xmrig | cf57d1f76f5bf4b7a5fb21dd606a0f46f8be6695817b720e67c444deae29772c

Analysis

max time kernel
104s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 05:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
Size

1.1MB
MD5

06f6b74324083825d6b59c126140fdea
SHA1

383ae84ab4c1bb25d05a1880f4a85a02f034041c
SHA256

cf57d1f76f5bf4b7a5fb21dd606a0f46f8be6695817b720e67c444deae29772c
SHA512

28043a7856d7b338099a6c6386e19e272ff7a13435864ae18df3a9d268906141095a10835a189cda0e6f2297dbfb2f4b5c88143b28528bb8c04f55d14bba6980
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmC3f/DFNkTir:knw9oUUEEDl37jcmWH/fr

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4496-24-0x00007FF71A1B0000-0x00007FF71A5A1000-memory.dmp	xmrig
behavioral2/memory/3472-318-0x00007FF62D090000-0x00007FF62D481000-memory.dmp	xmrig
behavioral2/memory/3788-328-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp	xmrig
behavioral2/memory/1088-327-0x00007FF6502D0000-0x00007FF6506C1000-memory.dmp	xmrig
behavioral2/memory/5008-321-0x00007FF604A30000-0x00007FF604E21000-memory.dmp	xmrig
behavioral2/memory/3264-336-0x00007FF7B0F00000-0x00007FF7B12F1000-memory.dmp	xmrig
behavioral2/memory/2592-341-0x00007FF6C4340000-0x00007FF6C4731000-memory.dmp	xmrig
behavioral2/memory/2448-347-0x00007FF666E80000-0x00007FF667271000-memory.dmp	xmrig
behavioral2/memory/2664-354-0x00007FF622260000-0x00007FF622651000-memory.dmp	xmrig
behavioral2/memory/3196-365-0x00007FF74BFA0000-0x00007FF74C391000-memory.dmp	xmrig
behavioral2/memory/1744-372-0x00007FF7A8E30000-0x00007FF7A9221000-memory.dmp	xmrig
behavioral2/memory/2424-373-0x00007FF7A4770000-0x00007FF7A4B61000-memory.dmp	xmrig
behavioral2/memory/1860-380-0x00007FF6A6DE0000-0x00007FF6A71D1000-memory.dmp	xmrig
behavioral2/memory/4544-376-0x00007FF62E310000-0x00007FF62E701000-memory.dmp	xmrig
behavioral2/memory/4904-454-0x00007FF75C4F0000-0x00007FF75C8E1000-memory.dmp	xmrig
behavioral2/memory/3444-456-0x00007FF7E2DC0000-0x00007FF7E31B1000-memory.dmp	xmrig
behavioral2/memory/1560-458-0x00007FF74E8B0000-0x00007FF74ECA1000-memory.dmp	xmrig
behavioral2/memory/2672-457-0x00007FF727E90000-0x00007FF728281000-memory.dmp	xmrig
behavioral2/memory/1928-361-0x00007FF7C5530000-0x00007FF7C5921000-memory.dmp	xmrig
behavioral2/memory/2700-359-0x00007FF7A17D0000-0x00007FF7A1BC1000-memory.dmp	xmrig
behavioral2/memory/2956-355-0x00007FF6A9540000-0x00007FF6A9931000-memory.dmp	xmrig
behavioral2/memory/1284-459-0x00007FF68DBF0000-0x00007FF68DFE1000-memory.dmp	xmrig
behavioral2/memory/4036-1975-0x00007FF64F6E0000-0x00007FF64FAD1000-memory.dmp	xmrig
behavioral2/memory/2188-1976-0x00007FF6D05F0000-0x00007FF6D09E1000-memory.dmp	xmrig
behavioral2/memory/4828-2013-0x00007FF61E600000-0x00007FF61E9F1000-memory.dmp	xmrig
behavioral2/memory/3788-2047-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp	xmrig
behavioral2/memory/2956-2067-0x00007FF6A9540000-0x00007FF6A9931000-memory.dmp	xmrig
behavioral2/memory/2672-2090-0x00007FF727E90000-0x00007FF728281000-memory.dmp	xmrig
behavioral2/memory/1560-2088-0x00007FF74E8B0000-0x00007FF74ECA1000-memory.dmp	xmrig
behavioral2/memory/1860-2083-0x00007FF6A6DE0000-0x00007FF6A71D1000-memory.dmp	xmrig
behavioral2/memory/4904-2081-0x00007FF75C4F0000-0x00007FF75C8E1000-memory.dmp	xmrig
behavioral2/memory/3444-2085-0x00007FF7E2DC0000-0x00007FF7E31B1000-memory.dmp	xmrig
behavioral2/memory/2424-2079-0x00007FF7A4770000-0x00007FF7A4B61000-memory.dmp	xmrig
behavioral2/memory/4544-2077-0x00007FF62E310000-0x00007FF62E701000-memory.dmp	xmrig
behavioral2/memory/1928-2075-0x00007FF7C5530000-0x00007FF7C5921000-memory.dmp	xmrig
behavioral2/memory/2700-2071-0x00007FF7A17D0000-0x00007FF7A1BC1000-memory.dmp	xmrig
behavioral2/memory/1744-2069-0x00007FF7A8E30000-0x00007FF7A9221000-memory.dmp	xmrig
behavioral2/memory/2664-2065-0x00007FF622260000-0x00007FF622651000-memory.dmp	xmrig
behavioral2/memory/3196-2073-0x00007FF74BFA0000-0x00007FF74C391000-memory.dmp	xmrig
behavioral2/memory/1284-2059-0x00007FF68DBF0000-0x00007FF68DFE1000-memory.dmp	xmrig
behavioral2/memory/5008-2057-0x00007FF604A30000-0x00007FF604E21000-memory.dmp	xmrig
behavioral2/memory/2448-2063-0x00007FF666E80000-0x00007FF667271000-memory.dmp	xmrig
behavioral2/memory/3472-2055-0x00007FF62D090000-0x00007FF62D481000-memory.dmp	xmrig
behavioral2/memory/4496-2053-0x00007FF71A1B0000-0x00007FF71A5A1000-memory.dmp	xmrig
behavioral2/memory/2592-2051-0x00007FF6C4340000-0x00007FF6C4731000-memory.dmp	xmrig
behavioral2/memory/3264-2049-0x00007FF7B0F00000-0x00007FF7B12F1000-memory.dmp	xmrig
behavioral2/memory/1088-2061-0x00007FF6502D0000-0x00007FF6506C1000-memory.dmp	xmrig
behavioral2/memory/2188-2045-0x00007FF6D05F0000-0x00007FF6D09E1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4828	ddEejit.exe
4496	EJWRdnW.exe
2188	MHipyns.exe
3472	hrtdTOM.exe
5008	jRJPagZ.exe
1284	BCiWjcJ.exe
1088	hoXRdUL.exe
3788	LOZmksL.exe
3264	YpiGbkH.exe
2592	eikrvyj.exe
2448	StGbYrE.exe
2664	axmKmcg.exe
2956	cbbfwWZ.exe
2700	PoiFyvp.exe
1928	QoXZlzE.exe
3196	RWLEBij.exe
1744	WhmWjUz.exe
2424	PGwbdae.exe
4544	yCnKvGX.exe
1860	nYvVLIB.exe
4904	CepjwFT.exe
3444	RIvtVNA.exe
2672	VFPjoCS.exe
1560	NpjodAh.exe
964	iVuINkw.exe
2512	DgUioSH.exe
3180	PhrwkPa.exe
2212	vCWhlOV.exe
4044	xinJSTf.exe
392	USwlLZI.exe
808	NKPJeQN.exe
3536	VFxmajY.exe
2108	GtbIbty.exe
2384	llLHEEh.exe
3412	eorYWXq.exe
2128	xQWNicl.exe
4384	oOIRtCa.exe
2204	RcZeJrJ.exe
1680	aBarazI.exe
448	jezqqzK.exe
1732	taSEqhy.exe
1396	yLuLLUu.exe
3736	BGYEhON.exe
4988	XQbiZqq.exe
2292	DMOHPUX.exe
1512	VlaHSJK.exe
5080	DwxhnNB.exe
4840	CKugawa.exe
4656	rCqBCGP.exe
3764	HpvciNd.exe
4432	tcrBJod.exe
1416	wHlgnKR.exe
4344	hrylZiG.exe
5112	fiWXtCe.exe
4472	aijVYSS.exe
2328	MMTqFwU.exe
644	FTRUOJD.exe
2736	ZerFFPh.exe
1056	zRZpSwJ.exe
1604	liWLSUz.exe
568	MbYEDKc.exe
4308	KBpnWVY.exe
4540	vXCvkmQ.exe
4032	VKKNswa.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4036-0-0x00007FF64F6E0000-0x00007FF64FAD1000-memory.dmp	upx
behavioral2/files/0x0007000000023443-7.dat	upx
behavioral2/files/0x000800000002343f-5.dat	upx
behavioral2/memory/4828-14-0x00007FF61E600000-0x00007FF61E9F1000-memory.dmp	upx
behavioral2/files/0x0008000000023442-17.dat	upx
behavioral2/files/0x0007000000023444-22.dat	upx
behavioral2/memory/4496-24-0x00007FF71A1B0000-0x00007FF71A5A1000-memory.dmp	upx
behavioral2/files/0x0007000000023445-27.dat	upx
behavioral2/files/0x0007000000023446-34.dat	upx
behavioral2/files/0x0007000000023447-39.dat	upx
behavioral2/files/0x000700000002344a-54.dat	upx
behavioral2/files/0x000700000002344b-59.dat	upx
behavioral2/files/0x000700000002344e-72.dat	upx
behavioral2/files/0x000700000002344f-79.dat	upx
behavioral2/files/0x0007000000023454-104.dat	upx
behavioral2/files/0x0007000000023456-114.dat	upx
behavioral2/files/0x0007000000023458-124.dat	upx
behavioral2/files/0x0007000000023460-164.dat	upx
behavioral2/files/0x000700000002345f-159.dat	upx
behavioral2/files/0x000700000002345e-154.dat	upx
behavioral2/files/0x000700000002345d-149.dat	upx
behavioral2/files/0x000700000002345c-144.dat	upx
behavioral2/files/0x000700000002345b-139.dat	upx
behavioral2/files/0x000700000002345a-134.dat	upx
behavioral2/files/0x0007000000023459-129.dat	upx
behavioral2/files/0x0007000000023457-119.dat	upx
behavioral2/files/0x0007000000023455-109.dat	upx
behavioral2/files/0x0007000000023453-99.dat	upx
behavioral2/files/0x0007000000023452-94.dat	upx
behavioral2/files/0x0007000000023451-89.dat	upx
behavioral2/files/0x0007000000023450-84.dat	upx
behavioral2/files/0x000700000002344d-69.dat	upx
behavioral2/files/0x000700000002344c-64.dat	upx
behavioral2/files/0x0007000000023449-49.dat	upx
behavioral2/files/0x0007000000023448-44.dat	upx
behavioral2/memory/2188-19-0x00007FF6D05F0000-0x00007FF6D09E1000-memory.dmp	upx
behavioral2/memory/3472-318-0x00007FF62D090000-0x00007FF62D481000-memory.dmp	upx
behavioral2/memory/3788-328-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp	upx
behavioral2/memory/1088-327-0x00007FF6502D0000-0x00007FF6506C1000-memory.dmp	upx
behavioral2/memory/5008-321-0x00007FF604A30000-0x00007FF604E21000-memory.dmp	upx
behavioral2/memory/3264-336-0x00007FF7B0F00000-0x00007FF7B12F1000-memory.dmp	upx
behavioral2/memory/2592-341-0x00007FF6C4340000-0x00007FF6C4731000-memory.dmp	upx
behavioral2/memory/2448-347-0x00007FF666E80000-0x00007FF667271000-memory.dmp	upx
behavioral2/memory/2664-354-0x00007FF622260000-0x00007FF622651000-memory.dmp	upx
behavioral2/memory/3196-365-0x00007FF74BFA0000-0x00007FF74C391000-memory.dmp	upx
behavioral2/memory/1744-372-0x00007FF7A8E30000-0x00007FF7A9221000-memory.dmp	upx
behavioral2/memory/2424-373-0x00007FF7A4770000-0x00007FF7A4B61000-memory.dmp	upx
behavioral2/memory/1860-380-0x00007FF6A6DE0000-0x00007FF6A71D1000-memory.dmp	upx
behavioral2/memory/4544-376-0x00007FF62E310000-0x00007FF62E701000-memory.dmp	upx
behavioral2/memory/4904-454-0x00007FF75C4F0000-0x00007FF75C8E1000-memory.dmp	upx
behavioral2/memory/3444-456-0x00007FF7E2DC0000-0x00007FF7E31B1000-memory.dmp	upx
behavioral2/memory/1560-458-0x00007FF74E8B0000-0x00007FF74ECA1000-memory.dmp	upx
behavioral2/memory/2672-457-0x00007FF727E90000-0x00007FF728281000-memory.dmp	upx
behavioral2/memory/1928-361-0x00007FF7C5530000-0x00007FF7C5921000-memory.dmp	upx
behavioral2/memory/2700-359-0x00007FF7A17D0000-0x00007FF7A1BC1000-memory.dmp	upx
behavioral2/memory/2956-355-0x00007FF6A9540000-0x00007FF6A9931000-memory.dmp	upx
behavioral2/memory/1284-459-0x00007FF68DBF0000-0x00007FF68DFE1000-memory.dmp	upx
behavioral2/memory/4036-1975-0x00007FF64F6E0000-0x00007FF64FAD1000-memory.dmp	upx
behavioral2/memory/2188-1976-0x00007FF6D05F0000-0x00007FF6D09E1000-memory.dmp	upx
behavioral2/memory/4828-2013-0x00007FF61E600000-0x00007FF61E9F1000-memory.dmp	upx
behavioral2/memory/3788-2047-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp	upx
behavioral2/memory/2956-2067-0x00007FF6A9540000-0x00007FF6A9931000-memory.dmp	upx
behavioral2/memory/2672-2090-0x00007FF727E90000-0x00007FF728281000-memory.dmp	upx
behavioral2/memory/1560-2088-0x00007FF74E8B0000-0x00007FF74ECA1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\tMdtCbH.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\yFYtkkV.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\BycIsnE.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\VFxmajY.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\MbYEDKc.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\OJNhGgF.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\rDOGBrL.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\ETdJgpz.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\RaFWOFi.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\sfMxUth.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\USwlLZI.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\RcbTXDT.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\YYQwulU.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\yXJJJQJ.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\eYnwVvg.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\LqLNjho.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\fRvUPSt.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\FnaAddd.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\AURsGPF.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\LDKyIgU.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\jIZfuEN.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\gBRCzeY.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\aNtdxtM.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\odqbFAE.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\YejBYQB.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\bCZeOyi.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\epTsUER.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\JKCatDT.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\wuKIrCV.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\RnwetRZ.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\YWLESDF.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\DOKvCkc.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\zPmvwdv.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\MaEZGOV.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\qvNepdf.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\UwTDRSc.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\gVGTKSR.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\hGdFDfv.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\VKKNswa.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\uaDQzdO.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\iqTNCJV.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\qwPtjUk.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\mbilIuM.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\pbEuyuH.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\WQJgsha.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\QNwTPJN.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\RIvtVNA.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\bvoDKlF.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\qmwgxZL.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\JbfVFMY.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\UZUemCH.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\CaZjWmL.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\rOzOWcd.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\zcZeUcX.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\aedlNJK.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\QXaSXsz.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\DRaJjsi.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\CTMUGad.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\teNBXXV.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\yliOPev.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\owFqGPt.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\nNrmnxz.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\ypyTBEi.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
File created	C:\Windows\System32\PgKmaHA.exe	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2396	dwm.exe
Token: SeChangeNotifyPrivilege	2396	dwm.exe
Token: 33	2396	dwm.exe
Token: SeIncBasePriorityPrivilege	2396	dwm.exe
Token: SeShutdownPrivilege	2396	dwm.exe
Token: SeCreatePagefilePrivilege	2396	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4828	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	85
PID 4036 wrote to memory of 4828	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	85
PID 4036 wrote to memory of 4496	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	86
PID 4036 wrote to memory of 4496	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	86
PID 4036 wrote to memory of 2188	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	87
PID 4036 wrote to memory of 2188	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	87
PID 4036 wrote to memory of 3472	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	88
PID 4036 wrote to memory of 3472	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	88
PID 4036 wrote to memory of 5008	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	89
PID 4036 wrote to memory of 5008	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	89
PID 4036 wrote to memory of 1284	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	90
PID 4036 wrote to memory of 1284	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	90
PID 4036 wrote to memory of 1088	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	91
PID 4036 wrote to memory of 1088	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	91
PID 4036 wrote to memory of 3788	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	92
PID 4036 wrote to memory of 3788	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	92
PID 4036 wrote to memory of 3264	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	93
PID 4036 wrote to memory of 3264	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	93
PID 4036 wrote to memory of 2592	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	94
PID 4036 wrote to memory of 2592	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	94
PID 4036 wrote to memory of 2448	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	95
PID 4036 wrote to memory of 2448	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	95
PID 4036 wrote to memory of 2664	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	96
PID 4036 wrote to memory of 2664	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	96
PID 4036 wrote to memory of 2956	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	97
PID 4036 wrote to memory of 2956	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	97
PID 4036 wrote to memory of 2700	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	98
PID 4036 wrote to memory of 2700	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	98
PID 4036 wrote to memory of 1928	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	99
PID 4036 wrote to memory of 1928	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	99
PID 4036 wrote to memory of 3196	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	100
PID 4036 wrote to memory of 3196	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	100
PID 4036 wrote to memory of 1744	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	101
PID 4036 wrote to memory of 1744	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	101
PID 4036 wrote to memory of 2424	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	102
PID 4036 wrote to memory of 2424	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	102
PID 4036 wrote to memory of 4544	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	103
PID 4036 wrote to memory of 4544	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	103
PID 4036 wrote to memory of 1860	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	104
PID 4036 wrote to memory of 1860	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	104
PID 4036 wrote to memory of 4904	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	105
PID 4036 wrote to memory of 4904	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	105
PID 4036 wrote to memory of 3444	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	106
PID 4036 wrote to memory of 3444	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	106
PID 4036 wrote to memory of 2672	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	107
PID 4036 wrote to memory of 2672	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	107
PID 4036 wrote to memory of 1560	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	108
PID 4036 wrote to memory of 1560	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	108
PID 4036 wrote to memory of 964	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	109
PID 4036 wrote to memory of 964	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	109
PID 4036 wrote to memory of 2512	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	110
PID 4036 wrote to memory of 2512	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	110
PID 4036 wrote to memory of 3180	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	111
PID 4036 wrote to memory of 3180	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	111
PID 4036 wrote to memory of 2212	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	112
PID 4036 wrote to memory of 2212	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	112
PID 4036 wrote to memory of 4044	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	113
PID 4036 wrote to memory of 4044	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	113
PID 4036 wrote to memory of 392	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	114
PID 4036 wrote to memory of 392	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	114
PID 4036 wrote to memory of 808	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	115
PID 4036 wrote to memory of 808	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	115
PID 4036 wrote to memory of 3536	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	116
PID 4036 wrote to memory of 3536	4036	06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06f6b74324083825d6b59c126140fdea_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\System32\ddEejit.exe
  C:\Windows\System32\ddEejit.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\EJWRdnW.exe
  C:\Windows\System32\EJWRdnW.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\MHipyns.exe
  C:\Windows\System32\MHipyns.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System32\hrtdTOM.exe
  C:\Windows\System32\hrtdTOM.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System32\jRJPagZ.exe
  C:\Windows\System32\jRJPagZ.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\BCiWjcJ.exe
  C:\Windows\System32\BCiWjcJ.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System32\hoXRdUL.exe
  C:\Windows\System32\hoXRdUL.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System32\LOZmksL.exe
  C:\Windows\System32\LOZmksL.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System32\YpiGbkH.exe
  C:\Windows\System32\YpiGbkH.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\eikrvyj.exe
  C:\Windows\System32\eikrvyj.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System32\StGbYrE.exe
  C:\Windows\System32\StGbYrE.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System32\axmKmcg.exe
  C:\Windows\System32\axmKmcg.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System32\cbbfwWZ.exe
  C:\Windows\System32\cbbfwWZ.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\PoiFyvp.exe
  C:\Windows\System32\PoiFyvp.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System32\QoXZlzE.exe
  C:\Windows\System32\QoXZlzE.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System32\RWLEBij.exe
  C:\Windows\System32\RWLEBij.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\WhmWjUz.exe
  C:\Windows\System32\WhmWjUz.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System32\PGwbdae.exe
  C:\Windows\System32\PGwbdae.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System32\yCnKvGX.exe
  C:\Windows\System32\yCnKvGX.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\nYvVLIB.exe
  C:\Windows\System32\nYvVLIB.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System32\CepjwFT.exe
  C:\Windows\System32\CepjwFT.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\RIvtVNA.exe
  C:\Windows\System32\RIvtVNA.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System32\VFPjoCS.exe
  C:\Windows\System32\VFPjoCS.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\NpjodAh.exe
  C:\Windows\System32\NpjodAh.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System32\iVuINkw.exe
  C:\Windows\System32\iVuINkw.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System32\DgUioSH.exe
  C:\Windows\System32\DgUioSH.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System32\PhrwkPa.exe
  C:\Windows\System32\PhrwkPa.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System32\vCWhlOV.exe
  C:\Windows\System32\vCWhlOV.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System32\xinJSTf.exe
  C:\Windows\System32\xinJSTf.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\USwlLZI.exe
  C:\Windows\System32\USwlLZI.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\NKPJeQN.exe
  C:\Windows\System32\NKPJeQN.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System32\VFxmajY.exe
  C:\Windows\System32\VFxmajY.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System32\GtbIbty.exe
  C:\Windows\System32\GtbIbty.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\llLHEEh.exe
  C:\Windows\System32\llLHEEh.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System32\eorYWXq.exe
  C:\Windows\System32\eorYWXq.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\xQWNicl.exe
  C:\Windows\System32\xQWNicl.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System32\oOIRtCa.exe
  C:\Windows\System32\oOIRtCa.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\RcZeJrJ.exe
  C:\Windows\System32\RcZeJrJ.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System32\aBarazI.exe
  C:\Windows\System32\aBarazI.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System32\jezqqzK.exe
  C:\Windows\System32\jezqqzK.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System32\taSEqhy.exe
  C:\Windows\System32\taSEqhy.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System32\yLuLLUu.exe
  C:\Windows\System32\yLuLLUu.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System32\BGYEhON.exe
  C:\Windows\System32\BGYEhON.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System32\XQbiZqq.exe
  C:\Windows\System32\XQbiZqq.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\DMOHPUX.exe
  C:\Windows\System32\DMOHPUX.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System32\VlaHSJK.exe
  C:\Windows\System32\VlaHSJK.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System32\DwxhnNB.exe
  C:\Windows\System32\DwxhnNB.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\CKugawa.exe
  C:\Windows\System32\CKugawa.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\rCqBCGP.exe
  C:\Windows\System32\rCqBCGP.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System32\HpvciNd.exe
  C:\Windows\System32\HpvciNd.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\tcrBJod.exe
  C:\Windows\System32\tcrBJod.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\wHlgnKR.exe
  C:\Windows\System32\wHlgnKR.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System32\hrylZiG.exe
  C:\Windows\System32\hrylZiG.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\fiWXtCe.exe
  C:\Windows\System32\fiWXtCe.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\aijVYSS.exe
  C:\Windows\System32\aijVYSS.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System32\MMTqFwU.exe
  C:\Windows\System32\MMTqFwU.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System32\FTRUOJD.exe
  C:\Windows\System32\FTRUOJD.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System32\ZerFFPh.exe
  C:\Windows\System32\ZerFFPh.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System32\zRZpSwJ.exe
  C:\Windows\System32\zRZpSwJ.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System32\liWLSUz.exe
  C:\Windows\System32\liWLSUz.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System32\MbYEDKc.exe
  C:\Windows\System32\MbYEDKc.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\System32\KBpnWVY.exe
  C:\Windows\System32\KBpnWVY.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\vXCvkmQ.exe
  C:\Windows\System32\vXCvkmQ.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System32\VKKNswa.exe
  C:\Windows\System32\VKKNswa.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\zAUCGPp.exe
  C:\Windows\System32\zAUCGPp.exe
  2⤵
  PID:3508
- C:\Windows\System32\tUAWVeX.exe
  C:\Windows\System32\tUAWVeX.exe
  2⤵
  PID:3116
- C:\Windows\System32\skhpiCT.exe
  C:\Windows\System32\skhpiCT.exe
  2⤵
  PID:4040
- C:\Windows\System32\qvNepdf.exe
  C:\Windows\System32\qvNepdf.exe
  2⤵
  PID:2428
- C:\Windows\System32\zCQbpYc.exe
  C:\Windows\System32\zCQbpYc.exe
  2⤵
  PID:1180
- C:\Windows\System32\scauZBG.exe
  C:\Windows\System32\scauZBG.exe
  2⤵
  PID:4724
- C:\Windows\System32\epTsUER.exe
  C:\Windows\System32\epTsUER.exe
  2⤵
  PID:1096
- C:\Windows\System32\IvsCsrf.exe
  C:\Windows\System32\IvsCsrf.exe
  2⤵
  PID:4528
- C:\Windows\System32\zfhPyGX.exe
  C:\Windows\System32\zfhPyGX.exe
  2⤵
  PID:2320
- C:\Windows\System32\aOHidMH.exe
  C:\Windows\System32\aOHidMH.exe
  2⤵
  PID:4072
- C:\Windows\System32\hViumvs.exe
  C:\Windows\System32\hViumvs.exe
  2⤵
  PID:5044
- C:\Windows\System32\yliOPev.exe
  C:\Windows\System32\yliOPev.exe
  2⤵
  PID:2640
- C:\Windows\System32\FVOQkVI.exe
  C:\Windows\System32\FVOQkVI.exe
  2⤵
  PID:572
- C:\Windows\System32\pVpaSbR.exe
  C:\Windows\System32\pVpaSbR.exe
  2⤵
  PID:4156
- C:\Windows\System32\Iiobahy.exe
  C:\Windows\System32\Iiobahy.exe
  2⤵
  PID:1436
- C:\Windows\System32\HssNhjO.exe
  C:\Windows\System32\HssNhjO.exe
  2⤵
  PID:1444
- C:\Windows\System32\WcivmKN.exe
  C:\Windows\System32\WcivmKN.exe
  2⤵
  PID:1756
- C:\Windows\System32\weBXLux.exe
  C:\Windows\System32\weBXLux.exe
  2⤵
  PID:1736
- C:\Windows\System32\MfWqDkE.exe
  C:\Windows\System32\MfWqDkE.exe
  2⤵
  PID:796
- C:\Windows\System32\zSUdTeA.exe
  C:\Windows\System32\zSUdTeA.exe
  2⤵
  PID:1496
- C:\Windows\System32\gStsYMi.exe
  C:\Windows\System32\gStsYMi.exe
  2⤵
  PID:1976
- C:\Windows\System32\wmPISyC.exe
  C:\Windows\System32\wmPISyC.exe
  2⤵
  PID:1340
- C:\Windows\System32\VfztQbo.exe
  C:\Windows\System32\VfztQbo.exe
  2⤵
  PID:1888
- C:\Windows\System32\yvExjMx.exe
  C:\Windows\System32\yvExjMx.exe
  2⤵
  PID:2460
- C:\Windows\System32\PgCjZsb.exe
  C:\Windows\System32\PgCjZsb.exe
  2⤵
  PID:1676
- C:\Windows\System32\UWqcqfd.exe
  C:\Windows\System32\UWqcqfd.exe
  2⤵
  PID:496
- C:\Windows\System32\bXCzuVE.exe
  C:\Windows\System32\bXCzuVE.exe
  2⤵
  PID:3656
- C:\Windows\System32\BXCXrNP.exe
  C:\Windows\System32\BXCXrNP.exe
  2⤵
  PID:4444
- C:\Windows\System32\vBAVsTu.exe
  C:\Windows\System32\vBAVsTu.exe
  2⤵
  PID:1368
- C:\Windows\System32\ELkAcoE.exe
  C:\Windows\System32\ELkAcoE.exe
  2⤵
  PID:3040
- C:\Windows\System32\OIERPfw.exe
  C:\Windows\System32\OIERPfw.exe
  2⤵
  PID:4004
- C:\Windows\System32\uaDQzdO.exe
  C:\Windows\System32\uaDQzdO.exe
  2⤵
  PID:2340
- C:\Windows\System32\VGoAnWE.exe
  C:\Windows\System32\VGoAnWE.exe
  2⤵
  PID:3872
- C:\Windows\System32\IzzbmYt.exe
  C:\Windows\System32\IzzbmYt.exe
  2⤵
  PID:3640
- C:\Windows\System32\clRKMCf.exe
  C:\Windows\System32\clRKMCf.exe
  2⤵
  PID:2800
- C:\Windows\System32\GqfKCia.exe
  C:\Windows\System32\GqfKCia.exe
  2⤵
  PID:2344
- C:\Windows\System32\TwEIMYd.exe
  C:\Windows\System32\TwEIMYd.exe
  2⤵
  PID:4984
- C:\Windows\System32\PcuvkvA.exe
  C:\Windows\System32\PcuvkvA.exe
  2⤵
  PID:4548
- C:\Windows\System32\qflQNfn.exe
  C:\Windows\System32\qflQNfn.exe
  2⤵
  PID:4676
- C:\Windows\System32\ObRQROZ.exe
  C:\Windows\System32\ObRQROZ.exe
  2⤵
  PID:4084
- C:\Windows\System32\OkEzcJG.exe
  C:\Windows\System32\OkEzcJG.exe
  2⤵
  PID:3188
- C:\Windows\System32\WtyGyFv.exe
  C:\Windows\System32\WtyGyFv.exe
  2⤵
  PID:3940
- C:\Windows\System32\EXsAYIW.exe
  C:\Windows\System32\EXsAYIW.exe
  2⤵
  PID:5136
- C:\Windows\System32\OJNhGgF.exe
  C:\Windows\System32\OJNhGgF.exe
  2⤵
  PID:5160
- C:\Windows\System32\qNriqjN.exe
  C:\Windows\System32\qNriqjN.exe
  2⤵
  PID:5192
- C:\Windows\System32\BlwqWXj.exe
  C:\Windows\System32\BlwqWXj.exe
  2⤵
  PID:5216
- C:\Windows\System32\PJYAqPd.exe
  C:\Windows\System32\PJYAqPd.exe
  2⤵
  PID:5248
- C:\Windows\System32\sawNDYu.exe
  C:\Windows\System32\sawNDYu.exe
  2⤵
  PID:5276
- C:\Windows\System32\ofuHSES.exe
  C:\Windows\System32\ofuHSES.exe
  2⤵
  PID:5300
- C:\Windows\System32\VURtjaK.exe
  C:\Windows\System32\VURtjaK.exe
  2⤵
  PID:5332
- C:\Windows\System32\YrYvAft.exe
  C:\Windows\System32\YrYvAft.exe
  2⤵
  PID:5356
- C:\Windows\System32\MvsIMjS.exe
  C:\Windows\System32\MvsIMjS.exe
  2⤵
  PID:5388
- C:\Windows\System32\vlHNVQe.exe
  C:\Windows\System32\vlHNVQe.exe
  2⤵
  PID:5464
- C:\Windows\System32\cjXSQDq.exe
  C:\Windows\System32\cjXSQDq.exe
  2⤵
  PID:5488
- C:\Windows\System32\gJOCUBM.exe
  C:\Windows\System32\gJOCUBM.exe
  2⤵
  PID:5532
- C:\Windows\System32\bKnaCUv.exe
  C:\Windows\System32\bKnaCUv.exe
  2⤵
  PID:5564
- C:\Windows\System32\JewipTG.exe
  C:\Windows\System32\JewipTG.exe
  2⤵
  PID:5592
- C:\Windows\System32\GlWDnOb.exe
  C:\Windows\System32\GlWDnOb.exe
  2⤵
  PID:5620
- C:\Windows\System32\fJYzoYn.exe
  C:\Windows\System32\fJYzoYn.exe
  2⤵
  PID:5648
- C:\Windows\System32\bAdgEcJ.exe
  C:\Windows\System32\bAdgEcJ.exe
  2⤵
  PID:5676
- C:\Windows\System32\uojBseb.exe
  C:\Windows\System32\uojBseb.exe
  2⤵
  PID:5744
- C:\Windows\System32\RjwFXJU.exe
  C:\Windows\System32\RjwFXJU.exe
  2⤵
  PID:5772
- C:\Windows\System32\RgAUCQF.exe
  C:\Windows\System32\RgAUCQF.exe
  2⤵
  PID:5792
- C:\Windows\System32\mNILWkN.exe
  C:\Windows\System32\mNILWkN.exe
  2⤵
  PID:5808
- C:\Windows\System32\LDKyIgU.exe
  C:\Windows\System32\LDKyIgU.exe
  2⤵
  PID:5844
- C:\Windows\System32\xWXvlqD.exe
  C:\Windows\System32\xWXvlqD.exe
  2⤵
  PID:5880
- C:\Windows\System32\bpxNDuz.exe
  C:\Windows\System32\bpxNDuz.exe
  2⤵
  PID:5896
- C:\Windows\System32\HzsAmWi.exe
  C:\Windows\System32\HzsAmWi.exe
  2⤵
  PID:5928
- C:\Windows\System32\RNQeMoN.exe
  C:\Windows\System32\RNQeMoN.exe
  2⤵
  PID:5976
- C:\Windows\System32\vbRVqIX.exe
  C:\Windows\System32\vbRVqIX.exe
  2⤵
  PID:5996
- C:\Windows\System32\tjFEDGo.exe
  C:\Windows\System32\tjFEDGo.exe
  2⤵
  PID:6028
- C:\Windows\System32\xHIKhew.exe
  C:\Windows\System32\xHIKhew.exe
  2⤵
  PID:6048
- C:\Windows\System32\XVLNrob.exe
  C:\Windows\System32\XVLNrob.exe
  2⤵
  PID:6064
- C:\Windows\System32\eYnwVvg.exe
  C:\Windows\System32\eYnwVvg.exe
  2⤵
  PID:6088
- C:\Windows\System32\kAqJlky.exe
  C:\Windows\System32\kAqJlky.exe
  2⤵
  PID:6104
- C:\Windows\System32\oqHLbyT.exe
  C:\Windows\System32\oqHLbyT.exe
  2⤵
  PID:6128
- C:\Windows\System32\aedlNJK.exe
  C:\Windows\System32\aedlNJK.exe
  2⤵
  PID:4600
- C:\Windows\System32\waqhBjC.exe
  C:\Windows\System32\waqhBjC.exe
  2⤵
  PID:2544
- C:\Windows\System32\BlkzyKX.exe
  C:\Windows\System32\BlkzyKX.exe
  2⤵
  PID:5144
- C:\Windows\System32\FIWaOdv.exe
  C:\Windows\System32\FIWaOdv.exe
  2⤵
  PID:5256
- C:\Windows\System32\HYvlQzO.exe
  C:\Windows\System32\HYvlQzO.exe
  2⤵
  PID:5316
- C:\Windows\System32\owFqGPt.exe
  C:\Windows\System32\owFqGPt.exe
  2⤵
  PID:5340
- C:\Windows\System32\VuqOgjn.exe
  C:\Windows\System32\VuqOgjn.exe
  2⤵
  PID:5472
- C:\Windows\System32\UZUemCH.exe
  C:\Windows\System32\UZUemCH.exe
  2⤵
  PID:4736
- C:\Windows\System32\BAKMMkm.exe
  C:\Windows\System32\BAKMMkm.exe
  2⤵
  PID:3292
- C:\Windows\System32\xNtfDCq.exe
  C:\Windows\System32\xNtfDCq.exe
  2⤵
  PID:5752
- C:\Windows\System32\OPtEYzl.exe
  C:\Windows\System32\OPtEYzl.exe
  2⤵
  PID:5788
- C:\Windows\System32\eYKnmYj.exe
  C:\Windows\System32\eYKnmYj.exe
  2⤵
  PID:5804
- C:\Windows\System32\dPEUfza.exe
  C:\Windows\System32\dPEUfza.exe
  2⤵
  PID:5840
- C:\Windows\System32\NuBtkIU.exe
  C:\Windows\System32\NuBtkIU.exe
  2⤵
  PID:5948
- C:\Windows\System32\yDglIAr.exe
  C:\Windows\System32\yDglIAr.exe
  2⤵
  PID:5984
- C:\Windows\System32\plQCQnp.exe
  C:\Windows\System32\plQCQnp.exe
  2⤵
  PID:1848
- C:\Windows\System32\bKFsXMI.exe
  C:\Windows\System32\bKFsXMI.exe
  2⤵
  PID:6072
- C:\Windows\System32\RhNdgBs.exe
  C:\Windows\System32\RhNdgBs.exe
  2⤵
  PID:1408
- C:\Windows\System32\ArDLcpb.exe
  C:\Windows\System32\ArDLcpb.exe
  2⤵
  PID:5224
- C:\Windows\System32\rDOGBrL.exe
  C:\Windows\System32\rDOGBrL.exe
  2⤵
  PID:2564
- C:\Windows\System32\xkXhvJx.exe
  C:\Windows\System32\xkXhvJx.exe
  2⤵
  PID:1000
- C:\Windows\System32\VIYpZYo.exe
  C:\Windows\System32\VIYpZYo.exe
  2⤵
  PID:5732
- C:\Windows\System32\ZgOsznz.exe
  C:\Windows\System32\ZgOsznz.exe
  2⤵
  PID:5784
- C:\Windows\System32\lkrBlrL.exe
  C:\Windows\System32\lkrBlrL.exe
  2⤵
  PID:5988
- C:\Windows\System32\RAgXQyH.exe
  C:\Windows\System32\RAgXQyH.exe
  2⤵
  PID:6008
- C:\Windows\System32\gmaWaxb.exe
  C:\Windows\System32\gmaWaxb.exe
  2⤵
  PID:5616
- C:\Windows\System32\naWsXrZ.exe
  C:\Windows\System32\naWsXrZ.exe
  2⤵
  PID:4008
- C:\Windows\System32\QWuaYdV.exe
  C:\Windows\System32\QWuaYdV.exe
  2⤵
  PID:5708
- C:\Windows\System32\VbJwyYu.exe
  C:\Windows\System32\VbJwyYu.exe
  2⤵
  PID:6044
- C:\Windows\System32\GJKFaDq.exe
  C:\Windows\System32\GJKFaDq.exe
  2⤵
  PID:5404
- C:\Windows\System32\WjQrHzJ.exe
  C:\Windows\System32\WjQrHzJ.exe
  2⤵
  PID:5872
- C:\Windows\System32\GSmQOWw.exe
  C:\Windows\System32\GSmQOWw.exe
  2⤵
  PID:5124
- C:\Windows\System32\YdcxxXO.exe
  C:\Windows\System32\YdcxxXO.exe
  2⤵
  PID:6168
- C:\Windows\System32\LqwcpME.exe
  C:\Windows\System32\LqwcpME.exe
  2⤵
  PID:6200
- C:\Windows\System32\lCsZUTI.exe
  C:\Windows\System32\lCsZUTI.exe
  2⤵
  PID:6228
- C:\Windows\System32\BECuYwk.exe
  C:\Windows\System32\BECuYwk.exe
  2⤵
  PID:6256
- C:\Windows\System32\ZNBeKwR.exe
  C:\Windows\System32\ZNBeKwR.exe
  2⤵
  PID:6284
- C:\Windows\System32\nFolAfB.exe
  C:\Windows\System32\nFolAfB.exe
  2⤵
  PID:6308
- C:\Windows\System32\HamkMer.exe
  C:\Windows\System32\HamkMer.exe
  2⤵
  PID:6328
- C:\Windows\System32\OEJWpuz.exe
  C:\Windows\System32\OEJWpuz.exe
  2⤵
  PID:6364
- C:\Windows\System32\IEUsKWL.exe
  C:\Windows\System32\IEUsKWL.exe
  2⤵
  PID:6396
- C:\Windows\System32\FBaXOXM.exe
  C:\Windows\System32\FBaXOXM.exe
  2⤵
  PID:6412
- C:\Windows\System32\QUorvdB.exe
  C:\Windows\System32\QUorvdB.exe
  2⤵
  PID:6448
- C:\Windows\System32\EqyNXRs.exe
  C:\Windows\System32\EqyNXRs.exe
  2⤵
  PID:6476
- C:\Windows\System32\teNBXXV.exe
  C:\Windows\System32\teNBXXV.exe
  2⤵
  PID:6500
- C:\Windows\System32\RWAMWCD.exe
  C:\Windows\System32\RWAMWCD.exe
  2⤵
  PID:6524
- C:\Windows\System32\OiTZzaA.exe
  C:\Windows\System32\OiTZzaA.exe
  2⤵
  PID:6548
- C:\Windows\System32\JKCatDT.exe
  C:\Windows\System32\JKCatDT.exe
  2⤵
  PID:6576
- C:\Windows\System32\MVSKGng.exe
  C:\Windows\System32\MVSKGng.exe
  2⤵
  PID:6616
- C:\Windows\System32\QdMZOEg.exe
  C:\Windows\System32\QdMZOEg.exe
  2⤵
  PID:6636
- C:\Windows\System32\MmEOQpf.exe
  C:\Windows\System32\MmEOQpf.exe
  2⤵
  PID:6652
- C:\Windows\System32\uzHVJpL.exe
  C:\Windows\System32\uzHVJpL.exe
  2⤵
  PID:6676
- C:\Windows\System32\MnyttHj.exe
  C:\Windows\System32\MnyttHj.exe
  2⤵
  PID:6724
- C:\Windows\System32\wuKIrCV.exe
  C:\Windows\System32\wuKIrCV.exe
  2⤵
  PID:6768
- C:\Windows\System32\yoIUtLq.exe
  C:\Windows\System32\yoIUtLq.exe
  2⤵
  PID:6788
- C:\Windows\System32\KogHDfB.exe
  C:\Windows\System32\KogHDfB.exe
  2⤵
  PID:6812
- C:\Windows\System32\nWEUtMw.exe
  C:\Windows\System32\nWEUtMw.exe
  2⤵
  PID:6832
- C:\Windows\System32\QXFVxeB.exe
  C:\Windows\System32\QXFVxeB.exe
  2⤵
  PID:6848
- C:\Windows\System32\lSNiFaz.exe
  C:\Windows\System32\lSNiFaz.exe
  2⤵
  PID:6876
- C:\Windows\System32\oWHtWKs.exe
  C:\Windows\System32\oWHtWKs.exe
  2⤵
  PID:6892
- C:\Windows\System32\kcCBYAv.exe
  C:\Windows\System32\kcCBYAv.exe
  2⤵
  PID:6928
- C:\Windows\System32\dKmzZro.exe
  C:\Windows\System32\dKmzZro.exe
  2⤵
  PID:6964
- C:\Windows\System32\FKacKlf.exe
  C:\Windows\System32\FKacKlf.exe
  2⤵
  PID:6984
- C:\Windows\System32\jLDBnAa.exe
  C:\Windows\System32\jLDBnAa.exe
  2⤵
  PID:7036
- C:\Windows\System32\yZUuLxl.exe
  C:\Windows\System32\yZUuLxl.exe
  2⤵
  PID:7068
- C:\Windows\System32\ETdJgpz.exe
  C:\Windows\System32\ETdJgpz.exe
  2⤵
  PID:7088
- C:\Windows\System32\bVdpKCo.exe
  C:\Windows\System32\bVdpKCo.exe
  2⤵
  PID:7104
- C:\Windows\System32\WIbHxAK.exe
  C:\Windows\System32\WIbHxAK.exe
  2⤵
  PID:7140
- C:\Windows\System32\lsnxpXQ.exe
  C:\Windows\System32\lsnxpXQ.exe
  2⤵
  PID:6160
- C:\Windows\System32\etmIupj.exe
  C:\Windows\System32\etmIupj.exe
  2⤵
  PID:6244
- C:\Windows\System32\ejFyCbE.exe
  C:\Windows\System32\ejFyCbE.exe
  2⤵
  PID:6276
- C:\Windows\System32\CQrplhO.exe
  C:\Windows\System32\CQrplhO.exe
  2⤵
  PID:6320
- C:\Windows\System32\aRvraBV.exe
  C:\Windows\System32\aRvraBV.exe
  2⤵
  PID:6436
- C:\Windows\System32\HtxYutx.exe
  C:\Windows\System32\HtxYutx.exe
  2⤵
  PID:6492
- C:\Windows\System32\EvikPRj.exe
  C:\Windows\System32\EvikPRj.exe
  2⤵
  PID:6540
- C:\Windows\System32\pvDQeZf.exe
  C:\Windows\System32\pvDQeZf.exe
  2⤵
  PID:6560
- C:\Windows\System32\RnwetRZ.exe
  C:\Windows\System32\RnwetRZ.exe
  2⤵
  PID:6664
- C:\Windows\System32\YZgLsSZ.exe
  C:\Windows\System32\YZgLsSZ.exe
  2⤵
  PID:6740
- C:\Windows\System32\ZOfygkh.exe
  C:\Windows\System32\ZOfygkh.exe
  2⤵
  PID:6828
- C:\Windows\System32\qPwblXk.exe
  C:\Windows\System32\qPwblXk.exe
  2⤵
  PID:6888
- C:\Windows\System32\zpPbgVM.exe
  C:\Windows\System32\zpPbgVM.exe
  2⤵
  PID:6912
- C:\Windows\System32\bYhwPNI.exe
  C:\Windows\System32\bYhwPNI.exe
  2⤵
  PID:7044
- C:\Windows\System32\oPEizBz.exe
  C:\Windows\System32\oPEizBz.exe
  2⤵
  PID:7064
- C:\Windows\System32\qOorNSS.exe
  C:\Windows\System32\qOorNSS.exe
  2⤵
  PID:7136
- C:\Windows\System32\mWkxWgn.exe
  C:\Windows\System32\mWkxWgn.exe
  2⤵
  PID:6280
- C:\Windows\System32\SgJcVlR.exe
  C:\Windows\System32\SgJcVlR.exe
  2⤵
  PID:6324
- C:\Windows\System32\pbcVAQR.exe
  C:\Windows\System32\pbcVAQR.exe
  2⤵
  PID:6472
- C:\Windows\System32\UcIGfOw.exe
  C:\Windows\System32\UcIGfOw.exe
  2⤵
  PID:6720
- C:\Windows\System32\mToBmdM.exe
  C:\Windows\System32\mToBmdM.exe
  2⤵
  PID:6868
- C:\Windows\System32\RcbTXDT.exe
  C:\Windows\System32\RcbTXDT.exe
  2⤵
  PID:6976
- C:\Windows\System32\aNtdxtM.exe
  C:\Windows\System32\aNtdxtM.exe
  2⤵
  PID:7028
- C:\Windows\System32\ZkfnAaM.exe
  C:\Windows\System32\ZkfnAaM.exe
  2⤵
  PID:6408
- C:\Windows\System32\IiXjCRC.exe
  C:\Windows\System32\IiXjCRC.exe
  2⤵
  PID:6952
- C:\Windows\System32\kvxPPln.exe
  C:\Windows\System32\kvxPPln.exe
  2⤵
  PID:6236
- C:\Windows\System32\vmglsLL.exe
  C:\Windows\System32\vmglsLL.exe
  2⤵
  PID:6924
- C:\Windows\System32\TDdSpiU.exe
  C:\Windows\System32\TDdSpiU.exe
  2⤵
  PID:7192
- C:\Windows\System32\WcdMeoc.exe
  C:\Windows\System32\WcdMeoc.exe
  2⤵
  PID:7216
- C:\Windows\System32\dYiHfjJ.exe
  C:\Windows\System32\dYiHfjJ.exe
  2⤵
  PID:7236
- C:\Windows\System32\UwTDRSc.exe
  C:\Windows\System32\UwTDRSc.exe
  2⤵
  PID:7268
- C:\Windows\System32\KAXCLpc.exe
  C:\Windows\System32\KAXCLpc.exe
  2⤵
  PID:7296
- C:\Windows\System32\YgZnAfx.exe
  C:\Windows\System32\YgZnAfx.exe
  2⤵
  PID:7332
- C:\Windows\System32\nNrmnxz.exe
  C:\Windows\System32\nNrmnxz.exe
  2⤵
  PID:7360
- C:\Windows\System32\ZbgywKb.exe
  C:\Windows\System32\ZbgywKb.exe
  2⤵
  PID:7380
- C:\Windows\System32\wtAGdso.exe
  C:\Windows\System32\wtAGdso.exe
  2⤵
  PID:7396
- C:\Windows\System32\IHhIxlj.exe
  C:\Windows\System32\IHhIxlj.exe
  2⤵
  PID:7444
- C:\Windows\System32\TnHtbBl.exe
  C:\Windows\System32\TnHtbBl.exe
  2⤵
  PID:7472
- C:\Windows\System32\tBQTGxD.exe
  C:\Windows\System32\tBQTGxD.exe
  2⤵
  PID:7524
- C:\Windows\System32\xsFMeuv.exe
  C:\Windows\System32\xsFMeuv.exe
  2⤵
  PID:7540
- C:\Windows\System32\PvACgGF.exe
  C:\Windows\System32\PvACgGF.exe
  2⤵
  PID:7568
- C:\Windows\System32\FajtKOK.exe
  C:\Windows\System32\FajtKOK.exe
  2⤵
  PID:7584
- C:\Windows\System32\QXaSXsz.exe
  C:\Windows\System32\QXaSXsz.exe
  2⤵
  PID:7612
- C:\Windows\System32\xRJmNpK.exe
  C:\Windows\System32\xRJmNpK.exe
  2⤵
  PID:7648
- C:\Windows\System32\egOmttv.exe
  C:\Windows\System32\egOmttv.exe
  2⤵
  PID:7680
- C:\Windows\System32\xIbPxpU.exe
  C:\Windows\System32\xIbPxpU.exe
  2⤵
  PID:7720
- C:\Windows\System32\wcPilxQ.exe
  C:\Windows\System32\wcPilxQ.exe
  2⤵
  PID:7736
- C:\Windows\System32\dPeuZSf.exe
  C:\Windows\System32\dPeuZSf.exe
  2⤵
  PID:7764
- C:\Windows\System32\CMcFxkX.exe
  C:\Windows\System32\CMcFxkX.exe
  2⤵
  PID:7784
- C:\Windows\System32\iFdAtnh.exe
  C:\Windows\System32\iFdAtnh.exe
  2⤵
  PID:7800
- C:\Windows\System32\ENskQwL.exe
  C:\Windows\System32\ENskQwL.exe
  2⤵
  PID:7860
- C:\Windows\System32\iqTNCJV.exe
  C:\Windows\System32\iqTNCJV.exe
  2⤵
  PID:7876
- C:\Windows\System32\IGAfDJl.exe
  C:\Windows\System32\IGAfDJl.exe
  2⤵
  PID:7900
- C:\Windows\System32\ezESkzK.exe
  C:\Windows\System32\ezESkzK.exe
  2⤵
  PID:7924
- C:\Windows\System32\SyrOKua.exe
  C:\Windows\System32\SyrOKua.exe
  2⤵
  PID:7948
- C:\Windows\System32\zXfgBPq.exe
  C:\Windows\System32\zXfgBPq.exe
  2⤵
  PID:7984
- C:\Windows\System32\eQAGkjY.exe
  C:\Windows\System32\eQAGkjY.exe
  2⤵
  PID:8028
- C:\Windows\System32\DRaJjsi.exe
  C:\Windows\System32\DRaJjsi.exe
  2⤵
  PID:8044
- C:\Windows\System32\imaSXIp.exe
  C:\Windows\System32\imaSXIp.exe
  2⤵
  PID:8060
- C:\Windows\System32\zFYGiKq.exe
  C:\Windows\System32\zFYGiKq.exe
  2⤵
  PID:8088
- C:\Windows\System32\ZWTbaan.exe
  C:\Windows\System32\ZWTbaan.exe
  2⤵
  PID:8120
- C:\Windows\System32\xFartKE.exe
  C:\Windows\System32\xFartKE.exe
  2⤵
  PID:8160
- C:\Windows\System32\vZhANgO.exe
  C:\Windows\System32\vZhANgO.exe
  2⤵
  PID:8184
- C:\Windows\System32\hlRTcED.exe
  C:\Windows\System32\hlRTcED.exe
  2⤵
  PID:7188
- C:\Windows\System32\oRcqdNx.exe
  C:\Windows\System32\oRcqdNx.exe
  2⤵
  PID:7176
- C:\Windows\System32\cYfeDPg.exe
  C:\Windows\System32\cYfeDPg.exe
  2⤵
  PID:7260
- C:\Windows\System32\tMdtCbH.exe
  C:\Windows\System32\tMdtCbH.exe
  2⤵
  PID:7324
- C:\Windows\System32\lcrmCWV.exe
  C:\Windows\System32\lcrmCWV.exe
  2⤵
  PID:7344
- C:\Windows\System32\BJkSpSG.exe
  C:\Windows\System32\BJkSpSG.exe
  2⤵
  PID:7460
- C:\Windows\System32\eKvXlus.exe
  C:\Windows\System32\eKvXlus.exe
  2⤵
  PID:7556
- C:\Windows\System32\LHFPAmp.exe
  C:\Windows\System32\LHFPAmp.exe
  2⤵
  PID:7604
- C:\Windows\System32\cxxxrjm.exe
  C:\Windows\System32\cxxxrjm.exe
  2⤵
  PID:7752
- C:\Windows\System32\VgeuGOk.exe
  C:\Windows\System32\VgeuGOk.exe
  2⤵
  PID:7776
- C:\Windows\System32\PTrANNJ.exe
  C:\Windows\System32\PTrANNJ.exe
  2⤵
  PID:7832
- C:\Windows\System32\OceEdUR.exe
  C:\Windows\System32\OceEdUR.exe
  2⤵
  PID:7940
- C:\Windows\System32\kKaCEai.exe
  C:\Windows\System32\kKaCEai.exe
  2⤵
  PID:7960
- C:\Windows\System32\lckltDH.exe
  C:\Windows\System32\lckltDH.exe
  2⤵
  PID:7992
- C:\Windows\System32\aXjAJbg.exe
  C:\Windows\System32\aXjAJbg.exe
  2⤵
  PID:8056
- C:\Windows\System32\RAsqykf.exe
  C:\Windows\System32\RAsqykf.exe
  2⤵
  PID:8144
- C:\Windows\System32\ZDPYRBC.exe
  C:\Windows\System32\ZDPYRBC.exe
  2⤵
  PID:7372
- C:\Windows\System32\hZPGnxc.exe
  C:\Windows\System32\hZPGnxc.exe
  2⤵
  PID:7308
- C:\Windows\System32\quySrqI.exe
  C:\Windows\System32\quySrqI.exe
  2⤵
  PID:7500
- C:\Windows\System32\FLmSxZI.exe
  C:\Windows\System32\FLmSxZI.exe
  2⤵
  PID:7624
- C:\Windows\System32\dHEcowq.exe
  C:\Windows\System32\dHEcowq.exe
  2⤵
  PID:7760
- C:\Windows\System32\LUkwAgy.exe
  C:\Windows\System32\LUkwAgy.exe
  2⤵
  PID:7816
- C:\Windows\System32\PmLFMLK.exe
  C:\Windows\System32\PmLFMLK.exe
  2⤵
  PID:8076
- C:\Windows\System32\hRiXNtT.exe
  C:\Windows\System32\hRiXNtT.exe
  2⤵
  PID:7228
- C:\Windows\System32\GhNTySZ.exe
  C:\Windows\System32\GhNTySZ.exe
  2⤵
  PID:7852
- C:\Windows\System32\BiMLqpH.exe
  C:\Windows\System32\BiMLqpH.exe
  2⤵
  PID:7968
- C:\Windows\System32\dsFQJAe.exe
  C:\Windows\System32\dsFQJAe.exe
  2⤵
  PID:8140
- C:\Windows\System32\XksPefi.exe
  C:\Windows\System32\XksPefi.exe
  2⤵
  PID:8204
- C:\Windows\System32\lBGBMoH.exe
  C:\Windows\System32\lBGBMoH.exe
  2⤵
  PID:8232
- C:\Windows\System32\WpuSIpt.exe
  C:\Windows\System32\WpuSIpt.exe
  2⤵
  PID:8264
- C:\Windows\System32\lSaIwJO.exe
  C:\Windows\System32\lSaIwJO.exe
  2⤵
  PID:8292
- C:\Windows\System32\UPooFQn.exe
  C:\Windows\System32\UPooFQn.exe
  2⤵
  PID:8324
- C:\Windows\System32\NXVSrvS.exe
  C:\Windows\System32\NXVSrvS.exe
  2⤵
  PID:8340
- C:\Windows\System32\zfcFytN.exe
  C:\Windows\System32\zfcFytN.exe
  2⤵
  PID:8384
- C:\Windows\System32\PIPiSHz.exe
  C:\Windows\System32\PIPiSHz.exe
  2⤵
  PID:8400
- C:\Windows\System32\ammOuXB.exe
  C:\Windows\System32\ammOuXB.exe
  2⤵
  PID:8440
- C:\Windows\System32\AjKwUBx.exe
  C:\Windows\System32\AjKwUBx.exe
  2⤵
  PID:8464
- C:\Windows\System32\HcqTMNd.exe
  C:\Windows\System32\HcqTMNd.exe
  2⤵
  PID:8496
- C:\Windows\System32\fanNYuq.exe
  C:\Windows\System32\fanNYuq.exe
  2⤵
  PID:8512
- C:\Windows\System32\vCWQTTt.exe
  C:\Windows\System32\vCWQTTt.exe
  2⤵
  PID:8540
- C:\Windows\System32\hiFTegA.exe
  C:\Windows\System32\hiFTegA.exe
  2⤵
  PID:8580
- C:\Windows\System32\LUJhtow.exe
  C:\Windows\System32\LUJhtow.exe
  2⤵
  PID:8600
- C:\Windows\System32\vxayobH.exe
  C:\Windows\System32\vxayobH.exe
  2⤵
  PID:8632
- C:\Windows\System32\dyRXgCo.exe
  C:\Windows\System32\dyRXgCo.exe
  2⤵
  PID:8672
- C:\Windows\System32\ZEuEQBN.exe
  C:\Windows\System32\ZEuEQBN.exe
  2⤵
  PID:8692
- C:\Windows\System32\GtdrlgQ.exe
  C:\Windows\System32\GtdrlgQ.exe
  2⤵
  PID:8720
- C:\Windows\System32\zkMOvZI.exe
  C:\Windows\System32\zkMOvZI.exe
  2⤵
  PID:8748
- C:\Windows\System32\JeTPhPS.exe
  C:\Windows\System32\JeTPhPS.exe
  2⤵
  PID:8776
- C:\Windows\System32\DyZnaEh.exe
  C:\Windows\System32\DyZnaEh.exe
  2⤵
  PID:8800
- C:\Windows\System32\ZyEfoRL.exe
  C:\Windows\System32\ZyEfoRL.exe
  2⤵
  PID:8820
- C:\Windows\System32\MaxUhdj.exe
  C:\Windows\System32\MaxUhdj.exe
  2⤵
  PID:8860
- C:\Windows\System32\QRcKciS.exe
  C:\Windows\System32\QRcKciS.exe
  2⤵
  PID:8876
- C:\Windows\System32\fMEwNjU.exe
  C:\Windows\System32\fMEwNjU.exe
  2⤵
  PID:8896
- C:\Windows\System32\ENcchnh.exe
  C:\Windows\System32\ENcchnh.exe
  2⤵
  PID:8924
- C:\Windows\System32\dglVWqX.exe
  C:\Windows\System32\dglVWqX.exe
  2⤵
  PID:8952
- C:\Windows\System32\YWLESDF.exe
  C:\Windows\System32\YWLESDF.exe
  2⤵
  PID:8968
- C:\Windows\System32\RXyuZkx.exe
  C:\Windows\System32\RXyuZkx.exe
  2⤵
  PID:8992
- C:\Windows\System32\qwPtjUk.exe
  C:\Windows\System32\qwPtjUk.exe
  2⤵
  PID:9040
- C:\Windows\System32\ocSiiJb.exe
  C:\Windows\System32\ocSiiJb.exe
  2⤵
  PID:9080
- C:\Windows\System32\mcCwmCp.exe
  C:\Windows\System32\mcCwmCp.exe
  2⤵
  PID:9104
- C:\Windows\System32\YUwUoWZ.exe
  C:\Windows\System32\YUwUoWZ.exe
  2⤵
  PID:9136
- C:\Windows\System32\rTDfysz.exe
  C:\Windows\System32\rTDfysz.exe
  2⤵
  PID:9164
- C:\Windows\System32\TciWeJt.exe
  C:\Windows\System32\TciWeJt.exe
  2⤵
  PID:9188
- C:\Windows\System32\LqLNjho.exe
  C:\Windows\System32\LqLNjho.exe
  2⤵
  PID:9212
- C:\Windows\System32\seHWwMG.exe
  C:\Windows\System32\seHWwMG.exe
  2⤵
  PID:8224
- C:\Windows\System32\pzwaAmf.exe
  C:\Windows\System32\pzwaAmf.exe
  2⤵
  PID:8284
- C:\Windows\System32\SOlglmv.exe
  C:\Windows\System32\SOlglmv.exe
  2⤵
  PID:8336
- C:\Windows\System32\QytnGsZ.exe
  C:\Windows\System32\QytnGsZ.exe
  2⤵
  PID:8352
- C:\Windows\System32\KkZgjyN.exe
  C:\Windows\System32\KkZgjyN.exe
  2⤵
  PID:8484
- C:\Windows\System32\UMmducQ.exe
  C:\Windows\System32\UMmducQ.exe
  2⤵
  PID:8552
- C:\Windows\System32\iLjYHCj.exe
  C:\Windows\System32\iLjYHCj.exe
  2⤵
  PID:8620
- C:\Windows\System32\coSaJxX.exe
  C:\Windows\System32\coSaJxX.exe
  2⤵
  PID:8664
- C:\Windows\System32\aKmVKmS.exe
  C:\Windows\System32\aKmVKmS.exe
  2⤵
  PID:8712
- C:\Windows\System32\TGyjVxo.exe
  C:\Windows\System32\TGyjVxo.exe
  2⤵
  PID:8792
- C:\Windows\System32\RjKgLAn.exe
  C:\Windows\System32\RjKgLAn.exe
  2⤵
  PID:8888
- C:\Windows\System32\rJSkqNT.exe
  C:\Windows\System32\rJSkqNT.exe
  2⤵
  PID:8948
- C:\Windows\System32\YieyrUJ.exe
  C:\Windows\System32\YieyrUJ.exe
  2⤵
  PID:9064
- C:\Windows\System32\fhxvMej.exe
  C:\Windows\System32\fhxvMej.exe
  2⤵
  PID:9172
- C:\Windows\System32\PPGDnsA.exe
  C:\Windows\System32\PPGDnsA.exe
  2⤵
  PID:9204
- C:\Windows\System32\XthNDqu.exe
  C:\Windows\System32\XthNDqu.exe
  2⤵
  PID:8308
- C:\Windows\System32\znmpDKV.exe
  C:\Windows\System32\znmpDKV.exe
  2⤵
  PID:8396
- C:\Windows\System32\hxMowUa.exe
  C:\Windows\System32\hxMowUa.exe
  2⤵
  PID:8704
- C:\Windows\System32\VKsfBES.exe
  C:\Windows\System32\VKsfBES.exe
  2⤵
  PID:8612
- C:\Windows\System32\bXYjMDq.exe
  C:\Windows\System32\bXYjMDq.exe
  2⤵
  PID:8768
- C:\Windows\System32\WkqwshD.exe
  C:\Windows\System32\WkqwshD.exe
  2⤵
  PID:9144
- C:\Windows\System32\akFtXwK.exe
  C:\Windows\System32\akFtXwK.exe
  2⤵
  PID:8272
- C:\Windows\System32\SRdlQKl.exe
  C:\Windows\System32\SRdlQKl.exe
  2⤵
  PID:8560
- C:\Windows\System32\ypyTBEi.exe
  C:\Windows\System32\ypyTBEi.exe
  2⤵
  PID:8812
- C:\Windows\System32\tEzcMkM.exe
  C:\Windows\System32\tEzcMkM.exe
  2⤵
  PID:8524
- C:\Windows\System32\nyTFEYv.exe
  C:\Windows\System32\nyTFEYv.exe
  2⤵
  PID:8716
- C:\Windows\System32\CopmFDM.exe
  C:\Windows\System32\CopmFDM.exe
  2⤵
  PID:9220
- C:\Windows\System32\bQUNWoz.exe
  C:\Windows\System32\bQUNWoz.exe
  2⤵
  PID:9252
- C:\Windows\System32\VEUeVKz.exe
  C:\Windows\System32\VEUeVKz.exe
  2⤵
  PID:9280
- C:\Windows\System32\WQkoLbQ.exe
  C:\Windows\System32\WQkoLbQ.exe
  2⤵
  PID:9296
- C:\Windows\System32\uqVOQmv.exe
  C:\Windows\System32\uqVOQmv.exe
  2⤵
  PID:9328
- C:\Windows\System32\NaDNZEX.exe
  C:\Windows\System32\NaDNZEX.exe
  2⤵
  PID:9392
- C:\Windows\System32\cpPxYRf.exe
  C:\Windows\System32\cpPxYRf.exe
  2⤵
  PID:9408
- C:\Windows\System32\UfBhTVo.exe
  C:\Windows\System32\UfBhTVo.exe
  2⤵
  PID:9436
- C:\Windows\System32\lyaxTPl.exe
  C:\Windows\System32\lyaxTPl.exe
  2⤵
  PID:9468
- C:\Windows\System32\mAADxYS.exe
  C:\Windows\System32\mAADxYS.exe
  2⤵
  PID:9500
- C:\Windows\System32\VaJPGIL.exe
  C:\Windows\System32\VaJPGIL.exe
  2⤵
  PID:9520
- C:\Windows\System32\dUjRBpB.exe
  C:\Windows\System32\dUjRBpB.exe
  2⤵
  PID:9536
- C:\Windows\System32\QBEeHNg.exe
  C:\Windows\System32\QBEeHNg.exe
  2⤵
  PID:9556
- C:\Windows\System32\STtusIb.exe
  C:\Windows\System32\STtusIb.exe
  2⤵
  PID:9592
- C:\Windows\System32\JtRNbXc.exe
  C:\Windows\System32\JtRNbXc.exe
  2⤵
  PID:9608
- C:\Windows\System32\vRRxUkg.exe
  C:\Windows\System32\vRRxUkg.exe
  2⤵
  PID:9672
- C:\Windows\System32\YvhGzQl.exe
  C:\Windows\System32\YvhGzQl.exe
  2⤵
  PID:9688
- C:\Windows\System32\VcEknZv.exe
  C:\Windows\System32\VcEknZv.exe
  2⤵
  PID:9720
- C:\Windows\System32\DoKrOUj.exe
  C:\Windows\System32\DoKrOUj.exe
  2⤵
  PID:9744
- C:\Windows\System32\lCBaaLP.exe
  C:\Windows\System32\lCBaaLP.exe
  2⤵
  PID:9768
- C:\Windows\System32\qQvzEjE.exe
  C:\Windows\System32\qQvzEjE.exe
  2⤵
  PID:9784
- C:\Windows\System32\EapqwoA.exe
  C:\Windows\System32\EapqwoA.exe
  2⤵
  PID:9808
- C:\Windows\System32\wrQjAmV.exe
  C:\Windows\System32\wrQjAmV.exe
  2⤵
  PID:9836
- C:\Windows\System32\FAriHgO.exe
  C:\Windows\System32\FAriHgO.exe
  2⤵
  PID:9884
- C:\Windows\System32\MOUQCYY.exe
  C:\Windows\System32\MOUQCYY.exe
  2⤵
  PID:9900
- C:\Windows\System32\cYEFdBT.exe
  C:\Windows\System32\cYEFdBT.exe
  2⤵
  PID:9924
- C:\Windows\System32\ObLYbzT.exe
  C:\Windows\System32\ObLYbzT.exe
  2⤵
  PID:9964
- C:\Windows\System32\zepGmZS.exe
  C:\Windows\System32\zepGmZS.exe
  2⤵
  PID:10000
- C:\Windows\System32\NeAuUQF.exe
  C:\Windows\System32\NeAuUQF.exe
  2⤵
  PID:10040
- C:\Windows\System32\DOKvCkc.exe
  C:\Windows\System32\DOKvCkc.exe
  2⤵
  PID:10068
- C:\Windows\System32\iuCAHiP.exe
  C:\Windows\System32\iuCAHiP.exe
  2⤵
  PID:10092
- C:\Windows\System32\ChFexYJ.exe
  C:\Windows\System32\ChFexYJ.exe
  2⤵
  PID:10112
- C:\Windows\System32\gVGTKSR.exe
  C:\Windows\System32\gVGTKSR.exe
  2⤵
  PID:10144
- C:\Windows\System32\VWqCGGY.exe
  C:\Windows\System32\VWqCGGY.exe
  2⤵
  PID:10196
- C:\Windows\System32\GHCrxwl.exe
  C:\Windows\System32\GHCrxwl.exe
  2⤵
  PID:10216
- C:\Windows\System32\sKWesaM.exe
  C:\Windows\System32\sKWesaM.exe
  2⤵
  PID:8276
- C:\Windows\System32\yfrMWYD.exe
  C:\Windows\System32\yfrMWYD.exe
  2⤵
  PID:9248
- C:\Windows\System32\RHzYYFS.exe
  C:\Windows\System32\RHzYYFS.exe
  2⤵
  PID:9288
- C:\Windows\System32\PFFKuYs.exe
  C:\Windows\System32\PFFKuYs.exe
  2⤵
  PID:9384
- C:\Windows\System32\eZeaCSF.exe
  C:\Windows\System32\eZeaCSF.exe
  2⤵
  PID:9456
- C:\Windows\System32\mbilIuM.exe
  C:\Windows\System32\mbilIuM.exe
  2⤵
  PID:9544
- C:\Windows\System32\pkBawaw.exe
  C:\Windows\System32\pkBawaw.exe
  2⤵
  PID:9580
- C:\Windows\System32\TxioKNg.exe
  C:\Windows\System32\TxioKNg.exe
  2⤵
  PID:9656
- C:\Windows\System32\WpTDfHZ.exe
  C:\Windows\System32\WpTDfHZ.exe
  2⤵
  PID:9716
- C:\Windows\System32\LMemYZf.exe
  C:\Windows\System32\LMemYZf.exe
  2⤵
  PID:9752
- C:\Windows\System32\JKxgGrF.exe
  C:\Windows\System32\JKxgGrF.exe
  2⤵
  PID:9780
- C:\Windows\System32\GVkxxFp.exe
  C:\Windows\System32\GVkxxFp.exe
  2⤵
  PID:9844
- C:\Windows\System32\uYpnIaX.exe
  C:\Windows\System32\uYpnIaX.exe
  2⤵
  PID:9948
- C:\Windows\System32\dWdUiMH.exe
  C:\Windows\System32\dWdUiMH.exe
  2⤵
  PID:9984
- C:\Windows\System32\zgNtpvT.exe
  C:\Windows\System32\zgNtpvT.exe
  2⤵
  PID:8256
- C:\Windows\System32\kmZktsg.exe
  C:\Windows\System32\kmZktsg.exe
  2⤵
  PID:10104
- C:\Windows\System32\wcTBnll.exe
  C:\Windows\System32\wcTBnll.exe
  2⤵
  PID:10232
- C:\Windows\System32\JfYGDsc.exe
  C:\Windows\System32\JfYGDsc.exe
  2⤵
  PID:9304
- C:\Windows\System32\RuwxUey.exe
  C:\Windows\System32\RuwxUey.exe
  2⤵
  PID:9488
- C:\Windows\System32\wCBNqSa.exe
  C:\Windows\System32\wCBNqSa.exe
  2⤵
  PID:9648
- C:\Windows\System32\FdIoMbU.exe
  C:\Windows\System32\FdIoMbU.exe
  2⤵
  PID:9792
- C:\Windows\System32\fidZxjx.exe
  C:\Windows\System32\fidZxjx.exe
  2⤵
  PID:9972
- C:\Windows\System32\gtGjAaX.exe
  C:\Windows\System32\gtGjAaX.exe
  2⤵
  PID:10084
- C:\Windows\System32\xxapYcN.exe
  C:\Windows\System32\xxapYcN.exe
  2⤵
  PID:9260
- C:\Windows\System32\hXhSgRp.exe
  C:\Windows\System32\hXhSgRp.exe
  2⤵
  PID:9620
- C:\Windows\System32\HFNferd.exe
  C:\Windows\System32\HFNferd.exe
  2⤵
  PID:9892
- C:\Windows\System32\sGHRsax.exe
  C:\Windows\System32\sGHRsax.exe
  2⤵
  PID:10140
- C:\Windows\System32\gGdQUml.exe
  C:\Windows\System32\gGdQUml.exe
  2⤵
  PID:9532
- C:\Windows\System32\yoIxWNg.exe
  C:\Windows\System32\yoIxWNg.exe
  2⤵
  PID:10244
- C:\Windows\System32\yzRzxTX.exe
  C:\Windows\System32\yzRzxTX.exe
  2⤵
  PID:10288
- C:\Windows\System32\pbEuyuH.exe
  C:\Windows\System32\pbEuyuH.exe
  2⤵
  PID:10328
- C:\Windows\System32\qkiEeFf.exe
  C:\Windows\System32\qkiEeFf.exe
  2⤵
  PID:10352
- C:\Windows\System32\tjaqvtJ.exe
  C:\Windows\System32\tjaqvtJ.exe
  2⤵
  PID:10376
- C:\Windows\System32\gBRCzeY.exe
  C:\Windows\System32\gBRCzeY.exe
  2⤵
  PID:10404
- C:\Windows\System32\zmwFTPP.exe
  C:\Windows\System32\zmwFTPP.exe
  2⤵
  PID:10420
- C:\Windows\System32\xWBESkd.exe
  C:\Windows\System32\xWBESkd.exe
  2⤵
  PID:10440
- C:\Windows\System32\qQAeKoY.exe
  C:\Windows\System32\qQAeKoY.exe
  2⤵
  PID:10464
- C:\Windows\System32\byJctrA.exe
  C:\Windows\System32\byJctrA.exe
  2⤵
  PID:10504
- C:\Windows\System32\xdaXiWR.exe
  C:\Windows\System32\xdaXiWR.exe
  2⤵
  PID:10556
- C:\Windows\System32\fRvUPSt.exe
  C:\Windows\System32\fRvUPSt.exe
  2⤵
  PID:10572
- C:\Windows\System32\aGBDPKj.exe
  C:\Windows\System32\aGBDPKj.exe
  2⤵
  PID:10592
- C:\Windows\System32\ahstdnB.exe
  C:\Windows\System32\ahstdnB.exe
  2⤵
  PID:10624
- C:\Windows\System32\eBATjbZ.exe
  C:\Windows\System32\eBATjbZ.exe
  2⤵
  PID:10664
- C:\Windows\System32\fgVfNiV.exe
  C:\Windows\System32\fgVfNiV.exe
  2⤵
  PID:10680
- C:\Windows\System32\IMejOTn.exe
  C:\Windows\System32\IMejOTn.exe
  2⤵
  PID:10700
- C:\Windows\System32\FTpCeny.exe
  C:\Windows\System32\FTpCeny.exe
  2⤵
  PID:10720
- C:\Windows\System32\YYQwulU.exe
  C:\Windows\System32\YYQwulU.exe
  2⤵
  PID:10736
- C:\Windows\System32\uVkrvNW.exe
  C:\Windows\System32\uVkrvNW.exe
  2⤵
  PID:10804
- C:\Windows\System32\QRwmcGp.exe
  C:\Windows\System32\QRwmcGp.exe
  2⤵
  PID:10836
- C:\Windows\System32\yFYtkkV.exe
  C:\Windows\System32\yFYtkkV.exe
  2⤵
  PID:10852
- C:\Windows\System32\PieHnYq.exe
  C:\Windows\System32\PieHnYq.exe
  2⤵
  PID:10872
- C:\Windows\System32\RXnrIyb.exe
  C:\Windows\System32\RXnrIyb.exe
  2⤵
  PID:10900
- C:\Windows\System32\WevrVZK.exe
  C:\Windows\System32\WevrVZK.exe
  2⤵
  PID:10916
- C:\Windows\System32\sVvLpDi.exe
  C:\Windows\System32\sVvLpDi.exe
  2⤵
  PID:10972
- C:\Windows\System32\rOoPYYm.exe
  C:\Windows\System32\rOoPYYm.exe
  2⤵
  PID:11004
- C:\Windows\System32\lOQOUJj.exe
  C:\Windows\System32\lOQOUJj.exe
  2⤵
  PID:11020
- C:\Windows\System32\VaRXrsu.exe
  C:\Windows\System32\VaRXrsu.exe
  2⤵
  PID:11056
- C:\Windows\System32\WQJgsha.exe
  C:\Windows\System32\WQJgsha.exe
  2⤵
  PID:11080
- C:\Windows\System32\ogfXQrT.exe
  C:\Windows\System32\ogfXQrT.exe
  2⤵
  PID:11112
- C:\Windows\System32\eXySJoI.exe
  C:\Windows\System32\eXySJoI.exe
  2⤵
  PID:11152
- C:\Windows\System32\cOBpKPy.exe
  C:\Windows\System32\cOBpKPy.exe
  2⤵
  PID:11168
- C:\Windows\System32\bNvYXhF.exe
  C:\Windows\System32\bNvYXhF.exe
  2⤵
  PID:11192
- C:\Windows\System32\POrrelh.exe
  C:\Windows\System32\POrrelh.exe
  2⤵
  PID:11236
- C:\Windows\System32\FnaAddd.exe
  C:\Windows\System32\FnaAddd.exe
  2⤵
  PID:11256
- C:\Windows\System32\QvaGaFF.exe
  C:\Windows\System32\QvaGaFF.exe
  2⤵
  PID:10228
- C:\Windows\System32\LrrvVQM.exe
  C:\Windows\System32\LrrvVQM.exe
  2⤵
  PID:10304
- C:\Windows\System32\cKREoTg.exe
  C:\Windows\System32\cKREoTg.exe
  2⤵
  PID:10368
- C:\Windows\System32\UDDhpmU.exe
  C:\Windows\System32\UDDhpmU.exe
  2⤵
  PID:10428
- C:\Windows\System32\RcipwQz.exe
  C:\Windows\System32\RcipwQz.exe
  2⤵
  PID:10448
- C:\Windows\System32\JGUONSn.exe
  C:\Windows\System32\JGUONSn.exe
  2⤵
  PID:10568
- C:\Windows\System32\ysZrPYq.exe
  C:\Windows\System32\ysZrPYq.exe
  2⤵
  PID:10644
- C:\Windows\System32\WXEKFeg.exe
  C:\Windows\System32\WXEKFeg.exe
  2⤵
  PID:10652
- C:\Windows\System32\nQhFFWo.exe
  C:\Windows\System32\nQhFFWo.exe
  2⤵
  PID:10796
- C:\Windows\System32\WrOSoGj.exe
  C:\Windows\System32\WrOSoGj.exe
  2⤵
  PID:10824
- C:\Windows\System32\odqbFAE.exe
  C:\Windows\System32\odqbFAE.exe
  2⤵
  PID:10896
- C:\Windows\System32\qzWFawl.exe
  C:\Windows\System32\qzWFawl.exe
  2⤵
  PID:10940
- C:\Windows\System32\CaZjWmL.exe
  C:\Windows\System32\CaZjWmL.exe
  2⤵
  PID:11012
- C:\Windows\System32\VfUULEd.exe
  C:\Windows\System32\VfUULEd.exe
  2⤵
  PID:11048
- C:\Windows\System32\Glspypl.exe
  C:\Windows\System32\Glspypl.exe
  2⤵
  PID:11120
- C:\Windows\System32\ezOUGXH.exe
  C:\Windows\System32\ezOUGXH.exe
  2⤵
  PID:11208
- C:\Windows\System32\EHNeYhi.exe
  C:\Windows\System32\EHNeYhi.exe
  2⤵
  PID:11252
- C:\Windows\System32\TxUzjLh.exe
  C:\Windows\System32\TxUzjLh.exe
  2⤵
  PID:10316
- C:\Windows\System32\CBGGAdO.exe
  C:\Windows\System32\CBGGAdO.exe
  2⤵
  PID:10400
- C:\Windows\System32\IrVVmoq.exe
  C:\Windows\System32\IrVVmoq.exe
  2⤵
  PID:11160
- C:\Windows\System32\fKViUXC.exe
  C:\Windows\System32\fKViUXC.exe
  2⤵
  PID:10348
- C:\Windows\System32\EQLKKmz.exe
  C:\Windows\System32\EQLKKmz.exe
  2⤵
  PID:10488
- C:\Windows\System32\BCEnNNF.exe
  C:\Windows\System32\BCEnNNF.exe
  2⤵
  PID:10764
- C:\Windows\System32\RzwUKqH.exe
  C:\Windows\System32\RzwUKqH.exe
  2⤵
  PID:11276
- C:\Windows\System32\bQtDaaN.exe
  C:\Windows\System32\bQtDaaN.exe
  2⤵
  PID:11292
- C:\Windows\System32\NmTaAvt.exe
  C:\Windows\System32\NmTaAvt.exe
  2⤵
  PID:11308
- C:\Windows\System32\rUzliup.exe
  C:\Windows\System32\rUzliup.exe
  2⤵
  PID:11324
- C:\Windows\System32\taHfBZc.exe
  C:\Windows\System32\taHfBZc.exe
  2⤵
  PID:11340
- C:\Windows\System32\rNzmjNd.exe
  C:\Windows\System32\rNzmjNd.exe
  2⤵
  PID:11356
- C:\Windows\System32\cwqfPMo.exe
  C:\Windows\System32\cwqfPMo.exe
  2⤵
  PID:11372
- C:\Windows\System32\bgNfDUR.exe
  C:\Windows\System32\bgNfDUR.exe
  2⤵
  PID:11448
- C:\Windows\System32\rQdcVcP.exe
  C:\Windows\System32\rQdcVcP.exe
  2⤵
  PID:11484
- C:\Windows\System32\rYHbYYM.exe
  C:\Windows\System32\rYHbYYM.exe
  2⤵
  PID:11500
- C:\Windows\System32\DRAcOMy.exe
  C:\Windows\System32\DRAcOMy.exe
  2⤵
  PID:11524
- C:\Windows\System32\vCzpZpj.exe
  C:\Windows\System32\vCzpZpj.exe
  2⤵
  PID:11540
- C:\Windows\System32\aRUrSke.exe
  C:\Windows\System32\aRUrSke.exe
  2⤵
  PID:11564
- C:\Windows\System32\FlJlZOc.exe
  C:\Windows\System32\FlJlZOc.exe
  2⤵
  PID:11580
- C:\Windows\System32\kAZHgbC.exe
  C:\Windows\System32\kAZHgbC.exe
  2⤵
  PID:11604
- C:\Windows\System32\QNwTPJN.exe
  C:\Windows\System32\QNwTPJN.exe
  2⤵
  PID:11628
- C:\Windows\System32\uFzuPPW.exe
  C:\Windows\System32\uFzuPPW.exe
  2⤵
  PID:11800
- C:\Windows\System32\PfOlGbL.exe
  C:\Windows\System32\PfOlGbL.exe
  2⤵
  PID:11816
- C:\Windows\System32\hGdFDfv.exe
  C:\Windows\System32\hGdFDfv.exe
  2⤵
  PID:11856
- C:\Windows\System32\PogxSZg.exe
  C:\Windows\System32\PogxSZg.exe
  2⤵
  PID:11872
- C:\Windows\System32\YJFwcyl.exe
  C:\Windows\System32\YJFwcyl.exe
  2⤵
  PID:11896
- C:\Windows\System32\zPmvwdv.exe
  C:\Windows\System32\zPmvwdv.exe
  2⤵
  PID:11936
- C:\Windows\System32\ECcanJJ.exe
  C:\Windows\System32\ECcanJJ.exe
  2⤵
  PID:11964
- C:\Windows\System32\ffbYLpj.exe
  C:\Windows\System32\ffbYLpj.exe
  2⤵
  PID:11980
- C:\Windows\System32\uCLuImt.exe
  C:\Windows\System32\uCLuImt.exe
  2⤵
  PID:12016
- C:\Windows\System32\taIJTLN.exe
  C:\Windows\System32\taIJTLN.exe
  2⤵
  PID:12044
- C:\Windows\System32\YejBYQB.exe
  C:\Windows\System32\YejBYQB.exe
  2⤵
  PID:12072
- C:\Windows\System32\kShVcqI.exe
  C:\Windows\System32\kShVcqI.exe
  2⤵
  PID:12112
- C:\Windows\System32\IOqbdVD.exe
  C:\Windows\System32\IOqbdVD.exe
  2⤵
  PID:12148
- C:\Windows\System32\IOORRBH.exe
  C:\Windows\System32\IOORRBH.exe
  2⤵
  PID:12164
- C:\Windows\System32\PCbqUuH.exe
  C:\Windows\System32\PCbqUuH.exe
  2⤵
  PID:12204
- C:\Windows\System32\hKdYkHj.exe
  C:\Windows\System32\hKdYkHj.exe
  2⤵
  PID:12228
- C:\Windows\System32\tDrGUGT.exe
  C:\Windows\System32\tDrGUGT.exe
  2⤵
  PID:12244
- C:\Windows\System32\aVakdIf.exe
  C:\Windows\System32\aVakdIf.exe
  2⤵
  PID:12264
- C:\Windows\System32\InAgrsQ.exe
  C:\Windows\System32\InAgrsQ.exe
  2⤵
  PID:10688
- C:\Windows\System32\RaFWOFi.exe
  C:\Windows\System32\RaFWOFi.exe
  2⤵
  PID:10844
- C:\Windows\System32\prurZUK.exe
  C:\Windows\System32\prurZUK.exe
  2⤵
  PID:11304
- C:\Windows\System32\blwFzMW.exe
  C:\Windows\System32\blwFzMW.exe
  2⤵
  PID:11104
- C:\Windows\System32\JbfVFMY.exe
  C:\Windows\System32\JbfVFMY.exe
  2⤵
  PID:11384
- C:\Windows\System32\FNbwsqv.exe
  C:\Windows\System32\FNbwsqv.exe
  2⤵
  PID:11420
- C:\Windows\System32\lThrkJt.exe
  C:\Windows\System32\lThrkJt.exe
  2⤵
  PID:11412
- C:\Windows\System32\YDaVeoD.exe
  C:\Windows\System32\YDaVeoD.exe
  2⤵
  PID:11576
- C:\Windows\System32\gIoTbQV.exe
  C:\Windows\System32\gIoTbQV.exe
  2⤵
  PID:11612
- C:\Windows\System32\AUdeLQW.exe
  C:\Windows\System32\AUdeLQW.exe
  2⤵
  PID:11332
- C:\Windows\System32\kPmbdfJ.exe
  C:\Windows\System32\kPmbdfJ.exe
  2⤵
  PID:11736
- C:\Windows\System32\sfMxUth.exe
  C:\Windows\System32\sfMxUth.exe
  2⤵
  PID:11724
- C:\Windows\System32\MsxnCno.exe
  C:\Windows\System32\MsxnCno.exe
  2⤵
  PID:11792
- C:\Windows\System32\avKReXW.exe
  C:\Windows\System32\avKReXW.exe
  2⤵
  PID:11852
- C:\Windows\System32\xNJpreE.exe
  C:\Windows\System32\xNJpreE.exe
  2⤵
  PID:11848
- C:\Windows\System32\nLmTpVC.exe
  C:\Windows\System32\nLmTpVC.exe
  2⤵
  PID:12004
- C:\Windows\System32\tOtDnqj.exe
  C:\Windows\System32\tOtDnqj.exe
  2⤵
  PID:12064
- C:\Windows\System32\EUVgLrm.exe
  C:\Windows\System32\EUVgLrm.exe
  2⤵
  PID:12124
- C:\Windows\System32\BHcAIQI.exe
  C:\Windows\System32\BHcAIQI.exe
  2⤵
  PID:12132
- C:\Windows\System32\TdYuIVb.exe
  C:\Windows\System32\TdYuIVb.exe
  2⤵
  PID:12252
- C:\Windows\System32\hDIvsed.exe
  C:\Windows\System32\hDIvsed.exe
  2⤵
  PID:10620
- C:\Windows\System32\siAhHnp.exe
  C:\Windows\System32\siAhHnp.exe
  2⤵
  PID:11320
- C:\Windows\System32\odMlSdy.exe
  C:\Windows\System32\odMlSdy.exe
  2⤵
  PID:9048
- C:\Windows\System32\TwfHGmt.exe
  C:\Windows\System32\TwfHGmt.exe
  2⤵
  PID:11600
- C:\Windows\System32\rOzOWcd.exe
  C:\Windows\System32\rOzOWcd.exe
  2⤵
  PID:11572
- C:\Windows\System32\bnyZDqa.exe
  C:\Windows\System32\bnyZDqa.exe
  2⤵
  PID:5056
- C:\Windows\System32\HgQgLmT.exe
  C:\Windows\System32\HgQgLmT.exe
  2⤵
  PID:11680
- C:\Windows\System32\iUhBirM.exe
  C:\Windows\System32\iUhBirM.exe
  2⤵
  PID:11880
- C:\Windows\System32\wEsevOG.exe
  C:\Windows\System32\wEsevOG.exe
  2⤵
  PID:12052
- C:\Windows\System32\BBKCTSt.exe
  C:\Windows\System32\BBKCTSt.exe
  2⤵
  PID:12180
- C:\Windows\System32\SBERcbU.exe
  C:\Windows\System32\SBERcbU.exe
  2⤵
  PID:12216
- C:\Windows\System32\roScREQ.exe
  C:\Windows\System32\roScREQ.exe
  2⤵
  PID:11076
- C:\Windows\System32\DjLLFhB.exe
  C:\Windows\System32\DjLLFhB.exe
  2⤵
  PID:1228
- C:\Windows\System32\vOhKrxw.exe
  C:\Windows\System32\vOhKrxw.exe
  2⤵
  PID:11924
- C:\Windows\System32\aFtybwp.exe
  C:\Windows\System32\aFtybwp.exe
  2⤵
  PID:10036
- C:\Windows\System32\gksRLHq.exe
  C:\Windows\System32\gksRLHq.exe
  2⤵
  PID:11272
- C:\Windows\System32\OnOopho.exe
  C:\Windows\System32\OnOopho.exe
  2⤵
  PID:12144
- C:\Windows\System32\AURsGPF.exe
  C:\Windows\System32\AURsGPF.exe
  2⤵
  PID:12040
- C:\Windows\System32\eJKhIhf.exe
  C:\Windows\System32\eJKhIhf.exe
  2⤵
  PID:12300
- C:\Windows\System32\IzRIuIh.exe
  C:\Windows\System32\IzRIuIh.exe
  2⤵
  PID:12336
- C:\Windows\System32\biQHfoT.exe
  C:\Windows\System32\biQHfoT.exe
  2⤵
  PID:12376
- C:\Windows\System32\fPcwSlL.exe
  C:\Windows\System32\fPcwSlL.exe
  2⤵
  PID:12404
- C:\Windows\System32\qaGJisx.exe
  C:\Windows\System32\qaGJisx.exe
  2⤵
  PID:12444
- C:\Windows\System32\OPICEaZ.exe
  C:\Windows\System32\OPICEaZ.exe
  2⤵
  PID:12464
- C:\Windows\System32\oGdaIsf.exe
  C:\Windows\System32\oGdaIsf.exe
  2⤵
  PID:12492
- C:\Windows\System32\RHWyRMM.exe
  C:\Windows\System32\RHWyRMM.exe
  2⤵
  PID:12516
- C:\Windows\System32\vWAejiM.exe
  C:\Windows\System32\vWAejiM.exe
  2⤵
  PID:12536
- C:\Windows\System32\bvoDKlF.exe
  C:\Windows\System32\bvoDKlF.exe
  2⤵
  PID:12564
- C:\Windows\System32\ZHtIEPR.exe
  C:\Windows\System32\ZHtIEPR.exe
  2⤵
  PID:12612
- C:\Windows\System32\pXScMOq.exe
  C:\Windows\System32\pXScMOq.exe
  2⤵
  PID:12628
- C:\Windows\System32\tNJdwXD.exe
  C:\Windows\System32\tNJdwXD.exe
  2⤵
  PID:12648
- C:\Windows\System32\qmwgxZL.exe
  C:\Windows\System32\qmwgxZL.exe
  2⤵
  PID:12676
- C:\Windows\System32\jnrlZdX.exe
  C:\Windows\System32\jnrlZdX.exe
  2⤵
  PID:12704
- C:\Windows\System32\IxDsNyU.exe
  C:\Windows\System32\IxDsNyU.exe
  2⤵
  PID:12744
- C:\Windows\System32\HoFWnoo.exe
  C:\Windows\System32\HoFWnoo.exe
  2⤵
  PID:12768
- C:\Windows\System32\CWssITq.exe
  C:\Windows\System32\CWssITq.exe
  2⤵
  PID:12784
- C:\Windows\System32\CswvSqG.exe
  C:\Windows\System32\CswvSqG.exe
  2⤵
  PID:12804
- C:\Windows\System32\ekeNVvS.exe
  C:\Windows\System32\ekeNVvS.exe
  2⤵
  PID:12860
- C:\Windows\System32\ngKiuKZ.exe
  C:\Windows\System32\ngKiuKZ.exe
  2⤵
  PID:12884
- C:\Windows\System32\cSvStwH.exe
  C:\Windows\System32\cSvStwH.exe
  2⤵
  PID:12908
- C:\Windows\System32\ImrcYPt.exe
  C:\Windows\System32\ImrcYPt.exe
  2⤵
  PID:12936
- C:\Windows\System32\zcZeUcX.exe
  C:\Windows\System32\zcZeUcX.exe
  2⤵
  PID:12968
- C:\Windows\System32\bLAPnan.exe
  C:\Windows\System32\bLAPnan.exe
  2⤵
  PID:12992
- C:\Windows\System32\buuwgoD.exe
  C:\Windows\System32\buuwgoD.exe
  2⤵
  PID:13008
- C:\Windows\System32\bCZeOyi.exe
  C:\Windows\System32\bCZeOyi.exe
  2⤵
  PID:13028
- C:\Windows\System32\sUaCfVC.exe
  C:\Windows\System32\sUaCfVC.exe
  2⤵
  PID:13056
- C:\Windows\System32\wRGQFjG.exe
  C:\Windows\System32\wRGQFjG.exe
  2⤵
  PID:13096
- C:\Windows\System32\bbMiiAb.exe
  C:\Windows\System32\bbMiiAb.exe
  2⤵
  PID:13136
- C:\Windows\System32\rUnJMLR.exe
  C:\Windows\System32\rUnJMLR.exe
  2⤵
  PID:13160
- C:\Windows\System32\BycIsnE.exe
  C:\Windows\System32\BycIsnE.exe
  2⤵
  PID:13184
- C:\Windows\System32\jIZfuEN.exe
  C:\Windows\System32\jIZfuEN.exe
  2⤵
  PID:13208
- C:\Windows\System32\CWGzvUb.exe
  C:\Windows\System32\CWGzvUb.exe
  2⤵
  PID:13224
- C:\Windows\System32\XpMBUWH.exe
  C:\Windows\System32\XpMBUWH.exe
  2⤵
  PID:13268
- C:\Windows\System32\xIcVBrQ.exe
  C:\Windows\System32\xIcVBrQ.exe
  2⤵
  PID:13292
- C:\Windows\System32\MaEZGOV.exe
  C:\Windows\System32\MaEZGOV.exe
  2⤵
  PID:12296
- C:\Windows\System32\JHhaMkP.exe
  C:\Windows\System32\JHhaMkP.exe
  2⤵
  PID:12368
- C:\Windows\System32\FpDLRUT.exe
  C:\Windows\System32\FpDLRUT.exe
  2⤵
  PID:12424
- C:\Windows\System32\xIKGvPI.exe
  C:\Windows\System32\xIKGvPI.exe
  2⤵
  PID:12524

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BCiWjcJ.exe

Filesize
1.1MB

MD5
1f9f5d9425910d12ac90044c154c6f66

SHA1
76572576a21538cac2cb0e68a733a59d7ab4d7d0

SHA256
2b6ecc2a5b38eb3885747fde9b9e8fef75899e569ba386720d6a65926ef5915b

SHA512
654e8bb2042fe85a5c1f0c2790bc9847f99f5547598d672bb762097c28d65cba24067ebcc15cc1f833d6100d57cc68e44349104cad4c3af1ee3c36b49809635a

Download Submit
C:\Windows\System32\CepjwFT.exe

Filesize
1.1MB

MD5
7004032d6edfe62ed698e95f032a9d5a

SHA1
3049ff906fb2a3f099465e05d957f3641e399b37

SHA256
e5df308f1c606af122c62fe5e5d0be130648e1f06b0546f3c81dde891ecf3801

SHA512
fb24234c3680ceec2208c9e395e3e85c6346ccb6a2e20866569adb9e8b9cd45173526d2835f7b0c430f479a363ce031c6103497d05bfbff590c4bda68c0b894f

Download Submit
C:\Windows\System32\DgUioSH.exe

Filesize
1.1MB

MD5
c3e6e4cce947a6d5d276c8f75c809148

SHA1
6166c4ec4a78080e3c7fe29beaef08c35674084f

SHA256
505c31719f1c8647152ccdaeec0bbe475cef5c39fb5ec83778f1927d609f1e5a

SHA512
9c7e799c3711cadb9a4bad6c51f3e5788a7311dd237a1e817e6009e971de23695b8d94ff187a7a70d0a02066846b8e7a48f4413a2dc64ca2b4988c050d3c1222

Download Submit
C:\Windows\System32\EJWRdnW.exe

Filesize
1.1MB

MD5
56f4c71b4fc1fd71bc2f83a3faa9360e

SHA1
789d1a27e68d3dd3480e11a207b270d418c89b69

SHA256
b01090058ded72292db601e02447561f12acdf6619bad46294b0f2616f06a360

SHA512
96b9c500ca5a095b22f022698bd23c09f33ae40ba57c93518c63371b98b616f36f57ceba0a6c91a11299c4681f4086f2409eb0ef3f4d005a920dac204c6f4fa4

Download Submit
C:\Windows\System32\LOZmksL.exe

Filesize
1.1MB

MD5
187db56ba3e8de9b4f9c689aba6ea295

SHA1
a722b252c8288ee24516882fc65834e85e602b74

SHA256
2c9b83d4033973349d890370ebfe557911586ea7abd64a04fb2713da837f5007

SHA512
ae61ea1c8aa49eb1de044a70a2a8ed71281c27268dae5172971b0f310a51bd8b07c987345c0a65f433992a35ef91903ab51b60ff07833490435dccaff66a6039

Download Submit
C:\Windows\System32\MHipyns.exe

Filesize
1.1MB

MD5
117977a43eb8b72a8726e48a15128514

SHA1
42b3a3b330bd0d38cb96a21519f4e38f41d8b3ae

SHA256
38bef91c0760f1a8ea604cc57ceae8db730cb344f6752f3595fa6328f08e5d56

SHA512
8ee973e1b25b3f3175ed06393f103e2ef8af0a161647cc157b482d8761f6876a0addf067eae452c405cf860fd8ff2cafb391cd11a709418176d62e397e54b7bc

Download Submit
C:\Windows\System32\NKPJeQN.exe

Filesize
1.1MB

MD5
f6ed29d286a37266230f56a6e13442c6

SHA1
cdaded88b042f7cbfc11f80eac4e2e452ba034fe

SHA256
9ba2e82c0c7e16db0616dcefa48d76c8fdf53e68142c99ce5de30ebd8734f4e6

SHA512
0d9355e076439a85528c4c7b97fb3235122d30d438d30f2c78bb98005a0c9929b3f5518973494d68ad69495507198814771be93a004bc33988a57e98a2b14a2d

Download Submit
C:\Windows\System32\NpjodAh.exe

Filesize
1.1MB

MD5
43f883ea31e4d59e6dd6d57dbcb96a7d

SHA1
9af3d080991e4ed0c5290942199d20a406ff440c

SHA256
03078bc0f2ce27ab06965b6e4f86be61525a2d9a52a838576cd65b03afdf5290

SHA512
2349b5f711f07d53ea95f577e484a289ef38290ff2b886d6e0dd67f0efe5cce6e07700c0f3e39545da8a3cf6eeba9f7bdf35dc079c718d11c5b959653512a2f0

Download Submit
C:\Windows\System32\PGwbdae.exe

Filesize
1.1MB

MD5
0f39d8e78473127b7f092efccfa8fd39

SHA1
990f7ada6971df1abd0236fdc146e7ce2ae4c6c9

SHA256
4e49f70451a1d529391acc0eee1c19fd9e1b7428c8ed21b827b7fba525f29389

SHA512
9abb9645568b6aeaa7bf3155aa6ad9138237586c0186183b6a93227b1732709ec67dc858f27c4bca7088002eb743f26b378a32e6612d79ccd2687355dee1f1b4

Download Submit
C:\Windows\System32\PhrwkPa.exe

Filesize
1.1MB

MD5
1a7d9a05f4b6d98539fbe530e6f9c906

SHA1
b99e8642f3b1bd74d8f563d95ca0cb804a7b37d5

SHA256
c557329f5cea5a031286a452fa18e93cfa1bcba22410b9708f19eb2f7941c01f

SHA512
e6517e93172a2800c8fb6d691d814265a4d079dc1284019429d5aa9c1c4b4b72461c475e20d856734fc1ea8fab94595b12f6cc4a6cad25d53be6435272f927ae

Download Submit
C:\Windows\System32\PoiFyvp.exe

Filesize
1.1MB

MD5
20452f67a000fc9e993ae8a394ca1631

SHA1
d7d0199e997a21b4cea0ae274392e110e3faf02a

SHA256
7755435504c19ac37d3fde6d5ebec0d4fe51c517cf806de5b5f53108a8e97779

SHA512
77331d7ac4a66a116d8ab3da0af6cd8c7f2846c44fb47e5d71b26b21f287b4af14e45a4d8e86126d4d13944711774ff4829b7d74b4f7b1a308d030ce5faaacf6

Download Submit
C:\Windows\System32\QoXZlzE.exe

Filesize
1.1MB

MD5
e2d154c6ff5055ef6005fe519ac9787a

SHA1
d616bdd0e4380c42d11a61930c7c286a9fac3107

SHA256
1b1e56722a440bf7f69d29a794588d71e0d438b88765a38cad20cc939ed0acd0

SHA512
58c0cea482d3caf65a65cf3256e8d87f4ecd47ba71ad3f37e8a9b9ff91173c7c954e42a533aaddd2994fece71409a3e2d326c32e4a72c4c1ef30eadade603983

Download Submit
C:\Windows\System32\RIvtVNA.exe

Filesize
1.1MB

MD5
8479f963da19139082b3198be74aa061

SHA1
57347914e937af0691ec2ff3a7537f417f2b951c

SHA256
8fa273b6646026c758086d0e05cfd56e23047aa0c05aee15ce867e0af94b1deb

SHA512
579fdcac99951b3b3f84dd2ff20265f94ebd860d6397c3d6dfd6e999f9090eb7c5cc0cd75ddc9f38b74b81c5fb4c92d9748e4fe5e92a3e964f86414ab3a8a7c4

Download Submit
C:\Windows\System32\RWLEBij.exe

Filesize
1.1MB

MD5
cf85ca47acf79f3517ee9004c91dfd9d

SHA1
1c8504f0f05a3f29c7077c4c0efaae58f2bd2acb

SHA256
1d06bfe32d468805904ee56d985648e89a4bdeb1daed808e4eeed6863db6e011

SHA512
64d6fdb8b733aa57774d38b3e78cab21dae6a939c31b27ad16c4450957ab0be1a865468bd2d54d9187757d3338e3fec395ec2d4befcc2e5562a50928f96aa789

Download Submit
C:\Windows\System32\StGbYrE.exe

Filesize
1.1MB

MD5
293bcccc64b5b40908d57094aca042e9

SHA1
4f5aedba135546bbfdfbfaa6eaa11e30a70f6c54

SHA256
30bbdd6a8e9231eb624b08c11f020bd6a13c6c984d114a78eecf8382606fffea

SHA512
01c0df5ce1b9aa4a488ce69ed0183ab9cf0c1d24dab74310b198a3f114ddc31e18578a11e225cf268b44ca5dd7fcb719b32c262c5cd9e4be1b89dc69c4e255dd

Download Submit
C:\Windows\System32\USwlLZI.exe

Filesize
1.1MB

MD5
7b80ed6c00dfbe943a249526ae167db9

SHA1
86d6a43c0d1b8c73731575f57f718b9f84d8110c

SHA256
51d120d6144d2bfbe6d97600d102f5daa2efcc259df0215da449afd03d38436c

SHA512
8dbf00098f3095003023e939f12cc1721982151cc039618f48fb9cd1fa689daaf0574b25f0b2bd9796c8d202f7dbf66f2b76e359a67bc5d395547088c6c305e5

Download Submit
C:\Windows\System32\VFPjoCS.exe

Filesize
1.1MB

MD5
5a71e12495ddf2540418058a72c59c1a

SHA1
fcd68a8676cd1572c794c7ab6c81c1e5777022b8

SHA256
4b290a493656bb800fea48b37426a91afd4027a77b84123708577623e40825fc

SHA512
97650ea5a701c3a3d1f75c35b7a40edfba3c2acf9b89416b99c33056179d94f48a6cd29138aeb4dde7290f3b58f966f33fc83874f125b1d40badaa045dcf64c7

Download Submit
C:\Windows\System32\VFxmajY.exe

Filesize
1.1MB

MD5
8dd9b03843d5748e65f56680e3c133ff

SHA1
f711f010b138b3ac566a2bd2780817f28e8f8213

SHA256
0648c9daebb707a30d6114f44145d0b6be6d5ef851b58658633f10a5b4c188ab

SHA512
a5511b3eb6cf39c65a3d5325e3bcdb6d40303e8d8168550bc358b132e5650b742a8d71fbaf6214b137d7ab26c1cd6cb5ddfaa6ba734df81bbc1d53228a1acd9e

Download Submit
C:\Windows\System32\WhmWjUz.exe

Filesize
1.1MB

MD5
7a8835c8143dad114e866902b4372d82

SHA1
8c1808d0f99f744e8dbe489f08181936a1d683b2

SHA256
294fc2ac65dbdcdea17b3968a8cc4670dc307e0c5e3002971e42444105930241

SHA512
61caa5502951e28a79a0833daf4f9a7bfc24f206efbd28d7369ecb90a038104d072ea2dac32e7c7138db64b521cb7196b5ea0df8e3d9f617ff163879ae0d1de9

Download Submit
C:\Windows\System32\YpiGbkH.exe

Filesize
1.1MB

MD5
d168b17f67eabdda94fca58020463762

SHA1
a9f41cd4329108e729933ca54d4fccb49e537369

SHA256
b56ead141b1238eebe60f87a51dea75b4f36137d570fcd54389d4bb0944742f1

SHA512
f5edcf1ca83dee717b3e8d6bbf9f5cc6aa1bc8d1bbaf24359c1188879db0490c7d7625291774b5bdc504c25417623b2484a0ecab705fff58ea674f268c2b56b8

Download Submit
C:\Windows\System32\axmKmcg.exe

Filesize
1.1MB

MD5
e125bea69e5a541540c171a125fbf908

SHA1
59e32ef474f19eff37abad6f3ce107833e05b8a9

SHA256
9bee6180671970c8fd391dd9dbc67ee31b593c0b0ac07bb0425172171cbeea2e

SHA512
08319690c51a824730a20975064c04015b54673029ed8816906138eddc0918e23d7fef5fb5a2ac67f13acbb6705870a95ea7681d0075abf92e9a4333f57b236e

Download Submit
C:\Windows\System32\cbbfwWZ.exe

Filesize
1.1MB

MD5
14bdceedfd3deff302f97f960a8e04e5

SHA1
796d9e215629c327ebe5bd9dd4eadd97b64944be

SHA256
4fd8f9032013054a03f2d14f24bc4482936af1b3cb814d3e33c6d2cb8cb3b288

SHA512
43b0b1f1f6f16e298b534fe5836cec72f73e4ffc9db5aa5573882149b89803dcf1037fa2f84b5095ea7369e00adc91c9bdc912f443c36457ea22f11737b707bd

Download Submit
C:\Windows\System32\ddEejit.exe

Filesize
1.1MB

MD5
9d71b1e9ae845d203817cf8f2eb87a75

SHA1
7637ef5fac716cb55a119c7ba5a7d878dbc1f311

SHA256
b4789ce8291b53a61aced58623250f95404a75f7d47f37c5609f423a9c4a83d9

SHA512
1dabdab5bd7dcbe873f46745b24e833777d3a456f187c2789db0d7ec8d547d3a7d0ea4c6b08bca9cf3c501d5f9819dfee3fb98167240995d35ac480fe61b0138

Download Submit
C:\Windows\System32\eikrvyj.exe

Filesize
1.1MB

MD5
11afe69b19f603f93f1040538be25bc4

SHA1
9d9b07db3b60dc6e8e046a8da3e0d742a10c5a12

SHA256
80e93a5986d341130cafad358ce96fa7c84b698492d06171c47e77bdc52e0c2a

SHA512
aebe67a682bc1e467509ec2c4e63f7d5891ef3bf2097af6159f82e60ab99cfa3242724266bed8cd623431be5bfdc50a78cae169ed45bccf4650df125c4065205

Download Submit
C:\Windows\System32\hoXRdUL.exe

Filesize
1.1MB

MD5
86054c7ab9a9254353fa84ad8469c651

SHA1
4e350c16f70a4bfa513b6221af6bbb417786b05b

SHA256
6479224e2b8c923befdb10ac248c99f522789f1dd46bad0d24d54dd157d4a119

SHA512
3b31216fc7f51ddf02de10e2ac2a666cd2cf33f0650789854514ce4376939f895ef92af742435cd04d54fad614cb32f7477207592b9d067cf48069e7b2127e63

Download Submit
C:\Windows\System32\hrtdTOM.exe

Filesize
1.1MB

MD5
bffbd8332e43d2b88b1adbcb37addaff

SHA1
fdc5318d0cd5779a7f3d7a143e313b085a6fcf83

SHA256
9fc10fc671b80078e7c828c2db7031ec59fc040f48fa65eb60ee6604f1be906f

SHA512
64b59818e6204e6823df4f2b8b8150a5fc750e74dd26d6e4578932d402cba179d316ed8b81b39f1d51c4578549283340dae7341c18c8599232b56fe5cb6173a9

Download Submit
C:\Windows\System32\iVuINkw.exe

Filesize
1.1MB

MD5
fa0ee82dfa9489de26775003eb57c3a6

SHA1
8ab9fa1e671f18505d55e01c9d1cfd091c4b96c4

SHA256
ab07d19fa246007d502ba70c4c7265448db4562ad9bd90d4d61e95148461adcc

SHA512
184454d62744974c5d35d763ead9c842e96db368380c8104de32ff133db3259fdccbe86d70303f704c47b2dc4f384bc184c789660e815313341d29e15f70ca4e

Download Submit
C:\Windows\System32\jRJPagZ.exe

Filesize
1.1MB

MD5
c2b3f9ed22fed8f09d150359fb955c68

SHA1
a2c96491130a9e9ffb259a71f5b7f57c1fa9ab79

SHA256
b47d9b1ef20eba8988ddf8ffe79d13de144a868aa0eb5c7d794257f77a51d684

SHA512
ab3326ef1067bdb1fd418922e5abaf75d60104f44a5230821da3850659c5539697b8a19e53ca373e8f413397460925400825adf735c44059a32586a213841c4c

Download Submit
C:\Windows\System32\nYvVLIB.exe

Filesize
1.1MB

MD5
6fc6cbc4fc4cf833607ee019fd920f72

SHA1
70b49dabcb9796e58cf8db553a56ef3d8b46fecd

SHA256
89615220a4b014e77657d4f990c7a2b3124444189c81124170ed33debaa5b8f3

SHA512
d27f632052b758911d6878fdb030795b03f22f3e76e985b2881a01b07d222e31df926a85e9c483e04e010b69a501c3f8673ab1750b64371d69a875ae5bb0d60a

Download Submit
C:\Windows\System32\vCWhlOV.exe

Filesize
1.1MB

MD5
ed0dd458e72323ffcf79ed6448017219

SHA1
da2ffd0b696f6a94ae238ee010a12b63109ad5c4

SHA256
ba24b1c33508d3ec99bd07b95cf1a9eed62735fa2211fe5bf8184a36ffc47c19

SHA512
7e5a1ed86146a226434a7b62d5b9692a3b9e3a6a9294e4f6f6f297b54c8998ded59f34f08b59ad67cd02f196cc6dd9622987f2986d6866f39a5d3438dcd18024

Download Submit
C:\Windows\System32\xinJSTf.exe

Filesize
1.1MB

MD5
52a55c6a79555dc85c7f75154dba15ec

SHA1
65b4a918744b3c99e5bc6a15ae6f127e0d3f482b

SHA256
e9dcff9f271a32dcfb49f171068396a65c80027987cfc796251da2c7193a97b4

SHA512
3238eb5ffbe19fec82b7f6e1c45205aaf45fb9e9ce81842a69534a931e0226ec945c31269a3b488bf71ceae4d53ef71bf73bee86f5751eb111de0599479deb0b

Download Submit
C:\Windows\System32\yCnKvGX.exe

Filesize
1.1MB

MD5
cfdcac8dcc62811e04fda8df89edaafd

SHA1
f2ea01630af6018e47bcacbcc4b05e0652f7c04a

SHA256
3d58fe9e1d3f44f66c514b1cc7ad06355d5b5fa7bc02bb3a95c64d26429488eb

SHA512
a2a646d0c4f83ed6076f0315af04da91469b7c7a9be7a5e60cc1f16bf08f77caf66d5a63f01ebf7abdc9f8ed4cd37689af8fad6afa8510fcf25a3d8239354121

Download Submit
memory/1088-2061-0x00007FF6502D0000-0x00007FF6506C1000-memory.dmp

Filesize
3.9MB

Download
memory/1088-327-0x00007FF6502D0000-0x00007FF6506C1000-memory.dmp

Filesize
3.9MB

Download
memory/1284-459-0x00007FF68DBF0000-0x00007FF68DFE1000-memory.dmp

Filesize
3.9MB

Download
memory/1284-2059-0x00007FF68DBF0000-0x00007FF68DFE1000-memory.dmp

Filesize
3.9MB

Download
memory/1560-458-0x00007FF74E8B0000-0x00007FF74ECA1000-memory.dmp

Filesize
3.9MB

Download
memory/1560-2088-0x00007FF74E8B0000-0x00007FF74ECA1000-memory.dmp

Filesize
3.9MB

Download
memory/1744-372-0x00007FF7A8E30000-0x00007FF7A9221000-memory.dmp

Filesize
3.9MB

Download
memory/1744-2069-0x00007FF7A8E30000-0x00007FF7A9221000-memory.dmp

Filesize
3.9MB

Download
memory/1860-2083-0x00007FF6A6DE0000-0x00007FF6A71D1000-memory.dmp

Filesize
3.9MB

Download
memory/1860-380-0x00007FF6A6DE0000-0x00007FF6A71D1000-memory.dmp

Filesize
3.9MB

Download
memory/1928-2075-0x00007FF7C5530000-0x00007FF7C5921000-memory.dmp

Filesize
3.9MB

Download
memory/1928-361-0x00007FF7C5530000-0x00007FF7C5921000-memory.dmp

Filesize
3.9MB

Download
memory/2188-19-0x00007FF6D05F0000-0x00007FF6D09E1000-memory.dmp

Filesize
3.9MB

Download
memory/2188-1976-0x00007FF6D05F0000-0x00007FF6D09E1000-memory.dmp

Filesize
3.9MB

Download
memory/2188-2045-0x00007FF6D05F0000-0x00007FF6D09E1000-memory.dmp

Filesize
3.9MB

Download
memory/2424-2079-0x00007FF7A4770000-0x00007FF7A4B61000-memory.dmp

Filesize
3.9MB

Download
memory/2424-373-0x00007FF7A4770000-0x00007FF7A4B61000-memory.dmp

Filesize
3.9MB

Download
memory/2448-347-0x00007FF666E80000-0x00007FF667271000-memory.dmp

Filesize
3.9MB

Download
memory/2448-2063-0x00007FF666E80000-0x00007FF667271000-memory.dmp

Filesize
3.9MB

Download
memory/2592-341-0x00007FF6C4340000-0x00007FF6C4731000-memory.dmp

Filesize
3.9MB

Download
memory/2592-2051-0x00007FF6C4340000-0x00007FF6C4731000-memory.dmp

Filesize
3.9MB

Download
memory/2664-354-0x00007FF622260000-0x00007FF622651000-memory.dmp

Filesize
3.9MB

Download
memory/2664-2065-0x00007FF622260000-0x00007FF622651000-memory.dmp

Filesize
3.9MB

Download
memory/2672-457-0x00007FF727E90000-0x00007FF728281000-memory.dmp

Filesize
3.9MB

Download
memory/2672-2090-0x00007FF727E90000-0x00007FF728281000-memory.dmp

Filesize
3.9MB

Download
memory/2700-359-0x00007FF7A17D0000-0x00007FF7A1BC1000-memory.dmp

Filesize
3.9MB

Download
memory/2700-2071-0x00007FF7A17D0000-0x00007FF7A1BC1000-memory.dmp

Filesize
3.9MB

Download
memory/2956-355-0x00007FF6A9540000-0x00007FF6A9931000-memory.dmp

Filesize
3.9MB

Download
memory/2956-2067-0x00007FF6A9540000-0x00007FF6A9931000-memory.dmp

Filesize
3.9MB

Download
memory/3196-2073-0x00007FF74BFA0000-0x00007FF74C391000-memory.dmp

Filesize
3.9MB

Download
memory/3196-365-0x00007FF74BFA0000-0x00007FF74C391000-memory.dmp

Filesize
3.9MB

Download
memory/3264-2049-0x00007FF7B0F00000-0x00007FF7B12F1000-memory.dmp

Filesize
3.9MB

Download
memory/3264-336-0x00007FF7B0F00000-0x00007FF7B12F1000-memory.dmp

Filesize
3.9MB

Download
memory/3444-456-0x00007FF7E2DC0000-0x00007FF7E31B1000-memory.dmp

Filesize
3.9MB

Download
memory/3444-2085-0x00007FF7E2DC0000-0x00007FF7E31B1000-memory.dmp

Filesize
3.9MB

Download
memory/3472-2055-0x00007FF62D090000-0x00007FF62D481000-memory.dmp

Filesize
3.9MB

Download
memory/3472-318-0x00007FF62D090000-0x00007FF62D481000-memory.dmp

Filesize
3.9MB

Download
memory/3788-2047-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp

Filesize
3.9MB

Download
memory/3788-328-0x00007FF7BE700000-0x00007FF7BEAF1000-memory.dmp

Filesize
3.9MB

Download
memory/4036-1-0x0000021201220000-0x0000021201230000-memory.dmp

Filesize
64KB

Download
memory/4036-0-0x00007FF64F6E0000-0x00007FF64FAD1000-memory.dmp

Filesize
3.9MB

Download
memory/4036-1975-0x00007FF64F6E0000-0x00007FF64FAD1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-2053-0x00007FF71A1B0000-0x00007FF71A5A1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-24-0x00007FF71A1B0000-0x00007FF71A5A1000-memory.dmp

Filesize
3.9MB

Download
memory/4544-2077-0x00007FF62E310000-0x00007FF62E701000-memory.dmp

Filesize
3.9MB

Download
memory/4544-376-0x00007FF62E310000-0x00007FF62E701000-memory.dmp

Filesize
3.9MB

Download
memory/4828-2013-0x00007FF61E600000-0x00007FF61E9F1000-memory.dmp

Filesize
3.9MB

Download
memory/4828-14-0x00007FF61E600000-0x00007FF61E9F1000-memory.dmp

Filesize
3.9MB

Download
memory/4904-2081-0x00007FF75C4F0000-0x00007FF75C8E1000-memory.dmp

Filesize
3.9MB

Download
memory/4904-454-0x00007FF75C4F0000-0x00007FF75C8E1000-memory.dmp

Filesize
3.9MB

Download
memory/5008-2057-0x00007FF604A30000-0x00007FF604E21000-memory.dmp

Filesize
3.9MB

Download
memory/5008-321-0x00007FF604A30000-0x00007FF604E21000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads