xmrig | b799772189dff123adc6a0c802df084b491f830aa6c7ebc8fd4411dac46e533a

Analysis

max time kernel
141s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
Size

1.1MB
MD5

098c1e6359e2c2df99bad6e673a1293a
SHA1

3cc74933a60feab0a50212de94a65a22fc829f8b
SHA256

b799772189dff123adc6a0c802df084b491f830aa6c7ebc8fd4411dac46e533a
SHA512

45c208b1e07e8beafe120e54cec5d77edb09849d6fe51c0db2e794f25e2406e02fc2e0f961b7666ed3e2b36a929a8151e7eee7ad671dfdba54f9e248d8b76b5c
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCejIODosAtlF0E1:knw9oUUEEDlGUrMglF0E1

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1584-10-0x00007FF71DE20000-0x00007FF71E211000-memory.dmp	xmrig
behavioral2/memory/4488-17-0x00007FF7D5D80000-0x00007FF7D6171000-memory.dmp	xmrig
behavioral2/memory/1832-361-0x00007FF752260000-0x00007FF752651000-memory.dmp	xmrig
behavioral2/memory/4544-371-0x00007FF7762F0000-0x00007FF7766E1000-memory.dmp	xmrig
behavioral2/memory/2404-365-0x00007FF7B1490000-0x00007FF7B1881000-memory.dmp	xmrig
behavioral2/memory/972-380-0x00007FF645730000-0x00007FF645B21000-memory.dmp	xmrig
behavioral2/memory/2672-391-0x00007FF641820000-0x00007FF641C11000-memory.dmp	xmrig
behavioral2/memory/1784-389-0x00007FF7135B0000-0x00007FF7139A1000-memory.dmp	xmrig
behavioral2/memory/4000-395-0x00007FF68DBC0000-0x00007FF68DFB1000-memory.dmp	xmrig
behavioral2/memory/4164-398-0x00007FF735600000-0x00007FF7359F1000-memory.dmp	xmrig
behavioral2/memory/3012-404-0x00007FF6E9AB0000-0x00007FF6E9EA1000-memory.dmp	xmrig
behavioral2/memory/3056-405-0x00007FF71DE60000-0x00007FF71E251000-memory.dmp	xmrig
behavioral2/memory/4984-406-0x00007FF60BB40000-0x00007FF60BF31000-memory.dmp	xmrig
behavioral2/memory/4580-407-0x00007FF7F9D60000-0x00007FF7FA151000-memory.dmp	xmrig
behavioral2/memory/2980-382-0x00007FF7C3ED0000-0x00007FF7C42C1000-memory.dmp	xmrig
behavioral2/memory/3172-472-0x00007FF6F4CE0000-0x00007FF6F50D1000-memory.dmp	xmrig
behavioral2/memory/1512-480-0x00007FF665D80000-0x00007FF666171000-memory.dmp	xmrig
behavioral2/memory/1016-470-0x00007FF6EEA30000-0x00007FF6EEE21000-memory.dmp	xmrig
behavioral2/memory/700-502-0x00007FF7F4A20000-0x00007FF7F4E11000-memory.dmp	xmrig
behavioral2/memory/3944-498-0x00007FF612720000-0x00007FF612B11000-memory.dmp	xmrig
behavioral2/memory/2160-495-0x00007FF6B95E0000-0x00007FF6B99D1000-memory.dmp	xmrig
behavioral2/memory/2348-492-0x00007FF6A7A80000-0x00007FF6A7E71000-memory.dmp	xmrig
behavioral2/memory/4468-487-0x00007FF678F30000-0x00007FF679321000-memory.dmp	xmrig
behavioral2/memory/2096-1948-0x00007FF7B3FA0000-0x00007FF7B4391000-memory.dmp	xmrig
behavioral2/memory/1584-1970-0x00007FF71DE20000-0x00007FF71E211000-memory.dmp	xmrig
behavioral2/memory/4488-1972-0x00007FF7D5D80000-0x00007FF7D6171000-memory.dmp	xmrig
behavioral2/memory/700-1978-0x00007FF7F4A20000-0x00007FF7F4E11000-memory.dmp	xmrig
behavioral2/memory/972-1984-0x00007FF645730000-0x00007FF645B21000-memory.dmp	xmrig
behavioral2/memory/2980-1986-0x00007FF7C3ED0000-0x00007FF7C42C1000-memory.dmp	xmrig
behavioral2/memory/1832-1976-0x00007FF752260000-0x00007FF752651000-memory.dmp	xmrig
behavioral2/memory/2096-1974-0x00007FF7B3FA0000-0x00007FF7B4391000-memory.dmp	xmrig
behavioral2/memory/2404-1982-0x00007FF7B1490000-0x00007FF7B1881000-memory.dmp	xmrig
behavioral2/memory/4544-1980-0x00007FF7762F0000-0x00007FF7766E1000-memory.dmp	xmrig
behavioral2/memory/4164-2014-0x00007FF735600000-0x00007FF7359F1000-memory.dmp	xmrig
behavioral2/memory/3944-2019-0x00007FF612720000-0x00007FF612B11000-memory.dmp	xmrig
behavioral2/memory/2348-2021-0x00007FF6A7A80000-0x00007FF6A7E71000-memory.dmp	xmrig
behavioral2/memory/4580-2016-0x00007FF7F9D60000-0x00007FF7FA151000-memory.dmp	xmrig
behavioral2/memory/3012-2012-0x00007FF6E9AB0000-0x00007FF6E9EA1000-memory.dmp	xmrig
behavioral2/memory/2160-2010-0x00007FF6B95E0000-0x00007FF6B99D1000-memory.dmp	xmrig
behavioral2/memory/3172-2003-0x00007FF6F4CE0000-0x00007FF6F50D1000-memory.dmp	xmrig
behavioral2/memory/1512-2001-0x00007FF665D80000-0x00007FF666171000-memory.dmp	xmrig
behavioral2/memory/4468-1999-0x00007FF678F30000-0x00007FF679321000-memory.dmp	xmrig
behavioral2/memory/3056-1997-0x00007FF71DE60000-0x00007FF71E251000-memory.dmp	xmrig
behavioral2/memory/2672-1990-0x00007FF641820000-0x00007FF641C11000-memory.dmp	xmrig
behavioral2/memory/1016-2005-0x00007FF6EEA30000-0x00007FF6EEE21000-memory.dmp	xmrig
behavioral2/memory/4984-1995-0x00007FF60BB40000-0x00007FF60BF31000-memory.dmp	xmrig
behavioral2/memory/1784-1988-0x00007FF7135B0000-0x00007FF7139A1000-memory.dmp	xmrig
behavioral2/memory/4000-1992-0x00007FF68DBC0000-0x00007FF68DFB1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1584	GJjKCIz.exe
4488	yaBlMpj.exe
2096	udiAdtn.exe
700	pFruFpl.exe
1832	reZTWPH.exe
2404	pBRLGOl.exe
4544	llVAiVC.exe
972	xIHxMev.exe
2980	MLNbZMg.exe
1784	lXiEjlS.exe
2672	PstkiUr.exe
4000	DAttFsN.exe
4164	BMdymrE.exe
3012	OBtaGJe.exe
3056	hauhcLY.exe
4984	YHLNiqk.exe
4580	cBVrGeT.exe
1016	azaHRnh.exe
3172	TphyFqM.exe
1512	rdbUyeZ.exe
4468	BrDiCkT.exe
2348	czNaEvA.exe
2160	HbpIqpw.exe
3944	cjEDDQl.exe
4636	ryutooS.exe
2928	pSRRtJm.exe
3112	btvlSUQ.exe
1552	BgoZRAI.exe
4464	hKZDwcf.exe
4308	sZbXcbq.exe
656	uZWCucU.exe
4032	bcTNFrx.exe
3988	QuFfmPE.exe
4768	elYGkal.exe
1588	WqRPueO.exe
428	DlpOVtB.exe
1952	RcKQXbE.exe
2940	xNfijVJ.exe
3168	RHYZbwf.exe
4352	PRhFAUQ.exe
3876	TTjAdku.exe
4808	KXNFEEz.exe
4384	KUrbvBo.exe
2796	cGvxkph.exe
4296	uYrZDaI.exe
3200	irRFeYv.exe
2216	oArcAWQ.exe
4452	NSbuDln.exe
4460	ZBsQvyS.exe
4520	TDKnEeR.exe
4864	NbihXab.exe
2524	BKIJQlQ.exe
1664	ewnBoNs.exe
1880	bSERSTC.exe
5032	cIIRwRi.exe
4276	jFEmHkT.exe
2932	aTbsnji.exe
4120	kFiPDpp.exe
1208	EZTZWjE.exe
4424	ekIwqkm.exe
3148	nvEJddR.exe
5048	VzLRjcE.exe
2828	lytFPXq.exe
3536	LHqNLZd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2012-0-0x00007FF6C3D70000-0x00007FF6C4161000-memory.dmp	upx
behavioral2/files/0x000c000000023b98-5.dat	upx
behavioral2/files/0x000a000000023ba0-9.dat	upx
behavioral2/memory/1584-10-0x00007FF71DE20000-0x00007FF71E211000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-11.dat	upx
behavioral2/memory/4488-17-0x00007FF7D5D80000-0x00007FF7D6171000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-31.dat	upx
behavioral2/files/0x000a000000023ba4-36.dat	upx
behavioral2/files/0x000a000000023ba5-43.dat	upx
behavioral2/files/0x000a000000023ba6-48.dat	upx
behavioral2/files/0x000a000000023ba8-56.dat	upx
behavioral2/files/0x000a000000023ba9-63.dat	upx
behavioral2/files/0x000a000000023bac-76.dat	upx
behavioral2/files/0x000a000000023baf-93.dat	upx
behavioral2/files/0x000a000000023bb4-116.dat	upx
behavioral2/files/0x000a000000023bb6-128.dat	upx
behavioral2/files/0x000a000000023bb9-141.dat	upx
behavioral2/files/0x000a000000023bbc-156.dat	upx
behavioral2/memory/2096-357-0x00007FF7B3FA0000-0x00007FF7B4391000-memory.dmp	upx
behavioral2/memory/1832-361-0x00007FF752260000-0x00007FF752651000-memory.dmp	upx
behavioral2/memory/4544-371-0x00007FF7762F0000-0x00007FF7766E1000-memory.dmp	upx
behavioral2/memory/2404-365-0x00007FF7B1490000-0x00007FF7B1881000-memory.dmp	upx
behavioral2/files/0x0031000000023bbd-163.dat	upx
behavioral2/files/0x000a000000023bbb-153.dat	upx
behavioral2/files/0x000a000000023bba-149.dat	upx
behavioral2/files/0x000a000000023bb8-139.dat	upx
behavioral2/files/0x000a000000023bb7-133.dat	upx
behavioral2/files/0x000a000000023bb5-123.dat	upx
behavioral2/files/0x000a000000023bb3-113.dat	upx
behavioral2/files/0x000a000000023bb2-109.dat	upx
behavioral2/files/0x000a000000023bb1-103.dat	upx
behavioral2/files/0x000a000000023bb0-99.dat	upx
behavioral2/files/0x000a000000023bae-88.dat	upx
behavioral2/files/0x000a000000023bad-84.dat	upx
behavioral2/files/0x000a000000023bab-73.dat	upx
behavioral2/files/0x000a000000023baa-69.dat	upx
behavioral2/files/0x000a000000023ba7-54.dat	upx
behavioral2/memory/972-380-0x00007FF645730000-0x00007FF645B21000-memory.dmp	upx
behavioral2/memory/2672-391-0x00007FF641820000-0x00007FF641C11000-memory.dmp	upx
behavioral2/memory/1784-389-0x00007FF7135B0000-0x00007FF7139A1000-memory.dmp	upx
behavioral2/memory/4000-395-0x00007FF68DBC0000-0x00007FF68DFB1000-memory.dmp	upx
behavioral2/memory/4164-398-0x00007FF735600000-0x00007FF7359F1000-memory.dmp	upx
behavioral2/memory/3012-404-0x00007FF6E9AB0000-0x00007FF6E9EA1000-memory.dmp	upx
behavioral2/memory/3056-405-0x00007FF71DE60000-0x00007FF71E251000-memory.dmp	upx
behavioral2/memory/4984-406-0x00007FF60BB40000-0x00007FF60BF31000-memory.dmp	upx
behavioral2/memory/4580-407-0x00007FF7F9D60000-0x00007FF7FA151000-memory.dmp	upx
behavioral2/memory/2980-382-0x00007FF7C3ED0000-0x00007FF7C42C1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-28.dat	upx
behavioral2/memory/3172-472-0x00007FF6F4CE0000-0x00007FF6F50D1000-memory.dmp	upx
behavioral2/memory/1512-480-0x00007FF665D80000-0x00007FF666171000-memory.dmp	upx
behavioral2/memory/1016-470-0x00007FF6EEA30000-0x00007FF6EEE21000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-23.dat	upx
behavioral2/memory/700-502-0x00007FF7F4A20000-0x00007FF7F4E11000-memory.dmp	upx
behavioral2/memory/3944-498-0x00007FF612720000-0x00007FF612B11000-memory.dmp	upx
behavioral2/memory/2160-495-0x00007FF6B95E0000-0x00007FF6B99D1000-memory.dmp	upx
behavioral2/memory/2348-492-0x00007FF6A7A80000-0x00007FF6A7E71000-memory.dmp	upx
behavioral2/memory/4468-487-0x00007FF678F30000-0x00007FF679321000-memory.dmp	upx
behavioral2/memory/2096-1948-0x00007FF7B3FA0000-0x00007FF7B4391000-memory.dmp	upx
behavioral2/memory/1584-1970-0x00007FF71DE20000-0x00007FF71E211000-memory.dmp	upx
behavioral2/memory/4488-1972-0x00007FF7D5D80000-0x00007FF7D6171000-memory.dmp	upx
behavioral2/memory/700-1978-0x00007FF7F4A20000-0x00007FF7F4E11000-memory.dmp	upx
behavioral2/memory/972-1984-0x00007FF645730000-0x00007FF645B21000-memory.dmp	upx
behavioral2/memory/2980-1986-0x00007FF7C3ED0000-0x00007FF7C42C1000-memory.dmp	upx
behavioral2/memory/1832-1976-0x00007FF752260000-0x00007FF752651000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\gOgnLUd.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\LHYmlXK.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\UAzVhQJ.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\XOkjNwW.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\HbpIqpw.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\ewnBoNs.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\wijYNHg.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\dxzDiUd.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\KWoWEzO.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\hUwiEzo.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\ZBsQvyS.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\jPlHfmm.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\jMbvrCP.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\ifHAFLb.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\yBUYWwY.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\RAoMGOd.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\VGKPzmR.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\JbUBJuh.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\JxZexlT.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\mKaZlFu.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\qmSliAm.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\NUNRXzH.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\GdNEdvr.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\kLPkvDy.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\YMhFwal.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\qnvJlZv.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\jnZaxQK.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\nhzMfQe.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\xMjIGOs.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\jFEmHkT.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\lytFPXq.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\fnmvtqd.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\viQXmjv.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\BrDiCkT.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\sZbXcbq.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\FIxPsFq.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\wKoHIjb.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\toijRTf.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\BVeqLcp.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\ZUKpOMb.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\MtxGgca.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\BiYyVtD.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\kxQthJU.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\lcnHduJ.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\Jyrtdvh.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\BxRFQrq.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\KoAtpqm.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\VBgUNmb.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\SyaIoQN.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\zicVfSb.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\ozNmnoz.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\ZDvWlGO.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\pXvgkHs.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\MKNjGoE.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\xiQAtsF.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\wtCWPsr.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\nPfJDUn.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\TWzTpmc.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\AuUKsrL.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\YenyTxc.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\SczBUyp.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\YsFHsZe.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\ucCcPVu.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
File created	C:\Windows\System32\nmKLbPb.exe	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13120	dwm.exe
Token: SeChangeNotifyPrivilege	13120	dwm.exe
Token: 33	13120	dwm.exe
Token: SeIncBasePriorityPrivilege	13120	dwm.exe
Token: SeShutdownPrivilege	13120	dwm.exe
Token: SeCreatePagefilePrivilege	13120	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1584	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	85
PID 2012 wrote to memory of 1584	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	85
PID 2012 wrote to memory of 4488	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	86
PID 2012 wrote to memory of 4488	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	86
PID 2012 wrote to memory of 2096	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	87
PID 2012 wrote to memory of 2096	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	87
PID 2012 wrote to memory of 700	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	88
PID 2012 wrote to memory of 700	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	88
PID 2012 wrote to memory of 1832	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	89
PID 2012 wrote to memory of 1832	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	89
PID 2012 wrote to memory of 2404	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	90
PID 2012 wrote to memory of 2404	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	90
PID 2012 wrote to memory of 4544	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	91
PID 2012 wrote to memory of 4544	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	91
PID 2012 wrote to memory of 972	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	92
PID 2012 wrote to memory of 972	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	92
PID 2012 wrote to memory of 2980	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	93
PID 2012 wrote to memory of 2980	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	93
PID 2012 wrote to memory of 1784	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	94
PID 2012 wrote to memory of 1784	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	94
PID 2012 wrote to memory of 2672	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	95
PID 2012 wrote to memory of 2672	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	95
PID 2012 wrote to memory of 4000	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	96
PID 2012 wrote to memory of 4000	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	96
PID 2012 wrote to memory of 4164	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	97
PID 2012 wrote to memory of 4164	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	97
PID 2012 wrote to memory of 3012	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	98
PID 2012 wrote to memory of 3012	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	98
PID 2012 wrote to memory of 3056	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	99
PID 2012 wrote to memory of 3056	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	99
PID 2012 wrote to memory of 4984	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	100
PID 2012 wrote to memory of 4984	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	100
PID 2012 wrote to memory of 4580	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	101
PID 2012 wrote to memory of 4580	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	101
PID 2012 wrote to memory of 1016	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	102
PID 2012 wrote to memory of 1016	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	102
PID 2012 wrote to memory of 3172	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	103
PID 2012 wrote to memory of 3172	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	103
PID 2012 wrote to memory of 1512	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	104
PID 2012 wrote to memory of 1512	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	104
PID 2012 wrote to memory of 4468	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	105
PID 2012 wrote to memory of 4468	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	105
PID 2012 wrote to memory of 2348	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	106
PID 2012 wrote to memory of 2348	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	106
PID 2012 wrote to memory of 2160	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	107
PID 2012 wrote to memory of 2160	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	107
PID 2012 wrote to memory of 3944	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	108
PID 2012 wrote to memory of 3944	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	108
PID 2012 wrote to memory of 4636	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	109
PID 2012 wrote to memory of 4636	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	109
PID 2012 wrote to memory of 2928	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	110
PID 2012 wrote to memory of 2928	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	110
PID 2012 wrote to memory of 3112	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	111
PID 2012 wrote to memory of 3112	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	111
PID 2012 wrote to memory of 1552	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	112
PID 2012 wrote to memory of 1552	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	112
PID 2012 wrote to memory of 4464	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	113
PID 2012 wrote to memory of 4464	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	113
PID 2012 wrote to memory of 4308	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	114
PID 2012 wrote to memory of 4308	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	114
PID 2012 wrote to memory of 656	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	115
PID 2012 wrote to memory of 656	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	115
PID 2012 wrote to memory of 4032	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	116
PID 2012 wrote to memory of 4032	2012	098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\098c1e6359e2c2df99bad6e673a1293a_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\GJjKCIz.exe
  C:\Windows\System32\GJjKCIz.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System32\yaBlMpj.exe
  C:\Windows\System32\yaBlMpj.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\udiAdtn.exe
  C:\Windows\System32\udiAdtn.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System32\pFruFpl.exe
  C:\Windows\System32\pFruFpl.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System32\reZTWPH.exe
  C:\Windows\System32\reZTWPH.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System32\pBRLGOl.exe
  C:\Windows\System32\pBRLGOl.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\llVAiVC.exe
  C:\Windows\System32\llVAiVC.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\xIHxMev.exe
  C:\Windows\System32\xIHxMev.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System32\MLNbZMg.exe
  C:\Windows\System32\MLNbZMg.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System32\lXiEjlS.exe
  C:\Windows\System32\lXiEjlS.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System32\PstkiUr.exe
  C:\Windows\System32\PstkiUr.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\DAttFsN.exe
  C:\Windows\System32\DAttFsN.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System32\BMdymrE.exe
  C:\Windows\System32\BMdymrE.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System32\OBtaGJe.exe
  C:\Windows\System32\OBtaGJe.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System32\hauhcLY.exe
  C:\Windows\System32\hauhcLY.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\YHLNiqk.exe
  C:\Windows\System32\YHLNiqk.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System32\cBVrGeT.exe
  C:\Windows\System32\cBVrGeT.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System32\azaHRnh.exe
  C:\Windows\System32\azaHRnh.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\TphyFqM.exe
  C:\Windows\System32\TphyFqM.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\rdbUyeZ.exe
  C:\Windows\System32\rdbUyeZ.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System32\BrDiCkT.exe
  C:\Windows\System32\BrDiCkT.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\czNaEvA.exe
  C:\Windows\System32\czNaEvA.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System32\HbpIqpw.exe
  C:\Windows\System32\HbpIqpw.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System32\cjEDDQl.exe
  C:\Windows\System32\cjEDDQl.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\ryutooS.exe
  C:\Windows\System32\ryutooS.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System32\pSRRtJm.exe
  C:\Windows\System32\pSRRtJm.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System32\btvlSUQ.exe
  C:\Windows\System32\btvlSUQ.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\BgoZRAI.exe
  C:\Windows\System32\BgoZRAI.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System32\hKZDwcf.exe
  C:\Windows\System32\hKZDwcf.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\sZbXcbq.exe
  C:\Windows\System32\sZbXcbq.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\uZWCucU.exe
  C:\Windows\System32\uZWCucU.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System32\bcTNFrx.exe
  C:\Windows\System32\bcTNFrx.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\QuFfmPE.exe
  C:\Windows\System32\QuFfmPE.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\elYGkal.exe
  C:\Windows\System32\elYGkal.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\WqRPueO.exe
  C:\Windows\System32\WqRPueO.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\DlpOVtB.exe
  C:\Windows\System32\DlpOVtB.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System32\RcKQXbE.exe
  C:\Windows\System32\RcKQXbE.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System32\xNfijVJ.exe
  C:\Windows\System32\xNfijVJ.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\RHYZbwf.exe
  C:\Windows\System32\RHYZbwf.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\PRhFAUQ.exe
  C:\Windows\System32\PRhFAUQ.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\TTjAdku.exe
  C:\Windows\System32\TTjAdku.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System32\KXNFEEz.exe
  C:\Windows\System32\KXNFEEz.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\KUrbvBo.exe
  C:\Windows\System32\KUrbvBo.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\cGvxkph.exe
  C:\Windows\System32\cGvxkph.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System32\uYrZDaI.exe
  C:\Windows\System32\uYrZDaI.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System32\irRFeYv.exe
  C:\Windows\System32\irRFeYv.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System32\oArcAWQ.exe
  C:\Windows\System32\oArcAWQ.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\NSbuDln.exe
  C:\Windows\System32\NSbuDln.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\ZBsQvyS.exe
  C:\Windows\System32\ZBsQvyS.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\TDKnEeR.exe
  C:\Windows\System32\TDKnEeR.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System32\NbihXab.exe
  C:\Windows\System32\NbihXab.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\BKIJQlQ.exe
  C:\Windows\System32\BKIJQlQ.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System32\ewnBoNs.exe
  C:\Windows\System32\ewnBoNs.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System32\bSERSTC.exe
  C:\Windows\System32\bSERSTC.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System32\cIIRwRi.exe
  C:\Windows\System32\cIIRwRi.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\jFEmHkT.exe
  C:\Windows\System32\jFEmHkT.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System32\aTbsnji.exe
  C:\Windows\System32\aTbsnji.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System32\kFiPDpp.exe
  C:\Windows\System32\kFiPDpp.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\EZTZWjE.exe
  C:\Windows\System32\EZTZWjE.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System32\ekIwqkm.exe
  C:\Windows\System32\ekIwqkm.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\nvEJddR.exe
  C:\Windows\System32\nvEJddR.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System32\VzLRjcE.exe
  C:\Windows\System32\VzLRjcE.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\lytFPXq.exe
  C:\Windows\System32\lytFPXq.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System32\LHqNLZd.exe
  C:\Windows\System32\LHqNLZd.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System32\srsoFES.exe
  C:\Windows\System32\srsoFES.exe
  2⤵
  PID:4236
- C:\Windows\System32\FLrtvUQ.exe
  C:\Windows\System32\FLrtvUQ.exe
  2⤵
  PID:3372
- C:\Windows\System32\FUgQzVb.exe
  C:\Windows\System32\FUgQzVb.exe
  2⤵
  PID:512
- C:\Windows\System32\PVMHUhy.exe
  C:\Windows\System32\PVMHUhy.exe
  2⤵
  PID:2424
- C:\Windows\System32\RjfDuLO.exe
  C:\Windows\System32\RjfDuLO.exe
  2⤵
  PID:684
- C:\Windows\System32\oExFQHx.exe
  C:\Windows\System32\oExFQHx.exe
  2⤵
  PID:4328
- C:\Windows\System32\anyyfhd.exe
  C:\Windows\System32\anyyfhd.exe
  2⤵
  PID:3388
- C:\Windows\System32\VzGyGJf.exe
  C:\Windows\System32\VzGyGJf.exe
  2⤵
  PID:3420
- C:\Windows\System32\aXLyWHF.exe
  C:\Windows\System32\aXLyWHF.exe
  2⤵
  PID:2148
- C:\Windows\System32\QgWFXom.exe
  C:\Windows\System32\QgWFXom.exe
  2⤵
  PID:2300
- C:\Windows\System32\KOhIirC.exe
  C:\Windows\System32\KOhIirC.exe
  2⤵
  PID:748
- C:\Windows\System32\zSMVlXQ.exe
  C:\Windows\System32\zSMVlXQ.exe
  2⤵
  PID:4284
- C:\Windows\System32\WKFTHuq.exe
  C:\Windows\System32\WKFTHuq.exe
  2⤵
  PID:3924
- C:\Windows\System32\BuWsjYf.exe
  C:\Windows\System32\BuWsjYf.exe
  2⤵
  PID:3128
- C:\Windows\System32\IkqVeIC.exe
  C:\Windows\System32\IkqVeIC.exe
  2⤵
  PID:3020
- C:\Windows\System32\rUkfMLJ.exe
  C:\Windows\System32\rUkfMLJ.exe
  2⤵
  PID:1736
- C:\Windows\System32\OYKnSan.exe
  C:\Windows\System32\OYKnSan.exe
  2⤵
  PID:940
- C:\Windows\System32\OblAksJ.exe
  C:\Windows\System32\OblAksJ.exe
  2⤵
  PID:1252
- C:\Windows\System32\UWCoyJk.exe
  C:\Windows\System32\UWCoyJk.exe
  2⤵
  PID:4980
- C:\Windows\System32\jIXgwwJ.exe
  C:\Windows\System32\jIXgwwJ.exe
  2⤵
  PID:3896
- C:\Windows\System32\GhtYKsb.exe
  C:\Windows\System32\GhtYKsb.exe
  2⤵
  PID:3608
- C:\Windows\System32\LHGyujK.exe
  C:\Windows\System32\LHGyujK.exe
  2⤵
  PID:3092
- C:\Windows\System32\NCMEpBG.exe
  C:\Windows\System32\NCMEpBG.exe
  2⤵
  PID:5144
- C:\Windows\System32\pVAsBVT.exe
  C:\Windows\System32\pVAsBVT.exe
  2⤵
  PID:5172
- C:\Windows\System32\XkCSjER.exe
  C:\Windows\System32\XkCSjER.exe
  2⤵
  PID:5196
- C:\Windows\System32\VjXXXcM.exe
  C:\Windows\System32\VjXXXcM.exe
  2⤵
  PID:5228
- C:\Windows\System32\csZxLzH.exe
  C:\Windows\System32\csZxLzH.exe
  2⤵
  PID:5252
- C:\Windows\System32\Ochgybx.exe
  C:\Windows\System32\Ochgybx.exe
  2⤵
  PID:5284
- C:\Windows\System32\ucCcPVu.exe
  C:\Windows\System32\ucCcPVu.exe
  2⤵
  PID:5312
- C:\Windows\System32\fnmvtqd.exe
  C:\Windows\System32\fnmvtqd.exe
  2⤵
  PID:5336
- C:\Windows\System32\ycbnkIE.exe
  C:\Windows\System32\ycbnkIE.exe
  2⤵
  PID:5368
- C:\Windows\System32\FLMGHKw.exe
  C:\Windows\System32\FLMGHKw.exe
  2⤵
  PID:5392
- C:\Windows\System32\okyWHos.exe
  C:\Windows\System32\okyWHos.exe
  2⤵
  PID:5424
- C:\Windows\System32\QjXoano.exe
  C:\Windows\System32\QjXoano.exe
  2⤵
  PID:5468
- C:\Windows\System32\baXhwMw.exe
  C:\Windows\System32\baXhwMw.exe
  2⤵
  PID:5484
- C:\Windows\System32\nmKLbPb.exe
  C:\Windows\System32\nmKLbPb.exe
  2⤵
  PID:5528
- C:\Windows\System32\uLzzEjI.exe
  C:\Windows\System32\uLzzEjI.exe
  2⤵
  PID:5552
- C:\Windows\System32\JYbVYfe.exe
  C:\Windows\System32\JYbVYfe.exe
  2⤵
  PID:5576
- C:\Windows\System32\ZPXRNDF.exe
  C:\Windows\System32\ZPXRNDF.exe
  2⤵
  PID:5600
- C:\Windows\System32\xKSgFdK.exe
  C:\Windows\System32\xKSgFdK.exe
  2⤵
  PID:5616
- C:\Windows\System32\FBPBrGF.exe
  C:\Windows\System32\FBPBrGF.exe
  2⤵
  PID:5632
- C:\Windows\System32\hbYBGLW.exe
  C:\Windows\System32\hbYBGLW.exe
  2⤵
  PID:5672
- C:\Windows\System32\ddeOwFc.exe
  C:\Windows\System32\ddeOwFc.exe
  2⤵
  PID:5736
- C:\Windows\System32\sGBcQjf.exe
  C:\Windows\System32\sGBcQjf.exe
  2⤵
  PID:5764
- C:\Windows\System32\pXvgkHs.exe
  C:\Windows\System32\pXvgkHs.exe
  2⤵
  PID:5812
- C:\Windows\System32\TuLVniL.exe
  C:\Windows\System32\TuLVniL.exe
  2⤵
  PID:5840
- C:\Windows\System32\pWjNZAT.exe
  C:\Windows\System32\pWjNZAT.exe
  2⤵
  PID:5888
- C:\Windows\System32\stOwePs.exe
  C:\Windows\System32\stOwePs.exe
  2⤵
  PID:5936
- C:\Windows\System32\IQuktqb.exe
  C:\Windows\System32\IQuktqb.exe
  2⤵
  PID:5960
- C:\Windows\System32\RALqzxX.exe
  C:\Windows\System32\RALqzxX.exe
  2⤵
  PID:5984
- C:\Windows\System32\IRsZOgN.exe
  C:\Windows\System32\IRsZOgN.exe
  2⤵
  PID:6016
- C:\Windows\System32\qRwJMQd.exe
  C:\Windows\System32\qRwJMQd.exe
  2⤵
  PID:6044
- C:\Windows\System32\KWsDNGk.exe
  C:\Windows\System32\KWsDNGk.exe
  2⤵
  PID:6072
- C:\Windows\System32\XyKprcB.exe
  C:\Windows\System32\XyKprcB.exe
  2⤵
  PID:6096
- C:\Windows\System32\hKJwrNO.exe
  C:\Windows\System32\hKJwrNO.exe
  2⤵
  PID:6128
- C:\Windows\System32\ylZoITb.exe
  C:\Windows\System32\ylZoITb.exe
  2⤵
  PID:764
- C:\Windows\System32\pDsPmCc.exe
  C:\Windows\System32\pDsPmCc.exe
  2⤵
  PID:1312
- C:\Windows\System32\zibMuvb.exe
  C:\Windows\System32\zibMuvb.exe
  2⤵
  PID:1340
- C:\Windows\System32\kqBpVhL.exe
  C:\Windows\System32\kqBpVhL.exe
  2⤵
  PID:3460
- C:\Windows\System32\CObNfbG.exe
  C:\Windows\System32\CObNfbG.exe
  2⤵
  PID:5160
- C:\Windows\System32\mSOMvAi.exe
  C:\Windows\System32\mSOMvAi.exe
  2⤵
  PID:5192
- C:\Windows\System32\bDHotqC.exe
  C:\Windows\System32\bDHotqC.exe
  2⤵
  PID:5076
- C:\Windows\System32\ZRJCUtz.exe
  C:\Windows\System32\ZRJCUtz.exe
  2⤵
  PID:5260
- C:\Windows\System32\NNhaGPC.exe
  C:\Windows\System32\NNhaGPC.exe
  2⤵
  PID:5292
- C:\Windows\System32\VBgUNmb.exe
  C:\Windows\System32\VBgUNmb.exe
  2⤵
  PID:3412
- C:\Windows\System32\Jyrtdvh.exe
  C:\Windows\System32\Jyrtdvh.exe
  2⤵
  PID:5352
- C:\Windows\System32\lWzwLID.exe
  C:\Windows\System32\lWzwLID.exe
  2⤵
  PID:1936
- C:\Windows\System32\kuUoRvE.exe
  C:\Windows\System32\kuUoRvE.exe
  2⤵
  PID:5384
- C:\Windows\System32\jFOBJDl.exe
  C:\Windows\System32\jFOBJDl.exe
  2⤵
  PID:5420
- C:\Windows\System32\NDxhHRj.exe
  C:\Windows\System32\NDxhHRj.exe
  2⤵
  PID:4780
- C:\Windows\System32\JJTYdvx.exe
  C:\Windows\System32\JJTYdvx.exe
  2⤵
  PID:5644
- C:\Windows\System32\GpLTuxP.exe
  C:\Windows\System32\GpLTuxP.exe
  2⤵
  PID:5712
- C:\Windows\System32\Mcsedsr.exe
  C:\Windows\System32\Mcsedsr.exe
  2⤵
  PID:5784
- C:\Windows\System32\DCrQFEk.exe
  C:\Windows\System32\DCrQFEk.exe
  2⤵
  PID:5828
- C:\Windows\System32\XyrWRXR.exe
  C:\Windows\System32\XyrWRXR.exe
  2⤵
  PID:740
- C:\Windows\System32\mgsjptN.exe
  C:\Windows\System32\mgsjptN.exe
  2⤵
  PID:5920
- C:\Windows\System32\XuisImb.exe
  C:\Windows\System32\XuisImb.exe
  2⤵
  PID:5944
- C:\Windows\System32\SiWTzAJ.exe
  C:\Windows\System32\SiWTzAJ.exe
  2⤵
  PID:6004
- C:\Windows\System32\CaOeFoK.exe
  C:\Windows\System32\CaOeFoK.exe
  2⤵
  PID:5016
- C:\Windows\System32\mKaZlFu.exe
  C:\Windows\System32\mKaZlFu.exe
  2⤵
  PID:5152
- C:\Windows\System32\eLHgtHi.exe
  C:\Windows\System32\eLHgtHi.exe
  2⤵
  PID:4608
- C:\Windows\System32\WGqYPZP.exe
  C:\Windows\System32\WGqYPZP.exe
  2⤵
  PID:1968
- C:\Windows\System32\CQNmthQ.exe
  C:\Windows\System32\CQNmthQ.exe
  2⤵
  PID:5400
- C:\Windows\System32\WwWNGAu.exe
  C:\Windows\System32\WwWNGAu.exe
  2⤵
  PID:5584
- C:\Windows\System32\XKRRdZT.exe
  C:\Windows\System32\XKRRdZT.exe
  2⤵
  PID:5780
- C:\Windows\System32\cHfLptu.exe
  C:\Windows\System32\cHfLptu.exe
  2⤵
  PID:5680
- C:\Windows\System32\ByjxMAZ.exe
  C:\Windows\System32\ByjxMAZ.exe
  2⤵
  PID:5756
- C:\Windows\System32\SunomPg.exe
  C:\Windows\System32\SunomPg.exe
  2⤵
  PID:6064
- C:\Windows\System32\RGxkLai.exe
  C:\Windows\System32\RGxkLai.exe
  2⤵
  PID:3028
- C:\Windows\System32\VGKPzmR.exe
  C:\Windows\System32\VGKPzmR.exe
  2⤵
  PID:2220
- C:\Windows\System32\pEehUKF.exe
  C:\Windows\System32\pEehUKF.exe
  2⤵
  PID:5456
- C:\Windows\System32\mgvgwxt.exe
  C:\Windows\System32\mgvgwxt.exe
  2⤵
  PID:5548
- C:\Windows\System32\YMhFwal.exe
  C:\Windows\System32\YMhFwal.exe
  2⤵
  PID:2400
- C:\Windows\System32\tKgQDIu.exe
  C:\Windows\System32\tKgQDIu.exe
  2⤵
  PID:5980
- C:\Windows\System32\LTkeLLa.exe
  C:\Windows\System32\LTkeLLa.exe
  2⤵
  PID:3916
- C:\Windows\System32\PYOzXlV.exe
  C:\Windows\System32\PYOzXlV.exe
  2⤵
  PID:5772
- C:\Windows\System32\ymqulDm.exe
  C:\Windows\System32\ymqulDm.exe
  2⤵
  PID:5512
- C:\Windows\System32\eULSTwv.exe
  C:\Windows\System32\eULSTwv.exe
  2⤵
  PID:6184
- C:\Windows\System32\dQzKDVi.exe
  C:\Windows\System32\dQzKDVi.exe
  2⤵
  PID:6208
- C:\Windows\System32\ROfySiC.exe
  C:\Windows\System32\ROfySiC.exe
  2⤵
  PID:6276
- C:\Windows\System32\BxRFQrq.exe
  C:\Windows\System32\BxRFQrq.exe
  2⤵
  PID:6292
- C:\Windows\System32\MzXdmCJ.exe
  C:\Windows\System32\MzXdmCJ.exe
  2⤵
  PID:6308
- C:\Windows\System32\gbpLQEx.exe
  C:\Windows\System32\gbpLQEx.exe
  2⤵
  PID:6336
- C:\Windows\System32\wkHqoTv.exe
  C:\Windows\System32\wkHqoTv.exe
  2⤵
  PID:6356
- C:\Windows\System32\qbSACyz.exe
  C:\Windows\System32\qbSACyz.exe
  2⤵
  PID:6380
- C:\Windows\System32\UhwcpvU.exe
  C:\Windows\System32\UhwcpvU.exe
  2⤵
  PID:6408
- C:\Windows\System32\eJDkIhi.exe
  C:\Windows\System32\eJDkIhi.exe
  2⤵
  PID:6428
- C:\Windows\System32\qaWNdsf.exe
  C:\Windows\System32\qaWNdsf.exe
  2⤵
  PID:6448
- C:\Windows\System32\kcWuwBX.exe
  C:\Windows\System32\kcWuwBX.exe
  2⤵
  PID:6480
- C:\Windows\System32\cACaAqd.exe
  C:\Windows\System32\cACaAqd.exe
  2⤵
  PID:6528
- C:\Windows\System32\Uxraulk.exe
  C:\Windows\System32\Uxraulk.exe
  2⤵
  PID:6548
- C:\Windows\System32\jvrlkIF.exe
  C:\Windows\System32\jvrlkIF.exe
  2⤵
  PID:6584
- C:\Windows\System32\igvOTpK.exe
  C:\Windows\System32\igvOTpK.exe
  2⤵
  PID:6624
- C:\Windows\System32\UspXAUL.exe
  C:\Windows\System32\UspXAUL.exe
  2⤵
  PID:6660
- C:\Windows\System32\xEjXpVK.exe
  C:\Windows\System32\xEjXpVK.exe
  2⤵
  PID:6684
- C:\Windows\System32\KUrztRj.exe
  C:\Windows\System32\KUrztRj.exe
  2⤵
  PID:6700
- C:\Windows\System32\wijYNHg.exe
  C:\Windows\System32\wijYNHg.exe
  2⤵
  PID:6728
- C:\Windows\System32\FemGhjS.exe
  C:\Windows\System32\FemGhjS.exe
  2⤵
  PID:6748
- C:\Windows\System32\xQVPCOc.exe
  C:\Windows\System32\xQVPCOc.exe
  2⤵
  PID:6764
- C:\Windows\System32\RbxKszC.exe
  C:\Windows\System32\RbxKszC.exe
  2⤵
  PID:6796
- C:\Windows\System32\uctgibj.exe
  C:\Windows\System32\uctgibj.exe
  2⤵
  PID:6816
- C:\Windows\System32\UQtIvOg.exe
  C:\Windows\System32\UQtIvOg.exe
  2⤵
  PID:6832
- C:\Windows\System32\yOAEbow.exe
  C:\Windows\System32\yOAEbow.exe
  2⤵
  PID:6880
- C:\Windows\System32\lUakVwZ.exe
  C:\Windows\System32\lUakVwZ.exe
  2⤵
  PID:6904
- C:\Windows\System32\OHqCDHL.exe
  C:\Windows\System32\OHqCDHL.exe
  2⤵
  PID:6960
- C:\Windows\System32\YgDgfTS.exe
  C:\Windows\System32\YgDgfTS.exe
  2⤵
  PID:6984
- C:\Windows\System32\IRedepl.exe
  C:\Windows\System32\IRedepl.exe
  2⤵
  PID:7008
- C:\Windows\System32\HJiyjSE.exe
  C:\Windows\System32\HJiyjSE.exe
  2⤵
  PID:7036
- C:\Windows\System32\JbUBJuh.exe
  C:\Windows\System32\JbUBJuh.exe
  2⤵
  PID:7052
- C:\Windows\System32\KoAtpqm.exe
  C:\Windows\System32\KoAtpqm.exe
  2⤵
  PID:7076
- C:\Windows\System32\llTaacW.exe
  C:\Windows\System32\llTaacW.exe
  2⤵
  PID:7108
- C:\Windows\System32\MKNjGoE.exe
  C:\Windows\System32\MKNjGoE.exe
  2⤵
  PID:7144
- C:\Windows\System32\pWDXeDw.exe
  C:\Windows\System32\pWDXeDw.exe
  2⤵
  PID:7160
- C:\Windows\System32\VTplLmD.exe
  C:\Windows\System32\VTplLmD.exe
  2⤵
  PID:6168
- C:\Windows\System32\cLHwgzz.exe
  C:\Windows\System32\cLHwgzz.exe
  2⤵
  PID:5588
- C:\Windows\System32\DMCCtgi.exe
  C:\Windows\System32\DMCCtgi.exe
  2⤵
  PID:6304
- C:\Windows\System32\sUNTIwb.exe
  C:\Windows\System32\sUNTIwb.exe
  2⤵
  PID:6420
- C:\Windows\System32\ijKjWAv.exe
  C:\Windows\System32\ijKjWAv.exe
  2⤵
  PID:6388
- C:\Windows\System32\DdKgejI.exe
  C:\Windows\System32\DdKgejI.exe
  2⤵
  PID:6496
- C:\Windows\System32\YenyTxc.exe
  C:\Windows\System32\YenyTxc.exe
  2⤵
  PID:6576
- C:\Windows\System32\hJlgLZI.exe
  C:\Windows\System32\hJlgLZI.exe
  2⤵
  PID:6596
- C:\Windows\System32\hXazNUi.exe
  C:\Windows\System32\hXazNUi.exe
  2⤵
  PID:5640
- C:\Windows\System32\LdhhVmA.exe
  C:\Windows\System32\LdhhVmA.exe
  2⤵
  PID:6692
- C:\Windows\System32\dLpxQeW.exe
  C:\Windows\System32\dLpxQeW.exe
  2⤵
  PID:6776
- C:\Windows\System32\ViYeCXV.exe
  C:\Windows\System32\ViYeCXV.exe
  2⤵
  PID:6848
- C:\Windows\System32\jPlHfmm.exe
  C:\Windows\System32\jPlHfmm.exe
  2⤵
  PID:6912
- C:\Windows\System32\gJRumFP.exe
  C:\Windows\System32\gJRumFP.exe
  2⤵
  PID:6996
- C:\Windows\System32\fbJThmy.exe
  C:\Windows\System32\fbJThmy.exe
  2⤵
  PID:7024
- C:\Windows\System32\tlSimeX.exe
  C:\Windows\System32\tlSimeX.exe
  2⤵
  PID:7048
- C:\Windows\System32\krcsFhH.exe
  C:\Windows\System32\krcsFhH.exe
  2⤵
  PID:7152
- C:\Windows\System32\cvFHowd.exe
  C:\Windows\System32\cvFHowd.exe
  2⤵
  PID:7156
- C:\Windows\System32\ruPbaIx.exe
  C:\Windows\System32\ruPbaIx.exe
  2⤵
  PID:5804
- C:\Windows\System32\VpUojGw.exe
  C:\Windows\System32\VpUojGw.exe
  2⤵
  PID:6216
- C:\Windows\System32\Rngnqdf.exe
  C:\Windows\System32\Rngnqdf.exe
  2⤵
  PID:6632
- C:\Windows\System32\DzEfPBm.exe
  C:\Windows\System32\DzEfPBm.exe
  2⤵
  PID:6928
- C:\Windows\System32\gNrxLGq.exe
  C:\Windows\System32\gNrxLGq.exe
  2⤵
  PID:7032
- C:\Windows\System32\KChlIfw.exe
  C:\Windows\System32\KChlIfw.exe
  2⤵
  PID:6172
- C:\Windows\System32\lMOuqbJ.exe
  C:\Windows\System32\lMOuqbJ.exe
  2⤵
  PID:5648
- C:\Windows\System32\YiAhzdF.exe
  C:\Windows\System32\YiAhzdF.exe
  2⤵
  PID:6544
- C:\Windows\System32\qnaquDz.exe
  C:\Windows\System32\qnaquDz.exe
  2⤵
  PID:6708
- C:\Windows\System32\qdyzoIV.exe
  C:\Windows\System32\qdyzoIV.exe
  2⤵
  PID:6192
- C:\Windows\System32\FiKyydq.exe
  C:\Windows\System32\FiKyydq.exe
  2⤵
  PID:6620
- C:\Windows\System32\wowSRHf.exe
  C:\Windows\System32\wowSRHf.exe
  2⤵
  PID:7124
- C:\Windows\System32\GSjtNkG.exe
  C:\Windows\System32\GSjtNkG.exe
  2⤵
  PID:7232
- C:\Windows\System32\cMZKzrx.exe
  C:\Windows\System32\cMZKzrx.exe
  2⤵
  PID:7296
- C:\Windows\System32\JqzifQi.exe
  C:\Windows\System32\JqzifQi.exe
  2⤵
  PID:7336
- C:\Windows\System32\tnPFjwG.exe
  C:\Windows\System32\tnPFjwG.exe
  2⤵
  PID:7360
- C:\Windows\System32\ERDLqcI.exe
  C:\Windows\System32\ERDLqcI.exe
  2⤵
  PID:7380
- C:\Windows\System32\NShrtFp.exe
  C:\Windows\System32\NShrtFp.exe
  2⤵
  PID:7404
- C:\Windows\System32\oxOSULn.exe
  C:\Windows\System32\oxOSULn.exe
  2⤵
  PID:7440
- C:\Windows\System32\LChZbFB.exe
  C:\Windows\System32\LChZbFB.exe
  2⤵
  PID:7464
- C:\Windows\System32\EmKmrfM.exe
  C:\Windows\System32\EmKmrfM.exe
  2⤵
  PID:7484
- C:\Windows\System32\dMlsGWZ.exe
  C:\Windows\System32\dMlsGWZ.exe
  2⤵
  PID:7512
- C:\Windows\System32\frntOwE.exe
  C:\Windows\System32\frntOwE.exe
  2⤵
  PID:7540
- C:\Windows\System32\ODyNgvW.exe
  C:\Windows\System32\ODyNgvW.exe
  2⤵
  PID:7560
- C:\Windows\System32\XfpeJeR.exe
  C:\Windows\System32\XfpeJeR.exe
  2⤵
  PID:7600
- C:\Windows\System32\qnvJlZv.exe
  C:\Windows\System32\qnvJlZv.exe
  2⤵
  PID:7620
- C:\Windows\System32\LGUzgjQ.exe
  C:\Windows\System32\LGUzgjQ.exe
  2⤵
  PID:7644
- C:\Windows\System32\ViQZpLE.exe
  C:\Windows\System32\ViQZpLE.exe
  2⤵
  PID:7664
- C:\Windows\System32\ZUKpOMb.exe
  C:\Windows\System32\ZUKpOMb.exe
  2⤵
  PID:7736
- C:\Windows\System32\CkHkLcb.exe
  C:\Windows\System32\CkHkLcb.exe
  2⤵
  PID:7784
- C:\Windows\System32\iHfdPoY.exe
  C:\Windows\System32\iHfdPoY.exe
  2⤵
  PID:7800
- C:\Windows\System32\LOhojek.exe
  C:\Windows\System32\LOhojek.exe
  2⤵
  PID:7816
- C:\Windows\System32\EbZPXeF.exe
  C:\Windows\System32\EbZPXeF.exe
  2⤵
  PID:7832
- C:\Windows\System32\mwuCKSp.exe
  C:\Windows\System32\mwuCKSp.exe
  2⤵
  PID:7852
- C:\Windows\System32\JASjPpZ.exe
  C:\Windows\System32\JASjPpZ.exe
  2⤵
  PID:7872
- C:\Windows\System32\AIdOMTS.exe
  C:\Windows\System32\AIdOMTS.exe
  2⤵
  PID:7892
- C:\Windows\System32\riFYgLQ.exe
  C:\Windows\System32\riFYgLQ.exe
  2⤵
  PID:7976
- C:\Windows\System32\OWPMGnY.exe
  C:\Windows\System32\OWPMGnY.exe
  2⤵
  PID:8000
- C:\Windows\System32\jorJSVD.exe
  C:\Windows\System32\jorJSVD.exe
  2⤵
  PID:8020
- C:\Windows\System32\GoOGgvF.exe
  C:\Windows\System32\GoOGgvF.exe
  2⤵
  PID:8056
- C:\Windows\System32\anBJPFd.exe
  C:\Windows\System32\anBJPFd.exe
  2⤵
  PID:8092
- C:\Windows\System32\fSviKwd.exe
  C:\Windows\System32\fSviKwd.exe
  2⤵
  PID:8112
- C:\Windows\System32\HvzrMtu.exe
  C:\Windows\System32\HvzrMtu.exe
  2⤵
  PID:8136
- C:\Windows\System32\SyaIoQN.exe
  C:\Windows\System32\SyaIoQN.exe
  2⤵
  PID:8160
- C:\Windows\System32\mHxvXrR.exe
  C:\Windows\System32\mHxvXrR.exe
  2⤵
  PID:6720
- C:\Windows\System32\AkqwrPq.exe
  C:\Windows\System32\AkqwrPq.exe
  2⤵
  PID:6932
- C:\Windows\System32\gOgnLUd.exe
  C:\Windows\System32\gOgnLUd.exe
  2⤵
  PID:7284
- C:\Windows\System32\UqHNwlL.exe
  C:\Windows\System32\UqHNwlL.exe
  2⤵
  PID:7308
- C:\Windows\System32\puyJuAd.exe
  C:\Windows\System32\puyJuAd.exe
  2⤵
  PID:7344
- C:\Windows\System32\GlKBjil.exe
  C:\Windows\System32\GlKBjil.exe
  2⤵
  PID:7448
- C:\Windows\System32\SKmxaEN.exe
  C:\Windows\System32\SKmxaEN.exe
  2⤵
  PID:7480
- C:\Windows\System32\tloBbXW.exe
  C:\Windows\System32\tloBbXW.exe
  2⤵
  PID:7584
- C:\Windows\System32\xFVRtmU.exe
  C:\Windows\System32\xFVRtmU.exe
  2⤵
  PID:7660
- C:\Windows\System32\ommbRYk.exe
  C:\Windows\System32\ommbRYk.exe
  2⤵
  PID:7796
- C:\Windows\System32\YjVcbRc.exe
  C:\Windows\System32\YjVcbRc.exe
  2⤵
  PID:7864
- C:\Windows\System32\arEYVxT.exe
  C:\Windows\System32\arEYVxT.exe
  2⤵
  PID:7848
- C:\Windows\System32\qmSliAm.exe
  C:\Windows\System32\qmSliAm.exe
  2⤵
  PID:7948
- C:\Windows\System32\jWpVfEz.exe
  C:\Windows\System32\jWpVfEz.exe
  2⤵
  PID:8044
- C:\Windows\System32\ECWJDXU.exe
  C:\Windows\System32\ECWJDXU.exe
  2⤵
  PID:8104
- C:\Windows\System32\AAOVSwi.exe
  C:\Windows\System32\AAOVSwi.exe
  2⤵
  PID:6516
- C:\Windows\System32\LHYmlXK.exe
  C:\Windows\System32\LHYmlXK.exe
  2⤵
  PID:7312
- C:\Windows\System32\HjZFmHu.exe
  C:\Windows\System32\HjZFmHu.exe
  2⤵
  PID:7436
- C:\Windows\System32\WwYzejq.exe
  C:\Windows\System32\WwYzejq.exe
  2⤵
  PID:7508
- C:\Windows\System32\hzvuNnD.exe
  C:\Windows\System32\hzvuNnD.exe
  2⤵
  PID:7724
- C:\Windows\System32\xrFKzOi.exe
  C:\Windows\System32\xrFKzOi.exe
  2⤵
  PID:7844
- C:\Windows\System32\NLTUzoQ.exe
  C:\Windows\System32\NLTUzoQ.exe
  2⤵
  PID:7984
- C:\Windows\System32\nPfJDUn.exe
  C:\Windows\System32\nPfJDUn.exe
  2⤵
  PID:8148
- C:\Windows\System32\GwTxdMb.exe
  C:\Windows\System32\GwTxdMb.exe
  2⤵
  PID:7176
- C:\Windows\System32\BNQTWgx.exe
  C:\Windows\System32\BNQTWgx.exe
  2⤵
  PID:7456
- C:\Windows\System32\ImfriZy.exe
  C:\Windows\System32\ImfriZy.exe
  2⤵
  PID:7612
- C:\Windows\System32\YnXSBpZ.exe
  C:\Windows\System32\YnXSBpZ.exe
  2⤵
  PID:8200
- C:\Windows\System32\bKkmHsV.exe
  C:\Windows\System32\bKkmHsV.exe
  2⤵
  PID:8216
- C:\Windows\System32\JYMlDao.exe
  C:\Windows\System32\JYMlDao.exe
  2⤵
  PID:8236
- C:\Windows\System32\WPZWfrW.exe
  C:\Windows\System32\WPZWfrW.exe
  2⤵
  PID:8268
- C:\Windows\System32\BPKSVaw.exe
  C:\Windows\System32\BPKSVaw.exe
  2⤵
  PID:8284
- C:\Windows\System32\PXjlmJU.exe
  C:\Windows\System32\PXjlmJU.exe
  2⤵
  PID:8300
- C:\Windows\System32\KLCiFks.exe
  C:\Windows\System32\KLCiFks.exe
  2⤵
  PID:8320
- C:\Windows\System32\DSWPhjr.exe
  C:\Windows\System32\DSWPhjr.exe
  2⤵
  PID:8340
- C:\Windows\System32\VKqESXE.exe
  C:\Windows\System32\VKqESXE.exe
  2⤵
  PID:8360
- C:\Windows\System32\hvNhSZo.exe
  C:\Windows\System32\hvNhSZo.exe
  2⤵
  PID:8380
- C:\Windows\System32\Yckfzep.exe
  C:\Windows\System32\Yckfzep.exe
  2⤵
  PID:8460
- C:\Windows\System32\TdgAtOe.exe
  C:\Windows\System32\TdgAtOe.exe
  2⤵
  PID:8488
- C:\Windows\System32\dbJcRPE.exe
  C:\Windows\System32\dbJcRPE.exe
  2⤵
  PID:8516
- C:\Windows\System32\JxZexlT.exe
  C:\Windows\System32\JxZexlT.exe
  2⤵
  PID:8544
- C:\Windows\System32\jvDcZHj.exe
  C:\Windows\System32\jvDcZHj.exe
  2⤵
  PID:8564
- C:\Windows\System32\Gerwnbc.exe
  C:\Windows\System32\Gerwnbc.exe
  2⤵
  PID:8596
- C:\Windows\System32\oZwVwNZ.exe
  C:\Windows\System32\oZwVwNZ.exe
  2⤵
  PID:8620
- C:\Windows\System32\fmhdzMO.exe
  C:\Windows\System32\fmhdzMO.exe
  2⤵
  PID:8640
- C:\Windows\System32\MkxdYwl.exe
  C:\Windows\System32\MkxdYwl.exe
  2⤵
  PID:8716
- C:\Windows\System32\xiQAtsF.exe
  C:\Windows\System32\xiQAtsF.exe
  2⤵
  PID:8756
- C:\Windows\System32\vOOPPeo.exe
  C:\Windows\System32\vOOPPeo.exe
  2⤵
  PID:8772
- C:\Windows\System32\naXWZRI.exe
  C:\Windows\System32\naXWZRI.exe
  2⤵
  PID:8804
- C:\Windows\System32\CosNBeY.exe
  C:\Windows\System32\CosNBeY.exe
  2⤵
  PID:8852
- C:\Windows\System32\FIxPsFq.exe
  C:\Windows\System32\FIxPsFq.exe
  2⤵
  PID:8888
- C:\Windows\System32\ifHAFLb.exe
  C:\Windows\System32\ifHAFLb.exe
  2⤵
  PID:8912
- C:\Windows\System32\soJyzkV.exe
  C:\Windows\System32\soJyzkV.exe
  2⤵
  PID:8936
- C:\Windows\System32\hpsXwmQ.exe
  C:\Windows\System32\hpsXwmQ.exe
  2⤵
  PID:8968
- C:\Windows\System32\BFvBLPn.exe
  C:\Windows\System32\BFvBLPn.exe
  2⤵
  PID:9000
- C:\Windows\System32\rLHpSsy.exe
  C:\Windows\System32\rLHpSsy.exe
  2⤵
  PID:9028
- C:\Windows\System32\jMbvrCP.exe
  C:\Windows\System32\jMbvrCP.exe
  2⤵
  PID:9048
- C:\Windows\System32\nhzMfQe.exe
  C:\Windows\System32\nhzMfQe.exe
  2⤵
  PID:9068
- C:\Windows\System32\AXZcUGk.exe
  C:\Windows\System32\AXZcUGk.exe
  2⤵
  PID:9084
- C:\Windows\System32\uFGSSyX.exe
  C:\Windows\System32\uFGSSyX.exe
  2⤵
  PID:9100
- C:\Windows\System32\ikaXSHK.exe
  C:\Windows\System32\ikaXSHK.exe
  2⤵
  PID:9140
- C:\Windows\System32\SzKfWke.exe
  C:\Windows\System32\SzKfWke.exe
  2⤵
  PID:9168
- C:\Windows\System32\jEDBnIv.exe
  C:\Windows\System32\jEDBnIv.exe
  2⤵
  PID:7692
- C:\Windows\System32\dZQsBAm.exe
  C:\Windows\System32\dZQsBAm.exe
  2⤵
  PID:7828
- C:\Windows\System32\AmGJgQg.exe
  C:\Windows\System32\AmGJgQg.exe
  2⤵
  PID:8256
- C:\Windows\System32\bDAASEY.exe
  C:\Windows\System32\bDAASEY.exe
  2⤵
  PID:8296
- C:\Windows\System32\khaQpjw.exe
  C:\Windows\System32\khaQpjw.exe
  2⤵
  PID:8440
- C:\Windows\System32\tGXmYFY.exe
  C:\Windows\System32\tGXmYFY.exe
  2⤵
  PID:8368
- C:\Windows\System32\MweYMaF.exe
  C:\Windows\System32\MweYMaF.exe
  2⤵
  PID:8436
- C:\Windows\System32\MOkjKrz.exe
  C:\Windows\System32\MOkjKrz.exe
  2⤵
  PID:8500
- C:\Windows\System32\ANyNTps.exe
  C:\Windows\System32\ANyNTps.exe
  2⤵
  PID:8648
- C:\Windows\System32\jnZaxQK.exe
  C:\Windows\System32\jnZaxQK.exe
  2⤵
  PID:8732
- C:\Windows\System32\nzHIBHo.exe
  C:\Windows\System32\nzHIBHo.exe
  2⤵
  PID:8788
- C:\Windows\System32\Mvjivye.exe
  C:\Windows\System32\Mvjivye.exe
  2⤵
  PID:8812
- C:\Windows\System32\jcoptcs.exe
  C:\Windows\System32\jcoptcs.exe
  2⤵
  PID:8904
- C:\Windows\System32\lwECykT.exe
  C:\Windows\System32\lwECykT.exe
  2⤵
  PID:8944
- C:\Windows\System32\surpqDE.exe
  C:\Windows\System32\surpqDE.exe
  2⤵
  PID:9056
- C:\Windows\System32\GLNcWqC.exe
  C:\Windows\System32\GLNcWqC.exe
  2⤵
  PID:9132
- C:\Windows\System32\MtxGgca.exe
  C:\Windows\System32\MtxGgca.exe
  2⤵
  PID:9092
- C:\Windows\System32\urkOtoy.exe
  C:\Windows\System32\urkOtoy.exe
  2⤵
  PID:9180
- C:\Windows\System32\zFmQZAZ.exe
  C:\Windows\System32\zFmQZAZ.exe
  2⤵
  PID:8124
- C:\Windows\System32\OyDOtBd.exe
  C:\Windows\System32\OyDOtBd.exe
  2⤵
  PID:8476
- C:\Windows\System32\CGGgwBA.exe
  C:\Windows\System32\CGGgwBA.exe
  2⤵
  PID:8524
- C:\Windows\System32\XInAnwj.exe
  C:\Windows\System32\XInAnwj.exe
  2⤵
  PID:8696
- C:\Windows\System32\NvYDOgL.exe
  C:\Windows\System32\NvYDOgL.exe
  2⤵
  PID:8176
- C:\Windows\System32\wKoHIjb.exe
  C:\Windows\System32\wKoHIjb.exe
  2⤵
  PID:9012
- C:\Windows\System32\KiVGxUa.exe
  C:\Windows\System32\KiVGxUa.exe
  2⤵
  PID:9160
- C:\Windows\System32\BszvEfw.exe
  C:\Windows\System32\BszvEfw.exe
  2⤵
  PID:8336
- C:\Windows\System32\tfFVZPs.exe
  C:\Windows\System32\tfFVZPs.exe
  2⤵
  PID:8332
- C:\Windows\System32\pukDJkx.exe
  C:\Windows\System32\pukDJkx.exe
  2⤵
  PID:8860
- C:\Windows\System32\swiRrWI.exe
  C:\Windows\System32\swiRrWI.exe
  2⤵
  PID:9320
- C:\Windows\System32\BiYyVtD.exe
  C:\Windows\System32\BiYyVtD.exe
  2⤵
  PID:9336
- C:\Windows\System32\sWjYodX.exe
  C:\Windows\System32\sWjYodX.exe
  2⤵
  PID:9352
- C:\Windows\System32\JoLjQFU.exe
  C:\Windows\System32\JoLjQFU.exe
  2⤵
  PID:9368
- C:\Windows\System32\gCYBqEE.exe
  C:\Windows\System32\gCYBqEE.exe
  2⤵
  PID:9384
- C:\Windows\System32\lJfFRvp.exe
  C:\Windows\System32\lJfFRvp.exe
  2⤵
  PID:9400
- C:\Windows\System32\vHEXGzd.exe
  C:\Windows\System32\vHEXGzd.exe
  2⤵
  PID:9416
- C:\Windows\System32\wcSLRek.exe
  C:\Windows\System32\wcSLRek.exe
  2⤵
  PID:9432
- C:\Windows\System32\wiZetTp.exe
  C:\Windows\System32\wiZetTp.exe
  2⤵
  PID:9448
- C:\Windows\System32\UtUApRs.exe
  C:\Windows\System32\UtUApRs.exe
  2⤵
  PID:9464
- C:\Windows\System32\oUOmvow.exe
  C:\Windows\System32\oUOmvow.exe
  2⤵
  PID:9480
- C:\Windows\System32\dxzDiUd.exe
  C:\Windows\System32\dxzDiUd.exe
  2⤵
  PID:9496
- C:\Windows\System32\MXOWKtA.exe
  C:\Windows\System32\MXOWKtA.exe
  2⤵
  PID:9512
- C:\Windows\System32\ePGcdzG.exe
  C:\Windows\System32\ePGcdzG.exe
  2⤵
  PID:9528
- C:\Windows\System32\PzHVZtF.exe
  C:\Windows\System32\PzHVZtF.exe
  2⤵
  PID:9544
- C:\Windows\System32\mXzEUiQ.exe
  C:\Windows\System32\mXzEUiQ.exe
  2⤵
  PID:9560
- C:\Windows\System32\nuCczJC.exe
  C:\Windows\System32\nuCczJC.exe
  2⤵
  PID:9576
- C:\Windows\System32\NUNRXzH.exe
  C:\Windows\System32\NUNRXzH.exe
  2⤵
  PID:9592
- C:\Windows\System32\mobyajU.exe
  C:\Windows\System32\mobyajU.exe
  2⤵
  PID:9608
- C:\Windows\System32\xMjIGOs.exe
  C:\Windows\System32\xMjIGOs.exe
  2⤵
  PID:9624
- C:\Windows\System32\zaTxRBh.exe
  C:\Windows\System32\zaTxRBh.exe
  2⤵
  PID:9640
- C:\Windows\System32\boleRhn.exe
  C:\Windows\System32\boleRhn.exe
  2⤵
  PID:9656
- C:\Windows\System32\hEvqDrt.exe
  C:\Windows\System32\hEvqDrt.exe
  2⤵
  PID:9672
- C:\Windows\System32\OLDGvxX.exe
  C:\Windows\System32\OLDGvxX.exe
  2⤵
  PID:9688
- C:\Windows\System32\IzwdMeB.exe
  C:\Windows\System32\IzwdMeB.exe
  2⤵
  PID:9704
- C:\Windows\System32\EsCRBYt.exe
  C:\Windows\System32\EsCRBYt.exe
  2⤵
  PID:9720
- C:\Windows\System32\rLQxxcD.exe
  C:\Windows\System32\rLQxxcD.exe
  2⤵
  PID:9736
- C:\Windows\System32\uCAiACm.exe
  C:\Windows\System32\uCAiACm.exe
  2⤵
  PID:9756
- C:\Windows\System32\eCzKtPo.exe
  C:\Windows\System32\eCzKtPo.exe
  2⤵
  PID:9772
- C:\Windows\System32\ZgXfEPq.exe
  C:\Windows\System32\ZgXfEPq.exe
  2⤵
  PID:9820
- C:\Windows\System32\TWzTpmc.exe
  C:\Windows\System32\TWzTpmc.exe
  2⤵
  PID:10036
- C:\Windows\System32\aXFOjMV.exe
  C:\Windows\System32\aXFOjMV.exe
  2⤵
  PID:10220
- C:\Windows\System32\NKyXkuc.exe
  C:\Windows\System32\NKyXkuc.exe
  2⤵
  PID:8780
- C:\Windows\System32\bKZeelk.exe
  C:\Windows\System32\bKZeelk.exe
  2⤵
  PID:9312
- C:\Windows\System32\VrtpGGZ.exe
  C:\Windows\System32\VrtpGGZ.exe
  2⤵
  PID:8924
- C:\Windows\System32\SWwgEPG.exe
  C:\Windows\System32\SWwgEPG.exe
  2⤵
  PID:9364
- C:\Windows\System32\jHRyprG.exe
  C:\Windows\System32\jHRyprG.exe
  2⤵
  PID:9412
- C:\Windows\System32\IUXtRfO.exe
  C:\Windows\System32\IUXtRfO.exe
  2⤵
  PID:9240
- C:\Windows\System32\CYPNrcb.exe
  C:\Windows\System32\CYPNrcb.exe
  2⤵
  PID:9252
- C:\Windows\System32\vITKMzg.exe
  C:\Windows\System32\vITKMzg.exe
  2⤵
  PID:9524
- C:\Windows\System32\xQYvHsp.exe
  C:\Windows\System32\xQYvHsp.exe
  2⤵
  PID:9552
- C:\Windows\System32\pxOySkx.exe
  C:\Windows\System32\pxOySkx.exe
  2⤵
  PID:9616
- C:\Windows\System32\eWtTMwA.exe
  C:\Windows\System32\eWtTMwA.exe
  2⤵
  PID:9728
- C:\Windows\System32\TYUcEPm.exe
  C:\Windows\System32\TYUcEPm.exe
  2⤵
  PID:9472
- C:\Windows\System32\POqlQjN.exe
  C:\Windows\System32\POqlQjN.exe
  2⤵
  PID:9276
- C:\Windows\System32\saQeKAj.exe
  C:\Windows\System32\saQeKAj.exe
  2⤵
  PID:9292
- C:\Windows\System32\JcHPvHy.exe
  C:\Windows\System32\JcHPvHy.exe
  2⤵
  PID:9668
- C:\Windows\System32\lmFleEF.exe
  C:\Windows\System32\lmFleEF.exe
  2⤵
  PID:9952
- C:\Windows\System32\LtMyYbE.exe
  C:\Windows\System32\LtMyYbE.exe
  2⤵
  PID:9892
- C:\Windows\System32\wdryJRB.exe
  C:\Windows\System32\wdryJRB.exe
  2⤵
  PID:10016
- C:\Windows\System32\FpVGjfD.exe
  C:\Windows\System32\FpVGjfD.exe
  2⤵
  PID:10212
- C:\Windows\System32\MaCqSsR.exe
  C:\Windows\System32\MaCqSsR.exe
  2⤵
  PID:7352
- C:\Windows\System32\nRIHiSj.exe
  C:\Windows\System32\nRIHiSj.exe
  2⤵
  PID:9264
- C:\Windows\System32\RWUSGJn.exe
  C:\Windows\System32\RWUSGJn.exe
  2⤵
  PID:9332
- C:\Windows\System32\QcTivAX.exe
  C:\Windows\System32\QcTivAX.exe
  2⤵
  PID:9236
- C:\Windows\System32\jCZgWKR.exe
  C:\Windows\System32\jCZgWKR.exe
  2⤵
  PID:9584
- C:\Windows\System32\yjkKNCv.exe
  C:\Windows\System32\yjkKNCv.exe
  2⤵
  PID:9764
- C:\Windows\System32\SlHlMSN.exe
  C:\Windows\System32\SlHlMSN.exe
  2⤵
  PID:9300
- C:\Windows\System32\MgBwUDV.exe
  C:\Windows\System32\MgBwUDV.exe
  2⤵
  PID:9980
- C:\Windows\System32\LQlAPZf.exe
  C:\Windows\System32\LQlAPZf.exe
  2⤵
  PID:9268
- C:\Windows\System32\nhPZLbV.exe
  C:\Windows\System32\nhPZLbV.exe
  2⤵
  PID:8676
- C:\Windows\System32\vwWMyCc.exe
  C:\Windows\System32\vwWMyCc.exe
  2⤵
  PID:9796
- C:\Windows\System32\pZYlNuJ.exe
  C:\Windows\System32\pZYlNuJ.exe
  2⤵
  PID:9928
- C:\Windows\System32\viQXmjv.exe
  C:\Windows\System32\viQXmjv.exe
  2⤵
  PID:9440
- C:\Windows\System32\oFgaHom.exe
  C:\Windows\System32\oFgaHom.exe
  2⤵
  PID:9220
- C:\Windows\System32\GdNEdvr.exe
  C:\Windows\System32\GdNEdvr.exe
  2⤵
  PID:10248
- C:\Windows\System32\AtDbmtv.exe
  C:\Windows\System32\AtDbmtv.exe
  2⤵
  PID:10264
- C:\Windows\System32\yBUYWwY.exe
  C:\Windows\System32\yBUYWwY.exe
  2⤵
  PID:10332
- C:\Windows\System32\UonajcV.exe
  C:\Windows\System32\UonajcV.exe
  2⤵
  PID:10356
- C:\Windows\System32\mmOrdUf.exe
  C:\Windows\System32\mmOrdUf.exe
  2⤵
  PID:10372
- C:\Windows\System32\AiDFkpl.exe
  C:\Windows\System32\AiDFkpl.exe
  2⤵
  PID:10400
- C:\Windows\System32\BFpqfiR.exe
  C:\Windows\System32\BFpqfiR.exe
  2⤵
  PID:10440
- C:\Windows\System32\oEeFrYm.exe
  C:\Windows\System32\oEeFrYm.exe
  2⤵
  PID:10476
- C:\Windows\System32\ZtHkdxu.exe
  C:\Windows\System32\ZtHkdxu.exe
  2⤵
  PID:10492
- C:\Windows\System32\JsTXYKy.exe
  C:\Windows\System32\JsTXYKy.exe
  2⤵
  PID:10516
- C:\Windows\System32\SczBUyp.exe
  C:\Windows\System32\SczBUyp.exe
  2⤵
  PID:10532
- C:\Windows\System32\zicVfSb.exe
  C:\Windows\System32\zicVfSb.exe
  2⤵
  PID:10560
- C:\Windows\System32\PxgMMDP.exe
  C:\Windows\System32\PxgMMDP.exe
  2⤵
  PID:10584
- C:\Windows\System32\GDWkfey.exe
  C:\Windows\System32\GDWkfey.exe
  2⤵
  PID:10604
- C:\Windows\System32\DQeVzbC.exe
  C:\Windows\System32\DQeVzbC.exe
  2⤵
  PID:10624
- C:\Windows\System32\toijRTf.exe
  C:\Windows\System32\toijRTf.exe
  2⤵
  PID:10668
- C:\Windows\System32\DfODDzf.exe
  C:\Windows\System32\DfODDzf.exe
  2⤵
  PID:10692
- C:\Windows\System32\ADthSwz.exe
  C:\Windows\System32\ADthSwz.exe
  2⤵
  PID:10724
- C:\Windows\System32\HSiFCkc.exe
  C:\Windows\System32\HSiFCkc.exe
  2⤵
  PID:10768
- C:\Windows\System32\rWHHhwv.exe
  C:\Windows\System32\rWHHhwv.exe
  2⤵
  PID:10808
- C:\Windows\System32\IdxfdVK.exe
  C:\Windows\System32\IdxfdVK.exe
  2⤵
  PID:10824
- C:\Windows\System32\oRxWcxR.exe
  C:\Windows\System32\oRxWcxR.exe
  2⤵
  PID:10860
- C:\Windows\System32\tbwIPXY.exe
  C:\Windows\System32\tbwIPXY.exe
  2⤵
  PID:10880
- C:\Windows\System32\AfNmioH.exe
  C:\Windows\System32\AfNmioH.exe
  2⤵
  PID:10904
- C:\Windows\System32\JQVTJUY.exe
  C:\Windows\System32\JQVTJUY.exe
  2⤵
  PID:10948
- C:\Windows\System32\VtTxTOE.exe
  C:\Windows\System32\VtTxTOE.exe
  2⤵
  PID:10976
- C:\Windows\System32\zQOtueo.exe
  C:\Windows\System32\zQOtueo.exe
  2⤵
  PID:10996
- C:\Windows\System32\mzWznYS.exe
  C:\Windows\System32\mzWznYS.exe
  2⤵
  PID:11020
- C:\Windows\System32\QWgzgGm.exe
  C:\Windows\System32\QWgzgGm.exe
  2⤵
  PID:11040
- C:\Windows\System32\vOhHFFw.exe
  C:\Windows\System32\vOhHFFw.exe
  2⤵
  PID:11060
- C:\Windows\System32\MafpAdi.exe
  C:\Windows\System32\MafpAdi.exe
  2⤵
  PID:11080
- C:\Windows\System32\goMefJL.exe
  C:\Windows\System32\goMefJL.exe
  2⤵
  PID:11108
- C:\Windows\System32\iLPaHmW.exe
  C:\Windows\System32\iLPaHmW.exe
  2⤵
  PID:11164
- C:\Windows\System32\jrYlOae.exe
  C:\Windows\System32\jrYlOae.exe
  2⤵
  PID:11196
- C:\Windows\System32\zmnNguC.exe
  C:\Windows\System32\zmnNguC.exe
  2⤵
  PID:11212
- C:\Windows\System32\ZykzcDf.exe
  C:\Windows\System32\ZykzcDf.exe
  2⤵
  PID:11228
- C:\Windows\System32\XSuUYbN.exe
  C:\Windows\System32\XSuUYbN.exe
  2⤵
  PID:11248
- C:\Windows\System32\lXioAIt.exe
  C:\Windows\System32\lXioAIt.exe
  2⤵
  PID:9864
- C:\Windows\System32\FxaOEML.exe
  C:\Windows\System32\FxaOEML.exe
  2⤵
  PID:10364
- C:\Windows\System32\CZvFTUW.exe
  C:\Windows\System32\CZvFTUW.exe
  2⤵
  PID:10424
- C:\Windows\System32\MlonIVH.exe
  C:\Windows\System32\MlonIVH.exe
  2⤵
  PID:10484
- C:\Windows\System32\mFEfuJw.exe
  C:\Windows\System32\mFEfuJw.exe
  2⤵
  PID:10612
- C:\Windows\System32\vsZMWzj.exe
  C:\Windows\System32\vsZMWzj.exe
  2⤵
  PID:10620
- C:\Windows\System32\eTyjaDP.exe
  C:\Windows\System32\eTyjaDP.exe
  2⤵
  PID:10720
- C:\Windows\System32\yUOxmok.exe
  C:\Windows\System32\yUOxmok.exe
  2⤵
  PID:10792
- C:\Windows\System32\ozNmnoz.exe
  C:\Windows\System32\ozNmnoz.exe
  2⤵
  PID:10820
- C:\Windows\System32\WlqQegr.exe
  C:\Windows\System32\WlqQegr.exe
  2⤵
  PID:10876
- C:\Windows\System32\zEFiOPH.exe
  C:\Windows\System32\zEFiOPH.exe
  2⤵
  PID:10992
- C:\Windows\System32\mCFmtBT.exe
  C:\Windows\System32\mCFmtBT.exe
  2⤵
  PID:10188
- C:\Windows\System32\kUDpVxf.exe
  C:\Windows\System32\kUDpVxf.exe
  2⤵
  PID:11048
- C:\Windows\System32\WDUIjGg.exe
  C:\Windows\System32\WDUIjGg.exe
  2⤵
  PID:11176
- C:\Windows\System32\ckMKdyV.exe
  C:\Windows\System32\ckMKdyV.exe
  2⤵
  PID:11172
- C:\Windows\System32\JExeJXY.exe
  C:\Windows\System32\JExeJXY.exe
  2⤵
  PID:10304
- C:\Windows\System32\pOhuDtB.exe
  C:\Windows\System32\pOhuDtB.exe
  2⤵
  PID:10580
- C:\Windows\System32\TeyLcsi.exe
  C:\Windows\System32\TeyLcsi.exe
  2⤵
  PID:10656
- C:\Windows\System32\OrMHdnZ.exe
  C:\Windows\System32\OrMHdnZ.exe
  2⤵
  PID:10712
- C:\Windows\System32\lyiXXzJ.exe
  C:\Windows\System32\lyiXXzJ.exe
  2⤵
  PID:10816
- C:\Windows\System32\tMqrmIA.exe
  C:\Windows\System32\tMqrmIA.exe
  2⤵
  PID:10892
- C:\Windows\System32\zIPQNHm.exe
  C:\Windows\System32\zIPQNHm.exe
  2⤵
  PID:11036
- C:\Windows\System32\CwJJSnK.exe
  C:\Windows\System32\CwJJSnK.exe
  2⤵
  PID:11240
- C:\Windows\System32\yOVUQKk.exe
  C:\Windows\System32\yOVUQKk.exe
  2⤵
  PID:10632
- C:\Windows\System32\RAoMGOd.exe
  C:\Windows\System32\RAoMGOd.exe
  2⤵
  PID:11152
- C:\Windows\System32\kLPkvDy.exe
  C:\Windows\System32\kLPkvDy.exe
  2⤵
  PID:11204
- C:\Windows\System32\gjCuVqv.exe
  C:\Windows\System32\gjCuVqv.exe
  2⤵
  PID:11280
- C:\Windows\System32\gYxXmvc.exe
  C:\Windows\System32\gYxXmvc.exe
  2⤵
  PID:11308
- C:\Windows\System32\HxVXEWJ.exe
  C:\Windows\System32\HxVXEWJ.exe
  2⤵
  PID:11332
- C:\Windows\System32\vxWgMvU.exe
  C:\Windows\System32\vxWgMvU.exe
  2⤵
  PID:11356
- C:\Windows\System32\wPtMklm.exe
  C:\Windows\System32\wPtMklm.exe
  2⤵
  PID:11424
- C:\Windows\System32\nprwHuM.exe
  C:\Windows\System32\nprwHuM.exe
  2⤵
  PID:11444
- C:\Windows\System32\hPPNRPF.exe
  C:\Windows\System32\hPPNRPF.exe
  2⤵
  PID:11468
- C:\Windows\System32\omfagss.exe
  C:\Windows\System32\omfagss.exe
  2⤵
  PID:11484
- C:\Windows\System32\mkQXFgD.exe
  C:\Windows\System32\mkQXFgD.exe
  2⤵
  PID:11504
- C:\Windows\System32\tlJGaLN.exe
  C:\Windows\System32\tlJGaLN.exe
  2⤵
  PID:11552
- C:\Windows\System32\lhkiFZu.exe
  C:\Windows\System32\lhkiFZu.exe
  2⤵
  PID:11584
- C:\Windows\System32\MhVnhwA.exe
  C:\Windows\System32\MhVnhwA.exe
  2⤵
  PID:11612
- C:\Windows\System32\JJBWlFQ.exe
  C:\Windows\System32\JJBWlFQ.exe
  2⤵
  PID:11636
- C:\Windows\System32\mStrxzz.exe
  C:\Windows\System32\mStrxzz.exe
  2⤵
  PID:11652
- C:\Windows\System32\tJXZFyL.exe
  C:\Windows\System32\tJXZFyL.exe
  2⤵
  PID:11680
- C:\Windows\System32\aQSeDPC.exe
  C:\Windows\System32\aQSeDPC.exe
  2⤵
  PID:11704
- C:\Windows\System32\EcwcOYs.exe
  C:\Windows\System32\EcwcOYs.exe
  2⤵
  PID:11728
- C:\Windows\System32\NGSevyF.exe
  C:\Windows\System32\NGSevyF.exe
  2⤵
  PID:11752
- C:\Windows\System32\ISvcWnw.exe
  C:\Windows\System32\ISvcWnw.exe
  2⤵
  PID:11816
- C:\Windows\System32\ZDvWlGO.exe
  C:\Windows\System32\ZDvWlGO.exe
  2⤵
  PID:11836
- C:\Windows\System32\CVGWyNi.exe
  C:\Windows\System32\CVGWyNi.exe
  2⤵
  PID:11860
- C:\Windows\System32\mzrUPsx.exe
  C:\Windows\System32\mzrUPsx.exe
  2⤵
  PID:11880
- C:\Windows\System32\jncUPLp.exe
  C:\Windows\System32\jncUPLp.exe
  2⤵
  PID:11904
- C:\Windows\System32\GnSjmaD.exe
  C:\Windows\System32\GnSjmaD.exe
  2⤵
  PID:11920
- C:\Windows\System32\RikjHFZ.exe
  C:\Windows\System32\RikjHFZ.exe
  2⤵
  PID:11940
- C:\Windows\System32\hZgeZiQ.exe
  C:\Windows\System32\hZgeZiQ.exe
  2⤵
  PID:11956
- C:\Windows\System32\lwZqSeJ.exe
  C:\Windows\System32\lwZqSeJ.exe
  2⤵
  PID:11996
- C:\Windows\System32\qdNCwyF.exe
  C:\Windows\System32\qdNCwyF.exe
  2⤵
  PID:12028
- C:\Windows\System32\MwWuywd.exe
  C:\Windows\System32\MwWuywd.exe
  2⤵
  PID:12044
- C:\Windows\System32\XrSrjxR.exe
  C:\Windows\System32\XrSrjxR.exe
  2⤵
  PID:12064
- C:\Windows\System32\TZMREtw.exe
  C:\Windows\System32\TZMREtw.exe
  2⤵
  PID:12112
- C:\Windows\System32\kxQthJU.exe
  C:\Windows\System32\kxQthJU.exe
  2⤵
  PID:12156
- C:\Windows\System32\HkXvVJW.exe
  C:\Windows\System32\HkXvVJW.exe
  2⤵
  PID:12176
- C:\Windows\System32\YsFHsZe.exe
  C:\Windows\System32\YsFHsZe.exe
  2⤵
  PID:12204
- C:\Windows\System32\nLDBWdE.exe
  C:\Windows\System32\nLDBWdE.exe
  2⤵
  PID:12224
- C:\Windows\System32\dJFsjRi.exe
  C:\Windows\System32\dJFsjRi.exe
  2⤵
  PID:12240
- C:\Windows\System32\pwGhrym.exe
  C:\Windows\System32\pwGhrym.exe
  2⤵
  PID:12264
- C:\Windows\System32\jKkHFmD.exe
  C:\Windows\System32\jKkHFmD.exe
  2⤵
  PID:12284
- C:\Windows\System32\ppHChEi.exe
  C:\Windows\System32\ppHChEi.exe
  2⤵
  PID:11368
- C:\Windows\System32\KWoWEzO.exe
  C:\Windows\System32\KWoWEzO.exe
  2⤵
  PID:11460
- C:\Windows\System32\ccoStFf.exe
  C:\Windows\System32\ccoStFf.exe
  2⤵
  PID:11496
- C:\Windows\System32\xVpJHAn.exe
  C:\Windows\System32\xVpJHAn.exe
  2⤵
  PID:11604
- C:\Windows\System32\GUOxToX.exe
  C:\Windows\System32\GUOxToX.exe
  2⤵
  PID:11648
- C:\Windows\System32\vSXflvN.exe
  C:\Windows\System32\vSXflvN.exe
  2⤵
  PID:11720
- C:\Windows\System32\HgNaoZn.exe
  C:\Windows\System32\HgNaoZn.exe
  2⤵
  PID:11784
- C:\Windows\System32\xHpQAkB.exe
  C:\Windows\System32\xHpQAkB.exe
  2⤵
  PID:11828
- C:\Windows\System32\sEtXJIo.exe
  C:\Windows\System32\sEtXJIo.exe
  2⤵
  PID:11868
- C:\Windows\System32\gbIonKR.exe
  C:\Windows\System32\gbIonKR.exe
  2⤵
  PID:11892
- C:\Windows\System32\QlUVqTO.exe
  C:\Windows\System32\QlUVqTO.exe
  2⤵
  PID:12012
- C:\Windows\System32\LLLwqvI.exe
  C:\Windows\System32\LLLwqvI.exe
  2⤵
  PID:12056
- C:\Windows\System32\KjBxYWQ.exe
  C:\Windows\System32\KjBxYWQ.exe
  2⤵
  PID:12120
- C:\Windows\System32\tenwoZb.exe
  C:\Windows\System32\tenwoZb.exe
  2⤵
  PID:12184
- C:\Windows\System32\UAzVhQJ.exe
  C:\Windows\System32\UAzVhQJ.exe
  2⤵
  PID:11292
- C:\Windows\System32\ZzoojFN.exe
  C:\Windows\System32\ZzoojFN.exe
  2⤵
  PID:11540
- C:\Windows\System32\rxxmWBD.exe
  C:\Windows\System32\rxxmWBD.exe
  2⤵
  PID:11620
- C:\Windows\System32\myHSGdZ.exe
  C:\Windows\System32\myHSGdZ.exe
  2⤵
  PID:11852
- C:\Windows\System32\fBxHbdW.exe
  C:\Windows\System32\fBxHbdW.exe
  2⤵
  PID:11876
- C:\Windows\System32\iHdbqli.exe
  C:\Windows\System32\iHdbqli.exe
  2⤵
  PID:12084
- C:\Windows\System32\tRujmMp.exe
  C:\Windows\System32\tRujmMp.exe
  2⤵
  PID:11480
- C:\Windows\System32\QBTTylh.exe
  C:\Windows\System32\QBTTylh.exe
  2⤵
  PID:11668
- C:\Windows\System32\Inmypqk.exe
  C:\Windows\System32\Inmypqk.exe
  2⤵
  PID:11696
- C:\Windows\System32\qGXzMZT.exe
  C:\Windows\System32\qGXzMZT.exe
  2⤵
  PID:11984
- C:\Windows\System32\yFOmylB.exe
  C:\Windows\System32\yFOmylB.exe
  2⤵
  PID:11576
- C:\Windows\System32\MUCjUuz.exe
  C:\Windows\System32\MUCjUuz.exe
  2⤵
  PID:12004
- C:\Windows\System32\eATZKcU.exe
  C:\Windows\System32\eATZKcU.exe
  2⤵
  PID:11492
- C:\Windows\System32\yXlfUhH.exe
  C:\Windows\System32\yXlfUhH.exe
  2⤵
  PID:12304
- C:\Windows\System32\ZpUUTuo.exe
  C:\Windows\System32\ZpUUTuo.exe
  2⤵
  PID:12324
- C:\Windows\System32\pnvnQzs.exe
  C:\Windows\System32\pnvnQzs.exe
  2⤵
  PID:12344
- C:\Windows\System32\OWnfdxm.exe
  C:\Windows\System32\OWnfdxm.exe
  2⤵
  PID:12364
- C:\Windows\System32\mSxgHoA.exe
  C:\Windows\System32\mSxgHoA.exe
  2⤵
  PID:12380
- C:\Windows\System32\nWMVESI.exe
  C:\Windows\System32\nWMVESI.exe
  2⤵
  PID:12400
- C:\Windows\System32\avFDHsB.exe
  C:\Windows\System32\avFDHsB.exe
  2⤵
  PID:12448
- C:\Windows\System32\wWcfNFP.exe
  C:\Windows\System32\wWcfNFP.exe
  2⤵
  PID:12472
- C:\Windows\System32\fBuRDfm.exe
  C:\Windows\System32\fBuRDfm.exe
  2⤵
  PID:12492
- C:\Windows\System32\AuUKsrL.exe
  C:\Windows\System32\AuUKsrL.exe
  2⤵
  PID:12512
- C:\Windows\System32\jMMwUOg.exe
  C:\Windows\System32\jMMwUOg.exe
  2⤵
  PID:12564
- C:\Windows\System32\dgmfvGL.exe
  C:\Windows\System32\dgmfvGL.exe
  2⤵
  PID:12584
- C:\Windows\System32\loDxsYc.exe
  C:\Windows\System32\loDxsYc.exe
  2⤵
  PID:12604
- C:\Windows\System32\GJueNbA.exe
  C:\Windows\System32\GJueNbA.exe
  2⤵
  PID:12648
- C:\Windows\System32\kFotcAA.exe
  C:\Windows\System32\kFotcAA.exe
  2⤵
  PID:12692
- C:\Windows\System32\MSEBFKR.exe
  C:\Windows\System32\MSEBFKR.exe
  2⤵
  PID:12712
- C:\Windows\System32\diWTErA.exe
  C:\Windows\System32\diWTErA.exe
  2⤵
  PID:12744
- C:\Windows\System32\MFkgfJP.exe
  C:\Windows\System32\MFkgfJP.exe
  2⤵
  PID:12772
- C:\Windows\System32\gJturJp.exe
  C:\Windows\System32\gJturJp.exe
  2⤵
  PID:12788
- C:\Windows\System32\fpprogn.exe
  C:\Windows\System32\fpprogn.exe
  2⤵
  PID:12812
- C:\Windows\System32\AoXBEYg.exe
  C:\Windows\System32\AoXBEYg.exe
  2⤵
  PID:12828
- C:\Windows\System32\vwRVVqE.exe
  C:\Windows\System32\vwRVVqE.exe
  2⤵
  PID:12844
- C:\Windows\System32\iTrADoH.exe
  C:\Windows\System32\iTrADoH.exe
  2⤵
  PID:12860
- C:\Windows\System32\KPIefDi.exe
  C:\Windows\System32\KPIefDi.exe
  2⤵
  PID:12880
- C:\Windows\System32\TCfeblH.exe
  C:\Windows\System32\TCfeblH.exe
  2⤵
  PID:12928
- C:\Windows\System32\dnTVNUh.exe
  C:\Windows\System32\dnTVNUh.exe
  2⤵
  PID:12984
- C:\Windows\System32\NASrnyu.exe
  C:\Windows\System32\NASrnyu.exe
  2⤵
  PID:13012
- C:\Windows\System32\BxBtCif.exe
  C:\Windows\System32\BxBtCif.exe
  2⤵
  PID:13060
- C:\Windows\System32\fGnhEVB.exe
  C:\Windows\System32\fGnhEVB.exe
  2⤵
  PID:13080
- C:\Windows\System32\ZJRLeIL.exe
  C:\Windows\System32\ZJRLeIL.exe
  2⤵
  PID:13100
- C:\Windows\System32\jktWbbo.exe
  C:\Windows\System32\jktWbbo.exe
  2⤵
  PID:13136
- C:\Windows\System32\ytxEVtB.exe
  C:\Windows\System32\ytxEVtB.exe
  2⤵
  PID:13176
- C:\Windows\System32\JBrqaqw.exe
  C:\Windows\System32\JBrqaqw.exe
  2⤵
  PID:13204
- C:\Windows\System32\aLxvTmI.exe
  C:\Windows\System32\aLxvTmI.exe
  2⤵
  PID:13240
- C:\Windows\System32\nWEPUQB.exe
  C:\Windows\System32\nWEPUQB.exe
  2⤵
  PID:13268
- C:\Windows\System32\gDPBbLi.exe
  C:\Windows\System32\gDPBbLi.exe
  2⤵
  PID:13300
- C:\Windows\System32\DMDdVuK.exe
  C:\Windows\System32\DMDdVuK.exe
  2⤵
  PID:12296
- C:\Windows\System32\RtmLrUb.exe
  C:\Windows\System32\RtmLrUb.exe
  2⤵
  PID:12352
- C:\Windows\System32\BbeQpgs.exe
  C:\Windows\System32\BbeQpgs.exe
  2⤵
  PID:12376
- C:\Windows\System32\ipvuzFn.exe
  C:\Windows\System32\ipvuzFn.exe
  2⤵
  PID:12440
- C:\Windows\System32\Rdnpyhh.exe
  C:\Windows\System32\Rdnpyhh.exe
  2⤵
  PID:12520
- C:\Windows\System32\crcfKYC.exe
  C:\Windows\System32\crcfKYC.exe
  2⤵
  PID:12636
- C:\Windows\System32\kDspYTG.exe
  C:\Windows\System32\kDspYTG.exe
  2⤵
  PID:864
- C:\Windows\System32\naUNfmp.exe
  C:\Windows\System32\naUNfmp.exe
  2⤵
  PID:12644
- C:\Windows\System32\chmttJJ.exe
  C:\Windows\System32\chmttJJ.exe
  2⤵
  PID:12780
- C:\Windows\System32\lvGbbNk.exe
  C:\Windows\System32\lvGbbNk.exe
  2⤵
  PID:12800
- C:\Windows\System32\iKQqMny.exe
  C:\Windows\System32\iKQqMny.exe
  2⤵
  PID:12876
- C:\Windows\System32\uldklXt.exe
  C:\Windows\System32\uldklXt.exe
  2⤵
  PID:13008

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BMdymrE.exe

Filesize
1.1MB

MD5
7294239f30fecf44b611adec78b02769

SHA1
6835948c462b534148d9ee89e19e77a450b96849

SHA256
0f9467667955c64a55257dadf9e4e71e007bae71b7120a814a3f47c49fc0f545

SHA512
6076335eba00ce900dcb5ca23614671eecc6f91c9e008ba15922db84897b48692be8289cc4e35dac2271b7a7d058123b50599a68d665da5cab805458606b1aa1

Download Submit
C:\Windows\System32\BgoZRAI.exe

Filesize
1.1MB

MD5
46e0216f39dc665e72c9ad68c0a70497

SHA1
32614dd023256ddb205f86d7c847758495eb7cf6

SHA256
15bfc89a2b58c21f6bc508c5f21c9550bc77ef6a57c3b62387c00fd4b8e8fc7f

SHA512
bcbce995e2f4ae7333e6b2ef709d8b9dfd95cacadc8d795266c223571884b5dc1652d83f38eea90bd53769443be3b9c4dd63ef3e1d9d3fbe8556d8890ad1ee29

Download Submit
C:\Windows\System32\BrDiCkT.exe

Filesize
1.1MB

MD5
291f38e01668eed4da4f51f9eee592fe

SHA1
277c4ff3c338ddf31c2c04b64dfac8b21167f0ba

SHA256
a4a040fd7952034d4f19490ea063b1aa284c85612633d038dd5cb417125e1d68

SHA512
49bccec93b7f07bc3db86e75ed518698ca64aa6925741b718557ea6cd5630d98d39242e9bee88655dc450cde1f57828001bb0949a8171e361c2884dbc0e96af1

Download Submit
C:\Windows\System32\DAttFsN.exe

Filesize
1.1MB

MD5
a23fcdaa73fef58fe27fe0c378fa3879

SHA1
81565cd93c26d8475ddc2d1ad3ff0cf9ff15d3d3

SHA256
ce9e1f7d8a9f204df8a9a625efbda7709aae1b56753ddefa277ff5ba3bdf5773

SHA512
26d31299ea972bd9b1d6e28138476388af9923f260237271291efd43b2a40d67a9887827973f5ee4e7c7b0bccb08f79e656d194ba882e378512597b25f532043

Download Submit
C:\Windows\System32\GJjKCIz.exe

Filesize
1.1MB

MD5
b46fd399d13ba5236c62b78c3adc7fa3

SHA1
6ccd753c596a40c6cc0d1941c1313b04ff3d021b

SHA256
caa5b434e03a4c99d6eb22ffa86333153f756db135e892bca5cb37de754d3fda

SHA512
e8e807b47809520b4f60cda115972a2874444580ee09a035171ead7865bbaa1b11e5533d736a0e0cf9cdc59a0c0f36ff042dbeb1bb1ad1826ed90d4b25fb37da

Download Submit
C:\Windows\System32\HbpIqpw.exe

Filesize
1.1MB

MD5
85c8a1c10e80894cd6c8d9ec1d2d9e6e

SHA1
715773d022df74f2cd1a8abe957a68fd6c1cbbd2

SHA256
7b82b6b6d5861383e6b46b45016d19bcb48138e5cb0237e3dd300f28686810dd

SHA512
4f73654873e5cf6f1ceaccdbcc7d652d44240a1fe9dd61d11e165b9e0fdae6765c2cd4be572245e1affa41e9242dcf68342a94db290a91817f59ef82f2c6a8bf

Download Submit
C:\Windows\System32\MLNbZMg.exe

Filesize
1.1MB

MD5
b19f49f503114ed2567f4956517be480

SHA1
7e8d7efd688c2aa3555ff4655c036e8343bde3c1

SHA256
593145a8c69dbe06138934f419ed7cf2f941f6d236b432978dde07f16918e856

SHA512
8b218d0b7fc428e9edd6a9d37e4352314d92cf54a7c62c79f3b36b3d78cfd32e43a5ecadd74c62c608b5edcc485daa14a208687bcd5095f0f9d425fb6b2061a4

Download Submit
C:\Windows\System32\OBtaGJe.exe

Filesize
1.1MB

MD5
024d49768589a85ba2095f5743d242f1

SHA1
25a802d86ffce008e61218584797d2d740b75c70

SHA256
00c42907171023590295894ec1f0d5d62276720007fb90315f31bee1a1cd5868

SHA512
ab128280112d7546fd5fa95b12c805db8228d0be5144d7f8dbcc59ce5d2e9c85073b4e8a992c5a31d8b5f717aa9bff442f2781c6d09f8a25a01651ff0975422b

Download Submit
C:\Windows\System32\PstkiUr.exe

Filesize
1.1MB

MD5
8a3a09e60fdaa68222a6587115e44592

SHA1
5c8e7d127d74860302a36cf816e504b8f7a211a0

SHA256
f223a01c3c8f913db2d6e9b925fadb010bd45bb1a142a1f7519e9189753d72c9

SHA512
5eb808b95f5777d083fa8a0ad70c456bf567ae5ecb24c3822393ba1fd7d56ba9f00e7771cfdaa26aebb7414fa8063781678af3f0e61eb7164ca2f249150ef5c0

Download Submit
C:\Windows\System32\TphyFqM.exe

Filesize
1.1MB

MD5
980f3e5bfce6d3037dce325a22a52966

SHA1
17ad50545497b9653c32d4f23e4584ec17425362

SHA256
4f57ad75517f39e6c21d0b994f6acb9c3aacca0caca41c3e6983bf0c1e125f9e

SHA512
7e33fd1279299b9013fae867639e3de44eb043082d2d9117aa556066bef09df8909a18b90e0d6d94d8fb92124dc0a258a38f0dbf5cee21407f185ee833539a4f

Download Submit
C:\Windows\System32\YHLNiqk.exe

Filesize
1.1MB

MD5
c79de3cfb5828e34364b34f1a25ef7fb

SHA1
5514bae982f1bdf0b44b016e988178a009bb874d

SHA256
0eb7cfa848fc5a9655a414410ff26ae31aa43ebe7b592b54cca2c4a90a5cb5c7

SHA512
c2a5f1a99ed10c4a52a0c717541103e36c0f6dc30689d7300db255787f7f9d00eebc9180684f9ee59c61ff6afc183d508f1c51503b72fdf29c9c71f9ac280f6b

Download Submit
C:\Windows\System32\azaHRnh.exe

Filesize
1.1MB

MD5
178a39c952ef5889f657ff903e5d8593

SHA1
1206bb8a2d8fa0928b36fb0a5d6845a7cc1bcd40

SHA256
92039c29d7203623b353b5987f7a389f21773830d131b414f66fc200f05cd958

SHA512
051869ca19f457900d94316b215c266bbf89ecc85bf256d391f09f2a426a9dfae6abd658accdc3bb2b92d523a3015cf14997770b5c94991fd1a56246e98045cf

Download Submit
C:\Windows\System32\bcTNFrx.exe

Filesize
1.1MB

MD5
55522722b98c234586751e51ca55f6b8

SHA1
7175c2cb7310f24596f25799b80ecbb7ebbe0006

SHA256
c4c407ab190d1ba07b4cfdc270735b672203c9e4decd51f2fc26fc5584209fe2

SHA512
7145c622cb3ad7d4cd984a4405e3315f01ae06f88d1902d7d9671417e9975e1cfd50339d942c0f02d107cb02726697838fcdd7da9bb585a8c2110a66a33a099b

Download Submit
C:\Windows\System32\btvlSUQ.exe

Filesize
1.1MB

MD5
7e96d6436f46a107cd70c2bdf2d9e227

SHA1
cc03159965ce685d053e20712b87af099835d664

SHA256
04993f13f4912dfc3c55bf81f3a026954ea7245b1b17880f98632f7934862787

SHA512
5e2fc7836a7cc7997b898e41521223c34209fcb8ab7fa97756def600b068e6a0df1e71942cc75e76373e39578893fe5a66ce1e2b08087ace2973485a4208332e

Download Submit
C:\Windows\System32\cBVrGeT.exe

Filesize
1.1MB

MD5
3e601455c587438384cafd0968966206

SHA1
c8e4a2187216bc2fdbedb08656e70bd23ab14782

SHA256
0af11126269b113776c710c778ba628dcaeeb5ace0cdb48f1cb4bdb145faa04e

SHA512
ab986af93a5735c419eb55c6551594220446d6709d84b0cbb98906d38d64e255263f06ee89c414038f478fac6be5eec2616ce43c20f2771b71f783dea8ddd4c7

Download Submit
C:\Windows\System32\cjEDDQl.exe

Filesize
1.1MB

MD5
3afe3bbc6420d2af98993d2694875717

SHA1
1bec55a21306fc7d9bf3bf213cec823d3011a367

SHA256
3c9b7eaf480af385e3764bf345ed7a6d9fe308cd2d1f6e58286bb1fce0e67196

SHA512
3e909029d435021e0a3afcda9f2d3fafabf8eb984824012e98cdea8e9dfdc64c3c9dd9971f19727c12503bd02d970ea40df38c2db4e69e29737d3d570945eb75

Download Submit
C:\Windows\System32\czNaEvA.exe

Filesize
1.1MB

MD5
f5c8137a16f8ca1fe3f4cc81d5bd4cc2

SHA1
d0e4acd6b5ccbe90fee07ff724336f1331478bdd

SHA256
b8024dcead8e5074c4edea2ddbeadef3c2debdbcf770f8cb0c260a39925861d5

SHA512
e163d9c98db30baeb24423864c5877928dfc02d2097182836faad6e48de3186b38d20d86f7ee4844c0146fe4bf064af9728e7f4a0f0a314487494d8d569e3912

Download Submit
C:\Windows\System32\hKZDwcf.exe

Filesize
1.1MB

MD5
82b91e9a0922bbf00ac7a7399115b006

SHA1
26e71c9d7ef895cb1a62f6de342e803d4ddfafa2

SHA256
21a93fa201ef3e82a3208e5ede394ea2277c32a8ab5ebfdc681bb13a68ceb101

SHA512
1dfb92fda11a81f81e5de2420504278f3a1aa847271d95bc4f5d5eff8bc1aff1b6992a9d607d03c3379516c4e4bd21c65dbf7f12ed113bcfe1d7cd1e89a6f060

Download Submit
C:\Windows\System32\hauhcLY.exe

Filesize
1.1MB

MD5
bda20416358d714a6691d6fc878a48c7

SHA1
3af0da294622659795145a48a7dd5bb449f3ee1c

SHA256
114a6bf093675f133adcec8343db06d7aa7b6d66d4ca56b9edb9ed283fd992c7

SHA512
b16a63d503965caac59a702a95fba8607f72553937e9ddc47d98756855eaf7094c073b9604e14c89820a8d706fb970ee606bafe28af54ab1fffdd1a880480065

Download Submit
C:\Windows\System32\lXiEjlS.exe

Filesize
1.1MB

MD5
04c2fde24a4c2808fcc0d37eb4f19d54

SHA1
82c6db1792a7a92af146207df908362f5be3da4a

SHA256
fe0b0f2419649b005e54add9691e81adf2e80375c9c576cb097b088cf2804e23

SHA512
1a3a110df6ad20166df96e4c36cd710da70bd9ddd8f1eb59d2fdaae5fe0a327350531eee1d6d1a608b738cd2e7e84a67adaafa5da93c3d6d2b7e72896e60e3c3

Download Submit
C:\Windows\System32\llVAiVC.exe

Filesize
1.1MB

MD5
437762d6c9a5bcee0a20893a27e7e62e

SHA1
c753f676e369064eb2f49f7652b4c6695670f160

SHA256
91bf46408e7c83d21491cc900cc33246795471f5c1df07a2dc361768b4230553

SHA512
52aa11e41cda5adba39ce44dc89cd3fad61e7620a370121b675897f03fab3605e819cb0a33ff8babaa77d3a3c97e78f9fb66ec2f31ebac450253bba7d1dc586c

Download Submit
C:\Windows\System32\pBRLGOl.exe

Filesize
1.1MB

MD5
0c7b441dcb59f02af76c0379bea2bec2

SHA1
75a7fbea96890b0011eafb59845861d9f5cd9172

SHA256
2be3c6dd0a7246fad0ef24c92af57d69b8d1533bcd67c018854e84faf1e48056

SHA512
e4c4268461fe8aaf802e4fb98413cc9af26b9662671110d5082e115962fa571d6dfbf34fb632fccacaab51e9ca9487ecf35c911995c8241d1e6fd6ba575d8e85

Download Submit
C:\Windows\System32\pFruFpl.exe

Filesize
1.1MB

MD5
72ac18463b69c9a299a96080b8b30b7c

SHA1
4c7984f0157b5ab5817d8ec604f1ef227bae0d75

SHA256
350bcdbcc23a983419e0b821023680c6543884b715d4fc70695623b5d62fe205

SHA512
244946a696a8cadaaa9d8b2fb1ba248a93339c9aeaab686f212c758b371a2c0b9dc1a26a0d96eef168e34999dccb20cdabea79af7f5693cd95d9e2346704efb6

Download Submit
C:\Windows\System32\pSRRtJm.exe

Filesize
1.1MB

MD5
0b7b9c65e4f4597a42b6f8b2569b5e43

SHA1
4301c870ee45867320c526f882b7c88c87409954

SHA256
34e0fe528fc95fc914c7f601e7fa8d1c8f47139cebe6df687b76cf6ba54eae01

SHA512
489f1e1ee71847e9c95e713a85691c14efa03ac46e006147ac226ffc2bd49911cee016c9088586ac7dc80901d10493542d319fb4d8ae2cf232e08a4c19e70147

Download Submit
C:\Windows\System32\rdbUyeZ.exe

Filesize
1.1MB

MD5
3326dee9ead603a04320635ecc7d1150

SHA1
385819a08a7bafef1f8aef265f1548cb260c7f0d

SHA256
eec5c957cd5b9e88fcbd99a34f64d487a608f5d3efa3ec3e73cf6f40cddcac4f

SHA512
0f29dd53a4cedd8817cecd1511f54fb9d7e36502a9173bde5c67d1785936503e894cd2e38e149ab270a37b135f4e4d07c2aff1a777861b206309c15e21651d95

Download Submit
C:\Windows\System32\reZTWPH.exe

Filesize
1.1MB

MD5
b352d4444b9a6c70dc02332d5779194f

SHA1
045250a00931bf92be77751a3cc8774d83812eb9

SHA256
c986fb934c5179c9ee5d1fb41b00313898cbb018d98a228e9b9e3d9c3ab1396a

SHA512
a71fe189530d9fa826ad7567437d5bb929a35e794ce9cf6455d46db675f57d84f423e7bcc905ecc09e426797101f69533a83862d9d0ab5e7bf1deebab797d091

Download Submit
C:\Windows\System32\ryutooS.exe

Filesize
1.1MB

MD5
f2840284592a3c84fc1b1b44e4dc5bf6

SHA1
95841904985bb0c0fd876a21b8e2a909a90e1bf5

SHA256
f97afc3f6c70ca7807d139e8b7ed57af0b510cfc11978109d32846f8699eef5c

SHA512
6db03c9bd8cb90b811bb9820650bfcf201ddc46c71462a5e0aa155e2c290789795f441f0eaf4cd32f6856c3f84f97f3dbb04463a598487540182adb7fa1cb8db

Download Submit
C:\Windows\System32\sZbXcbq.exe

Filesize
1.1MB

MD5
a33ad793f2b57e2e8f1da6682fe59400

SHA1
ad9a7aaef7d64b8415bca5841615ba98a710f3aa

SHA256
d830f1a1bcb701299cd28ab00093ac15f28fdb25332455cec1cc8c8b23c7afea

SHA512
ea4cc445bfa5723cffa6c2da9cbe6df5bb1b0cf1d6954876889233e66c9fc5980aacb49f9a199aea99a7847b7c68c75bb352169735803fd58645c09016a632d9

Download Submit
C:\Windows\System32\uZWCucU.exe

Filesize
1.1MB

MD5
cc1e95b811cb753aca3a38c302d201d0

SHA1
d49d3cd306316195c5ac44813bf6edc6a1e38714

SHA256
cedd8285ab4d7b6d2f398a55fcb49c764c1b89a67e694c2c15cb6d0829f85899

SHA512
5c3ff059b16d6164a037394ea7fb0085deac8e43407de71e973b0e758a7be8d240fc36d144abdebeceb10cb8be8beebf946282de03232b16f225acaaa04f72ff

Download Submit
C:\Windows\System32\udiAdtn.exe

Filesize
1.1MB

MD5
5d8467bddea5c68c5da5b149dfe6c542

SHA1
bed674285f3b3de83c95a21ec721fa0bdd475705

SHA256
0677f94bf6eb0380084d2430bd1023cce9c2f8a2c861e9fb6d1e69e565b70717

SHA512
de9c525af1072ab5c81ab0f85fe3589e4c4176bc75ddf84b694c54d454f10f78a49016b952b659f970b680dd068a3e05a080b347a229670fd2cf876060ab884b

Download Submit
C:\Windows\System32\xIHxMev.exe

Filesize
1.1MB

MD5
12965059254980cfb3c70cd4bc382039

SHA1
3abc3a277d0ba2bb769d8fb7417bb3f9f4eeb6f2

SHA256
3553f63e1817520aa19a201c6f063684b04b6442a3bf2b7b18c993eb627053cf

SHA512
bd5f2aca3733721d948adeb54df0e3aa83522543384be1b0e232fd3c51dba32bcbd4295585c62134ac7fb475e325a63ba02313566fa1456e4e0427aa40f42002

Download Submit
C:\Windows\System32\yaBlMpj.exe

Filesize
1.1MB

MD5
79d4248fc9f6232ef55fc1e6fe2062ba

SHA1
3b3c6d8cfc3643aecf2c52adbcbf4dc1c7321278

SHA256
21f22a4e03811d24d966e2da3c1d5d0828608a1558b0b3ba426a0b3a9d03bcee

SHA512
40b36b31d77a0a73d592a381aa4b3b5cb490c9328a72164d9c69b50cf142e6d023053e1780e71607891a34dd200b0a01b202e7cae1d0d50e1755ca2ed6227167

Download Submit
memory/700-1978-0x00007FF7F4A20000-0x00007FF7F4E11000-memory.dmp

Filesize
3.9MB

Download
memory/700-502-0x00007FF7F4A20000-0x00007FF7F4E11000-memory.dmp

Filesize
3.9MB

Download
memory/972-380-0x00007FF645730000-0x00007FF645B21000-memory.dmp

Filesize
3.9MB

Download
memory/972-1984-0x00007FF645730000-0x00007FF645B21000-memory.dmp

Filesize
3.9MB

Download
memory/1016-470-0x00007FF6EEA30000-0x00007FF6EEE21000-memory.dmp

Filesize
3.9MB

Download
memory/1016-2005-0x00007FF6EEA30000-0x00007FF6EEE21000-memory.dmp

Filesize
3.9MB

Download
memory/1512-480-0x00007FF665D80000-0x00007FF666171000-memory.dmp

Filesize
3.9MB

Download
memory/1512-2001-0x00007FF665D80000-0x00007FF666171000-memory.dmp

Filesize
3.9MB

Download
memory/1584-1970-0x00007FF71DE20000-0x00007FF71E211000-memory.dmp

Filesize
3.9MB

Download
memory/1584-10-0x00007FF71DE20000-0x00007FF71E211000-memory.dmp

Filesize
3.9MB

Download
memory/1784-389-0x00007FF7135B0000-0x00007FF7139A1000-memory.dmp

Filesize
3.9MB

Download
memory/1784-1988-0x00007FF7135B0000-0x00007FF7139A1000-memory.dmp

Filesize
3.9MB

Download
memory/1832-1976-0x00007FF752260000-0x00007FF752651000-memory.dmp

Filesize
3.9MB

Download
memory/1832-361-0x00007FF752260000-0x00007FF752651000-memory.dmp

Filesize
3.9MB

Download
memory/2012-1-0x000001FBB4A90000-0x000001FBB4AA0000-memory.dmp

Filesize
64KB

Download
memory/2012-0-0x00007FF6C3D70000-0x00007FF6C4161000-memory.dmp

Filesize
3.9MB

Download
memory/2096-357-0x00007FF7B3FA0000-0x00007FF7B4391000-memory.dmp

Filesize
3.9MB

Download
memory/2096-1948-0x00007FF7B3FA0000-0x00007FF7B4391000-memory.dmp

Filesize
3.9MB

Download
memory/2096-1974-0x00007FF7B3FA0000-0x00007FF7B4391000-memory.dmp

Filesize
3.9MB

Download
memory/2160-2010-0x00007FF6B95E0000-0x00007FF6B99D1000-memory.dmp

Filesize
3.9MB

Download
memory/2160-495-0x00007FF6B95E0000-0x00007FF6B99D1000-memory.dmp

Filesize
3.9MB

Download
memory/2348-2021-0x00007FF6A7A80000-0x00007FF6A7E71000-memory.dmp

Filesize
3.9MB

Download
memory/2348-492-0x00007FF6A7A80000-0x00007FF6A7E71000-memory.dmp

Filesize
3.9MB

Download
memory/2404-365-0x00007FF7B1490000-0x00007FF7B1881000-memory.dmp

Filesize
3.9MB

Download
memory/2404-1982-0x00007FF7B1490000-0x00007FF7B1881000-memory.dmp

Filesize
3.9MB

Download
memory/2672-1990-0x00007FF641820000-0x00007FF641C11000-memory.dmp

Filesize
3.9MB

Download
memory/2672-391-0x00007FF641820000-0x00007FF641C11000-memory.dmp

Filesize
3.9MB

Download
memory/2980-382-0x00007FF7C3ED0000-0x00007FF7C42C1000-memory.dmp

Filesize
3.9MB

Download
memory/2980-1986-0x00007FF7C3ED0000-0x00007FF7C42C1000-memory.dmp

Filesize
3.9MB

Download
memory/3012-2012-0x00007FF6E9AB0000-0x00007FF6E9EA1000-memory.dmp

Filesize
3.9MB

Download
memory/3012-404-0x00007FF6E9AB0000-0x00007FF6E9EA1000-memory.dmp

Filesize
3.9MB

Download
memory/3056-405-0x00007FF71DE60000-0x00007FF71E251000-memory.dmp

Filesize
3.9MB

Download
memory/3056-1997-0x00007FF71DE60000-0x00007FF71E251000-memory.dmp

Filesize
3.9MB

Download
memory/3172-472-0x00007FF6F4CE0000-0x00007FF6F50D1000-memory.dmp

Filesize
3.9MB

Download
memory/3172-2003-0x00007FF6F4CE0000-0x00007FF6F50D1000-memory.dmp

Filesize
3.9MB

Download
memory/3944-498-0x00007FF612720000-0x00007FF612B11000-memory.dmp

Filesize
3.9MB

Download
memory/3944-2019-0x00007FF612720000-0x00007FF612B11000-memory.dmp

Filesize
3.9MB

Download
memory/4000-395-0x00007FF68DBC0000-0x00007FF68DFB1000-memory.dmp

Filesize
3.9MB

Download
memory/4000-1992-0x00007FF68DBC0000-0x00007FF68DFB1000-memory.dmp

Filesize
3.9MB

Download
memory/4164-2014-0x00007FF735600000-0x00007FF7359F1000-memory.dmp

Filesize
3.9MB

Download
memory/4164-398-0x00007FF735600000-0x00007FF7359F1000-memory.dmp

Filesize
3.9MB

Download
memory/4468-1999-0x00007FF678F30000-0x00007FF679321000-memory.dmp

Filesize
3.9MB

Download
memory/4468-487-0x00007FF678F30000-0x00007FF679321000-memory.dmp

Filesize
3.9MB

Download
memory/4488-1972-0x00007FF7D5D80000-0x00007FF7D6171000-memory.dmp

Filesize
3.9MB

Download
memory/4488-17-0x00007FF7D5D80000-0x00007FF7D6171000-memory.dmp

Filesize
3.9MB

Download
memory/4544-1980-0x00007FF7762F0000-0x00007FF7766E1000-memory.dmp

Filesize
3.9MB

Download
memory/4544-371-0x00007FF7762F0000-0x00007FF7766E1000-memory.dmp

Filesize
3.9MB

Download
memory/4580-2016-0x00007FF7F9D60000-0x00007FF7FA151000-memory.dmp

Filesize
3.9MB

Download
memory/4580-407-0x00007FF7F9D60000-0x00007FF7FA151000-memory.dmp

Filesize
3.9MB

Download
memory/4984-406-0x00007FF60BB40000-0x00007FF60BF31000-memory.dmp

Filesize
3.9MB

Download
memory/4984-1995-0x00007FF60BB40000-0x00007FF60BF31000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads