xmrig | bb25cacacb1c9a5d59462ff6d54d89d75abbc1ea019be231963d9874c1a89317

Analysis

max time kernel
116s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04653930dd309ca950832350e4d18680_JaffaCakes118.exe
Size

1.2MB
MD5

04653930dd309ca950832350e4d18680
SHA1

7d882a85c6f8d88ac826892700e99b48f0b33cd4
SHA256

bb25cacacb1c9a5d59462ff6d54d89d75abbc1ea019be231963d9874c1a89317
SHA512

34edbd1d452a1666d27f292c8db19b8da533dc4d8e66366572547f3c9420c527dd188dff98f8ccd7ed8f160dad05afbe7819d7dce3cf7837a25c7e9be3180458
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1GIRW:knw9oUUEEDl37jcq4nPg8

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4908-29-0x00007FF79B000000-0x00007FF79B3F1000-memory.dmp	xmrig
behavioral2/memory/1476-398-0x00007FF675520000-0x00007FF675911000-memory.dmp	xmrig
behavioral2/memory/4144-399-0x00007FF68A880000-0x00007FF68AC71000-memory.dmp	xmrig
behavioral2/memory/2196-55-0x00007FF749820000-0x00007FF749C11000-memory.dmp	xmrig
behavioral2/memory/4600-52-0x00007FF6AB160000-0x00007FF6AB551000-memory.dmp	xmrig
behavioral2/memory/4072-400-0x00007FF6E9770000-0x00007FF6E9B61000-memory.dmp	xmrig
behavioral2/memory/4120-402-0x00007FF7E6E30000-0x00007FF7E7221000-memory.dmp	xmrig
behavioral2/memory/1164-411-0x00007FF68BD70000-0x00007FF68C161000-memory.dmp	xmrig
behavioral2/memory/2808-403-0x00007FF6D4C90000-0x00007FF6D5081000-memory.dmp	xmrig
behavioral2/memory/5068-401-0x00007FF7B53E0000-0x00007FF7B57D1000-memory.dmp	xmrig
behavioral2/memory/1092-420-0x00007FF79B1D0000-0x00007FF79B5C1000-memory.dmp	xmrig
behavioral2/memory/2964-432-0x00007FF654B40000-0x00007FF654F31000-memory.dmp	xmrig
behavioral2/memory/5056-438-0x00007FF6AC560000-0x00007FF6AC951000-memory.dmp	xmrig
behavioral2/memory/4992-453-0x00007FF67DC20000-0x00007FF67E011000-memory.dmp	xmrig
behavioral2/memory/2112-463-0x00007FF79CB50000-0x00007FF79CF41000-memory.dmp	xmrig
behavioral2/memory/3780-470-0x00007FF762760000-0x00007FF762B51000-memory.dmp	xmrig
behavioral2/memory/2688-476-0x00007FF6103F0000-0x00007FF6107E1000-memory.dmp	xmrig
behavioral2/memory/2332-474-0x00007FF7AF070000-0x00007FF7AF461000-memory.dmp	xmrig
behavioral2/memory/2040-459-0x00007FF763910000-0x00007FF763D01000-memory.dmp	xmrig
behavioral2/memory/3060-433-0x00007FF683900000-0x00007FF683CF1000-memory.dmp	xmrig
behavioral2/memory/1684-424-0x00007FF79AC10000-0x00007FF79B001000-memory.dmp	xmrig
behavioral2/memory/1168-1959-0x00007FF74D0D0000-0x00007FF74D4C1000-memory.dmp	xmrig
behavioral2/memory/4980-1992-0x00007FF792320000-0x00007FF792711000-memory.dmp	xmrig
behavioral2/memory/2196-1993-0x00007FF749820000-0x00007FF749C11000-memory.dmp	xmrig
behavioral2/memory/4980-2025-0x00007FF792320000-0x00007FF792711000-memory.dmp	xmrig
behavioral2/memory/4600-2029-0x00007FF6AB160000-0x00007FF6AB551000-memory.dmp	xmrig
behavioral2/memory/2112-2027-0x00007FF79CB50000-0x00007FF79CF41000-memory.dmp	xmrig
behavioral2/memory/4908-2023-0x00007FF79B000000-0x00007FF79B3F1000-memory.dmp	xmrig
behavioral2/memory/1168-2021-0x00007FF74D0D0000-0x00007FF74D4C1000-memory.dmp	xmrig
behavioral2/memory/3568-2019-0x00007FF71DF00000-0x00007FF71E2F1000-memory.dmp	xmrig
behavioral2/memory/1476-2033-0x00007FF675520000-0x00007FF675911000-memory.dmp	xmrig
behavioral2/memory/2196-2035-0x00007FF749820000-0x00007FF749C11000-memory.dmp	xmrig
behavioral2/memory/3780-2031-0x00007FF762760000-0x00007FF762B51000-memory.dmp	xmrig
behavioral2/memory/4072-2066-0x00007FF6E9770000-0x00007FF6E9B61000-memory.dmp	xmrig
behavioral2/memory/4120-2070-0x00007FF7E6E30000-0x00007FF7E7221000-memory.dmp	xmrig
behavioral2/memory/2964-2077-0x00007FF654B40000-0x00007FF654F31000-memory.dmp	xmrig
behavioral2/memory/2040-2075-0x00007FF763910000-0x00007FF763D01000-memory.dmp	xmrig
behavioral2/memory/2808-2068-0x00007FF6D4C90000-0x00007FF6D5081000-memory.dmp	xmrig
behavioral2/memory/3060-2056-0x00007FF683900000-0x00007FF683CF1000-memory.dmp	xmrig
behavioral2/memory/1684-2054-0x00007FF79AC10000-0x00007FF79B001000-memory.dmp	xmrig
behavioral2/memory/5068-2048-0x00007FF7B53E0000-0x00007FF7B57D1000-memory.dmp	xmrig
behavioral2/memory/1164-2046-0x00007FF68BD70000-0x00007FF68C161000-memory.dmp	xmrig
behavioral2/memory/1092-2052-0x00007FF79B1D0000-0x00007FF79B5C1000-memory.dmp	xmrig
behavioral2/memory/5056-2050-0x00007FF6AC560000-0x00007FF6AC951000-memory.dmp	xmrig
behavioral2/memory/4992-2043-0x00007FF67DC20000-0x00007FF67E011000-memory.dmp	xmrig
behavioral2/memory/2688-2039-0x00007FF6103F0000-0x00007FF6107E1000-memory.dmp	xmrig
behavioral2/memory/2332-2041-0x00007FF7AF070000-0x00007FF7AF461000-memory.dmp	xmrig
behavioral2/memory/4144-2037-0x00007FF68A880000-0x00007FF68AC71000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3568	AoLpBvl.exe
1168	IRhdREf.exe
4908	ecjUHzN.exe
4980	MWXlpKp.exe
2112	dYqchaJ.exe
4600	dabutls.exe
3780	xZXVBro.exe
2196	YmWJuzc.exe
1476	mzrhZfK.exe
2332	LXCpYQv.exe
2688	TOWgqQi.exe
4144	bntrQeM.exe
4072	iHwJgSm.exe
5068	WhfOyOw.exe
4120	qOmnIZs.exe
2808	yFANnbw.exe
1164	PpzcvZF.exe
1092	LJwTDSq.exe
1684	dAeNbAN.exe
2964	PxoEguU.exe
3060	uJkSsTL.exe
5056	nsHYLji.exe
4992	dUZzexU.exe
2040	otUEYlw.exe
388	RbTiXha.exe
516	RKqgmre.exe
2388	HgRCdFY.exe
3672	umXbMuH.exe
1540	BBXPsEl.exe
2972	LLpMKwO.exe
3524	TrqzuZT.exe
2796	IoWyOXg.exe
4432	LwHXTQM.exe
3588	vRvOpcV.exe
3168	miMJEBc.exe
1200	hcMpaJd.exe
4084	ALEzAhx.exe
2096	PzNvZvO.exe
2824	inIvMIV.exe
400	rqfHrtf.exe
3548	qtcJexI.exe
2428	xovISbQ.exe
3048	BlNyhwo.exe
2864	JHxjjkx.exe
5076	LxmvBaf.exe
4360	leEryDU.exe
680	aRYmgiq.exe
1412	quQSNSa.exe
3052	xxWJYFA.exe
2828	MLmTVgy.exe
4636	LIYRKVz.exe
4632	fxRarcE.exe
3932	fsuJlow.exe
4436	NZrTLDw.exe
5080	eiZbYHq.exe
2788	ynRqYDn.exe
3988	cmBySrQ.exe
1996	VytMhgH.exe
3900	KjbAlSh.exe
1844	mWYbYyq.exe
4808	ynVpsdw.exe
1416	nWOmduD.exe
5008	kbbhNsB.exe
1984	nIyVeED.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4396-0-0x00007FF6CDE10000-0x00007FF6CE201000-memory.dmp	upx
behavioral2/files/0x000c000000023ba9-4.dat	upx
behavioral2/files/0x000a000000023bad-10.dat	upx
behavioral2/files/0x000a000000023baf-19.dat	upx
behavioral2/memory/4908-29-0x00007FF79B000000-0x00007FF79B3F1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb3-36.dat	upx
behavioral2/files/0x000a000000023bb0-41.dat	upx
behavioral2/memory/4980-44-0x00007FF792320000-0x00007FF792711000-memory.dmp	upx
behavioral2/files/0x0031000000023bb5-54.dat	upx
behavioral2/files/0x000a000000023bba-82.dat	upx
behavioral2/files/0x000a000000023bbc-92.dat	upx
behavioral2/files/0x000a000000023bbf-105.dat	upx
behavioral2/files/0x000a000000023bc1-117.dat	upx
behavioral2/files/0x000a000000023bc3-127.dat	upx
behavioral2/files/0x000a000000023bc6-140.dat	upx
behavioral2/files/0x000a000000023bc9-155.dat	upx
behavioral2/memory/1476-398-0x00007FF675520000-0x00007FF675911000-memory.dmp	upx
behavioral2/files/0x000a000000023bcb-167.dat	upx
behavioral2/files/0x000a000000023bca-162.dat	upx
behavioral2/files/0x000a000000023bc8-152.dat	upx
behavioral2/files/0x000a000000023bc7-147.dat	upx
behavioral2/files/0x000a000000023bc5-137.dat	upx
behavioral2/files/0x000a000000023bc4-132.dat	upx
behavioral2/files/0x000a000000023bc2-122.dat	upx
behavioral2/files/0x000a000000023bc0-112.dat	upx
behavioral2/files/0x000a000000023bbe-102.dat	upx
behavioral2/files/0x000a000000023bbd-97.dat	upx
behavioral2/files/0x000a000000023bbb-87.dat	upx
behavioral2/memory/4144-399-0x00007FF68A880000-0x00007FF68AC71000-memory.dmp	upx
behavioral2/files/0x000a000000023bb9-77.dat	upx
behavioral2/files/0x000a000000023bb8-72.dat	upx
behavioral2/files/0x000a000000023bb7-67.dat	upx
behavioral2/files/0x0031000000023bb6-62.dat	upx
behavioral2/memory/2196-55-0x00007FF749820000-0x00007FF749C11000-memory.dmp	upx
behavioral2/memory/4600-52-0x00007FF6AB160000-0x00007FF6AB551000-memory.dmp	upx
behavioral2/files/0x0031000000023bb4-49.dat	upx
behavioral2/files/0x000a000000023bb2-47.dat	upx
behavioral2/files/0x000a000000023bb1-43.dat	upx
behavioral2/files/0x000a000000023bae-33.dat	upx
behavioral2/memory/1168-20-0x00007FF74D0D0000-0x00007FF74D4C1000-memory.dmp	upx
behavioral2/memory/3568-14-0x00007FF71DF00000-0x00007FF71E2F1000-memory.dmp	upx
behavioral2/memory/4072-400-0x00007FF6E9770000-0x00007FF6E9B61000-memory.dmp	upx
behavioral2/memory/4120-402-0x00007FF7E6E30000-0x00007FF7E7221000-memory.dmp	upx
behavioral2/memory/1164-411-0x00007FF68BD70000-0x00007FF68C161000-memory.dmp	upx
behavioral2/memory/2808-403-0x00007FF6D4C90000-0x00007FF6D5081000-memory.dmp	upx
behavioral2/memory/5068-401-0x00007FF7B53E0000-0x00007FF7B57D1000-memory.dmp	upx
behavioral2/memory/1092-420-0x00007FF79B1D0000-0x00007FF79B5C1000-memory.dmp	upx
behavioral2/memory/2964-432-0x00007FF654B40000-0x00007FF654F31000-memory.dmp	upx
behavioral2/memory/5056-438-0x00007FF6AC560000-0x00007FF6AC951000-memory.dmp	upx
behavioral2/memory/4992-453-0x00007FF67DC20000-0x00007FF67E011000-memory.dmp	upx
behavioral2/memory/2112-463-0x00007FF79CB50000-0x00007FF79CF41000-memory.dmp	upx
behavioral2/memory/3780-470-0x00007FF762760000-0x00007FF762B51000-memory.dmp	upx
behavioral2/memory/2688-476-0x00007FF6103F0000-0x00007FF6107E1000-memory.dmp	upx
behavioral2/memory/2332-474-0x00007FF7AF070000-0x00007FF7AF461000-memory.dmp	upx
behavioral2/memory/2040-459-0x00007FF763910000-0x00007FF763D01000-memory.dmp	upx
behavioral2/memory/3060-433-0x00007FF683900000-0x00007FF683CF1000-memory.dmp	upx
behavioral2/memory/1684-424-0x00007FF79AC10000-0x00007FF79B001000-memory.dmp	upx
behavioral2/memory/1168-1959-0x00007FF74D0D0000-0x00007FF74D4C1000-memory.dmp	upx
behavioral2/memory/4980-1992-0x00007FF792320000-0x00007FF792711000-memory.dmp	upx
behavioral2/memory/2196-1993-0x00007FF749820000-0x00007FF749C11000-memory.dmp	upx
behavioral2/memory/4980-2025-0x00007FF792320000-0x00007FF792711000-memory.dmp	upx
behavioral2/memory/4600-2029-0x00007FF6AB160000-0x00007FF6AB551000-memory.dmp	upx
behavioral2/memory/2112-2027-0x00007FF79CB50000-0x00007FF79CF41000-memory.dmp	upx
behavioral2/memory/4908-2023-0x00007FF79B000000-0x00007FF79B3F1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\dwJojGv.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\rvLyEZh.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\LXCpYQv.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\uJkSsTL.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\qzNJfTy.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\SqyzIge.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\iiYzeNa.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\yZbcMfw.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\paryeQS.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\fSuWFLA.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\mqLRCcs.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\fSPrMGk.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\nVWWILL.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\mHuIuao.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\AQiEFhF.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\BQOsiPh.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\ipmMAfd.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\xgPboZJ.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\XGxbACI.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\KjEVgyr.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\ZsaBbFz.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\GXfvfdn.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\tvPZQBw.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\WgznsrE.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\TRJoIOm.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\kGlcklO.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\GdiTaXD.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\ADPpRGh.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\BrDbzgX.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\XTtfYwi.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\IowoSKM.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\bCsAIxB.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\PpzcvZF.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\FjTKaDJ.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\VUszGpN.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\DhMiNaO.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\iyUWcYt.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\VytMhgH.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\xZrUTfb.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\JZAvxBD.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\keGdQOC.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\EYAkpym.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\GUMGibA.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\duYzukE.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\VugqqVo.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\yuExXQw.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\rQhjoBB.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\TzZNeWe.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\CsWdgFz.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\paqPpRG.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\ybokIMy.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\EpwJpCj.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\cglukYT.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\CgQOFVt.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\BlNyhwo.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\nsUiBIz.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\KjbAlSh.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\vosJqbo.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\MJnRIRF.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\qOmnIZs.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\yFANnbw.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\dBwgQaA.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\NYxiXJa.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe
File created	C:\Windows\System32\UjAcyIn.exe	04653930dd309ca950832350e4d18680_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1924	dwm.exe
Token: SeChangeNotifyPrivilege	1924	dwm.exe
Token: 33	1924	dwm.exe
Token: SeIncBasePriorityPrivilege	1924	dwm.exe
Token: SeShutdownPrivilege	1924	dwm.exe
Token: SeCreatePagefilePrivilege	1924	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 3568	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	85
PID 4396 wrote to memory of 3568	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	85
PID 4396 wrote to memory of 1168	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	86
PID 4396 wrote to memory of 1168	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	86
PID 4396 wrote to memory of 4980	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	87
PID 4396 wrote to memory of 4980	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	87
PID 4396 wrote to memory of 4908	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	88
PID 4396 wrote to memory of 4908	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	88
PID 4396 wrote to memory of 2112	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	89
PID 4396 wrote to memory of 2112	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	89
PID 4396 wrote to memory of 4600	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	90
PID 4396 wrote to memory of 4600	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	90
PID 4396 wrote to memory of 3780	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	91
PID 4396 wrote to memory of 3780	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	91
PID 4396 wrote to memory of 2196	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	92
PID 4396 wrote to memory of 2196	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	92
PID 4396 wrote to memory of 1476	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	93
PID 4396 wrote to memory of 1476	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	93
PID 4396 wrote to memory of 2332	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	94
PID 4396 wrote to memory of 2332	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	94
PID 4396 wrote to memory of 2688	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	95
PID 4396 wrote to memory of 2688	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	95
PID 4396 wrote to memory of 4144	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	96
PID 4396 wrote to memory of 4144	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	96
PID 4396 wrote to memory of 4072	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	97
PID 4396 wrote to memory of 4072	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	97
PID 4396 wrote to memory of 5068	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	98
PID 4396 wrote to memory of 5068	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	98
PID 4396 wrote to memory of 4120	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	99
PID 4396 wrote to memory of 4120	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	99
PID 4396 wrote to memory of 2808	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	100
PID 4396 wrote to memory of 2808	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	100
PID 4396 wrote to memory of 1164	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	101
PID 4396 wrote to memory of 1164	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	101
PID 4396 wrote to memory of 1092	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	102
PID 4396 wrote to memory of 1092	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	102
PID 4396 wrote to memory of 1684	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	103
PID 4396 wrote to memory of 1684	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	103
PID 4396 wrote to memory of 2964	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	104
PID 4396 wrote to memory of 2964	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	104
PID 4396 wrote to memory of 3060	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	105
PID 4396 wrote to memory of 3060	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	105
PID 4396 wrote to memory of 5056	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	106
PID 4396 wrote to memory of 5056	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	106
PID 4396 wrote to memory of 4992	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	107
PID 4396 wrote to memory of 4992	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	107
PID 4396 wrote to memory of 2040	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	108
PID 4396 wrote to memory of 2040	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	108
PID 4396 wrote to memory of 388	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	109
PID 4396 wrote to memory of 388	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	109
PID 4396 wrote to memory of 516	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	110
PID 4396 wrote to memory of 516	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	110
PID 4396 wrote to memory of 2388	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	111
PID 4396 wrote to memory of 2388	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	111
PID 4396 wrote to memory of 3672	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	112
PID 4396 wrote to memory of 3672	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	112
PID 4396 wrote to memory of 1540	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	113
PID 4396 wrote to memory of 1540	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	113
PID 4396 wrote to memory of 2972	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	114
PID 4396 wrote to memory of 2972	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	114
PID 4396 wrote to memory of 3524	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	115
PID 4396 wrote to memory of 3524	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	115
PID 4396 wrote to memory of 2796	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	116
PID 4396 wrote to memory of 2796	4396	04653930dd309ca950832350e4d18680_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\04653930dd309ca950832350e4d18680_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04653930dd309ca950832350e4d18680_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\System32\AoLpBvl.exe
  C:\Windows\System32\AoLpBvl.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System32\IRhdREf.exe
  C:\Windows\System32\IRhdREf.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System32\MWXlpKp.exe
  C:\Windows\System32\MWXlpKp.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\ecjUHzN.exe
  C:\Windows\System32\ecjUHzN.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System32\dYqchaJ.exe
  C:\Windows\System32\dYqchaJ.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System32\dabutls.exe
  C:\Windows\System32\dabutls.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\xZXVBro.exe
  C:\Windows\System32\xZXVBro.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System32\YmWJuzc.exe
  C:\Windows\System32\YmWJuzc.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System32\mzrhZfK.exe
  C:\Windows\System32\mzrhZfK.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System32\LXCpYQv.exe
  C:\Windows\System32\LXCpYQv.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System32\TOWgqQi.exe
  C:\Windows\System32\TOWgqQi.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System32\bntrQeM.exe
  C:\Windows\System32\bntrQeM.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\iHwJgSm.exe
  C:\Windows\System32\iHwJgSm.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System32\WhfOyOw.exe
  C:\Windows\System32\WhfOyOw.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\qOmnIZs.exe
  C:\Windows\System32\qOmnIZs.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\yFANnbw.exe
  C:\Windows\System32\yFANnbw.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System32\PpzcvZF.exe
  C:\Windows\System32\PpzcvZF.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\LJwTDSq.exe
  C:\Windows\System32\LJwTDSq.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System32\dAeNbAN.exe
  C:\Windows\System32\dAeNbAN.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System32\PxoEguU.exe
  C:\Windows\System32\PxoEguU.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\uJkSsTL.exe
  C:\Windows\System32\uJkSsTL.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System32\nsHYLji.exe
  C:\Windows\System32\nsHYLji.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\dUZzexU.exe
  C:\Windows\System32\dUZzexU.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System32\otUEYlw.exe
  C:\Windows\System32\otUEYlw.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System32\RbTiXha.exe
  C:\Windows\System32\RbTiXha.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System32\RKqgmre.exe
  C:\Windows\System32\RKqgmre.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System32\HgRCdFY.exe
  C:\Windows\System32\HgRCdFY.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System32\umXbMuH.exe
  C:\Windows\System32\umXbMuH.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\BBXPsEl.exe
  C:\Windows\System32\BBXPsEl.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\LLpMKwO.exe
  C:\Windows\System32\LLpMKwO.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System32\TrqzuZT.exe
  C:\Windows\System32\TrqzuZT.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System32\IoWyOXg.exe
  C:\Windows\System32\IoWyOXg.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System32\LwHXTQM.exe
  C:\Windows\System32\LwHXTQM.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\vRvOpcV.exe
  C:\Windows\System32\vRvOpcV.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System32\miMJEBc.exe
  C:\Windows\System32\miMJEBc.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\hcMpaJd.exe
  C:\Windows\System32\hcMpaJd.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System32\ALEzAhx.exe
  C:\Windows\System32\ALEzAhx.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System32\PzNvZvO.exe
  C:\Windows\System32\PzNvZvO.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System32\inIvMIV.exe
  C:\Windows\System32\inIvMIV.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System32\rqfHrtf.exe
  C:\Windows\System32\rqfHrtf.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\qtcJexI.exe
  C:\Windows\System32\qtcJexI.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System32\xovISbQ.exe
  C:\Windows\System32\xovISbQ.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System32\BlNyhwo.exe
  C:\Windows\System32\BlNyhwo.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System32\JHxjjkx.exe
  C:\Windows\System32\JHxjjkx.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System32\LxmvBaf.exe
  C:\Windows\System32\LxmvBaf.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System32\leEryDU.exe
  C:\Windows\System32\leEryDU.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\aRYmgiq.exe
  C:\Windows\System32\aRYmgiq.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System32\quQSNSa.exe
  C:\Windows\System32\quQSNSa.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System32\xxWJYFA.exe
  C:\Windows\System32\xxWJYFA.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\MLmTVgy.exe
  C:\Windows\System32\MLmTVgy.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System32\LIYRKVz.exe
  C:\Windows\System32\LIYRKVz.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System32\fxRarcE.exe
  C:\Windows\System32\fxRarcE.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\fsuJlow.exe
  C:\Windows\System32\fsuJlow.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\NZrTLDw.exe
  C:\Windows\System32\NZrTLDw.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\eiZbYHq.exe
  C:\Windows\System32\eiZbYHq.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\ynRqYDn.exe
  C:\Windows\System32\ynRqYDn.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\cmBySrQ.exe
  C:\Windows\System32\cmBySrQ.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\VytMhgH.exe
  C:\Windows\System32\VytMhgH.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System32\KjbAlSh.exe
  C:\Windows\System32\KjbAlSh.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System32\mWYbYyq.exe
  C:\Windows\System32\mWYbYyq.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System32\ynVpsdw.exe
  C:\Windows\System32\ynVpsdw.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\nWOmduD.exe
  C:\Windows\System32\nWOmduD.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System32\kbbhNsB.exe
  C:\Windows\System32\kbbhNsB.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\nIyVeED.exe
  C:\Windows\System32\nIyVeED.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\ipmMAfd.exe
  C:\Windows\System32\ipmMAfd.exe
  2⤵
  PID:4648
- C:\Windows\System32\sCiGiTX.exe
  C:\Windows\System32\sCiGiTX.exe
  2⤵
  PID:4148
- C:\Windows\System32\bADoVen.exe
  C:\Windows\System32\bADoVen.exe
  2⤵
  PID:4796
- C:\Windows\System32\VQjqLZe.exe
  C:\Windows\System32\VQjqLZe.exe
  2⤵
  PID:4456
- C:\Windows\System32\hPrJTGp.exe
  C:\Windows\System32\hPrJTGp.exe
  2⤵
  PID:3488
- C:\Windows\System32\dulqpQS.exe
  C:\Windows\System32\dulqpQS.exe
  2⤵
  PID:1916
- C:\Windows\System32\LLyQpiz.exe
  C:\Windows\System32\LLyQpiz.exe
  2⤵
  PID:1624
- C:\Windows\System32\ffojMmH.exe
  C:\Windows\System32\ffojMmH.exe
  2⤵
  PID:2144
- C:\Windows\System32\UaweAvl.exe
  C:\Windows\System32\UaweAvl.exe
  2⤵
  PID:4832
- C:\Windows\System32\DIpVvWz.exe
  C:\Windows\System32\DIpVvWz.exe
  2⤵
  PID:4460
- C:\Windows\System32\lCczpZQ.exe
  C:\Windows\System32\lCczpZQ.exe
  2⤵
  PID:2204
- C:\Windows\System32\CDaBDTm.exe
  C:\Windows\System32\CDaBDTm.exe
  2⤵
  PID:3396
- C:\Windows\System32\EKeJLNR.exe
  C:\Windows\System32\EKeJLNR.exe
  2⤵
  PID:4556
- C:\Windows\System32\uhiAlcj.exe
  C:\Windows\System32\uhiAlcj.exe
  2⤵
  PID:1320
- C:\Windows\System32\KMoqSbX.exe
  C:\Windows\System32\KMoqSbX.exe
  2⤵
  PID:3896
- C:\Windows\System32\mqLRCcs.exe
  C:\Windows\System32\mqLRCcs.exe
  2⤵
  PID:4564
- C:\Windows\System32\SUiznVr.exe
  C:\Windows\System32\SUiznVr.exe
  2⤵
  PID:5124
- C:\Windows\System32\HVPlrak.exe
  C:\Windows\System32\HVPlrak.exe
  2⤵
  PID:5148
- C:\Windows\System32\OHqSVLX.exe
  C:\Windows\System32\OHqSVLX.exe
  2⤵
  PID:5180
- C:\Windows\System32\WqqYOeU.exe
  C:\Windows\System32\WqqYOeU.exe
  2⤵
  PID:5208
- C:\Windows\System32\NCKSIKa.exe
  C:\Windows\System32\NCKSIKa.exe
  2⤵
  PID:5232
- C:\Windows\System32\uelgLsO.exe
  C:\Windows\System32\uelgLsO.exe
  2⤵
  PID:5264
- C:\Windows\System32\hSpPLlG.exe
  C:\Windows\System32\hSpPLlG.exe
  2⤵
  PID:5292
- C:\Windows\System32\LwpzBzb.exe
  C:\Windows\System32\LwpzBzb.exe
  2⤵
  PID:5316
- C:\Windows\System32\DydMIZV.exe
  C:\Windows\System32\DydMIZV.exe
  2⤵
  PID:5348
- C:\Windows\System32\PIZelik.exe
  C:\Windows\System32\PIZelik.exe
  2⤵
  PID:5376
- C:\Windows\System32\WgznsrE.exe
  C:\Windows\System32\WgznsrE.exe
  2⤵
  PID:5400
- C:\Windows\System32\IVtzwKd.exe
  C:\Windows\System32\IVtzwKd.exe
  2⤵
  PID:5432
- C:\Windows\System32\sYPwnjs.exe
  C:\Windows\System32\sYPwnjs.exe
  2⤵
  PID:5464
- C:\Windows\System32\SjpeOpg.exe
  C:\Windows\System32\SjpeOpg.exe
  2⤵
  PID:5492
- C:\Windows\System32\xksqsNp.exe
  C:\Windows\System32\xksqsNp.exe
  2⤵
  PID:5512
- C:\Windows\System32\cSfSXSY.exe
  C:\Windows\System32\cSfSXSY.exe
  2⤵
  PID:5548
- C:\Windows\System32\KwrrloT.exe
  C:\Windows\System32\KwrrloT.exe
  2⤵
  PID:5568
- C:\Windows\System32\RiiyFZt.exe
  C:\Windows\System32\RiiyFZt.exe
  2⤵
  PID:5604
- C:\Windows\System32\boviYPq.exe
  C:\Windows\System32\boviYPq.exe
  2⤵
  PID:5628
- C:\Windows\System32\xnVKgDU.exe
  C:\Windows\System32\xnVKgDU.exe
  2⤵
  PID:5652
- C:\Windows\System32\ZsaBbFz.exe
  C:\Windows\System32\ZsaBbFz.exe
  2⤵
  PID:5684
- C:\Windows\System32\NGxAkOv.exe
  C:\Windows\System32\NGxAkOv.exe
  2⤵
  PID:5716
- C:\Windows\System32\DvaWAit.exe
  C:\Windows\System32\DvaWAit.exe
  2⤵
  PID:5736
- C:\Windows\System32\sjtgJRN.exe
  C:\Windows\System32\sjtgJRN.exe
  2⤵
  PID:5768
- C:\Windows\System32\MNgfqsk.exe
  C:\Windows\System32\MNgfqsk.exe
  2⤵
  PID:5796
- C:\Windows\System32\Zwzhvhn.exe
  C:\Windows\System32\Zwzhvhn.exe
  2⤵
  PID:5820
- C:\Windows\System32\cfQeaQQ.exe
  C:\Windows\System32\cfQeaQQ.exe
  2⤵
  PID:5852
- C:\Windows\System32\wMSGSel.exe
  C:\Windows\System32\wMSGSel.exe
  2⤵
  PID:5880
- C:\Windows\System32\QVfWsLm.exe
  C:\Windows\System32\QVfWsLm.exe
  2⤵
  PID:5904
- C:\Windows\System32\FjHJxnp.exe
  C:\Windows\System32\FjHJxnp.exe
  2⤵
  PID:5972
- C:\Windows\System32\kChocos.exe
  C:\Windows\System32\kChocos.exe
  2⤵
  PID:5992
- C:\Windows\System32\rsoTSKU.exe
  C:\Windows\System32\rsoTSKU.exe
  2⤵
  PID:6008
- C:\Windows\System32\CTXGfQq.exe
  C:\Windows\System32\CTXGfQq.exe
  2⤵
  PID:6028
- C:\Windows\System32\XjbDIJj.exe
  C:\Windows\System32\XjbDIJj.exe
  2⤵
  PID:6044
- C:\Windows\System32\XjchLtY.exe
  C:\Windows\System32\XjchLtY.exe
  2⤵
  PID:6068
- C:\Windows\System32\vBcwXEU.exe
  C:\Windows\System32\vBcwXEU.exe
  2⤵
  PID:6112
- C:\Windows\System32\PndaSba.exe
  C:\Windows\System32\PndaSba.exe
  2⤵
  PID:6132
- C:\Windows\System32\dqHRBND.exe
  C:\Windows\System32\dqHRBND.exe
  2⤵
  PID:1300
- C:\Windows\System32\eVsvaVp.exe
  C:\Windows\System32\eVsvaVp.exe
  2⤵
  PID:208
- C:\Windows\System32\ofmTFnD.exe
  C:\Windows\System32\ofmTFnD.exe
  2⤵
  PID:5196
- C:\Windows\System32\ViShHBD.exe
  C:\Windows\System32\ViShHBD.exe
  2⤵
  PID:5228
- C:\Windows\System32\PWZiSyE.exe
  C:\Windows\System32\PWZiSyE.exe
  2⤵
  PID:2620
- C:\Windows\System32\SYuyCfL.exe
  C:\Windows\System32\SYuyCfL.exe
  2⤵
  PID:5300
- C:\Windows\System32\EnebZZO.exe
  C:\Windows\System32\EnebZZO.exe
  2⤵
  PID:4044
- C:\Windows\System32\ryVIWxT.exe
  C:\Windows\System32\ryVIWxT.exe
  2⤵
  PID:4544
- C:\Windows\System32\JkGsJqr.exe
  C:\Windows\System32\JkGsJqr.exe
  2⤵
  PID:5440
- C:\Windows\System32\knwGiZa.exe
  C:\Windows\System32\knwGiZa.exe
  2⤵
  PID:4696
- C:\Windows\System32\vNoBsft.exe
  C:\Windows\System32\vNoBsft.exe
  2⤵
  PID:1812
- C:\Windows\System32\nsUiBIz.exe
  C:\Windows\System32\nsUiBIz.exe
  2⤵
  PID:5636
- C:\Windows\System32\OAUBpOn.exe
  C:\Windows\System32\OAUBpOn.exe
  2⤵
  PID:5668
- C:\Windows\System32\vKxMxuB.exe
  C:\Windows\System32\vKxMxuB.exe
  2⤵
  PID:5704
- C:\Windows\System32\vzrUQIc.exe
  C:\Windows\System32\vzrUQIc.exe
  2⤵
  PID:1116
- C:\Windows\System32\CiVTwNd.exe
  C:\Windows\System32\CiVTwNd.exe
  2⤵
  PID:1580
- C:\Windows\System32\ZfDKWKV.exe
  C:\Windows\System32\ZfDKWKV.exe
  2⤵
  PID:5872
- C:\Windows\System32\jflGaiD.exe
  C:\Windows\System32\jflGaiD.exe
  2⤵
  PID:1908
- C:\Windows\System32\DcdqWoC.exe
  C:\Windows\System32\DcdqWoC.exe
  2⤵
  PID:3776
- C:\Windows\System32\ybokIMy.exe
  C:\Windows\System32\ybokIMy.exe
  2⤵
  PID:3220
- C:\Windows\System32\kmLGmTA.exe
  C:\Windows\System32\kmLGmTA.exe
  2⤵
  PID:1204
- C:\Windows\System32\BKdrTFm.exe
  C:\Windows\System32\BKdrTFm.exe
  2⤵
  PID:5988
- C:\Windows\System32\xZrUTfb.exe
  C:\Windows\System32\xZrUTfb.exe
  2⤵
  PID:5944
- C:\Windows\System32\wiObevD.exe
  C:\Windows\System32\wiObevD.exe
  2⤵
  PID:6036
- C:\Windows\System32\WMEtFGN.exe
  C:\Windows\System32\WMEtFGN.exe
  2⤵
  PID:6124
- C:\Windows\System32\FsCaMZp.exe
  C:\Windows\System32\FsCaMZp.exe
  2⤵
  PID:1512
- C:\Windows\System32\kyYXQEB.exe
  C:\Windows\System32\kyYXQEB.exe
  2⤵
  PID:5188
- C:\Windows\System32\pyYKcws.exe
  C:\Windows\System32\pyYKcws.exe
  2⤵
  PID:5240
- C:\Windows\System32\NiIQtsV.exe
  C:\Windows\System32\NiIQtsV.exe
  2⤵
  PID:5064
- C:\Windows\System32\EqttBIg.exe
  C:\Windows\System32\EqttBIg.exe
  2⤵
  PID:5488
- C:\Windows\System32\EpwJpCj.exe
  C:\Windows\System32\EpwJpCj.exe
  2⤵
  PID:1016
- C:\Windows\System32\pXiArzW.exe
  C:\Windows\System32\pXiArzW.exe
  2⤵
  PID:5620
- C:\Windows\System32\fSPrMGk.exe
  C:\Windows\System32\fSPrMGk.exe
  2⤵
  PID:5804
- C:\Windows\System32\BOUvpRG.exe
  C:\Windows\System32\BOUvpRG.exe
  2⤵
  PID:5836
- C:\Windows\System32\AcAGqQX.exe
  C:\Windows\System32\AcAGqQX.exe
  2⤵
  PID:2456
- C:\Windows\System32\PnODaDG.exe
  C:\Windows\System32\PnODaDG.exe
  2⤵
  PID:5700
- C:\Windows\System32\ZixUowH.exe
  C:\Windows\System32\ZixUowH.exe
  2⤵
  PID:5868
- C:\Windows\System32\vosJqbo.exe
  C:\Windows\System32\vosJqbo.exe
  2⤵
  PID:3420
- C:\Windows\System32\FjTKaDJ.exe
  C:\Windows\System32\FjTKaDJ.exe
  2⤵
  PID:4624
- C:\Windows\System32\YLqecNA.exe
  C:\Windows\System32\YLqecNA.exe
  2⤵
  PID:3972
- C:\Windows\System32\IVxIXHJ.exe
  C:\Windows\System32\IVxIXHJ.exe
  2⤵
  PID:5576
- C:\Windows\System32\mPyJjjJ.exe
  C:\Windows\System32\mPyJjjJ.exe
  2⤵
  PID:4640
- C:\Windows\System32\NtmLWdN.exe
  C:\Windows\System32\NtmLWdN.exe
  2⤵
  PID:3704
- C:\Windows\System32\JXwYQRs.exe
  C:\Windows\System32\JXwYQRs.exe
  2⤵
  PID:5040
- C:\Windows\System32\xgPboZJ.exe
  C:\Windows\System32\xgPboZJ.exe
  2⤵
  PID:5356
- C:\Windows\System32\yuExXQw.exe
  C:\Windows\System32\yuExXQw.exe
  2⤵
  PID:3996
- C:\Windows\System32\FVTKPPZ.exe
  C:\Windows\System32\FVTKPPZ.exe
  2⤵
  PID:4216
- C:\Windows\System32\WaBACvd.exe
  C:\Windows\System32\WaBACvd.exe
  2⤵
  PID:6180
- C:\Windows\System32\ifdOfNd.exe
  C:\Windows\System32\ifdOfNd.exe
  2⤵
  PID:6204
- C:\Windows\System32\vZBkpAa.exe
  C:\Windows\System32\vZBkpAa.exe
  2⤵
  PID:6220
- C:\Windows\System32\rMYausY.exe
  C:\Windows\System32\rMYausY.exe
  2⤵
  PID:6236
- C:\Windows\System32\xYIkLnf.exe
  C:\Windows\System32\xYIkLnf.exe
  2⤵
  PID:6256
- C:\Windows\System32\rQhjoBB.exe
  C:\Windows\System32\rQhjoBB.exe
  2⤵
  PID:6276
- C:\Windows\System32\cZqrijc.exe
  C:\Windows\System32\cZqrijc.exe
  2⤵
  PID:6328
- C:\Windows\System32\KbnMnOW.exe
  C:\Windows\System32\KbnMnOW.exe
  2⤵
  PID:6364
- C:\Windows\System32\qhLnqOd.exe
  C:\Windows\System32\qhLnqOd.exe
  2⤵
  PID:6440
- C:\Windows\System32\UDuapjH.exe
  C:\Windows\System32\UDuapjH.exe
  2⤵
  PID:6468
- C:\Windows\System32\VqxxaKF.exe
  C:\Windows\System32\VqxxaKF.exe
  2⤵
  PID:6500
- C:\Windows\System32\JPeedNf.exe
  C:\Windows\System32\JPeedNf.exe
  2⤵
  PID:6528
- C:\Windows\System32\TtfHWlJ.exe
  C:\Windows\System32\TtfHWlJ.exe
  2⤵
  PID:6544
- C:\Windows\System32\cVDNqAE.exe
  C:\Windows\System32\cVDNqAE.exe
  2⤵
  PID:6560
- C:\Windows\System32\kWlKTrd.exe
  C:\Windows\System32\kWlKTrd.exe
  2⤵
  PID:6580
- C:\Windows\System32\XoQeNUK.exe
  C:\Windows\System32\XoQeNUK.exe
  2⤵
  PID:6604
- C:\Windows\System32\IOitPEY.exe
  C:\Windows\System32\IOitPEY.exe
  2⤵
  PID:6648
- C:\Windows\System32\EGPWxTk.exe
  C:\Windows\System32\EGPWxTk.exe
  2⤵
  PID:6696
- C:\Windows\System32\tyMekEi.exe
  C:\Windows\System32\tyMekEi.exe
  2⤵
  PID:6728
- C:\Windows\System32\znMBcFv.exe
  C:\Windows\System32\znMBcFv.exe
  2⤵
  PID:6744
- C:\Windows\System32\VUszGpN.exe
  C:\Windows\System32\VUszGpN.exe
  2⤵
  PID:6772
- C:\Windows\System32\CjzGKXo.exe
  C:\Windows\System32\CjzGKXo.exe
  2⤵
  PID:6808
- C:\Windows\System32\ADPpRGh.exe
  C:\Windows\System32\ADPpRGh.exe
  2⤵
  PID:6840
- C:\Windows\System32\RuJeTIH.exe
  C:\Windows\System32\RuJeTIH.exe
  2⤵
  PID:6856
- C:\Windows\System32\GBzlrob.exe
  C:\Windows\System32\GBzlrob.exe
  2⤵
  PID:6884
- C:\Windows\System32\XzCuHyV.exe
  C:\Windows\System32\XzCuHyV.exe
  2⤵
  PID:6908
- C:\Windows\System32\itAbPzZ.exe
  C:\Windows\System32\itAbPzZ.exe
  2⤵
  PID:6924
- C:\Windows\System32\duYzukE.exe
  C:\Windows\System32\duYzukE.exe
  2⤵
  PID:6968
- C:\Windows\System32\rSrwiZb.exe
  C:\Windows\System32\rSrwiZb.exe
  2⤵
  PID:6988
- C:\Windows\System32\cygZoDb.exe
  C:\Windows\System32\cygZoDb.exe
  2⤵
  PID:7004
- C:\Windows\System32\cglukYT.exe
  C:\Windows\System32\cglukYT.exe
  2⤵
  PID:7032
- C:\Windows\System32\kwHOiIM.exe
  C:\Windows\System32\kwHOiIM.exe
  2⤵
  PID:7048
- C:\Windows\System32\QqCHdWl.exe
  C:\Windows\System32\QqCHdWl.exe
  2⤵
  PID:7092
- C:\Windows\System32\ssJNUNn.exe
  C:\Windows\System32\ssJNUNn.exe
  2⤵
  PID:7132
- C:\Windows\System32\zffEkHG.exe
  C:\Windows\System32\zffEkHG.exe
  2⤵
  PID:7152
- C:\Windows\System32\xBkTeYh.exe
  C:\Windows\System32\xBkTeYh.exe
  2⤵
  PID:6088
- C:\Windows\System32\TzZNeWe.exe
  C:\Windows\System32\TzZNeWe.exe
  2⤵
  PID:6168
- C:\Windows\System32\iNmlkbg.exe
  C:\Windows\System32\iNmlkbg.exe
  2⤵
  PID:6296
- C:\Windows\System32\OaEClHA.exe
  C:\Windows\System32\OaEClHA.exe
  2⤵
  PID:6288
- C:\Windows\System32\eqUitlG.exe
  C:\Windows\System32\eqUitlG.exe
  2⤵
  PID:6448
- C:\Windows\System32\YjVewom.exe
  C:\Windows\System32\YjVewom.exe
  2⤵
  PID:6516
- C:\Windows\System32\wWbKSIY.exe
  C:\Windows\System32\wWbKSIY.exe
  2⤵
  PID:6540
- C:\Windows\System32\oAJFkMo.exe
  C:\Windows\System32\oAJFkMo.exe
  2⤵
  PID:6612
- C:\Windows\System32\eILSlmF.exe
  C:\Windows\System32\eILSlmF.exe
  2⤵
  PID:6628
- C:\Windows\System32\rTLEWFD.exe
  C:\Windows\System32\rTLEWFD.exe
  2⤵
  PID:6736
- C:\Windows\System32\MYDsHty.exe
  C:\Windows\System32\MYDsHty.exe
  2⤵
  PID:6768
- C:\Windows\System32\YSeNBjx.exe
  C:\Windows\System32\YSeNBjx.exe
  2⤵
  PID:6852
- C:\Windows\System32\hTeIKLg.exe
  C:\Windows\System32\hTeIKLg.exe
  2⤵
  PID:7060
- C:\Windows\System32\rhADVbK.exe
  C:\Windows\System32\rhADVbK.exe
  2⤵
  PID:7012
- C:\Windows\System32\sdBabgA.exe
  C:\Windows\System32\sdBabgA.exe
  2⤵
  PID:7056
- C:\Windows\System32\XhcOUCs.exe
  C:\Windows\System32\XhcOUCs.exe
  2⤵
  PID:7164
- C:\Windows\System32\ZVFIRIP.exe
  C:\Windows\System32\ZVFIRIP.exe
  2⤵
  PID:2592
- C:\Windows\System32\bCsAIxB.exe
  C:\Windows\System32\bCsAIxB.exe
  2⤵
  PID:6320
- C:\Windows\System32\xlwRagB.exe
  C:\Windows\System32\xlwRagB.exe
  2⤵
  PID:6424
- C:\Windows\System32\thepPRE.exe
  C:\Windows\System32\thepPRE.exe
  2⤵
  PID:6556
- C:\Windows\System32\CsWdgFz.exe
  C:\Windows\System32\CsWdgFz.exe
  2⤵
  PID:6640
- C:\Windows\System32\hzTyBJY.exe
  C:\Windows\System32\hzTyBJY.exe
  2⤵
  PID:6828
- C:\Windows\System32\OaJCteZ.exe
  C:\Windows\System32\OaJCteZ.exe
  2⤵
  PID:6932
- C:\Windows\System32\LxZUzBb.exe
  C:\Windows\System32\LxZUzBb.exe
  2⤵
  PID:7068
- C:\Windows\System32\bAWadKB.exe
  C:\Windows\System32\bAWadKB.exe
  2⤵
  PID:7148
- C:\Windows\System32\XUhEoTo.exe
  C:\Windows\System32\XUhEoTo.exe
  2⤵
  PID:6380
- C:\Windows\System32\iPLKaDV.exe
  C:\Windows\System32\iPLKaDV.exe
  2⤵
  PID:6592
- C:\Windows\System32\KRLySLK.exe
  C:\Windows\System32\KRLySLK.exe
  2⤵
  PID:7228
- C:\Windows\System32\IpteoHh.exe
  C:\Windows\System32\IpteoHh.exe
  2⤵
  PID:7284
- C:\Windows\System32\BAXVYgr.exe
  C:\Windows\System32\BAXVYgr.exe
  2⤵
  PID:7304
- C:\Windows\System32\XTtfYwi.exe
  C:\Windows\System32\XTtfYwi.exe
  2⤵
  PID:7320
- C:\Windows\System32\XhgKUrC.exe
  C:\Windows\System32\XhgKUrC.exe
  2⤵
  PID:7344
- C:\Windows\System32\TaWSWVf.exe
  C:\Windows\System32\TaWSWVf.exe
  2⤵
  PID:7380
- C:\Windows\System32\CtpxpvD.exe
  C:\Windows\System32\CtpxpvD.exe
  2⤵
  PID:7416
- C:\Windows\System32\CxevPcs.exe
  C:\Windows\System32\CxevPcs.exe
  2⤵
  PID:7456
- C:\Windows\System32\dwOTJUI.exe
  C:\Windows\System32\dwOTJUI.exe
  2⤵
  PID:7484
- C:\Windows\System32\DhMiNaO.exe
  C:\Windows\System32\DhMiNaO.exe
  2⤵
  PID:7504
- C:\Windows\System32\VKkZogj.exe
  C:\Windows\System32\VKkZogj.exe
  2⤵
  PID:7528
- C:\Windows\System32\aypCzQE.exe
  C:\Windows\System32\aypCzQE.exe
  2⤵
  PID:7544
- C:\Windows\System32\ppyVwar.exe
  C:\Windows\System32\ppyVwar.exe
  2⤵
  PID:7564
- C:\Windows\System32\UrLCoPd.exe
  C:\Windows\System32\UrLCoPd.exe
  2⤵
  PID:7580
- C:\Windows\System32\KYcfbuz.exe
  C:\Windows\System32\KYcfbuz.exe
  2⤵
  PID:7604
- C:\Windows\System32\NuBZziO.exe
  C:\Windows\System32\NuBZziO.exe
  2⤵
  PID:7624
- C:\Windows\System32\iORKyEr.exe
  C:\Windows\System32\iORKyEr.exe
  2⤵
  PID:7664
- C:\Windows\System32\qdAEMWW.exe
  C:\Windows\System32\qdAEMWW.exe
  2⤵
  PID:7692
- C:\Windows\System32\qzNJfTy.exe
  C:\Windows\System32\qzNJfTy.exe
  2⤵
  PID:7760
- C:\Windows\System32\HUMLKqn.exe
  C:\Windows\System32\HUMLKqn.exe
  2⤵
  PID:7792
- C:\Windows\System32\nCcpUbp.exe
  C:\Windows\System32\nCcpUbp.exe
  2⤵
  PID:7820
- C:\Windows\System32\zYAyHKD.exe
  C:\Windows\System32\zYAyHKD.exe
  2⤵
  PID:7848
- C:\Windows\System32\IthgJVl.exe
  C:\Windows\System32\IthgJVl.exe
  2⤵
  PID:7868
- C:\Windows\System32\SwPrenl.exe
  C:\Windows\System32\SwPrenl.exe
  2⤵
  PID:7884
- C:\Windows\System32\GmTVEgv.exe
  C:\Windows\System32\GmTVEgv.exe
  2⤵
  PID:7908
- C:\Windows\System32\xIbpuca.exe
  C:\Windows\System32\xIbpuca.exe
  2⤵
  PID:7928
- C:\Windows\System32\xtfMPCj.exe
  C:\Windows\System32\xtfMPCj.exe
  2⤵
  PID:7992
- C:\Windows\System32\AiGIGfF.exe
  C:\Windows\System32\AiGIGfF.exe
  2⤵
  PID:8012
- C:\Windows\System32\gjtAqti.exe
  C:\Windows\System32\gjtAqti.exe
  2⤵
  PID:8028
- C:\Windows\System32\TUqjSNi.exe
  C:\Windows\System32\TUqjSNi.exe
  2⤵
  PID:8072
- C:\Windows\System32\HnuWxja.exe
  C:\Windows\System32\HnuWxja.exe
  2⤵
  PID:8096
- C:\Windows\System32\kJnraTU.exe
  C:\Windows\System32\kJnraTU.exe
  2⤵
  PID:8128
- C:\Windows\System32\TYjJixa.exe
  C:\Windows\System32\TYjJixa.exe
  2⤵
  PID:8144
- C:\Windows\System32\ZsTAZMy.exe
  C:\Windows\System32\ZsTAZMy.exe
  2⤵
  PID:8172
- C:\Windows\System32\ELJxcuR.exe
  C:\Windows\System32\ELJxcuR.exe
  2⤵
  PID:8188
- C:\Windows\System32\GXfvfdn.exe
  C:\Windows\System32\GXfvfdn.exe
  2⤵
  PID:7192
- C:\Windows\System32\qIymzYG.exe
  C:\Windows\System32\qIymzYG.exe
  2⤵
  PID:7216
- C:\Windows\System32\TXdWivI.exe
  C:\Windows\System32\TXdWivI.exe
  2⤵
  PID:7272
- C:\Windows\System32\bWJNJgL.exe
  C:\Windows\System32\bWJNJgL.exe
  2⤵
  PID:7296
- C:\Windows\System32\CgQOFVt.exe
  C:\Windows\System32\CgQOFVt.exe
  2⤵
  PID:7356
- C:\Windows\System32\bzASJzq.exe
  C:\Windows\System32\bzASJzq.exe
  2⤵
  PID:7428
- C:\Windows\System32\fVigPbH.exe
  C:\Windows\System32\fVigPbH.exe
  2⤵
  PID:7512
- C:\Windows\System32\eoZkNbF.exe
  C:\Windows\System32\eoZkNbF.exe
  2⤵
  PID:7640
- C:\Windows\System32\SqyzIge.exe
  C:\Windows\System32\SqyzIge.exe
  2⤵
  PID:7572
- C:\Windows\System32\BOHHRUy.exe
  C:\Windows\System32\BOHHRUy.exe
  2⤵
  PID:7724
- C:\Windows\System32\GmpzhrC.exe
  C:\Windows\System32\GmpzhrC.exe
  2⤵
  PID:7780
- C:\Windows\System32\suGaxGA.exe
  C:\Windows\System32\suGaxGA.exe
  2⤵
  PID:7892
- C:\Windows\System32\vKsqEAA.exe
  C:\Windows\System32\vKsqEAA.exe
  2⤵
  PID:7880
- C:\Windows\System32\lPMDTin.exe
  C:\Windows\System32\lPMDTin.exe
  2⤵
  PID:7940
- C:\Windows\System32\tPQAjIT.exe
  C:\Windows\System32\tPQAjIT.exe
  2⤵
  PID:7968
- C:\Windows\System32\dwJojGv.exe
  C:\Windows\System32\dwJojGv.exe
  2⤵
  PID:8036
- C:\Windows\System32\sLXJeXG.exe
  C:\Windows\System32\sLXJeXG.exe
  2⤵
  PID:8104
- C:\Windows\System32\lbsVVjw.exe
  C:\Windows\System32\lbsVVjw.exe
  2⤵
  PID:8140
- C:\Windows\System32\sOBPbTj.exe
  C:\Windows\System32\sOBPbTj.exe
  2⤵
  PID:7332
- C:\Windows\System32\KFpykbW.exe
  C:\Windows\System32\KFpykbW.exe
  2⤵
  PID:7516
- C:\Windows\System32\BYVTuns.exe
  C:\Windows\System32\BYVTuns.exe
  2⤵
  PID:7600
- C:\Windows\System32\AWaOkXg.exe
  C:\Windows\System32\AWaOkXg.exe
  2⤵
  PID:7776
- C:\Windows\System32\drAsALU.exe
  C:\Windows\System32\drAsALU.exe
  2⤵
  PID:8084
- C:\Windows\System32\LUKURwU.exe
  C:\Windows\System32\LUKURwU.exe
  2⤵
  PID:7864
- C:\Windows\System32\yqFXgyu.exe
  C:\Windows\System32\yqFXgyu.exe
  2⤵
  PID:8168
- C:\Windows\System32\Wucnswv.exe
  C:\Windows\System32\Wucnswv.exe
  2⤵
  PID:7352
- C:\Windows\System32\ikpmbFS.exe
  C:\Windows\System32\ikpmbFS.exe
  2⤵
  PID:8024
- C:\Windows\System32\PAyUyxp.exe
  C:\Windows\System32\PAyUyxp.exe
  2⤵
  PID:8068
- C:\Windows\System32\EWoToYO.exe
  C:\Windows\System32\EWoToYO.exe
  2⤵
  PID:7716
- C:\Windows\System32\TdFETlN.exe
  C:\Windows\System32\TdFETlN.exe
  2⤵
  PID:8008
- C:\Windows\System32\CAzpNca.exe
  C:\Windows\System32\CAzpNca.exe
  2⤵
  PID:8124
- C:\Windows\System32\BfDjhbp.exe
  C:\Windows\System32\BfDjhbp.exe
  2⤵
  PID:8208
- C:\Windows\System32\rVRvSxV.exe
  C:\Windows\System32\rVRvSxV.exe
  2⤵
  PID:8236
- C:\Windows\System32\Jwzwgrb.exe
  C:\Windows\System32\Jwzwgrb.exe
  2⤵
  PID:8252
- C:\Windows\System32\IBWYRde.exe
  C:\Windows\System32\IBWYRde.exe
  2⤵
  PID:8288
- C:\Windows\System32\NBKlpcF.exe
  C:\Windows\System32\NBKlpcF.exe
  2⤵
  PID:8308
- C:\Windows\System32\ujwBWGL.exe
  C:\Windows\System32\ujwBWGL.exe
  2⤵
  PID:8324
- C:\Windows\System32\csQTLIc.exe
  C:\Windows\System32\csQTLIc.exe
  2⤵
  PID:8348
- C:\Windows\System32\XGxbACI.exe
  C:\Windows\System32\XGxbACI.exe
  2⤵
  PID:8372
- C:\Windows\System32\KQTBJtm.exe
  C:\Windows\System32\KQTBJtm.exe
  2⤵
  PID:8424
- C:\Windows\System32\sUUndCn.exe
  C:\Windows\System32\sUUndCn.exe
  2⤵
  PID:8480
- C:\Windows\System32\MCWmIio.exe
  C:\Windows\System32\MCWmIio.exe
  2⤵
  PID:8532
- C:\Windows\System32\JPhsmHQ.exe
  C:\Windows\System32\JPhsmHQ.exe
  2⤵
  PID:8556
- C:\Windows\System32\tfFOknP.exe
  C:\Windows\System32\tfFOknP.exe
  2⤵
  PID:8576
- C:\Windows\System32\nVWWILL.exe
  C:\Windows\System32\nVWWILL.exe
  2⤵
  PID:8604
- C:\Windows\System32\pLbCkco.exe
  C:\Windows\System32\pLbCkco.exe
  2⤵
  PID:8652
- C:\Windows\System32\clIlfjw.exe
  C:\Windows\System32\clIlfjw.exe
  2⤵
  PID:8668
- C:\Windows\System32\NwHrVFI.exe
  C:\Windows\System32\NwHrVFI.exe
  2⤵
  PID:8684
- C:\Windows\System32\sFELoRd.exe
  C:\Windows\System32\sFELoRd.exe
  2⤵
  PID:8724
- C:\Windows\System32\oNMotSO.exe
  C:\Windows\System32\oNMotSO.exe
  2⤵
  PID:8768
- C:\Windows\System32\AqfQFaP.exe
  C:\Windows\System32\AqfQFaP.exe
  2⤵
  PID:8784
- C:\Windows\System32\rtTOaKD.exe
  C:\Windows\System32\rtTOaKD.exe
  2⤵
  PID:8808
- C:\Windows\System32\HyZWElS.exe
  C:\Windows\System32\HyZWElS.exe
  2⤵
  PID:8828
- C:\Windows\System32\iiYzeNa.exe
  C:\Windows\System32\iiYzeNa.exe
  2⤵
  PID:8852
- C:\Windows\System32\EglXqFo.exe
  C:\Windows\System32\EglXqFo.exe
  2⤵
  PID:8880
- C:\Windows\System32\mGVFHGj.exe
  C:\Windows\System32\mGVFHGj.exe
  2⤵
  PID:8896
- C:\Windows\System32\EvuZOdv.exe
  C:\Windows\System32\EvuZOdv.exe
  2⤵
  PID:8948
- C:\Windows\System32\lrFkeZq.exe
  C:\Windows\System32\lrFkeZq.exe
  2⤵
  PID:8972
- C:\Windows\System32\zeewZXF.exe
  C:\Windows\System32\zeewZXF.exe
  2⤵
  PID:8988
- C:\Windows\System32\tatoROy.exe
  C:\Windows\System32\tatoROy.exe
  2⤵
  PID:9008
- C:\Windows\System32\gNYOnhE.exe
  C:\Windows\System32\gNYOnhE.exe
  2⤵
  PID:9060
- C:\Windows\System32\qYwDnEw.exe
  C:\Windows\System32\qYwDnEw.exe
  2⤵
  PID:9100
- C:\Windows\System32\VuDplZj.exe
  C:\Windows\System32\VuDplZj.exe
  2⤵
  PID:9116
- C:\Windows\System32\ksGsHhR.exe
  C:\Windows\System32\ksGsHhR.exe
  2⤵
  PID:9140
- C:\Windows\System32\YVWyniA.exe
  C:\Windows\System32\YVWyniA.exe
  2⤵
  PID:9156
- C:\Windows\System32\kxRAjaV.exe
  C:\Windows\System32\kxRAjaV.exe
  2⤵
  PID:9188
- C:\Windows\System32\XugCYUj.exe
  C:\Windows\System32\XugCYUj.exe
  2⤵
  PID:9208
- C:\Windows\System32\KTqhNXD.exe
  C:\Windows\System32\KTqhNXD.exe
  2⤵
  PID:8284
- C:\Windows\System32\GwPxhyu.exe
  C:\Windows\System32\GwPxhyu.exe
  2⤵
  PID:8364
- C:\Windows\System32\exvntnR.exe
  C:\Windows\System32\exvntnR.exe
  2⤵
  PID:8448
- C:\Windows\System32\DTHpPCG.exe
  C:\Windows\System32\DTHpPCG.exe
  2⤵
  PID:8592
- C:\Windows\System32\VugqqVo.exe
  C:\Windows\System32\VugqqVo.exe
  2⤵
  PID:8712
- C:\Windows\System32\TFhLbzS.exe
  C:\Windows\System32\TFhLbzS.exe
  2⤵
  PID:8960
- C:\Windows\System32\CSKRvYC.exe
  C:\Windows\System32\CSKRvYC.exe
  2⤵
  PID:9000
- C:\Windows\System32\fIgWNuL.exe
  C:\Windows\System32\fIgWNuL.exe
  2⤵
  PID:8996
- C:\Windows\System32\wARHpwz.exe
  C:\Windows\System32\wARHpwz.exe
  2⤵
  PID:9108
- C:\Windows\System32\EEjermV.exe
  C:\Windows\System32\EEjermV.exe
  2⤵
  PID:9184
- C:\Windows\System32\CoRHhvM.exe
  C:\Windows\System32\CoRHhvM.exe
  2⤵
  PID:9200
- C:\Windows\System32\tqefFvQ.exe
  C:\Windows\System32\tqefFvQ.exe
  2⤵
  PID:8432
- C:\Windows\System32\BrDbzgX.exe
  C:\Windows\System32\BrDbzgX.exe
  2⤵
  PID:8640
- C:\Windows\System32\PbaDXff.exe
  C:\Windows\System32\PbaDXff.exe
  2⤵
  PID:8544
- C:\Windows\System32\CnQfaBm.exe
  C:\Windows\System32\CnQfaBm.exe
  2⤵
  PID:8524
- C:\Windows\System32\ggioxAT.exe
  C:\Windows\System32\ggioxAT.exe
  2⤵
  PID:8632
- C:\Windows\System32\PyznqSN.exe
  C:\Windows\System32\PyznqSN.exe
  2⤵
  PID:8752
- C:\Windows\System32\boBPSsT.exe
  C:\Windows\System32\boBPSsT.exe
  2⤵
  PID:9044
- C:\Windows\System32\wMFxnTk.exe
  C:\Windows\System32\wMFxnTk.exe
  2⤵
  PID:9164
- C:\Windows\System32\kcmKRqa.exe
  C:\Windows\System32\kcmKRqa.exe
  2⤵
  PID:9172
- C:\Windows\System32\itjroZo.exe
  C:\Windows\System32\itjroZo.exe
  2⤵
  PID:3792
- C:\Windows\System32\iFxApet.exe
  C:\Windows\System32\iFxApet.exe
  2⤵
  PID:8516
- C:\Windows\System32\YlSliLO.exe
  C:\Windows\System32\YlSliLO.exe
  2⤵
  PID:9036
- C:\Windows\System32\CVPFgDz.exe
  C:\Windows\System32\CVPFgDz.exe
  2⤵
  PID:8624
- C:\Windows\System32\oGjnAwd.exe
  C:\Windows\System32\oGjnAwd.exe
  2⤵
  PID:8584
- C:\Windows\System32\vyspAMn.exe
  C:\Windows\System32\vyspAMn.exe
  2⤵
  PID:9132
- C:\Windows\System32\dBwgQaA.exe
  C:\Windows\System32\dBwgQaA.exe
  2⤵
  PID:9232
- C:\Windows\System32\kGlcklO.exe
  C:\Windows\System32\kGlcklO.exe
  2⤵
  PID:9268
- C:\Windows\System32\OmRUBxQ.exe
  C:\Windows\System32\OmRUBxQ.exe
  2⤵
  PID:9296
- C:\Windows\System32\paqPpRG.exe
  C:\Windows\System32\paqPpRG.exe
  2⤵
  PID:9316
- C:\Windows\System32\zaSJAXX.exe
  C:\Windows\System32\zaSJAXX.exe
  2⤵
  PID:9340
- C:\Windows\System32\iUgXncS.exe
  C:\Windows\System32\iUgXncS.exe
  2⤵
  PID:9360
- C:\Windows\System32\UfSpdZS.exe
  C:\Windows\System32\UfSpdZS.exe
  2⤵
  PID:9380
- C:\Windows\System32\TRJoIOm.exe
  C:\Windows\System32\TRJoIOm.exe
  2⤵
  PID:9440
- C:\Windows\System32\noMuQLI.exe
  C:\Windows\System32\noMuQLI.exe
  2⤵
  PID:9468
- C:\Windows\System32\yZbcMfw.exe
  C:\Windows\System32\yZbcMfw.exe
  2⤵
  PID:9508
- C:\Windows\System32\HmdnUsJ.exe
  C:\Windows\System32\HmdnUsJ.exe
  2⤵
  PID:9524
- C:\Windows\System32\EcfjhIU.exe
  C:\Windows\System32\EcfjhIU.exe
  2⤵
  PID:9540
- C:\Windows\System32\ieLmcmr.exe
  C:\Windows\System32\ieLmcmr.exe
  2⤵
  PID:9560
- C:\Windows\System32\WESMqCr.exe
  C:\Windows\System32\WESMqCr.exe
  2⤵
  PID:9596
- C:\Windows\System32\TMCZTly.exe
  C:\Windows\System32\TMCZTly.exe
  2⤵
  PID:9616
- C:\Windows\System32\vQcsjSp.exe
  C:\Windows\System32\vQcsjSp.exe
  2⤵
  PID:9652
- C:\Windows\System32\NpDZqim.exe
  C:\Windows\System32\NpDZqim.exe
  2⤵
  PID:9692
- C:\Windows\System32\pTBuxuA.exe
  C:\Windows\System32\pTBuxuA.exe
  2⤵
  PID:9712
- C:\Windows\System32\pVDbbqv.exe
  C:\Windows\System32\pVDbbqv.exe
  2⤵
  PID:9736
- C:\Windows\System32\RhckjJg.exe
  C:\Windows\System32\RhckjJg.exe
  2⤵
  PID:9776
- C:\Windows\System32\ZHcOTTV.exe
  C:\Windows\System32\ZHcOTTV.exe
  2⤵
  PID:9804
- C:\Windows\System32\HYzjOsf.exe
  C:\Windows\System32\HYzjOsf.exe
  2⤵
  PID:9828
- C:\Windows\System32\sLlHrvr.exe
  C:\Windows\System32\sLlHrvr.exe
  2⤵
  PID:9852
- C:\Windows\System32\BcNPCCn.exe
  C:\Windows\System32\BcNPCCn.exe
  2⤵
  PID:9872
- C:\Windows\System32\TyYPDkA.exe
  C:\Windows\System32\TyYPDkA.exe
  2⤵
  PID:9912
- C:\Windows\System32\KjEVgyr.exe
  C:\Windows\System32\KjEVgyr.exe
  2⤵
  PID:9940
- C:\Windows\System32\HwdrVRb.exe
  C:\Windows\System32\HwdrVRb.exe
  2⤵
  PID:9960
- C:\Windows\System32\gLCCfvE.exe
  C:\Windows\System32\gLCCfvE.exe
  2⤵
  PID:9984
- C:\Windows\System32\FFmwHAb.exe
  C:\Windows\System32\FFmwHAb.exe
  2⤵
  PID:10016
- C:\Windows\System32\UdUfAFE.exe
  C:\Windows\System32\UdUfAFE.exe
  2⤵
  PID:10040
- C:\Windows\System32\zMIpadF.exe
  C:\Windows\System32\zMIpadF.exe
  2⤵
  PID:10056
- C:\Windows\System32\ixerLCl.exe
  C:\Windows\System32\ixerLCl.exe
  2⤵
  PID:10108
- C:\Windows\System32\DZyJXaH.exe
  C:\Windows\System32\DZyJXaH.exe
  2⤵
  PID:10140
- C:\Windows\System32\PUryGHK.exe
  C:\Windows\System32\PUryGHK.exe
  2⤵
  PID:10164
- C:\Windows\System32\KyJNYra.exe
  C:\Windows\System32\KyJNYra.exe
  2⤵
  PID:10196
- C:\Windows\System32\MxEQVfk.exe
  C:\Windows\System32\MxEQVfk.exe
  2⤵
  PID:10212
- C:\Windows\System32\hooxIRm.exe
  C:\Windows\System32\hooxIRm.exe
  2⤵
  PID:8276
- C:\Windows\System32\ryxMGoq.exe
  C:\Windows\System32\ryxMGoq.exe
  2⤵
  PID:9220
- C:\Windows\System32\IzTJGbY.exe
  C:\Windows\System32\IzTJGbY.exe
  2⤵
  PID:9280
- C:\Windows\System32\gpVpFeG.exe
  C:\Windows\System32\gpVpFeG.exe
  2⤵
  PID:9352
- C:\Windows\System32\GcYfoxb.exe
  C:\Windows\System32\GcYfoxb.exe
  2⤵
  PID:9372
- C:\Windows\System32\eIBWPBL.exe
  C:\Windows\System32\eIBWPBL.exe
  2⤵
  PID:9492
- C:\Windows\System32\JZAvxBD.exe
  C:\Windows\System32\JZAvxBD.exe
  2⤵
  PID:9608
- C:\Windows\System32\bORmEMo.exe
  C:\Windows\System32\bORmEMo.exe
  2⤵
  PID:9668
- C:\Windows\System32\VVdbbFY.exe
  C:\Windows\System32\VVdbbFY.exe
  2⤵
  PID:9720
- C:\Windows\System32\dgWSXBk.exe
  C:\Windows\System32\dgWSXBk.exe
  2⤵
  PID:9788
- C:\Windows\System32\IowoSKM.exe
  C:\Windows\System32\IowoSKM.exe
  2⤵
  PID:9844
- C:\Windows\System32\KcAYiLn.exe
  C:\Windows\System32\KcAYiLn.exe
  2⤵
  PID:9884
- C:\Windows\System32\NKFsWqS.exe
  C:\Windows\System32\NKFsWqS.exe
  2⤵
  PID:9920
- C:\Windows\System32\bgYxdxP.exe
  C:\Windows\System32\bgYxdxP.exe
  2⤵
  PID:10000
- C:\Windows\System32\GfYPiEX.exe
  C:\Windows\System32\GfYPiEX.exe
  2⤵
  PID:10072
- C:\Windows\System32\RKYdVHN.exe
  C:\Windows\System32\RKYdVHN.exe
  2⤵
  PID:10204
- C:\Windows\System32\WVQdtoT.exe
  C:\Windows\System32\WVQdtoT.exe
  2⤵
  PID:10224
- C:\Windows\System32\pPieBkT.exe
  C:\Windows\System32\pPieBkT.exe
  2⤵
  PID:8344
- C:\Windows\System32\IRhIcWq.exe
  C:\Windows\System32\IRhIcWq.exe
  2⤵
  PID:9520
- C:\Windows\System32\WJKpqhq.exe
  C:\Windows\System32\WJKpqhq.exe
  2⤵
  PID:9764
- C:\Windows\System32\NHNKiqF.exe
  C:\Windows\System32\NHNKiqF.exe
  2⤵
  PID:9880
- C:\Windows\System32\udBAzWX.exe
  C:\Windows\System32\udBAzWX.exe
  2⤵
  PID:9952
- C:\Windows\System32\azucuNY.exe
  C:\Windows\System32\azucuNY.exe
  2⤵
  PID:10024
- C:\Windows\System32\luNxvyH.exe
  C:\Windows\System32\luNxvyH.exe
  2⤵
  PID:10232
- C:\Windows\System32\KTVyOjO.exe
  C:\Windows\System32\KTVyOjO.exe
  2⤵
  PID:9532
- C:\Windows\System32\kzicxcI.exe
  C:\Windows\System32\kzicxcI.exe
  2⤵
  PID:10116
- C:\Windows\System32\rnoGEoX.exe
  C:\Windows\System32\rnoGEoX.exe
  2⤵
  PID:9288
- C:\Windows\System32\EKOtweP.exe
  C:\Windows\System32\EKOtweP.exe
  2⤵
  PID:10260
- C:\Windows\System32\UeOGYFq.exe
  C:\Windows\System32\UeOGYFq.exe
  2⤵
  PID:10284
- C:\Windows\System32\AzImkDP.exe
  C:\Windows\System32\AzImkDP.exe
  2⤵
  PID:10312
- C:\Windows\System32\keGdQOC.exe
  C:\Windows\System32\keGdQOC.exe
  2⤵
  PID:10332
- C:\Windows\System32\TCKDxPR.exe
  C:\Windows\System32\TCKDxPR.exe
  2⤵
  PID:10368
- C:\Windows\System32\HXhiuMh.exe
  C:\Windows\System32\HXhiuMh.exe
  2⤵
  PID:10396
- C:\Windows\System32\yodLFhx.exe
  C:\Windows\System32\yodLFhx.exe
  2⤵
  PID:10412
- C:\Windows\System32\CxzRqXp.exe
  C:\Windows\System32\CxzRqXp.exe
  2⤵
  PID:10440
- C:\Windows\System32\twMVhps.exe
  C:\Windows\System32\twMVhps.exe
  2⤵
  PID:10464
- C:\Windows\System32\oROGVgZ.exe
  C:\Windows\System32\oROGVgZ.exe
  2⤵
  PID:10500
- C:\Windows\System32\NDoRRdb.exe
  C:\Windows\System32\NDoRRdb.exe
  2⤵
  PID:10520
- C:\Windows\System32\eZFqfhh.exe
  C:\Windows\System32\eZFqfhh.exe
  2⤵
  PID:10568
- C:\Windows\System32\MHCeCfn.exe
  C:\Windows\System32\MHCeCfn.exe
  2⤵
  PID:10628
- C:\Windows\System32\MRIhKPQ.exe
  C:\Windows\System32\MRIhKPQ.exe
  2⤵
  PID:10644
- C:\Windows\System32\JqRJqnW.exe
  C:\Windows\System32\JqRJqnW.exe
  2⤵
  PID:10672
- C:\Windows\System32\kMfYvYe.exe
  C:\Windows\System32\kMfYvYe.exe
  2⤵
  PID:10688
- C:\Windows\System32\XcIhaAn.exe
  C:\Windows\System32\XcIhaAn.exe
  2⤵
  PID:10708
- C:\Windows\System32\frRxeDs.exe
  C:\Windows\System32\frRxeDs.exe
  2⤵
  PID:10752
- C:\Windows\System32\NYxiXJa.exe
  C:\Windows\System32\NYxiXJa.exe
  2⤵
  PID:10792
- C:\Windows\System32\rQgMgNl.exe
  C:\Windows\System32\rQgMgNl.exe
  2⤵
  PID:10812
- C:\Windows\System32\hfdjjqC.exe
  C:\Windows\System32\hfdjjqC.exe
  2⤵
  PID:10832
- C:\Windows\System32\UjAcyIn.exe
  C:\Windows\System32\UjAcyIn.exe
  2⤵
  PID:10856
- C:\Windows\System32\mHuIuao.exe
  C:\Windows\System32\mHuIuao.exe
  2⤵
  PID:10888
- C:\Windows\System32\xYzjKqZ.exe
  C:\Windows\System32\xYzjKqZ.exe
  2⤵
  PID:10928
- C:\Windows\System32\dfXdqNY.exe
  C:\Windows\System32\dfXdqNY.exe
  2⤵
  PID:10956
- C:\Windows\System32\UjRJXSj.exe
  C:\Windows\System32\UjRJXSj.exe
  2⤵
  PID:10980
- C:\Windows\System32\HBKDmEp.exe
  C:\Windows\System32\HBKDmEp.exe
  2⤵
  PID:11000
- C:\Windows\System32\GSDezGT.exe
  C:\Windows\System32\GSDezGT.exe
  2⤵
  PID:11020
- C:\Windows\System32\WZCKJaK.exe
  C:\Windows\System32\WZCKJaK.exe
  2⤵
  PID:11044
- C:\Windows\System32\kKHjZhL.exe
  C:\Windows\System32\kKHjZhL.exe
  2⤵
  PID:11060
- C:\Windows\System32\mpkQaBv.exe
  C:\Windows\System32\mpkQaBv.exe
  2⤵
  PID:11104
- C:\Windows\System32\TgvuYli.exe
  C:\Windows\System32\TgvuYli.exe
  2⤵
  PID:11132
- C:\Windows\System32\xmXOXlG.exe
  C:\Windows\System32\xmXOXlG.exe
  2⤵
  PID:11160
- C:\Windows\System32\RqbSeqW.exe
  C:\Windows\System32\RqbSeqW.exe
  2⤵
  PID:11220
- C:\Windows\System32\tTLCZJz.exe
  C:\Windows\System32\tTLCZJz.exe
  2⤵
  PID:11240
- C:\Windows\System32\xAbkhDe.exe
  C:\Windows\System32\xAbkhDe.exe
  2⤵
  PID:11256
- C:\Windows\System32\cUHejhv.exe
  C:\Windows\System32\cUHejhv.exe
  2⤵
  PID:9308
- C:\Windows\System32\dGoRbol.exe
  C:\Windows\System32\dGoRbol.exe
  2⤵
  PID:10272
- C:\Windows\System32\ZKIIzri.exe
  C:\Windows\System32\ZKIIzri.exe
  2⤵
  PID:10384
- C:\Windows\System32\ldIdETo.exe
  C:\Windows\System32\ldIdETo.exe
  2⤵
  PID:10460
- C:\Windows\System32\myZinIs.exe
  C:\Windows\System32\myZinIs.exe
  2⤵
  PID:10516
- C:\Windows\System32\rnATuhK.exe
  C:\Windows\System32\rnATuhK.exe
  2⤵
  PID:10560
- C:\Windows\System32\gfaGpVj.exe
  C:\Windows\System32\gfaGpVj.exe
  2⤵
  PID:10640
- C:\Windows\System32\KwfJnEO.exe
  C:\Windows\System32\KwfJnEO.exe
  2⤵
  PID:10700
- C:\Windows\System32\WKIOVlU.exe
  C:\Windows\System32\WKIOVlU.exe
  2⤵
  PID:10760
- C:\Windows\System32\orEEzSU.exe
  C:\Windows\System32\orEEzSU.exe
  2⤵
  PID:10844
- C:\Windows\System32\AQiEFhF.exe
  C:\Windows\System32\AQiEFhF.exe
  2⤵
  PID:10912
- C:\Windows\System32\WfolJpv.exe
  C:\Windows\System32\WfolJpv.exe
  2⤵
  PID:10944
- C:\Windows\System32\hIETAeN.exe
  C:\Windows\System32\hIETAeN.exe
  2⤵
  PID:10996
- C:\Windows\System32\hUevCwE.exe
  C:\Windows\System32\hUevCwE.exe
  2⤵
  PID:11140
- C:\Windows\System32\RcPoOxc.exe
  C:\Windows\System32\RcPoOxc.exe
  2⤵
  PID:11052
- C:\Windows\System32\skjVpqs.exe
  C:\Windows\System32\skjVpqs.exe
  2⤵
  PID:11204
- C:\Windows\System32\HQnmTYW.exe
  C:\Windows\System32\HQnmTYW.exe
  2⤵
  PID:10252
- C:\Windows\System32\tDQWwTF.exe
  C:\Windows\System32\tDQWwTF.exe
  2⤵
  PID:10408
- C:\Windows\System32\HKguJOQ.exe
  C:\Windows\System32\HKguJOQ.exe
  2⤵
  PID:10552
- C:\Windows\System32\hTfQPSl.exe
  C:\Windows\System32\hTfQPSl.exe
  2⤵
  PID:10664
- C:\Windows\System32\ObJgUPt.exe
  C:\Windows\System32\ObJgUPt.exe
  2⤵
  PID:10740
- C:\Windows\System32\cKMIgXa.exe
  C:\Windows\System32\cKMIgXa.exe
  2⤵
  PID:10904
- C:\Windows\System32\GsQSSKC.exe
  C:\Windows\System32\GsQSSKC.exe
  2⤵
  PID:11012
- C:\Windows\System32\DpXeXAY.exe
  C:\Windows\System32\DpXeXAY.exe
  2⤵
  PID:11144
- C:\Windows\System32\zxClxIL.exe
  C:\Windows\System32\zxClxIL.exe
  2⤵
  PID:10208
- C:\Windows\System32\PjAsjsp.exe
  C:\Windows\System32\PjAsjsp.exe
  2⤵
  PID:1564
- C:\Windows\System32\ahTugEh.exe
  C:\Windows\System32\ahTugEh.exe
  2⤵
  PID:11088
- C:\Windows\System32\ZTlIkoD.exe
  C:\Windows\System32\ZTlIkoD.exe
  2⤵
  PID:10480
- C:\Windows\System32\RwyCPXk.exe
  C:\Windows\System32\RwyCPXk.exe
  2⤵
  PID:11292
- C:\Windows\System32\AUGlKvd.exe
  C:\Windows\System32\AUGlKvd.exe
  2⤵
  PID:11308
- C:\Windows\System32\YmGtBtf.exe
  C:\Windows\System32\YmGtBtf.exe
  2⤵
  PID:11324
- C:\Windows\System32\bTkVzFt.exe
  C:\Windows\System32\bTkVzFt.exe
  2⤵
  PID:11348
- C:\Windows\System32\BoHHqlG.exe
  C:\Windows\System32\BoHHqlG.exe
  2⤵
  PID:11372
- C:\Windows\System32\XusTtJJ.exe
  C:\Windows\System32\XusTtJJ.exe
  2⤵
  PID:11396
- C:\Windows\System32\aknCRes.exe
  C:\Windows\System32\aknCRes.exe
  2⤵
  PID:11452
- C:\Windows\System32\booIRSu.exe
  C:\Windows\System32\booIRSu.exe
  2⤵
  PID:11472
- C:\Windows\System32\YjRURuI.exe
  C:\Windows\System32\YjRURuI.exe
  2⤵
  PID:11496
- C:\Windows\System32\peinoYO.exe
  C:\Windows\System32\peinoYO.exe
  2⤵
  PID:11512
- C:\Windows\System32\vQSKsTH.exe
  C:\Windows\System32\vQSKsTH.exe
  2⤵
  PID:11564
- C:\Windows\System32\RpzLJCw.exe
  C:\Windows\System32\RpzLJCw.exe
  2⤵
  PID:11580
- C:\Windows\System32\ewWxgSI.exe
  C:\Windows\System32\ewWxgSI.exe
  2⤵
  PID:11612
- C:\Windows\System32\oqtQxdL.exe
  C:\Windows\System32\oqtQxdL.exe
  2⤵
  PID:11660
- C:\Windows\System32\BQOsiPh.exe
  C:\Windows\System32\BQOsiPh.exe
  2⤵
  PID:11684
- C:\Windows\System32\kaNPsPs.exe
  C:\Windows\System32\kaNPsPs.exe
  2⤵
  PID:11708
- C:\Windows\System32\tIjLDUt.exe
  C:\Windows\System32\tIjLDUt.exe
  2⤵
  PID:11756
- C:\Windows\System32\VemyKDK.exe
  C:\Windows\System32\VemyKDK.exe
  2⤵
  PID:11776
- C:\Windows\System32\YEdCaRW.exe
  C:\Windows\System32\YEdCaRW.exe
  2⤵
  PID:11804
- C:\Windows\System32\hrYfZfY.exe
  C:\Windows\System32\hrYfZfY.exe
  2⤵
  PID:11852
- C:\Windows\System32\QwWXdXN.exe
  C:\Windows\System32\QwWXdXN.exe
  2⤵
  PID:11868
- C:\Windows\System32\HehJTRi.exe
  C:\Windows\System32\HehJTRi.exe
  2⤵
  PID:11896
- C:\Windows\System32\HXrPZBg.exe
  C:\Windows\System32\HXrPZBg.exe
  2⤵
  PID:11924
- C:\Windows\System32\EDdDuUO.exe
  C:\Windows\System32\EDdDuUO.exe
  2⤵
  PID:11940
- C:\Windows\System32\GXUBSnJ.exe
  C:\Windows\System32\GXUBSnJ.exe
  2⤵
  PID:11976
- C:\Windows\System32\zYdMnDl.exe
  C:\Windows\System32\zYdMnDl.exe
  2⤵
  PID:11996
- C:\Windows\System32\MZFsSjV.exe
  C:\Windows\System32\MZFsSjV.exe
  2⤵
  PID:12016
- C:\Windows\System32\iYvbwmg.exe
  C:\Windows\System32\iYvbwmg.exe
  2⤵
  PID:12044
- C:\Windows\System32\TmTqwqH.exe
  C:\Windows\System32\TmTqwqH.exe
  2⤵
  PID:12064
- C:\Windows\System32\mWwrwFU.exe
  C:\Windows\System32\mWwrwFU.exe
  2⤵
  PID:12120
- C:\Windows\System32\dNHiboH.exe
  C:\Windows\System32\dNHiboH.exe
  2⤵
  PID:12148
- C:\Windows\System32\rvLyEZh.exe
  C:\Windows\System32\rvLyEZh.exe
  2⤵
  PID:12188
- C:\Windows\System32\NDqelkz.exe
  C:\Windows\System32\NDqelkz.exe
  2⤵
  PID:12216
- C:\Windows\System32\UQeEVKl.exe
  C:\Windows\System32\UQeEVKl.exe
  2⤵
  PID:12244
- C:\Windows\System32\iyUWcYt.exe
  C:\Windows\System32\iyUWcYt.exe
  2⤵
  PID:12276
- C:\Windows\System32\oPyIJNT.exe
  C:\Windows\System32\oPyIJNT.exe
  2⤵
  PID:10824
- C:\Windows\System32\uaGLLLj.exe
  C:\Windows\System32\uaGLLLj.exe
  2⤵
  PID:10304
- C:\Windows\System32\paryeQS.exe
  C:\Windows\System32\paryeQS.exe
  2⤵
  PID:11344
- C:\Windows\System32\wyWFjJh.exe
  C:\Windows\System32\wyWFjJh.exe
  2⤵
  PID:11440
- C:\Windows\System32\aCJQPku.exe
  C:\Windows\System32\aCJQPku.exe
  2⤵
  PID:11548
- C:\Windows\System32\yEHKZZN.exe
  C:\Windows\System32\yEHKZZN.exe
  2⤵
  PID:11620
- C:\Windows\System32\KHxWrhl.exe
  C:\Windows\System32\KHxWrhl.exe
  2⤵
  PID:11632
- C:\Windows\System32\pZonoeY.exe
  C:\Windows\System32\pZonoeY.exe
  2⤵
  PID:11692
- C:\Windows\System32\EYAkpym.exe
  C:\Windows\System32\EYAkpym.exe
  2⤵
  PID:11732
- C:\Windows\System32\UdbREvy.exe
  C:\Windows\System32\UdbREvy.exe
  2⤵
  PID:11784
- C:\Windows\System32\qoPNscS.exe
  C:\Windows\System32\qoPNscS.exe
  2⤵
  PID:11864
- C:\Windows\System32\JAsoFRT.exe
  C:\Windows\System32\JAsoFRT.exe
  2⤵
  PID:11952
- C:\Windows\System32\MJnRIRF.exe
  C:\Windows\System32\MJnRIRF.exe
  2⤵
  PID:12024
- C:\Windows\System32\aAxgusT.exe
  C:\Windows\System32\aAxgusT.exe
  2⤵
  PID:12088
- C:\Windows\System32\XXhLChy.exe
  C:\Windows\System32\XXhLChy.exe
  2⤵
  PID:12144
- C:\Windows\System32\CvxGXZY.exe
  C:\Windows\System32\CvxGXZY.exe
  2⤵
  PID:12176
- C:\Windows\System32\zxYZTkw.exe
  C:\Windows\System32\zxYZTkw.exe
  2⤵
  PID:12224
- C:\Windows\System32\fMmUPiV.exe
  C:\Windows\System32\fMmUPiV.exe
  2⤵
  PID:2476
- C:\Windows\System32\jfpoZTq.exe
  C:\Windows\System32\jfpoZTq.exe
  2⤵
  PID:11380
- C:\Windows\System32\iOAPkHA.exe
  C:\Windows\System32\iOAPkHA.exe
  2⤵
  PID:2988
- C:\Windows\System32\sMpwIXr.exe
  C:\Windows\System32\sMpwIXr.exe
  2⤵
  PID:4612
- C:\Windows\System32\jQbIhdc.exe
  C:\Windows\System32\jQbIhdc.exe
  2⤵
  PID:11596
- C:\Windows\System32\zClosrO.exe
  C:\Windows\System32\zClosrO.exe
  2⤵
  PID:11704
- C:\Windows\System32\GdiTaXD.exe
  C:\Windows\System32\GdiTaXD.exe
  2⤵
  PID:11984
- C:\Windows\System32\WoXSUtJ.exe
  C:\Windows\System32\WoXSUtJ.exe
  2⤵
  PID:12128
- C:\Windows\System32\gUOxFRk.exe
  C:\Windows\System32\gUOxFRk.exe
  2⤵
  PID:11196
- C:\Windows\System32\SmMAYtV.exe
  C:\Windows\System32\SmMAYtV.exe
  2⤵
  PID:11792
- C:\Windows\System32\KrntuCT.exe
  C:\Windows\System32\KrntuCT.exe
  2⤵
  PID:11916
- C:\Windows\System32\OlDXmlR.exe
  C:\Windows\System32\OlDXmlR.exe
  2⤵
  PID:11888
- C:\Windows\System32\UNsWVvB.exe
  C:\Windows\System32\UNsWVvB.exe
  2⤵
  PID:11836
- C:\Windows\System32\iOnKYPE.exe
  C:\Windows\System32\iOnKYPE.exe
  2⤵
  PID:12292
- C:\Windows\System32\ibVmHJV.exe
  C:\Windows\System32\ibVmHJV.exe
  2⤵
  PID:12320
- C:\Windows\System32\MkpuEnQ.exe
  C:\Windows\System32\MkpuEnQ.exe
  2⤵
  PID:12348
- C:\Windows\System32\hpYaYYx.exe
  C:\Windows\System32\hpYaYYx.exe
  2⤵
  PID:12384
- C:\Windows\System32\yXcrBjz.exe
  C:\Windows\System32\yXcrBjz.exe
  2⤵
  PID:12408
- C:\Windows\System32\LpgeVks.exe
  C:\Windows\System32\LpgeVks.exe
  2⤵
  PID:12432
- C:\Windows\System32\PvGLZpJ.exe
  C:\Windows\System32\PvGLZpJ.exe
  2⤵
  PID:12448
- C:\Windows\System32\BPsoICH.exe
  C:\Windows\System32\BPsoICH.exe
  2⤵
  PID:12472
- C:\Windows\System32\QQMnHbu.exe
  C:\Windows\System32\QQMnHbu.exe
  2⤵
  PID:12488
- C:\Windows\System32\TzgijSm.exe
  C:\Windows\System32\TzgijSm.exe
  2⤵
  PID:12548
- C:\Windows\System32\mVDtrtk.exe
  C:\Windows\System32\mVDtrtk.exe
  2⤵
  PID:12584
- C:\Windows\System32\EgpcrSj.exe
  C:\Windows\System32\EgpcrSj.exe
  2⤵
  PID:12608
- C:\Windows\System32\ohjjxog.exe
  C:\Windows\System32\ohjjxog.exe
  2⤵
  PID:12628
- C:\Windows\System32\RPRAoKR.exe
  C:\Windows\System32\RPRAoKR.exe
  2⤵
  PID:12644
- C:\Windows\System32\vbKNGjN.exe
  C:\Windows\System32\vbKNGjN.exe
  2⤵
  PID:12700
- C:\Windows\System32\kpPywQL.exe
  C:\Windows\System32\kpPywQL.exe
  2⤵
  PID:12720
- C:\Windows\System32\RdMulxs.exe
  C:\Windows\System32\RdMulxs.exe
  2⤵
  PID:12744
- C:\Windows\System32\zeeCmxR.exe
  C:\Windows\System32\zeeCmxR.exe
  2⤵
  PID:12788
- C:\Windows\System32\ZOuTYMS.exe
  C:\Windows\System32\ZOuTYMS.exe
  2⤵
  PID:12816
- C:\Windows\System32\aoiejFH.exe
  C:\Windows\System32\aoiejFH.exe
  2⤵
  PID:12836
- C:\Windows\System32\BTVqkoQ.exe
  C:\Windows\System32\BTVqkoQ.exe
  2⤵
  PID:12860
- C:\Windows\System32\ljCfsfZ.exe
  C:\Windows\System32\ljCfsfZ.exe
  2⤵
  PID:12876
- C:\Windows\System32\PZnbnkg.exe
  C:\Windows\System32\PZnbnkg.exe
  2⤵
  PID:12896
- C:\Windows\System32\zjrypoC.exe
  C:\Windows\System32\zjrypoC.exe
  2⤵
  PID:12920
- C:\Windows\System32\wLDshCY.exe
  C:\Windows\System32\wLDshCY.exe
  2⤵
  PID:12936
- C:\Windows\System32\zkUpXWf.exe
  C:\Windows\System32\zkUpXWf.exe
  2⤵
  PID:12956
- C:\Windows\System32\LAaWoxw.exe
  C:\Windows\System32\LAaWoxw.exe
  2⤵
  PID:12980
- C:\Windows\System32\wuLWViO.exe
  C:\Windows\System32\wuLWViO.exe
  2⤵
  PID:13032
- C:\Windows\System32\nAGBEXM.exe
  C:\Windows\System32\nAGBEXM.exe
  2⤵
  PID:13096
- C:\Windows\System32\JCjCbFW.exe
  C:\Windows\System32\JCjCbFW.exe
  2⤵
  PID:13116
- C:\Windows\System32\GVCKszi.exe
  C:\Windows\System32\GVCKszi.exe
  2⤵
  PID:13132
- C:\Windows\System32\aODUbww.exe
  C:\Windows\System32\aODUbww.exe
  2⤵
  PID:13160
- C:\Windows\System32\EqnzaDU.exe
  C:\Windows\System32\EqnzaDU.exe
  2⤵
  PID:13188
- C:\Windows\System32\DyVepfL.exe
  C:\Windows\System32\DyVepfL.exe
  2⤵
  PID:13216
- C:\Windows\System32\hvcGIyr.exe
  C:\Windows\System32\hvcGIyr.exe
  2⤵
  PID:13252
- C:\Windows\System32\oGRUweB.exe
  C:\Windows\System32\oGRUweB.exe
  2⤵
  PID:13284
- C:\Windows\System32\zFLWbwt.exe
  C:\Windows\System32\zFLWbwt.exe
  2⤵
  PID:11404
- C:\Windows\System32\YwZAWgV.exe
  C:\Windows\System32\YwZAWgV.exe
  2⤵
  PID:12332
- C:\Windows\System32\haWvfRi.exe
  C:\Windows\System32\haWvfRi.exe
  2⤵
  PID:11148
- C:\Windows\System32\zOrKRYS.exe
  C:\Windows\System32\zOrKRYS.exe
  2⤵
  PID:12396
- C:\Windows\System32\RbUyLrP.exe
  C:\Windows\System32\RbUyLrP.exe
  2⤵
  PID:12428
- C:\Windows\System32\VuWicvs.exe
  C:\Windows\System32\VuWicvs.exe
  2⤵
  PID:12504
- C:\Windows\System32\zcHqKON.exe
  C:\Windows\System32\zcHqKON.exe
  2⤵
  PID:12640
- C:\Windows\System32\amTfPtj.exe
  C:\Windows\System32\amTfPtj.exe
  2⤵
  PID:12776
- C:\Windows\System32\oHPWnfy.exe
  C:\Windows\System32\oHPWnfy.exe
  2⤵
  PID:12812

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AoLpBvl.exe

Filesize
1.2MB

MD5
5898656c221110919395ffe0a7a36d40

SHA1
d8b2a9d0621d861bdb28632ee3fce347e526f840

SHA256
5b5b1ade3e180139f4281e26398645a2b589b9c5990eaf50cb08792f3b0ea279

SHA512
1e9b97633c0be1f4d0e083f2bf7ddf9ac903247e0c519ae05ed4020bb29e9aef356f74fb8307e2a4721549a777df3298aae05dd1d941b1e016bf4c7b13951704

Download Submit
C:\Windows\System32\BBXPsEl.exe

Filesize
1.2MB

MD5
7097bd7da4cfeeb74a094a5a5fb68488

SHA1
c201f55e74d27d30bfd7f304adff7ba30aaf7bb1

SHA256
2cf10360d478fd7ba9b81623053e90683541eaadd495de0b11f9c19baf54da03

SHA512
b72cbdc02c52d44238d1ea2bdc71dcdc97e892ee181aa48d1419de190ca06b8e90d81e7fb5c508a0c5ffc04678f63d8950a5ae4856a54508c9b51e324051f7ff

Download Submit
C:\Windows\System32\HgRCdFY.exe

Filesize
1.2MB

MD5
8b5a79ee41d9df75db92d5286f359923

SHA1
3d8deed2960c5b47b1ec2d18aa2ed8c25fac0d99

SHA256
a2d256f531cf2c046996a57c00dec5e39a30e845072cd4678dac54f8d9fd040e

SHA512
4038ff63e7a626ef1e8b7e7eaf9b922a5903746e442ce7b248730038f1ab876a28f34e29a2dbcef8e45c503ddb662b3157acd64a37b070f78441ffc9792971a8

Download Submit
C:\Windows\System32\IRhdREf.exe

Filesize
1.2MB

MD5
00cf843c505b0aafade5ea1de4f18467

SHA1
0378d3fd1732d1cdd1792819b18b8d763bcee75b

SHA256
0d147c162c3d89be465105fa3fb0eb90c2854732e366c91435dd4ca4107c1dfc

SHA512
1071f1781bd820de96330699f3f2addd44cfb54b03ddd8bb440bec13ea6be29df588a2135c9d75641622965028a303ee6382a2601be846d9805f41aae009fcfd

Download Submit
C:\Windows\System32\IoWyOXg.exe

Filesize
1.2MB

MD5
fe4222785950bdf407bef8beb7decc79

SHA1
105581c0d4644218c684512c7c32f6ea652dd137

SHA256
1c4121c855b6ca6cae7f3aee48fabbed9defda275931debdba33cd9f555c0469

SHA512
a38b32dde97d59a05578b06b7bc513b4887c64183e0b360e8902fce9cff1ad32eaf87f00ca681e47765b275c0ffc4962c0ca69f6a0f74c3db5c3bfe521218de5

Download Submit
C:\Windows\System32\LJwTDSq.exe

Filesize
1.2MB

MD5
a5941eed56063b9fdc938bc1ca9064f6

SHA1
d26154fec90a76e577e222b654cc7a8f62b83668

SHA256
da84fdbc3413b5f881a16da8fff2b1e857708f9f61d171954c5298ca29e8e9cb

SHA512
42213b1414772b2780342a66d6acfa3a374c5a157b3b763578f08749d66dd502374258ddf03df394581e6f4cace69643be4e33527277d444fb6484a0fe4d791d

Download Submit
C:\Windows\System32\LLpMKwO.exe

Filesize
1.2MB

MD5
08aa9585e389884726ca0ab5d12e3426

SHA1
0756c7bd2d9c421a7ae18b9bbc34080e768ebdd9

SHA256
86e296a827c8d3157f568ef3bf8d6a3e928b335548fe840096c65aa1371994a5

SHA512
aea98db178e726fe7b1e71f2b6508db3dca431f77449aca961c666d2c480a83453b6354a3e4b08fa2f4a3e39f383f35b4d0ea66ef6e3359c9522726567886c4b

Download Submit
C:\Windows\System32\LXCpYQv.exe

Filesize
1.2MB

MD5
227c0a370549b8314d27836b11bec0a8

SHA1
1a85ee0670953e46938273e86cce7192f917b641

SHA256
0bbc91288efa6a715c529a1cc9cf4f32afad6d58e018d4d443c4d4343621ebab

SHA512
5dd6888fa13255babaf14bb62549bf964364864fabec9a37cd5dda3b8f0f3430111e37521d94a038d40d57222ad2a2513a62d4f949aefafaf246b79bf467a03a

Download Submit
C:\Windows\System32\MWXlpKp.exe

Filesize
1.2MB

MD5
b19b2314323811f9eba3dcbe641cb9d7

SHA1
8eefec54ad479b8d46b08d675e1033a9f58a92ff

SHA256
af5357258757da80a9cb6c334aeb1522a8bba88ce78ba21d4ac62bd15a442cf8

SHA512
6bf17b05a7a45c6a05e8c22c59c5a2318f7d2d94d0aa2360bb51029c0297606abb3dff8911a21e0766172cb6dea899695db0e791428eb58b2b3808ff32a8e8a2

Download Submit
C:\Windows\System32\PpzcvZF.exe

Filesize
1.2MB

MD5
6712c2a4c5e1f57e8e2075d2b3da5ba4

SHA1
dec6438164731494e37785a31d735fc702e3548f

SHA256
465963bb485b38abb70eafc773580d2c1ab203ca76c9350600fb76e0a27430e6

SHA512
faf06825795aba38c87d46a733a9ea5b49cdeafdd027eebdbbd3ec878f67702ee93f9c626c969f69f0badd69e75efd4a023f0fd425ee11d1c64b8a522efabb3b

Download Submit
C:\Windows\System32\PxoEguU.exe

Filesize
1.2MB

MD5
28a70bd4ea617038b516eeac9e3abff8

SHA1
a09eb37d1533ca340241e3d97c66e70f4136c44b

SHA256
9a4175677c5a04230986120c1cd608b15d2725eeea273420626f962f54ebf496

SHA512
0a9f3c72bf6c3e17c503ef1f578b3bb021a5c9877a053b4783b0c02e93461d271e8bf889a280b189a95589a2d85bbf6373febae667658afbf4ce6e1687c78258

Download Submit
C:\Windows\System32\RKqgmre.exe

Filesize
1.2MB

MD5
8f8cd171269cb8a05e76315cc12ccf96

SHA1
93f72db36e2e949f531cf8c28748e49bf5648662

SHA256
2b9c05e5743af51d9e21d0149530ea9edd46bb22b50a8cc35b6420529c6bf7e1

SHA512
a3c63f8f1d31c13e9b6210825a7029cfaac71d06a1c8d8c9ee84278233b96fa45f0c72f669c57c1f7580beacf2210bdb30f28df7689cb207dac031e2d9f39af4

Download Submit
C:\Windows\System32\RbTiXha.exe

Filesize
1.2MB

MD5
e88e26292828be8dba905d21827bbef9

SHA1
feaaa15b831200f41cbee860a898c39d81ea7e09

SHA256
6b980a05164735f8d671cc236a75017f257a0d97fff41aeaea2a1bd36d9db44c

SHA512
ba77d389791e8920a586bbb9be7978963568a0d3464c5a9007f9798974ebac73f14092b6436f7a1aee403a3fd5705b22e76c317769c4e1c91b3c6d0042205a28

Download Submit
C:\Windows\System32\TOWgqQi.exe

Filesize
1.2MB

MD5
3aeb2656fb805c030a5bbf98496d96b2

SHA1
55df9cd8fe48f537aeddc5402b7c0612d2d9f3fa

SHA256
7599b4fca35f6c03fce7651113f8879ce05e907725db52b89b949c17bf2a3189

SHA512
cf2e0a4cd18f5356d01df05228e77ee86c9f78c96f8cf5c9691fde5147c5e296f7e2193fa9065dea17997c3a0d565d974de9cfb19183a9299468575944ac098f

Download Submit
C:\Windows\System32\TrqzuZT.exe

Filesize
1.2MB

MD5
d490f5c6009655150433dc6834b9383c

SHA1
4f8eac10d68e875c893a25146636943948b71821

SHA256
3295b5b3438bec3050e385a077f70a803e60cb8c71d46a1a8b321badc90119d1

SHA512
577e78e0e339d1135431f9d0babd64c5ff3b554342027a166bf34dec127869cb98f92001718d83f674149befb17c1bcc305303773811a0e7568bb1d2789f049f

Download Submit
C:\Windows\System32\WhfOyOw.exe

Filesize
1.2MB

MD5
c9c00b1022ee4a88237e028153e89031

SHA1
0af166388c167632d3a4f7ee7ae2cc73f5e06f66

SHA256
1f6496589600edb03598d87586a3dbb1078d40d630d5ac4cb328294a3b53e726

SHA512
5ceabe6199ae9b60ccb373587d8a234dac84f5a8433dcb0fee7780d0e40036c0a22dd4e8b3df566d68ff8c0c620c3410d2405b439fd67074498d709f60deb9e4

Download Submit
C:\Windows\System32\YmWJuzc.exe

Filesize
1.2MB

MD5
d95540ddf48d59a9b7ec85a5be5771fd

SHA1
c52c0f6c68020e76b12aa5c9e1b54a43500d910a

SHA256
fdaa03fc147dec4050784aa22b069479b228ebbfb64db322f7ffa6c150520814

SHA512
8422ae78f6308b8b240e14af1f57b3223f790e96e547bcb5afbf1aaf53970c5e1a41525ee26f2ca91e10a7ca2bff460f5bab08f21403bc7a66ff4b8d1e8088a0

Download Submit
C:\Windows\System32\bntrQeM.exe

Filesize
1.2MB

MD5
f96489a9e9e68fa4376bb8c30a680398

SHA1
a4e6187d394d87c1dc8c3e4e38851430313c1893

SHA256
4af476b57ee500930ddc046137647c6a0b2e8e7d3b9b1fb7fd1090876705f664

SHA512
3179e16da09683628e212bec80f8199b57ff2faeebe4c298d07e1de44685bdf2e82434649346126cd82d0d89b629a56ca1f81de9f546c12de98d0d5865cb8979

Download Submit
C:\Windows\System32\dAeNbAN.exe

Filesize
1.2MB

MD5
97547df9a6b5e671fb793bc0cfd8a932

SHA1
534354a4d9edb336a8b760f66a59ebe3e977d291

SHA256
4649bd522c50b8c22460915659fef992867cff6f70fff973dcdbd321a4f7dd4b

SHA512
e19a2ffa7cb62e5ab543d852207e21a366aa1cc1867263e14852b95631b172e70a027c2334407e4fd658f9eb811df55e6dcca66c4f1551aeba03f71819a0eea4

Download Submit
C:\Windows\System32\dUZzexU.exe

Filesize
1.2MB

MD5
e6107ea15353023010924ae3b0829fa4

SHA1
6e964205f880b9c18df55976732ecaa021d0b70a

SHA256
cc02f3701afd0f68c305628eaa1f62794a445f31ab376495cb524299b3f0d284

SHA512
9a3569605258904a72c81a7c5ec39de9bc4cfc69e698df1a1e1990a533d86a16b4da89507e9321d5f28437e5dc4ae9af09feb6b6fbc85f309b8e91091f2ac38a

Download Submit
C:\Windows\System32\dYqchaJ.exe

Filesize
1.2MB

MD5
aba8b97a7622b8bab861d440544a5bf2

SHA1
ad4783eb317e69b8b9c36778ab4cc38f95360283

SHA256
f5bbf6169093076331e917fd8047a90da856d2de5e97293e966531c58d63b52d

SHA512
4f98278ab9e70a48e30f6cb3674950ba8d57cb24c5d23c00e0f7c7206b95c40da325e6a66e11c257bf6cb24b5a0d4fae44496a3dd5aac934cf5b08ca8fb30a6c

Download Submit
C:\Windows\System32\dabutls.exe

Filesize
1.2MB

MD5
fd661d951eb88dae6e1b6c5761878cc7

SHA1
664ed860bf32737e1d831ae2eb7c1ae12f24e5d3

SHA256
985cbc0b8b8b77058fbea60f4461ffa6b710ad26366b50fba097c245cbf233a8

SHA512
db143eee60cba247e6ad8d1c2f732dce3ca3ee1ec717318db7401b90dc15d1357057a8db5366f5feabc32fec28044788e10f7d5655cca644026657a734944d17

Download Submit
C:\Windows\System32\ecjUHzN.exe

Filesize
1.2MB

MD5
e6fa6fc34139abf7eca85c6d51d28237

SHA1
a8954b26d3d3a5737845db13b0d3f46b1f296a80

SHA256
d33f78894844a854d5c037977318d9b0e963f80cfd614086b076b409c07d1cf3

SHA512
884de8e33e8e6f087a39044bdbcad1a3e71856045131af79b46006dcbb198cfd6d974f1fc78c70b58cdac04fb09539db19ed0fb76bb531fc9f58e8b543e5b8bb

Download Submit
C:\Windows\System32\iHwJgSm.exe

Filesize
1.2MB

MD5
106e1ff78016f7005b58f8b81a7430a9

SHA1
5794dbc7484e54150d751f5460f731169d24d8f1

SHA256
bc6f8d9f712fb94e995dd468fa76cd34a76b3f471a6a9b2bf102bd4204bce722

SHA512
ec2f4fb9fe3529102b063257012e1767b0416260c0c9a9ef7748dea55814f809ed84f0cfe47cd1f3b6e02b49bd56de3ad2b2eb3a5bd2e844b4e331169973a0d0

Download Submit
C:\Windows\System32\mzrhZfK.exe

Filesize
1.2MB

MD5
8f38cee2c89dcb5819a0eec580e9fb29

SHA1
1a42ada7ebef71f6b12d3c838879912d1dad9451

SHA256
12c58a2be155b2d105dc0d287de71bdc82aa75a4c59d29d6030d7fc56f0f73b2

SHA512
7235e134956950ce80621a3b199f0293dee774adbe8ad393aab96e9409c0ca085813eda80dace3f8eb6934ab9f2c8688efc0787be005d25aa599bc28bdb09c8a

Download Submit
C:\Windows\System32\nsHYLji.exe

Filesize
1.2MB

MD5
53fe0bcca8a039710e443ec6790b81db

SHA1
c7e6666bf2b01663ab0959d1ca812e28619f3184

SHA256
73b1b234c43dc2b221364d594243d41949f7aa2fe01972d82fd6b1d68e120ec2

SHA512
9c61d115cf884a584c9c4ad4245c01fe95584a0aef1d48ae553ce84d6ad629edb5d9f64a2a1afbd4afc464ba8c23e827543937ff8f200821e25762bd3ff65c46

Download Submit
C:\Windows\System32\otUEYlw.exe

Filesize
1.2MB

MD5
a1b7f5bced9ebeb65413e8dc81372a1c

SHA1
5d14707ab95ede14084e99b2c67a0526b3ed6555

SHA256
b602b1581188b59e1488af2fa20069975524f44b40f86868387fe781ce93373e

SHA512
5e6f9f445d24107d46fdb0b3401840147671e69d5a21bc17ec5bf449d3637f5afca83fcabf5ce102ddfc8fdae45c4505ee8f9437977dfc42f8c63124792cd4b5

Download Submit
C:\Windows\System32\qOmnIZs.exe

Filesize
1.2MB

MD5
12547c3fbb393d5c1fcf606790d95b0d

SHA1
1a6f4a2b0ba1cd42c4efb3ae8c14ff54cc896663

SHA256
1abe0431ad52c3f5472c4de8aee078ba749ab758b70a92071589f5348fc32001

SHA512
3f27681e89ca1fba107e83b002bc75f52a178ac5ae12ec293ba9ae55a2baed0b7911f245a9e2a12893d0ead15caedb76c6605a63903be9426bce9c433b8e6007

Download Submit
C:\Windows\System32\uJkSsTL.exe

Filesize
1.2MB

MD5
2eb8892b72e5655d89e82b4afd3e5407

SHA1
0bfa33be48a52f00f83822ff6ca67fc5f4b089f8

SHA256
e783cc79cbc1aa62148b49467dea7979d980d896bb27364dd9b63c0566abe17e

SHA512
03f310e1b76a3b7fc33699422b2cc58a9e6b05a9ca3e0673fa815ff0034a996ac2429ff19542b3b1591a30909e2a1067d564b81e9a97737f1d08320a297eb1d2

Download Submit
C:\Windows\System32\umXbMuH.exe

Filesize
1.2MB

MD5
2f4e5c25403b7060f520ee0e76e1a087

SHA1
df4abeb895c12050c9636fe80bfe20c3429961a7

SHA256
9e39a7566c89145aca2ee2c9c2e393001fadab853b76e24ed27edc33b82a546f

SHA512
387d003ba5c6789be2e97a4c8e5c26a5eca5d65b0417960bf95731b2f2933616329fb19d4cfe67c0e47990bb2f76338ca22c8edb69d900729bdc82f9a1678054

Download Submit
C:\Windows\System32\xZXVBro.exe

Filesize
1.2MB

MD5
bbf8b0d568c72a03a0c12927300138fa

SHA1
f44727f5bcc81ece5cbc61d071c47e0f6d230dc2

SHA256
c758f8e4845f2e9fe6700b9f9bf6a6482988b12eb3aadc1dd9038f6358fccf48

SHA512
c609eb33bf3d5d1b4a4536904dcdfce49268ee401f67c49350a30b43b5b877b882026a5266c4ccad6f2eee5cf54610a789ed75c5e523527ada54ec2e2f674e7d

Download Submit
C:\Windows\System32\yFANnbw.exe

Filesize
1.2MB

MD5
ad1656eea52c572cf2f1da087b84fd90

SHA1
b5d75fff043e83a5c0eb41a8f488c17f1ab50508

SHA256
252c904d8dbf43cb3f30c0fe2ea70d65eda299e8c0b8e75330eb4745bf34323e

SHA512
f03a4083e19dedb34bf3b6fa6476dfe241427553ef652e0bc810062760c14c3015fb03ed5012088f3b82765929e6ee484dfd566badf4ea94e5de32ba041ab296

Download Submit
memory/1092-420-0x00007FF79B1D0000-0x00007FF79B5C1000-memory.dmp

Filesize
3.9MB

Download
memory/1092-2052-0x00007FF79B1D0000-0x00007FF79B5C1000-memory.dmp

Filesize
3.9MB

Download
memory/1164-2046-0x00007FF68BD70000-0x00007FF68C161000-memory.dmp

Filesize
3.9MB

Download
memory/1164-411-0x00007FF68BD70000-0x00007FF68C161000-memory.dmp

Filesize
3.9MB

Download
memory/1168-20-0x00007FF74D0D0000-0x00007FF74D4C1000-memory.dmp

Filesize
3.9MB

Download
memory/1168-1959-0x00007FF74D0D0000-0x00007FF74D4C1000-memory.dmp

Filesize
3.9MB

Download
memory/1168-2021-0x00007FF74D0D0000-0x00007FF74D4C1000-memory.dmp

Filesize
3.9MB

Download
memory/1476-398-0x00007FF675520000-0x00007FF675911000-memory.dmp

Filesize
3.9MB

Download
memory/1476-2033-0x00007FF675520000-0x00007FF675911000-memory.dmp

Filesize
3.9MB

Download
memory/1684-424-0x00007FF79AC10000-0x00007FF79B001000-memory.dmp

Filesize
3.9MB

Download
memory/1684-2054-0x00007FF79AC10000-0x00007FF79B001000-memory.dmp

Filesize
3.9MB

Download
memory/2040-2075-0x00007FF763910000-0x00007FF763D01000-memory.dmp

Filesize
3.9MB

Download
memory/2040-459-0x00007FF763910000-0x00007FF763D01000-memory.dmp

Filesize
3.9MB

Download
memory/2112-2027-0x00007FF79CB50000-0x00007FF79CF41000-memory.dmp

Filesize
3.9MB

Download
memory/2112-463-0x00007FF79CB50000-0x00007FF79CF41000-memory.dmp

Filesize
3.9MB

Download
memory/2196-1993-0x00007FF749820000-0x00007FF749C11000-memory.dmp

Filesize
3.9MB

Download
memory/2196-2035-0x00007FF749820000-0x00007FF749C11000-memory.dmp

Filesize
3.9MB

Download
memory/2196-55-0x00007FF749820000-0x00007FF749C11000-memory.dmp

Filesize
3.9MB

Download
memory/2332-474-0x00007FF7AF070000-0x00007FF7AF461000-memory.dmp

Filesize
3.9MB

Download
memory/2332-2041-0x00007FF7AF070000-0x00007FF7AF461000-memory.dmp

Filesize
3.9MB

Download
memory/2688-2039-0x00007FF6103F0000-0x00007FF6107E1000-memory.dmp

Filesize
3.9MB

Download
memory/2688-476-0x00007FF6103F0000-0x00007FF6107E1000-memory.dmp

Filesize
3.9MB

Download
memory/2808-2068-0x00007FF6D4C90000-0x00007FF6D5081000-memory.dmp

Filesize
3.9MB

Download
memory/2808-403-0x00007FF6D4C90000-0x00007FF6D5081000-memory.dmp

Filesize
3.9MB

Download
memory/2964-2077-0x00007FF654B40000-0x00007FF654F31000-memory.dmp

Filesize
3.9MB

Download
memory/2964-432-0x00007FF654B40000-0x00007FF654F31000-memory.dmp

Filesize
3.9MB

Download
memory/3060-433-0x00007FF683900000-0x00007FF683CF1000-memory.dmp

Filesize
3.9MB

Download
memory/3060-2056-0x00007FF683900000-0x00007FF683CF1000-memory.dmp

Filesize
3.9MB

Download
memory/3568-2019-0x00007FF71DF00000-0x00007FF71E2F1000-memory.dmp

Filesize
3.9MB

Download
memory/3568-14-0x00007FF71DF00000-0x00007FF71E2F1000-memory.dmp

Filesize
3.9MB

Download
memory/3780-470-0x00007FF762760000-0x00007FF762B51000-memory.dmp

Filesize
3.9MB

Download
memory/3780-2031-0x00007FF762760000-0x00007FF762B51000-memory.dmp

Filesize
3.9MB

Download
memory/4072-400-0x00007FF6E9770000-0x00007FF6E9B61000-memory.dmp

Filesize
3.9MB

Download
memory/4072-2066-0x00007FF6E9770000-0x00007FF6E9B61000-memory.dmp

Filesize
3.9MB

Download
memory/4120-402-0x00007FF7E6E30000-0x00007FF7E7221000-memory.dmp

Filesize
3.9MB

Download
memory/4120-2070-0x00007FF7E6E30000-0x00007FF7E7221000-memory.dmp

Filesize
3.9MB

Download
memory/4144-2037-0x00007FF68A880000-0x00007FF68AC71000-memory.dmp

Filesize
3.9MB

Download
memory/4144-399-0x00007FF68A880000-0x00007FF68AC71000-memory.dmp

Filesize
3.9MB

Download
memory/4396-0-0x00007FF6CDE10000-0x00007FF6CE201000-memory.dmp

Filesize
3.9MB

Download
memory/4396-1-0x000002928B4D0000-0x000002928B4E0000-memory.dmp

Filesize
64KB

Download
memory/4600-2029-0x00007FF6AB160000-0x00007FF6AB551000-memory.dmp

Filesize
3.9MB

Download
memory/4600-52-0x00007FF6AB160000-0x00007FF6AB551000-memory.dmp

Filesize
3.9MB

Download
memory/4908-2023-0x00007FF79B000000-0x00007FF79B3F1000-memory.dmp

Filesize
3.9MB

Download
memory/4908-29-0x00007FF79B000000-0x00007FF79B3F1000-memory.dmp

Filesize
3.9MB

Download
memory/4980-1992-0x00007FF792320000-0x00007FF792711000-memory.dmp

Filesize
3.9MB

Download
memory/4980-2025-0x00007FF792320000-0x00007FF792711000-memory.dmp

Filesize
3.9MB

Download
memory/4980-44-0x00007FF792320000-0x00007FF792711000-memory.dmp

Filesize
3.9MB

Download
memory/4992-2043-0x00007FF67DC20000-0x00007FF67E011000-memory.dmp

Filesize
3.9MB

Download
memory/4992-453-0x00007FF67DC20000-0x00007FF67E011000-memory.dmp

Filesize
3.9MB

Download
memory/5056-2050-0x00007FF6AC560000-0x00007FF6AC951000-memory.dmp

Filesize
3.9MB

Download
memory/5056-438-0x00007FF6AC560000-0x00007FF6AC951000-memory.dmp

Filesize
3.9MB

Download
memory/5068-2048-0x00007FF7B53E0000-0x00007FF7B57D1000-memory.dmp

Filesize
3.9MB

Download
memory/5068-401-0x00007FF7B53E0000-0x00007FF7B57D1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads