xmrig | 75238f60a251645dedb3f5ab6937a6da0691bb1a2cbcd8a6bd2ebdf6fcd1909e

Analysis

max time kernel
126s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
Size

1.3MB
MD5

15afec5ca02670f6172dd0358c34e15b
SHA1

a79d32529fea493575db85fd0a17de0b11f0438c
SHA256

75238f60a251645dedb3f5ab6937a6da0691bb1a2cbcd8a6bd2ebdf6fcd1909e
SHA512

f6599c58071e31db5af3f5ea4755acb3f2113a26ebcf54dda68444387b9aaa021cf0f4a936c11365fa4bc1bfb4a2274a4b36823a04d114274c0c182b2b2c1e40
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOj1xNQ:knw9oUUEEDlGUh+hNj3y

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/3324-362-0x00007FF601F60000-0x00007FF602351000-memory.dmp	xmrig
behavioral2/memory/4456-364-0x00007FF70A310000-0x00007FF70A701000-memory.dmp	xmrig
behavioral2/memory/4288-365-0x00007FF6994A0000-0x00007FF699891000-memory.dmp	xmrig
behavioral2/memory/4968-366-0x00007FF66C560000-0x00007FF66C951000-memory.dmp	xmrig
behavioral2/memory/3800-376-0x00007FF7E2910000-0x00007FF7E2D01000-memory.dmp	xmrig
behavioral2/memory/3644-387-0x00007FF6A2370000-0x00007FF6A2761000-memory.dmp	xmrig
behavioral2/memory/2676-371-0x00007FF684400000-0x00007FF6847F1000-memory.dmp	xmrig
behavioral2/memory/3580-393-0x00007FF7938F0000-0x00007FF793CE1000-memory.dmp	xmrig
behavioral2/memory/1756-397-0x00007FF629FA0000-0x00007FF62A391000-memory.dmp	xmrig
behavioral2/memory/2416-407-0x00007FF7B8DC0000-0x00007FF7B91B1000-memory.dmp	xmrig
behavioral2/memory/4000-10-0x00007FF6F7D10000-0x00007FF6F8101000-memory.dmp	xmrig
behavioral2/memory/1584-416-0x00007FF7F0770000-0x00007FF7F0B61000-memory.dmp	xmrig
behavioral2/memory/4976-424-0x00007FF743FF0000-0x00007FF7443E1000-memory.dmp	xmrig
behavioral2/memory/4168-430-0x00007FF6609E0000-0x00007FF660DD1000-memory.dmp	xmrig
behavioral2/memory/4868-449-0x00007FF69E450000-0x00007FF69E841000-memory.dmp	xmrig
behavioral2/memory/3640-452-0x00007FF688CC0000-0x00007FF6890B1000-memory.dmp	xmrig
behavioral2/memory/704-457-0x00007FF7CC430000-0x00007FF7CC821000-memory.dmp	xmrig
behavioral2/memory/2620-461-0x00007FF7A01D0000-0x00007FF7A05C1000-memory.dmp	xmrig
behavioral2/memory/3200-470-0x00007FF77ACF0000-0x00007FF77B0E1000-memory.dmp	xmrig
behavioral2/memory/3844-472-0x00007FF79C4B0000-0x00007FF79C8A1000-memory.dmp	xmrig
behavioral2/memory/4516-473-0x00007FF7D71E0000-0x00007FF7D75D1000-memory.dmp	xmrig
behavioral2/memory/3984-476-0x00007FF746920000-0x00007FF746D11000-memory.dmp	xmrig
behavioral2/memory/4032-477-0x00007FF784040000-0x00007FF784431000-memory.dmp	xmrig
behavioral2/memory/4872-479-0x00007FF6AB180000-0x00007FF6AB571000-memory.dmp	xmrig
behavioral2/memory/4000-1980-0x00007FF6F7D10000-0x00007FF6F8101000-memory.dmp	xmrig
behavioral2/memory/4000-1998-0x00007FF6F7D10000-0x00007FF6F8101000-memory.dmp	xmrig
behavioral2/memory/3324-2000-0x00007FF601F60000-0x00007FF602351000-memory.dmp	xmrig
behavioral2/memory/4288-2002-0x00007FF6994A0000-0x00007FF699891000-memory.dmp	xmrig
behavioral2/memory/4456-2006-0x00007FF70A310000-0x00007FF70A701000-memory.dmp	xmrig
behavioral2/memory/3800-2012-0x00007FF7E2910000-0x00007FF7E2D01000-memory.dmp	xmrig
behavioral2/memory/2676-2010-0x00007FF684400000-0x00007FF6847F1000-memory.dmp	xmrig
behavioral2/memory/3580-2016-0x00007FF7938F0000-0x00007FF793CE1000-memory.dmp	xmrig
behavioral2/memory/3644-2014-0x00007FF6A2370000-0x00007FF6A2761000-memory.dmp	xmrig
behavioral2/memory/4872-2008-0x00007FF6AB180000-0x00007FF6AB571000-memory.dmp	xmrig
behavioral2/memory/4968-2004-0x00007FF66C560000-0x00007FF66C951000-memory.dmp	xmrig
behavioral2/memory/2416-2022-0x00007FF7B8DC0000-0x00007FF7B91B1000-memory.dmp	xmrig
behavioral2/memory/4032-2033-0x00007FF784040000-0x00007FF784431000-memory.dmp	xmrig
behavioral2/memory/4868-2049-0x00007FF69E450000-0x00007FF69E841000-memory.dmp	xmrig
behavioral2/memory/2620-2044-0x00007FF7A01D0000-0x00007FF7A05C1000-memory.dmp	xmrig
behavioral2/memory/4168-2042-0x00007FF6609E0000-0x00007FF660DD1000-memory.dmp	xmrig
behavioral2/memory/704-2038-0x00007FF7CC430000-0x00007FF7CC821000-memory.dmp	xmrig
behavioral2/memory/3844-2036-0x00007FF79C4B0000-0x00007FF79C8A1000-memory.dmp	xmrig
behavioral2/memory/1584-2047-0x00007FF7F0770000-0x00007FF7F0B61000-memory.dmp	xmrig
behavioral2/memory/3640-2024-0x00007FF688CC0000-0x00007FF6890B1000-memory.dmp	xmrig
behavioral2/memory/4516-2031-0x00007FF7D71E0000-0x00007FF7D75D1000-memory.dmp	xmrig
behavioral2/memory/4976-2028-0x00007FF743FF0000-0x00007FF7443E1000-memory.dmp	xmrig
behavioral2/memory/3200-2026-0x00007FF77ACF0000-0x00007FF77B0E1000-memory.dmp	xmrig
behavioral2/memory/3984-2020-0x00007FF746920000-0x00007FF746D11000-memory.dmp	xmrig
behavioral2/memory/1756-2018-0x00007FF629FA0000-0x00007FF62A391000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4000	FLuSCSq.exe
3324	pcTfXdm.exe
4456	PPwdcWw.exe
4872	pZcoSQv.exe
4288	zZfGLor.exe
4968	paREdGC.exe
2676	MhkHxkO.exe
3800	xmugDEH.exe
3644	DGuQtwj.exe
3580	hZlgHPg.exe
1756	DiYjNaP.exe
2416	YkCPRiV.exe
1584	xdvNHdt.exe
4976	Utbbuct.exe
4168	nHFBsIX.exe
4868	lkAYuTc.exe
3640	HRGDpWA.exe
704	WubElDq.exe
2620	xDljxBZ.exe
3200	tpXlCWj.exe
3844	QzHkdaz.exe
4516	GvWjiaN.exe
3984	IpiiGYt.exe
4032	wpcGvGM.exe
2780	kzPmZsc.exe
2368	xgHCXnp.exe
1064	vPOXbzk.exe
3768	xehXZWF.exe
452	JaxHMtF.exe
2208	QFTxjal.exe
4936	ImQGrlw.exe
3480	MiOhrSe.exe
4644	KGMbmTd.exe
2648	PiKUzih.exe
868	xAiINfz.exe
4576	IIOJevy.exe
4308	xQxPKTD.exe
1160	WGIFKhC.exe
5016	dzVcNZG.exe
4940	MbKablY.exe
4840	kZSfQVQ.exe
4784	cQCMGbV.exe
4064	DkxetXE.exe
2956	UaeJteO.exe
4148	YBYUApC.exe
3020	SSZqUul.exe
4244	egFOIOP.exe
4208	xImcFIa.exe
1148	bOyfnoY.exe
3948	onnBPRR.exe
3516	XkLoDGh.exe
4612	bRUeArl.exe
3944	djsIhra.exe
2484	yDGsACS.exe
2792	qfDXBix.exe
680	Uvtenpu.exe
3436	JMCXpDT.exe
2328	xOuEOAQ.exe
2052	xkxwbpT.exe
4552	sObUXqJ.exe
456	uzzFoXr.exe
2436	EiVMURE.exe
3292	RiuOQcf.exe
2540	veQQTcT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1496-0-0x00007FF6E4BB0000-0x00007FF6E4FA1000-memory.dmp	upx
behavioral2/files/0x000c000000023b3d-5.dat	upx
behavioral2/files/0x000a000000023ba2-14.dat	upx
behavioral2/files/0x000a000000023ba1-15.dat	upx
behavioral2/files/0x000a000000023ba3-20.dat	upx
behavioral2/files/0x000a000000023ba5-32.dat	upx
behavioral2/files/0x000a000000023ba6-37.dat	upx
behavioral2/files/0x000a000000023ba7-42.dat	upx
behavioral2/files/0x000a000000023ba8-47.dat	upx
behavioral2/files/0x000a000000023baa-55.dat	upx
behavioral2/files/0x000a000000023bab-60.dat	upx
behavioral2/files/0x000a000000023bac-67.dat	upx
behavioral2/files/0x000a000000023baf-82.dat	upx
behavioral2/files/0x000a000000023bb1-92.dat	upx
behavioral2/files/0x0031000000023bb4-107.dat	upx
behavioral2/files/0x000a000000023bb9-132.dat	upx
behavioral2/files/0x000a000000023bbe-157.dat	upx
behavioral2/memory/3324-362-0x00007FF601F60000-0x00007FF602351000-memory.dmp	upx
behavioral2/memory/4456-364-0x00007FF70A310000-0x00007FF70A701000-memory.dmp	upx
behavioral2/memory/4288-365-0x00007FF6994A0000-0x00007FF699891000-memory.dmp	upx
behavioral2/memory/4968-366-0x00007FF66C560000-0x00007FF66C951000-memory.dmp	upx
behavioral2/memory/3800-376-0x00007FF7E2910000-0x00007FF7E2D01000-memory.dmp	upx
behavioral2/memory/3644-387-0x00007FF6A2370000-0x00007FF6A2761000-memory.dmp	upx
behavioral2/memory/2676-371-0x00007FF684400000-0x00007FF6847F1000-memory.dmp	upx
behavioral2/memory/3580-393-0x00007FF7938F0000-0x00007FF793CE1000-memory.dmp	upx
behavioral2/memory/1756-397-0x00007FF629FA0000-0x00007FF62A391000-memory.dmp	upx
behavioral2/memory/2416-407-0x00007FF7B8DC0000-0x00007FF7B91B1000-memory.dmp	upx
behavioral2/files/0x000a000000023bbf-162.dat	upx
behavioral2/files/0x000a000000023bbd-152.dat	upx
behavioral2/files/0x000a000000023bbc-147.dat	upx
behavioral2/files/0x000a000000023bbb-142.dat	upx
behavioral2/files/0x000a000000023bba-137.dat	upx
behavioral2/files/0x000a000000023bb8-127.dat	upx
behavioral2/files/0x000a000000023bb7-122.dat	upx
behavioral2/files/0x0031000000023bb6-117.dat	upx
behavioral2/files/0x0031000000023bb5-112.dat	upx
behavioral2/files/0x000a000000023bb3-102.dat	upx
behavioral2/files/0x000a000000023bb2-97.dat	upx
behavioral2/files/0x000a000000023bb0-87.dat	upx
behavioral2/files/0x000a000000023bae-77.dat	upx
behavioral2/files/0x000a000000023bad-72.dat	upx
behavioral2/files/0x000a000000023ba9-52.dat	upx
behavioral2/files/0x000a000000023ba4-27.dat	upx
behavioral2/memory/4000-10-0x00007FF6F7D10000-0x00007FF6F8101000-memory.dmp	upx
behavioral2/memory/1584-416-0x00007FF7F0770000-0x00007FF7F0B61000-memory.dmp	upx
behavioral2/memory/4976-424-0x00007FF743FF0000-0x00007FF7443E1000-memory.dmp	upx
behavioral2/memory/4168-430-0x00007FF6609E0000-0x00007FF660DD1000-memory.dmp	upx
behavioral2/memory/4868-449-0x00007FF69E450000-0x00007FF69E841000-memory.dmp	upx
behavioral2/memory/3640-452-0x00007FF688CC0000-0x00007FF6890B1000-memory.dmp	upx
behavioral2/memory/704-457-0x00007FF7CC430000-0x00007FF7CC821000-memory.dmp	upx
behavioral2/memory/2620-461-0x00007FF7A01D0000-0x00007FF7A05C1000-memory.dmp	upx
behavioral2/memory/3200-470-0x00007FF77ACF0000-0x00007FF77B0E1000-memory.dmp	upx
behavioral2/memory/3844-472-0x00007FF79C4B0000-0x00007FF79C8A1000-memory.dmp	upx
behavioral2/memory/4516-473-0x00007FF7D71E0000-0x00007FF7D75D1000-memory.dmp	upx
behavioral2/memory/3984-476-0x00007FF746920000-0x00007FF746D11000-memory.dmp	upx
behavioral2/memory/4032-477-0x00007FF784040000-0x00007FF784431000-memory.dmp	upx
behavioral2/memory/4872-479-0x00007FF6AB180000-0x00007FF6AB571000-memory.dmp	upx
behavioral2/memory/4000-1980-0x00007FF6F7D10000-0x00007FF6F8101000-memory.dmp	upx
behavioral2/memory/4000-1998-0x00007FF6F7D10000-0x00007FF6F8101000-memory.dmp	upx
behavioral2/memory/3324-2000-0x00007FF601F60000-0x00007FF602351000-memory.dmp	upx
behavioral2/memory/4288-2002-0x00007FF6994A0000-0x00007FF699891000-memory.dmp	upx
behavioral2/memory/4456-2006-0x00007FF70A310000-0x00007FF70A701000-memory.dmp	upx
behavioral2/memory/3800-2012-0x00007FF7E2910000-0x00007FF7E2D01000-memory.dmp	upx
behavioral2/memory/2676-2010-0x00007FF684400000-0x00007FF6847F1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\JoeuMMc.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\NAkMzTR.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\ImQGrlw.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\oxMzTcI.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\UqywiRM.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\ahCFGKG.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\paREdGC.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\MbKablY.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\RftNxog.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\lIDomCT.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\hfcnDQa.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\pZcoSQv.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\sBCIwMt.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\dKKcfBn.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\VynkOhd.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\zIqXuKp.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\CKGtkhY.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\uHRwQuq.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\wNioUJC.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\xBojzQi.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\dbLYEhG.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\oCgxSwr.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\jumOgDL.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\XYPAuGk.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\noWGOzf.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\BjmIsRx.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\mZFqVwP.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\oJSgAVx.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\ccFxKcx.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\HitgeCv.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\uLWKogU.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\aXwuKVw.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\AXsldmh.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\fXqCdtB.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\LhNGbgC.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\qRalQcH.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\JrkHlVi.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\auTuHVV.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\TPlSGMS.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\KQpyQIs.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\CptHaEf.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\PQjfVgt.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\VqrgnZT.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\pQFftbo.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\uvhFwYW.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\kusHVsF.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\YQEtmrN.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\SOIKFfA.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\nmJdkDT.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\kZSfQVQ.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\aoDYiKH.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\GBAPrEP.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\swagghM.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\aFgsDIE.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\HQCWriS.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\RQrVskW.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\jWXKXNg.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\pfRryYx.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\mGadLJj.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\ZhnYLxQ.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\nhFhgnq.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\NJDhTkS.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\mDXhQaN.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
File created	C:\Windows\System32\cQCMGbV.exe	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13032	dwm.exe
Token: SeChangeNotifyPrivilege	13032	dwm.exe
Token: 33	13032	dwm.exe
Token: SeIncBasePriorityPrivilege	13032	dwm.exe
Token: SeShutdownPrivilege	13032	dwm.exe
Token: SeCreatePagefilePrivilege	13032	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4000	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	85
PID 1496 wrote to memory of 4000	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	85
PID 1496 wrote to memory of 4456	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	86
PID 1496 wrote to memory of 4456	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	86
PID 1496 wrote to memory of 3324	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	87
PID 1496 wrote to memory of 3324	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	87
PID 1496 wrote to memory of 4872	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	88
PID 1496 wrote to memory of 4872	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	88
PID 1496 wrote to memory of 4288	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	89
PID 1496 wrote to memory of 4288	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	89
PID 1496 wrote to memory of 4968	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	90
PID 1496 wrote to memory of 4968	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	90
PID 1496 wrote to memory of 2676	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	91
PID 1496 wrote to memory of 2676	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	91
PID 1496 wrote to memory of 3800	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	92
PID 1496 wrote to memory of 3800	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	92
PID 1496 wrote to memory of 3644	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	93
PID 1496 wrote to memory of 3644	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	93
PID 1496 wrote to memory of 3580	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	94
PID 1496 wrote to memory of 3580	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	94
PID 1496 wrote to memory of 1756	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	95
PID 1496 wrote to memory of 1756	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	95
PID 1496 wrote to memory of 2416	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	96
PID 1496 wrote to memory of 2416	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	96
PID 1496 wrote to memory of 1584	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	97
PID 1496 wrote to memory of 1584	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	97
PID 1496 wrote to memory of 4976	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	98
PID 1496 wrote to memory of 4976	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	98
PID 1496 wrote to memory of 4168	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	99
PID 1496 wrote to memory of 4168	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	99
PID 1496 wrote to memory of 4868	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	100
PID 1496 wrote to memory of 4868	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	100
PID 1496 wrote to memory of 3640	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	101
PID 1496 wrote to memory of 3640	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	101
PID 1496 wrote to memory of 704	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	102
PID 1496 wrote to memory of 704	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	102
PID 1496 wrote to memory of 2620	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	103
PID 1496 wrote to memory of 2620	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	103
PID 1496 wrote to memory of 3200	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	104
PID 1496 wrote to memory of 3200	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	104
PID 1496 wrote to memory of 3844	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	105
PID 1496 wrote to memory of 3844	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	105
PID 1496 wrote to memory of 4516	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	106
PID 1496 wrote to memory of 4516	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	106
PID 1496 wrote to memory of 3984	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	107
PID 1496 wrote to memory of 3984	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	107
PID 1496 wrote to memory of 4032	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	108
PID 1496 wrote to memory of 4032	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	108
PID 1496 wrote to memory of 2780	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	109
PID 1496 wrote to memory of 2780	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	109
PID 1496 wrote to memory of 2368	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	110
PID 1496 wrote to memory of 2368	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	110
PID 1496 wrote to memory of 1064	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	111
PID 1496 wrote to memory of 1064	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	111
PID 1496 wrote to memory of 3768	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	112
PID 1496 wrote to memory of 3768	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	112
PID 1496 wrote to memory of 452	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	113
PID 1496 wrote to memory of 452	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	113
PID 1496 wrote to memory of 2208	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	114
PID 1496 wrote to memory of 2208	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	114
PID 1496 wrote to memory of 4936	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	115
PID 1496 wrote to memory of 4936	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	115
PID 1496 wrote to memory of 3480	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	116
PID 1496 wrote to memory of 3480	1496	15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15afec5ca02670f6172dd0358c34e15b_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\System32\FLuSCSq.exe
  C:\Windows\System32\FLuSCSq.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System32\PPwdcWw.exe
  C:\Windows\System32\PPwdcWw.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\pcTfXdm.exe
  C:\Windows\System32\pcTfXdm.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System32\pZcoSQv.exe
  C:\Windows\System32\pZcoSQv.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\zZfGLor.exe
  C:\Windows\System32\zZfGLor.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\paREdGC.exe
  C:\Windows\System32\paREdGC.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\MhkHxkO.exe
  C:\Windows\System32\MhkHxkO.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System32\xmugDEH.exe
  C:\Windows\System32\xmugDEH.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System32\DGuQtwj.exe
  C:\Windows\System32\DGuQtwj.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System32\hZlgHPg.exe
  C:\Windows\System32\hZlgHPg.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\DiYjNaP.exe
  C:\Windows\System32\DiYjNaP.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\YkCPRiV.exe
  C:\Windows\System32\YkCPRiV.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\xdvNHdt.exe
  C:\Windows\System32\xdvNHdt.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System32\Utbbuct.exe
  C:\Windows\System32\Utbbuct.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\nHFBsIX.exe
  C:\Windows\System32\nHFBsIX.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System32\lkAYuTc.exe
  C:\Windows\System32\lkAYuTc.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\HRGDpWA.exe
  C:\Windows\System32\HRGDpWA.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System32\WubElDq.exe
  C:\Windows\System32\WubElDq.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System32\xDljxBZ.exe
  C:\Windows\System32\xDljxBZ.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System32\tpXlCWj.exe
  C:\Windows\System32\tpXlCWj.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System32\QzHkdaz.exe
  C:\Windows\System32\QzHkdaz.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\GvWjiaN.exe
  C:\Windows\System32\GvWjiaN.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\IpiiGYt.exe
  C:\Windows\System32\IpiiGYt.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System32\wpcGvGM.exe
  C:\Windows\System32\wpcGvGM.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\kzPmZsc.exe
  C:\Windows\System32\kzPmZsc.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System32\xgHCXnp.exe
  C:\Windows\System32\xgHCXnp.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\vPOXbzk.exe
  C:\Windows\System32\vPOXbzk.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System32\xehXZWF.exe
  C:\Windows\System32\xehXZWF.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\JaxHMtF.exe
  C:\Windows\System32\JaxHMtF.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System32\QFTxjal.exe
  C:\Windows\System32\QFTxjal.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System32\ImQGrlw.exe
  C:\Windows\System32\ImQGrlw.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System32\MiOhrSe.exe
  C:\Windows\System32\MiOhrSe.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\KGMbmTd.exe
  C:\Windows\System32\KGMbmTd.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\PiKUzih.exe
  C:\Windows\System32\PiKUzih.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\xAiINfz.exe
  C:\Windows\System32\xAiINfz.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System32\IIOJevy.exe
  C:\Windows\System32\IIOJevy.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\xQxPKTD.exe
  C:\Windows\System32\xQxPKTD.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\WGIFKhC.exe
  C:\Windows\System32\WGIFKhC.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\dzVcNZG.exe
  C:\Windows\System32\dzVcNZG.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\MbKablY.exe
  C:\Windows\System32\MbKablY.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System32\kZSfQVQ.exe
  C:\Windows\System32\kZSfQVQ.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\cQCMGbV.exe
  C:\Windows\System32\cQCMGbV.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System32\DkxetXE.exe
  C:\Windows\System32\DkxetXE.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System32\UaeJteO.exe
  C:\Windows\System32\UaeJteO.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\YBYUApC.exe
  C:\Windows\System32\YBYUApC.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System32\SSZqUul.exe
  C:\Windows\System32\SSZqUul.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System32\egFOIOP.exe
  C:\Windows\System32\egFOIOP.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System32\xImcFIa.exe
  C:\Windows\System32\xImcFIa.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System32\bOyfnoY.exe
  C:\Windows\System32\bOyfnoY.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System32\onnBPRR.exe
  C:\Windows\System32\onnBPRR.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System32\XkLoDGh.exe
  C:\Windows\System32\XkLoDGh.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System32\bRUeArl.exe
  C:\Windows\System32\bRUeArl.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\djsIhra.exe
  C:\Windows\System32\djsIhra.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\yDGsACS.exe
  C:\Windows\System32\yDGsACS.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\qfDXBix.exe
  C:\Windows\System32\qfDXBix.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System32\Uvtenpu.exe
  C:\Windows\System32\Uvtenpu.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System32\JMCXpDT.exe
  C:\Windows\System32\JMCXpDT.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System32\xOuEOAQ.exe
  C:\Windows\System32\xOuEOAQ.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System32\xkxwbpT.exe
  C:\Windows\System32\xkxwbpT.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System32\sObUXqJ.exe
  C:\Windows\System32\sObUXqJ.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\uzzFoXr.exe
  C:\Windows\System32\uzzFoXr.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System32\EiVMURE.exe
  C:\Windows\System32\EiVMURE.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\RiuOQcf.exe
  C:\Windows\System32\RiuOQcf.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\veQQTcT.exe
  C:\Windows\System32\veQQTcT.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System32\aoDYiKH.exe
  C:\Windows\System32\aoDYiKH.exe
  2⤵
  PID:1424
- C:\Windows\System32\GwRZNAi.exe
  C:\Windows\System32\GwRZNAi.exe
  2⤵
  PID:2524
- C:\Windows\System32\VfiDjWt.exe
  C:\Windows\System32\VfiDjWt.exe
  2⤵
  PID:4860
- C:\Windows\System32\tTFdVoR.exe
  C:\Windows\System32\tTFdVoR.exe
  2⤵
  PID:2476
- C:\Windows\System32\dWnHvSX.exe
  C:\Windows\System32\dWnHvSX.exe
  2⤵
  PID:2952
- C:\Windows\System32\OvCjzri.exe
  C:\Windows\System32\OvCjzri.exe
  2⤵
  PID:1668
- C:\Windows\System32\TYoErwy.exe
  C:\Windows\System32\TYoErwy.exe
  2⤵
  PID:4892
- C:\Windows\System32\EUrQhEf.exe
  C:\Windows\System32\EUrQhEf.exe
  2⤵
  PID:1544
- C:\Windows\System32\xBojzQi.exe
  C:\Windows\System32\xBojzQi.exe
  2⤵
  PID:2380
- C:\Windows\System32\zKAIZNE.exe
  C:\Windows\System32\zKAIZNE.exe
  2⤵
  PID:5044
- C:\Windows\System32\motjUEy.exe
  C:\Windows\System32\motjUEy.exe
  2⤵
  PID:4204
- C:\Windows\System32\yENXjUa.exe
  C:\Windows\System32\yENXjUa.exe
  2⤵
  PID:3296
- C:\Windows\System32\LMlRwqb.exe
  C:\Windows\System32\LMlRwqb.exe
  2⤵
  PID:2308
- C:\Windows\System32\YccuKXF.exe
  C:\Windows\System32\YccuKXF.exe
  2⤵
  PID:216
- C:\Windows\System32\tXksKpu.exe
  C:\Windows\System32\tXksKpu.exe
  2⤵
  PID:4412
- C:\Windows\System32\SzaxhSV.exe
  C:\Windows\System32\SzaxhSV.exe
  2⤵
  PID:3440
- C:\Windows\System32\gSkumqy.exe
  C:\Windows\System32\gSkumqy.exe
  2⤵
  PID:3836
- C:\Windows\System32\eriAXCb.exe
  C:\Windows\System32\eriAXCb.exe
  2⤵
  PID:3304
- C:\Windows\System32\bHXCrCU.exe
  C:\Windows\System32\bHXCrCU.exe
  2⤵
  PID:1420
- C:\Windows\System32\WufOHvp.exe
  C:\Windows\System32\WufOHvp.exe
  2⤵
  PID:1016
- C:\Windows\System32\GiLrFOs.exe
  C:\Windows\System32\GiLrFOs.exe
  2⤵
  PID:5144
- C:\Windows\System32\Cpgkoam.exe
  C:\Windows\System32\Cpgkoam.exe
  2⤵
  PID:5172
- C:\Windows\System32\EHswxgX.exe
  C:\Windows\System32\EHswxgX.exe
  2⤵
  PID:5196
- C:\Windows\System32\DQDpaxy.exe
  C:\Windows\System32\DQDpaxy.exe
  2⤵
  PID:5228
- C:\Windows\System32\PQjfVgt.exe
  C:\Windows\System32\PQjfVgt.exe
  2⤵
  PID:5256
- C:\Windows\System32\oxMzTcI.exe
  C:\Windows\System32\oxMzTcI.exe
  2⤵
  PID:5280
- C:\Windows\System32\sBCIwMt.exe
  C:\Windows\System32\sBCIwMt.exe
  2⤵
  PID:5312
- C:\Windows\System32\fXqCdtB.exe
  C:\Windows\System32\fXqCdtB.exe
  2⤵
  PID:5344
- C:\Windows\System32\Xxgeehh.exe
  C:\Windows\System32\Xxgeehh.exe
  2⤵
  PID:5364
- C:\Windows\System32\RSKuMen.exe
  C:\Windows\System32\RSKuMen.exe
  2⤵
  PID:5396
- C:\Windows\System32\NPkmxqt.exe
  C:\Windows\System32\NPkmxqt.exe
  2⤵
  PID:5424
- C:\Windows\System32\dkhAOGY.exe
  C:\Windows\System32\dkhAOGY.exe
  2⤵
  PID:5452
- C:\Windows\System32\dmFGlUb.exe
  C:\Windows\System32\dmFGlUb.exe
  2⤵
  PID:5484
- C:\Windows\System32\RxgZDWN.exe
  C:\Windows\System32\RxgZDWN.exe
  2⤵
  PID:5508
- C:\Windows\System32\fAOeVyw.exe
  C:\Windows\System32\fAOeVyw.exe
  2⤵
  PID:5532
- C:\Windows\System32\QqHirMJ.exe
  C:\Windows\System32\QqHirMJ.exe
  2⤵
  PID:5628
- C:\Windows\System32\QIoAidy.exe
  C:\Windows\System32\QIoAidy.exe
  2⤵
  PID:5656
- C:\Windows\System32\EcxavLa.exe
  C:\Windows\System32\EcxavLa.exe
  2⤵
  PID:5676
- C:\Windows\System32\DczLPUt.exe
  C:\Windows\System32\DczLPUt.exe
  2⤵
  PID:5692
- C:\Windows\System32\djcLJzq.exe
  C:\Windows\System32\djcLJzq.exe
  2⤵
  PID:5720
- C:\Windows\System32\RamEbMi.exe
  C:\Windows\System32\RamEbMi.exe
  2⤵
  PID:5736
- C:\Windows\System32\WoPIdNx.exe
  C:\Windows\System32\WoPIdNx.exe
  2⤵
  PID:5756
- C:\Windows\System32\vdFKpcX.exe
  C:\Windows\System32\vdFKpcX.exe
  2⤵
  PID:5780
- C:\Windows\System32\RQrVskW.exe
  C:\Windows\System32\RQrVskW.exe
  2⤵
  PID:5828
- C:\Windows\System32\oJSgAVx.exe
  C:\Windows\System32\oJSgAVx.exe
  2⤵
  PID:5920
- C:\Windows\System32\qrgfAcn.exe
  C:\Windows\System32\qrgfAcn.exe
  2⤵
  PID:5936
- C:\Windows\System32\RftNxog.exe
  C:\Windows\System32\RftNxog.exe
  2⤵
  PID:5952
- C:\Windows\System32\fjrFVCm.exe
  C:\Windows\System32\fjrFVCm.exe
  2⤵
  PID:5976
- C:\Windows\System32\WQMXWlj.exe
  C:\Windows\System32\WQMXWlj.exe
  2⤵
  PID:6004
- C:\Windows\System32\dZurUKb.exe
  C:\Windows\System32\dZurUKb.exe
  2⤵
  PID:6020
- C:\Windows\System32\zqeQVxi.exe
  C:\Windows\System32\zqeQVxi.exe
  2⤵
  PID:6052
- C:\Windows\System32\FlHDbhX.exe
  C:\Windows\System32\FlHDbhX.exe
  2⤵
  PID:6072
- C:\Windows\System32\TRTXpXT.exe
  C:\Windows\System32\TRTXpXT.exe
  2⤵
  PID:6092
- C:\Windows\System32\rNYaRDc.exe
  C:\Windows\System32\rNYaRDc.exe
  2⤵
  PID:6112
- C:\Windows\System32\dbLYEhG.exe
  C:\Windows\System32\dbLYEhG.exe
  2⤵
  PID:6132
- C:\Windows\System32\lLtPtVS.exe
  C:\Windows\System32\lLtPtVS.exe
  2⤵
  PID:4932
- C:\Windows\System32\bzPyyTz.exe
  C:\Windows\System32\bzPyyTz.exe
  2⤵
  PID:1812
- C:\Windows\System32\dKKcfBn.exe
  C:\Windows\System32\dKKcfBn.exe
  2⤵
  PID:1920
- C:\Windows\System32\aGoQRdR.exe
  C:\Windows\System32\aGoQRdR.exe
  2⤵
  PID:4924
- C:\Windows\System32\hFaKngn.exe
  C:\Windows\System32\hFaKngn.exe
  2⤵
  PID:5164
- C:\Windows\System32\eLbRRJR.exe
  C:\Windows\System32\eLbRRJR.exe
  2⤵
  PID:5180
- C:\Windows\System32\IBmceki.exe
  C:\Windows\System32\IBmceki.exe
  2⤵
  PID:4248
- C:\Windows\System32\cPeiBeQ.exe
  C:\Windows\System32\cPeiBeQ.exe
  2⤵
  PID:5320
- C:\Windows\System32\kAxLnYZ.exe
  C:\Windows\System32\kAxLnYZ.exe
  2⤵
  PID:2948
- C:\Windows\System32\yNrDXNW.exe
  C:\Windows\System32\yNrDXNW.exe
  2⤵
  PID:5480
- C:\Windows\System32\KIQFIxA.exe
  C:\Windows\System32\KIQFIxA.exe
  2⤵
  PID:3584
- C:\Windows\System32\ogiLuDo.exe
  C:\Windows\System32\ogiLuDo.exe
  2⤵
  PID:5624
- C:\Windows\System32\PtRQEKt.exe
  C:\Windows\System32\PtRQEKt.exe
  2⤵
  PID:5732
- C:\Windows\System32\kNdjxMS.exe
  C:\Windows\System32\kNdjxMS.exe
  2⤵
  PID:5752
- C:\Windows\System32\lIDomCT.exe
  C:\Windows\System32\lIDomCT.exe
  2⤵
  PID:5800
- C:\Windows\System32\JEMZFlD.exe
  C:\Windows\System32\JEMZFlD.exe
  2⤵
  PID:5900
- C:\Windows\System32\LxqbGpP.exe
  C:\Windows\System32\LxqbGpP.exe
  2⤵
  PID:5960
- C:\Windows\System32\Bgpjjim.exe
  C:\Windows\System32\Bgpjjim.exe
  2⤵
  PID:6012
- C:\Windows\System32\uJwDOHE.exe
  C:\Windows\System32\uJwDOHE.exe
  2⤵
  PID:6100
- C:\Windows\System32\zbgflJU.exe
  C:\Windows\System32\zbgflJU.exe
  2⤵
  PID:5212
- C:\Windows\System32\ufUxvZl.exe
  C:\Windows\System32\ufUxvZl.exe
  2⤵
  PID:4972
- C:\Windows\System32\dVwHjUM.exe
  C:\Windows\System32\dVwHjUM.exe
  2⤵
  PID:5152
- C:\Windows\System32\XTtyLIf.exe
  C:\Windows\System32\XTtyLIf.exe
  2⤵
  PID:1480
- C:\Windows\System32\JSvMVYf.exe
  C:\Windows\System32\JSvMVYf.exe
  2⤵
  PID:5444
- C:\Windows\System32\ghmtaFq.exe
  C:\Windows\System32\ghmtaFq.exe
  2⤵
  PID:2736
- C:\Windows\System32\UURDmsb.exe
  C:\Windows\System32\UURDmsb.exe
  2⤵
  PID:5500
- C:\Windows\System32\OiyDXJi.exe
  C:\Windows\System32\OiyDXJi.exe
  2⤵
  PID:5588
- C:\Windows\System32\Fpbbwvz.exe
  C:\Windows\System32\Fpbbwvz.exe
  2⤵
  PID:2932
- C:\Windows\System32\hHiLgvM.exe
  C:\Windows\System32\hHiLgvM.exe
  2⤵
  PID:5704
- C:\Windows\System32\EgZmmdk.exe
  C:\Windows\System32\EgZmmdk.exe
  2⤵
  PID:5744
- C:\Windows\System32\RYiebFo.exe
  C:\Windows\System32\RYiebFo.exe
  2⤵
  PID:5848
- C:\Windows\System32\GYaUAyn.exe
  C:\Windows\System32\GYaUAyn.exe
  2⤵
  PID:5928
- C:\Windows\System32\XkDUcPP.exe
  C:\Windows\System32\XkDUcPP.exe
  2⤵
  PID:6036
- C:\Windows\System32\slPFNnU.exe
  C:\Windows\System32\slPFNnU.exe
  2⤵
  PID:6140
- C:\Windows\System32\IhjHdNu.exe
  C:\Windows\System32\IhjHdNu.exe
  2⤵
  PID:5188
- C:\Windows\System32\RacgKwC.exe
  C:\Windows\System32\RacgKwC.exe
  2⤵
  PID:5204
- C:\Windows\System32\ohDzNbO.exe
  C:\Windows\System32\ohDzNbO.exe
  2⤵
  PID:5360
- C:\Windows\System32\qNFhCEQ.exe
  C:\Windows\System32\qNFhCEQ.exe
  2⤵
  PID:2564
- C:\Windows\System32\gDVJmIP.exe
  C:\Windows\System32\gDVJmIP.exe
  2⤵
  PID:996
- C:\Windows\System32\JLwjNkE.exe
  C:\Windows\System32\JLwjNkE.exe
  2⤵
  PID:5688
- C:\Windows\System32\CNdTrqt.exe
  C:\Windows\System32\CNdTrqt.exe
  2⤵
  PID:5868
- C:\Windows\System32\uvhFwYW.exe
  C:\Windows\System32\uvhFwYW.exe
  2⤵
  PID:6120
- C:\Windows\System32\npgeOJs.exe
  C:\Windows\System32\npgeOJs.exe
  2⤵
  PID:344
- C:\Windows\System32\VynkOhd.exe
  C:\Windows\System32\VynkOhd.exe
  2⤵
  PID:5236
- C:\Windows\System32\rTTNNfq.exe
  C:\Windows\System32\rTTNNfq.exe
  2⤵
  PID:5384
- C:\Windows\System32\TekoCkF.exe
  C:\Windows\System32\TekoCkF.exe
  2⤵
  PID:5668
- C:\Windows\System32\pJNHkTA.exe
  C:\Windows\System32\pJNHkTA.exe
  2⤵
  PID:4680
- C:\Windows\System32\kusHVsF.exe
  C:\Windows\System32\kusHVsF.exe
  2⤵
  PID:6032
- C:\Windows\System32\bcPTZuP.exe
  C:\Windows\System32\bcPTZuP.exe
  2⤵
  PID:6160
- C:\Windows\System32\dzuWvNJ.exe
  C:\Windows\System32\dzuWvNJ.exe
  2⤵
  PID:6176
- C:\Windows\System32\mCaevzY.exe
  C:\Windows\System32\mCaevzY.exe
  2⤵
  PID:6192
- C:\Windows\System32\wYTRfeZ.exe
  C:\Windows\System32\wYTRfeZ.exe
  2⤵
  PID:6208
- C:\Windows\System32\INUtQkk.exe
  C:\Windows\System32\INUtQkk.exe
  2⤵
  PID:6224
- C:\Windows\System32\JvrUnow.exe
  C:\Windows\System32\JvrUnow.exe
  2⤵
  PID:6240
- C:\Windows\System32\oYfeVUQ.exe
  C:\Windows\System32\oYfeVUQ.exe
  2⤵
  PID:6256
- C:\Windows\System32\mHbFHEG.exe
  C:\Windows\System32\mHbFHEG.exe
  2⤵
  PID:6272
- C:\Windows\System32\pfqgwlr.exe
  C:\Windows\System32\pfqgwlr.exe
  2⤵
  PID:6288
- C:\Windows\System32\DqFoFoY.exe
  C:\Windows\System32\DqFoFoY.exe
  2⤵
  PID:6304
- C:\Windows\System32\YVXUjcN.exe
  C:\Windows\System32\YVXUjcN.exe
  2⤵
  PID:6320
- C:\Windows\System32\vNyTtgP.exe
  C:\Windows\System32\vNyTtgP.exe
  2⤵
  PID:6336
- C:\Windows\System32\mGadLJj.exe
  C:\Windows\System32\mGadLJj.exe
  2⤵
  PID:6352
- C:\Windows\System32\aGgZQGi.exe
  C:\Windows\System32\aGgZQGi.exe
  2⤵
  PID:6368
- C:\Windows\System32\oUGpGLD.exe
  C:\Windows\System32\oUGpGLD.exe
  2⤵
  PID:6384
- C:\Windows\System32\bfOagqd.exe
  C:\Windows\System32\bfOagqd.exe
  2⤵
  PID:6400
- C:\Windows\System32\zIqXuKp.exe
  C:\Windows\System32\zIqXuKp.exe
  2⤵
  PID:6416
- C:\Windows\System32\nSdvLwc.exe
  C:\Windows\System32\nSdvLwc.exe
  2⤵
  PID:6432
- C:\Windows\System32\NdbLOyJ.exe
  C:\Windows\System32\NdbLOyJ.exe
  2⤵
  PID:6448
- C:\Windows\System32\gRYsBlK.exe
  C:\Windows\System32\gRYsBlK.exe
  2⤵
  PID:6464
- C:\Windows\System32\FlFpstr.exe
  C:\Windows\System32\FlFpstr.exe
  2⤵
  PID:6480
- C:\Windows\System32\LYplJnu.exe
  C:\Windows\System32\LYplJnu.exe
  2⤵
  PID:6496
- C:\Windows\System32\XsLRYZw.exe
  C:\Windows\System32\XsLRYZw.exe
  2⤵
  PID:6512
- C:\Windows\System32\hIZITxM.exe
  C:\Windows\System32\hIZITxM.exe
  2⤵
  PID:6528
- C:\Windows\System32\NPcZtkS.exe
  C:\Windows\System32\NPcZtkS.exe
  2⤵
  PID:6544
- C:\Windows\System32\AFHUoyj.exe
  C:\Windows\System32\AFHUoyj.exe
  2⤵
  PID:6560
- C:\Windows\System32\nZEjeyu.exe
  C:\Windows\System32\nZEjeyu.exe
  2⤵
  PID:6576
- C:\Windows\System32\xzYDvsX.exe
  C:\Windows\System32\xzYDvsX.exe
  2⤵
  PID:6592
- C:\Windows\System32\DyhjMCz.exe
  C:\Windows\System32\DyhjMCz.exe
  2⤵
  PID:6608
- C:\Windows\System32\cCEiJTU.exe
  C:\Windows\System32\cCEiJTU.exe
  2⤵
  PID:6624
- C:\Windows\System32\jSwyOXa.exe
  C:\Windows\System32\jSwyOXa.exe
  2⤵
  PID:6640
- C:\Windows\System32\BPbDYZD.exe
  C:\Windows\System32\BPbDYZD.exe
  2⤵
  PID:6656
- C:\Windows\System32\HkLVemu.exe
  C:\Windows\System32\HkLVemu.exe
  2⤵
  PID:6672
- C:\Windows\System32\JLnTfuQ.exe
  C:\Windows\System32\JLnTfuQ.exe
  2⤵
  PID:6688
- C:\Windows\System32\VuKxpBP.exe
  C:\Windows\System32\VuKxpBP.exe
  2⤵
  PID:6704
- C:\Windows\System32\nhFhgnq.exe
  C:\Windows\System32\nhFhgnq.exe
  2⤵
  PID:6720
- C:\Windows\System32\JrzAfUq.exe
  C:\Windows\System32\JrzAfUq.exe
  2⤵
  PID:6736
- C:\Windows\System32\wYlIWGx.exe
  C:\Windows\System32\wYlIWGx.exe
  2⤵
  PID:6752
- C:\Windows\System32\xyGcQgm.exe
  C:\Windows\System32\xyGcQgm.exe
  2⤵
  PID:6768
- C:\Windows\System32\EOJFVZy.exe
  C:\Windows\System32\EOJFVZy.exe
  2⤵
  PID:6784
- C:\Windows\System32\alnwKcy.exe
  C:\Windows\System32\alnwKcy.exe
  2⤵
  PID:6800
- C:\Windows\System32\OSikABd.exe
  C:\Windows\System32\OSikABd.exe
  2⤵
  PID:6816
- C:\Windows\System32\PYfVpFi.exe
  C:\Windows\System32\PYfVpFi.exe
  2⤵
  PID:6832
- C:\Windows\System32\HCQcwQa.exe
  C:\Windows\System32\HCQcwQa.exe
  2⤵
  PID:6848
- C:\Windows\System32\ccFxKcx.exe
  C:\Windows\System32\ccFxKcx.exe
  2⤵
  PID:6864
- C:\Windows\System32\PYMIiFf.exe
  C:\Windows\System32\PYMIiFf.exe
  2⤵
  PID:6880
- C:\Windows\System32\jWXKXNg.exe
  C:\Windows\System32\jWXKXNg.exe
  2⤵
  PID:6896
- C:\Windows\System32\ruvdAqF.exe
  C:\Windows\System32\ruvdAqF.exe
  2⤵
  PID:6912
- C:\Windows\System32\jDJCECc.exe
  C:\Windows\System32\jDJCECc.exe
  2⤵
  PID:6928
- C:\Windows\System32\sqOYuHE.exe
  C:\Windows\System32\sqOYuHE.exe
  2⤵
  PID:6944
- C:\Windows\System32\JXHKmSE.exe
  C:\Windows\System32\JXHKmSE.exe
  2⤵
  PID:6960
- C:\Windows\System32\vMrXYBb.exe
  C:\Windows\System32\vMrXYBb.exe
  2⤵
  PID:6976
- C:\Windows\System32\bqgQbaV.exe
  C:\Windows\System32\bqgQbaV.exe
  2⤵
  PID:6992
- C:\Windows\System32\ZoIaRcr.exe
  C:\Windows\System32\ZoIaRcr.exe
  2⤵
  PID:7008
- C:\Windows\System32\jMQkdox.exe
  C:\Windows\System32\jMQkdox.exe
  2⤵
  PID:7024
- C:\Windows\System32\HMrlNRs.exe
  C:\Windows\System32\HMrlNRs.exe
  2⤵
  PID:7040
- C:\Windows\System32\HDbZjWG.exe
  C:\Windows\System32\HDbZjWG.exe
  2⤵
  PID:7056
- C:\Windows\System32\iclSvGs.exe
  C:\Windows\System32\iclSvGs.exe
  2⤵
  PID:7072
- C:\Windows\System32\GUVKbAc.exe
  C:\Windows\System32\GUVKbAc.exe
  2⤵
  PID:7088
- C:\Windows\System32\kClQbwB.exe
  C:\Windows\System32\kClQbwB.exe
  2⤵
  PID:7104
- C:\Windows\System32\xhrNbkI.exe
  C:\Windows\System32\xhrNbkI.exe
  2⤵
  PID:7120
- C:\Windows\System32\bLqTkWs.exe
  C:\Windows\System32\bLqTkWs.exe
  2⤵
  PID:7136
- C:\Windows\System32\sfyyWlY.exe
  C:\Windows\System32\sfyyWlY.exe
  2⤵
  PID:7152
- C:\Windows\System32\McNYonf.exe
  C:\Windows\System32\McNYonf.exe
  2⤵
  PID:2292
- C:\Windows\System32\NNFPQZE.exe
  C:\Windows\System32\NNFPQZE.exe
  2⤵
  PID:4072
- C:\Windows\System32\cgxGLsm.exe
  C:\Windows\System32\cgxGLsm.exe
  2⤵
  PID:5616
- C:\Windows\System32\VqrgnZT.exe
  C:\Windows\System32\VqrgnZT.exe
  2⤵
  PID:5620
- C:\Windows\System32\tRffsnT.exe
  C:\Windows\System32\tRffsnT.exe
  2⤵
  PID:6172
- C:\Windows\System32\yHZnoqf.exe
  C:\Windows\System32\yHZnoqf.exe
  2⤵
  PID:6204
- C:\Windows\System32\PbwXIYv.exe
  C:\Windows\System32\PbwXIYv.exe
  2⤵
  PID:6232
- C:\Windows\System32\xVimnze.exe
  C:\Windows\System32\xVimnze.exe
  2⤵
  PID:6268
- C:\Windows\System32\yTOLBvd.exe
  C:\Windows\System32\yTOLBvd.exe
  2⤵
  PID:6300
- C:\Windows\System32\knWvtRL.exe
  C:\Windows\System32\knWvtRL.exe
  2⤵
  PID:6332
- C:\Windows\System32\GIyfEhf.exe
  C:\Windows\System32\GIyfEhf.exe
  2⤵
  PID:6360
- C:\Windows\System32\TTWjBhS.exe
  C:\Windows\System32\TTWjBhS.exe
  2⤵
  PID:6392
- C:\Windows\System32\kjguMvj.exe
  C:\Windows\System32\kjguMvj.exe
  2⤵
  PID:6424
- C:\Windows\System32\GHFgnkl.exe
  C:\Windows\System32\GHFgnkl.exe
  2⤵
  PID:6456
- C:\Windows\System32\FRSPuiW.exe
  C:\Windows\System32\FRSPuiW.exe
  2⤵
  PID:6476
- C:\Windows\System32\ffHBQkE.exe
  C:\Windows\System32\ffHBQkE.exe
  2⤵
  PID:6508
- C:\Windows\System32\XmRRQqW.exe
  C:\Windows\System32\XmRRQqW.exe
  2⤵
  PID:6536
- C:\Windows\System32\ywdrJbQ.exe
  C:\Windows\System32\ywdrJbQ.exe
  2⤵
  PID:6568
- C:\Windows\System32\qRalQcH.exe
  C:\Windows\System32\qRalQcH.exe
  2⤵
  PID:6600
- C:\Windows\System32\mSCOkfL.exe
  C:\Windows\System32\mSCOkfL.exe
  2⤵
  PID:6632
- C:\Windows\System32\mzWGrCS.exe
  C:\Windows\System32\mzWGrCS.exe
  2⤵
  PID:6664
- C:\Windows\System32\YQEtmrN.exe
  C:\Windows\System32\YQEtmrN.exe
  2⤵
  PID:6696
- C:\Windows\System32\VsMwDRu.exe
  C:\Windows\System32\VsMwDRu.exe
  2⤵
  PID:6716
- C:\Windows\System32\wjMnnQt.exe
  C:\Windows\System32\wjMnnQt.exe
  2⤵
  PID:6748
- C:\Windows\System32\RdZjVjl.exe
  C:\Windows\System32\RdZjVjl.exe
  2⤵
  PID:6776
- C:\Windows\System32\rxVXWsj.exe
  C:\Windows\System32\rxVXWsj.exe
  2⤵
  PID:6808
- C:\Windows\System32\CerxKwh.exe
  C:\Windows\System32\CerxKwh.exe
  2⤵
  PID:6860
- C:\Windows\System32\QxyRLcr.exe
  C:\Windows\System32\QxyRLcr.exe
  2⤵
  PID:6892
- C:\Windows\System32\CsTFyhR.exe
  C:\Windows\System32\CsTFyhR.exe
  2⤵
  PID:6924
- C:\Windows\System32\SEpzJsi.exe
  C:\Windows\System32\SEpzJsi.exe
  2⤵
  PID:6956
- C:\Windows\System32\plclluD.exe
  C:\Windows\System32\plclluD.exe
  2⤵
  PID:6984
- C:\Windows\System32\wYYRaSm.exe
  C:\Windows\System32\wYYRaSm.exe
  2⤵
  PID:7016
- C:\Windows\System32\MTiTTjc.exe
  C:\Windows\System32\MTiTTjc.exe
  2⤵
  PID:7048
- C:\Windows\System32\sZBWAHA.exe
  C:\Windows\System32\sZBWAHA.exe
  2⤵
  PID:7080
- C:\Windows\System32\iCwJElI.exe
  C:\Windows\System32\iCwJElI.exe
  2⤵
  PID:7112
- C:\Windows\System32\RedrLsi.exe
  C:\Windows\System32\RedrLsi.exe
  2⤵
  PID:7148
- C:\Windows\System32\BpneqQf.exe
  C:\Windows\System32\BpneqQf.exe
  2⤵
  PID:1892
- C:\Windows\System32\CKGtkhY.exe
  C:\Windows\System32\CKGtkhY.exe
  2⤵
  PID:7860
- C:\Windows\System32\YpwxqUe.exe
  C:\Windows\System32\YpwxqUe.exe
  2⤵
  PID:7884
- C:\Windows\System32\RRGqWNn.exe
  C:\Windows\System32\RRGqWNn.exe
  2⤵
  PID:8208
- C:\Windows\System32\JrkHlVi.exe
  C:\Windows\System32\JrkHlVi.exe
  2⤵
  PID:8260
- C:\Windows\System32\hHrGhfe.exe
  C:\Windows\System32\hHrGhfe.exe
  2⤵
  PID:8316
- C:\Windows\System32\Lcjrabc.exe
  C:\Windows\System32\Lcjrabc.exe
  2⤵
  PID:8388
- C:\Windows\System32\kDHmPIp.exe
  C:\Windows\System32\kDHmPIp.exe
  2⤵
  PID:8408
- C:\Windows\System32\XYPAuGk.exe
  C:\Windows\System32\XYPAuGk.exe
  2⤵
  PID:8432
- C:\Windows\System32\UJItdIM.exe
  C:\Windows\System32\UJItdIM.exe
  2⤵
  PID:8456
- C:\Windows\System32\TRVaVVH.exe
  C:\Windows\System32\TRVaVVH.exe
  2⤵
  PID:8500
- C:\Windows\System32\LhNGbgC.exe
  C:\Windows\System32\LhNGbgC.exe
  2⤵
  PID:8524
- C:\Windows\System32\jAEPFNY.exe
  C:\Windows\System32\jAEPFNY.exe
  2⤵
  PID:8548
- C:\Windows\System32\EXROzth.exe
  C:\Windows\System32\EXROzth.exe
  2⤵
  PID:8572
- C:\Windows\System32\uHRwQuq.exe
  C:\Windows\System32\uHRwQuq.exe
  2⤵
  PID:8620
- C:\Windows\System32\ueFYtYe.exe
  C:\Windows\System32\ueFYtYe.exe
  2⤵
  PID:8640
- C:\Windows\System32\GVTBfFT.exe
  C:\Windows\System32\GVTBfFT.exe
  2⤵
  PID:8664
- C:\Windows\System32\BYYHFEm.exe
  C:\Windows\System32\BYYHFEm.exe
  2⤵
  PID:8680
- C:\Windows\System32\NFIarIl.exe
  C:\Windows\System32\NFIarIl.exe
  2⤵
  PID:8708
- C:\Windows\System32\HputIaY.exe
  C:\Windows\System32\HputIaY.exe
  2⤵
  PID:8740
- C:\Windows\System32\YCyxlEq.exe
  C:\Windows\System32\YCyxlEq.exe
  2⤵
  PID:8768
- C:\Windows\System32\CYOmJaj.exe
  C:\Windows\System32\CYOmJaj.exe
  2⤵
  PID:8808
- C:\Windows\System32\gBpxbpT.exe
  C:\Windows\System32\gBpxbpT.exe
  2⤵
  PID:8836
- C:\Windows\System32\adTWnAX.exe
  C:\Windows\System32\adTWnAX.exe
  2⤵
  PID:8864
- C:\Windows\System32\HwBsGod.exe
  C:\Windows\System32\HwBsGod.exe
  2⤵
  PID:8888
- C:\Windows\System32\SPnaOfg.exe
  C:\Windows\System32\SPnaOfg.exe
  2⤵
  PID:8904
- C:\Windows\System32\wNioUJC.exe
  C:\Windows\System32\wNioUJC.exe
  2⤵
  PID:8948
- C:\Windows\System32\SVWtVBh.exe
  C:\Windows\System32\SVWtVBh.exe
  2⤵
  PID:8976
- C:\Windows\System32\CeOmYQz.exe
  C:\Windows\System32\CeOmYQz.exe
  2⤵
  PID:9004
- C:\Windows\System32\YrAuNAY.exe
  C:\Windows\System32\YrAuNAY.exe
  2⤵
  PID:9024
- C:\Windows\System32\dZLOAJI.exe
  C:\Windows\System32\dZLOAJI.exe
  2⤵
  PID:9056
- C:\Windows\System32\SdRJPAy.exe
  C:\Windows\System32\SdRJPAy.exe
  2⤵
  PID:9076
- C:\Windows\System32\nEUEEpQ.exe
  C:\Windows\System32\nEUEEpQ.exe
  2⤵
  PID:9100
- C:\Windows\System32\HpBuWeg.exe
  C:\Windows\System32\HpBuWeg.exe
  2⤵
  PID:9116
- C:\Windows\System32\FKEpcAF.exe
  C:\Windows\System32\FKEpcAF.exe
  2⤵
  PID:9136
- C:\Windows\System32\MKIjFLp.exe
  C:\Windows\System32\MKIjFLp.exe
  2⤵
  PID:9200
- C:\Windows\System32\FUEVTny.exe
  C:\Windows\System32\FUEVTny.exe
  2⤵
  PID:7940
- C:\Windows\System32\zQUhucb.exe
  C:\Windows\System32\zQUhucb.exe
  2⤵
  PID:7300
- C:\Windows\System32\YyeelxE.exe
  C:\Windows\System32\YyeelxE.exe
  2⤵
  PID:7488
- C:\Windows\System32\noWGOzf.exe
  C:\Windows\System32\noWGOzf.exe
  2⤵
  PID:6524
- C:\Windows\System32\qiEgivn.exe
  C:\Windows\System32\qiEgivn.exe
  2⤵
  PID:7780
- C:\Windows\System32\YsMYIJl.exe
  C:\Windows\System32\YsMYIJl.exe
  2⤵
  PID:1412
- C:\Windows\System32\VWaEmSV.exe
  C:\Windows\System32\VWaEmSV.exe
  2⤵
  PID:7096
- C:\Windows\System32\MmoOXQP.exe
  C:\Windows\System32\MmoOXQP.exe
  2⤵
  PID:5460
- C:\Windows\System32\SOIKFfA.exe
  C:\Windows\System32\SOIKFfA.exe
  2⤵
  PID:8016
- C:\Windows\System32\hhxNUUq.exe
  C:\Windows\System32\hhxNUUq.exe
  2⤵
  PID:7416
- C:\Windows\System32\YsiTzSE.exe
  C:\Windows\System32\YsiTzSE.exe
  2⤵
  PID:8236
- C:\Windows\System32\ABbLBkN.exe
  C:\Windows\System32\ABbLBkN.exe
  2⤵
  PID:8124
- C:\Windows\System32\ROWgUfO.exe
  C:\Windows\System32\ROWgUfO.exe
  2⤵
  PID:7572
- C:\Windows\System32\JoeuMMc.exe
  C:\Windows\System32\JoeuMMc.exe
  2⤵
  PID:7616
- C:\Windows\System32\nmJdkDT.exe
  C:\Windows\System32\nmJdkDT.exe
  2⤵
  PID:8156
- C:\Windows\System32\kesPKtv.exe
  C:\Windows\System32\kesPKtv.exe
  2⤵
  PID:8376
- C:\Windows\System32\LGvfgfP.exe
  C:\Windows\System32\LGvfgfP.exe
  2⤵
  PID:8360
- C:\Windows\System32\uMfrilI.exe
  C:\Windows\System32\uMfrilI.exe
  2⤵
  PID:8400
- C:\Windows\System32\BjmIsRx.exe
  C:\Windows\System32\BjmIsRx.exe
  2⤵
  PID:8488
- C:\Windows\System32\yjtxuxH.exe
  C:\Windows\System32\yjtxuxH.exe
  2⤵
  PID:8628
- C:\Windows\System32\oLQWZPX.exe
  C:\Windows\System32\oLQWZPX.exe
  2⤵
  PID:8676
- C:\Windows\System32\oCgxSwr.exe
  C:\Windows\System32\oCgxSwr.exe
  2⤵
  PID:8720
- C:\Windows\System32\auTuHVV.exe
  C:\Windows\System32\auTuHVV.exe
  2⤵
  PID:8764
- C:\Windows\System32\ruEFXDw.exe
  C:\Windows\System32\ruEFXDw.exe
  2⤵
  PID:8820
- C:\Windows\System32\mDZAUry.exe
  C:\Windows\System32\mDZAUry.exe
  2⤵
  PID:8932
- C:\Windows\System32\mZFqVwP.exe
  C:\Windows\System32\mZFqVwP.exe
  2⤵
  PID:8912
- C:\Windows\System32\HVsQNdd.exe
  C:\Windows\System32\HVsQNdd.exe
  2⤵
  PID:8992
- C:\Windows\System32\unefzys.exe
  C:\Windows\System32\unefzys.exe
  2⤵
  PID:9088
- C:\Windows\System32\XIznjWs.exe
  C:\Windows\System32\XIznjWs.exe
  2⤵
  PID:9148
- C:\Windows\System32\CiMONdw.exe
  C:\Windows\System32\CiMONdw.exe
  2⤵
  PID:7324
- C:\Windows\System32\sZIxauy.exe
  C:\Windows\System32\sZIxauy.exe
  2⤵
  PID:6876
- C:\Windows\System32\wcaKoZl.exe
  C:\Windows\System32\wcaKoZl.exe
  2⤵
  PID:7900
- C:\Windows\System32\lrFKSGo.exe
  C:\Windows\System32\lrFKSGo.exe
  2⤵
  PID:7896
- C:\Windows\System32\pkPrXmJ.exe
  C:\Windows\System32\pkPrXmJ.exe
  2⤵
  PID:7432
- C:\Windows\System32\OWnHBLB.exe
  C:\Windows\System32\OWnHBLB.exe
  2⤵
  PID:7868
- C:\Windows\System32\GBAPrEP.exe
  C:\Windows\System32\GBAPrEP.exe
  2⤵
  PID:7128
- C:\Windows\System32\HJjMTXy.exe
  C:\Windows\System32\HJjMTXy.exe
  2⤵
  PID:8444
- C:\Windows\System32\AWuSsWY.exe
  C:\Windows\System32\AWuSsWY.exe
  2⤵
  PID:8300
- C:\Windows\System32\HtEKvtN.exe
  C:\Windows\System32\HtEKvtN.exe
  2⤵
  PID:8700
- C:\Windows\System32\KUNXIwi.exe
  C:\Windows\System32\KUNXIwi.exe
  2⤵
  PID:8856
- C:\Windows\System32\JyluKBt.exe
  C:\Windows\System32\JyluKBt.exe
  2⤵
  PID:8920
- C:\Windows\System32\hyeGoIF.exe
  C:\Windows\System32\hyeGoIF.exe
  2⤵
  PID:9160
- C:\Windows\System32\bAbePXi.exe
  C:\Windows\System32\bAbePXi.exe
  2⤵
  PID:6680
- C:\Windows\System32\wooVThP.exe
  C:\Windows\System32\wooVThP.exe
  2⤵
  PID:8152
- C:\Windows\System32\tHyfmuP.exe
  C:\Windows\System32\tHyfmuP.exe
  2⤵
  PID:8308
- C:\Windows\System32\FGYKbEs.exe
  C:\Windows\System32\FGYKbEs.exe
  2⤵
  PID:8440
- C:\Windows\System32\qEpWPoz.exe
  C:\Windows\System32\qEpWPoz.exe
  2⤵
  PID:8968
- C:\Windows\System32\bioLfqZ.exe
  C:\Windows\System32\bioLfqZ.exe
  2⤵
  PID:8428
- C:\Windows\System32\ETtlShF.exe
  C:\Windows\System32\ETtlShF.exe
  2⤵
  PID:8800
- C:\Windows\System32\YfEeyDo.exe
  C:\Windows\System32\YfEeyDo.exe
  2⤵
  PID:9228
- C:\Windows\System32\tOYUEnI.exe
  C:\Windows\System32\tOYUEnI.exe
  2⤵
  PID:9252
- C:\Windows\System32\ywIklHR.exe
  C:\Windows\System32\ywIklHR.exe
  2⤵
  PID:9268
- C:\Windows\System32\wUrnjjZ.exe
  C:\Windows\System32\wUrnjjZ.exe
  2⤵
  PID:9324
- C:\Windows\System32\dZKkNkG.exe
  C:\Windows\System32\dZKkNkG.exe
  2⤵
  PID:9368
- C:\Windows\System32\VJvSnQU.exe
  C:\Windows\System32\VJvSnQU.exe
  2⤵
  PID:9400
- C:\Windows\System32\GvZeQrY.exe
  C:\Windows\System32\GvZeQrY.exe
  2⤵
  PID:9424
- C:\Windows\System32\DQbtJrV.exe
  C:\Windows\System32\DQbtJrV.exe
  2⤵
  PID:9460
- C:\Windows\System32\ULMHqbc.exe
  C:\Windows\System32\ULMHqbc.exe
  2⤵
  PID:9480
- C:\Windows\System32\UqywiRM.exe
  C:\Windows\System32\UqywiRM.exe
  2⤵
  PID:9504
- C:\Windows\System32\TtJpgSI.exe
  C:\Windows\System32\TtJpgSI.exe
  2⤵
  PID:9520
- C:\Windows\System32\BFnAaTR.exe
  C:\Windows\System32\BFnAaTR.exe
  2⤵
  PID:9564
- C:\Windows\System32\azlWbwf.exe
  C:\Windows\System32\azlWbwf.exe
  2⤵
  PID:9588
- C:\Windows\System32\juFbzxL.exe
  C:\Windows\System32\juFbzxL.exe
  2⤵
  PID:9604
- C:\Windows\System32\bvKtYWD.exe
  C:\Windows\System32\bvKtYWD.exe
  2⤵
  PID:9620
- C:\Windows\System32\bEFlLyx.exe
  C:\Windows\System32\bEFlLyx.exe
  2⤵
  PID:9644
- C:\Windows\System32\vnMeEDy.exe
  C:\Windows\System32\vnMeEDy.exe
  2⤵
  PID:9692
- C:\Windows\System32\NQGmmKO.exe
  C:\Windows\System32\NQGmmKO.exe
  2⤵
  PID:9724
- C:\Windows\System32\beggFIj.exe
  C:\Windows\System32\beggFIj.exe
  2⤵
  PID:9760
- C:\Windows\System32\UQFMOrb.exe
  C:\Windows\System32\UQFMOrb.exe
  2⤵
  PID:9784
- C:\Windows\System32\xVWitbm.exe
  C:\Windows\System32\xVWitbm.exe
  2⤵
  PID:9804
- C:\Windows\System32\tdgMZaA.exe
  C:\Windows\System32\tdgMZaA.exe
  2⤵
  PID:9824
- C:\Windows\System32\UVwQWRT.exe
  C:\Windows\System32\UVwQWRT.exe
  2⤵
  PID:9860
- C:\Windows\System32\zvyXLfs.exe
  C:\Windows\System32\zvyXLfs.exe
  2⤵
  PID:9892
- C:\Windows\System32\VtnDgBs.exe
  C:\Windows\System32\VtnDgBs.exe
  2⤵
  PID:9912
- C:\Windows\System32\cgbDlqD.exe
  C:\Windows\System32\cgbDlqD.exe
  2⤵
  PID:9936
- C:\Windows\System32\uSZkYSe.exe
  C:\Windows\System32\uSZkYSe.exe
  2⤵
  PID:9956
- C:\Windows\System32\VojJoEa.exe
  C:\Windows\System32\VojJoEa.exe
  2⤵
  PID:9992
- C:\Windows\System32\NAkMzTR.exe
  C:\Windows\System32\NAkMzTR.exe
  2⤵
  PID:10044
- C:\Windows\System32\qCMKnhf.exe
  C:\Windows\System32\qCMKnhf.exe
  2⤵
  PID:10076
- C:\Windows\System32\ndXbTUr.exe
  C:\Windows\System32\ndXbTUr.exe
  2⤵
  PID:10108
- C:\Windows\System32\swagghM.exe
  C:\Windows\System32\swagghM.exe
  2⤵
  PID:10124
- C:\Windows\System32\NabjBto.exe
  C:\Windows\System32\NabjBto.exe
  2⤵
  PID:10152
- C:\Windows\System32\IhhMLoO.exe
  C:\Windows\System32\IhhMLoO.exe
  2⤵
  PID:10176
- C:\Windows\System32\wfzdgzE.exe
  C:\Windows\System32\wfzdgzE.exe
  2⤵
  PID:10200
- C:\Windows\System32\yIPDidM.exe
  C:\Windows\System32\yIPDidM.exe
  2⤵
  PID:10216
- C:\Windows\System32\dhjDjLV.exe
  C:\Windows\System32\dhjDjLV.exe
  2⤵
  PID:9220
- C:\Windows\System32\ParDPMK.exe
  C:\Windows\System32\ParDPMK.exe
  2⤵
  PID:9280
- C:\Windows\System32\tcXzAGg.exe
  C:\Windows\System32\tcXzAGg.exe
  2⤵
  PID:9300
- C:\Windows\System32\ibrGgZi.exe
  C:\Windows\System32\ibrGgZi.exe
  2⤵
  PID:9388
- C:\Windows\System32\cKSKcJp.exe
  C:\Windows\System32\cKSKcJp.exe
  2⤵
  PID:9440
- C:\Windows\System32\aFgsDIE.exe
  C:\Windows\System32\aFgsDIE.exe
  2⤵
  PID:9580
- C:\Windows\System32\TPlSGMS.exe
  C:\Windows\System32\TPlSGMS.exe
  2⤵
  PID:9616
- C:\Windows\System32\qgpaPUx.exe
  C:\Windows\System32\qgpaPUx.exe
  2⤵
  PID:9652
- C:\Windows\System32\QatBzux.exe
  C:\Windows\System32\QatBzux.exe
  2⤵
  PID:9756
- C:\Windows\System32\JmaTwAi.exe
  C:\Windows\System32\JmaTwAi.exe
  2⤵
  PID:9792
- C:\Windows\System32\hbGiATm.exe
  C:\Windows\System32\hbGiATm.exe
  2⤵
  PID:9832
- C:\Windows\System32\ArneAik.exe
  C:\Windows\System32\ArneAik.exe
  2⤵
  PID:8176
- C:\Windows\System32\aySwXmV.exe
  C:\Windows\System32\aySwXmV.exe
  2⤵
  PID:9980
- C:\Windows\System32\kIjIoSU.exe
  C:\Windows\System32\kIjIoSU.exe
  2⤵
  PID:10072
- C:\Windows\System32\BoOTBkK.exe
  C:\Windows\System32\BoOTBkK.exe
  2⤵
  PID:10116
- C:\Windows\System32\bEheXpf.exe
  C:\Windows\System32\bEheXpf.exe
  2⤵
  PID:10184
- C:\Windows\System32\evggkie.exe
  C:\Windows\System32\evggkie.exe
  2⤵
  PID:10208
- C:\Windows\System32\svEZHdQ.exe
  C:\Windows\System32\svEZHdQ.exe
  2⤵
  PID:6616
- C:\Windows\System32\nbFWanL.exe
  C:\Windows\System32\nbFWanL.exe
  2⤵
  PID:9288
- C:\Windows\System32\KQpyQIs.exe
  C:\Windows\System32\KQpyQIs.exe
  2⤵
  PID:9572
- C:\Windows\System32\ILpqMfh.exe
  C:\Windows\System32\ILpqMfh.exe
  2⤵
  PID:9852
- C:\Windows\System32\HitgeCv.exe
  C:\Windows\System32\HitgeCv.exe
  2⤵
  PID:10020
- C:\Windows\System32\KlJVEHM.exe
  C:\Windows\System32\KlJVEHM.exe
  2⤵
  PID:10120
- C:\Windows\System32\VEWfPvD.exe
  C:\Windows\System32\VEWfPvD.exe
  2⤵
  PID:7448
- C:\Windows\System32\lMcXTVs.exe
  C:\Windows\System32\lMcXTVs.exe
  2⤵
  PID:9676
- C:\Windows\System32\jlxkuFV.exe
  C:\Windows\System32\jlxkuFV.exe
  2⤵
  PID:9836
- C:\Windows\System32\Bcaewkg.exe
  C:\Windows\System32\Bcaewkg.exe
  2⤵
  PID:10284
- C:\Windows\System32\zMDDgQC.exe
  C:\Windows\System32\zMDDgQC.exe
  2⤵
  PID:10312
- C:\Windows\System32\UgWOaXY.exe
  C:\Windows\System32\UgWOaXY.exe
  2⤵
  PID:10328
- C:\Windows\System32\xbygCQe.exe
  C:\Windows\System32\xbygCQe.exe
  2⤵
  PID:10344
- C:\Windows\System32\uFylLXv.exe
  C:\Windows\System32\uFylLXv.exe
  2⤵
  PID:10360
- C:\Windows\System32\UKrtwLk.exe
  C:\Windows\System32\UKrtwLk.exe
  2⤵
  PID:10376
- C:\Windows\System32\DgBbdwx.exe
  C:\Windows\System32\DgBbdwx.exe
  2⤵
  PID:10392
- C:\Windows\System32\DwumtvZ.exe
  C:\Windows\System32\DwumtvZ.exe
  2⤵
  PID:10408
- C:\Windows\System32\xhMEHTM.exe
  C:\Windows\System32\xhMEHTM.exe
  2⤵
  PID:10424
- C:\Windows\System32\aeDCaYQ.exe
  C:\Windows\System32\aeDCaYQ.exe
  2⤵
  PID:10440
- C:\Windows\System32\IJqkoyc.exe
  C:\Windows\System32\IJqkoyc.exe
  2⤵
  PID:10456
- C:\Windows\System32\XEgLQyO.exe
  C:\Windows\System32\XEgLQyO.exe
  2⤵
  PID:10472
- C:\Windows\System32\ssOQhVG.exe
  C:\Windows\System32\ssOQhVG.exe
  2⤵
  PID:10488
- C:\Windows\System32\cUHTbFh.exe
  C:\Windows\System32\cUHTbFh.exe
  2⤵
  PID:10504
- C:\Windows\System32\wFVnCNv.exe
  C:\Windows\System32\wFVnCNv.exe
  2⤵
  PID:10520
- C:\Windows\System32\zxkzthV.exe
  C:\Windows\System32\zxkzthV.exe
  2⤵
  PID:10540
- C:\Windows\System32\DkbNYPO.exe
  C:\Windows\System32\DkbNYPO.exe
  2⤵
  PID:10572
- C:\Windows\System32\HQCWriS.exe
  C:\Windows\System32\HQCWriS.exe
  2⤵
  PID:10604
- C:\Windows\System32\wtVyCXh.exe
  C:\Windows\System32\wtVyCXh.exe
  2⤵
  PID:10720
- C:\Windows\System32\EiyYbuF.exe
  C:\Windows\System32\EiyYbuF.exe
  2⤵
  PID:10840
- C:\Windows\System32\AfPCDen.exe
  C:\Windows\System32\AfPCDen.exe
  2⤵
  PID:10856
- C:\Windows\System32\nQUQNie.exe
  C:\Windows\System32\nQUQNie.exe
  2⤵
  PID:10952
- C:\Windows\System32\kDnwUgU.exe
  C:\Windows\System32\kDnwUgU.exe
  2⤵
  PID:10968
- C:\Windows\System32\amLryOW.exe
  C:\Windows\System32\amLryOW.exe
  2⤵
  PID:11020
- C:\Windows\System32\TUcraBl.exe
  C:\Windows\System32\TUcraBl.exe
  2⤵
  PID:11048
- C:\Windows\System32\DjEGVch.exe
  C:\Windows\System32\DjEGVch.exe
  2⤵
  PID:11072
- C:\Windows\System32\CXfDorW.exe
  C:\Windows\System32\CXfDorW.exe
  2⤵
  PID:11096
- C:\Windows\System32\XTColoP.exe
  C:\Windows\System32\XTColoP.exe
  2⤵
  PID:11120
- C:\Windows\System32\oNtIuTP.exe
  C:\Windows\System32\oNtIuTP.exe
  2⤵
  PID:11144
- C:\Windows\System32\xYqlXZK.exe
  C:\Windows\System32\xYqlXZK.exe
  2⤵
  PID:11164
- C:\Windows\System32\okRnCgE.exe
  C:\Windows\System32\okRnCgE.exe
  2⤵
  PID:11212
- C:\Windows\System32\RkoXlDC.exe
  C:\Windows\System32\RkoXlDC.exe
  2⤵
  PID:11232
- C:\Windows\System32\khjtjKw.exe
  C:\Windows\System32\khjtjKw.exe
  2⤵
  PID:11252
- C:\Windows\System32\cJQecqV.exe
  C:\Windows\System32\cJQecqV.exe
  2⤵
  PID:10324
- C:\Windows\System32\ZmBWKyQ.exe
  C:\Windows\System32\ZmBWKyQ.exe
  2⤵
  PID:10272
- C:\Windows\System32\RGsFvxm.exe
  C:\Windows\System32\RGsFvxm.exe
  2⤵
  PID:10280
- C:\Windows\System32\QaBkhJE.exe
  C:\Windows\System32\QaBkhJE.exe
  2⤵
  PID:10628
- C:\Windows\System32\ZfvqdCF.exe
  C:\Windows\System32\ZfvqdCF.exe
  2⤵
  PID:10368
- C:\Windows\System32\EjuDWrN.exe
  C:\Windows\System32\EjuDWrN.exe
  2⤵
  PID:10432
- C:\Windows\System32\mAEPeLY.exe
  C:\Windows\System32\mAEPeLY.exe
  2⤵
  PID:10496
- C:\Windows\System32\NmiFmzZ.exe
  C:\Windows\System32\NmiFmzZ.exe
  2⤵
  PID:10588
- C:\Windows\System32\oINxSFE.exe
  C:\Windows\System32\oINxSFE.exe
  2⤵
  PID:10664
- C:\Windows\System32\GhVgmiu.exe
  C:\Windows\System32\GhVgmiu.exe
  2⤵
  PID:10780
- C:\Windows\System32\PEcmugp.exe
  C:\Windows\System32\PEcmugp.exe
  2⤵
  PID:10692
- C:\Windows\System32\lIRpYrk.exe
  C:\Windows\System32\lIRpYrk.exe
  2⤵
  PID:10824
- C:\Windows\System32\RyUFBqJ.exe
  C:\Windows\System32\RyUFBqJ.exe
  2⤵
  PID:10852
- C:\Windows\System32\BiPkuFk.exe
  C:\Windows\System32\BiPkuFk.exe
  2⤵
  PID:10848
- C:\Windows\System32\fKCVZrF.exe
  C:\Windows\System32\fKCVZrF.exe
  2⤵
  PID:11032
- C:\Windows\System32\hzpUALb.exe
  C:\Windows\System32\hzpUALb.exe
  2⤵
  PID:11136
- C:\Windows\System32\OYQoarR.exe
  C:\Windows\System32\OYQoarR.exe
  2⤵
  PID:11192
- C:\Windows\System32\znOfdCb.exe
  C:\Windows\System32\znOfdCb.exe
  2⤵
  PID:11244
- C:\Windows\System32\ZDmekex.exe
  C:\Windows\System32\ZDmekex.exe
  2⤵
  PID:11260
- C:\Windows\System32\AyHpbYM.exe
  C:\Windows\System32\AyHpbYM.exe
  2⤵
  PID:10260
- C:\Windows\System32\gBFHJDk.exe
  C:\Windows\System32\gBFHJDk.exe
  2⤵
  PID:10404
- C:\Windows\System32\bItXswB.exe
  C:\Windows\System32\bItXswB.exe
  2⤵
  PID:10672
- C:\Windows\System32\VYGUGlu.exe
  C:\Windows\System32\VYGUGlu.exe
  2⤵
  PID:10812
- C:\Windows\System32\sylmQQJ.exe
  C:\Windows\System32\sylmQQJ.exe
  2⤵
  PID:10532
- C:\Windows\System32\FaAnbJU.exe
  C:\Windows\System32\FaAnbJU.exe
  2⤵
  PID:11016
- C:\Windows\System32\LqpArXw.exe
  C:\Windows\System32\LqpArXw.exe
  2⤵
  PID:11116
- C:\Windows\System32\dELsekW.exe
  C:\Windows\System32\dELsekW.exe
  2⤵
  PID:10452
- C:\Windows\System32\BrcMDwl.exe
  C:\Windows\System32\BrcMDwl.exe
  2⤵
  PID:10248
- C:\Windows\System32\hfcnDQa.exe
  C:\Windows\System32\hfcnDQa.exe
  2⤵
  PID:10728
- C:\Windows\System32\eeXZmpp.exe
  C:\Windows\System32\eeXZmpp.exe
  2⤵
  PID:10736
- C:\Windows\System32\ZsJqjFW.exe
  C:\Windows\System32\ZsJqjFW.exe
  2⤵
  PID:11276
- C:\Windows\System32\yFLWBVA.exe
  C:\Windows\System32\yFLWBVA.exe
  2⤵
  PID:11304
- C:\Windows\System32\EihFmFh.exe
  C:\Windows\System32\EihFmFh.exe
  2⤵
  PID:11348
- C:\Windows\System32\ojLwAEg.exe
  C:\Windows\System32\ojLwAEg.exe
  2⤵
  PID:11380
- C:\Windows\System32\jVlegae.exe
  C:\Windows\System32\jVlegae.exe
  2⤵
  PID:11408
- C:\Windows\System32\EoWubLp.exe
  C:\Windows\System32\EoWubLp.exe
  2⤵
  PID:11424
- C:\Windows\System32\WnAmPLL.exe
  C:\Windows\System32\WnAmPLL.exe
  2⤵
  PID:11492
- C:\Windows\System32\PynLeZq.exe
  C:\Windows\System32\PynLeZq.exe
  2⤵
  PID:11516
- C:\Windows\System32\ahCFGKG.exe
  C:\Windows\System32\ahCFGKG.exe
  2⤵
  PID:11532
- C:\Windows\System32\jTvTQGe.exe
  C:\Windows\System32\jTvTQGe.exe
  2⤵
  PID:11552
- C:\Windows\System32\cYKDIQk.exe
  C:\Windows\System32\cYKDIQk.exe
  2⤵
  PID:11588
- C:\Windows\System32\pSeMGFI.exe
  C:\Windows\System32\pSeMGFI.exe
  2⤵
  PID:11624
- C:\Windows\System32\MqZyPSp.exe
  C:\Windows\System32\MqZyPSp.exe
  2⤵
  PID:11656
- C:\Windows\System32\qlJuYXg.exe
  C:\Windows\System32\qlJuYXg.exe
  2⤵
  PID:11676
- C:\Windows\System32\YyxBCfx.exe
  C:\Windows\System32\YyxBCfx.exe
  2⤵
  PID:11700
- C:\Windows\System32\QXctJzZ.exe
  C:\Windows\System32\QXctJzZ.exe
  2⤵
  PID:11720
- C:\Windows\System32\rloyBJy.exe
  C:\Windows\System32\rloyBJy.exe
  2⤵
  PID:11752
- C:\Windows\System32\XeMhguS.exe
  C:\Windows\System32\XeMhguS.exe
  2⤵
  PID:11768
- C:\Windows\System32\ZhnYLxQ.exe
  C:\Windows\System32\ZhnYLxQ.exe
  2⤵
  PID:11784
- C:\Windows\System32\lEEdqus.exe
  C:\Windows\System32\lEEdqus.exe
  2⤵
  PID:11800
- C:\Windows\System32\CptHaEf.exe
  C:\Windows\System32\CptHaEf.exe
  2⤵
  PID:11828
- C:\Windows\System32\hWICsgb.exe
  C:\Windows\System32\hWICsgb.exe
  2⤵
  PID:11876
- C:\Windows\System32\vKNXfOZ.exe
  C:\Windows\System32\vKNXfOZ.exe
  2⤵
  PID:11928
- C:\Windows\System32\aQdUuvk.exe
  C:\Windows\System32\aQdUuvk.exe
  2⤵
  PID:11972
- C:\Windows\System32\cxgNmqc.exe
  C:\Windows\System32\cxgNmqc.exe
  2⤵
  PID:11988
- C:\Windows\System32\tLEjPXA.exe
  C:\Windows\System32\tLEjPXA.exe
  2⤵
  PID:12016
- C:\Windows\System32\uLWKogU.exe
  C:\Windows\System32\uLWKogU.exe
  2⤵
  PID:12032
- C:\Windows\System32\jDkfWIb.exe
  C:\Windows\System32\jDkfWIb.exe
  2⤵
  PID:12060
- C:\Windows\System32\ZbqSVcN.exe
  C:\Windows\System32\ZbqSVcN.exe
  2⤵
  PID:12080
- C:\Windows\System32\UeDrLhj.exe
  C:\Windows\System32\UeDrLhj.exe
  2⤵
  PID:12112
- C:\Windows\System32\yaesIyN.exe
  C:\Windows\System32\yaesIyN.exe
  2⤵
  PID:12132
- C:\Windows\System32\ZgaAizI.exe
  C:\Windows\System32\ZgaAizI.exe
  2⤵
  PID:12152
- C:\Windows\System32\FgaSuup.exe
  C:\Windows\System32\FgaSuup.exe
  2⤵
  PID:12196
- C:\Windows\System32\McejlVb.exe
  C:\Windows\System32\McejlVb.exe
  2⤵
  PID:12216
- C:\Windows\System32\aDexIwF.exe
  C:\Windows\System32\aDexIwF.exe
  2⤵
  PID:12236
- C:\Windows\System32\BwEwdOb.exe
  C:\Windows\System32\BwEwdOb.exe
  2⤵
  PID:12268
- C:\Windows\System32\ZDSrIJC.exe
  C:\Windows\System32\ZDSrIJC.exe
  2⤵
  PID:11060
- C:\Windows\System32\jumOgDL.exe
  C:\Windows\System32\jumOgDL.exe
  2⤵
  PID:11284
- C:\Windows\System32\dxBhrAS.exe
  C:\Windows\System32\dxBhrAS.exe
  2⤵
  PID:11132
- C:\Windows\System32\JhUQdmf.exe
  C:\Windows\System32\JhUQdmf.exe
  2⤵
  PID:11420
- C:\Windows\System32\IrDWgis.exe
  C:\Windows\System32\IrDWgis.exe
  2⤵
  PID:1260
- C:\Windows\System32\IAFxdPo.exe
  C:\Windows\System32\IAFxdPo.exe
  2⤵
  PID:10640
- C:\Windows\System32\ycelUkw.exe
  C:\Windows\System32\ycelUkw.exe
  2⤵
  PID:11584
- C:\Windows\System32\KLiOzQg.exe
  C:\Windows\System32\KLiOzQg.exe
  2⤵
  PID:11608
- C:\Windows\System32\MQPcFLj.exe
  C:\Windows\System32\MQPcFLj.exe
  2⤵
  PID:4592
- C:\Windows\System32\MQXXkSB.exe
  C:\Windows\System32\MQXXkSB.exe
  2⤵
  PID:11632
- C:\Windows\System32\pfRryYx.exe
  C:\Windows\System32\pfRryYx.exe
  2⤵
  PID:11716
- C:\Windows\System32\FqwFVjN.exe
  C:\Windows\System32\FqwFVjN.exe
  2⤵
  PID:11684
- C:\Windows\System32\FgXyEdw.exe
  C:\Windows\System32\FgXyEdw.exe
  2⤵
  PID:11792
- C:\Windows\System32\keczwtL.exe
  C:\Windows\System32\keczwtL.exe
  2⤵
  PID:11912
- C:\Windows\System32\BsYixno.exe
  C:\Windows\System32\BsYixno.exe
  2⤵
  PID:11936
- C:\Windows\System32\kJreWpq.exe
  C:\Windows\System32\kJreWpq.exe
  2⤵
  PID:12028
- C:\Windows\System32\ghRqxlj.exe
  C:\Windows\System32\ghRqxlj.exe
  2⤵
  PID:12088
- C:\Windows\System32\MaRreAV.exe
  C:\Windows\System32\MaRreAV.exe
  2⤵
  PID:12124
- C:\Windows\System32\eIucSpV.exe
  C:\Windows\System32\eIucSpV.exe
  2⤵
  PID:12164
- C:\Windows\System32\qauvucS.exe
  C:\Windows\System32\qauvucS.exe
  2⤵
  PID:12248
- C:\Windows\System32\jiiGXNE.exe
  C:\Windows\System32\jiiGXNE.exe
  2⤵
  PID:10964
- C:\Windows\System32\WKdTXLu.exe
  C:\Windows\System32\WKdTXLu.exe
  2⤵
  PID:11356
- C:\Windows\System32\fBoaSrm.exe
  C:\Windows\System32\fBoaSrm.exe
  2⤵
  PID:11328
- C:\Windows\System32\abLhwmn.exe
  C:\Windows\System32\abLhwmn.exe
  2⤵
  PID:11560
- C:\Windows\System32\eRosyPX.exe
  C:\Windows\System32\eRosyPX.exe
  2⤵
  PID:11736
- C:\Windows\System32\BvlLtCd.exe
  C:\Windows\System32\BvlLtCd.exe
  2⤵
  PID:11696
- C:\Windows\System32\bEzFZmx.exe
  C:\Windows\System32\bEzFZmx.exe
  2⤵
  PID:11900
- C:\Windows\System32\zguoHss.exe
  C:\Windows\System32\zguoHss.exe
  2⤵
  PID:11980
- C:\Windows\System32\LZAnnSn.exe
  C:\Windows\System32\LZAnnSn.exe
  2⤵
  PID:12104
- C:\Windows\System32\VzfcmLG.exe
  C:\Windows\System32\VzfcmLG.exe
  2⤵
  PID:11272
- C:\Windows\System32\nLjRtdl.exe
  C:\Windows\System32\nLjRtdl.exe
  2⤵
  PID:11728
- C:\Windows\System32\toBhVRb.exe
  C:\Windows\System32\toBhVRb.exe
  2⤵
  PID:11824
- C:\Windows\System32\UirYvCP.exe
  C:\Windows\System32\UirYvCP.exe
  2⤵
  PID:1408
- C:\Windows\System32\OKXaFTj.exe
  C:\Windows\System32\OKXaFTj.exe
  2⤵
  PID:12228
- C:\Windows\System32\MdXzQXa.exe
  C:\Windows\System32\MdXzQXa.exe
  2⤵
  PID:228
- C:\Windows\System32\SZZZXtg.exe
  C:\Windows\System32\SZZZXtg.exe
  2⤵
  PID:2840
- C:\Windows\System32\VnIkhGL.exe
  C:\Windows\System32\VnIkhGL.exe
  2⤵
  PID:4336
- C:\Windows\System32\oeuLpCy.exe
  C:\Windows\System32\oeuLpCy.exe
  2⤵
  PID:12292
- C:\Windows\System32\dPlmeFu.exe
  C:\Windows\System32\dPlmeFu.exe
  2⤵
  PID:12328
- C:\Windows\System32\LBIUOdL.exe
  C:\Windows\System32\LBIUOdL.exe
  2⤵
  PID:12344
- C:\Windows\System32\Xzqvbkm.exe
  C:\Windows\System32\Xzqvbkm.exe
  2⤵
  PID:12380
- C:\Windows\System32\RYizZWR.exe
  C:\Windows\System32\RYizZWR.exe
  2⤵
  PID:12416
- C:\Windows\System32\YNhnIxB.exe
  C:\Windows\System32\YNhnIxB.exe
  2⤵
  PID:12436
- C:\Windows\System32\XVOsYcA.exe
  C:\Windows\System32\XVOsYcA.exe
  2⤵
  PID:12464
- C:\Windows\System32\nUytXiz.exe
  C:\Windows\System32\nUytXiz.exe
  2⤵
  PID:12484
- C:\Windows\System32\pQFftbo.exe
  C:\Windows\System32\pQFftbo.exe
  2⤵
  PID:12508
- C:\Windows\System32\uioDcmj.exe
  C:\Windows\System32\uioDcmj.exe
  2⤵
  PID:12528
- C:\Windows\System32\jmYPMyO.exe
  C:\Windows\System32\jmYPMyO.exe
  2⤵
  PID:12544
- C:\Windows\System32\TrAXpLe.exe
  C:\Windows\System32\TrAXpLe.exe
  2⤵
  PID:12564
- C:\Windows\System32\oPbdjOy.exe
  C:\Windows\System32\oPbdjOy.exe
  2⤵
  PID:12636
- C:\Windows\System32\rODhzOj.exe
  C:\Windows\System32\rODhzOj.exe
  2⤵
  PID:12684
- C:\Windows\System32\fNaoyNK.exe
  C:\Windows\System32\fNaoyNK.exe
  2⤵
  PID:12712
- C:\Windows\System32\DKOqNyq.exe
  C:\Windows\System32\DKOqNyq.exe
  2⤵
  PID:12736
- C:\Windows\System32\BGQBsnZ.exe
  C:\Windows\System32\BGQBsnZ.exe
  2⤵
  PID:12764
- C:\Windows\System32\ILHPYKJ.exe
  C:\Windows\System32\ILHPYKJ.exe
  2⤵
  PID:12804
- C:\Windows\System32\sFveuFw.exe
  C:\Windows\System32\sFveuFw.exe
  2⤵
  PID:12828
- C:\Windows\System32\Fjdamrg.exe
  C:\Windows\System32\Fjdamrg.exe
  2⤵
  PID:12848
- C:\Windows\System32\EuKpyfj.exe
  C:\Windows\System32\EuKpyfj.exe
  2⤵
  PID:12872
- C:\Windows\System32\HaZWUHj.exe
  C:\Windows\System32\HaZWUHj.exe
  2⤵
  PID:12892
- C:\Windows\System32\NJDhTkS.exe
  C:\Windows\System32\NJDhTkS.exe
  2⤵
  PID:12916
- C:\Windows\System32\iXFEhgc.exe
  C:\Windows\System32\iXFEhgc.exe
  2⤵
  PID:12944
- C:\Windows\System32\rEgHfPo.exe
  C:\Windows\System32\rEgHfPo.exe
  2⤵
  PID:12964
- C:\Windows\System32\DEbhCEu.exe
  C:\Windows\System32\DEbhCEu.exe
  2⤵
  PID:13016
- C:\Windows\System32\DpZhfzq.exe
  C:\Windows\System32\DpZhfzq.exe
  2⤵
  PID:13044
- C:\Windows\System32\PJnKhyp.exe
  C:\Windows\System32\PJnKhyp.exe
  2⤵
  PID:13084
- C:\Windows\System32\AgkQipD.exe
  C:\Windows\System32\AgkQipD.exe
  2⤵
  PID:13108
- C:\Windows\System32\lBFzkOT.exe
  C:\Windows\System32\lBFzkOT.exe
  2⤵
  PID:13128
- C:\Windows\System32\uMeCwfS.exe
  C:\Windows\System32\uMeCwfS.exe
  2⤵
  PID:13156
- C:\Windows\System32\MJcwUVB.exe
  C:\Windows\System32\MJcwUVB.exe
  2⤵
  PID:13180
- C:\Windows\System32\aPbWcVs.exe
  C:\Windows\System32\aPbWcVs.exe
  2⤵
  PID:13212
- C:\Windows\System32\iQDGiYR.exe
  C:\Windows\System32\iQDGiYR.exe
  2⤵
  PID:13240
- C:\Windows\System32\aXwuKVw.exe
  C:\Windows\System32\aXwuKVw.exe
  2⤵
  PID:13264
- C:\Windows\System32\OAGMtMn.exe
  C:\Windows\System32\OAGMtMn.exe
  2⤵
  PID:13280
- C:\Windows\System32\TSWMrte.exe
  C:\Windows\System32\TSWMrte.exe
  2⤵
  PID:13300
- C:\Windows\System32\qJkEtfd.exe
  C:\Windows\System32\qJkEtfd.exe
  2⤵
  PID:12320
- C:\Windows\System32\XvgTJXb.exe
  C:\Windows\System32\XvgTJXb.exe
  2⤵
  PID:12360
- C:\Windows\System32\gwuDKQD.exe
  C:\Windows\System32\gwuDKQD.exe
  2⤵
  PID:12492
- C:\Windows\System32\ZGmctVw.exe
  C:\Windows\System32\ZGmctVw.exe
  2⤵
  PID:12472

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DGuQtwj.exe

Filesize
1.3MB

MD5
0dabd5bbe2f9d23c877299e9365a0981

SHA1
986f861156cff0a27b8cef642e5ebb8baf991820

SHA256
e4ab178b346af321c3e9acc828b15f42d4a3ed6df60009b3126966bc13bb12f7

SHA512
ffc5895f0bddbb778680b018fa8b4fd66f59e049d46ab2e49efab612a6ed24158db77811d24818c1ef264a17c422f43cbb4c80c94fc46fb30e7e6eb2fe0c35df

Download Submit
C:\Windows\System32\DiYjNaP.exe

Filesize
1.3MB

MD5
43f611d864c03dc1832ddfefadc24cdf

SHA1
294d5b1106971c50a7397add44e2c03b7e8429f8

SHA256
7a823afdf606828859b0e102004b5622d927b80286ab236b9bcf1954ac732535

SHA512
aa1415ed67d46a1a54276d762170d130bcfccb054623d913bdd004c822555dadda52c24e74e655f2816d734444c981b1e5d0c99c662f6e34ca12b6ecb5014785

Download Submit
C:\Windows\System32\FLuSCSq.exe

Filesize
1.3MB

MD5
71aaaca151d902a6c1df13d5f8f9bf42

SHA1
2286ca23e3ec9544797c2d8c659a5f9c44e57d8a

SHA256
3d7f1beb4826946878500113b6ec2c039ccea36a204188bcf3ae1aefbd0d2b1d

SHA512
c0371417b55a1a4297d88165593edb3eb01e0a11c2a67212927c596ae406ef7229a5009ff1b19c3fb602d5808957a33b6de8eb1d2e99b3548cf500199317275e

Download Submit
C:\Windows\System32\GvWjiaN.exe

Filesize
1.3MB

MD5
3a002c3c147c9462fa042a03da639c67

SHA1
9d7dce6d74bc637e7c617b25a7be06126e073aa6

SHA256
8c2e494a201e98d3da7447018422b9505861d1492755ee4276bd7389a61cab5f

SHA512
0079a3906dd602cab0650393fa41a82fd81e6acef9cdb79db1bfd5f35d926763c57724890317893a834a7f4f520592974622fd264d1a9e27a4bf27374a8ad5ce

Download Submit
C:\Windows\System32\HRGDpWA.exe

Filesize
1.3MB

MD5
d0e813a215460c4dce25c35c40abb2d9

SHA1
072b4511374c76d0c13c897827a3a7302738e3f7

SHA256
ca6f345b36e7bad983469e905a8425ae123e54c548f36eb49cafc88011363893

SHA512
693653f59ed3f57a9828a4f1c442767d9ea168c64c9138fbd09b9b8916624a398dba0fd13002683a72338527e83465d07483dcaee6ee57e35671561f71c4f338

Download Submit
C:\Windows\System32\ImQGrlw.exe

Filesize
1.3MB

MD5
548c728af42a9f4c4d78f0aae2dfeb94

SHA1
d10fbd86c6d91709f5cd1fdea2fa53ff35a5ef93

SHA256
b3e10a4debeedd20b7a052fd12c8af330145427c293c2f4ce9f89f5800950cde

SHA512
430b55dd17e16bf9fb5a0c9788c4f5293935c4db33c85cba0792112737c30dc4dfb241ba91eb8bae9eecb68bf33954a7c0f02ba22484c2b005974644793b3c11

Download Submit
C:\Windows\System32\IpiiGYt.exe

Filesize
1.3MB

MD5
92501512c38be1bbc5d70ab592355951

SHA1
47dc3b4eb049c87ff5bba7f12d790fa200a4865d

SHA256
58c5aeaf6183445877f0c56a8a96d5ff0c42b1e104d1368aa3cbac34645a78f7

SHA512
98698ad7f15f592b8280c4904c264fb162fbea40d274fcfc3eaf37bcfa90ca82f416df74f54cfb859d98e8a815d6ed11e08de4cfbbee164c9c9ba81ed143b57b

Download Submit
C:\Windows\System32\JaxHMtF.exe

Filesize
1.3MB

MD5
21bb99c909516994ac638fbf414758b6

SHA1
8b50a669d352f82a4dd2855346c1aa6c5ef5c5ff

SHA256
3373fe4bf1d491aefe25096319976e31fe1dd931425d3b6b62638e1c1ce0fd7f

SHA512
f2ae86b4d92527162c11245dd9e8f8dad84c9d717c0bd67a0e6e037d28e8b3dde52856d62559fac4ff1a99c71ac8855e469a701f9d6e9ae17d65d1ed6d7825fa

Download Submit
C:\Windows\System32\MhkHxkO.exe

Filesize
1.3MB

MD5
7659b31d8b5ba350e2c9493897570245

SHA1
038bdf5f43ad82938cbff9d7be8132f6ee83c7d7

SHA256
38c86c9cd371f0ae175879b9732d70021ba542a8723a3d8714498a02edf54012

SHA512
9e0a920744bbcdd8c8da572b7e42e4cc4f81a51c2c6ec69c9e62264fc13275fdd41dbb84008c5ad87a0d93deca4e80029c08a912dbd7faa3ed540a4baccffc83

Download Submit
C:\Windows\System32\MiOhrSe.exe

Filesize
1.3MB

MD5
8c2b277846717640e500e143b65e84c5

SHA1
c7e8f1476a2e77038b10df077c06b45a0e32727c

SHA256
16bdd6148e4d4a5f2d5025910161bebe8a78259f4fb40829ecb12c63079e23f9

SHA512
3b65c2fd376950e9f29ed254460de6e73442e90607b566aa401c009014e018e62fa70ea1b82cc2df0b0c80b16d93a35527f29b764513faacec933b23ddb3c42c

Download Submit
C:\Windows\System32\PPwdcWw.exe

Filesize
1.3MB

MD5
6cbe332305cf4b62be481024bc2120fb

SHA1
b586e990db25f4dc1590a00f0c598b3360dd7f39

SHA256
9448ed9563a18b84be13c8bf7ad68c7ee3f44bdb4a5606bd085756cebf5d715e

SHA512
44c0933e7093e73100048b1ecdf7aa7fb1230353fb5e2f6c5e993af3c32e7ae57a5153cf03a53caab893c352da53e07bacf946534858ee352b2a23a6838c9ae6

Download Submit
C:\Windows\System32\QFTxjal.exe

Filesize
1.3MB

MD5
fc2a93f867b9234665f72e48b76fb3b4

SHA1
394839d6156ce167b6244c0a88bce4572724035d

SHA256
a2085903107a5feb82c55d818e10356bd1c15aa7d17231bc7efc684f0ace5ab9

SHA512
76d42536097097ff6d7c4d5512f0b852e669a4f7c99b87518d964af876f458c25d09556bee52c453d118169f0481700d4e7047c245a1348a0937c38e8ba8f32a

Download Submit
C:\Windows\System32\QzHkdaz.exe

Filesize
1.3MB

MD5
277b0dff48185ff3675c2939b33ca46a

SHA1
945f648207333ce3262454e4a7bf0f868b35f1e8

SHA256
f2e71ce818c163e3c93852538604c7ba6673f0304c4dfe127b589273af5bddb9

SHA512
bf4ac5d8e0f4a97066682bc821ecd33a882e2a6cc29fbfa23f428e6d16104ab1a50a1ca5e3a1c9e3be8a34a4c00e6726fd16519ff5b6b1ddf7d328f78c07a928

Download Submit
C:\Windows\System32\Utbbuct.exe

Filesize
1.3MB

MD5
d7463f623b52da925c806cf7036df59a

SHA1
af81bfc53720a191ac76675e3f08a1eeac4a24c5

SHA256
1c50e7bc33c17efe9beb4cc38a91f8d95dd21a568fbf1cfaa6eaac76508db780

SHA512
bcc94cefd75c6430d831f3e6731051cef5860abf6358c579b9b26206519a8ffa384801688ced8c9ae444fe5c817ffa14aa2cac7b54d69a736030e1f96ae0ff78

Download Submit
C:\Windows\System32\WubElDq.exe

Filesize
1.3MB

MD5
d964b6dd4d6309557be54e909d233ec9

SHA1
5bf15bc661efb4bd29e22f590303ee272c37d95c

SHA256
6ed75f1c890ee6ff6df72631e832036b850aaeb155d607dd63164755d377a134

SHA512
421e135cb433a7c701bb857e8eb7792fe63cb050a48161b5ab3881c197603b4b07f823ba2de1a82dd6583a00abf5a3ed43a9fac412bf132965a2330f1e121eae

Download Submit
C:\Windows\System32\YkCPRiV.exe

Filesize
1.3MB

MD5
0b42aab42092776b260c3f7640bc1e6e

SHA1
57dcf08c93b0c5f94b07289ad35a057f8bd47e93

SHA256
43f7e47360c139762ccdf788fbc8883c42afad8e168c606135a19c9364edaa8e

SHA512
506d57fc2df1b950e95932b699758a1756fd224d66b561accb2b56e04d1be5e8afc6f61b0dfbae9a82123b94d55735f93b214a0871a5626a6608f5fdc8e585b8

Download Submit
C:\Windows\System32\hZlgHPg.exe

Filesize
1.3MB

MD5
4186c08d7ebf7940f56ea773660ba715

SHA1
b4c2d4d4117ac35adc788d739a6968bf0fc8fb4d

SHA256
cc93f982acf61d09938d7786e70b52229983d2447bb5f775c99e58b210e70e4e

SHA512
7f04196c5a05b628b2427bac817c732d994c67639a74c59f81eee03c07cba23a6537d98e860976235236bbe6d7fda97989084133c3dff02cdd3c4694e8651d91

Download Submit
C:\Windows\System32\kzPmZsc.exe

Filesize
1.3MB

MD5
fabb663c219911e5e5eabb90ea862209

SHA1
35e6523f2f1495b0b6dcb64e0058fd43910bae67

SHA256
c53a4a67adac64bb9269e56f165d30b7b8faf2efa0e2fe49235d7483580ea827

SHA512
1bcc1c441af9cc39b5dee71a03a23a1e2266d3e64751904067e2f38da2d7996c585b1a17b218f2afe94e5b8036fa0d29da40fdf3e5074a9ffc5dc6d461c7b750

Download Submit
C:\Windows\System32\lkAYuTc.exe

Filesize
1.3MB

MD5
b4023289b20b67ec7cb715a64dcb8a6e

SHA1
f2b0bf952ed529694718631b3158e26fe04640ce

SHA256
55832991a211af885f4625ca13cbbcf16273e098d3d65ad0ebe65570c718ea49

SHA512
26d8b2f75c2e524b84a8142e4cab43e594e408ef3ab25f65409122b9b471ffced2bf8916a23138fb12b373f9f0a47d995037e95f833ec72c733543b6da3d3c03

Download Submit
C:\Windows\System32\nHFBsIX.exe

Filesize
1.3MB

MD5
8d1459c0c6b5ccb6f85dd97e850043ff

SHA1
90367a3c0fe260f95c91207a9d22bb4b93463094

SHA256
63fefc8282acac4548726252e3801d0272af760c571833bcc5155004c41b4a10

SHA512
9cc40a6cf92ca12c57004bdd7f8f8dbebcd4369cbaa50d7e39320bd0eeb40cbe74c4f0e6b179921ab7b2b52a0db3eb25216abd9c84ec02a32c238ca554649428

Download Submit
C:\Windows\System32\pZcoSQv.exe

Filesize
1.3MB

MD5
0f804423d6b83efb9020e9a03bee91c5

SHA1
4aca69468204f0edba8daca75964f38aed62d57c

SHA256
e729a9c9d6c48e9cece29d1604c3657c367fc0b2ca85a80f82041ee70f8e38fd

SHA512
24d42c5c29c2b20abcce74d74f2c012ed4c85f5e3b3538ae9fe4bc7abb20463cb42b1be9017782d453597917a5acd115641a9bb9681299de364a373d9ff4dfce

Download Submit
C:\Windows\System32\paREdGC.exe

Filesize
1.3MB

MD5
cffa84cc4e67080ef5aff2a6814fd84c

SHA1
14b2a36076f12f70c34ba2208ca3435c840ade5d

SHA256
f839a19a07055d0290b2d2518e33593b9510948c365e46685f48b9490be0f0f9

SHA512
e4db73799cafc1e48b067fab8fdc7f0a1fa0ba44db12cd143e9dc7d401da3f416a253bc804d3d75d984e9a4ae4428b1be604c16ce156627d217f318ef0fe96a8

Download Submit
C:\Windows\System32\pcTfXdm.exe

Filesize
1.3MB

MD5
566477d03ebacfee21a0705726660be4

SHA1
8c6daf47910660d177d59bcea2a2952430070736

SHA256
1e4711e5fcc3a6e9261f0225b77bedc4ca38255ea359f9582e35c54c4565b6e0

SHA512
bd8653de2b3c053baea55739a947b81b340a2f6560edd9de85da3431399878866ff25266db054f6256e54ecbb8713af774e3f0e87d134d8637bfc85ba9f2bcc3

Download Submit
C:\Windows\System32\tpXlCWj.exe

Filesize
1.3MB

MD5
cf5d16a7b98286b8cfb4479bde1e5d47

SHA1
761184f30e289cf97a27e6f212388a96b10e710e

SHA256
474f3a6b9f2efbf3413563e2779c2878359464b37a0c93f2e017e2230b2df371

SHA512
3e0b313a7f9fd5c36247d49bb0740b5b8c34d66a63c17dfb4e98b385eb31d0c55c092efba316ee33460161a72551d806b94a8492bd06b6a803a0539832d6aa6a

Download Submit
C:\Windows\System32\vPOXbzk.exe

Filesize
1.3MB

MD5
49be4056e1320c32d9ce0eabe02ebce8

SHA1
9f98f6188c9f4e06fe15ab92d25f6eee61d6e726

SHA256
9085c889b03d25c6d72144f7b1e2cc5e0c7cd7c3124b06cf7b1344e722bbfcee

SHA512
5353009aecb6eefd58cd6607d7dd4abb4490a464473d6ddf0d11b024c40a2a23d0fc8cc34d63d8389ff617c8168f12edd096c324575c6047f296b7a923c766f6

Download Submit
C:\Windows\System32\wpcGvGM.exe

Filesize
1.3MB

MD5
b5dc7320bd27348fcb6ac8803972549f

SHA1
02c458cb594a07b21bffdbfb3275d1d08d8dbb69

SHA256
647483642bb402bd92e44b9da770c440e2b1406ae026866d676805a336238355

SHA512
9f3a8a2cebab1f952a34d75598f9d9a550945a0c363804d85da5024946e1cba66ba8e217c7d2eb4a0395963453e258be75b77cc05fff22a61496a7181846b90d

Download Submit
C:\Windows\System32\xDljxBZ.exe

Filesize
1.3MB

MD5
253277b2fec2fd8f95eab3c048a641a7

SHA1
202488957ac9446c079e7fdc33f20797fc857fd5

SHA256
43504d42291741f06465c2a26bcf4c774d75679dc2962b1632c8b2b230bd46bd

SHA512
1bbb94f5371c36f16e87079998123937ab08fa2f9e0ca48e5621e1a56535af56828955e4a5b37cbdc53c4f982263825cb1ba2e4cb9dce857ed4dbaecaaf5d74f

Download Submit
C:\Windows\System32\xdvNHdt.exe

Filesize
1.3MB

MD5
f22236c4e0bfb7c2fd215d83a5797c13

SHA1
8301db0d066c0ac655c510f7dab22048332eea08

SHA256
6bd72daff0b4b7c797327f4885399ac399887bbeff4c395e58a0e750870d8602

SHA512
2e3daf2501339a110ad23b4391172d936258d0f8b2394b9203c10f954af86cdb0078b22c1b7820640ee69f0226dae607cd8d6a2469463f8b993ad6827310c5a1

Download Submit
C:\Windows\System32\xehXZWF.exe

Filesize
1.3MB

MD5
d7832fee6bcc9bc866ed452e4bcdb23f

SHA1
fa954ca039b53838292a0145046d616d726ef953

SHA256
bc5474f887b61cf10ab3a8b2e7cdfe260249c87fb103d65c1640854509c54e1b

SHA512
520c924e9ffda15846e6eedc45bf21d3266394b35eb45ea9b15605540aa057ce208b80c689743e3de65aea4586d167ce18353e49907c571875013a60a4407c1a

Download Submit
C:\Windows\System32\xgHCXnp.exe

Filesize
1.3MB

MD5
d86eb54a09bbdacecc6d37903f6bd37d

SHA1
dcd5f7022a8697e7b9085d55dfaef3a4f111e692

SHA256
278875e13fc475e1f367c7cdfca3eef4c6e196300f12370d5232e9f21766c695

SHA512
ebe97ab947effd4e687ca478139b81b17ae0e02e50f65951aa81b3318aa40c6d56544383af36e8a78bd3f60614a012b29c46467e0085d866f4fcf6b92dbee36b

Download Submit
C:\Windows\System32\xmugDEH.exe

Filesize
1.3MB

MD5
165666d5128e37570ebe138d7e552af6

SHA1
b39d7326c8e77d64c5d8222b92f0379d14385f02

SHA256
07e5ceb1b87606b0d4e9281b5c2e4aaf28a11a9e64ef02ef4d3f7e3305cf388b

SHA512
0c6c1714474a24eda1949ffe7a1b43a7730fb20c314ce1cf7980f4b21b5cce94e6e3436f7b009d2cf21ce8d392bdb7ca72e48ce292595c2dcf2016c91ed01159

Download Submit
C:\Windows\System32\zZfGLor.exe

Filesize
1.3MB

MD5
02f8b59244d4a5486d6bcaa2d80d0d9d

SHA1
b17c58084da41cb4350fee068a37fd2351f3421f

SHA256
ad0ed95e50d7bbba4f62eece12ee60ea2a7c1cdfbc8c19b4689e345fd5c80c59

SHA512
5b0322226277a1fe1639b60fd36afbfc063adf7f2f5d941b0149ec6e54717cf6948ab21c3e8c2827b956f4ee2d59d96803b1b00df6ee3090e281e1d6766a0669

Download Submit
memory/704-2038-0x00007FF7CC430000-0x00007FF7CC821000-memory.dmp

Filesize
3.9MB

Download
memory/704-457-0x00007FF7CC430000-0x00007FF7CC821000-memory.dmp

Filesize
3.9MB

Download
memory/1496-0-0x00007FF6E4BB0000-0x00007FF6E4FA1000-memory.dmp

Filesize
3.9MB

Download
memory/1496-1-0x000001CE6B210000-0x000001CE6B220000-memory.dmp

Filesize
64KB

Download
memory/1584-2047-0x00007FF7F0770000-0x00007FF7F0B61000-memory.dmp

Filesize
3.9MB

Download
memory/1584-416-0x00007FF7F0770000-0x00007FF7F0B61000-memory.dmp

Filesize
3.9MB

Download
memory/1756-2018-0x00007FF629FA0000-0x00007FF62A391000-memory.dmp

Filesize
3.9MB

Download
memory/1756-397-0x00007FF629FA0000-0x00007FF62A391000-memory.dmp

Filesize
3.9MB

Download
memory/2416-2022-0x00007FF7B8DC0000-0x00007FF7B91B1000-memory.dmp

Filesize
3.9MB

Download
memory/2416-407-0x00007FF7B8DC0000-0x00007FF7B91B1000-memory.dmp

Filesize
3.9MB

Download
memory/2620-461-0x00007FF7A01D0000-0x00007FF7A05C1000-memory.dmp

Filesize
3.9MB

Download
memory/2620-2044-0x00007FF7A01D0000-0x00007FF7A05C1000-memory.dmp

Filesize
3.9MB

Download
memory/2676-371-0x00007FF684400000-0x00007FF6847F1000-memory.dmp

Filesize
3.9MB

Download
memory/2676-2010-0x00007FF684400000-0x00007FF6847F1000-memory.dmp

Filesize
3.9MB

Download
memory/3200-470-0x00007FF77ACF0000-0x00007FF77B0E1000-memory.dmp

Filesize
3.9MB

Download
memory/3200-2026-0x00007FF77ACF0000-0x00007FF77B0E1000-memory.dmp

Filesize
3.9MB

Download
memory/3324-362-0x00007FF601F60000-0x00007FF602351000-memory.dmp

Filesize
3.9MB

Download
memory/3324-2000-0x00007FF601F60000-0x00007FF602351000-memory.dmp

Filesize
3.9MB

Download
memory/3580-2016-0x00007FF7938F0000-0x00007FF793CE1000-memory.dmp

Filesize
3.9MB

Download
memory/3580-393-0x00007FF7938F0000-0x00007FF793CE1000-memory.dmp

Filesize
3.9MB

Download
memory/3640-452-0x00007FF688CC0000-0x00007FF6890B1000-memory.dmp

Filesize
3.9MB

Download
memory/3640-2024-0x00007FF688CC0000-0x00007FF6890B1000-memory.dmp

Filesize
3.9MB

Download
memory/3644-387-0x00007FF6A2370000-0x00007FF6A2761000-memory.dmp

Filesize
3.9MB

Download
memory/3644-2014-0x00007FF6A2370000-0x00007FF6A2761000-memory.dmp

Filesize
3.9MB

Download
memory/3800-376-0x00007FF7E2910000-0x00007FF7E2D01000-memory.dmp

Filesize
3.9MB

Download
memory/3800-2012-0x00007FF7E2910000-0x00007FF7E2D01000-memory.dmp

Filesize
3.9MB

Download
memory/3844-2036-0x00007FF79C4B0000-0x00007FF79C8A1000-memory.dmp

Filesize
3.9MB

Download
memory/3844-472-0x00007FF79C4B0000-0x00007FF79C8A1000-memory.dmp

Filesize
3.9MB

Download
memory/3984-476-0x00007FF746920000-0x00007FF746D11000-memory.dmp

Filesize
3.9MB

Download
memory/3984-2020-0x00007FF746920000-0x00007FF746D11000-memory.dmp

Filesize
3.9MB

Download
memory/4000-1998-0x00007FF6F7D10000-0x00007FF6F8101000-memory.dmp

Filesize
3.9MB

Download
memory/4000-1980-0x00007FF6F7D10000-0x00007FF6F8101000-memory.dmp

Filesize
3.9MB

Download
memory/4000-10-0x00007FF6F7D10000-0x00007FF6F8101000-memory.dmp

Filesize
3.9MB

Download
memory/4032-477-0x00007FF784040000-0x00007FF784431000-memory.dmp

Filesize
3.9MB

Download
memory/4032-2033-0x00007FF784040000-0x00007FF784431000-memory.dmp

Filesize
3.9MB

Download
memory/4168-2042-0x00007FF6609E0000-0x00007FF660DD1000-memory.dmp

Filesize
3.9MB

Download
memory/4168-430-0x00007FF6609E0000-0x00007FF660DD1000-memory.dmp

Filesize
3.9MB

Download
memory/4288-2002-0x00007FF6994A0000-0x00007FF699891000-memory.dmp

Filesize
3.9MB

Download
memory/4288-365-0x00007FF6994A0000-0x00007FF699891000-memory.dmp

Filesize
3.9MB

Download
memory/4456-364-0x00007FF70A310000-0x00007FF70A701000-memory.dmp

Filesize
3.9MB

Download
memory/4456-2006-0x00007FF70A310000-0x00007FF70A701000-memory.dmp

Filesize
3.9MB

Download
memory/4516-2031-0x00007FF7D71E0000-0x00007FF7D75D1000-memory.dmp

Filesize
3.9MB

Download
memory/4516-473-0x00007FF7D71E0000-0x00007FF7D75D1000-memory.dmp

Filesize
3.9MB

Download
memory/4868-449-0x00007FF69E450000-0x00007FF69E841000-memory.dmp

Filesize
3.9MB

Download
memory/4868-2049-0x00007FF69E450000-0x00007FF69E841000-memory.dmp

Filesize
3.9MB

Download
memory/4872-2008-0x00007FF6AB180000-0x00007FF6AB571000-memory.dmp

Filesize
3.9MB

Download
memory/4872-479-0x00007FF6AB180000-0x00007FF6AB571000-memory.dmp

Filesize
3.9MB

Download
memory/4968-2004-0x00007FF66C560000-0x00007FF66C951000-memory.dmp

Filesize
3.9MB

Download
memory/4968-366-0x00007FF66C560000-0x00007FF66C951000-memory.dmp

Filesize
3.9MB

Download
memory/4976-424-0x00007FF743FF0000-0x00007FF7443E1000-memory.dmp

Filesize
3.9MB

Download
memory/4976-2028-0x00007FF743FF0000-0x00007FF7443E1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads