xmrig | 7708fed712b148cea79a8c4cc94f3f82c47c496467f597768447200d25fee442

Analysis

max time kernel
130s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
Size

1.1MB
MD5

05242996e2d084c9df65a5a5ff5c3782
SHA1

49889c899f0a73fe899a658929dde95b808fea2c
SHA256

7708fed712b148cea79a8c4cc94f3f82c47c496467f597768447200d25fee442
SHA512

0286c4e0e99ce81677bbfed5eaecb76818c1cd9ff2dc71aa380a84561cb0df8bb3ad366dfe9dfb7602105e50f2fc748d64a8feebcca76cc60b75eebf9cc064a0
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCejSu1Ouwq9:knw9oUUEEDlGUrML1OU

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/4652-25-0x00007FF79DDE0000-0x00007FF79E1D1000-memory.dmp	xmrig
behavioral2/memory/540-30-0x00007FF6C0F60000-0x00007FF6C1351000-memory.dmp	xmrig
behavioral2/memory/4568-12-0x00007FF71E750000-0x00007FF71EB41000-memory.dmp	xmrig
behavioral2/memory/1580-336-0x00007FF7C20A0000-0x00007FF7C2491000-memory.dmp	xmrig
behavioral2/memory/3688-339-0x00007FF793A70000-0x00007FF793E61000-memory.dmp	xmrig
behavioral2/memory/2100-345-0x00007FF765AB0000-0x00007FF765EA1000-memory.dmp	xmrig
behavioral2/memory/2164-354-0x00007FF78BCE0000-0x00007FF78C0D1000-memory.dmp	xmrig
behavioral2/memory/3300-350-0x00007FF7F0900000-0x00007FF7F0CF1000-memory.dmp	xmrig
behavioral2/memory/4344-367-0x00007FF7BC9F0000-0x00007FF7BCDE1000-memory.dmp	xmrig
behavioral2/memory/2260-373-0x00007FF760320000-0x00007FF760711000-memory.dmp	xmrig
behavioral2/memory/4668-375-0x00007FF78D7E0000-0x00007FF78DBD1000-memory.dmp	xmrig
behavioral2/memory/2468-376-0x00007FF6DBC70000-0x00007FF6DC061000-memory.dmp	xmrig
behavioral2/memory/3536-378-0x00007FF7F7390000-0x00007FF7F7781000-memory.dmp	xmrig
behavioral2/memory/1192-366-0x00007FF76E030000-0x00007FF76E421000-memory.dmp	xmrig
behavioral2/memory/4564-389-0x00007FF7D8C50000-0x00007FF7D9041000-memory.dmp	xmrig
behavioral2/memory/2252-397-0x00007FF65F5F0000-0x00007FF65F9E1000-memory.dmp	xmrig
behavioral2/memory/4820-402-0x00007FF7D9BF0000-0x00007FF7D9FE1000-memory.dmp	xmrig
behavioral2/memory/3284-401-0x00007FF62B650000-0x00007FF62BA41000-memory.dmp	xmrig
behavioral2/memory/2368-394-0x00007FF609560000-0x00007FF609951000-memory.dmp	xmrig
behavioral2/memory/2888-38-0x00007FF7F6B30000-0x00007FF7F6F21000-memory.dmp	xmrig
behavioral2/memory/3476-1967-0x00007FF741DA0000-0x00007FF742191000-memory.dmp	xmrig
behavioral2/memory/2888-1968-0x00007FF7F6B30000-0x00007FF7F6F21000-memory.dmp	xmrig
behavioral2/memory/5100-1969-0x00007FF70ADF0000-0x00007FF70B1E1000-memory.dmp	xmrig
behavioral2/memory/2388-2006-0x00007FF72D420000-0x00007FF72D811000-memory.dmp	xmrig
behavioral2/memory/3480-2004-0x00007FF733F20000-0x00007FF734311000-memory.dmp	xmrig
behavioral2/memory/4568-2014-0x00007FF71E750000-0x00007FF71EB41000-memory.dmp	xmrig
behavioral2/memory/4652-2016-0x00007FF79DDE0000-0x00007FF79E1D1000-memory.dmp	xmrig
behavioral2/memory/3476-2018-0x00007FF741DA0000-0x00007FF742191000-memory.dmp	xmrig
behavioral2/memory/540-2020-0x00007FF6C0F60000-0x00007FF6C1351000-memory.dmp	xmrig
behavioral2/memory/2888-2022-0x00007FF7F6B30000-0x00007FF7F6F21000-memory.dmp	xmrig
behavioral2/memory/5100-2024-0x00007FF70ADF0000-0x00007FF70B1E1000-memory.dmp	xmrig
behavioral2/memory/3480-2026-0x00007FF733F20000-0x00007FF734311000-memory.dmp	xmrig
behavioral2/memory/2388-2028-0x00007FF72D420000-0x00007FF72D811000-memory.dmp	xmrig
behavioral2/memory/3688-2032-0x00007FF793A70000-0x00007FF793E61000-memory.dmp	xmrig
behavioral2/memory/1580-2030-0x00007FF7C20A0000-0x00007FF7C2491000-memory.dmp	xmrig
behavioral2/memory/2100-2034-0x00007FF765AB0000-0x00007FF765EA1000-memory.dmp	xmrig
behavioral2/memory/3300-2036-0x00007FF7F0900000-0x00007FF7F0CF1000-memory.dmp	xmrig
behavioral2/memory/2164-2040-0x00007FF78BCE0000-0x00007FF78C0D1000-memory.dmp	xmrig
behavioral2/memory/1192-2038-0x00007FF76E030000-0x00007FF76E421000-memory.dmp	xmrig
behavioral2/memory/4344-2042-0x00007FF7BC9F0000-0x00007FF7BCDE1000-memory.dmp	xmrig
behavioral2/memory/2260-2044-0x00007FF760320000-0x00007FF760711000-memory.dmp	xmrig
behavioral2/memory/2368-2054-0x00007FF609560000-0x00007FF609951000-memory.dmp	xmrig
behavioral2/memory/2252-2056-0x00007FF65F5F0000-0x00007FF65F9E1000-memory.dmp	xmrig
behavioral2/memory/3284-2058-0x00007FF62B650000-0x00007FF62BA41000-memory.dmp	xmrig
behavioral2/memory/4564-2052-0x00007FF7D8C50000-0x00007FF7D9041000-memory.dmp	xmrig
behavioral2/memory/2468-2050-0x00007FF6DBC70000-0x00007FF6DC061000-memory.dmp	xmrig
behavioral2/memory/3536-2048-0x00007FF7F7390000-0x00007FF7F7781000-memory.dmp	xmrig
behavioral2/memory/4668-2046-0x00007FF78D7E0000-0x00007FF78DBD1000-memory.dmp	xmrig
behavioral2/memory/4820-2061-0x00007FF7D9BF0000-0x00007FF7D9FE1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4568	ejzdNpZ.exe
4652	iRbIceH.exe
3476	lAKvsQc.exe
540	SSsqySV.exe
2888	zubeqKU.exe
5100	BPrxKFl.exe
3480	njLeHIn.exe
2388	yzNUClF.exe
1580	GTKirFo.exe
3688	buNzCvM.exe
2100	dTnrLyk.exe
3300	aBzNRJB.exe
2164	dSMRdjp.exe
1192	StypHTP.exe
4344	BlJlgQA.exe
2260	siKPAgS.exe
4668	UdOSkrX.exe
2468	zATquCE.exe
3536	QiPrUhz.exe
4564	zINXXSo.exe
2368	oKnVvEa.exe
2252	HSCYsUh.exe
3284	VJmQCUf.exe
4820	maJDAAJ.exe
3864	YHVgxcM.exe
3056	giPwseO.exe
4424	vTnYBnK.exe
4836	domqZiS.exe
3340	VjHnciw.exe
744	oVaYwBx.exe
724	CRpRyEL.exe
3220	zisrQzF.exe
4492	YvqQlIc.exe
4920	KqJwkgz.exe
4924	zSNWsWD.exe
4612	rVdYwTc.exe
1852	GMHhrCM.exe
4272	dRpWrVu.exe
4780	KivwlVS.exe
3216	UrchBWI.exe
2608	KYUwviG.exe
2432	URKrcYl.exe
4260	SqOvPkl.exe
3292	QWcbOzz.exe
2648	FzWGMPx.exe
1028	YyuSory.exe
2160	UUyIxtA.exe
3428	bdBfgmb.exe
2616	NQbeLbs.exe
776	TSHNrQq.exe
4828	aWxxLKF.exe
1012	vdZDiIx.exe
1000	mPUwAvb.exe
3224	SwnxlFr.exe
3068	TfhZUwp.exe
4024	AbRGALk.exe
4536	mVwfUKv.exe
3316	zaAOpZD.exe
2524	egmbteD.exe
2344	EGYChxh.exe
2004	ZoLaAgI.exe
5032	ggSfKge.exe
3820	fkBgCFk.exe
4644	dcECBrL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1968-0-0x00007FF61EAA0000-0x00007FF61EE91000-memory.dmp	upx
behavioral2/files/0x000b000000023414-5.dat	upx
behavioral2/files/0x0007000000023422-8.dat	upx
behavioral2/files/0x0008000000023421-18.dat	upx
behavioral2/memory/4652-25-0x00007FF79DDE0000-0x00007FF79E1D1000-memory.dmp	upx
behavioral2/files/0x0007000000023425-32.dat	upx
behavioral2/memory/540-30-0x00007FF6C0F60000-0x00007FF6C1351000-memory.dmp	upx
behavioral2/files/0x0007000000023424-29.dat	upx
behavioral2/memory/3476-21-0x00007FF741DA0000-0x00007FF742191000-memory.dmp	upx
behavioral2/files/0x0007000000023423-26.dat	upx
behavioral2/memory/4568-12-0x00007FF71E750000-0x00007FF71EB41000-memory.dmp	upx
behavioral2/memory/5100-43-0x00007FF70ADF0000-0x00007FF70B1E1000-memory.dmp	upx
behavioral2/files/0x0007000000023428-54.dat	upx
behavioral2/files/0x0007000000023429-60.dat	upx
behavioral2/files/0x000700000002342c-74.dat	upx
behavioral2/files/0x000700000002342f-89.dat	upx
behavioral2/files/0x0007000000023430-94.dat	upx
behavioral2/files/0x0007000000023432-105.dat	upx
behavioral2/files/0x0007000000023435-117.dat	upx
behavioral2/files/0x0007000000023437-129.dat	upx
behavioral2/files/0x0007000000023439-139.dat	upx
behavioral2/files/0x000700000002343e-164.dat	upx
behavioral2/memory/1580-336-0x00007FF7C20A0000-0x00007FF7C2491000-memory.dmp	upx
behavioral2/files/0x000700000002343f-169.dat	upx
behavioral2/files/0x000700000002343d-159.dat	upx
behavioral2/files/0x000700000002343c-155.dat	upx
behavioral2/files/0x000700000002343b-149.dat	upx
behavioral2/files/0x000700000002343a-145.dat	upx
behavioral2/files/0x0007000000023438-134.dat	upx
behavioral2/memory/3688-339-0x00007FF793A70000-0x00007FF793E61000-memory.dmp	upx
behavioral2/memory/2100-345-0x00007FF765AB0000-0x00007FF765EA1000-memory.dmp	upx
behavioral2/memory/2164-354-0x00007FF78BCE0000-0x00007FF78C0D1000-memory.dmp	upx
behavioral2/memory/3300-350-0x00007FF7F0900000-0x00007FF7F0CF1000-memory.dmp	upx
behavioral2/files/0x0007000000023436-125.dat	upx
behavioral2/memory/4344-367-0x00007FF7BC9F0000-0x00007FF7BCDE1000-memory.dmp	upx
behavioral2/memory/2260-373-0x00007FF760320000-0x00007FF760711000-memory.dmp	upx
behavioral2/memory/4668-375-0x00007FF78D7E0000-0x00007FF78DBD1000-memory.dmp	upx
behavioral2/memory/2468-376-0x00007FF6DBC70000-0x00007FF6DC061000-memory.dmp	upx
behavioral2/memory/3536-378-0x00007FF7F7390000-0x00007FF7F7781000-memory.dmp	upx
behavioral2/memory/1192-366-0x00007FF76E030000-0x00007FF76E421000-memory.dmp	upx
behavioral2/files/0x0007000000023434-114.dat	upx
behavioral2/files/0x0007000000023433-109.dat	upx
behavioral2/files/0x0007000000023431-99.dat	upx
behavioral2/files/0x000700000002342e-84.dat	upx
behavioral2/files/0x000700000002342d-80.dat	upx
behavioral2/memory/4564-389-0x00007FF7D8C50000-0x00007FF7D9041000-memory.dmp	upx
behavioral2/memory/2252-397-0x00007FF65F5F0000-0x00007FF65F9E1000-memory.dmp	upx
behavioral2/memory/4820-402-0x00007FF7D9BF0000-0x00007FF7D9FE1000-memory.dmp	upx
behavioral2/memory/3284-401-0x00007FF62B650000-0x00007FF62BA41000-memory.dmp	upx
behavioral2/memory/2368-394-0x00007FF609560000-0x00007FF609951000-memory.dmp	upx
behavioral2/files/0x000700000002342b-69.dat	upx
behavioral2/files/0x000700000002342a-64.dat	upx
behavioral2/files/0x0007000000023427-48.dat	upx
behavioral2/memory/2388-47-0x00007FF72D420000-0x00007FF72D811000-memory.dmp	upx
behavioral2/files/0x0007000000023426-44.dat	upx
behavioral2/memory/3480-46-0x00007FF733F20000-0x00007FF734311000-memory.dmp	upx
behavioral2/memory/2888-38-0x00007FF7F6B30000-0x00007FF7F6F21000-memory.dmp	upx
behavioral2/memory/3476-1967-0x00007FF741DA0000-0x00007FF742191000-memory.dmp	upx
behavioral2/memory/2888-1968-0x00007FF7F6B30000-0x00007FF7F6F21000-memory.dmp	upx
behavioral2/memory/5100-1969-0x00007FF70ADF0000-0x00007FF70B1E1000-memory.dmp	upx
behavioral2/memory/2388-2006-0x00007FF72D420000-0x00007FF72D811000-memory.dmp	upx
behavioral2/memory/3480-2004-0x00007FF733F20000-0x00007FF734311000-memory.dmp	upx
behavioral2/memory/4568-2014-0x00007FF71E750000-0x00007FF71EB41000-memory.dmp	upx
behavioral2/memory/4652-2016-0x00007FF79DDE0000-0x00007FF79E1D1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\naeHxNJ.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\ulzEFAy.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\czCnGiz.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\vdZDiIx.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\RfSPWgC.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\ThcekLa.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\rLhAfye.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\gVJUZLI.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\oskGZRf.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\wyFSPXw.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\wiaubOJ.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\QjMZWdZ.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\cReyCoZ.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\dZdKCyC.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\lAKvsQc.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\etueefc.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\tnbQwHE.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\QcKjLJf.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\CPuzZnn.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\iRbIceH.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\WTUQTez.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\paDlbzZ.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\nukLjAF.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\mMwJMcX.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\ywFsdwg.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\zisrQzF.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\nowzIwV.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\SKReAlA.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\uyCBDeW.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\cHLvZin.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\PMeXnjo.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\BBDPspy.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\cKpLtvF.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\bOFFBjb.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\HxSZVQK.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\jEhkyfk.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\HmrHjrc.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\RKwvHJO.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\lctbluC.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\VptADkn.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\gkojEbN.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\xKqcjCG.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\MONAWSe.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\GfgoZfR.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\MwxZntX.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\cbMGicg.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\XTFguPC.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\hRhyLHG.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\oxJJBXy.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\xcQGtTZ.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\UJTUYwC.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\DXgcFoK.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\izPOQfz.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\xMVxTyi.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\HaoNeRd.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\iTekpBq.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\biGRoxy.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\zlDhKHP.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\zubeqKU.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\rGRvQmE.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\FJAzHju.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\boRfuKI.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\jnTYhvH.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
File created	C:\Windows\System32\mkiQlQZ.exe	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1708	dwm.exe
Token: SeChangeNotifyPrivilege	1708	dwm.exe
Token: 33	1708	dwm.exe
Token: SeIncBasePriorityPrivilege	1708	dwm.exe
Token: SeShutdownPrivilege	1708	dwm.exe
Token: SeCreatePagefilePrivilege	1708	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 4568	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	84
PID 1968 wrote to memory of 4568	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	84
PID 1968 wrote to memory of 4652	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	85
PID 1968 wrote to memory of 4652	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	85
PID 1968 wrote to memory of 3476	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	86
PID 1968 wrote to memory of 3476	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	86
PID 1968 wrote to memory of 540	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	87
PID 1968 wrote to memory of 540	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	87
PID 1968 wrote to memory of 2888	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	88
PID 1968 wrote to memory of 2888	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	88
PID 1968 wrote to memory of 5100	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	89
PID 1968 wrote to memory of 5100	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	89
PID 1968 wrote to memory of 3480	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	90
PID 1968 wrote to memory of 3480	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	90
PID 1968 wrote to memory of 2388	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	91
PID 1968 wrote to memory of 2388	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	91
PID 1968 wrote to memory of 1580	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	93
PID 1968 wrote to memory of 1580	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	93
PID 1968 wrote to memory of 3688	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	94
PID 1968 wrote to memory of 3688	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	94
PID 1968 wrote to memory of 2100	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	95
PID 1968 wrote to memory of 2100	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	95
PID 1968 wrote to memory of 3300	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	96
PID 1968 wrote to memory of 3300	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	96
PID 1968 wrote to memory of 2164	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	97
PID 1968 wrote to memory of 2164	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	97
PID 1968 wrote to memory of 1192	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	98
PID 1968 wrote to memory of 1192	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	98
PID 1968 wrote to memory of 4344	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	99
PID 1968 wrote to memory of 4344	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	99
PID 1968 wrote to memory of 2260	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	100
PID 1968 wrote to memory of 2260	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	100
PID 1968 wrote to memory of 4668	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	101
PID 1968 wrote to memory of 4668	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	101
PID 1968 wrote to memory of 2468	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	102
PID 1968 wrote to memory of 2468	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	102
PID 1968 wrote to memory of 3536	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	103
PID 1968 wrote to memory of 3536	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	103
PID 1968 wrote to memory of 4564	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	104
PID 1968 wrote to memory of 4564	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	104
PID 1968 wrote to memory of 2368	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	105
PID 1968 wrote to memory of 2368	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	105
PID 1968 wrote to memory of 2252	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	106
PID 1968 wrote to memory of 2252	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	106
PID 1968 wrote to memory of 3284	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	107
PID 1968 wrote to memory of 3284	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	107
PID 1968 wrote to memory of 4820	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	108
PID 1968 wrote to memory of 4820	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	108
PID 1968 wrote to memory of 3864	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	109
PID 1968 wrote to memory of 3864	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	109
PID 1968 wrote to memory of 3056	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	110
PID 1968 wrote to memory of 3056	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	110
PID 1968 wrote to memory of 4424	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	111
PID 1968 wrote to memory of 4424	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	111
PID 1968 wrote to memory of 4836	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	112
PID 1968 wrote to memory of 4836	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	112
PID 1968 wrote to memory of 3340	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	113
PID 1968 wrote to memory of 3340	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	113
PID 1968 wrote to memory of 744	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	114
PID 1968 wrote to memory of 744	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	114
PID 1968 wrote to memory of 724	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	115
PID 1968 wrote to memory of 724	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	115
PID 1968 wrote to memory of 3220	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	116
PID 1968 wrote to memory of 3220	1968	05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05242996e2d084c9df65a5a5ff5c3782_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\ejzdNpZ.exe
  C:\Windows\System32\ejzdNpZ.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\iRbIceH.exe
  C:\Windows\System32\iRbIceH.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\lAKvsQc.exe
  C:\Windows\System32\lAKvsQc.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System32\SSsqySV.exe
  C:\Windows\System32\SSsqySV.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System32\zubeqKU.exe
  C:\Windows\System32\zubeqKU.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System32\BPrxKFl.exe
  C:\Windows\System32\BPrxKFl.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\njLeHIn.exe
  C:\Windows\System32\njLeHIn.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\yzNUClF.exe
  C:\Windows\System32\yzNUClF.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System32\GTKirFo.exe
  C:\Windows\System32\GTKirFo.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System32\buNzCvM.exe
  C:\Windows\System32\buNzCvM.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System32\dTnrLyk.exe
  C:\Windows\System32\dTnrLyk.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System32\aBzNRJB.exe
  C:\Windows\System32\aBzNRJB.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System32\dSMRdjp.exe
  C:\Windows\System32\dSMRdjp.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System32\StypHTP.exe
  C:\Windows\System32\StypHTP.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System32\BlJlgQA.exe
  C:\Windows\System32\BlJlgQA.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\siKPAgS.exe
  C:\Windows\System32\siKPAgS.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System32\UdOSkrX.exe
  C:\Windows\System32\UdOSkrX.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\zATquCE.exe
  C:\Windows\System32\zATquCE.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System32\QiPrUhz.exe
  C:\Windows\System32\QiPrUhz.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System32\zINXXSo.exe
  C:\Windows\System32\zINXXSo.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System32\oKnVvEa.exe
  C:\Windows\System32\oKnVvEa.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\HSCYsUh.exe
  C:\Windows\System32\HSCYsUh.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System32\VJmQCUf.exe
  C:\Windows\System32\VJmQCUf.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\maJDAAJ.exe
  C:\Windows\System32\maJDAAJ.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System32\YHVgxcM.exe
  C:\Windows\System32\YHVgxcM.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\giPwseO.exe
  C:\Windows\System32\giPwseO.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\vTnYBnK.exe
  C:\Windows\System32\vTnYBnK.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\domqZiS.exe
  C:\Windows\System32\domqZiS.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System32\VjHnciw.exe
  C:\Windows\System32\VjHnciw.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\oVaYwBx.exe
  C:\Windows\System32\oVaYwBx.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\CRpRyEL.exe
  C:\Windows\System32\CRpRyEL.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System32\zisrQzF.exe
  C:\Windows\System32\zisrQzF.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\YvqQlIc.exe
  C:\Windows\System32\YvqQlIc.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\KqJwkgz.exe
  C:\Windows\System32\KqJwkgz.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\zSNWsWD.exe
  C:\Windows\System32\zSNWsWD.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\rVdYwTc.exe
  C:\Windows\System32\rVdYwTc.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\GMHhrCM.exe
  C:\Windows\System32\GMHhrCM.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System32\dRpWrVu.exe
  C:\Windows\System32\dRpWrVu.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\KivwlVS.exe
  C:\Windows\System32\KivwlVS.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\UrchBWI.exe
  C:\Windows\System32\UrchBWI.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\KYUwviG.exe
  C:\Windows\System32\KYUwviG.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System32\URKrcYl.exe
  C:\Windows\System32\URKrcYl.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System32\SqOvPkl.exe
  C:\Windows\System32\SqOvPkl.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System32\QWcbOzz.exe
  C:\Windows\System32\QWcbOzz.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\FzWGMPx.exe
  C:\Windows\System32\FzWGMPx.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\YyuSory.exe
  C:\Windows\System32\YyuSory.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System32\UUyIxtA.exe
  C:\Windows\System32\UUyIxtA.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System32\bdBfgmb.exe
  C:\Windows\System32\bdBfgmb.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System32\NQbeLbs.exe
  C:\Windows\System32\NQbeLbs.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System32\TSHNrQq.exe
  C:\Windows\System32\TSHNrQq.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System32\aWxxLKF.exe
  C:\Windows\System32\aWxxLKF.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\vdZDiIx.exe
  C:\Windows\System32\vdZDiIx.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System32\mPUwAvb.exe
  C:\Windows\System32\mPUwAvb.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System32\SwnxlFr.exe
  C:\Windows\System32\SwnxlFr.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\TfhZUwp.exe
  C:\Windows\System32\TfhZUwp.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System32\AbRGALk.exe
  C:\Windows\System32\AbRGALk.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System32\mVwfUKv.exe
  C:\Windows\System32\mVwfUKv.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\zaAOpZD.exe
  C:\Windows\System32\zaAOpZD.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System32\egmbteD.exe
  C:\Windows\System32\egmbteD.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System32\EGYChxh.exe
  C:\Windows\System32\EGYChxh.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System32\ZoLaAgI.exe
  C:\Windows\System32\ZoLaAgI.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System32\ggSfKge.exe
  C:\Windows\System32\ggSfKge.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\fkBgCFk.exe
  C:\Windows\System32\fkBgCFk.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System32\dcECBrL.exe
  C:\Windows\System32\dcECBrL.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\ogvBdKQ.exe
  C:\Windows\System32\ogvBdKQ.exe
  2⤵
  PID:2104
- C:\Windows\System32\vBkmHBL.exe
  C:\Windows\System32\vBkmHBL.exe
  2⤵
  PID:4476
- C:\Windows\System32\RraKgPG.exe
  C:\Windows\System32\RraKgPG.exe
  2⤵
  PID:4784
- C:\Windows\System32\WTUQTez.exe
  C:\Windows\System32\WTUQTez.exe
  2⤵
  PID:4208
- C:\Windows\System32\HxSZVQK.exe
  C:\Windows\System32\HxSZVQK.exe
  2⤵
  PID:1608
- C:\Windows\System32\ToKAdMT.exe
  C:\Windows\System32\ToKAdMT.exe
  2⤵
  PID:4664
- C:\Windows\System32\BbIianN.exe
  C:\Windows\System32\BbIianN.exe
  2⤵
  PID:1904
- C:\Windows\System32\ZcZqNZg.exe
  C:\Windows\System32\ZcZqNZg.exe
  2⤵
  PID:4296
- C:\Windows\System32\RIFhZCm.exe
  C:\Windows\System32\RIFhZCm.exe
  2⤵
  PID:2352
- C:\Windows\System32\ukZBVWf.exe
  C:\Windows\System32\ukZBVWf.exe
  2⤵
  PID:1264
- C:\Windows\System32\jEhkyfk.exe
  C:\Windows\System32\jEhkyfk.exe
  2⤵
  PID:4952
- C:\Windows\System32\LAyCbmR.exe
  C:\Windows\System32\LAyCbmR.exe
  2⤵
  PID:3584
- C:\Windows\System32\KmtYGWk.exe
  C:\Windows\System32\KmtYGWk.exe
  2⤵
  PID:2596
- C:\Windows\System32\kNidDGy.exe
  C:\Windows\System32\kNidDGy.exe
  2⤵
  PID:3008
- C:\Windows\System32\mrTFkCn.exe
  C:\Windows\System32\mrTFkCn.exe
  2⤵
  PID:2440
- C:\Windows\System32\bPmJctc.exe
  C:\Windows\System32\bPmJctc.exe
  2⤵
  PID:3800
- C:\Windows\System32\pcRhZPg.exe
  C:\Windows\System32\pcRhZPg.exe
  2⤵
  PID:4864
- C:\Windows\System32\FAybgsR.exe
  C:\Windows\System32\FAybgsR.exe
  2⤵
  PID:3960
- C:\Windows\System32\HyCfyro.exe
  C:\Windows\System32\HyCfyro.exe
  2⤵
  PID:316
- C:\Windows\System32\wiaubOJ.exe
  C:\Windows\System32\wiaubOJ.exe
  2⤵
  PID:396
- C:\Windows\System32\tfPBFJU.exe
  C:\Windows\System32\tfPBFJU.exe
  2⤵
  PID:2324
- C:\Windows\System32\MpAlhrI.exe
  C:\Windows\System32\MpAlhrI.exe
  2⤵
  PID:3016
- C:\Windows\System32\jwnrEjc.exe
  C:\Windows\System32\jwnrEjc.exe
  2⤵
  PID:2064
- C:\Windows\System32\OKyXDUA.exe
  C:\Windows\System32\OKyXDUA.exe
  2⤵
  PID:4340
- C:\Windows\System32\QjMZWdZ.exe
  C:\Windows\System32\QjMZWdZ.exe
  2⤵
  PID:4312
- C:\Windows\System32\xMVxTyi.exe
  C:\Windows\System32\xMVxTyi.exe
  2⤵
  PID:3988
- C:\Windows\System32\XIrkVlg.exe
  C:\Windows\System32\XIrkVlg.exe
  2⤵
  PID:1696
- C:\Windows\System32\iDpPqDd.exe
  C:\Windows\System32\iDpPqDd.exe
  2⤵
  PID:3996
- C:\Windows\System32\sSWlNKv.exe
  C:\Windows\System32\sSWlNKv.exe
  2⤵
  PID:3092
- C:\Windows\System32\mwfjLwH.exe
  C:\Windows\System32\mwfjLwH.exe
  2⤵
  PID:400
- C:\Windows\System32\WCuMcRz.exe
  C:\Windows\System32\WCuMcRz.exe
  2⤵
  PID:1176
- C:\Windows\System32\WuFCIeu.exe
  C:\Windows\System32\WuFCIeu.exe
  2⤵
  PID:4216
- C:\Windows\System32\SrKztdZ.exe
  C:\Windows\System32\SrKztdZ.exe
  2⤵
  PID:1340
- C:\Windows\System32\bHohksO.exe
  C:\Windows\System32\bHohksO.exe
  2⤵
  PID:3028
- C:\Windows\System32\ESfEerV.exe
  C:\Windows\System32\ESfEerV.exe
  2⤵
  PID:5136
- C:\Windows\System32\buNBuDT.exe
  C:\Windows\System32\buNBuDT.exe
  2⤵
  PID:5180
- C:\Windows\System32\xiiCacP.exe
  C:\Windows\System32\xiiCacP.exe
  2⤵
  PID:5196
- C:\Windows\System32\XVgjUlp.exe
  C:\Windows\System32\XVgjUlp.exe
  2⤵
  PID:5264
- C:\Windows\System32\SkSgUTc.exe
  C:\Windows\System32\SkSgUTc.exe
  2⤵
  PID:5288
- C:\Windows\System32\cReyCoZ.exe
  C:\Windows\System32\cReyCoZ.exe
  2⤵
  PID:5312
- C:\Windows\System32\rGRvQmE.exe
  C:\Windows\System32\rGRvQmE.exe
  2⤵
  PID:5328
- C:\Windows\System32\etueefc.exe
  C:\Windows\System32\etueefc.exe
  2⤵
  PID:5356
- C:\Windows\System32\HaoNeRd.exe
  C:\Windows\System32\HaoNeRd.exe
  2⤵
  PID:5424
- C:\Windows\System32\vbtBkTD.exe
  C:\Windows\System32\vbtBkTD.exe
  2⤵
  PID:5448
- C:\Windows\System32\TgItLMW.exe
  C:\Windows\System32\TgItLMW.exe
  2⤵
  PID:5468
- C:\Windows\System32\IHKaIgJ.exe
  C:\Windows\System32\IHKaIgJ.exe
  2⤵
  PID:5508
- C:\Windows\System32\xqEaiPI.exe
  C:\Windows\System32\xqEaiPI.exe
  2⤵
  PID:5528
- C:\Windows\System32\oxJJBXy.exe
  C:\Windows\System32\oxJJBXy.exe
  2⤵
  PID:5552
- C:\Windows\System32\CXeLNfL.exe
  C:\Windows\System32\CXeLNfL.exe
  2⤵
  PID:5572
- C:\Windows\System32\ePnIXId.exe
  C:\Windows\System32\ePnIXId.exe
  2⤵
  PID:5596
- C:\Windows\System32\XjuIrNI.exe
  C:\Windows\System32\XjuIrNI.exe
  2⤵
  PID:5616
- C:\Windows\System32\IjLzjpE.exe
  C:\Windows\System32\IjLzjpE.exe
  2⤵
  PID:5640
- C:\Windows\System32\tDESyAd.exe
  C:\Windows\System32\tDESyAd.exe
  2⤵
  PID:5684
- C:\Windows\System32\WflErBs.exe
  C:\Windows\System32\WflErBs.exe
  2⤵
  PID:5732
- C:\Windows\System32\HtBMSum.exe
  C:\Windows\System32\HtBMSum.exe
  2⤵
  PID:5768
- C:\Windows\System32\lcdSRpy.exe
  C:\Windows\System32\lcdSRpy.exe
  2⤵
  PID:5792
- C:\Windows\System32\nXhUTqn.exe
  C:\Windows\System32\nXhUTqn.exe
  2⤵
  PID:5808
- C:\Windows\System32\HvuBkpz.exe
  C:\Windows\System32\HvuBkpz.exe
  2⤵
  PID:5824
- C:\Windows\System32\mkiQlQZ.exe
  C:\Windows\System32\mkiQlQZ.exe
  2⤵
  PID:5852
- C:\Windows\System32\PDmLpVL.exe
  C:\Windows\System32\PDmLpVL.exe
  2⤵
  PID:5904
- C:\Windows\System32\xAforxG.exe
  C:\Windows\System32\xAforxG.exe
  2⤵
  PID:5928
- C:\Windows\System32\ZCFyASQ.exe
  C:\Windows\System32\ZCFyASQ.exe
  2⤵
  PID:5944
- C:\Windows\System32\oRzABLT.exe
  C:\Windows\System32\oRzABLT.exe
  2⤵
  PID:5964
- C:\Windows\System32\fiVmgyF.exe
  C:\Windows\System32\fiVmgyF.exe
  2⤵
  PID:5984
- C:\Windows\System32\mMLKSUn.exe
  C:\Windows\System32\mMLKSUn.exe
  2⤵
  PID:6000
- C:\Windows\System32\xcQGtTZ.exe
  C:\Windows\System32\xcQGtTZ.exe
  2⤵
  PID:6064
- C:\Windows\System32\rLhAfye.exe
  C:\Windows\System32\rLhAfye.exe
  2⤵
  PID:6084
- C:\Windows\System32\boRfuKI.exe
  C:\Windows\System32\boRfuKI.exe
  2⤵
  PID:6100
- C:\Windows\System32\VNpTUlW.exe
  C:\Windows\System32\VNpTUlW.exe
  2⤵
  PID:6132
- C:\Windows\System32\NwNjrlo.exe
  C:\Windows\System32\NwNjrlo.exe
  2⤵
  PID:4976
- C:\Windows\System32\ESOrwIL.exe
  C:\Windows\System32\ESOrwIL.exe
  2⤵
  PID:3532
- C:\Windows\System32\CfVuQBg.exe
  C:\Windows\System32\CfVuQBg.exe
  2⤵
  PID:5144
- C:\Windows\System32\cQZrRAL.exe
  C:\Windows\System32\cQZrRAL.exe
  2⤵
  PID:5220
- C:\Windows\System32\HesRXFK.exe
  C:\Windows\System32\HesRXFK.exe
  2⤵
  PID:4948
- C:\Windows\System32\naeHxNJ.exe
  C:\Windows\System32\naeHxNJ.exe
  2⤵
  PID:5348
- C:\Windows\System32\gmahwhI.exe
  C:\Windows\System32\gmahwhI.exe
  2⤵
  PID:5324
- C:\Windows\System32\VMNnbhg.exe
  C:\Windows\System32\VMNnbhg.exe
  2⤵
  PID:2012
- C:\Windows\System32\ScstnOB.exe
  C:\Windows\System32\ScstnOB.exe
  2⤵
  PID:5336
- C:\Windows\System32\MIWevdZ.exe
  C:\Windows\System32\MIWevdZ.exe
  2⤵
  PID:5460
- C:\Windows\System32\EKJcRVo.exe
  C:\Windows\System32\EKJcRVo.exe
  2⤵
  PID:5496
- C:\Windows\System32\uXwccoY.exe
  C:\Windows\System32\uXwccoY.exe
  2⤵
  PID:5536
- C:\Windows\System32\ZSoWvGy.exe
  C:\Windows\System32\ZSoWvGy.exe
  2⤵
  PID:5676
- C:\Windows\System32\RAFxATW.exe
  C:\Windows\System32\RAFxATW.exe
  2⤵
  PID:5776
- C:\Windows\System32\JEMhmEi.exe
  C:\Windows\System32\JEMhmEi.exe
  2⤵
  PID:5788
- C:\Windows\System32\jmHxHGn.exe
  C:\Windows\System32\jmHxHGn.exe
  2⤵
  PID:5804
- C:\Windows\System32\dkLegnT.exe
  C:\Windows\System32\dkLegnT.exe
  2⤵
  PID:5896
- C:\Windows\System32\iwGPRNl.exe
  C:\Windows\System32\iwGPRNl.exe
  2⤵
  PID:5956
- C:\Windows\System32\gxDOHsc.exe
  C:\Windows\System32\gxDOHsc.exe
  2⤵
  PID:6044
- C:\Windows\System32\nowzIwV.exe
  C:\Windows\System32\nowzIwV.exe
  2⤵
  PID:6112
- C:\Windows\System32\tTfijNi.exe
  C:\Windows\System32\tTfijNi.exe
  2⤵
  PID:5168
- C:\Windows\System32\ajXfNvy.exe
  C:\Windows\System32\ajXfNvy.exe
  2⤵
  PID:1252
- C:\Windows\System32\fWFMlPv.exe
  C:\Windows\System32\fWFMlPv.exe
  2⤵
  PID:5224
- C:\Windows\System32\cvjqykL.exe
  C:\Windows\System32\cvjqykL.exe
  2⤵
  PID:5212
- C:\Windows\System32\MoNmRNh.exe
  C:\Windows\System32\MoNmRNh.exe
  2⤵
  PID:2096
- C:\Windows\System32\vvlecgj.exe
  C:\Windows\System32\vvlecgj.exe
  2⤵
  PID:5340
- C:\Windows\System32\UflPLlp.exe
  C:\Windows\System32\UflPLlp.exe
  2⤵
  PID:5380
- C:\Windows\System32\gjrmQUp.exe
  C:\Windows\System32\gjrmQUp.exe
  2⤵
  PID:5764
- C:\Windows\System32\vTaRZMe.exe
  C:\Windows\System32\vTaRZMe.exe
  2⤵
  PID:5888
- C:\Windows\System32\rXjZwHn.exe
  C:\Windows\System32\rXjZwHn.exe
  2⤵
  PID:5952
- C:\Windows\System32\sfjeqkW.exe
  C:\Windows\System32\sfjeqkW.exe
  2⤵
  PID:6072
- C:\Windows\System32\ClUZFdz.exe
  C:\Windows\System32\ClUZFdz.exe
  2⤵
  PID:4408
- C:\Windows\System32\VFsJiHE.exe
  C:\Windows\System32\VFsJiHE.exe
  2⤵
  PID:5980
- C:\Windows\System32\elOlQjl.exe
  C:\Windows\System32\elOlQjl.exe
  2⤵
  PID:6156
- C:\Windows\System32\mxupDGw.exe
  C:\Windows\System32\mxupDGw.exe
  2⤵
  PID:6180
- C:\Windows\System32\twcajXE.exe
  C:\Windows\System32\twcajXE.exe
  2⤵
  PID:6196
- C:\Windows\System32\tDAMkqo.exe
  C:\Windows\System32\tDAMkqo.exe
  2⤵
  PID:6224
- C:\Windows\System32\yLRFxKz.exe
  C:\Windows\System32\yLRFxKz.exe
  2⤵
  PID:6244
- C:\Windows\System32\iTkEUoi.exe
  C:\Windows\System32\iTkEUoi.exe
  2⤵
  PID:6260
- C:\Windows\System32\vuirTNx.exe
  C:\Windows\System32\vuirTNx.exe
  2⤵
  PID:6284
- C:\Windows\System32\oIqeajX.exe
  C:\Windows\System32\oIqeajX.exe
  2⤵
  PID:6388
- C:\Windows\System32\rfstqcM.exe
  C:\Windows\System32\rfstqcM.exe
  2⤵
  PID:6428
- C:\Windows\System32\oOgmhTG.exe
  C:\Windows\System32\oOgmhTG.exe
  2⤵
  PID:6448
- C:\Windows\System32\vqngtCp.exe
  C:\Windows\System32\vqngtCp.exe
  2⤵
  PID:6464
- C:\Windows\System32\jpzTYQF.exe
  C:\Windows\System32\jpzTYQF.exe
  2⤵
  PID:6520
- C:\Windows\System32\paDlbzZ.exe
  C:\Windows\System32\paDlbzZ.exe
  2⤵
  PID:6536
- C:\Windows\System32\iQpZfgv.exe
  C:\Windows\System32\iQpZfgv.exe
  2⤵
  PID:6604
- C:\Windows\System32\jUvngQA.exe
  C:\Windows\System32\jUvngQA.exe
  2⤵
  PID:6640
- C:\Windows\System32\HakAAWF.exe
  C:\Windows\System32\HakAAWF.exe
  2⤵
  PID:6660
- C:\Windows\System32\HGaBZvd.exe
  C:\Windows\System32\HGaBZvd.exe
  2⤵
  PID:6688
- C:\Windows\System32\MrLQfqZ.exe
  C:\Windows\System32\MrLQfqZ.exe
  2⤵
  PID:6704
- C:\Windows\System32\JBYrtAS.exe
  C:\Windows\System32\JBYrtAS.exe
  2⤵
  PID:6744
- C:\Windows\System32\WlwXvAQ.exe
  C:\Windows\System32\WlwXvAQ.exe
  2⤵
  PID:6784
- C:\Windows\System32\DFCEBmc.exe
  C:\Windows\System32\DFCEBmc.exe
  2⤵
  PID:6812
- C:\Windows\System32\SPgEDXs.exe
  C:\Windows\System32\SPgEDXs.exe
  2⤵
  PID:6832
- C:\Windows\System32\CazUnVl.exe
  C:\Windows\System32\CazUnVl.exe
  2⤵
  PID:6852
- C:\Windows\System32\tXueZlZ.exe
  C:\Windows\System32\tXueZlZ.exe
  2⤵
  PID:6872
- C:\Windows\System32\seaGWPE.exe
  C:\Windows\System32\seaGWPE.exe
  2⤵
  PID:6892
- C:\Windows\System32\EecVYtQ.exe
  C:\Windows\System32\EecVYtQ.exe
  2⤵
  PID:6944
- C:\Windows\System32\wzdoOXM.exe
  C:\Windows\System32\wzdoOXM.exe
  2⤵
  PID:6960
- C:\Windows\System32\JwgNoMr.exe
  C:\Windows\System32\JwgNoMr.exe
  2⤵
  PID:6984
- C:\Windows\System32\PBzMDoP.exe
  C:\Windows\System32\PBzMDoP.exe
  2⤵
  PID:7004
- C:\Windows\System32\vkvurJQ.exe
  C:\Windows\System32\vkvurJQ.exe
  2⤵
  PID:7024
- C:\Windows\System32\pfnPjfu.exe
  C:\Windows\System32\pfnPjfu.exe
  2⤵
  PID:7096
- C:\Windows\System32\LDZjqjo.exe
  C:\Windows\System32\LDZjqjo.exe
  2⤵
  PID:7120
- C:\Windows\System32\CxhIEfb.exe
  C:\Windows\System32\CxhIEfb.exe
  2⤵
  PID:7136
- C:\Windows\System32\FzDcTMJ.exe
  C:\Windows\System32\FzDcTMJ.exe
  2⤵
  PID:7152
- C:\Windows\System32\QcKjLJf.exe
  C:\Windows\System32\QcKjLJf.exe
  2⤵
  PID:3488
- C:\Windows\System32\qLOxtjS.exe
  C:\Windows\System32\qLOxtjS.exe
  2⤵
  PID:5304
- C:\Windows\System32\VezJAJw.exe
  C:\Windows\System32\VezJAJw.exe
  2⤵
  PID:5148
- C:\Windows\System32\RAjnDVP.exe
  C:\Windows\System32\RAjnDVP.exe
  2⤵
  PID:5624
- C:\Windows\System32\GfgoZfR.exe
  C:\Windows\System32\GfgoZfR.exe
  2⤵
  PID:6296
- C:\Windows\System32\RPvdgYv.exe
  C:\Windows\System32\RPvdgYv.exe
  2⤵
  PID:6352
- C:\Windows\System32\GKDznOC.exe
  C:\Windows\System32\GKDznOC.exe
  2⤵
  PID:6532
- C:\Windows\System32\PyUupQM.exe
  C:\Windows\System32\PyUupQM.exe
  2⤵
  PID:6564
- C:\Windows\System32\gVJUZLI.exe
  C:\Windows\System32\gVJUZLI.exe
  2⤵
  PID:6616
- C:\Windows\System32\TRRTpvx.exe
  C:\Windows\System32\TRRTpvx.exe
  2⤵
  PID:6680
- C:\Windows\System32\QXDyWQh.exe
  C:\Windows\System32\QXDyWQh.exe
  2⤵
  PID:6728
- C:\Windows\System32\utDQeQq.exe
  C:\Windows\System32\utDQeQq.exe
  2⤵
  PID:6780
- C:\Windows\System32\AKeLRGm.exe
  C:\Windows\System32\AKeLRGm.exe
  2⤵
  PID:6824
- C:\Windows\System32\OnKcFVt.exe
  C:\Windows\System32\OnKcFVt.exe
  2⤵
  PID:6840
- C:\Windows\System32\ILtEvAs.exe
  C:\Windows\System32\ILtEvAs.exe
  2⤵
  PID:5680
- C:\Windows\System32\RUHPinh.exe
  C:\Windows\System32\RUHPinh.exe
  2⤵
  PID:7104
- C:\Windows\System32\TPBqdlM.exe
  C:\Windows\System32\TPBqdlM.exe
  2⤵
  PID:7144
- C:\Windows\System32\CwEsqZw.exe
  C:\Windows\System32\CwEsqZw.exe
  2⤵
  PID:1984
- C:\Windows\System32\iTekpBq.exe
  C:\Windows\System32\iTekpBq.exe
  2⤵
  PID:6256
- C:\Windows\System32\AIemHDE.exe
  C:\Windows\System32\AIemHDE.exe
  2⤵
  PID:6360
- C:\Windows\System32\TJwKkTY.exe
  C:\Windows\System32\TJwKkTY.exe
  2⤵
  PID:6404
- C:\Windows\System32\yWImZHu.exe
  C:\Windows\System32\yWImZHu.exe
  2⤵
  PID:6804
- C:\Windows\System32\InJaGFK.exe
  C:\Windows\System32\InJaGFK.exe
  2⤵
  PID:6860
- C:\Windows\System32\jWYTfUp.exe
  C:\Windows\System32\jWYTfUp.exe
  2⤵
  PID:7000
- C:\Windows\System32\SKReAlA.exe
  C:\Windows\System32\SKReAlA.exe
  2⤵
  PID:7128
- C:\Windows\System32\svPjOcX.exe
  C:\Windows\System32\svPjOcX.exe
  2⤵
  PID:6240
- C:\Windows\System32\MmzYSsj.exe
  C:\Windows\System32\MmzYSsj.exe
  2⤵
  PID:7040
- C:\Windows\System32\EzVMcos.exe
  C:\Windows\System32\EzVMcos.exe
  2⤵
  PID:6648
- C:\Windows\System32\paqWEiQ.exe
  C:\Windows\System32\paqWEiQ.exe
  2⤵
  PID:6548
- C:\Windows\System32\noxbTmS.exe
  C:\Windows\System32\noxbTmS.exe
  2⤵
  PID:7184
- C:\Windows\System32\nukLjAF.exe
  C:\Windows\System32\nukLjAF.exe
  2⤵
  PID:7208
- C:\Windows\System32\aCmborb.exe
  C:\Windows\System32\aCmborb.exe
  2⤵
  PID:7232
- C:\Windows\System32\KWPSgOI.exe
  C:\Windows\System32\KWPSgOI.exe
  2⤵
  PID:7248
- C:\Windows\System32\EyqovMl.exe
  C:\Windows\System32\EyqovMl.exe
  2⤵
  PID:7292
- C:\Windows\System32\TSoYlOe.exe
  C:\Windows\System32\TSoYlOe.exe
  2⤵
  PID:7308
- C:\Windows\System32\NnrbKbv.exe
  C:\Windows\System32\NnrbKbv.exe
  2⤵
  PID:7328
- C:\Windows\System32\lyfnCRQ.exe
  C:\Windows\System32\lyfnCRQ.exe
  2⤵
  PID:7344
- C:\Windows\System32\QhjnnQU.exe
  C:\Windows\System32\QhjnnQU.exe
  2⤵
  PID:7368
- C:\Windows\System32\MwxZntX.exe
  C:\Windows\System32\MwxZntX.exe
  2⤵
  PID:7384
- C:\Windows\System32\yZuGuGD.exe
  C:\Windows\System32\yZuGuGD.exe
  2⤵
  PID:7436
- C:\Windows\System32\VYEWEia.exe
  C:\Windows\System32\VYEWEia.exe
  2⤵
  PID:7456
- C:\Windows\System32\KlmYsQr.exe
  C:\Windows\System32\KlmYsQr.exe
  2⤵
  PID:7540
- C:\Windows\System32\CeWavBH.exe
  C:\Windows\System32\CeWavBH.exe
  2⤵
  PID:7568
- C:\Windows\System32\rWdfgdo.exe
  C:\Windows\System32\rWdfgdo.exe
  2⤵
  PID:7584
- C:\Windows\System32\LEWuCQR.exe
  C:\Windows\System32\LEWuCQR.exe
  2⤵
  PID:7600
- C:\Windows\System32\cIlACQU.exe
  C:\Windows\System32\cIlACQU.exe
  2⤵
  PID:7628
- C:\Windows\System32\gbDanIc.exe
  C:\Windows\System32\gbDanIc.exe
  2⤵
  PID:7648
- C:\Windows\System32\KkpEgbh.exe
  C:\Windows\System32\KkpEgbh.exe
  2⤵
  PID:7684
- C:\Windows\System32\Snkplnp.exe
  C:\Windows\System32\Snkplnp.exe
  2⤵
  PID:7728
- C:\Windows\System32\CcwvzTi.exe
  C:\Windows\System32\CcwvzTi.exe
  2⤵
  PID:7748
- C:\Windows\System32\HxgLivY.exe
  C:\Windows\System32\HxgLivY.exe
  2⤵
  PID:7776
- C:\Windows\System32\NjsrkPN.exe
  C:\Windows\System32\NjsrkPN.exe
  2⤵
  PID:7800
- C:\Windows\System32\KxZPWSw.exe
  C:\Windows\System32\KxZPWSw.exe
  2⤵
  PID:7852
- C:\Windows\System32\tzgewWW.exe
  C:\Windows\System32\tzgewWW.exe
  2⤵
  PID:7880
- C:\Windows\System32\lGynFkt.exe
  C:\Windows\System32\lGynFkt.exe
  2⤵
  PID:7908
- C:\Windows\System32\qfHqcgI.exe
  C:\Windows\System32\qfHqcgI.exe
  2⤵
  PID:7936
- C:\Windows\System32\nvcKDJh.exe
  C:\Windows\System32\nvcKDJh.exe
  2⤵
  PID:7952
- C:\Windows\System32\olDXyen.exe
  C:\Windows\System32\olDXyen.exe
  2⤵
  PID:7980
- C:\Windows\System32\mlcrsie.exe
  C:\Windows\System32\mlcrsie.exe
  2⤵
  PID:8016
- C:\Windows\System32\LxmfeZA.exe
  C:\Windows\System32\LxmfeZA.exe
  2⤵
  PID:8040
- C:\Windows\System32\cbMGicg.exe
  C:\Windows\System32\cbMGicg.exe
  2⤵
  PID:8060
- C:\Windows\System32\tnbQwHE.exe
  C:\Windows\System32\tnbQwHE.exe
  2⤵
  PID:8104
- C:\Windows\System32\xUROenL.exe
  C:\Windows\System32\xUROenL.exe
  2⤵
  PID:8124
- C:\Windows\System32\GhgqrTv.exe
  C:\Windows\System32\GhgqrTv.exe
  2⤵
  PID:8140
- C:\Windows\System32\EfYHvCn.exe
  C:\Windows\System32\EfYHvCn.exe
  2⤵
  PID:8164
- C:\Windows\System32\bZXyIVE.exe
  C:\Windows\System32\bZXyIVE.exe
  2⤵
  PID:8184
- C:\Windows\System32\NIOpfhr.exe
  C:\Windows\System32\NIOpfhr.exe
  2⤵
  PID:7204
- C:\Windows\System32\OedzEXc.exe
  C:\Windows\System32\OedzEXc.exe
  2⤵
  PID:7260
- C:\Windows\System32\NLyguJv.exe
  C:\Windows\System32\NLyguJv.exe
  2⤵
  PID:7352
- C:\Windows\System32\HmrHjrc.exe
  C:\Windows\System32\HmrHjrc.exe
  2⤵
  PID:7408
- C:\Windows\System32\DfwZCdW.exe
  C:\Windows\System32\DfwZCdW.exe
  2⤵
  PID:7452
- C:\Windows\System32\QsxDOsi.exe
  C:\Windows\System32\QsxDOsi.exe
  2⤵
  PID:7500
- C:\Windows\System32\NzHMcYi.exe
  C:\Windows\System32\NzHMcYi.exe
  2⤵
  PID:7596
- C:\Windows\System32\fuNgcxd.exe
  C:\Windows\System32\fuNgcxd.exe
  2⤵
  PID:7712
- C:\Windows\System32\GNYNEcq.exe
  C:\Windows\System32\GNYNEcq.exe
  2⤵
  PID:7772
- C:\Windows\System32\cuHZVWx.exe
  C:\Windows\System32\cuHZVWx.exe
  2⤵
  PID:7848
- C:\Windows\System32\LFkojCH.exe
  C:\Windows\System32\LFkojCH.exe
  2⤵
  PID:7904
- C:\Windows\System32\DJXzpke.exe
  C:\Windows\System32\DJXzpke.exe
  2⤵
  PID:7944
- C:\Windows\System32\HmNJckS.exe
  C:\Windows\System32\HmNJckS.exe
  2⤵
  PID:7964
- C:\Windows\System32\oGHbZGv.exe
  C:\Windows\System32\oGHbZGv.exe
  2⤵
  PID:8072
- C:\Windows\System32\nXMpcLC.exe
  C:\Windows\System32\nXMpcLC.exe
  2⤵
  PID:8088
- C:\Windows\System32\GywiywX.exe
  C:\Windows\System32\GywiywX.exe
  2⤵
  PID:6864
- C:\Windows\System32\lFwcKav.exe
  C:\Windows\System32\lFwcKav.exe
  2⤵
  PID:7220
- C:\Windows\System32\NyRBTeo.exe
  C:\Windows\System32\NyRBTeo.exe
  2⤵
  PID:7424
- C:\Windows\System32\IpwwFNm.exe
  C:\Windows\System32\IpwwFNm.exe
  2⤵
  PID:7680
- C:\Windows\System32\dRIWfXt.exe
  C:\Windows\System32\dRIWfXt.exe
  2⤵
  PID:7892
- C:\Windows\System32\pzpKSTg.exe
  C:\Windows\System32\pzpKSTg.exe
  2⤵
  PID:7920
- C:\Windows\System32\BqSejCJ.exe
  C:\Windows\System32\BqSejCJ.exe
  2⤵
  PID:7976
- C:\Windows\System32\FJAzHju.exe
  C:\Windows\System32\FJAzHju.exe
  2⤵
  PID:7428
- C:\Windows\System32\ACzEWPG.exe
  C:\Windows\System32\ACzEWPG.exe
  2⤵
  PID:7828
- C:\Windows\System32\HKiugoc.exe
  C:\Windows\System32\HKiugoc.exe
  2⤵
  PID:7988
- C:\Windows\System32\xvNycFE.exe
  C:\Windows\System32\xvNycFE.exe
  2⤵
  PID:8068
- C:\Windows\System32\mlPDXbu.exe
  C:\Windows\System32\mlPDXbu.exe
  2⤵
  PID:7696
- C:\Windows\System32\dXjemnz.exe
  C:\Windows\System32\dXjemnz.exe
  2⤵
  PID:8196
- C:\Windows\System32\MDnClgc.exe
  C:\Windows\System32\MDnClgc.exe
  2⤵
  PID:8224
- C:\Windows\System32\EhlweAA.exe
  C:\Windows\System32\EhlweAA.exe
  2⤵
  PID:8264
- C:\Windows\System32\kvMaDSj.exe
  C:\Windows\System32\kvMaDSj.exe
  2⤵
  PID:8292
- C:\Windows\System32\cHLvZin.exe
  C:\Windows\System32\cHLvZin.exe
  2⤵
  PID:8312
- C:\Windows\System32\LDjaADq.exe
  C:\Windows\System32\LDjaADq.exe
  2⤵
  PID:8368
- C:\Windows\System32\QbQzuwI.exe
  C:\Windows\System32\QbQzuwI.exe
  2⤵
  PID:8412
- C:\Windows\System32\hPWGSxR.exe
  C:\Windows\System32\hPWGSxR.exe
  2⤵
  PID:8432
- C:\Windows\System32\dlWFZqN.exe
  C:\Windows\System32\dlWFZqN.exe
  2⤵
  PID:8456
- C:\Windows\System32\qpTtzhs.exe
  C:\Windows\System32\qpTtzhs.exe
  2⤵
  PID:8472
- C:\Windows\System32\bGzIjJV.exe
  C:\Windows\System32\bGzIjJV.exe
  2⤵
  PID:8512
- C:\Windows\System32\GmjtofO.exe
  C:\Windows\System32\GmjtofO.exe
  2⤵
  PID:8556
- C:\Windows\System32\jLoDFXx.exe
  C:\Windows\System32\jLoDFXx.exe
  2⤵
  PID:8576
- C:\Windows\System32\ZoVInfi.exe
  C:\Windows\System32\ZoVInfi.exe
  2⤵
  PID:8596
- C:\Windows\System32\puilgvp.exe
  C:\Windows\System32\puilgvp.exe
  2⤵
  PID:8616
- C:\Windows\System32\UJTUYwC.exe
  C:\Windows\System32\UJTUYwC.exe
  2⤵
  PID:8632
- C:\Windows\System32\piKBSdv.exe
  C:\Windows\System32\piKBSdv.exe
  2⤵
  PID:8660
- C:\Windows\System32\RfSPWgC.exe
  C:\Windows\System32\RfSPWgC.exe
  2⤵
  PID:8676
- C:\Windows\System32\mCJgeMO.exe
  C:\Windows\System32\mCJgeMO.exe
  2⤵
  PID:8728
- C:\Windows\System32\IYhFOsW.exe
  C:\Windows\System32\IYhFOsW.exe
  2⤵
  PID:8764
- C:\Windows\System32\dqohmCm.exe
  C:\Windows\System32\dqohmCm.exe
  2⤵
  PID:8804
- C:\Windows\System32\pKmMWku.exe
  C:\Windows\System32\pKmMWku.exe
  2⤵
  PID:8832
- C:\Windows\System32\gnVuPAF.exe
  C:\Windows\System32\gnVuPAF.exe
  2⤵
  PID:8860
- C:\Windows\System32\sebZeNl.exe
  C:\Windows\System32\sebZeNl.exe
  2⤵
  PID:8876
- C:\Windows\System32\xPKfVRl.exe
  C:\Windows\System32\xPKfVRl.exe
  2⤵
  PID:8896
- C:\Windows\System32\uKDSibA.exe
  C:\Windows\System32\uKDSibA.exe
  2⤵
  PID:8912
- C:\Windows\System32\brViACl.exe
  C:\Windows\System32\brViACl.exe
  2⤵
  PID:8936
- C:\Windows\System32\RmXFvcp.exe
  C:\Windows\System32\RmXFvcp.exe
  2⤵
  PID:8968
- C:\Windows\System32\RBQPNbE.exe
  C:\Windows\System32\RBQPNbE.exe
  2⤵
  PID:9020
- C:\Windows\System32\WaQEgwN.exe
  C:\Windows\System32\WaQEgwN.exe
  2⤵
  PID:9056
- C:\Windows\System32\owezPzG.exe
  C:\Windows\System32\owezPzG.exe
  2⤵
  PID:9080
- C:\Windows\System32\IsBAGYj.exe
  C:\Windows\System32\IsBAGYj.exe
  2⤵
  PID:9104
- C:\Windows\System32\biGRoxy.exe
  C:\Windows\System32\biGRoxy.exe
  2⤵
  PID:9124
- C:\Windows\System32\jOCVvtq.exe
  C:\Windows\System32\jOCVvtq.exe
  2⤵
  PID:9164
- C:\Windows\System32\dZdKCyC.exe
  C:\Windows\System32\dZdKCyC.exe
  2⤵
  PID:9180
- C:\Windows\System32\vijwVOJ.exe
  C:\Windows\System32\vijwVOJ.exe
  2⤵
  PID:9208
- C:\Windows\System32\eBMyeeX.exe
  C:\Windows\System32\eBMyeeX.exe
  2⤵
  PID:8204
- C:\Windows\System32\UbokThY.exe
  C:\Windows\System32\UbokThY.exe
  2⤵
  PID:8452
- C:\Windows\System32\gkojEbN.exe
  C:\Windows\System32\gkojEbN.exe
  2⤵
  PID:8540
- C:\Windows\System32\mqciIPa.exe
  C:\Windows\System32\mqciIPa.exe
  2⤵
  PID:8652
- C:\Windows\System32\tUgdtsA.exe
  C:\Windows\System32\tUgdtsA.exe
  2⤵
  PID:8628
- C:\Windows\System32\hjLQSZy.exe
  C:\Windows\System32\hjLQSZy.exe
  2⤵
  PID:8668
- C:\Windows\System32\PMeXnjo.exe
  C:\Windows\System32\PMeXnjo.exe
  2⤵
  PID:8796
- C:\Windows\System32\ndnJuvA.exe
  C:\Windows\System32\ndnJuvA.exe
  2⤵
  PID:8844
- C:\Windows\System32\uBBrrNa.exe
  C:\Windows\System32\uBBrrNa.exe
  2⤵
  PID:8904
- C:\Windows\System32\ivcXPnc.exe
  C:\Windows\System32\ivcXPnc.exe
  2⤵
  PID:9016
- C:\Windows\System32\qTZRuFD.exe
  C:\Windows\System32\qTZRuFD.exe
  2⤵
  PID:9076
- C:\Windows\System32\wYZPKtp.exe
  C:\Windows\System32\wYZPKtp.exe
  2⤵
  PID:9140
- C:\Windows\System32\svVaedL.exe
  C:\Windows\System32\svVaedL.exe
  2⤵
  PID:9148
- C:\Windows\System32\tMzbXfY.exe
  C:\Windows\System32\tMzbXfY.exe
  2⤵
  PID:8172
- C:\Windows\System32\RVVChFv.exe
  C:\Windows\System32\RVVChFv.exe
  2⤵
  PID:8360
- C:\Windows\System32\WmXFRGv.exe
  C:\Windows\System32\WmXFRGv.exe
  2⤵
  PID:8400
- C:\Windows\System32\kiPdxOD.exe
  C:\Windows\System32\kiPdxOD.exe
  2⤵
  PID:8396
- C:\Windows\System32\utWLOXV.exe
  C:\Windows\System32\utWLOXV.exe
  2⤵
  PID:8584
- C:\Windows\System32\inwwtKj.exe
  C:\Windows\System32\inwwtKj.exe
  2⤵
  PID:8752
- C:\Windows\System32\nLUFffq.exe
  C:\Windows\System32\nLUFffq.exe
  2⤵
  PID:8612
- C:\Windows\System32\XjWDjts.exe
  C:\Windows\System32\XjWDjts.exe
  2⤵
  PID:8920
- C:\Windows\System32\GyfPsOR.exe
  C:\Windows\System32\GyfPsOR.exe
  2⤵
  PID:8336
- C:\Windows\System32\NAQfSYT.exe
  C:\Windows\System32\NAQfSYT.exe
  2⤵
  PID:8852
- C:\Windows\System32\nYZscHM.exe
  C:\Windows\System32\nYZscHM.exe
  2⤵
  PID:8924
- C:\Windows\System32\qCWEjxJ.exe
  C:\Windows\System32\qCWEjxJ.exe
  2⤵
  PID:8640
- C:\Windows\System32\tpEHrTZ.exe
  C:\Windows\System32\tpEHrTZ.exe
  2⤵
  PID:8712
- C:\Windows\System32\VXypjLQ.exe
  C:\Windows\System32\VXypjLQ.exe
  2⤵
  PID:9244
- C:\Windows\System32\NRyWKPV.exe
  C:\Windows\System32\NRyWKPV.exe
  2⤵
  PID:9260
- C:\Windows\System32\vqPpviL.exe
  C:\Windows\System32\vqPpviL.exe
  2⤵
  PID:9284
- C:\Windows\System32\wvitgsL.exe
  C:\Windows\System32\wvitgsL.exe
  2⤵
  PID:9304
- C:\Windows\System32\BBDPspy.exe
  C:\Windows\System32\BBDPspy.exe
  2⤵
  PID:9368
- C:\Windows\System32\GUSvRdJ.exe
  C:\Windows\System32\GUSvRdJ.exe
  2⤵
  PID:9408
- C:\Windows\System32\OaDZUfi.exe
  C:\Windows\System32\OaDZUfi.exe
  2⤵
  PID:9436
- C:\Windows\System32\oNpeEuw.exe
  C:\Windows\System32\oNpeEuw.exe
  2⤵
  PID:9452
- C:\Windows\System32\cKpLtvF.exe
  C:\Windows\System32\cKpLtvF.exe
  2⤵
  PID:9476
- C:\Windows\System32\crtgZAS.exe
  C:\Windows\System32\crtgZAS.exe
  2⤵
  PID:9492
- C:\Windows\System32\VtmneaF.exe
  C:\Windows\System32\VtmneaF.exe
  2⤵
  PID:9540
- C:\Windows\System32\sKfyRyt.exe
  C:\Windows\System32\sKfyRyt.exe
  2⤵
  PID:9568
- C:\Windows\System32\dczpTQE.exe
  C:\Windows\System32\dczpTQE.exe
  2⤵
  PID:9584
- C:\Windows\System32\YQPISat.exe
  C:\Windows\System32\YQPISat.exe
  2⤵
  PID:9608
- C:\Windows\System32\mrpZWxp.exe
  C:\Windows\System32\mrpZWxp.exe
  2⤵
  PID:9632
- C:\Windows\System32\KPuWXBm.exe
  C:\Windows\System32\KPuWXBm.exe
  2⤵
  PID:9664
- C:\Windows\System32\SXMdSLJ.exe
  C:\Windows\System32\SXMdSLJ.exe
  2⤵
  PID:9688
- C:\Windows\System32\ILApjLJ.exe
  C:\Windows\System32\ILApjLJ.exe
  2⤵
  PID:9708
- C:\Windows\System32\XEhXdyN.exe
  C:\Windows\System32\XEhXdyN.exe
  2⤵
  PID:9724
- C:\Windows\System32\VTOhMln.exe
  C:\Windows\System32\VTOhMln.exe
  2⤵
  PID:9748
- C:\Windows\System32\QeduPNQ.exe
  C:\Windows\System32\QeduPNQ.exe
  2⤵
  PID:9764
- C:\Windows\System32\aVnFGev.exe
  C:\Windows\System32\aVnFGev.exe
  2⤵
  PID:9832
- C:\Windows\System32\ixTKywm.exe
  C:\Windows\System32\ixTKywm.exe
  2⤵
  PID:9868
- C:\Windows\System32\ZgnEzdg.exe
  C:\Windows\System32\ZgnEzdg.exe
  2⤵
  PID:9900
- C:\Windows\System32\gOzRwfg.exe
  C:\Windows\System32\gOzRwfg.exe
  2⤵
  PID:9924
- C:\Windows\System32\wVTZdFv.exe
  C:\Windows\System32\wVTZdFv.exe
  2⤵
  PID:9940
- C:\Windows\System32\GTCgANP.exe
  C:\Windows\System32\GTCgANP.exe
  2⤵
  PID:9996
- C:\Windows\System32\XRqdmAP.exe
  C:\Windows\System32\XRqdmAP.exe
  2⤵
  PID:10028
- C:\Windows\System32\mXiQrHk.exe
  C:\Windows\System32\mXiQrHk.exe
  2⤵
  PID:10048
- C:\Windows\System32\EUgcdEj.exe
  C:\Windows\System32\EUgcdEj.exe
  2⤵
  PID:10068
- C:\Windows\System32\QCpyczC.exe
  C:\Windows\System32\QCpyczC.exe
  2⤵
  PID:10088
- C:\Windows\System32\ktUwsRd.exe
  C:\Windows\System32\ktUwsRd.exe
  2⤵
  PID:10120
- C:\Windows\System32\tkENneD.exe
  C:\Windows\System32\tkENneD.exe
  2⤵
  PID:10140
- C:\Windows\System32\DXgcFoK.exe
  C:\Windows\System32\DXgcFoK.exe
  2⤵
  PID:10160
- C:\Windows\System32\VQinawU.exe
  C:\Windows\System32\VQinawU.exe
  2⤵
  PID:10176
- C:\Windows\System32\elYtNRE.exe
  C:\Windows\System32\elYtNRE.exe
  2⤵
  PID:10224
- C:\Windows\System32\XCsgeAe.exe
  C:\Windows\System32\XCsgeAe.exe
  2⤵
  PID:8464
- C:\Windows\System32\zlDhKHP.exe
  C:\Windows\System32\zlDhKHP.exe
  2⤵
  PID:9232
- C:\Windows\System32\MmvpVYn.exe
  C:\Windows\System32\MmvpVYn.exe
  2⤵
  PID:9328
- C:\Windows\System32\QcmeDNC.exe
  C:\Windows\System32\QcmeDNC.exe
  2⤵
  PID:9448
- C:\Windows\System32\dtEABYM.exe
  C:\Windows\System32\dtEABYM.exe
  2⤵
  PID:9484
- C:\Windows\System32\KSADCtu.exe
  C:\Windows\System32\KSADCtu.exe
  2⤵
  PID:9504
- C:\Windows\System32\kRurwbH.exe
  C:\Windows\System32\kRurwbH.exe
  2⤵
  PID:9640
- C:\Windows\System32\fsrfxPU.exe
  C:\Windows\System32\fsrfxPU.exe
  2⤵
  PID:9680
- C:\Windows\System32\NFepENQ.exe
  C:\Windows\System32\NFepENQ.exe
  2⤵
  PID:9704
- C:\Windows\System32\xPnDlOs.exe
  C:\Windows\System32\xPnDlOs.exe
  2⤵
  PID:9876
- C:\Windows\System32\qZsMyOs.exe
  C:\Windows\System32\qZsMyOs.exe
  2⤵
  PID:9840
- C:\Windows\System32\IwfQBni.exe
  C:\Windows\System32\IwfQBni.exe
  2⤵
  PID:9952
- C:\Windows\System32\HDUvBCR.exe
  C:\Windows\System32\HDUvBCR.exe
  2⤵
  PID:10024
- C:\Windows\System32\DSlZcEh.exe
  C:\Windows\System32\DSlZcEh.exe
  2⤵
  PID:10132
- C:\Windows\System32\pAACGgW.exe
  C:\Windows\System32\pAACGgW.exe
  2⤵
  PID:10172
- C:\Windows\System32\USBOvrZ.exe
  C:\Windows\System32\USBOvrZ.exe
  2⤵
  PID:10148
- C:\Windows\System32\DuOvFHo.exe
  C:\Windows\System32\DuOvFHo.exe
  2⤵
  PID:9268
- C:\Windows\System32\mMwJMcX.exe
  C:\Windows\System32\mMwJMcX.exe
  2⤵
  PID:9292
- C:\Windows\System32\soukdsM.exe
  C:\Windows\System32\soukdsM.exe
  2⤵
  PID:9444
- C:\Windows\System32\lCKwHzs.exe
  C:\Windows\System32\lCKwHzs.exe
  2⤵
  PID:9772
- C:\Windows\System32\QIBggsC.exe
  C:\Windows\System32\QIBggsC.exe
  2⤵
  PID:9932
- C:\Windows\System32\krCltoW.exe
  C:\Windows\System32\krCltoW.exe
  2⤵
  PID:10080
- C:\Windows\System32\CkkpFwm.exe
  C:\Windows\System32\CkkpFwm.exe
  2⤵
  PID:10156
- C:\Windows\System32\jFeAgQa.exe
  C:\Windows\System32\jFeAgQa.exe
  2⤵
  PID:9744
- C:\Windows\System32\fMsbeBy.exe
  C:\Windows\System32\fMsbeBy.exe
  2⤵
  PID:9720
- C:\Windows\System32\mOmWTAo.exe
  C:\Windows\System32\mOmWTAo.exe
  2⤵
  PID:8284
- C:\Windows\System32\KkNuYwS.exe
  C:\Windows\System32\KkNuYwS.exe
  2⤵
  PID:9880
- C:\Windows\System32\QAJvZus.exe
  C:\Windows\System32\QAJvZus.exe
  2⤵
  PID:10248
- C:\Windows\System32\uuARTfT.exe
  C:\Windows\System32\uuARTfT.exe
  2⤵
  PID:10292
- C:\Windows\System32\XTFguPC.exe
  C:\Windows\System32\XTFguPC.exe
  2⤵
  PID:10312
- C:\Windows\System32\qEzlmSK.exe
  C:\Windows\System32\qEzlmSK.exe
  2⤵
  PID:10332
- C:\Windows\System32\tzDJlrs.exe
  C:\Windows\System32\tzDJlrs.exe
  2⤵
  PID:10360
- C:\Windows\System32\LcoJFtF.exe
  C:\Windows\System32\LcoJFtF.exe
  2⤵
  PID:10380
- C:\Windows\System32\ANpdgQu.exe
  C:\Windows\System32\ANpdgQu.exe
  2⤵
  PID:10416
- C:\Windows\System32\HOCJjAf.exe
  C:\Windows\System32\HOCJjAf.exe
  2⤵
  PID:10436
- C:\Windows\System32\sNHVjOG.exe
  C:\Windows\System32\sNHVjOG.exe
  2⤵
  PID:10472
- C:\Windows\System32\LdsQtTs.exe
  C:\Windows\System32\LdsQtTs.exe
  2⤵
  PID:10516
- C:\Windows\System32\wnEAFgB.exe
  C:\Windows\System32\wnEAFgB.exe
  2⤵
  PID:10548
- C:\Windows\System32\uFracUD.exe
  C:\Windows\System32\uFracUD.exe
  2⤵
  PID:10564
- C:\Windows\System32\fabAQlq.exe
  C:\Windows\System32\fabAQlq.exe
  2⤵
  PID:10596
- C:\Windows\System32\OFeYhuE.exe
  C:\Windows\System32\OFeYhuE.exe
  2⤵
  PID:10612
- C:\Windows\System32\tNbIfzD.exe
  C:\Windows\System32\tNbIfzD.exe
  2⤵
  PID:10632
- C:\Windows\System32\csBCnzC.exe
  C:\Windows\System32\csBCnzC.exe
  2⤵
  PID:10668
- C:\Windows\System32\lBDicKs.exe
  C:\Windows\System32\lBDicKs.exe
  2⤵
  PID:10696
- C:\Windows\System32\YfHUadz.exe
  C:\Windows\System32\YfHUadz.exe
  2⤵
  PID:10732
- C:\Windows\System32\GEgIdCN.exe
  C:\Windows\System32\GEgIdCN.exe
  2⤵
  PID:10752
- C:\Windows\System32\cZURxGS.exe
  C:\Windows\System32\cZURxGS.exe
  2⤵
  PID:10780
- C:\Windows\System32\OLwAcMs.exe
  C:\Windows\System32\OLwAcMs.exe
  2⤵
  PID:10820
- C:\Windows\System32\oskGZRf.exe
  C:\Windows\System32\oskGZRf.exe
  2⤵
  PID:10836
- C:\Windows\System32\URuiIrH.exe
  C:\Windows\System32\URuiIrH.exe
  2⤵
  PID:10860
- C:\Windows\System32\pBsSyuA.exe
  C:\Windows\System32\pBsSyuA.exe
  2⤵
  PID:10896
- C:\Windows\System32\HwDzvRo.exe
  C:\Windows\System32\HwDzvRo.exe
  2⤵
  PID:10936
- C:\Windows\System32\TNGdDga.exe
  C:\Windows\System32\TNGdDga.exe
  2⤵
  PID:10964
- C:\Windows\System32\ulzEFAy.exe
  C:\Windows\System32\ulzEFAy.exe
  2⤵
  PID:10992
- C:\Windows\System32\nTAylnd.exe
  C:\Windows\System32\nTAylnd.exe
  2⤵
  PID:11012
- C:\Windows\System32\cYZRrCZ.exe
  C:\Windows\System32\cYZRrCZ.exe
  2⤵
  PID:11032
- C:\Windows\System32\rKqlwVr.exe
  C:\Windows\System32\rKqlwVr.exe
  2⤵
  PID:11052
- C:\Windows\System32\zmTxtWt.exe
  C:\Windows\System32\zmTxtWt.exe
  2⤵
  PID:11100
- C:\Windows\System32\FcxwDrF.exe
  C:\Windows\System32\FcxwDrF.exe
  2⤵
  PID:11120
- C:\Windows\System32\puSjJur.exe
  C:\Windows\System32\puSjJur.exe
  2⤵
  PID:11136
- C:\Windows\System32\RPazEfg.exe
  C:\Windows\System32\RPazEfg.exe
  2⤵
  PID:11156
- C:\Windows\System32\PwqbVQz.exe
  C:\Windows\System32\PwqbVQz.exe
  2⤵
  PID:11192
- C:\Windows\System32\YWzpahF.exe
  C:\Windows\System32\YWzpahF.exe
  2⤵
  PID:11212
- C:\Windows\System32\hqMNBuZ.exe
  C:\Windows\System32\hqMNBuZ.exe
  2⤵
  PID:11236
- C:\Windows\System32\uJHWaqY.exe
  C:\Windows\System32\uJHWaqY.exe
  2⤵
  PID:11256
- C:\Windows\System32\TLdTgRP.exe
  C:\Windows\System32\TLdTgRP.exe
  2⤵
  PID:10348
- C:\Windows\System32\bZGzkBr.exe
  C:\Windows\System32\bZGzkBr.exe
  2⤵
  PID:10396
- C:\Windows\System32\DTDGSAR.exe
  C:\Windows\System32\DTDGSAR.exe
  2⤵
  PID:10392
- C:\Windows\System32\bOFFBjb.exe
  C:\Windows\System32\bOFFBjb.exe
  2⤵
  PID:10500
- C:\Windows\System32\DHYSXGM.exe
  C:\Windows\System32\DHYSXGM.exe
  2⤵
  PID:10556
- C:\Windows\System32\PbWjCsh.exe
  C:\Windows\System32\PbWjCsh.exe
  2⤵
  PID:10640
- C:\Windows\System32\GEbXKvy.exe
  C:\Windows\System32\GEbXKvy.exe
  2⤵
  PID:10744
- C:\Windows\System32\IYRyFnd.exe
  C:\Windows\System32\IYRyFnd.exe
  2⤵
  PID:10796
- C:\Windows\System32\esolvgw.exe
  C:\Windows\System32\esolvgw.exe
  2⤵
  PID:10828
- C:\Windows\System32\IHxEVew.exe
  C:\Windows\System32\IHxEVew.exe
  2⤵
  PID:10868
- C:\Windows\System32\IqqzcCu.exe
  C:\Windows\System32\IqqzcCu.exe
  2⤵
  PID:10924
- C:\Windows\System32\xHbhCkd.exe
  C:\Windows\System32\xHbhCkd.exe
  2⤵
  PID:11044
- C:\Windows\System32\EdUqnPB.exe
  C:\Windows\System32\EdUqnPB.exe
  2⤵
  PID:11116
- C:\Windows\System32\vdhnEgE.exe
  C:\Windows\System32\vdhnEgE.exe
  2⤵
  PID:11188
- C:\Windows\System32\fjtlqYd.exe
  C:\Windows\System32\fjtlqYd.exe
  2⤵
  PID:11248
- C:\Windows\System32\xIPHNJl.exe
  C:\Windows\System32\xIPHNJl.exe
  2⤵
  PID:10192
- C:\Windows\System32\CPuzZnn.exe
  C:\Windows\System32\CPuzZnn.exe
  2⤵
  PID:11220
- C:\Windows\System32\ykfxdCO.exe
  C:\Windows\System32\ykfxdCO.exe
  2⤵
  PID:10540
- C:\Windows\System32\KpGgULI.exe
  C:\Windows\System32\KpGgULI.exe
  2⤵
  PID:10584
- C:\Windows\System32\aBKVzrL.exe
  C:\Windows\System32\aBKVzrL.exe
  2⤵
  PID:10624
- C:\Windows\System32\TsPfGFE.exe
  C:\Windows\System32\TsPfGFE.exe
  2⤵
  PID:11128
- C:\Windows\System32\dSokpJD.exe
  C:\Windows\System32\dSokpJD.exe
  2⤵
  PID:10268
- C:\Windows\System32\UYbqvzF.exe
  C:\Windows\System32\UYbqvzF.exe
  2⤵
  PID:10580
- C:\Windows\System32\fZYhHOv.exe
  C:\Windows\System32\fZYhHOv.exe
  2⤵
  PID:11004
- C:\Windows\System32\pMNUkDI.exe
  C:\Windows\System32\pMNUkDI.exe
  2⤵
  PID:11224
- C:\Windows\System32\czCnGiz.exe
  C:\Windows\System32\czCnGiz.exe
  2⤵
  PID:11076
- C:\Windows\System32\eaNVgpV.exe
  C:\Windows\System32\eaNVgpV.exe
  2⤵
  PID:11284
- C:\Windows\System32\TVjRmVO.exe
  C:\Windows\System32\TVjRmVO.exe
  2⤵
  PID:11300
- C:\Windows\System32\jnTYhvH.exe
  C:\Windows\System32\jnTYhvH.exe
  2⤵
  PID:11324
- C:\Windows\System32\wyFSPXw.exe
  C:\Windows\System32\wyFSPXw.exe
  2⤵
  PID:11348
- C:\Windows\System32\eyxZVfF.exe
  C:\Windows\System32\eyxZVfF.exe
  2⤵
  PID:11408
- C:\Windows\System32\gbFSPJl.exe
  C:\Windows\System32\gbFSPJl.exe
  2⤵
  PID:11436
- C:\Windows\System32\ixlHiOK.exe
  C:\Windows\System32\ixlHiOK.exe
  2⤵
  PID:11452
- C:\Windows\System32\BwwUmNE.exe
  C:\Windows\System32\BwwUmNE.exe
  2⤵
  PID:11472
- C:\Windows\System32\RiTTrVO.exe
  C:\Windows\System32\RiTTrVO.exe
  2⤵
  PID:11492
- C:\Windows\System32\fnAGsRG.exe
  C:\Windows\System32\fnAGsRG.exe
  2⤵
  PID:11532
- C:\Windows\System32\DiFvVOV.exe
  C:\Windows\System32\DiFvVOV.exe
  2⤵
  PID:11576
- C:\Windows\System32\DUJKtXJ.exe
  C:\Windows\System32\DUJKtXJ.exe
  2⤵
  PID:11608
- C:\Windows\System32\xlMmeBp.exe
  C:\Windows\System32\xlMmeBp.exe
  2⤵
  PID:11628
- C:\Windows\System32\IuluKoi.exe
  C:\Windows\System32\IuluKoi.exe
  2⤵
  PID:11652
- C:\Windows\System32\XKJRmBY.exe
  C:\Windows\System32\XKJRmBY.exe
  2⤵
  PID:11676
- C:\Windows\System32\YSNeERf.exe
  C:\Windows\System32\YSNeERf.exe
  2⤵
  PID:11724
- C:\Windows\System32\WsPEAOG.exe
  C:\Windows\System32\WsPEAOG.exe
  2⤵
  PID:11744
- C:\Windows\System32\GzMVcMB.exe
  C:\Windows\System32\GzMVcMB.exe
  2⤵
  PID:11776
- C:\Windows\System32\nCeqoMx.exe
  C:\Windows\System32\nCeqoMx.exe
  2⤵
  PID:11792
- C:\Windows\System32\WiBwErm.exe
  C:\Windows\System32\WiBwErm.exe
  2⤵
  PID:11824
- C:\Windows\System32\rrqYign.exe
  C:\Windows\System32\rrqYign.exe
  2⤵
  PID:11848
- C:\Windows\System32\OrONrVf.exe
  C:\Windows\System32\OrONrVf.exe
  2⤵
  PID:11876
- C:\Windows\System32\OFCvFgm.exe
  C:\Windows\System32\OFCvFgm.exe
  2⤵
  PID:11896
- C:\Windows\System32\eTFJycb.exe
  C:\Windows\System32\eTFJycb.exe
  2⤵
  PID:11936
- C:\Windows\System32\jeaAoRN.exe
  C:\Windows\System32\jeaAoRN.exe
  2⤵
  PID:11956
- C:\Windows\System32\nTKqYGj.exe
  C:\Windows\System32\nTKqYGj.exe
  2⤵
  PID:11980
- C:\Windows\System32\CXKeNzf.exe
  C:\Windows\System32\CXKeNzf.exe
  2⤵
  PID:12004
- C:\Windows\System32\PGSZMDa.exe
  C:\Windows\System32\PGSZMDa.exe
  2⤵
  PID:12032
- C:\Windows\System32\uyCBDeW.exe
  C:\Windows\System32\uyCBDeW.exe
  2⤵
  PID:12052
- C:\Windows\System32\SuBlEWs.exe
  C:\Windows\System32\SuBlEWs.exe
  2⤵
  PID:12100
- C:\Windows\System32\iAqxYmv.exe
  C:\Windows\System32\iAqxYmv.exe
  2⤵
  PID:12120
- C:\Windows\System32\MowAzrN.exe
  C:\Windows\System32\MowAzrN.exe
  2⤵
  PID:12148
- C:\Windows\System32\ocEgxDK.exe
  C:\Windows\System32\ocEgxDK.exe
  2⤵
  PID:12168
- C:\Windows\System32\iJKVomc.exe
  C:\Windows\System32\iJKVomc.exe
  2⤵
  PID:12188
- C:\Windows\System32\yKsZgou.exe
  C:\Windows\System32\yKsZgou.exe
  2⤵
  PID:12208
- C:\Windows\System32\ywFsdwg.exe
  C:\Windows\System32\ywFsdwg.exe
  2⤵
  PID:12248
- C:\Windows\System32\wMolMxN.exe
  C:\Windows\System32\wMolMxN.exe
  2⤵
  PID:12272
- C:\Windows\System32\ouhxCIr.exe
  C:\Windows\System32\ouhxCIr.exe
  2⤵
  PID:11208
- C:\Windows\System32\wxECJiX.exe
  C:\Windows\System32\wxECJiX.exe
  2⤵
  PID:11320
- C:\Windows\System32\RKwvHJO.exe
  C:\Windows\System32\RKwvHJO.exe
  2⤵
  PID:11404
- C:\Windows\System32\fTDVyrR.exe
  C:\Windows\System32\fTDVyrR.exe
  2⤵
  PID:11448
- C:\Windows\System32\cCADWEZ.exe
  C:\Windows\System32\cCADWEZ.exe
  2⤵
  PID:11560
- C:\Windows\System32\jPGxRCG.exe
  C:\Windows\System32\jPGxRCG.exe
  2⤵
  PID:11600
- C:\Windows\System32\eAWLWqH.exe
  C:\Windows\System32\eAWLWqH.exe
  2⤵
  PID:11616
- C:\Windows\System32\cntbNEL.exe
  C:\Windows\System32\cntbNEL.exe
  2⤵
  PID:11708
- C:\Windows\System32\uMzhiNv.exe
  C:\Windows\System32\uMzhiNv.exe
  2⤵
  PID:10884
- C:\Windows\System32\MoPgLnf.exe
  C:\Windows\System32\MoPgLnf.exe
  2⤵
  PID:11832
- C:\Windows\System32\BOiHxmc.exe
  C:\Windows\System32\BOiHxmc.exe
  2⤵
  PID:11948
- C:\Windows\System32\jmLpuwr.exe
  C:\Windows\System32\jmLpuwr.exe
  2⤵
  PID:11992
- C:\Windows\System32\LioApEp.exe
  C:\Windows\System32\LioApEp.exe
  2⤵
  PID:12020
- C:\Windows\System32\nmrlRmW.exe
  C:\Windows\System32\nmrlRmW.exe
  2⤵
  PID:12060
- C:\Windows\System32\xKqcjCG.exe
  C:\Windows\System32\xKqcjCG.exe
  2⤵
  PID:12240
- C:\Windows\System32\OVOtLjY.exe
  C:\Windows\System32\OVOtLjY.exe
  2⤵
  PID:12200
- C:\Windows\System32\IgWFxfw.exe
  C:\Windows\System32\IgWFxfw.exe
  2⤵
  PID:10412
- C:\Windows\System32\LUFsUYF.exe
  C:\Windows\System32\LUFsUYF.exe
  2⤵
  PID:11292
- C:\Windows\System32\uRoNRrm.exe
  C:\Windows\System32\uRoNRrm.exe
  2⤵
  PID:11468
- C:\Windows\System32\iCwLlzy.exe
  C:\Windows\System32\iCwLlzy.exe
  2⤵
  PID:11688
- C:\Windows\System32\zVpCncY.exe
  C:\Windows\System32\zVpCncY.exe
  2⤵
  PID:11644
- C:\Windows\System32\YeYUoeb.exe
  C:\Windows\System32\YeYUoeb.exe
  2⤵
  PID:11844
- C:\Windows\System32\HbBfDzI.exe
  C:\Windows\System32\HbBfDzI.exe
  2⤵
  PID:2732
- C:\Windows\System32\lHIhnIw.exe
  C:\Windows\System32\lHIhnIw.exe
  2⤵
  PID:11756
- C:\Windows\System32\hEjivLQ.exe
  C:\Windows\System32\hEjivLQ.exe
  2⤵
  PID:11428
- C:\Windows\System32\AKlXcsy.exe
  C:\Windows\System32\AKlXcsy.exe
  2⤵
  PID:11592
- C:\Windows\System32\ksLWrvm.exe
  C:\Windows\System32\ksLWrvm.exe
  2⤵
  PID:11888
- C:\Windows\System32\CxkBaAK.exe
  C:\Windows\System32\CxkBaAK.exe
  2⤵
  PID:12088
- C:\Windows\System32\gDHKCsr.exe
  C:\Windows\System32\gDHKCsr.exe
  2⤵
  PID:11732
- C:\Windows\System32\lctbluC.exe
  C:\Windows\System32\lctbluC.exe
  2⤵
  PID:12296
- C:\Windows\System32\vUfMLPB.exe
  C:\Windows\System32\vUfMLPB.exe
  2⤵
  PID:12320
- C:\Windows\System32\rOtGuEZ.exe
  C:\Windows\System32\rOtGuEZ.exe
  2⤵
  PID:12380
- C:\Windows\System32\PxkVZYK.exe
  C:\Windows\System32\PxkVZYK.exe
  2⤵
  PID:12400
- C:\Windows\System32\gpyWSpC.exe
  C:\Windows\System32\gpyWSpC.exe
  2⤵
  PID:12416
- C:\Windows\System32\erlhVhL.exe
  C:\Windows\System32\erlhVhL.exe
  2⤵
  PID:12436
- C:\Windows\System32\xJOHLXa.exe
  C:\Windows\System32\xJOHLXa.exe
  2⤵
  PID:12472
- C:\Windows\System32\rZZIMQX.exe
  C:\Windows\System32\rZZIMQX.exe
  2⤵
  PID:12492
- C:\Windows\System32\gSVAlJq.exe
  C:\Windows\System32\gSVAlJq.exe
  2⤵
  PID:12516
- C:\Windows\System32\AXEWkcu.exe
  C:\Windows\System32\AXEWkcu.exe
  2⤵
  PID:12532
- C:\Windows\System32\vxPMHXX.exe
  C:\Windows\System32\vxPMHXX.exe
  2⤵
  PID:12552
- C:\Windows\System32\NuuHryQ.exe
  C:\Windows\System32\NuuHryQ.exe
  2⤵
  PID:12568
- C:\Windows\System32\JqcyCdd.exe
  C:\Windows\System32\JqcyCdd.exe
  2⤵
  PID:12624
- C:\Windows\System32\VTXMWzO.exe
  C:\Windows\System32\VTXMWzO.exe
  2⤵
  PID:12648
- C:\Windows\System32\pQiGJDx.exe
  C:\Windows\System32\pQiGJDx.exe
  2⤵
  PID:12692
- C:\Windows\System32\geRisFC.exe
  C:\Windows\System32\geRisFC.exe
  2⤵
  PID:12720
- C:\Windows\System32\htonnPT.exe
  C:\Windows\System32\htonnPT.exe
  2⤵
  PID:12740
- C:\Windows\System32\DKDjdSx.exe
  C:\Windows\System32\DKDjdSx.exe
  2⤵
  PID:12772
- C:\Windows\System32\MONAWSe.exe
  C:\Windows\System32\MONAWSe.exe
  2⤵
  PID:12800
- C:\Windows\System32\azDXtIB.exe
  C:\Windows\System32\azDXtIB.exe
  2⤵
  PID:12820
- C:\Windows\System32\sFEJLYY.exe
  C:\Windows\System32\sFEJLYY.exe
  2⤵
  PID:12848
- C:\Windows\System32\xnBeaVb.exe
  C:\Windows\System32\xnBeaVb.exe
  2⤵
  PID:12872
- C:\Windows\System32\yGMghxn.exe
  C:\Windows\System32\yGMghxn.exe
  2⤵
  PID:12932
- C:\Windows\System32\DdfbHNT.exe
  C:\Windows\System32\DdfbHNT.exe
  2⤵
  PID:12968
- C:\Windows\System32\BSoaNZE.exe
  C:\Windows\System32\BSoaNZE.exe
  2⤵
  PID:12992
- C:\Windows\System32\MYNQSUx.exe
  C:\Windows\System32\MYNQSUx.exe
  2⤵
  PID:13020
- C:\Windows\System32\ThcekLa.exe
  C:\Windows\System32\ThcekLa.exe
  2⤵
  PID:13052
- C:\Windows\System32\TAEskeC.exe
  C:\Windows\System32\TAEskeC.exe
  2⤵
  PID:13076
- C:\Windows\System32\FxiDsjP.exe
  C:\Windows\System32\FxiDsjP.exe
  2⤵
  PID:13100
- C:\Windows\System32\lurKGSu.exe
  C:\Windows\System32\lurKGSu.exe
  2⤵
  PID:13120
- C:\Windows\System32\hwpoOjB.exe
  C:\Windows\System32\hwpoOjB.exe
  2⤵
  PID:13168
- C:\Windows\System32\McPoqCn.exe
  C:\Windows\System32\McPoqCn.exe
  2⤵
  PID:13200
- C:\Windows\System32\raBhEDR.exe
  C:\Windows\System32\raBhEDR.exe
  2⤵
  PID:13216
- C:\Windows\System32\ZSYcFkz.exe
  C:\Windows\System32\ZSYcFkz.exe
  2⤵
  PID:13244
- C:\Windows\System32\DMSDlxo.exe
  C:\Windows\System32\DMSDlxo.exe
  2⤵
  PID:13260
- C:\Windows\System32\EwqgyxG.exe
  C:\Windows\System32\EwqgyxG.exe
  2⤵
  PID:13296
- C:\Windows\System32\cPbJETa.exe
  C:\Windows\System32\cPbJETa.exe
  2⤵
  PID:12204
- C:\Windows\System32\ocVyChR.exe
  C:\Windows\System32\ocVyChR.exe
  2⤵
  PID:12328
- C:\Windows\System32\mtGyCFO.exe
  C:\Windows\System32\mtGyCFO.exe
  2⤵
  PID:12352
- C:\Windows\System32\COMhKiq.exe
  C:\Windows\System32\COMhKiq.exe
  2⤵
  PID:12460
- C:\Windows\System32\ZcoNHjG.exe
  C:\Windows\System32\ZcoNHjG.exe
  2⤵
  PID:12524
- C:\Windows\System32\JcgTsFL.exe
  C:\Windows\System32\JcgTsFL.exe
  2⤵
  PID:12596
- C:\Windows\System32\iOdpyXz.exe
  C:\Windows\System32\iOdpyXz.exe
  2⤵
  PID:12732
- C:\Windows\System32\yCgPIzi.exe
  C:\Windows\System32\yCgPIzi.exe
  2⤵
  PID:12764
- C:\Windows\System32\aNubhIN.exe
  C:\Windows\System32\aNubhIN.exe
  2⤵
  PID:12892

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BPrxKFl.exe

Filesize
1.1MB

MD5
f6972ec5d55180add1e7d9fd067199e9

SHA1
0c5410747effc19c78e0a66010d5b1643464d719

SHA256
7d115fa3ebc54141a68c68ff47f488a97d62a833e5512523a14e89a1ec18bdb5

SHA512
fd76a362c06c323f824008fb788aaa6e0e1a846307eb5707552fd8e17fa9c1c7e111de373de34660f1a96ba03525c24681dc6e576662b8cd80b0aaf74b791054

Download Submit
C:\Windows\System32\BlJlgQA.exe

Filesize
1.1MB

MD5
43b0ca150da7f13e59abee969e2e337e

SHA1
bbcf87183d4c60ff3cadf2c0f7d41a37a40df8b4

SHA256
7e9c2a591c23652e6c6dbdb645696ef49ad21d63b7cc76cc5872b0c448deb248

SHA512
4d30eadeb3073225c0143ace702c437bb294f172b2cc7eb43aededd110ffcc4e7f941412b982785d04d932028513249592f4033fe1d08580bcb793c9346bd220

Download Submit
C:\Windows\System32\CRpRyEL.exe

Filesize
1.1MB

MD5
9beaf0b50ded4a63d931bbd26c4838ce

SHA1
43efd9af7d0dc8e13e0538f71192852e9a855109

SHA256
0f3f2217a21224ffa43403c29134b50052331c1313fcabbdc72317007f250955

SHA512
f1e0908ad04dfc73eba863ae37637a083dda30d29e3afcbb393a736cd03d8eaf62603181d8774fa8012aef92d419ddc4096a92d8605fd392568451a29c6caca3

Download Submit
C:\Windows\System32\GTKirFo.exe

Filesize
1.1MB

MD5
7ed3c464cfbe63789865142cfefde64c

SHA1
6f2496fed5f195246f34345b2a364361a4647e41

SHA256
8072f31cb5eebfb8cb894ef70f39965915a81ff89661874cdc40f6dd66c5a060

SHA512
578cee41efa93f026aec323366c1fb84b39f9827eb0914754678e6157647d660cda6c07d49e073c7a04d0040987025e863eb62b8320bf32d5fc7db8f9c2e8cb9

Download Submit
C:\Windows\System32\HSCYsUh.exe

Filesize
1.1MB

MD5
7a7d06b9d618198edaff2b7896fadc3b

SHA1
416ecaf65c1f2e3246ad016527fb9868fe089248

SHA256
88db55e6d417f1146e84618a6b19d03ebee5d4a7fbd5584c424f1d2df4a56b3f

SHA512
c479d1d308a24d49a05053f6319dc2b47ed584e5629035d0dfcd7ffc241f91c414ce4d3cbd1821a2bfbfee8a04af9a903da12325b34075755006c2c47c4f99c1

Download Submit
C:\Windows\System32\QiPrUhz.exe

Filesize
1.1MB

MD5
8e391f4371062c858a4127e60840a017

SHA1
91a0bb1695788ffb52955635b8503d746313d301

SHA256
04034b2a5727c8edc599f9daad942770d449992c53f7215a2990259962348f3c

SHA512
db65a79c5dbae169e0a6913fcf92d13e8a4d8631583b5c137a50f468c5397305f37dd7a07ca3e5c828eb8cade980cb6127d6b8cc4ca609e668a01a3b8d2d17c9

Download Submit
C:\Windows\System32\SSsqySV.exe

Filesize
1.1MB

MD5
84156dff931f43e0ac7f25ccc7bcbae4

SHA1
0905d2a24841de6662012844aed870ceee47be13

SHA256
76f108df3417b72f7b8918035ea4b89c44f358c1faf3587332413f5c6b6ed035

SHA512
7aee0dcb617bef16c382e6576fe046886c081f486485e76567ebe137496b909390f6849718def4d4be9c68a8089d5624d4b4ef1ebf296353211b0a38eb6c1d9c

Download Submit
C:\Windows\System32\StypHTP.exe

Filesize
1.1MB

MD5
1def814ebae2298b772a6b72167f69ca

SHA1
9603f39cfa4e238cb0a9a0ec4194f56a79aa1fe1

SHA256
fbae75f0770f82cb933016745eadec3138a31c03599588e4715d00fcd68109c2

SHA512
4ef103a66b7ca0e33dea42c6393f2424c8d7fbb17e9b567881dc77033dbb543a8da8d4b33dbc706ecc7c73ce1015e999fda82bf50996c0a8110b1cee8a8c56f9

Download Submit
C:\Windows\System32\UdOSkrX.exe

Filesize
1.1MB

MD5
a3ad3975b07f51a73da9df5c61cc47e8

SHA1
b014ed889f9402e9fa71bebde862cd394d97c4f9

SHA256
aab88e97962462fdf82b655057e5a84fd3000ec9fce003ca4a645e6d523802f3

SHA512
f332e8931d55f20281cbe0c97da5defc150e9815fbe08486f679bf99ce1ffadff56161450fd92b36048508d65b7b55ed6095a747de9cf8efa0c89f57d7dcee31

Download Submit
C:\Windows\System32\VJmQCUf.exe

Filesize
1.1MB

MD5
5546d28890ebb9a65d4a8c403a4c6702

SHA1
c08508d879a2b957fe4fa9a588c7e0c491947f98

SHA256
b2c898942749e486ba2ad7accbbd0dc7ad7b089e01899a5c759c17bb2a526f2a

SHA512
0604a233366c02a4481b5d7f34cfb2289191de414ed87f768aa64b39e8042a2a9db13f52ec2940043e60f4f935279b708973ece6888f4cd4b84543bd48e76079

Download Submit
C:\Windows\System32\VjHnciw.exe

Filesize
1.1MB

MD5
a4cc0b924ee76196114f23bf8727e135

SHA1
7ee909ccdab3200330a29431d9dad1317b69c40a

SHA256
96660762dd6b4af7211e7cf4eb83b29156cc0524b377df6d2e904494315867f4

SHA512
4fd34cfec9e164c6ade363a3cfaa9c3d09779a0207e6bcd69d44a8ccb3ddb64718c7d70b1811f82a4efc77f223360e018b72ee7ad2d0c3ef2cb71c43a6374b19

Download Submit
C:\Windows\System32\YHVgxcM.exe

Filesize
1.1MB

MD5
ac83aedd38d4fc0b6cafee7704527802

SHA1
c4f25170d1d08578d74e2642bc78bd7a6dcd49a6

SHA256
b35c626b104db944bcf31cea30b9322b72b4dd2a102ea0228fbb14676bc7278a

SHA512
662eecc8af87eb415d01cbf6d751d54dc6d6c80a26f740e25745576facc1d7fa4c14c2dc68883ba51fb72c8c3cb9f28c2ee830a3c9b974802778eb120f4c781c

Download Submit
C:\Windows\System32\aBzNRJB.exe

Filesize
1.1MB

MD5
a46639c5099472985c5589196df299d5

SHA1
744d36c4852332dc0dff33c2690c1a012c6aa545

SHA256
83dc7318c0deba95d39b32aa2ba2623baa7a9a314c21e8001178a58ffb34c099

SHA512
d78fa6cd02df260fc4970bd74b770e2fcca6c28ffe0a6e7e72456a2091bf259043b375dd66b323ce376d0e0996d3c981ca4a70cc35d63f87287431168f708ce9

Download Submit
C:\Windows\System32\buNzCvM.exe

Filesize
1.1MB

MD5
fcb3b6af83cdefa8c29e82289fcb24e3

SHA1
bfdf3819c8656948d812641e9b9962da0349eb05

SHA256
527c1077d18bec757ce6a4d57e0e16dc014715304b7c6e0c530354850b4b4367

SHA512
59e1b18e2127ce2c3ccea1a170c49d2ce969494614989be522517d008f5c2a9ac4c58fc4131ba2eadd317bccbfbd27720d62a3232d7b0d55c19b0b08b48f0d3b

Download Submit
C:\Windows\System32\dSMRdjp.exe

Filesize
1.1MB

MD5
138400b2e06f82fd1c167de456e8d550

SHA1
0334c7416c6596f6986dfec5ad40b3147e6e5c9e

SHA256
55932aa5a4c2db44a0837d8b867fc4af5f56d327b3c063ada69f767a1b3f3525

SHA512
ccd3a209283449d9706a11b4068206a91ca6bf1e43da95117091cf55abd79bb058d76a134ccabcd404ee12291c757f57a2a3915d0f01b7b807ac917ffdeaf565

Download Submit
C:\Windows\System32\dTnrLyk.exe

Filesize
1.1MB

MD5
4fee94cbd591bea985b6625bfa301b3c

SHA1
5115d70d80dac82e933137f2b87290a82bb00632

SHA256
46be48f0f9c4370701b21d4cfb1c49e65a055c186aa0b91dac7644cee34fa99b

SHA512
6e6dd6167abb303905751edb4f9ee52c6fb62c7b2054a98c3f36125e05fb896111f0cee00050a36817708dd2de05ec6ff651eef6916292f83539155832e77faa

Download Submit
C:\Windows\System32\domqZiS.exe

Filesize
1.1MB

MD5
a0ffe08bab05826889aeb990867675c2

SHA1
b8c15a827323d790749ea89630366b75813636a2

SHA256
b565ae9b915f96fba1972b28557dd62e6d87712efd0c1b5a8406e4e7e86a6d29

SHA512
48868ec909e57577d689c0ac31a35e25f404574087a8fce32b7f6a87d8a503737dbb738c6fc8c291224e3816e7435036ad0584837f8637181e14e914efb1ddd4

Download Submit
C:\Windows\System32\ejzdNpZ.exe

Filesize
1.1MB

MD5
bdc7501681629b65a2d241bf9437e8c7

SHA1
b8d3629aedc825d3dc6284003b737d8c403eaeb3

SHA256
3300608f73bb812c98c48b76d7187cdc99ccfe90b02ee52d459cc9231138ee4c

SHA512
fd8ea1ef1fab401893094b8dc7cd182f55e1c55844613b66b04c6c8ae9f8bf9f044c668acef409f3cbd455e4ddaccf4e5ac858aa09169d15238fb13ee19fce57

Download Submit
C:\Windows\System32\giPwseO.exe

Filesize
1.1MB

MD5
ad4cb576530d661066e9587b7d315ed1

SHA1
1e9f1cf67620e0be73d1419607945b1b3ea7bf8e

SHA256
fe875a06457cc37ed38c6fd7ccbe1c81519316147ba9060ec67ce5b9d106ab9d

SHA512
6c05cb3dbc2e683b94f0849e002dac2b8dbe6b09c013e3855bee8b93b7188300c40d107065a628fe1c65c3229ec4c13dd4d3d53a58bfc573ef3940f456fcacbb

Download Submit
C:\Windows\System32\iRbIceH.exe

Filesize
1.1MB

MD5
6296e82ba43d2fc06b7b3985e49ab0e3

SHA1
bb5a9c07bfc8efa091b2d1b4a45cfa8853306b50

SHA256
134ae669e91acb43905ce56bf16556055d40c42f813514430717ce19938ae2c9

SHA512
2f72bcf9e6eb25c009c9e1c2bb49e3456dae0e0d3e5d8f0e2fcbf37eb73b83379f1f90ef88d019502a65fbf4fb37cbef1c4783c0c8dd7bd7f5b981f042e694cc

Download Submit
C:\Windows\System32\lAKvsQc.exe

Filesize
1.1MB

MD5
657bba4b2b8fb08317f58f224aaeffd3

SHA1
4ef0b9bd8669ca6ed5790866a1ba572114019e49

SHA256
903d066c364600709fc44484c68dca741f152f30090889b8dc0f84019e89a7b8

SHA512
0b236047524bae5441232426f47f744d559d67069d16b52b59843c5d8754aabcf05376b92db24c5d34c52167be39f795f2b9da17198aff8d5523a48476b38dae

Download Submit
C:\Windows\System32\maJDAAJ.exe

Filesize
1.1MB

MD5
bdbce81bd5f3efa331d19bf2f10113d5

SHA1
a124b8b7d61a3782fb5ba5975db002d2ca4605bd

SHA256
b72bced93103de8977db5523435225706a95ff969fb1d3219f1453b474b8fc18

SHA512
28b540b944b4e1faa32f283ffb5eaab92ae1983b36dd5c43d0372741d91295eae13dc2e5a2e776b1544f65c08aa15b05eef7e0ee92ddf4a6657f0cc5211c75ae

Download Submit
C:\Windows\System32\njLeHIn.exe

Filesize
1.1MB

MD5
c336627efad773b17202c176ae0c067f

SHA1
ac940e24997dbf77afeb4f29a884f6739aea0989

SHA256
4e201d8098f9d04378da912dc49fe5c8509ca287d7bfc43433f26e93f9bf0f46

SHA512
650761636c69c1938b7f6220c986daaa98dc8186ee113d560ff3d7dc45d937dfe6d704fa59069a1ae217b50f13a78847c6dc8bbab7f947edf79abca10f6889c1

Download Submit
C:\Windows\System32\oKnVvEa.exe

Filesize
1.1MB

MD5
048b31d6a1788e860a8c35b30d3c4a8c

SHA1
a8791cc4504504ed3e776143b5eed58e01f5da81

SHA256
1e0a943dd9650082d8d67dfda4bca9eda072d00e3e12452b1210cfdd1dc93cbf

SHA512
4bc8a23f3804918e0477ba66bf3a9be2079bbbd03849767d41d3a5da583b9c62adb1a3eec8537232303fb885ad6cbd1b98d651a732401cef66f432ea10a0e305

Download Submit
C:\Windows\System32\oVaYwBx.exe

Filesize
1.1MB

MD5
ebe9c2e0bbd716256a9d35818f4197ce

SHA1
28492ca66c0aa2806892b4bde11c3fee5b40f68d

SHA256
b43b7fdfd898100b3591973e6c60e3b78c7c86506c630368cd801507c1020155

SHA512
ea85a08d3eacdc553af5f62005bf397970fd944c36bd8e5270b4659bcfe26b97fa659e9d50527ce154c6a5ee7144556d252f38ad8841dd9fa5ebb48c4104fb37

Download Submit
C:\Windows\System32\siKPAgS.exe

Filesize
1.1MB

MD5
331a96a6b1870890118ce759b680a5de

SHA1
cb0577c93eda836e6beae48d3fb42d808d76f5c4

SHA256
adec5ecb35ea6d0edfb02f37e75813da1e74a6dc49ad3d70f88a31098cb96eca

SHA512
c41d24a8d7eaa65322fa9dbd00bf350ebb44abab60598ed5f26cff1d449f118b62f285c095a3421ce295c9ef4c1a3e0c841d082d331dd34b44e8c44e2f6c6ac3

Download Submit
C:\Windows\System32\vTnYBnK.exe

Filesize
1.1MB

MD5
9171d43b234de71715896f9a6bf3e114

SHA1
3ca3250d697f6967fd9c244263586593eca59c9b

SHA256
76e92dd384ebd93bcbd8140ddfa4a51b6984475110297a3971e97263e0d625c0

SHA512
093ea3a002a79918c5166bb96aff5304a3a1eeaa3cf40a80f63decaff7f321ca9552987caccd1f6bc5e184c1ba9e3eb1001bc592e20839125ce4fa96630b8385

Download Submit
C:\Windows\System32\yzNUClF.exe

Filesize
1.1MB

MD5
5cfb7f0419090efa6e589beb94b0a6d5

SHA1
bafe97d40ecd15703337d59d7d1e89664b3f21d3

SHA256
ac7d5bf484b9131fe5975128d88a126aeaaef2566bd67f8f921122e299beec72

SHA512
2049ff7a2485b0d1462f18a3038b445c4bc74e7cb90639c784b4717d794014e9f4c0f6a85ad43be252184e51c98db970900f2ad77ad1f477fcefbc3e6c6a5e50

Download Submit
C:\Windows\System32\zATquCE.exe

Filesize
1.1MB

MD5
0e243a687109855ef31b4c8ea38de87e

SHA1
a14a8df1f693bd1d1a06ace55f041b8ebfdf4b9f

SHA256
358a3c694ad64024e3062312eed5bde62030b06171f807085d818a2a3f77bf21

SHA512
af1a017e86baecde1b3120cc7cef1a543ff29df637df309b9b3206360fe04f269d1b5e3a66f7d11811fbe8b40105108769f222d0e92c4306508dec1ffdc88ed1

Download Submit
C:\Windows\System32\zINXXSo.exe

Filesize
1.1MB

MD5
3a1345408e9aaeab4c0457c2bd13dd69

SHA1
5afe4672adb62f1dd983928456f2d4afd94ea664

SHA256
a428cc49e805d50b5fb7905b7d266d4d1a9205ac1cb251bcc882f893d6f56f5e

SHA512
703db3d38642569ccf7ddcdc501327c6f4c2537534b7db0561ca5ab1c06a659f6177521ccbb33039609df35000890c39f339038d295067cb75ed6a837da065be

Download Submit
C:\Windows\System32\zisrQzF.exe

Filesize
1.1MB

MD5
cbd07cd5b3cf7c8a139b78427d84ebe5

SHA1
7a42cda504e2c9780109648a57c486161dbc5761

SHA256
e56a4a7bc3ceed884b730f10e0c908874747d3e0d23d9e9f26f5d3f2c4c96584

SHA512
6dba78fc74ddce6bddfbd1b977baa568e51042330eacb902f12fc782d854ce926c93950b55388a59f8f552d069df690b04b709260ce75e04599756702bc37cef

Download Submit
C:\Windows\System32\zubeqKU.exe

Filesize
1.1MB

MD5
d59d462d58b5edc7e168dfd13f61c8cf

SHA1
f97878d185ecb2d7b6ed1df6e11764297bd6ac2c

SHA256
951fc819a9d98ef4c1c96efadb114150b74ffb38207d4e2985e0a3068631de5d

SHA512
0c976047c923514150a662f0a517f5d8ae745934b2788494c1301ec8068e58fa6cce530e54457515f063195f187982c3d71f60a0e9daa32e8fa7ad8f4ffef54a

Download Submit
memory/540-30-0x00007FF6C0F60000-0x00007FF6C1351000-memory.dmp

Filesize
3.9MB

Download
memory/540-2020-0x00007FF6C0F60000-0x00007FF6C1351000-memory.dmp

Filesize
3.9MB

Download
memory/1192-2038-0x00007FF76E030000-0x00007FF76E421000-memory.dmp

Filesize
3.9MB

Download
memory/1192-366-0x00007FF76E030000-0x00007FF76E421000-memory.dmp

Filesize
3.9MB

Download
memory/1580-336-0x00007FF7C20A0000-0x00007FF7C2491000-memory.dmp

Filesize
3.9MB

Download
memory/1580-2030-0x00007FF7C20A0000-0x00007FF7C2491000-memory.dmp

Filesize
3.9MB

Download
memory/1968-1-0x0000022BE93B0000-0x0000022BE93C0000-memory.dmp

Filesize
64KB

Download
memory/1968-0-0x00007FF61EAA0000-0x00007FF61EE91000-memory.dmp

Filesize
3.9MB

Download
memory/2100-2034-0x00007FF765AB0000-0x00007FF765EA1000-memory.dmp

Filesize
3.9MB

Download
memory/2100-345-0x00007FF765AB0000-0x00007FF765EA1000-memory.dmp

Filesize
3.9MB

Download
memory/2164-2040-0x00007FF78BCE0000-0x00007FF78C0D1000-memory.dmp

Filesize
3.9MB

Download
memory/2164-354-0x00007FF78BCE0000-0x00007FF78C0D1000-memory.dmp

Filesize
3.9MB

Download
memory/2252-397-0x00007FF65F5F0000-0x00007FF65F9E1000-memory.dmp

Filesize
3.9MB

Download
memory/2252-2056-0x00007FF65F5F0000-0x00007FF65F9E1000-memory.dmp

Filesize
3.9MB

Download
memory/2260-2044-0x00007FF760320000-0x00007FF760711000-memory.dmp

Filesize
3.9MB

Download
memory/2260-373-0x00007FF760320000-0x00007FF760711000-memory.dmp

Filesize
3.9MB

Download
memory/2368-394-0x00007FF609560000-0x00007FF609951000-memory.dmp

Filesize
3.9MB

Download
memory/2368-2054-0x00007FF609560000-0x00007FF609951000-memory.dmp

Filesize
3.9MB

Download
memory/2388-2028-0x00007FF72D420000-0x00007FF72D811000-memory.dmp

Filesize
3.9MB

Download
memory/2388-47-0x00007FF72D420000-0x00007FF72D811000-memory.dmp

Filesize
3.9MB

Download
memory/2388-2006-0x00007FF72D420000-0x00007FF72D811000-memory.dmp

Filesize
3.9MB

Download
memory/2468-2050-0x00007FF6DBC70000-0x00007FF6DC061000-memory.dmp

Filesize
3.9MB

Download
memory/2468-376-0x00007FF6DBC70000-0x00007FF6DC061000-memory.dmp

Filesize
3.9MB

Download
memory/2888-38-0x00007FF7F6B30000-0x00007FF7F6F21000-memory.dmp

Filesize
3.9MB

Download
memory/2888-2022-0x00007FF7F6B30000-0x00007FF7F6F21000-memory.dmp

Filesize
3.9MB

Download
memory/2888-1968-0x00007FF7F6B30000-0x00007FF7F6F21000-memory.dmp

Filesize
3.9MB

Download
memory/3284-2058-0x00007FF62B650000-0x00007FF62BA41000-memory.dmp

Filesize
3.9MB

Download
memory/3284-401-0x00007FF62B650000-0x00007FF62BA41000-memory.dmp

Filesize
3.9MB

Download
memory/3300-350-0x00007FF7F0900000-0x00007FF7F0CF1000-memory.dmp

Filesize
3.9MB

Download
memory/3300-2036-0x00007FF7F0900000-0x00007FF7F0CF1000-memory.dmp

Filesize
3.9MB

Download
memory/3476-21-0x00007FF741DA0000-0x00007FF742191000-memory.dmp

Filesize
3.9MB

Download
memory/3476-2018-0x00007FF741DA0000-0x00007FF742191000-memory.dmp

Filesize
3.9MB

Download
memory/3476-1967-0x00007FF741DA0000-0x00007FF742191000-memory.dmp

Filesize
3.9MB

Download
memory/3480-2004-0x00007FF733F20000-0x00007FF734311000-memory.dmp

Filesize
3.9MB

Download
memory/3480-46-0x00007FF733F20000-0x00007FF734311000-memory.dmp

Filesize
3.9MB

Download
memory/3480-2026-0x00007FF733F20000-0x00007FF734311000-memory.dmp

Filesize
3.9MB

Download
memory/3536-378-0x00007FF7F7390000-0x00007FF7F7781000-memory.dmp

Filesize
3.9MB

Download
memory/3536-2048-0x00007FF7F7390000-0x00007FF7F7781000-memory.dmp

Filesize
3.9MB

Download
memory/3688-339-0x00007FF793A70000-0x00007FF793E61000-memory.dmp

Filesize
3.9MB

Download
memory/3688-2032-0x00007FF793A70000-0x00007FF793E61000-memory.dmp

Filesize
3.9MB

Download
memory/4344-367-0x00007FF7BC9F0000-0x00007FF7BCDE1000-memory.dmp

Filesize
3.9MB

Download
memory/4344-2042-0x00007FF7BC9F0000-0x00007FF7BCDE1000-memory.dmp

Filesize
3.9MB

Download
memory/4564-2052-0x00007FF7D8C50000-0x00007FF7D9041000-memory.dmp

Filesize
3.9MB

Download
memory/4564-389-0x00007FF7D8C50000-0x00007FF7D9041000-memory.dmp

Filesize
3.9MB

Download
memory/4568-2014-0x00007FF71E750000-0x00007FF71EB41000-memory.dmp

Filesize
3.9MB

Download
memory/4568-12-0x00007FF71E750000-0x00007FF71EB41000-memory.dmp

Filesize
3.9MB

Download
memory/4652-2016-0x00007FF79DDE0000-0x00007FF79E1D1000-memory.dmp

Filesize
3.9MB

Download
memory/4652-25-0x00007FF79DDE0000-0x00007FF79E1D1000-memory.dmp

Filesize
3.9MB

Download
memory/4668-375-0x00007FF78D7E0000-0x00007FF78DBD1000-memory.dmp

Filesize
3.9MB

Download
memory/4668-2046-0x00007FF78D7E0000-0x00007FF78DBD1000-memory.dmp

Filesize
3.9MB

Download
memory/4820-402-0x00007FF7D9BF0000-0x00007FF7D9FE1000-memory.dmp

Filesize
3.9MB

Download
memory/4820-2061-0x00007FF7D9BF0000-0x00007FF7D9FE1000-memory.dmp

Filesize
3.9MB

Download
memory/5100-43-0x00007FF70ADF0000-0x00007FF70B1E1000-memory.dmp

Filesize
3.9MB

Download
memory/5100-1969-0x00007FF70ADF0000-0x00007FF70B1E1000-memory.dmp

Filesize
3.9MB

Download
memory/5100-2024-0x00007FF70ADF0000-0x00007FF70B1E1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads