xmrig | 02a11e80d114fefa609b1b84722b16ff84104c8b8b7725cab864a98daff378ec

Analysis

max time kernel
136s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
Size

1.2MB
MD5

181c67844d6b197521538b68569ee7ab
SHA1

09d117318ea524927c188584e1708efe1d152ecf
SHA256

02a11e80d114fefa609b1b84722b16ff84104c8b8b7725cab864a98daff378ec
SHA512

29cae7d79aea17029a8d0b35fc4e842d985f737e8aeedbf33e70d375175215750c77c8f6c4ab76c4fc13fcd43e88cc5e0e64ee25faaf8f3cddfce7809ddca1d4
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmC3f/DFNkTF8t2oplIH:knw9oUUEEDl37jcmWH/IcIH

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/704-394-0x00007FF60C900000-0x00007FF60CCF1000-memory.dmp	xmrig
behavioral2/memory/532-395-0x00007FF6F6010000-0x00007FF6F6401000-memory.dmp	xmrig
behavioral2/memory/436-401-0x00007FF745940000-0x00007FF745D31000-memory.dmp	xmrig
behavioral2/memory/4808-407-0x00007FF763D50000-0x00007FF764141000-memory.dmp	xmrig
behavioral2/memory/776-410-0x00007FF729000000-0x00007FF7293F1000-memory.dmp	xmrig
behavioral2/memory/1492-416-0x00007FF68F980000-0x00007FF68FD71000-memory.dmp	xmrig
behavioral2/memory/4376-423-0x00007FF63CF60000-0x00007FF63D351000-memory.dmp	xmrig
behavioral2/memory/4108-430-0x00007FF6FCE20000-0x00007FF6FD211000-memory.dmp	xmrig
behavioral2/memory/3828-434-0x00007FF796B40000-0x00007FF796F31000-memory.dmp	xmrig
behavioral2/memory/4632-439-0x00007FF63CA30000-0x00007FF63CE21000-memory.dmp	xmrig
behavioral2/memory/2628-440-0x00007FF6250E0000-0x00007FF6254D1000-memory.dmp	xmrig
behavioral2/memory/1480-449-0x00007FF6BE6C0000-0x00007FF6BEAB1000-memory.dmp	xmrig
behavioral2/memory/2036-452-0x00007FF683420000-0x00007FF683811000-memory.dmp	xmrig
behavioral2/memory/3572-454-0x00007FF67E530000-0x00007FF67E921000-memory.dmp	xmrig
behavioral2/memory/2864-461-0x00007FF635620000-0x00007FF635A11000-memory.dmp	xmrig
behavioral2/memory/2920-463-0x00007FF633BB0000-0x00007FF633FA1000-memory.dmp	xmrig
behavioral2/memory/644-447-0x00007FF7AC940000-0x00007FF7ACD31000-memory.dmp	xmrig
behavioral2/memory/2572-427-0x00007FF672980000-0x00007FF672D71000-memory.dmp	xmrig
behavioral2/memory/4088-41-0x00007FF63CD10000-0x00007FF63D101000-memory.dmp	xmrig
behavioral2/memory/2972-32-0x00007FF650990000-0x00007FF650D81000-memory.dmp	xmrig
behavioral2/memory/1880-1966-0x00007FF7D89E0000-0x00007FF7D8DD1000-memory.dmp	xmrig
behavioral2/memory/2544-1967-0x00007FF726310000-0x00007FF726701000-memory.dmp	xmrig
behavioral2/memory/3708-2000-0x00007FF6C9740000-0x00007FF6C9B31000-memory.dmp	xmrig
behavioral2/memory/4008-2010-0x00007FF78CF50000-0x00007FF78D341000-memory.dmp	xmrig
behavioral2/memory/1880-2012-0x00007FF7D89E0000-0x00007FF7D8DD1000-memory.dmp	xmrig
behavioral2/memory/4088-2018-0x00007FF63CD10000-0x00007FF63D101000-memory.dmp	xmrig
behavioral2/memory/2972-2016-0x00007FF650990000-0x00007FF650D81000-memory.dmp	xmrig
behavioral2/memory/2544-2014-0x00007FF726310000-0x00007FF726701000-memory.dmp	xmrig
behavioral2/memory/4808-2032-0x00007FF763D50000-0x00007FF764141000-memory.dmp	xmrig
behavioral2/memory/4376-2036-0x00007FF63CF60000-0x00007FF63D351000-memory.dmp	xmrig
behavioral2/memory/4632-2052-0x00007FF63CA30000-0x00007FF63CE21000-memory.dmp	xmrig
behavioral2/memory/2864-2056-0x00007FF635620000-0x00007FF635A11000-memory.dmp	xmrig
behavioral2/memory/3572-2054-0x00007FF67E530000-0x00007FF67E921000-memory.dmp	xmrig
behavioral2/memory/1480-2044-0x00007FF6BE6C0000-0x00007FF6BEAB1000-memory.dmp	xmrig
behavioral2/memory/2628-2042-0x00007FF6250E0000-0x00007FF6254D1000-memory.dmp	xmrig
behavioral2/memory/3828-2050-0x00007FF796B40000-0x00007FF796F31000-memory.dmp	xmrig
behavioral2/memory/644-2048-0x00007FF7AC940000-0x00007FF7ACD31000-memory.dmp	xmrig
behavioral2/memory/2036-2046-0x00007FF683420000-0x00007FF683811000-memory.dmp	xmrig
behavioral2/memory/4108-2040-0x00007FF6FCE20000-0x00007FF6FD211000-memory.dmp	xmrig
behavioral2/memory/2920-2038-0x00007FF633BB0000-0x00007FF633FA1000-memory.dmp	xmrig
behavioral2/memory/1492-2034-0x00007FF68F980000-0x00007FF68FD71000-memory.dmp	xmrig
behavioral2/memory/2572-2030-0x00007FF672980000-0x00007FF672D71000-memory.dmp	xmrig
behavioral2/memory/776-2028-0x00007FF729000000-0x00007FF7293F1000-memory.dmp	xmrig
behavioral2/memory/436-2026-0x00007FF745940000-0x00007FF745D31000-memory.dmp	xmrig
behavioral2/memory/704-2024-0x00007FF60C900000-0x00007FF60CCF1000-memory.dmp	xmrig
behavioral2/memory/532-2022-0x00007FF6F6010000-0x00007FF6F6401000-memory.dmp	xmrig
behavioral2/memory/3708-2020-0x00007FF6C9740000-0x00007FF6C9B31000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4008	RFFsByB.exe
1880	eLxpBrd.exe
2544	CLuNMSK.exe
2972	GIdwkay.exe
3708	nXUhKTR.exe
4088	MfBwpIa.exe
704	FMhzzZQ.exe
532	dIcECmW.exe
2920	YgWFAsk.exe
436	joVZdzO.exe
4808	ykNnvrl.exe
776	JcfpGQh.exe
1492	hgaUaiE.exe
4376	yLGtPJJ.exe
2572	xqYSWWG.exe
4108	cmddQPD.exe
3828	pMVAoOX.exe
4632	ZvYSfVn.exe
2628	GLMGEGH.exe
644	OUrsgaZ.exe
1480	rBonEEE.exe
2036	EDZdrUe.exe
3572	HITjrMO.exe
2864	tRCfPlO.exe
2256	szJCfDx.exe
2936	SrvuGkW.exe
4204	YeUDpDV.exe
1584	NKFHcWN.exe
1272	lXLQZyT.exe
3476	mRfzVOJ.exe
3464	FScmyrV.exe
1292	paLUJEl.exe
3852	LsAwkwD.exe
2128	AQTfHLB.exe
4940	FDPJdQv.exe
2904	bibZoSe.exe
1744	YFryixx.exe
4156	ewrQeMT.exe
4712	tJYoKvn.exe
4492	qgzGqRH.exe
3672	oErLMYH.exe
2260	nsQEZCW.exe
2564	CrLxYDP.exe
4988	LCRKGei.exe
4480	iUlYjns.exe
4452	qGSVKJr.exe
4260	LdOGODi.exe
4552	mahEXSV.exe
4648	wpichaX.exe
408	JWUxRQY.exe
2020	ESvcOPy.exe
2652	NdctLxA.exe
3112	OjRTebl.exe
896	LKetTeN.exe
4476	URnNtdZ.exe
3276	fwWIajv.exe
3020	bZRAUSx.exe
772	TZbbzei.exe
3156	xcrvwRj.exe
4600	aeIfVbL.exe
2320	fNdeaqA.exe
1140	XpLtXem.exe
4528	VagVMVP.exe
3764	xVlXUHM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1108-0-0x00007FF79C100000-0x00007FF79C4F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b72-7.dat	upx
behavioral2/files/0x000a000000023b73-8.dat	upx
behavioral2/memory/4008-11-0x00007FF78CF50000-0x00007FF78D341000-memory.dmp	upx
behavioral2/memory/1880-16-0x00007FF7D89E0000-0x00007FF7D8DD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-25.dat	upx
behavioral2/files/0x000a000000023b76-33.dat	upx
behavioral2/files/0x000a000000023b75-34.dat	upx
behavioral2/files/0x000a000000023b78-42.dat	upx
behavioral2/files/0x000a000000023b77-47.dat	upx
behavioral2/files/0x000a000000023b79-52.dat	upx
behavioral2/files/0x000a000000023b7e-77.dat	upx
behavioral2/files/0x000a000000023b84-107.dat	upx
behavioral2/files/0x000a000000023b89-130.dat	upx
behavioral2/files/0x000a000000023b8b-142.dat	upx
behavioral2/files/0x000a000000023b8f-160.dat	upx
behavioral2/memory/704-394-0x00007FF60C900000-0x00007FF60CCF1000-memory.dmp	upx
behavioral2/memory/532-395-0x00007FF6F6010000-0x00007FF6F6401000-memory.dmp	upx
behavioral2/memory/436-401-0x00007FF745940000-0x00007FF745D31000-memory.dmp	upx
behavioral2/memory/4808-407-0x00007FF763D50000-0x00007FF764141000-memory.dmp	upx
behavioral2/memory/776-410-0x00007FF729000000-0x00007FF7293F1000-memory.dmp	upx
behavioral2/memory/1492-416-0x00007FF68F980000-0x00007FF68FD71000-memory.dmp	upx
behavioral2/memory/4376-423-0x00007FF63CF60000-0x00007FF63D351000-memory.dmp	upx
behavioral2/memory/4108-430-0x00007FF6FCE20000-0x00007FF6FD211000-memory.dmp	upx
behavioral2/memory/3828-434-0x00007FF796B40000-0x00007FF796F31000-memory.dmp	upx
behavioral2/memory/4632-439-0x00007FF63CA30000-0x00007FF63CE21000-memory.dmp	upx
behavioral2/memory/2628-440-0x00007FF6250E0000-0x00007FF6254D1000-memory.dmp	upx
behavioral2/memory/1480-449-0x00007FF6BE6C0000-0x00007FF6BEAB1000-memory.dmp	upx
behavioral2/memory/2036-452-0x00007FF683420000-0x00007FF683811000-memory.dmp	upx
behavioral2/memory/3572-454-0x00007FF67E530000-0x00007FF67E921000-memory.dmp	upx
behavioral2/memory/2864-461-0x00007FF635620000-0x00007FF635A11000-memory.dmp	upx
behavioral2/memory/2920-463-0x00007FF633BB0000-0x00007FF633FA1000-memory.dmp	upx
behavioral2/memory/644-447-0x00007FF7AC940000-0x00007FF7ACD31000-memory.dmp	upx
behavioral2/memory/2572-427-0x00007FF672980000-0x00007FF672D71000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-167.dat	upx
behavioral2/files/0x000a000000023b8e-157.dat	upx
behavioral2/files/0x000a000000023b8d-152.dat	upx
behavioral2/files/0x000a000000023b8c-147.dat	upx
behavioral2/files/0x000a000000023b8a-137.dat	upx
behavioral2/files/0x000a000000023b88-127.dat	upx
behavioral2/files/0x000a000000023b87-122.dat	upx
behavioral2/files/0x000a000000023b86-117.dat	upx
behavioral2/files/0x000a000000023b85-112.dat	upx
behavioral2/files/0x000a000000023b83-102.dat	upx
behavioral2/files/0x000a000000023b82-97.dat	upx
behavioral2/files/0x000a000000023b81-92.dat	upx
behavioral2/files/0x000a000000023b80-87.dat	upx
behavioral2/files/0x000a000000023b7f-82.dat	upx
behavioral2/files/0x000a000000023b7d-72.dat	upx
behavioral2/files/0x000a000000023b7c-67.dat	upx
behavioral2/files/0x000a000000023b7b-62.dat	upx
behavioral2/files/0x000a000000023b7a-57.dat	upx
behavioral2/memory/4088-41-0x00007FF63CD10000-0x00007FF63D101000-memory.dmp	upx
behavioral2/memory/3708-38-0x00007FF6C9740000-0x00007FF6C9B31000-memory.dmp	upx
behavioral2/memory/2972-32-0x00007FF650990000-0x00007FF650D81000-memory.dmp	upx
behavioral2/memory/2544-20-0x00007FF726310000-0x00007FF726701000-memory.dmp	upx
behavioral2/files/0x000c000000023b6e-9.dat	upx
behavioral2/memory/1880-1966-0x00007FF7D89E0000-0x00007FF7D8DD1000-memory.dmp	upx
behavioral2/memory/2544-1967-0x00007FF726310000-0x00007FF726701000-memory.dmp	upx
behavioral2/memory/3708-2000-0x00007FF6C9740000-0x00007FF6C9B31000-memory.dmp	upx
behavioral2/memory/4008-2010-0x00007FF78CF50000-0x00007FF78D341000-memory.dmp	upx
behavioral2/memory/1880-2012-0x00007FF7D89E0000-0x00007FF7D8DD1000-memory.dmp	upx
behavioral2/memory/4088-2018-0x00007FF63CD10000-0x00007FF63D101000-memory.dmp	upx
behavioral2/memory/2972-2016-0x00007FF650990000-0x00007FF650D81000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\gWxcdus.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\ftqSIEl.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\kdPtZLk.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\VHjISDf.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\msAurLR.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\ANgcuIa.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\fNdeaqA.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\wILQXWJ.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\hmolZYJ.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\vTCeYDM.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\MbGSvXm.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\cnlSLto.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\cFQeiIh.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\GaJPdSk.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\DgcEgvU.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\pMVAoOX.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\fzXyQrd.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\CbasOHz.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\RfHznxI.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\lcMcLWQ.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\VTHQZzr.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\gbNsBms.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\CYzYMRI.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\AAErKpH.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\HZLChob.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\Pujxmtu.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\iMzzyUH.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\Fwxamfa.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\dEPkwIx.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\LTHxJsw.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\WKQWdjD.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\tAGIGwz.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\ShgQxQo.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\rGdmvza.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\JyClJpi.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\kcCHQOR.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\SSWvbHl.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\JBvuCVd.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\bJbhCRH.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\VxfqTjB.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\EaKXgyR.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\PTwfNfe.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\fbbdlcc.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\zQUWPUC.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\zyOSXOt.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\XazvmPX.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\cTyNXSQ.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\RtIFrwk.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\wbNweMF.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\eThBbni.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\svTEwBP.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\sMQTCeV.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\vBJGhPI.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\sRjWQjl.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\GKIupEx.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\RAsIsnW.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\wtvfDwc.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\FmZZNqh.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\KbNymAA.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\KbXjjkf.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\vVLOoUG.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\alFErfI.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\GzyAwFs.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
File created	C:\Windows\System32\XkqGnhu.exe	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1612	dwm.exe
Token: SeChangeNotifyPrivilege	1612	dwm.exe
Token: 33	1612	dwm.exe
Token: SeIncBasePriorityPrivilege	1612	dwm.exe
Token: SeShutdownPrivilege	1612	dwm.exe
Token: SeCreatePagefilePrivilege	1612	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 4008	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	85
PID 1108 wrote to memory of 4008	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	85
PID 1108 wrote to memory of 1880	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	86
PID 1108 wrote to memory of 1880	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	86
PID 1108 wrote to memory of 2544	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	87
PID 1108 wrote to memory of 2544	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	87
PID 1108 wrote to memory of 2972	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	88
PID 1108 wrote to memory of 2972	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	88
PID 1108 wrote to memory of 3708	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	89
PID 1108 wrote to memory of 3708	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	89
PID 1108 wrote to memory of 4088	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	90
PID 1108 wrote to memory of 4088	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	90
PID 1108 wrote to memory of 532	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	91
PID 1108 wrote to memory of 532	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	91
PID 1108 wrote to memory of 704	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	92
PID 1108 wrote to memory of 704	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	92
PID 1108 wrote to memory of 2920	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	93
PID 1108 wrote to memory of 2920	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	93
PID 1108 wrote to memory of 436	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	94
PID 1108 wrote to memory of 436	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	94
PID 1108 wrote to memory of 4808	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	95
PID 1108 wrote to memory of 4808	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	95
PID 1108 wrote to memory of 776	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	96
PID 1108 wrote to memory of 776	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	96
PID 1108 wrote to memory of 1492	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	97
PID 1108 wrote to memory of 1492	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	97
PID 1108 wrote to memory of 4376	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	98
PID 1108 wrote to memory of 4376	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	98
PID 1108 wrote to memory of 2572	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	99
PID 1108 wrote to memory of 2572	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	99
PID 1108 wrote to memory of 4108	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	100
PID 1108 wrote to memory of 4108	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	100
PID 1108 wrote to memory of 3828	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	101
PID 1108 wrote to memory of 3828	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	101
PID 1108 wrote to memory of 4632	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	102
PID 1108 wrote to memory of 4632	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	102
PID 1108 wrote to memory of 2628	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	103
PID 1108 wrote to memory of 2628	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	103
PID 1108 wrote to memory of 644	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	104
PID 1108 wrote to memory of 644	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	104
PID 1108 wrote to memory of 1480	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	105
PID 1108 wrote to memory of 1480	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	105
PID 1108 wrote to memory of 2036	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	106
PID 1108 wrote to memory of 2036	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	106
PID 1108 wrote to memory of 3572	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	107
PID 1108 wrote to memory of 3572	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	107
PID 1108 wrote to memory of 2864	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	108
PID 1108 wrote to memory of 2864	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	108
PID 1108 wrote to memory of 2256	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	109
PID 1108 wrote to memory of 2256	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	109
PID 1108 wrote to memory of 2936	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	110
PID 1108 wrote to memory of 2936	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	110
PID 1108 wrote to memory of 4204	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	111
PID 1108 wrote to memory of 4204	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	111
PID 1108 wrote to memory of 1584	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	112
PID 1108 wrote to memory of 1584	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	112
PID 1108 wrote to memory of 1272	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	113
PID 1108 wrote to memory of 1272	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	113
PID 1108 wrote to memory of 3476	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	114
PID 1108 wrote to memory of 3476	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	114
PID 1108 wrote to memory of 3464	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	115
PID 1108 wrote to memory of 3464	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	115
PID 1108 wrote to memory of 1292	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	116
PID 1108 wrote to memory of 1292	1108	181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\181c67844d6b197521538b68569ee7ab_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\System32\RFFsByB.exe
  C:\Windows\System32\RFFsByB.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System32\eLxpBrd.exe
  C:\Windows\System32\eLxpBrd.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System32\CLuNMSK.exe
  C:\Windows\System32\CLuNMSK.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System32\GIdwkay.exe
  C:\Windows\System32\GIdwkay.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System32\nXUhKTR.exe
  C:\Windows\System32\nXUhKTR.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\MfBwpIa.exe
  C:\Windows\System32\MfBwpIa.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System32\dIcECmW.exe
  C:\Windows\System32\dIcECmW.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\FMhzzZQ.exe
  C:\Windows\System32\FMhzzZQ.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System32\YgWFAsk.exe
  C:\Windows\System32\YgWFAsk.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System32\joVZdzO.exe
  C:\Windows\System32\joVZdzO.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\ykNnvrl.exe
  C:\Windows\System32\ykNnvrl.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\JcfpGQh.exe
  C:\Windows\System32\JcfpGQh.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System32\hgaUaiE.exe
  C:\Windows\System32\hgaUaiE.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System32\yLGtPJJ.exe
  C:\Windows\System32\yLGtPJJ.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System32\xqYSWWG.exe
  C:\Windows\System32\xqYSWWG.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System32\cmddQPD.exe
  C:\Windows\System32\cmddQPD.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\pMVAoOX.exe
  C:\Windows\System32\pMVAoOX.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\ZvYSfVn.exe
  C:\Windows\System32\ZvYSfVn.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\GLMGEGH.exe
  C:\Windows\System32\GLMGEGH.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System32\OUrsgaZ.exe
  C:\Windows\System32\OUrsgaZ.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System32\rBonEEE.exe
  C:\Windows\System32\rBonEEE.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System32\EDZdrUe.exe
  C:\Windows\System32\EDZdrUe.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System32\HITjrMO.exe
  C:\Windows\System32\HITjrMO.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\tRCfPlO.exe
  C:\Windows\System32\tRCfPlO.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System32\szJCfDx.exe
  C:\Windows\System32\szJCfDx.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System32\SrvuGkW.exe
  C:\Windows\System32\SrvuGkW.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\YeUDpDV.exe
  C:\Windows\System32\YeUDpDV.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System32\NKFHcWN.exe
  C:\Windows\System32\NKFHcWN.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System32\lXLQZyT.exe
  C:\Windows\System32\lXLQZyT.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System32\mRfzVOJ.exe
  C:\Windows\System32\mRfzVOJ.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System32\FScmyrV.exe
  C:\Windows\System32\FScmyrV.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\paLUJEl.exe
  C:\Windows\System32\paLUJEl.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\LsAwkwD.exe
  C:\Windows\System32\LsAwkwD.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System32\AQTfHLB.exe
  C:\Windows\System32\AQTfHLB.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System32\FDPJdQv.exe
  C:\Windows\System32\FDPJdQv.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System32\bibZoSe.exe
  C:\Windows\System32\bibZoSe.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\YFryixx.exe
  C:\Windows\System32\YFryixx.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System32\ewrQeMT.exe
  C:\Windows\System32\ewrQeMT.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System32\tJYoKvn.exe
  C:\Windows\System32\tJYoKvn.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\qgzGqRH.exe
  C:\Windows\System32\qgzGqRH.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\oErLMYH.exe
  C:\Windows\System32\oErLMYH.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\nsQEZCW.exe
  C:\Windows\System32\nsQEZCW.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System32\CrLxYDP.exe
  C:\Windows\System32\CrLxYDP.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System32\LCRKGei.exe
  C:\Windows\System32\LCRKGei.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\iUlYjns.exe
  C:\Windows\System32\iUlYjns.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\qGSVKJr.exe
  C:\Windows\System32\qGSVKJr.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\LdOGODi.exe
  C:\Windows\System32\LdOGODi.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System32\mahEXSV.exe
  C:\Windows\System32\mahEXSV.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\wpichaX.exe
  C:\Windows\System32\wpichaX.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System32\JWUxRQY.exe
  C:\Windows\System32\JWUxRQY.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System32\ESvcOPy.exe
  C:\Windows\System32\ESvcOPy.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System32\NdctLxA.exe
  C:\Windows\System32\NdctLxA.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System32\OjRTebl.exe
  C:\Windows\System32\OjRTebl.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\LKetTeN.exe
  C:\Windows\System32\LKetTeN.exe
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\System32\URnNtdZ.exe
  C:\Windows\System32\URnNtdZ.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\fwWIajv.exe
  C:\Windows\System32\fwWIajv.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System32\bZRAUSx.exe
  C:\Windows\System32\bZRAUSx.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System32\TZbbzei.exe
  C:\Windows\System32\TZbbzei.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System32\xcrvwRj.exe
  C:\Windows\System32\xcrvwRj.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\aeIfVbL.exe
  C:\Windows\System32\aeIfVbL.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\fNdeaqA.exe
  C:\Windows\System32\fNdeaqA.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System32\XpLtXem.exe
  C:\Windows\System32\XpLtXem.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System32\VagVMVP.exe
  C:\Windows\System32\VagVMVP.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\xVlXUHM.exe
  C:\Windows\System32\xVlXUHM.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\koprXjb.exe
  C:\Windows\System32\koprXjb.exe
  2⤵
  PID:2416
- C:\Windows\System32\MLWgyVh.exe
  C:\Windows\System32\MLWgyVh.exe
  2⤵
  PID:2732
- C:\Windows\System32\alFErfI.exe
  C:\Windows\System32\alFErfI.exe
  2⤵
  PID:4212
- C:\Windows\System32\PgDVMbW.exe
  C:\Windows\System32\PgDVMbW.exe
  2⤵
  PID:4936
- C:\Windows\System32\JXfSIBU.exe
  C:\Windows\System32\JXfSIBU.exe
  2⤵
  PID:944
- C:\Windows\System32\zqENFti.exe
  C:\Windows\System32\zqENFti.exe
  2⤵
  PID:1960
- C:\Windows\System32\eFrfZjI.exe
  C:\Windows\System32\eFrfZjI.exe
  2⤵
  PID:3644
- C:\Windows\System32\yIscLQo.exe
  C:\Windows\System32\yIscLQo.exe
  2⤵
  PID:1908
- C:\Windows\System32\OBdiPmd.exe
  C:\Windows\System32\OBdiPmd.exe
  2⤵
  PID:516
- C:\Windows\System32\xhtoMDf.exe
  C:\Windows\System32\xhtoMDf.exe
  2⤵
  PID:3080
- C:\Windows\System32\neaHwbU.exe
  C:\Windows\System32\neaHwbU.exe
  2⤵
  PID:2296
- C:\Windows\System32\iksBfEk.exe
  C:\Windows\System32\iksBfEk.exe
  2⤵
  PID:1876
- C:\Windows\System32\reeNsSf.exe
  C:\Windows\System32\reeNsSf.exe
  2⤵
  PID:2808
- C:\Windows\System32\USjmqvk.exe
  C:\Windows\System32\USjmqvk.exe
  2⤵
  PID:5124
- C:\Windows\System32\PekIBSN.exe
  C:\Windows\System32\PekIBSN.exe
  2⤵
  PID:5156
- C:\Windows\System32\jwQkosj.exe
  C:\Windows\System32\jwQkosj.exe
  2⤵
  PID:5184
- C:\Windows\System32\nQgBMBU.exe
  C:\Windows\System32\nQgBMBU.exe
  2⤵
  PID:5208
- C:\Windows\System32\hoDnpGv.exe
  C:\Windows\System32\hoDnpGv.exe
  2⤵
  PID:5240
- C:\Windows\System32\ipOQKnj.exe
  C:\Windows\System32\ipOQKnj.exe
  2⤵
  PID:5264
- C:\Windows\System32\JIyPcXC.exe
  C:\Windows\System32\JIyPcXC.exe
  2⤵
  PID:5296
- C:\Windows\System32\fZUMpAH.exe
  C:\Windows\System32\fZUMpAH.exe
  2⤵
  PID:5324
- C:\Windows\System32\bkwLyTI.exe
  C:\Windows\System32\bkwLyTI.exe
  2⤵
  PID:5348
- C:\Windows\System32\UgKbBAn.exe
  C:\Windows\System32\UgKbBAn.exe
  2⤵
  PID:5380
- C:\Windows\System32\rfTtITc.exe
  C:\Windows\System32\rfTtITc.exe
  2⤵
  PID:5408
- C:\Windows\System32\XeFkxgd.exe
  C:\Windows\System32\XeFkxgd.exe
  2⤵
  PID:5432
- C:\Windows\System32\XDunaUa.exe
  C:\Windows\System32\XDunaUa.exe
  2⤵
  PID:5464
- C:\Windows\System32\grwtbCa.exe
  C:\Windows\System32\grwtbCa.exe
  2⤵
  PID:5492
- C:\Windows\System32\CYzYMRI.exe
  C:\Windows\System32\CYzYMRI.exe
  2⤵
  PID:5516
- C:\Windows\System32\cuqechb.exe
  C:\Windows\System32\cuqechb.exe
  2⤵
  PID:5548
- C:\Windows\System32\pvViQbL.exe
  C:\Windows\System32\pvViQbL.exe
  2⤵
  PID:5576
- C:\Windows\System32\fnsVmha.exe
  C:\Windows\System32\fnsVmha.exe
  2⤵
  PID:5600
- C:\Windows\System32\JlYsxSp.exe
  C:\Windows\System32\JlYsxSp.exe
  2⤵
  PID:5632
- C:\Windows\System32\fcRGkHl.exe
  C:\Windows\System32\fcRGkHl.exe
  2⤵
  PID:5660
- C:\Windows\System32\QSKSctM.exe
  C:\Windows\System32\QSKSctM.exe
  2⤵
  PID:5684
- C:\Windows\System32\kPQEAIo.exe
  C:\Windows\System32\kPQEAIo.exe
  2⤵
  PID:5716
- C:\Windows\System32\CLGJGdR.exe
  C:\Windows\System32\CLGJGdR.exe
  2⤵
  PID:5740
- C:\Windows\System32\eMjFUcN.exe
  C:\Windows\System32\eMjFUcN.exe
  2⤵
  PID:5772
- C:\Windows\System32\rcIRsLy.exe
  C:\Windows\System32\rcIRsLy.exe
  2⤵
  PID:5800
- C:\Windows\System32\EoutNoO.exe
  C:\Windows\System32\EoutNoO.exe
  2⤵
  PID:5824
- C:\Windows\System32\ZaVfWDL.exe
  C:\Windows\System32\ZaVfWDL.exe
  2⤵
  PID:5856
- C:\Windows\System32\NLOlTmu.exe
  C:\Windows\System32\NLOlTmu.exe
  2⤵
  PID:5880
- C:\Windows\System32\ipcJNrZ.exe
  C:\Windows\System32\ipcJNrZ.exe
  2⤵
  PID:5912
- C:\Windows\System32\TYRryoI.exe
  C:\Windows\System32\TYRryoI.exe
  2⤵
  PID:5940
- C:\Windows\System32\iIdTHOy.exe
  C:\Windows\System32\iIdTHOy.exe
  2⤵
  PID:5964
- C:\Windows\System32\SMQZYXH.exe
  C:\Windows\System32\SMQZYXH.exe
  2⤵
  PID:6032
- C:\Windows\System32\PUnohny.exe
  C:\Windows\System32\PUnohny.exe
  2⤵
  PID:6056
- C:\Windows\System32\eigvyFz.exe
  C:\Windows\System32\eigvyFz.exe
  2⤵
  PID:6076
- C:\Windows\System32\FPlyNoP.exe
  C:\Windows\System32\FPlyNoP.exe
  2⤵
  PID:6108
- C:\Windows\System32\jKnzrTT.exe
  C:\Windows\System32\jKnzrTT.exe
  2⤵
  PID:6128
- C:\Windows\System32\rWaumkg.exe
  C:\Windows\System32\rWaumkg.exe
  2⤵
  PID:2552
- C:\Windows\System32\rGdmvza.exe
  C:\Windows\System32\rGdmvza.exe
  2⤵
  PID:520
- C:\Windows\System32\SidoRDv.exe
  C:\Windows\System32\SidoRDv.exe
  2⤵
  PID:4520
- C:\Windows\System32\CmyqUnZ.exe
  C:\Windows\System32\CmyqUnZ.exe
  2⤵
  PID:3912
- C:\Windows\System32\MbGSvXm.exe
  C:\Windows\System32\MbGSvXm.exe
  2⤵
  PID:5220
- C:\Windows\System32\MHBDfZD.exe
  C:\Windows\System32\MHBDfZD.exe
  2⤵
  PID:5260
- C:\Windows\System32\QkOeGIU.exe
  C:\Windows\System32\QkOeGIU.exe
  2⤵
  PID:5308
- C:\Windows\System32\orEniLS.exe
  C:\Windows\System32\orEniLS.exe
  2⤵
  PID:3104
- C:\Windows\System32\wFSmQTs.exe
  C:\Windows\System32\wFSmQTs.exe
  2⤵
  PID:5396
- C:\Windows\System32\wILQXWJ.exe
  C:\Windows\System32\wILQXWJ.exe
  2⤵
  PID:1828
- C:\Windows\System32\STlKQSS.exe
  C:\Windows\System32\STlKQSS.exe
  2⤵
  PID:5532
- C:\Windows\System32\ROLgnXI.exe
  C:\Windows\System32\ROLgnXI.exe
  2⤵
  PID:5564
- C:\Windows\System32\cBBlWfg.exe
  C:\Windows\System32\cBBlWfg.exe
  2⤵
  PID:1632
- C:\Windows\System32\vlCLOub.exe
  C:\Windows\System32\vlCLOub.exe
  2⤵
  PID:5728
- C:\Windows\System32\tgalhGN.exe
  C:\Windows\System32\tgalhGN.exe
  2⤵
  PID:5784
- C:\Windows\System32\xoANdvb.exe
  C:\Windows\System32\xoANdvb.exe
  2⤵
  PID:4032
- C:\Windows\System32\uejFJJA.exe
  C:\Windows\System32\uejFJJA.exe
  2⤵
  PID:2708
- C:\Windows\System32\GaIkEuI.exe
  C:\Windows\System32\GaIkEuI.exe
  2⤵
  PID:5868
- C:\Windows\System32\LTHxJsw.exe
  C:\Windows\System32\LTHxJsw.exe
  2⤵
  PID:5892
- C:\Windows\System32\YlDgPUy.exe
  C:\Windows\System32\YlDgPUy.exe
  2⤵
  PID:3948
- C:\Windows\System32\lSKYNCA.exe
  C:\Windows\System32\lSKYNCA.exe
  2⤵
  PID:5932
- C:\Windows\System32\ovwRNMk.exe
  C:\Windows\System32\ovwRNMk.exe
  2⤵
  PID:5992
- C:\Windows\System32\GUwlSug.exe
  C:\Windows\System32\GUwlSug.exe
  2⤵
  PID:6052
- C:\Windows\System32\fbbdlcc.exe
  C:\Windows\System32\fbbdlcc.exe
  2⤵
  PID:6084
- C:\Windows\System32\gWxcdus.exe
  C:\Windows\System32\gWxcdus.exe
  2⤵
  PID:1608
- C:\Windows\System32\HakzTpe.exe
  C:\Windows\System32\HakzTpe.exe
  2⤵
  PID:1680
- C:\Windows\System32\wtvfDwc.exe
  C:\Windows\System32\wtvfDwc.exe
  2⤵
  PID:5200
- C:\Windows\System32\xWYygkW.exe
  C:\Windows\System32\xWYygkW.exe
  2⤵
  PID:5280
- C:\Windows\System32\dPsKjgv.exe
  C:\Windows\System32\dPsKjgv.exe
  2⤵
  PID:5480
- C:\Windows\System32\ncIljqh.exe
  C:\Windows\System32\ncIljqh.exe
  2⤵
  PID:5588
- C:\Windows\System32\OFkNKrD.exe
  C:\Windows\System32\OFkNKrD.exe
  2⤵
  PID:3972
- C:\Windows\System32\servcjm.exe
  C:\Windows\System32\servcjm.exe
  2⤵
  PID:2892
- C:\Windows\System32\RyfsZRz.exe
  C:\Windows\System32\RyfsZRz.exe
  2⤵
  PID:5792
- C:\Windows\System32\qCaHqGy.exe
  C:\Windows\System32\qCaHqGy.exe
  2⤵
  PID:1628
- C:\Windows\System32\WKQWdjD.exe
  C:\Windows\System32\WKQWdjD.exe
  2⤵
  PID:5956
- C:\Windows\System32\ftqSIEl.exe
  C:\Windows\System32\ftqSIEl.exe
  2⤵
  PID:6048
- C:\Windows\System32\QuyjcRM.exe
  C:\Windows\System32\QuyjcRM.exe
  2⤵
  PID:6012
- C:\Windows\System32\DkYzXDi.exe
  C:\Windows\System32\DkYzXDi.exe
  2⤵
  PID:3576
- C:\Windows\System32\WNugLfE.exe
  C:\Windows\System32\WNugLfE.exe
  2⤵
  PID:4016
- C:\Windows\System32\giNprFj.exe
  C:\Windows\System32\giNprFj.exe
  2⤵
  PID:5596
- C:\Windows\System32\RTWQZmg.exe
  C:\Windows\System32\RTWQZmg.exe
  2⤵
  PID:6064
- C:\Windows\System32\nCNYoQS.exe
  C:\Windows\System32\nCNYoQS.exe
  2⤵
  PID:3452
- C:\Windows\System32\ZbHAHEr.exe
  C:\Windows\System32\ZbHAHEr.exe
  2⤵
  PID:6020
- C:\Windows\System32\MRaswRr.exe
  C:\Windows\System32\MRaswRr.exe
  2⤵
  PID:5476
- C:\Windows\System32\SSWvbHl.exe
  C:\Windows\System32\SSWvbHl.exe
  2⤵
  PID:5624
- C:\Windows\System32\refWeXw.exe
  C:\Windows\System32\refWeXw.exe
  2⤵
  PID:5680
- C:\Windows\System32\tzlRfuc.exe
  C:\Windows\System32\tzlRfuc.exe
  2⤵
  PID:5952
- C:\Windows\System32\dRFgEpb.exe
  C:\Windows\System32\dRFgEpb.exe
  2⤵
  PID:2240
- C:\Windows\System32\onmneYj.exe
  C:\Windows\System32\onmneYj.exe
  2⤵
  PID:1588
- C:\Windows\System32\GzyAwFs.exe
  C:\Windows\System32\GzyAwFs.exe
  2⤵
  PID:6160
- C:\Windows\System32\TegEwjJ.exe
  C:\Windows\System32\TegEwjJ.exe
  2⤵
  PID:6180
- C:\Windows\System32\hmolZYJ.exe
  C:\Windows\System32\hmolZYJ.exe
  2⤵
  PID:6204
- C:\Windows\System32\dpDsnOy.exe
  C:\Windows\System32\dpDsnOy.exe
  2⤵
  PID:6220
- C:\Windows\System32\eyIwkQK.exe
  C:\Windows\System32\eyIwkQK.exe
  2⤵
  PID:6248
- C:\Windows\System32\PoLBIbu.exe
  C:\Windows\System32\PoLBIbu.exe
  2⤵
  PID:6264
- C:\Windows\System32\IIMuqwZ.exe
  C:\Windows\System32\IIMuqwZ.exe
  2⤵
  PID:6288
- C:\Windows\System32\VKRLPeM.exe
  C:\Windows\System32\VKRLPeM.exe
  2⤵
  PID:6328
- C:\Windows\System32\ItfiGLX.exe
  C:\Windows\System32\ItfiGLX.exe
  2⤵
  PID:6380
- C:\Windows\System32\wlcDEKK.exe
  C:\Windows\System32\wlcDEKK.exe
  2⤵
  PID:6420
- C:\Windows\System32\BaBbHnx.exe
  C:\Windows\System32\BaBbHnx.exe
  2⤵
  PID:6444
- C:\Windows\System32\acvZikW.exe
  C:\Windows\System32\acvZikW.exe
  2⤵
  PID:6464
- C:\Windows\System32\EQUzOTS.exe
  C:\Windows\System32\EQUzOTS.exe
  2⤵
  PID:6504
- C:\Windows\System32\gcyJMgj.exe
  C:\Windows\System32\gcyJMgj.exe
  2⤵
  PID:6532
- C:\Windows\System32\kdPtZLk.exe
  C:\Windows\System32\kdPtZLk.exe
  2⤵
  PID:6560
- C:\Windows\System32\RtEslpD.exe
  C:\Windows\System32\RtEslpD.exe
  2⤵
  PID:6588
- C:\Windows\System32\JBvuCVd.exe
  C:\Windows\System32\JBvuCVd.exe
  2⤵
  PID:6604
- C:\Windows\System32\IFJODSv.exe
  C:\Windows\System32\IFJODSv.exe
  2⤵
  PID:6628
- C:\Windows\System32\RuISUdV.exe
  C:\Windows\System32\RuISUdV.exe
  2⤵
  PID:6644
- C:\Windows\System32\CuqGAzh.exe
  C:\Windows\System32\CuqGAzh.exe
  2⤵
  PID:6664
- C:\Windows\System32\eXzTRIC.exe
  C:\Windows\System32\eXzTRIC.exe
  2⤵
  PID:6684
- C:\Windows\System32\AzTRQrc.exe
  C:\Windows\System32\AzTRQrc.exe
  2⤵
  PID:6700
- C:\Windows\System32\MSviEkp.exe
  C:\Windows\System32\MSviEkp.exe
  2⤵
  PID:6764
- C:\Windows\System32\eJTegFc.exe
  C:\Windows\System32\eJTegFc.exe
  2⤵
  PID:6796
- C:\Windows\System32\snRZRkf.exe
  C:\Windows\System32\snRZRkf.exe
  2⤵
  PID:6824
- C:\Windows\System32\MJhLcAS.exe
  C:\Windows\System32\MJhLcAS.exe
  2⤵
  PID:6860
- C:\Windows\System32\rfxLHXb.exe
  C:\Windows\System32\rfxLHXb.exe
  2⤵
  PID:6884
- C:\Windows\System32\ITOohnr.exe
  C:\Windows\System32\ITOohnr.exe
  2⤵
  PID:6920
- C:\Windows\System32\ocGEchc.exe
  C:\Windows\System32\ocGEchc.exe
  2⤵
  PID:6944
- C:\Windows\System32\tVYIbPG.exe
  C:\Windows\System32\tVYIbPG.exe
  2⤵
  PID:6960
- C:\Windows\System32\vTCeYDM.exe
  C:\Windows\System32\vTCeYDM.exe
  2⤵
  PID:6984
- C:\Windows\System32\oZyJmTV.exe
  C:\Windows\System32\oZyJmTV.exe
  2⤵
  PID:7000
- C:\Windows\System32\DwtdHmY.exe
  C:\Windows\System32\DwtdHmY.exe
  2⤵
  PID:7072
- C:\Windows\System32\pWnXhwX.exe
  C:\Windows\System32\pWnXhwX.exe
  2⤵
  PID:7088
- C:\Windows\System32\WktethH.exe
  C:\Windows\System32\WktethH.exe
  2⤵
  PID:7108
- C:\Windows\System32\RRnHJCq.exe
  C:\Windows\System32\RRnHJCq.exe
  2⤵
  PID:7148
- C:\Windows\System32\tzRZUcw.exe
  C:\Windows\System32\tzRZUcw.exe
  2⤵
  PID:6176
- C:\Windows\System32\PDhLndS.exe
  C:\Windows\System32\PDhLndS.exe
  2⤵
  PID:6196
- C:\Windows\System32\VKVXQCU.exe
  C:\Windows\System32\VKVXQCU.exe
  2⤵
  PID:6300
- C:\Windows\System32\rbbkNJo.exe
  C:\Windows\System32\rbbkNJo.exe
  2⤵
  PID:6372
- C:\Windows\System32\svTEwBP.exe
  C:\Windows\System32\svTEwBP.exe
  2⤵
  PID:6416
- C:\Windows\System32\FsuwIQp.exe
  C:\Windows\System32\FsuwIQp.exe
  2⤵
  PID:6484
- C:\Windows\System32\bjTkuIs.exe
  C:\Windows\System32\bjTkuIs.exe
  2⤵
  PID:6548
- C:\Windows\System32\vyHFHlT.exe
  C:\Windows\System32\vyHFHlT.exe
  2⤵
  PID:6692
- C:\Windows\System32\FjaYNym.exe
  C:\Windows\System32\FjaYNym.exe
  2⤵
  PID:6740
- C:\Windows\System32\AqqymbF.exe
  C:\Windows\System32\AqqymbF.exe
  2⤵
  PID:6760
- C:\Windows\System32\CSJZJdN.exe
  C:\Windows\System32\CSJZJdN.exe
  2⤵
  PID:2820
- C:\Windows\System32\daRiuNV.exe
  C:\Windows\System32\daRiuNV.exe
  2⤵
  PID:6852
- C:\Windows\System32\fzXyQrd.exe
  C:\Windows\System32\fzXyQrd.exe
  2⤵
  PID:6976
- C:\Windows\System32\alCvFjC.exe
  C:\Windows\System32\alCvFjC.exe
  2⤵
  PID:7044
- C:\Windows\System32\uwlMlPJ.exe
  C:\Windows\System32\uwlMlPJ.exe
  2⤵
  PID:7080
- C:\Windows\System32\sxuOSYB.exe
  C:\Windows\System32\sxuOSYB.exe
  2⤵
  PID:6212
- C:\Windows\System32\ZDCBiiV.exe
  C:\Windows\System32\ZDCBiiV.exe
  2⤵
  PID:5904
- C:\Windows\System32\wiJTtEz.exe
  C:\Windows\System32\wiJTtEz.exe
  2⤵
  PID:6524
- C:\Windows\System32\axLpNmy.exe
  C:\Windows\System32\axLpNmy.exe
  2⤵
  PID:6572
- C:\Windows\System32\Pabzidu.exe
  C:\Windows\System32\Pabzidu.exe
  2⤵
  PID:6660
- C:\Windows\System32\HmbzyHp.exe
  C:\Windows\System32\HmbzyHp.exe
  2⤵
  PID:6936
- C:\Windows\System32\TxnbPeH.exe
  C:\Windows\System32\TxnbPeH.exe
  2⤵
  PID:7100
- C:\Windows\System32\gbjkXbZ.exe
  C:\Windows\System32\gbjkXbZ.exe
  2⤵
  PID:6396
- C:\Windows\System32\okfjafp.exe
  C:\Windows\System32\okfjafp.exe
  2⤵
  PID:6752
- C:\Windows\System32\cnlSLto.exe
  C:\Windows\System32\cnlSLto.exe
  2⤵
  PID:6820
- C:\Windows\System32\ZwsOXgm.exe
  C:\Windows\System32\ZwsOXgm.exe
  2⤵
  PID:7052
- C:\Windows\System32\tsBEoSm.exe
  C:\Windows\System32\tsBEoSm.exe
  2⤵
  PID:7176
- C:\Windows\System32\BIQYaYw.exe
  C:\Windows\System32\BIQYaYw.exe
  2⤵
  PID:7192
- C:\Windows\System32\guZpywM.exe
  C:\Windows\System32\guZpywM.exe
  2⤵
  PID:7260
- C:\Windows\System32\qbBSbFG.exe
  C:\Windows\System32\qbBSbFG.exe
  2⤵
  PID:7284
- C:\Windows\System32\sNiuICX.exe
  C:\Windows\System32\sNiuICX.exe
  2⤵
  PID:7324
- C:\Windows\System32\OQuBxoj.exe
  C:\Windows\System32\OQuBxoj.exe
  2⤵
  PID:7348
- C:\Windows\System32\ioIVgwH.exe
  C:\Windows\System32\ioIVgwH.exe
  2⤵
  PID:7368
- C:\Windows\System32\ytXcIRA.exe
  C:\Windows\System32\ytXcIRA.exe
  2⤵
  PID:7396
- C:\Windows\System32\FmZZNqh.exe
  C:\Windows\System32\FmZZNqh.exe
  2⤵
  PID:7416
- C:\Windows\System32\QaDeTrR.exe
  C:\Windows\System32\QaDeTrR.exe
  2⤵
  PID:7452
- C:\Windows\System32\EFnWUEq.exe
  C:\Windows\System32\EFnWUEq.exe
  2⤵
  PID:7472
- C:\Windows\System32\MKahwhw.exe
  C:\Windows\System32\MKahwhw.exe
  2⤵
  PID:7508
- C:\Windows\System32\NBGdlWG.exe
  C:\Windows\System32\NBGdlWG.exe
  2⤵
  PID:7524
- C:\Windows\System32\bJbhCRH.exe
  C:\Windows\System32\bJbhCRH.exe
  2⤵
  PID:7544
- C:\Windows\System32\zQUWPUC.exe
  C:\Windows\System32\zQUWPUC.exe
  2⤵
  PID:7560
- C:\Windows\System32\nBooxhn.exe
  C:\Windows\System32\nBooxhn.exe
  2⤵
  PID:7588
- C:\Windows\System32\UtburyJ.exe
  C:\Windows\System32\UtburyJ.exe
  2⤵
  PID:7604
- C:\Windows\System32\wrsOxUh.exe
  C:\Windows\System32\wrsOxUh.exe
  2⤵
  PID:7664
- C:\Windows\System32\jkXJbkb.exe
  C:\Windows\System32\jkXJbkb.exe
  2⤵
  PID:7688
- C:\Windows\System32\cFQeiIh.exe
  C:\Windows\System32\cFQeiIh.exe
  2⤵
  PID:7712
- C:\Windows\System32\RpTnfAb.exe
  C:\Windows\System32\RpTnfAb.exe
  2⤵
  PID:7732
- C:\Windows\System32\GaIEQnI.exe
  C:\Windows\System32\GaIEQnI.exe
  2⤵
  PID:7748
- C:\Windows\System32\bkwXYny.exe
  C:\Windows\System32\bkwXYny.exe
  2⤵
  PID:7816
- C:\Windows\System32\RDlhVXD.exe
  C:\Windows\System32\RDlhVXD.exe
  2⤵
  PID:7836
- C:\Windows\System32\KbNymAA.exe
  C:\Windows\System32\KbNymAA.exe
  2⤵
  PID:7880
- C:\Windows\System32\AAErKpH.exe
  C:\Windows\System32\AAErKpH.exe
  2⤵
  PID:7904
- C:\Windows\System32\MCQCcwc.exe
  C:\Windows\System32\MCQCcwc.exe
  2⤵
  PID:7936
- C:\Windows\System32\VaMnQyH.exe
  C:\Windows\System32\VaMnQyH.exe
  2⤵
  PID:7960
- C:\Windows\System32\hXVWRwF.exe
  C:\Windows\System32\hXVWRwF.exe
  2⤵
  PID:7980
- C:\Windows\System32\GrahMzT.exe
  C:\Windows\System32\GrahMzT.exe
  2⤵
  PID:8040
- C:\Windows\System32\Puusite.exe
  C:\Windows\System32\Puusite.exe
  2⤵
  PID:8056
- C:\Windows\System32\BbErUux.exe
  C:\Windows\System32\BbErUux.exe
  2⤵
  PID:8076
- C:\Windows\System32\wqjVqvK.exe
  C:\Windows\System32\wqjVqvK.exe
  2⤵
  PID:8108
- C:\Windows\System32\OzKPlrS.exe
  C:\Windows\System32\OzKPlrS.exe
  2⤵
  PID:8136
- C:\Windows\System32\HZLChob.exe
  C:\Windows\System32\HZLChob.exe
  2⤵
  PID:8152
- C:\Windows\System32\tAGIGwz.exe
  C:\Windows\System32\tAGIGwz.exe
  2⤵
  PID:8180
- C:\Windows\System32\ViPFFUD.exe
  C:\Windows\System32\ViPFFUD.exe
  2⤵
  PID:6904
- C:\Windows\System32\GUXsKyu.exe
  C:\Windows\System32\GUXsKyu.exe
  2⤵
  PID:7224
- C:\Windows\System32\gFpwsfu.exe
  C:\Windows\System32\gFpwsfu.exe
  2⤵
  PID:7332
- C:\Windows\System32\IGUCGZY.exe
  C:\Windows\System32\IGUCGZY.exe
  2⤵
  PID:7392
- C:\Windows\System32\FMGDgzt.exe
  C:\Windows\System32\FMGDgzt.exe
  2⤵
  PID:6716
- C:\Windows\System32\CbasOHz.exe
  C:\Windows\System32\CbasOHz.exe
  2⤵
  PID:7500
- C:\Windows\System32\tDnKfaE.exe
  C:\Windows\System32\tDnKfaE.exe
  2⤵
  PID:7552
- C:\Windows\System32\AMccNvL.exe
  C:\Windows\System32\AMccNvL.exe
  2⤵
  PID:7616
- C:\Windows\System32\RfHznxI.exe
  C:\Windows\System32\RfHznxI.exe
  2⤵
  PID:7728
- C:\Windows\System32\zyOSXOt.exe
  C:\Windows\System32\zyOSXOt.exe
  2⤵
  PID:7744
- C:\Windows\System32\KIMyPRJ.exe
  C:\Windows\System32\KIMyPRJ.exe
  2⤵
  PID:7856
- C:\Windows\System32\QCpAxla.exe
  C:\Windows\System32\QCpAxla.exe
  2⤵
  PID:7900
- C:\Windows\System32\yXNJpaJ.exe
  C:\Windows\System32\yXNJpaJ.exe
  2⤵
  PID:7952
- C:\Windows\System32\VHjISDf.exe
  C:\Windows\System32\VHjISDf.exe
  2⤵
  PID:8012
- C:\Windows\System32\HsJTslL.exe
  C:\Windows\System32\HsJTslL.exe
  2⤵
  PID:8104
- C:\Windows\System32\XazvmPX.exe
  C:\Windows\System32\XazvmPX.exe
  2⤵
  PID:8168
- C:\Windows\System32\mfIXJjV.exe
  C:\Windows\System32\mfIXJjV.exe
  2⤵
  PID:6708
- C:\Windows\System32\VSqUdxP.exe
  C:\Windows\System32\VSqUdxP.exe
  2⤵
  PID:6348
- C:\Windows\System32\oHLBcti.exe
  C:\Windows\System32\oHLBcti.exe
  2⤵
  PID:7572
- C:\Windows\System32\TDFDYre.exe
  C:\Windows\System32\TDFDYre.exe
  2⤵
  PID:7596
- C:\Windows\System32\DoQrTWH.exe
  C:\Windows\System32\DoQrTWH.exe
  2⤵
  PID:7784
- C:\Windows\System32\JBleESX.exe
  C:\Windows\System32\JBleESX.exe
  2⤵
  PID:7916
- C:\Windows\System32\zVHzTID.exe
  C:\Windows\System32\zVHzTID.exe
  2⤵
  PID:8052
- C:\Windows\System32\SMGMzkh.exe
  C:\Windows\System32\SMGMzkh.exe
  2⤵
  PID:8144
- C:\Windows\System32\ECiPIfP.exe
  C:\Windows\System32\ECiPIfP.exe
  2⤵
  PID:7708
- C:\Windows\System32\diOGOKi.exe
  C:\Windows\System32\diOGOKi.exe
  2⤵
  PID:7956
- C:\Windows\System32\MCWRzuN.exe
  C:\Windows\System32\MCWRzuN.exe
  2⤵
  PID:7584
- C:\Windows\System32\JhQkxET.exe
  C:\Windows\System32\JhQkxET.exe
  2⤵
  PID:7824
- C:\Windows\System32\aVHTFED.exe
  C:\Windows\System32\aVHTFED.exe
  2⤵
  PID:8200
- C:\Windows\System32\pEyCkHA.exe
  C:\Windows\System32\pEyCkHA.exe
  2⤵
  PID:8224
- C:\Windows\System32\XkqGnhu.exe
  C:\Windows\System32\XkqGnhu.exe
  2⤵
  PID:8272
- C:\Windows\System32\vBJGhPI.exe
  C:\Windows\System32\vBJGhPI.exe
  2⤵
  PID:8296
- C:\Windows\System32\HyxnRKZ.exe
  C:\Windows\System32\HyxnRKZ.exe
  2⤵
  PID:8320
- C:\Windows\System32\FFAyUZu.exe
  C:\Windows\System32\FFAyUZu.exe
  2⤵
  PID:8364
- C:\Windows\System32\sRjWQjl.exe
  C:\Windows\System32\sRjWQjl.exe
  2⤵
  PID:8412
- C:\Windows\System32\JCADmda.exe
  C:\Windows\System32\JCADmda.exe
  2⤵
  PID:8456
- C:\Windows\System32\puGPYTv.exe
  C:\Windows\System32\puGPYTv.exe
  2⤵
  PID:8476
- C:\Windows\System32\Pujxmtu.exe
  C:\Windows\System32\Pujxmtu.exe
  2⤵
  PID:8500
- C:\Windows\System32\RlUiIyU.exe
  C:\Windows\System32\RlUiIyU.exe
  2⤵
  PID:8540
- C:\Windows\System32\CeoqhAj.exe
  C:\Windows\System32\CeoqhAj.exe
  2⤵
  PID:8556
- C:\Windows\System32\qLgssCL.exe
  C:\Windows\System32\qLgssCL.exe
  2⤵
  PID:8572
- C:\Windows\System32\rEVjCxh.exe
  C:\Windows\System32\rEVjCxh.exe
  2⤵
  PID:8624
- C:\Windows\System32\tuzUrKP.exe
  C:\Windows\System32\tuzUrKP.exe
  2⤵
  PID:8644
- C:\Windows\System32\axnkVgW.exe
  C:\Windows\System32\axnkVgW.exe
  2⤵
  PID:8672
- C:\Windows\System32\lrptWFg.exe
  C:\Windows\System32\lrptWFg.exe
  2⤵
  PID:8700
- C:\Windows\System32\uhRloBf.exe
  C:\Windows\System32\uhRloBf.exe
  2⤵
  PID:8740
- C:\Windows\System32\WbbuyFk.exe
  C:\Windows\System32\WbbuyFk.exe
  2⤵
  PID:8756
- C:\Windows\System32\rzupgFb.exe
  C:\Windows\System32\rzupgFb.exe
  2⤵
  PID:8780
- C:\Windows\System32\twkIThE.exe
  C:\Windows\System32\twkIThE.exe
  2⤵
  PID:8796
- C:\Windows\System32\xwSFZHd.exe
  C:\Windows\System32\xwSFZHd.exe
  2⤵
  PID:8828
- C:\Windows\System32\hjRBfNs.exe
  C:\Windows\System32\hjRBfNs.exe
  2⤵
  PID:8856
- C:\Windows\System32\OdkxzFV.exe
  C:\Windows\System32\OdkxzFV.exe
  2⤵
  PID:8876
- C:\Windows\System32\CReaYYh.exe
  C:\Windows\System32\CReaYYh.exe
  2⤵
  PID:8900
- C:\Windows\System32\jbDoure.exe
  C:\Windows\System32\jbDoure.exe
  2⤵
  PID:8932
- C:\Windows\System32\YVEZOCI.exe
  C:\Windows\System32\YVEZOCI.exe
  2⤵
  PID:8968
- C:\Windows\System32\jHrKgEt.exe
  C:\Windows\System32\jHrKgEt.exe
  2⤵
  PID:8996
- C:\Windows\System32\PLeLZSi.exe
  C:\Windows\System32\PLeLZSi.exe
  2⤵
  PID:9040
- C:\Windows\System32\qlxdnit.exe
  C:\Windows\System32\qlxdnit.exe
  2⤵
  PID:9136
- C:\Windows\System32\wlpGhsR.exe
  C:\Windows\System32\wlpGhsR.exe
  2⤵
  PID:9152
- C:\Windows\System32\lcMcLWQ.exe
  C:\Windows\System32\lcMcLWQ.exe
  2⤵
  PID:9168
- C:\Windows\System32\TAvHMCh.exe
  C:\Windows\System32\TAvHMCh.exe
  2⤵
  PID:9184
- C:\Windows\System32\tFcpzIK.exe
  C:\Windows\System32\tFcpzIK.exe
  2⤵
  PID:9200
- C:\Windows\System32\QJmzJLZ.exe
  C:\Windows\System32\QJmzJLZ.exe
  2⤵
  PID:8196
- C:\Windows\System32\TvsYOLb.exe
  C:\Windows\System32\TvsYOLb.exe
  2⤵
  PID:8120
- C:\Windows\System32\wnHMnsa.exe
  C:\Windows\System32\wnHMnsa.exe
  2⤵
  PID:8252
- C:\Windows\System32\SqnHrmz.exe
  C:\Windows\System32\SqnHrmz.exe
  2⤵
  PID:8292
- C:\Windows\System32\ZYUyXXM.exe
  C:\Windows\System32\ZYUyXXM.exe
  2⤵
  PID:8344
- C:\Windows\System32\VxfqTjB.exe
  C:\Windows\System32\VxfqTjB.exe
  2⤵
  PID:8396
- C:\Windows\System32\sPlzPwn.exe
  C:\Windows\System32\sPlzPwn.exe
  2⤵
  PID:8376
- C:\Windows\System32\JLaiGaC.exe
  C:\Windows\System32\JLaiGaC.exe
  2⤵
  PID:8432
- C:\Windows\System32\KLQxcBc.exe
  C:\Windows\System32\KLQxcBc.exe
  2⤵
  PID:8464
- C:\Windows\System32\NehGiGz.exe
  C:\Windows\System32\NehGiGz.exe
  2⤵
  PID:8516
- C:\Windows\System32\XfsKxoE.exe
  C:\Windows\System32\XfsKxoE.exe
  2⤵
  PID:8552
- C:\Windows\System32\CMMhzas.exe
  C:\Windows\System32\CMMhzas.exe
  2⤵
  PID:8584
- C:\Windows\System32\cjgjeYQ.exe
  C:\Windows\System32\cjgjeYQ.exe
  2⤵
  PID:8632
- C:\Windows\System32\DOUeihn.exe
  C:\Windows\System32\DOUeihn.exe
  2⤵
  PID:8664
- C:\Windows\System32\JGNbdfr.exe
  C:\Windows\System32\JGNbdfr.exe
  2⤵
  PID:8708
- C:\Windows\System32\qnGUsqw.exe
  C:\Windows\System32\qnGUsqw.exe
  2⤵
  PID:8748
- C:\Windows\System32\UhlDCVM.exe
  C:\Windows\System32\UhlDCVM.exe
  2⤵
  PID:8788
- C:\Windows\System32\PVGJefk.exe
  C:\Windows\System32\PVGJefk.exe
  2⤵
  PID:8836
- C:\Windows\System32\mWlfmFo.exe
  C:\Windows\System32\mWlfmFo.exe
  2⤵
  PID:8956
- C:\Windows\System32\BNGIcbC.exe
  C:\Windows\System32\BNGIcbC.exe
  2⤵
  PID:8980
- C:\Windows\System32\ukmlfno.exe
  C:\Windows\System32\ukmlfno.exe
  2⤵
  PID:9048
- C:\Windows\System32\uQPAOAY.exe
  C:\Windows\System32\uQPAOAY.exe
  2⤵
  PID:9036
- C:\Windows\System32\GaJPdSk.exe
  C:\Windows\System32\GaJPdSk.exe
  2⤵
  PID:9252
- C:\Windows\System32\gMhZhpj.exe
  C:\Windows\System32\gMhZhpj.exe
  2⤵
  PID:9352
- C:\Windows\System32\XbAsSSp.exe
  C:\Windows\System32\XbAsSSp.exe
  2⤵
  PID:9572
- C:\Windows\System32\osccvOj.exe
  C:\Windows\System32\osccvOj.exe
  2⤵
  PID:9608
- C:\Windows\System32\JLpszMQ.exe
  C:\Windows\System32\JLpszMQ.exe
  2⤵
  PID:9664
- C:\Windows\System32\cyRzBqQ.exe
  C:\Windows\System32\cyRzBqQ.exe
  2⤵
  PID:9700
- C:\Windows\System32\naXWkjL.exe
  C:\Windows\System32\naXWkjL.exe
  2⤵
  PID:9720
- C:\Windows\System32\VqFyFxM.exe
  C:\Windows\System32\VqFyFxM.exe
  2⤵
  PID:9748
- C:\Windows\System32\fjtExBN.exe
  C:\Windows\System32\fjtExBN.exe
  2⤵
  PID:9772
- C:\Windows\System32\SkykZvQ.exe
  C:\Windows\System32\SkykZvQ.exe
  2⤵
  PID:9812
- C:\Windows\System32\WLnsKzk.exe
  C:\Windows\System32\WLnsKzk.exe
  2⤵
  PID:9836
- C:\Windows\System32\qRxBYcA.exe
  C:\Windows\System32\qRxBYcA.exe
  2⤵
  PID:9856
- C:\Windows\System32\OQBJEzW.exe
  C:\Windows\System32\OQBJEzW.exe
  2⤵
  PID:9884
- C:\Windows\System32\yfRZSjx.exe
  C:\Windows\System32\yfRZSjx.exe
  2⤵
  PID:9904
- C:\Windows\System32\cTyNXSQ.exe
  C:\Windows\System32\cTyNXSQ.exe
  2⤵
  PID:9952
- C:\Windows\System32\YbmTSeC.exe
  C:\Windows\System32\YbmTSeC.exe
  2⤵
  PID:9996
- C:\Windows\System32\qwBPrPF.exe
  C:\Windows\System32\qwBPrPF.exe
  2⤵
  PID:10016
- C:\Windows\System32\OiQsCFC.exe
  C:\Windows\System32\OiQsCFC.exe
  2⤵
  PID:10040
- C:\Windows\System32\SghDiVW.exe
  C:\Windows\System32\SghDiVW.exe
  2⤵
  PID:10072
- C:\Windows\System32\eeVdmTz.exe
  C:\Windows\System32\eeVdmTz.exe
  2⤵
  PID:10088
- C:\Windows\System32\eYcQeDu.exe
  C:\Windows\System32\eYcQeDu.exe
  2⤵
  PID:10104
- C:\Windows\System32\EtncXVF.exe
  C:\Windows\System32\EtncXVF.exe
  2⤵
  PID:10144
- C:\Windows\System32\EaKXgyR.exe
  C:\Windows\System32\EaKXgyR.exe
  2⤵
  PID:10168
- C:\Windows\System32\RtIFrwk.exe
  C:\Windows\System32\RtIFrwk.exe
  2⤵
  PID:10216
- C:\Windows\System32\xLTfQYw.exe
  C:\Windows\System32\xLTfQYw.exe
  2⤵
  PID:10232
- C:\Windows\System32\VTHQZzr.exe
  C:\Windows\System32\VTHQZzr.exe
  2⤵
  PID:9032
- C:\Windows\System32\lxFLrgV.exe
  C:\Windows\System32\lxFLrgV.exe
  2⤵
  PID:9180
- C:\Windows\System32\cObCnvv.exe
  C:\Windows\System32\cObCnvv.exe
  2⤵
  PID:9060
- C:\Windows\System32\peNyyHt.exe
  C:\Windows\System32\peNyyHt.exe
  2⤵
  PID:9108
- C:\Windows\System32\tMqhpqq.exe
  C:\Windows\System32\tMqhpqq.exe
  2⤵
  PID:9088
- C:\Windows\System32\ibwJeTi.exe
  C:\Windows\System32\ibwJeTi.exe
  2⤵
  PID:9028
- C:\Windows\System32\jUIewQO.exe
  C:\Windows\System32\jUIewQO.exe
  2⤵
  PID:8340
- C:\Windows\System32\MlSIuvP.exe
  C:\Windows\System32\MlSIuvP.exe
  2⤵
  PID:8512
- C:\Windows\System32\RVfKouH.exe
  C:\Windows\System32\RVfKouH.exe
  2⤵
  PID:8688
- C:\Windows\System32\kcNUGhT.exe
  C:\Windows\System32\kcNUGhT.exe
  2⤵
  PID:9148
- C:\Windows\System32\ATcLUeQ.exe
  C:\Windows\System32\ATcLUeQ.exe
  2⤵
  PID:8568
- C:\Windows\System32\RfwTPSv.exe
  C:\Windows\System32\RfwTPSv.exe
  2⤵
  PID:9260
- C:\Windows\System32\sIfAPdU.exe
  C:\Windows\System32\sIfAPdU.exe
  2⤵
  PID:9364
- C:\Windows\System32\nenOjnZ.exe
  C:\Windows\System32\nenOjnZ.exe
  2⤵
  PID:9316
- C:\Windows\System32\BwOMJwK.exe
  C:\Windows\System32\BwOMJwK.exe
  2⤵
  PID:9512
- C:\Windows\System32\cfCAzkq.exe
  C:\Windows\System32\cfCAzkq.exe
  2⤵
  PID:9536
- C:\Windows\System32\bXaDqTS.exe
  C:\Windows\System32\bXaDqTS.exe
  2⤵
  PID:9584
- C:\Windows\System32\ZFCFGNe.exe
  C:\Windows\System32\ZFCFGNe.exe
  2⤵
  PID:9696
- C:\Windows\System32\jMlCXey.exe
  C:\Windows\System32\jMlCXey.exe
  2⤵
  PID:9728
- C:\Windows\System32\zgUAnWB.exe
  C:\Windows\System32\zgUAnWB.exe
  2⤵
  PID:9800
- C:\Windows\System32\NhFSPNh.exe
  C:\Windows\System32\NhFSPNh.exe
  2⤵
  PID:9924
- C:\Windows\System32\JtaWfCg.exe
  C:\Windows\System32\JtaWfCg.exe
  2⤵
  PID:9968
- C:\Windows\System32\WnTyunR.exe
  C:\Windows\System32\WnTyunR.exe
  2⤵
  PID:10052
- C:\Windows\System32\UfsceMK.exe
  C:\Windows\System32\UfsceMK.exe
  2⤵
  PID:10084
- C:\Windows\System32\pmTUbrH.exe
  C:\Windows\System32\pmTUbrH.exe
  2⤵
  PID:10156
- C:\Windows\System32\nSvYTuj.exe
  C:\Windows\System32\nSvYTuj.exe
  2⤵
  PID:10204
- C:\Windows\System32\lOazXMr.exe
  C:\Windows\System32\lOazXMr.exe
  2⤵
  PID:8952
- C:\Windows\System32\yuaaOAE.exe
  C:\Windows\System32\yuaaOAE.exe
  2⤵
  PID:9192
- C:\Windows\System32\bvhYwac.exe
  C:\Windows\System32\bvhYwac.exe
  2⤵
  PID:9120
- C:\Windows\System32\pvgqMDd.exe
  C:\Windows\System32\pvgqMDd.exe
  2⤵
  PID:8692
- C:\Windows\System32\iNJpwqL.exe
  C:\Windows\System32\iNJpwqL.exe
  2⤵
  PID:9284
- C:\Windows\System32\WGZxeQF.exe
  C:\Windows\System32\WGZxeQF.exe
  2⤵
  PID:9468
- C:\Windows\System32\OenHQUU.exe
  C:\Windows\System32\OenHQUU.exe
  2⤵
  PID:9580
- C:\Windows\System32\VplZiGX.exe
  C:\Windows\System32\VplZiGX.exe
  2⤵
  PID:9740
- C:\Windows\System32\hFtinaq.exe
  C:\Windows\System32\hFtinaq.exe
  2⤵
  PID:9916
- C:\Windows\System32\iMzzyUH.exe
  C:\Windows\System32\iMzzyUH.exe
  2⤵
  PID:9948
- C:\Windows\System32\CqQjSMG.exe
  C:\Windows\System32\CqQjSMG.exe
  2⤵
  PID:10068
- C:\Windows\System32\efdiSxz.exe
  C:\Windows\System32\efdiSxz.exe
  2⤵
  PID:8256
- C:\Windows\System32\RcGlKax.exe
  C:\Windows\System32\RcGlKax.exe
  2⤵
  PID:8356
- C:\Windows\System32\YMxzAtK.exe
  C:\Windows\System32\YMxzAtK.exe
  2⤵
  PID:9348
- C:\Windows\System32\aTtFtBi.exe
  C:\Windows\System32\aTtFtBi.exe
  2⤵
  PID:9684
- C:\Windows\System32\bSNFeSF.exe
  C:\Windows\System32\bSNFeSF.exe
  2⤵
  PID:10184
- C:\Windows\System32\IqJXTDj.exe
  C:\Windows\System32\IqJXTDj.exe
  2⤵
  PID:8912
- C:\Windows\System32\FFxRVHr.exe
  C:\Windows\System32\FFxRVHr.exe
  2⤵
  PID:9640
- C:\Windows\System32\WgfHlcv.exe
  C:\Windows\System32\WgfHlcv.exe
  2⤵
  PID:10268
- C:\Windows\System32\zXmiADq.exe
  C:\Windows\System32\zXmiADq.exe
  2⤵
  PID:10296
- C:\Windows\System32\tHLdnTj.exe
  C:\Windows\System32\tHLdnTj.exe
  2⤵
  PID:10324
- C:\Windows\System32\RPOcahk.exe
  C:\Windows\System32\RPOcahk.exe
  2⤵
  PID:10344
- C:\Windows\System32\KbXjjkf.exe
  C:\Windows\System32\KbXjjkf.exe
  2⤵
  PID:10360
- C:\Windows\System32\lxKTrjc.exe
  C:\Windows\System32\lxKTrjc.exe
  2⤵
  PID:10384
- C:\Windows\System32\fTsHvNR.exe
  C:\Windows\System32\fTsHvNR.exe
  2⤵
  PID:10416
- C:\Windows\System32\BNTLtOa.exe
  C:\Windows\System32\BNTLtOa.exe
  2⤵
  PID:10464
- C:\Windows\System32\hrBKlwW.exe
  C:\Windows\System32\hrBKlwW.exe
  2⤵
  PID:10504
- C:\Windows\System32\uqkiztZ.exe
  C:\Windows\System32\uqkiztZ.exe
  2⤵
  PID:10532
- C:\Windows\System32\THVXkUG.exe
  C:\Windows\System32\THVXkUG.exe
  2⤵
  PID:10556
- C:\Windows\System32\msAurLR.exe
  C:\Windows\System32\msAurLR.exe
  2⤵
  PID:10576
- C:\Windows\System32\xZZkJTx.exe
  C:\Windows\System32\xZZkJTx.exe
  2⤵
  PID:10616
- C:\Windows\System32\vwEkDDy.exe
  C:\Windows\System32\vwEkDDy.exe
  2⤵
  PID:10640
- C:\Windows\System32\tpcjzdE.exe
  C:\Windows\System32\tpcjzdE.exe
  2⤵
  PID:10660
- C:\Windows\System32\iaNoWfN.exe
  C:\Windows\System32\iaNoWfN.exe
  2⤵
  PID:10692
- C:\Windows\System32\crXUDdZ.exe
  C:\Windows\System32\crXUDdZ.exe
  2⤵
  PID:10728
- C:\Windows\System32\qvjaUPI.exe
  C:\Windows\System32\qvjaUPI.exe
  2⤵
  PID:10748
- C:\Windows\System32\Fwxamfa.exe
  C:\Windows\System32\Fwxamfa.exe
  2⤵
  PID:10764
- C:\Windows\System32\fgPcvPV.exe
  C:\Windows\System32\fgPcvPV.exe
  2⤵
  PID:10788
- C:\Windows\System32\DJepJzL.exe
  C:\Windows\System32\DJepJzL.exe
  2⤵
  PID:10840
- C:\Windows\System32\ULgFLAk.exe
  C:\Windows\System32\ULgFLAk.exe
  2⤵
  PID:10868
- C:\Windows\System32\qLILuvo.exe
  C:\Windows\System32\qLILuvo.exe
  2⤵
  PID:10884
- C:\Windows\System32\pIQFnkF.exe
  C:\Windows\System32\pIQFnkF.exe
  2⤵
  PID:10904
- C:\Windows\System32\QRSLytF.exe
  C:\Windows\System32\QRSLytF.exe
  2⤵
  PID:10940
- C:\Windows\System32\FVGMFNS.exe
  C:\Windows\System32\FVGMFNS.exe
  2⤵
  PID:10964
- C:\Windows\System32\cyJYTFj.exe
  C:\Windows\System32\cyJYTFj.exe
  2⤵
  PID:10988
- C:\Windows\System32\sfVgteO.exe
  C:\Windows\System32\sfVgteO.exe
  2⤵
  PID:11012
- C:\Windows\System32\DgcEgvU.exe
  C:\Windows\System32\DgcEgvU.exe
  2⤵
  PID:11032
- C:\Windows\System32\cukDAqF.exe
  C:\Windows\System32\cukDAqF.exe
  2⤵
  PID:11080
- C:\Windows\System32\LEFjYvQ.exe
  C:\Windows\System32\LEFjYvQ.exe
  2⤵
  PID:11124
- C:\Windows\System32\smHhPIe.exe
  C:\Windows\System32\smHhPIe.exe
  2⤵
  PID:11148
- C:\Windows\System32\NAoRGgP.exe
  C:\Windows\System32\NAoRGgP.exe
  2⤵
  PID:11176
- C:\Windows\System32\tRkGWFb.exe
  C:\Windows\System32\tRkGWFb.exe
  2⤵
  PID:11196
- C:\Windows\System32\uxpKMjj.exe
  C:\Windows\System32\uxpKMjj.exe
  2⤵
  PID:11220
- C:\Windows\System32\UwNHaPX.exe
  C:\Windows\System32\UwNHaPX.exe
  2⤵
  PID:11256
- C:\Windows\System32\StBLcfw.exe
  C:\Windows\System32\StBLcfw.exe
  2⤵
  PID:9144
- C:\Windows\System32\mNXoKDe.exe
  C:\Windows\System32\mNXoKDe.exe
  2⤵
  PID:10280
- C:\Windows\System32\WWRTsBZ.exe
  C:\Windows\System32\WWRTsBZ.exe
  2⤵
  PID:10308
- C:\Windows\System32\OZqVBqS.exe
  C:\Windows\System32\OZqVBqS.exe
  2⤵
  PID:10404
- C:\Windows\System32\FxPbEIc.exe
  C:\Windows\System32\FxPbEIc.exe
  2⤵
  PID:10548
- C:\Windows\System32\mvHhDwp.exe
  C:\Windows\System32\mvHhDwp.exe
  2⤵
  PID:10544
- C:\Windows\System32\fttCfxQ.exe
  C:\Windows\System32\fttCfxQ.exe
  2⤵
  PID:10652
- C:\Windows\System32\nZOFSMy.exe
  C:\Windows\System32\nZOFSMy.exe
  2⤵
  PID:10684
- C:\Windows\System32\MBSSndf.exe
  C:\Windows\System32\MBSSndf.exe
  2⤵
  PID:10736
- C:\Windows\System32\YVmTZkI.exe
  C:\Windows\System32\YVmTZkI.exe
  2⤵
  PID:10804
- C:\Windows\System32\intCoWh.exe
  C:\Windows\System32\intCoWh.exe
  2⤵
  PID:10876
- C:\Windows\System32\YStvRXa.exe
  C:\Windows\System32\YStvRXa.exe
  2⤵
  PID:10936
- C:\Windows\System32\VgFJxuJ.exe
  C:\Windows\System32\VgFJxuJ.exe
  2⤵
  PID:10996
- C:\Windows\System32\UVnczJD.exe
  C:\Windows\System32\UVnczJD.exe
  2⤵
  PID:11100
- C:\Windows\System32\lEDohFC.exe
  C:\Windows\System32\lEDohFC.exe
  2⤵
  PID:11164
- C:\Windows\System32\gYndzYJ.exe
  C:\Windows\System32\gYndzYJ.exe
  2⤵
  PID:11188
- C:\Windows\System32\rGZsiSr.exe
  C:\Windows\System32\rGZsiSr.exe
  2⤵
  PID:10256
- C:\Windows\System32\WQWTpaz.exe
  C:\Windows\System32\WQWTpaz.exe
  2⤵
  PID:10356
- C:\Windows\System32\ZTDdUkO.exe
  C:\Windows\System32\ZTDdUkO.exe
  2⤵
  PID:10500
- C:\Windows\System32\OCTQwJM.exe
  C:\Windows\System32\OCTQwJM.exe
  2⤵
  PID:10676
- C:\Windows\System32\GAVhJhs.exe
  C:\Windows\System32\GAVhJhs.exe
  2⤵
  PID:10896
- C:\Windows\System32\bYTnBaH.exe
  C:\Windows\System32\bYTnBaH.exe
  2⤵
  PID:10972
- C:\Windows\System32\kcCHQOR.exe
  C:\Windows\System32\kcCHQOR.exe
  2⤵
  PID:11132
- C:\Windows\System32\XFotmEu.exe
  C:\Windows\System32\XFotmEu.exe
  2⤵
  PID:11216
- C:\Windows\System32\FkjiCOk.exe
  C:\Windows\System32\FkjiCOk.exe
  2⤵
  PID:10568
- C:\Windows\System32\rzQzNkF.exe
  C:\Windows\System32\rzQzNkF.exe
  2⤵
  PID:10880
- C:\Windows\System32\iadEfMk.exe
  C:\Windows\System32\iadEfMk.exe
  2⤵
  PID:10376
- C:\Windows\System32\WyTrAwq.exe
  C:\Windows\System32\WyTrAwq.exe
  2⤵
  PID:10292
- C:\Windows\System32\ZocKAzn.exe
  C:\Windows\System32\ZocKAzn.exe
  2⤵
  PID:11276
- C:\Windows\System32\dqZFhDi.exe
  C:\Windows\System32\dqZFhDi.exe
  2⤵
  PID:11296
- C:\Windows\System32\mnSpnsa.exe
  C:\Windows\System32\mnSpnsa.exe
  2⤵
  PID:11336
- C:\Windows\System32\hBOGLRI.exe
  C:\Windows\System32\hBOGLRI.exe
  2⤵
  PID:11364
- C:\Windows\System32\TfFDMjl.exe
  C:\Windows\System32\TfFDMjl.exe
  2⤵
  PID:11380
- C:\Windows\System32\oCuKiRw.exe
  C:\Windows\System32\oCuKiRw.exe
  2⤵
  PID:11400
- C:\Windows\System32\zWdziCq.exe
  C:\Windows\System32\zWdziCq.exe
  2⤵
  PID:11416
- C:\Windows\System32\sOBKoCl.exe
  C:\Windows\System32\sOBKoCl.exe
  2⤵
  PID:11464
- C:\Windows\System32\PgwycAH.exe
  C:\Windows\System32\PgwycAH.exe
  2⤵
  PID:11504
- C:\Windows\System32\fXAibzC.exe
  C:\Windows\System32\fXAibzC.exe
  2⤵
  PID:11528
- C:\Windows\System32\qDVkEAV.exe
  C:\Windows\System32\qDVkEAV.exe
  2⤵
  PID:11548
- C:\Windows\System32\cdRkiXO.exe
  C:\Windows\System32\cdRkiXO.exe
  2⤵
  PID:11576
- C:\Windows\System32\JkAddeT.exe
  C:\Windows\System32\JkAddeT.exe
  2⤵
  PID:11600
- C:\Windows\System32\MShGRqC.exe
  C:\Windows\System32\MShGRqC.exe
  2⤵
  PID:11628
- C:\Windows\System32\hlrgpfC.exe
  C:\Windows\System32\hlrgpfC.exe
  2⤵
  PID:11648
- C:\Windows\System32\byLFvAG.exe
  C:\Windows\System32\byLFvAG.exe
  2⤵
  PID:11676
- C:\Windows\System32\qXXyYce.exe
  C:\Windows\System32\qXXyYce.exe
  2⤵
  PID:11708
- C:\Windows\System32\KlLzZbp.exe
  C:\Windows\System32\KlLzZbp.exe
  2⤵
  PID:11732
- C:\Windows\System32\gHUkcWS.exe
  C:\Windows\System32\gHUkcWS.exe
  2⤵
  PID:11768
- C:\Windows\System32\nXbDilk.exe
  C:\Windows\System32\nXbDilk.exe
  2⤵
  PID:11792
- C:\Windows\System32\GauZutN.exe
  C:\Windows\System32\GauZutN.exe
  2⤵
  PID:11824
- C:\Windows\System32\bQwXgGb.exe
  C:\Windows\System32\bQwXgGb.exe
  2⤵
  PID:11868
- C:\Windows\System32\DWvBBwO.exe
  C:\Windows\System32\DWvBBwO.exe
  2⤵
  PID:11892
- C:\Windows\System32\OlkAyCM.exe
  C:\Windows\System32\OlkAyCM.exe
  2⤵
  PID:11908
- C:\Windows\System32\NQRQfTl.exe
  C:\Windows\System32\NQRQfTl.exe
  2⤵
  PID:11928
- C:\Windows\System32\OpgOoOz.exe
  C:\Windows\System32\OpgOoOz.exe
  2⤵
  PID:11948
- C:\Windows\System32\eEQSIYy.exe
  C:\Windows\System32\eEQSIYy.exe
  2⤵
  PID:11980
- C:\Windows\System32\nyEobxu.exe
  C:\Windows\System32\nyEobxu.exe
  2⤵
  PID:11996
- C:\Windows\System32\OZOvGWM.exe
  C:\Windows\System32\OZOvGWM.exe
  2⤵
  PID:12036
- C:\Windows\System32\YPfjQMS.exe
  C:\Windows\System32\YPfjQMS.exe
  2⤵
  PID:12052
- C:\Windows\System32\wOgRgDS.exe
  C:\Windows\System32\wOgRgDS.exe
  2⤵
  PID:12096
- C:\Windows\System32\KMTfCHF.exe
  C:\Windows\System32\KMTfCHF.exe
  2⤵
  PID:12132
- C:\Windows\System32\bzFNOmI.exe
  C:\Windows\System32\bzFNOmI.exe
  2⤵
  PID:12160
- C:\Windows\System32\MJQjJnK.exe
  C:\Windows\System32\MJQjJnK.exe
  2⤵
  PID:12188
- C:\Windows\System32\ShgQxQo.exe
  C:\Windows\System32\ShgQxQo.exe
  2⤵
  PID:12216
- C:\Windows\System32\JyClJpi.exe
  C:\Windows\System32\JyClJpi.exe
  2⤵
  PID:12244
- C:\Windows\System32\NyeXwdp.exe
  C:\Windows\System32\NyeXwdp.exe
  2⤵
  PID:12276
- C:\Windows\System32\LcZMUka.exe
  C:\Windows\System32\LcZMUka.exe
  2⤵
  PID:11284
- C:\Windows\System32\GKIupEx.exe
  C:\Windows\System32\GKIupEx.exe
  2⤵
  PID:11352
- C:\Windows\System32\KuxiuHD.exe
  C:\Windows\System32\KuxiuHD.exe
  2⤵
  PID:11444
- C:\Windows\System32\fkrilKI.exe
  C:\Windows\System32\fkrilKI.exe
  2⤵
  PID:11544
- C:\Windows\System32\pTXqzyj.exe
  C:\Windows\System32\pTXqzyj.exe
  2⤵
  PID:11588
- C:\Windows\System32\AXIQPYz.exe
  C:\Windows\System32\AXIQPYz.exe
  2⤵
  PID:11636
- C:\Windows\System32\cxYEBww.exe
  C:\Windows\System32\cxYEBww.exe
  2⤵
  PID:11716
- C:\Windows\System32\sEteJFX.exe
  C:\Windows\System32\sEteJFX.exe
  2⤵
  PID:11744
- C:\Windows\System32\dEPkwIx.exe
  C:\Windows\System32\dEPkwIx.exe
  2⤵
  PID:11740
- C:\Windows\System32\huvFVor.exe
  C:\Windows\System32\huvFVor.exe
  2⤵
  PID:11920
- C:\Windows\System32\foKYWKb.exe
  C:\Windows\System32\foKYWKb.exe
  2⤵
  PID:11956
- C:\Windows\System32\qbIMNVn.exe
  C:\Windows\System32\qbIMNVn.exe
  2⤵
  PID:12008
- C:\Windows\System32\VkNweTG.exe
  C:\Windows\System32\VkNweTG.exe
  2⤵
  PID:12080
- C:\Windows\System32\ZPOFcqQ.exe
  C:\Windows\System32\ZPOFcqQ.exe
  2⤵
  PID:12156
- C:\Windows\System32\NUwjkIi.exe
  C:\Windows\System32\NUwjkIi.exe
  2⤵
  PID:12196
- C:\Windows\System32\YdXJXfZ.exe
  C:\Windows\System32\YdXJXfZ.exe
  2⤵
  PID:11316
- C:\Windows\System32\XcBhVWF.exe
  C:\Windows\System32\XcBhVWF.exe
  2⤵
  PID:11484
- C:\Windows\System32\PTwfNfe.exe
  C:\Windows\System32\PTwfNfe.exe
  2⤵
  PID:11572
- C:\Windows\System32\vXXZkwg.exe
  C:\Windows\System32\vXXZkwg.exe
  2⤵
  PID:11620
- C:\Windows\System32\MjlFkZG.exe
  C:\Windows\System32\MjlFkZG.exe
  2⤵
  PID:5016
- C:\Windows\System32\PzsWEfl.exe
  C:\Windows\System32\PzsWEfl.exe
  2⤵
  PID:11784
- C:\Windows\System32\cwztczg.exe
  C:\Windows\System32\cwztczg.exe
  2⤵
  PID:11884
- C:\Windows\System32\kraxZGH.exe
  C:\Windows\System32\kraxZGH.exe
  2⤵
  PID:12032
- C:\Windows\System32\DCGTxuS.exe
  C:\Windows\System32\DCGTxuS.exe
  2⤵
  PID:12104
- C:\Windows\System32\fdUlyrk.exe
  C:\Windows\System32\fdUlyrk.exe
  2⤵
  PID:11564
- C:\Windows\System32\SksDfZy.exe
  C:\Windows\System32\SksDfZy.exe
  2⤵
  PID:11880
- C:\Windows\System32\ummhVCE.exe
  C:\Windows\System32\ummhVCE.exe
  2⤵
  PID:11924
- C:\Windows\System32\KpEjoFF.exe
  C:\Windows\System32\KpEjoFF.exe
  2⤵
  PID:11944
- C:\Windows\System32\SvmGKLj.exe
  C:\Windows\System32\SvmGKLj.exe
  2⤵
  PID:12296
- C:\Windows\System32\iOTCqOg.exe
  C:\Windows\System32\iOTCqOg.exe
  2⤵
  PID:12316
- C:\Windows\System32\oMhEwRV.exe
  C:\Windows\System32\oMhEwRV.exe
  2⤵
  PID:12352
- C:\Windows\System32\IpkvLQa.exe
  C:\Windows\System32\IpkvLQa.exe
  2⤵
  PID:12376
- C:\Windows\System32\jDrWbQb.exe
  C:\Windows\System32\jDrWbQb.exe
  2⤵
  PID:12396
- C:\Windows\System32\InSORSt.exe
  C:\Windows\System32\InSORSt.exe
  2⤵
  PID:12432
- C:\Windows\System32\TiByGZz.exe
  C:\Windows\System32\TiByGZz.exe
  2⤵
  PID:12464
- C:\Windows\System32\GHiNHVm.exe
  C:\Windows\System32\GHiNHVm.exe
  2⤵
  PID:12480
- C:\Windows\System32\BWMtwBZ.exe
  C:\Windows\System32\BWMtwBZ.exe
  2⤵
  PID:12508
- C:\Windows\System32\SmKmDCv.exe
  C:\Windows\System32\SmKmDCv.exe
  2⤵
  PID:12524
- C:\Windows\System32\gbiISjk.exe
  C:\Windows\System32\gbiISjk.exe
  2⤵
  PID:12552
- C:\Windows\System32\FSYbsvw.exe
  C:\Windows\System32\FSYbsvw.exe
  2⤵
  PID:12592
- C:\Windows\System32\CteNOyQ.exe
  C:\Windows\System32\CteNOyQ.exe
  2⤵
  PID:12612
- C:\Windows\System32\wbNweMF.exe
  C:\Windows\System32\wbNweMF.exe
  2⤵
  PID:12632
- C:\Windows\System32\oTCnfOr.exe
  C:\Windows\System32\oTCnfOr.exe
  2⤵
  PID:12668
- C:\Windows\System32\uBGHVfZ.exe
  C:\Windows\System32\uBGHVfZ.exe
  2⤵
  PID:12704
- C:\Windows\System32\AGffWea.exe
  C:\Windows\System32\AGffWea.exe
  2⤵
  PID:12724
- C:\Windows\System32\oWHyQwC.exe
  C:\Windows\System32\oWHyQwC.exe
  2⤵
  PID:12772
- C:\Windows\System32\xnqlFCn.exe
  C:\Windows\System32\xnqlFCn.exe
  2⤵
  PID:12804
- C:\Windows\System32\paAzZkv.exe
  C:\Windows\System32\paAzZkv.exe
  2⤵
  PID:12824
- C:\Windows\System32\mKpCgmB.exe
  C:\Windows\System32\mKpCgmB.exe
  2⤵
  PID:12840
- C:\Windows\System32\GmWHsoN.exe
  C:\Windows\System32\GmWHsoN.exe
  2⤵
  PID:12864
- C:\Windows\System32\uHBUTxC.exe
  C:\Windows\System32\uHBUTxC.exe
  2⤵
  PID:12916
- C:\Windows\System32\cxHrQeC.exe
  C:\Windows\System32\cxHrQeC.exe
  2⤵
  PID:12936
- C:\Windows\System32\ZSVHvzp.exe
  C:\Windows\System32\ZSVHvzp.exe
  2⤵
  PID:12960
- C:\Windows\System32\XpXdHYB.exe
  C:\Windows\System32\XpXdHYB.exe
  2⤵
  PID:12976
- C:\Windows\System32\rvJeWIQ.exe
  C:\Windows\System32\rvJeWIQ.exe
  2⤵
  PID:13004
- C:\Windows\System32\xbNbzKP.exe
  C:\Windows\System32\xbNbzKP.exe
  2⤵
  PID:13044
- C:\Windows\System32\ANgcuIa.exe
  C:\Windows\System32\ANgcuIa.exe
  2⤵
  PID:13060
- C:\Windows\System32\jKjiVYU.exe
  C:\Windows\System32\jKjiVYU.exe
  2⤵
  PID:13080
- C:\Windows\System32\RLAluQm.exe
  C:\Windows\System32\RLAluQm.exe
  2⤵
  PID:13116
- C:\Windows\System32\HnZIaUW.exe
  C:\Windows\System32\HnZIaUW.exe
  2⤵
  PID:13156
- C:\Windows\System32\WigIQcV.exe
  C:\Windows\System32\WigIQcV.exe
  2⤵
  PID:13188
- C:\Windows\System32\vIVWBDD.exe
  C:\Windows\System32\vIVWBDD.exe
  2⤵
  PID:13208
- C:\Windows\System32\dWfSsKB.exe
  C:\Windows\System32\dWfSsKB.exe
  2⤵
  PID:13244
- C:\Windows\System32\oGrTaNK.exe
  C:\Windows\System32\oGrTaNK.exe
  2⤵
  PID:13268
- C:\Windows\System32\gbNsBms.exe
  C:\Windows\System32\gbNsBms.exe
  2⤵
  PID:13308
- C:\Windows\System32\pEjlKif.exe
  C:\Windows\System32\pEjlKif.exe
  2⤵
  PID:12308
- C:\Windows\System32\xSNEEKP.exe
  C:\Windows\System32\xSNEEKP.exe
  2⤵
  PID:12340
- C:\Windows\System32\kYPAesh.exe
  C:\Windows\System32\kYPAesh.exe
  2⤵
  PID:12364
- C:\Windows\System32\vVLOoUG.exe
  C:\Windows\System32\vVLOoUG.exe
  2⤵
  PID:12472
- C:\Windows\System32\CMEClAw.exe
  C:\Windows\System32\CMEClAw.exe
  2⤵
  PID:12516
- C:\Windows\System32\fusFRja.exe
  C:\Windows\System32\fusFRja.exe
  2⤵
  PID:12640
- C:\Windows\System32\EKORpve.exe
  C:\Windows\System32\EKORpve.exe
  2⤵
  PID:12680
- C:\Windows\System32\LOtdmBK.exe
  C:\Windows\System32\LOtdmBK.exe
  2⤵
  PID:12712
- C:\Windows\System32\rnphLJH.exe
  C:\Windows\System32\rnphLJH.exe
  2⤵
  PID:12796
- C:\Windows\System32\xzTiJUL.exe
  C:\Windows\System32\xzTiJUL.exe
  2⤵
  PID:12816
- C:\Windows\System32\ZnLuCjW.exe
  C:\Windows\System32\ZnLuCjW.exe
  2⤵
  PID:12896
- C:\Windows\System32\EJWARdK.exe
  C:\Windows\System32\EJWARdK.exe
  2⤵
  PID:12952
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 12952 -s 244
    3⤵
    PID:4332
- C:\Windows\System32\NmGhJcR.exe
  C:\Windows\System32\NmGhJcR.exe
  2⤵
  PID:13040
- C:\Windows\System32\MhkwdIk.exe
  C:\Windows\System32\MhkwdIk.exe
  2⤵
  PID:13052

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\CLuNMSK.exe

Filesize
1.2MB

MD5
0adf457e30e9783805b7771770c96eb0

SHA1
790afe6a03d06896f87a62770a191da91b926628

SHA256
ca89fec30b254f9e7e8337b24f1a27be7e3b5a6541f8953afbbb610893c21adb

SHA512
d003e004aac1c90f5b97ec3d51d281cc648b21a92b529be225fd91a85d211e5d9253206dc8935460104eaf66bed51517616db4da51abac286b944e2bac21c537

Download Submit
C:\Windows\System32\EDZdrUe.exe

Filesize
1.2MB

MD5
8b283ea9bd0ed94cfbcada34da84cea6

SHA1
9699f0d5e113f62759a0242414247fd3740e393d

SHA256
c2881cc70123dd6cc3f66ebe731f83abcf7ae9fbbe733e35bb2564e83a962c71

SHA512
6ecd2b0943a43f1c24a6f22da3aab8de8c08dab1a991ad0560d8faf24be2be25ab3da041e3de905ae954b1dea41286383ac0b30c07bc706f922dfcb428a6f26f

Download Submit
C:\Windows\System32\FMhzzZQ.exe

Filesize
1.2MB

MD5
829b02506ab4d18e42f1c617154a64eb

SHA1
3c69f42f48a928f7ff33b76ad78f78a7c3daf570

SHA256
effe672f42bbc2a0032fb93a9bd76db68389f237c7865a9f65fc117c0de773f8

SHA512
dc36b079a25456b1ff197d902157270b90bced2906af55874f6c9a72a410953bf27d2de821232ed854f50dea8733937b68afcbd6e0f65c71f6e469ca11b007d9

Download Submit
C:\Windows\System32\FScmyrV.exe

Filesize
1.2MB

MD5
4a6f62cac5b1058eaa9fc783d445901b

SHA1
89fc5a9fd0a36f82ea3e9226f7fb3ae7f524e11e

SHA256
10fe8b1fdd27c0c6bd5191659489289d2d3531a945fa3041b6d91c7e1fcf225e

SHA512
2e1d125439c56379f969871845cd07b08260a80ff61abc4733e2aa30ce3ca1d6496e911a3e54cd9ae9763d7ec3b059e9fb9947c89f6e81435000bd7f9751aa41

Download Submit
C:\Windows\System32\GIdwkay.exe

Filesize
1.2MB

MD5
1cef048bf4e078e2067941f20ffd2f48

SHA1
f091da093aa92b3c12a9faf4aa38c3a8b519289f

SHA256
2e72247ab3f25ea2ac5ae588680ffbbb60a12c04904e20bd8f77b22c930f7412

SHA512
102ff39b2ad1f640f22f45fcada593e825474b5b3f6ae77df02fa49cac3c237a2bfe163febffa7a5f897ac0840def02669e2717177f64c21f763ee50bdd72cc1

Download Submit
C:\Windows\System32\GLMGEGH.exe

Filesize
1.2MB

MD5
4e2ea3d640d827f0b856a786cb2681d5

SHA1
792fe40f0de8550251a5c3fcef37c764cff78c2b

SHA256
557e89da2935dfdd6403e300a0c66c571daa23ebc88e3836a4cb15ca3984018c

SHA512
e369030db6feb8795903c31fdff58b12a0b79dfc248aa78b431daa047922e9ae686f339457245aacbeff0e79624ad0bda846c65652d0cead3d42d2a79962d734

Download Submit
C:\Windows\System32\HITjrMO.exe

Filesize
1.2MB

MD5
37779aa5115c4723b3813d3a572af719

SHA1
c0a7b9a69a99eaef4e98154f59cad378925402a8

SHA256
7306031328642b6dc1d0ada901e2022fd746a46ec7ba3ab72a72885f9cc5e687

SHA512
abbfebe98565b0166f2ffd03cc97d4b20345d4bd1286b5ee8479400b58dc70c286a4845ee3ec2575fc54dee1c23d8b2c837558aa328d1fd5df5963d1ee63d4b0

Download Submit
C:\Windows\System32\JcfpGQh.exe

Filesize
1.2MB

MD5
c983868d4974ccf8200a7b147370ba6c

SHA1
6bbdc82d73d2e1cc1c8bf93f88b949152f3f28fa

SHA256
bd73bef491c0b41a6c3b91fc47e18a08dc8a9ffcd749ee5d00b3cb6b1e98c285

SHA512
ca1be7a36adffb59d06261bdd826f06ce9a47b983c266e351a3aba9b5ccbf43120f15bdf36ca7337febae57a12097f6b52084eed042017646d72a6ebef5aecd9

Download Submit
C:\Windows\System32\MfBwpIa.exe

Filesize
1.2MB

MD5
bd82a7c0b29eeb6e9ee5219822ebaa9f

SHA1
71f73507cf0985d384aedc466ce7f61f2f2e51e4

SHA256
002a6a9fd9c0cb38384073b959cfb8b68ecd44619fbc52b6673326e43a052f21

SHA512
c334b52d2dbfbda80c1c66f18b7547c1bbe161b351bb3cbdf976c9cfde7b299c6fe2fb6d53c69bfd92b9ce1eead0d967c5c8c28418bedf9bb7435d0f1d38bd38

Download Submit
C:\Windows\System32\NKFHcWN.exe

Filesize
1.2MB

MD5
b1920b83154d1f78ff4df41065166774

SHA1
38fa074ddb5aeb90fe2b8c6ac43ac6c6705c54c0

SHA256
243155db5576854ff1dfc86e399cd22e24dd72ce473ee889f0a54341f1747819

SHA512
af41a73b346772d5a906ba257043ccbf7b22c643763f3497dbfff5c9ee4cbf947e09831d9f95be953d1f8765dad8f16c14130e20aba06c107e207cdeddab6fa4

Download Submit
C:\Windows\System32\OUrsgaZ.exe

Filesize
1.2MB

MD5
525cf4b8517afb8b98add1ba8360734a

SHA1
95818ac0440994e29a8efcc2abcec9d47472a2eb

SHA256
5e6798caefe1352df242483ddad3c8276d5eeef1ceaf74dac7601bf5d90f9143

SHA512
2d9a30e8c98c76152ca066ebbb2b649c164da9481a718567c8009848d07f6b9b3b6ee591e78eadd300444456e244f43b5d08f4e652d2bc7b9ce735c570e8160e

Download Submit
C:\Windows\System32\RFFsByB.exe

Filesize
1.2MB

MD5
a22dc4b37642ad16bce6fad0070d67c7

SHA1
44ed14373be6c6a525a6b6988b829b07ed20a3b3

SHA256
638d6d1a686bda2861362ebf79500d4d7531df58ac24d6ecee29cf2991374213

SHA512
f9053124f72c0ab4bb986e97793f008cf3f5411d414747667e11c5e63d25d9b7c12817102b60427f7448f5fa63088e863370df2039d50ec295d99491e5711fc5

Download Submit
C:\Windows\System32\SrvuGkW.exe

Filesize
1.2MB

MD5
2a537180e0b4edf22bc6e950cd2c11bd

SHA1
b744fe38adc459a97e405ae734950ba5a9c8d4ed

SHA256
57c47fda45da639181665050781fae06e145a43e26e7d243e015e07d894a975e

SHA512
19c52d3ffe96776b18cf64f348fdbb8a159f571a5b0a8aaba330423ddb5c28756778a74bf8102cdfe576beb402108505b9ff7f3845e0c7a050087237afdba272

Download Submit
C:\Windows\System32\YeUDpDV.exe

Filesize
1.2MB

MD5
2dcef52cd7802da8320c4560f94e80f4

SHA1
b37eb1b1c26b6b4f5cdf79c03399b0c1e905ea88

SHA256
f7a4cfb89ffcba3133d19f5ce5e549e2ba7b76737afd6ee380e1b0d31330c34a

SHA512
139e99fcb6bc0948e34afea9645dd8be6cf005e20d30a3f0c8306d0cd53ca748df5d5eb05817f5e63fdcd89cc3bf1ab0ecc5a09d60a36f821f8cac0eadef8579

Download Submit
C:\Windows\System32\YgWFAsk.exe

Filesize
1.2MB

MD5
aa89ff136da250be72836429c94937de

SHA1
92764ce9ca52c1d2bdc31a8708f4c798aab84ee1

SHA256
1f815eee843c263bbafcb00a45287bae66f6f22dccc7e45740f96c5655c3799a

SHA512
31dfb1d8f76685eeb9ddbd16c5f0482041dea11de9acbd10adad619d23c11d3423aa0cc4d2d555c575863162153478a5cc1d61f4327df7f066139bc9239568b2

Download Submit
C:\Windows\System32\ZvYSfVn.exe

Filesize
1.2MB

MD5
9aaf9aa6d46fd35ba3a7b11d79233ce8

SHA1
08dfaea8d20e29b3b5beb74f2fc909a28cdf3be8

SHA256
18535c2523388f1697222204f14f4e3081e8832aba7a6374b0a226be2c69c53e

SHA512
8d2d0b28619f7a1b235c0c9aa4699f1b04f3fe4c31de478e457fb9d29851fa6aba8bb7ad25921cdec131173612d2ba91eb9ae8ff7eca175b6beb10b899d82b19

Download Submit
C:\Windows\System32\cmddQPD.exe

Filesize
1.2MB

MD5
549361322368409d4138bbe9dfa7ce15

SHA1
34986ac9eaac65485f1107dc563bae4003e1d64f

SHA256
5a4eea2523ed38c0247bba2a9450ad2941ec6cd3687b6cd2130a2f845ee99ccc

SHA512
d0f2e71318a693a1b603547565a9e8dfce38a94a90aba8338ccba1a0f7821c60b27ce879e8c342d3d0cb1a0cb3310d2216e9561eb09b5ca9551a713c49064406

Download Submit
C:\Windows\System32\dIcECmW.exe

Filesize
1.2MB

MD5
befdfeb7e61a5211f9d849dea4329691

SHA1
adabde307b8c1067feb4e7c6922f9838f476ce2e

SHA256
92d7249c63b46de4d46b4c9979d9f2a429dcf8c77ff32b6a4e6d236b6feba391

SHA512
e25c5d9f70ebcef3a6943f07f8513529c7f864af8590d9c755fb2d6081d892b926651aef03dd6cd9fed3ad37080f5e2fa95a2c2e2130de661586404ae4686d48

Download Submit
C:\Windows\System32\eLxpBrd.exe

Filesize
1.2MB

MD5
d6a33cb2142bd35f2420e0cbead7b2a7

SHA1
2ed5c05d5be2933aa583bf64dd992e5f370b8dc1

SHA256
f64e3c306688d7775562b825edaf487baf4ee04ec70edce78d64aed9c7edaade

SHA512
a2c75f8677088123bb738cc77dd0e47510954cf564b56e088fe321a8bd9e5c8ebd3873d66a7502dda2458f6ad36f9698f181d616186a4d6ae12ff50c6350af3c

Download Submit
C:\Windows\System32\hgaUaiE.exe

Filesize
1.2MB

MD5
40986e1ce3473bcbe83958d6336e91b8

SHA1
93b6748bf95f99564900466babf7ee1fabda7123

SHA256
dd3e9c9960fe1ec4608208377782765f764f31ca6670c8078eeb3fc3b0ebf79e

SHA512
08bd397c47ca90d942fb729b3fde7906f693a10a4f83d39dba5d80f8cfa7c6f93fafd8176b9ec6e8f103d42bc2a78c241a71d36b3d646d7c63c900cf35f02c30

Download Submit
C:\Windows\System32\joVZdzO.exe

Filesize
1.2MB

MD5
aba34d2245562e37cfe41b08a0097d8b

SHA1
430a8ebaa1c400d86b7713fbb6e4f05b7933f360

SHA256
2898955265dbea7708f6f7e9a0460bd1d08699f8488072542cdfb167842e5d6b

SHA512
5033f2abd51893a17b3f54dabbe5eb010b6d8fab42123b978f7b50e1d23d6e59e4acfdf0830676a45335b28e65ba317734610d701717d7a85d4e298908da313a

Download Submit
C:\Windows\System32\lXLQZyT.exe

Filesize
1.2MB

MD5
4e403ad25f2eaa42e24d70204d17222d

SHA1
879062fd17360f50011dad2398cd8014a758b5d6

SHA256
2acb90b2422ed42d2d1a56fa199eb08e2c0a47428aeac9255ebf155c803bdca5

SHA512
5175827e123fb018707dc7f208b4a189d4db13203327c3d5ca847da720fa5ef983341ba148bfc94faa2a661e630134e5edcb9894dfb00b9b0b03dfb7e468d41c

Download Submit
C:\Windows\System32\mRfzVOJ.exe

Filesize
1.2MB

MD5
3d3da27b1f2df03f78638f4142e4675c

SHA1
0819d21efc1f7b0c59454d0ecb7e424619bb266d

SHA256
3c7154a38a5be531cf8c33264518c8f927bd032fcd48ec747060345605c65b9f

SHA512
d6bf45fa3e77be442decfd678a67f5badb62a8f710e7ab9c28757c1e31efb31453515b01c19748367a3be195088b62cba5baf1b196aee73b927440635be6924e

Download Submit
C:\Windows\System32\nXUhKTR.exe

Filesize
1.2MB

MD5
c2bf8bdc268de1ce66d10eb4e7b269bf

SHA1
621a6309b42df94564aa730e434fe609fb3e7913

SHA256
e669163f5add9b0bff6f22fc4e572221c3f5fc821bd265371c1fc523caeb0bec

SHA512
ac43a3d69ae72b89ae5b54b8ab51236434a43d63335783be30cfc1770e7b8660e7c043597a0046d5c49b596ddafcf6d72bdc563c340cb2f3f4d14e456308f5e1

Download Submit
C:\Windows\System32\pMVAoOX.exe

Filesize
1.2MB

MD5
e5af9b74efe596a61af3e25d07369664

SHA1
c2327b6956dc063a84ece67c6546924177591e60

SHA256
47a225c44e8803ea7c9c6e1a2eeffd3375334ecdb741262e1242dad945658e0c

SHA512
14e729c1c4359c1ac7767543d7a0dd471a7b74ef834abcc7ebc44508244bfae3ef52707a088ad8876ae98a8028be0528a96fe65ec55aa1fe4cb77fed1179f056

Download Submit
C:\Windows\System32\paLUJEl.exe

Filesize
1.2MB

MD5
3323808ae290d8f83dc598a5d9250e57

SHA1
b520fb431de4635cdfed6dce38063e24eff0c880

SHA256
c6e4e231774187d7dd0b19ced35a986cdb276e41be9507d3b21914328f7342c1

SHA512
8843e7f6445ad00c7101a5dd64d36ba36fc584524cd6d1c3dfde1aee6ee69511c071a4fa88c1c5d041ce83cad2661441a266df1d547f2ddcd32637d754918843

Download Submit
C:\Windows\System32\rBonEEE.exe

Filesize
1.2MB

MD5
1441526a824cd8787ade7d4dd76c3f2a

SHA1
d6984ab201dba42e0f5d4daf0b6ec028546bc172

SHA256
7fd5d519e279a06c4082220d7c9999eebb0c459cfd0758b67fe4ab2d40ffa6ff

SHA512
f9fc56693e9b44089cf9c9dc1a1089e78923a0b88eb00c81dda37b2867ca0236f23129ee55f5cf790d1d69c93e45a3f964788973652d35093d49030a07d8e45d

Download Submit
C:\Windows\System32\szJCfDx.exe

Filesize
1.2MB

MD5
24776fd3ffbd42ed59b05125400b99bd

SHA1
198f97f028d3bde5828e949ae945cb1811dd38e6

SHA256
bd2c0c2b6a6aefe4ded827348b76a0ffabc0e7a12512db8ea804e3656666cddf

SHA512
dd134ed039367828eaa0f924e57c151e84fec494215c49198ec2254b7de4160ef896729fa48141b9bdeda64615f9a495c72355b138e3cf1171a387ffcfa93f90

Download Submit
C:\Windows\System32\tRCfPlO.exe

Filesize
1.2MB

MD5
d1463216c184dae996f5fde3d732b644

SHA1
1331c90f900ad26b0af7e1d3746b1367178710c2

SHA256
76c030f2e039b5eb13beb7b32ccb33e4860fb00b7d97566ce505daf4c6214746

SHA512
78ad646b49a970c972c7f7595b2d201995946b53c1fe44b1f003ab055eb5613bc4f87138bff8cbc68d1737d984013e761ea55e87bd4e9572199e24ff78855faf

Download Submit
C:\Windows\System32\xqYSWWG.exe

Filesize
1.2MB

MD5
e751f16e870a3cd860165e2b2f732388

SHA1
cafb1d34be302855ca427acc583363ba5c6355db

SHA256
49714864cd7842635616b388a90fe65960f5c4da3d317c84ee907f3fe7d8c24d

SHA512
e0b48981f0dcf31f087c909d85617b71804d1ef476e027df577e43d8948819e412ba8e06e915c42d9f5de03c94a3f347268e7fc53912affd897e4da54b066a77

Download Submit
C:\Windows\System32\yLGtPJJ.exe

Filesize
1.2MB

MD5
56fde6934ac1196c3bf83b9b9bc8e442

SHA1
d7aa917be6fa7e7f74fdfb504b3994452d79bdb8

SHA256
2ab4d61fedb3718aaa4244fbf71e77951b5880b8446e42f1c0e9b2c1725f5051

SHA512
33152bb2912b2a0d082c8d248f22834624bd9502906ded412b7d2a42d5336320358798bd59f115ed628dcd10a8bab8fb978e3725418927e0192fb936bc12e9f0

Download Submit
C:\Windows\System32\ykNnvrl.exe

Filesize
1.2MB

MD5
2758fe6368ee8af1be3c78f9afe47c1e

SHA1
5a3fa2854735a6e93cc6afb6002fc376d8e6889f

SHA256
934f6c3d5fd18d480b515cdb53eaf0f27886d5801a1b184752032755e203d23f

SHA512
ba5d4315ce634e385d81d28f135406260ec87fc92af9308cf4ffb7e231425ca886dd70bd5966d740c71bb0590db0018d0cf9b044d55b3a93b36c5d306d14f465

Download Submit
memory/436-2026-0x00007FF745940000-0x00007FF745D31000-memory.dmp

Filesize
3.9MB

Download
memory/436-401-0x00007FF745940000-0x00007FF745D31000-memory.dmp

Filesize
3.9MB

Download
memory/532-395-0x00007FF6F6010000-0x00007FF6F6401000-memory.dmp

Filesize
3.9MB

Download
memory/532-2022-0x00007FF6F6010000-0x00007FF6F6401000-memory.dmp

Filesize
3.9MB

Download
memory/644-447-0x00007FF7AC940000-0x00007FF7ACD31000-memory.dmp

Filesize
3.9MB

Download
memory/644-2048-0x00007FF7AC940000-0x00007FF7ACD31000-memory.dmp

Filesize
3.9MB

Download
memory/704-394-0x00007FF60C900000-0x00007FF60CCF1000-memory.dmp

Filesize
3.9MB

Download
memory/704-2024-0x00007FF60C900000-0x00007FF60CCF1000-memory.dmp

Filesize
3.9MB

Download
memory/776-2028-0x00007FF729000000-0x00007FF7293F1000-memory.dmp

Filesize
3.9MB

Download
memory/776-410-0x00007FF729000000-0x00007FF7293F1000-memory.dmp

Filesize
3.9MB

Download
memory/1108-0-0x00007FF79C100000-0x00007FF79C4F1000-memory.dmp

Filesize
3.9MB

Download
memory/1108-1-0x00000201B4890000-0x00000201B48A0000-memory.dmp

Filesize
64KB

Download
memory/1480-449-0x00007FF6BE6C0000-0x00007FF6BEAB1000-memory.dmp

Filesize
3.9MB

Download
memory/1480-2044-0x00007FF6BE6C0000-0x00007FF6BEAB1000-memory.dmp

Filesize
3.9MB

Download
memory/1492-416-0x00007FF68F980000-0x00007FF68FD71000-memory.dmp

Filesize
3.9MB

Download
memory/1492-2034-0x00007FF68F980000-0x00007FF68FD71000-memory.dmp

Filesize
3.9MB

Download
memory/1880-1966-0x00007FF7D89E0000-0x00007FF7D8DD1000-memory.dmp

Filesize
3.9MB

Download
memory/1880-16-0x00007FF7D89E0000-0x00007FF7D8DD1000-memory.dmp

Filesize
3.9MB

Download
memory/1880-2012-0x00007FF7D89E0000-0x00007FF7D8DD1000-memory.dmp

Filesize
3.9MB

Download
memory/2036-2046-0x00007FF683420000-0x00007FF683811000-memory.dmp

Filesize
3.9MB

Download
memory/2036-452-0x00007FF683420000-0x00007FF683811000-memory.dmp

Filesize
3.9MB

Download
memory/2544-2014-0x00007FF726310000-0x00007FF726701000-memory.dmp

Filesize
3.9MB

Download
memory/2544-20-0x00007FF726310000-0x00007FF726701000-memory.dmp

Filesize
3.9MB

Download
memory/2544-1967-0x00007FF726310000-0x00007FF726701000-memory.dmp

Filesize
3.9MB

Download
memory/2572-427-0x00007FF672980000-0x00007FF672D71000-memory.dmp

Filesize
3.9MB

Download
memory/2572-2030-0x00007FF672980000-0x00007FF672D71000-memory.dmp

Filesize
3.9MB

Download
memory/2628-440-0x00007FF6250E0000-0x00007FF6254D1000-memory.dmp

Filesize
3.9MB

Download
memory/2628-2042-0x00007FF6250E0000-0x00007FF6254D1000-memory.dmp

Filesize
3.9MB

Download
memory/2864-461-0x00007FF635620000-0x00007FF635A11000-memory.dmp

Filesize
3.9MB

Download
memory/2864-2056-0x00007FF635620000-0x00007FF635A11000-memory.dmp

Filesize
3.9MB

Download
memory/2920-463-0x00007FF633BB0000-0x00007FF633FA1000-memory.dmp

Filesize
3.9MB

Download
memory/2920-2038-0x00007FF633BB0000-0x00007FF633FA1000-memory.dmp

Filesize
3.9MB

Download
memory/2972-2016-0x00007FF650990000-0x00007FF650D81000-memory.dmp

Filesize
3.9MB

Download
memory/2972-32-0x00007FF650990000-0x00007FF650D81000-memory.dmp

Filesize
3.9MB

Download
memory/3572-454-0x00007FF67E530000-0x00007FF67E921000-memory.dmp

Filesize
3.9MB

Download
memory/3572-2054-0x00007FF67E530000-0x00007FF67E921000-memory.dmp

Filesize
3.9MB

Download
memory/3708-38-0x00007FF6C9740000-0x00007FF6C9B31000-memory.dmp

Filesize
3.9MB

Download
memory/3708-2000-0x00007FF6C9740000-0x00007FF6C9B31000-memory.dmp

Filesize
3.9MB

Download
memory/3708-2020-0x00007FF6C9740000-0x00007FF6C9B31000-memory.dmp

Filesize
3.9MB

Download
memory/3828-2050-0x00007FF796B40000-0x00007FF796F31000-memory.dmp

Filesize
3.9MB

Download
memory/3828-434-0x00007FF796B40000-0x00007FF796F31000-memory.dmp

Filesize
3.9MB

Download
memory/4008-2010-0x00007FF78CF50000-0x00007FF78D341000-memory.dmp

Filesize
3.9MB

Download
memory/4008-11-0x00007FF78CF50000-0x00007FF78D341000-memory.dmp

Filesize
3.9MB

Download
memory/4088-2018-0x00007FF63CD10000-0x00007FF63D101000-memory.dmp

Filesize
3.9MB

Download
memory/4088-41-0x00007FF63CD10000-0x00007FF63D101000-memory.dmp

Filesize
3.9MB

Download
memory/4108-430-0x00007FF6FCE20000-0x00007FF6FD211000-memory.dmp

Filesize
3.9MB

Download
memory/4108-2040-0x00007FF6FCE20000-0x00007FF6FD211000-memory.dmp

Filesize
3.9MB

Download
memory/4376-2036-0x00007FF63CF60000-0x00007FF63D351000-memory.dmp

Filesize
3.9MB

Download
memory/4376-423-0x00007FF63CF60000-0x00007FF63D351000-memory.dmp

Filesize
3.9MB

Download
memory/4632-2052-0x00007FF63CA30000-0x00007FF63CE21000-memory.dmp

Filesize
3.9MB

Download
memory/4632-439-0x00007FF63CA30000-0x00007FF63CE21000-memory.dmp

Filesize
3.9MB

Download
memory/4808-2032-0x00007FF763D50000-0x00007FF764141000-memory.dmp

Filesize
3.9MB

Download
memory/4808-407-0x00007FF763D50000-0x00007FF764141000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads