xmrig | c721a24adb8e4bec06347e51cba9994f2a681364acdeba5eb726b9cf22d76ebb

Analysis

max time kernel
98s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 02:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
Size

1.7MB
MD5

0af59a59d8156a6034bac3e012832e26
SHA1

fcd9edb6c59aed09f72d0e9e7cd4dd0b2052f225
SHA256

c721a24adb8e4bec06347e51cba9994f2a681364acdeba5eb726b9cf22d76ebb
SHA512

b34f8d1827c55998619cadee022ac39ba9da6b1302c49b6b128fedd8446a02189fb5c250b552ccdc133408b14c376c66027c5fe20aa0d031228de67a4929470f
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO9C1MKTbcMfHhGjw2Do+BRrCfULfq:knw9oUUEEDlGUjc2HhG82DiGq

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1792-33-0x00007FF6112B0000-0x00007FF6116A1000-memory.dmp	xmrig
behavioral2/memory/4080-440-0x00007FF73EFD0000-0x00007FF73F3C1000-memory.dmp	xmrig
behavioral2/memory/1988-442-0x00007FF6392F0000-0x00007FF6396E1000-memory.dmp	xmrig
behavioral2/memory/1040-441-0x00007FF742560000-0x00007FF742951000-memory.dmp	xmrig
behavioral2/memory/860-444-0x00007FF6A2D10000-0x00007FF6A3101000-memory.dmp	xmrig
behavioral2/memory/440-445-0x00007FF748610000-0x00007FF748A01000-memory.dmp	xmrig
behavioral2/memory/2060-443-0x00007FF7D4E80000-0x00007FF7D5271000-memory.dmp	xmrig
behavioral2/memory/3388-452-0x00007FF7EFC90000-0x00007FF7F0081000-memory.dmp	xmrig
behavioral2/memory/2920-457-0x00007FF720DF0000-0x00007FF7211E1000-memory.dmp	xmrig
behavioral2/memory/4384-464-0x00007FF7EF3B0000-0x00007FF7EF7A1000-memory.dmp	xmrig
behavioral2/memory/4880-489-0x00007FF6A14D0000-0x00007FF6A18C1000-memory.dmp	xmrig
behavioral2/memory/3944-488-0x00007FF686660000-0x00007FF686A51000-memory.dmp	xmrig
behavioral2/memory/624-519-0x00007FF68F6B0000-0x00007FF68FAA1000-memory.dmp	xmrig
behavioral2/memory/1632-515-0x00007FF770080000-0x00007FF770471000-memory.dmp	xmrig
behavioral2/memory/1172-512-0x00007FF6ED430000-0x00007FF6ED821000-memory.dmp	xmrig
behavioral2/memory/4924-505-0x00007FF7879F0000-0x00007FF787DE1000-memory.dmp	xmrig
behavioral2/memory/2988-494-0x00007FF77BB70000-0x00007FF77BF61000-memory.dmp	xmrig
behavioral2/memory/1624-480-0x00007FF650BD0000-0x00007FF650FC1000-memory.dmp	xmrig
behavioral2/memory/2728-476-0x00007FF6ED220000-0x00007FF6ED611000-memory.dmp	xmrig
behavioral2/memory/3652-472-0x00007FF68E630000-0x00007FF68EA21000-memory.dmp	xmrig
behavioral2/memory/5112-475-0x00007FF777B50000-0x00007FF777F41000-memory.dmp	xmrig
behavioral2/memory/4068-1998-0x00007FF6E5470000-0x00007FF6E5861000-memory.dmp	xmrig
behavioral2/memory/1692-1999-0x00007FF7DA440000-0x00007FF7DA831000-memory.dmp	xmrig
behavioral2/memory/2092-2004-0x00007FF6F2990000-0x00007FF6F2D81000-memory.dmp	xmrig
behavioral2/memory/4068-2006-0x00007FF6E5470000-0x00007FF6E5861000-memory.dmp	xmrig
behavioral2/memory/1692-2008-0x00007FF7DA440000-0x00007FF7DA831000-memory.dmp	xmrig
behavioral2/memory/1040-2016-0x00007FF742560000-0x00007FF742951000-memory.dmp	xmrig
behavioral2/memory/2060-2024-0x00007FF7D4E80000-0x00007FF7D5271000-memory.dmp	xmrig
behavioral2/memory/860-2026-0x00007FF6A2D10000-0x00007FF6A3101000-memory.dmp	xmrig
behavioral2/memory/1988-2022-0x00007FF6392F0000-0x00007FF6396E1000-memory.dmp	xmrig
behavioral2/memory/4080-2014-0x00007FF73EFD0000-0x00007FF73F3C1000-memory.dmp	xmrig
behavioral2/memory/624-2020-0x00007FF68F6B0000-0x00007FF68FAA1000-memory.dmp	xmrig
behavioral2/memory/1632-2018-0x00007FF770080000-0x00007FF770471000-memory.dmp	xmrig
behavioral2/memory/2092-2012-0x00007FF6F2990000-0x00007FF6F2D81000-memory.dmp	xmrig
behavioral2/memory/1792-2010-0x00007FF6112B0000-0x00007FF6116A1000-memory.dmp	xmrig
behavioral2/memory/3944-2045-0x00007FF686660000-0x00007FF686A51000-memory.dmp	xmrig
behavioral2/memory/3652-2072-0x00007FF68E630000-0x00007FF68EA21000-memory.dmp	xmrig
behavioral2/memory/4924-2052-0x00007FF7879F0000-0x00007FF787DE1000-memory.dmp	xmrig
behavioral2/memory/1172-2050-0x00007FF6ED430000-0x00007FF6ED821000-memory.dmp	xmrig
behavioral2/memory/2988-2048-0x00007FF77BB70000-0x00007FF77BF61000-memory.dmp	xmrig
behavioral2/memory/2920-2043-0x00007FF720DF0000-0x00007FF7211E1000-memory.dmp	xmrig
behavioral2/memory/4880-2041-0x00007FF6A14D0000-0x00007FF6A18C1000-memory.dmp	xmrig
behavioral2/memory/3388-2039-0x00007FF7EFC90000-0x00007FF7F0081000-memory.dmp	xmrig
behavioral2/memory/1624-2037-0x00007FF650BD0000-0x00007FF650FC1000-memory.dmp	xmrig
behavioral2/memory/440-2035-0x00007FF748610000-0x00007FF748A01000-memory.dmp	xmrig
behavioral2/memory/5112-2033-0x00007FF777B50000-0x00007FF777F41000-memory.dmp	xmrig
behavioral2/memory/2728-2032-0x00007FF6ED220000-0x00007FF6ED611000-memory.dmp	xmrig
behavioral2/memory/4384-2028-0x00007FF7EF3B0000-0x00007FF7EF7A1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4068	YIQAwMF.exe
1692	hnwvdFD.exe
1792	OJrGGpL.exe
1632	xKnDaxw.exe
2092	GOIHytt.exe
4080	cSwSiis.exe
1040	vNxyxeP.exe
624	XepMaik.exe
1988	qtxaOXv.exe
2060	CyGTyDh.exe
860	JmkGaTp.exe
440	jDRolbZ.exe
3388	UsPVmFl.exe
2920	mHRTPBU.exe
4384	PJEVxkE.exe
3652	QjetQdp.exe
5112	XymMaob.exe
2728	VgyVuHG.exe
1624	uohvqyA.exe
3944	yaYbGFi.exe
4880	bLMKpCp.exe
2988	NpayJTv.exe
4924	YSZkwdC.exe
1172	gZuBdMI.exe
1236	QTnBeih.exe
4304	JLQCcWJ.exe
1060	ESGBwhR.exe
3220	DPMcPxP.exe
3000	WJEykMH.exe
4600	UursJAd.exe
2512	QVOJIPB.exe
4732	QjDSFnc.exe
3552	GfJBiFE.exe
4624	ZPjMgcE.exe
4416	iEcvCtp.exe
1056	UBpkRjC.exe
2072	QebHZMm.exe
1688	YJzMUNR.exe
3720	RBzEfBx.exe
4712	nCHuknr.exe
2140	hARxyQU.exe
4232	pmgRgEz.exe
2364	vdFIbyw.exe
2004	NjqplKu.exe
4312	AVURZeD.exe
2436	mVRJcaY.exe
864	YCgsSOg.exe
5092	LIUTsem.exe
3424	oCdKWir.exe
2996	tazrtAB.exe
4484	rWlArij.exe
2124	cxIWxGP.exe
4828	KTsokgw.exe
4500	DvGOTBn.exe
4672	BJrlZRU.exe
4908	QYuMzMQ.exe
4996	SUTHjqC.exe
3248	WhSAZvy.exe
5084	vczUYCv.exe
3864	GhmYNiR.exe
388	dAPmMTV.exe
428	GkuPivc.exe
1332	bcwZBDD.exe
2468	ipKJigp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4528-0-0x00007FF676EB0000-0x00007FF6772A1000-memory.dmp	upx
behavioral2/files/0x000c000000023b93-5.dat	upx
behavioral2/files/0x000a000000023b99-14.dat	upx
behavioral2/files/0x000a000000023b9b-29.dat	upx
behavioral2/files/0x000a000000023b9e-46.dat	upx
behavioral2/files/0x000a000000023b9f-50.dat	upx
behavioral2/files/0x000a000000023ba0-55.dat	upx
behavioral2/files/0x000a000000023ba1-60.dat	upx
behavioral2/files/0x000a000000023ba3-68.dat	upx
behavioral2/files/0x000a000000023ba6-83.dat	upx
behavioral2/files/0x000a000000023ba8-93.dat	upx
behavioral2/files/0x000a000000023baa-103.dat	upx
behavioral2/files/0x000a000000023bac-115.dat	upx
behavioral2/files/0x000a000000023bb1-140.dat	upx
behavioral2/files/0x000a000000023bb3-150.dat	upx
behavioral2/files/0x000a000000023bb6-165.dat	upx
behavioral2/files/0x000a000000023bb5-160.dat	upx
behavioral2/files/0x000a000000023bb4-156.dat	upx
behavioral2/files/0x000a000000023bb2-146.dat	upx
behavioral2/files/0x000a000000023bb0-135.dat	upx
behavioral2/files/0x000a000000023baf-130.dat	upx
behavioral2/files/0x000a000000023bae-125.dat	upx
behavioral2/files/0x000a000000023bad-120.dat	upx
behavioral2/files/0x000a000000023bab-110.dat	upx
behavioral2/files/0x000a000000023ba9-100.dat	upx
behavioral2/files/0x000a000000023ba7-90.dat	upx
behavioral2/files/0x000a000000023ba5-80.dat	upx
behavioral2/files/0x000a000000023ba4-75.dat	upx
behavioral2/files/0x000a000000023ba2-65.dat	upx
behavioral2/memory/2092-42-0x00007FF6F2990000-0x00007FF6F2D81000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-39.dat	upx
behavioral2/files/0x000a000000023b9a-36.dat	upx
behavioral2/files/0x000a000000023b9c-35.dat	upx
behavioral2/memory/1792-33-0x00007FF6112B0000-0x00007FF6116A1000-memory.dmp	upx
behavioral2/memory/1692-32-0x00007FF7DA440000-0x00007FF7DA831000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-19.dat	upx
behavioral2/memory/4068-9-0x00007FF6E5470000-0x00007FF6E5861000-memory.dmp	upx
behavioral2/memory/4080-440-0x00007FF73EFD0000-0x00007FF73F3C1000-memory.dmp	upx
behavioral2/memory/1988-442-0x00007FF6392F0000-0x00007FF6396E1000-memory.dmp	upx
behavioral2/memory/1040-441-0x00007FF742560000-0x00007FF742951000-memory.dmp	upx
behavioral2/memory/860-444-0x00007FF6A2D10000-0x00007FF6A3101000-memory.dmp	upx
behavioral2/memory/440-445-0x00007FF748610000-0x00007FF748A01000-memory.dmp	upx
behavioral2/memory/2060-443-0x00007FF7D4E80000-0x00007FF7D5271000-memory.dmp	upx
behavioral2/memory/3388-452-0x00007FF7EFC90000-0x00007FF7F0081000-memory.dmp	upx
behavioral2/memory/2920-457-0x00007FF720DF0000-0x00007FF7211E1000-memory.dmp	upx
behavioral2/memory/4384-464-0x00007FF7EF3B0000-0x00007FF7EF7A1000-memory.dmp	upx
behavioral2/memory/4880-489-0x00007FF6A14D0000-0x00007FF6A18C1000-memory.dmp	upx
behavioral2/memory/3944-488-0x00007FF686660000-0x00007FF686A51000-memory.dmp	upx
behavioral2/memory/624-519-0x00007FF68F6B0000-0x00007FF68FAA1000-memory.dmp	upx
behavioral2/memory/1632-515-0x00007FF770080000-0x00007FF770471000-memory.dmp	upx
behavioral2/memory/1172-512-0x00007FF6ED430000-0x00007FF6ED821000-memory.dmp	upx
behavioral2/memory/4924-505-0x00007FF7879F0000-0x00007FF787DE1000-memory.dmp	upx
behavioral2/memory/2988-494-0x00007FF77BB70000-0x00007FF77BF61000-memory.dmp	upx
behavioral2/memory/1624-480-0x00007FF650BD0000-0x00007FF650FC1000-memory.dmp	upx
behavioral2/memory/2728-476-0x00007FF6ED220000-0x00007FF6ED611000-memory.dmp	upx
behavioral2/memory/3652-472-0x00007FF68E630000-0x00007FF68EA21000-memory.dmp	upx
behavioral2/memory/5112-475-0x00007FF777B50000-0x00007FF777F41000-memory.dmp	upx
behavioral2/memory/4068-1998-0x00007FF6E5470000-0x00007FF6E5861000-memory.dmp	upx
behavioral2/memory/1692-1999-0x00007FF7DA440000-0x00007FF7DA831000-memory.dmp	upx
behavioral2/memory/2092-2004-0x00007FF6F2990000-0x00007FF6F2D81000-memory.dmp	upx
behavioral2/memory/4068-2006-0x00007FF6E5470000-0x00007FF6E5861000-memory.dmp	upx
behavioral2/memory/1692-2008-0x00007FF7DA440000-0x00007FF7DA831000-memory.dmp	upx
behavioral2/memory/1040-2016-0x00007FF742560000-0x00007FF742951000-memory.dmp	upx
behavioral2/memory/2060-2024-0x00007FF7D4E80000-0x00007FF7D5271000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\eGgMavR.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\cYOdokc.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\YDJLYHZ.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\VkKjILx.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\bQZIMnM.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\tlJGaMo.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\mgupQcF.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\mcbgawQ.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\KTsokgw.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\jyWqmJu.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\UsPVmFl.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\YOgNeHN.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\RWFPKzP.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\jzdDPVh.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\qegOZrZ.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\BJrlZRU.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\sSBEhCh.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\mIcqeNy.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\cZxVnfR.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\FGcJuzU.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\hARxyQU.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\JniYtbz.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\YBSTMxr.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\rBMNycc.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\cmAxZeT.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\buBCgjb.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\BHgEcBu.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\vdENipX.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\CDjThjV.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\GHFuBCI.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\eeovUSn.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\ezSfrxy.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\LzrSPuA.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\rkxvcqC.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\FkhgnhB.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\bRrWAGp.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\hOvhzCx.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\qGKTqCX.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\ToWJmZG.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\bLdrZit.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\FyecoFv.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\QTzolWK.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\cxIWxGP.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\RYixWaO.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\GCXHvrU.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\qiFBMzM.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\gMyXmGE.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\gxyjNXw.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\rWlArij.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\ctxWbKJ.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\ThoBSpN.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\pmgRgEz.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\QLRvoVK.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\mQIIFJU.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\wMzYZSM.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\XxCGpMV.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\LXjuJnU.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\xCZybtN.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\Vzhrvmj.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\DYMBJBA.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\svrOpNG.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\DHeCYKW.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\dbWlngV.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
File created	C:\Windows\System32\VRBxapK.exe	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	3452	dwm.exe
Token: SeChangeNotifyPrivilege	3452	dwm.exe
Token: 33	3452	dwm.exe
Token: SeIncBasePriorityPrivilege	3452	dwm.exe
Token: SeShutdownPrivilege	3452	dwm.exe
Token: SeCreatePagefilePrivilege	3452	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4068	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	84
PID 4528 wrote to memory of 4068	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	84
PID 4528 wrote to memory of 1692	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	85
PID 4528 wrote to memory of 1692	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	85
PID 4528 wrote to memory of 1792	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	86
PID 4528 wrote to memory of 1792	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	86
PID 4528 wrote to memory of 1632	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	87
PID 4528 wrote to memory of 1632	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	87
PID 4528 wrote to memory of 4080	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	88
PID 4528 wrote to memory of 4080	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	88
PID 4528 wrote to memory of 1040	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	89
PID 4528 wrote to memory of 1040	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	89
PID 4528 wrote to memory of 2092	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	90
PID 4528 wrote to memory of 2092	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	90
PID 4528 wrote to memory of 624	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	91
PID 4528 wrote to memory of 624	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	91
PID 4528 wrote to memory of 1988	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	92
PID 4528 wrote to memory of 1988	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	92
PID 4528 wrote to memory of 2060	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	93
PID 4528 wrote to memory of 2060	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	93
PID 4528 wrote to memory of 860	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	94
PID 4528 wrote to memory of 860	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	94
PID 4528 wrote to memory of 440	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	95
PID 4528 wrote to memory of 440	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	95
PID 4528 wrote to memory of 3388	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	96
PID 4528 wrote to memory of 3388	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	96
PID 4528 wrote to memory of 2920	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	97
PID 4528 wrote to memory of 2920	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	97
PID 4528 wrote to memory of 4384	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	98
PID 4528 wrote to memory of 4384	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	98
PID 4528 wrote to memory of 3652	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	99
PID 4528 wrote to memory of 3652	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	99
PID 4528 wrote to memory of 5112	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	100
PID 4528 wrote to memory of 5112	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	100
PID 4528 wrote to memory of 2728	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	101
PID 4528 wrote to memory of 2728	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	101
PID 4528 wrote to memory of 1624	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	102
PID 4528 wrote to memory of 1624	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	102
PID 4528 wrote to memory of 3944	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	103
PID 4528 wrote to memory of 3944	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	103
PID 4528 wrote to memory of 4880	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	104
PID 4528 wrote to memory of 4880	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	104
PID 4528 wrote to memory of 2988	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	105
PID 4528 wrote to memory of 2988	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	105
PID 4528 wrote to memory of 4924	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	106
PID 4528 wrote to memory of 4924	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	106
PID 4528 wrote to memory of 1172	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	107
PID 4528 wrote to memory of 1172	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	107
PID 4528 wrote to memory of 1236	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	108
PID 4528 wrote to memory of 1236	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	108
PID 4528 wrote to memory of 4304	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	109
PID 4528 wrote to memory of 4304	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	109
PID 4528 wrote to memory of 1060	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	110
PID 4528 wrote to memory of 1060	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	110
PID 4528 wrote to memory of 3220	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	111
PID 4528 wrote to memory of 3220	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	111
PID 4528 wrote to memory of 3000	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	112
PID 4528 wrote to memory of 3000	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	112
PID 4528 wrote to memory of 4600	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	113
PID 4528 wrote to memory of 4600	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	113
PID 4528 wrote to memory of 2512	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	114
PID 4528 wrote to memory of 2512	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	114
PID 4528 wrote to memory of 4732	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	115
PID 4528 wrote to memory of 4732	4528	0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0af59a59d8156a6034bac3e012832e26_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\System32\YIQAwMF.exe
  C:\Windows\System32\YIQAwMF.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System32\hnwvdFD.exe
  C:\Windows\System32\hnwvdFD.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System32\OJrGGpL.exe
  C:\Windows\System32\OJrGGpL.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System32\xKnDaxw.exe
  C:\Windows\System32\xKnDaxw.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System32\cSwSiis.exe
  C:\Windows\System32\cSwSiis.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\vNxyxeP.exe
  C:\Windows\System32\vNxyxeP.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System32\GOIHytt.exe
  C:\Windows\System32\GOIHytt.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System32\XepMaik.exe
  C:\Windows\System32\XepMaik.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\qtxaOXv.exe
  C:\Windows\System32\qtxaOXv.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System32\CyGTyDh.exe
  C:\Windows\System32\CyGTyDh.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System32\JmkGaTp.exe
  C:\Windows\System32\JmkGaTp.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System32\jDRolbZ.exe
  C:\Windows\System32\jDRolbZ.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\UsPVmFl.exe
  C:\Windows\System32\UsPVmFl.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System32\mHRTPBU.exe
  C:\Windows\System32\mHRTPBU.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System32\PJEVxkE.exe
  C:\Windows\System32\PJEVxkE.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\QjetQdp.exe
  C:\Windows\System32\QjetQdp.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\XymMaob.exe
  C:\Windows\System32\XymMaob.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\VgyVuHG.exe
  C:\Windows\System32\VgyVuHG.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System32\uohvqyA.exe
  C:\Windows\System32\uohvqyA.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\yaYbGFi.exe
  C:\Windows\System32\yaYbGFi.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\bLMKpCp.exe
  C:\Windows\System32\bLMKpCp.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\NpayJTv.exe
  C:\Windows\System32\NpayJTv.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\YSZkwdC.exe
  C:\Windows\System32\YSZkwdC.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\gZuBdMI.exe
  C:\Windows\System32\gZuBdMI.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System32\QTnBeih.exe
  C:\Windows\System32\QTnBeih.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System32\JLQCcWJ.exe
  C:\Windows\System32\JLQCcWJ.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\ESGBwhR.exe
  C:\Windows\System32\ESGBwhR.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System32\DPMcPxP.exe
  C:\Windows\System32\DPMcPxP.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\WJEykMH.exe
  C:\Windows\System32\WJEykMH.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\UursJAd.exe
  C:\Windows\System32\UursJAd.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\QVOJIPB.exe
  C:\Windows\System32\QVOJIPB.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System32\QjDSFnc.exe
  C:\Windows\System32\QjDSFnc.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\GfJBiFE.exe
  C:\Windows\System32\GfJBiFE.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\ZPjMgcE.exe
  C:\Windows\System32\ZPjMgcE.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System32\iEcvCtp.exe
  C:\Windows\System32\iEcvCtp.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\UBpkRjC.exe
  C:\Windows\System32\UBpkRjC.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System32\QebHZMm.exe
  C:\Windows\System32\QebHZMm.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System32\YJzMUNR.exe
  C:\Windows\System32\YJzMUNR.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System32\RBzEfBx.exe
  C:\Windows\System32\RBzEfBx.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\nCHuknr.exe
  C:\Windows\System32\nCHuknr.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\hARxyQU.exe
  C:\Windows\System32\hARxyQU.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System32\pmgRgEz.exe
  C:\Windows\System32\pmgRgEz.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System32\vdFIbyw.exe
  C:\Windows\System32\vdFIbyw.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System32\NjqplKu.exe
  C:\Windows\System32\NjqplKu.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System32\AVURZeD.exe
  C:\Windows\System32\AVURZeD.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\mVRJcaY.exe
  C:\Windows\System32\mVRJcaY.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\YCgsSOg.exe
  C:\Windows\System32\YCgsSOg.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System32\LIUTsem.exe
  C:\Windows\System32\LIUTsem.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\oCdKWir.exe
  C:\Windows\System32\oCdKWir.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System32\tazrtAB.exe
  C:\Windows\System32\tazrtAB.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\rWlArij.exe
  C:\Windows\System32\rWlArij.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System32\cxIWxGP.exe
  C:\Windows\System32\cxIWxGP.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System32\KTsokgw.exe
  C:\Windows\System32\KTsokgw.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\DvGOTBn.exe
  C:\Windows\System32\DvGOTBn.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System32\BJrlZRU.exe
  C:\Windows\System32\BJrlZRU.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\QYuMzMQ.exe
  C:\Windows\System32\QYuMzMQ.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System32\SUTHjqC.exe
  C:\Windows\System32\SUTHjqC.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System32\WhSAZvy.exe
  C:\Windows\System32\WhSAZvy.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System32\vczUYCv.exe
  C:\Windows\System32\vczUYCv.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\GhmYNiR.exe
  C:\Windows\System32\GhmYNiR.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\dAPmMTV.exe
  C:\Windows\System32\dAPmMTV.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System32\GkuPivc.exe
  C:\Windows\System32\GkuPivc.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System32\bcwZBDD.exe
  C:\Windows\System32\bcwZBDD.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System32\ipKJigp.exe
  C:\Windows\System32\ipKJigp.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System32\VubFfvW.exe
  C:\Windows\System32\VubFfvW.exe
  2⤵
  PID:3408
- C:\Windows\System32\VwmKCss.exe
  C:\Windows\System32\VwmKCss.exe
  2⤵
  PID:1900
- C:\Windows\System32\VkKjILx.exe
  C:\Windows\System32\VkKjILx.exe
  2⤵
  PID:1680
- C:\Windows\System32\haXhfmo.exe
  C:\Windows\System32\haXhfmo.exe
  2⤵
  PID:5088
- C:\Windows\System32\DvJEMjl.exe
  C:\Windows\System32\DvJEMjl.exe
  2⤵
  PID:1248
- C:\Windows\System32\FaWFWrQ.exe
  C:\Windows\System32\FaWFWrQ.exe
  2⤵
  PID:4976
- C:\Windows\System32\QXCwDwI.exe
  C:\Windows\System32\QXCwDwI.exe
  2⤵
  PID:3676
- C:\Windows\System32\CafkVhT.exe
  C:\Windows\System32\CafkVhT.exe
  2⤵
  PID:3824
- C:\Windows\System32\JVzlmHC.exe
  C:\Windows\System32\JVzlmHC.exe
  2⤵
  PID:4380
- C:\Windows\System32\wUuAuAQ.exe
  C:\Windows\System32\wUuAuAQ.exe
  2⤵
  PID:1048
- C:\Windows\System32\yZsuyhM.exe
  C:\Windows\System32\yZsuyhM.exe
  2⤵
  PID:4444
- C:\Windows\System32\oSXSUAW.exe
  C:\Windows\System32\oSXSUAW.exe
  2⤵
  PID:1936
- C:\Windows\System32\MzFmikT.exe
  C:\Windows\System32\MzFmikT.exe
  2⤵
  PID:2584
- C:\Windows\System32\kkoRqSO.exe
  C:\Windows\System32\kkoRqSO.exe
  2⤵
  PID:1368
- C:\Windows\System32\sGzYenX.exe
  C:\Windows\System32\sGzYenX.exe
  2⤵
  PID:3492
- C:\Windows\System32\ndzKYRr.exe
  C:\Windows\System32\ndzKYRr.exe
  2⤵
  PID:4292
- C:\Windows\System32\XloyFxx.exe
  C:\Windows\System32\XloyFxx.exe
  2⤵
  PID:3996
- C:\Windows\System32\GjxyNNf.exe
  C:\Windows\System32\GjxyNNf.exe
  2⤵
  PID:2800
- C:\Windows\System32\RUDvchj.exe
  C:\Windows\System32\RUDvchj.exe
  2⤵
  PID:3884
- C:\Windows\System32\eGgMavR.exe
  C:\Windows\System32\eGgMavR.exe
  2⤵
  PID:1292
- C:\Windows\System32\impNRxh.exe
  C:\Windows\System32\impNRxh.exe
  2⤵
  PID:764
- C:\Windows\System32\IcpXnLJ.exe
  C:\Windows\System32\IcpXnLJ.exe
  2⤵
  PID:4240
- C:\Windows\System32\hCqzrTr.exe
  C:\Windows\System32\hCqzrTr.exe
  2⤵
  PID:1408
- C:\Windows\System32\goNnwWC.exe
  C:\Windows\System32\goNnwWC.exe
  2⤵
  PID:5140
- C:\Windows\System32\lRQLgWS.exe
  C:\Windows\System32\lRQLgWS.exe
  2⤵
  PID:5168
- C:\Windows\System32\NUmOQUE.exe
  C:\Windows\System32\NUmOQUE.exe
  2⤵
  PID:5196
- C:\Windows\System32\bQZIMnM.exe
  C:\Windows\System32\bQZIMnM.exe
  2⤵
  PID:5224
- C:\Windows\System32\LRuFgNv.exe
  C:\Windows\System32\LRuFgNv.exe
  2⤵
  PID:5252
- C:\Windows\System32\abjMHKH.exe
  C:\Windows\System32\abjMHKH.exe
  2⤵
  PID:5280
- C:\Windows\System32\sSBEhCh.exe
  C:\Windows\System32\sSBEhCh.exe
  2⤵
  PID:5308
- C:\Windows\System32\bcnBaBN.exe
  C:\Windows\System32\bcnBaBN.exe
  2⤵
  PID:5332
- C:\Windows\System32\evYjUWo.exe
  C:\Windows\System32\evYjUWo.exe
  2⤵
  PID:5364
- C:\Windows\System32\GGzmEaE.exe
  C:\Windows\System32\GGzmEaE.exe
  2⤵
  PID:5392
- C:\Windows\System32\Bqohpbu.exe
  C:\Windows\System32\Bqohpbu.exe
  2⤵
  PID:5420
- C:\Windows\System32\lmHhnjf.exe
  C:\Windows\System32\lmHhnjf.exe
  2⤵
  PID:5448
- C:\Windows\System32\PDDGRfW.exe
  C:\Windows\System32\PDDGRfW.exe
  2⤵
  PID:5476
- C:\Windows\System32\ZgKVRXi.exe
  C:\Windows\System32\ZgKVRXi.exe
  2⤵
  PID:5504
- C:\Windows\System32\DTWzwha.exe
  C:\Windows\System32\DTWzwha.exe
  2⤵
  PID:5532
- C:\Windows\System32\LJFvWtl.exe
  C:\Windows\System32\LJFvWtl.exe
  2⤵
  PID:5564
- C:\Windows\System32\BqJEDCW.exe
  C:\Windows\System32\BqJEDCW.exe
  2⤵
  PID:5588
- C:\Windows\System32\XjAbQpN.exe
  C:\Windows\System32\XjAbQpN.exe
  2⤵
  PID:5616
- C:\Windows\System32\UhmNWEo.exe
  C:\Windows\System32\UhmNWEo.exe
  2⤵
  PID:5640
- C:\Windows\System32\pJHDudd.exe
  C:\Windows\System32\pJHDudd.exe
  2⤵
  PID:5672
- C:\Windows\System32\WaFvhnB.exe
  C:\Windows\System32\WaFvhnB.exe
  2⤵
  PID:5700
- C:\Windows\System32\DfqTRNJ.exe
  C:\Windows\System32\DfqTRNJ.exe
  2⤵
  PID:5728
- C:\Windows\System32\XaEdcto.exe
  C:\Windows\System32\XaEdcto.exe
  2⤵
  PID:5756
- C:\Windows\System32\ONhmPEb.exe
  C:\Windows\System32\ONhmPEb.exe
  2⤵
  PID:5784
- C:\Windows\System32\rfnznIW.exe
  C:\Windows\System32\rfnznIW.exe
  2⤵
  PID:5812
- C:\Windows\System32\VDRIZmw.exe
  C:\Windows\System32\VDRIZmw.exe
  2⤵
  PID:5840
- C:\Windows\System32\ZYZdFWe.exe
  C:\Windows\System32\ZYZdFWe.exe
  2⤵
  PID:5868
- C:\Windows\System32\wgGGxNX.exe
  C:\Windows\System32\wgGGxNX.exe
  2⤵
  PID:5896
- C:\Windows\System32\nKfIEXJ.exe
  C:\Windows\System32\nKfIEXJ.exe
  2⤵
  PID:5924
- C:\Windows\System32\afLCBZO.exe
  C:\Windows\System32\afLCBZO.exe
  2⤵
  PID:5952
- C:\Windows\System32\EEoSUrs.exe
  C:\Windows\System32\EEoSUrs.exe
  2⤵
  PID:5980
- C:\Windows\System32\CRcDZEW.exe
  C:\Windows\System32\CRcDZEW.exe
  2⤵
  PID:6008
- C:\Windows\System32\zOYjOhu.exe
  C:\Windows\System32\zOYjOhu.exe
  2⤵
  PID:6032
- C:\Windows\System32\oyBLHDo.exe
  C:\Windows\System32\oyBLHDo.exe
  2⤵
  PID:6064
- C:\Windows\System32\PINbnaA.exe
  C:\Windows\System32\PINbnaA.exe
  2⤵
  PID:6092
- C:\Windows\System32\LzrSPuA.exe
  C:\Windows\System32\LzrSPuA.exe
  2⤵
  PID:6120
- C:\Windows\System32\mzssfjy.exe
  C:\Windows\System32\mzssfjy.exe
  2⤵
  PID:3764
- C:\Windows\System32\VRBxapK.exe
  C:\Windows\System32\VRBxapK.exe
  2⤵
  PID:5124
- C:\Windows\System32\PIwVzxZ.exe
  C:\Windows\System32\PIwVzxZ.exe
  2⤵
  PID:5160
- C:\Windows\System32\wgbRWbD.exe
  C:\Windows\System32\wgbRWbD.exe
  2⤵
  PID:5184
- C:\Windows\System32\tlJGaMo.exe
  C:\Windows\System32\tlJGaMo.exe
  2⤵
  PID:5216
- C:\Windows\System32\PbUOgjO.exe
  C:\Windows\System32\PbUOgjO.exe
  2⤵
  PID:5232
- C:\Windows\System32\MqjpuDi.exe
  C:\Windows\System32\MqjpuDi.exe
  2⤵
  PID:5300
- C:\Windows\System32\LdczJdI.exe
  C:\Windows\System32\LdczJdI.exe
  2⤵
  PID:5328
- C:\Windows\System32\uNUfnNX.exe
  C:\Windows\System32\uNUfnNX.exe
  2⤵
  PID:5400
- C:\Windows\System32\ImKJiTA.exe
  C:\Windows\System32\ImKJiTA.exe
  2⤵
  PID:5580
- C:\Windows\System32\vKEhWtb.exe
  C:\Windows\System32\vKEhWtb.exe
  2⤵
  PID:5596
- C:\Windows\System32\SYxGGNS.exe
  C:\Windows\System32\SYxGGNS.exe
  2⤵
  PID:5636
- C:\Windows\System32\nZAWVvn.exe
  C:\Windows\System32\nZAWVvn.exe
  2⤵
  PID:5680
- C:\Windows\System32\XEiWRRg.exe
  C:\Windows\System32\XEiWRRg.exe
  2⤵
  PID:2036
- C:\Windows\System32\NwyYiuU.exe
  C:\Windows\System32\NwyYiuU.exe
  2⤵
  PID:2892
- C:\Windows\System32\mhgAqzM.exe
  C:\Windows\System32\mhgAqzM.exe
  2⤵
  PID:5876
- C:\Windows\System32\dNfCFyX.exe
  C:\Windows\System32\dNfCFyX.exe
  2⤵
  PID:5904
- C:\Windows\System32\iQWhqAG.exe
  C:\Windows\System32\iQWhqAG.exe
  2⤵
  PID:4388
- C:\Windows\System32\VKzfWmi.exe
  C:\Windows\System32\VKzfWmi.exe
  2⤵
  PID:3880
- C:\Windows\System32\MWDnRIt.exe
  C:\Windows\System32\MWDnRIt.exe
  2⤵
  PID:6016
- C:\Windows\System32\rwYqkuh.exe
  C:\Windows\System32\rwYqkuh.exe
  2⤵
  PID:6052
- C:\Windows\System32\XhyIePa.exe
  C:\Windows\System32\XhyIePa.exe
  2⤵
  PID:4584
- C:\Windows\System32\RYPilLx.exe
  C:\Windows\System32\RYPilLx.exe
  2⤵
  PID:3124
- C:\Windows\System32\VBsfHUH.exe
  C:\Windows\System32\VBsfHUH.exe
  2⤵
  PID:4904
- C:\Windows\System32\nRBiQmD.exe
  C:\Windows\System32\nRBiQmD.exe
  2⤵
  PID:5156
- C:\Windows\System32\naqiRnC.exe
  C:\Windows\System32\naqiRnC.exe
  2⤵
  PID:4892
- C:\Windows\System32\wrdETol.exe
  C:\Windows\System32\wrdETol.exe
  2⤵
  PID:5316
- C:\Windows\System32\eGAPYvv.exe
  C:\Windows\System32\eGAPYvv.exe
  2⤵
  PID:5428
- C:\Windows\System32\KpTDqfR.exe
  C:\Windows\System32\KpTDqfR.exe
  2⤵
  PID:5720
- C:\Windows\System32\KbPecHa.exe
  C:\Windows\System32\KbPecHa.exe
  2⤵
  PID:5104
- C:\Windows\System32\rkHQcxk.exe
  C:\Windows\System32\rkHQcxk.exe
  2⤵
  PID:4124
- C:\Windows\System32\cYOdokc.exe
  C:\Windows\System32\cYOdokc.exe
  2⤵
  PID:6024
- C:\Windows\System32\jyQvazq.exe
  C:\Windows\System32\jyQvazq.exe
  2⤵
  PID:6084
- C:\Windows\System32\oeNNOQl.exe
  C:\Windows\System32\oeNNOQl.exe
  2⤵
  PID:2500
- C:\Windows\System32\hfcxItP.exe
  C:\Windows\System32\hfcxItP.exe
  2⤵
  PID:1880
- C:\Windows\System32\iyhBhIE.exe
  C:\Windows\System32\iyhBhIE.exe
  2⤵
  PID:5548
- C:\Windows\System32\bUlYmIx.exe
  C:\Windows\System32\bUlYmIx.exe
  2⤵
  PID:4776
- C:\Windows\System32\tJuvgFo.exe
  C:\Windows\System32\tJuvgFo.exe
  2⤵
  PID:5340
- C:\Windows\System32\mbttauR.exe
  C:\Windows\System32\mbttauR.exe
  2⤵
  PID:5624
- C:\Windows\System32\aFFuNsD.exe
  C:\Windows\System32\aFFuNsD.exe
  2⤵
  PID:4468
- C:\Windows\System32\mgupQcF.exe
  C:\Windows\System32\mgupQcF.exe
  2⤵
  PID:1260
- C:\Windows\System32\DYMBJBA.exe
  C:\Windows\System32\DYMBJBA.exe
  2⤵
  PID:5736
- C:\Windows\System32\vezfrPB.exe
  C:\Windows\System32\vezfrPB.exe
  2⤵
  PID:6040
- C:\Windows\System32\RGRjuaV.exe
  C:\Windows\System32\RGRjuaV.exe
  2⤵
  PID:412
- C:\Windows\System32\ijJAPAP.exe
  C:\Windows\System32\ijJAPAP.exe
  2⤵
  PID:5604
- C:\Windows\System32\OajSrYp.exe
  C:\Windows\System32\OajSrYp.exe
  2⤵
  PID:3624
- C:\Windows\System32\yuiAxvG.exe
  C:\Windows\System32\yuiAxvG.exe
  2⤵
  PID:6148
- C:\Windows\System32\pawpctc.exe
  C:\Windows\System32\pawpctc.exe
  2⤵
  PID:6168
- C:\Windows\System32\HchsDaE.exe
  C:\Windows\System32\HchsDaE.exe
  2⤵
  PID:6204
- C:\Windows\System32\knTThgI.exe
  C:\Windows\System32\knTThgI.exe
  2⤵
  PID:6252
- C:\Windows\System32\lrpyppa.exe
  C:\Windows\System32\lrpyppa.exe
  2⤵
  PID:6272
- C:\Windows\System32\FPoKhLV.exe
  C:\Windows\System32\FPoKhLV.exe
  2⤵
  PID:6296
- C:\Windows\System32\IEpaRqw.exe
  C:\Windows\System32\IEpaRqw.exe
  2⤵
  PID:6332
- C:\Windows\System32\fBnSJYF.exe
  C:\Windows\System32\fBnSJYF.exe
  2⤵
  PID:6352
- C:\Windows\System32\nLSixco.exe
  C:\Windows\System32\nLSixco.exe
  2⤵
  PID:6380
- C:\Windows\System32\UQvaIDX.exe
  C:\Windows\System32\UQvaIDX.exe
  2⤵
  PID:6400
- C:\Windows\System32\WUXCFRD.exe
  C:\Windows\System32\WUXCFRD.exe
  2⤵
  PID:6424
- C:\Windows\System32\QLRvoVK.exe
  C:\Windows\System32\QLRvoVK.exe
  2⤵
  PID:6488
- C:\Windows\System32\CwacQDE.exe
  C:\Windows\System32\CwacQDE.exe
  2⤵
  PID:6512
- C:\Windows\System32\ncPtXpk.exe
  C:\Windows\System32\ncPtXpk.exe
  2⤵
  PID:6528
- C:\Windows\System32\wZhcFfa.exe
  C:\Windows\System32\wZhcFfa.exe
  2⤵
  PID:6552
- C:\Windows\System32\RQdAghC.exe
  C:\Windows\System32\RQdAghC.exe
  2⤵
  PID:6580
- C:\Windows\System32\OoEJVJO.exe
  C:\Windows\System32\OoEJVJO.exe
  2⤵
  PID:6600
- C:\Windows\System32\RraCBBT.exe
  C:\Windows\System32\RraCBBT.exe
  2⤵
  PID:6636
- C:\Windows\System32\qwvfuZW.exe
  C:\Windows\System32\qwvfuZW.exe
  2⤵
  PID:6652
- C:\Windows\System32\CDjThjV.exe
  C:\Windows\System32\CDjThjV.exe
  2⤵
  PID:6680
- C:\Windows\System32\bYsomJd.exe
  C:\Windows\System32\bYsomJd.exe
  2⤵
  PID:6712
- C:\Windows\System32\lcQNFxx.exe
  C:\Windows\System32\lcQNFxx.exe
  2⤵
  PID:6736
- C:\Windows\System32\aLPRzkP.exe
  C:\Windows\System32\aLPRzkP.exe
  2⤵
  PID:6752
- C:\Windows\System32\FkhgnhB.exe
  C:\Windows\System32\FkhgnhB.exe
  2⤵
  PID:6812
- C:\Windows\System32\kuLNzaC.exe
  C:\Windows\System32\kuLNzaC.exe
  2⤵
  PID:6832
- C:\Windows\System32\Hvdxfqg.exe
  C:\Windows\System32\Hvdxfqg.exe
  2⤵
  PID:6856
- C:\Windows\System32\rcKrgBy.exe
  C:\Windows\System32\rcKrgBy.exe
  2⤵
  PID:6876
- C:\Windows\System32\oiOhAwc.exe
  C:\Windows\System32\oiOhAwc.exe
  2⤵
  PID:6900
- C:\Windows\System32\gGnCMBG.exe
  C:\Windows\System32\gGnCMBG.exe
  2⤵
  PID:6916
- C:\Windows\System32\oUdQAAb.exe
  C:\Windows\System32\oUdQAAb.exe
  2⤵
  PID:6948
- C:\Windows\System32\mQIIFJU.exe
  C:\Windows\System32\mQIIFJU.exe
  2⤵
  PID:6964
- C:\Windows\System32\SjXbWBK.exe
  C:\Windows\System32\SjXbWBK.exe
  2⤵
  PID:7040
- C:\Windows\System32\MSoCWTo.exe
  C:\Windows\System32\MSoCWTo.exe
  2⤵
  PID:7060
- C:\Windows\System32\fvPybcB.exe
  C:\Windows\System32\fvPybcB.exe
  2⤵
  PID:7084
- C:\Windows\System32\qrzygSD.exe
  C:\Windows\System32\qrzygSD.exe
  2⤵
  PID:7104
- C:\Windows\System32\OzzOSOR.exe
  C:\Windows\System32\OzzOSOR.exe
  2⤵
  PID:7124
- C:\Windows\System32\PTUCNDP.exe
  C:\Windows\System32\PTUCNDP.exe
  2⤵
  PID:7156
- C:\Windows\System32\xOUjSqr.exe
  C:\Windows\System32\xOUjSqr.exe
  2⤵
  PID:6164
- C:\Windows\System32\uCMsxRh.exe
  C:\Windows\System32\uCMsxRh.exe
  2⤵
  PID:6196
- C:\Windows\System32\fTaXyDS.exe
  C:\Windows\System32\fTaXyDS.exe
  2⤵
  PID:6264
- C:\Windows\System32\OukVpJn.exe
  C:\Windows\System32\OukVpJn.exe
  2⤵
  PID:6312
- C:\Windows\System32\gMsZZis.exe
  C:\Windows\System32\gMsZZis.exe
  2⤵
  PID:6340
- C:\Windows\System32\cNoMMTA.exe
  C:\Windows\System32\cNoMMTA.exe
  2⤵
  PID:6392
- C:\Windows\System32\urBGBZV.exe
  C:\Windows\System32\urBGBZV.exe
  2⤵
  PID:6456
- C:\Windows\System32\AtHalCl.exe
  C:\Windows\System32\AtHalCl.exe
  2⤵
  PID:6508
- C:\Windows\System32\XdIAihG.exe
  C:\Windows\System32\XdIAihG.exe
  2⤵
  PID:6540
- C:\Windows\System32\BLnKFAx.exe
  C:\Windows\System32\BLnKFAx.exe
  2⤵
  PID:6612
- C:\Windows\System32\slDpjzF.exe
  C:\Windows\System32\slDpjzF.exe
  2⤵
  PID:6592
- C:\Windows\System32\bRrWAGp.exe
  C:\Windows\System32\bRrWAGp.exe
  2⤵
  PID:6676
- C:\Windows\System32\LVzBhNt.exe
  C:\Windows\System32\LVzBhNt.exe
  2⤵
  PID:6704
- C:\Windows\System32\nYsRzuz.exe
  C:\Windows\System32\nYsRzuz.exe
  2⤵
  PID:6796
- C:\Windows\System32\trCMhOR.exe
  C:\Windows\System32\trCMhOR.exe
  2⤵
  PID:6872
- C:\Windows\System32\BeImgBl.exe
  C:\Windows\System32\BeImgBl.exe
  2⤵
  PID:7076
- C:\Windows\System32\BogmXgb.exe
  C:\Windows\System32\BogmXgb.exe
  2⤵
  PID:7004
- C:\Windows\System32\tTILVxX.exe
  C:\Windows\System32\tTILVxX.exe
  2⤵
  PID:5176
- C:\Windows\System32\RYixWaO.exe
  C:\Windows\System32\RYixWaO.exe
  2⤵
  PID:6524
- C:\Windows\System32\WGxfjsV.exe
  C:\Windows\System32\WGxfjsV.exe
  2⤵
  PID:6972
- C:\Windows\System32\xXqRPWc.exe
  C:\Windows\System32\xXqRPWc.exe
  2⤵
  PID:6660
- C:\Windows\System32\QNvARXj.exe
  C:\Windows\System32\QNvARXj.exe
  2⤵
  PID:6808
- C:\Windows\System32\rpyAhTu.exe
  C:\Windows\System32\rpyAhTu.exe
  2⤵
  PID:5056
- C:\Windows\System32\nMYMYyP.exe
  C:\Windows\System32\nMYMYyP.exe
  2⤵
  PID:6576
- C:\Windows\System32\LSdooNM.exe
  C:\Windows\System32\LSdooNM.exe
  2⤵
  PID:7096
- C:\Windows\System32\ctxWbKJ.exe
  C:\Windows\System32\ctxWbKJ.exe
  2⤵
  PID:6176
- C:\Windows\System32\QhoOFUk.exe
  C:\Windows\System32\QhoOFUk.exe
  2⤵
  PID:6788
- C:\Windows\System32\aUiSnpi.exe
  C:\Windows\System32\aUiSnpi.exe
  2⤵
  PID:7188
- C:\Windows\System32\IcVOykn.exe
  C:\Windows\System32\IcVOykn.exe
  2⤵
  PID:7212
- C:\Windows\System32\IWuLLHO.exe
  C:\Windows\System32\IWuLLHO.exe
  2⤵
  PID:7268
- C:\Windows\System32\fNDGxPx.exe
  C:\Windows\System32\fNDGxPx.exe
  2⤵
  PID:7288
- C:\Windows\System32\uESjlvM.exe
  C:\Windows\System32\uESjlvM.exe
  2⤵
  PID:7328
- C:\Windows\System32\soTqNci.exe
  C:\Windows\System32\soTqNci.exe
  2⤵
  PID:7348
- C:\Windows\System32\siXwwEK.exe
  C:\Windows\System32\siXwwEK.exe
  2⤵
  PID:7376
- C:\Windows\System32\xRFmwDc.exe
  C:\Windows\System32\xRFmwDc.exe
  2⤵
  PID:7408
- C:\Windows\System32\vorqJeT.exe
  C:\Windows\System32\vorqJeT.exe
  2⤵
  PID:7428
- C:\Windows\System32\hOvhzCx.exe
  C:\Windows\System32\hOvhzCx.exe
  2⤵
  PID:7448
- C:\Windows\System32\FQgZdwA.exe
  C:\Windows\System32\FQgZdwA.exe
  2⤵
  PID:7468
- C:\Windows\System32\smivKxz.exe
  C:\Windows\System32\smivKxz.exe
  2⤵
  PID:7484
- C:\Windows\System32\skyyRhk.exe
  C:\Windows\System32\skyyRhk.exe
  2⤵
  PID:7512
- C:\Windows\System32\QnDArwI.exe
  C:\Windows\System32\QnDArwI.exe
  2⤵
  PID:7540
- C:\Windows\System32\DKOcsXP.exe
  C:\Windows\System32\DKOcsXP.exe
  2⤵
  PID:7568
- C:\Windows\System32\jtxeYJj.exe
  C:\Windows\System32\jtxeYJj.exe
  2⤵
  PID:7616
- C:\Windows\System32\fKumMYy.exe
  C:\Windows\System32\fKumMYy.exe
  2⤵
  PID:7636
- C:\Windows\System32\muFOnQP.exe
  C:\Windows\System32\muFOnQP.exe
  2⤵
  PID:7656
- C:\Windows\System32\SlXwQRe.exe
  C:\Windows\System32\SlXwQRe.exe
  2⤵
  PID:7680
- C:\Windows\System32\BXvkIJJ.exe
  C:\Windows\System32\BXvkIJJ.exe
  2⤵
  PID:7712
- C:\Windows\System32\kkhHQiE.exe
  C:\Windows\System32\kkhHQiE.exe
  2⤵
  PID:7736
- C:\Windows\System32\yEGKWJr.exe
  C:\Windows\System32\yEGKWJr.exe
  2⤵
  PID:7800
- C:\Windows\System32\ajYMwUw.exe
  C:\Windows\System32\ajYMwUw.exe
  2⤵
  PID:7824
- C:\Windows\System32\LJUbQoL.exe
  C:\Windows\System32\LJUbQoL.exe
  2⤵
  PID:7844
- C:\Windows\System32\njCVIIf.exe
  C:\Windows\System32\njCVIIf.exe
  2⤵
  PID:7864
- C:\Windows\System32\GraCFPJ.exe
  C:\Windows\System32\GraCFPJ.exe
  2⤵
  PID:7904
- C:\Windows\System32\rHJvUTP.exe
  C:\Windows\System32\rHJvUTP.exe
  2⤵
  PID:7920
- C:\Windows\System32\JswHqnV.exe
  C:\Windows\System32\JswHqnV.exe
  2⤵
  PID:7956
- C:\Windows\System32\GCXHvrU.exe
  C:\Windows\System32\GCXHvrU.exe
  2⤵
  PID:8000
- C:\Windows\System32\zcuDLYM.exe
  C:\Windows\System32\zcuDLYM.exe
  2⤵
  PID:8028
- C:\Windows\System32\jazEJHe.exe
  C:\Windows\System32\jazEJHe.exe
  2⤵
  PID:8060
- C:\Windows\System32\pBYNBuW.exe
  C:\Windows\System32\pBYNBuW.exe
  2⤵
  PID:8080
- C:\Windows\System32\UlJTjvO.exe
  C:\Windows\System32\UlJTjvO.exe
  2⤵
  PID:8096
- C:\Windows\System32\vuCCHdb.exe
  C:\Windows\System32\vuCCHdb.exe
  2⤵
  PID:8116
- C:\Windows\System32\bNlvNzb.exe
  C:\Windows\System32\bNlvNzb.exe
  2⤵
  PID:8152
- C:\Windows\System32\cgmmyJa.exe
  C:\Windows\System32\cgmmyJa.exe
  2⤵
  PID:8172
- C:\Windows\System32\sHixuyy.exe
  C:\Windows\System32\sHixuyy.exe
  2⤵
  PID:7172
- C:\Windows\System32\qGKTqCX.exe
  C:\Windows\System32\qGKTqCX.exe
  2⤵
  PID:7204
- C:\Windows\System32\ToWJmZG.exe
  C:\Windows\System32\ToWJmZG.exe
  2⤵
  PID:7296
- C:\Windows\System32\zajfflx.exe
  C:\Windows\System32\zajfflx.exe
  2⤵
  PID:7368
- C:\Windows\System32\KSUipyf.exe
  C:\Windows\System32\KSUipyf.exe
  2⤵
  PID:7436
- C:\Windows\System32\VAfVMsj.exe
  C:\Windows\System32\VAfVMsj.exe
  2⤵
  PID:7464
- C:\Windows\System32\pHnTDpR.exe
  C:\Windows\System32\pHnTDpR.exe
  2⤵
  PID:7564
- C:\Windows\System32\HbAdxvY.exe
  C:\Windows\System32\HbAdxvY.exe
  2⤵
  PID:7632
- C:\Windows\System32\EuVkOuo.exe
  C:\Windows\System32\EuVkOuo.exe
  2⤵
  PID:7692
- C:\Windows\System32\gnAFURg.exe
  C:\Windows\System32\gnAFURg.exe
  2⤵
  PID:7840
- C:\Windows\System32\PjDzAtH.exe
  C:\Windows\System32\PjDzAtH.exe
  2⤵
  PID:7872
- C:\Windows\System32\SabRvzH.exe
  C:\Windows\System32\SabRvzH.exe
  2⤵
  PID:7912
- C:\Windows\System32\qYjhoKE.exe
  C:\Windows\System32\qYjhoKE.exe
  2⤵
  PID:8008
- C:\Windows\System32\wMzYZSM.exe
  C:\Windows\System32\wMzYZSM.exe
  2⤵
  PID:8104
- C:\Windows\System32\bVJMazQ.exe
  C:\Windows\System32\bVJMazQ.exe
  2⤵
  PID:8108
- C:\Windows\System32\ECuKQch.exe
  C:\Windows\System32\ECuKQch.exe
  2⤵
  PID:6408
- C:\Windows\System32\WuhjSXS.exe
  C:\Windows\System32\WuhjSXS.exe
  2⤵
  PID:7256
- C:\Windows\System32\YVVfzfA.exe
  C:\Windows\System32\YVVfzfA.exe
  2⤵
  PID:7300
- C:\Windows\System32\dHXAYfz.exe
  C:\Windows\System32\dHXAYfz.exe
  2⤵
  PID:7676
- C:\Windows\System32\BLLUCcE.exe
  C:\Windows\System32\BLLUCcE.exe
  2⤵
  PID:7836
- C:\Windows\System32\Iikccei.exe
  C:\Windows\System32\Iikccei.exe
  2⤵
  PID:7884
- C:\Windows\System32\ORCkhfF.exe
  C:\Windows\System32\ORCkhfF.exe
  2⤵
  PID:7984
- C:\Windows\System32\vSVVLgc.exe
  C:\Windows\System32\vSVVLgc.exe
  2⤵
  PID:8092
- C:\Windows\System32\WLGVlBe.exe
  C:\Windows\System32\WLGVlBe.exe
  2⤵
  PID:7280
- C:\Windows\System32\TFLiTeB.exe
  C:\Windows\System32\TFLiTeB.exe
  2⤵
  PID:7888
- C:\Windows\System32\advBFyC.exe
  C:\Windows\System32\advBFyC.exe
  2⤵
  PID:8188
- C:\Windows\System32\gGUbnon.exe
  C:\Windows\System32\gGUbnon.exe
  2⤵
  PID:7936
- C:\Windows\System32\ffbuufS.exe
  C:\Windows\System32\ffbuufS.exe
  2⤵
  PID:8208
- C:\Windows\System32\DBBeZgi.exe
  C:\Windows\System32\DBBeZgi.exe
  2⤵
  PID:8248
- C:\Windows\System32\llRRVak.exe
  C:\Windows\System32\llRRVak.exe
  2⤵
  PID:8276
- C:\Windows\System32\mIcqeNy.exe
  C:\Windows\System32\mIcqeNy.exe
  2⤵
  PID:8304
- C:\Windows\System32\IESXVtS.exe
  C:\Windows\System32\IESXVtS.exe
  2⤵
  PID:8320
- C:\Windows\System32\wotZjzM.exe
  C:\Windows\System32\wotZjzM.exe
  2⤵
  PID:8344
- C:\Windows\System32\XmkOAXq.exe
  C:\Windows\System32\XmkOAXq.exe
  2⤵
  PID:8360
- C:\Windows\System32\utLYjZu.exe
  C:\Windows\System32\utLYjZu.exe
  2⤵
  PID:8380
- C:\Windows\System32\buBCgjb.exe
  C:\Windows\System32\buBCgjb.exe
  2⤵
  PID:8400
- C:\Windows\System32\ZbzdJTs.exe
  C:\Windows\System32\ZbzdJTs.exe
  2⤵
  PID:8424
- C:\Windows\System32\ZBufmrl.exe
  C:\Windows\System32\ZBufmrl.exe
  2⤵
  PID:8496
- C:\Windows\System32\wpuUGNg.exe
  C:\Windows\System32\wpuUGNg.exe
  2⤵
  PID:8520
- C:\Windows\System32\uCGhYgV.exe
  C:\Windows\System32\uCGhYgV.exe
  2⤵
  PID:8536
- C:\Windows\System32\yYvBoQa.exe
  C:\Windows\System32\yYvBoQa.exe
  2⤵
  PID:8564
- C:\Windows\System32\iFQTRUA.exe
  C:\Windows\System32\iFQTRUA.exe
  2⤵
  PID:8592
- C:\Windows\System32\IxVXDoB.exe
  C:\Windows\System32\IxVXDoB.exe
  2⤵
  PID:8640
- C:\Windows\System32\tqiYBiq.exe
  C:\Windows\System32\tqiYBiq.exe
  2⤵
  PID:8676
- C:\Windows\System32\GCyVWKX.exe
  C:\Windows\System32\GCyVWKX.exe
  2⤵
  PID:8696
- C:\Windows\System32\sxKwajg.exe
  C:\Windows\System32\sxKwajg.exe
  2⤵
  PID:8724
- C:\Windows\System32\qiFBMzM.exe
  C:\Windows\System32\qiFBMzM.exe
  2⤵
  PID:8764
- C:\Windows\System32\XRnbHWN.exe
  C:\Windows\System32\XRnbHWN.exe
  2⤵
  PID:8780
- C:\Windows\System32\tPyDvhr.exe
  C:\Windows\System32\tPyDvhr.exe
  2⤵
  PID:8796
- C:\Windows\System32\HrxsZWU.exe
  C:\Windows\System32\HrxsZWU.exe
  2⤵
  PID:8844
- C:\Windows\System32\fUkNgHy.exe
  C:\Windows\System32\fUkNgHy.exe
  2⤵
  PID:8896
- C:\Windows\System32\pRUanhx.exe
  C:\Windows\System32\pRUanhx.exe
  2⤵
  PID:8916
- C:\Windows\System32\QKVjKaQ.exe
  C:\Windows\System32\QKVjKaQ.exe
  2⤵
  PID:8932
- C:\Windows\System32\qtaKzsk.exe
  C:\Windows\System32\qtaKzsk.exe
  2⤵
  PID:8960
- C:\Windows\System32\omqnmfY.exe
  C:\Windows\System32\omqnmfY.exe
  2⤵
  PID:8996
- C:\Windows\System32\JniYtbz.exe
  C:\Windows\System32\JniYtbz.exe
  2⤵
  PID:9016
- C:\Windows\System32\YOgNeHN.exe
  C:\Windows\System32\YOgNeHN.exe
  2⤵
  PID:9036
- C:\Windows\System32\NjcjNZX.exe
  C:\Windows\System32\NjcjNZX.exe
  2⤵
  PID:9060
- C:\Windows\System32\XxCGpMV.exe
  C:\Windows\System32\XxCGpMV.exe
  2⤵
  PID:9092
- C:\Windows\System32\zTDPCle.exe
  C:\Windows\System32\zTDPCle.exe
  2⤵
  PID:9124
- C:\Windows\System32\faOvPve.exe
  C:\Windows\System32\faOvPve.exe
  2⤵
  PID:9160
- C:\Windows\System32\VPvUwte.exe
  C:\Windows\System32\VPvUwte.exe
  2⤵
  PID:9192
- C:\Windows\System32\gTjwZuJ.exe
  C:\Windows\System32\gTjwZuJ.exe
  2⤵
  PID:9212
- C:\Windows\System32\wNhFSfc.exe
  C:\Windows\System32\wNhFSfc.exe
  2⤵
  PID:8224
- C:\Windows\System32\GHFuBCI.exe
  C:\Windows\System32\GHFuBCI.exe
  2⤵
  PID:8268
- C:\Windows\System32\TxRYnIr.exe
  C:\Windows\System32\TxRYnIr.exe
  2⤵
  PID:8284
- C:\Windows\System32\GJAljEJ.exe
  C:\Windows\System32\GJAljEJ.exe
  2⤵
  PID:8388
- C:\Windows\System32\XIxPTVX.exe
  C:\Windows\System32\XIxPTVX.exe
  2⤵
  PID:8460
- C:\Windows\System32\LXjuJnU.exe
  C:\Windows\System32\LXjuJnU.exe
  2⤵
  PID:8484
- C:\Windows\System32\jeuEfOy.exe
  C:\Windows\System32\jeuEfOy.exe
  2⤵
  PID:8544
- C:\Windows\System32\WmwPXVc.exe
  C:\Windows\System32\WmwPXVc.exe
  2⤵
  PID:8600
- C:\Windows\System32\WoROmgY.exe
  C:\Windows\System32\WoROmgY.exe
  2⤵
  PID:8772
- C:\Windows\System32\wsIzQAi.exe
  C:\Windows\System32\wsIzQAi.exe
  2⤵
  PID:9104
- C:\Windows\System32\BOeHLOl.exe
  C:\Windows\System32\BOeHLOl.exe
  2⤵
  PID:9208
- C:\Windows\System32\jErIDRh.exe
  C:\Windows\System32\jErIDRh.exe
  2⤵
  PID:8132
- C:\Windows\System32\oHFyiGQ.exe
  C:\Windows\System32\oHFyiGQ.exe
  2⤵
  PID:8328
- C:\Windows\System32\eAVYNCD.exe
  C:\Windows\System32\eAVYNCD.exe
  2⤵
  PID:8452
- C:\Windows\System32\AlihKWz.exe
  C:\Windows\System32\AlihKWz.exe
  2⤵
  PID:8740
- C:\Windows\System32\PpfgnxZ.exe
  C:\Windows\System32\PpfgnxZ.exe
  2⤵
  PID:8584
- C:\Windows\System32\sHeqbVq.exe
  C:\Windows\System32\sHeqbVq.exe
  2⤵
  PID:8976
- C:\Windows\System32\fJUyDTG.exe
  C:\Windows\System32\fJUyDTG.exe
  2⤵
  PID:8836
- C:\Windows\System32\DieVujg.exe
  C:\Windows\System32\DieVujg.exe
  2⤵
  PID:9076
- C:\Windows\System32\wdRByIn.exe
  C:\Windows\System32\wdRByIn.exe
  2⤵
  PID:9132
- C:\Windows\System32\ddawgYR.exe
  C:\Windows\System32\ddawgYR.exe
  2⤵
  PID:8528
- C:\Windows\System32\XkevhQl.exe
  C:\Windows\System32\XkevhQl.exe
  2⤵
  PID:8880
- C:\Windows\System32\tKNQrLg.exe
  C:\Windows\System32\tKNQrLg.exe
  2⤵
  PID:9204
- C:\Windows\System32\racKhuQ.exe
  C:\Windows\System32\racKhuQ.exe
  2⤵
  PID:9140
- C:\Windows\System32\HMWJOqS.exe
  C:\Windows\System32\HMWJOqS.exe
  2⤵
  PID:9172
- C:\Windows\System32\XbzscpS.exe
  C:\Windows\System32\XbzscpS.exe
  2⤵
  PID:9236
- C:\Windows\System32\YBSTMxr.exe
  C:\Windows\System32\YBSTMxr.exe
  2⤵
  PID:9268
- C:\Windows\System32\jDFTrRj.exe
  C:\Windows\System32\jDFTrRj.exe
  2⤵
  PID:9296
- C:\Windows\System32\KhyGcuz.exe
  C:\Windows\System32\KhyGcuz.exe
  2⤵
  PID:9332
- C:\Windows\System32\XaoJEGs.exe
  C:\Windows\System32\XaoJEGs.exe
  2⤵
  PID:9360
- C:\Windows\System32\QqcPUsu.exe
  C:\Windows\System32\QqcPUsu.exe
  2⤵
  PID:9376
- C:\Windows\System32\zynpSJe.exe
  C:\Windows\System32\zynpSJe.exe
  2⤵
  PID:9404
- C:\Windows\System32\fFovVft.exe
  C:\Windows\System32\fFovVft.exe
  2⤵
  PID:9452
- C:\Windows\System32\qgUTzQs.exe
  C:\Windows\System32\qgUTzQs.exe
  2⤵
  PID:9468
- C:\Windows\System32\nHtoZHu.exe
  C:\Windows\System32\nHtoZHu.exe
  2⤵
  PID:9504
- C:\Windows\System32\OXXDVaj.exe
  C:\Windows\System32\OXXDVaj.exe
  2⤵
  PID:9528
- C:\Windows\System32\xCZybtN.exe
  C:\Windows\System32\xCZybtN.exe
  2⤵
  PID:9544
- C:\Windows\System32\aHhGyjl.exe
  C:\Windows\System32\aHhGyjl.exe
  2⤵
  PID:9588
- C:\Windows\System32\zCgcdNd.exe
  C:\Windows\System32\zCgcdNd.exe
  2⤵
  PID:9612
- C:\Windows\System32\XVRguEH.exe
  C:\Windows\System32\XVRguEH.exe
  2⤵
  PID:9636
- C:\Windows\System32\SkBxXfQ.exe
  C:\Windows\System32\SkBxXfQ.exe
  2⤵
  PID:9664
- C:\Windows\System32\Ezlkasj.exe
  C:\Windows\System32\Ezlkasj.exe
  2⤵
  PID:9684
- C:\Windows\System32\TUyLJSr.exe
  C:\Windows\System32\TUyLJSr.exe
  2⤵
  PID:9704
- C:\Windows\System32\rBMNycc.exe
  C:\Windows\System32\rBMNycc.exe
  2⤵
  PID:9744
- C:\Windows\System32\bLdrZit.exe
  C:\Windows\System32\bLdrZit.exe
  2⤵
  PID:9768
- C:\Windows\System32\QbKiBgF.exe
  C:\Windows\System32\QbKiBgF.exe
  2⤵
  PID:9812
- C:\Windows\System32\wGTQFhO.exe
  C:\Windows\System32\wGTQFhO.exe
  2⤵
  PID:9836
- C:\Windows\System32\nOvHSeG.exe
  C:\Windows\System32\nOvHSeG.exe
  2⤵
  PID:9864
- C:\Windows\System32\rIuRiTb.exe
  C:\Windows\System32\rIuRiTb.exe
  2⤵
  PID:9880
- C:\Windows\System32\RuhIlul.exe
  C:\Windows\System32\RuhIlul.exe
  2⤵
  PID:9900
- C:\Windows\System32\EONjOFE.exe
  C:\Windows\System32\EONjOFE.exe
  2⤵
  PID:9916
- C:\Windows\System32\PiQcpGx.exe
  C:\Windows\System32\PiQcpGx.exe
  2⤵
  PID:9952
- C:\Windows\System32\vdFuEYN.exe
  C:\Windows\System32\vdFuEYN.exe
  2⤵
  PID:9980
- C:\Windows\System32\TrmcjMv.exe
  C:\Windows\System32\TrmcjMv.exe
  2⤵
  PID:9996
- C:\Windows\System32\owkklgv.exe
  C:\Windows\System32\owkklgv.exe
  2⤵
  PID:10028
- C:\Windows\System32\mcbgawQ.exe
  C:\Windows\System32\mcbgawQ.exe
  2⤵
  PID:10068
- C:\Windows\System32\vYbLLOv.exe
  C:\Windows\System32\vYbLLOv.exe
  2⤵
  PID:10088
- C:\Windows\System32\ONaXKgG.exe
  C:\Windows\System32\ONaXKgG.exe
  2⤵
  PID:10132
- C:\Windows\System32\XGYrFwS.exe
  C:\Windows\System32\XGYrFwS.exe
  2⤵
  PID:10180
- C:\Windows\System32\cWLPZGK.exe
  C:\Windows\System32\cWLPZGK.exe
  2⤵
  PID:10204
- C:\Windows\System32\eQvjiqt.exe
  C:\Windows\System32\eQvjiqt.exe
  2⤵
  PID:10224
- C:\Windows\System32\QxixcbK.exe
  C:\Windows\System32\QxixcbK.exe
  2⤵
  PID:8904
- C:\Windows\System32\ZmjStVf.exe
  C:\Windows\System32\ZmjStVf.exe
  2⤵
  PID:9276
- C:\Windows\System32\awzWGjG.exe
  C:\Windows\System32\awzWGjG.exe
  2⤵
  PID:9328
- C:\Windows\System32\WBqKCpo.exe
  C:\Windows\System32\WBqKCpo.exe
  2⤵
  PID:9344
- C:\Windows\System32\MbaGugR.exe
  C:\Windows\System32\MbaGugR.exe
  2⤵
  PID:9416
- C:\Windows\System32\xnpxjfu.exe
  C:\Windows\System32\xnpxjfu.exe
  2⤵
  PID:9496
- C:\Windows\System32\Pvxfzjw.exe
  C:\Windows\System32\Pvxfzjw.exe
  2⤵
  PID:9596
- C:\Windows\System32\PiQwJKs.exe
  C:\Windows\System32\PiQwJKs.exe
  2⤵
  PID:9644
- C:\Windows\System32\KmdcCfX.exe
  C:\Windows\System32\KmdcCfX.exe
  2⤵
  PID:9720
- C:\Windows\System32\AireWzb.exe
  C:\Windows\System32\AireWzb.exe
  2⤵
  PID:9756
- C:\Windows\System32\zDuHezb.exe
  C:\Windows\System32\zDuHezb.exe
  2⤵
  PID:9844
- C:\Windows\System32\jyWqmJu.exe
  C:\Windows\System32\jyWqmJu.exe
  2⤵
  PID:9932
- C:\Windows\System32\IRFDNoD.exe
  C:\Windows\System32\IRFDNoD.exe
  2⤵
  PID:9964
- C:\Windows\System32\rXkxAwa.exe
  C:\Windows\System32\rXkxAwa.exe
  2⤵
  PID:10040
- C:\Windows\System32\dkZWaVV.exe
  C:\Windows\System32\dkZWaVV.exe
  2⤵
  PID:10148
- C:\Windows\System32\ardnrSZ.exe
  C:\Windows\System32\ardnrSZ.exe
  2⤵
  PID:10192
- C:\Windows\System32\UyaFVOE.exe
  C:\Windows\System32\UyaFVOE.exe
  2⤵
  PID:9252
- C:\Windows\System32\NnQtLeo.exe
  C:\Windows\System32\NnQtLeo.exe
  2⤵
  PID:9356
- C:\Windows\System32\cJqMKNI.exe
  C:\Windows\System32\cJqMKNI.exe
  2⤵
  PID:9464
- C:\Windows\System32\ThoBSpN.exe
  C:\Windows\System32\ThoBSpN.exe
  2⤵
  PID:9576
- C:\Windows\System32\srvhqdO.exe
  C:\Windows\System32\srvhqdO.exe
  2⤵
  PID:9788
- C:\Windows\System32\WrZYyAo.exe
  C:\Windows\System32\WrZYyAo.exe
  2⤵
  PID:9856
- C:\Windows\System32\ccVLlIJ.exe
  C:\Windows\System32\ccVLlIJ.exe
  2⤵
  PID:9992
- C:\Windows\System32\KShAUBt.exe
  C:\Windows\System32\KShAUBt.exe
  2⤵
  PID:10188
- C:\Windows\System32\tzLVHls.exe
  C:\Windows\System32\tzLVHls.exe
  2⤵
  PID:9368
- C:\Windows\System32\vsbwdLg.exe
  C:\Windows\System32\vsbwdLg.exe
  2⤵
  PID:9912
- C:\Windows\System32\eeovUSn.exe
  C:\Windows\System32\eeovUSn.exe
  2⤵
  PID:9804
- C:\Windows\System32\VKgIWLI.exe
  C:\Windows\System32\VKgIWLI.exe
  2⤵
  PID:10256
- C:\Windows\System32\LvsXHAV.exe
  C:\Windows\System32\LvsXHAV.exe
  2⤵
  PID:10276
- C:\Windows\System32\jDuagtM.exe
  C:\Windows\System32\jDuagtM.exe
  2⤵
  PID:10320
- C:\Windows\System32\HLuCXag.exe
  C:\Windows\System32\HLuCXag.exe
  2⤵
  PID:10348
- C:\Windows\System32\xuCwcwr.exe
  C:\Windows\System32\xuCwcwr.exe
  2⤵
  PID:10376
- C:\Windows\System32\RWFPKzP.exe
  C:\Windows\System32\RWFPKzP.exe
  2⤵
  PID:10392
- C:\Windows\System32\VqWQnul.exe
  C:\Windows\System32\VqWQnul.exe
  2⤵
  PID:10420
- C:\Windows\System32\AnUylmB.exe
  C:\Windows\System32\AnUylmB.exe
  2⤵
  PID:10444
- C:\Windows\System32\AvpWZBJ.exe
  C:\Windows\System32\AvpWZBJ.exe
  2⤵
  PID:10460
- C:\Windows\System32\MIprqbH.exe
  C:\Windows\System32\MIprqbH.exe
  2⤵
  PID:10492
- C:\Windows\System32\yzwhHBQ.exe
  C:\Windows\System32\yzwhHBQ.exe
  2⤵
  PID:10516
- C:\Windows\System32\AqRlIOt.exe
  C:\Windows\System32\AqRlIOt.exe
  2⤵
  PID:10560
- C:\Windows\System32\IVTbwlq.exe
  C:\Windows\System32\IVTbwlq.exe
  2⤵
  PID:10604
- C:\Windows\System32\cljJSEE.exe
  C:\Windows\System32\cljJSEE.exe
  2⤵
  PID:10628
- C:\Windows\System32\rkxvcqC.exe
  C:\Windows\System32\rkxvcqC.exe
  2⤵
  PID:10648
- C:\Windows\System32\aBNJzJB.exe
  C:\Windows\System32\aBNJzJB.exe
  2⤵
  PID:10672
- C:\Windows\System32\JLsVFKg.exe
  C:\Windows\System32\JLsVFKg.exe
  2⤵
  PID:10704
- C:\Windows\System32\GCEEefs.exe
  C:\Windows\System32\GCEEefs.exe
  2⤵
  PID:10724
- C:\Windows\System32\RdxYzFB.exe
  C:\Windows\System32\RdxYzFB.exe
  2⤵
  PID:10756
- C:\Windows\System32\cfKxxMp.exe
  C:\Windows\System32\cfKxxMp.exe
  2⤵
  PID:10796
- C:\Windows\System32\Vzhrvmj.exe
  C:\Windows\System32\Vzhrvmj.exe
  2⤵
  PID:10824
- C:\Windows\System32\XOhPjdw.exe
  C:\Windows\System32\XOhPjdw.exe
  2⤵
  PID:10844
- C:\Windows\System32\TprTIjd.exe
  C:\Windows\System32\TprTIjd.exe
  2⤵
  PID:10868
- C:\Windows\System32\HqjFXTn.exe
  C:\Windows\System32\HqjFXTn.exe
  2⤵
  PID:10912
- C:\Windows\System32\NVAxqvu.exe
  C:\Windows\System32\NVAxqvu.exe
  2⤵
  PID:10936
- C:\Windows\System32\OheFlYV.exe
  C:\Windows\System32\OheFlYV.exe
  2⤵
  PID:10952
- C:\Windows\System32\BAqShNM.exe
  C:\Windows\System32\BAqShNM.exe
  2⤵
  PID:10972
- C:\Windows\System32\tPGaWEt.exe
  C:\Windows\System32\tPGaWEt.exe
  2⤵
  PID:11008
- C:\Windows\System32\xRPGYUV.exe
  C:\Windows\System32\xRPGYUV.exe
  2⤵
  PID:11060
- C:\Windows\System32\gVLzARP.exe
  C:\Windows\System32\gVLzARP.exe
  2⤵
  PID:11076
- C:\Windows\System32\JlKtLsA.exe
  C:\Windows\System32\JlKtLsA.exe
  2⤵
  PID:11092
- C:\Windows\System32\bRCKFPT.exe
  C:\Windows\System32\bRCKFPT.exe
  2⤵
  PID:11120
- C:\Windows\System32\rLkFqlr.exe
  C:\Windows\System32\rLkFqlr.exe
  2⤵
  PID:11140
- C:\Windows\System32\dHCCQaZ.exe
  C:\Windows\System32\dHCCQaZ.exe
  2⤵
  PID:11168
- C:\Windows\System32\GBsUXpk.exe
  C:\Windows\System32\GBsUXpk.exe
  2⤵
  PID:11184
- C:\Windows\System32\kgoHFij.exe
  C:\Windows\System32\kgoHFij.exe
  2⤵
  PID:11260
- C:\Windows\System32\yKAifkS.exe
  C:\Windows\System32\yKAifkS.exe
  2⤵
  PID:10328
- C:\Windows\System32\HlZSEyf.exe
  C:\Windows\System32\HlZSEyf.exe
  2⤵
  PID:10372
- C:\Windows\System32\bGDdiBg.exe
  C:\Windows\System32\bGDdiBg.exe
  2⤵
  PID:10436
- C:\Windows\System32\vdENipX.exe
  C:\Windows\System32\vdENipX.exe
  2⤵
  PID:10432
- C:\Windows\System32\KuLnWeo.exe
  C:\Windows\System32\KuLnWeo.exe
  2⤵
  PID:10568
- C:\Windows\System32\WuXgxQe.exe
  C:\Windows\System32\WuXgxQe.exe
  2⤵
  PID:10664
- C:\Windows\System32\qOvYlUg.exe
  C:\Windows\System32\qOvYlUg.exe
  2⤵
  PID:10716
- C:\Windows\System32\mnmsQhR.exe
  C:\Windows\System32\mnmsQhR.exe
  2⤵
  PID:10816
- C:\Windows\System32\TLhhtsR.exe
  C:\Windows\System32\TLhhtsR.exe
  2⤵
  PID:10864
- C:\Windows\System32\EDPpWze.exe
  C:\Windows\System32\EDPpWze.exe
  2⤵
  PID:10888
- C:\Windows\System32\vPImlsZ.exe
  C:\Windows\System32\vPImlsZ.exe
  2⤵
  PID:10948
- C:\Windows\System32\wpMwraF.exe
  C:\Windows\System32\wpMwraF.exe
  2⤵
  PID:10992
- C:\Windows\System32\bymdPqh.exe
  C:\Windows\System32\bymdPqh.exe
  2⤵
  PID:11056
- C:\Windows\System32\QNLLAtT.exe
  C:\Windows\System32\QNLLAtT.exe
  2⤵
  PID:9672
- C:\Windows\System32\dVkYzhJ.exe
  C:\Windows\System32\dVkYzhJ.exe
  2⤵
  PID:11248
- C:\Windows\System32\asGQWte.exe
  C:\Windows\System32\asGQWte.exe
  2⤵
  PID:10336
- C:\Windows\System32\QvpNqLB.exe
  C:\Windows\System32\QvpNqLB.exe
  2⤵
  PID:10404
- C:\Windows\System32\xqzkWpV.exe
  C:\Windows\System32\xqzkWpV.exe
  2⤵
  PID:10660
- C:\Windows\System32\hSynAqu.exe
  C:\Windows\System32\hSynAqu.exe
  2⤵
  PID:10736
- C:\Windows\System32\MRakvLm.exe
  C:\Windows\System32\MRakvLm.exe
  2⤵
  PID:10880
- C:\Windows\System32\gMyXmGE.exe
  C:\Windows\System32\gMyXmGE.exe
  2⤵
  PID:11016
- C:\Windows\System32\dGccuwg.exe
  C:\Windows\System32\dGccuwg.exe
  2⤵
  PID:11216
- C:\Windows\System32\WLQbYgr.exe
  C:\Windows\System32\WLQbYgr.exe
  2⤵
  PID:10932
- C:\Windows\System32\vBRVQJH.exe
  C:\Windows\System32\vBRVQJH.exe
  2⤵
  PID:10272
- C:\Windows\System32\SIeMLEt.exe
  C:\Windows\System32\SIeMLEt.exe
  2⤵
  PID:11072
- C:\Windows\System32\mwzqQmp.exe
  C:\Windows\System32\mwzqQmp.exe
  2⤵
  PID:11284
- C:\Windows\System32\iUFmrzS.exe
  C:\Windows\System32\iUFmrzS.exe
  2⤵
  PID:11300
- C:\Windows\System32\JpFFxQa.exe
  C:\Windows\System32\JpFFxQa.exe
  2⤵
  PID:11324
- C:\Windows\System32\GROtvzr.exe
  C:\Windows\System32\GROtvzr.exe
  2⤵
  PID:11348
- C:\Windows\System32\PQSGEmQ.exe
  C:\Windows\System32\PQSGEmQ.exe
  2⤵
  PID:11408
- C:\Windows\System32\ByrJfOH.exe
  C:\Windows\System32\ByrJfOH.exe
  2⤵
  PID:11432
- C:\Windows\System32\aInTHim.exe
  C:\Windows\System32\aInTHim.exe
  2⤵
  PID:11456
- C:\Windows\System32\gLcGzPy.exe
  C:\Windows\System32\gLcGzPy.exe
  2⤵
  PID:11476
- C:\Windows\System32\WLpvVsH.exe
  C:\Windows\System32\WLpvVsH.exe
  2⤵
  PID:11508
- C:\Windows\System32\gbnDysZ.exe
  C:\Windows\System32\gbnDysZ.exe
  2⤵
  PID:11524
- C:\Windows\System32\qbxTmlM.exe
  C:\Windows\System32\qbxTmlM.exe
  2⤵
  PID:11560
- C:\Windows\System32\YfhIuqO.exe
  C:\Windows\System32\YfhIuqO.exe
  2⤵
  PID:11580
- C:\Windows\System32\yPTiCnB.exe
  C:\Windows\System32\yPTiCnB.exe
  2⤵
  PID:11600
- C:\Windows\System32\BHgEcBu.exe
  C:\Windows\System32\BHgEcBu.exe
  2⤵
  PID:11644
- C:\Windows\System32\xWThYvA.exe
  C:\Windows\System32\xWThYvA.exe
  2⤵
  PID:11676
- C:\Windows\System32\GIqtTbq.exe
  C:\Windows\System32\GIqtTbq.exe
  2⤵
  PID:11696
- C:\Windows\System32\FgAczPU.exe
  C:\Windows\System32\FgAczPU.exe
  2⤵
  PID:11716
- C:\Windows\System32\lRFBnyw.exe
  C:\Windows\System32\lRFBnyw.exe
  2⤵
  PID:11736
- C:\Windows\System32\BcXinDm.exe
  C:\Windows\System32\BcXinDm.exe
  2⤵
  PID:11772
- C:\Windows\System32\xodfIJl.exe
  C:\Windows\System32\xodfIJl.exe
  2⤵
  PID:11808
- C:\Windows\System32\dMBsgyo.exe
  C:\Windows\System32\dMBsgyo.exe
  2⤵
  PID:11828
- C:\Windows\System32\uzyCgyy.exe
  C:\Windows\System32\uzyCgyy.exe
  2⤵
  PID:11868
- C:\Windows\System32\vnPHwvG.exe
  C:\Windows\System32\vnPHwvG.exe
  2⤵
  PID:11912
- C:\Windows\System32\jzdDPVh.exe
  C:\Windows\System32\jzdDPVh.exe
  2⤵
  PID:11940
- C:\Windows\System32\hCgtuio.exe
  C:\Windows\System32\hCgtuio.exe
  2⤵
  PID:11968
- C:\Windows\System32\zWKFfQh.exe
  C:\Windows\System32\zWKFfQh.exe
  2⤵
  PID:11984
- C:\Windows\System32\cmAxZeT.exe
  C:\Windows\System32\cmAxZeT.exe
  2⤵
  PID:12016
- C:\Windows\System32\ZPRIJom.exe
  C:\Windows\System32\ZPRIJom.exe
  2⤵
  PID:12044
- C:\Windows\System32\wzjvjAZ.exe
  C:\Windows\System32\wzjvjAZ.exe
  2⤵
  PID:12076
- C:\Windows\System32\XCABbzm.exe
  C:\Windows\System32\XCABbzm.exe
  2⤵
  PID:12100
- C:\Windows\System32\ghQnDyz.exe
  C:\Windows\System32\ghQnDyz.exe
  2⤵
  PID:12124
- C:\Windows\System32\IQGzlOs.exe
  C:\Windows\System32\IQGzlOs.exe
  2⤵
  PID:12140
- C:\Windows\System32\bBnZeSg.exe
  C:\Windows\System32\bBnZeSg.exe
  2⤵
  PID:12160
- C:\Windows\System32\fbfIlki.exe
  C:\Windows\System32\fbfIlki.exe
  2⤵
  PID:12184
- C:\Windows\System32\YzpQJrB.exe
  C:\Windows\System32\YzpQJrB.exe
  2⤵
  PID:12244
- C:\Windows\System32\pkLBNrp.exe
  C:\Windows\System32\pkLBNrp.exe
  2⤵
  PID:12264
- C:\Windows\System32\TODGkLc.exe
  C:\Windows\System32\TODGkLc.exe
  2⤵
  PID:12284
- C:\Windows\System32\dbWlngV.exe
  C:\Windows\System32\dbWlngV.exe
  2⤵
  PID:11068
- C:\Windows\System32\GUXNCWe.exe
  C:\Windows\System32\GUXNCWe.exe
  2⤵
  PID:11312
- C:\Windows\System32\FCKLXgz.exe
  C:\Windows\System32\FCKLXgz.exe
  2⤵
  PID:11368
- C:\Windows\System32\svrOpNG.exe
  C:\Windows\System32\svrOpNG.exe
  2⤵
  PID:11428
- C:\Windows\System32\TwtEDIT.exe
  C:\Windows\System32\TwtEDIT.exe
  2⤵
  PID:11496
- C:\Windows\System32\FyecoFv.exe
  C:\Windows\System32\FyecoFv.exe
  2⤵
  PID:11544
- C:\Windows\System32\VtTpDrd.exe
  C:\Windows\System32\VtTpDrd.exe
  2⤵
  PID:11672
- C:\Windows\System32\AVZiLxW.exe
  C:\Windows\System32\AVZiLxW.exe
  2⤵
  PID:11732
- C:\Windows\System32\UYdjFal.exe
  C:\Windows\System32\UYdjFal.exe
  2⤵
  PID:11824
- C:\Windows\System32\QIRbOXC.exe
  C:\Windows\System32\QIRbOXC.exe
  2⤵
  PID:11876
- C:\Windows\System32\IYuvDdc.exe
  C:\Windows\System32\IYuvDdc.exe
  2⤵
  PID:11952
- C:\Windows\System32\gxYpLbm.exe
  C:\Windows\System32\gxYpLbm.exe
  2⤵
  PID:11976
- C:\Windows\System32\lCYShpE.exe
  C:\Windows\System32\lCYShpE.exe
  2⤵
  PID:12052
- C:\Windows\System32\qegOZrZ.exe
  C:\Windows\System32\qegOZrZ.exe
  2⤵
  PID:12176
- C:\Windows\System32\UMRaYqB.exe
  C:\Windows\System32\UMRaYqB.exe
  2⤵
  PID:12212
- C:\Windows\System32\pNasdMu.exe
  C:\Windows\System32\pNasdMu.exe
  2⤵
  PID:5052
- C:\Windows\System32\OaZcxaY.exe
  C:\Windows\System32\OaZcxaY.exe
  2⤵
  PID:11296
- C:\Windows\System32\AnvQtgU.exe
  C:\Windows\System32\AnvQtgU.exe
  2⤵
  PID:11424
- C:\Windows\System32\WDeQDjX.exe
  C:\Windows\System32\WDeQDjX.exe
  2⤵
  PID:2552
- C:\Windows\System32\MTnCvEQ.exe
  C:\Windows\System32\MTnCvEQ.exe
  2⤵
  PID:11712
- C:\Windows\System32\vgqphlt.exe
  C:\Windows\System32\vgqphlt.exe
  2⤵
  PID:11784
- C:\Windows\System32\BEUmDSg.exe
  C:\Windows\System32\BEUmDSg.exe
  2⤵
  PID:11956
- C:\Windows\System32\fOiYNCV.exe
  C:\Windows\System32\fOiYNCV.exe
  2⤵
  PID:12152
- C:\Windows\System32\qMWQBwt.exe
  C:\Windows\System32\qMWQBwt.exe
  2⤵
  PID:12192
- C:\Windows\System32\NHZPRYN.exe
  C:\Windows\System32\NHZPRYN.exe
  2⤵
  PID:11532
- C:\Windows\System32\sMxBkRv.exe
  C:\Windows\System32\sMxBkRv.exe
  2⤵
  PID:11592
- C:\Windows\System32\HFHmzJr.exe
  C:\Windows\System32\HFHmzJr.exe
  2⤵
  PID:11892
- C:\Windows\System32\gzrZGDG.exe
  C:\Windows\System32\gzrZGDG.exe
  2⤵
  PID:11684
- C:\Windows\System32\gxyjNXw.exe
  C:\Windows\System32\gxyjNXw.exe
  2⤵
  PID:12300
- C:\Windows\System32\txTEkvr.exe
  C:\Windows\System32\txTEkvr.exe
  2⤵
  PID:12316
- C:\Windows\System32\eqjxMDH.exe
  C:\Windows\System32\eqjxMDH.exe
  2⤵
  PID:12360
- C:\Windows\System32\skJSQNH.exe
  C:\Windows\System32\skJSQNH.exe
  2⤵
  PID:12388
- C:\Windows\System32\soNpUCa.exe
  C:\Windows\System32\soNpUCa.exe
  2⤵
  PID:12404
- C:\Windows\System32\DHeCYKW.exe
  C:\Windows\System32\DHeCYKW.exe
  2⤵
  PID:12432
- C:\Windows\System32\vkCcHbB.exe
  C:\Windows\System32\vkCcHbB.exe
  2⤵
  PID:12448
- C:\Windows\System32\IFluIxM.exe
  C:\Windows\System32\IFluIxM.exe
  2⤵
  PID:12480
- C:\Windows\System32\JeTdZtC.exe
  C:\Windows\System32\JeTdZtC.exe
  2⤵
  PID:12504
- C:\Windows\System32\IkAEFex.exe
  C:\Windows\System32\IkAEFex.exe
  2⤵
  PID:12552
- C:\Windows\System32\CNRfGXk.exe
  C:\Windows\System32\CNRfGXk.exe
  2⤵
  PID:12592
- C:\Windows\System32\IWeLYKT.exe
  C:\Windows\System32\IWeLYKT.exe
  2⤵
  PID:12608
- C:\Windows\System32\FztrnKi.exe
  C:\Windows\System32\FztrnKi.exe
  2⤵
  PID:12636
- C:\Windows\System32\fUYoreE.exe
  C:\Windows\System32\fUYoreE.exe
  2⤵
  PID:12656
- C:\Windows\System32\hTigcGR.exe
  C:\Windows\System32\hTigcGR.exe
  2⤵
  PID:12688
- C:\Windows\System32\cZxVnfR.exe
  C:\Windows\System32\cZxVnfR.exe
  2⤵
  PID:12716
- C:\Windows\System32\FGcJuzU.exe
  C:\Windows\System32\FGcJuzU.exe
  2⤵
  PID:12736
- C:\Windows\System32\tfJcJyu.exe
  C:\Windows\System32\tfJcJyu.exe
  2⤵
  PID:12764
- C:\Windows\System32\AjqjHvD.exe
  C:\Windows\System32\AjqjHvD.exe
  2⤵
  PID:12792
- C:\Windows\System32\TKGigIr.exe
  C:\Windows\System32\TKGigIr.exe
  2⤵
  PID:12812
- C:\Windows\System32\cYzTexT.exe
  C:\Windows\System32\cYzTexT.exe
  2⤵
  PID:12852
- C:\Windows\System32\xMrZsSA.exe
  C:\Windows\System32\xMrZsSA.exe
  2⤵
  PID:12876
- C:\Windows\System32\FDvodtF.exe
  C:\Windows\System32\FDvodtF.exe
  2⤵
  PID:12912
- C:\Windows\System32\FIFndfm.exe
  C:\Windows\System32\FIFndfm.exe
  2⤵
  PID:12928
- C:\Windows\System32\GUQyilX.exe
  C:\Windows\System32\GUQyilX.exe
  2⤵
  PID:12952
- C:\Windows\System32\olSExKa.exe
  C:\Windows\System32\olSExKa.exe
  2⤵
  PID:12972
- C:\Windows\System32\nvdetXk.exe
  C:\Windows\System32\nvdetXk.exe
  2⤵
  PID:12992
- C:\Windows\System32\lwppDxU.exe
  C:\Windows\System32\lwppDxU.exe
  2⤵
  PID:13020
- C:\Windows\System32\YcUyCTr.exe
  C:\Windows\System32\YcUyCTr.exe
  2⤵
  PID:13084
- C:\Windows\System32\eEUfVAx.exe
  C:\Windows\System32\eEUfVAx.exe
  2⤵
  PID:13100
- C:\Windows\System32\nuuktCi.exe
  C:\Windows\System32\nuuktCi.exe
  2⤵
  PID:13140
- C:\Windows\System32\sSOucWf.exe
  C:\Windows\System32\sSOucWf.exe
  2⤵
  PID:13180
- C:\Windows\System32\konWELo.exe
  C:\Windows\System32\konWELo.exe
  2⤵
  PID:13208
- C:\Windows\System32\ezSfrxy.exe
  C:\Windows\System32\ezSfrxy.exe
  2⤵
  PID:13224
- C:\Windows\System32\FuhhHhz.exe
  C:\Windows\System32\FuhhHhz.exe
  2⤵
  PID:13252
- C:\Windows\System32\aXcijFN.exe
  C:\Windows\System32\aXcijFN.exe
  2⤵
  PID:13280
- C:\Windows\System32\whJbJEJ.exe
  C:\Windows\System32\whJbJEJ.exe
  2⤵
  PID:11548
- C:\Windows\System32\CBKyqGi.exe
  C:\Windows\System32\CBKyqGi.exe
  2⤵
  PID:12308
- C:\Windows\System32\UzBUglb.exe
  C:\Windows\System32\UzBUglb.exe
  2⤵
  PID:12384
- C:\Windows\System32\QSYkOIq.exe
  C:\Windows\System32\QSYkOIq.exe
  2⤵
  PID:12464
- C:\Windows\System32\hMflkTr.exe
  C:\Windows\System32\hMflkTr.exe
  2⤵
  PID:12532
- C:\Windows\System32\TaOEYTW.exe
  C:\Windows\System32\TaOEYTW.exe
  2⤵
  PID:12560
- C:\Windows\System32\eWmSsIw.exe
  C:\Windows\System32\eWmSsIw.exe
  2⤵
  PID:12588
- C:\Windows\System32\GMJtCsc.exe
  C:\Windows\System32\GMJtCsc.exe
  2⤵
  PID:12668
- C:\Windows\System32\VtBuXGZ.exe
  C:\Windows\System32\VtBuXGZ.exe
  2⤵
  PID:12752
- C:\Windows\System32\TbMxPNl.exe
  C:\Windows\System32\TbMxPNl.exe
  2⤵
  PID:12824

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\CyGTyDh.exe

Filesize
1.7MB

MD5
63ca26f32fd2a88111c8911e1dc0e2fa

SHA1
5708c60056a7d81bb0cb5c4ce821af1ce5d8b54b

SHA256
0742a16ae60cf82a1dd7c881444317b73926e72666b6effcc14373a107e0ec6f

SHA512
fdeaac7d1db3c1e68de2f61fc656ad7c10387fee418a35fe34bec66d86054d3af28f80575a87e53882dc7580abe5e8ae8944b370e9cd0e93429b97d3a357d663

Download Submit
C:\Windows\System32\DPMcPxP.exe

Filesize
1.7MB

MD5
3fcb3cc2fa4a57640edf5097baa57ce1

SHA1
113288d9b1704ba7134fafd8e41029d73eb68a58

SHA256
d97618e0cf26c2ce290aec7b8d06408790022b60f1d10c1c5cce7e3b8d33b8eb

SHA512
4887c92251819719d60fbe2790d73bd812632f5a9772109eddad3c5446f9563cf5686db67202c751e6e24d0128c27031316cfe65fd3918167bc2afdafdaa5e07

Download Submit
C:\Windows\System32\ESGBwhR.exe

Filesize
1.7MB

MD5
67e2b30ffcf0a6a6ffdc604be61b307b

SHA1
7d4e686b736d3fcd4e738502568e9a88f892b3c8

SHA256
e878a261baa95609b14783bd3d317467f71a148fd339efe74c306e4268a619a0

SHA512
decb4fcf97282047ee01ea57424c248bd4a7d432c36709652d756df1b6f6864ea5748e7c5c2e78f75abb78a2cb5b22260b31a00ad9c3c87d6b95babbae33ee4e

Download Submit
C:\Windows\System32\GOIHytt.exe

Filesize
1.7MB

MD5
a145d84de6a57fc930d330b210672212

SHA1
e787d55d42481ed9028ad8c9c66215da6350c92a

SHA256
dcaee902baa33795927ababb756453f3264badf99ad637ca6ee32cf838356cdd

SHA512
d5e7abcf15919c01f82d1de64d6cebcc1691ab18cb81b34cf8b2bc17bd56458cda65229e9f185a3bba1f73a50f9cc2277d1c8ad876cbada6340cb7f07840036d

Download Submit
C:\Windows\System32\JLQCcWJ.exe

Filesize
1.7MB

MD5
c19ae268e4e664ac89bda8bc70c5c7bf

SHA1
846b794f7c645f8d81083808258bf054d23b41e0

SHA256
7bd8f8beacc4e500936d1dfac89275988ecd2c88271ce4a95a580f288273979e

SHA512
64391c51e043d6c243633dec5b8cc241e9cb7c6f801a6472d2da5b1e65c245a218cb7bc774b47005462c56fcef8a06f2a7b293d0193d227ec38a5e6194a3fe3f

Download Submit
C:\Windows\System32\JmkGaTp.exe

Filesize
1.7MB

MD5
68f45310d141bb540ef231d31767704a

SHA1
fdd5da33c69293d8f9f8ba395484c6429002d407

SHA256
c805616cac2f13e64dc88e5dd0697d20a3c170d7710738a02975972dfeb50bf9

SHA512
9fd002869c6a5e375231498d85636af48de319828105ebe8532acc46ace30136c1d93bf2e8689dbda0036dae44955258b101779fa9eb6236a680e8616a04752f

Download Submit
C:\Windows\System32\NpayJTv.exe

Filesize
1.7MB

MD5
12813546717541c6e6474b30111d5fbb

SHA1
aaa7c91e8f50e43c6997ab409ca4befc37d8eeb4

SHA256
f760c6ae628a085af0da3678eb06910ec89954c1db0c191ad799a1028a4c8494

SHA512
70d9313dbbfdd753d2262fae5c2fe7052b75010af44d35122f721dbb49568546ef64848a9eaab158a9fd0ce7d1ec82cb9b13500cf6b801be227eaeb1574d54f3

Download Submit
C:\Windows\System32\OJrGGpL.exe

Filesize
1.7MB

MD5
62fdb890a75230713525bd31ed85f5ff

SHA1
ed2bad961e8730facacceb90f8fbdf2a1d617787

SHA256
8be1cce94b63f66e9eea58b67a5d7ea0f023bd9cd366af91e1f99dbeb5fa00b9

SHA512
f40f9fbf636fe5c428b7fe3ac4f632dfe001fda83f3698b55b8c535431815f65989fdb5c2800e5a0cd744bbce1215488984fc7e675fb25f01f1c97a0b163816a

Download Submit
C:\Windows\System32\PJEVxkE.exe

Filesize
1.7MB

MD5
a6927707b0576bc460c94127d73184d4

SHA1
ade31e95f2de317b5ba39be547dad4efab1787ac

SHA256
7c565f74ad2e654b83d454a23d2fe385fe8f70b8165b27438874649356a4a204

SHA512
5fb28459e0607fdb2300b5556891a8b465b283c07e13d6c0f61958f96b8198032f96024c9d5ca5d03c23069366ae0670f7882c6f2822606b080aa8ee6fd2201e

Download Submit
C:\Windows\System32\QTnBeih.exe

Filesize
1.7MB

MD5
714f13fc99192ba5b16dc9c0af46d6ac

SHA1
df8e1d6bd99eb353d057107b85ee926b5eb1a338

SHA256
0d6e309f312a0ee612fd57efac8dc1c463a7abb353437a36997d40fc80266a39

SHA512
71ba160e7549d6a21cd269228cb11dd3531018a2c60a8aa31d77ae0d0a1f2442f49aaa0c855fb508fb3e031a8c907d17c21dfcc9fec51c4b8c09abe9d1948a5c

Download Submit
C:\Windows\System32\QVOJIPB.exe

Filesize
1.7MB

MD5
b585616d51148ae9d4a69222f293a896

SHA1
6924bcbe1a108205d79a6a55c6f7e417c22fdfeb

SHA256
0172a7d238710c6f7b32bccfc0713e2f05cd6e3b2571304bfd433267271eae25

SHA512
7477ed79947c64dd568f262ac9ded9f2936dd173cf377c7480e10f716586c765ecf8efd659033866e2215d746e957bcd86d4b62bd952a71abbd8b997681c4e88

Download Submit
C:\Windows\System32\QjDSFnc.exe

Filesize
1.7MB

MD5
9a3851af0e6a223e5f329ba68fea95f7

SHA1
8347301a42cf3c29b83a942c5ef0834da9a01fb8

SHA256
9327f6b563a62c2887510900a656da3cdfd895020b0d3117efa1d12081de4a80

SHA512
d1210bdfe4f8ec20f3b97844db4065e0672c881708a570de10225db0deaed0311544668cc28928ab317d0ed99cdf8904988f9272768e35ec9761aa97ff676cb6

Download Submit
C:\Windows\System32\QjetQdp.exe

Filesize
1.7MB

MD5
d119cebf25f47ea0f1518ca28986f2ac

SHA1
4a0fbbe9edf50d93a353a2f88adf191285617da4

SHA256
4a9434db391f310f62c62b2c85e7a2acf4e95ffe25a93f7f3e2b465680d329ee

SHA512
735f19c7c335241c0ec5804ad9965e159b05817eeb2d303dd2cf73a88dbd2138eeca97fa9cbddde7e21c6c5791db2abc5ae80137789673e5c825675f7e27d414

Download Submit
C:\Windows\System32\UsPVmFl.exe

Filesize
1.7MB

MD5
a93b3c0e1aa35c28288bca9d71faf995

SHA1
fe4e9cedc1d89d5e128fd1dfdda738122eb25387

SHA256
c75d1b969ca0ab591e2daf766fb13feeedf23c96b8db04de33d676dfb9602d74

SHA512
1e5659ddd5eb16da3bd518b66179f4bd7ebf1b33dd95a98660a7011ecc8e6f719e58bf1a4ac1c75524606d738480561e543a883f5cfd72b569c2c5741ef98105

Download Submit
C:\Windows\System32\UursJAd.exe

Filesize
1.7MB

MD5
45c4ea0a963db6a385f221c2fb41544c

SHA1
bcfbfc9bf2997e44457d572ddd9c43603d8839fa

SHA256
130bd336bfe1b46dddda256fa33da6aec3c07c8beb43e629a10b7dc26ab1ad49

SHA512
64bed0b555f8d9cedce4c8f874d45fa54a422388228dbf61a4363b8f266fd448e44cc3aa06acfb320b423873e596b63e6c2bb64826ae1b4dbe88a4b8416db636

Download Submit
C:\Windows\System32\VgyVuHG.exe

Filesize
1.7MB

MD5
c9fc36b450232edb924406b731776c46

SHA1
79c3618866ccc5befb2dfa72332dfc434ea4b668

SHA256
23bb0f24157e4631e6176ccc7330fbe64d5bc56e6a31ef29cd4d6894ab5d41cd

SHA512
bc02bbc9f1c56076ddff5350668f5e54588b511905ba4d233b10b1a3af5fdfa0280af27c917204c2e92a636985340156e82daebd0f2820492e3e12e8b8b5ac6f

Download Submit
C:\Windows\System32\WJEykMH.exe

Filesize
1.7MB

MD5
fc50fef30ab91c4ada6639d339fafc8a

SHA1
0e6ae4235531abaf0741d2fb3564d10de9a4c9af

SHA256
bd68931923b930a39fbb5a6c7137c7727dcb69a70538503a2e3274ac96099aa7

SHA512
450af7ed58ff67a73e38ea04d7f51252c1a83bb7712cc6f221b273e7960337cdf795aac7e817e1a3808190a21472b6ecad283d65ab1559a4d9455662dc121956

Download Submit
C:\Windows\System32\XepMaik.exe

Filesize
1.7MB

MD5
f1a55e75161c66f614d74ec045206ae8

SHA1
5e7ae130ba2137a2a780a3349c09a487a40a2adf

SHA256
242d5588dc0a026c8f43ee794804ce6792e4ec4d4186ad5a10e49c436f3a9897

SHA512
b7afc8ddc48b685b1f2ea8d86772a2b10e87f083753d1d7d56014b430b0f0e9745c69dbc63480367e8306735fd569400ce0687cd84cc5ae3b662bd9b9e2b3875

Download Submit
C:\Windows\System32\XymMaob.exe

Filesize
1.7MB

MD5
ebdc6b45dae3f5c04e741b617b4a3825

SHA1
ec0b39b85ab6faf0c996d1c0f654711d56186627

SHA256
a54763c7829612efd808dddef126fdb3ed857e8b7af9b4ed08315ee448768425

SHA512
8db36a69d790f82ca1a727bd1f044ae50d80daab82d9b4d7f70a8ca96bf4ab00df3ade3954acfbc2cb0b6cc5ad3d89838046a05b10608d862b8ac6ae4eccfcc4

Download Submit
C:\Windows\System32\YIQAwMF.exe

Filesize
1.7MB

MD5
d524a536df7cd7f202bd66fb0f1ee1ad

SHA1
87c663b4f03782f9b6b5accd58ac12cb53422253

SHA256
52f6ccb19226ce94f3c5b5e1a8ae8eaa226e2933e7e9dc4587c67a6ff2e7dc04

SHA512
1c0487d03ff8f862eb3b816183f783a5205285a49a01253ac95954d07e864b64770a1f5e32c5a0459f1518a7013bad84617ca7620ee3309af484cf882762f187

Download Submit
C:\Windows\System32\YSZkwdC.exe

Filesize
1.7MB

MD5
e82bdb56de16a796897cf5645aa9ef88

SHA1
34fc8a8c65ae32668df5bc4c39b33024b8d4ba88

SHA256
48dfb21d8e2149988219d3d62887e2fb2a0b378f15d1252104f5e5cf70559500

SHA512
faa7baa12485fe28ec0f691d8500f9474d7a492fd43bdbbcd58f5af2fd7bd8e00b51b9c0050acac2e19813443b89ab9764b08c91816cea6209f2ae94b0ed920d

Download Submit
C:\Windows\System32\bLMKpCp.exe

Filesize
1.7MB

MD5
066489609bd631f7d73a8c758bce668b

SHA1
1532e09f38996a27e83fd000df4bc7d2bcd5d7ef

SHA256
65c6f26b1ccd6f27e7e15b3ec39e7689e3a41a02773c14cb04bfcd9cef0c1e53

SHA512
738f1f97f3981f2b2756f13a6cbc9b02aa5859f3c1e4864f1997a2513a44c075b1457b78d39ae253b59898b93fd3f76d2233041c181fd0a89e89dd7e38d1614d

Download Submit
C:\Windows\System32\cSwSiis.exe

Filesize
1.7MB

MD5
976eff745269f8bf8093c459ba3d8108

SHA1
68ca0e003fede2715b397a695579bc69e253790f

SHA256
b3d8c7a0a21d1be120012fb541ebd24a2dd372e751dc47103e4bd3ac86d271b5

SHA512
5569fee144d95f94f72d0fe9809b2417a92397229e995a54e5f362e96a03c67d6fb07d4771eab6d755f3986ba6066b6263f7ecac2fee3d1cf26dd22caab75281

Download Submit
C:\Windows\System32\gZuBdMI.exe

Filesize
1.7MB

MD5
bd1a7eedfeb97b1bfce763ffeab2d81a

SHA1
22a22a1e3eef1ae26e36a60f49d27a8c5878a38f

SHA256
932a99a6d07ddb7745d623a64d586222682c49a9dff5c52383bb8a26f86ade40

SHA512
50756f3243330d81ba02345922522fcd39e24bce0ea555bf6d2d0015d066b46706a86ba6ce7e2dd88049a6ec88df6ded65e42616576db2e0bc21b55d64021679

Download Submit
C:\Windows\System32\hnwvdFD.exe

Filesize
1.7MB

MD5
973f44accb1c47478fa926ca5364face

SHA1
d5f9ba993e7ca7f1922bf1b4287e6478d833e2d8

SHA256
cba161624b974c66d3d2279535ed125a749a085feaeaeeeaeb477f73bcbba19c

SHA512
219afe1570e9b8c93797423bdb3f05c4690976e7867dd7946d2df12aa926ef337b5bcee912fae8cce83be1bb57ec9b769d0e8fb2832e42a8667b073150b07121

Download Submit
C:\Windows\System32\jDRolbZ.exe

Filesize
1.7MB

MD5
34545671ce095602896e25349f083a94

SHA1
c60c0ad8124cfa057bd3a2b24a39088dacc150d8

SHA256
0d5912e5c15bc803d836eded21238d35e34808587261813ae62e18d5e795729b

SHA512
12966abfaed583929111ae7de50722c79248028449ca1951f88a912275c61491472e9b973a32c9fd9127b61edb63aad7811e04a63726c5d5877061f77401845b

Download Submit
C:\Windows\System32\mHRTPBU.exe

Filesize
1.7MB

MD5
8379c743066510001a7eb38719568718

SHA1
4a53b53216a9806f77ae48a1ac6f2ab018e65c06

SHA256
923ba45af62c7ab79e6a612cfa8d1cdb669a1e6c2d539b3269dc104a5c5114e2

SHA512
af1c4ec9da991964963683be6a83e663151d847ff87d82ee33d4f5362ac59607825e04da2fe6282184055d25867ab3a4758f72d10037c0345fa98f5351c1ff13

Download Submit
C:\Windows\System32\qtxaOXv.exe

Filesize
1.7MB

MD5
9a5c19cd44bd747ef6c8d3f85b224c3d

SHA1
75ec233029ba2f0ec8abaf26690b797813e234ac

SHA256
a6c9af972b514d14aaf872c87786540a5536d174674b1d2a0b33469351d6b05d

SHA512
448b26d3bc6d0d3104d47069eea5ab84ce057306df11d458353b1ae3ca253bb5bd56b466ce3c87fd24c226f58f29b7425a0e2ba1338a7535bad524e5def0e430

Download Submit
C:\Windows\System32\uohvqyA.exe

Filesize
1.7MB

MD5
08dcd9608a03714e8785b2382345a3f1

SHA1
0fcdcffd537a5fcbf28d9c5f78c70470fad7b58d

SHA256
49ddde2d1af49215b394d107ba8b4f81267ac67e43953f2b81ec3bd15e7574f1

SHA512
d4298b9576f760c0bfe01d4f82d6c286bdf726b3dbdadfdfecc1bac5df0c287d192fddcc7f5681cb9469cbb8e183aee57781751788a497f0d75eb9c4c8135cbe

Download Submit
C:\Windows\System32\vNxyxeP.exe

Filesize
1.7MB

MD5
0489cc9008fb6aaac0e4fd0e7788055e

SHA1
24ab66757dc471cf7256fcdee6bd1061ee2a8bef

SHA256
d9e7f52862e9e120b0477b2a6c95d263b0c214c1b2d9d644dcaf152ea8879505

SHA512
f19362f4db6ebd6e9b7edf86cbcb46f320a1258d489667c8ba623910cc6d6555f94189345c9843e18c6be475db08ad8c4c15c771d7d6833dde924e01fcd368fd

Download Submit
C:\Windows\System32\xKnDaxw.exe

Filesize
1.7MB

MD5
0d4144eedceaefed511eace1101ebb25

SHA1
41ec5796322882365c98517f93a4d00a31e3d7ec

SHA256
6264a0a6d76a0cbf7862ced9a41ab58d57e8dbf3d2eecb6853e8983c4af12179

SHA512
7f8723bb55812319c7c24fddc19fa15d7e76a27d0d1f69af4df576d7a1a8871628e27ce29b5e7b2f1653303ff33e7f372c5bbfdc5d947aeeea8f57a82dc1f1be

Download Submit
C:\Windows\System32\yaYbGFi.exe

Filesize
1.7MB

MD5
3f756e7cd1a99b4993b6d1dc82561ad5

SHA1
77427a93836949d93957270e0aa51acdec4b9f3e

SHA256
638e0763e850dfc40b856b4d2dc87a92c3ed8d4cd1aaea0cf4b46f6c1c8e5528

SHA512
e9e055cfd8607b12867808c99b51448eb0f57bf2970d2a14ebc118aff57074744899802a1266fcfd53610e56d6890fede141e8980622963b981f5142b2599bfc

Download Submit
memory/440-2035-0x00007FF748610000-0x00007FF748A01000-memory.dmp

Filesize
3.9MB

Download
memory/440-445-0x00007FF748610000-0x00007FF748A01000-memory.dmp

Filesize
3.9MB

Download
memory/624-2020-0x00007FF68F6B0000-0x00007FF68FAA1000-memory.dmp

Filesize
3.9MB

Download
memory/624-519-0x00007FF68F6B0000-0x00007FF68FAA1000-memory.dmp

Filesize
3.9MB

Download
memory/860-444-0x00007FF6A2D10000-0x00007FF6A3101000-memory.dmp

Filesize
3.9MB

Download
memory/860-2026-0x00007FF6A2D10000-0x00007FF6A3101000-memory.dmp

Filesize
3.9MB

Download
memory/1040-2016-0x00007FF742560000-0x00007FF742951000-memory.dmp

Filesize
3.9MB

Download
memory/1040-441-0x00007FF742560000-0x00007FF742951000-memory.dmp

Filesize
3.9MB

Download
memory/1172-512-0x00007FF6ED430000-0x00007FF6ED821000-memory.dmp

Filesize
3.9MB

Download
memory/1172-2050-0x00007FF6ED430000-0x00007FF6ED821000-memory.dmp

Filesize
3.9MB

Download
memory/1624-2037-0x00007FF650BD0000-0x00007FF650FC1000-memory.dmp

Filesize
3.9MB

Download
memory/1624-480-0x00007FF650BD0000-0x00007FF650FC1000-memory.dmp

Filesize
3.9MB

Download
memory/1632-2018-0x00007FF770080000-0x00007FF770471000-memory.dmp

Filesize
3.9MB

Download
memory/1632-515-0x00007FF770080000-0x00007FF770471000-memory.dmp

Filesize
3.9MB

Download
memory/1692-2008-0x00007FF7DA440000-0x00007FF7DA831000-memory.dmp

Filesize
3.9MB

Download
memory/1692-1999-0x00007FF7DA440000-0x00007FF7DA831000-memory.dmp

Filesize
3.9MB

Download
memory/1692-32-0x00007FF7DA440000-0x00007FF7DA831000-memory.dmp

Filesize
3.9MB

Download
memory/1792-2010-0x00007FF6112B0000-0x00007FF6116A1000-memory.dmp

Filesize
3.9MB

Download
memory/1792-33-0x00007FF6112B0000-0x00007FF6116A1000-memory.dmp

Filesize
3.9MB

Download
memory/1988-442-0x00007FF6392F0000-0x00007FF6396E1000-memory.dmp

Filesize
3.9MB

Download
memory/1988-2022-0x00007FF6392F0000-0x00007FF6396E1000-memory.dmp

Filesize
3.9MB

Download
memory/2060-2024-0x00007FF7D4E80000-0x00007FF7D5271000-memory.dmp

Filesize
3.9MB

Download
memory/2060-443-0x00007FF7D4E80000-0x00007FF7D5271000-memory.dmp

Filesize
3.9MB

Download
memory/2092-2004-0x00007FF6F2990000-0x00007FF6F2D81000-memory.dmp

Filesize
3.9MB

Download
memory/2092-2012-0x00007FF6F2990000-0x00007FF6F2D81000-memory.dmp

Filesize
3.9MB

Download
memory/2092-42-0x00007FF6F2990000-0x00007FF6F2D81000-memory.dmp

Filesize
3.9MB

Download
memory/2728-476-0x00007FF6ED220000-0x00007FF6ED611000-memory.dmp

Filesize
3.9MB

Download
memory/2728-2032-0x00007FF6ED220000-0x00007FF6ED611000-memory.dmp

Filesize
3.9MB

Download
memory/2920-457-0x00007FF720DF0000-0x00007FF7211E1000-memory.dmp

Filesize
3.9MB

Download
memory/2920-2043-0x00007FF720DF0000-0x00007FF7211E1000-memory.dmp

Filesize
3.9MB

Download
memory/2988-494-0x00007FF77BB70000-0x00007FF77BF61000-memory.dmp

Filesize
3.9MB

Download
memory/2988-2048-0x00007FF77BB70000-0x00007FF77BF61000-memory.dmp

Filesize
3.9MB

Download
memory/3388-452-0x00007FF7EFC90000-0x00007FF7F0081000-memory.dmp

Filesize
3.9MB

Download
memory/3388-2039-0x00007FF7EFC90000-0x00007FF7F0081000-memory.dmp

Filesize
3.9MB

Download
memory/3652-2072-0x00007FF68E630000-0x00007FF68EA21000-memory.dmp

Filesize
3.9MB

Download
memory/3652-472-0x00007FF68E630000-0x00007FF68EA21000-memory.dmp

Filesize
3.9MB

Download
memory/3944-488-0x00007FF686660000-0x00007FF686A51000-memory.dmp

Filesize
3.9MB

Download
memory/3944-2045-0x00007FF686660000-0x00007FF686A51000-memory.dmp

Filesize
3.9MB

Download
memory/4068-2006-0x00007FF6E5470000-0x00007FF6E5861000-memory.dmp

Filesize
3.9MB

Download
memory/4068-1998-0x00007FF6E5470000-0x00007FF6E5861000-memory.dmp

Filesize
3.9MB

Download
memory/4068-9-0x00007FF6E5470000-0x00007FF6E5861000-memory.dmp

Filesize
3.9MB

Download
memory/4080-440-0x00007FF73EFD0000-0x00007FF73F3C1000-memory.dmp

Filesize
3.9MB

Download
memory/4080-2014-0x00007FF73EFD0000-0x00007FF73F3C1000-memory.dmp

Filesize
3.9MB

Download
memory/4384-464-0x00007FF7EF3B0000-0x00007FF7EF7A1000-memory.dmp

Filesize
3.9MB

Download
memory/4384-2028-0x00007FF7EF3B0000-0x00007FF7EF7A1000-memory.dmp

Filesize
3.9MB

Download
memory/4528-0-0x00007FF676EB0000-0x00007FF6772A1000-memory.dmp

Filesize
3.9MB

Download
memory/4528-1-0x000001C7421E0000-0x000001C7421F0000-memory.dmp

Filesize
64KB

Download
memory/4880-489-0x00007FF6A14D0000-0x00007FF6A18C1000-memory.dmp

Filesize
3.9MB

Download
memory/4880-2041-0x00007FF6A14D0000-0x00007FF6A18C1000-memory.dmp

Filesize
3.9MB

Download
memory/4924-505-0x00007FF7879F0000-0x00007FF787DE1000-memory.dmp

Filesize
3.9MB

Download
memory/4924-2052-0x00007FF7879F0000-0x00007FF787DE1000-memory.dmp

Filesize
3.9MB

Download
memory/5112-2033-0x00007FF777B50000-0x00007FF777F41000-memory.dmp

Filesize
3.9MB

Download
memory/5112-475-0x00007FF777B50000-0x00007FF777F41000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads