xmrig | 89d789b6b5344cf490fa928e0c504e351ff21bbb03fb5a17e2117be1daca345e

Analysis

max time kernel
97s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 11:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
Size

979KB
MD5

0babea5faabb3d636fa3ab96de0d29a7
SHA1

5eadc8719e0622639f57f43575cf4fff884e7ff5
SHA256

89d789b6b5344cf490fa928e0c504e351ff21bbb03fb5a17e2117be1daca345e
SHA512

0502e22c65cde66ed71a53efc802c4d81b96f51743090de1fedc943f7005728a0774166aecdb710ebb610d37d0524529457666b615cad3774d20b664ffbaa88f
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlOqzJO0RD/J54y9K6aY:knw9oUUEEDlOuJnRRkY

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/3932-347-0x00007FF71C000000-0x00007FF71C3F1000-memory.dmp	xmrig
behavioral2/memory/3752-354-0x00007FF646440000-0x00007FF646831000-memory.dmp	xmrig
behavioral2/memory/744-371-0x00007FF6E35D0000-0x00007FF6E39C1000-memory.dmp	xmrig
behavioral2/memory/4612-361-0x00007FF7E9080000-0x00007FF7E9471000-memory.dmp	xmrig
behavioral2/memory/2448-22-0x00007FF7648C0000-0x00007FF764CB1000-memory.dmp	xmrig
behavioral2/memory/1436-382-0x00007FF7AA470000-0x00007FF7AA861000-memory.dmp	xmrig
behavioral2/memory/3676-394-0x00007FF6658E0000-0x00007FF665CD1000-memory.dmp	xmrig
behavioral2/memory/1268-402-0x00007FF66FD10000-0x00007FF670101000-memory.dmp	xmrig
behavioral2/memory/2076-409-0x00007FF744550000-0x00007FF744941000-memory.dmp	xmrig
behavioral2/memory/1488-415-0x00007FF773AF0000-0x00007FF773EE1000-memory.dmp	xmrig
behavioral2/memory/4864-400-0x00007FF617200000-0x00007FF6175F1000-memory.dmp	xmrig
behavioral2/memory/5028-420-0x00007FF763FC0000-0x00007FF7643B1000-memory.dmp	xmrig
behavioral2/memory/4076-436-0x00007FF7A0D60000-0x00007FF7A1151000-memory.dmp	xmrig
behavioral2/memory/2536-447-0x00007FF6B7B80000-0x00007FF6B7F71000-memory.dmp	xmrig
behavioral2/memory/2648-485-0x00007FF762550000-0x00007FF762941000-memory.dmp	xmrig
behavioral2/memory/4460-492-0x00007FF6A4750000-0x00007FF6A4B41000-memory.dmp	xmrig
behavioral2/memory/392-468-0x00007FF61C250000-0x00007FF61C641000-memory.dmp	xmrig
behavioral2/memory/1628-458-0x00007FF7EA5E0000-0x00007FF7EA9D1000-memory.dmp	xmrig
behavioral2/memory/2660-455-0x00007FF79F6E0000-0x00007FF79FAD1000-memory.dmp	xmrig
behavioral2/memory/2428-449-0x00007FF6B1720000-0x00007FF6B1B11000-memory.dmp	xmrig
behavioral2/memory/1636-433-0x00007FF6E4BD0000-0x00007FF6E4FC1000-memory.dmp	xmrig
behavioral2/memory/2132-421-0x00007FF6B1FC0000-0x00007FF6B23B1000-memory.dmp	xmrig
behavioral2/memory/3448-1942-0x00007FF6A1600000-0x00007FF6A19F1000-memory.dmp	xmrig
behavioral2/memory/4648-1975-0x00007FF647FF0000-0x00007FF6483E1000-memory.dmp	xmrig
behavioral2/memory/3028-1976-0x00007FF7416F0000-0x00007FF741AE1000-memory.dmp	xmrig
behavioral2/memory/4648-1982-0x00007FF647FF0000-0x00007FF6483E1000-memory.dmp	xmrig
behavioral2/memory/3028-1984-0x00007FF7416F0000-0x00007FF741AE1000-memory.dmp	xmrig
behavioral2/memory/2448-1986-0x00007FF7648C0000-0x00007FF764CB1000-memory.dmp	xmrig
behavioral2/memory/3932-1992-0x00007FF71C000000-0x00007FF71C3F1000-memory.dmp	xmrig
behavioral2/memory/4076-2014-0x00007FF7A0D60000-0x00007FF7A1151000-memory.dmp	xmrig
behavioral2/memory/744-2010-0x00007FF6E35D0000-0x00007FF6E39C1000-memory.dmp	xmrig
behavioral2/memory/3676-2008-0x00007FF6658E0000-0x00007FF665CD1000-memory.dmp	xmrig
behavioral2/memory/1488-2004-0x00007FF773AF0000-0x00007FF773EE1000-memory.dmp	xmrig
behavioral2/memory/1268-2000-0x00007FF66FD10000-0x00007FF670101000-memory.dmp	xmrig
behavioral2/memory/1436-1998-0x00007FF7AA470000-0x00007FF7AA861000-memory.dmp	xmrig
behavioral2/memory/5028-1996-0x00007FF763FC0000-0x00007FF7643B1000-memory.dmp	xmrig
behavioral2/memory/4612-1994-0x00007FF7E9080000-0x00007FF7E9471000-memory.dmp	xmrig
behavioral2/memory/2076-2006-0x00007FF744550000-0x00007FF744941000-memory.dmp	xmrig
behavioral2/memory/4864-1990-0x00007FF617200000-0x00007FF6175F1000-memory.dmp	xmrig
behavioral2/memory/2132-2002-0x00007FF6B1FC0000-0x00007FF6B23B1000-memory.dmp	xmrig
behavioral2/memory/3752-1988-0x00007FF646440000-0x00007FF646831000-memory.dmp	xmrig
behavioral2/memory/2660-2024-0x00007FF79F6E0000-0x00007FF79FAD1000-memory.dmp	xmrig
behavioral2/memory/1628-2022-0x00007FF7EA5E0000-0x00007FF7EA9D1000-memory.dmp	xmrig
behavioral2/memory/4460-2028-0x00007FF6A4750000-0x00007FF6A4B41000-memory.dmp	xmrig
behavioral2/memory/392-2020-0x00007FF61C250000-0x00007FF61C641000-memory.dmp	xmrig
behavioral2/memory/2428-2018-0x00007FF6B1720000-0x00007FF6B1B11000-memory.dmp	xmrig
behavioral2/memory/2536-2016-0x00007FF6B7B80000-0x00007FF6B7F71000-memory.dmp	xmrig
behavioral2/memory/2648-2026-0x00007FF762550000-0x00007FF762941000-memory.dmp	xmrig
behavioral2/memory/1636-2012-0x00007FF6E4BD0000-0x00007FF6E4FC1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4648	BgNDbPC.exe
3028	ccemWWt.exe
2448	iNXHkbb.exe
3932	HuvKOLA.exe
3752	TxPtjJG.exe
4612	TLJVkmn.exe
744	wmcmhlG.exe
1436	pCXdYnF.exe
3676	naULmdx.exe
4864	RwDcLvd.exe
1268	sRWQIfp.exe
2076	qSqtUov.exe
1488	rZNcQNH.exe
5028	oiQYqVH.exe
2132	tvUlTuu.exe
1636	PFInHtQ.exe
4076	VwCZUrv.exe
2536	bAsVPPk.exe
2428	pBPVHRZ.exe
2660	psDosHx.exe
1628	dTuYrgj.exe
392	JlwlIZw.exe
2648	WeCudKT.exe
4460	cGqyama.exe
4240	VJSJZqX.exe
4492	XaDRFKZ.exe
2376	NUQEpDi.exe
3492	rbprMYW.exe
2420	SXsHcwa.exe
4320	SJYWajL.exe
536	lIgDxRL.exe
3880	AtVOKbE.exe
2404	ySuKhag.exe
2984	HLSkvYj.exe
1984	MHKZUxO.exe
2172	zXOHmZP.exe
2068	oBipCEK.exe
3892	veMjbuR.exe
5032	AcNmkqk.exe
4160	TWYMyWa.exe
2624	TfYmNFw.exe
4052	ywhjZtu.exe
2392	WwRHdCJ.exe
4700	FiGAYMR.exe
2456	CBVNkYN.exe
1808	gfwogat.exe
976	afaztiQ.exe
1192	bgGwKOX.exe
4116	lcsbNAf.exe
2472	utoFAWL.exe
1740	fCizoRv.exe
1532	Vcczgfo.exe
3576	MEZjfET.exe
4296	cywBLzO.exe
464	kDvYCBW.exe
2424	SImkDhN.exe
4200	UAaYszi.exe
2640	QKVingH.exe
4960	fUWteOj.exe
2464	lBOrArM.exe
4452	sJnGsIl.exe
1304	QVLlelm.exe
3820	FKvuvbX.exe
4792	RkHpXMh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3448-0-0x00007FF6A1600000-0x00007FF6A19F1000-memory.dmp	upx
behavioral2/files/0x000e000000023baf-8.dat	upx
behavioral2/files/0x000c000000023b5e-6.dat	upx
behavioral2/memory/3028-13-0x00007FF7416F0000-0x00007FF741AE1000-memory.dmp	upx
behavioral2/files/0x000a000000023bbc-17.dat	upx
behavioral2/files/0x000a000000023bbf-34.dat	upx
behavioral2/files/0x000a000000023bc0-39.dat	upx
behavioral2/files/0x000a000000023bc1-45.dat	upx
behavioral2/files/0x000a000000023bc4-59.dat	upx
behavioral2/files/0x000a000000023bc6-67.dat	upx
behavioral2/files/0x000a000000023bc9-84.dat	upx
behavioral2/files/0x000a000000023bcb-94.dat	upx
behavioral2/files/0x000a000000023bcd-104.dat	upx
behavioral2/files/0x000a000000023bd0-117.dat	upx
behavioral2/files/0x000a000000023bd2-129.dat	upx
behavioral2/files/0x000a000000023bd8-157.dat	upx
behavioral2/memory/3932-347-0x00007FF71C000000-0x00007FF71C3F1000-memory.dmp	upx
behavioral2/files/0x000a000000023bd9-164.dat	upx
behavioral2/files/0x000a000000023bd7-154.dat	upx
behavioral2/files/0x000a000000023bd6-150.dat	upx
behavioral2/files/0x000a000000023bd5-144.dat	upx
behavioral2/files/0x000a000000023bd4-139.dat	upx
behavioral2/files/0x000a000000023bd3-135.dat	upx
behavioral2/files/0x000a000000023bd1-125.dat	upx
behavioral2/files/0x000a000000023bcf-114.dat	upx
behavioral2/memory/3752-354-0x00007FF646440000-0x00007FF646831000-memory.dmp	upx
behavioral2/memory/744-371-0x00007FF6E35D0000-0x00007FF6E39C1000-memory.dmp	upx
behavioral2/memory/4612-361-0x00007FF7E9080000-0x00007FF7E9471000-memory.dmp	upx
behavioral2/files/0x000a000000023bce-110.dat	upx
behavioral2/files/0x000a000000023bcc-100.dat	upx
behavioral2/files/0x000a000000023bca-89.dat	upx
behavioral2/files/0x000a000000023bc8-80.dat	upx
behavioral2/files/0x000a000000023bc7-75.dat	upx
behavioral2/files/0x000a000000023bc5-65.dat	upx
behavioral2/files/0x000a000000023bc3-55.dat	upx
behavioral2/files/0x000a000000023bc2-49.dat	upx
behavioral2/files/0x000a000000023bbe-29.dat	upx
behavioral2/files/0x000a000000023bbd-27.dat	upx
behavioral2/memory/2448-22-0x00007FF7648C0000-0x00007FF764CB1000-memory.dmp	upx
behavioral2/memory/4648-9-0x00007FF647FF0000-0x00007FF6483E1000-memory.dmp	upx
behavioral2/memory/1436-382-0x00007FF7AA470000-0x00007FF7AA861000-memory.dmp	upx
behavioral2/memory/3676-394-0x00007FF6658E0000-0x00007FF665CD1000-memory.dmp	upx
behavioral2/memory/1268-402-0x00007FF66FD10000-0x00007FF670101000-memory.dmp	upx
behavioral2/memory/2076-409-0x00007FF744550000-0x00007FF744941000-memory.dmp	upx
behavioral2/memory/1488-415-0x00007FF773AF0000-0x00007FF773EE1000-memory.dmp	upx
behavioral2/memory/4864-400-0x00007FF617200000-0x00007FF6175F1000-memory.dmp	upx
behavioral2/memory/5028-420-0x00007FF763FC0000-0x00007FF7643B1000-memory.dmp	upx
behavioral2/memory/4076-436-0x00007FF7A0D60000-0x00007FF7A1151000-memory.dmp	upx
behavioral2/memory/2536-447-0x00007FF6B7B80000-0x00007FF6B7F71000-memory.dmp	upx
behavioral2/memory/2648-485-0x00007FF762550000-0x00007FF762941000-memory.dmp	upx
behavioral2/memory/4460-492-0x00007FF6A4750000-0x00007FF6A4B41000-memory.dmp	upx
behavioral2/memory/392-468-0x00007FF61C250000-0x00007FF61C641000-memory.dmp	upx
behavioral2/memory/1628-458-0x00007FF7EA5E0000-0x00007FF7EA9D1000-memory.dmp	upx
behavioral2/memory/2660-455-0x00007FF79F6E0000-0x00007FF79FAD1000-memory.dmp	upx
behavioral2/memory/2428-449-0x00007FF6B1720000-0x00007FF6B1B11000-memory.dmp	upx
behavioral2/memory/1636-433-0x00007FF6E4BD0000-0x00007FF6E4FC1000-memory.dmp	upx
behavioral2/memory/2132-421-0x00007FF6B1FC0000-0x00007FF6B23B1000-memory.dmp	upx
behavioral2/memory/3448-1942-0x00007FF6A1600000-0x00007FF6A19F1000-memory.dmp	upx
behavioral2/memory/4648-1975-0x00007FF647FF0000-0x00007FF6483E1000-memory.dmp	upx
behavioral2/memory/3028-1976-0x00007FF7416F0000-0x00007FF741AE1000-memory.dmp	upx
behavioral2/memory/4648-1982-0x00007FF647FF0000-0x00007FF6483E1000-memory.dmp	upx
behavioral2/memory/3028-1984-0x00007FF7416F0000-0x00007FF741AE1000-memory.dmp	upx
behavioral2/memory/2448-1986-0x00007FF7648C0000-0x00007FF764CB1000-memory.dmp	upx
behavioral2/memory/3932-1992-0x00007FF71C000000-0x00007FF71C3F1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\pBPVHRZ.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\lkIbiNl.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\EmRZXAC.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\TWYMyWa.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\zPheRsf.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\hEQuAuE.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\taulxbt.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\CCgXtmK.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\JEZTaZz.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\iUptuKA.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\LFhVkuU.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\xPKLFUP.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\raoIrjg.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\oBipCEK.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\ScznwJE.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\rZFhWho.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\TmZJthB.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\qIdykmH.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\RkHpXMh.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\XBCwubJ.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\ULKBaol.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\XinDDEP.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\XEVVyey.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\AAOGgbW.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\XvAyeGe.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\FiNDogK.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\rIETKbX.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\BPVoamt.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\banAycz.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\irLxKCx.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\RuZCPYr.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\KMaaaSX.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\yNPNftf.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\mAoDWyB.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\dfPFtXI.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\asOAgmB.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\tmksNsU.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\wmcmhlG.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\VJSJZqX.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\QVLlelm.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\LjtwErM.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\eXOBBbd.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\vwZenFj.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\WSetxvP.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\XBSYBtu.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\dHzmvBA.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\zVEKhBD.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\utoFAWL.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\seMnBsT.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\figuilm.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\igxJvmT.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\qLaPfxJ.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\hopZeTu.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\QKVingH.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\tCxItuQ.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\JJOzxKA.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\ovIDtds.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\WGHlHRo.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\hDlVRNv.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\PSfUIZL.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\OlmGYIl.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\PyBRCHg.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\obYhBYT.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
File created	C:\Windows\System32\WZhdmtx.exe	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13184	dwm.exe
Token: SeChangeNotifyPrivilege	13184	dwm.exe
Token: 33	13184	dwm.exe
Token: SeIncBasePriorityPrivilege	13184	dwm.exe
Token: SeShutdownPrivilege	13184	dwm.exe
Token: SeCreatePagefilePrivilege	13184	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4648	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	84
PID 3448 wrote to memory of 4648	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	84
PID 3448 wrote to memory of 3028	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	85
PID 3448 wrote to memory of 3028	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	85
PID 3448 wrote to memory of 2448	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	86
PID 3448 wrote to memory of 2448	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	86
PID 3448 wrote to memory of 3932	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	87
PID 3448 wrote to memory of 3932	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	87
PID 3448 wrote to memory of 3752	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	88
PID 3448 wrote to memory of 3752	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	88
PID 3448 wrote to memory of 4612	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	89
PID 3448 wrote to memory of 4612	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	89
PID 3448 wrote to memory of 744	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	90
PID 3448 wrote to memory of 744	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	90
PID 3448 wrote to memory of 1436	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	91
PID 3448 wrote to memory of 1436	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	91
PID 3448 wrote to memory of 3676	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	92
PID 3448 wrote to memory of 3676	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	92
PID 3448 wrote to memory of 4864	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	93
PID 3448 wrote to memory of 4864	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	93
PID 3448 wrote to memory of 1268	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	94
PID 3448 wrote to memory of 1268	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	94
PID 3448 wrote to memory of 2076	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	95
PID 3448 wrote to memory of 2076	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	95
PID 3448 wrote to memory of 1488	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	96
PID 3448 wrote to memory of 1488	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	96
PID 3448 wrote to memory of 5028	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	97
PID 3448 wrote to memory of 5028	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	97
PID 3448 wrote to memory of 2132	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	98
PID 3448 wrote to memory of 2132	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	98
PID 3448 wrote to memory of 1636	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	99
PID 3448 wrote to memory of 1636	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	99
PID 3448 wrote to memory of 4076	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	100
PID 3448 wrote to memory of 4076	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	100
PID 3448 wrote to memory of 2536	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	101
PID 3448 wrote to memory of 2536	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	101
PID 3448 wrote to memory of 2428	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	102
PID 3448 wrote to memory of 2428	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	102
PID 3448 wrote to memory of 2660	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	103
PID 3448 wrote to memory of 2660	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	103
PID 3448 wrote to memory of 1628	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	104
PID 3448 wrote to memory of 1628	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	104
PID 3448 wrote to memory of 392	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	105
PID 3448 wrote to memory of 392	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	105
PID 3448 wrote to memory of 2648	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	106
PID 3448 wrote to memory of 2648	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	106
PID 3448 wrote to memory of 4460	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	107
PID 3448 wrote to memory of 4460	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	107
PID 3448 wrote to memory of 4240	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	108
PID 3448 wrote to memory of 4240	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	108
PID 3448 wrote to memory of 4492	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	109
PID 3448 wrote to memory of 4492	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	109
PID 3448 wrote to memory of 2376	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	110
PID 3448 wrote to memory of 2376	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	110
PID 3448 wrote to memory of 3492	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	111
PID 3448 wrote to memory of 3492	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	111
PID 3448 wrote to memory of 2420	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	112
PID 3448 wrote to memory of 2420	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	112
PID 3448 wrote to memory of 4320	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	113
PID 3448 wrote to memory of 4320	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	113
PID 3448 wrote to memory of 536	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	114
PID 3448 wrote to memory of 536	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	114
PID 3448 wrote to memory of 3880	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	115
PID 3448 wrote to memory of 3880	3448	0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0babea5faabb3d636fa3ab96de0d29a7_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\System32\BgNDbPC.exe
  C:\Windows\System32\BgNDbPC.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System32\ccemWWt.exe
  C:\Windows\System32\ccemWWt.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\iNXHkbb.exe
  C:\Windows\System32\iNXHkbb.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System32\HuvKOLA.exe
  C:\Windows\System32\HuvKOLA.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\TxPtjJG.exe
  C:\Windows\System32\TxPtjJG.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System32\TLJVkmn.exe
  C:\Windows\System32\TLJVkmn.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\wmcmhlG.exe
  C:\Windows\System32\wmcmhlG.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\pCXdYnF.exe
  C:\Windows\System32\pCXdYnF.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System32\naULmdx.exe
  C:\Windows\System32\naULmdx.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\RwDcLvd.exe
  C:\Windows\System32\RwDcLvd.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\sRWQIfp.exe
  C:\Windows\System32\sRWQIfp.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System32\qSqtUov.exe
  C:\Windows\System32\qSqtUov.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\rZNcQNH.exe
  C:\Windows\System32\rZNcQNH.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System32\oiQYqVH.exe
  C:\Windows\System32\oiQYqVH.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\tvUlTuu.exe
  C:\Windows\System32\tvUlTuu.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System32\PFInHtQ.exe
  C:\Windows\System32\PFInHtQ.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\VwCZUrv.exe
  C:\Windows\System32\VwCZUrv.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\bAsVPPk.exe
  C:\Windows\System32\bAsVPPk.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System32\pBPVHRZ.exe
  C:\Windows\System32\pBPVHRZ.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System32\psDosHx.exe
  C:\Windows\System32\psDosHx.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System32\dTuYrgj.exe
  C:\Windows\System32\dTuYrgj.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System32\JlwlIZw.exe
  C:\Windows\System32\JlwlIZw.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\WeCudKT.exe
  C:\Windows\System32\WeCudKT.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\cGqyama.exe
  C:\Windows\System32\cGqyama.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\VJSJZqX.exe
  C:\Windows\System32\VJSJZqX.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\XaDRFKZ.exe
  C:\Windows\System32\XaDRFKZ.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\NUQEpDi.exe
  C:\Windows\System32\NUQEpDi.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System32\rbprMYW.exe
  C:\Windows\System32\rbprMYW.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System32\SXsHcwa.exe
  C:\Windows\System32\SXsHcwa.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System32\SJYWajL.exe
  C:\Windows\System32\SJYWajL.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\lIgDxRL.exe
  C:\Windows\System32\lIgDxRL.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System32\AtVOKbE.exe
  C:\Windows\System32\AtVOKbE.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System32\ySuKhag.exe
  C:\Windows\System32\ySuKhag.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\HLSkvYj.exe
  C:\Windows\System32\HLSkvYj.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\MHKZUxO.exe
  C:\Windows\System32\MHKZUxO.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\zXOHmZP.exe
  C:\Windows\System32\zXOHmZP.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System32\oBipCEK.exe
  C:\Windows\System32\oBipCEK.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\veMjbuR.exe
  C:\Windows\System32\veMjbuR.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\AcNmkqk.exe
  C:\Windows\System32\AcNmkqk.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\TWYMyWa.exe
  C:\Windows\System32\TWYMyWa.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System32\TfYmNFw.exe
  C:\Windows\System32\TfYmNFw.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System32\ywhjZtu.exe
  C:\Windows\System32\ywhjZtu.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System32\WwRHdCJ.exe
  C:\Windows\System32\WwRHdCJ.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System32\FiGAYMR.exe
  C:\Windows\System32\FiGAYMR.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System32\CBVNkYN.exe
  C:\Windows\System32\CBVNkYN.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System32\gfwogat.exe
  C:\Windows\System32\gfwogat.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System32\afaztiQ.exe
  C:\Windows\System32\afaztiQ.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System32\bgGwKOX.exe
  C:\Windows\System32\bgGwKOX.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System32\lcsbNAf.exe
  C:\Windows\System32\lcsbNAf.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System32\utoFAWL.exe
  C:\Windows\System32\utoFAWL.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\fCizoRv.exe
  C:\Windows\System32\fCizoRv.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System32\Vcczgfo.exe
  C:\Windows\System32\Vcczgfo.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System32\MEZjfET.exe
  C:\Windows\System32\MEZjfET.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System32\cywBLzO.exe
  C:\Windows\System32\cywBLzO.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System32\kDvYCBW.exe
  C:\Windows\System32\kDvYCBW.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System32\SImkDhN.exe
  C:\Windows\System32\SImkDhN.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System32\UAaYszi.exe
  C:\Windows\System32\UAaYszi.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System32\QKVingH.exe
  C:\Windows\System32\QKVingH.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System32\fUWteOj.exe
  C:\Windows\System32\fUWteOj.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\lBOrArM.exe
  C:\Windows\System32\lBOrArM.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\sJnGsIl.exe
  C:\Windows\System32\sJnGsIl.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\QVLlelm.exe
  C:\Windows\System32\QVLlelm.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System32\FKvuvbX.exe
  C:\Windows\System32\FKvuvbX.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System32\RkHpXMh.exe
  C:\Windows\System32\RkHpXMh.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\ummmTWI.exe
  C:\Windows\System32\ummmTWI.exe
  2⤵
  PID:2912
- C:\Windows\System32\LjzLJdg.exe
  C:\Windows\System32\LjzLJdg.exe
  2⤵
  PID:1960
- C:\Windows\System32\FlRKJWx.exe
  C:\Windows\System32\FlRKJWx.exe
  2⤵
  PID:2976
- C:\Windows\System32\idjMRDk.exe
  C:\Windows\System32\idjMRDk.exe
  2⤵
  PID:4876
- C:\Windows\System32\AEAgcWq.exe
  C:\Windows\System32\AEAgcWq.exe
  2⤵
  PID:4588
- C:\Windows\System32\yqOVKPu.exe
  C:\Windows\System32\yqOVKPu.exe
  2⤵
  PID:1588
- C:\Windows\System32\ucUpyeI.exe
  C:\Windows\System32\ucUpyeI.exe
  2⤵
  PID:4912
- C:\Windows\System32\wkODSNV.exe
  C:\Windows\System32\wkODSNV.exe
  2⤵
  PID:460
- C:\Windows\System32\PrrvkXA.exe
  C:\Windows\System32\PrrvkXA.exe
  2⤵
  PID:4184
- C:\Windows\System32\facaNXf.exe
  C:\Windows\System32\facaNXf.exe
  2⤵
  PID:1580
- C:\Windows\System32\vTaQpzz.exe
  C:\Windows\System32\vTaQpzz.exe
  2⤵
  PID:4236
- C:\Windows\System32\dLbDrfZ.exe
  C:\Windows\System32\dLbDrfZ.exe
  2⤵
  PID:3344
- C:\Windows\System32\NFrQduT.exe
  C:\Windows\System32\NFrQduT.exe
  2⤵
  PID:3628
- C:\Windows\System32\VnTvCbb.exe
  C:\Windows\System32\VnTvCbb.exe
  2⤵
  PID:2996
- C:\Windows\System32\FChjRsP.exe
  C:\Windows\System32\FChjRsP.exe
  2⤵
  PID:3836
- C:\Windows\System32\FDLsDPi.exe
  C:\Windows\System32\FDLsDPi.exe
  2⤵
  PID:940
- C:\Windows\System32\OlmGYIl.exe
  C:\Windows\System32\OlmGYIl.exe
  2⤵
  PID:2768
- C:\Windows\System32\LwByUJs.exe
  C:\Windows\System32\LwByUJs.exe
  2⤵
  PID:4660
- C:\Windows\System32\HNTqzpl.exe
  C:\Windows\System32\HNTqzpl.exe
  2⤵
  PID:4672
- C:\Windows\System32\WPBVVOQ.exe
  C:\Windows\System32\WPBVVOQ.exe
  2⤵
  PID:624
- C:\Windows\System32\zPheRsf.exe
  C:\Windows\System32\zPheRsf.exe
  2⤵
  PID:3788
- C:\Windows\System32\lXwSTLA.exe
  C:\Windows\System32\lXwSTLA.exe
  2⤵
  PID:1772
- C:\Windows\System32\ybvnImG.exe
  C:\Windows\System32\ybvnImG.exe
  2⤵
  PID:1804
- C:\Windows\System32\IOhMdkG.exe
  C:\Windows\System32\IOhMdkG.exe
  2⤵
  PID:3512
- C:\Windows\System32\yONHZuX.exe
  C:\Windows\System32\yONHZuX.exe
  2⤵
  PID:1948
- C:\Windows\System32\XBCwubJ.exe
  C:\Windows\System32\XBCwubJ.exe
  2⤵
  PID:1560
- C:\Windows\System32\ydlFtod.exe
  C:\Windows\System32\ydlFtod.exe
  2⤵
  PID:2112
- C:\Windows\System32\EFyLpUu.exe
  C:\Windows\System32\EFyLpUu.exe
  2⤵
  PID:1480
- C:\Windows\System32\MAOdzBG.exe
  C:\Windows\System32\MAOdzBG.exe
  2⤵
  PID:1516
- C:\Windows\System32\oCDHRLM.exe
  C:\Windows\System32\oCDHRLM.exe
  2⤵
  PID:2964
- C:\Windows\System32\IiRCwcE.exe
  C:\Windows\System32\IiRCwcE.exe
  2⤵
  PID:1072
- C:\Windows\System32\GHzSjjZ.exe
  C:\Windows\System32\GHzSjjZ.exe
  2⤵
  PID:4644
- C:\Windows\System32\hEQuAuE.exe
  C:\Windows\System32\hEQuAuE.exe
  2⤵
  PID:1792
- C:\Windows\System32\mziJTUd.exe
  C:\Windows\System32\mziJTUd.exe
  2⤵
  PID:3988
- C:\Windows\System32\KMaaaSX.exe
  C:\Windows\System32\KMaaaSX.exe
  2⤵
  PID:1828
- C:\Windows\System32\UJoVQpt.exe
  C:\Windows\System32\UJoVQpt.exe
  2⤵
  PID:5020
- C:\Windows\System32\crPAmJE.exe
  C:\Windows\System32\crPAmJE.exe
  2⤵
  PID:5108
- C:\Windows\System32\lMvjBfT.exe
  C:\Windows\System32\lMvjBfT.exe
  2⤵
  PID:2136
- C:\Windows\System32\zcdYfyn.exe
  C:\Windows\System32\zcdYfyn.exe
  2⤵
  PID:2476
- C:\Windows\System32\qRlPRut.exe
  C:\Windows\System32\qRlPRut.exe
  2⤵
  PID:2384
- C:\Windows\System32\MeuYdBY.exe
  C:\Windows\System32\MeuYdBY.exe
  2⤵
  PID:3204
- C:\Windows\System32\qAnwbUS.exe
  C:\Windows\System32\qAnwbUS.exe
  2⤵
  PID:880
- C:\Windows\System32\QJZvFSo.exe
  C:\Windows\System32\QJZvFSo.exe
  2⤵
  PID:4220
- C:\Windows\System32\VdpgNZs.exe
  C:\Windows\System32\VdpgNZs.exe
  2⤵
  PID:4436
- C:\Windows\System32\rVppWzg.exe
  C:\Windows\System32\rVppWzg.exe
  2⤵
  PID:5180
- C:\Windows\System32\mtKWOWd.exe
  C:\Windows\System32\mtKWOWd.exe
  2⤵
  PID:5256
- C:\Windows\System32\USAwTpg.exe
  C:\Windows\System32\USAwTpg.exe
  2⤵
  PID:5272
- C:\Windows\System32\TktMSzW.exe
  C:\Windows\System32\TktMSzW.exe
  2⤵
  PID:5288
- C:\Windows\System32\tdtMNhs.exe
  C:\Windows\System32\tdtMNhs.exe
  2⤵
  PID:5308
- C:\Windows\System32\iqHfGZz.exe
  C:\Windows\System32\iqHfGZz.exe
  2⤵
  PID:5324
- C:\Windows\System32\wiEJxLS.exe
  C:\Windows\System32\wiEJxLS.exe
  2⤵
  PID:5368
- C:\Windows\System32\NPPpBYN.exe
  C:\Windows\System32\NPPpBYN.exe
  2⤵
  PID:5448
- C:\Windows\System32\LjtwErM.exe
  C:\Windows\System32\LjtwErM.exe
  2⤵
  PID:5464
- C:\Windows\System32\SXulKiw.exe
  C:\Windows\System32\SXulKiw.exe
  2⤵
  PID:5480
- C:\Windows\System32\IHDAbUK.exe
  C:\Windows\System32\IHDAbUK.exe
  2⤵
  PID:5496
- C:\Windows\System32\ScznwJE.exe
  C:\Windows\System32\ScznwJE.exe
  2⤵
  PID:5528
- C:\Windows\System32\yatMSJb.exe
  C:\Windows\System32\yatMSJb.exe
  2⤵
  PID:5592
- C:\Windows\System32\ZMMMDIJ.exe
  C:\Windows\System32\ZMMMDIJ.exe
  2⤵
  PID:5612
- C:\Windows\System32\SDMtdSI.exe
  C:\Windows\System32\SDMtdSI.exe
  2⤵
  PID:5656
- C:\Windows\System32\fQitDrJ.exe
  C:\Windows\System32\fQitDrJ.exe
  2⤵
  PID:5672
- C:\Windows\System32\aXvlgOh.exe
  C:\Windows\System32\aXvlgOh.exe
  2⤵
  PID:5688
- C:\Windows\System32\XDBouYf.exe
  C:\Windows\System32\XDBouYf.exe
  2⤵
  PID:5724
- C:\Windows\System32\rbRZCeP.exe
  C:\Windows\System32\rbRZCeP.exe
  2⤵
  PID:5752
- C:\Windows\System32\FZOYzEA.exe
  C:\Windows\System32\FZOYzEA.exe
  2⤵
  PID:5768
- C:\Windows\System32\krQyByX.exe
  C:\Windows\System32\krQyByX.exe
  2⤵
  PID:5784
- C:\Windows\System32\tHAKquS.exe
  C:\Windows\System32\tHAKquS.exe
  2⤵
  PID:5800
- C:\Windows\System32\XSncbgo.exe
  C:\Windows\System32\XSncbgo.exe
  2⤵
  PID:5832
- C:\Windows\System32\unODzQe.exe
  C:\Windows\System32\unODzQe.exe
  2⤵
  PID:5852
- C:\Windows\System32\CxNJLFx.exe
  C:\Windows\System32\CxNJLFx.exe
  2⤵
  PID:5880
- C:\Windows\System32\zwaNscD.exe
  C:\Windows\System32\zwaNscD.exe
  2⤵
  PID:5896
- C:\Windows\System32\yNPNftf.exe
  C:\Windows\System32\yNPNftf.exe
  2⤵
  PID:5912
- C:\Windows\System32\PIiMSGX.exe
  C:\Windows\System32\PIiMSGX.exe
  2⤵
  PID:5932
- C:\Windows\System32\JEZTaZz.exe
  C:\Windows\System32\JEZTaZz.exe
  2⤵
  PID:5968
- C:\Windows\System32\lcDyuaV.exe
  C:\Windows\System32\lcDyuaV.exe
  2⤵
  PID:6012
- C:\Windows\System32\jSXLgaz.exe
  C:\Windows\System32\jSXLgaz.exe
  2⤵
  PID:6128
- C:\Windows\System32\yoGVumt.exe
  C:\Windows\System32\yoGVumt.exe
  2⤵
  PID:212
- C:\Windows\System32\eaupouR.exe
  C:\Windows\System32\eaupouR.exe
  2⤵
  PID:5220
- C:\Windows\System32\HrluaST.exe
  C:\Windows\System32\HrluaST.exe
  2⤵
  PID:5304
- C:\Windows\System32\dhIwLrF.exe
  C:\Windows\System32\dhIwLrF.exe
  2⤵
  PID:2120
- C:\Windows\System32\yvjUCvf.exe
  C:\Windows\System32\yvjUCvf.exe
  2⤵
  PID:5476
- C:\Windows\System32\RllXstE.exe
  C:\Windows\System32\RllXstE.exe
  2⤵
  PID:5564
- C:\Windows\System32\HafgCKf.exe
  C:\Windows\System32\HafgCKf.exe
  2⤵
  PID:5576
- C:\Windows\System32\EJrdJRs.exe
  C:\Windows\System32\EJrdJRs.exe
  2⤵
  PID:5620
- C:\Windows\System32\JeSCmTE.exe
  C:\Windows\System32\JeSCmTE.exe
  2⤵
  PID:5704
- C:\Windows\System32\gAOZAGS.exe
  C:\Windows\System32\gAOZAGS.exe
  2⤵
  PID:5860
- C:\Windows\System32\mAoDWyB.exe
  C:\Windows\System32\mAoDWyB.exe
  2⤵
  PID:5744
- C:\Windows\System32\jQzJCjC.exe
  C:\Windows\System32\jQzJCjC.exe
  2⤵
  PID:5976
- C:\Windows\System32\kCgoWdp.exe
  C:\Windows\System32\kCgoWdp.exe
  2⤵
  PID:5844
- C:\Windows\System32\dfPFtXI.exe
  C:\Windows\System32\dfPFtXI.exe
  2⤵
  PID:5960
- C:\Windows\System32\jeFBgef.exe
  C:\Windows\System32\jeFBgef.exe
  2⤵
  PID:6040
- C:\Windows\System32\banAycz.exe
  C:\Windows\System32\banAycz.exe
  2⤵
  PID:6088
- C:\Windows\System32\uhywpar.exe
  C:\Windows\System32\uhywpar.exe
  2⤵
  PID:5508
- C:\Windows\System32\mfRKTBl.exe
  C:\Windows\System32\mfRKTBl.exe
  2⤵
  PID:2796
- C:\Windows\System32\MiJYLoR.exe
  C:\Windows\System32\MiJYLoR.exe
  2⤵
  PID:5248
- C:\Windows\System32\erUQXpV.exe
  C:\Windows\System32\erUQXpV.exe
  2⤵
  PID:5392
- C:\Windows\System32\vWacWim.exe
  C:\Windows\System32\vWacWim.exe
  2⤵
  PID:5584
- C:\Windows\System32\jlYObSp.exe
  C:\Windows\System32\jlYObSp.exe
  2⤵
  PID:5632
- C:\Windows\System32\oTmtVOT.exe
  C:\Windows\System32\oTmtVOT.exe
  2⤵
  PID:5940
- C:\Windows\System32\sGnUUeS.exe
  C:\Windows\System32\sGnUUeS.exe
  2⤵
  PID:5840
- C:\Windows\System32\MrEEqLt.exe
  C:\Windows\System32\MrEEqLt.exe
  2⤵
  PID:5232
- C:\Windows\System32\redkDoM.exe
  C:\Windows\System32\redkDoM.exe
  2⤵
  PID:5812
- C:\Windows\System32\EVknnuq.exe
  C:\Windows\System32\EVknnuq.exe
  2⤵
  PID:5512
- C:\Windows\System32\rnrpxHa.exe
  C:\Windows\System32\rnrpxHa.exe
  2⤵
  PID:5904
- C:\Windows\System32\FFXhdYu.exe
  C:\Windows\System32\FFXhdYu.exe
  2⤵
  PID:5160
- C:\Windows\System32\GszLRKn.exe
  C:\Windows\System32\GszLRKn.exe
  2⤵
  PID:5888
- C:\Windows\System32\RFqsWHU.exe
  C:\Windows\System32\RFqsWHU.exe
  2⤵
  PID:6160
- C:\Windows\System32\wruYPQq.exe
  C:\Windows\System32\wruYPQq.exe
  2⤵
  PID:6180
- C:\Windows\System32\OoohCWc.exe
  C:\Windows\System32\OoohCWc.exe
  2⤵
  PID:6208
- C:\Windows\System32\cfKTCwK.exe
  C:\Windows\System32\cfKTCwK.exe
  2⤵
  PID:6232
- C:\Windows\System32\BjnjQsa.exe
  C:\Windows\System32\BjnjQsa.exe
  2⤵
  PID:6260
- C:\Windows\System32\QrxyVID.exe
  C:\Windows\System32\QrxyVID.exe
  2⤵
  PID:6308
- C:\Windows\System32\SKCvrLI.exe
  C:\Windows\System32\SKCvrLI.exe
  2⤵
  PID:6348
- C:\Windows\System32\TMNhZPl.exe
  C:\Windows\System32\TMNhZPl.exe
  2⤵
  PID:6368
- C:\Windows\System32\VgfKFMN.exe
  C:\Windows\System32\VgfKFMN.exe
  2⤵
  PID:6396
- C:\Windows\System32\erzFDxo.exe
  C:\Windows\System32\erzFDxo.exe
  2⤵
  PID:6420
- C:\Windows\System32\LxFualf.exe
  C:\Windows\System32\LxFualf.exe
  2⤵
  PID:6440
- C:\Windows\System32\iiKzGtY.exe
  C:\Windows\System32\iiKzGtY.exe
  2⤵
  PID:6480
- C:\Windows\System32\WwraQJH.exe
  C:\Windows\System32\WwraQJH.exe
  2⤵
  PID:6520
- C:\Windows\System32\StrXPza.exe
  C:\Windows\System32\StrXPza.exe
  2⤵
  PID:6536
- C:\Windows\System32\xFtwNPm.exe
  C:\Windows\System32\xFtwNPm.exe
  2⤵
  PID:6556
- C:\Windows\System32\mUTJIgI.exe
  C:\Windows\System32\mUTJIgI.exe
  2⤵
  PID:6572
- C:\Windows\System32\LjoIBPF.exe
  C:\Windows\System32\LjoIBPF.exe
  2⤵
  PID:6636
- C:\Windows\System32\pzWLVmL.exe
  C:\Windows\System32\pzWLVmL.exe
  2⤵
  PID:6668
- C:\Windows\System32\OahDpfq.exe
  C:\Windows\System32\OahDpfq.exe
  2⤵
  PID:6688
- C:\Windows\System32\seMnBsT.exe
  C:\Windows\System32\seMnBsT.exe
  2⤵
  PID:6716
- C:\Windows\System32\glHryct.exe
  C:\Windows\System32\glHryct.exe
  2⤵
  PID:6732
- C:\Windows\System32\ngGDcTX.exe
  C:\Windows\System32\ngGDcTX.exe
  2⤵
  PID:6780
- C:\Windows\System32\ITRSYCK.exe
  C:\Windows\System32\ITRSYCK.exe
  2⤵
  PID:6804
- C:\Windows\System32\AAOGgbW.exe
  C:\Windows\System32\AAOGgbW.exe
  2⤵
  PID:6828
- C:\Windows\System32\bACHIqT.exe
  C:\Windows\System32\bACHIqT.exe
  2⤵
  PID:6860
- C:\Windows\System32\ZdeXSaH.exe
  C:\Windows\System32\ZdeXSaH.exe
  2⤵
  PID:6888
- C:\Windows\System32\IVMVIfs.exe
  C:\Windows\System32\IVMVIfs.exe
  2⤵
  PID:6936
- C:\Windows\System32\LGOEbMH.exe
  C:\Windows\System32\LGOEbMH.exe
  2⤵
  PID:6956
- C:\Windows\System32\dhxlePg.exe
  C:\Windows\System32\dhxlePg.exe
  2⤵
  PID:6972
- C:\Windows\System32\ndVoPEu.exe
  C:\Windows\System32\ndVoPEu.exe
  2⤵
  PID:6996
- C:\Windows\System32\JgGvfLD.exe
  C:\Windows\System32\JgGvfLD.exe
  2⤵
  PID:7020
- C:\Windows\System32\ETZHMYL.exe
  C:\Windows\System32\ETZHMYL.exe
  2⤵
  PID:7036
- C:\Windows\System32\CoypDvc.exe
  C:\Windows\System32\CoypDvc.exe
  2⤵
  PID:7076
- C:\Windows\System32\lvYztRS.exe
  C:\Windows\System32\lvYztRS.exe
  2⤵
  PID:7092
- C:\Windows\System32\xMTnxSR.exe
  C:\Windows\System32\xMTnxSR.exe
  2⤵
  PID:7112
- C:\Windows\System32\iFNkAJG.exe
  C:\Windows\System32\iFNkAJG.exe
  2⤵
  PID:7132
- C:\Windows\System32\PyBRCHg.exe
  C:\Windows\System32\PyBRCHg.exe
  2⤵
  PID:7156
- C:\Windows\System32\gCXWovj.exe
  C:\Windows\System32\gCXWovj.exe
  2⤵
  PID:6240
- C:\Windows\System32\XvAyeGe.exe
  C:\Windows\System32\XvAyeGe.exe
  2⤵
  PID:6300
- C:\Windows\System32\CYmEXDP.exe
  C:\Windows\System32\CYmEXDP.exe
  2⤵
  PID:6356
- C:\Windows\System32\iUptuKA.exe
  C:\Windows\System32\iUptuKA.exe
  2⤵
  PID:6452
- C:\Windows\System32\JDsmgUF.exe
  C:\Windows\System32\JDsmgUF.exe
  2⤵
  PID:6492
- C:\Windows\System32\uQtYjlY.exe
  C:\Windows\System32\uQtYjlY.exe
  2⤵
  PID:6568
- C:\Windows\System32\hhSHdsH.exe
  C:\Windows\System32\hhSHdsH.exe
  2⤵
  PID:6564
- C:\Windows\System32\cHucwum.exe
  C:\Windows\System32\cHucwum.exe
  2⤵
  PID:1868
- C:\Windows\System32\yweSRVG.exe
  C:\Windows\System32\yweSRVG.exe
  2⤵
  PID:6652
- C:\Windows\System32\jMZrRhC.exe
  C:\Windows\System32\jMZrRhC.exe
  2⤵
  PID:6704
- C:\Windows\System32\tWwvVUN.exe
  C:\Windows\System32\tWwvVUN.exe
  2⤵
  PID:6724
- C:\Windows\System32\iExoAJp.exe
  C:\Windows\System32\iExoAJp.exe
  2⤵
  PID:6800
- C:\Windows\System32\rNZVJYA.exe
  C:\Windows\System32\rNZVJYA.exe
  2⤵
  PID:6900
- C:\Windows\System32\CVkMeRA.exe
  C:\Windows\System32\CVkMeRA.exe
  2⤵
  PID:7064
- C:\Windows\System32\obYhBYT.exe
  C:\Windows\System32\obYhBYT.exe
  2⤵
  PID:7104
- C:\Windows\System32\ZlqusfH.exe
  C:\Windows\System32\ZlqusfH.exe
  2⤵
  PID:7128
- C:\Windows\System32\MvSXVSk.exe
  C:\Windows\System32\MvSXVSk.exe
  2⤵
  PID:6156
- C:\Windows\System32\ULKBaol.exe
  C:\Windows\System32\ULKBaol.exe
  2⤵
  PID:6332
- C:\Windows\System32\VpXSBAe.exe
  C:\Windows\System32\VpXSBAe.exe
  2⤵
  PID:6432
- C:\Windows\System32\WpeswEX.exe
  C:\Windows\System32\WpeswEX.exe
  2⤵
  PID:6544
- C:\Windows\System32\ehwhVcQ.exe
  C:\Windows\System32\ehwhVcQ.exe
  2⤵
  PID:5548
- C:\Windows\System32\gcrjDqx.exe
  C:\Windows\System32\gcrjDqx.exe
  2⤵
  PID:1368
- C:\Windows\System32\JSXOTOX.exe
  C:\Windows\System32\JSXOTOX.exe
  2⤵
  PID:7048
- C:\Windows\System32\dyIfghV.exe
  C:\Windows\System32\dyIfghV.exe
  2⤵
  PID:7088
- C:\Windows\System32\ZkQiXZV.exe
  C:\Windows\System32\ZkQiXZV.exe
  2⤵
  PID:6168
- C:\Windows\System32\TGeJLKS.exe
  C:\Windows\System32\TGeJLKS.exe
  2⤵
  PID:6852
- C:\Windows\System32\idCRYYE.exe
  C:\Windows\System32\idCRYYE.exe
  2⤵
  PID:5780
- C:\Windows\System32\QXFhisZ.exe
  C:\Windows\System32\QXFhisZ.exe
  2⤵
  PID:7124
- C:\Windows\System32\tScwyeq.exe
  C:\Windows\System32\tScwyeq.exe
  2⤵
  PID:7208
- C:\Windows\System32\WZhdmtx.exe
  C:\Windows\System32\WZhdmtx.exe
  2⤵
  PID:7236
- C:\Windows\System32\lCPIbNq.exe
  C:\Windows\System32\lCPIbNq.exe
  2⤵
  PID:7256
- C:\Windows\System32\qkqAZDL.exe
  C:\Windows\System32\qkqAZDL.exe
  2⤵
  PID:7304
- C:\Windows\System32\ZcxwmRY.exe
  C:\Windows\System32\ZcxwmRY.exe
  2⤵
  PID:7324
- C:\Windows\System32\NBqcKmx.exe
  C:\Windows\System32\NBqcKmx.exe
  2⤵
  PID:7340
- C:\Windows\System32\KTryYKi.exe
  C:\Windows\System32\KTryYKi.exe
  2⤵
  PID:7400
- C:\Windows\System32\sXMkdtJ.exe
  C:\Windows\System32\sXMkdtJ.exe
  2⤵
  PID:7432
- C:\Windows\System32\albHnRA.exe
  C:\Windows\System32\albHnRA.exe
  2⤵
  PID:7460
- C:\Windows\System32\iLeMiLK.exe
  C:\Windows\System32\iLeMiLK.exe
  2⤵
  PID:7484
- C:\Windows\System32\NqbgliP.exe
  C:\Windows\System32\NqbgliP.exe
  2⤵
  PID:7508
- C:\Windows\System32\HTyHCau.exe
  C:\Windows\System32\HTyHCau.exe
  2⤵
  PID:7540
- C:\Windows\System32\ifsGDgr.exe
  C:\Windows\System32\ifsGDgr.exe
  2⤵
  PID:7556
- C:\Windows\System32\IHgMsRC.exe
  C:\Windows\System32\IHgMsRC.exe
  2⤵
  PID:7588
- C:\Windows\System32\HxDZdkp.exe
  C:\Windows\System32\HxDZdkp.exe
  2⤵
  PID:7624
- C:\Windows\System32\kXJaoFn.exe
  C:\Windows\System32\kXJaoFn.exe
  2⤵
  PID:7640
- C:\Windows\System32\XQRXjVi.exe
  C:\Windows\System32\XQRXjVi.exe
  2⤵
  PID:7660
- C:\Windows\System32\GXnGboT.exe
  C:\Windows\System32\GXnGboT.exe
  2⤵
  PID:7696
- C:\Windows\System32\xWeffAo.exe
  C:\Windows\System32\xWeffAo.exe
  2⤵
  PID:7712
- C:\Windows\System32\OhvnONQ.exe
  C:\Windows\System32\OhvnONQ.exe
  2⤵
  PID:7728
- C:\Windows\System32\NgByCJw.exe
  C:\Windows\System32\NgByCJw.exe
  2⤵
  PID:7772
- C:\Windows\System32\vqJlIAq.exe
  C:\Windows\System32\vqJlIAq.exe
  2⤵
  PID:7792
- C:\Windows\System32\CjeGetq.exe
  C:\Windows\System32\CjeGetq.exe
  2⤵
  PID:7816
- C:\Windows\System32\pGFecpy.exe
  C:\Windows\System32\pGFecpy.exe
  2⤵
  PID:7836
- C:\Windows\System32\LFhVkuU.exe
  C:\Windows\System32\LFhVkuU.exe
  2⤵
  PID:7860
- C:\Windows\System32\QpUAaiq.exe
  C:\Windows\System32\QpUAaiq.exe
  2⤵
  PID:7900
- C:\Windows\System32\zZROOOH.exe
  C:\Windows\System32\zZROOOH.exe
  2⤵
  PID:7956
- C:\Windows\System32\AZmVXvC.exe
  C:\Windows\System32\AZmVXvC.exe
  2⤵
  PID:7972
- C:\Windows\System32\CthgzhW.exe
  C:\Windows\System32\CthgzhW.exe
  2⤵
  PID:7996
- C:\Windows\System32\DmHolSD.exe
  C:\Windows\System32\DmHolSD.exe
  2⤵
  PID:8040
- C:\Windows\System32\cGHsZtk.exe
  C:\Windows\System32\cGHsZtk.exe
  2⤵
  PID:8068
- C:\Windows\System32\vwZenFj.exe
  C:\Windows\System32\vwZenFj.exe
  2⤵
  PID:8088
- C:\Windows\System32\IgiOryI.exe
  C:\Windows\System32\IgiOryI.exe
  2⤵
  PID:8104
- C:\Windows\System32\xjwaeIq.exe
  C:\Windows\System32\xjwaeIq.exe
  2⤵
  PID:8160
- C:\Windows\System32\TIoWaYi.exe
  C:\Windows\System32\TIoWaYi.exe
  2⤵
  PID:7028
- C:\Windows\System32\tYwMCEy.exe
  C:\Windows\System32\tYwMCEy.exe
  2⤵
  PID:6528
- C:\Windows\System32\EbLoOBC.exe
  C:\Windows\System32\EbLoOBC.exe
  2⤵
  PID:7200
- C:\Windows\System32\AoBabxQ.exe
  C:\Windows\System32\AoBabxQ.exe
  2⤵
  PID:7224
- C:\Windows\System32\YyeFmzr.exe
  C:\Windows\System32\YyeFmzr.exe
  2⤵
  PID:7284
- C:\Windows\System32\UUsHnxg.exe
  C:\Windows\System32\UUsHnxg.exe
  2⤵
  PID:7412
- C:\Windows\System32\taulxbt.exe
  C:\Windows\System32\taulxbt.exe
  2⤵
  PID:7536
- C:\Windows\System32\YGfKngA.exe
  C:\Windows\System32\YGfKngA.exe
  2⤵
  PID:7572
- C:\Windows\System32\FwYzPNv.exe
  C:\Windows\System32\FwYzPNv.exe
  2⤵
  PID:7604
- C:\Windows\System32\QWHtKEc.exe
  C:\Windows\System32\QWHtKEc.exe
  2⤵
  PID:7672
- C:\Windows\System32\CkvYeoX.exe
  C:\Windows\System32\CkvYeoX.exe
  2⤵
  PID:7740
- C:\Windows\System32\WTGzxsi.exe
  C:\Windows\System32\WTGzxsi.exe
  2⤵
  PID:7784
- C:\Windows\System32\HELaovb.exe
  C:\Windows\System32\HELaovb.exe
  2⤵
  PID:7804
- C:\Windows\System32\tqSZqHl.exe
  C:\Windows\System32\tqSZqHl.exe
  2⤵
  PID:7844
- C:\Windows\System32\ApIgKqM.exe
  C:\Windows\System32\ApIgKqM.exe
  2⤵
  PID:7968
- C:\Windows\System32\jwtlesC.exe
  C:\Windows\System32\jwtlesC.exe
  2⤵
  PID:7964
- C:\Windows\System32\JQkaMqj.exe
  C:\Windows\System32\JQkaMqj.exe
  2⤵
  PID:8024
- C:\Windows\System32\BrBviKK.exe
  C:\Windows\System32\BrBviKK.exe
  2⤵
  PID:8100
- C:\Windows\System32\JmfyrBP.exe
  C:\Windows\System32\JmfyrBP.exe
  2⤵
  PID:8156
- C:\Windows\System32\lNyvoOe.exe
  C:\Windows\System32\lNyvoOe.exe
  2⤵
  PID:8184
- C:\Windows\System32\aAsLnHZ.exe
  C:\Windows\System32\aAsLnHZ.exe
  2⤵
  PID:7180
- C:\Windows\System32\oQXYpxt.exe
  C:\Windows\System32\oQXYpxt.exe
  2⤵
  PID:7752
- C:\Windows\System32\kJeADHY.exe
  C:\Windows\System32\kJeADHY.exe
  2⤵
  PID:7868
- C:\Windows\System32\HkUZIvG.exe
  C:\Windows\System32\HkUZIvG.exe
  2⤵
  PID:8004
- C:\Windows\System32\YfxrUUl.exe
  C:\Windows\System32\YfxrUUl.exe
  2⤵
  PID:5716
- C:\Windows\System32\LiWHVdB.exe
  C:\Windows\System32\LiWHVdB.exe
  2⤵
  PID:7760
- C:\Windows\System32\dFgINFa.exe
  C:\Windows\System32\dFgINFa.exe
  2⤵
  PID:7492
- C:\Windows\System32\lwVbqjh.exe
  C:\Windows\System32\lwVbqjh.exe
  2⤵
  PID:7724
- C:\Windows\System32\zNsjzvx.exe
  C:\Windows\System32\zNsjzvx.exe
  2⤵
  PID:8096
- C:\Windows\System32\faxlxNV.exe
  C:\Windows\System32\faxlxNV.exe
  2⤵
  PID:7632
- C:\Windows\System32\BumOYgB.exe
  C:\Windows\System32\BumOYgB.exe
  2⤵
  PID:8216
- C:\Windows\System32\figuilm.exe
  C:\Windows\System32\figuilm.exe
  2⤵
  PID:8232
- C:\Windows\System32\hfhCadt.exe
  C:\Windows\System32\hfhCadt.exe
  2⤵
  PID:8256
- C:\Windows\System32\xnMFzTl.exe
  C:\Windows\System32\xnMFzTl.exe
  2⤵
  PID:8284
- C:\Windows\System32\IMbmHLR.exe
  C:\Windows\System32\IMbmHLR.exe
  2⤵
  PID:8300
- C:\Windows\System32\wBcfewQ.exe
  C:\Windows\System32\wBcfewQ.exe
  2⤵
  PID:8368
- C:\Windows\System32\PlgXPOR.exe
  C:\Windows\System32\PlgXPOR.exe
  2⤵
  PID:8396
- C:\Windows\System32\mHFAPCw.exe
  C:\Windows\System32\mHFAPCw.exe
  2⤵
  PID:8416
- C:\Windows\System32\bVPktxb.exe
  C:\Windows\System32\bVPktxb.exe
  2⤵
  PID:8448
- C:\Windows\System32\TgVGSHl.exe
  C:\Windows\System32\TgVGSHl.exe
  2⤵
  PID:8468
- C:\Windows\System32\zAZPvPI.exe
  C:\Windows\System32\zAZPvPI.exe
  2⤵
  PID:8508
- C:\Windows\System32\ntIZkcG.exe
  C:\Windows\System32\ntIZkcG.exe
  2⤵
  PID:8572
- C:\Windows\System32\XfwKTtk.exe
  C:\Windows\System32\XfwKTtk.exe
  2⤵
  PID:8592
- C:\Windows\System32\PXHRRqm.exe
  C:\Windows\System32\PXHRRqm.exe
  2⤵
  PID:8612
- C:\Windows\System32\KZJJyGz.exe
  C:\Windows\System32\KZJJyGz.exe
  2⤵
  PID:8636
- C:\Windows\System32\xNmykSJ.exe
  C:\Windows\System32\xNmykSJ.exe
  2⤵
  PID:8656
- C:\Windows\System32\dXoVaHC.exe
  C:\Windows\System32\dXoVaHC.exe
  2⤵
  PID:8700
- C:\Windows\System32\FUrEFOK.exe
  C:\Windows\System32\FUrEFOK.exe
  2⤵
  PID:8740
- C:\Windows\System32\iwopwcM.exe
  C:\Windows\System32\iwopwcM.exe
  2⤵
  PID:8772
- C:\Windows\System32\CRheFLL.exe
  C:\Windows\System32\CRheFLL.exe
  2⤵
  PID:8792
- C:\Windows\System32\UXHZsUh.exe
  C:\Windows\System32\UXHZsUh.exe
  2⤵
  PID:8812
- C:\Windows\System32\VqaflVV.exe
  C:\Windows\System32\VqaflVV.exe
  2⤵
  PID:8832
- C:\Windows\System32\FiNDogK.exe
  C:\Windows\System32\FiNDogK.exe
  2⤵
  PID:8852
- C:\Windows\System32\uJUESAI.exe
  C:\Windows\System32\uJUESAI.exe
  2⤵
  PID:8876
- C:\Windows\System32\Epipfag.exe
  C:\Windows\System32\Epipfag.exe
  2⤵
  PID:8896
- C:\Windows\System32\ldbvbPh.exe
  C:\Windows\System32\ldbvbPh.exe
  2⤵
  PID:8920
- C:\Windows\System32\XZcFBYS.exe
  C:\Windows\System32\XZcFBYS.exe
  2⤵
  PID:8992
- C:\Windows\System32\SAKtEoM.exe
  C:\Windows\System32\SAKtEoM.exe
  2⤵
  PID:9028
- C:\Windows\System32\nHADWjD.exe
  C:\Windows\System32\nHADWjD.exe
  2⤵
  PID:9044
- C:\Windows\System32\lkIbiNl.exe
  C:\Windows\System32\lkIbiNl.exe
  2⤵
  PID:9068
- C:\Windows\System32\SXlkyHZ.exe
  C:\Windows\System32\SXlkyHZ.exe
  2⤵
  PID:9084
- C:\Windows\System32\katogJD.exe
  C:\Windows\System32\katogJD.exe
  2⤵
  PID:9104
- C:\Windows\System32\FDwPPbh.exe
  C:\Windows\System32\FDwPPbh.exe
  2⤵
  PID:9136
- C:\Windows\System32\jBXYAqw.exe
  C:\Windows\System32\jBXYAqw.exe
  2⤵
  PID:9180
- C:\Windows\System32\rZFhWho.exe
  C:\Windows\System32\rZFhWho.exe
  2⤵
  PID:8020
- C:\Windows\System32\tCxItuQ.exe
  C:\Windows\System32\tCxItuQ.exe
  2⤵
  PID:8204
- C:\Windows\System32\NSHaGHV.exe
  C:\Windows\System32\NSHaGHV.exe
  2⤵
  PID:8252
- C:\Windows\System32\MbjQTWI.exe
  C:\Windows\System32\MbjQTWI.exe
  2⤵
  PID:8324
- C:\Windows\System32\cXgjVjg.exe
  C:\Windows\System32\cXgjVjg.exe
  2⤵
  PID:8412
- C:\Windows\System32\WEbsOoL.exe
  C:\Windows\System32\WEbsOoL.exe
  2⤵
  PID:8464
- C:\Windows\System32\eSwDfYn.exe
  C:\Windows\System32\eSwDfYn.exe
  2⤵
  PID:8500
- C:\Windows\System32\kmIkXEe.exe
  C:\Windows\System32\kmIkXEe.exe
  2⤵
  PID:8544
- C:\Windows\System32\GJypkNi.exe
  C:\Windows\System32\GJypkNi.exe
  2⤵
  PID:8652
- C:\Windows\System32\KsiycWu.exe
  C:\Windows\System32\KsiycWu.exe
  2⤵
  PID:8644
- C:\Windows\System32\AuGRggl.exe
  C:\Windows\System32\AuGRggl.exe
  2⤵
  PID:8768
- C:\Windows\System32\MLPCOCx.exe
  C:\Windows\System32\MLPCOCx.exe
  2⤵
  PID:8788
- C:\Windows\System32\HulELnW.exe
  C:\Windows\System32\HulELnW.exe
  2⤵
  PID:8916
- C:\Windows\System32\zKbEmsT.exe
  C:\Windows\System32\zKbEmsT.exe
  2⤵
  PID:8960
- C:\Windows\System32\oCkCwXO.exe
  C:\Windows\System32\oCkCwXO.exe
  2⤵
  PID:9020
- C:\Windows\System32\TmZJthB.exe
  C:\Windows\System32\TmZJthB.exe
  2⤵
  PID:9056
- C:\Windows\System32\aGMFxPj.exe
  C:\Windows\System32\aGMFxPj.exe
  2⤵
  PID:7452
- C:\Windows\System32\FgTAzHx.exe
  C:\Windows\System32\FgTAzHx.exe
  2⤵
  PID:8228
- C:\Windows\System32\TRqRBQi.exe
  C:\Windows\System32\TRqRBQi.exe
  2⤵
  PID:8356
- C:\Windows\System32\psbUEWm.exe
  C:\Windows\System32\psbUEWm.exe
  2⤵
  PID:8492
- C:\Windows\System32\MCUjATD.exe
  C:\Windows\System32\MCUjATD.exe
  2⤵
  PID:8748
- C:\Windows\System32\pwtOvte.exe
  C:\Windows\System32\pwtOvte.exe
  2⤵
  PID:8688
- C:\Windows\System32\Fqctjcj.exe
  C:\Windows\System32\Fqctjcj.exe
  2⤵
  PID:8848
- C:\Windows\System32\bjRgVMA.exe
  C:\Windows\System32\bjRgVMA.exe
  2⤵
  PID:8600
- C:\Windows\System32\yylFutl.exe
  C:\Windows\System32\yylFutl.exe
  2⤵
  PID:9296
- C:\Windows\System32\IMvzuLO.exe
  C:\Windows\System32\IMvzuLO.exe
  2⤵
  PID:9328
- C:\Windows\System32\jNyWelT.exe
  C:\Windows\System32\jNyWelT.exe
  2⤵
  PID:9344
- C:\Windows\System32\uXxXbfG.exe
  C:\Windows\System32\uXxXbfG.exe
  2⤵
  PID:9360
- C:\Windows\System32\ioZCWUC.exe
  C:\Windows\System32\ioZCWUC.exe
  2⤵
  PID:9376
- C:\Windows\System32\xPKLFUP.exe
  C:\Windows\System32\xPKLFUP.exe
  2⤵
  PID:9392
- C:\Windows\System32\pjJZewT.exe
  C:\Windows\System32\pjJZewT.exe
  2⤵
  PID:9408
- C:\Windows\System32\NJPypPM.exe
  C:\Windows\System32\NJPypPM.exe
  2⤵
  PID:9424
- C:\Windows\System32\gcUDugP.exe
  C:\Windows\System32\gcUDugP.exe
  2⤵
  PID:9440
- C:\Windows\System32\VSFTTAT.exe
  C:\Windows\System32\VSFTTAT.exe
  2⤵
  PID:9456
- C:\Windows\System32\EIYsbFX.exe
  C:\Windows\System32\EIYsbFX.exe
  2⤵
  PID:9476
- C:\Windows\System32\mGKAoFC.exe
  C:\Windows\System32\mGKAoFC.exe
  2⤵
  PID:9492
- C:\Windows\System32\GeEAFXo.exe
  C:\Windows\System32\GeEAFXo.exe
  2⤵
  PID:9508
- C:\Windows\System32\EYzSfmS.exe
  C:\Windows\System32\EYzSfmS.exe
  2⤵
  PID:9524
- C:\Windows\System32\nhrWcUB.exe
  C:\Windows\System32\nhrWcUB.exe
  2⤵
  PID:9540
- C:\Windows\System32\icHIOfY.exe
  C:\Windows\System32\icHIOfY.exe
  2⤵
  PID:9556
- C:\Windows\System32\ZHnYmvE.exe
  C:\Windows\System32\ZHnYmvE.exe
  2⤵
  PID:9572
- C:\Windows\System32\zDReWar.exe
  C:\Windows\System32\zDReWar.exe
  2⤵
  PID:9648
- C:\Windows\System32\arPSuQW.exe
  C:\Windows\System32\arPSuQW.exe
  2⤵
  PID:9772
- C:\Windows\System32\pPfhwRk.exe
  C:\Windows\System32\pPfhwRk.exe
  2⤵
  PID:9788
- C:\Windows\System32\OQPiHEm.exe
  C:\Windows\System32\OQPiHEm.exe
  2⤵
  PID:9828
- C:\Windows\System32\lXHkjDR.exe
  C:\Windows\System32\lXHkjDR.exe
  2⤵
  PID:9908
- C:\Windows\System32\ryoWHkB.exe
  C:\Windows\System32\ryoWHkB.exe
  2⤵
  PID:9924
- C:\Windows\System32\ZjmTmeV.exe
  C:\Windows\System32\ZjmTmeV.exe
  2⤵
  PID:9948
- C:\Windows\System32\HmWdNXL.exe
  C:\Windows\System32\HmWdNXL.exe
  2⤵
  PID:9988
- C:\Windows\System32\DsXyDaa.exe
  C:\Windows\System32\DsXyDaa.exe
  2⤵
  PID:10008
- C:\Windows\System32\xhEUyMX.exe
  C:\Windows\System32\xhEUyMX.exe
  2⤵
  PID:10044
- C:\Windows\System32\rcfqXNa.exe
  C:\Windows\System32\rcfqXNa.exe
  2⤵
  PID:10060
- C:\Windows\System32\KLKTNVv.exe
  C:\Windows\System32\KLKTNVv.exe
  2⤵
  PID:10088
- C:\Windows\System32\fGYPtap.exe
  C:\Windows\System32\fGYPtap.exe
  2⤵
  PID:10108
- C:\Windows\System32\pbGrPkm.exe
  C:\Windows\System32\pbGrPkm.exe
  2⤵
  PID:10124
- C:\Windows\System32\cPFinZF.exe
  C:\Windows\System32\cPFinZF.exe
  2⤵
  PID:10160
- C:\Windows\System32\XinDDEP.exe
  C:\Windows\System32\XinDDEP.exe
  2⤵
  PID:10196
- C:\Windows\System32\lSYJUuj.exe
  C:\Windows\System32\lSYJUuj.exe
  2⤵
  PID:10216
- C:\Windows\System32\JJOzxKA.exe
  C:\Windows\System32\JJOzxKA.exe
  2⤵
  PID:9160
- C:\Windows\System32\asOAgmB.exe
  C:\Windows\System32\asOAgmB.exe
  2⤵
  PID:9220
- C:\Windows\System32\igxJvmT.exe
  C:\Windows\System32\igxJvmT.exe
  2⤵
  PID:8584
- C:\Windows\System32\MJmpnYL.exe
  C:\Windows\System32\MJmpnYL.exe
  2⤵
  PID:8860
- C:\Windows\System32\bHUWNHr.exe
  C:\Windows\System32\bHUWNHr.exe
  2⤵
  PID:9240
- C:\Windows\System32\CCgXtmK.exe
  C:\Windows\System32\CCgXtmK.exe
  2⤵
  PID:9356
- C:\Windows\System32\qLaPfxJ.exe
  C:\Windows\System32\qLaPfxJ.exe
  2⤵
  PID:9312
- C:\Windows\System32\yeVHDuD.exe
  C:\Windows\System32\yeVHDuD.exe
  2⤵
  PID:9372
- C:\Windows\System32\AtpkPyp.exe
  C:\Windows\System32\AtpkPyp.exe
  2⤵
  PID:9552
- C:\Windows\System32\wblssHg.exe
  C:\Windows\System32\wblssHg.exe
  2⤵
  PID:9416
- C:\Windows\System32\VoVkDFt.exe
  C:\Windows\System32\VoVkDFt.exe
  2⤵
  PID:9588
- C:\Windows\System32\oKobrZs.exe
  C:\Windows\System32\oKobrZs.exe
  2⤵
  PID:9800
- C:\Windows\System32\dHzmvBA.exe
  C:\Windows\System32\dHzmvBA.exe
  2⤵
  PID:9728
- C:\Windows\System32\FJPCupQ.exe
  C:\Windows\System32\FJPCupQ.exe
  2⤵
  PID:9748
- C:\Windows\System32\ZOJmJUD.exe
  C:\Windows\System32\ZOJmJUD.exe
  2⤵
  PID:9824
- C:\Windows\System32\udIcGhR.exe
  C:\Windows\System32\udIcGhR.exe
  2⤵
  PID:9944
- C:\Windows\System32\ovIDtds.exe
  C:\Windows\System32\ovIDtds.exe
  2⤵
  PID:10020
- C:\Windows\System32\CseWqQO.exe
  C:\Windows\System32\CseWqQO.exe
  2⤵
  PID:10132
- C:\Windows\System32\cqOPJwZ.exe
  C:\Windows\System32\cqOPJwZ.exe
  2⤵
  PID:10180
- C:\Windows\System32\JgVinMZ.exe
  C:\Windows\System32\JgVinMZ.exe
  2⤵
  PID:10188
- C:\Windows\System32\vIsJoYe.exe
  C:\Windows\System32\vIsJoYe.exe
  2⤵
  PID:9252
- C:\Windows\System32\zvjCcMI.exe
  C:\Windows\System32\zvjCcMI.exe
  2⤵
  PID:9144
- C:\Windows\System32\aReecTU.exe
  C:\Windows\System32\aReecTU.exe
  2⤵
  PID:9288
- C:\Windows\System32\UQYqDth.exe
  C:\Windows\System32\UQYqDth.exe
  2⤵
  PID:9436
- C:\Windows\System32\iGYcWZC.exe
  C:\Windows\System32\iGYcWZC.exe
  2⤵
  PID:9548
- C:\Windows\System32\VwVGlKF.exe
  C:\Windows\System32\VwVGlKF.exe
  2⤵
  PID:9692
- C:\Windows\System32\IzfTqQH.exe
  C:\Windows\System32\IzfTqQH.exe
  2⤵
  PID:9744
- C:\Windows\System32\GRDnrha.exe
  C:\Windows\System32\GRDnrha.exe
  2⤵
  PID:10224
- C:\Windows\System32\pdEwAcx.exe
  C:\Windows\System32\pdEwAcx.exe
  2⤵
  PID:9320
- C:\Windows\System32\FtnLxqa.exe
  C:\Windows\System32\FtnLxqa.exe
  2⤵
  PID:8200
- C:\Windows\System32\gdQSmlw.exe
  C:\Windows\System32\gdQSmlw.exe
  2⤵
  PID:9936
- C:\Windows\System32\GOfrqmr.exe
  C:\Windows\System32\GOfrqmr.exe
  2⤵
  PID:9340
- C:\Windows\System32\OxbkHLE.exe
  C:\Windows\System32\OxbkHLE.exe
  2⤵
  PID:9784
- C:\Windows\System32\XEVVyey.exe
  C:\Windows\System32\XEVVyey.exe
  2⤵
  PID:10256
- C:\Windows\System32\PTQNtps.exe
  C:\Windows\System32\PTQNtps.exe
  2⤵
  PID:10292
- C:\Windows\System32\nIrHiDY.exe
  C:\Windows\System32\nIrHiDY.exe
  2⤵
  PID:10320
- C:\Windows\System32\gZAUTXv.exe
  C:\Windows\System32\gZAUTXv.exe
  2⤵
  PID:10344
- C:\Windows\System32\OcgHMJC.exe
  C:\Windows\System32\OcgHMJC.exe
  2⤵
  PID:10360
- C:\Windows\System32\gOjaNeD.exe
  C:\Windows\System32\gOjaNeD.exe
  2⤵
  PID:10384
- C:\Windows\System32\vEMNsKC.exe
  C:\Windows\System32\vEMNsKC.exe
  2⤵
  PID:10416
- C:\Windows\System32\KizyUuJ.exe
  C:\Windows\System32\KizyUuJ.exe
  2⤵
  PID:10468
- C:\Windows\System32\sktncpW.exe
  C:\Windows\System32\sktncpW.exe
  2⤵
  PID:10496
- C:\Windows\System32\qeGmnxb.exe
  C:\Windows\System32\qeGmnxb.exe
  2⤵
  PID:10520
- C:\Windows\System32\CKxeNZX.exe
  C:\Windows\System32\CKxeNZX.exe
  2⤵
  PID:10536
- C:\Windows\System32\aXZrRiR.exe
  C:\Windows\System32\aXZrRiR.exe
  2⤵
  PID:10560
- C:\Windows\System32\uTvStZw.exe
  C:\Windows\System32\uTvStZw.exe
  2⤵
  PID:10588
- C:\Windows\System32\bemXqNq.exe
  C:\Windows\System32\bemXqNq.exe
  2⤵
  PID:10640
- C:\Windows\System32\xgQLbOh.exe
  C:\Windows\System32\xgQLbOh.exe
  2⤵
  PID:10668
- C:\Windows\System32\CSdSRIF.exe
  C:\Windows\System32\CSdSRIF.exe
  2⤵
  PID:10692
- C:\Windows\System32\vJMqYsE.exe
  C:\Windows\System32\vJMqYsE.exe
  2⤵
  PID:10716
- C:\Windows\System32\tGjXjsh.exe
  C:\Windows\System32\tGjXjsh.exe
  2⤵
  PID:10736
- C:\Windows\System32\tjetfnf.exe
  C:\Windows\System32\tjetfnf.exe
  2⤵
  PID:10764
- C:\Windows\System32\sDBEegD.exe
  C:\Windows\System32\sDBEegD.exe
  2⤵
  PID:10796
- C:\Windows\System32\qOMWnGY.exe
  C:\Windows\System32\qOMWnGY.exe
  2⤵
  PID:10816
- C:\Windows\System32\raKIpQk.exe
  C:\Windows\System32\raKIpQk.exe
  2⤵
  PID:10832
- C:\Windows\System32\jWXuCjf.exe
  C:\Windows\System32\jWXuCjf.exe
  2⤵
  PID:10856
- C:\Windows\System32\rWnnjeh.exe
  C:\Windows\System32\rWnnjeh.exe
  2⤵
  PID:10896
- C:\Windows\System32\RShUrse.exe
  C:\Windows\System32\RShUrse.exe
  2⤵
  PID:10944
- C:\Windows\System32\VsCIqLR.exe
  C:\Windows\System32\VsCIqLR.exe
  2⤵
  PID:10976
- C:\Windows\System32\sEVlCKA.exe
  C:\Windows\System32\sEVlCKA.exe
  2⤵
  PID:10992
- C:\Windows\System32\aCQbeaT.exe
  C:\Windows\System32\aCQbeaT.exe
  2⤵
  PID:11008
- C:\Windows\System32\pJZVbAN.exe
  C:\Windows\System32\pJZVbAN.exe
  2⤵
  PID:11056
- C:\Windows\System32\rIETKbX.exe
  C:\Windows\System32\rIETKbX.exe
  2⤵
  PID:11076
- C:\Windows\System32\qIdykmH.exe
  C:\Windows\System32\qIdykmH.exe
  2⤵
  PID:11104
- C:\Windows\System32\pVqfAPy.exe
  C:\Windows\System32\pVqfAPy.exe
  2⤵
  PID:11120
- C:\Windows\System32\HxlPPnE.exe
  C:\Windows\System32\HxlPPnE.exe
  2⤵
  PID:11176
- C:\Windows\System32\sYzSDaC.exe
  C:\Windows\System32\sYzSDaC.exe
  2⤵
  PID:11200
- C:\Windows\System32\gtQsTmF.exe
  C:\Windows\System32\gtQsTmF.exe
  2⤵
  PID:11224
- C:\Windows\System32\MYfDYal.exe
  C:\Windows\System32\MYfDYal.exe
  2⤵
  PID:11240
- C:\Windows\System32\jLQWqXY.exe
  C:\Windows\System32\jLQWqXY.exe
  2⤵
  PID:11260
- C:\Windows\System32\VyjviBh.exe
  C:\Windows\System32\VyjviBh.exe
  2⤵
  PID:9244
- C:\Windows\System32\AmbLdbi.exe
  C:\Windows\System32\AmbLdbi.exe
  2⤵
  PID:10312
- C:\Windows\System32\tjCyLzG.exe
  C:\Windows\System32\tjCyLzG.exe
  2⤵
  PID:10372
- C:\Windows\System32\YfAeurZ.exe
  C:\Windows\System32\YfAeurZ.exe
  2⤵
  PID:10480
- C:\Windows\System32\orNBhsP.exe
  C:\Windows\System32\orNBhsP.exe
  2⤵
  PID:10548
- C:\Windows\System32\ahIAlCH.exe
  C:\Windows\System32\ahIAlCH.exe
  2⤵
  PID:10676
- C:\Windows\System32\pZvMZcM.exe
  C:\Windows\System32\pZvMZcM.exe
  2⤵
  PID:10700
- C:\Windows\System32\MwdsRnO.exe
  C:\Windows\System32\MwdsRnO.exe
  2⤵
  PID:10756
- C:\Windows\System32\xUMEZqm.exe
  C:\Windows\System32\xUMEZqm.exe
  2⤵
  PID:10784
- C:\Windows\System32\TCpFvml.exe
  C:\Windows\System32\TCpFvml.exe
  2⤵
  PID:10824
- C:\Windows\System32\NItVpML.exe
  C:\Windows\System32\NItVpML.exe
  2⤵
  PID:10884
- C:\Windows\System32\EmRZXAC.exe
  C:\Windows\System32\EmRZXAC.exe
  2⤵
  PID:11004
- C:\Windows\System32\vmJijfE.exe
  C:\Windows\System32\vmJijfE.exe
  2⤵
  PID:11112
- C:\Windows\System32\jKwuePk.exe
  C:\Windows\System32\jKwuePk.exe
  2⤵
  PID:11152
- C:\Windows\System32\mHVfSYh.exe
  C:\Windows\System32\mHVfSYh.exe
  2⤵
  PID:11188
- C:\Windows\System32\CjMHnHo.exe
  C:\Windows\System32\CjMHnHo.exe
  2⤵
  PID:11248
- C:\Windows\System32\ShjOUGp.exe
  C:\Windows\System32\ShjOUGp.exe
  2⤵
  PID:10376
- C:\Windows\System32\sYjsPAm.exe
  C:\Windows\System32\sYjsPAm.exe
  2⤵
  PID:10412
- C:\Windows\System32\wvMjfjf.exe
  C:\Windows\System32\wvMjfjf.exe
  2⤵
  PID:10532
- C:\Windows\System32\EtTHQcG.exe
  C:\Windows\System32\EtTHQcG.exe
  2⤵
  PID:10620
- C:\Windows\System32\JbosKqv.exe
  C:\Windows\System32\JbosKqv.exe
  2⤵
  PID:10724
- C:\Windows\System32\eXOBBbd.exe
  C:\Windows\System32\eXOBBbd.exe
  2⤵
  PID:10808
- C:\Windows\System32\eEbBTXx.exe
  C:\Windows\System32\eEbBTXx.exe
  2⤵
  PID:10964
- C:\Windows\System32\UjtClOs.exe
  C:\Windows\System32\UjtClOs.exe
  2⤵
  PID:11220
- C:\Windows\System32\RKZBYUx.exe
  C:\Windows\System32\RKZBYUx.exe
  2⤵
  PID:10912
- C:\Windows\System32\BPVoamt.exe
  C:\Windows\System32\BPVoamt.exe
  2⤵
  PID:9388
- C:\Windows\System32\jvSuIOO.exe
  C:\Windows\System32\jvSuIOO.exe
  2⤵
  PID:11236
- C:\Windows\System32\UdGuntA.exe
  C:\Windows\System32\UdGuntA.exe
  2⤵
  PID:11280
- C:\Windows\System32\BkCgXMH.exe
  C:\Windows\System32\BkCgXMH.exe
  2⤵
  PID:11296
- C:\Windows\System32\hDlVRNv.exe
  C:\Windows\System32\hDlVRNv.exe
  2⤵
  PID:11316
- C:\Windows\System32\nZgsJqe.exe
  C:\Windows\System32\nZgsJqe.exe
  2⤵
  PID:11340
- C:\Windows\System32\jSngXtx.exe
  C:\Windows\System32\jSngXtx.exe
  2⤵
  PID:11360
- C:\Windows\System32\zOfbELu.exe
  C:\Windows\System32\zOfbELu.exe
  2⤵
  PID:11376
- C:\Windows\System32\ySGvUhq.exe
  C:\Windows\System32\ySGvUhq.exe
  2⤵
  PID:11400
- C:\Windows\System32\GndYHHk.exe
  C:\Windows\System32\GndYHHk.exe
  2⤵
  PID:11416
- C:\Windows\System32\tUIJFtB.exe
  C:\Windows\System32\tUIJFtB.exe
  2⤵
  PID:11456
- C:\Windows\System32\PtzLRFY.exe
  C:\Windows\System32\PtzLRFY.exe
  2⤵
  PID:11472
- C:\Windows\System32\QuRcwnu.exe
  C:\Windows\System32\QuRcwnu.exe
  2⤵
  PID:11496
- C:\Windows\System32\ZCvZTHQ.exe
  C:\Windows\System32\ZCvZTHQ.exe
  2⤵
  PID:11564
- C:\Windows\System32\QJDIIQl.exe
  C:\Windows\System32\QJDIIQl.exe
  2⤵
  PID:11628
- C:\Windows\System32\AruclTP.exe
  C:\Windows\System32\AruclTP.exe
  2⤵
  PID:11644
- C:\Windows\System32\NMuVksT.exe
  C:\Windows\System32\NMuVksT.exe
  2⤵
  PID:11660
- C:\Windows\System32\kkxKflk.exe
  C:\Windows\System32\kkxKflk.exe
  2⤵
  PID:11688
- C:\Windows\System32\JENOarn.exe
  C:\Windows\System32\JENOarn.exe
  2⤵
  PID:11708
- C:\Windows\System32\wvZYrRJ.exe
  C:\Windows\System32\wvZYrRJ.exe
  2⤵
  PID:11732
- C:\Windows\System32\IMdUARs.exe
  C:\Windows\System32\IMdUARs.exe
  2⤵
  PID:11752
- C:\Windows\System32\BxSZvXY.exe
  C:\Windows\System32\BxSZvXY.exe
  2⤵
  PID:11768
- C:\Windows\System32\KcEpQMg.exe
  C:\Windows\System32\KcEpQMg.exe
  2⤵
  PID:11792
- C:\Windows\System32\bXOgWdL.exe
  C:\Windows\System32\bXOgWdL.exe
  2⤵
  PID:11808
- C:\Windows\System32\zmVdQMT.exe
  C:\Windows\System32\zmVdQMT.exe
  2⤵
  PID:11872
- C:\Windows\System32\jGIPjUM.exe
  C:\Windows\System32\jGIPjUM.exe
  2⤵
  PID:11912
- C:\Windows\System32\SeHspWh.exe
  C:\Windows\System32\SeHspWh.exe
  2⤵
  PID:11932
- C:\Windows\System32\ZsRUPRk.exe
  C:\Windows\System32\ZsRUPRk.exe
  2⤵
  PID:11980
- C:\Windows\System32\weWwAOJ.exe
  C:\Windows\System32\weWwAOJ.exe
  2⤵
  PID:12004
- C:\Windows\System32\WSetxvP.exe
  C:\Windows\System32\WSetxvP.exe
  2⤵
  PID:12020
- C:\Windows\System32\zSMAzka.exe
  C:\Windows\System32\zSMAzka.exe
  2⤵
  PID:12036
- C:\Windows\System32\eLoZOia.exe
  C:\Windows\System32\eLoZOia.exe
  2⤵
  PID:12084
- C:\Windows\System32\QJJCguX.exe
  C:\Windows\System32\QJJCguX.exe
  2⤵
  PID:12120
- C:\Windows\System32\vNFTDkB.exe
  C:\Windows\System32\vNFTDkB.exe
  2⤵
  PID:12144
- C:\Windows\System32\fPYxsHS.exe
  C:\Windows\System32\fPYxsHS.exe
  2⤵
  PID:12160
- C:\Windows\System32\zvVDPnR.exe
  C:\Windows\System32\zvVDPnR.exe
  2⤵
  PID:12184
- C:\Windows\System32\rCCpFEC.exe
  C:\Windows\System32\rCCpFEC.exe
  2⤵
  PID:12208
- C:\Windows\System32\JmMiZAB.exe
  C:\Windows\System32\JmMiZAB.exe
  2⤵
  PID:12236
- C:\Windows\System32\WGHlHRo.exe
  C:\Windows\System32\WGHlHRo.exe
  2⤵
  PID:12264
- C:\Windows\System32\IWdFjoH.exe
  C:\Windows\System32\IWdFjoH.exe
  2⤵
  PID:10744
- C:\Windows\System32\UAZLfci.exe
  C:\Windows\System32\UAZLfci.exe
  2⤵
  PID:11348
- C:\Windows\System32\sspISFD.exe
  C:\Windows\System32\sspISFD.exe
  2⤵
  PID:11396
- C:\Windows\System32\jtobKKS.exe
  C:\Windows\System32\jtobKKS.exe
  2⤵
  PID:11524
- C:\Windows\System32\UCPfbst.exe
  C:\Windows\System32\UCPfbst.exe
  2⤵
  PID:11512
- C:\Windows\System32\XBSYBtu.exe
  C:\Windows\System32\XBSYBtu.exe
  2⤵
  PID:11508
- C:\Windows\System32\UVTQsXC.exe
  C:\Windows\System32\UVTQsXC.exe
  2⤵
  PID:11608
- C:\Windows\System32\lyJmkjF.exe
  C:\Windows\System32\lyJmkjF.exe
  2⤵
  PID:11672
- C:\Windows\System32\MYMIqwJ.exe
  C:\Windows\System32\MYMIqwJ.exe
  2⤵
  PID:11784
- C:\Windows\System32\RZYHvsW.exe
  C:\Windows\System32\RZYHvsW.exe
  2⤵
  PID:11888
- C:\Windows\System32\UIlDmAe.exe
  C:\Windows\System32\UIlDmAe.exe
  2⤵
  PID:11928
- C:\Windows\System32\KFsixwM.exe
  C:\Windows\System32\KFsixwM.exe
  2⤵
  PID:12016
- C:\Windows\System32\AZvJFCF.exe
  C:\Windows\System32\AZvJFCF.exe
  2⤵
  PID:12056
- C:\Windows\System32\gpbfKef.exe
  C:\Windows\System32\gpbfKef.exe
  2⤵
  PID:12100
- C:\Windows\System32\RvHfBXf.exe
  C:\Windows\System32\RvHfBXf.exe
  2⤵
  PID:12168
- C:\Windows\System32\CrTEBPl.exe
  C:\Windows\System32\CrTEBPl.exe
  2⤵
  PID:12216
- C:\Windows\System32\WHqzqVj.exe
  C:\Windows\System32\WHqzqVj.exe
  2⤵
  PID:12256
- C:\Windows\System32\RuZCPYr.exe
  C:\Windows\System32\RuZCPYr.exe
  2⤵
  PID:1104
- C:\Windows\System32\jvnqsKx.exe
  C:\Windows\System32\jvnqsKx.exe
  2⤵
  PID:4344
- C:\Windows\System32\bfWqFOK.exe
  C:\Windows\System32\bfWqFOK.exe
  2⤵
  PID:11428
- C:\Windows\System32\gfMlHRD.exe
  C:\Windows\System32\gfMlHRD.exe
  2⤵
  PID:11572
- C:\Windows\System32\ieeKAkK.exe
  C:\Windows\System32\ieeKAkK.exe
  2⤵
  PID:11652
- C:\Windows\System32\GBAgUSM.exe
  C:\Windows\System32\GBAgUSM.exe
  2⤵
  PID:11976
- C:\Windows\System32\RrVypfo.exe
  C:\Windows\System32\RrVypfo.exe
  2⤵
  PID:12044
- C:\Windows\System32\iMWuMWR.exe
  C:\Windows\System32\iMWuMWR.exe
  2⤵
  PID:12128
- C:\Windows\System32\SQKVWHw.exe
  C:\Windows\System32\SQKVWHw.exe
  2⤵
  PID:3364
- C:\Windows\System32\JcZYAJJ.exe
  C:\Windows\System32\JcZYAJJ.exe
  2⤵
  PID:11272
- C:\Windows\System32\kIEsVmh.exe
  C:\Windows\System32\kIEsVmh.exe
  2⤵
  PID:11484
- C:\Windows\System32\lBHjsvj.exe
  C:\Windows\System32\lBHjsvj.exe
  2⤵
  PID:11988
- C:\Windows\System32\irLxKCx.exe
  C:\Windows\System32\irLxKCx.exe
  2⤵
  PID:12232
- C:\Windows\System32\aClyAkr.exe
  C:\Windows\System32\aClyAkr.exe
  2⤵
  PID:11308
- C:\Windows\System32\HLRVdZZ.exe
  C:\Windows\System32\HLRVdZZ.exe
  2⤵
  PID:11908
- C:\Windows\System32\VPLGmDU.exe
  C:\Windows\System32\VPLGmDU.exe
  2⤵
  PID:2720
- C:\Windows\System32\PSfUIZL.exe
  C:\Windows\System32\PSfUIZL.exe
  2⤵
  PID:12320
- C:\Windows\System32\fgGqPxU.exe
  C:\Windows\System32\fgGqPxU.exe
  2⤵
  PID:12340
- C:\Windows\System32\uUEUQTv.exe
  C:\Windows\System32\uUEUQTv.exe
  2⤵
  PID:12364
- C:\Windows\System32\TfLdGpc.exe
  C:\Windows\System32\TfLdGpc.exe
  2⤵
  PID:12380
- C:\Windows\System32\tmksNsU.exe
  C:\Windows\System32\tmksNsU.exe
  2⤵
  PID:12404
- C:\Windows\System32\AShKffa.exe
  C:\Windows\System32\AShKffa.exe
  2⤵
  PID:12424
- C:\Windows\System32\vKgGqgT.exe
  C:\Windows\System32\vKgGqgT.exe
  2⤵
  PID:12448
- C:\Windows\System32\pNLoNsT.exe
  C:\Windows\System32\pNLoNsT.exe
  2⤵
  PID:12500
- C:\Windows\System32\bvfbEyR.exe
  C:\Windows\System32\bvfbEyR.exe
  2⤵
  PID:12568
- C:\Windows\System32\ECgmNPQ.exe
  C:\Windows\System32\ECgmNPQ.exe
  2⤵
  PID:12592
- C:\Windows\System32\OXrwhsp.exe
  C:\Windows\System32\OXrwhsp.exe
  2⤵
  PID:12616
- C:\Windows\System32\KUadqne.exe
  C:\Windows\System32\KUadqne.exe
  2⤵
  PID:12636
- C:\Windows\System32\raoIrjg.exe
  C:\Windows\System32\raoIrjg.exe
  2⤵
  PID:12684
- C:\Windows\System32\yjQIpaT.exe
  C:\Windows\System32\yjQIpaT.exe
  2⤵
  PID:12704
- C:\Windows\System32\mETgYDN.exe
  C:\Windows\System32\mETgYDN.exe
  2⤵
  PID:12720
- C:\Windows\System32\fJunVpN.exe
  C:\Windows\System32\fJunVpN.exe
  2⤵
  PID:12752
- C:\Windows\System32\CHChljN.exe
  C:\Windows\System32\CHChljN.exe
  2⤵
  PID:12776
- C:\Windows\System32\xBNiIYM.exe
  C:\Windows\System32\xBNiIYM.exe
  2⤵
  PID:12804
- C:\Windows\System32\HznCUQu.exe
  C:\Windows\System32\HznCUQu.exe
  2⤵
  PID:12844
- C:\Windows\System32\PDeBvpr.exe
  C:\Windows\System32\PDeBvpr.exe
  2⤵
  PID:12868
- C:\Windows\System32\ouYCVxK.exe
  C:\Windows\System32\ouYCVxK.exe
  2⤵
  PID:12888
- C:\Windows\System32\BYBiXzN.exe
  C:\Windows\System32\BYBiXzN.exe
  2⤵
  PID:12920
- C:\Windows\System32\fiRHKuk.exe
  C:\Windows\System32\fiRHKuk.exe
  2⤵
  PID:12936
- C:\Windows\System32\hHmtpMz.exe
  C:\Windows\System32\hHmtpMz.exe
  2⤵
  PID:12964
- C:\Windows\System32\ogXbXgc.exe
  C:\Windows\System32\ogXbXgc.exe
  2⤵
  PID:12988
- C:\Windows\System32\aEiPNyU.exe
  C:\Windows\System32\aEiPNyU.exe
  2⤵
  PID:13004
- C:\Windows\System32\LSMIfai.exe
  C:\Windows\System32\LSMIfai.exe
  2⤵
  PID:13060
- C:\Windows\System32\MRoUyRN.exe
  C:\Windows\System32\MRoUyRN.exe
  2⤵
  PID:13096
- C:\Windows\System32\acdxJZt.exe
  C:\Windows\System32\acdxJZt.exe
  2⤵
  PID:13112
- C:\Windows\System32\mBtjDhU.exe
  C:\Windows\System32\mBtjDhU.exe
  2⤵
  PID:13128
- C:\Windows\System32\SNBsTYc.exe
  C:\Windows\System32\SNBsTYc.exe
  2⤵
  PID:13148
- C:\Windows\System32\vTYFlic.exe
  C:\Windows\System32\vTYFlic.exe
  2⤵
  PID:13176
- C:\Windows\System32\qqRLpTD.exe
  C:\Windows\System32\qqRLpTD.exe
  2⤵
  PID:13212
- C:\Windows\System32\AwXTtMN.exe
  C:\Windows\System32\AwXTtMN.exe
  2⤵
  PID:13228
- C:\Windows\System32\OAgpgcg.exe
  C:\Windows\System32\OAgpgcg.exe
  2⤵
  PID:13264

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AtVOKbE.exe

Filesize
986KB

MD5
80b3c91fe5aeb8296c8db715aa6302a3

SHA1
49e0e20af45c63aa10c3f412ad2611d04efb8136

SHA256
308053c9aeca50065d75e775b63ad6071c0b8b73ff5c256900c3311d99891360

SHA512
53ab5570b060c8ffe1546cca5e21e8e7746ccd97d0de086d99a84dcbe40b7258c0c44743c3cb80a079955b7cbd94c6857544aaf4227be63aaba989549008e5f7

Download Submit
C:\Windows\System32\BgNDbPC.exe

Filesize
979KB

MD5
11315dfc9293aa6bb6d44513ab5cf154

SHA1
9ba8ee92109b9fc1ed69264d2f181660a62f35ec

SHA256
29b9c430db6e02fa2c192f2f3ecd4547bc4e747d6255a1dd4e158e6d7db5d474

SHA512
a3cd3e2427e1470499c6ae103da66fdeeaa055bbe0dd168c8257d5ea64e9f49f6f2b9733161bf0d788d4214a2e29a972b86b0d4d211e785a08c7dd92b52afd62

Download Submit
C:\Windows\System32\HuvKOLA.exe

Filesize
980KB

MD5
6934b0087dfc6743ee719d07249b3e63

SHA1
e0c684ed81cdc2c0b4a78260861712f969b2dfae

SHA256
1a598186b4b9835c97f66fec04224069de993105e49896e5c4c6249864732181

SHA512
f4410d742f6248ce764e5a3962ef5510175fa7b844239ae37457815b88b1ec45a4e2f0b0819105072376048055fb45f1668ffcd2064f15e723f88307fbfabb6e

Download Submit
C:\Windows\System32\JlwlIZw.exe

Filesize
984KB

MD5
92d23e87fee0e99e02385ffbc8254bb9

SHA1
a5dd97d89de5c8c525184b9d39a316726fcbd0c9

SHA256
fd95708328e6da3f6653c06c0aac8e04ce49ef8219e0e5a5d26f80cb5e66ff09

SHA512
ae6f72ac137bf7ed8f2f26536967b72b99891d6b7d7a093a8019a331bc28ca62878652ae6481239d0d38689c8a57df758abc2c57a7f4b06d9edb4a7e52239204

Download Submit
C:\Windows\System32\NUQEpDi.exe

Filesize
985KB

MD5
1965a97dcdce4168592621537e754520

SHA1
ef2d660ed5cc9a637b3d08a5d1ea657793085a4f

SHA256
6484dfa2734a4fd5a4ee343ab01eada40554a968fe656e92779fd87c81666131

SHA512
338be49674c95045c36b0a8569b71c3cd959cb5c213c40b0647d30f552c13400da60e0cc2ca80656f40ba93f8573e8af791ec1fd5bdf555b2202479ee9e264f1

Download Submit
C:\Windows\System32\PFInHtQ.exe

Filesize
983KB

MD5
8bf19611a7a82e6303243db8c0e673f8

SHA1
e2edf755d7e51021368b7b63dda85d8cc0d5ac14

SHA256
7f577e85bd0ae21d4f25315b0c6d8f117ec25ce44915ef475e309cc9f51345c0

SHA512
b4839548bf8d1ebd222f447f850cefb91e47718a826344fd7fd641e84789ff461ded5f363688bb6adc401fbf8567a0cb314910039d9adb7b8ea8257459276c52

Download Submit
C:\Windows\System32\RwDcLvd.exe

Filesize
981KB

MD5
75e6fe00f189991ee36732b5bddc2bdd

SHA1
96d6da2c1a2c5c6875f996533a4b3e6cbcac73c9

SHA256
d3c68fca9eb0d11ddf8b728af59f6f476cd687a4a3c8b6e9c6cc3c29c604190b

SHA512
d92bd207513d9009aae89a248ece0613feb2e59f1ee28a03958fa33f5d2f375b18e55a21c7a5db1f3a5589f4f90aefdc2200a3fc61de747b180f2f72fe331c42

Download Submit
C:\Windows\System32\SJYWajL.exe

Filesize
986KB

MD5
b1944ffce1a3184fbc02c6a6415d15c9

SHA1
b1672a8d2369d9aaaeba4ea467ea7643f61a0f19

SHA256
7e5f2cdf79fb2d89940a799872618e76ea49517552dc95aa135a318cd2011dfe

SHA512
e2c747ae57111ea58bda8e48f32a146abff7e7be7b6dcd6d7ba1380a90c84214870135453178ec27375df8879345195dfc2611bad8daa20c9eea545fafb969e8

Download Submit
C:\Windows\System32\SXsHcwa.exe

Filesize
986KB

MD5
358118066c3cac668d9d675b0e6991e1

SHA1
5897e493e9aed9afbb20f2e3c63d28d3787fdca9

SHA256
965b4a58933362ce5ef71ae4b1a95c2f5202221ba29a2453e7b0b644f1a5bac0

SHA512
71213705f4aa6b3fea83167ee1a49ec9acf164cf683028b965d942dee613c4530603bc2b88e781ba72e6b57ba85f339ec5ab3d146e178a44ef37f0b2eee156c4

Download Submit
C:\Windows\System32\TLJVkmn.exe

Filesize
980KB

MD5
85a9d40aeb6b998584e6b97e8228fc81

SHA1
5f662506248e6c00ab988a3286642d025197b53f

SHA256
b6736539f08b61799d359a721c39db43726103aaa032377e0e3605e68ae575e0

SHA512
8d219e87b38013dcbbe5f8f49b57f4f6d6b7d2720c521c28caa078fe5fedb533e2310466a8be954ca439949347ec0b1d35489d9faa58dfe7766eeb8a0fd12af2

Download Submit
C:\Windows\System32\TxPtjJG.exe

Filesize
980KB

MD5
1960a039fa29e096d17bf9cba59f6c3f

SHA1
8b3bd4ab9deb6e43700979e2300b0cc78e066c5c

SHA256
41b2340f434dc37ebf283be60faed854e21ced0e05444e7cb0beb588ca5f4bc7

SHA512
cfa8b19dabb0466e5127b989580af93f67b78cfbe3594dc3954de8f2635364da4de010efa55301ba24429622c931fb35ddf417eb4b1ca73a82ba58d68103e27f

Download Submit
C:\Windows\System32\VJSJZqX.exe

Filesize
985KB

MD5
dca8129877ae5993c5ed0ce7e3dbfd25

SHA1
22aa37c28440138e12f98abe13a46263da49b228

SHA256
2f7e9105ec16858af93939b8ae44e1f6c682a5f79bc67c092942d26c146d3a02

SHA512
5c2a83f64e0d184196be3d9d2d7f69255bad8c487f5319ff55e251ef3c658749447787f8224f0f47c0b5159f5b340b42bd17437c921e72de1e434391cd95643a

Download Submit
C:\Windows\System32\VwCZUrv.exe

Filesize
983KB

MD5
4ce7f78286deab277bd596b31c00c1ae

SHA1
cf3dc86bc2fb791a84fcaec7f6a48a99e61803bc

SHA256
caebeb2681a1f28dbde87f718b21c60938eb378b46c119ff7894df8d777c67e2

SHA512
e56003e5f8ac7deee76e7a6832ac6140b05ba108e504bf962aadcaeb75610973f9cc3ef41a6aa3872ccc3e26584b26cff67e6e5604f8670cbf3e82ee6002348a

Download Submit
C:\Windows\System32\WeCudKT.exe

Filesize
984KB

MD5
2e5e5c476af8b0f847e78cf68d49bf66

SHA1
ccad2f4843c2a4b08d4fb238e18b32abd863a971

SHA256
054aa9dd9113edc9070b9ca70d78fd420572ef8b86112f8f405060f21e1bad1b

SHA512
4be36ed03890122dca9d87a65d4061e727a1dab478b2351294b443eef54558b993816e83f7c05fa6f6442d202f77a041a8362747b2e13b07ec840e54cbac3b24

Download Submit
C:\Windows\System32\XaDRFKZ.exe

Filesize
985KB

MD5
257ae3243824acaa2155914520d51ede

SHA1
49449f4c49eaf459102ab7f105263e60873ddb43

SHA256
bfa311ce3ede86f3b6b61a79d196a8661c95afa4b0a9fe524e65aafb965f5d94

SHA512
e9c9bc6b84a1ac457152d09ab019723650005baf13aff90443eb8bf44d02381b5c85109f5e38dda6fab6ba63f714efec369528d30951f14fe803a55aaaf7c8ee

Download Submit
C:\Windows\System32\bAsVPPk.exe

Filesize
983KB

MD5
ab674d94afc923ef1351f131e349c8f9

SHA1
1ffe4218452c2da3a7ec4a01167a898f15de6595

SHA256
69f8ab01f0ff07192b0cafd5fb120ad6dcfb74b1f8b8b95461a68146662c63d7

SHA512
e474fb40fb379ee74924b3b3fc3d4382f98934b173d6017a1752402bf946186781ef437d183250a23321b31796879838db9f1d6d4a0bdc4a98710c516efc9fe7

Download Submit
C:\Windows\System32\cGqyama.exe

Filesize
984KB

MD5
b57f7019ed1c844dfcb63328aa33828e

SHA1
acea628652cfee763fbef12afa91f4cd071ff12f

SHA256
c8f1bf0d777afbd0ad4be0f28234991dceb251c62e6844b7377fa9d7bdb7e90c

SHA512
b23eb2d8bb49dd893c1976f4f854a7c9b99234f8ff400f7f85137ea09eaab9a48e36c1d32c7ee2dc576ee15594e0c3e60b65d2492d331e9ea182396f1e165881

Download Submit
C:\Windows\System32\ccemWWt.exe

Filesize
979KB

MD5
25740017b2a07c8754ab495cd5bee7b0

SHA1
16c953e1c2df9e53aa28b1e929f67684aa0d3d7b

SHA256
81265b00acc3235a748456a447d9d55ea3fe31dae54c5c72fb346369ebb4f5a0

SHA512
24948d8b3f48c978de566e37809666575edda19ef8a615375020d01c50ce7306630f722dd66381086f37b23cfaa9e38ad6ce24f95a8ff1118523c6bb5df7b6b4

Download Submit
C:\Windows\System32\dTuYrgj.exe

Filesize
984KB

MD5
36ac7bbe89e1f25f745f864a07d015c1

SHA1
4f238c8de1dc33b21786f142b0852e719c55ffc3

SHA256
4b017c90b31a0ccbbbfc6c4358ad1b8e4bf70893acf8648d856342c39f5a4786

SHA512
602f1243bff6293a74d3eeb89c8e134c5a3dc8600de6a053d5fdc52ff0c241ca0280a0f80826ccdf494852278687355534ea7cd052d7b36976761609612270ad

Download Submit
C:\Windows\System32\iNXHkbb.exe

Filesize
979KB

MD5
3d0ac956f21965b2efc0be38d61e3932

SHA1
2b65441055400b8bdd713429bad4e9a758e711f2

SHA256
76adba4ea6a0d74a4a3722d2b6c4b97f1e4951214317634755e4535dbcaca2a9

SHA512
38a2e851bd781716312f207f2a2b589ff16b9c3f4414a32630af30ee8dff1f345b6c80c26085ab7c4b92d02891e5a349d49e3a738ea4945e01c2dbe01e91789d

Download Submit
C:\Windows\System32\lIgDxRL.exe

Filesize
986KB

MD5
1669ce11ce6b69ec248141ce5f6ec421

SHA1
de019e205ea22b2fa48981e918555e412e3a501f

SHA256
e2282253f8562fcd29a3a2db9bb66e086a4da4abac86c39702722eb4ef98efe1

SHA512
4c840a81f15a3de14980c1644bdcf1ecf21e1f2d1b6881499d7a1ec4d8d4f7b2e642517f4423d857e109435e0137c73d8edf2dcd8060f148a97ce9439cd663a2

Download Submit
C:\Windows\System32\naULmdx.exe

Filesize
981KB

MD5
c098feed8259a7f7f775696a17925fda

SHA1
43fd862d74a2512eb7dbc23be275cd8d3fe2fad7

SHA256
2ff744e7c9f1050a4e017c629b5e66dcd489644f8553f4cd5d59c73cbcb405e9

SHA512
979a777958a04e3b568d167ab711904a3cd6c9f88d96c03393d11c68cd8cbe8bd36fae3d71922de30bb7002940649ecd9693bb7383a99756a7cd36c219231909

Download Submit
C:\Windows\System32\oiQYqVH.exe

Filesize
982KB

MD5
8f0ea7e3f61c4d58be473144ba8c8805

SHA1
d7a105507f79f6b7b8a8a856310981688e7ae4d5

SHA256
708277d736783c7c780ade95cd3cf86fa23e31667e454091ecb8f2d0aae8840e

SHA512
13aa409e5268e88470403996163afcf37eb3441e88a6bda96400ed46ae4652cfdcc4f7e5f9e00dabdaf240508eaa8c7021f5c40f13bc97f513e7ae74db09c6b6

Download Submit
C:\Windows\System32\pBPVHRZ.exe

Filesize
983KB

MD5
904b298cc413afb1e63f44dc29189576

SHA1
c210536c8c6d1ae8559896662eca70bf285a7ec6

SHA256
fdde26db6b6aaa2970cfa40ab14278615b71377a53c853d1392897147d9095d8

SHA512
0c7541aea5ea2bd8f0af69c18c3bed49d3ae24d846b46ebd7f2ffa9267a3dbe6cde589ece034092d78dc818aab6306fcde5e3bfe15d067c16b96b80bdbdc27e4

Download Submit
C:\Windows\System32\pCXdYnF.exe

Filesize
981KB

MD5
751e6f0298f8850c48a438dd2a240998

SHA1
2e251da4636c438df2df6df32ac9e1d429f2f99d

SHA256
84edbad2559c0a97d272c252b25aa87e1647e09173465bbdf0f76eaffee6b637

SHA512
9e9b1994e8c036a3e513f92ec2735371dca1644602e3940c7e5e26c625859544f769e60f3c7e6e63d0724b3708ecbac837185eb316de75de6211ed2d0bc6cbf1

Download Submit
C:\Windows\System32\psDosHx.exe

Filesize
984KB

MD5
80625419d0cd203e412427fe2da2a145

SHA1
718fb264a3dfc46a7a418bc7df3638e3d3ce9e8d

SHA256
9af8a2e9c2a0fc615b9afc6829534ed7ecc7cc6597ce77d834696d86f7b98dcf

SHA512
3bdb4da21d4997d9c3caeba40d6e6f7ed259d2914adf55cb3076fbedd6e17373a3e83b4eaf64aafc31b62ba771285798911c0bc52a64c98ee7dc5d8a5c9b4840

Download Submit
C:\Windows\System32\qSqtUov.exe

Filesize
982KB

MD5
64e7bf49d6192cd1abceabfdbf15716d

SHA1
dc1c207063913af7ce6b7eeec54a0de55075b938

SHA256
1923705e7bec413b1ae5697e73a68300eb776e991ca5e0bde4fb6db44e69762b

SHA512
ccff8466dd6d71a703e63a7eb6b844396933299d035947d60e5b982859fe4128a78f3e6ec6ae6391dcc1a7527020ba5cc0ffe4d09f268309a9e0cf2141514d1d

Download Submit
C:\Windows\System32\rZNcQNH.exe

Filesize
982KB

MD5
daccdde6c2fcc14a27730e52e3d4bf4c

SHA1
accd46bd52c05abbbb6b24968e78b5cf2f3d3757

SHA256
f002a3a35587156f8f25ffb2acfdee902d8198eb1f2aedc82a102a5842cda625

SHA512
805bd27af3cb78585d10c22ac02188e99b4c3a269c74e2a09b7ae545715d44bd73f4bdf1dfa1f55438d5985f369d7bbd9d9c27e41ca7b5504518f93b9aabd561

Download Submit
C:\Windows\System32\rbprMYW.exe

Filesize
985KB

MD5
cedaf5f6a2f38c0e37f4b8703c603d06

SHA1
ccca73490e449a629ba72a8b54b572f0a8ef61f9

SHA256
215061ef1616783521603ceb545df8e58c0912790d29d76306a16ee475bfbd0b

SHA512
2a612c22006ac4a550495b9a8444a64b9f96a99d9cb47de281e430ad4decb3a25be0c23f3c0e971c291ad3a463b05fa8cf6ccab168d9a319817d214e4493d9b7

Download Submit
C:\Windows\System32\sRWQIfp.exe

Filesize
981KB

MD5
18b9825d8bb9d804049780eff21ae419

SHA1
35fb66243f8ef84d59422065676bb10469c21f36

SHA256
1038f40e3bbe183b04a64509717f768003fa8a4397d2eb663c7725cc09a339f3

SHA512
563246dc8132b771cc87bbbd862f780306a234a89cffb2ce216b4283f8df7b34c0404701b476898c4f21073c6e753410a3508344723cafe323734c5767eef1f1

Download Submit
C:\Windows\System32\tvUlTuu.exe

Filesize
982KB

MD5
b5d4079c6070bcda2f9e3b1d93fe7abe

SHA1
73ab49114a1f7d3eeb4a43975b5f71c1834a4855

SHA256
1d215db7619dd0930c5a9563c31e03646b6603dd6bd6d451fd4a6746e08d7252

SHA512
8fc538f38f0bbd281ccac562699f261252cd7e4cf4446199c7d6a894165b204b8909cfbee7f0958a49a4530cdeea530835c883da99861d022897061297fc8c05

Download Submit
C:\Windows\System32\wmcmhlG.exe

Filesize
980KB

MD5
9d77592949ea55597eea1cb04da0c401

SHA1
07a4d3d5c1eaf73101b3609ad0b0295459868c68

SHA256
7d88aa2dab6d48356344261fa4d18121ea117b45636aa1f308366c98d4cea1b5

SHA512
58847e039f8b8333acc6d89e30a6ba580ae48ef04202ee0d2bcc70f7aae81facb38c6aa3ac493f92c9e01f50d107deeecace4f1d16fc3e99414b77a316f6298f

Download Submit
memory/392-468-0x00007FF61C250000-0x00007FF61C641000-memory.dmp

Filesize
3.9MB

Download
memory/392-2020-0x00007FF61C250000-0x00007FF61C641000-memory.dmp

Filesize
3.9MB

Download
memory/744-371-0x00007FF6E35D0000-0x00007FF6E39C1000-memory.dmp

Filesize
3.9MB

Download
memory/744-2010-0x00007FF6E35D0000-0x00007FF6E39C1000-memory.dmp

Filesize
3.9MB

Download
memory/1268-402-0x00007FF66FD10000-0x00007FF670101000-memory.dmp

Filesize
3.9MB

Download
memory/1268-2000-0x00007FF66FD10000-0x00007FF670101000-memory.dmp

Filesize
3.9MB

Download
memory/1436-382-0x00007FF7AA470000-0x00007FF7AA861000-memory.dmp

Filesize
3.9MB

Download
memory/1436-1998-0x00007FF7AA470000-0x00007FF7AA861000-memory.dmp

Filesize
3.9MB

Download
memory/1488-415-0x00007FF773AF0000-0x00007FF773EE1000-memory.dmp

Filesize
3.9MB

Download
memory/1488-2004-0x00007FF773AF0000-0x00007FF773EE1000-memory.dmp

Filesize
3.9MB

Download
memory/1628-2022-0x00007FF7EA5E0000-0x00007FF7EA9D1000-memory.dmp

Filesize
3.9MB

Download
memory/1628-458-0x00007FF7EA5E0000-0x00007FF7EA9D1000-memory.dmp

Filesize
3.9MB

Download
memory/1636-2012-0x00007FF6E4BD0000-0x00007FF6E4FC1000-memory.dmp

Filesize
3.9MB

Download
memory/1636-433-0x00007FF6E4BD0000-0x00007FF6E4FC1000-memory.dmp

Filesize
3.9MB

Download
memory/2076-409-0x00007FF744550000-0x00007FF744941000-memory.dmp

Filesize
3.9MB

Download
memory/2076-2006-0x00007FF744550000-0x00007FF744941000-memory.dmp

Filesize
3.9MB

Download
memory/2132-2002-0x00007FF6B1FC0000-0x00007FF6B23B1000-memory.dmp

Filesize
3.9MB

Download
memory/2132-421-0x00007FF6B1FC0000-0x00007FF6B23B1000-memory.dmp

Filesize
3.9MB

Download
memory/2428-449-0x00007FF6B1720000-0x00007FF6B1B11000-memory.dmp

Filesize
3.9MB

Download
memory/2428-2018-0x00007FF6B1720000-0x00007FF6B1B11000-memory.dmp

Filesize
3.9MB

Download
memory/2448-22-0x00007FF7648C0000-0x00007FF764CB1000-memory.dmp

Filesize
3.9MB

Download
memory/2448-1986-0x00007FF7648C0000-0x00007FF764CB1000-memory.dmp

Filesize
3.9MB

Download
memory/2536-2016-0x00007FF6B7B80000-0x00007FF6B7F71000-memory.dmp

Filesize
3.9MB

Download
memory/2536-447-0x00007FF6B7B80000-0x00007FF6B7F71000-memory.dmp

Filesize
3.9MB

Download
memory/2648-2026-0x00007FF762550000-0x00007FF762941000-memory.dmp

Filesize
3.9MB

Download
memory/2648-485-0x00007FF762550000-0x00007FF762941000-memory.dmp

Filesize
3.9MB

Download
memory/2660-2024-0x00007FF79F6E0000-0x00007FF79FAD1000-memory.dmp

Filesize
3.9MB

Download
memory/2660-455-0x00007FF79F6E0000-0x00007FF79FAD1000-memory.dmp

Filesize
3.9MB

Download
memory/3028-1976-0x00007FF7416F0000-0x00007FF741AE1000-memory.dmp

Filesize
3.9MB

Download
memory/3028-1984-0x00007FF7416F0000-0x00007FF741AE1000-memory.dmp

Filesize
3.9MB

Download
memory/3028-13-0x00007FF7416F0000-0x00007FF741AE1000-memory.dmp

Filesize
3.9MB

Download
memory/3448-0-0x00007FF6A1600000-0x00007FF6A19F1000-memory.dmp

Filesize
3.9MB

Download
memory/3448-1942-0x00007FF6A1600000-0x00007FF6A19F1000-memory.dmp

Filesize
3.9MB

Download
memory/3448-1-0x0000016DF4C10000-0x0000016DF4C20000-memory.dmp

Filesize
64KB

Download
memory/3676-394-0x00007FF6658E0000-0x00007FF665CD1000-memory.dmp

Filesize
3.9MB

Download
memory/3676-2008-0x00007FF6658E0000-0x00007FF665CD1000-memory.dmp

Filesize
3.9MB

Download
memory/3752-354-0x00007FF646440000-0x00007FF646831000-memory.dmp

Filesize
3.9MB

Download
memory/3752-1988-0x00007FF646440000-0x00007FF646831000-memory.dmp

Filesize
3.9MB

Download
memory/3932-347-0x00007FF71C000000-0x00007FF71C3F1000-memory.dmp

Filesize
3.9MB

Download
memory/3932-1992-0x00007FF71C000000-0x00007FF71C3F1000-memory.dmp

Filesize
3.9MB

Download
memory/4076-2014-0x00007FF7A0D60000-0x00007FF7A1151000-memory.dmp

Filesize
3.9MB

Download
memory/4076-436-0x00007FF7A0D60000-0x00007FF7A1151000-memory.dmp

Filesize
3.9MB

Download
memory/4460-2028-0x00007FF6A4750000-0x00007FF6A4B41000-memory.dmp

Filesize
3.9MB

Download
memory/4460-492-0x00007FF6A4750000-0x00007FF6A4B41000-memory.dmp

Filesize
3.9MB

Download
memory/4612-1994-0x00007FF7E9080000-0x00007FF7E9471000-memory.dmp

Filesize
3.9MB

Download
memory/4612-361-0x00007FF7E9080000-0x00007FF7E9471000-memory.dmp

Filesize
3.9MB

Download
memory/4648-1982-0x00007FF647FF0000-0x00007FF6483E1000-memory.dmp

Filesize
3.9MB

Download
memory/4648-1975-0x00007FF647FF0000-0x00007FF6483E1000-memory.dmp

Filesize
3.9MB

Download
memory/4648-9-0x00007FF647FF0000-0x00007FF6483E1000-memory.dmp

Filesize
3.9MB

Download
memory/4864-1990-0x00007FF617200000-0x00007FF6175F1000-memory.dmp

Filesize
3.9MB

Download
memory/4864-400-0x00007FF617200000-0x00007FF6175F1000-memory.dmp

Filesize
3.9MB

Download
memory/5028-1996-0x00007FF763FC0000-0x00007FF7643B1000-memory.dmp

Filesize
3.9MB

Download
memory/5028-420-0x00007FF763FC0000-0x00007FF7643B1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads