xmrig | 714f1b5e88c8ec13a04e3ce21f0e7bb0b78c07396c4dd86b5dbc8e6685ed5d39

Analysis

max time kernel
141s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
Size

1.1MB
MD5

3b855ab9f390229f475e996911953dfd
SHA1

3a82d3017e0b42b4b23e84179511764f5961fc6e
SHA256

714f1b5e88c8ec13a04e3ce21f0e7bb0b78c07396c4dd86b5dbc8e6685ed5d39
SHA512

50bc33d32200b4b1571b5f8f47c31b6e98da7f602c516e3b9609625ec333403fd303c53380b19df33a1058f3ffa557a3eea8b8276388fa9945c8e0c9ccecac22
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCejIODosTigQytOF2V:knw9oUUEEDlGUrMNXV

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/4136-18-0x00007FF65F6E0000-0x00007FF65FAD1000-memory.dmp	xmrig
behavioral2/memory/5088-38-0x00007FF76E270000-0x00007FF76E661000-memory.dmp	xmrig
behavioral2/memory/2544-413-0x00007FF7EC700000-0x00007FF7ECAF1000-memory.dmp	xmrig
behavioral2/memory/3880-415-0x00007FF67CDA0000-0x00007FF67D191000-memory.dmp	xmrig
behavioral2/memory/392-423-0x00007FF710000000-0x00007FF7103F1000-memory.dmp	xmrig
behavioral2/memory/4396-466-0x00007FF7425F0000-0x00007FF7429E1000-memory.dmp	xmrig
behavioral2/memory/4732-462-0x00007FF732D70000-0x00007FF733161000-memory.dmp	xmrig
behavioral2/memory/3844-471-0x00007FF6F5BA0000-0x00007FF6F5F91000-memory.dmp	xmrig
behavioral2/memory/4036-479-0x00007FF6424E0000-0x00007FF6428D1000-memory.dmp	xmrig
behavioral2/memory/4472-478-0x00007FF6F3700000-0x00007FF6F3AF1000-memory.dmp	xmrig
behavioral2/memory/5008-476-0x00007FF701010000-0x00007FF701401000-memory.dmp	xmrig
behavioral2/memory/4000-474-0x00007FF668C20000-0x00007FF669011000-memory.dmp	xmrig
behavioral2/memory/1212-473-0x00007FF706720000-0x00007FF706B11000-memory.dmp	xmrig
behavioral2/memory/448-461-0x00007FF7059D0000-0x00007FF705DC1000-memory.dmp	xmrig
behavioral2/memory/1892-480-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp	xmrig
behavioral2/memory/3736-489-0x00007FF7FF410000-0x00007FF7FF801000-memory.dmp	xmrig
behavioral2/memory/1748-103-0x00007FF64E2A0000-0x00007FF64E691000-memory.dmp	xmrig
behavioral2/memory/4576-92-0x00007FF7C92A0000-0x00007FF7C9691000-memory.dmp	xmrig
behavioral2/memory/4756-91-0x00007FF728180000-0x00007FF728571000-memory.dmp	xmrig
behavioral2/memory/3716-81-0x00007FF6C6A90000-0x00007FF6C6E81000-memory.dmp	xmrig
behavioral2/memory/1016-65-0x00007FF7A3F70000-0x00007FF7A4361000-memory.dmp	xmrig
behavioral2/memory/4152-34-0x00007FF6A7BC0000-0x00007FF6A7FB1000-memory.dmp	xmrig
behavioral2/memory/1496-32-0x00007FF783F50000-0x00007FF784341000-memory.dmp	xmrig
behavioral2/memory/4304-1956-0x00007FF6B5500000-0x00007FF6B58F1000-memory.dmp	xmrig
behavioral2/memory/3540-2023-0x00007FF790D10000-0x00007FF791101000-memory.dmp	xmrig
behavioral2/memory/4136-2022-0x00007FF65F6E0000-0x00007FF65FAD1000-memory.dmp	xmrig
behavioral2/memory/4136-2025-0x00007FF65F6E0000-0x00007FF65FAD1000-memory.dmp	xmrig
behavioral2/memory/5088-2027-0x00007FF76E270000-0x00007FF76E661000-memory.dmp	xmrig
behavioral2/memory/4152-2029-0x00007FF6A7BC0000-0x00007FF6A7FB1000-memory.dmp	xmrig
behavioral2/memory/1496-2031-0x00007FF783F50000-0x00007FF784341000-memory.dmp	xmrig
behavioral2/memory/1016-2033-0x00007FF7A3F70000-0x00007FF7A4361000-memory.dmp	xmrig
behavioral2/memory/3540-2035-0x00007FF790D10000-0x00007FF791101000-memory.dmp	xmrig
behavioral2/memory/4576-2043-0x00007FF7C92A0000-0x00007FF7C9691000-memory.dmp	xmrig
behavioral2/memory/3716-2041-0x00007FF6C6A90000-0x00007FF6C6E81000-memory.dmp	xmrig
behavioral2/memory/5008-2039-0x00007FF701010000-0x00007FF701401000-memory.dmp	xmrig
behavioral2/memory/1748-2037-0x00007FF64E2A0000-0x00007FF64E691000-memory.dmp	xmrig
behavioral2/memory/2544-2051-0x00007FF7EC700000-0x00007FF7ECAF1000-memory.dmp	xmrig
behavioral2/memory/4000-2067-0x00007FF668C20000-0x00007FF669011000-memory.dmp	xmrig
behavioral2/memory/4036-2065-0x00007FF6424E0000-0x00007FF6428D1000-memory.dmp	xmrig
behavioral2/memory/3880-2063-0x00007FF67CDA0000-0x00007FF67D191000-memory.dmp	xmrig
behavioral2/memory/448-2061-0x00007FF7059D0000-0x00007FF705DC1000-memory.dmp	xmrig
behavioral2/memory/392-2057-0x00007FF710000000-0x00007FF7103F1000-memory.dmp	xmrig
behavioral2/memory/1892-2055-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp	xmrig
behavioral2/memory/1212-2072-0x00007FF706720000-0x00007FF706B11000-memory.dmp	xmrig
behavioral2/memory/3736-2049-0x00007FF7FF410000-0x00007FF7FF801000-memory.dmp	xmrig
behavioral2/memory/4732-2059-0x00007FF732D70000-0x00007FF733161000-memory.dmp	xmrig
behavioral2/memory/3844-2053-0x00007FF6F5BA0000-0x00007FF6F5F91000-memory.dmp	xmrig
behavioral2/memory/4396-2047-0x00007FF7425F0000-0x00007FF7429E1000-memory.dmp	xmrig
behavioral2/memory/4756-2045-0x00007FF728180000-0x00007FF728571000-memory.dmp	xmrig
behavioral2/memory/4472-2069-0x00007FF6F3700000-0x00007FF6F3AF1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4136	PdCfjIi.exe
5088	GAVnqOJ.exe
1496	mmHRjDl.exe
4152	ZRWdBKh.exe
1016	NnCOvBn.exe
3540	LwtezqO.exe
3716	jaeopsc.exe
5008	LImRhMT.exe
4756	ffsBeiH.exe
4576	TxXksUK.exe
1748	hYDFgLA.exe
2544	xWLqSBB.exe
4472	GnnfYDB.exe
4036	poczDcS.exe
3880	hGudFCK.exe
392	OIiDuNP.exe
448	uolNWgV.exe
4732	dtYkrFT.exe
1892	EHVLkPh.exe
3736	dExNjoD.exe
4396	ZUTAKUh.exe
3844	GvJHTLb.exe
1212	DfjLkRn.exe
4000	wVqlwte.exe
4360	PhcQgJF.exe
4416	qKAPFRf.exe
4924	HvyJwhl.exe
1528	wmnBllr.exe
3356	EpduASl.exe
3180	lHItxZu.exe
3612	OoaJopX.exe
5056	DjjQAxE.exe
1844	rTYzLee.exe
3568	vQVFNwA.exe
2500	wmNEKaG.exe
3796	dbbJgMm.exe
768	SadzlpE.exe
4252	phYYdCe.exe
3028	YUltgxy.exe
3092	CRetqzO.exe
3556	nKVgVPT.exe
4392	LUWLAUv.exe
1712	qMnlAJl.exe
4512	BYmZUzc.exe
3748	CIfdjHK.exe
4508	NkCaQMh.exe
5016	oHmjFQO.exe
3080	ZOBAyyk.exe
4764	mkvcZna.exe
100	dJVCjOg.exe
4980	pMlqNaB.exe
4316	NpvqZfC.exe
4320	oaziqJk.exe
2948	PvJZUAM.exe
4260	kenqBhX.exe
2612	hrfYzUw.exe
1404	FMgbVIF.exe
3484	vSDvBgh.exe
3728	SEOgEXA.exe
3488	ZKAogAj.exe
2488	qrOrEmR.exe
4840	NArZMxe.exe
640	ILvimHs.exe
384	NQbSiSj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4304-0-0x00007FF6B5500000-0x00007FF6B58F1000-memory.dmp	upx
behavioral2/files/0x000a000000023400-5.dat	upx
behavioral2/files/0x000800000002341a-12.dat	upx
behavioral2/memory/4136-18-0x00007FF65F6E0000-0x00007FF65FAD1000-memory.dmp	upx
behavioral2/files/0x000700000002341e-26.dat	upx
behavioral2/files/0x000700000002341b-30.dat	upx
behavioral2/memory/3540-37-0x00007FF790D10000-0x00007FF791101000-memory.dmp	upx
behavioral2/memory/5088-38-0x00007FF76E270000-0x00007FF76E661000-memory.dmp	upx
behavioral2/files/0x000700000002341f-53.dat	upx
behavioral2/files/0x0007000000023420-58.dat	upx
behavioral2/files/0x0007000000023426-82.dat	upx
behavioral2/files/0x0007000000023427-83.dat	upx
behavioral2/files/0x000700000002342a-100.dat	upx
behavioral2/files/0x000700000002342c-111.dat	upx
behavioral2/files/0x000700000002342d-121.dat	upx
behavioral2/files/0x0007000000023430-139.dat	upx
behavioral2/files/0x0007000000023433-154.dat	upx
behavioral2/files/0x0007000000023438-172.dat	upx
behavioral2/memory/2544-413-0x00007FF7EC700000-0x00007FF7ECAF1000-memory.dmp	upx
behavioral2/memory/3880-415-0x00007FF67CDA0000-0x00007FF67D191000-memory.dmp	upx
behavioral2/memory/392-423-0x00007FF710000000-0x00007FF7103F1000-memory.dmp	upx
behavioral2/memory/4396-466-0x00007FF7425F0000-0x00007FF7429E1000-memory.dmp	upx
behavioral2/memory/4732-462-0x00007FF732D70000-0x00007FF733161000-memory.dmp	upx
behavioral2/memory/3844-471-0x00007FF6F5BA0000-0x00007FF6F5F91000-memory.dmp	upx
behavioral2/memory/4036-479-0x00007FF6424E0000-0x00007FF6428D1000-memory.dmp	upx
behavioral2/memory/4472-478-0x00007FF6F3700000-0x00007FF6F3AF1000-memory.dmp	upx
behavioral2/memory/5008-476-0x00007FF701010000-0x00007FF701401000-memory.dmp	upx
behavioral2/memory/4000-474-0x00007FF668C20000-0x00007FF669011000-memory.dmp	upx
behavioral2/memory/1212-473-0x00007FF706720000-0x00007FF706B11000-memory.dmp	upx
behavioral2/memory/448-461-0x00007FF7059D0000-0x00007FF705DC1000-memory.dmp	upx
behavioral2/memory/1892-480-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp	upx
behavioral2/memory/3736-489-0x00007FF7FF410000-0x00007FF7FF801000-memory.dmp	upx
behavioral2/files/0x0007000000023437-169.dat	upx
behavioral2/files/0x0007000000023436-166.dat	upx
behavioral2/files/0x0007000000023435-161.dat	upx
behavioral2/files/0x0007000000023434-156.dat	upx
behavioral2/files/0x0007000000023432-149.dat	upx
behavioral2/files/0x0007000000023431-141.dat	upx
behavioral2/files/0x000700000002342f-131.dat	upx
behavioral2/files/0x000700000002342e-129.dat	upx
behavioral2/files/0x0008000000023418-116.dat	upx
behavioral2/files/0x000700000002342b-109.dat	upx
behavioral2/files/0x0007000000023428-104.dat	upx
behavioral2/memory/1748-103-0x00007FF64E2A0000-0x00007FF64E691000-memory.dmp	upx
behavioral2/files/0x0007000000023429-99.dat	upx
behavioral2/files/0x0007000000023425-93.dat	upx
behavioral2/memory/4576-92-0x00007FF7C92A0000-0x00007FF7C9691000-memory.dmp	upx
behavioral2/memory/4756-91-0x00007FF728180000-0x00007FF728571000-memory.dmp	upx
behavioral2/memory/3716-81-0x00007FF6C6A90000-0x00007FF6C6E81000-memory.dmp	upx
behavioral2/files/0x0007000000023424-80.dat	upx
behavioral2/memory/1016-65-0x00007FF7A3F70000-0x00007FF7A4361000-memory.dmp	upx
behavioral2/files/0x0007000000023421-64.dat	upx
behavioral2/files/0x0007000000023423-62.dat	upx
behavioral2/files/0x0007000000023422-60.dat	upx
behavioral2/memory/4152-34-0x00007FF6A7BC0000-0x00007FF6A7FB1000-memory.dmp	upx
behavioral2/memory/1496-32-0x00007FF783F50000-0x00007FF784341000-memory.dmp	upx
behavioral2/files/0x000700000002341d-28.dat	upx
behavioral2/files/0x000700000002341c-23.dat	upx
behavioral2/memory/4304-1956-0x00007FF6B5500000-0x00007FF6B58F1000-memory.dmp	upx
behavioral2/memory/3540-2023-0x00007FF790D10000-0x00007FF791101000-memory.dmp	upx
behavioral2/memory/4136-2022-0x00007FF65F6E0000-0x00007FF65FAD1000-memory.dmp	upx
behavioral2/memory/4136-2025-0x00007FF65F6E0000-0x00007FF65FAD1000-memory.dmp	upx
behavioral2/memory/5088-2027-0x00007FF76E270000-0x00007FF76E661000-memory.dmp	upx
behavioral2/memory/4152-2029-0x00007FF6A7BC0000-0x00007FF6A7FB1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\CLJoYic.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\vcAYpvv.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\LsDigMz.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\SmHBSqi.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\nRwFgBu.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\YfqVxaA.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\qMnlAJl.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\qwqXRYy.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\ZUSfeIZ.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\HISIAiG.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\JbXWZkG.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\BseAOAp.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\kBaolhC.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\qVCWFhy.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\OcQYiRf.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\ebyfUiJ.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\upfUolZ.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\OgZSOhc.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\yiUotgB.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\ZIGmCyI.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\ZJxyiIO.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\FHFIuZm.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\MQfEVtw.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\gsqtShB.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\urtAjrb.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\XrcihTu.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\UrbeMqz.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\hrfYzUw.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\kzjaucK.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\dvolfSk.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\EEHNhPO.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\PvJZUAM.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\ckiXEMf.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\LmlxqUs.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\BJMcGTG.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\GBpqHEI.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\qlBDHIf.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\dtZbVrJ.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\kcXwqRm.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\XkAYHyu.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\sJXHmpP.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\IUNAFMY.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\okzvpxK.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\wzSrMpr.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\EbgaLHF.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\kGnComH.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\ZYvxUdC.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\oBMxdkJ.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\nJAeUFE.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\uGSAwpx.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\ZHIHZLa.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\DmXcnIA.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\jaeopsc.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\RDfLkXY.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\HLyGzcb.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\jABfgQo.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\bqSrmdw.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\lchfsWk.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\tSAuAJf.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\uolNWgV.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\dExNjoD.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\ILvimHs.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\NQbSiSj.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
File created	C:\Windows\System32\UbBstfR.exe	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12724	dwm.exe
Token: SeChangeNotifyPrivilege	12724	dwm.exe
Token: 33	12724	dwm.exe
Token: SeIncBasePriorityPrivilege	12724	dwm.exe
Token: SeShutdownPrivilege	12724	dwm.exe
Token: SeCreatePagefilePrivilege	12724	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 4136	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	83
PID 4304 wrote to memory of 4136	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	83
PID 4304 wrote to memory of 5088	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	84
PID 4304 wrote to memory of 5088	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	84
PID 4304 wrote to memory of 1496	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	85
PID 4304 wrote to memory of 1496	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	85
PID 4304 wrote to memory of 4152	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	86
PID 4304 wrote to memory of 4152	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	86
PID 4304 wrote to memory of 1016	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	87
PID 4304 wrote to memory of 1016	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	87
PID 4304 wrote to memory of 3540	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	88
PID 4304 wrote to memory of 3540	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	88
PID 4304 wrote to memory of 3716	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	89
PID 4304 wrote to memory of 3716	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	89
PID 4304 wrote to memory of 5008	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	90
PID 4304 wrote to memory of 5008	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	90
PID 4304 wrote to memory of 4756	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	91
PID 4304 wrote to memory of 4756	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	91
PID 4304 wrote to memory of 4576	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	92
PID 4304 wrote to memory of 4576	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	92
PID 4304 wrote to memory of 1748	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	93
PID 4304 wrote to memory of 1748	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	93
PID 4304 wrote to memory of 2544	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	94
PID 4304 wrote to memory of 2544	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	94
PID 4304 wrote to memory of 4472	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	95
PID 4304 wrote to memory of 4472	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	95
PID 4304 wrote to memory of 4036	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	96
PID 4304 wrote to memory of 4036	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	96
PID 4304 wrote to memory of 3880	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	97
PID 4304 wrote to memory of 3880	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	97
PID 4304 wrote to memory of 392	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	98
PID 4304 wrote to memory of 392	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	98
PID 4304 wrote to memory of 448	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	99
PID 4304 wrote to memory of 448	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	99
PID 4304 wrote to memory of 4732	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	100
PID 4304 wrote to memory of 4732	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	100
PID 4304 wrote to memory of 1892	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	101
PID 4304 wrote to memory of 1892	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	101
PID 4304 wrote to memory of 3736	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	102
PID 4304 wrote to memory of 3736	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	102
PID 4304 wrote to memory of 4396	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	103
PID 4304 wrote to memory of 4396	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	103
PID 4304 wrote to memory of 3844	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	104
PID 4304 wrote to memory of 3844	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	104
PID 4304 wrote to memory of 1212	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	105
PID 4304 wrote to memory of 1212	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	105
PID 4304 wrote to memory of 4000	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	106
PID 4304 wrote to memory of 4000	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	106
PID 4304 wrote to memory of 4360	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	107
PID 4304 wrote to memory of 4360	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	107
PID 4304 wrote to memory of 4416	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	108
PID 4304 wrote to memory of 4416	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	108
PID 4304 wrote to memory of 4924	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	109
PID 4304 wrote to memory of 4924	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	109
PID 4304 wrote to memory of 1528	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	110
PID 4304 wrote to memory of 1528	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	110
PID 4304 wrote to memory of 3356	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	111
PID 4304 wrote to memory of 3356	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	111
PID 4304 wrote to memory of 3180	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	112
PID 4304 wrote to memory of 3180	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	112
PID 4304 wrote to memory of 3612	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	113
PID 4304 wrote to memory of 3612	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	113
PID 4304 wrote to memory of 5056	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	114
PID 4304 wrote to memory of 5056	4304	3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe	114

C:\Users\Admin\AppData\Local\Temp\3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b855ab9f390229f475e996911953dfd_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\System32\PdCfjIi.exe
  C:\Windows\System32\PdCfjIi.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System32\GAVnqOJ.exe
  C:\Windows\System32\GAVnqOJ.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\mmHRjDl.exe
  C:\Windows\System32\mmHRjDl.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System32\ZRWdBKh.exe
  C:\Windows\System32\ZRWdBKh.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System32\NnCOvBn.exe
  C:\Windows\System32\NnCOvBn.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\LwtezqO.exe
  C:\Windows\System32\LwtezqO.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\jaeopsc.exe
  C:\Windows\System32\jaeopsc.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System32\LImRhMT.exe
  C:\Windows\System32\LImRhMT.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\ffsBeiH.exe
  C:\Windows\System32\ffsBeiH.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System32\TxXksUK.exe
  C:\Windows\System32\TxXksUK.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\hYDFgLA.exe
  C:\Windows\System32\hYDFgLA.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System32\xWLqSBB.exe
  C:\Windows\System32\xWLqSBB.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System32\GnnfYDB.exe
  C:\Windows\System32\GnnfYDB.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System32\poczDcS.exe
  C:\Windows\System32\poczDcS.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System32\hGudFCK.exe
  C:\Windows\System32\hGudFCK.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System32\OIiDuNP.exe
  C:\Windows\System32\OIiDuNP.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\uolNWgV.exe
  C:\Windows\System32\uolNWgV.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System32\dtYkrFT.exe
  C:\Windows\System32\dtYkrFT.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\EHVLkPh.exe
  C:\Windows\System32\EHVLkPh.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System32\dExNjoD.exe
  C:\Windows\System32\dExNjoD.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System32\ZUTAKUh.exe
  C:\Windows\System32\ZUTAKUh.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\GvJHTLb.exe
  C:\Windows\System32\GvJHTLb.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\DfjLkRn.exe
  C:\Windows\System32\DfjLkRn.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System32\wVqlwte.exe
  C:\Windows\System32\wVqlwte.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System32\PhcQgJF.exe
  C:\Windows\System32\PhcQgJF.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\qKAPFRf.exe
  C:\Windows\System32\qKAPFRf.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\HvyJwhl.exe
  C:\Windows\System32\HvyJwhl.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\wmnBllr.exe
  C:\Windows\System32\wmnBllr.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\EpduASl.exe
  C:\Windows\System32\EpduASl.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System32\lHItxZu.exe
  C:\Windows\System32\lHItxZu.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System32\OoaJopX.exe
  C:\Windows\System32\OoaJopX.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System32\DjjQAxE.exe
  C:\Windows\System32\DjjQAxE.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\rTYzLee.exe
  C:\Windows\System32\rTYzLee.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System32\vQVFNwA.exe
  C:\Windows\System32\vQVFNwA.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System32\wmNEKaG.exe
  C:\Windows\System32\wmNEKaG.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System32\dbbJgMm.exe
  C:\Windows\System32\dbbJgMm.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System32\SadzlpE.exe
  C:\Windows\System32\SadzlpE.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System32\phYYdCe.exe
  C:\Windows\System32\phYYdCe.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System32\YUltgxy.exe
  C:\Windows\System32\YUltgxy.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\CRetqzO.exe
  C:\Windows\System32\CRetqzO.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System32\nKVgVPT.exe
  C:\Windows\System32\nKVgVPT.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\LUWLAUv.exe
  C:\Windows\System32\LUWLAUv.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System32\qMnlAJl.exe
  C:\Windows\System32\qMnlAJl.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System32\BYmZUzc.exe
  C:\Windows\System32\BYmZUzc.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\CIfdjHK.exe
  C:\Windows\System32\CIfdjHK.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System32\NkCaQMh.exe
  C:\Windows\System32\NkCaQMh.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System32\oHmjFQO.exe
  C:\Windows\System32\oHmjFQO.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\ZOBAyyk.exe
  C:\Windows\System32\ZOBAyyk.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\mkvcZna.exe
  C:\Windows\System32\mkvcZna.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System32\dJVCjOg.exe
  C:\Windows\System32\dJVCjOg.exe
  2⤵
  - Executes dropped EXE
  PID:100
- C:\Windows\System32\pMlqNaB.exe
  C:\Windows\System32\pMlqNaB.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\NpvqZfC.exe
  C:\Windows\System32\NpvqZfC.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\oaziqJk.exe
  C:\Windows\System32\oaziqJk.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\PvJZUAM.exe
  C:\Windows\System32\PvJZUAM.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System32\kenqBhX.exe
  C:\Windows\System32\kenqBhX.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System32\hrfYzUw.exe
  C:\Windows\System32\hrfYzUw.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System32\FMgbVIF.exe
  C:\Windows\System32\FMgbVIF.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System32\vSDvBgh.exe
  C:\Windows\System32\vSDvBgh.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\SEOgEXA.exe
  C:\Windows\System32\SEOgEXA.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System32\ZKAogAj.exe
  C:\Windows\System32\ZKAogAj.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\qrOrEmR.exe
  C:\Windows\System32\qrOrEmR.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\NArZMxe.exe
  C:\Windows\System32\NArZMxe.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\ILvimHs.exe
  C:\Windows\System32\ILvimHs.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\NQbSiSj.exe
  C:\Windows\System32\NQbSiSj.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System32\Lmvayva.exe
  C:\Windows\System32\Lmvayva.exe
  2⤵
  PID:904
- C:\Windows\System32\GXITRdl.exe
  C:\Windows\System32\GXITRdl.exe
  2⤵
  PID:1120
- C:\Windows\System32\DkyLAgh.exe
  C:\Windows\System32\DkyLAgh.exe
  2⤵
  PID:2060
- C:\Windows\System32\QOidggD.exe
  C:\Windows\System32\QOidggD.exe
  2⤵
  PID:464
- C:\Windows\System32\ggfuzov.exe
  C:\Windows\System32\ggfuzov.exe
  2⤵
  PID:3620
- C:\Windows\System32\yxhyFtp.exe
  C:\Windows\System32\yxhyFtp.exe
  2⤵
  PID:2088
- C:\Windows\System32\vPRwsns.exe
  C:\Windows\System32\vPRwsns.exe
  2⤵
  PID:3216
- C:\Windows\System32\ImImWUx.exe
  C:\Windows\System32\ImImWUx.exe
  2⤵
  PID:1468
- C:\Windows\System32\URZnzjY.exe
  C:\Windows\System32\URZnzjY.exe
  2⤵
  PID:2920
- C:\Windows\System32\iDmIpsM.exe
  C:\Windows\System32\iDmIpsM.exe
  2⤵
  PID:4644
- C:\Windows\System32\NmOnHaY.exe
  C:\Windows\System32\NmOnHaY.exe
  2⤵
  PID:2008
- C:\Windows\System32\oSBnzPO.exe
  C:\Windows\System32\oSBnzPO.exe
  2⤵
  PID:3760
- C:\Windows\System32\DvyPRjN.exe
  C:\Windows\System32\DvyPRjN.exe
  2⤵
  PID:2268
- C:\Windows\System32\uIqakUt.exe
  C:\Windows\System32\uIqakUt.exe
  2⤵
  PID:2336
- C:\Windows\System32\oUGCJic.exe
  C:\Windows\System32\oUGCJic.exe
  2⤵
  PID:4452
- C:\Windows\System32\ModSMSo.exe
  C:\Windows\System32\ModSMSo.exe
  2⤵
  PID:412
- C:\Windows\System32\XkAYHyu.exe
  C:\Windows\System32\XkAYHyu.exe
  2⤵
  PID:792
- C:\Windows\System32\MHwJmvG.exe
  C:\Windows\System32\MHwJmvG.exe
  2⤵
  PID:2352
- C:\Windows\System32\KWProtS.exe
  C:\Windows\System32\KWProtS.exe
  2⤵
  PID:576
- C:\Windows\System32\urtAjrb.exe
  C:\Windows\System32\urtAjrb.exe
  2⤵
  PID:2780
- C:\Windows\System32\Ckokmer.exe
  C:\Windows\System32\Ckokmer.exe
  2⤵
  PID:4404
- C:\Windows\System32\xHsYENo.exe
  C:\Windows\System32\xHsYENo.exe
  2⤵
  PID:1940
- C:\Windows\System32\pHdlWgt.exe
  C:\Windows\System32\pHdlWgt.exe
  2⤵
  PID:3292
- C:\Windows\System32\wHVmDyI.exe
  C:\Windows\System32\wHVmDyI.exe
  2⤵
  PID:1636
- C:\Windows\System32\BvAsSDk.exe
  C:\Windows\System32\BvAsSDk.exe
  2⤵
  PID:4952
- C:\Windows\System32\lQypUtd.exe
  C:\Windows\System32\lQypUtd.exe
  2⤵
  PID:2476
- C:\Windows\System32\jlPYNdG.exe
  C:\Windows\System32\jlPYNdG.exe
  2⤵
  PID:4596
- C:\Windows\System32\rNoDicD.exe
  C:\Windows\System32\rNoDicD.exe
  2⤵
  PID:2392
- C:\Windows\System32\ftGPyrQ.exe
  C:\Windows\System32\ftGPyrQ.exe
  2⤵
  PID:2452
- C:\Windows\System32\UXGQJSq.exe
  C:\Windows\System32\UXGQJSq.exe
  2⤵
  PID:4276
- C:\Windows\System32\dhtbKku.exe
  C:\Windows\System32\dhtbKku.exe
  2⤵
  PID:692
- C:\Windows\System32\bqSrmdw.exe
  C:\Windows\System32\bqSrmdw.exe
  2⤵
  PID:5000
- C:\Windows\System32\eEgxmei.exe
  C:\Windows\System32\eEgxmei.exe
  2⤵
  PID:4108
- C:\Windows\System32\OUwpMtl.exe
  C:\Windows\System32\OUwpMtl.exe
  2⤵
  PID:5144
- C:\Windows\System32\RpQBbgb.exe
  C:\Windows\System32\RpQBbgb.exe
  2⤵
  PID:5172
- C:\Windows\System32\icZkODA.exe
  C:\Windows\System32\icZkODA.exe
  2⤵
  PID:5200
- C:\Windows\System32\ufkBARP.exe
  C:\Windows\System32\ufkBARP.exe
  2⤵
  PID:5228
- C:\Windows\System32\KPgozWp.exe
  C:\Windows\System32\KPgozWp.exe
  2⤵
  PID:5256
- C:\Windows\System32\NfFicLg.exe
  C:\Windows\System32\NfFicLg.exe
  2⤵
  PID:5284
- C:\Windows\System32\rMkxtel.exe
  C:\Windows\System32\rMkxtel.exe
  2⤵
  PID:5308
- C:\Windows\System32\UumnUTR.exe
  C:\Windows\System32\UumnUTR.exe
  2⤵
  PID:5340
- C:\Windows\System32\rxDFnzg.exe
  C:\Windows\System32\rxDFnzg.exe
  2⤵
  PID:5368
- C:\Windows\System32\oBMxdkJ.exe
  C:\Windows\System32\oBMxdkJ.exe
  2⤵
  PID:5404
- C:\Windows\System32\QNQrzEs.exe
  C:\Windows\System32\QNQrzEs.exe
  2⤵
  PID:5432
- C:\Windows\System32\aJeJkem.exe
  C:\Windows\System32\aJeJkem.exe
  2⤵
  PID:5452
- C:\Windows\System32\onpeuUN.exe
  C:\Windows\System32\onpeuUN.exe
  2⤵
  PID:5492
- C:\Windows\System32\deCDYgM.exe
  C:\Windows\System32\deCDYgM.exe
  2⤵
  PID:5508
- C:\Windows\System32\RJeRWPo.exe
  C:\Windows\System32\RJeRWPo.exe
  2⤵
  PID:5540
- C:\Windows\System32\dFFCeaI.exe
  C:\Windows\System32\dFFCeaI.exe
  2⤵
  PID:5580
- C:\Windows\System32\HVNbHiB.exe
  C:\Windows\System32\HVNbHiB.exe
  2⤵
  PID:5628
- C:\Windows\System32\zZPSNqT.exe
  C:\Windows\System32\zZPSNqT.exe
  2⤵
  PID:5644
- C:\Windows\System32\ckiXEMf.exe
  C:\Windows\System32\ckiXEMf.exe
  2⤵
  PID:5672
- C:\Windows\System32\fhSoIkd.exe
  C:\Windows\System32\fhSoIkd.exe
  2⤵
  PID:5716
- C:\Windows\System32\kMzRkXB.exe
  C:\Windows\System32\kMzRkXB.exe
  2⤵
  PID:5732
- C:\Windows\System32\ysnJxQH.exe
  C:\Windows\System32\ysnJxQH.exe
  2⤵
  PID:5760
- C:\Windows\System32\BCqVeDq.exe
  C:\Windows\System32\BCqVeDq.exe
  2⤵
  PID:5788
- C:\Windows\System32\fgZvQJp.exe
  C:\Windows\System32\fgZvQJp.exe
  2⤵
  PID:5816
- C:\Windows\System32\HYDCiRi.exe
  C:\Windows\System32\HYDCiRi.exe
  2⤵
  PID:5844
- C:\Windows\System32\zSNGDPo.exe
  C:\Windows\System32\zSNGDPo.exe
  2⤵
  PID:5880
- C:\Windows\System32\dQmbCGA.exe
  C:\Windows\System32\dQmbCGA.exe
  2⤵
  PID:5912
- C:\Windows\System32\BIfUmFV.exe
  C:\Windows\System32\BIfUmFV.exe
  2⤵
  PID:5928
- C:\Windows\System32\JHeeqFd.exe
  C:\Windows\System32\JHeeqFd.exe
  2⤵
  PID:5956
- C:\Windows\System32\NiVrMLn.exe
  C:\Windows\System32\NiVrMLn.exe
  2⤵
  PID:5984
- C:\Windows\System32\KOYrOSm.exe
  C:\Windows\System32\KOYrOSm.exe
  2⤵
  PID:6020
- C:\Windows\System32\JEmLrou.exe
  C:\Windows\System32\JEmLrou.exe
  2⤵
  PID:6048
- C:\Windows\System32\hMPrcMP.exe
  C:\Windows\System32\hMPrcMP.exe
  2⤵
  PID:6072
- C:\Windows\System32\swJbegL.exe
  C:\Windows\System32\swJbegL.exe
  2⤵
  PID:6112
- C:\Windows\System32\AcvzZcN.exe
  C:\Windows\System32\AcvzZcN.exe
  2⤵
  PID:6140
- C:\Windows\System32\ickuEAo.exe
  C:\Windows\System32\ickuEAo.exe
  2⤵
  PID:1424
- C:\Windows\System32\WXUcmGF.exe
  C:\Windows\System32\WXUcmGF.exe
  2⤵
  PID:3204
- C:\Windows\System32\NAiLqtw.exe
  C:\Windows\System32\NAiLqtw.exe
  2⤵
  PID:3132
- C:\Windows\System32\dXCeZdF.exe
  C:\Windows\System32\dXCeZdF.exe
  2⤵
  PID:3296
- C:\Windows\System32\RDfLkXY.exe
  C:\Windows\System32\RDfLkXY.exe
  2⤵
  PID:5124
- C:\Windows\System32\UPlrLDw.exe
  C:\Windows\System32\UPlrLDw.exe
  2⤵
  PID:3520
- C:\Windows\System32\gGxFnlX.exe
  C:\Windows\System32\gGxFnlX.exe
  2⤵
  PID:5192
- C:\Windows\System32\PSwRXfw.exe
  C:\Windows\System32\PSwRXfw.exe
  2⤵
  PID:5248
- C:\Windows\System32\XmebPYi.exe
  C:\Windows\System32\XmebPYi.exe
  2⤵
  PID:5264
- C:\Windows\System32\BdjqbLz.exe
  C:\Windows\System32\BdjqbLz.exe
  2⤵
  PID:5296
- C:\Windows\System32\UkdKrEu.exe
  C:\Windows\System32\UkdKrEu.exe
  2⤵
  PID:1144
- C:\Windows\System32\UKRBCUv.exe
  C:\Windows\System32\UKRBCUv.exe
  2⤵
  PID:3588
- C:\Windows\System32\BRKeMPn.exe
  C:\Windows\System32\BRKeMPn.exe
  2⤵
  PID:4856
- C:\Windows\System32\xYMGnXw.exe
  C:\Windows\System32\xYMGnXw.exe
  2⤵
  PID:5516
- C:\Windows\System32\rYJTNMd.exe
  C:\Windows\System32\rYJTNMd.exe
  2⤵
  PID:3536
- C:\Windows\System32\QmbAVlY.exe
  C:\Windows\System32\QmbAVlY.exe
  2⤵
  PID:5600
- C:\Windows\System32\KWVkoVH.exe
  C:\Windows\System32\KWVkoVH.exe
  2⤵
  PID:5924
- C:\Windows\System32\lchfsWk.exe
  C:\Windows\System32\lchfsWk.exe
  2⤵
  PID:5896
- C:\Windows\System32\sVKBXnb.exe
  C:\Windows\System32\sVKBXnb.exe
  2⤵
  PID:5836
- C:\Windows\System32\jrTUnzj.exe
  C:\Windows\System32\jrTUnzj.exe
  2⤵
  PID:5768
- C:\Windows\System32\jZGZCIe.exe
  C:\Windows\System32\jZGZCIe.exe
  2⤵
  PID:5728
- C:\Windows\System32\yVvGwql.exe
  C:\Windows\System32\yVvGwql.exe
  2⤵
  PID:5696
- C:\Windows\System32\GHIMPhq.exe
  C:\Windows\System32\GHIMPhq.exe
  2⤵
  PID:5624
- C:\Windows\System32\sJXHmpP.exe
  C:\Windows\System32\sJXHmpP.exe
  2⤵
  PID:1124
- C:\Windows\System32\qwqXRYy.exe
  C:\Windows\System32\qwqXRYy.exe
  2⤵
  PID:6004
- C:\Windows\System32\QsGmwGz.exe
  C:\Windows\System32\QsGmwGz.exe
  2⤵
  PID:4296
- C:\Windows\System32\dYWjEih.exe
  C:\Windows\System32\dYWjEih.exe
  2⤵
  PID:4960
- C:\Windows\System32\ifSGBWd.exe
  C:\Windows\System32\ifSGBWd.exe
  2⤵
  PID:2368
- C:\Windows\System32\eCitjVb.exe
  C:\Windows\System32\eCitjVb.exe
  2⤵
  PID:5164
- C:\Windows\System32\lPDlAWw.exe
  C:\Windows\System32\lPDlAWw.exe
  2⤵
  PID:5292
- C:\Windows\System32\JbXWZkG.exe
  C:\Windows\System32\JbXWZkG.exe
  2⤵
  PID:5684
- C:\Windows\System32\ZvGdrZC.exe
  C:\Windows\System32\ZvGdrZC.exe
  2⤵
  PID:4972
- C:\Windows\System32\eeDSXZs.exe
  C:\Windows\System32\eeDSXZs.exe
  2⤵
  PID:5380
- C:\Windows\System32\ZVBYcFF.exe
  C:\Windows\System32\ZVBYcFF.exe
  2⤵
  PID:4604
- C:\Windows\System32\TWMdgcu.exe
  C:\Windows\System32\TWMdgcu.exe
  2⤵
  PID:5796
- C:\Windows\System32\muZtYBO.exe
  C:\Windows\System32\muZtYBO.exe
  2⤵
  PID:5688
- C:\Windows\System32\ueaMHuQ.exe
  C:\Windows\System32\ueaMHuQ.exe
  2⤵
  PID:5116
- C:\Windows\System32\jUByXML.exe
  C:\Windows\System32\jUByXML.exe
  2⤵
  PID:4624
- C:\Windows\System32\RJFkogz.exe
  C:\Windows\System32\RJFkogz.exe
  2⤵
  PID:1500
- C:\Windows\System32\gfdipcj.exe
  C:\Windows\System32\gfdipcj.exe
  2⤵
  PID:6016
- C:\Windows\System32\xSKNWFl.exe
  C:\Windows\System32\xSKNWFl.exe
  2⤵
  PID:2740
- C:\Windows\System32\buXOfeK.exe
  C:\Windows\System32\buXOfeK.exe
  2⤵
  PID:6084
- C:\Windows\System32\XerxysC.exe
  C:\Windows\System32\XerxysC.exe
  2⤵
  PID:1112
- C:\Windows\System32\bDEKIZS.exe
  C:\Windows\System32\bDEKIZS.exe
  2⤵
  PID:2192
- C:\Windows\System32\CuCKmFF.exe
  C:\Windows\System32\CuCKmFF.exe
  2⤵
  PID:6168
- C:\Windows\System32\MohzBUc.exe
  C:\Windows\System32\MohzBUc.exe
  2⤵
  PID:6188
- C:\Windows\System32\wwqWfwc.exe
  C:\Windows\System32\wwqWfwc.exe
  2⤵
  PID:6212
- C:\Windows\System32\NYbfmXA.exe
  C:\Windows\System32\NYbfmXA.exe
  2⤵
  PID:6228
- C:\Windows\System32\EvthcjQ.exe
  C:\Windows\System32\EvthcjQ.exe
  2⤵
  PID:6268
- C:\Windows\System32\HdnyIWl.exe
  C:\Windows\System32\HdnyIWl.exe
  2⤵
  PID:6316
- C:\Windows\System32\qUFxwNL.exe
  C:\Windows\System32\qUFxwNL.exe
  2⤵
  PID:6340
- C:\Windows\System32\wjpmTLX.exe
  C:\Windows\System32\wjpmTLX.exe
  2⤵
  PID:6376
- C:\Windows\System32\uQXROhK.exe
  C:\Windows\System32\uQXROhK.exe
  2⤵
  PID:6400
- C:\Windows\System32\iwitJyi.exe
  C:\Windows\System32\iwitJyi.exe
  2⤵
  PID:6416
- C:\Windows\System32\sDkbQHL.exe
  C:\Windows\System32\sDkbQHL.exe
  2⤵
  PID:6436
- C:\Windows\System32\KWiYEje.exe
  C:\Windows\System32\KWiYEje.exe
  2⤵
  PID:6456
- C:\Windows\System32\jwocmoj.exe
  C:\Windows\System32\jwocmoj.exe
  2⤵
  PID:6480
- C:\Windows\System32\lXrUTko.exe
  C:\Windows\System32\lXrUTko.exe
  2⤵
  PID:6520
- C:\Windows\System32\gEpOBme.exe
  C:\Windows\System32\gEpOBme.exe
  2⤵
  PID:6556
- C:\Windows\System32\CSCYYbn.exe
  C:\Windows\System32\CSCYYbn.exe
  2⤵
  PID:6588
- C:\Windows\System32\fSvOUAb.exe
  C:\Windows\System32\fSvOUAb.exe
  2⤵
  PID:6612
- C:\Windows\System32\isHzxHU.exe
  C:\Windows\System32\isHzxHU.exe
  2⤵
  PID:6628
- C:\Windows\System32\sDdcpyn.exe
  C:\Windows\System32\sDdcpyn.exe
  2⤵
  PID:6680
- C:\Windows\System32\xXOXWrH.exe
  C:\Windows\System32\xXOXWrH.exe
  2⤵
  PID:6700
- C:\Windows\System32\vCtlyUo.exe
  C:\Windows\System32\vCtlyUo.exe
  2⤵
  PID:6720
- C:\Windows\System32\DdhYbaM.exe
  C:\Windows\System32\DdhYbaM.exe
  2⤵
  PID:6764
- C:\Windows\System32\kxaLKZf.exe
  C:\Windows\System32\kxaLKZf.exe
  2⤵
  PID:6792
- C:\Windows\System32\cynCJzk.exe
  C:\Windows\System32\cynCJzk.exe
  2⤵
  PID:6816
- C:\Windows\System32\wJrVsWd.exe
  C:\Windows\System32\wJrVsWd.exe
  2⤵
  PID:6836
- C:\Windows\System32\ZJxyiIO.exe
  C:\Windows\System32\ZJxyiIO.exe
  2⤵
  PID:6860
- C:\Windows\System32\nJAeUFE.exe
  C:\Windows\System32\nJAeUFE.exe
  2⤵
  PID:6880
- C:\Windows\System32\XqShrnO.exe
  C:\Windows\System32\XqShrnO.exe
  2⤵
  PID:6896
- C:\Windows\System32\asKGWlG.exe
  C:\Windows\System32\asKGWlG.exe
  2⤵
  PID:6944
- C:\Windows\System32\VPpvGkK.exe
  C:\Windows\System32\VPpvGkK.exe
  2⤵
  PID:6976
- C:\Windows\System32\gIhzRZI.exe
  C:\Windows\System32\gIhzRZI.exe
  2⤵
  PID:6996
- C:\Windows\System32\xMYEGyQ.exe
  C:\Windows\System32\xMYEGyQ.exe
  2⤵
  PID:7020
- C:\Windows\System32\gHmFTvZ.exe
  C:\Windows\System32\gHmFTvZ.exe
  2⤵
  PID:7040
- C:\Windows\System32\aYUDlCM.exe
  C:\Windows\System32\aYUDlCM.exe
  2⤵
  PID:7064
- C:\Windows\System32\YFUKDcL.exe
  C:\Windows\System32\YFUKDcL.exe
  2⤵
  PID:7084
- C:\Windows\System32\LWrOzOq.exe
  C:\Windows\System32\LWrOzOq.exe
  2⤵
  PID:7128
- C:\Windows\System32\ZUSfeIZ.exe
  C:\Windows\System32\ZUSfeIZ.exe
  2⤵
  PID:7160
- C:\Windows\System32\aWgjPas.exe
  C:\Windows\System32\aWgjPas.exe
  2⤵
  PID:6180
- C:\Windows\System32\YOZKoHZ.exe
  C:\Windows\System32\YOZKoHZ.exe
  2⤵
  PID:6260
- C:\Windows\System32\uGSAwpx.exe
  C:\Windows\System32\uGSAwpx.exe
  2⤵
  PID:6304
- C:\Windows\System32\PINoSDp.exe
  C:\Windows\System32\PINoSDp.exe
  2⤵
  PID:6348
- C:\Windows\System32\vYlPhME.exe
  C:\Windows\System32\vYlPhME.exe
  2⤵
  PID:6432
- C:\Windows\System32\IGVvCGD.exe
  C:\Windows\System32\IGVvCGD.exe
  2⤵
  PID:6508
- C:\Windows\System32\xyMBhlH.exe
  C:\Windows\System32\xyMBhlH.exe
  2⤵
  PID:6504
- C:\Windows\System32\YJjXldd.exe
  C:\Windows\System32\YJjXldd.exe
  2⤵
  PID:6584
- C:\Windows\System32\NOcBDgc.exe
  C:\Windows\System32\NOcBDgc.exe
  2⤵
  PID:6736
- C:\Windows\System32\CLJoYic.exe
  C:\Windows\System32\CLJoYic.exe
  2⤵
  PID:6760
- C:\Windows\System32\UbBstfR.exe
  C:\Windows\System32\UbBstfR.exe
  2⤵
  PID:6776
- C:\Windows\System32\QhSWniP.exe
  C:\Windows\System32\QhSWniP.exe
  2⤵
  PID:6832
- C:\Windows\System32\mkSlygC.exe
  C:\Windows\System32\mkSlygC.exe
  2⤵
  PID:6868
- C:\Windows\System32\QLiaNTb.exe
  C:\Windows\System32\QLiaNTb.exe
  2⤵
  PID:6988
- C:\Windows\System32\ESAnrVE.exe
  C:\Windows\System32\ESAnrVE.exe
  2⤵
  PID:5448
- C:\Windows\System32\RkakQVG.exe
  C:\Windows\System32\RkakQVG.exe
  2⤵
  PID:7156
- C:\Windows\System32\crNzUGQ.exe
  C:\Windows\System32\crNzUGQ.exe
  2⤵
  PID:6220
- C:\Windows\System32\DiMKSQY.exe
  C:\Windows\System32\DiMKSQY.exe
  2⤵
  PID:6388
- C:\Windows\System32\xmDFlFC.exe
  C:\Windows\System32\xmDFlFC.exe
  2⤵
  PID:6492
- C:\Windows\System32\hDXGgAb.exe
  C:\Windows\System32\hDXGgAb.exe
  2⤵
  PID:6708
- C:\Windows\System32\NWGmBMo.exe
  C:\Windows\System32\NWGmBMo.exe
  2⤵
  PID:6812
- C:\Windows\System32\VTerLwb.exe
  C:\Windows\System32\VTerLwb.exe
  2⤵
  PID:6992
- C:\Windows\System32\hGojKPv.exe
  C:\Windows\System32\hGojKPv.exe
  2⤵
  PID:7152
- C:\Windows\System32\wBKgiNm.exe
  C:\Windows\System32\wBKgiNm.exe
  2⤵
  PID:6424
- C:\Windows\System32\IWXFsvD.exe
  C:\Windows\System32\IWXFsvD.exe
  2⤵
  PID:5352
- C:\Windows\System32\fifdoWE.exe
  C:\Windows\System32\fifdoWE.exe
  2⤵
  PID:7172
- C:\Windows\System32\pMqiCvC.exe
  C:\Windows\System32\pMqiCvC.exe
  2⤵
  PID:7200
- C:\Windows\System32\rctAdSf.exe
  C:\Windows\System32\rctAdSf.exe
  2⤵
  PID:7240
- C:\Windows\System32\gpGYfqx.exe
  C:\Windows\System32\gpGYfqx.exe
  2⤵
  PID:7260
- C:\Windows\System32\wyYtGGn.exe
  C:\Windows\System32\wyYtGGn.exe
  2⤵
  PID:7284
- C:\Windows\System32\nIyXHCR.exe
  C:\Windows\System32\nIyXHCR.exe
  2⤵
  PID:7304
- C:\Windows\System32\JUUGBKu.exe
  C:\Windows\System32\JUUGBKu.exe
  2⤵
  PID:7324
- C:\Windows\System32\zXxRDri.exe
  C:\Windows\System32\zXxRDri.exe
  2⤵
  PID:7344
- C:\Windows\System32\bcpTORf.exe
  C:\Windows\System32\bcpTORf.exe
  2⤵
  PID:7376
- C:\Windows\System32\ZHIHZLa.exe
  C:\Windows\System32\ZHIHZLa.exe
  2⤵
  PID:7396
- C:\Windows\System32\WhcdDXD.exe
  C:\Windows\System32\WhcdDXD.exe
  2⤵
  PID:7416
- C:\Windows\System32\smmHBUA.exe
  C:\Windows\System32\smmHBUA.exe
  2⤵
  PID:7460
- C:\Windows\System32\UifciJk.exe
  C:\Windows\System32\UifciJk.exe
  2⤵
  PID:7488
- C:\Windows\System32\BFtGxCw.exe
  C:\Windows\System32\BFtGxCw.exe
  2⤵
  PID:7532
- C:\Windows\System32\AHxsDwr.exe
  C:\Windows\System32\AHxsDwr.exe
  2⤵
  PID:7588
- C:\Windows\System32\vjKADGD.exe
  C:\Windows\System32\vjKADGD.exe
  2⤵
  PID:7608
- C:\Windows\System32\kMXuVIF.exe
  C:\Windows\System32\kMXuVIF.exe
  2⤵
  PID:7624
- C:\Windows\System32\iOsgalB.exe
  C:\Windows\System32\iOsgalB.exe
  2⤵
  PID:7640
- C:\Windows\System32\jpneMfA.exe
  C:\Windows\System32\jpneMfA.exe
  2⤵
  PID:7668
- C:\Windows\System32\HLyGzcb.exe
  C:\Windows\System32\HLyGzcb.exe
  2⤵
  PID:7688
- C:\Windows\System32\fRggNQB.exe
  C:\Windows\System32\fRggNQB.exe
  2⤵
  PID:7744
- C:\Windows\System32\LnDYuZd.exe
  C:\Windows\System32\LnDYuZd.exe
  2⤵
  PID:7760
- C:\Windows\System32\sLuJJli.exe
  C:\Windows\System32\sLuJJli.exe
  2⤵
  PID:7784
- C:\Windows\System32\xwvJHJc.exe
  C:\Windows\System32\xwvJHJc.exe
  2⤵
  PID:7804
- C:\Windows\System32\cMYkWUr.exe
  C:\Windows\System32\cMYkWUr.exe
  2⤵
  PID:7840
- C:\Windows\System32\LMNdGdc.exe
  C:\Windows\System32\LMNdGdc.exe
  2⤵
  PID:7860
- C:\Windows\System32\DJuczna.exe
  C:\Windows\System32\DJuczna.exe
  2⤵
  PID:7880
- C:\Windows\System32\FHFIuZm.exe
  C:\Windows\System32\FHFIuZm.exe
  2⤵
  PID:7940
- C:\Windows\System32\YfHPSlI.exe
  C:\Windows\System32\YfHPSlI.exe
  2⤵
  PID:7980
- C:\Windows\System32\AnKrBgM.exe
  C:\Windows\System32\AnKrBgM.exe
  2⤵
  PID:7996
- C:\Windows\System32\UwWxuks.exe
  C:\Windows\System32\UwWxuks.exe
  2⤵
  PID:8016
- C:\Windows\System32\mxmzQhx.exe
  C:\Windows\System32\mxmzQhx.exe
  2⤵
  PID:8032
- C:\Windows\System32\yEclKEq.exe
  C:\Windows\System32\yEclKEq.exe
  2⤵
  PID:8088
- C:\Windows\System32\EIESjgw.exe
  C:\Windows\System32\EIESjgw.exe
  2⤵
  PID:8120
- C:\Windows\System32\glQtOBH.exe
  C:\Windows\System32\glQtOBH.exe
  2⤵
  PID:8144
- C:\Windows\System32\ZmJHcjj.exe
  C:\Windows\System32\ZmJHcjj.exe
  2⤵
  PID:8180
- C:\Windows\System32\EIKpHEj.exe
  C:\Windows\System32\EIKpHEj.exe
  2⤵
  PID:6468
- C:\Windows\System32\YOcmrSD.exe
  C:\Windows\System32\YOcmrSD.exe
  2⤵
  PID:7180
- C:\Windows\System32\kzjaucK.exe
  C:\Windows\System32\kzjaucK.exe
  2⤵
  PID:7268
- C:\Windows\System32\BseAOAp.exe
  C:\Windows\System32\BseAOAp.exe
  2⤵
  PID:7256
- C:\Windows\System32\lpvpbDT.exe
  C:\Windows\System32\lpvpbDT.exe
  2⤵
  PID:7360
- C:\Windows\System32\XjFFGYB.exe
  C:\Windows\System32\XjFFGYB.exe
  2⤵
  PID:7412
- C:\Windows\System32\MQfEVtw.exe
  C:\Windows\System32\MQfEVtw.exe
  2⤵
  PID:7456
- C:\Windows\System32\jSGfAaV.exe
  C:\Windows\System32\jSGfAaV.exe
  2⤵
  PID:7556
- C:\Windows\System32\SlKCLDb.exe
  C:\Windows\System32\SlKCLDb.exe
  2⤵
  PID:7632
- C:\Windows\System32\kjcAnjz.exe
  C:\Windows\System32\kjcAnjz.exe
  2⤵
  PID:7652
- C:\Windows\System32\NNIjSAW.exe
  C:\Windows\System32\NNIjSAW.exe
  2⤵
  PID:7716
- C:\Windows\System32\rNxhIpt.exe
  C:\Windows\System32\rNxhIpt.exe
  2⤵
  PID:7752
- C:\Windows\System32\wzSrMpr.exe
  C:\Windows\System32\wzSrMpr.exe
  2⤵
  PID:7872
- C:\Windows\System32\xGhTblL.exe
  C:\Windows\System32\xGhTblL.exe
  2⤵
  PID:7928
- C:\Windows\System32\eEVFjmE.exe
  C:\Windows\System32\eEVFjmE.exe
  2⤵
  PID:8044
- C:\Windows\System32\HISIAiG.exe
  C:\Windows\System32\HISIAiG.exe
  2⤵
  PID:8072
- C:\Windows\System32\XWuWKci.exe
  C:\Windows\System32\XWuWKci.exe
  2⤵
  PID:8152
- C:\Windows\System32\dZsjHEO.exe
  C:\Windows\System32\dZsjHEO.exe
  2⤵
  PID:6164
- C:\Windows\System32\zcJkmyv.exe
  C:\Windows\System32\zcJkmyv.exe
  2⤵
  PID:7228
- C:\Windows\System32\ZfTbrOc.exe
  C:\Windows\System32\ZfTbrOc.exe
  2⤵
  PID:7392
- C:\Windows\System32\UbvJfGq.exe
  C:\Windows\System32\UbvJfGq.exe
  2⤵
  PID:7620
- C:\Windows\System32\QKhUWOn.exe
  C:\Windows\System32\QKhUWOn.exe
  2⤵
  PID:7696
- C:\Windows\System32\StnGlhq.exe
  C:\Windows\System32\StnGlhq.exe
  2⤵
  PID:7868
- C:\Windows\System32\jHMPMSA.exe
  C:\Windows\System32\jHMPMSA.exe
  2⤵
  PID:8096
- C:\Windows\System32\AAkywpi.exe
  C:\Windows\System32\AAkywpi.exe
  2⤵
  PID:7444
- C:\Windows\System32\LmlxqUs.exe
  C:\Windows\System32\LmlxqUs.exe
  2⤵
  PID:7316
- C:\Windows\System32\BaKGuFx.exe
  C:\Windows\System32\BaKGuFx.exe
  2⤵
  PID:7852
- C:\Windows\System32\dvolfSk.exe
  C:\Windows\System32\dvolfSk.exe
  2⤵
  PID:7988
- C:\Windows\System32\XrcihTu.exe
  C:\Windows\System32\XrcihTu.exe
  2⤵
  PID:7684
- C:\Windows\System32\Bjwqyup.exe
  C:\Windows\System32\Bjwqyup.exe
  2⤵
  PID:8204
- C:\Windows\System32\aGaMjNs.exe
  C:\Windows\System32\aGaMjNs.exe
  2⤵
  PID:8244
- C:\Windows\System32\fAKkXlJ.exe
  C:\Windows\System32\fAKkXlJ.exe
  2⤵
  PID:8268
- C:\Windows\System32\rvzgukT.exe
  C:\Windows\System32\rvzgukT.exe
  2⤵
  PID:8288
- C:\Windows\System32\mRryrKn.exe
  C:\Windows\System32\mRryrKn.exe
  2⤵
  PID:8308
- C:\Windows\System32\tvDLXDt.exe
  C:\Windows\System32\tvDLXDt.exe
  2⤵
  PID:8324
- C:\Windows\System32\whSptqq.exe
  C:\Windows\System32\whSptqq.exe
  2⤵
  PID:8348
- C:\Windows\System32\kZXbPAP.exe
  C:\Windows\System32\kZXbPAP.exe
  2⤵
  PID:8368
- C:\Windows\System32\GubDIkr.exe
  C:\Windows\System32\GubDIkr.exe
  2⤵
  PID:8392
- C:\Windows\System32\snLWsAA.exe
  C:\Windows\System32\snLWsAA.exe
  2⤵
  PID:8412
- C:\Windows\System32\anKKSvD.exe
  C:\Windows\System32\anKKSvD.exe
  2⤵
  PID:8428
- C:\Windows\System32\fbHdhaK.exe
  C:\Windows\System32\fbHdhaK.exe
  2⤵
  PID:8452
- C:\Windows\System32\YRteZwq.exe
  C:\Windows\System32\YRteZwq.exe
  2⤵
  PID:8468
- C:\Windows\System32\RsyzZNO.exe
  C:\Windows\System32\RsyzZNO.exe
  2⤵
  PID:8496
- C:\Windows\System32\WIUdaqq.exe
  C:\Windows\System32\WIUdaqq.exe
  2⤵
  PID:8524
- C:\Windows\System32\AUfnRJJ.exe
  C:\Windows\System32\AUfnRJJ.exe
  2⤵
  PID:8572
- C:\Windows\System32\ETlcWHX.exe
  C:\Windows\System32\ETlcWHX.exe
  2⤵
  PID:8604
- C:\Windows\System32\cFYvzcc.exe
  C:\Windows\System32\cFYvzcc.exe
  2⤵
  PID:8632
- C:\Windows\System32\jQmxtMv.exe
  C:\Windows\System32\jQmxtMv.exe
  2⤵
  PID:8652
- C:\Windows\System32\BJMcGTG.exe
  C:\Windows\System32\BJMcGTG.exe
  2⤵
  PID:8696
- C:\Windows\System32\mTvPRyP.exe
  C:\Windows\System32\mTvPRyP.exe
  2⤵
  PID:8720
- C:\Windows\System32\bLzPZWy.exe
  C:\Windows\System32\bLzPZWy.exe
  2⤵
  PID:8736
- C:\Windows\System32\gjkcFms.exe
  C:\Windows\System32\gjkcFms.exe
  2⤵
  PID:8764
- C:\Windows\System32\VPLfplE.exe
  C:\Windows\System32\VPLfplE.exe
  2⤵
  PID:8780
- C:\Windows\System32\cUoFcQT.exe
  C:\Windows\System32\cUoFcQT.exe
  2⤵
  PID:8800
- C:\Windows\System32\ERucxjj.exe
  C:\Windows\System32\ERucxjj.exe
  2⤵
  PID:8844
- C:\Windows\System32\EbgaLHF.exe
  C:\Windows\System32\EbgaLHF.exe
  2⤵
  PID:8868
- C:\Windows\System32\VfTTRal.exe
  C:\Windows\System32\VfTTRal.exe
  2⤵
  PID:8920
- C:\Windows\System32\fRcuzhq.exe
  C:\Windows\System32\fRcuzhq.exe
  2⤵
  PID:8976
- C:\Windows\System32\tDCHnWc.exe
  C:\Windows\System32\tDCHnWc.exe
  2⤵
  PID:9016
- C:\Windows\System32\IUNAFMY.exe
  C:\Windows\System32\IUNAFMY.exe
  2⤵
  PID:9036
- C:\Windows\System32\BSRNmCU.exe
  C:\Windows\System32\BSRNmCU.exe
  2⤵
  PID:9056
- C:\Windows\System32\yiUotgB.exe
  C:\Windows\System32\yiUotgB.exe
  2⤵
  PID:9076
- C:\Windows\System32\BYMjYeA.exe
  C:\Windows\System32\BYMjYeA.exe
  2⤵
  PID:9120
- C:\Windows\System32\wXRfcUf.exe
  C:\Windows\System32\wXRfcUf.exe
  2⤵
  PID:9140
- C:\Windows\System32\LadcHtR.exe
  C:\Windows\System32\LadcHtR.exe
  2⤵
  PID:9188
- C:\Windows\System32\Nshzfsc.exe
  C:\Windows\System32\Nshzfsc.exe
  2⤵
  PID:9212
- C:\Windows\System32\tyYRixA.exe
  C:\Windows\System32\tyYRixA.exe
  2⤵
  PID:8276
- C:\Windows\System32\MqRgXdy.exe
  C:\Windows\System32\MqRgXdy.exe
  2⤵
  PID:8320
- C:\Windows\System32\gsqtShB.exe
  C:\Windows\System32\gsqtShB.exe
  2⤵
  PID:8316
- C:\Windows\System32\vnxxyHL.exe
  C:\Windows\System32\vnxxyHL.exe
  2⤵
  PID:8408
- C:\Windows\System32\uYUDbOb.exe
  C:\Windows\System32\uYUDbOb.exe
  2⤵
  PID:8504
- C:\Windows\System32\qfgfTlI.exe
  C:\Windows\System32\qfgfTlI.exe
  2⤵
  PID:8616
- C:\Windows\System32\WmAwsWV.exe
  C:\Windows\System32\WmAwsWV.exe
  2⤵
  PID:8596
- C:\Windows\System32\odJgZkr.exe
  C:\Windows\System32\odJgZkr.exe
  2⤵
  PID:8588
- C:\Windows\System32\FPFOtHC.exe
  C:\Windows\System32\FPFOtHC.exe
  2⤵
  PID:8776
- C:\Windows\System32\PMXwBYu.exe
  C:\Windows\System32\PMXwBYu.exe
  2⤵
  PID:8792
- C:\Windows\System32\oPeHbnH.exe
  C:\Windows\System32\oPeHbnH.exe
  2⤵
  PID:8876
- C:\Windows\System32\pPNUxvT.exe
  C:\Windows\System32\pPNUxvT.exe
  2⤵
  PID:9200
- C:\Windows\System32\tMdSFdV.exe
  C:\Windows\System32\tMdSFdV.exe
  2⤵
  PID:8136
- C:\Windows\System32\CntuHyI.exe
  C:\Windows\System32\CntuHyI.exe
  2⤵
  PID:8280
- C:\Windows\System32\IsmWDlo.exe
  C:\Windows\System32\IsmWDlo.exe
  2⤵
  PID:8344
- C:\Windows\System32\iezNpCB.exe
  C:\Windows\System32\iezNpCB.exe
  2⤵
  PID:8448
- C:\Windows\System32\AXxJwEX.exe
  C:\Windows\System32\AXxJwEX.exe
  2⤵
  PID:8460
- C:\Windows\System32\zCjtFRw.exe
  C:\Windows\System32\zCjtFRw.exe
  2⤵
  PID:8556
- C:\Windows\System32\hwkVcLM.exe
  C:\Windows\System32\hwkVcLM.exe
  2⤵
  PID:8612
- C:\Windows\System32\pXArNbv.exe
  C:\Windows\System32\pXArNbv.exe
  2⤵
  PID:8708
- C:\Windows\System32\bbQvpkx.exe
  C:\Windows\System32\bbQvpkx.exe
  2⤵
  PID:8840
- C:\Windows\System32\EmyLvct.exe
  C:\Windows\System32\EmyLvct.exe
  2⤵
  PID:9220
- C:\Windows\System32\yYVgNCa.exe
  C:\Windows\System32\yYVgNCa.exe
  2⤵
  PID:9236
- C:\Windows\System32\eyUhdUA.exe
  C:\Windows\System32\eyUhdUA.exe
  2⤵
  PID:9252
- C:\Windows\System32\iiicoWy.exe
  C:\Windows\System32\iiicoWy.exe
  2⤵
  PID:9268
- C:\Windows\System32\sYAPRsR.exe
  C:\Windows\System32\sYAPRsR.exe
  2⤵
  PID:9284
- C:\Windows\System32\VAMRwyZ.exe
  C:\Windows\System32\VAMRwyZ.exe
  2⤵
  PID:9300
- C:\Windows\System32\phWqiWm.exe
  C:\Windows\System32\phWqiWm.exe
  2⤵
  PID:9316
- C:\Windows\System32\eJhhkPq.exe
  C:\Windows\System32\eJhhkPq.exe
  2⤵
  PID:9332
- C:\Windows\System32\djDTgAW.exe
  C:\Windows\System32\djDTgAW.exe
  2⤵
  PID:9348
- C:\Windows\System32\eaRirjW.exe
  C:\Windows\System32\eaRirjW.exe
  2⤵
  PID:9364
- C:\Windows\System32\WiuGTqI.exe
  C:\Windows\System32\WiuGTqI.exe
  2⤵
  PID:9380
- C:\Windows\System32\EsvUOoX.exe
  C:\Windows\System32\EsvUOoX.exe
  2⤵
  PID:9468
- C:\Windows\System32\OcQYiRf.exe
  C:\Windows\System32\OcQYiRf.exe
  2⤵
  PID:9524
- C:\Windows\System32\zmjowqr.exe
  C:\Windows\System32\zmjowqr.exe
  2⤵
  PID:9576
- C:\Windows\System32\qfKPUxy.exe
  C:\Windows\System32\qfKPUxy.exe
  2⤵
  PID:9596
- C:\Windows\System32\XmIJXkp.exe
  C:\Windows\System32\XmIJXkp.exe
  2⤵
  PID:9620
- C:\Windows\System32\ebyfUiJ.exe
  C:\Windows\System32\ebyfUiJ.exe
  2⤵
  PID:9700
- C:\Windows\System32\JsSxttv.exe
  C:\Windows\System32\JsSxttv.exe
  2⤵
  PID:9720
- C:\Windows\System32\QtQrgYE.exe
  C:\Windows\System32\QtQrgYE.exe
  2⤵
  PID:9744
- C:\Windows\System32\kIzzsaT.exe
  C:\Windows\System32\kIzzsaT.exe
  2⤵
  PID:9900
- C:\Windows\System32\upfUolZ.exe
  C:\Windows\System32\upfUolZ.exe
  2⤵
  PID:9920
- C:\Windows\System32\yZWzHgs.exe
  C:\Windows\System32\yZWzHgs.exe
  2⤵
  PID:9936
- C:\Windows\System32\uQzMTey.exe
  C:\Windows\System32\uQzMTey.exe
  2⤵
  PID:9964
- C:\Windows\System32\SxEzxgh.exe
  C:\Windows\System32\SxEzxgh.exe
  2⤵
  PID:10000
- C:\Windows\System32\Pghwdam.exe
  C:\Windows\System32\Pghwdam.exe
  2⤵
  PID:10048
- C:\Windows\System32\mUbrxiU.exe
  C:\Windows\System32\mUbrxiU.exe
  2⤵
  PID:10076
- C:\Windows\System32\ejpbbtu.exe
  C:\Windows\System32\ejpbbtu.exe
  2⤵
  PID:10112
- C:\Windows\System32\GBpqHEI.exe
  C:\Windows\System32\GBpqHEI.exe
  2⤵
  PID:10140
- C:\Windows\System32\hIHdfmD.exe
  C:\Windows\System32\hIHdfmD.exe
  2⤵
  PID:10160
- C:\Windows\System32\MmtUnxQ.exe
  C:\Windows\System32\MmtUnxQ.exe
  2⤵
  PID:10176
- C:\Windows\System32\BXCzggr.exe
  C:\Windows\System32\BXCzggr.exe
  2⤵
  PID:10208
- C:\Windows\System32\OlVfXFE.exe
  C:\Windows\System32\OlVfXFE.exe
  2⤵
  PID:8424
- C:\Windows\System32\CVIIRBN.exe
  C:\Windows\System32\CVIIRBN.exe
  2⤵
  PID:8744
- C:\Windows\System32\tWGwVct.exe
  C:\Windows\System32\tWGwVct.exe
  2⤵
  PID:9244
- C:\Windows\System32\jABfgQo.exe
  C:\Windows\System32\jABfgQo.exe
  2⤵
  PID:9420
- C:\Windows\System32\psShCGO.exe
  C:\Windows\System32\psShCGO.exe
  2⤵
  PID:8944
- C:\Windows\System32\ATKiFxz.exe
  C:\Windows\System32\ATKiFxz.exe
  2⤵
  PID:9048
- C:\Windows\System32\SLwfqPH.exe
  C:\Windows\System32\SLwfqPH.exe
  2⤵
  PID:9484
- C:\Windows\System32\jjQxMcN.exe
  C:\Windows\System32\jjQxMcN.exe
  2⤵
  PID:8284
- C:\Windows\System32\DveTZeC.exe
  C:\Windows\System32\DveTZeC.exe
  2⤵
  PID:8812
- C:\Windows\System32\CDWeNqV.exe
  C:\Windows\System32\CDWeNqV.exe
  2⤵
  PID:9248
- C:\Windows\System32\hbsehDZ.exe
  C:\Windows\System32\hbsehDZ.exe
  2⤵
  PID:9344
- C:\Windows\System32\INLuWMq.exe
  C:\Windows\System32\INLuWMq.exe
  2⤵
  PID:9388
- C:\Windows\System32\hTanQiN.exe
  C:\Windows\System32\hTanQiN.exe
  2⤵
  PID:9564
- C:\Windows\System32\ZWXZINL.exe
  C:\Windows\System32\ZWXZINL.exe
  2⤵
  PID:9696
- C:\Windows\System32\HAXMQiT.exe
  C:\Windows\System32\HAXMQiT.exe
  2⤵
  PID:9716
- C:\Windows\System32\niQQqzY.exe
  C:\Windows\System32\niQQqzY.exe
  2⤵
  PID:9664
- C:\Windows\System32\yhWikpK.exe
  C:\Windows\System32\yhWikpK.exe
  2⤵
  PID:9840
- C:\Windows\System32\ECmnshk.exe
  C:\Windows\System32\ECmnshk.exe
  2⤵
  PID:9932
- C:\Windows\System32\OtBqPEF.exe
  C:\Windows\System32\OtBqPEF.exe
  2⤵
  PID:10024
- C:\Windows\System32\lIdjBMn.exe
  C:\Windows\System32\lIdjBMn.exe
  2⤵
  PID:10096
- C:\Windows\System32\UVadBOc.exe
  C:\Windows\System32\UVadBOc.exe
  2⤵
  PID:10188
- C:\Windows\System32\AfUQlyn.exe
  C:\Windows\System32\AfUQlyn.exe
  2⤵
  PID:10184
- C:\Windows\System32\EEHNhPO.exe
  C:\Windows\System32\EEHNhPO.exe
  2⤵
  PID:10224
- C:\Windows\System32\ATpCwOi.exe
  C:\Windows\System32\ATpCwOi.exe
  2⤵
  PID:9276
- C:\Windows\System32\uVMUHOC.exe
  C:\Windows\System32\uVMUHOC.exe
  2⤵
  PID:9424
- C:\Windows\System32\RAllMCI.exe
  C:\Windows\System32\RAllMCI.exe
  2⤵
  PID:9436
- C:\Windows\System32\pIlZSOb.exe
  C:\Windows\System32\pIlZSOb.exe
  2⤵
  PID:9448
- C:\Windows\System32\ZPgwbWP.exe
  C:\Windows\System32\ZPgwbWP.exe
  2⤵
  PID:9232
- C:\Windows\System32\NhoVYvY.exe
  C:\Windows\System32\NhoVYvY.exe
  2⤵
  PID:9656
- C:\Windows\System32\uLtMPeX.exe
  C:\Windows\System32\uLtMPeX.exe
  2⤵
  PID:9868
- C:\Windows\System32\kGnComH.exe
  C:\Windows\System32\kGnComH.exe
  2⤵
  PID:6580
- C:\Windows\System32\xkKpBxE.exe
  C:\Windows\System32\xkKpBxE.exe
  2⤵
  PID:9044
- C:\Windows\System32\NKcPkmo.exe
  C:\Windows\System32\NKcPkmo.exe
  2⤵
  PID:8580
- C:\Windows\System32\IIMCgjU.exe
  C:\Windows\System32\IIMCgjU.exe
  2⤵
  PID:9572
- C:\Windows\System32\EiTOskl.exe
  C:\Windows\System32\EiTOskl.exe
  2⤵
  PID:9980
- C:\Windows\System32\ejdnMyc.exe
  C:\Windows\System32\ejdnMyc.exe
  2⤵
  PID:10136
- C:\Windows\System32\ytCibEx.exe
  C:\Windows\System32\ytCibEx.exe
  2⤵
  PID:9408
- C:\Windows\System32\sCmSjVW.exe
  C:\Windows\System32\sCmSjVW.exe
  2⤵
  PID:9308
- C:\Windows\System32\cLaavgr.exe
  C:\Windows\System32\cLaavgr.exe
  2⤵
  PID:10264
- C:\Windows\System32\MBYZseY.exe
  C:\Windows\System32\MBYZseY.exe
  2⤵
  PID:10308
- C:\Windows\System32\nNLDpUc.exe
  C:\Windows\System32\nNLDpUc.exe
  2⤵
  PID:10332
- C:\Windows\System32\fsPrdgV.exe
  C:\Windows\System32\fsPrdgV.exe
  2⤵
  PID:10364
- C:\Windows\System32\vcAYpvv.exe
  C:\Windows\System32\vcAYpvv.exe
  2⤵
  PID:10380
- C:\Windows\System32\TZTnpsG.exe
  C:\Windows\System32\TZTnpsG.exe
  2⤵
  PID:10408
- C:\Windows\System32\aBWcblL.exe
  C:\Windows\System32\aBWcblL.exe
  2⤵
  PID:10436
- C:\Windows\System32\ZYxnyJY.exe
  C:\Windows\System32\ZYxnyJY.exe
  2⤵
  PID:10452
- C:\Windows\System32\EICvTKA.exe
  C:\Windows\System32\EICvTKA.exe
  2⤵
  PID:10480
- C:\Windows\System32\ZciepTY.exe
  C:\Windows\System32\ZciepTY.exe
  2⤵
  PID:10500
- C:\Windows\System32\jZseKrW.exe
  C:\Windows\System32\jZseKrW.exe
  2⤵
  PID:10552
- C:\Windows\System32\imeNnSZ.exe
  C:\Windows\System32\imeNnSZ.exe
  2⤵
  PID:10576
- C:\Windows\System32\mrKYKMm.exe
  C:\Windows\System32\mrKYKMm.exe
  2⤵
  PID:10596
- C:\Windows\System32\mSlWePD.exe
  C:\Windows\System32\mSlWePD.exe
  2⤵
  PID:10620
- C:\Windows\System32\HmsNgsS.exe
  C:\Windows\System32\HmsNgsS.exe
  2⤵
  PID:10684
- C:\Windows\System32\nPhxyyw.exe
  C:\Windows\System32\nPhxyyw.exe
  2⤵
  PID:10700
- C:\Windows\System32\dyeQdtw.exe
  C:\Windows\System32\dyeQdtw.exe
  2⤵
  PID:10716
- C:\Windows\System32\zLazlBf.exe
  C:\Windows\System32\zLazlBf.exe
  2⤵
  PID:10756
- C:\Windows\System32\pGaInfK.exe
  C:\Windows\System32\pGaInfK.exe
  2⤵
  PID:10776
- C:\Windows\System32\JHNOTUH.exe
  C:\Windows\System32\JHNOTUH.exe
  2⤵
  PID:10800
- C:\Windows\System32\mOzqgmt.exe
  C:\Windows\System32\mOzqgmt.exe
  2⤵
  PID:10820
- C:\Windows\System32\MUYBRWp.exe
  C:\Windows\System32\MUYBRWp.exe
  2⤵
  PID:10844
- C:\Windows\System32\keCUdvZ.exe
  C:\Windows\System32\keCUdvZ.exe
  2⤵
  PID:10860
- C:\Windows\System32\WAYDEgz.exe
  C:\Windows\System32\WAYDEgz.exe
  2⤵
  PID:10892
- C:\Windows\System32\bWJLpoQ.exe
  C:\Windows\System32\bWJLpoQ.exe
  2⤵
  PID:10912
- C:\Windows\System32\ZJAqMUK.exe
  C:\Windows\System32\ZJAqMUK.exe
  2⤵
  PID:10936
- C:\Windows\System32\FeeLjmF.exe
  C:\Windows\System32\FeeLjmF.exe
  2⤵
  PID:10996
- C:\Windows\System32\geYBZwn.exe
  C:\Windows\System32\geYBZwn.exe
  2⤵
  PID:11016
- C:\Windows\System32\UAunveW.exe
  C:\Windows\System32\UAunveW.exe
  2⤵
  PID:11040
- C:\Windows\System32\UrbeMqz.exe
  C:\Windows\System32\UrbeMqz.exe
  2⤵
  PID:11056
- C:\Windows\System32\FIiTZWP.exe
  C:\Windows\System32\FIiTZWP.exe
  2⤵
  PID:11080
- C:\Windows\System32\QXxqUJa.exe
  C:\Windows\System32\QXxqUJa.exe
  2⤵
  PID:11112
- C:\Windows\System32\HGRWgqi.exe
  C:\Windows\System32\HGRWgqi.exe
  2⤵
  PID:11184
- C:\Windows\System32\MjEeZUn.exe
  C:\Windows\System32\MjEeZUn.exe
  2⤵
  PID:11208
- C:\Windows\System32\HvrxlAE.exe
  C:\Windows\System32\HvrxlAE.exe
  2⤵
  PID:11232
- C:\Windows\System32\XVrJEsy.exe
  C:\Windows\System32\XVrJEsy.exe
  2⤵
  PID:11248
- C:\Windows\System32\ieXIMhP.exe
  C:\Windows\System32\ieXIMhP.exe
  2⤵
  PID:9464
- C:\Windows\System32\LsDigMz.exe
  C:\Windows\System32\LsDigMz.exe
  2⤵
  PID:10260
- C:\Windows\System32\FaLprkM.exe
  C:\Windows\System32\FaLprkM.exe
  2⤵
  PID:10296
- C:\Windows\System32\jKaPsjw.exe
  C:\Windows\System32\jKaPsjw.exe
  2⤵
  PID:10372
- C:\Windows\System32\okzvpxK.exe
  C:\Windows\System32\okzvpxK.exe
  2⤵
  PID:10400
- C:\Windows\System32\SkbosDu.exe
  C:\Windows\System32\SkbosDu.exe
  2⤵
  PID:10464
- C:\Windows\System32\KOqIomS.exe
  C:\Windows\System32\KOqIomS.exe
  2⤵
  PID:10616
- C:\Windows\System32\hEAyCJo.exe
  C:\Windows\System32\hEAyCJo.exe
  2⤵
  PID:10628
- C:\Windows\System32\lcLkSkX.exe
  C:\Windows\System32\lcLkSkX.exe
  2⤵
  PID:10708
- C:\Windows\System32\ffLehmn.exe
  C:\Windows\System32\ffLehmn.exe
  2⤵
  PID:10772
- C:\Windows\System32\egEsxfM.exe
  C:\Windows\System32\egEsxfM.exe
  2⤵
  PID:10840
- C:\Windows\System32\FkqpgrQ.exe
  C:\Windows\System32\FkqpgrQ.exe
  2⤵
  PID:11028
- C:\Windows\System32\SmHBSqi.exe
  C:\Windows\System32\SmHBSqi.exe
  2⤵
  PID:11036
- C:\Windows\System32\CBRjRum.exe
  C:\Windows\System32\CBRjRum.exe
  2⤵
  PID:11120
- C:\Windows\System32\gulQYmr.exe
  C:\Windows\System32\gulQYmr.exe
  2⤵
  PID:11156
- C:\Windows\System32\nkJHCqe.exe
  C:\Windows\System32\nkJHCqe.exe
  2⤵
  PID:11196
- C:\Windows\System32\dfdEOhp.exe
  C:\Windows\System32\dfdEOhp.exe
  2⤵
  PID:11240
- C:\Windows\System32\ZYvxUdC.exe
  C:\Windows\System32\ZYvxUdC.exe
  2⤵
  PID:10248
- C:\Windows\System32\stwpGen.exe
  C:\Windows\System32\stwpGen.exe
  2⤵
  PID:10444
- C:\Windows\System32\qItNDyU.exe
  C:\Windows\System32\qItNDyU.exe
  2⤵
  PID:10736
- C:\Windows\System32\QUsVToN.exe
  C:\Windows\System32\QUsVToN.exe
  2⤵
  PID:10888
- C:\Windows\System32\hvsIuAg.exe
  C:\Windows\System32\hvsIuAg.exe
  2⤵
  PID:11048
- C:\Windows\System32\xSSbaOo.exe
  C:\Windows\System32\xSSbaOo.exe
  2⤵
  PID:964
- C:\Windows\System32\rgqNyWa.exe
  C:\Windows\System32\rgqNyWa.exe
  2⤵
  PID:11168
- C:\Windows\System32\gjYHAXB.exe
  C:\Windows\System32\gjYHAXB.exe
  2⤵
  PID:10392
- C:\Windows\System32\HkpSVnk.exe
  C:\Windows\System32\HkpSVnk.exe
  2⤵
  PID:10828
- C:\Windows\System32\JWakPXv.exe
  C:\Windows\System32\JWakPXv.exe
  2⤵
  PID:11092
- C:\Windows\System32\VoHfshz.exe
  C:\Windows\System32\VoHfshz.exe
  2⤵
  PID:10272
- C:\Windows\System32\kBaolhC.exe
  C:\Windows\System32\kBaolhC.exe
  2⤵
  PID:5108
- C:\Windows\System32\DkmYrzB.exe
  C:\Windows\System32\DkmYrzB.exe
  2⤵
  PID:11284
- C:\Windows\System32\xhmfVwi.exe
  C:\Windows\System32\xhmfVwi.exe
  2⤵
  PID:11300
- C:\Windows\System32\AfkdIBP.exe
  C:\Windows\System32\AfkdIBP.exe
  2⤵
  PID:11356
- C:\Windows\System32\cBveIMf.exe
  C:\Windows\System32\cBveIMf.exe
  2⤵
  PID:11376
- C:\Windows\System32\hDnjjoL.exe
  C:\Windows\System32\hDnjjoL.exe
  2⤵
  PID:11400
- C:\Windows\System32\nUKXQTJ.exe
  C:\Windows\System32\nUKXQTJ.exe
  2⤵
  PID:11432
- C:\Windows\System32\iYjpZBd.exe
  C:\Windows\System32\iYjpZBd.exe
  2⤵
  PID:11456
- C:\Windows\System32\RrWcKME.exe
  C:\Windows\System32\RrWcKME.exe
  2⤵
  PID:11500
- C:\Windows\System32\sWthDuj.exe
  C:\Windows\System32\sWthDuj.exe
  2⤵
  PID:11544
- C:\Windows\System32\jkZowkk.exe
  C:\Windows\System32\jkZowkk.exe
  2⤵
  PID:11572
- C:\Windows\System32\pfmCoin.exe
  C:\Windows\System32\pfmCoin.exe
  2⤵
  PID:11592
- C:\Windows\System32\WQBkYIY.exe
  C:\Windows\System32\WQBkYIY.exe
  2⤵
  PID:11608
- C:\Windows\System32\IzUnfBx.exe
  C:\Windows\System32\IzUnfBx.exe
  2⤵
  PID:11632
- C:\Windows\System32\dHVoRGy.exe
  C:\Windows\System32\dHVoRGy.exe
  2⤵
  PID:11648
- C:\Windows\System32\OVQMuab.exe
  C:\Windows\System32\OVQMuab.exe
  2⤵
  PID:11680
- C:\Windows\System32\OgZSOhc.exe
  C:\Windows\System32\OgZSOhc.exe
  2⤵
  PID:11716
- C:\Windows\System32\nRwFgBu.exe
  C:\Windows\System32\nRwFgBu.exe
  2⤵
  PID:11744
- C:\Windows\System32\uEenbAT.exe
  C:\Windows\System32\uEenbAT.exe
  2⤵
  PID:11760
- C:\Windows\System32\yAVspHv.exe
  C:\Windows\System32\yAVspHv.exe
  2⤵
  PID:11812
- C:\Windows\System32\yWbtJbT.exe
  C:\Windows\System32\yWbtJbT.exe
  2⤵
  PID:11836
- C:\Windows\System32\WqSJJaT.exe
  C:\Windows\System32\WqSJJaT.exe
  2⤵
  PID:11856
- C:\Windows\System32\xSUZlSL.exe
  C:\Windows\System32\xSUZlSL.exe
  2⤵
  PID:11888
- C:\Windows\System32\JmfvgGI.exe
  C:\Windows\System32\JmfvgGI.exe
  2⤵
  PID:11924
- C:\Windows\System32\sHrjVhB.exe
  C:\Windows\System32\sHrjVhB.exe
  2⤵
  PID:11956
- C:\Windows\System32\URPcexr.exe
  C:\Windows\System32\URPcexr.exe
  2⤵
  PID:11984
- C:\Windows\System32\dYJILmf.exe
  C:\Windows\System32\dYJILmf.exe
  2⤵
  PID:12008
- C:\Windows\System32\QOFGpoY.exe
  C:\Windows\System32\QOFGpoY.exe
  2⤵
  PID:12028
- C:\Windows\System32\Kcmbhxm.exe
  C:\Windows\System32\Kcmbhxm.exe
  2⤵
  PID:12056
- C:\Windows\System32\SuTinmB.exe
  C:\Windows\System32\SuTinmB.exe
  2⤵
  PID:12072
- C:\Windows\System32\HLHsqGZ.exe
  C:\Windows\System32\HLHsqGZ.exe
  2⤵
  PID:12092
- C:\Windows\System32\KoesCwm.exe
  C:\Windows\System32\KoesCwm.exe
  2⤵
  PID:12140
- C:\Windows\System32\VJwXqEZ.exe
  C:\Windows\System32\VJwXqEZ.exe
  2⤵
  PID:12156
- C:\Windows\System32\EJBDqFj.exe
  C:\Windows\System32\EJBDqFj.exe
  2⤵
  PID:12188
- C:\Windows\System32\YwtAEAm.exe
  C:\Windows\System32\YwtAEAm.exe
  2⤵
  PID:12208
- C:\Windows\System32\AikEXHd.exe
  C:\Windows\System32\AikEXHd.exe
  2⤵
  PID:12228
- C:\Windows\System32\aUaODzr.exe
  C:\Windows\System32\aUaODzr.exe
  2⤵
  PID:12244
- C:\Windows\System32\cDCxZJB.exe
  C:\Windows\System32\cDCxZJB.exe
  2⤵
  PID:10904
- C:\Windows\System32\UVNvzPF.exe
  C:\Windows\System32\UVNvzPF.exe
  2⤵
  PID:10276
- C:\Windows\System32\uukvfgt.exe
  C:\Windows\System32\uukvfgt.exe
  2⤵
  PID:11368
- C:\Windows\System32\OZNdhHI.exe
  C:\Windows\System32\OZNdhHI.exe
  2⤵
  PID:4168
- C:\Windows\System32\zofjXsq.exe
  C:\Windows\System32\zofjXsq.exe
  2⤵
  PID:11440
- C:\Windows\System32\zAFPgnx.exe
  C:\Windows\System32\zAFPgnx.exe
  2⤵
  PID:11520
- C:\Windows\System32\twPdZFt.exe
  C:\Windows\System32\twPdZFt.exe
  2⤵
  PID:11604
- C:\Windows\System32\TVdhHAg.exe
  C:\Windows\System32\TVdhHAg.exe
  2⤵
  PID:11664
- C:\Windows\System32\iLTwEXg.exe
  C:\Windows\System32\iLTwEXg.exe
  2⤵
  PID:11792
- C:\Windows\System32\vjhifXG.exe
  C:\Windows\System32\vjhifXG.exe
  2⤵
  PID:11848
- C:\Windows\System32\ocTcubZ.exe
  C:\Windows\System32\ocTcubZ.exe
  2⤵
  PID:11936
- C:\Windows\System32\BchHDEu.exe
  C:\Windows\System32\BchHDEu.exe
  2⤵
  PID:11972
- C:\Windows\System32\caZzvnQ.exe
  C:\Windows\System32\caZzvnQ.exe
  2⤵
  PID:12044
- C:\Windows\System32\foMVAcw.exe
  C:\Windows\System32\foMVAcw.exe
  2⤵
  PID:12064
- C:\Windows\System32\ovpwkjK.exe
  C:\Windows\System32\ovpwkjK.exe
  2⤵
  PID:12176
- C:\Windows\System32\ccVKoAJ.exe
  C:\Windows\System32\ccVKoAJ.exe
  2⤵
  PID:12240
- C:\Windows\System32\OWwUgDx.exe
  C:\Windows\System32\OWwUgDx.exe
  2⤵
  PID:12252
- C:\Windows\System32\CYLcktx.exe
  C:\Windows\System32\CYLcktx.exe
  2⤵
  PID:11296
- C:\Windows\System32\DmXcnIA.exe
  C:\Windows\System32\DmXcnIA.exe
  2⤵
  PID:11308
- C:\Windows\System32\NjDycJM.exe
  C:\Windows\System32\NjDycJM.exe
  2⤵
  PID:11420
- C:\Windows\System32\vAfJcjq.exe
  C:\Windows\System32\vAfJcjq.exe
  2⤵
  PID:11728
- C:\Windows\System32\auOCnxP.exe
  C:\Windows\System32\auOCnxP.exe
  2⤵
  PID:11828
- C:\Windows\System32\dvkMGiG.exe
  C:\Windows\System32\dvkMGiG.exe
  2⤵
  PID:11896
- C:\Windows\System32\YfqVxaA.exe
  C:\Windows\System32\YfqVxaA.exe
  2⤵
  PID:12016
- C:\Windows\System32\aiivWTh.exe
  C:\Windows\System32\aiivWTh.exe
  2⤵
  PID:12256
- C:\Windows\System32\PSLRYGy.exe
  C:\Windows\System32\PSLRYGy.exe
  2⤵
  PID:4612
- C:\Windows\System32\HPldLvV.exe
  C:\Windows\System32\HPldLvV.exe
  2⤵
  PID:3744
- C:\Windows\System32\BJRoiMl.exe
  C:\Windows\System32\BJRoiMl.exe
  2⤵
  PID:11580
- C:\Windows\System32\EKwizgk.exe
  C:\Windows\System32\EKwizgk.exe
  2⤵
  PID:12204
- C:\Windows\System32\UicBkGN.exe
  C:\Windows\System32\UicBkGN.exe
  2⤵
  PID:4516
- C:\Windows\System32\XBZEQqb.exe
  C:\Windows\System32\XBZEQqb.exe
  2⤵
  PID:11620
- C:\Windows\System32\scGXtRc.exe
  C:\Windows\System32\scGXtRc.exe
  2⤵
  PID:12132
- C:\Windows\System32\IjMIgbR.exe
  C:\Windows\System32\IjMIgbR.exe
  2⤵
  PID:12024
- C:\Windows\System32\ThtHDuh.exe
  C:\Windows\System32\ThtHDuh.exe
  2⤵
  PID:12296
- C:\Windows\System32\ztUIcLG.exe
  C:\Windows\System32\ztUIcLG.exe
  2⤵
  PID:12320
- C:\Windows\System32\neZmUWZ.exe
  C:\Windows\System32\neZmUWZ.exe
  2⤵
  PID:12344
- C:\Windows\System32\hQJIzpk.exe
  C:\Windows\System32\hQJIzpk.exe
  2⤵
  PID:12432
- C:\Windows\System32\KVVsJvN.exe
  C:\Windows\System32\KVVsJvN.exe
  2⤵
  PID:12452
- C:\Windows\System32\rbeChXM.exe
  C:\Windows\System32\rbeChXM.exe
  2⤵
  PID:12476
- C:\Windows\System32\qlBDHIf.exe
  C:\Windows\System32\qlBDHIf.exe
  2⤵
  PID:12504
- C:\Windows\System32\ghVpYJU.exe
  C:\Windows\System32\ghVpYJU.exe
  2⤵
  PID:12524
- C:\Windows\System32\iPvmIWa.exe
  C:\Windows\System32\iPvmIWa.exe
  2⤵
  PID:12552
- C:\Windows\System32\xdCMetD.exe
  C:\Windows\System32\xdCMetD.exe
  2⤵
  PID:12568
- C:\Windows\System32\jPWeCIo.exe
  C:\Windows\System32\jPWeCIo.exe
  2⤵
  PID:12588
- C:\Windows\System32\iVGsIKc.exe
  C:\Windows\System32\iVGsIKc.exe
  2⤵
  PID:12632
- C:\Windows\System32\zuEvXMF.exe
  C:\Windows\System32\zuEvXMF.exe
  2⤵
  PID:12660
- C:\Windows\System32\jEdBEqE.exe
  C:\Windows\System32\jEdBEqE.exe
  2⤵
  PID:12688
- C:\Windows\System32\AtbzfUs.exe
  C:\Windows\System32\AtbzfUs.exe
  2⤵
  PID:12716
- C:\Windows\System32\qVCWFhy.exe
  C:\Windows\System32\qVCWFhy.exe
  2⤵
  PID:12740
- C:\Windows\System32\ZIGmCyI.exe
  C:\Windows\System32\ZIGmCyI.exe
  2⤵
  PID:12788
- C:\Windows\System32\FclYIJE.exe
  C:\Windows\System32\FclYIJE.exe
  2⤵
  PID:12808
- C:\Windows\System32\hVEgBxO.exe
  C:\Windows\System32\hVEgBxO.exe
  2⤵
  PID:12844
- C:\Windows\System32\OYZhMqy.exe
  C:\Windows\System32\OYZhMqy.exe
  2⤵
  PID:12868
- C:\Windows\System32\jjagOMY.exe
  C:\Windows\System32\jjagOMY.exe
  2⤵
  PID:12884
- C:\Windows\System32\UwtDXAb.exe
  C:\Windows\System32\UwtDXAb.exe
  2⤵
  PID:12908
- C:\Windows\System32\XrRutVE.exe
  C:\Windows\System32\XrRutVE.exe
  2⤵
  PID:12956
- C:\Windows\System32\NLSwJtI.exe
  C:\Windows\System32\NLSwJtI.exe
  2⤵
  PID:12972
- C:\Windows\System32\VovxXsy.exe
  C:\Windows\System32\VovxXsy.exe
  2⤵
  PID:12996
- C:\Windows\System32\JtGPvFt.exe
  C:\Windows\System32\JtGPvFt.exe
  2⤵
  PID:13020
- C:\Windows\System32\hRhKKoH.exe
  C:\Windows\System32\hRhKKoH.exe
  2⤵
  PID:13056
- C:\Windows\System32\vfJbhfR.exe
  C:\Windows\System32\vfJbhfR.exe
  2⤵
  PID:13088
- C:\Windows\System32\NleArkt.exe
  C:\Windows\System32\NleArkt.exe
  2⤵
  PID:13108
- C:\Windows\System32\LhhCEqp.exe
  C:\Windows\System32\LhhCEqp.exe
  2⤵
  PID:13124
- C:\Windows\System32\dtZbVrJ.exe
  C:\Windows\System32\dtZbVrJ.exe
  2⤵
  PID:13176
- C:\Windows\System32\KWusmOv.exe
  C:\Windows\System32\KWusmOv.exe
  2⤵
  PID:13200

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DfjLkRn.exe

Filesize
1.1MB

MD5
97f3a29d503767fcfecb3e0a2725b3bc

SHA1
f08d0bd07264aacb4f29c8fe34915aa16a2da14a

SHA256
33751024b2b56537bb8c2429e815e50fd2f30091c763c3b720a58a6c7edc28dd

SHA512
099e1ee8cd32ef4fa579682098eb9ed83fc7e25fddc9ad2ebe5300fb732e356c5325a3cad0047e7059c14288d1759a8a8d3d9086ea511a29d24d145b4f6ee213

Download Submit
C:\Windows\System32\DjjQAxE.exe

Filesize
1.1MB

MD5
67748f717beebcab752dffaa6714da84

SHA1
be19a8ee0b811f855941463159557f5531e4a9a1

SHA256
f16d59a4b10a03009981ad4332fdf2baee11552c36057e168ae2036a1caeffcb

SHA512
b625691edad2716d8f1e8e73bf5332be78fdc59697d4ade2eb6394cd0ae26f6c28664ff7dec3582137e42ac4dce8068849ce20684d5f433f20188f0c8ca65df5

Download Submit
C:\Windows\System32\EHVLkPh.exe

Filesize
1.1MB

MD5
c06f801d460230151f87f674002c7774

SHA1
369b7a9f0dbbff64b52567c4ce70cc5738309420

SHA256
abd50f3fb0f9987fe3f2c8e7409d72384cec80ca11708d53ff6aef96f7056409

SHA512
6496e61a7c678263d3c7ae7e5a379a87dda675b5df98cc1f3872a38e6a91d95ac8f1f75afc114e701fb2baaff5a8fd24ca2853cdd9a6fb2f39e556d44beae6b5

Download Submit
C:\Windows\System32\EpduASl.exe

Filesize
1.1MB

MD5
bab9d77624c1571f657d8eda10dcb806

SHA1
c8aee59e552b3b528314d86bd31d6153e08fb794

SHA256
e9147a152e5000e62eda9f671216e0e1a4bfad68438c5837fc70d0049927be25

SHA512
2c3ecbf73117f30b90bc24f4b74be4322c5b3993bbb88a6faf8b044de6dc0be33d493dd5fd3f0d31966aad781cc8b07137a229de021d4f55b7e55305fdb799db

Download Submit
C:\Windows\System32\GAVnqOJ.exe

Filesize
1.1MB

MD5
e05f12499a8b5d32aa08fdb368f1ecc0

SHA1
f65bcff43db7dd6863e29481ed44a8f30ccd86d1

SHA256
b16b563b3bf700701136f4de69a53b1e19395fd530c4ac2c6627c0c791931ec5

SHA512
091618679778a0c97120c599234d1c52fa9eb6570d6a300ec5f9b44f573a5536e37c1c37ce944d180b73e3f8f4f735e9f3c897855a34ef94e870868d2768809d

Download Submit
C:\Windows\System32\GnnfYDB.exe

Filesize
1.1MB

MD5
51d71b902e754499edaf040f21395f6b

SHA1
9c6c6aaa42bc3324dcd2077b2e8a3314bd8a34cc

SHA256
8613444321365b52953360d1acc9183aa0cd40c558af24a87cbcd5c359bfd9b5

SHA512
22b0a7e1f8f7a0f9f358445410903e657dfdc30249cd84c11bae8b4f58916013f23e9ad80001fd0bfcde6501df5436ada3dcb30358557a6eee84872133c05f2f

Download Submit
C:\Windows\System32\GvJHTLb.exe

Filesize
1.1MB

MD5
d4531d6db4bab962b298572bb0f23b12

SHA1
9dec809eb2b3fa20f42f397dbc1781abf826dfc8

SHA256
f88b996732506417c95700803e265a5b787d21c54497407bc4c08e7c0b9a659e

SHA512
29736b567cebbdbabbccf3b43ec6ae62cf2ddfa134739983a74ede231e49ddc0c366adeb6e148ed2b67e576c0f9de2750ced0b77d31ddf45e5fb9559e334a165

Download Submit
C:\Windows\System32\HvyJwhl.exe

Filesize
1.1MB

MD5
c85caf065a5d7ca5e95688ad205db3cc

SHA1
08243443ceb3978eb8649ace4c8ac8f631eccc03

SHA256
0057bb3e92481dc4c252f71b50f684409ce1c03ab508901dda12b6bab20595ad

SHA512
7ce37914413f543f857cb8b666f20076da434f205f5c69fd35ed94cc8c4588acfec56fd54cdeef63c735dc98a0d1fb0a5989699c8ad88411336628f2045a1189

Download Submit
C:\Windows\System32\LImRhMT.exe

Filesize
1.1MB

MD5
8735828af22555d6e0caf0d7c28dc3db

SHA1
adba95af68506f6914e3dea174bec4baff813a33

SHA256
ca927b9f75ce43097be645099911ab82c92c4069a241f24fcb9d3e11b1634713

SHA512
27f61c92aca5dfc3396cddf856d12d0414a425a4d63445ab9eb18ec138fbc345e8d2012bf25951a195cb0bdebc647e6330d7dfa267c06201b72aec5623765177

Download Submit
C:\Windows\System32\LwtezqO.exe

Filesize
1.1MB

MD5
8b4ee85caf8d49bbeac787ec67b2589a

SHA1
6624b853803a5fa067425079b9d9c7f2950e803c

SHA256
50d083818ca6fc9f8b8c65c91ad3744a95480891559b2ffbede257b7ffb77a71

SHA512
eef2cbc22a5a66e1403b25dd633668c04fe7ba0153076cab80f7ae307280dd3dbe9cf88cee35e02fd68d5a5fa41002910abbb2927ef49e5f192cc920841baa23

Download Submit
C:\Windows\System32\NnCOvBn.exe

Filesize
1.1MB

MD5
cde36cb531764758f80c0482f847c337

SHA1
8617a6e3d5609f9434195539da87ab2bd20130da

SHA256
4c4550284f52531eb4d12c64e30cc5efbc68e1262fd7bdf2d87c962218cd2205

SHA512
9bbb524bbca5029488ebab0f51211a7daf2688b2cf939d68170f80234a89ed39de61cd340407be27b68f902dc986e5204168d9be5abb85767d6ae37d8d6a1a79

Download Submit
C:\Windows\System32\OIiDuNP.exe

Filesize
1.1MB

MD5
24984698b082e84f8708c01453cacf8c

SHA1
cf8a08594b52e005c9fb00768e1dca90970edfb6

SHA256
ba1f438640349d02ad44d026dfa888a8ffde51ae43b630adfc84511c818b58b6

SHA512
10c55719870401ea3100b0e07f88800ceee64b88533cf76736db151e5b19b446ae92d915c87f06fa334b52e24bf2fa1169cf3c8ec64f9d8d569b6a99379058bd

Download Submit
C:\Windows\System32\OoaJopX.exe

Filesize
1.1MB

MD5
674dc3bd8bc7707a39c0b5145d188e53

SHA1
511b88de9e2b1bcf23ac14e5998e901c8ecfe5d0

SHA256
b4a4e8e1c3d7809614839d59d27d7042d6c10dad88c687ec5bf44bc136df9cfc

SHA512
e0945b1ccaa273a4426e93edf3b4845cee19d99c11f72063e98ad45ab5fe2eb4d4e8ebcca9d1568b49efe62c76d2b844773c3730a4376844988bc167a21823a5

Download Submit
C:\Windows\System32\PdCfjIi.exe

Filesize
1.1MB

MD5
3d906fd489284a50e9f02cbf14c4b9e1

SHA1
ddc319587d073a5078ffaea8d9b1599f09d533ea

SHA256
17cdaf4672fcd1e07072b32435df71348eec902c238e7b9af70f8e0c2d31310b

SHA512
b099a2da7aec6a89cdc662954b7f569e13e96135e5acb30cd45d88d00b0e34b06117166bff43ee2c57866b5e173148cc3e664697c9fdd08a8ae5ca03bcf5c1c6

Download Submit
C:\Windows\System32\PhcQgJF.exe

Filesize
1.1MB

MD5
35d0287700ba91b9e76636b843489993

SHA1
f6296830f872af254d82d899ac25dbbe68485934

SHA256
60b3a688312db382f32c98b9c1a4643cf01b441e7e5d37f9dab0bde31a98c8f9

SHA512
40f1bad4480d0433ea32b4a95ab6dcc619e7b66d1697b388a44383126e11a0f1d210f1ce21df4236a0eaede078708e81886eb2e1130e2e2dc02d43b812f80e02

Download Submit
C:\Windows\System32\TxXksUK.exe

Filesize
1.1MB

MD5
bd28d82aa549c6b097c0d2f52cccf2be

SHA1
f83b72cf11e8303bdf8703b02c51317bf77931ae

SHA256
36863fe79fc895f8c89d9673ae68b316abb500596970041112efbca9e0490447

SHA512
1991e1b4141a1646d6b03f6ae67b21b4ab6a18bf22d1786f2902f553fb206f65900c1e439fd4653a38d8dbd1b6c926211eef3d84ba23904387b02230e5c57b3a

Download Submit
C:\Windows\System32\ZRWdBKh.exe

Filesize
1.1MB

MD5
9cecc457666de534fb73ac8d56ea55cd

SHA1
fcf740e6cc611b5d26d57ef474795af3ee168b1f

SHA256
d3840982ac019f492f14cc4c1d3c6078ce237ebdb6ccccc1e010889357f5dbe3

SHA512
d1ca77ba22a1d8bcfad348fa9abff4c6d5c0fb3907d2c2d14b148dd5f9efa317e955c1fb49e655a8a047c9c71c045e7066a5f0de83d2c07660e3c50e287006f4

Download Submit
C:\Windows\System32\ZUTAKUh.exe

Filesize
1.1MB

MD5
2de768ac8f5de1fd9413b01ef82b39aa

SHA1
086bf9cda2c487fd37c753b8db7db552920fc340

SHA256
760f3cc0fad05b4fac2def6cd82eed0c208fc59fdc2f17061193071ad1a2f44a

SHA512
4efa20b5d917a33570d07d483a87c4929e8554e947e110d4046df404a0f075c41684d8bec9ccf5d56e3bb46f5f01f1b114da7239ae4d63375a7a6bc493050508

Download Submit
C:\Windows\System32\dExNjoD.exe

Filesize
1.1MB

MD5
8192049531c4600692e067e5c329cd77

SHA1
7077ca8b93efb49a5fb3089c1b9ec108178e44ca

SHA256
ae53b98f09bcb8a1d12673919b354a31e705596cc9ef7c5130bfa741a92e06c6

SHA512
f300ef866cfb864bf50a83730a3228b7ac6a7e804d14868f632dd8a1ce7778f28b7c38f42e33dd902bde55066f98f7a341976047b40fdea801b648486613ce29

Download Submit
C:\Windows\System32\dtYkrFT.exe

Filesize
1.1MB

MD5
20847aa1748b29b10114dee91eeac338

SHA1
4bb9419bd151b9c4506b2a243d52a0cf78b0343d

SHA256
6e546435d5c6d80332f5ab562562e9f9158237c831a8ef35cb0471ac4cfb98ff

SHA512
940c2fa714f7b3b9a4de01cfd7b6fd6eef742903447a2430af6e60fde2e05d6f5a477a442706a2ad246390ae03f5aebe217eafcfb87e6dd5619bd9a44dffe823

Download Submit
C:\Windows\System32\ffsBeiH.exe

Filesize
1.1MB

MD5
dde1a5fe03254636921c2ce6dfe963f6

SHA1
595a44c6d66afb8ae3751566f026027a8c812f49

SHA256
4499c00ba774b9939a79ae495cd1942e50b67357eefd6c3d64ff9222f1fb8d59

SHA512
271397d36289f12f72924574fe86398be718b2e3425c0d39ddcf21fd59fcf68ad79632805f0e525ac76a04d1c96bdc924e823caeda3a7bd99a903e897808cf1d

Download Submit
C:\Windows\System32\hGudFCK.exe

Filesize
1.1MB

MD5
ae8aa2463ba6d6f0cd246a417c2f75f6

SHA1
a99f38bba9fff349297e0a9c84eef4e7cee2f0fa

SHA256
2e894d42f864a00d55ef7057e6f45664e0cf69c2ac8b39b9b421282ec425d96d

SHA512
ea3e047d25a91a7d1b09779020eb8834cb502479cfea6817daba90efb7e66b635117d5946dde2ecf2827dca53910202a49d0cb92a82261994a26a57ee63de7fa

Download Submit
C:\Windows\System32\hYDFgLA.exe

Filesize
1.1MB

MD5
dee4c7cb8a89c921cbe7d4e26813eb18

SHA1
dceec010c909e5958bd3fc272077e18cca58301b

SHA256
d573aef20b3259de8a17b2321ef3edda04531fc942b612c4af0298af71801406

SHA512
01cf452876b40a950b83bfa163989e06f759f2d46e3da68c8b1615dc8a4ed64be9ef2c5c2975ad5902187d74483d4826748ae4c4e180fafcfa0e968179bb9f46

Download Submit
C:\Windows\System32\jaeopsc.exe

Filesize
1.1MB

MD5
f915ce281ce3019fd844b4a734ad521a

SHA1
e4544be079cf355504b82b93f2586c4bd68c6775

SHA256
da45da1bbf0d4e4cdf56b22a98a2e27c0e3e384471f338c01474c9e0a32d202d

SHA512
c67c01c50f61df06d03022e5bbfa886523929b36352483ddd019f2b58f41dc08c850b714085acf2b3b04456d1aca0e139149991a69286ca4dbf822ffe32342a5

Download Submit
C:\Windows\System32\lHItxZu.exe

Filesize
1.1MB

MD5
00707961ae93c355c576fd55fb5a7abf

SHA1
b4fe202d07d23ec205fd8cd6126af86db9229e1c

SHA256
48d128925a04f950d9d678c6fe10ee45bc0eda60979273f1ccd43dff06b75b3e

SHA512
14e8bb9b3a8284b790dd6a3ebb631f4dfbd3af34c346a6566e02cac2a528ea28d20e3db4646cac70b3922cb6d06fbce66515e757727fcff46dbafa0ddebdeca9

Download Submit
C:\Windows\System32\mmHRjDl.exe

Filesize
1.1MB

MD5
ab68dd3b66c3bb862f50e33a759a2d8b

SHA1
b69b3ecaadc6ed4a014697ff743018d7fe9e4724

SHA256
f8ffdeade712cb4e7076e56983020e88d7ba0e8ac4321b2fd5d0b85586efcb4c

SHA512
4f6e4eb9cc18751a3191f84f37aa659f6fa919551c9b0436fe05ebfeca65b2a1925df69e632fda3741782e84d39db8be89e3f6ef7974a063462d7e74ab71a846

Download Submit
C:\Windows\System32\poczDcS.exe

Filesize
1.1MB

MD5
f69d94b46c714c486875f3fdb722be51

SHA1
aba3a0d3c474689663e2a3c04a705646d6cf2451

SHA256
3c26b9dda7b20fb0b1cc5efec9c884694ce9076323ca1179880197338a3e17d7

SHA512
48f8a2781e0812753fc5157e9ee56673936203f167f25fd2b215a0193b01f4f3975316db5a9084036493ba50ea68253e941ed3c70444678d584a70639638531f

Download Submit
C:\Windows\System32\qKAPFRf.exe

Filesize
1.1MB

MD5
64a9b1706e3afb07c825ff3f5f56ba01

SHA1
c957de9ca5118305c3d3d26cc0b243544bc72cda

SHA256
ae6b0bfcc74e24384e54fea667c828e3b517b0b7024f99c0bf7b236d21d38107

SHA512
f2f19ccc77109b6ed36032d0d6af38261be44222449f2ec7d82d930e0509d4221c1d79b3190508bfaf6bf78ff95560b1b718ff61c91cdd1db69afc857993f1f1

Download Submit
C:\Windows\System32\rTYzLee.exe

Filesize
1.1MB

MD5
3d29cde20f50e1a980f97632aa86a4c1

SHA1
a1e4faf7aa28db62b5e5e74b733b89443f02cfa8

SHA256
7c938ef847c93dcf3bf4d5273ef31f6d0bcf780d9c0e9f216ec0d1bfbd3974a8

SHA512
a57630e23ed22b785da3825f6bf646ebedd021c8a1ead68e7fd5cc2dda39d9a7c29bf7a519bd577cafa62df1e1832c6fe7d6f809687df60447422885bfbf2f76

Download Submit
C:\Windows\System32\uolNWgV.exe

Filesize
1.1MB

MD5
589fd2093f8e9302d8ac3c669b2697ec

SHA1
8d06e0198d626e5126b55ae96f67a30ec1c871f3

SHA256
2ba374332043c9ec144f7d648f7923a4d3f743b06dd52f9fa09717fe3f0a7b67

SHA512
bff2ba60a62e294acffa47a44a784e14b9f604b4de2753c4599e8122b3350155b6cdd45e983f350a26e2202cfb12eb544656c51859d487602fed18c6f6b9847c

Download Submit
C:\Windows\System32\wVqlwte.exe

Filesize
1.1MB

MD5
f23581b40541be7ff01805c9d9bc7c6c

SHA1
689e02dbafec67f49708a60ad0653647bdfab58e

SHA256
4ca861e2fdb4f1384179f1af3ed9430e6d02dd52493b4934ece2104b55166be4

SHA512
dce2487e2448f6dd4056cc647a752e67fd4274f03f35d8233479f1105f0f7080fad6f2b35194d504406b7964036b07fd11f5308c1e63d5bb9f639b26e61dd7e3

Download Submit
C:\Windows\System32\wmnBllr.exe

Filesize
1.1MB

MD5
fcd5e817c56c63ba46c241608c44e3c2

SHA1
77fd3c6a4afe4dc784e5ec03c887fa146c42577f

SHA256
7ec0044e5780127185502430be68a895e934e208fc32a2e888743f5c99fcb434

SHA512
4d223d6f03089ae969637ae2bd281f2dc356bfd89f84a9133b8fea52466b31aaf487095915ddefce041386853900c272484e159b6dada599d857f9916d50a9b3

Download Submit
C:\Windows\System32\xWLqSBB.exe

Filesize
1.1MB

MD5
435288928d8d0bd0df2a584791ae0afb

SHA1
e9f22d03e1d4432d76c15e62491f2618915e4ee7

SHA256
741dc28b4ef8428b39a05d1419f7b923e74577017fab82fcc3794061620f18d0

SHA512
b00b0ab94940e87a68379525b8789d692157b37bc65eef7852e076b26d4d9480d78bd303c7093cb5b76525d7074c1a4ea4cb38678dfccac4a4818ada6323ff48

Download Submit
memory/392-2057-0x00007FF710000000-0x00007FF7103F1000-memory.dmp

Filesize
3.9MB

Download
memory/392-423-0x00007FF710000000-0x00007FF7103F1000-memory.dmp

Filesize
3.9MB

Download
memory/448-2061-0x00007FF7059D0000-0x00007FF705DC1000-memory.dmp

Filesize
3.9MB

Download
memory/448-461-0x00007FF7059D0000-0x00007FF705DC1000-memory.dmp

Filesize
3.9MB

Download
memory/1016-65-0x00007FF7A3F70000-0x00007FF7A4361000-memory.dmp

Filesize
3.9MB

Download
memory/1016-2033-0x00007FF7A3F70000-0x00007FF7A4361000-memory.dmp

Filesize
3.9MB

Download
memory/1212-473-0x00007FF706720000-0x00007FF706B11000-memory.dmp

Filesize
3.9MB

Download
memory/1212-2072-0x00007FF706720000-0x00007FF706B11000-memory.dmp

Filesize
3.9MB

Download
memory/1496-2031-0x00007FF783F50000-0x00007FF784341000-memory.dmp

Filesize
3.9MB

Download
memory/1496-32-0x00007FF783F50000-0x00007FF784341000-memory.dmp

Filesize
3.9MB

Download
memory/1748-103-0x00007FF64E2A0000-0x00007FF64E691000-memory.dmp

Filesize
3.9MB

Download
memory/1748-2037-0x00007FF64E2A0000-0x00007FF64E691000-memory.dmp

Filesize
3.9MB

Download
memory/1892-2055-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp

Filesize
3.9MB

Download
memory/1892-480-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp

Filesize
3.9MB

Download
memory/2544-413-0x00007FF7EC700000-0x00007FF7ECAF1000-memory.dmp

Filesize
3.9MB

Download
memory/2544-2051-0x00007FF7EC700000-0x00007FF7ECAF1000-memory.dmp

Filesize
3.9MB

Download
memory/3540-37-0x00007FF790D10000-0x00007FF791101000-memory.dmp

Filesize
3.9MB

Download
memory/3540-2035-0x00007FF790D10000-0x00007FF791101000-memory.dmp

Filesize
3.9MB

Download
memory/3540-2023-0x00007FF790D10000-0x00007FF791101000-memory.dmp

Filesize
3.9MB

Download
memory/3716-81-0x00007FF6C6A90000-0x00007FF6C6E81000-memory.dmp

Filesize
3.9MB

Download
memory/3716-2041-0x00007FF6C6A90000-0x00007FF6C6E81000-memory.dmp

Filesize
3.9MB

Download
memory/3736-2049-0x00007FF7FF410000-0x00007FF7FF801000-memory.dmp

Filesize
3.9MB

Download
memory/3736-489-0x00007FF7FF410000-0x00007FF7FF801000-memory.dmp

Filesize
3.9MB

Download
memory/3844-471-0x00007FF6F5BA0000-0x00007FF6F5F91000-memory.dmp

Filesize
3.9MB

Download
memory/3844-2053-0x00007FF6F5BA0000-0x00007FF6F5F91000-memory.dmp

Filesize
3.9MB

Download
memory/3880-415-0x00007FF67CDA0000-0x00007FF67D191000-memory.dmp

Filesize
3.9MB

Download
memory/3880-2063-0x00007FF67CDA0000-0x00007FF67D191000-memory.dmp

Filesize
3.9MB

Download
memory/4000-2067-0x00007FF668C20000-0x00007FF669011000-memory.dmp

Filesize
3.9MB

Download
memory/4000-474-0x00007FF668C20000-0x00007FF669011000-memory.dmp

Filesize
3.9MB

Download
memory/4036-2065-0x00007FF6424E0000-0x00007FF6428D1000-memory.dmp

Filesize
3.9MB

Download
memory/4036-479-0x00007FF6424E0000-0x00007FF6428D1000-memory.dmp

Filesize
3.9MB

Download
memory/4136-2022-0x00007FF65F6E0000-0x00007FF65FAD1000-memory.dmp

Filesize
3.9MB

Download
memory/4136-2025-0x00007FF65F6E0000-0x00007FF65FAD1000-memory.dmp

Filesize
3.9MB

Download
memory/4136-18-0x00007FF65F6E0000-0x00007FF65FAD1000-memory.dmp

Filesize
3.9MB

Download
memory/4152-34-0x00007FF6A7BC0000-0x00007FF6A7FB1000-memory.dmp

Filesize
3.9MB

Download
memory/4152-2029-0x00007FF6A7BC0000-0x00007FF6A7FB1000-memory.dmp

Filesize
3.9MB

Download
memory/4304-1-0x000001837FDB0000-0x000001837FDC0000-memory.dmp

Filesize
64KB

Download
memory/4304-1956-0x00007FF6B5500000-0x00007FF6B58F1000-memory.dmp

Filesize
3.9MB

Download
memory/4304-0-0x00007FF6B5500000-0x00007FF6B58F1000-memory.dmp

Filesize
3.9MB

Download
memory/4396-466-0x00007FF7425F0000-0x00007FF7429E1000-memory.dmp

Filesize
3.9MB

Download
memory/4396-2047-0x00007FF7425F0000-0x00007FF7429E1000-memory.dmp

Filesize
3.9MB

Download
memory/4472-478-0x00007FF6F3700000-0x00007FF6F3AF1000-memory.dmp

Filesize
3.9MB

Download
memory/4472-2069-0x00007FF6F3700000-0x00007FF6F3AF1000-memory.dmp

Filesize
3.9MB

Download
memory/4576-2043-0x00007FF7C92A0000-0x00007FF7C9691000-memory.dmp

Filesize
3.9MB

Download
memory/4576-92-0x00007FF7C92A0000-0x00007FF7C9691000-memory.dmp

Filesize
3.9MB

Download
memory/4732-462-0x00007FF732D70000-0x00007FF733161000-memory.dmp

Filesize
3.9MB

Download
memory/4732-2059-0x00007FF732D70000-0x00007FF733161000-memory.dmp

Filesize
3.9MB

Download
memory/4756-91-0x00007FF728180000-0x00007FF728571000-memory.dmp

Filesize
3.9MB

Download
memory/4756-2045-0x00007FF728180000-0x00007FF728571000-memory.dmp

Filesize
3.9MB

Download
memory/5008-2039-0x00007FF701010000-0x00007FF701401000-memory.dmp

Filesize
3.9MB

Download
memory/5008-476-0x00007FF701010000-0x00007FF701401000-memory.dmp

Filesize
3.9MB

Download
memory/5088-38-0x00007FF76E270000-0x00007FF76E661000-memory.dmp

Filesize
3.9MB

Download
memory/5088-2027-0x00007FF76E270000-0x00007FF76E661000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads