\Windows\System32\hUhRRUI.exe
  C:\Windows\System32\hUhRRUI.exe
  2⤵
  PID:2236
- C:\Windows\System32\VagGgZf.exe
  C:\Windows\System32\VagGgZf.exe
  2⤵
  PID:4120
- C:\Windows\System32\zbQlAQL.exe
  C:\Windows\System32\zbQlAQL.exe
  2⤵
  PID:3432
- C:\Windows\System32\MUUJkxC.exe
  C:\Windows\System32\MUUJkxC.exe
  2⤵
  PID:1668
- C:\Windows\System32\ZAfTxFn.exe
  C:\Windows\System32\ZAfTxFn.exe
  2⤵
  PID:3128
- C:\Windows\System32\TVdTHGH.exe
  C:\Windows\System32\TVdTHGH.exe
  2⤵
  PID:4020
- C:\Windows\System32\xSYtBaQ.exe
  C:\Windows\System32\xSYtBaQ.exe
  2⤵
  PID:912
- C:\Windows\System32\abiBgGB.exe
  C:\Windows\System32\abiBgGB.exe
  2⤵
  PID:3968
- C:\Windows\System32\UHxrwie.exe
  C:\Windows\System32\UHxrwie.exe
  2⤵
  PID:3272
- C:\Windows\System32\fJpxiCv.exe
  C:\Windows\System32\fJpxiCv.exe
  2⤵
  PID:3372
- C:\Windows\System32\bXZetvU.exe
  C:\Windows\System32\bXZetvU.exe
  2⤵
  PID:1560
- C:\Windows\System32\pXnUwJi.exe
  C:\Windows\System32\pXnUwJi.exe
  2⤵
  PID:2416
- C:\Windows\System32\qvXLBFh.exe
  C:\Windows\System32\qvXLBFh.exe
  2⤵
  PID:1628
- C:\Windows\System32\icItigJ.exe
  C:\Windows\System32\icItigJ.exe
  2⤵
  PID:1724
- C:\Windows\System32\SWTOzdZ.exe
  C:\Windows\System32\SWTOzdZ.exe
  2⤵
  PID:720
- C:\Windows\System32\UbbnORX.exe
  C:\Windows\System32\UbbnORX.exe
  2⤵
  PID:2728
- C:\Windows\System32\lNMqSod.exe
  C:\Windows\System32\lNMqSod.exe
  2⤵
  PID:4340
- C:\Windows\System32\VpZXRBd.exe
  C:\Windows\System32\VpZXRBd.exe
  2⤵
  PID:2812
- C:\Windows\System32\OBALiPl.exe
  C:\Windows\System32\OBALiPl.exe
  2⤵
  PID:4532
- C:\Windows\System32\AsEAeBR.exe
  C:\Windows\System32\AsEAeBR.exe
  2⤵
  PID:3316
- C:\Windows\System32\ABFtmPD.exe
  C:\Windows\System32\ABFtmPD.exe
  2⤵
  PID:4380
- C:\Windows\System32\vdwHUYC.exe
  C:\Windows\System32\vdwHUYC.exe
  2⤵
  PID:452
- C:\Windows\System32\sUxydHQ.exe
  C:\Windows\System32\sUxydHQ.exe
  2⤵
  PID:5144
- C:\Windows\System32\AukqKFK.exe
  C:\Windows\System32\AukqKFK.exe
  2⤵
  PID:5172
- C:\Windows\System32\yNosJCI.exe
  C:\Windows\System32\yNosJCI.exe
  2⤵
  PID:5196
- C:\Windows\System32\gqcRixs.exe
  C:\Windows\System32\gqcRixs.exe
  2⤵
  PID:5232
- C:\Windows\System32\tYUCRow.exe
  C:\Windows\System32\tYUCRow.exe
  2⤵
  PID:5252
- C:\Windows\System32\cXzZQZA.exe
  C:\Windows\System32\cXzZQZA.exe
  2⤵
  PID:5284
- C:\Windows\System32\IlhmJtV.exe
  C:\Windows\System32\IlhmJtV.exe
  2⤵
  PID:5316
- C:\Windows\System32\McSpTFx.exe
  C:\Windows\System32\McSpTFx.exe
  2⤵
  PID:5336
- C:\Windows\System32\mzIbwUD.exe
  C:\Windows\System32\mzIbwUD.exe
  2⤵
  PID:5368
- C:\Windows\System32\ejvfPpr.exe
  C:\Windows\System32\ejvfPpr.exe
  2⤵
  PID:5392
- C:\Windows\System32\bbiWGiu.exe
  C:\Windows\System32\bbiWGiu.exe
  2⤵
  PID:5444
- C:\Windows\System32\rOzTBlU.exe
  C:\Windows\System32\rOzTBlU.exe
  2⤵
  PID:5468
- C:\Windows\System32\RLSmwLJ.exe
  C:\Windows\System32\RLSmwLJ.exe
  2⤵
  PID:5492
- C:\Windows\System32\Gilqlzd.exe
  C:\Windows\System32\Gilqlzd.exe
  2⤵
  PID:5520
- C:\Windows\System32\YIMkxFt.exe
  C:\Windows\System32\YIMkxFt.exe
  2⤵
  PID:5540
- C:\Windows\System32\VJxdJmy.exe
  C:\Windows\System32\VJxdJmy.exe
  2⤵
  PID:5556
- C:\Windows\System32\uDJvjEs.exe
  C:\Windows\System32\uDJvjEs.exe
  2⤵
  PID:5588
- C:\Windows\System32\PBBlvcz.exe
  C:\Windows\System32\PBBlvcz.exe
  2⤵
  PID:5604
- C:\Windows\System32\iguTtsH.exe
  C:\Windows\System32\iguTtsH.exe
  2⤵
  PID:5632
- C:\Windows\System32\gyqnYnL.exe
  C:\Windows\System32\gyqnYnL.exe
  2⤵
  PID:5664
- C:\Windows\System32\TPHwmUG.exe
  C:\Windows\System32\TPHwmUG.exe
  2⤵
  PID:5684
- C:\Windows\System32\WfWtFlZ.exe
  C:\Windows\System32\WfWtFlZ.exe
  2⤵
  PID:5736
- C:\Windows\System32\xLfPiKB.exe
  C:\Windows\System32\xLfPiKB.exe
  2⤵
  PID:5756
- C:\Windows\System32\KKFfFZg.exe
  C:\Windows\System32\KKFfFZg.exe
  2⤵
  PID:5836
- C:\Windows\System32\UvKEroy.exe
  C:\Windows\System32\UvKEroy.exe
  2⤵
  PID:5900
- C:\Windows\System32\PWjFDbO.exe
  C:\Windows\System32\PWjFDbO.exe
  2⤵
  PID:5928
- C:\Windows\System32\lJDdLdk.exe
  C:\Windows\System32\lJDdLdk.exe
  2⤵
  PID:5948
- C:\Windows\System32\ngtuARr.exe
  C:\Windows\System32\ngtuARr.exe
  2⤵
  PID:5972
- C:\Windows\System32\nkrcjOR.exe
  C:\Windows\System32\nkrcjOR.exe
  2⤵
  PID:6028
- C:\Windows\System32\lcAtPkf.exe
  C:\Windows\System32\lcAtPkf.exe
  2⤵
  PID:6096
- C:\Windows\System32\JkvxSQY.exe
  C:\Windows\System32\JkvxSQY.exe
  2⤵
  PID:6116
- C:\Windows\System32\WpAWCRm.exe
  C:\Windows\System32\WpAWCRm.exe
  2⤵
  PID:6140
- C:\Windows\System32\gCeQIUE.exe
  C:\Windows\System32\gCeQIUE.exe
  2⤵
  PID:4876
- C:\Windows\System32\WucEdrh.exe
  C:\Windows\System32\WucEdrh.exe
  2⤵
  PID:4032
- C:\Windows\System32\qcNjeQx.exe
  C:\Windows\System32\qcNjeQx.exe
  2⤵
  PID:5096
- C:\Windows\System32\FQAjBtM.exe
  C:\Windows\System32\FQAjBtM.exe
  2⤵
  PID:2704
- C:\Windows\System32\BzyZJiy.exe
  C:\Windows\System32\BzyZJiy.exe
  2⤵
  PID:5228
- C:\Windows\System32\HRcTtCy.exe
  C:\Windows\System32\HRcTtCy.exe
  2⤵
  PID:1196
- C:\Windows\System32\qYIOzeF.exe
  C:\Windows\System32\qYIOzeF.exe
  2⤵
  PID:3876
- C:\Windows\System32\bOYDzLm.exe
  C:\Windows\System32\bOYDzLm.exe
  2⤵
  PID:5360
- C:\Windows\System32\oHYzGUE.exe
  C:\Windows\System32\oHYzGUE.exe
  2⤵
  PID:5380
- C:\Windows\System32\EDDfYZv.exe
  C:\Windows\System32\EDDfYZv.exe
  2⤵
  PID:5416
- C:\Windows\System32\wrNVjAQ.exe
  C:\Windows\System32\wrNVjAQ.exe
  2⤵
  PID:4204
- C:\Windows\System32\MAzzJxG.exe
  C:\Windows\System32\MAzzJxG.exe
  2⤵
  PID:5536
- C:\Windows\System32\iyoMLnj.exe
  C:\Windows\System32\iyoMLnj.exe
  2⤵
  PID:5600
- C:\Windows\System32\cCNNpWA.exe
  C:\Windows\System32\cCNNpWA.exe
  2⤵
  PID:5660
- C:\Windows\System32\NpnMbRg.exe
  C:\Windows\System32\NpnMbRg.exe
  2⤵
  PID:5720
- C:\Windows\System32\tbJHxnl.exe
  C:\Windows\System32\tbJHxnl.exe
  2⤵
  PID:5800
- C:\Windows\System32\eKjdJwp.exe
  C:\Windows\System32\eKjdJwp.exe
  2⤵
  PID:5728
- C:\Windows\System32\wozXzGE.exe
  C:\Windows\System32\wozXzGE.exe
  2⤵
  PID:5920
- C:\Windows\System32\nBSUlRA.exe
  C:\Windows\System32\nBSUlRA.exe
  2⤵
  PID:6044
- C:\Windows\System32\AUJDYTD.exe
  C:\Windows\System32\AUJDYTD.exe
  2⤵
  PID:5576
- C:\Windows\System32\SgOoOJt.exe
  C:\Windows\System32\SgOoOJt.exe
  2⤵
  PID:5912
- C:\Windows\System32\kxaJPQv.exe
  C:\Windows\System32\kxaJPQv.exe
  2⤵
  PID:5860
- C:\Windows\System32\kzxcYLs.exe
  C:\Windows\System32\kzxcYLs.exe
  2⤵
  PID:6012
- C:\Windows\System32\jervRum.exe
  C:\Windows\System32\jervRum.exe
  2⤵
  PID:1160
- C:\Windows\System32\HMEUpWl.exe
  C:\Windows\System32\HMEUpWl.exe
  2⤵
  PID:6124
- C:\Windows\System32\XgaiGyd.exe
  C:\Windows\System32\XgaiGyd.exe
  2⤵
  PID:2376
- C:\Windows\System32\zdITfKS.exe
  C:\Windows\System32\zdITfKS.exe
  2⤵
  PID:4696
- C:\Windows\System32\GpLKVoT.exe
  C:\Windows\System32\GpLKVoT.exe
  2⤵
  PID:5128
- C:\Windows\System32\ApdXqqD.exe
  C:\Windows\System32\ApdXqqD.exe
  2⤵
  PID:2624
- C:\Windows\System32\rZSIbNN.exe
  C:\Windows\System32\rZSIbNN.exe
  2⤵
  PID:5384
- C:\Windows\System32\hPXkTXz.exe
  C:\Windows\System32\hPXkTXz.exe
  2⤵
  PID:3688
- C:\Windows\System32\xdqmjWb.exe
  C:\Windows\System32\xdqmjWb.exe
  2⤵
  PID:5716
- C:\Windows\System32\nZiLGoB.exe
  C:\Windows\System32\nZiLGoB.exe
  2⤵
  PID:5768
- C:\Windows\System32\TnoHozI.exe
  C:\Windows\System32\TnoHozI.exe
  2⤵
  PID:5924
- C:\Windows\System32\bWQsgbJ.exe
  C:\Windows\System32\bWQsgbJ.exe
  2⤵
  PID:5644
- C:\Windows\System32\jZGoJuW.exe
  C:\Windows\System32\jZGoJuW.exe
  2⤵
  PID:4116
- C:\Windows\System32\QGvnfuz.exe
  C:\Windows\System32\QGvnfuz.exe
  2⤵
  PID:1036
- C:\Windows\System32\sttOMHw.exe
  C:\Windows\System32\sttOMHw.exe
  2⤵
  PID:3428
- C:\Windows\System32\zloCFZl.exe
  C:\Windows\System32\zloCFZl.exe
  2⤵
  PID:5300
- C:\Windows\System32\dbyIHzA.exe
  C:\Windows\System32\dbyIHzA.exe
  2⤵
  PID:5804
- C:\Windows\System32\pWAqQBn.exe
  C:\Windows\System32\pWAqQBn.exe
  2⤵
  PID:6000
- C:\Windows\System32\VgBLCMZ.exe
  C:\Windows\System32\VgBLCMZ.exe
  2⤵
  PID:2872
- C:\Windows\System32\ZFspAVV.exe
  C:\Windows\System32\ZFspAVV.exe
  2⤵
  PID:3280
- C:\Windows\System32\ZVviNel.exe
  C:\Windows\System32\ZVviNel.exe
  2⤵
  PID:5744
- C:\Windows\System32\iqPhZbK.exe
  C:\Windows\System32\iqPhZbK.exe
  2⤵
  PID:5980
- C:\Windows\System32\AcmvJup.exe
  C:\Windows\System32\AcmvJup.exe
  2⤵
  PID:6172
- C:\Windows\System32\QgOxZpS.exe
  C:\Windows\System32\QgOxZpS.exe
  2⤵
  PID:6200
- C:\Windows\System32\CZXIPqv.exe
  C:\Windows\System32\CZXIPqv.exe
  2⤵
  PID:6236
- C:\Windows\System32\vmPKERh.exe
  C:\Windows\System32\vmPKERh.exe
  2⤵
  PID:6252
- C:\Windows\System32\yeGEdyr.exe
  C:\Windows\System32\yeGEdyr.exe
  2⤵
  PID:6292
- C:\Windows\System32\zOnooMd.exe
  C:\Windows\System32\zOnooMd.exe
  2⤵
  PID:6308
- C:\Windows\System32\OAJVroH.exe
  C:\Windows\System32\OAJVroH.exe
  2⤵
  PID:6324
- C:\Windows\System32\NOxcvpR.exe
  C:\Windows\System32\NOxcvpR.exe
  2⤵
  PID:6352
- C:\Windows\System32\ZQwZxwq.exe
  C:\Windows\System32\ZQwZxwq.exe
  2⤵
  PID:6368
- C:\Windows\System32\ykFKhWl.exe
  C:\Windows\System32\ykFKhWl.exe
  2⤵
  PID:6412
- C:\Windows\System32\gUwdLcj.exe
  C:\Windows\System32\gUwdLcj.exe
  2⤵
  PID:6432
- C:\Windows\System32\AGccMPb.exe
  C:\Windows\System32\AGccMPb.exe
  2⤵
  PID:6452
- C:\Windows\System32\uNgzHvq.exe
  C:\Windows\System32\uNgzHvq.exe
  2⤵
  PID:6500
- C:\Windows\System32\KHJAcaX.exe
  C:\Windows\System32\KHJAcaX.exe
  2⤵
  PID:6528
- C:\Windows\System32\GtMPwbT.exe
  C:\Windows\System32\GtMPwbT.exe
  2⤵
  PID:6544
- C:\Windows\System32\bYdMhOY.exe
  C:\Windows\System32\bYdMhOY.exe
  2⤵
  PID:6560
- C:\Windows\System32\PmDjQJN.exe
  C:\Windows\System32\PmDjQJN.exe
  2⤵
  PID:6584
- C:\Windows\System32\KRcqYLc.exe
  C:\Windows\System32\KRcqYLc.exe
  2⤵
  PID:6600
- C:\Windows\System32\AzceRCq.exe
  C:\Windows\System32\AzceRCq.exe
  2⤵
  PID:6632
- C:\Windows\System32\flqYXwp.exe
  C:\Windows\System32\flqYXwp.exe
  2⤵
  PID:6688
- C:\Windows\System32\PTrGJyQ.exe
  C:\Windows\System32\PTrGJyQ.exe
  2⤵
  PID:6712
- C:\Windows\System32\pVJMHiT.exe
  C:\Windows\System32\pVJMHiT.exe
  2⤵
  PID:6732
- C:\Windows\System32\sTSJmSD.exe
  C:\Windows\System32\sTSJmSD.exe
  2⤵
  PID:6792
- C:\Windows\System32\AYqozMU.exe
  C:\Windows\System32\AYqozMU.exe
  2⤵
  PID:6832
- C:\Windows\System32\QrhMroK.exe
  C:\Windows\System32\QrhMroK.exe
  2⤵
  PID:6852
- C:\Windows\System32\zlQlLsH.exe
  C:\Windows\System32\zlQlLsH.exe
  2⤵
  PID:6868
- C:\Windows\System32\JtUfxiy.exe
  C:\Windows\System32\JtUfxiy.exe
  2⤵
  PID:6892
- C:\Windows\System32\dQRIOie.exe
  C:\Windows\System32\dQRIOie.exe
  2⤵
  PID:6924
- C:\Windows\System32\hCkFnEY.exe
  C:\Windows\System32\hCkFnEY.exe
  2⤵
  PID:6952
- C:\Windows\System32\ObsjFla.exe
  C:\Windows\System32\ObsjFla.exe
  2⤵
  PID:6984
- C:\Windows\System32\IQIfphM.exe
  C:\Windows\System32\IQIfphM.exe
  2⤵
  PID:7040
- C:\Windows\System32\sGxnGxZ.exe
  C:\Windows\System32\sGxnGxZ.exe
  2⤵
  PID:7060
- C:\Windows\System32\UlkMJbC.exe
  C:\Windows\System32\UlkMJbC.exe
  2⤵
  PID:7080
- C:\Windows\System32\GYZIcaY.exe
  C:\Windows\System32\GYZIcaY.exe
  2⤵
  PID:7100
- C:\Windows\System32\phIQcih.exe
  C:\Windows\System32\phIQcih.exe
  2⤵
  PID:7128
- C:\Windows\System32\dwcvnRX.exe
  C:\Windows\System32\dwcvnRX.exe
  2⤵
  PID:5648
- C:\Windows\System32\purOPas.exe
  C:\Windows\System32\purOPas.exe
  2⤵
  PID:5244
- C:\Windows\System32\OTTlumX.exe
  C:\Windows\System32\OTTlumX.exe
  2⤵
  PID:6216
- C:\Windows\System32\mhHtAlH.exe
  C:\Windows\System32\mhHtAlH.exe
  2⤵
  PID:6280
- C:\Windows\System32\bkSrohD.exe
  C:\Windows\System32\bkSrohD.exe
  2⤵
  PID:6320
- C:\Windows\System32\fFwFtqz.exe
  C:\Windows\System32\fFwFtqz.exe
  2⤵
  PID:6476
- C:\Windows\System32\EGDgTQC.exe
  C:\Windows\System32\EGDgTQC.exe
  2⤵
  PID:6468
- C:\Windows\System32\egCCNTm.exe
  C:\Windows\System32\egCCNTm.exe
  2⤵
  PID:6444
- C:\Windows\System32\NIahETl.exe
  C:\Windows\System32\NIahETl.exe
  2⤵
  PID:6568
- C:\Windows\System32\SdYbyaf.exe
  C:\Windows\System32\SdYbyaf.exe
  2⤵
  PID:6708
- C:\Windows\System32\rogFIHY.exe
  C:\Windows\System32\rogFIHY.exe
  2⤵
  PID:6752
- C:\Windows\System32\wugcAAG.exe
  C:\Windows\System32\wugcAAG.exe
  2⤵
  PID:6772
- C:\Windows\System32\WlKYdfn.exe
  C:\Windows\System32\WlKYdfn.exe
  2⤵
  PID:6844
- C:\Windows\System32\zASXnoJ.exe
  C:\Windows\System32\zASXnoJ.exe
  2⤵
  PID:6840
- C:\Windows\System32\PqTpqCe.exe
  C:\Windows\System32\PqTpqCe.exe
  2⤵
  PID:6920
- C:\Windows\System32\aBnxjNx.exe
  C:\Windows\System32\aBnxjNx.exe
  2⤵
  PID:6980
- C:\Windows\System32\ODRmapN.exe
  C:\Windows\System32\ODRmapN.exe
  2⤵
  PID:7028
- C:\Windows\System32\WQztqYk.exe
  C:\Windows\System32\WQztqYk.exe
  2⤵
  PID:7116
- C:\Windows\System32\nrcJPhj.exe
  C:\Windows\System32\nrcJPhj.exe
  2⤵
  PID:6016
- C:\Windows\System32\STjvDrh.exe
  C:\Windows\System32\STjvDrh.exe
  2⤵
  PID:6420
- C:\Windows\System32\ullseTM.exe
  C:\Windows\System32\ullseTM.exe
  2⤵
  PID:6740
- C:\Windows\System32\tGJPMBU.exe
  C:\Windows\System32\tGJPMBU.exe
  2⤵
  PID:6880
- C:\Windows\System32\PLkGAkK.exe
  C:\Windows\System32\PLkGAkK.exe
  2⤵
  PID:6864
- C:\Windows\System32\zzetOUJ.exe
  C:\Windows\System32\zzetOUJ.exe
  2⤵
  PID:6900
- C:\Windows\System32\JMWFvRy.exe
  C:\Windows\System32\JMWFvRy.exe
  2⤵
  PID:7156
- C:\Windows\System32\NFPkdXM.exe
  C:\Windows\System32\NFPkdXM.exe
  2⤵
  PID:6380
- C:\Windows\System32\KCJtqhF.exe
  C:\Windows\System32\KCJtqhF.exe
  2⤵
  PID:6876
- C:\Windows\System32\DSlclIl.exe
  C:\Windows\System32\DSlclIl.exe
  2⤵
  PID:7048
- C:\Windows\System32\pSjRrhF.exe
  C:\Windows\System32\pSjRrhF.exe
  2⤵
  PID:7192
- C:\Windows\System32\GxqckBZ.exe
  C:\Windows\System32\GxqckBZ.exe
  2⤵
  PID:7208
- C:\Windows\System32\pqChjCW.exe
  C:\Windows\System32\pqChjCW.exe
  2⤵
  PID:7244
- C:\Windows\System32\ahAzvIe.exe
  C:\Windows\System32\ahAzvIe.exe
  2⤵
  PID:7268
- C:\Windows\System32\ubuYjzb.exe
  C:\Windows\System32\ubuYjzb.exe
  2⤵
  PID:7308
- C:\Windows\System32\YYmLbqQ.exe
  C:\Windows\System32\YYmLbqQ.exe
  2⤵
  PID:7336
- C:\Windows\System32\bsUnfzV.exe
  C:\Windows\System32\bsUnfzV.exe
  2⤵
  PID:7360
- C:\Windows\System32\JkBKxPW.exe
  C:\Windows\System32\JkBKxPW.exe
  2⤵
  PID:7380
- C:\Windows\System32\hcYyxgL.exe
  C:\Windows\System32\hcYyxgL.exe
  2⤵
  PID:7408
- C:\Windows\System32\encZgPz.exe
  C:\Windows\System32\encZgPz.exe
  2⤵
  PID:7436
- C:\Windows\System32\zkoQytR.exe
  C:\Windows\System32\zkoQytR.exe
  2⤵
  PID:7452
- C:\Windows\System32\AaSZdSr.exe
  C:\Windows\System32\AaSZdSr.exe
  2⤵
  PID:7480
- C:\Windows\System32\jXLuzeV.exe
  C:\Windows\System32\jXLuzeV.exe
  2⤵
  PID:7500
- C:\Windows\System32\HEAqDKE.exe
  C:\Windows\System32\HEAqDKE.exe
  2⤵
  PID:7528
- C:\Windows\System32\VpOEOhE.exe
  C:\Windows\System32\VpOEOhE.exe
  2⤵
  PID:7576
- C:\Windows\System32\iUumNtP.exe
  C:\Windows\System32\iUumNtP.exe
  2⤵
  PID:7596
- C:\Windows\System32\NlaOHgE.exe
  C:\Windows\System32\NlaOHgE.exe
  2⤵
  PID:7640
- C:\Windows\System32\pCQUECv.exe
  C:\Windows\System32\pCQUECv.exe
  2⤵
  PID:7672
- C:\Windows\System32\gEvXEDj.exe
  C:\Windows\System32\gEvXEDj.exe
  2⤵
  PID:7700
- C:\Windows\System32\ctfwxFz.exe
  C:\Windows\System32\ctfwxFz.exe
  2⤵
  PID:7728
- C:\Windows\System32\TbcTMVh.exe
  C:\Windows\System32\TbcTMVh.exe
  2⤵
  PID:7748
- C:\Windows\System32\bEOhWIM.exe
  C:\Windows\System32\bEOhWIM.exe
  2⤵
  PID:7768
- C:\Windows\System32\quwddBW.exe
  C:\Windows\System32\quwddBW.exe
  2⤵
  PID:7808
- C:\Windows\System32\UflzSnF.exe
  C:\Windows\System32\UflzSnF.exe
  2⤵
  PID:7828
- C:\Windows\System32\JpzLKHc.exe
  C:\Windows\System32\JpzLKHc.exe
  2⤵
  PID:7872
- C:\Windows\System32\lDnMXaJ.exe
  C:\Windows\System32\lDnMXaJ.exe
  2⤵
  PID:7900
- C:\Windows\System32\FApuldt.exe
  C:\Windows\System32\FApuldt.exe
  2⤵
  PID:7928
- C:\Windows\System32\lUPEjzw.exe
  C:\Windows\System32\lUPEjzw.exe
  2⤵
  PID:7956
- C:\Windows\System32\zGERLWr.exe
  C:\Windows\System32\zGERLWr.exe
  2⤵
  PID:7984
- C:\Windows\System32\VRUMfly.exe
  C:\Windows\System32\VRUMfly.exe
  2⤵
  PID:8000
- C:\Windows\System32\CjMtYhB.exe
  C:\Windows\System32\CjMtYhB.exe
  2⤵
  PID:8028
- C:\Windows\System32\hDPzUxa.exe
  C:\Windows\System32\hDPzUxa.exe
  2⤵
  PID:8056
- C:\Windows\System32\MFtwLFh.exe
  C:\Windows\System32\MFtwLFh.exe
  2⤵
  PID:8092
- C:\Windows\System32\oLoHbAY.exe
  C:\Windows\System32\oLoHbAY.exe
  2⤵
  PID:8116
- C:\Windows\System32\nhwEIfE.exe
  C:\Windows\System32\nhwEIfE.exe
  2⤵
  PID:8140
- C:\Windows\System32\sXvGTEb.exe
  C:\Windows\System32\sXvGTEb.exe
  2⤵
  PID:8168
- C:\Windows\System32\bQqVkvs.exe
  C:\Windows\System32\bQqVkvs.exe
  2⤵
  PID:6808
- C:\Windows\System32\wAzHgXj.exe
  C:\Windows\System32\wAzHgXj.exe
  2⤵
  PID:7108
- C:\Windows\System32\uxQkwhw.exe
  C:\Windows\System32\uxQkwhw.exe
  2⤵
  PID:7228
- C:\Windows\System32\BUrKMEa.exe
  C:\Windows\System32\BUrKMEa.exe
  2⤵
  PID:7320
- C:\Windows\System32\bFmDWTz.exe
  C:\Windows\System32\bFmDWTz.exe
  2⤵
  PID:7432
- C:\Windows\System32\gEGIxWU.exe
  C:\Windows\System32\gEGIxWU.exe
  2⤵
  PID:7508
- C:\Windows\System32\kyYfIak.exe
  C:\Windows\System32\kyYfIak.exe
  2⤵
  PID:7560
- C:\Windows\System32\UPUyZOr.exe
  C:\Windows\System32\UPUyZOr.exe
  2⤵
  PID:7636
- C:\Windows\System32\TCaNzAA.exe
  C:\Windows\System32\TCaNzAA.exe
  2⤵
  PID:7696
- C:\Windows\System32\yamYOIo.exe
  C:\Windows\System32\yamYOIo.exe
  2⤵
  PID:7716
- C:\Windows\System32\qQLTyBX.exe
  C:\Windows\System32\qQLTyBX.exe
  2⤵
  PID:7836
- C:\Windows\System32\yqqipIH.exe
  C:\Windows\System32\yqqipIH.exe
  2⤵
  PID:7860
- C:\Windows\System32\iSTimqM.exe
  C:\Windows\System32\iSTimqM.exe
  2⤵
  PID:7912
- C:\Windows\System32\UJEpmns.exe
  C:\Windows\System32\UJEpmns.exe
  2⤵
  PID:7940
- C:\Windows\System32\hYMRvuN.exe
  C:\Windows\System32\hYMRvuN.exe
  2⤵
  PID:8020
- C:\Windows\System32\ipoRoTx.exe
  C:\Windows\System32\ipoRoTx.exe
  2⤵
  PID:8076
- C:\Windows\System32\OQSlReF.exe
  C:\Windows\System32\OQSlReF.exe
  2⤵
  PID:8104
- C:\Windows\System32\axJxRzt.exe
  C:\Windows\System32\axJxRzt.exe
  2⤵
  PID:7220
- C:\Windows\System32\uYrzfqQ.exe
  C:\Windows\System32\uYrzfqQ.exe
  2⤵
  PID:7392
- C:\Windows\System32\mDVwMIn.exe
  C:\Windows\System32\mDVwMIn.exe
  2⤵
  PID:7540
- C:\Windows\System32\OwHONeX.exe
  C:\Windows\System32\OwHONeX.exe
  2⤵
  PID:7628
- C:\Windows\System32\jVWThHD.exe
  C:\Windows\System32\jVWThHD.exe
  2⤵
  PID:7944
- C:\Windows\System32\nsOtiol.exe
  C:\Windows\System32\nsOtiol.exe
  2⤵
  PID:8052
- C:\Windows\System32\Butjfyf.exe
  C:\Windows\System32\Butjfyf.exe
  2⤵
  PID:8156
- C:\Windows\System32\NPmrsDe.exe
  C:\Windows\System32\NPmrsDe.exe
  2⤵
  PID:7448
- C:\Windows\System32\FOlGdzZ.exe
  C:\Windows\System32\FOlGdzZ.exe
  2⤵
  PID:7896
- C:\Windows\System32\yATaOwz.exe
  C:\Windows\System32\yATaOwz.exe
  2⤵
  PID:6940
- C:\Windows\System32\tyNZaWs.exe
  C:\Windows\System32\tyNZaWs.exe
  2⤵
  PID:7720
- C:\Windows\System32\WBqfZqB.exe
  C:\Windows\System32\WBqfZqB.exe
  2⤵
  PID:8220
- C:\Windows\System32\dAPENpY.exe
  C:\Windows\System32\dAPENpY.exe
  2⤵
  PID:8236
- C:\Windows\System32\byMcUry.exe
  C:\Windows\System32\byMcUry.exe
  2⤵
  PID:8252
- C:\Windows\System32\hJJkGpz.exe
  C:\Windows\System32\hJJkGpz.exe
  2⤵
  PID:8292
- C:\Windows\System32\daDuWtv.exe
  C:\Windows\System32\daDuWtv.exe
  2⤵
  PID:8320
- C:\Windows\System32\xyBQaAL.exe
  C:\Windows\System32\xyBQaAL.exe
  2⤵
  PID:8336
- C:\Windows\System32\xyYafvz.exe
  C:\Windows\System32\xyYafvz.exe
  2⤵
  PID:8356
- C:\Windows\System32\gOQjJxh.exe
  C:\Windows\System32\gOQjJxh.exe
  2⤵
  PID:8388
- C:\Windows\System32\QLqlHJy.exe
  C:\Windows\System32\QLqlHJy.exe
  2⤵
  PID:8404
- C:\Windows\System32\aUWPqiT.exe
  C:\Windows\System32\aUWPqiT.exe
  2⤵
  PID:8428
- C:\Windows\System32\JdSczdt.exe
  C:\Windows\System32\JdSczdt.exe
  2⤵
  PID:8476
- C:\Windows\System32\btMSbeF.exe
  C:\Windows\System32\btMSbeF.exe
  2⤵
  PID:8496
- C:\Windows\System32\gOwEVlS.exe
  C:\Windows\System32\gOwEVlS.exe
  2⤵
  PID:8520
- C:\Windows\System32\XHQuAnn.exe
  C:\Windows\System32\XHQuAnn.exe
  2⤵
  PID:8572
- C:\Windows\System32\seDGQKK.exe
  C:\Windows\System32\seDGQKK.exe
  2⤵
  PID:8600
- C:\Windows\System32\bVFhWiD.exe
  C:\Windows\System32\bVFhWiD.exe
  2⤵
  PID:8636
- C:\Windows\System32\jtvQOIG.exe
  C:\Windows\System32\jtvQOIG.exe
  2⤵
  PID:8672
- C:\Windows\System32\khCHqDI.exe
  C:\Windows\System32\khCHqDI.exe
  2⤵
  PID:8768
- C:\Windows\System32\HETzHHq.exe
  C:\Windows\System32\HETzHHq.exe
  2⤵
  PID:8784
- C:\Windows\System32\nfaLeiy.exe
  C:\Windows\System32\nfaLeiy.exe
  2⤵
  PID:8800
- C:\Windows\System32\rvDloeV.exe
  C:\Windows\System32\rvDloeV.exe
  2⤵
  PID:8816
- C:\Windows\System32\htxxLoH.exe
  C:\Windows\System32\htxxLoH.exe
  2⤵
  PID:8832
- C:\Windows\System32\ifYMHTL.exe
  C:\Windows\System32\ifYMHTL.exe
  2⤵
  PID:8848
- C:\Windows\System32\IGiJgsD.exe
  C:\Windows\System32\IGiJgsD.exe
  2⤵
  PID:8864
- C:\Windows\System32\haLcqVF.exe
  C:\Windows\System32\haLcqVF.exe
  2⤵
  PID:8880
- C:\Windows\System32\ncfEqwE.exe
  C:\Windows\System32\ncfEqwE.exe
  2⤵
  PID:8896
- C:\Windows\System32\jtbHmfC.exe
  C:\Windows\System32\jtbHmfC.exe
  2⤵
  PID:8912
- C:\Windows\System32\fgOeWDv.exe
  C:\Windows\System32\fgOeWDv.exe
  2⤵
  PID:8928
- C:\Windows\System32\evkAcRI.exe
  C:\Windows\System32\evkAcRI.exe
  2⤵
  PID:8944
- C:\Windows\System32\ERQdrQZ.exe
  C:\Windows\System32\ERQdrQZ.exe
  2⤵
  PID:8960
- C:\Windows\System32\NjTJAXy.exe
  C:\Windows\System32\NjTJAXy.exe
  2⤵
  PID:9000
- C:\Windows\System32\WnniBJQ.exe
  C:\Windows\System32\WnniBJQ.exe
  2⤵
  PID:9020
- C:\Windows\System32\DFMyoOe.exe
  C:\Windows\System32\DFMyoOe.exe
  2⤵
  PID:9088
- C:\Windows\System32\JvqVXWd.exe
  C:\Windows\System32\JvqVXWd.exe
  2⤵
  PID:9104
- C:\Windows\System32\xggeDoM.exe
  C:\Windows\System32\xggeDoM.exe
  2⤵
  PID:9124
- C:\Windows\System32\yCWtHDG.exe
  C:\Windows\System32\yCWtHDG.exe
  2⤵
  PID:9140
- C:\Windows\System32\jXaCARJ.exe
  C:\Windows\System32\jXaCARJ.exe
  2⤵
  PID:9156
- C:\Windows\System32\SGqUdiO.exe
  C:\Windows\System32\SGqUdiO.exe
  2⤵
  PID:9180
- C:\Windows\System32\ajokGzK.exe
  C:\Windows\System32\ajokGzK.exe
  2⤵
  PID:8456
- C:\Windows\System32\USoWFax.exe
  C:\Windows\System32\USoWFax.exe
  2⤵
  PID:8624
- C:\Windows\System32\dKWsdXt.exe
  C:\Windows\System32\dKWsdXt.exe
  2⤵
  PID:8808
- C:\Windows\System32\RErizZT.exe
  C:\Windows\System32\RErizZT.exe
  2⤵
  PID:8984
- C:\Windows\System32\EpmiLLN.exe
  C:\Windows\System32\EpmiLLN.exe
  2⤵
  PID:8620
- C:\Windows\System32\ExGISPu.exe
  C:\Windows\System32\ExGISPu.exe
  2⤵
  PID:8840
- C:\Windows\System32\yjwEItP.exe
  C:\Windows\System32\yjwEItP.exe
  2⤵
  PID:8876
- C:\Windows\System32\qXofEXO.exe
  C:\Windows\System32\qXofEXO.exe
  2⤵
  PID:8728
- C:\Windows\System32\XMiPFdZ.exe
  C:\Windows\System32\XMiPFdZ.exe
  2⤵
  PID:8936
- C:\Windows\System32\eYyWNsl.exe
  C:\Windows\System32\eYyWNsl.exe
  2⤵
  PID:8968
- C:\Windows\System32\UPktPrm.exe
  C:\Windows\System32\UPktPrm.exe
  2⤵
  PID:9016
- C:\Windows\System32\tRnCrLL.exe
  C:\Windows\System32\tRnCrLL.exe
  2⤵
  PID:8228
- C:\Windows\System32\kIPZPyI.exe
  C:\Windows\System32\kIPZPyI.exe
  2⤵
  PID:9040
- C:\Windows\System32\QeZKJTv.exe
  C:\Windows\System32\QeZKJTv.exe
  2⤵
  PID:8396
- C:\Windows\System32\DXoTyuB.exe
  C:\Windows\System32\DXoTyuB.exe
  2⤵
  PID:9172
- C:\Windows\System32\KisSkzE.exe
  C:\Windows\System32\KisSkzE.exe
  2⤵
  PID:9196
- C:\Windows\System32\HxKzEZd.exe
  C:\Windows\System32\HxKzEZd.exe
  2⤵
  PID:8972
- C:\Windows\System32\SZghoCl.exe
  C:\Windows\System32\SZghoCl.exe
  2⤵
  PID:8828
- C:\Windows\System32\SXNGhOD.exe
  C:\Windows\System32\SXNGhOD.exe
  2⤵
  PID:8924
- C:\Windows\System32\NmtKaSJ.exe
  C:\Windows\System32\NmtKaSJ.exe
  2⤵
  PID:9028
- C:\Windows\System32\fitbCjF.exe
  C:\Windows\System32\fitbCjF.exe
  2⤵
  PID:8212
- C:\Windows\System32\pWAiMeE.exe
  C:\Windows\System32\pWAiMeE.exe
  2⤵
  PID:8376
- C:\Windows\System32\KxvgoQg.exe
  C:\Windows\System32\KxvgoQg.exe
  2⤵
  PID:8628
- C:\Windows\System32\LgfRVFz.exe
  C:\Windows\System32\LgfRVFz.exe
  2⤵
  PID:9188
- C:\Windows\System32\UGbRexL.exe
  C:\Windows\System32\UGbRexL.exe
  2⤵
  PID:3808
- C:\Windows\System32\BfeVrIA.exe
  C:\Windows\System32\BfeVrIA.exe
  2⤵
  PID:9220
- C:\Windows\System32\bFaFVFP.exe
  C:\Windows\System32\bFaFVFP.exe
  2⤵
  PID:9236
- C:\Windows\System32\pEmEVgL.exe
  C:\Windows\System32\pEmEVgL.exe
  2⤵
  PID:9276
- C:\Windows\System32\Nskmssi.exe
  C:\Windows\System32\Nskmssi.exe
  2⤵
  PID:9300
- C:\Windows\System32\OBWpTjF.exe
  C:\Windows\System32\OBWpTjF.exe
  2⤵
  PID:9340
- C:\Windows\System32\hLmWOXM.exe
  C:\Windows\System32\hLmWOXM.exe
  2⤵
  PID:9368
- C:\Windows\System32\EEgWaAw.exe
  C:\Windows\System32\EEgWaAw.exe
  2⤵
  PID:9392
- C:\Windows\System32\GsIHQRa.exe
  C:\Windows\System32\GsIHQRa.exe
  2⤵
  PID:9408
- C:\Windows\System32\LPAKMLU.exe
  C:\Windows\System32\LPAKMLU.exe
  2⤵
  PID:9432
- C:\Windows\System32\WaPlqZm.exe
  C:\Windows\System32\WaPlqZm.exe
  2⤵
  PID:9472
- C:\Windows\System32\wTFdihS.exe
  C:\Windows\System32\wTFdihS.exe
  2⤵
  PID:9496
- C:\Windows\System32\gFRYadE.exe
  C:\Windows\System32\gFRYadE.exe
  2⤵
  PID:9520
- C:\Windows\System32\NHCEKIJ.exe
  C:\Windows\System32\NHCEKIJ.exe
  2⤵
  PID:9544
- C:\Windows\System32\VDvEFkL.exe
  C:\Windows\System32\VDvEFkL.exe
  2⤵
  PID:9592
- C:\Windows\System32\iGvbxWg.exe
  C:\Windows\System32\iGvbxWg.exe
  2⤵
  PID:9612
- C:\Windows\System32\FIMoXOq.exe
  C:\Windows\System32\FIMoXOq.exe
  2⤵
  PID:9632
- C:\Windows\System32\RoFkhhC.exe
  C:\Windows\System32\RoFkhhC.exe
  2⤵
  PID:9672
- C:\Windows\System32\HqnkxWZ.exe
  C:\Windows\System32\HqnkxWZ.exe
  2⤵
  PID:9688
- C:\Windows\System32\URnuCtx.exe
  C:\Windows\System32\URnuCtx.exe
  2⤵
  PID:9736
- C:\Windows\System32\aDtSxPU.exe
  C:\Windows\System32\aDtSxPU.exe
  2⤵
  PID:9756
- C:\Windows\System32\ZlJPcNK.exe
  C:\Windows\System32\ZlJPcNK.exe
  2⤵
  PID:9776
- C:\Windows\System32\sMgKHXF.exe
  C:\Windows\System32\sMgKHXF.exe
  2⤵
  PID:9812
- C:\Windows\System32\CePCJqq.exe
  C:\Windows\System32\CePCJqq.exe
  2⤵
  PID:9844
- C:\Windows\System32\kAPgCLm.exe
  C:\Windows\System32\kAPgCLm.exe
  2⤵
  PID:9864
- C:\Windows\System32\xPMZEJA.exe
  C:\Windows\System32\xPMZEJA.exe
  2⤵
  PID:9896
- C:\Windows\System32\MXeruJE.exe
  C:\Windows\System32\MXeruJE.exe
  2⤵
  PID:9924
- C:\Windows\System32\lMNuQPT.exe
  C:\Windows\System32\lMNuQPT.exe
  2⤵
  PID:9944
- C:\Windows\System32\vlkCCtY.exe
  C:\Windows\System32\vlkCCtY.exe
  2⤵
  PID:10000
- C:\Windows\System32\VfdpFcc.exe
  C:\Windows\System32\VfdpFcc.exe
  2⤵
  PID:10024
- C:\Windows\System32\pSumvQl.exe
  C:\Windows\System32\pSumvQl.exe
  2⤵
  PID:10040
- C:\Windows\System32\BcTqjOv.exe
  C:\Windows\System32\BcTqjOv.exe
  2⤵
  PID:10056
- C:\Windows\System32\rDROMHJ.exe
  C:\Windows\System32\rDROMHJ.exe
  2⤵
  PID:10072
- C:\Windows\System32\fuZAVVx.exe
  C:\Windows\System32\fuZAVVx.exe
  2⤵
  PID:10088
- C:\Windows\System32\FFvBpmp.exe
  C:\Windows\System32\FFvBpmp.exe
  2⤵
  PID:10104
- C:\Windows\System32\XROxrYS.exe
  C:\Windows\System32\XROxrYS.exe
  2⤵
  PID:10120
- C:\Windows\System32\DiOwcxb.exe
  C:\Windows\System32\DiOwcxb.exe
  2⤵
  PID:10168
- C:\Windows\System32\HwIRwdz.exe
  C:\Windows\System32\HwIRwdz.exe
  2⤵
  PID:9116
- C:\Windows\System32\nvjqKXp.exe
  C:\Windows\System32\nvjqKXp.exe
  2⤵
  PID:9228
- C:\Windows\System32\usZXEHr.exe
  C:\Windows\System32\usZXEHr.exe
  2⤵
  PID:9268
- C:\Windows\System32\IxoRhGq.exe
  C:\Windows\System32\IxoRhGq.exe
  2⤵
  PID:9384
- C:\Windows\System32\khvpSkD.exe
  C:\Windows\System32\khvpSkD.exe
  2⤵
  PID:9400
- C:\Windows\System32\DnJCsyR.exe
  C:\Windows\System32\DnJCsyR.exe
  2⤵
  PID:9508
- C:\Windows\System32\bKlURQX.exe
  C:\Windows\System32\bKlURQX.exe
  2⤵
  PID:9600
- C:\Windows\System32\lCabOZm.exe
  C:\Windows\System32\lCabOZm.exe
  2⤵
  PID:9700
- C:\Windows\System32\XMoHMSC.exe
  C:\Windows\System32\XMoHMSC.exe
  2⤵
  PID:9772
- C:\Windows\System32\xtbSYXu.exe
  C:\Windows\System32\xtbSYXu.exe
  2⤵
  PID:9800
- C:\Windows\System32\QRljSVe.exe
  C:\Windows\System32\QRljSVe.exe
  2⤵
  PID:9860
- C:\Windows\System32\XkdQIIw.exe
  C:\Windows\System32\XkdQIIw.exe
  2⤵
  PID:9908
- C:\Windows\System32\hUrSHMq.exe
  C:\Windows\System32\hUrSHMq.exe
  2⤵
  PID:9984
- C:\Windows\System32\evUtxSL.exe
  C:\Windows\System32\evUtxSL.exe
  2⤵
  PID:10128
- C:\Windows\System32\TyovTCm.exe
  C:\Windows\System32\TyovTCm.exe
  2⤵
  PID:10140
- C:\Windows\System32\ACYPSia.exe
  C:\Windows\System32\ACYPSia.exe
  2⤵
  PID:10184
- C:\Windows\System32\RKxxDRu.exe
  C:\Windows\System32\RKxxDRu.exe
  2⤵
  PID:9232
- C:\Windows\System32\UIgMqAk.exe
  C:\Windows\System32\UIgMqAk.exe
  2⤵
  PID:9488
- C:\Windows\System32\sPiXwuN.exe
  C:\Windows\System32\sPiXwuN.exe
  2⤵
  PID:9668
- C:\Windows\System32\OSlLpyp.exe
  C:\Windows\System32\OSlLpyp.exe
  2⤵
  PID:9808
- C:\Windows\System32\LpBxajO.exe
  C:\Windows\System32\LpBxajO.exe
  2⤵
  PID:9920
- C:\Windows\System32\bqyrRVh.exe
  C:\Windows\System32\bqyrRVh.exe
  2⤵
  PID:10100
- C:\Windows\System32\MplUBcA.exe
  C:\Windows\System32\MplUBcA.exe
  2⤵
  PID:10212
- C:\Windows\System32\NmCExfw.exe
  C:\Windows\System32\NmCExfw.exe
  2⤵
  PID:9288
- C:\Windows\System32\jFmGdFJ.exe
  C:\Windows\System32\jFmGdFJ.exe
  2⤵
  PID:9964
- C:\Windows\System32\XxCgeJn.exe
  C:\Windows\System32\XxCgeJn.exe
  2⤵
  PID:9376
- C:\Windows\System32\MBgByak.exe
  C:\Windows\System32\MBgByak.exe
  2⤵
  PID:9680
- C:\Windows\System32\xYMgGAY.exe
  C:\Windows\System32\xYMgGAY.exe
  2⤵
  PID:10256
- C:\Windows\System32\BjQRemT.exe
  C:\Windows\System32\BjQRemT.exe
  2⤵
  PID:10308
- C:\Windows\System32\SJFZtuz.exe
  C:\Windows\System32\SJFZtuz.exe
  2⤵
  PID:10340
- C:\Windows\System32\dISiskt.exe
  C:\Windows\System32\dISiskt.exe
  2⤵
  PID:10356
- C:\Windows\System32\HhhYPlB.exe
  C:\Windows\System32\HhhYPlB.exe
  2⤵
  PID:10392
- C:\Windows\System32\RmKoUcc.exe
  C:\Windows\System32\RmKoUcc.exe
  2⤵
  PID:10420
- C:\Windows\System32\heeGOlA.exe
  C:\Windows\System32\heeGOlA.exe
  2⤵
  PID:10448
- C:\Windows\System32\luTpmTu.exe
  C:\Windows\System32\luTpmTu.exe
  2⤵
  PID:10468
- C:\Windows\System32\NSrxZeP.exe
  C:\Windows\System32\NSrxZeP.exe
  2⤵
  PID:10500
- C:\Windows\System32\wypBeZS.exe
  C:\Windows\System32\wypBeZS.exe
  2⤵
  PID:10532
- C:\Windows\System32\rZsRCSc.exe
  C:\Windows\System32\rZsRCSc.exe
  2⤵
  PID:10560
- C:\Windows\System32\SFWuctJ.exe
  C:\Windows\System32\SFWuctJ.exe
  2⤵
  PID:10588
- C:\Windows\System32\QnFnzhr.exe
  C:\Windows\System32\QnFnzhr.exe
  2⤵
  PID:10616
- C:\Windows\System32\NSUjmgy.exe
  C:\Windows\System32\NSUjmgy.exe
  2⤵
  PID:10644
- C:\Windows\System32\HfncIYb.exe
  C:\Windows\System32\HfncIYb.exe
  2⤵
  PID:10668
- C:\Windows\System32\jeGqobD.exe
  C:\Windows\System32\jeGqobD.exe
  2⤵
  PID:10684
- C:\Windows\System32\QOsQXzM.exe
  C:\Windows\System32\QOsQXzM.exe
  2⤵
  PID:10704
- C:\Windows\System32\HBzFLvh.exe
  C:\Windows\System32\HBzFLvh.exe
  2⤵
  PID:10740
- C:\Windows\System32\VbLZRzn.exe
  C:\Windows\System32\VbLZRzn.exe
  2⤵
  PID:10780
- C:\Windows\System32\AkkkuPV.exe
  C:\Windows\System32\AkkkuPV.exe
  2⤵
  PID:10796
- C:\Windows\System32\WwgQNfK.exe
  C:\Windows\System32\WwgQNfK.exe
  2⤵
  PID:10824
- C:\Windows\System32\BwboGCQ.exe
  C:\Windows\System32\BwboGCQ.exe
  2⤵
  PID:10840
- C:\Windows\System32\yIXLIEU.exe
  C:\Windows\System32\yIXLIEU.exe
  2⤵
  PID:10876
- C:\Windows\System32\pkwlneU.exe
  C:\Windows\System32\pkwlneU.exe
  2⤵
  PID:10900
- C:\Windows\System32\lalRVxu.exe
  C:\Windows\System32\lalRVxu.exe
  2⤵
  PID:10940
- C:\Windows\System32\qmwcoTF.exe
  C:\Windows\System32\qmwcoTF.exe
  2⤵
  PID:10984
- C:\Windows\System32\ZARmLzp.exe
  C:\Windows\System32\ZARmLzp.exe
  2⤵
  PID:11008
- C:\Windows\System32\BewIcRJ.exe
  C:\Windows\System32\BewIcRJ.exe
  2⤵
  PID:11028
- C:\Windows\System32\qytVUrs.exe
  C:\Windows\System32\qytVUrs.exe
  2⤵
  PID:11056
- C:\Windows\System32\JrHadIL.exe
  C:\Windows\System32\JrHadIL.exe
  2⤵
  PID:11104
- C:\Windows\System32\pnWYZvl.exe
  C:\Windows\System32\pnWYZvl.exe
  2⤵
  PID:11128
- C:\Windows\System32\pzmRlNy.exe
  C:\Windows\System32\pzmRlNy.exe
  2⤵
  PID:11156
- C:\Windows\System32\XzjDNBl.exe
  C:\Windows\System32\XzjDNBl.exe
  2⤵
  PID:11172
- C:\Windows\System32\BagVjhW.exe
  C:\Windows\System32\BagVjhW.exe
  2⤵
  PID:11212
- C:\Windows\System32\ZxStvca.exe
  C:\Windows\System32\ZxStvca.exe
  2⤵
  PID:11236
- C:\Windows\System32\CpXtxVq.exe
  C:\Windows\System32\CpXtxVq.exe
  2⤵
  PID:11256
- C:\Windows\System32\epOpkmW.exe
  C:\Windows\System32\epOpkmW.exe
  2⤵
  PID:10252
- C:\Windows\System32\KuvTtAx.exe
  C:\Windows\System32\KuvTtAx.exe
  2⤵
  PID:10332
- C:\Windows\System32\cROmvhZ.exe
  C:\Windows\System32\cROmvhZ.exe
  2⤵
  PID:10412
- C:\Windows\System32\VHMmOTy.exe
  C:\Windows\System32\VHMmOTy.exe
  2⤵
  PID:10444
- C:\Windows\System32\lovYhEk.exe
  C:\Windows\System32\lovYhEk.exe
  2⤵
  PID:10508
- C:\Windows\System32\FjTjlnN.exe
  C:\Windows\System32\FjTjlnN.exe
  2⤵
  PID:10604
- C:\Windows\System32\yIwuEqC.exe
  C:\Windows\System32\yIwuEqC.exe
  2⤵
  PID:10660
- C:\Windows\System32\RHhUNMW.exe
  C:\Windows\System32\RHhUNMW.exe
  2⤵
  PID:10696
- C:\Windows\System32\HlvQKbX.exe
  C:\Windows\System32\HlvQKbX.exe
  2⤵
  PID:10724
- C:\Windows\System32\EmRTCjM.exe
  C:\Windows\System32\EmRTCjM.exe
  2⤵
  PID:10776
- C:\Windows\System32\VNZPuEM.exe
  C:\Windows\System32\VNZPuEM.exe
  2⤵
  PID:10864
- C:\Windows\System32\gSCkwRP.exe
  C:\Windows\System32\gSCkwRP.exe
  2⤵
  PID:10924
- C:\Windows\System32\mkHOEgo.exe
  C:\Windows\System32\mkHOEgo.exe
  2⤵
  PID:11016
- C:\Windows\System32\GCSVcEf.exe
  C:\Windows\System32\GCSVcEf.exe
  2⤵
  PID:11120
- C:\Windows\System32\hsbbPEZ.exe
  C:\Windows\System32\hsbbPEZ.exe
  2⤵
  PID:11164
- C:\Windows\System32\eubjeCk.exe
  C:\Windows\System32\eubjeCk.exe
  2⤵
  PID:9728
- C:\Windows\System32\cqiBkCA.exe
  C:\Windows\System32\cqiBkCA.exe
  2⤵
  PID:10352
- C:\Windows\System32\VLVVVCv.exe
  C:\Windows\System32\VLVVVCv.exe
  2⤵
  PID:10464
- C:\Windows\System32\KLdssJT.exe
  C:\Windows\System32\KLdssJT.exe
  2⤵
  PID:10528
- C:\Windows\System32\NgvKVDf.exe
  C:\Windows\System32\NgvKVDf.exe
  2⤵
  PID:10700
- C:\Windows\System32\dELtbJa.exe
  C:\Windows\System32\dELtbJa.exe
  2⤵
  PID:10892
- C:\Windows\System32\hDkQOFf.exe
  C:\Windows\System32\hDkQOFf.exe
  2⤵
  PID:11204
- C:\Windows\System32\QlHoGCc.exe
  C:\Windows\System32\QlHoGCc.exe
  2⤵
  PID:10304
- C:\Windows\System32\XSLWunW.exe
  C:\Windows\System32\XSLWunW.exe
  2⤵
  PID:10576
- C:\Windows\System32\XVBdCPG.exe
  C:\Windows\System32\XVBdCPG.exe
  2⤵
  PID:11140
- C:\Windows\System32\QpszcCR.exe
  C:\Windows\System32\QpszcCR.exe
  2⤵
  PID:10272
- C:\Windows\System32\aPmPbjp.exe
  C:\Windows\System32\aPmPbjp.exe
  2⤵
  PID:10632
- C:\Windows\System32\HfFGIAJ.exe
  C:\Windows\System32\HfFGIAJ.exe
  2⤵
  PID:11048
- C:\Windows\System32\gWgEHlv.exe
  C:\Windows\System32\gWgEHlv.exe
  2⤵
  PID:11284
- C:\Windows\System32\dEZkApW.exe
  C:\Windows\System32\dEZkApW.exe
  2⤵
  PID:11308
- C:\Windows\System32\nZjFdpR.exe
  C:\Windows\System32\nZjFdpR.exe
  2⤵
  PID:11328
- C:\Windows\System32\uZkHhEA.exe
  C:\Windows\System32\uZkHhEA.exe
  2⤵
  PID:11360
- C:\Windows\System32\zznkoeY.exe
  C:\Windows\System32\zznkoeY.exe
  2⤵
  PID:11380
- C:\Windows\System32\AKOAJLO.exe
  C:\Windows\System32\AKOAJLO.exe
  2⤵
  PID:11396
- C:\Windows\System32\uAIxAzc.exe
  C:\Windows\System32\uAIxAzc.exe
  2⤵
  PID:11432
- C:\Windows\System32\eZuNvXt.exe
  C:\Windows\System32\eZuNvXt.exe
  2⤵
  PID:11484
- C:\Windows\System32\fJbfTBN.exe
  C:\Windows\System32\fJbfTBN.exe
  2⤵
  PID:11508
- C:\Windows\System32\VihSqwM.exe
  C:\Windows\System32\VihSqwM.exe
  2⤵
  PID:11528
- C:\Windows\System32\eEdEuaY.exe
  C:\Windows\System32\eEdEuaY.exe
  2⤵
  PID:11560
- C:\Windows\System32\wZEiico.exe
  C:\Windows\System32\wZEiico.exe
  2⤵
  PID:11584
- C:\Windows\System32\svvtrZG.exe
  C:\Windows\System32\svvtrZG.exe
  2⤵
  PID:11604
- C:\Windows\System32\UtJwquF.exe
  C:\Windows\System32\UtJwquF.exe
  2⤵
  PID:11620
- C:\Windows\System32\tQZfyjD.exe
  C:\Windows\System32\tQZfyjD.exe
  2⤵
  PID:11656
- C:\Windows\System32\DOlhWKj.exe
  C:\Windows\System32\DOlhWKj.exe
  2⤵
  PID:11684
- C:\Windows\System32\iZoJDLQ.exe
  C:\Windows\System32\iZoJDLQ.exe
  2⤵
  PID:11736
- C:\Windows\System32\KkvFHtA.exe
  C:\Windows\System32\KkvFHtA.exe
  2⤵
  PID:11752
- C:\Windows\System32\asuPGJl.exe
  C:\Windows\System32\asuPGJl.exe
  2⤵
  PID:11776
- C:\Windows\System32\hAMyjUR.exe
  C:\Windows\System32\hAMyjUR.exe
  2⤵
  PID:11808
- C:\Windows\System32\aHNNvrc.exe
  C:\Windows\System32\aHNNvrc.exe
  2⤵
  PID:11836
- C:\Windows\System32\AuMKdVM.exe
  C:\Windows\System32\AuMKdVM.exe
  2⤵
  PID:11864
- C:\Windows\System32\gmTGABm.exe
  C:\Windows\System32\gmTGABm.exe
  2⤵
  PID:11880
- C:\Windows\System32\zpmkesz.exe
  C:\Windows\System32\zpmkesz.exe
  2⤵
  PID:11908
- C:\Windows\System32\ZfHbFmM.exe
  C:\Windows\System32\ZfHbFmM.exe
  2⤵
  PID:11960
- C:\Windows\System32\QAeHiwC.exe
  C:\Windows\System32\QAeHiwC.exe
  2⤵
  PID:11988
- C:\Windows\System32\RlguErz.exe
  C:\Windows\System32\RlguErz.exe
  2⤵
  PID:12004
- C:\Windows\System32\grlpfES.exe
  C:\Windows\System32\grlpfES.exe
  2⤵
  PID:12024
- C:\Windows\System32\maNnxRd.exe
  C:\Windows\System32\maNnxRd.exe
  2⤵
  PID:12060
- C:\Windows\System32\jDBwiez.exe
  C:\Windows\System32\jDBwiez.exe
  2⤵
  PID:12096
- C:\Windows\System32\pSflBXZ.exe
  C:\Windows\System32\pSflBXZ.exe
  2⤵
  PID:12132
- C:\Windows\System32\QPAhPfK.exe
  C:\Windows\System32\QPAhPfK.exe
  2⤵
  PID:12160
- C:\Windows\System32\JvtmGtH.exe
  C:\Windows\System32\JvtmGtH.exe
  2⤵
  PID:12176
- C:\Windows\System32\cplFsxq.exe
  C:\Windows\System32\cplFsxq.exe
  2⤵
  PID:12204
- C:\Windows\System32\YRJaeYE.exe
  C:\Windows\System32\YRJaeYE.exe
  2⤵
  PID:12244
- C:\Windows\System32\JfSkBny.exe
  C:\Windows\System32\JfSkBny.exe
  2⤵
  PID:12260
- C:\Windows\System32\lLAJSzV.exe
  C:\Windows\System32\lLAJSzV.exe
  2⤵
  PID:6068
- C:\Windows\System32\LJUtzSB.exe
  C:\Windows\System32\LJUtzSB.exe
  2⤵
  PID:5708
- C:\Windows\System32\dCPYefV.exe
  C:\Windows\System32\dCPYefV.exe
  2⤵
  PID:11348
- C:\Windows\System32\HRKzxFT.exe
  C:\Windows\System32\HRKzxFT.exe
  2⤵
  PID:11404
- C:\Windows\System32\MGmXxsv.exe
  C:\Windows\System32\MGmXxsv.exe
  2⤵
  PID:11408
- C:\Windows\System32\SXtAiJn.exe
  C:\Windows\System32\SXtAiJn.exe
  2⤵
  PID:11472
- C:\Windows\System32\JCLKBZA.exe
  C:\Windows\System32\JCLKBZA.exe
  2⤵
  PID:11520
- C:\Windows\System32\ceyMPXZ.exe
  C:\Windows\System32\ceyMPXZ.exe
  2⤵
  PID:11576
- C:\Windows\System32\auGDCFL.exe
  C:\Windows\System32\auGDCFL.exe
  2⤵
  PID:11632
- C:\Windows\System32\lNqvUKT.exe
  C:\Windows\System32\lNqvUKT.exe
  2⤵
  PID:11676
- C:\Windows\System32\mEPALqm.exe
  C:\Windows\System32\mEPALqm.exe
  2⤵
  PID:11784
- C:\Windows\System32\EwOKrsW.exe
  C:\Windows\System32\EwOKrsW.exe
  2⤵
  PID:11896
- C:\Windows\System32\csAGJfq.exe
  C:\Windows\System32\csAGJfq.exe
  2⤵
  PID:11928
- C:\Windows\System32\rjSvspr.exe
  C:\Windows\System32\rjSvspr.exe
  2⤵
  PID:11976
- C:\Windows\System32\YBHNqwc.exe
  C:\Windows\System32\YBHNqwc.exe
  2⤵
  PID:12092
- C:\Windows\System32\xbDFPmm.exe
  C:\Windows\System32\xbDFPmm.exe
  2⤵
  PID:12148
- C:\Windows\System32\MkqKUPC.exe
  C:\Windows\System32\MkqKUPC.exe
  2⤵
  PID:12172
- C:\Windows\System32\PzdiIwO.exe
  C:\Windows\System32\PzdiIwO.exe
  2⤵
  PID:5464
- C:\Windows\System32\AgNXNqa.exe
  C:\Windows\System32\AgNXNqa.exe
  2⤵
  PID:11460
- C:\Windows\System32\oWsmTTn.exe
  C:\Windows\System32\oWsmTTn.exe
  2⤵
  PID:11556
- C:\Windows\System32\WpZfZac.exe
  C:\Windows\System32\WpZfZac.exe
  2⤵
  PID:11672
- C:\Windows\System32\cANaeCn.exe
  C:\Windows\System32\cANaeCn.exe
  2⤵
  PID:11748
- C:\Windows\System32\DUgzkph.exe
  C:\Windows\System32\DUgzkph.exe
  2⤵
  PID:11952
- C:\Windows\System32\TtPSDxj.exe
  C:\Windows\System32\TtPSDxj.exe
  2⤵
  PID:12012
- C:\Windows\System32\dCBUjjs.exe
  C:\Windows\System32\dCBUjjs.exe
  2⤵
  PID:12280
- C:\Windows\System32\IBuVzoC.exe
  C:\Windows\System32\IBuVzoC.exe
  2⤵
  PID:4448
- C:\Windows\System32\cPAhPsH.exe
  C:\Windows\System32\cPAhPsH.exe
  2⤵
  PID:3064
- C:\Windows\System32\VtVhixV.exe
  C:\Windows\System32\VtVhixV.exe
  2⤵
  PID:12040
- C:\Windows\System32\mVPqVto.exe
  C:\Windows\System32\mVPqVto.exe
  2⤵
  PID:12156
- C:\Windows\System32\rUHpYjI.exe
  C:\Windows\System32\rUHpYjI.exe
  2⤵
  PID:11612
- C:\Windows\System32\jRePWes.exe
  C:\Windows\System32\jRePWes.exe
  2⤵
  PID:11872
- C:\Windows\System32\bgcIZkl.exe
  C:\Windows\System32\bgcIZkl.exe
  2⤵
  PID:12188
- C:\Windows\System32\PcIgTIS.exe
  C:\Windows\System32\PcIgTIS.exe
  2⤵
  PID:12332
- C:\Windows\System32\FLtZHDZ.exe
  C:\Windows\System32\FLtZHDZ.exe
  2⤵
  PID:12348
- C:\Windows\System32\AwLPNib.exe
  C:\Windows\System32\AwLPNib.exe
  2⤵
  PID:12376
- C:\Windows\System32\BDkTNOb.exe
  C:\Windows\System32\BDkTNOb.exe
  2⤵
  PID:12416
- C:\Windows\System32\kvVvmlN.exe
  C:\Windows\System32\kvVvmlN.exe
  2⤵
  PID:12444
- C:\Windows\System32\SBqHlfh.exe
  C:\Windows\System32\SBqHlfh.exe
  2⤵
  PID:12472
- C:\Windows\System32\jMyHLfG.exe
  C:\Windows\System32\jMyHLfG.exe
  2⤵
  PID:12496
- C:\Windows\System32\UiRlmEv.exe
  C:\Windows\System32\UiRlmEv.exe
  2⤵
  PID:12516
- C:\Windows\System32\FirGCxE.exe
  C:\Windows\System32\FirGCxE.exe
  2⤵
  PID:12552
- C:\Windows\System32\KMNhbnp.exe
  C:\Windows\System32\KMNhbnp.exe
  2⤵
  PID:12576
- C:\Windows\System32\gkIFSrr.exe
  C:\Windows\System32\gkIFSrr.exe
  2⤵
  PID:12592
- C:\Windows\System32\uZzCijt.exe
  C:\Windows\System32\uZzCijt.exe
  2⤵
  PID:12628
- C:\Windows\System32\XfoCglJ.exe
  C:\Windows\System32\XfoCglJ.exe
  2⤵
  PID:12648
- C:\Windows\System32\JmUxCTy.exe
  C:\Windows\System32\JmUxCTy.exe
  2⤵
  PID:12672
- C:\Windows\System32\yJlmvWm.exe
  C:\Windows\System32\yJlmvWm.exe
  2⤵
  PID:12688
- C:\Windows\System32\XXJawql.exe
  C:\Windows\System32\XXJawql.exe
  2⤵
  PID:12728
- C:\Windows\System32\HdsKtkd.exe
  C:\Windows\System32\HdsKtkd.exe
  2⤵
  PID:12768
- C:\Windows\System32\ilCCwCR.exe
  C:\Windows\System32\ilCCwCR.exe
  2⤵
  PID:12804
- C:\Windows\System32\XPNtyvp.exe
  C:\Windows\System32\XPNtyvp.exe
  2⤵
  PID:12828
- C:\Windows\System32\syfBqcE.exe
  C:\Windows\System32\syfBqcE.exe
  2⤵
  PID:12864
- C:\Windows\System32\nJBOOIj.exe
  C:\Windows\System32\nJBOOIj.exe
  2⤵
  PID:12896
- C:\Windows\System32\XDFkSCC.exe
  C:\Windows\System32\XDFkSCC.exe
  2⤵
  PID:12924
- C:\Windows\System32\vrOsmNv.exe
  C:\Windows\System32\vrOsmNv.exe
  2⤵
  PID:12952
- C:\Windows\System32\ZRcJxnw.exe
  C:\Windows\System32\ZRcJxnw.exe
  2⤵
  PID:12988
- C:\Windows\System32\XkqoofJ.exe
  C:\Windows\System32\XkqoofJ.exe
  2⤵
  PID:13008
- C:\Windows\System32\Qnrirut.exe
  C:\Windows\System32\Qnrirut.exe
  2⤵
  PID:13028
- C:\Windows\System32\DHyVAXR.exe
  C:\Windows\System32\DHyVAXR.exe
  2⤵
  PID:13052
- C:\Windows\System32\pvviZeU.exe
  C:\Windows\System32\pvviZeU.exe
  2⤵
  PID:13080
- C:\Windows\System32\znXHwwC.exe
  C:\Windows\System32\znXHwwC.exe
  2⤵
  PID:13100
- C:\Windows\System32\QysIAKu.exe
  C:\Windows\System32\QysIAKu.exe
  2⤵
  PID:13148
- C:\Windows\System32\pFXkhOM.exe
  C:\Windows\System32\pFXkhOM.exe
  2⤵
  PID:13176
- C:\Windows\System32\IjyeUda.exe
  C:\Windows\System32\IjyeUda.exe
  2⤵
  PID:13200
- C:\Windows\System32\qfjUvon.exe
  C:\Windows\System32\qfjUvon.exe
  2⤵
  PID:13224
- C:\Windows\System32\bcRNaCj.exe
  C:\Windows\System32\bcRNaCj.exe
  2⤵
  PID:13260
- C:\Windows\System32\bpNmYGM.exe
  C:\Windows\System32\bpNmYGM.exe
  2⤵
  PID:13280
- C:\Windows\System32\nQIlFUZ.exe
  C:\Windows\System32\nQIlFUZ.exe
  2⤵
  PID:13296
- C:\Windows\System32\yZlEWKE.exe
  C:\Windows\System32\yZlEWKE.exe
  2⤵
  PID:12364
- C:\Windows\System32\UBZkfYs.exe
  C:\Windows\System32\UBZkfYs.exe
  2⤵
  PID:12384
- C:\Windows\System32\eHlgSmN.exe
  C:\Windows\System32\eHlgSmN.exe
  2⤵
  PID:12488
- C:\Windows\System32\rfNnNfX.exe
  C:\Windows\System32\rfNnNfX.exe
  2⤵
  PID:12568
- C:\Windows\System32\BSWyUDD.exe
  C:\Windows\System32\BSWyUDD.exe
  2⤵
  PID:12624
- C:\Windows\System32\jMzxsAt.exe
  C:\Windows\System32\jMzxsAt.exe
  2⤵
  PID:12668

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BlHDDuQ.exe

Filesize
1.1MB

MD5
33683d9c39124f5be08e1977afbf767d

SHA1
a09ce5e54aec65244d55d1bb418fbadc3f4e69c7

SHA256
ae4dd5ec1ecbb2fba7ad7fc1eae85d0f5c492f56241330accfbbcdb46e85571a

SHA512
566cba103a52f76f7600ed4d45110c89b34596166618a66a570711d79fcc58c5b45c9cf401191205c52d92b99893467c70084dccd1a7b0929da28749a7cbba49

Download Submit
C:\Windows\System32\CWRRSrn.exe

Filesize
1.1MB

MD5
4df0762fd9de41194b34f45394e56a3d

SHA1
bd9c1bba6c3bace6db8b3b2841dbf843a13f0f9b

SHA256
85468582f315d07b429fff6503aa876efdb54f2609647cae58cbc1bc6f56b648

SHA512
2fbdbb9868e704ced49cd0b9ef53284af858372f4cee559a65cb3bfaf261241ad94817e6681d8be8054421062ae0797845d2a36959497e0e8d03ca05b3a112f2

Download Submit
C:\Windows\System32\CbfHNxx.exe

Filesize
1.1MB

MD5
2c14a14dba5703a8f6c6603f418df207

SHA1
2b9cbee1ed1860935faafd53ad7022a88dd4f0c3

SHA256
eb3fb4dc110830a5e3a862097419962c2316983012e17cab96da1fa5796522c6

SHA512
c3c501d09a43a0ffd698e22d54e0f7ff9bdc4a85fdbd9aaff211b4e496e48a5fba6e9d2830b72064ee7b1adaa4af6b16f46b51e481e25dbcf5abea0145188541

Download Submit
C:\Windows\System32\CtZspkq.exe

Filesize
1.1MB

MD5
1e51e1c3bc40ec7b5e4d5250992b63a6

SHA1
a2d8bb10aea5e0df501ffdae48453de5e37d5776

SHA256
76ad285beb03ed300aac10028d9e48b334aaeed183014b4553a8e980744a61da

SHA512
14301dba1d25511779bff00366f093c9a332dfebb8c997f08337306cadb9cfa91661d97fd4b7485b0df4c8c1e2f5b8529103527312b6001a69cc51214a41575b

Download Submit
C:\Windows\System32\DmOvJRL.exe

Filesize
1.1MB

MD5
15ae53b4ebfd6982f0159eb06f199366

SHA1
0001392673eb7c10bd723e6ed5f0384fe79e11e4

SHA256
281379066e834953920be6a048201c8419eaf0c8a9c670a636f43ded64956cab

SHA512
6371baf66f0d5ac521baffa3cefd30a81c435c0a9a5cee3ce7eebaaaaa7eb0bfe1d5a9dc055ce35a65023b736bdc60bb2d26e592000aeb249d2d01f8e6bb139d

Download Submit
C:\Windows\System32\DtKqUOH.exe

Filesize
1.1MB

MD5
6f70dbff62c5c4fd41b459b760ba278f

SHA1
d8ad4d81049f864013be4913bfcb03a8f5dc3a2e

SHA256
deeeca6dc5b3783e6f3485419b2d5095e8ed64c291435887251825a227cf3ec3

SHA512
ad967d4ac5cc17b211972db158ae59159c9d5d08f3c382ed43ebc5f9c1e8234fed8eb4b3705aee8f0026f47b72295292653406a9c5d1f040e446fc845bc9b75d

Download Submit
C:\Windows\System32\EJzdcVl.exe

Filesize
1.1MB

MD5
6db67c240ed879f45f86e1af957197ae

SHA1
ce3cd831edcd0f336b53be0459879bb7f3dd323b

SHA256
183d245fb1bb0a566750463aeb1b77513091d3d73de35a933d4ef2d25fdd8788

SHA512
93fa6aa6056f04dec0d844348f59cd8e9b1707c8e3e9d38315bb677d813a248c82dbe7088c1d92b27d5fe6faf84e6af4be17afdbe5a5fa3e7164db2dc1f35584

Download Submit
C:\Windows\System32\ErADMZS.exe

Filesize
1.1MB

MD5
dcf13693d5302158df734b2b97acbdff

SHA1
4df817b3aea3f573645e46e474a955ea600f3e80

SHA256
42553674e7ff901845f45c76c640164b772a612b7c6424e37dae012c3e5efda3

SHA512
53762733cca31960904f67d61127770e61fcfe3298793681e152b43e7eebaff6b847417e5023e1cf38239a247c6238a85e8f5e1da53c67f6b917f68f92011f72

Download Submit
C:\Windows\System32\NFNKJFz.exe

Filesize
1.1MB

MD5
d0bd15e1f3490b5064ee8876c8fca755

SHA1
73c25e6ebdcb9155050042a60be5df600ba361bd

SHA256
8d6b44e9bcfc8de92dfcb1cae9f3d3f9c60cda8f867b588f0db158e47a1ec78a

SHA512
4639752f7b64e2d9ac8543f72853bf7b10937a3365ff2e863dcf4f35a413b393e6955315c6a59fd8f9def7dba9f270208f6149dee96134814b8ec173ac136e9c

Download Submit
C:\Windows\System32\OAipwSl.exe

Filesize
1.1MB

MD5
3f4f930945fb2b82810b47a518a51b12

SHA1
cabc8a8bef2482efde98e8b26ef217e9b9ac9502

SHA256
507cd67bff5ee7a3eb3c9869d73962899c8692ca4aecd85f3e29f996e414bcc5

SHA512
5ea4d0a95324eb45f1dc14fbac404175331701a152ca1f84b3433819c01e7bb9db8be30a999ce528be44b24c6d09cf1bf0708f0d0b410692bfd1c37f05e1e1f4

Download Submit
C:\Windows\System32\PjYlBXY.exe

Filesize
1.1MB

MD5
5b7d23c6c0b0639a3dcf91f23306f889

SHA1
88bb36cf4dbafb99f70dfb51f93acfd7dfb3f180

SHA256
180161b93612008e8e9f1a8a2bcf9a6e04105948ffda55bacf2b8c8fcb820b6d

SHA512
66cd74caa16e7054bd95b177aebc90b2557e33283e793ab0d249be17ed27637bad154d76528f21b23c30a44c3a4558a592f54d74e8ed04206674d720e8028b2a

Download Submit
C:\Windows\System32\QwwkZje.exe

Filesize
1.1MB

MD5
0d82fa20ea009e69065d319a3df651c7

SHA1
fce1f8bab2aa0af57a89342f1c958d3189792e57

SHA256
ae27b0d1dce4b668bac03da8e6b527c880b4d4b376bfaa0f6ed5f36367698442

SHA512
6b192e7b43292ce0a26cc4c8bf35a3d618b38db2a3cf4736f4099c3a3bade97d5b03100ab35350f8a71603d9cf8f9dfda9eba839e1c5deadbeb747aa95c0813c

Download Submit
C:\Windows\System32\SWkrKNa.exe

Filesize
1.1MB

MD5
b3644dab3f106c348e98287dc78446a6

SHA1
2c94ff11a0b132bfbd963e3014dd4aa8e327a741

SHA256
4de8ad0e2a7b8862edd5787f9d85696140c4f511113da5ef5ebc949f58241af7

SHA512
1aac46281b93594f1b26d4945a74b800537a4ab244f3cf39591af8f6413c7b11d1c7d34aef470251cd2accf8a6b430898698f6678e1f4d2e1ea38339b7d745a9

Download Submit
C:\Windows\System32\TBRMVTg.exe

Filesize
1.1MB

MD5
0d45d448eac3dc74f23a442fe717274d

SHA1
bfe991dd825b9b3672e18b765388a5c0de3b03db

SHA256
6b021a800b00d0c9a87c254d6fad58e9615cc0b4bd79ef25fa4653a27ea62102

SHA512
bb6447f9f7cf5273b50f7f02b0c811e3e24421454a129e5b1cbb65286e8e73f5edd4624b4d3ab92fc8c79f82a8f55c5fc7c38f2b29fff09bf211e65cb62f2380

Download Submit
C:\Windows\System32\YydsIjw.exe

Filesize
1.1MB

MD5
e064bfec25fb161c9157d372068ac633

SHA1
e785a5a569ea3a3889eefe31f1e44bd7e504aca8

SHA256
78ae654ab144eb0e17d47b40d9e5bb9303938686c0e88d19dccf101516a05987

SHA512
2b9238e0f300c4622b15c2f07e4263f7d99012d2288de6adc75d34055af3c65d33656edcc9e21fa39b12a18920c0c6b81407ebe3db16b6d14a06d9b655efd4ec

Download Submit
C:\Windows\System32\btuTxVX.exe

Filesize
1.1MB

MD5
bf5676693839a0dbbdebe89e13f3179e

SHA1
ab212aef13f515830b330da629b1044b828ce90c

SHA256
c3211537cc63ecdb6b6bce7b0fe676192290950de1655533a7862d326059f435

SHA512
c8c333912aeae419fb4333fd40786ae4c45ec131c3bfb9e4e9965e7d6cdcff6105757039a024537cc9a391ca282f3a920dcf807138ccaef2a620a59140d2fc25

Download Submit
C:\Windows\System32\byWXZiE.exe

Filesize
1.1MB

MD5
2c05a95de92c1e67d73b640dccfd02d6

SHA1
0d8e49b480a24e7ba5a96d7f3c1437b06d2c8096

SHA256
3f7ab000e1120a0d3c8892247ffe3b2c733b7f864905718885a7091bd7a882f4

SHA512
66ca31c4a4a92ade64109f80581d486176fd28c39e650a67b605603c681225bdc0dde10a24a2a9e929dc3b4cf518b9c5f1eb3026e54c8400790695f42eb215e5

Download Submit
C:\Windows\System32\ccsWEsq.exe

Filesize
1.1MB

MD5
c31b500fc66f3ead7679c460ff1afab9

SHA1
5983a8d5bb2be8c7ab4aeecab541b6bd40f45407

SHA256
147d7afdf7e39d5c0e092ca4cf10b58c6efd4fed0b75738262e805d183de03ef

SHA512
accf3c6eb679231175f2cb544fe15532c97718ae48ee403039ef36083a368fbf5fdac5c287bcc05175a93b855820cbabc2c3516932a449ac6282cab2e95000ee

Download Submit
C:\Windows\System32\dtkCkjq.exe

Filesize
1.1MB

MD5
3889819580ccbe59080ded3dde98a9de

SHA1
47afc099491be8ccfd37f7f5d8b9876142909987

SHA256
68ce9aa9e0b747b8eed2a22a4c90bbcb7fcfb209406d14b59920594a809c4ddd

SHA512
b62583f562f6a09fb2e00103c852cad573f7677302e1a0b123a05eb228608f32ca6562e95df86e0a888aebb8b2dc5dfea624bde875ec2b193f95ba8eda3116ea

Download Submit
C:\Windows\System32\eHZCcyp.exe

Filesize
1.1MB

MD5
d54837c89eeee02d9d401503e9a9bd63

SHA1
b38987a4ee661b42867e68d7c3c3ca6201be4ae6

SHA256
fcf9feedfc9acdcfef9fcfa97abdec0848692d00549a5a5f2a281d260ee9251e

SHA512
1d96855b4d185a4981c332ed457d8ab0eeb74b1d4c4d384c95dc821fccb081a46ea6b47b8970b4c9c3b022232cac8d508db50d6593132c1de22ecf1448a1ca7a

Download Submit
C:\Windows\System32\elpQqIc.exe

Filesize
1.1MB

MD5
853a444db3957a350fd92ef2d270e4f7

SHA1
57b4efaa8fd88e9967a0ce694eb1eb81d28c24ac

SHA256
785f5803c21f4057a302abf660523ebdc655bf040065f9754663789fc01e8138

SHA512
6b5f3fd8e442c5c923d230579db496072c22edac1b8abb015513ec799dce5ceafad7b54ff4a156b317512a7408620f0432a054ba3edf90464c20ee52720889e7

Download Submit
C:\Windows\System32\evocDSI.exe

Filesize
1.1MB

MD5
5a12c819f2e17d122fa1534a9d33193c

SHA1
9c0b5794787688d9f0e1ee97a3944b5b58b38060

SHA256
a40fd9c34a7bb7b6c46e0bb938b5ce18bd79e1f0feb51badadbfd4b845ebbb9b

SHA512
02e367d4bc3d9911756f02a560bc982133172d4cb2922b444c6da8745ac86e0baa5fafa74f2133f3143e846c2ca0719b93854861523c2c98e63778b30b48ce7e

Download Submit
C:\Windows\System32\fmDnxVz.exe

Filesize
1.1MB

MD5
174bf2564a0863d6846567c2d0113b40

SHA1
4e9d7e8034bb5f68fe0eaf532170493f6c5b5118

SHA256
e67489814777d0b2ddae8a4ab782856215c356066876c26839c4bb71eab606be

SHA512
352449374fc57361daaf5ab45c37838c9779755c4aaa096c1b345e53e1c26397590549e63a637a9edd85943f7972997d7aabb98e0bde584805cf9853ee696e93

Download Submit
C:\Windows\System32\fqBiFhx.exe

Filesize
1.1MB

MD5
eea04bc9ae6570ea2a4d7157e2743f70

SHA1
f466cd2b85b75112f7e4eacf0992f1662d2204de

SHA256
b36bd9bb9fcadf01546d6063309d5dc992db9e3abc79e8758f123852aa702258

SHA512
ba1b5439d6b8c9084a40f59914c6c98765899f1572b7c1d6ba9fa81de6645899380d538a4c91b378f4d21c63ed79643f5d45dcb72159412874b66603306bfdd6

Download Submit
C:\Windows\System32\gezyGQU.exe

Filesize
1.1MB

MD5
091815917afd71329fd8a1b4a2e328ac

SHA1
a0cbe3964bce0f9c73888f220fc9d10d1e8cd557

SHA256
b149421f243e0e775f920598af83d19bc3e16dd285bbfbd76052d425ba521a85

SHA512
ce2a20a7c90b2725de6abb3a9230e897d103bb8417320e4be84bdedeb393ee2e2c78e65a7603b7ab53e648d7cd697f2ea737a6d83f9cb1670e2b5f8082a1e051

Download Submit
C:\Windows\System32\jIXdfUh.exe

Filesize
1.1MB

MD5
7ebaaca3ec4b34c78ad7bb49fdb59c49

SHA1
78822631a0423dc8855d1fe2c20c88d9be90181a

SHA256
8f6aa662ab7e2785caeddc62e477de36b98d0f38f7567f8fc904824fe5b019f9

SHA512
ef3938e7730e42bf44463559c882a0ceced8b50b5d72af45e526a2ccfb86d7e1e388727e0ab0b1489a3bda6628fc24b8d4865eec194afd01afe1c6c45cd7cfed

Download Submit
C:\Windows\System32\jeYYQqg.exe

Filesize
1.1MB

MD5
f5bd85a0fc78246d4b2adf06f51504fb

SHA1
03f7b2f27ab80e0b498c8d3b44694a8c2bd92cec

SHA256
ea74278bac310d57c1f663049fa1cab40a4492d41bf7565c92ea163f49708672

SHA512
c9b18ba9806c557a32a41847ce6a8096a092b55421f48d01cbe458977a6fe9850724670b07a505930498890c6ea002974b9c5317b727f9665fcf63ee3ec0f747

Download Submit
C:\Windows\System32\oVBTjgK.exe

Filesize
1.1MB

MD5
d54fa3e285d7ed315dce9f0bd40fa91b

SHA1
a29fd600016bdbaef679e54acd731a15da6a1284

SHA256
e29b2c37874625a6dadcc86445383a47fe4cff564cc533e63bb16d2295486da6

SHA512
ccfec5ac4b2420f19d3aef1bb045e0a3e54b168fa4e4dd95ed09f4ec393c07a288cbd20fced11f226b6030f520ed446827e5d713b868615b25ce7c7e684d52cc

Download Submit
C:\Windows\System32\uIKFTIL.exe

Filesize
1.1MB

MD5
685c04d4be5d1d27363dace8b1c0a669

SHA1
daf7c458f9a96a38ef29226800fa80f58d27b097

SHA256
89880ff03cc99711d421df63fb43893d7a344d072e9348e0075b45f5262e0e12

SHA512
ef159703193655d50b565ccfd0975a7ad8097c7ca3b5008087d170132386eff3864dda91a8fab28889c43470d421d1a2960fdacc0b964e5b893777bab2e7ca19

Download Submit
C:\Windows\System32\vIXAhns.exe

Filesize
1.1MB

MD5
d8c52796f9ede8eaa85b1b5e58bbb399

SHA1
83610b29745cac9c26c13e43c3d6402c06c574c1

SHA256
4066d1d4226da1556503c14a01025ca5e68fabfa193fdc1f5141025c3c503f29

SHA512
d5c84279b20fb7a8bc25e88bf9dfa1545fb5ab14e49fbb77951d5c8aa975637d3438f98a7c7d4154cf02309b2efea7a5ecf33365b03c90493f7ed9cd036c685d

Download Submit
C:\Windows\System32\wKwjJLb.exe

Filesize
1.1MB

MD5
c22130a6f6c178c961c4ef31e2c0d89c

SHA1
b42a51a213da0cb9ba46e3b757112aab81df2c79

SHA256
90c17972dc0852166eede3a0b70511e4c4c6a5e03eb9fd487a3d6f5846f29917

SHA512
8651701f6c02953bfa6ff287681beb40f924ded16b25ec02866f6b435accf5f3b8b1201adf9ee0ee03d5ce6700fe0cbd74cc3d4c3c991abe48754323755852e8

Download Submit
C:\Windows\System32\yojZBdk.exe

Filesize
1.1MB

MD5
9ab0a99bff2fe2eb378cceb599e081a2

SHA1
9e6b0343ded6d43230679428470f3ac92b580be8

SHA256
874f5283e5e46d149f75849f9a6f1a9036f0d3ea6ceb4459f7f94e42f7f6909e

SHA512
0a33ffd9ca1fdf4829ad83654049ff1fb667948487bf157b9443639759a53f7335bcf2e5dc2e3219fbe927aa4e20b24ffaad2e695bf714c1a5963e9876c8c32e

Download Submit
memory/1008-2007-0x00007FF7AB740000-0x00007FF7ABB31000-memory.dmp

Filesize
3.9MB

Download
memory/1008-407-0x00007FF7AB740000-0x00007FF7ABB31000-memory.dmp

Filesize
3.9MB

Download
memory/1296-414-0x00007FF77AB60000-0x00007FF77AF51000-memory.dmp

Filesize
3.9MB

Download
memory/1296-2011-0x00007FF77AB60000-0x00007FF77AF51000-memory.dmp

Filesize
3.9MB

Download
memory/1332-1-0x000002805AAF0000-0x000002805AB00000-memory.dmp

Filesize
64KB

Download
memory/1332-0-0x00007FF61B3E0000-0x00007FF61B7D1000-memory.dmp

Filesize
3.9MB

Download
memory/2144-2003-0x00007FF6A4340000-0x00007FF6A4731000-memory.dmp

Filesize
3.9MB

Download
memory/2144-400-0x00007FF6A4340000-0x00007FF6A4731000-memory.dmp

Filesize
3.9MB

Download
memory/2436-430-0x00007FF708740000-0x00007FF708B31000-memory.dmp

Filesize
3.9MB

Download
memory/2436-2027-0x00007FF708740000-0x00007FF708B31000-memory.dmp

Filesize
3.9MB

Download
memory/2604-2019-0x00007FF64DAD0000-0x00007FF64DEC1000-memory.dmp

Filesize
3.9MB

Download
memory/2604-425-0x00007FF64DAD0000-0x00007FF64DEC1000-memory.dmp

Filesize
3.9MB

Download
memory/2764-392-0x00007FF6A5850000-0x00007FF6A5C41000-memory.dmp

Filesize
3.9MB

Download
memory/2764-2001-0x00007FF6A5850000-0x00007FF6A5C41000-memory.dmp

Filesize
3.9MB

Download
memory/2964-1987-0x00007FF711FD0000-0x00007FF7123C1000-memory.dmp

Filesize
3.9MB

Download
memory/2964-11-0x00007FF711FD0000-0x00007FF7123C1000-memory.dmp

Filesize
3.9MB

Download
memory/3176-1995-0x00007FF764F20000-0x00007FF765311000-memory.dmp

Filesize
3.9MB

Download
memory/3176-370-0x00007FF764F20000-0x00007FF765311000-memory.dmp

Filesize
3.9MB

Download
memory/3340-403-0x00007FF66C010000-0x00007FF66C401000-memory.dmp

Filesize
3.9MB

Download
memory/3340-2005-0x00007FF66C010000-0x00007FF66C401000-memory.dmp

Filesize
3.9MB

Download
memory/3388-2074-0x00007FF6084E0000-0x00007FF6088D1000-memory.dmp

Filesize
3.9MB

Download
memory/3388-442-0x00007FF6084E0000-0x00007FF6088D1000-memory.dmp

Filesize
3.9MB

Download
memory/3684-422-0x00007FF63F7A0000-0x00007FF63FB91000-memory.dmp

Filesize
3.9MB

Download
memory/3684-2017-0x00007FF63F7A0000-0x00007FF63FB91000-memory.dmp

Filesize
3.9MB

Download
memory/3924-410-0x00007FF6E32D0000-0x00007FF6E36C1000-memory.dmp

Filesize
3.9MB

Download
memory/3924-2009-0x00007FF6E32D0000-0x00007FF6E36C1000-memory.dmp

Filesize
3.9MB

Download
memory/3928-19-0x00007FF6C8EF0000-0x00007FF6C92E1000-memory.dmp

Filesize
3.9MB

Download
memory/3928-1981-0x00007FF6C8EF0000-0x00007FF6C92E1000-memory.dmp

Filesize
3.9MB

Download
memory/3928-2107-0x00007FF6C8EF0000-0x00007FF6C92E1000-memory.dmp

Filesize
3.9MB

Download
memory/4224-2068-0x00007FF7C6880000-0x00007FF7C6C71000-memory.dmp

Filesize
3.9MB

Download
memory/4224-446-0x00007FF7C6880000-0x00007FF7C6C71000-memory.dmp

Filesize
3.9MB

Download
memory/4236-435-0x00007FF6D5C70000-0x00007FF6D6061000-memory.dmp

Filesize
3.9MB

Download
memory/4236-2070-0x00007FF6D5C70000-0x00007FF6D6061000-memory.dmp

Filesize
3.9MB

Download
memory/4312-1989-0x00007FF754360000-0x00007FF754751000-memory.dmp

Filesize
3.9MB

Download
memory/4312-18-0x00007FF754360000-0x00007FF754751000-memory.dmp

Filesize
3.9MB

Download
memory/4312-1948-0x00007FF754360000-0x00007FF754751000-memory.dmp

Filesize
3.9MB

Download
memory/4424-432-0x00007FF7769F0000-0x00007FF776DE1000-memory.dmp

Filesize
3.9MB

Download
memory/4424-2023-0x00007FF7769F0000-0x00007FF776DE1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-365-0x00007FF72EDF0000-0x00007FF72F1E1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-1999-0x00007FF72EDF0000-0x00007FF72F1E1000-memory.dmp

Filesize
3.9MB

Download
memory/4508-1993-0x00007FF69BFD0000-0x00007FF69C3C1000-memory.dmp

Filesize
3.9MB

Download
memory/4508-386-0x00007FF69BFD0000-0x00007FF69C3C1000-memory.dmp

Filesize
3.9MB

Download
memory/4560-378-0x00007FF7C61D0000-0x00007FF7C65C1000-memory.dmp

Filesize
3.9MB

Download
memory/4560-1997-0x00007FF7C61D0000-0x00007FF7C65C1000-memory.dmp

Filesize
3.9MB

Download
memory/4584-372-0x00007FF708BF0000-0x00007FF708FE1000-memory.dmp

Filesize
3.9MB

Download
memory/4584-1991-0x00007FF708BF0000-0x00007FF708FE1000-memory.dmp

Filesize
3.9MB

Download
memory/4684-419-0x00007FF6540E0000-0x00007FF6544D1000-memory.dmp

Filesize
3.9MB

Download
memory/4684-2015-0x00007FF6540E0000-0x00007FF6544D1000-memory.dmp

Filesize
3.9MB

Download
memory/4936-429-0x00007FF70F3C0000-0x00007FF70F7B1000-memory.dmp

Filesize
3.9MB

Download
memory/4936-2029-0x00007FF70F3C0000-0x00007FF70F7B1000-memory.dmp

Filesize
3.9MB

Download
memory/5116-2013-0x00007FF71E4B0000-0x00007FF71E8A1000-memory.dmp

Filesize
3.9MB

Download
memory/5116-416-0x00007FF71E4B0000-0x00007FF71E8A1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads