xmrig | 8914e691ed3967d05d1fe48710b077b3ed865de7d6242ba465afc2931e4deaa8

Analysis

max time kernel
111s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
Size

1.2MB
MD5

08110cf57c016aa6cc73b201e43b4610
SHA1

768fdbc57083c3994b3e656717e54ba26f136b11
SHA256

8914e691ed3967d05d1fe48710b077b3ed865de7d6242ba465afc2931e4deaa8
SHA512

0883f97bca3f31305b887bdac60fc6380e0c1e9bcdce57c02fe78132dad396192969006a745d3931c93d7011b8196d87323ed7a9a06dd98c0df72514b4793d8b
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1M:knw9oUUEEDl37jcq4nPt

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4884-11-0x00007FF6C25E0000-0x00007FF6C29D1000-memory.dmp	xmrig
behavioral2/memory/2096-372-0x00007FF7EBAE0000-0x00007FF7EBED1000-memory.dmp	xmrig
behavioral2/memory/1192-369-0x00007FF672790000-0x00007FF672B81000-memory.dmp	xmrig
behavioral2/memory/3216-379-0x00007FF7CD750000-0x00007FF7CDB41000-memory.dmp	xmrig
behavioral2/memory/1016-384-0x00007FF6CE590000-0x00007FF6CE981000-memory.dmp	xmrig
behavioral2/memory/1996-389-0x00007FF6E2AA0000-0x00007FF6E2E91000-memory.dmp	xmrig
behavioral2/memory/1780-398-0x00007FF622740000-0x00007FF622B31000-memory.dmp	xmrig
behavioral2/memory/2288-418-0x00007FF7B31A0000-0x00007FF7B3591000-memory.dmp	xmrig
behavioral2/memory/2604-411-0x00007FF61A050000-0x00007FF61A441000-memory.dmp	xmrig
behavioral2/memory/4112-424-0x00007FF6584D0000-0x00007FF6588C1000-memory.dmp	xmrig
behavioral2/memory/1356-434-0x00007FF7CD820000-0x00007FF7CDC11000-memory.dmp	xmrig
behavioral2/memory/1460-448-0x00007FF64D400000-0x00007FF64D7F1000-memory.dmp	xmrig
behavioral2/memory/4920-451-0x00007FF623690000-0x00007FF623A81000-memory.dmp	xmrig
behavioral2/memory/4652-450-0x00007FF7E4A80000-0x00007FF7E4E71000-memory.dmp	xmrig
behavioral2/memory/1020-460-0x00007FF7B39B0000-0x00007FF7B3DA1000-memory.dmp	xmrig
behavioral2/memory/3920-474-0x00007FF6BD930000-0x00007FF6BDD21000-memory.dmp	xmrig
behavioral2/memory/1376-552-0x00007FF688CF0000-0x00007FF6890E1000-memory.dmp	xmrig
behavioral2/memory/3280-555-0x00007FF7B9C00000-0x00007FF7B9FF1000-memory.dmp	xmrig
behavioral2/memory/3812-458-0x00007FF691100000-0x00007FF6914F1000-memory.dmp	xmrig
behavioral2/memory/2644-432-0x00007FF7059E0000-0x00007FF705DD1000-memory.dmp	xmrig
behavioral2/memory/4336-404-0x00007FF705530000-0x00007FF705921000-memory.dmp	xmrig
behavioral2/memory/432-2006-0x00007FF60C560000-0x00007FF60C951000-memory.dmp	xmrig
behavioral2/memory/3864-2008-0x00007FF69BC30000-0x00007FF69C021000-memory.dmp	xmrig
behavioral2/memory/2040-2007-0x00007FF7145F0000-0x00007FF7149E1000-memory.dmp	xmrig
behavioral2/memory/4884-2010-0x00007FF6C25E0000-0x00007FF6C29D1000-memory.dmp	xmrig
behavioral2/memory/432-2012-0x00007FF60C560000-0x00007FF60C951000-memory.dmp	xmrig
behavioral2/memory/3864-2020-0x00007FF69BC30000-0x00007FF69C021000-memory.dmp	xmrig
behavioral2/memory/1376-2016-0x00007FF688CF0000-0x00007FF6890E1000-memory.dmp	xmrig
behavioral2/memory/2040-2014-0x00007FF7145F0000-0x00007FF7149E1000-memory.dmp	xmrig
behavioral2/memory/3920-2018-0x00007FF6BD930000-0x00007FF6BDD21000-memory.dmp	xmrig
behavioral2/memory/3216-2031-0x00007FF7CD750000-0x00007FF7CDB41000-memory.dmp	xmrig
behavioral2/memory/1192-2022-0x00007FF672790000-0x00007FF672B81000-memory.dmp	xmrig
behavioral2/memory/2096-2026-0x00007FF7EBAE0000-0x00007FF7EBED1000-memory.dmp	xmrig
behavioral2/memory/3280-2033-0x00007FF7B9C00000-0x00007FF7B9FF1000-memory.dmp	xmrig
behavioral2/memory/4336-2036-0x00007FF705530000-0x00007FF705921000-memory.dmp	xmrig
behavioral2/memory/4112-2042-0x00007FF6584D0000-0x00007FF6588C1000-memory.dmp	xmrig
behavioral2/memory/2288-2040-0x00007FF7B31A0000-0x00007FF7B3591000-memory.dmp	xmrig
behavioral2/memory/2604-2038-0x00007FF61A050000-0x00007FF61A441000-memory.dmp	xmrig
behavioral2/memory/1780-2034-0x00007FF622740000-0x00007FF622B31000-memory.dmp	xmrig
behavioral2/memory/1016-2029-0x00007FF6CE590000-0x00007FF6CE981000-memory.dmp	xmrig
behavioral2/memory/1996-2027-0x00007FF6E2AA0000-0x00007FF6E2E91000-memory.dmp	xmrig
behavioral2/memory/1020-2060-0x00007FF7B39B0000-0x00007FF7B3DA1000-memory.dmp	xmrig
behavioral2/memory/4652-2058-0x00007FF7E4A80000-0x00007FF7E4E71000-memory.dmp	xmrig
behavioral2/memory/4920-2056-0x00007FF623690000-0x00007FF623A81000-memory.dmp	xmrig
behavioral2/memory/1356-2052-0x00007FF7CD820000-0x00007FF7CDC11000-memory.dmp	xmrig
behavioral2/memory/1460-2049-0x00007FF64D400000-0x00007FF64D7F1000-memory.dmp	xmrig
behavioral2/memory/2644-2053-0x00007FF7059E0000-0x00007FF705DD1000-memory.dmp	xmrig
behavioral2/memory/3812-2054-0x00007FF691100000-0x00007FF6914F1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4884	CdYJmDd.exe
432	qBXIAHp.exe
3920	niUunJp.exe
2040	OATsBhC.exe
3864	PQrhQKt.exe
1376	TrcvvfF.exe
3280	EoxKaDI.exe
1192	byTnHUQ.exe
2096	gVLictl.exe
3216	yCVaijZ.exe
1016	xtQdWPh.exe
1996	tDLYVrF.exe
1780	lUUjyUs.exe
4336	PqsTieA.exe
2604	hdNNanJ.exe
2288	VdomGJC.exe
4112	quPMusi.exe
2644	BrWtFmL.exe
1356	iKehBVU.exe
1460	TUVMBnl.exe
4652	dTJtzLW.exe
4920	sphdXZZ.exe
3812	CLvhIjJ.exe
1020	PmkspPB.exe
4024	gjnxFRV.exe
3428	gXPAEAS.exe
2652	osvfIPE.exe
976	pryjbsC.exe
1824	YLXPjXH.exe
4452	urCxKkv.exe
4524	imbPRcG.exe
4132	MgITcIa.exe
4848	yeglbit.exe
2596	SmuMcFE.exe
3080	uSclXHi.exe
1936	ljANMhF.exe
4332	PfwPzSL.exe
1940	oVsCnvd.exe
4056	eZNVmZP.exe
624	wAomcUA.exe
1348	HvodYZe.exe
3484	KwZBcok.exe
2464	szbzcMs.exe
4804	sTqabEU.exe
4692	NkZSjGm.exe
3380	BFWhfmy.exe
4288	guEAXMz.exe
3580	WpehOlx.exe
4328	eqXYXwM.exe
4596	qSLiSSq.exe
3024	LRBuvgP.exe
3928	PfXSltg.exe
5060	fvjMMMm.exe
3868	GSZQrvC.exe
1336	fsmorEk.exe
436	hBktPJp.exe
1988	UGxGPxZ.exe
3360	puSrzZn.exe
3704	oTyNgjo.exe
1040	QQmkmlL.exe
1268	dIjblWF.exe
2380	cFnDaim.exe
4604	emeyMSf.exe
4840	gRhWbOP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1112-0-0x00007FF69C250000-0x00007FF69C641000-memory.dmp	upx
behavioral2/files/0x000e000000023b59-5.dat	upx
behavioral2/files/0x000a000000023ba0-9.dat	upx
behavioral2/files/0x000c000000023b8d-14.dat	upx
behavioral2/files/0x000a000000023ba3-27.dat	upx
behavioral2/files/0x000a000000023ba2-34.dat	upx
behavioral2/files/0x000a000000023ba4-36.dat	upx
behavioral2/memory/3864-38-0x00007FF69BC30000-0x00007FF69C021000-memory.dmp	upx
behavioral2/memory/2040-32-0x00007FF7145F0000-0x00007FF7149E1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-31.dat	upx
behavioral2/files/0x000a000000023ba6-50.dat	upx
behavioral2/files/0x000a000000023ba7-55.dat	upx
behavioral2/files/0x000a000000023baa-70.dat	upx
behavioral2/files/0x000a000000023bad-85.dat	upx
behavioral2/files/0x000a000000023bae-91.dat	upx
behavioral2/files/0x000a000000023bb1-103.dat	upx
behavioral2/files/0x000a000000023bb3-113.dat	upx
behavioral2/files/0x000a000000023bb5-125.dat	upx
behavioral2/files/0x000a000000023bbd-165.dat	upx
behavioral2/files/0x000a000000023bbc-161.dat	upx
behavioral2/files/0x000a000000023bbb-155.dat	upx
behavioral2/files/0x000a000000023bba-150.dat	upx
behavioral2/files/0x000a000000023bb9-145.dat	upx
behavioral2/files/0x0031000000023bb8-141.dat	upx
behavioral2/files/0x0031000000023bb7-135.dat	upx
behavioral2/files/0x0031000000023bb6-131.dat	upx
behavioral2/files/0x000a000000023bb4-120.dat	upx
behavioral2/files/0x000a000000023bb2-110.dat	upx
behavioral2/files/0x000a000000023bb0-101.dat	upx
behavioral2/files/0x000a000000023baf-95.dat	upx
behavioral2/files/0x000a000000023bac-81.dat	upx
behavioral2/files/0x000a000000023bab-75.dat	upx
behavioral2/files/0x000a000000023ba9-65.dat	upx
behavioral2/files/0x000a000000023ba8-61.dat	upx
behavioral2/files/0x000a000000023ba5-46.dat	upx
behavioral2/memory/432-20-0x00007FF60C560000-0x00007FF60C951000-memory.dmp	upx
behavioral2/memory/4884-11-0x00007FF6C25E0000-0x00007FF6C29D1000-memory.dmp	upx
behavioral2/memory/2096-372-0x00007FF7EBAE0000-0x00007FF7EBED1000-memory.dmp	upx
behavioral2/memory/1192-369-0x00007FF672790000-0x00007FF672B81000-memory.dmp	upx
behavioral2/memory/3216-379-0x00007FF7CD750000-0x00007FF7CDB41000-memory.dmp	upx
behavioral2/memory/1016-384-0x00007FF6CE590000-0x00007FF6CE981000-memory.dmp	upx
behavioral2/memory/1996-389-0x00007FF6E2AA0000-0x00007FF6E2E91000-memory.dmp	upx
behavioral2/memory/1780-398-0x00007FF622740000-0x00007FF622B31000-memory.dmp	upx
behavioral2/memory/2288-418-0x00007FF7B31A0000-0x00007FF7B3591000-memory.dmp	upx
behavioral2/memory/2604-411-0x00007FF61A050000-0x00007FF61A441000-memory.dmp	upx
behavioral2/memory/4112-424-0x00007FF6584D0000-0x00007FF6588C1000-memory.dmp	upx
behavioral2/memory/1356-434-0x00007FF7CD820000-0x00007FF7CDC11000-memory.dmp	upx
behavioral2/memory/1460-448-0x00007FF64D400000-0x00007FF64D7F1000-memory.dmp	upx
behavioral2/memory/4920-451-0x00007FF623690000-0x00007FF623A81000-memory.dmp	upx
behavioral2/memory/4652-450-0x00007FF7E4A80000-0x00007FF7E4E71000-memory.dmp	upx
behavioral2/memory/1020-460-0x00007FF7B39B0000-0x00007FF7B3DA1000-memory.dmp	upx
behavioral2/memory/3920-474-0x00007FF6BD930000-0x00007FF6BDD21000-memory.dmp	upx
behavioral2/memory/1376-552-0x00007FF688CF0000-0x00007FF6890E1000-memory.dmp	upx
behavioral2/memory/3280-555-0x00007FF7B9C00000-0x00007FF7B9FF1000-memory.dmp	upx
behavioral2/memory/3812-458-0x00007FF691100000-0x00007FF6914F1000-memory.dmp	upx
behavioral2/memory/2644-432-0x00007FF7059E0000-0x00007FF705DD1000-memory.dmp	upx
behavioral2/memory/4336-404-0x00007FF705530000-0x00007FF705921000-memory.dmp	upx
behavioral2/memory/432-2006-0x00007FF60C560000-0x00007FF60C951000-memory.dmp	upx
behavioral2/memory/3864-2008-0x00007FF69BC30000-0x00007FF69C021000-memory.dmp	upx
behavioral2/memory/2040-2007-0x00007FF7145F0000-0x00007FF7149E1000-memory.dmp	upx
behavioral2/memory/4884-2010-0x00007FF6C25E0000-0x00007FF6C29D1000-memory.dmp	upx
behavioral2/memory/432-2012-0x00007FF60C560000-0x00007FF60C951000-memory.dmp	upx
behavioral2/memory/3864-2020-0x00007FF69BC30000-0x00007FF69C021000-memory.dmp	upx
behavioral2/memory/1376-2016-0x00007FF688CF0000-0x00007FF6890E1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\BFWhfmy.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\TzdcbxN.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\wCWXJUw.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\RQedQTH.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\zidQsYj.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\AGdaulU.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\INEhGvP.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\UUpNgzb.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\iggLSwl.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\nJbALDQ.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\rCijSRf.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\fKIqkdM.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\LWfplvW.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\fMRhclP.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\CalJTyv.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\IUSEEBR.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\VMQbBkv.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\QccObDO.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\ppdEhDm.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\XkmZgIF.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\NYIZCkT.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\ximtNiF.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\omYBgRy.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\fRDERFG.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\qBXIAHp.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\JuRXjmi.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\DWIaNah.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\YHeWxoW.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\CfYWjAY.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\ThOWKFu.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\QcAJTvO.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\XdINSJy.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\TwRnbRg.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\bRXhVpO.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\kEhhtNm.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\IAOifdQ.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\qUdFcDK.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\kznEabP.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\zNGqQAa.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\ypKBVAP.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\mEEJEth.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\BdiYPDL.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\CAlMPKc.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\gVLictl.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\FTLEoFx.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\zkKsorV.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\HdvbEyr.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\cZjJizb.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\tlVugpz.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\urCxKkv.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\SmuMcFE.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\WFPQaIJ.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\gpTCLQH.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\jSpSiVM.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\SiZWbNI.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\DDivakG.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\XSSBXZX.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\GeVsvaV.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\FszBMnV.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\XkQymKQ.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\cECkFQL.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\Geipcyo.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\SYBCMgG.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
File created	C:\Windows\System32\UdzoRYk.exe	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13096	dwm.exe
Token: SeChangeNotifyPrivilege	13096	dwm.exe
Token: 33	13096	dwm.exe
Token: SeIncBasePriorityPrivilege	13096	dwm.exe
Token: SeShutdownPrivilege	13096	dwm.exe
Token: SeCreatePagefilePrivilege	13096	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4884	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	85
PID 1112 wrote to memory of 4884	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	85
PID 1112 wrote to memory of 432	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	86
PID 1112 wrote to memory of 432	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	86
PID 1112 wrote to memory of 3920	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	87
PID 1112 wrote to memory of 3920	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	87
PID 1112 wrote to memory of 2040	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	88
PID 1112 wrote to memory of 2040	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	88
PID 1112 wrote to memory of 3864	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	89
PID 1112 wrote to memory of 3864	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	89
PID 1112 wrote to memory of 1376	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	90
PID 1112 wrote to memory of 1376	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	90
PID 1112 wrote to memory of 3280	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	91
PID 1112 wrote to memory of 3280	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	91
PID 1112 wrote to memory of 1192	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	92
PID 1112 wrote to memory of 1192	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	92
PID 1112 wrote to memory of 2096	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	93
PID 1112 wrote to memory of 2096	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	93
PID 1112 wrote to memory of 3216	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	94
PID 1112 wrote to memory of 3216	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	94
PID 1112 wrote to memory of 1016	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	95
PID 1112 wrote to memory of 1016	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	95
PID 1112 wrote to memory of 1996	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	96
PID 1112 wrote to memory of 1996	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	96
PID 1112 wrote to memory of 1780	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	97
PID 1112 wrote to memory of 1780	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	97
PID 1112 wrote to memory of 4336	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	98
PID 1112 wrote to memory of 4336	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	98
PID 1112 wrote to memory of 2604	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	99
PID 1112 wrote to memory of 2604	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	99
PID 1112 wrote to memory of 2288	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	100
PID 1112 wrote to memory of 2288	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	100
PID 1112 wrote to memory of 4112	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	101
PID 1112 wrote to memory of 4112	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	101
PID 1112 wrote to memory of 2644	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	102
PID 1112 wrote to memory of 2644	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	102
PID 1112 wrote to memory of 1356	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	103
PID 1112 wrote to memory of 1356	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	103
PID 1112 wrote to memory of 1460	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	104
PID 1112 wrote to memory of 1460	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	104
PID 1112 wrote to memory of 4652	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	105
PID 1112 wrote to memory of 4652	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	105
PID 1112 wrote to memory of 4920	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	106
PID 1112 wrote to memory of 4920	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	106
PID 1112 wrote to memory of 3812	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	107
PID 1112 wrote to memory of 3812	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	107
PID 1112 wrote to memory of 1020	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	108
PID 1112 wrote to memory of 1020	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	108
PID 1112 wrote to memory of 4024	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	109
PID 1112 wrote to memory of 4024	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	109
PID 1112 wrote to memory of 3428	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	110
PID 1112 wrote to memory of 3428	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	110
PID 1112 wrote to memory of 2652	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	111
PID 1112 wrote to memory of 2652	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	111
PID 1112 wrote to memory of 976	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	112
PID 1112 wrote to memory of 976	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	112
PID 1112 wrote to memory of 1824	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	113
PID 1112 wrote to memory of 1824	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	113
PID 1112 wrote to memory of 4452	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	114
PID 1112 wrote to memory of 4452	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	114
PID 1112 wrote to memory of 4524	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	115
PID 1112 wrote to memory of 4524	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	115
PID 1112 wrote to memory of 4132	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	116
PID 1112 wrote to memory of 4132	1112	08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08110cf57c016aa6cc73b201e43b4610_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\System32\CdYJmDd.exe
  C:\Windows\System32\CdYJmDd.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\qBXIAHp.exe
  C:\Windows\System32\qBXIAHp.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\niUunJp.exe
  C:\Windows\System32\niUunJp.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\OATsBhC.exe
  C:\Windows\System32\OATsBhC.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System32\PQrhQKt.exe
  C:\Windows\System32\PQrhQKt.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\TrcvvfF.exe
  C:\Windows\System32\TrcvvfF.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\EoxKaDI.exe
  C:\Windows\System32\EoxKaDI.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\byTnHUQ.exe
  C:\Windows\System32\byTnHUQ.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System32\gVLictl.exe
  C:\Windows\System32\gVLictl.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System32\yCVaijZ.exe
  C:\Windows\System32\yCVaijZ.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\xtQdWPh.exe
  C:\Windows\System32\xtQdWPh.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\tDLYVrF.exe
  C:\Windows\System32\tDLYVrF.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System32\lUUjyUs.exe
  C:\Windows\System32\lUUjyUs.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System32\PqsTieA.exe
  C:\Windows\System32\PqsTieA.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\hdNNanJ.exe
  C:\Windows\System32\hdNNanJ.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System32\VdomGJC.exe
  C:\Windows\System32\VdomGJC.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\quPMusi.exe
  C:\Windows\System32\quPMusi.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System32\BrWtFmL.exe
  C:\Windows\System32\BrWtFmL.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System32\iKehBVU.exe
  C:\Windows\System32\iKehBVU.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System32\TUVMBnl.exe
  C:\Windows\System32\TUVMBnl.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System32\dTJtzLW.exe
  C:\Windows\System32\dTJtzLW.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\sphdXZZ.exe
  C:\Windows\System32\sphdXZZ.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\CLvhIjJ.exe
  C:\Windows\System32\CLvhIjJ.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System32\PmkspPB.exe
  C:\Windows\System32\PmkspPB.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System32\gjnxFRV.exe
  C:\Windows\System32\gjnxFRV.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System32\gXPAEAS.exe
  C:\Windows\System32\gXPAEAS.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System32\osvfIPE.exe
  C:\Windows\System32\osvfIPE.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System32\pryjbsC.exe
  C:\Windows\System32\pryjbsC.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System32\YLXPjXH.exe
  C:\Windows\System32\YLXPjXH.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System32\urCxKkv.exe
  C:\Windows\System32\urCxKkv.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\imbPRcG.exe
  C:\Windows\System32\imbPRcG.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\MgITcIa.exe
  C:\Windows\System32\MgITcIa.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\yeglbit.exe
  C:\Windows\System32\yeglbit.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\SmuMcFE.exe
  C:\Windows\System32\SmuMcFE.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\uSclXHi.exe
  C:\Windows\System32\uSclXHi.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\ljANMhF.exe
  C:\Windows\System32\ljANMhF.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System32\PfwPzSL.exe
  C:\Windows\System32\PfwPzSL.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\oVsCnvd.exe
  C:\Windows\System32\oVsCnvd.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System32\eZNVmZP.exe
  C:\Windows\System32\eZNVmZP.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\wAomcUA.exe
  C:\Windows\System32\wAomcUA.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\HvodYZe.exe
  C:\Windows\System32\HvodYZe.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System32\KwZBcok.exe
  C:\Windows\System32\KwZBcok.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\szbzcMs.exe
  C:\Windows\System32\szbzcMs.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\sTqabEU.exe
  C:\Windows\System32\sTqabEU.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\NkZSjGm.exe
  C:\Windows\System32\NkZSjGm.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\BFWhfmy.exe
  C:\Windows\System32\BFWhfmy.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System32\guEAXMz.exe
  C:\Windows\System32\guEAXMz.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\WpehOlx.exe
  C:\Windows\System32\WpehOlx.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\eqXYXwM.exe
  C:\Windows\System32\eqXYXwM.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\qSLiSSq.exe
  C:\Windows\System32\qSLiSSq.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System32\LRBuvgP.exe
  C:\Windows\System32\LRBuvgP.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System32\PfXSltg.exe
  C:\Windows\System32\PfXSltg.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System32\fvjMMMm.exe
  C:\Windows\System32\fvjMMMm.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\GSZQrvC.exe
  C:\Windows\System32\GSZQrvC.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System32\fsmorEk.exe
  C:\Windows\System32\fsmorEk.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System32\hBktPJp.exe
  C:\Windows\System32\hBktPJp.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\UGxGPxZ.exe
  C:\Windows\System32\UGxGPxZ.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System32\puSrzZn.exe
  C:\Windows\System32\puSrzZn.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System32\oTyNgjo.exe
  C:\Windows\System32\oTyNgjo.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\QQmkmlL.exe
  C:\Windows\System32\QQmkmlL.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System32\dIjblWF.exe
  C:\Windows\System32\dIjblWF.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System32\cFnDaim.exe
  C:\Windows\System32\cFnDaim.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System32\emeyMSf.exe
  C:\Windows\System32\emeyMSf.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System32\gRhWbOP.exe
  C:\Windows\System32\gRhWbOP.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\ThOWKFu.exe
  C:\Windows\System32\ThOWKFu.exe
  2⤵
  PID:2232
- C:\Windows\System32\EwuoivN.exe
  C:\Windows\System32\EwuoivN.exe
  2⤵
  PID:4564
- C:\Windows\System32\kXyILAc.exe
  C:\Windows\System32\kXyILAc.exe
  2⤵
  PID:868
- C:\Windows\System32\ebbnpRK.exe
  C:\Windows\System32\ebbnpRK.exe
  2⤵
  PID:3684
- C:\Windows\System32\ZGajbgv.exe
  C:\Windows\System32\ZGajbgv.exe
  2⤵
  PID:4960
- C:\Windows\System32\zNGqQAa.exe
  C:\Windows\System32\zNGqQAa.exe
  2⤵
  PID:4476
- C:\Windows\System32\QkWPjCT.exe
  C:\Windows\System32\QkWPjCT.exe
  2⤵
  PID:100
- C:\Windows\System32\BQEqqyY.exe
  C:\Windows\System32\BQEqqyY.exe
  2⤵
  PID:4136
- C:\Windows\System32\CsLywem.exe
  C:\Windows\System32\CsLywem.exe
  2⤵
  PID:4340
- C:\Windows\System32\KIYVNun.exe
  C:\Windows\System32\KIYVNun.exe
  2⤵
  PID:2800
- C:\Windows\System32\YQQrkfI.exe
  C:\Windows\System32\YQQrkfI.exe
  2⤵
  PID:1424
- C:\Windows\System32\HRClzcL.exe
  C:\Windows\System32\HRClzcL.exe
  2⤵
  PID:2528
- C:\Windows\System32\YAUsyId.exe
  C:\Windows\System32\YAUsyId.exe
  2⤵
  PID:2408
- C:\Windows\System32\OTurHkg.exe
  C:\Windows\System32\OTurHkg.exe
  2⤵
  PID:4868
- C:\Windows\System32\zXmuOsu.exe
  C:\Windows\System32\zXmuOsu.exe
  2⤵
  PID:2984
- C:\Windows\System32\bqZHCKH.exe
  C:\Windows\System32\bqZHCKH.exe
  2⤵
  PID:3564
- C:\Windows\System32\jVTiNom.exe
  C:\Windows\System32\jVTiNom.exe
  2⤵
  PID:2388
- C:\Windows\System32\HgzJMrm.exe
  C:\Windows\System32\HgzJMrm.exe
  2⤵
  PID:2264
- C:\Windows\System32\dPhpGlp.exe
  C:\Windows\System32\dPhpGlp.exe
  2⤵
  PID:3244
- C:\Windows\System32\QpdiKOS.exe
  C:\Windows\System32\QpdiKOS.exe
  2⤵
  PID:5064
- C:\Windows\System32\paffZZa.exe
  C:\Windows\System32\paffZZa.exe
  2⤵
  PID:1188
- C:\Windows\System32\PHZZLYs.exe
  C:\Windows\System32\PHZZLYs.exe
  2⤵
  PID:3040
- C:\Windows\System32\OoYQaqb.exe
  C:\Windows\System32\OoYQaqb.exe
  2⤵
  PID:1204
- C:\Windows\System32\NhoQspb.exe
  C:\Windows\System32\NhoQspb.exe
  2⤵
  PID:1944
- C:\Windows\System32\OiaDGwy.exe
  C:\Windows\System32\OiaDGwy.exe
  2⤵
  PID:4936
- C:\Windows\System32\fsBMowc.exe
  C:\Windows\System32\fsBMowc.exe
  2⤵
  PID:5144
- C:\Windows\System32\zfPKjoX.exe
  C:\Windows\System32\zfPKjoX.exe
  2⤵
  PID:5176
- C:\Windows\System32\StUbFET.exe
  C:\Windows\System32\StUbFET.exe
  2⤵
  PID:5196
- C:\Windows\System32\jsqszqr.exe
  C:\Windows\System32\jsqszqr.exe
  2⤵
  PID:5232
- C:\Windows\System32\ykYcvRm.exe
  C:\Windows\System32\ykYcvRm.exe
  2⤵
  PID:5256
- C:\Windows\System32\LvuplSi.exe
  C:\Windows\System32\LvuplSi.exe
  2⤵
  PID:5280
- C:\Windows\System32\VOimPlZ.exe
  C:\Windows\System32\VOimPlZ.exe
  2⤵
  PID:5312
- C:\Windows\System32\TzdcbxN.exe
  C:\Windows\System32\TzdcbxN.exe
  2⤵
  PID:5336
- C:\Windows\System32\NzwqYxk.exe
  C:\Windows\System32\NzwqYxk.exe
  2⤵
  PID:5368
- C:\Windows\System32\UFWWJkR.exe
  C:\Windows\System32\UFWWJkR.exe
  2⤵
  PID:5392
- C:\Windows\System32\FKnaVtc.exe
  C:\Windows\System32\FKnaVtc.exe
  2⤵
  PID:5464
- C:\Windows\System32\MtJpuZD.exe
  C:\Windows\System32\MtJpuZD.exe
  2⤵
  PID:5500
- C:\Windows\System32\wcYyUFh.exe
  C:\Windows\System32\wcYyUFh.exe
  2⤵
  PID:5528
- C:\Windows\System32\AEjASEj.exe
  C:\Windows\System32\AEjASEj.exe
  2⤵
  PID:5564
- C:\Windows\System32\raEvZBj.exe
  C:\Windows\System32\raEvZBj.exe
  2⤵
  PID:5592
- C:\Windows\System32\HlVYrtM.exe
  C:\Windows\System32\HlVYrtM.exe
  2⤵
  PID:5608
- C:\Windows\System32\omxJLzx.exe
  C:\Windows\System32\omxJLzx.exe
  2⤵
  PID:5660
- C:\Windows\System32\uKIFOMR.exe
  C:\Windows\System32\uKIFOMR.exe
  2⤵
  PID:5684
- C:\Windows\System32\nYSLcxy.exe
  C:\Windows\System32\nYSLcxy.exe
  2⤵
  PID:5704
- C:\Windows\System32\JdVpFsT.exe
  C:\Windows\System32\JdVpFsT.exe
  2⤵
  PID:5736
- C:\Windows\System32\OZVYuXD.exe
  C:\Windows\System32\OZVYuXD.exe
  2⤵
  PID:5764
- C:\Windows\System32\uIwSMWc.exe
  C:\Windows\System32\uIwSMWc.exe
  2⤵
  PID:5780
- C:\Windows\System32\raoRBvI.exe
  C:\Windows\System32\raoRBvI.exe
  2⤵
  PID:5800
- C:\Windows\System32\baSrDmv.exe
  C:\Windows\System32\baSrDmv.exe
  2⤵
  PID:5816
- C:\Windows\System32\xRvAqFN.exe
  C:\Windows\System32\xRvAqFN.exe
  2⤵
  PID:5848
- C:\Windows\System32\XEDlikj.exe
  C:\Windows\System32\XEDlikj.exe
  2⤵
  PID:5872
- C:\Windows\System32\MDClcGH.exe
  C:\Windows\System32\MDClcGH.exe
  2⤵
  PID:5888
- C:\Windows\System32\OmRdirI.exe
  C:\Windows\System32\OmRdirI.exe
  2⤵
  PID:5940
- C:\Windows\System32\FszBMnV.exe
  C:\Windows\System32\FszBMnV.exe
  2⤵
  PID:6012
- C:\Windows\System32\UXbmoeE.exe
  C:\Windows\System32\UXbmoeE.exe
  2⤵
  PID:6048
- C:\Windows\System32\XGbCMGI.exe
  C:\Windows\System32\XGbCMGI.exe
  2⤵
  PID:6084
- C:\Windows\System32\gAIsCoP.exe
  C:\Windows\System32\gAIsCoP.exe
  2⤵
  PID:6104
- C:\Windows\System32\rmiIXZT.exe
  C:\Windows\System32\rmiIXZT.exe
  2⤵
  PID:6120
- C:\Windows\System32\SZKPqJF.exe
  C:\Windows\System32\SZKPqJF.exe
  2⤵
  PID:6136
- C:\Windows\System32\jRpbcxu.exe
  C:\Windows\System32\jRpbcxu.exe
  2⤵
  PID:3620
- C:\Windows\System32\IjNCLUl.exe
  C:\Windows\System32\IjNCLUl.exe
  2⤵
  PID:3308
- C:\Windows\System32\RRRpxXP.exe
  C:\Windows\System32\RRRpxXP.exe
  2⤵
  PID:5160
- C:\Windows\System32\PHfRIKe.exe
  C:\Windows\System32\PHfRIKe.exe
  2⤵
  PID:4768
- C:\Windows\System32\rHRtVjQ.exe
  C:\Windows\System32\rHRtVjQ.exe
  2⤵
  PID:5204
- C:\Windows\System32\YKhJPmN.exe
  C:\Windows\System32\YKhJPmN.exe
  2⤵
  PID:2200
- C:\Windows\System32\FTLEoFx.exe
  C:\Windows\System32\FTLEoFx.exe
  2⤵
  PID:5272
- C:\Windows\System32\KUDGqHg.exe
  C:\Windows\System32\KUDGqHg.exe
  2⤵
  PID:4812
- C:\Windows\System32\ewUtvbw.exe
  C:\Windows\System32\ewUtvbw.exe
  2⤵
  PID:4280
- C:\Windows\System32\BksCyIV.exe
  C:\Windows\System32\BksCyIV.exe
  2⤵
  PID:1432
- C:\Windows\System32\HpUOjHJ.exe
  C:\Windows\System32\HpUOjHJ.exe
  2⤵
  PID:5400
- C:\Windows\System32\YNYxeaA.exe
  C:\Windows\System32\YNYxeaA.exe
  2⤵
  PID:5508
- C:\Windows\System32\dwUmlZf.exe
  C:\Windows\System32\dwUmlZf.exe
  2⤵
  PID:5572
- C:\Windows\System32\LlYTdyN.exe
  C:\Windows\System32\LlYTdyN.exe
  2⤵
  PID:5648
- C:\Windows\System32\eCNRoBB.exe
  C:\Windows\System32\eCNRoBB.exe
  2⤵
  PID:5048
- C:\Windows\System32\xredtoI.exe
  C:\Windows\System32\xredtoI.exe
  2⤵
  PID:5748
- C:\Windows\System32\MgWkGxP.exe
  C:\Windows\System32\MgWkGxP.exe
  2⤵
  PID:5788
- C:\Windows\System32\davhWsO.exe
  C:\Windows\System32\davhWsO.exe
  2⤵
  PID:5864
- C:\Windows\System32\pulaxRO.exe
  C:\Windows\System32\pulaxRO.exe
  2⤵
  PID:5984
- C:\Windows\System32\xSkhHzV.exe
  C:\Windows\System32\xSkhHzV.exe
  2⤵
  PID:6028
- C:\Windows\System32\rLtAtBU.exe
  C:\Windows\System32\rLtAtBU.exe
  2⤵
  PID:6056
- C:\Windows\System32\DCtDhyM.exe
  C:\Windows\System32\DCtDhyM.exe
  2⤵
  PID:6132
- C:\Windows\System32\bJfpRJh.exe
  C:\Windows\System32\bJfpRJh.exe
  2⤵
  PID:5152
- C:\Windows\System32\JUaKTfO.exe
  C:\Windows\System32\JUaKTfO.exe
  2⤵
  PID:5184
- C:\Windows\System32\AaKvhgV.exe
  C:\Windows\System32\AaKvhgV.exe
  2⤵
  PID:2172
- C:\Windows\System32\ToWAHZm.exe
  C:\Windows\System32\ToWAHZm.exe
  2⤵
  PID:5344
- C:\Windows\System32\WqBMphK.exe
  C:\Windows\System32\WqBMphK.exe
  2⤵
  PID:5472
- C:\Windows\System32\iJRltMo.exe
  C:\Windows\System32\iJRltMo.exe
  2⤵
  PID:5628
- C:\Windows\System32\obrnzBS.exe
  C:\Windows\System32\obrnzBS.exe
  2⤵
  PID:5796
- C:\Windows\System32\fjnjovh.exe
  C:\Windows\System32\fjnjovh.exe
  2⤵
  PID:5868
- C:\Windows\System32\IAuBElP.exe
  C:\Windows\System32\IAuBElP.exe
  2⤵
  PID:6072
- C:\Windows\System32\MYJldKD.exe
  C:\Windows\System32\MYJldKD.exe
  2⤵
  PID:4464
- C:\Windows\System32\QFUtxLL.exe
  C:\Windows\System32\QFUtxLL.exe
  2⤵
  PID:1680
- C:\Windows\System32\PdnIXnf.exe
  C:\Windows\System32\PdnIXnf.exe
  2⤵
  PID:1184
- C:\Windows\System32\NaCNVRQ.exe
  C:\Windows\System32\NaCNVRQ.exe
  2⤵
  PID:5776
- C:\Windows\System32\wxqyKHc.exe
  C:\Windows\System32\wxqyKHc.exe
  2⤵
  PID:5192
- C:\Windows\System32\vbEiZzk.exe
  C:\Windows\System32\vbEiZzk.exe
  2⤵
  PID:1052
- C:\Windows\System32\IoXcpkA.exe
  C:\Windows\System32\IoXcpkA.exe
  2⤵
  PID:5556
- C:\Windows\System32\qEcQopo.exe
  C:\Windows\System32\qEcQopo.exe
  2⤵
  PID:6116
- C:\Windows\System32\PjKWVit.exe
  C:\Windows\System32\PjKWVit.exe
  2⤵
  PID:5524
- C:\Windows\System32\tzWAgZO.exe
  C:\Windows\System32\tzWAgZO.exe
  2⤵
  PID:2484
- C:\Windows\System32\yCwQAaA.exe
  C:\Windows\System32\yCwQAaA.exe
  2⤵
  PID:6152
- C:\Windows\System32\sAlIkKf.exe
  C:\Windows\System32\sAlIkKf.exe
  2⤵
  PID:6172
- C:\Windows\System32\Bohewzu.exe
  C:\Windows\System32\Bohewzu.exe
  2⤵
  PID:6192
- C:\Windows\System32\vhwVNjD.exe
  C:\Windows\System32\vhwVNjD.exe
  2⤵
  PID:6236
- C:\Windows\System32\SICAfsp.exe
  C:\Windows\System32\SICAfsp.exe
  2⤵
  PID:6252
- C:\Windows\System32\wDghdUB.exe
  C:\Windows\System32\wDghdUB.exe
  2⤵
  PID:6280
- C:\Windows\System32\RsQfXWr.exe
  C:\Windows\System32\RsQfXWr.exe
  2⤵
  PID:6300
- C:\Windows\System32\rmLFGdk.exe
  C:\Windows\System32\rmLFGdk.exe
  2⤵
  PID:6316
- C:\Windows\System32\nJbALDQ.exe
  C:\Windows\System32\nJbALDQ.exe
  2⤵
  PID:6388
- C:\Windows\System32\vaANjEz.exe
  C:\Windows\System32\vaANjEz.exe
  2⤵
  PID:6444
- C:\Windows\System32\QccObDO.exe
  C:\Windows\System32\QccObDO.exe
  2⤵
  PID:6476
- C:\Windows\System32\SKRqsXc.exe
  C:\Windows\System32\SKRqsXc.exe
  2⤵
  PID:6492
- C:\Windows\System32\Geipcyo.exe
  C:\Windows\System32\Geipcyo.exe
  2⤵
  PID:6512
- C:\Windows\System32\NvOOqGJ.exe
  C:\Windows\System32\NvOOqGJ.exe
  2⤵
  PID:6532
- C:\Windows\System32\rykEJUB.exe
  C:\Windows\System32\rykEJUB.exe
  2⤵
  PID:6548
- C:\Windows\System32\lipDECq.exe
  C:\Windows\System32\lipDECq.exe
  2⤵
  PID:6564
- C:\Windows\System32\DMmPcnj.exe
  C:\Windows\System32\DMmPcnj.exe
  2⤵
  PID:6596
- C:\Windows\System32\PAWFnKq.exe
  C:\Windows\System32\PAWFnKq.exe
  2⤵
  PID:6624
- C:\Windows\System32\arxeKky.exe
  C:\Windows\System32\arxeKky.exe
  2⤵
  PID:6680
- C:\Windows\System32\zidQsYj.exe
  C:\Windows\System32\zidQsYj.exe
  2⤵
  PID:6716
- C:\Windows\System32\LnVvLGY.exe
  C:\Windows\System32\LnVvLGY.exe
  2⤵
  PID:6744
- C:\Windows\System32\zKgIKnM.exe
  C:\Windows\System32\zKgIKnM.exe
  2⤵
  PID:6788
- C:\Windows\System32\CCWiAkj.exe
  C:\Windows\System32\CCWiAkj.exe
  2⤵
  PID:6804
- C:\Windows\System32\jzooaMb.exe
  C:\Windows\System32\jzooaMb.exe
  2⤵
  PID:6848
- C:\Windows\System32\ppdEhDm.exe
  C:\Windows\System32\ppdEhDm.exe
  2⤵
  PID:6872
- C:\Windows\System32\iibZvWW.exe
  C:\Windows\System32\iibZvWW.exe
  2⤵
  PID:6896
- C:\Windows\System32\rCijSRf.exe
  C:\Windows\System32\rCijSRf.exe
  2⤵
  PID:6912
- C:\Windows\System32\YQDtSRC.exe
  C:\Windows\System32\YQDtSRC.exe
  2⤵
  PID:6948
- C:\Windows\System32\BtxXyyg.exe
  C:\Windows\System32\BtxXyyg.exe
  2⤵
  PID:6988
- C:\Windows\System32\WFPQaIJ.exe
  C:\Windows\System32\WFPQaIJ.exe
  2⤵
  PID:7004
- C:\Windows\System32\XkmZgIF.exe
  C:\Windows\System32\XkmZgIF.exe
  2⤵
  PID:7028
- C:\Windows\System32\FdpwnVF.exe
  C:\Windows\System32\FdpwnVF.exe
  2⤵
  PID:7052
- C:\Windows\System32\iYJQRmw.exe
  C:\Windows\System32\iYJQRmw.exe
  2⤵
  PID:7096
- C:\Windows\System32\SyHmjyL.exe
  C:\Windows\System32\SyHmjyL.exe
  2⤵
  PID:7124
- C:\Windows\System32\DALSbEs.exe
  C:\Windows\System32\DALSbEs.exe
  2⤵
  PID:7148
- C:\Windows\System32\uETpDyw.exe
  C:\Windows\System32\uETpDyw.exe
  2⤵
  PID:7164
- C:\Windows\System32\wCWXJUw.exe
  C:\Windows\System32\wCWXJUw.exe
  2⤵
  PID:6148
- C:\Windows\System32\RyRpaGg.exe
  C:\Windows\System32\RyRpaGg.exe
  2⤵
  PID:812
- C:\Windows\System32\nNfvmKk.exe
  C:\Windows\System32\nNfvmKk.exe
  2⤵
  PID:6204
- C:\Windows\System32\ugnVAEt.exe
  C:\Windows\System32\ugnVAEt.exe
  2⤵
  PID:6296
- C:\Windows\System32\XkQymKQ.exe
  C:\Windows\System32\XkQymKQ.exe
  2⤵
  PID:6420
- C:\Windows\System32\oFVShJH.exe
  C:\Windows\System32\oFVShJH.exe
  2⤵
  PID:6436
- C:\Windows\System32\GWXSzCX.exe
  C:\Windows\System32\GWXSzCX.exe
  2⤵
  PID:6484
- C:\Windows\System32\UDrNzBK.exe
  C:\Windows\System32\UDrNzBK.exe
  2⤵
  PID:6652
- C:\Windows\System32\yjnxMAM.exe
  C:\Windows\System32\yjnxMAM.exe
  2⤵
  PID:6660
- C:\Windows\System32\sVRJnwt.exe
  C:\Windows\System32\sVRJnwt.exe
  2⤵
  PID:6780
- C:\Windows\System32\GTWqEaX.exe
  C:\Windows\System32\GTWqEaX.exe
  2⤵
  PID:6868
- C:\Windows\System32\dpbyumG.exe
  C:\Windows\System32\dpbyumG.exe
  2⤵
  PID:6920
- C:\Windows\System32\fKIqkdM.exe
  C:\Windows\System32\fKIqkdM.exe
  2⤵
  PID:6924
- C:\Windows\System32\BmWohZu.exe
  C:\Windows\System32\BmWohZu.exe
  2⤵
  PID:6980
- C:\Windows\System32\lAboqhw.exe
  C:\Windows\System32\lAboqhw.exe
  2⤵
  PID:7036
- C:\Windows\System32\kdoHRGC.exe
  C:\Windows\System32\kdoHRGC.exe
  2⤵
  PID:7064
- C:\Windows\System32\gpTCLQH.exe
  C:\Windows\System32\gpTCLQH.exe
  2⤵
  PID:7108
- C:\Windows\System32\jAGyTLq.exe
  C:\Windows\System32\jAGyTLq.exe
  2⤵
  PID:5672
- C:\Windows\System32\vNdQjdD.exe
  C:\Windows\System32\vNdQjdD.exe
  2⤵
  PID:6560
- C:\Windows\System32\VJPlXWx.exe
  C:\Windows\System32\VJPlXWx.exe
  2⤵
  PID:6632
- C:\Windows\System32\ssjRnVA.exe
  C:\Windows\System32\ssjRnVA.exe
  2⤵
  PID:6732
- C:\Windows\System32\rCBspUt.exe
  C:\Windows\System32\rCBspUt.exe
  2⤵
  PID:6884
- C:\Windows\System32\wdbFUYx.exe
  C:\Windows\System32\wdbFUYx.exe
  2⤵
  PID:6976
- C:\Windows\System32\SonqmWN.exe
  C:\Windows\System32\SonqmWN.exe
  2⤵
  PID:6588
- C:\Windows\System32\ErhyhZF.exe
  C:\Windows\System32\ErhyhZF.exe
  2⤵
  PID:6432
- C:\Windows\System32\tXAinvZ.exe
  C:\Windows\System32\tXAinvZ.exe
  2⤵
  PID:7012
- C:\Windows\System32\ARAjWRa.exe
  C:\Windows\System32\ARAjWRa.exe
  2⤵
  PID:7120
- C:\Windows\System32\wNJoEUS.exe
  C:\Windows\System32\wNJoEUS.exe
  2⤵
  PID:6964
- C:\Windows\System32\zWCLPgC.exe
  C:\Windows\System32\zWCLPgC.exe
  2⤵
  PID:7184
- C:\Windows\System32\niCsNSM.exe
  C:\Windows\System32\niCsNSM.exe
  2⤵
  PID:7208
- C:\Windows\System32\GBgtgsT.exe
  C:\Windows\System32\GBgtgsT.exe
  2⤵
  PID:7268
- C:\Windows\System32\Jqxvdms.exe
  C:\Windows\System32\Jqxvdms.exe
  2⤵
  PID:7292
- C:\Windows\System32\dUALxaV.exe
  C:\Windows\System32\dUALxaV.exe
  2⤵
  PID:7308
- C:\Windows\System32\FztpzRT.exe
  C:\Windows\System32\FztpzRT.exe
  2⤵
  PID:7328
- C:\Windows\System32\SOeNLBy.exe
  C:\Windows\System32\SOeNLBy.exe
  2⤵
  PID:7352
- C:\Windows\System32\NYIZCkT.exe
  C:\Windows\System32\NYIZCkT.exe
  2⤵
  PID:7368
- C:\Windows\System32\iozfUzf.exe
  C:\Windows\System32\iozfUzf.exe
  2⤵
  PID:7388
- C:\Windows\System32\ozMhGgN.exe
  C:\Windows\System32\ozMhGgN.exe
  2⤵
  PID:7404
- C:\Windows\System32\RIRYvME.exe
  C:\Windows\System32\RIRYvME.exe
  2⤵
  PID:7452
- C:\Windows\System32\ilsnqHM.exe
  C:\Windows\System32\ilsnqHM.exe
  2⤵
  PID:7488
- C:\Windows\System32\KtaJXyA.exe
  C:\Windows\System32\KtaJXyA.exe
  2⤵
  PID:7508
- C:\Windows\System32\ztoAVYB.exe
  C:\Windows\System32\ztoAVYB.exe
  2⤵
  PID:7548
- C:\Windows\System32\OXTuMiu.exe
  C:\Windows\System32\OXTuMiu.exe
  2⤵
  PID:7572
- C:\Windows\System32\lFxndQL.exe
  C:\Windows\System32\lFxndQL.exe
  2⤵
  PID:7628
- C:\Windows\System32\ypKBVAP.exe
  C:\Windows\System32\ypKBVAP.exe
  2⤵
  PID:7648
- C:\Windows\System32\SYBCMgG.exe
  C:\Windows\System32\SYBCMgG.exe
  2⤵
  PID:7672
- C:\Windows\System32\DpPASon.exe
  C:\Windows\System32\DpPASon.exe
  2⤵
  PID:7724
- C:\Windows\System32\QNhGQnP.exe
  C:\Windows\System32\QNhGQnP.exe
  2⤵
  PID:7744
- C:\Windows\System32\CMyIJXH.exe
  C:\Windows\System32\CMyIJXH.exe
  2⤵
  PID:7760
- C:\Windows\System32\UFRNBNx.exe
  C:\Windows\System32\UFRNBNx.exe
  2⤵
  PID:7788
- C:\Windows\System32\LWfplvW.exe
  C:\Windows\System32\LWfplvW.exe
  2⤵
  PID:7812
- C:\Windows\System32\JuRXjmi.exe
  C:\Windows\System32\JuRXjmi.exe
  2⤵
  PID:7840
- C:\Windows\System32\waonOIb.exe
  C:\Windows\System32\waonOIb.exe
  2⤵
  PID:7864
- C:\Windows\System32\aEvTeBg.exe
  C:\Windows\System32\aEvTeBg.exe
  2⤵
  PID:7888
- C:\Windows\System32\LqBrhLf.exe
  C:\Windows\System32\LqBrhLf.exe
  2⤵
  PID:7952
- C:\Windows\System32\mEEJEth.exe
  C:\Windows\System32\mEEJEth.exe
  2⤵
  PID:7968
- C:\Windows\System32\WQKiKJQ.exe
  C:\Windows\System32\WQKiKJQ.exe
  2⤵
  PID:7992
- C:\Windows\System32\KqWYPEH.exe
  C:\Windows\System32\KqWYPEH.exe
  2⤵
  PID:8008
- C:\Windows\System32\gWccKGa.exe
  C:\Windows\System32\gWccKGa.exe
  2⤵
  PID:8036
- C:\Windows\System32\AAfhLpZ.exe
  C:\Windows\System32\AAfhLpZ.exe
  2⤵
  PID:8052
- C:\Windows\System32\JsYHfkE.exe
  C:\Windows\System32\JsYHfkE.exe
  2⤵
  PID:8072
- C:\Windows\System32\lwuDBrz.exe
  C:\Windows\System32\lwuDBrz.exe
  2⤵
  PID:8092
- C:\Windows\System32\qQelapX.exe
  C:\Windows\System32\qQelapX.exe
  2⤵
  PID:8108
- C:\Windows\System32\NbgJtHh.exe
  C:\Windows\System32\NbgJtHh.exe
  2⤵
  PID:8136
- C:\Windows\System32\gpgJZGA.exe
  C:\Windows\System32\gpgJZGA.exe
  2⤵
  PID:4972
- C:\Windows\System32\IKMQEUk.exe
  C:\Windows\System32\IKMQEUk.exe
  2⤵
  PID:7204
- C:\Windows\System32\LyqhGpB.exe
  C:\Windows\System32\LyqhGpB.exe
  2⤵
  PID:7220
- C:\Windows\System32\iesZWnq.exe
  C:\Windows\System32\iesZWnq.exe
  2⤵
  PID:7336
- C:\Windows\System32\fVAnloT.exe
  C:\Windows\System32\fVAnloT.exe
  2⤵
  PID:7364
- C:\Windows\System32\HNVZasG.exe
  C:\Windows\System32\HNVZasG.exe
  2⤵
  PID:7384
- C:\Windows\System32\HzmdnEQ.exe
  C:\Windows\System32\HzmdnEQ.exe
  2⤵
  PID:7472
- C:\Windows\System32\DWIaNah.exe
  C:\Windows\System32\DWIaNah.exe
  2⤵
  PID:7660
- C:\Windows\System32\SiZWbNI.exe
  C:\Windows\System32\SiZWbNI.exe
  2⤵
  PID:7700
- C:\Windows\System32\nQGdAxt.exe
  C:\Windows\System32\nQGdAxt.exe
  2⤵
  PID:7752
- C:\Windows\System32\SegroGy.exe
  C:\Windows\System32\SegroGy.exe
  2⤵
  PID:7836
- C:\Windows\System32\VVNnAav.exe
  C:\Windows\System32\VVNnAav.exe
  2⤵
  PID:7908
- C:\Windows\System32\oKFsVbl.exe
  C:\Windows\System32\oKFsVbl.exe
  2⤵
  PID:7960
- C:\Windows\System32\rvYvKJV.exe
  C:\Windows\System32\rvYvKJV.exe
  2⤵
  PID:8020
- C:\Windows\System32\kEhhtNm.exe
  C:\Windows\System32\kEhhtNm.exe
  2⤵
  PID:8064
- C:\Windows\System32\jxEvLHC.exe
  C:\Windows\System32\jxEvLHC.exe
  2⤵
  PID:8016
- C:\Windows\System32\QEhGZZo.exe
  C:\Windows\System32\QEhGZZo.exe
  2⤵
  PID:8084
- C:\Windows\System32\vGQfZOS.exe
  C:\Windows\System32\vGQfZOS.exe
  2⤵
  PID:7360
- C:\Windows\System32\jxQPMyY.exe
  C:\Windows\System32\jxQPMyY.exe
  2⤵
  PID:7520
- C:\Windows\System32\xTATuzi.exe
  C:\Windows\System32\xTATuzi.exe
  2⤵
  PID:7656
- C:\Windows\System32\DDivakG.exe
  C:\Windows\System32\DDivakG.exe
  2⤵
  PID:7800
- C:\Windows\System32\irwinCU.exe
  C:\Windows\System32\irwinCU.exe
  2⤵
  PID:7900
- C:\Windows\System32\UtQtNco.exe
  C:\Windows\System32\UtQtNco.exe
  2⤵
  PID:8044
- C:\Windows\System32\zgamPqS.exe
  C:\Windows\System32\zgamPqS.exe
  2⤵
  PID:7436
- C:\Windows\System32\BXHiuqJ.exe
  C:\Windows\System32\BXHiuqJ.exe
  2⤵
  PID:7772
- C:\Windows\System32\RqBYalz.exe
  C:\Windows\System32\RqBYalz.exe
  2⤵
  PID:7624
- C:\Windows\System32\HhSUaOY.exe
  C:\Windows\System32\HhSUaOY.exe
  2⤵
  PID:7928
- C:\Windows\System32\fMKbGTp.exe
  C:\Windows\System32\fMKbGTp.exe
  2⤵
  PID:8204
- C:\Windows\System32\YiKZxyc.exe
  C:\Windows\System32\YiKZxyc.exe
  2⤵
  PID:8228
- C:\Windows\System32\CpTaUSI.exe
  C:\Windows\System32\CpTaUSI.exe
  2⤵
  PID:8264
- C:\Windows\System32\foAnxRL.exe
  C:\Windows\System32\foAnxRL.exe
  2⤵
  PID:8288
- C:\Windows\System32\ximtNiF.exe
  C:\Windows\System32\ximtNiF.exe
  2⤵
  PID:8332
- C:\Windows\System32\XFekdor.exe
  C:\Windows\System32\XFekdor.exe
  2⤵
  PID:8352
- C:\Windows\System32\ciFYxoI.exe
  C:\Windows\System32\ciFYxoI.exe
  2⤵
  PID:8372
- C:\Windows\System32\VeHrsgN.exe
  C:\Windows\System32\VeHrsgN.exe
  2⤵
  PID:8420
- C:\Windows\System32\kINgEGC.exe
  C:\Windows\System32\kINgEGC.exe
  2⤵
  PID:8436
- C:\Windows\System32\uTiKxgd.exe
  C:\Windows\System32\uTiKxgd.exe
  2⤵
  PID:8456
- C:\Windows\System32\kedfujK.exe
  C:\Windows\System32\kedfujK.exe
  2⤵
  PID:8504
- C:\Windows\System32\OimBQnb.exe
  C:\Windows\System32\OimBQnb.exe
  2⤵
  PID:8520
- C:\Windows\System32\PcalkoN.exe
  C:\Windows\System32\PcalkoN.exe
  2⤵
  PID:8540
- C:\Windows\System32\NwbzAIb.exe
  C:\Windows\System32\NwbzAIb.exe
  2⤵
  PID:8560
- C:\Windows\System32\zJFSIXe.exe
  C:\Windows\System32\zJFSIXe.exe
  2⤵
  PID:8576
- C:\Windows\System32\CbFVpMx.exe
  C:\Windows\System32\CbFVpMx.exe
  2⤵
  PID:8600
- C:\Windows\System32\IBZVoqq.exe
  C:\Windows\System32\IBZVoqq.exe
  2⤵
  PID:8668
- C:\Windows\System32\mVkTuiv.exe
  C:\Windows\System32\mVkTuiv.exe
  2⤵
  PID:8688
- C:\Windows\System32\AGdaulU.exe
  C:\Windows\System32\AGdaulU.exe
  2⤵
  PID:8708
- C:\Windows\System32\bLawoAn.exe
  C:\Windows\System32\bLawoAn.exe
  2⤵
  PID:8724
- C:\Windows\System32\HfJEwff.exe
  C:\Windows\System32\HfJEwff.exe
  2⤵
  PID:8776
- C:\Windows\System32\geIwVTh.exe
  C:\Windows\System32\geIwVTh.exe
  2⤵
  PID:8808
- C:\Windows\System32\ALkigVT.exe
  C:\Windows\System32\ALkigVT.exe
  2⤵
  PID:8828
- C:\Windows\System32\iFoAPgN.exe
  C:\Windows\System32\iFoAPgN.exe
  2⤵
  PID:8848
- C:\Windows\System32\oSZYNfA.exe
  C:\Windows\System32\oSZYNfA.exe
  2⤵
  PID:8864
- C:\Windows\System32\ovWPfxB.exe
  C:\Windows\System32\ovWPfxB.exe
  2⤵
  PID:8904
- C:\Windows\System32\eTejKik.exe
  C:\Windows\System32\eTejKik.exe
  2⤵
  PID:8924
- C:\Windows\System32\PnUJepG.exe
  C:\Windows\System32\PnUJepG.exe
  2⤵
  PID:8944
- C:\Windows\System32\uHsWtyQ.exe
  C:\Windows\System32\uHsWtyQ.exe
  2⤵
  PID:8988
- C:\Windows\System32\WdTbkwE.exe
  C:\Windows\System32\WdTbkwE.exe
  2⤵
  PID:9012
- C:\Windows\System32\zCXcsOx.exe
  C:\Windows\System32\zCXcsOx.exe
  2⤵
  PID:9036
- C:\Windows\System32\YElnIJf.exe
  C:\Windows\System32\YElnIJf.exe
  2⤵
  PID:9080
- C:\Windows\System32\LHexCNj.exe
  C:\Windows\System32\LHexCNj.exe
  2⤵
  PID:9120
- C:\Windows\System32\hzaOMzA.exe
  C:\Windows\System32\hzaOMzA.exe
  2⤵
  PID:9148
- C:\Windows\System32\YHeWxoW.exe
  C:\Windows\System32\YHeWxoW.exe
  2⤵
  PID:9176
- C:\Windows\System32\xhGpKVc.exe
  C:\Windows\System32\xhGpKVc.exe
  2⤵
  PID:9200
- C:\Windows\System32\RYQlHmi.exe
  C:\Windows\System32\RYQlHmi.exe
  2⤵
  PID:7804
- C:\Windows\System32\BtXFsDY.exe
  C:\Windows\System32\BtXFsDY.exe
  2⤵
  PID:8240
- C:\Windows\System32\ipRMZPk.exe
  C:\Windows\System32\ipRMZPk.exe
  2⤵
  PID:8308
- C:\Windows\System32\cWcHTKn.exe
  C:\Windows\System32\cWcHTKn.exe
  2⤵
  PID:8368
- C:\Windows\System32\vsunjVe.exe
  C:\Windows\System32\vsunjVe.exe
  2⤵
  PID:8404
- C:\Windows\System32\cFOQUYi.exe
  C:\Windows\System32\cFOQUYi.exe
  2⤵
  PID:8476
- C:\Windows\System32\oLiGxrw.exe
  C:\Windows\System32\oLiGxrw.exe
  2⤵
  PID:8512
- C:\Windows\System32\YpGvKdT.exe
  C:\Windows\System32\YpGvKdT.exe
  2⤵
  PID:8608
- C:\Windows\System32\boTTrcB.exe
  C:\Windows\System32\boTTrcB.exe
  2⤵
  PID:8744
- C:\Windows\System32\oWkJROy.exe
  C:\Windows\System32\oWkJROy.exe
  2⤵
  PID:8800
- C:\Windows\System32\YBKlUWO.exe
  C:\Windows\System32\YBKlUWO.exe
  2⤵
  PID:8816
- C:\Windows\System32\zkKsorV.exe
  C:\Windows\System32\zkKsorV.exe
  2⤵
  PID:8884
- C:\Windows\System32\UiUGgWB.exe
  C:\Windows\System32\UiUGgWB.exe
  2⤵
  PID:8940
- C:\Windows\System32\jSpSiVM.exe
  C:\Windows\System32\jSpSiVM.exe
  2⤵
  PID:9004
- C:\Windows\System32\oKycxvH.exe
  C:\Windows\System32\oKycxvH.exe
  2⤵
  PID:9068
- C:\Windows\System32\yVotOcD.exe
  C:\Windows\System32\yVotOcD.exe
  2⤵
  PID:8568
- C:\Windows\System32\HdvbEyr.exe
  C:\Windows\System32\HdvbEyr.exe
  2⤵
  PID:8628
- C:\Windows\System32\gILtnBH.exe
  C:\Windows\System32\gILtnBH.exe
  2⤵
  PID:8756
- C:\Windows\System32\NMdYsqG.exe
  C:\Windows\System32\NMdYsqG.exe
  2⤵
  PID:8768
- C:\Windows\System32\hEOOpXO.exe
  C:\Windows\System32\hEOOpXO.exe
  2⤵
  PID:8936
- C:\Windows\System32\RupDXwh.exe
  C:\Windows\System32\RupDXwh.exe
  2⤵
  PID:8920
- C:\Windows\System32\UdzoRYk.exe
  C:\Windows\System32\UdzoRYk.exe
  2⤵
  PID:9096
- C:\Windows\System32\QcAJTvO.exe
  C:\Windows\System32\QcAJTvO.exe
  2⤵
  PID:9228
- C:\Windows\System32\svqUSjK.exe
  C:\Windows\System32\svqUSjK.exe
  2⤵
  PID:9244
- C:\Windows\System32\SPPHUPr.exe
  C:\Windows\System32\SPPHUPr.exe
  2⤵
  PID:9260
- C:\Windows\System32\QIPtxqI.exe
  C:\Windows\System32\QIPtxqI.exe
  2⤵
  PID:9276
- C:\Windows\System32\nvmHIdF.exe
  C:\Windows\System32\nvmHIdF.exe
  2⤵
  PID:9292
- C:\Windows\System32\DZJVWbq.exe
  C:\Windows\System32\DZJVWbq.exe
  2⤵
  PID:9308
- C:\Windows\System32\dIDwdAX.exe
  C:\Windows\System32\dIDwdAX.exe
  2⤵
  PID:9324
- C:\Windows\System32\kUKMaqW.exe
  C:\Windows\System32\kUKMaqW.exe
  2⤵
  PID:9340
- C:\Windows\System32\oACGcEG.exe
  C:\Windows\System32\oACGcEG.exe
  2⤵
  PID:9360
- C:\Windows\System32\fTwnEBO.exe
  C:\Windows\System32\fTwnEBO.exe
  2⤵
  PID:9376
- C:\Windows\System32\yutrZbP.exe
  C:\Windows\System32\yutrZbP.exe
  2⤵
  PID:9392
- C:\Windows\System32\lIWPasY.exe
  C:\Windows\System32\lIWPasY.exe
  2⤵
  PID:9408
- C:\Windows\System32\cZjJizb.exe
  C:\Windows\System32\cZjJizb.exe
  2⤵
  PID:9424
- C:\Windows\System32\JmOlXVB.exe
  C:\Windows\System32\JmOlXVB.exe
  2⤵
  PID:9440
- C:\Windows\System32\yGfZnQH.exe
  C:\Windows\System32\yGfZnQH.exe
  2⤵
  PID:9456
- C:\Windows\System32\hIolmLB.exe
  C:\Windows\System32\hIolmLB.exe
  2⤵
  PID:9472
- C:\Windows\System32\UCarsJt.exe
  C:\Windows\System32\UCarsJt.exe
  2⤵
  PID:9512
- C:\Windows\System32\exkbMqi.exe
  C:\Windows\System32\exkbMqi.exe
  2⤵
  PID:9544
- C:\Windows\System32\fJrSCDT.exe
  C:\Windows\System32\fJrSCDT.exe
  2⤵
  PID:9580
- C:\Windows\System32\kohXyCw.exe
  C:\Windows\System32\kohXyCw.exe
  2⤵
  PID:9596
- C:\Windows\System32\INEhGvP.exe
  C:\Windows\System32\INEhGvP.exe
  2⤵
  PID:9616
- C:\Windows\System32\IfKojsg.exe
  C:\Windows\System32\IfKojsg.exe
  2⤵
  PID:9692
- C:\Windows\System32\cLextEA.exe
  C:\Windows\System32\cLextEA.exe
  2⤵
  PID:9880
- C:\Windows\System32\YARhmFg.exe
  C:\Windows\System32\YARhmFg.exe
  2⤵
  PID:10000
- C:\Windows\System32\txGwyhJ.exe
  C:\Windows\System32\txGwyhJ.exe
  2⤵
  PID:10028
- C:\Windows\System32\MTlbjSR.exe
  C:\Windows\System32\MTlbjSR.exe
  2⤵
  PID:10044
- C:\Windows\System32\IAOifdQ.exe
  C:\Windows\System32\IAOifdQ.exe
  2⤵
  PID:10064
- C:\Windows\System32\eQulfSd.exe
  C:\Windows\System32\eQulfSd.exe
  2⤵
  PID:10084
- C:\Windows\System32\oIKTOiy.exe
  C:\Windows\System32\oIKTOiy.exe
  2⤵
  PID:10128
- C:\Windows\System32\PUPUnXN.exe
  C:\Windows\System32\PUPUnXN.exe
  2⤵
  PID:10168
- C:\Windows\System32\ykjjtrN.exe
  C:\Windows\System32\ykjjtrN.exe
  2⤵
  PID:10196
- C:\Windows\System32\dKfWccU.exe
  C:\Windows\System32\dKfWccU.exe
  2⤵
  PID:10216
- C:\Windows\System32\uXzeJrz.exe
  C:\Windows\System32\uXzeJrz.exe
  2⤵
  PID:9168
- C:\Windows\System32\DRUotNX.exe
  C:\Windows\System32\DRUotNX.exe
  2⤵
  PID:9520
- C:\Windows\System32\oODKRoQ.exe
  C:\Windows\System32\oODKRoQ.exe
  2⤵
  PID:8200
- C:\Windows\System32\BeELENS.exe
  C:\Windows\System32\BeELENS.exe
  2⤵
  PID:9208
- C:\Windows\System32\WdKIYIP.exe
  C:\Windows\System32\WdKIYIP.exe
  2⤵
  PID:8428
- C:\Windows\System32\luAmCBa.exe
  C:\Windows\System32\luAmCBa.exe
  2⤵
  PID:9500
- C:\Windows\System32\tMRvCYE.exe
  C:\Windows\System32\tMRvCYE.exe
  2⤵
  PID:9236
- C:\Windows\System32\vNKtKIF.exe
  C:\Windows\System32\vNKtKIF.exe
  2⤵
  PID:9368
- C:\Windows\System32\jTfTiwg.exe
  C:\Windows\System32\jTfTiwg.exe
  2⤵
  PID:8716
- C:\Windows\System32\TzmgPdc.exe
  C:\Windows\System32\TzmgPdc.exe
  2⤵
  PID:9436
- C:\Windows\System32\AFqVQZJ.exe
  C:\Windows\System32\AFqVQZJ.exe
  2⤵
  PID:9484
- C:\Windows\System32\JeuTMHq.exe
  C:\Windows\System32\JeuTMHq.exe
  2⤵
  PID:9604
- C:\Windows\System32\VDldKHR.exe
  C:\Windows\System32\VDldKHR.exe
  2⤵
  PID:8844
- C:\Windows\System32\fZppyvx.exe
  C:\Windows\System32\fZppyvx.exe
  2⤵
  PID:9220
- C:\Windows\System32\PkJaBSh.exe
  C:\Windows\System32\PkJaBSh.exe
  2⤵
  PID:9612
- C:\Windows\System32\jAzVTlq.exe
  C:\Windows\System32\jAzVTlq.exe
  2⤵
  PID:9716
- C:\Windows\System32\KpQxqRR.exe
  C:\Windows\System32\KpQxqRR.exe
  2⤵
  PID:9772
- C:\Windows\System32\NFaiquZ.exe
  C:\Windows\System32\NFaiquZ.exe
  2⤵
  PID:9792
- C:\Windows\System32\VdlQhXJ.exe
  C:\Windows\System32\VdlQhXJ.exe
  2⤵
  PID:9984
- C:\Windows\System32\HPojwNq.exe
  C:\Windows\System32\HPojwNq.exe
  2⤵
  PID:10040
- C:\Windows\System32\WSBiBBc.exe
  C:\Windows\System32\WSBiBBc.exe
  2⤵
  PID:10076
- C:\Windows\System32\NZRhHyM.exe
  C:\Windows\System32\NZRhHyM.exe
  2⤵
  PID:10140
- C:\Windows\System32\XYcrOMb.exe
  C:\Windows\System32\XYcrOMb.exe
  2⤵
  PID:10212
- C:\Windows\System32\kFzsedr.exe
  C:\Windows\System32\kFzsedr.exe
  2⤵
  PID:9284
- C:\Windows\System32\CBlbCpD.exe
  C:\Windows\System32\CBlbCpD.exe
  2⤵
  PID:9320
- C:\Windows\System32\ogkSMza.exe
  C:\Windows\System32\ogkSMza.exe
  2⤵
  PID:9404
- C:\Windows\System32\IYIHJag.exe
  C:\Windows\System32\IYIHJag.exe
  2⤵
  PID:9588
- C:\Windows\System32\IiFxUMk.exe
  C:\Windows\System32\IiFxUMk.exe
  2⤵
  PID:9656
- C:\Windows\System32\BMQlyIL.exe
  C:\Windows\System32\BMQlyIL.exe
  2⤵
  PID:9800
- C:\Windows\System32\YOGZGmQ.exe
  C:\Windows\System32\YOGZGmQ.exe
  2⤵
  PID:10012
- C:\Windows\System32\hFHFaEn.exe
  C:\Windows\System32\hFHFaEn.exe
  2⤵
  PID:9820
- C:\Windows\System32\XSSBXZX.exe
  C:\Windows\System32\XSSBXZX.exe
  2⤵
  PID:10208
- C:\Windows\System32\dThaknK.exe
  C:\Windows\System32\dThaknK.exe
  2⤵
  PID:8388
- C:\Windows\System32\XdINSJy.exe
  C:\Windows\System32\XdINSJy.exe
  2⤵
  PID:9660
- C:\Windows\System32\fwzTcaW.exe
  C:\Windows\System32\fwzTcaW.exe
  2⤵
  PID:9732
- C:\Windows\System32\oyzGFxN.exe
  C:\Windows\System32\oyzGFxN.exe
  2⤵
  PID:9416
- C:\Windows\System32\fcthTaA.exe
  C:\Windows\System32\fcthTaA.exe
  2⤵
  PID:8152
- C:\Windows\System32\xTceReQ.exe
  C:\Windows\System32\xTceReQ.exe
  2⤵
  PID:10252
- C:\Windows\System32\fqkvawn.exe
  C:\Windows\System32\fqkvawn.exe
  2⤵
  PID:10272
- C:\Windows\System32\hWPsPzu.exe
  C:\Windows\System32\hWPsPzu.exe
  2⤵
  PID:10320
- C:\Windows\System32\DVhxCxz.exe
  C:\Windows\System32\DVhxCxz.exe
  2⤵
  PID:10336
- C:\Windows\System32\fMRhclP.exe
  C:\Windows\System32\fMRhclP.exe
  2⤵
  PID:10356
- C:\Windows\System32\ZUbpsRG.exe
  C:\Windows\System32\ZUbpsRG.exe
  2⤵
  PID:10416
- C:\Windows\System32\HLtYFUb.exe
  C:\Windows\System32\HLtYFUb.exe
  2⤵
  PID:10436
- C:\Windows\System32\uiURHsS.exe
  C:\Windows\System32\uiURHsS.exe
  2⤵
  PID:10460
- C:\Windows\System32\zpInbfh.exe
  C:\Windows\System32\zpInbfh.exe
  2⤵
  PID:10480
- C:\Windows\System32\YIusYUn.exe
  C:\Windows\System32\YIusYUn.exe
  2⤵
  PID:10496
- C:\Windows\System32\pdgQqed.exe
  C:\Windows\System32\pdgQqed.exe
  2⤵
  PID:10528
- C:\Windows\System32\TgcxTSf.exe
  C:\Windows\System32\TgcxTSf.exe
  2⤵
  PID:10560
- C:\Windows\System32\nNbkdkv.exe
  C:\Windows\System32\nNbkdkv.exe
  2⤵
  PID:10580
- C:\Windows\System32\IyeDrfC.exe
  C:\Windows\System32\IyeDrfC.exe
  2⤵
  PID:10604
- C:\Windows\System32\GuLdCfE.exe
  C:\Windows\System32\GuLdCfE.exe
  2⤵
  PID:10632
- C:\Windows\System32\TjlnkEZ.exe
  C:\Windows\System32\TjlnkEZ.exe
  2⤵
  PID:10676
- C:\Windows\System32\vFRjUlU.exe
  C:\Windows\System32\vFRjUlU.exe
  2⤵
  PID:10720
- C:\Windows\System32\jxAAToR.exe
  C:\Windows\System32\jxAAToR.exe
  2⤵
  PID:10744
- C:\Windows\System32\TXsPCVF.exe
  C:\Windows\System32\TXsPCVF.exe
  2⤵
  PID:10768
- C:\Windows\System32\WljsrkN.exe
  C:\Windows\System32\WljsrkN.exe
  2⤵
  PID:10788
- C:\Windows\System32\HEVPIYS.exe
  C:\Windows\System32\HEVPIYS.exe
  2⤵
  PID:10804
- C:\Windows\System32\jIHsmXq.exe
  C:\Windows\System32\jIHsmXq.exe
  2⤵
  PID:10820
- C:\Windows\System32\LAVtydI.exe
  C:\Windows\System32\LAVtydI.exe
  2⤵
  PID:10848
- C:\Windows\System32\bonVUAV.exe
  C:\Windows\System32\bonVUAV.exe
  2⤵
  PID:10868
- C:\Windows\System32\dptHYuu.exe
  C:\Windows\System32\dptHYuu.exe
  2⤵
  PID:10896
- C:\Windows\System32\UmdlqOR.exe
  C:\Windows\System32\UmdlqOR.exe
  2⤵
  PID:10940
- C:\Windows\System32\RQedQTH.exe
  C:\Windows\System32\RQedQTH.exe
  2⤵
  PID:10960
- C:\Windows\System32\hVUeUPt.exe
  C:\Windows\System32\hVUeUPt.exe
  2⤵
  PID:10976
- C:\Windows\System32\CgxjtJz.exe
  C:\Windows\System32\CgxjtJz.exe
  2⤵
  PID:11000
- C:\Windows\System32\bzEiNbg.exe
  C:\Windows\System32\bzEiNbg.exe
  2⤵
  PID:11016
- C:\Windows\System32\gxGxxWO.exe
  C:\Windows\System32\gxGxxWO.exe
  2⤵
  PID:11048
- C:\Windows\System32\qUdFcDK.exe
  C:\Windows\System32\qUdFcDK.exe
  2⤵
  PID:11064
- C:\Windows\System32\MKiBrmF.exe
  C:\Windows\System32\MKiBrmF.exe
  2⤵
  PID:11084
- C:\Windows\System32\jKNPAyU.exe
  C:\Windows\System32\jKNPAyU.exe
  2⤵
  PID:11104
- C:\Windows\System32\riNMbRX.exe
  C:\Windows\System32\riNMbRX.exe
  2⤵
  PID:11196
- C:\Windows\System32\VBMrdnA.exe
  C:\Windows\System32\VBMrdnA.exe
  2⤵
  PID:11248
- C:\Windows\System32\ZektiYe.exe
  C:\Windows\System32\ZektiYe.exe
  2⤵
  PID:8968
- C:\Windows\System32\TanpByj.exe
  C:\Windows\System32\TanpByj.exe
  2⤵
  PID:10296
- C:\Windows\System32\csWfWHX.exe
  C:\Windows\System32\csWfWHX.exe
  2⤵
  PID:10332
- C:\Windows\System32\GcXZvtn.exe
  C:\Windows\System32\GcXZvtn.exe
  2⤵
  PID:10412
- C:\Windows\System32\QcsYOCL.exe
  C:\Windows\System32\QcsYOCL.exe
  2⤵
  PID:10448
- C:\Windows\System32\mtoQZCC.exe
  C:\Windows\System32\mtoQZCC.exe
  2⤵
  PID:10504
- C:\Windows\System32\sfbTdfi.exe
  C:\Windows\System32\sfbTdfi.exe
  2⤵
  PID:10592
- C:\Windows\System32\zRyigts.exe
  C:\Windows\System32\zRyigts.exe
  2⤵
  PID:10640
- C:\Windows\System32\pFHMAtB.exe
  C:\Windows\System32\pFHMAtB.exe
  2⤵
  PID:10812
- C:\Windows\System32\RxqiWzK.exe
  C:\Windows\System32\RxqiWzK.exe
  2⤵
  PID:10888
- C:\Windows\System32\pVwWBPS.exe
  C:\Windows\System32\pVwWBPS.exe
  2⤵
  PID:10924
- C:\Windows\System32\mnaCtUq.exe
  C:\Windows\System32\mnaCtUq.exe
  2⤵
  PID:10984
- C:\Windows\System32\tdkeCZo.exe
  C:\Windows\System32\tdkeCZo.exe
  2⤵
  PID:10996
- C:\Windows\System32\KzIfZGP.exe
  C:\Windows\System32\KzIfZGP.exe
  2⤵
  PID:11076
- C:\Windows\System32\KjsWSKX.exe
  C:\Windows\System32\KjsWSKX.exe
  2⤵
  PID:11152
- C:\Windows\System32\LSMwgaO.exe
  C:\Windows\System32\LSMwgaO.exe
  2⤵
  PID:11128
- C:\Windows\System32\CfYWjAY.exe
  C:\Windows\System32\CfYWjAY.exe
  2⤵
  PID:11260
- C:\Windows\System32\zagLuga.exe
  C:\Windows\System32\zagLuga.exe
  2⤵
  PID:10248
- C:\Windows\System32\XIxYaWR.exe
  C:\Windows\System32\XIxYaWR.exe
  2⤵
  PID:10348
- C:\Windows\System32\GwTinrN.exe
  C:\Windows\System32\GwTinrN.exe
  2⤵
  PID:10472
- C:\Windows\System32\hjFZWaH.exe
  C:\Windows\System32\hjFZWaH.exe
  2⤵
  PID:10816
- C:\Windows\System32\JrxeiXE.exe
  C:\Windows\System32\JrxeiXE.exe
  2⤵
  PID:11056
- C:\Windows\System32\PSlPFHn.exe
  C:\Windows\System32\PSlPFHn.exe
  2⤵
  PID:11112
- C:\Windows\System32\ufeyibp.exe
  C:\Windows\System32\ufeyibp.exe
  2⤵
  PID:11220
- C:\Windows\System32\exrQjix.exe
  C:\Windows\System32\exrQjix.exe
  2⤵
  PID:10280
- C:\Windows\System32\lhRsENA.exe
  C:\Windows\System32\lhRsENA.exe
  2⤵
  PID:10864
- C:\Windows\System32\beHQjLZ.exe
  C:\Windows\System32\beHQjLZ.exe
  2⤵
  PID:10444
- C:\Windows\System32\cECkFQL.exe
  C:\Windows\System32\cECkFQL.exe
  2⤵
  PID:11148
- C:\Windows\System32\BxNTkyn.exe
  C:\Windows\System32\BxNTkyn.exe
  2⤵
  PID:11280
- C:\Windows\System32\RUqflYi.exe
  C:\Windows\System32\RUqflYi.exe
  2⤵
  PID:11304
- C:\Windows\System32\PGwjYOV.exe
  C:\Windows\System32\PGwjYOV.exe
  2⤵
  PID:11348
- C:\Windows\System32\hTQWuib.exe
  C:\Windows\System32\hTQWuib.exe
  2⤵
  PID:11364
- C:\Windows\System32\PZSlmDP.exe
  C:\Windows\System32\PZSlmDP.exe
  2⤵
  PID:11412
- C:\Windows\System32\meDXeJF.exe
  C:\Windows\System32\meDXeJF.exe
  2⤵
  PID:11432
- C:\Windows\System32\scSoKHB.exe
  C:\Windows\System32\scSoKHB.exe
  2⤵
  PID:11456
- C:\Windows\System32\ebgBXGW.exe
  C:\Windows\System32\ebgBXGW.exe
  2⤵
  PID:11504
- C:\Windows\System32\TPZqCGz.exe
  C:\Windows\System32\TPZqCGz.exe
  2⤵
  PID:11524
- C:\Windows\System32\pfOtrAp.exe
  C:\Windows\System32\pfOtrAp.exe
  2⤵
  PID:11548
- C:\Windows\System32\WhTQybe.exe
  C:\Windows\System32\WhTQybe.exe
  2⤵
  PID:11576
- C:\Windows\System32\SqCNsCQ.exe
  C:\Windows\System32\SqCNsCQ.exe
  2⤵
  PID:11596
- C:\Windows\System32\WWqmPZr.exe
  C:\Windows\System32\WWqmPZr.exe
  2⤵
  PID:11628
- C:\Windows\System32\eOExwgF.exe
  C:\Windows\System32\eOExwgF.exe
  2⤵
  PID:11644
- C:\Windows\System32\UUpNgzb.exe
  C:\Windows\System32\UUpNgzb.exe
  2⤵
  PID:11668
- C:\Windows\System32\MhWySmI.exe
  C:\Windows\System32\MhWySmI.exe
  2⤵
  PID:11708
- C:\Windows\System32\UTbCVXc.exe
  C:\Windows\System32\UTbCVXc.exe
  2⤵
  PID:11728
- C:\Windows\System32\pdaQEzZ.exe
  C:\Windows\System32\pdaQEzZ.exe
  2⤵
  PID:11748
- C:\Windows\System32\QQyZSzD.exe
  C:\Windows\System32\QQyZSzD.exe
  2⤵
  PID:11776
- C:\Windows\System32\HbZKWqz.exe
  C:\Windows\System32\HbZKWqz.exe
  2⤵
  PID:11808
- C:\Windows\System32\HaWSOdl.exe
  C:\Windows\System32\HaWSOdl.exe
  2⤵
  PID:11876
- C:\Windows\System32\PEyylrU.exe
  C:\Windows\System32\PEyylrU.exe
  2⤵
  PID:11892
- C:\Windows\System32\wJUPPXi.exe
  C:\Windows\System32\wJUPPXi.exe
  2⤵
  PID:11936
- C:\Windows\System32\XIbiFHl.exe
  C:\Windows\System32\XIbiFHl.exe
  2⤵
  PID:11964
- C:\Windows\System32\VytyASD.exe
  C:\Windows\System32\VytyASD.exe
  2⤵
  PID:11996
- C:\Windows\System32\ligwJZj.exe
  C:\Windows\System32\ligwJZj.exe
  2⤵
  PID:12024
- C:\Windows\System32\KaLBgUT.exe
  C:\Windows\System32\KaLBgUT.exe
  2⤵
  PID:12056
- C:\Windows\System32\UvVxqWh.exe
  C:\Windows\System32\UvVxqWh.exe
  2⤵
  PID:12080
- C:\Windows\System32\xlTbHTu.exe
  C:\Windows\System32\xlTbHTu.exe
  2⤵
  PID:12100
- C:\Windows\System32\gobHtbq.exe
  C:\Windows\System32\gobHtbq.exe
  2⤵
  PID:12116
- C:\Windows\System32\HJBBkap.exe
  C:\Windows\System32\HJBBkap.exe
  2⤵
  PID:12140
- C:\Windows\System32\wtulMUS.exe
  C:\Windows\System32\wtulMUS.exe
  2⤵
  PID:12156
- C:\Windows\System32\YRGAEws.exe
  C:\Windows\System32\YRGAEws.exe
  2⤵
  PID:12180
- C:\Windows\System32\thlJwrO.exe
  C:\Windows\System32\thlJwrO.exe
  2⤵
  PID:12236
- C:\Windows\System32\lyDcvoR.exe
  C:\Windows\System32\lyDcvoR.exe
  2⤵
  PID:12252
- C:\Windows\System32\OXeNdSz.exe
  C:\Windows\System32\OXeNdSz.exe
  2⤵
  PID:12268
- C:\Windows\System32\CalJTyv.exe
  C:\Windows\System32\CalJTyv.exe
  2⤵
  PID:11008
- C:\Windows\System32\VpPmpQz.exe
  C:\Windows\System32\VpPmpQz.exe
  2⤵
  PID:11332
- C:\Windows\System32\Hzjytha.exe
  C:\Windows\System32\Hzjytha.exe
  2⤵
  PID:11380
- C:\Windows\System32\pQYxvjh.exe
  C:\Windows\System32\pQYxvjh.exe
  2⤵
  PID:11428
- C:\Windows\System32\iJWWYJL.exe
  C:\Windows\System32\iJWWYJL.exe
  2⤵
  PID:11468
- C:\Windows\System32\dfoQWpS.exe
  C:\Windows\System32\dfoQWpS.exe
  2⤵
  PID:11536
- C:\Windows\System32\aoBQDmn.exe
  C:\Windows\System32\aoBQDmn.exe
  2⤵
  PID:11556
- C:\Windows\System32\omYBgRy.exe
  C:\Windows\System32\omYBgRy.exe
  2⤵
  PID:11688
- C:\Windows\System32\EHYjHTc.exe
  C:\Windows\System32\EHYjHTc.exe
  2⤵
  PID:11888
- C:\Windows\System32\bUZkmIL.exe
  C:\Windows\System32\bUZkmIL.exe
  2⤵
  PID:11928
- C:\Windows\System32\TwRnbRg.exe
  C:\Windows\System32\TwRnbRg.exe
  2⤵
  PID:11992
- C:\Windows\System32\jCxbAFV.exe
  C:\Windows\System32\jCxbAFV.exe
  2⤵
  PID:12048
- C:\Windows\System32\nYRcNaJ.exe
  C:\Windows\System32\nYRcNaJ.exe
  2⤵
  PID:12128
- C:\Windows\System32\gbgkWjO.exe
  C:\Windows\System32\gbgkWjO.exe
  2⤵
  PID:12148
- C:\Windows\System32\SELQlAD.exe
  C:\Windows\System32\SELQlAD.exe
  2⤵
  PID:12212
- C:\Windows\System32\fMAbkKo.exe
  C:\Windows\System32\fMAbkKo.exe
  2⤵
  PID:12244
- C:\Windows\System32\joFvlJd.exe
  C:\Windows\System32\joFvlJd.exe
  2⤵
  PID:11296
- C:\Windows\System32\gPOgveh.exe
  C:\Windows\System32\gPOgveh.exe
  2⤵
  PID:11408
- C:\Windows\System32\uAQhKnM.exe
  C:\Windows\System32\uAQhKnM.exe
  2⤵
  PID:11676
- C:\Windows\System32\BrjEpKP.exe
  C:\Windows\System32\BrjEpKP.exe
  2⤵
  PID:11844
- C:\Windows\System32\kznEabP.exe
  C:\Windows\System32\kznEabP.exe
  2⤵
  PID:12012
- C:\Windows\System32\oxwYMVM.exe
  C:\Windows\System32\oxwYMVM.exe
  2⤵
  PID:4796
- C:\Windows\System32\BdiYPDL.exe
  C:\Windows\System32\BdiYPDL.exe
  2⤵
  PID:972
- C:\Windows\System32\nREETdD.exe
  C:\Windows\System32\nREETdD.exe
  2⤵
  PID:11512
- C:\Windows\System32\pWbqaSn.exe
  C:\Windows\System32\pWbqaSn.exe
  2⤵
  PID:12004
- C:\Windows\System32\hGagYCw.exe
  C:\Windows\System32\hGagYCw.exe
  2⤵
  PID:3624
- C:\Windows\System32\GKQlnhc.exe
  C:\Windows\System32\GKQlnhc.exe
  2⤵
  PID:11788
- C:\Windows\System32\XDnCqXP.exe
  C:\Windows\System32\XDnCqXP.exe
  2⤵
  PID:12308
- C:\Windows\System32\yKJkavv.exe
  C:\Windows\System32\yKJkavv.exe
  2⤵
  PID:12328
- C:\Windows\System32\OUxblvL.exe
  C:\Windows\System32\OUxblvL.exe
  2⤵
  PID:12344
- C:\Windows\System32\XqPioRy.exe
  C:\Windows\System32\XqPioRy.exe
  2⤵
  PID:12392
- C:\Windows\System32\GeVsvaV.exe
  C:\Windows\System32\GeVsvaV.exe
  2⤵
  PID:12412
- C:\Windows\System32\iggLSwl.exe
  C:\Windows\System32\iggLSwl.exe
  2⤵
  PID:12428
- C:\Windows\System32\snOBFdl.exe
  C:\Windows\System32\snOBFdl.exe
  2⤵
  PID:12452
- C:\Windows\System32\VijJAtO.exe
  C:\Windows\System32\VijJAtO.exe
  2⤵
  PID:12492
- C:\Windows\System32\TfzZXVi.exe
  C:\Windows\System32\TfzZXVi.exe
  2⤵
  PID:12540
- C:\Windows\System32\YEUghHU.exe
  C:\Windows\System32\YEUghHU.exe
  2⤵
  PID:12560
- C:\Windows\System32\yAKsjHy.exe
  C:\Windows\System32\yAKsjHy.exe
  2⤵
  PID:12584
- C:\Windows\System32\xoNzulz.exe
  C:\Windows\System32\xoNzulz.exe
  2⤵
  PID:12632
- C:\Windows\System32\daBPryr.exe
  C:\Windows\System32\daBPryr.exe
  2⤵
  PID:12656
- C:\Windows\System32\yQmHnFm.exe
  C:\Windows\System32\yQmHnFm.exe
  2⤵
  PID:12676
- C:\Windows\System32\WFBSFVY.exe
  C:\Windows\System32\WFBSFVY.exe
  2⤵
  PID:12712
- C:\Windows\System32\CAlMPKc.exe
  C:\Windows\System32\CAlMPKc.exe
  2⤵
  PID:12736
- C:\Windows\System32\GqkhXuf.exe
  C:\Windows\System32\GqkhXuf.exe
  2⤵
  PID:12760
- C:\Windows\System32\DfXSGux.exe
  C:\Windows\System32\DfXSGux.exe
  2⤵
  PID:12776
- C:\Windows\System32\jShnFGv.exe
  C:\Windows\System32\jShnFGv.exe
  2⤵
  PID:12796
- C:\Windows\System32\fRDERFG.exe
  C:\Windows\System32\fRDERFG.exe
  2⤵
  PID:12832
- C:\Windows\System32\rlTXrUk.exe
  C:\Windows\System32\rlTXrUk.exe
  2⤵
  PID:12872
- C:\Windows\System32\KxLHjCf.exe
  C:\Windows\System32\KxLHjCf.exe
  2⤵
  PID:12920
- C:\Windows\System32\gqUsjkL.exe
  C:\Windows\System32\gqUsjkL.exe
  2⤵
  PID:12936
- C:\Windows\System32\ZDlzWzK.exe
  C:\Windows\System32\ZDlzWzK.exe
  2⤵
  PID:12968
- C:\Windows\System32\ZmxvacO.exe
  C:\Windows\System32\ZmxvacO.exe
  2⤵
  PID:12992
- C:\Windows\System32\jSkCbIp.exe
  C:\Windows\System32\jSkCbIp.exe
  2⤵
  PID:13008
- C:\Windows\System32\qzzquOj.exe
  C:\Windows\System32\qzzquOj.exe
  2⤵
  PID:13028
- C:\Windows\System32\gDYlXOT.exe
  C:\Windows\System32\gDYlXOT.exe
  2⤵
  PID:13072
- C:\Windows\System32\bPDGBgE.exe
  C:\Windows\System32\bPDGBgE.exe
  2⤵
  PID:13088
- C:\Windows\System32\zWlxvJD.exe
  C:\Windows\System32\zWlxvJD.exe
  2⤵
  PID:13112
- C:\Windows\System32\rzFotkD.exe
  C:\Windows\System32\rzFotkD.exe
  2⤵
  PID:13128
- C:\Windows\System32\mqJTdVX.exe
  C:\Windows\System32\mqJTdVX.exe
  2⤵
  PID:13144
- C:\Windows\System32\YGtmfuH.exe
  C:\Windows\System32\YGtmfuH.exe
  2⤵
  PID:13168
- C:\Windows\System32\isZkgIl.exe
  C:\Windows\System32\isZkgIl.exe
  2⤵
  PID:13236
- C:\Windows\System32\mZmlhfa.exe
  C:\Windows\System32\mZmlhfa.exe
  2⤵
  PID:13264
- C:\Windows\System32\YKDnTwA.exe
  C:\Windows\System32\YKDnTwA.exe
  2⤵
  PID:13292
- C:\Windows\System32\wrFJXnN.exe
  C:\Windows\System32\wrFJXnN.exe
  2⤵
  PID:1472
- C:\Windows\System32\rPgqGub.exe
  C:\Windows\System32\rPgqGub.exe
  2⤵
  PID:12340
- C:\Windows\System32\AXxWBnb.exe
  C:\Windows\System32\AXxWBnb.exe
  2⤵
  PID:4624
- C:\Windows\System32\CQkKePg.exe
  C:\Windows\System32\CQkKePg.exe
  2⤵
  PID:2888
- C:\Windows\System32\xrkqnPj.exe
  C:\Windows\System32\xrkqnPj.exe
  2⤵
  PID:12460
- C:\Windows\System32\GmTRXCT.exe
  C:\Windows\System32\GmTRXCT.exe
  2⤵
  PID:12508
- C:\Windows\System32\gaAfRgM.exe
  C:\Windows\System32\gaAfRgM.exe
  2⤵
  PID:12568
- C:\Windows\System32\GkyWcCV.exe
  C:\Windows\System32\GkyWcCV.exe
  2⤵
  PID:12596
- C:\Windows\System32\VMQbBkv.exe
  C:\Windows\System32\VMQbBkv.exe
  2⤵
  PID:12748
- C:\Windows\System32\zCvBQtO.exe
  C:\Windows\System32\zCvBQtO.exe
  2⤵
  PID:12772
- C:\Windows\System32\KnHVPnd.exe
  C:\Windows\System32\KnHVPnd.exe
  2⤵
  PID:12816
- C:\Windows\System32\kczvvVs.exe
  C:\Windows\System32\kczvvVs.exe
  2⤵
  PID:12868

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BrWtFmL.exe

Filesize
1.2MB

MD5
f448e987e3057921cf9bcfcb63e44aa1

SHA1
a143ee6e12e517eccd17089c18dab0070c6735d1

SHA256
93855aa86113534269440dc85c47f91a3012670f7ce44ce76c42295efeefee03

SHA512
28dc0eef40b6d8af72a91a544bd3a930028e62b8846b4622ec5fde8ce141061f14dd09972be9f05d695dd3631deb93817c6275b8075971fa6259415e17a16076

Download Submit
C:\Windows\System32\CLvhIjJ.exe

Filesize
1.2MB

MD5
e531087b625542b1fce4f3a11654405b

SHA1
703cc35d2c2cb22636ef7694cdc36afb5beee942

SHA256
3072ebf303db3e41ddb50bb5666f95b075c2a0786be86073e50b32b4df8408c1

SHA512
6673215bf6bc25f6690b0c87c0cbe0f3b30bd1305b228ca5946bf2cf74c95df0900e0c389d854ecb983854ec97c12e70adade7853c12104b9ff0c60a5985e16e

Download Submit
C:\Windows\System32\CdYJmDd.exe

Filesize
1.2MB

MD5
1485645370251a53acb8ec2fc7d2bf1b

SHA1
126b99849e8f8938b595bd588f7257464f770f6f

SHA256
9a3aa755a7d5a173b26e35f927b85f2a5583090177dac6eff787aaca9b9f1ab9

SHA512
b47d3152969212109b2126478fa0a38825fe0eb42d16e263d31d4d917d9524932249ec51aedf5248132c9f258aced0d11ab7324ee8ea4d536904361bb84c47ab

Download Submit
C:\Windows\System32\EoxKaDI.exe

Filesize
1.2MB

MD5
1761e1277d5e6a38de0da0b5db829139

SHA1
b3c00fee1b047c7294811d1283b453227f3144ed

SHA256
633485b43fa7c33dea1bfaab5da2369af61d92a50260e669fee3cc4d6d578a8a

SHA512
e88c1929e243e64c71d37271badfcac02fe5b2e8506d1b0253699906d0caabaef6b1f12def5ffcfa89a415f808ad1acdc6cf8e8462ab3496ba7910e99dcfcf48

Download Submit
C:\Windows\System32\MgITcIa.exe

Filesize
1.2MB

MD5
b248c60bcc088c77acc5e14ad096a545

SHA1
ba18595bff3aedc5887d273cf502d3d72a187e9d

SHA256
1c7fdc10bd47d1ad6bd1d2472ba8aee3ecaebdb7cfc1f39eb8ba102a298007bf

SHA512
90121e36afa6b491661b91487b80fbedd659727aff495568e8c29f42a838f70cd1c1b5521ffd2f877a276dad655849389e260249061a7bf41555afde28a43351

Download Submit
C:\Windows\System32\OATsBhC.exe

Filesize
1.2MB

MD5
d188d86f40f05c2f67905307d11d7990

SHA1
bd9f59517c2b0ec197d2f8cae2f8ba9f92762f52

SHA256
8a0a53bbb58f8e6a13b6a248b371249dde6980bbaf8d75b5a67113a705f0fbfc

SHA512
309d41db9720cbe99b15089a68161bd44e97315cb8a68117a7f95afd6c63e197510a4c2c307a7d7ba439effe587d99f143452f6745c668cb43445990c0721c58

Download Submit
C:\Windows\System32\PQrhQKt.exe

Filesize
1.2MB

MD5
2765c6d0c13f0383a1440dbf3fd050f5

SHA1
fe52c198f0ce2cac292828aab47b226b082aed1e

SHA256
37d320ac4659ae033d658abcf695e8a0bf43949de8ca467eeecb7fde50e16c7a

SHA512
d0753b69f7682aee6ab85354b27b7d97e7f2e8c1de062e58f5eec5b2383e2d96551d3df9b034ab5dd984c0b1640c1a5daab9facbabb3f6813fbf3d1ba96fee66

Download Submit
C:\Windows\System32\PmkspPB.exe

Filesize
1.2MB

MD5
c93d3aecc3034b2faf66e1472d4fbbda

SHA1
42a1959716c1b7d53abb5ac11724307888de02c9

SHA256
be76376367bfeb4cbd35a296cf02c22ff6636dc73f6d43f9cb68c90632bfd12e

SHA512
9f7f4a071652387a4b5bc21565e310f36d0025777d8a845e8a5e88c29fc0ba25f7f97f327bdfbae960af233693cb079c65a4e4361f6879320f0f13fe124fa1d9

Download Submit
C:\Windows\System32\PqsTieA.exe

Filesize
1.2MB

MD5
c1fdd1ce2b5bdcbc7c5b7876adef680f

SHA1
f1819bfdd016ae9824ae5a2fb40eb08a6c1b3576

SHA256
302347b38d442b09dbb8ab9a4c72fb9fa192437d9750aa6091b4e529c1a8e4d9

SHA512
c932fff50e8d3f11fa40aaaaa037c7fc9f44fb56a942ecd88f70fc4c2c2c3d19583306ee22fc3642cfb1747fbf86db816bbe4909674eae354f5e09be6cbd8601

Download Submit
C:\Windows\System32\TUVMBnl.exe

Filesize
1.2MB

MD5
acefd7b3e7a667b429faa984b94cf7e4

SHA1
cb3bdc72ed9d887a36da061795a66376b35c010f

SHA256
72e7e38097691248b0422e8282abbb68809d48fed6d99b18d88708d4679d1d46

SHA512
2f73b7601b8ceb3ccd863cca52a5e18e0ecce9f802e73ffa0d12fc342086762a6243b4b15eb85e9ec72ce09ae44bf96032742a4a2042ff250e54782a217e0921

Download Submit
C:\Windows\System32\TrcvvfF.exe

Filesize
1.2MB

MD5
24d0da2070cc6fc6e6af0202ee2b1c36

SHA1
a356e6579126b62223a0e968975ff7beae4631fe

SHA256
d342729ab4d0972722b9597259a46c3838cc75f134494644e2393ad7c9ad87d9

SHA512
26ea2647fb5b34de3ae3194889cf9c1dd973dc1dfa7ca5c4bb4ad3c9c37e0959454eb398d19a5257fda59346d5c055bfe6637caa6fa13f92f73a8a3ca4af93d8

Download Submit
C:\Windows\System32\VdomGJC.exe

Filesize
1.2MB

MD5
1e660cf1d10e7d17226463d3604ef48e

SHA1
fbb23ff86a4f4202fb86f3adcb6ef703e2de88ac

SHA256
a71451067265ac79653ec89e9ea6de3caa62c2711217325dc9975837557bc078

SHA512
e593433401d086e47e112f6642d26dbdd19c76fb56ad5fbb1074cdc9d4b956fb0fc36af0284d0f478fc46aa80f47a471f354908acd5587a901c3ee4bcc1ff656

Download Submit
C:\Windows\System32\YLXPjXH.exe

Filesize
1.2MB

MD5
88fca353e9b14c6860f7402639bb2922

SHA1
8b4ca443de633497d8747e0ede722628bafaa52c

SHA256
fcfbebf88c0c5e77fa23a7faee051527da113b7f5007c75810c98c2580dac545

SHA512
9671e2d80baaa3ff4e74fb5d31ab995fc6c99a159c3546edd88fb2a59fa2c7094d0f41ccd2701ffaaa14b5d8172dab718050d84d3c2882de21b2ef6d2a92e03c

Download Submit
C:\Windows\System32\byTnHUQ.exe

Filesize
1.2MB

MD5
04b82737da66ccc5ca221f209f2eb5f2

SHA1
3aed0bcd50c8f7361a879e153485a16055c88260

SHA256
6dcae7848a7755c1e1b4a45d6f594d2094b5448eeb1d98fd26a3e44f2f16f716

SHA512
94e57bbc8dc58e206225a34bae6a3fc7f5b853cea2b4ee8d1a4bf6badee2e2c943c069c728344ffe3cf683cbee364009af9062d1744099562f7241197c83308f

Download Submit
C:\Windows\System32\dTJtzLW.exe

Filesize
1.2MB

MD5
173c0c44be661490048dc435e30807da

SHA1
ed9cd6ea43a93aed7b6f5432542ba857c218ea53

SHA256
9a99e184ec6e422591f75af4b114312d4a2e4762a756c8289c31ad8d2d8b0348

SHA512
9a642ee7776cb60f1ca11a1bd4a3b131ac372ef92d5e9691836c245193383c6d63753233a488a09e05101c37b3b449bf625d17e02e80ff610b427615ab4490ab

Download Submit
C:\Windows\System32\gVLictl.exe

Filesize
1.2MB

MD5
5aa031c0325fd20950d2d171b6574369

SHA1
9327c7b25a1dd6f13db65047b43b4520aa520958

SHA256
6b41d96c2b024848f04056f758f145e28ebd855e009e68f27e9c41772c0b20a9

SHA512
4557ece6344177762b625cc595f05a3b5664768531144445ac88c94041c56ef30f5854d4d57c9f39cef8c721d471262817a03a9da32d605ff67837887f83d4ec

Download Submit
C:\Windows\System32\gXPAEAS.exe

Filesize
1.2MB

MD5
29930c020753225828c8f9b9f4ac4c5d

SHA1
033d0b5105a95d499e4dffdc65ca933591dbd12b

SHA256
ff5d93fb5b11f0e4cc2986d2c87ad6a4f4eb7baabbd7787235609d8e55e5b353

SHA512
f747b512cf4952eb6612a935a5f4878514235bcb00e0dad23eb0c93e056699dec95b91ffddf4904936370892241c89dc1fdae92a357952061218c8e5b27a7d61

Download Submit
C:\Windows\System32\gjnxFRV.exe

Filesize
1.2MB

MD5
783747aa566af3baa2661cba2c236d39

SHA1
b9dc26e9e60903696d8edd83e1ceeaaf93fed010

SHA256
40a6455bff4518453fcb927b74c5c89a0cfe0a28867e9ec2dd2bb99f7a7b1fe9

SHA512
de1e2748d17ff82f4f0c3581ca4b09db203984e392befd5bc8dbdad86c584f7d353c2dc3a4d94940b628dbb6945f1841eb5e7393337db2bc752b0123fb10068e

Download Submit
C:\Windows\System32\hdNNanJ.exe

Filesize
1.2MB

MD5
daed5545ba4272be95682f26dbcf0da2

SHA1
6840ab467d71b96ca3427726d6de562f206f8b88

SHA256
a95fb57b02ade7ff232eca3a1d7c957494ef2d835da714693ebf05046aefbfa3

SHA512
f7cbc91b8d93a9c9e93de7fe73e3aeed9de8060aeeb62519367b664de3d057bec2298a4ce1f6fab8d1a8d6eac7adb8d8de591d61e5369ad85f3864a20afa0a09

Download Submit
C:\Windows\System32\iKehBVU.exe

Filesize
1.2MB

MD5
0cc58c20acf1b142824b3bd27cfc4504

SHA1
fad6239cb9c5d5251b27b1669a237acc5a45d9bb

SHA256
00f816ceea62df470988baa406c22c81506d2335317958979f09ef41ca1e44a0

SHA512
72863be5f155545d0a224f82336733125e221e96d52f91c76274805ff066527310e4dda9f8cad67410f57425de1b53524843ebe4f8812663215c5201cd621929

Download Submit
C:\Windows\System32\imbPRcG.exe

Filesize
1.2MB

MD5
d27376a6ec8a0bfeafc59818ec278b2d

SHA1
c956e0192e7a6db59222560eadf16a8998b741bd

SHA256
84d1381e3d55e98b43700d9122bd83556fb3c01a0447988150d746d7d781ce22

SHA512
3a5e6f530d631692ecf8301d3fb2a50fd1c775387189954108385ce814d5b33ffe4541a6aada26289842c6513697b8beaf2a372d8d1c9af3ad80017651525415

Download Submit
C:\Windows\System32\lUUjyUs.exe

Filesize
1.2MB

MD5
c6d2e4d08ffc1c7a5b1e8534c74066cc

SHA1
1cd75d2d3e72fef2da50b82faf5546d987cba298

SHA256
25b965fb8fa451198ac4357ff70d8631c431a51bf8f55b214ebc72100e815f64

SHA512
aec5df542b2694ebaa8ed89597c3bc3b37d763b62b0f94eff3ea1c28c58bedc4b1dbe6d882238523467a70fc8042804e6cf948cc1af2c397a37b9668bd5dca16

Download Submit
C:\Windows\System32\niUunJp.exe

Filesize
1.2MB

MD5
d60dd0f1ee72755a92ff3aaa8d305e8a

SHA1
95a6cd7ca57ed8678c49f8401a097c30bcd2dba4

SHA256
6f59ac4fa4a92ea0e2331f7eb98e4502bcc1538b364404e071134367a71df9b3

SHA512
10593b87ca331278fadcd39ef0db82213e1aabc178fbc4e0094e1480c119e3a5c30f95c6b6261fdff3b382094129a29f8847f56cadb9ecda08b11c7baacbbef5

Download Submit
C:\Windows\System32\osvfIPE.exe

Filesize
1.2MB

MD5
3ec15e81ecb886aa68b02c43e18566f7

SHA1
b6de17311a773a9b534c2ed8fe2b0f7161cac216

SHA256
72f190ca0bfba9adfe52f840101fadcf0cb3f36f1f5dafd8174fc40ac530562c

SHA512
283201018236dfd78c377962c8a9089de75c4377242291a90b15d69c10c0117487b6cb02337ccd1494c354a9533ceb921792194b24d010589e456a7ac88702c5

Download Submit
C:\Windows\System32\pryjbsC.exe

Filesize
1.2MB

MD5
e791c96c6bd3ae9a862ca703c1ea5e3a

SHA1
0ad9c917d45d95698929c91e7d544b607ee699c5

SHA256
5afbc1ab585018ba5815d70e3002f13cd6ab0e9633b0b6e92fb431018933ee5b

SHA512
3839057a75fb7bf834295f5eb374709c10221bd3cf85ce7737e5c7ae6d7d7d101c8e942931890fd15de4669045c26b052da9f1ae500652762bb021870fc5e0ba

Download Submit
C:\Windows\System32\qBXIAHp.exe

Filesize
1.2MB

MD5
3ce5a90ce4141b145e7b7a0efe0569e9

SHA1
63bfd2b7f93c57acf92af403ce4e5e34609259d9

SHA256
d8e7fe784c3e19d9379e851724ba1ca2421a05d5853fab168b5c318e7d4ef2ae

SHA512
52e19e94aa5389f7542e279147d9465325ee1ec180bf24635814d5af7517c0c745caaf57a24d0e5e03e63bc66769b2484440f8612461cc6b29abc96e4e00b062

Download Submit
C:\Windows\System32\quPMusi.exe

Filesize
1.2MB

MD5
6051342950e675ebc55d60eb918bdc7b

SHA1
b69667858d7671f2641bdaf7b0e1868d91b796e7

SHA256
61594591233dce9a4b7db39758f8815e7c4091bf3d320778b8379ee9a3f2748c

SHA512
5f378317089d2f1bba1e42fb8dc40fed2e5ec68412a6928255535d89fdf20100f478db6aaf2f5e3880b46072e161ae27a77beeed1eba7a6176d2dd9e3e60c994

Download Submit
C:\Windows\System32\sphdXZZ.exe

Filesize
1.2MB

MD5
efd7441ad45d3d148718f1cfd351ce07

SHA1
1e37ffd7c00bb4fa787641817650e2224ea24b62

SHA256
a24dcbd3af50098bcd30e7179e58c6d9c2c307f4b01dc37415b8bc638d7069d6

SHA512
7639f790a30b1ee06a9c37ca8a12fbceb113aced62cbb78166d0f8883752e6f76d6b5998a2863ac3acd0fc8f1594725479248b005486bfc8d052e3602e4f6148

Download Submit
C:\Windows\System32\tDLYVrF.exe

Filesize
1.2MB

MD5
3b2c6e6882295d44e35062ee68222055

SHA1
cb263925f8a4efa77c4ec67b9389c9fd59e0a42b

SHA256
3240938cf64a95ded987fdf38bb0573081322aa5be3f54ca43302060c97b5d93

SHA512
09b60c6a8b9af60613d1499626254b4580b967bd4d6c414d94f7c6313c93cf8be4dfb274422ab5a251fe1200ad1f8016082e0979cb361fe7b6390dcc6a51deda

Download Submit
C:\Windows\System32\urCxKkv.exe

Filesize
1.2MB

MD5
dcec4618959dc6a615d18811956e708e

SHA1
acfc77574d4c6cf4fe7331cc09bc7ed7d05f9ad2

SHA256
275c5170a5d0d18227243302f048f6502113a719a72da4530dbeda179bf5ce97

SHA512
fbb37ce8628d9cb273206687237fd574d9379bdad90fafe1e02c57156fdaa4ff3469147bbda9477166d765a959de1a4135536314bf4d7516f664000e367f5897

Download Submit
C:\Windows\System32\xtQdWPh.exe

Filesize
1.2MB

MD5
5a62d54c09f556ba82cd8d44fd52b1f8

SHA1
87f6f0c866b3abfc2d9ed880f37be9c73e2a5409

SHA256
617b097fd0d6b0e1f679244e689d7d1abcbb58c8ac74a94aefb4f2b25871ca61

SHA512
6e33851f40c67dbe81e9872e71f75ad3eab089e892d087270b35c31720d9b09ec9a2b146c5facdffb36a0ec48eeacb3e383c6ce40740167a7e07187d248f0734

Download Submit
C:\Windows\System32\yCVaijZ.exe

Filesize
1.2MB

MD5
83fbdf4ce066e9ec18445bfb925a3cb9

SHA1
4077db63e2d103ecee287595fc410ee4d8eb4460

SHA256
47f7c37b36bae9647a39d48c7cf916c05e8df0f25b4ab461215e1fc7e685bc49

SHA512
cc44bca24cfea7896d46253d5e1c1f75ed2dc57bcb43b4d5e738213a1dec2e985190531eae7ff06ae8831858504a04d590b96031a0609ebec99d04f9c5c73228

Download Submit
memory/432-2006-0x00007FF60C560000-0x00007FF60C951000-memory.dmp

Filesize
3.9MB

Download
memory/432-2012-0x00007FF60C560000-0x00007FF60C951000-memory.dmp

Filesize
3.9MB

Download
memory/432-20-0x00007FF60C560000-0x00007FF60C951000-memory.dmp

Filesize
3.9MB

Download
memory/1016-2029-0x00007FF6CE590000-0x00007FF6CE981000-memory.dmp

Filesize
3.9MB

Download
memory/1016-384-0x00007FF6CE590000-0x00007FF6CE981000-memory.dmp

Filesize
3.9MB

Download
memory/1020-460-0x00007FF7B39B0000-0x00007FF7B3DA1000-memory.dmp

Filesize
3.9MB

Download
memory/1020-2060-0x00007FF7B39B0000-0x00007FF7B3DA1000-memory.dmp

Filesize
3.9MB

Download
memory/1112-0-0x00007FF69C250000-0x00007FF69C641000-memory.dmp

Filesize
3.9MB

Download
memory/1112-1-0x000001C6C08A0000-0x000001C6C08B0000-memory.dmp

Filesize
64KB

Download
memory/1192-369-0x00007FF672790000-0x00007FF672B81000-memory.dmp

Filesize
3.9MB

Download
memory/1192-2022-0x00007FF672790000-0x00007FF672B81000-memory.dmp

Filesize
3.9MB

Download
memory/1356-434-0x00007FF7CD820000-0x00007FF7CDC11000-memory.dmp

Filesize
3.9MB

Download
memory/1356-2052-0x00007FF7CD820000-0x00007FF7CDC11000-memory.dmp

Filesize
3.9MB

Download
memory/1376-2016-0x00007FF688CF0000-0x00007FF6890E1000-memory.dmp

Filesize
3.9MB

Download
memory/1376-552-0x00007FF688CF0000-0x00007FF6890E1000-memory.dmp

Filesize
3.9MB

Download
memory/1460-2049-0x00007FF64D400000-0x00007FF64D7F1000-memory.dmp

Filesize
3.9MB

Download
memory/1460-448-0x00007FF64D400000-0x00007FF64D7F1000-memory.dmp

Filesize
3.9MB

Download
memory/1780-398-0x00007FF622740000-0x00007FF622B31000-memory.dmp

Filesize
3.9MB

Download
memory/1780-2034-0x00007FF622740000-0x00007FF622B31000-memory.dmp

Filesize
3.9MB

Download
memory/1996-2027-0x00007FF6E2AA0000-0x00007FF6E2E91000-memory.dmp

Filesize
3.9MB

Download
memory/1996-389-0x00007FF6E2AA0000-0x00007FF6E2E91000-memory.dmp

Filesize
3.9MB

Download
memory/2040-2007-0x00007FF7145F0000-0x00007FF7149E1000-memory.dmp

Filesize
3.9MB

Download
memory/2040-32-0x00007FF7145F0000-0x00007FF7149E1000-memory.dmp

Filesize
3.9MB

Download
memory/2040-2014-0x00007FF7145F0000-0x00007FF7149E1000-memory.dmp

Filesize
3.9MB

Download
memory/2096-372-0x00007FF7EBAE0000-0x00007FF7EBED1000-memory.dmp

Filesize
3.9MB

Download
memory/2096-2026-0x00007FF7EBAE0000-0x00007FF7EBED1000-memory.dmp

Filesize
3.9MB

Download
memory/2288-418-0x00007FF7B31A0000-0x00007FF7B3591000-memory.dmp

Filesize
3.9MB

Download
memory/2288-2040-0x00007FF7B31A0000-0x00007FF7B3591000-memory.dmp

Filesize
3.9MB

Download
memory/2604-411-0x00007FF61A050000-0x00007FF61A441000-memory.dmp

Filesize
3.9MB

Download
memory/2604-2038-0x00007FF61A050000-0x00007FF61A441000-memory.dmp

Filesize
3.9MB

Download
memory/2644-432-0x00007FF7059E0000-0x00007FF705DD1000-memory.dmp

Filesize
3.9MB

Download
memory/2644-2053-0x00007FF7059E0000-0x00007FF705DD1000-memory.dmp

Filesize
3.9MB

Download
memory/3216-379-0x00007FF7CD750000-0x00007FF7CDB41000-memory.dmp

Filesize
3.9MB

Download
memory/3216-2031-0x00007FF7CD750000-0x00007FF7CDB41000-memory.dmp

Filesize
3.9MB

Download
memory/3280-2033-0x00007FF7B9C00000-0x00007FF7B9FF1000-memory.dmp

Filesize
3.9MB

Download
memory/3280-555-0x00007FF7B9C00000-0x00007FF7B9FF1000-memory.dmp

Filesize
3.9MB

Download
memory/3812-458-0x00007FF691100000-0x00007FF6914F1000-memory.dmp

Filesize
3.9MB

Download
memory/3812-2054-0x00007FF691100000-0x00007FF6914F1000-memory.dmp

Filesize
3.9MB

Download
memory/3864-38-0x00007FF69BC30000-0x00007FF69C021000-memory.dmp

Filesize
3.9MB

Download
memory/3864-2008-0x00007FF69BC30000-0x00007FF69C021000-memory.dmp

Filesize
3.9MB

Download
memory/3864-2020-0x00007FF69BC30000-0x00007FF69C021000-memory.dmp

Filesize
3.9MB

Download
memory/3920-474-0x00007FF6BD930000-0x00007FF6BDD21000-memory.dmp

Filesize
3.9MB

Download
memory/3920-2018-0x00007FF6BD930000-0x00007FF6BDD21000-memory.dmp

Filesize
3.9MB

Download
memory/4112-2042-0x00007FF6584D0000-0x00007FF6588C1000-memory.dmp

Filesize
3.9MB

Download
memory/4112-424-0x00007FF6584D0000-0x00007FF6588C1000-memory.dmp

Filesize
3.9MB

Download
memory/4336-404-0x00007FF705530000-0x00007FF705921000-memory.dmp

Filesize
3.9MB

Download
memory/4336-2036-0x00007FF705530000-0x00007FF705921000-memory.dmp

Filesize
3.9MB

Download
memory/4652-2058-0x00007FF7E4A80000-0x00007FF7E4E71000-memory.dmp

Filesize
3.9MB

Download
memory/4652-450-0x00007FF7E4A80000-0x00007FF7E4E71000-memory.dmp

Filesize
3.9MB

Download
memory/4884-11-0x00007FF6C25E0000-0x00007FF6C29D1000-memory.dmp

Filesize
3.9MB

Download
memory/4884-2010-0x00007FF6C25E0000-0x00007FF6C29D1000-memory.dmp

Filesize
3.9MB

Download
memory/4920-2056-0x00007FF623690000-0x00007FF623A81000-memory.dmp

Filesize
3.9MB

Download
memory/4920-451-0x00007FF623690000-0x00007FF623A81000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads