xmrig | 3b1df5415a83157fd329966f23006b6f12286fade323f1a85badb1432c837be5

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
Size

1.1MB
MD5

0250c0f96d3ab5db62c9220858db5744
SHA1

67c3e1500344e910a1d1802e55752f12194f2447
SHA256

3b1df5415a83157fd329966f23006b6f12286fade323f1a85badb1432c837be5
SHA512

920b1be59a24f9f9d119e699b175c8b4b656cb2a72626198706fcdff138d82782898eb2fbdfc0f2d4f32e6b1751b461a0472af9b3cdc5e1427cd36be0be340bf
SSDEEP

24576:JanwhSe11QSONCpGJCjETPl+Me7bPMS8Ykgc8R4zo9F6XSs:knw9oUUEEDl+xTMS8TgtA

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1392-12-0x00007FF7A3600000-0x00007FF7A39F1000-memory.dmp	xmrig
behavioral2/memory/1164-251-0x00007FF6FDC20000-0x00007FF6FE011000-memory.dmp	xmrig
behavioral2/memory/3356-259-0x00007FF62DCE0000-0x00007FF62E0D1000-memory.dmp	xmrig
behavioral2/memory/4980-261-0x00007FF7047B0000-0x00007FF704BA1000-memory.dmp	xmrig
behavioral2/memory/4176-274-0x00007FF74AB40000-0x00007FF74AF31000-memory.dmp	xmrig
behavioral2/memory/2016-278-0x00007FF650070000-0x00007FF650461000-memory.dmp	xmrig
behavioral2/memory/3636-286-0x00007FF680300000-0x00007FF6806F1000-memory.dmp	xmrig
behavioral2/memory/768-316-0x00007FF797080000-0x00007FF797471000-memory.dmp	xmrig
behavioral2/memory/1892-335-0x00007FF7B1B10000-0x00007FF7B1F01000-memory.dmp	xmrig
behavioral2/memory/1964-336-0x00007FF75E900000-0x00007FF75ECF1000-memory.dmp	xmrig
behavioral2/memory/2996-332-0x00007FF7E99A0000-0x00007FF7E9D91000-memory.dmp	xmrig
behavioral2/memory/212-308-0x00007FF7DD280000-0x00007FF7DD671000-memory.dmp	xmrig
behavioral2/memory/4408-287-0x00007FF792C30000-0x00007FF793021000-memory.dmp	xmrig
behavioral2/memory/2452-349-0x00007FF71CEF0000-0x00007FF71D2E1000-memory.dmp	xmrig
behavioral2/memory/2896-257-0x00007FF7CF2A0000-0x00007FF7CF691000-memory.dmp	xmrig
behavioral2/memory/1344-356-0x00007FF7BFAD0000-0x00007FF7BFEC1000-memory.dmp	xmrig
behavioral2/memory/1820-379-0x00007FF7608D0000-0x00007FF760CC1000-memory.dmp	xmrig
behavioral2/memory/1412-384-0x00007FF7B17D0000-0x00007FF7B1BC1000-memory.dmp	xmrig
behavioral2/memory/1092-403-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp	xmrig
behavioral2/memory/3092-408-0x00007FF732200000-0x00007FF7325F1000-memory.dmp	xmrig
behavioral2/memory/1528-416-0x00007FF7D87D0000-0x00007FF7D8BC1000-memory.dmp	xmrig
behavioral2/memory/1968-371-0x00007FF6FE850000-0x00007FF6FEC41000-memory.dmp	xmrig
behavioral2/memory/2868-360-0x00007FF791D30000-0x00007FF792121000-memory.dmp	xmrig
behavioral2/memory/2904-2009-0x00007FF65BB90000-0x00007FF65BF81000-memory.dmp	xmrig
behavioral2/memory/1392-2016-0x00007FF7A3600000-0x00007FF7A39F1000-memory.dmp	xmrig
behavioral2/memory/1092-2018-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp	xmrig
behavioral2/memory/2904-2020-0x00007FF65BB90000-0x00007FF65BF81000-memory.dmp	xmrig
behavioral2/memory/3092-2022-0x00007FF732200000-0x00007FF7325F1000-memory.dmp	xmrig
behavioral2/memory/1164-2024-0x00007FF6FDC20000-0x00007FF6FE011000-memory.dmp	xmrig
behavioral2/memory/2896-2026-0x00007FF7CF2A0000-0x00007FF7CF691000-memory.dmp	xmrig
behavioral2/memory/3356-2028-0x00007FF62DCE0000-0x00007FF62E0D1000-memory.dmp	xmrig
behavioral2/memory/4408-2038-0x00007FF792C30000-0x00007FF793021000-memory.dmp	xmrig
behavioral2/memory/768-2042-0x00007FF797080000-0x00007FF797471000-memory.dmp	xmrig
behavioral2/memory/1344-2054-0x00007FF7BFAD0000-0x00007FF7BFEC1000-memory.dmp	xmrig
behavioral2/memory/1412-2062-0x00007FF7B17D0000-0x00007FF7B1BC1000-memory.dmp	xmrig
behavioral2/memory/1820-2060-0x00007FF7608D0000-0x00007FF760CC1000-memory.dmp	xmrig
behavioral2/memory/2452-2052-0x00007FF71CEF0000-0x00007FF71D2E1000-memory.dmp	xmrig
behavioral2/memory/1968-2058-0x00007FF6FE850000-0x00007FF6FEC41000-memory.dmp	xmrig
behavioral2/memory/2868-2056-0x00007FF791D30000-0x00007FF792121000-memory.dmp	xmrig
behavioral2/memory/1964-2050-0x00007FF75E900000-0x00007FF75ECF1000-memory.dmp	xmrig
behavioral2/memory/2996-2046-0x00007FF7E99A0000-0x00007FF7E9D91000-memory.dmp	xmrig
behavioral2/memory/212-2044-0x00007FF7DD280000-0x00007FF7DD671000-memory.dmp	xmrig
behavioral2/memory/1892-2048-0x00007FF7B1B10000-0x00007FF7B1F01000-memory.dmp	xmrig
behavioral2/memory/4176-2036-0x00007FF74AB40000-0x00007FF74AF31000-memory.dmp	xmrig
behavioral2/memory/3636-2034-0x00007FF680300000-0x00007FF6806F1000-memory.dmp	xmrig
behavioral2/memory/2016-2033-0x00007FF650070000-0x00007FF650461000-memory.dmp	xmrig
behavioral2/memory/1528-2040-0x00007FF7D87D0000-0x00007FF7D8BC1000-memory.dmp	xmrig
behavioral2/memory/4980-2030-0x00007FF7047B0000-0x00007FF704BA1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1392	beyUKrA.exe
1092	qZuaPCO.exe
2904	RrxYSkl.exe
3092	gHXOIek.exe
1164	BFuxWZN.exe
2896	CYTkTHq.exe
3356	cZTXQWK.exe
1528	zkjcskX.exe
4980	QiOSDok.exe
4176	bEtInMJ.exe
2016	geDwBzo.exe
3636	QFiqSzF.exe
4408	wfGPfBv.exe
212	KerJpfr.exe
768	vtPpjhv.exe
2996	IMvaTsS.exe
1892	hEBeJVY.exe
1964	YLQhhDY.exe
2452	JLjrpiW.exe
1344	RLLCxWL.exe
2868	eIccckB.exe
1968	UjzhtSI.exe
1820	wHydsPv.exe
1412	xeUgRdX.exe
932	MCJGAZX.exe
4916	BJgrnHQ.exe
3236	HDLEevM.exe
2336	wcVlhtb.exe
4080	RtpImPQ.exe
3028	AlMDPTA.exe
1108	tulgWCk.exe
2692	YoCHGbV.exe
4816	hJvjReW.exe
4536	ZNWsfSK.exe
3188	bBZGroO.exe
2548	jGCUKwi.exe
3140	oRyTHWf.exe
1676	qRGpibD.exe
4804	cduhoIX.exe
2856	lOxSlBg.exe
4644	dCvuQtB.exe
4860	BNPAGhN.exe
5028	MOEEXNX.exe
4384	CBCbSkk.exe
4132	lPnqqff.exe
4952	sfvejZU.exe
4932	GQsWTio.exe
2136	JAqrXtB.exe
3920	orNpFQL.exe
4496	VnIPEWr.exe
2680	GJijdOj.exe
3868	qslkxhP.exe
4004	sjjwUBI.exe
5100	ihQhtKm.exe
5024	kpTsUFT.exe
2836	JPOToVv.exe
2400	bZpogsi.exe
4032	lpkXQhA.exe
1640	MySffOm.exe
5016	QzYozfD.exe
4708	sFnovsQ.exe
388	FrpweJN.exe
3420	ZKFdbre.exe
4448	kHTQVCR.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2208-0-0x00007FF606910000-0x00007FF606D01000-memory.dmp	upx
behavioral2/files/0x0009000000023423-5.dat	upx
behavioral2/files/0x000700000002342b-9.dat	upx
behavioral2/memory/1392-12-0x00007FF7A3600000-0x00007FF7A39F1000-memory.dmp	upx
behavioral2/files/0x000700000002342a-15.dat	upx
behavioral2/files/0x000700000002342d-26.dat	upx
behavioral2/files/0x000700000002342e-34.dat	upx
behavioral2/memory/2904-36-0x00007FF65BB90000-0x00007FF65BF81000-memory.dmp	upx
behavioral2/files/0x000700000002342f-40.dat	upx
behavioral2/files/0x0007000000023430-44.dat	upx
behavioral2/files/0x0007000000023431-45.dat	upx
behavioral2/files/0x0007000000023432-53.dat	upx
behavioral2/files/0x0007000000023434-60.dat	upx
behavioral2/files/0x0007000000023435-71.dat	upx
behavioral2/files/0x0007000000023438-81.dat	upx
behavioral2/files/0x0007000000023439-91.dat	upx
behavioral2/files/0x0007000000023443-135.dat	upx
behavioral2/files/0x0007000000023444-146.dat	upx
behavioral2/memory/1164-251-0x00007FF6FDC20000-0x00007FF6FE011000-memory.dmp	upx
behavioral2/memory/3356-259-0x00007FF62DCE0000-0x00007FF62E0D1000-memory.dmp	upx
behavioral2/memory/4980-261-0x00007FF7047B0000-0x00007FF704BA1000-memory.dmp	upx
behavioral2/memory/4176-274-0x00007FF74AB40000-0x00007FF74AF31000-memory.dmp	upx
behavioral2/memory/2016-278-0x00007FF650070000-0x00007FF650461000-memory.dmp	upx
behavioral2/memory/3636-286-0x00007FF680300000-0x00007FF6806F1000-memory.dmp	upx
behavioral2/memory/768-316-0x00007FF797080000-0x00007FF797471000-memory.dmp	upx
behavioral2/memory/1892-335-0x00007FF7B1B10000-0x00007FF7B1F01000-memory.dmp	upx
behavioral2/memory/1964-336-0x00007FF75E900000-0x00007FF75ECF1000-memory.dmp	upx
behavioral2/memory/2996-332-0x00007FF7E99A0000-0x00007FF7E9D91000-memory.dmp	upx
behavioral2/memory/212-308-0x00007FF7DD280000-0x00007FF7DD671000-memory.dmp	upx
behavioral2/memory/4408-287-0x00007FF792C30000-0x00007FF793021000-memory.dmp	upx
behavioral2/memory/2452-349-0x00007FF71CEF0000-0x00007FF71D2E1000-memory.dmp	upx
behavioral2/memory/2896-257-0x00007FF7CF2A0000-0x00007FF7CF691000-memory.dmp	upx
behavioral2/files/0x0007000000023448-163.dat	upx
behavioral2/files/0x0007000000023447-158.dat	upx
behavioral2/files/0x0007000000023446-156.dat	upx
behavioral2/files/0x0007000000023445-151.dat	upx
behavioral2/files/0x0007000000023442-133.dat	upx
behavioral2/files/0x0007000000023441-128.dat	upx
behavioral2/memory/1344-356-0x00007FF7BFAD0000-0x00007FF7BFEC1000-memory.dmp	upx
behavioral2/memory/1820-379-0x00007FF7608D0000-0x00007FF760CC1000-memory.dmp	upx
behavioral2/memory/1412-384-0x00007FF7B17D0000-0x00007FF7B1BC1000-memory.dmp	upx
behavioral2/memory/1092-403-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp	upx
behavioral2/memory/3092-408-0x00007FF732200000-0x00007FF7325F1000-memory.dmp	upx
behavioral2/memory/1528-416-0x00007FF7D87D0000-0x00007FF7D8BC1000-memory.dmp	upx
behavioral2/memory/1968-371-0x00007FF6FE850000-0x00007FF6FEC41000-memory.dmp	upx
behavioral2/memory/2868-360-0x00007FF791D30000-0x00007FF792121000-memory.dmp	upx
behavioral2/files/0x0007000000023440-123.dat	upx
behavioral2/files/0x000700000002343f-121.dat	upx
behavioral2/files/0x000700000002343e-116.dat	upx
behavioral2/files/0x000700000002343d-111.dat	upx
behavioral2/files/0x000700000002343c-106.dat	upx
behavioral2/files/0x000700000002343b-101.dat	upx
behavioral2/files/0x000700000002343a-93.dat	upx
behavioral2/files/0x0007000000023437-78.dat	upx
behavioral2/files/0x0007000000023436-76.dat	upx
behavioral2/files/0x0007000000023433-58.dat	upx
behavioral2/files/0x000700000002342c-22.dat	upx
behavioral2/memory/2904-2009-0x00007FF65BB90000-0x00007FF65BF81000-memory.dmp	upx
behavioral2/memory/1392-2016-0x00007FF7A3600000-0x00007FF7A39F1000-memory.dmp	upx
behavioral2/memory/1092-2018-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp	upx
behavioral2/memory/2904-2020-0x00007FF65BB90000-0x00007FF65BF81000-memory.dmp	upx
behavioral2/memory/3092-2022-0x00007FF732200000-0x00007FF7325F1000-memory.dmp	upx
behavioral2/memory/1164-2024-0x00007FF6FDC20000-0x00007FF6FE011000-memory.dmp	upx
behavioral2/memory/2896-2026-0x00007FF7CF2A0000-0x00007FF7CF691000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\RrxYSkl.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\cduhoIX.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\uszUWcT.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\nwCYUdy.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\KvMHttW.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\ZaWdecO.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\KUtGmgf.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\BwHGQQz.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\Zdcnbjq.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\bQhNLvA.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\hzfEjzR.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\aooYncC.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\ykebfSp.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\zzAIdgh.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\kiruJoL.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\yhyZbVv.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\sYnZnIG.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\TJajGkj.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\dJMkSyf.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\TlEnJdN.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\ZryEGBb.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\LjXScHe.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\yAZlJGD.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\Rxksjyr.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\MCJGAZX.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\BNPAGhN.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\FOzOMta.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\XgynFso.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\bkFiAgR.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\NJhXSla.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\begPjwC.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\lDCoEQA.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\cXQFEbf.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\ZNWsfSK.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\hjqvKVV.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\HpCsFQw.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\yiCtVjg.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\OGNIabE.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\MZZRrAJ.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\VnIPEWr.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\fhvnPPp.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\WyQxQHf.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\QouULRV.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\sjjwUBI.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\ncmwiOS.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\nsaeaUa.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\UNrBinC.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\iZOwyhX.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\MJJvpuN.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\snYNgwg.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\gHXOIek.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\AlMDPTA.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\dnYsIpN.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\foXKisG.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\ibtzIXs.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\RtpImPQ.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\xjFCkcb.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\JmTReBu.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\EIKkNnt.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\OCNGZPP.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\PUzrWfG.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\YsGWoDI.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\QFoCpWz.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
File created	C:\Windows\System32\CYTkTHq.exe	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12544	dwm.exe
Token: SeChangeNotifyPrivilege	12544	dwm.exe
Token: 33	12544	dwm.exe
Token: SeIncBasePriorityPrivilege	12544	dwm.exe
Token: SeShutdownPrivilege	12544	dwm.exe
Token: SeCreatePagefilePrivilege	12544	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1392	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	84
PID 2208 wrote to memory of 1392	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	84
PID 2208 wrote to memory of 1092	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	85
PID 2208 wrote to memory of 1092	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	85
PID 2208 wrote to memory of 2904	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	86
PID 2208 wrote to memory of 2904	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	86
PID 2208 wrote to memory of 3092	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	87
PID 2208 wrote to memory of 3092	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	87
PID 2208 wrote to memory of 1164	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	88
PID 2208 wrote to memory of 1164	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	88
PID 2208 wrote to memory of 2896	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	89
PID 2208 wrote to memory of 2896	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	89
PID 2208 wrote to memory of 3356	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	90
PID 2208 wrote to memory of 3356	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	90
PID 2208 wrote to memory of 1528	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	91
PID 2208 wrote to memory of 1528	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	91
PID 2208 wrote to memory of 4980	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	92
PID 2208 wrote to memory of 4980	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	92
PID 2208 wrote to memory of 4176	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	93
PID 2208 wrote to memory of 4176	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	93
PID 2208 wrote to memory of 2016	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	94
PID 2208 wrote to memory of 2016	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	94
PID 2208 wrote to memory of 3636	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	95
PID 2208 wrote to memory of 3636	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	95
PID 2208 wrote to memory of 4408	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	96
PID 2208 wrote to memory of 4408	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	96
PID 2208 wrote to memory of 212	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	97
PID 2208 wrote to memory of 212	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	97
PID 2208 wrote to memory of 768	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	98
PID 2208 wrote to memory of 768	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	98
PID 2208 wrote to memory of 2996	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	99
PID 2208 wrote to memory of 2996	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	99
PID 2208 wrote to memory of 1892	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	100
PID 2208 wrote to memory of 1892	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	100
PID 2208 wrote to memory of 1964	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	101
PID 2208 wrote to memory of 1964	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	101
PID 2208 wrote to memory of 2452	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	102
PID 2208 wrote to memory of 2452	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	102
PID 2208 wrote to memory of 1344	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	103
PID 2208 wrote to memory of 1344	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	103
PID 2208 wrote to memory of 2868	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	104
PID 2208 wrote to memory of 2868	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	104
PID 2208 wrote to memory of 1968	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	105
PID 2208 wrote to memory of 1968	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	105
PID 2208 wrote to memory of 1820	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	106
PID 2208 wrote to memory of 1820	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	106
PID 2208 wrote to memory of 1412	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	107
PID 2208 wrote to memory of 1412	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	107
PID 2208 wrote to memory of 932	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	108
PID 2208 wrote to memory of 932	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	108
PID 2208 wrote to memory of 4916	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	109
PID 2208 wrote to memory of 4916	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	109
PID 2208 wrote to memory of 3236	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	110
PID 2208 wrote to memory of 3236	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	110
PID 2208 wrote to memory of 2336	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	111
PID 2208 wrote to memory of 2336	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	111
PID 2208 wrote to memory of 4080	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	112
PID 2208 wrote to memory of 4080	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	112
PID 2208 wrote to memory of 3028	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	113
PID 2208 wrote to memory of 3028	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	113
PID 2208 wrote to memory of 1108	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	114
PID 2208 wrote to memory of 1108	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	114
PID 2208 wrote to memory of 2692	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	115
PID 2208 wrote to memory of 2692	2208	0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0250c0f96d3ab5db62c9220858db5744_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\System32\beyUKrA.exe
  C:\Windows\System32\beyUKrA.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System32\qZuaPCO.exe
  C:\Windows\System32\qZuaPCO.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System32\RrxYSkl.exe
  C:\Windows\System32\RrxYSkl.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\gHXOIek.exe
  C:\Windows\System32\gHXOIek.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System32\BFuxWZN.exe
  C:\Windows\System32\BFuxWZN.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\CYTkTHq.exe
  C:\Windows\System32\CYTkTHq.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\cZTXQWK.exe
  C:\Windows\System32\cZTXQWK.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System32\zkjcskX.exe
  C:\Windows\System32\zkjcskX.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\QiOSDok.exe
  C:\Windows\System32\QiOSDok.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\bEtInMJ.exe
  C:\Windows\System32\bEtInMJ.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System32\geDwBzo.exe
  C:\Windows\System32\geDwBzo.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System32\QFiqSzF.exe
  C:\Windows\System32\QFiqSzF.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\wfGPfBv.exe
  C:\Windows\System32\wfGPfBv.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\KerJpfr.exe
  C:\Windows\System32\KerJpfr.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System32\vtPpjhv.exe
  C:\Windows\System32\vtPpjhv.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System32\IMvaTsS.exe
  C:\Windows\System32\IMvaTsS.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\hEBeJVY.exe
  C:\Windows\System32\hEBeJVY.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System32\YLQhhDY.exe
  C:\Windows\System32\YLQhhDY.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System32\JLjrpiW.exe
  C:\Windows\System32\JLjrpiW.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System32\RLLCxWL.exe
  C:\Windows\System32\RLLCxWL.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System32\eIccckB.exe
  C:\Windows\System32\eIccckB.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\UjzhtSI.exe
  C:\Windows\System32\UjzhtSI.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System32\wHydsPv.exe
  C:\Windows\System32\wHydsPv.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System32\xeUgRdX.exe
  C:\Windows\System32\xeUgRdX.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System32\MCJGAZX.exe
  C:\Windows\System32\MCJGAZX.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System32\BJgrnHQ.exe
  C:\Windows\System32\BJgrnHQ.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\HDLEevM.exe
  C:\Windows\System32\HDLEevM.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\wcVlhtb.exe
  C:\Windows\System32\wcVlhtb.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System32\RtpImPQ.exe
  C:\Windows\System32\RtpImPQ.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\AlMDPTA.exe
  C:\Windows\System32\AlMDPTA.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\tulgWCk.exe
  C:\Windows\System32\tulgWCk.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System32\YoCHGbV.exe
  C:\Windows\System32\YoCHGbV.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\hJvjReW.exe
  C:\Windows\System32\hJvjReW.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System32\ZNWsfSK.exe
  C:\Windows\System32\ZNWsfSK.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\bBZGroO.exe
  C:\Windows\System32\bBZGroO.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System32\jGCUKwi.exe
  C:\Windows\System32\jGCUKwi.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System32\oRyTHWf.exe
  C:\Windows\System32\oRyTHWf.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\qRGpibD.exe
  C:\Windows\System32\qRGpibD.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\cduhoIX.exe
  C:\Windows\System32\cduhoIX.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\lOxSlBg.exe
  C:\Windows\System32\lOxSlBg.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System32\dCvuQtB.exe
  C:\Windows\System32\dCvuQtB.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\BNPAGhN.exe
  C:\Windows\System32\BNPAGhN.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\MOEEXNX.exe
  C:\Windows\System32\MOEEXNX.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\CBCbSkk.exe
  C:\Windows\System32\CBCbSkk.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\lPnqqff.exe
  C:\Windows\System32\lPnqqff.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\sfvejZU.exe
  C:\Windows\System32\sfvejZU.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System32\GQsWTio.exe
  C:\Windows\System32\GQsWTio.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\JAqrXtB.exe
  C:\Windows\System32\JAqrXtB.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System32\orNpFQL.exe
  C:\Windows\System32\orNpFQL.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\VnIPEWr.exe
  C:\Windows\System32\VnIPEWr.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\GJijdOj.exe
  C:\Windows\System32\GJijdOj.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System32\qslkxhP.exe
  C:\Windows\System32\qslkxhP.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System32\sjjwUBI.exe
  C:\Windows\System32\sjjwUBI.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System32\ihQhtKm.exe
  C:\Windows\System32\ihQhtKm.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\kpTsUFT.exe
  C:\Windows\System32\kpTsUFT.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System32\JPOToVv.exe
  C:\Windows\System32\JPOToVv.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System32\bZpogsi.exe
  C:\Windows\System32\bZpogsi.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System32\lpkXQhA.exe
  C:\Windows\System32\lpkXQhA.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\MySffOm.exe
  C:\Windows\System32\MySffOm.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System32\QzYozfD.exe
  C:\Windows\System32\QzYozfD.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\sFnovsQ.exe
  C:\Windows\System32\sFnovsQ.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\FrpweJN.exe
  C:\Windows\System32\FrpweJN.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System32\ZKFdbre.exe
  C:\Windows\System32\ZKFdbre.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System32\kHTQVCR.exe
  C:\Windows\System32\kHTQVCR.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\KPDHYKD.exe
  C:\Windows\System32\KPDHYKD.exe
  2⤵
  PID:3360
- C:\Windows\System32\QhVgQou.exe
  C:\Windows\System32\QhVgQou.exe
  2⤵
  PID:316
- C:\Windows\System32\cKBvwLC.exe
  C:\Windows\System32\cKBvwLC.exe
  2⤵
  PID:4992
- C:\Windows\System32\hvvdobX.exe
  C:\Windows\System32\hvvdobX.exe
  2⤵
  PID:4768
- C:\Windows\System32\qUognqI.exe
  C:\Windows\System32\qUognqI.exe
  2⤵
  PID:4964
- C:\Windows\System32\GUfVlYb.exe
  C:\Windows\System32\GUfVlYb.exe
  2⤵
  PID:3928
- C:\Windows\System32\DjXfHlp.exe
  C:\Windows\System32\DjXfHlp.exe
  2⤵
  PID:1744
- C:\Windows\System32\dljlYXC.exe
  C:\Windows\System32\dljlYXC.exe
  2⤵
  PID:4792
- C:\Windows\System32\PUzrWfG.exe
  C:\Windows\System32\PUzrWfG.exe
  2⤵
  PID:3424
- C:\Windows\System32\ncmwiOS.exe
  C:\Windows\System32\ncmwiOS.exe
  2⤵
  PID:1972
- C:\Windows\System32\ytwqRxk.exe
  C:\Windows\System32\ytwqRxk.exe
  2⤵
  PID:4124
- C:\Windows\System32\fWAPNsx.exe
  C:\Windows\System32\fWAPNsx.exe
  2⤵
  PID:3572
- C:\Windows\System32\uszUWcT.exe
  C:\Windows\System32\uszUWcT.exe
  2⤵
  PID:3600
- C:\Windows\System32\ebeYDEy.exe
  C:\Windows\System32\ebeYDEy.exe
  2⤵
  PID:8
- C:\Windows\System32\dKuBluX.exe
  C:\Windows\System32\dKuBluX.exe
  2⤵
  PID:5052
- C:\Windows\System32\HiBHcFR.exe
  C:\Windows\System32\HiBHcFR.exe
  2⤵
  PID:5020
- C:\Windows\System32\wLtOcZf.exe
  C:\Windows\System32\wLtOcZf.exe
  2⤵
  PID:5112
- C:\Windows\System32\MUeeARk.exe
  C:\Windows\System32\MUeeARk.exe
  2⤵
  PID:1952
- C:\Windows\System32\PZKcmvO.exe
  C:\Windows\System32\PZKcmvO.exe
  2⤵
  PID:2180
- C:\Windows\System32\hcpoTaF.exe
  C:\Windows\System32\hcpoTaF.exe
  2⤵
  PID:5068
- C:\Windows\System32\PshWahb.exe
  C:\Windows\System32\PshWahb.exe
  2⤵
  PID:1480
- C:\Windows\System32\cLmLMsZ.exe
  C:\Windows\System32\cLmLMsZ.exe
  2⤵
  PID:2064
- C:\Windows\System32\dZDXBgo.exe
  C:\Windows\System32\dZDXBgo.exe
  2⤵
  PID:2448
- C:\Windows\System32\loHkLgz.exe
  C:\Windows\System32\loHkLgz.exe
  2⤵
  PID:220
- C:\Windows\System32\UAzNyay.exe
  C:\Windows\System32\UAzNyay.exe
  2⤵
  PID:4412
- C:\Windows\System32\nwCYUdy.exe
  C:\Windows\System32\nwCYUdy.exe
  2⤵
  PID:4796
- C:\Windows\System32\LBhSJeF.exe
  C:\Windows\System32\LBhSJeF.exe
  2⤵
  PID:1960
- C:\Windows\System32\dFLQdHA.exe
  C:\Windows\System32\dFLQdHA.exe
  2⤵
  PID:2800
- C:\Windows\System32\xczRmap.exe
  C:\Windows\System32\xczRmap.exe
  2⤵
  PID:2888
- C:\Windows\System32\FGAcLyM.exe
  C:\Windows\System32\FGAcLyM.exe
  2⤵
  PID:4428
- C:\Windows\System32\kOvJxgY.exe
  C:\Windows\System32\kOvJxgY.exe
  2⤵
  PID:3492
- C:\Windows\System32\jSTrzLM.exe
  C:\Windows\System32\jSTrzLM.exe
  2⤵
  PID:4316
- C:\Windows\System32\OmNuPNz.exe
  C:\Windows\System32\OmNuPNz.exe
  2⤵
  PID:3900
- C:\Windows\System32\XVSuOFh.exe
  C:\Windows\System32\XVSuOFh.exe
  2⤵
  PID:4688
- C:\Windows\System32\FAUWBlG.exe
  C:\Windows\System32\FAUWBlG.exe
  2⤵
  PID:2088
- C:\Windows\System32\POXXxJg.exe
  C:\Windows\System32\POXXxJg.exe
  2⤵
  PID:2268
- C:\Windows\System32\bmgKeTv.exe
  C:\Windows\System32\bmgKeTv.exe
  2⤵
  PID:1572
- C:\Windows\System32\FOzOMta.exe
  C:\Windows\System32\FOzOMta.exe
  2⤵
  PID:1984
- C:\Windows\System32\INabdVO.exe
  C:\Windows\System32\INabdVO.exe
  2⤵
  PID:2832
- C:\Windows\System32\vHDcGqe.exe
  C:\Windows\System32\vHDcGqe.exe
  2⤵
  PID:4556
- C:\Windows\System32\dNfphOk.exe
  C:\Windows\System32\dNfphOk.exe
  2⤵
  PID:4188
- C:\Windows\System32\mcsMMbz.exe
  C:\Windows\System32\mcsMMbz.exe
  2⤵
  PID:1720
- C:\Windows\System32\bQhNLvA.exe
  C:\Windows\System32\bQhNLvA.exe
  2⤵
  PID:5136
- C:\Windows\System32\LQguSHk.exe
  C:\Windows\System32\LQguSHk.exe
  2⤵
  PID:5152
- C:\Windows\System32\fOilGsb.exe
  C:\Windows\System32\fOilGsb.exe
  2⤵
  PID:5172
- C:\Windows\System32\wyVPbsr.exe
  C:\Windows\System32\wyVPbsr.exe
  2⤵
  PID:5204
- C:\Windows\System32\bEUOqcK.exe
  C:\Windows\System32\bEUOqcK.exe
  2⤵
  PID:5264
- C:\Windows\System32\qFELXhK.exe
  C:\Windows\System32\qFELXhK.exe
  2⤵
  PID:5284
- C:\Windows\System32\mGudYIp.exe
  C:\Windows\System32\mGudYIp.exe
  2⤵
  PID:5352
- C:\Windows\System32\VktJURn.exe
  C:\Windows\System32\VktJURn.exe
  2⤵
  PID:5412
- C:\Windows\System32\vojhHUC.exe
  C:\Windows\System32\vojhHUC.exe
  2⤵
  PID:5440
- C:\Windows\System32\xlgubJD.exe
  C:\Windows\System32\xlgubJD.exe
  2⤵
  PID:5456
- C:\Windows\System32\WRsUpgz.exe
  C:\Windows\System32\WRsUpgz.exe
  2⤵
  PID:5476
- C:\Windows\System32\scVbUta.exe
  C:\Windows\System32\scVbUta.exe
  2⤵
  PID:5508
- C:\Windows\System32\qkfADkk.exe
  C:\Windows\System32\qkfADkk.exe
  2⤵
  PID:5540
- C:\Windows\System32\ImsYeGe.exe
  C:\Windows\System32\ImsYeGe.exe
  2⤵
  PID:5580
- C:\Windows\System32\ZQftOrt.exe
  C:\Windows\System32\ZQftOrt.exe
  2⤵
  PID:5596
- C:\Windows\System32\MWaPgvH.exe
  C:\Windows\System32\MWaPgvH.exe
  2⤵
  PID:5620
- C:\Windows\System32\ymZJdRd.exe
  C:\Windows\System32\ymZJdRd.exe
  2⤵
  PID:5636
- C:\Windows\System32\qGetFhA.exe
  C:\Windows\System32\qGetFhA.exe
  2⤵
  PID:5664
- C:\Windows\System32\DtLSwpM.exe
  C:\Windows\System32\DtLSwpM.exe
  2⤵
  PID:5688
- C:\Windows\System32\rxcPMGF.exe
  C:\Windows\System32\rxcPMGF.exe
  2⤵
  PID:5708
- C:\Windows\System32\ulxufSR.exe
  C:\Windows\System32\ulxufSR.exe
  2⤵
  PID:5796
- C:\Windows\System32\VxdjxNq.exe
  C:\Windows\System32\VxdjxNq.exe
  2⤵
  PID:5820
- C:\Windows\System32\OieGGdT.exe
  C:\Windows\System32\OieGGdT.exe
  2⤵
  PID:5840
- C:\Windows\System32\yKLDElk.exe
  C:\Windows\System32\yKLDElk.exe
  2⤵
  PID:5856
- C:\Windows\System32\zPqoDpa.exe
  C:\Windows\System32\zPqoDpa.exe
  2⤵
  PID:5880
- C:\Windows\System32\gDypHwv.exe
  C:\Windows\System32\gDypHwv.exe
  2⤵
  PID:5896
- C:\Windows\System32\WcKNRWZ.exe
  C:\Windows\System32\WcKNRWZ.exe
  2⤵
  PID:5916
- C:\Windows\System32\roNHbTQ.exe
  C:\Windows\System32\roNHbTQ.exe
  2⤵
  PID:5952
- C:\Windows\System32\QkaWWsN.exe
  C:\Windows\System32\QkaWWsN.exe
  2⤵
  PID:6052
- C:\Windows\System32\XDjLKGg.exe
  C:\Windows\System32\XDjLKGg.exe
  2⤵
  PID:6080
- C:\Windows\System32\spzghrB.exe
  C:\Windows\System32\spzghrB.exe
  2⤵
  PID:6100
- C:\Windows\System32\fhvnPPp.exe
  C:\Windows\System32\fhvnPPp.exe
  2⤵
  PID:6120
- C:\Windows\System32\YWxmYPm.exe
  C:\Windows\System32\YWxmYPm.exe
  2⤵
  PID:6140
- C:\Windows\System32\UGNsGNx.exe
  C:\Windows\System32\UGNsGNx.exe
  2⤵
  PID:5124
- C:\Windows\System32\QLpLWjO.exe
  C:\Windows\System32\QLpLWjO.exe
  2⤵
  PID:5180
- C:\Windows\System32\PjUmVOh.exe
  C:\Windows\System32\PjUmVOh.exe
  2⤵
  PID:744
- C:\Windows\System32\qafGsAD.exe
  C:\Windows\System32\qafGsAD.exe
  2⤵
  PID:5276
- C:\Windows\System32\VuUfLxr.exe
  C:\Windows\System32\VuUfLxr.exe
  2⤵
  PID:5164
- C:\Windows\System32\tCkySOA.exe
  C:\Windows\System32\tCkySOA.exe
  2⤵
  PID:5220
- C:\Windows\System32\zOVlRiH.exe
  C:\Windows\System32\zOVlRiH.exe
  2⤵
  PID:5316
- C:\Windows\System32\xFBeVrs.exe
  C:\Windows\System32\xFBeVrs.exe
  2⤵
  PID:5332
- C:\Windows\System32\KlRWBjj.exe
  C:\Windows\System32\KlRWBjj.exe
  2⤵
  PID:5388
- C:\Windows\System32\rwveZIM.exe
  C:\Windows\System32\rwveZIM.exe
  2⤵
  PID:5436
- C:\Windows\System32\uxYCGwf.exe
  C:\Windows\System32\uxYCGwf.exe
  2⤵
  PID:5484
- C:\Windows\System32\HOvhueY.exe
  C:\Windows\System32\HOvhueY.exe
  2⤵
  PID:5524
- C:\Windows\System32\gzILqnR.exe
  C:\Windows\System32\gzILqnR.exe
  2⤵
  PID:5564
- C:\Windows\System32\DFYEegG.exe
  C:\Windows\System32\DFYEegG.exe
  2⤵
  PID:5684
- C:\Windows\System32\oLtMUjb.exe
  C:\Windows\System32\oLtMUjb.exe
  2⤵
  PID:5716
- C:\Windows\System32\WcAnKUR.exe
  C:\Windows\System32\WcAnKUR.exe
  2⤵
  PID:5748
- C:\Windows\System32\LdxXtPp.exe
  C:\Windows\System32\LdxXtPp.exe
  2⤵
  PID:5872
- C:\Windows\System32\bcpUAol.exe
  C:\Windows\System32\bcpUAol.exe
  2⤵
  PID:6040
- C:\Windows\System32\XqewzqE.exe
  C:\Windows\System32\XqewzqE.exe
  2⤵
  PID:6076
- C:\Windows\System32\YWQXEMQ.exe
  C:\Windows\System32\YWQXEMQ.exe
  2⤵
  PID:6112
- C:\Windows\System32\aWhtSVC.exe
  C:\Windows\System32\aWhtSVC.exe
  2⤵
  PID:1804
- C:\Windows\System32\JRSRNeV.exe
  C:\Windows\System32\JRSRNeV.exe
  2⤵
  PID:4044
- C:\Windows\System32\JDXyagu.exe
  C:\Windows\System32\JDXyagu.exe
  2⤵
  PID:5272
- C:\Windows\System32\UVQEmJJ.exe
  C:\Windows\System32\UVQEmJJ.exe
  2⤵
  PID:5372
- C:\Windows\System32\wuDaYsG.exe
  C:\Windows\System32\wuDaYsG.exe
  2⤵
  PID:5292
- C:\Windows\System32\ptzKArt.exe
  C:\Windows\System32\ptzKArt.exe
  2⤵
  PID:4444
- C:\Windows\System32\ZpCTKEK.exe
  C:\Windows\System32\ZpCTKEK.exe
  2⤵
  PID:5532
- C:\Windows\System32\SUsVCPG.exe
  C:\Windows\System32\SUsVCPG.exe
  2⤵
  PID:5876
- C:\Windows\System32\FJFLYmn.exe
  C:\Windows\System32\FJFLYmn.exe
  2⤵
  PID:5604
- C:\Windows\System32\cUShqIz.exe
  C:\Windows\System32\cUShqIz.exe
  2⤵
  PID:5944
- C:\Windows\System32\YsGWoDI.exe
  C:\Windows\System32\YsGWoDI.exe
  2⤵
  PID:6036
- C:\Windows\System32\TLPIAgH.exe
  C:\Windows\System32\TLPIAgH.exe
  2⤵
  PID:5864
- C:\Windows\System32\Vmkpubp.exe
  C:\Windows\System32\Vmkpubp.exe
  2⤵
  PID:1120
- C:\Windows\System32\tVvpXsZ.exe
  C:\Windows\System32\tVvpXsZ.exe
  2⤵
  PID:6096
- C:\Windows\System32\afqTbFf.exe
  C:\Windows\System32\afqTbFf.exe
  2⤵
  PID:6164
- C:\Windows\System32\eAPTvKd.exe
  C:\Windows\System32\eAPTvKd.exe
  2⤵
  PID:6204
- C:\Windows\System32\yMryUAW.exe
  C:\Windows\System32\yMryUAW.exe
  2⤵
  PID:6224
- C:\Windows\System32\yhyZbVv.exe
  C:\Windows\System32\yhyZbVv.exe
  2⤵
  PID:6240
- C:\Windows\System32\XbuNlQt.exe
  C:\Windows\System32\XbuNlQt.exe
  2⤵
  PID:6260
- C:\Windows\System32\RwAQmuc.exe
  C:\Windows\System32\RwAQmuc.exe
  2⤵
  PID:6296
- C:\Windows\System32\JlyRBTD.exe
  C:\Windows\System32\JlyRBTD.exe
  2⤵
  PID:6324
- C:\Windows\System32\MgCTfLh.exe
  C:\Windows\System32\MgCTfLh.exe
  2⤵
  PID:6340
- C:\Windows\System32\JOcSeWe.exe
  C:\Windows\System32\JOcSeWe.exe
  2⤵
  PID:6368
- C:\Windows\System32\hjqvKVV.exe
  C:\Windows\System32\hjqvKVV.exe
  2⤵
  PID:6392
- C:\Windows\System32\DRPLKmk.exe
  C:\Windows\System32\DRPLKmk.exe
  2⤵
  PID:6432
- C:\Windows\System32\geqWxcV.exe
  C:\Windows\System32\geqWxcV.exe
  2⤵
  PID:6468
- C:\Windows\System32\nsaeaUa.exe
  C:\Windows\System32\nsaeaUa.exe
  2⤵
  PID:6492
- C:\Windows\System32\rrIUMvS.exe
  C:\Windows\System32\rrIUMvS.exe
  2⤵
  PID:6528
- C:\Windows\System32\JjLemXu.exe
  C:\Windows\System32\JjLemXu.exe
  2⤵
  PID:6552
- C:\Windows\System32\WKbSzlX.exe
  C:\Windows\System32\WKbSzlX.exe
  2⤵
  PID:6572
- C:\Windows\System32\ezmFBBu.exe
  C:\Windows\System32\ezmFBBu.exe
  2⤵
  PID:6592
- C:\Windows\System32\hYbDNGL.exe
  C:\Windows\System32\hYbDNGL.exe
  2⤵
  PID:6616
- C:\Windows\System32\hzfEjzR.exe
  C:\Windows\System32\hzfEjzR.exe
  2⤵
  PID:6640
- C:\Windows\System32\ERstrOT.exe
  C:\Windows\System32\ERstrOT.exe
  2⤵
  PID:6656
- C:\Windows\System32\MErABqx.exe
  C:\Windows\System32\MErABqx.exe
  2⤵
  PID:6684
- C:\Windows\System32\FokbcLs.exe
  C:\Windows\System32\FokbcLs.exe
  2⤵
  PID:6748
- C:\Windows\System32\oqTQGnI.exe
  C:\Windows\System32\oqTQGnI.exe
  2⤵
  PID:6784
- C:\Windows\System32\uNlIuaR.exe
  C:\Windows\System32\uNlIuaR.exe
  2⤵
  PID:6808
- C:\Windows\System32\KXWccaX.exe
  C:\Windows\System32\KXWccaX.exe
  2⤵
  PID:6828
- C:\Windows\System32\LAACVRB.exe
  C:\Windows\System32\LAACVRB.exe
  2⤵
  PID:6852
- C:\Windows\System32\VKMARPk.exe
  C:\Windows\System32\VKMARPk.exe
  2⤵
  PID:6884
- C:\Windows\System32\vVJOTwQ.exe
  C:\Windows\System32\vVJOTwQ.exe
  2⤵
  PID:6908
- C:\Windows\System32\KwlYOHv.exe
  C:\Windows\System32\KwlYOHv.exe
  2⤵
  PID:6924
- C:\Windows\System32\hzXAkvr.exe
  C:\Windows\System32\hzXAkvr.exe
  2⤵
  PID:6956
- C:\Windows\System32\juMOYka.exe
  C:\Windows\System32\juMOYka.exe
  2⤵
  PID:6976
- C:\Windows\System32\ujDFlpz.exe
  C:\Windows\System32\ujDFlpz.exe
  2⤵
  PID:6992
- C:\Windows\System32\RKodKBZ.exe
  C:\Windows\System32\RKodKBZ.exe
  2⤵
  PID:7012
- C:\Windows\System32\LeDKdHI.exe
  C:\Windows\System32\LeDKdHI.exe
  2⤵
  PID:7040
- C:\Windows\System32\InfBLAg.exe
  C:\Windows\System32\InfBLAg.exe
  2⤵
  PID:7056
- C:\Windows\System32\DvtyZsU.exe
  C:\Windows\System32\DvtyZsU.exe
  2⤵
  PID:7084
- C:\Windows\System32\uGYSIeg.exe
  C:\Windows\System32\uGYSIeg.exe
  2⤵
  PID:7100
- C:\Windows\System32\uetDWmR.exe
  C:\Windows\System32\uetDWmR.exe
  2⤵
  PID:7144
- C:\Windows\System32\VoExrdt.exe
  C:\Windows\System32\VoExrdt.exe
  2⤵
  PID:6160
- C:\Windows\System32\SxZcKqM.exe
  C:\Windows\System32\SxZcKqM.exe
  2⤵
  PID:6252
- C:\Windows\System32\dnYsIpN.exe
  C:\Windows\System32\dnYsIpN.exe
  2⤵
  PID:6236
- C:\Windows\System32\TWxHbhi.exe
  C:\Windows\System32\TWxHbhi.exe
  2⤵
  PID:6276
- C:\Windows\System32\SDFXqQu.exe
  C:\Windows\System32\SDFXqQu.exe
  2⤵
  PID:6348
- C:\Windows\System32\rozAzXj.exe
  C:\Windows\System32\rozAzXj.exe
  2⤵
  PID:5432
- C:\Windows\System32\NsEpJDn.exe
  C:\Windows\System32\NsEpJDn.exe
  2⤵
  PID:6428
- C:\Windows\System32\ZDLCgdw.exe
  C:\Windows\System32\ZDLCgdw.exe
  2⤵
  PID:6540
- C:\Windows\System32\MwBncRf.exe
  C:\Windows\System32\MwBncRf.exe
  2⤵
  PID:6632
- C:\Windows\System32\CFLdUWr.exe
  C:\Windows\System32\CFLdUWr.exe
  2⤵
  PID:6732
- C:\Windows\System32\UNrBinC.exe
  C:\Windows\System32\UNrBinC.exe
  2⤵
  PID:6756
- C:\Windows\System32\aooYncC.exe
  C:\Windows\System32\aooYncC.exe
  2⤵
  PID:6836
- C:\Windows\System32\EbTxfjn.exe
  C:\Windows\System32\EbTxfjn.exe
  2⤵
  PID:6876
- C:\Windows\System32\SjdIyHQ.exe
  C:\Windows\System32\SjdIyHQ.exe
  2⤵
  PID:6892
- C:\Windows\System32\fdtdAiq.exe
  C:\Windows\System32\fdtdAiq.exe
  2⤵
  PID:7008
- C:\Windows\System32\OUAknEH.exe
  C:\Windows\System32\OUAknEH.exe
  2⤵
  PID:6988
- C:\Windows\System32\HouGTrV.exe
  C:\Windows\System32\HouGTrV.exe
  2⤵
  PID:7108
- C:\Windows\System32\yUKMTir.exe
  C:\Windows\System32\yUKMTir.exe
  2⤵
  PID:7152
- C:\Windows\System32\nrkdPBv.exe
  C:\Windows\System32\nrkdPBv.exe
  2⤵
  PID:6304
- C:\Windows\System32\iuxTaiu.exe
  C:\Windows\System32\iuxTaiu.exe
  2⤵
  PID:6216
- C:\Windows\System32\ucQlQtf.exe
  C:\Windows\System32\ucQlQtf.exe
  2⤵
  PID:6600
- C:\Windows\System32\rFUASou.exe
  C:\Windows\System32\rFUASou.exe
  2⤵
  PID:6604
- C:\Windows\System32\kxRqFWP.exe
  C:\Windows\System32\kxRqFWP.exe
  2⤵
  PID:7024
- C:\Windows\System32\pfdhPoa.exe
  C:\Windows\System32\pfdhPoa.exe
  2⤵
  PID:6388
- C:\Windows\System32\MjmNdEm.exe
  C:\Windows\System32\MjmNdEm.exe
  2⤵
  PID:6412
- C:\Windows\System32\uOzPagK.exe
  C:\Windows\System32\uOzPagK.exe
  2⤵
  PID:6184
- C:\Windows\System32\OACEiHw.exe
  C:\Windows\System32\OACEiHw.exe
  2⤵
  PID:7000
- C:\Windows\System32\ifQnNGo.exe
  C:\Windows\System32\ifQnNGo.exe
  2⤵
  PID:7232
- C:\Windows\System32\CjXDPrA.exe
  C:\Windows\System32\CjXDPrA.exe
  2⤵
  PID:7288
- C:\Windows\System32\XaxBlAa.exe
  C:\Windows\System32\XaxBlAa.exe
  2⤵
  PID:7304
- C:\Windows\System32\KvMHttW.exe
  C:\Windows\System32\KvMHttW.exe
  2⤵
  PID:7356
- C:\Windows\System32\miDWbvU.exe
  C:\Windows\System32\miDWbvU.exe
  2⤵
  PID:7372
- C:\Windows\System32\ykebfSp.exe
  C:\Windows\System32\ykebfSp.exe
  2⤵
  PID:7400
- C:\Windows\System32\SMIMalm.exe
  C:\Windows\System32\SMIMalm.exe
  2⤵
  PID:7424
- C:\Windows\System32\bvhYwbq.exe
  C:\Windows\System32\bvhYwbq.exe
  2⤵
  PID:7448
- C:\Windows\System32\uwPgwvO.exe
  C:\Windows\System32\uwPgwvO.exe
  2⤵
  PID:7492
- C:\Windows\System32\JaGBDdU.exe
  C:\Windows\System32\JaGBDdU.exe
  2⤵
  PID:7524
- C:\Windows\System32\RQBkLKG.exe
  C:\Windows\System32\RQBkLKG.exe
  2⤵
  PID:7548
- C:\Windows\System32\WrdiuIG.exe
  C:\Windows\System32\WrdiuIG.exe
  2⤵
  PID:7568
- C:\Windows\System32\EdvGdIG.exe
  C:\Windows\System32\EdvGdIG.exe
  2⤵
  PID:7600
- C:\Windows\System32\KcGwYzQ.exe
  C:\Windows\System32\KcGwYzQ.exe
  2⤵
  PID:7628
- C:\Windows\System32\krUoIkQ.exe
  C:\Windows\System32\krUoIkQ.exe
  2⤵
  PID:7660
- C:\Windows\System32\jzeAOhL.exe
  C:\Windows\System32\jzeAOhL.exe
  2⤵
  PID:7696
- C:\Windows\System32\WyQxQHf.exe
  C:\Windows\System32\WyQxQHf.exe
  2⤵
  PID:7712
- C:\Windows\System32\ZryEGBb.exe
  C:\Windows\System32\ZryEGBb.exe
  2⤵
  PID:7756
- C:\Windows\System32\gXIkAwl.exe
  C:\Windows\System32\gXIkAwl.exe
  2⤵
  PID:7784
- C:\Windows\System32\ajbkERk.exe
  C:\Windows\System32\ajbkERk.exe
  2⤵
  PID:7808
- C:\Windows\System32\jfXUHLV.exe
  C:\Windows\System32\jfXUHLV.exe
  2⤵
  PID:7832
- C:\Windows\System32\SEjAsEF.exe
  C:\Windows\System32\SEjAsEF.exe
  2⤵
  PID:7852
- C:\Windows\System32\xjFCkcb.exe
  C:\Windows\System32\xjFCkcb.exe
  2⤵
  PID:7868
- C:\Windows\System32\bdRddvu.exe
  C:\Windows\System32\bdRddvu.exe
  2⤵
  PID:7892
- C:\Windows\System32\HcAWHni.exe
  C:\Windows\System32\HcAWHni.exe
  2⤵
  PID:7916
- C:\Windows\System32\myeXqkr.exe
  C:\Windows\System32\myeXqkr.exe
  2⤵
  PID:7936
- C:\Windows\System32\QoiDBKE.exe
  C:\Windows\System32\QoiDBKE.exe
  2⤵
  PID:7956
- C:\Windows\System32\wzQDeWv.exe
  C:\Windows\System32\wzQDeWv.exe
  2⤵
  PID:8004
- C:\Windows\System32\xaCcdTP.exe
  C:\Windows\System32\xaCcdTP.exe
  2⤵
  PID:8024
- C:\Windows\System32\XgynFso.exe
  C:\Windows\System32\XgynFso.exe
  2⤵
  PID:8088
- C:\Windows\System32\zRSQIZj.exe
  C:\Windows\System32\zRSQIZj.exe
  2⤵
  PID:8112
- C:\Windows\System32\esDsjRa.exe
  C:\Windows\System32\esDsjRa.exe
  2⤵
  PID:8132
- C:\Windows\System32\GIaGzoS.exe
  C:\Windows\System32\GIaGzoS.exe
  2⤵
  PID:8160
- C:\Windows\System32\htrFlak.exe
  C:\Windows\System32\htrFlak.exe
  2⤵
  PID:8176
- C:\Windows\System32\rUxCqHu.exe
  C:\Windows\System32\rUxCqHu.exe
  2⤵
  PID:6772
- C:\Windows\System32\sqopodI.exe
  C:\Windows\System32\sqopodI.exe
  2⤵
  PID:6672
- C:\Windows\System32\bkFiAgR.exe
  C:\Windows\System32\bkFiAgR.exe
  2⤵
  PID:7188
- C:\Windows\System32\NbNAUgB.exe
  C:\Windows\System32\NbNAUgB.exe
  2⤵
  PID:7228
- C:\Windows\System32\SwwcYDq.exe
  C:\Windows\System32\SwwcYDq.exe
  2⤵
  PID:7392
- C:\Windows\System32\ewPjCrc.exe
  C:\Windows\System32\ewPjCrc.exe
  2⤵
  PID:7396
- C:\Windows\System32\hpmhHtM.exe
  C:\Windows\System32\hpmhHtM.exe
  2⤵
  PID:7480
- C:\Windows\System32\cFjNxpC.exe
  C:\Windows\System32\cFjNxpC.exe
  2⤵
  PID:7580
- C:\Windows\System32\lnknDAA.exe
  C:\Windows\System32\lnknDAA.exe
  2⤵
  PID:7668
- C:\Windows\System32\uqcZHHl.exe
  C:\Windows\System32\uqcZHHl.exe
  2⤵
  PID:7708
- C:\Windows\System32\HYPysuB.exe
  C:\Windows\System32\HYPysuB.exe
  2⤵
  PID:7724
- C:\Windows\System32\pnLCkLO.exe
  C:\Windows\System32\pnLCkLO.exe
  2⤵
  PID:7864
- C:\Windows\System32\sUGEJiX.exe
  C:\Windows\System32\sUGEJiX.exe
  2⤵
  PID:7968
- C:\Windows\System32\SqaOhqX.exe
  C:\Windows\System32\SqaOhqX.exe
  2⤵
  PID:7932
- C:\Windows\System32\eVzVVeX.exe
  C:\Windows\System32\eVzVVeX.exe
  2⤵
  PID:8056
- C:\Windows\System32\CqSIVYq.exe
  C:\Windows\System32\CqSIVYq.exe
  2⤵
  PID:8120
- C:\Windows\System32\IJfAyNY.exe
  C:\Windows\System32\IJfAyNY.exe
  2⤵
  PID:6460
- C:\Windows\System32\cdDucDN.exe
  C:\Windows\System32\cdDucDN.exe
  2⤵
  PID:7280
- C:\Windows\System32\snsTneD.exe
  C:\Windows\System32\snsTneD.exe
  2⤵
  PID:7036
- C:\Windows\System32\cpjuNMl.exe
  C:\Windows\System32\cpjuNMl.exe
  2⤵
  PID:7504
- C:\Windows\System32\nNSJYge.exe
  C:\Windows\System32\nNSJYge.exe
  2⤵
  PID:7656
- C:\Windows\System32\GppiHiA.exe
  C:\Windows\System32\GppiHiA.exe
  2⤵
  PID:7888
- C:\Windows\System32\jjUFrTf.exe
  C:\Windows\System32\jjUFrTf.exe
  2⤵
  PID:7848
- C:\Windows\System32\bhYBqUx.exe
  C:\Windows\System32\bhYBqUx.exe
  2⤵
  PID:8060
- C:\Windows\System32\MqEgCRX.exe
  C:\Windows\System32\MqEgCRX.exe
  2⤵
  PID:7300
- C:\Windows\System32\NfMgMZZ.exe
  C:\Windows\System32\NfMgMZZ.exe
  2⤵
  PID:7596
- C:\Windows\System32\coltTjS.exe
  C:\Windows\System32\coltTjS.exe
  2⤵
  PID:7532
- C:\Windows\System32\JTwswnY.exe
  C:\Windows\System32\JTwswnY.exe
  2⤵
  PID:8172
- C:\Windows\System32\TIlYvCl.exe
  C:\Windows\System32\TIlYvCl.exe
  2⤵
  PID:7324
- C:\Windows\System32\DoEtVBp.exe
  C:\Windows\System32\DoEtVBp.exe
  2⤵
  PID:8244
- C:\Windows\System32\IJhfmvA.exe
  C:\Windows\System32\IJhfmvA.exe
  2⤵
  PID:8264
- C:\Windows\System32\WbbSQkh.exe
  C:\Windows\System32\WbbSQkh.exe
  2⤵
  PID:8284
- C:\Windows\System32\ZaWdecO.exe
  C:\Windows\System32\ZaWdecO.exe
  2⤵
  PID:8316
- C:\Windows\System32\skePiCJ.exe
  C:\Windows\System32\skePiCJ.exe
  2⤵
  PID:8344
- C:\Windows\System32\OgJKOPP.exe
  C:\Windows\System32\OgJKOPP.exe
  2⤵
  PID:8396
- C:\Windows\System32\hiViImG.exe
  C:\Windows\System32\hiViImG.exe
  2⤵
  PID:8416
- C:\Windows\System32\nhUbTWe.exe
  C:\Windows\System32\nhUbTWe.exe
  2⤵
  PID:8436
- C:\Windows\System32\rAWbWuA.exe
  C:\Windows\System32\rAWbWuA.exe
  2⤵
  PID:8472
- C:\Windows\System32\pBrgORR.exe
  C:\Windows\System32\pBrgORR.exe
  2⤵
  PID:8496
- C:\Windows\System32\zcGgmLr.exe
  C:\Windows\System32\zcGgmLr.exe
  2⤵
  PID:8532
- C:\Windows\System32\MQSZdBg.exe
  C:\Windows\System32\MQSZdBg.exe
  2⤵
  PID:8552
- C:\Windows\System32\kopxYki.exe
  C:\Windows\System32\kopxYki.exe
  2⤵
  PID:8580
- C:\Windows\System32\sRHawQk.exe
  C:\Windows\System32\sRHawQk.exe
  2⤵
  PID:8612
- C:\Windows\System32\JMMxAIb.exe
  C:\Windows\System32\JMMxAIb.exe
  2⤵
  PID:8632
- C:\Windows\System32\eSKwaGw.exe
  C:\Windows\System32\eSKwaGw.exe
  2⤵
  PID:8668
- C:\Windows\System32\OLxrHiy.exe
  C:\Windows\System32\OLxrHiy.exe
  2⤵
  PID:8696
- C:\Windows\System32\ZjAmClT.exe
  C:\Windows\System32\ZjAmClT.exe
  2⤵
  PID:8712
- C:\Windows\System32\xkBBHhb.exe
  C:\Windows\System32\xkBBHhb.exe
  2⤵
  PID:8736
- C:\Windows\System32\xofjNrO.exe
  C:\Windows\System32\xofjNrO.exe
  2⤵
  PID:8776
- C:\Windows\System32\LjXScHe.exe
  C:\Windows\System32\LjXScHe.exe
  2⤵
  PID:8812
- C:\Windows\System32\kDGgzrR.exe
  C:\Windows\System32\kDGgzrR.exe
  2⤵
  PID:8836
- C:\Windows\System32\iZOwyhX.exe
  C:\Windows\System32\iZOwyhX.exe
  2⤵
  PID:8860
- C:\Windows\System32\MKBtTWw.exe
  C:\Windows\System32\MKBtTWw.exe
  2⤵
  PID:8884
- C:\Windows\System32\JefHCtd.exe
  C:\Windows\System32\JefHCtd.exe
  2⤵
  PID:8920
- C:\Windows\System32\tiqfVif.exe
  C:\Windows\System32\tiqfVif.exe
  2⤵
  PID:8940
- C:\Windows\System32\zzAIdgh.exe
  C:\Windows\System32\zzAIdgh.exe
  2⤵
  PID:8972
- C:\Windows\System32\ueOxLhd.exe
  C:\Windows\System32\ueOxLhd.exe
  2⤵
  PID:8996
- C:\Windows\System32\jkEJkYL.exe
  C:\Windows\System32\jkEJkYL.exe
  2⤵
  PID:9012
- C:\Windows\System32\phlfFCd.exe
  C:\Windows\System32\phlfFCd.exe
  2⤵
  PID:9036
- C:\Windows\System32\JmTReBu.exe
  C:\Windows\System32\JmTReBu.exe
  2⤵
  PID:9064
- C:\Windows\System32\wjyCSRa.exe
  C:\Windows\System32\wjyCSRa.exe
  2⤵
  PID:9084
- C:\Windows\System32\cOhvwjj.exe
  C:\Windows\System32\cOhvwjj.exe
  2⤵
  PID:9104
- C:\Windows\System32\racrAhA.exe
  C:\Windows\System32\racrAhA.exe
  2⤵
  PID:9132
- C:\Windows\System32\joXrQfW.exe
  C:\Windows\System32\joXrQfW.exe
  2⤵
  PID:9164
- C:\Windows\System32\dkESsDX.exe
  C:\Windows\System32\dkESsDX.exe
  2⤵
  PID:9180
- C:\Windows\System32\KUtGmgf.exe
  C:\Windows\System32\KUtGmgf.exe
  2⤵
  PID:9212
- C:\Windows\System32\wnPLXmH.exe
  C:\Windows\System32\wnPLXmH.exe
  2⤵
  PID:7208
- C:\Windows\System32\ftealBh.exe
  C:\Windows\System32\ftealBh.exe
  2⤵
  PID:8260
- C:\Windows\System32\BwHGQQz.exe
  C:\Windows\System32\BwHGQQz.exe
  2⤵
  PID:8280
- C:\Windows\System32\hEFlLLw.exe
  C:\Windows\System32\hEFlLLw.exe
  2⤵
  PID:8428
- C:\Windows\System32\YEdTaba.exe
  C:\Windows\System32\YEdTaba.exe
  2⤵
  PID:8520
- C:\Windows\System32\ynJiYEE.exe
  C:\Windows\System32\ynJiYEE.exe
  2⤵
  PID:8572
- C:\Windows\System32\NJhXSla.exe
  C:\Windows\System32\NJhXSla.exe
  2⤵
  PID:8620
- C:\Windows\System32\aZVnnWm.exe
  C:\Windows\System32\aZVnnWm.exe
  2⤵
  PID:8676
- C:\Windows\System32\yGcFmRR.exe
  C:\Windows\System32\yGcFmRR.exe
  2⤵
  PID:8704
- C:\Windows\System32\lsxaKGN.exe
  C:\Windows\System32\lsxaKGN.exe
  2⤵
  PID:8768
- C:\Windows\System32\ZXGJAiX.exe
  C:\Windows\System32\ZXGJAiX.exe
  2⤵
  PID:8856
- C:\Windows\System32\RwlTIua.exe
  C:\Windows\System32\RwlTIua.exe
  2⤵
  PID:8900
- C:\Windows\System32\begPjwC.exe
  C:\Windows\System32\begPjwC.exe
  2⤵
  PID:9020
- C:\Windows\System32\HpCsFQw.exe
  C:\Windows\System32\HpCsFQw.exe
  2⤵
  PID:9100
- C:\Windows\System32\AufTrNE.exe
  C:\Windows\System32\AufTrNE.exe
  2⤵
  PID:9160
- C:\Windows\System32\puKYZTD.exe
  C:\Windows\System32\puKYZTD.exe
  2⤵
  PID:8212
- C:\Windows\System32\lfSfELa.exe
  C:\Windows\System32\lfSfELa.exe
  2⤵
  PID:9188
- C:\Windows\System32\GiDKjqt.exe
  C:\Windows\System32\GiDKjqt.exe
  2⤵
  PID:8412
- C:\Windows\System32\IXLAmOV.exe
  C:\Windows\System32\IXLAmOV.exe
  2⤵
  PID:8984
- C:\Windows\System32\DScoMpG.exe
  C:\Windows\System32\DScoMpG.exe
  2⤵
  PID:8748
- C:\Windows\System32\SPeHGAJ.exe
  C:\Windows\System32\SPeHGAJ.exe
  2⤵
  PID:4868
- C:\Windows\System32\EHlrFtS.exe
  C:\Windows\System32\EHlrFtS.exe
  2⤵
  PID:9232
- C:\Windows\System32\nCPDRDk.exe
  C:\Windows\System32\nCPDRDk.exe
  2⤵
  PID:9264
- C:\Windows\System32\JKoUNrx.exe
  C:\Windows\System32\JKoUNrx.exe
  2⤵
  PID:9284
- C:\Windows\System32\qWoGlSS.exe
  C:\Windows\System32\qWoGlSS.exe
  2⤵
  PID:9324
- C:\Windows\System32\ouAgDXi.exe
  C:\Windows\System32\ouAgDXi.exe
  2⤵
  PID:9364
- C:\Windows\System32\wWiTNrj.exe
  C:\Windows\System32\wWiTNrj.exe
  2⤵
  PID:9384
- C:\Windows\System32\WHVuwxy.exe
  C:\Windows\System32\WHVuwxy.exe
  2⤵
  PID:9400
- C:\Windows\System32\YvroPhB.exe
  C:\Windows\System32\YvroPhB.exe
  2⤵
  PID:9424
- C:\Windows\System32\NpEjihc.exe
  C:\Windows\System32\NpEjihc.exe
  2⤵
  PID:9480
- C:\Windows\System32\CqyWTEu.exe
  C:\Windows\System32\CqyWTEu.exe
  2⤵
  PID:9528
- C:\Windows\System32\KKhpAiv.exe
  C:\Windows\System32\KKhpAiv.exe
  2⤵
  PID:9568
- C:\Windows\System32\vYxMbiQ.exe
  C:\Windows\System32\vYxMbiQ.exe
  2⤵
  PID:9616
- C:\Windows\System32\WHLpRbg.exe
  C:\Windows\System32\WHLpRbg.exe
  2⤵
  PID:9636
- C:\Windows\System32\nTTQqik.exe
  C:\Windows\System32\nTTQqik.exe
  2⤵
  PID:9676
- C:\Windows\System32\kDhSvaq.exe
  C:\Windows\System32\kDhSvaq.exe
  2⤵
  PID:9692
- C:\Windows\System32\BNGUMJs.exe
  C:\Windows\System32\BNGUMJs.exe
  2⤵
  PID:9712
- C:\Windows\System32\MjDGPFp.exe
  C:\Windows\System32\MjDGPFp.exe
  2⤵
  PID:9736
- C:\Windows\System32\IoNfbNS.exe
  C:\Windows\System32\IoNfbNS.exe
  2⤵
  PID:9756
- C:\Windows\System32\WBiqHqk.exe
  C:\Windows\System32\WBiqHqk.exe
  2⤵
  PID:9772
- C:\Windows\System32\MRoAhHy.exe
  C:\Windows\System32\MRoAhHy.exe
  2⤵
  PID:9796
- C:\Windows\System32\RPxbJuD.exe
  C:\Windows\System32\RPxbJuD.exe
  2⤵
  PID:9816
- C:\Windows\System32\vLUyRfn.exe
  C:\Windows\System32\vLUyRfn.exe
  2⤵
  PID:9836
- C:\Windows\System32\aZuyoos.exe
  C:\Windows\System32\aZuyoos.exe
  2⤵
  PID:9900
- C:\Windows\System32\lDCoEQA.exe
  C:\Windows\System32\lDCoEQA.exe
  2⤵
  PID:9924
- C:\Windows\System32\sxtJSgv.exe
  C:\Windows\System32\sxtJSgv.exe
  2⤵
  PID:9960
- C:\Windows\System32\rJdjFHh.exe
  C:\Windows\System32\rJdjFHh.exe
  2⤵
  PID:10020
- C:\Windows\System32\HdwiaRb.exe
  C:\Windows\System32\HdwiaRb.exe
  2⤵
  PID:10036
- C:\Windows\System32\yAZlJGD.exe
  C:\Windows\System32\yAZlJGD.exe
  2⤵
  PID:10056
- C:\Windows\System32\jpXwMvC.exe
  C:\Windows\System32\jpXwMvC.exe
  2⤵
  PID:10080
- C:\Windows\System32\PPKLsbQ.exe
  C:\Windows\System32\PPKLsbQ.exe
  2⤵
  PID:10104
- C:\Windows\System32\QPwpWIh.exe
  C:\Windows\System32\QPwpWIh.exe
  2⤵
  PID:10124
- C:\Windows\System32\BEUXOWx.exe
  C:\Windows\System32\BEUXOWx.exe
  2⤵
  PID:10148
- C:\Windows\System32\bZDLVXx.exe
  C:\Windows\System32\bZDLVXx.exe
  2⤵
  PID:10188
- C:\Windows\System32\NwsDodu.exe
  C:\Windows\System32\NwsDodu.exe
  2⤵
  PID:10208
- C:\Windows\System32\QmIUzFs.exe
  C:\Windows\System32\QmIUzFs.exe
  2⤵
  PID:8524
- C:\Windows\System32\RqpzpMy.exe
  C:\Windows\System32\RqpzpMy.exe
  2⤵
  PID:8564
- C:\Windows\System32\hPKSifR.exe
  C:\Windows\System32\hPKSifR.exe
  2⤵
  PID:8252
- C:\Windows\System32\siKOVQT.exe
  C:\Windows\System32\siKOVQT.exe
  2⤵
  PID:7764
- C:\Windows\System32\wyZWINd.exe
  C:\Windows\System32\wyZWINd.exe
  2⤵
  PID:8956
- C:\Windows\System32\iHDXkHX.exe
  C:\Windows\System32\iHDXkHX.exe
  2⤵
  PID:8760
- C:\Windows\System32\gwFnNTn.exe
  C:\Windows\System32\gwFnNTn.exe
  2⤵
  PID:9260
- C:\Windows\System32\QLdTNMy.exe
  C:\Windows\System32\QLdTNMy.exe
  2⤵
  PID:9396
- C:\Windows\System32\ULedBVY.exe
  C:\Windows\System32\ULedBVY.exe
  2⤵
  PID:9508
- C:\Windows\System32\IPYutio.exe
  C:\Windows\System32\IPYutio.exe
  2⤵
  PID:9456
- C:\Windows\System32\iGRBCvF.exe
  C:\Windows\System32\iGRBCvF.exe
  2⤵
  PID:9576
- C:\Windows\System32\foXKisG.exe
  C:\Windows\System32\foXKisG.exe
  2⤵
  PID:9648
- C:\Windows\System32\VzpgMDI.exe
  C:\Windows\System32\VzpgMDI.exe
  2⤵
  PID:9684
- C:\Windows\System32\FdjaWFN.exe
  C:\Windows\System32\FdjaWFN.exe
  2⤵
  PID:9768
- C:\Windows\System32\TjwYKbB.exe
  C:\Windows\System32\TjwYKbB.exe
  2⤵
  PID:9844
- C:\Windows\System32\unTaeYI.exe
  C:\Windows\System32\unTaeYI.exe
  2⤵
  PID:9932
- C:\Windows\System32\aZujFwd.exe
  C:\Windows\System32\aZujFwd.exe
  2⤵
  PID:10016
- C:\Windows\System32\bhFyBQj.exe
  C:\Windows\System32\bhFyBQj.exe
  2⤵
  PID:10092
- C:\Windows\System32\OhVhFXJ.exe
  C:\Windows\System32\OhVhFXJ.exe
  2⤵
  PID:10180
- C:\Windows\System32\HIywxRl.exe
  C:\Windows\System32\HIywxRl.exe
  2⤵
  PID:10196
- C:\Windows\System32\acBEGuN.exe
  C:\Windows\System32\acBEGuN.exe
  2⤵
  PID:10224
- C:\Windows\System32\ixnQBUZ.exe
  C:\Windows\System32\ixnQBUZ.exe
  2⤵
  PID:8832
- C:\Windows\System32\oRqPPTQ.exe
  C:\Windows\System32\oRqPPTQ.exe
  2⤵
  PID:9360
- C:\Windows\System32\mRKezFt.exe
  C:\Windows\System32\mRKezFt.exe
  2⤵
  PID:9492
- C:\Windows\System32\mwGJYKn.exe
  C:\Windows\System32\mwGJYKn.exe
  2⤵
  PID:9632
- C:\Windows\System32\yNUWLvU.exe
  C:\Windows\System32\yNUWLvU.exe
  2⤵
  PID:9724
- C:\Windows\System32\WtNattu.exe
  C:\Windows\System32\WtNattu.exe
  2⤵
  PID:9988
- C:\Windows\System32\pOMEeuC.exe
  C:\Windows\System32\pOMEeuC.exe
  2⤵
  PID:10032
- C:\Windows\System32\RaaSkIY.exe
  C:\Windows\System32\RaaSkIY.exe
  2⤵
  PID:2148
- C:\Windows\System32\emzGpLP.exe
  C:\Windows\System32\emzGpLP.exe
  2⤵
  PID:9420
- C:\Windows\System32\MFGzGSN.exe
  C:\Windows\System32\MFGzGSN.exe
  2⤵
  PID:9688
- C:\Windows\System32\MJJvpuN.exe
  C:\Windows\System32\MJJvpuN.exe
  2⤵
  PID:9976
- C:\Windows\System32\xzUHHDY.exe
  C:\Windows\System32\xzUHHDY.exe
  2⤵
  PID:9276
- C:\Windows\System32\saBKtzY.exe
  C:\Windows\System32\saBKtzY.exe
  2⤵
  PID:10140
- C:\Windows\System32\EIKkNnt.exe
  C:\Windows\System32\EIKkNnt.exe
  2⤵
  PID:8628
- C:\Windows\System32\sGNDhww.exe
  C:\Windows\System32\sGNDhww.exe
  2⤵
  PID:10256
- C:\Windows\System32\uRkTueR.exe
  C:\Windows\System32\uRkTueR.exe
  2⤵
  PID:10308
- C:\Windows\System32\RjgJAkS.exe
  C:\Windows\System32\RjgJAkS.exe
  2⤵
  PID:10336
- C:\Windows\System32\AUheGhC.exe
  C:\Windows\System32\AUheGhC.exe
  2⤵
  PID:10364
- C:\Windows\System32\sUxiUGb.exe
  C:\Windows\System32\sUxiUGb.exe
  2⤵
  PID:10384
- C:\Windows\System32\HtxSQxM.exe
  C:\Windows\System32\HtxSQxM.exe
  2⤵
  PID:10404
- C:\Windows\System32\nhFkBQV.exe
  C:\Windows\System32\nhFkBQV.exe
  2⤵
  PID:10424
- C:\Windows\System32\EkLwFtr.exe
  C:\Windows\System32\EkLwFtr.exe
  2⤵
  PID:10456
- C:\Windows\System32\knEkPdJ.exe
  C:\Windows\System32\knEkPdJ.exe
  2⤵
  PID:10504
- C:\Windows\System32\DWihMzs.exe
  C:\Windows\System32\DWihMzs.exe
  2⤵
  PID:10524
- C:\Windows\System32\TwoEJSL.exe
  C:\Windows\System32\TwoEJSL.exe
  2⤵
  PID:10556
- C:\Windows\System32\ivQydxJ.exe
  C:\Windows\System32\ivQydxJ.exe
  2⤵
  PID:10588
- C:\Windows\System32\qKTdQik.exe
  C:\Windows\System32\qKTdQik.exe
  2⤵
  PID:10604
- C:\Windows\System32\woElXgl.exe
  C:\Windows\System32\woElXgl.exe
  2⤵
  PID:10628
- C:\Windows\System32\wfCcTpd.exe
  C:\Windows\System32\wfCcTpd.exe
  2⤵
  PID:10644
- C:\Windows\System32\nVEVRhn.exe
  C:\Windows\System32\nVEVRhn.exe
  2⤵
  PID:10668
- C:\Windows\System32\koOnbcQ.exe
  C:\Windows\System32\koOnbcQ.exe
  2⤵
  PID:10688
- C:\Windows\System32\UrGBAII.exe
  C:\Windows\System32\UrGBAII.exe
  2⤵
  PID:10704
- C:\Windows\System32\bmrJtJx.exe
  C:\Windows\System32\bmrJtJx.exe
  2⤵
  PID:10724
- C:\Windows\System32\rUaWabM.exe
  C:\Windows\System32\rUaWabM.exe
  2⤵
  PID:10792
- C:\Windows\System32\IwlmMsg.exe
  C:\Windows\System32\IwlmMsg.exe
  2⤵
  PID:10820
- C:\Windows\System32\YPigaSq.exe
  C:\Windows\System32\YPigaSq.exe
  2⤵
  PID:10852
- C:\Windows\System32\yiCtVjg.exe
  C:\Windows\System32\yiCtVjg.exe
  2⤵
  PID:10880
- C:\Windows\System32\RgboRrZ.exe
  C:\Windows\System32\RgboRrZ.exe
  2⤵
  PID:10896
- C:\Windows\System32\Zdcnbjq.exe
  C:\Windows\System32\Zdcnbjq.exe
  2⤵
  PID:10932
- C:\Windows\System32\KKHnBle.exe
  C:\Windows\System32\KKHnBle.exe
  2⤵
  PID:10952
- C:\Windows\System32\ahUXDLA.exe
  C:\Windows\System32\ahUXDLA.exe
  2⤵
  PID:10968
- C:\Windows\System32\LEqECaQ.exe
  C:\Windows\System32\LEqECaQ.exe
  2⤵
  PID:11016
- C:\Windows\System32\nAtQFjE.exe
  C:\Windows\System32\nAtQFjE.exe
  2⤵
  PID:11032
- C:\Windows\System32\WlwFoFZ.exe
  C:\Windows\System32\WlwFoFZ.exe
  2⤵
  PID:11084
- C:\Windows\System32\pYGWUFZ.exe
  C:\Windows\System32\pYGWUFZ.exe
  2⤵
  PID:11128
- C:\Windows\System32\KvAkSfI.exe
  C:\Windows\System32\KvAkSfI.exe
  2⤵
  PID:11144
- C:\Windows\System32\sbPsSiv.exe
  C:\Windows\System32\sbPsSiv.exe
  2⤵
  PID:11164
- C:\Windows\System32\FakRQBQ.exe
  C:\Windows\System32\FakRQBQ.exe
  2⤵
  PID:11200
- C:\Windows\System32\OLestze.exe
  C:\Windows\System32\OLestze.exe
  2⤵
  PID:11228
- C:\Windows\System32\BdKlYyq.exe
  C:\Windows\System32\BdKlYyq.exe
  2⤵
  PID:11248
- C:\Windows\System32\dlRnOzl.exe
  C:\Windows\System32\dlRnOzl.exe
  2⤵
  PID:10292
- C:\Windows\System32\dSAjudY.exe
  C:\Windows\System32\dSAjudY.exe
  2⤵
  PID:10328
- C:\Windows\System32\rMvfUWT.exe
  C:\Windows\System32\rMvfUWT.exe
  2⤵
  PID:10396
- C:\Windows\System32\DCyAGdX.exe
  C:\Windows\System32\DCyAGdX.exe
  2⤵
  PID:10464
- C:\Windows\System32\pWUlFvk.exe
  C:\Windows\System32\pWUlFvk.exe
  2⤵
  PID:10548
- C:\Windows\System32\WBcjFBN.exe
  C:\Windows\System32\WBcjFBN.exe
  2⤵
  PID:10572
- C:\Windows\System32\QuMAhph.exe
  C:\Windows\System32\QuMAhph.exe
  2⤵
  PID:10636
- C:\Windows\System32\oTPNBtF.exe
  C:\Windows\System32\oTPNBtF.exe
  2⤵
  PID:10660
- C:\Windows\System32\oPtuBEP.exe
  C:\Windows\System32\oPtuBEP.exe
  2⤵
  PID:10832
- C:\Windows\System32\lGAZJxb.exe
  C:\Windows\System32\lGAZJxb.exe
  2⤵
  PID:10848
- C:\Windows\System32\xCrummg.exe
  C:\Windows\System32\xCrummg.exe
  2⤵
  PID:10904
- C:\Windows\System32\sYnZnIG.exe
  C:\Windows\System32\sYnZnIG.exe
  2⤵
  PID:10996
- C:\Windows\System32\EOvyLbl.exe
  C:\Windows\System32\EOvyLbl.exe
  2⤵
  PID:11024
- C:\Windows\System32\lzdtYwd.exe
  C:\Windows\System32\lzdtYwd.exe
  2⤵
  PID:11108
- C:\Windows\System32\rkFyWJp.exe
  C:\Windows\System32\rkFyWJp.exe
  2⤵
  PID:11136
- C:\Windows\System32\hjfUuBX.exe
  C:\Windows\System32\hjfUuBX.exe
  2⤵
  PID:11208
- C:\Windows\System32\BQIKezq.exe
  C:\Windows\System32\BQIKezq.exe
  2⤵
  PID:11260
- C:\Windows\System32\yXyIcAB.exe
  C:\Windows\System32\yXyIcAB.exe
  2⤵
  PID:10296
- C:\Windows\System32\fbWyTHg.exe
  C:\Windows\System32\fbWyTHg.exe
  2⤵
  PID:10496
- C:\Windows\System32\MAHeWRb.exe
  C:\Windows\System32\MAHeWRb.exe
  2⤵
  PID:10596
- C:\Windows\System32\VWizUKS.exe
  C:\Windows\System32\VWizUKS.exe
  2⤵
  PID:10620
- C:\Windows\System32\VlecHJL.exe
  C:\Windows\System32\VlecHJL.exe
  2⤵
  PID:10928
- C:\Windows\System32\cBGQkLW.exe
  C:\Windows\System32\cBGQkLW.exe
  2⤵
  PID:11140
- C:\Windows\System32\QFoCpWz.exe
  C:\Windows\System32\QFoCpWz.exe
  2⤵
  PID:10436
- C:\Windows\System32\ezRPfer.exe
  C:\Windows\System32\ezRPfer.exe
  2⤵
  PID:10736
- C:\Windows\System32\oUtXTvO.exe
  C:\Windows\System32\oUtXTvO.exe
  2⤵
  PID:11220
- C:\Windows\System32\VORPWMt.exe
  C:\Windows\System32\VORPWMt.exe
  2⤵
  PID:10780
- C:\Windows\System32\WGDobZd.exe
  C:\Windows\System32\WGDobZd.exe
  2⤵
  PID:11288
- C:\Windows\System32\UIcKfsj.exe
  C:\Windows\System32\UIcKfsj.exe
  2⤵
  PID:11304
- C:\Windows\System32\saXwYdf.exe
  C:\Windows\System32\saXwYdf.exe
  2⤵
  PID:11348
- C:\Windows\System32\snYNgwg.exe
  C:\Windows\System32\snYNgwg.exe
  2⤵
  PID:11368
- C:\Windows\System32\PrHYTcH.exe
  C:\Windows\System32\PrHYTcH.exe
  2⤵
  PID:11392
- C:\Windows\System32\vWafhFx.exe
  C:\Windows\System32\vWafhFx.exe
  2⤵
  PID:11412
- C:\Windows\System32\IOlYSTX.exe
  C:\Windows\System32\IOlYSTX.exe
  2⤵
  PID:11436
- C:\Windows\System32\OiKaBNn.exe
  C:\Windows\System32\OiKaBNn.exe
  2⤵
  PID:11464
- C:\Windows\System32\ErWHBoD.exe
  C:\Windows\System32\ErWHBoD.exe
  2⤵
  PID:11492
- C:\Windows\System32\YHpdJQI.exe
  C:\Windows\System32\YHpdJQI.exe
  2⤵
  PID:11536
- C:\Windows\System32\DcGAMxM.exe
  C:\Windows\System32\DcGAMxM.exe
  2⤵
  PID:11552
- C:\Windows\System32\KqfVqEv.exe
  C:\Windows\System32\KqfVqEv.exe
  2⤵
  PID:11572
- C:\Windows\System32\eQOvBBk.exe
  C:\Windows\System32\eQOvBBk.exe
  2⤵
  PID:11600
- C:\Windows\System32\pQwHwJE.exe
  C:\Windows\System32\pQwHwJE.exe
  2⤵
  PID:11648
- C:\Windows\System32\lASGlks.exe
  C:\Windows\System32\lASGlks.exe
  2⤵
  PID:11668
- C:\Windows\System32\zycaqaE.exe
  C:\Windows\System32\zycaqaE.exe
  2⤵
  PID:11708
- C:\Windows\System32\eaaHBRE.exe
  C:\Windows\System32\eaaHBRE.exe
  2⤵
  PID:11736
- C:\Windows\System32\tCGFiTs.exe
  C:\Windows\System32\tCGFiTs.exe
  2⤵
  PID:11752
- C:\Windows\System32\gcNIrMQ.exe
  C:\Windows\System32\gcNIrMQ.exe
  2⤵
  PID:11784
- C:\Windows\System32\aMivOaT.exe
  C:\Windows\System32\aMivOaT.exe
  2⤵
  PID:11816
- C:\Windows\System32\iUvmcxt.exe
  C:\Windows\System32\iUvmcxt.exe
  2⤵
  PID:11840
- C:\Windows\System32\GDEmIGL.exe
  C:\Windows\System32\GDEmIGL.exe
  2⤵
  PID:11856
- C:\Windows\System32\wHpcXuE.exe
  C:\Windows\System32\wHpcXuE.exe
  2⤵
  PID:11872
- C:\Windows\System32\TJajGkj.exe
  C:\Windows\System32\TJajGkj.exe
  2⤵
  PID:11888
- C:\Windows\System32\OGNIabE.exe
  C:\Windows\System32\OGNIabE.exe
  2⤵
  PID:11916
- C:\Windows\System32\zPCdMSX.exe
  C:\Windows\System32\zPCdMSX.exe
  2⤵
  PID:11936
- C:\Windows\System32\ZlZhBKD.exe
  C:\Windows\System32\ZlZhBKD.exe
  2⤵
  PID:11952
- C:\Windows\System32\ZFnYkCr.exe
  C:\Windows\System32\ZFnYkCr.exe
  2⤵
  PID:11976
- C:\Windows\System32\TdCcyjZ.exe
  C:\Windows\System32\TdCcyjZ.exe
  2⤵
  PID:12004
- C:\Windows\System32\KMFWGyn.exe
  C:\Windows\System32\KMFWGyn.exe
  2⤵
  PID:12044
- C:\Windows\System32\nxyBPFI.exe
  C:\Windows\System32\nxyBPFI.exe
  2⤵
  PID:12108
- C:\Windows\System32\IvrTwBX.exe
  C:\Windows\System32\IvrTwBX.exe
  2⤵
  PID:12148
- C:\Windows\System32\FaIOKTw.exe
  C:\Windows\System32\FaIOKTw.exe
  2⤵
  PID:12180
- C:\Windows\System32\IBsYwUO.exe
  C:\Windows\System32\IBsYwUO.exe
  2⤵
  PID:12208
- C:\Windows\System32\YBxwAiH.exe
  C:\Windows\System32\YBxwAiH.exe
  2⤵
  PID:12228
- C:\Windows\System32\kmbNFAe.exe
  C:\Windows\System32\kmbNFAe.exe
  2⤵
  PID:12280
- C:\Windows\System32\lrBhEtA.exe
  C:\Windows\System32\lrBhEtA.exe
  2⤵
  PID:10664
- C:\Windows\System32\jXYASCZ.exe
  C:\Windows\System32\jXYASCZ.exe
  2⤵
  PID:11356
- C:\Windows\System32\uzjeBVz.exe
  C:\Windows\System32\uzjeBVz.exe
  2⤵
  PID:11432
- C:\Windows\System32\DvaGoVp.exe
  C:\Windows\System32\DvaGoVp.exe
  2⤵
  PID:11460
- C:\Windows\System32\SxWcidx.exe
  C:\Windows\System32\SxWcidx.exe
  2⤵
  PID:11520
- C:\Windows\System32\vNBtCIt.exe
  C:\Windows\System32\vNBtCIt.exe
  2⤵
  PID:11544
- C:\Windows\System32\OCNGZPP.exe
  C:\Windows\System32\OCNGZPP.exe
  2⤵
  PID:11608
- C:\Windows\System32\gyzzfBG.exe
  C:\Windows\System32\gyzzfBG.exe
  2⤵
  PID:11732
- C:\Windows\System32\dJMkSyf.exe
  C:\Windows\System32\dJMkSyf.exe
  2⤵
  PID:11824
- C:\Windows\System32\hKhmHVb.exe
  C:\Windows\System32\hKhmHVb.exe
  2⤵
  PID:11852
- C:\Windows\System32\wFytCVw.exe
  C:\Windows\System32\wFytCVw.exe
  2⤵
  PID:11984
- C:\Windows\System32\ibtzIXs.exe
  C:\Windows\System32\ibtzIXs.exe
  2⤵
  PID:11960
- C:\Windows\System32\cXQFEbf.exe
  C:\Windows\System32\cXQFEbf.exe
  2⤵
  PID:12052
- C:\Windows\System32\MZZRrAJ.exe
  C:\Windows\System32\MZZRrAJ.exe
  2⤵
  PID:12140
- C:\Windows\System32\pePXyHJ.exe
  C:\Windows\System32\pePXyHJ.exe
  2⤵
  PID:12216
- C:\Windows\System32\BGWULrZ.exe
  C:\Windows\System32\BGWULrZ.exe
  2⤵
  PID:12256
- C:\Windows\System32\dhJDGyR.exe
  C:\Windows\System32\dhJDGyR.exe
  2⤵
  PID:11296
- C:\Windows\System32\OmkalmE.exe
  C:\Windows\System32\OmkalmE.exe
  2⤵
  PID:11596
- C:\Windows\System32\dPfJuCG.exe
  C:\Windows\System32\dPfJuCG.exe
  2⤵
  PID:11584
- C:\Windows\System32\jjytVlP.exe
  C:\Windows\System32\jjytVlP.exe
  2⤵
  PID:11780
- C:\Windows\System32\zOSuDKV.exe
  C:\Windows\System32\zOSuDKV.exe
  2⤵
  PID:11900
- C:\Windows\System32\NMMwHJk.exe
  C:\Windows\System32\NMMwHJk.exe
  2⤵
  PID:12016
- C:\Windows\System32\vnJeWTP.exe
  C:\Windows\System32\vnJeWTP.exe
  2⤵
  PID:11656
- C:\Windows\System32\IusHTUG.exe
  C:\Windows\System32\IusHTUG.exe
  2⤵
  PID:11836
- C:\Windows\System32\fuqipho.exe
  C:\Windows\System32\fuqipho.exe
  2⤵
  PID:11932
- C:\Windows\System32\GkkXyDG.exe
  C:\Windows\System32\GkkXyDG.exe
  2⤵
  PID:2664
- C:\Windows\System32\jXaywOq.exe
  C:\Windows\System32\jXaywOq.exe
  2⤵
  PID:1776
- C:\Windows\System32\uYbzhDc.exe
  C:\Windows\System32\uYbzhDc.exe
  2⤵
  PID:11684
- C:\Windows\System32\iKXswwB.exe
  C:\Windows\System32\iKXswwB.exe
  2⤵
  PID:11360
- C:\Windows\System32\viIkyvd.exe
  C:\Windows\System32\viIkyvd.exe
  2⤵
  PID:12308
- C:\Windows\System32\kiruJoL.exe
  C:\Windows\System32\kiruJoL.exe
  2⤵
  PID:12340
- C:\Windows\System32\xRvuXaK.exe
  C:\Windows\System32\xRvuXaK.exe
  2⤵
  PID:12356
- C:\Windows\System32\RwurWKC.exe
  C:\Windows\System32\RwurWKC.exe
  2⤵
  PID:12384
- C:\Windows\System32\gnqARZn.exe
  C:\Windows\System32\gnqARZn.exe
  2⤵
  PID:12412
- C:\Windows\System32\JPSZKoJ.exe
  C:\Windows\System32\JPSZKoJ.exe
  2⤵
  PID:12428
- C:\Windows\System32\RqjvyNt.exe
  C:\Windows\System32\RqjvyNt.exe
  2⤵
  PID:12448
- C:\Windows\System32\qqjydFf.exe
  C:\Windows\System32\qqjydFf.exe
  2⤵
  PID:12472
- C:\Windows\System32\gdKlAda.exe
  C:\Windows\System32\gdKlAda.exe
  2⤵
  PID:12488
- C:\Windows\System32\KRFfYEU.exe
  C:\Windows\System32\KRFfYEU.exe
  2⤵
  PID:12508
- C:\Windows\System32\PQaqqos.exe
  C:\Windows\System32\PQaqqos.exe
  2⤵
  PID:12568
- C:\Windows\System32\LmUPzfl.exe
  C:\Windows\System32\LmUPzfl.exe
  2⤵
  PID:12608
- C:\Windows\System32\XhYdVcQ.exe
  C:\Windows\System32\XhYdVcQ.exe
  2⤵
  PID:12624
- C:\Windows\System32\yxxphEm.exe
  C:\Windows\System32\yxxphEm.exe
  2⤵
  PID:12656
- C:\Windows\System32\qiaXUbt.exe
  C:\Windows\System32\qiaXUbt.exe
  2⤵
  PID:12676
- C:\Windows\System32\bzyRUHa.exe
  C:\Windows\System32\bzyRUHa.exe
  2⤵
  PID:12696
- C:\Windows\System32\JWimqKr.exe
  C:\Windows\System32\JWimqKr.exe
  2⤵
  PID:12752
- C:\Windows\System32\BkiojGd.exe
  C:\Windows\System32\BkiojGd.exe
  2⤵
  PID:12776
- C:\Windows\System32\fGpBnRe.exe
  C:\Windows\System32\fGpBnRe.exe
  2⤵
  PID:12808
- C:\Windows\System32\kGJIIdY.exe
  C:\Windows\System32\kGJIIdY.exe
  2⤵
  PID:12832
- C:\Windows\System32\hMOOHiE.exe
  C:\Windows\System32\hMOOHiE.exe
  2⤵
  PID:12864
- C:\Windows\System32\bIAauRh.exe
  C:\Windows\System32\bIAauRh.exe
  2⤵
  PID:12892
- C:\Windows\System32\TlEnJdN.exe
  C:\Windows\System32\TlEnJdN.exe
  2⤵
  PID:12936
- C:\Windows\System32\QouULRV.exe
  C:\Windows\System32\QouULRV.exe
  2⤵
  PID:12980
- C:\Windows\System32\NPNRydz.exe
  C:\Windows\System32\NPNRydz.exe
  2⤵
  PID:12996
- C:\Windows\System32\NqFfcRd.exe
  C:\Windows\System32\NqFfcRd.exe
  2⤵
  PID:13020
- C:\Windows\System32\lwAdQpH.exe
  C:\Windows\System32\lwAdQpH.exe
  2⤵
  PID:13048
- C:\Windows\System32\mKXBnHZ.exe
  C:\Windows\System32\mKXBnHZ.exe
  2⤵
  PID:13068
- C:\Windows\System32\aDfAqxq.exe
  C:\Windows\System32\aDfAqxq.exe
  2⤵
  PID:13088
- C:\Windows\System32\kqYrjoh.exe
  C:\Windows\System32\kqYrjoh.exe
  2⤵
  PID:13136
- C:\Windows\System32\LcZdGYc.exe
  C:\Windows\System32\LcZdGYc.exe
  2⤵
  PID:13152
- C:\Windows\System32\hcAgFZJ.exe
  C:\Windows\System32\hcAgFZJ.exe
  2⤵
  PID:13172
- C:\Windows\System32\zLLGMUj.exe
  C:\Windows\System32\zLLGMUj.exe
  2⤵
  PID:13200
- C:\Windows\System32\MqJUrQv.exe
  C:\Windows\System32\MqJUrQv.exe
  2⤵
  PID:13220
- C:\Windows\System32\fgLGAiL.exe
  C:\Windows\System32\fgLGAiL.exe
  2⤵
  PID:13252
- C:\Windows\System32\JjgUqvd.exe
  C:\Windows\System32\JjgUqvd.exe
  2⤵
  PID:13268
- C:\Windows\System32\vzZhaXh.exe
  C:\Windows\System32\vzZhaXh.exe
  2⤵
  PID:13292
- C:\Windows\System32\KhqoZYE.exe
  C:\Windows\System32\KhqoZYE.exe
  2⤵
  PID:12372
- C:\Windows\System32\yOCImTm.exe
  C:\Windows\System32\yOCImTm.exe
  2⤵
  PID:12444

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AlMDPTA.exe

Filesize
1.1MB

MD5
f56e4bc9fd325ba967f165c5bdbf8ac2

SHA1
d88e246dc03dda0db52c7e543c2112695b6259a7

SHA256
9d5ebc24f7564bc95b3423414007d4ff359f6f5645e4b8a25b530b72d5dc175f

SHA512
9dd91aaf2a0870f093ae90a6f78e66e215183e32abf47fd5b92dea3067a084a99b70875635207ae0baea630e60f408bafd9b9eff004e69b61084176e4a0c8238

Download Submit
C:\Windows\System32\BFuxWZN.exe

Filesize
1.1MB

MD5
6b8cba58fdc96de4cf00160740a7f1db

SHA1
7e138ee02c5ebb4f560d8545f151892eb58961ee

SHA256
67d75224ed12fa6b796aac2cdb9bccad39758c5b7a0dd8ac0f254bcb1a2e98a4

SHA512
56f18b6161095bb3a81849ebf7ee259d86a666dd2891611545706b93fa12eb46c9dec167a2820d9a0b0b8ccb19c519d8012033ba7da21263125ab2cc323e324b

Download Submit
C:\Windows\System32\BJgrnHQ.exe

Filesize
1.1MB

MD5
28894b704b2c1b96adeb8d296f045d8d

SHA1
b7beb8d34f11a87d5eabf99f4c208dcab53f8bcd

SHA256
14f52ceb7be87f658e62ef59d7d467c3d7f85030f720583803526690166e7df5

SHA512
804d64c3699f11c3503e17fe497af82d0b25625a13dad69e336056951958575413a6e96fb4a476a8485671874d39b8f8aa56f6b0dd5c760c1d881cdc8784c2b4

Download Submit
C:\Windows\System32\CYTkTHq.exe

Filesize
1.1MB

MD5
23a686222e38bea9ff8749c07ae7ef0a

SHA1
41af3c6c5a7450724673bb1698f893e672cb05e8

SHA256
17ae0916ff2d886d421127d8e096333e0569cfa8edb05e4f3fc08b0bf9250a72

SHA512
dbeb02be6e414e31dff17a78cb50c1d92a7681045e10c7c160360db159fc96dd7c3a7f1df928b18d2d22b7e1bb8222d07d929d7c056c19617f5970d4d92487dd

Download Submit
C:\Windows\System32\HDLEevM.exe

Filesize
1.1MB

MD5
a420112db9c5ada0a71f3c092c9973be

SHA1
b1be2f59c48a6ac6a5409f5b45f697cd6ea16f9e

SHA256
5609778fa8eca4900de652b596925caede88474998ca39f187b502c881b13e36

SHA512
9d6298f36bf837cf34c38dfca5cf0d2d98787b9f324650a3ba067935ffaef62059dc071e4f5c54337d14fefbb853023173ae7e5dbdeda0cc7ef110f151a03f9d

Download Submit
C:\Windows\System32\IMvaTsS.exe

Filesize
1.1MB

MD5
b488e5e092dc22526eec699bfe6c73a3

SHA1
c03903bd57aea0598118416a3b66e3564bcc9721

SHA256
92d8fcde1151f6e7f775274851d0fbd8b3e953b7b2155f3cb915d3e58a0cae6a

SHA512
15ea349160b6db22706020cfbf41019825d175a0cdf78ec02ced2271af01e6c5acddcbb7ee7b6f542d80a5f47fd121473dd690c41b72fbd556f5f05a717ea182

Download Submit
C:\Windows\System32\JLjrpiW.exe

Filesize
1.1MB

MD5
6286516503b4c005da56435050b6fc9e

SHA1
492ce3e9ca5e9bcdaca5be19efb2d09e136051f4

SHA256
e42fe3c16e55054a744a41cdf8fa0308f43c453f8919a8576d59c01c766c996d

SHA512
20088c8a9da357857f5994c042a875c9606ca0a538b1d30b21a060983581bcdec472cc27ea2540673b0ed7f0e974f2ada808a8768ffdca6228fbe596f1b4702c

Download Submit
C:\Windows\System32\KerJpfr.exe

Filesize
1.1MB

MD5
9bf91792bfaba0236c35b5225653b601

SHA1
721cf0942e518d205b963ba74c1e76d7d7e61f47

SHA256
e046886171e4e60a9e9d64cb246b4bbb4a44a76e3a474fb4dde26200151fa8ba

SHA512
30106a5d388b621d725561e8dd9623f15769c76e58e436f683a1690732da01b4a7730f6a5424769914e4380c8fb4aaa6320768eca3a5b0fa16c80fbae6e74863

Download Submit
C:\Windows\System32\MCJGAZX.exe

Filesize
1.1MB

MD5
79715d29679a93a2c0221b82a810cdc9

SHA1
4d7fca5f1f0082d775fb5ac90de88c7311c3b5f2

SHA256
4d9f89f8e4fe1809458f347f43a4fb84535373c882cfae099aa808e395d2ef22

SHA512
cb100f3dd5081a67bcfed3a9df8d484de9906bb04ebaefff7c0d815512ed703b02c63f0439e5b150623bff03960a5a01cabdd6673135947076a7083f32c0e41d

Download Submit
C:\Windows\System32\QFiqSzF.exe

Filesize
1.1MB

MD5
af2ae5bc34aa52fe6ce0874bd8e669a6

SHA1
fdceec930bee36532a23c198a58f03f5f9385106

SHA256
cb5e05a3003d982ac9a7b36c4bef4aceab7a3d07f3a53bad9e08636c4171c422

SHA512
dccc3b857a91c73f8527265a842924aea89390aa3087a00c69a7b65643f4efcdd23a4e7bcef1224ebdcea00bd6f628f628dead657025753c1a02185997f1c373

Download Submit
C:\Windows\System32\QiOSDok.exe

Filesize
1.1MB

MD5
84049836739ca01cf9722ec0c64ad4f9

SHA1
51c45fb59cac80467a1599e52e59b1677eadd85c

SHA256
10e08e85a591dd4f36195f5bb82448180d9628dae780ddf7c32bdbb742ced0af

SHA512
919d4bfdd51d555925a83a537fe26333ed5a2a59da2ebc44cdb081581aee5316b1dee4c162348871c23536846d4fe1c49a8c11a6118dda59be449643d09b429f

Download Submit
C:\Windows\System32\RLLCxWL.exe

Filesize
1.1MB

MD5
aa94b484a4e1273db4c447df549d30eb

SHA1
2db33b26c7edb1ae77ca339d5825d8d596558983

SHA256
6a343d318a5c114ff70eb93ab4d071e6493c320cdd6dc16d3294beb98048d1be

SHA512
16734742b282cc5ffcfa195939135255e512a5dba608dfe285c4805f7690737a225820fe9ef7d717fa01b5b61ccf1adffa6d675ae8c0e97c5143a26da3e38146

Download Submit
C:\Windows\System32\RrxYSkl.exe

Filesize
1.1MB

MD5
e44793d5079469488d77e323fcbab62a

SHA1
201b0e262a99c3960807139e7c31439204def8df

SHA256
63685150bbe7aaad45a6ed210df637c66e2e12ba84f6b8c0d4d462dcac7860d6

SHA512
327af0163fbe59095fd7cfc7262b07849b0f3b5c7c636b5161d571d79694c007d18ba97e883934eaf01a5019d77518b885d1c850058b842623e85c68bf2db5d9

Download Submit
C:\Windows\System32\RtpImPQ.exe

Filesize
1.1MB

MD5
8cab418f0a3cd71bcbc423bceb94da8f

SHA1
2dee87b0d7b1dfcceba98adbbf7648771dbe3ab5

SHA256
b413c13ef21f91276c453d50df92dd5c7c6c79ee95eb2f372ed027831308965a

SHA512
5c3ddb220a6a3fd5dafddbfd39d9becf1f7643bfb55f87da875366bab4e17c52be93deaec792403d425f2ec8331306d990e8f7d5e4d000fe4e08af265d72dd40

Download Submit
C:\Windows\System32\UjzhtSI.exe

Filesize
1.1MB

MD5
b87fa94303c6c7de7c60cc60d7640c1b

SHA1
ebf428942608ce1f76629fdf975cd5160d8dedf1

SHA256
97bad3b6f59e7b48cdfe3314d67e894592c7f37038b544dc6f7f0bdd1e3883f0

SHA512
71fbd1046f9e541da4d9459d79997902de32426bf36ec603de718927832741f08e48e42400c45593be35756064d801a2daf49a7c4afe51d2f239a8815c69c6fd

Download Submit
C:\Windows\System32\YLQhhDY.exe

Filesize
1.1MB

MD5
64cc99d60c3a5eaf1a90b4175890ce4f

SHA1
eae7bc5b4705f48fa4d700e85070737cad134867

SHA256
864b80fd8a32c53ff1f710ae99d4bb3e67dc97ab77de0b590a8043a9fb5aba64

SHA512
e8b3331eee719c92a66b956a89c5cebea8beb8c91fee92a0fcfbab63bfebbf1dbc6694a7b0f2ca3b0bb7e861ac55724b4716fe9ab591182dbfb0ea74aad027d3

Download Submit
C:\Windows\System32\YoCHGbV.exe

Filesize
1.1MB

MD5
66e8c83236c82eb3d29c5f92b95b9c8c

SHA1
32144e6cf322938dd83b2ceb24f5c6db6329b495

SHA256
7f8ff531c6d5498b2a4c0be01e7088ef3f39476dcfc1d5c3b78d344698146855

SHA512
405c799c49ad7f8886a8fe1ac22190598a7d72842d14f5169709a9aaf93bf282a2bbe1b470f20ddd4438c797ea6029a5c2ce3bb3874c306211d10c996fae218b

Download Submit
C:\Windows\System32\bEtInMJ.exe

Filesize
1.1MB

MD5
864c6a21bf4b0079225292c69f9a04e3

SHA1
e6e7945209223679239105144b99f0498e6e2798

SHA256
9ed7b7a67757ad3148081a440bba00284202d1c8325204cb75cfc55ed6f8a318

SHA512
c4ba4d5f12a488ae03af4e41f84d44bea11d0d580a099424bf8534af5c6c9fb54966e1c44602cff036fe3999d81f50d12b0fe4d525dce4f9d93a6520922a5286

Download Submit
C:\Windows\System32\beyUKrA.exe

Filesize
1.1MB

MD5
b84c608c86075472b936f17f9bfe298d

SHA1
7d4696f9d10f5881f52457a88c0d1895f0a130c1

SHA256
6ffeb56d92f5db4fe719fc1eea6936c28d5166dbdc1ee6fc2fe1d02b4c6c560a

SHA512
60710486bd9c73cda695e4d2ac142c1f66ae4f320b9a8dc0182fb60f800c2520681364306e52f867b45715b1a720dad4017df8ec18fd2ef6a0f3a98cff48640e

Download Submit
C:\Windows\System32\cZTXQWK.exe

Filesize
1.1MB

MD5
0add616d0a7329be1aee5f92ed306c50

SHA1
cd3fc2683b5bd5207b0f44ff619bb54bd33a3a34

SHA256
fa4207d8f9692769d20b36f55e2d4d908bf03fa717ec8db859b687371069906b

SHA512
bd734423b51cc635cca7dfdafbb317a7811c815d2a6023a6472e1f808d0234b01d2d152e8ffced7928261e0e8fe728534ac06f849889f40c96620f8a77426fad

Download Submit
C:\Windows\System32\eIccckB.exe

Filesize
1.1MB

MD5
3cf0fb0e60ca6cf1ab950351afd05a79

SHA1
e52dec1105ae4777450590f000ea3641ab143cd9

SHA256
2d6546095222d8f342d1751ed3aa118c3cac6b7834ecba6e8054446ebbaa5772

SHA512
915f197243904477d3e3a963232ab93e8bdde5a7a48a309f287ecc76d986db32907da200ccbbd2297dbd992b4858e0b4bd30136a47628afea9da5761cebf2b96

Download Submit
C:\Windows\System32\gHXOIek.exe

Filesize
1.1MB

MD5
3efef4686529e2aa80576ffb5943233d

SHA1
274cf5b2653734d07ecb1356dce7a47b041e7cf2

SHA256
3725a40490f849e7cb450e8bfb3890807ec17d51884ea9ceaee053deb3cebcf7

SHA512
478d7c9f7d1a755107b6b6d1aa8e3ce0aa074f483d6607223a1228930526c1ebd03305bda01854e7394ee07eea9dad5efb9cb620cb3ebbf3741c1c1804b4b2f5

Download Submit
C:\Windows\System32\geDwBzo.exe

Filesize
1.1MB

MD5
23ae7dc95d5dd8fa584bc64bfce58a4a

SHA1
e985a8672b5b8d55b416d4c3e82fc8cca871374c

SHA256
593455f14ea17fd315cc1c3931b57135c1888f88ab0951306bdac97c88c46534

SHA512
93843f718c08663655075ce564c260326cc32fc5054ba9689fb70a07e0db649d5dda7178fe0fa0b76161e316eafd4919977cdee5a5c66f8f45adfcb14d32396b

Download Submit
C:\Windows\System32\hEBeJVY.exe

Filesize
1.1MB

MD5
5320bae92806101beaabbdf2a144c58e

SHA1
28230a1dcf802757856b25b012422967704f9d89

SHA256
97e0d82375ede8fa4e08627049136de13a6dbec8588c68e5fca7429ca4392a40

SHA512
173123be08ec1f601d49985a0638a800d0ae4291be25d9b0f597bfb2fd20a31f42b09879e83c88616e93e96463e087231513c24c3be13c1253604e7e2df2a85b

Download Submit
C:\Windows\System32\qZuaPCO.exe

Filesize
1.1MB

MD5
490e2b49d055a729604dc2d9607e3354

SHA1
03e8577d2ae96737f53c81cb21f7af89bd400b83

SHA256
27ec038229bdbe2abf2ff3b8bf270971fe64960413d40c0bcc5a8c192ae766cc

SHA512
63530eb0666973896f87f5ed34fa33fa900399275418be410f36e70ee2e4fdc48edbc7be200110f69dd05d5a94eecf22ccd8a5812cbf22b3e3a664204d94698a

Download Submit
C:\Windows\System32\tulgWCk.exe

Filesize
1.1MB

MD5
844b040240731d355f10d16dd1163ce1

SHA1
ffe1322ea3726bb1b5f53ef02527e03228692e33

SHA256
5d687d9d4c40c4a4032939bc40440fa8851ab501fa3b0c9edcc5db249f8db2de

SHA512
089633dac8370c322edf7984ac5e6f74cc5e836c603b0a689710260f8e793318660be4bd5137328450c8cd34fce849f062babd0314eef33609f6f03535a0cf30

Download Submit
C:\Windows\System32\vtPpjhv.exe

Filesize
1.1MB

MD5
e57fa09dcd7eddb547a2be3fffd3c406

SHA1
05b744a5213b1b5e7f579b5b44c03da794291f4b

SHA256
bcbdb724c679ecfdd4bb70cbf5cacfe2b672e1c2c039adf26755a2720c49672e

SHA512
869569db276c2eea6302a2aff747629af687d27f6b3471f7158fa1a4de8f2440023490b7eb3ef11641d40e7d5dafddd53acdd8dccf154061f843a1ab06f01382

Download Submit
C:\Windows\System32\wHydsPv.exe

Filesize
1.1MB

MD5
460e111a6bf7ffb6eb5949e6cd053d6a

SHA1
ae9af9b29a61104c4bba6d22e37a4bcfc28e647f

SHA256
704a0637e3ceebcad9ddb54e9bca913b23c7a6720c2b2e3bc08ed99a77be0b4e

SHA512
fa7fc2e88907fc966c006462d2daf04dbccf61c500057a302ca96c22d82e46417fa7bebc1d99d0cda6aaba5e06787cb80c03b5dbb56808d96642c0ecf3e30c08

Download Submit
C:\Windows\System32\wcVlhtb.exe

Filesize
1.1MB

MD5
414b4d103241d66d540195a4670a14ee

SHA1
453ffd1178a23f2e080df18e5da32c376936d68b

SHA256
f23480a367eeef86f46fa032a579febf5c582f3a6705a8bafb405f193f1bf754

SHA512
74e155f1712a1f2444a5bb507f63afaac26728544ed19c869587eb34b6d2d5918f1bf7e39617c815f9da5b88edcd58d17e6e1b2e369737f84feaec6d51ee12f7

Download Submit
C:\Windows\System32\wfGPfBv.exe

Filesize
1.1MB

MD5
474476b2df41b968e030b9b88309f46d

SHA1
e86ce33c6417adfec760356267a1716244b81998

SHA256
41813406f27dcba4a39b8e13f9269996af1c19efacb076878f0e9e4d5843bea2

SHA512
f8185a8509b455b31f8cb5ab262b0777068b1aee2878b491176fee7ac93d8d35b7a53f5d2d7dad35bba8f74b391541d477bd66a4747a2b0dae1886edcc2e8340

Download Submit
C:\Windows\System32\xeUgRdX.exe

Filesize
1.1MB

MD5
f20a23ac6968902e45b71ca1bad86b2f

SHA1
9f6eac43212437930f4f597a0f0815ea44f1fea3

SHA256
c40464b331489c4fbfbf1992d2d981a137c45bb4b69f082f38c1fad7b71aeda0

SHA512
cc391a52d24a58b584d3d8ffe8786344c600edfde382ca818995580057410157b45707eeeea4dc2cc9dcfa48870eb527806bb972c2a537099640a1fae7a1fa1f

Download Submit
C:\Windows\System32\zkjcskX.exe

Filesize
1.1MB

MD5
47e88babf484266a398b586a06bfbe9a

SHA1
f1623ef931299455971314674257760f60ae7b8c

SHA256
d6ab9ca5df8178e56631990943c04428beb2c803de36a1d039fd9d6416181e49

SHA512
0ac86824925cddbc777fae2124859fecbf1a2a40f5c53217864319eb20915b47a8e40c74b3cc9c97ed723317b97e9722a66ee8c380b792d6ab6f2b770544e372

Download Submit
memory/212-308-0x00007FF7DD280000-0x00007FF7DD671000-memory.dmp

Filesize
3.9MB

Download
memory/212-2044-0x00007FF7DD280000-0x00007FF7DD671000-memory.dmp

Filesize
3.9MB

Download
memory/768-316-0x00007FF797080000-0x00007FF797471000-memory.dmp

Filesize
3.9MB

Download
memory/768-2042-0x00007FF797080000-0x00007FF797471000-memory.dmp

Filesize
3.9MB

Download
memory/1092-2018-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp

Filesize
3.9MB

Download
memory/1092-403-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp

Filesize
3.9MB

Download
memory/1164-2024-0x00007FF6FDC20000-0x00007FF6FE011000-memory.dmp

Filesize
3.9MB

Download
memory/1164-251-0x00007FF6FDC20000-0x00007FF6FE011000-memory.dmp

Filesize
3.9MB

Download
memory/1344-2054-0x00007FF7BFAD0000-0x00007FF7BFEC1000-memory.dmp

Filesize
3.9MB

Download
memory/1344-356-0x00007FF7BFAD0000-0x00007FF7BFEC1000-memory.dmp

Filesize
3.9MB

Download
memory/1392-12-0x00007FF7A3600000-0x00007FF7A39F1000-memory.dmp

Filesize
3.9MB

Download
memory/1392-2016-0x00007FF7A3600000-0x00007FF7A39F1000-memory.dmp

Filesize
3.9MB

Download
memory/1412-384-0x00007FF7B17D0000-0x00007FF7B1BC1000-memory.dmp

Filesize
3.9MB

Download
memory/1412-2062-0x00007FF7B17D0000-0x00007FF7B1BC1000-memory.dmp

Filesize
3.9MB

Download
memory/1528-416-0x00007FF7D87D0000-0x00007FF7D8BC1000-memory.dmp

Filesize
3.9MB

Download
memory/1528-2040-0x00007FF7D87D0000-0x00007FF7D8BC1000-memory.dmp

Filesize
3.9MB

Download
memory/1820-2060-0x00007FF7608D0000-0x00007FF760CC1000-memory.dmp

Filesize
3.9MB

Download
memory/1820-379-0x00007FF7608D0000-0x00007FF760CC1000-memory.dmp

Filesize
3.9MB

Download
memory/1892-335-0x00007FF7B1B10000-0x00007FF7B1F01000-memory.dmp

Filesize
3.9MB

Download
memory/1892-2048-0x00007FF7B1B10000-0x00007FF7B1F01000-memory.dmp

Filesize
3.9MB

Download
memory/1964-2050-0x00007FF75E900000-0x00007FF75ECF1000-memory.dmp

Filesize
3.9MB

Download
memory/1964-336-0x00007FF75E900000-0x00007FF75ECF1000-memory.dmp

Filesize
3.9MB

Download
memory/1968-2058-0x00007FF6FE850000-0x00007FF6FEC41000-memory.dmp

Filesize
3.9MB

Download
memory/1968-371-0x00007FF6FE850000-0x00007FF6FEC41000-memory.dmp

Filesize
3.9MB

Download
memory/2016-2033-0x00007FF650070000-0x00007FF650461000-memory.dmp

Filesize
3.9MB

Download
memory/2016-278-0x00007FF650070000-0x00007FF650461000-memory.dmp

Filesize
3.9MB

Download
memory/2208-1-0x000001E3BF8E0000-0x000001E3BF8F0000-memory.dmp

Filesize
64KB

Download
memory/2208-0-0x00007FF606910000-0x00007FF606D01000-memory.dmp

Filesize
3.9MB

Download
memory/2452-349-0x00007FF71CEF0000-0x00007FF71D2E1000-memory.dmp

Filesize
3.9MB

Download
memory/2452-2052-0x00007FF71CEF0000-0x00007FF71D2E1000-memory.dmp

Filesize
3.9MB

Download
memory/2868-2056-0x00007FF791D30000-0x00007FF792121000-memory.dmp

Filesize
3.9MB

Download
memory/2868-360-0x00007FF791D30000-0x00007FF792121000-memory.dmp

Filesize
3.9MB

Download
memory/2896-2026-0x00007FF7CF2A0000-0x00007FF7CF691000-memory.dmp

Filesize
3.9MB

Download
memory/2896-257-0x00007FF7CF2A0000-0x00007FF7CF691000-memory.dmp

Filesize
3.9MB

Download
memory/2904-2020-0x00007FF65BB90000-0x00007FF65BF81000-memory.dmp

Filesize
3.9MB

Download
memory/2904-2009-0x00007FF65BB90000-0x00007FF65BF81000-memory.dmp

Filesize
3.9MB

Download
memory/2904-36-0x00007FF65BB90000-0x00007FF65BF81000-memory.dmp

Filesize
3.9MB

Download
memory/2996-332-0x00007FF7E99A0000-0x00007FF7E9D91000-memory.dmp

Filesize
3.9MB

Download
memory/2996-2046-0x00007FF7E99A0000-0x00007FF7E9D91000-memory.dmp

Filesize
3.9MB

Download
memory/3092-408-0x00007FF732200000-0x00007FF7325F1000-memory.dmp

Filesize
3.9MB

Download
memory/3092-2022-0x00007FF732200000-0x00007FF7325F1000-memory.dmp

Filesize
3.9MB

Download
memory/3356-2028-0x00007FF62DCE0000-0x00007FF62E0D1000-memory.dmp

Filesize
3.9MB

Download
memory/3356-259-0x00007FF62DCE0000-0x00007FF62E0D1000-memory.dmp

Filesize
3.9MB

Download
memory/3636-286-0x00007FF680300000-0x00007FF6806F1000-memory.dmp

Filesize
3.9MB

Download
memory/3636-2034-0x00007FF680300000-0x00007FF6806F1000-memory.dmp

Filesize
3.9MB

Download
memory/4176-274-0x00007FF74AB40000-0x00007FF74AF31000-memory.dmp

Filesize
3.9MB

Download
memory/4176-2036-0x00007FF74AB40000-0x00007FF74AF31000-memory.dmp

Filesize
3.9MB

Download
memory/4408-287-0x00007FF792C30000-0x00007FF793021000-memory.dmp

Filesize
3.9MB

Download
memory/4408-2038-0x00007FF792C30000-0x00007FF793021000-memory.dmp

Filesize
3.9MB

Download
memory/4980-261-0x00007FF7047B0000-0x00007FF704BA1000-memory.dmp

Filesize
3.9MB

Download
memory/4980-2030-0x00007FF7047B0000-0x00007FF704BA1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads