xmrig | 76d093fb5990868386e6718b1cab2d15588b615b7ad606efd1b11d6a3769d2d6

Analysis

max time kernel
146s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
Size

1.3MB
MD5

074a90d116ca5c282577406c6bc5c445
SHA1

d76691f7fe76d4b4db1775a4fcc731383ebe5b69
SHA256

76d093fb5990868386e6718b1cab2d15588b615b7ad606efd1b11d6a3769d2d6
SHA512

af819266ac26e25c0ba4b8da6ca1e4104bfef1a3fd6a3710225199d5aadc06dd530614e72508e3e56ba95876b79dbc793f91b1319acef14d90aa8703b6271b87
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOBBnm19+:knw9oUUEEDlGUh+hNBBE9+

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/944-26-0x00007FF628030000-0x00007FF628421000-memory.dmp	xmrig
behavioral2/memory/4372-68-0x00007FF6A7590000-0x00007FF6A7981000-memory.dmp	xmrig
behavioral2/memory/740-78-0x00007FF680240000-0x00007FF680631000-memory.dmp	xmrig
behavioral2/memory/4640-91-0x00007FF78DD60000-0x00007FF78E151000-memory.dmp	xmrig
behavioral2/memory/3028-95-0x00007FF7C1380000-0x00007FF7C1771000-memory.dmp	xmrig
behavioral2/memory/3684-495-0x00007FF7FE750000-0x00007FF7FEB41000-memory.dmp	xmrig
behavioral2/memory/2516-496-0x00007FF742A70000-0x00007FF742E61000-memory.dmp	xmrig
behavioral2/memory/2132-510-0x00007FF7B29E0000-0x00007FF7B2DD1000-memory.dmp	xmrig
behavioral2/memory/4984-518-0x00007FF612370000-0x00007FF612761000-memory.dmp	xmrig
behavioral2/memory/2372-506-0x00007FF76BE90000-0x00007FF76C281000-memory.dmp	xmrig
behavioral2/memory/2948-106-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp	xmrig
behavioral2/memory/2296-103-0x00007FF7A8900000-0x00007FF7A8CF1000-memory.dmp	xmrig
behavioral2/memory/2596-99-0x00007FF644100000-0x00007FF6444F1000-memory.dmp	xmrig
behavioral2/memory/1480-96-0x00007FF7A7F20000-0x00007FF7A8311000-memory.dmp	xmrig
behavioral2/memory/1628-90-0x00007FF7F8B20000-0x00007FF7F8F11000-memory.dmp	xmrig
behavioral2/memory/2244-85-0x00007FF6CA890000-0x00007FF6CAC81000-memory.dmp	xmrig
behavioral2/memory/2068-82-0x00007FF6DE430000-0x00007FF6DE821000-memory.dmp	xmrig
behavioral2/memory/116-1212-0x00007FF760070000-0x00007FF760461000-memory.dmp	xmrig
behavioral2/memory/3584-1704-0x00007FF7C1730000-0x00007FF7C1B21000-memory.dmp	xmrig
behavioral2/memory/1204-1965-0x00007FF788AC0000-0x00007FF788EB1000-memory.dmp	xmrig
behavioral2/memory/1628-1966-0x00007FF7F8B20000-0x00007FF7F8F11000-memory.dmp	xmrig
behavioral2/memory/1912-1967-0x00007FF657380000-0x00007FF657771000-memory.dmp	xmrig
behavioral2/memory/2596-1968-0x00007FF644100000-0x00007FF6444F1000-memory.dmp	xmrig
behavioral2/memory/3712-1975-0x00007FF6B5EF0000-0x00007FF6B62E1000-memory.dmp	xmrig
behavioral2/memory/116-2003-0x00007FF760070000-0x00007FF760461000-memory.dmp	xmrig
behavioral2/memory/2168-2005-0x00007FF6972E0000-0x00007FF6976D1000-memory.dmp	xmrig
behavioral2/memory/3584-2009-0x00007FF7C1730000-0x00007FF7C1B21000-memory.dmp	xmrig
behavioral2/memory/2880-2011-0x00007FF72A420000-0x00007FF72A811000-memory.dmp	xmrig
behavioral2/memory/3480-2020-0x00007FF738FC0000-0x00007FF7393B1000-memory.dmp	xmrig
behavioral2/memory/944-2018-0x00007FF628030000-0x00007FF628421000-memory.dmp	xmrig
behavioral2/memory/1204-2022-0x00007FF788AC0000-0x00007FF788EB1000-memory.dmp	xmrig
behavioral2/memory/1912-2024-0x00007FF657380000-0x00007FF657771000-memory.dmp	xmrig
behavioral2/memory/1480-2032-0x00007FF7A7F20000-0x00007FF7A8311000-memory.dmp	xmrig
behavioral2/memory/4640-2034-0x00007FF78DD60000-0x00007FF78E151000-memory.dmp	xmrig
behavioral2/memory/2068-2038-0x00007FF6DE430000-0x00007FF6DE821000-memory.dmp	xmrig
behavioral2/memory/1628-2040-0x00007FF7F8B20000-0x00007FF7F8F11000-memory.dmp	xmrig
behavioral2/memory/2244-2036-0x00007FF6CA890000-0x00007FF6CAC81000-memory.dmp	xmrig
behavioral2/memory/740-2030-0x00007FF680240000-0x00007FF680631000-memory.dmp	xmrig
behavioral2/memory/4372-2028-0x00007FF6A7590000-0x00007FF6A7981000-memory.dmp	xmrig
behavioral2/memory/3028-2026-0x00007FF7C1380000-0x00007FF7C1771000-memory.dmp	xmrig
behavioral2/memory/2948-2056-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp	xmrig
behavioral2/memory/2296-2058-0x00007FF7A8900000-0x00007FF7A8CF1000-memory.dmp	xmrig
behavioral2/memory/3712-2054-0x00007FF6B5EF0000-0x00007FF6B62E1000-memory.dmp	xmrig
behavioral2/memory/2168-2052-0x00007FF6972E0000-0x00007FF6976D1000-memory.dmp	xmrig
behavioral2/memory/3684-2051-0x00007FF7FE750000-0x00007FF7FEB41000-memory.dmp	xmrig
behavioral2/memory/2516-2048-0x00007FF742A70000-0x00007FF742E61000-memory.dmp	xmrig
behavioral2/memory/2132-2046-0x00007FF7B29E0000-0x00007FF7B2DD1000-memory.dmp	xmrig
behavioral2/memory/2372-2045-0x00007FF76BE90000-0x00007FF76C281000-memory.dmp	xmrig
behavioral2/memory/4984-2042-0x00007FF612370000-0x00007FF612761000-memory.dmp	xmrig
behavioral2/memory/2596-2204-0x00007FF644100000-0x00007FF6444F1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3584	bZoUnkI.exe
2880	HOJyiLm.exe
3480	gppfswL.exe
944	rVulzbl.exe
1204	TSUJwZE.exe
3028	iQCYmBu.exe
1912	uEAEGbF.exe
4372	SPjZuXI.exe
1480	COIInuR.exe
740	rfaRCqh.exe
2068	AWKvbwB.exe
2244	ZUirXLp.exe
1628	uAmwjWa.exe
4640	tetHzlc.exe
2596	lMPJstO.exe
2296	fozvcUo.exe
2948	ihtqQiM.exe
3712	duluJCx.exe
2168	kPYGCLd.exe
3684	WAtwgpa.exe
2516	HruJgAb.exe
2372	PnLImfh.exe
2132	rTAfXYz.exe
4984	PBprzLu.exe
4604	wbHXdlX.exe
2872	DTvjZnv.exe
2136	FevWyHp.exe
2080	lDazdDV.exe
2964	bRcuVZX.exe
4572	hgaYgSa.exe
2308	NzfqyWP.exe
2960	FLwgupP.exe
3212	MGoeGMQ.exe
4772	YsPMbzH.exe
4992	sOpelDJ.exe
3564	EqUYxFa.exe
2940	RqlFGWb.exe
3660	iOBqmXj.exe
5092	vmvtvCM.exe
1740	WNMCVSM.exe
3260	YlYntkJ.exe
2304	gWncwCc.exe
3180	ilNKXiR.exe
1080	BqFkXbi.exe
4840	RCqIjYx.exe
2732	NXMfWCE.exe
3112	FYkkXvW.exe
3764	DUGEevX.exe
1776	TWxkpSA.exe
3628	vDtedqh.exe
4236	eZLVjju.exe
1608	oBEvopv.exe
3292	pgOkAoo.exe
4708	CdqqvdW.exe
4448	BXkeDFa.exe
3080	MjWWZCt.exe
1760	RaiCwwl.exe
3052	HeOEIfz.exe
3248	etULXWG.exe
4780	AFnTYcr.exe
4120	TzPIHnN.exe
1860	dYFXItq.exe
1600	VHghWcS.exe
804	SdCxmWE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-0-0x00007FF760070000-0x00007FF760461000-memory.dmp	upx
behavioral2/files/0x000c000000023b4c-5.dat	upx
behavioral2/files/0x000a000000023ba7-7.dat	upx
behavioral2/files/0x000a000000023ba8-23.dat	upx
behavioral2/memory/944-26-0x00007FF628030000-0x00007FF628421000-memory.dmp	upx
behavioral2/memory/3480-17-0x00007FF738FC0000-0x00007FF7393B1000-memory.dmp	upx
behavioral2/files/0x000b000000023ba6-16.dat	upx
behavioral2/memory/2880-15-0x00007FF72A420000-0x00007FF72A811000-memory.dmp	upx
behavioral2/memory/3584-8-0x00007FF7C1730000-0x00007FF7C1B21000-memory.dmp	upx
behavioral2/files/0x000b000000023ba4-36.dat	upx
behavioral2/files/0x000a000000023ba9-29.dat	upx
behavioral2/files/0x000a000000023baa-34.dat	upx
behavioral2/files/0x000a000000023bac-52.dat	upx
behavioral2/files/0x000a000000023bab-46.dat	upx
behavioral2/memory/1204-39-0x00007FF788AC0000-0x00007FF788EB1000-memory.dmp	upx
behavioral2/memory/1912-48-0x00007FF657380000-0x00007FF657771000-memory.dmp	upx
behavioral2/files/0x000a000000023baf-61.dat	upx
behavioral2/files/0x000a000000023bae-60.dat	upx
behavioral2/memory/4372-68-0x00007FF6A7590000-0x00007FF6A7981000-memory.dmp	upx
behavioral2/memory/740-78-0x00007FF680240000-0x00007FF680631000-memory.dmp	upx
behavioral2/files/0x000a000000023bb0-83.dat	upx
behavioral2/files/0x000a000000023bb3-88.dat	upx
behavioral2/memory/4640-91-0x00007FF78DD60000-0x00007FF78E151000-memory.dmp	upx
behavioral2/memory/3028-95-0x00007FF7C1380000-0x00007FF7C1771000-memory.dmp	upx
behavioral2/files/0x000a000000023bb4-100.dat	upx
behavioral2/files/0x000a000000023bb5-104.dat	upx
behavioral2/files/0x000a000000023bb7-117.dat	upx
behavioral2/files/0x000a000000023bb9-129.dat	upx
behavioral2/files/0x000a000000023bbb-139.dat	upx
behavioral2/files/0x000a000000023bc1-167.dat	upx
behavioral2/memory/3684-495-0x00007FF7FE750000-0x00007FF7FEB41000-memory.dmp	upx
behavioral2/memory/2516-496-0x00007FF742A70000-0x00007FF742E61000-memory.dmp	upx
behavioral2/memory/2132-510-0x00007FF7B29E0000-0x00007FF7B2DD1000-memory.dmp	upx
behavioral2/memory/4984-518-0x00007FF612370000-0x00007FF612761000-memory.dmp	upx
behavioral2/memory/2372-506-0x00007FF76BE90000-0x00007FF76C281000-memory.dmp	upx
behavioral2/files/0x000a000000023bc3-180.dat	upx
behavioral2/files/0x000a000000023bc2-175.dat	upx
behavioral2/files/0x000a000000023bc0-164.dat	upx
behavioral2/files/0x0031000000023bbf-160.dat	upx
behavioral2/files/0x0031000000023bbe-154.dat	upx
behavioral2/files/0x0031000000023bbd-149.dat	upx
behavioral2/files/0x000a000000023bbc-144.dat	upx
behavioral2/files/0x000a000000023bba-135.dat	upx
behavioral2/files/0x000a000000023bb8-124.dat	upx
behavioral2/files/0x000a000000023bb6-115.dat	upx
behavioral2/memory/2168-113-0x00007FF6972E0000-0x00007FF6976D1000-memory.dmp	upx
behavioral2/memory/3712-108-0x00007FF6B5EF0000-0x00007FF6B62E1000-memory.dmp	upx
behavioral2/memory/2948-106-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp	upx
behavioral2/memory/2296-103-0x00007FF7A8900000-0x00007FF7A8CF1000-memory.dmp	upx
behavioral2/memory/2596-99-0x00007FF644100000-0x00007FF6444F1000-memory.dmp	upx
behavioral2/memory/1480-96-0x00007FF7A7F20000-0x00007FF7A8311000-memory.dmp	upx
behavioral2/memory/1628-90-0x00007FF7F8B20000-0x00007FF7F8F11000-memory.dmp	upx
behavioral2/files/0x000a000000023bb2-86.dat	upx
behavioral2/memory/2244-85-0x00007FF6CA890000-0x00007FF6CAC81000-memory.dmp	upx
behavioral2/memory/2068-82-0x00007FF6DE430000-0x00007FF6DE821000-memory.dmp	upx
behavioral2/files/0x000a000000023bb1-75.dat	upx
behavioral2/files/0x000a000000023bad-63.dat	upx
behavioral2/memory/116-1212-0x00007FF760070000-0x00007FF760461000-memory.dmp	upx
behavioral2/memory/3584-1704-0x00007FF7C1730000-0x00007FF7C1B21000-memory.dmp	upx
behavioral2/memory/1204-1965-0x00007FF788AC0000-0x00007FF788EB1000-memory.dmp	upx
behavioral2/memory/1628-1966-0x00007FF7F8B20000-0x00007FF7F8F11000-memory.dmp	upx
behavioral2/memory/1912-1967-0x00007FF657380000-0x00007FF657771000-memory.dmp	upx
behavioral2/memory/2596-1968-0x00007FF644100000-0x00007FF6444F1000-memory.dmp	upx
behavioral2/memory/3712-1975-0x00007FF6B5EF0000-0x00007FF6B62E1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\AWgHUoU.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\QgDztVF.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\pwIRMpw.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\hcsxXUM.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\BXkeDFa.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\CYMxlSE.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\weYXSGi.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\bpFyxBl.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\YGvXgaq.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\qrisFIc.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\jCDxRPA.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\ciKdkEP.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\gWncwCc.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\ufTNZxC.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\gIftpRG.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\CnjwqCy.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\rSTyOmC.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\iOBqmXj.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\etULXWG.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\TvAFBgo.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\ExMTKOr.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\OtRzHJE.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\uuQbFYN.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\DqdQdxt.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\tMpkoqW.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\GeBqMRk.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\GOStsFs.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\hLmylNa.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\vhWuXIL.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\WkxRmYb.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\ETKfdpi.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\bQruPgg.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\bnVqVnc.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\EAWjWPO.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\JrYFqAy.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\jWjDvKm.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\yzOaRUM.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\TDJXyOb.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\nkwUJmI.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\VcSjHjt.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\wYDgZcc.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\HHKKcnn.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\aILMGRv.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\IVgmfNK.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\TWZSUpk.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\tEkGvWd.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\dFZyPIZ.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\dbFiTCj.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\fxiWYvq.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\FmCqTjK.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\NXMfWCE.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\fvAQVhY.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\yhBcrQv.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\BWcfLFx.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\kZEKKWr.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\eXUEtxa.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\rQrjZyO.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\gppfswL.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\tetHzlc.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\iRxJJuU.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\FjwOLZJ.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\bcrnSuZ.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\wMqVbXv.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
File created	C:\Windows\System32\ekHHdms.exe	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2000	dwm.exe
Token: SeChangeNotifyPrivilege	2000	dwm.exe
Token: 33	2000	dwm.exe
Token: SeIncBasePriorityPrivilege	2000	dwm.exe
Token: SeShutdownPrivilege	2000	dwm.exe
Token: SeCreatePagefilePrivilege	2000	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 3584	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	85
PID 116 wrote to memory of 3584	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	85
PID 116 wrote to memory of 2880	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	86
PID 116 wrote to memory of 2880	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	86
PID 116 wrote to memory of 3480	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	87
PID 116 wrote to memory of 3480	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	87
PID 116 wrote to memory of 944	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	88
PID 116 wrote to memory of 944	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	88
PID 116 wrote to memory of 1204	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	89
PID 116 wrote to memory of 1204	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	89
PID 116 wrote to memory of 3028	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	90
PID 116 wrote to memory of 3028	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	90
PID 116 wrote to memory of 1912	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	91
PID 116 wrote to memory of 1912	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	91
PID 116 wrote to memory of 4372	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	92
PID 116 wrote to memory of 4372	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	92
PID 116 wrote to memory of 1480	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	93
PID 116 wrote to memory of 1480	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	93
PID 116 wrote to memory of 740	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	94
PID 116 wrote to memory of 740	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	94
PID 116 wrote to memory of 2068	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	95
PID 116 wrote to memory of 2068	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	95
PID 116 wrote to memory of 2244	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	96
PID 116 wrote to memory of 2244	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	96
PID 116 wrote to memory of 1628	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	97
PID 116 wrote to memory of 1628	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	97
PID 116 wrote to memory of 4640	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	98
PID 116 wrote to memory of 4640	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	98
PID 116 wrote to memory of 2596	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	99
PID 116 wrote to memory of 2596	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	99
PID 116 wrote to memory of 2296	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	100
PID 116 wrote to memory of 2296	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	100
PID 116 wrote to memory of 2948	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	101
PID 116 wrote to memory of 2948	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	101
PID 116 wrote to memory of 3712	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	102
PID 116 wrote to memory of 3712	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	102
PID 116 wrote to memory of 2168	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	103
PID 116 wrote to memory of 2168	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	103
PID 116 wrote to memory of 3684	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	104
PID 116 wrote to memory of 3684	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	104
PID 116 wrote to memory of 2516	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	105
PID 116 wrote to memory of 2516	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	105
PID 116 wrote to memory of 2372	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	106
PID 116 wrote to memory of 2372	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	106
PID 116 wrote to memory of 2132	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	107
PID 116 wrote to memory of 2132	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	107
PID 116 wrote to memory of 4984	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	108
PID 116 wrote to memory of 4984	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	108
PID 116 wrote to memory of 4604	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	109
PID 116 wrote to memory of 4604	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	109
PID 116 wrote to memory of 2872	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	110
PID 116 wrote to memory of 2872	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	110
PID 116 wrote to memory of 2136	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	111
PID 116 wrote to memory of 2136	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	111
PID 116 wrote to memory of 2080	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	112
PID 116 wrote to memory of 2080	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	112
PID 116 wrote to memory of 2964	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	113
PID 116 wrote to memory of 2964	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	113
PID 116 wrote to memory of 4572	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	114
PID 116 wrote to memory of 4572	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	114
PID 116 wrote to memory of 2308	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	115
PID 116 wrote to memory of 2308	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	115
PID 116 wrote to memory of 2960	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	116
PID 116 wrote to memory of 2960	116	074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\074a90d116ca5c282577406c6bc5c445_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\System32\bZoUnkI.exe
  C:\Windows\System32\bZoUnkI.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System32\HOJyiLm.exe
  C:\Windows\System32\HOJyiLm.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System32\gppfswL.exe
  C:\Windows\System32\gppfswL.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\rVulzbl.exe
  C:\Windows\System32\rVulzbl.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System32\TSUJwZE.exe
  C:\Windows\System32\TSUJwZE.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System32\iQCYmBu.exe
  C:\Windows\System32\iQCYmBu.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\uEAEGbF.exe
  C:\Windows\System32\uEAEGbF.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System32\SPjZuXI.exe
  C:\Windows\System32\SPjZuXI.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System32\COIInuR.exe
  C:\Windows\System32\COIInuR.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System32\rfaRCqh.exe
  C:\Windows\System32\rfaRCqh.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\AWKvbwB.exe
  C:\Windows\System32\AWKvbwB.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\ZUirXLp.exe
  C:\Windows\System32\ZUirXLp.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System32\uAmwjWa.exe
  C:\Windows\System32\uAmwjWa.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System32\tetHzlc.exe
  C:\Windows\System32\tetHzlc.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\lMPJstO.exe
  C:\Windows\System32\lMPJstO.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\fozvcUo.exe
  C:\Windows\System32\fozvcUo.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\ihtqQiM.exe
  C:\Windows\System32\ihtqQiM.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System32\duluJCx.exe
  C:\Windows\System32\duluJCx.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System32\kPYGCLd.exe
  C:\Windows\System32\kPYGCLd.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System32\WAtwgpa.exe
  C:\Windows\System32\WAtwgpa.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System32\HruJgAb.exe
  C:\Windows\System32\HruJgAb.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System32\PnLImfh.exe
  C:\Windows\System32\PnLImfh.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System32\rTAfXYz.exe
  C:\Windows\System32\rTAfXYz.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System32\PBprzLu.exe
  C:\Windows\System32\PBprzLu.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System32\wbHXdlX.exe
  C:\Windows\System32\wbHXdlX.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System32\DTvjZnv.exe
  C:\Windows\System32\DTvjZnv.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System32\FevWyHp.exe
  C:\Windows\System32\FevWyHp.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System32\lDazdDV.exe
  C:\Windows\System32\lDazdDV.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System32\bRcuVZX.exe
  C:\Windows\System32\bRcuVZX.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\hgaYgSa.exe
  C:\Windows\System32\hgaYgSa.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\NzfqyWP.exe
  C:\Windows\System32\NzfqyWP.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System32\FLwgupP.exe
  C:\Windows\System32\FLwgupP.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System32\MGoeGMQ.exe
  C:\Windows\System32\MGoeGMQ.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System32\YsPMbzH.exe
  C:\Windows\System32\YsPMbzH.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System32\sOpelDJ.exe
  C:\Windows\System32\sOpelDJ.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System32\EqUYxFa.exe
  C:\Windows\System32\EqUYxFa.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System32\RqlFGWb.exe
  C:\Windows\System32\RqlFGWb.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\iOBqmXj.exe
  C:\Windows\System32\iOBqmXj.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\vmvtvCM.exe
  C:\Windows\System32\vmvtvCM.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\WNMCVSM.exe
  C:\Windows\System32\WNMCVSM.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System32\YlYntkJ.exe
  C:\Windows\System32\YlYntkJ.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\gWncwCc.exe
  C:\Windows\System32\gWncwCc.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System32\ilNKXiR.exe
  C:\Windows\System32\ilNKXiR.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System32\BqFkXbi.exe
  C:\Windows\System32\BqFkXbi.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\RCqIjYx.exe
  C:\Windows\System32\RCqIjYx.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\NXMfWCE.exe
  C:\Windows\System32\NXMfWCE.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System32\FYkkXvW.exe
  C:\Windows\System32\FYkkXvW.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\DUGEevX.exe
  C:\Windows\System32\DUGEevX.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\TWxkpSA.exe
  C:\Windows\System32\TWxkpSA.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System32\vDtedqh.exe
  C:\Windows\System32\vDtedqh.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System32\eZLVjju.exe
  C:\Windows\System32\eZLVjju.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\oBEvopv.exe
  C:\Windows\System32\oBEvopv.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\pgOkAoo.exe
  C:\Windows\System32\pgOkAoo.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\CdqqvdW.exe
  C:\Windows\System32\CdqqvdW.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\BXkeDFa.exe
  C:\Windows\System32\BXkeDFa.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\MjWWZCt.exe
  C:\Windows\System32\MjWWZCt.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\RaiCwwl.exe
  C:\Windows\System32\RaiCwwl.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System32\HeOEIfz.exe
  C:\Windows\System32\HeOEIfz.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\etULXWG.exe
  C:\Windows\System32\etULXWG.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System32\AFnTYcr.exe
  C:\Windows\System32\AFnTYcr.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\TzPIHnN.exe
  C:\Windows\System32\TzPIHnN.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\dYFXItq.exe
  C:\Windows\System32\dYFXItq.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System32\VHghWcS.exe
  C:\Windows\System32\VHghWcS.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System32\SdCxmWE.exe
  C:\Windows\System32\SdCxmWE.exe
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\System32\XYCpVhs.exe
  C:\Windows\System32\XYCpVhs.exe
  2⤵
  PID:3476
- C:\Windows\System32\AmMLHJr.exe
  C:\Windows\System32\AmMLHJr.exe
  2⤵
  PID:5052
- C:\Windows\System32\vUkyFEx.exe
  C:\Windows\System32\vUkyFEx.exe
  2⤵
  PID:3644
- C:\Windows\System32\tfHjtpa.exe
  C:\Windows\System32\tfHjtpa.exe
  2⤵
  PID:660
- C:\Windows\System32\GixAhtG.exe
  C:\Windows\System32\GixAhtG.exe
  2⤵
  PID:4316
- C:\Windows\System32\iRxJJuU.exe
  C:\Windows\System32\iRxJJuU.exe
  2⤵
  PID:1500
- C:\Windows\System32\HvWtPtq.exe
  C:\Windows\System32\HvWtPtq.exe
  2⤵
  PID:3484
- C:\Windows\System32\cqbOIAB.exe
  C:\Windows\System32\cqbOIAB.exe
  2⤵
  PID:2936
- C:\Windows\System32\UpSGQAN.exe
  C:\Windows\System32\UpSGQAN.exe
  2⤵
  PID:4584
- C:\Windows\System32\VPNhtRm.exe
  C:\Windows\System32\VPNhtRm.exe
  2⤵
  PID:4928
- C:\Windows\System32\eXUEtxa.exe
  C:\Windows\System32\eXUEtxa.exe
  2⤵
  PID:1000
- C:\Windows\System32\pwYwRXZ.exe
  C:\Windows\System32\pwYwRXZ.exe
  2⤵
  PID:4852
- C:\Windows\System32\vJhEhHy.exe
  C:\Windows\System32\vJhEhHy.exe
  2⤵
  PID:2652
- C:\Windows\System32\fvAQVhY.exe
  C:\Windows\System32\fvAQVhY.exe
  2⤵
  PID:2876
- C:\Windows\System32\fAgBMdU.exe
  C:\Windows\System32\fAgBMdU.exe
  2⤵
  PID:4620
- C:\Windows\System32\HPZTAJJ.exe
  C:\Windows\System32\HPZTAJJ.exe
  2⤵
  PID:4740
- C:\Windows\System32\kiRATuq.exe
  C:\Windows\System32\kiRATuq.exe
  2⤵
  PID:4100
- C:\Windows\System32\fUcdVHR.exe
  C:\Windows\System32\fUcdVHR.exe
  2⤵
  PID:2592
- C:\Windows\System32\lGBeMPY.exe
  C:\Windows\System32\lGBeMPY.exe
  2⤵
  PID:3504
- C:\Windows\System32\EaCRtMG.exe
  C:\Windows\System32\EaCRtMG.exe
  2⤵
  PID:3804
- C:\Windows\System32\BgvNsTo.exe
  C:\Windows\System32\BgvNsTo.exe
  2⤵
  PID:4952
- C:\Windows\System32\VbsXyWg.exe
  C:\Windows\System32\VbsXyWg.exe
  2⤵
  PID:1852
- C:\Windows\System32\wAmmTFR.exe
  C:\Windows\System32\wAmmTFR.exe
  2⤵
  PID:2532
- C:\Windows\System32\JbGxEjq.exe
  C:\Windows\System32\JbGxEjq.exe
  2⤵
  PID:544
- C:\Windows\System32\iVRHpum.exe
  C:\Windows\System32\iVRHpum.exe
  2⤵
  PID:3576
- C:\Windows\System32\SCMSzdM.exe
  C:\Windows\System32\SCMSzdM.exe
  2⤵
  PID:5140
- C:\Windows\System32\QCfuIsq.exe
  C:\Windows\System32\QCfuIsq.exe
  2⤵
  PID:5172
- C:\Windows\System32\VxLBsLj.exe
  C:\Windows\System32\VxLBsLj.exe
  2⤵
  PID:5196
- C:\Windows\System32\kgwgZJb.exe
  C:\Windows\System32\kgwgZJb.exe
  2⤵
  PID:5220
- C:\Windows\System32\GkwcvRN.exe
  C:\Windows\System32\GkwcvRN.exe
  2⤵
  PID:5252
- C:\Windows\System32\tFqEqQm.exe
  C:\Windows\System32\tFqEqQm.exe
  2⤵
  PID:5280
- C:\Windows\System32\kUylMIu.exe
  C:\Windows\System32\kUylMIu.exe
  2⤵
  PID:5304
- C:\Windows\System32\WXcvrAY.exe
  C:\Windows\System32\WXcvrAY.exe
  2⤵
  PID:5336
- C:\Windows\System32\VzVaANd.exe
  C:\Windows\System32\VzVaANd.exe
  2⤵
  PID:5364
- C:\Windows\System32\loWLyKz.exe
  C:\Windows\System32\loWLyKz.exe
  2⤵
  PID:5392
- C:\Windows\System32\sisSyDC.exe
  C:\Windows\System32\sisSyDC.exe
  2⤵
  PID:5416
- C:\Windows\System32\lOYnGdT.exe
  C:\Windows\System32\lOYnGdT.exe
  2⤵
  PID:5448
- C:\Windows\System32\sqiEAfc.exe
  C:\Windows\System32\sqiEAfc.exe
  2⤵
  PID:5476
- C:\Windows\System32\MEpcSMO.exe
  C:\Windows\System32\MEpcSMO.exe
  2⤵
  PID:5504
- C:\Windows\System32\jjQoqjJ.exe
  C:\Windows\System32\jjQoqjJ.exe
  2⤵
  PID:5532
- C:\Windows\System32\GkvHguz.exe
  C:\Windows\System32\GkvHguz.exe
  2⤵
  PID:5556
- C:\Windows\System32\zaQswSX.exe
  C:\Windows\System32\zaQswSX.exe
  2⤵
  PID:5588
- C:\Windows\System32\pOZeLxo.exe
  C:\Windows\System32\pOZeLxo.exe
  2⤵
  PID:5616
- C:\Windows\System32\SZvXqIA.exe
  C:\Windows\System32\SZvXqIA.exe
  2⤵
  PID:5640
- C:\Windows\System32\sdhowda.exe
  C:\Windows\System32\sdhowda.exe
  2⤵
  PID:5672
- C:\Windows\System32\rQrjZyO.exe
  C:\Windows\System32\rQrjZyO.exe
  2⤵
  PID:5700
- C:\Windows\System32\JyzFWpM.exe
  C:\Windows\System32\JyzFWpM.exe
  2⤵
  PID:5724
- C:\Windows\System32\LwlDQim.exe
  C:\Windows\System32\LwlDQim.exe
  2⤵
  PID:5756
- C:\Windows\System32\nZwmGJN.exe
  C:\Windows\System32\nZwmGJN.exe
  2⤵
  PID:5788
- C:\Windows\System32\JdVKBfa.exe
  C:\Windows\System32\JdVKBfa.exe
  2⤵
  PID:5812
- C:\Windows\System32\mTEpxXG.exe
  C:\Windows\System32\mTEpxXG.exe
  2⤵
  PID:5840
- C:\Windows\System32\ARoAwqC.exe
  C:\Windows\System32\ARoAwqC.exe
  2⤵
  PID:5864
- C:\Windows\System32\wWloiET.exe
  C:\Windows\System32\wWloiET.exe
  2⤵
  PID:5896
- C:\Windows\System32\yLVxiTs.exe
  C:\Windows\System32\yLVxiTs.exe
  2⤵
  PID:5924
- C:\Windows\System32\VcSjHjt.exe
  C:\Windows\System32\VcSjHjt.exe
  2⤵
  PID:5948
- C:\Windows\System32\aYaSxSR.exe
  C:\Windows\System32\aYaSxSR.exe
  2⤵
  PID:5980
- C:\Windows\System32\rMZMYhR.exe
  C:\Windows\System32\rMZMYhR.exe
  2⤵
  PID:6008
- C:\Windows\System32\kCoTcnu.exe
  C:\Windows\System32\kCoTcnu.exe
  2⤵
  PID:6032
- C:\Windows\System32\vySeflR.exe
  C:\Windows\System32\vySeflR.exe
  2⤵
  PID:6064
- C:\Windows\System32\IjskVUf.exe
  C:\Windows\System32\IjskVUf.exe
  2⤵
  PID:6092
- C:\Windows\System32\XIfuULl.exe
  C:\Windows\System32\XIfuULl.exe
  2⤵
  PID:6120
- C:\Windows\System32\ufTNZxC.exe
  C:\Windows\System32\ufTNZxC.exe
  2⤵
  PID:1968
- C:\Windows\System32\LDFHtRJ.exe
  C:\Windows\System32\LDFHtRJ.exe
  2⤵
  PID:3224
- C:\Windows\System32\yXxdnee.exe
  C:\Windows\System32\yXxdnee.exe
  2⤵
  PID:2456
- C:\Windows\System32\nfRugEg.exe
  C:\Windows\System32\nfRugEg.exe
  2⤵
  PID:4108
- C:\Windows\System32\ogWaYDx.exe
  C:\Windows\System32\ogWaYDx.exe
  2⤵
  PID:5160
- C:\Windows\System32\HhJZGDY.exe
  C:\Windows\System32\HhJZGDY.exe
  2⤵
  PID:5216
- C:\Windows\System32\cpahahy.exe
  C:\Windows\System32\cpahahy.exe
  2⤵
  PID:5260
- C:\Windows\System32\GLJWjCG.exe
  C:\Windows\System32\GLJWjCG.exe
  2⤵
  PID:5352
- C:\Windows\System32\KzpnGss.exe
  C:\Windows\System32\KzpnGss.exe
  2⤵
  PID:5372
- C:\Windows\System32\dFZyPIZ.exe
  C:\Windows\System32\dFZyPIZ.exe
  2⤵
  PID:5464
- C:\Windows\System32\gIftpRG.exe
  C:\Windows\System32\gIftpRG.exe
  2⤵
  PID:5100
- C:\Windows\System32\foqxEHx.exe
  C:\Windows\System32\foqxEHx.exe
  2⤵
  PID:1696
- C:\Windows\System32\dlTQjrT.exe
  C:\Windows\System32\dlTQjrT.exe
  2⤵
  PID:2544
- C:\Windows\System32\qeNADGE.exe
  C:\Windows\System32\qeNADGE.exe
  2⤵
  PID:5692
- C:\Windows\System32\KjzFtFN.exe
  C:\Windows\System32\KjzFtFN.exe
  2⤵
  PID:5716
- C:\Windows\System32\SfQKWlf.exe
  C:\Windows\System32\SfQKWlf.exe
  2⤵
  PID:5732
- C:\Windows\System32\hHQDFyA.exe
  C:\Windows\System32\hHQDFyA.exe
  2⤵
  PID:5764
- C:\Windows\System32\dDqGaua.exe
  C:\Windows\System32\dDqGaua.exe
  2⤵
  PID:5804
- C:\Windows\System32\YcCJUxX.exe
  C:\Windows\System32\YcCJUxX.exe
  2⤵
  PID:2528
- C:\Windows\System32\BXGTzHm.exe
  C:\Windows\System32\BXGTzHm.exe
  2⤵
  PID:5848
- C:\Windows\System32\QwXWVwj.exe
  C:\Windows\System32\QwXWVwj.exe
  2⤵
  PID:5904
- C:\Windows\System32\YYRkevQ.exe
  C:\Windows\System32\YYRkevQ.exe
  2⤵
  PID:6100
- C:\Windows\System32\LrRSsks.exe
  C:\Windows\System32\LrRSsks.exe
  2⤵
  PID:1552
- C:\Windows\System32\YHLEQVa.exe
  C:\Windows\System32\YHLEQVa.exe
  2⤵
  PID:3844
- C:\Windows\System32\jWSuETR.exe
  C:\Windows\System32\jWSuETR.exe
  2⤵
  PID:5344
- C:\Windows\System32\gdwdsLq.exe
  C:\Windows\System32\gdwdsLq.exe
  2⤵
  PID:5408
- C:\Windows\System32\qbSyQrO.exe
  C:\Windows\System32\qbSyQrO.exe
  2⤵
  PID:1932
- C:\Windows\System32\XnAcOtz.exe
  C:\Windows\System32\XnAcOtz.exe
  2⤵
  PID:1580
- C:\Windows\System32\QfATCzK.exe
  C:\Windows\System32\QfATCzK.exe
  2⤵
  PID:4132
- C:\Windows\System32\ycVQxdI.exe
  C:\Windows\System32\ycVQxdI.exe
  2⤵
  PID:1660
- C:\Windows\System32\BbpdijI.exe
  C:\Windows\System32\BbpdijI.exe
  2⤵
  PID:1248
- C:\Windows\System32\jsjIGxz.exe
  C:\Windows\System32\jsjIGxz.exe
  2⤵
  PID:2276
- C:\Windows\System32\SSTtxef.exe
  C:\Windows\System32\SSTtxef.exe
  2⤵
  PID:1764
- C:\Windows\System32\eGaiEbk.exe
  C:\Windows\System32\eGaiEbk.exe
  2⤵
  PID:5820
- C:\Windows\System32\lWTYSGP.exe
  C:\Windows\System32\lWTYSGP.exe
  2⤵
  PID:6048
- C:\Windows\System32\AkuteZX.exe
  C:\Windows\System32\AkuteZX.exe
  2⤵
  PID:6140
- C:\Windows\System32\UHXvKjM.exe
  C:\Windows\System32\UHXvKjM.exe
  2⤵
  PID:5180
- C:\Windows\System32\hkzToBj.exe
  C:\Windows\System32\hkzToBj.exe
  2⤵
  PID:5524
- C:\Windows\System32\NNFJqFp.exe
  C:\Windows\System32\NNFJqFp.exe
  2⤵
  PID:5988
- C:\Windows\System32\eFNNOHR.exe
  C:\Windows\System32\eFNNOHR.exe
  2⤵
  PID:4256
- C:\Windows\System32\ORgfUAI.exe
  C:\Windows\System32\ORgfUAI.exe
  2⤵
  PID:6128
- C:\Windows\System32\yhBcrQv.exe
  C:\Windows\System32\yhBcrQv.exe
  2⤵
  PID:5320
- C:\Windows\System32\mMnxwTL.exe
  C:\Windows\System32\mMnxwTL.exe
  2⤵
  PID:6148
- C:\Windows\System32\ZKIQVSY.exe
  C:\Windows\System32\ZKIQVSY.exe
  2⤵
  PID:6168
- C:\Windows\System32\Exnyliv.exe
  C:\Windows\System32\Exnyliv.exe
  2⤵
  PID:6196
- C:\Windows\System32\qCbRroF.exe
  C:\Windows\System32\qCbRroF.exe
  2⤵
  PID:6272
- C:\Windows\System32\zYimLad.exe
  C:\Windows\System32\zYimLad.exe
  2⤵
  PID:6300
- C:\Windows\System32\OSDoGWb.exe
  C:\Windows\System32\OSDoGWb.exe
  2⤵
  PID:6320
- C:\Windows\System32\NrPAqgv.exe
  C:\Windows\System32\NrPAqgv.exe
  2⤵
  PID:6364
- C:\Windows\System32\FjwOLZJ.exe
  C:\Windows\System32\FjwOLZJ.exe
  2⤵
  PID:6408
- C:\Windows\System32\mmkFbsf.exe
  C:\Windows\System32\mmkFbsf.exe
  2⤵
  PID:6428
- C:\Windows\System32\jcoFZFt.exe
  C:\Windows\System32\jcoFZFt.exe
  2⤵
  PID:6452
- C:\Windows\System32\wYDgZcc.exe
  C:\Windows\System32\wYDgZcc.exe
  2⤵
  PID:6484
- C:\Windows\System32\IgMNXXz.exe
  C:\Windows\System32\IgMNXXz.exe
  2⤵
  PID:6512
- C:\Windows\System32\ZQpyWGQ.exe
  C:\Windows\System32\ZQpyWGQ.exe
  2⤵
  PID:6528
- C:\Windows\System32\lqSCkxL.exe
  C:\Windows\System32\lqSCkxL.exe
  2⤵
  PID:6568
- C:\Windows\System32\TAqVjHR.exe
  C:\Windows\System32\TAqVjHR.exe
  2⤵
  PID:6596
- C:\Windows\System32\CYMxlSE.exe
  C:\Windows\System32\CYMxlSE.exe
  2⤵
  PID:6620
- C:\Windows\System32\mbyAyxe.exe
  C:\Windows\System32\mbyAyxe.exe
  2⤵
  PID:6640
- C:\Windows\System32\MSoYuoA.exe
  C:\Windows\System32\MSoYuoA.exe
  2⤵
  PID:6676
- C:\Windows\System32\ywiQBbj.exe
  C:\Windows\System32\ywiQBbj.exe
  2⤵
  PID:6696
- C:\Windows\System32\pwywXwu.exe
  C:\Windows\System32\pwywXwu.exe
  2⤵
  PID:6732
- C:\Windows\System32\gsPCPFy.exe
  C:\Windows\System32\gsPCPFy.exe
  2⤵
  PID:6752
- C:\Windows\System32\VomoxHG.exe
  C:\Windows\System32\VomoxHG.exe
  2⤵
  PID:6768
- C:\Windows\System32\DafgLXy.exe
  C:\Windows\System32\DafgLXy.exe
  2⤵
  PID:6796
- C:\Windows\System32\BWcFzHT.exe
  C:\Windows\System32\BWcFzHT.exe
  2⤵
  PID:6820
- C:\Windows\System32\kSDfjOd.exe
  C:\Windows\System32\kSDfjOd.exe
  2⤵
  PID:6844
- C:\Windows\System32\WGVUKUr.exe
  C:\Windows\System32\WGVUKUr.exe
  2⤵
  PID:6864
- C:\Windows\System32\mIEUtMt.exe
  C:\Windows\System32\mIEUtMt.exe
  2⤵
  PID:6880
- C:\Windows\System32\ygFOPqs.exe
  C:\Windows\System32\ygFOPqs.exe
  2⤵
  PID:6948
- C:\Windows\System32\XmtYlTd.exe
  C:\Windows\System32\XmtYlTd.exe
  2⤵
  PID:6968
- C:\Windows\System32\weYXSGi.exe
  C:\Windows\System32\weYXSGi.exe
  2⤵
  PID:7000
- C:\Windows\System32\TcCSBYM.exe
  C:\Windows\System32\TcCSBYM.exe
  2⤵
  PID:7016
- C:\Windows\System32\SmFRBIf.exe
  C:\Windows\System32\SmFRBIf.exe
  2⤵
  PID:7036
- C:\Windows\System32\qfxPTdw.exe
  C:\Windows\System32\qfxPTdw.exe
  2⤵
  PID:7052
- C:\Windows\System32\JXjJGLg.exe
  C:\Windows\System32\JXjJGLg.exe
  2⤵
  PID:7076
- C:\Windows\System32\TMAeKYq.exe
  C:\Windows\System32\TMAeKYq.exe
  2⤵
  PID:7108
- C:\Windows\System32\sulaJyH.exe
  C:\Windows\System32\sulaJyH.exe
  2⤵
  PID:7164
- C:\Windows\System32\vhWuXIL.exe
  C:\Windows\System32\vhWuXIL.exe
  2⤵
  PID:3936
- C:\Windows\System32\neCXUFe.exe
  C:\Windows\System32\neCXUFe.exe
  2⤵
  PID:5916
- C:\Windows\System32\fugWfRP.exe
  C:\Windows\System32\fugWfRP.exe
  2⤵
  PID:6236
- C:\Windows\System32\YSJIagy.exe
  C:\Windows\System32\YSJIagy.exe
  2⤵
  PID:6252
- C:\Windows\System32\AWGiBRa.exe
  C:\Windows\System32\AWGiBRa.exe
  2⤵
  PID:6372
- C:\Windows\System32\TwVOtWR.exe
  C:\Windows\System32\TwVOtWR.exe
  2⤵
  PID:6436
- C:\Windows\System32\mCNJOoy.exe
  C:\Windows\System32\mCNJOoy.exe
  2⤵
  PID:6464
- C:\Windows\System32\GDscIXC.exe
  C:\Windows\System32\GDscIXC.exe
  2⤵
  PID:6520
- C:\Windows\System32\msNkdSC.exe
  C:\Windows\System32\msNkdSC.exe
  2⤵
  PID:6604
- C:\Windows\System32\qLCJIjY.exe
  C:\Windows\System32\qLCJIjY.exe
  2⤵
  PID:6656
- C:\Windows\System32\BVxebNu.exe
  C:\Windows\System32\BVxebNu.exe
  2⤵
  PID:6764
- C:\Windows\System32\JKXiHni.exe
  C:\Windows\System32\JKXiHni.exe
  2⤵
  PID:6836
- C:\Windows\System32\xQeyZuQ.exe
  C:\Windows\System32\xQeyZuQ.exe
  2⤵
  PID:6876
- C:\Windows\System32\pMxmVME.exe
  C:\Windows\System32\pMxmVME.exe
  2⤵
  PID:6940
- C:\Windows\System32\DKbfxoF.exe
  C:\Windows\System32\DKbfxoF.exe
  2⤵
  PID:6980
- C:\Windows\System32\FnzBLxv.exe
  C:\Windows\System32\FnzBLxv.exe
  2⤵
  PID:7012
- C:\Windows\System32\BkkZxSk.exe
  C:\Windows\System32\BkkZxSk.exe
  2⤵
  PID:7144
- C:\Windows\System32\lSqWvhd.exe
  C:\Windows\System32\lSqWvhd.exe
  2⤵
  PID:5412
- C:\Windows\System32\PJLOMIX.exe
  C:\Windows\System32\PJLOMIX.exe
  2⤵
  PID:6296
- C:\Windows\System32\CXfVBkV.exe
  C:\Windows\System32\CXfVBkV.exe
  2⤵
  PID:6608
- C:\Windows\System32\RuXelYh.exe
  C:\Windows\System32\RuXelYh.exe
  2⤵
  PID:6748
- C:\Windows\System32\WhNQjFe.exe
  C:\Windows\System32\WhNQjFe.exe
  2⤵
  PID:6872
- C:\Windows\System32\lOMubMA.exe
  C:\Windows\System32\lOMubMA.exe
  2⤵
  PID:7060
- C:\Windows\System32\qiPyJEU.exe
  C:\Windows\System32\qiPyJEU.exe
  2⤵
  PID:6420
- C:\Windows\System32\ikfgruI.exe
  C:\Windows\System32\ikfgruI.exe
  2⤵
  PID:6664
- C:\Windows\System32\ZNuFaVY.exe
  C:\Windows\System32\ZNuFaVY.exe
  2⤵
  PID:6960
- C:\Windows\System32\EzUCaGc.exe
  C:\Windows\System32\EzUCaGc.exe
  2⤵
  PID:6648
- C:\Windows\System32\rXdMSdv.exe
  C:\Windows\System32\rXdMSdv.exe
  2⤵
  PID:7172
- C:\Windows\System32\fVxoGPa.exe
  C:\Windows\System32\fVxoGPa.exe
  2⤵
  PID:7212
- C:\Windows\System32\gRxKwnI.exe
  C:\Windows\System32\gRxKwnI.exe
  2⤵
  PID:7228
- C:\Windows\System32\DVuXOFt.exe
  C:\Windows\System32\DVuXOFt.exe
  2⤵
  PID:7248
- C:\Windows\System32\dbFiTCj.exe
  C:\Windows\System32\dbFiTCj.exe
  2⤵
  PID:7272
- C:\Windows\System32\ceHSaat.exe
  C:\Windows\System32\ceHSaat.exe
  2⤵
  PID:7296
- C:\Windows\System32\CQteACO.exe
  C:\Windows\System32\CQteACO.exe
  2⤵
  PID:7316
- C:\Windows\System32\TvAFBgo.exe
  C:\Windows\System32\TvAFBgo.exe
  2⤵
  PID:7340
- C:\Windows\System32\SEpASrJ.exe
  C:\Windows\System32\SEpASrJ.exe
  2⤵
  PID:7368
- C:\Windows\System32\XBCZdKd.exe
  C:\Windows\System32\XBCZdKd.exe
  2⤵
  PID:7388
- C:\Windows\System32\PHpRfro.exe
  C:\Windows\System32\PHpRfro.exe
  2⤵
  PID:7432
- C:\Windows\System32\WkxRmYb.exe
  C:\Windows\System32\WkxRmYb.exe
  2⤵
  PID:7488
- C:\Windows\System32\gaKfZaJ.exe
  C:\Windows\System32\gaKfZaJ.exe
  2⤵
  PID:7508
- C:\Windows\System32\CnjwqCy.exe
  C:\Windows\System32\CnjwqCy.exe
  2⤵
  PID:7528
- C:\Windows\System32\ILHWbcF.exe
  C:\Windows\System32\ILHWbcF.exe
  2⤵
  PID:7552
- C:\Windows\System32\DkkJhYB.exe
  C:\Windows\System32\DkkJhYB.exe
  2⤵
  PID:7588
- C:\Windows\System32\zBYkivK.exe
  C:\Windows\System32\zBYkivK.exe
  2⤵
  PID:7608
- C:\Windows\System32\DTBNHMs.exe
  C:\Windows\System32\DTBNHMs.exe
  2⤵
  PID:7628
- C:\Windows\System32\uLtcTtO.exe
  C:\Windows\System32\uLtcTtO.exe
  2⤵
  PID:7644
- C:\Windows\System32\bcrnSuZ.exe
  C:\Windows\System32\bcrnSuZ.exe
  2⤵
  PID:7672
- C:\Windows\System32\CphcTOc.exe
  C:\Windows\System32\CphcTOc.exe
  2⤵
  PID:7688
- C:\Windows\System32\UyfcYhE.exe
  C:\Windows\System32\UyfcYhE.exe
  2⤵
  PID:7708
- C:\Windows\System32\GAczyCM.exe
  C:\Windows\System32\GAczyCM.exe
  2⤵
  PID:7752
- C:\Windows\System32\cgvIcyY.exe
  C:\Windows\System32\cgvIcyY.exe
  2⤵
  PID:7780
- C:\Windows\System32\YhcYajU.exe
  C:\Windows\System32\YhcYajU.exe
  2⤵
  PID:7852
- C:\Windows\System32\UOVowaN.exe
  C:\Windows\System32\UOVowaN.exe
  2⤵
  PID:7876
- C:\Windows\System32\mduXrbN.exe
  C:\Windows\System32\mduXrbN.exe
  2⤵
  PID:7904
- C:\Windows\System32\TRUNDhZ.exe
  C:\Windows\System32\TRUNDhZ.exe
  2⤵
  PID:7928
- C:\Windows\System32\notSxYN.exe
  C:\Windows\System32\notSxYN.exe
  2⤵
  PID:7944
- C:\Windows\System32\qzCkNGf.exe
  C:\Windows\System32\qzCkNGf.exe
  2⤵
  PID:7984
- C:\Windows\System32\FnHeQxI.exe
  C:\Windows\System32\FnHeQxI.exe
  2⤵
  PID:8008
- C:\Windows\System32\ngwZDWv.exe
  C:\Windows\System32\ngwZDWv.exe
  2⤵
  PID:8024
- C:\Windows\System32\snivNTp.exe
  C:\Windows\System32\snivNTp.exe
  2⤵
  PID:8040
- C:\Windows\System32\SnvMNlA.exe
  C:\Windows\System32\SnvMNlA.exe
  2⤵
  PID:8068
- C:\Windows\System32\gVphOVS.exe
  C:\Windows\System32\gVphOVS.exe
  2⤵
  PID:8112
- C:\Windows\System32\vBtqtZC.exe
  C:\Windows\System32\vBtqtZC.exe
  2⤵
  PID:8136
- C:\Windows\System32\okgHHHv.exe
  C:\Windows\System32\okgHHHv.exe
  2⤵
  PID:8188
- C:\Windows\System32\MTbRvIh.exe
  C:\Windows\System32\MTbRvIh.exe
  2⤵
  PID:7180
- C:\Windows\System32\CHfeWah.exe
  C:\Windows\System32\CHfeWah.exe
  2⤵
  PID:7244
- C:\Windows\System32\BRuKQSF.exe
  C:\Windows\System32\BRuKQSF.exe
  2⤵
  PID:7356
- C:\Windows\System32\LBRWIdS.exe
  C:\Windows\System32\LBRWIdS.exe
  2⤵
  PID:7288
- C:\Windows\System32\OqGyZxv.exe
  C:\Windows\System32\OqGyZxv.exe
  2⤵
  PID:7328
- C:\Windows\System32\RwYWOzg.exe
  C:\Windows\System32\RwYWOzg.exe
  2⤵
  PID:7480
- C:\Windows\System32\zSmMOsV.exe
  C:\Windows\System32\zSmMOsV.exe
  2⤵
  PID:7536
- C:\Windows\System32\tIGUuio.exe
  C:\Windows\System32\tIGUuio.exe
  2⤵
  PID:7564
- C:\Windows\System32\FVBrFOH.exe
  C:\Windows\System32\FVBrFOH.exe
  2⤵
  PID:7664
- C:\Windows\System32\fhQBMhY.exe
  C:\Windows\System32\fhQBMhY.exe
  2⤵
  PID:7720
- C:\Windows\System32\ETKfdpi.exe
  C:\Windows\System32\ETKfdpi.exe
  2⤵
  PID:7864
- C:\Windows\System32\amwXdpO.exe
  C:\Windows\System32\amwXdpO.exe
  2⤵
  PID:7920
- C:\Windows\System32\FbYcSlj.exe
  C:\Windows\System32\FbYcSlj.exe
  2⤵
  PID:7980
- C:\Windows\System32\bxSoPSk.exe
  C:\Windows\System32\bxSoPSk.exe
  2⤵
  PID:8056
- C:\Windows\System32\FXBenJh.exe
  C:\Windows\System32\FXBenJh.exe
  2⤵
  PID:8108
- C:\Windows\System32\nRQsiZM.exe
  C:\Windows\System32\nRQsiZM.exe
  2⤵
  PID:8164
- C:\Windows\System32\FtUlbWo.exe
  C:\Windows\System32\FtUlbWo.exe
  2⤵
  PID:7308
- C:\Windows\System32\AWgHUoU.exe
  C:\Windows\System32\AWgHUoU.exe
  2⤵
  PID:7352
- C:\Windows\System32\NrssusL.exe
  C:\Windows\System32\NrssusL.exe
  2⤵
  PID:7540
- C:\Windows\System32\Dsugwnu.exe
  C:\Windows\System32\Dsugwnu.exe
  2⤵
  PID:7520
- C:\Windows\System32\aDCGgxH.exe
  C:\Windows\System32\aDCGgxH.exe
  2⤵
  PID:7772
- C:\Windows\System32\ExMTKOr.exe
  C:\Windows\System32\ExMTKOr.exe
  2⤵
  PID:7940
- C:\Windows\System32\IdswFtx.exe
  C:\Windows\System32\IdswFtx.exe
  2⤵
  PID:7196
- C:\Windows\System32\qZWDWqm.exe
  C:\Windows\System32\qZWDWqm.exe
  2⤵
  PID:7256
- C:\Windows\System32\XPOcLgJ.exe
  C:\Windows\System32\XPOcLgJ.exe
  2⤵
  PID:7660
- C:\Windows\System32\jeCMvOp.exe
  C:\Windows\System32\jeCMvOp.exe
  2⤵
  PID:8160
- C:\Windows\System32\TORJLXy.exe
  C:\Windows\System32\TORJLXy.exe
  2⤵
  PID:8080
- C:\Windows\System32\lHLpzpC.exe
  C:\Windows\System32\lHLpzpC.exe
  2⤵
  PID:7596
- C:\Windows\System32\fxiWYvq.exe
  C:\Windows\System32\fxiWYvq.exe
  2⤵
  PID:8204
- C:\Windows\System32\TbMtJCI.exe
  C:\Windows\System32\TbMtJCI.exe
  2⤵
  PID:8224
- C:\Windows\System32\MTAbTIH.exe
  C:\Windows\System32\MTAbTIH.exe
  2⤵
  PID:8244
- C:\Windows\System32\etifDop.exe
  C:\Windows\System32\etifDop.exe
  2⤵
  PID:8300
- C:\Windows\System32\tEQTPzg.exe
  C:\Windows\System32\tEQTPzg.exe
  2⤵
  PID:8320
- C:\Windows\System32\JAVDuLa.exe
  C:\Windows\System32\JAVDuLa.exe
  2⤵
  PID:8348
- C:\Windows\System32\lujnzNY.exe
  C:\Windows\System32\lujnzNY.exe
  2⤵
  PID:8392
- C:\Windows\System32\mxEGXSt.exe
  C:\Windows\System32\mxEGXSt.exe
  2⤵
  PID:8408
- C:\Windows\System32\eabosjI.exe
  C:\Windows\System32\eabosjI.exe
  2⤵
  PID:8432
- C:\Windows\System32\rdzNXOC.exe
  C:\Windows\System32\rdzNXOC.exe
  2⤵
  PID:8460
- C:\Windows\System32\CXhhrHY.exe
  C:\Windows\System32\CXhhrHY.exe
  2⤵
  PID:8500
- C:\Windows\System32\LpkHMug.exe
  C:\Windows\System32\LpkHMug.exe
  2⤵
  PID:8520
- C:\Windows\System32\HyTjdlK.exe
  C:\Windows\System32\HyTjdlK.exe
  2⤵
  PID:8564
- C:\Windows\System32\pGnGtQr.exe
  C:\Windows\System32\pGnGtQr.exe
  2⤵
  PID:8596
- C:\Windows\System32\HFfSiiU.exe
  C:\Windows\System32\HFfSiiU.exe
  2⤵
  PID:8612
- C:\Windows\System32\rEljlND.exe
  C:\Windows\System32\rEljlND.exe
  2⤵
  PID:8640
- C:\Windows\System32\TtHQcTY.exe
  C:\Windows\System32\TtHQcTY.exe
  2⤵
  PID:8660
- C:\Windows\System32\kgfwGbs.exe
  C:\Windows\System32\kgfwGbs.exe
  2⤵
  PID:8692
- C:\Windows\System32\lNGVehU.exe
  C:\Windows\System32\lNGVehU.exe
  2⤵
  PID:8716
- C:\Windows\System32\VfIXboz.exe
  C:\Windows\System32\VfIXboz.exe
  2⤵
  PID:8744
- C:\Windows\System32\UaALPpN.exe
  C:\Windows\System32\UaALPpN.exe
  2⤵
  PID:8772
- C:\Windows\System32\BPeSPOo.exe
  C:\Windows\System32\BPeSPOo.exe
  2⤵
  PID:8796
- C:\Windows\System32\ROdEPmF.exe
  C:\Windows\System32\ROdEPmF.exe
  2⤵
  PID:8812
- C:\Windows\System32\vQxEggY.exe
  C:\Windows\System32\vQxEggY.exe
  2⤵
  PID:8852
- C:\Windows\System32\CdKjcOD.exe
  C:\Windows\System32\CdKjcOD.exe
  2⤵
  PID:8884
- C:\Windows\System32\LTUbFCy.exe
  C:\Windows\System32\LTUbFCy.exe
  2⤵
  PID:8904
- C:\Windows\System32\lUfYgKT.exe
  C:\Windows\System32\lUfYgKT.exe
  2⤵
  PID:8920
- C:\Windows\System32\BCEUSqc.exe
  C:\Windows\System32\BCEUSqc.exe
  2⤵
  PID:8948
- C:\Windows\System32\NggYszM.exe
  C:\Windows\System32\NggYszM.exe
  2⤵
  PID:9000
- C:\Windows\System32\cmMQWRT.exe
  C:\Windows\System32\cmMQWRT.exe
  2⤵
  PID:9020
- C:\Windows\System32\McTRuNN.exe
  C:\Windows\System32\McTRuNN.exe
  2⤵
  PID:9072
- C:\Windows\System32\mwsbjne.exe
  C:\Windows\System32\mwsbjne.exe
  2⤵
  PID:9112
- C:\Windows\System32\BWcfLFx.exe
  C:\Windows\System32\BWcfLFx.exe
  2⤵
  PID:9132
- C:\Windows\System32\HqRGZdT.exe
  C:\Windows\System32\HqRGZdT.exe
  2⤵
  PID:9156
- C:\Windows\System32\BAsFACv.exe
  C:\Windows\System32\BAsFACv.exe
  2⤵
  PID:9184
- C:\Windows\System32\LXiOpSV.exe
  C:\Windows\System32\LXiOpSV.exe
  2⤵
  PID:8196
- C:\Windows\System32\yFSkiuK.exe
  C:\Windows\System32\yFSkiuK.exe
  2⤵
  PID:8284
- C:\Windows\System32\nSrUshy.exe
  C:\Windows\System32\nSrUshy.exe
  2⤵
  PID:8316
- C:\Windows\System32\XMtyaAT.exe
  C:\Windows\System32\XMtyaAT.exe
  2⤵
  PID:8372
- C:\Windows\System32\lcCtEWp.exe
  C:\Windows\System32\lcCtEWp.exe
  2⤵
  PID:8428
- C:\Windows\System32\qMQQyIx.exe
  C:\Windows\System32\qMQQyIx.exe
  2⤵
  PID:8424
- C:\Windows\System32\gkBytde.exe
  C:\Windows\System32\gkBytde.exe
  2⤵
  PID:8552
- C:\Windows\System32\enKZfTq.exe
  C:\Windows\System32\enKZfTq.exe
  2⤵
  PID:8620
- C:\Windows\System32\qKEiZxE.exe
  C:\Windows\System32\qKEiZxE.exe
  2⤵
  PID:8652
- C:\Windows\System32\MeoaGDH.exe
  C:\Windows\System32\MeoaGDH.exe
  2⤵
  PID:8732
- C:\Windows\System32\ZJywdCF.exe
  C:\Windows\System32\ZJywdCF.exe
  2⤵
  PID:8724
- C:\Windows\System32\SpvcFDA.exe
  C:\Windows\System32\SpvcFDA.exe
  2⤵
  PID:8828
- C:\Windows\System32\flNYxEY.exe
  C:\Windows\System32\flNYxEY.exe
  2⤵
  PID:8860
- C:\Windows\System32\wMqVbXv.exe
  C:\Windows\System32\wMqVbXv.exe
  2⤵
  PID:8928
- C:\Windows\System32\NKBDHdT.exe
  C:\Windows\System32\NKBDHdT.exe
  2⤵
  PID:3532
- C:\Windows\System32\tROsWiv.exe
  C:\Windows\System32\tROsWiv.exe
  2⤵
  PID:9080
- C:\Windows\System32\DnorMli.exe
  C:\Windows\System32\DnorMli.exe
  2⤵
  PID:8200
- C:\Windows\System32\FmCqTjK.exe
  C:\Windows\System32\FmCqTjK.exe
  2⤵
  PID:8308
- C:\Windows\System32\qrxjmjk.exe
  C:\Windows\System32\qrxjmjk.exe
  2⤵
  PID:8540
- C:\Windows\System32\eVWfKdW.exe
  C:\Windows\System32\eVWfKdW.exe
  2⤵
  PID:8784
- C:\Windows\System32\EMRkoHO.exe
  C:\Windows\System32\EMRkoHO.exe
  2⤵
  PID:8676
- C:\Windows\System32\xWgtarH.exe
  C:\Windows\System32\xWgtarH.exe
  2⤵
  PID:8980
- C:\Windows\System32\OtRzHJE.exe
  C:\Windows\System32\OtRzHJE.exe
  2⤵
  PID:8876
- C:\Windows\System32\xzvBOVr.exe
  C:\Windows\System32\xzvBOVr.exe
  2⤵
  PID:9140
- C:\Windows\System32\QZdWwIY.exe
  C:\Windows\System32\QZdWwIY.exe
  2⤵
  PID:8804
- C:\Windows\System32\kteEtbG.exe
  C:\Windows\System32\kteEtbG.exe
  2⤵
  PID:8380
- C:\Windows\System32\TlJNDwS.exe
  C:\Windows\System32\TlJNDwS.exe
  2⤵
  PID:8492
- C:\Windows\System32\lQieldc.exe
  C:\Windows\System32\lQieldc.exe
  2⤵
  PID:9220
- C:\Windows\System32\HguPSps.exe
  C:\Windows\System32\HguPSps.exe
  2⤵
  PID:9236
- C:\Windows\System32\cGPOKqQ.exe
  C:\Windows\System32\cGPOKqQ.exe
  2⤵
  PID:9292
- C:\Windows\System32\aQwAtjT.exe
  C:\Windows\System32\aQwAtjT.exe
  2⤵
  PID:9312
- C:\Windows\System32\rjpxXTH.exe
  C:\Windows\System32\rjpxXTH.exe
  2⤵
  PID:9372
- C:\Windows\System32\KhiJoWp.exe
  C:\Windows\System32\KhiJoWp.exe
  2⤵
  PID:9388
- C:\Windows\System32\WebYHqK.exe
  C:\Windows\System32\WebYHqK.exe
  2⤵
  PID:9536
- C:\Windows\System32\hetOdaY.exe
  C:\Windows\System32\hetOdaY.exe
  2⤵
  PID:9624
- C:\Windows\System32\Tseimka.exe
  C:\Windows\System32\Tseimka.exe
  2⤵
  PID:9652
- C:\Windows\System32\bFQNqmf.exe
  C:\Windows\System32\bFQNqmf.exe
  2⤵
  PID:9680
- C:\Windows\System32\bQruPgg.exe
  C:\Windows\System32\bQruPgg.exe
  2⤵
  PID:9696
- C:\Windows\System32\HHKKcnn.exe
  C:\Windows\System32\HHKKcnn.exe
  2⤵
  PID:9720
- C:\Windows\System32\XyRjPHd.exe
  C:\Windows\System32\XyRjPHd.exe
  2⤵
  PID:9740
- C:\Windows\System32\HKJPOcY.exe
  C:\Windows\System32\HKJPOcY.exe
  2⤵
  PID:9760
- C:\Windows\System32\QgDztVF.exe
  C:\Windows\System32\QgDztVF.exe
  2⤵
  PID:9788
- C:\Windows\System32\hnFEMDn.exe
  C:\Windows\System32\hnFEMDn.exe
  2⤵
  PID:9804
- C:\Windows\System32\owTgZLL.exe
  C:\Windows\System32\owTgZLL.exe
  2⤵
  PID:9828
- C:\Windows\System32\RQAvhJL.exe
  C:\Windows\System32\RQAvhJL.exe
  2⤵
  PID:9844
- C:\Windows\System32\pYUSZhQ.exe
  C:\Windows\System32\pYUSZhQ.exe
  2⤵
  PID:9892
- C:\Windows\System32\qUiVzLE.exe
  C:\Windows\System32\qUiVzLE.exe
  2⤵
  PID:9920
- C:\Windows\System32\mEFiHwP.exe
  C:\Windows\System32\mEFiHwP.exe
  2⤵
  PID:9948
- C:\Windows\System32\WaSQEJv.exe
  C:\Windows\System32\WaSQEJv.exe
  2⤵
  PID:9968
- C:\Windows\System32\IfejEAJ.exe
  C:\Windows\System32\IfejEAJ.exe
  2⤵
  PID:9996
- C:\Windows\System32\FvajwwQ.exe
  C:\Windows\System32\FvajwwQ.exe
  2⤵
  PID:10068
- C:\Windows\System32\jngBcNe.exe
  C:\Windows\System32\jngBcNe.exe
  2⤵
  PID:10112
- C:\Windows\System32\lKzAsUz.exe
  C:\Windows\System32\lKzAsUz.exe
  2⤵
  PID:10128
- C:\Windows\System32\bpFyxBl.exe
  C:\Windows\System32\bpFyxBl.exe
  2⤵
  PID:10168
- C:\Windows\System32\fMEbNUC.exe
  C:\Windows\System32\fMEbNUC.exe
  2⤵
  PID:10188
- C:\Windows\System32\JAuOmau.exe
  C:\Windows\System32\JAuOmau.exe
  2⤵
  PID:10208
- C:\Windows\System32\yetNQEn.exe
  C:\Windows\System32\yetNQEn.exe
  2⤵
  PID:10232
- C:\Windows\System32\cMCVplY.exe
  C:\Windows\System32\cMCVplY.exe
  2⤵
  PID:7384
- C:\Windows\System32\ZVhplrT.exe
  C:\Windows\System32\ZVhplrT.exe
  2⤵
  PID:9288
- C:\Windows\System32\IALqYCf.exe
  C:\Windows\System32\IALqYCf.exe
  2⤵
  PID:9232
- C:\Windows\System32\MkATsgB.exe
  C:\Windows\System32\MkATsgB.exe
  2⤵
  PID:9308
- C:\Windows\System32\tOblhwr.exe
  C:\Windows\System32\tOblhwr.exe
  2⤵
  PID:9468
- C:\Windows\System32\CEhDNmn.exe
  C:\Windows\System32\CEhDNmn.exe
  2⤵
  PID:9368
- C:\Windows\System32\eIXSzLR.exe
  C:\Windows\System32\eIXSzLR.exe
  2⤵
  PID:9584
- C:\Windows\System32\zAoQzGX.exe
  C:\Windows\System32\zAoQzGX.exe
  2⤵
  PID:9504
- C:\Windows\System32\LipoaiO.exe
  C:\Windows\System32\LipoaiO.exe
  2⤵
  PID:9404
- C:\Windows\System32\SzadrhQ.exe
  C:\Windows\System32\SzadrhQ.exe
  2⤵
  PID:9612
- C:\Windows\System32\KXyLTff.exe
  C:\Windows\System32\KXyLTff.exe
  2⤵
  PID:9668
- C:\Windows\System32\cKtoyev.exe
  C:\Windows\System32\cKtoyev.exe
  2⤵
  PID:9732
- C:\Windows\System32\kPqBfTz.exe
  C:\Windows\System32\kPqBfTz.exe
  2⤵
  PID:9836
- C:\Windows\System32\aILMGRv.exe
  C:\Windows\System32\aILMGRv.exe
  2⤵
  PID:9852
- C:\Windows\System32\beCQACR.exe
  C:\Windows\System32\beCQACR.exe
  2⤵
  PID:9912
- C:\Windows\System32\SWZOggJ.exe
  C:\Windows\System32\SWZOggJ.exe
  2⤵
  PID:10004
- C:\Windows\System32\rSTyOmC.exe
  C:\Windows\System32\rSTyOmC.exe
  2⤵
  PID:10084
- C:\Windows\System32\JCOFhaI.exe
  C:\Windows\System32\JCOFhaI.exe
  2⤵
  PID:9596
- C:\Windows\System32\FPOiPmW.exe
  C:\Windows\System32\FPOiPmW.exe
  2⤵
  PID:10120
- C:\Windows\System32\sscvLxG.exe
  C:\Windows\System32\sscvLxG.exe
  2⤵
  PID:10204
- C:\Windows\System32\ZyOYYdg.exe
  C:\Windows\System32\ZyOYYdg.exe
  2⤵
  PID:9128
- C:\Windows\System32\TqkXNqR.exe
  C:\Windows\System32\TqkXNqR.exe
  2⤵
  PID:9252
- C:\Windows\System32\nIfMpWJ.exe
  C:\Windows\System32\nIfMpWJ.exe
  2⤵
  PID:9500
- C:\Windows\System32\ZcAnmEM.exe
  C:\Windows\System32\ZcAnmEM.exe
  2⤵
  PID:9452
- C:\Windows\System32\WmgQFPs.exe
  C:\Windows\System32\WmgQFPs.exe
  2⤵
  PID:9456
- C:\Windows\System32\mqFFnNJ.exe
  C:\Windows\System32\mqFFnNJ.exe
  2⤵
  PID:9688
- C:\Windows\System32\LOWGIpE.exe
  C:\Windows\System32\LOWGIpE.exe
  2⤵
  PID:9816
- C:\Windows\System32\wEaEjZA.exe
  C:\Windows\System32\wEaEjZA.exe
  2⤵
  PID:9900
- C:\Windows\System32\bnVqVnc.exe
  C:\Windows\System32\bnVqVnc.exe
  2⤵
  PID:10140
- C:\Windows\System32\FkrvXJH.exe
  C:\Windows\System32\FkrvXJH.exe
  2⤵
  PID:10176
- C:\Windows\System32\pWdQwZb.exe
  C:\Windows\System32\pWdQwZb.exe
  2⤵
  PID:9756
- C:\Windows\System32\gUicqVR.exe
  C:\Windows\System32\gUicqVR.exe
  2⤵
  PID:9840
- C:\Windows\System32\xjAJhou.exe
  C:\Windows\System32\xjAJhou.exe
  2⤵
  PID:9812
- C:\Windows\System32\hWrtoAk.exe
  C:\Windows\System32\hWrtoAk.exe
  2⤵
  PID:9576
- C:\Windows\System32\INNzaoR.exe
  C:\Windows\System32\INNzaoR.exe
  2⤵
  PID:9228
- C:\Windows\System32\tMqCYoB.exe
  C:\Windows\System32\tMqCYoB.exe
  2⤵
  PID:10248
- C:\Windows\System32\QNGmMFW.exe
  C:\Windows\System32\QNGmMFW.exe
  2⤵
  PID:10264
- C:\Windows\System32\dxhXiBl.exe
  C:\Windows\System32\dxhXiBl.exe
  2⤵
  PID:10284
- C:\Windows\System32\pIBGpJY.exe
  C:\Windows\System32\pIBGpJY.exe
  2⤵
  PID:10300
- C:\Windows\System32\Hzhjoju.exe
  C:\Windows\System32\Hzhjoju.exe
  2⤵
  PID:10328
- C:\Windows\System32\QDvSYfs.exe
  C:\Windows\System32\QDvSYfs.exe
  2⤵
  PID:10344
- C:\Windows\System32\fBQArSO.exe
  C:\Windows\System32\fBQArSO.exe
  2⤵
  PID:10412
- C:\Windows\System32\iLDFENI.exe
  C:\Windows\System32\iLDFENI.exe
  2⤵
  PID:10476
- C:\Windows\System32\IBlxAdx.exe
  C:\Windows\System32\IBlxAdx.exe
  2⤵
  PID:10496
- C:\Windows\System32\SEeyOxa.exe
  C:\Windows\System32\SEeyOxa.exe
  2⤵
  PID:10520
- C:\Windows\System32\IMWnoGc.exe
  C:\Windows\System32\IMWnoGc.exe
  2⤵
  PID:10540
- C:\Windows\System32\rAEQAmw.exe
  C:\Windows\System32\rAEQAmw.exe
  2⤵
  PID:10560
- C:\Windows\System32\OZGltze.exe
  C:\Windows\System32\OZGltze.exe
  2⤵
  PID:10580
- C:\Windows\System32\tqVDgio.exe
  C:\Windows\System32\tqVDgio.exe
  2⤵
  PID:10616
- C:\Windows\System32\uZvUaxc.exe
  C:\Windows\System32\uZvUaxc.exe
  2⤵
  PID:10648
- C:\Windows\System32\wkguzVA.exe
  C:\Windows\System32\wkguzVA.exe
  2⤵
  PID:10684
- C:\Windows\System32\SHvHIzO.exe
  C:\Windows\System32\SHvHIzO.exe
  2⤵
  PID:10708
- C:\Windows\System32\thobWbW.exe
  C:\Windows\System32\thobWbW.exe
  2⤵
  PID:10752
- C:\Windows\System32\AUmndJU.exe
  C:\Windows\System32\AUmndJU.exe
  2⤵
  PID:10784
- C:\Windows\System32\dFrCduN.exe
  C:\Windows\System32\dFrCduN.exe
  2⤵
  PID:10808
- C:\Windows\System32\hQvAwSh.exe
  C:\Windows\System32\hQvAwSh.exe
  2⤵
  PID:10832
- C:\Windows\System32\JLdznAc.exe
  C:\Windows\System32\JLdznAc.exe
  2⤵
  PID:10868
- C:\Windows\System32\EAWjWPO.exe
  C:\Windows\System32\EAWjWPO.exe
  2⤵
  PID:10896
- C:\Windows\System32\IVgmfNK.exe
  C:\Windows\System32\IVgmfNK.exe
  2⤵
  PID:10920
- C:\Windows\System32\MEGxqgh.exe
  C:\Windows\System32\MEGxqgh.exe
  2⤵
  PID:10940
- C:\Windows\System32\SKEzCbh.exe
  C:\Windows\System32\SKEzCbh.exe
  2⤵
  PID:10960
- C:\Windows\System32\fWMjovp.exe
  C:\Windows\System32\fWMjovp.exe
  2⤵
  PID:10976
- C:\Windows\System32\YGvXgaq.exe
  C:\Windows\System32\YGvXgaq.exe
  2⤵
  PID:11004
- C:\Windows\System32\uHqhBJc.exe
  C:\Windows\System32\uHqhBJc.exe
  2⤵
  PID:11028
- C:\Windows\System32\zkqOZJQ.exe
  C:\Windows\System32\zkqOZJQ.exe
  2⤵
  PID:11092
- C:\Windows\System32\svNcMuX.exe
  C:\Windows\System32\svNcMuX.exe
  2⤵
  PID:11120
- C:\Windows\System32\RXYvoIv.exe
  C:\Windows\System32\RXYvoIv.exe
  2⤵
  PID:11140
- C:\Windows\System32\isUMCzg.exe
  C:\Windows\System32\isUMCzg.exe
  2⤵
  PID:11164
- C:\Windows\System32\kziNPXy.exe
  C:\Windows\System32\kziNPXy.exe
  2⤵
  PID:11204
- C:\Windows\System32\NxmtExH.exe
  C:\Windows\System32\NxmtExH.exe
  2⤵
  PID:11224
- C:\Windows\System32\AOBbCrp.exe
  C:\Windows\System32\AOBbCrp.exe
  2⤵
  PID:9640
- C:\Windows\System32\azEZCJH.exe
  C:\Windows\System32\azEZCJH.exe
  2⤵
  PID:10308
- C:\Windows\System32\hEFQNAF.exe
  C:\Windows\System32\hEFQNAF.exe
  2⤵
  PID:10292
- C:\Windows\System32\ElBYpAL.exe
  C:\Windows\System32\ElBYpAL.exe
  2⤵
  PID:10392
- C:\Windows\System32\UNjdxRb.exe
  C:\Windows\System32\UNjdxRb.exe
  2⤵
  PID:10484
- C:\Windows\System32\THIELXY.exe
  C:\Windows\System32\THIELXY.exe
  2⤵
  PID:10532
- C:\Windows\System32\IYWMUmD.exe
  C:\Windows\System32\IYWMUmD.exe
  2⤵
  PID:10592
- C:\Windows\System32\UPeNtSP.exe
  C:\Windows\System32\UPeNtSP.exe
  2⤵
  PID:10640
- C:\Windows\System32\OmYrVxQ.exe
  C:\Windows\System32\OmYrVxQ.exe
  2⤵
  PID:10672
- C:\Windows\System32\nsAmmKD.exe
  C:\Windows\System32\nsAmmKD.exe
  2⤵
  PID:10768
- C:\Windows\System32\qmfXLik.exe
  C:\Windows\System32\qmfXLik.exe
  2⤵
  PID:10848
- C:\Windows\System32\ExRRCfX.exe
  C:\Windows\System32\ExRRCfX.exe
  2⤵
  PID:10892
- C:\Windows\System32\ngBwznM.exe
  C:\Windows\System32\ngBwznM.exe
  2⤵
  PID:10984
- C:\Windows\System32\JrYFqAy.exe
  C:\Windows\System32\JrYFqAy.exe
  2⤵
  PID:4804
- C:\Windows\System32\VeKjqrK.exe
  C:\Windows\System32\VeKjqrK.exe
  2⤵
  PID:11060
- C:\Windows\System32\ButTJMG.exe
  C:\Windows\System32\ButTJMG.exe
  2⤵
  PID:11112
- C:\Windows\System32\HqSjtaR.exe
  C:\Windows\System32\HqSjtaR.exe
  2⤵
  PID:11148
- C:\Windows\System32\pCybFbQ.exe
  C:\Windows\System32\pCybFbQ.exe
  2⤵
  PID:11256
- C:\Windows\System32\uuQbFYN.exe
  C:\Windows\System32\uuQbFYN.exe
  2⤵
  PID:10356
- C:\Windows\System32\sCQGAQD.exe
  C:\Windows\System32\sCQGAQD.exe
  2⤵
  PID:3668
- C:\Windows\System32\hLmylNa.exe
  C:\Windows\System32\hLmylNa.exe
  2⤵
  PID:10528
- C:\Windows\System32\tQkuEFK.exe
  C:\Windows\System32\tQkuEFK.exe
  2⤵
  PID:10864
- C:\Windows\System32\nWmCQwL.exe
  C:\Windows\System32\nWmCQwL.exe
  2⤵
  PID:11016
- C:\Windows\System32\joDsgDm.exe
  C:\Windows\System32\joDsgDm.exe
  2⤵
  PID:11052
- C:\Windows\System32\STuiKhT.exe
  C:\Windows\System32\STuiKhT.exe
  2⤵
  PID:11184
- C:\Windows\System32\KQzJTSK.exe
  C:\Windows\System32\KQzJTSK.exe
  2⤵
  PID:11188
- C:\Windows\System32\iRqvXLV.exe
  C:\Windows\System32\iRqvXLV.exe
  2⤵
  PID:10380
- C:\Windows\System32\NEJQYRg.exe
  C:\Windows\System32\NEJQYRg.exe
  2⤵
  PID:11068
- C:\Windows\System32\DqdQdxt.exe
  C:\Windows\System32\DqdQdxt.exe
  2⤵
  PID:10280
- C:\Windows\System32\Mcjhjse.exe
  C:\Windows\System32\Mcjhjse.exe
  2⤵
  PID:10780
- C:\Windows\System32\ddVvSQC.exe
  C:\Windows\System32\ddVvSQC.exe
  2⤵
  PID:11072
- C:\Windows\System32\IuHkiZx.exe
  C:\Windows\System32\IuHkiZx.exe
  2⤵
  PID:2248
- C:\Windows\System32\oSZRCzN.exe
  C:\Windows\System32\oSZRCzN.exe
  2⤵
  PID:11284
- C:\Windows\System32\LjbfVAs.exe
  C:\Windows\System32\LjbfVAs.exe
  2⤵
  PID:11324
- C:\Windows\System32\pwIRMpw.exe
  C:\Windows\System32\pwIRMpw.exe
  2⤵
  PID:11340
- C:\Windows\System32\YOuFBNJ.exe
  C:\Windows\System32\YOuFBNJ.exe
  2⤵
  PID:11400
- C:\Windows\System32\wsBZIvd.exe
  C:\Windows\System32\wsBZIvd.exe
  2⤵
  PID:11432
- C:\Windows\System32\pdPZftJ.exe
  C:\Windows\System32\pdPZftJ.exe
  2⤵
  PID:11464
- C:\Windows\System32\POIBllM.exe
  C:\Windows\System32\POIBllM.exe
  2⤵
  PID:11492
- C:\Windows\System32\kZEKKWr.exe
  C:\Windows\System32\kZEKKWr.exe
  2⤵
  PID:11516
- C:\Windows\System32\qrisFIc.exe
  C:\Windows\System32\qrisFIc.exe
  2⤵
  PID:11536
- C:\Windows\System32\mBlFMJk.exe
  C:\Windows\System32\mBlFMJk.exe
  2⤵
  PID:11556
- C:\Windows\System32\CsYoAmi.exe
  C:\Windows\System32\CsYoAmi.exe
  2⤵
  PID:11572
- C:\Windows\System32\GRgcJfZ.exe
  C:\Windows\System32\GRgcJfZ.exe
  2⤵
  PID:11596
- C:\Windows\System32\BjOUKMR.exe
  C:\Windows\System32\BjOUKMR.exe
  2⤵
  PID:11632
- C:\Windows\System32\jCDxRPA.exe
  C:\Windows\System32\jCDxRPA.exe
  2⤵
  PID:11696
- C:\Windows\System32\YYUvjNl.exe
  C:\Windows\System32\YYUvjNl.exe
  2⤵
  PID:11716
- C:\Windows\System32\GEUaDgG.exe
  C:\Windows\System32\GEUaDgG.exe
  2⤵
  PID:11732
- C:\Windows\System32\GXQoWTf.exe
  C:\Windows\System32\GXQoWTf.exe
  2⤵
  PID:11768
- C:\Windows\System32\KqPLRvX.exe
  C:\Windows\System32\KqPLRvX.exe
  2⤵
  PID:11800
- C:\Windows\System32\FbVcYqS.exe
  C:\Windows\System32\FbVcYqS.exe
  2⤵
  PID:11816
- C:\Windows\System32\hcsxXUM.exe
  C:\Windows\System32\hcsxXUM.exe
  2⤵
  PID:11860
- C:\Windows\System32\itlkZCc.exe
  C:\Windows\System32\itlkZCc.exe
  2⤵
  PID:11876
- C:\Windows\System32\PVbSyXX.exe
  C:\Windows\System32\PVbSyXX.exe
  2⤵
  PID:11900
- C:\Windows\System32\CJiynJG.exe
  C:\Windows\System32\CJiynJG.exe
  2⤵
  PID:11936
- C:\Windows\System32\ciKdkEP.exe
  C:\Windows\System32\ciKdkEP.exe
  2⤵
  PID:11956
- C:\Windows\System32\kVouiSz.exe
  C:\Windows\System32\kVouiSz.exe
  2⤵
  PID:11980
- C:\Windows\System32\jWjDvKm.exe
  C:\Windows\System32\jWjDvKm.exe
  2⤵
  PID:12024
- C:\Windows\System32\SLwYuDO.exe
  C:\Windows\System32\SLwYuDO.exe
  2⤵
  PID:12040
- C:\Windows\System32\lWnayQm.exe
  C:\Windows\System32\lWnayQm.exe
  2⤵
  PID:12056
- C:\Windows\System32\eWfVhkO.exe
  C:\Windows\System32\eWfVhkO.exe
  2⤵
  PID:12092
- C:\Windows\System32\BUGRfsK.exe
  C:\Windows\System32\BUGRfsK.exe
  2⤵
  PID:12136
- C:\Windows\System32\xWpQyBO.exe
  C:\Windows\System32\xWpQyBO.exe
  2⤵
  PID:12172
- C:\Windows\System32\pllwgSN.exe
  C:\Windows\System32\pllwgSN.exe
  2⤵
  PID:12200
- C:\Windows\System32\NtqZtaN.exe
  C:\Windows\System32\NtqZtaN.exe
  2⤵
  PID:12228
- C:\Windows\System32\KfQAkjf.exe
  C:\Windows\System32\KfQAkjf.exe
  2⤵
  PID:12264
- C:\Windows\System32\uMDJejv.exe
  C:\Windows\System32\uMDJejv.exe
  2⤵
  PID:11308
- C:\Windows\System32\TUGmgXX.exe
  C:\Windows\System32\TUGmgXX.exe
  2⤵
  PID:11276
- C:\Windows\System32\XiRrSAV.exe
  C:\Windows\System32\XiRrSAV.exe
  2⤵
  PID:11332
- C:\Windows\System32\aFNRNSc.exe
  C:\Windows\System32\aFNRNSc.exe
  2⤵
  PID:11416
- C:\Windows\System32\yzOaRUM.exe
  C:\Windows\System32\yzOaRUM.exe
  2⤵
  PID:2196
- C:\Windows\System32\PaiAOue.exe
  C:\Windows\System32\PaiAOue.exe
  2⤵
  PID:11472
- C:\Windows\System32\XEyXSnc.exe
  C:\Windows\System32\XEyXSnc.exe
  2⤵
  PID:11532
- C:\Windows\System32\TTngJUm.exe
  C:\Windows\System32\TTngJUm.exe
  2⤵
  PID:11608
- C:\Windows\System32\lhMEPgx.exe
  C:\Windows\System32\lhMEPgx.exe
  2⤵
  PID:11672
- C:\Windows\System32\cCIwHHv.exe
  C:\Windows\System32\cCIwHHv.exe
  2⤵
  PID:11776
- C:\Windows\System32\apyfyJQ.exe
  C:\Windows\System32\apyfyJQ.exe
  2⤵
  PID:11848
- C:\Windows\System32\netxxsy.exe
  C:\Windows\System32\netxxsy.exe
  2⤵
  PID:11884
- C:\Windows\System32\OLFjThq.exe
  C:\Windows\System32\OLFjThq.exe
  2⤵
  PID:11952
- C:\Windows\System32\XCzIvVq.exe
  C:\Windows\System32\XCzIvVq.exe
  2⤵
  PID:12008
- C:\Windows\System32\tMpkoqW.exe
  C:\Windows\System32\tMpkoqW.exe
  2⤵
  PID:12036
- C:\Windows\System32\bVcQcSt.exe
  C:\Windows\System32\bVcQcSt.exe
  2⤵
  PID:12116
- C:\Windows\System32\fehCsGV.exe
  C:\Windows\System32\fehCsGV.exe
  2⤵
  PID:12148
- C:\Windows\System32\oUuWCZu.exe
  C:\Windows\System32\oUuWCZu.exe
  2⤵
  PID:12192
- C:\Windows\System32\SgQuXQm.exe
  C:\Windows\System32\SgQuXQm.exe
  2⤵
  PID:12224
- C:\Windows\System32\KDrvzGD.exe
  C:\Windows\System32\KDrvzGD.exe
  2⤵
  PID:11364
- C:\Windows\System32\ByZZvgC.exe
  C:\Windows\System32\ByZZvgC.exe
  2⤵
  PID:11456
- C:\Windows\System32\qGzagyU.exe
  C:\Windows\System32\qGzagyU.exe
  2⤵
  PID:11544
- C:\Windows\System32\GtyKcYt.exe
  C:\Windows\System32\GtyKcYt.exe
  2⤵
  PID:11824
- C:\Windows\System32\zRipVrI.exe
  C:\Windows\System32\zRipVrI.exe
  2⤵
  PID:12112
- C:\Windows\System32\DiSpkwH.exe
  C:\Windows\System32\DiSpkwH.exe
  2⤵
  PID:12032
- C:\Windows\System32\HMNBhYR.exe
  C:\Windows\System32\HMNBhYR.exe
  2⤵
  PID:2032
- C:\Windows\System32\KruCOMA.exe
  C:\Windows\System32\KruCOMA.exe
  2⤵
  PID:4376
- C:\Windows\System32\mnpwhdF.exe
  C:\Windows\System32\mnpwhdF.exe
  2⤵
  PID:11584
- C:\Windows\System32\lPOkZGW.exe
  C:\Windows\System32\lPOkZGW.exe
  2⤵
  PID:11844
- C:\Windows\System32\jzWRrKu.exe
  C:\Windows\System32\jzWRrKu.exe
  2⤵
  PID:12048
- C:\Windows\System32\qPjjLgM.exe
  C:\Windows\System32\qPjjLgM.exe
  2⤵
  PID:11704
- C:\Windows\System32\xsgddYk.exe
  C:\Windows\System32\xsgddYk.exe
  2⤵
  PID:696
- C:\Windows\System32\HoOIuxU.exe
  C:\Windows\System32\HoOIuxU.exe
  2⤵
  PID:12184
- C:\Windows\System32\LMbwITK.exe
  C:\Windows\System32\LMbwITK.exe
  2⤵
  PID:12296
- C:\Windows\System32\fmkGBTK.exe
  C:\Windows\System32\fmkGBTK.exe
  2⤵
  PID:12312
- C:\Windows\System32\qkKyNCR.exe
  C:\Windows\System32\qkKyNCR.exe
  2⤵
  PID:12340
- C:\Windows\System32\GeBqMRk.exe
  C:\Windows\System32\GeBqMRk.exe
  2⤵
  PID:12360
- C:\Windows\System32\NKqcbQW.exe
  C:\Windows\System32\NKqcbQW.exe
  2⤵
  PID:12388
- C:\Windows\System32\GIDqaex.exe
  C:\Windows\System32\GIDqaex.exe
  2⤵
  PID:12404
- C:\Windows\System32\JHvsTWQ.exe
  C:\Windows\System32\JHvsTWQ.exe
  2⤵
  PID:12428
- C:\Windows\System32\kdkGnDj.exe
  C:\Windows\System32\kdkGnDj.exe
  2⤵
  PID:12460
- C:\Windows\System32\TWZSUpk.exe
  C:\Windows\System32\TWZSUpk.exe
  2⤵
  PID:12532
- C:\Windows\System32\SSVwLmJ.exe
  C:\Windows\System32\SSVwLmJ.exe
  2⤵
  PID:12568
- C:\Windows\System32\QQluwUJ.exe
  C:\Windows\System32\QQluwUJ.exe
  2⤵
  PID:12584
- C:\Windows\System32\wYCFdKl.exe
  C:\Windows\System32\wYCFdKl.exe
  2⤵
  PID:12604
- C:\Windows\System32\hnqZelU.exe
  C:\Windows\System32\hnqZelU.exe
  2⤵
  PID:12628
- C:\Windows\System32\anNEvlO.exe
  C:\Windows\System32\anNEvlO.exe
  2⤵
  PID:12672
- C:\Windows\System32\lbqYZTm.exe
  C:\Windows\System32\lbqYZTm.exe
  2⤵
  PID:12696
- C:\Windows\System32\GOStsFs.exe
  C:\Windows\System32\GOStsFs.exe
  2⤵
  PID:12724
- C:\Windows\System32\hUeqdiA.exe
  C:\Windows\System32\hUeqdiA.exe
  2⤵
  PID:12760
- C:\Windows\System32\jSDbUFW.exe
  C:\Windows\System32\jSDbUFW.exe
  2⤵
  PID:12776
- C:\Windows\System32\HaMgkvz.exe
  C:\Windows\System32\HaMgkvz.exe
  2⤵
  PID:12820
- C:\Windows\System32\BeXMAbM.exe
  C:\Windows\System32\BeXMAbM.exe
  2⤵
  PID:12860
- C:\Windows\System32\wzpHDWl.exe
  C:\Windows\System32\wzpHDWl.exe
  2⤵
  PID:12888
- C:\Windows\System32\TLgUMhp.exe
  C:\Windows\System32\TLgUMhp.exe
  2⤵
  PID:12920
- C:\Windows\System32\GuegxeV.exe
  C:\Windows\System32\GuegxeV.exe
  2⤵
  PID:12940
- C:\Windows\System32\iWqbVyM.exe
  C:\Windows\System32\iWqbVyM.exe
  2⤵
  PID:12964
- C:\Windows\System32\czpjtqB.exe
  C:\Windows\System32\czpjtqB.exe
  2⤵
  PID:12980
- C:\Windows\System32\PpLsBeh.exe
  C:\Windows\System32\PpLsBeh.exe
  2⤵
  PID:13032
- C:\Windows\System32\jnVrtnb.exe
  C:\Windows\System32\jnVrtnb.exe
  2⤵
  PID:13060
- C:\Windows\System32\MTSKMzn.exe
  C:\Windows\System32\MTSKMzn.exe
  2⤵
  PID:13084
- C:\Windows\System32\cqNLvsn.exe
  C:\Windows\System32\cqNLvsn.exe
  2⤵
  PID:13104
- C:\Windows\System32\UXWfgyj.exe
  C:\Windows\System32\UXWfgyj.exe
  2⤵
  PID:13124
- C:\Windows\System32\lhbiDyt.exe
  C:\Windows\System32\lhbiDyt.exe
  2⤵
  PID:13156
- C:\Windows\System32\YgVuxQY.exe
  C:\Windows\System32\YgVuxQY.exe
  2⤵
  PID:13180
- C:\Windows\System32\BKvbGGM.exe
  C:\Windows\System32\BKvbGGM.exe
  2⤵
  PID:13216
- C:\Windows\System32\xcVqNYn.exe
  C:\Windows\System32\xcVqNYn.exe
  2⤵
  PID:13252
- C:\Windows\System32\NKWWyOz.exe
  C:\Windows\System32\NKWWyOz.exe
  2⤵
  PID:13276
- C:\Windows\System32\TDJXyOb.exe
  C:\Windows\System32\TDJXyOb.exe
  2⤵
  PID:13300
- C:\Windows\System32\ekHHdms.exe
  C:\Windows\System32\ekHHdms.exe
  2⤵
  PID:12304
- C:\Windows\System32\yTuPbxa.exe
  C:\Windows\System32\yTuPbxa.exe
  2⤵
  PID:12380

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AWKvbwB.exe

Filesize
1.3MB

MD5
bcf5b7ca854ac9192fdc837f3f6f000c

SHA1
38528f76b046d29c69a5222af0dcfe2a7ec28a75

SHA256
fd147618755bee3284532e3bf896426c897b07823a8ffaa71989de2cab911426

SHA512
a7ef874644b596ff6629ab4676d2abb01aaffdd957241c5a8b38c4b1603cc72f61358bf05169238b011f269090ee68c1c2650837c69f6e6fca8c3ed8d5d7acbb

Download Submit
C:\Windows\System32\COIInuR.exe

Filesize
1.3MB

MD5
6d89423726021270a38d59ad622be4a9

SHA1
c3a6c7f4db51d550629ad219f08a40ce2166905b

SHA256
471b1987cc41fb3b0830c3205763c176ff8edc6d4175d938e9fe6eb45658bd1e

SHA512
c782b3c679a9d42bcd8c768d2fb32ff97d06008087776d4e57ab30dadd665dd6eb1e2219e37a98047f6a9a4a5a26ada33503407b0d30ae71356728b23e611382

Download Submit
C:\Windows\System32\DTvjZnv.exe

Filesize
1.3MB

MD5
23267b2e648cdede88e2e57bfd36fcb6

SHA1
a1cb3679fcf8a2b13e4ac772c70b8c9726f9fa8f

SHA256
48905e2998dd2e9846f024f198f295751a54c673e98e47377f3e00aad81c919d

SHA512
f3172a44d53335f28cea392c597ab4b85a92fea8866a2c8fb442475d1c202928edfe40eb3f69de59060a8749b4a447536b830211b93a262b48db3968e16ed738

Download Submit
C:\Windows\System32\FLwgupP.exe

Filesize
1.3MB

MD5
6163fb14cf08104ea4e96013df64eb9d

SHA1
369a8f71b358b2f7bcb333645003b53564e17f48

SHA256
686be02193e45eb97ecab32708bb0f17b800c02b398843a6dfe3ca6539d576ae

SHA512
f58cb2a9bd770bb277f50de63fc242e29b81c0cccc75bec26478c154fa9ba173e31eb4b47d82ef7af716f98c5440965340d6bf9af0397c38f63a4af0c530333b

Download Submit
C:\Windows\System32\FevWyHp.exe

Filesize
1.3MB

MD5
29fa8bcf542fed6d77a62d0d8f867da2

SHA1
dab5b0fa295ce7b6ef2f3be4306fff4d68d5f9d7

SHA256
9e8625b7c032ccff018f7c8801e2ecbfd8e4d08482ab3ef2a713e04c8df4e128

SHA512
994e046091695ff15dcfdeaaf4df043d258ea679f84342a07aac2d13423f64050784e00f7377d068e64ef7078bc53fdde39759cc694820c1260bfcded5f65a76

Download Submit
C:\Windows\System32\HOJyiLm.exe

Filesize
1.3MB

MD5
780c3fdcf09eb9652dea139846181b37

SHA1
534696ddaef4b155970798be9656ba647ba5afd6

SHA256
5c50b2694014e164207a1e321b6e79ec1004825c79fef5c4165d44cae19760a9

SHA512
d169cf0a3b3b4de3e9296a7bbf4b97a0d54b8b4fba569aa030d625b1b5fe99b675be44e549346fcf06455aeadd0f1de10452dc8510a66218d1a13f5e6c3855b0

Download Submit
C:\Windows\System32\HruJgAb.exe

Filesize
1.3MB

MD5
bcf8b232002f3adc83e06570391b0516

SHA1
5b05ff867091ab6d5aacf3ee01821ea12fa029bd

SHA256
99e9378bc3778e25814aa4b46051ece676796c07500ab215646ba04016b7ae76

SHA512
bcd03a0f514a71a99c96f85ecc9c4fc8a3e3a8f9543e6de6308b47ad544fc22a2ef26d9957f39f20f0116fbd26ac9a947ea968dfc25e69b5c2ede773423dd070

Download Submit
C:\Windows\System32\NzfqyWP.exe

Filesize
1.3MB

MD5
0706ba38ad5f37293e22ed40d13f44fd

SHA1
50a58d69b14425e42991a3226190b8031ee586cb

SHA256
385dad1beb6014df4856e775c3e118774232643131ac12a60a96b717a2b0a442

SHA512
10a88bdd267024262ba550be5978b5eb653e35f37d44f4439f74a25f269a3490928957498d6a99777b8ea8ac5fefe0227a9bee47c5e18722df8e016d07e18729

Download Submit
C:\Windows\System32\PBprzLu.exe

Filesize
1.3MB

MD5
ed66203f15105c7b17f24cae14ffaf83

SHA1
11bd51fc1b2b845a19eb2f644059bb5bdcd8d441

SHA256
811dba68e8606db04e8fd97ea0c1ae103a62f1b0d106aff96366e28b15db26fd

SHA512
ec20637ce2ebca279b4261f125834b4bdecbd64af06f142dc24dfda709b35f879e6ff0644c80addd67ee41ffd01b679855b9649817ecb38be466f9ee85a6e3b0

Download Submit
C:\Windows\System32\PnLImfh.exe

Filesize
1.3MB

MD5
241ab6909e45bf592b488df92bc925ad

SHA1
6b0bb812726cdc3b48a217cff23737a1e24cda05

SHA256
2c844929622b4b41db0fe64b876d6cc1f0c4eee19e41fa41f4471cd24ed8224f

SHA512
203920518efbbb6d87349c54bbff89da5d4e52180b0416eac0420986acb5182bd88e4ba12ae93603f5968cd6f581d34e3ca60aab223632ec3c22dc9d5d6192fd

Download Submit
C:\Windows\System32\SPjZuXI.exe

Filesize
1.3MB

MD5
68dea4cdf92664e59b7b474e24cc4b7d

SHA1
98f18f4d5c4d6d1a2b88aafeffa3778ce0977613

SHA256
73940e05e113718231f81af5e2b2e3db04b1abc229dd27e91cb1bd6a7929b521

SHA512
01694c77e7826b233989fd345ec5297f3d18be241fba9c58d65bfe3b100a34c05325ba0f6aeb68c089cdff920e2ce91112ca2c8a3fba315603df7f6e0a456cd3

Download Submit
C:\Windows\System32\TSUJwZE.exe

Filesize
1.3MB

MD5
664b8769959d1023e653fa1b760a61e4

SHA1
79a6c8639ca39022e8bb13fc6f29ac872f2ac8cb

SHA256
6c17584b2866fef2d6034d674844771ff98ea09e69dfaffdb9039d0ad27a4417

SHA512
8df5282f8953ad0c612dd53f518cea4817830438d751f9c6579a4e5df5f9078287ad766598905d1970e083ce41ef2249745336605fa870078e920fd3bb837565

Download Submit
C:\Windows\System32\WAtwgpa.exe

Filesize
1.3MB

MD5
f47ec816269cc66b1f32a7f5b0cf22a4

SHA1
deb27265d90b2b85f6d781be8f8a6d9dbe4c3753

SHA256
85767789e149225a23528da270535107399c2ab0d8b27e99bf6be80cf2026175

SHA512
8436476ff8351f0e3ce87a402203696672c1d4ead5e4e9a74e17d2eb2f632942ac6d37cbb3b73b1b85d99f3c7f9bd30b4dac95b29ed38e678af993f0cac41a64

Download Submit
C:\Windows\System32\ZUirXLp.exe

Filesize
1.3MB

MD5
4783341b3c5dc4915f4a08e229c4d05e

SHA1
6a5bfa02adb643f6e7511a5a175f30c5389f2f23

SHA256
2379c56f3e21f6b7d4bb050b96279c2224b77b3a2e1879fe0fd9e1602f3ebc5d

SHA512
19fdb4f84d4de478c1d98cc984c43b46eca4b1849838316f1ab6bbaeba04cc649dabdd462c9a14e5b74a68fa95fbc86bb26804ca43b40c617f2a358a1cadcc81

Download Submit
C:\Windows\System32\bRcuVZX.exe

Filesize
1.3MB

MD5
b474d1cf5e2d8a7c052bedf6caafe340

SHA1
98d10247935e2062adf133a315a103b390f509a4

SHA256
7b2687757352f218f3674950e9b0fce00f4d6257cbfee3da340ed4c588c0f9ef

SHA512
9aa5ed92415b8a238eba1397e040052f29612fb5234e03708bb9fb99b56a5dcd9264676492761497f254ba7f82d535c4fbbea481895d0bc17c5a170952799353

Download Submit
C:\Windows\System32\bZoUnkI.exe

Filesize
1.3MB

MD5
5cbd260714925bbb7b89a9c164914f2b

SHA1
3980f8af7af2c909a248d3e11e40a93bca563b11

SHA256
7b1688bb89959bafb69779b03ed72e31ac1dbd3b6c6a8a75a35dc566630a387f

SHA512
5c6db0b4fb90ddf6bf30f4a1518590461a281ca11617319ebb6c62c5013bcb188ba263dd2fd254b658fa593f77d4d44c275dd399545698aa2dc34e3f0f58e590

Download Submit
C:\Windows\System32\duluJCx.exe

Filesize
1.3MB

MD5
2acb1a360abc4d34c74b0c1b0ed5e872

SHA1
eb164ca741756bfad6116073cb53c56e168551c9

SHA256
349f2d05b8b867c65d8d22e7debace99bdeca1b0ff309ec6a0d61445454d3291

SHA512
912afdb66db06dd8b008bbea97b3f05f61daf2353036a3776ef70de9337df83cc705c9af2de2c4ef010efe1b53878b881dfaffa549d58e612bbd1d97a916b576

Download Submit
C:\Windows\System32\fozvcUo.exe

Filesize
1.3MB

MD5
1c5b071bfe261e3f6361bda4344cdab1

SHA1
40cfc228d062b973db5bd4267495ba35b968679a

SHA256
6ced8742058f73e79020af2dd5c37a8c6d17c6cddd16d0a0c73b9531f9ddd356

SHA512
e9d81bbea1ce3550cf5f13abbf2766baa27294290832652931e310a1e797953831a054dc6cb10b12674a95c67183d9a537413e6824465b88e661e4f305dc9ee6

Download Submit
C:\Windows\System32\gppfswL.exe

Filesize
1.3MB

MD5
6da342ad1b630efb6d77d8f1c198b6c5

SHA1
e7a9aea7719bf68c24ac8563cd9d0f92040c6f0b

SHA256
067c592d22655b0ed3f463019d4f9655a35c9eb0fcb0a1e4efd0194955a40bca

SHA512
478df10be5d7f6bbbff269724494180da6135323c6a742c95c342934e3c7630174acde0c8ad8dcd64f0543656e51d028b36389d688a121a65cb889f887c5794c

Download Submit
C:\Windows\System32\hgaYgSa.exe

Filesize
1.3MB

MD5
4e56b204b610e6cd6a6647c1914c753a

SHA1
fa1f2db79b34593ebab3fdd578915ed6ce8d7143

SHA256
f43d9983a02c8a8b5a25af609c4d6b4e19ef0980698b4ad3598af29e22ae3b44

SHA512
0e31a5cdd9ba91555ad3fa6043ccfcd82575f912c5ede97c0ff5800a6e79d17ebd5854db15477ceb6d6c95ae2aa248b61120a601ded5d5a9a751c80b1680732a

Download Submit
C:\Windows\System32\iQCYmBu.exe

Filesize
1.3MB

MD5
62f8f8c15409fa7c36920882b9726647

SHA1
26b7ef694720f012a6e3829b6d8e371a136a6ea7

SHA256
d28dbb6f5ec3062bc9f8950d2d41bdd2b1a813a477dc91b20fa0ff105e978ec0

SHA512
4787d63c60318d83e89e8f8577d45a133b0a180c83eebe10befd7fc019ff1f85b0d4633c3e3d59ab0cb6216d6e9b607dc1513ddefba5e4ed71e00bb7a59ee534

Download Submit
C:\Windows\System32\ihtqQiM.exe

Filesize
1.3MB

MD5
31dbf86cf4cceb935b934ce5f7564de6

SHA1
e78870fa5262cb02e8eb65371c9be27f972b6697

SHA256
22fdb439d56e71b5524a6b9a8e275a2bff89153d92f4483f8b9e1bd8f740dac5

SHA512
b465b88dbb5ab29a0aee25cbf8c08cda72a000c37ba384e2958f280acf5364ab935224f9ae62f04787834040b298e92bfba2fcdb281749a01bd4965f185a79ef

Download Submit
C:\Windows\System32\kPYGCLd.exe

Filesize
1.3MB

MD5
0ec8d286e832135ae4ae355f897014d3

SHA1
ebe8c8a066ea0f267b1b8af73281a8b394dad7b3

SHA256
6ca15ae58a7437453ffae3a0777b8b3a8d037dce6c5fd1f63417b81ddc4af761

SHA512
a9976f2fbe0cd0c6c39689bcbcf2b6c07badec9caeae7da0ee1a4af14b20211d83e66a255fa35feb024bb13291589e2293a107c4f89ab813c04f47476ab99ada

Download Submit
C:\Windows\System32\lDazdDV.exe

Filesize
1.3MB

MD5
eb7b7c9d782f16ec28a66a28d6703924

SHA1
307abff2c967a9103ef1f79ca5b76824cbcabca0

SHA256
d7b235c89441e215bb720d35210f023c98b89aed3ad7d7adabb96684521bac69

SHA512
0a01e718561dd82d746c167d7388e879705bc70168735d4af045b1d1a33f96c94534f33f06b5036bf083cc1a161a0ca02ec7f12a9f407bd0e4352b8a250a2134

Download Submit
C:\Windows\System32\lMPJstO.exe

Filesize
1.3MB

MD5
73788183e4a34997cabb9c0d26f207f7

SHA1
21e6e628319a44194fecaa15a0fa41100a4335de

SHA256
1af15bbdb83d410870443782ac6b901b26fd25cb4ae0389f48b58bea3235ba0b

SHA512
838a6c4188e14e00e1f861821e07cc41ec76d5ad0cfedc89977548e17333db20898be85efed2aaca264bcc823378a88d8e4edc2483835e634a131118106900cb

Download Submit
C:\Windows\System32\rTAfXYz.exe

Filesize
1.3MB

MD5
7409b6f9661d1fac602610a39c40c073

SHA1
403a037c6885bddddb0334834541577eab0e2883

SHA256
c0d096bf3462dbb8502dd679370988590dc436dcac3e78d1b536ce9d7e6c23e6

SHA512
e060cd22fe5dcaf00ee1660a3206c3a9db3c8b9ae8f8ad9b563940eac181651e4abd842c9536b56b4c5470c347c8960ac145847a819320565c273fc6d9ae60fe

Download Submit
C:\Windows\System32\rVulzbl.exe

Filesize
1.3MB

MD5
b981e354d33b6aefd7c0a2f77cec5ad7

SHA1
233b8563689764fe2b31434432ff2bcef78802c7

SHA256
e17359b8369f12b77578447c38a54e27a150cfb94b9f8a08009bc44b2c6f5da2

SHA512
1c73c87364bff7b0113cd7d8a72c9363cf0f7d671d442a027eb303bde0de2186efb20710368c1df9cf4c59bc7c626db6ee531d5a5dd305045d1372ed24d92fa3

Download Submit
C:\Windows\System32\rfaRCqh.exe

Filesize
1.3MB

MD5
e5f743302b2c8d3c3fd3e6caa4fd14de

SHA1
6fc1d66b79571b00c8c5e17f4a7755c98c050108

SHA256
47fe107df24728367af54779253603fa3b830e40bb25059a8082193b4fafb5e8

SHA512
25751b84ffea5d4fbb5ecf0028e38eebea01047510040d096ab6b31f690dc44c60865ee1d0ede2551552ec409538f64278a0d797206799fc188f25c8440e3602

Download Submit
C:\Windows\System32\tetHzlc.exe

Filesize
1.3MB

MD5
4049eb65e8de034a2c3c1d3f83f07a73

SHA1
37998f87afe1f13be68cfdd095179b0797648c84

SHA256
71c1d59758f27c4a8950db5f5186b1fc361431fcdef641e6d392270600366043

SHA512
3bf9c3447d493be36810b636f5f875949effb87d93b2330f59bf932514aaecc42df23765d8b6d53ef355dd83fed30c716f0f72000271aa98f2f66d636ea6e76a

Download Submit
C:\Windows\System32\uAmwjWa.exe

Filesize
1.3MB

MD5
35824a3f15c33e2de4e19ba228d73a08

SHA1
e4372bf4f3ab4acc1ca0046278e788610a256a4f

SHA256
72fc19fb79130da1bdbe93a26c63e21ac4aefdce314735246ce13f08de031436

SHA512
5a537643455bc7a24ea1d3c9535065c1564fd01a91588a91e147c3a895f3d63dcaad54f4697f8eb881b479a207414e176e5ebdc7819069a8d07edb3daee3e35b

Download Submit
C:\Windows\System32\uEAEGbF.exe

Filesize
1.3MB

MD5
c96e7b1eaedaf6d8f34dc05ddc56ba66

SHA1
9e7e35b02321d8449fad381d3d66fa16bb07d477

SHA256
6aa3119ef9163ad835941033d180f96176db3bcace77dfb88ae713d6a3c47208

SHA512
8110f69833450ffe0de89dd74e44ce349f6f43296927e0d76ed51dd572533e9bfd209c2f4fc9119c38e137001e08f4d083babd08202b15096bb103b7238392fe

Download Submit
C:\Windows\System32\wbHXdlX.exe

Filesize
1.3MB

MD5
ae6dc41d2be01086e5af7110ca02e4d6

SHA1
fee1c33770efdbdc64c5c6d2f81fd908bcf35c88

SHA256
f7c91b7d7d384271d67f2815480b9c9d03333f442401e79ce28e792cbf954b8e

SHA512
9aca6d0de547f02fa138c06425b612729736fbcc1bbf3cae7b3859561304c5e4857654677b0b019b199cdf0b79be306d3ff5d2e6096ae5e8df531cd18d770846

Download Submit
memory/116-1-0x0000025C36750000-0x0000025C36760000-memory.dmp

Filesize
64KB

Download
memory/116-1212-0x00007FF760070000-0x00007FF760461000-memory.dmp

Filesize
3.9MB

Download
memory/116-2003-0x00007FF760070000-0x00007FF760461000-memory.dmp

Filesize
3.9MB

Download
memory/116-0-0x00007FF760070000-0x00007FF760461000-memory.dmp

Filesize
3.9MB

Download
memory/740-78-0x00007FF680240000-0x00007FF680631000-memory.dmp

Filesize
3.9MB

Download
memory/740-2030-0x00007FF680240000-0x00007FF680631000-memory.dmp

Filesize
3.9MB

Download
memory/944-2018-0x00007FF628030000-0x00007FF628421000-memory.dmp

Filesize
3.9MB

Download
memory/944-26-0x00007FF628030000-0x00007FF628421000-memory.dmp

Filesize
3.9MB

Download
memory/1204-2022-0x00007FF788AC0000-0x00007FF788EB1000-memory.dmp

Filesize
3.9MB

Download
memory/1204-39-0x00007FF788AC0000-0x00007FF788EB1000-memory.dmp

Filesize
3.9MB

Download
memory/1204-1965-0x00007FF788AC0000-0x00007FF788EB1000-memory.dmp

Filesize
3.9MB

Download
memory/1480-96-0x00007FF7A7F20000-0x00007FF7A8311000-memory.dmp

Filesize
3.9MB

Download
memory/1480-2032-0x00007FF7A7F20000-0x00007FF7A8311000-memory.dmp

Filesize
3.9MB

Download
memory/1628-1966-0x00007FF7F8B20000-0x00007FF7F8F11000-memory.dmp

Filesize
3.9MB

Download
memory/1628-2040-0x00007FF7F8B20000-0x00007FF7F8F11000-memory.dmp

Filesize
3.9MB

Download
memory/1628-90-0x00007FF7F8B20000-0x00007FF7F8F11000-memory.dmp

Filesize
3.9MB

Download
memory/1912-1967-0x00007FF657380000-0x00007FF657771000-memory.dmp

Filesize
3.9MB

Download
memory/1912-48-0x00007FF657380000-0x00007FF657771000-memory.dmp

Filesize
3.9MB

Download
memory/1912-2024-0x00007FF657380000-0x00007FF657771000-memory.dmp

Filesize
3.9MB

Download
memory/2068-2038-0x00007FF6DE430000-0x00007FF6DE821000-memory.dmp

Filesize
3.9MB

Download
memory/2068-82-0x00007FF6DE430000-0x00007FF6DE821000-memory.dmp

Filesize
3.9MB

Download
memory/2132-510-0x00007FF7B29E0000-0x00007FF7B2DD1000-memory.dmp

Filesize
3.9MB

Download
memory/2132-2046-0x00007FF7B29E0000-0x00007FF7B2DD1000-memory.dmp

Filesize
3.9MB

Download
memory/2168-2005-0x00007FF6972E0000-0x00007FF6976D1000-memory.dmp

Filesize
3.9MB

Download
memory/2168-2052-0x00007FF6972E0000-0x00007FF6976D1000-memory.dmp

Filesize
3.9MB

Download
memory/2168-113-0x00007FF6972E0000-0x00007FF6976D1000-memory.dmp

Filesize
3.9MB

Download
memory/2244-85-0x00007FF6CA890000-0x00007FF6CAC81000-memory.dmp

Filesize
3.9MB

Download
memory/2244-2036-0x00007FF6CA890000-0x00007FF6CAC81000-memory.dmp

Filesize
3.9MB

Download
memory/2296-103-0x00007FF7A8900000-0x00007FF7A8CF1000-memory.dmp

Filesize
3.9MB

Download
memory/2296-2058-0x00007FF7A8900000-0x00007FF7A8CF1000-memory.dmp

Filesize
3.9MB

Download
memory/2372-506-0x00007FF76BE90000-0x00007FF76C281000-memory.dmp

Filesize
3.9MB

Download
memory/2372-2045-0x00007FF76BE90000-0x00007FF76C281000-memory.dmp

Filesize
3.9MB

Download
memory/2516-496-0x00007FF742A70000-0x00007FF742E61000-memory.dmp

Filesize
3.9MB

Download
memory/2516-2048-0x00007FF742A70000-0x00007FF742E61000-memory.dmp

Filesize
3.9MB

Download
memory/2596-99-0x00007FF644100000-0x00007FF6444F1000-memory.dmp

Filesize
3.9MB

Download
memory/2596-1968-0x00007FF644100000-0x00007FF6444F1000-memory.dmp

Filesize
3.9MB

Download
memory/2596-2204-0x00007FF644100000-0x00007FF6444F1000-memory.dmp

Filesize
3.9MB

Download
memory/2880-2011-0x00007FF72A420000-0x00007FF72A811000-memory.dmp

Filesize
3.9MB

Download
memory/2880-15-0x00007FF72A420000-0x00007FF72A811000-memory.dmp

Filesize
3.9MB

Download
memory/2948-106-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp

Filesize
3.9MB

Download
memory/2948-2056-0x00007FF69CC60000-0x00007FF69D051000-memory.dmp

Filesize
3.9MB

Download
memory/3028-95-0x00007FF7C1380000-0x00007FF7C1771000-memory.dmp

Filesize
3.9MB

Download
memory/3028-2026-0x00007FF7C1380000-0x00007FF7C1771000-memory.dmp

Filesize
3.9MB

Download
memory/3480-2020-0x00007FF738FC0000-0x00007FF7393B1000-memory.dmp

Filesize
3.9MB

Download
memory/3480-17-0x00007FF738FC0000-0x00007FF7393B1000-memory.dmp

Filesize
3.9MB

Download
memory/3584-1704-0x00007FF7C1730000-0x00007FF7C1B21000-memory.dmp

Filesize
3.9MB

Download
memory/3584-8-0x00007FF7C1730000-0x00007FF7C1B21000-memory.dmp

Filesize
3.9MB

Download
memory/3584-2009-0x00007FF7C1730000-0x00007FF7C1B21000-memory.dmp

Filesize
3.9MB

Download
memory/3684-2051-0x00007FF7FE750000-0x00007FF7FEB41000-memory.dmp

Filesize
3.9MB

Download
memory/3684-495-0x00007FF7FE750000-0x00007FF7FEB41000-memory.dmp

Filesize
3.9MB

Download
memory/3712-108-0x00007FF6B5EF0000-0x00007FF6B62E1000-memory.dmp

Filesize
3.9MB

Download
memory/3712-1975-0x00007FF6B5EF0000-0x00007FF6B62E1000-memory.dmp

Filesize
3.9MB

Download
memory/3712-2054-0x00007FF6B5EF0000-0x00007FF6B62E1000-memory.dmp

Filesize
3.9MB

Download
memory/4372-2028-0x00007FF6A7590000-0x00007FF6A7981000-memory.dmp

Filesize
3.9MB

Download
memory/4372-68-0x00007FF6A7590000-0x00007FF6A7981000-memory.dmp

Filesize
3.9MB

Download
memory/4640-2034-0x00007FF78DD60000-0x00007FF78E151000-memory.dmp

Filesize
3.9MB

Download
memory/4640-91-0x00007FF78DD60000-0x00007FF78E151000-memory.dmp

Filesize
3.9MB

Download
memory/4984-518-0x00007FF612370000-0x00007FF612761000-memory.dmp

Filesize
3.9MB

Download
memory/4984-2042-0x00007FF612370000-0x00007FF612761000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads