xmrig | 6215d62424e4a13d47e7af64c1fac6672c75a1b4df83770260770018bc44c406

Analysis

max time kernel
136s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
Size

1.2MB
MD5

0f4825161825fd6597425623c9db248b
SHA1

3aac09948b046f14466c01e268854dff44ff6cad
SHA256

6215d62424e4a13d47e7af64c1fac6672c75a1b4df83770260770018bc44c406
SHA512

a3d2b54aecbbe6d10e724a7011d447d4df4e6694d776a6a99cc03ecf1e52009ceea9ac2f1d97b0d35df7d650dcbe850f49ce89a5fff06be18727279328e7429a
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1T1:knw9oUUEEDl37jcq4nPY

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/2464-11-0x00007FF7A3470000-0x00007FF7A3861000-memory.dmp	xmrig
behavioral2/memory/2148-38-0x00007FF6E3A30000-0x00007FF6E3E21000-memory.dmp	xmrig
behavioral2/memory/1160-59-0x00007FF616890000-0x00007FF616C81000-memory.dmp	xmrig
behavioral2/memory/5080-324-0x00007FF6376F0000-0x00007FF637AE1000-memory.dmp	xmrig
behavioral2/memory/4632-334-0x00007FF66B6D0000-0x00007FF66BAC1000-memory.dmp	xmrig
behavioral2/memory/8-348-0x00007FF7768A0000-0x00007FF776C91000-memory.dmp	xmrig
behavioral2/memory/804-353-0x00007FF70B5B0000-0x00007FF70B9A1000-memory.dmp	xmrig
behavioral2/memory/3968-354-0x00007FF71B0F0000-0x00007FF71B4E1000-memory.dmp	xmrig
behavioral2/memory/3596-363-0x00007FF7920F0000-0x00007FF7924E1000-memory.dmp	xmrig
behavioral2/memory/3184-373-0x00007FF61FC00000-0x00007FF61FFF1000-memory.dmp	xmrig
behavioral2/memory/3080-371-0x00007FF700D10000-0x00007FF701101000-memory.dmp	xmrig
behavioral2/memory/4400-369-0x00007FF6DAB20000-0x00007FF6DAF11000-memory.dmp	xmrig
behavioral2/memory/4472-367-0x00007FF706D30000-0x00007FF707121000-memory.dmp	xmrig
behavioral2/memory/4064-345-0x00007FF7D95A0000-0x00007FF7D9991000-memory.dmp	xmrig
behavioral2/memory/3232-342-0x00007FF671800000-0x00007FF671BF1000-memory.dmp	xmrig
behavioral2/memory/4536-331-0x00007FF7008D0000-0x00007FF700CC1000-memory.dmp	xmrig
behavioral2/memory/1840-330-0x00007FF75FD80000-0x00007FF760171000-memory.dmp	xmrig
behavioral2/memory/4236-32-0x00007FF72E330000-0x00007FF72E721000-memory.dmp	xmrig
behavioral2/memory/3060-1951-0x00007FF7EFC80000-0x00007FF7F0071000-memory.dmp	xmrig
behavioral2/memory/2012-1977-0x00007FF6048B0000-0x00007FF604CA1000-memory.dmp	xmrig
behavioral2/memory/1320-1985-0x00007FF738270000-0x00007FF738661000-memory.dmp	xmrig
behavioral2/memory/976-1986-0x00007FF662470000-0x00007FF662861000-memory.dmp	xmrig
behavioral2/memory/1588-1987-0x00007FF6EA7D0000-0x00007FF6EABC1000-memory.dmp	xmrig
behavioral2/memory/2064-2004-0x00007FF732FD0000-0x00007FF7333C1000-memory.dmp	xmrig
behavioral2/memory/3008-2007-0x00007FF77C660000-0x00007FF77CA51000-memory.dmp	xmrig
behavioral2/memory/2464-2050-0x00007FF7A3470000-0x00007FF7A3861000-memory.dmp	xmrig
behavioral2/memory/2148-2054-0x00007FF6E3A30000-0x00007FF6E3E21000-memory.dmp	xmrig
behavioral2/memory/2012-2052-0x00007FF6048B0000-0x00007FF604CA1000-memory.dmp	xmrig
behavioral2/memory/3060-2048-0x00007FF7EFC80000-0x00007FF7F0071000-memory.dmp	xmrig
behavioral2/memory/4236-2056-0x00007FF72E330000-0x00007FF72E721000-memory.dmp	xmrig
behavioral2/memory/976-2058-0x00007FF662470000-0x00007FF662861000-memory.dmp	xmrig
behavioral2/memory/1160-2064-0x00007FF616890000-0x00007FF616C81000-memory.dmp	xmrig
behavioral2/memory/1588-2062-0x00007FF6EA7D0000-0x00007FF6EABC1000-memory.dmp	xmrig
behavioral2/memory/1320-2060-0x00007FF738270000-0x00007FF738661000-memory.dmp	xmrig
behavioral2/memory/3232-2072-0x00007FF671800000-0x00007FF671BF1000-memory.dmp	xmrig
behavioral2/memory/4632-2076-0x00007FF66B6D0000-0x00007FF66BAC1000-memory.dmp	xmrig
behavioral2/memory/8-2082-0x00007FF7768A0000-0x00007FF776C91000-memory.dmp	xmrig
behavioral2/memory/3596-2086-0x00007FF7920F0000-0x00007FF7924E1000-memory.dmp	xmrig
behavioral2/memory/4472-2088-0x00007FF706D30000-0x00007FF707121000-memory.dmp	xmrig
behavioral2/memory/3968-2084-0x00007FF71B0F0000-0x00007FF71B4E1000-memory.dmp	xmrig
behavioral2/memory/4064-2080-0x00007FF7D95A0000-0x00007FF7D9991000-memory.dmp	xmrig
behavioral2/memory/804-2079-0x00007FF70B5B0000-0x00007FF70B9A1000-memory.dmp	xmrig
behavioral2/memory/1840-2070-0x00007FF75FD80000-0x00007FF760171000-memory.dmp	xmrig
behavioral2/memory/4536-2074-0x00007FF7008D0000-0x00007FF700CC1000-memory.dmp	xmrig
behavioral2/memory/2064-2068-0x00007FF732FD0000-0x00007FF7333C1000-memory.dmp	xmrig
behavioral2/memory/5080-2066-0x00007FF6376F0000-0x00007FF637AE1000-memory.dmp	xmrig
behavioral2/memory/3080-2104-0x00007FF700D10000-0x00007FF701101000-memory.dmp	xmrig
behavioral2/memory/3184-2101-0x00007FF61FC00000-0x00007FF61FFF1000-memory.dmp	xmrig
behavioral2/memory/4400-2090-0x00007FF6DAB20000-0x00007FF6DAF11000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2464	YRMSgbr.exe
3060	XfoqRzw.exe
2012	WmcvtdD.exe
2148	ZqZbMlL.exe
4236	MFRFJbJ.exe
1320	LqkYlNx.exe
976	KCnLQyz.exe
1588	ISVNbRn.exe
1160	OsbgcLV.exe
2064	uyXpvYD.exe
5080	aosRqjo.exe
1840	UbTtUPo.exe
4536	znFoStT.exe
4632	Qxsfqen.exe
3232	oSdqxzL.exe
4064	LBrUALS.exe
8	iKRCbtC.exe
804	BnpEefr.exe
3968	FkdWQsb.exe
3596	Xogcihu.exe
4472	VlCAyFL.exe
4400	uILMCpD.exe
3080	RsdCriw.exe
3184	CfUoIae.exe
4856	jMUxRIX.exe
1072	xoIWhiT.exe
548	TjnXppJ.exe
2460	shVkMwt.exe
4688	vvUcrkb.exe
1288	RTeSzKx.exe
1216	ZjZWCHe.exe
1844	QbnGoyq.exe
2112	hEfppjh.exe
3992	OaWZBHn.exe
3400	apyMJMH.exe
2588	EqPvJgh.exe
1616	uvpeulB.exe
4124	RqXtOxQ.exe
2316	JYHrnXf.exe
4144	NQZagbY.exe
1692	VUTRMjA.exe
1232	fxvXYXK.exe
3408	wNOSjeX.exe
3096	PvBipXa.exe
456	HPccwks.exe
1156	lBUktfL.exe
876	NCvuZxe.exe
3692	UCjtrOq.exe
1436	JUzuynE.exe
2604	ZwYEkwY.exe
2700	bzutKYy.exe
4368	ipjZFLz.exe
2116	UPWskRV.exe
4560	DMLShIr.exe
2764	kuJZInh.exe
1020	tDAiekx.exe
3892	oWWUVXG.exe
4556	nmXqOKW.exe
2824	GjBtFJZ.exe
2932	UxOSBWr.exe
1476	tdTWmTK.exe
1416	BGfWsAW.exe
4572	IycyrLm.exe
3196	igImIvY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3008-0-0x00007FF77C660000-0x00007FF77CA51000-memory.dmp	upx
behavioral2/files/0x000800000002340f-5.dat	upx
behavioral2/files/0x0007000000023413-8.dat	upx
behavioral2/memory/2464-11-0x00007FF7A3470000-0x00007FF7A3861000-memory.dmp	upx
behavioral2/files/0x0008000000023412-13.dat	upx
behavioral2/files/0x0007000000023415-27.dat	upx
behavioral2/memory/2012-25-0x00007FF6048B0000-0x00007FF604CA1000-memory.dmp	upx
behavioral2/files/0x0007000000023414-23.dat	upx
behavioral2/memory/3060-16-0x00007FF7EFC80000-0x00007FF7F0071000-memory.dmp	upx
behavioral2/files/0x0007000000023416-33.dat	upx
behavioral2/memory/2148-38-0x00007FF6E3A30000-0x00007FF6E3E21000-memory.dmp	upx
behavioral2/memory/1320-42-0x00007FF738270000-0x00007FF738661000-memory.dmp	upx
behavioral2/memory/1588-46-0x00007FF6EA7D0000-0x00007FF6EABC1000-memory.dmp	upx
behavioral2/files/0x0007000000023419-52.dat	upx
behavioral2/memory/1160-59-0x00007FF616890000-0x00007FF616C81000-memory.dmp	upx
behavioral2/files/0x0007000000023420-91.dat	upx
behavioral2/files/0x0007000000023422-99.dat	upx
behavioral2/files/0x0007000000023423-106.dat	upx
behavioral2/files/0x0007000000023425-116.dat	upx
behavioral2/files/0x0007000000023428-131.dat	upx
behavioral2/files/0x000700000002342f-164.dat	upx
behavioral2/memory/5080-324-0x00007FF6376F0000-0x00007FF637AE1000-memory.dmp	upx
behavioral2/memory/4632-334-0x00007FF66B6D0000-0x00007FF66BAC1000-memory.dmp	upx
behavioral2/memory/8-348-0x00007FF7768A0000-0x00007FF776C91000-memory.dmp	upx
behavioral2/memory/804-353-0x00007FF70B5B0000-0x00007FF70B9A1000-memory.dmp	upx
behavioral2/memory/3968-354-0x00007FF71B0F0000-0x00007FF71B4E1000-memory.dmp	upx
behavioral2/memory/3596-363-0x00007FF7920F0000-0x00007FF7924E1000-memory.dmp	upx
behavioral2/memory/3184-373-0x00007FF61FC00000-0x00007FF61FFF1000-memory.dmp	upx
behavioral2/memory/3080-371-0x00007FF700D10000-0x00007FF701101000-memory.dmp	upx
behavioral2/memory/4400-369-0x00007FF6DAB20000-0x00007FF6DAF11000-memory.dmp	upx
behavioral2/memory/4472-367-0x00007FF706D30000-0x00007FF707121000-memory.dmp	upx
behavioral2/memory/4064-345-0x00007FF7D95A0000-0x00007FF7D9991000-memory.dmp	upx
behavioral2/memory/3232-342-0x00007FF671800000-0x00007FF671BF1000-memory.dmp	upx
behavioral2/memory/4536-331-0x00007FF7008D0000-0x00007FF700CC1000-memory.dmp	upx
behavioral2/memory/1840-330-0x00007FF75FD80000-0x00007FF760171000-memory.dmp	upx
behavioral2/files/0x0007000000023430-171.dat	upx
behavioral2/files/0x000700000002342e-161.dat	upx
behavioral2/files/0x000700000002342d-156.dat	upx
behavioral2/files/0x000700000002342c-151.dat	upx
behavioral2/files/0x000700000002342b-146.dat	upx
behavioral2/files/0x000700000002342a-141.dat	upx
behavioral2/files/0x0007000000023429-136.dat	upx
behavioral2/files/0x0007000000023427-126.dat	upx
behavioral2/files/0x0007000000023426-121.dat	upx
behavioral2/files/0x0007000000023424-111.dat	upx
behavioral2/files/0x0007000000023421-96.dat	upx
behavioral2/files/0x000700000002341f-86.dat	upx
behavioral2/files/0x000700000002341e-81.dat	upx
behavioral2/files/0x000700000002341d-76.dat	upx
behavioral2/files/0x000700000002341c-71.dat	upx
behavioral2/files/0x000700000002341b-66.dat	upx
behavioral2/files/0x000700000002341a-61.dat	upx
behavioral2/memory/2064-60-0x00007FF732FD0000-0x00007FF7333C1000-memory.dmp	upx
behavioral2/files/0x0007000000023418-50.dat	upx
behavioral2/files/0x0007000000023417-47.dat	upx
behavioral2/memory/976-44-0x00007FF662470000-0x00007FF662861000-memory.dmp	upx
behavioral2/memory/4236-32-0x00007FF72E330000-0x00007FF72E721000-memory.dmp	upx
behavioral2/memory/3060-1951-0x00007FF7EFC80000-0x00007FF7F0071000-memory.dmp	upx
behavioral2/memory/2012-1977-0x00007FF6048B0000-0x00007FF604CA1000-memory.dmp	upx
behavioral2/memory/1320-1985-0x00007FF738270000-0x00007FF738661000-memory.dmp	upx
behavioral2/memory/976-1986-0x00007FF662470000-0x00007FF662861000-memory.dmp	upx
behavioral2/memory/1588-1987-0x00007FF6EA7D0000-0x00007FF6EABC1000-memory.dmp	upx
behavioral2/memory/2064-2004-0x00007FF732FD0000-0x00007FF7333C1000-memory.dmp	upx
behavioral2/memory/3008-2007-0x00007FF77C660000-0x00007FF77CA51000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\jZiVuJk.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\UbTtUPo.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\bzutKYy.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\tQWThsE.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\pkezobV.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\lRmtasc.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\dzMcldW.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\VlnYOnK.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\bLKBRlx.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\PvBipXa.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\tDAiekx.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\gtIzDjI.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\ALUAUMN.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\jDpNfha.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\UkwMDXb.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\pOGaRXQ.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\dcRfLaK.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\iOdtxHM.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\nmQLUPD.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\oyDwTzd.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\fdzfYoL.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\rVWVzbt.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\yZMcZCz.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\QODmQEE.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\jesjCln.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\wFbcjxc.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\HjHMxCz.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\wlrotJN.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\FUvauja.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\ticKnTD.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\QSycwQg.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\QbnGoyq.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\SvMcpSO.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\pCepYhY.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\koIeRbi.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\DVltUQa.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\wNOSjeX.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\XRgDzoR.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\OVrvhYS.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\vxMyzsX.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\dvFBIKf.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\CIcpLie.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\BUEJMbZ.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\ZKfogXD.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\hfDtBcm.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\BlAsfWS.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\vDSaBaI.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\uoOysRz.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\dDHAOJV.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\LhYGhyC.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\GSsTFOs.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\lTckxhZ.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\QQpyHaG.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\ZAeoymd.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\JYHrnXf.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\WxmchmR.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\sluEqaW.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\fuYxFTB.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\iFgEcZE.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\lXRAala.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\LqkYlNx.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\tdTWmTK.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\QXKVnhL.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
File created	C:\Windows\System32\AcQiLsN.exe	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13272	dwm.exe
Token: SeChangeNotifyPrivilege	13272	dwm.exe
Token: 33	13272	dwm.exe
Token: SeIncBasePriorityPrivilege	13272	dwm.exe
Token: SeShutdownPrivilege	13272	dwm.exe
Token: SeCreatePagefilePrivilege	13272	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2464	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	83
PID 3008 wrote to memory of 2464	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	83
PID 3008 wrote to memory of 3060	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	84
PID 3008 wrote to memory of 3060	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	84
PID 3008 wrote to memory of 2012	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	85
PID 3008 wrote to memory of 2012	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	85
PID 3008 wrote to memory of 2148	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	86
PID 3008 wrote to memory of 2148	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	86
PID 3008 wrote to memory of 4236	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	87
PID 3008 wrote to memory of 4236	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	87
PID 3008 wrote to memory of 1320	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	88
PID 3008 wrote to memory of 1320	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	88
PID 3008 wrote to memory of 976	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	89
PID 3008 wrote to memory of 976	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	89
PID 3008 wrote to memory of 1588	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	90
PID 3008 wrote to memory of 1588	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	90
PID 3008 wrote to memory of 1160	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	91
PID 3008 wrote to memory of 1160	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	91
PID 3008 wrote to memory of 2064	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	92
PID 3008 wrote to memory of 2064	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	92
PID 3008 wrote to memory of 5080	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	93
PID 3008 wrote to memory of 5080	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	93
PID 3008 wrote to memory of 1840	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	94
PID 3008 wrote to memory of 1840	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	94
PID 3008 wrote to memory of 4536	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	95
PID 3008 wrote to memory of 4536	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	95
PID 3008 wrote to memory of 4632	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	96
PID 3008 wrote to memory of 4632	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	96
PID 3008 wrote to memory of 3232	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	97
PID 3008 wrote to memory of 3232	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	97
PID 3008 wrote to memory of 4064	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	98
PID 3008 wrote to memory of 4064	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	98
PID 3008 wrote to memory of 8	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	99
PID 3008 wrote to memory of 8	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	99
PID 3008 wrote to memory of 804	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	100
PID 3008 wrote to memory of 804	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	100
PID 3008 wrote to memory of 3968	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	101
PID 3008 wrote to memory of 3968	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	101
PID 3008 wrote to memory of 3596	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	102
PID 3008 wrote to memory of 3596	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	102
PID 3008 wrote to memory of 4472	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	103
PID 3008 wrote to memory of 4472	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	103
PID 3008 wrote to memory of 4400	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	104
PID 3008 wrote to memory of 4400	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	104
PID 3008 wrote to memory of 3080	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	105
PID 3008 wrote to memory of 3080	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	105
PID 3008 wrote to memory of 3184	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	106
PID 3008 wrote to memory of 3184	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	106
PID 3008 wrote to memory of 4856	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	107
PID 3008 wrote to memory of 4856	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	107
PID 3008 wrote to memory of 1072	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	108
PID 3008 wrote to memory of 1072	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	108
PID 3008 wrote to memory of 548	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	109
PID 3008 wrote to memory of 548	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	109
PID 3008 wrote to memory of 2460	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	110
PID 3008 wrote to memory of 2460	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	110
PID 3008 wrote to memory of 4688	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	111
PID 3008 wrote to memory of 4688	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	111
PID 3008 wrote to memory of 1288	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	112
PID 3008 wrote to memory of 1288	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	112
PID 3008 wrote to memory of 1216	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	113
PID 3008 wrote to memory of 1216	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	113
PID 3008 wrote to memory of 1844	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	114
PID 3008 wrote to memory of 1844	3008	0f4825161825fd6597425623c9db248b_JaffaCakes118.exe	114

C:\Users\Admin\AppData\Local\Temp\0f4825161825fd6597425623c9db248b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f4825161825fd6597425623c9db248b_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\System32\YRMSgbr.exe
  C:\Windows\System32\YRMSgbr.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\XfoqRzw.exe
  C:\Windows\System32\XfoqRzw.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System32\WmcvtdD.exe
  C:\Windows\System32\WmcvtdD.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System32\ZqZbMlL.exe
  C:\Windows\System32\ZqZbMlL.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System32\MFRFJbJ.exe
  C:\Windows\System32\MFRFJbJ.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\LqkYlNx.exe
  C:\Windows\System32\LqkYlNx.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System32\KCnLQyz.exe
  C:\Windows\System32\KCnLQyz.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System32\ISVNbRn.exe
  C:\Windows\System32\ISVNbRn.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\OsbgcLV.exe
  C:\Windows\System32\OsbgcLV.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\uyXpvYD.exe
  C:\Windows\System32\uyXpvYD.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System32\aosRqjo.exe
  C:\Windows\System32\aosRqjo.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\UbTtUPo.exe
  C:\Windows\System32\UbTtUPo.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System32\znFoStT.exe
  C:\Windows\System32\znFoStT.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\Qxsfqen.exe
  C:\Windows\System32\Qxsfqen.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\oSdqxzL.exe
  C:\Windows\System32\oSdqxzL.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System32\LBrUALS.exe
  C:\Windows\System32\LBrUALS.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System32\iKRCbtC.exe
  C:\Windows\System32\iKRCbtC.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System32\BnpEefr.exe
  C:\Windows\System32\BnpEefr.exe
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\System32\FkdWQsb.exe
  C:\Windows\System32\FkdWQsb.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\Xogcihu.exe
  C:\Windows\System32\Xogcihu.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\VlCAyFL.exe
  C:\Windows\System32\VlCAyFL.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System32\uILMCpD.exe
  C:\Windows\System32\uILMCpD.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\RsdCriw.exe
  C:\Windows\System32\RsdCriw.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\CfUoIae.exe
  C:\Windows\System32\CfUoIae.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\jMUxRIX.exe
  C:\Windows\System32\jMUxRIX.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\xoIWhiT.exe
  C:\Windows\System32\xoIWhiT.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System32\TjnXppJ.exe
  C:\Windows\System32\TjnXppJ.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\shVkMwt.exe
  C:\Windows\System32\shVkMwt.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System32\vvUcrkb.exe
  C:\Windows\System32\vvUcrkb.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System32\RTeSzKx.exe
  C:\Windows\System32\RTeSzKx.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System32\ZjZWCHe.exe
  C:\Windows\System32\ZjZWCHe.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System32\QbnGoyq.exe
  C:\Windows\System32\QbnGoyq.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System32\hEfppjh.exe
  C:\Windows\System32\hEfppjh.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System32\OaWZBHn.exe
  C:\Windows\System32\OaWZBHn.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System32\apyMJMH.exe
  C:\Windows\System32\apyMJMH.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System32\EqPvJgh.exe
  C:\Windows\System32\EqPvJgh.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System32\uvpeulB.exe
  C:\Windows\System32\uvpeulB.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System32\RqXtOxQ.exe
  C:\Windows\System32\RqXtOxQ.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System32\JYHrnXf.exe
  C:\Windows\System32\JYHrnXf.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\NQZagbY.exe
  C:\Windows\System32\NQZagbY.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\VUTRMjA.exe
  C:\Windows\System32\VUTRMjA.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System32\fxvXYXK.exe
  C:\Windows\System32\fxvXYXK.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System32\wNOSjeX.exe
  C:\Windows\System32\wNOSjeX.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System32\PvBipXa.exe
  C:\Windows\System32\PvBipXa.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System32\HPccwks.exe
  C:\Windows\System32\HPccwks.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System32\lBUktfL.exe
  C:\Windows\System32\lBUktfL.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System32\NCvuZxe.exe
  C:\Windows\System32\NCvuZxe.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\UCjtrOq.exe
  C:\Windows\System32\UCjtrOq.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\JUzuynE.exe
  C:\Windows\System32\JUzuynE.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System32\ZwYEkwY.exe
  C:\Windows\System32\ZwYEkwY.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System32\bzutKYy.exe
  C:\Windows\System32\bzutKYy.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System32\ipjZFLz.exe
  C:\Windows\System32\ipjZFLz.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\UPWskRV.exe
  C:\Windows\System32\UPWskRV.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System32\DMLShIr.exe
  C:\Windows\System32\DMLShIr.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\kuJZInh.exe
  C:\Windows\System32\kuJZInh.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\tDAiekx.exe
  C:\Windows\System32\tDAiekx.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System32\oWWUVXG.exe
  C:\Windows\System32\oWWUVXG.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\nmXqOKW.exe
  C:\Windows\System32\nmXqOKW.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System32\GjBtFJZ.exe
  C:\Windows\System32\GjBtFJZ.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System32\UxOSBWr.exe
  C:\Windows\System32\UxOSBWr.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System32\tdTWmTK.exe
  C:\Windows\System32\tdTWmTK.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System32\BGfWsAW.exe
  C:\Windows\System32\BGfWsAW.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System32\IycyrLm.exe
  C:\Windows\System32\IycyrLm.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\igImIvY.exe
  C:\Windows\System32\igImIvY.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\jLfYKhJ.exe
  C:\Windows\System32\jLfYKhJ.exe
  2⤵
  PID:3424
- C:\Windows\System32\Nnrbxyj.exe
  C:\Windows\System32\Nnrbxyj.exe
  2⤵
  PID:2644
- C:\Windows\System32\mOzsUoE.exe
  C:\Windows\System32\mOzsUoE.exe
  2⤵
  PID:2528
- C:\Windows\System32\qjSNisb.exe
  C:\Windows\System32\qjSNisb.exe
  2⤵
  PID:4996
- C:\Windows\System32\bqntOYS.exe
  C:\Windows\System32\bqntOYS.exe
  2⤵
  PID:4936
- C:\Windows\System32\yXrmrvu.exe
  C:\Windows\System32\yXrmrvu.exe
  2⤵
  PID:2936
- C:\Windows\System32\enmECTA.exe
  C:\Windows\System32\enmECTA.exe
  2⤵
  PID:4440
- C:\Windows\System32\MhFsmVo.exe
  C:\Windows\System32\MhFsmVo.exe
  2⤵
  PID:4860
- C:\Windows\System32\czNaSGi.exe
  C:\Windows\System32\czNaSGi.exe
  2⤵
  PID:2756
- C:\Windows\System32\OCqWClb.exe
  C:\Windows\System32\OCqWClb.exe
  2⤵
  PID:5008
- C:\Windows\System32\zOnYmKe.exe
  C:\Windows\System32\zOnYmKe.exe
  2⤵
  PID:1512
- C:\Windows\System32\rTCtZbP.exe
  C:\Windows\System32\rTCtZbP.exe
  2⤵
  PID:2740
- C:\Windows\System32\ndVctBj.exe
  C:\Windows\System32\ndVctBj.exe
  2⤵
  PID:4784
- C:\Windows\System32\yDFgOLj.exe
  C:\Windows\System32\yDFgOLj.exe
  2⤵
  PID:3904
- C:\Windows\System32\CIcpLie.exe
  C:\Windows\System32\CIcpLie.exe
  2⤵
  PID:2656
- C:\Windows\System32\XRgDzoR.exe
  C:\Windows\System32\XRgDzoR.exe
  2⤵
  PID:4052
- C:\Windows\System32\AWtPXOA.exe
  C:\Windows\System32\AWtPXOA.exe
  2⤵
  PID:1900
- C:\Windows\System32\ZykFfdE.exe
  C:\Windows\System32\ZykFfdE.exe
  2⤵
  PID:2412
- C:\Windows\System32\MNLRBxN.exe
  C:\Windows\System32\MNLRBxN.exe
  2⤵
  PID:116
- C:\Windows\System32\EBEDUYx.exe
  C:\Windows\System32\EBEDUYx.exe
  2⤵
  PID:3664
- C:\Windows\System32\hvHDnsd.exe
  C:\Windows\System32\hvHDnsd.exe
  2⤵
  PID:4468
- C:\Windows\System32\IHpZiGs.exe
  C:\Windows\System32\IHpZiGs.exe
  2⤵
  PID:1496
- C:\Windows\System32\FZjULnu.exe
  C:\Windows\System32\FZjULnu.exe
  2⤵
  PID:4100
- C:\Windows\System32\kKUXjNN.exe
  C:\Windows\System32\kKUXjNN.exe
  2⤵
  PID:864
- C:\Windows\System32\SvMcpSO.exe
  C:\Windows\System32\SvMcpSO.exe
  2⤵
  PID:4636
- C:\Windows\System32\okYNdTC.exe
  C:\Windows\System32\okYNdTC.exe
  2⤵
  PID:3676
- C:\Windows\System32\blPjGgP.exe
  C:\Windows\System32\blPjGgP.exe
  2⤵
  PID:4588
- C:\Windows\System32\MwvYAHq.exe
  C:\Windows\System32\MwvYAHq.exe
  2⤵
  PID:3736
- C:\Windows\System32\BvIhezd.exe
  C:\Windows\System32\BvIhezd.exe
  2⤵
  PID:1796
- C:\Windows\System32\iISLCXx.exe
  C:\Windows\System32\iISLCXx.exe
  2⤵
  PID:2504
- C:\Windows\System32\dDHAOJV.exe
  C:\Windows\System32\dDHAOJV.exe
  2⤵
  PID:5096
- C:\Windows\System32\hRTrGue.exe
  C:\Windows\System32\hRTrGue.exe
  2⤵
  PID:2164
- C:\Windows\System32\ksDElIl.exe
  C:\Windows\System32\ksDElIl.exe
  2⤵
  PID:4296
- C:\Windows\System32\tyXMlvI.exe
  C:\Windows\System32\tyXMlvI.exe
  2⤵
  PID:2492
- C:\Windows\System32\iZbWCzE.exe
  C:\Windows\System32\iZbWCzE.exe
  2⤵
  PID:3056
- C:\Windows\System32\dBVltKU.exe
  C:\Windows\System32\dBVltKU.exe
  2⤵
  PID:5132
- C:\Windows\System32\lBEqtoT.exe
  C:\Windows\System32\lBEqtoT.exe
  2⤵
  PID:5160
- C:\Windows\System32\huMAeaz.exe
  C:\Windows\System32\huMAeaz.exe
  2⤵
  PID:5184
- C:\Windows\System32\UWhbJdU.exe
  C:\Windows\System32\UWhbJdU.exe
  2⤵
  PID:5216
- C:\Windows\System32\LXSbSLz.exe
  C:\Windows\System32\LXSbSLz.exe
  2⤵
  PID:5240
- C:\Windows\System32\yQkiprh.exe
  C:\Windows\System32\yQkiprh.exe
  2⤵
  PID:5272
- C:\Windows\System32\bGVFoXm.exe
  C:\Windows\System32\bGVFoXm.exe
  2⤵
  PID:5300
- C:\Windows\System32\GkRMXcy.exe
  C:\Windows\System32\GkRMXcy.exe
  2⤵
  PID:5324
- C:\Windows\System32\hfDtBcm.exe
  C:\Windows\System32\hfDtBcm.exe
  2⤵
  PID:5356
- C:\Windows\System32\tQWThsE.exe
  C:\Windows\System32\tQWThsE.exe
  2⤵
  PID:5380
- C:\Windows\System32\BHEMpWD.exe
  C:\Windows\System32\BHEMpWD.exe
  2⤵
  PID:5412
- C:\Windows\System32\fKceJDL.exe
  C:\Windows\System32\fKceJDL.exe
  2⤵
  PID:5440
- C:\Windows\System32\IOgMuiS.exe
  C:\Windows\System32\IOgMuiS.exe
  2⤵
  PID:5464
- C:\Windows\System32\UnJZwkk.exe
  C:\Windows\System32\UnJZwkk.exe
  2⤵
  PID:5496
- C:\Windows\System32\TeFejOM.exe
  C:\Windows\System32\TeFejOM.exe
  2⤵
  PID:5524
- C:\Windows\System32\cTNGROk.exe
  C:\Windows\System32\cTNGROk.exe
  2⤵
  PID:5548
- C:\Windows\System32\oQZNFVX.exe
  C:\Windows\System32\oQZNFVX.exe
  2⤵
  PID:5584
- C:\Windows\System32\kbYWamo.exe
  C:\Windows\System32\kbYWamo.exe
  2⤵
  PID:5604
- C:\Windows\System32\aSFMvcS.exe
  C:\Windows\System32\aSFMvcS.exe
  2⤵
  PID:5632
- C:\Windows\System32\vTChYpv.exe
  C:\Windows\System32\vTChYpv.exe
  2⤵
  PID:5660
- C:\Windows\System32\hNWTQvP.exe
  C:\Windows\System32\hNWTQvP.exe
  2⤵
  PID:5688
- C:\Windows\System32\tBFNdeo.exe
  C:\Windows\System32\tBFNdeo.exe
  2⤵
  PID:5716
- C:\Windows\System32\WzXJmOm.exe
  C:\Windows\System32\WzXJmOm.exe
  2⤵
  PID:5752
- C:\Windows\System32\CaJNHXQ.exe
  C:\Windows\System32\CaJNHXQ.exe
  2⤵
  PID:5772
- C:\Windows\System32\KdWZErE.exe
  C:\Windows\System32\KdWZErE.exe
  2⤵
  PID:5788
- C:\Windows\System32\IgaQHHk.exe
  C:\Windows\System32\IgaQHHk.exe
  2⤵
  PID:5816
- C:\Windows\System32\Rzyenyv.exe
  C:\Windows\System32\Rzyenyv.exe
  2⤵
  PID:5836
- C:\Windows\System32\BwSNdAY.exe
  C:\Windows\System32\BwSNdAY.exe
  2⤵
  PID:5856
- C:\Windows\System32\nygDClN.exe
  C:\Windows\System32\nygDClN.exe
  2⤵
  PID:5872
- C:\Windows\System32\bSkHgmT.exe
  C:\Windows\System32\bSkHgmT.exe
  2⤵
  PID:5904
- C:\Windows\System32\mqmLLuj.exe
  C:\Windows\System32\mqmLLuj.exe
  2⤵
  PID:5928
- C:\Windows\System32\wFbcjxc.exe
  C:\Windows\System32\wFbcjxc.exe
  2⤵
  PID:5944
- C:\Windows\System32\LIVYoNH.exe
  C:\Windows\System32\LIVYoNH.exe
  2⤵
  PID:5972
- C:\Windows\System32\WxmchmR.exe
  C:\Windows\System32\WxmchmR.exe
  2⤵
  PID:6012
- C:\Windows\System32\ChuJBMr.exe
  C:\Windows\System32\ChuJBMr.exe
  2⤵
  PID:6068
- C:\Windows\System32\PinDvzO.exe
  C:\Windows\System32\PinDvzO.exe
  2⤵
  PID:6128
- C:\Windows\System32\cAxuTpO.exe
  C:\Windows\System32\cAxuTpO.exe
  2⤵
  PID:5628
- C:\Windows\System32\LcYayPg.exe
  C:\Windows\System32\LcYayPg.exe
  2⤵
  PID:5564
- C:\Windows\System32\NhxfWTU.exe
  C:\Windows\System32\NhxfWTU.exe
  2⤵
  PID:5508
- C:\Windows\System32\MzRjbur.exe
  C:\Windows\System32\MzRjbur.exe
  2⤵
  PID:5456
- C:\Windows\System32\PToaFqP.exe
  C:\Windows\System32\PToaFqP.exe
  2⤵
  PID:5376
- C:\Windows\System32\XRSFEaC.exe
  C:\Windows\System32\XRSFEaC.exe
  2⤵
  PID:5288
- C:\Windows\System32\sVNXVHn.exe
  C:\Windows\System32\sVNXVHn.exe
  2⤵
  PID:5252
- C:\Windows\System32\JKCyJIR.exe
  C:\Windows\System32\JKCyJIR.exe
  2⤵
  PID:5176
- C:\Windows\System32\zzhRCrZ.exe
  C:\Windows\System32\zzhRCrZ.exe
  2⤵
  PID:1524
- C:\Windows\System32\wHLGndO.exe
  C:\Windows\System32\wHLGndO.exe
  2⤵
  PID:3432
- C:\Windows\System32\jfPFNQX.exe
  C:\Windows\System32\jfPFNQX.exe
  2⤵
  PID:3504
- C:\Windows\System32\WlMDfCa.exe
  C:\Windows\System32\WlMDfCa.exe
  2⤵
  PID:388
- C:\Windows\System32\HjHMxCz.exe
  C:\Windows\System32\HjHMxCz.exe
  2⤵
  PID:5656
- C:\Windows\System32\ZYARtgC.exe
  C:\Windows\System32\ZYARtgC.exe
  2⤵
  PID:5108
- C:\Windows\System32\XrAjeiV.exe
  C:\Windows\System32\XrAjeiV.exe
  2⤵
  PID:5780
- C:\Windows\System32\DrDzTWd.exe
  C:\Windows\System32\DrDzTWd.exe
  2⤵
  PID:5812
- C:\Windows\System32\ePEVscK.exe
  C:\Windows\System32\ePEVscK.exe
  2⤵
  PID:2108
- C:\Windows\System32\NrGYlfd.exe
  C:\Windows\System32\NrGYlfd.exe
  2⤵
  PID:5964
- C:\Windows\System32\PzozeSv.exe
  C:\Windows\System32\PzozeSv.exe
  2⤵
  PID:6080
- C:\Windows\System32\fdzfYoL.exe
  C:\Windows\System32\fdzfYoL.exe
  2⤵
  PID:6060
- C:\Windows\System32\koLJGCm.exe
  C:\Windows\System32\koLJGCm.exe
  2⤵
  PID:6096
- C:\Windows\System32\mJJJhfn.exe
  C:\Windows\System32\mJJJhfn.exe
  2⤵
  PID:5540
- C:\Windows\System32\pycLYWS.exe
  C:\Windows\System32\pycLYWS.exe
  2⤵
  PID:5476
- C:\Windows\System32\nnWVZNl.exe
  C:\Windows\System32\nnWVZNl.exe
  2⤵
  PID:5396
- C:\Windows\System32\ycXxBSV.exe
  C:\Windows\System32\ycXxBSV.exe
  2⤵
  PID:5264
- C:\Windows\System32\ZJxhQBN.exe
  C:\Windows\System32\ZJxhQBN.exe
  2⤵
  PID:32
- C:\Windows\System32\fUsOFDU.exe
  C:\Windows\System32\fUsOFDU.exe
  2⤵
  PID:5060
- C:\Windows\System32\ffZdgIH.exe
  C:\Windows\System32\ffZdgIH.exe
  2⤵
  PID:5672
- C:\Windows\System32\LlahgqG.exe
  C:\Windows\System32\LlahgqG.exe
  2⤵
  PID:1000
- C:\Windows\System32\bmqVEpP.exe
  C:\Windows\System32\bmqVEpP.exe
  2⤵
  PID:832
- C:\Windows\System32\tuzIJDu.exe
  C:\Windows\System32\tuzIJDu.exe
  2⤵
  PID:2192
- C:\Windows\System32\QVBMZGa.exe
  C:\Windows\System32\QVBMZGa.exe
  2⤵
  PID:6116
- C:\Windows\System32\wNQXZwE.exe
  C:\Windows\System32\wNQXZwE.exe
  2⤵
  PID:5316
- C:\Windows\System32\YFSpxdP.exe
  C:\Windows\System32\YFSpxdP.exe
  2⤵
  PID:5172
- C:\Windows\System32\GCkOcvx.exe
  C:\Windows\System32\GCkOcvx.exe
  2⤵
  PID:220
- C:\Windows\System32\GSsTFOs.exe
  C:\Windows\System32\GSsTFOs.exe
  2⤵
  PID:5732
- C:\Windows\System32\cAIpcQW.exe
  C:\Windows\System32\cAIpcQW.exe
  2⤵
  PID:908
- C:\Windows\System32\WPBZyFl.exe
  C:\Windows\System32\WPBZyFl.exe
  2⤵
  PID:4432
- C:\Windows\System32\iGjCIPT.exe
  C:\Windows\System32\iGjCIPT.exe
  2⤵
  PID:5936
- C:\Windows\System32\jWLccEk.exe
  C:\Windows\System32\jWLccEk.exe
  2⤵
  PID:2484
- C:\Windows\System32\kWdSbaY.exe
  C:\Windows\System32\kWdSbaY.exe
  2⤵
  PID:6168
- C:\Windows\System32\gyckVik.exe
  C:\Windows\System32\gyckVik.exe
  2⤵
  PID:6188
- C:\Windows\System32\XzCJYdm.exe
  C:\Windows\System32\XzCJYdm.exe
  2⤵
  PID:6212
- C:\Windows\System32\IasmNzz.exe
  C:\Windows\System32\IasmNzz.exe
  2⤵
  PID:6260
- C:\Windows\System32\XctmYqY.exe
  C:\Windows\System32\XctmYqY.exe
  2⤵
  PID:6280
- C:\Windows\System32\TttkZVy.exe
  C:\Windows\System32\TttkZVy.exe
  2⤵
  PID:6304
- C:\Windows\System32\pkezobV.exe
  C:\Windows\System32\pkezobV.exe
  2⤵
  PID:6328
- C:\Windows\System32\HlNLHum.exe
  C:\Windows\System32\HlNLHum.exe
  2⤵
  PID:6348
- C:\Windows\System32\sCMjzLb.exe
  C:\Windows\System32\sCMjzLb.exe
  2⤵
  PID:6392
- C:\Windows\System32\LxygQcz.exe
  C:\Windows\System32\LxygQcz.exe
  2⤵
  PID:6432
- C:\Windows\System32\ETLbQyp.exe
  C:\Windows\System32\ETLbQyp.exe
  2⤵
  PID:6452
- C:\Windows\System32\lTckxhZ.exe
  C:\Windows\System32\lTckxhZ.exe
  2⤵
  PID:6468
- C:\Windows\System32\NttNaPV.exe
  C:\Windows\System32\NttNaPV.exe
  2⤵
  PID:6496
- C:\Windows\System32\zWtmVHE.exe
  C:\Windows\System32\zWtmVHE.exe
  2⤵
  PID:6512
- C:\Windows\System32\yZjIojs.exe
  C:\Windows\System32\yZjIojs.exe
  2⤵
  PID:6564
- C:\Windows\System32\ETuTisJ.exe
  C:\Windows\System32\ETuTisJ.exe
  2⤵
  PID:6588
- C:\Windows\System32\cfYFqMF.exe
  C:\Windows\System32\cfYFqMF.exe
  2⤵
  PID:6632
- C:\Windows\System32\wlrotJN.exe
  C:\Windows\System32\wlrotJN.exe
  2⤵
  PID:6660
- C:\Windows\System32\yERbSia.exe
  C:\Windows\System32\yERbSia.exe
  2⤵
  PID:6676
- C:\Windows\System32\OHKYkxq.exe
  C:\Windows\System32\OHKYkxq.exe
  2⤵
  PID:6720
- C:\Windows\System32\aKrpEpg.exe
  C:\Windows\System32\aKrpEpg.exe
  2⤵
  PID:6736
- C:\Windows\System32\bfYnRsW.exe
  C:\Windows\System32\bfYnRsW.exe
  2⤵
  PID:6760
- C:\Windows\System32\nnaGhPo.exe
  C:\Windows\System32\nnaGhPo.exe
  2⤵
  PID:6776
- C:\Windows\System32\WVvHHNj.exe
  C:\Windows\System32\WVvHHNj.exe
  2⤵
  PID:6800
- C:\Windows\System32\PBhIwCj.exe
  C:\Windows\System32\PBhIwCj.exe
  2⤵
  PID:6832
- C:\Windows\System32\sluEqaW.exe
  C:\Windows\System32\sluEqaW.exe
  2⤵
  PID:6876
- C:\Windows\System32\YWUEbuo.exe
  C:\Windows\System32\YWUEbuo.exe
  2⤵
  PID:6912
- C:\Windows\System32\fuYxFTB.exe
  C:\Windows\System32\fuYxFTB.exe
  2⤵
  PID:6936
- C:\Windows\System32\dZvxjvb.exe
  C:\Windows\System32\dZvxjvb.exe
  2⤵
  PID:6956
- C:\Windows\System32\NbXVoLq.exe
  C:\Windows\System32\NbXVoLq.exe
  2⤵
  PID:6984
- C:\Windows\System32\TJvLkiX.exe
  C:\Windows\System32\TJvLkiX.exe
  2⤵
  PID:7004
- C:\Windows\System32\lRmtasc.exe
  C:\Windows\System32\lRmtasc.exe
  2⤵
  PID:7028
- C:\Windows\System32\agSHPdR.exe
  C:\Windows\System32\agSHPdR.exe
  2⤵
  PID:7044
- C:\Windows\System32\YMAXefM.exe
  C:\Windows\System32\YMAXefM.exe
  2⤵
  PID:7064
- C:\Windows\System32\JbaJYLU.exe
  C:\Windows\System32\JbaJYLU.exe
  2⤵
  PID:7084
- C:\Windows\System32\sHupCYg.exe
  C:\Windows\System32\sHupCYg.exe
  2⤵
  PID:7144
- C:\Windows\System32\LhYGhyC.exe
  C:\Windows\System32\LhYGhyC.exe
  2⤵
  PID:5952
- C:\Windows\System32\DYqLgpd.exe
  C:\Windows\System32\DYqLgpd.exe
  2⤵
  PID:6160
- C:\Windows\System32\gsKMUUW.exe
  C:\Windows\System32\gsKMUUW.exe
  2⤵
  PID:6268
- C:\Windows\System32\GVJDmMf.exe
  C:\Windows\System32\GVJDmMf.exe
  2⤵
  PID:6344
- C:\Windows\System32\aTnDKQx.exe
  C:\Windows\System32\aTnDKQx.exe
  2⤵
  PID:6364
- C:\Windows\System32\qbeaXaM.exe
  C:\Windows\System32\qbeaXaM.exe
  2⤵
  PID:6420
- C:\Windows\System32\IAYRYke.exe
  C:\Windows\System32\IAYRYke.exe
  2⤵
  PID:6572
- C:\Windows\System32\VgSmDxR.exe
  C:\Windows\System32\VgSmDxR.exe
  2⤵
  PID:6612
- C:\Windows\System32\CwdpYbr.exe
  C:\Windows\System32\CwdpYbr.exe
  2⤵
  PID:6644
- C:\Windows\System32\vvGhiHO.exe
  C:\Windows\System32\vvGhiHO.exe
  2⤵
  PID:6772
- C:\Windows\System32\UYlXFAD.exe
  C:\Windows\System32\UYlXFAD.exe
  2⤵
  PID:6792
- C:\Windows\System32\HcDLYME.exe
  C:\Windows\System32\HcDLYME.exe
  2⤵
  PID:6872
- C:\Windows\System32\RHTWRPJ.exe
  C:\Windows\System32\RHTWRPJ.exe
  2⤵
  PID:6932
- C:\Windows\System32\WSFijrd.exe
  C:\Windows\System32\WSFijrd.exe
  2⤵
  PID:7024
- C:\Windows\System32\dBtUvLV.exe
  C:\Windows\System32\dBtUvLV.exe
  2⤵
  PID:6996
- C:\Windows\System32\mAyKfRA.exe
  C:\Windows\System32\mAyKfRA.exe
  2⤵
  PID:7160
- C:\Windows\System32\iNUruFV.exe
  C:\Windows\System32\iNUruFV.exe
  2⤵
  PID:6340
- C:\Windows\System32\oZRvNJN.exe
  C:\Windows\System32\oZRvNJN.exe
  2⤵
  PID:6376
- C:\Windows\System32\TWNeHdF.exe
  C:\Windows\System32\TWNeHdF.exe
  2⤵
  PID:6444
- C:\Windows\System32\pNgbpGr.exe
  C:\Windows\System32\pNgbpGr.exe
  2⤵
  PID:6648
- C:\Windows\System32\wVCDpVw.exe
  C:\Windows\System32\wVCDpVw.exe
  2⤵
  PID:6904
- C:\Windows\System32\LubSMiJ.exe
  C:\Windows\System32\LubSMiJ.exe
  2⤵
  PID:6852
- C:\Windows\System32\oBDqykN.exe
  C:\Windows\System32\oBDqykN.exe
  2⤵
  PID:6228
- C:\Windows\System32\pLzVjRP.exe
  C:\Windows\System32\pLzVjRP.exe
  2⤵
  PID:6812
- C:\Windows\System32\HOGuaPC.exe
  C:\Windows\System32\HOGuaPC.exe
  2⤵
  PID:6700
- C:\Windows\System32\aJsfxnF.exe
  C:\Windows\System32\aJsfxnF.exe
  2⤵
  PID:7080
- C:\Windows\System32\wxclWDz.exe
  C:\Windows\System32\wxclWDz.exe
  2⤵
  PID:6656
- C:\Windows\System32\zHADacW.exe
  C:\Windows\System32\zHADacW.exe
  2⤵
  PID:7188
- C:\Windows\System32\KYCcEcg.exe
  C:\Windows\System32\KYCcEcg.exe
  2⤵
  PID:7220
- C:\Windows\System32\xpGmhQo.exe
  C:\Windows\System32\xpGmhQo.exe
  2⤵
  PID:7236
- C:\Windows\System32\qfnCuBO.exe
  C:\Windows\System32\qfnCuBO.exe
  2⤵
  PID:7256
- C:\Windows\System32\jMQBPZN.exe
  C:\Windows\System32\jMQBPZN.exe
  2⤵
  PID:7284
- C:\Windows\System32\HlvuOWJ.exe
  C:\Windows\System32\HlvuOWJ.exe
  2⤵
  PID:7300
- C:\Windows\System32\xGLpMYW.exe
  C:\Windows\System32\xGLpMYW.exe
  2⤵
  PID:7356
- C:\Windows\System32\GHQhUcg.exe
  C:\Windows\System32\GHQhUcg.exe
  2⤵
  PID:7376
- C:\Windows\System32\EnuPOpR.exe
  C:\Windows\System32\EnuPOpR.exe
  2⤵
  PID:7420
- C:\Windows\System32\GZeqsMx.exe
  C:\Windows\System32\GZeqsMx.exe
  2⤵
  PID:7436
- C:\Windows\System32\HZBJuoS.exe
  C:\Windows\System32\HZBJuoS.exe
  2⤵
  PID:7456
- C:\Windows\System32\dNHoHEx.exe
  C:\Windows\System32\dNHoHEx.exe
  2⤵
  PID:7496
- C:\Windows\System32\DjIPZUA.exe
  C:\Windows\System32\DjIPZUA.exe
  2⤵
  PID:7544
- C:\Windows\System32\WCHUzli.exe
  C:\Windows\System32\WCHUzli.exe
  2⤵
  PID:7572
- C:\Windows\System32\ZfQgULj.exe
  C:\Windows\System32\ZfQgULj.exe
  2⤵
  PID:7604
- C:\Windows\System32\koCAViV.exe
  C:\Windows\System32\koCAViV.exe
  2⤵
  PID:7644
- C:\Windows\System32\UGVhqee.exe
  C:\Windows\System32\UGVhqee.exe
  2⤵
  PID:7672
- C:\Windows\System32\XfAtePu.exe
  C:\Windows\System32\XfAtePu.exe
  2⤵
  PID:7688
- C:\Windows\System32\TZozNzr.exe
  C:\Windows\System32\TZozNzr.exe
  2⤵
  PID:7716
- C:\Windows\System32\NQxbjvH.exe
  C:\Windows\System32\NQxbjvH.exe
  2⤵
  PID:7732
- C:\Windows\System32\KPekBXu.exe
  C:\Windows\System32\KPekBXu.exe
  2⤵
  PID:7780
- C:\Windows\System32\dZyjsXp.exe
  C:\Windows\System32\dZyjsXp.exe
  2⤵
  PID:7796
- C:\Windows\System32\AnTqqUN.exe
  C:\Windows\System32\AnTqqUN.exe
  2⤵
  PID:7816
- C:\Windows\System32\dzMcldW.exe
  C:\Windows\System32\dzMcldW.exe
  2⤵
  PID:7856
- C:\Windows\System32\JIUVWOB.exe
  C:\Windows\System32\JIUVWOB.exe
  2⤵
  PID:7876
- C:\Windows\System32\QJBunMR.exe
  C:\Windows\System32\QJBunMR.exe
  2⤵
  PID:7908
- C:\Windows\System32\pKdXlks.exe
  C:\Windows\System32\pKdXlks.exe
  2⤵
  PID:7948
- C:\Windows\System32\ufXxtZZ.exe
  C:\Windows\System32\ufXxtZZ.exe
  2⤵
  PID:7976
- C:\Windows\System32\usfjMEq.exe
  C:\Windows\System32\usfjMEq.exe
  2⤵
  PID:7992
- C:\Windows\System32\jvpVVLz.exe
  C:\Windows\System32\jvpVVLz.exe
  2⤵
  PID:8016
- C:\Windows\System32\DUgYChF.exe
  C:\Windows\System32\DUgYChF.exe
  2⤵
  PID:8048
- C:\Windows\System32\coulBPX.exe
  C:\Windows\System32\coulBPX.exe
  2⤵
  PID:8076
- C:\Windows\System32\alctJPM.exe
  C:\Windows\System32\alctJPM.exe
  2⤵
  PID:8116
- C:\Windows\System32\wTnBVhm.exe
  C:\Windows\System32\wTnBVhm.exe
  2⤵
  PID:8132
- C:\Windows\System32\dSPxoEm.exe
  C:\Windows\System32\dSPxoEm.exe
  2⤵
  PID:8152
- C:\Windows\System32\mGuJdTD.exe
  C:\Windows\System32\mGuJdTD.exe
  2⤵
  PID:8176
- C:\Windows\System32\QIrfdTl.exe
  C:\Windows\System32\QIrfdTl.exe
  2⤵
  PID:7232
- C:\Windows\System32\gALKpZA.exe
  C:\Windows\System32\gALKpZA.exe
  2⤵
  PID:7272
- C:\Windows\System32\gikMput.exe
  C:\Windows\System32\gikMput.exe
  2⤵
  PID:7248
- C:\Windows\System32\xlKmCUY.exe
  C:\Windows\System32\xlKmCUY.exe
  2⤵
  PID:7372
- C:\Windows\System32\aMdVcZi.exe
  C:\Windows\System32\aMdVcZi.exe
  2⤵
  PID:7480
- C:\Windows\System32\WNfFRlm.exe
  C:\Windows\System32\WNfFRlm.exe
  2⤵
  PID:7508
- C:\Windows\System32\ccMyxkP.exe
  C:\Windows\System32\ccMyxkP.exe
  2⤵
  PID:7588
- C:\Windows\System32\BYUuEAc.exe
  C:\Windows\System32\BYUuEAc.exe
  2⤵
  PID:7664
- C:\Windows\System32\rVWVzbt.exe
  C:\Windows\System32\rVWVzbt.exe
  2⤵
  PID:7712
- C:\Windows\System32\RphGkaA.exe
  C:\Windows\System32\RphGkaA.exe
  2⤵
  PID:7772
- C:\Windows\System32\WezoQAL.exe
  C:\Windows\System32\WezoQAL.exe
  2⤵
  PID:7844
- C:\Windows\System32\RzXqdxx.exe
  C:\Windows\System32\RzXqdxx.exe
  2⤵
  PID:7940
- C:\Windows\System32\Lqfedus.exe
  C:\Windows\System32\Lqfedus.exe
  2⤵
  PID:7988
- C:\Windows\System32\ocUniBI.exe
  C:\Windows\System32\ocUniBI.exe
  2⤵
  PID:8036
- C:\Windows\System32\BkratBx.exe
  C:\Windows\System32\BkratBx.exe
  2⤵
  PID:8108
- C:\Windows\System32\WkvxCRV.exe
  C:\Windows\System32\WkvxCRV.exe
  2⤵
  PID:6224
- C:\Windows\System32\UkwMDXb.exe
  C:\Windows\System32\UkwMDXb.exe
  2⤵
  PID:7324
- C:\Windows\System32\qalWzOs.exe
  C:\Windows\System32\qalWzOs.exe
  2⤵
  PID:7384
- C:\Windows\System32\APXCGPF.exe
  C:\Windows\System32\APXCGPF.exe
  2⤵
  PID:7520
- C:\Windows\System32\BUEJMbZ.exe
  C:\Windows\System32\BUEJMbZ.exe
  2⤵
  PID:7560
- C:\Windows\System32\PkpEEAV.exe
  C:\Windows\System32\PkpEEAV.exe
  2⤵
  PID:7696
- C:\Windows\System32\cdECOXq.exe
  C:\Windows\System32\cdECOXq.exe
  2⤵
  PID:6948
- C:\Windows\System32\romYbZf.exe
  C:\Windows\System32\romYbZf.exe
  2⤵
  PID:7184
- C:\Windows\System32\NnirUaY.exe
  C:\Windows\System32\NnirUaY.exe
  2⤵
  PID:7724
- C:\Windows\System32\rGKyDFl.exe
  C:\Windows\System32\rGKyDFl.exe
  2⤵
  PID:8028
- C:\Windows\System32\RAnCEsq.exe
  C:\Windows\System32\RAnCEsq.exe
  2⤵
  PID:7684
- C:\Windows\System32\lNzZRxL.exe
  C:\Windows\System32\lNzZRxL.exe
  2⤵
  PID:7896
- C:\Windows\System32\DCPmrpo.exe
  C:\Windows\System32\DCPmrpo.exe
  2⤵
  PID:8204
- C:\Windows\System32\dljYIeX.exe
  C:\Windows\System32\dljYIeX.exe
  2⤵
  PID:8224
- C:\Windows\System32\ANIWnFW.exe
  C:\Windows\System32\ANIWnFW.exe
  2⤵
  PID:8268
- C:\Windows\System32\XSaVVsV.exe
  C:\Windows\System32\XSaVVsV.exe
  2⤵
  PID:8296
- C:\Windows\System32\ptVktto.exe
  C:\Windows\System32\ptVktto.exe
  2⤵
  PID:8324
- C:\Windows\System32\REMllEI.exe
  C:\Windows\System32\REMllEI.exe
  2⤵
  PID:8352
- C:\Windows\System32\RuHqvUp.exe
  C:\Windows\System32\RuHqvUp.exe
  2⤵
  PID:8380
- C:\Windows\System32\SdVzRnE.exe
  C:\Windows\System32\SdVzRnE.exe
  2⤵
  PID:8404
- C:\Windows\System32\oftHvAk.exe
  C:\Windows\System32\oftHvAk.exe
  2⤵
  PID:8436
- C:\Windows\System32\TyNYLbH.exe
  C:\Windows\System32\TyNYLbH.exe
  2⤵
  PID:8464
- C:\Windows\System32\LbYyBpl.exe
  C:\Windows\System32\LbYyBpl.exe
  2⤵
  PID:8480
- C:\Windows\System32\LCSsLMN.exe
  C:\Windows\System32\LCSsLMN.exe
  2⤵
  PID:8524
- C:\Windows\System32\lKLGDRL.exe
  C:\Windows\System32\lKLGDRL.exe
  2⤵
  PID:8548
- C:\Windows\System32\EysmSAh.exe
  C:\Windows\System32\EysmSAh.exe
  2⤵
  PID:8572
- C:\Windows\System32\bbaPLKH.exe
  C:\Windows\System32\bbaPLKH.exe
  2⤵
  PID:8596
- C:\Windows\System32\KeLmRxX.exe
  C:\Windows\System32\KeLmRxX.exe
  2⤵
  PID:8636
- C:\Windows\System32\gXYhNgm.exe
  C:\Windows\System32\gXYhNgm.exe
  2⤵
  PID:8660
- C:\Windows\System32\pOGaRXQ.exe
  C:\Windows\System32\pOGaRXQ.exe
  2⤵
  PID:8676
- C:\Windows\System32\tZNOYru.exe
  C:\Windows\System32\tZNOYru.exe
  2⤵
  PID:8728
- C:\Windows\System32\OVrvhYS.exe
  C:\Windows\System32\OVrvhYS.exe
  2⤵
  PID:8748
- C:\Windows\System32\XyIDIEt.exe
  C:\Windows\System32\XyIDIEt.exe
  2⤵
  PID:8768
- C:\Windows\System32\GCiLUtF.exe
  C:\Windows\System32\GCiLUtF.exe
  2⤵
  PID:8804
- C:\Windows\System32\CsIkHUV.exe
  C:\Windows\System32\CsIkHUV.exe
  2⤵
  PID:8832
- C:\Windows\System32\gXCgJva.exe
  C:\Windows\System32\gXCgJva.exe
  2⤵
  PID:8856
- C:\Windows\System32\UasQcyT.exe
  C:\Windows\System32\UasQcyT.exe
  2⤵
  PID:8884
- C:\Windows\System32\yZMcZCz.exe
  C:\Windows\System32\yZMcZCz.exe
  2⤵
  PID:8900
- C:\Windows\System32\dcRfLaK.exe
  C:\Windows\System32\dcRfLaK.exe
  2⤵
  PID:8920
- C:\Windows\System32\IILcTNW.exe
  C:\Windows\System32\IILcTNW.exe
  2⤵
  PID:8944
- C:\Windows\System32\LxehkZV.exe
  C:\Windows\System32\LxehkZV.exe
  2⤵
  PID:8968
- C:\Windows\System32\EkCkYah.exe
  C:\Windows\System32\EkCkYah.exe
  2⤵
  PID:9000
- C:\Windows\System32\XRRcOlP.exe
  C:\Windows\System32\XRRcOlP.exe
  2⤵
  PID:9056
- C:\Windows\System32\EQFEAIi.exe
  C:\Windows\System32\EQFEAIi.exe
  2⤵
  PID:9092
- C:\Windows\System32\BxYxiTk.exe
  C:\Windows\System32\BxYxiTk.exe
  2⤵
  PID:9112
- C:\Windows\System32\kdovcVT.exe
  C:\Windows\System32\kdovcVT.exe
  2⤵
  PID:9136
- C:\Windows\System32\ZJArQdt.exe
  C:\Windows\System32\ZJArQdt.exe
  2⤵
  PID:9156
- C:\Windows\System32\QsUJJXs.exe
  C:\Windows\System32\QsUJJXs.exe
  2⤵
  PID:9184
- C:\Windows\System32\avxALkt.exe
  C:\Windows\System32\avxALkt.exe
  2⤵
  PID:9204
- C:\Windows\System32\EcVszuw.exe
  C:\Windows\System32\EcVszuw.exe
  2⤵
  PID:8260
- C:\Windows\System32\KPFfczH.exe
  C:\Windows\System32\KPFfczH.exe
  2⤵
  PID:8336
- C:\Windows\System32\RLadCEg.exe
  C:\Windows\System32\RLadCEg.exe
  2⤵
  PID:8400
- C:\Windows\System32\wfoVDMp.exe
  C:\Windows\System32\wfoVDMp.exe
  2⤵
  PID:8476
- C:\Windows\System32\vTXFhcB.exe
  C:\Windows\System32\vTXFhcB.exe
  2⤵
  PID:8520
- C:\Windows\System32\laQqxfq.exe
  C:\Windows\System32\laQqxfq.exe
  2⤵
  PID:8592
- C:\Windows\System32\bZYjFwi.exe
  C:\Windows\System32\bZYjFwi.exe
  2⤵
  PID:8652
- C:\Windows\System32\QWcLwwH.exe
  C:\Windows\System32\QWcLwwH.exe
  2⤵
  PID:8740
- C:\Windows\System32\nCKzFJc.exe
  C:\Windows\System32\nCKzFJc.exe
  2⤵
  PID:8780
- C:\Windows\System32\ALUAUMN.exe
  C:\Windows\System32\ALUAUMN.exe
  2⤵
  PID:8816
- C:\Windows\System32\BlAsfWS.exe
  C:\Windows\System32\BlAsfWS.exe
  2⤵
  PID:8872
- C:\Windows\System32\fnwGgga.exe
  C:\Windows\System32\fnwGgga.exe
  2⤵
  PID:9028
- C:\Windows\System32\kIRsCWT.exe
  C:\Windows\System32\kIRsCWT.exe
  2⤵
  PID:9052
- C:\Windows\System32\CIMjVDN.exe
  C:\Windows\System32\CIMjVDN.exe
  2⤵
  PID:9148
- C:\Windows\System32\tHkbZhV.exe
  C:\Windows\System32\tHkbZhV.exe
  2⤵
  PID:9200
- C:\Windows\System32\KiofOar.exe
  C:\Windows\System32\KiofOar.exe
  2⤵
  PID:8280
- C:\Windows\System32\pCepYhY.exe
  C:\Windows\System32\pCepYhY.exe
  2⤵
  PID:8392
- C:\Windows\System32\IYAjMvi.exe
  C:\Windows\System32\IYAjMvi.exe
  2⤵
  PID:8508
- C:\Windows\System32\LjKnFBI.exe
  C:\Windows\System32\LjKnFBI.exe
  2⤵
  PID:8172
- C:\Windows\System32\pKhuJfl.exe
  C:\Windows\System32\pKhuJfl.exe
  2⤵
  PID:8940
- C:\Windows\System32\ehXqZJv.exe
  C:\Windows\System32\ehXqZJv.exe
  2⤵
  PID:9144
- C:\Windows\System32\GqqxcKm.exe
  C:\Windows\System32\GqqxcKm.exe
  2⤵
  PID:8292
- C:\Windows\System32\QzHrAfp.exe
  C:\Windows\System32\QzHrAfp.exe
  2⤵
  PID:8616
- C:\Windows\System32\enVrgkx.exe
  C:\Windows\System32\enVrgkx.exe
  2⤵
  PID:9100
- C:\Windows\System32\tgVgoFF.exe
  C:\Windows\System32\tgVgoFF.exe
  2⤵
  PID:9180
- C:\Windows\System32\fzevUAm.exe
  C:\Windows\System32\fzevUAm.exe
  2⤵
  PID:8912
- C:\Windows\System32\YFauTwn.exe
  C:\Windows\System32\YFauTwn.exe
  2⤵
  PID:9240
- C:\Windows\System32\HKgwnKA.exe
  C:\Windows\System32\HKgwnKA.exe
  2⤵
  PID:9276
- C:\Windows\System32\rDwvIXF.exe
  C:\Windows\System32\rDwvIXF.exe
  2⤵
  PID:9292
- C:\Windows\System32\tcpnucK.exe
  C:\Windows\System32\tcpnucK.exe
  2⤵
  PID:9320
- C:\Windows\System32\myUhnzp.exe
  C:\Windows\System32\myUhnzp.exe
  2⤵
  PID:9340
- C:\Windows\System32\aNKJdmR.exe
  C:\Windows\System32\aNKJdmR.exe
  2⤵
  PID:9356
- C:\Windows\System32\CnIghoW.exe
  C:\Windows\System32\CnIghoW.exe
  2⤵
  PID:9392
- C:\Windows\System32\jDpNfha.exe
  C:\Windows\System32\jDpNfha.exe
  2⤵
  PID:9412
- C:\Windows\System32\qwLHwbM.exe
  C:\Windows\System32\qwLHwbM.exe
  2⤵
  PID:9460
- C:\Windows\System32\bvAMhLI.exe
  C:\Windows\System32\bvAMhLI.exe
  2⤵
  PID:9480
- C:\Windows\System32\CmCqkjK.exe
  C:\Windows\System32\CmCqkjK.exe
  2⤵
  PID:9516
- C:\Windows\System32\XrudQXr.exe
  C:\Windows\System32\XrudQXr.exe
  2⤵
  PID:9560
- C:\Windows\System32\RcqwTFA.exe
  C:\Windows\System32\RcqwTFA.exe
  2⤵
  PID:9580
- C:\Windows\System32\QODmQEE.exe
  C:\Windows\System32\QODmQEE.exe
  2⤵
  PID:9604
- C:\Windows\System32\ZIMocxJ.exe
  C:\Windows\System32\ZIMocxJ.exe
  2⤵
  PID:9640
- C:\Windows\System32\VFTZXVM.exe
  C:\Windows\System32\VFTZXVM.exe
  2⤵
  PID:9672
- C:\Windows\System32\HYGfmvF.exe
  C:\Windows\System32\HYGfmvF.exe
  2⤵
  PID:9696
- C:\Windows\System32\obbEMxY.exe
  C:\Windows\System32\obbEMxY.exe
  2⤵
  PID:9724
- C:\Windows\System32\PzJsAXa.exe
  C:\Windows\System32\PzJsAXa.exe
  2⤵
  PID:9748
- C:\Windows\System32\zyRyPAA.exe
  C:\Windows\System32\zyRyPAA.exe
  2⤵
  PID:9772
- C:\Windows\System32\zWpqjLE.exe
  C:\Windows\System32\zWpqjLE.exe
  2⤵
  PID:9792
- C:\Windows\System32\FUvauja.exe
  C:\Windows\System32\FUvauja.exe
  2⤵
  PID:9808
- C:\Windows\System32\dAtGAAl.exe
  C:\Windows\System32\dAtGAAl.exe
  2⤵
  PID:9836
- C:\Windows\System32\koIeRbi.exe
  C:\Windows\System32\koIeRbi.exe
  2⤵
  PID:9856
- C:\Windows\System32\DVltUQa.exe
  C:\Windows\System32\DVltUQa.exe
  2⤵
  PID:9896
- C:\Windows\System32\pDLOuZp.exe
  C:\Windows\System32\pDLOuZp.exe
  2⤵
  PID:9920
- C:\Windows\System32\oSGhCgx.exe
  C:\Windows\System32\oSGhCgx.exe
  2⤵
  PID:9956
- C:\Windows\System32\mRFYQdR.exe
  C:\Windows\System32\mRFYQdR.exe
  2⤵
  PID:9988
- C:\Windows\System32\YvPasIo.exe
  C:\Windows\System32\YvPasIo.exe
  2⤵
  PID:10024
- C:\Windows\System32\nDtUgiH.exe
  C:\Windows\System32\nDtUgiH.exe
  2⤵
  PID:10060
- C:\Windows\System32\mHBFRFm.exe
  C:\Windows\System32\mHBFRFm.exe
  2⤵
  PID:10088
- C:\Windows\System32\YojPOWz.exe
  C:\Windows\System32\YojPOWz.exe
  2⤵
  PID:10104
- C:\Windows\System32\QHyPgHd.exe
  C:\Windows\System32\QHyPgHd.exe
  2⤵
  PID:10124
- C:\Windows\System32\oOECGxo.exe
  C:\Windows\System32\oOECGxo.exe
  2⤵
  PID:10160
- C:\Windows\System32\DBrTStn.exe
  C:\Windows\System32\DBrTStn.exe
  2⤵
  PID:10192
- C:\Windows\System32\yyyUVmS.exe
  C:\Windows\System32\yyyUVmS.exe
  2⤵
  PID:10232
- C:\Windows\System32\YQbmpZX.exe
  C:\Windows\System32\YQbmpZX.exe
  2⤵
  PID:9232
- C:\Windows\System32\BHsDRNs.exe
  C:\Windows\System32\BHsDRNs.exe
  2⤵
  PID:9268
- C:\Windows\System32\fevZxuU.exe
  C:\Windows\System32\fevZxuU.exe
  2⤵
  PID:9348
- C:\Windows\System32\NbMftPK.exe
  C:\Windows\System32\NbMftPK.exe
  2⤵
  PID:9376
- C:\Windows\System32\oDMSZSF.exe
  C:\Windows\System32\oDMSZSF.exe
  2⤵
  PID:9472
- C:\Windows\System32\XecnPin.exe
  C:\Windows\System32\XecnPin.exe
  2⤵
  PID:9496
- C:\Windows\System32\RbPXteM.exe
  C:\Windows\System32\RbPXteM.exe
  2⤵
  PID:9588
- C:\Windows\System32\jesjCln.exe
  C:\Windows\System32\jesjCln.exe
  2⤵
  PID:9648
- C:\Windows\System32\zbnWJvR.exe
  C:\Windows\System32\zbnWJvR.exe
  2⤵
  PID:9768
- C:\Windows\System32\fHkgyAp.exe
  C:\Windows\System32\fHkgyAp.exe
  2⤵
  PID:9800
- C:\Windows\System32\LsXhTrY.exe
  C:\Windows\System32\LsXhTrY.exe
  2⤵
  PID:9844
- C:\Windows\System32\CSgEDdT.exe
  C:\Windows\System32\CSgEDdT.exe
  2⤵
  PID:9928
- C:\Windows\System32\PuBivko.exe
  C:\Windows\System32\PuBivko.exe
  2⤵
  PID:10052
- C:\Windows\System32\GDaobic.exe
  C:\Windows\System32\GDaobic.exe
  2⤵
  PID:10076
- C:\Windows\System32\DzNyuRf.exe
  C:\Windows\System32\DzNyuRf.exe
  2⤵
  PID:10116
- C:\Windows\System32\jKInkiM.exe
  C:\Windows\System32\jKInkiM.exe
  2⤵
  PID:10172
- C:\Windows\System32\GCyOZrW.exe
  C:\Windows\System32\GCyOZrW.exe
  2⤵
  PID:8284
- C:\Windows\System32\ZPirXVn.exe
  C:\Windows\System32\ZPirXVn.exe
  2⤵
  PID:9380
- C:\Windows\System32\CfQmjkg.exe
  C:\Windows\System32\CfQmjkg.exe
  2⤵
  PID:9332
- C:\Windows\System32\OmtSPxJ.exe
  C:\Windows\System32\OmtSPxJ.exe
  2⤵
  PID:9576
- C:\Windows\System32\iOdtxHM.exe
  C:\Windows\System32\iOdtxHM.exe
  2⤵
  PID:9740
- C:\Windows\System32\SExJoFc.exe
  C:\Windows\System32\SExJoFc.exe
  2⤵
  PID:10020
- C:\Windows\System32\vSwGaMF.exe
  C:\Windows\System32\vSwGaMF.exe
  2⤵
  PID:2688
- C:\Windows\System32\cvYEAlc.exe
  C:\Windows\System32\cvYEAlc.exe
  2⤵
  PID:10180
- C:\Windows\System32\zKiFFsX.exe
  C:\Windows\System32\zKiFFsX.exe
  2⤵
  PID:9704
- C:\Windows\System32\OCVepHM.exe
  C:\Windows\System32\OCVepHM.exe
  2⤵
  PID:10080
- C:\Windows\System32\CUkZBef.exe
  C:\Windows\System32\CUkZBef.exe
  2⤵
  PID:9716
- C:\Windows\System32\iGvpQKu.exe
  C:\Windows\System32\iGvpQKu.exe
  2⤵
  PID:10144
- C:\Windows\System32\BuRuhgt.exe
  C:\Windows\System32\BuRuhgt.exe
  2⤵
  PID:10260
- C:\Windows\System32\tcvgCmI.exe
  C:\Windows\System32\tcvgCmI.exe
  2⤵
  PID:10296
- C:\Windows\System32\nmQLUPD.exe
  C:\Windows\System32\nmQLUPD.exe
  2⤵
  PID:10328
- C:\Windows\System32\oyDwTzd.exe
  C:\Windows\System32\oyDwTzd.exe
  2⤵
  PID:10356
- C:\Windows\System32\ucUwRcW.exe
  C:\Windows\System32\ucUwRcW.exe
  2⤵
  PID:10380
- C:\Windows\System32\vxMyzsX.exe
  C:\Windows\System32\vxMyzsX.exe
  2⤵
  PID:10404
- C:\Windows\System32\yggGyMq.exe
  C:\Windows\System32\yggGyMq.exe
  2⤵
  PID:10424
- C:\Windows\System32\bOWNGoD.exe
  C:\Windows\System32\bOWNGoD.exe
  2⤵
  PID:10444
- C:\Windows\System32\ZUdITMS.exe
  C:\Windows\System32\ZUdITMS.exe
  2⤵
  PID:10496
- C:\Windows\System32\YcmmrEn.exe
  C:\Windows\System32\YcmmrEn.exe
  2⤵
  PID:10536
- C:\Windows\System32\DSSqsrl.exe
  C:\Windows\System32\DSSqsrl.exe
  2⤵
  PID:10556
- C:\Windows\System32\XGMLThI.exe
  C:\Windows\System32\XGMLThI.exe
  2⤵
  PID:10580
- C:\Windows\System32\nGQFHqs.exe
  C:\Windows\System32\nGQFHqs.exe
  2⤵
  PID:10608
- C:\Windows\System32\qdHDavG.exe
  C:\Windows\System32\qdHDavG.exe
  2⤵
  PID:10628
- C:\Windows\System32\QQpyHaG.exe
  C:\Windows\System32\QQpyHaG.exe
  2⤵
  PID:10644
- C:\Windows\System32\ZQnQRDx.exe
  C:\Windows\System32\ZQnQRDx.exe
  2⤵
  PID:10672
- C:\Windows\System32\aQlvNFa.exe
  C:\Windows\System32\aQlvNFa.exe
  2⤵
  PID:10692
- C:\Windows\System32\SglcmIZ.exe
  C:\Windows\System32\SglcmIZ.exe
  2⤵
  PID:10748
- C:\Windows\System32\KkNotRz.exe
  C:\Windows\System32\KkNotRz.exe
  2⤵
  PID:10776
- C:\Windows\System32\zaGmjpA.exe
  C:\Windows\System32\zaGmjpA.exe
  2⤵
  PID:10816
- C:\Windows\System32\YMQdFBr.exe
  C:\Windows\System32\YMQdFBr.exe
  2⤵
  PID:10844
- C:\Windows\System32\RknMaFG.exe
  C:\Windows\System32\RknMaFG.exe
  2⤵
  PID:10876
- C:\Windows\System32\zotMZrI.exe
  C:\Windows\System32\zotMZrI.exe
  2⤵
  PID:10900
- C:\Windows\System32\jBqxKxz.exe
  C:\Windows\System32\jBqxKxz.exe
  2⤵
  PID:10936
- C:\Windows\System32\hNArVFw.exe
  C:\Windows\System32\hNArVFw.exe
  2⤵
  PID:10952
- C:\Windows\System32\OjAyjvL.exe
  C:\Windows\System32\OjAyjvL.exe
  2⤵
  PID:10980
- C:\Windows\System32\DrygXlb.exe
  C:\Windows\System32\DrygXlb.exe
  2⤵
  PID:11000
- C:\Windows\System32\NkNhGZi.exe
  C:\Windows\System32\NkNhGZi.exe
  2⤵
  PID:11020
- C:\Windows\System32\hTRucXW.exe
  C:\Windows\System32\hTRucXW.exe
  2⤵
  PID:11048
- C:\Windows\System32\yfcMSPH.exe
  C:\Windows\System32\yfcMSPH.exe
  2⤵
  PID:11104
- C:\Windows\System32\WdpmIsh.exe
  C:\Windows\System32\WdpmIsh.exe
  2⤵
  PID:11120
- C:\Windows\System32\KUnFOyL.exe
  C:\Windows\System32\KUnFOyL.exe
  2⤵
  PID:11136
- C:\Windows\System32\TAHRlmO.exe
  C:\Windows\System32\TAHRlmO.exe
  2⤵
  PID:11168
- C:\Windows\System32\ckDBUKd.exe
  C:\Windows\System32\ckDBUKd.exe
  2⤵
  PID:11208
- C:\Windows\System32\kLvAAIz.exe
  C:\Windows\System32\kLvAAIz.exe
  2⤵
  PID:11236
- C:\Windows\System32\VlnYOnK.exe
  C:\Windows\System32\VlnYOnK.exe
  2⤵
  PID:11260
- C:\Windows\System32\ZrUxIGF.exe
  C:\Windows\System32\ZrUxIGF.exe
  2⤵
  PID:9336
- C:\Windows\System32\UKMNVju.exe
  C:\Windows\System32\UKMNVju.exe
  2⤵
  PID:10324
- C:\Windows\System32\dvFBIKf.exe
  C:\Windows\System32\dvFBIKf.exe
  2⤵
  PID:10388
- C:\Windows\System32\ZAeoymd.exe
  C:\Windows\System32\ZAeoymd.exe
  2⤵
  PID:10416
- C:\Windows\System32\zVeqZpp.exe
  C:\Windows\System32\zVeqZpp.exe
  2⤵
  PID:10512
- C:\Windows\System32\wFSZdKd.exe
  C:\Windows\System32\wFSZdKd.exe
  2⤵
  PID:10552
- C:\Windows\System32\EgiSUST.exe
  C:\Windows\System32\EgiSUST.exe
  2⤵
  PID:10620
- C:\Windows\System32\swonAjj.exe
  C:\Windows\System32\swonAjj.exe
  2⤵
  PID:10660
- C:\Windows\System32\JmIiYRo.exe
  C:\Windows\System32\JmIiYRo.exe
  2⤵
  PID:10804
- C:\Windows\System32\xboYQaI.exe
  C:\Windows\System32\xboYQaI.exe
  2⤵
  PID:10856
- C:\Windows\System32\KaDOPvX.exe
  C:\Windows\System32\KaDOPvX.exe
  2⤵
  PID:10916
- C:\Windows\System32\sRjqhgs.exe
  C:\Windows\System32\sRjqhgs.exe
  2⤵
  PID:11016
- C:\Windows\System32\oKOxMbw.exe
  C:\Windows\System32\oKOxMbw.exe
  2⤵
  PID:11084
- C:\Windows\System32\asHPwzJ.exe
  C:\Windows\System32\asHPwzJ.exe
  2⤵
  PID:11116
- C:\Windows\System32\fOvrNrr.exe
  C:\Windows\System32\fOvrNrr.exe
  2⤵
  PID:11164
- C:\Windows\System32\PHpLpNB.exe
  C:\Windows\System32\PHpLpNB.exe
  2⤵
  PID:10548
- C:\Windows\System32\wqnvYhK.exe
  C:\Windows\System32\wqnvYhK.exe
  2⤵
  PID:10688
- C:\Windows\System32\faHkpIN.exe
  C:\Windows\System32\faHkpIN.exe
  2⤵
  PID:11036
- C:\Windows\System32\OmGuDot.exe
  C:\Windows\System32\OmGuDot.exe
  2⤵
  PID:11180
- C:\Windows\System32\aNcGSnR.exe
  C:\Windows\System32\aNcGSnR.exe
  2⤵
  PID:9952
- C:\Windows\System32\HEMGmzD.exe
  C:\Windows\System32\HEMGmzD.exe
  2⤵
  PID:10392
- C:\Windows\System32\ckDxLGI.exe
  C:\Windows\System32\ckDxLGI.exe
  2⤵
  PID:10248
- C:\Windows\System32\gcDvDGf.exe
  C:\Windows\System32\gcDvDGf.exe
  2⤵
  PID:10472
- C:\Windows\System32\JePmMpM.exe
  C:\Windows\System32\JePmMpM.exe
  2⤵
  PID:11276
- C:\Windows\System32\ieHcAAy.exe
  C:\Windows\System32\ieHcAAy.exe
  2⤵
  PID:11296
- C:\Windows\System32\EzAZfmR.exe
  C:\Windows\System32\EzAZfmR.exe
  2⤵
  PID:11328
- C:\Windows\System32\mznFsXr.exe
  C:\Windows\System32\mznFsXr.exe
  2⤵
  PID:11400
- C:\Windows\System32\DOOubvz.exe
  C:\Windows\System32\DOOubvz.exe
  2⤵
  PID:11424
- C:\Windows\System32\arNLVAp.exe
  C:\Windows\System32\arNLVAp.exe
  2⤵
  PID:11456
- C:\Windows\System32\bewqkEh.exe
  C:\Windows\System32\bewqkEh.exe
  2⤵
  PID:11500
- C:\Windows\System32\cKddWJd.exe
  C:\Windows\System32\cKddWJd.exe
  2⤵
  PID:11568
- C:\Windows\System32\bLUpFSR.exe
  C:\Windows\System32\bLUpFSR.exe
  2⤵
  PID:11588
- C:\Windows\System32\MSuEekK.exe
  C:\Windows\System32\MSuEekK.exe
  2⤵
  PID:11608
- C:\Windows\System32\vDSaBaI.exe
  C:\Windows\System32\vDSaBaI.exe
  2⤵
  PID:11628
- C:\Windows\System32\iFgEcZE.exe
  C:\Windows\System32\iFgEcZE.exe
  2⤵
  PID:11652
- C:\Windows\System32\cpQzVjY.exe
  C:\Windows\System32\cpQzVjY.exe
  2⤵
  PID:11696
- C:\Windows\System32\vQDATuu.exe
  C:\Windows\System32\vQDATuu.exe
  2⤵
  PID:11728
- C:\Windows\System32\FJdBroT.exe
  C:\Windows\System32\FJdBroT.exe
  2⤵
  PID:11760
- C:\Windows\System32\NvvoPcR.exe
  C:\Windows\System32\NvvoPcR.exe
  2⤵
  PID:11784
- C:\Windows\System32\tIbKAcj.exe
  C:\Windows\System32\tIbKAcj.exe
  2⤵
  PID:11800
- C:\Windows\System32\ThLhFhD.exe
  C:\Windows\System32\ThLhFhD.exe
  2⤵
  PID:11820
- C:\Windows\System32\gGczROX.exe
  C:\Windows\System32\gGczROX.exe
  2⤵
  PID:11868
- C:\Windows\System32\vaJnvjC.exe
  C:\Windows\System32\vaJnvjC.exe
  2⤵
  PID:11884
- C:\Windows\System32\Orssrwb.exe
  C:\Windows\System32\Orssrwb.exe
  2⤵
  PID:11912
- C:\Windows\System32\APFzVFR.exe
  C:\Windows\System32\APFzVFR.exe
  2⤵
  PID:11960
- C:\Windows\System32\YFNnfCT.exe
  C:\Windows\System32\YFNnfCT.exe
  2⤵
  PID:11980
- C:\Windows\System32\WGZJKqd.exe
  C:\Windows\System32\WGZJKqd.exe
  2⤵
  PID:12004
- C:\Windows\System32\nMGRRPS.exe
  C:\Windows\System32\nMGRRPS.exe
  2⤵
  PID:12020
- C:\Windows\System32\LSKSVed.exe
  C:\Windows\System32\LSKSVed.exe
  2⤵
  PID:12044
- C:\Windows\System32\ZCbDrVT.exe
  C:\Windows\System32\ZCbDrVT.exe
  2⤵
  PID:12088
- C:\Windows\System32\FTuCjjg.exe
  C:\Windows\System32\FTuCjjg.exe
  2⤵
  PID:12104
- C:\Windows\System32\PaKSaup.exe
  C:\Windows\System32\PaKSaup.exe
  2⤵
  PID:12124
- C:\Windows\System32\CkbwuuX.exe
  C:\Windows\System32\CkbwuuX.exe
  2⤵
  PID:12152
- C:\Windows\System32\BNrvQvd.exe
  C:\Windows\System32\BNrvQvd.exe
  2⤵
  PID:12184
- C:\Windows\System32\XhMkKod.exe
  C:\Windows\System32\XhMkKod.exe
  2⤵
  PID:12200
- C:\Windows\System32\bLKBRlx.exe
  C:\Windows\System32\bLKBRlx.exe
  2⤵
  PID:12220
- C:\Windows\System32\fnqgjjl.exe
  C:\Windows\System32\fnqgjjl.exe
  2⤵
  PID:12268
- C:\Windows\System32\UqYvEly.exe
  C:\Windows\System32\UqYvEly.exe
  2⤵
  PID:10664
- C:\Windows\System32\hSQCDEm.exe
  C:\Windows\System32\hSQCDEm.exe
  2⤵
  PID:10256
- C:\Windows\System32\NNFkwFc.exe
  C:\Windows\System32\NNFkwFc.exe
  2⤵
  PID:10396
- C:\Windows\System32\qjNDDzl.exe
  C:\Windows\System32\qjNDDzl.exe
  2⤵
  PID:11320
- C:\Windows\System32\VqXuqBN.exe
  C:\Windows\System32\VqXuqBN.exe
  2⤵
  PID:11112
- C:\Windows\System32\hxamkpn.exe
  C:\Windows\System32\hxamkpn.exe
  2⤵
  PID:11228
- C:\Windows\System32\ArplJhk.exe
  C:\Windows\System32\ArplJhk.exe
  2⤵
  PID:11452
- C:\Windows\System32\zoLKjJU.exe
  C:\Windows\System32\zoLKjJU.exe
  2⤵
  PID:11412
- C:\Windows\System32\ljskGey.exe
  C:\Windows\System32\ljskGey.exe
  2⤵
  PID:11604
- C:\Windows\System32\aiLpNUp.exe
  C:\Windows\System32\aiLpNUp.exe
  2⤵
  PID:11624
- C:\Windows\System32\vJNOafd.exe
  C:\Windows\System32\vJNOafd.exe
  2⤵
  PID:11720
- C:\Windows\System32\NGMuaJq.exe
  C:\Windows\System32\NGMuaJq.exe
  2⤵
  PID:11752
- C:\Windows\System32\uoOysRz.exe
  C:\Windows\System32\uoOysRz.exe
  2⤵
  PID:11792
- C:\Windows\System32\NJCyHtm.exe
  C:\Windows\System32\NJCyHtm.exe
  2⤵
  PID:11836
- C:\Windows\System32\MpxHsLQ.exe
  C:\Windows\System32\MpxHsLQ.exe
  2⤵
  PID:11928
- C:\Windows\System32\jZiVuJk.exe
  C:\Windows\System32\jZiVuJk.exe
  2⤵
  PID:12016
- C:\Windows\System32\ahtokou.exe
  C:\Windows\System32\ahtokou.exe
  2⤵
  PID:12116
- C:\Windows\System32\ZKfogXD.exe
  C:\Windows\System32\ZKfogXD.exe
  2⤵
  PID:12100
- C:\Windows\System32\nUTWiuK.exe
  C:\Windows\System32\nUTWiuK.exe
  2⤵
  PID:12216
- C:\Windows\System32\oAsPiHV.exe
  C:\Windows\System32\oAsPiHV.exe
  2⤵
  PID:12284
- C:\Windows\System32\YOyMdCz.exe
  C:\Windows\System32\YOyMdCz.exe
  2⤵
  PID:11204
- C:\Windows\System32\TODFvDf.exe
  C:\Windows\System32\TODFvDf.exe
  2⤵
  PID:10348
- C:\Windows\System32\PauKzdw.exe
  C:\Windows\System32\PauKzdw.exe
  2⤵
  PID:11392
- C:\Windows\System32\QXKVnhL.exe
  C:\Windows\System32\QXKVnhL.exe
  2⤵
  PID:11560
- C:\Windows\System32\McRMooS.exe
  C:\Windows\System32\McRMooS.exe
  2⤵
  PID:11708
- C:\Windows\System32\AcQiLsN.exe
  C:\Windows\System32\AcQiLsN.exe
  2⤵
  PID:11776
- C:\Windows\System32\yUJkEvU.exe
  C:\Windows\System32\yUJkEvU.exe
  2⤵
  PID:11900
- C:\Windows\System32\ghgvofY.exe
  C:\Windows\System32\ghgvofY.exe
  2⤵
  PID:12176
- C:\Windows\System32\jwXTNyE.exe
  C:\Windows\System32\jwXTNyE.exe
  2⤵
  PID:12232
- C:\Windows\System32\fbYGaHx.exe
  C:\Windows\System32\fbYGaHx.exe
  2⤵
  PID:2176
- C:\Windows\System32\lXRAala.exe
  C:\Windows\System32\lXRAala.exe
  2⤵
  PID:10760
- C:\Windows\System32\LOiArac.exe
  C:\Windows\System32\LOiArac.exe
  2⤵
  PID:10436
- C:\Windows\System32\ajUsqKV.exe
  C:\Windows\System32\ajUsqKV.exe
  2⤵
  PID:11772
- C:\Windows\System32\AhfRxFt.exe
  C:\Windows\System32\AhfRxFt.exe
  2⤵
  PID:12076
- C:\Windows\System32\APjrlbn.exe
  C:\Windows\System32\APjrlbn.exe
  2⤵
  PID:2356
- C:\Windows\System32\SmsjxYb.exe
  C:\Windows\System32\SmsjxYb.exe
  2⤵
  PID:11584
- C:\Windows\System32\XNjBSdS.exe
  C:\Windows\System32\XNjBSdS.exe
  2⤵
  PID:12300
- C:\Windows\System32\WadgoqL.exe
  C:\Windows\System32\WadgoqL.exe
  2⤵
  PID:12324
- C:\Windows\System32\hKmJwfs.exe
  C:\Windows\System32\hKmJwfs.exe
  2⤵
  PID:12344
- C:\Windows\System32\StvRyKP.exe
  C:\Windows\System32\StvRyKP.exe
  2⤵
  PID:12388
- C:\Windows\System32\SfbGJhX.exe
  C:\Windows\System32\SfbGJhX.exe
  2⤵
  PID:12404
- C:\Windows\System32\ATYODuJ.exe
  C:\Windows\System32\ATYODuJ.exe
  2⤵
  PID:12432
- C:\Windows\System32\WsJOSjS.exe
  C:\Windows\System32\WsJOSjS.exe
  2⤵
  PID:12460
- C:\Windows\System32\paRAtkk.exe
  C:\Windows\System32\paRAtkk.exe
  2⤵
  PID:12512
- C:\Windows\System32\PHOjLuT.exe
  C:\Windows\System32\PHOjLuT.exe
  2⤵
  PID:12536
- C:\Windows\System32\YlXQpFI.exe
  C:\Windows\System32\YlXQpFI.exe
  2⤵
  PID:12552
- C:\Windows\System32\jwxrebn.exe
  C:\Windows\System32\jwxrebn.exe
  2⤵
  PID:12596
- C:\Windows\System32\IlRyneX.exe
  C:\Windows\System32\IlRyneX.exe
  2⤵
  PID:12628
- C:\Windows\System32\ElwLCCW.exe
  C:\Windows\System32\ElwLCCW.exe
  2⤵
  PID:12660
- C:\Windows\System32\ocaclRD.exe
  C:\Windows\System32\ocaclRD.exe
  2⤵
  PID:12676
- C:\Windows\System32\ITUPPHo.exe
  C:\Windows\System32\ITUPPHo.exe
  2⤵
  PID:12724
- C:\Windows\System32\eFQPipy.exe
  C:\Windows\System32\eFQPipy.exe
  2⤵
  PID:12740
- C:\Windows\System32\YPCurHh.exe
  C:\Windows\System32\YPCurHh.exe
  2⤵
  PID:12772
- C:\Windows\System32\DsGkFZb.exe
  C:\Windows\System32\DsGkFZb.exe
  2⤵
  PID:12788
- C:\Windows\System32\KlLkrxi.exe
  C:\Windows\System32\KlLkrxi.exe
  2⤵
  PID:12808
- C:\Windows\System32\vxqdBdw.exe
  C:\Windows\System32\vxqdBdw.exe
  2⤵
  PID:12832
- C:\Windows\System32\oPDoUdq.exe
  C:\Windows\System32\oPDoUdq.exe
  2⤵
  PID:12896
- C:\Windows\System32\VMOUzkz.exe
  C:\Windows\System32\VMOUzkz.exe
  2⤵
  PID:12916
- C:\Windows\System32\AfdBKiq.exe
  C:\Windows\System32\AfdBKiq.exe
  2⤵
  PID:12932
- C:\Windows\System32\OquYRAp.exe
  C:\Windows\System32\OquYRAp.exe
  2⤵
  PID:12960
- C:\Windows\System32\YDzhnHP.exe
  C:\Windows\System32\YDzhnHP.exe
  2⤵
  PID:13000
- C:\Windows\System32\AkQadig.exe
  C:\Windows\System32\AkQadig.exe
  2⤵
  PID:13020
- C:\Windows\System32\JEqUtxq.exe
  C:\Windows\System32\JEqUtxq.exe
  2⤵
  PID:13044
- C:\Windows\System32\GnwQJrj.exe
  C:\Windows\System32\GnwQJrj.exe
  2⤵
  PID:13064
- C:\Windows\System32\iLXVgDy.exe
  C:\Windows\System32\iLXVgDy.exe
  2⤵
  PID:13104
- C:\Windows\System32\oBnmYYh.exe
  C:\Windows\System32\oBnmYYh.exe
  2⤵
  PID:13140
- C:\Windows\System32\pWZViRE.exe
  C:\Windows\System32\pWZViRE.exe
  2⤵
  PID:13164
- C:\Windows\System32\LyvhKoL.exe
  C:\Windows\System32\LyvhKoL.exe
  2⤵
  PID:13180
- C:\Windows\System32\LdJQPIS.exe
  C:\Windows\System32\LdJQPIS.exe
  2⤵
  PID:13216
- C:\Windows\System32\wrHLfpP.exe
  C:\Windows\System32\wrHLfpP.exe
  2⤵
  PID:13244
- C:\Windows\System32\xMnhUYr.exe
  C:\Windows\System32\xMnhUYr.exe
  2⤵
  PID:13260
- C:\Windows\System32\etNUkLf.exe
  C:\Windows\System32\etNUkLf.exe
  2⤵
  PID:13284
- C:\Windows\System32\uzwhAdc.exe
  C:\Windows\System32\uzwhAdc.exe
  2⤵
  PID:11748

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BnpEefr.exe

Filesize
1.2MB

MD5
bf53409d48f8a08941dd4fd1c762a50b

SHA1
30ba584a49f043edd214746c2cd4885c05399232

SHA256
f7e807e094e1577db3ecdb9b7fe2b5f11210d021b09991604eed6b1e5160932b

SHA512
a58706504af363b8e6c5631f12d920392d8a4b9b3b64c15b69fec4a8a3060295c4af25297d81689a67b0cfe6e5062b32e4533961421d4a61e65321a5d86bd331

Download Submit
C:\Windows\System32\CfUoIae.exe

Filesize
1.2MB

MD5
b16ed9d37738989aeedcd78b2d0c0d2b

SHA1
5920bdcd32bad513f5109399bc222dd429a17c10

SHA256
8af94ff3fb1b54e87fb8e9a1bb0b63c047c48e6d16c408b1ed570da266ceefbd

SHA512
6b475bb6a19032dbc3f6f65940631b6dfff0633b0313b6cfb1f2035be0b04b9b9ed552eed5e339536ec0ae09e2f4c4da0574255a7a918f4f3da4389799b59b61

Download Submit
C:\Windows\System32\FkdWQsb.exe

Filesize
1.2MB

MD5
2ab524d75db6483eb6e72fa3d0771748

SHA1
0e32cf46df5805174daa474311f688c5f9119006

SHA256
5f7f9bbc6cd07cd933f48445f6ba00878fe39ff0b74eca46562c5d5d89df1cd6

SHA512
a2103fef96cf081f31a9956ba74d0a261fef91de13baf04698a04780395cbf745f6029f79bc6bf9804034d159fa69f77316db067e52b261ba6b8cf7b1ef6e3bf

Download Submit
C:\Windows\System32\ISVNbRn.exe

Filesize
1.2MB

MD5
8977acb65990dc50640af89ca12e6c2d

SHA1
4aa1407f74a07b8fbda7aedd076d021ee791cbf5

SHA256
72add5d187304abe8a75cc77e6c9dad5887bd9ad6b8d968d9cfc31a278d66d38

SHA512
9ecc82328f9e8fdfde645020d571546e97f1151f35d061e00938676e7c15fb61658ad2d350e350e5b980dc0b7212747fc1862f5e6cdfd515eded787783e2f476

Download Submit
C:\Windows\System32\KCnLQyz.exe

Filesize
1.2MB

MD5
2361ea0d6e25f4b9448abd4dc8b93afe

SHA1
f4a459dd4fd32a38addce8c1d5e624550fee46a9

SHA256
03eb1a79bebc0ba8c2f5a0f0ef31eadfe3bdbaf8db52971959d6b12174a4276b

SHA512
2117fbe3dfa9e0ae7c2a2f6242683712ac03258af1a771f4429da8be7683f035a2c5eb5b40208414b6841f8a0fea221aa28854beff69cb14b05cbcae96e4e784

Download Submit
C:\Windows\System32\LBrUALS.exe

Filesize
1.2MB

MD5
f2efa690233a7bcf8c5e5b4e2f9e3b25

SHA1
9193680341db6e129675bf40e6b54ffc37f7b232

SHA256
2726213ac3c8ac46c0233973e27014f18b09dabcd475840ec69ab0ea91d27de4

SHA512
141596e4e9625a09aeb1d61974972c8b2a65a8a5edfeff121b7d00b92efa7c7f15f307e23748d0038429567c7cd4b3e5ecb31269dd1f456506f401797046a16d

Download Submit
C:\Windows\System32\LqkYlNx.exe

Filesize
1.2MB

MD5
bbc203c052d0891f941b3ee547de8511

SHA1
3accbf6c51a76ab1d98423bb92ba247699041fe1

SHA256
099f6e4e64b6f84dfc16706ba666be161a88d0732f6144f1642a521c6762d1a9

SHA512
7e6f4c107bc1a62ae130e553fc8e097230a9b9a4fa50b728331c35cfe0431a7f38816d911fdd28ded61db6fdb080ecd318d580010049b3d7b806852c421be92a

Download Submit
C:\Windows\System32\MFRFJbJ.exe

Filesize
1.2MB

MD5
df552698d086aa06bc02b8d3a416f621

SHA1
4c64ab311b579b2e2da123474b6b308e4f8bd739

SHA256
ac4f06c3a90c00af80eada6b0928ae57b9cc68d6f57204b80df6079c9c260208

SHA512
47d39f96163138fe0c7b42615f26c07676a26430c5c8507c8a4215d1ffe0e75decdecae94afae572a79d29e7bf012cce4efbd6483ff63a39da4d500e4cfb3549

Download Submit
C:\Windows\System32\OsbgcLV.exe

Filesize
1.2MB

MD5
28ada471bfe0dc9c9f0a0b41762fe1f6

SHA1
ef0c2dd7bf1fb32f01d25fe9a145319d08290c57

SHA256
01fc76de15148f1af14c0f17b0f979a45cce2439dc47880148e10dad2bfe026d

SHA512
697a7937b737f720984933f2babb7262821413ef74e4053e7d9f2376775dc10aeada6ecd65d56e748c606464c31c6f35452594aeb17f26db0e2b4f8ee3d472e3

Download Submit
C:\Windows\System32\QbnGoyq.exe

Filesize
1.2MB

MD5
60aa240069a487d7daff5541d27a2724

SHA1
4d17774d88ff82366f2bb9489498a2e76de7a539

SHA256
96d4411b8ba50e295e34b91de62f5a7c0922c8cc6e49dea2ae5f0bcc30198a60

SHA512
c77db2df9b152b2675bd1aeb0460b1d0cdc14a0d33ac34355c24e893223608ea46a14d59a30b555e3e93a0ebf64f88cfba68e93f1a2090fba6f944fe93f7d5af

Download Submit
C:\Windows\System32\Qxsfqen.exe

Filesize
1.2MB

MD5
d5e36b045405459597126763f1dbcdac

SHA1
3c0b26bd0ac9bb5ed279c64c0cd4734d87244af3

SHA256
cf956cabaf3f7a60b184b8e37a6854e288259ea1559e8fc2141b27303b5753b4

SHA512
fbdadfcba6a5c53c442d031bed10291fa90249a368d4b9d2ad0817379c805c05a9da2b945ec90f634533765e2866903b42aff2b7d4e2f6f0e24bebd1f40ecce5

Download Submit
C:\Windows\System32\RTeSzKx.exe

Filesize
1.2MB

MD5
11121e4cdaa8788f099843903b7ab225

SHA1
72c559349b3648eb71060ab3362322b83cdb026a

SHA256
4763303daf6bea7e215d50c66741704ccc00862260294959d3b658b1e1e04253

SHA512
54096796ab5137565f4b4330f66ac1b05490d5e03966ba7b8c32b298a1249ec608a953d53cf2acd8106836eafabdf012f95879bdf5c3d47389b4f78f3852dc21

Download Submit
C:\Windows\System32\RsdCriw.exe

Filesize
1.2MB

MD5
138508212f80f9191067afc4d9c3bfef

SHA1
4a20ce97c5c241cea25e393589b54276eb8bb704

SHA256
8bd24b6a5e9f0b2f0589ffe6f303118ea0abae15214f607c8b23f0e958a2810a

SHA512
948c509c9972a88f23b0ede9833b0268fb0fdc170c52763bec480c2fe866d397054327d06ad7397307527b12b46d06722a72be164f550d2f8f125e42d721b8fa

Download Submit
C:\Windows\System32\TjnXppJ.exe

Filesize
1.2MB

MD5
b156b2acdc5179f1212b69f5e596caaf

SHA1
f88cb755bfaec48339ce09dcfeb0e335bde05186

SHA256
01b9baf2fff7a28b17af112d506602845f99dc27ae45df6e7409ce69e11b67d2

SHA512
edb2e599be471a27986bc572109b3d4eacbf77a96ca7d61fc9935b3243cd9e1400607c50c8d1a417bc43a67948fdfba11f7787beae7e3de58a74b03311408774

Download Submit
C:\Windows\System32\UbTtUPo.exe

Filesize
1.2MB

MD5
b4a74d1969a66667adbd4e162453c9b3

SHA1
118595b7c1b367dcf6ed41a3e53c0d83261b7491

SHA256
9ab9c0135e073ec8aed4a7ed2861132c58c5368ca2b491246e4dbc8d518ef74f

SHA512
1637d86462c4079810ad19d6768bf1d6a42e2a920bf9ea917f6bc68b0a3a5ea33f029ed1ba4ceadc19892a86d1d6069b672b90b9bbf4d421c28b5b4613bb662f

Download Submit
C:\Windows\System32\VlCAyFL.exe

Filesize
1.2MB

MD5
e0e90c3a8a1ab05e99950532ac7a54ee

SHA1
d16c39d23ee9f64a6081b202821f0961230a3e1f

SHA256
21d2e3ede63f25c0eeb8bc6960f0ece94ca1a1ee9c623e000f37baeb5425c0f9

SHA512
82efbdda429470b61255a5749f95711078662770d5cec66186757f1585399ecef8db06a543020f199698fc45e172074d13d0fdde2eca81eada15081ecd447a5e

Download Submit
C:\Windows\System32\WmcvtdD.exe

Filesize
1.2MB

MD5
84a935a75800dc2cf7a26e68f28ebd82

SHA1
be315640e28ad244fdd1cc5984e161af85f2f9fc

SHA256
7ec33d5799f195b78e55d476cb9b06a646652291690c0c1ec97adaec6c6a13a7

SHA512
403d25d7f160e0fb39b30ebf3ee725585d29ad07c97a8e3da237b48025ce311f2998a68346e06286a5188ebaef4f0719cacd5b33f3bbf5e5c81c844b7d99489f

Download Submit
C:\Windows\System32\XfoqRzw.exe

Filesize
1.2MB

MD5
7dae85f39929504e98b5e786e0b5b19a

SHA1
56efa4aa1fcf58c8cdc21eae1d4f9d0543f8ca6c

SHA256
719a53a0898857df6d924f8948a32c3f24d5da1bb142a5acf1f0cfeb807328ed

SHA512
2736cc23fe3332287b89a7553bf5bba6eaab1dd6909021e33aac693492fe68447b3472544565ca5622d55959a3a97c8548db210c2ad3ed1a39b71fce80e918fa

Download Submit
C:\Windows\System32\Xogcihu.exe

Filesize
1.2MB

MD5
7b9fd3b03ecc8bdc319a424e4e343bda

SHA1
eb766342ce5735163a22e480d28ce35da1378bed

SHA256
816ba70fbe471747a07bfdb603652f6d57d3d27cf07d180acbe0a902a10070b0

SHA512
acf9c3e4fd74601df2c1f783d986d0f02742406fd3cdb9e869120ef065c93fca603a88c65d866b23887a5d587abe6487b5d1bc986ad1269ff03bc88f3de77dd3

Download Submit
C:\Windows\System32\YRMSgbr.exe

Filesize
1.2MB

MD5
268840cf578259a508d11107de6652f8

SHA1
ba3f57bac337631af37f7fc1037a16dc9bb814be

SHA256
0a3156bad6fc061cffa6d50a5a3fd2bbdf5205dc69c826d6d7f6905fe5a2d7d0

SHA512
13907e950ab9c4ecb93ab7706c5ddf8af58a635a70e43bf71f7c8b95062b242b7307abec5f7e7efad1cc3cd9b0e9e4d6e7c6ab25a8f8a45b080c2771b471e11d

Download Submit
C:\Windows\System32\ZjZWCHe.exe

Filesize
1.2MB

MD5
74fb386dfde16238dd0c829c0e9c6bed

SHA1
946e11e0bf0deab76a86d454b4c41800a851411d

SHA256
94929b07d3562a170200c5597f56b58b7971996b64f294997dd1240d01aa73a5

SHA512
3561067b60fc95c512a1802650d325be9efb42625ce41f59f538e235b9bfc86b2d1970367b640140a65e6eacea4a07c4ef483fdfbd5fbe6277e14a926275ab09

Download Submit
C:\Windows\System32\ZqZbMlL.exe

Filesize
1.2MB

MD5
48d5a6aa8d0a2f68ac2c52c9203d29b8

SHA1
4980edadb8a8ab746bffeb8cc9a37faf4afe8d99

SHA256
060b1fb973e269289071945ad033e823b37a0d82fc87b5da1be2b9d111c49b70

SHA512
1de1aac8ef28250e24b324af3d46564a8c55eb65b106db5e688f4ad109757d0b797cb3aa8852020ef332cafb5d0b8e5b9e1d01d98727a1212e042cb7c8045602

Download Submit
C:\Windows\System32\aosRqjo.exe

Filesize
1.2MB

MD5
b7ff75a69bf9498d07fd43eb7926abfd

SHA1
633cca6d96e93828c3d64fe25762473869b2137e

SHA256
bd606a5bc0378141656aca2b943fc526464d92f09e75eb9ba1637b90b5f540ee

SHA512
5de96eac7872aef64b0b0b75aaa18997f06afed119aee18f35e495fc7d5c8493905bbf1e77b23e65eeb3fd39b9854cea1940caeafa37e96c41173abdac6cc8d2

Download Submit
C:\Windows\System32\iKRCbtC.exe

Filesize
1.2MB

MD5
e7e4781383a3c90f2b29c1726ae07c42

SHA1
3b408bbce3b03c6e1365f83954c590442c436508

SHA256
8bed42331160d7965a14f527588058a67dcf16dff1ace69695f85cf1d4f86765

SHA512
170bf631ff1ec265d121b65b1f6609e978ac16b4e5ceb6861995dfa6136aaa31614942159bd2b15c08c0259040604f5c4855fda9ffcc9af7dccb17e03ad8bc67

Download Submit
C:\Windows\System32\jMUxRIX.exe

Filesize
1.2MB

MD5
8c639e109f335b6e77e39f45802b8ce7

SHA1
fdbf6f1740dedd346fec934aeda60196713334df

SHA256
63250074949d1eeda9116603cabcf4ae1b88761e4cf8222a88cc67832c4984a3

SHA512
422d1f786c71dbbb7be25ce6e752403a889049217079b583e35caac5c4f149bf1650521869420338997be171e217af09162e3d13fb0c033e00fb545f55f4d963

Download Submit
C:\Windows\System32\oSdqxzL.exe

Filesize
1.2MB

MD5
f035df54d2366368474daa455b0c04dc

SHA1
654e773c2aee64aa3af0dcf6f859a861c9ec2cbf

SHA256
a8294d96b2efb97551c16e3903bf4e3f52a601197549d01a7586febc44b8e099

SHA512
c2513916744260c0b5058423f141bfa302b8e31a24be8a3b490b9e142cfca53926937a2d95f4c28da831e4644490c2e1bcf2977e427c41699930150ef87cda61

Download Submit
C:\Windows\System32\shVkMwt.exe

Filesize
1.2MB

MD5
8d3bdc61144f776f97128260aa8351e4

SHA1
b9d321009f8640e23c0efdc60d5d7a22b2cfa344

SHA256
ab1bd11d778fc58383fd5b8a5b7b7366d181b267aed4cd7bd919940a74233768

SHA512
bb2135aad6cd92a33e67e5a4ea5ebffe364ae0747960157730557ecaabc0527ee6e5f5dc20a6d629475bfa8db5ac6c10e65238204717ed3672841dfa863b5ca9

Download Submit
C:\Windows\System32\uILMCpD.exe

Filesize
1.2MB

MD5
d564d7044214a5104be7e4b447a4246e

SHA1
1c3b7ff3be6bcbe1694dd3f75bd0063ce0eb6ec4

SHA256
e3003182df65b827119105de22a8a52d93fb114646f39adbea5444def304bfb9

SHA512
ca5be4a6d94bd15b13be65d72fa3632f673c7a227b34f7858b03795f8fc2ac76a1821e02ac4e1dd9bb74410faa0bc0daaca53265f00e657752a9d570a536caf5

Download Submit
C:\Windows\System32\uyXpvYD.exe

Filesize
1.2MB

MD5
dd2841029adc69837e6ff7d27483cca9

SHA1
97ac42b3a6c7cb79c62ab45b08d656a55a5d69b1

SHA256
8b3a774f7a2f208c6e6cb4a0353a91b3bda57e61d7c257507c8ab7aca52e8d8a

SHA512
dfac3f13984ab8bf57f8d2a273ca0cc034157341f58bfaf3e7747ed5ed8fdbb38a491fd80d031f4926554d6a51c6bd42675863ed395b37a2275bd5e1fc1a7c9e

Download Submit
C:\Windows\System32\vvUcrkb.exe

Filesize
1.2MB

MD5
309f3f222c4b7936d911d1e41fb97fae

SHA1
0b2f430f09487b13efdf5f73deba227a8f9142d0

SHA256
383561f7a75a3bec8ea78af7f2362d648c8cee6cb75d5a5065ffa915d6ce6c56

SHA512
5ea507f7fff7e862e3acbb242b6ea856f35960cc9182668b43504121ea0a87cf5794a51f725704d2b61e2e5690cca6d42a879ad6b46bb50572e8c86e720e2577

Download Submit
C:\Windows\System32\xoIWhiT.exe

Filesize
1.2MB

MD5
74466128fc9744c50b747cced82d80b0

SHA1
c4cc45b186fed75b6e1cefca4c6383bc8777e1a9

SHA256
21f374e13ce5298d017095f5ef7aa37db2692575e1104c27eaa4fbf064084653

SHA512
dbdeb6569677d8143165279b67aafa64ed6da85e44bb5da9cee0822a3e195363e3691b285b27d490dc6abd5fa64b9d45fe59a214bc7870e4bdd96318315e6660

Download Submit
C:\Windows\System32\znFoStT.exe

Filesize
1.2MB

MD5
cfeb253062efaa8e6a3b7859845b98e2

SHA1
3a91d6ce4b79b7a0c790a721017bcfd27525d5e0

SHA256
27c15b9bb21482d97afa98602732f6d9dace842d52ea4215d365507c10ee5d49

SHA512
786a214528fb134a2a3030c6a26a942bca9384a334fabd37635496097d4d0edd02c0604ad1c5e609c069fd2c2cd0cf1d5c3abe9ab72617d9ba71d50e27ac07f7

Download Submit
memory/8-348-0x00007FF7768A0000-0x00007FF776C91000-memory.dmp

Filesize
3.9MB

Download
memory/8-2082-0x00007FF7768A0000-0x00007FF776C91000-memory.dmp

Filesize
3.9MB

Download
memory/804-2079-0x00007FF70B5B0000-0x00007FF70B9A1000-memory.dmp

Filesize
3.9MB

Download
memory/804-353-0x00007FF70B5B0000-0x00007FF70B9A1000-memory.dmp

Filesize
3.9MB

Download
memory/976-2058-0x00007FF662470000-0x00007FF662861000-memory.dmp

Filesize
3.9MB

Download
memory/976-1986-0x00007FF662470000-0x00007FF662861000-memory.dmp

Filesize
3.9MB

Download
memory/976-44-0x00007FF662470000-0x00007FF662861000-memory.dmp

Filesize
3.9MB

Download
memory/1160-2064-0x00007FF616890000-0x00007FF616C81000-memory.dmp

Filesize
3.9MB

Download
memory/1160-59-0x00007FF616890000-0x00007FF616C81000-memory.dmp

Filesize
3.9MB

Download
memory/1320-2060-0x00007FF738270000-0x00007FF738661000-memory.dmp

Filesize
3.9MB

Download
memory/1320-42-0x00007FF738270000-0x00007FF738661000-memory.dmp

Filesize
3.9MB

Download
memory/1320-1985-0x00007FF738270000-0x00007FF738661000-memory.dmp

Filesize
3.9MB

Download
memory/1588-46-0x00007FF6EA7D0000-0x00007FF6EABC1000-memory.dmp

Filesize
3.9MB

Download
memory/1588-2062-0x00007FF6EA7D0000-0x00007FF6EABC1000-memory.dmp

Filesize
3.9MB

Download
memory/1588-1987-0x00007FF6EA7D0000-0x00007FF6EABC1000-memory.dmp

Filesize
3.9MB

Download
memory/1840-330-0x00007FF75FD80000-0x00007FF760171000-memory.dmp

Filesize
3.9MB

Download
memory/1840-2070-0x00007FF75FD80000-0x00007FF760171000-memory.dmp

Filesize
3.9MB

Download
memory/2012-2052-0x00007FF6048B0000-0x00007FF604CA1000-memory.dmp

Filesize
3.9MB

Download
memory/2012-1977-0x00007FF6048B0000-0x00007FF604CA1000-memory.dmp

Filesize
3.9MB

Download
memory/2012-25-0x00007FF6048B0000-0x00007FF604CA1000-memory.dmp

Filesize
3.9MB

Download
memory/2064-2004-0x00007FF732FD0000-0x00007FF7333C1000-memory.dmp

Filesize
3.9MB

Download
memory/2064-60-0x00007FF732FD0000-0x00007FF7333C1000-memory.dmp

Filesize
3.9MB

Download
memory/2064-2068-0x00007FF732FD0000-0x00007FF7333C1000-memory.dmp

Filesize
3.9MB

Download
memory/2148-2054-0x00007FF6E3A30000-0x00007FF6E3E21000-memory.dmp

Filesize
3.9MB

Download
memory/2148-38-0x00007FF6E3A30000-0x00007FF6E3E21000-memory.dmp

Filesize
3.9MB

Download
memory/2464-11-0x00007FF7A3470000-0x00007FF7A3861000-memory.dmp

Filesize
3.9MB

Download
memory/2464-2050-0x00007FF7A3470000-0x00007FF7A3861000-memory.dmp

Filesize
3.9MB

Download
memory/3008-0-0x00007FF77C660000-0x00007FF77CA51000-memory.dmp

Filesize
3.9MB

Download
memory/3008-2007-0x00007FF77C660000-0x00007FF77CA51000-memory.dmp

Filesize
3.9MB

Download
memory/3008-1-0x0000024BE3C40000-0x0000024BE3C50000-memory.dmp

Filesize
64KB

Download
memory/3060-2048-0x00007FF7EFC80000-0x00007FF7F0071000-memory.dmp

Filesize
3.9MB

Download
memory/3060-1951-0x00007FF7EFC80000-0x00007FF7F0071000-memory.dmp

Filesize
3.9MB

Download
memory/3060-16-0x00007FF7EFC80000-0x00007FF7F0071000-memory.dmp

Filesize
3.9MB

Download
memory/3080-371-0x00007FF700D10000-0x00007FF701101000-memory.dmp

Filesize
3.9MB

Download
memory/3080-2104-0x00007FF700D10000-0x00007FF701101000-memory.dmp

Filesize
3.9MB

Download
memory/3184-373-0x00007FF61FC00000-0x00007FF61FFF1000-memory.dmp

Filesize
3.9MB

Download
memory/3184-2101-0x00007FF61FC00000-0x00007FF61FFF1000-memory.dmp

Filesize
3.9MB

Download
memory/3232-342-0x00007FF671800000-0x00007FF671BF1000-memory.dmp

Filesize
3.9MB

Download
memory/3232-2072-0x00007FF671800000-0x00007FF671BF1000-memory.dmp

Filesize
3.9MB

Download
memory/3596-363-0x00007FF7920F0000-0x00007FF7924E1000-memory.dmp

Filesize
3.9MB

Download
memory/3596-2086-0x00007FF7920F0000-0x00007FF7924E1000-memory.dmp

Filesize
3.9MB

Download
memory/3968-354-0x00007FF71B0F0000-0x00007FF71B4E1000-memory.dmp

Filesize
3.9MB

Download
memory/3968-2084-0x00007FF71B0F0000-0x00007FF71B4E1000-memory.dmp

Filesize
3.9MB

Download
memory/4064-2080-0x00007FF7D95A0000-0x00007FF7D9991000-memory.dmp

Filesize
3.9MB

Download
memory/4064-345-0x00007FF7D95A0000-0x00007FF7D9991000-memory.dmp

Filesize
3.9MB

Download
memory/4236-32-0x00007FF72E330000-0x00007FF72E721000-memory.dmp

Filesize
3.9MB

Download
memory/4236-2056-0x00007FF72E330000-0x00007FF72E721000-memory.dmp

Filesize
3.9MB

Download
memory/4400-2090-0x00007FF6DAB20000-0x00007FF6DAF11000-memory.dmp

Filesize
3.9MB

Download
memory/4400-369-0x00007FF6DAB20000-0x00007FF6DAF11000-memory.dmp

Filesize
3.9MB

Download
memory/4472-2088-0x00007FF706D30000-0x00007FF707121000-memory.dmp

Filesize
3.9MB

Download
memory/4472-367-0x00007FF706D30000-0x00007FF707121000-memory.dmp

Filesize
3.9MB

Download
memory/4536-331-0x00007FF7008D0000-0x00007FF700CC1000-memory.dmp

Filesize
3.9MB

Download
memory/4536-2074-0x00007FF7008D0000-0x00007FF700CC1000-memory.dmp

Filesize
3.9MB

Download
memory/4632-334-0x00007FF66B6D0000-0x00007FF66BAC1000-memory.dmp

Filesize
3.9MB

Download
memory/4632-2076-0x00007FF66B6D0000-0x00007FF66BAC1000-memory.dmp

Filesize
3.9MB

Download
memory/5080-2066-0x00007FF6376F0000-0x00007FF637AE1000-memory.dmp

Filesize
3.9MB

Download
memory/5080-324-0x00007FF6376F0000-0x00007FF637AE1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads