xmrig | b84bd9b99208037f7614f8018cf491e09dd7b2c54aa82548f1f1bb2ac54bd1de

Analysis

max time kernel
113s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 01:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
Size

1.1MB
MD5

0f6370118a08adf9c6877c45bff79ea4
SHA1

137bc589445b7a76d5ddc1d6232dfcdb9251939a
SHA256

b84bd9b99208037f7614f8018cf491e09dd7b2c54aa82548f1f1bb2ac54bd1de
SHA512

997983cac03e4843113a48febf5af2c6362e714c3623df2af26285a8af8b561da139ee7781ea6acd9ada8a449e966ccc8e74c8a51217c79df6c2c6b8bbf6a2d5
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmC3f/DFNkTQOb:knw9oUUEEDl37jcmWH/xs

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/376-324-0x00007FF7C04A0000-0x00007FF7C0891000-memory.dmp	xmrig
behavioral2/memory/3032-334-0x00007FF72FC10000-0x00007FF730001000-memory.dmp	xmrig
behavioral2/memory/3588-336-0x00007FF666700000-0x00007FF666AF1000-memory.dmp	xmrig
behavioral2/memory/3284-329-0x00007FF7B5590000-0x00007FF7B5981000-memory.dmp	xmrig
behavioral2/memory/3208-343-0x00007FF720EE0000-0x00007FF7212D1000-memory.dmp	xmrig
behavioral2/memory/2004-348-0x00007FF62C670000-0x00007FF62CA61000-memory.dmp	xmrig
behavioral2/memory/3252-350-0x00007FF667DB0000-0x00007FF6681A1000-memory.dmp	xmrig
behavioral2/memory/2552-359-0x00007FF6468B0000-0x00007FF646CA1000-memory.dmp	xmrig
behavioral2/memory/2468-358-0x00007FF6247F0000-0x00007FF624BE1000-memory.dmp	xmrig
behavioral2/memory/2272-366-0x00007FF7575B0000-0x00007FF7579A1000-memory.dmp	xmrig
behavioral2/memory/3168-362-0x00007FF6FB960000-0x00007FF6FBD51000-memory.dmp	xmrig
behavioral2/memory/4756-375-0x00007FF702780000-0x00007FF702B71000-memory.dmp	xmrig
behavioral2/memory/3128-374-0x00007FF681520000-0x00007FF681911000-memory.dmp	xmrig
behavioral2/memory/4528-371-0x00007FF6DC850000-0x00007FF6DCC41000-memory.dmp	xmrig
behavioral2/memory/4732-379-0x00007FF67E650000-0x00007FF67EA41000-memory.dmp	xmrig
behavioral2/memory/444-394-0x00007FF7F26C0000-0x00007FF7F2AB1000-memory.dmp	xmrig
behavioral2/memory/4496-402-0x00007FF7C70B0000-0x00007FF7C74A1000-memory.dmp	xmrig
behavioral2/memory/2884-404-0x00007FF6E6230000-0x00007FF6E6621000-memory.dmp	xmrig
behavioral2/memory/4308-408-0x00007FF6F38D0000-0x00007FF6F3CC1000-memory.dmp	xmrig
behavioral2/memory/4356-412-0x00007FF766940000-0x00007FF766D31000-memory.dmp	xmrig
behavioral2/memory/4260-411-0x00007FF76A760000-0x00007FF76AB51000-memory.dmp	xmrig
behavioral2/memory/2404-409-0x00007FF6BEFB0000-0x00007FF6BF3A1000-memory.dmp	xmrig
behavioral2/memory/424-1981-0x00007FF77CFA0000-0x00007FF77D391000-memory.dmp	xmrig
behavioral2/memory/1636-1983-0x00007FF6B17C0000-0x00007FF6B1BB1000-memory.dmp	xmrig
behavioral2/memory/1080-1984-0x00007FF793390000-0x00007FF793781000-memory.dmp	xmrig
behavioral2/memory/1636-2028-0x00007FF6B17C0000-0x00007FF6B1BB1000-memory.dmp	xmrig
behavioral2/memory/376-2030-0x00007FF7C04A0000-0x00007FF7C0891000-memory.dmp	xmrig
behavioral2/memory/1080-2036-0x00007FF793390000-0x00007FF793781000-memory.dmp	xmrig
behavioral2/memory/3032-2034-0x00007FF72FC10000-0x00007FF730001000-memory.dmp	xmrig
behavioral2/memory/3284-2032-0x00007FF7B5590000-0x00007FF7B5981000-memory.dmp	xmrig
behavioral2/memory/3588-2040-0x00007FF666700000-0x00007FF666AF1000-memory.dmp	xmrig
behavioral2/memory/4356-2038-0x00007FF766940000-0x00007FF766D31000-memory.dmp	xmrig
behavioral2/memory/3252-2050-0x00007FF667DB0000-0x00007FF6681A1000-memory.dmp	xmrig
behavioral2/memory/4260-2073-0x00007FF76A760000-0x00007FF76AB51000-memory.dmp	xmrig
behavioral2/memory/2404-2075-0x00007FF6BEFB0000-0x00007FF6BF3A1000-memory.dmp	xmrig
behavioral2/memory/2884-2068-0x00007FF6E6230000-0x00007FF6E6621000-memory.dmp	xmrig
behavioral2/memory/4308-2071-0x00007FF6F38D0000-0x00007FF6F3CC1000-memory.dmp	xmrig
behavioral2/memory/4496-2064-0x00007FF7C70B0000-0x00007FF7C74A1000-memory.dmp	xmrig
behavioral2/memory/3168-2058-0x00007FF6FB960000-0x00007FF6FBD51000-memory.dmp	xmrig
behavioral2/memory/3128-2056-0x00007FF681520000-0x00007FF681911000-memory.dmp	xmrig
behavioral2/memory/4756-2052-0x00007FF702780000-0x00007FF702B71000-memory.dmp	xmrig
behavioral2/memory/2004-2066-0x00007FF62C670000-0x00007FF62CA61000-memory.dmp	xmrig
behavioral2/memory/2272-2062-0x00007FF7575B0000-0x00007FF7579A1000-memory.dmp	xmrig
behavioral2/memory/2552-2060-0x00007FF6468B0000-0x00007FF646CA1000-memory.dmp	xmrig
behavioral2/memory/4528-2054-0x00007FF6DC850000-0x00007FF6DCC41000-memory.dmp	xmrig
behavioral2/memory/4732-2046-0x00007FF67E650000-0x00007FF67EA41000-memory.dmp	xmrig
behavioral2/memory/444-2044-0x00007FF7F26C0000-0x00007FF7F2AB1000-memory.dmp	xmrig
behavioral2/memory/3208-2042-0x00007FF720EE0000-0x00007FF7212D1000-memory.dmp	xmrig
behavioral2/memory/2468-2048-0x00007FF6247F0000-0x00007FF624BE1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1636	MBnhsRe.exe
376	RrMreHc.exe
3284	pSgEpwd.exe
1080	lFmuzgf.exe
3032	bzbDHvp.exe
4356	VbZDhgu.exe
3588	rTKkZUu.exe
3208	apAXLOt.exe
2004	jmBSJNe.exe
3252	VFaBpVZ.exe
2468	eOSVMiY.exe
2552	IRwyhog.exe
3168	oZPSIyq.exe
2272	MteAllX.exe
4528	WHULIal.exe
3128	EnJTtyg.exe
4756	yKKTwEp.exe
4732	goRdyEn.exe
444	Fioraki.exe
4496	QXExAyQ.exe
2884	QdYOthZ.exe
4308	WeCKcKK.exe
2404	fIIztww.exe
4260	NINDcXv.exe
1900	oHfVIqh.exe
3340	QTfpaDt.exe
4808	zBQPKfg.exe
2412	WphKrpV.exe
2704	yhhplBc.exe
220	UuxVgwG.exe
628	HltDFTf.exe
3628	QkobPwk.exe
4196	uEQdNCs.exe
4008	SMODVNn.exe
2720	mcJwwvy.exe
368	oDruhls.exe
4884	NLYUXJq.exe
4380	FMGYAXx.exe
1944	bTkWjFd.exe
3344	hCEYEqd.exe
400	uNcCayP.exe
3916	LGDDUeb.exe
3308	yfWqtHZ.exe
4220	BdGexxZ.exe
4044	GOwQipk.exe
4340	hlaBfzo.exe
4348	IAizOml.exe
1352	DsVwVIM.exe
5016	gencywb.exe
3708	XwvkZOC.exe
880	VEqemcI.exe
4176	rfyhUvb.exe
1660	FHHhKLp.exe
1204	xMQnZYn.exe
1828	xuOhEhy.exe
1500	iDtjtrj.exe
4204	LVuDQoK.exe
2308	YFlDuql.exe
512	STqVXOF.exe
4760	TtZclvr.exe
4692	FdOBUse.exe
4904	sgAhmCG.exe
3560	VQoDtZk.exe
4864	XriWpNu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/424-0-0x00007FF77CFA0000-0x00007FF77D391000-memory.dmp	upx
behavioral2/files/0x000b000000023bbe-5.dat	upx
behavioral2/files/0x000a000000023bc0-9.dat	upx
behavioral2/files/0x000a000000023bbf-7.dat	upx
behavioral2/memory/1636-15-0x00007FF6B17C0000-0x00007FF6B1BB1000-memory.dmp	upx
behavioral2/files/0x000a000000023bc1-18.dat	upx
behavioral2/files/0x000a000000023bc2-26.dat	upx
behavioral2/files/0x000a000000023bc3-33.dat	upx
behavioral2/files/0x000a000000023bc4-38.dat	upx
behavioral2/files/0x000a000000023bc8-56.dat	upx
behavioral2/files/0x000a000000023bc9-63.dat	upx
behavioral2/files/0x000a000000023bca-68.dat	upx
behavioral2/files/0x000a000000023bcc-76.dat	upx
behavioral2/files/0x000a000000023bcd-83.dat	upx
behavioral2/files/0x000a000000023bd1-103.dat	upx
behavioral2/files/0x000a000000023bd3-113.dat	upx
behavioral2/files/0x000a000000023bd5-123.dat	upx
behavioral2/files/0x000a000000023bd8-136.dat	upx
behavioral2/files/0x000a000000023bdd-163.dat	upx
behavioral2/memory/376-324-0x00007FF7C04A0000-0x00007FF7C0891000-memory.dmp	upx
behavioral2/files/0x000a000000023bdc-158.dat	upx
behavioral2/memory/3032-334-0x00007FF72FC10000-0x00007FF730001000-memory.dmp	upx
behavioral2/memory/3588-336-0x00007FF666700000-0x00007FF666AF1000-memory.dmp	upx
behavioral2/memory/3284-329-0x00007FF7B5590000-0x00007FF7B5981000-memory.dmp	upx
behavioral2/files/0x000a000000023bdb-153.dat	upx
behavioral2/memory/3208-343-0x00007FF720EE0000-0x00007FF7212D1000-memory.dmp	upx
behavioral2/memory/2004-348-0x00007FF62C670000-0x00007FF62CA61000-memory.dmp	upx
behavioral2/memory/3252-350-0x00007FF667DB0000-0x00007FF6681A1000-memory.dmp	upx
behavioral2/memory/2552-359-0x00007FF6468B0000-0x00007FF646CA1000-memory.dmp	upx
behavioral2/memory/2468-358-0x00007FF6247F0000-0x00007FF624BE1000-memory.dmp	upx
behavioral2/memory/2272-366-0x00007FF7575B0000-0x00007FF7579A1000-memory.dmp	upx
behavioral2/memory/3168-362-0x00007FF6FB960000-0x00007FF6FBD51000-memory.dmp	upx
behavioral2/files/0x000a000000023bda-148.dat	upx
behavioral2/files/0x000a000000023bd9-143.dat	upx
behavioral2/memory/4756-375-0x00007FF702780000-0x00007FF702B71000-memory.dmp	upx
behavioral2/memory/3128-374-0x00007FF681520000-0x00007FF681911000-memory.dmp	upx
behavioral2/memory/4528-371-0x00007FF6DC850000-0x00007FF6DCC41000-memory.dmp	upx
behavioral2/files/0x000a000000023bd7-133.dat	upx
behavioral2/files/0x000a000000023bd6-128.dat	upx
behavioral2/files/0x000a000000023bd4-118.dat	upx
behavioral2/files/0x000a000000023bd2-108.dat	upx
behavioral2/files/0x000a000000023bd0-98.dat	upx
behavioral2/memory/4732-379-0x00007FF67E650000-0x00007FF67EA41000-memory.dmp	upx
behavioral2/files/0x000a000000023bcf-93.dat	upx
behavioral2/memory/444-394-0x00007FF7F26C0000-0x00007FF7F2AB1000-memory.dmp	upx
behavioral2/memory/4496-402-0x00007FF7C70B0000-0x00007FF7C74A1000-memory.dmp	upx
behavioral2/memory/2884-404-0x00007FF6E6230000-0x00007FF6E6621000-memory.dmp	upx
behavioral2/memory/4308-408-0x00007FF6F38D0000-0x00007FF6F3CC1000-memory.dmp	upx
behavioral2/memory/4356-412-0x00007FF766940000-0x00007FF766D31000-memory.dmp	upx
behavioral2/memory/4260-411-0x00007FF76A760000-0x00007FF76AB51000-memory.dmp	upx
behavioral2/memory/2404-409-0x00007FF6BEFB0000-0x00007FF6BF3A1000-memory.dmp	upx
behavioral2/files/0x000a000000023bce-88.dat	upx
behavioral2/files/0x000a000000023bcb-73.dat	upx
behavioral2/files/0x000a000000023bc7-53.dat	upx
behavioral2/files/0x000a000000023bc6-48.dat	upx
behavioral2/files/0x000a000000023bc5-43.dat	upx
behavioral2/memory/1080-24-0x00007FF793390000-0x00007FF793781000-memory.dmp	upx
behavioral2/memory/424-1981-0x00007FF77CFA0000-0x00007FF77D391000-memory.dmp	upx
behavioral2/memory/1636-1983-0x00007FF6B17C0000-0x00007FF6B1BB1000-memory.dmp	upx
behavioral2/memory/1080-1984-0x00007FF793390000-0x00007FF793781000-memory.dmp	upx
behavioral2/memory/1636-2028-0x00007FF6B17C0000-0x00007FF6B1BB1000-memory.dmp	upx
behavioral2/memory/376-2030-0x00007FF7C04A0000-0x00007FF7C0891000-memory.dmp	upx
behavioral2/memory/1080-2036-0x00007FF793390000-0x00007FF793781000-memory.dmp	upx
behavioral2/memory/3032-2034-0x00007FF72FC10000-0x00007FF730001000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\Fioraki.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\sgAhmCG.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\FJChlhl.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\VwlWrIV.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\huBHrFW.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\WVKaDPN.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\zeoGxKB.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\HEdLaIj.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\JfjEjEa.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\yhYTOkK.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\mqaAfHl.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\LHlTboE.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\GOwQipk.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\TPzAzWD.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\pSbgjUz.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\buunnNt.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\HljmvZZ.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\oEkDDoS.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\DvbIhsf.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\PCXcnLO.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\FHqYBrP.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\cUsdxWK.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\bRhbGWm.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\qpDiwzW.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\bQbxivY.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\quHbPRt.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\QTfpaDt.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\xMtSvFq.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\ABInkTl.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\rkrvRwV.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\jxBhVwi.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\TjDbzkT.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\NOHMvzn.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\TmmXhas.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\TeZzbhs.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\goRdyEn.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\hLIsyLn.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\gIrEZmE.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\YCRfGsz.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\aPoiKEG.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\iKyuezb.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\YglYrJF.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\OKWFpRJ.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\vUrErZI.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\kJOhoxO.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\uEQdNCs.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\OTgpVgW.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\shWcQDA.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\QttOzHk.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\IBCCiHA.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\vkFROSy.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\vmaveaD.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\vpRTvvA.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\GrHVKHg.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\ivRSsIC.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\MWtOJTO.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\WwSpoyZ.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\wckQKBZ.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\JEAJlWu.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\grZiTfs.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\hosCKdC.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\ygfcbUv.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\dDhFmXy.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
File created	C:\Windows\System32\MqXPBhC.exe	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12204	dwm.exe
Token: SeChangeNotifyPrivilege	12204	dwm.exe
Token: 33	12204	dwm.exe
Token: SeIncBasePriorityPrivilege	12204	dwm.exe
Token: SeShutdownPrivilege	12204	dwm.exe
Token: SeCreatePagefilePrivilege	12204	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 1636	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	86
PID 424 wrote to memory of 1636	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	86
PID 424 wrote to memory of 376	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	87
PID 424 wrote to memory of 376	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	87
PID 424 wrote to memory of 3284	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	88
PID 424 wrote to memory of 3284	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	88
PID 424 wrote to memory of 1080	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	89
PID 424 wrote to memory of 1080	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	89
PID 424 wrote to memory of 3032	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	90
PID 424 wrote to memory of 3032	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	90
PID 424 wrote to memory of 4356	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	91
PID 424 wrote to memory of 4356	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	91
PID 424 wrote to memory of 3588	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	92
PID 424 wrote to memory of 3588	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	92
PID 424 wrote to memory of 3208	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	93
PID 424 wrote to memory of 3208	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	93
PID 424 wrote to memory of 2004	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	94
PID 424 wrote to memory of 2004	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	94
PID 424 wrote to memory of 3252	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	95
PID 424 wrote to memory of 3252	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	95
PID 424 wrote to memory of 2468	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	96
PID 424 wrote to memory of 2468	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	96
PID 424 wrote to memory of 2552	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	97
PID 424 wrote to memory of 2552	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	97
PID 424 wrote to memory of 3168	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	98
PID 424 wrote to memory of 3168	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	98
PID 424 wrote to memory of 2272	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	99
PID 424 wrote to memory of 2272	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	99
PID 424 wrote to memory of 4528	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	100
PID 424 wrote to memory of 4528	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	100
PID 424 wrote to memory of 3128	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	101
PID 424 wrote to memory of 3128	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	101
PID 424 wrote to memory of 4756	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	102
PID 424 wrote to memory of 4756	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	102
PID 424 wrote to memory of 4732	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	103
PID 424 wrote to memory of 4732	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	103
PID 424 wrote to memory of 444	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	104
PID 424 wrote to memory of 444	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	104
PID 424 wrote to memory of 4496	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	105
PID 424 wrote to memory of 4496	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	105
PID 424 wrote to memory of 2884	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	106
PID 424 wrote to memory of 2884	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	106
PID 424 wrote to memory of 4308	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	107
PID 424 wrote to memory of 4308	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	107
PID 424 wrote to memory of 2404	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	108
PID 424 wrote to memory of 2404	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	108
PID 424 wrote to memory of 4260	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	109
PID 424 wrote to memory of 4260	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	109
PID 424 wrote to memory of 1900	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	110
PID 424 wrote to memory of 1900	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	110
PID 424 wrote to memory of 3340	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	111
PID 424 wrote to memory of 3340	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	111
PID 424 wrote to memory of 4808	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	112
PID 424 wrote to memory of 4808	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	112
PID 424 wrote to memory of 2412	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	113
PID 424 wrote to memory of 2412	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	113
PID 424 wrote to memory of 2704	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	114
PID 424 wrote to memory of 2704	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	114
PID 424 wrote to memory of 220	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	115
PID 424 wrote to memory of 220	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	115
PID 424 wrote to memory of 628	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	116
PID 424 wrote to memory of 628	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	116
PID 424 wrote to memory of 3628	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	117
PID 424 wrote to memory of 3628	424	0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f6370118a08adf9c6877c45bff79ea4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:424
- C:\Windows\System32\MBnhsRe.exe
  C:\Windows\System32\MBnhsRe.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\RrMreHc.exe
  C:\Windows\System32\RrMreHc.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System32\pSgEpwd.exe
  C:\Windows\System32\pSgEpwd.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\lFmuzgf.exe
  C:\Windows\System32\lFmuzgf.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\bzbDHvp.exe
  C:\Windows\System32\bzbDHvp.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System32\VbZDhgu.exe
  C:\Windows\System32\VbZDhgu.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\rTKkZUu.exe
  C:\Windows\System32\rTKkZUu.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System32\apAXLOt.exe
  C:\Windows\System32\apAXLOt.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System32\jmBSJNe.exe
  C:\Windows\System32\jmBSJNe.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System32\VFaBpVZ.exe
  C:\Windows\System32\VFaBpVZ.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System32\eOSVMiY.exe
  C:\Windows\System32\eOSVMiY.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System32\IRwyhog.exe
  C:\Windows\System32\IRwyhog.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System32\oZPSIyq.exe
  C:\Windows\System32\oZPSIyq.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\MteAllX.exe
  C:\Windows\System32\MteAllX.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System32\WHULIal.exe
  C:\Windows\System32\WHULIal.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\EnJTtyg.exe
  C:\Windows\System32\EnJTtyg.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System32\yKKTwEp.exe
  C:\Windows\System32\yKKTwEp.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System32\goRdyEn.exe
  C:\Windows\System32\goRdyEn.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\Fioraki.exe
  C:\Windows\System32\Fioraki.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\System32\QXExAyQ.exe
  C:\Windows\System32\QXExAyQ.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\QdYOthZ.exe
  C:\Windows\System32\QdYOthZ.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System32\WeCKcKK.exe
  C:\Windows\System32\WeCKcKK.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\fIIztww.exe
  C:\Windows\System32\fIIztww.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\NINDcXv.exe
  C:\Windows\System32\NINDcXv.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System32\oHfVIqh.exe
  C:\Windows\System32\oHfVIqh.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System32\QTfpaDt.exe
  C:\Windows\System32\QTfpaDt.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\zBQPKfg.exe
  C:\Windows\System32\zBQPKfg.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\WphKrpV.exe
  C:\Windows\System32\WphKrpV.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System32\yhhplBc.exe
  C:\Windows\System32\yhhplBc.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System32\UuxVgwG.exe
  C:\Windows\System32\UuxVgwG.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System32\HltDFTf.exe
  C:\Windows\System32\HltDFTf.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System32\QkobPwk.exe
  C:\Windows\System32\QkobPwk.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System32\uEQdNCs.exe
  C:\Windows\System32\uEQdNCs.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System32\SMODVNn.exe
  C:\Windows\System32\SMODVNn.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System32\mcJwwvy.exe
  C:\Windows\System32\mcJwwvy.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System32\oDruhls.exe
  C:\Windows\System32\oDruhls.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System32\NLYUXJq.exe
  C:\Windows\System32\NLYUXJq.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\FMGYAXx.exe
  C:\Windows\System32\FMGYAXx.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\bTkWjFd.exe
  C:\Windows\System32\bTkWjFd.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\hCEYEqd.exe
  C:\Windows\System32\hCEYEqd.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System32\uNcCayP.exe
  C:\Windows\System32\uNcCayP.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\LGDDUeb.exe
  C:\Windows\System32\LGDDUeb.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System32\yfWqtHZ.exe
  C:\Windows\System32\yfWqtHZ.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System32\BdGexxZ.exe
  C:\Windows\System32\BdGexxZ.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\GOwQipk.exe
  C:\Windows\System32\GOwQipk.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\hlaBfzo.exe
  C:\Windows\System32\hlaBfzo.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\IAizOml.exe
  C:\Windows\System32\IAizOml.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\DsVwVIM.exe
  C:\Windows\System32\DsVwVIM.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System32\gencywb.exe
  C:\Windows\System32\gencywb.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\XwvkZOC.exe
  C:\Windows\System32\XwvkZOC.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\VEqemcI.exe
  C:\Windows\System32\VEqemcI.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System32\rfyhUvb.exe
  C:\Windows\System32\rfyhUvb.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System32\FHHhKLp.exe
  C:\Windows\System32\FHHhKLp.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System32\xMQnZYn.exe
  C:\Windows\System32\xMQnZYn.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System32\xuOhEhy.exe
  C:\Windows\System32\xuOhEhy.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System32\iDtjtrj.exe
  C:\Windows\System32\iDtjtrj.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System32\LVuDQoK.exe
  C:\Windows\System32\LVuDQoK.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System32\YFlDuql.exe
  C:\Windows\System32\YFlDuql.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System32\STqVXOF.exe
  C:\Windows\System32\STqVXOF.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System32\TtZclvr.exe
  C:\Windows\System32\TtZclvr.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System32\FdOBUse.exe
  C:\Windows\System32\FdOBUse.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\sgAhmCG.exe
  C:\Windows\System32\sgAhmCG.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\VQoDtZk.exe
  C:\Windows\System32\VQoDtZk.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\XriWpNu.exe
  C:\Windows\System32\XriWpNu.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\tqyuWGP.exe
  C:\Windows\System32\tqyuWGP.exe
  2⤵
  PID:1180
- C:\Windows\System32\PfNBdrQ.exe
  C:\Windows\System32\PfNBdrQ.exe
  2⤵
  PID:952
- C:\Windows\System32\ncYWcvx.exe
  C:\Windows\System32\ncYWcvx.exe
  2⤵
  PID:2036
- C:\Windows\System32\utOSnRI.exe
  C:\Windows\System32\utOSnRI.exe
  2⤵
  PID:4916
- C:\Windows\System32\qRGfTzu.exe
  C:\Windows\System32\qRGfTzu.exe
  2⤵
  PID:3796
- C:\Windows\System32\lVlNbgz.exe
  C:\Windows\System32\lVlNbgz.exe
  2⤵
  PID:4984
- C:\Windows\System32\mOkXhYp.exe
  C:\Windows\System32\mOkXhYp.exe
  2⤵
  PID:4612
- C:\Windows\System32\vvLSDIM.exe
  C:\Windows\System32\vvLSDIM.exe
  2⤵
  PID:5096
- C:\Windows\System32\WrhkyLH.exe
  C:\Windows\System32\WrhkyLH.exe
  2⤵
  PID:3324
- C:\Windows\System32\TGUjCwd.exe
  C:\Windows\System32\TGUjCwd.exe
  2⤵
  PID:3688
- C:\Windows\System32\FhgleTG.exe
  C:\Windows\System32\FhgleTG.exe
  2⤵
  PID:3316
- C:\Windows\System32\xTpVBqz.exe
  C:\Windows\System32\xTpVBqz.exe
  2⤵
  PID:2612
- C:\Windows\System32\EKKfOkw.exe
  C:\Windows\System32\EKKfOkw.exe
  2⤵
  PID:4364
- C:\Windows\System32\MKBumNY.exe
  C:\Windows\System32\MKBumNY.exe
  2⤵
  PID:3336
- C:\Windows\System32\lzsUmqK.exe
  C:\Windows\System32\lzsUmqK.exe
  2⤵
  PID:1064
- C:\Windows\System32\fEXzTMz.exe
  C:\Windows\System32\fEXzTMz.exe
  2⤵
  PID:3552
- C:\Windows\System32\EkAqXAR.exe
  C:\Windows\System32\EkAqXAR.exe
  2⤵
  PID:3600
- C:\Windows\System32\NbmXomG.exe
  C:\Windows\System32\NbmXomG.exe
  2⤵
  PID:212
- C:\Windows\System32\fBpCJjX.exe
  C:\Windows\System32\fBpCJjX.exe
  2⤵
  PID:3572
- C:\Windows\System32\oEkDDoS.exe
  C:\Windows\System32\oEkDDoS.exe
  2⤵
  PID:3228
- C:\Windows\System32\sQZHqyk.exe
  C:\Windows\System32\sQZHqyk.exe
  2⤵
  PID:4144
- C:\Windows\System32\fEBJUtT.exe
  C:\Windows\System32\fEBJUtT.exe
  2⤵
  PID:3968
- C:\Windows\System32\kgBEksP.exe
  C:\Windows\System32\kgBEksP.exe
  2⤵
  PID:436
- C:\Windows\System32\jZOKzvt.exe
  C:\Windows\System32\jZOKzvt.exe
  2⤵
  PID:5004
- C:\Windows\System32\ptSxTQl.exe
  C:\Windows\System32\ptSxTQl.exe
  2⤵
  PID:3612
- C:\Windows\System32\xMtSvFq.exe
  C:\Windows\System32\xMtSvFq.exe
  2⤵
  PID:3532
- C:\Windows\System32\dImrnDS.exe
  C:\Windows\System32\dImrnDS.exe
  2⤵
  PID:5036
- C:\Windows\System32\IBCCiHA.exe
  C:\Windows\System32\IBCCiHA.exe
  2⤵
  PID:4112
- C:\Windows\System32\zNUVacp.exe
  C:\Windows\System32\zNUVacp.exe
  2⤵
  PID:2016
- C:\Windows\System32\ygfcbUv.exe
  C:\Windows\System32\ygfcbUv.exe
  2⤵
  PID:3108
- C:\Windows\System32\DXPCFNz.exe
  C:\Windows\System32\DXPCFNz.exe
  2⤵
  PID:936
- C:\Windows\System32\dDhFmXy.exe
  C:\Windows\System32\dDhFmXy.exe
  2⤵
  PID:2460
- C:\Windows\System32\ogOjjPQ.exe
  C:\Windows\System32\ogOjjPQ.exe
  2⤵
  PID:5176
- C:\Windows\System32\qgXtbWv.exe
  C:\Windows\System32\qgXtbWv.exe
  2⤵
  PID:5208
- C:\Windows\System32\JCpKqgf.exe
  C:\Windows\System32\JCpKqgf.exe
  2⤵
  PID:5240
- C:\Windows\System32\pheRRrF.exe
  C:\Windows\System32\pheRRrF.exe
  2⤵
  PID:5264
- C:\Windows\System32\IblWjhG.exe
  C:\Windows\System32\IblWjhG.exe
  2⤵
  PID:5288
- C:\Windows\System32\QhpuMzK.exe
  C:\Windows\System32\QhpuMzK.exe
  2⤵
  PID:5304
- C:\Windows\System32\gDXTbXF.exe
  C:\Windows\System32\gDXTbXF.exe
  2⤵
  PID:5324
- C:\Windows\System32\XhOMyFg.exe
  C:\Windows\System32\XhOMyFg.exe
  2⤵
  PID:5344
- C:\Windows\System32\vHMGbiV.exe
  C:\Windows\System32\vHMGbiV.exe
  2⤵
  PID:5360
- C:\Windows\System32\ItrGeIC.exe
  C:\Windows\System32\ItrGeIC.exe
  2⤵
  PID:5432
- C:\Windows\System32\oguBUoB.exe
  C:\Windows\System32\oguBUoB.exe
  2⤵
  PID:5452
- C:\Windows\System32\ExVzZdq.exe
  C:\Windows\System32\ExVzZdq.exe
  2⤵
  PID:5504
- C:\Windows\System32\LbndjDr.exe
  C:\Windows\System32\LbndjDr.exe
  2⤵
  PID:5568
- C:\Windows\System32\TPzAzWD.exe
  C:\Windows\System32\TPzAzWD.exe
  2⤵
  PID:5612
- C:\Windows\System32\nYpQxJa.exe
  C:\Windows\System32\nYpQxJa.exe
  2⤵
  PID:5628
- C:\Windows\System32\GzlCfCG.exe
  C:\Windows\System32\GzlCfCG.exe
  2⤵
  PID:5660
- C:\Windows\System32\aPoiKEG.exe
  C:\Windows\System32\aPoiKEG.exe
  2⤵
  PID:5684
- C:\Windows\System32\VvkaZda.exe
  C:\Windows\System32\VvkaZda.exe
  2⤵
  PID:5716
- C:\Windows\System32\IXPhroi.exe
  C:\Windows\System32\IXPhroi.exe
  2⤵
  PID:5740
- C:\Windows\System32\APCLchl.exe
  C:\Windows\System32\APCLchl.exe
  2⤵
  PID:5772
- C:\Windows\System32\twylMHj.exe
  C:\Windows\System32\twylMHj.exe
  2⤵
  PID:5800
- C:\Windows\System32\iKyuezb.exe
  C:\Windows\System32\iKyuezb.exe
  2⤵
  PID:5824
- C:\Windows\System32\hLIsyLn.exe
  C:\Windows\System32\hLIsyLn.exe
  2⤵
  PID:5856
- C:\Windows\System32\FEaaerS.exe
  C:\Windows\System32\FEaaerS.exe
  2⤵
  PID:5880
- C:\Windows\System32\eUyRacR.exe
  C:\Windows\System32\eUyRacR.exe
  2⤵
  PID:5912
- C:\Windows\System32\dkRTTXE.exe
  C:\Windows\System32\dkRTTXE.exe
  2⤵
  PID:5936
- C:\Windows\System32\nUxkBJG.exe
  C:\Windows\System32\nUxkBJG.exe
  2⤵
  PID:5992
- C:\Windows\System32\HWaiIXv.exe
  C:\Windows\System32\HWaiIXv.exe
  2⤵
  PID:6020
- C:\Windows\System32\klxuDcl.exe
  C:\Windows\System32\klxuDcl.exe
  2⤵
  PID:6044
- C:\Windows\System32\UzLKRYE.exe
  C:\Windows\System32\UzLKRYE.exe
  2⤵
  PID:6076
- C:\Windows\System32\tlQAdns.exe
  C:\Windows\System32\tlQAdns.exe
  2⤵
  PID:6100
- C:\Windows\System32\mgISMjj.exe
  C:\Windows\System32\mgISMjj.exe
  2⤵
  PID:6132
- C:\Windows\System32\LRDDBXD.exe
  C:\Windows\System32\LRDDBXD.exe
  2⤵
  PID:4652
- C:\Windows\System32\wLfYmSN.exe
  C:\Windows\System32\wLfYmSN.exe
  2⤵
  PID:5460
- C:\Windows\System32\YasgktT.exe
  C:\Windows\System32\YasgktT.exe
  2⤵
  PID:5528
- C:\Windows\System32\FqoQdDc.exe
  C:\Windows\System32\FqoQdDc.exe
  2⤵
  PID:5576
- C:\Windows\System32\taxPkSY.exe
  C:\Windows\System32\taxPkSY.exe
  2⤵
  PID:5644
- C:\Windows\System32\MJzrsoo.exe
  C:\Windows\System32\MJzrsoo.exe
  2⤵
  PID:5680
- C:\Windows\System32\aLPCwMX.exe
  C:\Windows\System32\aLPCwMX.exe
  2⤵
  PID:5736
- C:\Windows\System32\WSmShgJ.exe
  C:\Windows\System32\WSmShgJ.exe
  2⤵
  PID:5788
- C:\Windows\System32\NHGVNdL.exe
  C:\Windows\System32\NHGVNdL.exe
  2⤵
  PID:5876
- C:\Windows\System32\cHNBIyD.exe
  C:\Windows\System32\cHNBIyD.exe
  2⤵
  PID:5984
- C:\Windows\System32\bUJaVTm.exe
  C:\Windows\System32\bUJaVTm.exe
  2⤵
  PID:6004
- C:\Windows\System32\aQMnAhC.exe
  C:\Windows\System32\aQMnAhC.exe
  2⤵
  PID:6040
- C:\Windows\System32\mDyehcA.exe
  C:\Windows\System32\mDyehcA.exe
  2⤵
  PID:6116
- C:\Windows\System32\okiCqBo.exe
  C:\Windows\System32\okiCqBo.exe
  2⤵
  PID:4684
- C:\Windows\System32\AvFxudb.exe
  C:\Windows\System32\AvFxudb.exe
  2⤵
  PID:3536
- C:\Windows\System32\ClGQFxo.exe
  C:\Windows\System32\ClGQFxo.exe
  2⤵
  PID:5164
- C:\Windows\System32\DTvTQso.exe
  C:\Windows\System32\DTvTQso.exe
  2⤵
  PID:5184
- C:\Windows\System32\bqCFCGP.exe
  C:\Windows\System32\bqCFCGP.exe
  2⤵
  PID:5316
- C:\Windows\System32\jxBhVwi.exe
  C:\Windows\System32\jxBhVwi.exe
  2⤵
  PID:5384
- C:\Windows\System32\BsKccXc.exe
  C:\Windows\System32\BsKccXc.exe
  2⤵
  PID:5404
- C:\Windows\System32\LTymwtS.exe
  C:\Windows\System32\LTymwtS.exe
  2⤵
  PID:5580
- C:\Windows\System32\MJyArEW.exe
  C:\Windows\System32\MJyArEW.exe
  2⤵
  PID:5692
- C:\Windows\System32\OTgpVgW.exe
  C:\Windows\System32\OTgpVgW.exe
  2⤵
  PID:5560
- C:\Windows\System32\sCgRWxJ.exe
  C:\Windows\System32\sCgRWxJ.exe
  2⤵
  PID:5816
- C:\Windows\System32\maWrRKJ.exe
  C:\Windows\System32\maWrRKJ.exe
  2⤵
  PID:6012
- C:\Windows\System32\gFeZQdI.exe
  C:\Windows\System32\gFeZQdI.exe
  2⤵
  PID:4316
- C:\Windows\System32\WjXRlFK.exe
  C:\Windows\System32\WjXRlFK.exe
  2⤵
  PID:5296
- C:\Windows\System32\TTxCQCe.exe
  C:\Windows\System32\TTxCQCe.exe
  2⤵
  PID:5368
- C:\Windows\System32\jBGHLiI.exe
  C:\Windows\System32\jBGHLiI.exe
  2⤵
  PID:5252
- C:\Windows\System32\ktEjCNn.exe
  C:\Windows\System32\ktEjCNn.exe
  2⤵
  PID:5552
- C:\Windows\System32\HvXLvTr.exe
  C:\Windows\System32\HvXLvTr.exe
  2⤵
  PID:6120
- C:\Windows\System32\DuBBOrd.exe
  C:\Windows\System32\DuBBOrd.exe
  2⤵
  PID:5312
- C:\Windows\System32\iuuHIgg.exe
  C:\Windows\System32\iuuHIgg.exe
  2⤵
  PID:6204
- C:\Windows\System32\cUsdxWK.exe
  C:\Windows\System32\cUsdxWK.exe
  2⤵
  PID:6220
- C:\Windows\System32\DtMQfWN.exe
  C:\Windows\System32\DtMQfWN.exe
  2⤵
  PID:6244
- C:\Windows\System32\MqXPBhC.exe
  C:\Windows\System32\MqXPBhC.exe
  2⤵
  PID:6272
- C:\Windows\System32\emxhkLM.exe
  C:\Windows\System32\emxhkLM.exe
  2⤵
  PID:6296
- C:\Windows\System32\lkuravT.exe
  C:\Windows\System32\lkuravT.exe
  2⤵
  PID:6328
- C:\Windows\System32\CZjLBFy.exe
  C:\Windows\System32\CZjLBFy.exe
  2⤵
  PID:6344
- C:\Windows\System32\nPdVOOe.exe
  C:\Windows\System32\nPdVOOe.exe
  2⤵
  PID:6360
- C:\Windows\System32\YfeIxDT.exe
  C:\Windows\System32\YfeIxDT.exe
  2⤵
  PID:6384
- C:\Windows\System32\YEGfFFK.exe
  C:\Windows\System32\YEGfFFK.exe
  2⤵
  PID:6408
- C:\Windows\System32\VJhMXyQ.exe
  C:\Windows\System32\VJhMXyQ.exe
  2⤵
  PID:6428
- C:\Windows\System32\rSBuHZO.exe
  C:\Windows\System32\rSBuHZO.exe
  2⤵
  PID:6492
- C:\Windows\System32\PsuVokL.exe
  C:\Windows\System32\PsuVokL.exe
  2⤵
  PID:6512
- C:\Windows\System32\mnYqWcQ.exe
  C:\Windows\System32\mnYqWcQ.exe
  2⤵
  PID:6532
- C:\Windows\System32\LKRwqob.exe
  C:\Windows\System32\LKRwqob.exe
  2⤵
  PID:6548
- C:\Windows\System32\TeZCZZJ.exe
  C:\Windows\System32\TeZCZZJ.exe
  2⤵
  PID:6580
- C:\Windows\System32\yiiHVQx.exe
  C:\Windows\System32\yiiHVQx.exe
  2⤵
  PID:6596
- C:\Windows\System32\BScJWyA.exe
  C:\Windows\System32\BScJWyA.exe
  2⤵
  PID:6660
- C:\Windows\System32\SKHdhfu.exe
  C:\Windows\System32\SKHdhfu.exe
  2⤵
  PID:6680
- C:\Windows\System32\pSbgjUz.exe
  C:\Windows\System32\pSbgjUz.exe
  2⤵
  PID:6700
- C:\Windows\System32\HlwbKVX.exe
  C:\Windows\System32\HlwbKVX.exe
  2⤵
  PID:6716
- C:\Windows\System32\bRhbGWm.exe
  C:\Windows\System32\bRhbGWm.exe
  2⤵
  PID:6732
- C:\Windows\System32\tLrizJX.exe
  C:\Windows\System32\tLrizJX.exe
  2⤵
  PID:6764
- C:\Windows\System32\fSbuPeb.exe
  C:\Windows\System32\fSbuPeb.exe
  2⤵
  PID:6780
- C:\Windows\System32\WejVIMb.exe
  C:\Windows\System32\WejVIMb.exe
  2⤵
  PID:6804
- C:\Windows\System32\jkgthGd.exe
  C:\Windows\System32\jkgthGd.exe
  2⤵
  PID:6844
- C:\Windows\System32\StwcMGR.exe
  C:\Windows\System32\StwcMGR.exe
  2⤵
  PID:6860
- C:\Windows\System32\VBSLBfk.exe
  C:\Windows\System32\VBSLBfk.exe
  2⤵
  PID:6880
- C:\Windows\System32\pBLoGCU.exe
  C:\Windows\System32\pBLoGCU.exe
  2⤵
  PID:6896
- C:\Windows\System32\wxhKajW.exe
  C:\Windows\System32\wxhKajW.exe
  2⤵
  PID:6920
- C:\Windows\System32\GkfhxqH.exe
  C:\Windows\System32\GkfhxqH.exe
  2⤵
  PID:6936
- C:\Windows\System32\shWcQDA.exe
  C:\Windows\System32\shWcQDA.exe
  2⤵
  PID:6952
- C:\Windows\System32\BOaPMXn.exe
  C:\Windows\System32\BOaPMXn.exe
  2⤵
  PID:7076
- C:\Windows\System32\szAAmvI.exe
  C:\Windows\System32\szAAmvI.exe
  2⤵
  PID:7148
- C:\Windows\System32\ztnzUhO.exe
  C:\Windows\System32\ztnzUhO.exe
  2⤵
  PID:7164
- C:\Windows\System32\DdfKFUx.exe
  C:\Windows\System32\DdfKFUx.exe
  2⤵
  PID:1984
- C:\Windows\System32\uHfBJbA.exe
  C:\Windows\System32\uHfBJbA.exe
  2⤵
  PID:6168
- C:\Windows\System32\VrnnEQE.exe
  C:\Windows\System32\VrnnEQE.exe
  2⤵
  PID:6192
- C:\Windows\System32\OKkzKYW.exe
  C:\Windows\System32\OKkzKYW.exe
  2⤵
  PID:6212
- C:\Windows\System32\PcQzynn.exe
  C:\Windows\System32\PcQzynn.exe
  2⤵
  PID:6304
- C:\Windows\System32\poRprLn.exe
  C:\Windows\System32\poRprLn.exe
  2⤵
  PID:6420
- C:\Windows\System32\TEDFflq.exe
  C:\Windows\System32\TEDFflq.exe
  2⤵
  PID:6460
- C:\Windows\System32\nLpMBVj.exe
  C:\Windows\System32\nLpMBVj.exe
  2⤵
  PID:6524
- C:\Windows\System32\HfJNGHQ.exe
  C:\Windows\System32\HfJNGHQ.exe
  2⤵
  PID:6592
- C:\Windows\System32\UwZadpR.exe
  C:\Windows\System32\UwZadpR.exe
  2⤵
  PID:6604
- C:\Windows\System32\ZJJeoWQ.exe
  C:\Windows\System32\ZJJeoWQ.exe
  2⤵
  PID:6588
- C:\Windows\System32\oQsRtAf.exe
  C:\Windows\System32\oQsRtAf.exe
  2⤵
  PID:6796
- C:\Windows\System32\mKruIzu.exe
  C:\Windows\System32\mKruIzu.exe
  2⤵
  PID:6728
- C:\Windows\System32\ThBAkEr.exe
  C:\Windows\System32\ThBAkEr.exe
  2⤵
  PID:6788
- C:\Windows\System32\xymodBx.exe
  C:\Windows\System32\xymodBx.exe
  2⤵
  PID:7064
- C:\Windows\System32\acFihEf.exe
  C:\Windows\System32\acFihEf.exe
  2⤵
  PID:7012
- C:\Windows\System32\zyShZlx.exe
  C:\Windows\System32\zyShZlx.exe
  2⤵
  PID:7060
- C:\Windows\System32\lrieCGk.exe
  C:\Windows\System32\lrieCGk.exe
  2⤵
  PID:6164
- C:\Windows\System32\BnghsAK.exe
  C:\Windows\System32\BnghsAK.exe
  2⤵
  PID:6216
- C:\Windows\System32\pUFwKcI.exe
  C:\Windows\System32\pUFwKcI.exe
  2⤵
  PID:6292
- C:\Windows\System32\fkdGGVj.exe
  C:\Windows\System32\fkdGGVj.exe
  2⤵
  PID:6468
- C:\Windows\System32\YxdBWUZ.exe
  C:\Windows\System32\YxdBWUZ.exe
  2⤵
  PID:6652
- C:\Windows\System32\GrHVKHg.exe
  C:\Windows\System32\GrHVKHg.exe
  2⤵
  PID:6620
- C:\Windows\System32\FuTnMRc.exe
  C:\Windows\System32\FuTnMRc.exe
  2⤵
  PID:6640
- C:\Windows\System32\ngNdEUU.exe
  C:\Windows\System32\ngNdEUU.exe
  2⤵
  PID:7036
- C:\Windows\System32\uCYWhdB.exe
  C:\Windows\System32\uCYWhdB.exe
  2⤵
  PID:7160
- C:\Windows\System32\jLKwfVu.exe
  C:\Windows\System32\jLKwfVu.exe
  2⤵
  PID:6356
- C:\Windows\System32\QMAwPWW.exe
  C:\Windows\System32\QMAwPWW.exe
  2⤵
  PID:6564
- C:\Windows\System32\htYxKmF.exe
  C:\Windows\System32\htYxKmF.exe
  2⤵
  PID:5144
- C:\Windows\System32\RGYvIRD.exe
  C:\Windows\System32\RGYvIRD.exe
  2⤵
  PID:7196
- C:\Windows\System32\xpdKdgl.exe
  C:\Windows\System32\xpdKdgl.exe
  2⤵
  PID:7220
- C:\Windows\System32\krzwSrS.exe
  C:\Windows\System32\krzwSrS.exe
  2⤵
  PID:7244
- C:\Windows\System32\bkpMnCe.exe
  C:\Windows\System32\bkpMnCe.exe
  2⤵
  PID:7276
- C:\Windows\System32\yChmKyv.exe
  C:\Windows\System32\yChmKyv.exe
  2⤵
  PID:7292
- C:\Windows\System32\tZNTvDH.exe
  C:\Windows\System32\tZNTvDH.exe
  2⤵
  PID:7340
- C:\Windows\System32\FlhqWTm.exe
  C:\Windows\System32\FlhqWTm.exe
  2⤵
  PID:7356
- C:\Windows\System32\WSyTeKF.exe
  C:\Windows\System32\WSyTeKF.exe
  2⤵
  PID:7392
- C:\Windows\System32\WVKaDPN.exe
  C:\Windows\System32\WVKaDPN.exe
  2⤵
  PID:7432
- C:\Windows\System32\fkCuIrZ.exe
  C:\Windows\System32\fkCuIrZ.exe
  2⤵
  PID:7452
- C:\Windows\System32\hWjRHfA.exe
  C:\Windows\System32\hWjRHfA.exe
  2⤵
  PID:7492
- C:\Windows\System32\zWaFEKy.exe
  C:\Windows\System32\zWaFEKy.exe
  2⤵
  PID:7528
- C:\Windows\System32\txdNyLV.exe
  C:\Windows\System32\txdNyLV.exe
  2⤵
  PID:7564
- C:\Windows\System32\xZcrgXm.exe
  C:\Windows\System32\xZcrgXm.exe
  2⤵
  PID:7596
- C:\Windows\System32\TjDbzkT.exe
  C:\Windows\System32\TjDbzkT.exe
  2⤵
  PID:7612
- C:\Windows\System32\DFZKZGG.exe
  C:\Windows\System32\DFZKZGG.exe
  2⤵
  PID:7632
- C:\Windows\System32\WyuzWsQ.exe
  C:\Windows\System32\WyuzWsQ.exe
  2⤵
  PID:7648
- C:\Windows\System32\kxMFLWP.exe
  C:\Windows\System32\kxMFLWP.exe
  2⤵
  PID:7672
- C:\Windows\System32\COfrgXc.exe
  C:\Windows\System32\COfrgXc.exe
  2⤵
  PID:7700
- C:\Windows\System32\PLlsJDs.exe
  C:\Windows\System32\PLlsJDs.exe
  2⤵
  PID:7720
- C:\Windows\System32\ErKtUxd.exe
  C:\Windows\System32\ErKtUxd.exe
  2⤵
  PID:7748
- C:\Windows\System32\RXuwlFJ.exe
  C:\Windows\System32\RXuwlFJ.exe
  2⤵
  PID:7768
- C:\Windows\System32\uZQDSjj.exe
  C:\Windows\System32\uZQDSjj.exe
  2⤵
  PID:7812
- C:\Windows\System32\obUrWHF.exe
  C:\Windows\System32\obUrWHF.exe
  2⤵
  PID:7848
- C:\Windows\System32\iSKEEpp.exe
  C:\Windows\System32\iSKEEpp.exe
  2⤵
  PID:7868
- C:\Windows\System32\hnzfDHg.exe
  C:\Windows\System32\hnzfDHg.exe
  2⤵
  PID:7884
- C:\Windows\System32\xWuaPWN.exe
  C:\Windows\System32\xWuaPWN.exe
  2⤵
  PID:7912
- C:\Windows\System32\DvbIhsf.exe
  C:\Windows\System32\DvbIhsf.exe
  2⤵
  PID:7932
- C:\Windows\System32\dmBUKyG.exe
  C:\Windows\System32\dmBUKyG.exe
  2⤵
  PID:7972
- C:\Windows\System32\CATpzdH.exe
  C:\Windows\System32\CATpzdH.exe
  2⤵
  PID:7992
- C:\Windows\System32\PgjaLUn.exe
  C:\Windows\System32\PgjaLUn.exe
  2⤵
  PID:8012
- C:\Windows\System32\NLcbYts.exe
  C:\Windows\System32\NLcbYts.exe
  2⤵
  PID:8064
- C:\Windows\System32\MePmdxe.exe
  C:\Windows\System32\MePmdxe.exe
  2⤵
  PID:8108
- C:\Windows\System32\TABSAuF.exe
  C:\Windows\System32\TABSAuF.exe
  2⤵
  PID:8132
- C:\Windows\System32\Vsxghaf.exe
  C:\Windows\System32\Vsxghaf.exe
  2⤵
  PID:8148
- C:\Windows\System32\PrkKlmB.exe
  C:\Windows\System32\PrkKlmB.exe
  2⤵
  PID:8172
- C:\Windows\System32\ChZMrWe.exe
  C:\Windows\System32\ChZMrWe.exe
  2⤵
  PID:6976
- C:\Windows\System32\aXoDfFk.exe
  C:\Windows\System32\aXoDfFk.exe
  2⤵
  PID:7268
- C:\Windows\System32\rDGACgT.exe
  C:\Windows\System32\rDGACgT.exe
  2⤵
  PID:7300
- C:\Windows\System32\srJCdPv.exe
  C:\Windows\System32\srJCdPv.exe
  2⤵
  PID:7352
- C:\Windows\System32\xjZAcKu.exe
  C:\Windows\System32\xjZAcKu.exe
  2⤵
  PID:7400
- C:\Windows\System32\JuTGKvf.exe
  C:\Windows\System32\JuTGKvf.exe
  2⤵
  PID:7560
- C:\Windows\System32\WOeotBe.exe
  C:\Windows\System32\WOeotBe.exe
  2⤵
  PID:7576
- C:\Windows\System32\xIEJiCl.exe
  C:\Windows\System32\xIEJiCl.exe
  2⤵
  PID:7624
- C:\Windows\System32\PZPSJps.exe
  C:\Windows\System32\PZPSJps.exe
  2⤵
  PID:7732
- C:\Windows\System32\mopRtjH.exe
  C:\Windows\System32\mopRtjH.exe
  2⤵
  PID:7764
- C:\Windows\System32\UbFILYn.exe
  C:\Windows\System32\UbFILYn.exe
  2⤵
  PID:7776
- C:\Windows\System32\ivRSsIC.exe
  C:\Windows\System32\ivRSsIC.exe
  2⤵
  PID:7840
- C:\Windows\System32\fJgwjcl.exe
  C:\Windows\System32\fJgwjcl.exe
  2⤵
  PID:8032
- C:\Windows\System32\FJChlhl.exe
  C:\Windows\System32\FJChlhl.exe
  2⤵
  PID:8060
- C:\Windows\System32\wckQKBZ.exe
  C:\Windows\System32\wckQKBZ.exe
  2⤵
  PID:8120
- C:\Windows\System32\mOXUIUu.exe
  C:\Windows\System32\mOXUIUu.exe
  2⤵
  PID:8164
- C:\Windows\System32\BeFkNCF.exe
  C:\Windows\System32\BeFkNCF.exe
  2⤵
  PID:7256
- C:\Windows\System32\ggHWcTl.exe
  C:\Windows\System32\ggHWcTl.exe
  2⤵
  PID:7232
- C:\Windows\System32\wKOrgAe.exe
  C:\Windows\System32\wKOrgAe.exe
  2⤵
  PID:7500
- C:\Windows\System32\ZNtbyXa.exe
  C:\Windows\System32\ZNtbyXa.exe
  2⤵
  PID:7640
- C:\Windows\System32\zeoGxKB.exe
  C:\Windows\System32\zeoGxKB.exe
  2⤵
  PID:7828
- C:\Windows\System32\TEQmMTx.exe
  C:\Windows\System32\TEQmMTx.exe
  2⤵
  PID:7900
- C:\Windows\System32\SuELXYD.exe
  C:\Windows\System32\SuELXYD.exe
  2⤵
  PID:8140
- C:\Windows\System32\PCXcnLO.exe
  C:\Windows\System32\PCXcnLO.exe
  2⤵
  PID:6904
- C:\Windows\System32\bSJKvqL.exe
  C:\Windows\System32\bSJKvqL.exe
  2⤵
  PID:7952
- C:\Windows\System32\vkFROSy.exe
  C:\Windows\System32\vkFROSy.exe
  2⤵
  PID:7664
- C:\Windows\System32\ysrLHoh.exe
  C:\Windows\System32\ysrLHoh.exe
  2⤵
  PID:7176
- C:\Windows\System32\VFkvPzA.exe
  C:\Windows\System32\VFkvPzA.exe
  2⤵
  PID:8196
- C:\Windows\System32\QZbJfqH.exe
  C:\Windows\System32\QZbJfqH.exe
  2⤵
  PID:8212
- C:\Windows\System32\VNOokkz.exe
  C:\Windows\System32\VNOokkz.exe
  2⤵
  PID:8236
- C:\Windows\System32\vOVCJGX.exe
  C:\Windows\System32\vOVCJGX.exe
  2⤵
  PID:8252
- C:\Windows\System32\ulFIDMK.exe
  C:\Windows\System32\ulFIDMK.exe
  2⤵
  PID:8320
- C:\Windows\System32\hFhDMsv.exe
  C:\Windows\System32\hFhDMsv.exe
  2⤵
  PID:8336
- C:\Windows\System32\rMNvrUX.exe
  C:\Windows\System32\rMNvrUX.exe
  2⤵
  PID:8360
- C:\Windows\System32\JEAJlWu.exe
  C:\Windows\System32\JEAJlWu.exe
  2⤵
  PID:8380
- C:\Windows\System32\kEwxCry.exe
  C:\Windows\System32\kEwxCry.exe
  2⤵
  PID:8400
- C:\Windows\System32\xivPTvf.exe
  C:\Windows\System32\xivPTvf.exe
  2⤵
  PID:8432
- C:\Windows\System32\sDwBbIE.exe
  C:\Windows\System32\sDwBbIE.exe
  2⤵
  PID:8452
- C:\Windows\System32\vkhzjOt.exe
  C:\Windows\System32\vkhzjOt.exe
  2⤵
  PID:8472
- C:\Windows\System32\jsVDYeS.exe
  C:\Windows\System32\jsVDYeS.exe
  2⤵
  PID:8512
- C:\Windows\System32\eTHipId.exe
  C:\Windows\System32\eTHipId.exe
  2⤵
  PID:8536
- C:\Windows\System32\VdVvsuz.exe
  C:\Windows\System32\VdVvsuz.exe
  2⤵
  PID:8552
- C:\Windows\System32\HduqCrj.exe
  C:\Windows\System32\HduqCrj.exe
  2⤵
  PID:8576
- C:\Windows\System32\alYIFmR.exe
  C:\Windows\System32\alYIFmR.exe
  2⤵
  PID:8604
- C:\Windows\System32\yhYTOkK.exe
  C:\Windows\System32\yhYTOkK.exe
  2⤵
  PID:8624
- C:\Windows\System32\xlXaxXc.exe
  C:\Windows\System32\xlXaxXc.exe
  2⤵
  PID:8640
- C:\Windows\System32\BuiFMtb.exe
  C:\Windows\System32\BuiFMtb.exe
  2⤵
  PID:8696
- C:\Windows\System32\KOpTVKd.exe
  C:\Windows\System32\KOpTVKd.exe
  2⤵
  PID:8720
- C:\Windows\System32\woElAog.exe
  C:\Windows\System32\woElAog.exe
  2⤵
  PID:8760
- C:\Windows\System32\MaMYmBg.exe
  C:\Windows\System32\MaMYmBg.exe
  2⤵
  PID:8820
- C:\Windows\System32\cJPjchf.exe
  C:\Windows\System32\cJPjchf.exe
  2⤵
  PID:8856
- C:\Windows\System32\nZBuEGh.exe
  C:\Windows\System32\nZBuEGh.exe
  2⤵
  PID:8872
- C:\Windows\System32\rUbzXVi.exe
  C:\Windows\System32\rUbzXVi.exe
  2⤵
  PID:8904
- C:\Windows\System32\tDqvems.exe
  C:\Windows\System32\tDqvems.exe
  2⤵
  PID:8920
- C:\Windows\System32\uQEYeTU.exe
  C:\Windows\System32\uQEYeTU.exe
  2⤵
  PID:8940
- C:\Windows\System32\JiNkDlj.exe
  C:\Windows\System32\JiNkDlj.exe
  2⤵
  PID:8960
- C:\Windows\System32\seORrZF.exe
  C:\Windows\System32\seORrZF.exe
  2⤵
  PID:8992
- C:\Windows\System32\QiIXKIF.exe
  C:\Windows\System32\QiIXKIF.exe
  2⤵
  PID:9040
- C:\Windows\System32\JntlLiR.exe
  C:\Windows\System32\JntlLiR.exe
  2⤵
  PID:9068
- C:\Windows\System32\oYNDdVt.exe
  C:\Windows\System32\oYNDdVt.exe
  2⤵
  PID:9084
- C:\Windows\System32\cfhMJuJ.exe
  C:\Windows\System32\cfhMJuJ.exe
  2⤵
  PID:9104
- C:\Windows\System32\oIFUCXb.exe
  C:\Windows\System32\oIFUCXb.exe
  2⤵
  PID:9144
- C:\Windows\System32\iaQVzGK.exe
  C:\Windows\System32\iaQVzGK.exe
  2⤵
  PID:9164
- C:\Windows\System32\GSbmqck.exe
  C:\Windows\System32\GSbmqck.exe
  2⤵
  PID:9184
- C:\Windows\System32\IeqQZrO.exe
  C:\Windows\System32\IeqQZrO.exe
  2⤵
  PID:7784
- C:\Windows\System32\gZTacxQ.exe
  C:\Windows\System32\gZTacxQ.exe
  2⤵
  PID:8264
- C:\Windows\System32\tXrUlwV.exe
  C:\Windows\System32\tXrUlwV.exe
  2⤵
  PID:8292
- C:\Windows\System32\LSvlwKJ.exe
  C:\Windows\System32\LSvlwKJ.exe
  2⤵
  PID:8396
- C:\Windows\System32\WdTDfEq.exe
  C:\Windows\System32\WdTDfEq.exe
  2⤵
  PID:8496
- C:\Windows\System32\ycQryaV.exe
  C:\Windows\System32\ycQryaV.exe
  2⤵
  PID:8568
- C:\Windows\System32\kCygqfK.exe
  C:\Windows\System32\kCygqfK.exe
  2⤵
  PID:8560
- C:\Windows\System32\QPfAxoX.exe
  C:\Windows\System32\QPfAxoX.exe
  2⤵
  PID:8616
- C:\Windows\System32\mzxMWHY.exe
  C:\Windows\System32\mzxMWHY.exe
  2⤵
  PID:8716
- C:\Windows\System32\UKDHoEC.exe
  C:\Windows\System32\UKDHoEC.exe
  2⤵
  PID:8784
- C:\Windows\System32\BpLqrnX.exe
  C:\Windows\System32\BpLqrnX.exe
  2⤵
  PID:8888
- C:\Windows\System32\wFuKACT.exe
  C:\Windows\System32\wFuKACT.exe
  2⤵
  PID:9016
- C:\Windows\System32\knUvJkD.exe
  C:\Windows\System32\knUvJkD.exe
  2⤵
  PID:9028
- C:\Windows\System32\scFTxcz.exe
  C:\Windows\System32\scFTxcz.exe
  2⤵
  PID:9076
- C:\Windows\System32\wrIvctZ.exe
  C:\Windows\System32\wrIvctZ.exe
  2⤵
  PID:9100
- C:\Windows\System32\VUKLBvL.exe
  C:\Windows\System32\VUKLBvL.exe
  2⤵
  PID:9160
- C:\Windows\System32\MWtOJTO.exe
  C:\Windows\System32\MWtOJTO.exe
  2⤵
  PID:8448
- C:\Windows\System32\LPZxvrY.exe
  C:\Windows\System32\LPZxvrY.exe
  2⤵
  PID:8544
- C:\Windows\System32\IPmcWFL.exe
  C:\Windows\System32\IPmcWFL.exe
  2⤵
  PID:8636
- C:\Windows\System32\OHiCjfX.exe
  C:\Windows\System32\OHiCjfX.exe
  2⤵
  PID:7716
- C:\Windows\System32\uJmmvVI.exe
  C:\Windows\System32\uJmmvVI.exe
  2⤵
  PID:8712
- C:\Windows\System32\iKBgXVM.exe
  C:\Windows\System32\iKBgXVM.exe
  2⤵
  PID:8968
- C:\Windows\System32\XlsYjAk.exe
  C:\Windows\System32\XlsYjAk.exe
  2⤵
  PID:8916
- C:\Windows\System32\QHuBENv.exe
  C:\Windows\System32\QHuBENv.exe
  2⤵
  PID:9032
- C:\Windows\System32\vmaveaD.exe
  C:\Windows\System32\vmaveaD.exe
  2⤵
  PID:9128
- C:\Windows\System32\PrbhNfk.exe
  C:\Windows\System32\PrbhNfk.exe
  2⤵
  PID:9200
- C:\Windows\System32\UaYKVTQ.exe
  C:\Windows\System32\UaYKVTQ.exe
  2⤵
  PID:9292
- C:\Windows\System32\LEzNYDo.exe
  C:\Windows\System32\LEzNYDo.exe
  2⤵
  PID:9308
- C:\Windows\System32\ABInkTl.exe
  C:\Windows\System32\ABInkTl.exe
  2⤵
  PID:9324
- C:\Windows\System32\HxCzhqx.exe
  C:\Windows\System32\HxCzhqx.exe
  2⤵
  PID:9340
- C:\Windows\System32\VhcIRLr.exe
  C:\Windows\System32\VhcIRLr.exe
  2⤵
  PID:9356
- C:\Windows\System32\PkSEaqN.exe
  C:\Windows\System32\PkSEaqN.exe
  2⤵
  PID:9372
- C:\Windows\System32\qpIKHoy.exe
  C:\Windows\System32\qpIKHoy.exe
  2⤵
  PID:9388
- C:\Windows\System32\BpWNJtb.exe
  C:\Windows\System32\BpWNJtb.exe
  2⤵
  PID:9404
- C:\Windows\System32\VwlWrIV.exe
  C:\Windows\System32\VwlWrIV.exe
  2⤵
  PID:9420
- C:\Windows\System32\QTxGwDY.exe
  C:\Windows\System32\QTxGwDY.exe
  2⤵
  PID:9436
- C:\Windows\System32\ogGbmwM.exe
  C:\Windows\System32\ogGbmwM.exe
  2⤵
  PID:9552
- C:\Windows\System32\EDXhXeS.exe
  C:\Windows\System32\EDXhXeS.exe
  2⤵
  PID:9700
- C:\Windows\System32\slTOQfh.exe
  C:\Windows\System32\slTOQfh.exe
  2⤵
  PID:9724
- C:\Windows\System32\UFuUKrV.exe
  C:\Windows\System32\UFuUKrV.exe
  2⤵
  PID:9740
- C:\Windows\System32\uYZFQfq.exe
  C:\Windows\System32\uYZFQfq.exe
  2⤵
  PID:9776
- C:\Windows\System32\tPfTTto.exe
  C:\Windows\System32\tPfTTto.exe
  2⤵
  PID:9804
- C:\Windows\System32\NOHMvzn.exe
  C:\Windows\System32\NOHMvzn.exe
  2⤵
  PID:9836
- C:\Windows\System32\rkrvRwV.exe
  C:\Windows\System32\rkrvRwV.exe
  2⤵
  PID:9852
- C:\Windows\System32\bynxNgs.exe
  C:\Windows\System32\bynxNgs.exe
  2⤵
  PID:9884
- C:\Windows\System32\lMrcMXi.exe
  C:\Windows\System32\lMrcMXi.exe
  2⤵
  PID:9904
- C:\Windows\System32\ClNwXyE.exe
  C:\Windows\System32\ClNwXyE.exe
  2⤵
  PID:9988
- C:\Windows\System32\KszBwVd.exe
  C:\Windows\System32\KszBwVd.exe
  2⤵
  PID:10008
- C:\Windows\System32\WWRWwgl.exe
  C:\Windows\System32\WWRWwgl.exe
  2⤵
  PID:10036
- C:\Windows\System32\rUMQiNj.exe
  C:\Windows\System32\rUMQiNj.exe
  2⤵
  PID:10064
- C:\Windows\System32\mjYWZra.exe
  C:\Windows\System32\mjYWZra.exe
  2⤵
  PID:10088
- C:\Windows\System32\FfxBIgH.exe
  C:\Windows\System32\FfxBIgH.exe
  2⤵
  PID:10112
- C:\Windows\System32\YEtdcdv.exe
  C:\Windows\System32\YEtdcdv.exe
  2⤵
  PID:10132
- C:\Windows\System32\zmQXxPG.exe
  C:\Windows\System32\zmQXxPG.exe
  2⤵
  PID:10148
- C:\Windows\System32\xlCvDLv.exe
  C:\Windows\System32\xlCvDLv.exe
  2⤵
  PID:10188
- C:\Windows\System32\ZMlfcRy.exe
  C:\Windows\System32\ZMlfcRy.exe
  2⤵
  PID:10204
- C:\Windows\System32\djbOctm.exe
  C:\Windows\System32\djbOctm.exe
  2⤵
  PID:10228
- C:\Windows\System32\yCqxzjp.exe
  C:\Windows\System32\yCqxzjp.exe
  2⤵
  PID:8844
- C:\Windows\System32\nkEfvlo.exe
  C:\Windows\System32\nkEfvlo.exe
  2⤵
  PID:8288
- C:\Windows\System32\ieFtzjg.exe
  C:\Windows\System32\ieFtzjg.exe
  2⤵
  PID:9276
- C:\Windows\System32\grZiTfs.exe
  C:\Windows\System32\grZiTfs.exe
  2⤵
  PID:9064
- C:\Windows\System32\TRRQxeT.exe
  C:\Windows\System32\TRRQxeT.exe
  2⤵
  PID:9224
- C:\Windows\System32\JBVUNlq.exe
  C:\Windows\System32\JBVUNlq.exe
  2⤵
  PID:9316
- C:\Windows\System32\rMXdbCI.exe
  C:\Windows\System32\rMXdbCI.exe
  2⤵
  PID:9492
- C:\Windows\System32\RgndUin.exe
  C:\Windows\System32\RgndUin.exe
  2⤵
  PID:9368
- C:\Windows\System32\upHAjyc.exe
  C:\Windows\System32\upHAjyc.exe
  2⤵
  PID:9428
- C:\Windows\System32\roAfqhm.exe
  C:\Windows\System32\roAfqhm.exe
  2⤵
  PID:9332
- C:\Windows\System32\owISPLc.exe
  C:\Windows\System32\owISPLc.exe
  2⤵
  PID:9736
- C:\Windows\System32\gIrEZmE.exe
  C:\Windows\System32\gIrEZmE.exe
  2⤵
  PID:9812
- C:\Windows\System32\tlcOvQe.exe
  C:\Windows\System32\tlcOvQe.exe
  2⤵
  PID:9824
- C:\Windows\System32\QttOzHk.exe
  C:\Windows\System32\QttOzHk.exe
  2⤵
  PID:9896
- C:\Windows\System32\vpRTvvA.exe
  C:\Windows\System32\vpRTvvA.exe
  2⤵
  PID:9960
- C:\Windows\System32\voXrDjm.exe
  C:\Windows\System32\voXrDjm.exe
  2⤵
  PID:10076
- C:\Windows\System32\rJCgPZh.exe
  C:\Windows\System32\rJCgPZh.exe
  2⤵
  PID:10128
- C:\Windows\System32\nIvbOPG.exe
  C:\Windows\System32\nIvbOPG.exe
  2⤵
  PID:10144
- C:\Windows\System32\MGyYlXC.exe
  C:\Windows\System32\MGyYlXC.exe
  2⤵
  PID:10184
- C:\Windows\System32\ZLOBBok.exe
  C:\Windows\System32\ZLOBBok.exe
  2⤵
  PID:10120
- C:\Windows\System32\hosCKdC.exe
  C:\Windows\System32\hosCKdC.exe
  2⤵
  PID:9336
- C:\Windows\System32\vDynaWb.exe
  C:\Windows\System32\vDynaWb.exe
  2⤵
  PID:9400
- C:\Windows\System32\tRTBJuH.exe
  C:\Windows\System32\tRTBJuH.exe
  2⤵
  PID:9500
- C:\Windows\System32\qGoZhzi.exe
  C:\Windows\System32\qGoZhzi.exe
  2⤵
  PID:9652
- C:\Windows\System32\OHfgULC.exe
  C:\Windows\System32\OHfgULC.exe
  2⤵
  PID:9788
- C:\Windows\System32\dGPBSpI.exe
  C:\Windows\System32\dGPBSpI.exe
  2⤵
  PID:10028
- C:\Windows\System32\xBNKFde.exe
  C:\Windows\System32\xBNKFde.exe
  2⤵
  PID:10108
- C:\Windows\System32\yyFCMHD.exe
  C:\Windows\System32\yyFCMHD.exe
  2⤵
  PID:8980
- C:\Windows\System32\YglYrJF.exe
  C:\Windows\System32\YglYrJF.exe
  2⤵
  PID:9504
- C:\Windows\System32\qpDiwzW.exe
  C:\Windows\System32\qpDiwzW.exe
  2⤵
  PID:9632
- C:\Windows\System32\eezppUM.exe
  C:\Windows\System32\eezppUM.exe
  2⤵
  PID:10044
- C:\Windows\System32\uPXamrJ.exe
  C:\Windows\System32\uPXamrJ.exe
  2⤵
  PID:9616
- C:\Windows\System32\cLFndUv.exe
  C:\Windows\System32\cLFndUv.exe
  2⤵
  PID:8664
- C:\Windows\System32\zSOUpCO.exe
  C:\Windows\System32\zSOUpCO.exe
  2⤵
  PID:10260
- C:\Windows\System32\lwNleoN.exe
  C:\Windows\System32\lwNleoN.exe
  2⤵
  PID:10284
- C:\Windows\System32\lgrUHFw.exe
  C:\Windows\System32\lgrUHFw.exe
  2⤵
  PID:10324
- C:\Windows\System32\MiWfefy.exe
  C:\Windows\System32\MiWfefy.exe
  2⤵
  PID:10344
- C:\Windows\System32\CAlDhKv.exe
  C:\Windows\System32\CAlDhKv.exe
  2⤵
  PID:10364
- C:\Windows\System32\kcFOUYs.exe
  C:\Windows\System32\kcFOUYs.exe
  2⤵
  PID:10404
- C:\Windows\System32\PhrJmSe.exe
  C:\Windows\System32\PhrJmSe.exe
  2⤵
  PID:10428
- C:\Windows\System32\stueCZW.exe
  C:\Windows\System32\stueCZW.exe
  2⤵
  PID:10452
- C:\Windows\System32\lTAbYag.exe
  C:\Windows\System32\lTAbYag.exe
  2⤵
  PID:10472
- C:\Windows\System32\HaSbGNI.exe
  C:\Windows\System32\HaSbGNI.exe
  2⤵
  PID:10488
- C:\Windows\System32\sVWCXco.exe
  C:\Windows\System32\sVWCXco.exe
  2⤵
  PID:10524
- C:\Windows\System32\PzFHUbB.exe
  C:\Windows\System32\PzFHUbB.exe
  2⤵
  PID:10568
- C:\Windows\System32\YfRbqqe.exe
  C:\Windows\System32\YfRbqqe.exe
  2⤵
  PID:10604
- C:\Windows\System32\ujxFvkb.exe
  C:\Windows\System32\ujxFvkb.exe
  2⤵
  PID:10640
- C:\Windows\System32\IaDosgF.exe
  C:\Windows\System32\IaDosgF.exe
  2⤵
  PID:10668
- C:\Windows\System32\uvwqYEw.exe
  C:\Windows\System32\uvwqYEw.exe
  2⤵
  PID:10688
- C:\Windows\System32\rEOUoje.exe
  C:\Windows\System32\rEOUoje.exe
  2⤵
  PID:10716
- C:\Windows\System32\HEdLaIj.exe
  C:\Windows\System32\HEdLaIj.exe
  2⤵
  PID:10740
- C:\Windows\System32\xuknzpd.exe
  C:\Windows\System32\xuknzpd.exe
  2⤵
  PID:10776
- C:\Windows\System32\EYdUrlK.exe
  C:\Windows\System32\EYdUrlK.exe
  2⤵
  PID:10792
- C:\Windows\System32\vxMpYtq.exe
  C:\Windows\System32\vxMpYtq.exe
  2⤵
  PID:10828
- C:\Windows\System32\urCqRwl.exe
  C:\Windows\System32\urCqRwl.exe
  2⤵
  PID:10852
- C:\Windows\System32\nYKgwTD.exe
  C:\Windows\System32\nYKgwTD.exe
  2⤵
  PID:10876
- C:\Windows\System32\HkqWVMh.exe
  C:\Windows\System32\HkqWVMh.exe
  2⤵
  PID:10896
- C:\Windows\System32\JnalQOV.exe
  C:\Windows\System32\JnalQOV.exe
  2⤵
  PID:10920
- C:\Windows\System32\WVcBsvX.exe
  C:\Windows\System32\WVcBsvX.exe
  2⤵
  PID:10940
- C:\Windows\System32\mqVGgiT.exe
  C:\Windows\System32\mqVGgiT.exe
  2⤵
  PID:10956
- C:\Windows\System32\guuZxbZ.exe
  C:\Windows\System32\guuZxbZ.exe
  2⤵
  PID:10976
- C:\Windows\System32\oTrUftA.exe
  C:\Windows\System32\oTrUftA.exe
  2⤵
  PID:11000
- C:\Windows\System32\wwnpfqE.exe
  C:\Windows\System32\wwnpfqE.exe
  2⤵
  PID:11044
- C:\Windows\System32\JXflyQs.exe
  C:\Windows\System32\JXflyQs.exe
  2⤵
  PID:11068
- C:\Windows\System32\JsCRbKy.exe
  C:\Windows\System32\JsCRbKy.exe
  2⤵
  PID:11124
- C:\Windows\System32\iIRpFgC.exe
  C:\Windows\System32\iIRpFgC.exe
  2⤵
  PID:11168
- C:\Windows\System32\jrGDZkM.exe
  C:\Windows\System32\jrGDZkM.exe
  2⤵
  PID:11196
- C:\Windows\System32\hhiyMwq.exe
  C:\Windows\System32\hhiyMwq.exe
  2⤵
  PID:11216
- C:\Windows\System32\CRtgoMg.exe
  C:\Windows\System32\CRtgoMg.exe
  2⤵
  PID:11236
- C:\Windows\System32\vUrErZI.exe
  C:\Windows\System32\vUrErZI.exe
  2⤵
  PID:11252
- C:\Windows\System32\kMlnuML.exe
  C:\Windows\System32\kMlnuML.exe
  2⤵
  PID:9596
- C:\Windows\System32\AaYLkbu.exe
  C:\Windows\System32\AaYLkbu.exe
  2⤵
  PID:10272
- C:\Windows\System32\NoxxJHf.exe
  C:\Windows\System32\NoxxJHf.exe
  2⤵
  PID:10360
- C:\Windows\System32\OgodetX.exe
  C:\Windows\System32\OgodetX.exe
  2⤵
  PID:10416
- C:\Windows\System32\InUQHpZ.exe
  C:\Windows\System32\InUQHpZ.exe
  2⤵
  PID:10460
- C:\Windows\System32\yuUpihj.exe
  C:\Windows\System32\yuUpihj.exe
  2⤵
  PID:10540
- C:\Windows\System32\fDQzUoX.exe
  C:\Windows\System32\fDQzUoX.exe
  2⤵
  PID:10664
- C:\Windows\System32\PlZtNFI.exe
  C:\Windows\System32\PlZtNFI.exe
  2⤵
  PID:10756
- C:\Windows\System32\fgcVnmY.exe
  C:\Windows\System32\fgcVnmY.exe
  2⤵
  PID:10848
- C:\Windows\System32\qyVnxeq.exe
  C:\Windows\System32\qyVnxeq.exe
  2⤵
  PID:10860
- C:\Windows\System32\eKrcDyT.exe
  C:\Windows\System32\eKrcDyT.exe
  2⤵
  PID:10888
- C:\Windows\System32\VicHAbp.exe
  C:\Windows\System32\VicHAbp.exe
  2⤵
  PID:10968
- C:\Windows\System32\kobSmar.exe
  C:\Windows\System32\kobSmar.exe
  2⤵
  PID:11020
- C:\Windows\System32\buunnNt.exe
  C:\Windows\System32\buunnNt.exe
  2⤵
  PID:11180
- C:\Windows\System32\JzyWvAH.exe
  C:\Windows\System32\JzyWvAH.exe
  2⤵
  PID:11232
- C:\Windows\System32\tfRwNue.exe
  C:\Windows\System32\tfRwNue.exe
  2⤵
  PID:10376
- C:\Windows\System32\dTdeISz.exe
  C:\Windows\System32\dTdeISz.exe
  2⤵
  PID:10248
- C:\Windows\System32\eGHGCJn.exe
  C:\Windows\System32\eGHGCJn.exe
  2⤵
  PID:10596
- C:\Windows\System32\eqsikWo.exe
  C:\Windows\System32\eqsikWo.exe
  2⤵
  PID:10700
- C:\Windows\System32\WwSpoyZ.exe
  C:\Windows\System32\WwSpoyZ.exe
  2⤵
  PID:10840
- C:\Windows\System32\TPlPsCG.exe
  C:\Windows\System32\TPlPsCG.exe
  2⤵
  PID:10996
- C:\Windows\System32\eVOgzCt.exe
  C:\Windows\System32\eVOgzCt.exe
  2⤵
  PID:11108
- C:\Windows\System32\UWYADIf.exe
  C:\Windows\System32\UWYADIf.exe
  2⤵
  PID:11228
- C:\Windows\System32\bNCtlAW.exe
  C:\Windows\System32\bNCtlAW.exe
  2⤵
  PID:9880
- C:\Windows\System32\YzCpbvk.exe
  C:\Windows\System32\YzCpbvk.exe
  2⤵
  PID:11188
- C:\Windows\System32\bQbxivY.exe
  C:\Windows\System32\bQbxivY.exe
  2⤵
  PID:11056
- C:\Windows\System32\OKWFpRJ.exe
  C:\Windows\System32\OKWFpRJ.exe
  2⤵
  PID:11092
- C:\Windows\System32\uEyhJYM.exe
  C:\Windows\System32\uEyhJYM.exe
  2⤵
  PID:11280
- C:\Windows\System32\ZUPaJHw.exe
  C:\Windows\System32\ZUPaJHw.exe
  2⤵
  PID:11300
- C:\Windows\System32\elTkqym.exe
  C:\Windows\System32\elTkqym.exe
  2⤵
  PID:11320
- C:\Windows\System32\gfJMYhU.exe
  C:\Windows\System32\gfJMYhU.exe
  2⤵
  PID:11344
- C:\Windows\System32\JfjEjEa.exe
  C:\Windows\System32\JfjEjEa.exe
  2⤵
  PID:11388
- C:\Windows\System32\FHqYBrP.exe
  C:\Windows\System32\FHqYBrP.exe
  2⤵
  PID:11420
- C:\Windows\System32\RRSWyTL.exe
  C:\Windows\System32\RRSWyTL.exe
  2⤵
  PID:11456
- C:\Windows\System32\vazTtKF.exe
  C:\Windows\System32\vazTtKF.exe
  2⤵
  PID:11484
- C:\Windows\System32\GkoabRT.exe
  C:\Windows\System32\GkoabRT.exe
  2⤵
  PID:11512
- C:\Windows\System32\kJOhoxO.exe
  C:\Windows\System32\kJOhoxO.exe
  2⤵
  PID:11552
- C:\Windows\System32\VAIkPhU.exe
  C:\Windows\System32\VAIkPhU.exe
  2⤵
  PID:11580
- C:\Windows\System32\QHCuOOF.exe
  C:\Windows\System32\QHCuOOF.exe
  2⤵
  PID:11616
- C:\Windows\System32\CBCcFYw.exe
  C:\Windows\System32\CBCcFYw.exe
  2⤵
  PID:11636
- C:\Windows\System32\kgxoWBK.exe
  C:\Windows\System32\kgxoWBK.exe
  2⤵
  PID:11668
- C:\Windows\System32\ZcQlwHS.exe
  C:\Windows\System32\ZcQlwHS.exe
  2⤵
  PID:11688
- C:\Windows\System32\YqmHMPk.exe
  C:\Windows\System32\YqmHMPk.exe
  2⤵
  PID:11708
- C:\Windows\System32\dtmUTnh.exe
  C:\Windows\System32\dtmUTnh.exe
  2⤵
  PID:11736
- C:\Windows\System32\SAbgUuD.exe
  C:\Windows\System32\SAbgUuD.exe
  2⤵
  PID:11784
- C:\Windows\System32\TTHQrZi.exe
  C:\Windows\System32\TTHQrZi.exe
  2⤵
  PID:11800
- C:\Windows\System32\FXAwDlv.exe
  C:\Windows\System32\FXAwDlv.exe
  2⤵
  PID:11820
- C:\Windows\System32\ttCrFeG.exe
  C:\Windows\System32\ttCrFeG.exe
  2⤵
  PID:11852
- C:\Windows\System32\mVzfxLM.exe
  C:\Windows\System32\mVzfxLM.exe
  2⤵
  PID:11868
- C:\Windows\System32\XOKbCQb.exe
  C:\Windows\System32\XOKbCQb.exe
  2⤵
  PID:11904
- C:\Windows\System32\YCRfGsz.exe
  C:\Windows\System32\YCRfGsz.exe
  2⤵
  PID:11928
- C:\Windows\System32\YlpKyJY.exe
  C:\Windows\System32\YlpKyJY.exe
  2⤵
  PID:11956
- C:\Windows\System32\JHIDQZY.exe
  C:\Windows\System32\JHIDQZY.exe
  2⤵
  PID:11976
- C:\Windows\System32\xifperw.exe
  C:\Windows\System32\xifperw.exe
  2⤵
  PID:12016
- C:\Windows\System32\gWAQSkS.exe
  C:\Windows\System32\gWAQSkS.exe
  2⤵
  PID:12036
- C:\Windows\System32\FVAxtIv.exe
  C:\Windows\System32\FVAxtIv.exe
  2⤵
  PID:12068
- C:\Windows\System32\tiXCVHT.exe
  C:\Windows\System32\tiXCVHT.exe
  2⤵
  PID:12112
- C:\Windows\System32\ckktxZg.exe
  C:\Windows\System32\ckktxZg.exe
  2⤵
  PID:12132
- C:\Windows\System32\BcDZClq.exe
  C:\Windows\System32\BcDZClq.exe
  2⤵
  PID:12148
- C:\Windows\System32\mZMiVbU.exe
  C:\Windows\System32\mZMiVbU.exe
  2⤵
  PID:12172
- C:\Windows\System32\yFWTwGS.exe
  C:\Windows\System32\yFWTwGS.exe
  2⤵
  PID:12192
- C:\Windows\System32\bAtWkKA.exe
  C:\Windows\System32\bAtWkKA.exe
  2⤵
  PID:12208
- C:\Windows\System32\fSgeoXL.exe
  C:\Windows\System32\fSgeoXL.exe
  2⤵
  PID:12236
- C:\Windows\System32\ADkNHXj.exe
  C:\Windows\System32\ADkNHXj.exe
  2⤵
  PID:12260
- C:\Windows\System32\eGgFgLx.exe
  C:\Windows\System32\eGgFgLx.exe
  2⤵
  PID:11272
- C:\Windows\System32\CccXUuO.exe
  C:\Windows\System32\CccXUuO.exe
  2⤵
  PID:11292
- C:\Windows\System32\VsFJagF.exe
  C:\Windows\System32\VsFJagF.exe
  2⤵
  PID:11412
- C:\Windows\System32\SCBaASX.exe
  C:\Windows\System32\SCBaASX.exe
  2⤵
  PID:11464
- C:\Windows\System32\TTEXIPX.exe
  C:\Windows\System32\TTEXIPX.exe
  2⤵
  PID:11520
- C:\Windows\System32\xSjAlsF.exe
  C:\Windows\System32\xSjAlsF.exe
  2⤵
  PID:11656
- C:\Windows\System32\zRHkWej.exe
  C:\Windows\System32\zRHkWej.exe
  2⤵
  PID:11724
- C:\Windows\System32\pVkhYOG.exe
  C:\Windows\System32\pVkhYOG.exe
  2⤵
  PID:11816
- C:\Windows\System32\AOFOCZQ.exe
  C:\Windows\System32\AOFOCZQ.exe
  2⤵
  PID:11864
- C:\Windows\System32\QoWdoqs.exe
  C:\Windows\System32\QoWdoqs.exe
  2⤵
  PID:11936
- C:\Windows\System32\mqaAfHl.exe
  C:\Windows\System32\mqaAfHl.exe
  2⤵
  PID:11996
- C:\Windows\System32\wqLzMXY.exe
  C:\Windows\System32\wqLzMXY.exe
  2⤵
  PID:12032
- C:\Windows\System32\VyvKgjq.exe
  C:\Windows\System32\VyvKgjq.exe
  2⤵
  PID:12156
- C:\Windows\System32\yOvjBBS.exe
  C:\Windows\System32\yOvjBBS.exe
  2⤵
  PID:12184
- C:\Windows\System32\fbVDeZF.exe
  C:\Windows\System32\fbVDeZF.exe
  2⤵
  PID:12200
- C:\Windows\System32\tAPShUX.exe
  C:\Windows\System32\tAPShUX.exe
  2⤵
  PID:11296
- C:\Windows\System32\ewRiZBu.exe
  C:\Windows\System32\ewRiZBu.exe
  2⤵
  PID:11332
- C:\Windows\System32\huBHrFW.exe
  C:\Windows\System32\huBHrFW.exe
  2⤵
  PID:4976
- C:\Windows\System32\fPCDPWF.exe
  C:\Windows\System32\fPCDPWF.exe
  2⤵
  PID:11588
- C:\Windows\System32\rfPkuax.exe
  C:\Windows\System32\rfPkuax.exe
  2⤵
  PID:11792
- C:\Windows\System32\HJItDME.exe
  C:\Windows\System32\HJItDME.exe
  2⤵
  PID:11900
- C:\Windows\System32\POsadZb.exe
  C:\Windows\System32\POsadZb.exe
  2⤵
  PID:12044
- C:\Windows\System32\gsQNUIn.exe
  C:\Windows\System32\gsQNUIn.exe
  2⤵
  PID:12120
- C:\Windows\System32\wMlJDrk.exe
  C:\Windows\System32\wMlJDrk.exe
  2⤵
  PID:11536
- C:\Windows\System32\TmmXhas.exe
  C:\Windows\System32\TmmXhas.exe
  2⤵
  PID:1652
- C:\Windows\System32\HljmvZZ.exe
  C:\Windows\System32\HljmvZZ.exe
  2⤵
  PID:11912
- C:\Windows\System32\sIsjzOb.exe
  C:\Windows\System32\sIsjzOb.exe
  2⤵
  PID:11508
- C:\Windows\System32\KRPeuPd.exe
  C:\Windows\System32\KRPeuPd.exe
  2⤵
  PID:11844
- C:\Windows\System32\LUhAktV.exe
  C:\Windows\System32\LUhAktV.exe
  2⤵
  PID:12300
- C:\Windows\System32\kQkXPgc.exe
  C:\Windows\System32\kQkXPgc.exe
  2⤵
  PID:12328
- C:\Windows\System32\CPUOKak.exe
  C:\Windows\System32\CPUOKak.exe
  2⤵
  PID:12344
- C:\Windows\System32\TWQdYbm.exe
  C:\Windows\System32\TWQdYbm.exe
  2⤵
  PID:12404
- C:\Windows\System32\zogJQFV.exe
  C:\Windows\System32\zogJQFV.exe
  2⤵
  PID:12428
- C:\Windows\System32\bNccfNL.exe
  C:\Windows\System32\bNccfNL.exe
  2⤵
  PID:12448
- C:\Windows\System32\HuZjEPA.exe
  C:\Windows\System32\HuZjEPA.exe
  2⤵
  PID:12488
- C:\Windows\System32\MeqpNAZ.exe
  C:\Windows\System32\MeqpNAZ.exe
  2⤵
  PID:12508
- C:\Windows\System32\oEyRPjh.exe
  C:\Windows\System32\oEyRPjh.exe
  2⤵
  PID:12528
- C:\Windows\System32\ORcCRyo.exe
  C:\Windows\System32\ORcCRyo.exe
  2⤵
  PID:12548
- C:\Windows\System32\knbJczU.exe
  C:\Windows\System32\knbJczU.exe
  2⤵
  PID:12564
- C:\Windows\System32\XriPobQ.exe
  C:\Windows\System32\XriPobQ.exe
  2⤵
  PID:12624
- C:\Windows\System32\LGaGJek.exe
  C:\Windows\System32\LGaGJek.exe
  2⤵
  PID:12656
- C:\Windows\System32\BaRrpFE.exe
  C:\Windows\System32\BaRrpFE.exe
  2⤵
  PID:12672
- C:\Windows\System32\GHhobig.exe
  C:\Windows\System32\GHhobig.exe
  2⤵
  PID:12696
- C:\Windows\System32\ZAkXkTn.exe
  C:\Windows\System32\ZAkXkTn.exe
  2⤵
  PID:12716
- C:\Windows\System32\XzZnvOo.exe
  C:\Windows\System32\XzZnvOo.exe
  2⤵
  PID:12768
- C:\Windows\System32\ySnIteK.exe
  C:\Windows\System32\ySnIteK.exe
  2⤵
  PID:12792
- C:\Windows\System32\VDZibLT.exe
  C:\Windows\System32\VDZibLT.exe
  2⤵
  PID:12812
- C:\Windows\System32\feUOLtI.exe
  C:\Windows\System32\feUOLtI.exe
  2⤵
  PID:12840
- C:\Windows\System32\AYSuALg.exe
  C:\Windows\System32\AYSuALg.exe
  2⤵
  PID:12876
- C:\Windows\System32\NUSXXPN.exe
  C:\Windows\System32\NUSXXPN.exe
  2⤵
  PID:12896
- C:\Windows\System32\RqmomQs.exe
  C:\Windows\System32\RqmomQs.exe
  2⤵
  PID:12924
- C:\Windows\System32\IFWvHPK.exe
  C:\Windows\System32\IFWvHPK.exe
  2⤵
  PID:12944
- C:\Windows\System32\uJDWuwy.exe
  C:\Windows\System32\uJDWuwy.exe
  2⤵
  PID:13004
- C:\Windows\System32\sBKFYIH.exe
  C:\Windows\System32\sBKFYIH.exe
  2⤵
  PID:13020
- C:\Windows\System32\fCRoXAR.exe
  C:\Windows\System32\fCRoXAR.exe
  2⤵
  PID:13036
- C:\Windows\System32\UPBEvyI.exe
  C:\Windows\System32\UPBEvyI.exe
  2⤵
  PID:13056
- C:\Windows\System32\COMaGFB.exe
  C:\Windows\System32\COMaGFB.exe
  2⤵
  PID:13080
- C:\Windows\System32\ttbCIMi.exe
  C:\Windows\System32\ttbCIMi.exe
  2⤵
  PID:13120
- C:\Windows\System32\SmODrwB.exe
  C:\Windows\System32\SmODrwB.exe
  2⤵
  PID:13152
- C:\Windows\System32\yIoVMiR.exe
  C:\Windows\System32\yIoVMiR.exe
  2⤵
  PID:13196
- C:\Windows\System32\gvZnArl.exe
  C:\Windows\System32\gvZnArl.exe
  2⤵
  PID:13216
- C:\Windows\System32\tCtlegd.exe
  C:\Windows\System32\tCtlegd.exe
  2⤵
  PID:13232
- C:\Windows\System32\uPnRVZk.exe
  C:\Windows\System32\uPnRVZk.exe
  2⤵
  PID:13268
- C:\Windows\System32\LHlTboE.exe
  C:\Windows\System32\LHlTboE.exe
  2⤵
  PID:13308
- C:\Windows\System32\VSBBApb.exe
  C:\Windows\System32\VSBBApb.exe
  2⤵
  PID:2364
- C:\Windows\System32\jKEHdcc.exe
  C:\Windows\System32\jKEHdcc.exe
  2⤵
  PID:12324
- C:\Windows\System32\xLfkiJs.exe
  C:\Windows\System32\xLfkiJs.exe
  2⤵
  PID:12308
- C:\Windows\System32\eacXCHj.exe
  C:\Windows\System32\eacXCHj.exe
  2⤵
  PID:12380
- C:\Windows\System32\xmgjuOj.exe
  C:\Windows\System32\xmgjuOj.exe
  2⤵
  PID:12440
- C:\Windows\System32\ZoAHTzn.exe
  C:\Windows\System32\ZoAHTzn.exe
  2⤵
  PID:12504
- C:\Windows\System32\mXiWMqQ.exe
  C:\Windows\System32\mXiWMqQ.exe
  2⤵
  PID:12540
- C:\Windows\System32\hFuizkI.exe
  C:\Windows\System32\hFuizkI.exe
  2⤵
  PID:12640
- C:\Windows\System32\BNkynRE.exe
  C:\Windows\System32\BNkynRE.exe
  2⤵
  PID:12680
- C:\Windows\System32\RGurzwf.exe
  C:\Windows\System32\RGurzwf.exe
  2⤵
  PID:12724
- C:\Windows\System32\jEiaFsG.exe
  C:\Windows\System32\jEiaFsG.exe
  2⤵
  PID:12800
- C:\Windows\System32\zsIZXfG.exe
  C:\Windows\System32\zsIZXfG.exe
  2⤵
  PID:12836

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\EnJTtyg.exe

Filesize
1.1MB

MD5
34f009fc52ff7fc58619b2a6569cb11b

SHA1
1b6be72b1baa66e3b873902e2eba28f04ee3c3e7

SHA256
8d84066f20be19bd2309585720b1f3a83f0700b08e83d2185e51583e980cb5db

SHA512
8d6b21dd3f7c9e9cd0a71a63ece744bea1eeca581737734bd9b4e200b78f1e19c422b44548c71868b073b665b9f0ff666d6fc26a6dc290fa9a11d2cb08bde0dd

Download Submit
C:\Windows\System32\Fioraki.exe

Filesize
1.1MB

MD5
8d19f8e177db9974ebbd234fd38d8665

SHA1
f4b0b1338d5dd2c0f575ed5908c852a6fe66667e

SHA256
60a93f4ce487b630c02348593728041e791620e3818fd88636867823b96a2de0

SHA512
9f594fcf52f6f93aa5938f0f513812766b291450a3a1e2889726c789db50c4b5965d994a405590b5cad047f98dca94da9d45d6b33c50f2be996d0e1b4f4b1f62

Download Submit
C:\Windows\System32\HltDFTf.exe

Filesize
1.1MB

MD5
256d7c60508eafe87a57c03ff60ca3dd

SHA1
aed506dad19d4a7f362c0a31504a10ad14f54f21

SHA256
ed743d37f3a654288ed121a1d1f6af4cb4f85d0c9308ae5518e44798f5d254be

SHA512
48d466c9d8166da0af55f29f4cc03a87eb8a21d055768a1d3e53700fceca37232ad8a4a7c8f0ef5ed482f42698088bc3ad5ee3be953d45adc7ca5a65012cd4ae

Download Submit
C:\Windows\System32\IRwyhog.exe

Filesize
1.1MB

MD5
efb4233a3ee30dd7e66a909745c73ecd

SHA1
74e2be9e074e98fa1ffdaac171e3de17f9a21114

SHA256
37361af967ae0ad67b6af7652fbeaa6570759320b4b03d2ebfb8f379009769a7

SHA512
4dda69966b91d76d299f2930bdaa3f8035f4970d448d4a8189846461227cadb6a3b0591b480d1dd18eed75ca22e23bde4a491e58b9cd8d029db9b22419bfb864

Download Submit
C:\Windows\System32\MBnhsRe.exe

Filesize
1.1MB

MD5
6f8a717207eb5f9d766debc37abb727e

SHA1
925be4fb07c80dd454f6c0789df999a67a1ff0e0

SHA256
b1112f68fa64d306fa96bc5cb0711d4f89bea357047063aa473e8dcbb9344587

SHA512
685eb4ee0786ab265fb080977ab750f01b2f918355c4ce16411725ed54827f7f23b36b0ab6a299bcac66fb649840811cd7e5d43522762dbbcafb4bb6ed782b64

Download Submit
C:\Windows\System32\MteAllX.exe

Filesize
1.1MB

MD5
5333b648546201909512c0da9a57b3d6

SHA1
54179ce2db2543b91ed628b238ffd74f46228327

SHA256
68ac65add309d3a9d040e980c0e4338dcc2e1fab96998e01d44fc72b3b823207

SHA512
ada78d3c83976b2e51f764dff8adc891348f1d99157a650b392aa629177c675b033346ff8c16d4f4d44ee03744ca86d4f37d8bd4cf4aa322e560b9f2ecf92ed4

Download Submit
C:\Windows\System32\NINDcXv.exe

Filesize
1.1MB

MD5
bdb982f57dfed8faf2a309d214406956

SHA1
c24ae3410afbbf91210d4267fefad3a2ca432449

SHA256
d2961e485331ecac5b413e7d51f3765d469dde01e44854d169bcb31e9cecabb4

SHA512
df082be9ecbde3e74c285d740e6c3018dcc54f1ef7b6ebb1f09e9835dafadeff352cf477bb3a68ce3499bbab0e79ae17e30fa7b0fdd0ff31bdb85cbc0826ec62

Download Submit
C:\Windows\System32\QTfpaDt.exe

Filesize
1.1MB

MD5
21ab5640f0936e4a58355407e21d4f17

SHA1
75290fd0b38c5b46f2b1b3cc8122677562e7a945

SHA256
2d879d311bcef9b90a8fa196504a56477aeea56166b7264adc68a5f0966d61e1

SHA512
507562e2b71c9ff80ac898a24dcc04f4af8b1e71a8fc7075e20c53b320ecf53f55aaafc37adadbb09614360cc4ac5761e62f88262017a99e2bde88a70d2c18ad

Download Submit
C:\Windows\System32\QXExAyQ.exe

Filesize
1.1MB

MD5
809870b7c9d24dabc7b88249c0f4dd5e

SHA1
74daeb39102c69119e87d4e32edbbd9a99fc286b

SHA256
9bac833c0de12520f38d8ef67b713fb6cde27922e58563d88a96a51cae3bae0f

SHA512
739e971983e7128aec93c5da666677d8030661bd619f0b1782eb517e70770cda30c5d3904f8cb7fa39af03cbe22ed1fc324d3b2adccd4d5d6a5782c983e516f0

Download Submit
C:\Windows\System32\QdYOthZ.exe

Filesize
1.1MB

MD5
c7e9f6094e705dc7918a027e0af990ed

SHA1
ad6105fb79068ad0ff8fab0fbef25e51a3f60249

SHA256
c3a9c4aff739712a599b7781c83a679125fed48ab44150596bd8f038e02c2d46

SHA512
6962ee0b3abc29f371b5567e1e52dc7b633146ef81788dc40ae4d4be4f87de322c1db39378fae4429ae6742a62ea10f30386708395eac24a20a376313c7018e3

Download Submit
C:\Windows\System32\QkobPwk.exe

Filesize
1.1MB

MD5
a67c3a9b5b99e250a834fb2254752422

SHA1
08f47f67261d64f5c701bd03f73a5c69cb17bedb

SHA256
4291983533cc6ae6442d70644ebe38d9ac53e3041378382be920a52103c645a3

SHA512
e20796142c663c69a93f1fb49a71cf5a015d6438ddd149ef299228eeee2344eb88500a0d585bd142de3680dcab6dfed8ccf9b7ea292819d66191127d504cee72

Download Submit
C:\Windows\System32\RrMreHc.exe

Filesize
1.1MB

MD5
d80edee21ef94c6273f00208a3169a05

SHA1
83cb96779e57ec56e86d539c553b40b87654d803

SHA256
3cfc410e28d46e87506d02ba3fb337360307f70b4efbc021d2598a70b4103664

SHA512
ceae44ed3970244312e2bf54daee98fd7b0aa2609eb0a286169595e880c6b886136a98c704a0f2e9e1d371ef6edbf02500a41f18bdf8386ca861daee1f0fd095

Download Submit
C:\Windows\System32\UuxVgwG.exe

Filesize
1.1MB

MD5
d594ce327f81662b1057c737607d04de

SHA1
cbf6ae8176be31e7458de439aa16847d85e33dd6

SHA256
0e5ce111960e9d8268061fefb30709e185e0d29546ae1554faf0fa6c14a17976

SHA512
c169a6d373ef7bfe60af340b752eb95e6b4fbe4446b10b81594208906b0ba6e8a00bd948619e28ff86abaea9e332ee3637fedcb25676972d30138195f22841aa

Download Submit
C:\Windows\System32\VFaBpVZ.exe

Filesize
1.1MB

MD5
e029bdc19d664867a9c8e18f8d53baac

SHA1
7c46e5907edef5212d7fd795033ff8c503730271

SHA256
93843a0176f61297454eb7cdf4ed3640444f8452ca04f362ac6a7000f1a5a5e4

SHA512
a83046b1e0ab60cd5b5e8a4713b08c0a719aa05bb181f25ec022517b7ec803494a41914c0b55b686cedc34e412c3c15c40f6755d162ce9b817aa9e17dac8ffda

Download Submit
C:\Windows\System32\VbZDhgu.exe

Filesize
1.1MB

MD5
b8f4237f4a479a6f532fcd25bb300cbb

SHA1
93f517b9739f59efdb0d202281eccf31377d5423

SHA256
96652ae17b5545d95f0482b9a9605ada8a4f1a5279e7bbaead58997a9ec63d50

SHA512
fad36bd96f9a7bedc0dc0233e6fd3765ee3ac588580c1c53d35230710865acd0f40a76a69bbbf7cdc7394f223b50a483cc9dcec3be62c0b3b15b36670d321e29

Download Submit
C:\Windows\System32\WHULIal.exe

Filesize
1.1MB

MD5
d4fc765dc98bbb2b29d05077187345c1

SHA1
42b89ad5339a2930bc7ee4807f389668e2f81a05

SHA256
cf2b815b75a8afc6d00e07a4887be92b52ffd58a62bf5278255716555f737246

SHA512
53d193e9eb794361528659297d7205f0ea396e53628a1a7639a77722d5bcfe24454aeffdee03dfaadd6c51ed8c850f27debafd4476c69653a831c59ecc4e0b51

Download Submit
C:\Windows\System32\WeCKcKK.exe

Filesize
1.1MB

MD5
9f59cacedbceaf7d0bd67c560d261de4

SHA1
f41749e337eb279877f7d6f01667b368226efe2c

SHA256
e9055f94f47eff636670832dc29c9fc0b439712a0d6be98d83a1e7231286a296

SHA512
5e806fbda66ff453653f7e645ca5b00fe8ebdda17c04c546d500752195cc58770f2a3053e78dd11a8e88a7f5412e2e5f601e4bc693672606d4363c1d92bc36f9

Download Submit
C:\Windows\System32\WphKrpV.exe

Filesize
1.1MB

MD5
536ee6fce52ef7ff0c30dbb58fe2e5b2

SHA1
d8332ac1b1dcc1a005d943500057bc6c975ff696

SHA256
7ce0abf17390122851662e417c571c2e0f9d84ef8ee7ab12c89e067825045d80

SHA512
0878f1f107e7221a897b313a5979be6729c989f5b5df8477b4c5ef1c992106c6c35a3314051a5375ad2824f256dc5d206e447d09ee454b5d14f1326a6acfebe9

Download Submit
C:\Windows\System32\apAXLOt.exe

Filesize
1.1MB

MD5
2a9b57f900b68dda1b8f97c2b262aaf0

SHA1
561ef26a9d0e3b7c51eff5cba146de7fdf4bc443

SHA256
b37a6a27b362edf272b9eb0ff71a636d5e7ecbb2010e6df6acdac1ece37b1042

SHA512
b01c05c6d9e30a857f2b0e54718350755f8afd68c731ea9aae95385cfb9990ac5f24c5947d266fd58a29265ae6f2144b904fd6dbcb2c431323a364429bcdbe5c

Download Submit
C:\Windows\System32\bzbDHvp.exe

Filesize
1.1MB

MD5
d86464355b54f7f9039d4881ea5bf59e

SHA1
cc3c21fee0450fdd697ef99c2debda4409977283

SHA256
51a9e5e7c1f42fd79ecb9934c137bd28e1a08525fde5a2b9c729cebf28f0019b

SHA512
fac15e5f6c9625b35c19e191980f410640d93129d57d78a650acdd0584551e54c08c5a4d83097747d359ad07197214eb2e9dc1ba7cae5b74d3220795b4c2acbd

Download Submit
C:\Windows\System32\eOSVMiY.exe

Filesize
1.1MB

MD5
07a4c8d9d82dfb3a25fcb57541a86ef0

SHA1
8651c511f8e635d13a833baccad48d3f6848cd39

SHA256
7e3923f799e741f51ba08c324adf90835771b42eda08c978dd1f168c559bc668

SHA512
caf91026a25f601f0e1a0b4e8602a4dc7d042fa6e2e48db9550e33750a4ec8cedbb5f022243605eb83fd613cd11d9e74427337f7e4ac6482ae21badc858dbbe2

Download Submit
C:\Windows\System32\fIIztww.exe

Filesize
1.1MB

MD5
e5ad0dae696565b922b65bcce25efe75

SHA1
9feaa0ed53a75e18cdfdcd80cba660886fef9b95

SHA256
a4eed5783aeb53b271f052a6524f41edf47d7bdd5a948a93d9ab976a698326a5

SHA512
b9d33bbb2fb8ae35ca24f77a076a04d9a734c753ad5bfa425bc40040cec56d5fdc0d9503257020cd942be96a923f521fad694cabb5b97baebedfc839a12e7266

Download Submit
C:\Windows\System32\goRdyEn.exe

Filesize
1.1MB

MD5
c3e9c5040fa9f5b4e55b22825bec3e67

SHA1
6892e05e182245c8225b5a7e11e6937e80b3da57

SHA256
87fa264fd51f5371d267775d1f8b18a5a53dcbfcc4cbb9237a297b939924a1d7

SHA512
690dd9f2fec18b570c3a7c02aced0a70db733b1e986b6b31eebdfffcf6ac2b44e4d56723237524a72fe3d343d8b36689f433241b00aa9c56c5225afb8192e155

Download Submit
C:\Windows\System32\jmBSJNe.exe

Filesize
1.1MB

MD5
d4708a8182bf82ada3eb65719298fe5f

SHA1
6304598272acce8a3416f8928cdbc1d2b42547e3

SHA256
6761fd40358b9727e806ebddeb4de241db2343b446fd3476376495af8beea810

SHA512
e67298a75ebc07390203255a46303caaef29dd051ddb3ccc93e5b301fb6df07bf0d98d9553d4bb35c409c307d4a0a2dfe16469f9ed03e5ed3893daffebfbc149

Download Submit
C:\Windows\System32\lFmuzgf.exe

Filesize
1.1MB

MD5
9404a14149f13352ad0ed49ab48fcc61

SHA1
487b6b0d394d68cc8e710ff5291c1271af470a3c

SHA256
9e9729cc8eb13939813648fceeb5f957369331cae0853b518a048e6f3369555c

SHA512
2e730d0f10068a609c76c779f8bc8f14a6df1a2f35de020206bbca58f8aac019558a8414c4b07b57ddf888936240b87154561b82adcbf46ecad0d86d9cbfe1a1

Download Submit
C:\Windows\System32\oHfVIqh.exe

Filesize
1.1MB

MD5
e194ccb6d7ce0a46f77bcbd96795c524

SHA1
cbf471fc2cbe9e7333d9e0a73153c4b54fd39da4

SHA256
64cf49bd634c14e1e0aadd83abf1178bdcb1f30eedd3719d9d9328f99aae67ac

SHA512
48ca825ccd61d386d252505c236927d0da47686e703c8609befd99143adfbeec1bc876820c238ce6def51f3265010e1412fde52ab7615abb61188915651cd9b6

Download Submit
C:\Windows\System32\oZPSIyq.exe

Filesize
1.1MB

MD5
799fec41c4d965c6f5b9197ba92cc1ce

SHA1
3312d8681ab01a34871d174f393d7e64db1ce3f3

SHA256
eacc40f17596accb8e05a0d1fd68632f4f1bb64bcc30b14fa043a5aa5b5714b9

SHA512
0edb7675f90cdc17aaa2caf6efb6d1f0894c0d49bb515bdc2de4594aa5f908ca847e041a0c309af8bb26827750a1a2755f083bd9856b1100dec096ab40500f56

Download Submit
C:\Windows\System32\pSgEpwd.exe

Filesize
1.1MB

MD5
1144e5cee9318e86cfca262121cc4fb4

SHA1
32ad8e3463cc765956a5f70d7d1fe15d69372acc

SHA256
ca0675025b4ae708b220191561c5cb220cb98d614ab8a6579011e5d55459d3c9

SHA512
2eade9cd1d3813783fff4141ae02f4e33641269c935513034a4f0977231f1f9048483e8db4e5810303251a669c3cda5c5fc32019226374044677d03d8304cb05

Download Submit
C:\Windows\System32\rTKkZUu.exe

Filesize
1.1MB

MD5
dc3f5d523f42c9952d087155e2f56938

SHA1
9368d2c4f68fc6d1142e93dbf7d84a21bca461c1

SHA256
c4e4bbdc479aeb33da9f6d4a9ec6c534acbff783649e98234606f9c2e7ccda36

SHA512
4e9223e8f69a0af35743250ca0c62f35c46430c7d5ea36380ba8710020e166725788351738172371d1a5967221b0b175ea26a0915b8f6b11ae383454d735d198

Download Submit
C:\Windows\System32\yKKTwEp.exe

Filesize
1.1MB

MD5
d2d545b19480acfdf3fb4b450404e514

SHA1
55ffb043fbe3b30d3d28863bfdb198aab5abaff2

SHA256
27e1e2a1beced0459b07280d3b69c4d9d24f167075895b0441b957923d3891ec

SHA512
6ddf6568433c161b3bd8758352e14d8387fac3f609ae7a9cddc9cba4098a4b24e6f889c5b8b14c465a945c97e0e84e0c4e8a1cc6f218dac3c1fc0114a0a4c044

Download Submit
C:\Windows\System32\yhhplBc.exe

Filesize
1.1MB

MD5
c09033a93a48ddfd1f5dccb33a75b827

SHA1
8228c77e046aff4cc5abfc0ed21d31a647ee350e

SHA256
1692465ece21f5c39b348465e76418e28f090e5c30a071382912f36533b61a4c

SHA512
0af2f67bea041666493dd63c7a59daf180a5b9f3f7fa3f219c1cd963b6b79aece1e535a8d98894a8c0fa2a9a5f706c8e8304ffe6d98fee63f721d6257b40a19f

Download Submit
C:\Windows\System32\zBQPKfg.exe

Filesize
1.1MB

MD5
da01ff425832420784fb7c9714c474b1

SHA1
6432713dfc99c1aa543b4b9d6a09c838d283864b

SHA256
190d4fbfc4f84b387829cb0cecfd1ed13ff008c45aa5081d21f72eb839a9244b

SHA512
b972c80c0d65452d262ba79b39b91df3009ea7c04ae21c076b2a1add75713e7b003a562cdeec4498f6df8c16f6df9be2da8b3fdfad57748dacda4e07309cf554

Download Submit
memory/376-324-0x00007FF7C04A0000-0x00007FF7C0891000-memory.dmp

Filesize
3.9MB

Download
memory/376-2030-0x00007FF7C04A0000-0x00007FF7C0891000-memory.dmp

Filesize
3.9MB

Download
memory/424-1-0x000001AC1E860000-0x000001AC1E870000-memory.dmp

Filesize
64KB

Download
memory/424-0-0x00007FF77CFA0000-0x00007FF77D391000-memory.dmp

Filesize
3.9MB

Download
memory/424-1981-0x00007FF77CFA0000-0x00007FF77D391000-memory.dmp

Filesize
3.9MB

Download
memory/444-394-0x00007FF7F26C0000-0x00007FF7F2AB1000-memory.dmp

Filesize
3.9MB

Download
memory/444-2044-0x00007FF7F26C0000-0x00007FF7F2AB1000-memory.dmp

Filesize
3.9MB

Download
memory/1080-24-0x00007FF793390000-0x00007FF793781000-memory.dmp

Filesize
3.9MB

Download
memory/1080-2036-0x00007FF793390000-0x00007FF793781000-memory.dmp

Filesize
3.9MB

Download
memory/1080-1984-0x00007FF793390000-0x00007FF793781000-memory.dmp

Filesize
3.9MB

Download
memory/1636-15-0x00007FF6B17C0000-0x00007FF6B1BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1636-1983-0x00007FF6B17C0000-0x00007FF6B1BB1000-memory.dmp

Filesize
3.9MB

Download
memory/1636-2028-0x00007FF6B17C0000-0x00007FF6B1BB1000-memory.dmp

Filesize
3.9MB

Download
memory/2004-348-0x00007FF62C670000-0x00007FF62CA61000-memory.dmp

Filesize
3.9MB

Download
memory/2004-2066-0x00007FF62C670000-0x00007FF62CA61000-memory.dmp

Filesize
3.9MB

Download
memory/2272-2062-0x00007FF7575B0000-0x00007FF7579A1000-memory.dmp

Filesize
3.9MB

Download
memory/2272-366-0x00007FF7575B0000-0x00007FF7579A1000-memory.dmp

Filesize
3.9MB

Download
memory/2404-2075-0x00007FF6BEFB0000-0x00007FF6BF3A1000-memory.dmp

Filesize
3.9MB

Download
memory/2404-409-0x00007FF6BEFB0000-0x00007FF6BF3A1000-memory.dmp

Filesize
3.9MB

Download
memory/2468-358-0x00007FF6247F0000-0x00007FF624BE1000-memory.dmp

Filesize
3.9MB

Download
memory/2468-2048-0x00007FF6247F0000-0x00007FF624BE1000-memory.dmp

Filesize
3.9MB

Download
memory/2552-359-0x00007FF6468B0000-0x00007FF646CA1000-memory.dmp

Filesize
3.9MB

Download
memory/2552-2060-0x00007FF6468B0000-0x00007FF646CA1000-memory.dmp

Filesize
3.9MB

Download
memory/2884-404-0x00007FF6E6230000-0x00007FF6E6621000-memory.dmp

Filesize
3.9MB

Download
memory/2884-2068-0x00007FF6E6230000-0x00007FF6E6621000-memory.dmp

Filesize
3.9MB

Download
memory/3032-334-0x00007FF72FC10000-0x00007FF730001000-memory.dmp

Filesize
3.9MB

Download
memory/3032-2034-0x00007FF72FC10000-0x00007FF730001000-memory.dmp

Filesize
3.9MB

Download
memory/3128-374-0x00007FF681520000-0x00007FF681911000-memory.dmp

Filesize
3.9MB

Download
memory/3128-2056-0x00007FF681520000-0x00007FF681911000-memory.dmp

Filesize
3.9MB

Download
memory/3168-362-0x00007FF6FB960000-0x00007FF6FBD51000-memory.dmp

Filesize
3.9MB

Download
memory/3168-2058-0x00007FF6FB960000-0x00007FF6FBD51000-memory.dmp

Filesize
3.9MB

Download
memory/3208-2042-0x00007FF720EE0000-0x00007FF7212D1000-memory.dmp

Filesize
3.9MB

Download
memory/3208-343-0x00007FF720EE0000-0x00007FF7212D1000-memory.dmp

Filesize
3.9MB

Download
memory/3252-2050-0x00007FF667DB0000-0x00007FF6681A1000-memory.dmp

Filesize
3.9MB

Download
memory/3252-350-0x00007FF667DB0000-0x00007FF6681A1000-memory.dmp

Filesize
3.9MB

Download
memory/3284-329-0x00007FF7B5590000-0x00007FF7B5981000-memory.dmp

Filesize
3.9MB

Download
memory/3284-2032-0x00007FF7B5590000-0x00007FF7B5981000-memory.dmp

Filesize
3.9MB

Download
memory/3588-336-0x00007FF666700000-0x00007FF666AF1000-memory.dmp

Filesize
3.9MB

Download
memory/3588-2040-0x00007FF666700000-0x00007FF666AF1000-memory.dmp

Filesize
3.9MB

Download
memory/4260-2073-0x00007FF76A760000-0x00007FF76AB51000-memory.dmp

Filesize
3.9MB

Download
memory/4260-411-0x00007FF76A760000-0x00007FF76AB51000-memory.dmp

Filesize
3.9MB

Download
memory/4308-2071-0x00007FF6F38D0000-0x00007FF6F3CC1000-memory.dmp

Filesize
3.9MB

Download
memory/4308-408-0x00007FF6F38D0000-0x00007FF6F3CC1000-memory.dmp

Filesize
3.9MB

Download
memory/4356-2038-0x00007FF766940000-0x00007FF766D31000-memory.dmp

Filesize
3.9MB

Download
memory/4356-412-0x00007FF766940000-0x00007FF766D31000-memory.dmp

Filesize
3.9MB

Download
memory/4496-2064-0x00007FF7C70B0000-0x00007FF7C74A1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-402-0x00007FF7C70B0000-0x00007FF7C74A1000-memory.dmp

Filesize
3.9MB

Download
memory/4528-2054-0x00007FF6DC850000-0x00007FF6DCC41000-memory.dmp

Filesize
3.9MB

Download
memory/4528-371-0x00007FF6DC850000-0x00007FF6DCC41000-memory.dmp

Filesize
3.9MB

Download
memory/4732-2046-0x00007FF67E650000-0x00007FF67EA41000-memory.dmp

Filesize
3.9MB

Download
memory/4732-379-0x00007FF67E650000-0x00007FF67EA41000-memory.dmp

Filesize
3.9MB

Download
memory/4756-2052-0x00007FF702780000-0x00007FF702B71000-memory.dmp

Filesize
3.9MB

Download
memory/4756-375-0x00007FF702780000-0x00007FF702B71000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads