xmrig | f947e6a4b09a719d0d34d3526da3f2e713d20f4577f9c222c71e554ca9850f3c

Analysis

max time kernel
98s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
Size

1.0MB
MD5

0442926c35838854da6140c2fa0ef035
SHA1

06af4e226218adabd57bc555bf77e77b2c496e9e
SHA256

f947e6a4b09a719d0d34d3526da3f2e713d20f4577f9c222c71e554ca9850f3c
SHA512

9f80b1bee0cd8911a3eba54411690fbeaa684f1a93be7ff843e986d377a233e3e30820775e78fc29c247e02fdc4f64d14d8b375e1ae000a91cde3b47c91fee3d
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmC3f/DFNkTwHlZ+:knw9oUUEEDl37jcmWH/hO

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2172-370-0x00007FF7F88A0000-0x00007FF7F8C91000-memory.dmp	xmrig
behavioral2/memory/2232-373-0x00007FF75EB10000-0x00007FF75EF01000-memory.dmp	xmrig
behavioral2/memory/2108-377-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp	xmrig
behavioral2/memory/3592-384-0x00007FF609310000-0x00007FF609701000-memory.dmp	xmrig
behavioral2/memory/5100-392-0x00007FF75F420000-0x00007FF75F811000-memory.dmp	xmrig
behavioral2/memory/756-403-0x00007FF739640000-0x00007FF739A31000-memory.dmp	xmrig
behavioral2/memory/4100-407-0x00007FF7A9E90000-0x00007FF7AA281000-memory.dmp	xmrig
behavioral2/memory/3056-411-0x00007FF702A00000-0x00007FF702DF1000-memory.dmp	xmrig
behavioral2/memory/3880-419-0x00007FF7AB610000-0x00007FF7ABA01000-memory.dmp	xmrig
behavioral2/memory/960-418-0x00007FF6753E0000-0x00007FF6757D1000-memory.dmp	xmrig
behavioral2/memory/2632-402-0x00007FF64C850000-0x00007FF64CC41000-memory.dmp	xmrig
behavioral2/memory/2508-395-0x00007FF6505C0000-0x00007FF6509B1000-memory.dmp	xmrig
behavioral2/memory/244-427-0x00007FF6E9BA0000-0x00007FF6E9F91000-memory.dmp	xmrig
behavioral2/memory/4432-434-0x00007FF6B7550000-0x00007FF6B7941000-memory.dmp	xmrig
behavioral2/memory/2896-439-0x00007FF7AB3C0000-0x00007FF7AB7B1000-memory.dmp	xmrig
behavioral2/memory/4524-438-0x00007FF709200000-0x00007FF7095F1000-memory.dmp	xmrig
behavioral2/memory/2912-431-0x00007FF6D06D0000-0x00007FF6D0AC1000-memory.dmp	xmrig
behavioral2/memory/3144-424-0x00007FF6FC150000-0x00007FF6FC541000-memory.dmp	xmrig
behavioral2/memory/468-421-0x00007FF70F480000-0x00007FF70F871000-memory.dmp	xmrig
behavioral2/memory/3504-448-0x00007FF716B50000-0x00007FF716F41000-memory.dmp	xmrig
behavioral2/memory/4852-2007-0x00007FF6AADA0000-0x00007FF6AB191000-memory.dmp	xmrig
behavioral2/memory/3456-2008-0x00007FF601950000-0x00007FF601D41000-memory.dmp	xmrig
behavioral2/memory/5040-2010-0x00007FF6A2D40000-0x00007FF6A3131000-memory.dmp	xmrig
behavioral2/memory/4304-2017-0x00007FF7CB590000-0x00007FF7CB981000-memory.dmp	xmrig
behavioral2/memory/4432-2019-0x00007FF6B7550000-0x00007FF6B7941000-memory.dmp	xmrig
behavioral2/memory/5040-2021-0x00007FF6A2D40000-0x00007FF6A3131000-memory.dmp	xmrig
behavioral2/memory/4852-2029-0x00007FF6AADA0000-0x00007FF6AB191000-memory.dmp	xmrig
behavioral2/memory/2232-2035-0x00007FF75EB10000-0x00007FF75EF01000-memory.dmp	xmrig
behavioral2/memory/2108-2037-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp	xmrig
behavioral2/memory/2172-2033-0x00007FF7F88A0000-0x00007FF7F8C91000-memory.dmp	xmrig
behavioral2/memory/3504-2031-0x00007FF716B50000-0x00007FF716F41000-memory.dmp	xmrig
behavioral2/memory/2896-2027-0x00007FF7AB3C0000-0x00007FF7AB7B1000-memory.dmp	xmrig
behavioral2/memory/3456-2025-0x00007FF601950000-0x00007FF601D41000-memory.dmp	xmrig
behavioral2/memory/4524-2023-0x00007FF709200000-0x00007FF7095F1000-memory.dmp	xmrig
behavioral2/memory/3592-2039-0x00007FF609310000-0x00007FF609701000-memory.dmp	xmrig
behavioral2/memory/468-2072-0x00007FF70F480000-0x00007FF70F871000-memory.dmp	xmrig
behavioral2/memory/3880-2080-0x00007FF7AB610000-0x00007FF7ABA01000-memory.dmp	xmrig
behavioral2/memory/3144-2068-0x00007FF6FC150000-0x00007FF6FC541000-memory.dmp	xmrig
behavioral2/memory/244-2066-0x00007FF6E9BA0000-0x00007FF6E9F91000-memory.dmp	xmrig
behavioral2/memory/3056-2059-0x00007FF702A00000-0x00007FF702DF1000-memory.dmp	xmrig
behavioral2/memory/2912-2070-0x00007FF6D06D0000-0x00007FF6D0AC1000-memory.dmp	xmrig
behavioral2/memory/4100-2050-0x00007FF7A9E90000-0x00007FF7AA281000-memory.dmp	xmrig
behavioral2/memory/2508-2046-0x00007FF6505C0000-0x00007FF6509B1000-memory.dmp	xmrig
behavioral2/memory/960-2057-0x00007FF6753E0000-0x00007FF6757D1000-memory.dmp	xmrig
behavioral2/memory/756-2048-0x00007FF739640000-0x00007FF739A31000-memory.dmp	xmrig
behavioral2/memory/2632-2044-0x00007FF64C850000-0x00007FF64CC41000-memory.dmp	xmrig
behavioral2/memory/5100-2041-0x00007FF75F420000-0x00007FF75F811000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4304	gIeTUBI.exe
4432	QUViGGy.exe
4852	pDJBWOt.exe
4524	YfylMQU.exe
3456	QxSraIz.exe
2896	hVtMKwm.exe
5040	sUldozY.exe
3504	ocZuLXk.exe
2172	wXHHuXW.exe
2232	TrDgjiu.exe
2108	mQnmgOh.exe
3592	GZvRucq.exe
5100	olUziko.exe
2508	XvgweBM.exe
2632	cVNCSsd.exe
756	bmvJNfk.exe
4100	VdwUAqV.exe
3056	tDaIbrd.exe
960	gYJjUVq.exe
3880	PHcyYXc.exe
468	zUldKuL.exe
3144	HVriDjd.exe
244	WiIgSIf.exe
2912	nlUtQEt.exe
2680	GGGFToj.exe
3036	MjUvdKW.exe
3068	ZpFVArq.exe
4372	jCqzNwy.exe
2132	PMdlQqF.exe
3088	erpbCOF.exe
3364	mpXELFR.exe
4980	dZSzkyb.exe
2168	YiPwDxm.exe
64	AYSqdpR.exe
2040	wUUJNUw.exe
2708	aGXFlaq.exe
3516	GsVTVCu.exe
2748	qcemZfS.exe
2948	jOJbvaN.exe
4684	lAcTiru.exe
2156	bZrxfbz.exe
4444	cVDzEkM.exe
3084	ikDpkvo.exe
2996	RnsGyuw.exe
868	NZFDPUW.exe
824	vfXMORg.exe
4408	oBXPYBg.exe
2352	hzPraKK.exe
4548	ZtwCIgS.exe
928	GWRFdck.exe
4020	VudKKuX.exe
1076	JQOLqfK.exe
2116	JGqheLv.exe
2452	xebcXQN.exe
4440	lsAymsc.exe
2944	ILtOJPu.exe
3864	GXZleue.exe
2868	wTdnSmI.exe
1352	kLVEQaa.exe
4360	gupixYW.exe
640	cFxBDNa.exe
4288	mAhzXnU.exe
4352	VnYexwn.exe
4820	YFphGdO.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4644-0-0x00007FF6E3280000-0x00007FF6E3671000-memory.dmp	upx
behavioral2/files/0x000b000000023b98-4.dat	upx
behavioral2/files/0x000a000000023b9d-7.dat	upx
behavioral2/files/0x000a000000023b9e-30.dat	upx
behavioral2/memory/3456-35-0x00007FF601950000-0x00007FF601D41000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-39.dat	upx
behavioral2/files/0x000a000000023ba2-43.dat	upx
behavioral2/files/0x000a000000023ba4-55.dat	upx
behavioral2/files/0x000a000000023ba6-63.dat	upx
behavioral2/files/0x000a000000023ba7-70.dat	upx
behavioral2/files/0x000a000000023ba9-80.dat	upx
behavioral2/files/0x000a000000023bae-103.dat	upx
behavioral2/files/0x000a000000023bb0-115.dat	upx
behavioral2/files/0x000a000000023bb3-128.dat	upx
behavioral2/files/0x0031000000023bb6-145.dat	upx
behavioral2/memory/2172-370-0x00007FF7F88A0000-0x00007FF7F8C91000-memory.dmp	upx
behavioral2/memory/2232-373-0x00007FF75EB10000-0x00007FF75EF01000-memory.dmp	upx
behavioral2/memory/2108-377-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp	upx
behavioral2/memory/3592-384-0x00007FF609310000-0x00007FF609701000-memory.dmp	upx
behavioral2/files/0x000a000000023bba-165.dat	upx
behavioral2/files/0x000a000000023bb9-160.dat	upx
behavioral2/files/0x000a000000023bb8-155.dat	upx
behavioral2/files/0x0031000000023bb7-150.dat	upx
behavioral2/files/0x0031000000023bb5-140.dat	upx
behavioral2/files/0x000a000000023bb4-135.dat	upx
behavioral2/files/0x000a000000023bb2-125.dat	upx
behavioral2/files/0x000a000000023bb1-120.dat	upx
behavioral2/files/0x000a000000023baf-110.dat	upx
behavioral2/files/0x000a000000023bad-100.dat	upx
behavioral2/files/0x000a000000023bac-95.dat	upx
behavioral2/files/0x000a000000023bab-90.dat	upx
behavioral2/files/0x000a000000023baa-85.dat	upx
behavioral2/files/0x000a000000023ba8-75.dat	upx
behavioral2/files/0x000a000000023ba5-60.dat	upx
behavioral2/files/0x000a000000023ba3-50.dat	upx
behavioral2/memory/5040-44-0x00007FF6A2D40000-0x00007FF6A3131000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-37.dat	upx
behavioral2/memory/5100-392-0x00007FF75F420000-0x00007FF75F811000-memory.dmp	upx
behavioral2/memory/756-403-0x00007FF739640000-0x00007FF739A31000-memory.dmp	upx
behavioral2/memory/4100-407-0x00007FF7A9E90000-0x00007FF7AA281000-memory.dmp	upx
behavioral2/memory/3056-411-0x00007FF702A00000-0x00007FF702DF1000-memory.dmp	upx
behavioral2/memory/3880-419-0x00007FF7AB610000-0x00007FF7ABA01000-memory.dmp	upx
behavioral2/memory/960-418-0x00007FF6753E0000-0x00007FF6757D1000-memory.dmp	upx
behavioral2/memory/2632-402-0x00007FF64C850000-0x00007FF64CC41000-memory.dmp	upx
behavioral2/memory/2508-395-0x00007FF6505C0000-0x00007FF6509B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-34.dat	upx
behavioral2/files/0x000a000000023b9c-25.dat	upx
behavioral2/memory/4852-27-0x00007FF6AADA0000-0x00007FF6AB191000-memory.dmp	upx
behavioral2/memory/4304-14-0x00007FF7CB590000-0x00007FF7CB981000-memory.dmp	upx
behavioral2/memory/244-427-0x00007FF6E9BA0000-0x00007FF6E9F91000-memory.dmp	upx
behavioral2/memory/4432-434-0x00007FF6B7550000-0x00007FF6B7941000-memory.dmp	upx
behavioral2/memory/2896-439-0x00007FF7AB3C0000-0x00007FF7AB7B1000-memory.dmp	upx
behavioral2/memory/4524-438-0x00007FF709200000-0x00007FF7095F1000-memory.dmp	upx
behavioral2/memory/2912-431-0x00007FF6D06D0000-0x00007FF6D0AC1000-memory.dmp	upx
behavioral2/memory/3144-424-0x00007FF6FC150000-0x00007FF6FC541000-memory.dmp	upx
behavioral2/memory/468-421-0x00007FF70F480000-0x00007FF70F871000-memory.dmp	upx
behavioral2/memory/3504-448-0x00007FF716B50000-0x00007FF716F41000-memory.dmp	upx
behavioral2/memory/4852-2007-0x00007FF6AADA0000-0x00007FF6AB191000-memory.dmp	upx
behavioral2/memory/3456-2008-0x00007FF601950000-0x00007FF601D41000-memory.dmp	upx
behavioral2/memory/5040-2010-0x00007FF6A2D40000-0x00007FF6A3131000-memory.dmp	upx
behavioral2/memory/4304-2017-0x00007FF7CB590000-0x00007FF7CB981000-memory.dmp	upx
behavioral2/memory/4432-2019-0x00007FF6B7550000-0x00007FF6B7941000-memory.dmp	upx
behavioral2/memory/5040-2021-0x00007FF6A2D40000-0x00007FF6A3131000-memory.dmp	upx
behavioral2/memory/4852-2029-0x00007FF6AADA0000-0x00007FF6AB191000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\WiIgSIf.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\YFphGdO.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\hbQKVWW.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\RwChAdK.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\NqVZLkG.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\SrcXTvp.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\GrMqWfQ.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\Urikhbn.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\EflMCJn.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\DYdvRkM.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\WmiiPfR.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\jDWeAPX.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\oyXzpRD.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\lcbcPIu.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\KiFsFth.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\hLIKcyk.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\JQOLqfK.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\HYRTnqN.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\GZvRucq.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\rbQCuZM.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\WHbItMx.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\jCqzNwy.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\MwFLPAq.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\rAiYmrv.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\RQuheWX.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\HJxXxZW.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\OxbxwdC.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\IatMOSl.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\UEZmwBW.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\vYSYIaz.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\pBOpRMW.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\kEgVEDt.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\vbddgTX.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\ogGtRmG.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\NBDNbQE.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\mIThhIq.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\UAWQMLm.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\zQxzhzu.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\GVGXWjD.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\MEHniiP.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\ZuiGpYG.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\qoacPnl.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\HITMMkV.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\zVhGjSP.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\sSQnqya.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\xyZpSxV.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\JKtQVpY.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\qUxXOnq.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\ApJVqft.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\SYTDAeg.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\KpNxrvN.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\CqzplVH.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\XakUbhT.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\zuJguzJ.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\xTTJpyM.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\ZZNqQrr.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\bPUaDAA.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\rfqwkWS.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\NmwAmzX.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\NvsFSBh.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\tzhzuto.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\iVqLEBG.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\FsWBPxX.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
File created	C:\Windows\System32\twroDUA.exe	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13248	dwm.exe
Token: SeChangeNotifyPrivilege	13248	dwm.exe
Token: 33	13248	dwm.exe
Token: SeIncBasePriorityPrivilege	13248	dwm.exe
Token: SeShutdownPrivilege	13248	dwm.exe
Token: SeCreatePagefilePrivilege	13248	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4304	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	85
PID 4644 wrote to memory of 4304	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	85
PID 4644 wrote to memory of 4852	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	86
PID 4644 wrote to memory of 4852	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	86
PID 4644 wrote to memory of 4432	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	87
PID 4644 wrote to memory of 4432	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	87
PID 4644 wrote to memory of 4524	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	88
PID 4644 wrote to memory of 4524	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	88
PID 4644 wrote to memory of 3456	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	89
PID 4644 wrote to memory of 3456	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	89
PID 4644 wrote to memory of 2896	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	90
PID 4644 wrote to memory of 2896	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	90
PID 4644 wrote to memory of 5040	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	91
PID 4644 wrote to memory of 5040	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	91
PID 4644 wrote to memory of 3504	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	92
PID 4644 wrote to memory of 3504	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	92
PID 4644 wrote to memory of 2172	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	93
PID 4644 wrote to memory of 2172	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	93
PID 4644 wrote to memory of 2232	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	94
PID 4644 wrote to memory of 2232	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	94
PID 4644 wrote to memory of 2108	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	95
PID 4644 wrote to memory of 2108	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	95
PID 4644 wrote to memory of 3592	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	96
PID 4644 wrote to memory of 3592	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	96
PID 4644 wrote to memory of 5100	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	97
PID 4644 wrote to memory of 5100	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	97
PID 4644 wrote to memory of 2508	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	98
PID 4644 wrote to memory of 2508	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	98
PID 4644 wrote to memory of 2632	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	99
PID 4644 wrote to memory of 2632	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	99
PID 4644 wrote to memory of 756	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	100
PID 4644 wrote to memory of 756	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	100
PID 4644 wrote to memory of 4100	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	101
PID 4644 wrote to memory of 4100	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	101
PID 4644 wrote to memory of 3056	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	102
PID 4644 wrote to memory of 3056	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	102
PID 4644 wrote to memory of 960	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	103
PID 4644 wrote to memory of 960	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	103
PID 4644 wrote to memory of 3880	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	104
PID 4644 wrote to memory of 3880	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	104
PID 4644 wrote to memory of 468	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	105
PID 4644 wrote to memory of 468	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	105
PID 4644 wrote to memory of 3144	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	106
PID 4644 wrote to memory of 3144	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	106
PID 4644 wrote to memory of 244	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	107
PID 4644 wrote to memory of 244	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	107
PID 4644 wrote to memory of 2912	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	108
PID 4644 wrote to memory of 2912	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	108
PID 4644 wrote to memory of 2680	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	109
PID 4644 wrote to memory of 2680	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	109
PID 4644 wrote to memory of 3036	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	110
PID 4644 wrote to memory of 3036	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	110
PID 4644 wrote to memory of 3068	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	111
PID 4644 wrote to memory of 3068	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	111
PID 4644 wrote to memory of 4372	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	112
PID 4644 wrote to memory of 4372	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	112
PID 4644 wrote to memory of 2132	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	113
PID 4644 wrote to memory of 2132	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	113
PID 4644 wrote to memory of 3088	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	114
PID 4644 wrote to memory of 3088	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	114
PID 4644 wrote to memory of 3364	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	115
PID 4644 wrote to memory of 3364	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	115
PID 4644 wrote to memory of 4980	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	116
PID 4644 wrote to memory of 4980	4644	0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0442926c35838854da6140c2fa0ef035_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\System32\gIeTUBI.exe
  C:\Windows\System32\gIeTUBI.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\pDJBWOt.exe
  C:\Windows\System32\pDJBWOt.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\QUViGGy.exe
  C:\Windows\System32\QUViGGy.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\YfylMQU.exe
  C:\Windows\System32\YfylMQU.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\QxSraIz.exe
  C:\Windows\System32\QxSraIz.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\hVtMKwm.exe
  C:\Windows\System32\hVtMKwm.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\sUldozY.exe
  C:\Windows\System32\sUldozY.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\ocZuLXk.exe
  C:\Windows\System32\ocZuLXk.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System32\wXHHuXW.exe
  C:\Windows\System32\wXHHuXW.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System32\TrDgjiu.exe
  C:\Windows\System32\TrDgjiu.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System32\mQnmgOh.exe
  C:\Windows\System32\mQnmgOh.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\GZvRucq.exe
  C:\Windows\System32\GZvRucq.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System32\olUziko.exe
  C:\Windows\System32\olUziko.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\XvgweBM.exe
  C:\Windows\System32\XvgweBM.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System32\cVNCSsd.exe
  C:\Windows\System32\cVNCSsd.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System32\bmvJNfk.exe
  C:\Windows\System32\bmvJNfk.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\VdwUAqV.exe
  C:\Windows\System32\VdwUAqV.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System32\tDaIbrd.exe
  C:\Windows\System32\tDaIbrd.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\gYJjUVq.exe
  C:\Windows\System32\gYJjUVq.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System32\PHcyYXc.exe
  C:\Windows\System32\PHcyYXc.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System32\zUldKuL.exe
  C:\Windows\System32\zUldKuL.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System32\HVriDjd.exe
  C:\Windows\System32\HVriDjd.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System32\WiIgSIf.exe
  C:\Windows\System32\WiIgSIf.exe
  2⤵
  - Executes dropped EXE
  PID:244
- C:\Windows\System32\nlUtQEt.exe
  C:\Windows\System32\nlUtQEt.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\GGGFToj.exe
  C:\Windows\System32\GGGFToj.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System32\MjUvdKW.exe
  C:\Windows\System32\MjUvdKW.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\ZpFVArq.exe
  C:\Windows\System32\ZpFVArq.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System32\jCqzNwy.exe
  C:\Windows\System32\jCqzNwy.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System32\PMdlQqF.exe
  C:\Windows\System32\PMdlQqF.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System32\erpbCOF.exe
  C:\Windows\System32\erpbCOF.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System32\mpXELFR.exe
  C:\Windows\System32\mpXELFR.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System32\dZSzkyb.exe
  C:\Windows\System32\dZSzkyb.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\YiPwDxm.exe
  C:\Windows\System32\YiPwDxm.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System32\AYSqdpR.exe
  C:\Windows\System32\AYSqdpR.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System32\wUUJNUw.exe
  C:\Windows\System32\wUUJNUw.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System32\aGXFlaq.exe
  C:\Windows\System32\aGXFlaq.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System32\GsVTVCu.exe
  C:\Windows\System32\GsVTVCu.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System32\qcemZfS.exe
  C:\Windows\System32\qcemZfS.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System32\jOJbvaN.exe
  C:\Windows\System32\jOJbvaN.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System32\lAcTiru.exe
  C:\Windows\System32\lAcTiru.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\bZrxfbz.exe
  C:\Windows\System32\bZrxfbz.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System32\cVDzEkM.exe
  C:\Windows\System32\cVDzEkM.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System32\ikDpkvo.exe
  C:\Windows\System32\ikDpkvo.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System32\RnsGyuw.exe
  C:\Windows\System32\RnsGyuw.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\NZFDPUW.exe
  C:\Windows\System32\NZFDPUW.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System32\vfXMORg.exe
  C:\Windows\System32\vfXMORg.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System32\oBXPYBg.exe
  C:\Windows\System32\oBXPYBg.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\hzPraKK.exe
  C:\Windows\System32\hzPraKK.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\ZtwCIgS.exe
  C:\Windows\System32\ZtwCIgS.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\GWRFdck.exe
  C:\Windows\System32\GWRFdck.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System32\VudKKuX.exe
  C:\Windows\System32\VudKKuX.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System32\JQOLqfK.exe
  C:\Windows\System32\JQOLqfK.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\JGqheLv.exe
  C:\Windows\System32\JGqheLv.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System32\xebcXQN.exe
  C:\Windows\System32\xebcXQN.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System32\lsAymsc.exe
  C:\Windows\System32\lsAymsc.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\ILtOJPu.exe
  C:\Windows\System32\ILtOJPu.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System32\GXZleue.exe
  C:\Windows\System32\GXZleue.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\wTdnSmI.exe
  C:\Windows\System32\wTdnSmI.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\kLVEQaa.exe
  C:\Windows\System32\kLVEQaa.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System32\gupixYW.exe
  C:\Windows\System32\gupixYW.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\cFxBDNa.exe
  C:\Windows\System32\cFxBDNa.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\mAhzXnU.exe
  C:\Windows\System32\mAhzXnU.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\VnYexwn.exe
  C:\Windows\System32\VnYexwn.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\YFphGdO.exe
  C:\Windows\System32\YFphGdO.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System32\glMspNO.exe
  C:\Windows\System32\glMspNO.exe
  2⤵
  PID:684
- C:\Windows\System32\bTdDaxD.exe
  C:\Windows\System32\bTdDaxD.exe
  2⤵
  PID:988
- C:\Windows\System32\yAaARoL.exe
  C:\Windows\System32\yAaARoL.exe
  2⤵
  PID:4588
- C:\Windows\System32\vwEHfkT.exe
  C:\Windows\System32\vwEHfkT.exe
  2⤵
  PID:4260
- C:\Windows\System32\WftdXPR.exe
  C:\Windows\System32\WftdXPR.exe
  2⤵
  PID:1476
- C:\Windows\System32\ALzOnnO.exe
  C:\Windows\System32\ALzOnnO.exe
  2⤵
  PID:3356
- C:\Windows\System32\JXYDzUV.exe
  C:\Windows\System32\JXYDzUV.exe
  2⤵
  PID:2668
- C:\Windows\System32\uTnhVak.exe
  C:\Windows\System32\uTnhVak.exe
  2⤵
  PID:4892
- C:\Windows\System32\eVRbLks.exe
  C:\Windows\System32\eVRbLks.exe
  2⤵
  PID:4312
- C:\Windows\System32\JhukHjX.exe
  C:\Windows\System32\JhukHjX.exe
  2⤵
  PID:4480
- C:\Windows\System32\XLInrHg.exe
  C:\Windows\System32\XLInrHg.exe
  2⤵
  PID:3404
- C:\Windows\System32\jckOMnI.exe
  C:\Windows\System32\jckOMnI.exe
  2⤵
  PID:3044
- C:\Windows\System32\MZVDelj.exe
  C:\Windows\System32\MZVDelj.exe
  2⤵
  PID:4648
- C:\Windows\System32\QFEMlLT.exe
  C:\Windows\System32\QFEMlLT.exe
  2⤵
  PID:4868
- C:\Windows\System32\CMKBDFc.exe
  C:\Windows\System32\CMKBDFc.exe
  2⤵
  PID:2420
- C:\Windows\System32\SSGlVHB.exe
  C:\Windows\System32\SSGlVHB.exe
  2⤵
  PID:892
- C:\Windows\System32\SjvNxbX.exe
  C:\Windows\System32\SjvNxbX.exe
  2⤵
  PID:2884
- C:\Windows\System32\bYdPpsW.exe
  C:\Windows\System32\bYdPpsW.exe
  2⤵
  PID:4196
- C:\Windows\System32\rPpjeTn.exe
  C:\Windows\System32\rPpjeTn.exe
  2⤵
  PID:5124
- C:\Windows\System32\Zblulic.exe
  C:\Windows\System32\Zblulic.exe
  2⤵
  PID:5160
- C:\Windows\System32\LSDPsmy.exe
  C:\Windows\System32\LSDPsmy.exe
  2⤵
  PID:5184
- C:\Windows\System32\YYSAvTF.exe
  C:\Windows\System32\YYSAvTF.exe
  2⤵
  PID:5208
- C:\Windows\System32\NbVHhMp.exe
  C:\Windows\System32\NbVHhMp.exe
  2⤵
  PID:5240
- C:\Windows\System32\oqWRgKs.exe
  C:\Windows\System32\oqWRgKs.exe
  2⤵
  PID:5264
- C:\Windows\System32\GSDWILe.exe
  C:\Windows\System32\GSDWILe.exe
  2⤵
  PID:5296
- C:\Windows\System32\SfEtQWa.exe
  C:\Windows\System32\SfEtQWa.exe
  2⤵
  PID:5320
- C:\Windows\System32\feqfCsp.exe
  C:\Windows\System32\feqfCsp.exe
  2⤵
  PID:5352
- C:\Windows\System32\aHhZYKR.exe
  C:\Windows\System32\aHhZYKR.exe
  2⤵
  PID:5376
- C:\Windows\System32\CZZmGqe.exe
  C:\Windows\System32\CZZmGqe.exe
  2⤵
  PID:5408
- C:\Windows\System32\ZwosuTV.exe
  C:\Windows\System32\ZwosuTV.exe
  2⤵
  PID:5432
- C:\Windows\System32\MUWjXPo.exe
  C:\Windows\System32\MUWjXPo.exe
  2⤵
  PID:5464
- C:\Windows\System32\blIGVox.exe
  C:\Windows\System32\blIGVox.exe
  2⤵
  PID:5492
- C:\Windows\System32\PjVLBtN.exe
  C:\Windows\System32\PjVLBtN.exe
  2⤵
  PID:5516
- C:\Windows\System32\DJDADue.exe
  C:\Windows\System32\DJDADue.exe
  2⤵
  PID:5548
- C:\Windows\System32\DITeClL.exe
  C:\Windows\System32\DITeClL.exe
  2⤵
  PID:5576
- C:\Windows\System32\JOBkRLC.exe
  C:\Windows\System32\JOBkRLC.exe
  2⤵
  PID:5600
- C:\Windows\System32\LBHDuRk.exe
  C:\Windows\System32\LBHDuRk.exe
  2⤵
  PID:5644
- C:\Windows\System32\KywKTyc.exe
  C:\Windows\System32\KywKTyc.exe
  2⤵
  PID:5688
- C:\Windows\System32\CrmBJWi.exe
  C:\Windows\System32\CrmBJWi.exe
  2⤵
  PID:5708
- C:\Windows\System32\MEzViVB.exe
  C:\Windows\System32\MEzViVB.exe
  2⤵
  PID:5752
- C:\Windows\System32\ilohmeY.exe
  C:\Windows\System32\ilohmeY.exe
  2⤵
  PID:5768
- C:\Windows\System32\lluMscx.exe
  C:\Windows\System32\lluMscx.exe
  2⤵
  PID:5796
- C:\Windows\System32\uNLnvAo.exe
  C:\Windows\System32\uNLnvAo.exe
  2⤵
  PID:5816
- C:\Windows\System32\wEExMAi.exe
  C:\Windows\System32\wEExMAi.exe
  2⤵
  PID:5860
- C:\Windows\System32\emwvBUE.exe
  C:\Windows\System32\emwvBUE.exe
  2⤵
  PID:5880
- C:\Windows\System32\KguAgvC.exe
  C:\Windows\System32\KguAgvC.exe
  2⤵
  PID:5896
- C:\Windows\System32\NQcQCbg.exe
  C:\Windows\System32\NQcQCbg.exe
  2⤵
  PID:5916
- C:\Windows\System32\DqNMvHT.exe
  C:\Windows\System32\DqNMvHT.exe
  2⤵
  PID:5940
- C:\Windows\System32\NvsFSBh.exe
  C:\Windows\System32\NvsFSBh.exe
  2⤵
  PID:5968
- C:\Windows\System32\coyQsLb.exe
  C:\Windows\System32\coyQsLb.exe
  2⤵
  PID:6044
- C:\Windows\System32\yuZiyXf.exe
  C:\Windows\System32\yuZiyXf.exe
  2⤵
  PID:6100
- C:\Windows\System32\HIfhUkY.exe
  C:\Windows\System32\HIfhUkY.exe
  2⤵
  PID:6120
- C:\Windows\System32\QTTlEXL.exe
  C:\Windows\System32\QTTlEXL.exe
  2⤵
  PID:4748
- C:\Windows\System32\OQKpchG.exe
  C:\Windows\System32\OQKpchG.exe
  2⤵
  PID:1912
- C:\Windows\System32\CzIRwSh.exe
  C:\Windows\System32\CzIRwSh.exe
  2⤵
  PID:2344
- C:\Windows\System32\jpBVbyf.exe
  C:\Windows\System32\jpBVbyf.exe
  2⤵
  PID:5148
- C:\Windows\System32\kRsuPAs.exe
  C:\Windows\System32\kRsuPAs.exe
  2⤵
  PID:5196
- C:\Windows\System32\xyZpSxV.exe
  C:\Windows\System32\xyZpSxV.exe
  2⤵
  PID:3716
- C:\Windows\System32\dCCbCju.exe
  C:\Windows\System32\dCCbCju.exe
  2⤵
  PID:4972
- C:\Windows\System32\NBDNbQE.exe
  C:\Windows\System32\NBDNbQE.exe
  2⤵
  PID:5276
- C:\Windows\System32\tXDBvSG.exe
  C:\Windows\System32\tXDBvSG.exe
  2⤵
  PID:5308
- C:\Windows\System32\XiWQaTr.exe
  C:\Windows\System32\XiWQaTr.exe
  2⤵
  PID:3992
- C:\Windows\System32\PqATLDj.exe
  C:\Windows\System32\PqATLDj.exe
  2⤵
  PID:4688
- C:\Windows\System32\YEGKcLE.exe
  C:\Windows\System32\YEGKcLE.exe
  2⤵
  PID:5392
- C:\Windows\System32\Pdracmr.exe
  C:\Windows\System32\Pdracmr.exe
  2⤵
  PID:5508
- C:\Windows\System32\mIThhIq.exe
  C:\Windows\System32\mIThhIq.exe
  2⤵
  PID:3432
- C:\Windows\System32\XJjkECV.exe
  C:\Windows\System32\XJjkECV.exe
  2⤵
  PID:1608
- C:\Windows\System32\itaNBOt.exe
  C:\Windows\System32\itaNBOt.exe
  2⤵
  PID:1564
- C:\Windows\System32\SyzOZHA.exe
  C:\Windows\System32\SyzOZHA.exe
  2⤵
  PID:5592
- C:\Windows\System32\ApJVqft.exe
  C:\Windows\System32\ApJVqft.exe
  2⤵
  PID:5656
- C:\Windows\System32\CeEOAzd.exe
  C:\Windows\System32\CeEOAzd.exe
  2⤵
  PID:5700
- C:\Windows\System32\CPoLbWC.exe
  C:\Windows\System32\CPoLbWC.exe
  2⤵
  PID:5764
- C:\Windows\System32\Azgolut.exe
  C:\Windows\System32\Azgolut.exe
  2⤵
  PID:5832
- C:\Windows\System32\gotSwjO.exe
  C:\Windows\System32\gotSwjO.exe
  2⤵
  PID:5876
- C:\Windows\System32\DTUOKhh.exe
  C:\Windows\System32\DTUOKhh.exe
  2⤵
  PID:6000
- C:\Windows\System32\ILCltId.exe
  C:\Windows\System32\ILCltId.exe
  2⤵
  PID:5676
- C:\Windows\System32\aKteeDL.exe
  C:\Windows\System32\aKteeDL.exe
  2⤵
  PID:6068
- C:\Windows\System32\FfOxfEt.exe
  C:\Windows\System32\FfOxfEt.exe
  2⤵
  PID:5868
- C:\Windows\System32\zuJguzJ.exe
  C:\Windows\System32\zuJguzJ.exe
  2⤵
  PID:4280
- C:\Windows\System32\kUQcKkb.exe
  C:\Windows\System32\kUQcKkb.exe
  2⤵
  PID:2556
- C:\Windows\System32\SYTDAeg.exe
  C:\Windows\System32\SYTDAeg.exe
  2⤵
  PID:6056
- C:\Windows\System32\engdCQj.exe
  C:\Windows\System32\engdCQj.exe
  2⤵
  PID:5172
- C:\Windows\System32\JrbPFFN.exe
  C:\Windows\System32\JrbPFFN.exe
  2⤵
  PID:5424
- C:\Windows\System32\TqXeDjI.exe
  C:\Windows\System32\TqXeDjI.exe
  2⤵
  PID:5532
- C:\Windows\System32\hmQAinG.exe
  C:\Windows\System32\hmQAinG.exe
  2⤵
  PID:5564
- C:\Windows\System32\tzhzuto.exe
  C:\Windows\System32\tzhzuto.exe
  2⤵
  PID:4900
- C:\Windows\System32\oIMDflF.exe
  C:\Windows\System32\oIMDflF.exe
  2⤵
  PID:5804
- C:\Windows\System32\EEXAoPv.exe
  C:\Windows\System32\EEXAoPv.exe
  2⤵
  PID:5960
- C:\Windows\System32\hGUoLcA.exe
  C:\Windows\System32\hGUoLcA.exe
  2⤵
  PID:6008
- C:\Windows\System32\ekvJfZQ.exe
  C:\Windows\System32\ekvJfZQ.exe
  2⤵
  PID:5200
- C:\Windows\System32\HITMMkV.exe
  C:\Windows\System32\HITMMkV.exe
  2⤵
  PID:6036
- C:\Windows\System32\BAeRVlb.exe
  C:\Windows\System32\BAeRVlb.exe
  2⤵
  PID:3440
- C:\Windows\System32\vYdZYdd.exe
  C:\Windows\System32\vYdZYdd.exe
  2⤵
  PID:4884
- C:\Windows\System32\MXwGwWD.exe
  C:\Windows\System32\MXwGwWD.exe
  2⤵
  PID:1900
- C:\Windows\System32\jnWSdjl.exe
  C:\Windows\System32\jnWSdjl.exe
  2⤵
  PID:4848
- C:\Windows\System32\ffOACGk.exe
  C:\Windows\System32\ffOACGk.exe
  2⤵
  PID:3540
- C:\Windows\System32\DLZfpvM.exe
  C:\Windows\System32\DLZfpvM.exe
  2⤵
  PID:6128
- C:\Windows\System32\ccHBsfU.exe
  C:\Windows\System32\ccHBsfU.exe
  2⤵
  PID:5720
- C:\Windows\System32\lGxOzlI.exe
  C:\Windows\System32\lGxOzlI.exe
  2⤵
  PID:5332
- C:\Windows\System32\sfwdzmS.exe
  C:\Windows\System32\sfwdzmS.exe
  2⤵
  PID:2148
- C:\Windows\System32\azslvgv.exe
  C:\Windows\System32\azslvgv.exe
  2⤵
  PID:5844
- C:\Windows\System32\GPiPTvF.exe
  C:\Windows\System32\GPiPTvF.exe
  2⤵
  PID:5444
- C:\Windows\System32\NgxQdQR.exe
  C:\Windows\System32\NgxQdQR.exe
  2⤵
  PID:6176
- C:\Windows\System32\FlGWbGx.exe
  C:\Windows\System32\FlGWbGx.exe
  2⤵
  PID:6216
- C:\Windows\System32\OtySMMB.exe
  C:\Windows\System32\OtySMMB.exe
  2⤵
  PID:6232
- C:\Windows\System32\jTgcZtw.exe
  C:\Windows\System32\jTgcZtw.exe
  2⤵
  PID:6248
- C:\Windows\System32\hIaDCZV.exe
  C:\Windows\System32\hIaDCZV.exe
  2⤵
  PID:6280
- C:\Windows\System32\blArrgW.exe
  C:\Windows\System32\blArrgW.exe
  2⤵
  PID:6304
- C:\Windows\System32\QAhlAHf.exe
  C:\Windows\System32\QAhlAHf.exe
  2⤵
  PID:6348
- C:\Windows\System32\xTTJpyM.exe
  C:\Windows\System32\xTTJpyM.exe
  2⤵
  PID:6376
- C:\Windows\System32\PqXVaGg.exe
  C:\Windows\System32\PqXVaGg.exe
  2⤵
  PID:6404
- C:\Windows\System32\UHnELfR.exe
  C:\Windows\System32\UHnELfR.exe
  2⤵
  PID:6432
- C:\Windows\System32\RIACeoo.exe
  C:\Windows\System32\RIACeoo.exe
  2⤵
  PID:6448
- C:\Windows\System32\ZMGNcxL.exe
  C:\Windows\System32\ZMGNcxL.exe
  2⤵
  PID:6480
- C:\Windows\System32\xfZxXyn.exe
  C:\Windows\System32\xfZxXyn.exe
  2⤵
  PID:6496
- C:\Windows\System32\lnZocex.exe
  C:\Windows\System32\lnZocex.exe
  2⤵
  PID:6520
- C:\Windows\System32\Kabfyvn.exe
  C:\Windows\System32\Kabfyvn.exe
  2⤵
  PID:6540
- C:\Windows\System32\jDWeAPX.exe
  C:\Windows\System32\jDWeAPX.exe
  2⤵
  PID:6556
- C:\Windows\System32\beBdpCS.exe
  C:\Windows\System32\beBdpCS.exe
  2⤵
  PID:6592
- C:\Windows\System32\kMrHJVV.exe
  C:\Windows\System32\kMrHJVV.exe
  2⤵
  PID:6616
- C:\Windows\System32\GKQwZgN.exe
  C:\Windows\System32\GKQwZgN.exe
  2⤵
  PID:6672
- C:\Windows\System32\oyXzpRD.exe
  C:\Windows\System32\oyXzpRD.exe
  2⤵
  PID:6708
- C:\Windows\System32\AArdgnu.exe
  C:\Windows\System32\AArdgnu.exe
  2⤵
  PID:6724
- C:\Windows\System32\WwyJOum.exe
  C:\Windows\System32\WwyJOum.exe
  2⤵
  PID:6768
- C:\Windows\System32\zLkkAnz.exe
  C:\Windows\System32\zLkkAnz.exe
  2⤵
  PID:6784
- C:\Windows\System32\AoVykNO.exe
  C:\Windows\System32\AoVykNO.exe
  2⤵
  PID:6808
- C:\Windows\System32\GMgEujO.exe
  C:\Windows\System32\GMgEujO.exe
  2⤵
  PID:6836
- C:\Windows\System32\zBfZNIQ.exe
  C:\Windows\System32\zBfZNIQ.exe
  2⤵
  PID:6872
- C:\Windows\System32\aJXEJdY.exe
  C:\Windows\System32\aJXEJdY.exe
  2⤵
  PID:6896
- C:\Windows\System32\dbJENSa.exe
  C:\Windows\System32\dbJENSa.exe
  2⤵
  PID:6944
- C:\Windows\System32\twroDUA.exe
  C:\Windows\System32\twroDUA.exe
  2⤵
  PID:6960
- C:\Windows\System32\SECMUNy.exe
  C:\Windows\System32\SECMUNy.exe
  2⤵
  PID:7000
- C:\Windows\System32\rbQCuZM.exe
  C:\Windows\System32\rbQCuZM.exe
  2⤵
  PID:7032
- C:\Windows\System32\oSQYzIw.exe
  C:\Windows\System32\oSQYzIw.exe
  2⤵
  PID:7052
- C:\Windows\System32\ndVZUAM.exe
  C:\Windows\System32\ndVZUAM.exe
  2⤵
  PID:7096
- C:\Windows\System32\JKtQVpY.exe
  C:\Windows\System32\JKtQVpY.exe
  2⤵
  PID:7116
- C:\Windows\System32\JYwxCrd.exe
  C:\Windows\System32\JYwxCrd.exe
  2⤵
  PID:7140
- C:\Windows\System32\mgifIMB.exe
  C:\Windows\System32\mgifIMB.exe
  2⤵
  PID:7156
- C:\Windows\System32\UpfQWOS.exe
  C:\Windows\System32\UpfQWOS.exe
  2⤵
  PID:1600
- C:\Windows\System32\dSqMzjG.exe
  C:\Windows\System32\dSqMzjG.exe
  2⤵
  PID:6244
- C:\Windows\System32\ZGEvDIY.exe
  C:\Windows\System32\ZGEvDIY.exe
  2⤵
  PID:6292
- C:\Windows\System32\zVhGjSP.exe
  C:\Windows\System32\zVhGjSP.exe
  2⤵
  PID:6324
- C:\Windows\System32\xHkoXjS.exe
  C:\Windows\System32\xHkoXjS.exe
  2⤵
  PID:6364
- C:\Windows\System32\vLKZyEW.exe
  C:\Windows\System32\vLKZyEW.exe
  2⤵
  PID:6444
- C:\Windows\System32\vFsaBmk.exe
  C:\Windows\System32\vFsaBmk.exe
  2⤵
  PID:6488
- C:\Windows\System32\UEZmwBW.exe
  C:\Windows\System32\UEZmwBW.exe
  2⤵
  PID:6572
- C:\Windows\System32\NqlIwXB.exe
  C:\Windows\System32\NqlIwXB.exe
  2⤵
  PID:6644
- C:\Windows\System32\VhmnImr.exe
  C:\Windows\System32\VhmnImr.exe
  2⤵
  PID:6660
- C:\Windows\System32\OUfLAST.exe
  C:\Windows\System32\OUfLAST.exe
  2⤵
  PID:6720
- C:\Windows\System32\WleiboD.exe
  C:\Windows\System32\WleiboD.exe
  2⤵
  PID:6888
- C:\Windows\System32\rQfLTEV.exe
  C:\Windows\System32\rQfLTEV.exe
  2⤵
  PID:6940
- C:\Windows\System32\aYLNwYs.exe
  C:\Windows\System32\aYLNwYs.exe
  2⤵
  PID:6972
- C:\Windows\System32\BNDbcPU.exe
  C:\Windows\System32\BNDbcPU.exe
  2⤵
  PID:7104
- C:\Windows\System32\MwFLPAq.exe
  C:\Windows\System32\MwFLPAq.exe
  2⤵
  PID:5932
- C:\Windows\System32\FNSzSQZ.exe
  C:\Windows\System32\FNSzSQZ.exe
  2⤵
  PID:6268
- C:\Windows\System32\cRQVAiI.exe
  C:\Windows\System32\cRQVAiI.exe
  2⤵
  PID:6332
- C:\Windows\System32\nQkbDAV.exe
  C:\Windows\System32\nQkbDAV.exe
  2⤵
  PID:6384
- C:\Windows\System32\TXBVVvJ.exe
  C:\Windows\System32\TXBVVvJ.exe
  2⤵
  PID:6536
- C:\Windows\System32\ZuiGpYG.exe
  C:\Windows\System32\ZuiGpYG.exe
  2⤵
  PID:6860
- C:\Windows\System32\dTCVEnQ.exe
  C:\Windows\System32\dTCVEnQ.exe
  2⤵
  PID:6968
- C:\Windows\System32\CDdAQjS.exe
  C:\Windows\System32\CDdAQjS.exe
  2⤵
  PID:7132
- C:\Windows\System32\rAiYmrv.exe
  C:\Windows\System32\rAiYmrv.exe
  2⤵
  PID:6156
- C:\Windows\System32\saXtAYq.exe
  C:\Windows\System32\saXtAYq.exe
  2⤵
  PID:6260
- C:\Windows\System32\nigGQqd.exe
  C:\Windows\System32\nigGQqd.exe
  2⤵
  PID:5704
- C:\Windows\System32\XbBWUTw.exe
  C:\Windows\System32\XbBWUTw.exe
  2⤵
  PID:6464
- C:\Windows\System32\ShGNaCx.exe
  C:\Windows\System32\ShGNaCx.exe
  2⤵
  PID:7204
- C:\Windows\System32\JIsrwvw.exe
  C:\Windows\System32\JIsrwvw.exe
  2⤵
  PID:7236
- C:\Windows\System32\BJkWDfq.exe
  C:\Windows\System32\BJkWDfq.exe
  2⤵
  PID:7264
- C:\Windows\System32\WwNksPt.exe
  C:\Windows\System32\WwNksPt.exe
  2⤵
  PID:7292
- C:\Windows\System32\ALtmFUk.exe
  C:\Windows\System32\ALtmFUk.exe
  2⤵
  PID:7308
- C:\Windows\System32\xddCxWn.exe
  C:\Windows\System32\xddCxWn.exe
  2⤵
  PID:7328
- C:\Windows\System32\qJPrIVS.exe
  C:\Windows\System32\qJPrIVS.exe
  2⤵
  PID:7344
- C:\Windows\System32\RQuheWX.exe
  C:\Windows\System32\RQuheWX.exe
  2⤵
  PID:7372
- C:\Windows\System32\tTUHAPV.exe
  C:\Windows\System32\tTUHAPV.exe
  2⤵
  PID:7420
- C:\Windows\System32\JPATIeS.exe
  C:\Windows\System32\JPATIeS.exe
  2⤵
  PID:7456
- C:\Windows\System32\qhACEbh.exe
  C:\Windows\System32\qhACEbh.exe
  2⤵
  PID:7472
- C:\Windows\System32\iVqLEBG.exe
  C:\Windows\System32\iVqLEBG.exe
  2⤵
  PID:7500
- C:\Windows\System32\kSRRQHY.exe
  C:\Windows\System32\kSRRQHY.exe
  2⤵
  PID:7552
- C:\Windows\System32\GPwycGW.exe
  C:\Windows\System32\GPwycGW.exe
  2⤵
  PID:7572
- C:\Windows\System32\HJxXxZW.exe
  C:\Windows\System32\HJxXxZW.exe
  2⤵
  PID:7596
- C:\Windows\System32\pjzkcXt.exe
  C:\Windows\System32\pjzkcXt.exe
  2⤵
  PID:7612
- C:\Windows\System32\sVUwurD.exe
  C:\Windows\System32\sVUwurD.exe
  2⤵
  PID:7628
- C:\Windows\System32\lIjhUcp.exe
  C:\Windows\System32\lIjhUcp.exe
  2⤵
  PID:7648
- C:\Windows\System32\bslfXIh.exe
  C:\Windows\System32\bslfXIh.exe
  2⤵
  PID:7688
- C:\Windows\System32\vXlPxJe.exe
  C:\Windows\System32\vXlPxJe.exe
  2⤵
  PID:7728
- C:\Windows\System32\NEBbVzi.exe
  C:\Windows\System32\NEBbVzi.exe
  2⤵
  PID:7744
- C:\Windows\System32\VDyuWvL.exe
  C:\Windows\System32\VDyuWvL.exe
  2⤵
  PID:7776
- C:\Windows\System32\jaOCQiz.exe
  C:\Windows\System32\jaOCQiz.exe
  2⤵
  PID:7792
- C:\Windows\System32\jEFRIcJ.exe
  C:\Windows\System32\jEFRIcJ.exe
  2⤵
  PID:7820
- C:\Windows\System32\RxUZjcn.exe
  C:\Windows\System32\RxUZjcn.exe
  2⤵
  PID:7836
- C:\Windows\System32\FDlPvxU.exe
  C:\Windows\System32\FDlPvxU.exe
  2⤵
  PID:7904
- C:\Windows\System32\oYrrrFN.exe
  C:\Windows\System32\oYrrrFN.exe
  2⤵
  PID:7932
- C:\Windows\System32\CxsrRZX.exe
  C:\Windows\System32\CxsrRZX.exe
  2⤵
  PID:7968
- C:\Windows\System32\ZAurtgE.exe
  C:\Windows\System32\ZAurtgE.exe
  2⤵
  PID:7984
- C:\Windows\System32\etytmBI.exe
  C:\Windows\System32\etytmBI.exe
  2⤵
  PID:8008
- C:\Windows\System32\pkHzeju.exe
  C:\Windows\System32\pkHzeju.exe
  2⤵
  PID:8044
- C:\Windows\System32\DukZbUJ.exe
  C:\Windows\System32\DukZbUJ.exe
  2⤵
  PID:8076
- C:\Windows\System32\tzBEXkW.exe
  C:\Windows\System32\tzBEXkW.exe
  2⤵
  PID:8096
- C:\Windows\System32\JzngBSC.exe
  C:\Windows\System32\JzngBSC.exe
  2⤵
  PID:8132
- C:\Windows\System32\tSEbnTM.exe
  C:\Windows\System32\tSEbnTM.exe
  2⤵
  PID:8164
- C:\Windows\System32\vlunVoA.exe
  C:\Windows\System32\vlunVoA.exe
  2⤵
  PID:8184
- C:\Windows\System32\NTHHRfF.exe
  C:\Windows\System32\NTHHRfF.exe
  2⤵
  PID:7192
- C:\Windows\System32\wMBAJKt.exe
  C:\Windows\System32\wMBAJKt.exe
  2⤵
  PID:7256
- C:\Windows\System32\qoacPnl.exe
  C:\Windows\System32\qoacPnl.exe
  2⤵
  PID:7320
- C:\Windows\System32\rCyPLhn.exe
  C:\Windows\System32\rCyPLhn.exe
  2⤵
  PID:7388
- C:\Windows\System32\ICowhqH.exe
  C:\Windows\System32\ICowhqH.exe
  2⤵
  PID:7464
- C:\Windows\System32\HhxYeAS.exe
  C:\Windows\System32\HhxYeAS.exe
  2⤵
  PID:7448
- C:\Windows\System32\lcbcPIu.exe
  C:\Windows\System32\lcbcPIu.exe
  2⤵
  PID:7496
- C:\Windows\System32\jGnNfjA.exe
  C:\Windows\System32\jGnNfjA.exe
  2⤵
  PID:7568
- C:\Windows\System32\ISWFugW.exe
  C:\Windows\System32\ISWFugW.exe
  2⤵
  PID:7644
- C:\Windows\System32\IGdhTYh.exe
  C:\Windows\System32\IGdhTYh.exe
  2⤵
  PID:7664
- C:\Windows\System32\kIeAvPF.exe
  C:\Windows\System32\kIeAvPF.exe
  2⤵
  PID:7784
- C:\Windows\System32\wvuBbqp.exe
  C:\Windows\System32\wvuBbqp.exe
  2⤵
  PID:7928
- C:\Windows\System32\ffQvycs.exe
  C:\Windows\System32\ffQvycs.exe
  2⤵
  PID:7980
- C:\Windows\System32\jQsUFEJ.exe
  C:\Windows\System32\jQsUFEJ.exe
  2⤵
  PID:8040
- C:\Windows\System32\WZeVMxK.exe
  C:\Windows\System32\WZeVMxK.exe
  2⤵
  PID:8108
- C:\Windows\System32\JkzCMrU.exe
  C:\Windows\System32\JkzCMrU.exe
  2⤵
  PID:8148
- C:\Windows\System32\EEbNSbe.exe
  C:\Windows\System32\EEbNSbe.exe
  2⤵
  PID:7024
- C:\Windows\System32\xXFFEDf.exe
  C:\Windows\System32\xXFFEDf.exe
  2⤵
  PID:7248
- C:\Windows\System32\rlaWhwV.exe
  C:\Windows\System32\rlaWhwV.exe
  2⤵
  PID:7636
- C:\Windows\System32\MrmYdbd.exe
  C:\Windows\System32\MrmYdbd.exe
  2⤵
  PID:7608
- C:\Windows\System32\rmbUnFH.exe
  C:\Windows\System32\rmbUnFH.exe
  2⤵
  PID:7804
- C:\Windows\System32\kMkbQXC.exe
  C:\Windows\System32\kMkbQXC.exe
  2⤵
  PID:7880
- C:\Windows\System32\JwZIhve.exe
  C:\Windows\System32\JwZIhve.exe
  2⤵
  PID:8064
- C:\Windows\System32\qbXqcYj.exe
  C:\Windows\System32\qbXqcYj.exe
  2⤵
  PID:7340
- C:\Windows\System32\ZZNqQrr.exe
  C:\Windows\System32\ZZNqQrr.exe
  2⤵
  PID:7912
- C:\Windows\System32\OfbWZbE.exe
  C:\Windows\System32\OfbWZbE.exe
  2⤵
  PID:8180
- C:\Windows\System32\vSNXaQb.exe
  C:\Windows\System32\vSNXaQb.exe
  2⤵
  PID:7736
- C:\Windows\System32\SNkaWFi.exe
  C:\Windows\System32\SNkaWFi.exe
  2⤵
  PID:7488
- C:\Windows\System32\TJvDCil.exe
  C:\Windows\System32\TJvDCil.exe
  2⤵
  PID:8216
- C:\Windows\System32\oItPMYK.exe
  C:\Windows\System32\oItPMYK.exe
  2⤵
  PID:8244
- C:\Windows\System32\KpNxrvN.exe
  C:\Windows\System32\KpNxrvN.exe
  2⤵
  PID:8272
- C:\Windows\System32\mPRGWbv.exe
  C:\Windows\System32\mPRGWbv.exe
  2⤵
  PID:8308
- C:\Windows\System32\LsprqAt.exe
  C:\Windows\System32\LsprqAt.exe
  2⤵
  PID:8324
- C:\Windows\System32\Urikhbn.exe
  C:\Windows\System32\Urikhbn.exe
  2⤵
  PID:8416
- C:\Windows\System32\puSbcgt.exe
  C:\Windows\System32\puSbcgt.exe
  2⤵
  PID:8432
- C:\Windows\System32\YtCktsY.exe
  C:\Windows\System32\YtCktsY.exe
  2⤵
  PID:8448
- C:\Windows\System32\IayhVql.exe
  C:\Windows\System32\IayhVql.exe
  2⤵
  PID:8516
- C:\Windows\System32\uMRWsBT.exe
  C:\Windows\System32\uMRWsBT.exe
  2⤵
  PID:8532
- C:\Windows\System32\DBRbgze.exe
  C:\Windows\System32\DBRbgze.exe
  2⤵
  PID:8548
- C:\Windows\System32\KhpgQQC.exe
  C:\Windows\System32\KhpgQQC.exe
  2⤵
  PID:8564
- C:\Windows\System32\cVcLINz.exe
  C:\Windows\System32\cVcLINz.exe
  2⤵
  PID:8580
- C:\Windows\System32\lbDapVF.exe
  C:\Windows\System32\lbDapVF.exe
  2⤵
  PID:8596
- C:\Windows\System32\qUxXOnq.exe
  C:\Windows\System32\qUxXOnq.exe
  2⤵
  PID:8612
- C:\Windows\System32\qRtfjCo.exe
  C:\Windows\System32\qRtfjCo.exe
  2⤵
  PID:8628
- C:\Windows\System32\tzCSKgG.exe
  C:\Windows\System32\tzCSKgG.exe
  2⤵
  PID:8644
- C:\Windows\System32\ayyqBXQ.exe
  C:\Windows\System32\ayyqBXQ.exe
  2⤵
  PID:8660
- C:\Windows\System32\EyGmieJ.exe
  C:\Windows\System32\EyGmieJ.exe
  2⤵
  PID:8680
- C:\Windows\System32\dAouwUF.exe
  C:\Windows\System32\dAouwUF.exe
  2⤵
  PID:8696
- C:\Windows\System32\xYyhoCW.exe
  C:\Windows\System32\xYyhoCW.exe
  2⤵
  PID:8728
- C:\Windows\System32\RgUtJCG.exe
  C:\Windows\System32\RgUtJCG.exe
  2⤵
  PID:8812
- C:\Windows\System32\YcQXhfz.exe
  C:\Windows\System32\YcQXhfz.exe
  2⤵
  PID:8992
- C:\Windows\System32\encZFxV.exe
  C:\Windows\System32\encZFxV.exe
  2⤵
  PID:9020
- C:\Windows\System32\vGFABls.exe
  C:\Windows\System32\vGFABls.exe
  2⤵
  PID:9048
- C:\Windows\System32\HVAmHdq.exe
  C:\Windows\System32\HVAmHdq.exe
  2⤵
  PID:9064
- C:\Windows\System32\vYSYIaz.exe
  C:\Windows\System32\vYSYIaz.exe
  2⤵
  PID:9092
- C:\Windows\System32\eMGPKLO.exe
  C:\Windows\System32\eMGPKLO.exe
  2⤵
  PID:9132
- C:\Windows\System32\LTicZib.exe
  C:\Windows\System32\LTicZib.exe
  2⤵
  PID:9152
- C:\Windows\System32\hbQKVWW.exe
  C:\Windows\System32\hbQKVWW.exe
  2⤵
  PID:9168
- C:\Windows\System32\IfoXZZG.exe
  C:\Windows\System32\IfoXZZG.exe
  2⤵
  PID:9192
- C:\Windows\System32\hHDmVyn.exe
  C:\Windows\System32\hHDmVyn.exe
  2⤵
  PID:8240
- C:\Windows\System32\RwChAdK.exe
  C:\Windows\System32\RwChAdK.exe
  2⤵
  PID:8344
- C:\Windows\System32\jIDdVFU.exe
  C:\Windows\System32\jIDdVFU.exe
  2⤵
  PID:8280
- C:\Windows\System32\YbPsyep.exe
  C:\Windows\System32\YbPsyep.exe
  2⤵
  PID:8440
- C:\Windows\System32\daNBioG.exe
  C:\Windows\System32\daNBioG.exe
  2⤵
  PID:8292
- C:\Windows\System32\HKfphvj.exe
  C:\Windows\System32\HKfphvj.exe
  2⤵
  PID:8360
- C:\Windows\System32\GlGTwrh.exe
  C:\Windows\System32\GlGTwrh.exe
  2⤵
  PID:8544
- C:\Windows\System32\nyUImMs.exe
  C:\Windows\System32\nyUImMs.exe
  2⤵
  PID:8488
- C:\Windows\System32\HtUuANq.exe
  C:\Windows\System32\HtUuANq.exe
  2⤵
  PID:8512
- C:\Windows\System32\WbhGlDm.exe
  C:\Windows\System32\WbhGlDm.exe
  2⤵
  PID:8640
- C:\Windows\System32\AFLhjAZ.exe
  C:\Windows\System32\AFLhjAZ.exe
  2⤵
  PID:8524
- C:\Windows\System32\QbOTELb.exe
  C:\Windows\System32\QbOTELb.exe
  2⤵
  PID:8652
- C:\Windows\System32\AWORQrq.exe
  C:\Windows\System32\AWORQrq.exe
  2⤵
  PID:8688
- C:\Windows\System32\OWCzIEj.exe
  C:\Windows\System32\OWCzIEj.exe
  2⤵
  PID:8796
- C:\Windows\System32\EflMCJn.exe
  C:\Windows\System32\EflMCJn.exe
  2⤵
  PID:8952
- C:\Windows\System32\imriIpH.exe
  C:\Windows\System32\imriIpH.exe
  2⤵
  PID:9036
- C:\Windows\System32\ZoAmVhF.exe
  C:\Windows\System32\ZoAmVhF.exe
  2⤵
  PID:9112
- C:\Windows\System32\NozPTTN.exe
  C:\Windows\System32\NozPTTN.exe
  2⤵
  PID:9188
- C:\Windows\System32\notFdLH.exe
  C:\Windows\System32\notFdLH.exe
  2⤵
  PID:8332
- C:\Windows\System32\UsRXtdl.exe
  C:\Windows\System32\UsRXtdl.exe
  2⤵
  PID:8252
- C:\Windows\System32\pDYpxZQ.exe
  C:\Windows\System32\pDYpxZQ.exe
  2⤵
  PID:8336
- C:\Windows\System32\DPzhWJT.exe
  C:\Windows\System32\DPzhWJT.exe
  2⤵
  PID:8468
- C:\Windows\System32\oOHGHOj.exe
  C:\Windows\System32\oOHGHOj.exe
  2⤵
  PID:8576
- C:\Windows\System32\KZOEwYU.exe
  C:\Windows\System32\KZOEwYU.exe
  2⤵
  PID:8556
- C:\Windows\System32\wCHfUhH.exe
  C:\Windows\System32\wCHfUhH.exe
  2⤵
  PID:9088
- C:\Windows\System32\OtirAsX.exe
  C:\Windows\System32\OtirAsX.exe
  2⤵
  PID:9200
- C:\Windows\System32\jabkxUQ.exe
  C:\Windows\System32\jabkxUQ.exe
  2⤵
  PID:8372
- C:\Windows\System32\bPUaDAA.exe
  C:\Windows\System32\bPUaDAA.exe
  2⤵
  PID:8780
- C:\Windows\System32\CWCkPqn.exe
  C:\Windows\System32\CWCkPqn.exe
  2⤵
  PID:8944
- C:\Windows\System32\YJnSqCo.exe
  C:\Windows\System32\YJnSqCo.exe
  2⤵
  PID:8228
- C:\Windows\System32\mCXdWiI.exe
  C:\Windows\System32\mCXdWiI.exe
  2⤵
  PID:8748
- C:\Windows\System32\KBQinnE.exe
  C:\Windows\System32\KBQinnE.exe
  2⤵
  PID:9236
- C:\Windows\System32\jkLgnDQ.exe
  C:\Windows\System32\jkLgnDQ.exe
  2⤵
  PID:9256
- C:\Windows\System32\juOiFoD.exe
  C:\Windows\System32\juOiFoD.exe
  2⤵
  PID:9288
- C:\Windows\System32\UszsPuj.exe
  C:\Windows\System32\UszsPuj.exe
  2⤵
  PID:9316
- C:\Windows\System32\SoFuUXU.exe
  C:\Windows\System32\SoFuUXU.exe
  2⤵
  PID:9332
- C:\Windows\System32\qdmJWex.exe
  C:\Windows\System32\qdmJWex.exe
  2⤵
  PID:9364
- C:\Windows\System32\oroDjPf.exe
  C:\Windows\System32\oroDjPf.exe
  2⤵
  PID:9396
- C:\Windows\System32\xXnsUTj.exe
  C:\Windows\System32\xXnsUTj.exe
  2⤵
  PID:9416
- C:\Windows\System32\sFijKUE.exe
  C:\Windows\System32\sFijKUE.exe
  2⤵
  PID:9436
- C:\Windows\System32\Fpdagqy.exe
  C:\Windows\System32\Fpdagqy.exe
  2⤵
  PID:9468
- C:\Windows\System32\QMOwsiY.exe
  C:\Windows\System32\QMOwsiY.exe
  2⤵
  PID:9488
- C:\Windows\System32\cVvuaJM.exe
  C:\Windows\System32\cVvuaJM.exe
  2⤵
  PID:9532
- C:\Windows\System32\JuozJib.exe
  C:\Windows\System32\JuozJib.exe
  2⤵
  PID:9584
- C:\Windows\System32\nlBmCky.exe
  C:\Windows\System32\nlBmCky.exe
  2⤵
  PID:9612
- C:\Windows\System32\fptsECK.exe
  C:\Windows\System32\fptsECK.exe
  2⤵
  PID:9648
- C:\Windows\System32\POIQDAd.exe
  C:\Windows\System32\POIQDAd.exe
  2⤵
  PID:9676
- C:\Windows\System32\YSDbkus.exe
  C:\Windows\System32\YSDbkus.exe
  2⤵
  PID:9696
- C:\Windows\System32\GMnRBZo.exe
  C:\Windows\System32\GMnRBZo.exe
  2⤵
  PID:9716
- C:\Windows\System32\KMRmogo.exe
  C:\Windows\System32\KMRmogo.exe
  2⤵
  PID:9748
- C:\Windows\System32\EjmUAwG.exe
  C:\Windows\System32\EjmUAwG.exe
  2⤵
  PID:9776
- C:\Windows\System32\TqqYYsL.exe
  C:\Windows\System32\TqqYYsL.exe
  2⤵
  PID:9792
- C:\Windows\System32\HsHykpI.exe
  C:\Windows\System32\HsHykpI.exe
  2⤵
  PID:9828
- C:\Windows\System32\OZufcAA.exe
  C:\Windows\System32\OZufcAA.exe
  2⤵
  PID:9852
- C:\Windows\System32\uKWDzBC.exe
  C:\Windows\System32\uKWDzBC.exe
  2⤵
  PID:9872
- C:\Windows\System32\JeaRzyl.exe
  C:\Windows\System32\JeaRzyl.exe
  2⤵
  PID:9888
- C:\Windows\System32\OsznCxF.exe
  C:\Windows\System32\OsznCxF.exe
  2⤵
  PID:9916
- C:\Windows\System32\dWrYQXU.exe
  C:\Windows\System32\dWrYQXU.exe
  2⤵
  PID:9932
- C:\Windows\System32\GOnpFSG.exe
  C:\Windows\System32\GOnpFSG.exe
  2⤵
  PID:9960
- C:\Windows\System32\sSQnqya.exe
  C:\Windows\System32\sSQnqya.exe
  2⤵
  PID:9988
- C:\Windows\System32\dTuXGGE.exe
  C:\Windows\System32\dTuXGGE.exe
  2⤵
  PID:10016
- C:\Windows\System32\wrCIdbi.exe
  C:\Windows\System32\wrCIdbi.exe
  2⤵
  PID:10084
- C:\Windows\System32\yKhNQTU.exe
  C:\Windows\System32\yKhNQTU.exe
  2⤵
  PID:10104
- C:\Windows\System32\ASXIjhk.exe
  C:\Windows\System32\ASXIjhk.exe
  2⤵
  PID:10120
- C:\Windows\System32\VphJCIq.exe
  C:\Windows\System32\VphJCIq.exe
  2⤵
  PID:10148
- C:\Windows\System32\hwheYjK.exe
  C:\Windows\System32\hwheYjK.exe
  2⤵
  PID:10168
- C:\Windows\System32\cWLJLLg.exe
  C:\Windows\System32\cWLJLLg.exe
  2⤵
  PID:10188
- C:\Windows\System32\NbUJsnT.exe
  C:\Windows\System32\NbUJsnT.exe
  2⤵
  PID:10208
- C:\Windows\System32\vmYMBdc.exe
  C:\Windows\System32\vmYMBdc.exe
  2⤵
  PID:10224
- C:\Windows\System32\nkiyCFu.exe
  C:\Windows\System32\nkiyCFu.exe
  2⤵
  PID:9280
- C:\Windows\System32\akSxQyi.exe
  C:\Windows\System32\akSxQyi.exe
  2⤵
  PID:9324
- C:\Windows\System32\kczNrLN.exe
  C:\Windows\System32\kczNrLN.exe
  2⤵
  PID:9356
- C:\Windows\System32\SBMTJdj.exe
  C:\Windows\System32\SBMTJdj.exe
  2⤵
  PID:9512
- C:\Windows\System32\DDgtTeV.exe
  C:\Windows\System32\DDgtTeV.exe
  2⤵
  PID:9560
- C:\Windows\System32\OmOHiIs.exe
  C:\Windows\System32\OmOHiIs.exe
  2⤵
  PID:9660
- C:\Windows\System32\yXpLUCK.exe
  C:\Windows\System32\yXpLUCK.exe
  2⤵
  PID:9692
- C:\Windows\System32\xKjZggI.exe
  C:\Windows\System32\xKjZggI.exe
  2⤵
  PID:9844
- C:\Windows\System32\enJTOfd.exe
  C:\Windows\System32\enJTOfd.exe
  2⤵
  PID:9864
- C:\Windows\System32\KuYiKRm.exe
  C:\Windows\System32\KuYiKRm.exe
  2⤵
  PID:9924
- C:\Windows\System32\VItFIRP.exe
  C:\Windows\System32\VItFIRP.exe
  2⤵
  PID:9968
- C:\Windows\System32\fCtJITl.exe
  C:\Windows\System32\fCtJITl.exe
  2⤵
  PID:10092
- C:\Windows\System32\eujVqLM.exe
  C:\Windows\System32\eujVqLM.exe
  2⤵
  PID:10180
- C:\Windows\System32\CjorrWE.exe
  C:\Windows\System32\CjorrWE.exe
  2⤵
  PID:10176
- C:\Windows\System32\ZlyEhgq.exe
  C:\Windows\System32\ZlyEhgq.exe
  2⤵
  PID:9264
- C:\Windows\System32\pBOpRMW.exe
  C:\Windows\System32\pBOpRMW.exe
  2⤵
  PID:9508
- C:\Windows\System32\jDXzWbZ.exe
  C:\Windows\System32\jDXzWbZ.exe
  2⤵
  PID:9556
- C:\Windows\System32\YLMNyZj.exe
  C:\Windows\System32\YLMNyZj.exe
  2⤵
  PID:9452
- C:\Windows\System32\NIAiNGH.exe
  C:\Windows\System32\NIAiNGH.exe
  2⤵
  PID:9764
- C:\Windows\System32\ZkXZvTO.exe
  C:\Windows\System32\ZkXZvTO.exe
  2⤵
  PID:9868
- C:\Windows\System32\ebzHaSe.exe
  C:\Windows\System32\ebzHaSe.exe
  2⤵
  PID:9344
- C:\Windows\System32\KjgOfCq.exe
  C:\Windows\System32\KjgOfCq.exe
  2⤵
  PID:8724
- C:\Windows\System32\DYdvRkM.exe
  C:\Windows\System32\DYdvRkM.exe
  2⤵
  PID:9904
- C:\Windows\System32\xBqyUjT.exe
  C:\Windows\System32\xBqyUjT.exe
  2⤵
  PID:10112
- C:\Windows\System32\OxbxwdC.exe
  C:\Windows\System32\OxbxwdC.exe
  2⤵
  PID:9760
- C:\Windows\System32\wzhErNO.exe
  C:\Windows\System32\wzhErNO.exe
  2⤵
  PID:10252
- C:\Windows\System32\SHvdGwo.exe
  C:\Windows\System32\SHvdGwo.exe
  2⤵
  PID:10280
- C:\Windows\System32\OVRtBUU.exe
  C:\Windows\System32\OVRtBUU.exe
  2⤵
  PID:10296
- C:\Windows\System32\biNCNjc.exe
  C:\Windows\System32\biNCNjc.exe
  2⤵
  PID:10316
- C:\Windows\System32\oXSdsyn.exe
  C:\Windows\System32\oXSdsyn.exe
  2⤵
  PID:10340
- C:\Windows\System32\kEgVEDt.exe
  C:\Windows\System32\kEgVEDt.exe
  2⤵
  PID:10356
- C:\Windows\System32\yTQEMFe.exe
  C:\Windows\System32\yTQEMFe.exe
  2⤵
  PID:10376
- C:\Windows\System32\zfnNwam.exe
  C:\Windows\System32\zfnNwam.exe
  2⤵
  PID:10440
- C:\Windows\System32\EBDDQSx.exe
  C:\Windows\System32\EBDDQSx.exe
  2⤵
  PID:10504
- C:\Windows\System32\sBbAFmx.exe
  C:\Windows\System32\sBbAFmx.exe
  2⤵
  PID:10532
- C:\Windows\System32\wljjnkJ.exe
  C:\Windows\System32\wljjnkJ.exe
  2⤵
  PID:10560
- C:\Windows\System32\ALfXloG.exe
  C:\Windows\System32\ALfXloG.exe
  2⤵
  PID:10584
- C:\Windows\System32\mprGeaM.exe
  C:\Windows\System32\mprGeaM.exe
  2⤵
  PID:10604
- C:\Windows\System32\GdadeVi.exe
  C:\Windows\System32\GdadeVi.exe
  2⤵
  PID:10632
- C:\Windows\System32\AVfJGSi.exe
  C:\Windows\System32\AVfJGSi.exe
  2⤵
  PID:10672
- C:\Windows\System32\sUuYAbP.exe
  C:\Windows\System32\sUuYAbP.exe
  2⤵
  PID:10692
- C:\Windows\System32\yiFtgOe.exe
  C:\Windows\System32\yiFtgOe.exe
  2⤵
  PID:10708
- C:\Windows\System32\rfqwkWS.exe
  C:\Windows\System32\rfqwkWS.exe
  2⤵
  PID:10748
- C:\Windows\System32\EynWYsh.exe
  C:\Windows\System32\EynWYsh.exe
  2⤵
  PID:10768
- C:\Windows\System32\sZCVMIN.exe
  C:\Windows\System32\sZCVMIN.exe
  2⤵
  PID:10804
- C:\Windows\System32\GMXzGOH.exe
  C:\Windows\System32\GMXzGOH.exe
  2⤵
  PID:10820
- C:\Windows\System32\sgFoDGi.exe
  C:\Windows\System32\sgFoDGi.exe
  2⤵
  PID:10856
- C:\Windows\System32\GcMDbjC.exe
  C:\Windows\System32\GcMDbjC.exe
  2⤵
  PID:10872
- C:\Windows\System32\CQJGoxK.exe
  C:\Windows\System32\CQJGoxK.exe
  2⤵
  PID:10900
- C:\Windows\System32\VmeMKfq.exe
  C:\Windows\System32\VmeMKfq.exe
  2⤵
  PID:10952
- C:\Windows\System32\PPuvTTU.exe
  C:\Windows\System32\PPuvTTU.exe
  2⤵
  PID:10980
- C:\Windows\System32\NqVZLkG.exe
  C:\Windows\System32\NqVZLkG.exe
  2⤵
  PID:10996
- C:\Windows\System32\SjSBeoi.exe
  C:\Windows\System32\SjSBeoi.exe
  2⤵
  PID:11024
- C:\Windows\System32\VkYGVtm.exe
  C:\Windows\System32\VkYGVtm.exe
  2⤵
  PID:11052
- C:\Windows\System32\UFFlUVu.exe
  C:\Windows\System32\UFFlUVu.exe
  2⤵
  PID:11080
- C:\Windows\System32\dKmgIsl.exe
  C:\Windows\System32\dKmgIsl.exe
  2⤵
  PID:11116
- C:\Windows\System32\CBwmtoP.exe
  C:\Windows\System32\CBwmtoP.exe
  2⤵
  PID:11132
- C:\Windows\System32\NQNXszU.exe
  C:\Windows\System32\NQNXszU.exe
  2⤵
  PID:11176
- C:\Windows\System32\gZIxffq.exe
  C:\Windows\System32\gZIxffq.exe
  2⤵
  PID:11212
- C:\Windows\System32\ktvnYtO.exe
  C:\Windows\System32\ktvnYtO.exe
  2⤵
  PID:11236
- C:\Windows\System32\SwZAGXB.exe
  C:\Windows\System32\SwZAGXB.exe
  2⤵
  PID:11256
- C:\Windows\System32\qvpvaGY.exe
  C:\Windows\System32\qvpvaGY.exe
  2⤵
  PID:10012
- C:\Windows\System32\UIFwbxG.exe
  C:\Windows\System32\UIFwbxG.exe
  2⤵
  PID:10312
- C:\Windows\System32\RGJILns.exe
  C:\Windows\System32\RGJILns.exe
  2⤵
  PID:10324
- C:\Windows\System32\hLUBbQh.exe
  C:\Windows\System32\hLUBbQh.exe
  2⤵
  PID:10468
- C:\Windows\System32\ItyVMmI.exe
  C:\Windows\System32\ItyVMmI.exe
  2⤵
  PID:10544
- C:\Windows\System32\KtLOCAG.exe
  C:\Windows\System32\KtLOCAG.exe
  2⤵
  PID:10624
- C:\Windows\System32\WOwriMF.exe
  C:\Windows\System32\WOwriMF.exe
  2⤵
  PID:10664
- C:\Windows\System32\ZTThPzD.exe
  C:\Windows\System32\ZTThPzD.exe
  2⤵
  PID:10728
- C:\Windows\System32\ZqKNjDp.exe
  C:\Windows\System32\ZqKNjDp.exe
  2⤵
  PID:10764
- C:\Windows\System32\WdnzZBR.exe
  C:\Windows\System32\WdnzZBR.exe
  2⤵
  PID:10868
- C:\Windows\System32\yOBKBSI.exe
  C:\Windows\System32\yOBKBSI.exe
  2⤵
  PID:10892
- C:\Windows\System32\wKTfEiA.exe
  C:\Windows\System32\wKTfEiA.exe
  2⤵
  PID:11004
- C:\Windows\System32\LbSOJai.exe
  C:\Windows\System32\LbSOJai.exe
  2⤵
  PID:11072
- C:\Windows\System32\fdccNyP.exe
  C:\Windows\System32\fdccNyP.exe
  2⤵
  PID:11104
- C:\Windows\System32\cOBXTSL.exe
  C:\Windows\System32\cOBXTSL.exe
  2⤵
  PID:11164
- C:\Windows\System32\ECYjLUj.exe
  C:\Windows\System32\ECYjLUj.exe
  2⤵
  PID:11244
- C:\Windows\System32\iaMyYMt.exe
  C:\Windows\System32\iaMyYMt.exe
  2⤵
  PID:10260
- C:\Windows\System32\vjjgeon.exe
  C:\Windows\System32\vjjgeon.exe
  2⤵
  PID:10556
- C:\Windows\System32\lqlOLZv.exe
  C:\Windows\System32\lqlOLZv.exe
  2⤵
  PID:10652
- C:\Windows\System32\qsKkecQ.exe
  C:\Windows\System32\qsKkecQ.exe
  2⤵
  PID:10756
- C:\Windows\System32\nKsfIbI.exe
  C:\Windows\System32\nKsfIbI.exe
  2⤵
  PID:10848
- C:\Windows\System32\ljuohFo.exe
  C:\Windows\System32\ljuohFo.exe
  2⤵
  PID:10988
- C:\Windows\System32\RfzuKBu.exe
  C:\Windows\System32\RfzuKBu.exe
  2⤵
  PID:11148
- C:\Windows\System32\apIwvNd.exe
  C:\Windows\System32\apIwvNd.exe
  2⤵
  PID:10616
- C:\Windows\System32\NodMECA.exe
  C:\Windows\System32\NodMECA.exe
  2⤵
  PID:11048
- C:\Windows\System32\WmiiPfR.exe
  C:\Windows\System32\WmiiPfR.exe
  2⤵
  PID:10724
- C:\Windows\System32\FfTpGZl.exe
  C:\Windows\System32\FfTpGZl.exe
  2⤵
  PID:10884
- C:\Windows\System32\ZUDDbsS.exe
  C:\Windows\System32\ZUDDbsS.exe
  2⤵
  PID:11276
- C:\Windows\System32\cBrNZng.exe
  C:\Windows\System32\cBrNZng.exe
  2⤵
  PID:11296
- C:\Windows\System32\NmwAmzX.exe
  C:\Windows\System32\NmwAmzX.exe
  2⤵
  PID:11348
- C:\Windows\System32\PTutHGp.exe
  C:\Windows\System32\PTutHGp.exe
  2⤵
  PID:11372
- C:\Windows\System32\EOBakMR.exe
  C:\Windows\System32\EOBakMR.exe
  2⤵
  PID:11392
- C:\Windows\System32\IJfnPQm.exe
  C:\Windows\System32\IJfnPQm.exe
  2⤵
  PID:11440
- C:\Windows\System32\IarvRmC.exe
  C:\Windows\System32\IarvRmC.exe
  2⤵
  PID:11464
- C:\Windows\System32\ypAsQLe.exe
  C:\Windows\System32\ypAsQLe.exe
  2⤵
  PID:11484
- C:\Windows\System32\wNsitUv.exe
  C:\Windows\System32\wNsitUv.exe
  2⤵
  PID:11500
- C:\Windows\System32\FsWBPxX.exe
  C:\Windows\System32\FsWBPxX.exe
  2⤵
  PID:11524
- C:\Windows\System32\jsquLuN.exe
  C:\Windows\System32\jsquLuN.exe
  2⤵
  PID:11560
- C:\Windows\System32\CUUuuhV.exe
  C:\Windows\System32\CUUuuhV.exe
  2⤵
  PID:11588
- C:\Windows\System32\flIHZHv.exe
  C:\Windows\System32\flIHZHv.exe
  2⤵
  PID:11604
- C:\Windows\System32\JtXyFhj.exe
  C:\Windows\System32\JtXyFhj.exe
  2⤵
  PID:11628
- C:\Windows\System32\NWQajbC.exe
  C:\Windows\System32\NWQajbC.exe
  2⤵
  PID:11684
- C:\Windows\System32\dJdAgxI.exe
  C:\Windows\System32\dJdAgxI.exe
  2⤵
  PID:11720
- C:\Windows\System32\YcxzAop.exe
  C:\Windows\System32\YcxzAop.exe
  2⤵
  PID:11748
- C:\Windows\System32\wnMpGUV.exe
  C:\Windows\System32\wnMpGUV.exe
  2⤵
  PID:11776
- C:\Windows\System32\uwuKTcf.exe
  C:\Windows\System32\uwuKTcf.exe
  2⤵
  PID:11804
- C:\Windows\System32\MArpbSb.exe
  C:\Windows\System32\MArpbSb.exe
  2⤵
  PID:11836
- C:\Windows\System32\CucyTDa.exe
  C:\Windows\System32\CucyTDa.exe
  2⤵
  PID:11864
- C:\Windows\System32\UtmWNqL.exe
  C:\Windows\System32\UtmWNqL.exe
  2⤵
  PID:11900
- C:\Windows\System32\UDfvyXK.exe
  C:\Windows\System32\UDfvyXK.exe
  2⤵
  PID:11920
- C:\Windows\System32\UAWQMLm.exe
  C:\Windows\System32\UAWQMLm.exe
  2⤵
  PID:11936
- C:\Windows\System32\skEJIHO.exe
  C:\Windows\System32\skEJIHO.exe
  2⤵
  PID:11952
- C:\Windows\System32\jDqnlKk.exe
  C:\Windows\System32\jDqnlKk.exe
  2⤵
  PID:12016
- C:\Windows\System32\cIfSWxh.exe
  C:\Windows\System32\cIfSWxh.exe
  2⤵
  PID:12032
- C:\Windows\System32\qudYkch.exe
  C:\Windows\System32\qudYkch.exe
  2⤵
  PID:12056
- C:\Windows\System32\EGeeCiQ.exe
  C:\Windows\System32\EGeeCiQ.exe
  2⤵
  PID:12084
- C:\Windows\System32\pBCubis.exe
  C:\Windows\System32\pBCubis.exe
  2⤵
  PID:12112
- C:\Windows\System32\palSGVk.exe
  C:\Windows\System32\palSGVk.exe
  2⤵
  PID:12132
- C:\Windows\System32\dwAOQaJ.exe
  C:\Windows\System32\dwAOQaJ.exe
  2⤵
  PID:12148
- C:\Windows\System32\jsxThAt.exe
  C:\Windows\System32\jsxThAt.exe
  2⤵
  PID:12200
- C:\Windows\System32\SrcXTvp.exe
  C:\Windows\System32\SrcXTvp.exe
  2⤵
  PID:12220
- C:\Windows\System32\nftzhTT.exe
  C:\Windows\System32\nftzhTT.exe
  2⤵
  PID:12236
- C:\Windows\System32\ISLQuac.exe
  C:\Windows\System32\ISLQuac.exe
  2⤵
  PID:12264
- C:\Windows\System32\ibOLqhL.exe
  C:\Windows\System32\ibOLqhL.exe
  2⤵
  PID:10416
- C:\Windows\System32\AvYZomT.exe
  C:\Windows\System32\AvYZomT.exe
  2⤵
  PID:11328
- C:\Windows\System32\JqBlSey.exe
  C:\Windows\System32\JqBlSey.exe
  2⤵
  PID:11368
- C:\Windows\System32\sljcyMs.exe
  C:\Windows\System32\sljcyMs.exe
  2⤵
  PID:11400
- C:\Windows\System32\GABjwKC.exe
  C:\Windows\System32\GABjwKC.exe
  2⤵
  PID:11480
- C:\Windows\System32\MTkYLpX.exe
  C:\Windows\System32\MTkYLpX.exe
  2⤵
  PID:11492
- C:\Windows\System32\jKQRvvK.exe
  C:\Windows\System32\jKQRvvK.exe
  2⤵
  PID:11652
- C:\Windows\System32\kuCtvgg.exe
  C:\Windows\System32\kuCtvgg.exe
  2⤵
  PID:11760
- C:\Windows\System32\fbTxCFD.exe
  C:\Windows\System32\fbTxCFD.exe
  2⤵
  PID:11828
- C:\Windows\System32\vibsHTm.exe
  C:\Windows\System32\vibsHTm.exe
  2⤵
  PID:11860
- C:\Windows\System32\wgIdGTi.exe
  C:\Windows\System32\wgIdGTi.exe
  2⤵
  PID:11908
- C:\Windows\System32\jVEIkzc.exe
  C:\Windows\System32\jVEIkzc.exe
  2⤵
  PID:11992
- C:\Windows\System32\MDwYngA.exe
  C:\Windows\System32\MDwYngA.exe
  2⤵
  PID:12064
- C:\Windows\System32\CqzplVH.exe
  C:\Windows\System32\CqzplVH.exe
  2⤵
  PID:12140
- C:\Windows\System32\KiFsFth.exe
  C:\Windows\System32\KiFsFth.exe
  2⤵
  PID:12196
- C:\Windows\System32\zQxzhzu.exe
  C:\Windows\System32\zQxzhzu.exe
  2⤵
  PID:12280
- C:\Windows\System32\tfuafXB.exe
  C:\Windows\System32\tfuafXB.exe
  2⤵
  PID:11424
- C:\Windows\System32\aExhyfA.exe
  C:\Windows\System32\aExhyfA.exe
  2⤵
  PID:11520
- C:\Windows\System32\vbGaLfp.exe
  C:\Windows\System32\vbGaLfp.exe
  2⤵
  PID:11708
- C:\Windows\System32\CEFInsg.exe
  C:\Windows\System32\CEFInsg.exe
  2⤵
  PID:11848
- C:\Windows\System32\fDEEmRw.exe
  C:\Windows\System32\fDEEmRw.exe
  2⤵
  PID:12028
- C:\Windows\System32\XakUbhT.exe
  C:\Windows\System32\XakUbhT.exe
  2⤵
  PID:12120
- C:\Windows\System32\IatMOSl.exe
  C:\Windows\System32\IatMOSl.exe
  2⤵
  PID:12168
- C:\Windows\System32\TwxNhKr.exe
  C:\Windows\System32\TwxNhKr.exe
  2⤵
  PID:2112
- C:\Windows\System32\KDjWaeW.exe
  C:\Windows\System32\KDjWaeW.exe
  2⤵
  PID:11736
- C:\Windows\System32\MBPcDjY.exe
  C:\Windows\System32\MBPcDjY.exe
  2⤵
  PID:11932
- C:\Windows\System32\mCSIxCn.exe
  C:\Windows\System32\mCSIxCn.exe
  2⤵
  PID:11284
- C:\Windows\System32\eJJNDwf.exe
  C:\Windows\System32\eJJNDwf.exe
  2⤵
  PID:11856
- C:\Windows\System32\LUaLBie.exe
  C:\Windows\System32\LUaLBie.exe
  2⤵
  PID:12100
- C:\Windows\System32\etMdyMT.exe
  C:\Windows\System32\etMdyMT.exe
  2⤵
  PID:12300
- C:\Windows\System32\JQSYGXC.exe
  C:\Windows\System32\JQSYGXC.exe
  2⤵
  PID:12328
- C:\Windows\System32\fUiPFyr.exe
  C:\Windows\System32\fUiPFyr.exe
  2⤵
  PID:12348
- C:\Windows\System32\ZRXnhOB.exe
  C:\Windows\System32\ZRXnhOB.exe
  2⤵
  PID:12364
- C:\Windows\System32\oIEJAbF.exe
  C:\Windows\System32\oIEJAbF.exe
  2⤵
  PID:12388
- C:\Windows\System32\qxwYCFV.exe
  C:\Windows\System32\qxwYCFV.exe
  2⤵
  PID:12404
- C:\Windows\System32\KCQhXSW.exe
  C:\Windows\System32\KCQhXSW.exe
  2⤵
  PID:12456
- C:\Windows\System32\rEpRSmU.exe
  C:\Windows\System32\rEpRSmU.exe
  2⤵
  PID:12508
- C:\Windows\System32\UlUNTUb.exe
  C:\Windows\System32\UlUNTUb.exe
  2⤵
  PID:12532
- C:\Windows\System32\LKihbXJ.exe
  C:\Windows\System32\LKihbXJ.exe
  2⤵
  PID:12552
- C:\Windows\System32\xUgUhif.exe
  C:\Windows\System32\xUgUhif.exe
  2⤵
  PID:12592
- C:\Windows\System32\fCTIGED.exe
  C:\Windows\System32\fCTIGED.exe
  2⤵
  PID:12608
- C:\Windows\System32\bpRcFCR.exe
  C:\Windows\System32\bpRcFCR.exe
  2⤵
  PID:12628
- C:\Windows\System32\CcsdYpc.exe
  C:\Windows\System32\CcsdYpc.exe
  2⤵
  PID:12656
- C:\Windows\System32\qssopmN.exe
  C:\Windows\System32\qssopmN.exe
  2⤵
  PID:12692
- C:\Windows\System32\JhEQRQX.exe
  C:\Windows\System32\JhEQRQX.exe
  2⤵
  PID:12708
- C:\Windows\System32\EPnTfGd.exe
  C:\Windows\System32\EPnTfGd.exe
  2⤵
  PID:12732
- C:\Windows\System32\RZbQjME.exe
  C:\Windows\System32\RZbQjME.exe
  2⤵
  PID:12764
- C:\Windows\System32\GVGXWjD.exe
  C:\Windows\System32\GVGXWjD.exe
  2⤵
  PID:12792
- C:\Windows\System32\TejPbDJ.exe
  C:\Windows\System32\TejPbDJ.exe
  2⤵
  PID:12836
- C:\Windows\System32\ShhZXMK.exe
  C:\Windows\System32\ShhZXMK.exe
  2⤵
  PID:12860
- C:\Windows\System32\NQIwBgX.exe
  C:\Windows\System32\NQIwBgX.exe
  2⤵
  PID:12892
- C:\Windows\System32\qTxungG.exe
  C:\Windows\System32\qTxungG.exe
  2⤵
  PID:12908
- C:\Windows\System32\TqBaMIr.exe
  C:\Windows\System32\TqBaMIr.exe
  2⤵
  PID:12956
- C:\Windows\System32\vbddgTX.exe
  C:\Windows\System32\vbddgTX.exe
  2⤵
  PID:12980
- C:\Windows\System32\GAhiaEJ.exe
  C:\Windows\System32\GAhiaEJ.exe
  2⤵
  PID:13000
- C:\Windows\System32\FQJbtjB.exe
  C:\Windows\System32\FQJbtjB.exe
  2⤵
  PID:13020
- C:\Windows\System32\eyDsoZW.exe
  C:\Windows\System32\eyDsoZW.exe
  2⤵
  PID:13056
- C:\Windows\System32\UxtIrwq.exe
  C:\Windows\System32\UxtIrwq.exe
  2⤵
  PID:13084
- C:\Windows\System32\dZNdQoi.exe
  C:\Windows\System32\dZNdQoi.exe
  2⤵
  PID:13104
- C:\Windows\System32\yuygSTQ.exe
  C:\Windows\System32\yuygSTQ.exe
  2⤵
  PID:13140
- C:\Windows\System32\KhajGgp.exe
  C:\Windows\System32\KhajGgp.exe
  2⤵
  PID:13172
- C:\Windows\System32\lIXSTzr.exe
  C:\Windows\System32\lIXSTzr.exe
  2⤵
  PID:13188
- C:\Windows\System32\vsHlFAT.exe
  C:\Windows\System32\vsHlFAT.exe
  2⤵
  PID:13236
- C:\Windows\System32\rBnksDL.exe
  C:\Windows\System32\rBnksDL.exe
  2⤵
  PID:13264
- C:\Windows\System32\vSgyYsR.exe
  C:\Windows\System32\vSgyYsR.exe
  2⤵
  PID:13288
- C:\Windows\System32\WHbItMx.exe
  C:\Windows\System32\WHbItMx.exe
  2⤵
  PID:13308
- C:\Windows\System32\QycxNPv.exe
  C:\Windows\System32\QycxNPv.exe
  2⤵
  PID:12312
- C:\Windows\System32\qQzNrur.exe
  C:\Windows\System32\qQzNrur.exe
  2⤵
  PID:12384
- C:\Windows\System32\Yqdkucg.exe
  C:\Windows\System32\Yqdkucg.exe
  2⤵
  PID:12444
- C:\Windows\System32\memZror.exe
  C:\Windows\System32\memZror.exe
  2⤵
  PID:12568
- C:\Windows\System32\NaKXWrR.exe
  C:\Windows\System32\NaKXWrR.exe
  2⤵
  PID:12624
- C:\Windows\System32\hLIKcyk.exe
  C:\Windows\System32\hLIKcyk.exe
  2⤵
  PID:12688
- C:\Windows\System32\tepeCdj.exe
  C:\Windows\System32\tepeCdj.exe
  2⤵
  PID:12704
- C:\Windows\System32\tNNEEIp.exe
  C:\Windows\System32\tNNEEIp.exe
  2⤵
  PID:12824
- C:\Windows\System32\MhVWoFQ.exe
  C:\Windows\System32\MhVWoFQ.exe
  2⤵
  PID:12900
- C:\Windows\System32\MUwuekP.exe
  C:\Windows\System32\MUwuekP.exe
  2⤵
  PID:12940

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\GGGFToj.exe

Filesize
1.0MB

MD5
b3a4b83719ef3e0bf621b4fb5c885632

SHA1
60fefa24ce1daf782e20429141a023872dbbf4d8

SHA256
803b47360a11e1347765bd10ebbba46b47bb4da51d68f1db5c68a51b8e2b78ac

SHA512
44fefe408e37fe38113622f4aa15b996aac91eadd109f7bd9a27e4aca0975332db5197aebfc5c5ca2e727f6a5d842907bb68dce4d113984b15a74ab521268ace

Download Submit
C:\Windows\System32\GZvRucq.exe

Filesize
1.0MB

MD5
11bb43917c75c774041d88bd14ce75c1

SHA1
f2107e3f46de59caa8dd86a6ed19174f7ed765da

SHA256
32bac7d45d01ca244a30a9fdb81f0a3c7edfd6fd1a5aeae94d91b93afa4fcfab

SHA512
3baa25b1c26cf7ae55a3f3ed5fb1a1ae5511e5fcbc1dd39dcec8c76872e605e7609eb0f720c82a77d82b971b03a5e49532197d7431dbf78b05e4a2b5eb3b9d17

Download Submit
C:\Windows\System32\HVriDjd.exe

Filesize
1.0MB

MD5
4ddde12fc4f762760608969ac27b8d07

SHA1
ccbcc9ddff8c2b3f5afd34160aca808a04adad11

SHA256
d6d4e1deb50782e76e5ec4dcc3733360aca00ac5ecb968c9c3c8f0fc6aa8a97b

SHA512
e84813a8f8abbb3a936d2ea3bad8f9bba34025eba35cf60300fe877bc677721938db95bad69fa01bbe37ceb7b6e5ff3eb8c4b5f8839dd28aa99392f0f8ee7d79

Download Submit
C:\Windows\System32\MjUvdKW.exe

Filesize
1.0MB

MD5
bb78908cc7f06fc4e23c046227d5242e

SHA1
00683efc2fb9e3ba58eb262957d9c5038af6a253

SHA256
9bd909c7e6b908891ce610db9d503abcf62fca0c4e307799ef3068ebf5ca3430

SHA512
3344ddf604dd61cfe77268409b727c1374d13283e7db97a5ea9eadbf7dd4341e18c56f9be53a58be51a519d32c4e934314548fe8d4439234746cd5b6fb23c764

Download Submit
C:\Windows\System32\PHcyYXc.exe

Filesize
1.0MB

MD5
90e089a1f87d23ba863f2603bb5f39a5

SHA1
caabb0480a0070b1987db89fb30868a009ba2e74

SHA256
86b5b0656e3be4f09e0a80e1a04cbebe73c9d1adacebce91d020b117ae4461dc

SHA512
8f9c5548127ff7d7e1855ea93ee3a40081f1dcbd189592d4addfffb8a6c816fbdf4b1f8246e1d129cd682d1c4bcc8635115f072c7f399c5709660ee529ab34d7

Download Submit
C:\Windows\System32\PMdlQqF.exe

Filesize
1.0MB

MD5
71f1835fda499894c7d796cce136fd9e

SHA1
a7dfd5ea8a7f3c54e42ebee0af1b85d179b80937

SHA256
cf9c01d6f40fad16dbc85c7fe19f4a381ca309cd818ad45735db01346e8845e8

SHA512
1fe7b4dfc3d3b07f27543ea824cc98d4f885fbf229a1a484f51b4eecd6e9c11a0838339178bce8d4a2b27a8c0d350c882baa2e3f4e99da2f2e637ab1700907b6

Download Submit
C:\Windows\System32\QUViGGy.exe

Filesize
1.0MB

MD5
5e6e6a75ace4ce547d9c6ea6c94fdf54

SHA1
bc648ff7c372bf298aadcd80dec251b8363c0167

SHA256
c35e83211d5cb63f24d911b4dd62447a60dd45439c7508858d8c065ee7fbc4e5

SHA512
1be34154ed99546dedc375d6e74f4385e5bd4ab2712cf2707cc1e4771d628e45d7bc88eedc4239a8ca4464bbc04b83101278e86c9b9774f6f4760be757f71038

Download Submit
C:\Windows\System32\QxSraIz.exe

Filesize
1.0MB

MD5
bcbfa22d23c317cfbd4428455eea41eb

SHA1
61d44bdf1dd389a3e5b6fbe82afe7604bff3ee93

SHA256
c92a08efe87e8cd1f58abed52b4756d3070ed89dd43b1ce178d15c93357d2d34

SHA512
a673dec0213fef8c359d24e957524151c679f882e778e767746cc159df9dff2f1bb4e8665f902dc7275bc67a9b03f34f81c39e2f3d7b1b1cdce0414e137bc696

Download Submit
C:\Windows\System32\TrDgjiu.exe

Filesize
1.0MB

MD5
800e49648f2005d345e48e333903a314

SHA1
a0b4441af7587d95a39e87d1573124e46db4f53b

SHA256
9444e7150abba98fa2b0204a2defc855d31fb73ca951cc00f4147bd77eb63499

SHA512
699bccc12dbd62f2a03d794f31a6d88bfb157aa1dc94b65deec0e29bc248cf4b09eb21e69722357d10b62c919261d2ec9be3891dd48def0f3d39b07b98230998

Download Submit
C:\Windows\System32\VdwUAqV.exe

Filesize
1.0MB

MD5
571732081411227b76e51c56e0da4d51

SHA1
6f1bebeca94e90c8368bfd1d188d27ba134c4185

SHA256
bb05844fbe6590c2acd9e6349192b43b001d85a3a68e5f9cf3d1bbd090fff927

SHA512
839278ea57271235c5159a1a2ea9778342ed96d1d640870af5975ca4377a3543a61207fe04430541d578902e92cd4150baf963ec24539dcc3e3901761e9fa49a

Download Submit
C:\Windows\System32\WiIgSIf.exe

Filesize
1.0MB

MD5
815a210965defa677c638fb05b499623

SHA1
16209f9c9cd5bd044ad07b5785d99674e6943e1f

SHA256
ff72959724e0da608f17838c854016cf26013b64288b7c50f8eff453c1cf874f

SHA512
c47f23b9f7dab7bb9f9f528bc0e2054b0b80e96f6aa808e4aad2ab156c3ed7c41bff1ceeeeddb836c7f21076aa65dee13913d0318188e97ffe79cbba459306d1

Download Submit
C:\Windows\System32\XvgweBM.exe

Filesize
1.0MB

MD5
57bc4a1f5de23e60219577b85af80f94

SHA1
6b952d87463ffbfbf6df4f9fe6d12e63259382c6

SHA256
79e0d5e70e3ef275829af2af74961bdfccc790303a3d77a4420cc738f5af1c6a

SHA512
ddebaa04b23dc614cce324ea1b7b890bec2be4b45621da8999523659380f770dc440fa1613a98897b6695d6b4dc252af5d69cc75b64836fc6b961319ceae2305

Download Submit
C:\Windows\System32\YfylMQU.exe

Filesize
1.0MB

MD5
b6ccc7d2615ec4c2d804cda60aa6917b

SHA1
bdc07520c2456f584842e200b7b19b3bdb7c8aff

SHA256
aa21a301104deae41459692436f8316e2554e24cc5ab446e6e35e458520bed88

SHA512
1001d7d26ea24d28d1549e1b3139df6f0a06c73003cab0131d2fe7a9b5c0b12ef8eea5d30326b0c0dc1f30f42837983b2612f1d97214450986c3aeb4c0651c74

Download Submit
C:\Windows\System32\ZpFVArq.exe

Filesize
1.0MB

MD5
aafed23d6da545a763c09be10bf8d84f

SHA1
7629442ede1ab5fed54a373afc94e5778281c60b

SHA256
b7d14b99241d08295e442f8a14b7f627e5b51929a633fe3a5958be63ba060f42

SHA512
5d74ac96ae5b90cfb3a2d35f6e1a214ca9db90d85658e1d7008c5175cbc2c5791d28e61dd02c9c2bf629694d0a57195baf748b76f8942a20a343cb2e44722343

Download Submit
C:\Windows\System32\bmvJNfk.exe

Filesize
1.0MB

MD5
ae94dabd5aec9d6a369d5aceba55b982

SHA1
ac97ee657aed45d52384e818f88d54a689727884

SHA256
412b4ee053d4cce0de583f2b91a68e8853d8a510af3c537b53a122015fa49201

SHA512
8a4d04d6588c15075ebcbb4dd898961b9bafc19b5e0131d0228343791688cf652e6a2dc1b5473d0b6d82e2412e29709d71e328dc938767122c28d5807f69628e

Download Submit
C:\Windows\System32\cVNCSsd.exe

Filesize
1.0MB

MD5
061aaa5fb0374570c60589ecd52c9508

SHA1
9d805018dd428333417e92f138025c8a6721e1ff

SHA256
a10e6fb236a62d280933d95a8f76c581b2c356bf8a070fa864a1531dd5d7abd4

SHA512
ef289060340acd7c7f070dd310703f561a2167e11c3897372c2fe321a8a7c9671be1ccb905138390b0be680c7e809bf7c8e2340bb54549bb797e92c155a2acc6

Download Submit
C:\Windows\System32\dZSzkyb.exe

Filesize
1.0MB

MD5
4fb922da2ffe333951e636772c823329

SHA1
8d6de0b0e8fdfd9f1f2d711b57bb31f30f98005a

SHA256
f8fed42e9f9ac06531ec525f0410c6a0ebb693cb238dc641cc87cc8965071844

SHA512
c16761303b02378b258799d6be425bf01d5fc8be92d85666618a9ba5d2aa4e3d064dbcf3f925ba46ad9b2f35f1e861c60ee4e9b0ab63b8de4996c0945172b5a1

Download Submit
C:\Windows\System32\erpbCOF.exe

Filesize
1.0MB

MD5
23cd6af473d0c22f13c45f6dd39249a1

SHA1
ef8fe3f13c22e09178d215070a02c297636e36b2

SHA256
8aa0bd0d7dc55f7087fd17ec0878924cf3b668991443e5669907bd97ed2f43d4

SHA512
abce89734a5d26c1667feb6efb4bbddf392b3edca79837805bcc37f6ea01c5fab790d047d9f2ee77a81706c7e9bd6b7c274d3ab4fb7568af5d6dc89d4ab58cfe

Download Submit
C:\Windows\System32\gIeTUBI.exe

Filesize
1.0MB

MD5
9b67ac96576937e18a755f8df8ed5428

SHA1
5360977d5214244fc1e4e7647a325a1f7f64991f

SHA256
f029ab1cd8757bd1abf1e68a94e62a5072ae412e752c30a8767ad5b425b2404b

SHA512
3f6271cccf875bfd81fc00dcfced833baf036771135bcd54fa770ffa7b49a7ecac2fe01ce9e119da96ff2905a47d546bde52c1f61b245e9ed6851a474f102fa7

Download Submit
C:\Windows\System32\gYJjUVq.exe

Filesize
1.0MB

MD5
51987ec44041cd7d7e107cde5c792ce7

SHA1
9e6671085c39b25e5a0f7585b82160a31eaff46a

SHA256
80263e16d4cf88835444050e5760189429ccc269d9c15a187f747f9b99475e88

SHA512
3f91e8841bab413a127ec71ed3e13d4a0b2e3b8a23aff9ff326510f1922ae07d6e0dba1758d70d37673b649bd9049fd384169a763feab195e5f5f514728eccf7

Download Submit
C:\Windows\System32\hVtMKwm.exe

Filesize
1.0MB

MD5
e092df216f3f938dcd8d2a2d44a51711

SHA1
fcbd86c10584bc437be7c36a91d01bbee9fbc820

SHA256
d0b85bd5c6fee501a32ae6cf6ef22f9f50f3a0d2f3eb48419dbb99e8f43d5bff

SHA512
fb31f888d97b57084acd465f7cf44fc81a794bc175f83e5af9cf845717e580f5c03cc7326668ff49915b9d3d5bfe31417fb224acb65896d3f1e5ca493e788535

Download Submit
C:\Windows\System32\jCqzNwy.exe

Filesize
1.0MB

MD5
1a45544c3fa413e66c7d3aa32ae6dfe8

SHA1
4249a9af2dece341d9cd4d445d2cb456e6079d96

SHA256
7e7538b6fe9fce0f7eccbd3d33183a15eb86105d14fbe9e6243eac4915386efe

SHA512
cafedcc8cec71c437fd226a1bfb7c5e0f40d4b75e05e9725197f8690fab3eb3d6ccb6c7497f6bfad7b5cacf2ee6bf9153e80f212ccd795c93fba43f516d05e52

Download Submit
C:\Windows\System32\mQnmgOh.exe

Filesize
1.0MB

MD5
6db76fe9b2cac259fcb9677098d5ef4f

SHA1
99789c6e6f5590c10764f1297b3331930af5d52f

SHA256
ad6e2e9ef0e0dc2bb3ab08045cd8c6f18c63fd3bd4d64eac080b0d97bab9eab8

SHA512
6883122a1f624bc1e3a737b6719c106ee3a27323b9533b1b3997405131fb40aca5b0ea1ef786257eb1ba36ed61fe65d4b920149892cc4dd82d5c070e886041d5

Download Submit
C:\Windows\System32\mpXELFR.exe

Filesize
1.0MB

MD5
dd96b8f808874599dd8027e7dca9f186

SHA1
3d9593ea071d7ac8469d2754cb72f42fb1050e93

SHA256
d4eed358b82895225225c8397711b2b267646fe57badcea05b49344292329b73

SHA512
c223bbfaae14fe4662b2c1cda7c868cb9eae6bd1dab173fd193005ca46f04dd0ea56ea4d9179c06ee83e8aa15b4fae5a2e9b690e317688313a350324a2902309

Download Submit
C:\Windows\System32\nlUtQEt.exe

Filesize
1.0MB

MD5
9706d0d112b90795bf9dfeeff774dc8a

SHA1
bd0f2ab6348fc966600629deadd510e2fbc4f11e

SHA256
7b83a06f577d60bdc657958a257bf0a872368b6f8fe75e38e66ae9ce092671d7

SHA512
4b081e0f96255e9a49b8e72b9cb2a3ed69ed3f09715111a14d07d68dbb4eb9b5ad48f2bcfa9876e332994f768f43912ed7442057f2bd25a1e990022e388226d3

Download Submit
C:\Windows\System32\ocZuLXk.exe

Filesize
1.0MB

MD5
619d72893eb8123bd547e7de0e8bc956

SHA1
ecfaf4c7e502575d756a6d6a6dd1ebbdd8fde390

SHA256
50c5ad9a1fe9ffc12a81857a7e4d1e4cc88018a9e149bf7c388f44ae13d46b09

SHA512
4ef17fbeddd868d64f3a193db3228426f5e0f6552b2423661af86ee9161705552ba4eb316a7294947c5b4a1a22c48fd66116bbe89ab17c1d28a5aeff63761bd1

Download Submit
C:\Windows\System32\olUziko.exe

Filesize
1.0MB

MD5
fb802cd114325927bf654694f3982967

SHA1
2870967b5b22370b3a8565a541aef1e1f873f585

SHA256
db10b1f1de274ae6cf12c001b4e80288c508f8076b947f90a6f22ea3ec126228

SHA512
2cebc5ee33e8622f2b59717400be85c0740e9a0ef0d623fb650e68caa5acc6903943f613dc834ed9be1259209ac11deb2e3c02b21d58ee6bfbc9a283c312528d

Download Submit
C:\Windows\System32\pDJBWOt.exe

Filesize
1.0MB

MD5
a95b52162daa204f8c60124bfbe67138

SHA1
b3a1b2b963fff4abb5e88e78f7f4961aa51940db

SHA256
126765f2d2736e122959db94a00878a5e187e2f548f4f6a9a916870c96249cd8

SHA512
b87b5b513f330a6fb4290a6c9b29070db2888a50ca6fc0ec5a3677a8af56a05a111fcb4bd83bfe3bbf8092af6fa4c7cc251b6a2fa95da21b794cd17b58d9608d

Download Submit
C:\Windows\System32\sUldozY.exe

Filesize
1.0MB

MD5
a19f159eba217c1edcad8ab2ffa268b0

SHA1
a7b7adaffbb7b959251f0af6502a334bd807ab03

SHA256
8068c7c06b19980d8ae46578ec2dc3a1a77fdf82853ba8b02436ab09c0352b03

SHA512
59a71a47e2afadf7b96f575583879853e2aa43e5d04a06bba6bc9e0c1d543d38b5bfacc9b547c0d194aa210286da17ce7ea65c7486074eb46ea831af40d2d7d1

Download Submit
C:\Windows\System32\tDaIbrd.exe

Filesize
1.0MB

MD5
0778c21c7b23ab1f65d2d2d4ba9f4e05

SHA1
fb9387d49b9402037d61efdce19e780dc8ba9ee9

SHA256
e05e1dfc913bcfd76b75484362644e92a588f24137212ce5b405f4073a119fb6

SHA512
c96e04c7b12a4d444526bad35b78c007f53fbccba3cb09264cc810d2af6379b6e56535ac0f0e05a5fa88aa2830c3e777d9055c6eee25cda24a645f81a38d13a0

Download Submit
C:\Windows\System32\wXHHuXW.exe

Filesize
1.0MB

MD5
9a12897007d46c7d49aae9ebeee6c0b9

SHA1
e8113db3b25c22e353ede8040c297786bf5a8e09

SHA256
3ba00efb3a77369b24fcf7813838d9d9335e659f0b8ec57344b99c13789cf0d2

SHA512
7db4f4367d2069141ecc420e3ecce15a59a4676259b13609b717cbd04784df3afb99d8f524134f523716fa2c68c9f00bff8579ccb8025f714967d6cd450ec958

Download Submit
C:\Windows\System32\zUldKuL.exe

Filesize
1.0MB

MD5
2110e79262acb2bae75030fc04ed36eb

SHA1
6746955bec467da617cd367a84cd81ad8d20159d

SHA256
24683dc326a296cb6bd1e7410a42f69ab7ddc02b8c30ed381acb730dd7771ff7

SHA512
5541fba31c6539f0e6934dde92c693d86ffda969a3433c1ab0a8bd0900798f64691b7841a3c71331543fec7cf05ab210fa8a001831a7c292ff2b14868248221f

Download Submit
memory/244-2066-0x00007FF6E9BA0000-0x00007FF6E9F91000-memory.dmp

Filesize
3.9MB

Download
memory/244-427-0x00007FF6E9BA0000-0x00007FF6E9F91000-memory.dmp

Filesize
3.9MB

Download
memory/468-2072-0x00007FF70F480000-0x00007FF70F871000-memory.dmp

Filesize
3.9MB

Download
memory/468-421-0x00007FF70F480000-0x00007FF70F871000-memory.dmp

Filesize
3.9MB

Download
memory/756-403-0x00007FF739640000-0x00007FF739A31000-memory.dmp

Filesize
3.9MB

Download
memory/756-2048-0x00007FF739640000-0x00007FF739A31000-memory.dmp

Filesize
3.9MB

Download
memory/960-2057-0x00007FF6753E0000-0x00007FF6757D1000-memory.dmp

Filesize
3.9MB

Download
memory/960-418-0x00007FF6753E0000-0x00007FF6757D1000-memory.dmp

Filesize
3.9MB

Download
memory/2108-377-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp

Filesize
3.9MB

Download
memory/2108-2037-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp

Filesize
3.9MB

Download
memory/2172-370-0x00007FF7F88A0000-0x00007FF7F8C91000-memory.dmp

Filesize
3.9MB

Download
memory/2172-2033-0x00007FF7F88A0000-0x00007FF7F8C91000-memory.dmp

Filesize
3.9MB

Download
memory/2232-2035-0x00007FF75EB10000-0x00007FF75EF01000-memory.dmp

Filesize
3.9MB

Download
memory/2232-373-0x00007FF75EB10000-0x00007FF75EF01000-memory.dmp

Filesize
3.9MB

Download
memory/2508-395-0x00007FF6505C0000-0x00007FF6509B1000-memory.dmp

Filesize
3.9MB

Download
memory/2508-2046-0x00007FF6505C0000-0x00007FF6509B1000-memory.dmp

Filesize
3.9MB

Download
memory/2632-2044-0x00007FF64C850000-0x00007FF64CC41000-memory.dmp

Filesize
3.9MB

Download
memory/2632-402-0x00007FF64C850000-0x00007FF64CC41000-memory.dmp

Filesize
3.9MB

Download
memory/2896-2027-0x00007FF7AB3C0000-0x00007FF7AB7B1000-memory.dmp

Filesize
3.9MB

Download
memory/2896-439-0x00007FF7AB3C0000-0x00007FF7AB7B1000-memory.dmp

Filesize
3.9MB

Download
memory/2912-2070-0x00007FF6D06D0000-0x00007FF6D0AC1000-memory.dmp

Filesize
3.9MB

Download
memory/2912-431-0x00007FF6D06D0000-0x00007FF6D0AC1000-memory.dmp

Filesize
3.9MB

Download
memory/3056-411-0x00007FF702A00000-0x00007FF702DF1000-memory.dmp

Filesize
3.9MB

Download
memory/3056-2059-0x00007FF702A00000-0x00007FF702DF1000-memory.dmp

Filesize
3.9MB

Download
memory/3144-424-0x00007FF6FC150000-0x00007FF6FC541000-memory.dmp

Filesize
3.9MB

Download
memory/3144-2068-0x00007FF6FC150000-0x00007FF6FC541000-memory.dmp

Filesize
3.9MB

Download
memory/3456-35-0x00007FF601950000-0x00007FF601D41000-memory.dmp

Filesize
3.9MB

Download
memory/3456-2008-0x00007FF601950000-0x00007FF601D41000-memory.dmp

Filesize
3.9MB

Download
memory/3456-2025-0x00007FF601950000-0x00007FF601D41000-memory.dmp

Filesize
3.9MB

Download
memory/3504-2031-0x00007FF716B50000-0x00007FF716F41000-memory.dmp

Filesize
3.9MB

Download
memory/3504-448-0x00007FF716B50000-0x00007FF716F41000-memory.dmp

Filesize
3.9MB

Download
memory/3592-384-0x00007FF609310000-0x00007FF609701000-memory.dmp

Filesize
3.9MB

Download
memory/3592-2039-0x00007FF609310000-0x00007FF609701000-memory.dmp

Filesize
3.9MB

Download
memory/3880-2080-0x00007FF7AB610000-0x00007FF7ABA01000-memory.dmp

Filesize
3.9MB

Download
memory/3880-419-0x00007FF7AB610000-0x00007FF7ABA01000-memory.dmp

Filesize
3.9MB

Download
memory/4100-407-0x00007FF7A9E90000-0x00007FF7AA281000-memory.dmp

Filesize
3.9MB

Download
memory/4100-2050-0x00007FF7A9E90000-0x00007FF7AA281000-memory.dmp

Filesize
3.9MB

Download
memory/4304-14-0x00007FF7CB590000-0x00007FF7CB981000-memory.dmp

Filesize
3.9MB

Download
memory/4304-2017-0x00007FF7CB590000-0x00007FF7CB981000-memory.dmp

Filesize
3.9MB

Download
memory/4432-434-0x00007FF6B7550000-0x00007FF6B7941000-memory.dmp

Filesize
3.9MB

Download
memory/4432-2019-0x00007FF6B7550000-0x00007FF6B7941000-memory.dmp

Filesize
3.9MB

Download
memory/4524-2023-0x00007FF709200000-0x00007FF7095F1000-memory.dmp

Filesize
3.9MB

Download
memory/4524-438-0x00007FF709200000-0x00007FF7095F1000-memory.dmp

Filesize
3.9MB

Download
memory/4644-1-0x000001899F2C0000-0x000001899F2D0000-memory.dmp

Filesize
64KB

Download
memory/4644-0-0x00007FF6E3280000-0x00007FF6E3671000-memory.dmp

Filesize
3.9MB

Download
memory/4852-2029-0x00007FF6AADA0000-0x00007FF6AB191000-memory.dmp

Filesize
3.9MB

Download
memory/4852-2007-0x00007FF6AADA0000-0x00007FF6AB191000-memory.dmp

Filesize
3.9MB

Download
memory/4852-27-0x00007FF6AADA0000-0x00007FF6AB191000-memory.dmp

Filesize
3.9MB

Download
memory/5040-2010-0x00007FF6A2D40000-0x00007FF6A3131000-memory.dmp

Filesize
3.9MB

Download
memory/5040-44-0x00007FF6A2D40000-0x00007FF6A3131000-memory.dmp

Filesize
3.9MB

Download
memory/5040-2021-0x00007FF6A2D40000-0x00007FF6A3131000-memory.dmp

Filesize
3.9MB

Download
memory/5100-392-0x00007FF75F420000-0x00007FF75F811000-memory.dmp

Filesize
3.9MB

Download
memory/5100-2041-0x00007FF75F420000-0x00007FF75F811000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads