xmrig | a71cb8aeae5419041ed76f4cf2ccb825e0a6630045ca6c496501a6cb76f9f94b

Analysis

max time kernel
147s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
Size

1.2MB
MD5

09cfe051bc40c2279b315b17af974a89
SHA1

44925ed4ecf7594b86b1c5aedf3f438893d64a71
SHA256

a71cb8aeae5419041ed76f4cf2ccb825e0a6630045ca6c496501a6cb76f9f94b
SHA512

9240560e7d68514d95839a343c7c23f00ad12ca6e1e82f3b25c877561a736a6ad3df20e543db788494e19240b87edb755ad6160256dd087459951d9785b87373
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1XPIEq:knw9oUUEEDl37jcq4nPU9q

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4708-378-0x00007FF795630000-0x00007FF795A21000-memory.dmp	xmrig
behavioral2/memory/4092-377-0x00007FF720390000-0x00007FF720781000-memory.dmp	xmrig
behavioral2/memory/1328-25-0x00007FF7528C0000-0x00007FF752CB1000-memory.dmp	xmrig
behavioral2/memory/4824-379-0x00007FF6850D0000-0x00007FF6854C1000-memory.dmp	xmrig
behavioral2/memory/1968-380-0x00007FF69C640000-0x00007FF69CA31000-memory.dmp	xmrig
behavioral2/memory/5028-381-0x00007FF65AF10000-0x00007FF65B301000-memory.dmp	xmrig
behavioral2/memory/3772-382-0x00007FF63F490000-0x00007FF63F881000-memory.dmp	xmrig
behavioral2/memory/3632-384-0x00007FF606650000-0x00007FF606A41000-memory.dmp	xmrig
behavioral2/memory/980-383-0x00007FF7FA3B0000-0x00007FF7FA7A1000-memory.dmp	xmrig
behavioral2/memory/2688-385-0x00007FF74D910000-0x00007FF74DD01000-memory.dmp	xmrig
behavioral2/memory/3848-386-0x00007FF64C950000-0x00007FF64CD41000-memory.dmp	xmrig
behavioral2/memory/1648-387-0x00007FF78BED0000-0x00007FF78C2C1000-memory.dmp	xmrig
behavioral2/memory/3608-392-0x00007FF79E8D0000-0x00007FF79ECC1000-memory.dmp	xmrig
behavioral2/memory/1932-400-0x00007FF6445A0000-0x00007FF644991000-memory.dmp	xmrig
behavioral2/memory/4660-411-0x00007FF6120A0000-0x00007FF612491000-memory.dmp	xmrig
behavioral2/memory/4220-414-0x00007FF6DD1E0000-0x00007FF6DD5D1000-memory.dmp	xmrig
behavioral2/memory/2784-440-0x00007FF731630000-0x00007FF731A21000-memory.dmp	xmrig
behavioral2/memory/4584-468-0x00007FF624390000-0x00007FF624781000-memory.dmp	xmrig
behavioral2/memory/4304-461-0x00007FF6A5440000-0x00007FF6A5831000-memory.dmp	xmrig
behavioral2/memory/2904-435-0x00007FF7D7680000-0x00007FF7D7A71000-memory.dmp	xmrig
behavioral2/memory/844-397-0x00007FF7018C0000-0x00007FF701CB1000-memory.dmp	xmrig
behavioral2/memory/4736-471-0x00007FF762D90000-0x00007FF763181000-memory.dmp	xmrig
behavioral2/memory/4200-1964-0x00007FF761170000-0x00007FF761561000-memory.dmp	xmrig
behavioral2/memory/3720-2027-0x00007FF65F670000-0x00007FF65FA61000-memory.dmp	xmrig
behavioral2/memory/4508-2025-0x00007FF6F4440000-0x00007FF6F4831000-memory.dmp	xmrig
behavioral2/memory/4736-2033-0x00007FF762D90000-0x00007FF763181000-memory.dmp	xmrig
behavioral2/memory/1328-2031-0x00007FF7528C0000-0x00007FF752CB1000-memory.dmp	xmrig
behavioral2/memory/1968-2037-0x00007FF69C640000-0x00007FF69CA31000-memory.dmp	xmrig
behavioral2/memory/3772-2043-0x00007FF63F490000-0x00007FF63F881000-memory.dmp	xmrig
behavioral2/memory/980-2045-0x00007FF7FA3B0000-0x00007FF7FA7A1000-memory.dmp	xmrig
behavioral2/memory/3632-2049-0x00007FF606650000-0x00007FF606A41000-memory.dmp	xmrig
behavioral2/memory/5028-2041-0x00007FF65AF10000-0x00007FF65B301000-memory.dmp	xmrig
behavioral2/memory/2688-2047-0x00007FF74D910000-0x00007FF74DD01000-memory.dmp	xmrig
behavioral2/memory/4824-2039-0x00007FF6850D0000-0x00007FF6854C1000-memory.dmp	xmrig
behavioral2/memory/4708-2035-0x00007FF795630000-0x00007FF795A21000-memory.dmp	xmrig
behavioral2/memory/4092-2029-0x00007FF720390000-0x00007FF720781000-memory.dmp	xmrig
behavioral2/memory/4660-2065-0x00007FF6120A0000-0x00007FF612491000-memory.dmp	xmrig
behavioral2/memory/4584-2093-0x00007FF624390000-0x00007FF624781000-memory.dmp	xmrig
behavioral2/memory/2904-2088-0x00007FF7D7680000-0x00007FF7D7A71000-memory.dmp	xmrig
behavioral2/memory/4220-2086-0x00007FF6DD1E0000-0x00007FF6DD5D1000-memory.dmp	xmrig
behavioral2/memory/2784-2066-0x00007FF731630000-0x00007FF731A21000-memory.dmp	xmrig
behavioral2/memory/1648-2064-0x00007FF78BED0000-0x00007FF78C2C1000-memory.dmp	xmrig
behavioral2/memory/4304-2059-0x00007FF6A5440000-0x00007FF6A5831000-memory.dmp	xmrig
behavioral2/memory/1932-2057-0x00007FF6445A0000-0x00007FF644991000-memory.dmp	xmrig
behavioral2/memory/3848-2056-0x00007FF64C950000-0x00007FF64CD41000-memory.dmp	xmrig
behavioral2/memory/3608-2055-0x00007FF79E8D0000-0x00007FF79ECC1000-memory.dmp	xmrig
behavioral2/memory/844-2054-0x00007FF7018C0000-0x00007FF701CB1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4508	bTDuZFJ.exe
3720	wXbNjAB.exe
1328	QnMfboT.exe
4736	ZgfGQjk.exe
4092	yWTBSUZ.exe
4708	HeqsPkY.exe
4824	nKbmAtc.exe
1968	VNCQcAF.exe
5028	wWXMswa.exe
3772	MbdOwGq.exe
980	BnHBAgD.exe
3632	YnquLwi.exe
2688	CSnmhUz.exe
3848	ARQABCR.exe
1648	UebtDxw.exe
3608	ENihHKy.exe
844	BwuVqlx.exe
1932	szSaLls.exe
4660	pCfsmgV.exe
4220	XWoBIui.exe
2904	VxVADBY.exe
2784	GtVAebZ.exe
4304	pAWgQzh.exe
4584	KVADOfv.exe
2028	PzJtQLI.exe
1380	LNWJsZT.exe
1316	sfUNura.exe
1788	PRMjlgt.exe
3428	qGSYqUI.exe
4040	mdqmVRo.exe
2932	GfmcmJI.exe
1776	BOOCZEc.exe
1596	CXFbRTu.exe
4932	ilBnYhu.exe
3292	XllEzKh.exe
1964	SNDmFuy.exe
3520	lhOapNH.exe
1792	yBfrxzw.exe
1796	AaxoNBf.exe
3092	OgmHrHg.exe
2508	kQEZKix.exe
2844	IYhmMOK.exe
2596	SKkEuSu.exe
3660	lOcsnGH.exe
2676	oAevnLR.exe
228	COxkvRt.exe
5092	XeFJFmK.exe
4808	qpOyuaa.exe
4276	LksMMqB.exe
3796	cgPUXwu.exe
4944	zJoeihZ.exe
3724	cxuNUdr.exe
4860	MSdwHbM.exe
2776	UgnPLeE.exe
1576	XwLOGuh.exe
4772	njftMhP.exe
3616	FzyjCeL.exe
4020	KrBxXSY.exe
2640	lgEatGe.exe
3604	wvmzkcF.exe
5004	XrPljFE.exe
3168	ZiONIjk.exe
1076	ILFjbdJ.exe
4548	SZmjoij.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4200-0-0x00007FF761170000-0x00007FF761561000-memory.dmp	upx
behavioral2/files/0x0009000000023b08-4.dat	upx
behavioral2/files/0x000b000000023b78-7.dat	upx
behavioral2/files/0x000a000000023b7c-9.dat	upx
behavioral2/files/0x000a000000023b81-39.dat	upx
behavioral2/files/0x000a000000023b82-44.dat	upx
behavioral2/files/0x000a000000023b84-52.dat	upx
behavioral2/files/0x000a000000023b85-59.dat	upx
behavioral2/files/0x000a000000023b88-74.dat	upx
behavioral2/files/0x000a000000023b8b-90.dat	upx
behavioral2/files/0x000a000000023b8f-109.dat	upx
behavioral2/files/0x000a000000023b91-117.dat	upx
behavioral2/files/0x000a000000023b94-132.dat	upx
behavioral2/files/0x000a000000023b96-144.dat	upx
behavioral2/files/0x000a000000023b99-159.dat	upx
behavioral2/files/0x000a000000023b9a-164.dat	upx
behavioral2/files/0x000a000000023b98-154.dat	upx
behavioral2/files/0x000a000000023b97-150.dat	upx
behavioral2/files/0x000a000000023b95-140.dat	upx
behavioral2/files/0x000a000000023b93-130.dat	upx
behavioral2/files/0x000a000000023b92-124.dat	upx
behavioral2/memory/4708-378-0x00007FF795630000-0x00007FF795A21000-memory.dmp	upx
behavioral2/memory/4092-377-0x00007FF720390000-0x00007FF720781000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-114.dat	upx
behavioral2/files/0x000a000000023b8e-104.dat	upx
behavioral2/files/0x000a000000023b8d-100.dat	upx
behavioral2/files/0x000a000000023b8c-94.dat	upx
behavioral2/files/0x000a000000023b8a-84.dat	upx
behavioral2/files/0x000a000000023b89-80.dat	upx
behavioral2/files/0x000a000000023b87-69.dat	upx
behavioral2/files/0x000a000000023b86-65.dat	upx
behavioral2/files/0x000a000000023b83-50.dat	upx
behavioral2/files/0x000a000000023b7f-34.dat	upx
behavioral2/files/0x000a000000023b7e-29.dat	upx
behavioral2/files/0x000a000000023b7d-27.dat	upx
behavioral2/memory/1328-25-0x00007FF7528C0000-0x00007FF752CB1000-memory.dmp	upx
behavioral2/memory/3720-11-0x00007FF65F670000-0x00007FF65FA61000-memory.dmp	upx
behavioral2/memory/4508-8-0x00007FF6F4440000-0x00007FF6F4831000-memory.dmp	upx
behavioral2/memory/4824-379-0x00007FF6850D0000-0x00007FF6854C1000-memory.dmp	upx
behavioral2/memory/1968-380-0x00007FF69C640000-0x00007FF69CA31000-memory.dmp	upx
behavioral2/memory/5028-381-0x00007FF65AF10000-0x00007FF65B301000-memory.dmp	upx
behavioral2/memory/3772-382-0x00007FF63F490000-0x00007FF63F881000-memory.dmp	upx
behavioral2/memory/3632-384-0x00007FF606650000-0x00007FF606A41000-memory.dmp	upx
behavioral2/memory/980-383-0x00007FF7FA3B0000-0x00007FF7FA7A1000-memory.dmp	upx
behavioral2/memory/2688-385-0x00007FF74D910000-0x00007FF74DD01000-memory.dmp	upx
behavioral2/memory/3848-386-0x00007FF64C950000-0x00007FF64CD41000-memory.dmp	upx
behavioral2/memory/1648-387-0x00007FF78BED0000-0x00007FF78C2C1000-memory.dmp	upx
behavioral2/memory/3608-392-0x00007FF79E8D0000-0x00007FF79ECC1000-memory.dmp	upx
behavioral2/memory/1932-400-0x00007FF6445A0000-0x00007FF644991000-memory.dmp	upx
behavioral2/memory/4660-411-0x00007FF6120A0000-0x00007FF612491000-memory.dmp	upx
behavioral2/memory/4220-414-0x00007FF6DD1E0000-0x00007FF6DD5D1000-memory.dmp	upx
behavioral2/memory/2784-440-0x00007FF731630000-0x00007FF731A21000-memory.dmp	upx
behavioral2/memory/4584-468-0x00007FF624390000-0x00007FF624781000-memory.dmp	upx
behavioral2/memory/4304-461-0x00007FF6A5440000-0x00007FF6A5831000-memory.dmp	upx
behavioral2/memory/2904-435-0x00007FF7D7680000-0x00007FF7D7A71000-memory.dmp	upx
behavioral2/memory/844-397-0x00007FF7018C0000-0x00007FF701CB1000-memory.dmp	upx
behavioral2/memory/4736-471-0x00007FF762D90000-0x00007FF763181000-memory.dmp	upx
behavioral2/memory/4200-1964-0x00007FF761170000-0x00007FF761561000-memory.dmp	upx
behavioral2/memory/3720-2027-0x00007FF65F670000-0x00007FF65FA61000-memory.dmp	upx
behavioral2/memory/4508-2025-0x00007FF6F4440000-0x00007FF6F4831000-memory.dmp	upx
behavioral2/memory/4736-2033-0x00007FF762D90000-0x00007FF763181000-memory.dmp	upx
behavioral2/memory/1328-2031-0x00007FF7528C0000-0x00007FF752CB1000-memory.dmp	upx
behavioral2/memory/1968-2037-0x00007FF69C640000-0x00007FF69CA31000-memory.dmp	upx
behavioral2/memory/3772-2043-0x00007FF63F490000-0x00007FF63F881000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\oAevnLR.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\KsUErrL.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\KxMJKMt.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\iLEnDsF.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\UtVpoAl.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\tEPrbkT.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\NPbuoSi.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\dUOcAfS.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\QSKboaJ.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\yVhVjTZ.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\MErjkgC.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\jFtpjqZ.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\QpohkqD.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\ARQABCR.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\ljQlmZL.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\qjwABFO.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\zwzEZyX.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\crBlPaX.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\KYhEdst.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\sCKlzTP.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\BfyYOhT.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\mmoInfZ.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\idVNwCC.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\uXbiwbW.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\bqkYjBY.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\aMFhEOf.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\JqoGGxf.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\qEbtrGe.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\jVWBWXf.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\zaRZzoT.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\NAOfqUM.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\zFavmal.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\WgsDWXw.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\fKIUHVT.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\RteSyge.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\oHdMrkw.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\xsCVokZ.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\wWXMswa.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\MtLOTKs.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\bQhqJyG.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\veGWVlu.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\mJHCUSh.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\wqAGzTm.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\oYbgusU.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\PNCAFBP.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\kvTXRfR.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\wpNAErI.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\MEMpRDk.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\CTPmpOo.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\tYQABCt.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\GfmcmJI.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\tEBKVOo.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\LloypZm.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\yeJhhbd.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\QqyjheE.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\njftMhP.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\WoPJtkU.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\kXBtsiD.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\bQvFjCj.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\grAeDSi.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\LNaKMlv.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\qflespg.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\IEdDtKz.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
File created	C:\Windows\System32\BqCfZBP.exe	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1696	dwm.exe
Token: SeChangeNotifyPrivilege	1696	dwm.exe
Token: 33	1696	dwm.exe
Token: SeIncBasePriorityPrivilege	1696	dwm.exe
Token: SeShutdownPrivilege	1696	dwm.exe
Token: SeCreatePagefilePrivilege	1696	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 4508	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	85
PID 4200 wrote to memory of 4508	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	85
PID 4200 wrote to memory of 3720	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	86
PID 4200 wrote to memory of 3720	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	86
PID 4200 wrote to memory of 1328	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	87
PID 4200 wrote to memory of 1328	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	87
PID 4200 wrote to memory of 4736	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	88
PID 4200 wrote to memory of 4736	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	88
PID 4200 wrote to memory of 4092	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	89
PID 4200 wrote to memory of 4092	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	89
PID 4200 wrote to memory of 4708	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	90
PID 4200 wrote to memory of 4708	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	90
PID 4200 wrote to memory of 4824	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	91
PID 4200 wrote to memory of 4824	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	91
PID 4200 wrote to memory of 1968	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	92
PID 4200 wrote to memory of 1968	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	92
PID 4200 wrote to memory of 5028	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	93
PID 4200 wrote to memory of 5028	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	93
PID 4200 wrote to memory of 3772	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	94
PID 4200 wrote to memory of 3772	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	94
PID 4200 wrote to memory of 980	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	95
PID 4200 wrote to memory of 980	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	95
PID 4200 wrote to memory of 3632	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	96
PID 4200 wrote to memory of 3632	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	96
PID 4200 wrote to memory of 2688	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	97
PID 4200 wrote to memory of 2688	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	97
PID 4200 wrote to memory of 3848	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	98
PID 4200 wrote to memory of 3848	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	98
PID 4200 wrote to memory of 1648	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	99
PID 4200 wrote to memory of 1648	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	99
PID 4200 wrote to memory of 3608	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	100
PID 4200 wrote to memory of 3608	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	100
PID 4200 wrote to memory of 844	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	101
PID 4200 wrote to memory of 844	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	101
PID 4200 wrote to memory of 1932	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	102
PID 4200 wrote to memory of 1932	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	102
PID 4200 wrote to memory of 4660	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	103
PID 4200 wrote to memory of 4660	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	103
PID 4200 wrote to memory of 4220	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	104
PID 4200 wrote to memory of 4220	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	104
PID 4200 wrote to memory of 2904	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	105
PID 4200 wrote to memory of 2904	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	105
PID 4200 wrote to memory of 2784	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	106
PID 4200 wrote to memory of 2784	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	106
PID 4200 wrote to memory of 4304	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	107
PID 4200 wrote to memory of 4304	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	107
PID 4200 wrote to memory of 4584	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	108
PID 4200 wrote to memory of 4584	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	108
PID 4200 wrote to memory of 2028	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	109
PID 4200 wrote to memory of 2028	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	109
PID 4200 wrote to memory of 1380	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	110
PID 4200 wrote to memory of 1380	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	110
PID 4200 wrote to memory of 1316	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	111
PID 4200 wrote to memory of 1316	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	111
PID 4200 wrote to memory of 1788	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	112
PID 4200 wrote to memory of 1788	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	112
PID 4200 wrote to memory of 3428	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	113
PID 4200 wrote to memory of 3428	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	113
PID 4200 wrote to memory of 4040	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	114
PID 4200 wrote to memory of 4040	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	114
PID 4200 wrote to memory of 2932	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	115
PID 4200 wrote to memory of 2932	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	115
PID 4200 wrote to memory of 1776	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	116
PID 4200 wrote to memory of 1776	4200	09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09cfe051bc40c2279b315b17af974a89_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\System32\bTDuZFJ.exe
  C:\Windows\System32\bTDuZFJ.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System32\wXbNjAB.exe
  C:\Windows\System32\wXbNjAB.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\QnMfboT.exe
  C:\Windows\System32\QnMfboT.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System32\ZgfGQjk.exe
  C:\Windows\System32\ZgfGQjk.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System32\yWTBSUZ.exe
  C:\Windows\System32\yWTBSUZ.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System32\HeqsPkY.exe
  C:\Windows\System32\HeqsPkY.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\nKbmAtc.exe
  C:\Windows\System32\nKbmAtc.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\VNCQcAF.exe
  C:\Windows\System32\VNCQcAF.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System32\wWXMswa.exe
  C:\Windows\System32\wWXMswa.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\MbdOwGq.exe
  C:\Windows\System32\MbdOwGq.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System32\BnHBAgD.exe
  C:\Windows\System32\BnHBAgD.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System32\YnquLwi.exe
  C:\Windows\System32\YnquLwi.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\CSnmhUz.exe
  C:\Windows\System32\CSnmhUz.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System32\ARQABCR.exe
  C:\Windows\System32\ARQABCR.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\UebtDxw.exe
  C:\Windows\System32\UebtDxw.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\ENihHKy.exe
  C:\Windows\System32\ENihHKy.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System32\BwuVqlx.exe
  C:\Windows\System32\BwuVqlx.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System32\szSaLls.exe
  C:\Windows\System32\szSaLls.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\pCfsmgV.exe
  C:\Windows\System32\pCfsmgV.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\XWoBIui.exe
  C:\Windows\System32\XWoBIui.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\VxVADBY.exe
  C:\Windows\System32\VxVADBY.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\GtVAebZ.exe
  C:\Windows\System32\GtVAebZ.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System32\pAWgQzh.exe
  C:\Windows\System32\pAWgQzh.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\KVADOfv.exe
  C:\Windows\System32\KVADOfv.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\PzJtQLI.exe
  C:\Windows\System32\PzJtQLI.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System32\LNWJsZT.exe
  C:\Windows\System32\LNWJsZT.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\sfUNura.exe
  C:\Windows\System32\sfUNura.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System32\PRMjlgt.exe
  C:\Windows\System32\PRMjlgt.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System32\qGSYqUI.exe
  C:\Windows\System32\qGSYqUI.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System32\mdqmVRo.exe
  C:\Windows\System32\mdqmVRo.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System32\GfmcmJI.exe
  C:\Windows\System32\GfmcmJI.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System32\BOOCZEc.exe
  C:\Windows\System32\BOOCZEc.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System32\CXFbRTu.exe
  C:\Windows\System32\CXFbRTu.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System32\ilBnYhu.exe
  C:\Windows\System32\ilBnYhu.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\XllEzKh.exe
  C:\Windows\System32\XllEzKh.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\SNDmFuy.exe
  C:\Windows\System32\SNDmFuy.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System32\lhOapNH.exe
  C:\Windows\System32\lhOapNH.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System32\yBfrxzw.exe
  C:\Windows\System32\yBfrxzw.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System32\AaxoNBf.exe
  C:\Windows\System32\AaxoNBf.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System32\OgmHrHg.exe
  C:\Windows\System32\OgmHrHg.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System32\kQEZKix.exe
  C:\Windows\System32\kQEZKix.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System32\IYhmMOK.exe
  C:\Windows\System32\IYhmMOK.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System32\SKkEuSu.exe
  C:\Windows\System32\SKkEuSu.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\lOcsnGH.exe
  C:\Windows\System32\lOcsnGH.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\oAevnLR.exe
  C:\Windows\System32\oAevnLR.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System32\COxkvRt.exe
  C:\Windows\System32\COxkvRt.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\XeFJFmK.exe
  C:\Windows\System32\XeFJFmK.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\qpOyuaa.exe
  C:\Windows\System32\qpOyuaa.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\LksMMqB.exe
  C:\Windows\System32\LksMMqB.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System32\cgPUXwu.exe
  C:\Windows\System32\cgPUXwu.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System32\zJoeihZ.exe
  C:\Windows\System32\zJoeihZ.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\cxuNUdr.exe
  C:\Windows\System32\cxuNUdr.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System32\MSdwHbM.exe
  C:\Windows\System32\MSdwHbM.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\UgnPLeE.exe
  C:\Windows\System32\UgnPLeE.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System32\XwLOGuh.exe
  C:\Windows\System32\XwLOGuh.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System32\njftMhP.exe
  C:\Windows\System32\njftMhP.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System32\FzyjCeL.exe
  C:\Windows\System32\FzyjCeL.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\KrBxXSY.exe
  C:\Windows\System32\KrBxXSY.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System32\lgEatGe.exe
  C:\Windows\System32\lgEatGe.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System32\wvmzkcF.exe
  C:\Windows\System32\wvmzkcF.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System32\XrPljFE.exe
  C:\Windows\System32\XrPljFE.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System32\ZiONIjk.exe
  C:\Windows\System32\ZiONIjk.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\ILFjbdJ.exe
  C:\Windows\System32\ILFjbdJ.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\SZmjoij.exe
  C:\Windows\System32\SZmjoij.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\bkIGDMm.exe
  C:\Windows\System32\bkIGDMm.exe
  2⤵
  PID:712
- C:\Windows\System32\qRCCvba.exe
  C:\Windows\System32\qRCCvba.exe
  2⤵
  PID:4872
- C:\Windows\System32\grAeDSi.exe
  C:\Windows\System32\grAeDSi.exe
  2⤵
  PID:1872
- C:\Windows\System32\dUOcAfS.exe
  C:\Windows\System32\dUOcAfS.exe
  2⤵
  PID:2948
- C:\Windows\System32\qOKfGmi.exe
  C:\Windows\System32\qOKfGmi.exe
  2⤵
  PID:2584
- C:\Windows\System32\IBeSyav.exe
  C:\Windows\System32\IBeSyav.exe
  2⤵
  PID:2960
- C:\Windows\System32\iykkknW.exe
  C:\Windows\System32\iykkknW.exe
  2⤵
  PID:536
- C:\Windows\System32\lMSlXST.exe
  C:\Windows\System32\lMSlXST.exe
  2⤵
  PID:1952
- C:\Windows\System32\CkvSorP.exe
  C:\Windows\System32\CkvSorP.exe
  2⤵
  PID:1384
- C:\Windows\System32\QBQBsod.exe
  C:\Windows\System32\QBQBsod.exe
  2⤵
  PID:380
- C:\Windows\System32\FQdfTNr.exe
  C:\Windows\System32\FQdfTNr.exe
  2⤵
  PID:4360
- C:\Windows\System32\YiNlALV.exe
  C:\Windows\System32\YiNlALV.exe
  2⤵
  PID:944
- C:\Windows\System32\lNbqwsX.exe
  C:\Windows\System32\lNbqwsX.exe
  2⤵
  PID:1816
- C:\Windows\System32\PsJPhPM.exe
  C:\Windows\System32\PsJPhPM.exe
  2⤵
  PID:2956
- C:\Windows\System32\rcXbccV.exe
  C:\Windows\System32\rcXbccV.exe
  2⤵
  PID:1488
- C:\Windows\System32\XSleJZu.exe
  C:\Windows\System32\XSleJZu.exe
  2⤵
  PID:4480
- C:\Windows\System32\csapXkZ.exe
  C:\Windows\System32\csapXkZ.exe
  2⤵
  PID:2864
- C:\Windows\System32\lmglQnQ.exe
  C:\Windows\System32\lmglQnQ.exe
  2⤵
  PID:2000
- C:\Windows\System32\vtEwAHq.exe
  C:\Windows\System32\vtEwAHq.exe
  2⤵
  PID:1492
- C:\Windows\System32\tGYpGFJ.exe
  C:\Windows\System32\tGYpGFJ.exe
  2⤵
  PID:1464
- C:\Windows\System32\oYbgusU.exe
  C:\Windows\System32\oYbgusU.exe
  2⤵
  PID:4404
- C:\Windows\System32\nigGlqf.exe
  C:\Windows\System32\nigGlqf.exe
  2⤵
  PID:4444
- C:\Windows\System32\hujDMhf.exe
  C:\Windows\System32\hujDMhf.exe
  2⤵
  PID:5140
- C:\Windows\System32\eknKtgB.exe
  C:\Windows\System32\eknKtgB.exe
  2⤵
  PID:5164
- C:\Windows\System32\FgcotLq.exe
  C:\Windows\System32\FgcotLq.exe
  2⤵
  PID:5196
- C:\Windows\System32\QkRcgnH.exe
  C:\Windows\System32\QkRcgnH.exe
  2⤵
  PID:5224
- C:\Windows\System32\phKiILa.exe
  C:\Windows\System32\phKiILa.exe
  2⤵
  PID:5256
- C:\Windows\System32\YzHgmQE.exe
  C:\Windows\System32\YzHgmQE.exe
  2⤵
  PID:5280
- C:\Windows\System32\tEBKVOo.exe
  C:\Windows\System32\tEBKVOo.exe
  2⤵
  PID:5304
- C:\Windows\System32\RvXWCjm.exe
  C:\Windows\System32\RvXWCjm.exe
  2⤵
  PID:5336
- C:\Windows\System32\AvdeuBw.exe
  C:\Windows\System32\AvdeuBw.exe
  2⤵
  PID:5360
- C:\Windows\System32\uWDpaVT.exe
  C:\Windows\System32\uWDpaVT.exe
  2⤵
  PID:5392
- C:\Windows\System32\SGBdIET.exe
  C:\Windows\System32\SGBdIET.exe
  2⤵
  PID:5420
- C:\Windows\System32\BacGbHI.exe
  C:\Windows\System32\BacGbHI.exe
  2⤵
  PID:5444
- C:\Windows\System32\RteSyge.exe
  C:\Windows\System32\RteSyge.exe
  2⤵
  PID:5476
- C:\Windows\System32\vCSCCIo.exe
  C:\Windows\System32\vCSCCIo.exe
  2⤵
  PID:5500
- C:\Windows\System32\dpQRJoT.exe
  C:\Windows\System32\dpQRJoT.exe
  2⤵
  PID:5532
- C:\Windows\System32\dJjLqoQ.exe
  C:\Windows\System32\dJjLqoQ.exe
  2⤵
  PID:5560
- C:\Windows\System32\qZniQzn.exe
  C:\Windows\System32\qZniQzn.exe
  2⤵
  PID:5584
- C:\Windows\System32\MimSNRj.exe
  C:\Windows\System32\MimSNRj.exe
  2⤵
  PID:5712
- C:\Windows\System32\ZeMvTpl.exe
  C:\Windows\System32\ZeMvTpl.exe
  2⤵
  PID:5744
- C:\Windows\System32\QSKboaJ.exe
  C:\Windows\System32\QSKboaJ.exe
  2⤵
  PID:5760
- C:\Windows\System32\ibMPbxB.exe
  C:\Windows\System32\ibMPbxB.exe
  2⤵
  PID:5792
- C:\Windows\System32\ACUvCqB.exe
  C:\Windows\System32\ACUvCqB.exe
  2⤵
  PID:5812
- C:\Windows\System32\GASapuP.exe
  C:\Windows\System32\GASapuP.exe
  2⤵
  PID:5828
- C:\Windows\System32\LwoPwKW.exe
  C:\Windows\System32\LwoPwKW.exe
  2⤵
  PID:5848
- C:\Windows\System32\XtZlnkn.exe
  C:\Windows\System32\XtZlnkn.exe
  2⤵
  PID:5864
- C:\Windows\System32\UiABQeS.exe
  C:\Windows\System32\UiABQeS.exe
  2⤵
  PID:5880
- C:\Windows\System32\HdgvUkq.exe
  C:\Windows\System32\HdgvUkq.exe
  2⤵
  PID:5936
- C:\Windows\System32\gtpSetk.exe
  C:\Windows\System32\gtpSetk.exe
  2⤵
  PID:5976
- C:\Windows\System32\vqldnQQ.exe
  C:\Windows\System32\vqldnQQ.exe
  2⤵
  PID:5992
- C:\Windows\System32\CxRmQyS.exe
  C:\Windows\System32\CxRmQyS.exe
  2⤵
  PID:6020
- C:\Windows\System32\zaRZzoT.exe
  C:\Windows\System32\zaRZzoT.exe
  2⤵
  PID:6036
- C:\Windows\System32\qCKHQDX.exe
  C:\Windows\System32\qCKHQDX.exe
  2⤵
  PID:6052
- C:\Windows\System32\aJJRHVV.exe
  C:\Windows\System32\aJJRHVV.exe
  2⤵
  PID:6072
- C:\Windows\System32\RlaMipW.exe
  C:\Windows\System32\RlaMipW.exe
  2⤵
  PID:6088
- C:\Windows\System32\LQLGLTy.exe
  C:\Windows\System32\LQLGLTy.exe
  2⤵
  PID:6108
- C:\Windows\System32\kEaJwZA.exe
  C:\Windows\System32\kEaJwZA.exe
  2⤵
  PID:4012
- C:\Windows\System32\qGQdvgm.exe
  C:\Windows\System32\qGQdvgm.exe
  2⤵
  PID:4272
- C:\Windows\System32\PNCAFBP.exe
  C:\Windows\System32\PNCAFBP.exe
  2⤵
  PID:3248
- C:\Windows\System32\kvTXRfR.exe
  C:\Windows\System32\kvTXRfR.exe
  2⤵
  PID:4728
- C:\Windows\System32\DPlpOmG.exe
  C:\Windows\System32\DPlpOmG.exe
  2⤵
  PID:4424
- C:\Windows\System32\IovTVwt.exe
  C:\Windows\System32\IovTVwt.exe
  2⤵
  PID:5156
- C:\Windows\System32\DdKPakV.exe
  C:\Windows\System32\DdKPakV.exe
  2⤵
  PID:5180
- C:\Windows\System32\kxwDYIz.exe
  C:\Windows\System32\kxwDYIz.exe
  2⤵
  PID:5212
- C:\Windows\System32\jdgkdJN.exe
  C:\Windows\System32\jdgkdJN.exe
  2⤵
  PID:3704
- C:\Windows\System32\wpNAErI.exe
  C:\Windows\System32\wpNAErI.exe
  2⤵
  PID:5440
- C:\Windows\System32\PWoaUIJ.exe
  C:\Windows\System32\PWoaUIJ.exe
  2⤵
  PID:2612
- C:\Windows\System32\KTizTvG.exe
  C:\Windows\System32\KTizTvG.exe
  2⤵
  PID:5492
- C:\Windows\System32\PPxAVFz.exe
  C:\Windows\System32\PPxAVFz.exe
  2⤵
  PID:5568
- C:\Windows\System32\DkTqrZV.exe
  C:\Windows\System32\DkTqrZV.exe
  2⤵
  PID:5636
- C:\Windows\System32\cgGAgrQ.exe
  C:\Windows\System32\cgGAgrQ.exe
  2⤵
  PID:2364
- C:\Windows\System32\SiFQpnV.exe
  C:\Windows\System32\SiFQpnV.exe
  2⤵
  PID:2516
- C:\Windows\System32\EknHYdz.exe
  C:\Windows\System32\EknHYdz.exe
  2⤵
  PID:5784
- C:\Windows\System32\VBIYRpF.exe
  C:\Windows\System32\VBIYRpF.exe
  2⤵
  PID:5824
- C:\Windows\System32\WtjsPsV.exe
  C:\Windows\System32\WtjsPsV.exe
  2⤵
  PID:5872
- C:\Windows\System32\NcMfRWK.exe
  C:\Windows\System32\NcMfRWK.exe
  2⤵
  PID:5916
- C:\Windows\System32\XepyORb.exe
  C:\Windows\System32\XepyORb.exe
  2⤵
  PID:5984
- C:\Windows\System32\sdPBoty.exe
  C:\Windows\System32\sdPBoty.exe
  2⤵
  PID:6044
- C:\Windows\System32\tftuQjh.exe
  C:\Windows\System32\tftuQjh.exe
  2⤵
  PID:6080
- C:\Windows\System32\RWNKxte.exe
  C:\Windows\System32\RWNKxte.exe
  2⤵
  PID:6032
- C:\Windows\System32\HWGCWLE.exe
  C:\Windows\System32\HWGCWLE.exe
  2⤵
  PID:6104
- C:\Windows\System32\YNvijFm.exe
  C:\Windows\System32\YNvijFm.exe
  2⤵
  PID:5252
- C:\Windows\System32\MgydroM.exe
  C:\Windows\System32\MgydroM.exe
  2⤵
  PID:5232
- C:\Windows\System32\jQVynfK.exe
  C:\Windows\System32\jQVynfK.exe
  2⤵
  PID:5496
- C:\Windows\System32\NBeZbdW.exe
  C:\Windows\System32\NBeZbdW.exe
  2⤵
  PID:5548
- C:\Windows\System32\KnWbBFu.exe
  C:\Windows\System32\KnWbBFu.exe
  2⤵
  PID:5664
- C:\Windows\System32\eByTugF.exe
  C:\Windows\System32\eByTugF.exe
  2⤵
  PID:5736
- C:\Windows\System32\NAOfqUM.exe
  C:\Windows\System32\NAOfqUM.exe
  2⤵
  PID:1064
- C:\Windows\System32\hFAtzsu.exe
  C:\Windows\System32\hFAtzsu.exe
  2⤵
  PID:5904
- C:\Windows\System32\OntiyPJ.exe
  C:\Windows\System32\OntiyPJ.exe
  2⤵
  PID:5836
- C:\Windows\System32\Sxwwzil.exe
  C:\Windows\System32\Sxwwzil.exe
  2⤵
  PID:6140
- C:\Windows\System32\EUlbyrS.exe
  C:\Windows\System32\EUlbyrS.exe
  2⤵
  PID:400
- C:\Windows\System32\uXbiwbW.exe
  C:\Windows\System32\uXbiwbW.exe
  2⤵
  PID:6068
- C:\Windows\System32\FCnwOSQ.exe
  C:\Windows\System32\FCnwOSQ.exe
  2⤵
  PID:4928
- C:\Windows\System32\nbFWYVx.exe
  C:\Windows\System32\nbFWYVx.exe
  2⤵
  PID:5324
- C:\Windows\System32\QllAbPd.exe
  C:\Windows\System32\QllAbPd.exe
  2⤵
  PID:1032
- C:\Windows\System32\AkzQfhF.exe
  C:\Windows\System32\AkzQfhF.exe
  2⤵
  PID:5920
- C:\Windows\System32\mprjqRp.exe
  C:\Windows\System32\mprjqRp.exe
  2⤵
  PID:5988
- C:\Windows\System32\pTTKAQH.exe
  C:\Windows\System32\pTTKAQH.exe
  2⤵
  PID:6156
- C:\Windows\System32\JzueTLa.exe
  C:\Windows\System32\JzueTLa.exe
  2⤵
  PID:6176
- C:\Windows\System32\AJxsfVE.exe
  C:\Windows\System32\AJxsfVE.exe
  2⤵
  PID:6200
- C:\Windows\System32\mDwJbWw.exe
  C:\Windows\System32\mDwJbWw.exe
  2⤵
  PID:6216
- C:\Windows\System32\CxCoweO.exe
  C:\Windows\System32\CxCoweO.exe
  2⤵
  PID:6236
- C:\Windows\System32\bjEamGV.exe
  C:\Windows\System32\bjEamGV.exe
  2⤵
  PID:6256
- C:\Windows\System32\seXJhEC.exe
  C:\Windows\System32\seXJhEC.exe
  2⤵
  PID:6272
- C:\Windows\System32\ypNBtyX.exe
  C:\Windows\System32\ypNBtyX.exe
  2⤵
  PID:6296
- C:\Windows\System32\ZYaHGjz.exe
  C:\Windows\System32\ZYaHGjz.exe
  2⤵
  PID:6416
- C:\Windows\System32\iunrssX.exe
  C:\Windows\System32\iunrssX.exe
  2⤵
  PID:6488
- C:\Windows\System32\LNaKMlv.exe
  C:\Windows\System32\LNaKMlv.exe
  2⤵
  PID:6508
- C:\Windows\System32\tYkuFLg.exe
  C:\Windows\System32\tYkuFLg.exe
  2⤵
  PID:6532
- C:\Windows\System32\NVSFses.exe
  C:\Windows\System32\NVSFses.exe
  2⤵
  PID:6560
- C:\Windows\System32\sCKlzTP.exe
  C:\Windows\System32\sCKlzTP.exe
  2⤵
  PID:6576
- C:\Windows\System32\vbLqfZg.exe
  C:\Windows\System32\vbLqfZg.exe
  2⤵
  PID:6596
- C:\Windows\System32\CZwDpKh.exe
  C:\Windows\System32\CZwDpKh.exe
  2⤵
  PID:6628
- C:\Windows\System32\yJTdPki.exe
  C:\Windows\System32\yJTdPki.exe
  2⤵
  PID:6648
- C:\Windows\System32\qmFskZQ.exe
  C:\Windows\System32\qmFskZQ.exe
  2⤵
  PID:6664
- C:\Windows\System32\xQvbYdi.exe
  C:\Windows\System32\xQvbYdi.exe
  2⤵
  PID:6688
- C:\Windows\System32\OitRLae.exe
  C:\Windows\System32\OitRLae.exe
  2⤵
  PID:6720
- C:\Windows\System32\qcRQKNk.exe
  C:\Windows\System32\qcRQKNk.exe
  2⤵
  PID:6736
- C:\Windows\System32\qYKlkhP.exe
  C:\Windows\System32\qYKlkhP.exe
  2⤵
  PID:6800
- C:\Windows\System32\sJgDXHS.exe
  C:\Windows\System32\sJgDXHS.exe
  2⤵
  PID:6816
- C:\Windows\System32\GVFOLhE.exe
  C:\Windows\System32\GVFOLhE.exe
  2⤵
  PID:6836
- C:\Windows\System32\cKAYVjW.exe
  C:\Windows\System32\cKAYVjW.exe
  2⤵
  PID:6856
- C:\Windows\System32\RWXGtAQ.exe
  C:\Windows\System32\RWXGtAQ.exe
  2⤵
  PID:6872
- C:\Windows\System32\fniVLGn.exe
  C:\Windows\System32\fniVLGn.exe
  2⤵
  PID:6896
- C:\Windows\System32\FYpcPby.exe
  C:\Windows\System32\FYpcPby.exe
  2⤵
  PID:6912
- C:\Windows\System32\kzCFlmm.exe
  C:\Windows\System32\kzCFlmm.exe
  2⤵
  PID:6936
- C:\Windows\System32\rdPLhWp.exe
  C:\Windows\System32\rdPLhWp.exe
  2⤵
  PID:6952
- C:\Windows\System32\EaYFNWA.exe
  C:\Windows\System32\EaYFNWA.exe
  2⤵
  PID:6976
- C:\Windows\System32\Xkjcngl.exe
  C:\Windows\System32\Xkjcngl.exe
  2⤵
  PID:6996
- C:\Windows\System32\KsUErrL.exe
  C:\Windows\System32\KsUErrL.exe
  2⤵
  PID:7016
- C:\Windows\System32\OhfKSjg.exe
  C:\Windows\System32\OhfKSjg.exe
  2⤵
  PID:7084
- C:\Windows\System32\AsPSoJo.exe
  C:\Windows\System32\AsPSoJo.exe
  2⤵
  PID:7120
- C:\Windows\System32\JyVxuBc.exe
  C:\Windows\System32\JyVxuBc.exe
  2⤵
  PID:3044
- C:\Windows\System32\cOPJmcM.exe
  C:\Windows\System32\cOPJmcM.exe
  2⤵
  PID:5016
- C:\Windows\System32\LfmHMNQ.exe
  C:\Windows\System32\LfmHMNQ.exe
  2⤵
  PID:6192
- C:\Windows\System32\MtLOTKs.exe
  C:\Windows\System32\MtLOTKs.exe
  2⤵
  PID:6252
- C:\Windows\System32\tbnOwYi.exe
  C:\Windows\System32\tbnOwYi.exe
  2⤵
  PID:6264
- C:\Windows\System32\xTnDPxG.exe
  C:\Windows\System32\xTnDPxG.exe
  2⤵
  PID:6208
- C:\Windows\System32\vEpgXof.exe
  C:\Windows\System32\vEpgXof.exe
  2⤵
  PID:6528
- C:\Windows\System32\GDolGYP.exe
  C:\Windows\System32\GDolGYP.exe
  2⤵
  PID:6500
- C:\Windows\System32\bxhvrjT.exe
  C:\Windows\System32\bxhvrjT.exe
  2⤵
  PID:6572
- C:\Windows\System32\eeeDEQS.exe
  C:\Windows\System32\eeeDEQS.exe
  2⤵
  PID:6680
- C:\Windows\System32\DYmGyrn.exe
  C:\Windows\System32\DYmGyrn.exe
  2⤵
  PID:6840
- C:\Windows\System32\cGRpCHq.exe
  C:\Windows\System32\cGRpCHq.exe
  2⤵
  PID:6868
- C:\Windows\System32\NmFHYKE.exe
  C:\Windows\System32\NmFHYKE.exe
  2⤵
  PID:6960
- C:\Windows\System32\UFcJUck.exe
  C:\Windows\System32\UFcJUck.exe
  2⤵
  PID:5652
- C:\Windows\System32\pBEChBD.exe
  C:\Windows\System32\pBEChBD.exe
  2⤵
  PID:6888
- C:\Windows\System32\CJfHKqC.exe
  C:\Windows\System32\CJfHKqC.exe
  2⤵
  PID:6968
- C:\Windows\System32\lzEGtSy.exe
  C:\Windows\System32\lzEGtSy.exe
  2⤵
  PID:7080
- C:\Windows\System32\djGXRct.exe
  C:\Windows\System32\djGXRct.exe
  2⤵
  PID:3696
- C:\Windows\System32\LkuWzjW.exe
  C:\Windows\System32\LkuWzjW.exe
  2⤵
  PID:1916
- C:\Windows\System32\OTkxCYU.exe
  C:\Windows\System32\OTkxCYU.exe
  2⤵
  PID:5708
- C:\Windows\System32\mLdsDyn.exe
  C:\Windows\System32\mLdsDyn.exe
  2⤵
  PID:6324
- C:\Windows\System32\pNPYfdG.exe
  C:\Windows\System32\pNPYfdG.exe
  2⤵
  PID:6756
- C:\Windows\System32\DkutVwn.exe
  C:\Windows\System32\DkutVwn.exe
  2⤵
  PID:6932
- C:\Windows\System32\tPBORba.exe
  C:\Windows\System32\tPBORba.exe
  2⤵
  PID:6984
- C:\Windows\System32\TEAOOzV.exe
  C:\Windows\System32\TEAOOzV.exe
  2⤵
  PID:6172
- C:\Windows\System32\PlsxtYZ.exe
  C:\Windows\System32\PlsxtYZ.exe
  2⤵
  PID:5820
- C:\Windows\System32\MeHqGTY.exe
  C:\Windows\System32\MeHqGTY.exe
  2⤵
  PID:6224
- C:\Windows\System32\fPjQeVt.exe
  C:\Windows\System32\fPjQeVt.exe
  2⤵
  PID:6524
- C:\Windows\System32\DnBuDNU.exe
  C:\Windows\System32\DnBuDNU.exe
  2⤵
  PID:6248
- C:\Windows\System32\eabmZhe.exe
  C:\Windows\System32\eabmZhe.exe
  2⤵
  PID:7180
- C:\Windows\System32\ENZiXMc.exe
  C:\Windows\System32\ENZiXMc.exe
  2⤵
  PID:7204
- C:\Windows\System32\CsOkPQd.exe
  C:\Windows\System32\CsOkPQd.exe
  2⤵
  PID:7220
- C:\Windows\System32\HcHzqay.exe
  C:\Windows\System32\HcHzqay.exe
  2⤵
  PID:7240
- C:\Windows\System32\PZDZpWm.exe
  C:\Windows\System32\PZDZpWm.exe
  2⤵
  PID:7260
- C:\Windows\System32\jgWoeEe.exe
  C:\Windows\System32\jgWoeEe.exe
  2⤵
  PID:7296
- C:\Windows\System32\kfSilSm.exe
  C:\Windows\System32\kfSilSm.exe
  2⤵
  PID:7316
- C:\Windows\System32\VovABHn.exe
  C:\Windows\System32\VovABHn.exe
  2⤵
  PID:7332
- C:\Windows\System32\LloypZm.exe
  C:\Windows\System32\LloypZm.exe
  2⤵
  PID:7356
- C:\Windows\System32\LlVWxly.exe
  C:\Windows\System32\LlVWxly.exe
  2⤵
  PID:7372
- C:\Windows\System32\gqGpIcl.exe
  C:\Windows\System32\gqGpIcl.exe
  2⤵
  PID:7396
- C:\Windows\System32\tBhiKbr.exe
  C:\Windows\System32\tBhiKbr.exe
  2⤵
  PID:7416
- C:\Windows\System32\fAtolFN.exe
  C:\Windows\System32\fAtolFN.exe
  2⤵
  PID:7460
- C:\Windows\System32\fBXcZEQ.exe
  C:\Windows\System32\fBXcZEQ.exe
  2⤵
  PID:7484
- C:\Windows\System32\tHCkahs.exe
  C:\Windows\System32\tHCkahs.exe
  2⤵
  PID:7540
- C:\Windows\System32\hpfWdrp.exe
  C:\Windows\System32\hpfWdrp.exe
  2⤵
  PID:7560
- C:\Windows\System32\zcojKbv.exe
  C:\Windows\System32\zcojKbv.exe
  2⤵
  PID:7592
- C:\Windows\System32\QgiuXoJ.exe
  C:\Windows\System32\QgiuXoJ.exe
  2⤵
  PID:7660
- C:\Windows\System32\OgiYgca.exe
  C:\Windows\System32\OgiYgca.exe
  2⤵
  PID:7684
- C:\Windows\System32\juEUqTo.exe
  C:\Windows\System32\juEUqTo.exe
  2⤵
  PID:7700
- C:\Windows\System32\XJOTfUE.exe
  C:\Windows\System32\XJOTfUE.exe
  2⤵
  PID:7720
- C:\Windows\System32\iHPVAoM.exe
  C:\Windows\System32\iHPVAoM.exe
  2⤵
  PID:7744
- C:\Windows\System32\ZvSPgpf.exe
  C:\Windows\System32\ZvSPgpf.exe
  2⤵
  PID:7788
- C:\Windows\System32\iVHhwCl.exe
  C:\Windows\System32\iVHhwCl.exe
  2⤵
  PID:7816
- C:\Windows\System32\yeJhhbd.exe
  C:\Windows\System32\yeJhhbd.exe
  2⤵
  PID:7836
- C:\Windows\System32\VdcYqgz.exe
  C:\Windows\System32\VdcYqgz.exe
  2⤵
  PID:7860
- C:\Windows\System32\cOqpona.exe
  C:\Windows\System32\cOqpona.exe
  2⤵
  PID:7888
- C:\Windows\System32\wolgcTv.exe
  C:\Windows\System32\wolgcTv.exe
  2⤵
  PID:7928
- C:\Windows\System32\YajVuqN.exe
  C:\Windows\System32\YajVuqN.exe
  2⤵
  PID:7964
- C:\Windows\System32\fkIUeEg.exe
  C:\Windows\System32\fkIUeEg.exe
  2⤵
  PID:7992
- C:\Windows\System32\ZnMkKeV.exe
  C:\Windows\System32\ZnMkKeV.exe
  2⤵
  PID:8016
- C:\Windows\System32\KUhWXYJ.exe
  C:\Windows\System32\KUhWXYJ.exe
  2⤵
  PID:8048
- C:\Windows\System32\DtnrFWT.exe
  C:\Windows\System32\DtnrFWT.exe
  2⤵
  PID:8072
- C:\Windows\System32\xQkXuGB.exe
  C:\Windows\System32\xQkXuGB.exe
  2⤵
  PID:8096
- C:\Windows\System32\OwLtCvF.exe
  C:\Windows\System32\OwLtCvF.exe
  2⤵
  PID:8116
- C:\Windows\System32\VaePIWQ.exe
  C:\Windows\System32\VaePIWQ.exe
  2⤵
  PID:8152
- C:\Windows\System32\fVgUyYy.exe
  C:\Windows\System32\fVgUyYy.exe
  2⤵
  PID:8172
- C:\Windows\System32\WSFBoHL.exe
  C:\Windows\System32\WSFBoHL.exe
  2⤵
  PID:8188
- C:\Windows\System32\bqkYjBY.exe
  C:\Windows\System32\bqkYjBY.exe
  2⤵
  PID:6928
- C:\Windows\System32\gHXTtni.exe
  C:\Windows\System32\gHXTtni.exe
  2⤵
  PID:7284
- C:\Windows\System32\CIhvZwP.exe
  C:\Windows\System32\CIhvZwP.exe
  2⤵
  PID:7428
- C:\Windows\System32\CCrOLZX.exe
  C:\Windows\System32\CCrOLZX.exe
  2⤵
  PID:7324
- C:\Windows\System32\BfyYOhT.exe
  C:\Windows\System32\BfyYOhT.exe
  2⤵
  PID:7448
- C:\Windows\System32\vgSOSZS.exe
  C:\Windows\System32\vgSOSZS.exe
  2⤵
  PID:7480
- C:\Windows\System32\TuPTbdz.exe
  C:\Windows\System32\TuPTbdz.exe
  2⤵
  PID:7600
- C:\Windows\System32\zFavmal.exe
  C:\Windows\System32\zFavmal.exe
  2⤵
  PID:7708
- C:\Windows\System32\ARknkKC.exe
  C:\Windows\System32\ARknkKC.exe
  2⤵
  PID:7756
- C:\Windows\System32\yVhVjTZ.exe
  C:\Windows\System32\yVhVjTZ.exe
  2⤵
  PID:7812
- C:\Windows\System32\nWPxNCl.exe
  C:\Windows\System32\nWPxNCl.exe
  2⤵
  PID:7872
- C:\Windows\System32\rfnkliK.exe
  C:\Windows\System32\rfnkliK.exe
  2⤵
  PID:7916
- C:\Windows\System32\HTmmYPm.exe
  C:\Windows\System32\HTmmYPm.exe
  2⤵
  PID:8068
- C:\Windows\System32\ZegOAsO.exe
  C:\Windows\System32\ZegOAsO.exe
  2⤵
  PID:8060
- C:\Windows\System32\ECTlBLm.exe
  C:\Windows\System32\ECTlBLm.exe
  2⤵
  PID:8144
- C:\Windows\System32\KuVtXTe.exe
  C:\Windows\System32\KuVtXTe.exe
  2⤵
  PID:7200
- C:\Windows\System32\uqRawjk.exe
  C:\Windows\System32\uqRawjk.exe
  2⤵
  PID:7288
- C:\Windows\System32\OYtgtsz.exe
  C:\Windows\System32\OYtgtsz.exe
  2⤵
  PID:7408
- C:\Windows\System32\PhiJfRz.exe
  C:\Windows\System32\PhiJfRz.exe
  2⤵
  PID:7536
- C:\Windows\System32\JibexPr.exe
  C:\Windows\System32\JibexPr.exe
  2⤵
  PID:7832
- C:\Windows\System32\xGCqNNm.exe
  C:\Windows\System32\xGCqNNm.exe
  2⤵
  PID:7876
- C:\Windows\System32\rRfdNqL.exe
  C:\Windows\System32\rRfdNqL.exe
  2⤵
  PID:8056
- C:\Windows\System32\rUgCqKY.exe
  C:\Windows\System32\rUgCqKY.exe
  2⤵
  PID:8136
- C:\Windows\System32\hrfNtcb.exe
  C:\Windows\System32\hrfNtcb.exe
  2⤵
  PID:7216
- C:\Windows\System32\ljQlmZL.exe
  C:\Windows\System32\ljQlmZL.exe
  2⤵
  PID:7492
- C:\Windows\System32\wpTTSsw.exe
  C:\Windows\System32\wpTTSsw.exe
  2⤵
  PID:7880
- C:\Windows\System32\bQhqJyG.exe
  C:\Windows\System32\bQhqJyG.exe
  2⤵
  PID:8092
- C:\Windows\System32\nZVEUxY.exe
  C:\Windows\System32\nZVEUxY.exe
  2⤵
  PID:8204
- C:\Windows\System32\diuJvEP.exe
  C:\Windows\System32\diuJvEP.exe
  2⤵
  PID:8220
- C:\Windows\System32\FUdmtcY.exe
  C:\Windows\System32\FUdmtcY.exe
  2⤵
  PID:8244
- C:\Windows\System32\LepbESe.exe
  C:\Windows\System32\LepbESe.exe
  2⤵
  PID:8280
- C:\Windows\System32\hTvCJXr.exe
  C:\Windows\System32\hTvCJXr.exe
  2⤵
  PID:8308
- C:\Windows\System32\HyFtlPF.exe
  C:\Windows\System32\HyFtlPF.exe
  2⤵
  PID:8336
- C:\Windows\System32\kQhSPjW.exe
  C:\Windows\System32\kQhSPjW.exe
  2⤵
  PID:8380
- C:\Windows\System32\OigCABO.exe
  C:\Windows\System32\OigCABO.exe
  2⤵
  PID:8420
- C:\Windows\System32\DZoTECb.exe
  C:\Windows\System32\DZoTECb.exe
  2⤵
  PID:8448
- C:\Windows\System32\uJscjVI.exe
  C:\Windows\System32\uJscjVI.exe
  2⤵
  PID:8464
- C:\Windows\System32\GmRCjJd.exe
  C:\Windows\System32\GmRCjJd.exe
  2⤵
  PID:8508
- C:\Windows\System32\clQVUzY.exe
  C:\Windows\System32\clQVUzY.exe
  2⤵
  PID:8532
- C:\Windows\System32\gDqPwFe.exe
  C:\Windows\System32\gDqPwFe.exe
  2⤵
  PID:8548
- C:\Windows\System32\cLmFKLy.exe
  C:\Windows\System32\cLmFKLy.exe
  2⤵
  PID:8592
- C:\Windows\System32\sGSoCzH.exe
  C:\Windows\System32\sGSoCzH.exe
  2⤵
  PID:8616
- C:\Windows\System32\CGfRMfc.exe
  C:\Windows\System32\CGfRMfc.exe
  2⤵
  PID:8640
- C:\Windows\System32\mvsdcfX.exe
  C:\Windows\System32\mvsdcfX.exe
  2⤵
  PID:8660
- C:\Windows\System32\xUBsogb.exe
  C:\Windows\System32\xUBsogb.exe
  2⤵
  PID:8676
- C:\Windows\System32\SJaoyWL.exe
  C:\Windows\System32\SJaoyWL.exe
  2⤵
  PID:8696
- C:\Windows\System32\EKyAWLP.exe
  C:\Windows\System32\EKyAWLP.exe
  2⤵
  PID:8724
- C:\Windows\System32\wdAkwQB.exe
  C:\Windows\System32\wdAkwQB.exe
  2⤵
  PID:8744
- C:\Windows\System32\hPlByyK.exe
  C:\Windows\System32\hPlByyK.exe
  2⤵
  PID:8784
- C:\Windows\System32\uHayzec.exe
  C:\Windows\System32\uHayzec.exe
  2⤵
  PID:8844
- C:\Windows\System32\yhlpRvp.exe
  C:\Windows\System32\yhlpRvp.exe
  2⤵
  PID:8868
- C:\Windows\System32\BRSUpzY.exe
  C:\Windows\System32\BRSUpzY.exe
  2⤵
  PID:8892
- C:\Windows\System32\ntYlJVV.exe
  C:\Windows\System32\ntYlJVV.exe
  2⤵
  PID:8912
- C:\Windows\System32\tCXsVZp.exe
  C:\Windows\System32\tCXsVZp.exe
  2⤵
  PID:8936
- C:\Windows\System32\gOlgpqY.exe
  C:\Windows\System32\gOlgpqY.exe
  2⤵
  PID:8964
- C:\Windows\System32\daMpOMn.exe
  C:\Windows\System32\daMpOMn.exe
  2⤵
  PID:9004
- C:\Windows\System32\FipxVCc.exe
  C:\Windows\System32\FipxVCc.exe
  2⤵
  PID:9036
- C:\Windows\System32\oWUytaT.exe
  C:\Windows\System32\oWUytaT.exe
  2⤵
  PID:9060
- C:\Windows\System32\aMFhEOf.exe
  C:\Windows\System32\aMFhEOf.exe
  2⤵
  PID:9088
- C:\Windows\System32\gkmFclt.exe
  C:\Windows\System32\gkmFclt.exe
  2⤵
  PID:9128
- C:\Windows\System32\eUyjDdn.exe
  C:\Windows\System32\eUyjDdn.exe
  2⤵
  PID:9156
- C:\Windows\System32\jqtSrch.exe
  C:\Windows\System32\jqtSrch.exe
  2⤵
  PID:9180
- C:\Windows\System32\FJWZXbK.exe
  C:\Windows\System32\FJWZXbK.exe
  2⤵
  PID:9200
- C:\Windows\System32\zhHArrq.exe
  C:\Windows\System32\zhHArrq.exe
  2⤵
  PID:7628
- C:\Windows\System32\apBsYLG.exe
  C:\Windows\System32\apBsYLG.exe
  2⤵
  PID:8232
- C:\Windows\System32\GbQtDYk.exe
  C:\Windows\System32\GbQtDYk.exe
  2⤵
  PID:8212
- C:\Windows\System32\MErjkgC.exe
  C:\Windows\System32\MErjkgC.exe
  2⤵
  PID:8400
- C:\Windows\System32\kESmBlt.exe
  C:\Windows\System32\kESmBlt.exe
  2⤵
  PID:8432
- C:\Windows\System32\jaycxmk.exe
  C:\Windows\System32\jaycxmk.exe
  2⤵
  PID:8504
- C:\Windows\System32\xjtkFRh.exe
  C:\Windows\System32\xjtkFRh.exe
  2⤵
  PID:8564
- C:\Windows\System32\wEVJnYN.exe
  C:\Windows\System32\wEVJnYN.exe
  2⤵
  PID:8608
- C:\Windows\System32\tZFfmSo.exe
  C:\Windows\System32\tZFfmSo.exe
  2⤵
  PID:8684
- C:\Windows\System32\cAUWjQu.exe
  C:\Windows\System32\cAUWjQu.exe
  2⤵
  PID:8740
- C:\Windows\System32\ucEKLKt.exe
  C:\Windows\System32\ucEKLKt.exe
  2⤵
  PID:8820
- C:\Windows\System32\veGWVlu.exe
  C:\Windows\System32\veGWVlu.exe
  2⤵
  PID:8880
- C:\Windows\System32\NPLEHyM.exe
  C:\Windows\System32\NPLEHyM.exe
  2⤵
  PID:8904
- C:\Windows\System32\zwzEZyX.exe
  C:\Windows\System32\zwzEZyX.exe
  2⤵
  PID:9084
- C:\Windows\System32\PBHKTLz.exe
  C:\Windows\System32\PBHKTLz.exe
  2⤵
  PID:9152
- C:\Windows\System32\zWEtfwL.exe
  C:\Windows\System32\zWEtfwL.exe
  2⤵
  PID:9212
- C:\Windows\System32\PAHBrEO.exe
  C:\Windows\System32\PAHBrEO.exe
  2⤵
  PID:8480
- C:\Windows\System32\OGiNXpP.exe
  C:\Windows\System32\OGiNXpP.exe
  2⤵
  PID:8572
- C:\Windows\System32\maqTxai.exe
  C:\Windows\System32\maqTxai.exe
  2⤵
  PID:8732
- C:\Windows\System32\OQXWDCy.exe
  C:\Windows\System32\OQXWDCy.exe
  2⤵
  PID:8716
- C:\Windows\System32\jFtpjqZ.exe
  C:\Windows\System32\jFtpjqZ.exe
  2⤵
  PID:8760
- C:\Windows\System32\fMOeesk.exe
  C:\Windows\System32\fMOeesk.exe
  2⤵
  PID:9048
- C:\Windows\System32\hppngPJ.exe
  C:\Windows\System32\hppngPJ.exe
  2⤵
  PID:9148
- C:\Windows\System32\zBoWert.exe
  C:\Windows\System32\zBoWert.exe
  2⤵
  PID:9280
- C:\Windows\System32\YjDInvS.exe
  C:\Windows\System32\YjDInvS.exe
  2⤵
  PID:9296
- C:\Windows\System32\DhdRLEQ.exe
  C:\Windows\System32\DhdRLEQ.exe
  2⤵
  PID:9312
- C:\Windows\System32\cFGnvyU.exe
  C:\Windows\System32\cFGnvyU.exe
  2⤵
  PID:9328
- C:\Windows\System32\zqSTdRn.exe
  C:\Windows\System32\zqSTdRn.exe
  2⤵
  PID:9344
- C:\Windows\System32\CmZMLtD.exe
  C:\Windows\System32\CmZMLtD.exe
  2⤵
  PID:9360
- C:\Windows\System32\qTItGJN.exe
  C:\Windows\System32\qTItGJN.exe
  2⤵
  PID:9376
- C:\Windows\System32\ejeBPWz.exe
  C:\Windows\System32\ejeBPWz.exe
  2⤵
  PID:9396
- C:\Windows\System32\UoETIkw.exe
  C:\Windows\System32\UoETIkw.exe
  2⤵
  PID:9412
- C:\Windows\System32\sROtkbx.exe
  C:\Windows\System32\sROtkbx.exe
  2⤵
  PID:9428
- C:\Windows\System32\xtQKMPf.exe
  C:\Windows\System32\xtQKMPf.exe
  2⤵
  PID:9444
- C:\Windows\System32\ihQCuKf.exe
  C:\Windows\System32\ihQCuKf.exe
  2⤵
  PID:9460
- C:\Windows\System32\cFiZSdu.exe
  C:\Windows\System32\cFiZSdu.exe
  2⤵
  PID:9476
- C:\Windows\System32\XyLDkNf.exe
  C:\Windows\System32\XyLDkNf.exe
  2⤵
  PID:9604
- C:\Windows\System32\jkegrnY.exe
  C:\Windows\System32\jkegrnY.exe
  2⤵
  PID:9636
- C:\Windows\System32\pmIHIPt.exe
  C:\Windows\System32\pmIHIPt.exe
  2⤵
  PID:9688
- C:\Windows\System32\sLJvJsG.exe
  C:\Windows\System32\sLJvJsG.exe
  2⤵
  PID:9748
- C:\Windows\System32\KxMJKMt.exe
  C:\Windows\System32\KxMJKMt.exe
  2⤵
  PID:9788
- C:\Windows\System32\CFODcBO.exe
  C:\Windows\System32\CFODcBO.exe
  2⤵
  PID:9816
- C:\Windows\System32\WszMdaU.exe
  C:\Windows\System32\WszMdaU.exe
  2⤵
  PID:9848
- C:\Windows\System32\fkEwCkR.exe
  C:\Windows\System32\fkEwCkR.exe
  2⤵
  PID:9864
- C:\Windows\System32\XPSmWwJ.exe
  C:\Windows\System32\XPSmWwJ.exe
  2⤵
  PID:9880
- C:\Windows\System32\xXOhbKI.exe
  C:\Windows\System32\xXOhbKI.exe
  2⤵
  PID:9896
- C:\Windows\System32\fHWEoiC.exe
  C:\Windows\System32\fHWEoiC.exe
  2⤵
  PID:9944
- C:\Windows\System32\kZcPLEF.exe
  C:\Windows\System32\kZcPLEF.exe
  2⤵
  PID:9976
- C:\Windows\System32\IqfUwyb.exe
  C:\Windows\System32\IqfUwyb.exe
  2⤵
  PID:9996
- C:\Windows\System32\gjduatF.exe
  C:\Windows\System32\gjduatF.exe
  2⤵
  PID:10044
- C:\Windows\System32\JdNuLkD.exe
  C:\Windows\System32\JdNuLkD.exe
  2⤵
  PID:10064
- C:\Windows\System32\YYnCUdR.exe
  C:\Windows\System32\YYnCUdR.exe
  2⤵
  PID:10112
- C:\Windows\System32\JqoGGxf.exe
  C:\Windows\System32\JqoGGxf.exe
  2⤵
  PID:10136
- C:\Windows\System32\MiliRYg.exe
  C:\Windows\System32\MiliRYg.exe
  2⤵
  PID:10160
- C:\Windows\System32\jklRGoL.exe
  C:\Windows\System32\jklRGoL.exe
  2⤵
  PID:10180
- C:\Windows\System32\IfPURZk.exe
  C:\Windows\System32\IfPURZk.exe
  2⤵
  PID:10220
- C:\Windows\System32\BITCSFX.exe
  C:\Windows\System32\BITCSFX.exe
  2⤵
  PID:9244
- C:\Windows\System32\FWzoNAq.exe
  C:\Windows\System32\FWzoNAq.exe
  2⤵
  PID:8276
- C:\Windows\System32\CAPZwQr.exe
  C:\Windows\System32\CAPZwQr.exe
  2⤵
  PID:9252
- C:\Windows\System32\CExwGwE.exe
  C:\Windows\System32\CExwGwE.exe
  2⤵
  PID:9472
- C:\Windows\System32\qSBeoSn.exe
  C:\Windows\System32\qSBeoSn.exe
  2⤵
  PID:8812
- C:\Windows\System32\ovsKdxd.exe
  C:\Windows\System32\ovsKdxd.exe
  2⤵
  PID:8348
- C:\Windows\System32\uFvVkLi.exe
  C:\Windows\System32\uFvVkLi.exe
  2⤵
  PID:9320
- C:\Windows\System32\nJpJzdO.exe
  C:\Windows\System32\nJpJzdO.exe
  2⤵
  PID:9368
- C:\Windows\System32\Vzgipkr.exe
  C:\Windows\System32\Vzgipkr.exe
  2⤵
  PID:9220
- C:\Windows\System32\hdDCwNj.exe
  C:\Windows\System32\hdDCwNj.exe
  2⤵
  PID:9276
- C:\Windows\System32\Mhdmvtp.exe
  C:\Windows\System32\Mhdmvtp.exe
  2⤵
  PID:9408
- C:\Windows\System32\IjTeuVA.exe
  C:\Windows\System32\IjTeuVA.exe
  2⤵
  PID:9612
- C:\Windows\System32\xElBcUf.exe
  C:\Windows\System32\xElBcUf.exe
  2⤵
  PID:9764
- C:\Windows\System32\SsIfgJq.exe
  C:\Windows\System32\SsIfgJq.exe
  2⤵
  PID:9812
- C:\Windows\System32\VYXnsCQ.exe
  C:\Windows\System32\VYXnsCQ.exe
  2⤵
  PID:9892
- C:\Windows\System32\wWzdkLT.exe
  C:\Windows\System32\wWzdkLT.exe
  2⤵
  PID:9888
- C:\Windows\System32\kYaMizb.exe
  C:\Windows\System32\kYaMizb.exe
  2⤵
  PID:9924
- C:\Windows\System32\EclETZz.exe
  C:\Windows\System32\EclETZz.exe
  2⤵
  PID:10080
- C:\Windows\System32\mBNRVNr.exe
  C:\Windows\System32\mBNRVNr.exe
  2⤵
  PID:10132
- C:\Windows\System32\sdvmptQ.exe
  C:\Windows\System32\sdvmptQ.exe
  2⤵
  PID:10208
- C:\Windows\System32\aEYfGJR.exe
  C:\Windows\System32\aEYfGJR.exe
  2⤵
  PID:9324
- C:\Windows\System32\YEXPeSB.exe
  C:\Windows\System32\YEXPeSB.exe
  2⤵
  PID:9540
- C:\Windows\System32\XnYCKkc.exe
  C:\Windows\System32\XnYCKkc.exe
  2⤵
  PID:8460
- C:\Windows\System32\lnCfjVi.exe
  C:\Windows\System32\lnCfjVi.exe
  2⤵
  PID:8996
- C:\Windows\System32\qEbtrGe.exe
  C:\Windows\System32\qEbtrGe.exe
  2⤵
  PID:9468
- C:\Windows\System32\NbgnMqo.exe
  C:\Windows\System32\NbgnMqo.exe
  2⤵
  PID:9800
- C:\Windows\System32\JdTDWyj.exe
  C:\Windows\System32\JdTDWyj.exe
  2⤵
  PID:10020
- C:\Windows\System32\OaGqWkY.exe
  C:\Windows\System32\OaGqWkY.exe
  2⤵
  PID:10192
- C:\Windows\System32\cZjieoK.exe
  C:\Windows\System32\cZjieoK.exe
  2⤵
  PID:9188
- C:\Windows\System32\KxQvVDa.exe
  C:\Windows\System32\KxQvVDa.exe
  2⤵
  PID:9536
- C:\Windows\System32\QEeuGIQ.exe
  C:\Windows\System32\QEeuGIQ.exe
  2⤵
  PID:9232
- C:\Windows\System32\iLEnDsF.exe
  C:\Windows\System32\iLEnDsF.exe
  2⤵
  PID:9928
- C:\Windows\System32\BuMHwST.exe
  C:\Windows\System32\BuMHwST.exe
  2⤵
  PID:9452
- C:\Windows\System32\VHHMCiX.exe
  C:\Windows\System32\VHHMCiX.exe
  2⤵
  PID:9668
- C:\Windows\System32\oKiQRkC.exe
  C:\Windows\System32\oKiQRkC.exe
  2⤵
  PID:9356
- C:\Windows\System32\QqyjheE.exe
  C:\Windows\System32\QqyjheE.exe
  2⤵
  PID:10252
- C:\Windows\System32\IcKCTYw.exe
  C:\Windows\System32\IcKCTYw.exe
  2⤵
  PID:10280
- C:\Windows\System32\kDtGick.exe
  C:\Windows\System32\kDtGick.exe
  2⤵
  PID:10296
- C:\Windows\System32\giRUIWr.exe
  C:\Windows\System32\giRUIWr.exe
  2⤵
  PID:10348
- C:\Windows\System32\gUzGKiA.exe
  C:\Windows\System32\gUzGKiA.exe
  2⤵
  PID:10384
- C:\Windows\System32\pTEcKos.exe
  C:\Windows\System32\pTEcKos.exe
  2⤵
  PID:10404
- C:\Windows\System32\QpohkqD.exe
  C:\Windows\System32\QpohkqD.exe
  2⤵
  PID:10468
- C:\Windows\System32\kTMorcY.exe
  C:\Windows\System32\kTMorcY.exe
  2⤵
  PID:10492
- C:\Windows\System32\TgPpkeb.exe
  C:\Windows\System32\TgPpkeb.exe
  2⤵
  PID:10512
- C:\Windows\System32\utqUuYh.exe
  C:\Windows\System32\utqUuYh.exe
  2⤵
  PID:10536
- C:\Windows\System32\FmSLFDo.exe
  C:\Windows\System32\FmSLFDo.exe
  2⤵
  PID:10564
- C:\Windows\System32\ephMUKY.exe
  C:\Windows\System32\ephMUKY.exe
  2⤵
  PID:10616
- C:\Windows\System32\gexdAxf.exe
  C:\Windows\System32\gexdAxf.exe
  2⤵
  PID:10632
- C:\Windows\System32\mmoInfZ.exe
  C:\Windows\System32\mmoInfZ.exe
  2⤵
  PID:10656
- C:\Windows\System32\nwzoQux.exe
  C:\Windows\System32\nwzoQux.exe
  2⤵
  PID:10676
- C:\Windows\System32\MPLiyMM.exe
  C:\Windows\System32\MPLiyMM.exe
  2⤵
  PID:10696
- C:\Windows\System32\SIxaIqU.exe
  C:\Windows\System32\SIxaIqU.exe
  2⤵
  PID:10712
- C:\Windows\System32\RwhqaVJ.exe
  C:\Windows\System32\RwhqaVJ.exe
  2⤵
  PID:10748
- C:\Windows\System32\Hxxaugq.exe
  C:\Windows\System32\Hxxaugq.exe
  2⤵
  PID:10800
- C:\Windows\System32\tUNQzSa.exe
  C:\Windows\System32\tUNQzSa.exe
  2⤵
  PID:10828
- C:\Windows\System32\oRecpch.exe
  C:\Windows\System32\oRecpch.exe
  2⤵
  PID:10844
- C:\Windows\System32\dGAsLoK.exe
  C:\Windows\System32\dGAsLoK.exe
  2⤵
  PID:10864
- C:\Windows\System32\UtVpoAl.exe
  C:\Windows\System32\UtVpoAl.exe
  2⤵
  PID:10888
- C:\Windows\System32\AZYfWWP.exe
  C:\Windows\System32\AZYfWWP.exe
  2⤵
  PID:10932
- C:\Windows\System32\vVwLrkT.exe
  C:\Windows\System32\vVwLrkT.exe
  2⤵
  PID:10964
- C:\Windows\System32\ctHmAfZ.exe
  C:\Windows\System32\ctHmAfZ.exe
  2⤵
  PID:10984
- C:\Windows\System32\qflespg.exe
  C:\Windows\System32\qflespg.exe
  2⤵
  PID:11004
- C:\Windows\System32\zNFaWry.exe
  C:\Windows\System32\zNFaWry.exe
  2⤵
  PID:11024
- C:\Windows\System32\DByXDbU.exe
  C:\Windows\System32\DByXDbU.exe
  2⤵
  PID:11040
- C:\Windows\System32\WgsDWXw.exe
  C:\Windows\System32\WgsDWXw.exe
  2⤵
  PID:11088
- C:\Windows\System32\crBlPaX.exe
  C:\Windows\System32\crBlPaX.exe
  2⤵
  PID:11136
- C:\Windows\System32\QQXdZRH.exe
  C:\Windows\System32\QQXdZRH.exe
  2⤵
  PID:11172
- C:\Windows\System32\wqAGzTm.exe
  C:\Windows\System32\wqAGzTm.exe
  2⤵
  PID:11188
- C:\Windows\System32\MEMpRDk.exe
  C:\Windows\System32\MEMpRDk.exe
  2⤵
  PID:11204
- C:\Windows\System32\rogJJOA.exe
  C:\Windows\System32\rogJJOA.exe
  2⤵
  PID:11236
- C:\Windows\System32\HvMkiDs.exe
  C:\Windows\System32\HvMkiDs.exe
  2⤵
  PID:10292
- C:\Windows\System32\dQgGnuY.exe
  C:\Windows\System32\dQgGnuY.exe
  2⤵
  PID:10260
- C:\Windows\System32\RMLlfxk.exe
  C:\Windows\System32\RMLlfxk.exe
  2⤵
  PID:10356
- C:\Windows\System32\zGZGxCW.exe
  C:\Windows\System32\zGZGxCW.exe
  2⤵
  PID:10376
- C:\Windows\System32\WoPJtkU.exe
  C:\Windows\System32\WoPJtkU.exe
  2⤵
  PID:10488
- C:\Windows\System32\yhZywjM.exe
  C:\Windows\System32\yhZywjM.exe
  2⤵
  PID:10508
- C:\Windows\System32\idVNwCC.exe
  C:\Windows\System32\idVNwCC.exe
  2⤵
  PID:10600
- C:\Windows\System32\TmmnTxI.exe
  C:\Windows\System32\TmmnTxI.exe
  2⤵
  PID:10668
- C:\Windows\System32\CRjqucB.exe
  C:\Windows\System32\CRjqucB.exe
  2⤵
  PID:10720
- C:\Windows\System32\ARTXAdT.exe
  C:\Windows\System32\ARTXAdT.exe
  2⤵
  PID:10732
- C:\Windows\System32\lKutudn.exe
  C:\Windows\System32\lKutudn.exe
  2⤵
  PID:10796
- C:\Windows\System32\XVarqeA.exe
  C:\Windows\System32\XVarqeA.exe
  2⤵
  PID:10872
- C:\Windows\System32\iLuWJDk.exe
  C:\Windows\System32\iLuWJDk.exe
  2⤵
  PID:10980
- C:\Windows\System32\PvOHQxL.exe
  C:\Windows\System32\PvOHQxL.exe
  2⤵
  PID:10996
- C:\Windows\System32\rlJDugt.exe
  C:\Windows\System32\rlJDugt.exe
  2⤵
  PID:11084
- C:\Windows\System32\KUiOvHT.exe
  C:\Windows\System32\KUiOvHT.exe
  2⤵
  PID:11128
- C:\Windows\System32\MzUiEhi.exe
  C:\Windows\System32\MzUiEhi.exe
  2⤵
  PID:11196
- C:\Windows\System32\mKMXgxz.exe
  C:\Windows\System32\mKMXgxz.exe
  2⤵
  PID:10288
- C:\Windows\System32\WEqQqhn.exe
  C:\Windows\System32\WEqQqhn.exe
  2⤵
  PID:10268
- C:\Windows\System32\QRjHGro.exe
  C:\Windows\System32\QRjHGro.exe
  2⤵
  PID:10360
- C:\Windows\System32\YdduduT.exe
  C:\Windows\System32\YdduduT.exe
  2⤵
  PID:10484
- C:\Windows\System32\UHQfcvo.exe
  C:\Windows\System32\UHQfcvo.exe
  2⤵
  PID:10692
- C:\Windows\System32\xmqBAlZ.exe
  C:\Windows\System32\xmqBAlZ.exe
  2⤵
  PID:10684
- C:\Windows\System32\vBtQJkc.exe
  C:\Windows\System32\vBtQJkc.exe
  2⤵
  PID:11048
- C:\Windows\System32\kXBtsiD.exe
  C:\Windows\System32\kXBtsiD.exe
  2⤵
  PID:11180
- C:\Windows\System32\NNmfFzw.exe
  C:\Windows\System32\NNmfFzw.exe
  2⤵
  PID:8364
- C:\Windows\System32\HctuCbw.exe
  C:\Windows\System32\HctuCbw.exe
  2⤵
  PID:10840
- C:\Windows\System32\yvVwnLi.exe
  C:\Windows\System32\yvVwnLi.exe
  2⤵
  PID:10416
- C:\Windows\System32\rImAVha.exe
  C:\Windows\System32\rImAVha.exe
  2⤵
  PID:11080
- C:\Windows\System32\GmsUFTK.exe
  C:\Windows\System32\GmsUFTK.exe
  2⤵
  PID:10664
- C:\Windows\System32\CTPmpOo.exe
  C:\Windows\System32\CTPmpOo.exe
  2⤵
  PID:11276
- C:\Windows\System32\BGlHATf.exe
  C:\Windows\System32\BGlHATf.exe
  2⤵
  PID:11300
- C:\Windows\System32\rzfvVvL.exe
  C:\Windows\System32\rzfvVvL.exe
  2⤵
  PID:11332
- C:\Windows\System32\TYGCSOw.exe
  C:\Windows\System32\TYGCSOw.exe
  2⤵
  PID:11376
- C:\Windows\System32\kjkGILv.exe
  C:\Windows\System32\kjkGILv.exe
  2⤵
  PID:11408
- C:\Windows\System32\iPNaSAh.exe
  C:\Windows\System32\iPNaSAh.exe
  2⤵
  PID:11432
- C:\Windows\System32\qjwABFO.exe
  C:\Windows\System32\qjwABFO.exe
  2⤵
  PID:11452
- C:\Windows\System32\rmfpOdF.exe
  C:\Windows\System32\rmfpOdF.exe
  2⤵
  PID:11472
- C:\Windows\System32\xgvQCyC.exe
  C:\Windows\System32\xgvQCyC.exe
  2⤵
  PID:11488
- C:\Windows\System32\YjsXcbs.exe
  C:\Windows\System32\YjsXcbs.exe
  2⤵
  PID:11524
- C:\Windows\System32\AzVZkjN.exe
  C:\Windows\System32\AzVZkjN.exe
  2⤵
  PID:11584
- C:\Windows\System32\MKfMEky.exe
  C:\Windows\System32\MKfMEky.exe
  2⤵
  PID:11604
- C:\Windows\System32\gRHPxsx.exe
  C:\Windows\System32\gRHPxsx.exe
  2⤵
  PID:11620
- C:\Windows\System32\IEdDtKz.exe
  C:\Windows\System32\IEdDtKz.exe
  2⤵
  PID:11636
- C:\Windows\System32\JQVqMyC.exe
  C:\Windows\System32\JQVqMyC.exe
  2⤵
  PID:11652
- C:\Windows\System32\SAYZNWT.exe
  C:\Windows\System32\SAYZNWT.exe
  2⤵
  PID:11720
- C:\Windows\System32\pLJfzlk.exe
  C:\Windows\System32\pLJfzlk.exe
  2⤵
  PID:11736
- C:\Windows\System32\aaLrlwY.exe
  C:\Windows\System32\aaLrlwY.exe
  2⤵
  PID:11760
- C:\Windows\System32\iQysdQe.exe
  C:\Windows\System32\iQysdQe.exe
  2⤵
  PID:11788
- C:\Windows\System32\UGhjpkg.exe
  C:\Windows\System32\UGhjpkg.exe
  2⤵
  PID:11828
- C:\Windows\System32\QORTusS.exe
  C:\Windows\System32\QORTusS.exe
  2⤵
  PID:11848
- C:\Windows\System32\KAGFfKV.exe
  C:\Windows\System32\KAGFfKV.exe
  2⤵
  PID:11872
- C:\Windows\System32\fRpbNjX.exe
  C:\Windows\System32\fRpbNjX.exe
  2⤵
  PID:11888
- C:\Windows\System32\AOPESjs.exe
  C:\Windows\System32\AOPESjs.exe
  2⤵
  PID:11908
- C:\Windows\System32\nNGAknW.exe
  C:\Windows\System32\nNGAknW.exe
  2⤵
  PID:11948
- C:\Windows\System32\KXbPcSV.exe
  C:\Windows\System32\KXbPcSV.exe
  2⤵
  PID:11988
- C:\Windows\System32\cRzDWMC.exe
  C:\Windows\System32\cRzDWMC.exe
  2⤵
  PID:12028
- C:\Windows\System32\FAizici.exe
  C:\Windows\System32\FAizici.exe
  2⤵
  PID:12044
- C:\Windows\System32\tYQABCt.exe
  C:\Windows\System32\tYQABCt.exe
  2⤵
  PID:12064
- C:\Windows\System32\fSgYXKb.exe
  C:\Windows\System32\fSgYXKb.exe
  2⤵
  PID:12100
- C:\Windows\System32\VsggAKZ.exe
  C:\Windows\System32\VsggAKZ.exe
  2⤵
  PID:12132
- C:\Windows\System32\fLmZtGo.exe
  C:\Windows\System32\fLmZtGo.exe
  2⤵
  PID:12164
- C:\Windows\System32\iIPrQeT.exe
  C:\Windows\System32\iIPrQeT.exe
  2⤵
  PID:12184
- C:\Windows\System32\QpfoaEQ.exe
  C:\Windows\System32\QpfoaEQ.exe
  2⤵
  PID:12204
- C:\Windows\System32\tEPrbkT.exe
  C:\Windows\System32\tEPrbkT.exe
  2⤵
  PID:12220
- C:\Windows\System32\zHEuKaI.exe
  C:\Windows\System32\zHEuKaI.exe
  2⤵
  PID:12252
- C:\Windows\System32\KYhEdst.exe
  C:\Windows\System32\KYhEdst.exe
  2⤵
  PID:11288
- C:\Windows\System32\BIkZDiE.exe
  C:\Windows\System32\BIkZDiE.exe
  2⤵
  PID:11404
- C:\Windows\System32\MoxeQzC.exe
  C:\Windows\System32\MoxeQzC.exe
  2⤵
  PID:11440
- C:\Windows\System32\JbmmVar.exe
  C:\Windows\System32\JbmmVar.exe
  2⤵
  PID:11504
- C:\Windows\System32\bLmQjPB.exe
  C:\Windows\System32\bLmQjPB.exe
  2⤵
  PID:11560
- C:\Windows\System32\BqCfZBP.exe
  C:\Windows\System32\BqCfZBP.exe
  2⤵
  PID:11632
- C:\Windows\System32\ZFTRkfp.exe
  C:\Windows\System32\ZFTRkfp.exe
  2⤵
  PID:11732
- C:\Windows\System32\YiSnYSB.exe
  C:\Windows\System32\YiSnYSB.exe
  2⤵
  PID:11748
- C:\Windows\System32\jDITtcz.exe
  C:\Windows\System32\jDITtcz.exe
  2⤵
  PID:11768
- C:\Windows\System32\GggBChP.exe
  C:\Windows\System32\GggBChP.exe
  2⤵
  PID:11868
- C:\Windows\System32\tOIxKoo.exe
  C:\Windows\System32\tOIxKoo.exe
  2⤵
  PID:11880
- C:\Windows\System32\sIxgrkW.exe
  C:\Windows\System32\sIxgrkW.exe
  2⤵
  PID:11916
- C:\Windows\System32\nwHmBJn.exe
  C:\Windows\System32\nwHmBJn.exe
  2⤵
  PID:12012
- C:\Windows\System32\PTcBIRC.exe
  C:\Windows\System32\PTcBIRC.exe
  2⤵
  PID:12140
- C:\Windows\System32\zPfGywh.exe
  C:\Windows\System32\zPfGywh.exe
  2⤵
  PID:12176
- C:\Windows\System32\QRLFHwc.exe
  C:\Windows\System32\QRLFHwc.exe
  2⤵
  PID:12236
- C:\Windows\System32\EvUMcpp.exe
  C:\Windows\System32\EvUMcpp.exe
  2⤵
  PID:10852
- C:\Windows\System32\jVWBWXf.exe
  C:\Windows\System32\jVWBWXf.exe
  2⤵
  PID:11424
- C:\Windows\System32\CaMeaES.exe
  C:\Windows\System32\CaMeaES.exe
  2⤵
  PID:11484
- C:\Windows\System32\oHdMrkw.exe
  C:\Windows\System32\oHdMrkw.exe
  2⤵
  PID:11644
- C:\Windows\System32\aYimKFn.exe
  C:\Windows\System32\aYimKFn.exe
  2⤵
  PID:11884
- C:\Windows\System32\ykFUcHz.exe
  C:\Windows\System32\ykFUcHz.exe
  2⤵
  PID:12120
- C:\Windows\System32\TwzseKj.exe
  C:\Windows\System32\TwzseKj.exe
  2⤵
  PID:12052
- C:\Windows\System32\YpLImWR.exe
  C:\Windows\System32\YpLImWR.exe
  2⤵
  PID:11532
- C:\Windows\System32\nNYBrQJ.exe
  C:\Windows\System32\nNYBrQJ.exe
  2⤵
  PID:4640
- C:\Windows\System32\LkwWaHu.exe
  C:\Windows\System32\LkwWaHu.exe
  2⤵
  PID:12040
- C:\Windows\System32\eXXRPYy.exe
  C:\Windows\System32\eXXRPYy.exe
  2⤵
  PID:12212
- C:\Windows\System32\eVNJcNQ.exe
  C:\Windows\System32\eVNJcNQ.exe
  2⤵
  PID:11728
- C:\Windows\System32\LnJElYj.exe
  C:\Windows\System32\LnJElYj.exe
  2⤵
  PID:11904
- C:\Windows\System32\alrAfkn.exe
  C:\Windows\System32\alrAfkn.exe
  2⤵
  PID:12324
- C:\Windows\System32\BkTCiJY.exe
  C:\Windows\System32\BkTCiJY.exe
  2⤵
  PID:12340
- C:\Windows\System32\HKChLeZ.exe
  C:\Windows\System32\HKChLeZ.exe
  2⤵
  PID:12360
- C:\Windows\System32\YrIhmyP.exe
  C:\Windows\System32\YrIhmyP.exe
  2⤵
  PID:12400
- C:\Windows\System32\jmuOZGD.exe
  C:\Windows\System32\jmuOZGD.exe
  2⤵
  PID:12416
- C:\Windows\System32\nvcSJao.exe
  C:\Windows\System32\nvcSJao.exe
  2⤵
  PID:12452
- C:\Windows\System32\xrehjZH.exe
  C:\Windows\System32\xrehjZH.exe
  2⤵
  PID:12476
- C:\Windows\System32\EhXWTjC.exe
  C:\Windows\System32\EhXWTjC.exe
  2⤵
  PID:12508
- C:\Windows\System32\xDlHaUm.exe
  C:\Windows\System32\xDlHaUm.exe
  2⤵
  PID:12544
- C:\Windows\System32\nlQyUpq.exe
  C:\Windows\System32\nlQyUpq.exe
  2⤵
  PID:12572
- C:\Windows\System32\kjldFKs.exe
  C:\Windows\System32\kjldFKs.exe
  2⤵
  PID:12596
- C:\Windows\System32\HUtviqa.exe
  C:\Windows\System32\HUtviqa.exe
  2⤵
  PID:12612
- C:\Windows\System32\BJHbsdT.exe
  C:\Windows\System32\BJHbsdT.exe
  2⤵
  PID:12660
- C:\Windows\System32\qFzQwiv.exe
  C:\Windows\System32\qFzQwiv.exe
  2⤵
  PID:12716
- C:\Windows\System32\DqNQiLG.exe
  C:\Windows\System32\DqNQiLG.exe
  2⤵
  PID:12736
- C:\Windows\System32\KOZLuQB.exe
  C:\Windows\System32\KOZLuQB.exe
  2⤵
  PID:12752
- C:\Windows\System32\fKIUHVT.exe
  C:\Windows\System32\fKIUHVT.exe
  2⤵
  PID:12780
- C:\Windows\System32\ngzYvQD.exe
  C:\Windows\System32\ngzYvQD.exe
  2⤵
  PID:12808
- C:\Windows\System32\XQEsrKy.exe
  C:\Windows\System32\XQEsrKy.exe
  2⤵
  PID:12860
- C:\Windows\System32\NIDTNNu.exe
  C:\Windows\System32\NIDTNNu.exe
  2⤵
  PID:12888
- C:\Windows\System32\dgvUwrf.exe
  C:\Windows\System32\dgvUwrf.exe
  2⤵
  PID:12908
- C:\Windows\System32\prOYLMF.exe
  C:\Windows\System32\prOYLMF.exe
  2⤵
  PID:12928
- C:\Windows\System32\jqWZsgX.exe
  C:\Windows\System32\jqWZsgX.exe
  2⤵
  PID:12944
- C:\Windows\System32\epqsCLF.exe
  C:\Windows\System32\epqsCLF.exe
  2⤵
  PID:12968
- C:\Windows\System32\flkUrhX.exe
  C:\Windows\System32\flkUrhX.exe
  2⤵
  PID:13012
- C:\Windows\System32\rEcwtia.exe
  C:\Windows\System32\rEcwtia.exe
  2⤵
  PID:13056
- C:\Windows\System32\woaefxK.exe
  C:\Windows\System32\woaefxK.exe
  2⤵
  PID:13076
- C:\Windows\System32\GSixcaf.exe
  C:\Windows\System32\GSixcaf.exe
  2⤵
  PID:13092
- C:\Windows\System32\mJHCUSh.exe
  C:\Windows\System32\mJHCUSh.exe
  2⤵
  PID:13112
- C:\Windows\System32\SClstNN.exe
  C:\Windows\System32\SClstNN.exe
  2⤵
  PID:13136
- C:\Windows\System32\oneIFfm.exe
  C:\Windows\System32\oneIFfm.exe
  2⤵
  PID:13152
- C:\Windows\System32\TMcWxxd.exe
  C:\Windows\System32\TMcWxxd.exe
  2⤵
  PID:13228
- C:\Windows\System32\LBUjmDE.exe
  C:\Windows\System32\LBUjmDE.exe
  2⤵
  PID:13244
- C:\Windows\System32\uoQPALS.exe
  C:\Windows\System32\uoQPALS.exe
  2⤵
  PID:13272
- C:\Windows\System32\ELtsGWH.exe
  C:\Windows\System32\ELtsGWH.exe
  2⤵
  PID:13304
- C:\Windows\System32\VEBrTIY.exe
  C:\Windows\System32\VEBrTIY.exe
  2⤵
  PID:12336
- C:\Windows\System32\aYMFDxZ.exe
  C:\Windows\System32\aYMFDxZ.exe
  2⤵
  PID:12384
- C:\Windows\System32\xlZGdxv.exe
  C:\Windows\System32\xlZGdxv.exe
  2⤵
  PID:12432
- C:\Windows\System32\mbOmyGg.exe
  C:\Windows\System32\mbOmyGg.exe
  2⤵
  PID:12524
- C:\Windows\System32\Qyvdjku.exe
  C:\Windows\System32\Qyvdjku.exe
  2⤵
  PID:12592
- C:\Windows\System32\BywznLT.exe
  C:\Windows\System32\BywznLT.exe
  2⤵
  PID:12608
- C:\Windows\System32\KkoIVYr.exe
  C:\Windows\System32\KkoIVYr.exe
  2⤵
  PID:12672
- C:\Windows\System32\bQvFjCj.exe
  C:\Windows\System32\bQvFjCj.exe
  2⤵
  PID:4252
- C:\Windows\System32\nEVIfpo.exe
  C:\Windows\System32\nEVIfpo.exe
  2⤵
  PID:12820

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ARQABCR.exe

Filesize
1.2MB

MD5
fa0a43a4148228d487fd6df0e5320192

SHA1
990029d0e2689745b410a6b8f5ae22e547767731

SHA256
558b97cb00ba8c59e8a77271920bee0335d525ea56a9c999253f74250506d082

SHA512
ed79c93d0f0a1baf3ac5a6781bdfe7760ecbda976c7c5f5c7f53dea3eed8ab36f0c06cb9c66054fcc5bc5b3cb20689ad5740eb8cd77b03202c33b8fe62d374f7

Download Submit
C:\Windows\System32\BOOCZEc.exe

Filesize
1.2MB

MD5
bca3438253bc7b599cba3e93ced593c6

SHA1
228d44f1e83b708eb8907f840628876973d2fb83

SHA256
4dc6610dbe78d88c465dca91aa3a301f8cdfc7afcf47e2178dac7008855cfe95

SHA512
29ae0041ac640a30d237f1f172d8c431a6dc4999fe92a3997327ac38cb2ec3f0994dc82dbf5e380c62255aa82ca83fcd183030d6bbeb9c38bcb1dee8d599fca4

Download Submit
C:\Windows\System32\BnHBAgD.exe

Filesize
1.2MB

MD5
63d1a5518509c1e6f292e35d6f38e89a

SHA1
5e265ef98be94de992c8a91ef01a70997709acae

SHA256
3438aa37d83e2eca4485d1436f6d1c2a1d706ce7580e3b181effc7ae5b42337a

SHA512
3ec0480778ff9890171b8f9f5283d8001114a9a6f7dbdf15c397a0dcd2849f06cfb74b090810c4d4b4aa7df3a0b87328cf9e3227589cd04cc02c33598b6f4e21

Download Submit
C:\Windows\System32\BwuVqlx.exe

Filesize
1.2MB

MD5
069467429a5a83f5d0f97740b086157a

SHA1
2608c64ef3e453defbd01056f68b29fc7beba4bb

SHA256
4b5e842ed7bfc953247577a41ee71c7d226caf840bd11be2de0efade5b45ea0f

SHA512
2a70d5177c8165d7999d32668546cb5a4286a7f760a7cabebe6d1e293f216ba695e22976a16ede47c8c667d8ed6b3bcc1c722f45968bbd6a4ef0341692e9f225

Download Submit
C:\Windows\System32\CSnmhUz.exe

Filesize
1.2MB

MD5
0d2f5f802894d1932fe95b6f9eec6b76

SHA1
a1dbe0783720701675319a82749565292da7d948

SHA256
8361d63aefa3beff3994842b7129de3e3d713a858334a639e6b8705c5bc842bf

SHA512
d6f0c30e0cec5ddd12ff307e2be3ec767bb019a16b019da256a52ae60826dc16c69367ae2ed395d81ff9c1990707bb3990025bc34bfbd1821afa177a7c042233

Download Submit
C:\Windows\System32\ENihHKy.exe

Filesize
1.2MB

MD5
ad224875ea61cc3394acfd8ca82c9941

SHA1
f781ee0a074e971998792afb277d6203212119e3

SHA256
140fb4ebebf1475566a67f42f0641d4c50909752316dac33bf9c8c2cef9d4f9e

SHA512
170a6df734cf1459850698bf9271b276c9fc77e16d38bdf0973f7950a544d772827775a0043028dac6d997aed3a561a284e660a197f3333f5e7c5351abd02817

Download Submit
C:\Windows\System32\GfmcmJI.exe

Filesize
1.2MB

MD5
b085c846840a0db201732816755cc1bc

SHA1
c6f9eee7386078a2faf382c933aeb8b2115d00cb

SHA256
c3dfd463c5acf12429f09c1e134d13cf1ae01869c59644ccfd227aab8d7cf13c

SHA512
0c945a308b3d10733d9ad9e36385cae67382da1ecfc8a63affaa4fae5bf893826ed65cd7fe5540dd463e4cdb38380318e358393fff21eaf1f5d2d3128049a224

Download Submit
C:\Windows\System32\GtVAebZ.exe

Filesize
1.2MB

MD5
67a285995667c11c166157c62e905368

SHA1
b37b8e7042965ace047395b0e5913667060f3559

SHA256
037e64aee81b9f2ff9778b53920d131224b06fb62aafaa3c7676ea0712994b69

SHA512
58fd8e9be293a33f49bfb34cc4ceb8102118f9b757037e5664ab3f9c869bca29c90a6e661e14ea6e38d7bb45504fc3a1ea176c03ef76aa1738b3817544018aaf

Download Submit
C:\Windows\System32\HeqsPkY.exe

Filesize
1.2MB

MD5
4afdd225ad226afeccf7017d455bc98d

SHA1
2e4a365926aea653e0c227cd35744a724602f65d

SHA256
def1db6c23e62ba8f22ffb9ba10cd8a3a7a677ce08964bd2828aa973eae489e7

SHA512
389fbe2a92fb763318c693aa0fa6e048b2c499f4f2202dc148b100b9791eee7e43ac40f61d73dbb1c4accf308f36b28bab5a5763c71ce3eb341366ad5fb85c5c

Download Submit
C:\Windows\System32\KVADOfv.exe

Filesize
1.2MB

MD5
0e26bc68d734a02b60ad40dfa8e19c20

SHA1
127b345c450b75bbed81c65c39870a08e147c5cd

SHA256
f6e50e21adef9b35749479d6519ef60e517bf67389e0c6024a22593a99a74fd2

SHA512
492706e964beee9f00f7ce7b2f7cf7c09c061d0242e64138f5b800b996c0b7aa90a097b33fb779a4acaa83e44dbcd07ee64f6290e1fe37e06abefda77b2953a4

Download Submit
C:\Windows\System32\LNWJsZT.exe

Filesize
1.2MB

MD5
7c90b8e524e4bb632ee60021c0cdf0d4

SHA1
4e9f3a637f440cc478e811a0b4ecd23e57d377f8

SHA256
4c4ef6e1b42c42f395489fd9f7631dde4ac86b93ba196d84561028339a0fc84c

SHA512
8a32422d49371873146efc974819074aa566dc0e79fa3bfc4e0915737fd4430fe11e523ab310ada82fbfff1eae903b005212c949b7143efc45f48f99f87c3828

Download Submit
C:\Windows\System32\MbdOwGq.exe

Filesize
1.2MB

MD5
a5af05ad88b6327efd6659067f336cab

SHA1
15ada035f96441e0585dbb9df07bde5b0d98a524

SHA256
6b5d0fa9eedea82c037cce32f6701d898ef163c9141519a01bc529d96729d5a2

SHA512
6c474d9e5387bbc50d3f5157b5d92d9ae279eb9db74a25bb624b241294c5a49e585324dc4d5cde90a30f317da7e806fa9e1d5b153c3bfca5b4f0967915de1e6f

Download Submit
C:\Windows\System32\PRMjlgt.exe

Filesize
1.2MB

MD5
0df342ed10934204b6a3282824173262

SHA1
5730d1cf08bef0caeb1ad449819116562dc37bcb

SHA256
616c0e963e0984b70eab0a518cd4baa3aa85ce0c9ea52c5496d3c2ba6ebc2949

SHA512
501fc322d2782ee7ee0749822e366b7737bdbb00c2fe135c9f3704d064d41a8854fb9fe92d1d524a62cfaff91ad6b60c27f14f332d465feb8fb7cb9ca7a9b776

Download Submit
C:\Windows\System32\PzJtQLI.exe

Filesize
1.2MB

MD5
9b097a8ee88b5ec60e20cc24daff15db

SHA1
74348c11d87e28a9052d205ea7ccdfd14ebc3627

SHA256
49a90925286b9434af06afb069b75b8bd9c144ae47169f7cc5931d0ab7493004

SHA512
af03b7fa0900da4788f0af901bc2cb0de2689cd98709e020257b8c382c404dcdc853af0fd6b47daee78b6ab5528c229c61a7bd2c6b7c3262a3aa58a3955b195d

Download Submit
C:\Windows\System32\QnMfboT.exe

Filesize
1.2MB

MD5
1631b5c9d1f9f056af2b907d1ea47500

SHA1
c9e746d8a422aa3f3fa60d686474b0646e00978d

SHA256
78b3308514dbde0d724cf4bc08d2babfd517c952665181e167afeef7c92f4037

SHA512
391bf5157dd86912d115cbfc3d31b6b3e2ad307951857f1a0449c9477eb2361c6d274ee0fa6292c41c880b2fd1ee1e5ad4ad3d7947fa2d6fcd445a350183eeda

Download Submit
C:\Windows\System32\UebtDxw.exe

Filesize
1.2MB

MD5
ede4b0af7add9226c0cfa76125c6d524

SHA1
882f8a623a6d16f6b8a9ea1a17471c6837c91d0a

SHA256
079e2ab33c663998ff0d9f999f94b9662189dbd06eb15d4b41dc2800bc5c1aac

SHA512
e50f34573a26b05283c39ab88d42cf6f20582bdd87b4aa96847fc2c00ab9ea48b49a92b7dee339bf146af88f976e7dff0e7de5fbff2667a493e9feb9943a5fbf

Download Submit
C:\Windows\System32\VNCQcAF.exe

Filesize
1.2MB

MD5
c42ab4b387449fb6ad321c1a18c00838

SHA1
133f7e3228fb12d2bb01bdf6dc6fa35fdb6e42df

SHA256
e4be397eb72ebf24e039f3e64df3a751c1a20c7724068bbd43a938c4fef2750e

SHA512
3284d00c190d485bdbbd02b81c23fb34d71281060a8aa75170d49c784ac524eae490eb3e6e4a0213960634e135df2294d508a1431f732fed290c5009c153b70e

Download Submit
C:\Windows\System32\VxVADBY.exe

Filesize
1.2MB

MD5
2abd5528ad253ac4d7a292070da98c15

SHA1
00bd8053daf4a0e75927313a962b1d42e79e3d88

SHA256
7f6e821b17d88f1b67d1a2dc420c8dfda9e7a6b9652c304d6a3df7b643d15df9

SHA512
0061d84112b865b8225c97f19f1ca55fc2b5feac8432ddac996743317166866384d2f7158802a05ff2de14a732a2ee7e8f3f236ea280b3c54ea55f5a59732dbe

Download Submit
C:\Windows\System32\XWoBIui.exe

Filesize
1.2MB

MD5
7aa34019f2ded9eac526d494bf5b479d

SHA1
4d5d54f9b1c6735a54dfebdb47f64330bfcea10f

SHA256
7028931972e50a8ed27c17b8f82591a3bba3aab76e34db669715c0cd249dc4a0

SHA512
c18223471312f37b023f2363a37d57d1393644162177cfef829eb4972e2617d36fc38567cf5f48488b4f0a88adde42166d0f11a855076d4f877501ca28a3598d

Download Submit
C:\Windows\System32\YnquLwi.exe

Filesize
1.2MB

MD5
00e7b5754ef609ebd67ba9ba85545742

SHA1
871a523d55a34f2bb1f4e68cf94332882d481cf2

SHA256
245683e439ce1ceb2f08513bb74a82ee434250421400fe590ac6d666e22d6c79

SHA512
dbd7cd007658f8050018081b6b4b839a26f30f0e9bb0bfca602bd3a86e2d35c84ba08a17552da102cbdc035740a6559abda1dc9a2daa0d0c391eeca6bf9ac631

Download Submit
C:\Windows\System32\ZgfGQjk.exe

Filesize
1.2MB

MD5
a8cf37287efee08ed4052436342a5e1b

SHA1
1d3c356134ce10a372d46c1296bf65da8058a4b3

SHA256
a602fec28f24ab2e95f3f74a95e1bee59ad9de3c551aa03216a9773071bb8456

SHA512
c903e8c09cb9b015150be3a68a2709ca19da005106df7d25e258702ad448d852592f214357c7f98948bd060871bddbdd4f76ab9ca5ea26d1e79129967726732e

Download Submit
C:\Windows\System32\bTDuZFJ.exe

Filesize
1.2MB

MD5
93b62be1cb69efa42ced8c9d559b16c1

SHA1
1a3395dc619058f45eaa15e1774853c704fd99ed

SHA256
a01a743e5276ca0c7f0c795c401e329796d999a89818dcad2b45c15ae059b9e1

SHA512
504b8dbee3257ae7a61c7be03925e4b6bd80e74eb38f441588a7a3f58b224e3e729c263cd75be2838a0e0caa8c62fb07a08bf98390c2c0cbcd8109402265012e

Download Submit
C:\Windows\System32\mdqmVRo.exe

Filesize
1.2MB

MD5
79933fa33cec40d7f63c83b8e841e899

SHA1
72b81a70e8b2f56e3392e58d1aea335f3a2e95e0

SHA256
8ca6809eeab7745c37e0883d7ce58e04d28a01200de4e1da06e2f097868b6486

SHA512
32ac72e18c43e42e4dc8e388e3f574bb1b765ec13d46c5d5cf87df38f3b47f3c2dd0f6177dd63f6d5ea90c8cbdfc178c6580709b972394172b2516fba5edca4b

Download Submit
C:\Windows\System32\nKbmAtc.exe

Filesize
1.2MB

MD5
f06c9c081fa84433321043ba1ae2b465

SHA1
318c826d53f2cbba7e83236be452cb9fe35c1743

SHA256
c3b40b988872efbe101d7bc67ae1f164f97ca6d4426d676b29eef4f2442a04c8

SHA512
2c32866ee7a2370f9c109d6c02a8e94f1c5a8c9c51966b0edf7b1a97107df0d8b1bd953e2b7a900f93a7b1499494d1812f76cb83ff219f71c38ada6d6555df00

Download Submit
C:\Windows\System32\pAWgQzh.exe

Filesize
1.2MB

MD5
a9ffa8e300dc02dd5c1ba0f93c9c7907

SHA1
f01961136e8aed48e509fc85101f229f08f27d71

SHA256
1684f5ecade79967de7a2e7cfcc1d2a3f1584de3b7ab1d80549c30ab1fe4430d

SHA512
6ae9a987cdae9431872278eccd4aea9277004a4fd1406cf2a5d4ac393d9fb834da5b2957e4a7d1a347ad6f100c22fe3957eb57b1f9f944b6448a1d2e571b8b91

Download Submit
C:\Windows\System32\pCfsmgV.exe

Filesize
1.2MB

MD5
8c49b6066f742787e33b3b58572814a4

SHA1
519b7be8735abb1aba0f3a310a4785dd49e87473

SHA256
0b290130ae62a44e54116865b117227303ff8d1221d8be2c20439701355a93ca

SHA512
0e159766fbea7078def0781855ac376800e7b16445a71d91ebf80ffa0e69bf0e3fd3aca7a9d7efe551274797fc6099e5b8f1cd6efb4bc07e31f62bf39ac9fd17

Download Submit
C:\Windows\System32\qGSYqUI.exe

Filesize
1.2MB

MD5
2de4115f93d74ef9258b558af0862ec5

SHA1
3e5f1aa0473746baf673d9ca01237b57e29f0c38

SHA256
b81e934124927e070f94cab021fe8ae2d9a115771e278c7764e8b00db6122ccd

SHA512
06a17a0c54ee801a26dfa3a29c82dc056a598570d9e378b9240da313b222cf197d085eb2ec0096ee803775aa1a43849ca0367cb08cc0f353760057162d1dc567

Download Submit
C:\Windows\System32\sfUNura.exe

Filesize
1.2MB

MD5
aafd76303542ab98d974e7eafd4e3abe

SHA1
cb5fbbdf481fbe0aa5e6660439469a4557156674

SHA256
c1491fce82df6cb114958923981a6183afd17b5aff2629430d1ab073c999c7ce

SHA512
72b86eec584940e7cecfd9d9570a078e98fc7a9bc7bc156dbc7c1ffd2ad73a00cbbb761582e5a17098b36261192efd583b5d4defe20c1d173649df4d3a5faa29

Download Submit
C:\Windows\System32\szSaLls.exe

Filesize
1.2MB

MD5
8a7d1a18988aca44b168212124570c34

SHA1
dd1d6207f567a93af64fd05d620c54675cbb4c62

SHA256
2c8deb6dfe61cdc694571e1af01e928d3d35ac1da593fa12bc3f7893bf06ee3e

SHA512
8468c3c5044689653926b38f440ea6629144608f4a79d95229fb2dcbb30c183fff9957eba6ffefb3f1dfe4114989aeedd3197f4072d6fff750676e92a1c71f86

Download Submit
C:\Windows\System32\wWXMswa.exe

Filesize
1.2MB

MD5
cf0268c915e20967fcefe435671e2a70

SHA1
17490092f98bf60efb26d45a3e6eb559446edb0f

SHA256
87f2d2d3e6a00c890cf700b6e8cb33d4edf4c11ae8aec2a07ac58b17abc97136

SHA512
dd8b2180e37f56370c9675dc0bb1e8a88f1d66f893be467f5c2bd40fe0c5648a08d57801e7f87c07f7c8e34aecc686528653ccbcb88cf20d648dcd7ce5a14db7

Download Submit
C:\Windows\System32\wXbNjAB.exe

Filesize
1.2MB

MD5
7a5a86272bcd9dc18bfc28dfe6b6efc8

SHA1
0a332821764fac9598eac3abcc904523b6af26aa

SHA256
37a57129b46d3a3940f1e3d9f809660ead2d03a01abc6cf0cd49c4c8df890aaa

SHA512
bd73ef29fe49eedfd3ce860fbef52ae6468ed66d70b55e8054f0c88a9b02dd0040f280d4a1d29ad2ec0470c69b5fae216e0e7eee3532bae696e37e43d067d338

Download Submit
C:\Windows\System32\yWTBSUZ.exe

Filesize
1.2MB

MD5
07f8c659cdb3e090fa1da7988adbf8cc

SHA1
d98ba316159a43aeb75f811a844f2cebd17823e9

SHA256
9fe6671bb392e48b5f9139e12716b16ffa95530a158a421ad463145dbb008f14

SHA512
190620ab385087e719fc2ca532a43605e80ba5df2cc407b417a6e3f72b522a4c31509128b9368c8eb8a16002407bab3adc6ae240154fd3f86cc2887208ac22f4

Download Submit
memory/844-397-0x00007FF7018C0000-0x00007FF701CB1000-memory.dmp

Filesize
3.9MB

Download
memory/844-2054-0x00007FF7018C0000-0x00007FF701CB1000-memory.dmp

Filesize
3.9MB

Download
memory/980-383-0x00007FF7FA3B0000-0x00007FF7FA7A1000-memory.dmp

Filesize
3.9MB

Download
memory/980-2045-0x00007FF7FA3B0000-0x00007FF7FA7A1000-memory.dmp

Filesize
3.9MB

Download
memory/1328-25-0x00007FF7528C0000-0x00007FF752CB1000-memory.dmp

Filesize
3.9MB

Download
memory/1328-2031-0x00007FF7528C0000-0x00007FF752CB1000-memory.dmp

Filesize
3.9MB

Download
memory/1648-387-0x00007FF78BED0000-0x00007FF78C2C1000-memory.dmp

Filesize
3.9MB

Download
memory/1648-2064-0x00007FF78BED0000-0x00007FF78C2C1000-memory.dmp

Filesize
3.9MB

Download
memory/1932-400-0x00007FF6445A0000-0x00007FF644991000-memory.dmp

Filesize
3.9MB

Download
memory/1932-2057-0x00007FF6445A0000-0x00007FF644991000-memory.dmp

Filesize
3.9MB

Download
memory/1968-380-0x00007FF69C640000-0x00007FF69CA31000-memory.dmp

Filesize
3.9MB

Download
memory/1968-2037-0x00007FF69C640000-0x00007FF69CA31000-memory.dmp

Filesize
3.9MB

Download
memory/2688-2047-0x00007FF74D910000-0x00007FF74DD01000-memory.dmp

Filesize
3.9MB

Download
memory/2688-385-0x00007FF74D910000-0x00007FF74DD01000-memory.dmp

Filesize
3.9MB

Download
memory/2784-2066-0x00007FF731630000-0x00007FF731A21000-memory.dmp

Filesize
3.9MB

Download
memory/2784-440-0x00007FF731630000-0x00007FF731A21000-memory.dmp

Filesize
3.9MB

Download
memory/2904-2088-0x00007FF7D7680000-0x00007FF7D7A71000-memory.dmp

Filesize
3.9MB

Download
memory/2904-435-0x00007FF7D7680000-0x00007FF7D7A71000-memory.dmp

Filesize
3.9MB

Download
memory/3608-2055-0x00007FF79E8D0000-0x00007FF79ECC1000-memory.dmp

Filesize
3.9MB

Download
memory/3608-392-0x00007FF79E8D0000-0x00007FF79ECC1000-memory.dmp

Filesize
3.9MB

Download
memory/3632-2049-0x00007FF606650000-0x00007FF606A41000-memory.dmp

Filesize
3.9MB

Download
memory/3632-384-0x00007FF606650000-0x00007FF606A41000-memory.dmp

Filesize
3.9MB

Download
memory/3720-11-0x00007FF65F670000-0x00007FF65FA61000-memory.dmp

Filesize
3.9MB

Download
memory/3720-2027-0x00007FF65F670000-0x00007FF65FA61000-memory.dmp

Filesize
3.9MB

Download
memory/3772-2043-0x00007FF63F490000-0x00007FF63F881000-memory.dmp

Filesize
3.9MB

Download
memory/3772-382-0x00007FF63F490000-0x00007FF63F881000-memory.dmp

Filesize
3.9MB

Download
memory/3848-2056-0x00007FF64C950000-0x00007FF64CD41000-memory.dmp

Filesize
3.9MB

Download
memory/3848-386-0x00007FF64C950000-0x00007FF64CD41000-memory.dmp

Filesize
3.9MB

Download
memory/4092-377-0x00007FF720390000-0x00007FF720781000-memory.dmp

Filesize
3.9MB

Download
memory/4092-2029-0x00007FF720390000-0x00007FF720781000-memory.dmp

Filesize
3.9MB

Download
memory/4200-0-0x00007FF761170000-0x00007FF761561000-memory.dmp

Filesize
3.9MB

Download
memory/4200-1964-0x00007FF761170000-0x00007FF761561000-memory.dmp

Filesize
3.9MB

Download
memory/4200-1-0x000001B431130000-0x000001B431140000-memory.dmp

Filesize
64KB

Download
memory/4220-2086-0x00007FF6DD1E0000-0x00007FF6DD5D1000-memory.dmp

Filesize
3.9MB

Download
memory/4220-414-0x00007FF6DD1E0000-0x00007FF6DD5D1000-memory.dmp

Filesize
3.9MB

Download
memory/4304-461-0x00007FF6A5440000-0x00007FF6A5831000-memory.dmp

Filesize
3.9MB

Download
memory/4304-2059-0x00007FF6A5440000-0x00007FF6A5831000-memory.dmp

Filesize
3.9MB

Download
memory/4508-2025-0x00007FF6F4440000-0x00007FF6F4831000-memory.dmp

Filesize
3.9MB

Download
memory/4508-8-0x00007FF6F4440000-0x00007FF6F4831000-memory.dmp

Filesize
3.9MB

Download
memory/4584-468-0x00007FF624390000-0x00007FF624781000-memory.dmp

Filesize
3.9MB

Download
memory/4584-2093-0x00007FF624390000-0x00007FF624781000-memory.dmp

Filesize
3.9MB

Download
memory/4660-2065-0x00007FF6120A0000-0x00007FF612491000-memory.dmp

Filesize
3.9MB

Download
memory/4660-411-0x00007FF6120A0000-0x00007FF612491000-memory.dmp

Filesize
3.9MB

Download
memory/4708-378-0x00007FF795630000-0x00007FF795A21000-memory.dmp

Filesize
3.9MB

Download
memory/4708-2035-0x00007FF795630000-0x00007FF795A21000-memory.dmp

Filesize
3.9MB

Download
memory/4736-471-0x00007FF762D90000-0x00007FF763181000-memory.dmp

Filesize
3.9MB

Download
memory/4736-2033-0x00007FF762D90000-0x00007FF763181000-memory.dmp

Filesize
3.9MB

Download
memory/4824-379-0x00007FF6850D0000-0x00007FF6854C1000-memory.dmp

Filesize
3.9MB

Download
memory/4824-2039-0x00007FF6850D0000-0x00007FF6854C1000-memory.dmp

Filesize
3.9MB

Download
memory/5028-381-0x00007FF65AF10000-0x00007FF65B301000-memory.dmp

Filesize
3.9MB

Download
memory/5028-2041-0x00007FF65AF10000-0x00007FF65B301000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads