xmrig | 850e3b3d50362e4642c3a1ce8d6a99ba04d54cc4c945675b12cc99823859888e

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
Size

938KB
MD5

0f2ea9757e346e0dbd42b2362aee3517
SHA1

d196a89c26d6ae10a21cf34454a8994140a2a311
SHA256

850e3b3d50362e4642c3a1ce8d6a99ba04d54cc4c945675b12cc99823859888e
SHA512

f68f4c85af0c9ab199c246d1218e953ab3debcff457df888ff6389cbf8e9c54659731d12dd268ed60c7837a632d1f4a2041adaa36d5ceddc4631ecb231a5322b
SSDEEP

24576:JanwhSe11QSONCpGJCjETPl+Me7bPMS8YkgcWT:knw9oUUEEDl+xTMS8TgF

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/3796-31-0x00007FF641F00000-0x00007FF6422F1000-memory.dmp	xmrig
behavioral2/memory/1032-352-0x00007FF777C00000-0x00007FF777FF1000-memory.dmp	xmrig
behavioral2/memory/3440-371-0x00007FF6151E0000-0x00007FF6155D1000-memory.dmp	xmrig
behavioral2/memory/1864-381-0x00007FF78BC60000-0x00007FF78C051000-memory.dmp	xmrig
behavioral2/memory/4964-390-0x00007FF7884C0000-0x00007FF7888B1000-memory.dmp	xmrig
behavioral2/memory/3464-385-0x00007FF70FAE0000-0x00007FF70FED1000-memory.dmp	xmrig
behavioral2/memory/5088-394-0x00007FF780BC0000-0x00007FF780FB1000-memory.dmp	xmrig
behavioral2/memory/4388-399-0x00007FF781720000-0x00007FF781B11000-memory.dmp	xmrig
behavioral2/memory/1424-408-0x00007FF749CB0000-0x00007FF74A0A1000-memory.dmp	xmrig
behavioral2/memory/2396-410-0x00007FF694DA0000-0x00007FF695191000-memory.dmp	xmrig
behavioral2/memory/3376-420-0x00007FF67EAF0000-0x00007FF67EEE1000-memory.dmp	xmrig
behavioral2/memory/1264-429-0x00007FF650D30000-0x00007FF651121000-memory.dmp	xmrig
behavioral2/memory/4828-440-0x00007FF67A690000-0x00007FF67AA81000-memory.dmp	xmrig
behavioral2/memory/3260-441-0x00007FF6C0AA0000-0x00007FF6C0E91000-memory.dmp	xmrig
behavioral2/memory/2324-442-0x00007FF7D2380000-0x00007FF7D2771000-memory.dmp	xmrig
behavioral2/memory/3760-443-0x00007FF60F620000-0x00007FF60FA11000-memory.dmp	xmrig
behavioral2/memory/1372-444-0x00007FF6AC770000-0x00007FF6ACB61000-memory.dmp	xmrig
behavioral2/memory/4132-439-0x00007FF74ADF0000-0x00007FF74B1E1000-memory.dmp	xmrig
behavioral2/memory/4628-435-0x00007FF658980000-0x00007FF658D71000-memory.dmp	xmrig
behavioral2/memory/3396-422-0x00007FF689B70000-0x00007FF689F61000-memory.dmp	xmrig
behavioral2/memory/748-38-0x00007FF6F01F0000-0x00007FF6F05E1000-memory.dmp	xmrig
behavioral2/memory/3796-2006-0x00007FF641F00000-0x00007FF6422F1000-memory.dmp	xmrig
behavioral2/memory/5024-2005-0x00007FF7CA340000-0x00007FF7CA731000-memory.dmp	xmrig
behavioral2/memory/3388-2004-0x00007FF703690000-0x00007FF703A81000-memory.dmp	xmrig
behavioral2/memory/2900-2039-0x00007FF7CB780000-0x00007FF7CBB71000-memory.dmp	xmrig
behavioral2/memory/3388-2041-0x00007FF703690000-0x00007FF703A81000-memory.dmp	xmrig
behavioral2/memory/748-2043-0x00007FF6F01F0000-0x00007FF6F05E1000-memory.dmp	xmrig
behavioral2/memory/2900-2047-0x00007FF7CB780000-0x00007FF7CBB71000-memory.dmp	xmrig
behavioral2/memory/3796-2049-0x00007FF641F00000-0x00007FF6422F1000-memory.dmp	xmrig
behavioral2/memory/5024-2045-0x00007FF7CA340000-0x00007FF7CA731000-memory.dmp	xmrig
behavioral2/memory/4132-2082-0x00007FF74ADF0000-0x00007FF74B1E1000-memory.dmp	xmrig
behavioral2/memory/4628-2079-0x00007FF658980000-0x00007FF658D71000-memory.dmp	xmrig
behavioral2/memory/1264-2077-0x00007FF650D30000-0x00007FF651121000-memory.dmp	xmrig
behavioral2/memory/3376-2073-0x00007FF67EAF0000-0x00007FF67EEE1000-memory.dmp	xmrig
behavioral2/memory/3396-2075-0x00007FF689B70000-0x00007FF689F61000-memory.dmp	xmrig
behavioral2/memory/2396-2071-0x00007FF694DA0000-0x00007FF695191000-memory.dmp	xmrig
behavioral2/memory/3464-2069-0x00007FF70FAE0000-0x00007FF70FED1000-memory.dmp	xmrig
behavioral2/memory/1424-2063-0x00007FF749CB0000-0x00007FF74A0A1000-memory.dmp	xmrig
behavioral2/memory/3440-2057-0x00007FF6151E0000-0x00007FF6155D1000-memory.dmp	xmrig
behavioral2/memory/5088-2067-0x00007FF780BC0000-0x00007FF780FB1000-memory.dmp	xmrig
behavioral2/memory/4964-2053-0x00007FF7884C0000-0x00007FF7888B1000-memory.dmp	xmrig
behavioral2/memory/4388-2065-0x00007FF781720000-0x00007FF781B11000-memory.dmp	xmrig
behavioral2/memory/1864-2061-0x00007FF78BC60000-0x00007FF78C051000-memory.dmp	xmrig
behavioral2/memory/1372-2059-0x00007FF6AC770000-0x00007FF6ACB61000-memory.dmp	xmrig
behavioral2/memory/3760-2055-0x00007FF60F620000-0x00007FF60FA11000-memory.dmp	xmrig
behavioral2/memory/1032-2051-0x00007FF777C00000-0x00007FF777FF1000-memory.dmp	xmrig
behavioral2/memory/2324-2088-0x00007FF7D2380000-0x00007FF7D2771000-memory.dmp	xmrig
behavioral2/memory/4828-2086-0x00007FF67A690000-0x00007FF67AA81000-memory.dmp	xmrig
behavioral2/memory/3260-2084-0x00007FF6C0AA0000-0x00007FF6C0E91000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3388	JdTNMXN.exe
748	meDvoRp.exe
2900	XzhTgdP.exe
3796	eKqcCHR.exe
5024	GlUtTdj.exe
1032	oiNLijO.exe
3760	pAIaGFN.exe
1372	guToiex.exe
3440	zPOfvyl.exe
1864	lEfckWA.exe
3464	vSiJMPX.exe
4964	NmbCFTb.exe
5088	gIaUGCp.exe
4388	WGMKDAc.exe
1424	BdrkMTe.exe
2396	tFGPSpp.exe
3376	KeZzFBv.exe
3396	JMWzAsg.exe
1264	QZgnKis.exe
4628	HaaWmAw.exe
4132	FhYXrLQ.exe
4828	eTCZQhH.exe
3260	pNmCQzC.exe
2324	OLPRNKQ.exe
532	rPojgVS.exe
4672	kvTupsn.exe
920	qyKmPMZ.exe
4304	JbkCirH.exe
1004	LrOXzci.exe
1128	LEkzlzE.exe
3744	SjqjXky.exe
2936	pcIcOAh.exe
4004	tXTHsQp.exe
4696	WAfUPMU.exe
4544	aHZHtJS.exe
2840	FjntOSa.exe
2956	DiDbFVf.exe
1916	yplxHsq.exe
2708	pLzcxAq.exe
2244	OvWSvdc.exe
4688	wrbXJPV.exe
4068	gwbtrCH.exe
2320	KLWmITq.exe
4988	zTeGQIs.exe
1156	aImgbFy.exe
4280	ODEyzcZ.exe
4064	cEueyea.exe
4968	rlbdngh.exe
840	mPKWIWc.exe
4184	URrsQwQ.exe
4896	KtLrVUa.exe
4948	XWFEdEs.exe
1152	zheAwDI.exe
4900	YATzoao.exe
1164	FTdJEaT.exe
4812	KYEmUhl.exe
1324	FATCZsf.exe
2252	OFqpWgD.exe
4880	okgcdjK.exe
4504	kFJMJJe.exe
4568	MfvDtzd.exe
4684	ubrsPGi.exe
624	ewKVxrf.exe
4860	jTbSiYU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/8-0-0x00007FF78D8A0000-0x00007FF78DC91000-memory.dmp	upx
behavioral2/files/0x000d000000023b87-5.dat	upx
behavioral2/files/0x000a000000023b9b-7.dat	upx
behavioral2/memory/3388-22-0x00007FF703690000-0x00007FF703A81000-memory.dmp	upx
behavioral2/memory/2900-27-0x00007FF7CB780000-0x00007FF7CBB71000-memory.dmp	upx
behavioral2/memory/3796-31-0x00007FF641F00000-0x00007FF6422F1000-memory.dmp	upx
behavioral2/memory/5024-36-0x00007FF7CA340000-0x00007FF7CA731000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-39.dat	upx
behavioral2/files/0x000a000000023ba0-46.dat	upx
behavioral2/files/0x000a000000023ba1-51.dat	upx
behavioral2/files/0x000a000000023ba6-74.dat	upx
behavioral2/files/0x000a000000023ba8-84.dat	upx
behavioral2/files/0x000a000000023baa-96.dat	upx
behavioral2/files/0x000a000000023bac-107.dat	upx
behavioral2/files/0x000a000000023bae-116.dat	upx
behavioral2/memory/1032-352-0x00007FF777C00000-0x00007FF777FF1000-memory.dmp	upx
behavioral2/memory/3440-371-0x00007FF6151E0000-0x00007FF6155D1000-memory.dmp	upx
behavioral2/memory/1864-381-0x00007FF78BC60000-0x00007FF78C051000-memory.dmp	upx
behavioral2/memory/4964-390-0x00007FF7884C0000-0x00007FF7888B1000-memory.dmp	upx
behavioral2/memory/3464-385-0x00007FF70FAE0000-0x00007FF70FED1000-memory.dmp	upx
behavioral2/memory/5088-394-0x00007FF780BC0000-0x00007FF780FB1000-memory.dmp	upx
behavioral2/memory/4388-399-0x00007FF781720000-0x00007FF781B11000-memory.dmp	upx
behavioral2/memory/1424-408-0x00007FF749CB0000-0x00007FF74A0A1000-memory.dmp	upx
behavioral2/memory/2396-410-0x00007FF694DA0000-0x00007FF695191000-memory.dmp	upx
behavioral2/memory/3376-420-0x00007FF67EAF0000-0x00007FF67EEE1000-memory.dmp	upx
behavioral2/memory/1264-429-0x00007FF650D30000-0x00007FF651121000-memory.dmp	upx
behavioral2/memory/4828-440-0x00007FF67A690000-0x00007FF67AA81000-memory.dmp	upx
behavioral2/memory/3260-441-0x00007FF6C0AA0000-0x00007FF6C0E91000-memory.dmp	upx
behavioral2/memory/2324-442-0x00007FF7D2380000-0x00007FF7D2771000-memory.dmp	upx
behavioral2/memory/3760-443-0x00007FF60F620000-0x00007FF60FA11000-memory.dmp	upx
behavioral2/memory/1372-444-0x00007FF6AC770000-0x00007FF6ACB61000-memory.dmp	upx
behavioral2/memory/4132-439-0x00007FF74ADF0000-0x00007FF74B1E1000-memory.dmp	upx
behavioral2/memory/4628-435-0x00007FF658980000-0x00007FF658D71000-memory.dmp	upx
behavioral2/memory/3396-422-0x00007FF689B70000-0x00007FF689F61000-memory.dmp	upx
behavioral2/files/0x000a000000023bb8-167.dat	upx
behavioral2/files/0x000a000000023bb7-161.dat	upx
behavioral2/files/0x000a000000023bb6-157.dat	upx
behavioral2/files/0x000a000000023bb5-151.dat	upx
behavioral2/files/0x000a000000023bb4-147.dat	upx
behavioral2/files/0x000a000000023bb3-142.dat	upx
behavioral2/files/0x000a000000023bb2-137.dat	upx
behavioral2/files/0x000a000000023bb1-132.dat	upx
behavioral2/files/0x000a000000023bb0-127.dat	upx
behavioral2/files/0x000a000000023baf-121.dat	upx
behavioral2/files/0x000a000000023bad-111.dat	upx
behavioral2/files/0x000a000000023bab-101.dat	upx
behavioral2/files/0x000a000000023ba9-91.dat	upx
behavioral2/files/0x000a000000023ba7-81.dat	upx
behavioral2/files/0x000a000000023ba5-71.dat	upx
behavioral2/files/0x000a000000023ba4-67.dat	upx
behavioral2/files/0x000a000000023ba3-61.dat	upx
behavioral2/files/0x000a000000023ba2-57.dat	upx
behavioral2/memory/748-38-0x00007FF6F01F0000-0x00007FF6F05E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-33.dat	upx
behavioral2/files/0x000a000000023b9d-29.dat	upx
behavioral2/files/0x000a000000023b9c-26.dat	upx
behavioral2/files/0x000b000000023b95-13.dat	upx
behavioral2/memory/3796-2006-0x00007FF641F00000-0x00007FF6422F1000-memory.dmp	upx
behavioral2/memory/5024-2005-0x00007FF7CA340000-0x00007FF7CA731000-memory.dmp	upx
behavioral2/memory/3388-2004-0x00007FF703690000-0x00007FF703A81000-memory.dmp	upx
behavioral2/memory/2900-2039-0x00007FF7CB780000-0x00007FF7CBB71000-memory.dmp	upx
behavioral2/memory/3388-2041-0x00007FF703690000-0x00007FF703A81000-memory.dmp	upx
behavioral2/memory/748-2043-0x00007FF6F01F0000-0x00007FF6F05E1000-memory.dmp	upx
behavioral2/memory/2900-2047-0x00007FF7CB780000-0x00007FF7CBB71000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\wtrtuxa.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\mfknVcg.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\BxrJrPa.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\iuiiDVo.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\fSxpJOm.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\erHPMZO.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\pAIaGFN.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\Obdxupm.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\xajswgV.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\lzCMrZw.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\PhFZWkG.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\NHkuxfs.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\DlWFfOQ.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\MFjDULH.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\OawACKm.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\guToiex.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\YgzNvXO.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\zhDjRgq.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\OeHoljS.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\YzeDjrb.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\OyQUMXh.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\LXmUTzO.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\CwLeNkw.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\WrbtPKj.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\TWMzVES.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\jyLJATS.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\YuTlnvZ.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\hqsEeei.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\RTxbkWX.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\jGQPlNL.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\httsPVp.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\CvUDuNp.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\PttAIfM.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\tFGPSpp.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\DagZXSX.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\GXDnhxj.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\CVctXnm.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\zlAljiz.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\bPeWMyR.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\kHmWPnT.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\bcMpknE.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\WdiDPFd.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\xkxBdme.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\ZWgqnbO.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\mMgDQhU.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\QZgnKis.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\oegrxYE.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\wbDrISE.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\VDCltcK.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\UlzWiya.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\xOojlbU.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\iUntZVy.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\aJrGqYo.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\hxEUtyE.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\JwlfKoH.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\bUIlwpw.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\jPFGGNx.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\NJgWFBl.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\OMLVcTL.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\CzhrmPU.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\mfLaDJE.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\QjnHqIb.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\pcXtWjZ.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
File created	C:\Windows\System32\XdwDhFf.exe	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12644	dwm.exe
Token: SeChangeNotifyPrivilege	12644	dwm.exe
Token: 33	12644	dwm.exe
Token: SeIncBasePriorityPrivilege	12644	dwm.exe
Token: SeShutdownPrivilege	12644	dwm.exe
Token: SeCreatePagefilePrivilege	12644	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3388	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	84
PID 8 wrote to memory of 3388	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	84
PID 8 wrote to memory of 748	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	85
PID 8 wrote to memory of 748	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	85
PID 8 wrote to memory of 2900	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	86
PID 8 wrote to memory of 2900	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	86
PID 8 wrote to memory of 3796	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	87
PID 8 wrote to memory of 3796	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	87
PID 8 wrote to memory of 5024	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	88
PID 8 wrote to memory of 5024	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	88
PID 8 wrote to memory of 1032	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	89
PID 8 wrote to memory of 1032	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	89
PID 8 wrote to memory of 3760	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	90
PID 8 wrote to memory of 3760	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	90
PID 8 wrote to memory of 1372	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	91
PID 8 wrote to memory of 1372	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	91
PID 8 wrote to memory of 3440	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	92
PID 8 wrote to memory of 3440	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	92
PID 8 wrote to memory of 1864	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	93
PID 8 wrote to memory of 1864	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	93
PID 8 wrote to memory of 3464	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	94
PID 8 wrote to memory of 3464	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	94
PID 8 wrote to memory of 4964	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	95
PID 8 wrote to memory of 4964	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	95
PID 8 wrote to memory of 5088	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	96
PID 8 wrote to memory of 5088	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	96
PID 8 wrote to memory of 4388	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	97
PID 8 wrote to memory of 4388	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	97
PID 8 wrote to memory of 1424	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	98
PID 8 wrote to memory of 1424	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	98
PID 8 wrote to memory of 2396	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	99
PID 8 wrote to memory of 2396	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	99
PID 8 wrote to memory of 3376	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	100
PID 8 wrote to memory of 3376	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	100
PID 8 wrote to memory of 3396	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	101
PID 8 wrote to memory of 3396	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	101
PID 8 wrote to memory of 1264	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	102
PID 8 wrote to memory of 1264	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	102
PID 8 wrote to memory of 4628	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	103
PID 8 wrote to memory of 4628	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	103
PID 8 wrote to memory of 4132	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	104
PID 8 wrote to memory of 4132	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	104
PID 8 wrote to memory of 4828	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	105
PID 8 wrote to memory of 4828	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	105
PID 8 wrote to memory of 3260	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	106
PID 8 wrote to memory of 3260	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	106
PID 8 wrote to memory of 2324	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	107
PID 8 wrote to memory of 2324	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	107
PID 8 wrote to memory of 532	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	108
PID 8 wrote to memory of 532	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	108
PID 8 wrote to memory of 4672	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	109
PID 8 wrote to memory of 4672	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	109
PID 8 wrote to memory of 920	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	110
PID 8 wrote to memory of 920	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	110
PID 8 wrote to memory of 4304	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	111
PID 8 wrote to memory of 4304	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	111
PID 8 wrote to memory of 1004	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	112
PID 8 wrote to memory of 1004	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	112
PID 8 wrote to memory of 1128	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	113
PID 8 wrote to memory of 1128	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	113
PID 8 wrote to memory of 3744	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	114
PID 8 wrote to memory of 3744	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	114
PID 8 wrote to memory of 2936	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	115
PID 8 wrote to memory of 2936	8	0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f2ea9757e346e0dbd42b2362aee3517_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\System32\JdTNMXN.exe
  C:\Windows\System32\JdTNMXN.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System32\meDvoRp.exe
  C:\Windows\System32\meDvoRp.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System32\XzhTgdP.exe
  C:\Windows\System32\XzhTgdP.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System32\eKqcCHR.exe
  C:\Windows\System32\eKqcCHR.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System32\GlUtTdj.exe
  C:\Windows\System32\GlUtTdj.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System32\oiNLijO.exe
  C:\Windows\System32\oiNLijO.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System32\pAIaGFN.exe
  C:\Windows\System32\pAIaGFN.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System32\guToiex.exe
  C:\Windows\System32\guToiex.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System32\zPOfvyl.exe
  C:\Windows\System32\zPOfvyl.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\lEfckWA.exe
  C:\Windows\System32\lEfckWA.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System32\vSiJMPX.exe
  C:\Windows\System32\vSiJMPX.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\NmbCFTb.exe
  C:\Windows\System32\NmbCFTb.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System32\gIaUGCp.exe
  C:\Windows\System32\gIaUGCp.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\WGMKDAc.exe
  C:\Windows\System32\WGMKDAc.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\BdrkMTe.exe
  C:\Windows\System32\BdrkMTe.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System32\tFGPSpp.exe
  C:\Windows\System32\tFGPSpp.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\KeZzFBv.exe
  C:\Windows\System32\KeZzFBv.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System32\JMWzAsg.exe
  C:\Windows\System32\JMWzAsg.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System32\QZgnKis.exe
  C:\Windows\System32\QZgnKis.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System32\HaaWmAw.exe
  C:\Windows\System32\HaaWmAw.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\FhYXrLQ.exe
  C:\Windows\System32\FhYXrLQ.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\eTCZQhH.exe
  C:\Windows\System32\eTCZQhH.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\pNmCQzC.exe
  C:\Windows\System32\pNmCQzC.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\OLPRNKQ.exe
  C:\Windows\System32\OLPRNKQ.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System32\rPojgVS.exe
  C:\Windows\System32\rPojgVS.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\kvTupsn.exe
  C:\Windows\System32\kvTupsn.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\qyKmPMZ.exe
  C:\Windows\System32\qyKmPMZ.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System32\JbkCirH.exe
  C:\Windows\System32\JbkCirH.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\LrOXzci.exe
  C:\Windows\System32\LrOXzci.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System32\LEkzlzE.exe
  C:\Windows\System32\LEkzlzE.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System32\SjqjXky.exe
  C:\Windows\System32\SjqjXky.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\pcIcOAh.exe
  C:\Windows\System32\pcIcOAh.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\tXTHsQp.exe
  C:\Windows\System32\tXTHsQp.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System32\WAfUPMU.exe
  C:\Windows\System32\WAfUPMU.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\aHZHtJS.exe
  C:\Windows\System32\aHZHtJS.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\FjntOSa.exe
  C:\Windows\System32\FjntOSa.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System32\DiDbFVf.exe
  C:\Windows\System32\DiDbFVf.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\yplxHsq.exe
  C:\Windows\System32\yplxHsq.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\pLzcxAq.exe
  C:\Windows\System32\pLzcxAq.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System32\OvWSvdc.exe
  C:\Windows\System32\OvWSvdc.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System32\wrbXJPV.exe
  C:\Windows\System32\wrbXJPV.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System32\gwbtrCH.exe
  C:\Windows\System32\gwbtrCH.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System32\KLWmITq.exe
  C:\Windows\System32\KLWmITq.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System32\zTeGQIs.exe
  C:\Windows\System32\zTeGQIs.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\aImgbFy.exe
  C:\Windows\System32\aImgbFy.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System32\ODEyzcZ.exe
  C:\Windows\System32\ODEyzcZ.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\cEueyea.exe
  C:\Windows\System32\cEueyea.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System32\rlbdngh.exe
  C:\Windows\System32\rlbdngh.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\mPKWIWc.exe
  C:\Windows\System32\mPKWIWc.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System32\URrsQwQ.exe
  C:\Windows\System32\URrsQwQ.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System32\KtLrVUa.exe
  C:\Windows\System32\KtLrVUa.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System32\XWFEdEs.exe
  C:\Windows\System32\XWFEdEs.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\zheAwDI.exe
  C:\Windows\System32\zheAwDI.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System32\YATzoao.exe
  C:\Windows\System32\YATzoao.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\FTdJEaT.exe
  C:\Windows\System32\FTdJEaT.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\KYEmUhl.exe
  C:\Windows\System32\KYEmUhl.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System32\FATCZsf.exe
  C:\Windows\System32\FATCZsf.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System32\OFqpWgD.exe
  C:\Windows\System32\OFqpWgD.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System32\okgcdjK.exe
  C:\Windows\System32\okgcdjK.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\kFJMJJe.exe
  C:\Windows\System32\kFJMJJe.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System32\MfvDtzd.exe
  C:\Windows\System32\MfvDtzd.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\ubrsPGi.exe
  C:\Windows\System32\ubrsPGi.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\ewKVxrf.exe
  C:\Windows\System32\ewKVxrf.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\jTbSiYU.exe
  C:\Windows\System32\jTbSiYU.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\YqdwraQ.exe
  C:\Windows\System32\YqdwraQ.exe
  2⤵
  PID:540
- C:\Windows\System32\GhjKZKb.exe
  C:\Windows\System32\GhjKZKb.exe
  2⤵
  PID:2968
- C:\Windows\System32\fGyXifV.exe
  C:\Windows\System32\fGyXifV.exe
  2⤵
  PID:2368
- C:\Windows\System32\atEjMdf.exe
  C:\Windows\System32\atEjMdf.exe
  2⤵
  PID:5056
- C:\Windows\System32\DZhgtDP.exe
  C:\Windows\System32\DZhgtDP.exe
  2⤵
  PID:5068
- C:\Windows\System32\hqsEeei.exe
  C:\Windows\System32\hqsEeei.exe
  2⤵
  PID:3916
- C:\Windows\System32\HKAHKLa.exe
  C:\Windows\System32\HKAHKLa.exe
  2⤵
  PID:1840
- C:\Windows\System32\wGPZKEq.exe
  C:\Windows\System32\wGPZKEq.exe
  2⤵
  PID:948
- C:\Windows\System32\QSNzvMq.exe
  C:\Windows\System32\QSNzvMq.exe
  2⤵
  PID:3140
- C:\Windows\System32\GRxDrKL.exe
  C:\Windows\System32\GRxDrKL.exe
  2⤵
  PID:4012
- C:\Windows\System32\KjKxaMk.exe
  C:\Windows\System32\KjKxaMk.exe
  2⤵
  PID:4332
- C:\Windows\System32\ptHexvg.exe
  C:\Windows\System32\ptHexvg.exe
  2⤵
  PID:4648
- C:\Windows\System32\eFuVIqg.exe
  C:\Windows\System32\eFuVIqg.exe
  2⤵
  PID:884
- C:\Windows\System32\hygUDZT.exe
  C:\Windows\System32\hygUDZT.exe
  2⤵
  PID:1872
- C:\Windows\System32\gGOImgT.exe
  C:\Windows\System32\gGOImgT.exe
  2⤵
  PID:4076
- C:\Windows\System32\tdkZYXH.exe
  C:\Windows\System32\tdkZYXH.exe
  2⤵
  PID:1512
- C:\Windows\System32\DagZXSX.exe
  C:\Windows\System32\DagZXSX.exe
  2⤵
  PID:1260
- C:\Windows\System32\JonvVND.exe
  C:\Windows\System32\JonvVND.exe
  2⤵
  PID:2656
- C:\Windows\System32\ObcCCWK.exe
  C:\Windows\System32\ObcCCWK.exe
  2⤵
  PID:4604
- C:\Windows\System32\chaBJJF.exe
  C:\Windows\System32\chaBJJF.exe
  2⤵
  PID:5092
- C:\Windows\System32\VJZqJfV.exe
  C:\Windows\System32\VJZqJfV.exe
  2⤵
  PID:3960
- C:\Windows\System32\KtJKAKw.exe
  C:\Windows\System32\KtJKAKw.exe
  2⤵
  PID:2232
- C:\Windows\System32\bjszUfy.exe
  C:\Windows\System32\bjszUfy.exe
  2⤵
  PID:2220
- C:\Windows\System32\dYhPZXC.exe
  C:\Windows\System32\dYhPZXC.exe
  2⤵
  PID:4156
- C:\Windows\System32\kxtSgJU.exe
  C:\Windows\System32\kxtSgJU.exe
  2⤵
  PID:4060
- C:\Windows\System32\CmHcuGY.exe
  C:\Windows\System32\CmHcuGY.exe
  2⤵
  PID:3804
- C:\Windows\System32\lMccqas.exe
  C:\Windows\System32\lMccqas.exe
  2⤵
  PID:3272
- C:\Windows\System32\NKqpXVi.exe
  C:\Windows\System32\NKqpXVi.exe
  2⤵
  PID:2340
- C:\Windows\System32\BlyyMXG.exe
  C:\Windows\System32\BlyyMXG.exe
  2⤵
  PID:2648
- C:\Windows\System32\Obdxupm.exe
  C:\Windows\System32\Obdxupm.exe
  2⤵
  PID:4540
- C:\Windows\System32\ovZyBjg.exe
  C:\Windows\System32\ovZyBjg.exe
  2⤵
  PID:1580
- C:\Windows\System32\ngdzXNj.exe
  C:\Windows\System32\ngdzXNj.exe
  2⤵
  PID:3460
- C:\Windows\System32\wPnWkwc.exe
  C:\Windows\System32\wPnWkwc.exe
  2⤵
  PID:3700
- C:\Windows\System32\MrDQiPO.exe
  C:\Windows\System32\MrDQiPO.exe
  2⤵
  PID:2012
- C:\Windows\System32\zyvAKFp.exe
  C:\Windows\System32\zyvAKFp.exe
  2⤵
  PID:4624
- C:\Windows\System32\KRAPZME.exe
  C:\Windows\System32\KRAPZME.exe
  2⤵
  PID:5100
- C:\Windows\System32\YgzNvXO.exe
  C:\Windows\System32\YgzNvXO.exe
  2⤵
  PID:1676
- C:\Windows\System32\nczWUoS.exe
  C:\Windows\System32\nczWUoS.exe
  2⤵
  PID:5136
- C:\Windows\System32\uezDIoN.exe
  C:\Windows\System32\uezDIoN.exe
  2⤵
  PID:5224
- C:\Windows\System32\XsDPBoK.exe
  C:\Windows\System32\XsDPBoK.exe
  2⤵
  PID:5252
- C:\Windows\System32\HHnBQDo.exe
  C:\Windows\System32\HHnBQDo.exe
  2⤵
  PID:5276
- C:\Windows\System32\wonfDSF.exe
  C:\Windows\System32\wonfDSF.exe
  2⤵
  PID:5292
- C:\Windows\System32\IxwAfkt.exe
  C:\Windows\System32\IxwAfkt.exe
  2⤵
  PID:5324
- C:\Windows\System32\ZUzujWy.exe
  C:\Windows\System32\ZUzujWy.exe
  2⤵
  PID:5368
- C:\Windows\System32\CNJrTqV.exe
  C:\Windows\System32\CNJrTqV.exe
  2⤵
  PID:5404
- C:\Windows\System32\jTQRiWH.exe
  C:\Windows\System32\jTQRiWH.exe
  2⤵
  PID:5436
- C:\Windows\System32\PYrOKoz.exe
  C:\Windows\System32\PYrOKoz.exe
  2⤵
  PID:5452
- C:\Windows\System32\KjCmRKW.exe
  C:\Windows\System32\KjCmRKW.exe
  2⤵
  PID:5480
- C:\Windows\System32\kmLXgHs.exe
  C:\Windows\System32\kmLXgHs.exe
  2⤵
  PID:5524
- C:\Windows\System32\yKslfaE.exe
  C:\Windows\System32\yKslfaE.exe
  2⤵
  PID:5548
- C:\Windows\System32\SLTHDBE.exe
  C:\Windows\System32\SLTHDBE.exe
  2⤵
  PID:5592
- C:\Windows\System32\NskXCVR.exe
  C:\Windows\System32\NskXCVR.exe
  2⤵
  PID:5608
- C:\Windows\System32\CLGGGjE.exe
  C:\Windows\System32\CLGGGjE.exe
  2⤵
  PID:5624
- C:\Windows\System32\RhxQJzh.exe
  C:\Windows\System32\RhxQJzh.exe
  2⤵
  PID:5652
- C:\Windows\System32\xajswgV.exe
  C:\Windows\System32\xajswgV.exe
  2⤵
  PID:5668
- C:\Windows\System32\ThJFtnw.exe
  C:\Windows\System32\ThJFtnw.exe
  2⤵
  PID:5684
- C:\Windows\System32\UHpbVuE.exe
  C:\Windows\System32\UHpbVuE.exe
  2⤵
  PID:5704
- C:\Windows\System32\jezdHhY.exe
  C:\Windows\System32\jezdHhY.exe
  2⤵
  PID:5744
- C:\Windows\System32\TtMxctA.exe
  C:\Windows\System32\TtMxctA.exe
  2⤵
  PID:5760
- C:\Windows\System32\SlnpwlH.exe
  C:\Windows\System32\SlnpwlH.exe
  2⤵
  PID:5844
- C:\Windows\System32\zhDjRgq.exe
  C:\Windows\System32\zhDjRgq.exe
  2⤵
  PID:5912
- C:\Windows\System32\TcBTijl.exe
  C:\Windows\System32\TcBTijl.exe
  2⤵
  PID:5936
- C:\Windows\System32\kXQkcKE.exe
  C:\Windows\System32\kXQkcKE.exe
  2⤵
  PID:5968
- C:\Windows\System32\dxiUPIl.exe
  C:\Windows\System32\dxiUPIl.exe
  2⤵
  PID:5992
- C:\Windows\System32\XmNNUKL.exe
  C:\Windows\System32\XmNNUKL.exe
  2⤵
  PID:6024
- C:\Windows\System32\UlzWiya.exe
  C:\Windows\System32\UlzWiya.exe
  2⤵
  PID:6052
- C:\Windows\System32\yhXchkt.exe
  C:\Windows\System32\yhXchkt.exe
  2⤵
  PID:6080
- C:\Windows\System32\PiPVhEB.exe
  C:\Windows\System32\PiPVhEB.exe
  2⤵
  PID:6104
- C:\Windows\System32\rlLkkHN.exe
  C:\Windows\System32\rlLkkHN.exe
  2⤵
  PID:6136
- C:\Windows\System32\nDhFphN.exe
  C:\Windows\System32\nDhFphN.exe
  2⤵
  PID:5144
- C:\Windows\System32\Szlrcsk.exe
  C:\Windows\System32\Szlrcsk.exe
  2⤵
  PID:4840
- C:\Windows\System32\mfknVcg.exe
  C:\Windows\System32\mfknVcg.exe
  2⤵
  PID:5216
- C:\Windows\System32\lzZRxqm.exe
  C:\Windows\System32\lzZRxqm.exe
  2⤵
  PID:5300
- C:\Windows\System32\lzCMrZw.exe
  C:\Windows\System32\lzCMrZw.exe
  2⤵
  PID:5352
- C:\Windows\System32\bvSHNUz.exe
  C:\Windows\System32\bvSHNUz.exe
  2⤵
  PID:5448
- C:\Windows\System32\WCVArTA.exe
  C:\Windows\System32\WCVArTA.exe
  2⤵
  PID:5512
- C:\Windows\System32\TaJgmUw.exe
  C:\Windows\System32\TaJgmUw.exe
  2⤵
  PID:5680
- C:\Windows\System32\cbgtRdv.exe
  C:\Windows\System32\cbgtRdv.exe
  2⤵
  PID:5564
- C:\Windows\System32\PamcviE.exe
  C:\Windows\System32\PamcviE.exe
  2⤵
  PID:776
- C:\Windows\System32\PhFZWkG.exe
  C:\Windows\System32\PhFZWkG.exe
  2⤵
  PID:5768
- C:\Windows\System32\lBItxKf.exe
  C:\Windows\System32\lBItxKf.exe
  2⤵
  PID:6168
- C:\Windows\System32\LlXsGcb.exe
  C:\Windows\System32\LlXsGcb.exe
  2⤵
  PID:6192
- C:\Windows\System32\iFovqBt.exe
  C:\Windows\System32\iFovqBt.exe
  2⤵
  PID:6224
- C:\Windows\System32\uSbYfXS.exe
  C:\Windows\System32\uSbYfXS.exe
  2⤵
  PID:6248
- C:\Windows\System32\LCjuLCL.exe
  C:\Windows\System32\LCjuLCL.exe
  2⤵
  PID:6280
- C:\Windows\System32\TFLJWKQ.exe
  C:\Windows\System32\TFLJWKQ.exe
  2⤵
  PID:6304
- C:\Windows\System32\qDzrLax.exe
  C:\Windows\System32\qDzrLax.exe
  2⤵
  PID:6336
- C:\Windows\System32\HGuDZKe.exe
  C:\Windows\System32\HGuDZKe.exe
  2⤵
  PID:6360
- C:\Windows\System32\FqDpfdu.exe
  C:\Windows\System32\FqDpfdu.exe
  2⤵
  PID:6392
- C:\Windows\System32\KiqePtD.exe
  C:\Windows\System32\KiqePtD.exe
  2⤵
  PID:6424
- C:\Windows\System32\LXmUTzO.exe
  C:\Windows\System32\LXmUTzO.exe
  2⤵
  PID:6444
- C:\Windows\System32\CzhrmPU.exe
  C:\Windows\System32\CzhrmPU.exe
  2⤵
  PID:6480
- C:\Windows\System32\mfLaDJE.exe
  C:\Windows\System32\mfLaDJE.exe
  2⤵
  PID:6500
- C:\Windows\System32\CwLeNkw.exe
  C:\Windows\System32\CwLeNkw.exe
  2⤵
  PID:6532
- C:\Windows\System32\eheEOKV.exe
  C:\Windows\System32\eheEOKV.exe
  2⤵
  PID:6556
- C:\Windows\System32\lZqDpsD.exe
  C:\Windows\System32\lZqDpsD.exe
  2⤵
  PID:6592
- C:\Windows\System32\nauLDQH.exe
  C:\Windows\System32\nauLDQH.exe
  2⤵
  PID:6612
- C:\Windows\System32\MqLUdvK.exe
  C:\Windows\System32\MqLUdvK.exe
  2⤵
  PID:6644
- C:\Windows\System32\kRUOLbx.exe
  C:\Windows\System32\kRUOLbx.exe
  2⤵
  PID:6676
- C:\Windows\System32\XoSwPre.exe
  C:\Windows\System32\XoSwPre.exe
  2⤵
  PID:6700
- C:\Windows\System32\kqCLCKX.exe
  C:\Windows\System32\kqCLCKX.exe
  2⤵
  PID:6724
- C:\Windows\System32\FVvGIzJ.exe
  C:\Windows\System32\FVvGIzJ.exe
  2⤵
  PID:6756
- C:\Windows\System32\XUuIFYl.exe
  C:\Windows\System32\XUuIFYl.exe
  2⤵
  PID:6780
- C:\Windows\System32\aojdfsZ.exe
  C:\Windows\System32\aojdfsZ.exe
  2⤵
  PID:6812
- C:\Windows\System32\LFsFRvS.exe
  C:\Windows\System32\LFsFRvS.exe
  2⤵
  PID:6840
- C:\Windows\System32\qvJKgUg.exe
  C:\Windows\System32\qvJKgUg.exe
  2⤵
  PID:6872
- C:\Windows\System32\gkSIaDr.exe
  C:\Windows\System32\gkSIaDr.exe
  2⤵
  PID:6904
- C:\Windows\System32\EyRuhwB.exe
  C:\Windows\System32\EyRuhwB.exe
  2⤵
  PID:6932
- C:\Windows\System32\orYigJC.exe
  C:\Windows\System32\orYigJC.exe
  2⤵
  PID:6956
- C:\Windows\System32\waZIoVk.exe
  C:\Windows\System32\waZIoVk.exe
  2⤵
  PID:6984
- C:\Windows\System32\aPWhQmr.exe
  C:\Windows\System32\aPWhQmr.exe
  2⤵
  PID:7004
- C:\Windows\System32\sxJdjaI.exe
  C:\Windows\System32\sxJdjaI.exe
  2⤵
  PID:7028
- C:\Windows\System32\rrSLuUU.exe
  C:\Windows\System32\rrSLuUU.exe
  2⤵
  PID:7056
- C:\Windows\System32\JSVCTWt.exe
  C:\Windows\System32\JSVCTWt.exe
  2⤵
  PID:7084
- C:\Windows\System32\AFzwylU.exe
  C:\Windows\System32\AFzwylU.exe
  2⤵
  PID:7104
- C:\Windows\System32\XAgZlrh.exe
  C:\Windows\System32\XAgZlrh.exe
  2⤵
  PID:7128
- C:\Windows\System32\wdhMIpx.exe
  C:\Windows\System32\wdhMIpx.exe
  2⤵
  PID:7152
- C:\Windows\System32\mUankrd.exe
  C:\Windows\System32\mUankrd.exe
  2⤵
  PID:6720
- C:\Windows\System32\ivXxWeO.exe
  C:\Windows\System32\ivXxWeO.exe
  2⤵
  PID:6692
- C:\Windows\System32\KrrRYUc.exe
  C:\Windows\System32\KrrRYUc.exe
  2⤵
  PID:6620
- C:\Windows\System32\AULDHwU.exe
  C:\Windows\System32\AULDHwU.exe
  2⤵
  PID:6552
- C:\Windows\System32\CoHPJDJ.exe
  C:\Windows\System32\CoHPJDJ.exe
  2⤵
  PID:6516
- C:\Windows\System32\oegrxYE.exe
  C:\Windows\System32\oegrxYE.exe
  2⤵
  PID:6464
- C:\Windows\System32\WrbtPKj.exe
  C:\Windows\System32\WrbtPKj.exe
  2⤵
  PID:6420
- C:\Windows\System32\RzvntjY.exe
  C:\Windows\System32\RzvntjY.exe
  2⤵
  PID:6320
- C:\Windows\System32\VuwlsEx.exe
  C:\Windows\System32\VuwlsEx.exe
  2⤵
  PID:6156
- C:\Windows\System32\PIDBCae.exe
  C:\Windows\System32\PIDBCae.exe
  2⤵
  PID:5756
- C:\Windows\System32\eDFetqo.exe
  C:\Windows\System32\eDFetqo.exe
  2⤵
  PID:5660
- C:\Windows\System32\WAiSlKW.exe
  C:\Windows\System32\WAiSlKW.exe
  2⤵
  PID:5472
- C:\Windows\System32\WwDbMMT.exe
  C:\Windows\System32\WwDbMMT.exe
  2⤵
  PID:5188
- C:\Windows\System32\EtYnQrS.exe
  C:\Windows\System32\EtYnQrS.exe
  2⤵
  PID:4264
- C:\Windows\System32\lhkZbWW.exe
  C:\Windows\System32\lhkZbWW.exe
  2⤵
  PID:6100
- C:\Windows\System32\OmkFjyJ.exe
  C:\Windows\System32\OmkFjyJ.exe
  2⤵
  PID:6032
- C:\Windows\System32\ejUFiZY.exe
  C:\Windows\System32\ejUFiZY.exe
  2⤵
  PID:5984
- C:\Windows\System32\dBxelSV.exe
  C:\Windows\System32\dBxelSV.exe
  2⤵
  PID:5920
- C:\Windows\System32\ffkmmeU.exe
  C:\Windows\System32\ffkmmeU.exe
  2⤵
  PID:5832
- C:\Windows\System32\HFjzOkG.exe
  C:\Windows\System32\HFjzOkG.exe
  2⤵
  PID:6856
- C:\Windows\System32\XliNIXa.exe
  C:\Windows\System32\XliNIXa.exe
  2⤵
  PID:6828
- C:\Windows\System32\DIJhpmH.exe
  C:\Windows\System32\DIJhpmH.exe
  2⤵
  PID:6772
- C:\Windows\System32\YiIFsws.exe
  C:\Windows\System32\YiIFsws.exe
  2⤵
  PID:6880
- C:\Windows\System32\PbMQQsp.exe
  C:\Windows\System32\PbMQQsp.exe
  2⤵
  PID:6928
- C:\Windows\System32\YLvNuGy.exe
  C:\Windows\System32\YLvNuGy.exe
  2⤵
  PID:5692
- C:\Windows\System32\efMqKJY.exe
  C:\Windows\System32\efMqKJY.exe
  2⤵
  PID:5728
- C:\Windows\System32\xpeSFnz.exe
  C:\Windows\System32\xpeSFnz.exe
  2⤵
  PID:6992
- C:\Windows\System32\sBRBcDr.exe
  C:\Windows\System32\sBRBcDr.exe
  2⤵
  PID:7040
- C:\Windows\System32\AJsrQRB.exe
  C:\Windows\System32\AJsrQRB.exe
  2⤵
  PID:5244
- C:\Windows\System32\OjoMgtK.exe
  C:\Windows\System32\OjoMgtK.exe
  2⤵
  PID:6600
- C:\Windows\System32\tCLRYxO.exe
  C:\Windows\System32\tCLRYxO.exe
  2⤵
  PID:6356
- C:\Windows\System32\FSEMtjo.exe
  C:\Windows\System32\FSEMtjo.exe
  2⤵
  PID:6232
- C:\Windows\System32\lbuorfL.exe
  C:\Windows\System32\lbuorfL.exe
  2⤵
  PID:5576
- C:\Windows\System32\mFLaheo.exe
  C:\Windows\System32\mFLaheo.exe
  2⤵
  PID:5308
- C:\Windows\System32\QjnHqIb.exe
  C:\Windows\System32\QjnHqIb.exe
  2⤵
  PID:5236
- C:\Windows\System32\vcOmklk.exe
  C:\Windows\System32\vcOmklk.exe
  2⤵
  PID:6096
- C:\Windows\System32\UFYGZXX.exe
  C:\Windows\System32\UFYGZXX.exe
  2⤵
  PID:5852
- C:\Windows\System32\EqPwDxU.exe
  C:\Windows\System32\EqPwDxU.exe
  2⤵
  PID:6888
- C:\Windows\System32\oCmVLiu.exe
  C:\Windows\System32\oCmVLiu.exe
  2⤵
  PID:7012
- C:\Windows\System32\CBSnJdz.exe
  C:\Windows\System32\CBSnJdz.exe
  2⤵
  PID:7068
- C:\Windows\System32\eMXGyDR.exe
  C:\Windows\System32\eMXGyDR.exe
  2⤵
  PID:6716
- C:\Windows\System32\RRwJtJq.exe
  C:\Windows\System32\RRwJtJq.exe
  2⤵
  PID:6380
- C:\Windows\System32\YdflTuA.exe
  C:\Windows\System32\YdflTuA.exe
  2⤵
  PID:5424
- C:\Windows\System32\rfSjpwh.exe
  C:\Windows\System32\rfSjpwh.exe
  2⤵
  PID:5932
- C:\Windows\System32\DiOKqig.exe
  C:\Windows\System32\DiOKqig.exe
  2⤵
  PID:5752
- C:\Windows\System32\bcMpknE.exe
  C:\Windows\System32\bcMpknE.exe
  2⤵
  PID:5540
- C:\Windows\System32\FSmITaP.exe
  C:\Windows\System32\FSmITaP.exe
  2⤵
  PID:6288
- C:\Windows\System32\OxVDOzu.exe
  C:\Windows\System32\OxVDOzu.exe
  2⤵
  PID:7180
- C:\Windows\System32\APIWzPj.exe
  C:\Windows\System32\APIWzPj.exe
  2⤵
  PID:7212
- C:\Windows\System32\ovyBCMr.exe
  C:\Windows\System32\ovyBCMr.exe
  2⤵
  PID:7232
- C:\Windows\System32\pcXtWjZ.exe
  C:\Windows\System32\pcXtWjZ.exe
  2⤵
  PID:7248
- C:\Windows\System32\PhrsFvz.exe
  C:\Windows\System32\PhrsFvz.exe
  2⤵
  PID:7268
- C:\Windows\System32\MLICBkd.exe
  C:\Windows\System32\MLICBkd.exe
  2⤵
  PID:7284
- C:\Windows\System32\vczhqMG.exe
  C:\Windows\System32\vczhqMG.exe
  2⤵
  PID:7308
- C:\Windows\System32\syqBdDr.exe
  C:\Windows\System32\syqBdDr.exe
  2⤵
  PID:7324
- C:\Windows\System32\VsfyNKZ.exe
  C:\Windows\System32\VsfyNKZ.exe
  2⤵
  PID:7340
- C:\Windows\System32\bGFasIx.exe
  C:\Windows\System32\bGFasIx.exe
  2⤵
  PID:7400
- C:\Windows\System32\GXDnhxj.exe
  C:\Windows\System32\GXDnhxj.exe
  2⤵
  PID:7488
- C:\Windows\System32\NHskeED.exe
  C:\Windows\System32\NHskeED.exe
  2⤵
  PID:7504
- C:\Windows\System32\iuiiDVo.exe
  C:\Windows\System32\iuiiDVo.exe
  2⤵
  PID:7528
- C:\Windows\System32\sKVRDQU.exe
  C:\Windows\System32\sKVRDQU.exe
  2⤵
  PID:7544
- C:\Windows\System32\lXqniSi.exe
  C:\Windows\System32\lXqniSi.exe
  2⤵
  PID:7564
- C:\Windows\System32\ejCuzFB.exe
  C:\Windows\System32\ejCuzFB.exe
  2⤵
  PID:7616
- C:\Windows\System32\dwAcfdM.exe
  C:\Windows\System32\dwAcfdM.exe
  2⤵
  PID:7640
- C:\Windows\System32\kGbtDoI.exe
  C:\Windows\System32\kGbtDoI.exe
  2⤵
  PID:7684
- C:\Windows\System32\gmoOXgT.exe
  C:\Windows\System32\gmoOXgT.exe
  2⤵
  PID:7704
- C:\Windows\System32\osIBTOm.exe
  C:\Windows\System32\osIBTOm.exe
  2⤵
  PID:7720
- C:\Windows\System32\IYMOHSv.exe
  C:\Windows\System32\IYMOHSv.exe
  2⤵
  PID:7740
- C:\Windows\System32\gWwtvQh.exe
  C:\Windows\System32\gWwtvQh.exe
  2⤵
  PID:7756
- C:\Windows\System32\vTbniCe.exe
  C:\Windows\System32\vTbniCe.exe
  2⤵
  PID:7780
- C:\Windows\System32\RTxbkWX.exe
  C:\Windows\System32\RTxbkWX.exe
  2⤵
  PID:7824
- C:\Windows\System32\WJzlrvE.exe
  C:\Windows\System32\WJzlrvE.exe
  2⤵
  PID:7880
- C:\Windows\System32\jGQPlNL.exe
  C:\Windows\System32\jGQPlNL.exe
  2⤵
  PID:7912
- C:\Windows\System32\OjFiepK.exe
  C:\Windows\System32\OjFiepK.exe
  2⤵
  PID:7936
- C:\Windows\System32\NFwKTDw.exe
  C:\Windows\System32\NFwKTDw.exe
  2⤵
  PID:7952
- C:\Windows\System32\uExOrWg.exe
  C:\Windows\System32\uExOrWg.exe
  2⤵
  PID:7976
- C:\Windows\System32\CDepzrx.exe
  C:\Windows\System32\CDepzrx.exe
  2⤵
  PID:8020
- C:\Windows\System32\oIgazgR.exe
  C:\Windows\System32\oIgazgR.exe
  2⤵
  PID:8044
- C:\Windows\System32\HauFtJn.exe
  C:\Windows\System32\HauFtJn.exe
  2⤵
  PID:8060
- C:\Windows\System32\XzJvvGa.exe
  C:\Windows\System32\XzJvvGa.exe
  2⤵
  PID:8100
- C:\Windows\System32\RpMBSRT.exe
  C:\Windows\System32\RpMBSRT.exe
  2⤵
  PID:8120
- C:\Windows\System32\lmVBgkd.exe
  C:\Windows\System32\lmVBgkd.exe
  2⤵
  PID:8160
- C:\Windows\System32\zAgqXiN.exe
  C:\Windows\System32\zAgqXiN.exe
  2⤵
  PID:8180
- C:\Windows\System32\OeHoljS.exe
  C:\Windows\System32\OeHoljS.exe
  2⤵
  PID:6964
- C:\Windows\System32\oqSsOiN.exe
  C:\Windows\System32\oqSsOiN.exe
  2⤵
  PID:7244
- C:\Windows\System32\FqkQpnF.exe
  C:\Windows\System32\FqkQpnF.exe
  2⤵
  PID:7348
- C:\Windows\System32\SHJiAQk.exe
  C:\Windows\System32\SHJiAQk.exe
  2⤵
  PID:7360
- C:\Windows\System32\qAKJorN.exe
  C:\Windows\System32\qAKJorN.exe
  2⤵
  PID:7412
- C:\Windows\System32\ZZfZijV.exe
  C:\Windows\System32\ZZfZijV.exe
  2⤵
  PID:7496
- C:\Windows\System32\rbgXMDI.exe
  C:\Windows\System32\rbgXMDI.exe
  2⤵
  PID:7536
- C:\Windows\System32\ouXUQQd.exe
  C:\Windows\System32\ouXUQQd.exe
  2⤵
  PID:7592
- C:\Windows\System32\YDFDPQa.exe
  C:\Windows\System32\YDFDPQa.exe
  2⤵
  PID:7700
- C:\Windows\System32\UGgCfsR.exe
  C:\Windows\System32\UGgCfsR.exe
  2⤵
  PID:7752
- C:\Windows\System32\UGfTaMw.exe
  C:\Windows\System32\UGfTaMw.exe
  2⤵
  PID:7788
- C:\Windows\System32\gTLyrTu.exe
  C:\Windows\System32\gTLyrTu.exe
  2⤵
  PID:7872
- C:\Windows\System32\RnpuAKB.exe
  C:\Windows\System32\RnpuAKB.exe
  2⤵
  PID:7932
- C:\Windows\System32\gsaevzz.exe
  C:\Windows\System32\gsaevzz.exe
  2⤵
  PID:7984
- C:\Windows\System32\atpEtum.exe
  C:\Windows\System32\atpEtum.exe
  2⤵
  PID:8072
- C:\Windows\System32\fVEkLrm.exe
  C:\Windows\System32\fVEkLrm.exe
  2⤵
  PID:8172
- C:\Windows\System32\ugIrEmd.exe
  C:\Windows\System32\ugIrEmd.exe
  2⤵
  PID:7192
- C:\Windows\System32\mBqfvnq.exe
  C:\Windows\System32\mBqfvnq.exe
  2⤵
  PID:7320
- C:\Windows\System32\vSMuomt.exe
  C:\Windows\System32\vSMuomt.exe
  2⤵
  PID:7444
- C:\Windows\System32\yXAlMco.exe
  C:\Windows\System32\yXAlMco.exe
  2⤵
  PID:7636
- C:\Windows\System32\ckGZhHf.exe
  C:\Windows\System32\ckGZhHf.exe
  2⤵
  PID:7648
- C:\Windows\System32\uJAVWap.exe
  C:\Windows\System32\uJAVWap.exe
  2⤵
  PID:7220
- C:\Windows\System32\oHMdeQr.exe
  C:\Windows\System32\oHMdeQr.exe
  2⤵
  PID:7848
- C:\Windows\System32\XdwDhFf.exe
  C:\Windows\System32\XdwDhFf.exe
  2⤵
  PID:7964
- C:\Windows\System32\gOHbRsb.exe
  C:\Windows\System32\gOHbRsb.exe
  2⤵
  PID:7560
- C:\Windows\System32\YJlFHvf.exe
  C:\Windows\System32\YJlFHvf.exe
  2⤵
  PID:7924
- C:\Windows\System32\hoUhGVH.exe
  C:\Windows\System32\hoUhGVH.exe
  2⤵
  PID:8004
- C:\Windows\System32\bWPUeFM.exe
  C:\Windows\System32\bWPUeFM.exe
  2⤵
  PID:8204
- C:\Windows\System32\GLEzWXK.exe
  C:\Windows\System32\GLEzWXK.exe
  2⤵
  PID:8228
- C:\Windows\System32\ocHRYPy.exe
  C:\Windows\System32\ocHRYPy.exe
  2⤵
  PID:8248
- C:\Windows\System32\XBzNEQC.exe
  C:\Windows\System32\XBzNEQC.exe
  2⤵
  PID:8264
- C:\Windows\System32\aJrGqYo.exe
  C:\Windows\System32\aJrGqYo.exe
  2⤵
  PID:8284
- C:\Windows\System32\AKEXYUV.exe
  C:\Windows\System32\AKEXYUV.exe
  2⤵
  PID:8300
- C:\Windows\System32\YzeDjrb.exe
  C:\Windows\System32\YzeDjrb.exe
  2⤵
  PID:8364
- C:\Windows\System32\ZHUPWLH.exe
  C:\Windows\System32\ZHUPWLH.exe
  2⤵
  PID:8400
- C:\Windows\System32\oJTwYxg.exe
  C:\Windows\System32\oJTwYxg.exe
  2⤵
  PID:8432
- C:\Windows\System32\NRBkyOZ.exe
  C:\Windows\System32\NRBkyOZ.exe
  2⤵
  PID:8448
- C:\Windows\System32\OhOOvnh.exe
  C:\Windows\System32\OhOOvnh.exe
  2⤵
  PID:8468
- C:\Windows\System32\zOCIcTH.exe
  C:\Windows\System32\zOCIcTH.exe
  2⤵
  PID:8492
- C:\Windows\System32\wpGxCII.exe
  C:\Windows\System32\wpGxCII.exe
  2⤵
  PID:8512
- C:\Windows\System32\pAgcTmf.exe
  C:\Windows\System32\pAgcTmf.exe
  2⤵
  PID:8556
- C:\Windows\System32\VntOkcp.exe
  C:\Windows\System32\VntOkcp.exe
  2⤵
  PID:8576
- C:\Windows\System32\IqVaeCR.exe
  C:\Windows\System32\IqVaeCR.exe
  2⤵
  PID:8596
- C:\Windows\System32\GTqCzLF.exe
  C:\Windows\System32\GTqCzLF.exe
  2⤵
  PID:8632
- C:\Windows\System32\EjaxCjE.exe
  C:\Windows\System32\EjaxCjE.exe
  2⤵
  PID:8688
- C:\Windows\System32\zhXjLtD.exe
  C:\Windows\System32\zhXjLtD.exe
  2⤵
  PID:8712
- C:\Windows\System32\rjvtyyL.exe
  C:\Windows\System32\rjvtyyL.exe
  2⤵
  PID:8728
- C:\Windows\System32\NisDCvy.exe
  C:\Windows\System32\NisDCvy.exe
  2⤵
  PID:8748
- C:\Windows\System32\NdKpvhe.exe
  C:\Windows\System32\NdKpvhe.exe
  2⤵
  PID:8764
- C:\Windows\System32\RYUhmbG.exe
  C:\Windows\System32\RYUhmbG.exe
  2⤵
  PID:8816
- C:\Windows\System32\WdiDPFd.exe
  C:\Windows\System32\WdiDPFd.exe
  2⤵
  PID:8852
- C:\Windows\System32\CVctXnm.exe
  C:\Windows\System32\CVctXnm.exe
  2⤵
  PID:8880
- C:\Windows\System32\qgOMAGh.exe
  C:\Windows\System32\qgOMAGh.exe
  2⤵
  PID:8912
- C:\Windows\System32\agHwtiK.exe
  C:\Windows\System32\agHwtiK.exe
  2⤵
  PID:8928
- C:\Windows\System32\pcYOdsz.exe
  C:\Windows\System32\pcYOdsz.exe
  2⤵
  PID:8956
- C:\Windows\System32\isKbeFd.exe
  C:\Windows\System32\isKbeFd.exe
  2⤵
  PID:8980
- C:\Windows\System32\fSxpJOm.exe
  C:\Windows\System32\fSxpJOm.exe
  2⤵
  PID:8996
- C:\Windows\System32\oLYFiZl.exe
  C:\Windows\System32\oLYFiZl.exe
  2⤵
  PID:9040
- C:\Windows\System32\XMQzQka.exe
  C:\Windows\System32\XMQzQka.exe
  2⤵
  PID:9080
- C:\Windows\System32\Wtfctow.exe
  C:\Windows\System32\Wtfctow.exe
  2⤵
  PID:9100
- C:\Windows\System32\HftjIxZ.exe
  C:\Windows\System32\HftjIxZ.exe
  2⤵
  PID:9124
- C:\Windows\System32\llpfpcJ.exe
  C:\Windows\System32\llpfpcJ.exe
  2⤵
  PID:9152
- C:\Windows\System32\hUQmqGJ.exe
  C:\Windows\System32\hUQmqGJ.exe
  2⤵
  PID:9192
- C:\Windows\System32\tYvHVcI.exe
  C:\Windows\System32\tYvHVcI.exe
  2⤵
  PID:9212
- C:\Windows\System32\httsPVp.exe
  C:\Windows\System32\httsPVp.exe
  2⤵
  PID:8220
- C:\Windows\System32\PomIYLH.exe
  C:\Windows\System32\PomIYLH.exe
  2⤵
  PID:8256
- C:\Windows\System32\rTrlOtl.exe
  C:\Windows\System32\rTrlOtl.exe
  2⤵
  PID:8340
- C:\Windows\System32\AXMWGVQ.exe
  C:\Windows\System32\AXMWGVQ.exe
  2⤵
  PID:8408
- C:\Windows\System32\zisbILx.exe
  C:\Windows\System32\zisbILx.exe
  2⤵
  PID:8476
- C:\Windows\System32\eJtDIsn.exe
  C:\Windows\System32\eJtDIsn.exe
  2⤵
  PID:8592
- C:\Windows\System32\LMtwtpn.exe
  C:\Windows\System32\LMtwtpn.exe
  2⤵
  PID:8604
- C:\Windows\System32\vmjbsXB.exe
  C:\Windows\System32\vmjbsXB.exe
  2⤵
  PID:8668
- C:\Windows\System32\zwNloWV.exe
  C:\Windows\System32\zwNloWV.exe
  2⤵
  PID:8700
- C:\Windows\System32\umTzyRP.exe
  C:\Windows\System32\umTzyRP.exe
  2⤵
  PID:8804
- C:\Windows\System32\oIOHEZg.exe
  C:\Windows\System32\oIOHEZg.exe
  2⤵
  PID:8868
- C:\Windows\System32\IfyaxVm.exe
  C:\Windows\System32\IfyaxVm.exe
  2⤵
  PID:8972
- C:\Windows\System32\vUByIfx.exe
  C:\Windows\System32\vUByIfx.exe
  2⤵
  PID:9024
- C:\Windows\System32\TWMzVES.exe
  C:\Windows\System32\TWMzVES.exe
  2⤵
  PID:9068
- C:\Windows\System32\DjRhYuY.exe
  C:\Windows\System32\DjRhYuY.exe
  2⤵
  PID:9136
- C:\Windows\System32\xrIPlhe.exe
  C:\Windows\System32\xrIPlhe.exe
  2⤵
  PID:8236
- C:\Windows\System32\hXaLTWG.exe
  C:\Windows\System32\hXaLTWG.exe
  2⤵
  PID:8292
- C:\Windows\System32\NJgBvcd.exe
  C:\Windows\System32\NJgBvcd.exe
  2⤵
  PID:8464
- C:\Windows\System32\ZRotCND.exe
  C:\Windows\System32\ZRotCND.exe
  2⤵
  PID:8544
- C:\Windows\System32\hCosbzR.exe
  C:\Windows\System32\hCosbzR.exe
  2⤵
  PID:8840
- C:\Windows\System32\capxxnu.exe
  C:\Windows\System32\capxxnu.exe
  2⤵
  PID:8988
- C:\Windows\System32\gIjPRJB.exe
  C:\Windows\System32\gIjPRJB.exe
  2⤵
  PID:9076
- C:\Windows\System32\ZfaIzAX.exe
  C:\Windows\System32\ZfaIzAX.exe
  2⤵
  PID:9172
- C:\Windows\System32\cSMeRPb.exe
  C:\Windows\System32\cSMeRPb.exe
  2⤵
  PID:8528
- C:\Windows\System32\RXrdPER.exe
  C:\Windows\System32\RXrdPER.exe
  2⤵
  PID:9008
- C:\Windows\System32\MdoVIaQ.exe
  C:\Windows\System32\MdoVIaQ.exe
  2⤵
  PID:8260
- C:\Windows\System32\pnUWhVN.exe
  C:\Windows\System32\pnUWhVN.exe
  2⤵
  PID:8848
- C:\Windows\System32\uBerLso.exe
  C:\Windows\System32\uBerLso.exe
  2⤵
  PID:9092
- C:\Windows\System32\VeqRnUE.exe
  C:\Windows\System32\VeqRnUE.exe
  2⤵
  PID:9256
- C:\Windows\System32\wbDrISE.exe
  C:\Windows\System32\wbDrISE.exe
  2⤵
  PID:9292
- C:\Windows\System32\exGESoA.exe
  C:\Windows\System32\exGESoA.exe
  2⤵
  PID:9316
- C:\Windows\System32\VKeTywI.exe
  C:\Windows\System32\VKeTywI.exe
  2⤵
  PID:9336
- C:\Windows\System32\VDCltcK.exe
  C:\Windows\System32\VDCltcK.exe
  2⤵
  PID:9360
- C:\Windows\System32\GzYWpLE.exe
  C:\Windows\System32\GzYWpLE.exe
  2⤵
  PID:9404
- C:\Windows\System32\CCkujkt.exe
  C:\Windows\System32\CCkujkt.exe
  2⤵
  PID:9424
- C:\Windows\System32\tWHRiAu.exe
  C:\Windows\System32\tWHRiAu.exe
  2⤵
  PID:9448
- C:\Windows\System32\frLbVLO.exe
  C:\Windows\System32\frLbVLO.exe
  2⤵
  PID:9468
- C:\Windows\System32\RiAKRqW.exe
  C:\Windows\System32\RiAKRqW.exe
  2⤵
  PID:9496
- C:\Windows\System32\snesaxq.exe
  C:\Windows\System32\snesaxq.exe
  2⤵
  PID:9512
- C:\Windows\System32\FMUqvyn.exe
  C:\Windows\System32\FMUqvyn.exe
  2⤵
  PID:9528
- C:\Windows\System32\mPoiifF.exe
  C:\Windows\System32\mPoiifF.exe
  2⤵
  PID:9576
- C:\Windows\System32\ogAbWbP.exe
  C:\Windows\System32\ogAbWbP.exe
  2⤵
  PID:9596
- C:\Windows\System32\mBUjrYi.exe
  C:\Windows\System32\mBUjrYi.exe
  2⤵
  PID:9612
- C:\Windows\System32\SObuTZJ.exe
  C:\Windows\System32\SObuTZJ.exe
  2⤵
  PID:9648
- C:\Windows\System32\Slofqze.exe
  C:\Windows\System32\Slofqze.exe
  2⤵
  PID:9668
- C:\Windows\System32\OnXIfmm.exe
  C:\Windows\System32\OnXIfmm.exe
  2⤵
  PID:9740
- C:\Windows\System32\KyXglgD.exe
  C:\Windows\System32\KyXglgD.exe
  2⤵
  PID:9768
- C:\Windows\System32\IgcSLdP.exe
  C:\Windows\System32\IgcSLdP.exe
  2⤵
  PID:9800
- C:\Windows\System32\ndeCBzN.exe
  C:\Windows\System32\ndeCBzN.exe
  2⤵
  PID:9948
- C:\Windows\System32\EyjxBkA.exe
  C:\Windows\System32\EyjxBkA.exe
  2⤵
  PID:9968
- C:\Windows\System32\nWYwpjC.exe
  C:\Windows\System32\nWYwpjC.exe
  2⤵
  PID:9984
- C:\Windows\System32\fdNOScm.exe
  C:\Windows\System32\fdNOScm.exe
  2⤵
  PID:10040
- C:\Windows\System32\MaNkToQ.exe
  C:\Windows\System32\MaNkToQ.exe
  2⤵
  PID:10064
- C:\Windows\System32\qtjnbPQ.exe
  C:\Windows\System32\qtjnbPQ.exe
  2⤵
  PID:10092
- C:\Windows\System32\yAotrcn.exe
  C:\Windows\System32\yAotrcn.exe
  2⤵
  PID:10108
- C:\Windows\System32\HCgxOWl.exe
  C:\Windows\System32\HCgxOWl.exe
  2⤵
  PID:10124
- C:\Windows\System32\xOojlbU.exe
  C:\Windows\System32\xOojlbU.exe
  2⤵
  PID:10168
- C:\Windows\System32\KvPhCJD.exe
  C:\Windows\System32\KvPhCJD.exe
  2⤵
  PID:10188
- C:\Windows\System32\ZnkxVNI.exe
  C:\Windows\System32\ZnkxVNI.exe
  2⤵
  PID:10204
- C:\Windows\System32\leAzofh.exe
  C:\Windows\System32\leAzofh.exe
  2⤵
  PID:10232
- C:\Windows\System32\SoxXxVi.exe
  C:\Windows\System32\SoxXxVi.exe
  2⤵
  PID:9228
- C:\Windows\System32\FTNUyIi.exe
  C:\Windows\System32\FTNUyIi.exe
  2⤵
  PID:9284
- C:\Windows\System32\HBwznwt.exe
  C:\Windows\System32\HBwznwt.exe
  2⤵
  PID:9400
- C:\Windows\System32\ylqSzMB.exe
  C:\Windows\System32\ylqSzMB.exe
  2⤵
  PID:9444
- C:\Windows\System32\dqcwoMo.exe
  C:\Windows\System32\dqcwoMo.exe
  2⤵
  PID:9524
- C:\Windows\System32\RSCRCTG.exe
  C:\Windows\System32\RSCRCTG.exe
  2⤵
  PID:9628
- C:\Windows\System32\uAFfXRe.exe
  C:\Windows\System32\uAFfXRe.exe
  2⤵
  PID:9728
- C:\Windows\System32\zlAljiz.exe
  C:\Windows\System32\zlAljiz.exe
  2⤵
  PID:9752
- C:\Windows\System32\eQqPoSc.exe
  C:\Windows\System32\eQqPoSc.exe
  2⤵
  PID:9796
- C:\Windows\System32\krAlJxl.exe
  C:\Windows\System32\krAlJxl.exe
  2⤵
  PID:9832
- C:\Windows\System32\NAUgAcm.exe
  C:\Windows\System32\NAUgAcm.exe
  2⤵
  PID:9856
- C:\Windows\System32\UTLfBdr.exe
  C:\Windows\System32\UTLfBdr.exe
  2⤵
  PID:9888
- C:\Windows\System32\MOciwXz.exe
  C:\Windows\System32\MOciwXz.exe
  2⤵
  PID:9812
- C:\Windows\System32\vfTpehi.exe
  C:\Windows\System32\vfTpehi.exe
  2⤵
  PID:9932
- C:\Windows\System32\gnAgPQC.exe
  C:\Windows\System32\gnAgPQC.exe
  2⤵
  PID:9956
- C:\Windows\System32\dNKNZfd.exe
  C:\Windows\System32\dNKNZfd.exe
  2⤵
  PID:10020
- C:\Windows\System32\MExCFWe.exe
  C:\Windows\System32\MExCFWe.exe
  2⤵
  PID:10148
- C:\Windows\System32\CvUDuNp.exe
  C:\Windows\System32\CvUDuNp.exe
  2⤵
  PID:9252
- C:\Windows\System32\gUuCRnG.exe
  C:\Windows\System32\gUuCRnG.exe
  2⤵
  PID:9248
- C:\Windows\System32\aAYuHxV.exe
  C:\Windows\System32\aAYuHxV.exe
  2⤵
  PID:9416
- C:\Windows\System32\dPfSwXL.exe
  C:\Windows\System32\dPfSwXL.exe
  2⤵
  PID:9620
- C:\Windows\System32\oNegWUn.exe
  C:\Windows\System32\oNegWUn.exe
  2⤵
  PID:9760
- C:\Windows\System32\xkxBdme.exe
  C:\Windows\System32\xkxBdme.exe
  2⤵
  PID:9876
- C:\Windows\System32\UnuvQeG.exe
  C:\Windows\System32\UnuvQeG.exe
  2⤵
  PID:9960
- C:\Windows\System32\wtrtuxa.exe
  C:\Windows\System32\wtrtuxa.exe
  2⤵
  PID:10184
- C:\Windows\System32\OeEEeoV.exe
  C:\Windows\System32\OeEEeoV.exe
  2⤵
  PID:9304
- C:\Windows\System32\tSFDarj.exe
  C:\Windows\System32\tSFDarj.exe
  2⤵
  PID:9352
- C:\Windows\System32\fmPHZLx.exe
  C:\Windows\System32\fmPHZLx.exe
  2⤵
  PID:9548
- C:\Windows\System32\TGAjhtO.exe
  C:\Windows\System32\TGAjhtO.exe
  2⤵
  PID:9900
- C:\Windows\System32\adOyiLS.exe
  C:\Windows\System32\adOyiLS.exe
  2⤵
  PID:10196
- C:\Windows\System32\IfHIcQE.exe
  C:\Windows\System32\IfHIcQE.exe
  2⤵
  PID:9224
- C:\Windows\System32\aBicLHN.exe
  C:\Windows\System32\aBicLHN.exe
  2⤵
  PID:10248
- C:\Windows\System32\zFUAtIn.exe
  C:\Windows\System32\zFUAtIn.exe
  2⤵
  PID:10304
- C:\Windows\System32\xYKkLmx.exe
  C:\Windows\System32\xYKkLmx.exe
  2⤵
  PID:10336
- C:\Windows\System32\VWbeaoh.exe
  C:\Windows\System32\VWbeaoh.exe
  2⤵
  PID:10356
- C:\Windows\System32\jPFGGNx.exe
  C:\Windows\System32\jPFGGNx.exe
  2⤵
  PID:10380
- C:\Windows\System32\ftKSpFi.exe
  C:\Windows\System32\ftKSpFi.exe
  2⤵
  PID:10428
- C:\Windows\System32\TPdxgSi.exe
  C:\Windows\System32\TPdxgSi.exe
  2⤵
  PID:10452
- C:\Windows\System32\duQLhAd.exe
  C:\Windows\System32\duQLhAd.exe
  2⤵
  PID:10476
- C:\Windows\System32\nscVmDf.exe
  C:\Windows\System32\nscVmDf.exe
  2⤵
  PID:10504
- C:\Windows\System32\sIdDbXe.exe
  C:\Windows\System32\sIdDbXe.exe
  2⤵
  PID:10552
- C:\Windows\System32\NJgWFBl.exe
  C:\Windows\System32\NJgWFBl.exe
  2⤵
  PID:10572
- C:\Windows\System32\eykHXQt.exe
  C:\Windows\System32\eykHXQt.exe
  2⤵
  PID:10604
- C:\Windows\System32\GbqRwug.exe
  C:\Windows\System32\GbqRwug.exe
  2⤵
  PID:10632
- C:\Windows\System32\btRenVT.exe
  C:\Windows\System32\btRenVT.exe
  2⤵
  PID:10656
- C:\Windows\System32\OMLVcTL.exe
  C:\Windows\System32\OMLVcTL.exe
  2⤵
  PID:10684
- C:\Windows\System32\iTGEBgY.exe
  C:\Windows\System32\iTGEBgY.exe
  2⤵
  PID:10700
- C:\Windows\System32\LnqgkfY.exe
  C:\Windows\System32\LnqgkfY.exe
  2⤵
  PID:10716
- C:\Windows\System32\PICPHBy.exe
  C:\Windows\System32\PICPHBy.exe
  2⤵
  PID:10752
- C:\Windows\System32\CmiLJDh.exe
  C:\Windows\System32\CmiLJDh.exe
  2⤵
  PID:10808
- C:\Windows\System32\lwKKZGG.exe
  C:\Windows\System32\lwKKZGG.exe
  2⤵
  PID:10836
- C:\Windows\System32\epAPUWG.exe
  C:\Windows\System32\epAPUWG.exe
  2⤵
  PID:10864
- C:\Windows\System32\pvLDBmo.exe
  C:\Windows\System32\pvLDBmo.exe
  2⤵
  PID:10880
- C:\Windows\System32\qovnmXJ.exe
  C:\Windows\System32\qovnmXJ.exe
  2⤵
  PID:10900
- C:\Windows\System32\TESTYDg.exe
  C:\Windows\System32\TESTYDg.exe
  2⤵
  PID:10928
- C:\Windows\System32\twbbuNY.exe
  C:\Windows\System32\twbbuNY.exe
  2⤵
  PID:10944
- C:\Windows\System32\QxbhiXB.exe
  C:\Windows\System32\QxbhiXB.exe
  2⤵
  PID:10968
- C:\Windows\System32\mUceAMC.exe
  C:\Windows\System32\mUceAMC.exe
  2⤵
  PID:10984
- C:\Windows\System32\XRSnHbb.exe
  C:\Windows\System32\XRSnHbb.exe
  2⤵
  PID:11028
- C:\Windows\System32\aRCYqpS.exe
  C:\Windows\System32\aRCYqpS.exe
  2⤵
  PID:11084
- C:\Windows\System32\PwjcYbN.exe
  C:\Windows\System32\PwjcYbN.exe
  2⤵
  PID:11108
- C:\Windows\System32\qrhnWje.exe
  C:\Windows\System32\qrhnWje.exe
  2⤵
  PID:11132
- C:\Windows\System32\xDzYPBk.exe
  C:\Windows\System32\xDzYPBk.exe
  2⤵
  PID:11168
- C:\Windows\System32\hxEUtyE.exe
  C:\Windows\System32\hxEUtyE.exe
  2⤵
  PID:11188
- C:\Windows\System32\PRFhzss.exe
  C:\Windows\System32\PRFhzss.exe
  2⤵
  PID:11204
- C:\Windows\System32\vjWFaAg.exe
  C:\Windows\System32\vjWFaAg.exe
  2⤵
  PID:11240
- C:\Windows\System32\dAVWqXh.exe
  C:\Windows\System32\dAVWqXh.exe
  2⤵
  PID:11260
- C:\Windows\System32\BOdNauM.exe
  C:\Windows\System32\BOdNauM.exe
  2⤵
  PID:9692
- C:\Windows\System32\ZWgqnbO.exe
  C:\Windows\System32\ZWgqnbO.exe
  2⤵
  PID:9640
- C:\Windows\System32\JwlfKoH.exe
  C:\Windows\System32\JwlfKoH.exe
  2⤵
  PID:10352
- C:\Windows\System32\hSPGJsV.exe
  C:\Windows\System32\hSPGJsV.exe
  2⤵
  PID:10496
- C:\Windows\System32\jBmznXN.exe
  C:\Windows\System32\jBmznXN.exe
  2⤵
  PID:10584
- C:\Windows\System32\wRofqjg.exe
  C:\Windows\System32\wRofqjg.exe
  2⤵
  PID:10624
- C:\Windows\System32\qvtlMTj.exe
  C:\Windows\System32\qvtlMTj.exe
  2⤵
  PID:10648
- C:\Windows\System32\rulnKSV.exe
  C:\Windows\System32\rulnKSV.exe
  2⤵
  PID:10696
- C:\Windows\System32\LHGlSkm.exe
  C:\Windows\System32\LHGlSkm.exe
  2⤵
  PID:10712
- C:\Windows\System32\dPUeGtp.exe
  C:\Windows\System32\dPUeGtp.exe
  2⤵
  PID:10784
- C:\Windows\System32\zctcPmy.exe
  C:\Windows\System32\zctcPmy.exe
  2⤵
  PID:10852
- C:\Windows\System32\CeiznBt.exe
  C:\Windows\System32\CeiznBt.exe
  2⤵
  PID:10936
- C:\Windows\System32\mMgDQhU.exe
  C:\Windows\System32\mMgDQhU.exe
  2⤵
  PID:11100
- C:\Windows\System32\wlkcyLQ.exe
  C:\Windows\System32\wlkcyLQ.exe
  2⤵
  PID:11164
- C:\Windows\System32\qNFzpyP.exe
  C:\Windows\System32\qNFzpyP.exe
  2⤵
  PID:11228
- C:\Windows\System32\SupdBbr.exe
  C:\Windows\System32\SupdBbr.exe
  2⤵
  PID:10016
- C:\Windows\System32\xmEfXqo.exe
  C:\Windows\System32\xmEfXqo.exe
  2⤵
  PID:10412
- C:\Windows\System32\SOBcIQD.exe
  C:\Windows\System32\SOBcIQD.exe
  2⤵
  PID:10440
- C:\Windows\System32\BxrJrPa.exe
  C:\Windows\System32\BxrJrPa.exe
  2⤵
  PID:10680
- C:\Windows\System32\wEQmslc.exe
  C:\Windows\System32\wEQmslc.exe
  2⤵
  PID:10908
- C:\Windows\System32\szxhkJL.exe
  C:\Windows\System32\szxhkJL.exe
  2⤵
  PID:11008
- C:\Windows\System32\VrSTfpP.exe
  C:\Windows\System32\VrSTfpP.exe
  2⤵
  PID:11236
- C:\Windows\System32\YuTlnvZ.exe
  C:\Windows\System32\YuTlnvZ.exe
  2⤵
  PID:10288
- C:\Windows\System32\DiewTHL.exe
  C:\Windows\System32\DiewTHL.exe
  2⤵
  PID:10620
- C:\Windows\System32\SXTAlRR.exe
  C:\Windows\System32\SXTAlRR.exe
  2⤵
  PID:10876
- C:\Windows\System32\VXyMltz.exe
  C:\Windows\System32\VXyMltz.exe
  2⤵
  PID:10580
- C:\Windows\System32\wNYAxam.exe
  C:\Windows\System32\wNYAxam.exe
  2⤵
  PID:10744
- C:\Windows\System32\BrKEsgd.exe
  C:\Windows\System32\BrKEsgd.exe
  2⤵
  PID:11272
- C:\Windows\System32\GfBhiCo.exe
  C:\Windows\System32\GfBhiCo.exe
  2⤵
  PID:11288
- C:\Windows\System32\osJQnuk.exe
  C:\Windows\System32\osJQnuk.exe
  2⤵
  PID:11340
- C:\Windows\System32\CTVcsmC.exe
  C:\Windows\System32\CTVcsmC.exe
  2⤵
  PID:11372
- C:\Windows\System32\xTafhIT.exe
  C:\Windows\System32\xTafhIT.exe
  2⤵
  PID:11388
- C:\Windows\System32\ksnmYUo.exe
  C:\Windows\System32\ksnmYUo.exe
  2⤵
  PID:11440
- C:\Windows\System32\edfCQxK.exe
  C:\Windows\System32\edfCQxK.exe
  2⤵
  PID:11456
- C:\Windows\System32\bPeWMyR.exe
  C:\Windows\System32\bPeWMyR.exe
  2⤵
  PID:11472
- C:\Windows\System32\uFMwPlL.exe
  C:\Windows\System32\uFMwPlL.exe
  2⤵
  PID:11492
- C:\Windows\System32\BBWppCz.exe
  C:\Windows\System32\BBWppCz.exe
  2⤵
  PID:11516
- C:\Windows\System32\EmesLJL.exe
  C:\Windows\System32\EmesLJL.exe
  2⤵
  PID:11536
- C:\Windows\System32\KfqMHht.exe
  C:\Windows\System32\KfqMHht.exe
  2⤵
  PID:11560
- C:\Windows\System32\RTPaaXn.exe
  C:\Windows\System32\RTPaaXn.exe
  2⤵
  PID:11604
- C:\Windows\System32\oxLBddi.exe
  C:\Windows\System32\oxLBddi.exe
  2⤵
  PID:11640
- C:\Windows\System32\cVoyemt.exe
  C:\Windows\System32\cVoyemt.exe
  2⤵
  PID:11660
- C:\Windows\System32\DlWFfOQ.exe
  C:\Windows\System32\DlWFfOQ.exe
  2⤵
  PID:11676
- C:\Windows\System32\CKorfqs.exe
  C:\Windows\System32\CKorfqs.exe
  2⤵
  PID:11704
- C:\Windows\System32\NiDCVBC.exe
  C:\Windows\System32\NiDCVBC.exe
  2⤵
  PID:11740
- C:\Windows\System32\CvkrEBw.exe
  C:\Windows\System32\CvkrEBw.exe
  2⤵
  PID:11760
- C:\Windows\System32\zYyimMn.exe
  C:\Windows\System32\zYyimMn.exe
  2⤵
  PID:11780
- C:\Windows\System32\CTdvVdq.exe
  C:\Windows\System32\CTdvVdq.exe
  2⤵
  PID:11812
- C:\Windows\System32\rHXYBhH.exe
  C:\Windows\System32\rHXYBhH.exe
  2⤵
  PID:11888
- C:\Windows\System32\YGazhpm.exe
  C:\Windows\System32\YGazhpm.exe
  2⤵
  PID:11904
- C:\Windows\System32\ymtaCAr.exe
  C:\Windows\System32\ymtaCAr.exe
  2⤵
  PID:11920
- C:\Windows\System32\VdYfwJA.exe
  C:\Windows\System32\VdYfwJA.exe
  2⤵
  PID:11936
- C:\Windows\System32\jgvKaif.exe
  C:\Windows\System32\jgvKaif.exe
  2⤵
  PID:11956
- C:\Windows\System32\fsCreQk.exe
  C:\Windows\System32\fsCreQk.exe
  2⤵
  PID:11996
- C:\Windows\System32\TkLIbGr.exe
  C:\Windows\System32\TkLIbGr.exe
  2⤵
  PID:12052
- C:\Windows\System32\AdqkSPy.exe
  C:\Windows\System32\AdqkSPy.exe
  2⤵
  PID:12068
- C:\Windows\System32\zYnsnaU.exe
  C:\Windows\System32\zYnsnaU.exe
  2⤵
  PID:12116
- C:\Windows\System32\xQllBQW.exe
  C:\Windows\System32\xQllBQW.exe
  2⤵
  PID:12136
- C:\Windows\System32\kHmWPnT.exe
  C:\Windows\System32\kHmWPnT.exe
  2⤵
  PID:12164
- C:\Windows\System32\MvCMNiW.exe
  C:\Windows\System32\MvCMNiW.exe
  2⤵
  PID:12188
- C:\Windows\System32\qLpxKyU.exe
  C:\Windows\System32\qLpxKyU.exe
  2⤵
  PID:12208
- C:\Windows\System32\nGMbuxM.exe
  C:\Windows\System32\nGMbuxM.exe
  2⤵
  PID:12248
- C:\Windows\System32\sRgtERp.exe
  C:\Windows\System32\sRgtERp.exe
  2⤵
  PID:12276
- C:\Windows\System32\bxwpIdg.exe
  C:\Windows\System32\bxwpIdg.exe
  2⤵
  PID:11296
- C:\Windows\System32\EbrqOzg.exe
  C:\Windows\System32\EbrqOzg.exe
  2⤵
  PID:11384
- C:\Windows\System32\KTXEZdU.exe
  C:\Windows\System32\KTXEZdU.exe
  2⤵
  PID:11364
- C:\Windows\System32\ALcmegt.exe
  C:\Windows\System32\ALcmegt.exe
  2⤵
  PID:11448
- C:\Windows\System32\OAwijEJ.exe
  C:\Windows\System32\OAwijEJ.exe
  2⤵
  PID:11504
- C:\Windows\System32\MvBcVMU.exe
  C:\Windows\System32\MvBcVMU.exe
  2⤵
  PID:11584
- C:\Windows\System32\dXFcIae.exe
  C:\Windows\System32\dXFcIae.exe
  2⤵
  PID:11596
- C:\Windows\System32\NdHdiAs.exe
  C:\Windows\System32\NdHdiAs.exe
  2⤵
  PID:11752
- C:\Windows\System32\yCTRnln.exe
  C:\Windows\System32\yCTRnln.exe
  2⤵
  PID:11796
- C:\Windows\System32\pghLwZH.exe
  C:\Windows\System32\pghLwZH.exe
  2⤵
  PID:11864
- C:\Windows\System32\bKGlvWD.exe
  C:\Windows\System32\bKGlvWD.exe
  2⤵
  PID:11900
- C:\Windows\System32\RtsQEWk.exe
  C:\Windows\System32\RtsQEWk.exe
  2⤵
  PID:11948
- C:\Windows\System32\SBkawEO.exe
  C:\Windows\System32\SBkawEO.exe
  2⤵
  PID:12080
- C:\Windows\System32\MrnouXv.exe
  C:\Windows\System32\MrnouXv.exe
  2⤵
  PID:12152
- C:\Windows\System32\PWoXHLI.exe
  C:\Windows\System32\PWoXHLI.exe
  2⤵
  PID:12220
- C:\Windows\System32\HmMtjDJ.exe
  C:\Windows\System32\HmMtjDJ.exe
  2⤵
  PID:12272
- C:\Windows\System32\pracsAg.exe
  C:\Windows\System32\pracsAg.exe
  2⤵
  PID:11332
- C:\Windows\System32\bxTNnKi.exe
  C:\Windows\System32\bxTNnKi.exe
  2⤵
  PID:11464
- C:\Windows\System32\rThinpz.exe
  C:\Windows\System32\rThinpz.exe
  2⤵
  PID:11468
- C:\Windows\System32\ZdvSwLj.exe
  C:\Windows\System32\ZdvSwLj.exe
  2⤵
  PID:11600
- C:\Windows\System32\OQoEICv.exe
  C:\Windows\System32\OQoEICv.exe
  2⤵
  PID:11772
- C:\Windows\System32\NYuqrMn.exe
  C:\Windows\System32\NYuqrMn.exe
  2⤵
  PID:11980
- C:\Windows\System32\aCLWxsW.exe
  C:\Windows\System32\aCLWxsW.exe
  2⤵
  PID:12200
- C:\Windows\System32\gwHVlDQ.exe
  C:\Windows\System32\gwHVlDQ.exe
  2⤵
  PID:12260
- C:\Windows\System32\JxRhoPe.exe
  C:\Windows\System32\JxRhoPe.exe
  2⤵
  PID:11548
- C:\Windows\System32\Ssynmxf.exe
  C:\Windows\System32\Ssynmxf.exe
  2⤵
  PID:11380
- C:\Windows\System32\oXGgLmQ.exe
  C:\Windows\System32\oXGgLmQ.exe
  2⤵
  PID:12100
- C:\Windows\System32\PttAIfM.exe
  C:\Windows\System32\PttAIfM.exe
  2⤵
  PID:2864
- C:\Windows\System32\NHtwljL.exe
  C:\Windows\System32\NHtwljL.exe
  2⤵
  PID:11932
- C:\Windows\System32\bUIlwpw.exe
  C:\Windows\System32\bUIlwpw.exe
  2⤵
  PID:12304
- C:\Windows\System32\LXuBqGD.exe
  C:\Windows\System32\LXuBqGD.exe
  2⤵
  PID:12368
- C:\Windows\System32\MFjDULH.exe
  C:\Windows\System32\MFjDULH.exe
  2⤵
  PID:12384
- C:\Windows\System32\GxmQOdw.exe
  C:\Windows\System32\GxmQOdw.exe
  2⤵
  PID:12400
- C:\Windows\System32\cVdLiWd.exe
  C:\Windows\System32\cVdLiWd.exe
  2⤵
  PID:12416
- C:\Windows\System32\RsSRxyu.exe
  C:\Windows\System32\RsSRxyu.exe
  2⤵
  PID:12444
- C:\Windows\System32\erHPMZO.exe
  C:\Windows\System32\erHPMZO.exe
  2⤵
  PID:12464
- C:\Windows\System32\mhLWGNW.exe
  C:\Windows\System32\mhLWGNW.exe
  2⤵
  PID:12484
- C:\Windows\System32\METYKhz.exe
  C:\Windows\System32\METYKhz.exe
  2⤵
  PID:12500
- C:\Windows\System32\GwHKTpZ.exe
  C:\Windows\System32\GwHKTpZ.exe
  2⤵
  PID:12528
- C:\Windows\System32\LiVNZMA.exe
  C:\Windows\System32\LiVNZMA.exe
  2⤵
  PID:12580
- C:\Windows\System32\gyczoVR.exe
  C:\Windows\System32\gyczoVR.exe
  2⤵
  PID:12628
- C:\Windows\System32\SIkmcCW.exe
  C:\Windows\System32\SIkmcCW.exe
  2⤵
  PID:12652
- C:\Windows\System32\ajFEhIH.exe
  C:\Windows\System32\ajFEhIH.exe
  2⤵
  PID:12680
- C:\Windows\System32\PuAxnzn.exe
  C:\Windows\System32\PuAxnzn.exe
  2⤵
  PID:12704
- C:\Windows\System32\vdubCiq.exe
  C:\Windows\System32\vdubCiq.exe
  2⤵
  PID:12732
- C:\Windows\System32\zThLAzx.exe
  C:\Windows\System32\zThLAzx.exe
  2⤵
  PID:12760
- C:\Windows\System32\nnVdikP.exe
  C:\Windows\System32\nnVdikP.exe
  2⤵
  PID:12780
- C:\Windows\System32\MkYINtF.exe
  C:\Windows\System32\MkYINtF.exe
  2⤵
  PID:12812
- C:\Windows\System32\jdLjPTc.exe
  C:\Windows\System32\jdLjPTc.exe
  2⤵
  PID:12880
- C:\Windows\System32\WWOGPSJ.exe
  C:\Windows\System32\WWOGPSJ.exe
  2⤵
  PID:12896
- C:\Windows\System32\jAKxjIf.exe
  C:\Windows\System32\jAKxjIf.exe
  2⤵
  PID:12912
- C:\Windows\System32\JYUCgfq.exe
  C:\Windows\System32\JYUCgfq.exe
  2⤵
  PID:12948
- C:\Windows\System32\ufJDIOy.exe
  C:\Windows\System32\ufJDIOy.exe
  2⤵
  PID:12972
- C:\Windows\System32\SfpMQDN.exe
  C:\Windows\System32\SfpMQDN.exe
  2⤵
  PID:13004
- C:\Windows\System32\Jzfracr.exe
  C:\Windows\System32\Jzfracr.exe
  2⤵
  PID:13024
- C:\Windows\System32\NHkuxfs.exe
  C:\Windows\System32\NHkuxfs.exe
  2⤵
  PID:13052
- C:\Windows\System32\TDXwEHZ.exe
  C:\Windows\System32\TDXwEHZ.exe
  2⤵
  PID:13072
- C:\Windows\System32\vnjOcto.exe
  C:\Windows\System32\vnjOcto.exe
  2⤵
  PID:13096
- C:\Windows\System32\xbwoZUi.exe
  C:\Windows\System32\xbwoZUi.exe
  2⤵
  PID:13116
- C:\Windows\System32\FfwupyV.exe
  C:\Windows\System32\FfwupyV.exe
  2⤵
  PID:13172
- C:\Windows\System32\OLwpIyx.exe
  C:\Windows\System32\OLwpIyx.exe
  2⤵
  PID:13196
- C:\Windows\System32\njTAgVL.exe
  C:\Windows\System32\njTAgVL.exe
  2⤵
  PID:13220
- C:\Windows\System32\lzzbhcd.exe
  C:\Windows\System32\lzzbhcd.exe
  2⤵
  PID:13260
- C:\Windows\System32\jCdHRdp.exe
  C:\Windows\System32\jCdHRdp.exe
  2⤵
  PID:13284
- C:\Windows\System32\WlRjtMi.exe
  C:\Windows\System32\WlRjtMi.exe
  2⤵
  PID:13308
- C:\Windows\System32\okFTSBR.exe
  C:\Windows\System32\okFTSBR.exe
  2⤵
  PID:11688
- C:\Windows\System32\MjTEpgt.exe
  C:\Windows\System32\MjTEpgt.exe
  2⤵
  PID:12396
- C:\Windows\System32\itqeSap.exe
  C:\Windows\System32\itqeSap.exe
  2⤵
  PID:12408
- C:\Windows\System32\pRJPTTf.exe
  C:\Windows\System32\pRJPTTf.exe
  2⤵
  PID:12536
- C:\Windows\System32\NPucSNS.exe
  C:\Windows\System32\NPucSNS.exe
  2⤵
  PID:12516
- C:\Windows\System32\Ntxrmzp.exe
  C:\Windows\System32\Ntxrmzp.exe
  2⤵
  PID:12620
- C:\Windows\System32\dKkQbSR.exe
  C:\Windows\System32\dKkQbSR.exe
  2⤵
  PID:12664
- C:\Windows\System32\NBXaKwx.exe
  C:\Windows\System32\NBXaKwx.exe
  2⤵
  PID:12768
- C:\Windows\System32\KZonLBW.exe
  C:\Windows\System32\KZonLBW.exe
  2⤵
  PID:12840
- C:\Windows\System32\qXVgPAw.exe
  C:\Windows\System32\qXVgPAw.exe
  2⤵
  PID:12860
- C:\Windows\System32\tSWxaQM.exe
  C:\Windows\System32\tSWxaQM.exe
  2⤵
  PID:12956

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BdrkMTe.exe

Filesize
942KB

MD5
1eafacdaf6eb70d2232b3bed22d16c6f

SHA1
2a6cb33084693dd757fc837ea36cc79e23e44d3a

SHA256
bd4bbd918a8da969dbd2ea1ed90754a0ebbd4cc49332f373d8c80e3f4df69ed8

SHA512
71d273a3846ad3e1752bdbf940847ecc49b23900d0c3e6540e5092df28213d222de09665d79187a26680886a77e56cfcb98fb68dbe75a552b65f2825e0a613f7

Download Submit
C:\Windows\System32\FhYXrLQ.exe

Filesize
943KB

MD5
d316dec964347e418cb54829ee02b986

SHA1
bd2d166e07be50c3af1222dd0e9148fac1ba3b59

SHA256
b2ca3fc7976a54fc0ed75e94c8f6396800ffacd31a6e34ddb4b2a0098d8eb766

SHA512
8264709c9c5bf9a30240ca89846a416ea30f3508c150cfb621fd94a6c6abae8578c7edf6b04a3e99c56f3abf8b5941b0c6e6261e2371268ed7a3ec7f80e38f61

Download Submit
C:\Windows\System32\GlUtTdj.exe

Filesize
939KB

MD5
c53a5ad99d1ca909dfea8e9636b575fe

SHA1
41d7861667eb550df1eb479f176067c11a330856

SHA256
70a50a163163cc1e358517a90a4546b240b90296a5a68e0074cd22e12ffd90e2

SHA512
e27534ca35f06b048ae28172f39ef3f6f8fd47e2f199858cad96df515599043ef18803a986f6d5c78b85887f6bc62a09ed9a4083018b3bd50b6e1233da86eb0a

Download Submit
C:\Windows\System32\HaaWmAw.exe

Filesize
943KB

MD5
ab25bcd5f911c1d53991c80f2ffae048

SHA1
b2164d51ec962becc5847a9178d4fe09c486dca5

SHA256
5dfabb56bdb70b5e0a07b09b2f7dc746371007f023b34a7d3e71ef7bf833f4e6

SHA512
11a8952fde2e0916367c3e611a11e0b96717b75767cf6c309f544f6d218254e552fc67d02f1fcf13f89ab7b2ce7e705037157bba6c0f140e889a3c94aeb54534

Download Submit
C:\Windows\System32\JMWzAsg.exe

Filesize
942KB

MD5
e1b0935ad92a2ea7589907eaceee1a7f

SHA1
403e0b32e6704cd811fae0fd9fb176efd92f21d0

SHA256
a3d5b2199cb53f1c4a4b0a098b7e38e28b543650fc453d6d5bc16ebf0d26279a

SHA512
51f66fd56f1b1bdb35ddd50f34a3092e63618685ab360507b8d8cd2a8ad9c5b30d4664805c0f75ecad508450f7311108a69eeb718c43bd2bcf8b81f47bc495a5

Download Submit
C:\Windows\System32\JbkCirH.exe

Filesize
945KB

MD5
a52f0d89791dab8924c3adc447f384a6

SHA1
05c85c969fdecd88299ac34360233f4e9cc6f043

SHA256
fa4c51ff50708678def94688a9bac8f3e1f08e14611b1eb843d2dba4300db6c1

SHA512
c69de979c75986f8e1d81765e9640a0d52cc1428decc738a94127784e660600f78d82018b3e29afd4e79524e0a1290b579241c4ea0bcfbc74b31924b96cf9697

Download Submit
C:\Windows\System32\JdTNMXN.exe

Filesize
938KB

MD5
db93cfb69bf7f446d9877bd5758402c5

SHA1
29b9f18792da4df0147d63b3a089ce8fc56da5aa

SHA256
193bef307308f776a0a431ddb6c8be83ac8ea1684d19cec5a631487255e90e29

SHA512
06fa669e0e63405ef819e8292db06ae8be891744cd054f941e413aea3bf16d3ea685a125a5ae8a1bf7bd83388d3c4d149ba6b99b299d9f83c5bd86c1990b414d

Download Submit
C:\Windows\System32\KeZzFBv.exe

Filesize
942KB

MD5
57c22ece048b4d4f1e0dccc3c192657c

SHA1
20b02054dd60bd47bd2ac4da3d028f9f3f97fe6f

SHA256
322e8d64fa9536d7c3dcccc271f26bf17d9bf601d61db299ce631cac8ef371f9

SHA512
11c11dd79f392744db44452b37262260f9adedb738a09703152f5aef15ddc195fc418d6eb9ad2126ca8f01611384b1e8d102d5b4a81b328fb5afd2791776d0fc

Download Submit
C:\Windows\System32\LEkzlzE.exe

Filesize
945KB

MD5
b565ed4c82b765c83fdac4a1c5e7424e

SHA1
1bab5f5b6b0fd352d529812fc3f7fc5b9b2074c6

SHA256
fda0caa76ebb5ba4705a8aef9bf6b3dfac3744781c8928707d9a504f2cc22457

SHA512
8e366e4639b810efa8f88ca099bd5f5a2ec9eb805f41b221f1e532f4ad4427e9fd9b3d05fbf6160919ecc5269b8917c1987dac98e2e265a5558a9f28a4e47c1b

Download Submit
C:\Windows\System32\LrOXzci.exe

Filesize
945KB

MD5
2c4d952793cd069e7fcfe8dadfe4229e

SHA1
07f7e5bce24362afb1fe713eef46ec18bc15301a

SHA256
3f00161ab8338181f8262e69e2a8e241cb6e80ce722fce66f3ca1f19af197987

SHA512
b56b5d0d8445e5a00120999bfef22a81783efc3287187df8d963d2a9fe95bff97d3f8f86b77df9c6b7a3662b69dec381d3893db8677c95c3ba80f5a62738c423

Download Submit
C:\Windows\System32\NmbCFTb.exe

Filesize
941KB

MD5
06a138ab53ba9b553430708aa21590f8

SHA1
b22e42273c985dd7b2bd876677da065e3aa6319c

SHA256
dc6ddbec9202d5dce63147c781b5ab08b2730a8a9d33e0cab72f093e1d51c953

SHA512
4aacddb4a13f9ea480e6e850cc9ede49f8934f55efd0a2bccae8cd93764d32474c70a2eede9ffb3c0db25de09f2430475925e4bf66e3a19f252b056ddea753ef

Download Submit
C:\Windows\System32\OLPRNKQ.exe

Filesize
944KB

MD5
9cb38454bd66b0e51ef99cdde444deaf

SHA1
f7a749f15373dc3dd7c97659f178f94521c1df0c

SHA256
48efe313dbaf065a58c471e29c1a8ecacaa28b9fa67f293c0f3355aa5aab0c86

SHA512
a72396b7dd31784ab71651e06fbf22ecc76178df0daf1866fdd13e9973c976ac344cdce6ab3dc7582039e975b8771ef2786d58b210005c2aec7f9eb9e3fec478

Download Submit
C:\Windows\System32\QZgnKis.exe

Filesize
943KB

MD5
be4bb88a3813d1a942fe396febd4da00

SHA1
8c9e6e20d9f4789305310ad781100df628516f5f

SHA256
d037acfa3ce78959fe8d9230df77b162bce494b6d137d89333d9ba031451f141

SHA512
a24f3eee921d3959f855babd37b69fbbd555294deaf7b54bd7b616b7175183e3eff2f655c314eb432672f5ce918a070b1fe9da43edb3c14a9b29bc7fffc63e51

Download Submit
C:\Windows\System32\SjqjXky.exe

Filesize
946KB

MD5
3c4c9c834aadc62fb49743cd3f7b7242

SHA1
04f32cdd930dd1d8e2c9bc307bf74f51de852f6e

SHA256
55853d133eb95a80b6413477a5262d43223831eead66c48a50b30ac96dc818e5

SHA512
0bdbafc6eb389221aee8bc295b9f56251892ef06574d38e82c22a075364ab0a4f7d2a63c6d1b674821231ea2793082f3f67aa21a630bb2e695673a27f331d76d

Download Submit
C:\Windows\System32\WGMKDAc.exe

Filesize
942KB

MD5
94ae7338ed865bdd1245febbce39d84d

SHA1
94346f2a8aaf351469094f6f074dfbc9c405f710

SHA256
75457fd4e4c6bb97c1ce5410a845711e856cfadf7ecad2e1b2d8ef5c8d72da44

SHA512
1faf644325476d63b5a9a2106f50950d12c0468b69b1055d40c0c84aa3ed0733d89fa7063a54953d1abb097ab401df4acd42861dda3c5bf4452786de3d20e97a

Download Submit
C:\Windows\System32\XzhTgdP.exe

Filesize
939KB

MD5
d34e89ab16ca87d6a124f5c2dcb54505

SHA1
f404647c47bce71892f42efd768e59e912e669c5

SHA256
000677e57b26ab1162fab8552102ae72a7d51c28b30fb221f993e564d10db46f

SHA512
9e73eb84247d4f18e67b0cd4bd050233f2c494fee0fc83e5d247ac7e965408292b08d65ad252eec5daf881a544db8d8eaf6d4fbd0f6d72de53cd6dfb266c077f

Download Submit
C:\Windows\System32\eKqcCHR.exe

Filesize
939KB

MD5
98ee80f87d48059a93c6e0f5dcdada4b

SHA1
7972292f18e89ba37ba96405f7ca4426483a3267

SHA256
76af8a82c97df71df8ca50db6c2597a7201f8e363a94cc1b0166e60fe35a8730

SHA512
96bfc7366f7d3b1d9ee1f973e38cbd6de552e755a52749c71880f030c68a28837defbec05f3359d12235567696c3526809260531b99183f945faf1f6d6752936

Download Submit
C:\Windows\System32\eTCZQhH.exe

Filesize
943KB

MD5
29c58b21ea17e8c875478ac76442163c

SHA1
3da43c7fbb29989f5da22ad628711bac6a866cb3

SHA256
26d6f4b259bf53e9890480083cf13692f0d5af994658a8c893a25d914595a450

SHA512
fb3026ce1e410b105738f61c5cd3550908d682138fd468b32d77771dfe4cc0eff196dd216786d4bb5e81454d1cd2b4ed1b91e1d2dc6f59dc741890606351545f

Download Submit
C:\Windows\System32\gIaUGCp.exe

Filesize
941KB

MD5
bfd8790968701821f92fcee4d72c9311

SHA1
1c8b32a261889726445f4c9bbe297199ae5bfab7

SHA256
43c79e697d333416a15e5dba5fc6685554690f401c7875fb9afcfce7c33541f1

SHA512
ea9f7e533ff649648455cd0d722f5badc8c635a12f2ffacce18cc467e97026c9aa441de91550a69b4bb7b488e71f7c3958cd822d9c7cd837ae1942073547eaa0

Download Submit
C:\Windows\System32\guToiex.exe

Filesize
940KB

MD5
15c80708d7bcfba89993c53d9aa47f6c

SHA1
bb22095120c016509e2f1a7f32e55a46486d0558

SHA256
f95b2f99b3555b049bc9de10dab18d37e25974679bb4127f90d9dd72846a191c

SHA512
60e31c4116327ac8f36104bf5c138a4f86b086594b0a09edfd097cbc8f4c70cbc4ffc92f5eb7b4d8cdf702d4964aad4db11e3e052f3fe84805f026c1f744d2f1

Download Submit
C:\Windows\System32\kvTupsn.exe

Filesize
944KB

MD5
0abb50b1dd50651d35de7bbe7dc78431

SHA1
7d6c670ee348c03b452f71900fcc8e3d60061d24

SHA256
6cc435c449f6aa28880b806cbd64b598ff295f39a068841f34960c24db30f5e3

SHA512
a32a5f50d17e4cf73199b1c36c4d5606c7df274a773fb19983e8c2575c2a171e7715829e4d8da32d87ca765075eebd7d9c7e9bfc8f7dc1d8dc7696ad7b0e6a2d

Download Submit
C:\Windows\System32\lEfckWA.exe

Filesize
941KB

MD5
8bc0f13c1b5dd463ba7795884036e3c3

SHA1
dd5fd759b1683b508a5709bd3cf76281712e2e6d

SHA256
1d3f8ff6d4ea6b7922d26af269f182ca2f08159efb8e003fa7cb310a1a1a1a1b

SHA512
0dd94e1960e4617f1a1a907b87a58cd52e8bb91cfcf2e11ebdf36ced9ade56ecd4cafadb3174f8a03989c8749fb9beb219bf80ce6de18a6dc2550746b274125c

Download Submit
C:\Windows\System32\meDvoRp.exe

Filesize
939KB

MD5
b2293621d3f4ffe5795979c47746d0e6

SHA1
61edb3112c5aacb3e8436b9fa4bff077fa906c9a

SHA256
2db7843c42c59c55cbdad3fc7b8216bfe738f9a2b3e9b624b2261840fa47d190

SHA512
88457c38f1b06b32f440e8db338ec6884120e19a9951411931aec7f22bae2d211b18b3a63cf15b3953fc50e616538610b543c1b409b611ddede8529f1431ee9e

Download Submit
C:\Windows\System32\oiNLijO.exe

Filesize
940KB

MD5
e91f710abf2863879d05da7e53543ff2

SHA1
aeff6e7120550cd41ea48c99d25320e80e4b0582

SHA256
8e2e135888d36f2679b457a750526bd43eac4600306e37e3f0886374ac7aab26

SHA512
18222d59eb01c04f74577900d08dee9d90d260180bfa8abec90f8b4103be497ca9cb5e3244fee4dc5e46193b1d008e9552fb368dc57c15a8c1ba5acc78c1a805

Download Submit
C:\Windows\System32\pAIaGFN.exe

Filesize
940KB

MD5
89856ebc5ca12dfb2b429e102097c05f

SHA1
78c19c7c49a336051266c926a1b35a72e98fc9fd

SHA256
4438603f2b64e492bf70ee971f3a4ea5c93aa55353b0b8605d347ad997ba4972

SHA512
d1d8afc39b35d0ce68963d0e12a99df49a0a4875db5493019165ff7fe6e85a273bc3a51d26a9ca66632e5ac6d8f6309faf8a8ae6c5399ff6634508bb48845c04

Download Submit
C:\Windows\System32\pNmCQzC.exe

Filesize
944KB

MD5
509073b22fd3e0dd23b59a38ab18f6a2

SHA1
1d5e9e3801f5c66853b22c2cea1336f9bb16040e

SHA256
1b1c2dd89dc58a81aacfd5f5a1d05ee4f68da4ed0158ed216331509246cc9795

SHA512
abd4d6c9d13062895a04539b11106a4ff5414c73859c9f536b6927154278aed6fdf8a23aef25afbacad885b9a704ac1bf28a3216e104950bee9b123ebe93e77e

Download Submit
C:\Windows\System32\pcIcOAh.exe

Filesize
946KB

MD5
106ea50630f6bb5843418db482faea68

SHA1
9a4981de31beaa4ecfa2e96b4ac03e9524ec03d0

SHA256
633fa893dba2f27b70a613ec61e4074bc901e5a123497363c7faf55251c5817c

SHA512
b5381c75221d86d39a108cff327d819dcd04d8bc191f14cc6ae44808337c62eeca965e6fc9b12d824af10d70214dc845269740142c3b83915f5ef29dddf160cb

Download Submit
C:\Windows\System32\qyKmPMZ.exe

Filesize
945KB

MD5
6462f17db9ad0fea5a4119844dce7a99

SHA1
0033a43a2d110099b1c1ce6bfc4795126606088d

SHA256
59601d26e977448193891c822a57efc32ce8c9d37579d4ae2a344a1b58e4867e

SHA512
0e381d8970472862514afe99256a4411b445a541fbb88c2bab93a85afea77aac51c326da580e7794087498d4dde38a61bd4f377155f02b2009ecc68dceba4c9c

Download Submit
C:\Windows\System32\rPojgVS.exe

Filesize
944KB

MD5
e12232ac8698c72e3fa6dbb5f4e62813

SHA1
f7e59f91768070663f73b448728fb69d89ce8537

SHA256
333ae79615f348262bac50d3f64ac174c6f8e660583c705ccd39e40ba0b0da8d

SHA512
7ce78be6be7e98060ca2616c652ce48199eece77ede9e0f477bc263e644bc038662336550b01aab544d95af144b8da442c0df2669dab42089b1c3de0958e15d6

Download Submit
C:\Windows\System32\tFGPSpp.exe

Filesize
942KB

MD5
e5c8d18d2e05ea91b55d265288eb90fb

SHA1
5df5fde87b793a54ee010b2299e39fcf05f8c449

SHA256
03ab5015df680c19f864eacbba565187b3874e52ad65b89ff343d5a5d9e11883

SHA512
22ac0916dd6188f6f05b5e9e7fc4f1e66da896436b0463ecb72ad15df680e17a81c1517e56d43a24defb44beb9da682acb0ceeda95fcdc87013823c59ba5aeef

Download Submit
C:\Windows\System32\vSiJMPX.exe

Filesize
941KB

MD5
cd8151e8fee2697470067135e80b9821

SHA1
896cf5f61f1a3de10e0585f91c3290d1e26dd047

SHA256
58a2b3bdb5f05e7f0607e5bac7638052ba676b0ae68d5d54ffd3ac63eb62ea56

SHA512
2ca9ed35023de9a80347a72590a412eeeeccaf3e193ea898f3dbfe5da58020415744fdbe2a565746e7f8bafbb71f94c2bf13cfb563c9d2861435a22f28f9d8e6

Download Submit
C:\Windows\System32\zPOfvyl.exe

Filesize
940KB

MD5
65eaa700871074f2f7638dd06af03ccb

SHA1
9825a9c5eadaf264865a391f346668e5fe195d06

SHA256
05b547b0a0079fa4483b4674f38c914b34d3efce8bce94b9bffb30bb38447b6c

SHA512
d3ae57e29d50d75e1bd025140e37be534914e489b56917b852a70d5630ca170e4c8c7c6db8bff2e6756f7a43951b6fb1656765c149266ac06223aac7e63748ab

Download Submit
memory/8-0-0x00007FF78D8A0000-0x00007FF78DC91000-memory.dmp

Filesize
3.9MB

Download
memory/8-1-0x0000015703D90000-0x0000015703DA0000-memory.dmp

Filesize
64KB

Download
memory/748-38-0x00007FF6F01F0000-0x00007FF6F05E1000-memory.dmp

Filesize
3.9MB

Download
memory/748-2043-0x00007FF6F01F0000-0x00007FF6F05E1000-memory.dmp

Filesize
3.9MB

Download
memory/1032-2051-0x00007FF777C00000-0x00007FF777FF1000-memory.dmp

Filesize
3.9MB

Download
memory/1032-352-0x00007FF777C00000-0x00007FF777FF1000-memory.dmp

Filesize
3.9MB

Download
memory/1264-2077-0x00007FF650D30000-0x00007FF651121000-memory.dmp

Filesize
3.9MB

Download
memory/1264-429-0x00007FF650D30000-0x00007FF651121000-memory.dmp

Filesize
3.9MB

Download
memory/1372-444-0x00007FF6AC770000-0x00007FF6ACB61000-memory.dmp

Filesize
3.9MB

Download
memory/1372-2059-0x00007FF6AC770000-0x00007FF6ACB61000-memory.dmp

Filesize
3.9MB

Download
memory/1424-408-0x00007FF749CB0000-0x00007FF74A0A1000-memory.dmp

Filesize
3.9MB

Download
memory/1424-2063-0x00007FF749CB0000-0x00007FF74A0A1000-memory.dmp

Filesize
3.9MB

Download
memory/1864-2061-0x00007FF78BC60000-0x00007FF78C051000-memory.dmp

Filesize
3.9MB

Download
memory/1864-381-0x00007FF78BC60000-0x00007FF78C051000-memory.dmp

Filesize
3.9MB

Download
memory/2324-442-0x00007FF7D2380000-0x00007FF7D2771000-memory.dmp

Filesize
3.9MB

Download
memory/2324-2088-0x00007FF7D2380000-0x00007FF7D2771000-memory.dmp

Filesize
3.9MB

Download
memory/2396-410-0x00007FF694DA0000-0x00007FF695191000-memory.dmp

Filesize
3.9MB

Download
memory/2396-2071-0x00007FF694DA0000-0x00007FF695191000-memory.dmp

Filesize
3.9MB

Download
memory/2900-2047-0x00007FF7CB780000-0x00007FF7CBB71000-memory.dmp

Filesize
3.9MB

Download
memory/2900-2039-0x00007FF7CB780000-0x00007FF7CBB71000-memory.dmp

Filesize
3.9MB

Download
memory/2900-27-0x00007FF7CB780000-0x00007FF7CBB71000-memory.dmp

Filesize
3.9MB

Download
memory/3260-441-0x00007FF6C0AA0000-0x00007FF6C0E91000-memory.dmp

Filesize
3.9MB

Download
memory/3260-2084-0x00007FF6C0AA0000-0x00007FF6C0E91000-memory.dmp

Filesize
3.9MB

Download
memory/3376-2073-0x00007FF67EAF0000-0x00007FF67EEE1000-memory.dmp

Filesize
3.9MB

Download
memory/3376-420-0x00007FF67EAF0000-0x00007FF67EEE1000-memory.dmp

Filesize
3.9MB

Download
memory/3388-2004-0x00007FF703690000-0x00007FF703A81000-memory.dmp

Filesize
3.9MB

Download
memory/3388-2041-0x00007FF703690000-0x00007FF703A81000-memory.dmp

Filesize
3.9MB

Download
memory/3388-22-0x00007FF703690000-0x00007FF703A81000-memory.dmp

Filesize
3.9MB

Download
memory/3396-2075-0x00007FF689B70000-0x00007FF689F61000-memory.dmp

Filesize
3.9MB

Download
memory/3396-422-0x00007FF689B70000-0x00007FF689F61000-memory.dmp

Filesize
3.9MB

Download
memory/3440-2057-0x00007FF6151E0000-0x00007FF6155D1000-memory.dmp

Filesize
3.9MB

Download
memory/3440-371-0x00007FF6151E0000-0x00007FF6155D1000-memory.dmp

Filesize
3.9MB

Download
memory/3464-2069-0x00007FF70FAE0000-0x00007FF70FED1000-memory.dmp

Filesize
3.9MB

Download
memory/3464-385-0x00007FF70FAE0000-0x00007FF70FED1000-memory.dmp

Filesize
3.9MB

Download
memory/3760-2055-0x00007FF60F620000-0x00007FF60FA11000-memory.dmp

Filesize
3.9MB

Download
memory/3760-443-0x00007FF60F620000-0x00007FF60FA11000-memory.dmp

Filesize
3.9MB

Download
memory/3796-2006-0x00007FF641F00000-0x00007FF6422F1000-memory.dmp

Filesize
3.9MB

Download
memory/3796-31-0x00007FF641F00000-0x00007FF6422F1000-memory.dmp

Filesize
3.9MB

Download
memory/3796-2049-0x00007FF641F00000-0x00007FF6422F1000-memory.dmp

Filesize
3.9MB

Download
memory/4132-2082-0x00007FF74ADF0000-0x00007FF74B1E1000-memory.dmp

Filesize
3.9MB

Download
memory/4132-439-0x00007FF74ADF0000-0x00007FF74B1E1000-memory.dmp

Filesize
3.9MB

Download
memory/4388-2065-0x00007FF781720000-0x00007FF781B11000-memory.dmp

Filesize
3.9MB

Download
memory/4388-399-0x00007FF781720000-0x00007FF781B11000-memory.dmp

Filesize
3.9MB

Download
memory/4628-2079-0x00007FF658980000-0x00007FF658D71000-memory.dmp

Filesize
3.9MB

Download
memory/4628-435-0x00007FF658980000-0x00007FF658D71000-memory.dmp

Filesize
3.9MB

Download
memory/4828-2086-0x00007FF67A690000-0x00007FF67AA81000-memory.dmp

Filesize
3.9MB

Download
memory/4828-440-0x00007FF67A690000-0x00007FF67AA81000-memory.dmp

Filesize
3.9MB

Download
memory/4964-390-0x00007FF7884C0000-0x00007FF7888B1000-memory.dmp

Filesize
3.9MB

Download
memory/4964-2053-0x00007FF7884C0000-0x00007FF7888B1000-memory.dmp

Filesize
3.9MB

Download
memory/5024-2005-0x00007FF7CA340000-0x00007FF7CA731000-memory.dmp

Filesize
3.9MB

Download
memory/5024-36-0x00007FF7CA340000-0x00007FF7CA731000-memory.dmp

Filesize
3.9MB

Download
memory/5024-2045-0x00007FF7CA340000-0x00007FF7CA731000-memory.dmp

Filesize
3.9MB

Download
memory/5088-2067-0x00007FF780BC0000-0x00007FF780FB1000-memory.dmp

Filesize
3.9MB

Download
memory/5088-394-0x00007FF780BC0000-0x00007FF780FB1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads