xmrig | 6928fae051a0741ba4ed04baa57ebb600918be640e5080cc5750d83f133c09aa

Analysis

max time kernel
111s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
Size

1.4MB
MD5

05b02ff987de54190feb4999b5e27a0b
SHA1

790762f83bcef982dfc8b09536854049658afca1
SHA256

6928fae051a0741ba4ed04baa57ebb600918be640e5080cc5750d83f133c09aa
SHA512

de6a1d46fe3b202213a408bdb04ec4bb8328d465d3889bcb63c19593c858510437ae8df8f714714c70493f37e485cfa40deac8218cdbf5c4feda6d385b1b5e6f
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO9C1MKTbcMfHhGjw2qPIC4+X+:knw9oUUEEDlGUjc2HhG82qwf

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4808-17-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp	xmrig
behavioral2/memory/4620-395-0x00007FF6D7660000-0x00007FF6D7A51000-memory.dmp	xmrig
behavioral2/memory/3716-396-0x00007FF62CCA0000-0x00007FF62D091000-memory.dmp	xmrig
behavioral2/memory/4460-399-0x00007FF7992F0000-0x00007FF7996E1000-memory.dmp	xmrig
behavioral2/memory/5024-406-0x00007FF6E5C00000-0x00007FF6E5FF1000-memory.dmp	xmrig
behavioral2/memory/2852-411-0x00007FF6BB7A0000-0x00007FF6BBB91000-memory.dmp	xmrig
behavioral2/memory/1552-418-0x00007FF79A3A0000-0x00007FF79A791000-memory.dmp	xmrig
behavioral2/memory/4492-417-0x00007FF643CD0000-0x00007FF6440C1000-memory.dmp	xmrig
behavioral2/memory/3772-420-0x00007FF7CC810000-0x00007FF7CCC01000-memory.dmp	xmrig
behavioral2/memory/1812-412-0x00007FF7E1E80000-0x00007FF7E2271000-memory.dmp	xmrig
behavioral2/memory/5060-404-0x00007FF6D51D0000-0x00007FF6D55C1000-memory.dmp	xmrig
behavioral2/memory/4688-402-0x00007FF74AA70000-0x00007FF74AE61000-memory.dmp	xmrig
behavioral2/memory/5044-425-0x00007FF65F050000-0x00007FF65F441000-memory.dmp	xmrig
behavioral2/memory/3464-428-0x00007FF7AAA90000-0x00007FF7AAE81000-memory.dmp	xmrig
behavioral2/memory/2068-426-0x00007FF761DF0000-0x00007FF7621E1000-memory.dmp	xmrig
behavioral2/memory/1644-435-0x00007FF7B3200000-0x00007FF7B35F1000-memory.dmp	xmrig
behavioral2/memory/4720-438-0x00007FF7B0800000-0x00007FF7B0BF1000-memory.dmp	xmrig
behavioral2/memory/4556-441-0x00007FF7200B0000-0x00007FF7204A1000-memory.dmp	xmrig
behavioral2/memory/3176-451-0x00007FF7E3C70000-0x00007FF7E4061000-memory.dmp	xmrig
behavioral2/memory/4984-457-0x00007FF772590000-0x00007FF772981000-memory.dmp	xmrig
behavioral2/memory/5020-448-0x00007FF791A90000-0x00007FF791E81000-memory.dmp	xmrig
behavioral2/memory/4436-1961-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	xmrig
behavioral2/memory/2988-1970-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp	xmrig
behavioral2/memory/3032-1971-0x00007FF72AC80000-0x00007FF72B071000-memory.dmp	xmrig
behavioral2/memory/4436-1976-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	xmrig
behavioral2/memory/4808-1978-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp	xmrig
behavioral2/memory/3032-1980-0x00007FF72AC80000-0x00007FF72B071000-memory.dmp	xmrig
behavioral2/memory/4984-1984-0x00007FF772590000-0x00007FF772981000-memory.dmp	xmrig
behavioral2/memory/2988-1982-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp	xmrig
behavioral2/memory/5024-1996-0x00007FF6E5C00000-0x00007FF6E5FF1000-memory.dmp	xmrig
behavioral2/memory/4688-1994-0x00007FF74AA70000-0x00007FF74AE61000-memory.dmp	xmrig
behavioral2/memory/5060-2002-0x00007FF6D51D0000-0x00007FF6D55C1000-memory.dmp	xmrig
behavioral2/memory/4492-2004-0x00007FF643CD0000-0x00007FF6440C1000-memory.dmp	xmrig
behavioral2/memory/3772-2006-0x00007FF7CC810000-0x00007FF7CCC01000-memory.dmp	xmrig
behavioral2/memory/1812-1998-0x00007FF7E1E80000-0x00007FF7E2271000-memory.dmp	xmrig
behavioral2/memory/1552-2000-0x00007FF79A3A0000-0x00007FF79A791000-memory.dmp	xmrig
behavioral2/memory/4460-1990-0x00007FF7992F0000-0x00007FF7996E1000-memory.dmp	xmrig
behavioral2/memory/2852-1992-0x00007FF6BB7A0000-0x00007FF6BBB91000-memory.dmp	xmrig
behavioral2/memory/4620-1986-0x00007FF6D7660000-0x00007FF6D7A51000-memory.dmp	xmrig
behavioral2/memory/3716-1988-0x00007FF62CCA0000-0x00007FF62D091000-memory.dmp	xmrig
behavioral2/memory/5020-2087-0x00007FF791A90000-0x00007FF791E81000-memory.dmp	xmrig
behavioral2/memory/4720-2041-0x00007FF7B0800000-0x00007FF7B0BF1000-memory.dmp	xmrig
behavioral2/memory/4556-2021-0x00007FF7200B0000-0x00007FF7204A1000-memory.dmp	xmrig
behavioral2/memory/2068-2012-0x00007FF761DF0000-0x00007FF7621E1000-memory.dmp	xmrig
behavioral2/memory/3464-2010-0x00007FF7AAA90000-0x00007FF7AAE81000-memory.dmp	xmrig
behavioral2/memory/3176-2019-0x00007FF7E3C70000-0x00007FF7E4061000-memory.dmp	xmrig
behavioral2/memory/1644-2017-0x00007FF7B3200000-0x00007FF7B35F1000-memory.dmp	xmrig
behavioral2/memory/5044-2008-0x00007FF65F050000-0x00007FF65F441000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4436	HgJAZrB.exe
4808	QaITVqL.exe
2988	DxBICOn.exe
3032	bgGKwfX.exe
4984	mqcBMAt.exe
4620	NbAuWDp.exe
3716	jDEjxQQ.exe
4460	vtQysQV.exe
4688	dorEQlk.exe
5060	AyCHaDI.exe
5024	WsieQnU.exe
2852	asUSrvn.exe
1812	CjveQSq.exe
4492	uFFBszA.exe
1552	IvtEBBs.exe
3772	uiVafVn.exe
5044	gkjmpXx.exe
2068	mhRPIXb.exe
3464	CyMDNgB.exe
1644	maKJZff.exe
4720	IAeMMBu.exe
4556	mOmnCBc.exe
5020	BbIHAZh.exe
3176	cpvwMRj.exe
3908	qNAFlWw.exe
2504	nePwjWJ.exe
4816	LPjAveQ.exe
2124	FfffSJF.exe
3944	BTagsJv.exe
2944	SfWjHYs.exe
4932	SZTKxwC.exe
436	dEJHwPS.exe
3144	uhwLFpT.exe
4880	bugdTWW.exe
1336	IUgHprV.exe
2240	gUvNpUZ.exe
1432	ZIkbABR.exe
3056	HpVWkUR.exe
1788	qztlqTo.exe
2336	wBDdXKv.exe
1800	FGihJRh.exe
2720	uXoEQGr.exe
3140	lWFOTYN.exe
2416	RrvSCzU.exe
4104	UibEsix.exe
2728	IddeBaw.exe
3828	TrdWOVT.exe
4828	uyhcrgF.exe
4864	bKKcudG.exe
2752	WRMpUjW.exe
4444	ZrTeyOd.exe
3664	tUMTAhE.exe
4768	CKngHxV.exe
4376	WVcRtaU.exe
4348	wRAARJx.exe
4480	medPZDq.exe
3340	oMQfstY.exe
868	SeonPwO.exe
5052	MkRaEqd.exe
3456	JGbUSoa.exe
1848	AjhpZtE.exe
3988	sJFLsHx.exe
2212	iXjPnAs.exe
3552	IZScDCv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-0-0x00007FF7BC780000-0x00007FF7BCB71000-memory.dmp	upx
behavioral2/files/0x000c000000023b77-5.dat	upx
behavioral2/memory/4436-9-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-8.dat	upx
behavioral2/files/0x000a000000023b8a-11.dat	upx
behavioral2/memory/2988-19-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-22.dat	upx
behavioral2/files/0x000a000000023b8d-29.dat	upx
behavioral2/files/0x000a000000023b8e-34.dat	upx
behavioral2/files/0x000a000000023b8f-39.dat	upx
behavioral2/files/0x000a000000023b90-44.dat	upx
behavioral2/files/0x000a000000023b91-49.dat	upx
behavioral2/files/0x000a000000023b92-54.dat	upx
behavioral2/files/0x000a000000023b94-62.dat	upx
behavioral2/files/0x000a000000023b95-69.dat	upx
behavioral2/files/0x000a000000023b98-84.dat	upx
behavioral2/files/0x000a000000023b99-89.dat	upx
behavioral2/files/0x000a000000023b9d-109.dat	upx
behavioral2/files/0x000a000000023ba0-122.dat	upx
behavioral2/files/0x000a000000023ba8-164.dat	upx
behavioral2/files/0x000a000000023ba7-159.dat	upx
behavioral2/files/0x000a000000023ba6-154.dat	upx
behavioral2/files/0x000a000000023ba5-149.dat	upx
behavioral2/files/0x000a000000023ba4-144.dat	upx
behavioral2/files/0x000a000000023ba3-139.dat	upx
behavioral2/files/0x000a000000023ba2-134.dat	upx
behavioral2/files/0x000a000000023ba1-129.dat	upx
behavioral2/files/0x000a000000023b9f-119.dat	upx
behavioral2/files/0x000a000000023b9e-114.dat	upx
behavioral2/files/0x000a000000023b9c-104.dat	upx
behavioral2/files/0x000a000000023b9b-99.dat	upx
behavioral2/files/0x000a000000023b9a-94.dat	upx
behavioral2/files/0x000a000000023b97-79.dat	upx
behavioral2/files/0x000a000000023b96-74.dat	upx
behavioral2/files/0x000a000000023b93-59.dat	upx
behavioral2/memory/4808-17-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp	upx
behavioral2/memory/3032-394-0x00007FF72AC80000-0x00007FF72B071000-memory.dmp	upx
behavioral2/memory/4620-395-0x00007FF6D7660000-0x00007FF6D7A51000-memory.dmp	upx
behavioral2/memory/3716-396-0x00007FF62CCA0000-0x00007FF62D091000-memory.dmp	upx
behavioral2/memory/4460-399-0x00007FF7992F0000-0x00007FF7996E1000-memory.dmp	upx
behavioral2/memory/5024-406-0x00007FF6E5C00000-0x00007FF6E5FF1000-memory.dmp	upx
behavioral2/memory/2852-411-0x00007FF6BB7A0000-0x00007FF6BBB91000-memory.dmp	upx
behavioral2/memory/1552-418-0x00007FF79A3A0000-0x00007FF79A791000-memory.dmp	upx
behavioral2/memory/4492-417-0x00007FF643CD0000-0x00007FF6440C1000-memory.dmp	upx
behavioral2/memory/3772-420-0x00007FF7CC810000-0x00007FF7CCC01000-memory.dmp	upx
behavioral2/memory/1812-412-0x00007FF7E1E80000-0x00007FF7E2271000-memory.dmp	upx
behavioral2/memory/5060-404-0x00007FF6D51D0000-0x00007FF6D55C1000-memory.dmp	upx
behavioral2/memory/4688-402-0x00007FF74AA70000-0x00007FF74AE61000-memory.dmp	upx
behavioral2/memory/5044-425-0x00007FF65F050000-0x00007FF65F441000-memory.dmp	upx
behavioral2/memory/3464-428-0x00007FF7AAA90000-0x00007FF7AAE81000-memory.dmp	upx
behavioral2/memory/2068-426-0x00007FF761DF0000-0x00007FF7621E1000-memory.dmp	upx
behavioral2/memory/1644-435-0x00007FF7B3200000-0x00007FF7B35F1000-memory.dmp	upx
behavioral2/memory/4720-438-0x00007FF7B0800000-0x00007FF7B0BF1000-memory.dmp	upx
behavioral2/memory/4556-441-0x00007FF7200B0000-0x00007FF7204A1000-memory.dmp	upx
behavioral2/memory/3176-451-0x00007FF7E3C70000-0x00007FF7E4061000-memory.dmp	upx
behavioral2/memory/4984-457-0x00007FF772590000-0x00007FF772981000-memory.dmp	upx
behavioral2/memory/5020-448-0x00007FF791A90000-0x00007FF791E81000-memory.dmp	upx
behavioral2/memory/4436-1961-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	upx
behavioral2/memory/2988-1970-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp	upx
behavioral2/memory/3032-1971-0x00007FF72AC80000-0x00007FF72B071000-memory.dmp	upx
behavioral2/memory/4436-1976-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	upx
behavioral2/memory/4808-1978-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp	upx
behavioral2/memory/3032-1980-0x00007FF72AC80000-0x00007FF72B071000-memory.dmp	upx
behavioral2/memory/4984-1984-0x00007FF772590000-0x00007FF772981000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\gUvNpUZ.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\MurmBxV.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\WZVMsfl.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\xpkfbaw.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\JINIacP.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\DkJFWxa.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\MMcpZNz.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\DvoRfSd.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\xVaPegk.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\ZODktge.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\lUvYIPE.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\WlDCrbn.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\IcNNEHQ.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\cYTwnaW.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\ZayuRNK.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\AIwpiid.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\sZoiwDO.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\sypGflR.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\ciAPisl.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\AVWXzlE.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\folQGhz.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\mcmwYuM.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\QwVXLNZ.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\ePXZLIN.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\pJWoJeq.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\zDRLgsM.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\dlFyXTy.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\vfZExbC.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\yjTsszA.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\AMnVKWz.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\QaITVqL.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\PhcKIRS.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\AqcDbks.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\KPUTRBW.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\deZZLaR.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\HGifGRx.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\lyJjPCN.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\sKNiFxH.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\EfugVIb.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\lhdReAF.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\vquunfj.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\uwhMHkV.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\mRAFxRz.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\DpQTNuN.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\mOmnCBc.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\FGihJRh.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\WPEsZGr.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\alHzXsN.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\aOPzDmE.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\phLQlBU.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\lFnBXQF.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\HXWkEYf.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\gwwoKUB.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\kwWmDLT.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\MsVrchd.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\WIVloeF.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\QxDRUZu.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\FDLUBJT.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\lZSlnfE.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\gjLOLly.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\XBcbzuB.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\wtevmbn.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\EFCgrqw.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
File created	C:\Windows\System32\HgkrFho.exe	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13100	dwm.exe
Token: SeChangeNotifyPrivilege	13100	dwm.exe
Token: 33	13100	dwm.exe
Token: SeIncBasePriorityPrivilege	13100	dwm.exe
Token: SeShutdownPrivilege	13100	dwm.exe
Token: SeCreatePagefilePrivilege	13100	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 4436	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	86
PID 116 wrote to memory of 4436	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	86
PID 116 wrote to memory of 4808	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	87
PID 116 wrote to memory of 4808	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	87
PID 116 wrote to memory of 2988	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	88
PID 116 wrote to memory of 2988	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	88
PID 116 wrote to memory of 3032	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	89
PID 116 wrote to memory of 3032	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	89
PID 116 wrote to memory of 4984	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	90
PID 116 wrote to memory of 4984	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	90
PID 116 wrote to memory of 4620	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	91
PID 116 wrote to memory of 4620	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	91
PID 116 wrote to memory of 3716	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	92
PID 116 wrote to memory of 3716	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	92
PID 116 wrote to memory of 4460	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	93
PID 116 wrote to memory of 4460	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	93
PID 116 wrote to memory of 4688	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	94
PID 116 wrote to memory of 4688	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	94
PID 116 wrote to memory of 5060	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	95
PID 116 wrote to memory of 5060	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	95
PID 116 wrote to memory of 5024	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	96
PID 116 wrote to memory of 5024	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	96
PID 116 wrote to memory of 2852	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	97
PID 116 wrote to memory of 2852	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	97
PID 116 wrote to memory of 1812	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	98
PID 116 wrote to memory of 1812	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	98
PID 116 wrote to memory of 4492	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	99
PID 116 wrote to memory of 4492	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	99
PID 116 wrote to memory of 1552	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	100
PID 116 wrote to memory of 1552	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	100
PID 116 wrote to memory of 3772	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	101
PID 116 wrote to memory of 3772	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	101
PID 116 wrote to memory of 5044	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	102
PID 116 wrote to memory of 5044	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	102
PID 116 wrote to memory of 2068	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	103
PID 116 wrote to memory of 2068	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	103
PID 116 wrote to memory of 3464	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	104
PID 116 wrote to memory of 3464	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	104
PID 116 wrote to memory of 1644	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	105
PID 116 wrote to memory of 1644	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	105
PID 116 wrote to memory of 4720	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	106
PID 116 wrote to memory of 4720	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	106
PID 116 wrote to memory of 4556	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	107
PID 116 wrote to memory of 4556	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	107
PID 116 wrote to memory of 5020	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	108
PID 116 wrote to memory of 5020	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	108
PID 116 wrote to memory of 3176	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	109
PID 116 wrote to memory of 3176	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	109
PID 116 wrote to memory of 3908	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	110
PID 116 wrote to memory of 3908	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	110
PID 116 wrote to memory of 2504	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	111
PID 116 wrote to memory of 2504	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	111
PID 116 wrote to memory of 4816	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	112
PID 116 wrote to memory of 4816	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	112
PID 116 wrote to memory of 2124	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	113
PID 116 wrote to memory of 2124	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	113
PID 116 wrote to memory of 3944	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	114
PID 116 wrote to memory of 3944	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	114
PID 116 wrote to memory of 2944	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	115
PID 116 wrote to memory of 2944	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	115
PID 116 wrote to memory of 4932	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	116
PID 116 wrote to memory of 4932	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	116
PID 116 wrote to memory of 436	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	117
PID 116 wrote to memory of 436	116	05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05b02ff987de54190feb4999b5e27a0b_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\System32\HgJAZrB.exe
  C:\Windows\System32\HgJAZrB.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\QaITVqL.exe
  C:\Windows\System32\QaITVqL.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\DxBICOn.exe
  C:\Windows\System32\DxBICOn.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\bgGKwfX.exe
  C:\Windows\System32\bgGKwfX.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System32\mqcBMAt.exe
  C:\Windows\System32\mqcBMAt.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System32\NbAuWDp.exe
  C:\Windows\System32\NbAuWDp.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System32\jDEjxQQ.exe
  C:\Windows\System32\jDEjxQQ.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System32\vtQysQV.exe
  C:\Windows\System32\vtQysQV.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\dorEQlk.exe
  C:\Windows\System32\dorEQlk.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System32\AyCHaDI.exe
  C:\Windows\System32\AyCHaDI.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\WsieQnU.exe
  C:\Windows\System32\WsieQnU.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System32\asUSrvn.exe
  C:\Windows\System32\asUSrvn.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System32\CjveQSq.exe
  C:\Windows\System32\CjveQSq.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\uFFBszA.exe
  C:\Windows\System32\uFFBszA.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\IvtEBBs.exe
  C:\Windows\System32\IvtEBBs.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System32\uiVafVn.exe
  C:\Windows\System32\uiVafVn.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System32\gkjmpXx.exe
  C:\Windows\System32\gkjmpXx.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System32\mhRPIXb.exe
  C:\Windows\System32\mhRPIXb.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\CyMDNgB.exe
  C:\Windows\System32\CyMDNgB.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\maKJZff.exe
  C:\Windows\System32\maKJZff.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System32\IAeMMBu.exe
  C:\Windows\System32\IAeMMBu.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System32\mOmnCBc.exe
  C:\Windows\System32\mOmnCBc.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System32\BbIHAZh.exe
  C:\Windows\System32\BbIHAZh.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\cpvwMRj.exe
  C:\Windows\System32\cpvwMRj.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System32\qNAFlWw.exe
  C:\Windows\System32\qNAFlWw.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System32\nePwjWJ.exe
  C:\Windows\System32\nePwjWJ.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System32\LPjAveQ.exe
  C:\Windows\System32\LPjAveQ.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System32\FfffSJF.exe
  C:\Windows\System32\FfffSJF.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System32\BTagsJv.exe
  C:\Windows\System32\BTagsJv.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\SfWjHYs.exe
  C:\Windows\System32\SfWjHYs.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System32\SZTKxwC.exe
  C:\Windows\System32\SZTKxwC.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\dEJHwPS.exe
  C:\Windows\System32\dEJHwPS.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\uhwLFpT.exe
  C:\Windows\System32\uhwLFpT.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System32\bugdTWW.exe
  C:\Windows\System32\bugdTWW.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\IUgHprV.exe
  C:\Windows\System32\IUgHprV.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System32\gUvNpUZ.exe
  C:\Windows\System32\gUvNpUZ.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System32\ZIkbABR.exe
  C:\Windows\System32\ZIkbABR.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System32\HpVWkUR.exe
  C:\Windows\System32\HpVWkUR.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\qztlqTo.exe
  C:\Windows\System32\qztlqTo.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System32\wBDdXKv.exe
  C:\Windows\System32\wBDdXKv.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System32\FGihJRh.exe
  C:\Windows\System32\FGihJRh.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\uXoEQGr.exe
  C:\Windows\System32\uXoEQGr.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System32\lWFOTYN.exe
  C:\Windows\System32\lWFOTYN.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\RrvSCzU.exe
  C:\Windows\System32\RrvSCzU.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\UibEsix.exe
  C:\Windows\System32\UibEsix.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System32\IddeBaw.exe
  C:\Windows\System32\IddeBaw.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System32\TrdWOVT.exe
  C:\Windows\System32\TrdWOVT.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\uyhcrgF.exe
  C:\Windows\System32\uyhcrgF.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\bKKcudG.exe
  C:\Windows\System32\bKKcudG.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\WRMpUjW.exe
  C:\Windows\System32\WRMpUjW.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\ZrTeyOd.exe
  C:\Windows\System32\ZrTeyOd.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System32\tUMTAhE.exe
  C:\Windows\System32\tUMTAhE.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System32\CKngHxV.exe
  C:\Windows\System32\CKngHxV.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\WVcRtaU.exe
  C:\Windows\System32\WVcRtaU.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System32\wRAARJx.exe
  C:\Windows\System32\wRAARJx.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\medPZDq.exe
  C:\Windows\System32\medPZDq.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\oMQfstY.exe
  C:\Windows\System32\oMQfstY.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\SeonPwO.exe
  C:\Windows\System32\SeonPwO.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System32\MkRaEqd.exe
  C:\Windows\System32\MkRaEqd.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\JGbUSoa.exe
  C:\Windows\System32\JGbUSoa.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\AjhpZtE.exe
  C:\Windows\System32\AjhpZtE.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System32\sJFLsHx.exe
  C:\Windows\System32\sJFLsHx.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\iXjPnAs.exe
  C:\Windows\System32\iXjPnAs.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System32\IZScDCv.exe
  C:\Windows\System32\IZScDCv.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\HIYAUEA.exe
  C:\Windows\System32\HIYAUEA.exe
  2⤵
  PID:4504
- C:\Windows\System32\WPEsZGr.exe
  C:\Windows\System32\WPEsZGr.exe
  2⤵
  PID:4640
- C:\Windows\System32\AxCVERu.exe
  C:\Windows\System32\AxCVERu.exe
  2⤵
  PID:4336
- C:\Windows\System32\tzOmFPo.exe
  C:\Windows\System32\tzOmFPo.exe
  2⤵
  PID:3880
- C:\Windows\System32\nfODjBj.exe
  C:\Windows\System32\nfODjBj.exe
  2⤵
  PID:1608
- C:\Windows\System32\xyxbhCo.exe
  C:\Windows\System32\xyxbhCo.exe
  2⤵
  PID:1964
- C:\Windows\System32\gurXdXl.exe
  C:\Windows\System32\gurXdXl.exe
  2⤵
  PID:624
- C:\Windows\System32\eaTLRaT.exe
  C:\Windows\System32\eaTLRaT.exe
  2⤵
  PID:2816
- C:\Windows\System32\qZIpjrB.exe
  C:\Windows\System32\qZIpjrB.exe
  2⤵
  PID:912
- C:\Windows\System32\sXOqfnH.exe
  C:\Windows\System32\sXOqfnH.exe
  2⤵
  PID:3676
- C:\Windows\System32\epNCBlH.exe
  C:\Windows\System32\epNCBlH.exe
  2⤵
  PID:3576
- C:\Windows\System32\yFYnrkX.exe
  C:\Windows\System32\yFYnrkX.exe
  2⤵
  PID:2540
- C:\Windows\System32\hsmhsvE.exe
  C:\Windows\System32\hsmhsvE.exe
  2⤵
  PID:2832
- C:\Windows\System32\WlDCrbn.exe
  C:\Windows\System32\WlDCrbn.exe
  2⤵
  PID:2824
- C:\Windows\System32\PlgoYMv.exe
  C:\Windows\System32\PlgoYMv.exe
  2⤵
  PID:3384
- C:\Windows\System32\qFEIIdI.exe
  C:\Windows\System32\qFEIIdI.exe
  2⤵
  PID:5140
- C:\Windows\System32\IcNNEHQ.exe
  C:\Windows\System32\IcNNEHQ.exe
  2⤵
  PID:5172
- C:\Windows\System32\MMcpZNz.exe
  C:\Windows\System32\MMcpZNz.exe
  2⤵
  PID:5192
- C:\Windows\System32\OXPclKi.exe
  C:\Windows\System32\OXPclKi.exe
  2⤵
  PID:5224
- C:\Windows\System32\BUfFZUK.exe
  C:\Windows\System32\BUfFZUK.exe
  2⤵
  PID:5256
- C:\Windows\System32\dzDWXGY.exe
  C:\Windows\System32\dzDWXGY.exe
  2⤵
  PID:5280
- C:\Windows\System32\ChKyprI.exe
  C:\Windows\System32\ChKyprI.exe
  2⤵
  PID:5304
- C:\Windows\System32\GzbvesF.exe
  C:\Windows\System32\GzbvesF.exe
  2⤵
  PID:5336
- C:\Windows\System32\QNmDmFd.exe
  C:\Windows\System32\QNmDmFd.exe
  2⤵
  PID:5364
- C:\Windows\System32\sYFRtoZ.exe
  C:\Windows\System32\sYFRtoZ.exe
  2⤵
  PID:5392
- C:\Windows\System32\AfbhqVt.exe
  C:\Windows\System32\AfbhqVt.exe
  2⤵
  PID:5416
- C:\Windows\System32\Ngnlavj.exe
  C:\Windows\System32\Ngnlavj.exe
  2⤵
  PID:5448
- C:\Windows\System32\tpKzPyd.exe
  C:\Windows\System32\tpKzPyd.exe
  2⤵
  PID:5480
- C:\Windows\System32\svEUhnF.exe
  C:\Windows\System32\svEUhnF.exe
  2⤵
  PID:5500
- C:\Windows\System32\PAhQXnH.exe
  C:\Windows\System32\PAhQXnH.exe
  2⤵
  PID:5536
- C:\Windows\System32\Jkdchms.exe
  C:\Windows\System32\Jkdchms.exe
  2⤵
  PID:5560
- C:\Windows\System32\ZODktge.exe
  C:\Windows\System32\ZODktge.exe
  2⤵
  PID:5584
- C:\Windows\System32\cLrmyKY.exe
  C:\Windows\System32\cLrmyKY.exe
  2⤵
  PID:5616
- C:\Windows\System32\IixGubo.exe
  C:\Windows\System32\IixGubo.exe
  2⤵
  PID:5648
- C:\Windows\System32\cYTwnaW.exe
  C:\Windows\System32\cYTwnaW.exe
  2⤵
  PID:5668
- C:\Windows\System32\AePMNHD.exe
  C:\Windows\System32\AePMNHD.exe
  2⤵
  PID:5704
- C:\Windows\System32\rHOPQYw.exe
  C:\Windows\System32\rHOPQYw.exe
  2⤵
  PID:5728
- C:\Windows\System32\hOPCpjG.exe
  C:\Windows\System32\hOPCpjG.exe
  2⤵
  PID:5756
- C:\Windows\System32\nzOajYL.exe
  C:\Windows\System32\nzOajYL.exe
  2⤵
  PID:5780
- C:\Windows\System32\myITcQc.exe
  C:\Windows\System32\myITcQc.exe
  2⤵
  PID:5816
- C:\Windows\System32\qdBfxlE.exe
  C:\Windows\System32\qdBfxlE.exe
  2⤵
  PID:5836
- C:\Windows\System32\maDtPKH.exe
  C:\Windows\System32\maDtPKH.exe
  2⤵
  PID:5872
- C:\Windows\System32\phLQlBU.exe
  C:\Windows\System32\phLQlBU.exe
  2⤵
  PID:5896
- C:\Windows\System32\RdpMqBf.exe
  C:\Windows\System32\RdpMqBf.exe
  2⤵
  PID:5920
- C:\Windows\System32\pfQHgTZ.exe
  C:\Windows\System32\pfQHgTZ.exe
  2⤵
  PID:5952
- C:\Windows\System32\wltwJPi.exe
  C:\Windows\System32\wltwJPi.exe
  2⤵
  PID:6008
- C:\Windows\System32\gUUBcbT.exe
  C:\Windows\System32\gUUBcbT.exe
  2⤵
  PID:6056
- C:\Windows\System32\LzjEKva.exe
  C:\Windows\System32\LzjEKva.exe
  2⤵
  PID:6076
- C:\Windows\System32\RgENsxG.exe
  C:\Windows\System32\RgENsxG.exe
  2⤵
  PID:6104
- C:\Windows\System32\MsVrchd.exe
  C:\Windows\System32\MsVrchd.exe
  2⤵
  PID:4616
- C:\Windows\System32\wLHvHxg.exe
  C:\Windows\System32\wLHvHxg.exe
  2⤵
  PID:3600
- C:\Windows\System32\mFdPLKV.exe
  C:\Windows\System32\mFdPLKV.exe
  2⤵
  PID:4844
- C:\Windows\System32\cjPNrpL.exe
  C:\Windows\System32\cjPNrpL.exe
  2⤵
  PID:5168
- C:\Windows\System32\jzIDLgw.exe
  C:\Windows\System32\jzIDLgw.exe
  2⤵
  PID:5204
- C:\Windows\System32\deZZLaR.exe
  C:\Windows\System32\deZZLaR.exe
  2⤵
  PID:5240
- C:\Windows\System32\JFhKmLY.exe
  C:\Windows\System32\JFhKmLY.exe
  2⤵
  PID:5296
- C:\Windows\System32\ebkwRAo.exe
  C:\Windows\System32\ebkwRAo.exe
  2⤵
  PID:5352
- C:\Windows\System32\AtEOUGa.exe
  C:\Windows\System32\AtEOUGa.exe
  2⤵
  PID:5404
- C:\Windows\System32\OLMRwty.exe
  C:\Windows\System32\OLMRwty.exe
  2⤵
  PID:5440
- C:\Windows\System32\WIVloeF.exe
  C:\Windows\System32\WIVloeF.exe
  2⤵
  PID:5464
- C:\Windows\System32\BXRdaDk.exe
  C:\Windows\System32\BXRdaDk.exe
  2⤵
  PID:5492
- C:\Windows\System32\MaZFdEU.exe
  C:\Windows\System32\MaZFdEU.exe
  2⤵
  PID:3128
- C:\Windows\System32\folQGhz.exe
  C:\Windows\System32\folQGhz.exe
  2⤵
  PID:5680
- C:\Windows\System32\EvrAydU.exe
  C:\Windows\System32\EvrAydU.exe
  2⤵
  PID:3396
- C:\Windows\System32\PhcKIRS.exe
  C:\Windows\System32\PhcKIRS.exe
  2⤵
  PID:1500
- C:\Windows\System32\iTGgsUQ.exe
  C:\Windows\System32\iTGgsUQ.exe
  2⤵
  PID:5828
- C:\Windows\System32\jlaLecZ.exe
  C:\Windows\System32\jlaLecZ.exe
  2⤵
  PID:5916
- C:\Windows\System32\mcmwYuM.exe
  C:\Windows\System32\mcmwYuM.exe
  2⤵
  PID:2876
- C:\Windows\System32\SkHKdjX.exe
  C:\Windows\System32\SkHKdjX.exe
  2⤵
  PID:4312
- C:\Windows\System32\ZayuRNK.exe
  C:\Windows\System32\ZayuRNK.exe
  2⤵
  PID:3524
- C:\Windows\System32\semqjGb.exe
  C:\Windows\System32\semqjGb.exe
  2⤵
  PID:6024
- C:\Windows\System32\culllxz.exe
  C:\Windows\System32\culllxz.exe
  2⤵
  PID:6092
- C:\Windows\System32\mAOgQxL.exe
  C:\Windows\System32\mAOgQxL.exe
  2⤵
  PID:6124
- C:\Windows\System32\NAlJspz.exe
  C:\Windows\System32\NAlJspz.exe
  2⤵
  PID:6096
- C:\Windows\System32\TxLJJlG.exe
  C:\Windows\System32\TxLJJlG.exe
  2⤵
  PID:4332
- C:\Windows\System32\lvgJosZ.exe
  C:\Windows\System32\lvgJosZ.exe
  2⤵
  PID:2836
- C:\Windows\System32\hIcVAka.exe
  C:\Windows\System32\hIcVAka.exe
  2⤵
  PID:5376
- C:\Windows\System32\xKWJXJh.exe
  C:\Windows\System32\xKWJXJh.exe
  2⤵
  PID:5328
- C:\Windows\System32\WhoCtCU.exe
  C:\Windows\System32\WhoCtCU.exe
  2⤵
  PID:5384
- C:\Windows\System32\wIOplOh.exe
  C:\Windows\System32\wIOplOh.exe
  2⤵
  PID:5524
- C:\Windows\System32\AWgWlWe.exe
  C:\Windows\System32\AWgWlWe.exe
  2⤵
  PID:5572
- C:\Windows\System32\NTObBwc.exe
  C:\Windows\System32\NTObBwc.exe
  2⤵
  PID:5852
- C:\Windows\System32\HTYwepT.exe
  C:\Windows\System32\HTYwepT.exe
  2⤵
  PID:5316
- C:\Windows\System32\sSQoKoQ.exe
  C:\Windows\System32\sSQoKoQ.exe
  2⤵
  PID:3480
- C:\Windows\System32\TdKxRhK.exe
  C:\Windows\System32\TdKxRhK.exe
  2⤵
  PID:3048
- C:\Windows\System32\GleEOcZ.exe
  C:\Windows\System32\GleEOcZ.exe
  2⤵
  PID:1728
- C:\Windows\System32\zsDONSF.exe
  C:\Windows\System32\zsDONSF.exe
  2⤵
  PID:2552
- C:\Windows\System32\uoDuvpp.exe
  C:\Windows\System32\uoDuvpp.exe
  2⤵
  PID:6004
- C:\Windows\System32\pFjccVU.exe
  C:\Windows\System32\pFjccVU.exe
  2⤵
  PID:400
- C:\Windows\System32\SEHWhRW.exe
  C:\Windows\System32\SEHWhRW.exe
  2⤵
  PID:2252
- C:\Windows\System32\LkZXctg.exe
  C:\Windows\System32\LkZXctg.exe
  2⤵
  PID:5804
- C:\Windows\System32\uMrxupY.exe
  C:\Windows\System32\uMrxupY.exe
  2⤵
  PID:6048
- C:\Windows\System32\IaWNBxs.exe
  C:\Windows\System32\IaWNBxs.exe
  2⤵
  PID:5184
- C:\Windows\System32\cjgiFNC.exe
  C:\Windows\System32\cjgiFNC.exe
  2⤵
  PID:5152
- C:\Windows\System32\AIwpiid.exe
  C:\Windows\System32\AIwpiid.exe
  2⤵
  PID:5832
- C:\Windows\System32\WmQmeFz.exe
  C:\Windows\System32\WmQmeFz.exe
  2⤵
  PID:6152
- C:\Windows\System32\FDLUBJT.exe
  C:\Windows\System32\FDLUBJT.exe
  2⤵
  PID:6168
- C:\Windows\System32\XRZbiBz.exe
  C:\Windows\System32\XRZbiBz.exe
  2⤵
  PID:6188
- C:\Windows\System32\avfqYrf.exe
  C:\Windows\System32\avfqYrf.exe
  2⤵
  PID:6232
- C:\Windows\System32\zdciGaU.exe
  C:\Windows\System32\zdciGaU.exe
  2⤵
  PID:6272
- C:\Windows\System32\XWKQslj.exe
  C:\Windows\System32\XWKQslj.exe
  2⤵
  PID:6288
- C:\Windows\System32\jdogxha.exe
  C:\Windows\System32\jdogxha.exe
  2⤵
  PID:6320
- C:\Windows\System32\nXLaqcp.exe
  C:\Windows\System32\nXLaqcp.exe
  2⤵
  PID:6356
- C:\Windows\System32\SVrxjUq.exe
  C:\Windows\System32\SVrxjUq.exe
  2⤵
  PID:6384
- C:\Windows\System32\igmcjri.exe
  C:\Windows\System32\igmcjri.exe
  2⤵
  PID:6444
- C:\Windows\System32\ElCCpmz.exe
  C:\Windows\System32\ElCCpmz.exe
  2⤵
  PID:6472
- C:\Windows\System32\MmUBfsj.exe
  C:\Windows\System32\MmUBfsj.exe
  2⤵
  PID:6500
- C:\Windows\System32\kjkgwrg.exe
  C:\Windows\System32\kjkgwrg.exe
  2⤵
  PID:6528
- C:\Windows\System32\QjbHrlG.exe
  C:\Windows\System32\QjbHrlG.exe
  2⤵
  PID:6556
- C:\Windows\System32\fvaUKff.exe
  C:\Windows\System32\fvaUKff.exe
  2⤵
  PID:6588
- C:\Windows\System32\NGwKIwi.exe
  C:\Windows\System32\NGwKIwi.exe
  2⤵
  PID:6604
- C:\Windows\System32\tTREljt.exe
  C:\Windows\System32\tTREljt.exe
  2⤵
  PID:6628
- C:\Windows\System32\XgTpfrp.exe
  C:\Windows\System32\XgTpfrp.exe
  2⤵
  PID:6652
- C:\Windows\System32\nuwFQdI.exe
  C:\Windows\System32\nuwFQdI.exe
  2⤵
  PID:6672
- C:\Windows\System32\ILCgfYP.exe
  C:\Windows\System32\ILCgfYP.exe
  2⤵
  PID:6712
- C:\Windows\System32\TGXJbVT.exe
  C:\Windows\System32\TGXJbVT.exe
  2⤵
  PID:6732
- C:\Windows\System32\qLdmzeO.exe
  C:\Windows\System32\qLdmzeO.exe
  2⤵
  PID:6768
- C:\Windows\System32\NupAOdT.exe
  C:\Windows\System32\NupAOdT.exe
  2⤵
  PID:6808
- C:\Windows\System32\ejbhoWU.exe
  C:\Windows\System32\ejbhoWU.exe
  2⤵
  PID:6824
- C:\Windows\System32\JIchbIy.exe
  C:\Windows\System32\JIchbIy.exe
  2⤵
  PID:6840
- C:\Windows\System32\LoUMJja.exe
  C:\Windows\System32\LoUMJja.exe
  2⤵
  PID:6868
- C:\Windows\System32\TrzdYks.exe
  C:\Windows\System32\TrzdYks.exe
  2⤵
  PID:6888
- C:\Windows\System32\hgyBEOC.exe
  C:\Windows\System32\hgyBEOC.exe
  2⤵
  PID:6952
- C:\Windows\System32\eoUEcnX.exe
  C:\Windows\System32\eoUEcnX.exe
  2⤵
  PID:6976
- C:\Windows\System32\phLibeZ.exe
  C:\Windows\System32\phLibeZ.exe
  2⤵
  PID:7000
- C:\Windows\System32\lFnBXQF.exe
  C:\Windows\System32\lFnBXQF.exe
  2⤵
  PID:7036
- C:\Windows\System32\gvEPOlS.exe
  C:\Windows\System32\gvEPOlS.exe
  2⤵
  PID:7064
- C:\Windows\System32\uBnvJVl.exe
  C:\Windows\System32\uBnvJVl.exe
  2⤵
  PID:7084
- C:\Windows\System32\bjMPlgb.exe
  C:\Windows\System32\bjMPlgb.exe
  2⤵
  PID:7112
- C:\Windows\System32\gtHJfju.exe
  C:\Windows\System32\gtHJfju.exe
  2⤵
  PID:7128
- C:\Windows\System32\ojwZTJQ.exe
  C:\Windows\System32\ojwZTJQ.exe
  2⤵
  PID:7156
- C:\Windows\System32\SRotMsf.exe
  C:\Windows\System32\SRotMsf.exe
  2⤵
  PID:5108
- C:\Windows\System32\qAGBCHG.exe
  C:\Windows\System32\qAGBCHG.exe
  2⤵
  PID:6160
- C:\Windows\System32\EzVDHyf.exe
  C:\Windows\System32\EzVDHyf.exe
  2⤵
  PID:6240
- C:\Windows\System32\QvaPnYp.exe
  C:\Windows\System32\QvaPnYp.exe
  2⤵
  PID:6364
- C:\Windows\System32\aFenkyn.exe
  C:\Windows\System32\aFenkyn.exe
  2⤵
  PID:6432
- C:\Windows\System32\KMwKnRk.exe
  C:\Windows\System32\KMwKnRk.exe
  2⤵
  PID:6468
- C:\Windows\System32\DAGEAkf.exe
  C:\Windows\System32\DAGEAkf.exe
  2⤵
  PID:6496
- C:\Windows\System32\WZrxtKi.exe
  C:\Windows\System32\WZrxtKi.exe
  2⤵
  PID:6552
- C:\Windows\System32\olRmrPN.exe
  C:\Windows\System32\olRmrPN.exe
  2⤵
  PID:6616
- C:\Windows\System32\DvoRfSd.exe
  C:\Windows\System32\DvoRfSd.exe
  2⤵
  PID:6660
- C:\Windows\System32\xIKiJnp.exe
  C:\Windows\System32\xIKiJnp.exe
  2⤵
  PID:6708
- C:\Windows\System32\FVkWwfY.exe
  C:\Windows\System32\FVkWwfY.exe
  2⤵
  PID:6700
- C:\Windows\System32\TRXfxpU.exe
  C:\Windows\System32\TRXfxpU.exe
  2⤵
  PID:6752
- C:\Windows\System32\zIvAnQW.exe
  C:\Windows\System32\zIvAnQW.exe
  2⤵
  PID:6820
- C:\Windows\System32\bdbxVIq.exe
  C:\Windows\System32\bdbxVIq.exe
  2⤵
  PID:6912
- C:\Windows\System32\mTUxGZF.exe
  C:\Windows\System32\mTUxGZF.exe
  2⤵
  PID:6960
- C:\Windows\System32\zyCNVTk.exe
  C:\Windows\System32\zyCNVTk.exe
  2⤵
  PID:6148
- C:\Windows\System32\STMciVm.exe
  C:\Windows\System32\STMciVm.exe
  2⤵
  PID:6204
- C:\Windows\System32\hzccEpS.exe
  C:\Windows\System32\hzccEpS.exe
  2⤵
  PID:6492
- C:\Windows\System32\QibWGgv.exe
  C:\Windows\System32\QibWGgv.exe
  2⤵
  PID:6544
- C:\Windows\System32\lFMNPrt.exe
  C:\Windows\System32\lFMNPrt.exe
  2⤵
  PID:6644
- C:\Windows\System32\TGudwGi.exe
  C:\Windows\System32\TGudwGi.exe
  2⤵
  PID:6740
- C:\Windows\System32\OoJXTHf.exe
  C:\Windows\System32\OoJXTHf.exe
  2⤵
  PID:6796
- C:\Windows\System32\UTScGop.exe
  C:\Windows\System32\UTScGop.exe
  2⤵
  PID:6948
- C:\Windows\System32\VgAaiUZ.exe
  C:\Windows\System32\VgAaiUZ.exe
  2⤵
  PID:6164
- C:\Windows\System32\iQllehv.exe
  C:\Windows\System32\iQllehv.exe
  2⤵
  PID:6344
- C:\Windows\System32\IOXrkTr.exe
  C:\Windows\System32\IOXrkTr.exe
  2⤵
  PID:6516
- C:\Windows\System32\HxHrRmt.exe
  C:\Windows\System32\HxHrRmt.exe
  2⤵
  PID:6664
- C:\Windows\System32\stDcmcZ.exe
  C:\Windows\System32\stDcmcZ.exe
  2⤵
  PID:7028
- C:\Windows\System32\ffjLdMx.exe
  C:\Windows\System32\ffjLdMx.exe
  2⤵
  PID:6612
- C:\Windows\System32\LgHAAgH.exe
  C:\Windows\System32\LgHAAgH.exe
  2⤵
  PID:7180
- C:\Windows\System32\duzoNYt.exe
  C:\Windows\System32\duzoNYt.exe
  2⤵
  PID:7212
- C:\Windows\System32\xNtpKkI.exe
  C:\Windows\System32\xNtpKkI.exe
  2⤵
  PID:7232
- C:\Windows\System32\oPshXDU.exe
  C:\Windows\System32\oPshXDU.exe
  2⤵
  PID:7276
- C:\Windows\System32\YwXopaI.exe
  C:\Windows\System32\YwXopaI.exe
  2⤵
  PID:7332
- C:\Windows\System32\zwBAqEm.exe
  C:\Windows\System32\zwBAqEm.exe
  2⤵
  PID:7348
- C:\Windows\System32\QwVXLNZ.exe
  C:\Windows\System32\QwVXLNZ.exe
  2⤵
  PID:7396
- C:\Windows\System32\CBKaTln.exe
  C:\Windows\System32\CBKaTln.exe
  2⤵
  PID:7448
- C:\Windows\System32\nmOfHoD.exe
  C:\Windows\System32\nmOfHoD.exe
  2⤵
  PID:7480
- C:\Windows\System32\vjobpTM.exe
  C:\Windows\System32\vjobpTM.exe
  2⤵
  PID:7496
- C:\Windows\System32\rCzSkPI.exe
  C:\Windows\System32\rCzSkPI.exe
  2⤵
  PID:7524
- C:\Windows\System32\AqcDbks.exe
  C:\Windows\System32\AqcDbks.exe
  2⤵
  PID:7552
- C:\Windows\System32\mhEqcSP.exe
  C:\Windows\System32\mhEqcSP.exe
  2⤵
  PID:7580
- C:\Windows\System32\hiElZBz.exe
  C:\Windows\System32\hiElZBz.exe
  2⤵
  PID:7600
- C:\Windows\System32\JuUXroD.exe
  C:\Windows\System32\JuUXroD.exe
  2⤵
  PID:7624
- C:\Windows\System32\IBvHMBv.exe
  C:\Windows\System32\IBvHMBv.exe
  2⤵
  PID:7652
- C:\Windows\System32\ILezoJU.exe
  C:\Windows\System32\ILezoJU.exe
  2⤵
  PID:7676
- C:\Windows\System32\qOvpXtb.exe
  C:\Windows\System32\qOvpXtb.exe
  2⤵
  PID:7696
- C:\Windows\System32\PAmhEkl.exe
  C:\Windows\System32\PAmhEkl.exe
  2⤵
  PID:7712
- C:\Windows\System32\HGifGRx.exe
  C:\Windows\System32\HGifGRx.exe
  2⤵
  PID:7740
- C:\Windows\System32\alHzXsN.exe
  C:\Windows\System32\alHzXsN.exe
  2⤵
  PID:7820
- C:\Windows\System32\CeJetVh.exe
  C:\Windows\System32\CeJetVh.exe
  2⤵
  PID:7840
- C:\Windows\System32\oZSQLiE.exe
  C:\Windows\System32\oZSQLiE.exe
  2⤵
  PID:7856
- C:\Windows\System32\UCZKShs.exe
  C:\Windows\System32\UCZKShs.exe
  2⤵
  PID:7884
- C:\Windows\System32\UBVoAYp.exe
  C:\Windows\System32\UBVoAYp.exe
  2⤵
  PID:7920
- C:\Windows\System32\bVWwAjo.exe
  C:\Windows\System32\bVWwAjo.exe
  2⤵
  PID:7940
- C:\Windows\System32\ZEvyxkb.exe
  C:\Windows\System32\ZEvyxkb.exe
  2⤵
  PID:7972
- C:\Windows\System32\CDgnnKf.exe
  C:\Windows\System32\CDgnnKf.exe
  2⤵
  PID:8008
- C:\Windows\System32\dlFyXTy.exe
  C:\Windows\System32\dlFyXTy.exe
  2⤵
  PID:8024
- C:\Windows\System32\AKcVIID.exe
  C:\Windows\System32\AKcVIID.exe
  2⤵
  PID:8052
- C:\Windows\System32\RepTXOf.exe
  C:\Windows\System32\RepTXOf.exe
  2⤵
  PID:8084
- C:\Windows\System32\mfJlVum.exe
  C:\Windows\System32\mfJlVum.exe
  2⤵
  PID:8124
- C:\Windows\System32\rDqyVWI.exe
  C:\Windows\System32\rDqyVWI.exe
  2⤵
  PID:8148
- C:\Windows\System32\KFJHwbt.exe
  C:\Windows\System32\KFJHwbt.exe
  2⤵
  PID:8176
- C:\Windows\System32\vQlLuqY.exe
  C:\Windows\System32\vQlLuqY.exe
  2⤵
  PID:6428
- C:\Windows\System32\wvYkcXz.exe
  C:\Windows\System32\wvYkcXz.exe
  2⤵
  PID:7172
- C:\Windows\System32\Hdfbbjz.exe
  C:\Windows\System32\Hdfbbjz.exe
  2⤵
  PID:7288
- C:\Windows\System32\LhaGcxF.exe
  C:\Windows\System32\LhaGcxF.exe
  2⤵
  PID:7316
- C:\Windows\System32\rrttgXz.exe
  C:\Windows\System32\rrttgXz.exe
  2⤵
  PID:7356
- C:\Windows\System32\yGrZftQ.exe
  C:\Windows\System32\yGrZftQ.exe
  2⤵
  PID:7472
- C:\Windows\System32\nnGTgBI.exe
  C:\Windows\System32\nnGTgBI.exe
  2⤵
  PID:7564
- C:\Windows\System32\HXWkEYf.exe
  C:\Windows\System32\HXWkEYf.exe
  2⤵
  PID:7612
- C:\Windows\System32\DBuBfpQ.exe
  C:\Windows\System32\DBuBfpQ.exe
  2⤵
  PID:7688
- C:\Windows\System32\KifFqOx.exe
  C:\Windows\System32\KifFqOx.exe
  2⤵
  PID:7764
- C:\Windows\System32\rbmxQIA.exe
  C:\Windows\System32\rbmxQIA.exe
  2⤵
  PID:7828
- C:\Windows\System32\zXBcoLD.exe
  C:\Windows\System32\zXBcoLD.exe
  2⤵
  PID:7904
- C:\Windows\System32\ESeltUn.exe
  C:\Windows\System32\ESeltUn.exe
  2⤵
  PID:7892
- C:\Windows\System32\iEztrpR.exe
  C:\Windows\System32\iEztrpR.exe
  2⤵
  PID:7984
- C:\Windows\System32\udyjYJE.exe
  C:\Windows\System32\udyjYJE.exe
  2⤵
  PID:8032
- C:\Windows\System32\DGiuunn.exe
  C:\Windows\System32\DGiuunn.exe
  2⤵
  PID:8100
- C:\Windows\System32\tfhkhRO.exe
  C:\Windows\System32\tfhkhRO.exe
  2⤵
  PID:8132
- C:\Windows\System32\EUZLjKB.exe
  C:\Windows\System32\EUZLjKB.exe
  2⤵
  PID:6996
- C:\Windows\System32\YBWuUAd.exe
  C:\Windows\System32\YBWuUAd.exe
  2⤵
  PID:7324
- C:\Windows\System32\VenhFcH.exe
  C:\Windows\System32\VenhFcH.exe
  2⤵
  PID:7412
- C:\Windows\System32\eqeUnie.exe
  C:\Windows\System32\eqeUnie.exe
  2⤵
  PID:7596
- C:\Windows\System32\vMJkSRv.exe
  C:\Windows\System32\vMJkSRv.exe
  2⤵
  PID:7864
- C:\Windows\System32\AzuYkNt.exe
  C:\Windows\System32\AzuYkNt.exe
  2⤵
  PID:8044
- C:\Windows\System32\KdFKjsT.exe
  C:\Windows\System32\KdFKjsT.exe
  2⤵
  PID:8140
- C:\Windows\System32\lROskiF.exe
  C:\Windows\System32\lROskiF.exe
  2⤵
  PID:7440
- C:\Windows\System32\yNMSpOP.exe
  C:\Windows\System32\yNMSpOP.exe
  2⤵
  PID:7936
- C:\Windows\System32\jiHWRXe.exe
  C:\Windows\System32\jiHWRXe.exe
  2⤵
  PID:8168
- C:\Windows\System32\dDjUSVT.exe
  C:\Windows\System32\dDjUSVT.exe
  2⤵
  PID:7932
- C:\Windows\System32\ZsVGKET.exe
  C:\Windows\System32\ZsVGKET.exe
  2⤵
  PID:8228
- C:\Windows\System32\ERkUouS.exe
  C:\Windows\System32\ERkUouS.exe
  2⤵
  PID:8244
- C:\Windows\System32\ltclXNA.exe
  C:\Windows\System32\ltclXNA.exe
  2⤵
  PID:8272
- C:\Windows\System32\CHFWejc.exe
  C:\Windows\System32\CHFWejc.exe
  2⤵
  PID:8300
- C:\Windows\System32\PWzvmFK.exe
  C:\Windows\System32\PWzvmFK.exe
  2⤵
  PID:8324
- C:\Windows\System32\mjJyPvl.exe
  C:\Windows\System32\mjJyPvl.exe
  2⤵
  PID:8356
- C:\Windows\System32\NtmiYGc.exe
  C:\Windows\System32\NtmiYGc.exe
  2⤵
  PID:8404
- C:\Windows\System32\yvMIAaJ.exe
  C:\Windows\System32\yvMIAaJ.exe
  2⤵
  PID:8424
- C:\Windows\System32\fhydWUc.exe
  C:\Windows\System32\fhydWUc.exe
  2⤵
  PID:8440
- C:\Windows\System32\mvgqESa.exe
  C:\Windows\System32\mvgqESa.exe
  2⤵
  PID:8468
- C:\Windows\System32\ArWAVnh.exe
  C:\Windows\System32\ArWAVnh.exe
  2⤵
  PID:8492
- C:\Windows\System32\JHqRaQp.exe
  C:\Windows\System32\JHqRaQp.exe
  2⤵
  PID:8508
- C:\Windows\System32\pnTCFDK.exe
  C:\Windows\System32\pnTCFDK.exe
  2⤵
  PID:8560
- C:\Windows\System32\PsIvxUu.exe
  C:\Windows\System32\PsIvxUu.exe
  2⤵
  PID:8584
- C:\Windows\System32\lNGXVoJ.exe
  C:\Windows\System32\lNGXVoJ.exe
  2⤵
  PID:8616
- C:\Windows\System32\ZiBKAIf.exe
  C:\Windows\System32\ZiBKAIf.exe
  2⤵
  PID:8648
- C:\Windows\System32\LxvPFqH.exe
  C:\Windows\System32\LxvPFqH.exe
  2⤵
  PID:8664
- C:\Windows\System32\hzrrLWr.exe
  C:\Windows\System32\hzrrLWr.exe
  2⤵
  PID:8688
- C:\Windows\System32\afHhnLB.exe
  C:\Windows\System32\afHhnLB.exe
  2⤵
  PID:8732
- C:\Windows\System32\VpzyKnM.exe
  C:\Windows\System32\VpzyKnM.exe
  2⤵
  PID:8756
- C:\Windows\System32\fsdDgOd.exe
  C:\Windows\System32\fsdDgOd.exe
  2⤵
  PID:8784
- C:\Windows\System32\BgewBMJ.exe
  C:\Windows\System32\BgewBMJ.exe
  2⤵
  PID:8820
- C:\Windows\System32\XfNsOjm.exe
  C:\Windows\System32\XfNsOjm.exe
  2⤵
  PID:8980
- C:\Windows\System32\vaoupzd.exe
  C:\Windows\System32\vaoupzd.exe
  2⤵
  PID:8996
- C:\Windows\System32\fNKXPuf.exe
  C:\Windows\System32\fNKXPuf.exe
  2⤵
  PID:9016
- C:\Windows\System32\AFqCoaM.exe
  C:\Windows\System32\AFqCoaM.exe
  2⤵
  PID:9036
- C:\Windows\System32\ehVAElg.exe
  C:\Windows\System32\ehVAElg.exe
  2⤵
  PID:9060
- C:\Windows\System32\SdFUbKm.exe
  C:\Windows\System32\SdFUbKm.exe
  2⤵
  PID:9120
- C:\Windows\System32\MeftbXy.exe
  C:\Windows\System32\MeftbXy.exe
  2⤵
  PID:9148
- C:\Windows\System32\gwwoKUB.exe
  C:\Windows\System32\gwwoKUB.exe
  2⤵
  PID:9168
- C:\Windows\System32\MurmBxV.exe
  C:\Windows\System32\MurmBxV.exe
  2⤵
  PID:9184
- C:\Windows\System32\orUhbzC.exe
  C:\Windows\System32\orUhbzC.exe
  2⤵
  PID:9208
- C:\Windows\System32\HGvHAIF.exe
  C:\Windows\System32\HGvHAIF.exe
  2⤵
  PID:6460
- C:\Windows\System32\QzOBKMU.exe
  C:\Windows\System32\QzOBKMU.exe
  2⤵
  PID:8268
- C:\Windows\System32\nBATUTu.exe
  C:\Windows\System32\nBATUTu.exe
  2⤵
  PID:8340
- C:\Windows\System32\imYtYXW.exe
  C:\Windows\System32\imYtYXW.exe
  2⤵
  PID:8436
- C:\Windows\System32\TLPoWuL.exe
  C:\Windows\System32\TLPoWuL.exe
  2⤵
  PID:8464
- C:\Windows\System32\vBgTEJY.exe
  C:\Windows\System32\vBgTEJY.exe
  2⤵
  PID:8476
- C:\Windows\System32\eIPEgfN.exe
  C:\Windows\System32\eIPEgfN.exe
  2⤵
  PID:8604
- C:\Windows\System32\SIHvLQH.exe
  C:\Windows\System32\SIHvLQH.exe
  2⤵
  PID:8704
- C:\Windows\System32\tcPLCud.exe
  C:\Windows\System32\tcPLCud.exe
  2⤵
  PID:8712
- C:\Windows\System32\hUbqljD.exe
  C:\Windows\System32\hUbqljD.exe
  2⤵
  PID:8808
- C:\Windows\System32\lyJjPCN.exe
  C:\Windows\System32\lyJjPCN.exe
  2⤵
  PID:8884
- C:\Windows\System32\NhAQnfg.exe
  C:\Windows\System32\NhAQnfg.exe
  2⤵
  PID:8860
- C:\Windows\System32\JHUzBqy.exe
  C:\Windows\System32\JHUzBqy.exe
  2⤵
  PID:8932
- C:\Windows\System32\TcMlFfu.exe
  C:\Windows\System32\TcMlFfu.exe
  2⤵
  PID:8912
- C:\Windows\System32\qjuLSEy.exe
  C:\Windows\System32\qjuLSEy.exe
  2⤵
  PID:8944
- C:\Windows\System32\ZGqUyiA.exe
  C:\Windows\System32\ZGqUyiA.exe
  2⤵
  PID:9056
- C:\Windows\System32\zOUjZBq.exe
  C:\Windows\System32\zOUjZBq.exe
  2⤵
  PID:9104
- C:\Windows\System32\hkPgMee.exe
  C:\Windows\System32\hkPgMee.exe
  2⤵
  PID:9204
- C:\Windows\System32\AdQFbnb.exe
  C:\Windows\System32\AdQFbnb.exe
  2⤵
  PID:8236
- C:\Windows\System32\JjobdNW.exe
  C:\Windows\System32\JjobdNW.exe
  2⤵
  PID:8292
- C:\Windows\System32\nZdBXGI.exe
  C:\Windows\System32\nZdBXGI.exe
  2⤵
  PID:8448
- C:\Windows\System32\TTMOoci.exe
  C:\Windows\System32\TTMOoci.exe
  2⤵
  PID:8544
- C:\Windows\System32\HVMiqfn.exe
  C:\Windows\System32\HVMiqfn.exe
  2⤵
  PID:8740
- C:\Windows\System32\pKESNcr.exe
  C:\Windows\System32\pKESNcr.exe
  2⤵
  PID:8956
- C:\Windows\System32\sCETfiE.exe
  C:\Windows\System32\sCETfiE.exe
  2⤵
  PID:8988
- C:\Windows\System32\cIRZpbW.exe
  C:\Windows\System32\cIRZpbW.exe
  2⤵
  PID:9068
- C:\Windows\System32\bdJeOlU.exe
  C:\Windows\System32\bdJeOlU.exe
  2⤵
  PID:9144
- C:\Windows\System32\mDcUAll.exe
  C:\Windows\System32\mDcUAll.exe
  2⤵
  PID:7568
- C:\Windows\System32\sfYlHrv.exe
  C:\Windows\System32\sfYlHrv.exe
  2⤵
  PID:8816
- C:\Windows\System32\baxDBUk.exe
  C:\Windows\System32\baxDBUk.exe
  2⤵
  PID:8208
- C:\Windows\System32\LYIzXrR.exe
  C:\Windows\System32\LYIzXrR.exe
  2⤵
  PID:8672
- C:\Windows\System32\HiTPUfo.exe
  C:\Windows\System32\HiTPUfo.exe
  2⤵
  PID:9044
- C:\Windows\System32\jBGIeJS.exe
  C:\Windows\System32\jBGIeJS.exe
  2⤵
  PID:9248
- C:\Windows\System32\AkakzHZ.exe
  C:\Windows\System32\AkakzHZ.exe
  2⤵
  PID:9272
- C:\Windows\System32\hOXqtaJ.exe
  C:\Windows\System32\hOXqtaJ.exe
  2⤵
  PID:9304
- C:\Windows\System32\JgOEmDv.exe
  C:\Windows\System32\JgOEmDv.exe
  2⤵
  PID:9328
- C:\Windows\System32\RkuGRxz.exe
  C:\Windows\System32\RkuGRxz.exe
  2⤵
  PID:9356
- C:\Windows\System32\vfZExbC.exe
  C:\Windows\System32\vfZExbC.exe
  2⤵
  PID:9400
- C:\Windows\System32\qzaHQhU.exe
  C:\Windows\System32\qzaHQhU.exe
  2⤵
  PID:9416
- C:\Windows\System32\BzzvAoL.exe
  C:\Windows\System32\BzzvAoL.exe
  2⤵
  PID:9444
- C:\Windows\System32\ciVQNXj.exe
  C:\Windows\System32\ciVQNXj.exe
  2⤵
  PID:9460
- C:\Windows\System32\lZSlnfE.exe
  C:\Windows\System32\lZSlnfE.exe
  2⤵
  PID:9512
- C:\Windows\System32\aXwueyC.exe
  C:\Windows\System32\aXwueyC.exe
  2⤵
  PID:9540
- C:\Windows\System32\gjLOLly.exe
  C:\Windows\System32\gjLOLly.exe
  2⤵
  PID:9556
- C:\Windows\System32\XJzcEmv.exe
  C:\Windows\System32\XJzcEmv.exe
  2⤵
  PID:9584
- C:\Windows\System32\yVbLEJR.exe
  C:\Windows\System32\yVbLEJR.exe
  2⤵
  PID:9608
- C:\Windows\System32\XKVtDWK.exe
  C:\Windows\System32\XKVtDWK.exe
  2⤵
  PID:9624
- C:\Windows\System32\RsLKhLq.exe
  C:\Windows\System32\RsLKhLq.exe
  2⤵
  PID:9668
- C:\Windows\System32\CqgTmRu.exe
  C:\Windows\System32\CqgTmRu.exe
  2⤵
  PID:9696
- C:\Windows\System32\NDwtLxW.exe
  C:\Windows\System32\NDwtLxW.exe
  2⤵
  PID:9724
- C:\Windows\System32\yvmTStm.exe
  C:\Windows\System32\yvmTStm.exe
  2⤵
  PID:9756
- C:\Windows\System32\GaxzSmR.exe
  C:\Windows\System32\GaxzSmR.exe
  2⤵
  PID:9780
- C:\Windows\System32\PAVvAbL.exe
  C:\Windows\System32\PAVvAbL.exe
  2⤵
  PID:9800
- C:\Windows\System32\ZCBqARi.exe
  C:\Windows\System32\ZCBqARi.exe
  2⤵
  PID:9856
- C:\Windows\System32\XBcbzuB.exe
  C:\Windows\System32\XBcbzuB.exe
  2⤵
  PID:9880
- C:\Windows\System32\nHEwGUc.exe
  C:\Windows\System32\nHEwGUc.exe
  2⤵
  PID:9900
- C:\Windows\System32\QNpznWL.exe
  C:\Windows\System32\QNpznWL.exe
  2⤵
  PID:9920
- C:\Windows\System32\ldUgMWe.exe
  C:\Windows\System32\ldUgMWe.exe
  2⤵
  PID:9956
- C:\Windows\System32\Wlvfrzj.exe
  C:\Windows\System32\Wlvfrzj.exe
  2⤵
  PID:9976
- C:\Windows\System32\qAesGWl.exe
  C:\Windows\System32\qAesGWl.exe
  2⤵
  PID:10000
- C:\Windows\System32\XlszMGk.exe
  C:\Windows\System32\XlszMGk.exe
  2⤵
  PID:10076
- C:\Windows\System32\MkDNaCs.exe
  C:\Windows\System32\MkDNaCs.exe
  2⤵
  PID:10092
- C:\Windows\System32\nsSEESq.exe
  C:\Windows\System32\nsSEESq.exe
  2⤵
  PID:10116
- C:\Windows\System32\gNlCsAg.exe
  C:\Windows\System32\gNlCsAg.exe
  2⤵
  PID:10136
- C:\Windows\System32\xVaPegk.exe
  C:\Windows\System32\xVaPegk.exe
  2⤵
  PID:10164
- C:\Windows\System32\zAocsER.exe
  C:\Windows\System32\zAocsER.exe
  2⤵
  PID:10196
- C:\Windows\System32\adxhldu.exe
  C:\Windows\System32\adxhldu.exe
  2⤵
  PID:10212
- C:\Windows\System32\vCSjYPX.exe
  C:\Windows\System32\vCSjYPX.exe
  2⤵
  PID:9256
- C:\Windows\System32\iciKDOG.exe
  C:\Windows\System32\iciKDOG.exe
  2⤵
  PID:9312
- C:\Windows\System32\ZmnTlMW.exe
  C:\Windows\System32\ZmnTlMW.exe
  2⤵
  PID:9340
- C:\Windows\System32\YdjPnqW.exe
  C:\Windows\System32\YdjPnqW.exe
  2⤵
  PID:9380
- C:\Windows\System32\RYZbLsV.exe
  C:\Windows\System32\RYZbLsV.exe
  2⤵
  PID:9452
- C:\Windows\System32\JwbSFuj.exe
  C:\Windows\System32\JwbSFuj.exe
  2⤵
  PID:9492
- C:\Windows\System32\FjPKhhU.exe
  C:\Windows\System32\FjPKhhU.exe
  2⤵
  PID:9552
- C:\Windows\System32\MHmCOoE.exe
  C:\Windows\System32\MHmCOoE.exe
  2⤵
  PID:9636
- C:\Windows\System32\ttcgWjW.exe
  C:\Windows\System32\ttcgWjW.exe
  2⤵
  PID:9744
- C:\Windows\System32\HZDmZya.exe
  C:\Windows\System32\HZDmZya.exe
  2⤵
  PID:3788
- C:\Windows\System32\pQpdTkb.exe
  C:\Windows\System32\pQpdTkb.exe
  2⤵
  PID:9928
- C:\Windows\System32\sZoiwDO.exe
  C:\Windows\System32\sZoiwDO.exe
  2⤵
  PID:9944
- C:\Windows\System32\GfcjRsE.exe
  C:\Windows\System32\GfcjRsE.exe
  2⤵
  PID:9992
- C:\Windows\System32\XpIhsjn.exe
  C:\Windows\System32\XpIhsjn.exe
  2⤵
  PID:10052
- C:\Windows\System32\vugpThP.exe
  C:\Windows\System32\vugpThP.exe
  2⤵
  PID:10148
- C:\Windows\System32\SwofyeO.exe
  C:\Windows\System32\SwofyeO.exe
  2⤵
  PID:10208
- C:\Windows\System32\hsHgUxm.exe
  C:\Windows\System32\hsHgUxm.exe
  2⤵
  PID:9300
- C:\Windows\System32\sUVwPvI.exe
  C:\Windows\System32\sUVwPvI.exe
  2⤵
  PID:9428
- C:\Windows\System32\LedepfT.exe
  C:\Windows\System32\LedepfT.exe
  2⤵
  PID:9536
- C:\Windows\System32\JabQRgn.exe
  C:\Windows\System32\JabQRgn.exe
  2⤵
  PID:9648
- C:\Windows\System32\YICFLfl.exe
  C:\Windows\System32\YICFLfl.exe
  2⤵
  PID:9768
- C:\Windows\System32\wSAePrC.exe
  C:\Windows\System32\wSAePrC.exe
  2⤵
  PID:9984
- C:\Windows\System32\DdlwSBg.exe
  C:\Windows\System32\DdlwSBg.exe
  2⤵
  PID:10084
- C:\Windows\System32\oWrPntX.exe
  C:\Windows\System32\oWrPntX.exe
  2⤵
  PID:9180
- C:\Windows\System32\zTpCVss.exe
  C:\Windows\System32\zTpCVss.exe
  2⤵
  PID:9764
- C:\Windows\System32\yjTsszA.exe
  C:\Windows\System32\yjTsszA.exe
  2⤵
  PID:9596
- C:\Windows\System32\WZVMsfl.exe
  C:\Windows\System32\WZVMsfl.exe
  2⤵
  PID:9384
- C:\Windows\System32\qXSmsiq.exe
  C:\Windows\System32\qXSmsiq.exe
  2⤵
  PID:10248
- C:\Windows\System32\ALdAAUU.exe
  C:\Windows\System32\ALdAAUU.exe
  2⤵
  PID:10268
- C:\Windows\System32\WyZihbp.exe
  C:\Windows\System32\WyZihbp.exe
  2⤵
  PID:10304
- C:\Windows\System32\ckQqtjz.exe
  C:\Windows\System32\ckQqtjz.exe
  2⤵
  PID:10344
- C:\Windows\System32\miCDeFO.exe
  C:\Windows\System32\miCDeFO.exe
  2⤵
  PID:10372
- C:\Windows\System32\hrpOKPP.exe
  C:\Windows\System32\hrpOKPP.exe
  2⤵
  PID:10408
- C:\Windows\System32\uslctZP.exe
  C:\Windows\System32\uslctZP.exe
  2⤵
  PID:10424
- C:\Windows\System32\xiXJUAs.exe
  C:\Windows\System32\xiXJUAs.exe
  2⤵
  PID:10444
- C:\Windows\System32\Sqmqekq.exe
  C:\Windows\System32\Sqmqekq.exe
  2⤵
  PID:10484
- C:\Windows\System32\bnTrpck.exe
  C:\Windows\System32\bnTrpck.exe
  2⤵
  PID:10520
- C:\Windows\System32\vquunfj.exe
  C:\Windows\System32\vquunfj.exe
  2⤵
  PID:10540
- C:\Windows\System32\cpguTWE.exe
  C:\Windows\System32\cpguTWE.exe
  2⤵
  PID:10556
- C:\Windows\System32\vewHHHV.exe
  C:\Windows\System32\vewHHHV.exe
  2⤵
  PID:10576
- C:\Windows\System32\FlGsAMU.exe
  C:\Windows\System32\FlGsAMU.exe
  2⤵
  PID:10592
- C:\Windows\System32\obQIMov.exe
  C:\Windows\System32\obQIMov.exe
  2⤵
  PID:10616
- C:\Windows\System32\EBtrqsI.exe
  C:\Windows\System32\EBtrqsI.exe
  2⤵
  PID:10632
- C:\Windows\System32\JUBGaHa.exe
  C:\Windows\System32\JUBGaHa.exe
  2⤵
  PID:10676
- C:\Windows\System32\MTSDrpz.exe
  C:\Windows\System32\MTSDrpz.exe
  2⤵
  PID:10740
- C:\Windows\System32\LnQPnZP.exe
  C:\Windows\System32\LnQPnZP.exe
  2⤵
  PID:10756
- C:\Windows\System32\xDFBREk.exe
  C:\Windows\System32\xDFBREk.exe
  2⤵
  PID:10776
- C:\Windows\System32\gBPxUFk.exe
  C:\Windows\System32\gBPxUFk.exe
  2⤵
  PID:10816
- C:\Windows\System32\ZmusUiP.exe
  C:\Windows\System32\ZmusUiP.exe
  2⤵
  PID:10860
- C:\Windows\System32\KWRNfTp.exe
  C:\Windows\System32\KWRNfTp.exe
  2⤵
  PID:10880
- C:\Windows\System32\qGCXOLL.exe
  C:\Windows\System32\qGCXOLL.exe
  2⤵
  PID:10912
- C:\Windows\System32\vknAhbG.exe
  C:\Windows\System32\vknAhbG.exe
  2⤵
  PID:10944
- C:\Windows\System32\ShwAhpV.exe
  C:\Windows\System32\ShwAhpV.exe
  2⤵
  PID:10964
- C:\Windows\System32\jAuOikX.exe
  C:\Windows\System32\jAuOikX.exe
  2⤵
  PID:10988
- C:\Windows\System32\QCjMWlH.exe
  C:\Windows\System32\QCjMWlH.exe
  2⤵
  PID:11028
- C:\Windows\System32\YMlHRTu.exe
  C:\Windows\System32\YMlHRTu.exe
  2⤵
  PID:11060
- C:\Windows\System32\USCMJvQ.exe
  C:\Windows\System32\USCMJvQ.exe
  2⤵
  PID:11088
- C:\Windows\System32\OZJrSfo.exe
  C:\Windows\System32\OZJrSfo.exe
  2⤵
  PID:11124
- C:\Windows\System32\CfYONuc.exe
  C:\Windows\System32\CfYONuc.exe
  2⤵
  PID:11144
- C:\Windows\System32\GnakxDb.exe
  C:\Windows\System32\GnakxDb.exe
  2⤵
  PID:11172
- C:\Windows\System32\boKyvlV.exe
  C:\Windows\System32\boKyvlV.exe
  2⤵
  PID:11200
- C:\Windows\System32\GcZHHZM.exe
  C:\Windows\System32\GcZHHZM.exe
  2⤵
  PID:11224
- C:\Windows\System32\BrKRBMk.exe
  C:\Windows\System32\BrKRBMk.exe
  2⤵
  PID:11256
- C:\Windows\System32\acJmLhW.exe
  C:\Windows\System32\acJmLhW.exe
  2⤵
  PID:10264
- C:\Windows\System32\SWvtAkp.exe
  C:\Windows\System32\SWvtAkp.exe
  2⤵
  PID:10296
- C:\Windows\System32\VmWrWpH.exe
  C:\Windows\System32\VmWrWpH.exe
  2⤵
  PID:10368
- C:\Windows\System32\PCxadAc.exe
  C:\Windows\System32\PCxadAc.exe
  2⤵
  PID:10440
- C:\Windows\System32\ePXZLIN.exe
  C:\Windows\System32\ePXZLIN.exe
  2⤵
  PID:10500
- C:\Windows\System32\wdnIduM.exe
  C:\Windows\System32\wdnIduM.exe
  2⤵
  PID:10600
- C:\Windows\System32\WQagPPx.exe
  C:\Windows\System32\WQagPPx.exe
  2⤵
  PID:10572
- C:\Windows\System32\LYgoGWM.exe
  C:\Windows\System32\LYgoGWM.exe
  2⤵
  PID:10064
- C:\Windows\System32\NgGWtYe.exe
  C:\Windows\System32\NgGWtYe.exe
  2⤵
  PID:10752
- C:\Windows\System32\PlDUBsV.exe
  C:\Windows\System32\PlDUBsV.exe
  2⤵
  PID:10764
- C:\Windows\System32\QEeTaeB.exe
  C:\Windows\System32\QEeTaeB.exe
  2⤵
  PID:10868
- C:\Windows\System32\eQDZJfJ.exe
  C:\Windows\System32\eQDZJfJ.exe
  2⤵
  PID:10940
- C:\Windows\System32\GfuwNVh.exe
  C:\Windows\System32\GfuwNVh.exe
  2⤵
  PID:11008
- C:\Windows\System32\rszzORq.exe
  C:\Windows\System32\rszzORq.exe
  2⤵
  PID:11056
- C:\Windows\System32\JTLznyM.exe
  C:\Windows\System32\JTLznyM.exe
  2⤵
  PID:11160
- C:\Windows\System32\JRKlAMZ.exe
  C:\Windows\System32\JRKlAMZ.exe
  2⤵
  PID:10284
- C:\Windows\System32\XmDKwTT.exe
  C:\Windows\System32\XmDKwTT.exe
  2⤵
  PID:10420
- C:\Windows\System32\bYqmDeW.exe
  C:\Windows\System32\bYqmDeW.exe
  2⤵
  PID:10508
- C:\Windows\System32\ZlVCITO.exe
  C:\Windows\System32\ZlVCITO.exe
  2⤵
  PID:10588
- C:\Windows\System32\VoGNtDQ.exe
  C:\Windows\System32\VoGNtDQ.exe
  2⤵
  PID:10812
- C:\Windows\System32\jgrAGNC.exe
  C:\Windows\System32\jgrAGNC.exe
  2⤵
  PID:11136
- C:\Windows\System32\sypGflR.exe
  C:\Windows\System32\sypGflR.exe
  2⤵
  PID:11076
- C:\Windows\System32\ycLyuFM.exe
  C:\Windows\System32\ycLyuFM.exe
  2⤵
  PID:10388
- C:\Windows\System32\Lqudpys.exe
  C:\Windows\System32\Lqudpys.exe
  2⤵
  PID:10924
- C:\Windows\System32\uCoRfLD.exe
  C:\Windows\System32\uCoRfLD.exe
  2⤵
  PID:1128
- C:\Windows\System32\CDYMZXs.exe
  C:\Windows\System32\CDYMZXs.exe
  2⤵
  PID:10536
- C:\Windows\System32\poeFnmo.exe
  C:\Windows\System32\poeFnmo.exe
  2⤵
  PID:11024
- C:\Windows\System32\LEryDzr.exe
  C:\Windows\System32\LEryDzr.exe
  2⤵
  PID:11284
- C:\Windows\System32\ciAPisl.exe
  C:\Windows\System32\ciAPisl.exe
  2⤵
  PID:11332
- C:\Windows\System32\dYOrtQe.exe
  C:\Windows\System32\dYOrtQe.exe
  2⤵
  PID:11348
- C:\Windows\System32\UmfAXuB.exe
  C:\Windows\System32\UmfAXuB.exe
  2⤵
  PID:11376
- C:\Windows\System32\whzZsnb.exe
  C:\Windows\System32\whzZsnb.exe
  2⤵
  PID:11396
- C:\Windows\System32\dduNUNh.exe
  C:\Windows\System32\dduNUNh.exe
  2⤵
  PID:11436
- C:\Windows\System32\rSzMaxb.exe
  C:\Windows\System32\rSzMaxb.exe
  2⤵
  PID:11464
- C:\Windows\System32\DINArfB.exe
  C:\Windows\System32\DINArfB.exe
  2⤵
  PID:11508
- C:\Windows\System32\ArADyTX.exe
  C:\Windows\System32\ArADyTX.exe
  2⤵
  PID:11536
- C:\Windows\System32\imrORSC.exe
  C:\Windows\System32\imrORSC.exe
  2⤵
  PID:11564
- C:\Windows\System32\CxcGcMb.exe
  C:\Windows\System32\CxcGcMb.exe
  2⤵
  PID:11584
- C:\Windows\System32\XtzAhNA.exe
  C:\Windows\System32\XtzAhNA.exe
  2⤵
  PID:11604
- C:\Windows\System32\yuzNZNn.exe
  C:\Windows\System32\yuzNZNn.exe
  2⤵
  PID:11652
- C:\Windows\System32\sQoRLSo.exe
  C:\Windows\System32\sQoRLSo.exe
  2⤵
  PID:11680
- C:\Windows\System32\TeUjscb.exe
  C:\Windows\System32\TeUjscb.exe
  2⤵
  PID:11708
- C:\Windows\System32\WvWXWRN.exe
  C:\Windows\System32\WvWXWRN.exe
  2⤵
  PID:11744
- C:\Windows\System32\TtNHsnE.exe
  C:\Windows\System32\TtNHsnE.exe
  2⤵
  PID:11764
- C:\Windows\System32\iDFdYaI.exe
  C:\Windows\System32\iDFdYaI.exe
  2⤵
  PID:11792
- C:\Windows\System32\XaBPDCj.exe
  C:\Windows\System32\XaBPDCj.exe
  2⤵
  PID:11816
- C:\Windows\System32\uuakQjY.exe
  C:\Windows\System32\uuakQjY.exe
  2⤵
  PID:11848
- C:\Windows\System32\lUvYIPE.exe
  C:\Windows\System32\lUvYIPE.exe
  2⤵
  PID:11872
- C:\Windows\System32\zfsQTmu.exe
  C:\Windows\System32\zfsQTmu.exe
  2⤵
  PID:11916
- C:\Windows\System32\ZKCRjXu.exe
  C:\Windows\System32\ZKCRjXu.exe
  2⤵
  PID:11932
- C:\Windows\System32\NBeWvmJ.exe
  C:\Windows\System32\NBeWvmJ.exe
  2⤵
  PID:11960
- C:\Windows\System32\huFZMth.exe
  C:\Windows\System32\huFZMth.exe
  2⤵
  PID:11980
- C:\Windows\System32\LxPPJTz.exe
  C:\Windows\System32\LxPPJTz.exe
  2⤵
  PID:12004
- C:\Windows\System32\JQNqpYd.exe
  C:\Windows\System32\JQNqpYd.exe
  2⤵
  PID:12020
- C:\Windows\System32\oGyOFPg.exe
  C:\Windows\System32\oGyOFPg.exe
  2⤵
  PID:12040
- C:\Windows\System32\wtevmbn.exe
  C:\Windows\System32\wtevmbn.exe
  2⤵
  PID:12064
- C:\Windows\System32\zNVegzb.exe
  C:\Windows\System32\zNVegzb.exe
  2⤵
  PID:12080
- C:\Windows\System32\gfFozBs.exe
  C:\Windows\System32\gfFozBs.exe
  2⤵
  PID:12108
- C:\Windows\System32\omnNlkv.exe
  C:\Windows\System32\omnNlkv.exe
  2⤵
  PID:12136
- C:\Windows\System32\xpkfbaw.exe
  C:\Windows\System32\xpkfbaw.exe
  2⤵
  PID:12152
- C:\Windows\System32\IETrEOm.exe
  C:\Windows\System32\IETrEOm.exe
  2⤵
  PID:12216
- C:\Windows\System32\uwhMHkV.exe
  C:\Windows\System32\uwhMHkV.exe
  2⤵
  PID:12236
- C:\Windows\System32\EFCgrqw.exe
  C:\Windows\System32\EFCgrqw.exe
  2⤵
  PID:12272
- C:\Windows\System32\eXecTHG.exe
  C:\Windows\System32\eXecTHG.exe
  2⤵
  PID:11276
- C:\Windows\System32\cnvjEVy.exe
  C:\Windows\System32\cnvjEVy.exe
  2⤵
  PID:11328
- C:\Windows\System32\PwSovbo.exe
  C:\Windows\System32\PwSovbo.exe
  2⤵
  PID:11408
- C:\Windows\System32\QVKCjnm.exe
  C:\Windows\System32\QVKCjnm.exe
  2⤵
  PID:11480
- C:\Windows\System32\sKNiFxH.exe
  C:\Windows\System32\sKNiFxH.exe
  2⤵
  PID:11560
- C:\Windows\System32\sJMpexH.exe
  C:\Windows\System32\sJMpexH.exe
  2⤵
  PID:11600
- C:\Windows\System32\ewmgVXj.exe
  C:\Windows\System32\ewmgVXj.exe
  2⤵
  PID:11696
- C:\Windows\System32\xuEnJtU.exe
  C:\Windows\System32\xuEnJtU.exe
  2⤵
  PID:11752
- C:\Windows\System32\pJWoJeq.exe
  C:\Windows\System32\pJWoJeq.exe
  2⤵
  PID:11780
- C:\Windows\System32\EbJhHtq.exe
  C:\Windows\System32\EbJhHtq.exe
  2⤵
  PID:11864
- C:\Windows\System32\WoEEnbw.exe
  C:\Windows\System32\WoEEnbw.exe
  2⤵
  PID:11940
- C:\Windows\System32\BpGXdEX.exe
  C:\Windows\System32\BpGXdEX.exe
  2⤵
  PID:11992
- C:\Windows\System32\jPplKDn.exe
  C:\Windows\System32\jPplKDn.exe
  2⤵
  PID:12076
- C:\Windows\System32\XrAAHmL.exe
  C:\Windows\System32\XrAAHmL.exe
  2⤵
  PID:12096
- C:\Windows\System32\AqWqJGj.exe
  C:\Windows\System32\AqWqJGj.exe
  2⤵
  PID:12072
- C:\Windows\System32\gsFNtmR.exe
  C:\Windows\System32\gsFNtmR.exe
  2⤵
  PID:12176
- C:\Windows\System32\CVtuGBD.exe
  C:\Windows\System32\CVtuGBD.exe
  2⤵
  PID:11312
- C:\Windows\System32\JINIacP.exe
  C:\Windows\System32\JINIacP.exe
  2⤵
  PID:11444
- C:\Windows\System32\KovjZjj.exe
  C:\Windows\System32\KovjZjj.exe
  2⤵
  PID:3636
- C:\Windows\System32\SuHBfhk.exe
  C:\Windows\System32\SuHBfhk.exe
  2⤵
  PID:4136
- C:\Windows\System32\dCJBwpu.exe
  C:\Windows\System32\dCJBwpu.exe
  2⤵
  PID:4876
- C:\Windows\System32\InTqsZk.exe
  C:\Windows\System32\InTqsZk.exe
  2⤵
  PID:11776
- C:\Windows\System32\fCktAaA.exe
  C:\Windows\System32\fCktAaA.exe
  2⤵
  PID:11996
- C:\Windows\System32\NlYNohI.exe
  C:\Windows\System32\NlYNohI.exe
  2⤵
  PID:12132
- C:\Windows\System32\mRAFxRz.exe
  C:\Windows\System32\mRAFxRz.exe
  2⤵
  PID:3508
- C:\Windows\System32\aOPzDmE.exe
  C:\Windows\System32\aOPzDmE.exe
  2⤵
  PID:11448
- C:\Windows\System32\eWeKxYM.exe
  C:\Windows\System32\eWeKxYM.exe
  2⤵
  PID:11828
- C:\Windows\System32\ThKoQBC.exe
  C:\Windows\System32\ThKoQBC.exe
  2⤵
  PID:12036
- C:\Windows\System32\duczBkO.exe
  C:\Windows\System32\duczBkO.exe
  2⤵
  PID:11364
- C:\Windows\System32\KriTJZr.exe
  C:\Windows\System32\KriTJZr.exe
  2⤵
  PID:11884
- C:\Windows\System32\ZztQMTi.exe
  C:\Windows\System32\ZztQMTi.exe
  2⤵
  PID:12200
- C:\Windows\System32\yJjmeSu.exe
  C:\Windows\System32\yJjmeSu.exe
  2⤵
  PID:12308
- C:\Windows\System32\nEqHRJq.exe
  C:\Windows\System32\nEqHRJq.exe
  2⤵
  PID:12348
- C:\Windows\System32\ePKuMdj.exe
  C:\Windows\System32\ePKuMdj.exe
  2⤵
  PID:12388
- C:\Windows\System32\HgkrFho.exe
  C:\Windows\System32\HgkrFho.exe
  2⤵
  PID:12416
- C:\Windows\System32\YydGuxu.exe
  C:\Windows\System32\YydGuxu.exe
  2⤵
  PID:12444
- C:\Windows\System32\dQgYLbu.exe
  C:\Windows\System32\dQgYLbu.exe
  2⤵
  PID:12468
- C:\Windows\System32\RooFKaO.exe
  C:\Windows\System32\RooFKaO.exe
  2⤵
  PID:12488
- C:\Windows\System32\DENyFzN.exe
  C:\Windows\System32\DENyFzN.exe
  2⤵
  PID:12532
- C:\Windows\System32\trWDvbK.exe
  C:\Windows\System32\trWDvbK.exe
  2⤵
  PID:12556
- C:\Windows\System32\YRnhlmZ.exe
  C:\Windows\System32\YRnhlmZ.exe
  2⤵
  PID:12580
- C:\Windows\System32\AVWXzlE.exe
  C:\Windows\System32\AVWXzlE.exe
  2⤵
  PID:12600
- C:\Windows\System32\zjVZsBj.exe
  C:\Windows\System32\zjVZsBj.exe
  2⤵
  PID:12616
- C:\Windows\System32\GMMTCBa.exe
  C:\Windows\System32\GMMTCBa.exe
  2⤵
  PID:12668
- C:\Windows\System32\fYrbBcl.exe
  C:\Windows\System32\fYrbBcl.exe
  2⤵
  PID:12704
- C:\Windows\System32\rvuynBl.exe
  C:\Windows\System32\rvuynBl.exe
  2⤵
  PID:12724
- C:\Windows\System32\KTYcpaN.exe
  C:\Windows\System32\KTYcpaN.exe
  2⤵
  PID:12740
- C:\Windows\System32\StXAAtO.exe
  C:\Windows\System32\StXAAtO.exe
  2⤵
  PID:12760
- C:\Windows\System32\EfugVIb.exe
  C:\Windows\System32\EfugVIb.exe
  2⤵
  PID:12784
- C:\Windows\System32\AobOoRt.exe
  C:\Windows\System32\AobOoRt.exe
  2⤵
  PID:12824
- C:\Windows\System32\DpQTNuN.exe
  C:\Windows\System32\DpQTNuN.exe
  2⤵
  PID:12852
- C:\Windows\System32\wVsIRcL.exe
  C:\Windows\System32\wVsIRcL.exe
  2⤵
  PID:12872
- C:\Windows\System32\JEoimhE.exe
  C:\Windows\System32\JEoimhE.exe
  2⤵
  PID:12896
- C:\Windows\System32\WKgJizV.exe
  C:\Windows\System32\WKgJizV.exe
  2⤵
  PID:12940
- C:\Windows\System32\kwWmDLT.exe
  C:\Windows\System32\kwWmDLT.exe
  2⤵
  PID:12968
- C:\Windows\System32\GHsdgfu.exe
  C:\Windows\System32\GHsdgfu.exe
  2⤵
  PID:12992
- C:\Windows\System32\HIKnvkN.exe
  C:\Windows\System32\HIKnvkN.exe
  2⤵
  PID:13032
- C:\Windows\System32\MGfWGdP.exe
  C:\Windows\System32\MGfWGdP.exe
  2⤵
  PID:13068
- C:\Windows\System32\ZzfAYUp.exe
  C:\Windows\System32\ZzfAYUp.exe
  2⤵
  PID:13084
- C:\Windows\System32\lhdReAF.exe
  C:\Windows\System32\lhdReAF.exe
  2⤵
  PID:13112
- C:\Windows\System32\mTyRlgV.exe
  C:\Windows\System32\mTyRlgV.exe
  2⤵
  PID:13132
- C:\Windows\System32\eNgDgFP.exe
  C:\Windows\System32\eNgDgFP.exe
  2⤵
  PID:13152
- C:\Windows\System32\cxbVlLD.exe
  C:\Windows\System32\cxbVlLD.exe
  2⤵
  PID:13180
- C:\Windows\System32\vKSsfJF.exe
  C:\Windows\System32\vKSsfJF.exe
  2⤵
  PID:13212
- C:\Windows\System32\DkJFWxa.exe
  C:\Windows\System32\DkJFWxa.exe
  2⤵
  PID:13228
- C:\Windows\System32\nQTNhys.exe
  C:\Windows\System32\nQTNhys.exe
  2⤵
  PID:13244
- C:\Windows\System32\xuguOPD.exe
  C:\Windows\System32\xuguOPD.exe
  2⤵
  PID:11668
- C:\Windows\System32\vmjzJcc.exe
  C:\Windows\System32\vmjzJcc.exe
  2⤵
  PID:12332
- C:\Windows\System32\uIcSEYT.exe
  C:\Windows\System32\uIcSEYT.exe
  2⤵
  PID:12372
- C:\Windows\System32\lNWnxRz.exe
  C:\Windows\System32\lNWnxRz.exe
  2⤵
  PID:12412
- C:\Windows\System32\ffateAE.exe
  C:\Windows\System32\ffateAE.exe
  2⤵
  PID:12460
- C:\Windows\System32\SAEhCIU.exe
  C:\Windows\System32\SAEhCIU.exe
  2⤵
  PID:12524
- C:\Windows\System32\rsEaZZr.exe
  C:\Windows\System32\rsEaZZr.exe
  2⤵
  PID:12544
- C:\Windows\System32\YGKlxye.exe
  C:\Windows\System32\YGKlxye.exe
  2⤵
  PID:12696
- C:\Windows\System32\fKIMEeU.exe
  C:\Windows\System32\fKIMEeU.exe
  2⤵
  PID:12736
- C:\Windows\System32\mWzsaaf.exe
  C:\Windows\System32\mWzsaaf.exe
  2⤵
  PID:12820
- C:\Windows\System32\HylqPFu.exe
  C:\Windows\System32\HylqPFu.exe
  2⤵
  PID:12884
- C:\Windows\System32\UwjeHjT.exe
  C:\Windows\System32\UwjeHjT.exe
  2⤵
  PID:12920

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AyCHaDI.exe

Filesize
1.4MB

MD5
168eccb99912753f11a1ba75ba908bfb

SHA1
a6ce6fd4644c02c1637ae9a6322548b0dc412ac7

SHA256
9a675313bfb28dec6ac102654abe213d7d53c9ed57c7afa86db0a27e1d434520

SHA512
010b48f28db337e637a756ae7a66506b1b3b9c49dabc464924003323886e104aa3893697b3cb164a396659d5c0da99bbeb85b6f69f59b8d1b27b21a2e3c493b0

Download Submit
C:\Windows\System32\BTagsJv.exe

Filesize
1.4MB

MD5
41ca02dda97c40a0bf3f18ea164a0509

SHA1
ac72d68f02f3e2a83146e56d8056a75ea8b299c8

SHA256
0012e81f3eaf0f9383477c41758c04d0f03edfc8e1d8a79ff5127fa7d7a70201

SHA512
e2f2accfff1e1049cb5e52e5975374d6b89b820fb838c9c8975afead2b26db2688282ee9b83fcde8ea0bdc56299b0d0702c5c105ff15e973806f669f49c77c10

Download Submit
C:\Windows\System32\BbIHAZh.exe

Filesize
1.4MB

MD5
da6b385ba1148978dd06da6cf484293c

SHA1
e33d7bab4aa78c56bdacb1853dfea4a4deda7f64

SHA256
e18e196277e0ff82a5a951ace1e1be07ecab296cd94712a1d17f1f0a345d662a

SHA512
8020334665410bd22988539267a20b69f9294f993dc05697aa4fe3a59125ceb3d5e875bb338562b27b68097e155b6688a6f457bf1ba5addedc0b77695196d818

Download Submit
C:\Windows\System32\CjveQSq.exe

Filesize
1.4MB

MD5
da5669944abaa310b99ddece13f8a1f3

SHA1
fd1f668b8138995d6f047ece35424ac4d10ce363

SHA256
3b1397b4e619fa344b37fe9565305a8dab65c7ebd028002c0b4f59c1ed2c979b

SHA512
23938b278202ceb0e645497385d85cbe7c487563a82ac7d6d0973a28b6c8c9dd6892451c09cd8fb248bdcca9819029394a47a4166cd51cfa0a3788973aaa8ed7

Download Submit
C:\Windows\System32\CyMDNgB.exe

Filesize
1.4MB

MD5
70da4832506b26451caa2818bc316df8

SHA1
99705ff751a39ea007ff0843f6934b992b0fd2d8

SHA256
5e98d1412f57972dbb5f8460c31b03ccbcca2a7465fd01f6f20518591bca1b0c

SHA512
0650d3a05af7db4cfb0cc86c1914622fcf427d426ff735c03c9304c3e726c3c87c4a2545cecb65fd9f9efb25c404e5f70c2ac332a15a51b90aaa020e6a15b50d

Download Submit
C:\Windows\System32\DxBICOn.exe

Filesize
1.4MB

MD5
0b2c0f6432b6ed5fc4c6d8d530dfe358

SHA1
c021b36d4eafde10994532a99aa7122aafea5659

SHA256
3dc27e7da17f4e1f824d7fdc7a134ab82265318dc91886f4eee098282c22f503

SHA512
697b8e6a4798373861b26a890ef3409376f696e19d9c6ef67b9a52c71bfe7489a4a30ae8fead6d5e92ea7b3488f114119458acbd98f172244c62be896068db15

Download Submit
C:\Windows\System32\FfffSJF.exe

Filesize
1.4MB

MD5
854767bb667c872fb8b73dcd2781500f

SHA1
fdbbf51d39ef54de7abe57f1f71178969134cf2c

SHA256
61781797ee0913a7ca2c1eb077230e4402898402a0c47ba59d13afe6bb15b2b6

SHA512
036cbcfae76a1a5060f6cb1e09159786164d8a3cf35d6014f834735449b699679cc6c5b35640aacd87cef1c69aac9a6be2b954e111554c47ab42d3438e1a79b5

Download Submit
C:\Windows\System32\HgJAZrB.exe

Filesize
1.4MB

MD5
39a18210f2ff305876d3f6be42e402cd

SHA1
7cbbd3ca499af4d5e2361eca19ba254ed901f024

SHA256
f514732c1940da1908d31d7ca0941a9dfa40c52bebcc25345d4d45ddb45b0173

SHA512
238347fd4f709762d0bf7576522dd820282a829470824422ac41f698af079992785db182f9597ef0923d261468222000c806b35823d9d300e90593b26c6614b9

Download Submit
C:\Windows\System32\IAeMMBu.exe

Filesize
1.4MB

MD5
a70d130625051f5bc87e545814026769

SHA1
2c374c95d43ac977c869dbe89536d430e638f397

SHA256
fb7add300e2e0af3cbef27a8aec5142a14b30a437c430d52198d9edc2959cefb

SHA512
7dc3f43083f30834357c5ad5ac03359bb52c9adfdf9469f4bc329a39f20b89aa2a1765f2a2e8377b35d8614ebde63bfb1481c6ae85be64aae2b280ae2414f307

Download Submit
C:\Windows\System32\IvtEBBs.exe

Filesize
1.4MB

MD5
d2fd420793a064050a651280704bef62

SHA1
c1af6cf86591d92c2da42d74898db0340d791afa

SHA256
f2f3c42ca738323dc6862750a4a0042943d8387da1c00090da66d50728eebeed

SHA512
272239fc924b1b1f0c55789a132848a0423baf9360fb7ed37047a62ee12ee15d2bc9ebab371854ef259b5226f71e1d7537213e76f0520caf654f7a6eedeee596

Download Submit
C:\Windows\System32\LPjAveQ.exe

Filesize
1.4MB

MD5
bbb0bb026245fe9dfa03cf6de491752c

SHA1
83a7423cedb8f66e808c679ad3970e5c6af3ac77

SHA256
8a4e4f3996d85581cd85f97983a9011a90c1c665dcefbeb31a88c1c5554115cc

SHA512
0df1772bd9ae091e96e430c853472b7aed4cd920e38ee79810764565bda1d87b8f2c811076082dea86ce1147c18f887400dc0a73492600ecd7c8ab4ec68d501e

Download Submit
C:\Windows\System32\NbAuWDp.exe

Filesize
1.4MB

MD5
8cc10ef8ce67dd2e216765e13d737609

SHA1
16b9936cd93ba204bc2de2fdc580b83f2c85269b

SHA256
783da505f15900a93f24eceb1ad3e4514acfec8735695d2c812e17111761fe51

SHA512
32b3d7ee8865f5ba2c5b05b588ea265ab80a377b6725f91188386fabf11a349e3a5cb01dcfdb23dd5ff0113120cde0ece7902614fa4ca5a26468c01d08823ec4

Download Submit
C:\Windows\System32\QaITVqL.exe

Filesize
1.4MB

MD5
d87e90c5d0e2b944c267b673181a51e3

SHA1
d9bc42ac99b14ee60ebe07342081a608e2b27a55

SHA256
f255938ef8804ac63356c270c93f2e4c76ec779198b1295a9fcb9018d8a7944e

SHA512
aaf02e78df3ce82bf467c525b5c4f1ef6dda16dd19ca6d7146760ab9a9ceffd4dc31f827a3ef2917e9f6843197466f0a2fa41a51fb9ad219ce7f33752a33ac1a

Download Submit
C:\Windows\System32\SZTKxwC.exe

Filesize
1.4MB

MD5
15d6ef5895884ce34229a54d2397962f

SHA1
b0b9027c6ee7ec48063176e36c9d641612265eb5

SHA256
f1070ac9c2b7f4ef2837cb8675de9dd5a1c06cf8a10f069d378eba31f861022c

SHA512
2ed0b42ac3b18e52081ed9bb1675e47318304070faf32c812c7478b94280c54b5a81b56d59c1058c9d9af5db381a37ceda89ba0a8eac00534914e04858c2d8ef

Download Submit
C:\Windows\System32\SfWjHYs.exe

Filesize
1.4MB

MD5
cfb4169f6cbfe6daba3fcafda1c8e889

SHA1
fa9c220807bf2ddd2274f83dfb3ada0f22f499e6

SHA256
47bcf3bedb3cf25c8f4f6e97c8e8ef026f1601421b4dbd894549767b80ff3242

SHA512
47846e05248cdabb8afac59e7e07c9e7cd39a60d07e94a32a6032c020307481bd5a41057bf88150307f4941f62d8385ffa7c6da7c5fe1d564bd6661c18cf516f

Download Submit
C:\Windows\System32\WsieQnU.exe

Filesize
1.4MB

MD5
bbe8b499ac13cdbfda222136611d61c4

SHA1
ae4319ab8ebd9237c80ab5bcca6b9fe883ee0855

SHA256
93943c42983594c08eb792f8bb78f3a2e6fa69eeb76e8f1e76bc452d6dc4561d

SHA512
184b4b4f84246d158a5707a904415af2ec7124aad4bec7702a4f88c1042e06e16b10b7161a7442c0a6fd67da68cdcaaa26f1a725381c279d75fb9f539a8428b7

Download Submit
C:\Windows\System32\asUSrvn.exe

Filesize
1.4MB

MD5
17c3ad514d460bfd4ba18234f7c732a5

SHA1
979603b28ed59b8d6cacbe29962a04271c7112f9

SHA256
230401490eb6b615e5cb68ddf6d15a69bd46180930a6fa125d4137eb736a2c4e

SHA512
36af38d27009a3ed6c2459b8f737796f592e3ec131bc9c1b93e8ba1967d9d9f7c39d60b5aaeb1d1ff55d023215e75d65cf74568f5d13b61544ffbb064e394996

Download Submit
C:\Windows\System32\bgGKwfX.exe

Filesize
1.4MB

MD5
8225eb4121402e2df8306d11cbb8e05e

SHA1
9986663ff8b752777e6091d2b7582602009ae188

SHA256
8cc6951a5d77dcbef72f5aea5fbe57977accbe8943f904bf2be7b2b2cdf67a13

SHA512
acaa0ef0b53969cfb89b6402ed38e11bfa83fdb9b9c370fc813ed5ac6cc790e2954259b3e8e63dd4a387b7e930a9a70aa9056f2d16862b805465369139ab92be

Download Submit
C:\Windows\System32\cpvwMRj.exe

Filesize
1.4MB

MD5
f938666381943feacd6195800363b3fd

SHA1
71e6193aef3e1b6cc205adfecbb9e57656803f05

SHA256
9e8f0b03f5c36a2c30bb29192b83840317a6ef5c25b025bcfa1ce5bc622035e1

SHA512
a19dcc939e23fcfe84400c055ef003eb48d9685839dbb16b99034e6de062b1356b2f20adb1c007e9e4cb1d151d5156b4a1418f3fa59db3dee15f4b0979cfe8c2

Download Submit
C:\Windows\System32\dEJHwPS.exe

Filesize
1.4MB

MD5
1fa6a129474803c07b4372748caf3fd5

SHA1
6302efd3a893f3e6623717a6cfd8fd2ead37b9c1

SHA256
7f7747a6e4aaa95e584a96c6ab45d65594f7d99732334e768c112e1b7951ccbe

SHA512
8cde4d9ceb9e5b5f424183ac37cefc8d9cea3e7423b11792e15afa989b7eb4447f072b0d05590cf8eab5be8345650b32b0454d33055a8aa0757b5ee376dda913

Download Submit
C:\Windows\System32\dorEQlk.exe

Filesize
1.4MB

MD5
e47cc3e9c39aec1778b9861310eb9142

SHA1
d5b9acac5d45df2e9b975d1451b5ca200c78bcb6

SHA256
ef9592e118d5bbc3514d6027d7bbbb955a859089811993ab9b6cb8219de835ce

SHA512
c53417def01e80e223d7a1499be91c519f06dd84663f0b3e36b0265aa36e468ebe6dad7af83a68fca043c4190d0086788a368eb0fe0016120152804c8b18e313

Download Submit
C:\Windows\System32\gkjmpXx.exe

Filesize
1.4MB

MD5
f9f05d0bed49917592c5bf75c1ac0fae

SHA1
3086f15ce29af765ab1eb1fcf10a2ccd231a9e89

SHA256
a51e83deb4a1d9bcadeec316adb234dac98ba753e1710f9ad21dcd0d7c48bb19

SHA512
ac033cf4ae6a9fff322ba2ba0519bfda60997af4f819e1b4aff6ac60e1e2be7e0a9651e17cf808230e7d73a63af95e5fa5a0b05c6769631b97bd216bc843b459

Download Submit
C:\Windows\System32\jDEjxQQ.exe

Filesize
1.4MB

MD5
1edda77a209f536bb111c3dc0532acd2

SHA1
d23358bc7a5b64ef672d1d61670aee5556a201e5

SHA256
052a38dc64d0ad5e239ec6bb1902eb123d338ed7312872616bc6eba61300e21b

SHA512
721a0455fded49c3310d376b7790b4c718d519f57c1dbf8447d6e2c1bea01657d88ee69be2bd510189729145d92e07ec23184958c47f1fb60ed65373ae632f23

Download Submit
C:\Windows\System32\mOmnCBc.exe

Filesize
1.4MB

MD5
39bd2f05ec5fb9b23ee97a1caaa550ab

SHA1
5b6ab308b6a11c587c728c34e76e6bc0c39b61d4

SHA256
dabf5a4e3acc13ff881d6cb46f5392a86c7a5a77f0b5f11e26ca0668958dfca9

SHA512
dc0085a77b469eae8115c47212d72bc57ae0708ef73dbb61d2bf95b5760da74f0a2de82e3bb7aea6de55f46faf9f2447bb16ae770970f0ff3cc836bf56c793a0

Download Submit
C:\Windows\System32\maKJZff.exe

Filesize
1.4MB

MD5
e3ca50ea44e93a71a41168e59c2d8e36

SHA1
c450e23c9503757c76137126d26af84360c131ce

SHA256
87a8c16c6cbfdcda7609c9cee7041ddc203cb69c1d813192703fddda70de090c

SHA512
3b6d01ab6d076cee1ce6335d0dc000454d4bb8d64753127dcb030ad319a76e89f093a1a67948c8840685570af83d2e38c527c0be58cacdcac62b755337ff417d

Download Submit
C:\Windows\System32\mhRPIXb.exe

Filesize
1.4MB

MD5
3514467d1a45f589726d8265038ac7c2

SHA1
854fae69e2ac0c0888f1cae5f118fc5f8d5b0f45

SHA256
0d173787ebc97a320a81da21be77ba75f8a3efe2b10a0a033b7a338c4d7fb8f9

SHA512
889793b8e1d2825893ac51a3822f62f59bf83e924e9f65ca53eb1c05f515507871992b4999e363dc2a717feb1268614d53eeb2f91f90b489d871c103582011aa

Download Submit
C:\Windows\System32\mqcBMAt.exe

Filesize
1.4MB

MD5
5a070e3dc4e553a6195a5ec003961686

SHA1
d0070c6d70b4b5ab7523f70c50d988970c6ff352

SHA256
d0de8f6e669ce0bb4b7b7255014d710de90a94366eb707d68d368d9ff5095473

SHA512
cc0dfeb46e5acbeed80b5eb631b98421972cf51bf1ca9fd66ab68fde942fd3a70194bbd80f863db0d0f95f8e76c2848937fd04c6ebe5ee0bc2f08d7522d659a4

Download Submit
C:\Windows\System32\nePwjWJ.exe

Filesize
1.4MB

MD5
ea74f4e277d64ce6cba59db857baa259

SHA1
329e5f409d322ad0cd8b17b3013ad80ac361148f

SHA256
f7b6d104bc4d344ed5d6e239125fdc17301c5f276cd0ee13b24414a55f86a807

SHA512
9658dcb00147c72f904f1c25ca7fb0cd7315d081feb18c3851823b1748f13a604d417bd60b10dcaef626da732f864dc12826e307ca0bc35cb079c6de656f720e

Download Submit
C:\Windows\System32\qNAFlWw.exe

Filesize
1.4MB

MD5
ac0f230e88116b3325ca4bd01137f0ba

SHA1
e895e3ef362d0b6bf61e8446effcf4622cb18d0a

SHA256
8744444c5375a2b599effc06005fae71909b2b400d5070e8707d418efc83d370

SHA512
309de97587f8de2341dc6f07b3e4fa25be281969f4b4ac039f21f70a2a425d506992735e1e98c47157997ac62e543e7ef112ad096c5037cdaf6514ae4e6dabd0

Download Submit
C:\Windows\System32\uFFBszA.exe

Filesize
1.4MB

MD5
2218d03613fd265ca25b4cba08d09237

SHA1
99553e8fe022422cda501f4ec46c9a860939481c

SHA256
eb4844563f71dc8ce47bbcfae125eb3ff2f6b8d25956e32589df507aa3daff9d

SHA512
22f8f1f25ce9da541707772c3f31c9edb88acab23d667d407a71964d6e7225ff067fa98c2d3669a7130fa7ab0999160f374bd0ac78e10e7e700da1dfae780f90

Download Submit
C:\Windows\System32\uiVafVn.exe

Filesize
1.4MB

MD5
0df0aa95c6b635a30a7978ede1fe4c91

SHA1
e1e06a7de8163436b930067151d85e288c8c0695

SHA256
cbb271c70811b40ac35f30f4e9272779f4701eeada86bb964d084afef1cbbffb

SHA512
85c13a2fd5e4be6afb08903a6564105fe10d54f7c90d680da13e3a939b6b9d734562a2e66f327f10e4dc830b8f3e33c7e5d3bba6a6cd584a11e123e15fe75c5e

Download Submit
C:\Windows\System32\vtQysQV.exe

Filesize
1.4MB

MD5
6309ca55c36b12dfe937e35d141595aa

SHA1
91432df3400679a403789c37d6a94ca7dc3b1c34

SHA256
53bf03b7d8d329d898afda0927f269574a6945663bc65484b2421985b72d7ab1

SHA512
eda21e470ce5ad25bed976599c2b611c771056459b81b2bec544a3bbe2461e39da59c1ec4f206fdf7fd5730e7bcadf716dbe903afa9cc26a52ec8c919f47afa9

Download Submit
memory/116-1-0x00000161B7780000-0x00000161B7790000-memory.dmp

Filesize
64KB

Download
memory/116-0-0x00007FF7BC780000-0x00007FF7BCB71000-memory.dmp

Filesize
3.9MB

Download
memory/1552-2000-0x00007FF79A3A0000-0x00007FF79A791000-memory.dmp

Filesize
3.9MB

Download
memory/1552-418-0x00007FF79A3A0000-0x00007FF79A791000-memory.dmp

Filesize
3.9MB

Download
memory/1644-2017-0x00007FF7B3200000-0x00007FF7B35F1000-memory.dmp

Filesize
3.9MB

Download
memory/1644-435-0x00007FF7B3200000-0x00007FF7B35F1000-memory.dmp

Filesize
3.9MB

Download
memory/1812-1998-0x00007FF7E1E80000-0x00007FF7E2271000-memory.dmp

Filesize
3.9MB

Download
memory/1812-412-0x00007FF7E1E80000-0x00007FF7E2271000-memory.dmp

Filesize
3.9MB

Download
memory/2068-2012-0x00007FF761DF0000-0x00007FF7621E1000-memory.dmp

Filesize
3.9MB

Download
memory/2068-426-0x00007FF761DF0000-0x00007FF7621E1000-memory.dmp

Filesize
3.9MB

Download
memory/2852-411-0x00007FF6BB7A0000-0x00007FF6BBB91000-memory.dmp

Filesize
3.9MB

Download
memory/2852-1992-0x00007FF6BB7A0000-0x00007FF6BBB91000-memory.dmp

Filesize
3.9MB

Download
memory/2988-1970-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp

Filesize
3.9MB

Download
memory/2988-19-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp

Filesize
3.9MB

Download
memory/2988-1982-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp

Filesize
3.9MB

Download
memory/3032-1971-0x00007FF72AC80000-0x00007FF72B071000-memory.dmp

Filesize
3.9MB

Download
memory/3032-1980-0x00007FF72AC80000-0x00007FF72B071000-memory.dmp

Filesize
3.9MB

Download
memory/3032-394-0x00007FF72AC80000-0x00007FF72B071000-memory.dmp

Filesize
3.9MB

Download
memory/3176-2019-0x00007FF7E3C70000-0x00007FF7E4061000-memory.dmp

Filesize
3.9MB

Download
memory/3176-451-0x00007FF7E3C70000-0x00007FF7E4061000-memory.dmp

Filesize
3.9MB

Download
memory/3464-2010-0x00007FF7AAA90000-0x00007FF7AAE81000-memory.dmp

Filesize
3.9MB

Download
memory/3464-428-0x00007FF7AAA90000-0x00007FF7AAE81000-memory.dmp

Filesize
3.9MB

Download
memory/3716-396-0x00007FF62CCA0000-0x00007FF62D091000-memory.dmp

Filesize
3.9MB

Download
memory/3716-1988-0x00007FF62CCA0000-0x00007FF62D091000-memory.dmp

Filesize
3.9MB

Download
memory/3772-2006-0x00007FF7CC810000-0x00007FF7CCC01000-memory.dmp

Filesize
3.9MB

Download
memory/3772-420-0x00007FF7CC810000-0x00007FF7CCC01000-memory.dmp

Filesize
3.9MB

Download
memory/4436-1976-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp

Filesize
3.9MB

Download
memory/4436-1961-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp

Filesize
3.9MB

Download
memory/4436-9-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp

Filesize
3.9MB

Download
memory/4460-1990-0x00007FF7992F0000-0x00007FF7996E1000-memory.dmp

Filesize
3.9MB

Download
memory/4460-399-0x00007FF7992F0000-0x00007FF7996E1000-memory.dmp

Filesize
3.9MB

Download
memory/4492-417-0x00007FF643CD0000-0x00007FF6440C1000-memory.dmp

Filesize
3.9MB

Download
memory/4492-2004-0x00007FF643CD0000-0x00007FF6440C1000-memory.dmp

Filesize
3.9MB

Download
memory/4556-2021-0x00007FF7200B0000-0x00007FF7204A1000-memory.dmp

Filesize
3.9MB

Download
memory/4556-441-0x00007FF7200B0000-0x00007FF7204A1000-memory.dmp

Filesize
3.9MB

Download
memory/4620-395-0x00007FF6D7660000-0x00007FF6D7A51000-memory.dmp

Filesize
3.9MB

Download
memory/4620-1986-0x00007FF6D7660000-0x00007FF6D7A51000-memory.dmp

Filesize
3.9MB

Download
memory/4688-402-0x00007FF74AA70000-0x00007FF74AE61000-memory.dmp

Filesize
3.9MB

Download
memory/4688-1994-0x00007FF74AA70000-0x00007FF74AE61000-memory.dmp

Filesize
3.9MB

Download
memory/4720-2041-0x00007FF7B0800000-0x00007FF7B0BF1000-memory.dmp

Filesize
3.9MB

Download
memory/4720-438-0x00007FF7B0800000-0x00007FF7B0BF1000-memory.dmp

Filesize
3.9MB

Download
memory/4808-17-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp

Filesize
3.9MB

Download
memory/4808-1978-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp

Filesize
3.9MB

Download
memory/4984-457-0x00007FF772590000-0x00007FF772981000-memory.dmp

Filesize
3.9MB

Download
memory/4984-1984-0x00007FF772590000-0x00007FF772981000-memory.dmp

Filesize
3.9MB

Download
memory/5020-2087-0x00007FF791A90000-0x00007FF791E81000-memory.dmp

Filesize
3.9MB

Download
memory/5020-448-0x00007FF791A90000-0x00007FF791E81000-memory.dmp

Filesize
3.9MB

Download
memory/5024-406-0x00007FF6E5C00000-0x00007FF6E5FF1000-memory.dmp

Filesize
3.9MB

Download
memory/5024-1996-0x00007FF6E5C00000-0x00007FF6E5FF1000-memory.dmp

Filesize
3.9MB

Download
memory/5044-425-0x00007FF65F050000-0x00007FF65F441000-memory.dmp

Filesize
3.9MB

Download
memory/5044-2008-0x00007FF65F050000-0x00007FF65F441000-memory.dmp

Filesize
3.9MB

Download
memory/5060-2002-0x00007FF6D51D0000-0x00007FF6D55C1000-memory.dmp

Filesize
3.9MB

Download
memory/5060-404-0x00007FF6D51D0000-0x00007FF6D55C1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads