xmrig | 1238bf83d1c2de42cf30fde686d49640f65f53d2d50217c90b8095588046a5d9

Analysis

max time kernel
118s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
Size

1.6MB
MD5

055a324322efb1525eca1a228a0f7c27
SHA1

5057ec448691583a429976798a36db5c541175cf
SHA256

1238bf83d1c2de42cf30fde686d49640f65f53d2d50217c90b8095588046a5d9
SHA512

2b0424ae5b073388b4480f68a07d14c47d457cf67366a47f9e9d1c0c0838c8ae83230f8bfb6411bcf7c4e64d884474a32c150ab36f5f312e39ca855d41265eed
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO9C1MKTbcMfHhGjw2Do+BRrCfULQ387/46:knw9oUUEEDlGUjc2HhG82Dikb

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1176-40-0x00007FF728A60000-0x00007FF728E51000-memory.dmp	xmrig
behavioral2/memory/1144-455-0x00007FF6B7200000-0x00007FF6B75F1000-memory.dmp	xmrig
behavioral2/memory/3248-456-0x00007FF7D77C0000-0x00007FF7D7BB1000-memory.dmp	xmrig
behavioral2/memory/4468-458-0x00007FF6010D0000-0x00007FF6014C1000-memory.dmp	xmrig
behavioral2/memory/2288-457-0x00007FF616CB0000-0x00007FF6170A1000-memory.dmp	xmrig
behavioral2/memory/2636-460-0x00007FF617720000-0x00007FF617B11000-memory.dmp	xmrig
behavioral2/memory/3008-461-0x00007FF7FCF50000-0x00007FF7FD341000-memory.dmp	xmrig
behavioral2/memory/1976-462-0x00007FF6FF870000-0x00007FF6FFC61000-memory.dmp	xmrig
behavioral2/memory/1648-463-0x00007FF6B6390000-0x00007FF6B6781000-memory.dmp	xmrig
behavioral2/memory/2896-465-0x00007FF6639E0000-0x00007FF663DD1000-memory.dmp	xmrig
behavioral2/memory/740-466-0x00007FF7161F0000-0x00007FF7165E1000-memory.dmp	xmrig
behavioral2/memory/4548-467-0x00007FF7EAEF0000-0x00007FF7EB2E1000-memory.dmp	xmrig
behavioral2/memory/3808-468-0x00007FF62FC30000-0x00007FF630021000-memory.dmp	xmrig
behavioral2/memory/2564-464-0x00007FF78D680000-0x00007FF78DA71000-memory.dmp	xmrig
behavioral2/memory/688-459-0x00007FF60D5A0000-0x00007FF60D991000-memory.dmp	xmrig
behavioral2/memory/1928-45-0x00007FF79E9F0000-0x00007FF79EDE1000-memory.dmp	xmrig
behavioral2/memory/888-36-0x00007FF785C80000-0x00007FF786071000-memory.dmp	xmrig
behavioral2/memory/3472-493-0x00007FF6CEFA0000-0x00007FF6CF391000-memory.dmp	xmrig
behavioral2/memory/1528-495-0x00007FF78AF30000-0x00007FF78B321000-memory.dmp	xmrig
behavioral2/memory/4640-492-0x00007FF6C2500000-0x00007FF6C28F1000-memory.dmp	xmrig
behavioral2/memory/4824-1953-0x00007FF7C08A0000-0x00007FF7C0C91000-memory.dmp	xmrig
behavioral2/memory/2312-1976-0x00007FF6B32F0000-0x00007FF6B36E1000-memory.dmp	xmrig
behavioral2/memory/4572-1977-0x00007FF72C240000-0x00007FF72C631000-memory.dmp	xmrig
behavioral2/memory/1176-1988-0x00007FF728A60000-0x00007FF728E51000-memory.dmp	xmrig
behavioral2/memory/4304-1994-0x00007FF78FD20000-0x00007FF790111000-memory.dmp	xmrig
behavioral2/memory/4824-1996-0x00007FF7C08A0000-0x00007FF7C0C91000-memory.dmp	xmrig
behavioral2/memory/4572-2000-0x00007FF72C240000-0x00007FF72C631000-memory.dmp	xmrig
behavioral2/memory/1176-2006-0x00007FF728A60000-0x00007FF728E51000-memory.dmp	xmrig
behavioral2/memory/1144-2008-0x00007FF6B7200000-0x00007FF6B75F1000-memory.dmp	xmrig
behavioral2/memory/2288-2012-0x00007FF616CB0000-0x00007FF6170A1000-memory.dmp	xmrig
behavioral2/memory/3248-2010-0x00007FF7D77C0000-0x00007FF7D7BB1000-memory.dmp	xmrig
behavioral2/memory/888-2002-0x00007FF785C80000-0x00007FF786071000-memory.dmp	xmrig
behavioral2/memory/1928-2004-0x00007FF79E9F0000-0x00007FF79EDE1000-memory.dmp	xmrig
behavioral2/memory/2312-1998-0x00007FF6B32F0000-0x00007FF6B36E1000-memory.dmp	xmrig
behavioral2/memory/2636-2016-0x00007FF617720000-0x00007FF617B11000-memory.dmp	xmrig
behavioral2/memory/4468-2014-0x00007FF6010D0000-0x00007FF6014C1000-memory.dmp	xmrig
behavioral2/memory/2896-2039-0x00007FF6639E0000-0x00007FF663DD1000-memory.dmp	xmrig
behavioral2/memory/3808-2033-0x00007FF62FC30000-0x00007FF630021000-memory.dmp	xmrig
behavioral2/memory/2564-2041-0x00007FF78D680000-0x00007FF78DA71000-memory.dmp	xmrig
behavioral2/memory/740-2037-0x00007FF7161F0000-0x00007FF7165E1000-memory.dmp	xmrig
behavioral2/memory/4548-2036-0x00007FF7EAEF0000-0x00007FF7EB2E1000-memory.dmp	xmrig
behavioral2/memory/4640-2024-0x00007FF6C2500000-0x00007FF6C28F1000-memory.dmp	xmrig
behavioral2/memory/3472-2022-0x00007FF6CEFA0000-0x00007FF6CF391000-memory.dmp	xmrig
behavioral2/memory/1528-2020-0x00007FF78AF30000-0x00007FF78B321000-memory.dmp	xmrig
behavioral2/memory/688-2018-0x00007FF60D5A0000-0x00007FF60D991000-memory.dmp	xmrig
behavioral2/memory/1648-2031-0x00007FF6B6390000-0x00007FF6B6781000-memory.dmp	xmrig
behavioral2/memory/1976-2029-0x00007FF6FF870000-0x00007FF6FFC61000-memory.dmp	xmrig
behavioral2/memory/3008-2027-0x00007FF7FCF50000-0x00007FF7FD341000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4304	tzMRJZA.exe
4824	okCoHvj.exe
2312	SYhkHfF.exe
4572	sqryetU.exe
888	XZiFlhG.exe
1176	wmKZslz.exe
1928	PcVaqSs.exe
1144	msJNkKj.exe
3248	lyXxSYL.exe
2288	sZcfmsY.exe
4468	lbTSJGX.exe
688	WuSLkjQ.exe
2636	mdiBVwI.exe
3008	kBHpVgg.exe
1976	XUXeLZo.exe
1648	NxVKmem.exe
2564	sbUgXIM.exe
2896	fIKjjNI.exe
740	zfHaQrU.exe
4548	yVyTBwG.exe
3808	nLDxDSX.exe
4640	mqTEMtg.exe
3472	uNDfDES.exe
1528	lDcaXAw.exe
1624	SwlfMUE.exe
2144	kNRutCG.exe
1308	JuirjUM.exe
1780	oIVHyKz.exe
4044	NpEXVaM.exe
3636	ehIvRbl.exe
4232	FoIwBkk.exe
4444	HJAmLaV.exe
1636	Lpvcfpw.exe
4776	IdqBjRr.exe
4788	lnRpWps.exe
1068	HESywEQ.exe
4568	LFCSWqs.exe
2240	XacklSR.exe
4476	WDFipyU.exe
4384	zMFNlSo.exe
1148	LXiNXGR.exe
3728	XnLZowi.exe
832	rseGcSJ.exe
4480	iTfGRkv.exe
4684	vXIlVHk.exe
4048	hiVqNUZ.exe
3900	GtmBgBU.exe
4724	FjZxpAr.exe
4340	bqMtdps.exe
396	AVYpxcQ.exe
556	thNVOvh.exe
1004	ywEPtaN.exe
4680	zRhJilZ.exe
3240	FDGFmXE.exe
2276	NEpswYf.exe
3860	HIBfWRZ.exe
3484	pTZeJnC.exe
3564	bJQFbcD.exe
2856	nVkQUOV.exe
2272	zqGYiRe.exe
3044	vIHMYqc.exe
4056	PJEBLHz.exe
1152	QNpCXJO.exe
932	PhJUHPW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3480-0-0x00007FF6F0F20000-0x00007FF6F1311000-memory.dmp	upx
behavioral2/files/0x000c000000023ba8-5.dat	upx
behavioral2/files/0x000a000000023bb6-7.dat	upx
behavioral2/memory/4304-9-0x00007FF78FD20000-0x00007FF790111000-memory.dmp	upx
behavioral2/files/0x000a000000023bb7-16.dat	upx
behavioral2/memory/4572-24-0x00007FF72C240000-0x00007FF72C631000-memory.dmp	upx
behavioral2/files/0x000a000000023bb5-20.dat	upx
behavioral2/files/0x000a000000023bb8-33.dat	upx
behavioral2/files/0x000a000000023bb9-35.dat	upx
behavioral2/files/0x000a000000023bba-42.dat	upx
behavioral2/memory/1176-40-0x00007FF728A60000-0x00007FF728E51000-memory.dmp	upx
behavioral2/files/0x000a000000023bbb-47.dat	upx
behavioral2/files/0x0031000000023bbe-63.dat	upx
behavioral2/files/0x0031000000023bbf-68.dat	upx
behavioral2/files/0x000a000000023bc1-76.dat	upx
behavioral2/files/0x000a000000023bc3-88.dat	upx
behavioral2/files/0x000a000000023bc6-103.dat	upx
behavioral2/files/0x000a000000023bc8-113.dat	upx
behavioral2/files/0x000a000000023bcd-138.dat	upx
behavioral2/files/0x000a000000023bd0-153.dat	upx
behavioral2/memory/1144-455-0x00007FF6B7200000-0x00007FF6B75F1000-memory.dmp	upx
behavioral2/memory/3248-456-0x00007FF7D77C0000-0x00007FF7D7BB1000-memory.dmp	upx
behavioral2/memory/4468-458-0x00007FF6010D0000-0x00007FF6014C1000-memory.dmp	upx
behavioral2/memory/2288-457-0x00007FF616CB0000-0x00007FF6170A1000-memory.dmp	upx
behavioral2/files/0x000a000000023bd3-168.dat	upx
behavioral2/files/0x000a000000023bd2-163.dat	upx
behavioral2/files/0x000a000000023bd1-158.dat	upx
behavioral2/memory/2636-460-0x00007FF617720000-0x00007FF617B11000-memory.dmp	upx
behavioral2/memory/3008-461-0x00007FF7FCF50000-0x00007FF7FD341000-memory.dmp	upx
behavioral2/memory/1976-462-0x00007FF6FF870000-0x00007FF6FFC61000-memory.dmp	upx
behavioral2/memory/1648-463-0x00007FF6B6390000-0x00007FF6B6781000-memory.dmp	upx
behavioral2/memory/2896-465-0x00007FF6639E0000-0x00007FF663DD1000-memory.dmp	upx
behavioral2/memory/740-466-0x00007FF7161F0000-0x00007FF7165E1000-memory.dmp	upx
behavioral2/memory/4548-467-0x00007FF7EAEF0000-0x00007FF7EB2E1000-memory.dmp	upx
behavioral2/memory/3808-468-0x00007FF62FC30000-0x00007FF630021000-memory.dmp	upx
behavioral2/memory/2564-464-0x00007FF78D680000-0x00007FF78DA71000-memory.dmp	upx
behavioral2/memory/688-459-0x00007FF60D5A0000-0x00007FF60D991000-memory.dmp	upx
behavioral2/files/0x000a000000023bcf-148.dat	upx
behavioral2/files/0x000a000000023bce-143.dat	upx
behavioral2/files/0x000a000000023bcc-133.dat	upx
behavioral2/files/0x000a000000023bcb-128.dat	upx
behavioral2/files/0x000a000000023bca-123.dat	upx
behavioral2/files/0x000a000000023bc9-118.dat	upx
behavioral2/files/0x000a000000023bc7-108.dat	upx
behavioral2/files/0x000a000000023bc5-98.dat	upx
behavioral2/files/0x000a000000023bc4-93.dat	upx
behavioral2/files/0x000a000000023bc2-83.dat	upx
behavioral2/files/0x000a000000023bc0-73.dat	upx
behavioral2/files/0x0031000000023bbd-58.dat	upx
behavioral2/files/0x000a000000023bbc-53.dat	upx
behavioral2/memory/1928-45-0x00007FF79E9F0000-0x00007FF79EDE1000-memory.dmp	upx
behavioral2/memory/888-36-0x00007FF785C80000-0x00007FF786071000-memory.dmp	upx
behavioral2/memory/2312-19-0x00007FF6B32F0000-0x00007FF6B36E1000-memory.dmp	upx
behavioral2/memory/4824-14-0x00007FF7C08A0000-0x00007FF7C0C91000-memory.dmp	upx
behavioral2/memory/3472-493-0x00007FF6CEFA0000-0x00007FF6CF391000-memory.dmp	upx
behavioral2/memory/1528-495-0x00007FF78AF30000-0x00007FF78B321000-memory.dmp	upx
behavioral2/memory/4640-492-0x00007FF6C2500000-0x00007FF6C28F1000-memory.dmp	upx
behavioral2/memory/4824-1953-0x00007FF7C08A0000-0x00007FF7C0C91000-memory.dmp	upx
behavioral2/memory/2312-1976-0x00007FF6B32F0000-0x00007FF6B36E1000-memory.dmp	upx
behavioral2/memory/4572-1977-0x00007FF72C240000-0x00007FF72C631000-memory.dmp	upx
behavioral2/memory/1176-1988-0x00007FF728A60000-0x00007FF728E51000-memory.dmp	upx
behavioral2/memory/4304-1994-0x00007FF78FD20000-0x00007FF790111000-memory.dmp	upx
behavioral2/memory/4824-1996-0x00007FF7C08A0000-0x00007FF7C0C91000-memory.dmp	upx
behavioral2/memory/4572-2000-0x00007FF72C240000-0x00007FF72C631000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\yJyXpHz.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\lCRXRem.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\YFaWsjS.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\bUzscby.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\wjmaVne.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\rseGcSJ.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\CSvzoIW.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\WBIySLj.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\nOxzrDL.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\FDGFmXE.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\FoeuWzZ.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\wipcBZk.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\PguXzUd.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\bqKVeEY.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\oIVHyKz.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\swgjywE.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\XgGugTs.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\fyhbzUv.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\QlIcSMS.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\XCcDuOr.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\ahSnXuU.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\lSMlLcm.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\OXRTzYp.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\sqryetU.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\lbTSJGX.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\kygXUzk.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\YZJwwOc.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\Edzffhq.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\cwFCHkH.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\CrwCJEB.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\XnLZowi.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\LAOVgzN.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\CwnOROz.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\TgJqxkg.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\EHvCIIC.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\AVYpxcQ.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\YfJJGDS.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\stbrKGN.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\CiLnxGZ.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\lRGdCxg.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\YbtUeEE.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\WxbSPcz.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\psCxPBQ.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\Lpvcfpw.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\oxtvLnJ.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\lDcaXAw.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\NXkcIqQ.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\xBpkuND.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\cIIduru.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\DrntFYQ.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\wJnrqBv.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\IjcfIeg.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\YzOmXAb.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\bkYoWNu.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\qAbZckR.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\CRXmaWS.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\OcytZuS.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\vchoKdF.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\QkQnmXd.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\zUvJXzS.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\TNhbcIU.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\NIPYClz.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\CvPrELW.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
File created	C:\Windows\System32\xUrfcgn.exe	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2872	dwm.exe
Token: SeChangeNotifyPrivilege	2872	dwm.exe
Token: 33	2872	dwm.exe
Token: SeIncBasePriorityPrivilege	2872	dwm.exe
Token: SeShutdownPrivilege	2872	dwm.exe
Token: SeCreatePagefilePrivilege	2872	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4304	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	86
PID 3480 wrote to memory of 4304	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	86
PID 3480 wrote to memory of 4824	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	87
PID 3480 wrote to memory of 4824	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	87
PID 3480 wrote to memory of 2312	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	88
PID 3480 wrote to memory of 2312	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	88
PID 3480 wrote to memory of 4572	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	89
PID 3480 wrote to memory of 4572	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	89
PID 3480 wrote to memory of 888	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	90
PID 3480 wrote to memory of 888	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	90
PID 3480 wrote to memory of 1176	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	91
PID 3480 wrote to memory of 1176	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	91
PID 3480 wrote to memory of 1928	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	92
PID 3480 wrote to memory of 1928	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	92
PID 3480 wrote to memory of 1144	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	93
PID 3480 wrote to memory of 1144	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	93
PID 3480 wrote to memory of 3248	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	94
PID 3480 wrote to memory of 3248	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	94
PID 3480 wrote to memory of 2288	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	95
PID 3480 wrote to memory of 2288	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	95
PID 3480 wrote to memory of 4468	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	96
PID 3480 wrote to memory of 4468	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	96
PID 3480 wrote to memory of 688	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	97
PID 3480 wrote to memory of 688	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	97
PID 3480 wrote to memory of 2636	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	98
PID 3480 wrote to memory of 2636	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	98
PID 3480 wrote to memory of 3008	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	99
PID 3480 wrote to memory of 3008	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	99
PID 3480 wrote to memory of 1976	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	100
PID 3480 wrote to memory of 1976	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	100
PID 3480 wrote to memory of 1648	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	101
PID 3480 wrote to memory of 1648	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	101
PID 3480 wrote to memory of 2564	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	102
PID 3480 wrote to memory of 2564	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	102
PID 3480 wrote to memory of 2896	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	103
PID 3480 wrote to memory of 2896	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	103
PID 3480 wrote to memory of 740	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	104
PID 3480 wrote to memory of 740	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	104
PID 3480 wrote to memory of 4548	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	105
PID 3480 wrote to memory of 4548	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	105
PID 3480 wrote to memory of 3808	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	106
PID 3480 wrote to memory of 3808	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	106
PID 3480 wrote to memory of 4640	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	107
PID 3480 wrote to memory of 4640	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	107
PID 3480 wrote to memory of 3472	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	108
PID 3480 wrote to memory of 3472	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	108
PID 3480 wrote to memory of 1528	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	109
PID 3480 wrote to memory of 1528	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	109
PID 3480 wrote to memory of 1624	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	110
PID 3480 wrote to memory of 1624	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	110
PID 3480 wrote to memory of 2144	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	111
PID 3480 wrote to memory of 2144	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	111
PID 3480 wrote to memory of 1308	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	112
PID 3480 wrote to memory of 1308	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	112
PID 3480 wrote to memory of 1780	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	113
PID 3480 wrote to memory of 1780	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	113
PID 3480 wrote to memory of 4044	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	114
PID 3480 wrote to memory of 4044	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	114
PID 3480 wrote to memory of 3636	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	115
PID 3480 wrote to memory of 3636	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	115
PID 3480 wrote to memory of 4232	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	116
PID 3480 wrote to memory of 4232	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	116
PID 3480 wrote to memory of 4444	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	117
PID 3480 wrote to memory of 4444	3480	055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\055a324322efb1525eca1a228a0f7c27_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\System32\tzMRJZA.exe
  C:\Windows\System32\tzMRJZA.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\okCoHvj.exe
  C:\Windows\System32\okCoHvj.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\SYhkHfF.exe
  C:\Windows\System32\SYhkHfF.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System32\sqryetU.exe
  C:\Windows\System32\sqryetU.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\XZiFlhG.exe
  C:\Windows\System32\XZiFlhG.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System32\wmKZslz.exe
  C:\Windows\System32\wmKZslz.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System32\PcVaqSs.exe
  C:\Windows\System32\PcVaqSs.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System32\msJNkKj.exe
  C:\Windows\System32\msJNkKj.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System32\lyXxSYL.exe
  C:\Windows\System32\lyXxSYL.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System32\sZcfmsY.exe
  C:\Windows\System32\sZcfmsY.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\lbTSJGX.exe
  C:\Windows\System32\lbTSJGX.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\WuSLkjQ.exe
  C:\Windows\System32\WuSLkjQ.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System32\mdiBVwI.exe
  C:\Windows\System32\mdiBVwI.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System32\kBHpVgg.exe
  C:\Windows\System32\kBHpVgg.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System32\XUXeLZo.exe
  C:\Windows\System32\XUXeLZo.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System32\NxVKmem.exe
  C:\Windows\System32\NxVKmem.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\sbUgXIM.exe
  C:\Windows\System32\sbUgXIM.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System32\fIKjjNI.exe
  C:\Windows\System32\fIKjjNI.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\zfHaQrU.exe
  C:\Windows\System32\zfHaQrU.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\yVyTBwG.exe
  C:\Windows\System32\yVyTBwG.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\nLDxDSX.exe
  C:\Windows\System32\nLDxDSX.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System32\mqTEMtg.exe
  C:\Windows\System32\mqTEMtg.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\uNDfDES.exe
  C:\Windows\System32\uNDfDES.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System32\lDcaXAw.exe
  C:\Windows\System32\lDcaXAw.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\SwlfMUE.exe
  C:\Windows\System32\SwlfMUE.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\kNRutCG.exe
  C:\Windows\System32\kNRutCG.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System32\JuirjUM.exe
  C:\Windows\System32\JuirjUM.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System32\oIVHyKz.exe
  C:\Windows\System32\oIVHyKz.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System32\NpEXVaM.exe
  C:\Windows\System32\NpEXVaM.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\ehIvRbl.exe
  C:\Windows\System32\ehIvRbl.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\FoIwBkk.exe
  C:\Windows\System32\FoIwBkk.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System32\HJAmLaV.exe
  C:\Windows\System32\HJAmLaV.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System32\Lpvcfpw.exe
  C:\Windows\System32\Lpvcfpw.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\IdqBjRr.exe
  C:\Windows\System32\IdqBjRr.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\lnRpWps.exe
  C:\Windows\System32\lnRpWps.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\HESywEQ.exe
  C:\Windows\System32\HESywEQ.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System32\LFCSWqs.exe
  C:\Windows\System32\LFCSWqs.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\XacklSR.exe
  C:\Windows\System32\XacklSR.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System32\WDFipyU.exe
  C:\Windows\System32\WDFipyU.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\zMFNlSo.exe
  C:\Windows\System32\zMFNlSo.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\LXiNXGR.exe
  C:\Windows\System32\LXiNXGR.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System32\XnLZowi.exe
  C:\Windows\System32\XnLZowi.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System32\rseGcSJ.exe
  C:\Windows\System32\rseGcSJ.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System32\iTfGRkv.exe
  C:\Windows\System32\iTfGRkv.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\vXIlVHk.exe
  C:\Windows\System32\vXIlVHk.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\hiVqNUZ.exe
  C:\Windows\System32\hiVqNUZ.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System32\GtmBgBU.exe
  C:\Windows\System32\GtmBgBU.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System32\FjZxpAr.exe
  C:\Windows\System32\FjZxpAr.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\bqMtdps.exe
  C:\Windows\System32\bqMtdps.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\AVYpxcQ.exe
  C:\Windows\System32\AVYpxcQ.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System32\thNVOvh.exe
  C:\Windows\System32\thNVOvh.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System32\ywEPtaN.exe
  C:\Windows\System32\ywEPtaN.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System32\zRhJilZ.exe
  C:\Windows\System32\zRhJilZ.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System32\FDGFmXE.exe
  C:\Windows\System32\FDGFmXE.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System32\NEpswYf.exe
  C:\Windows\System32\NEpswYf.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System32\HIBfWRZ.exe
  C:\Windows\System32\HIBfWRZ.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System32\pTZeJnC.exe
  C:\Windows\System32\pTZeJnC.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\bJQFbcD.exe
  C:\Windows\System32\bJQFbcD.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System32\nVkQUOV.exe
  C:\Windows\System32\nVkQUOV.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System32\zqGYiRe.exe
  C:\Windows\System32\zqGYiRe.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System32\vIHMYqc.exe
  C:\Windows\System32\vIHMYqc.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\PJEBLHz.exe
  C:\Windows\System32\PJEBLHz.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\QNpCXJO.exe
  C:\Windows\System32\QNpCXJO.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System32\PhJUHPW.exe
  C:\Windows\System32\PhJUHPW.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System32\utfELkr.exe
  C:\Windows\System32\utfELkr.exe
  2⤵
  PID:4016
- C:\Windows\System32\LAOVgzN.exe
  C:\Windows\System32\LAOVgzN.exe
  2⤵
  PID:3836
- C:\Windows\System32\MdwRbTl.exe
  C:\Windows\System32\MdwRbTl.exe
  2⤵
  PID:2748
- C:\Windows\System32\Hcevqfo.exe
  C:\Windows\System32\Hcevqfo.exe
  2⤵
  PID:2192
- C:\Windows\System32\SnFhMJC.exe
  C:\Windows\System32\SnFhMJC.exe
  2⤵
  PID:4856
- C:\Windows\System32\fBCnhWr.exe
  C:\Windows\System32\fBCnhWr.exe
  2⤵
  PID:3924
- C:\Windows\System32\sEBbHNu.exe
  C:\Windows\System32\sEBbHNu.exe
  2⤵
  PID:4284
- C:\Windows\System32\FoeuWzZ.exe
  C:\Windows\System32\FoeuWzZ.exe
  2⤵
  PID:4504
- C:\Windows\System32\ZwwMMLs.exe
  C:\Windows\System32\ZwwMMLs.exe
  2⤵
  PID:1232
- C:\Windows\System32\XNGLUsC.exe
  C:\Windows\System32\XNGLUsC.exe
  2⤵
  PID:2132
- C:\Windows\System32\gjbHphs.exe
  C:\Windows\System32\gjbHphs.exe
  2⤵
  PID:4884
- C:\Windows\System32\CKDGLTp.exe
  C:\Windows\System32\CKDGLTp.exe
  2⤵
  PID:3348
- C:\Windows\System32\TcBgwKl.exe
  C:\Windows\System32\TcBgwKl.exe
  2⤵
  PID:4728
- C:\Windows\System32\PPQahVZ.exe
  C:\Windows\System32\PPQahVZ.exe
  2⤵
  PID:4212
- C:\Windows\System32\ArIZunC.exe
  C:\Windows\System32\ArIZunC.exe
  2⤵
  PID:2772
- C:\Windows\System32\WqKMSji.exe
  C:\Windows\System32\WqKMSji.exe
  2⤵
  PID:2964
- C:\Windows\System32\zRgupXP.exe
  C:\Windows\System32\zRgupXP.exe
  2⤵
  PID:2824
- C:\Windows\System32\SwTbTAp.exe
  C:\Windows\System32\SwTbTAp.exe
  2⤵
  PID:4320
- C:\Windows\System32\MPQMMtR.exe
  C:\Windows\System32\MPQMMtR.exe
  2⤵
  PID:5024
- C:\Windows\System32\EwBleJl.exe
  C:\Windows\System32\EwBleJl.exe
  2⤵
  PID:5140
- C:\Windows\System32\EXWHolu.exe
  C:\Windows\System32\EXWHolu.exe
  2⤵
  PID:5172
- C:\Windows\System32\OIthVqM.exe
  C:\Windows\System32\OIthVqM.exe
  2⤵
  PID:5192
- C:\Windows\System32\ZCmzpAZ.exe
  C:\Windows\System32\ZCmzpAZ.exe
  2⤵
  PID:5224
- C:\Windows\System32\YcmyndA.exe
  C:\Windows\System32\YcmyndA.exe
  2⤵
  PID:5252
- C:\Windows\System32\MnBqUpq.exe
  C:\Windows\System32\MnBqUpq.exe
  2⤵
  PID:5280
- C:\Windows\System32\MmZBewJ.exe
  C:\Windows\System32\MmZBewJ.exe
  2⤵
  PID:5308
- C:\Windows\System32\hnfhPcM.exe
  C:\Windows\System32\hnfhPcM.exe
  2⤵
  PID:5336
- C:\Windows\System32\EMZJKcK.exe
  C:\Windows\System32\EMZJKcK.exe
  2⤵
  PID:5364
- C:\Windows\System32\eQEtOUX.exe
  C:\Windows\System32\eQEtOUX.exe
  2⤵
  PID:5388
- C:\Windows\System32\gPwQaFT.exe
  C:\Windows\System32\gPwQaFT.exe
  2⤵
  PID:5424
- C:\Windows\System32\UWjuouy.exe
  C:\Windows\System32\UWjuouy.exe
  2⤵
  PID:5444
- C:\Windows\System32\CswuArj.exe
  C:\Windows\System32\CswuArj.exe
  2⤵
  PID:5476
- C:\Windows\System32\GoLLLGp.exe
  C:\Windows\System32\GoLLLGp.exe
  2⤵
  PID:5504
- C:\Windows\System32\tKJmyoI.exe
  C:\Windows\System32\tKJmyoI.exe
  2⤵
  PID:5532
- C:\Windows\System32\uXyjloL.exe
  C:\Windows\System32\uXyjloL.exe
  2⤵
  PID:5560
- C:\Windows\System32\POeeOlX.exe
  C:\Windows\System32\POeeOlX.exe
  2⤵
  PID:5592
- C:\Windows\System32\eLupLKS.exe
  C:\Windows\System32\eLupLKS.exe
  2⤵
  PID:5612
- C:\Windows\System32\fCtFIVH.exe
  C:\Windows\System32\fCtFIVH.exe
  2⤵
  PID:5644
- C:\Windows\System32\uKtVqWO.exe
  C:\Windows\System32\uKtVqWO.exe
  2⤵
  PID:5672
- C:\Windows\System32\MuheWZt.exe
  C:\Windows\System32\MuheWZt.exe
  2⤵
  PID:5696
- C:\Windows\System32\ClnKxVv.exe
  C:\Windows\System32\ClnKxVv.exe
  2⤵
  PID:5728
- C:\Windows\System32\CXNrvFq.exe
  C:\Windows\System32\CXNrvFq.exe
  2⤵
  PID:5756
- C:\Windows\System32\CwnOROz.exe
  C:\Windows\System32\CwnOROz.exe
  2⤵
  PID:5784
- C:\Windows\System32\CSvzoIW.exe
  C:\Windows\System32\CSvzoIW.exe
  2⤵
  PID:5812
- C:\Windows\System32\qQydTAb.exe
  C:\Windows\System32\qQydTAb.exe
  2⤵
  PID:5840
- C:\Windows\System32\wDqkdRW.exe
  C:\Windows\System32\wDqkdRW.exe
  2⤵
  PID:5868
- C:\Windows\System32\hJRwtlE.exe
  C:\Windows\System32\hJRwtlE.exe
  2⤵
  PID:5892
- C:\Windows\System32\awnmWiJ.exe
  C:\Windows\System32\awnmWiJ.exe
  2⤵
  PID:5924
- C:\Windows\System32\HQeKmey.exe
  C:\Windows\System32\HQeKmey.exe
  2⤵
  PID:5952
- C:\Windows\System32\FLLNUCE.exe
  C:\Windows\System32\FLLNUCE.exe
  2⤵
  PID:5980
- C:\Windows\System32\wipcBZk.exe
  C:\Windows\System32\wipcBZk.exe
  2⤵
  PID:6008
- C:\Windows\System32\tUwIRUy.exe
  C:\Windows\System32\tUwIRUy.exe
  2⤵
  PID:6036
- C:\Windows\System32\eSwRcRN.exe
  C:\Windows\System32\eSwRcRN.exe
  2⤵
  PID:6064
- C:\Windows\System32\yeGphaW.exe
  C:\Windows\System32\yeGphaW.exe
  2⤵
  PID:6092
- C:\Windows\System32\fvoGWtn.exe
  C:\Windows\System32\fvoGWtn.exe
  2⤵
  PID:6120
- C:\Windows\System32\gyGTlRZ.exe
  C:\Windows\System32\gyGTlRZ.exe
  2⤵
  PID:3200
- C:\Windows\System32\XAgaoYV.exe
  C:\Windows\System32\XAgaoYV.exe
  2⤵
  PID:3536
- C:\Windows\System32\XCcDuOr.exe
  C:\Windows\System32\XCcDuOr.exe
  2⤵
  PID:3628
- C:\Windows\System32\OxyAkXX.exe
  C:\Windows\System32\OxyAkXX.exe
  2⤵
  PID:2796
- C:\Windows\System32\tdxcmuB.exe
  C:\Windows\System32\tdxcmuB.exe
  2⤵
  PID:4192
- C:\Windows\System32\yJyXpHz.exe
  C:\Windows\System32\yJyXpHz.exe
  2⤵
  PID:5188
- C:\Windows\System32\tucjYVV.exe
  C:\Windows\System32\tucjYVV.exe
  2⤵
  PID:5244
- C:\Windows\System32\EYCfYJe.exe
  C:\Windows\System32\EYCfYJe.exe
  2⤵
  PID:5348
- C:\Windows\System32\HhqjSJR.exe
  C:\Windows\System32\HhqjSJR.exe
  2⤵
  PID:5384
- C:\Windows\System32\WBIySLj.exe
  C:\Windows\System32\WBIySLj.exe
  2⤵
  PID:3080
- C:\Windows\System32\aYXSDoV.exe
  C:\Windows\System32\aYXSDoV.exe
  2⤵
  PID:1880
- C:\Windows\System32\HTMUwRc.exe
  C:\Windows\System32\HTMUwRc.exe
  2⤵
  PID:5776
- C:\Windows\System32\HTHjaRN.exe
  C:\Windows\System32\HTHjaRN.exe
  2⤵
  PID:5824
- C:\Windows\System32\xEWKaGO.exe
  C:\Windows\System32\xEWKaGO.exe
  2⤵
  PID:5856
- C:\Windows\System32\XplgLHk.exe
  C:\Windows\System32\XplgLHk.exe
  2⤵
  PID:5916
- C:\Windows\System32\TNhbcIU.exe
  C:\Windows\System32\TNhbcIU.exe
  2⤵
  PID:6000
- C:\Windows\System32\IttPmlO.exe
  C:\Windows\System32\IttPmlO.exe
  2⤵
  PID:2296
- C:\Windows\System32\AhIWWfq.exe
  C:\Windows\System32\AhIWWfq.exe
  2⤵
  PID:6108
- C:\Windows\System32\GBxmcig.exe
  C:\Windows\System32\GBxmcig.exe
  2⤵
  PID:2444
- C:\Windows\System32\SWRiXpP.exe
  C:\Windows\System32\SWRiXpP.exe
  2⤵
  PID:4868
- C:\Windows\System32\ZrHUKDI.exe
  C:\Windows\System32\ZrHUKDI.exe
  2⤵
  PID:3640
- C:\Windows\System32\APiUlhk.exe
  C:\Windows\System32\APiUlhk.exe
  2⤵
  PID:2136
- C:\Windows\System32\VCpRJxv.exe
  C:\Windows\System32\VCpRJxv.exe
  2⤵
  PID:5152
- C:\Windows\System32\wbYHpVc.exe
  C:\Windows\System32\wbYHpVc.exe
  2⤵
  PID:2764
- C:\Windows\System32\CWAPBKG.exe
  C:\Windows\System32\CWAPBKG.exe
  2⤵
  PID:4464
- C:\Windows\System32\JQrKAWT.exe
  C:\Windows\System32\JQrKAWT.exe
  2⤵
  PID:3092
- C:\Windows\System32\NXkcIqQ.exe
  C:\Windows\System32\NXkcIqQ.exe
  2⤵
  PID:1120
- C:\Windows\System32\ZyCYOGM.exe
  C:\Windows\System32\ZyCYOGM.exe
  2⤵
  PID:4672
- C:\Windows\System32\JhbSsJU.exe
  C:\Windows\System32\JhbSsJU.exe
  2⤵
  PID:1556
- C:\Windows\System32\DEyPbeT.exe
  C:\Windows\System32\DEyPbeT.exe
  2⤵
  PID:5520
- C:\Windows\System32\MMZszne.exe
  C:\Windows\System32\MMZszne.exe
  2⤵
  PID:5580
- C:\Windows\System32\bEsXXRd.exe
  C:\Windows\System32\bEsXXRd.exe
  2⤵
  PID:4924
- C:\Windows\System32\TgJqxkg.exe
  C:\Windows\System32\TgJqxkg.exe
  2⤵
  PID:3136
- C:\Windows\System32\pnPobxW.exe
  C:\Windows\System32\pnPobxW.exe
  2⤵
  PID:2000
- C:\Windows\System32\YfJJGDS.exe
  C:\Windows\System32\YfJJGDS.exe
  2⤵
  PID:2116
- C:\Windows\System32\AQmjMmn.exe
  C:\Windows\System32\AQmjMmn.exe
  2⤵
  PID:3788
- C:\Windows\System32\dxYmKtS.exe
  C:\Windows\System32\dxYmKtS.exe
  2⤵
  PID:2812
- C:\Windows\System32\PrhoGHy.exe
  C:\Windows\System32\PrhoGHy.exe
  2⤵
  PID:6140
- C:\Windows\System32\xfkvAiu.exe
  C:\Windows\System32\xfkvAiu.exe
  2⤵
  PID:2420
- C:\Windows\System32\BZZOHUN.exe
  C:\Windows\System32\BZZOHUN.exe
  2⤵
  PID:1788
- C:\Windows\System32\hweokJE.exe
  C:\Windows\System32\hweokJE.exe
  2⤵
  PID:5488
- C:\Windows\System32\zcKMQqs.exe
  C:\Windows\System32\zcKMQqs.exe
  2⤵
  PID:1760
- C:\Windows\System32\nkJwcPd.exe
  C:\Windows\System32\nkJwcPd.exe
  2⤵
  PID:6156
- C:\Windows\System32\fOhWFxO.exe
  C:\Windows\System32\fOhWFxO.exe
  2⤵
  PID:6184
- C:\Windows\System32\YKOiAxX.exe
  C:\Windows\System32\YKOiAxX.exe
  2⤵
  PID:6208
- C:\Windows\System32\NIPYClz.exe
  C:\Windows\System32\NIPYClz.exe
  2⤵
  PID:6232
- C:\Windows\System32\srORYQr.exe
  C:\Windows\System32\srORYQr.exe
  2⤵
  PID:6252
- C:\Windows\System32\YOUmXhF.exe
  C:\Windows\System32\YOUmXhF.exe
  2⤵
  PID:6268
- C:\Windows\System32\NMbIxGu.exe
  C:\Windows\System32\NMbIxGu.exe
  2⤵
  PID:6348
- C:\Windows\System32\LwHtbhh.exe
  C:\Windows\System32\LwHtbhh.exe
  2⤵
  PID:6376
- C:\Windows\System32\prltcjt.exe
  C:\Windows\System32\prltcjt.exe
  2⤵
  PID:6396
- C:\Windows\System32\MLpugbk.exe
  C:\Windows\System32\MLpugbk.exe
  2⤵
  PID:6420
- C:\Windows\System32\oenVDsx.exe
  C:\Windows\System32\oenVDsx.exe
  2⤵
  PID:6436
- C:\Windows\System32\aVqxkey.exe
  C:\Windows\System32\aVqxkey.exe
  2⤵
  PID:6472
- C:\Windows\System32\lRGdCxg.exe
  C:\Windows\System32\lRGdCxg.exe
  2⤵
  PID:6508
- C:\Windows\System32\JCrtytq.exe
  C:\Windows\System32\JCrtytq.exe
  2⤵
  PID:6536
- C:\Windows\System32\Wohgimq.exe
  C:\Windows\System32\Wohgimq.exe
  2⤵
  PID:6556
- C:\Windows\System32\xgreWvh.exe
  C:\Windows\System32\xgreWvh.exe
  2⤵
  PID:6592
- C:\Windows\System32\fUDmYjX.exe
  C:\Windows\System32\fUDmYjX.exe
  2⤵
  PID:6620
- C:\Windows\System32\DTKMKcn.exe
  C:\Windows\System32\DTKMKcn.exe
  2⤵
  PID:6660
- C:\Windows\System32\yeIENeI.exe
  C:\Windows\System32\yeIENeI.exe
  2⤵
  PID:6680
- C:\Windows\System32\kygXUzk.exe
  C:\Windows\System32\kygXUzk.exe
  2⤵
  PID:6712
- C:\Windows\System32\dicHVxy.exe
  C:\Windows\System32\dicHVxy.exe
  2⤵
  PID:6736
- C:\Windows\System32\gUOrtVP.exe
  C:\Windows\System32\gUOrtVP.exe
  2⤵
  PID:6772
- C:\Windows\System32\FEDITjB.exe
  C:\Windows\System32\FEDITjB.exe
  2⤵
  PID:6800
- C:\Windows\System32\qAbZckR.exe
  C:\Windows\System32\qAbZckR.exe
  2⤵
  PID:6820
- C:\Windows\System32\XvFxSCy.exe
  C:\Windows\System32\XvFxSCy.exe
  2⤵
  PID:6836
- C:\Windows\System32\KemlzKP.exe
  C:\Windows\System32\KemlzKP.exe
  2⤵
  PID:6884
- C:\Windows\System32\iporCPW.exe
  C:\Windows\System32\iporCPW.exe
  2⤵
  PID:6908
- C:\Windows\System32\yBmqjlM.exe
  C:\Windows\System32\yBmqjlM.exe
  2⤵
  PID:6940
- C:\Windows\System32\QlXQaml.exe
  C:\Windows\System32\QlXQaml.exe
  2⤵
  PID:6964
- C:\Windows\System32\eQxjxdf.exe
  C:\Windows\System32\eQxjxdf.exe
  2⤵
  PID:6980
- C:\Windows\System32\ucYCnwg.exe
  C:\Windows\System32\ucYCnwg.exe
  2⤵
  PID:7032
- C:\Windows\System32\QKRDZNA.exe
  C:\Windows\System32\QKRDZNA.exe
  2⤵
  PID:7048
- C:\Windows\System32\unKEcuR.exe
  C:\Windows\System32\unKEcuR.exe
  2⤵
  PID:7068
- C:\Windows\System32\ngNDcZd.exe
  C:\Windows\System32\ngNDcZd.exe
  2⤵
  PID:7088
- C:\Windows\System32\GckWSzM.exe
  C:\Windows\System32\GckWSzM.exe
  2⤵
  PID:7144
- C:\Windows\System32\stbrKGN.exe
  C:\Windows\System32\stbrKGN.exe
  2⤵
  PID:7164
- C:\Windows\System32\CvPrELW.exe
  C:\Windows\System32\CvPrELW.exe
  2⤵
  PID:6148
- C:\Windows\System32\UNvNBXk.exe
  C:\Windows\System32\UNvNBXk.exe
  2⤵
  PID:6264
- C:\Windows\System32\wgRRYtG.exe
  C:\Windows\System32\wgRRYtG.exe
  2⤵
  PID:6340
- C:\Windows\System32\YWTjROB.exe
  C:\Windows\System32\YWTjROB.exe
  2⤵
  PID:6360
- C:\Windows\System32\FNJbqpN.exe
  C:\Windows\System32\FNJbqpN.exe
  2⤵
  PID:6432
- C:\Windows\System32\MeHMXDh.exe
  C:\Windows\System32\MeHMXDh.exe
  2⤵
  PID:6444
- C:\Windows\System32\eGakKnA.exe
  C:\Windows\System32\eGakKnA.exe
  2⤵
  PID:6520
- C:\Windows\System32\OZkYEyW.exe
  C:\Windows\System32\OZkYEyW.exe
  2⤵
  PID:6552
- C:\Windows\System32\SPlQmlK.exe
  C:\Windows\System32\SPlQmlK.exe
  2⤵
  PID:6672
- C:\Windows\System32\BZsvQqw.exe
  C:\Windows\System32\BZsvQqw.exe
  2⤵
  PID:6728
- C:\Windows\System32\CiLnxGZ.exe
  C:\Windows\System32\CiLnxGZ.exe
  2⤵
  PID:6760
- C:\Windows\System32\MZdpqwQ.exe
  C:\Windows\System32\MZdpqwQ.exe
  2⤵
  PID:6832
- C:\Windows\System32\hKjZEdH.exe
  C:\Windows\System32\hKjZEdH.exe
  2⤵
  PID:6936
- C:\Windows\System32\eFyEigP.exe
  C:\Windows\System32\eFyEigP.exe
  2⤵
  PID:7012
- C:\Windows\System32\TTjRGAl.exe
  C:\Windows\System32\TTjRGAl.exe
  2⤵
  PID:7056
- C:\Windows\System32\ZkvmYtI.exe
  C:\Windows\System32\ZkvmYtI.exe
  2⤵
  PID:7156
- C:\Windows\System32\AhNGQbw.exe
  C:\Windows\System32\AhNGQbw.exe
  2⤵
  PID:6248
- C:\Windows\System32\eMqhCIy.exe
  C:\Windows\System32\eMqhCIy.exe
  2⤵
  PID:6260
- C:\Windows\System32\aQBnecT.exe
  C:\Windows\System32\aQBnecT.exe
  2⤵
  PID:6392
- C:\Windows\System32\wmRAfVm.exe
  C:\Windows\System32\wmRAfVm.exe
  2⤵
  PID:6588
- C:\Windows\System32\YEfePof.exe
  C:\Windows\System32\YEfePof.exe
  2⤵
  PID:6720
- C:\Windows\System32\PUCGMKi.exe
  C:\Windows\System32\PUCGMKi.exe
  2⤵
  PID:6808
- C:\Windows\System32\wcaCeSr.exe
  C:\Windows\System32\wcaCeSr.exe
  2⤵
  PID:6988
- C:\Windows\System32\pREAkwn.exe
  C:\Windows\System32\pREAkwn.exe
  2⤵
  PID:7096
- C:\Windows\System32\PhixxYq.exe
  C:\Windows\System32\PhixxYq.exe
  2⤵
  PID:5972
- C:\Windows\System32\YuqNCZF.exe
  C:\Windows\System32\YuqNCZF.exe
  2⤵
  PID:6504
- C:\Windows\System32\FrMWyRt.exe
  C:\Windows\System32\FrMWyRt.exe
  2⤵
  PID:7152
- C:\Windows\System32\BWQEEnj.exe
  C:\Windows\System32\BWQEEnj.exe
  2⤵
  PID:7192
- C:\Windows\System32\cIuvwFA.exe
  C:\Windows\System32\cIuvwFA.exe
  2⤵
  PID:7236
- C:\Windows\System32\pRgdgrr.exe
  C:\Windows\System32\pRgdgrr.exe
  2⤵
  PID:7272
- C:\Windows\System32\swgjywE.exe
  C:\Windows\System32\swgjywE.exe
  2⤵
  PID:7296
- C:\Windows\System32\xBpkuND.exe
  C:\Windows\System32\xBpkuND.exe
  2⤵
  PID:7316
- C:\Windows\System32\YZJwwOc.exe
  C:\Windows\System32\YZJwwOc.exe
  2⤵
  PID:7356
- C:\Windows\System32\gAihEom.exe
  C:\Windows\System32\gAihEom.exe
  2⤵
  PID:7380
- C:\Windows\System32\LyxqKhJ.exe
  C:\Windows\System32\LyxqKhJ.exe
  2⤵
  PID:7404
- C:\Windows\System32\WwKnyAV.exe
  C:\Windows\System32\WwKnyAV.exe
  2⤵
  PID:7428
- C:\Windows\System32\NfGIjsc.exe
  C:\Windows\System32\NfGIjsc.exe
  2⤵
  PID:7452
- C:\Windows\System32\mCEPyKw.exe
  C:\Windows\System32\mCEPyKw.exe
  2⤵
  PID:7468
- C:\Windows\System32\szdXyQB.exe
  C:\Windows\System32\szdXyQB.exe
  2⤵
  PID:7484
- C:\Windows\System32\txCeuxg.exe
  C:\Windows\System32\txCeuxg.exe
  2⤵
  PID:7508
- C:\Windows\System32\ohRpCpE.exe
  C:\Windows\System32\ohRpCpE.exe
  2⤵
  PID:7544
- C:\Windows\System32\IMnVDRg.exe
  C:\Windows\System32\IMnVDRg.exe
  2⤵
  PID:7584
- C:\Windows\System32\vkJujbS.exe
  C:\Windows\System32\vkJujbS.exe
  2⤵
  PID:7632
- C:\Windows\System32\RWfBvLl.exe
  C:\Windows\System32\RWfBvLl.exe
  2⤵
  PID:7664
- C:\Windows\System32\QBUsvki.exe
  C:\Windows\System32\QBUsvki.exe
  2⤵
  PID:7680
- C:\Windows\System32\akUMJVy.exe
  C:\Windows\System32\akUMJVy.exe
  2⤵
  PID:7724
- C:\Windows\System32\iteSNPL.exe
  C:\Windows\System32\iteSNPL.exe
  2⤵
  PID:7748
- C:\Windows\System32\atSZrfO.exe
  C:\Windows\System32\atSZrfO.exe
  2⤵
  PID:7768
- C:\Windows\System32\GUpIJnf.exe
  C:\Windows\System32\GUpIJnf.exe
  2⤵
  PID:7808
- C:\Windows\System32\iKraLQB.exe
  C:\Windows\System32\iKraLQB.exe
  2⤵
  PID:7836
- C:\Windows\System32\aKmZGCX.exe
  C:\Windows\System32\aKmZGCX.exe
  2⤵
  PID:7860
- C:\Windows\System32\IVETPIu.exe
  C:\Windows\System32\IVETPIu.exe
  2⤵
  PID:7880
- C:\Windows\System32\vjjolQJ.exe
  C:\Windows\System32\vjjolQJ.exe
  2⤵
  PID:7908
- C:\Windows\System32\hySiAKP.exe
  C:\Windows\System32\hySiAKP.exe
  2⤵
  PID:7928
- C:\Windows\System32\YbtUeEE.exe
  C:\Windows\System32\YbtUeEE.exe
  2⤵
  PID:7956
- C:\Windows\System32\VBzekZp.exe
  C:\Windows\System32\VBzekZp.exe
  2⤵
  PID:7972
- C:\Windows\System32\KSpjfHa.exe
  C:\Windows\System32\KSpjfHa.exe
  2⤵
  PID:8000
- C:\Windows\System32\iyslugC.exe
  C:\Windows\System32\iyslugC.exe
  2⤵
  PID:8036
- C:\Windows\System32\aDvaKgK.exe
  C:\Windows\System32\aDvaKgK.exe
  2⤵
  PID:8064
- C:\Windows\System32\slpuXXO.exe
  C:\Windows\System32\slpuXXO.exe
  2⤵
  PID:8100
- C:\Windows\System32\ahSnXuU.exe
  C:\Windows\System32\ahSnXuU.exe
  2⤵
  PID:8124
- C:\Windows\System32\CRXmaWS.exe
  C:\Windows\System32\CRXmaWS.exe
  2⤵
  PID:8148
- C:\Windows\System32\fipPGIH.exe
  C:\Windows\System32\fipPGIH.exe
  2⤵
  PID:8168
- C:\Windows\System32\zOOiQDj.exe
  C:\Windows\System32\zOOiQDj.exe
  2⤵
  PID:6724
- C:\Windows\System32\WuQVSDZ.exe
  C:\Windows\System32\WuQVSDZ.exe
  2⤵
  PID:7256
- C:\Windows\System32\fBBWKmJ.exe
  C:\Windows\System32\fBBWKmJ.exe
  2⤵
  PID:7312
- C:\Windows\System32\joebgCd.exe
  C:\Windows\System32\joebgCd.exe
  2⤵
  PID:7388
- C:\Windows\System32\aWqOLJV.exe
  C:\Windows\System32\aWqOLJV.exe
  2⤵
  PID:7444
- C:\Windows\System32\EcnkmDd.exe
  C:\Windows\System32\EcnkmDd.exe
  2⤵
  PID:7464
- C:\Windows\System32\DxLstXP.exe
  C:\Windows\System32\DxLstXP.exe
  2⤵
  PID:7572
- C:\Windows\System32\VmgCRjx.exe
  C:\Windows\System32\VmgCRjx.exe
  2⤵
  PID:7644
- C:\Windows\System32\DrntFYQ.exe
  C:\Windows\System32\DrntFYQ.exe
  2⤵
  PID:7708
- C:\Windows\System32\ImMRTRe.exe
  C:\Windows\System32\ImMRTRe.exe
  2⤵
  PID:7100
- C:\Windows\System32\BUeObsd.exe
  C:\Windows\System32\BUeObsd.exe
  2⤵
  PID:7820
- C:\Windows\System32\DSQzEUW.exe
  C:\Windows\System32\DSQzEUW.exe
  2⤵
  PID:7892
- C:\Windows\System32\FbTDhSP.exe
  C:\Windows\System32\FbTDhSP.exe
  2⤵
  PID:7980
- C:\Windows\System32\dsHrFFA.exe
  C:\Windows\System32\dsHrFFA.exe
  2⤵
  PID:8008
- C:\Windows\System32\jMvlkbQ.exe
  C:\Windows\System32\jMvlkbQ.exe
  2⤵
  PID:8024
- C:\Windows\System32\gDzLwkv.exe
  C:\Windows\System32\gDzLwkv.exe
  2⤵
  PID:8144
- C:\Windows\System32\nrBrwxn.exe
  C:\Windows\System32\nrBrwxn.exe
  2⤵
  PID:8164
- C:\Windows\System32\rAwDCrM.exe
  C:\Windows\System32\rAwDCrM.exe
  2⤵
  PID:7208
- C:\Windows\System32\AlOiwcI.exe
  C:\Windows\System32\AlOiwcI.exe
  2⤵
  PID:7492
- C:\Windows\System32\CnSNYCZ.exe
  C:\Windows\System32\CnSNYCZ.exe
  2⤵
  PID:7688
- C:\Windows\System32\wJnrqBv.exe
  C:\Windows\System32\wJnrqBv.exe
  2⤵
  PID:7804
- C:\Windows\System32\YQWPXOL.exe
  C:\Windows\System32\YQWPXOL.exe
  2⤵
  PID:7868
- C:\Windows\System32\roDyyLz.exe
  C:\Windows\System32\roDyyLz.exe
  2⤵
  PID:7996
- C:\Windows\System32\iZvguiJ.exe
  C:\Windows\System32\iZvguiJ.exe
  2⤵
  PID:8120
- C:\Windows\System32\GOXoYvL.exe
  C:\Windows\System32\GOXoYvL.exe
  2⤵
  PID:7460
- C:\Windows\System32\kEAmDAI.exe
  C:\Windows\System32\kEAmDAI.exe
  2⤵
  PID:8080
- C:\Windows\System32\VlLLNKK.exe
  C:\Windows\System32\VlLLNKK.exe
  2⤵
  PID:8188
- C:\Windows\System32\oZkoiiQ.exe
  C:\Windows\System32\oZkoiiQ.exe
  2⤵
  PID:7764
- C:\Windows\System32\OWKKBzo.exe
  C:\Windows\System32\OWKKBzo.exe
  2⤵
  PID:8208
- C:\Windows\System32\CBEqjEX.exe
  C:\Windows\System32\CBEqjEX.exe
  2⤵
  PID:8256
- C:\Windows\System32\ivhJJfP.exe
  C:\Windows\System32\ivhJJfP.exe
  2⤵
  PID:8284
- C:\Windows\System32\qvOMUPW.exe
  C:\Windows\System32\qvOMUPW.exe
  2⤵
  PID:8308
- C:\Windows\System32\IBVsRXT.exe
  C:\Windows\System32\IBVsRXT.exe
  2⤵
  PID:8328
- C:\Windows\System32\lSMlLcm.exe
  C:\Windows\System32\lSMlLcm.exe
  2⤵
  PID:8348
- C:\Windows\System32\icsUSiH.exe
  C:\Windows\System32\icsUSiH.exe
  2⤵
  PID:8376
- C:\Windows\System32\EDNZpJw.exe
  C:\Windows\System32\EDNZpJw.exe
  2⤵
  PID:8412
- C:\Windows\System32\omAgVet.exe
  C:\Windows\System32\omAgVet.exe
  2⤵
  PID:8436
- C:\Windows\System32\MCUfoiC.exe
  C:\Windows\System32\MCUfoiC.exe
  2⤵
  PID:8460
- C:\Windows\System32\pRMZRPb.exe
  C:\Windows\System32\pRMZRPb.exe
  2⤵
  PID:8496
- C:\Windows\System32\qSzvaHL.exe
  C:\Windows\System32\qSzvaHL.exe
  2⤵
  PID:8516
- C:\Windows\System32\dEcPSaZ.exe
  C:\Windows\System32\dEcPSaZ.exe
  2⤵
  PID:8544
- C:\Windows\System32\xbEbrNx.exe
  C:\Windows\System32\xbEbrNx.exe
  2⤵
  PID:8588
- C:\Windows\System32\xUrfcgn.exe
  C:\Windows\System32\xUrfcgn.exe
  2⤵
  PID:8612
- C:\Windows\System32\PoqMXGJ.exe
  C:\Windows\System32\PoqMXGJ.exe
  2⤵
  PID:8636
- C:\Windows\System32\YFaWsjS.exe
  C:\Windows\System32\YFaWsjS.exe
  2⤵
  PID:8668
- C:\Windows\System32\WxbSPcz.exe
  C:\Windows\System32\WxbSPcz.exe
  2⤵
  PID:8700
- C:\Windows\System32\RZzBXnr.exe
  C:\Windows\System32\RZzBXnr.exe
  2⤵
  PID:8744
- C:\Windows\System32\ktvnBhM.exe
  C:\Windows\System32\ktvnBhM.exe
  2⤵
  PID:8768
- C:\Windows\System32\EdUkjsT.exe
  C:\Windows\System32\EdUkjsT.exe
  2⤵
  PID:8792
- C:\Windows\System32\mgOwRRN.exe
  C:\Windows\System32\mgOwRRN.exe
  2⤵
  PID:8812
- C:\Windows\System32\jXPYFLY.exe
  C:\Windows\System32\jXPYFLY.exe
  2⤵
  PID:8848
- C:\Windows\System32\IDmboWQ.exe
  C:\Windows\System32\IDmboWQ.exe
  2⤵
  PID:8868
- C:\Windows\System32\MrhfXEk.exe
  C:\Windows\System32\MrhfXEk.exe
  2⤵
  PID:8908
- C:\Windows\System32\MniHavS.exe
  C:\Windows\System32\MniHavS.exe
  2⤵
  PID:9000
- C:\Windows\System32\NWEYacG.exe
  C:\Windows\System32\NWEYacG.exe
  2⤵
  PID:9016
- C:\Windows\System32\FzODXof.exe
  C:\Windows\System32\FzODXof.exe
  2⤵
  PID:9032
- C:\Windows\System32\NhBibGJ.exe
  C:\Windows\System32\NhBibGJ.exe
  2⤵
  PID:9052
- C:\Windows\System32\ekeRlLQ.exe
  C:\Windows\System32\ekeRlLQ.exe
  2⤵
  PID:9068
- C:\Windows\System32\BqinLTm.exe
  C:\Windows\System32\BqinLTm.exe
  2⤵
  PID:9084
- C:\Windows\System32\VJjfDin.exe
  C:\Windows\System32\VJjfDin.exe
  2⤵
  PID:9100
- C:\Windows\System32\mqwIuZx.exe
  C:\Windows\System32\mqwIuZx.exe
  2⤵
  PID:9116
- C:\Windows\System32\BjWLoEK.exe
  C:\Windows\System32\BjWLoEK.exe
  2⤵
  PID:9132
- C:\Windows\System32\hhfStJq.exe
  C:\Windows\System32\hhfStJq.exe
  2⤵
  PID:9152
- C:\Windows\System32\SCUbuNE.exe
  C:\Windows\System32\SCUbuNE.exe
  2⤵
  PID:9168
- C:\Windows\System32\buygUtI.exe
  C:\Windows\System32\buygUtI.exe
  2⤵
  PID:9184
- C:\Windows\System32\ZzgiInR.exe
  C:\Windows\System32\ZzgiInR.exe
  2⤵
  PID:9200
- C:\Windows\System32\ZYOasED.exe
  C:\Windows\System32\ZYOasED.exe
  2⤵
  PID:7480
- C:\Windows\System32\OHYjehb.exe
  C:\Windows\System32\OHYjehb.exe
  2⤵
  PID:8216
- C:\Windows\System32\LvbQSfm.exe
  C:\Windows\System32\LvbQSfm.exe
  2⤵
  PID:8300
- C:\Windows\System32\UndeUZF.exe
  C:\Windows\System32\UndeUZF.exe
  2⤵
  PID:8392
- C:\Windows\System32\tzsUiwr.exe
  C:\Windows\System32\tzsUiwr.exe
  2⤵
  PID:8484
- C:\Windows\System32\KwWgAOP.exe
  C:\Windows\System32\KwWgAOP.exe
  2⤵
  PID:8860
- C:\Windows\System32\BQUjxgY.exe
  C:\Windows\System32\BQUjxgY.exe
  2⤵
  PID:8952
- C:\Windows\System32\wLGUzoH.exe
  C:\Windows\System32\wLGUzoH.exe
  2⤵
  PID:8972
- C:\Windows\System32\bpgYOtz.exe
  C:\Windows\System32\bpgYOtz.exe
  2⤵
  PID:8340
- C:\Windows\System32\chRsgov.exe
  C:\Windows\System32\chRsgov.exe
  2⤵
  PID:9064
- C:\Windows\System32\hLgAoYP.exe
  C:\Windows\System32\hLgAoYP.exe
  2⤵
  PID:9148
- C:\Windows\System32\EfISloF.exe
  C:\Windows\System32\EfISloF.exe
  2⤵
  PID:8204
- C:\Windows\System32\Vioydpd.exe
  C:\Windows\System32\Vioydpd.exe
  2⤵
  PID:8280
- C:\Windows\System32\mISHPuS.exe
  C:\Windows\System32\mISHPuS.exe
  2⤵
  PID:9008
- C:\Windows\System32\mecsBjy.exe
  C:\Windows\System32\mecsBjy.exe
  2⤵
  PID:9208
- C:\Windows\System32\XgGugTs.exe
  C:\Windows\System32\XgGugTs.exe
  2⤵
  PID:9144
- C:\Windows\System32\YwGBnHY.exe
  C:\Windows\System32\YwGBnHY.exe
  2⤵
  PID:8884
- C:\Windows\System32\lCRXRem.exe
  C:\Windows\System32\lCRXRem.exe
  2⤵
  PID:8988
- C:\Windows\System32\oTrsqMS.exe
  C:\Windows\System32\oTrsqMS.exe
  2⤵
  PID:8980
- C:\Windows\System32\JEdtRmu.exe
  C:\Windows\System32\JEdtRmu.exe
  2⤵
  PID:9044
- C:\Windows\System32\TfNuCJD.exe
  C:\Windows\System32\TfNuCJD.exe
  2⤵
  PID:9012
- C:\Windows\System32\GwjRPeg.exe
  C:\Windows\System32\GwjRPeg.exe
  2⤵
  PID:8824
- C:\Windows\System32\cIIduru.exe
  C:\Windows\System32\cIIduru.exe
  2⤵
  PID:8528
- C:\Windows\System32\HBAJFVa.exe
  C:\Windows\System32\HBAJFVa.exe
  2⤵
  PID:9112
- C:\Windows\System32\xNyAwjt.exe
  C:\Windows\System32\xNyAwjt.exe
  2⤵
  PID:8896
- C:\Windows\System32\UXFHsdb.exe
  C:\Windows\System32\UXFHsdb.exe
  2⤵
  PID:9076
- C:\Windows\System32\hnGTKyW.exe
  C:\Windows\System32\hnGTKyW.exe
  2⤵
  PID:9228
- C:\Windows\System32\gNnivMY.exe
  C:\Windows\System32\gNnivMY.exe
  2⤵
  PID:9296
- C:\Windows\System32\vqfKUZz.exe
  C:\Windows\System32\vqfKUZz.exe
  2⤵
  PID:9316
- C:\Windows\System32\TszHzqp.exe
  C:\Windows\System32\TszHzqp.exe
  2⤵
  PID:9340
- C:\Windows\System32\XlRmCyB.exe
  C:\Windows\System32\XlRmCyB.exe
  2⤵
  PID:9360
- C:\Windows\System32\psCxPBQ.exe
  C:\Windows\System32\psCxPBQ.exe
  2⤵
  PID:9392
- C:\Windows\System32\rdcpTQG.exe
  C:\Windows\System32\rdcpTQG.exe
  2⤵
  PID:9420
- C:\Windows\System32\mkhoKnC.exe
  C:\Windows\System32\mkhoKnC.exe
  2⤵
  PID:9444
- C:\Windows\System32\fyhbzUv.exe
  C:\Windows\System32\fyhbzUv.exe
  2⤵
  PID:9488
- C:\Windows\System32\Edzffhq.exe
  C:\Windows\System32\Edzffhq.exe
  2⤵
  PID:9512
- C:\Windows\System32\YDWYLtl.exe
  C:\Windows\System32\YDWYLtl.exe
  2⤵
  PID:9540
- C:\Windows\System32\aToNxie.exe
  C:\Windows\System32\aToNxie.exe
  2⤵
  PID:9556
- C:\Windows\System32\BPjdpxB.exe
  C:\Windows\System32\BPjdpxB.exe
  2⤵
  PID:9576
- C:\Windows\System32\xqFIUcb.exe
  C:\Windows\System32\xqFIUcb.exe
  2⤵
  PID:9600
- C:\Windows\System32\AWDISyw.exe
  C:\Windows\System32\AWDISyw.exe
  2⤵
  PID:9620
- C:\Windows\System32\IjcfIeg.exe
  C:\Windows\System32\IjcfIeg.exe
  2⤵
  PID:9648
- C:\Windows\System32\cFkmZiM.exe
  C:\Windows\System32\cFkmZiM.exe
  2⤵
  PID:9684
- C:\Windows\System32\ExOlytX.exe
  C:\Windows\System32\ExOlytX.exe
  2⤵
  PID:9724
- C:\Windows\System32\VZjDWDX.exe
  C:\Windows\System32\VZjDWDX.exe
  2⤵
  PID:9768
- C:\Windows\System32\zwkTJld.exe
  C:\Windows\System32\zwkTJld.exe
  2⤵
  PID:9784
- C:\Windows\System32\XoEbyfA.exe
  C:\Windows\System32\XoEbyfA.exe
  2⤵
  PID:9800
- C:\Windows\System32\bVOHpaY.exe
  C:\Windows\System32\bVOHpaY.exe
  2⤵
  PID:9828
- C:\Windows\System32\ygHpQKI.exe
  C:\Windows\System32\ygHpQKI.exe
  2⤵
  PID:9864
- C:\Windows\System32\ZgHGnJl.exe
  C:\Windows\System32\ZgHGnJl.exe
  2⤵
  PID:9912
- C:\Windows\System32\OQpqTvb.exe
  C:\Windows\System32\OQpqTvb.exe
  2⤵
  PID:9940
- C:\Windows\System32\MfjokQz.exe
  C:\Windows\System32\MfjokQz.exe
  2⤵
  PID:9960
- C:\Windows\System32\otCTLXQ.exe
  C:\Windows\System32\otCTLXQ.exe
  2⤵
  PID:9984
- C:\Windows\System32\cwFCHkH.exe
  C:\Windows\System32\cwFCHkH.exe
  2⤵
  PID:10004
- C:\Windows\System32\lwEUcKk.exe
  C:\Windows\System32\lwEUcKk.exe
  2⤵
  PID:10032
- C:\Windows\System32\YzOmXAb.exe
  C:\Windows\System32\YzOmXAb.exe
  2⤵
  PID:10068
- C:\Windows\System32\FbfmAaz.exe
  C:\Windows\System32\FbfmAaz.exe
  2⤵
  PID:10100
- C:\Windows\System32\NbFUmmX.exe
  C:\Windows\System32\NbFUmmX.exe
  2⤵
  PID:10116
- C:\Windows\System32\OcytZuS.exe
  C:\Windows\System32\OcytZuS.exe
  2⤵
  PID:10136
- C:\Windows\System32\VRofrsE.exe
  C:\Windows\System32\VRofrsE.exe
  2⤵
  PID:10168
- C:\Windows\System32\RVLrgBx.exe
  C:\Windows\System32\RVLrgBx.exe
  2⤵
  PID:10220
- C:\Windows\System32\owuJGia.exe
  C:\Windows\System32\owuJGia.exe
  2⤵
  PID:9164
- C:\Windows\System32\CaPQiFw.exe
  C:\Windows\System32\CaPQiFw.exe
  2⤵
  PID:9140
- C:\Windows\System32\CmUFKCL.exe
  C:\Windows\System32\CmUFKCL.exe
  2⤵
  PID:9272
- C:\Windows\System32\QUeAROD.exe
  C:\Windows\System32\QUeAROD.exe
  2⤵
  PID:9356
- C:\Windows\System32\mSfuuuM.exe
  C:\Windows\System32\mSfuuuM.exe
  2⤵
  PID:9416
- C:\Windows\System32\ddQJllZ.exe
  C:\Windows\System32\ddQJllZ.exe
  2⤵
  PID:9524
- C:\Windows\System32\HiZIFeL.exe
  C:\Windows\System32\HiZIFeL.exe
  2⤵
  PID:9548
- C:\Windows\System32\MFmoYLP.exe
  C:\Windows\System32\MFmoYLP.exe
  2⤵
  PID:9616
- C:\Windows\System32\mQCAwdS.exe
  C:\Windows\System32\mQCAwdS.exe
  2⤵
  PID:9664
- C:\Windows\System32\fVJZuhI.exe
  C:\Windows\System32\fVJZuhI.exe
  2⤵
  PID:9712
- C:\Windows\System32\bdXzIMu.exe
  C:\Windows\System32\bdXzIMu.exe
  2⤵
  PID:9776
- C:\Windows\System32\bkYoWNu.exe
  C:\Windows\System32\bkYoWNu.exe
  2⤵
  PID:9896
- C:\Windows\System32\FIgaLxn.exe
  C:\Windows\System32\FIgaLxn.exe
  2⤵
  PID:9928
- C:\Windows\System32\GsbnvNj.exe
  C:\Windows\System32\GsbnvNj.exe
  2⤵
  PID:9972
- C:\Windows\System32\wgKJjTx.exe
  C:\Windows\System32\wgKJjTx.exe
  2⤵
  PID:9996
- C:\Windows\System32\qYTQzEh.exe
  C:\Windows\System32\qYTQzEh.exe
  2⤵
  PID:10040
- C:\Windows\System32\bjUOFdG.exe
  C:\Windows\System32\bjUOFdG.exe
  2⤵
  PID:10128
- C:\Windows\System32\YNgBZCY.exe
  C:\Windows\System32\YNgBZCY.exe
  2⤵
  PID:10200
- C:\Windows\System32\djUoGiS.exe
  C:\Windows\System32\djUoGiS.exe
  2⤵
  PID:9224
- C:\Windows\System32\mwFjpho.exe
  C:\Windows\System32\mwFjpho.exe
  2⤵
  PID:9312
- C:\Windows\System32\dpcCUTC.exe
  C:\Windows\System32\dpcCUTC.exe
  2⤵
  PID:9376
- C:\Windows\System32\xuStqTm.exe
  C:\Windows\System32\xuStqTm.exe
  2⤵
  PID:9668
- C:\Windows\System32\mkKvdMc.exe
  C:\Windows\System32\mkKvdMc.exe
  2⤵
  PID:9796
- C:\Windows\System32\GSoDoGD.exe
  C:\Windows\System32\GSoDoGD.exe
  2⤵
  PID:9920
- C:\Windows\System32\PEiRPOV.exe
  C:\Windows\System32\PEiRPOV.exe
  2⤵
  PID:2488
- C:\Windows\System32\yJNKWht.exe
  C:\Windows\System32\yJNKWht.exe
  2⤵
  PID:10112
- C:\Windows\System32\MTQHbkS.exe
  C:\Windows\System32\MTQHbkS.exe
  2⤵
  PID:10208
- C:\Windows\System32\iPMTHXU.exe
  C:\Windows\System32\iPMTHXU.exe
  2⤵
  PID:9456
- C:\Windows\System32\IVDDFJh.exe
  C:\Windows\System32\IVDDFJh.exe
  2⤵
  PID:920
- C:\Windows\System32\zuWHfBp.exe
  C:\Windows\System32\zuWHfBp.exe
  2⤵
  PID:10088
- C:\Windows\System32\GZQOFup.exe
  C:\Windows\System32\GZQOFup.exe
  2⤵
  PID:10236
- C:\Windows\System32\lHqjpgu.exe
  C:\Windows\System32\lHqjpgu.exe
  2⤵
  PID:9948
- C:\Windows\System32\VrDJRIy.exe
  C:\Windows\System32\VrDJRIy.exe
  2⤵
  PID:10264
- C:\Windows\System32\DNXfOTb.exe
  C:\Windows\System32\DNXfOTb.exe
  2⤵
  PID:10292
- C:\Windows\System32\vHXXYqd.exe
  C:\Windows\System32\vHXXYqd.exe
  2⤵
  PID:10308
- C:\Windows\System32\toAwdNW.exe
  C:\Windows\System32\toAwdNW.exe
  2⤵
  PID:10336
- C:\Windows\System32\zhHcKWr.exe
  C:\Windows\System32\zhHcKWr.exe
  2⤵
  PID:10356
- C:\Windows\System32\dUlBequ.exe
  C:\Windows\System32\dUlBequ.exe
  2⤵
  PID:10376
- C:\Windows\System32\LzPExum.exe
  C:\Windows\System32\LzPExum.exe
  2⤵
  PID:10420
- C:\Windows\System32\nRAmSgW.exe
  C:\Windows\System32\nRAmSgW.exe
  2⤵
  PID:10444
- C:\Windows\System32\tGEntdR.exe
  C:\Windows\System32\tGEntdR.exe
  2⤵
  PID:10484
- C:\Windows\System32\sCHAOdx.exe
  C:\Windows\System32\sCHAOdx.exe
  2⤵
  PID:10516
- C:\Windows\System32\SLyscXt.exe
  C:\Windows\System32\SLyscXt.exe
  2⤵
  PID:10540
- C:\Windows\System32\tiBkfxe.exe
  C:\Windows\System32\tiBkfxe.exe
  2⤵
  PID:10560
- C:\Windows\System32\JyrXQYt.exe
  C:\Windows\System32\JyrXQYt.exe
  2⤵
  PID:10596
- C:\Windows\System32\nYRQSxw.exe
  C:\Windows\System32\nYRQSxw.exe
  2⤵
  PID:10624
- C:\Windows\System32\KdvxHvH.exe
  C:\Windows\System32\KdvxHvH.exe
  2⤵
  PID:10644
- C:\Windows\System32\BMkxEVj.exe
  C:\Windows\System32\BMkxEVj.exe
  2⤵
  PID:10668
- C:\Windows\System32\tMgtWNI.exe
  C:\Windows\System32\tMgtWNI.exe
  2⤵
  PID:10688
- C:\Windows\System32\CmlPrXL.exe
  C:\Windows\System32\CmlPrXL.exe
  2⤵
  PID:10716
- C:\Windows\System32\CsUMdTx.exe
  C:\Windows\System32\CsUMdTx.exe
  2⤵
  PID:10732
- C:\Windows\System32\vchoKdF.exe
  C:\Windows\System32\vchoKdF.exe
  2⤵
  PID:10804
- C:\Windows\System32\roNZdAR.exe
  C:\Windows\System32\roNZdAR.exe
  2⤵
  PID:10832
- C:\Windows\System32\nlsMHZj.exe
  C:\Windows\System32\nlsMHZj.exe
  2⤵
  PID:10860
- C:\Windows\System32\FekgRvm.exe
  C:\Windows\System32\FekgRvm.exe
  2⤵
  PID:10876
- C:\Windows\System32\ooGqzlB.exe
  C:\Windows\System32\ooGqzlB.exe
  2⤵
  PID:10896
- C:\Windows\System32\NTwfgAk.exe
  C:\Windows\System32\NTwfgAk.exe
  2⤵
  PID:10924
- C:\Windows\System32\VqQFrOe.exe
  C:\Windows\System32\VqQFrOe.exe
  2⤵
  PID:10972
- C:\Windows\System32\kZqNEXH.exe
  C:\Windows\System32\kZqNEXH.exe
  2⤵
  PID:10988
- C:\Windows\System32\cqLNOAl.exe
  C:\Windows\System32\cqLNOAl.exe
  2⤵
  PID:11016
- C:\Windows\System32\RJTmYHH.exe
  C:\Windows\System32\RJTmYHH.exe
  2⤵
  PID:11044
- C:\Windows\System32\sTHolzg.exe
  C:\Windows\System32\sTHolzg.exe
  2⤵
  PID:11060
- C:\Windows\System32\NrrfFRU.exe
  C:\Windows\System32\NrrfFRU.exe
  2⤵
  PID:11092
- C:\Windows\System32\QhNFMjg.exe
  C:\Windows\System32\QhNFMjg.exe
  2⤵
  PID:11120
- C:\Windows\System32\HTsyvyt.exe
  C:\Windows\System32\HTsyvyt.exe
  2⤵
  PID:11136
- C:\Windows\System32\uJdgqvz.exe
  C:\Windows\System32\uJdgqvz.exe
  2⤵
  PID:11192
- C:\Windows\System32\BCDvcJR.exe
  C:\Windows\System32\BCDvcJR.exe
  2⤵
  PID:11220
- C:\Windows\System32\aCJxDnX.exe
  C:\Windows\System32\aCJxDnX.exe
  2⤵
  PID:11240
- C:\Windows\System32\eQUnEgR.exe
  C:\Windows\System32\eQUnEgR.exe
  2⤵
  PID:9536
- C:\Windows\System32\iSEcUXM.exe
  C:\Windows\System32\iSEcUXM.exe
  2⤵
  PID:10280
- C:\Windows\System32\PguXzUd.exe
  C:\Windows\System32\PguXzUd.exe
  2⤵
  PID:10324
- C:\Windows\System32\HXxiRQC.exe
  C:\Windows\System32\HXxiRQC.exe
  2⤵
  PID:10496
- C:\Windows\System32\LdqOQfz.exe
  C:\Windows\System32\LdqOQfz.exe
  2⤵
  PID:10512
- C:\Windows\System32\FKMQWpD.exe
  C:\Windows\System32\FKMQWpD.exe
  2⤵
  PID:10556
- C:\Windows\System32\fBvnliZ.exe
  C:\Windows\System32\fBvnliZ.exe
  2⤵
  PID:10640
- C:\Windows\System32\tIUHlND.exe
  C:\Windows\System32\tIUHlND.exe
  2⤵
  PID:3052
- C:\Windows\System32\uzDkwXe.exe
  C:\Windows\System32\uzDkwXe.exe
  2⤵
  PID:10680
- C:\Windows\System32\OsSxuOR.exe
  C:\Windows\System32\OsSxuOR.exe
  2⤵
  PID:10760
- C:\Windows\System32\wqVpLFZ.exe
  C:\Windows\System32\wqVpLFZ.exe
  2⤵
  PID:10844
- C:\Windows\System32\AiTvMQU.exe
  C:\Windows\System32\AiTvMQU.exe
  2⤵
  PID:10892
- C:\Windows\System32\acOULHz.exe
  C:\Windows\System32\acOULHz.exe
  2⤵
  PID:10984
- C:\Windows\System32\LzazPkd.exe
  C:\Windows\System32\LzazPkd.exe
  2⤵
  PID:11072
- C:\Windows\System32\eOMgopl.exe
  C:\Windows\System32\eOMgopl.exe
  2⤵
  PID:11132
- C:\Windows\System32\GqrAYwS.exe
  C:\Windows\System32\GqrAYwS.exe
  2⤵
  PID:11204
- C:\Windows\System32\AjtqJud.exe
  C:\Windows\System32\AjtqJud.exe
  2⤵
  PID:10048
- C:\Windows\System32\ceJMyqe.exe
  C:\Windows\System32\ceJMyqe.exe
  2⤵
  PID:10372
- C:\Windows\System32\OXRTzYp.exe
  C:\Windows\System32\OXRTzYp.exe
  2⤵
  PID:10452
- C:\Windows\System32\aVAsMou.exe
  C:\Windows\System32\aVAsMou.exe
  2⤵
  PID:10636
- C:\Windows\System32\fukTwdf.exe
  C:\Windows\System32\fukTwdf.exe
  2⤵
  PID:10704
- C:\Windows\System32\ItQEEtj.exe
  C:\Windows\System32\ItQEEtj.exe
  2⤵
  PID:10728
- C:\Windows\System32\fUHcssD.exe
  C:\Windows\System32\fUHcssD.exe
  2⤵
  PID:11000
- C:\Windows\System32\OPqIzTl.exe
  C:\Windows\System32\OPqIzTl.exe
  2⤵
  PID:11172
- C:\Windows\System32\gTWPXsG.exe
  C:\Windows\System32\gTWPXsG.exe
  2⤵
  PID:10304
- C:\Windows\System32\CrwCJEB.exe
  C:\Windows\System32\CrwCJEB.exe
  2⤵
  PID:10572
- C:\Windows\System32\UcRTCCp.exe
  C:\Windows\System32\UcRTCCp.exe
  2⤵
  PID:10792
- C:\Windows\System32\LVzNwpL.exe
  C:\Windows\System32\LVzNwpL.exe
  2⤵
  PID:11028
- C:\Windows\System32\pXyxXWT.exe
  C:\Windows\System32\pXyxXWT.exe
  2⤵
  PID:11268
- C:\Windows\System32\LwiCTps.exe
  C:\Windows\System32\LwiCTps.exe
  2⤵
  PID:11292
- C:\Windows\System32\bUzscby.exe
  C:\Windows\System32\bUzscby.exe
  2⤵
  PID:11316
- C:\Windows\System32\GlfbrLf.exe
  C:\Windows\System32\GlfbrLf.exe
  2⤵
  PID:11336
- C:\Windows\System32\dhaBfsn.exe
  C:\Windows\System32\dhaBfsn.exe
  2⤵
  PID:11364
- C:\Windows\System32\BjAxZoS.exe
  C:\Windows\System32\BjAxZoS.exe
  2⤵
  PID:11408
- C:\Windows\System32\vVlhghJ.exe
  C:\Windows\System32\vVlhghJ.exe
  2⤵
  PID:11432
- C:\Windows\System32\ijoCkCj.exe
  C:\Windows\System32\ijoCkCj.exe
  2⤵
  PID:11460
- C:\Windows\System32\tSTHlvm.exe
  C:\Windows\System32\tSTHlvm.exe
  2⤵
  PID:11496
- C:\Windows\System32\UVsHIrb.exe
  C:\Windows\System32\UVsHIrb.exe
  2⤵
  PID:11520
- C:\Windows\System32\aqKaGBO.exe
  C:\Windows\System32\aqKaGBO.exe
  2⤵
  PID:11548
- C:\Windows\System32\wTSeIWB.exe
  C:\Windows\System32\wTSeIWB.exe
  2⤵
  PID:11572
- C:\Windows\System32\OwEYivy.exe
  C:\Windows\System32\OwEYivy.exe
  2⤵
  PID:11600
- C:\Windows\System32\kMmJEcE.exe
  C:\Windows\System32\kMmJEcE.exe
  2⤵
  PID:11624
- C:\Windows\System32\IMBhKUi.exe
  C:\Windows\System32\IMBhKUi.exe
  2⤵
  PID:11644
- C:\Windows\System32\gMjcYwZ.exe
  C:\Windows\System32\gMjcYwZ.exe
  2⤵
  PID:11668
- C:\Windows\System32\VBvGeZw.exe
  C:\Windows\System32\VBvGeZw.exe
  2⤵
  PID:11724
- C:\Windows\System32\IkzTptm.exe
  C:\Windows\System32\IkzTptm.exe
  2⤵
  PID:11744
- C:\Windows\System32\UROoRQy.exe
  C:\Windows\System32\UROoRQy.exe
  2⤵
  PID:11788
- C:\Windows\System32\udLKRLn.exe
  C:\Windows\System32\udLKRLn.exe
  2⤵
  PID:11804
- C:\Windows\System32\JdYNRKX.exe
  C:\Windows\System32\JdYNRKX.exe
  2⤵
  PID:11828
- C:\Windows\System32\dtyEHog.exe
  C:\Windows\System32\dtyEHog.exe
  2⤵
  PID:11848
- C:\Windows\System32\WBPmIzl.exe
  C:\Windows\System32\WBPmIzl.exe
  2⤵
  PID:11864
- C:\Windows\System32\oubdwTV.exe
  C:\Windows\System32\oubdwTV.exe
  2⤵
  PID:11884
- C:\Windows\System32\wjmaVne.exe
  C:\Windows\System32\wjmaVne.exe
  2⤵
  PID:11944
- C:\Windows\System32\VZpwhBH.exe
  C:\Windows\System32\VZpwhBH.exe
  2⤵
  PID:11972
- C:\Windows\System32\KEULnXh.exe
  C:\Windows\System32\KEULnXh.exe
  2⤵
  PID:12004
- C:\Windows\System32\UmSOTes.exe
  C:\Windows\System32\UmSOTes.exe
  2⤵
  PID:12028
- C:\Windows\System32\pSrhfip.exe
  C:\Windows\System32\pSrhfip.exe
  2⤵
  PID:12056
- C:\Windows\System32\YdbhowW.exe
  C:\Windows\System32\YdbhowW.exe
  2⤵
  PID:12080
- C:\Windows\System32\xYrxgXU.exe
  C:\Windows\System32\xYrxgXU.exe
  2⤵
  PID:12100
- C:\Windows\System32\QkQnmXd.exe
  C:\Windows\System32\QkQnmXd.exe
  2⤵
  PID:12124
- C:\Windows\System32\Acgmbmh.exe
  C:\Windows\System32\Acgmbmh.exe
  2⤵
  PID:12148
- C:\Windows\System32\CpIdwWu.exe
  C:\Windows\System32\CpIdwWu.exe
  2⤵
  PID:12192
- C:\Windows\System32\eAcfrgl.exe
  C:\Windows\System32\eAcfrgl.exe
  2⤵
  PID:12212
- C:\Windows\System32\xFwtZId.exe
  C:\Windows\System32\xFwtZId.exe
  2⤵
  PID:12248
- C:\Windows\System32\ZGNANQB.exe
  C:\Windows\System32\ZGNANQB.exe
  2⤵
  PID:12280
- C:\Windows\System32\ZzPODUZ.exe
  C:\Windows\System32\ZzPODUZ.exe
  2⤵
  PID:11284
- C:\Windows\System32\vOczcDF.exe
  C:\Windows\System32\vOczcDF.exe
  2⤵
  PID:11304
- C:\Windows\System32\mdxgTOs.exe
  C:\Windows\System32\mdxgTOs.exe
  2⤵
  PID:11376
- C:\Windows\System32\zwJAkZY.exe
  C:\Windows\System32\zwJAkZY.exe
  2⤵
  PID:1336
- C:\Windows\System32\ruHMcdN.exe
  C:\Windows\System32\ruHMcdN.exe
  2⤵
  PID:11508
- C:\Windows\System32\yyKDywm.exe
  C:\Windows\System32\yyKDywm.exe
  2⤵
  PID:11564
- C:\Windows\System32\JejVRxg.exe
  C:\Windows\System32\JejVRxg.exe
  2⤵
  PID:11640
- C:\Windows\System32\TZUDDox.exe
  C:\Windows\System32\TZUDDox.exe
  2⤵
  PID:11688
- C:\Windows\System32\MUshyOg.exe
  C:\Windows\System32\MUshyOg.exe
  2⤵
  PID:11760
- C:\Windows\System32\kDtJtIj.exe
  C:\Windows\System32\kDtJtIj.exe
  2⤵
  PID:11872
- C:\Windows\System32\qHAujmK.exe
  C:\Windows\System32\qHAujmK.exe
  2⤵
  PID:11908
- C:\Windows\System32\PaWcmJC.exe
  C:\Windows\System32\PaWcmJC.exe
  2⤵
  PID:12044
- C:\Windows\System32\SdACHSZ.exe
  C:\Windows\System32\SdACHSZ.exe
  2⤵
  PID:12096
- C:\Windows\System32\FYjfnIN.exe
  C:\Windows\System32\FYjfnIN.exe
  2⤵
  PID:12160
- C:\Windows\System32\YikPTKl.exe
  C:\Windows\System32\YikPTKl.exe
  2⤵
  PID:12232
- C:\Windows\System32\EVnuoyU.exe
  C:\Windows\System32\EVnuoyU.exe
  2⤵
  PID:10256
- C:\Windows\System32\xtfZKYA.exe
  C:\Windows\System32\xtfZKYA.exe
  2⤵
  PID:11332
- C:\Windows\System32\vSsGzBS.exe
  C:\Windows\System32\vSsGzBS.exe
  2⤵
  PID:4540
- C:\Windows\System32\SLuqyzP.exe
  C:\Windows\System32\SLuqyzP.exe
  2⤵
  PID:11536
- C:\Windows\System32\tJaMFUN.exe
  C:\Windows\System32\tJaMFUN.exe
  2⤵
  PID:11680
- C:\Windows\System32\uxgjBSw.exe
  C:\Windows\System32\uxgjBSw.exe
  2⤵
  PID:11840
- C:\Windows\System32\oxtvLnJ.exe
  C:\Windows\System32\oxtvLnJ.exe
  2⤵
  PID:12068
- C:\Windows\System32\zUvJXzS.exe
  C:\Windows\System32\zUvJXzS.exe
  2⤵
  PID:12184
- C:\Windows\System32\soqIIYy.exe
  C:\Windows\System32\soqIIYy.exe
  2⤵
  PID:11328
- C:\Windows\System32\LxyTeuz.exe
  C:\Windows\System32\LxyTeuz.exe
  2⤵
  PID:2784
- C:\Windows\System32\KLIgpAw.exe
  C:\Windows\System32\KLIgpAw.exe
  2⤵
  PID:11752
- C:\Windows\System32\QWYbxkg.exe
  C:\Windows\System32\QWYbxkg.exe
  2⤵
  PID:12200
- C:\Windows\System32\QlIcSMS.exe
  C:\Windows\System32\QlIcSMS.exe
  2⤵
  PID:11532
- C:\Windows\System32\HTZxeuQ.exe
  C:\Windows\System32\HTZxeuQ.exe
  2⤵
  PID:12296
- C:\Windows\System32\qfisYwU.exe
  C:\Windows\System32\qfisYwU.exe
  2⤵
  PID:12340
- C:\Windows\System32\wfJABbR.exe
  C:\Windows\System32\wfJABbR.exe
  2⤵
  PID:12364
- C:\Windows\System32\zVuiDiq.exe
  C:\Windows\System32\zVuiDiq.exe
  2⤵
  PID:12392
- C:\Windows\System32\XnHZwVc.exe
  C:\Windows\System32\XnHZwVc.exe
  2⤵
  PID:12420
- C:\Windows\System32\TrTLKao.exe
  C:\Windows\System32\TrTLKao.exe
  2⤵
  PID:12436
- C:\Windows\System32\ZclCwxq.exe
  C:\Windows\System32\ZclCwxq.exe
  2⤵
  PID:12472
- C:\Windows\System32\AEaFdtU.exe
  C:\Windows\System32\AEaFdtU.exe
  2⤵
  PID:12504
- C:\Windows\System32\pvSnNjB.exe
  C:\Windows\System32\pvSnNjB.exe
  2⤵
  PID:12528
- C:\Windows\System32\nOxzrDL.exe
  C:\Windows\System32\nOxzrDL.exe
  2⤵
  PID:12548
- C:\Windows\System32\xJXHqkB.exe
  C:\Windows\System32\xJXHqkB.exe
  2⤵
  PID:12568
- C:\Windows\System32\jKdtyNq.exe
  C:\Windows\System32\jKdtyNq.exe
  2⤵
  PID:12592
- C:\Windows\System32\LZVJJOG.exe
  C:\Windows\System32\LZVJJOG.exe
  2⤵
  PID:12612
- C:\Windows\System32\KTnhrtA.exe
  C:\Windows\System32\KTnhrtA.exe
  2⤵
  PID:12656
- C:\Windows\System32\szfQdlj.exe
  C:\Windows\System32\szfQdlj.exe
  2⤵
  PID:12708
- C:\Windows\System32\XQpOTdh.exe
  C:\Windows\System32\XQpOTdh.exe
  2⤵
  PID:12728
- C:\Windows\System32\bqKVeEY.exe
  C:\Windows\System32\bqKVeEY.exe
  2⤵
  PID:12756
- C:\Windows\System32\sXHCJcB.exe
  C:\Windows\System32\sXHCJcB.exe
  2⤵
  PID:12780
- C:\Windows\System32\EHvCIIC.exe
  C:\Windows\System32\EHvCIIC.exe
  2⤵
  PID:12800
- C:\Windows\System32\bgpVTNh.exe
  C:\Windows\System32\bgpVTNh.exe
  2⤵
  PID:12824
- C:\Windows\System32\tezbzir.exe
  C:\Windows\System32\tezbzir.exe
  2⤵
  PID:12864
- C:\Windows\System32\PsDgqxT.exe
  C:\Windows\System32\PsDgqxT.exe
  2⤵
  PID:12888
- C:\Windows\System32\wElyjEk.exe
  C:\Windows\System32\wElyjEk.exe
  2⤵
  PID:12920
- C:\Windows\System32\liLJqtR.exe
  C:\Windows\System32\liLJqtR.exe
  2⤵
  PID:12956
- C:\Windows\System32\RXcHsJI.exe
  C:\Windows\System32\RXcHsJI.exe
  2⤵
  PID:12980
- C:\Windows\System32\WUuTJif.exe
  C:\Windows\System32\WUuTJif.exe
  2⤵
  PID:13000
- C:\Windows\System32\vkQJNXw.exe
  C:\Windows\System32\vkQJNXw.exe
  2⤵
  PID:13032
- C:\Windows\System32\pfMsxvj.exe
  C:\Windows\System32\pfMsxvj.exe
  2⤵
  PID:13072
- C:\Windows\System32\DYumzEG.exe
  C:\Windows\System32\DYumzEG.exe
  2⤵
  PID:13096
- C:\Windows\System32\KRcHqMC.exe
  C:\Windows\System32\KRcHqMC.exe
  2⤵
  PID:13116
- C:\Windows\System32\IfwdGcN.exe
  C:\Windows\System32\IfwdGcN.exe
  2⤵
  PID:13152
- C:\Windows\System32\MzYwgRy.exe
  C:\Windows\System32\MzYwgRy.exe
  2⤵
  PID:13188
- C:\Windows\System32\azFGNXH.exe
  C:\Windows\System32\azFGNXH.exe
  2⤵
  PID:13216
- C:\Windows\System32\eUVuVyK.exe
  C:\Windows\System32\eUVuVyK.exe
  2⤵
  PID:13240
- C:\Windows\System32\jyZfXpX.exe
  C:\Windows\System32\jyZfXpX.exe
  2⤵
  PID:13264
- C:\Windows\System32\BYYNoeP.exe
  C:\Windows\System32\BYYNoeP.exe
  2⤵
  PID:13280
- C:\Windows\System32\aDlySVL.exe
  C:\Windows\System32\aDlySVL.exe
  2⤵
  PID:13304
- C:\Windows\System32\rrXXzMx.exe
  C:\Windows\System32\rrXXzMx.exe
  2⤵
  PID:12320
- C:\Windows\System32\pGeGUOt.exe
  C:\Windows\System32\pGeGUOt.exe
  2⤵
  PID:12416
- C:\Windows\System32\ERzjsnT.exe
  C:\Windows\System32\ERzjsnT.exe
  2⤵
  PID:12464
- C:\Windows\System32\xusAMYW.exe
  C:\Windows\System32\xusAMYW.exe
  2⤵
  PID:12536
- C:\Windows\System32\nxhNDeM.exe
  C:\Windows\System32\nxhNDeM.exe
  2⤵
  PID:12580

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\FoIwBkk.exe

Filesize
1.6MB

MD5
046aa3b210b3ba2fdc786bc31c4d0fc6

SHA1
7cad29439d72d39b9199bbf3eab408921818430d

SHA256
56e32a7e5c7876efb6d965fbed7ebdc454a4b69d71248bdbd64bb5756f6e017b

SHA512
73343ddf1128d54c2ad05aae3e001d3eb5a1110971b1aed9c8a98a2d5bf53db88ef135f9ee2e0fe25f81d6f4cd9972291239d8f8ce0993e89908383bef37c19e

Download Submit
C:\Windows\System32\HJAmLaV.exe

Filesize
1.6MB

MD5
7f2abb1b6611ea3edd57cad9214455d2

SHA1
37e8a4990a349518534c3e3a36bd0887d5a2907d

SHA256
3e1e4490f06fbc567b96dfb851f475b7b7bec4f9485c0efe4b7f897061ea9205

SHA512
a7d7b944f264b370675ab6bf1d880ec7d80b012ee03e38df9458e4190fdf3e6efea6f7ec6220c7f46a94e7a74083c6a9a63bd2e5884969e489086b6559c1d595

Download Submit
C:\Windows\System32\JuirjUM.exe

Filesize
1.6MB

MD5
253810ffd80bd31963105c7dfc425228

SHA1
fdc0babfdfce8de5a38e75763820da44011f053c

SHA256
e081511f69bc704f7eb4fcb36ab6548d29c6e336e9d041cf55a598f66b24c885

SHA512
dc655de961db79d7c714e1a7a47aaa4019928eacdd2ce0b36fcb992dbcab10e45d61c4519e635fd68e4278b554e8fbde8712313b749a33287d785c958aa5afef

Download Submit
C:\Windows\System32\NpEXVaM.exe

Filesize
1.6MB

MD5
52610bfd94f86796af2803e323da5fc8

SHA1
81cfdabb07a774516da272320391175f9d147390

SHA256
dec69eaf17af812f24619fe72d690968c02056d73191387d5788b2170c278017

SHA512
bde70a761f0d283408e214341637c578cf5b734e4f11a4c9bb18cab5ddd03a1368c65b78c930a4bd5ec537bc915a0cde2603cd4938221c665d7d750308e6fd4c

Download Submit
C:\Windows\System32\NxVKmem.exe

Filesize
1.6MB

MD5
bcc1d2cfbf6aeb39e93d53ac3fca773b

SHA1
b4440bcfe8291cff2afe39bb8489686867bda2b9

SHA256
15afdda2235fe9dac0313a94265ee7250580ad007a94ea93ef9b242273daf7ee

SHA512
49383521231357944a71016d368fe2a9730a0b2d5e1038318e44c8d7ff4b47e76a2d30594e4f7ad319c6bdfd511a9dc3c6834ab54e446a44d61a06ac087a9448

Download Submit
C:\Windows\System32\PcVaqSs.exe

Filesize
1.6MB

MD5
499a660b05b37a8fc12b1bf9759f24b5

SHA1
a4bdb63d86289bdb2728b00f4e32cad83e61ded5

SHA256
f061070880f799ecfaf9e8fbb2c0d73bba4bbf3553a4bc76021589a08fdd6186

SHA512
f0cecf52af5d6ed4ea96b8e9fb1f9bc41c1d3da2adb7b4d7df44ca27b725298af08fee8cc86255ff2774e62e8a8d869b4996d9244137b5d14d5a4e610f98a687

Download Submit
C:\Windows\System32\SYhkHfF.exe

Filesize
1.6MB

MD5
f720bb9b2e5c2d9e20053f4241daa9c5

SHA1
61600f14b0820b6526c98d770f9b722834e7b03e

SHA256
1b09f39dce7db5c23289a238ba5ad955fe6591acf606758a0f8ef3b970603751

SHA512
65bc6a4afdf6b791c6058b0f4143209bc9257e6a3ffc010d0ad4f1783097891fc06e226d1010997b712a7b84ef8a7440f056c467b2a57b8ad6bf216119840145

Download Submit
C:\Windows\System32\SwlfMUE.exe

Filesize
1.6MB

MD5
7125ba5faf61877396967c8265dceeae

SHA1
243a5ad9a709f3649b2aee1111efc35806e0b6bd

SHA256
e1a7126f33b91c8a647d90602709f789a5444bd3f714be247115033b27d85537

SHA512
3e4b71d781f006a0eb32e8486d2b808e6a7b69035c16d729375177cd28a7a519d5249cbc8a42df6b6f38498dad514351f149ee228173d2dfefe5261bcf49ae6c

Download Submit
C:\Windows\System32\WuSLkjQ.exe

Filesize
1.6MB

MD5
dcc73d253470bc64181cffe2b3956742

SHA1
cd99f01048f1d0c4364cce0714e1004ace2c8527

SHA256
8ed341b8f7ee302d28322a15bf6948d98e44368df52fbee0130dca05c73a31d7

SHA512
b4640b88161368633f7092b6dfd1beac8b615611785ae1e1f1f0480d2857d22b986bc56d0f7143644ee2c060a35e210c7b791600e3d56934017a199dd6660223

Download Submit
C:\Windows\System32\XUXeLZo.exe

Filesize
1.6MB

MD5
0e17d5ea7ecbd0ff0325adf0981fd00d

SHA1
588ee89e3a6e7f9e0dcbc4ac0d9b6e0d7623c97e

SHA256
5ef993bcdb8dba63e666bc30ec4a95f6fe787658db7dce0b6f4ac8e9b8fe9ff5

SHA512
f01e4454d95ae9c304e227dc78664c6b8d54367d56dfd0066353e6e07e729d9991c4af52d6025b27604402368e7d5f10c407d05646756aba0466e3c659cec592

Download Submit
C:\Windows\System32\XZiFlhG.exe

Filesize
1.6MB

MD5
d1dbe9eaa41607dfa82bf73a326bc903

SHA1
f0e661d164b81ffacce13b752ed3d04dd8621345

SHA256
33b6a30b9ade7ecfaaf821ce1c07dcf84da9224404eb76a316ac48ab7e9203d6

SHA512
a1ea38ce2ec3e815d50fa33b4ec82b2f8b472314f9453500ab8c3eb2652dcc4b6d5f5f98d32820f9559569e87c5731b4e2ee72f6a2d20a207086dbd3d661ddb2

Download Submit
C:\Windows\System32\ehIvRbl.exe

Filesize
1.6MB

MD5
d6cdb1da14abf87ea21cbcba996f9eb6

SHA1
9fef8a8a9782304a503cae5d86c23310cae48b47

SHA256
433d24a7c38da4d3e7c4454f72708057f278ca3634242532dd78822d50f56245

SHA512
68e24b06915796738b9621e72054edc7be76c233f43e8912f601b164d94e5efa6169915f2d919e533749433a59ca071f7f0b5d8788c04ca73c0a1511616a18db

Download Submit
C:\Windows\System32\fIKjjNI.exe

Filesize
1.6MB

MD5
dc23c1f5fb6f7fc6ec6adf7be5b07049

SHA1
49fcd58e0b7f73aebb85fd28e50f8e394fe31578

SHA256
c41fc451bea34584dd33e48289032487b755a868e22fd4c853497f3c2eefb179

SHA512
09912887d3f5bac7bc7376f6a9c7fd95780e8053beafec37dccdbf02ab98cb64660f14d7299226f5f63965b158c8467cc3391a868fc693ab9ac1d887f68ca7ba

Download Submit
C:\Windows\System32\kBHpVgg.exe

Filesize
1.6MB

MD5
397d6e122895bc80aa6363004f96f251

SHA1
5dbe10a797398444da0d0a64277c33f084717e94

SHA256
d650aa1281d590302e09d6d5688b2c7e4401e027d040c968480ddf6b6e64aa0a

SHA512
f47dc11f1db378fa886c159c3b832054e5fc28ae77fe0532046f96e8179cddf3a9a00827598adb2b6e96db6f5e45468c8de5419ae1d845c4cc6bc03d1c8127c0

Download Submit
C:\Windows\System32\kNRutCG.exe

Filesize
1.6MB

MD5
f2b44fc509955f5f6940be2726695450

SHA1
d7e504032b93ea42968df89155c0838b0fcdf84b

SHA256
82078e63c43e8620a1b9b47ef0b4559df16758a081f92b236dabcf590a97ebe2

SHA512
4573ebfe43a2fa0ba34eaa60a3884f92c329f441ad440937c5ae41fc80ef54ade1823abb7151bc5e89b1d6271b4ea98b144b17f70b408cf8c42fa05f44351970

Download Submit
C:\Windows\System32\lDcaXAw.exe

Filesize
1.6MB

MD5
372202f87501e151a59abded2f61cde9

SHA1
7c74dc648352aa569c8f3a5a0b3ae01b90a44623

SHA256
b8ea54a1beac6f3b932fbe3af6f5d46ef58f8ae1ed1ef55387463c8e77aef3a4

SHA512
bfdb0666262f5a9bce2b16d922ff0599e5c7e690b969cddefba2c399ac54cc734eee468948cfb3f528043e7d1538c3ddcd6ba2b2681eb8d008e7ff4c539d92df

Download Submit
C:\Windows\System32\lbTSJGX.exe

Filesize
1.6MB

MD5
0045bda766ac7d7f5b4a72490ab7a64e

SHA1
3f6d55739a45e8233d09b6cd432f6c696efd2c35

SHA256
2fc7bd73a9d303a8d0f1ce09da7614a5e92bf8da06dac2200384d25e8948981a

SHA512
7e03f6288968b55cafc8b17b1350ca4c49e64a335b8e554451cd753c37742b74b050a254ef00eaa4343cb24ffdfdd17c8a3d0d926b41107c5ec2959d4318ba7d

Download Submit
C:\Windows\System32\lyXxSYL.exe

Filesize
1.6MB

MD5
e4777c7cf4400e22ae708524695c2cf7

SHA1
c936f352c3c5314d548f7301d3b697f01e8e8c90

SHA256
0947ad88b67c4691b53f5f66884b07384679a772e7d79e794ae4320943744ba2

SHA512
25d1d39b7c73ff302d2733a3cf81379e6469c93240a5c54bd122e2d20da6a7e56f8d42a2d8ab94922d437b698ba52632780b8f40fc0f99300426bf899b9c1bfb

Download Submit
C:\Windows\System32\mdiBVwI.exe

Filesize
1.6MB

MD5
9acdc3403c40264c6ff81b20afcf0b0e

SHA1
3fd94ef2f6560c7abc635bfbece4d65d5d0b84f4

SHA256
10e985b136e7cebc307b3b7a31a8715fe6d52147764a0e405c38fac6c26adb4e

SHA512
e68460af5c6e15d4fbe9c52e7ec3bb1bb302bc27d25cdc7c462fd766176f96a7dec55063c6ddb97ffde3e6b714bc677c34b560fa359010573b9eaed65a4028b8

Download Submit
C:\Windows\System32\mqTEMtg.exe

Filesize
1.6MB

MD5
47c4ef5e0eb29cdc20e23494a1ed6ea4

SHA1
7ad2e67d2733579e47fb3ee9c63028afbf326a18

SHA256
f13e2c20ad2b84662d4530935a4aa5658a0b4c3b7cfdd4399c39ed7e3920c789

SHA512
bf7edb6b726c079f56ae3fa97c600965008788301416938191ee27b6db5dda697cacc7784f33b8ee4b23e3ed4d04ce869331b37530da19ce5d395acf12aefaae

Download Submit
C:\Windows\System32\msJNkKj.exe

Filesize
1.6MB

MD5
3b5653e5252c6341b0703fb3e7bb1b77

SHA1
f89473f4a76ca4a07828199fe7f3a76b35421b35

SHA256
816f5f2323d74d8ed0b3f1eed57d6c1c9c00f357e966d68bf7b81dbc19dedb2b

SHA512
c317ffdb642364df226f107e112de881b4bf8d7b39950b5c8391b60a1dc3689f223d9eaad11af1aae72fd9cbb686a35ad04f5c50c46f142bb31f7d688386ed1a

Download Submit
C:\Windows\System32\nLDxDSX.exe

Filesize
1.6MB

MD5
af609b9617e9f6a65b32fe01cbe3591a

SHA1
9e782efeed1b5d18220c748d73d15afb289b8b34

SHA256
1d2ac9149f4cd7923e1655a4d8fe863fba2ed46fd8750ad60b25ad533e2007eb

SHA512
534ad5a4045ab8c939f0547f91766bdfde46770782b9fa0eb39bb773cc64c49221ea80c7aff2c413e22feb002450f13a68774c74b95373167cba27e2a1762cd9

Download Submit
C:\Windows\System32\oIVHyKz.exe

Filesize
1.6MB

MD5
1a3c476fce8ea58ee9800e3ac1de9890

SHA1
4a9ae64962e34deb51cd960c8e2a3c4aa0fcc8ac

SHA256
864e568fb51a2f3cf0b129ec5850bc09f019b471bafa6b0174d28d79aae35bf0

SHA512
87249b35859078146be7691e4c07d81eecc12dfcaeb8570bf0cb49e7a573a55205f5eb761a9f460fe1f2a657302dbfb89709024b7b081e5ab254cadd28946e19

Download Submit
C:\Windows\System32\okCoHvj.exe

Filesize
1.6MB

MD5
6aa5abaa3fe09d871743fd1363b04307

SHA1
dec8689e38e712659689997a4771df8868658ee7

SHA256
6e5fa8cc9aba6ea0bae42fa5bfd6cea52716815bcfe5dd702e4a6ad0967c2b8e

SHA512
a5e9d7d8ebcf5aa12ac3fd872de89218a65c321eb798dd3644ea9d61dae7b4fe1a3aaf8829cc109fef843da9c9eed5f5493259dfc547c9d0a8ef5cf91e2217eb

Download Submit
C:\Windows\System32\sZcfmsY.exe

Filesize
1.6MB

MD5
70cf3b0646033bd7986177505159ef3b

SHA1
acec40fe73b7b6ec04b34f2b6e97a1faf243180c

SHA256
6d05d99ec8e1db794653317534fd6b1999ff5a12961bea03ec30476210f0404d

SHA512
d9bcbda94bd443ff2384295d14539a7a3fe7658a27a5b2b1e39df87e0bb8296548e49ad0683c545fc394c66305698dfe9e708aac90352d7c5ae362ec4e645689

Download Submit
C:\Windows\System32\sbUgXIM.exe

Filesize
1.6MB

MD5
5429493aac851e5cc26383c9d0e7fff8

SHA1
9b86b5ac6e9700ca12f8e26f5638e9e95daf430b

SHA256
cee0671eca9817a7a7f70ed97519185034f5b472155f3d735f19120996ad9542

SHA512
0bb374a0dad7bd171840a6b77d65c62e98f682d6ca7dc4838e7e8ae0ccaae06e8641a3e84d6b7db2e8c486c1b6e12cde8638b96883b499fd1bceb4136ee0753c

Download Submit
C:\Windows\System32\sqryetU.exe

Filesize
1.6MB

MD5
918990d560dc277bd1b86e714d45b51b

SHA1
1ad516a0b8ef5defd3975ab559db5207bba7e51d

SHA256
10b6c60ae698033c9ced098ef68d7f550c7cc7fef47abe35b71ebc5dd5b901c6

SHA512
eb883ebac9a57a66b52086c1f5075ce8918e766b7503531b1e0718964c19187417722eb7a70824e29ad6fbd858b63077d553aa9e9051971d906bb73ba01cecc7

Download Submit
C:\Windows\System32\tzMRJZA.exe

Filesize
1.6MB

MD5
7c20a9476e4ce2b0629f588a10d20522

SHA1
ef7e137f70f054dbecf7926274a2a6a00e5eeb7a

SHA256
86f9b50d6edff91daee9ed50d1f040bae6730ad2d153eb25b2ba666f78af6196

SHA512
44103d1a30fc16d4f5641b4f71ff3ed766b1f068267cb661bbcc4bdd979be1a4f59160974e1e8dde026cf7f754745aed68d0d8f595e562e5e5c9f8fbeda12999

Download Submit
C:\Windows\System32\uNDfDES.exe

Filesize
1.6MB

MD5
d2dde498b96e547c9a084cfebf481e90

SHA1
65c2d5472e673f20367dcb1aaa2a9a8536854794

SHA256
be24d43be3470d5e2b531649cff2a20def16aa4c40b8f6e8452a0b690f6956c6

SHA512
dcf34b0a9edacdc6993f3ade4d7944353bd68de12d39e25404a497ef9a7ba3cb7c8ab3181b80315514da8181e18dfe0cc16d8615ccb047434e97653c4848777b

Download Submit
C:\Windows\System32\wmKZslz.exe

Filesize
1.6MB

MD5
a30d15ff4f3425758709406c6a8a33c4

SHA1
7dab45ba8f274bf3ec5b3fed515d6484a8fa4092

SHA256
2953f1c50dd1b14657c8d3bb5fae9e6bcf7c78132a9f1435460d5be0ed3b461c

SHA512
1647e45a9aab8ca1d9c69c9b91dd4d7b12806bae8304ab0ebbe8e6053978bd0e7ed09a3da244794a043cc34097e827d952413a515491bc8635a8fe64f9348ab1

Download Submit
C:\Windows\System32\yVyTBwG.exe

Filesize
1.6MB

MD5
2f50b35d1228cbc676d702906fb91776

SHA1
463e200010cf8bd2a463482b7a4aeeb632bfbe48

SHA256
d7cc40c22708a9e284b9a2f95192b455c6bd6ba3404ddf4e9063fae67e004fe0

SHA512
b01585cfe567a386381fa7c47efae10a3660bdbc6ccc07ac02c42e4989514fd4b569378dff0de9e4cafc15fbad6426dc39a39749f9f128ff196c013c5e3f4d33

Download Submit
C:\Windows\System32\zfHaQrU.exe

Filesize
1.6MB

MD5
08f33093ae88243070e7a8b4887a473e

SHA1
0fff2f83c52df767d4cb448fd7dd5aad973ad02a

SHA256
59a1ad2732bb4c78511dc5e0fe1a1e6beb73219aabec73ca60c6c2f03a89d9b5

SHA512
30e24937c3018d1660cd919d3409c680951c07b88c7b36c8e156f228c12b3d97bdf5fc8a5f4c86a548a88c290e4e285f07c1873f95653bb8b08645a4c301cb63

Download Submit
memory/688-2018-0x00007FF60D5A0000-0x00007FF60D991000-memory.dmp

Filesize
3.9MB

Download
memory/688-459-0x00007FF60D5A0000-0x00007FF60D991000-memory.dmp

Filesize
3.9MB

Download
memory/740-466-0x00007FF7161F0000-0x00007FF7165E1000-memory.dmp

Filesize
3.9MB

Download
memory/740-2037-0x00007FF7161F0000-0x00007FF7165E1000-memory.dmp

Filesize
3.9MB

Download
memory/888-2002-0x00007FF785C80000-0x00007FF786071000-memory.dmp

Filesize
3.9MB

Download
memory/888-36-0x00007FF785C80000-0x00007FF786071000-memory.dmp

Filesize
3.9MB

Download
memory/1144-455-0x00007FF6B7200000-0x00007FF6B75F1000-memory.dmp

Filesize
3.9MB

Download
memory/1144-2008-0x00007FF6B7200000-0x00007FF6B75F1000-memory.dmp

Filesize
3.9MB

Download
memory/1176-40-0x00007FF728A60000-0x00007FF728E51000-memory.dmp

Filesize
3.9MB

Download
memory/1176-1988-0x00007FF728A60000-0x00007FF728E51000-memory.dmp

Filesize
3.9MB

Download
memory/1176-2006-0x00007FF728A60000-0x00007FF728E51000-memory.dmp

Filesize
3.9MB

Download
memory/1528-2020-0x00007FF78AF30000-0x00007FF78B321000-memory.dmp

Filesize
3.9MB

Download
memory/1528-495-0x00007FF78AF30000-0x00007FF78B321000-memory.dmp

Filesize
3.9MB

Download
memory/1648-2031-0x00007FF6B6390000-0x00007FF6B6781000-memory.dmp

Filesize
3.9MB

Download
memory/1648-463-0x00007FF6B6390000-0x00007FF6B6781000-memory.dmp

Filesize
3.9MB

Download
memory/1928-45-0x00007FF79E9F0000-0x00007FF79EDE1000-memory.dmp

Filesize
3.9MB

Download
memory/1928-2004-0x00007FF79E9F0000-0x00007FF79EDE1000-memory.dmp

Filesize
3.9MB

Download
memory/1976-462-0x00007FF6FF870000-0x00007FF6FFC61000-memory.dmp

Filesize
3.9MB

Download
memory/1976-2029-0x00007FF6FF870000-0x00007FF6FFC61000-memory.dmp

Filesize
3.9MB

Download
memory/2288-2012-0x00007FF616CB0000-0x00007FF6170A1000-memory.dmp

Filesize
3.9MB

Download
memory/2288-457-0x00007FF616CB0000-0x00007FF6170A1000-memory.dmp

Filesize
3.9MB

Download
memory/2312-1998-0x00007FF6B32F0000-0x00007FF6B36E1000-memory.dmp

Filesize
3.9MB

Download
memory/2312-1976-0x00007FF6B32F0000-0x00007FF6B36E1000-memory.dmp

Filesize
3.9MB

Download
memory/2312-19-0x00007FF6B32F0000-0x00007FF6B36E1000-memory.dmp

Filesize
3.9MB

Download
memory/2564-464-0x00007FF78D680000-0x00007FF78DA71000-memory.dmp

Filesize
3.9MB

Download
memory/2564-2041-0x00007FF78D680000-0x00007FF78DA71000-memory.dmp

Filesize
3.9MB

Download
memory/2636-2016-0x00007FF617720000-0x00007FF617B11000-memory.dmp

Filesize
3.9MB

Download
memory/2636-460-0x00007FF617720000-0x00007FF617B11000-memory.dmp

Filesize
3.9MB

Download
memory/2896-2039-0x00007FF6639E0000-0x00007FF663DD1000-memory.dmp

Filesize
3.9MB

Download
memory/2896-465-0x00007FF6639E0000-0x00007FF663DD1000-memory.dmp

Filesize
3.9MB

Download
memory/3008-461-0x00007FF7FCF50000-0x00007FF7FD341000-memory.dmp

Filesize
3.9MB

Download
memory/3008-2027-0x00007FF7FCF50000-0x00007FF7FD341000-memory.dmp

Filesize
3.9MB

Download
memory/3248-456-0x00007FF7D77C0000-0x00007FF7D7BB1000-memory.dmp

Filesize
3.9MB

Download
memory/3248-2010-0x00007FF7D77C0000-0x00007FF7D7BB1000-memory.dmp

Filesize
3.9MB

Download
memory/3472-493-0x00007FF6CEFA0000-0x00007FF6CF391000-memory.dmp

Filesize
3.9MB

Download
memory/3472-2022-0x00007FF6CEFA0000-0x00007FF6CF391000-memory.dmp

Filesize
3.9MB

Download
memory/3480-0-0x00007FF6F0F20000-0x00007FF6F1311000-memory.dmp

Filesize
3.9MB

Download
memory/3480-1-0x000002502C360000-0x000002502C370000-memory.dmp

Filesize
64KB

Download
memory/3808-2033-0x00007FF62FC30000-0x00007FF630021000-memory.dmp

Filesize
3.9MB

Download
memory/3808-468-0x00007FF62FC30000-0x00007FF630021000-memory.dmp

Filesize
3.9MB

Download
memory/4304-9-0x00007FF78FD20000-0x00007FF790111000-memory.dmp

Filesize
3.9MB

Download
memory/4304-1994-0x00007FF78FD20000-0x00007FF790111000-memory.dmp

Filesize
3.9MB

Download
memory/4468-458-0x00007FF6010D0000-0x00007FF6014C1000-memory.dmp

Filesize
3.9MB

Download
memory/4468-2014-0x00007FF6010D0000-0x00007FF6014C1000-memory.dmp

Filesize
3.9MB

Download
memory/4548-467-0x00007FF7EAEF0000-0x00007FF7EB2E1000-memory.dmp

Filesize
3.9MB

Download
memory/4548-2036-0x00007FF7EAEF0000-0x00007FF7EB2E1000-memory.dmp

Filesize
3.9MB

Download
memory/4572-24-0x00007FF72C240000-0x00007FF72C631000-memory.dmp

Filesize
3.9MB

Download
memory/4572-1977-0x00007FF72C240000-0x00007FF72C631000-memory.dmp

Filesize
3.9MB

Download
memory/4572-2000-0x00007FF72C240000-0x00007FF72C631000-memory.dmp

Filesize
3.9MB

Download
memory/4640-2024-0x00007FF6C2500000-0x00007FF6C28F1000-memory.dmp

Filesize
3.9MB

Download
memory/4640-492-0x00007FF6C2500000-0x00007FF6C28F1000-memory.dmp

Filesize
3.9MB

Download
memory/4824-1996-0x00007FF7C08A0000-0x00007FF7C0C91000-memory.dmp

Filesize
3.9MB

Download
memory/4824-1953-0x00007FF7C08A0000-0x00007FF7C0C91000-memory.dmp

Filesize
3.9MB

Download
memory/4824-14-0x00007FF7C08A0000-0x00007FF7C0C91000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads