xmrig | 87514ec88fd6d5091f7651e8f77c0e899a85ea600a80d82768b0806e17c9d848

Analysis

max time kernel
141s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 07:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
Size

1.2MB
MD5

0ffdb86232060094189d1e2d0d624cc4
SHA1

b4c7b4def106d146c37ccabbebca69ae6c6bd1e2
SHA256

87514ec88fd6d5091f7651e8f77c0e899a85ea600a80d82768b0806e17c9d848
SHA512

273baa470c41011b33592969126158f9b24a4ff83dc06cb1be10192929896c77e440e4791e8d827d5e57640d492163abde3b3a54f276f485da3ab7e9e47437f2
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1j:knw9oUUEEDl37jcq4nPC

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1852-33-0x00007FF671F90000-0x00007FF672381000-memory.dmp	xmrig
behavioral2/memory/1468-380-0x00007FF6C3760000-0x00007FF6C3B51000-memory.dmp	xmrig
behavioral2/memory/2928-386-0x00007FF6A59C0000-0x00007FF6A5DB1000-memory.dmp	xmrig
behavioral2/memory/1464-388-0x00007FF777C10000-0x00007FF778001000-memory.dmp	xmrig
behavioral2/memory/2168-387-0x00007FF6445F0000-0x00007FF6449E1000-memory.dmp	xmrig
behavioral2/memory/4544-373-0x00007FF604910000-0x00007FF604D01000-memory.dmp	xmrig
behavioral2/memory/3920-389-0x00007FF7BB930000-0x00007FF7BBD21000-memory.dmp	xmrig
behavioral2/memory/2084-393-0x00007FF64B710000-0x00007FF64BB01000-memory.dmp	xmrig
behavioral2/memory/1980-403-0x00007FF6EABB0000-0x00007FF6EAFA1000-memory.dmp	xmrig
behavioral2/memory/972-406-0x00007FF770230000-0x00007FF770621000-memory.dmp	xmrig
behavioral2/memory/1196-413-0x00007FF69D320000-0x00007FF69D711000-memory.dmp	xmrig
behavioral2/memory/4620-416-0x00007FF63B250000-0x00007FF63B641000-memory.dmp	xmrig
behavioral2/memory/4752-421-0x00007FF68A9B0000-0x00007FF68ADA1000-memory.dmp	xmrig
behavioral2/memory/3792-444-0x00007FF763080000-0x00007FF763471000-memory.dmp	xmrig
behavioral2/memory/3908-447-0x00007FF601D10000-0x00007FF602101000-memory.dmp	xmrig
behavioral2/memory/2420-439-0x00007FF698D00000-0x00007FF6990F1000-memory.dmp	xmrig
behavioral2/memory/3428-434-0x00007FF728CB0000-0x00007FF7290A1000-memory.dmp	xmrig
behavioral2/memory/4532-429-0x00007FF67C8F0000-0x00007FF67CCE1000-memory.dmp	xmrig
behavioral2/memory/3044-424-0x00007FF781AD0000-0x00007FF781EC1000-memory.dmp	xmrig
behavioral2/memory/3776-35-0x00007FF7B2560000-0x00007FF7B2951000-memory.dmp	xmrig
behavioral2/memory/1832-1959-0x00007FF73B5A0000-0x00007FF73B991000-memory.dmp	xmrig
behavioral2/memory/3256-1960-0x00007FF772DB0000-0x00007FF7731A1000-memory.dmp	xmrig
behavioral2/memory/3412-1961-0x00007FF6A09B0000-0x00007FF6A0DA1000-memory.dmp	xmrig
behavioral2/memory/2012-1994-0x00007FF74EC10000-0x00007FF74F001000-memory.dmp	xmrig
behavioral2/memory/2228-1995-0x00007FF676AA0000-0x00007FF676E91000-memory.dmp	xmrig
behavioral2/memory/3256-2001-0x00007FF772DB0000-0x00007FF7731A1000-memory.dmp	xmrig
behavioral2/memory/3412-2003-0x00007FF6A09B0000-0x00007FF6A0DA1000-memory.dmp	xmrig
behavioral2/memory/3776-2009-0x00007FF7B2560000-0x00007FF7B2951000-memory.dmp	xmrig
behavioral2/memory/1852-2008-0x00007FF671F90000-0x00007FF672381000-memory.dmp	xmrig
behavioral2/memory/2012-2005-0x00007FF74EC10000-0x00007FF74F001000-memory.dmp	xmrig
behavioral2/memory/1468-2013-0x00007FF6C3760000-0x00007FF6C3B51000-memory.dmp	xmrig
behavioral2/memory/4544-2011-0x00007FF604910000-0x00007FF604D01000-memory.dmp	xmrig
behavioral2/memory/1464-2019-0x00007FF777C10000-0x00007FF778001000-memory.dmp	xmrig
behavioral2/memory/972-2037-0x00007FF770230000-0x00007FF770621000-memory.dmp	xmrig
behavioral2/memory/3792-2043-0x00007FF763080000-0x00007FF763471000-memory.dmp	xmrig
behavioral2/memory/3908-2048-0x00007FF601D10000-0x00007FF602101000-memory.dmp	xmrig
behavioral2/memory/2420-2041-0x00007FF698D00000-0x00007FF6990F1000-memory.dmp	xmrig
behavioral2/memory/3428-2039-0x00007FF728CB0000-0x00007FF7290A1000-memory.dmp	xmrig
behavioral2/memory/4620-2035-0x00007FF63B250000-0x00007FF63B641000-memory.dmp	xmrig
behavioral2/memory/1980-2033-0x00007FF6EABB0000-0x00007FF6EAFA1000-memory.dmp	xmrig
behavioral2/memory/1196-2031-0x00007FF69D320000-0x00007FF69D711000-memory.dmp	xmrig
behavioral2/memory/2084-2029-0x00007FF64B710000-0x00007FF64BB01000-memory.dmp	xmrig
behavioral2/memory/4752-2027-0x00007FF68A9B0000-0x00007FF68ADA1000-memory.dmp	xmrig
behavioral2/memory/3920-2025-0x00007FF7BB930000-0x00007FF7BBD21000-memory.dmp	xmrig
behavioral2/memory/4532-2021-0x00007FF67C8F0000-0x00007FF67CCE1000-memory.dmp	xmrig
behavioral2/memory/2928-2017-0x00007FF6A59C0000-0x00007FF6A5DB1000-memory.dmp	xmrig
behavioral2/memory/2168-2015-0x00007FF6445F0000-0x00007FF6449E1000-memory.dmp	xmrig
behavioral2/memory/3044-2023-0x00007FF781AD0000-0x00007FF781EC1000-memory.dmp	xmrig
behavioral2/memory/2228-2116-0x00007FF676AA0000-0x00007FF676E91000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3256	LgeeevS.exe
3412	budyfSf.exe
2012	fYqwXrg.exe
1852	Qwxwuhu.exe
3776	UgJJMvk.exe
2228	WaENIbN.exe
4544	bdqSiEA.exe
1468	gnCyLRS.exe
2928	kePiext.exe
2168	BRcGyBW.exe
1464	KtvfuVs.exe
3920	KbFqIfI.exe
2084	gAtEKTz.exe
1980	YwINqGT.exe
972	DpqejJO.exe
1196	DSiGwlP.exe
4620	HTNMgfx.exe
4752	KHwQLQr.exe
3044	MbEcYLC.exe
4532	QwDXcmM.exe
3428	rDSrgCY.exe
2420	KeUvPSb.exe
3792	kCPDiYZ.exe
3908	BoSjGuD.exe
948	rEJYDLE.exe
4176	rArMjQM.exe
4456	IAryQBZ.exe
884	OaOHYTo.exe
4568	wKniCkp.exe
1716	oKRlUuQ.exe
4012	wzRbRYG.exe
2844	JWCzEyL.exe
4732	WhIivGE.exe
384	HETgyex.exe
1456	MhHeqtF.exe
4084	CUWBKIT.exe
3836	WDStBYG.exe
3484	RVlTKnw.exe
2924	QwSXtUz.exe
1580	rmtlXPx.exe
4304	XbmlYpL.exe
528	ichhZns.exe
1984	udIDHkU.exe
1536	mJrcMtw.exe
3636	GceYtoe.exe
3260	NWojLiA.exe
1828	qhFERfj.exe
1944	houwHRO.exe
2696	CRDfvtD.exe
2268	AMWASPu.exe
1476	AvLJspt.exe
2248	fSJdHBu.exe
4468	tDGdOvB.exe
2360	xKBNLFX.exe
1336	mWdDKzP.exe
3580	NxWkmnD.exe
1724	aQIRkUT.exe
3000	okdgzYb.exe
5068	KMBLyrv.exe
1928	mPtmiGh.exe
4496	UwddJsM.exe
2800	vFfveBX.exe
3892	SoMpNRA.exe
3940	HvTflZw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1832-0-0x00007FF73B5A0000-0x00007FF73B991000-memory.dmp	upx
behavioral2/memory/3256-8-0x00007FF772DB0000-0x00007FF7731A1000-memory.dmp	upx
behavioral2/files/0x000a000000023bbb-9.dat	upx
behavioral2/memory/3412-16-0x00007FF6A09B0000-0x00007FF6A0DA1000-memory.dmp	upx
behavioral2/files/0x0031000000023bbc-22.dat	upx
behavioral2/files/0x0031000000023bbd-29.dat	upx
behavioral2/memory/1852-33-0x00007FF671F90000-0x00007FF672381000-memory.dmp	upx
behavioral2/files/0x0031000000023bbe-36.dat	upx
behavioral2/files/0x000a000000023bc1-49.dat	upx
behavioral2/files/0x000a000000023bc2-56.dat	upx
behavioral2/files/0x000a000000023bc3-61.dat	upx
behavioral2/files/0x000a000000023bc5-69.dat	upx
behavioral2/files/0x000a000000023bc8-86.dat	upx
behavioral2/files/0x000a000000023bca-96.dat	upx
behavioral2/files/0x000a000000023bcc-106.dat	upx
behavioral2/files/0x000a000000023bce-116.dat	upx
behavioral2/files/0x000a000000023bd6-156.dat	upx
behavioral2/memory/1468-380-0x00007FF6C3760000-0x00007FF6C3B51000-memory.dmp	upx
behavioral2/memory/2928-386-0x00007FF6A59C0000-0x00007FF6A5DB1000-memory.dmp	upx
behavioral2/memory/1464-388-0x00007FF777C10000-0x00007FF778001000-memory.dmp	upx
behavioral2/memory/2168-387-0x00007FF6445F0000-0x00007FF6449E1000-memory.dmp	upx
behavioral2/memory/4544-373-0x00007FF604910000-0x00007FF604D01000-memory.dmp	upx
behavioral2/memory/3920-389-0x00007FF7BB930000-0x00007FF7BBD21000-memory.dmp	upx
behavioral2/memory/2084-393-0x00007FF64B710000-0x00007FF64BB01000-memory.dmp	upx
behavioral2/memory/1980-403-0x00007FF6EABB0000-0x00007FF6EAFA1000-memory.dmp	upx
behavioral2/memory/972-406-0x00007FF770230000-0x00007FF770621000-memory.dmp	upx
behavioral2/memory/1196-413-0x00007FF69D320000-0x00007FF69D711000-memory.dmp	upx
behavioral2/memory/4620-416-0x00007FF63B250000-0x00007FF63B641000-memory.dmp	upx
behavioral2/memory/4752-421-0x00007FF68A9B0000-0x00007FF68ADA1000-memory.dmp	upx
behavioral2/files/0x000a000000023bd8-166.dat	upx
behavioral2/files/0x000a000000023bd7-161.dat	upx
behavioral2/files/0x000a000000023bd5-151.dat	upx
behavioral2/files/0x000a000000023bd4-146.dat	upx
behavioral2/files/0x000a000000023bd3-141.dat	upx
behavioral2/files/0x000a000000023bd2-136.dat	upx
behavioral2/files/0x000a000000023bd1-131.dat	upx
behavioral2/files/0x000a000000023bd0-126.dat	upx
behavioral2/files/0x000a000000023bcf-121.dat	upx
behavioral2/files/0x000a000000023bcd-111.dat	upx
behavioral2/files/0x000a000000023bcb-101.dat	upx
behavioral2/files/0x000a000000023bc9-91.dat	upx
behavioral2/memory/3792-444-0x00007FF763080000-0x00007FF763471000-memory.dmp	upx
behavioral2/memory/3908-447-0x00007FF601D10000-0x00007FF602101000-memory.dmp	upx
behavioral2/memory/2420-439-0x00007FF698D00000-0x00007FF6990F1000-memory.dmp	upx
behavioral2/memory/3428-434-0x00007FF728CB0000-0x00007FF7290A1000-memory.dmp	upx
behavioral2/memory/4532-429-0x00007FF67C8F0000-0x00007FF67CCE1000-memory.dmp	upx
behavioral2/memory/3044-424-0x00007FF781AD0000-0x00007FF781EC1000-memory.dmp	upx
behavioral2/files/0x000a000000023bc7-81.dat	upx
behavioral2/files/0x000a000000023bc6-76.dat	upx
behavioral2/files/0x000a000000023bc4-66.dat	upx
behavioral2/files/0x000a000000023bc0-46.dat	upx
behavioral2/files/0x000a000000023bbf-41.dat	upx
behavioral2/memory/2228-37-0x00007FF676AA0000-0x00007FF676E91000-memory.dmp	upx
behavioral2/memory/3776-35-0x00007FF7B2560000-0x00007FF7B2951000-memory.dmp	upx
behavioral2/memory/2012-20-0x00007FF74EC10000-0x00007FF74F001000-memory.dmp	upx
behavioral2/files/0x000a000000023bba-14.dat	upx
behavioral2/files/0x000b000000023bb6-11.dat	upx
behavioral2/memory/1832-1959-0x00007FF73B5A0000-0x00007FF73B991000-memory.dmp	upx
behavioral2/memory/3256-1960-0x00007FF772DB0000-0x00007FF7731A1000-memory.dmp	upx
behavioral2/memory/3412-1961-0x00007FF6A09B0000-0x00007FF6A0DA1000-memory.dmp	upx
behavioral2/memory/2012-1994-0x00007FF74EC10000-0x00007FF74F001000-memory.dmp	upx
behavioral2/memory/2228-1995-0x00007FF676AA0000-0x00007FF676E91000-memory.dmp	upx
behavioral2/memory/3256-2001-0x00007FF772DB0000-0x00007FF7731A1000-memory.dmp	upx
behavioral2/memory/3412-2003-0x00007FF6A09B0000-0x00007FF6A0DA1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ZuZOlZi.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\gHztCRz.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\uizPHKQ.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\DpqejJO.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\EUQBPrU.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\hJaiJbF.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\FJfpJiq.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\rRPZBvw.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\njCQPhA.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\XRndADJ.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\RKeMIhi.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\GldFBuv.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\aPOcBSX.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\mtVhXWM.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\HTNMgfx.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\cViMTaa.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\TSMsbQz.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\YjhoEai.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\WklPGPF.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\rtcBOxh.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\tcmzOTz.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\bLDSGkg.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\gnCyLRS.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\SVmUzYh.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\CidtAvw.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\OsKPHQG.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\dXtifFe.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\FNeCnRg.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\gVHCtMd.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\BSFzLzq.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\fxFOcor.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\INDEjKU.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\NoXDFgP.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\xCQRrJN.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\OmMtJyk.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\MbEcYLC.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\vUIytcC.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\sUSHRyC.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\XTSxweF.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\ATrNHYk.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\kFaMrBB.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\RQbykNI.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\rmtlXPx.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\YtlZvXL.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\EJosuLy.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\ImbKFzn.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\vJkAxwY.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\lrbYlue.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\LtgaFUq.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\PCIPRLn.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\hSuVvOZ.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\vHPHBeW.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\QQOCFRY.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\ichhZns.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\fjrlaQy.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\sAgPIMJ.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\VkNOWYK.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\zynYZYG.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\MPXCEmk.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\CpApguf.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\DSiGwlP.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\LMPkVWg.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\WBbyMZV.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
File created	C:\Windows\System32\SmBjvec.exe	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12160	dwm.exe
Token: SeChangeNotifyPrivilege	12160	dwm.exe
Token: 33	12160	dwm.exe
Token: SeIncBasePriorityPrivilege	12160	dwm.exe
Token: SeShutdownPrivilege	12160	dwm.exe
Token: SeCreatePagefilePrivilege	12160	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 3256	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	85
PID 1832 wrote to memory of 3256	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	85
PID 1832 wrote to memory of 3412	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	86
PID 1832 wrote to memory of 3412	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	86
PID 1832 wrote to memory of 2012	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	87
PID 1832 wrote to memory of 2012	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	87
PID 1832 wrote to memory of 1852	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	88
PID 1832 wrote to memory of 1852	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	88
PID 1832 wrote to memory of 3776	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	89
PID 1832 wrote to memory of 3776	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	89
PID 1832 wrote to memory of 2228	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	90
PID 1832 wrote to memory of 2228	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	90
PID 1832 wrote to memory of 4544	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	91
PID 1832 wrote to memory of 4544	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	91
PID 1832 wrote to memory of 1468	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	92
PID 1832 wrote to memory of 1468	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	92
PID 1832 wrote to memory of 2928	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	93
PID 1832 wrote to memory of 2928	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	93
PID 1832 wrote to memory of 2168	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	94
PID 1832 wrote to memory of 2168	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	94
PID 1832 wrote to memory of 1464	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	95
PID 1832 wrote to memory of 1464	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	95
PID 1832 wrote to memory of 3920	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	96
PID 1832 wrote to memory of 3920	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	96
PID 1832 wrote to memory of 2084	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	97
PID 1832 wrote to memory of 2084	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	97
PID 1832 wrote to memory of 1980	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	98
PID 1832 wrote to memory of 1980	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	98
PID 1832 wrote to memory of 972	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	99
PID 1832 wrote to memory of 972	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	99
PID 1832 wrote to memory of 1196	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	100
PID 1832 wrote to memory of 1196	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	100
PID 1832 wrote to memory of 4620	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	101
PID 1832 wrote to memory of 4620	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	101
PID 1832 wrote to memory of 4752	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	102
PID 1832 wrote to memory of 4752	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	102
PID 1832 wrote to memory of 3044	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	103
PID 1832 wrote to memory of 3044	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	103
PID 1832 wrote to memory of 4532	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	104
PID 1832 wrote to memory of 4532	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	104
PID 1832 wrote to memory of 3428	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	105
PID 1832 wrote to memory of 3428	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	105
PID 1832 wrote to memory of 2420	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	106
PID 1832 wrote to memory of 2420	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	106
PID 1832 wrote to memory of 3792	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	107
PID 1832 wrote to memory of 3792	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	107
PID 1832 wrote to memory of 3908	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	108
PID 1832 wrote to memory of 3908	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	108
PID 1832 wrote to memory of 948	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	109
PID 1832 wrote to memory of 948	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	109
PID 1832 wrote to memory of 4176	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	110
PID 1832 wrote to memory of 4176	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	110
PID 1832 wrote to memory of 4456	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	111
PID 1832 wrote to memory of 4456	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	111
PID 1832 wrote to memory of 884	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	112
PID 1832 wrote to memory of 884	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	112
PID 1832 wrote to memory of 4568	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	113
PID 1832 wrote to memory of 4568	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	113
PID 1832 wrote to memory of 1716	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	114
PID 1832 wrote to memory of 1716	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	114
PID 1832 wrote to memory of 4012	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	115
PID 1832 wrote to memory of 4012	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	115
PID 1832 wrote to memory of 2844	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	116
PID 1832 wrote to memory of 2844	1832	0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ffdb86232060094189d1e2d0d624cc4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\System32\LgeeevS.exe
  C:\Windows\System32\LgeeevS.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\budyfSf.exe
  C:\Windows\System32\budyfSf.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\fYqwXrg.exe
  C:\Windows\System32\fYqwXrg.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System32\Qwxwuhu.exe
  C:\Windows\System32\Qwxwuhu.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System32\UgJJMvk.exe
  C:\Windows\System32\UgJJMvk.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\WaENIbN.exe
  C:\Windows\System32\WaENIbN.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System32\bdqSiEA.exe
  C:\Windows\System32\bdqSiEA.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\gnCyLRS.exe
  C:\Windows\System32\gnCyLRS.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System32\kePiext.exe
  C:\Windows\System32\kePiext.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System32\BRcGyBW.exe
  C:\Windows\System32\BRcGyBW.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System32\KtvfuVs.exe
  C:\Windows\System32\KtvfuVs.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System32\KbFqIfI.exe
  C:\Windows\System32\KbFqIfI.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\gAtEKTz.exe
  C:\Windows\System32\gAtEKTz.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System32\YwINqGT.exe
  C:\Windows\System32\YwINqGT.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\DpqejJO.exe
  C:\Windows\System32\DpqejJO.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System32\DSiGwlP.exe
  C:\Windows\System32\DSiGwlP.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System32\HTNMgfx.exe
  C:\Windows\System32\HTNMgfx.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System32\KHwQLQr.exe
  C:\Windows\System32\KHwQLQr.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System32\MbEcYLC.exe
  C:\Windows\System32\MbEcYLC.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\QwDXcmM.exe
  C:\Windows\System32\QwDXcmM.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System32\rDSrgCY.exe
  C:\Windows\System32\rDSrgCY.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System32\KeUvPSb.exe
  C:\Windows\System32\KeUvPSb.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System32\kCPDiYZ.exe
  C:\Windows\System32\kCPDiYZ.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System32\BoSjGuD.exe
  C:\Windows\System32\BoSjGuD.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System32\rEJYDLE.exe
  C:\Windows\System32\rEJYDLE.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System32\rArMjQM.exe
  C:\Windows\System32\rArMjQM.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System32\IAryQBZ.exe
  C:\Windows\System32\IAryQBZ.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\OaOHYTo.exe
  C:\Windows\System32\OaOHYTo.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System32\wKniCkp.exe
  C:\Windows\System32\wKniCkp.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\oKRlUuQ.exe
  C:\Windows\System32\oKRlUuQ.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System32\wzRbRYG.exe
  C:\Windows\System32\wzRbRYG.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System32\JWCzEyL.exe
  C:\Windows\System32\JWCzEyL.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System32\WhIivGE.exe
  C:\Windows\System32\WhIivGE.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\HETgyex.exe
  C:\Windows\System32\HETgyex.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System32\MhHeqtF.exe
  C:\Windows\System32\MhHeqtF.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System32\CUWBKIT.exe
  C:\Windows\System32\CUWBKIT.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System32\WDStBYG.exe
  C:\Windows\System32\WDStBYG.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System32\RVlTKnw.exe
  C:\Windows\System32\RVlTKnw.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\QwSXtUz.exe
  C:\Windows\System32\QwSXtUz.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System32\rmtlXPx.exe
  C:\Windows\System32\rmtlXPx.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System32\XbmlYpL.exe
  C:\Windows\System32\XbmlYpL.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\ichhZns.exe
  C:\Windows\System32\ichhZns.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System32\udIDHkU.exe
  C:\Windows\System32\udIDHkU.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\mJrcMtw.exe
  C:\Windows\System32\mJrcMtw.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System32\GceYtoe.exe
  C:\Windows\System32\GceYtoe.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\NWojLiA.exe
  C:\Windows\System32\NWojLiA.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\qhFERfj.exe
  C:\Windows\System32\qhFERfj.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System32\houwHRO.exe
  C:\Windows\System32\houwHRO.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\CRDfvtD.exe
  C:\Windows\System32\CRDfvtD.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System32\AMWASPu.exe
  C:\Windows\System32\AMWASPu.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System32\AvLJspt.exe
  C:\Windows\System32\AvLJspt.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System32\fSJdHBu.exe
  C:\Windows\System32\fSJdHBu.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System32\tDGdOvB.exe
  C:\Windows\System32\tDGdOvB.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\xKBNLFX.exe
  C:\Windows\System32\xKBNLFX.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System32\mWdDKzP.exe
  C:\Windows\System32\mWdDKzP.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System32\NxWkmnD.exe
  C:\Windows\System32\NxWkmnD.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\aQIRkUT.exe
  C:\Windows\System32\aQIRkUT.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System32\okdgzYb.exe
  C:\Windows\System32\okdgzYb.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\KMBLyrv.exe
  C:\Windows\System32\KMBLyrv.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\mPtmiGh.exe
  C:\Windows\System32\mPtmiGh.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System32\UwddJsM.exe
  C:\Windows\System32\UwddJsM.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\vFfveBX.exe
  C:\Windows\System32\vFfveBX.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\SoMpNRA.exe
  C:\Windows\System32\SoMpNRA.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\HvTflZw.exe
  C:\Windows\System32\HvTflZw.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System32\VyftVwr.exe
  C:\Windows\System32\VyftVwr.exe
  2⤵
  PID:1228
- C:\Windows\System32\MZynCKB.exe
  C:\Windows\System32\MZynCKB.exe
  2⤵
  PID:3216
- C:\Windows\System32\eLrePvh.exe
  C:\Windows\System32\eLrePvh.exe
  2⤵
  PID:4380
- C:\Windows\System32\wqxWIiS.exe
  C:\Windows\System32\wqxWIiS.exe
  2⤵
  PID:3832
- C:\Windows\System32\ZuZOlZi.exe
  C:\Windows\System32\ZuZOlZi.exe
  2⤵
  PID:396
- C:\Windows\System32\ITnKROp.exe
  C:\Windows\System32\ITnKROp.exe
  2⤵
  PID:2516
- C:\Windows\System32\fZBmwhI.exe
  C:\Windows\System32\fZBmwhI.exe
  2⤵
  PID:3624
- C:\Windows\System32\QlUoPbk.exe
  C:\Windows\System32\QlUoPbk.exe
  2⤵
  PID:2020
- C:\Windows\System32\fULgYon.exe
  C:\Windows\System32\fULgYon.exe
  2⤵
  PID:628
- C:\Windows\System32\aJdTDjJ.exe
  C:\Windows\System32\aJdTDjJ.exe
  2⤵
  PID:3416
- C:\Windows\System32\Wdhotvf.exe
  C:\Windows\System32\Wdhotvf.exe
  2⤵
  PID:4720
- C:\Windows\System32\SVmUzYh.exe
  C:\Windows\System32\SVmUzYh.exe
  2⤵
  PID:4368
- C:\Windows\System32\NKFWiiS.exe
  C:\Windows\System32\NKFWiiS.exe
  2⤵
  PID:1472
- C:\Windows\System32\DQTqidz.exe
  C:\Windows\System32\DQTqidz.exe
  2⤵
  PID:2264
- C:\Windows\System32\SHLYOBw.exe
  C:\Windows\System32\SHLYOBw.exe
  2⤵
  PID:4944
- C:\Windows\System32\FOQZMOZ.exe
  C:\Windows\System32\FOQZMOZ.exe
  2⤵
  PID:4584
- C:\Windows\System32\ulgoskq.exe
  C:\Windows\System32\ulgoskq.exe
  2⤵
  PID:4816
- C:\Windows\System32\BhUkwNN.exe
  C:\Windows\System32\BhUkwNN.exe
  2⤵
  PID:4896
- C:\Windows\System32\WURfMnN.exe
  C:\Windows\System32\WURfMnN.exe
  2⤵
  PID:1940
- C:\Windows\System32\AJORqnF.exe
  C:\Windows\System32\AJORqnF.exe
  2⤵
  PID:2412
- C:\Windows\System32\hDkGWkB.exe
  C:\Windows\System32\hDkGWkB.exe
  2⤵
  PID:1180
- C:\Windows\System32\GPhhyYe.exe
  C:\Windows\System32\GPhhyYe.exe
  2⤵
  PID:4476
- C:\Windows\System32\erNFOhF.exe
  C:\Windows\System32\erNFOhF.exe
  2⤵
  PID:4428
- C:\Windows\System32\qRjcsMt.exe
  C:\Windows\System32\qRjcsMt.exe
  2⤵
  PID:544
- C:\Windows\System32\YjhoEai.exe
  C:\Windows\System32\YjhoEai.exe
  2⤵
  PID:2520
- C:\Windows\System32\rAMVnYb.exe
  C:\Windows\System32\rAMVnYb.exe
  2⤵
  PID:2668
- C:\Windows\System32\jYGwCGc.exe
  C:\Windows\System32\jYGwCGc.exe
  2⤵
  PID:5000
- C:\Windows\System32\TVKiyku.exe
  C:\Windows\System32\TVKiyku.exe
  2⤵
  PID:4716
- C:\Windows\System32\bPnkjAY.exe
  C:\Windows\System32\bPnkjAY.exe
  2⤵
  PID:1264
- C:\Windows\System32\JnezPRP.exe
  C:\Windows\System32\JnezPRP.exe
  2⤵
  PID:4996
- C:\Windows\System32\dxwvFQr.exe
  C:\Windows\System32\dxwvFQr.exe
  2⤵
  PID:3672
- C:\Windows\System32\oUlUaHH.exe
  C:\Windows\System32\oUlUaHH.exe
  2⤵
  PID:4372
- C:\Windows\System32\AGPsLwV.exe
  C:\Windows\System32\AGPsLwV.exe
  2⤵
  PID:1564
- C:\Windows\System32\yfHpPGM.exe
  C:\Windows\System32\yfHpPGM.exe
  2⤵
  PID:1016
- C:\Windows\System32\NEwRhrv.exe
  C:\Windows\System32\NEwRhrv.exe
  2⤵
  PID:4052
- C:\Windows\System32\ndErqpb.exe
  C:\Windows\System32\ndErqpb.exe
  2⤵
  PID:2128
- C:\Windows\System32\ynQsaxz.exe
  C:\Windows\System32\ynQsaxz.exe
  2⤵
  PID:5140
- C:\Windows\System32\LMPkVWg.exe
  C:\Windows\System32\LMPkVWg.exe
  2⤵
  PID:5164
- C:\Windows\System32\CNhZevJ.exe
  C:\Windows\System32\CNhZevJ.exe
  2⤵
  PID:5180
- C:\Windows\System32\zDnvxdw.exe
  C:\Windows\System32\zDnvxdw.exe
  2⤵
  PID:5196
- C:\Windows\System32\dSLRxqS.exe
  C:\Windows\System32\dSLRxqS.exe
  2⤵
  PID:5216
- C:\Windows\System32\TGEECcF.exe
  C:\Windows\System32\TGEECcF.exe
  2⤵
  PID:5232
- C:\Windows\System32\SXIebuq.exe
  C:\Windows\System32\SXIebuq.exe
  2⤵
  PID:5340
- C:\Windows\System32\YPkkqsg.exe
  C:\Windows\System32\YPkkqsg.exe
  2⤵
  PID:5368
- C:\Windows\System32\xqvzDgB.exe
  C:\Windows\System32\xqvzDgB.exe
  2⤵
  PID:5392
- C:\Windows\System32\aOPNiAd.exe
  C:\Windows\System32\aOPNiAd.exe
  2⤵
  PID:5428
- C:\Windows\System32\BOIqFTB.exe
  C:\Windows\System32\BOIqFTB.exe
  2⤵
  PID:5464
- C:\Windows\System32\XrVdsdv.exe
  C:\Windows\System32\XrVdsdv.exe
  2⤵
  PID:5492
- C:\Windows\System32\VztWkCg.exe
  C:\Windows\System32\VztWkCg.exe
  2⤵
  PID:5508
- C:\Windows\System32\Jimwthd.exe
  C:\Windows\System32\Jimwthd.exe
  2⤵
  PID:5600
- C:\Windows\System32\goUlTKg.exe
  C:\Windows\System32\goUlTKg.exe
  2⤵
  PID:5628
- C:\Windows\System32\bevabqb.exe
  C:\Windows\System32\bevabqb.exe
  2⤵
  PID:5644
- C:\Windows\System32\GFFqtEQ.exe
  C:\Windows\System32\GFFqtEQ.exe
  2⤵
  PID:5664
- C:\Windows\System32\BSFzLzq.exe
  C:\Windows\System32\BSFzLzq.exe
  2⤵
  PID:5708
- C:\Windows\System32\HIsHFqB.exe
  C:\Windows\System32\HIsHFqB.exe
  2⤵
  PID:5728
- C:\Windows\System32\feKOmqx.exe
  C:\Windows\System32\feKOmqx.exe
  2⤵
  PID:5744
- C:\Windows\System32\yxpjfZK.exe
  C:\Windows\System32\yxpjfZK.exe
  2⤵
  PID:5760
- C:\Windows\System32\HOUjTst.exe
  C:\Windows\System32\HOUjTst.exe
  2⤵
  PID:5792
- C:\Windows\System32\EelrNHZ.exe
  C:\Windows\System32\EelrNHZ.exe
  2⤵
  PID:5844
- C:\Windows\System32\qnmfzhN.exe
  C:\Windows\System32\qnmfzhN.exe
  2⤵
  PID:5892
- C:\Windows\System32\gRtTFtc.exe
  C:\Windows\System32\gRtTFtc.exe
  2⤵
  PID:5908
- C:\Windows\System32\ewOCMzs.exe
  C:\Windows\System32\ewOCMzs.exe
  2⤵
  PID:5972
- C:\Windows\System32\vumYWoZ.exe
  C:\Windows\System32\vumYWoZ.exe
  2⤵
  PID:6000
- C:\Windows\System32\hDsvXpw.exe
  C:\Windows\System32\hDsvXpw.exe
  2⤵
  PID:6032
- C:\Windows\System32\kCZHeKQ.exe
  C:\Windows\System32\kCZHeKQ.exe
  2⤵
  PID:6052
- C:\Windows\System32\ogmddLh.exe
  C:\Windows\System32\ogmddLh.exe
  2⤵
  PID:6084
- C:\Windows\System32\YXXRYSj.exe
  C:\Windows\System32\YXXRYSj.exe
  2⤵
  PID:6116
- C:\Windows\System32\OnBshKm.exe
  C:\Windows\System32\OnBshKm.exe
  2⤵
  PID:6140
- C:\Windows\System32\wBUDjQV.exe
  C:\Windows\System32\wBUDjQV.exe
  2⤵
  PID:3932
- C:\Windows\System32\byYmNBF.exe
  C:\Windows\System32\byYmNBF.exe
  2⤵
  PID:4492
- C:\Windows\System32\cnNyvKf.exe
  C:\Windows\System32\cnNyvKf.exe
  2⤵
  PID:3156
- C:\Windows\System32\SmBjvec.exe
  C:\Windows\System32\SmBjvec.exe
  2⤵
  PID:5156
- C:\Windows\System32\TotmUTo.exe
  C:\Windows\System32\TotmUTo.exe
  2⤵
  PID:5128
- C:\Windows\System32\lxmoQne.exe
  C:\Windows\System32\lxmoQne.exe
  2⤵
  PID:864
- C:\Windows\System32\ZhDGdkn.exe
  C:\Windows\System32\ZhDGdkn.exe
  2⤵
  PID:5308
- C:\Windows\System32\xocCtVT.exe
  C:\Windows\System32\xocCtVT.exe
  2⤵
  PID:5416
- C:\Windows\System32\FcWmGOD.exe
  C:\Windows\System32\FcWmGOD.exe
  2⤵
  PID:5532
- C:\Windows\System32\GWXNMJa.exe
  C:\Windows\System32\GWXNMJa.exe
  2⤵
  PID:5540
- C:\Windows\System32\GHZKjFW.exe
  C:\Windows\System32\GHZKjFW.exe
  2⤵
  PID:1796
- C:\Windows\System32\WmFBOKI.exe
  C:\Windows\System32\WmFBOKI.exe
  2⤵
  PID:5280
- C:\Windows\System32\ySRnaJe.exe
  C:\Windows\System32\ySRnaJe.exe
  2⤵
  PID:5316
- C:\Windows\System32\fPnBxMN.exe
  C:\Windows\System32\fPnBxMN.exe
  2⤵
  PID:5620
- C:\Windows\System32\QkjEVBZ.exe
  C:\Windows\System32\QkjEVBZ.exe
  2⤵
  PID:5716
- C:\Windows\System32\ggfleVF.exe
  C:\Windows\System32\ggfleVF.exe
  2⤵
  PID:5828
- C:\Windows\System32\xfyettT.exe
  C:\Windows\System32\xfyettT.exe
  2⤵
  PID:5868
- C:\Windows\System32\qaFiQKl.exe
  C:\Windows\System32\qaFiQKl.exe
  2⤵
  PID:5688
- C:\Windows\System32\tPpSZuE.exe
  C:\Windows\System32\tPpSZuE.exe
  2⤵
  PID:5984
- C:\Windows\System32\ShTLadk.exe
  C:\Windows\System32\ShTLadk.exe
  2⤵
  PID:6024
- C:\Windows\System32\DhCQXJz.exe
  C:\Windows\System32\DhCQXJz.exe
  2⤵
  PID:6068
- C:\Windows\System32\ahQjTLV.exe
  C:\Windows\System32\ahQjTLV.exe
  2⤵
  PID:6128
- C:\Windows\System32\QcQWRVF.exe
  C:\Windows\System32\QcQWRVF.exe
  2⤵
  PID:2944
- C:\Windows\System32\tqQVypn.exe
  C:\Windows\System32\tqQVypn.exe
  2⤵
  PID:5224
- C:\Windows\System32\AAeqFCs.exe
  C:\Windows\System32\AAeqFCs.exe
  2⤵
  PID:5248
- C:\Windows\System32\ePOMcRu.exe
  C:\Windows\System32\ePOMcRu.exe
  2⤵
  PID:5500
- C:\Windows\System32\CidtAvw.exe
  C:\Windows\System32\CidtAvw.exe
  2⤵
  PID:5488
- C:\Windows\System32\OGQykLd.exe
  C:\Windows\System32\OGQykLd.exe
  2⤵
  PID:5804
- C:\Windows\System32\zRUalSS.exe
  C:\Windows\System32\zRUalSS.exe
  2⤵
  PID:5652
- C:\Windows\System32\DKvEAtZ.exe
  C:\Windows\System32\DKvEAtZ.exe
  2⤵
  PID:6028
- C:\Windows\System32\AbgsYWO.exe
  C:\Windows\System32\AbgsYWO.exe
  2⤵
  PID:2936
- C:\Windows\System32\UIIUkqX.exe
  C:\Windows\System32\UIIUkqX.exe
  2⤵
  PID:4312
- C:\Windows\System32\ZjGMQTx.exe
  C:\Windows\System32\ZjGMQTx.exe
  2⤵
  PID:5900
- C:\Windows\System32\iefozRQ.exe
  C:\Windows\System32\iefozRQ.exe
  2⤵
  PID:6064
- C:\Windows\System32\xEKWdmD.exe
  C:\Windows\System32\xEKWdmD.exe
  2⤵
  PID:5564
- C:\Windows\System32\nxkjjBU.exe
  C:\Windows\System32\nxkjjBU.exe
  2⤵
  PID:5328
- C:\Windows\System32\HHCtNPF.exe
  C:\Windows\System32\HHCtNPF.exe
  2⤵
  PID:6148
- C:\Windows\System32\GMqUTYV.exe
  C:\Windows\System32\GMqUTYV.exe
  2⤵
  PID:6164
- C:\Windows\System32\MtITbSG.exe
  C:\Windows\System32\MtITbSG.exe
  2⤵
  PID:6192
- C:\Windows\System32\uobCQYz.exe
  C:\Windows\System32\uobCQYz.exe
  2⤵
  PID:6264
- C:\Windows\System32\tkXHFaf.exe
  C:\Windows\System32\tkXHFaf.exe
  2⤵
  PID:6288
- C:\Windows\System32\fVcOAFu.exe
  C:\Windows\System32\fVcOAFu.exe
  2⤵
  PID:6320
- C:\Windows\System32\eNtHALf.exe
  C:\Windows\System32\eNtHALf.exe
  2⤵
  PID:6336
- C:\Windows\System32\zVAkeIF.exe
  C:\Windows\System32\zVAkeIF.exe
  2⤵
  PID:6376
- C:\Windows\System32\hKgxAnT.exe
  C:\Windows\System32\hKgxAnT.exe
  2⤵
  PID:6396
- C:\Windows\System32\MIFeBWd.exe
  C:\Windows\System32\MIFeBWd.exe
  2⤵
  PID:6424
- C:\Windows\System32\egpzWil.exe
  C:\Windows\System32\egpzWil.exe
  2⤵
  PID:6444
- C:\Windows\System32\UDHOFMw.exe
  C:\Windows\System32\UDHOFMw.exe
  2⤵
  PID:6464
- C:\Windows\System32\lktNsjt.exe
  C:\Windows\System32\lktNsjt.exe
  2⤵
  PID:6480
- C:\Windows\System32\VgYTndh.exe
  C:\Windows\System32\VgYTndh.exe
  2⤵
  PID:6520
- C:\Windows\System32\AxoWrNW.exe
  C:\Windows\System32\AxoWrNW.exe
  2⤵
  PID:6556
- C:\Windows\System32\AqOJjIB.exe
  C:\Windows\System32\AqOJjIB.exe
  2⤵
  PID:6588
- C:\Windows\System32\nLkkeqZ.exe
  C:\Windows\System32\nLkkeqZ.exe
  2⤵
  PID:6612
- C:\Windows\System32\AUeovyh.exe
  C:\Windows\System32\AUeovyh.exe
  2⤵
  PID:6628
- C:\Windows\System32\lptYYdZ.exe
  C:\Windows\System32\lptYYdZ.exe
  2⤵
  PID:6672
- C:\Windows\System32\OaEcPIk.exe
  C:\Windows\System32\OaEcPIk.exe
  2⤵
  PID:6716
- C:\Windows\System32\WjgKVJI.exe
  C:\Windows\System32\WjgKVJI.exe
  2⤵
  PID:6756
- C:\Windows\System32\OwmRxAJ.exe
  C:\Windows\System32\OwmRxAJ.exe
  2⤵
  PID:6772
- C:\Windows\System32\ZVFCPjB.exe
  C:\Windows\System32\ZVFCPjB.exe
  2⤵
  PID:6796
- C:\Windows\System32\ePpsKMo.exe
  C:\Windows\System32\ePpsKMo.exe
  2⤵
  PID:6812
- C:\Windows\System32\jcBsRkp.exe
  C:\Windows\System32\jcBsRkp.exe
  2⤵
  PID:6832
- C:\Windows\System32\nnilljf.exe
  C:\Windows\System32\nnilljf.exe
  2⤵
  PID:6872
- C:\Windows\System32\ImbKFzn.exe
  C:\Windows\System32\ImbKFzn.exe
  2⤵
  PID:6924
- C:\Windows\System32\XRndADJ.exe
  C:\Windows\System32\XRndADJ.exe
  2⤵
  PID:6956
- C:\Windows\System32\qDsWtqX.exe
  C:\Windows\System32\qDsWtqX.exe
  2⤵
  PID:6972
- C:\Windows\System32\uXHuUkk.exe
  C:\Windows\System32\uXHuUkk.exe
  2⤵
  PID:7004
- C:\Windows\System32\KjnNSTv.exe
  C:\Windows\System32\KjnNSTv.exe
  2⤵
  PID:7024
- C:\Windows\System32\izmbHnZ.exe
  C:\Windows\System32\izmbHnZ.exe
  2⤵
  PID:7060
- C:\Windows\System32\oCpQQSd.exe
  C:\Windows\System32\oCpQQSd.exe
  2⤵
  PID:7084
- C:\Windows\System32\YumbBaY.exe
  C:\Windows\System32\YumbBaY.exe
  2⤵
  PID:7100
- C:\Windows\System32\iyFpdjV.exe
  C:\Windows\System32\iyFpdjV.exe
  2⤵
  PID:7120
- C:\Windows\System32\iqfKiDk.exe
  C:\Windows\System32\iqfKiDk.exe
  2⤵
  PID:5936
- C:\Windows\System32\LWWuCtB.exe
  C:\Windows\System32\LWWuCtB.exe
  2⤵
  PID:6188
- C:\Windows\System32\WuEAOol.exe
  C:\Windows\System32\WuEAOol.exe
  2⤵
  PID:6260
- C:\Windows\System32\jtZvsRb.exe
  C:\Windows\System32\jtZvsRb.exe
  2⤵
  PID:6304
- C:\Windows\System32\mOWWoLe.exe
  C:\Windows\System32\mOWWoLe.exe
  2⤵
  PID:6328
- C:\Windows\System32\jYXwwpF.exe
  C:\Windows\System32\jYXwwpF.exe
  2⤵
  PID:6392
- C:\Windows\System32\cViMTaa.exe
  C:\Windows\System32\cViMTaa.exe
  2⤵
  PID:6436
- C:\Windows\System32\IIsyOZC.exe
  C:\Windows\System32\IIsyOZC.exe
  2⤵
  PID:6636
- C:\Windows\System32\NJqACPS.exe
  C:\Windows\System32\NJqACPS.exe
  2⤵
  PID:6684
- C:\Windows\System32\wfLngPa.exe
  C:\Windows\System32\wfLngPa.exe
  2⤵
  PID:6744
- C:\Windows\System32\HQSqYEk.exe
  C:\Windows\System32\HQSqYEk.exe
  2⤵
  PID:6804
- C:\Windows\System32\tcmzOTz.exe
  C:\Windows\System32\tcmzOTz.exe
  2⤵
  PID:6852
- C:\Windows\System32\YlXmRsV.exe
  C:\Windows\System32\YlXmRsV.exe
  2⤵
  PID:6884
- C:\Windows\System32\OkNjdQc.exe
  C:\Windows\System32\OkNjdQc.exe
  2⤵
  PID:6936
- C:\Windows\System32\fxFOcor.exe
  C:\Windows\System32\fxFOcor.exe
  2⤵
  PID:7068
- C:\Windows\System32\QcJShGM.exe
  C:\Windows\System32\QcJShGM.exe
  2⤵
  PID:7140
- C:\Windows\System32\QibHaXA.exe
  C:\Windows\System32\QibHaXA.exe
  2⤵
  PID:6460
- C:\Windows\System32\vttaEaZ.exe
  C:\Windows\System32\vttaEaZ.exe
  2⤵
  PID:6440
- C:\Windows\System32\EMbBYoB.exe
  C:\Windows\System32\EMbBYoB.exe
  2⤵
  PID:6372
- C:\Windows\System32\kFnniGl.exe
  C:\Windows\System32\kFnniGl.exe
  2⤵
  PID:6768
- C:\Windows\System32\WBbyMZV.exe
  C:\Windows\System32\WBbyMZV.exe
  2⤵
  PID:6856
- C:\Windows\System32\HbXymAi.exe
  C:\Windows\System32\HbXymAi.exe
  2⤵
  PID:6948
- C:\Windows\System32\INDEjKU.exe
  C:\Windows\System32\INDEjKU.exe
  2⤵
  PID:7092
- C:\Windows\System32\SjcxHAD.exe
  C:\Windows\System32\SjcxHAD.exe
  2⤵
  PID:6276
- C:\Windows\System32\GatJpGu.exe
  C:\Windows\System32\GatJpGu.exe
  2⤵
  PID:6748
- C:\Windows\System32\msnRysZ.exe
  C:\Windows\System32\msnRysZ.exe
  2⤵
  PID:6788
- C:\Windows\System32\OiYjbBT.exe
  C:\Windows\System32\OiYjbBT.exe
  2⤵
  PID:7184
- C:\Windows\System32\ZtVqDhU.exe
  C:\Windows\System32\ZtVqDhU.exe
  2⤵
  PID:7200
- C:\Windows\System32\FGhMWkS.exe
  C:\Windows\System32\FGhMWkS.exe
  2⤵
  PID:7228
- C:\Windows\System32\uirPwAo.exe
  C:\Windows\System32\uirPwAo.exe
  2⤵
  PID:7252
- C:\Windows\System32\TrQNWFu.exe
  C:\Windows\System32\TrQNWFu.exe
  2⤵
  PID:7268
- C:\Windows\System32\QPjtsLH.exe
  C:\Windows\System32\QPjtsLH.exe
  2⤵
  PID:7324
- C:\Windows\System32\VTIUcry.exe
  C:\Windows\System32\VTIUcry.exe
  2⤵
  PID:7340
- C:\Windows\System32\RKeMIhi.exe
  C:\Windows\System32\RKeMIhi.exe
  2⤵
  PID:7368
- C:\Windows\System32\CSLPZLa.exe
  C:\Windows\System32\CSLPZLa.exe
  2⤵
  PID:7392
- C:\Windows\System32\XuAoesI.exe
  C:\Windows\System32\XuAoesI.exe
  2⤵
  PID:7412
- C:\Windows\System32\azHQskN.exe
  C:\Windows\System32\azHQskN.exe
  2⤵
  PID:7464
- C:\Windows\System32\KQxGCcb.exe
  C:\Windows\System32\KQxGCcb.exe
  2⤵
  PID:7480
- C:\Windows\System32\WfQhBsP.exe
  C:\Windows\System32\WfQhBsP.exe
  2⤵
  PID:7500
- C:\Windows\System32\QVqdhnA.exe
  C:\Windows\System32\QVqdhnA.exe
  2⤵
  PID:7524
- C:\Windows\System32\VXhZxSM.exe
  C:\Windows\System32\VXhZxSM.exe
  2⤵
  PID:7544
- C:\Windows\System32\TSMsbQz.exe
  C:\Windows\System32\TSMsbQz.exe
  2⤵
  PID:7568
- C:\Windows\System32\SpfzcQj.exe
  C:\Windows\System32\SpfzcQj.exe
  2⤵
  PID:7588
- C:\Windows\System32\WkLEfQb.exe
  C:\Windows\System32\WkLEfQb.exe
  2⤵
  PID:7636
- C:\Windows\System32\MrWBgkL.exe
  C:\Windows\System32\MrWBgkL.exe
  2⤵
  PID:7656
- C:\Windows\System32\EUQBPrU.exe
  C:\Windows\System32\EUQBPrU.exe
  2⤵
  PID:7680
- C:\Windows\System32\JnEZBez.exe
  C:\Windows\System32\JnEZBez.exe
  2⤵
  PID:7708
- C:\Windows\System32\BHZiAFW.exe
  C:\Windows\System32\BHZiAFW.exe
  2⤵
  PID:7724
- C:\Windows\System32\vKowCsD.exe
  C:\Windows\System32\vKowCsD.exe
  2⤵
  PID:7760
- C:\Windows\System32\HsCnOSf.exe
  C:\Windows\System32\HsCnOSf.exe
  2⤵
  PID:7784
- C:\Windows\System32\aLYDcmO.exe
  C:\Windows\System32\aLYDcmO.exe
  2⤵
  PID:7808
- C:\Windows\System32\TvWDSzq.exe
  C:\Windows\System32\TvWDSzq.exe
  2⤵
  PID:7824
- C:\Windows\System32\OThGNFf.exe
  C:\Windows\System32\OThGNFf.exe
  2⤵
  PID:7868
- C:\Windows\System32\fNCALaR.exe
  C:\Windows\System32\fNCALaR.exe
  2⤵
  PID:7900
- C:\Windows\System32\RaGdBFf.exe
  C:\Windows\System32\RaGdBFf.exe
  2⤵
  PID:7936
- C:\Windows\System32\DKzTDGx.exe
  C:\Windows\System32\DKzTDGx.exe
  2⤵
  PID:7964
- C:\Windows\System32\OevoXgM.exe
  C:\Windows\System32\OevoXgM.exe
  2⤵
  PID:7984
- C:\Windows\System32\fynqwuh.exe
  C:\Windows\System32\fynqwuh.exe
  2⤵
  PID:8028
- C:\Windows\System32\WeLpiYs.exe
  C:\Windows\System32\WeLpiYs.exe
  2⤵
  PID:8048
- C:\Windows\System32\gqLezYe.exe
  C:\Windows\System32\gqLezYe.exe
  2⤵
  PID:8084
- C:\Windows\System32\uFnYZro.exe
  C:\Windows\System32\uFnYZro.exe
  2⤵
  PID:8104
- C:\Windows\System32\lrbYlue.exe
  C:\Windows\System32\lrbYlue.exe
  2⤵
  PID:8120
- C:\Windows\System32\dueqUWo.exe
  C:\Windows\System32\dueqUWo.exe
  2⤵
  PID:8156
- C:\Windows\System32\CiqGDoJ.exe
  C:\Windows\System32\CiqGDoJ.exe
  2⤵
  PID:6224
- C:\Windows\System32\TmVpRFl.exe
  C:\Windows\System32\TmVpRFl.exe
  2⤵
  PID:7216
- C:\Windows\System32\gchMXmd.exe
  C:\Windows\System32\gchMXmd.exe
  2⤵
  PID:7284
- C:\Windows\System32\usjeyQj.exe
  C:\Windows\System32\usjeyQj.exe
  2⤵
  PID:7364
- C:\Windows\System32\dJKbeSt.exe
  C:\Windows\System32\dJKbeSt.exe
  2⤵
  PID:7436
- C:\Windows\System32\pHqRbXN.exe
  C:\Windows\System32\pHqRbXN.exe
  2⤵
  PID:7460
- C:\Windows\System32\ohHtrPR.exe
  C:\Windows\System32\ohHtrPR.exe
  2⤵
  PID:7508
- C:\Windows\System32\HMBnyhZ.exe
  C:\Windows\System32\HMBnyhZ.exe
  2⤵
  PID:7596
- C:\Windows\System32\axUYgMa.exe
  C:\Windows\System32\axUYgMa.exe
  2⤵
  PID:7732
- C:\Windows\System32\OsKPHQG.exe
  C:\Windows\System32\OsKPHQG.exe
  2⤵
  PID:7772
- C:\Windows\System32\VQcxwXw.exe
  C:\Windows\System32\VQcxwXw.exe
  2⤵
  PID:7816
- C:\Windows\System32\UzIOTLG.exe
  C:\Windows\System32\UzIOTLG.exe
  2⤵
  PID:7884
- C:\Windows\System32\VkNOWYK.exe
  C:\Windows\System32\VkNOWYK.exe
  2⤵
  PID:7916
- C:\Windows\System32\tOzrwxX.exe
  C:\Windows\System32\tOzrwxX.exe
  2⤵
  PID:8008
- C:\Windows\System32\FeSxlUt.exe
  C:\Windows\System32\FeSxlUt.exe
  2⤵
  PID:8060
- C:\Windows\System32\mGcyVzI.exe
  C:\Windows\System32\mGcyVzI.exe
  2⤵
  PID:8152
- C:\Windows\System32\fVHuFao.exe
  C:\Windows\System32\fVHuFao.exe
  2⤵
  PID:7072
- C:\Windows\System32\jvYVYox.exe
  C:\Windows\System32\jvYVYox.exe
  2⤵
  PID:7096
- C:\Windows\System32\abkrgoN.exe
  C:\Windows\System32\abkrgoN.exe
  2⤵
  PID:7584
- C:\Windows\System32\rwJFHIn.exe
  C:\Windows\System32\rwJFHIn.exe
  2⤵
  PID:7704
- C:\Windows\System32\LhbYeaJ.exe
  C:\Windows\System32\LhbYeaJ.exe
  2⤵
  PID:7848
- C:\Windows\System32\dXtifFe.exe
  C:\Windows\System32\dXtifFe.exe
  2⤵
  PID:7908
- C:\Windows\System32\rqXCRGT.exe
  C:\Windows\System32\rqXCRGT.exe
  2⤵
  PID:8036
- C:\Windows\System32\OpPNhpI.exe
  C:\Windows\System32\OpPNhpI.exe
  2⤵
  PID:8180
- C:\Windows\System32\ezDojkW.exe
  C:\Windows\System32\ezDojkW.exe
  2⤵
  PID:7280
- C:\Windows\System32\JpzQZvR.exe
  C:\Windows\System32\JpzQZvR.exe
  2⤵
  PID:7856
- C:\Windows\System32\mwLEWXr.exe
  C:\Windows\System32\mwLEWXr.exe
  2⤵
  PID:8200
- C:\Windows\System32\vUIytcC.exe
  C:\Windows\System32\vUIytcC.exe
  2⤵
  PID:8220
- C:\Windows\System32\mNhhvJY.exe
  C:\Windows\System32\mNhhvJY.exe
  2⤵
  PID:8256
- C:\Windows\System32\FYFWCcG.exe
  C:\Windows\System32\FYFWCcG.exe
  2⤵
  PID:8332
- C:\Windows\System32\GAVxZSr.exe
  C:\Windows\System32\GAVxZSr.exe
  2⤵
  PID:8420
- C:\Windows\System32\QdWXUVF.exe
  C:\Windows\System32\QdWXUVF.exe
  2⤵
  PID:8448
- C:\Windows\System32\EmrYNrh.exe
  C:\Windows\System32\EmrYNrh.exe
  2⤵
  PID:8472
- C:\Windows\System32\QgiZyLI.exe
  C:\Windows\System32\QgiZyLI.exe
  2⤵
  PID:8512
- C:\Windows\System32\LleGoXT.exe
  C:\Windows\System32\LleGoXT.exe
  2⤵
  PID:8528
- C:\Windows\System32\oCbOcFn.exe
  C:\Windows\System32\oCbOcFn.exe
  2⤵
  PID:8552
- C:\Windows\System32\FCYTyYB.exe
  C:\Windows\System32\FCYTyYB.exe
  2⤵
  PID:8572
- C:\Windows\System32\YtlZvXL.exe
  C:\Windows\System32\YtlZvXL.exe
  2⤵
  PID:8596
- C:\Windows\System32\IksGzFS.exe
  C:\Windows\System32\IksGzFS.exe
  2⤵
  PID:8616
- C:\Windows\System32\OxKKiJf.exe
  C:\Windows\System32\OxKKiJf.exe
  2⤵
  PID:8676
- C:\Windows\System32\MaWQSfM.exe
  C:\Windows\System32\MaWQSfM.exe
  2⤵
  PID:8712
- C:\Windows\System32\GyEHobL.exe
  C:\Windows\System32\GyEHobL.exe
  2⤵
  PID:8740
- C:\Windows\System32\gNiVoQI.exe
  C:\Windows\System32\gNiVoQI.exe
  2⤵
  PID:8768
- C:\Windows\System32\krFCted.exe
  C:\Windows\System32\krFCted.exe
  2⤵
  PID:8792
- C:\Windows\System32\VFqtmDE.exe
  C:\Windows\System32\VFqtmDE.exe
  2⤵
  PID:8808
- C:\Windows\System32\OPOnKKK.exe
  C:\Windows\System32\OPOnKKK.exe
  2⤵
  PID:8824
- C:\Windows\System32\uXRUDNO.exe
  C:\Windows\System32\uXRUDNO.exe
  2⤵
  PID:8848
- C:\Windows\System32\USmQWgy.exe
  C:\Windows\System32\USmQWgy.exe
  2⤵
  PID:8892
- C:\Windows\System32\LtgaFUq.exe
  C:\Windows\System32\LtgaFUq.exe
  2⤵
  PID:8936
- C:\Windows\System32\xBWaPMt.exe
  C:\Windows\System32\xBWaPMt.exe
  2⤵
  PID:8964
- C:\Windows\System32\XFpgsdD.exe
  C:\Windows\System32\XFpgsdD.exe
  2⤵
  PID:8988
- C:\Windows\System32\fjrlaQy.exe
  C:\Windows\System32\fjrlaQy.exe
  2⤵
  PID:9008
- C:\Windows\System32\SXJsHSh.exe
  C:\Windows\System32\SXJsHSh.exe
  2⤵
  PID:9036
- C:\Windows\System32\sQyhhdf.exe
  C:\Windows\System32\sQyhhdf.exe
  2⤵
  PID:9072
- C:\Windows\System32\kbxfcQl.exe
  C:\Windows\System32\kbxfcQl.exe
  2⤵
  PID:9108
- C:\Windows\System32\FNeCnRg.exe
  C:\Windows\System32\FNeCnRg.exe
  2⤵
  PID:9132
- C:\Windows\System32\hJaiJbF.exe
  C:\Windows\System32\hJaiJbF.exe
  2⤵
  PID:9160
- C:\Windows\System32\FgFfcRj.exe
  C:\Windows\System32\FgFfcRj.exe
  2⤵
  PID:9192
- C:\Windows\System32\yYpnLYG.exe
  C:\Windows\System32\yYpnLYG.exe
  2⤵
  PID:7832
- C:\Windows\System32\bPJDazm.exe
  C:\Windows\System32\bPJDazm.exe
  2⤵
  PID:7376
- C:\Windows\System32\KCkrTKs.exe
  C:\Windows\System32\KCkrTKs.exe
  2⤵
  PID:8284
- C:\Windows\System32\IDPTfcx.exe
  C:\Windows\System32\IDPTfcx.exe
  2⤵
  PID:8212
- C:\Windows\System32\nFiTadi.exe
  C:\Windows\System32\nFiTadi.exe
  2⤵
  PID:8264
- C:\Windows\System32\QrZXTBB.exe
  C:\Windows\System32\QrZXTBB.exe
  2⤵
  PID:8340
- C:\Windows\System32\hTbzAzz.exe
  C:\Windows\System32\hTbzAzz.exe
  2⤵
  PID:8356
- C:\Windows\System32\ZVgITWV.exe
  C:\Windows\System32\ZVgITWV.exe
  2⤵
  PID:8408
- C:\Windows\System32\jPgbVJK.exe
  C:\Windows\System32\jPgbVJK.exe
  2⤵
  PID:8480
- C:\Windows\System32\sAgPIMJ.exe
  C:\Windows\System32\sAgPIMJ.exe
  2⤵
  PID:8536
- C:\Windows\System32\ngJGkyl.exe
  C:\Windows\System32\ngJGkyl.exe
  2⤵
  PID:8612
- C:\Windows\System32\uruwuQJ.exe
  C:\Windows\System32\uruwuQJ.exe
  2⤵
  PID:8692
- C:\Windows\System32\KEVJaEz.exe
  C:\Windows\System32\KEVJaEz.exe
  2⤵
  PID:8764
- C:\Windows\System32\kyzIhbl.exe
  C:\Windows\System32\kyzIhbl.exe
  2⤵
  PID:8844
- C:\Windows\System32\kaEMPQi.exe
  C:\Windows\System32\kaEMPQi.exe
  2⤵
  PID:8864
- C:\Windows\System32\VVQxciF.exe
  C:\Windows\System32\VVQxciF.exe
  2⤵
  PID:8948
- C:\Windows\System32\RJgENiT.exe
  C:\Windows\System32\RJgENiT.exe
  2⤵
  PID:9060
- C:\Windows\System32\GldFBuv.exe
  C:\Windows\System32\GldFBuv.exe
  2⤵
  PID:9104
- C:\Windows\System32\qymBYWF.exe
  C:\Windows\System32\qymBYWF.exe
  2⤵
  PID:9180
- C:\Windows\System32\QzuFYsH.exe
  C:\Windows\System32\QzuFYsH.exe
  2⤵
  PID:7960
- C:\Windows\System32\RuxOwHR.exe
  C:\Windows\System32\RuxOwHR.exe
  2⤵
  PID:8208
- C:\Windows\System32\tGUnsAu.exe
  C:\Windows\System32\tGUnsAu.exe
  2⤵
  PID:8240
- C:\Windows\System32\EJosuLy.exe
  C:\Windows\System32\EJosuLy.exe
  2⤵
  PID:8300
- C:\Windows\System32\XTSxweF.exe
  C:\Windows\System32\XTSxweF.exe
  2⤵
  PID:8544
- C:\Windows\System32\vIGFkpW.exe
  C:\Windows\System32\vIGFkpW.exe
  2⤵
  PID:8752
- C:\Windows\System32\WeGfkIl.exe
  C:\Windows\System32\WeGfkIl.exe
  2⤵
  PID:8880
- C:\Windows\System32\uMVDVhI.exe
  C:\Windows\System32\uMVDVhI.exe
  2⤵
  PID:8952
- C:\Windows\System32\DhzIIbx.exe
  C:\Windows\System32\DhzIIbx.exe
  2⤵
  PID:9204
- C:\Windows\System32\gIRpnAi.exe
  C:\Windows\System32\gIRpnAi.exe
  2⤵
  PID:8244
- C:\Windows\System32\sUSHRyC.exe
  C:\Windows\System32\sUSHRyC.exe
  2⤵
  PID:8292
- C:\Windows\System32\FCbbYmu.exe
  C:\Windows\System32\FCbbYmu.exe
  2⤵
  PID:8920
- C:\Windows\System32\wvMqfgP.exe
  C:\Windows\System32\wvMqfgP.exe
  2⤵
  PID:8360
- C:\Windows\System32\tpYXNES.exe
  C:\Windows\System32\tpYXNES.exe
  2⤵
  PID:8460
- C:\Windows\System32\IFQPbwd.exe
  C:\Windows\System32\IFQPbwd.exe
  2⤵
  PID:8432
- C:\Windows\System32\HWzUSsZ.exe
  C:\Windows\System32\HWzUSsZ.exe
  2⤵
  PID:9240
- C:\Windows\System32\UGpJCHg.exe
  C:\Windows\System32\UGpJCHg.exe
  2⤵
  PID:9268
- C:\Windows\System32\efRqgHZ.exe
  C:\Windows\System32\efRqgHZ.exe
  2⤵
  PID:9316
- C:\Windows\System32\nAofDXB.exe
  C:\Windows\System32\nAofDXB.exe
  2⤵
  PID:9344
- C:\Windows\System32\GMFEAOB.exe
  C:\Windows\System32\GMFEAOB.exe
  2⤵
  PID:9364
- C:\Windows\System32\NPiZMXf.exe
  C:\Windows\System32\NPiZMXf.exe
  2⤵
  PID:9404
- C:\Windows\System32\kXVyAPB.exe
  C:\Windows\System32\kXVyAPB.exe
  2⤵
  PID:9420
- C:\Windows\System32\YfkVmmy.exe
  C:\Windows\System32\YfkVmmy.exe
  2⤵
  PID:9664
- C:\Windows\System32\LfWWUdi.exe
  C:\Windows\System32\LfWWUdi.exe
  2⤵
  PID:9680
- C:\Windows\System32\sMXvTbG.exe
  C:\Windows\System32\sMXvTbG.exe
  2⤵
  PID:9708
- C:\Windows\System32\eisqHih.exe
  C:\Windows\System32\eisqHih.exe
  2⤵
  PID:9736
- C:\Windows\System32\ljwjswc.exe
  C:\Windows\System32\ljwjswc.exe
  2⤵
  PID:9768
- C:\Windows\System32\eWehbky.exe
  C:\Windows\System32\eWehbky.exe
  2⤵
  PID:9804
- C:\Windows\System32\VmBMGeb.exe
  C:\Windows\System32\VmBMGeb.exe
  2⤵
  PID:9820
- C:\Windows\System32\DEFXpFd.exe
  C:\Windows\System32\DEFXpFd.exe
  2⤵
  PID:9836
- C:\Windows\System32\KgYVIxC.exe
  C:\Windows\System32\KgYVIxC.exe
  2⤵
  PID:9884
- C:\Windows\System32\skYeQPw.exe
  C:\Windows\System32\skYeQPw.exe
  2⤵
  PID:9908
- C:\Windows\System32\rYRhwXi.exe
  C:\Windows\System32\rYRhwXi.exe
  2⤵
  PID:9924
- C:\Windows\System32\IQAHRaw.exe
  C:\Windows\System32\IQAHRaw.exe
  2⤵
  PID:9944
- C:\Windows\System32\NoXDFgP.exe
  C:\Windows\System32\NoXDFgP.exe
  2⤵
  PID:9964
- C:\Windows\System32\DUOOqQq.exe
  C:\Windows\System32\DUOOqQq.exe
  2⤵
  PID:9988
- C:\Windows\System32\DSpUzfT.exe
  C:\Windows\System32\DSpUzfT.exe
  2⤵
  PID:10008
- C:\Windows\System32\NDbjKHp.exe
  C:\Windows\System32\NDbjKHp.exe
  2⤵
  PID:10044
- C:\Windows\System32\xastaGF.exe
  C:\Windows\System32\xastaGF.exe
  2⤵
  PID:10064
- C:\Windows\System32\WpGbwaV.exe
  C:\Windows\System32\WpGbwaV.exe
  2⤵
  PID:10096
- C:\Windows\System32\dUppmeZ.exe
  C:\Windows\System32\dUppmeZ.exe
  2⤵
  PID:10116
- C:\Windows\System32\FAaanmx.exe
  C:\Windows\System32\FAaanmx.exe
  2⤵
  PID:10156
- C:\Windows\System32\DdMhUsv.exe
  C:\Windows\System32\DdMhUsv.exe
  2⤵
  PID:10188
- C:\Windows\System32\pdtSsOG.exe
  C:\Windows\System32\pdtSsOG.exe
  2⤵
  PID:8236
- C:\Windows\System32\QRcFTWF.exe
  C:\Windows\System32\QRcFTWF.exe
  2⤵
  PID:9256
- C:\Windows\System32\ATrNHYk.exe
  C:\Windows\System32\ATrNHYk.exe
  2⤵
  PID:9336
- C:\Windows\System32\JGZnkDR.exe
  C:\Windows\System32\JGZnkDR.exe
  2⤵
  PID:9400
- C:\Windows\System32\mVPvZHy.exe
  C:\Windows\System32\mVPvZHy.exe
  2⤵
  PID:9444
- C:\Windows\System32\csjLVsH.exe
  C:\Windows\System32\csjLVsH.exe
  2⤵
  PID:9484
- C:\Windows\System32\WaKCZFu.exe
  C:\Windows\System32\WaKCZFu.exe
  2⤵
  PID:9496
- C:\Windows\System32\nkRNqWB.exe
  C:\Windows\System32\nkRNqWB.exe
  2⤵
  PID:9544
- C:\Windows\System32\CHQSfIy.exe
  C:\Windows\System32\CHQSfIy.exe
  2⤵
  PID:9560
- C:\Windows\System32\bBglkIZ.exe
  C:\Windows\System32\bBglkIZ.exe
  2⤵
  PID:9608
- C:\Windows\System32\ZJbfcKS.exe
  C:\Windows\System32\ZJbfcKS.exe
  2⤵
  PID:9652
- C:\Windows\System32\JGHPhMr.exe
  C:\Windows\System32\JGHPhMr.exe
  2⤵
  PID:9672
- C:\Windows\System32\RwqEjXW.exe
  C:\Windows\System32\RwqEjXW.exe
  2⤵
  PID:9716
- C:\Windows\System32\lQqlOgj.exe
  C:\Windows\System32\lQqlOgj.exe
  2⤵
  PID:9764
- C:\Windows\System32\QBAofdy.exe
  C:\Windows\System32\QBAofdy.exe
  2⤵
  PID:9816
- C:\Windows\System32\FJpqJHc.exe
  C:\Windows\System32\FJpqJHc.exe
  2⤵
  PID:9904
- C:\Windows\System32\Dfsxmfp.exe
  C:\Windows\System32\Dfsxmfp.exe
  2⤵
  PID:9972
- C:\Windows\System32\fcUtfNs.exe
  C:\Windows\System32\fcUtfNs.exe
  2⤵
  PID:10052
- C:\Windows\System32\PGYRWST.exe
  C:\Windows\System32\PGYRWST.exe
  2⤵
  PID:10088
- C:\Windows\System32\gVHCtMd.exe
  C:\Windows\System32\gVHCtMd.exe
  2⤵
  PID:10208
- C:\Windows\System32\PCIPRLn.exe
  C:\Windows\System32\PCIPRLn.exe
  2⤵
  PID:9264
- C:\Windows\System32\rUdDZqk.exe
  C:\Windows\System32\rUdDZqk.exe
  2⤵
  PID:9436
- C:\Windows\System32\WklPGPF.exe
  C:\Windows\System32\WklPGPF.exe
  2⤵
  PID:9468
- C:\Windows\System32\FnftiYR.exe
  C:\Windows\System32\FnftiYR.exe
  2⤵
  PID:9552
- C:\Windows\System32\keQLsPC.exe
  C:\Windows\System32\keQLsPC.exe
  2⤵
  PID:9612
- C:\Windows\System32\clmcPcd.exe
  C:\Windows\System32\clmcPcd.exe
  2⤵
  PID:9724
- C:\Windows\System32\yWzNwEY.exe
  C:\Windows\System32\yWzNwEY.exe
  2⤵
  PID:9868
- C:\Windows\System32\mxsxEsb.exe
  C:\Windows\System32\mxsxEsb.exe
  2⤵
  PID:9828
- C:\Windows\System32\GugOLdT.exe
  C:\Windows\System32\GugOLdT.exe
  2⤵
  PID:9952
- C:\Windows\System32\HsRPJYS.exe
  C:\Windows\System32\HsRPJYS.exe
  2⤵
  PID:9464
- C:\Windows\System32\qLUzkfa.exe
  C:\Windows\System32\qLUzkfa.exe
  2⤵
  PID:9488
- C:\Windows\System32\wkNSxKy.exe
  C:\Windows\System32\wkNSxKy.exe
  2⤵
  PID:9776
- C:\Windows\System32\mipzKKg.exe
  C:\Windows\System32\mipzKKg.exe
  2⤵
  PID:10108
- C:\Windows\System32\ovysANl.exe
  C:\Windows\System32\ovysANl.exe
  2⤵
  PID:10176
- C:\Windows\System32\CGcwCLn.exe
  C:\Windows\System32\CGcwCLn.exe
  2⤵
  PID:10256
- C:\Windows\System32\WHvAGIr.exe
  C:\Windows\System32\WHvAGIr.exe
  2⤵
  PID:10280
- C:\Windows\System32\QqbiwIl.exe
  C:\Windows\System32\QqbiwIl.exe
  2⤵
  PID:10304
- C:\Windows\System32\OTdJLYn.exe
  C:\Windows\System32\OTdJLYn.exe
  2⤵
  PID:10324
- C:\Windows\System32\vVCurha.exe
  C:\Windows\System32\vVCurha.exe
  2⤵
  PID:10356
- C:\Windows\System32\sXdLTKn.exe
  C:\Windows\System32\sXdLTKn.exe
  2⤵
  PID:10400
- C:\Windows\System32\WvIRGWD.exe
  C:\Windows\System32\WvIRGWD.exe
  2⤵
  PID:10420
- C:\Windows\System32\phzAMfQ.exe
  C:\Windows\System32\phzAMfQ.exe
  2⤵
  PID:10444
- C:\Windows\System32\HqMGtyV.exe
  C:\Windows\System32\HqMGtyV.exe
  2⤵
  PID:10460
- C:\Windows\System32\QusODku.exe
  C:\Windows\System32\QusODku.exe
  2⤵
  PID:10500
- C:\Windows\System32\WTqctNK.exe
  C:\Windows\System32\WTqctNK.exe
  2⤵
  PID:10536
- C:\Windows\System32\vTsafeP.exe
  C:\Windows\System32\vTsafeP.exe
  2⤵
  PID:10560
- C:\Windows\System32\RyWlNwP.exe
  C:\Windows\System32\RyWlNwP.exe
  2⤵
  PID:10600
- C:\Windows\System32\zmKhKUr.exe
  C:\Windows\System32\zmKhKUr.exe
  2⤵
  PID:10632
- C:\Windows\System32\jTGGIwZ.exe
  C:\Windows\System32\jTGGIwZ.exe
  2⤵
  PID:10652
- C:\Windows\System32\cIvoHcq.exe
  C:\Windows\System32\cIvoHcq.exe
  2⤵
  PID:10672
- C:\Windows\System32\BbeWKth.exe
  C:\Windows\System32\BbeWKth.exe
  2⤵
  PID:10688
- C:\Windows\System32\dnhiRsf.exe
  C:\Windows\System32\dnhiRsf.exe
  2⤵
  PID:10756
- C:\Windows\System32\QVblQqU.exe
  C:\Windows\System32\QVblQqU.exe
  2⤵
  PID:10772
- C:\Windows\System32\bBHgvtx.exe
  C:\Windows\System32\bBHgvtx.exe
  2⤵
  PID:10800
- C:\Windows\System32\vzxtuka.exe
  C:\Windows\System32\vzxtuka.exe
  2⤵
  PID:10820
- C:\Windows\System32\pjocoHl.exe
  C:\Windows\System32\pjocoHl.exe
  2⤵
  PID:10852
- C:\Windows\System32\TTFkoHg.exe
  C:\Windows\System32\TTFkoHg.exe
  2⤵
  PID:10888
- C:\Windows\System32\GAOJGvZ.exe
  C:\Windows\System32\GAOJGvZ.exe
  2⤵
  PID:10920
- C:\Windows\System32\CgMLFDo.exe
  C:\Windows\System32\CgMLFDo.exe
  2⤵
  PID:10944
- C:\Windows\System32\jnDoBEx.exe
  C:\Windows\System32\jnDoBEx.exe
  2⤵
  PID:10972
- C:\Windows\System32\KZcuDuo.exe
  C:\Windows\System32\KZcuDuo.exe
  2⤵
  PID:11000
- C:\Windows\System32\thJKQJk.exe
  C:\Windows\System32\thJKQJk.exe
  2⤵
  PID:11024
- C:\Windows\System32\rvsTZRk.exe
  C:\Windows\System32\rvsTZRk.exe
  2⤵
  PID:11044
- C:\Windows\System32\FUHdvEX.exe
  C:\Windows\System32\FUHdvEX.exe
  2⤵
  PID:11064
- C:\Windows\System32\IZPjwnl.exe
  C:\Windows\System32\IZPjwnl.exe
  2⤵
  PID:11080
- C:\Windows\System32\oshKtvD.exe
  C:\Windows\System32\oshKtvD.exe
  2⤵
  PID:11116
- C:\Windows\System32\AGJssSM.exe
  C:\Windows\System32\AGJssSM.exe
  2⤵
  PID:11144
- C:\Windows\System32\HYGQNPj.exe
  C:\Windows\System32\HYGQNPj.exe
  2⤵
  PID:11196
- C:\Windows\System32\WtTWuxs.exe
  C:\Windows\System32\WtTWuxs.exe
  2⤵
  PID:11224
- C:\Windows\System32\ravTcCT.exe
  C:\Windows\System32\ravTcCT.exe
  2⤵
  PID:11256
- C:\Windows\System32\JcdHOwd.exe
  C:\Windows\System32\JcdHOwd.exe
  2⤵
  PID:10268
- C:\Windows\System32\rhzoOlF.exe
  C:\Windows\System32\rhzoOlF.exe
  2⤵
  PID:10296
- C:\Windows\System32\eMIKiXC.exe
  C:\Windows\System32\eMIKiXC.exe
  2⤵
  PID:10348
- C:\Windows\System32\iPvqbuB.exe
  C:\Windows\System32\iPvqbuB.exe
  2⤵
  PID:10432
- C:\Windows\System32\RAqEzFq.exe
  C:\Windows\System32\RAqEzFq.exe
  2⤵
  PID:10476
- C:\Windows\System32\wrHapkE.exe
  C:\Windows\System32\wrHapkE.exe
  2⤵
  PID:10544
- C:\Windows\System32\RPZNCUG.exe
  C:\Windows\System32\RPZNCUG.exe
  2⤵
  PID:10620
- C:\Windows\System32\DhpmOaj.exe
  C:\Windows\System32\DhpmOaj.exe
  2⤵
  PID:10664
- C:\Windows\System32\PNcPrDY.exe
  C:\Windows\System32\PNcPrDY.exe
  2⤵
  PID:10704
- C:\Windows\System32\gHztCRz.exe
  C:\Windows\System32\gHztCRz.exe
  2⤵
  PID:10764
- C:\Windows\System32\KoQQiDV.exe
  C:\Windows\System32\KoQQiDV.exe
  2⤵
  PID:10828
- C:\Windows\System32\jmVlNvb.exe
  C:\Windows\System32\jmVlNvb.exe
  2⤵
  PID:10984
- C:\Windows\System32\sXMesVK.exe
  C:\Windows\System32\sXMesVK.exe
  2⤵
  PID:11100
- C:\Windows\System32\rzCroLK.exe
  C:\Windows\System32\rzCroLK.exe
  2⤵
  PID:11160
- C:\Windows\System32\JggoFdM.exe
  C:\Windows\System32\JggoFdM.exe
  2⤵
  PID:11248
- C:\Windows\System32\DtQMepc.exe
  C:\Windows\System32\DtQMepc.exe
  2⤵
  PID:2028
- C:\Windows\System32\wZuWSuA.exe
  C:\Windows\System32\wZuWSuA.exe
  2⤵
  PID:10312
- C:\Windows\System32\FwOMeVf.exe
  C:\Windows\System32\FwOMeVf.exe
  2⤵
  PID:10388
- C:\Windows\System32\DXELyRD.exe
  C:\Windows\System32\DXELyRD.exe
  2⤵
  PID:10644
- C:\Windows\System32\BVgHNGY.exe
  C:\Windows\System32\BVgHNGY.exe
  2⤵
  PID:10768
- C:\Windows\System32\pDJNpMg.exe
  C:\Windows\System32\pDJNpMg.exe
  2⤵
  PID:10936
- C:\Windows\System32\bLDSGkg.exe
  C:\Windows\System32\bLDSGkg.exe
  2⤵
  PID:11040
- C:\Windows\System32\CNtoHxa.exe
  C:\Windows\System32\CNtoHxa.exe
  2⤵
  PID:11184
- C:\Windows\System32\yzGPvuE.exe
  C:\Windows\System32\yzGPvuE.exe
  2⤵
  PID:10524
- C:\Windows\System32\kFaMrBB.exe
  C:\Windows\System32\kFaMrBB.exe
  2⤵
  PID:10368
- C:\Windows\System32\OvPiODz.exe
  C:\Windows\System32\OvPiODz.exe
  2⤵
  PID:10900
- C:\Windows\System32\KKwhUxk.exe
  C:\Windows\System32\KKwhUxk.exe
  2⤵
  PID:4884
- C:\Windows\System32\JZFFXHD.exe
  C:\Windows\System32\JZFFXHD.exe
  2⤵
  PID:11292
- C:\Windows\System32\OPzSzpK.exe
  C:\Windows\System32\OPzSzpK.exe
  2⤵
  PID:11328
- C:\Windows\System32\IgWTlAp.exe
  C:\Windows\System32\IgWTlAp.exe
  2⤵
  PID:11356
- C:\Windows\System32\eUQiUDs.exe
  C:\Windows\System32\eUQiUDs.exe
  2⤵
  PID:11384
- C:\Windows\System32\riJKdfD.exe
  C:\Windows\System32\riJKdfD.exe
  2⤵
  PID:11412
- C:\Windows\System32\pdttkzM.exe
  C:\Windows\System32\pdttkzM.exe
  2⤵
  PID:11440
- C:\Windows\System32\QaNdocz.exe
  C:\Windows\System32\QaNdocz.exe
  2⤵
  PID:11468
- C:\Windows\System32\KGaoOAj.exe
  C:\Windows\System32\KGaoOAj.exe
  2⤵
  PID:11496
- C:\Windows\System32\bgCvSbW.exe
  C:\Windows\System32\bgCvSbW.exe
  2⤵
  PID:11520
- C:\Windows\System32\xsygSqW.exe
  C:\Windows\System32\xsygSqW.exe
  2⤵
  PID:11536
- C:\Windows\System32\ocAzevB.exe
  C:\Windows\System32\ocAzevB.exe
  2⤵
  PID:11556
- C:\Windows\System32\FJfpJiq.exe
  C:\Windows\System32\FJfpJiq.exe
  2⤵
  PID:11572
- C:\Windows\System32\dxxqQDy.exe
  C:\Windows\System32\dxxqQDy.exe
  2⤵
  PID:11636
- C:\Windows\System32\MFCrOhB.exe
  C:\Windows\System32\MFCrOhB.exe
  2⤵
  PID:11660
- C:\Windows\System32\rRPZBvw.exe
  C:\Windows\System32\rRPZBvw.exe
  2⤵
  PID:11688
- C:\Windows\System32\HwRhfWS.exe
  C:\Windows\System32\HwRhfWS.exe
  2⤵
  PID:11708
- C:\Windows\System32\QpvgmuY.exe
  C:\Windows\System32\QpvgmuY.exe
  2⤵
  PID:11740
- C:\Windows\System32\CqkmAfC.exe
  C:\Windows\System32\CqkmAfC.exe
  2⤵
  PID:11780
- C:\Windows\System32\cszGlzU.exe
  C:\Windows\System32\cszGlzU.exe
  2⤵
  PID:11808
- C:\Windows\System32\cUkjrKQ.exe
  C:\Windows\System32\cUkjrKQ.exe
  2⤵
  PID:11836
- C:\Windows\System32\hSuVvOZ.exe
  C:\Windows\System32\hSuVvOZ.exe
  2⤵
  PID:11856
- C:\Windows\System32\XxAeOGb.exe
  C:\Windows\System32\XxAeOGb.exe
  2⤵
  PID:11872
- C:\Windows\System32\oGIaEXF.exe
  C:\Windows\System32\oGIaEXF.exe
  2⤵
  PID:11896
- C:\Windows\System32\kqvqCUQ.exe
  C:\Windows\System32\kqvqCUQ.exe
  2⤵
  PID:11936
- C:\Windows\System32\VFMxTYu.exe
  C:\Windows\System32\VFMxTYu.exe
  2⤵
  PID:11956
- C:\Windows\System32\iGxglJJ.exe
  C:\Windows\System32\iGxglJJ.exe
  2⤵
  PID:11992
- C:\Windows\System32\uizPHKQ.exe
  C:\Windows\System32\uizPHKQ.exe
  2⤵
  PID:12028
- C:\Windows\System32\KEfHYyP.exe
  C:\Windows\System32\KEfHYyP.exe
  2⤵
  PID:12060
- C:\Windows\System32\vCUxKTV.exe
  C:\Windows\System32\vCUxKTV.exe
  2⤵
  PID:12080
- C:\Windows\System32\iTMoGTX.exe
  C:\Windows\System32\iTMoGTX.exe
  2⤵
  PID:12104
- C:\Windows\System32\RERKKOt.exe
  C:\Windows\System32\RERKKOt.exe
  2⤵
  PID:12152
- C:\Windows\System32\JdelYiJ.exe
  C:\Windows\System32\JdelYiJ.exe
  2⤵
  PID:12180
- C:\Windows\System32\pVbjCsZ.exe
  C:\Windows\System32\pVbjCsZ.exe
  2⤵
  PID:12200
- C:\Windows\System32\HROdSvJ.exe
  C:\Windows\System32\HROdSvJ.exe
  2⤵
  PID:12236
- C:\Windows\System32\FvVLxLc.exe
  C:\Windows\System32\FvVLxLc.exe
  2⤵
  PID:12276
- C:\Windows\System32\uUdpeHe.exe
  C:\Windows\System32\uUdpeHe.exe
  2⤵
  PID:10780
- C:\Windows\System32\JlmtAmc.exe
  C:\Windows\System32\JlmtAmc.exe
  2⤵
  PID:11316
- C:\Windows\System32\RdRciYl.exe
  C:\Windows\System32\RdRciYl.exe
  2⤵
  PID:11452
- C:\Windows\System32\zmKxfyg.exe
  C:\Windows\System32\zmKxfyg.exe
  2⤵
  PID:11492
- C:\Windows\System32\FRInuxp.exe
  C:\Windows\System32\FRInuxp.exe
  2⤵
  PID:11544
- C:\Windows\System32\asWWVkQ.exe
  C:\Windows\System32\asWWVkQ.exe
  2⤵
  PID:11648
- C:\Windows\System32\pPUaqnF.exe
  C:\Windows\System32\pPUaqnF.exe
  2⤵
  PID:11764
- C:\Windows\System32\rZcJUod.exe
  C:\Windows\System32\rZcJUod.exe
  2⤵
  PID:11864
- C:\Windows\System32\QUlyHhp.exe
  C:\Windows\System32\QUlyHhp.exe
  2⤵
  PID:11924
- C:\Windows\System32\clMJXOE.exe
  C:\Windows\System32\clMJXOE.exe
  2⤵
  PID:11988
- C:\Windows\System32\zynYZYG.exe
  C:\Windows\System32\zynYZYG.exe
  2⤵
  PID:12088
- C:\Windows\System32\xCQRrJN.exe
  C:\Windows\System32\xCQRrJN.exe
  2⤵
  PID:12216
- C:\Windows\System32\ndLnCCn.exe
  C:\Windows\System32\ndLnCCn.exe
  2⤵
  PID:11280
- C:\Windows\System32\LZcchVF.exe
  C:\Windows\System32\LZcchVF.exe
  2⤵
  PID:11480
- C:\Windows\System32\cozlHGp.exe
  C:\Windows\System32\cozlHGp.exe
  2⤵
  PID:11504
- C:\Windows\System32\vHPHBeW.exe
  C:\Windows\System32\vHPHBeW.exe
  2⤵
  PID:11716
- C:\Windows\System32\UhpITiS.exe
  C:\Windows\System32\UhpITiS.exe
  2⤵
  PID:11888
- C:\Windows\System32\rayhEvQ.exe
  C:\Windows\System32\rayhEvQ.exe
  2⤵
  PID:12136
- C:\Windows\System32\aPOcBSX.exe
  C:\Windows\System32\aPOcBSX.exe
  2⤵
  PID:11464
- C:\Windows\System32\rtcBOxh.exe
  C:\Windows\System32\rtcBOxh.exe
  2⤵
  PID:12076
- C:\Windows\System32\wvIopFN.exe
  C:\Windows\System32\wvIopFN.exe
  2⤵
  PID:11736
- C:\Windows\System32\PjzJOkj.exe
  C:\Windows\System32\PjzJOkj.exe
  2⤵
  PID:12296
- C:\Windows\System32\qdOvzbG.exe
  C:\Windows\System32\qdOvzbG.exe
  2⤵
  PID:12324
- C:\Windows\System32\AwIagkh.exe
  C:\Windows\System32\AwIagkh.exe
  2⤵
  PID:12340
- C:\Windows\System32\fOLKeNx.exe
  C:\Windows\System32\fOLKeNx.exe
  2⤵
  PID:12368
- C:\Windows\System32\UqfkFrw.exe
  C:\Windows\System32\UqfkFrw.exe
  2⤵
  PID:12428
- C:\Windows\System32\vJkAxwY.exe
  C:\Windows\System32\vJkAxwY.exe
  2⤵
  PID:12444
- C:\Windows\System32\rXtXTHW.exe
  C:\Windows\System32\rXtXTHW.exe
  2⤵
  PID:12476
- C:\Windows\System32\lbizWhN.exe
  C:\Windows\System32\lbizWhN.exe
  2⤵
  PID:12508
- C:\Windows\System32\WNjMdoI.exe
  C:\Windows\System32\WNjMdoI.exe
  2⤵
  PID:12536
- C:\Windows\System32\NsaJVEW.exe
  C:\Windows\System32\NsaJVEW.exe
  2⤵
  PID:12556
- C:\Windows\System32\fqciaEC.exe
  C:\Windows\System32\fqciaEC.exe
  2⤵
  PID:12596
- C:\Windows\System32\NzPiPHE.exe
  C:\Windows\System32\NzPiPHE.exe
  2⤵
  PID:12616
- C:\Windows\System32\ywMhvMd.exe
  C:\Windows\System32\ywMhvMd.exe
  2⤵
  PID:12636
- C:\Windows\System32\njCQPhA.exe
  C:\Windows\System32\njCQPhA.exe
  2⤵
  PID:12656
- C:\Windows\System32\zFxMBoo.exe
  C:\Windows\System32\zFxMBoo.exe
  2⤵
  PID:12684
- C:\Windows\System32\jtHfKAY.exe
  C:\Windows\System32\jtHfKAY.exe
  2⤵
  PID:12704
- C:\Windows\System32\pqHgfbf.exe
  C:\Windows\System32\pqHgfbf.exe
  2⤵
  PID:12744
- C:\Windows\System32\xbMTUYi.exe
  C:\Windows\System32\xbMTUYi.exe
  2⤵
  PID:12764
- C:\Windows\System32\GHPfPRg.exe
  C:\Windows\System32\GHPfPRg.exe
  2⤵
  PID:12852
- C:\Windows\System32\WEGVQTR.exe
  C:\Windows\System32\WEGVQTR.exe
  2⤵
  PID:12872
- C:\Windows\System32\ZAiHpGK.exe
  C:\Windows\System32\ZAiHpGK.exe
  2⤵
  PID:12900
- C:\Windows\System32\oRvUCLT.exe
  C:\Windows\System32\oRvUCLT.exe
  2⤵
  PID:12928
- C:\Windows\System32\KAIhoUS.exe
  C:\Windows\System32\KAIhoUS.exe
  2⤵
  PID:12952
- C:\Windows\System32\OmMtJyk.exe
  C:\Windows\System32\OmMtJyk.exe
  2⤵
  PID:12972
- C:\Windows\System32\grVPjkG.exe
  C:\Windows\System32\grVPjkG.exe
  2⤵
  PID:13008
- C:\Windows\System32\lRVjfXw.exe
  C:\Windows\System32\lRVjfXw.exe
  2⤵
  PID:13032
- C:\Windows\System32\MPXCEmk.exe
  C:\Windows\System32\MPXCEmk.exe
  2⤵
  PID:13068
- C:\Windows\System32\xKCpVmb.exe
  C:\Windows\System32\xKCpVmb.exe
  2⤵
  PID:13088
- C:\Windows\System32\CTsnnoS.exe
  C:\Windows\System32\CTsnnoS.exe
  2⤵
  PID:13124
- C:\Windows\System32\jsMWAAo.exe
  C:\Windows\System32\jsMWAAo.exe
  2⤵
  PID:13148
- C:\Windows\System32\CpApguf.exe
  C:\Windows\System32\CpApguf.exe
  2⤵
  PID:13164
- C:\Windows\System32\lYsGOLu.exe
  C:\Windows\System32\lYsGOLu.exe
  2⤵
  PID:13188
- C:\Windows\System32\thIlSkP.exe
  C:\Windows\System32\thIlSkP.exe
  2⤵
  PID:13228
- C:\Windows\System32\QQOCFRY.exe
  C:\Windows\System32\QQOCFRY.exe
  2⤵
  PID:13260
- C:\Windows\System32\dLtFIIO.exe
  C:\Windows\System32\dLtFIIO.exe
  2⤵
  PID:13292
- C:\Windows\System32\EsgkcGR.exe
  C:\Windows\System32\EsgkcGR.exe
  2⤵
  PID:12332
- C:\Windows\System32\EPuQwak.exe
  C:\Windows\System32\EPuQwak.exe
  2⤵
  PID:12380
- C:\Windows\System32\ZSmUJWi.exe
  C:\Windows\System32\ZSmUJWi.exe
  2⤵
  PID:3112
- C:\Windows\System32\PUjkBrB.exe
  C:\Windows\System32\PUjkBrB.exe
  2⤵
  PID:4648
- C:\Windows\System32\KefgtYD.exe
  C:\Windows\System32\KefgtYD.exe
  2⤵
  PID:12484
- C:\Windows\System32\HALOlyG.exe
  C:\Windows\System32\HALOlyG.exe
  2⤵
  PID:12552
- C:\Windows\System32\RQbykNI.exe
  C:\Windows\System32\RQbykNI.exe
  2⤵
  PID:12668
- C:\Windows\System32\JZBpQDm.exe
  C:\Windows\System32\JZBpQDm.exe
  2⤵
  PID:12652
- C:\Windows\System32\LNhqgwv.exe
  C:\Windows\System32\LNhqgwv.exe
  2⤵
  PID:12792
- C:\Windows\System32\yHFYlMf.exe
  C:\Windows\System32\yHFYlMf.exe
  2⤵
  PID:12796
- C:\Windows\System32\qEqoJAj.exe
  C:\Windows\System32\qEqoJAj.exe
  2⤵
  PID:12896
- C:\Windows\System32\JvkeBlo.exe
  C:\Windows\System32\JvkeBlo.exe
  2⤵
  PID:12940
- C:\Windows\System32\mekFykx.exe
  C:\Windows\System32\mekFykx.exe
  2⤵
  PID:13060
- C:\Windows\System32\aLglRmD.exe
  C:\Windows\System32\aLglRmD.exe
  2⤵
  PID:13120

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BRcGyBW.exe

Filesize
1.2MB

MD5
3741494c1811fe86e8ea2000fbd9bbd5

SHA1
31c47fde8e13d5d86b9adfa07541417d813b8141

SHA256
5eaee28c4027573229189d328e5c5205b349e8df867d5e1b67f41ec055289636

SHA512
1d48f8bb88e41fab81771d471b6f126932560d0f6d2eb72e736e51d7f138ff0200752c4bf2146762b13ef3964fb2235079ee8fcc0ad222282ef0cce0b559f947

Download Submit
C:\Windows\System32\BoSjGuD.exe

Filesize
1.2MB

MD5
e62018efcb2e16ceda430bd478894492

SHA1
ebfb3eae8eb3423c7198e83dab6d01679c343d49

SHA256
e093e9aacd38f710faf66671f66eb6edba02aac11bd331a7008595bf7c027729

SHA512
c897fe6d642a2d2ed7057f3c04845f05ad5692a987eb825999c2b6632f041c83fffd88a09fa39de8a1864b58f74a38636993418a69b1b7c2da455616df39ad7f

Download Submit
C:\Windows\System32\DSiGwlP.exe

Filesize
1.2MB

MD5
91175a6836187c361bc72a72976dd077

SHA1
f1b599c27924799679b0888eca4f60c760bec35d

SHA256
65ab9215eb79300a9209a2d00a751b8352fc1bc6843262c6a3b0cae17f66abe5

SHA512
58fef0be6f3295ff3488ac3157c587d12a6ffea3cb5504f0a19b45edbeee00321cdd21b37626104a9cc577826a028d1edb7f63fd24f47bded8aa432f528caf70

Download Submit
C:\Windows\System32\DpqejJO.exe

Filesize
1.2MB

MD5
1e58be133163bcce21bbcce1449558df

SHA1
865579fcab59358dc14b5de8456df89b7105e42a

SHA256
82573622800dd9eabeb120cb5558be34e1dcd224d8d15211a743be51945d5c31

SHA512
791805e165da5dd295b722bd97b6d5e85f58c3ab362c1c72d2ec879ef567ca9092b03d58545690c8a2e5e0e0ec9e6300ccfbb8f4e1ab3892eb3fa58c1402ea43

Download Submit
C:\Windows\System32\HTNMgfx.exe

Filesize
1.2MB

MD5
f4e01f8dd12f2afae0cb03e9e492622d

SHA1
ddf304a8c96a2636faee76e0a711ca7416546ba0

SHA256
32e9031928f5312abe3ba603afdf640d4af6d851e91643fdd4fa236e617d9955

SHA512
e2712ec0ef7f13542c40216608ef79293d216d583aa66e7c8220da23e5bec697a473058b7671bcf34e850aa3bbe339aeb1666d5ca7fd0e9eae149063dc3ddf36

Download Submit
C:\Windows\System32\IAryQBZ.exe

Filesize
1.2MB

MD5
de6dcd76a73565ff5ef5cdc3e6e6ee0a

SHA1
80bf06c0c143cf7b99a4ed8f78be90153c36a86f

SHA256
b6cede543589d656649da1c452477fcb9b190521b0677bbf6255fd54df874884

SHA512
1ac3e76d1b24c3a1d43447baf301ad522fa71670882aca36134119496b2c1c2ef9e74d60339924f9e9d2cb27c3e5a6e8081691ac4e1349ffda030fc4c4ba9203

Download Submit
C:\Windows\System32\JWCzEyL.exe

Filesize
1.2MB

MD5
2d9d55558098d2246b223006718ce902

SHA1
276a924a37a6cc02763173d35ce1fd06243b48a0

SHA256
be9870eafe66d6d4f96f598c53516fd356951e0b450dedaf8fed578e52d702fe

SHA512
3701054f0e4a293abc50a4ce008abaf0efdffb7ec982d80ad00b2617603c328a8bc7bc8970a34f5780618bf7f0fa9b176919037a1a185d848ddd303c35979df4

Download Submit
C:\Windows\System32\KHwQLQr.exe

Filesize
1.2MB

MD5
4f37472de8c2f64dfa56ee5b8875c354

SHA1
2ee18c16c78251682745ff8d5f49c632cb59b7a5

SHA256
4db7f71c6ae27a36fd9ef5ff851943c36e13071362ba996fc227591ac0ae0893

SHA512
b98e9b77e31a8d700f5a24a97e7786acfcdd8fa06cb4673b6ae0c4a68f72ae1abb3be79ad62b3b3399373b8d1be0c3dccf9fa54f4c3b470f9d92ce9fbf07d701

Download Submit
C:\Windows\System32\KbFqIfI.exe

Filesize
1.2MB

MD5
1afd5928737eb3578aa25ddf0a20dcf4

SHA1
407b81fad0d718ffa1e78175a36e0061e5367e0b

SHA256
0c647ec718c494064a68e0e4e3675034bb940baa08b4876cd08651f4aa6409f6

SHA512
154aa44a8ab2025a99238b38d67b0cd1762551fc602c20b19fc0ca3d92e7736ea737172c6dcecab2e46c670fefda08d562b44bbb95f7564b1cd56e2d9ad50892

Download Submit
C:\Windows\System32\KeUvPSb.exe

Filesize
1.2MB

MD5
8775f3bbb5166d4d2ca1b78e29a2c4bb

SHA1
4d5587155faadb4c63cf83e6e7b4eb724715f744

SHA256
556d090286ec2d5bdd2f453e11e3c837a013ee527993b431188ae5a406ce0efb

SHA512
fe923f8260c0798eb06cf1427fbd0cd84d8a71990e74ab0d66b5ec2e4e332ecd0b799abb90ca9af277c6113aba307bc4dc984660b0b74555b7dd438a34bfb5b6

Download Submit
C:\Windows\System32\KtvfuVs.exe

Filesize
1.2MB

MD5
83a8a0d2103b542811decfe3c8f566ca

SHA1
ddf8cdf645c5efec0209d619ee776cc76f4b6145

SHA256
6d9056b939decccf7199d7a00e869c5efc331d51812108bb20e2ad967108d605

SHA512
19bde1f5d8a307f1f05c7f8ba1ae3c76b65e36d2547350b40606fc9f807b9d7c2ffe632002e6d457ccbb2134911a3ceb40112072692f006159437b0330de74b4

Download Submit
C:\Windows\System32\LgeeevS.exe

Filesize
1.2MB

MD5
480e8e1182a7d8dfe29ae0180c20f823

SHA1
222db592a366f2007524159741fb223ebebb76a2

SHA256
05e047bfb95ed2531361570185fde1cc82c6e24bcb720893c2270b7bf4417cf7

SHA512
31066b2b229ced8277bc481e765b8b5ed2309c8d48adce58f7663b76867657714cc21567457923ab2ef1c3cf21797d90ac07fac48c3d3041f88812372fb7a2fc

Download Submit
C:\Windows\System32\MbEcYLC.exe

Filesize
1.2MB

MD5
79735e870cbbff24e2b679f2a097becb

SHA1
4fbcf7baed43dadc5b27d96ead2f2c91a273cfbb

SHA256
5065c71a6a3fcf17c1bd1a2dff749bd8b6cb981ce247aefdfdd80b505f2de016

SHA512
82953851234387cbbe78d6e5c4eb83ccb20e58807e579da56f612ded9c685fd5ed2e097cd549d605c77bc05be6720850b92eab5fc6bec8752ed815dd8b382352

Download Submit
C:\Windows\System32\OaOHYTo.exe

Filesize
1.2MB

MD5
123566dfebf08ea441219a650f40bc02

SHA1
3cb6b5114bf8a1ada94133186554bcabc90fbf5e

SHA256
631f0cf33475abe989905c0d65ad68ca4f366b426c5dae36d03c287c06c21dea

SHA512
1425f3ffb413e5542c371a6ed7ccf6e257c184c984961d65d1616a7d771d717b2176cd3dd089910ae21c3e240c50bb8fa86b26d27c12c51e815af17727a72257

Download Submit
C:\Windows\System32\QwDXcmM.exe

Filesize
1.2MB

MD5
75867c599ed5975b09af48b73413ba16

SHA1
de625c60eac6f640a4c314f9c71573d75284bd3b

SHA256
39ea2a07c1d0e98dc652582c5d40b415268e5302067c210e3ad38c2c22d4d2d8

SHA512
5d85f665e74917a10c05b164256650590a3190e20f4192a66c51202e3b84952ed22a2cc4655d4dc2520c7e6f42099d842de7fb25c318c4acb959ee3a3a898716

Download Submit
C:\Windows\System32\Qwxwuhu.exe

Filesize
1.2MB

MD5
c17de774b7516ad90c4b422dece6f9f8

SHA1
35b10e815ea7500e264bfb3ca1c7c4499bfa763f

SHA256
daca3faaf141837ff10e9f1a50ed119b32cda5d76cbd559d3221007b05128d1d

SHA512
9ac214b86255588a67da63ac93fd79f40ed543368d1197cc46001d28d9cd1647f3524f259d19dffc01a5e4af670a8b975d15018e54b012e0d97e0246371d4987

Download Submit
C:\Windows\System32\UgJJMvk.exe

Filesize
1.2MB

MD5
04b6ab3b6a22d2959302f6c2da07fcfe

SHA1
94cda03e0e6a9b70e08af4b6378e37e6fcd416d4

SHA256
12b542204e2524485c390446cbd1e089fd6f9bafcf69da982d90c330357f4c68

SHA512
bd84c7c0078261abe29e7297dbfa33ada8ca89d17541fd99ec4d62b547dd7f1ed5cb5f06a47e62c8e797a4e6b8b0e74627d02c6e936766e7cc80d06c79d43135

Download Submit
C:\Windows\System32\WaENIbN.exe

Filesize
1.2MB

MD5
cd3a310018ab590e50783f8f0c446a8f

SHA1
7ce4b01bfc96c6fa2811b0f4d35414619f30f3ac

SHA256
1f89c0611d4a37bb5b3a42c47f22fb03ca22f72b93da16a425bee68c2ec09bf2

SHA512
c920b8f39b9675ac5b88647b752c9b1974612ec99c90d17b523d57a86ab37641cbb52c6fd17ece858bbcab5699130f3c5145e3d9a1761752de00c17afec4d479

Download Submit
C:\Windows\System32\YwINqGT.exe

Filesize
1.2MB

MD5
efbfb8c3aca92dd9d9cc533ac15f4565

SHA1
0240b0183f90fb6260c7f48057484e255cd8b942

SHA256
ef19dae6f203c6abf818666ebb8050a112365199e6b699b2dc54ab913676923c

SHA512
b657dc0ed041101fb256f66ad43a1d46904103618f72f306a17208c8f27f8f7fbc05a0a1cc5fd63648d5a1a008bd3949a72923611199219a804c8204f2273a07

Download Submit
C:\Windows\System32\bdqSiEA.exe

Filesize
1.2MB

MD5
66b81e578e539319e3913a483bdafd77

SHA1
e2bac31e556f0f241c4c95a95d5eb6d826216b96

SHA256
16e1b97794d65aa787cdfd49f06efa5b59cd2dc9de87a81104dcfec19a5a62d2

SHA512
b611f33755db3ef718501e473e71f775b809920dc1ced264195f5cd076e249313d00912fd3e8da856ad1d594101a80badac1282bfcbd55697cc7d7dd7e64d6d9

Download Submit
C:\Windows\System32\budyfSf.exe

Filesize
1.2MB

MD5
235387a19ea668fee02a2ebe873f2bd8

SHA1
c6f3f94414c84f18cf5ba50c696f1a44b0ec28da

SHA256
8460efd09d4f6d0132a39b18564c82a2185ea531bd0012fe981400bab052214b

SHA512
6585265769ca4183940c170fea14da260c2218e0eafc013183e75acc05d3563798d037eec0b55985634f0883fbd19d8b80e19552efdf18a24b70aa438e322b01

Download Submit
C:\Windows\System32\fYqwXrg.exe

Filesize
1.2MB

MD5
34563887ad0c9d6c594caca4cd4d8d5f

SHA1
5492d2dfc5cd8c3b06effdeb8a85e11fe43d32c0

SHA256
f630973df5c72c2393b9ce466ac5315ddd12ff5a0992026c4382465927233586

SHA512
715edf275e998018439c507ea32cc8b3b40f9f34c638ac8687ffa1d10939964b63f31f62f8d86759a2cf2e1aaef19e04a2757be30dc8bb370f74df57c666f693

Download Submit
C:\Windows\System32\gAtEKTz.exe

Filesize
1.2MB

MD5
239d613c887ae599bea361eff85aeae0

SHA1
db2dea79e22307848bdd4f7ace4da09d14affe2b

SHA256
e413858dbb5cfd4c4c30004e10ea52cb674681ee58a26c1e5eebba83b50d36ae

SHA512
d9a6ae332ec53d899c286cb4d8685001a2b41592343e441bbddc72699e56b76949c7aa52ec2dd483f8c123bbcb5ebfdd1b26183fe9e3124f7bcff9fc5b0ff1e5

Download Submit
C:\Windows\System32\gnCyLRS.exe

Filesize
1.2MB

MD5
493da01890bf4e7ba9916814cc8cc913

SHA1
ced9662fe785d0fab6596f97d1e593bcb64d0322

SHA256
79d67bf1c91038ec953ce1a27f213347a82eaaf585fa110c36296e36bafe3f2c

SHA512
6b16aeb5d7e28bca69996956e44d3f0239962d27cc39b047518ccd417fe5cd7b8775750b1e0b5b635858fff32cd4b730cbde811258ed4bd445d795438d0d5a1f

Download Submit
C:\Windows\System32\kCPDiYZ.exe

Filesize
1.2MB

MD5
bf156e78750d702ef6e573639e7abbd7

SHA1
1b7a8030b469cd6e9211e266d216519ac9d224ca

SHA256
16d9dc5429f046a18c838f7dd0d3ddb3165e67e095d0e3776f97653d2b28215a

SHA512
d995d329a17c9c735bd2bd75cf89040b711ab29dcc533cf12af41c9fd99340387c914c5201fedbb5bfd8759f5d897c5f42777a1c373a2391aa715074ce9648c7

Download Submit
C:\Windows\System32\kePiext.exe

Filesize
1.2MB

MD5
3b724672e1794d769362be0ffee47364

SHA1
8994ef7a913dcf7d6713dc7d531b84e33d903ab2

SHA256
7474a6c104553a60ea133f6007e6e64fc4ff67ff6554cf97c3a161395469e962

SHA512
c591b754d53107a72fd25d750fac48793c85ff56e42157cb74b518e30632264423361c01a3fc059bf052787b669b10ce561d61896b84a5fbbb49029bc4b07aa8

Download Submit
C:\Windows\System32\oKRlUuQ.exe

Filesize
1.2MB

MD5
dbcf7ead5afd9e74d63843df39ce0e38

SHA1
cf084dd90c2d7178c685a8c93b11260b0cf52899

SHA256
e9ffbe5d23aff2e04fb95456db0e3bd44ccc90d67348d6478a3ce72b2ab90755

SHA512
6cf9956a77ed496efaf1927f3b4c082c618bb38b83648141db58898db27e502422a528cab58dac7e01c312b281ec741960b6766965459db00ff97dbb5551fc4c

Download Submit
C:\Windows\System32\rArMjQM.exe

Filesize
1.2MB

MD5
389c9a82587a7bd4b691a9aafb039f2a

SHA1
d2ccc92a74cc81c47f58128e2dfe46fc52f5877c

SHA256
304ef47e16dc30579d19f2e25638461b8343cd264c2608020a626370af87d98d

SHA512
b7a2285b02ce7068271e395bf42494c4235e2a6293503e4fec4bed2c88efd883f0056cf200e1f9659b5128d9015ff5b46759c8c10fe3c34e7d3f5f7c48c06bc1

Download Submit
C:\Windows\System32\rDSrgCY.exe

Filesize
1.2MB

MD5
a8638cc938515f9e0c4f4cf407c1c62e

SHA1
cf851881f337314ad9300d985c2992ea79f890d1

SHA256
89f68b2de5bf0b6ad14e7773134013eecdfd8605e493a9effb129c5c26f26241

SHA512
195144dd9a59d4267d1a4947436356b15156cdf3f0c027d3448caa3e0122f460ad855e4bd5aa7ab6c86da2639eac7d4823e6eb013bb2a24c01bf084bcee4d227

Download Submit
C:\Windows\System32\rEJYDLE.exe

Filesize
1.2MB

MD5
07cdceeb595ddc4c0a0b641d4f67b461

SHA1
87da44f0600f09e9eba7bba52229017673e7314d

SHA256
74cf0ae73d751de1ab0ddc25a0eb751fd584788b16f7aacc2ea8ef75b750268f

SHA512
aed01584b2fbf8c1c9a034ba0e53b52d7f31e0ffdd5fc465b8a4b5e19c8cb1ab5c4ceccd3d282f2eb84d78698f210d17c72490d5e5e3aac918fa547d891bdf06

Download Submit
C:\Windows\System32\wKniCkp.exe

Filesize
1.2MB

MD5
a7cdedafdd86c206075598103f329c83

SHA1
cef122334fe352e69aae0c10b66b14ce205f9963

SHA256
4a5b4f5cf0ee1f351cb30d29cb1790fe4d0fe2560a3687971332ed53acca54a5

SHA512
fbcc2d264d4096fc309f86a8731517ee091149111a24a4b75ed7b00d5cfb416460a4aa0a1da9619bef053594e1c8a321fab4c770d6d967ab5d2e972ff43e4f90

Download Submit
C:\Windows\System32\wzRbRYG.exe

Filesize
1.2MB

MD5
8b29d1fb04704f52c25e22112891d3f7

SHA1
0e8d5c832801a181c353d8ed7f20f5dd5e477772

SHA256
92b33f65862e6ba9b0de2dea52b805f92ef197dffb17d163b3238b2aee6ccbca

SHA512
98310c83e391423852410dbfd9d0b84976a89630e87644294ccb569df29c0eeeb13371e4ae749b93450c2d6dabffef6841e1df278bc8b36e12267e67ce712200

Download Submit
memory/972-406-0x00007FF770230000-0x00007FF770621000-memory.dmp

Filesize
3.9MB

Download
memory/972-2037-0x00007FF770230000-0x00007FF770621000-memory.dmp

Filesize
3.9MB

Download
memory/1196-2031-0x00007FF69D320000-0x00007FF69D711000-memory.dmp

Filesize
3.9MB

Download
memory/1196-413-0x00007FF69D320000-0x00007FF69D711000-memory.dmp

Filesize
3.9MB

Download
memory/1464-388-0x00007FF777C10000-0x00007FF778001000-memory.dmp

Filesize
3.9MB

Download
memory/1464-2019-0x00007FF777C10000-0x00007FF778001000-memory.dmp

Filesize
3.9MB

Download
memory/1468-2013-0x00007FF6C3760000-0x00007FF6C3B51000-memory.dmp

Filesize
3.9MB

Download
memory/1468-380-0x00007FF6C3760000-0x00007FF6C3B51000-memory.dmp

Filesize
3.9MB

Download
memory/1832-1-0x0000024ABE890000-0x0000024ABE8A0000-memory.dmp

Filesize
64KB

Download
memory/1832-0-0x00007FF73B5A0000-0x00007FF73B991000-memory.dmp

Filesize
3.9MB

Download
memory/1832-1959-0x00007FF73B5A0000-0x00007FF73B991000-memory.dmp

Filesize
3.9MB

Download
memory/1852-33-0x00007FF671F90000-0x00007FF672381000-memory.dmp

Filesize
3.9MB

Download
memory/1852-2008-0x00007FF671F90000-0x00007FF672381000-memory.dmp

Filesize
3.9MB

Download
memory/1980-403-0x00007FF6EABB0000-0x00007FF6EAFA1000-memory.dmp

Filesize
3.9MB

Download
memory/1980-2033-0x00007FF6EABB0000-0x00007FF6EAFA1000-memory.dmp

Filesize
3.9MB

Download
memory/2012-2005-0x00007FF74EC10000-0x00007FF74F001000-memory.dmp

Filesize
3.9MB

Download
memory/2012-1994-0x00007FF74EC10000-0x00007FF74F001000-memory.dmp

Filesize
3.9MB

Download
memory/2012-20-0x00007FF74EC10000-0x00007FF74F001000-memory.dmp

Filesize
3.9MB

Download
memory/2084-393-0x00007FF64B710000-0x00007FF64BB01000-memory.dmp

Filesize
3.9MB

Download
memory/2084-2029-0x00007FF64B710000-0x00007FF64BB01000-memory.dmp

Filesize
3.9MB

Download
memory/2168-387-0x00007FF6445F0000-0x00007FF6449E1000-memory.dmp

Filesize
3.9MB

Download
memory/2168-2015-0x00007FF6445F0000-0x00007FF6449E1000-memory.dmp

Filesize
3.9MB

Download
memory/2228-37-0x00007FF676AA0000-0x00007FF676E91000-memory.dmp

Filesize
3.9MB

Download
memory/2228-2116-0x00007FF676AA0000-0x00007FF676E91000-memory.dmp

Filesize
3.9MB

Download
memory/2228-1995-0x00007FF676AA0000-0x00007FF676E91000-memory.dmp

Filesize
3.9MB

Download
memory/2420-439-0x00007FF698D00000-0x00007FF6990F1000-memory.dmp

Filesize
3.9MB

Download
memory/2420-2041-0x00007FF698D00000-0x00007FF6990F1000-memory.dmp

Filesize
3.9MB

Download
memory/2928-386-0x00007FF6A59C0000-0x00007FF6A5DB1000-memory.dmp

Filesize
3.9MB

Download
memory/2928-2017-0x00007FF6A59C0000-0x00007FF6A5DB1000-memory.dmp

Filesize
3.9MB

Download
memory/3044-2023-0x00007FF781AD0000-0x00007FF781EC1000-memory.dmp

Filesize
3.9MB

Download
memory/3044-424-0x00007FF781AD0000-0x00007FF781EC1000-memory.dmp

Filesize
3.9MB

Download
memory/3256-2001-0x00007FF772DB0000-0x00007FF7731A1000-memory.dmp

Filesize
3.9MB

Download
memory/3256-1960-0x00007FF772DB0000-0x00007FF7731A1000-memory.dmp

Filesize
3.9MB

Download
memory/3256-8-0x00007FF772DB0000-0x00007FF7731A1000-memory.dmp

Filesize
3.9MB

Download
memory/3412-16-0x00007FF6A09B0000-0x00007FF6A0DA1000-memory.dmp

Filesize
3.9MB

Download
memory/3412-1961-0x00007FF6A09B0000-0x00007FF6A0DA1000-memory.dmp

Filesize
3.9MB

Download
memory/3412-2003-0x00007FF6A09B0000-0x00007FF6A0DA1000-memory.dmp

Filesize
3.9MB

Download
memory/3428-434-0x00007FF728CB0000-0x00007FF7290A1000-memory.dmp

Filesize
3.9MB

Download
memory/3428-2039-0x00007FF728CB0000-0x00007FF7290A1000-memory.dmp

Filesize
3.9MB

Download
memory/3776-35-0x00007FF7B2560000-0x00007FF7B2951000-memory.dmp

Filesize
3.9MB

Download
memory/3776-2009-0x00007FF7B2560000-0x00007FF7B2951000-memory.dmp

Filesize
3.9MB

Download
memory/3792-2043-0x00007FF763080000-0x00007FF763471000-memory.dmp

Filesize
3.9MB

Download
memory/3792-444-0x00007FF763080000-0x00007FF763471000-memory.dmp

Filesize
3.9MB

Download
memory/3908-2048-0x00007FF601D10000-0x00007FF602101000-memory.dmp

Filesize
3.9MB

Download
memory/3908-447-0x00007FF601D10000-0x00007FF602101000-memory.dmp

Filesize
3.9MB

Download
memory/3920-2025-0x00007FF7BB930000-0x00007FF7BBD21000-memory.dmp

Filesize
3.9MB

Download
memory/3920-389-0x00007FF7BB930000-0x00007FF7BBD21000-memory.dmp

Filesize
3.9MB

Download
memory/4532-429-0x00007FF67C8F0000-0x00007FF67CCE1000-memory.dmp

Filesize
3.9MB

Download
memory/4532-2021-0x00007FF67C8F0000-0x00007FF67CCE1000-memory.dmp

Filesize
3.9MB

Download
memory/4544-2011-0x00007FF604910000-0x00007FF604D01000-memory.dmp

Filesize
3.9MB

Download
memory/4544-373-0x00007FF604910000-0x00007FF604D01000-memory.dmp

Filesize
3.9MB

Download
memory/4620-416-0x00007FF63B250000-0x00007FF63B641000-memory.dmp

Filesize
3.9MB

Download
memory/4620-2035-0x00007FF63B250000-0x00007FF63B641000-memory.dmp

Filesize
3.9MB

Download
memory/4752-2027-0x00007FF68A9B0000-0x00007FF68ADA1000-memory.dmp

Filesize
3.9MB

Download
memory/4752-421-0x00007FF68A9B0000-0x00007FF68ADA1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads