xmrig | 7db88cda262c8395ca9f4a171e4087fdabb4cbb16e217fd53c8f30b1c9532919

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
Size

1.7MB
MD5

21db03efb50a3301aa5b28a56debd7ad
SHA1

dc9e3dbe12f092849dca79a82d89a8b9b52f4ec5
SHA256

7db88cda262c8395ca9f4a171e4087fdabb4cbb16e217fd53c8f30b1c9532919
SHA512

2e065d558b3c4847153a7ff932513a5c0685556c9126f4b23ea6a6fa7b35494083e9eaed1a9c51e50734856da4294394b4c875631e8377b482616da2db89ded6
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO9C1MKTbcMfHhGjw2Do+BRrCfULGf/:knw9oUUEEDlGUjc2HhG82Di9f/

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4012-413-0x00007FF71D330000-0x00007FF71D721000-memory.dmp	xmrig
behavioral2/memory/4472-19-0x00007FF770210000-0x00007FF770601000-memory.dmp	xmrig
behavioral2/memory/432-414-0x00007FF669A90000-0x00007FF669E81000-memory.dmp	xmrig
behavioral2/memory/3916-416-0x00007FF76AEC0000-0x00007FF76B2B1000-memory.dmp	xmrig
behavioral2/memory/3236-415-0x00007FF730F30000-0x00007FF731321000-memory.dmp	xmrig
behavioral2/memory/4412-417-0x00007FF65AC50000-0x00007FF65B041000-memory.dmp	xmrig
behavioral2/memory/3096-418-0x00007FF61AFD0000-0x00007FF61B3C1000-memory.dmp	xmrig
behavioral2/memory/3652-419-0x00007FF6129C0000-0x00007FF612DB1000-memory.dmp	xmrig
behavioral2/memory/4896-420-0x00007FF794CC0000-0x00007FF7950B1000-memory.dmp	xmrig
behavioral2/memory/4216-421-0x00007FF796D00000-0x00007FF7970F1000-memory.dmp	xmrig
behavioral2/memory/3320-422-0x00007FF6709E0000-0x00007FF670DD1000-memory.dmp	xmrig
behavioral2/memory/4108-423-0x00007FF77D990000-0x00007FF77DD81000-memory.dmp	xmrig
behavioral2/memory/2304-424-0x00007FF716100000-0x00007FF7164F1000-memory.dmp	xmrig
behavioral2/memory/4460-433-0x00007FF7766A0000-0x00007FF776A91000-memory.dmp	xmrig
behavioral2/memory/2780-441-0x00007FF781C80000-0x00007FF782071000-memory.dmp	xmrig
behavioral2/memory/4748-450-0x00007FF713A50000-0x00007FF713E41000-memory.dmp	xmrig
behavioral2/memory/1452-454-0x00007FF750610000-0x00007FF750A01000-memory.dmp	xmrig
behavioral2/memory/2940-457-0x00007FF661220000-0x00007FF661611000-memory.dmp	xmrig
behavioral2/memory/3216-459-0x00007FF79C7B0000-0x00007FF79CBA1000-memory.dmp	xmrig
behavioral2/memory/856-449-0x00007FF6E16F0000-0x00007FF6E1AE1000-memory.dmp	xmrig
behavioral2/memory/5108-1948-0x00007FF6EDEF0000-0x00007FF6EE2E1000-memory.dmp	xmrig
behavioral2/memory/2764-1981-0x00007FF767E70000-0x00007FF768261000-memory.dmp	xmrig
behavioral2/memory/3528-1982-0x00007FF678BA0000-0x00007FF678F91000-memory.dmp	xmrig
behavioral2/memory/3392-1983-0x00007FF7310D0000-0x00007FF7314C1000-memory.dmp	xmrig
behavioral2/memory/4876-1989-0x00007FF71A140000-0x00007FF71A531000-memory.dmp	xmrig
behavioral2/memory/4472-1991-0x00007FF770210000-0x00007FF770601000-memory.dmp	xmrig
behavioral2/memory/3392-1997-0x00007FF7310D0000-0x00007FF7314C1000-memory.dmp	xmrig
behavioral2/memory/2764-1995-0x00007FF767E70000-0x00007FF768261000-memory.dmp	xmrig
behavioral2/memory/3528-1993-0x00007FF678BA0000-0x00007FF678F91000-memory.dmp	xmrig
behavioral2/memory/3236-2003-0x00007FF730F30000-0x00007FF731321000-memory.dmp	xmrig
behavioral2/memory/4412-2009-0x00007FF65AC50000-0x00007FF65B041000-memory.dmp	xmrig
behavioral2/memory/4216-2015-0x00007FF796D00000-0x00007FF7970F1000-memory.dmp	xmrig
behavioral2/memory/4896-2013-0x00007FF794CC0000-0x00007FF7950B1000-memory.dmp	xmrig
behavioral2/memory/3652-2011-0x00007FF6129C0000-0x00007FF612DB1000-memory.dmp	xmrig
behavioral2/memory/3096-2007-0x00007FF61AFD0000-0x00007FF61B3C1000-memory.dmp	xmrig
behavioral2/memory/3916-2005-0x00007FF76AEC0000-0x00007FF76B2B1000-memory.dmp	xmrig
behavioral2/memory/432-2001-0x00007FF669A90000-0x00007FF669E81000-memory.dmp	xmrig
behavioral2/memory/4012-1999-0x00007FF71D330000-0x00007FF71D721000-memory.dmp	xmrig
behavioral2/memory/856-2045-0x00007FF6E16F0000-0x00007FF6E1AE1000-memory.dmp	xmrig
behavioral2/memory/2940-2041-0x00007FF661220000-0x00007FF661611000-memory.dmp	xmrig
behavioral2/memory/1452-2039-0x00007FF750610000-0x00007FF750A01000-memory.dmp	xmrig
behavioral2/memory/3216-2036-0x00007FF79C7B0000-0x00007FF79CBA1000-memory.dmp	xmrig
behavioral2/memory/2780-2043-0x00007FF781C80000-0x00007FF782071000-memory.dmp	xmrig
behavioral2/memory/4748-2021-0x00007FF713A50000-0x00007FF713E41000-memory.dmp	xmrig
behavioral2/memory/2304-2029-0x00007FF716100000-0x00007FF7164F1000-memory.dmp	xmrig
behavioral2/memory/4108-2019-0x00007FF77D990000-0x00007FF77DD81000-memory.dmp	xmrig
behavioral2/memory/3320-2017-0x00007FF6709E0000-0x00007FF670DD1000-memory.dmp	xmrig
behavioral2/memory/4460-2064-0x00007FF7766A0000-0x00007FF776A91000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4876	NWtDKVV.exe
4472	kQVcxjz.exe
2764	mDDpcGk.exe
3528	oizQcIS.exe
3392	PvTnTGQ.exe
4012	pEwbLhM.exe
432	gksgNHT.exe
3236	eNfPinN.exe
3916	WWmWzXq.exe
4412	mjeriPZ.exe
3096	BGRpXUl.exe
3652	tPbulxX.exe
4896	vdlHrfg.exe
4216	tdxhfxU.exe
3320	vJPclDi.exe
4108	Cccbzgv.exe
2304	DKzUoXY.exe
4460	NuDcCQL.exe
2780	UchKOwJ.exe
856	gJnVGET.exe
4748	qzAPrxt.exe
1452	suDxmrq.exe
2940	dRTGvsn.exe
3216	vRhxYdN.exe
4816	vllvmWH.exe
4684	tOmrPIA.exe
5056	JeWFUjB.exe
1036	XhMJIJY.exe
3704	ZaSVTGU.exe
1436	BOMKFwc.exe
2176	EyVHhry.exe
4428	lfBdYiN.exe
1340	koFhzGW.exe
4804	QQgJzWK.exe
4652	WYNyLMJ.exe
2284	agrxnQe.exe
1568	UZHXyww.exe
4288	FdBJiUb.exe
4372	mxfyNDT.exe
5008	vebKGEu.exe
212	PHplpQw.exe
1496	rzqIklj.exe
4668	HFGGzvP.exe
4348	KCNJKMK.exe
3412	BZKUNHf.exe
396	vaQnAFv.exe
860	cSTXxhQ.exe
4336	PTnEkOD.exe
1960	GhAjUDM.exe
400	cpFfGUh.exe
4844	MNCCtNf.exe
2408	jdVAcZD.exe
2396	DyWDgrH.exe
1560	EIYEhdT.exe
2020	LVjQSam.exe
3596	LNrvnTi.exe
548	ioTFZGd.exe
1528	TySPJQr.exe
3604	AkTZIdF.exe
3268	FpRyunz.exe
3004	CStcqPW.exe
3176	XTtUKyp.exe
2800	pgqTkdy.exe
2384	wHtJvfw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5108-0-0x00007FF6EDEF0000-0x00007FF6EE2E1000-memory.dmp	upx
behavioral2/files/0x000c000000023b48-5.dat	upx
behavioral2/files/0x000a000000023ba6-7.dat	upx
behavioral2/memory/4876-15-0x00007FF71A140000-0x00007FF71A531000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-27.dat	upx
behavioral2/files/0x000a000000023bab-46.dat	upx
behavioral2/files/0x000a000000023bac-51.dat	upx
behavioral2/files/0x000a000000023baf-66.dat	upx
behavioral2/files/0x000a000000023bb0-71.dat	upx
behavioral2/files/0x0031000000023bb5-96.dat	upx
behavioral2/files/0x000a000000023bb8-111.dat	upx
behavioral2/files/0x000a000000023bba-121.dat	upx
behavioral2/files/0x000a000000023bbf-144.dat	upx
behavioral2/memory/4012-413-0x00007FF71D330000-0x00007FF71D721000-memory.dmp	upx
behavioral2/files/0x000a000000023bc3-166.dat	upx
behavioral2/files/0x000a000000023bc2-161.dat	upx
behavioral2/files/0x000a000000023bc1-156.dat	upx
behavioral2/files/0x000a000000023bc0-151.dat	upx
behavioral2/files/0x000a000000023bbe-141.dat	upx
behavioral2/files/0x000a000000023bbd-136.dat	upx
behavioral2/files/0x000a000000023bbc-131.dat	upx
behavioral2/files/0x000a000000023bbb-126.dat	upx
behavioral2/files/0x000a000000023bb9-116.dat	upx
behavioral2/files/0x0031000000023bb7-106.dat	upx
behavioral2/files/0x0031000000023bb6-101.dat	upx
behavioral2/files/0x000a000000023bb4-91.dat	upx
behavioral2/files/0x000a000000023bb3-86.dat	upx
behavioral2/files/0x000a000000023bb2-81.dat	upx
behavioral2/files/0x000a000000023bb1-76.dat	upx
behavioral2/files/0x000a000000023bae-61.dat	upx
behavioral2/files/0x000a000000023bad-56.dat	upx
behavioral2/files/0x000a000000023baa-41.dat	upx
behavioral2/files/0x000a000000023ba9-36.dat	upx
behavioral2/files/0x000a000000023ba8-31.dat	upx
behavioral2/memory/3392-30-0x00007FF7310D0000-0x00007FF7314C1000-memory.dmp	upx
behavioral2/memory/3528-29-0x00007FF678BA0000-0x00007FF678F91000-memory.dmp	upx
behavioral2/memory/2764-20-0x00007FF767E70000-0x00007FF768261000-memory.dmp	upx
behavioral2/memory/4472-19-0x00007FF770210000-0x00007FF770601000-memory.dmp	upx
behavioral2/files/0x000a000000023ba5-13.dat	upx
behavioral2/memory/432-414-0x00007FF669A90000-0x00007FF669E81000-memory.dmp	upx
behavioral2/memory/3916-416-0x00007FF76AEC0000-0x00007FF76B2B1000-memory.dmp	upx
behavioral2/memory/3236-415-0x00007FF730F30000-0x00007FF731321000-memory.dmp	upx
behavioral2/memory/4412-417-0x00007FF65AC50000-0x00007FF65B041000-memory.dmp	upx
behavioral2/memory/3096-418-0x00007FF61AFD0000-0x00007FF61B3C1000-memory.dmp	upx
behavioral2/memory/3652-419-0x00007FF6129C0000-0x00007FF612DB1000-memory.dmp	upx
behavioral2/memory/4896-420-0x00007FF794CC0000-0x00007FF7950B1000-memory.dmp	upx
behavioral2/memory/4216-421-0x00007FF796D00000-0x00007FF7970F1000-memory.dmp	upx
behavioral2/memory/3320-422-0x00007FF6709E0000-0x00007FF670DD1000-memory.dmp	upx
behavioral2/memory/4108-423-0x00007FF77D990000-0x00007FF77DD81000-memory.dmp	upx
behavioral2/memory/2304-424-0x00007FF716100000-0x00007FF7164F1000-memory.dmp	upx
behavioral2/memory/4460-433-0x00007FF7766A0000-0x00007FF776A91000-memory.dmp	upx
behavioral2/memory/2780-441-0x00007FF781C80000-0x00007FF782071000-memory.dmp	upx
behavioral2/memory/4748-450-0x00007FF713A50000-0x00007FF713E41000-memory.dmp	upx
behavioral2/memory/1452-454-0x00007FF750610000-0x00007FF750A01000-memory.dmp	upx
behavioral2/memory/2940-457-0x00007FF661220000-0x00007FF661611000-memory.dmp	upx
behavioral2/memory/3216-459-0x00007FF79C7B0000-0x00007FF79CBA1000-memory.dmp	upx
behavioral2/memory/856-449-0x00007FF6E16F0000-0x00007FF6E1AE1000-memory.dmp	upx
behavioral2/memory/5108-1948-0x00007FF6EDEF0000-0x00007FF6EE2E1000-memory.dmp	upx
behavioral2/memory/2764-1981-0x00007FF767E70000-0x00007FF768261000-memory.dmp	upx
behavioral2/memory/3528-1982-0x00007FF678BA0000-0x00007FF678F91000-memory.dmp	upx
behavioral2/memory/3392-1983-0x00007FF7310D0000-0x00007FF7314C1000-memory.dmp	upx
behavioral2/memory/4876-1989-0x00007FF71A140000-0x00007FF71A531000-memory.dmp	upx
behavioral2/memory/4472-1991-0x00007FF770210000-0x00007FF770601000-memory.dmp	upx
behavioral2/memory/3392-1997-0x00007FF7310D0000-0x00007FF7314C1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ArNaEug.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\qbMadVE.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\kQVcxjz.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\TFOhDtm.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\KbTuxln.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\FufFcYd.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\PmdgEzg.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\gvGZDOf.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\QGpAgzt.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\RfknaKE.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\ZfOAchz.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\RivwFap.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\tYfjNbM.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\hSOfAfj.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\hczNCcn.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\aQwTybQ.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\YgbOzNL.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\DOiGUtm.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\UchKOwJ.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\mZOkAXa.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\YwDinox.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\eCbhWJj.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\mFDPJGM.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\OrxVZQR.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\mjeriPZ.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\cYbvAZJ.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\rAtfUqC.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\MbnXIhw.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\yaBiZlF.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\TMwQYcz.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\NEaVRCJ.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\jEYLDpX.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\sntOYeX.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\HveyIok.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\ZOkDEjS.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\jRJGMrd.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\MNCCtNf.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\EBCQuUW.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\AgCOFjB.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\ohbazQI.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\JCsSRVh.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\hPBDKLp.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\QLcZWkb.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\DKzUoXY.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\ioTFZGd.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\ULOrUSz.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\IhacMCj.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\BaJOGEJ.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\OWKDKhB.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\IrJYnap.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\vavAPPC.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\HPotRRT.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\pOsjhkV.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\idAwcDm.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\ddnVZvu.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\gffwAaN.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\IZUhVWy.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\SexWUzM.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\FyZudsN.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\tdxhfxU.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\xRXECxH.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\zETxvLa.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\dmBWkCo.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
File created	C:\Windows\System32\zzpcuPL.exe	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2992	dwm.exe
Token: SeChangeNotifyPrivilege	2992	dwm.exe
Token: 33	2992	dwm.exe
Token: SeIncBasePriorityPrivilege	2992	dwm.exe
Token: SeShutdownPrivilege	2992	dwm.exe
Token: SeCreatePagefilePrivilege	2992	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4876	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	86
PID 5108 wrote to memory of 4876	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	86
PID 5108 wrote to memory of 4472	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	87
PID 5108 wrote to memory of 4472	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	87
PID 5108 wrote to memory of 2764	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	88
PID 5108 wrote to memory of 2764	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	88
PID 5108 wrote to memory of 3528	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	89
PID 5108 wrote to memory of 3528	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	89
PID 5108 wrote to memory of 3392	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	90
PID 5108 wrote to memory of 3392	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	90
PID 5108 wrote to memory of 4012	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	91
PID 5108 wrote to memory of 4012	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	91
PID 5108 wrote to memory of 432	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	92
PID 5108 wrote to memory of 432	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	92
PID 5108 wrote to memory of 3236	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	93
PID 5108 wrote to memory of 3236	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	93
PID 5108 wrote to memory of 3916	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	94
PID 5108 wrote to memory of 3916	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	94
PID 5108 wrote to memory of 4412	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	95
PID 5108 wrote to memory of 4412	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	95
PID 5108 wrote to memory of 3096	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	96
PID 5108 wrote to memory of 3096	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	96
PID 5108 wrote to memory of 3652	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	97
PID 5108 wrote to memory of 3652	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	97
PID 5108 wrote to memory of 4896	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	98
PID 5108 wrote to memory of 4896	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	98
PID 5108 wrote to memory of 4216	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	99
PID 5108 wrote to memory of 4216	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	99
PID 5108 wrote to memory of 3320	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	100
PID 5108 wrote to memory of 3320	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	100
PID 5108 wrote to memory of 4108	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	101
PID 5108 wrote to memory of 4108	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	101
PID 5108 wrote to memory of 2304	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	102
PID 5108 wrote to memory of 2304	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	102
PID 5108 wrote to memory of 4460	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	103
PID 5108 wrote to memory of 4460	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	103
PID 5108 wrote to memory of 2780	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	104
PID 5108 wrote to memory of 2780	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	104
PID 5108 wrote to memory of 856	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	105
PID 5108 wrote to memory of 856	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	105
PID 5108 wrote to memory of 4748	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	106
PID 5108 wrote to memory of 4748	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	106
PID 5108 wrote to memory of 1452	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	107
PID 5108 wrote to memory of 1452	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	107
PID 5108 wrote to memory of 2940	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	108
PID 5108 wrote to memory of 2940	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	108
PID 5108 wrote to memory of 3216	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	109
PID 5108 wrote to memory of 3216	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	109
PID 5108 wrote to memory of 4816	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	110
PID 5108 wrote to memory of 4816	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	110
PID 5108 wrote to memory of 4684	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	111
PID 5108 wrote to memory of 4684	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	111
PID 5108 wrote to memory of 5056	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	112
PID 5108 wrote to memory of 5056	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	112
PID 5108 wrote to memory of 1036	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	113
PID 5108 wrote to memory of 1036	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	113
PID 5108 wrote to memory of 3704	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	114
PID 5108 wrote to memory of 3704	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	114
PID 5108 wrote to memory of 1436	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	115
PID 5108 wrote to memory of 1436	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	115
PID 5108 wrote to memory of 2176	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	116
PID 5108 wrote to memory of 2176	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	116
PID 5108 wrote to memory of 4428	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	117
PID 5108 wrote to memory of 4428	5108	21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21db03efb50a3301aa5b28a56debd7ad_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\System32\NWtDKVV.exe
  C:\Windows\System32\NWtDKVV.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System32\kQVcxjz.exe
  C:\Windows\System32\kQVcxjz.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System32\mDDpcGk.exe
  C:\Windows\System32\mDDpcGk.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\oizQcIS.exe
  C:\Windows\System32\oizQcIS.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System32\PvTnTGQ.exe
  C:\Windows\System32\PvTnTGQ.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System32\pEwbLhM.exe
  C:\Windows\System32\pEwbLhM.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System32\gksgNHT.exe
  C:\Windows\System32\gksgNHT.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\eNfPinN.exe
  C:\Windows\System32\eNfPinN.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\WWmWzXq.exe
  C:\Windows\System32\WWmWzXq.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System32\mjeriPZ.exe
  C:\Windows\System32\mjeriPZ.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\BGRpXUl.exe
  C:\Windows\System32\BGRpXUl.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System32\tPbulxX.exe
  C:\Windows\System32\tPbulxX.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\vdlHrfg.exe
  C:\Windows\System32\vdlHrfg.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System32\tdxhfxU.exe
  C:\Windows\System32\tdxhfxU.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System32\vJPclDi.exe
  C:\Windows\System32\vJPclDi.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System32\Cccbzgv.exe
  C:\Windows\System32\Cccbzgv.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\DKzUoXY.exe
  C:\Windows\System32\DKzUoXY.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System32\NuDcCQL.exe
  C:\Windows\System32\NuDcCQL.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\UchKOwJ.exe
  C:\Windows\System32\UchKOwJ.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System32\gJnVGET.exe
  C:\Windows\System32\gJnVGET.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System32\qzAPrxt.exe
  C:\Windows\System32\qzAPrxt.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System32\suDxmrq.exe
  C:\Windows\System32\suDxmrq.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System32\dRTGvsn.exe
  C:\Windows\System32\dRTGvsn.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\vRhxYdN.exe
  C:\Windows\System32\vRhxYdN.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\vllvmWH.exe
  C:\Windows\System32\vllvmWH.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System32\tOmrPIA.exe
  C:\Windows\System32\tOmrPIA.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\JeWFUjB.exe
  C:\Windows\System32\JeWFUjB.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\XhMJIJY.exe
  C:\Windows\System32\XhMJIJY.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System32\ZaSVTGU.exe
  C:\Windows\System32\ZaSVTGU.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\BOMKFwc.exe
  C:\Windows\System32\BOMKFwc.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System32\EyVHhry.exe
  C:\Windows\System32\EyVHhry.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System32\lfBdYiN.exe
  C:\Windows\System32\lfBdYiN.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System32\koFhzGW.exe
  C:\Windows\System32\koFhzGW.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System32\QQgJzWK.exe
  C:\Windows\System32\QQgJzWK.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\WYNyLMJ.exe
  C:\Windows\System32\WYNyLMJ.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\agrxnQe.exe
  C:\Windows\System32\agrxnQe.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System32\UZHXyww.exe
  C:\Windows\System32\UZHXyww.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System32\FdBJiUb.exe
  C:\Windows\System32\FdBJiUb.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\mxfyNDT.exe
  C:\Windows\System32\mxfyNDT.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System32\vebKGEu.exe
  C:\Windows\System32\vebKGEu.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\PHplpQw.exe
  C:\Windows\System32\PHplpQw.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System32\rzqIklj.exe
  C:\Windows\System32\rzqIklj.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System32\HFGGzvP.exe
  C:\Windows\System32\HFGGzvP.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\KCNJKMK.exe
  C:\Windows\System32\KCNJKMK.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\BZKUNHf.exe
  C:\Windows\System32\BZKUNHf.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\vaQnAFv.exe
  C:\Windows\System32\vaQnAFv.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System32\cSTXxhQ.exe
  C:\Windows\System32\cSTXxhQ.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System32\PTnEkOD.exe
  C:\Windows\System32\PTnEkOD.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\GhAjUDM.exe
  C:\Windows\System32\GhAjUDM.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System32\cpFfGUh.exe
  C:\Windows\System32\cpFfGUh.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\MNCCtNf.exe
  C:\Windows\System32\MNCCtNf.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System32\jdVAcZD.exe
  C:\Windows\System32\jdVAcZD.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System32\DyWDgrH.exe
  C:\Windows\System32\DyWDgrH.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\EIYEhdT.exe
  C:\Windows\System32\EIYEhdT.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System32\LVjQSam.exe
  C:\Windows\System32\LVjQSam.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System32\LNrvnTi.exe
  C:\Windows\System32\LNrvnTi.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\ioTFZGd.exe
  C:\Windows\System32\ioTFZGd.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\TySPJQr.exe
  C:\Windows\System32\TySPJQr.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\AkTZIdF.exe
  C:\Windows\System32\AkTZIdF.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System32\FpRyunz.exe
  C:\Windows\System32\FpRyunz.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System32\CStcqPW.exe
  C:\Windows\System32\CStcqPW.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System32\XTtUKyp.exe
  C:\Windows\System32\XTtUKyp.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System32\pgqTkdy.exe
  C:\Windows\System32\pgqTkdy.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\wHtJvfw.exe
  C:\Windows\System32\wHtJvfw.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System32\wdIKPud.exe
  C:\Windows\System32\wdIKPud.exe
  2⤵
  PID:1064
- C:\Windows\System32\GAljvBN.exe
  C:\Windows\System32\GAljvBN.exe
  2⤵
  PID:4824
- C:\Windows\System32\dIAcgGe.exe
  C:\Windows\System32\dIAcgGe.exe
  2⤵
  PID:712
- C:\Windows\System32\VJlVVcE.exe
  C:\Windows\System32\VJlVVcE.exe
  2⤵
  PID:3936
- C:\Windows\System32\AKEwtxy.exe
  C:\Windows\System32\AKEwtxy.exe
  2⤵
  PID:4124
- C:\Windows\System32\uJEnNzr.exe
  C:\Windows\System32\uJEnNzr.exe
  2⤵
  PID:2628
- C:\Windows\System32\fbAovJc.exe
  C:\Windows\System32\fbAovJc.exe
  2⤵
  PID:60
- C:\Windows\System32\NEaVRCJ.exe
  C:\Windows\System32\NEaVRCJ.exe
  2⤵
  PID:4368
- C:\Windows\System32\BcsGnhn.exe
  C:\Windows\System32\BcsGnhn.exe
  2⤵
  PID:4264
- C:\Windows\System32\wUkjYUJ.exe
  C:\Windows\System32\wUkjYUJ.exe
  2⤵
  PID:4496
- C:\Windows\System32\fWbjutZ.exe
  C:\Windows\System32\fWbjutZ.exe
  2⤵
  PID:1500
- C:\Windows\System32\uTUqotC.exe
  C:\Windows\System32\uTUqotC.exe
  2⤵
  PID:1652
- C:\Windows\System32\etdSnrm.exe
  C:\Windows\System32\etdSnrm.exe
  2⤵
  PID:4892
- C:\Windows\System32\eczytWz.exe
  C:\Windows\System32\eczytWz.exe
  2⤵
  PID:5148
- C:\Windows\System32\QNYHOhh.exe
  C:\Windows\System32\QNYHOhh.exe
  2⤵
  PID:5176
- C:\Windows\System32\jvRrflr.exe
  C:\Windows\System32\jvRrflr.exe
  2⤵
  PID:5204
- C:\Windows\System32\ThtQpYu.exe
  C:\Windows\System32\ThtQpYu.exe
  2⤵
  PID:5232
- C:\Windows\System32\HOqZuHZ.exe
  C:\Windows\System32\HOqZuHZ.exe
  2⤵
  PID:5260
- C:\Windows\System32\BMKpzcm.exe
  C:\Windows\System32\BMKpzcm.exe
  2⤵
  PID:5288
- C:\Windows\System32\YnOqYwN.exe
  C:\Windows\System32\YnOqYwN.exe
  2⤵
  PID:5316
- C:\Windows\System32\TFOhDtm.exe
  C:\Windows\System32\TFOhDtm.exe
  2⤵
  PID:5340
- C:\Windows\System32\KbTuxln.exe
  C:\Windows\System32\KbTuxln.exe
  2⤵
  PID:5372
- C:\Windows\System32\aKjwCYq.exe
  C:\Windows\System32\aKjwCYq.exe
  2⤵
  PID:5400
- C:\Windows\System32\qtlFyAy.exe
  C:\Windows\System32\qtlFyAy.exe
  2⤵
  PID:5428
- C:\Windows\System32\gAfCztn.exe
  C:\Windows\System32\gAfCztn.exe
  2⤵
  PID:5460
- C:\Windows\System32\TkmPYQZ.exe
  C:\Windows\System32\TkmPYQZ.exe
  2⤵
  PID:5484
- C:\Windows\System32\kvnCeXu.exe
  C:\Windows\System32\kvnCeXu.exe
  2⤵
  PID:5512
- C:\Windows\System32\xWdsUOV.exe
  C:\Windows\System32\xWdsUOV.exe
  2⤵
  PID:5536
- C:\Windows\System32\gvQulXa.exe
  C:\Windows\System32\gvQulXa.exe
  2⤵
  PID:5568
- C:\Windows\System32\wODBwrR.exe
  C:\Windows\System32\wODBwrR.exe
  2⤵
  PID:5596
- C:\Windows\System32\mKeTpmz.exe
  C:\Windows\System32\mKeTpmz.exe
  2⤵
  PID:5624
- C:\Windows\System32\tuqWynV.exe
  C:\Windows\System32\tuqWynV.exe
  2⤵
  PID:5656
- C:\Windows\System32\bdxMeBk.exe
  C:\Windows\System32\bdxMeBk.exe
  2⤵
  PID:5680
- C:\Windows\System32\nzPZsYr.exe
  C:\Windows\System32\nzPZsYr.exe
  2⤵
  PID:5708
- C:\Windows\System32\jEYLDpX.exe
  C:\Windows\System32\jEYLDpX.exe
  2⤵
  PID:5740
- C:\Windows\System32\XSlSFIy.exe
  C:\Windows\System32\XSlSFIy.exe
  2⤵
  PID:5760
- C:\Windows\System32\tJQMxmH.exe
  C:\Windows\System32\tJQMxmH.exe
  2⤵
  PID:5792
- C:\Windows\System32\TUqOblw.exe
  C:\Windows\System32\TUqOblw.exe
  2⤵
  PID:5820
- C:\Windows\System32\bsaELHs.exe
  C:\Windows\System32\bsaELHs.exe
  2⤵
  PID:5848
- C:\Windows\System32\ogvrACS.exe
  C:\Windows\System32\ogvrACS.exe
  2⤵
  PID:5876
- C:\Windows\System32\gamsVCF.exe
  C:\Windows\System32\gamsVCF.exe
  2⤵
  PID:5904
- C:\Windows\System32\lVzQKhs.exe
  C:\Windows\System32\lVzQKhs.exe
  2⤵
  PID:5932
- C:\Windows\System32\durkOjc.exe
  C:\Windows\System32\durkOjc.exe
  2⤵
  PID:5960
- C:\Windows\System32\pOsjhkV.exe
  C:\Windows\System32\pOsjhkV.exe
  2⤵
  PID:5988
- C:\Windows\System32\WdMgzbV.exe
  C:\Windows\System32\WdMgzbV.exe
  2⤵
  PID:6016
- C:\Windows\System32\ipqGdoC.exe
  C:\Windows\System32\ipqGdoC.exe
  2⤵
  PID:6040
- C:\Windows\System32\eQZqPnh.exe
  C:\Windows\System32\eQZqPnh.exe
  2⤵
  PID:6072
- C:\Windows\System32\fEYQoJo.exe
  C:\Windows\System32\fEYQoJo.exe
  2⤵
  PID:6100
- C:\Windows\System32\KTjAyDI.exe
  C:\Windows\System32\KTjAyDI.exe
  2⤵
  PID:6128
- C:\Windows\System32\vtOSygj.exe
  C:\Windows\System32\vtOSygj.exe
  2⤵
  PID:1648
- C:\Windows\System32\eQZyERb.exe
  C:\Windows\System32\eQZyERb.exe
  2⤵
  PID:5076
- C:\Windows\System32\HJlFEYL.exe
  C:\Windows\System32\HJlFEYL.exe
  2⤵
  PID:5272
- C:\Windows\System32\GNoBUJy.exe
  C:\Windows\System32\GNoBUJy.exe
  2⤵
  PID:5308
- C:\Windows\System32\fMhXJjj.exe
  C:\Windows\System32\fMhXJjj.exe
  2⤵
  PID:5336
- C:\Windows\System32\WmetlMN.exe
  C:\Windows\System32\WmetlMN.exe
  2⤵
  PID:5356
- C:\Windows\System32\oEhZjOi.exe
  C:\Windows\System32\oEhZjOi.exe
  2⤵
  PID:5392
- C:\Windows\System32\ZnNyirl.exe
  C:\Windows\System32\ZnNyirl.exe
  2⤵
  PID:4020
- C:\Windows\System32\ldjXeGi.exe
  C:\Windows\System32\ldjXeGi.exe
  2⤵
  PID:5532
- C:\Windows\System32\vzYhnbf.exe
  C:\Windows\System32\vzYhnbf.exe
  2⤵
  PID:5644
- C:\Windows\System32\bCpfqBJ.exe
  C:\Windows\System32\bCpfqBJ.exe
  2⤵
  PID:5700
- C:\Windows\System32\DSpqDsg.exe
  C:\Windows\System32\DSpqDsg.exe
  2⤵
  PID:5756
- C:\Windows\System32\sPjmbvC.exe
  C:\Windows\System32\sPjmbvC.exe
  2⤵
  PID:5828
- C:\Windows\System32\czgQFTd.exe
  C:\Windows\System32\czgQFTd.exe
  2⤵
  PID:5892
- C:\Windows\System32\fMniNTo.exe
  C:\Windows\System32\fMniNTo.exe
  2⤵
  PID:2776
- C:\Windows\System32\XFUmbot.exe
  C:\Windows\System32\XFUmbot.exe
  2⤵
  PID:4916
- C:\Windows\System32\fCOZTop.exe
  C:\Windows\System32\fCOZTop.exe
  2⤵
  PID:1924
- C:\Windows\System32\XcdaSob.exe
  C:\Windows\System32\XcdaSob.exe
  2⤵
  PID:3256
- C:\Windows\System32\idAwcDm.exe
  C:\Windows\System32\idAwcDm.exe
  2⤵
  PID:3536
- C:\Windows\System32\IDkIYCm.exe
  C:\Windows\System32\IDkIYCm.exe
  2⤵
  PID:1780
- C:\Windows\System32\lSvxnvK.exe
  C:\Windows\System32\lSvxnvK.exe
  2⤵
  PID:2504
- C:\Windows\System32\OvOZhbM.exe
  C:\Windows\System32\OvOZhbM.exe
  2⤵
  PID:676
- C:\Windows\System32\Aeozips.exe
  C:\Windows\System32\Aeozips.exe
  2⤵
  PID:5100
- C:\Windows\System32\BPszHdc.exe
  C:\Windows\System32\BPszHdc.exe
  2⤵
  PID:3544
- C:\Windows\System32\FbBYmOT.exe
  C:\Windows\System32\FbBYmOT.exe
  2⤵
  PID:2996
- C:\Windows\System32\BskUXUf.exe
  C:\Windows\System32\BskUXUf.exe
  2⤵
  PID:5364
- C:\Windows\System32\fnqQnCs.exe
  C:\Windows\System32\fnqQnCs.exe
  2⤵
  PID:5500
- C:\Windows\System32\loJsQnn.exe
  C:\Windows\System32\loJsQnn.exe
  2⤵
  PID:5224
- C:\Windows\System32\IDtkJXW.exe
  C:\Windows\System32\IDtkJXW.exe
  2⤵
  PID:1008
- C:\Windows\System32\eVLAxWU.exe
  C:\Windows\System32\eVLAxWU.exe
  2⤵
  PID:5948
- C:\Windows\System32\DxdvkHV.exe
  C:\Windows\System32\DxdvkHV.exe
  2⤵
  PID:3476
- C:\Windows\System32\UKluNsN.exe
  C:\Windows\System32\UKluNsN.exe
  2⤵
  PID:1004
- C:\Windows\System32\MtFOcmC.exe
  C:\Windows\System32\MtFOcmC.exe
  2⤵
  PID:5244
- C:\Windows\System32\JawvpBp.exe
  C:\Windows\System32\JawvpBp.exe
  2⤵
  PID:5280
- C:\Windows\System32\VJUEllr.exe
  C:\Windows\System32\VJUEllr.exe
  2⤵
  PID:5560
- C:\Windows\System32\SOIeYFZ.exe
  C:\Windows\System32\SOIeYFZ.exe
  2⤵
  PID:5924
- C:\Windows\System32\OFJySGl.exe
  C:\Windows\System32\OFJySGl.exe
  2⤵
  PID:2644
- C:\Windows\System32\ECxTEji.exe
  C:\Windows\System32\ECxTEji.exe
  2⤵
  PID:5164
- C:\Windows\System32\xLOVqtZ.exe
  C:\Windows\System32\xLOVqtZ.exe
  2⤵
  PID:5724
- C:\Windows\System32\eogCPbD.exe
  C:\Windows\System32\eogCPbD.exe
  2⤵
  PID:3016
- C:\Windows\System32\ltrOpMN.exe
  C:\Windows\System32\ltrOpMN.exe
  2⤵
  PID:5196
- C:\Windows\System32\aXPHxfJ.exe
  C:\Windows\System32\aXPHxfJ.exe
  2⤵
  PID:5384
- C:\Windows\System32\JbYcnFq.exe
  C:\Windows\System32\JbYcnFq.exe
  2⤵
  PID:6168
- C:\Windows\System32\ynCeocj.exe
  C:\Windows\System32\ynCeocj.exe
  2⤵
  PID:6204
- C:\Windows\System32\MCtClBb.exe
  C:\Windows\System32\MCtClBb.exe
  2⤵
  PID:6232
- C:\Windows\System32\eiZBUnY.exe
  C:\Windows\System32\eiZBUnY.exe
  2⤵
  PID:6252
- C:\Windows\System32\bQYCohb.exe
  C:\Windows\System32\bQYCohb.exe
  2⤵
  PID:6268
- C:\Windows\System32\ILyhLHD.exe
  C:\Windows\System32\ILyhLHD.exe
  2⤵
  PID:6288
- C:\Windows\System32\yQKqzbG.exe
  C:\Windows\System32\yQKqzbG.exe
  2⤵
  PID:6324
- C:\Windows\System32\fDIDXPm.exe
  C:\Windows\System32\fDIDXPm.exe
  2⤵
  PID:6344
- C:\Windows\System32\qoeyKTK.exe
  C:\Windows\System32\qoeyKTK.exe
  2⤵
  PID:6372
- C:\Windows\System32\tbVspNT.exe
  C:\Windows\System32\tbVspNT.exe
  2⤵
  PID:6412
- C:\Windows\System32\SYmZGFp.exe
  C:\Windows\System32\SYmZGFp.exe
  2⤵
  PID:6436
- C:\Windows\System32\FojgZVQ.exe
  C:\Windows\System32\FojgZVQ.exe
  2⤵
  PID:6476
- C:\Windows\System32\gtwXHVI.exe
  C:\Windows\System32\gtwXHVI.exe
  2⤵
  PID:6496
- C:\Windows\System32\OZhoAPO.exe
  C:\Windows\System32\OZhoAPO.exe
  2⤵
  PID:6528
- C:\Windows\System32\VWldFFz.exe
  C:\Windows\System32\VWldFFz.exe
  2⤵
  PID:6552
- C:\Windows\System32\KVdJLfb.exe
  C:\Windows\System32\KVdJLfb.exe
  2⤵
  PID:6584
- C:\Windows\System32\RnKULzn.exe
  C:\Windows\System32\RnKULzn.exe
  2⤵
  PID:6632
- C:\Windows\System32\WbelWXA.exe
  C:\Windows\System32\WbelWXA.exe
  2⤵
  PID:6648
- C:\Windows\System32\HducFGt.exe
  C:\Windows\System32\HducFGt.exe
  2⤵
  PID:6684
- C:\Windows\System32\ULOrUSz.exe
  C:\Windows\System32\ULOrUSz.exe
  2⤵
  PID:6724
- C:\Windows\System32\SsVvyKX.exe
  C:\Windows\System32\SsVvyKX.exe
  2⤵
  PID:6744
- C:\Windows\System32\jhQSYWY.exe
  C:\Windows\System32\jhQSYWY.exe
  2⤵
  PID:6760
- C:\Windows\System32\iPPcicu.exe
  C:\Windows\System32\iPPcicu.exe
  2⤵
  PID:6812
- C:\Windows\System32\YiNyNal.exe
  C:\Windows\System32\YiNyNal.exe
  2⤵
  PID:6844
- C:\Windows\System32\xtzkLBD.exe
  C:\Windows\System32\xtzkLBD.exe
  2⤵
  PID:6860
- C:\Windows\System32\JLqOtrO.exe
  C:\Windows\System32\JLqOtrO.exe
  2⤵
  PID:6884
- C:\Windows\System32\IoVTMPq.exe
  C:\Windows\System32\IoVTMPq.exe
  2⤵
  PID:6912
- C:\Windows\System32\nXgDnYt.exe
  C:\Windows\System32\nXgDnYt.exe
  2⤵
  PID:6932
- C:\Windows\System32\cCsLFDw.exe
  C:\Windows\System32\cCsLFDw.exe
  2⤵
  PID:6964
- C:\Windows\System32\uvdJOJl.exe
  C:\Windows\System32\uvdJOJl.exe
  2⤵
  PID:7004
- C:\Windows\System32\OkYWhkG.exe
  C:\Windows\System32\OkYWhkG.exe
  2⤵
  PID:7072
- C:\Windows\System32\ZEJKnhs.exe
  C:\Windows\System32\ZEJKnhs.exe
  2⤵
  PID:7088
- C:\Windows\System32\dMLeNiS.exe
  C:\Windows\System32\dMLeNiS.exe
  2⤵
  PID:7112
- C:\Windows\System32\vZRZRWE.exe
  C:\Windows\System32\vZRZRWE.exe
  2⤵
  PID:7148
- C:\Windows\System32\DsUJIeE.exe
  C:\Windows\System32\DsUJIeE.exe
  2⤵
  PID:5160
- C:\Windows\System32\cRASOXJ.exe
  C:\Windows\System32\cRASOXJ.exe
  2⤵
  PID:6188
- C:\Windows\System32\pLBCgTn.exe
  C:\Windows\System32\pLBCgTn.exe
  2⤵
  PID:6304
- C:\Windows\System32\YRbQCyp.exe
  C:\Windows\System32\YRbQCyp.exe
  2⤵
  PID:6336
- C:\Windows\System32\UbrLMHD.exe
  C:\Windows\System32\UbrLMHD.exe
  2⤵
  PID:6420
- C:\Windows\System32\RivwFap.exe
  C:\Windows\System32\RivwFap.exe
  2⤵
  PID:6452
- C:\Windows\System32\JeWMbxg.exe
  C:\Windows\System32\JeWMbxg.exe
  2⤵
  PID:6548
- C:\Windows\System32\oPhUNDU.exe
  C:\Windows\System32\oPhUNDU.exe
  2⤵
  PID:6600
- C:\Windows\System32\otrJgSF.exe
  C:\Windows\System32\otrJgSF.exe
  2⤵
  PID:6740
- C:\Windows\System32\XnaXCjB.exe
  C:\Windows\System32\XnaXCjB.exe
  2⤵
  PID:6772
- C:\Windows\System32\FufFcYd.exe
  C:\Windows\System32\FufFcYd.exe
  2⤵
  PID:6808
- C:\Windows\System32\uOmbtLJ.exe
  C:\Windows\System32\uOmbtLJ.exe
  2⤵
  PID:6856
- C:\Windows\System32\xRXECxH.exe
  C:\Windows\System32\xRXECxH.exe
  2⤵
  PID:6984
- C:\Windows\System32\dJeiEWT.exe
  C:\Windows\System32\dJeiEWT.exe
  2⤵
  PID:7052
- C:\Windows\System32\KkTvBbr.exe
  C:\Windows\System32\KkTvBbr.exe
  2⤵
  PID:7084
- C:\Windows\System32\rRtiWwN.exe
  C:\Windows\System32\rRtiWwN.exe
  2⤵
  PID:6176
- C:\Windows\System32\PvcIZJN.exe
  C:\Windows\System32\PvcIZJN.exe
  2⤵
  PID:6308
- C:\Windows\System32\tCZWbpM.exe
  C:\Windows\System32\tCZWbpM.exe
  2⤵
  PID:6408
- C:\Windows\System32\iOGmqxx.exe
  C:\Windows\System32\iOGmqxx.exe
  2⤵
  PID:6576
- C:\Windows\System32\KmwxzOr.exe
  C:\Windows\System32\KmwxzOr.exe
  2⤵
  PID:6792
- C:\Windows\System32\gioaPbF.exe
  C:\Windows\System32\gioaPbF.exe
  2⤵
  PID:6868
- C:\Windows\System32\YzFBsSq.exe
  C:\Windows\System32\YzFBsSq.exe
  2⤵
  PID:7124
- C:\Windows\System32\vDrDpyu.exe
  C:\Windows\System32\vDrDpyu.exe
  2⤵
  PID:6260
- C:\Windows\System32\YeeHVDT.exe
  C:\Windows\System32\YeeHVDT.exe
  2⤵
  PID:6536
- C:\Windows\System32\rLFHHei.exe
  C:\Windows\System32\rLFHHei.exe
  2⤵
  PID:6980
- C:\Windows\System32\vMGMiNe.exe
  C:\Windows\System32\vMGMiNe.exe
  2⤵
  PID:6148
- C:\Windows\System32\awuVadr.exe
  C:\Windows\System32\awuVadr.exe
  2⤵
  PID:7108
- C:\Windows\System32\FFPIjLH.exe
  C:\Windows\System32\FFPIjLH.exe
  2⤵
  PID:7184
- C:\Windows\System32\BtEpQQW.exe
  C:\Windows\System32\BtEpQQW.exe
  2⤵
  PID:7204
- C:\Windows\System32\bSgfyIP.exe
  C:\Windows\System32\bSgfyIP.exe
  2⤵
  PID:7248
- C:\Windows\System32\XhJdaLI.exe
  C:\Windows\System32\XhJdaLI.exe
  2⤵
  PID:7272
- C:\Windows\System32\cpgyIaS.exe
  C:\Windows\System32\cpgyIaS.exe
  2⤵
  PID:7288
- C:\Windows\System32\REUMxpq.exe
  C:\Windows\System32\REUMxpq.exe
  2⤵
  PID:7316
- C:\Windows\System32\yASYSDe.exe
  C:\Windows\System32\yASYSDe.exe
  2⤵
  PID:7340
- C:\Windows\System32\NZmqUcq.exe
  C:\Windows\System32\NZmqUcq.exe
  2⤵
  PID:7384
- C:\Windows\System32\BSiIkMV.exe
  C:\Windows\System32\BSiIkMV.exe
  2⤵
  PID:7444
- C:\Windows\System32\cYaWuib.exe
  C:\Windows\System32\cYaWuib.exe
  2⤵
  PID:7472
- C:\Windows\System32\qprCMBs.exe
  C:\Windows\System32\qprCMBs.exe
  2⤵
  PID:7496
- C:\Windows\System32\hrZzicL.exe
  C:\Windows\System32\hrZzicL.exe
  2⤵
  PID:7520
- C:\Windows\System32\EBCQuUW.exe
  C:\Windows\System32\EBCQuUW.exe
  2⤵
  PID:7552
- C:\Windows\System32\LdYxZvS.exe
  C:\Windows\System32\LdYxZvS.exe
  2⤵
  PID:7572
- C:\Windows\System32\AgCOFjB.exe
  C:\Windows\System32\AgCOFjB.exe
  2⤵
  PID:7596
- C:\Windows\System32\rhlOQRv.exe
  C:\Windows\System32\rhlOQRv.exe
  2⤵
  PID:7636
- C:\Windows\System32\iETeKbr.exe
  C:\Windows\System32\iETeKbr.exe
  2⤵
  PID:7652
- C:\Windows\System32\wFrQJKM.exe
  C:\Windows\System32\wFrQJKM.exe
  2⤵
  PID:7684
- C:\Windows\System32\OAHiplY.exe
  C:\Windows\System32\OAHiplY.exe
  2⤵
  PID:7704
- C:\Windows\System32\KwOWYpK.exe
  C:\Windows\System32\KwOWYpK.exe
  2⤵
  PID:7756
- C:\Windows\System32\KEQRngO.exe
  C:\Windows\System32\KEQRngO.exe
  2⤵
  PID:7780
- C:\Windows\System32\dmBWkCo.exe
  C:\Windows\System32\dmBWkCo.exe
  2⤵
  PID:7808
- C:\Windows\System32\YyYKgtM.exe
  C:\Windows\System32\YyYKgtM.exe
  2⤵
  PID:7824
- C:\Windows\System32\lySWVOU.exe
  C:\Windows\System32\lySWVOU.exe
  2⤵
  PID:7840
- C:\Windows\System32\acceQTh.exe
  C:\Windows\System32\acceQTh.exe
  2⤵
  PID:7868
- C:\Windows\System32\jAEGYIs.exe
  C:\Windows\System32\jAEGYIs.exe
  2⤵
  PID:7912
- C:\Windows\System32\BaJOGEJ.exe
  C:\Windows\System32\BaJOGEJ.exe
  2⤵
  PID:7948
- C:\Windows\System32\kXjJZUj.exe
  C:\Windows\System32\kXjJZUj.exe
  2⤵
  PID:7976
- C:\Windows\System32\PwUCMHI.exe
  C:\Windows\System32\PwUCMHI.exe
  2⤵
  PID:7996
- C:\Windows\System32\FYuhLCl.exe
  C:\Windows\System32\FYuhLCl.exe
  2⤵
  PID:8036
- C:\Windows\System32\tYfjNbM.exe
  C:\Windows\System32\tYfjNbM.exe
  2⤵
  PID:8052
- C:\Windows\System32\TuuEEMt.exe
  C:\Windows\System32\TuuEEMt.exe
  2⤵
  PID:8076
- C:\Windows\System32\MUHmZvB.exe
  C:\Windows\System32\MUHmZvB.exe
  2⤵
  PID:8100
- C:\Windows\System32\OENgsLZ.exe
  C:\Windows\System32\OENgsLZ.exe
  2⤵
  PID:8148
- C:\Windows\System32\eIClQJP.exe
  C:\Windows\System32\eIClQJP.exe
  2⤵
  PID:8172
- C:\Windows\System32\RyfGXJw.exe
  C:\Windows\System32\RyfGXJw.exe
  2⤵
  PID:6384
- C:\Windows\System32\qWNzDoq.exe
  C:\Windows\System32\qWNzDoq.exe
  2⤵
  PID:6756
- C:\Windows\System32\HFLfcsn.exe
  C:\Windows\System32\HFLfcsn.exe
  2⤵
  PID:7256
- C:\Windows\System32\hRujSyc.exe
  C:\Windows\System32\hRujSyc.exe
  2⤵
  PID:7368
- C:\Windows\System32\XBrSYYo.exe
  C:\Windows\System32\XBrSYYo.exe
  2⤵
  PID:7392
- C:\Windows\System32\WnsEcmW.exe
  C:\Windows\System32\WnsEcmW.exe
  2⤵
  PID:7488
- C:\Windows\System32\XShpqCP.exe
  C:\Windows\System32\XShpqCP.exe
  2⤵
  PID:7548
- C:\Windows\System32\pzFSJga.exe
  C:\Windows\System32\pzFSJga.exe
  2⤵
  PID:7588
- C:\Windows\System32\KPOOsmr.exe
  C:\Windows\System32\KPOOsmr.exe
  2⤵
  PID:7680
- C:\Windows\System32\KBeAfMc.exe
  C:\Windows\System32\KBeAfMc.exe
  2⤵
  PID:7740
- C:\Windows\System32\FkeKMXF.exe
  C:\Windows\System32\FkeKMXF.exe
  2⤵
  PID:7792
- C:\Windows\System32\dYMTSxF.exe
  C:\Windows\System32\dYMTSxF.exe
  2⤵
  PID:7864
- C:\Windows\System32\WxdHPVI.exe
  C:\Windows\System32\WxdHPVI.exe
  2⤵
  PID:7920
- C:\Windows\System32\oeHUXwX.exe
  C:\Windows\System32\oeHUXwX.exe
  2⤵
  PID:7192
- C:\Windows\System32\UBpTrkJ.exe
  C:\Windows\System32\UBpTrkJ.exe
  2⤵
  PID:7224
- C:\Windows\System32\pBwKaGN.exe
  C:\Windows\System32\pBwKaGN.exe
  2⤵
  PID:7360
- C:\Windows\System32\iKScxyx.exe
  C:\Windows\System32\iKScxyx.exe
  2⤵
  PID:7468
- C:\Windows\System32\jJlYZle.exe
  C:\Windows\System32\jJlYZle.exe
  2⤵
  PID:7540
- C:\Windows\System32\roFirHk.exe
  C:\Windows\System32\roFirHk.exe
  2⤵
  PID:7900
- C:\Windows\System32\iwAJJmH.exe
  C:\Windows\System32\iwAJJmH.exe
  2⤵
  PID:7328
- C:\Windows\System32\curwWww.exe
  C:\Windows\System32\curwWww.exe
  2⤵
  PID:7988
- C:\Windows\System32\tcomBaV.exe
  C:\Windows\System32\tcomBaV.exe
  2⤵
  PID:7648
- C:\Windows\System32\LSHGoAB.exe
  C:\Windows\System32\LSHGoAB.exe
  2⤵
  PID:7796
- C:\Windows\System32\urbiUMy.exe
  C:\Windows\System32\urbiUMy.exe
  2⤵
  PID:7860
- C:\Windows\System32\mLIBtVU.exe
  C:\Windows\System32\mLIBtVU.exe
  2⤵
  PID:8180
- C:\Windows\System32\RgswUoW.exe
  C:\Windows\System32\RgswUoW.exe
  2⤵
  PID:7324
- C:\Windows\System32\tyPNvIX.exe
  C:\Windows\System32\tyPNvIX.exe
  2⤵
  PID:7172
- C:\Windows\System32\fyQnTlx.exe
  C:\Windows\System32\fyQnTlx.exe
  2⤵
  PID:8188
- C:\Windows\System32\zETxvLa.exe
  C:\Windows\System32\zETxvLa.exe
  2⤵
  PID:8196
- C:\Windows\System32\aCMPxqr.exe
  C:\Windows\System32\aCMPxqr.exe
  2⤵
  PID:8216
- C:\Windows\System32\RPJDhhi.exe
  C:\Windows\System32\RPJDhhi.exe
  2⤵
  PID:8256
- C:\Windows\System32\sntOYeX.exe
  C:\Windows\System32\sntOYeX.exe
  2⤵
  PID:8276
- C:\Windows\System32\lgBZEsS.exe
  C:\Windows\System32\lgBZEsS.exe
  2⤵
  PID:8300
- C:\Windows\System32\sZWiCoz.exe
  C:\Windows\System32\sZWiCoz.exe
  2⤵
  PID:8324
- C:\Windows\System32\sVyAdAk.exe
  C:\Windows\System32\sVyAdAk.exe
  2⤵
  PID:8376
- C:\Windows\System32\MtFVkVH.exe
  C:\Windows\System32\MtFVkVH.exe
  2⤵
  PID:8404
- C:\Windows\System32\aAkNsno.exe
  C:\Windows\System32\aAkNsno.exe
  2⤵
  PID:8420
- C:\Windows\System32\PmdgEzg.exe
  C:\Windows\System32\PmdgEzg.exe
  2⤵
  PID:8444
- C:\Windows\System32\ZzRWqzX.exe
  C:\Windows\System32\ZzRWqzX.exe
  2⤵
  PID:8476
- C:\Windows\System32\ohbazQI.exe
  C:\Windows\System32\ohbazQI.exe
  2⤵
  PID:8516
- C:\Windows\System32\mvGupPb.exe
  C:\Windows\System32\mvGupPb.exe
  2⤵
  PID:8536
- C:\Windows\System32\eIbLUcf.exe
  C:\Windows\System32\eIbLUcf.exe
  2⤵
  PID:8556
- C:\Windows\System32\oKjbCvo.exe
  C:\Windows\System32\oKjbCvo.exe
  2⤵
  PID:8604
- C:\Windows\System32\ddnVZvu.exe
  C:\Windows\System32\ddnVZvu.exe
  2⤵
  PID:8620
- C:\Windows\System32\GLVeeqt.exe
  C:\Windows\System32\GLVeeqt.exe
  2⤵
  PID:8640
- C:\Windows\System32\zZXmYSo.exe
  C:\Windows\System32\zZXmYSo.exe
  2⤵
  PID:8688
- C:\Windows\System32\zzpcuPL.exe
  C:\Windows\System32\zzpcuPL.exe
  2⤵
  PID:8716
- C:\Windows\System32\FMZfEWE.exe
  C:\Windows\System32\FMZfEWE.exe
  2⤵
  PID:8740
- C:\Windows\System32\JCsSRVh.exe
  C:\Windows\System32\JCsSRVh.exe
  2⤵
  PID:8768
- C:\Windows\System32\gffwAaN.exe
  C:\Windows\System32\gffwAaN.exe
  2⤵
  PID:8788
- C:\Windows\System32\rXZjedj.exe
  C:\Windows\System32\rXZjedj.exe
  2⤵
  PID:8816
- C:\Windows\System32\NuVHrmC.exe
  C:\Windows\System32\NuVHrmC.exe
  2⤵
  PID:8836
- C:\Windows\System32\GHDVlkg.exe
  C:\Windows\System32\GHDVlkg.exe
  2⤵
  PID:8864
- C:\Windows\System32\WYBgnfR.exe
  C:\Windows\System32\WYBgnfR.exe
  2⤵
  PID:8904
- C:\Windows\System32\YvCgXlw.exe
  C:\Windows\System32\YvCgXlw.exe
  2⤵
  PID:8940
- C:\Windows\System32\hFMlteH.exe
  C:\Windows\System32\hFMlteH.exe
  2⤵
  PID:8964
- C:\Windows\System32\sgeXOnU.exe
  C:\Windows\System32\sgeXOnU.exe
  2⤵
  PID:8984
- C:\Windows\System32\QMmLnfl.exe
  C:\Windows\System32\QMmLnfl.exe
  2⤵
  PID:9012
- C:\Windows\System32\QGpAgzt.exe
  C:\Windows\System32\QGpAgzt.exe
  2⤵
  PID:9052
- C:\Windows\System32\vjJwxIY.exe
  C:\Windows\System32\vjJwxIY.exe
  2⤵
  PID:9080
- C:\Windows\System32\tRdOIun.exe
  C:\Windows\System32\tRdOIun.exe
  2⤵
  PID:9108
- C:\Windows\System32\vavAPPC.exe
  C:\Windows\System32\vavAPPC.exe
  2⤵
  PID:9132
- C:\Windows\System32\uMujlrm.exe
  C:\Windows\System32\uMujlrm.exe
  2⤵
  PID:9164
- C:\Windows\System32\eCbhWJj.exe
  C:\Windows\System32\eCbhWJj.exe
  2⤵
  PID:9192
- C:\Windows\System32\mZOkAXa.exe
  C:\Windows\System32\mZOkAXa.exe
  2⤵
  PID:8084
- C:\Windows\System32\QyqMjvm.exe
  C:\Windows\System32\QyqMjvm.exe
  2⤵
  PID:8232
- C:\Windows\System32\YwDinox.exe
  C:\Windows\System32\YwDinox.exe
  2⤵
  PID:8264
- C:\Windows\System32\PlCklIQ.exe
  C:\Windows\System32\PlCklIQ.exe
  2⤵
  PID:8356
- C:\Windows\System32\bhlhhdH.exe
  C:\Windows\System32\bhlhhdH.exe
  2⤵
  PID:8452
- C:\Windows\System32\hczNCcn.exe
  C:\Windows\System32\hczNCcn.exe
  2⤵
  PID:8500
- C:\Windows\System32\xYCPpnW.exe
  C:\Windows\System32\xYCPpnW.exe
  2⤵
  PID:8584
- C:\Windows\System32\lrujmPB.exe
  C:\Windows\System32\lrujmPB.exe
  2⤵
  PID:8664
- C:\Windows\System32\XVEKpdZ.exe
  C:\Windows\System32\XVEKpdZ.exe
  2⤵
  PID:8708
- C:\Windows\System32\oqvrxKq.exe
  C:\Windows\System32\oqvrxKq.exe
  2⤵
  PID:8780
- C:\Windows\System32\rvLpPPM.exe
  C:\Windows\System32\rvLpPPM.exe
  2⤵
  PID:8812
- C:\Windows\System32\IZUhVWy.exe
  C:\Windows\System32\IZUhVWy.exe
  2⤵
  PID:8860
- C:\Windows\System32\WrUgjxJ.exe
  C:\Windows\System32\WrUgjxJ.exe
  2⤵
  PID:8976
- C:\Windows\System32\HveyIok.exe
  C:\Windows\System32\HveyIok.exe
  2⤵
  PID:8996
- C:\Windows\System32\eBjyFbS.exe
  C:\Windows\System32\eBjyFbS.exe
  2⤵
  PID:9076
- C:\Windows\System32\UbSDial.exe
  C:\Windows\System32\UbSDial.exe
  2⤵
  PID:9128
- C:\Windows\System32\zcHTpHA.exe
  C:\Windows\System32\zcHTpHA.exe
  2⤵
  PID:8272
- C:\Windows\System32\TsBKFnQ.exe
  C:\Windows\System32\TsBKFnQ.exe
  2⤵
  PID:8268
- C:\Windows\System32\lxQJFTM.exe
  C:\Windows\System32\lxQJFTM.exe
  2⤵
  PID:8436
- C:\Windows\System32\jGaOOLj.exe
  C:\Windows\System32\jGaOOLj.exe
  2⤵
  PID:8784
- C:\Windows\System32\JQUXvoQ.exe
  C:\Windows\System32\JQUXvoQ.exe
  2⤵
  PID:8756
- C:\Windows\System32\BNTQKus.exe
  C:\Windows\System32\BNTQKus.exe
  2⤵
  PID:9024
- C:\Windows\System32\uxrdJdk.exe
  C:\Windows\System32\uxrdJdk.exe
  2⤵
  PID:9204
- C:\Windows\System32\URdPJaf.exe
  C:\Windows\System32\URdPJaf.exe
  2⤵
  PID:8528
- C:\Windows\System32\vbsUbyz.exe
  C:\Windows\System32\vbsUbyz.exe
  2⤵
  PID:8636
- C:\Windows\System32\CVWsRmY.exe
  C:\Windows\System32\CVWsRmY.exe
  2⤵
  PID:8932
- C:\Windows\System32\xiARGMB.exe
  C:\Windows\System32\xiARGMB.exe
  2⤵
  PID:8388
- C:\Windows\System32\tMNjnUl.exe
  C:\Windows\System32\tMNjnUl.exe
  2⤵
  PID:9228
- C:\Windows\System32\OGIYWlk.exe
  C:\Windows\System32\OGIYWlk.exe
  2⤵
  PID:9268
- C:\Windows\System32\vQjIPvw.exe
  C:\Windows\System32\vQjIPvw.exe
  2⤵
  PID:9308
- C:\Windows\System32\cEGyKHI.exe
  C:\Windows\System32\cEGyKHI.exe
  2⤵
  PID:9332
- C:\Windows\System32\HTSNysx.exe
  C:\Windows\System32\HTSNysx.exe
  2⤵
  PID:9368
- C:\Windows\System32\kvmqMPb.exe
  C:\Windows\System32\kvmqMPb.exe
  2⤵
  PID:9384
- C:\Windows\System32\oVMlkbu.exe
  C:\Windows\System32\oVMlkbu.exe
  2⤵
  PID:9432
- C:\Windows\System32\UUqSfyy.exe
  C:\Windows\System32\UUqSfyy.exe
  2⤵
  PID:9456
- C:\Windows\System32\iMKEUKN.exe
  C:\Windows\System32\iMKEUKN.exe
  2⤵
  PID:9476
- C:\Windows\System32\qmqVKHI.exe
  C:\Windows\System32\qmqVKHI.exe
  2⤵
  PID:9500
- C:\Windows\System32\fepyqxq.exe
  C:\Windows\System32\fepyqxq.exe
  2⤵
  PID:9528
- C:\Windows\System32\RBYZwLw.exe
  C:\Windows\System32\RBYZwLw.exe
  2⤵
  PID:9552
- C:\Windows\System32\lsLJyPJ.exe
  C:\Windows\System32\lsLJyPJ.exe
  2⤵
  PID:9592
- C:\Windows\System32\ArNaEug.exe
  C:\Windows\System32\ArNaEug.exe
  2⤵
  PID:9616
- C:\Windows\System32\obIqvMb.exe
  C:\Windows\System32\obIqvMb.exe
  2⤵
  PID:9644
- C:\Windows\System32\jkBvnTJ.exe
  C:\Windows\System32\jkBvnTJ.exe
  2⤵
  PID:9684
- C:\Windows\System32\mLKlXVD.exe
  C:\Windows\System32\mLKlXVD.exe
  2⤵
  PID:9700
- C:\Windows\System32\jcChcnR.exe
  C:\Windows\System32\jcChcnR.exe
  2⤵
  PID:9728
- C:\Windows\System32\ZOkDEjS.exe
  C:\Windows\System32\ZOkDEjS.exe
  2⤵
  PID:9768
- C:\Windows\System32\ZzDjhJR.exe
  C:\Windows\System32\ZzDjhJR.exe
  2⤵
  PID:9796
- C:\Windows\System32\cYbvAZJ.exe
  C:\Windows\System32\cYbvAZJ.exe
  2⤵
  PID:9820
- C:\Windows\System32\BYgLIQT.exe
  C:\Windows\System32\BYgLIQT.exe
  2⤵
  PID:9840
- C:\Windows\System32\VVBILkT.exe
  C:\Windows\System32\VVBILkT.exe
  2⤵
  PID:9880
- C:\Windows\System32\zgLloye.exe
  C:\Windows\System32\zgLloye.exe
  2⤵
  PID:9908
- C:\Windows\System32\HPotRRT.exe
  C:\Windows\System32\HPotRRT.exe
  2⤵
  PID:9932
- C:\Windows\System32\XeIrCKV.exe
  C:\Windows\System32\XeIrCKV.exe
  2⤵
  PID:9948
- C:\Windows\System32\KMVnGqW.exe
  C:\Windows\System32\KMVnGqW.exe
  2⤵
  PID:10000
- C:\Windows\System32\spzxmfW.exe
  C:\Windows\System32\spzxmfW.exe
  2⤵
  PID:10020
- C:\Windows\System32\UywEldc.exe
  C:\Windows\System32\UywEldc.exe
  2⤵
  PID:10036
- C:\Windows\System32\NqirqMc.exe
  C:\Windows\System32\NqirqMc.exe
  2⤵
  PID:10064
- C:\Windows\System32\IqEvYXs.exe
  C:\Windows\System32\IqEvYXs.exe
  2⤵
  PID:10108
- C:\Windows\System32\oUbNJPo.exe
  C:\Windows\System32\oUbNJPo.exe
  2⤵
  PID:10132
- C:\Windows\System32\bKFnUdY.exe
  C:\Windows\System32\bKFnUdY.exe
  2⤵
  PID:10148
- C:\Windows\System32\nXYCxYk.exe
  C:\Windows\System32\nXYCxYk.exe
  2⤵
  PID:10172
- C:\Windows\System32\rAtfUqC.exe
  C:\Windows\System32\rAtfUqC.exe
  2⤵
  PID:10196
- C:\Windows\System32\EujoLbt.exe
  C:\Windows\System32\EujoLbt.exe
  2⤵
  PID:8564
- C:\Windows\System32\NgwMlly.exe
  C:\Windows\System32\NgwMlly.exe
  2⤵
  PID:9180
- C:\Windows\System32\cRmAUXf.exe
  C:\Windows\System32\cRmAUXf.exe
  2⤵
  PID:9260
- C:\Windows\System32\tlupIiU.exe
  C:\Windows\System32\tlupIiU.exe
  2⤵
  PID:9340
- C:\Windows\System32\ueymJDH.exe
  C:\Windows\System32\ueymJDH.exe
  2⤵
  PID:9396
- C:\Windows\System32\GqJoPAH.exe
  C:\Windows\System32\GqJoPAH.exe
  2⤵
  PID:9488
- C:\Windows\System32\yZbAoYg.exe
  C:\Windows\System32\yZbAoYg.exe
  2⤵
  PID:9548
- C:\Windows\System32\FHxfCiz.exe
  C:\Windows\System32\FHxfCiz.exe
  2⤵
  PID:5000
- C:\Windows\System32\jZvYNky.exe
  C:\Windows\System32\jZvYNky.exe
  2⤵
  PID:9696
- C:\Windows\System32\QRIHAjC.exe
  C:\Windows\System32\QRIHAjC.exe
  2⤵
  PID:9756
- C:\Windows\System32\dwkbdmc.exe
  C:\Windows\System32\dwkbdmc.exe
  2⤵
  PID:9808
- C:\Windows\System32\VesSBZS.exe
  C:\Windows\System32\VesSBZS.exe
  2⤵
  PID:9860
- C:\Windows\System32\uTCtpmY.exe
  C:\Windows\System32\uTCtpmY.exe
  2⤵
  PID:9920
- C:\Windows\System32\gvGZDOf.exe
  C:\Windows\System32\gvGZDOf.exe
  2⤵
  PID:9980
- C:\Windows\System32\JLLsNfY.exe
  C:\Windows\System32\JLLsNfY.exe
  2⤵
  PID:10028
- C:\Windows\System32\joimYqd.exe
  C:\Windows\System32\joimYqd.exe
  2⤵
  PID:10180
- C:\Windows\System32\LKtdEQw.exe
  C:\Windows\System32\LKtdEQw.exe
  2⤵
  PID:10208
- C:\Windows\System32\aQwTybQ.exe
  C:\Windows\System32\aQwTybQ.exe
  2⤵
  PID:9276
- C:\Windows\System32\tLmLhbj.exe
  C:\Windows\System32\tLmLhbj.exe
  2⤵
  PID:9472
- C:\Windows\System32\SdyXqlZ.exe
  C:\Windows\System32\SdyXqlZ.exe
  2⤵
  PID:9604
- C:\Windows\System32\bjKuyCj.exe
  C:\Windows\System32\bjKuyCj.exe
  2⤵
  PID:9724
- C:\Windows\System32\RFaRCuH.exe
  C:\Windows\System32\RFaRCuH.exe
  2⤵
  PID:9868
- C:\Windows\System32\ZJZRUAH.exe
  C:\Windows\System32\ZJZRUAH.exe
  2⤵
  PID:10044
- C:\Windows\System32\WwkUvon.exe
  C:\Windows\System32\WwkUvon.exe
  2⤵
  PID:9152
- C:\Windows\System32\PyuoXnN.exe
  C:\Windows\System32\PyuoXnN.exe
  2⤵
  PID:9352
- C:\Windows\System32\kynIkVy.exe
  C:\Windows\System32\kynIkVy.exe
  2⤵
  PID:9568
- C:\Windows\System32\drVQhLZ.exe
  C:\Windows\System32\drVQhLZ.exe
  2⤵
  PID:9692
- C:\Windows\System32\KAQIiRc.exe
  C:\Windows\System32\KAQIiRc.exe
  2⤵
  PID:9416
- C:\Windows\System32\hSOfAfj.exe
  C:\Windows\System32\hSOfAfj.exe
  2⤵
  PID:10164
- C:\Windows\System32\LHIFCiB.exe
  C:\Windows\System32\LHIFCiB.exe
  2⤵
  PID:10256
- C:\Windows\System32\lLtetLn.exe
  C:\Windows\System32\lLtetLn.exe
  2⤵
  PID:10276
- C:\Windows\System32\SexWUzM.exe
  C:\Windows\System32\SexWUzM.exe
  2⤵
  PID:10324
- C:\Windows\System32\ObcLkCA.exe
  C:\Windows\System32\ObcLkCA.exe
  2⤵
  PID:10344
- C:\Windows\System32\yBjEyjg.exe
  C:\Windows\System32\yBjEyjg.exe
  2⤵
  PID:10380
- C:\Windows\System32\VzKcotZ.exe
  C:\Windows\System32\VzKcotZ.exe
  2⤵
  PID:10420
- C:\Windows\System32\bfzkAjM.exe
  C:\Windows\System32\bfzkAjM.exe
  2⤵
  PID:10440
- C:\Windows\System32\cvAZhnw.exe
  C:\Windows\System32\cvAZhnw.exe
  2⤵
  PID:10468
- C:\Windows\System32\KHCUMKb.exe
  C:\Windows\System32\KHCUMKb.exe
  2⤵
  PID:10484
- C:\Windows\System32\ZekcZDG.exe
  C:\Windows\System32\ZekcZDG.exe
  2⤵
  PID:10504
- C:\Windows\System32\nffpkel.exe
  C:\Windows\System32\nffpkel.exe
  2⤵
  PID:10528
- C:\Windows\System32\sxAcDRA.exe
  C:\Windows\System32\sxAcDRA.exe
  2⤵
  PID:10548
- C:\Windows\System32\tazbTrh.exe
  C:\Windows\System32\tazbTrh.exe
  2⤵
  PID:10596
- C:\Windows\System32\vgOEZyl.exe
  C:\Windows\System32\vgOEZyl.exe
  2⤵
  PID:10648
- C:\Windows\System32\wcVZgxY.exe
  C:\Windows\System32\wcVZgxY.exe
  2⤵
  PID:10664
- C:\Windows\System32\yWiYrdj.exe
  C:\Windows\System32\yWiYrdj.exe
  2⤵
  PID:10684
- C:\Windows\System32\hVQPJuE.exe
  C:\Windows\System32\hVQPJuE.exe
  2⤵
  PID:10700
- C:\Windows\System32\MbnXIhw.exe
  C:\Windows\System32\MbnXIhw.exe
  2⤵
  PID:10740
- C:\Windows\System32\wjEyMCD.exe
  C:\Windows\System32\wjEyMCD.exe
  2⤵
  PID:10764
- C:\Windows\System32\tSmZxgw.exe
  C:\Windows\System32\tSmZxgw.exe
  2⤵
  PID:10784
- C:\Windows\System32\FyZudsN.exe
  C:\Windows\System32\FyZudsN.exe
  2⤵
  PID:10820
- C:\Windows\System32\hDCSnli.exe
  C:\Windows\System32\hDCSnli.exe
  2⤵
  PID:10848
- C:\Windows\System32\iiECzfz.exe
  C:\Windows\System32\iiECzfz.exe
  2⤵
  PID:10888
- C:\Windows\System32\IzIMMqC.exe
  C:\Windows\System32\IzIMMqC.exe
  2⤵
  PID:10916
- C:\Windows\System32\SQJofzp.exe
  C:\Windows\System32\SQJofzp.exe
  2⤵
  PID:10948
- C:\Windows\System32\zgNQlgZ.exe
  C:\Windows\System32\zgNQlgZ.exe
  2⤵
  PID:10968
- C:\Windows\System32\YJDIQXP.exe
  C:\Windows\System32\YJDIQXP.exe
  2⤵
  PID:10984
- C:\Windows\System32\nOFSDua.exe
  C:\Windows\System32\nOFSDua.exe
  2⤵
  PID:11016
- C:\Windows\System32\evsLmkC.exe
  C:\Windows\System32\evsLmkC.exe
  2⤵
  PID:11052
- C:\Windows\System32\TttsRXR.exe
  C:\Windows\System32\TttsRXR.exe
  2⤵
  PID:11072
- C:\Windows\System32\bnqWqBJ.exe
  C:\Windows\System32\bnqWqBJ.exe
  2⤵
  PID:11096
- C:\Windows\System32\xmKsguc.exe
  C:\Windows\System32\xmKsguc.exe
  2⤵
  PID:11140
- C:\Windows\System32\QlvoPzo.exe
  C:\Windows\System32\QlvoPzo.exe
  2⤵
  PID:11156
- C:\Windows\System32\frnbbry.exe
  C:\Windows\System32\frnbbry.exe
  2⤵
  PID:11176
- C:\Windows\System32\EGRtZjr.exe
  C:\Windows\System32\EGRtZjr.exe
  2⤵
  PID:11232
- C:\Windows\System32\GbEOmsi.exe
  C:\Windows\System32\GbEOmsi.exe
  2⤵
  PID:11256
- C:\Windows\System32\nbRnqej.exe
  C:\Windows\System32\nbRnqej.exe
  2⤵
  PID:10268
- C:\Windows\System32\jRJGMrd.exe
  C:\Windows\System32\jRJGMrd.exe
  2⤵
  PID:10352
- C:\Windows\System32\uKHumqt.exe
  C:\Windows\System32\uKHumqt.exe
  2⤵
  PID:10428
- C:\Windows\System32\eqYcipa.exe
  C:\Windows\System32\eqYcipa.exe
  2⤵
  PID:10476
- C:\Windows\System32\DbhBEfX.exe
  C:\Windows\System32\DbhBEfX.exe
  2⤵
  PID:10540
- C:\Windows\System32\RWRzvij.exe
  C:\Windows\System32\RWRzvij.exe
  2⤵
  PID:10616
- C:\Windows\System32\OSAYOOk.exe
  C:\Windows\System32\OSAYOOk.exe
  2⤵
  PID:10708
- C:\Windows\System32\MAlFihN.exe
  C:\Windows\System32\MAlFihN.exe
  2⤵
  PID:10760
- C:\Windows\System32\RiOcgot.exe
  C:\Windows\System32\RiOcgot.exe
  2⤵
  PID:10776
- C:\Windows\System32\JHKaUui.exe
  C:\Windows\System32\JHKaUui.exe
  2⤵
  PID:10840
- C:\Windows\System32\xgasigY.exe
  C:\Windows\System32\xgasigY.exe
  2⤵
  PID:10880
- C:\Windows\System32\TkDfLLQ.exe
  C:\Windows\System32\TkDfLLQ.exe
  2⤵
  PID:10960
- C:\Windows\System32\pKzOpNE.exe
  C:\Windows\System32\pKzOpNE.exe
  2⤵
  PID:10976
- C:\Windows\System32\QiuJnxV.exe
  C:\Windows\System32\QiuJnxV.exe
  2⤵
  PID:11088
- C:\Windows\System32\lihcTXP.exe
  C:\Windows\System32\lihcTXP.exe
  2⤵
  PID:11172
- C:\Windows\System32\bjgQkBl.exe
  C:\Windows\System32\bjgQkBl.exe
  2⤵
  PID:10016
- C:\Windows\System32\PLSiIwU.exe
  C:\Windows\System32\PLSiIwU.exe
  2⤵
  PID:10576
- C:\Windows\System32\BWLtTSO.exe
  C:\Windows\System32\BWLtTSO.exe
  2⤵
  PID:10748
- C:\Windows\System32\kFHfZBM.exe
  C:\Windows\System32\kFHfZBM.exe
  2⤵
  PID:11000
- C:\Windows\System32\jWyYCvP.exe
  C:\Windows\System32\jWyYCvP.exe
  2⤵
  PID:11012
- C:\Windows\System32\RoQCJTr.exe
  C:\Windows\System32\RoQCJTr.exe
  2⤵
  PID:11068
- C:\Windows\System32\YgbOzNL.exe
  C:\Windows\System32\YgbOzNL.exe
  2⤵
  PID:10676
- C:\Windows\System32\drTyqcq.exe
  C:\Windows\System32\drTyqcq.exe
  2⤵
  PID:10904
- C:\Windows\System32\DGWfDSQ.exe
  C:\Windows\System32\DGWfDSQ.exe
  2⤵
  PID:10296
- C:\Windows\System32\sNxUzho.exe
  C:\Windows\System32\sNxUzho.exe
  2⤵
  PID:11152
- C:\Windows\System32\rttuSyU.exe
  C:\Windows\System32\rttuSyU.exe
  2⤵
  PID:11280
- C:\Windows\System32\dCqbAFG.exe
  C:\Windows\System32\dCqbAFG.exe
  2⤵
  PID:11300
- C:\Windows\System32\XvPvNhc.exe
  C:\Windows\System32\XvPvNhc.exe
  2⤵
  PID:11320
- C:\Windows\System32\bbRgMaV.exe
  C:\Windows\System32\bbRgMaV.exe
  2⤵
  PID:11344
- C:\Windows\System32\DHiUKzF.exe
  C:\Windows\System32\DHiUKzF.exe
  2⤵
  PID:11368
- C:\Windows\System32\qZwngeF.exe
  C:\Windows\System32\qZwngeF.exe
  2⤵
  PID:11384
- C:\Windows\System32\TFBVMhK.exe
  C:\Windows\System32\TFBVMhK.exe
  2⤵
  PID:11440
- C:\Windows\System32\MONbnDX.exe
  C:\Windows\System32\MONbnDX.exe
  2⤵
  PID:11468
- C:\Windows\System32\SMIsrJw.exe
  C:\Windows\System32\SMIsrJw.exe
  2⤵
  PID:11508
- C:\Windows\System32\pbWXMHH.exe
  C:\Windows\System32\pbWXMHH.exe
  2⤵
  PID:11544
- C:\Windows\System32\CHVqipH.exe
  C:\Windows\System32\CHVqipH.exe
  2⤵
  PID:11572
- C:\Windows\System32\DDjejYp.exe
  C:\Windows\System32\DDjejYp.exe
  2⤵
  PID:11596
- C:\Windows\System32\fRieWsX.exe
  C:\Windows\System32\fRieWsX.exe
  2⤵
  PID:11628
- C:\Windows\System32\xgAqJZQ.exe
  C:\Windows\System32\xgAqJZQ.exe
  2⤵
  PID:11660
- C:\Windows\System32\KXXGPfp.exe
  C:\Windows\System32\KXXGPfp.exe
  2⤵
  PID:11680
- C:\Windows\System32\difBVEH.exe
  C:\Windows\System32\difBVEH.exe
  2⤵
  PID:11696
- C:\Windows\System32\DBxcCWN.exe
  C:\Windows\System32\DBxcCWN.exe
  2⤵
  PID:11720
- C:\Windows\System32\oUzvxbf.exe
  C:\Windows\System32\oUzvxbf.exe
  2⤵
  PID:11760
- C:\Windows\System32\ndEnydB.exe
  C:\Windows\System32\ndEnydB.exe
  2⤵
  PID:11788
- C:\Windows\System32\JgbLGiB.exe
  C:\Windows\System32\JgbLGiB.exe
  2⤵
  PID:11816
- C:\Windows\System32\MREhlXU.exe
  C:\Windows\System32\MREhlXU.exe
  2⤵
  PID:11832
- C:\Windows\System32\cxWDLtt.exe
  C:\Windows\System32\cxWDLtt.exe
  2⤵
  PID:11848
- C:\Windows\System32\lsIspbm.exe
  C:\Windows\System32\lsIspbm.exe
  2⤵
  PID:11872
- C:\Windows\System32\OnECzTC.exe
  C:\Windows\System32\OnECzTC.exe
  2⤵
  PID:11888
- C:\Windows\System32\bzqXRlS.exe
  C:\Windows\System32\bzqXRlS.exe
  2⤵
  PID:11924
- C:\Windows\System32\WVeBIOl.exe
  C:\Windows\System32\WVeBIOl.exe
  2⤵
  PID:11940
- C:\Windows\System32\bFPOodF.exe
  C:\Windows\System32\bFPOodF.exe
  2⤵
  PID:11968
- C:\Windows\System32\mGMibgv.exe
  C:\Windows\System32\mGMibgv.exe
  2⤵
  PID:12016
- C:\Windows\System32\OViacTj.exe
  C:\Windows\System32\OViacTj.exe
  2⤵
  PID:12076
- C:\Windows\System32\rfHnhHw.exe
  C:\Windows\System32\rfHnhHw.exe
  2⤵
  PID:12096
- C:\Windows\System32\phqGKxw.exe
  C:\Windows\System32\phqGKxw.exe
  2⤵
  PID:12136
- C:\Windows\System32\vFMlwMb.exe
  C:\Windows\System32\vFMlwMb.exe
  2⤵
  PID:12156
- C:\Windows\System32\CpmXgZS.exe
  C:\Windows\System32\CpmXgZS.exe
  2⤵
  PID:12200
- C:\Windows\System32\uKBtBGY.exe
  C:\Windows\System32\uKBtBGY.exe
  2⤵
  PID:12228
- C:\Windows\System32\vesMXfo.exe
  C:\Windows\System32\vesMXfo.exe
  2⤵
  PID:12256
- C:\Windows\System32\aVjWpJp.exe
  C:\Windows\System32\aVjWpJp.exe
  2⤵
  PID:12272
- C:\Windows\System32\jSunaKv.exe
  C:\Windows\System32\jSunaKv.exe
  2⤵
  PID:10556
- C:\Windows\System32\XGAIwzj.exe
  C:\Windows\System32\XGAIwzj.exe
  2⤵
  PID:11316
- C:\Windows\System32\OWKDKhB.exe
  C:\Windows\System32\OWKDKhB.exe
  2⤵
  PID:11412
- C:\Windows\System32\YSzRTca.exe
  C:\Windows\System32\YSzRTca.exe
  2⤵
  PID:11520
- C:\Windows\System32\fyqhqgg.exe
  C:\Windows\System32\fyqhqgg.exe
  2⤵
  PID:11552
- C:\Windows\System32\hiXyyjD.exe
  C:\Windows\System32\hiXyyjD.exe
  2⤵
  PID:11604
- C:\Windows\System32\GCfALBE.exe
  C:\Windows\System32\GCfALBE.exe
  2⤵
  PID:11704
- C:\Windows\System32\YVMIwYr.exe
  C:\Windows\System32\YVMIwYr.exe
  2⤵
  PID:11732
- C:\Windows\System32\TjsdcmR.exe
  C:\Windows\System32\TjsdcmR.exe
  2⤵
  PID:11780
- C:\Windows\System32\kJuSwMp.exe
  C:\Windows\System32\kJuSwMp.exe
  2⤵
  PID:2640
- C:\Windows\System32\YavRkEV.exe
  C:\Windows\System32\YavRkEV.exe
  2⤵
  PID:11984
- C:\Windows\System32\qhsEkVy.exe
  C:\Windows\System32\qhsEkVy.exe
  2⤵
  PID:11948
- C:\Windows\System32\diXGCNh.exe
  C:\Windows\System32\diXGCNh.exe
  2⤵
  PID:11956
- C:\Windows\System32\IhvONMJ.exe
  C:\Windows\System32\IhvONMJ.exe
  2⤵
  PID:12092
- C:\Windows\System32\odbnXfH.exe
  C:\Windows\System32\odbnXfH.exe
  2⤵
  PID:12164
- C:\Windows\System32\QxBwBKK.exe
  C:\Windows\System32\QxBwBKK.exe
  2⤵
  PID:12240
- C:\Windows\System32\VnFRnMc.exe
  C:\Windows\System32\VnFRnMc.exe
  2⤵
  PID:2236
- C:\Windows\System32\gBiDurt.exe
  C:\Windows\System32\gBiDurt.exe
  2⤵
  PID:11360
- C:\Windows\System32\bCWmFCX.exe
  C:\Windows\System32\bCWmFCX.exe
  2⤵
  PID:11488
- C:\Windows\System32\zdRVPir.exe
  C:\Windows\System32\zdRVPir.exe
  2⤵
  PID:11656
- C:\Windows\System32\FeXogQZ.exe
  C:\Windows\System32\FeXogQZ.exe
  2⤵
  PID:11776
- C:\Windows\System32\eYbMYcd.exe
  C:\Windows\System32\eYbMYcd.exe
  2⤵
  PID:11916
- C:\Windows\System32\kFbxxza.exe
  C:\Windows\System32\kFbxxza.exe
  2⤵
  PID:4456
- C:\Windows\System32\aYMUHTz.exe
  C:\Windows\System32\aYMUHTz.exe
  2⤵
  PID:11904
- C:\Windows\System32\vakXjjO.exe
  C:\Windows\System32\vakXjjO.exe
  2⤵
  PID:4340
- C:\Windows\System32\kvMaQLR.exe
  C:\Windows\System32\kvMaQLR.exe
  2⤵
  PID:12244
- C:\Windows\System32\bpWxcep.exe
  C:\Windows\System32\bpWxcep.exe
  2⤵
  PID:11356
- C:\Windows\System32\LbfEQdI.exe
  C:\Windows\System32\LbfEQdI.exe
  2⤵
  PID:3444
- C:\Windows\System32\fLXuiTv.exe
  C:\Windows\System32\fLXuiTv.exe
  2⤵
  PID:11856
- C:\Windows\System32\WbxGbBy.exe
  C:\Windows\System32\WbxGbBy.exe
  2⤵
  PID:11272
- C:\Windows\System32\dNOQlaO.exe
  C:\Windows\System32\dNOQlaO.exe
  2⤵
  PID:3724
- C:\Windows\System32\TIgdxBy.exe
  C:\Windows\System32\TIgdxBy.exe
  2⤵
  PID:12300
- C:\Windows\System32\IprOoKF.exe
  C:\Windows\System32\IprOoKF.exe
  2⤵
  PID:12324
- C:\Windows\System32\zZiUjnu.exe
  C:\Windows\System32\zZiUjnu.exe
  2⤵
  PID:12344
- C:\Windows\System32\DOiGUtm.exe
  C:\Windows\System32\DOiGUtm.exe
  2⤵
  PID:12388
- C:\Windows\System32\pqOFlbX.exe
  C:\Windows\System32\pqOFlbX.exe
  2⤵
  PID:12412
- C:\Windows\System32\xBIylYe.exe
  C:\Windows\System32\xBIylYe.exe
  2⤵
  PID:12432
- C:\Windows\System32\KvsFywh.exe
  C:\Windows\System32\KvsFywh.exe
  2⤵
  PID:12460
- C:\Windows\System32\drzdGva.exe
  C:\Windows\System32\drzdGva.exe
  2⤵
  PID:12484
- C:\Windows\System32\xTXeVZP.exe
  C:\Windows\System32\xTXeVZP.exe
  2⤵
  PID:12536
- C:\Windows\System32\IrJYnap.exe
  C:\Windows\System32\IrJYnap.exe
  2⤵
  PID:12552
- C:\Windows\System32\AGCVmPz.exe
  C:\Windows\System32\AGCVmPz.exe
  2⤵
  PID:12572
- C:\Windows\System32\wgblMhp.exe
  C:\Windows\System32\wgblMhp.exe
  2⤵
  PID:12608
- C:\Windows\System32\XFXjAeQ.exe
  C:\Windows\System32\XFXjAeQ.exe
  2⤵
  PID:12632
- C:\Windows\System32\gjTlmUK.exe
  C:\Windows\System32\gjTlmUK.exe
  2⤵
  PID:12648
- C:\Windows\System32\PGIFYRx.exe
  C:\Windows\System32\PGIFYRx.exe
  2⤵
  PID:12676
- C:\Windows\System32\lBMPIUD.exe
  C:\Windows\System32\lBMPIUD.exe
  2⤵
  PID:12704
- C:\Windows\System32\CMNlSoC.exe
  C:\Windows\System32\CMNlSoC.exe
  2⤵
  PID:12744
- C:\Windows\System32\TKtXAOe.exe
  C:\Windows\System32\TKtXAOe.exe
  2⤵
  PID:12808
- C:\Windows\System32\hwSJcdX.exe
  C:\Windows\System32\hwSJcdX.exe
  2⤵
  PID:12824
- C:\Windows\System32\MEDhLbK.exe
  C:\Windows\System32\MEDhLbK.exe
  2⤵
  PID:12860
- C:\Windows\System32\BiORLgi.exe
  C:\Windows\System32\BiORLgi.exe
  2⤵
  PID:12888
- C:\Windows\System32\OrxVZQR.exe
  C:\Windows\System32\OrxVZQR.exe
  2⤵
  PID:12940
- C:\Windows\System32\hPBDKLp.exe
  C:\Windows\System32\hPBDKLp.exe
  2⤵
  PID:12980
- C:\Windows\System32\ydIRHOx.exe
  C:\Windows\System32\ydIRHOx.exe
  2⤵
  PID:13096
- C:\Windows\System32\YUZVrMl.exe
  C:\Windows\System32\YUZVrMl.exe
  2⤵
  PID:13112
- C:\Windows\System32\Yskvtbr.exe
  C:\Windows\System32\Yskvtbr.exe
  2⤵
  PID:13128
- C:\Windows\System32\PllHNxx.exe
  C:\Windows\System32\PllHNxx.exe
  2⤵
  PID:13144
- C:\Windows\System32\qbMadVE.exe
  C:\Windows\System32\qbMadVE.exe
  2⤵
  PID:13160
- C:\Windows\System32\PDZyHUG.exe
  C:\Windows\System32\PDZyHUG.exe
  2⤵
  PID:13176
- C:\Windows\System32\HJtEdmn.exe
  C:\Windows\System32\HJtEdmn.exe
  2⤵
  PID:13192
- C:\Windows\System32\nsPYltJ.exe
  C:\Windows\System32\nsPYltJ.exe
  2⤵
  PID:13208
- C:\Windows\System32\mKkmlLI.exe
  C:\Windows\System32\mKkmlLI.exe
  2⤵
  PID:13224
- C:\Windows\System32\yaBiZlF.exe
  C:\Windows\System32\yaBiZlF.exe
  2⤵
  PID:13296
- C:\Windows\System32\NTtXrvG.exe
  C:\Windows\System32\NTtXrvG.exe
  2⤵
  PID:12504
- C:\Windows\System32\aGJUfVU.exe
  C:\Windows\System32\aGJUfVU.exe
  2⤵
  PID:12532
- C:\Windows\System32\mwLQffK.exe
  C:\Windows\System32\mwLQffK.exe
  2⤵
  PID:12584
- C:\Windows\System32\RfknaKE.exe
  C:\Windows\System32\RfknaKE.exe
  2⤵
  PID:12760
- C:\Windows\System32\hkhlQFe.exe
  C:\Windows\System32\hkhlQFe.exe
  2⤵
  PID:12920
- C:\Windows\System32\clIKmMo.exe
  C:\Windows\System32\clIKmMo.exe
  2⤵
  PID:13064
- C:\Windows\System32\QLcZWkb.exe
  C:\Windows\System32\QLcZWkb.exe
  2⤵
  PID:13020
- C:\Windows\System32\TMwQYcz.exe
  C:\Windows\System32\TMwQYcz.exe
  2⤵
  PID:13036
- C:\Windows\System32\PmOnmGs.exe
  C:\Windows\System32\PmOnmGs.exe
  2⤵
  PID:13188
- C:\Windows\System32\cOtBWdq.exe
  C:\Windows\System32\cOtBWdq.exe
  2⤵
  PID:13260
- C:\Windows\System32\fHlNonU.exe
  C:\Windows\System32\fHlNonU.exe
  2⤵
  PID:13236
- C:\Windows\System32\HzTnaHN.exe
  C:\Windows\System32\HzTnaHN.exe
  2⤵
  PID:13284
- C:\Windows\System32\LfRUYTs.exe
  C:\Windows\System32\LfRUYTs.exe
  2⤵
  PID:13220
- C:\Windows\System32\vdBIoJo.exe
  C:\Windows\System32\vdBIoJo.exe
  2⤵
  PID:12548
- C:\Windows\System32\jXkQXBw.exe
  C:\Windows\System32\jXkQXBw.exe
  2⤵
  PID:12688
- C:\Windows\System32\nRmdJun.exe
  C:\Windows\System32\nRmdJun.exe
  2⤵
  PID:12972
- C:\Windows\System32\prVkcbq.exe
  C:\Windows\System32\prVkcbq.exe
  2⤵
  PID:13052
- C:\Windows\System32\TwFgzNr.exe
  C:\Windows\System32\TwFgzNr.exe
  2⤵
  PID:13124
- C:\Windows\System32\SDJzcFs.exe
  C:\Windows\System32\SDJzcFs.exe
  2⤵
  PID:13216

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BGRpXUl.exe

Filesize
1.7MB

MD5
9b14cb5b780f3bfa974bb7b8bff198d1

SHA1
d087f946f1e3fd57996460dda84c8125074752ac

SHA256
79fd283bae015abc3d99421d0b435b4e25bc63d75d5d027fc998cc02fb0648e1

SHA512
1c13e4d20fe52cabb967c47fb596b68f85b05c0af0bfbc8e351fa9fbf9c9465ed5c0838f4c5b27c1a040c504d276617c4d399bdb1d86bd8620da6867240e8127

Download Submit
C:\Windows\System32\BOMKFwc.exe

Filesize
1.7MB

MD5
8f661808ef91a1f9cad0e06f358bef3e

SHA1
2a73709868e2c40216204ae124e0bf7eeeafb777

SHA256
24192598dfe6217ec9e57a3fec718651477b5f0d23c9b5de39b5a51d1df148f2

SHA512
1fe6cf3d25ae55e3fa6b9cdb702afd19184682ec04881e4996b50854cbf8d7f1dbe5a89945bc16f925b7aab7a7d46ee5de81e5e7d4717737b00e5975d2d78d8e

Download Submit
C:\Windows\System32\Cccbzgv.exe

Filesize
1.7MB

MD5
767f074a03876188f8140fc182f2e45b

SHA1
8f43115186f41315d4909ccba6477d28621dd752

SHA256
3770285b12ca5d9d6d6e762b6b09d3c027a849f56515c3236ca116ed90e718f6

SHA512
bafc382870a26f44b498d080500ed800f5fcc9ba896becc37e258f4f1890ae19ebdddfc9f0007c80909ce1f42cf66bebff5bff7291abf581902fc78eb095b3c2

Download Submit
C:\Windows\System32\DKzUoXY.exe

Filesize
1.7MB

MD5
5a4cfbf366646af353e3c310803a5774

SHA1
c1ec622311c8c59f08ac1ac78b83f15b02f86eb5

SHA256
a985a5b1b4f3d64a500026b03bddb8002fab459f0418db7864f86c1aa6558c9d

SHA512
d9e1002f2a19a5a1a01162dfdbf4f2391009fd754b483b1bbf3d7fa3e83de68d0a1dcde8678b39b500da114a269109db96b0994fc670789262b46b170d87a564

Download Submit
C:\Windows\System32\EyVHhry.exe

Filesize
1.7MB

MD5
a1b935d84ce718e614ff5c3f5a8b32fe

SHA1
678050c2432da68c92fc9ae1503b27372b5668a4

SHA256
60e5953ef978c9a459c2b0de3b3d9a822b9e5b2c1c1db115a60eb871a97efd3e

SHA512
d4be1b1467b1ec2f8f7ad72924fb442f84628972aff1f45b6e318ae7e5bc81cbefdb9feff694b97bcc0b5a026194af6a87bf68661080eb7d2da81ad3ca6c3405

Download Submit
C:\Windows\System32\JeWFUjB.exe

Filesize
1.7MB

MD5
88b032a4f8d7466675aa8c2665e7140a

SHA1
18c4e5e5ce7e8de97a1584cf4de9bf88b67e7efb

SHA256
e9e2d5d8f16f055ca4d17cc28207767a7c09c4014e0cf7b2e345d657317dc92a

SHA512
5035746e37dc29ccf7d5166b551cffbef27092ff14a71d999e87404a16656c5e95ca94043c52f023b1e76ba7f75e21012dcae44b2abe4bb3ab6900335cb78c91

Download Submit
C:\Windows\System32\NWtDKVV.exe

Filesize
1.7MB

MD5
4fea28369c5e157f79518802aaebe821

SHA1
0c6543b0e264c5f5e5062e4482fbc7f28c22b111

SHA256
6b310ff1e63e2701827611b42656aed8397ab04f19e750418a2fe5c5c0059964

SHA512
c7f42bdabd7826d66b8b505b5e89d22507120ca90572554688127c56f3c8ea712d2ef36100fb5241d166896aa47abe10f0859deaea6aac49f148e0642bd28b28

Download Submit
C:\Windows\System32\NuDcCQL.exe

Filesize
1.7MB

MD5
4c0cbdf7d37472205c02900b38d8d591

SHA1
f84c42499ab03c31c955e6c1da414782e3a1057e

SHA256
07141eb71639ba989c888aa42c1ec32204395ee91cb358019b60dbff83e3669e

SHA512
900f801c328f00a95521849180867e9cf1e649ae44c837892f769b64bb429c5e792f4951a384f5abfd165d80736f9dcea71717da680d557b4a8eeba2a8b11bc2

Download Submit
C:\Windows\System32\PvTnTGQ.exe

Filesize
1.7MB

MD5
b3a31cb0b1d048da5cc7e40fdf3557bb

SHA1
f78b76a041955e7aa2f7a201a56faa6c45c3c8d3

SHA256
2a07575b24f8031a6b715676041b9a5f497e4bb885a7f97b2d64c09e08220bd5

SHA512
18a1262bd1c35a509f11e5aefecf38825212c017c50361bcb02a505c749fbaa14ac4a44c1dc7ff38b9e11b027c72a017959bdce11587d576e406a37c0dec8814

Download Submit
C:\Windows\System32\UchKOwJ.exe

Filesize
1.7MB

MD5
d745867526f8711429afbaf11171231d

SHA1
6a43b082b21cebf06e04e1a5c44ebcccdfa3044a

SHA256
b20b3d5523fcea574e866391598d23e46c8eec236183b36d14274538e1ef1f7b

SHA512
f4a54ff7e29093b8a1765cb0160b720395eccababe2e0527c43f5d19605344b8356a2cce51c4da70b3303d7d04e07a02fd106f43b50b662c2148447ee6bc6c49

Download Submit
C:\Windows\System32\WWmWzXq.exe

Filesize
1.7MB

MD5
8e3c65c51bb0d6d5cb664a008f0b2d35

SHA1
c546c35f8e4552bc38b811f648c6da0fd1a2d9c7

SHA256
ab58d72cc417395f343c9c2bcead192e7193297992c796161e115d6c2ebbdc1f

SHA512
013619687c6ea0e814ab7d82790da3c274e178da33790011499e88a03c498179a1595c075cc1348317c8f489ab0071da7aa0894f58e20f3c0757ede55dbbf7ea

Download Submit
C:\Windows\System32\XhMJIJY.exe

Filesize
1.7MB

MD5
b4214183d9be07431455d1ae0c10c34c

SHA1
d0d5baf7857a4d6038a3e10573387b6f411af7f5

SHA256
d2d0d34a7b8687be622293d10c2e34212feb6b1a73ca1f7ed8aa9991c1690a01

SHA512
a2f37de72c7dfdf1660b6496b691e9a9a7b2b1b76fee9185e92be37537fa480ee09bc7d0526449617f301b02eb12e30985b920e99e3f15547fe9ac1693da2adb

Download Submit
C:\Windows\System32\ZaSVTGU.exe

Filesize
1.7MB

MD5
88b99ccb0bd55d249f37369d68e0c2dd

SHA1
c1e064f53e6cb7a784bf632ea03e49a1cbe85eea

SHA256
a03341c840651649eb3fd482352c24b2915d00b8f42f80abf0ae3b42e61c2d7a

SHA512
2ce3fe319c32c068b76e0d1980a5d0e919d7cfb63c834f0dfbac57fc874f95e5a33c242ac56e06f82f5d9c5422102ec333f80c89f3f170aa8bd7013a82fd15e2

Download Submit
C:\Windows\System32\dRTGvsn.exe

Filesize
1.7MB

MD5
d87ad43c82e3a50aa3ff8299ca5de909

SHA1
c0ed20e3827e93169d6e9ffb38a37eeca4e9fce3

SHA256
34089247fdbf8a10fda956eb150986262172b93a12c051e3d5443e7446ba3be9

SHA512
5501f959e6f036242dd3c0a8b57ce2e08eef88b255ed3af9a45a7b96be8c322fdfa6608eccd72f1b07d76f573fc44919355364dbff9d6494b62f5a5dd674f2ea

Download Submit
C:\Windows\System32\eNfPinN.exe

Filesize
1.7MB

MD5
c24bd442e254d16765ed7f8ed71f1ad5

SHA1
e4bcf26b41643e0c4e867c64eaacffaa839547c5

SHA256
91ca70c78e6132e3a3cbbb0982bdb07f48600ce4e179cd4bc2523a3e65fce9ef

SHA512
19bef6fe8ecf3ac40919e529e28290c7021cd309401600728395d48e895499a67a3124708ee47545c364730fcb952a7100f2744f44f3368377d4ddd2151f0a77

Download Submit
C:\Windows\System32\gJnVGET.exe

Filesize
1.7MB

MD5
8d0b42ae3d29d634fdd8a7076317753c

SHA1
e905ccb183ff964f8af580a666b40d9def9fcd86

SHA256
eee488c949e81d55030730685f6c86c9cb6200cc4da50aa905d169a4e8347c09

SHA512
f4a75a614b5f4c2d23465239915770c2c929e5099ce803507bf1aebdd4f0991ec1545057ad254db3e3f69495d4e83442557f79221c57bc8232a4316ad654addf

Download Submit
C:\Windows\System32\gksgNHT.exe

Filesize
1.7MB

MD5
555bbbf7b0e00fbb7e1fd040358002e8

SHA1
6096765157a92c54055caff658e2cae6c33d554b

SHA256
a968fa65fdd6abf81a7ff2f32c82ae8472cb9fb30893cbcdf8f9e15276d04b44

SHA512
37daeebeb73a0d1cd52c0448cbd38de2d7ab406072bd138ea104309e376f0125e5615889f21a7162e97484a96520a7a041a18e1cc32d020401efd647dbe2a885

Download Submit
C:\Windows\System32\kQVcxjz.exe

Filesize
1.7MB

MD5
3f8a822fea7b831b137b0ebd2444f5c2

SHA1
63be8f81403424edcc22d866dac8d2ddf555e12f

SHA256
62a203ea7c8893230ee2770c7b57f1898a83a18fd4a4019f0cb509fc0cc56cb2

SHA512
7591510fe6b89eb25d9820d5f56759995e002eba09948f0afec181f888a5c1699a12266eb6ffbba2863a02e233197dbcff54f7de1106a505ec161a6df9e2b14d

Download Submit
C:\Windows\System32\lfBdYiN.exe

Filesize
1.7MB

MD5
38d5abba0ee3f2e841739756816e253a

SHA1
9a1c13debc3a404ec446d57c5454fb2f17892865

SHA256
7350c5c547300f2407fe3d93dae154c3c436d23fb1280e4de38cab9e96a9a76d

SHA512
ea72c2cfd7f2ce7c5697c9b112b63b0459aec086759f11e60cc3efcbe677b0bc78893a9b18d98f896b15917f7d4755f3efd89635765d90ae9c36cc24737d4d94

Download Submit
C:\Windows\System32\mDDpcGk.exe

Filesize
1.7MB

MD5
b7cd05bec9834ec036acb42cbeecde5c

SHA1
a79fd86342ac1bceb8791ebe18e950bf16091875

SHA256
fcdb65b3f859d29dbd4c14a12036d0db679bfe39629e17456fc6f52521485953

SHA512
d59e16d9b7054754c193e21b1fb647e2580f31a824c4e271b4ff853f7606a201cf198163b8ccc9e802b48faa41f98b69052626dbc402365379287895a3596993

Download Submit
C:\Windows\System32\mjeriPZ.exe

Filesize
1.7MB

MD5
e15db3507f256f49f826f26afdc3fe25

SHA1
21ab05fcc518fcd22ec11e23055d97e88e813fbf

SHA256
0c15e24af15c1fbfccb686e0ab3d9f97bb3dd3018a64216ba0d4cc240f2b5911

SHA512
f135ae448da981304b2c755cecda100f6534cd133cc50762313a2e1b29db23c7945727c7b4bf5b2ae40a0acb2c186150ab6763bf4a6a223032d86a024380de50

Download Submit
C:\Windows\System32\oizQcIS.exe

Filesize
1.7MB

MD5
009642918837067ce9670c2dfdc5c5fe

SHA1
e40bb193de7949b0dd7f4809f7c588f814786d02

SHA256
c18557cc97a3742794a87afe15edbee6f1fa295d53ee56e5ac542881e79660b2

SHA512
454ee7707ebab0b359f5d8a1dcfacd499416274bdd5def840a444b9d745b17e336c69052c62e145dac4619daa0b5de8d07b6eb13f609880b20c1838cb8dced2e

Download Submit
C:\Windows\System32\pEwbLhM.exe

Filesize
1.7MB

MD5
7ed471cf383eb022f568ba082a78e285

SHA1
a49d0390113d8ee35b0c6071f5f3d8b13b5c3e0c

SHA256
4c87d6597ea71623d92e26d8758a18beebf2a3aaabefdccaa2a5918e88a29b1d

SHA512
f697c482cb96ceed1091b26623b493c5542f9a201c2c829f774e3705bd6e4e1a42152899a6a9e29d73f18d384c04121b9a71f8bd89818520282ea9d5fa0a7e27

Download Submit
C:\Windows\System32\qzAPrxt.exe

Filesize
1.7MB

MD5
48158bf40d57cb93371d6b742140847a

SHA1
ad4b15e567df545567de3c84ed10b87b129ca579

SHA256
7986a60ad238d30ec73d4c741383a81a00c0e38ea421c80534da2a821c4943ab

SHA512
cad4f920a8e7c18cd179b879011ae0ddaf7b5142005be611df0f782c9b75f9e0b38cfeb6b575b073671a6ab94928f069dee39112233fe99e2d1b8ef63eafb5db

Download Submit
C:\Windows\System32\suDxmrq.exe

Filesize
1.7MB

MD5
0fa46c4eae95f3b0d4ee11c19bae400e

SHA1
a6ef748ad0adcd4728ae2b454cfdd061f59fa4b9

SHA256
1bfc97051dc833f77b0ea81bbbb4b4f70e1209f6d0d831af00559ba15aded317

SHA512
2cd31f3000ea04f28bd9cce972ff1b361c14f37d51889d8fd7146c496b464f9ff41333f1a4348f67923a7123028a47a078db2e5e8324a8b438845ddc23de05a7

Download Submit
C:\Windows\System32\tOmrPIA.exe

Filesize
1.7MB

MD5
1eaf98c554bc1f10a906c61be5c13b3d

SHA1
5c0c34712d95f763c36ba1ce17271866302e47f2

SHA256
c3271ae59e06e82a64ac9d2a970d50bd9636eb211f8b6d2bf76ff62abcd9d25d

SHA512
dfd4a40e1ea5e331fc8ab6fd750286f7b5a51b414cc0c325935b9f5575d4493bf9ec7793b43255b372591cabd3474a337f14ac6b0f03af90c5894aefa2d89f64

Download Submit
C:\Windows\System32\tPbulxX.exe

Filesize
1.7MB

MD5
b08b938c65864e7cab534ad4452ba97d

SHA1
5678b958c78204a72a7ff5778362bfe87950979e

SHA256
ea2d27edac2213cea7fa5d2e0580259e320eb457bea2b52ccc9d65ffb6ffc95c

SHA512
0e074fbc58c3ac1571e541c130c844dd2c68b85508e18ecb59c828775335687b9e087d94ada689e23b685c695aabb8911408633756d0670a17786ccb6710dfe6

Download Submit
C:\Windows\System32\tdxhfxU.exe

Filesize
1.7MB

MD5
c39aac354fb16452700fabec88327089

SHA1
9ed006d2e1da381a2a6d9813dda03b23c2f4592b

SHA256
c5bc040ee5b6279bb39fee31415e67267cc465da28ab3faa6a20978c1d62c42a

SHA512
e441362268f38f88e44c0fbdd8c25314f33bdb3e14f9466b4abc1c056a7b1088d55b04fdd52dee5990fb8ca5ce561410919b665f2f8fac7357da9600af57934f

Download Submit
C:\Windows\System32\vJPclDi.exe

Filesize
1.7MB

MD5
91ec8b77ef7818c5819b70d7d47c6761

SHA1
54c4053150cdaffec29c4e75669297cd35e7c68a

SHA256
738cdf5c7317c9ba06848d05c7c4efded1f7b34736a4491bf708e74597a7050a

SHA512
c97e00f4079596939949e1fc3121ee3b6443a1b0670d35a850fbd6ecca27f0dbc0e29f5e79de344f8194bf619343b3d3af2797742e9a2eaf852d9c54da0cb93d

Download Submit
C:\Windows\System32\vRhxYdN.exe

Filesize
1.7MB

MD5
f86788be4b417e33f4cc898dc106307c

SHA1
9c3e06671f2f14da1f894f11438561e1883782ba

SHA256
ba4909875845f2f4017a4261d396f6b38779528e96fcca7e5ac26f4225277050

SHA512
6b10bcab3736fa70c0ccc5c4ced7a1c74414ed1b34048622902e935cefa5257966271a0442606bfa931f03b01861400ea6c9c81cd0f0e88cf370843ddd26caf5

Download Submit
C:\Windows\System32\vdlHrfg.exe

Filesize
1.7MB

MD5
f4c75a911a09c11d08fce9f2b5ee2601

SHA1
9c6d7b7f7a8e4fff1bd4fe7cbe65faf91454c54d

SHA256
d8ef1d8acd84390432dc01654c37eb52adebeb32597aa68c246c91beaedb870d

SHA512
a1948487fb52746bb3bc15e9083f5587d13a60fb3cb4d442199dd3025cf487389fb993a450b3fa929311086695e1ba9678097c2a83401a0338db53faaba2a0cc

Download Submit
C:\Windows\System32\vllvmWH.exe

Filesize
1.7MB

MD5
eb0e766f3816aa75bd4bbc9ec0690fc3

SHA1
e842ba19e7e45e67b32421b9700d8bbea295768a

SHA256
e0fcdcfe4245fb1ecf4debbdd217c5eb2b7d4b6019d69b3e1436caf80936ae39

SHA512
a42601c6f33be309a8c447194b0bf3a4a84706be589f0aad6c293e02b6728eb8e7042697aadef50f10dcdcfa66d8b5a44ffe8a9ba6096fb31ab8111e6e6e22ba

Download Submit
memory/432-414-0x00007FF669A90000-0x00007FF669E81000-memory.dmp

Filesize
3.9MB

Download
memory/432-2001-0x00007FF669A90000-0x00007FF669E81000-memory.dmp

Filesize
3.9MB

Download
memory/856-449-0x00007FF6E16F0000-0x00007FF6E1AE1000-memory.dmp

Filesize
3.9MB

Download
memory/856-2045-0x00007FF6E16F0000-0x00007FF6E1AE1000-memory.dmp

Filesize
3.9MB

Download
memory/1452-2039-0x00007FF750610000-0x00007FF750A01000-memory.dmp

Filesize
3.9MB

Download
memory/1452-454-0x00007FF750610000-0x00007FF750A01000-memory.dmp

Filesize
3.9MB

Download
memory/2304-424-0x00007FF716100000-0x00007FF7164F1000-memory.dmp

Filesize
3.9MB

Download
memory/2304-2029-0x00007FF716100000-0x00007FF7164F1000-memory.dmp

Filesize
3.9MB

Download
memory/2764-20-0x00007FF767E70000-0x00007FF768261000-memory.dmp

Filesize
3.9MB

Download
memory/2764-1981-0x00007FF767E70000-0x00007FF768261000-memory.dmp

Filesize
3.9MB

Download
memory/2764-1995-0x00007FF767E70000-0x00007FF768261000-memory.dmp

Filesize
3.9MB

Download
memory/2780-441-0x00007FF781C80000-0x00007FF782071000-memory.dmp

Filesize
3.9MB

Download
memory/2780-2043-0x00007FF781C80000-0x00007FF782071000-memory.dmp

Filesize
3.9MB

Download
memory/2940-2041-0x00007FF661220000-0x00007FF661611000-memory.dmp

Filesize
3.9MB

Download
memory/2940-457-0x00007FF661220000-0x00007FF661611000-memory.dmp

Filesize
3.9MB

Download
memory/3096-418-0x00007FF61AFD0000-0x00007FF61B3C1000-memory.dmp

Filesize
3.9MB

Download
memory/3096-2007-0x00007FF61AFD0000-0x00007FF61B3C1000-memory.dmp

Filesize
3.9MB

Download
memory/3216-459-0x00007FF79C7B0000-0x00007FF79CBA1000-memory.dmp

Filesize
3.9MB

Download
memory/3216-2036-0x00007FF79C7B0000-0x00007FF79CBA1000-memory.dmp

Filesize
3.9MB

Download
memory/3236-415-0x00007FF730F30000-0x00007FF731321000-memory.dmp

Filesize
3.9MB

Download
memory/3236-2003-0x00007FF730F30000-0x00007FF731321000-memory.dmp

Filesize
3.9MB

Download
memory/3320-422-0x00007FF6709E0000-0x00007FF670DD1000-memory.dmp

Filesize
3.9MB

Download
memory/3320-2017-0x00007FF6709E0000-0x00007FF670DD1000-memory.dmp

Filesize
3.9MB

Download
memory/3392-1997-0x00007FF7310D0000-0x00007FF7314C1000-memory.dmp

Filesize
3.9MB

Download
memory/3392-1983-0x00007FF7310D0000-0x00007FF7314C1000-memory.dmp

Filesize
3.9MB

Download
memory/3392-30-0x00007FF7310D0000-0x00007FF7314C1000-memory.dmp

Filesize
3.9MB

Download
memory/3528-1993-0x00007FF678BA0000-0x00007FF678F91000-memory.dmp

Filesize
3.9MB

Download
memory/3528-29-0x00007FF678BA0000-0x00007FF678F91000-memory.dmp

Filesize
3.9MB

Download
memory/3528-1982-0x00007FF678BA0000-0x00007FF678F91000-memory.dmp

Filesize
3.9MB

Download
memory/3652-2011-0x00007FF6129C0000-0x00007FF612DB1000-memory.dmp

Filesize
3.9MB

Download
memory/3652-419-0x00007FF6129C0000-0x00007FF612DB1000-memory.dmp

Filesize
3.9MB

Download
memory/3916-416-0x00007FF76AEC0000-0x00007FF76B2B1000-memory.dmp

Filesize
3.9MB

Download
memory/3916-2005-0x00007FF76AEC0000-0x00007FF76B2B1000-memory.dmp

Filesize
3.9MB

Download
memory/4012-413-0x00007FF71D330000-0x00007FF71D721000-memory.dmp

Filesize
3.9MB

Download
memory/4012-1999-0x00007FF71D330000-0x00007FF71D721000-memory.dmp

Filesize
3.9MB

Download
memory/4108-423-0x00007FF77D990000-0x00007FF77DD81000-memory.dmp

Filesize
3.9MB

Download
memory/4108-2019-0x00007FF77D990000-0x00007FF77DD81000-memory.dmp

Filesize
3.9MB

Download
memory/4216-421-0x00007FF796D00000-0x00007FF7970F1000-memory.dmp

Filesize
3.9MB

Download
memory/4216-2015-0x00007FF796D00000-0x00007FF7970F1000-memory.dmp

Filesize
3.9MB

Download
memory/4412-2009-0x00007FF65AC50000-0x00007FF65B041000-memory.dmp

Filesize
3.9MB

Download
memory/4412-417-0x00007FF65AC50000-0x00007FF65B041000-memory.dmp

Filesize
3.9MB

Download
memory/4460-433-0x00007FF7766A0000-0x00007FF776A91000-memory.dmp

Filesize
3.9MB

Download
memory/4460-2064-0x00007FF7766A0000-0x00007FF776A91000-memory.dmp

Filesize
3.9MB

Download
memory/4472-19-0x00007FF770210000-0x00007FF770601000-memory.dmp

Filesize
3.9MB

Download
memory/4472-1991-0x00007FF770210000-0x00007FF770601000-memory.dmp

Filesize
3.9MB

Download
memory/4748-450-0x00007FF713A50000-0x00007FF713E41000-memory.dmp

Filesize
3.9MB

Download
memory/4748-2021-0x00007FF713A50000-0x00007FF713E41000-memory.dmp

Filesize
3.9MB

Download
memory/4876-15-0x00007FF71A140000-0x00007FF71A531000-memory.dmp

Filesize
3.9MB

Download
memory/4876-1989-0x00007FF71A140000-0x00007FF71A531000-memory.dmp

Filesize
3.9MB

Download
memory/4896-2013-0x00007FF794CC0000-0x00007FF7950B1000-memory.dmp

Filesize
3.9MB

Download
memory/4896-420-0x00007FF794CC0000-0x00007FF7950B1000-memory.dmp

Filesize
3.9MB

Download
memory/5108-1948-0x00007FF6EDEF0000-0x00007FF6EE2E1000-memory.dmp

Filesize
3.9MB

Download
memory/5108-0-0x00007FF6EDEF0000-0x00007FF6EE2E1000-memory.dmp

Filesize
3.9MB

Download
memory/5108-1-0x0000015D82290000-0x0000015D822A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads