xmrig | ce1a5c9f0d7b55fd69f52153ca1ba647ecd7710a3a3f71d93a4356b9192afb18

Analysis

max time kernel
127s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
Size

1.2MB
MD5

091327fd26278605cf69936f612ab01b
SHA1

499d18e9e08af8cf512321191e6b8eb2e7617874
SHA256

ce1a5c9f0d7b55fd69f52153ca1ba647ecd7710a3a3f71d93a4356b9192afb18
SHA512

60c47295b18809a74645a7e118b4e0489c2e03dd0d5e516e5587369c9a51bf5f319922fe8251d40912c0c273c683d9cc529ae078378f1ca5b6accca3868da810
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1Th/:knw9oUUEEDl37jcq4nPs

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4176-384-0x00007FF6AF790000-0x00007FF6AFB81000-memory.dmp	xmrig
behavioral2/memory/3208-12-0x00007FF7109E0000-0x00007FF710DD1000-memory.dmp	xmrig
behavioral2/memory/3216-393-0x00007FF65FEE0000-0x00007FF6602D1000-memory.dmp	xmrig
behavioral2/memory/3504-387-0x00007FF625410000-0x00007FF625801000-memory.dmp	xmrig
behavioral2/memory/1292-396-0x00007FF6163E0000-0x00007FF6167D1000-memory.dmp	xmrig
behavioral2/memory/3868-404-0x00007FF7A3310000-0x00007FF7A3701000-memory.dmp	xmrig
behavioral2/memory/4040-420-0x00007FF686130000-0x00007FF686521000-memory.dmp	xmrig
behavioral2/memory/424-426-0x00007FF75D340000-0x00007FF75D731000-memory.dmp	xmrig
behavioral2/memory/1684-413-0x00007FF6FAFE0000-0x00007FF6FB3D1000-memory.dmp	xmrig
behavioral2/memory/3036-428-0x00007FF647F90000-0x00007FF648381000-memory.dmp	xmrig
behavioral2/memory/3308-431-0x00007FF793460000-0x00007FF793851000-memory.dmp	xmrig
behavioral2/memory/4864-452-0x00007FF76DCE0000-0x00007FF76E0D1000-memory.dmp	xmrig
behavioral2/memory/976-446-0x00007FF72B630000-0x00007FF72BA21000-memory.dmp	xmrig
behavioral2/memory/1992-438-0x00007FF692140000-0x00007FF692531000-memory.dmp	xmrig
behavioral2/memory/4028-463-0x00007FF761560000-0x00007FF761951000-memory.dmp	xmrig
behavioral2/memory/4728-472-0x00007FF71E000000-0x00007FF71E3F1000-memory.dmp	xmrig
behavioral2/memory/1476-481-0x00007FF7DD1F0000-0x00007FF7DD5E1000-memory.dmp	xmrig
behavioral2/memory/1928-480-0x00007FF7A50C0000-0x00007FF7A54B1000-memory.dmp	xmrig
behavioral2/memory/1648-471-0x00007FF6C5F50000-0x00007FF6C6341000-memory.dmp	xmrig
behavioral2/memory/3512-2003-0x00007FF6D1EC0000-0x00007FF6D22B1000-memory.dmp	xmrig
behavioral2/memory/4648-2004-0x00007FF78E2F0000-0x00007FF78E6E1000-memory.dmp	xmrig
behavioral2/memory/2808-2005-0x00007FF787220000-0x00007FF787611000-memory.dmp	xmrig
behavioral2/memory/2036-2011-0x00007FF706130000-0x00007FF706521000-memory.dmp	xmrig
behavioral2/memory/1812-2009-0x00007FF6439C0000-0x00007FF643DB1000-memory.dmp	xmrig
behavioral2/memory/3208-2013-0x00007FF7109E0000-0x00007FF710DD1000-memory.dmp	xmrig
behavioral2/memory/1812-2015-0x00007FF6439C0000-0x00007FF643DB1000-memory.dmp	xmrig
behavioral2/memory/4728-2017-0x00007FF71E000000-0x00007FF71E3F1000-memory.dmp	xmrig
behavioral2/memory/4648-2021-0x00007FF78E2F0000-0x00007FF78E6E1000-memory.dmp	xmrig
behavioral2/memory/1928-2027-0x00007FF7A50C0000-0x00007FF7A54B1000-memory.dmp	xmrig
behavioral2/memory/2808-2025-0x00007FF787220000-0x00007FF787611000-memory.dmp	xmrig
behavioral2/memory/2036-2023-0x00007FF706130000-0x00007FF706521000-memory.dmp	xmrig
behavioral2/memory/3512-2019-0x00007FF6D1EC0000-0x00007FF6D22B1000-memory.dmp	xmrig
behavioral2/memory/4176-2029-0x00007FF6AF790000-0x00007FF6AFB81000-memory.dmp	xmrig
behavioral2/memory/1476-2031-0x00007FF7DD1F0000-0x00007FF7DD5E1000-memory.dmp	xmrig
behavioral2/memory/3308-2049-0x00007FF793460000-0x00007FF793851000-memory.dmp	xmrig
behavioral2/memory/1684-2047-0x00007FF6FAFE0000-0x00007FF6FB3D1000-memory.dmp	xmrig
behavioral2/memory/1292-2043-0x00007FF6163E0000-0x00007FF6167D1000-memory.dmp	xmrig
behavioral2/memory/3036-2041-0x00007FF647F90000-0x00007FF648381000-memory.dmp	xmrig
behavioral2/memory/4040-2037-0x00007FF686130000-0x00007FF686521000-memory.dmp	xmrig
behavioral2/memory/3216-2035-0x00007FF65FEE0000-0x00007FF6602D1000-memory.dmp	xmrig
behavioral2/memory/3504-2033-0x00007FF625410000-0x00007FF625801000-memory.dmp	xmrig
behavioral2/memory/3868-2045-0x00007FF7A3310000-0x00007FF7A3701000-memory.dmp	xmrig
behavioral2/memory/424-2039-0x00007FF75D340000-0x00007FF75D731000-memory.dmp	xmrig
behavioral2/memory/1992-2057-0x00007FF692140000-0x00007FF692531000-memory.dmp	xmrig
behavioral2/memory/976-2055-0x00007FF72B630000-0x00007FF72BA21000-memory.dmp	xmrig
behavioral2/memory/4028-2051-0x00007FF761560000-0x00007FF761951000-memory.dmp	xmrig
behavioral2/memory/4864-2053-0x00007FF76DCE0000-0x00007FF76E0D1000-memory.dmp	xmrig
behavioral2/memory/1648-2070-0x00007FF6C5F50000-0x00007FF6C6341000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3208	JmUznxc.exe
3512	DSZnLGx.exe
1812	wDLQWxf.exe
4728	bjBEouv.exe
4648	gpYaEIu.exe
1928	DFVwxIC.exe
2036	QpTxbcA.exe
2808	ujxOlBK.exe
1476	WpEXKER.exe
4176	aZexxfS.exe
3504	xuMaqYP.exe
3216	EMoiHRh.exe
1292	jevEhNz.exe
3868	vbDXTVM.exe
1684	CRbOxXK.exe
4040	YyKQPRG.exe
424	PoSDmOM.exe
3036	SlsLOGQ.exe
3308	OIiyBhY.exe
1992	jvBvDZM.exe
976	sMSbOcT.exe
4864	QiODTGg.exe
4028	CgJWBYg.exe
1648	yWFbTdV.exe
4080	llVhzJn.exe
3528	zzQmyir.exe
2244	ABHdJFh.exe
2336	YGmneBR.exe
4488	yyvJarP.exe
2008	TXCPGwH.exe
3264	FDMDuPQ.exe
2404	UBVQyWy.exe
1072	rIpgfuV.exe
1240	rDyOwFa.exe
4988	TcVBeSa.exe
400	IkRHQDI.exe
332	cDPfjcT.exe
452	RrrefqK.exe
5068	Ypkfius.exe
2260	VVmJQER.exe
4132	NSwOjcm.exe
4392	nEUNTkX.exe
952	PcVwUSg.exe
3740	KexlAdL.exe
748	peszwgd.exe
3936	XrxyRKx.exe
1116	hOYeLOI.exe
4468	GQZEqaS.exe
1376	aZYIitE.exe
3708	CbqadrP.exe
3780	khlCdvW.exe
4416	KgjUkNQ.exe
2848	qDZpTgq.exe
4928	umUYimD.exe
2692	UHAEvYF.exe
1816	iZdiDdc.exe
4600	mvZiSpW.exe
3084	lyGVmLJ.exe
2752	PzvqwSM.exe
3080	XYUQoOi.exe
1836	MMGFWrC.exe
1440	aKzqLrh.exe
3736	UfKvFMw.exe
2068	sAwsPwQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4048-0-0x00007FF6A1930000-0x00007FF6A1D21000-memory.dmp	upx
behavioral2/files/0x000c000000023b47-4.dat	upx
behavioral2/files/0x000a000000023ba4-15.dat	upx
behavioral2/files/0x000c000000023ba0-16.dat	upx
behavioral2/files/0x000a000000023ba9-41.dat	upx
behavioral2/memory/4648-42-0x00007FF78E2F0000-0x00007FF78E6E1000-memory.dmp	upx
behavioral2/files/0x000a000000023bab-51.dat	upx
behavioral2/files/0x000a000000023baa-59.dat	upx
behavioral2/files/0x000a000000023bb2-91.dat	upx
behavioral2/files/0x0031000000023bb4-101.dat	upx
behavioral2/files/0x000a000000023bb7-114.dat	upx
behavioral2/files/0x000a000000023bb9-126.dat	upx
behavioral2/files/0x000a000000023bbc-139.dat	upx
behavioral2/files/0x000a000000023bbe-151.dat	upx
behavioral2/files/0x000a000000023bc1-166.dat	upx
behavioral2/memory/2808-380-0x00007FF787220000-0x00007FF787611000-memory.dmp	upx
behavioral2/memory/4176-384-0x00007FF6AF790000-0x00007FF6AFB81000-memory.dmp	upx
behavioral2/files/0x000a000000023bc0-161.dat	upx
behavioral2/files/0x000a000000023bbf-156.dat	upx
behavioral2/files/0x000a000000023bbd-146.dat	upx
behavioral2/files/0x000a000000023bbb-136.dat	upx
behavioral2/files/0x000a000000023bba-131.dat	upx
behavioral2/files/0x000a000000023bb8-121.dat	upx
behavioral2/files/0x0031000000023bb6-111.dat	upx
behavioral2/files/0x0031000000023bb5-106.dat	upx
behavioral2/files/0x000a000000023bb3-96.dat	upx
behavioral2/files/0x000a000000023bb1-86.dat	upx
behavioral2/files/0x000a000000023bb0-81.dat	upx
behavioral2/files/0x000a000000023baf-76.dat	upx
behavioral2/files/0x000a000000023bae-71.dat	upx
behavioral2/files/0x000a000000023bad-66.dat	upx
behavioral2/files/0x000a000000023bac-61.dat	upx
behavioral2/memory/2036-49-0x00007FF706130000-0x00007FF706521000-memory.dmp	upx
behavioral2/files/0x000a000000023ba8-46.dat	upx
behavioral2/files/0x000a000000023ba7-38.dat	upx
behavioral2/files/0x000a000000023ba6-34.dat	upx
behavioral2/files/0x000a000000023ba5-32.dat	upx
behavioral2/memory/1812-30-0x00007FF6439C0000-0x00007FF643DB1000-memory.dmp	upx
behavioral2/memory/3512-22-0x00007FF6D1EC0000-0x00007FF6D22B1000-memory.dmp	upx
behavioral2/memory/3208-12-0x00007FF7109E0000-0x00007FF710DD1000-memory.dmp	upx
behavioral2/memory/3216-393-0x00007FF65FEE0000-0x00007FF6602D1000-memory.dmp	upx
behavioral2/memory/3504-387-0x00007FF625410000-0x00007FF625801000-memory.dmp	upx
behavioral2/memory/1292-396-0x00007FF6163E0000-0x00007FF6167D1000-memory.dmp	upx
behavioral2/memory/3868-404-0x00007FF7A3310000-0x00007FF7A3701000-memory.dmp	upx
behavioral2/memory/4040-420-0x00007FF686130000-0x00007FF686521000-memory.dmp	upx
behavioral2/memory/424-426-0x00007FF75D340000-0x00007FF75D731000-memory.dmp	upx
behavioral2/memory/1684-413-0x00007FF6FAFE0000-0x00007FF6FB3D1000-memory.dmp	upx
behavioral2/memory/3036-428-0x00007FF647F90000-0x00007FF648381000-memory.dmp	upx
behavioral2/memory/3308-431-0x00007FF793460000-0x00007FF793851000-memory.dmp	upx
behavioral2/memory/4864-452-0x00007FF76DCE0000-0x00007FF76E0D1000-memory.dmp	upx
behavioral2/memory/976-446-0x00007FF72B630000-0x00007FF72BA21000-memory.dmp	upx
behavioral2/memory/1992-438-0x00007FF692140000-0x00007FF692531000-memory.dmp	upx
behavioral2/memory/4028-463-0x00007FF761560000-0x00007FF761951000-memory.dmp	upx
behavioral2/memory/4728-472-0x00007FF71E000000-0x00007FF71E3F1000-memory.dmp	upx
behavioral2/memory/1476-481-0x00007FF7DD1F0000-0x00007FF7DD5E1000-memory.dmp	upx
behavioral2/memory/1928-480-0x00007FF7A50C0000-0x00007FF7A54B1000-memory.dmp	upx
behavioral2/memory/1648-471-0x00007FF6C5F50000-0x00007FF6C6341000-memory.dmp	upx
behavioral2/memory/3512-2003-0x00007FF6D1EC0000-0x00007FF6D22B1000-memory.dmp	upx
behavioral2/memory/4648-2004-0x00007FF78E2F0000-0x00007FF78E6E1000-memory.dmp	upx
behavioral2/memory/2808-2005-0x00007FF787220000-0x00007FF787611000-memory.dmp	upx
behavioral2/memory/2036-2011-0x00007FF706130000-0x00007FF706521000-memory.dmp	upx
behavioral2/memory/1812-2009-0x00007FF6439C0000-0x00007FF643DB1000-memory.dmp	upx
behavioral2/memory/3208-2013-0x00007FF7109E0000-0x00007FF710DD1000-memory.dmp	upx
behavioral2/memory/1812-2015-0x00007FF6439C0000-0x00007FF643DB1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\gxAXdpA.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\qyysCaH.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\KbRfSbE.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\sYqnBAG.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\MsBhhyb.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\ebxyYfI.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\IcSIxpO.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\jZwgXOR.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\uxDTCah.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\ZZrthOo.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\QqLxEES.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\kCBsfAn.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\xQqZjZv.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\UAKlkiO.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\nNuRlJr.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\sMSbOcT.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\Ypkfius.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\XQCgtkQ.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\VGrZhfJ.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\dvZLgHl.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\wDlCZdw.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\DcRsQEy.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\uCmvlal.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\JRZALew.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\pUagTXI.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\UeESKss.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\ArOcNAf.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\exqXNje.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\KexlAdL.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\PheMjAe.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\ZcBkBGQ.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\ZMQIQaP.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\wDLQWxf.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\mfcjjtv.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\wIjsfei.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\qUIYPtV.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\qmYWrjh.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\AwhHvxX.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\OMNyCET.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\CmVQgZp.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\rDyOwFa.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\CbqadrP.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\xfVBNgP.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\RTPFGgD.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\ZMJvwyc.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\IiOgbzN.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\VGOnyIe.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\PymTedl.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\BMJnFqX.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\NoHCwxO.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\IWjJxbr.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\bpHpbNH.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\hYAvqvS.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\aUvkeBm.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\EiunSzp.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\KGMUxZz.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\ItSmqsj.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\iQSDAzS.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\ysJfDQp.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\xwKjAkH.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\UYJjsmJ.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\hVTXYec.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\riTTNss.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
File created	C:\Windows\System32\dzEzhsu.exe	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4808	dwm.exe
Token: SeChangeNotifyPrivilege	4808	dwm.exe
Token: 33	4808	dwm.exe
Token: SeIncBasePriorityPrivilege	4808	dwm.exe
Token: SeShutdownPrivilege	4808	dwm.exe
Token: SeCreatePagefilePrivilege	4808	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 3208	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	86
PID 4048 wrote to memory of 3208	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	86
PID 4048 wrote to memory of 1812	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	87
PID 4048 wrote to memory of 1812	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	87
PID 4048 wrote to memory of 3512	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	88
PID 4048 wrote to memory of 3512	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	88
PID 4048 wrote to memory of 4728	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	89
PID 4048 wrote to memory of 4728	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	89
PID 4048 wrote to memory of 4648	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	90
PID 4048 wrote to memory of 4648	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	90
PID 4048 wrote to memory of 1928	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	91
PID 4048 wrote to memory of 1928	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	91
PID 4048 wrote to memory of 2036	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	92
PID 4048 wrote to memory of 2036	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	92
PID 4048 wrote to memory of 2808	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	93
PID 4048 wrote to memory of 2808	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	93
PID 4048 wrote to memory of 1476	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	94
PID 4048 wrote to memory of 1476	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	94
PID 4048 wrote to memory of 4176	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	95
PID 4048 wrote to memory of 4176	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	95
PID 4048 wrote to memory of 3504	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	96
PID 4048 wrote to memory of 3504	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	96
PID 4048 wrote to memory of 3216	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	97
PID 4048 wrote to memory of 3216	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	97
PID 4048 wrote to memory of 1292	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	98
PID 4048 wrote to memory of 1292	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	98
PID 4048 wrote to memory of 3868	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	99
PID 4048 wrote to memory of 3868	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	99
PID 4048 wrote to memory of 1684	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	100
PID 4048 wrote to memory of 1684	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	100
PID 4048 wrote to memory of 4040	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	101
PID 4048 wrote to memory of 4040	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	101
PID 4048 wrote to memory of 424	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	102
PID 4048 wrote to memory of 424	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	102
PID 4048 wrote to memory of 3036	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	103
PID 4048 wrote to memory of 3036	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	103
PID 4048 wrote to memory of 3308	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	104
PID 4048 wrote to memory of 3308	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	104
PID 4048 wrote to memory of 1992	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	105
PID 4048 wrote to memory of 1992	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	105
PID 4048 wrote to memory of 976	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	106
PID 4048 wrote to memory of 976	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	106
PID 4048 wrote to memory of 4864	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	107
PID 4048 wrote to memory of 4864	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	107
PID 4048 wrote to memory of 4028	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	108
PID 4048 wrote to memory of 4028	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	108
PID 4048 wrote to memory of 1648	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	109
PID 4048 wrote to memory of 1648	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	109
PID 4048 wrote to memory of 4080	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	110
PID 4048 wrote to memory of 4080	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	110
PID 4048 wrote to memory of 3528	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	111
PID 4048 wrote to memory of 3528	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	111
PID 4048 wrote to memory of 2244	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	112
PID 4048 wrote to memory of 2244	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	112
PID 4048 wrote to memory of 2336	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	113
PID 4048 wrote to memory of 2336	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	113
PID 4048 wrote to memory of 4488	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	114
PID 4048 wrote to memory of 4488	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	114
PID 4048 wrote to memory of 2008	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	115
PID 4048 wrote to memory of 2008	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	115
PID 4048 wrote to memory of 3264	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	116
PID 4048 wrote to memory of 3264	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	116
PID 4048 wrote to memory of 2404	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	117
PID 4048 wrote to memory of 2404	4048	091327fd26278605cf69936f612ab01b_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\091327fd26278605cf69936f612ab01b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\091327fd26278605cf69936f612ab01b_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\System32\JmUznxc.exe
  C:\Windows\System32\JmUznxc.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System32\wDLQWxf.exe
  C:\Windows\System32\wDLQWxf.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\DSZnLGx.exe
  C:\Windows\System32\DSZnLGx.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\bjBEouv.exe
  C:\Windows\System32\bjBEouv.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\gpYaEIu.exe
  C:\Windows\System32\gpYaEIu.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System32\DFVwxIC.exe
  C:\Windows\System32\DFVwxIC.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System32\QpTxbcA.exe
  C:\Windows\System32\QpTxbcA.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System32\ujxOlBK.exe
  C:\Windows\System32\ujxOlBK.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System32\WpEXKER.exe
  C:\Windows\System32\WpEXKER.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System32\aZexxfS.exe
  C:\Windows\System32\aZexxfS.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System32\xuMaqYP.exe
  C:\Windows\System32\xuMaqYP.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System32\EMoiHRh.exe
  C:\Windows\System32\EMoiHRh.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\jevEhNz.exe
  C:\Windows\System32\jevEhNz.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\vbDXTVM.exe
  C:\Windows\System32\vbDXTVM.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System32\CRbOxXK.exe
  C:\Windows\System32\CRbOxXK.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System32\YyKQPRG.exe
  C:\Windows\System32\YyKQPRG.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System32\PoSDmOM.exe
  C:\Windows\System32\PoSDmOM.exe
  2⤵
  - Executes dropped EXE
  PID:424
- C:\Windows\System32\SlsLOGQ.exe
  C:\Windows\System32\SlsLOGQ.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\OIiyBhY.exe
  C:\Windows\System32\OIiyBhY.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System32\jvBvDZM.exe
  C:\Windows\System32\jvBvDZM.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System32\sMSbOcT.exe
  C:\Windows\System32\sMSbOcT.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System32\QiODTGg.exe
  C:\Windows\System32\QiODTGg.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\CgJWBYg.exe
  C:\Windows\System32\CgJWBYg.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\yWFbTdV.exe
  C:\Windows\System32\yWFbTdV.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\llVhzJn.exe
  C:\Windows\System32\llVhzJn.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\zzQmyir.exe
  C:\Windows\System32\zzQmyir.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System32\ABHdJFh.exe
  C:\Windows\System32\ABHdJFh.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System32\YGmneBR.exe
  C:\Windows\System32\YGmneBR.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System32\yyvJarP.exe
  C:\Windows\System32\yyvJarP.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\TXCPGwH.exe
  C:\Windows\System32\TXCPGwH.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System32\FDMDuPQ.exe
  C:\Windows\System32\FDMDuPQ.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\UBVQyWy.exe
  C:\Windows\System32\UBVQyWy.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\rIpgfuV.exe
  C:\Windows\System32\rIpgfuV.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System32\rDyOwFa.exe
  C:\Windows\System32\rDyOwFa.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System32\TcVBeSa.exe
  C:\Windows\System32\TcVBeSa.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\IkRHQDI.exe
  C:\Windows\System32\IkRHQDI.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\cDPfjcT.exe
  C:\Windows\System32\cDPfjcT.exe
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\System32\RrrefqK.exe
  C:\Windows\System32\RrrefqK.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System32\Ypkfius.exe
  C:\Windows\System32\Ypkfius.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\VVmJQER.exe
  C:\Windows\System32\VVmJQER.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System32\NSwOjcm.exe
  C:\Windows\System32\NSwOjcm.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\nEUNTkX.exe
  C:\Windows\System32\nEUNTkX.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System32\PcVwUSg.exe
  C:\Windows\System32\PcVwUSg.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System32\KexlAdL.exe
  C:\Windows\System32\KexlAdL.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\peszwgd.exe
  C:\Windows\System32\peszwgd.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System32\XrxyRKx.exe
  C:\Windows\System32\XrxyRKx.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System32\hOYeLOI.exe
  C:\Windows\System32\hOYeLOI.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System32\GQZEqaS.exe
  C:\Windows\System32\GQZEqaS.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\aZYIitE.exe
  C:\Windows\System32\aZYIitE.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\CbqadrP.exe
  C:\Windows\System32\CbqadrP.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\khlCdvW.exe
  C:\Windows\System32\khlCdvW.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System32\KgjUkNQ.exe
  C:\Windows\System32\KgjUkNQ.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\qDZpTgq.exe
  C:\Windows\System32\qDZpTgq.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System32\umUYimD.exe
  C:\Windows\System32\umUYimD.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\UHAEvYF.exe
  C:\Windows\System32\UHAEvYF.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\iZdiDdc.exe
  C:\Windows\System32\iZdiDdc.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System32\mvZiSpW.exe
  C:\Windows\System32\mvZiSpW.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\lyGVmLJ.exe
  C:\Windows\System32\lyGVmLJ.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System32\PzvqwSM.exe
  C:\Windows\System32\PzvqwSM.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\XYUQoOi.exe
  C:\Windows\System32\XYUQoOi.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\MMGFWrC.exe
  C:\Windows\System32\MMGFWrC.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\aKzqLrh.exe
  C:\Windows\System32\aKzqLrh.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\UfKvFMw.exe
  C:\Windows\System32\UfKvFMw.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System32\sAwsPwQ.exe
  C:\Windows\System32\sAwsPwQ.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\bkAbZvY.exe
  C:\Windows\System32\bkAbZvY.exe
  2⤵
  PID:3692
- C:\Windows\System32\NrvjFRO.exe
  C:\Windows\System32\NrvjFRO.exe
  2⤵
  PID:2176
- C:\Windows\System32\WmeGqlh.exe
  C:\Windows\System32\WmeGqlh.exe
  2⤵
  PID:1348
- C:\Windows\System32\SQDYqBH.exe
  C:\Windows\System32\SQDYqBH.exe
  2⤵
  PID:5080
- C:\Windows\System32\xAbGvNl.exe
  C:\Windows\System32\xAbGvNl.exe
  2⤵
  PID:3468
- C:\Windows\System32\sbyxIlk.exe
  C:\Windows\System32\sbyxIlk.exe
  2⤵
  PID:2928
- C:\Windows\System32\kOVMSkt.exe
  C:\Windows\System32\kOVMSkt.exe
  2⤵
  PID:4060
- C:\Windows\System32\xtmEkhP.exe
  C:\Windows\System32\xtmEkhP.exe
  2⤵
  PID:4900
- C:\Windows\System32\QaCGgJW.exe
  C:\Windows\System32\QaCGgJW.exe
  2⤵
  PID:2332
- C:\Windows\System32\XQCgtkQ.exe
  C:\Windows\System32\XQCgtkQ.exe
  2⤵
  PID:3000
- C:\Windows\System32\OdeUMZy.exe
  C:\Windows\System32\OdeUMZy.exe
  2⤵
  PID:2080
- C:\Windows\System32\JQyQmqy.exe
  C:\Windows\System32\JQyQmqy.exe
  2⤵
  PID:1956
- C:\Windows\System32\tezCOGy.exe
  C:\Windows\System32\tezCOGy.exe
  2⤵
  PID:3624
- C:\Windows\System32\nvNRKEp.exe
  C:\Windows\System32\nvNRKEp.exe
  2⤵
  PID:2436
- C:\Windows\System32\IstNmfp.exe
  C:\Windows\System32\IstNmfp.exe
  2⤵
  PID:1572
- C:\Windows\System32\LvTPpQm.exe
  C:\Windows\System32\LvTPpQm.exe
  2⤵
  PID:212
- C:\Windows\System32\ERYEvCA.exe
  C:\Windows\System32\ERYEvCA.exe
  2⤵
  PID:3252
- C:\Windows\System32\zATOgyy.exe
  C:\Windows\System32\zATOgyy.exe
  2⤵
  PID:2284
- C:\Windows\System32\OYfnKbB.exe
  C:\Windows\System32\OYfnKbB.exe
  2⤵
  PID:4572
- C:\Windows\System32\wKQrSYZ.exe
  C:\Windows\System32\wKQrSYZ.exe
  2⤵
  PID:4812
- C:\Windows\System32\UTTKgBJ.exe
  C:\Windows\System32\UTTKgBJ.exe
  2⤵
  PID:5136
- C:\Windows\System32\AfFRiRF.exe
  C:\Windows\System32\AfFRiRF.exe
  2⤵
  PID:5168
- C:\Windows\System32\uCmvlal.exe
  C:\Windows\System32\uCmvlal.exe
  2⤵
  PID:5192
- C:\Windows\System32\RJydelC.exe
  C:\Windows\System32\RJydelC.exe
  2⤵
  PID:5224
- C:\Windows\System32\DLSqaBT.exe
  C:\Windows\System32\DLSqaBT.exe
  2⤵
  PID:5252
- C:\Windows\System32\pVwCXRJ.exe
  C:\Windows\System32\pVwCXRJ.exe
  2⤵
  PID:5280
- C:\Windows\System32\xelgLDp.exe
  C:\Windows\System32\xelgLDp.exe
  2⤵
  PID:5308
- C:\Windows\System32\JeTPhRG.exe
  C:\Windows\System32\JeTPhRG.exe
  2⤵
  PID:5332
- C:\Windows\System32\jABzflJ.exe
  C:\Windows\System32\jABzflJ.exe
  2⤵
  PID:5364
- C:\Windows\System32\yffUByg.exe
  C:\Windows\System32\yffUByg.exe
  2⤵
  PID:5388
- C:\Windows\System32\mqMQHhW.exe
  C:\Windows\System32\mqMQHhW.exe
  2⤵
  PID:5420
- C:\Windows\System32\mfcjjtv.exe
  C:\Windows\System32\mfcjjtv.exe
  2⤵
  PID:5452
- C:\Windows\System32\hmIeuRV.exe
  C:\Windows\System32\hmIeuRV.exe
  2⤵
  PID:5472
- C:\Windows\System32\NlVEVjR.exe
  C:\Windows\System32\NlVEVjR.exe
  2⤵
  PID:5508
- C:\Windows\System32\nuthqQK.exe
  C:\Windows\System32\nuthqQK.exe
  2⤵
  PID:5536
- C:\Windows\System32\XyKwWPz.exe
  C:\Windows\System32\XyKwWPz.exe
  2⤵
  PID:5564
- C:\Windows\System32\vBDHudp.exe
  C:\Windows\System32\vBDHudp.exe
  2⤵
  PID:5588
- C:\Windows\System32\VlmsQtL.exe
  C:\Windows\System32\VlmsQtL.exe
  2⤵
  PID:5620
- C:\Windows\System32\thaostX.exe
  C:\Windows\System32\thaostX.exe
  2⤵
  PID:5644
- C:\Windows\System32\pLDFgLy.exe
  C:\Windows\System32\pLDFgLy.exe
  2⤵
  PID:5668
- C:\Windows\System32\VyiTpQk.exe
  C:\Windows\System32\VyiTpQk.exe
  2⤵
  PID:5728
- C:\Windows\System32\jaegWCv.exe
  C:\Windows\System32\jaegWCv.exe
  2⤵
  PID:5768
- C:\Windows\System32\qSRqhja.exe
  C:\Windows\System32\qSRqhja.exe
  2⤵
  PID:5788
- C:\Windows\System32\xczeyim.exe
  C:\Windows\System32\xczeyim.exe
  2⤵
  PID:5820
- C:\Windows\System32\rLffvgE.exe
  C:\Windows\System32\rLffvgE.exe
  2⤵
  PID:5868
- C:\Windows\System32\ZiPrWMP.exe
  C:\Windows\System32\ZiPrWMP.exe
  2⤵
  PID:5888
- C:\Windows\System32\zqkmmHW.exe
  C:\Windows\System32\zqkmmHW.exe
  2⤵
  PID:5920
- C:\Windows\System32\stTvRik.exe
  C:\Windows\System32\stTvRik.exe
  2⤵
  PID:5960
- C:\Windows\System32\DvUPQCv.exe
  C:\Windows\System32\DvUPQCv.exe
  2⤵
  PID:5988
- C:\Windows\System32\TrMMxKl.exe
  C:\Windows\System32\TrMMxKl.exe
  2⤵
  PID:6012
- C:\Windows\System32\JTBVckP.exe
  C:\Windows\System32\JTBVckP.exe
  2⤵
  PID:6032
- C:\Windows\System32\uPAIQGM.exe
  C:\Windows\System32\uPAIQGM.exe
  2⤵
  PID:6060
- C:\Windows\System32\IWLHiFG.exe
  C:\Windows\System32\IWLHiFG.exe
  2⤵
  PID:6128
- C:\Windows\System32\pcikarn.exe
  C:\Windows\System32\pcikarn.exe
  2⤵
  PID:3688
- C:\Windows\System32\KkiEeVj.exe
  C:\Windows\System32\KkiEeVj.exe
  2⤵
  PID:3224
- C:\Windows\System32\SGMPjoF.exe
  C:\Windows\System32\SGMPjoF.exe
  2⤵
  PID:3972
- C:\Windows\System32\KwPeEsc.exe
  C:\Windows\System32\KwPeEsc.exe
  2⤵
  PID:3188
- C:\Windows\System32\yofiCqd.exe
  C:\Windows\System32\yofiCqd.exe
  2⤵
  PID:5128
- C:\Windows\System32\rYyNiJi.exe
  C:\Windows\System32\rYyNiJi.exe
  2⤵
  PID:5156
- C:\Windows\System32\OvdQKCZ.exe
  C:\Windows\System32\OvdQKCZ.exe
  2⤵
  PID:760
- C:\Windows\System32\iHEdBHM.exe
  C:\Windows\System32\iHEdBHM.exe
  2⤵
  PID:4216
- C:\Windows\System32\EpwxtgD.exe
  C:\Windows\System32\EpwxtgD.exe
  2⤵
  PID:2716
- C:\Windows\System32\NGwlXvh.exe
  C:\Windows\System32\NGwlXvh.exe
  2⤵
  PID:5348
- C:\Windows\System32\tatDZDk.exe
  C:\Windows\System32\tatDZDk.exe
  2⤵
  PID:5380
- C:\Windows\System32\xfVBNgP.exe
  C:\Windows\System32\xfVBNgP.exe
  2⤵
  PID:3540
- C:\Windows\System32\gLxfzVq.exe
  C:\Windows\System32\gLxfzVq.exe
  2⤵
  PID:2256
- C:\Windows\System32\eOtwNCS.exe
  C:\Windows\System32\eOtwNCS.exe
  2⤵
  PID:5448
- C:\Windows\System32\OCGOZnW.exe
  C:\Windows\System32\OCGOZnW.exe
  2⤵
  PID:4692
- C:\Windows\System32\zxMGXfV.exe
  C:\Windows\System32\zxMGXfV.exe
  2⤵
  PID:4828
- C:\Windows\System32\gxAXdpA.exe
  C:\Windows\System32\gxAXdpA.exe
  2⤵
  PID:2408
- C:\Windows\System32\jZwgXOR.exe
  C:\Windows\System32\jZwgXOR.exe
  2⤵
  PID:2556
- C:\Windows\System32\uxDTCah.exe
  C:\Windows\System32\uxDTCah.exe
  2⤵
  PID:5756
- C:\Windows\System32\qhFPJlt.exe
  C:\Windows\System32\qhFPJlt.exe
  2⤵
  PID:5800
- C:\Windows\System32\WioMgrt.exe
  C:\Windows\System32\WioMgrt.exe
  2⤵
  PID:5900
- C:\Windows\System32\oPbZITT.exe
  C:\Windows\System32\oPbZITT.exe
  2⤵
  PID:6040
- C:\Windows\System32\qhgMHOf.exe
  C:\Windows\System32\qhgMHOf.exe
  2⤵
  PID:6104
- C:\Windows\System32\wtVoKVp.exe
  C:\Windows\System32\wtVoKVp.exe
  2⤵
  PID:2892
- C:\Windows\System32\iYfKOOo.exe
  C:\Windows\System32\iYfKOOo.exe
  2⤵
  PID:5176
- C:\Windows\System32\OMvyyCn.exe
  C:\Windows\System32\OMvyyCn.exe
  2⤵
  PID:816
- C:\Windows\System32\Ygjbotm.exe
  C:\Windows\System32\Ygjbotm.exe
  2⤵
  PID:5748
- C:\Windows\System32\ZMfoqBV.exe
  C:\Windows\System32\ZMfoqBV.exe
  2⤵
  PID:3744
- C:\Windows\System32\ZtwamHJ.exe
  C:\Windows\System32\ZtwamHJ.exe
  2⤵
  PID:5764
- C:\Windows\System32\wIjsfei.exe
  C:\Windows\System32\wIjsfei.exe
  2⤵
  PID:4124
- C:\Windows\System32\QNzgmec.exe
  C:\Windows\System32\QNzgmec.exe
  2⤵
  PID:4364
- C:\Windows\System32\gGuJniH.exe
  C:\Windows\System32\gGuJniH.exe
  2⤵
  PID:5580
- C:\Windows\System32\bxRBaHs.exe
  C:\Windows\System32\bxRBaHs.exe
  2⤵
  PID:1092
- C:\Windows\System32\hJcaufs.exe
  C:\Windows\System32\hJcaufs.exe
  2⤵
  PID:3704
- C:\Windows\System32\JPBvwSL.exe
  C:\Windows\System32\JPBvwSL.exe
  2⤵
  PID:6008
- C:\Windows\System32\RmMhvzG.exe
  C:\Windows\System32\RmMhvzG.exe
  2⤵
  PID:5212
- C:\Windows\System32\MKifyhr.exe
  C:\Windows\System32\MKifyhr.exe
  2⤵
  PID:6068
- C:\Windows\System32\EXimBXO.exe
  C:\Windows\System32\EXimBXO.exe
  2⤵
  PID:6136
- C:\Windows\System32\eXBOHce.exe
  C:\Windows\System32\eXBOHce.exe
  2⤵
  PID:5916
- C:\Windows\System32\OkWBIPj.exe
  C:\Windows\System32\OkWBIPj.exe
  2⤵
  PID:5904
- C:\Windows\System32\GRtrWDD.exe
  C:\Windows\System32\GRtrWDD.exe
  2⤵
  PID:1356
- C:\Windows\System32\upxOZRT.exe
  C:\Windows\System32\upxOZRT.exe
  2⤵
  PID:5912
- C:\Windows\System32\toGpkYd.exe
  C:\Windows\System32\toGpkYd.exe
  2⤵
  PID:5832
- C:\Windows\System32\KmPdXwv.exe
  C:\Windows\System32\KmPdXwv.exe
  2⤵
  PID:5288
- C:\Windows\System32\VGrZhfJ.exe
  C:\Windows\System32\VGrZhfJ.exe
  2⤵
  PID:5200
- C:\Windows\System32\sTHqTTj.exe
  C:\Windows\System32\sTHqTTj.exe
  2⤵
  PID:6156
- C:\Windows\System32\CskUWHN.exe
  C:\Windows\System32\CskUWHN.exe
  2⤵
  PID:6176
- C:\Windows\System32\AiKTpcL.exe
  C:\Windows\System32\AiKTpcL.exe
  2⤵
  PID:6200
- C:\Windows\System32\NgKMVTT.exe
  C:\Windows\System32\NgKMVTT.exe
  2⤵
  PID:6216
- C:\Windows\System32\muFsTKg.exe
  C:\Windows\System32\muFsTKg.exe
  2⤵
  PID:6244
- C:\Windows\System32\TFGKEnl.exe
  C:\Windows\System32\TFGKEnl.exe
  2⤵
  PID:6280
- C:\Windows\System32\dvZLgHl.exe
  C:\Windows\System32\dvZLgHl.exe
  2⤵
  PID:6352
- C:\Windows\System32\pwOEBRn.exe
  C:\Windows\System32\pwOEBRn.exe
  2⤵
  PID:6400
- C:\Windows\System32\jnPnKiA.exe
  C:\Windows\System32\jnPnKiA.exe
  2⤵
  PID:6420
- C:\Windows\System32\owZZqqE.exe
  C:\Windows\System32\owZZqqE.exe
  2⤵
  PID:6452
- C:\Windows\System32\DvwnFRX.exe
  C:\Windows\System32\DvwnFRX.exe
  2⤵
  PID:6472
- C:\Windows\System32\GxpKGNU.exe
  C:\Windows\System32\GxpKGNU.exe
  2⤵
  PID:6496
- C:\Windows\System32\AKFQung.exe
  C:\Windows\System32\AKFQung.exe
  2⤵
  PID:6516
- C:\Windows\System32\gFNbDPm.exe
  C:\Windows\System32\gFNbDPm.exe
  2⤵
  PID:6532
- C:\Windows\System32\PiNIIPo.exe
  C:\Windows\System32\PiNIIPo.exe
  2⤵
  PID:6556
- C:\Windows\System32\GeUNddc.exe
  C:\Windows\System32\GeUNddc.exe
  2⤵
  PID:6596
- C:\Windows\System32\rgYcmtZ.exe
  C:\Windows\System32\rgYcmtZ.exe
  2⤵
  PID:6628
- C:\Windows\System32\ebhflxv.exe
  C:\Windows\System32\ebhflxv.exe
  2⤵
  PID:6664
- C:\Windows\System32\UkoGMHL.exe
  C:\Windows\System32\UkoGMHL.exe
  2⤵
  PID:6680
- C:\Windows\System32\oOcRLaZ.exe
  C:\Windows\System32\oOcRLaZ.exe
  2⤵
  PID:6700
- C:\Windows\System32\DFAeKqU.exe
  C:\Windows\System32\DFAeKqU.exe
  2⤵
  PID:6724
- C:\Windows\System32\rFjbLUL.exe
  C:\Windows\System32\rFjbLUL.exe
  2⤵
  PID:6776
- C:\Windows\System32\JRZALew.exe
  C:\Windows\System32\JRZALew.exe
  2⤵
  PID:6816
- C:\Windows\System32\IgaOlWJ.exe
  C:\Windows\System32\IgaOlWJ.exe
  2⤵
  PID:6832
- C:\Windows\System32\kcMgsZZ.exe
  C:\Windows\System32\kcMgsZZ.exe
  2⤵
  PID:6852
- C:\Windows\System32\MbTaDAi.exe
  C:\Windows\System32\MbTaDAi.exe
  2⤵
  PID:6868
- C:\Windows\System32\OJIhrFS.exe
  C:\Windows\System32\OJIhrFS.exe
  2⤵
  PID:6896
- C:\Windows\System32\RBuDlxs.exe
  C:\Windows\System32\RBuDlxs.exe
  2⤵
  PID:6912
- C:\Windows\System32\pOzxaJZ.exe
  C:\Windows\System32\pOzxaJZ.exe
  2⤵
  PID:6948
- C:\Windows\System32\LvjeuIU.exe
  C:\Windows\System32\LvjeuIU.exe
  2⤵
  PID:7016
- C:\Windows\System32\yHidSZR.exe
  C:\Windows\System32\yHidSZR.exe
  2⤵
  PID:7036
- C:\Windows\System32\ISKrJTC.exe
  C:\Windows\System32\ISKrJTC.exe
  2⤵
  PID:7056
- C:\Windows\System32\YxLjnMv.exe
  C:\Windows\System32\YxLjnMv.exe
  2⤵
  PID:7076
- C:\Windows\System32\ItSmqsj.exe
  C:\Windows\System32\ItSmqsj.exe
  2⤵
  PID:7092
- C:\Windows\System32\Daxpuje.exe
  C:\Windows\System32\Daxpuje.exe
  2⤵
  PID:7108
- C:\Windows\System32\IZycMtf.exe
  C:\Windows\System32\IZycMtf.exe
  2⤵
  PID:7128
- C:\Windows\System32\WMbnVHw.exe
  C:\Windows\System32\WMbnVHw.exe
  2⤵
  PID:7144
- C:\Windows\System32\xUeBQMc.exe
  C:\Windows\System32\xUeBQMc.exe
  2⤵
  PID:5752
- C:\Windows\System32\ThsBngT.exe
  C:\Windows\System32\ThsBngT.exe
  2⤵
  PID:6208
- C:\Windows\System32\rMKsmjw.exe
  C:\Windows\System32\rMKsmjw.exe
  2⤵
  PID:6288
- C:\Windows\System32\gUzDtXz.exe
  C:\Windows\System32\gUzDtXz.exe
  2⤵
  PID:6332
- C:\Windows\System32\yDfCOiS.exe
  C:\Windows\System32\yDfCOiS.exe
  2⤵
  PID:6428
- C:\Windows\System32\lnWeLhQ.exe
  C:\Windows\System32\lnWeLhQ.exe
  2⤵
  PID:6492
- C:\Windows\System32\xqKcIje.exe
  C:\Windows\System32\xqKcIje.exe
  2⤵
  PID:6564
- C:\Windows\System32\npOtukU.exe
  C:\Windows\System32\npOtukU.exe
  2⤵
  PID:6660
- C:\Windows\System32\LkhLSyO.exe
  C:\Windows\System32\LkhLSyO.exe
  2⤵
  PID:6652
- C:\Windows\System32\lgPqHPq.exe
  C:\Windows\System32\lgPqHPq.exe
  2⤵
  PID:6736
- C:\Windows\System32\EqQmgpM.exe
  C:\Windows\System32\EqQmgpM.exe
  2⤵
  PID:6844
- C:\Windows\System32\zWmcHeF.exe
  C:\Windows\System32\zWmcHeF.exe
  2⤵
  PID:6988
- C:\Windows\System32\LifMVDy.exe
  C:\Windows\System32\LifMVDy.exe
  2⤵
  PID:7048
- C:\Windows\System32\HjEbZlK.exe
  C:\Windows\System32\HjEbZlK.exe
  2⤵
  PID:7088
- C:\Windows\System32\KYpEEMq.exe
  C:\Windows\System32\KYpEEMq.exe
  2⤵
  PID:7124
- C:\Windows\System32\QtCIlXq.exe
  C:\Windows\System32\QtCIlXq.exe
  2⤵
  PID:5340
- C:\Windows\System32\zciGBVp.exe
  C:\Windows\System32\zciGBVp.exe
  2⤵
  PID:7136
- C:\Windows\System32\amaDlVL.exe
  C:\Windows\System32\amaDlVL.exe
  2⤵
  PID:6228
- C:\Windows\System32\NyHsCWt.exe
  C:\Windows\System32\NyHsCWt.exe
  2⤵
  PID:6640
- C:\Windows\System32\wblmubT.exe
  C:\Windows\System32\wblmubT.exe
  2⤵
  PID:6808
- C:\Windows\System32\uubjWWF.exe
  C:\Windows\System32\uubjWWF.exe
  2⤵
  PID:6908
- C:\Windows\System32\iQSDAzS.exe
  C:\Windows\System32\iQSDAzS.exe
  2⤵
  PID:7044
- C:\Windows\System32\dTfElHx.exe
  C:\Windows\System32\dTfElHx.exe
  2⤵
  PID:7156
- C:\Windows\System32\iBSDipC.exe
  C:\Windows\System32\iBSDipC.exe
  2⤵
  PID:6888
- C:\Windows\System32\KtyINJo.exe
  C:\Windows\System32\KtyINJo.exe
  2⤵
  PID:7152
- C:\Windows\System32\jTOaFyo.exe
  C:\Windows\System32\jTOaFyo.exe
  2⤵
  PID:6340
- C:\Windows\System32\iGzjQPl.exe
  C:\Windows\System32\iGzjQPl.exe
  2⤵
  PID:7184
- C:\Windows\System32\ysJfDQp.exe
  C:\Windows\System32\ysJfDQp.exe
  2⤵
  PID:7200
- C:\Windows\System32\RUGNcGS.exe
  C:\Windows\System32\RUGNcGS.exe
  2⤵
  PID:7220
- C:\Windows\System32\HacicMK.exe
  C:\Windows\System32\HacicMK.exe
  2⤵
  PID:7236
- C:\Windows\System32\pxvSFIx.exe
  C:\Windows\System32\pxvSFIx.exe
  2⤵
  PID:7276
- C:\Windows\System32\HgNuILs.exe
  C:\Windows\System32\HgNuILs.exe
  2⤵
  PID:7292
- C:\Windows\System32\XaNuczk.exe
  C:\Windows\System32\XaNuczk.exe
  2⤵
  PID:7316
- C:\Windows\System32\tlxRJiw.exe
  C:\Windows\System32\tlxRJiw.exe
  2⤵
  PID:7392
- C:\Windows\System32\pxUbnZg.exe
  C:\Windows\System32\pxUbnZg.exe
  2⤵
  PID:7424
- C:\Windows\System32\CkUeqqw.exe
  C:\Windows\System32\CkUeqqw.exe
  2⤵
  PID:7444
- C:\Windows\System32\SglLcNU.exe
  C:\Windows\System32\SglLcNU.exe
  2⤵
  PID:7460
- C:\Windows\System32\NHBffjL.exe
  C:\Windows\System32\NHBffjL.exe
  2⤵
  PID:7484
- C:\Windows\System32\fmlcvqH.exe
  C:\Windows\System32\fmlcvqH.exe
  2⤵
  PID:7508
- C:\Windows\System32\pUagTXI.exe
  C:\Windows\System32\pUagTXI.exe
  2⤵
  PID:7548
- C:\Windows\System32\FQRLEmV.exe
  C:\Windows\System32\FQRLEmV.exe
  2⤵
  PID:7576
- C:\Windows\System32\vufjWeL.exe
  C:\Windows\System32\vufjWeL.exe
  2⤵
  PID:7596
- C:\Windows\System32\Lwrjsug.exe
  C:\Windows\System32\Lwrjsug.exe
  2⤵
  PID:7640
- C:\Windows\System32\HYyqUQU.exe
  C:\Windows\System32\HYyqUQU.exe
  2⤵
  PID:7660
- C:\Windows\System32\dkQcoMV.exe
  C:\Windows\System32\dkQcoMV.exe
  2⤵
  PID:7680
- C:\Windows\System32\ZZrthOo.exe
  C:\Windows\System32\ZZrthOo.exe
  2⤵
  PID:7724
- C:\Windows\System32\HuyRudy.exe
  C:\Windows\System32\HuyRudy.exe
  2⤵
  PID:7764
- C:\Windows\System32\DQGWvaL.exe
  C:\Windows\System32\DQGWvaL.exe
  2⤵
  PID:7788
- C:\Windows\System32\qUIYPtV.exe
  C:\Windows\System32\qUIYPtV.exe
  2⤵
  PID:7812
- C:\Windows\System32\xknBUXz.exe
  C:\Windows\System32\xknBUXz.exe
  2⤵
  PID:7828
- C:\Windows\System32\AgYDxom.exe
  C:\Windows\System32\AgYDxom.exe
  2⤵
  PID:7868
- C:\Windows\System32\vLIjRew.exe
  C:\Windows\System32\vLIjRew.exe
  2⤵
  PID:7888
- C:\Windows\System32\nMtixGm.exe
  C:\Windows\System32\nMtixGm.exe
  2⤵
  PID:7916
- C:\Windows\System32\LCLxtfR.exe
  C:\Windows\System32\LCLxtfR.exe
  2⤵
  PID:7932
- C:\Windows\System32\ieoDisz.exe
  C:\Windows\System32\ieoDisz.exe
  2⤵
  PID:7952
- C:\Windows\System32\ZbeCnOk.exe
  C:\Windows\System32\ZbeCnOk.exe
  2⤵
  PID:7968
- C:\Windows\System32\XfFZjdB.exe
  C:\Windows\System32\XfFZjdB.exe
  2⤵
  PID:8004
- C:\Windows\System32\blAYSUR.exe
  C:\Windows\System32\blAYSUR.exe
  2⤵
  PID:8028
- C:\Windows\System32\anCnPeq.exe
  C:\Windows\System32\anCnPeq.exe
  2⤵
  PID:8044
- C:\Windows\System32\XHIyZjk.exe
  C:\Windows\System32\XHIyZjk.exe
  2⤵
  PID:8060
- C:\Windows\System32\nhSIkZj.exe
  C:\Windows\System32\nhSIkZj.exe
  2⤵
  PID:8084
- C:\Windows\System32\IWjJxbr.exe
  C:\Windows\System32\IWjJxbr.exe
  2⤵
  PID:8132
- C:\Windows\System32\MqNTMzd.exe
  C:\Windows\System32\MqNTMzd.exe
  2⤵
  PID:8148
- C:\Windows\System32\ptXYtTh.exe
  C:\Windows\System32\ptXYtTh.exe
  2⤵
  PID:7196
- C:\Windows\System32\hzjkpwI.exe
  C:\Windows\System32\hzjkpwI.exe
  2⤵
  PID:7212
- C:\Windows\System32\tyouqiD.exe
  C:\Windows\System32\tyouqiD.exe
  2⤵
  PID:7308
- C:\Windows\System32\xwKjAkH.exe
  C:\Windows\System32\xwKjAkH.exe
  2⤵
  PID:7380
- C:\Windows\System32\dcBKZDl.exe
  C:\Windows\System32\dcBKZDl.exe
  2⤵
  PID:7432
- C:\Windows\System32\CfLrOYz.exe
  C:\Windows\System32\CfLrOYz.exe
  2⤵
  PID:7516
- C:\Windows\System32\cYhojxo.exe
  C:\Windows\System32\cYhojxo.exe
  2⤵
  PID:7572
- C:\Windows\System32\MduRUzb.exe
  C:\Windows\System32\MduRUzb.exe
  2⤵
  PID:7672
- C:\Windows\System32\UXKithX.exe
  C:\Windows\System32\UXKithX.exe
  2⤵
  PID:7756
- C:\Windows\System32\XGKvjVn.exe
  C:\Windows\System32\XGKvjVn.exe
  2⤵
  PID:7820
- C:\Windows\System32\VYTaqoN.exe
  C:\Windows\System32\VYTaqoN.exe
  2⤵
  PID:7824
- C:\Windows\System32\qhqeSAI.exe
  C:\Windows\System32\qhqeSAI.exe
  2⤵
  PID:7896
- C:\Windows\System32\gEPhrHD.exe
  C:\Windows\System32\gEPhrHD.exe
  2⤵
  PID:7960
- C:\Windows\System32\XffuAQD.exe
  C:\Windows\System32\XffuAQD.exe
  2⤵
  PID:7976
- C:\Windows\System32\uMhauIJ.exe
  C:\Windows\System32\uMhauIJ.exe
  2⤵
  PID:8068
- C:\Windows\System32\YcqUUZy.exe
  C:\Windows\System32\YcqUUZy.exe
  2⤵
  PID:8052
- C:\Windows\System32\mORvBSz.exe
  C:\Windows\System32\mORvBSz.exe
  2⤵
  PID:6876
- C:\Windows\System32\bpHpbNH.exe
  C:\Windows\System32\bpHpbNH.exe
  2⤵
  PID:7176
- C:\Windows\System32\cbxeZOb.exe
  C:\Windows\System32\cbxeZOb.exe
  2⤵
  PID:7368
- C:\Windows\System32\IezchgE.exe
  C:\Windows\System32\IezchgE.exe
  2⤵
  PID:7564
- C:\Windows\System32\GmvZDJA.exe
  C:\Windows\System32\GmvZDJA.exe
  2⤵
  PID:7688
- C:\Windows\System32\mdKevgi.exe
  C:\Windows\System32\mdKevgi.exe
  2⤵
  PID:7928
- C:\Windows\System32\UjMlsch.exe
  C:\Windows\System32\UjMlsch.exe
  2⤵
  PID:8140
- C:\Windows\System32\fLujZmx.exe
  C:\Windows\System32\fLujZmx.exe
  2⤵
  PID:5072
- C:\Windows\System32\KHwibYI.exe
  C:\Windows\System32\KHwibYI.exe
  2⤵
  PID:7492
- C:\Windows\System32\NgZnmbn.exe
  C:\Windows\System32\NgZnmbn.exe
  2⤵
  PID:7692
- C:\Windows\System32\ghbqVXI.exe
  C:\Windows\System32\ghbqVXI.exe
  2⤵
  PID:7252
- C:\Windows\System32\QqLxEES.exe
  C:\Windows\System32\QqLxEES.exe
  2⤵
  PID:8212
- C:\Windows\System32\DLVIaND.exe
  C:\Windows\System32\DLVIaND.exe
  2⤵
  PID:8236
- C:\Windows\System32\vFMMrgl.exe
  C:\Windows\System32\vFMMrgl.exe
  2⤵
  PID:8260
- C:\Windows\System32\nukyLBi.exe
  C:\Windows\System32\nukyLBi.exe
  2⤵
  PID:8276
- C:\Windows\System32\oaYKSMy.exe
  C:\Windows\System32\oaYKSMy.exe
  2⤵
  PID:8332
- C:\Windows\System32\jEpRTzy.exe
  C:\Windows\System32\jEpRTzy.exe
  2⤵
  PID:8356
- C:\Windows\System32\wrerXdQ.exe
  C:\Windows\System32\wrerXdQ.exe
  2⤵
  PID:8380
- C:\Windows\System32\sxBBbXZ.exe
  C:\Windows\System32\sxBBbXZ.exe
  2⤵
  PID:8396
- C:\Windows\System32\mNuLpGN.exe
  C:\Windows\System32\mNuLpGN.exe
  2⤵
  PID:8416
- C:\Windows\System32\GgLgKjr.exe
  C:\Windows\System32\GgLgKjr.exe
  2⤵
  PID:8432
- C:\Windows\System32\oeBOfvH.exe
  C:\Windows\System32\oeBOfvH.exe
  2⤵
  PID:8456
- C:\Windows\System32\EVvYhTY.exe
  C:\Windows\System32\EVvYhTY.exe
  2⤵
  PID:8472
- C:\Windows\System32\YcRLtme.exe
  C:\Windows\System32\YcRLtme.exe
  2⤵
  PID:8500
- C:\Windows\System32\WHsLHCO.exe
  C:\Windows\System32\WHsLHCO.exe
  2⤵
  PID:8556
- C:\Windows\System32\wmDrOJl.exe
  C:\Windows\System32\wmDrOJl.exe
  2⤵
  PID:8584
- C:\Windows\System32\XfOclpu.exe
  C:\Windows\System32\XfOclpu.exe
  2⤵
  PID:8624
- C:\Windows\System32\JNxJEsM.exe
  C:\Windows\System32\JNxJEsM.exe
  2⤵
  PID:8652
- C:\Windows\System32\RTPFGgD.exe
  C:\Windows\System32\RTPFGgD.exe
  2⤵
  PID:8672
- C:\Windows\System32\cCWntGp.exe
  C:\Windows\System32\cCWntGp.exe
  2⤵
  PID:8700
- C:\Windows\System32\QRpcDPW.exe
  C:\Windows\System32\QRpcDPW.exe
  2⤵
  PID:8720
- C:\Windows\System32\BfiGfTS.exe
  C:\Windows\System32\BfiGfTS.exe
  2⤵
  PID:8740
- C:\Windows\System32\IAORfwy.exe
  C:\Windows\System32\IAORfwy.exe
  2⤵
  PID:8760
- C:\Windows\System32\POLJqzo.exe
  C:\Windows\System32\POLJqzo.exe
  2⤵
  PID:8776
- C:\Windows\System32\jMznfIk.exe
  C:\Windows\System32\jMznfIk.exe
  2⤵
  PID:8800
- C:\Windows\System32\pTpwEPw.exe
  C:\Windows\System32\pTpwEPw.exe
  2⤵
  PID:8816
- C:\Windows\System32\UeESKss.exe
  C:\Windows\System32\UeESKss.exe
  2⤵
  PID:8844
- C:\Windows\System32\wGpAUrI.exe
  C:\Windows\System32\wGpAUrI.exe
  2⤵
  PID:8880
- C:\Windows\System32\qmYWrjh.exe
  C:\Windows\System32\qmYWrjh.exe
  2⤵
  PID:8900
- C:\Windows\System32\eYXehLt.exe
  C:\Windows\System32\eYXehLt.exe
  2⤵
  PID:8956
- C:\Windows\System32\oZnuCPN.exe
  C:\Windows\System32\oZnuCPN.exe
  2⤵
  PID:8976
- C:\Windows\System32\kCBsfAn.exe
  C:\Windows\System32\kCBsfAn.exe
  2⤵
  PID:9000
- C:\Windows\System32\gAzYGXs.exe
  C:\Windows\System32\gAzYGXs.exe
  2⤵
  PID:9040
- C:\Windows\System32\ZMJvwyc.exe
  C:\Windows\System32\ZMJvwyc.exe
  2⤵
  PID:9056
- C:\Windows\System32\sgjVjPf.exe
  C:\Windows\System32\sgjVjPf.exe
  2⤵
  PID:9112
- C:\Windows\System32\lvLpMoq.exe
  C:\Windows\System32\lvLpMoq.exe
  2⤵
  PID:9136
- C:\Windows\System32\MlNNfRd.exe
  C:\Windows\System32\MlNNfRd.exe
  2⤵
  PID:9152
- C:\Windows\System32\fwkpSdB.exe
  C:\Windows\System32\fwkpSdB.exe
  2⤵
  PID:9172
- C:\Windows\System32\fzzzrnd.exe
  C:\Windows\System32\fzzzrnd.exe
  2⤵
  PID:9208
- C:\Windows\System32\zVjjGsU.exe
  C:\Windows\System32\zVjjGsU.exe
  2⤵
  PID:7452
- C:\Windows\System32\ioEyTHW.exe
  C:\Windows\System32\ioEyTHW.exe
  2⤵
  PID:8204
- C:\Windows\System32\JMMHSKK.exe
  C:\Windows\System32\JMMHSKK.exe
  2⤵
  PID:8428
- C:\Windows\System32\ArOcNAf.exe
  C:\Windows\System32\ArOcNAf.exe
  2⤵
  PID:8448
- C:\Windows\System32\ivvlAiz.exe
  C:\Windows\System32\ivvlAiz.exe
  2⤵
  PID:8484
- C:\Windows\System32\AsvaGPF.exe
  C:\Windows\System32\AsvaGPF.exe
  2⤵
  PID:8596
- C:\Windows\System32\qyysCaH.exe
  C:\Windows\System32\qyysCaH.exe
  2⤵
  PID:7608
- C:\Windows\System32\MXyuBxh.exe
  C:\Windows\System32\MXyuBxh.exe
  2⤵
  PID:8708
- C:\Windows\System32\hMiTklN.exe
  C:\Windows\System32\hMiTklN.exe
  2⤵
  PID:8728
- C:\Windows\System32\dqQwOUO.exe
  C:\Windows\System32\dqQwOUO.exe
  2⤵
  PID:8824
- C:\Windows\System32\kYMaXUE.exe
  C:\Windows\System32\kYMaXUE.exe
  2⤵
  PID:8832
- C:\Windows\System32\yVLCWar.exe
  C:\Windows\System32\yVLCWar.exe
  2⤵
  PID:8988
- C:\Windows\System32\eSZCSby.exe
  C:\Windows\System32\eSZCSby.exe
  2⤵
  PID:9052
- C:\Windows\System32\MkYBvhp.exe
  C:\Windows\System32\MkYBvhp.exe
  2⤵
  PID:9084
- C:\Windows\System32\SlorVQF.exe
  C:\Windows\System32\SlorVQF.exe
  2⤵
  PID:9120
- C:\Windows\System32\oQNgrpb.exe
  C:\Windows\System32\oQNgrpb.exe
  2⤵
  PID:9180
- C:\Windows\System32\kYeQoRm.exe
  C:\Windows\System32\kYeQoRm.exe
  2⤵
  PID:6460
- C:\Windows\System32\IVpUilu.exe
  C:\Windows\System32\IVpUilu.exe
  2⤵
  PID:8452
- C:\Windows\System32\kMJxwjw.exe
  C:\Windows\System32\kMJxwjw.exe
  2⤵
  PID:8736
- C:\Windows\System32\lgjwIfL.exe
  C:\Windows\System32\lgjwIfL.exe
  2⤵
  PID:8812
- C:\Windows\System32\WSxrtkm.exe
  C:\Windows\System32\WSxrtkm.exe
  2⤵
  PID:8924
- C:\Windows\System32\zNgnrDd.exe
  C:\Windows\System32\zNgnrDd.exe
  2⤵
  PID:8984
- C:\Windows\System32\WTRAbck.exe
  C:\Windows\System32\WTRAbck.exe
  2⤵
  PID:9108
- C:\Windows\System32\xuCvjas.exe
  C:\Windows\System32\xuCvjas.exe
  2⤵
  PID:8772
- C:\Windows\System32\JvGeGjP.exe
  C:\Windows\System32\JvGeGjP.exe
  2⤵
  PID:9128
- C:\Windows\System32\hYAvqvS.exe
  C:\Windows\System32\hYAvqvS.exe
  2⤵
  PID:8948
- C:\Windows\System32\ZoMMXTg.exe
  C:\Windows\System32\ZoMMXTg.exe
  2⤵
  PID:9228
- C:\Windows\System32\xGnROgJ.exe
  C:\Windows\System32\xGnROgJ.exe
  2⤵
  PID:9268
- C:\Windows\System32\FjQGfdr.exe
  C:\Windows\System32\FjQGfdr.exe
  2⤵
  PID:9292
- C:\Windows\System32\xAPLdrC.exe
  C:\Windows\System32\xAPLdrC.exe
  2⤵
  PID:9308
- C:\Windows\System32\rZWAtLm.exe
  C:\Windows\System32\rZWAtLm.exe
  2⤵
  PID:9328
- C:\Windows\System32\XESLYeX.exe
  C:\Windows\System32\XESLYeX.exe
  2⤵
  PID:9368
- C:\Windows\System32\LaJQeAo.exe
  C:\Windows\System32\LaJQeAo.exe
  2⤵
  PID:9384
- C:\Windows\System32\OZubPsC.exe
  C:\Windows\System32\OZubPsC.exe
  2⤵
  PID:9412
- C:\Windows\System32\AwhHvxX.exe
  C:\Windows\System32\AwhHvxX.exe
  2⤵
  PID:9436
- C:\Windows\System32\wDlCZdw.exe
  C:\Windows\System32\wDlCZdw.exe
  2⤵
  PID:9476
- C:\Windows\System32\ZdFYfBd.exe
  C:\Windows\System32\ZdFYfBd.exe
  2⤵
  PID:9500
- C:\Windows\System32\NTdQKrh.exe
  C:\Windows\System32\NTdQKrh.exe
  2⤵
  PID:9528
- C:\Windows\System32\wHdJdpG.exe
  C:\Windows\System32\wHdJdpG.exe
  2⤵
  PID:9640
- C:\Windows\System32\aHjrcPX.exe
  C:\Windows\System32\aHjrcPX.exe
  2⤵
  PID:9688
- C:\Windows\System32\VEojHxZ.exe
  C:\Windows\System32\VEojHxZ.exe
  2⤵
  PID:9724
- C:\Windows\System32\aqJTSnv.exe
  C:\Windows\System32\aqJTSnv.exe
  2⤵
  PID:9740
- C:\Windows\System32\IiOgbzN.exe
  C:\Windows\System32\IiOgbzN.exe
  2⤵
  PID:9808
- C:\Windows\System32\MCCkrNX.exe
  C:\Windows\System32\MCCkrNX.exe
  2⤵
  PID:9844
- C:\Windows\System32\XiqUPnv.exe
  C:\Windows\System32\XiqUPnv.exe
  2⤵
  PID:9860
- C:\Windows\System32\YkVzQEQ.exe
  C:\Windows\System32\YkVzQEQ.exe
  2⤵
  PID:9880
- C:\Windows\System32\fUiWxQs.exe
  C:\Windows\System32\fUiWxQs.exe
  2⤵
  PID:9896
- C:\Windows\System32\nsCdDuO.exe
  C:\Windows\System32\nsCdDuO.exe
  2⤵
  PID:9932
- C:\Windows\System32\drNWInX.exe
  C:\Windows\System32\drNWInX.exe
  2⤵
  PID:9964
- C:\Windows\System32\WQnADzE.exe
  C:\Windows\System32\WQnADzE.exe
  2⤵
  PID:10000
- C:\Windows\System32\MthFqOO.exe
  C:\Windows\System32\MthFqOO.exe
  2⤵
  PID:10016
- C:\Windows\System32\GLFSyLZ.exe
  C:\Windows\System32\GLFSyLZ.exe
  2⤵
  PID:10036
- C:\Windows\System32\iZoshfO.exe
  C:\Windows\System32\iZoshfO.exe
  2⤵
  PID:10096
- C:\Windows\System32\OaMSQEp.exe
  C:\Windows\System32\OaMSQEp.exe
  2⤵
  PID:10124
- C:\Windows\System32\KIjGOAJ.exe
  C:\Windows\System32\KIjGOAJ.exe
  2⤵
  PID:10140
- C:\Windows\System32\zwLsyuN.exe
  C:\Windows\System32\zwLsyuN.exe
  2⤵
  PID:10160
- C:\Windows\System32\rYovfkx.exe
  C:\Windows\System32\rYovfkx.exe
  2⤵
  PID:10176
- C:\Windows\System32\wLmnYMO.exe
  C:\Windows\System32\wLmnYMO.exe
  2⤵
  PID:10224
- C:\Windows\System32\exqXNje.exe
  C:\Windows\System32\exqXNje.exe
  2⤵
  PID:9260
- C:\Windows\System32\DcRsQEy.exe
  C:\Windows\System32\DcRsQEy.exe
  2⤵
  PID:9304
- C:\Windows\System32\iSJXxvn.exe
  C:\Windows\System32\iSJXxvn.exe
  2⤵
  PID:9360
- C:\Windows\System32\YzZKtHk.exe
  C:\Windows\System32\YzZKtHk.exe
  2⤵
  PID:9392
- C:\Windows\System32\mzckayo.exe
  C:\Windows\System32\mzckayo.exe
  2⤵
  PID:9400
- C:\Windows\System32\dKMoeab.exe
  C:\Windows\System32\dKMoeab.exe
  2⤵
  PID:9492
- C:\Windows\System32\nmeWLOQ.exe
  C:\Windows\System32\nmeWLOQ.exe
  2⤵
  PID:9604
- C:\Windows\System32\KbRfSbE.exe
  C:\Windows\System32\KbRfSbE.exe
  2⤵
  PID:9564
- C:\Windows\System32\bHVTEVj.exe
  C:\Windows\System32\bHVTEVj.exe
  2⤵
  PID:9632
- C:\Windows\System32\lmROsfK.exe
  C:\Windows\System32\lmROsfK.exe
  2⤵
  PID:9608
- C:\Windows\System32\FtoiEPm.exe
  C:\Windows\System32\FtoiEPm.exe
  2⤵
  PID:9656
- C:\Windows\System32\RrgpdyO.exe
  C:\Windows\System32\RrgpdyO.exe
  2⤵
  PID:9712
- C:\Windows\System32\kbzgJtV.exe
  C:\Windows\System32\kbzgJtV.exe
  2⤵
  PID:9840
- C:\Windows\System32\Efrzjgd.exe
  C:\Windows\System32\Efrzjgd.exe
  2⤵
  PID:9816
- C:\Windows\System32\kddrZqo.exe
  C:\Windows\System32\kddrZqo.exe
  2⤵
  PID:9924
- C:\Windows\System32\kRVMDwP.exe
  C:\Windows\System32\kRVMDwP.exe
  2⤵
  PID:9952
- C:\Windows\System32\ZCTmjGt.exe
  C:\Windows\System32\ZCTmjGt.exe
  2⤵
  PID:10012
- C:\Windows\System32\vhtQhBP.exe
  C:\Windows\System32\vhtQhBP.exe
  2⤵
  PID:10092
- C:\Windows\System32\Iqywtqw.exe
  C:\Windows\System32\Iqywtqw.exe
  2⤵
  PID:10132
- C:\Windows\System32\nDCBEzi.exe
  C:\Windows\System32\nDCBEzi.exe
  2⤵
  PID:10188
- C:\Windows\System32\Asqwcjn.exe
  C:\Windows\System32\Asqwcjn.exe
  2⤵
  PID:10168
- C:\Windows\System32\ywlsbqZ.exe
  C:\Windows\System32\ywlsbqZ.exe
  2⤵
  PID:9512
- C:\Windows\System32\TzrPALm.exe
  C:\Windows\System32\TzrPALm.exe
  2⤵
  PID:9488
- C:\Windows\System32\NddIdZn.exe
  C:\Windows\System32\NddIdZn.exe
  2⤵
  PID:9596
- C:\Windows\System32\mmueegA.exe
  C:\Windows\System32\mmueegA.exe
  2⤵
  PID:9664
- C:\Windows\System32\KlKvEPe.exe
  C:\Windows\System32\KlKvEPe.exe
  2⤵
  PID:9892
- C:\Windows\System32\JoeuRAE.exe
  C:\Windows\System32\JoeuRAE.exe
  2⤵
  PID:10028
- C:\Windows\System32\pCwamyZ.exe
  C:\Windows\System32\pCwamyZ.exe
  2⤵
  PID:9344
- C:\Windows\System32\IVtTWBe.exe
  C:\Windows\System32\IVtTWBe.exe
  2⤵
  PID:9404
- C:\Windows\System32\UZSeAHk.exe
  C:\Windows\System32\UZSeAHk.exe
  2⤵
  PID:9752
- C:\Windows\System32\XJKiWPU.exe
  C:\Windows\System32\XJKiWPU.exe
  2⤵
  PID:10252
- C:\Windows\System32\JdtDhSP.exe
  C:\Windows\System32\JdtDhSP.exe
  2⤵
  PID:10268
- C:\Windows\System32\PCFulvC.exe
  C:\Windows\System32\PCFulvC.exe
  2⤵
  PID:10292
- C:\Windows\System32\UMcuhYU.exe
  C:\Windows\System32\UMcuhYU.exe
  2⤵
  PID:10332
- C:\Windows\System32\OisGWKg.exe
  C:\Windows\System32\OisGWKg.exe
  2⤵
  PID:10360
- C:\Windows\System32\pCsPPCD.exe
  C:\Windows\System32\pCsPPCD.exe
  2⤵
  PID:10388
- C:\Windows\System32\WQMsZto.exe
  C:\Windows\System32\WQMsZto.exe
  2⤵
  PID:10412
- C:\Windows\System32\vqnoOVb.exe
  C:\Windows\System32\vqnoOVb.exe
  2⤵
  PID:10432
- C:\Windows\System32\rYTpIFN.exe
  C:\Windows\System32\rYTpIFN.exe
  2⤵
  PID:10468
- C:\Windows\System32\hfHkAYR.exe
  C:\Windows\System32\hfHkAYR.exe
  2⤵
  PID:10508
- C:\Windows\System32\NXAPQJZ.exe
  C:\Windows\System32\NXAPQJZ.exe
  2⤵
  PID:10528
- C:\Windows\System32\bUSBUYh.exe
  C:\Windows\System32\bUSBUYh.exe
  2⤵
  PID:10548
- C:\Windows\System32\KBXAWZl.exe
  C:\Windows\System32\KBXAWZl.exe
  2⤵
  PID:10568
- C:\Windows\System32\MMpIXZO.exe
  C:\Windows\System32\MMpIXZO.exe
  2⤵
  PID:10600
- C:\Windows\System32\ErOlvXi.exe
  C:\Windows\System32\ErOlvXi.exe
  2⤵
  PID:10620
- C:\Windows\System32\yEmOaQX.exe
  C:\Windows\System32\yEmOaQX.exe
  2⤵
  PID:10644
- C:\Windows\System32\vdcfXzS.exe
  C:\Windows\System32\vdcfXzS.exe
  2⤵
  PID:10672
- C:\Windows\System32\FthsdQS.exe
  C:\Windows\System32\FthsdQS.exe
  2⤵
  PID:10732
- C:\Windows\System32\eFtWNva.exe
  C:\Windows\System32\eFtWNva.exe
  2⤵
  PID:10752
- C:\Windows\System32\xrUUsvX.exe
  C:\Windows\System32\xrUUsvX.exe
  2⤵
  PID:10768
- C:\Windows\System32\deanTHg.exe
  C:\Windows\System32\deanTHg.exe
  2⤵
  PID:10788
- C:\Windows\System32\urlCRyH.exe
  C:\Windows\System32\urlCRyH.exe
  2⤵
  PID:10804
- C:\Windows\System32\tHKQdcp.exe
  C:\Windows\System32\tHKQdcp.exe
  2⤵
  PID:10836
- C:\Windows\System32\jKagmXq.exe
  C:\Windows\System32\jKagmXq.exe
  2⤵
  PID:10856
- C:\Windows\System32\MnOzLvH.exe
  C:\Windows\System32\MnOzLvH.exe
  2⤵
  PID:10932
- C:\Windows\System32\suTXtav.exe
  C:\Windows\System32\suTXtav.exe
  2⤵
  PID:10948
- C:\Windows\System32\RSPOEHY.exe
  C:\Windows\System32\RSPOEHY.exe
  2⤵
  PID:10964
- C:\Windows\System32\WIWBOAu.exe
  C:\Windows\System32\WIWBOAu.exe
  2⤵
  PID:10984
- C:\Windows\System32\zNReQuN.exe
  C:\Windows\System32\zNReQuN.exe
  2⤵
  PID:11008
- C:\Windows\System32\kYbLFRC.exe
  C:\Windows\System32\kYbLFRC.exe
  2⤵
  PID:11036
- C:\Windows\System32\WUzosVs.exe
  C:\Windows\System32\WUzosVs.exe
  2⤵
  PID:11056
- C:\Windows\System32\WlBdEVU.exe
  C:\Windows\System32\WlBdEVU.exe
  2⤵
  PID:11076
- C:\Windows\System32\guBWSAM.exe
  C:\Windows\System32\guBWSAM.exe
  2⤵
  PID:11104
- C:\Windows\System32\UYmooVm.exe
  C:\Windows\System32\UYmooVm.exe
  2⤵
  PID:11136
- C:\Windows\System32\ZcBkBGQ.exe
  C:\Windows\System32\ZcBkBGQ.exe
  2⤵
  PID:11164
- C:\Windows\System32\UYJjsmJ.exe
  C:\Windows\System32\UYJjsmJ.exe
  2⤵
  PID:11180
- C:\Windows\System32\EZvEVtr.exe
  C:\Windows\System32\EZvEVtr.exe
  2⤵
  PID:11196
- C:\Windows\System32\Howaqzz.exe
  C:\Windows\System32\Howaqzz.exe
  2⤵
  PID:11236
- C:\Windows\System32\EwZlHai.exe
  C:\Windows\System32\EwZlHai.exe
  2⤵
  PID:9668
- C:\Windows\System32\SLSzXgY.exe
  C:\Windows\System32\SLSzXgY.exe
  2⤵
  PID:10384
- C:\Windows\System32\cKgNXJh.exe
  C:\Windows\System32\cKgNXJh.exe
  2⤵
  PID:10420
- C:\Windows\System32\iLLOaGM.exe
  C:\Windows\System32\iLLOaGM.exe
  2⤵
  PID:10520
- C:\Windows\System32\uVBTNVD.exe
  C:\Windows\System32\uVBTNVD.exe
  2⤵
  PID:10556
- C:\Windows\System32\DvzlTTl.exe
  C:\Windows\System32\DvzlTTl.exe
  2⤵
  PID:10616
- C:\Windows\System32\orKhVzg.exe
  C:\Windows\System32\orKhVzg.exe
  2⤵
  PID:10668
- C:\Windows\System32\hVTXYec.exe
  C:\Windows\System32\hVTXYec.exe
  2⤵
  PID:10740
- C:\Windows\System32\uyMfBGd.exe
  C:\Windows\System32\uyMfBGd.exe
  2⤵
  PID:10760
- C:\Windows\System32\khhHazF.exe
  C:\Windows\System32\khhHazF.exe
  2⤵
  PID:10864
- C:\Windows\System32\lVGweEr.exe
  C:\Windows\System32\lVGweEr.exe
  2⤵
  PID:10892
- C:\Windows\System32\fuvbfGm.exe
  C:\Windows\System32\fuvbfGm.exe
  2⤵
  PID:10996
- C:\Windows\System32\nLurodT.exe
  C:\Windows\System32\nLurodT.exe
  2⤵
  PID:11020
- C:\Windows\System32\ksqNwCU.exe
  C:\Windows\System32\ksqNwCU.exe
  2⤵
  PID:11160
- C:\Windows\System32\GDZlFDl.exe
  C:\Windows\System32\GDZlFDl.exe
  2⤵
  PID:11192
- C:\Windows\System32\kxCMxyL.exe
  C:\Windows\System32\kxCMxyL.exe
  2⤵
  PID:11232
- C:\Windows\System32\FLBfhgj.exe
  C:\Windows\System32\FLBfhgj.exe
  2⤵
  PID:11252
- C:\Windows\System32\zYeSojJ.exe
  C:\Windows\System32\zYeSojJ.exe
  2⤵
  PID:10328
- C:\Windows\System32\EhrScuT.exe
  C:\Windows\System32\EhrScuT.exe
  2⤵
  PID:9544
- C:\Windows\System32\JFWuWTv.exe
  C:\Windows\System32\JFWuWTv.exe
  2⤵
  PID:10576
- C:\Windows\System32\CmVQgZp.exe
  C:\Windows\System32\CmVQgZp.exe
  2⤵
  PID:10828
- C:\Windows\System32\hhYPAMF.exe
  C:\Windows\System32\hhYPAMF.exe
  2⤵
  PID:11004
- C:\Windows\System32\EiunSzp.exe
  C:\Windows\System32\EiunSzp.exe
  2⤵
  PID:11224
- C:\Windows\System32\LKmMZCT.exe
  C:\Windows\System32\LKmMZCT.exe
  2⤵
  PID:11156
- C:\Windows\System32\xQqZjZv.exe
  C:\Windows\System32\xQqZjZv.exe
  2⤵
  PID:10680
- C:\Windows\System32\aadHPPF.exe
  C:\Windows\System32\aadHPPF.exe
  2⤵
  PID:10708
- C:\Windows\System32\zOpxdUd.exe
  C:\Windows\System32\zOpxdUd.exe
  2⤵
  PID:10596
- C:\Windows\System32\wivlGIL.exe
  C:\Windows\System32\wivlGIL.exe
  2⤵
  PID:11268
- C:\Windows\System32\ajoIIQl.exe
  C:\Windows\System32\ajoIIQl.exe
  2⤵
  PID:11288
- C:\Windows\System32\pwMojwE.exe
  C:\Windows\System32\pwMojwE.exe
  2⤵
  PID:11308
- C:\Windows\System32\bPkjSNP.exe
  C:\Windows\System32\bPkjSNP.exe
  2⤵
  PID:11368
- C:\Windows\System32\yvgrUqh.exe
  C:\Windows\System32\yvgrUqh.exe
  2⤵
  PID:11384
- C:\Windows\System32\sxPnffF.exe
  C:\Windows\System32\sxPnffF.exe
  2⤵
  PID:11416
- C:\Windows\System32\SlBeNWS.exe
  C:\Windows\System32\SlBeNWS.exe
  2⤵
  PID:11436
- C:\Windows\System32\pmYOeKm.exe
  C:\Windows\System32\pmYOeKm.exe
  2⤵
  PID:11460
- C:\Windows\System32\eStWUPC.exe
  C:\Windows\System32\eStWUPC.exe
  2⤵
  PID:11476
- C:\Windows\System32\zYlPxNl.exe
  C:\Windows\System32\zYlPxNl.exe
  2⤵
  PID:11496
- C:\Windows\System32\pGlrDgr.exe
  C:\Windows\System32\pGlrDgr.exe
  2⤵
  PID:11520
- C:\Windows\System32\PeRRqxY.exe
  C:\Windows\System32\PeRRqxY.exe
  2⤵
  PID:11548
- C:\Windows\System32\QQztsnh.exe
  C:\Windows\System32\QQztsnh.exe
  2⤵
  PID:11576
- C:\Windows\System32\rsMbrEg.exe
  C:\Windows\System32\rsMbrEg.exe
  2⤵
  PID:11620
- C:\Windows\System32\VGOnyIe.exe
  C:\Windows\System32\VGOnyIe.exe
  2⤵
  PID:11648
- C:\Windows\System32\jsOQcOn.exe
  C:\Windows\System32\jsOQcOn.exe
  2⤵
  PID:11684
- C:\Windows\System32\wqJINsY.exe
  C:\Windows\System32\wqJINsY.exe
  2⤵
  PID:11712
- C:\Windows\System32\dYyEPwk.exe
  C:\Windows\System32\dYyEPwk.exe
  2⤵
  PID:11740
- C:\Windows\System32\QMwvwis.exe
  C:\Windows\System32\QMwvwis.exe
  2⤵
  PID:11780
- C:\Windows\System32\nYDkQGU.exe
  C:\Windows\System32\nYDkQGU.exe
  2⤵
  PID:11800
- C:\Windows\System32\yACOtub.exe
  C:\Windows\System32\yACOtub.exe
  2⤵
  PID:11816
- C:\Windows\System32\igLMKMp.exe
  C:\Windows\System32\igLMKMp.exe
  2⤵
  PID:11844
- C:\Windows\System32\SpABOIw.exe
  C:\Windows\System32\SpABOIw.exe
  2⤵
  PID:11888
- C:\Windows\System32\WrOYFJE.exe
  C:\Windows\System32\WrOYFJE.exe
  2⤵
  PID:11908
- C:\Windows\System32\KtUslTE.exe
  C:\Windows\System32\KtUslTE.exe
  2⤵
  PID:11948
- C:\Windows\System32\QeQnepg.exe
  C:\Windows\System32\QeQnepg.exe
  2⤵
  PID:11972
- C:\Windows\System32\HwlBitI.exe
  C:\Windows\System32\HwlBitI.exe
  2⤵
  PID:11992
- C:\Windows\System32\cnCuMtU.exe
  C:\Windows\System32\cnCuMtU.exe
  2⤵
  PID:12028
- C:\Windows\System32\veUPVEr.exe
  C:\Windows\System32\veUPVEr.exe
  2⤵
  PID:12048
- C:\Windows\System32\RNsZARm.exe
  C:\Windows\System32\RNsZARm.exe
  2⤵
  PID:12064
- C:\Windows\System32\wKnPczV.exe
  C:\Windows\System32\wKnPczV.exe
  2⤵
  PID:12084
- C:\Windows\System32\OSBCOmf.exe
  C:\Windows\System32\OSBCOmf.exe
  2⤵
  PID:12136
- C:\Windows\System32\PymTedl.exe
  C:\Windows\System32\PymTedl.exe
  2⤵
  PID:12160
- C:\Windows\System32\KGMUxZz.exe
  C:\Windows\System32\KGMUxZz.exe
  2⤵
  PID:12184
- C:\Windows\System32\eWwDZKR.exe
  C:\Windows\System32\eWwDZKR.exe
  2⤵
  PID:12200
- C:\Windows\System32\QOebKaZ.exe
  C:\Windows\System32\QOebKaZ.exe
  2⤵
  PID:12276
- C:\Windows\System32\LVZmUQr.exe
  C:\Windows\System32\LVZmUQr.exe
  2⤵
  PID:10800
- C:\Windows\System32\ypOdChe.exe
  C:\Windows\System32\ypOdChe.exe
  2⤵
  PID:11300
- C:\Windows\System32\DcEsFEw.exe
  C:\Windows\System32\DcEsFEw.exe
  2⤵
  PID:11340
- C:\Windows\System32\WVUITQD.exe
  C:\Windows\System32\WVUITQD.exe
  2⤵
  PID:11376
- C:\Windows\System32\GcBUsxf.exe
  C:\Windows\System32\GcBUsxf.exe
  2⤵
  PID:11468
- C:\Windows\System32\zqkMmaZ.exe
  C:\Windows\System32\zqkMmaZ.exe
  2⤵
  PID:11556
- C:\Windows\System32\LocfJUF.exe
  C:\Windows\System32\LocfJUF.exe
  2⤵
  PID:11632
- C:\Windows\System32\fLAWMag.exe
  C:\Windows\System32\fLAWMag.exe
  2⤵
  PID:11724
- C:\Windows\System32\CvZKWAr.exe
  C:\Windows\System32\CvZKWAr.exe
  2⤵
  PID:11764
- C:\Windows\System32\bmGMTTR.exe
  C:\Windows\System32\bmGMTTR.exe
  2⤵
  PID:11812
- C:\Windows\System32\TIPdTIK.exe
  C:\Windows\System32\TIPdTIK.exe
  2⤵
  PID:11856
- C:\Windows\System32\UtpUqsi.exe
  C:\Windows\System32\UtpUqsi.exe
  2⤵
  PID:11936
- C:\Windows\System32\NrKXIIv.exe
  C:\Windows\System32\NrKXIIv.exe
  2⤵
  PID:11988
- C:\Windows\System32\TLffkgx.exe
  C:\Windows\System32\TLffkgx.exe
  2⤵
  PID:12040
- C:\Windows\System32\YKOCiDV.exe
  C:\Windows\System32\YKOCiDV.exe
  2⤵
  PID:12192
- C:\Windows\System32\wdsHHEQ.exe
  C:\Windows\System32\wdsHHEQ.exe
  2⤵
  PID:12264
- C:\Windows\System32\XulHpit.exe
  C:\Windows\System32\XulHpit.exe
  2⤵
  PID:12284
- C:\Windows\System32\igNkLdO.exe
  C:\Windows\System32\igNkLdO.exe
  2⤵
  PID:11448
- C:\Windows\System32\EyPWHCF.exe
  C:\Windows\System32\EyPWHCF.exe
  2⤵
  PID:11544
- C:\Windows\System32\WiSFcWc.exe
  C:\Windows\System32\WiSFcWc.exe
  2⤵
  PID:11564
- C:\Windows\System32\cnTiBEm.exe
  C:\Windows\System32\cnTiBEm.exe
  2⤵
  PID:11756
- C:\Windows\System32\rqXVWwP.exe
  C:\Windows\System32\rqXVWwP.exe
  2⤵
  PID:11896
- C:\Windows\System32\tdQbbyx.exe
  C:\Windows\System32\tdQbbyx.exe
  2⤵
  PID:12020
- C:\Windows\System32\yzgfmpN.exe
  C:\Windows\System32\yzgfmpN.exe
  2⤵
  PID:10640
- C:\Windows\System32\ENmXPYI.exe
  C:\Windows\System32\ENmXPYI.exe
  2⤵
  PID:2448
- C:\Windows\System32\aUvkeBm.exe
  C:\Windows\System32\aUvkeBm.exe
  2⤵
  PID:11392
- C:\Windows\System32\IwKPXru.exe
  C:\Windows\System32\IwKPXru.exe
  2⤵
  PID:11492
- C:\Windows\System32\kSqtQDf.exe
  C:\Windows\System32\kSqtQDf.exe
  2⤵
  PID:4352
- C:\Windows\System32\ktuZQCZ.exe
  C:\Windows\System32\ktuZQCZ.exe
  2⤵
  PID:2704
- C:\Windows\System32\rXlLtys.exe
  C:\Windows\System32\rXlLtys.exe
  2⤵
  PID:11508
- C:\Windows\System32\wtGJteR.exe
  C:\Windows\System32\wtGJteR.exe
  2⤵
  PID:12300
- C:\Windows\System32\swBvscl.exe
  C:\Windows\System32\swBvscl.exe
  2⤵
  PID:12316
- C:\Windows\System32\pPLgBUL.exe
  C:\Windows\System32\pPLgBUL.exe
  2⤵
  PID:12336
- C:\Windows\System32\WffDvwF.exe
  C:\Windows\System32\WffDvwF.exe
  2⤵
  PID:12356
- C:\Windows\System32\dlsqzHO.exe
  C:\Windows\System32\dlsqzHO.exe
  2⤵
  PID:12400
- C:\Windows\System32\UTjnAYB.exe
  C:\Windows\System32\UTjnAYB.exe
  2⤵
  PID:12424
- C:\Windows\System32\Mignkhv.exe
  C:\Windows\System32\Mignkhv.exe
  2⤵
  PID:12476
- C:\Windows\System32\CVFwuTU.exe
  C:\Windows\System32\CVFwuTU.exe
  2⤵
  PID:12500
- C:\Windows\System32\PCHmepp.exe
  C:\Windows\System32\PCHmepp.exe
  2⤵
  PID:12524
- C:\Windows\System32\DdjlLzx.exe
  C:\Windows\System32\DdjlLzx.exe
  2⤵
  PID:12544
- C:\Windows\System32\ebxyYfI.exe
  C:\Windows\System32\ebxyYfI.exe
  2⤵
  PID:12560
- C:\Windows\System32\yfHrwMM.exe
  C:\Windows\System32\yfHrwMM.exe
  2⤵
  PID:12620
- C:\Windows\System32\QBnikrX.exe
  C:\Windows\System32\QBnikrX.exe
  2⤵
  PID:12644
- C:\Windows\System32\VXHQoWN.exe
  C:\Windows\System32\VXHQoWN.exe
  2⤵
  PID:12672
- C:\Windows\System32\msShXvx.exe
  C:\Windows\System32\msShXvx.exe
  2⤵
  PID:12692
- C:\Windows\System32\BZTjVOb.exe
  C:\Windows\System32\BZTjVOb.exe
  2⤵
  PID:12708
- C:\Windows\System32\wErqMGG.exe
  C:\Windows\System32\wErqMGG.exe
  2⤵
  PID:12728
- C:\Windows\System32\xDYUDdr.exe
  C:\Windows\System32\xDYUDdr.exe
  2⤵
  PID:12752
- C:\Windows\System32\DJLJZzD.exe
  C:\Windows\System32\DJLJZzD.exe
  2⤵
  PID:12768
- C:\Windows\System32\aVpKROz.exe
  C:\Windows\System32\aVpKROz.exe
  2⤵
  PID:12804
- C:\Windows\System32\xOdUwzE.exe
  C:\Windows\System32\xOdUwzE.exe
  2⤵
  PID:12820
- C:\Windows\System32\pdYRyrl.exe
  C:\Windows\System32\pdYRyrl.exe
  2⤵
  PID:12892
- C:\Windows\System32\XSKfWYA.exe
  C:\Windows\System32\XSKfWYA.exe
  2⤵
  PID:12928
- C:\Windows\System32\AWzBolo.exe
  C:\Windows\System32\AWzBolo.exe
  2⤵
  PID:12948
- C:\Windows\System32\fzGhNga.exe
  C:\Windows\System32\fzGhNga.exe
  2⤵
  PID:12964
- C:\Windows\System32\IFAtqiJ.exe
  C:\Windows\System32\IFAtqiJ.exe
  2⤵
  PID:13000
- C:\Windows\System32\FTggadu.exe
  C:\Windows\System32\FTggadu.exe
  2⤵
  PID:13044
- C:\Windows\System32\sYqnBAG.exe
  C:\Windows\System32\sYqnBAG.exe
  2⤵
  PID:13060
- C:\Windows\System32\itqztks.exe
  C:\Windows\System32\itqztks.exe
  2⤵
  PID:13080
- C:\Windows\System32\ueERodw.exe
  C:\Windows\System32\ueERodw.exe
  2⤵
  PID:13104
- C:\Windows\System32\SZrsBIj.exe
  C:\Windows\System32\SZrsBIj.exe
  2⤵
  PID:13120
- C:\Windows\System32\MsBhhyb.exe
  C:\Windows\System32\MsBhhyb.exe
  2⤵
  PID:13140
- C:\Windows\System32\hQiWRei.exe
  C:\Windows\System32\hQiWRei.exe
  2⤵
  PID:13188
- C:\Windows\System32\RMiUYSS.exe
  C:\Windows\System32\RMiUYSS.exe
  2⤵
  PID:13212
- C:\Windows\System32\BMJnFqX.exe
  C:\Windows\System32\BMJnFqX.exe
  2⤵
  PID:13232
- C:\Windows\System32\cAgXSzp.exe
  C:\Windows\System32\cAgXSzp.exe
  2⤵
  PID:13252
- C:\Windows\System32\UTPIeVa.exe
  C:\Windows\System32\UTPIeVa.exe
  2⤵
  PID:13288
- C:\Windows\System32\PfnIOVK.exe
  C:\Windows\System32\PfnIOVK.exe
  2⤵
  PID:12324
- C:\Windows\System32\hbUTYPJ.exe
  C:\Windows\System32\hbUTYPJ.exe
  2⤵
  PID:4824
- C:\Windows\System32\lCdkWxH.exe
  C:\Windows\System32\lCdkWxH.exe
  2⤵
  PID:12364
- C:\Windows\System32\NoHCwxO.exe
  C:\Windows\System32\NoHCwxO.exe
  2⤵
  PID:12388
- C:\Windows\System32\dcLVEYv.exe
  C:\Windows\System32\dcLVEYv.exe
  2⤵
  PID:12512
- C:\Windows\System32\UAKlkiO.exe
  C:\Windows\System32\UAKlkiO.exe
  2⤵
  PID:12532
- C:\Windows\System32\QPhUzXf.exe
  C:\Windows\System32\QPhUzXf.exe
  2⤵
  PID:12660
- C:\Windows\System32\moiJOVX.exe
  C:\Windows\System32\moiJOVX.exe
  2⤵
  PID:12724
- C:\Windows\System32\dDQlZIP.exe
  C:\Windows\System32\dDQlZIP.exe
  2⤵
  PID:12788
- C:\Windows\System32\TVxqmpf.exe
  C:\Windows\System32\TVxqmpf.exe
  2⤵
  PID:12900

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ABHdJFh.exe

Filesize
1.2MB

MD5
d170df4a52c97115ef8ec0db2e0b3c71

SHA1
e1a0dd26c417eef444edd544357639a9ee35ceec

SHA256
0dbceeb027a1af6d67c91ffa89b6a3551e62d62cd7dd32d84c4c994dcaa6ac3b

SHA512
1f26648e8109334986d444480eff256f93ddb6c4b4ed66527b7dee0f5dee08907673cbf0c7cd23228f5beca4ca1b3dc6fa819090d45c8808fb7ff6996a2b8959

Download Submit
C:\Windows\System32\CRbOxXK.exe

Filesize
1.2MB

MD5
43414d925c69b14eaf949ca8829b2627

SHA1
e2d9dd7fc0c916fc9ac7c9bcff1d4b356bd08670

SHA256
d4afcec5805b543bfd48c4244685b13189867b0a671b35e5fdceb6e664b2759d

SHA512
7d16adee1f4cb6d050f1d54b89d3a1558c838e2fa206eabe918b516d80261a8bb5f75a092e7c72365040ae089bce8e69eacf748ab97dd082fab439d976ed319f

Download Submit
C:\Windows\System32\CgJWBYg.exe

Filesize
1.2MB

MD5
74fcd788dbdcef67527eb0d1971eb5c5

SHA1
99c4bbfba0497a198ff7bc16d0996647ba274072

SHA256
6005566e27858349893e899a767f3ec5c65a113c43c50cae1a5f531c2e8bb094

SHA512
18d0e422e1c886bf37fe0d41f533fca29314eb9e56a231040cadc405c2ac93cb5ed1af49c98924b9785f70aa0cd0ba9e89d03d4f328e762278570ef019ef0e34

Download Submit
C:\Windows\System32\DFVwxIC.exe

Filesize
1.2MB

MD5
151c54ee4f4597de7f3eb72cea24486a

SHA1
fee9fe3bacbc377f861a949b8cc8e2f8ba967391

SHA256
edc73f0264eb5c1cb50963df4bc1568bb41c1a24d00bab8d0d938208cde62727

SHA512
6ad5baa3dc0454a782c9fe21c14df6f8564ccc1ef51b9c7a27e2f3353d88c766f4e113c50023d9d00a957140dcd64a683522bfbb3c1d24878d21f5f0c543312f

Download Submit
C:\Windows\System32\DSZnLGx.exe

Filesize
1.2MB

MD5
4190336915f7a3309391134d77c2cf65

SHA1
77fb77b6c08fdc533fd6817e3f1f27eb1eb40937

SHA256
7645b81fd5a8f960c12a1a19213f390fd88b742cf79fbf29ab210646cca9eb1e

SHA512
1c8de9be694768dfe794d5dcf19a9243a70e7bbb2f11b888cef069f2862c954c51c8d43d0f8488677761e0968ff6ee96e5058029daf2d2e48b9f9ab6ae48fdbe

Download Submit
C:\Windows\System32\EMoiHRh.exe

Filesize
1.2MB

MD5
7447d95a6507065cea258654eae29812

SHA1
6e6c8d50bec7e0ce509546cbe5cf3bb382e5ca6b

SHA256
2b7a84be72d50c3a6c6126543148e9cd07d17d43a1c79629556550d42d3cef0c

SHA512
0beec5665620a2040f47a5085c7a71a1df9c436c99d8acaca0d56dc21e24954d27859b19c6c3c4af17cfab734a641f8ff057a5546b8ad1439f993ba9f8c06c94

Download Submit
C:\Windows\System32\FDMDuPQ.exe

Filesize
1.2MB

MD5
481250d6a91c17497431bd3215cc9b55

SHA1
44388e75608b7d3a34dc9de8d3d2c2fa26fa0b35

SHA256
58a71c232cb2f9b637f54a5ca1c13cb46e026c22a34c5a3a38d18d1e199b1268

SHA512
a8ecc6e829098458ff34bf402ebc0f4786222697908a9cf6a6ba7c8a13c2e4f081da62057991388ffa3bfa177718c65d5165e7ebfc2fb16f85a16670e478b069

Download Submit
C:\Windows\System32\JmUznxc.exe

Filesize
1.2MB

MD5
484d3644781307d4c9afd548d78edaba

SHA1
32717c6e3defbdf449d7e3cad8e4a8ac7d3f7208

SHA256
856e696df03ed5df4acf73863d2aca992fa0493e9ee038ef3d0ff45863463a8c

SHA512
5cea6c5c1e239fe8af39dd9a9830b8932b72775b37ff65fdcbf09f0f9d01b14fffffd2b5440fee6c0e084542fb78d7275b49d63756635140632158064ed85f5d

Download Submit
C:\Windows\System32\OIiyBhY.exe

Filesize
1.2MB

MD5
5c5dd0b04483be29550497dcb91c512e

SHA1
da57338a145bad97172d432a1126d474acbf1285

SHA256
f4f79e47ed127c8b0f4f4a7ad9c1e2c3a45c982ed38e53375e93ccecccdd602c

SHA512
69dd5518c1592f1cf0173c4bc5ceefd20eff0bb184556d11397796683ebdb31529cb8007b663cc77155fe9d7c86fbd096d9cf0e476a2ccd54b809b9e722f6c58

Download Submit
C:\Windows\System32\PoSDmOM.exe

Filesize
1.2MB

MD5
e382837770a3d885cb2b92274b44e7de

SHA1
485d7ed94c7f376c1a3b1f7b11926da6538d6925

SHA256
16bc6b172f8c37da42505e9b23a68ba16997c3dfa5384c3faa80403aed8de820

SHA512
5e522b774d07daddcb5666de4602cbc91e95820465867dbe7ef820b19251a1009949eed493f5b9bd70170e2dfd88bcf2cd2720da88363674dceb6a6838ab008b

Download Submit
C:\Windows\System32\QiODTGg.exe

Filesize
1.2MB

MD5
9d022dd3dc700037e7a288ced5040a1e

SHA1
b7599adc5d6336867e377e7662de62e4b75e4598

SHA256
fc7a2703309c14bdde2580ab0100c5bdb4a71295aedd5988e8e10d5493789f4e

SHA512
dfbabb4d97cbb7047caacba07ac92d58c639cc9d0f14264d3e5f6bce6a20f3adc0d06ddf31b391118dabc9f671515b9ff070b00e4d5edc8d4a8131ad6f86ff4d

Download Submit
C:\Windows\System32\QpTxbcA.exe

Filesize
1.2MB

MD5
3e031f896612347c9829e0f79f57cf58

SHA1
c87977f0e26429e8853e7bed262eb00fe6bd5e9e

SHA256
f36abf57a1df8a2eeef9f66f8aadf7396c99eca71bd863c082ae10d438fe7bb5

SHA512
82f9047c94e16516ab86a213fa3b7e730ec100455dd5f6d2ae12f9c72623579edf4b66b5325e9b04723823a706324e81deeaaca02f58e0a64d84b85f1b89ac26

Download Submit
C:\Windows\System32\SlsLOGQ.exe

Filesize
1.2MB

MD5
ab1b02bc0df3d3f2b67ccf11bf9f5132

SHA1
dec0b3bf7357b32432e647e7848174d15555e82e

SHA256
2ffb63bb7cf470c927d7ce992d4bf601386c632fb23aa9e225cb0f107efb631e

SHA512
83140eb4b4b213ca66f5ac18d231bb3d60bc7ef3769165bae4ac64e0617175307f4ddbede90b048bc4c6b6a8de1b0111d997a110973882a7fac73daa469b8f13

Download Submit
C:\Windows\System32\TXCPGwH.exe

Filesize
1.2MB

MD5
af27e46e38ba10e652e935bd34896b4c

SHA1
908c829614c749b186adf82d7bbef97bc3160985

SHA256
1efe7ecde070d49f128b49c8032fe0c78ff79c17f448561d5d60f3ad5d43a74b

SHA512
433b3dd63930bafe3704e4e309c5d938e41f7fc879e7ca823af1fdc1247b1abaccb37cd7eeafccc2edf423f32ede695d724a3396ac8b40db77724f5e61d05b07

Download Submit
C:\Windows\System32\UBVQyWy.exe

Filesize
1.2MB

MD5
10761e2a23826ccfacf091cce11f66ca

SHA1
ea168f98683a1ae957a5b43df8a6e62f0698e6ef

SHA256
9ebc51056c0462a03a9e121e6910c5aa365001023ae951549d69f15a48e58b1b

SHA512
77c7c3a3830798f00d45de3bec508c4bea0bf1f802b4254b15c075baff89bbb2fd576eb5f16709fda4d2719fbb798f9cbae007832fe56cf63215a16dfe7bd774

Download Submit
C:\Windows\System32\WpEXKER.exe

Filesize
1.2MB

MD5
17d016926373750b170af59131cea214

SHA1
0af8495e2e3223b8f84492ec31b2f8b668a9a7c6

SHA256
379ff165cdb5ba447c969785b1be169b9bdddced9828919f7ce131d02dbd6b2a

SHA512
6113ccbd33ec9488288f7aefa6c0c9c7d538b056484873a7cdc87a3df60ea35a8215530506d7246bb0119a184f0e1f714b6ad23936b1250d095167fb3f6108bf

Download Submit
C:\Windows\System32\YGmneBR.exe

Filesize
1.2MB

MD5
c5ffc0f91b490248fcfecc9199565644

SHA1
09e93ad42f0fb9d4c231272afd8a81e8192693a3

SHA256
ebe3bdd92d88d41e13608427328ba251a08a9fe58798213bd48b315f9b9b6bec

SHA512
5e9bf876805a3359ec3d5c154b5bf2409750014eb374c0f55d0ea7cbc88e94884b2ab726d5eb7a226ab0ad24f0d1f31e1074d5e6a524f46b1839a81162565068

Download Submit
C:\Windows\System32\YyKQPRG.exe

Filesize
1.2MB

MD5
f12a356facbfb55f8bfdf8cf7384f1e8

SHA1
8f265cb6ad8e2c64b69ba2e38b0d739ad70ab40b

SHA256
e213fc67e43075fd2d37695c86fa3894792e123525c720ab2387518dbd789b2e

SHA512
2aac7fd9d883b2c70622a608bfbcf6aeb61281e7b19219b32855f69081ace182e4bcc52d99c091890d0eaf27e3238a510376156452d88db782c3edc38d2c0443

Download Submit
C:\Windows\System32\aZexxfS.exe

Filesize
1.2MB

MD5
7224ef8cb59addd9e525e481fa9327dc

SHA1
9ab8245c9bb5b61c31bec6d54c59fe9cf6bfcc9e

SHA256
f9925e9b00902e2d13b9195f5c612c6e98abc18e7ecd82073e9d5bb7e2cbe61e

SHA512
359893def709b1aa18680484c208acae4e326a45945c630340aed516daa38b336a4509f121ddb6ff49ff628e66b09bea1f4e14832340a8e90db0016273bd32eb

Download Submit
C:\Windows\System32\bjBEouv.exe

Filesize
1.2MB

MD5
ebe8e1544d14b52c99b11dce1711139c

SHA1
bc709d89d1a31a41b06f6dfa96ba43a23efa9e02

SHA256
490f04aababa5669c28c93658d6e1542f6b87ab4f9e58c7072052c3996cef9ad

SHA512
ca103486cf02da9d18515b45dbd72f837c3ad6f8d41d46329d19f70c129057eeea427bc1684c95d3e4e8f7c4796e0eea898494c86836e368e8a8e9c77987b50c

Download Submit
C:\Windows\System32\gpYaEIu.exe

Filesize
1.2MB

MD5
de4f04b05050fc41258404caa2b1a273

SHA1
47dafd8de90713887d11026b52c3765c73e1108f

SHA256
c7cd14206ab95e80387bd9944be83414cecc584fab9e78c61c653d8b9add2bc1

SHA512
10987332247c7c1e848de9be86583a07cc20dd8293183f4a2f20eeaf4da67188df9e93aaf2320392554c88e099ded34d76eb134e1f6eca0458a45415dbce5ea1

Download Submit
C:\Windows\System32\jevEhNz.exe

Filesize
1.2MB

MD5
6587f0ca5d273b7acb6fc3c0ce6a0f5a

SHA1
21b6a58e0f7d46456a9fd415520052add9262b7a

SHA256
53263252f9bec32c3b3ee494f300460c2ffc73a86fc8883d5050753053967192

SHA512
92f0bb712250469c76e5cb0cc70616ca67ce7dd05c30849f67c3dd14986ad78a47d115fd77e818e99ab625d90315657dbbf1964caac49c11304262af9f98d033

Download Submit
C:\Windows\System32\jvBvDZM.exe

Filesize
1.2MB

MD5
211ec488d94d7d5772f4fb0abc995926

SHA1
e3ac36cb784e192a7291ad949bc8e39c6ddb6901

SHA256
a9281698681ac006d2154ae7011bf92110ffbced2d08103312ccada9712f82b4

SHA512
a9984aa44a0afd349287a42e254b4da4eee4b386c66bc0667ca586c0c2eec07bc5ddade36cb1520a7041412c7f4ecf2c93b899f4c07dffa96bd2740919a8bce3

Download Submit
C:\Windows\System32\llVhzJn.exe

Filesize
1.2MB

MD5
5b9b39a34e11ecc89c56b24fd871e659

SHA1
c2de0d2f5d21fe66f616d50117082f1b245126e0

SHA256
b3b6f8a5f2b01ea5f1246ffd12909743d399a62d94716274b97ab7c18d7de9d1

SHA512
b957dc9a4279e82988f4b89eaf7745afa495867228a05030a9b5e551dfca1ef0aa8d3493da01f04c1e5b7cc8a4536bf7132dbe2b060968f04c9915071dc25127

Download Submit
C:\Windows\System32\sMSbOcT.exe

Filesize
1.2MB

MD5
f6f105d98d27bded4fecc1d1272e819b

SHA1
ba23663a1607d635fde24f72f814cc8431c6ef6e

SHA256
3571663586dd77564354d3d0be835ed864c3a38494d9f93f19adcfb02dee5c1c

SHA512
4c60cfd3106e6e9d9dff7e2e4a09121927b25237643b7068e7fc7eda2c79618dbe07735a44ceae6c6f7f45ee3f778fb4765a9436c0905a5bd160fe49c5ce1eab

Download Submit
C:\Windows\System32\ujxOlBK.exe

Filesize
1.2MB

MD5
c18f14fe784552004c24ddfccbee46e7

SHA1
93635cbc563858f11966decc4f65c1ff7c5e0564

SHA256
2131eea5fc6aa7cfc5de6897881d0329309933c7815b3f9017b66ce4ae37b0e0

SHA512
5f7c97a2ad5299b887961fd67f5dd2f9d3ba6a6b3da230070ab54e27bf96907ec7ee90ac10ce52dbfb8507903e40a561e6f76a6ac43cf521ae7832a01dfa3e76

Download Submit
C:\Windows\System32\vbDXTVM.exe

Filesize
1.2MB

MD5
f205a3ab960ec438d3ccf21036ecdef1

SHA1
1649365197b441607f2bf6659dda933bf957fd26

SHA256
7f5335743fa87df8ea65c0011a367ca3075e4fc3dc92e1b08b790d523ee40ad7

SHA512
6d8c880e33521f440dfccff128669188908cd687701497939f9955b5f270753b310da72bfa0bf60617e6b94d48b79a141eda04ce6ee2f822e8e1bc578f63a76a

Download Submit
C:\Windows\System32\wDLQWxf.exe

Filesize
1.2MB

MD5
e6343476b4f1bec8c2e722a547f50ec1

SHA1
78efeab16ce3f5adb86782bf680b66d9c4354c59

SHA256
643b265101b7aca01ea8ea5de919b010c9209935748d7fc3673eb291f31c8342

SHA512
48de729fa06d62207320c535e9f53bf1cde5471d2ec5cb5163078ac2fec4eb4278c5638b7522d4a4887943e2095084c17a6d22071af5eb559586db949fefe42d

Download Submit
C:\Windows\System32\xuMaqYP.exe

Filesize
1.2MB

MD5
02175918616529e283755965f024d9b3

SHA1
bf6f6747c21c078a1e0d1acfc7c44d8dc776531a

SHA256
862709ec618e2f9046ee1daa5ac8b586b3964933b8a5602445075121400267fc

SHA512
0bf06ea479b0c159a558221f95c933968696bd5da03e969ea4a9758ed365c6d90dcc75f6af0744db6de50c01103f86ffa5e4fcd514691268e21166b14b4a1ac2

Download Submit
C:\Windows\System32\yWFbTdV.exe

Filesize
1.2MB

MD5
a94a61619923ceb8d4ca7c5d1576785f

SHA1
2d3c3800eaae49d86409aea86ff0a2d5ae787c19

SHA256
4c9363b81b9f2fb9d4e926f63877e89e7f5f669a284ed052d9e6c1c861bcb9ea

SHA512
f6a3aa46815c756cafb666b58036283999d020db61058b8365313f6a9908ae9db6c9893e065d99bdb9b72a00aaa16951b82f1baeb048fc99c06ad3766ef6ecbf

Download Submit
C:\Windows\System32\yyvJarP.exe

Filesize
1.2MB

MD5
4703f8a9a3451e4a79dddcfd30b1ccc6

SHA1
0156153d7896434dde311a269309f98482e866ba

SHA256
5221a33f525b411284e82da84100d8746fcc8f69a8fbaecb573dce6ab10bd0a1

SHA512
8a1ed7a12fcc6022e0d4d70e900d121a766e39158243dbe7ca8ed76010e4440fd75cef24b34a1127239112c0aa7065906272bf0a4d26ad2d2c9c1a3a78cd268c

Download Submit
C:\Windows\System32\zzQmyir.exe

Filesize
1.2MB

MD5
b425f1fdf8074c7d8af18de61b48d35a

SHA1
b12e1a60314b406481026c3df85547e824dfc2e9

SHA256
f22be30ba95a6ccd9d4c515fc5eabb855f73b9060de7e3ac43f714160472748f

SHA512
1d58a8615eec694ac40833e1ec125d6f47aed5bd098221d81f29a6a4b8f5e2a38b741e23af264d561ffbba036fa3fd091ee4b9b9544af557a07d8a684e8b602b

Download Submit
memory/424-426-0x00007FF75D340000-0x00007FF75D731000-memory.dmp

Filesize
3.9MB

Download
memory/424-2039-0x00007FF75D340000-0x00007FF75D731000-memory.dmp

Filesize
3.9MB

Download
memory/976-2055-0x00007FF72B630000-0x00007FF72BA21000-memory.dmp

Filesize
3.9MB

Download
memory/976-446-0x00007FF72B630000-0x00007FF72BA21000-memory.dmp

Filesize
3.9MB

Download
memory/1292-2043-0x00007FF6163E0000-0x00007FF6167D1000-memory.dmp

Filesize
3.9MB

Download
memory/1292-396-0x00007FF6163E0000-0x00007FF6167D1000-memory.dmp

Filesize
3.9MB

Download
memory/1476-2031-0x00007FF7DD1F0000-0x00007FF7DD5E1000-memory.dmp

Filesize
3.9MB

Download
memory/1476-481-0x00007FF7DD1F0000-0x00007FF7DD5E1000-memory.dmp

Filesize
3.9MB

Download
memory/1648-2070-0x00007FF6C5F50000-0x00007FF6C6341000-memory.dmp

Filesize
3.9MB

Download
memory/1648-471-0x00007FF6C5F50000-0x00007FF6C6341000-memory.dmp

Filesize
3.9MB

Download
memory/1684-2047-0x00007FF6FAFE0000-0x00007FF6FB3D1000-memory.dmp

Filesize
3.9MB

Download
memory/1684-413-0x00007FF6FAFE0000-0x00007FF6FB3D1000-memory.dmp

Filesize
3.9MB

Download
memory/1812-2015-0x00007FF6439C0000-0x00007FF643DB1000-memory.dmp

Filesize
3.9MB

Download
memory/1812-30-0x00007FF6439C0000-0x00007FF643DB1000-memory.dmp

Filesize
3.9MB

Download
memory/1812-2009-0x00007FF6439C0000-0x00007FF643DB1000-memory.dmp

Filesize
3.9MB

Download
memory/1928-2027-0x00007FF7A50C0000-0x00007FF7A54B1000-memory.dmp

Filesize
3.9MB

Download
memory/1928-480-0x00007FF7A50C0000-0x00007FF7A54B1000-memory.dmp

Filesize
3.9MB

Download
memory/1992-438-0x00007FF692140000-0x00007FF692531000-memory.dmp

Filesize
3.9MB

Download
memory/1992-2057-0x00007FF692140000-0x00007FF692531000-memory.dmp

Filesize
3.9MB

Download
memory/2036-2023-0x00007FF706130000-0x00007FF706521000-memory.dmp

Filesize
3.9MB

Download
memory/2036-49-0x00007FF706130000-0x00007FF706521000-memory.dmp

Filesize
3.9MB

Download
memory/2036-2011-0x00007FF706130000-0x00007FF706521000-memory.dmp

Filesize
3.9MB

Download
memory/2808-2005-0x00007FF787220000-0x00007FF787611000-memory.dmp

Filesize
3.9MB

Download
memory/2808-2025-0x00007FF787220000-0x00007FF787611000-memory.dmp

Filesize
3.9MB

Download
memory/2808-380-0x00007FF787220000-0x00007FF787611000-memory.dmp

Filesize
3.9MB

Download
memory/3036-2041-0x00007FF647F90000-0x00007FF648381000-memory.dmp

Filesize
3.9MB

Download
memory/3036-428-0x00007FF647F90000-0x00007FF648381000-memory.dmp

Filesize
3.9MB

Download
memory/3208-12-0x00007FF7109E0000-0x00007FF710DD1000-memory.dmp

Filesize
3.9MB

Download
memory/3208-2013-0x00007FF7109E0000-0x00007FF710DD1000-memory.dmp

Filesize
3.9MB

Download
memory/3216-393-0x00007FF65FEE0000-0x00007FF6602D1000-memory.dmp

Filesize
3.9MB

Download
memory/3216-2035-0x00007FF65FEE0000-0x00007FF6602D1000-memory.dmp

Filesize
3.9MB

Download
memory/3308-431-0x00007FF793460000-0x00007FF793851000-memory.dmp

Filesize
3.9MB

Download
memory/3308-2049-0x00007FF793460000-0x00007FF793851000-memory.dmp

Filesize
3.9MB

Download
memory/3504-2033-0x00007FF625410000-0x00007FF625801000-memory.dmp

Filesize
3.9MB

Download
memory/3504-387-0x00007FF625410000-0x00007FF625801000-memory.dmp

Filesize
3.9MB

Download
memory/3512-2019-0x00007FF6D1EC0000-0x00007FF6D22B1000-memory.dmp

Filesize
3.9MB

Download
memory/3512-2003-0x00007FF6D1EC0000-0x00007FF6D22B1000-memory.dmp

Filesize
3.9MB

Download
memory/3512-22-0x00007FF6D1EC0000-0x00007FF6D22B1000-memory.dmp

Filesize
3.9MB

Download
memory/3868-2045-0x00007FF7A3310000-0x00007FF7A3701000-memory.dmp

Filesize
3.9MB

Download
memory/3868-404-0x00007FF7A3310000-0x00007FF7A3701000-memory.dmp

Filesize
3.9MB

Download
memory/4028-2051-0x00007FF761560000-0x00007FF761951000-memory.dmp

Filesize
3.9MB

Download
memory/4028-463-0x00007FF761560000-0x00007FF761951000-memory.dmp

Filesize
3.9MB

Download
memory/4040-420-0x00007FF686130000-0x00007FF686521000-memory.dmp

Filesize
3.9MB

Download
memory/4040-2037-0x00007FF686130000-0x00007FF686521000-memory.dmp

Filesize
3.9MB

Download
memory/4048-0-0x00007FF6A1930000-0x00007FF6A1D21000-memory.dmp

Filesize
3.9MB

Download
memory/4048-1-0x0000025C75290000-0x0000025C752A0000-memory.dmp

Filesize
64KB

Download
memory/4176-384-0x00007FF6AF790000-0x00007FF6AFB81000-memory.dmp

Filesize
3.9MB

Download
memory/4176-2029-0x00007FF6AF790000-0x00007FF6AFB81000-memory.dmp

Filesize
3.9MB

Download
memory/4648-2021-0x00007FF78E2F0000-0x00007FF78E6E1000-memory.dmp

Filesize
3.9MB

Download
memory/4648-2004-0x00007FF78E2F0000-0x00007FF78E6E1000-memory.dmp

Filesize
3.9MB

Download
memory/4648-42-0x00007FF78E2F0000-0x00007FF78E6E1000-memory.dmp

Filesize
3.9MB

Download
memory/4728-2017-0x00007FF71E000000-0x00007FF71E3F1000-memory.dmp

Filesize
3.9MB

Download
memory/4728-472-0x00007FF71E000000-0x00007FF71E3F1000-memory.dmp

Filesize
3.9MB

Download
memory/4864-2053-0x00007FF76DCE0000-0x00007FF76E0D1000-memory.dmp

Filesize
3.9MB

Download
memory/4864-452-0x00007FF76DCE0000-0x00007FF76E0D1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads