xmrig | c26ea55c8beddd58efb458a05340896258da0f512baa22e7e0c5d6490ac48a83

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
Size

1.1MB
MD5

0c3474b64bc3ea24db0aad9c2801ca13
SHA1

d99abda473fc1c03bec9930f3c842caf2f91a3ee
SHA256

c26ea55c8beddd58efb458a05340896258da0f512baa22e7e0c5d6490ac48a83
SHA512

369e60c573d722117de5e869f7ff635abf18ef9e872feeb76756553ae9278e1e6ac2aa791a4660801422511264a769f6580fd9c80f41c77af4835d4ec9f28d47
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmC3f/DFNkTQC:knw9oUUEEDl37jcmWH/xC

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4232-351-0x00007FF68BE50000-0x00007FF68C241000-memory.dmp	xmrig
behavioral2/memory/2396-356-0x00007FF727B70000-0x00007FF727F61000-memory.dmp	xmrig
behavioral2/memory/1084-360-0x00007FF760720000-0x00007FF760B11000-memory.dmp	xmrig
behavioral2/memory/2892-369-0x00007FF7FF5B0000-0x00007FF7FF9A1000-memory.dmp	xmrig
behavioral2/memory/1240-377-0x00007FF6E1C10000-0x00007FF6E2001000-memory.dmp	xmrig
behavioral2/memory/3712-378-0x00007FF600E70000-0x00007FF601261000-memory.dmp	xmrig
behavioral2/memory/4528-373-0x00007FF67CCC0000-0x00007FF67D0B1000-memory.dmp	xmrig
behavioral2/memory/1384-384-0x00007FF6FF570000-0x00007FF6FF961000-memory.dmp	xmrig
behavioral2/memory/536-408-0x00007FF781E60000-0x00007FF782251000-memory.dmp	xmrig
behavioral2/memory/3992-411-0x00007FF6F91D0000-0x00007FF6F95C1000-memory.dmp	xmrig
behavioral2/memory/2164-416-0x00007FF6A41B0000-0x00007FF6A45A1000-memory.dmp	xmrig
behavioral2/memory/516-420-0x00007FF7D4740000-0x00007FF7D4B31000-memory.dmp	xmrig
behavioral2/memory/4448-421-0x00007FF7BC2B0000-0x00007FF7BC6A1000-memory.dmp	xmrig
behavioral2/memory/1780-418-0x00007FF723E20000-0x00007FF724211000-memory.dmp	xmrig
behavioral2/memory/2472-403-0x00007FF7C8DD0000-0x00007FF7C91C1000-memory.dmp	xmrig
behavioral2/memory/1420-395-0x00007FF686910000-0x00007FF686D01000-memory.dmp	xmrig
behavioral2/memory/440-394-0x00007FF742D90000-0x00007FF743181000-memory.dmp	xmrig
behavioral2/memory/4692-390-0x00007FF7483F0000-0x00007FF7487E1000-memory.dmp	xmrig
behavioral2/memory/4864-386-0x00007FF700150000-0x00007FF700541000-memory.dmp	xmrig
behavioral2/memory/3960-1987-0x00007FF7E7570000-0x00007FF7E7961000-memory.dmp	xmrig
behavioral2/memory/2876-1988-0x00007FF73B2A0000-0x00007FF73B691000-memory.dmp	xmrig
behavioral2/memory/1304-1989-0x00007FF69B5A0000-0x00007FF69B991000-memory.dmp	xmrig
behavioral2/memory/3652-1991-0x00007FF6A0710000-0x00007FF6A0B01000-memory.dmp	xmrig
behavioral2/memory/3388-2023-0x00007FF7D4890000-0x00007FF7D4C81000-memory.dmp	xmrig
behavioral2/memory/3960-2029-0x00007FF7E7570000-0x00007FF7E7961000-memory.dmp	xmrig
behavioral2/memory/2876-2031-0x00007FF73B2A0000-0x00007FF73B691000-memory.dmp	xmrig
behavioral2/memory/1304-2035-0x00007FF69B5A0000-0x00007FF69B991000-memory.dmp	xmrig
behavioral2/memory/3388-2037-0x00007FF7D4890000-0x00007FF7D4C81000-memory.dmp	xmrig
behavioral2/memory/3652-2033-0x00007FF6A0710000-0x00007FF6A0B01000-memory.dmp	xmrig
behavioral2/memory/2396-2043-0x00007FF727B70000-0x00007FF727F61000-memory.dmp	xmrig
behavioral2/memory/4448-2039-0x00007FF7BC2B0000-0x00007FF7BC6A1000-memory.dmp	xmrig
behavioral2/memory/1084-2045-0x00007FF760720000-0x00007FF760B11000-memory.dmp	xmrig
behavioral2/memory/4528-2051-0x00007FF67CCC0000-0x00007FF67D0B1000-memory.dmp	xmrig
behavioral2/memory/1384-2055-0x00007FF6FF570000-0x00007FF6FF961000-memory.dmp	xmrig
behavioral2/memory/4692-2059-0x00007FF7483F0000-0x00007FF7487E1000-memory.dmp	xmrig
behavioral2/memory/4864-2057-0x00007FF700150000-0x00007FF700541000-memory.dmp	xmrig
behavioral2/memory/3712-2053-0x00007FF600E70000-0x00007FF601261000-memory.dmp	xmrig
behavioral2/memory/1240-2049-0x00007FF6E1C10000-0x00007FF6E2001000-memory.dmp	xmrig
behavioral2/memory/2892-2047-0x00007FF7FF5B0000-0x00007FF7FF9A1000-memory.dmp	xmrig
behavioral2/memory/4232-2041-0x00007FF68BE50000-0x00007FF68C241000-memory.dmp	xmrig
behavioral2/memory/1420-2080-0x00007FF686910000-0x00007FF686D01000-memory.dmp	xmrig
behavioral2/memory/516-2067-0x00007FF7D4740000-0x00007FF7D4B31000-memory.dmp	xmrig
behavioral2/memory/440-2061-0x00007FF742D90000-0x00007FF743181000-memory.dmp	xmrig
behavioral2/memory/2164-2078-0x00007FF6A41B0000-0x00007FF6A45A1000-memory.dmp	xmrig
behavioral2/memory/2472-2076-0x00007FF7C8DD0000-0x00007FF7C91C1000-memory.dmp	xmrig
behavioral2/memory/3992-2074-0x00007FF6F91D0000-0x00007FF6F95C1000-memory.dmp	xmrig
behavioral2/memory/536-2072-0x00007FF781E60000-0x00007FF782251000-memory.dmp	xmrig
behavioral2/memory/1780-2070-0x00007FF723E20000-0x00007FF724211000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3960	BkUWsfc.exe
2876	LlYbQGO.exe
1304	ZghggEn.exe
3652	SqCQbGb.exe
3388	moqkiez.exe
4448	KYkGris.exe
4232	uPHuWhq.exe
2396	DnAtyuf.exe
1084	ZYkXwzn.exe
2892	bvidOoS.exe
4528	HfsMqct.exe
1240	iBtoEFC.exe
3712	BlnfRnv.exe
1384	hEspdUB.exe
4864	yhgmGyx.exe
4692	kgiedct.exe
440	uuGYUwx.exe
1420	SQPNqQP.exe
2472	qHioDSc.exe
536	MOBHoEz.exe
3992	galRlYA.exe
2164	vjLWNpi.exe
1780	SMLHZtB.exe
516	SeUdruz.exe
1912	qYylvqR.exe
4224	NQyFPLq.exe
2596	hsdyXIt.exe
2568	EMVNipl.exe
968	YQSBCNx.exe
4964	KjkSywZ.exe
2820	mAIBCtO.exe
2940	IlxsFuY.exe
2984	GIHJvZU.exe
4848	QjAEkVB.exe
4348	NzRTniE.exe
4852	MGuxOtp.exe
3616	PNPNONb.exe
3092	jiIpQkR.exe
2152	AhlvPdG.exe
640	gejFWwB.exe
4880	UQSImVg.exe
716	kusYQlx.exe
1676	ZbeWOnf.exe
2308	ucRhllV.exe
2028	DoYkAvL.exe
4412	UTnpeYz.exe
2712	JwigwKk.exe
1664	ldcenUN.exe
5092	mmPfsAO.exe
4064	dFBBWkj.exe
4316	pbyTyZi.exe
3580	jGgiRYf.exe
3164	ioXLHEh.exe
3640	ghtTLWF.exe
1764	hAzDAUL.exe
3912	MlFnuHe.exe
4524	AXxDeEC.exe
4200	ePInPAQ.exe
2696	zAYEcve.exe
1028	PqVcypA.exe
432	YGgJAlZ.exe
928	eceSAil.exe
3336	xlkAmsm.exe
4716	hvYIBLk.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2784-0-0x00007FF7E7770000-0x00007FF7E7B61000-memory.dmp	upx
behavioral2/files/0x000d000000023b8c-5.dat	upx
behavioral2/memory/3960-6-0x00007FF7E7570000-0x00007FF7E7961000-memory.dmp	upx
behavioral2/files/0x000a000000023b92-9.dat	upx
behavioral2/memory/2876-17-0x00007FF73B2A0000-0x00007FF73B691000-memory.dmp	upx
behavioral2/memory/1304-24-0x00007FF69B5A0000-0x00007FF69B991000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-28.dat	upx
behavioral2/memory/3388-32-0x00007FF7D4890000-0x00007FF7D4C81000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-46.dat	upx
behavioral2/files/0x000a000000023b99-56.dat	upx
behavioral2/files/0x000a000000023b9b-66.dat	upx
behavioral2/files/0x000a000000023b9e-79.dat	upx
behavioral2/files/0x000a000000023ba9-136.dat	upx
behavioral2/files/0x000a000000023bac-149.dat	upx
behavioral2/files/0x000a000000023bae-161.dat	upx
behavioral2/memory/4232-351-0x00007FF68BE50000-0x00007FF68C241000-memory.dmp	upx
behavioral2/memory/2396-356-0x00007FF727B70000-0x00007FF727F61000-memory.dmp	upx
behavioral2/memory/1084-360-0x00007FF760720000-0x00007FF760B11000-memory.dmp	upx
behavioral2/files/0x000a000000023baf-166.dat	upx
behavioral2/files/0x000a000000023bad-156.dat	upx
behavioral2/files/0x000a000000023bab-146.dat	upx
behavioral2/files/0x000a000000023baa-141.dat	upx
behavioral2/files/0x000a000000023ba8-131.dat	upx
behavioral2/files/0x000a000000023ba7-126.dat	upx
behavioral2/files/0x000a000000023ba6-121.dat	upx
behavioral2/files/0x000a000000023ba5-116.dat	upx
behavioral2/files/0x000a000000023ba4-111.dat	upx
behavioral2/memory/2892-369-0x00007FF7FF5B0000-0x00007FF7FF9A1000-memory.dmp	upx
behavioral2/memory/1240-377-0x00007FF6E1C10000-0x00007FF6E2001000-memory.dmp	upx
behavioral2/memory/3712-378-0x00007FF600E70000-0x00007FF601261000-memory.dmp	upx
behavioral2/memory/4528-373-0x00007FF67CCC0000-0x00007FF67D0B1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-106.dat	upx
behavioral2/files/0x000a000000023ba2-101.dat	upx
behavioral2/files/0x000a000000023ba1-96.dat	upx
behavioral2/files/0x000a000000023ba0-91.dat	upx
behavioral2/files/0x000a000000023b9f-86.dat	upx
behavioral2/files/0x000a000000023b9d-76.dat	upx
behavioral2/files/0x000a000000023b9c-71.dat	upx
behavioral2/files/0x000a000000023b9a-61.dat	upx
behavioral2/files/0x000a000000023b98-51.dat	upx
behavioral2/files/0x000a000000023b96-41.dat	upx
behavioral2/files/0x000a000000023b95-36.dat	upx
behavioral2/files/0x000a000000023b94-30.dat	upx
behavioral2/memory/3652-27-0x00007FF6A0710000-0x00007FF6A0B01000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-14.dat	upx
behavioral2/memory/1384-384-0x00007FF6FF570000-0x00007FF6FF961000-memory.dmp	upx
behavioral2/memory/536-408-0x00007FF781E60000-0x00007FF782251000-memory.dmp	upx
behavioral2/memory/3992-411-0x00007FF6F91D0000-0x00007FF6F95C1000-memory.dmp	upx
behavioral2/memory/2164-416-0x00007FF6A41B0000-0x00007FF6A45A1000-memory.dmp	upx
behavioral2/memory/516-420-0x00007FF7D4740000-0x00007FF7D4B31000-memory.dmp	upx
behavioral2/memory/4448-421-0x00007FF7BC2B0000-0x00007FF7BC6A1000-memory.dmp	upx
behavioral2/memory/1780-418-0x00007FF723E20000-0x00007FF724211000-memory.dmp	upx
behavioral2/memory/2472-403-0x00007FF7C8DD0000-0x00007FF7C91C1000-memory.dmp	upx
behavioral2/memory/1420-395-0x00007FF686910000-0x00007FF686D01000-memory.dmp	upx
behavioral2/memory/440-394-0x00007FF742D90000-0x00007FF743181000-memory.dmp	upx
behavioral2/memory/4692-390-0x00007FF7483F0000-0x00007FF7487E1000-memory.dmp	upx
behavioral2/memory/4864-386-0x00007FF700150000-0x00007FF700541000-memory.dmp	upx
behavioral2/memory/3960-1987-0x00007FF7E7570000-0x00007FF7E7961000-memory.dmp	upx
behavioral2/memory/2876-1988-0x00007FF73B2A0000-0x00007FF73B691000-memory.dmp	upx
behavioral2/memory/1304-1989-0x00007FF69B5A0000-0x00007FF69B991000-memory.dmp	upx
behavioral2/memory/3652-1991-0x00007FF6A0710000-0x00007FF6A0B01000-memory.dmp	upx
behavioral2/memory/3388-2023-0x00007FF7D4890000-0x00007FF7D4C81000-memory.dmp	upx
behavioral2/memory/3960-2029-0x00007FF7E7570000-0x00007FF7E7961000-memory.dmp	upx
behavioral2/memory/2876-2031-0x00007FF73B2A0000-0x00007FF73B691000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ndjCHeB.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\MOBHoEz.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\QdvJAdq.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\NSRpNBi.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\ghtTLWF.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\GewsNzO.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\vjEZGyU.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\jLzlloe.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\iidNjZF.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\QAyskCi.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\pPLvzZk.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\ZTWNOlw.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\EiRdeDA.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\xdgotLS.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\PxlpFzB.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\lLbVaQW.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\WUIaAlx.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\ovBkYmI.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\qYylvqR.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\GGfOTzj.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\cdPAhbK.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\EyoHNDx.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\lxJEvNz.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\OayEsKY.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\XtEpJsU.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\iNldNde.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\OcivFzx.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\avDTRZa.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\TWAWpbI.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\SzCvTjK.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\AoGPltP.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\CjrHLPC.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\ITEYrLk.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\BhWkJKS.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\ZIInwOk.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\aDPwPQW.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\mJbcOqE.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\FeMlEzg.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\MFsmxBT.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\ePRVCMk.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\AQJaDkU.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\wUifPvB.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\gchJoFo.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\KXqLjVo.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\fZYSnro.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\qkYKTDm.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\xcInyDG.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\fsrgFFR.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\KYkGris.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\JHPEwNa.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\ElvIUON.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\iDWBsMs.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\PWqoAqR.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\PPgfSgH.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\wDviJma.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\ppulhPG.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\KtwNeOR.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\OvLajoa.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\JRUPBOC.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\pbyTyZi.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\SSsxnlK.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\YJAhbfv.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\YQSBCNx.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
File created	C:\Windows\System32\eceSAil.exe	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4516	dwm.exe
Token: SeChangeNotifyPrivilege	4516	dwm.exe
Token: 33	4516	dwm.exe
Token: SeIncBasePriorityPrivilege	4516	dwm.exe
Token: SeShutdownPrivilege	4516	dwm.exe
Token: SeCreatePagefilePrivilege	4516	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3960	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	85
PID 2784 wrote to memory of 3960	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	85
PID 2784 wrote to memory of 2876	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	86
PID 2784 wrote to memory of 2876	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	86
PID 2784 wrote to memory of 1304	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	87
PID 2784 wrote to memory of 1304	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	87
PID 2784 wrote to memory of 3652	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	88
PID 2784 wrote to memory of 3652	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	88
PID 2784 wrote to memory of 3388	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	89
PID 2784 wrote to memory of 3388	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	89
PID 2784 wrote to memory of 4448	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	90
PID 2784 wrote to memory of 4448	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	90
PID 2784 wrote to memory of 4232	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	91
PID 2784 wrote to memory of 4232	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	91
PID 2784 wrote to memory of 2396	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	92
PID 2784 wrote to memory of 2396	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	92
PID 2784 wrote to memory of 1084	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	93
PID 2784 wrote to memory of 1084	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	93
PID 2784 wrote to memory of 2892	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	94
PID 2784 wrote to memory of 2892	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	94
PID 2784 wrote to memory of 4528	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	95
PID 2784 wrote to memory of 4528	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	95
PID 2784 wrote to memory of 1240	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	96
PID 2784 wrote to memory of 1240	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	96
PID 2784 wrote to memory of 3712	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	97
PID 2784 wrote to memory of 3712	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	97
PID 2784 wrote to memory of 1384	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	98
PID 2784 wrote to memory of 1384	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	98
PID 2784 wrote to memory of 4864	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	99
PID 2784 wrote to memory of 4864	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	99
PID 2784 wrote to memory of 4692	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	100
PID 2784 wrote to memory of 4692	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	100
PID 2784 wrote to memory of 440	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	101
PID 2784 wrote to memory of 440	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	101
PID 2784 wrote to memory of 1420	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	102
PID 2784 wrote to memory of 1420	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	102
PID 2784 wrote to memory of 2472	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	103
PID 2784 wrote to memory of 2472	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	103
PID 2784 wrote to memory of 536	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	104
PID 2784 wrote to memory of 536	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	104
PID 2784 wrote to memory of 3992	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	105
PID 2784 wrote to memory of 3992	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	105
PID 2784 wrote to memory of 2164	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	106
PID 2784 wrote to memory of 2164	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	106
PID 2784 wrote to memory of 1780	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	107
PID 2784 wrote to memory of 1780	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	107
PID 2784 wrote to memory of 516	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	108
PID 2784 wrote to memory of 516	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	108
PID 2784 wrote to memory of 1912	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	109
PID 2784 wrote to memory of 1912	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	109
PID 2784 wrote to memory of 4224	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	110
PID 2784 wrote to memory of 4224	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	110
PID 2784 wrote to memory of 2596	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	111
PID 2784 wrote to memory of 2596	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	111
PID 2784 wrote to memory of 2568	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	112
PID 2784 wrote to memory of 2568	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	112
PID 2784 wrote to memory of 968	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	113
PID 2784 wrote to memory of 968	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	113
PID 2784 wrote to memory of 4964	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	114
PID 2784 wrote to memory of 4964	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	114
PID 2784 wrote to memory of 2820	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	115
PID 2784 wrote to memory of 2820	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	115
PID 2784 wrote to memory of 2940	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	116
PID 2784 wrote to memory of 2940	2784	0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c3474b64bc3ea24db0aad9c2801ca13_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\System32\BkUWsfc.exe
  C:\Windows\System32\BkUWsfc.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System32\LlYbQGO.exe
  C:\Windows\System32\LlYbQGO.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System32\ZghggEn.exe
  C:\Windows\System32\ZghggEn.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System32\SqCQbGb.exe
  C:\Windows\System32\SqCQbGb.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\moqkiez.exe
  C:\Windows\System32\moqkiez.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System32\KYkGris.exe
  C:\Windows\System32\KYkGris.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\uPHuWhq.exe
  C:\Windows\System32\uPHuWhq.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System32\DnAtyuf.exe
  C:\Windows\System32\DnAtyuf.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\ZYkXwzn.exe
  C:\Windows\System32\ZYkXwzn.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System32\bvidOoS.exe
  C:\Windows\System32\bvidOoS.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\HfsMqct.exe
  C:\Windows\System32\HfsMqct.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\iBtoEFC.exe
  C:\Windows\System32\iBtoEFC.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System32\BlnfRnv.exe
  C:\Windows\System32\BlnfRnv.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System32\hEspdUB.exe
  C:\Windows\System32\hEspdUB.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System32\yhgmGyx.exe
  C:\Windows\System32\yhgmGyx.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\kgiedct.exe
  C:\Windows\System32\kgiedct.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\uuGYUwx.exe
  C:\Windows\System32\uuGYUwx.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\SQPNqQP.exe
  C:\Windows\System32\SQPNqQP.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System32\qHioDSc.exe
  C:\Windows\System32\qHioDSc.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\MOBHoEz.exe
  C:\Windows\System32\MOBHoEz.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System32\galRlYA.exe
  C:\Windows\System32\galRlYA.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System32\vjLWNpi.exe
  C:\Windows\System32\vjLWNpi.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System32\SMLHZtB.exe
  C:\Windows\System32\SMLHZtB.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System32\SeUdruz.exe
  C:\Windows\System32\SeUdruz.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System32\qYylvqR.exe
  C:\Windows\System32\qYylvqR.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System32\NQyFPLq.exe
  C:\Windows\System32\NQyFPLq.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\hsdyXIt.exe
  C:\Windows\System32\hsdyXIt.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\EMVNipl.exe
  C:\Windows\System32\EMVNipl.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System32\YQSBCNx.exe
  C:\Windows\System32\YQSBCNx.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System32\KjkSywZ.exe
  C:\Windows\System32\KjkSywZ.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System32\mAIBCtO.exe
  C:\Windows\System32\mAIBCtO.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System32\IlxsFuY.exe
  C:\Windows\System32\IlxsFuY.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\GIHJvZU.exe
  C:\Windows\System32\GIHJvZU.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\QjAEkVB.exe
  C:\Windows\System32\QjAEkVB.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\NzRTniE.exe
  C:\Windows\System32\NzRTniE.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\MGuxOtp.exe
  C:\Windows\System32\MGuxOtp.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\PNPNONb.exe
  C:\Windows\System32\PNPNONb.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\jiIpQkR.exe
  C:\Windows\System32\jiIpQkR.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System32\AhlvPdG.exe
  C:\Windows\System32\AhlvPdG.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System32\gejFWwB.exe
  C:\Windows\System32\gejFWwB.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\UQSImVg.exe
  C:\Windows\System32\UQSImVg.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\kusYQlx.exe
  C:\Windows\System32\kusYQlx.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System32\ZbeWOnf.exe
  C:\Windows\System32\ZbeWOnf.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\ucRhllV.exe
  C:\Windows\System32\ucRhllV.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System32\DoYkAvL.exe
  C:\Windows\System32\DoYkAvL.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System32\UTnpeYz.exe
  C:\Windows\System32\UTnpeYz.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\JwigwKk.exe
  C:\Windows\System32\JwigwKk.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System32\ldcenUN.exe
  C:\Windows\System32\ldcenUN.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System32\mmPfsAO.exe
  C:\Windows\System32\mmPfsAO.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\dFBBWkj.exe
  C:\Windows\System32\dFBBWkj.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System32\pbyTyZi.exe
  C:\Windows\System32\pbyTyZi.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\jGgiRYf.exe
  C:\Windows\System32\jGgiRYf.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\ioXLHEh.exe
  C:\Windows\System32\ioXLHEh.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System32\ghtTLWF.exe
  C:\Windows\System32\ghtTLWF.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System32\hAzDAUL.exe
  C:\Windows\System32\hAzDAUL.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System32\MlFnuHe.exe
  C:\Windows\System32\MlFnuHe.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System32\AXxDeEC.exe
  C:\Windows\System32\AXxDeEC.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\ePInPAQ.exe
  C:\Windows\System32\ePInPAQ.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System32\zAYEcve.exe
  C:\Windows\System32\zAYEcve.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System32\PqVcypA.exe
  C:\Windows\System32\PqVcypA.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System32\YGgJAlZ.exe
  C:\Windows\System32\YGgJAlZ.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\eceSAil.exe
  C:\Windows\System32\eceSAil.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System32\xlkAmsm.exe
  C:\Windows\System32\xlkAmsm.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System32\hvYIBLk.exe
  C:\Windows\System32\hvYIBLk.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System32\XUvyhus.exe
  C:\Windows\System32\XUvyhus.exe
  2⤵
  PID:4452
- C:\Windows\System32\lxJEvNz.exe
  C:\Windows\System32\lxJEvNz.exe
  2⤵
  PID:1504
- C:\Windows\System32\VKGJBYr.exe
  C:\Windows\System32\VKGJBYr.exe
  2⤵
  PID:5016
- C:\Windows\System32\QdvJAdq.exe
  C:\Windows\System32\QdvJAdq.exe
  2⤵
  PID:5024
- C:\Windows\System32\otHEXnp.exe
  C:\Windows\System32\otHEXnp.exe
  2⤵
  PID:3884
- C:\Windows\System32\JXxnxpL.exe
  C:\Windows\System32\JXxnxpL.exe
  2⤵
  PID:1884
- C:\Windows\System32\uRjaLRx.exe
  C:\Windows\System32\uRjaLRx.exe
  2⤵
  PID:2296
- C:\Windows\System32\ImRtPQb.exe
  C:\Windows\System32\ImRtPQb.exe
  2⤵
  PID:1636
- C:\Windows\System32\qbnFCNC.exe
  C:\Windows\System32\qbnFCNC.exe
  2⤵
  PID:2108
- C:\Windows\System32\ZSinaPQ.exe
  C:\Windows\System32\ZSinaPQ.exe
  2⤵
  PID:4648
- C:\Windows\System32\PugHoRz.exe
  C:\Windows\System32\PugHoRz.exe
  2⤵
  PID:2544
- C:\Windows\System32\DtRlBZX.exe
  C:\Windows\System32\DtRlBZX.exe
  2⤵
  PID:2904
- C:\Windows\System32\qeFIFEW.exe
  C:\Windows\System32\qeFIFEW.exe
  2⤵
  PID:4732
- C:\Windows\System32\SSsxnlK.exe
  C:\Windows\System32\SSsxnlK.exe
  2⤵
  PID:4740
- C:\Windows\System32\vwkfEgR.exe
  C:\Windows\System32\vwkfEgR.exe
  2⤵
  PID:2952
- C:\Windows\System32\GqnSxdA.exe
  C:\Windows\System32\GqnSxdA.exe
  2⤵
  PID:3048
- C:\Windows\System32\SbkjmXG.exe
  C:\Windows\System32\SbkjmXG.exe
  2⤵
  PID:2112
- C:\Windows\System32\ZodPxdQ.exe
  C:\Windows\System32\ZodPxdQ.exe
  2⤵
  PID:1604
- C:\Windows\System32\BxTrBOu.exe
  C:\Windows\System32\BxTrBOu.exe
  2⤵
  PID:3964
- C:\Windows\System32\iYfGLOF.exe
  C:\Windows\System32\iYfGLOF.exe
  2⤵
  PID:2076
- C:\Windows\System32\GzOVUKF.exe
  C:\Windows\System32\GzOVUKF.exe
  2⤵
  PID:1800
- C:\Windows\System32\JHPEwNa.exe
  C:\Windows\System32\JHPEwNa.exe
  2⤵
  PID:1700
- C:\Windows\System32\qbqfrky.exe
  C:\Windows\System32\qbqfrky.exe
  2⤵
  PID:3228
- C:\Windows\System32\zDiJwtD.exe
  C:\Windows\System32\zDiJwtD.exe
  2⤵
  PID:2900
- C:\Windows\System32\OMcsDxG.exe
  C:\Windows\System32\OMcsDxG.exe
  2⤵
  PID:2716
- C:\Windows\System32\qRMsgFt.exe
  C:\Windows\System32\qRMsgFt.exe
  2⤵
  PID:5060
- C:\Windows\System32\vtviBLv.exe
  C:\Windows\System32\vtviBLv.exe
  2⤵
  PID:4728
- C:\Windows\System32\dZpnsas.exe
  C:\Windows\System32\dZpnsas.exe
  2⤵
  PID:3140
- C:\Windows\System32\WKtmWzL.exe
  C:\Windows\System32\WKtmWzL.exe
  2⤵
  PID:3996
- C:\Windows\System32\TWAWpbI.exe
  C:\Windows\System32\TWAWpbI.exe
  2⤵
  PID:5128
- C:\Windows\System32\lLbVaQW.exe
  C:\Windows\System32\lLbVaQW.exe
  2⤵
  PID:5148
- C:\Windows\System32\SzCvTjK.exe
  C:\Windows\System32\SzCvTjK.exe
  2⤵
  PID:5196
- C:\Windows\System32\jjWacfB.exe
  C:\Windows\System32\jjWacfB.exe
  2⤵
  PID:5228
- C:\Windows\System32\KOWPtGn.exe
  C:\Windows\System32\KOWPtGn.exe
  2⤵
  PID:5252
- C:\Windows\System32\FtAmNjS.exe
  C:\Windows\System32\FtAmNjS.exe
  2⤵
  PID:5272
- C:\Windows\System32\VMzHGgE.exe
  C:\Windows\System32\VMzHGgE.exe
  2⤵
  PID:5296
- C:\Windows\System32\rQCphAF.exe
  C:\Windows\System32\rQCphAF.exe
  2⤵
  PID:5320
- C:\Windows\System32\hMBkqiR.exe
  C:\Windows\System32\hMBkqiR.exe
  2⤵
  PID:5344
- C:\Windows\System32\lbuDGAD.exe
  C:\Windows\System32\lbuDGAD.exe
  2⤵
  PID:5404
- C:\Windows\System32\ZtxGYDv.exe
  C:\Windows\System32\ZtxGYDv.exe
  2⤵
  PID:5464
- C:\Windows\System32\yQKayFJ.exe
  C:\Windows\System32\yQKayFJ.exe
  2⤵
  PID:5492
- C:\Windows\System32\QqmmITP.exe
  C:\Windows\System32\QqmmITP.exe
  2⤵
  PID:5516
- C:\Windows\System32\XstKrvM.exe
  C:\Windows\System32\XstKrvM.exe
  2⤵
  PID:5540
- C:\Windows\System32\AsSeUjk.exe
  C:\Windows\System32\AsSeUjk.exe
  2⤵
  PID:5572
- C:\Windows\System32\AoGPltP.exe
  C:\Windows\System32\AoGPltP.exe
  2⤵
  PID:5596
- C:\Windows\System32\HtEkBHC.exe
  C:\Windows\System32\HtEkBHC.exe
  2⤵
  PID:5620
- C:\Windows\System32\ZZKSXXA.exe
  C:\Windows\System32\ZZKSXXA.exe
  2⤵
  PID:5644
- C:\Windows\System32\NlrSqoE.exe
  C:\Windows\System32\NlrSqoE.exe
  2⤵
  PID:5728
- C:\Windows\System32\KpBYTEN.exe
  C:\Windows\System32\KpBYTEN.exe
  2⤵
  PID:5764
- C:\Windows\System32\MFoRFqZ.exe
  C:\Windows\System32\MFoRFqZ.exe
  2⤵
  PID:5784
- C:\Windows\System32\swTkZVm.exe
  C:\Windows\System32\swTkZVm.exe
  2⤵
  PID:5816
- C:\Windows\System32\JjmeIGu.exe
  C:\Windows\System32\JjmeIGu.exe
  2⤵
  PID:5848
- C:\Windows\System32\efmadMh.exe
  C:\Windows\System32\efmadMh.exe
  2⤵
  PID:5868
- C:\Windows\System32\RzVljma.exe
  C:\Windows\System32\RzVljma.exe
  2⤵
  PID:5900
- C:\Windows\System32\ekkbEIK.exe
  C:\Windows\System32\ekkbEIK.exe
  2⤵
  PID:5924
- C:\Windows\System32\KRHBwwo.exe
  C:\Windows\System32\KRHBwwo.exe
  2⤵
  PID:5956
- C:\Windows\System32\yIJSryV.exe
  C:\Windows\System32\yIJSryV.exe
  2⤵
  PID:5980
- C:\Windows\System32\AlUPPlL.exe
  C:\Windows\System32\AlUPPlL.exe
  2⤵
  PID:6016
- C:\Windows\System32\TPUhuBE.exe
  C:\Windows\System32\TPUhuBE.exe
  2⤵
  PID:6036
- C:\Windows\System32\sYbpnwW.exe
  C:\Windows\System32\sYbpnwW.exe
  2⤵
  PID:6068
- C:\Windows\System32\OnjMtIZ.exe
  C:\Windows\System32\OnjMtIZ.exe
  2⤵
  PID:6096
- C:\Windows\System32\gryldDy.exe
  C:\Windows\System32\gryldDy.exe
  2⤵
  PID:6120
- C:\Windows\System32\sXXZCPL.exe
  C:\Windows\System32\sXXZCPL.exe
  2⤵
  PID:3664
- C:\Windows\System32\CjrHLPC.exe
  C:\Windows\System32\CjrHLPC.exe
  2⤵
  PID:3920
- C:\Windows\System32\QiKEHEK.exe
  C:\Windows\System32\QiKEHEK.exe
  2⤵
  PID:384
- C:\Windows\System32\vcHOUPi.exe
  C:\Windows\System32\vcHOUPi.exe
  2⤵
  PID:5144
- C:\Windows\System32\tgVfMOH.exe
  C:\Windows\System32\tgVfMOH.exe
  2⤵
  PID:2936
- C:\Windows\System32\YaoYNbG.exe
  C:\Windows\System32\YaoYNbG.exe
  2⤵
  PID:5240
- C:\Windows\System32\NSRpNBi.exe
  C:\Windows\System32\NSRpNBi.exe
  2⤵
  PID:1520
- C:\Windows\System32\XUWMADz.exe
  C:\Windows\System32\XUWMADz.exe
  2⤵
  PID:5292
- C:\Windows\System32\dkedUJx.exe
  C:\Windows\System32\dkedUJx.exe
  2⤵
  PID:5260
- C:\Windows\System32\wqTBGsT.exe
  C:\Windows\System32\wqTBGsT.exe
  2⤵
  PID:5444
- C:\Windows\System32\ZgYybqe.exe
  C:\Windows\System32\ZgYybqe.exe
  2⤵
  PID:5568
- C:\Windows\System32\AoDahQB.exe
  C:\Windows\System32\AoDahQB.exe
  2⤵
  PID:5632
- C:\Windows\System32\Lshzkgb.exe
  C:\Windows\System32\Lshzkgb.exe
  2⤵
  PID:1156
- C:\Windows\System32\RWxwGQh.exe
  C:\Windows\System32\RWxwGQh.exe
  2⤵
  PID:5140
- C:\Windows\System32\yToOEyz.exe
  C:\Windows\System32\yToOEyz.exe
  2⤵
  PID:2796
- C:\Windows\System32\alWDEuz.exe
  C:\Windows\System32\alWDEuz.exe
  2⤵
  PID:6112
- C:\Windows\System32\WUIaAlx.exe
  C:\Windows\System32\WUIaAlx.exe
  2⤵
  PID:6088
- C:\Windows\System32\FYcyTgb.exe
  C:\Windows\System32\FYcyTgb.exe
  2⤵
  PID:6028
- C:\Windows\System32\xdOVlGx.exe
  C:\Windows\System32\xdOVlGx.exe
  2⤵
  PID:5968
- C:\Windows\System32\lAlhKkz.exe
  C:\Windows\System32\lAlhKkz.exe
  2⤵
  PID:5864
- C:\Windows\System32\RFxzWff.exe
  C:\Windows\System32\RFxzWff.exe
  2⤵
  PID:5760
- C:\Windows\System32\vvBXjzR.exe
  C:\Windows\System32\vvBXjzR.exe
  2⤵
  PID:5680
- C:\Windows\System32\ksMAdQZ.exe
  C:\Windows\System32\ksMAdQZ.exe
  2⤵
  PID:5304
- C:\Windows\System32\FFKUbIT.exe
  C:\Windows\System32\FFKUbIT.exe
  2⤵
  PID:5456
- C:\Windows\System32\IoxDOSQ.exe
  C:\Windows\System32\IoxDOSQ.exe
  2⤵
  PID:5524
- C:\Windows\System32\JTBFzTj.exe
  C:\Windows\System32\JTBFzTj.exe
  2⤵
  PID:5308
- C:\Windows\System32\ZTWNOlw.exe
  C:\Windows\System32\ZTWNOlw.exe
  2⤵
  PID:5312
- C:\Windows\System32\qRvsYYT.exe
  C:\Windows\System32\qRvsYYT.exe
  2⤵
  PID:6136
- C:\Windows\System32\dOmYWIt.exe
  C:\Windows\System32\dOmYWIt.exe
  2⤵
  PID:6048
- C:\Windows\System32\bEkrnvs.exe
  C:\Windows\System32\bEkrnvs.exe
  2⤵
  PID:5920
- C:\Windows\System32\gHVoxDc.exe
  C:\Windows\System32\gHVoxDc.exe
  2⤵
  PID:5668
- C:\Windows\System32\aTGZZGM.exe
  C:\Windows\System32\aTGZZGM.exe
  2⤵
  PID:5352
- C:\Windows\System32\brCYOaE.exe
  C:\Windows\System32\brCYOaE.exe
  2⤵
  PID:5560
- C:\Windows\System32\gtcCoXI.exe
  C:\Windows\System32\gtcCoXI.exe
  2⤵
  PID:5268
- C:\Windows\System32\WEAdFBX.exe
  C:\Windows\System32\WEAdFBX.exe
  2⤵
  PID:5716
- C:\Windows\System32\ARJkbAA.exe
  C:\Windows\System32\ARJkbAA.exe
  2⤵
  PID:6084
- C:\Windows\System32\BfzOpNP.exe
  C:\Windows\System32\BfzOpNP.exe
  2⤵
  PID:6164
- C:\Windows\System32\tQrcwXQ.exe
  C:\Windows\System32\tQrcwXQ.exe
  2⤵
  PID:6184
- C:\Windows\System32\LiHqzGt.exe
  C:\Windows\System32\LiHqzGt.exe
  2⤵
  PID:6200
- C:\Windows\System32\SItKdoh.exe
  C:\Windows\System32\SItKdoh.exe
  2⤵
  PID:6216
- C:\Windows\System32\FfaRZqO.exe
  C:\Windows\System32\FfaRZqO.exe
  2⤵
  PID:6244
- C:\Windows\System32\GoTJkYE.exe
  C:\Windows\System32\GoTJkYE.exe
  2⤵
  PID:6272
- C:\Windows\System32\ixKWmgA.exe
  C:\Windows\System32\ixKWmgA.exe
  2⤵
  PID:6288
- C:\Windows\System32\EiRdeDA.exe
  C:\Windows\System32\EiRdeDA.exe
  2⤵
  PID:6320
- C:\Windows\System32\dsoDSMp.exe
  C:\Windows\System32\dsoDSMp.exe
  2⤵
  PID:6348
- C:\Windows\System32\kvvwbcE.exe
  C:\Windows\System32\kvvwbcE.exe
  2⤵
  PID:6372
- C:\Windows\System32\tpBMdUW.exe
  C:\Windows\System32\tpBMdUW.exe
  2⤵
  PID:6388
- C:\Windows\System32\XRgphme.exe
  C:\Windows\System32\XRgphme.exe
  2⤵
  PID:6420
- C:\Windows\System32\kESautt.exe
  C:\Windows\System32\kESautt.exe
  2⤵
  PID:6436
- C:\Windows\System32\WRPDvWS.exe
  C:\Windows\System32\WRPDvWS.exe
  2⤵
  PID:6456
- C:\Windows\System32\oaejdHM.exe
  C:\Windows\System32\oaejdHM.exe
  2⤵
  PID:6484
- C:\Windows\System32\jlUWzRG.exe
  C:\Windows\System32\jlUWzRG.exe
  2⤵
  PID:6504
- C:\Windows\System32\vRmXnft.exe
  C:\Windows\System32\vRmXnft.exe
  2⤵
  PID:6560
- C:\Windows\System32\tVrhxba.exe
  C:\Windows\System32\tVrhxba.exe
  2⤵
  PID:6596
- C:\Windows\System32\KWPKdyx.exe
  C:\Windows\System32\KWPKdyx.exe
  2⤵
  PID:6616
- C:\Windows\System32\MrszylI.exe
  C:\Windows\System32\MrszylI.exe
  2⤵
  PID:6632
- C:\Windows\System32\JFsONcb.exe
  C:\Windows\System32\JFsONcb.exe
  2⤵
  PID:6652
- C:\Windows\System32\ElvIUON.exe
  C:\Windows\System32\ElvIUON.exe
  2⤵
  PID:6668
- C:\Windows\System32\pHMPNPS.exe
  C:\Windows\System32\pHMPNPS.exe
  2⤵
  PID:6700
- C:\Windows\System32\TbaPujJ.exe
  C:\Windows\System32\TbaPujJ.exe
  2⤵
  PID:6776
- C:\Windows\System32\nNiHFxx.exe
  C:\Windows\System32\nNiHFxx.exe
  2⤵
  PID:6800
- C:\Windows\System32\gYXhIDM.exe
  C:\Windows\System32\gYXhIDM.exe
  2⤵
  PID:6856
- C:\Windows\System32\IhcFsdQ.exe
  C:\Windows\System32\IhcFsdQ.exe
  2⤵
  PID:6896
- C:\Windows\System32\wUifPvB.exe
  C:\Windows\System32\wUifPvB.exe
  2⤵
  PID:6916
- C:\Windows\System32\FLSBeNx.exe
  C:\Windows\System32\FLSBeNx.exe
  2⤵
  PID:6932
- C:\Windows\System32\qWozjhz.exe
  C:\Windows\System32\qWozjhz.exe
  2⤵
  PID:6948
- C:\Windows\System32\qukRIWI.exe
  C:\Windows\System32\qukRIWI.exe
  2⤵
  PID:6972
- C:\Windows\System32\yCrpUed.exe
  C:\Windows\System32\yCrpUed.exe
  2⤵
  PID:7020
- C:\Windows\System32\iNldNde.exe
  C:\Windows\System32\iNldNde.exe
  2⤵
  PID:7036
- C:\Windows\System32\TFUeaOL.exe
  C:\Windows\System32\TFUeaOL.exe
  2⤵
  PID:7052
- C:\Windows\System32\XiYSadP.exe
  C:\Windows\System32\XiYSadP.exe
  2⤵
  PID:7080
- C:\Windows\System32\iXlXClo.exe
  C:\Windows\System32\iXlXClo.exe
  2⤵
  PID:7124
- C:\Windows\System32\hBDKpFK.exe
  C:\Windows\System32\hBDKpFK.exe
  2⤵
  PID:7144
- C:\Windows\System32\ZoquPGS.exe
  C:\Windows\System32\ZoquPGS.exe
  2⤵
  PID:7160
- C:\Windows\System32\Oftupnj.exe
  C:\Windows\System32\Oftupnj.exe
  2⤵
  PID:6228
- C:\Windows\System32\GuVBGzC.exe
  C:\Windows\System32\GuVBGzC.exe
  2⤵
  PID:6212
- C:\Windows\System32\XzbkmEz.exe
  C:\Windows\System32\XzbkmEz.exe
  2⤵
  PID:6264
- C:\Windows\System32\SFfCTzf.exe
  C:\Windows\System32\SFfCTzf.exe
  2⤵
  PID:6340
- C:\Windows\System32\PDQwpqk.exe
  C:\Windows\System32\PDQwpqk.exe
  2⤵
  PID:6552
- C:\Windows\System32\DBAzSOa.exe
  C:\Windows\System32\DBAzSOa.exe
  2⤵
  PID:6640
- C:\Windows\System32\QSbMLKf.exe
  C:\Windows\System32\QSbMLKf.exe
  2⤵
  PID:6664
- C:\Windows\System32\IOTnXFZ.exe
  C:\Windows\System32\IOTnXFZ.exe
  2⤵
  PID:6644
- C:\Windows\System32\WBiyfdJ.exe
  C:\Windows\System32\WBiyfdJ.exe
  2⤵
  PID:6796
- C:\Windows\System32\AcGElQm.exe
  C:\Windows\System32\AcGElQm.exe
  2⤵
  PID:6880
- C:\Windows\System32\IChUIdA.exe
  C:\Windows\System32\IChUIdA.exe
  2⤵
  PID:6956
- C:\Windows\System32\aAtHYEF.exe
  C:\Windows\System32\aAtHYEF.exe
  2⤵
  PID:7000
- C:\Windows\System32\GkLRJVx.exe
  C:\Windows\System32\GkLRJVx.exe
  2⤵
  PID:7032
- C:\Windows\System32\fsdPfze.exe
  C:\Windows\System32\fsdPfze.exe
  2⤵
  PID:7092
- C:\Windows\System32\ISWxtgY.exe
  C:\Windows\System32\ISWxtgY.exe
  2⤵
  PID:7136
- C:\Windows\System32\bTduomN.exe
  C:\Windows\System32\bTduomN.exe
  2⤵
  PID:6192
- C:\Windows\System32\aSLeWML.exe
  C:\Windows\System32\aSLeWML.exe
  2⤵
  PID:6480
- C:\Windows\System32\fswZFto.exe
  C:\Windows\System32\fswZFto.exe
  2⤵
  PID:6548
- C:\Windows\System32\HqaWoTy.exe
  C:\Windows\System32\HqaWoTy.exe
  2⤵
  PID:6540
- C:\Windows\System32\foieqgd.exe
  C:\Windows\System32\foieqgd.exe
  2⤵
  PID:6660
- C:\Windows\System32\RUWfJYg.exe
  C:\Windows\System32\RUWfJYg.exe
  2⤵
  PID:6840
- C:\Windows\System32\HNDSIUp.exe
  C:\Windows\System32\HNDSIUp.exe
  2⤵
  PID:7096
- C:\Windows\System32\jCDRaMr.exe
  C:\Windows\System32\jCDRaMr.exe
  2⤵
  PID:6156
- C:\Windows\System32\LTfbfEh.exe
  C:\Windows\System32\LTfbfEh.exe
  2⤵
  PID:6396
- C:\Windows\System32\HmVknfW.exe
  C:\Windows\System32\HmVknfW.exe
  2⤵
  PID:6516
- C:\Windows\System32\HHphwIB.exe
  C:\Windows\System32\HHphwIB.exe
  2⤵
  PID:7244
- C:\Windows\System32\ScIzItb.exe
  C:\Windows\System32\ScIzItb.exe
  2⤵
  PID:7284
- C:\Windows\System32\CZGDlAG.exe
  C:\Windows\System32\CZGDlAG.exe
  2⤵
  PID:7312
- C:\Windows\System32\ftoYLcp.exe
  C:\Windows\System32\ftoYLcp.exe
  2⤵
  PID:7340
- C:\Windows\System32\QicyLOD.exe
  C:\Windows\System32\QicyLOD.exe
  2⤵
  PID:7364
- C:\Windows\System32\OhxNYjC.exe
  C:\Windows\System32\OhxNYjC.exe
  2⤵
  PID:7380
- C:\Windows\System32\vPuQDSk.exe
  C:\Windows\System32\vPuQDSk.exe
  2⤵
  PID:7396
- C:\Windows\System32\lJINVnX.exe
  C:\Windows\System32\lJINVnX.exe
  2⤵
  PID:7416
- C:\Windows\System32\VSuxSMc.exe
  C:\Windows\System32\VSuxSMc.exe
  2⤵
  PID:7436
- C:\Windows\System32\DEEIvXI.exe
  C:\Windows\System32\DEEIvXI.exe
  2⤵
  PID:7496
- C:\Windows\System32\OSLiaxS.exe
  C:\Windows\System32\OSLiaxS.exe
  2⤵
  PID:7532
- C:\Windows\System32\NRyAPhk.exe
  C:\Windows\System32\NRyAPhk.exe
  2⤵
  PID:7560
- C:\Windows\System32\GuDJlkn.exe
  C:\Windows\System32\GuDJlkn.exe
  2⤵
  PID:7600
- C:\Windows\System32\MFsmxBT.exe
  C:\Windows\System32\MFsmxBT.exe
  2⤵
  PID:7628
- C:\Windows\System32\SgIojBs.exe
  C:\Windows\System32\SgIojBs.exe
  2⤵
  PID:7664
- C:\Windows\System32\nVeNMeY.exe
  C:\Windows\System32\nVeNMeY.exe
  2⤵
  PID:7692
- C:\Windows\System32\HgKbkWy.exe
  C:\Windows\System32\HgKbkWy.exe
  2⤵
  PID:7708
- C:\Windows\System32\LlmeyqD.exe
  C:\Windows\System32\LlmeyqD.exe
  2⤵
  PID:7748
- C:\Windows\System32\jlXWtQe.exe
  C:\Windows\System32\jlXWtQe.exe
  2⤵
  PID:7764
- C:\Windows\System32\iotTgFs.exe
  C:\Windows\System32\iotTgFs.exe
  2⤵
  PID:7808
- C:\Windows\System32\NNZbusb.exe
  C:\Windows\System32\NNZbusb.exe
  2⤵
  PID:7828
- C:\Windows\System32\qYnPeMh.exe
  C:\Windows\System32\qYnPeMh.exe
  2⤵
  PID:7864
- C:\Windows\System32\SkkTWSR.exe
  C:\Windows\System32\SkkTWSR.exe
  2⤵
  PID:7880
- C:\Windows\System32\jQGavwc.exe
  C:\Windows\System32\jQGavwc.exe
  2⤵
  PID:7908
- C:\Windows\System32\OpFMyKN.exe
  C:\Windows\System32\OpFMyKN.exe
  2⤵
  PID:7928
- C:\Windows\System32\YLEdvSC.exe
  C:\Windows\System32\YLEdvSC.exe
  2⤵
  PID:7944
- C:\Windows\System32\hZfPBac.exe
  C:\Windows\System32\hZfPBac.exe
  2⤵
  PID:7980
- C:\Windows\System32\xxSuqXq.exe
  C:\Windows\System32\xxSuqXq.exe
  2⤵
  PID:8000
- C:\Windows\System32\Pjpblzs.exe
  C:\Windows\System32\Pjpblzs.exe
  2⤵
  PID:8016
- C:\Windows\System32\EwjEySd.exe
  C:\Windows\System32\EwjEySd.exe
  2⤵
  PID:8044
- C:\Windows\System32\PmlstpM.exe
  C:\Windows\System32\PmlstpM.exe
  2⤵
  PID:8068
- C:\Windows\System32\ePRVCMk.exe
  C:\Windows\System32\ePRVCMk.exe
  2⤵
  PID:8088
- C:\Windows\System32\INcYOmP.exe
  C:\Windows\System32\INcYOmP.exe
  2⤵
  PID:8104
- C:\Windows\System32\OayEsKY.exe
  C:\Windows\System32\OayEsKY.exe
  2⤵
  PID:8168
- C:\Windows\System32\zBTjPLd.exe
  C:\Windows\System32\zBTjPLd.exe
  2⤵
  PID:7140
- C:\Windows\System32\GewsNzO.exe
  C:\Windows\System32\GewsNzO.exe
  2⤵
  PID:7192
- C:\Windows\System32\UnkcVbz.exe
  C:\Windows\System32\UnkcVbz.exe
  2⤵
  PID:7272
- C:\Windows\System32\gMsKasF.exe
  C:\Windows\System32\gMsKasF.exe
  2⤵
  PID:7304
- C:\Windows\System32\KXqLjVo.exe
  C:\Windows\System32\KXqLjVo.exe
  2⤵
  PID:7348
- C:\Windows\System32\mriQfcN.exe
  C:\Windows\System32\mriQfcN.exe
  2⤵
  PID:7408
- C:\Windows\System32\BzolyLl.exe
  C:\Windows\System32\BzolyLl.exe
  2⤵
  PID:7484
- C:\Windows\System32\TQuiiem.exe
  C:\Windows\System32\TQuiiem.exe
  2⤵
  PID:7580
- C:\Windows\System32\VudzANE.exe
  C:\Windows\System32\VudzANE.exe
  2⤵
  PID:7652
- C:\Windows\System32\cTtAwsE.exe
  C:\Windows\System32\cTtAwsE.exe
  2⤵
  PID:7732
- C:\Windows\System32\HodakeG.exe
  C:\Windows\System32\HodakeG.exe
  2⤵
  PID:7780
- C:\Windows\System32\ExtsmPZ.exe
  C:\Windows\System32\ExtsmPZ.exe
  2⤵
  PID:7836
- C:\Windows\System32\STvlOHC.exe
  C:\Windows\System32\STvlOHC.exe
  2⤵
  PID:7896
- C:\Windows\System32\JOmliUS.exe
  C:\Windows\System32\JOmliUS.exe
  2⤵
  PID:7976
- C:\Windows\System32\zrAHOOY.exe
  C:\Windows\System32\zrAHOOY.exe
  2⤵
  PID:8052
- C:\Windows\System32\jSBZhig.exe
  C:\Windows\System32\jSBZhig.exe
  2⤵
  PID:8100
- C:\Windows\System32\nPxBMpW.exe
  C:\Windows\System32\nPxBMpW.exe
  2⤵
  PID:6908
- C:\Windows\System32\oQgSqXX.exe
  C:\Windows\System32\oQgSqXX.exe
  2⤵
  PID:6864
- C:\Windows\System32\XcSQbSK.exe
  C:\Windows\System32\XcSQbSK.exe
  2⤵
  PID:7264
- C:\Windows\System32\yavRwNw.exe
  C:\Windows\System32\yavRwNw.exe
  2⤵
  PID:7456
- C:\Windows\System32\pKiDCin.exe
  C:\Windows\System32\pKiDCin.exe
  2⤵
  PID:7596
- C:\Windows\System32\hgLsGbg.exe
  C:\Windows\System32\hgLsGbg.exe
  2⤵
  PID:7724
- C:\Windows\System32\XkViBTE.exe
  C:\Windows\System32\XkViBTE.exe
  2⤵
  PID:7844
- C:\Windows\System32\xdgotLS.exe
  C:\Windows\System32\xdgotLS.exe
  2⤵
  PID:7872
- C:\Windows\System32\CmLcdgs.exe
  C:\Windows\System32\CmLcdgs.exe
  2⤵
  PID:8084
- C:\Windows\System32\fZYSnro.exe
  C:\Windows\System32\fZYSnro.exe
  2⤵
  PID:7464
- C:\Windows\System32\asIyUeb.exe
  C:\Windows\System32\asIyUeb.exe
  2⤵
  PID:7876
- C:\Windows\System32\uNIxOZP.exe
  C:\Windows\System32\uNIxOZP.exe
  2⤵
  PID:8140
- C:\Windows\System32\agffIWJ.exe
  C:\Windows\System32\agffIWJ.exe
  2⤵
  PID:7556
- C:\Windows\System32\rOaFdUm.exe
  C:\Windows\System32\rOaFdUm.exe
  2⤵
  PID:7356
- C:\Windows\System32\xpnGWVo.exe
  C:\Windows\System32\xpnGWVo.exe
  2⤵
  PID:8228
- C:\Windows\System32\iBJVMvD.exe
  C:\Windows\System32\iBJVMvD.exe
  2⤵
  PID:8260
- C:\Windows\System32\aQNFGeF.exe
  C:\Windows\System32\aQNFGeF.exe
  2⤵
  PID:8296
- C:\Windows\System32\jvHedNt.exe
  C:\Windows\System32\jvHedNt.exe
  2⤵
  PID:8316
- C:\Windows\System32\ZxqJCwO.exe
  C:\Windows\System32\ZxqJCwO.exe
  2⤵
  PID:8356
- C:\Windows\System32\CUUIHgP.exe
  C:\Windows\System32\CUUIHgP.exe
  2⤵
  PID:8384
- C:\Windows\System32\gZbzHeM.exe
  C:\Windows\System32\gZbzHeM.exe
  2⤵
  PID:8424
- C:\Windows\System32\xyyWtqM.exe
  C:\Windows\System32\xyyWtqM.exe
  2⤵
  PID:8448
- C:\Windows\System32\mlISJHf.exe
  C:\Windows\System32\mlISJHf.exe
  2⤵
  PID:8476
- C:\Windows\System32\qIqqjIj.exe
  C:\Windows\System32\qIqqjIj.exe
  2⤵
  PID:8500
- C:\Windows\System32\aQKqxpE.exe
  C:\Windows\System32\aQKqxpE.exe
  2⤵
  PID:8536
- C:\Windows\System32\qkYKTDm.exe
  C:\Windows\System32\qkYKTDm.exe
  2⤵
  PID:8564
- C:\Windows\System32\HlNjUau.exe
  C:\Windows\System32\HlNjUau.exe
  2⤵
  PID:8592
- C:\Windows\System32\bXKrlKu.exe
  C:\Windows\System32\bXKrlKu.exe
  2⤵
  PID:8616
- C:\Windows\System32\TbHykmw.exe
  C:\Windows\System32\TbHykmw.exe
  2⤵
  PID:8636
- C:\Windows\System32\qdiCCQC.exe
  C:\Windows\System32\qdiCCQC.exe
  2⤵
  PID:8656
- C:\Windows\System32\mvscyJa.exe
  C:\Windows\System32\mvscyJa.exe
  2⤵
  PID:8684
- C:\Windows\System32\eBfVkfl.exe
  C:\Windows\System32\eBfVkfl.exe
  2⤵
  PID:8708
- C:\Windows\System32\XKGhFQQ.exe
  C:\Windows\System32\XKGhFQQ.exe
  2⤵
  PID:8748
- C:\Windows\System32\qqQgYGm.exe
  C:\Windows\System32\qqQgYGm.exe
  2⤵
  PID:8764
- C:\Windows\System32\kZyRNmj.exe
  C:\Windows\System32\kZyRNmj.exe
  2⤵
  PID:8804
- C:\Windows\System32\dtdvnvJ.exe
  C:\Windows\System32\dtdvnvJ.exe
  2⤵
  PID:8844
- C:\Windows\System32\wodfeLs.exe
  C:\Windows\System32\wodfeLs.exe
  2⤵
  PID:8872
- C:\Windows\System32\LKQkNUL.exe
  C:\Windows\System32\LKQkNUL.exe
  2⤵
  PID:8896
- C:\Windows\System32\AqJOdLV.exe
  C:\Windows\System32\AqJOdLV.exe
  2⤵
  PID:8916
- C:\Windows\System32\YpwMPVN.exe
  C:\Windows\System32\YpwMPVN.exe
  2⤵
  PID:8944
- C:\Windows\System32\RYaoOUp.exe
  C:\Windows\System32\RYaoOUp.exe
  2⤵
  PID:8996
- C:\Windows\System32\zetAxLL.exe
  C:\Windows\System32\zetAxLL.exe
  2⤵
  PID:9012
- C:\Windows\System32\bQrjDfd.exe
  C:\Windows\System32\bQrjDfd.exe
  2⤵
  PID:9036
- C:\Windows\System32\tjTJvox.exe
  C:\Windows\System32\tjTJvox.exe
  2⤵
  PID:9084
- C:\Windows\System32\oxUphWj.exe
  C:\Windows\System32\oxUphWj.exe
  2⤵
  PID:9104
- C:\Windows\System32\VKdfIZF.exe
  C:\Windows\System32\VKdfIZF.exe
  2⤵
  PID:9124
- C:\Windows\System32\XiqkVIA.exe
  C:\Windows\System32\XiqkVIA.exe
  2⤵
  PID:9152
- C:\Windows\System32\nzJcOoZ.exe
  C:\Windows\System32\nzJcOoZ.exe
  2⤵
  PID:9168
- C:\Windows\System32\GbJClFF.exe
  C:\Windows\System32\GbJClFF.exe
  2⤵
  PID:9188
- C:\Windows\System32\YKZemut.exe
  C:\Windows\System32\YKZemut.exe
  2⤵
  PID:7176
- C:\Windows\System32\EpuBDMG.exe
  C:\Windows\System32\EpuBDMG.exe
  2⤵
  PID:7660
- C:\Windows\System32\ZwwkrDo.exe
  C:\Windows\System32\ZwwkrDo.exe
  2⤵
  PID:8308
- C:\Windows\System32\HdnBwqJ.exe
  C:\Windows\System32\HdnBwqJ.exe
  2⤵
  PID:8588
- C:\Windows\System32\PFhRJtY.exe
  C:\Windows\System32\PFhRJtY.exe
  2⤵
  PID:8628
- C:\Windows\System32\AQJaDkU.exe
  C:\Windows\System32\AQJaDkU.exe
  2⤵
  PID:8652
- C:\Windows\System32\HCWgNBt.exe
  C:\Windows\System32\HCWgNBt.exe
  2⤵
  PID:8704
- C:\Windows\System32\KgVztHl.exe
  C:\Windows\System32\KgVztHl.exe
  2⤵
  PID:8700
- C:\Windows\System32\JmTDlnC.exe
  C:\Windows\System32\JmTDlnC.exe
  2⤵
  PID:8784
- C:\Windows\System32\hYwkaKb.exe
  C:\Windows\System32\hYwkaKb.exe
  2⤵
  PID:8812
- C:\Windows\System32\WLiLdPR.exe
  C:\Windows\System32\WLiLdPR.exe
  2⤵
  PID:8828
- C:\Windows\System32\xcInyDG.exe
  C:\Windows\System32\xcInyDG.exe
  2⤵
  PID:8880
- C:\Windows\System32\qOtfByc.exe
  C:\Windows\System32\qOtfByc.exe
  2⤵
  PID:8940
- C:\Windows\System32\nGbfOKg.exe
  C:\Windows\System32\nGbfOKg.exe
  2⤵
  PID:8984
- C:\Windows\System32\zNzPMYb.exe
  C:\Windows\System32\zNzPMYb.exe
  2⤵
  PID:9008
- C:\Windows\System32\uvUmglR.exe
  C:\Windows\System32\uvUmglR.exe
  2⤵
  PID:9048
- C:\Windows\System32\WEdrqKQ.exe
  C:\Windows\System32\WEdrqKQ.exe
  2⤵
  PID:9100
- C:\Windows\System32\ZLzouUz.exe
  C:\Windows\System32\ZLzouUz.exe
  2⤵
  PID:8404
- C:\Windows\System32\OIjUXKm.exe
  C:\Windows\System32\OIjUXKm.exe
  2⤵
  PID:8560
- C:\Windows\System32\XRxhgBA.exe
  C:\Windows\System32\XRxhgBA.exe
  2⤵
  PID:8836
- C:\Windows\System32\GnOqChd.exe
  C:\Windows\System32\GnOqChd.exe
  2⤵
  PID:9072
- C:\Windows\System32\ITEYrLk.exe
  C:\Windows\System32\ITEYrLk.exe
  2⤵
  PID:9204
- C:\Windows\System32\gJWPgpJ.exe
  C:\Windows\System32\gJWPgpJ.exe
  2⤵
  PID:9200
- C:\Windows\System32\qagcAgL.exe
  C:\Windows\System32\qagcAgL.exe
  2⤵
  PID:8432
- C:\Windows\System32\dVkyAwT.exe
  C:\Windows\System32\dVkyAwT.exe
  2⤵
  PID:9160
- C:\Windows\System32\ESPJwLy.exe
  C:\Windows\System32\ESPJwLy.exe
  2⤵
  PID:9140
- C:\Windows\System32\eDgsDuk.exe
  C:\Windows\System32\eDgsDuk.exe
  2⤵
  PID:8736
- C:\Windows\System32\VUUpPCo.exe
  C:\Windows\System32\VUUpPCo.exe
  2⤵
  PID:9228
- C:\Windows\System32\xAyADBk.exe
  C:\Windows\System32\xAyADBk.exe
  2⤵
  PID:9252
- C:\Windows\System32\gPhEfkP.exe
  C:\Windows\System32\gPhEfkP.exe
  2⤵
  PID:9296
- C:\Windows\System32\vpkLGaW.exe
  C:\Windows\System32\vpkLGaW.exe
  2⤵
  PID:9324
- C:\Windows\System32\bVnuDXl.exe
  C:\Windows\System32\bVnuDXl.exe
  2⤵
  PID:9360
- C:\Windows\System32\oMzFxHz.exe
  C:\Windows\System32\oMzFxHz.exe
  2⤵
  PID:9392
- C:\Windows\System32\QpfLRRi.exe
  C:\Windows\System32\QpfLRRi.exe
  2⤵
  PID:9416
- C:\Windows\System32\sZieSBF.exe
  C:\Windows\System32\sZieSBF.exe
  2⤵
  PID:9448
- C:\Windows\System32\ZHtEmIa.exe
  C:\Windows\System32\ZHtEmIa.exe
  2⤵
  PID:9488
- C:\Windows\System32\QkHTtIm.exe
  C:\Windows\System32\QkHTtIm.exe
  2⤵
  PID:9504
- C:\Windows\System32\LcHfBLd.exe
  C:\Windows\System32\LcHfBLd.exe
  2⤵
  PID:9544
- C:\Windows\System32\ovBkYmI.exe
  C:\Windows\System32\ovBkYmI.exe
  2⤵
  PID:9564
- C:\Windows\System32\cvhxMZM.exe
  C:\Windows\System32\cvhxMZM.exe
  2⤵
  PID:9592
- C:\Windows\System32\zUGEFnO.exe
  C:\Windows\System32\zUGEFnO.exe
  2⤵
  PID:9608
- C:\Windows\System32\CardZfJ.exe
  C:\Windows\System32\CardZfJ.exe
  2⤵
  PID:9648
- C:\Windows\System32\gLeQgqP.exe
  C:\Windows\System32\gLeQgqP.exe
  2⤵
  PID:9672
- C:\Windows\System32\YKrZYJM.exe
  C:\Windows\System32\YKrZYJM.exe
  2⤵
  PID:9696
- C:\Windows\System32\ufchhqB.exe
  C:\Windows\System32\ufchhqB.exe
  2⤵
  PID:9724
- C:\Windows\System32\CyYPKds.exe
  C:\Windows\System32\CyYPKds.exe
  2⤵
  PID:9748
- C:\Windows\System32\uoFxYON.exe
  C:\Windows\System32\uoFxYON.exe
  2⤵
  PID:9776
- C:\Windows\System32\hRVAOwc.exe
  C:\Windows\System32\hRVAOwc.exe
  2⤵
  PID:9820
- C:\Windows\System32\rjcafYX.exe
  C:\Windows\System32\rjcafYX.exe
  2⤵
  PID:9848
- C:\Windows\System32\GWKLRMA.exe
  C:\Windows\System32\GWKLRMA.exe
  2⤵
  PID:9880
- C:\Windows\System32\eTTxZOp.exe
  C:\Windows\System32\eTTxZOp.exe
  2⤵
  PID:9904
- C:\Windows\System32\ySUrcyq.exe
  C:\Windows\System32\ySUrcyq.exe
  2⤵
  PID:9924
- C:\Windows\System32\xSoFLgn.exe
  C:\Windows\System32\xSoFLgn.exe
  2⤵
  PID:9956
- C:\Windows\System32\rTyESmY.exe
  C:\Windows\System32\rTyESmY.exe
  2⤵
  PID:9976
- C:\Windows\System32\kyNrNKE.exe
  C:\Windows\System32\kyNrNKE.exe
  2⤵
  PID:10000
- C:\Windows\System32\OccvXav.exe
  C:\Windows\System32\OccvXav.exe
  2⤵
  PID:10028
- C:\Windows\System32\NapabID.exe
  C:\Windows\System32\NapabID.exe
  2⤵
  PID:10056
- C:\Windows\System32\leAMFCn.exe
  C:\Windows\System32\leAMFCn.exe
  2⤵
  PID:10096
- C:\Windows\System32\oTjZvpj.exe
  C:\Windows\System32\oTjZvpj.exe
  2⤵
  PID:10112
- C:\Windows\System32\FnMfzlu.exe
  C:\Windows\System32\FnMfzlu.exe
  2⤵
  PID:10132
- C:\Windows\System32\mmAUGOz.exe
  C:\Windows\System32\mmAUGOz.exe
  2⤵
  PID:10180
- C:\Windows\System32\BYVkzsg.exe
  C:\Windows\System32\BYVkzsg.exe
  2⤵
  PID:10208
- C:\Windows\System32\vTAotRV.exe
  C:\Windows\System32\vTAotRV.exe
  2⤵
  PID:9220
- C:\Windows\System32\mKWgGOp.exe
  C:\Windows\System32\mKWgGOp.exe
  2⤵
  PID:9284
- C:\Windows\System32\OJcFerb.exe
  C:\Windows\System32\OJcFerb.exe
  2⤵
  PID:9376
- C:\Windows\System32\mFPkqpL.exe
  C:\Windows\System32\mFPkqpL.exe
  2⤵
  PID:9440
- C:\Windows\System32\HdvJgSV.exe
  C:\Windows\System32\HdvJgSV.exe
  2⤵
  PID:9516
- C:\Windows\System32\xTxsgUN.exe
  C:\Windows\System32\xTxsgUN.exe
  2⤵
  PID:9580
- C:\Windows\System32\DcLIrNh.exe
  C:\Windows\System32\DcLIrNh.exe
  2⤵
  PID:9640
- C:\Windows\System32\bleXaLC.exe
  C:\Windows\System32\bleXaLC.exe
  2⤵
  PID:9716
- C:\Windows\System32\wDviJma.exe
  C:\Windows\System32\wDviJma.exe
  2⤵
  PID:9828
- C:\Windows\System32\mUNBuRD.exe
  C:\Windows\System32\mUNBuRD.exe
  2⤵
  PID:9876
- C:\Windows\System32\qpiYkss.exe
  C:\Windows\System32\qpiYkss.exe
  2⤵
  PID:9936
- C:\Windows\System32\lFvRsZt.exe
  C:\Windows\System32\lFvRsZt.exe
  2⤵
  PID:9984
- C:\Windows\System32\ppulhPG.exe
  C:\Windows\System32\ppulhPG.exe
  2⤵
  PID:10016
- C:\Windows\System32\scaiBYe.exe
  C:\Windows\System32\scaiBYe.exe
  2⤵
  PID:10104
- C:\Windows\System32\VzfQocT.exe
  C:\Windows\System32\VzfQocT.exe
  2⤵
  PID:10176
- C:\Windows\System32\TUbMDHo.exe
  C:\Windows\System32\TUbMDHo.exe
  2⤵
  PID:9332
- C:\Windows\System32\PxlpFzB.exe
  C:\Windows\System32\PxlpFzB.exe
  2⤵
  PID:9496
- C:\Windows\System32\vByKtBh.exe
  C:\Windows\System32\vByKtBh.exe
  2⤵
  PID:3804
- C:\Windows\System32\sTYugIV.exe
  C:\Windows\System32\sTYugIV.exe
  2⤵
  PID:9664
- C:\Windows\System32\WzuKWOw.exe
  C:\Windows\System32\WzuKWOw.exe
  2⤵
  PID:9796
- C:\Windows\System32\JbyCTeZ.exe
  C:\Windows\System32\JbyCTeZ.exe
  2⤵
  PID:10080
- C:\Windows\System32\hkogDMw.exe
  C:\Windows\System32\hkogDMw.exe
  2⤵
  PID:9280
- C:\Windows\System32\posGiTU.exe
  C:\Windows\System32\posGiTU.exe
  2⤵
  PID:9576
- C:\Windows\System32\FtzHvtT.exe
  C:\Windows\System32\FtzHvtT.exe
  2⤵
  PID:10088
- C:\Windows\System32\CkyDlhL.exe
  C:\Windows\System32\CkyDlhL.exe
  2⤵
  PID:10128
- C:\Windows\System32\JzLLLUM.exe
  C:\Windows\System32\JzLLLUM.exe
  2⤵
  PID:10148
- C:\Windows\System32\MRIDDGk.exe
  C:\Windows\System32\MRIDDGk.exe
  2⤵
  PID:10256
- C:\Windows\System32\rAeWNke.exe
  C:\Windows\System32\rAeWNke.exe
  2⤵
  PID:10284
- C:\Windows\System32\wmfFzPm.exe
  C:\Windows\System32\wmfFzPm.exe
  2⤵
  PID:10336
- C:\Windows\System32\AhvzAka.exe
  C:\Windows\System32\AhvzAka.exe
  2⤵
  PID:10360
- C:\Windows\System32\sPsGQKu.exe
  C:\Windows\System32\sPsGQKu.exe
  2⤵
  PID:10384
- C:\Windows\System32\nMtLedR.exe
  C:\Windows\System32\nMtLedR.exe
  2⤵
  PID:10408
- C:\Windows\System32\YJAhbfv.exe
  C:\Windows\System32\YJAhbfv.exe
  2⤵
  PID:10424
- C:\Windows\System32\jLzlloe.exe
  C:\Windows\System32\jLzlloe.exe
  2⤵
  PID:10472
- C:\Windows\System32\MZYQPfk.exe
  C:\Windows\System32\MZYQPfk.exe
  2⤵
  PID:10492
- C:\Windows\System32\ZIInwOk.exe
  C:\Windows\System32\ZIInwOk.exe
  2⤵
  PID:10508
- C:\Windows\System32\kMaapeA.exe
  C:\Windows\System32\kMaapeA.exe
  2⤵
  PID:10532
- C:\Windows\System32\OxYhGjA.exe
  C:\Windows\System32\OxYhGjA.exe
  2⤵
  PID:10592
- C:\Windows\System32\RISNOmB.exe
  C:\Windows\System32\RISNOmB.exe
  2⤵
  PID:10612
- C:\Windows\System32\oTDkDVD.exe
  C:\Windows\System32\oTDkDVD.exe
  2⤵
  PID:10640
- C:\Windows\System32\nihrwiN.exe
  C:\Windows\System32\nihrwiN.exe
  2⤵
  PID:10668
- C:\Windows\System32\sIGCjUx.exe
  C:\Windows\System32\sIGCjUx.exe
  2⤵
  PID:10688
- C:\Windows\System32\NPKbiFS.exe
  C:\Windows\System32\NPKbiFS.exe
  2⤵
  PID:10712
- C:\Windows\System32\PMLYtAC.exe
  C:\Windows\System32\PMLYtAC.exe
  2⤵
  PID:10736
- C:\Windows\System32\HJeTUZs.exe
  C:\Windows\System32\HJeTUZs.exe
  2⤵
  PID:10752
- C:\Windows\System32\poDcONj.exe
  C:\Windows\System32\poDcONj.exe
  2⤵
  PID:10808
- C:\Windows\System32\wLNzMnI.exe
  C:\Windows\System32\wLNzMnI.exe
  2⤵
  PID:10836
- C:\Windows\System32\GURiNjN.exe
  C:\Windows\System32\GURiNjN.exe
  2⤵
  PID:10856
- C:\Windows\System32\uvMCuKt.exe
  C:\Windows\System32\uvMCuKt.exe
  2⤵
  PID:10872
- C:\Windows\System32\paiJSEM.exe
  C:\Windows\System32\paiJSEM.exe
  2⤵
  PID:10896
- C:\Windows\System32\LgydIMv.exe
  C:\Windows\System32\LgydIMv.exe
  2⤵
  PID:10948
- C:\Windows\System32\lBmzliD.exe
  C:\Windows\System32\lBmzliD.exe
  2⤵
  PID:10968
- C:\Windows\System32\eDDeakm.exe
  C:\Windows\System32\eDDeakm.exe
  2⤵
  PID:10992
- C:\Windows\System32\xtxgcHo.exe
  C:\Windows\System32\xtxgcHo.exe
  2⤵
  PID:11012
- C:\Windows\System32\KMcAhwU.exe
  C:\Windows\System32\KMcAhwU.exe
  2⤵
  PID:11028
- C:\Windows\System32\GzMrpjy.exe
  C:\Windows\System32\GzMrpjy.exe
  2⤵
  PID:11076
- C:\Windows\System32\NLvDdsR.exe
  C:\Windows\System32\NLvDdsR.exe
  2⤵
  PID:11096
- C:\Windows\System32\KXhZBXC.exe
  C:\Windows\System32\KXhZBXC.exe
  2⤵
  PID:11112
- C:\Windows\System32\YSmVvny.exe
  C:\Windows\System32\YSmVvny.exe
  2⤵
  PID:11136
- C:\Windows\System32\iidNjZF.exe
  C:\Windows\System32\iidNjZF.exe
  2⤵
  PID:11184
- C:\Windows\System32\ixVMQVW.exe
  C:\Windows\System32\ixVMQVW.exe
  2⤵
  PID:11208
- C:\Windows\System32\WZZNnyP.exe
  C:\Windows\System32\WZZNnyP.exe
  2⤵
  PID:11256
- C:\Windows\System32\QAyskCi.exe
  C:\Windows\System32\QAyskCi.exe
  2⤵
  PID:10264
- C:\Windows\System32\YJhtzKU.exe
  C:\Windows\System32\YJhtzKU.exe
  2⤵
  PID:10324
- C:\Windows\System32\czwtTys.exe
  C:\Windows\System32\czwtTys.exe
  2⤵
  PID:10392
- C:\Windows\System32\ZvOhAKX.exe
  C:\Windows\System32\ZvOhAKX.exe
  2⤵
  PID:10460
- C:\Windows\System32\RMLhrKY.exe
  C:\Windows\System32\RMLhrKY.exe
  2⤵
  PID:10516
- C:\Windows\System32\mijtNad.exe
  C:\Windows\System32\mijtNad.exe
  2⤵
  PID:10604
- C:\Windows\System32\MpOZGIm.exe
  C:\Windows\System32\MpOZGIm.exe
  2⤵
  PID:10664
- C:\Windows\System32\ikZfOIM.exe
  C:\Windows\System32\ikZfOIM.exe
  2⤵
  PID:10760
- C:\Windows\System32\ZtFShAK.exe
  C:\Windows\System32\ZtFShAK.exe
  2⤵
  PID:10772
- C:\Windows\System32\idwRkYv.exe
  C:\Windows\System32\idwRkYv.exe
  2⤵
  PID:10868
- C:\Windows\System32\QUxesBb.exe
  C:\Windows\System32\QUxesBb.exe
  2⤵
  PID:10864
- C:\Windows\System32\TicxnWa.exe
  C:\Windows\System32\TicxnWa.exe
  2⤵
  PID:10964
- C:\Windows\System32\fYrlheG.exe
  C:\Windows\System32\fYrlheG.exe
  2⤵
  PID:11036
- C:\Windows\System32\XUWYCUg.exe
  C:\Windows\System32\XUWYCUg.exe
  2⤵
  PID:11060
- C:\Windows\System32\buatlmQ.exe
  C:\Windows\System32\buatlmQ.exe
  2⤵
  PID:11192
- C:\Windows\System32\HoyOCfA.exe
  C:\Windows\System32\HoyOCfA.exe
  2⤵
  PID:9764
- C:\Windows\System32\ONIHnVo.exe
  C:\Windows\System32\ONIHnVo.exe
  2⤵
  PID:10436
- C:\Windows\System32\beFhbuz.exe
  C:\Windows\System32\beFhbuz.exe
  2⤵
  PID:10540
- C:\Windows\System32\PgRssIq.exe
  C:\Windows\System32\PgRssIq.exe
  2⤵
  PID:10704
- C:\Windows\System32\fsrgFFR.exe
  C:\Windows\System32\fsrgFFR.exe
  2⤵
  PID:10832
- C:\Windows\System32\rKQsjrl.exe
  C:\Windows\System32\rKQsjrl.exe
  2⤵
  PID:10928
- C:\Windows\System32\dUlnqzg.exe
  C:\Windows\System32\dUlnqzg.exe
  2⤵
  PID:10976
- C:\Windows\System32\xcAOOCx.exe
  C:\Windows\System32\xcAOOCx.exe
  2⤵
  PID:11204
- C:\Windows\System32\ASRMcOD.exe
  C:\Windows\System32\ASRMcOD.exe
  2⤵
  PID:10248
- C:\Windows\System32\nChxTcw.exe
  C:\Windows\System32\nChxTcw.exe
  2⤵
  PID:10708
- C:\Windows\System32\ygYGpsM.exe
  C:\Windows\System32\ygYGpsM.exe
  2⤵
  PID:11000
- C:\Windows\System32\ROKkkKU.exe
  C:\Windows\System32\ROKkkKU.exe
  2⤵
  PID:11268
- C:\Windows\System32\yayILvO.exe
  C:\Windows\System32\yayILvO.exe
  2⤵
  PID:11284
- C:\Windows\System32\OBCgMyB.exe
  C:\Windows\System32\OBCgMyB.exe
  2⤵
  PID:11348
- C:\Windows\System32\BJcGlxA.exe
  C:\Windows\System32\BJcGlxA.exe
  2⤵
  PID:11376
- C:\Windows\System32\RjJxQre.exe
  C:\Windows\System32\RjJxQre.exe
  2⤵
  PID:11392
- C:\Windows\System32\DlqOHsL.exe
  C:\Windows\System32\DlqOHsL.exe
  2⤵
  PID:11412
- C:\Windows\System32\KMmvfWS.exe
  C:\Windows\System32\KMmvfWS.exe
  2⤵
  PID:11456
- C:\Windows\System32\pZRfzXR.exe
  C:\Windows\System32\pZRfzXR.exe
  2⤵
  PID:11476
- C:\Windows\System32\BhhVVaA.exe
  C:\Windows\System32\BhhVVaA.exe
  2⤵
  PID:11516
- C:\Windows\System32\pPLvzZk.exe
  C:\Windows\System32\pPLvzZk.exe
  2⤵
  PID:11536
- C:\Windows\System32\FmKwUgp.exe
  C:\Windows\System32\FmKwUgp.exe
  2⤵
  PID:11552
- C:\Windows\System32\wEHKDKi.exe
  C:\Windows\System32\wEHKDKi.exe
  2⤵
  PID:11604
- C:\Windows\System32\qECtNaA.exe
  C:\Windows\System32\qECtNaA.exe
  2⤵
  PID:11628
- C:\Windows\System32\oewGxwF.exe
  C:\Windows\System32\oewGxwF.exe
  2⤵
  PID:11652
- C:\Windows\System32\witzSzR.exe
  C:\Windows\System32\witzSzR.exe
  2⤵
  PID:11668
- C:\Windows\System32\ZRcLEtn.exe
  C:\Windows\System32\ZRcLEtn.exe
  2⤵
  PID:11708
- C:\Windows\System32\RgqnFId.exe
  C:\Windows\System32\RgqnFId.exe
  2⤵
  PID:11736
- C:\Windows\System32\GGfOTzj.exe
  C:\Windows\System32\GGfOTzj.exe
  2⤵
  PID:11776
- C:\Windows\System32\mhzCIos.exe
  C:\Windows\System32\mhzCIos.exe
  2⤵
  PID:11804
- C:\Windows\System32\CQrDVAs.exe
  C:\Windows\System32\CQrDVAs.exe
  2⤵
  PID:11820
- C:\Windows\System32\gwRYMtD.exe
  C:\Windows\System32\gwRYMtD.exe
  2⤵
  PID:11840
- C:\Windows\System32\DWJgeLl.exe
  C:\Windows\System32\DWJgeLl.exe
  2⤵
  PID:11880
- C:\Windows\System32\IwOzPNN.exe
  C:\Windows\System32\IwOzPNN.exe
  2⤵
  PID:11896
- C:\Windows\System32\NePNxvi.exe
  C:\Windows\System32\NePNxvi.exe
  2⤵
  PID:11916
- C:\Windows\System32\CqUkOcv.exe
  C:\Windows\System32\CqUkOcv.exe
  2⤵
  PID:11936
- C:\Windows\System32\TgrErfx.exe
  C:\Windows\System32\TgrErfx.exe
  2⤵
  PID:11956
- C:\Windows\System32\cVAUXqG.exe
  C:\Windows\System32\cVAUXqG.exe
  2⤵
  PID:11976
- C:\Windows\System32\rBMVVzP.exe
  C:\Windows\System32\rBMVVzP.exe
  2⤵
  PID:11992
- C:\Windows\System32\ndjCHeB.exe
  C:\Windows\System32\ndjCHeB.exe
  2⤵
  PID:12084
- C:\Windows\System32\rTCuPtd.exe
  C:\Windows\System32\rTCuPtd.exe
  2⤵
  PID:12108
- C:\Windows\System32\YHXnXAK.exe
  C:\Windows\System32\YHXnXAK.exe
  2⤵
  PID:12124
- C:\Windows\System32\dfHCits.exe
  C:\Windows\System32\dfHCits.exe
  2⤵
  PID:12160
- C:\Windows\System32\aDPwPQW.exe
  C:\Windows\System32\aDPwPQW.exe
  2⤵
  PID:12188
- C:\Windows\System32\MuBGSMa.exe
  C:\Windows\System32\MuBGSMa.exe
  2⤵
  PID:12208
- C:\Windows\System32\OtFkBgh.exe
  C:\Windows\System32\OtFkBgh.exe
  2⤵
  PID:12248
- C:\Windows\System32\BjAYBva.exe
  C:\Windows\System32\BjAYBva.exe
  2⤵
  PID:12268
- C:\Windows\System32\WAPFVhS.exe
  C:\Windows\System32\WAPFVhS.exe
  2⤵
  PID:10828
- C:\Windows\System32\XnXQhUQ.exe
  C:\Windows\System32\XnXQhUQ.exe
  2⤵
  PID:11148
- C:\Windows\System32\tYoKCqG.exe
  C:\Windows\System32\tYoKCqG.exe
  2⤵
  PID:11308
- C:\Windows\System32\fqCPKty.exe
  C:\Windows\System32\fqCPKty.exe
  2⤵
  PID:11420
- C:\Windows\System32\VLeLDWj.exe
  C:\Windows\System32\VLeLDWj.exe
  2⤵
  PID:11464
- C:\Windows\System32\CmuYunt.exe
  C:\Windows\System32\CmuYunt.exe
  2⤵
  PID:11524
- C:\Windows\System32\vjEZGyU.exe
  C:\Windows\System32\vjEZGyU.exe
  2⤵
  PID:11640
- C:\Windows\System32\AJiFMyo.exe
  C:\Windows\System32\AJiFMyo.exe
  2⤵
  PID:11700
- C:\Windows\System32\gmbvvqt.exe
  C:\Windows\System32\gmbvvqt.exe
  2⤵
  PID:11764
- C:\Windows\System32\ndBPGyj.exe
  C:\Windows\System32\ndBPGyj.exe
  2⤵
  PID:11836
- C:\Windows\System32\RkRngQt.exe
  C:\Windows\System32\RkRngQt.exe
  2⤵
  PID:11912
- C:\Windows\System32\hdcwYnn.exe
  C:\Windows\System32\hdcwYnn.exe
  2⤵
  PID:11944
- C:\Windows\System32\toNidlq.exe
  C:\Windows\System32\toNidlq.exe
  2⤵
  PID:11952
- C:\Windows\System32\ONmNFnX.exe
  C:\Windows\System32\ONmNFnX.exe
  2⤵
  PID:12032
- C:\Windows\System32\leMvxuC.exe
  C:\Windows\System32\leMvxuC.exe
  2⤵
  PID:12136
- C:\Windows\System32\vtjFhOk.exe
  C:\Windows\System32\vtjFhOk.exe
  2⤵
  PID:12204
- C:\Windows\System32\skcYQxc.exe
  C:\Windows\System32\skcYQxc.exe
  2⤵
  PID:12264
- C:\Windows\System32\XwOitAG.exe
  C:\Windows\System32\XwOitAG.exe
  2⤵
  PID:11304
- C:\Windows\System32\KtwNeOR.exe
  C:\Windows\System32\KtwNeOR.exe
  2⤵
  PID:11500
- C:\Windows\System32\akbnwSm.exe
  C:\Windows\System32\akbnwSm.exe
  2⤵
  PID:11612
- C:\Windows\System32\rGaQxTG.exe
  C:\Windows\System32\rGaQxTG.exe
  2⤵
  PID:11748
- C:\Windows\System32\wtrlekr.exe
  C:\Windows\System32\wtrlekr.exe
  2⤵
  PID:11928
- C:\Windows\System32\qJtYBfg.exe
  C:\Windows\System32\qJtYBfg.exe
  2⤵
  PID:3648
- C:\Windows\System32\RPTbacg.exe
  C:\Windows\System32\RPTbacg.exe
  2⤵
  PID:11892
- C:\Windows\System32\YihdKuK.exe
  C:\Windows\System32\YihdKuK.exe
  2⤵
  PID:12020
- C:\Windows\System32\aArwcBB.exe
  C:\Windows\System32\aArwcBB.exe
  2⤵
  PID:12096
- C:\Windows\System32\iCZCXWh.exe
  C:\Windows\System32\iCZCXWh.exe
  2⤵
  PID:11368
- C:\Windows\System32\YmKRRBl.exe
  C:\Windows\System32\YmKRRBl.exe
  2⤵
  PID:11948
- C:\Windows\System32\XtEpJsU.exe
  C:\Windows\System32\XtEpJsU.exe
  2⤵
  PID:12184
- C:\Windows\System32\pvwImuc.exe
  C:\Windows\System32\pvwImuc.exe
  2⤵
  PID:11404
- C:\Windows\System32\MUNuLYB.exe
  C:\Windows\System32\MUNuLYB.exe
  2⤵
  PID:4204
- C:\Windows\System32\VrtkVBy.exe
  C:\Windows\System32\VrtkVBy.exe
  2⤵
  PID:12312
- C:\Windows\System32\cdPAhbK.exe
  C:\Windows\System32\cdPAhbK.exe
  2⤵
  PID:12336
- C:\Windows\System32\agnZFdj.exe
  C:\Windows\System32\agnZFdj.exe
  2⤵
  PID:12372
- C:\Windows\System32\CHbbZuL.exe
  C:\Windows\System32\CHbbZuL.exe
  2⤵
  PID:12392
- C:\Windows\System32\AaTHmvJ.exe
  C:\Windows\System32\AaTHmvJ.exe
  2⤵
  PID:12408
- C:\Windows\System32\mJbcOqE.exe
  C:\Windows\System32\mJbcOqE.exe
  2⤵
  PID:12432
- C:\Windows\System32\FcaMkZL.exe
  C:\Windows\System32\FcaMkZL.exe
  2⤵
  PID:12476
- C:\Windows\System32\VSlRiDp.exe
  C:\Windows\System32\VSlRiDp.exe
  2⤵
  PID:12500
- C:\Windows\System32\NBmDCWp.exe
  C:\Windows\System32\NBmDCWp.exe
  2⤵
  PID:12524
- C:\Windows\System32\iShzJBF.exe
  C:\Windows\System32\iShzJBF.exe
  2⤵
  PID:12552
- C:\Windows\System32\VShkSGF.exe
  C:\Windows\System32\VShkSGF.exe
  2⤵
  PID:12592
- C:\Windows\System32\RmwjiZm.exe
  C:\Windows\System32\RmwjiZm.exe
  2⤵
  PID:12624
- C:\Windows\System32\CHCFzaT.exe
  C:\Windows\System32\CHCFzaT.exe
  2⤵
  PID:12660
- C:\Windows\System32\EyoHNDx.exe
  C:\Windows\System32\EyoHNDx.exe
  2⤵
  PID:12676
- C:\Windows\System32\zOCNWWu.exe
  C:\Windows\System32\zOCNWWu.exe
  2⤵
  PID:12700
- C:\Windows\System32\nzWOhpS.exe
  C:\Windows\System32\nzWOhpS.exe
  2⤵
  PID:12716
- C:\Windows\System32\zOusZZm.exe
  C:\Windows\System32\zOusZZm.exe
  2⤵
  PID:12744
- C:\Windows\System32\PFrknMr.exe
  C:\Windows\System32\PFrknMr.exe
  2⤵
  PID:12764
- C:\Windows\System32\oTUkMmG.exe
  C:\Windows\System32\oTUkMmG.exe
  2⤵
  PID:12820
- C:\Windows\System32\DLmiDln.exe
  C:\Windows\System32\DLmiDln.exe
  2⤵
  PID:12848
- C:\Windows\System32\JzeeEQC.exe
  C:\Windows\System32\JzeeEQC.exe
  2⤵
  PID:12864
- C:\Windows\System32\uESetcR.exe
  C:\Windows\System32\uESetcR.exe
  2⤵
  PID:12888
- C:\Windows\System32\QIzLMCc.exe
  C:\Windows\System32\QIzLMCc.exe
  2⤵
  PID:12904
- C:\Windows\System32\ZtMkYCl.exe
  C:\Windows\System32\ZtMkYCl.exe
  2⤵
  PID:12948
- C:\Windows\System32\PvBmpwz.exe
  C:\Windows\System32\PvBmpwz.exe
  2⤵
  PID:12996
- C:\Windows\System32\XolopHN.exe
  C:\Windows\System32\XolopHN.exe
  2⤵
  PID:13012
- C:\Windows\System32\ytQorZU.exe
  C:\Windows\System32\ytQorZU.exe
  2⤵
  PID:13032
- C:\Windows\System32\pQZDKfO.exe
  C:\Windows\System32\pQZDKfO.exe
  2⤵
  PID:13072
- C:\Windows\System32\ZfwfJhw.exe
  C:\Windows\System32\ZfwfJhw.exe
  2⤵
  PID:13096
- C:\Windows\System32\ezHhjWy.exe
  C:\Windows\System32\ezHhjWy.exe
  2⤵
  PID:13116
- C:\Windows\System32\gchJoFo.exe
  C:\Windows\System32\gchJoFo.exe
  2⤵
  PID:13144
- C:\Windows\System32\dQIIpGa.exe
  C:\Windows\System32\dQIIpGa.exe
  2⤵
  PID:13164
- C:\Windows\System32\Zajuwhv.exe
  C:\Windows\System32\Zajuwhv.exe
  2⤵
  PID:13184
- C:\Windows\System32\rCwRVRD.exe
  C:\Windows\System32\rCwRVRD.exe
  2⤵
  PID:13228
- C:\Windows\System32\lhCcSEw.exe
  C:\Windows\System32\lhCcSEw.exe
  2⤵
  PID:13276
- C:\Windows\System32\QNNGEys.exe
  C:\Windows\System32\QNNGEys.exe
  2⤵
  PID:13292
- C:\Windows\System32\CWsuqxM.exe
  C:\Windows\System32\CWsuqxM.exe
  2⤵
  PID:12324
- C:\Windows\System32\muZBUro.exe
  C:\Windows\System32\muZBUro.exe
  2⤵
  PID:12360
- C:\Windows\System32\leMGnXN.exe
  C:\Windows\System32\leMGnXN.exe
  2⤵
  PID:12420
- C:\Windows\System32\qNqiwgb.exe
  C:\Windows\System32\qNqiwgb.exe
  2⤵
  PID:12464
- C:\Windows\System32\cRgcISE.exe
  C:\Windows\System32\cRgcISE.exe
  2⤵
  PID:12516
- C:\Windows\System32\pVEstQR.exe
  C:\Windows\System32\pVEstQR.exe
  2⤵
  PID:12580
- C:\Windows\System32\tGbnUNg.exe
  C:\Windows\System32\tGbnUNg.exe
  2⤵
  PID:12712
- C:\Windows\System32\fYRGqap.exe
  C:\Windows\System32\fYRGqap.exe
  2⤵
  PID:12760
- C:\Windows\System32\YRVjFXW.exe
  C:\Windows\System32\YRVjFXW.exe
  2⤵
  PID:12796
- C:\Windows\System32\aoCqnXJ.exe
  C:\Windows\System32\aoCqnXJ.exe
  2⤵
  PID:12860
- C:\Windows\System32\EOXzOIx.exe
  C:\Windows\System32\EOXzOIx.exe
  2⤵
  PID:12900
- C:\Windows\System32\OcbRTIh.exe
  C:\Windows\System32\OcbRTIh.exe
  2⤵
  PID:13024
- C:\Windows\System32\OvLajoa.exe
  C:\Windows\System32\OvLajoa.exe
  2⤵
  PID:13080

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BkUWsfc.exe

Filesize
1.1MB

MD5
d7cb38a6f93b6d3d8f4dba9ed7ba6993

SHA1
7a8f89220ec67147673107bd8d8ae587a2fc1498

SHA256
8bb44673b22be08d483f197c4f27a744f8f184ccdb572e57f0f2eed23c0c3486

SHA512
02a15cbed0d8bafcb81126e9006cdd366cd546b56eebdbf2402ac978cb17ca6ab59c58c8760975b0008b8ba12b5a2020feaa3109bcb69133aec6cf3d04786e1b

Download Submit
C:\Windows\System32\BlnfRnv.exe

Filesize
1.1MB

MD5
24b63b44661189454cee04852535a8af

SHA1
5809eacd4292aab8a16d9a44060c350a71a62165

SHA256
1b183f4674c0514e8e750c26b855ff4a9d0162924386769a4461a3d18c1c53e9

SHA512
2b96953f3c0c80d81267d0db5ecb49ea9ce850532015d915d6c8ddc2e094f8c659080f5d5ac4bcd6ec265d9c88287b15b54c85cea8b794a41be0030af0b674ed

Download Submit
C:\Windows\System32\DnAtyuf.exe

Filesize
1.1MB

MD5
24c772d717af14cde0069d325e5b6ddb

SHA1
87d62e310cc63e363885439addddf5874860e155

SHA256
8fd3c1a521cb0f4f014549058d31ff66b8267e726f4c43d4539ae37448307454

SHA512
350731237eac58f0ab51cc3175f5a3ccfd0c4cb275d1d8fe67a01be0ebdf619ea2b997e861f6d950bbf08ed4ac8f448c0496daf31526402f616a3545c220e86e

Download Submit
C:\Windows\System32\EMVNipl.exe

Filesize
1.1MB

MD5
30fbbc8dbbd53d49811ed0fdbccb0d05

SHA1
c6b92f79a9c2192b72728047e994311ff009abea

SHA256
c02658d6632d83b97b1cf5119d997bb63c4b44749ecb03cab640f850cdc8d38b

SHA512
0bbf65fadc1907e3479d30aedff4c231ed61406c8c24c94c86599100f7042a4de267c001d0537f547e13d42d01cc0fac84c0a84f7ba3f66a88945479c8ca8539

Download Submit
C:\Windows\System32\HfsMqct.exe

Filesize
1.1MB

MD5
9a0fddb46fc596f2a7a7100d1f5e1b5b

SHA1
baeb971767325b4f9a9b5126d911b731f95f8f2e

SHA256
8614bf64c2c0188a9d1e47a7d8ed33ee13e0978acbb579edc0a422faf1a08afa

SHA512
3e6d19c6b95f0520e304a4275744ef1f9b5589e4be99b07dceb78d4c9f3b5302ab241c09c44c798f3fc61675d02cf237be743b6f7d114efc11e1ecb2fe70fdda

Download Submit
C:\Windows\System32\IlxsFuY.exe

Filesize
1.1MB

MD5
75838f7aae299d921222588e42f0329e

SHA1
5601eafe59afdb0a87f961fdfaa3820038a6a011

SHA256
7efb7d8cf816fa5f9c46bbcb26f54c04f936ca40755e7c75ba2b6a8714cfafc4

SHA512
399d5b3f63cfb659192e5b2f97057cc57b532b8d822f0395df6d3f71f20bfa6e09a2d3b932ca6d9d9b9ece56967e7f2e3a5cf5a813dda06c9e3e65baa573f2fc

Download Submit
C:\Windows\System32\KYkGris.exe

Filesize
1.1MB

MD5
2e056a9b6b09c40c00bd3c547e9fb3ab

SHA1
345c9f75487852d20ff3afa22fea03f7895842f2

SHA256
7268a5d1fb94d57c1aaa8c844818b5d0675d671f247c58d053406fc6056dadfc

SHA512
37d45bc623dcd143a94b3a546d43094f27011fa6ecdb913ecf62cce0be7b067aad5dd9c232a608cb85874cb4e4783a9623645093248fc13cf4018d1405f4d4d2

Download Submit
C:\Windows\System32\KjkSywZ.exe

Filesize
1.1MB

MD5
f68781df7ed8a6a6ee8b530dabfc39e0

SHA1
7095dd61751f360f63f32e42f7e572f7366c4c9e

SHA256
3aa72950bd4787ffcbf8873de07c10876768b94baa33e67e95fd5aca91da0b54

SHA512
d8f0b021d12503ba73e22eb232ee952ec0e90c66dae0a18fd137b6b983cc2bf76cab54e4308ac40b2cc76840e8def24749a9e5d5e906cbbbf4a41b820edbc527

Download Submit
C:\Windows\System32\LlYbQGO.exe

Filesize
1.1MB

MD5
99f95f99371c08ca54b363192bb19314

SHA1
2d8c253f1d6babd08fc4fde9ac1b93b8621f7db6

SHA256
62ca2833966eb3bd47a0920c213982a62caa59c153f45c6562734c84f28ac343

SHA512
95005b90e129822d0a74d2cac10b42cf7c991c01a570aa53afe1890ee7bdad22187c31eb53e96520b62ee30764bcbd2d05224b7fa0f9319973ad829c728d6ef8

Download Submit
C:\Windows\System32\MOBHoEz.exe

Filesize
1.1MB

MD5
bd781cbfe2b0f7bbe935a34dfee8c82a

SHA1
c2d907b6824ddf92ddc8d28deda2e1bbba923fa3

SHA256
92fd31baa9b21b61a747019d0d1bc2070aaf907b8aa7dec971deb2427f063581

SHA512
d8ed86c0b6faf53819284ec37429dcf883ca25bb9cfc2e153ab45a9de0be0ef00ffd85d534cb0b479f6b04aa8ed77474f6347e4396545c46f19ef6c130e187a1

Download Submit
C:\Windows\System32\NQyFPLq.exe

Filesize
1.1MB

MD5
ce5b1d034313d8a27a13b051ec92a39d

SHA1
dbd30d7fd9db49243fe9344b080784a11a1b6474

SHA256
12adb98ab6b0792900afd018babc7d10de84244af283ce2011a3a15b512f186c

SHA512
6bca9c43bc722f763e1f70f6a1e78843e65e99ac7e3bd4edb647a09f1973218834ddc8033f1ffb1da052a5b4c7343ea582435d378b75e56cfb6b140bdd9d7a08

Download Submit
C:\Windows\System32\SMLHZtB.exe

Filesize
1.1MB

MD5
3bfdbe837c202a99a1475ca6a7dcd72a

SHA1
dadb32166e3d599fc4fa33c7d2db4e0cbac6fe75

SHA256
c5749ab8341d7bdda313a7ea76a4ca63326b310d57d3977bd4af2ba1cbc39912

SHA512
8940f3de57851f97457bb55d6df693fb85451c994cfce08d929d9a6879fa8f8ad3fc14d6c8ce785f7429996088a988ed362966af951c0bafed065c880d5964a4

Download Submit
C:\Windows\System32\SQPNqQP.exe

Filesize
1.1MB

MD5
ca00480cc6b4b2a1f924be200d97d27a

SHA1
88957d7902066344b9d70cf7f08cfc170f4934a1

SHA256
569e55efd26f71ae8be6070e5aec49c2c7181faa7f9b4c4a78f0003dec44d5b2

SHA512
525ac3e6318307adde78033eadd8d97500e2fa3e49d9d547b190133506c5b2cdf2b61fa554f90007d79e69411aa242bea0421d735eeb869e98e91c8616d4a2f9

Download Submit
C:\Windows\System32\SeUdruz.exe

Filesize
1.1MB

MD5
145d2c5b33a951247ab765b02f77ddc0

SHA1
f24846a6d3ce3ef84cdc0c596510c1838f39d160

SHA256
34a3ad364f3df4908ce1bf40ca4117d393986ac2b4f905099b4ebedc7ef309ba

SHA512
bba7445bd1d5f7059f772acfd72dcfd62d018fbc811715099d11490a659117b31f3b8cce39287a0a2c4058ee6b7b7a3655111a8972f85339d96bccfea860a7e7

Download Submit
C:\Windows\System32\SqCQbGb.exe

Filesize
1.1MB

MD5
ed8542d36ac4eadf60f9cc529f79606b

SHA1
52d2fc662aff9188a7df1354b32f2dfc4f2649af

SHA256
ed131bf5edfff7e8186ac794fce92b07f701f8170a4e3f9e535391c7c119e873

SHA512
9a9a679e7869715a6a7ee757c86e6bf432baf4f1b04a0934f0902896acc90845d51946a8670998beb63435a1f842b816b588ebc9cfb434a64b3a4f750cb2f9f2

Download Submit
C:\Windows\System32\YQSBCNx.exe

Filesize
1.1MB

MD5
76b5dec2612ae9babd1f88daa01f6e61

SHA1
b99d8bd108b72ca31e95819f9f28d0f6c7f21a95

SHA256
1803f0a9ec85a44014aa9069bb06f84882db8914ad351968358a5e2e97bbe8e4

SHA512
caa488fc84562def31c3238959fbcd3b86c0b3542a8a90bea529a4c4309a8a60c98981c0fc746fc1b0cd42ad2402ef2e5426ef53553354176644fb9b0b65b05f

Download Submit
C:\Windows\System32\ZYkXwzn.exe

Filesize
1.1MB

MD5
f74c1ae4a622ebfcf49f44cbc72f157e

SHA1
53e41e7f98117fd18ab90854506cb1d9e091765b

SHA256
b109429188cf3f3082694a31d8b453fda3fc40260408814d645cbba508f59a53

SHA512
f5e82f4432fa5587c20afbe68f890d6b1e348143e088d6f5c9a4fb1e3daa730724875bf8b581979d8e76675797a0cb963b3214f8ab01f5c9584cc0c21b034fc4

Download Submit
C:\Windows\System32\ZghggEn.exe

Filesize
1.1MB

MD5
0af6c48cb58ef3423b7328b8cf295a81

SHA1
a43a7dd6142741d05debc8b5095b3ae6467d08ee

SHA256
3b952cfb059765db222d65f4df46659dd9935e735ae16090b3afaf251c2d09b8

SHA512
c437db70260943e6873b4119e9c03357a145af736596396f17335c15588f3e8f540c9cbc270bfa2d62eec43781dfb3fd9a28d9fbdf6fd6d1af9d895a6025217e

Download Submit
C:\Windows\System32\bvidOoS.exe

Filesize
1.1MB

MD5
740d1c77c14bc9ab15e38fe7c7085399

SHA1
76de5b34aa690400f6936adc2d0a0debd26fa273

SHA256
1bd57d1b99b16e207862bc6eebc95637c5d0a9f3a4f18d92239fe39a780edbff

SHA512
a0ebf32f3af95a670520eff75060d7f3691a5f0be70407a4875807c58cee835d82a978cc700a5d8203d3caba87a6bcb6691fd0b407f32774c555a4923011a4bc

Download Submit
C:\Windows\System32\galRlYA.exe

Filesize
1.1MB

MD5
4e712ba71ff56606bd5bd9b5a22d0610

SHA1
162864da67caaee4e3a6c93cc770adb80a636d55

SHA256
2bada887d3f476e4645ff18374d3f74f67b238b2bba3c97a0f832bce373957f5

SHA512
0aae05c90402210cc24e0fb8fec2eb9e11549df16c64dad6916602866afbeb471feb694f9bf179e1fc91c2519ff5e560554fc213c40872498af9cac34abfa0b6

Download Submit
C:\Windows\System32\hEspdUB.exe

Filesize
1.1MB

MD5
886174b0aeabe0369df51b3ff86d39e8

SHA1
25527f1416f5ec93117828e6c04720da64d5b112

SHA256
2b4215220df642193eac83177dcf1617b4d1ca8a3cbd56d7345a44d59974e574

SHA512
1aa56b0b26a27dcc129850898d4ec5c1873e5f1c85960592c0899adeead8d5c554e28b6e33b03b1cb730b92f36b92c7aed42a7f6ccf6e45472c40441f9472c0c

Download Submit
C:\Windows\System32\hsdyXIt.exe

Filesize
1.1MB

MD5
2c9816d804a683a432f8761106e19257

SHA1
ee06d1adf19a3bcabac189626e8e2d71eb131c4a

SHA256
8c909903498bc080b2679b6acafb89cf4842f879e7ede5df124264409bca9039

SHA512
3c0ce5daff770844a0133e11cee4efa751a3404480ca51767b4cce8d6381ba69c023d73592789ee14805bedb4681d14bb9c755873f4774548df30dc7e79cb30c

Download Submit
C:\Windows\System32\iBtoEFC.exe

Filesize
1.1MB

MD5
47e074a3ccc88428f7b438e5496f4ef3

SHA1
6ae557abb210627d2967cf25fc03d413d3b82de6

SHA256
e84f1a1a07c75b289eaeb0c1d8a555c7573601ec144848cbeba0cfd30abf59d1

SHA512
61d831721e39020c6a8f09df245093f59b37678e0cac37ee2e467cf6875406b4b222afac0056aeb044660c234ee96cf6eff524cd662670ec5b2b99832ae03c20

Download Submit
C:\Windows\System32\kgiedct.exe

Filesize
1.1MB

MD5
7f0b9da220462ed0b2a22cf14c80e535

SHA1
c62e9930f882f8c80d55e43af1a1b9cf250d0a65

SHA256
389466b6ffa75eac3ab4290e358655a32656799c6d990ee00b8abb0160adf43e

SHA512
f68bfc465c04124974464d6a334ad69ac2b619c4ad5708d9214ed6010a268f1e7b0d2475eb85aeeb853ec5997f26fa93bddcf4f7c9fee3f37459fa41364f06ae

Download Submit
C:\Windows\System32\mAIBCtO.exe

Filesize
1.1MB

MD5
53f25688598b79de6e891b57b1be106a

SHA1
37c8eff8af6a6a533299e513f4e99e91dffccb03

SHA256
f7ceae1a1eac3f9275fa4b4741c846b2bd10292ecf783a7717ccc955551cc5a5

SHA512
5276a919506dba11c4983c31a78c24c6c66d42f3c16aee7b2c64bd6cfd519c3140628260ceb373c4376d672d5cccb7040692d21fd8b164d20bc09a8fdfeff22b

Download Submit
C:\Windows\System32\moqkiez.exe

Filesize
1.1MB

MD5
3f37ae3d418ebc5ffce88fd0e7857f32

SHA1
d0889e1f30a3f7d433410a14af381c829dd05d07

SHA256
48c835c94988eb3f16c176c7c4165573f525de8ebc6db9e5d63ff5a3378847a7

SHA512
2f14fbf27ae9647344b2aa8647f7b20acb04ac42c5c51042c1e75afaf9d1ce917b8a1105a102ea1bffe7b5091b94ecacda6e14698f3a059920d64dec5bf5a25e

Download Submit
C:\Windows\System32\qHioDSc.exe

Filesize
1.1MB

MD5
a8c7d680d8759f9d58ebb0cefd48ed7e

SHA1
3de29f03386eaf12ac8cba8205e338abfcd61b15

SHA256
3e37b80bb8766bba5b217d584e276ba194859c0ac81bd41297b7e1bec27931cf

SHA512
94c6567c7016133e273fab0e7def75b19a3403e1edde59839635b536a7334e94ec1b7a80ecba843f6efe9459f9608a2295f1f7f18cc1b6fdb6bd58c57ae130b4

Download Submit
C:\Windows\System32\qYylvqR.exe

Filesize
1.1MB

MD5
c78cd82d78efff05adff219c1d5edb97

SHA1
cc33b28eaf7fa7ff3794948aaf610ae6fb3b8b3b

SHA256
69b69768604cd7f24f1a7e2203915c3327861be7219f3aa093efb6659a003062

SHA512
0d84c413eef8f6218b69d9bf3c0e5a420d6b6bfa26958c929c9a475c069f7bde1c9ead330cf472a8a4198da6486cce6e9d37c91b84d0a198fb1fb3d0c8516fce

Download Submit
C:\Windows\System32\uPHuWhq.exe

Filesize
1.1MB

MD5
293f41bbb16ecc39f1b66aff623fcc08

SHA1
5179546bd3dd515d2934361c837f60733adc1c5f

SHA256
888093a06f263b9581b73e7343b9aacf6c413b4e73d1e6bc150d57570af506f2

SHA512
b144e7c2c9732f05e86730cd231c4dd84f5c98bcd55b1dbbe3e7987e4d96e11186d2665b1daf508b7e0ac4a2ce32c94ebbe6f3ab9f24a7ca204d29e65f657d1e

Download Submit
C:\Windows\System32\uuGYUwx.exe

Filesize
1.1MB

MD5
1655619e2b4dd7f9b9994c7581d8e459

SHA1
12e51215fe07096c817d559433b77bcaaa6d5ee5

SHA256
81b7c654fc43c6290450ec0f3e9a929f0cdcc974a73fd1032d81100c4f8dbc01

SHA512
b587d63f4c1cd491c33124bf4acdbbcee10d4d8855889fcce201d8df299163b5315730ac954639f736c0199cdf3498b9f528f721c1f779a9cdb89a9ea91121c0

Download Submit
C:\Windows\System32\vjLWNpi.exe

Filesize
1.1MB

MD5
417efce1708150c6ef8c330954d9572f

SHA1
ea385daf994c97b139efb1a94c516eddef5081d4

SHA256
2bad3d06f2fda5172c992cab0b50a9ba20d7cefb3e3faf04a42d409d230b8c6f

SHA512
ffed866bfc1143493cc0914b81e84492c8438bf8637f734dc5944599d8ef1892ec3b80fb46ae5c4c3aeefb291ae3a12c561d80e07a25c4937ed5d759872aa066

Download Submit
C:\Windows\System32\yhgmGyx.exe

Filesize
1.1MB

MD5
8df239c6fa28c83b49be259e2a108928

SHA1
b7b640fa3d7b492c53d7247ca80c634b09f1a986

SHA256
31cc50999152e7406cbf4b610b2ebfd7df28b11a4f31d5bd05cbed7ad5d23a8c

SHA512
7f4ed45ff820fe73f5d5441846cf1390cb2766d32582641cbe181fafd4a63ed3be0b52649597884e5e38a950c2d7246122e3447f70c1107630d59e2837df1242

Download Submit
memory/440-394-0x00007FF742D90000-0x00007FF743181000-memory.dmp

Filesize
3.9MB

Download
memory/440-2061-0x00007FF742D90000-0x00007FF743181000-memory.dmp

Filesize
3.9MB

Download
memory/516-420-0x00007FF7D4740000-0x00007FF7D4B31000-memory.dmp

Filesize
3.9MB

Download
memory/516-2067-0x00007FF7D4740000-0x00007FF7D4B31000-memory.dmp

Filesize
3.9MB

Download
memory/536-2072-0x00007FF781E60000-0x00007FF782251000-memory.dmp

Filesize
3.9MB

Download
memory/536-408-0x00007FF781E60000-0x00007FF782251000-memory.dmp

Filesize
3.9MB

Download
memory/1084-2045-0x00007FF760720000-0x00007FF760B11000-memory.dmp

Filesize
3.9MB

Download
memory/1084-360-0x00007FF760720000-0x00007FF760B11000-memory.dmp

Filesize
3.9MB

Download
memory/1240-377-0x00007FF6E1C10000-0x00007FF6E2001000-memory.dmp

Filesize
3.9MB

Download
memory/1240-2049-0x00007FF6E1C10000-0x00007FF6E2001000-memory.dmp

Filesize
3.9MB

Download
memory/1304-24-0x00007FF69B5A0000-0x00007FF69B991000-memory.dmp

Filesize
3.9MB

Download
memory/1304-2035-0x00007FF69B5A0000-0x00007FF69B991000-memory.dmp

Filesize
3.9MB

Download
memory/1304-1989-0x00007FF69B5A0000-0x00007FF69B991000-memory.dmp

Filesize
3.9MB

Download
memory/1384-2055-0x00007FF6FF570000-0x00007FF6FF961000-memory.dmp

Filesize
3.9MB

Download
memory/1384-384-0x00007FF6FF570000-0x00007FF6FF961000-memory.dmp

Filesize
3.9MB

Download
memory/1420-2080-0x00007FF686910000-0x00007FF686D01000-memory.dmp

Filesize
3.9MB

Download
memory/1420-395-0x00007FF686910000-0x00007FF686D01000-memory.dmp

Filesize
3.9MB

Download
memory/1780-2070-0x00007FF723E20000-0x00007FF724211000-memory.dmp

Filesize
3.9MB

Download
memory/1780-418-0x00007FF723E20000-0x00007FF724211000-memory.dmp

Filesize
3.9MB

Download
memory/2164-2078-0x00007FF6A41B0000-0x00007FF6A45A1000-memory.dmp

Filesize
3.9MB

Download
memory/2164-416-0x00007FF6A41B0000-0x00007FF6A45A1000-memory.dmp

Filesize
3.9MB

Download
memory/2396-2043-0x00007FF727B70000-0x00007FF727F61000-memory.dmp

Filesize
3.9MB

Download
memory/2396-356-0x00007FF727B70000-0x00007FF727F61000-memory.dmp

Filesize
3.9MB

Download
memory/2472-403-0x00007FF7C8DD0000-0x00007FF7C91C1000-memory.dmp

Filesize
3.9MB

Download
memory/2472-2076-0x00007FF7C8DD0000-0x00007FF7C91C1000-memory.dmp

Filesize
3.9MB

Download
memory/2784-1-0x0000022635850000-0x0000022635860000-memory.dmp

Filesize
64KB

Download
memory/2784-0-0x00007FF7E7770000-0x00007FF7E7B61000-memory.dmp

Filesize
3.9MB

Download
memory/2876-17-0x00007FF73B2A0000-0x00007FF73B691000-memory.dmp

Filesize
3.9MB

Download
memory/2876-2031-0x00007FF73B2A0000-0x00007FF73B691000-memory.dmp

Filesize
3.9MB

Download
memory/2876-1988-0x00007FF73B2A0000-0x00007FF73B691000-memory.dmp

Filesize
3.9MB

Download
memory/2892-369-0x00007FF7FF5B0000-0x00007FF7FF9A1000-memory.dmp

Filesize
3.9MB

Download
memory/2892-2047-0x00007FF7FF5B0000-0x00007FF7FF9A1000-memory.dmp

Filesize
3.9MB

Download
memory/3388-32-0x00007FF7D4890000-0x00007FF7D4C81000-memory.dmp

Filesize
3.9MB

Download
memory/3388-2023-0x00007FF7D4890000-0x00007FF7D4C81000-memory.dmp

Filesize
3.9MB

Download
memory/3388-2037-0x00007FF7D4890000-0x00007FF7D4C81000-memory.dmp

Filesize
3.9MB

Download
memory/3652-1991-0x00007FF6A0710000-0x00007FF6A0B01000-memory.dmp

Filesize
3.9MB

Download
memory/3652-2033-0x00007FF6A0710000-0x00007FF6A0B01000-memory.dmp

Filesize
3.9MB

Download
memory/3652-27-0x00007FF6A0710000-0x00007FF6A0B01000-memory.dmp

Filesize
3.9MB

Download
memory/3712-378-0x00007FF600E70000-0x00007FF601261000-memory.dmp

Filesize
3.9MB

Download
memory/3712-2053-0x00007FF600E70000-0x00007FF601261000-memory.dmp

Filesize
3.9MB

Download
memory/3960-6-0x00007FF7E7570000-0x00007FF7E7961000-memory.dmp

Filesize
3.9MB

Download
memory/3960-2029-0x00007FF7E7570000-0x00007FF7E7961000-memory.dmp

Filesize
3.9MB

Download
memory/3960-1987-0x00007FF7E7570000-0x00007FF7E7961000-memory.dmp

Filesize
3.9MB

Download
memory/3992-2074-0x00007FF6F91D0000-0x00007FF6F95C1000-memory.dmp

Filesize
3.9MB

Download
memory/3992-411-0x00007FF6F91D0000-0x00007FF6F95C1000-memory.dmp

Filesize
3.9MB

Download
memory/4232-2041-0x00007FF68BE50000-0x00007FF68C241000-memory.dmp

Filesize
3.9MB

Download
memory/4232-351-0x00007FF68BE50000-0x00007FF68C241000-memory.dmp

Filesize
3.9MB

Download
memory/4448-421-0x00007FF7BC2B0000-0x00007FF7BC6A1000-memory.dmp

Filesize
3.9MB

Download
memory/4448-2039-0x00007FF7BC2B0000-0x00007FF7BC6A1000-memory.dmp

Filesize
3.9MB

Download
memory/4528-2051-0x00007FF67CCC0000-0x00007FF67D0B1000-memory.dmp

Filesize
3.9MB

Download
memory/4528-373-0x00007FF67CCC0000-0x00007FF67D0B1000-memory.dmp

Filesize
3.9MB

Download
memory/4692-2059-0x00007FF7483F0000-0x00007FF7487E1000-memory.dmp

Filesize
3.9MB

Download
memory/4692-390-0x00007FF7483F0000-0x00007FF7487E1000-memory.dmp

Filesize
3.9MB

Download
memory/4864-2057-0x00007FF700150000-0x00007FF700541000-memory.dmp

Filesize
3.9MB

Download
memory/4864-386-0x00007FF700150000-0x00007FF700541000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads