xmrig | 643024755caa4b63af34b0a1cbdc44edb5eabcfb64d663813231f286fe3e5ab9

Analysis

max time kernel
122s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
Size

1.5MB
MD5

0de1a5167a0ff0f473e0aefb65249649
SHA1

2f3419795e70e0a14c936a4475ee41d88032995d
SHA256

643024755caa4b63af34b0a1cbdc44edb5eabcfb64d663813231f286fe3e5ab9
SHA512

609b654ed60d0242dbff3027193fb4a82b38eba7c7aab399ead684c3778b5b3c82ff120a8fbe618c6ecb123be0efcfe8cefab6695efa2b47c84d8bda764956bf
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO9C1MKTbcMfHhGjw2qPIC42AsKL/KXvqqh:knw9oUUEEDlGUjc2HhG82qw77cqs

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4460-10-0x00007FF7FCF30000-0x00007FF7FD321000-memory.dmp	xmrig
behavioral2/memory/1676-427-0x00007FF67FF60000-0x00007FF680351000-memory.dmp	xmrig
behavioral2/memory/2032-428-0x00007FF63BA30000-0x00007FF63BE21000-memory.dmp	xmrig
behavioral2/memory/4168-430-0x00007FF6832C0000-0x00007FF6836B1000-memory.dmp	xmrig
behavioral2/memory/2448-432-0x00007FF7448D0000-0x00007FF744CC1000-memory.dmp	xmrig
behavioral2/memory/952-433-0x00007FF77D2F0000-0x00007FF77D6E1000-memory.dmp	xmrig
behavioral2/memory/2944-431-0x00007FF765210000-0x00007FF765601000-memory.dmp	xmrig
behavioral2/memory/4944-429-0x00007FF62C4B0000-0x00007FF62C8A1000-memory.dmp	xmrig
behavioral2/memory/3408-436-0x00007FF633F40000-0x00007FF634331000-memory.dmp	xmrig
behavioral2/memory/4640-440-0x00007FF7C3DA0000-0x00007FF7C4191000-memory.dmp	xmrig
behavioral2/memory/2656-449-0x00007FF68B000000-0x00007FF68B3F1000-memory.dmp	xmrig
behavioral2/memory/3048-456-0x00007FF7083E0000-0x00007FF7087D1000-memory.dmp	xmrig
behavioral2/memory/1812-447-0x00007FF6CDCF0000-0x00007FF6CE0E1000-memory.dmp	xmrig
behavioral2/memory/2992-457-0x00007FF7D4130000-0x00007FF7D4521000-memory.dmp	xmrig
behavioral2/memory/3144-461-0x00007FF701540000-0x00007FF701931000-memory.dmp	xmrig
behavioral2/memory/4692-467-0x00007FF7EF2C0000-0x00007FF7EF6B1000-memory.dmp	xmrig
behavioral2/memory/4924-476-0x00007FF63CBD0000-0x00007FF63CFC1000-memory.dmp	xmrig
behavioral2/memory/1692-484-0x00007FF6EC1C0000-0x00007FF6EC5B1000-memory.dmp	xmrig
behavioral2/memory/424-487-0x00007FF7A8350000-0x00007FF7A8741000-memory.dmp	xmrig
behavioral2/memory/4332-493-0x00007FF613A40000-0x00007FF613E31000-memory.dmp	xmrig
behavioral2/memory/1356-500-0x00007FF614350000-0x00007FF614741000-memory.dmp	xmrig
behavioral2/memory/1052-478-0x00007FF7DA7D0000-0x00007FF7DABC1000-memory.dmp	xmrig
behavioral2/memory/5096-2013-0x00007FF777CD0000-0x00007FF7780C1000-memory.dmp	xmrig
behavioral2/memory/3012-2014-0x00007FF63E360000-0x00007FF63E751000-memory.dmp	xmrig
behavioral2/memory/4460-2020-0x00007FF7FCF30000-0x00007FF7FD321000-memory.dmp	xmrig
behavioral2/memory/2032-2051-0x00007FF63BA30000-0x00007FF63BE21000-memory.dmp	xmrig
behavioral2/memory/952-2065-0x00007FF77D2F0000-0x00007FF77D6E1000-memory.dmp	xmrig
behavioral2/memory/3408-2067-0x00007FF633F40000-0x00007FF634331000-memory.dmp	xmrig
behavioral2/memory/1812-2071-0x00007FF6CDCF0000-0x00007FF6CE0E1000-memory.dmp	xmrig
behavioral2/memory/3048-2075-0x00007FF7083E0000-0x00007FF7087D1000-memory.dmp	xmrig
behavioral2/memory/2992-2077-0x00007FF7D4130000-0x00007FF7D4521000-memory.dmp	xmrig
behavioral2/memory/2656-2073-0x00007FF68B000000-0x00007FF68B3F1000-memory.dmp	xmrig
behavioral2/memory/4640-2069-0x00007FF7C3DA0000-0x00007FF7C4191000-memory.dmp	xmrig
behavioral2/memory/2448-2063-0x00007FF7448D0000-0x00007FF744CC1000-memory.dmp	xmrig
behavioral2/memory/2944-2061-0x00007FF765210000-0x00007FF765601000-memory.dmp	xmrig
behavioral2/memory/4168-2059-0x00007FF6832C0000-0x00007FF6836B1000-memory.dmp	xmrig
behavioral2/memory/3012-2055-0x00007FF63E360000-0x00007FF63E751000-memory.dmp	xmrig
behavioral2/memory/1676-2054-0x00007FF67FF60000-0x00007FF680351000-memory.dmp	xmrig
behavioral2/memory/5096-2049-0x00007FF777CD0000-0x00007FF7780C1000-memory.dmp	xmrig
behavioral2/memory/4944-2057-0x00007FF62C4B0000-0x00007FF62C8A1000-memory.dmp	xmrig
behavioral2/memory/4924-2139-0x00007FF63CBD0000-0x00007FF63CFC1000-memory.dmp	xmrig
behavioral2/memory/1692-2098-0x00007FF6EC1C0000-0x00007FF6EC5B1000-memory.dmp	xmrig
behavioral2/memory/424-2090-0x00007FF7A8350000-0x00007FF7A8741000-memory.dmp	xmrig
behavioral2/memory/1356-2086-0x00007FF614350000-0x00007FF614741000-memory.dmp	xmrig
behavioral2/memory/1052-2101-0x00007FF7DA7D0000-0x00007FF7DABC1000-memory.dmp	xmrig
behavioral2/memory/4692-2081-0x00007FF7EF2C0000-0x00007FF7EF6B1000-memory.dmp	xmrig
behavioral2/memory/3144-2080-0x00007FF701540000-0x00007FF701931000-memory.dmp	xmrig
behavioral2/memory/4332-2083-0x00007FF613A40000-0x00007FF613E31000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4460	RIHDNfT.exe
5096	DEGycfT.exe
3012	YSpGDbZ.exe
1676	vlqdzXQ.exe
2032	NACgZQs.exe
4944	HdDYrgp.exe
4168	msdqimY.exe
2944	OHQSqkS.exe
2448	emXUVSd.exe
952	EmBLhGK.exe
3408	nOgpQjd.exe
4640	eIvUpJu.exe
1812	wDBqwrO.exe
2656	kuGHBdx.exe
3048	ECUnexd.exe
2992	PzsJyPZ.exe
3144	rRnLcwW.exe
4692	iThrhWo.exe
4924	frAYGsm.exe
1052	qSxhraQ.exe
1692	manzPTq.exe
424	hGpGhzy.exe
4332	FTHBZki.exe
1356	ehxTPFD.exe
1236	JWgCBBu.exe
4728	hgaFswn.exe
1528	lrJYESz.exe
3196	pbsukkC.exe
1960	eGAcfmb.exe
548	WzRkjMJ.exe
1224	VOtCfug.exe
3908	SYCcsWC.exe
4144	jlnZLhE.exe
3720	nDONuFW.exe
2492	KlfFdlA.exe
3948	HeXnfNJ.exe
2260	rHFuWBr.exe
4928	xShOPyr.exe
2816	SLRLUSV.exe
4080	kdRGEMd.exe
2828	vdJHyNN.exe
3112	gychASs.exe
4684	UbfVvlY.exe
216	EIAiBqc.exe
1488	mrZQLbe.exe
1264	GIPbicU.exe
4580	CxFfWkM.exe
2464	BknHyTN.exe
876	BWWWCNw.exe
3976	KUGRTRg.exe
1484	fiRqJmi.exe
2972	PEPSdFT.exe
2768	Rgdkazj.exe
5028	zfuXdgC.exe
4496	vXNLOgs.exe
4668	BSvdtbi.exe
4968	DzDZjfs.exe
3728	hxzcEiu.exe
3676	jFGGYNi.exe
1608	ElpccDH.exe
4492	klqdypb.exe
2696	PSEZLvd.exe
1440	ihVPSVo.exe
3828	SkToCwY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3672-0-0x00007FF7B9E70000-0x00007FF7BA261000-memory.dmp	upx
behavioral2/files/0x0007000000022a9c-4.dat	upx
behavioral2/memory/4460-10-0x00007FF7FCF30000-0x00007FF7FD321000-memory.dmp	upx
behavioral2/files/0x000a000000023bcc-9.dat	upx
behavioral2/files/0x000a000000023bcb-11.dat	upx
behavioral2/files/0x000a000000023bcd-24.dat	upx
behavioral2/files/0x000a000000023bd0-39.dat	upx
behavioral2/files/0x000a000000023bd1-44.dat	upx
behavioral2/files/0x000a000000023bd3-52.dat	upx
behavioral2/files/0x000a000000023bd4-59.dat	upx
behavioral2/files/0x000a000000023bd7-74.dat	upx
behavioral2/files/0x000a000000023bda-89.dat	upx
behavioral2/files/0x000a000000023bdc-99.dat	upx
behavioral2/files/0x000a000000023bdf-112.dat	upx
behavioral2/files/0x000b000000023be1-124.dat	upx
behavioral2/files/0x0009000000023bff-149.dat	upx
behavioral2/files/0x000e000000023c05-164.dat	upx
behavioral2/memory/1676-427-0x00007FF67FF60000-0x00007FF680351000-memory.dmp	upx
behavioral2/files/0x0009000000023c01-159.dat	upx
behavioral2/files/0x0009000000023c00-154.dat	upx
behavioral2/files/0x0008000000023bfa-144.dat	upx
behavioral2/files/0x000e000000023bf1-139.dat	upx
behavioral2/files/0x000a000000023bea-134.dat	upx
behavioral2/files/0x000b000000023be2-129.dat	upx
behavioral2/files/0x000b000000023be0-119.dat	upx
behavioral2/files/0x000a000000023bde-109.dat	upx
behavioral2/files/0x000a000000023bdd-104.dat	upx
behavioral2/files/0x000a000000023bdb-94.dat	upx
behavioral2/files/0x000a000000023bd9-84.dat	upx
behavioral2/files/0x000a000000023bd8-79.dat	upx
behavioral2/files/0x000a000000023bd6-69.dat	upx
behavioral2/files/0x000a000000023bd5-64.dat	upx
behavioral2/files/0x000a000000023bd2-49.dat	upx
behavioral2/files/0x000a000000023bcf-34.dat	upx
behavioral2/files/0x000a000000023bce-29.dat	upx
behavioral2/memory/3012-19-0x00007FF63E360000-0x00007FF63E751000-memory.dmp	upx
behavioral2/memory/5096-16-0x00007FF777CD0000-0x00007FF7780C1000-memory.dmp	upx
behavioral2/memory/2032-428-0x00007FF63BA30000-0x00007FF63BE21000-memory.dmp	upx
behavioral2/memory/4168-430-0x00007FF6832C0000-0x00007FF6836B1000-memory.dmp	upx
behavioral2/memory/2448-432-0x00007FF7448D0000-0x00007FF744CC1000-memory.dmp	upx
behavioral2/memory/952-433-0x00007FF77D2F0000-0x00007FF77D6E1000-memory.dmp	upx
behavioral2/memory/2944-431-0x00007FF765210000-0x00007FF765601000-memory.dmp	upx
behavioral2/memory/4944-429-0x00007FF62C4B0000-0x00007FF62C8A1000-memory.dmp	upx
behavioral2/memory/3408-436-0x00007FF633F40000-0x00007FF634331000-memory.dmp	upx
behavioral2/memory/4640-440-0x00007FF7C3DA0000-0x00007FF7C4191000-memory.dmp	upx
behavioral2/memory/2656-449-0x00007FF68B000000-0x00007FF68B3F1000-memory.dmp	upx
behavioral2/memory/3048-456-0x00007FF7083E0000-0x00007FF7087D1000-memory.dmp	upx
behavioral2/memory/1812-447-0x00007FF6CDCF0000-0x00007FF6CE0E1000-memory.dmp	upx
behavioral2/memory/2992-457-0x00007FF7D4130000-0x00007FF7D4521000-memory.dmp	upx
behavioral2/memory/3144-461-0x00007FF701540000-0x00007FF701931000-memory.dmp	upx
behavioral2/memory/4692-467-0x00007FF7EF2C0000-0x00007FF7EF6B1000-memory.dmp	upx
behavioral2/memory/4924-476-0x00007FF63CBD0000-0x00007FF63CFC1000-memory.dmp	upx
behavioral2/memory/1692-484-0x00007FF6EC1C0000-0x00007FF6EC5B1000-memory.dmp	upx
behavioral2/memory/424-487-0x00007FF7A8350000-0x00007FF7A8741000-memory.dmp	upx
behavioral2/memory/4332-493-0x00007FF613A40000-0x00007FF613E31000-memory.dmp	upx
behavioral2/memory/1356-500-0x00007FF614350000-0x00007FF614741000-memory.dmp	upx
behavioral2/memory/1052-478-0x00007FF7DA7D0000-0x00007FF7DABC1000-memory.dmp	upx
behavioral2/memory/5096-2013-0x00007FF777CD0000-0x00007FF7780C1000-memory.dmp	upx
behavioral2/memory/3012-2014-0x00007FF63E360000-0x00007FF63E751000-memory.dmp	upx
behavioral2/memory/4460-2020-0x00007FF7FCF30000-0x00007FF7FD321000-memory.dmp	upx
behavioral2/memory/2032-2051-0x00007FF63BA30000-0x00007FF63BE21000-memory.dmp	upx
behavioral2/memory/952-2065-0x00007FF77D2F0000-0x00007FF77D6E1000-memory.dmp	upx
behavioral2/memory/3408-2067-0x00007FF633F40000-0x00007FF634331000-memory.dmp	upx
behavioral2/memory/1812-2071-0x00007FF6CDCF0000-0x00007FF6CE0E1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\GzKDfCM.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\fQpymbr.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\SZFNUWI.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\BbnpZOi.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\SBPNAyo.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\NflDcCg.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\tsiOsme.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\JUujfjG.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\dWZhdjp.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\dkZEhYJ.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\wWtyOOw.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\ncsXqzy.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\UmeJXLW.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\WrQqezQ.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\xKUWkdb.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\jixUoHZ.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\nIKTBAq.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\rYbwuGH.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\smMugqf.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\EeFnRKe.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\qMTVNDM.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\CYmFdsm.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\ytWpjjR.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\OPfvzQM.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\OHQSqkS.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\zQOEdFd.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\pxWOyDm.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\zoooYVf.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\zZVUsDI.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\RNZjpgO.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\EybFirs.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\SibPSua.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\EnvhsBj.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\xifkkGl.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\kYHGyKw.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\rHFuWBr.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\vdJHyNN.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\isrtWdq.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\yzuxZCY.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\GUUWOzT.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\QoQpDyY.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\eQbEded.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\KNWGbzW.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\YCtbkVI.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\NGTBuEp.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\NtESEXL.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\TcCafgZ.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\tLoSDSH.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\sJeCSWt.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\TkZIirA.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\fWTuugc.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\hHbscVI.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\mmigDzF.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\iqcYzjA.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\jYcPNKa.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\CVKnyGH.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\JpVJnes.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\kUWekgU.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\dALityc.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\zhYjxYe.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\hDarxbu.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\vXNLOgs.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\ngyButi.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
File created	C:\Windows\System32\fbZLjHM.exe	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12880	dwm.exe
Token: SeChangeNotifyPrivilege	12880	dwm.exe
Token: 33	12880	dwm.exe
Token: SeIncBasePriorityPrivilege	12880	dwm.exe
Token: SeShutdownPrivilege	12880	dwm.exe
Token: SeCreatePagefilePrivilege	12880	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4460	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	85
PID 3672 wrote to memory of 4460	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	85
PID 3672 wrote to memory of 5096	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	86
PID 3672 wrote to memory of 5096	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	86
PID 3672 wrote to memory of 3012	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	87
PID 3672 wrote to memory of 3012	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	87
PID 3672 wrote to memory of 1676	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	88
PID 3672 wrote to memory of 1676	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	88
PID 3672 wrote to memory of 2032	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	89
PID 3672 wrote to memory of 2032	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	89
PID 3672 wrote to memory of 4944	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	90
PID 3672 wrote to memory of 4944	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	90
PID 3672 wrote to memory of 4168	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	91
PID 3672 wrote to memory of 4168	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	91
PID 3672 wrote to memory of 2944	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	92
PID 3672 wrote to memory of 2944	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	92
PID 3672 wrote to memory of 2448	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	93
PID 3672 wrote to memory of 2448	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	93
PID 3672 wrote to memory of 952	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	94
PID 3672 wrote to memory of 952	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	94
PID 3672 wrote to memory of 3408	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	95
PID 3672 wrote to memory of 3408	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	95
PID 3672 wrote to memory of 4640	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	96
PID 3672 wrote to memory of 4640	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	96
PID 3672 wrote to memory of 1812	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	97
PID 3672 wrote to memory of 1812	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	97
PID 3672 wrote to memory of 2656	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	98
PID 3672 wrote to memory of 2656	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	98
PID 3672 wrote to memory of 3048	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	99
PID 3672 wrote to memory of 3048	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	99
PID 3672 wrote to memory of 2992	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	100
PID 3672 wrote to memory of 2992	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	100
PID 3672 wrote to memory of 3144	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	101
PID 3672 wrote to memory of 3144	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	101
PID 3672 wrote to memory of 4692	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	102
PID 3672 wrote to memory of 4692	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	102
PID 3672 wrote to memory of 4924	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	103
PID 3672 wrote to memory of 4924	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	103
PID 3672 wrote to memory of 1052	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	104
PID 3672 wrote to memory of 1052	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	104
PID 3672 wrote to memory of 1692	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	105
PID 3672 wrote to memory of 1692	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	105
PID 3672 wrote to memory of 424	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	106
PID 3672 wrote to memory of 424	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	106
PID 3672 wrote to memory of 4332	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	107
PID 3672 wrote to memory of 4332	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	107
PID 3672 wrote to memory of 1356	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	108
PID 3672 wrote to memory of 1356	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	108
PID 3672 wrote to memory of 1236	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	109
PID 3672 wrote to memory of 1236	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	109
PID 3672 wrote to memory of 4728	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	110
PID 3672 wrote to memory of 4728	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	110
PID 3672 wrote to memory of 1528	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	111
PID 3672 wrote to memory of 1528	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	111
PID 3672 wrote to memory of 3196	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	112
PID 3672 wrote to memory of 3196	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	112
PID 3672 wrote to memory of 1960	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	113
PID 3672 wrote to memory of 1960	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	113
PID 3672 wrote to memory of 548	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	114
PID 3672 wrote to memory of 548	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	114
PID 3672 wrote to memory of 1224	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	115
PID 3672 wrote to memory of 1224	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	115
PID 3672 wrote to memory of 3908	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	116
PID 3672 wrote to memory of 3908	3672	0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0de1a5167a0ff0f473e0aefb65249649_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\System32\RIHDNfT.exe
  C:\Windows\System32\RIHDNfT.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\DEGycfT.exe
  C:\Windows\System32\DEGycfT.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\YSpGDbZ.exe
  C:\Windows\System32\YSpGDbZ.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System32\vlqdzXQ.exe
  C:\Windows\System32\vlqdzXQ.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\NACgZQs.exe
  C:\Windows\System32\NACgZQs.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System32\HdDYrgp.exe
  C:\Windows\System32\HdDYrgp.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\msdqimY.exe
  C:\Windows\System32\msdqimY.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System32\OHQSqkS.exe
  C:\Windows\System32\OHQSqkS.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System32\emXUVSd.exe
  C:\Windows\System32\emXUVSd.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System32\EmBLhGK.exe
  C:\Windows\System32\EmBLhGK.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System32\nOgpQjd.exe
  C:\Windows\System32\nOgpQjd.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System32\eIvUpJu.exe
  C:\Windows\System32\eIvUpJu.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\wDBqwrO.exe
  C:\Windows\System32\wDBqwrO.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\kuGHBdx.exe
  C:\Windows\System32\kuGHBdx.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System32\ECUnexd.exe
  C:\Windows\System32\ECUnexd.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System32\PzsJyPZ.exe
  C:\Windows\System32\PzsJyPZ.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System32\rRnLcwW.exe
  C:\Windows\System32\rRnLcwW.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System32\iThrhWo.exe
  C:\Windows\System32\iThrhWo.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\frAYGsm.exe
  C:\Windows\System32\frAYGsm.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\qSxhraQ.exe
  C:\Windows\System32\qSxhraQ.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System32\manzPTq.exe
  C:\Windows\System32\manzPTq.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System32\hGpGhzy.exe
  C:\Windows\System32\hGpGhzy.exe
  2⤵
  - Executes dropped EXE
  PID:424
- C:\Windows\System32\FTHBZki.exe
  C:\Windows\System32\FTHBZki.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\ehxTPFD.exe
  C:\Windows\System32\ehxTPFD.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System32\JWgCBBu.exe
  C:\Windows\System32\JWgCBBu.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System32\hgaFswn.exe
  C:\Windows\System32\hgaFswn.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\lrJYESz.exe
  C:\Windows\System32\lrJYESz.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\pbsukkC.exe
  C:\Windows\System32\pbsukkC.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\eGAcfmb.exe
  C:\Windows\System32\eGAcfmb.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System32\WzRkjMJ.exe
  C:\Windows\System32\WzRkjMJ.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\VOtCfug.exe
  C:\Windows\System32\VOtCfug.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System32\SYCcsWC.exe
  C:\Windows\System32\SYCcsWC.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System32\jlnZLhE.exe
  C:\Windows\System32\jlnZLhE.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\nDONuFW.exe
  C:\Windows\System32\nDONuFW.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\KlfFdlA.exe
  C:\Windows\System32\KlfFdlA.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System32\HeXnfNJ.exe
  C:\Windows\System32\HeXnfNJ.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System32\rHFuWBr.exe
  C:\Windows\System32\rHFuWBr.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System32\xShOPyr.exe
  C:\Windows\System32\xShOPyr.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\SLRLUSV.exe
  C:\Windows\System32\SLRLUSV.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System32\kdRGEMd.exe
  C:\Windows\System32\kdRGEMd.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\vdJHyNN.exe
  C:\Windows\System32\vdJHyNN.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System32\gychASs.exe
  C:\Windows\System32\gychASs.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\UbfVvlY.exe
  C:\Windows\System32\UbfVvlY.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\EIAiBqc.exe
  C:\Windows\System32\EIAiBqc.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System32\mrZQLbe.exe
  C:\Windows\System32\mrZQLbe.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System32\GIPbicU.exe
  C:\Windows\System32\GIPbicU.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System32\CxFfWkM.exe
  C:\Windows\System32\CxFfWkM.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System32\BknHyTN.exe
  C:\Windows\System32\BknHyTN.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\BWWWCNw.exe
  C:\Windows\System32\BWWWCNw.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\KUGRTRg.exe
  C:\Windows\System32\KUGRTRg.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System32\fiRqJmi.exe
  C:\Windows\System32\fiRqJmi.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System32\PEPSdFT.exe
  C:\Windows\System32\PEPSdFT.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System32\Rgdkazj.exe
  C:\Windows\System32\Rgdkazj.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System32\zfuXdgC.exe
  C:\Windows\System32\zfuXdgC.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\vXNLOgs.exe
  C:\Windows\System32\vXNLOgs.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\BSvdtbi.exe
  C:\Windows\System32\BSvdtbi.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\DzDZjfs.exe
  C:\Windows\System32\DzDZjfs.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\hxzcEiu.exe
  C:\Windows\System32\hxzcEiu.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System32\jFGGYNi.exe
  C:\Windows\System32\jFGGYNi.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\ElpccDH.exe
  C:\Windows\System32\ElpccDH.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\klqdypb.exe
  C:\Windows\System32\klqdypb.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\PSEZLvd.exe
  C:\Windows\System32\PSEZLvd.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System32\ihVPSVo.exe
  C:\Windows\System32\ihVPSVo.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\SkToCwY.exe
  C:\Windows\System32\SkToCwY.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\esHLnbV.exe
  C:\Windows\System32\esHLnbV.exe
  2⤵
  PID:1228
- C:\Windows\System32\khzvhIL.exe
  C:\Windows\System32\khzvhIL.exe
  2⤵
  PID:1844
- C:\Windows\System32\yzlrwVI.exe
  C:\Windows\System32\yzlrwVI.exe
  2⤵
  PID:3788
- C:\Windows\System32\XkVxtQr.exe
  C:\Windows\System32\XkVxtQr.exe
  2⤵
  PID:2928
- C:\Windows\System32\lETKson.exe
  C:\Windows\System32\lETKson.exe
  2⤵
  PID:2024
- C:\Windows\System32\IrzhsTt.exe
  C:\Windows\System32\IrzhsTt.exe
  2⤵
  PID:4712
- C:\Windows\System32\qCgOuZu.exe
  C:\Windows\System32\qCgOuZu.exe
  2⤵
  PID:3656
- C:\Windows\System32\pIQyhjf.exe
  C:\Windows\System32\pIQyhjf.exe
  2⤵
  PID:3212
- C:\Windows\System32\jSwkiuy.exe
  C:\Windows\System32\jSwkiuy.exe
  2⤵
  PID:3736
- C:\Windows\System32\xTluyGM.exe
  C:\Windows\System32\xTluyGM.exe
  2⤵
  PID:3468
- C:\Windows\System32\fGZGKcj.exe
  C:\Windows\System32\fGZGKcj.exe
  2⤵
  PID:3432
- C:\Windows\System32\jYcPNKa.exe
  C:\Windows\System32\jYcPNKa.exe
  2⤵
  PID:220
- C:\Windows\System32\VXhRYRL.exe
  C:\Windows\System32\VXhRYRL.exe
  2⤵
  PID:5124
- C:\Windows\System32\TkZIirA.exe
  C:\Windows\System32\TkZIirA.exe
  2⤵
  PID:5148
- C:\Windows\System32\eQbEded.exe
  C:\Windows\System32\eQbEded.exe
  2⤵
  PID:5184
- C:\Windows\System32\OWHkRCc.exe
  C:\Windows\System32\OWHkRCc.exe
  2⤵
  PID:5208
- C:\Windows\System32\eXELkge.exe
  C:\Windows\System32\eXELkge.exe
  2⤵
  PID:5236
- C:\Windows\System32\OcnjhZS.exe
  C:\Windows\System32\OcnjhZS.exe
  2⤵
  PID:5260
- C:\Windows\System32\mbMFXAx.exe
  C:\Windows\System32\mbMFXAx.exe
  2⤵
  PID:5292
- C:\Windows\System32\SibPSua.exe
  C:\Windows\System32\SibPSua.exe
  2⤵
  PID:5320
- C:\Windows\System32\DfUMwGe.exe
  C:\Windows\System32\DfUMwGe.exe
  2⤵
  PID:5348
- C:\Windows\System32\gOJcJKw.exe
  C:\Windows\System32\gOJcJKw.exe
  2⤵
  PID:5380
- C:\Windows\System32\wJIhlAj.exe
  C:\Windows\System32\wJIhlAj.exe
  2⤵
  PID:5400
- C:\Windows\System32\kGieMHH.exe
  C:\Windows\System32\kGieMHH.exe
  2⤵
  PID:5436
- C:\Windows\System32\hVwkyvu.exe
  C:\Windows\System32\hVwkyvu.exe
  2⤵
  PID:5464
- C:\Windows\System32\WOcQpoE.exe
  C:\Windows\System32\WOcQpoE.exe
  2⤵
  PID:5484
- C:\Windows\System32\MBAGLco.exe
  C:\Windows\System32\MBAGLco.exe
  2⤵
  PID:5520
- C:\Windows\System32\ZWPfjyg.exe
  C:\Windows\System32\ZWPfjyg.exe
  2⤵
  PID:5548
- C:\Windows\System32\hqTGNnn.exe
  C:\Windows\System32\hqTGNnn.exe
  2⤵
  PID:5576
- C:\Windows\System32\oNbRzIX.exe
  C:\Windows\System32\oNbRzIX.exe
  2⤵
  PID:5600
- C:\Windows\System32\oSZgAUh.exe
  C:\Windows\System32\oSZgAUh.exe
  2⤵
  PID:5624
- C:\Windows\System32\retVRIL.exe
  C:\Windows\System32\retVRIL.exe
  2⤵
  PID:5656
- C:\Windows\System32\bknssls.exe
  C:\Windows\System32\bknssls.exe
  2⤵
  PID:5688
- C:\Windows\System32\rGAvrWA.exe
  C:\Windows\System32\rGAvrWA.exe
  2⤵
  PID:5712
- C:\Windows\System32\sJAaNot.exe
  C:\Windows\System32\sJAaNot.exe
  2⤵
  PID:5744
- C:\Windows\System32\RYOWYqx.exe
  C:\Windows\System32\RYOWYqx.exe
  2⤵
  PID:5768
- C:\Windows\System32\sBxfPLO.exe
  C:\Windows\System32\sBxfPLO.exe
  2⤵
  PID:5796
- C:\Windows\System32\fOlTbMc.exe
  C:\Windows\System32\fOlTbMc.exe
  2⤵
  PID:5820
- C:\Windows\System32\tuLjxPe.exe
  C:\Windows\System32\tuLjxPe.exe
  2⤵
  PID:5852
- C:\Windows\System32\yBKzaPF.exe
  C:\Windows\System32\yBKzaPF.exe
  2⤵
  PID:5880
- C:\Windows\System32\VKJhlDi.exe
  C:\Windows\System32\VKJhlDi.exe
  2⤵
  PID:5908
- C:\Windows\System32\BsECXJK.exe
  C:\Windows\System32\BsECXJK.exe
  2⤵
  PID:5936
- C:\Windows\System32\dRbAvxH.exe
  C:\Windows\System32\dRbAvxH.exe
  2⤵
  PID:5968
- C:\Windows\System32\hgIzdor.exe
  C:\Windows\System32\hgIzdor.exe
  2⤵
  PID:5992
- C:\Windows\System32\RuTDbmG.exe
  C:\Windows\System32\RuTDbmG.exe
  2⤵
  PID:6020
- C:\Windows\System32\tGlxYLK.exe
  C:\Windows\System32\tGlxYLK.exe
  2⤵
  PID:6052
- C:\Windows\System32\EBfTHtN.exe
  C:\Windows\System32\EBfTHtN.exe
  2⤵
  PID:6076
- C:\Windows\System32\NYRdapQ.exe
  C:\Windows\System32\NYRdapQ.exe
  2⤵
  PID:6108
- C:\Windows\System32\mbYOdOe.exe
  C:\Windows\System32\mbYOdOe.exe
  2⤵
  PID:6136
- C:\Windows\System32\JZmOyuA.exe
  C:\Windows\System32\JZmOyuA.exe
  2⤵
  PID:3848
- C:\Windows\System32\ZRiAeyI.exe
  C:\Windows\System32\ZRiAeyI.exe
  2⤵
  PID:2092
- C:\Windows\System32\srtvuEr.exe
  C:\Windows\System32\srtvuEr.exe
  2⤵
  PID:528
- C:\Windows\System32\HKhblcX.exe
  C:\Windows\System32\HKhblcX.exe
  2⤵
  PID:1704
- C:\Windows\System32\vxTnYzq.exe
  C:\Windows\System32\vxTnYzq.exe
  2⤵
  PID:5140
- C:\Windows\System32\aScdDCQ.exe
  C:\Windows\System32\aScdDCQ.exe
  2⤵
  PID:5180
- C:\Windows\System32\azatiZF.exe
  C:\Windows\System32\azatiZF.exe
  2⤵
  PID:5392
- C:\Windows\System32\LYcENSI.exe
  C:\Windows\System32\LYcENSI.exe
  2⤵
  PID:5508
- C:\Windows\System32\bVttfIH.exe
  C:\Windows\System32\bVttfIH.exe
  2⤵
  PID:4704
- C:\Windows\System32\fZBBwGM.exe
  C:\Windows\System32\fZBBwGM.exe
  2⤵
  PID:5616
- C:\Windows\System32\kNDawbQ.exe
  C:\Windows\System32\kNDawbQ.exe
  2⤵
  PID:5676
- C:\Windows\System32\RFGCYuJ.exe
  C:\Windows\System32\RFGCYuJ.exe
  2⤵
  PID:5724
- C:\Windows\System32\JQIgYkK.exe
  C:\Windows\System32\JQIgYkK.exe
  2⤵
  PID:5780
- C:\Windows\System32\PMRQCmT.exe
  C:\Windows\System32\PMRQCmT.exe
  2⤵
  PID:5808
- C:\Windows\System32\UYuEcwt.exe
  C:\Windows\System32\UYuEcwt.exe
  2⤵
  PID:5892
- C:\Windows\System32\QMghKbG.exe
  C:\Windows\System32\QMghKbG.exe
  2⤵
  PID:1268
- C:\Windows\System32\HcKRWyb.exe
  C:\Windows\System32\HcKRWyb.exe
  2⤵
  PID:932
- C:\Windows\System32\eTQXYNf.exe
  C:\Windows\System32\eTQXYNf.exe
  2⤵
  PID:6004
- C:\Windows\System32\zdsydME.exe
  C:\Windows\System32\zdsydME.exe
  2⤵
  PID:4600
- C:\Windows\System32\ngyButi.exe
  C:\Windows\System32\ngyButi.exe
  2⤵
  PID:6048
- C:\Windows\System32\QeHkLFc.exe
  C:\Windows\System32\QeHkLFc.exe
  2⤵
  PID:2888
- C:\Windows\System32\oyILlzr.exe
  C:\Windows\System32\oyILlzr.exe
  2⤵
  PID:1328
- C:\Windows\System32\awCfYHF.exe
  C:\Windows\System32\awCfYHF.exe
  2⤵
  PID:2148
- C:\Windows\System32\ksGaRJP.exe
  C:\Windows\System32\ksGaRJP.exe
  2⤵
  PID:1368
- C:\Windows\System32\oaQFrDC.exe
  C:\Windows\System32\oaQFrDC.exe
  2⤵
  PID:5220
- C:\Windows\System32\sOxcILu.exe
  C:\Windows\System32\sOxcILu.exe
  2⤵
  PID:2220
- C:\Windows\System32\blGleSE.exe
  C:\Windows\System32\blGleSE.exe
  2⤵
  PID:5452
- C:\Windows\System32\zJBjDQN.exe
  C:\Windows\System32\zJBjDQN.exe
  2⤵
  PID:5536
- C:\Windows\System32\irqqYMy.exe
  C:\Windows\System32\irqqYMy.exe
  2⤵
  PID:5788
- C:\Windows\System32\ayOMBKX.exe
  C:\Windows\System32\ayOMBKX.exe
  2⤵
  PID:5784
- C:\Windows\System32\mjAIDrv.exe
  C:\Windows\System32\mjAIDrv.exe
  2⤵
  PID:5928
- C:\Windows\System32\xGSGVcs.exe
  C:\Windows\System32\xGSGVcs.exe
  2⤵
  PID:2668
- C:\Windows\System32\jcUUIGd.exe
  C:\Windows\System32\jcUUIGd.exe
  2⤵
  PID:1500
- C:\Windows\System32\DuinFBh.exe
  C:\Windows\System32\DuinFBh.exe
  2⤵
  PID:4740
- C:\Windows\System32\SfdQiVi.exe
  C:\Windows\System32\SfdQiVi.exe
  2⤵
  PID:2408
- C:\Windows\System32\easoIxv.exe
  C:\Windows\System32\easoIxv.exe
  2⤵
  PID:5684
- C:\Windows\System32\WoqUqFF.exe
  C:\Windows\System32\WoqUqFF.exe
  2⤵
  PID:6096
- C:\Windows\System32\xkOETke.exe
  C:\Windows\System32\xkOETke.exe
  2⤵
  PID:6064
- C:\Windows\System32\QTKaWev.exe
  C:\Windows\System32\QTKaWev.exe
  2⤵
  PID:2908
- C:\Windows\System32\BqsIoMF.exe
  C:\Windows\System32\BqsIoMF.exe
  2⤵
  PID:3424
- C:\Windows\System32\QzOjuqV.exe
  C:\Windows\System32\QzOjuqV.exe
  2⤵
  PID:4724
- C:\Windows\System32\NqfbMna.exe
  C:\Windows\System32\NqfbMna.exe
  2⤵
  PID:5844
- C:\Windows\System32\dPYWggJ.exe
  C:\Windows\System32\dPYWggJ.exe
  2⤵
  PID:5480
- C:\Windows\System32\BJgXfaP.exe
  C:\Windows\System32\BJgXfaP.exe
  2⤵
  PID:5164
- C:\Windows\System32\xjZRlDA.exe
  C:\Windows\System32\xjZRlDA.exe
  2⤵
  PID:6036
- C:\Windows\System32\ubFcGhZ.exe
  C:\Windows\System32\ubFcGhZ.exe
  2⤵
  PID:6188
- C:\Windows\System32\hwLTZeL.exe
  C:\Windows\System32\hwLTZeL.exe
  2⤵
  PID:6216
- C:\Windows\System32\ubkuisW.exe
  C:\Windows\System32\ubkuisW.exe
  2⤵
  PID:6248
- C:\Windows\System32\QFBpbAT.exe
  C:\Windows\System32\QFBpbAT.exe
  2⤵
  PID:6268
- C:\Windows\System32\jNYzxcn.exe
  C:\Windows\System32\jNYzxcn.exe
  2⤵
  PID:6288
- C:\Windows\System32\GzKDfCM.exe
  C:\Windows\System32\GzKDfCM.exe
  2⤵
  PID:6308
- C:\Windows\System32\OOvUHDi.exe
  C:\Windows\System32\OOvUHDi.exe
  2⤵
  PID:6324
- C:\Windows\System32\VgJFBql.exe
  C:\Windows\System32\VgJFBql.exe
  2⤵
  PID:6360
- C:\Windows\System32\UOhawue.exe
  C:\Windows\System32\UOhawue.exe
  2⤵
  PID:6412
- C:\Windows\System32\GkNQRPt.exe
  C:\Windows\System32\GkNQRPt.exe
  2⤵
  PID:6440
- C:\Windows\System32\dkZEhYJ.exe
  C:\Windows\System32\dkZEhYJ.exe
  2⤵
  PID:6460
- C:\Windows\System32\lVibWdw.exe
  C:\Windows\System32\lVibWdw.exe
  2⤵
  PID:6484
- C:\Windows\System32\UGiobOq.exe
  C:\Windows\System32\UGiobOq.exe
  2⤵
  PID:6504
- C:\Windows\System32\KqIdXqh.exe
  C:\Windows\System32\KqIdXqh.exe
  2⤵
  PID:6532
- C:\Windows\System32\isrtWdq.exe
  C:\Windows\System32\isrtWdq.exe
  2⤵
  PID:6580
- C:\Windows\System32\EyTIiCf.exe
  C:\Windows\System32\EyTIiCf.exe
  2⤵
  PID:6608
- C:\Windows\System32\fWTuugc.exe
  C:\Windows\System32\fWTuugc.exe
  2⤵
  PID:6636
- C:\Windows\System32\urVeOMw.exe
  C:\Windows\System32\urVeOMw.exe
  2⤵
  PID:6652
- C:\Windows\System32\zQOEdFd.exe
  C:\Windows\System32\zQOEdFd.exe
  2⤵
  PID:6692
- C:\Windows\System32\lxQSOzp.exe
  C:\Windows\System32\lxQSOzp.exe
  2⤵
  PID:6720
- C:\Windows\System32\sQtiPsO.exe
  C:\Windows\System32\sQtiPsO.exe
  2⤵
  PID:6748
- C:\Windows\System32\KaYaVXp.exe
  C:\Windows\System32\KaYaVXp.exe
  2⤵
  PID:6764
- C:\Windows\System32\DDYhXZo.exe
  C:\Windows\System32\DDYhXZo.exe
  2⤵
  PID:6784
- C:\Windows\System32\fdsWwts.exe
  C:\Windows\System32\fdsWwts.exe
  2⤵
  PID:6808
- C:\Windows\System32\XtwhFbT.exe
  C:\Windows\System32\XtwhFbT.exe
  2⤵
  PID:6860
- C:\Windows\System32\grzVUNz.exe
  C:\Windows\System32\grzVUNz.exe
  2⤵
  PID:6884
- C:\Windows\System32\vNbtIVi.exe
  C:\Windows\System32\vNbtIVi.exe
  2⤵
  PID:6912
- C:\Windows\System32\dgeqFsg.exe
  C:\Windows\System32\dgeqFsg.exe
  2⤵
  PID:6948
- C:\Windows\System32\BMGdkDq.exe
  C:\Windows\System32\BMGdkDq.exe
  2⤵
  PID:6972
- C:\Windows\System32\wWtyOOw.exe
  C:\Windows\System32\wWtyOOw.exe
  2⤵
  PID:6988
- C:\Windows\System32\FHEgixj.exe
  C:\Windows\System32\FHEgixj.exe
  2⤵
  PID:7012
- C:\Windows\System32\qnVRuNJ.exe
  C:\Windows\System32\qnVRuNJ.exe
  2⤵
  PID:7060
- C:\Windows\System32\fbZLjHM.exe
  C:\Windows\System32\fbZLjHM.exe
  2⤵
  PID:7080
- C:\Windows\System32\Ouvnuqy.exe
  C:\Windows\System32\Ouvnuqy.exe
  2⤵
  PID:7100
- C:\Windows\System32\Jqpqjhi.exe
  C:\Windows\System32\Jqpqjhi.exe
  2⤵
  PID:7128
- C:\Windows\System32\PbAWGRQ.exe
  C:\Windows\System32\PbAWGRQ.exe
  2⤵
  PID:7144
- C:\Windows\System32\IytkUeD.exe
  C:\Windows\System32\IytkUeD.exe
  2⤵
  PID:4288
- C:\Windows\System32\WrQqezQ.exe
  C:\Windows\System32\WrQqezQ.exe
  2⤵
  PID:6232
- C:\Windows\System32\WjUEtnq.exe
  C:\Windows\System32\WjUEtnq.exe
  2⤵
  PID:6256
- C:\Windows\System32\YzcyIOe.exe
  C:\Windows\System32\YzcyIOe.exe
  2⤵
  PID:6300
- C:\Windows\System32\LPcbIQi.exe
  C:\Windows\System32\LPcbIQi.exe
  2⤵
  PID:6408
- C:\Windows\System32\ZHXpGgA.exe
  C:\Windows\System32\ZHXpGgA.exe
  2⤵
  PID:6480
- C:\Windows\System32\VCFPmIK.exe
  C:\Windows\System32\VCFPmIK.exe
  2⤵
  PID:6528
- C:\Windows\System32\gtdwDNV.exe
  C:\Windows\System32\gtdwDNV.exe
  2⤵
  PID:6572
- C:\Windows\System32\cVzNuqS.exe
  C:\Windows\System32\cVzNuqS.exe
  2⤵
  PID:6620
- C:\Windows\System32\gvFQNgt.exe
  C:\Windows\System32\gvFQNgt.exe
  2⤵
  PID:6676
- C:\Windows\System32\SiTKyYY.exe
  C:\Windows\System32\SiTKyYY.exe
  2⤵
  PID:6744
- C:\Windows\System32\sjzjghW.exe
  C:\Windows\System32\sjzjghW.exe
  2⤵
  PID:6796
- C:\Windows\System32\OyRBShs.exe
  C:\Windows\System32\OyRBShs.exe
  2⤵
  PID:6868
- C:\Windows\System32\lsUgFdT.exe
  C:\Windows\System32\lsUgFdT.exe
  2⤵
  PID:6924
- C:\Windows\System32\wuIAFEJ.exe
  C:\Windows\System32\wuIAFEJ.exe
  2⤵
  PID:6980
- C:\Windows\System32\aXXJzkE.exe
  C:\Windows\System32\aXXJzkE.exe
  2⤵
  PID:7008
- C:\Windows\System32\pjrhZHp.exe
  C:\Windows\System32\pjrhZHp.exe
  2⤵
  PID:7040
- C:\Windows\System32\dtMyMjS.exe
  C:\Windows\System32\dtMyMjS.exe
  2⤵
  PID:7160
- C:\Windows\System32\HZDRUBM.exe
  C:\Windows\System32\HZDRUBM.exe
  2⤵
  PID:6424
- C:\Windows\System32\rSkShHF.exe
  C:\Windows\System32\rSkShHF.exe
  2⤵
  PID:6596
- C:\Windows\System32\jkolGzo.exe
  C:\Windows\System32\jkolGzo.exe
  2⤵
  PID:2184
- C:\Windows\System32\JexbTmA.exe
  C:\Windows\System32\JexbTmA.exe
  2⤵
  PID:6928
- C:\Windows\System32\VMtapdr.exe
  C:\Windows\System32\VMtapdr.exe
  2⤵
  PID:6996
- C:\Windows\System32\rYCaOsj.exe
  C:\Windows\System32\rYCaOsj.exe
  2⤵
  PID:7124
- C:\Windows\System32\EPcVKDB.exe
  C:\Windows\System32\EPcVKDB.exe
  2⤵
  PID:6196
- C:\Windows\System32\MAkjqdd.exe
  C:\Windows\System32\MAkjqdd.exe
  2⤵
  PID:6512
- C:\Windows\System32\PnvVlJb.exe
  C:\Windows\System32\PnvVlJb.exe
  2⤵
  PID:6984
- C:\Windows\System32\LCEoIln.exe
  C:\Windows\System32\LCEoIln.exe
  2⤵
  PID:2544
- C:\Windows\System32\ZJCSSZQ.exe
  C:\Windows\System32\ZJCSSZQ.exe
  2⤵
  PID:6428
- C:\Windows\System32\FkLRVbR.exe
  C:\Windows\System32\FkLRVbR.exe
  2⤵
  PID:7176
- C:\Windows\System32\wTGGFOC.exe
  C:\Windows\System32\wTGGFOC.exe
  2⤵
  PID:7216
- C:\Windows\System32\TEIKjDi.exe
  C:\Windows\System32\TEIKjDi.exe
  2⤵
  PID:7248
- C:\Windows\System32\DDigZCB.exe
  C:\Windows\System32\DDigZCB.exe
  2⤵
  PID:7272
- C:\Windows\System32\TcCafgZ.exe
  C:\Windows\System32\TcCafgZ.exe
  2⤵
  PID:7288
- C:\Windows\System32\ijMlXIG.exe
  C:\Windows\System32\ijMlXIG.exe
  2⤵
  PID:7340
- C:\Windows\System32\LrOSwTU.exe
  C:\Windows\System32\LrOSwTU.exe
  2⤵
  PID:7360
- C:\Windows\System32\aHXidVB.exe
  C:\Windows\System32\aHXidVB.exe
  2⤵
  PID:7376
- C:\Windows\System32\IXnpztK.exe
  C:\Windows\System32\IXnpztK.exe
  2⤵
  PID:7416
- C:\Windows\System32\CzmmGUk.exe
  C:\Windows\System32\CzmmGUk.exe
  2⤵
  PID:7440
- C:\Windows\System32\KFbYQhv.exe
  C:\Windows\System32\KFbYQhv.exe
  2⤵
  PID:7460
- C:\Windows\System32\IusEyMO.exe
  C:\Windows\System32\IusEyMO.exe
  2⤵
  PID:7500
- C:\Windows\System32\KpVeDKR.exe
  C:\Windows\System32\KpVeDKR.exe
  2⤵
  PID:7520
- C:\Windows\System32\QtvwgyH.exe
  C:\Windows\System32\QtvwgyH.exe
  2⤵
  PID:7544
- C:\Windows\System32\yXbKHsP.exe
  C:\Windows\System32\yXbKHsP.exe
  2⤵
  PID:7572
- C:\Windows\System32\pxWOyDm.exe
  C:\Windows\System32\pxWOyDm.exe
  2⤵
  PID:7592
- C:\Windows\System32\pNwcWNR.exe
  C:\Windows\System32\pNwcWNR.exe
  2⤵
  PID:7616
- C:\Windows\System32\UjxwrEo.exe
  C:\Windows\System32\UjxwrEo.exe
  2⤵
  PID:7648
- C:\Windows\System32\ekdvhya.exe
  C:\Windows\System32\ekdvhya.exe
  2⤵
  PID:7680
- C:\Windows\System32\JlIwMis.exe
  C:\Windows\System32\JlIwMis.exe
  2⤵
  PID:7704
- C:\Windows\System32\jHrQOku.exe
  C:\Windows\System32\jHrQOku.exe
  2⤵
  PID:7728
- C:\Windows\System32\FHicZYm.exe
  C:\Windows\System32\FHicZYm.exe
  2⤵
  PID:7768
- C:\Windows\System32\SDmkizV.exe
  C:\Windows\System32\SDmkizV.exe
  2⤵
  PID:7812
- C:\Windows\System32\tKJvFYo.exe
  C:\Windows\System32\tKJvFYo.exe
  2⤵
  PID:7828
- C:\Windows\System32\UmjmARG.exe
  C:\Windows\System32\UmjmARG.exe
  2⤵
  PID:7864
- C:\Windows\System32\mLSlZrr.exe
  C:\Windows\System32\mLSlZrr.exe
  2⤵
  PID:7880
- C:\Windows\System32\qmajAND.exe
  C:\Windows\System32\qmajAND.exe
  2⤵
  PID:7908
- C:\Windows\System32\dKCczCZ.exe
  C:\Windows\System32\dKCczCZ.exe
  2⤵
  PID:7940
- C:\Windows\System32\TEdAREr.exe
  C:\Windows\System32\TEdAREr.exe
  2⤵
  PID:7960
- C:\Windows\System32\CtpyoNW.exe
  C:\Windows\System32\CtpyoNW.exe
  2⤵
  PID:8000
- C:\Windows\System32\TrroyQs.exe
  C:\Windows\System32\TrroyQs.exe
  2⤵
  PID:8020
- C:\Windows\System32\zMfEOSs.exe
  C:\Windows\System32\zMfEOSs.exe
  2⤵
  PID:8056
- C:\Windows\System32\jQfjUxv.exe
  C:\Windows\System32\jQfjUxv.exe
  2⤵
  PID:8088
- C:\Windows\System32\RVLphSA.exe
  C:\Windows\System32\RVLphSA.exe
  2⤵
  PID:8112
- C:\Windows\System32\tgJguVW.exe
  C:\Windows\System32\tgJguVW.exe
  2⤵
  PID:8132
- C:\Windows\System32\YgBZIQE.exe
  C:\Windows\System32\YgBZIQE.exe
  2⤵
  PID:8156
- C:\Windows\System32\pewBxSK.exe
  C:\Windows\System32\pewBxSK.exe
  2⤵
  PID:7196
- C:\Windows\System32\HpVXWaH.exe
  C:\Windows\System32\HpVXWaH.exe
  2⤵
  PID:7236
- C:\Windows\System32\fQpymbr.exe
  C:\Windows\System32\fQpymbr.exe
  2⤵
  PID:7356
- C:\Windows\System32\psNwucU.exe
  C:\Windows\System32\psNwucU.exe
  2⤵
  PID:7392
- C:\Windows\System32\adaicqY.exe
  C:\Windows\System32\adaicqY.exe
  2⤵
  PID:7452
- C:\Windows\System32\xKUWkdb.exe
  C:\Windows\System32\xKUWkdb.exe
  2⤵
  PID:7480
- C:\Windows\System32\ubOLPVw.exe
  C:\Windows\System32\ubOLPVw.exe
  2⤵
  PID:7556
- C:\Windows\System32\oqozffm.exe
  C:\Windows\System32\oqozffm.exe
  2⤵
  PID:7644
- C:\Windows\System32\MvguNTM.exe
  C:\Windows\System32\MvguNTM.exe
  2⤵
  PID:4204
- C:\Windows\System32\MjPsRNr.exe
  C:\Windows\System32\MjPsRNr.exe
  2⤵
  PID:7724
- C:\Windows\System32\ylcaFIx.exe
  C:\Windows\System32\ylcaFIx.exe
  2⤵
  PID:7764
- C:\Windows\System32\aTqRqLI.exe
  C:\Windows\System32\aTqRqLI.exe
  2⤵
  PID:7824
- C:\Windows\System32\tvnIycg.exe
  C:\Windows\System32\tvnIycg.exe
  2⤵
  PID:7932
- C:\Windows\System32\DXDfZmp.exe
  C:\Windows\System32\DXDfZmp.exe
  2⤵
  PID:8012
- C:\Windows\System32\ueCOqAI.exe
  C:\Windows\System32\ueCOqAI.exe
  2⤵
  PID:8048
- C:\Windows\System32\pEPXWGW.exe
  C:\Windows\System32\pEPXWGW.exe
  2⤵
  PID:8148
- C:\Windows\System32\HYgrngM.exe
  C:\Windows\System32\HYgrngM.exe
  2⤵
  PID:8184
- C:\Windows\System32\lDAyYzG.exe
  C:\Windows\System32\lDAyYzG.exe
  2⤵
  PID:7448
- C:\Windows\System32\tqCTmEP.exe
  C:\Windows\System32\tqCTmEP.exe
  2⤵
  PID:7532
- C:\Windows\System32\cxvZLBN.exe
  C:\Windows\System32\cxvZLBN.exe
  2⤵
  PID:7332
- C:\Windows\System32\kNGbcrm.exe
  C:\Windows\System32\kNGbcrm.exe
  2⤵
  PID:7748
- C:\Windows\System32\MPeCioT.exe
  C:\Windows\System32\MPeCioT.exe
  2⤵
  PID:7968
- C:\Windows\System32\JXFpuAS.exe
  C:\Windows\System32\JXFpuAS.exe
  2⤵
  PID:8108
- C:\Windows\System32\gufDPMA.exe
  C:\Windows\System32\gufDPMA.exe
  2⤵
  PID:8176
- C:\Windows\System32\rTWmyNv.exe
  C:\Windows\System32\rTWmyNv.exe
  2⤵
  PID:7784
- C:\Windows\System32\PVibzRx.exe
  C:\Windows\System32\PVibzRx.exe
  2⤵
  PID:8072
- C:\Windows\System32\gPgEEeN.exe
  C:\Windows\System32\gPgEEeN.exe
  2⤵
  PID:7956
- C:\Windows\System32\uATGEMt.exe
  C:\Windows\System32\uATGEMt.exe
  2⤵
  PID:7712
- C:\Windows\System32\qvmbYoO.exe
  C:\Windows\System32\qvmbYoO.exe
  2⤵
  PID:8220
- C:\Windows\System32\ncsXqzy.exe
  C:\Windows\System32\ncsXqzy.exe
  2⤵
  PID:8248
- C:\Windows\System32\MFOgXUm.exe
  C:\Windows\System32\MFOgXUm.exe
  2⤵
  PID:8276
- C:\Windows\System32\BBjNogw.exe
  C:\Windows\System32\BBjNogw.exe
  2⤵
  PID:8300
- C:\Windows\System32\kJPLheo.exe
  C:\Windows\System32\kJPLheo.exe
  2⤵
  PID:8320
- C:\Windows\System32\cyMuGuE.exe
  C:\Windows\System32\cyMuGuE.exe
  2⤵
  PID:8348
- C:\Windows\System32\sLYhOuC.exe
  C:\Windows\System32\sLYhOuC.exe
  2⤵
  PID:8392
- C:\Windows\System32\UmeJXLW.exe
  C:\Windows\System32\UmeJXLW.exe
  2⤵
  PID:8412
- C:\Windows\System32\ThgGMTg.exe
  C:\Windows\System32\ThgGMTg.exe
  2⤵
  PID:8448
- C:\Windows\System32\iLTOZXB.exe
  C:\Windows\System32\iLTOZXB.exe
  2⤵
  PID:8464
- C:\Windows\System32\JhyBGzb.exe
  C:\Windows\System32\JhyBGzb.exe
  2⤵
  PID:8496
- C:\Windows\System32\ZmUDtvG.exe
  C:\Windows\System32\ZmUDtvG.exe
  2⤵
  PID:8524
- C:\Windows\System32\SBPNAyo.exe
  C:\Windows\System32\SBPNAyo.exe
  2⤵
  PID:8564
- C:\Windows\System32\UtwDHvU.exe
  C:\Windows\System32\UtwDHvU.exe
  2⤵
  PID:8588
- C:\Windows\System32\YpXOlFZ.exe
  C:\Windows\System32\YpXOlFZ.exe
  2⤵
  PID:8620
- C:\Windows\System32\fEPZddr.exe
  C:\Windows\System32\fEPZddr.exe
  2⤵
  PID:8644
- C:\Windows\System32\GquGFGG.exe
  C:\Windows\System32\GquGFGG.exe
  2⤵
  PID:8732
- C:\Windows\System32\MGcjHqp.exe
  C:\Windows\System32\MGcjHqp.exe
  2⤵
  PID:8764
- C:\Windows\System32\teRUTCc.exe
  C:\Windows\System32\teRUTCc.exe
  2⤵
  PID:8780
- C:\Windows\System32\smMugqf.exe
  C:\Windows\System32\smMugqf.exe
  2⤵
  PID:8796
- C:\Windows\System32\vVvEclt.exe
  C:\Windows\System32\vVvEclt.exe
  2⤵
  PID:8816
- C:\Windows\System32\EbDjWdY.exe
  C:\Windows\System32\EbDjWdY.exe
  2⤵
  PID:8880
- C:\Windows\System32\ahhPqQI.exe
  C:\Windows\System32\ahhPqQI.exe
  2⤵
  PID:8912
- C:\Windows\System32\NHiXzPc.exe
  C:\Windows\System32\NHiXzPc.exe
  2⤵
  PID:8964
- C:\Windows\System32\OoFmJjC.exe
  C:\Windows\System32\OoFmJjC.exe
  2⤵
  PID:9028
- C:\Windows\System32\RXKCMsP.exe
  C:\Windows\System32\RXKCMsP.exe
  2⤵
  PID:9060
- C:\Windows\System32\sPcwdIq.exe
  C:\Windows\System32\sPcwdIq.exe
  2⤵
  PID:9084
- C:\Windows\System32\CfFoepd.exe
  C:\Windows\System32\CfFoepd.exe
  2⤵
  PID:9112
- C:\Windows\System32\JwAZBWg.exe
  C:\Windows\System32\JwAZBWg.exe
  2⤵
  PID:9128
- C:\Windows\System32\EeFnRKe.exe
  C:\Windows\System32\EeFnRKe.exe
  2⤵
  PID:9148
- C:\Windows\System32\UsJmzjN.exe
  C:\Windows\System32\UsJmzjN.exe
  2⤵
  PID:9184
- C:\Windows\System32\zBEcHxm.exe
  C:\Windows\System32\zBEcHxm.exe
  2⤵
  PID:9204
- C:\Windows\System32\RNZjpgO.exe
  C:\Windows\System32\RNZjpgO.exe
  2⤵
  PID:2284
- C:\Windows\System32\NRteFHo.exe
  C:\Windows\System32\NRteFHo.exe
  2⤵
  PID:8244
- C:\Windows\System32\RJYORes.exe
  C:\Windows\System32\RJYORes.exe
  2⤵
  PID:8336
- C:\Windows\System32\BWLWrXB.exe
  C:\Windows\System32\BWLWrXB.exe
  2⤵
  PID:8408
- C:\Windows\System32\vCRVavv.exe
  C:\Windows\System32\vCRVavv.exe
  2⤵
  PID:8440
- C:\Windows\System32\teIqoGo.exe
  C:\Windows\System32\teIqoGo.exe
  2⤵
  PID:8480
- C:\Windows\System32\WLnfCCu.exe
  C:\Windows\System32\WLnfCCu.exe
  2⤵
  PID:8540
- C:\Windows\System32\PrTExcx.exe
  C:\Windows\System32\PrTExcx.exe
  2⤵
  PID:8636
- C:\Windows\System32\EeofpxU.exe
  C:\Windows\System32\EeofpxU.exe
  2⤵
  PID:8664
- C:\Windows\System32\trsLImY.exe
  C:\Windows\System32\trsLImY.exe
  2⤵
  PID:8752
- C:\Windows\System32\KDAOLlE.exe
  C:\Windows\System32\KDAOLlE.exe
  2⤵
  PID:8656
- C:\Windows\System32\zjIBkZW.exe
  C:\Windows\System32\zjIBkZW.exe
  2⤵
  PID:8676
- C:\Windows\System32\gTgyrcS.exe
  C:\Windows\System32\gTgyrcS.exe
  2⤵
  PID:8788
- C:\Windows\System32\DPyjzUb.exe
  C:\Windows\System32\DPyjzUb.exe
  2⤵
  PID:8804
- C:\Windows\System32\cLOGgXr.exe
  C:\Windows\System32\cLOGgXr.exe
  2⤵
  PID:8992
- C:\Windows\System32\OVDDnda.exe
  C:\Windows\System32\OVDDnda.exe
  2⤵
  PID:8976
- C:\Windows\System32\qaoUDcC.exe
  C:\Windows\System32\qaoUDcC.exe
  2⤵
  PID:9104
- C:\Windows\System32\NRPAwTL.exe
  C:\Windows\System32\NRPAwTL.exe
  2⤵
  PID:9160
- C:\Windows\System32\QnejUQI.exe
  C:\Windows\System32\QnejUQI.exe
  2⤵
  PID:9200
- C:\Windows\System32\GpNBKOE.exe
  C:\Windows\System32\GpNBKOE.exe
  2⤵
  PID:9196
- C:\Windows\System32\apECQsY.exe
  C:\Windows\System32\apECQsY.exe
  2⤵
  PID:8432
- C:\Windows\System32\hXULTaZ.exe
  C:\Windows\System32\hXULTaZ.exe
  2⤵
  PID:8616
- C:\Windows\System32\xjdtsRI.exe
  C:\Windows\System32\xjdtsRI.exe
  2⤵
  PID:8856
- C:\Windows\System32\dALityc.exe
  C:\Windows\System32\dALityc.exe
  2⤵
  PID:8744
- C:\Windows\System32\NflDcCg.exe
  C:\Windows\System32\NflDcCg.exe
  2⤵
  PID:8824
- C:\Windows\System32\bzosKzi.exe
  C:\Windows\System32\bzosKzi.exe
  2⤵
  PID:8924
- C:\Windows\System32\sOSgetl.exe
  C:\Windows\System32\sOSgetl.exe
  2⤵
  PID:9156
- C:\Windows\System32\SZFNUWI.exe
  C:\Windows\System32\SZFNUWI.exe
  2⤵
  PID:8368
- C:\Windows\System32\CzgDPHA.exe
  C:\Windows\System32\CzgDPHA.exe
  2⤵
  PID:8512
- C:\Windows\System32\ZRmAMny.exe
  C:\Windows\System32\ZRmAMny.exe
  2⤵
  PID:8836
- C:\Windows\System32\gFgOjDN.exe
  C:\Windows\System32\gFgOjDN.exe
  2⤵
  PID:9052
- C:\Windows\System32\UIhBTaR.exe
  C:\Windows\System32\UIhBTaR.exe
  2⤵
  PID:9180
- C:\Windows\System32\tasNbqV.exe
  C:\Windows\System32\tasNbqV.exe
  2⤵
  PID:9072
- C:\Windows\System32\FnvPtLI.exe
  C:\Windows\System32\FnvPtLI.exe
  2⤵
  PID:9244
- C:\Windows\System32\mBDyKyf.exe
  C:\Windows\System32\mBDyKyf.exe
  2⤵
  PID:9272
- C:\Windows\System32\hKDKbcs.exe
  C:\Windows\System32\hKDKbcs.exe
  2⤵
  PID:9300
- C:\Windows\System32\csseEXL.exe
  C:\Windows\System32\csseEXL.exe
  2⤵
  PID:9316
- C:\Windows\System32\vRvTOsV.exe
  C:\Windows\System32\vRvTOsV.exe
  2⤵
  PID:9336
- C:\Windows\System32\tsiOsme.exe
  C:\Windows\System32\tsiOsme.exe
  2⤵
  PID:9384
- C:\Windows\System32\KNWGbzW.exe
  C:\Windows\System32\KNWGbzW.exe
  2⤵
  PID:9408
- C:\Windows\System32\MFjsSPv.exe
  C:\Windows\System32\MFjsSPv.exe
  2⤵
  PID:9428
- C:\Windows\System32\qliYeOo.exe
  C:\Windows\System32\qliYeOo.exe
  2⤵
  PID:9468
- C:\Windows\System32\tLoSDSH.exe
  C:\Windows\System32\tLoSDSH.exe
  2⤵
  PID:9496
- C:\Windows\System32\VczvQwz.exe
  C:\Windows\System32\VczvQwz.exe
  2⤵
  PID:9520
- C:\Windows\System32\tOxdPMx.exe
  C:\Windows\System32\tOxdPMx.exe
  2⤵
  PID:9540
- C:\Windows\System32\OUlOUKy.exe
  C:\Windows\System32\OUlOUKy.exe
  2⤵
  PID:9572
- C:\Windows\System32\KkLYNNe.exe
  C:\Windows\System32\KkLYNNe.exe
  2⤵
  PID:9600
- C:\Windows\System32\oUAWgGX.exe
  C:\Windows\System32\oUAWgGX.exe
  2⤵
  PID:9624
- C:\Windows\System32\hHbscVI.exe
  C:\Windows\System32\hHbscVI.exe
  2⤵
  PID:9664
- C:\Windows\System32\EvEDQfc.exe
  C:\Windows\System32\EvEDQfc.exe
  2⤵
  PID:9692
- C:\Windows\System32\mzPBVPH.exe
  C:\Windows\System32\mzPBVPH.exe
  2⤵
  PID:9716
- C:\Windows\System32\QdIgEvT.exe
  C:\Windows\System32\QdIgEvT.exe
  2⤵
  PID:9736
- C:\Windows\System32\TcLaYBP.exe
  C:\Windows\System32\TcLaYBP.exe
  2⤵
  PID:9776
- C:\Windows\System32\wZuKjur.exe
  C:\Windows\System32\wZuKjur.exe
  2⤵
  PID:9792
- C:\Windows\System32\IsoUTXC.exe
  C:\Windows\System32\IsoUTXC.exe
  2⤵
  PID:9832
- C:\Windows\System32\mathGKG.exe
  C:\Windows\System32\mathGKG.exe
  2⤵
  PID:9856
- C:\Windows\System32\tSKiZqX.exe
  C:\Windows\System32\tSKiZqX.exe
  2⤵
  PID:9880
- C:\Windows\System32\wYuNUUF.exe
  C:\Windows\System32\wYuNUUF.exe
  2⤵
  PID:9924
- C:\Windows\System32\kbFhDjF.exe
  C:\Windows\System32\kbFhDjF.exe
  2⤵
  PID:9952
- C:\Windows\System32\pEnAtmp.exe
  C:\Windows\System32\pEnAtmp.exe
  2⤵
  PID:9968
- C:\Windows\System32\wwJHwmw.exe
  C:\Windows\System32\wwJHwmw.exe
  2⤵
  PID:10004
- C:\Windows\System32\oyrFSgG.exe
  C:\Windows\System32\oyrFSgG.exe
  2⤵
  PID:10044
- C:\Windows\System32\AmXNPlV.exe
  C:\Windows\System32\AmXNPlV.exe
  2⤵
  PID:10072
- C:\Windows\System32\qMTVNDM.exe
  C:\Windows\System32\qMTVNDM.exe
  2⤵
  PID:10104
- C:\Windows\System32\ZRDgmph.exe
  C:\Windows\System32\ZRDgmph.exe
  2⤵
  PID:10128
- C:\Windows\System32\tGNFzPw.exe
  C:\Windows\System32\tGNFzPw.exe
  2⤵
  PID:10152
- C:\Windows\System32\CBasRgH.exe
  C:\Windows\System32\CBasRgH.exe
  2⤵
  PID:10176
- C:\Windows\System32\XGYvezr.exe
  C:\Windows\System32\XGYvezr.exe
  2⤵
  PID:10196
- C:\Windows\System32\tHfvgYn.exe
  C:\Windows\System32\tHfvgYn.exe
  2⤵
  PID:10212
- C:\Windows\System32\ZWSFJUO.exe
  C:\Windows\System32\ZWSFJUO.exe
  2⤵
  PID:8984
- C:\Windows\System32\YCtbkVI.exe
  C:\Windows\System32\YCtbkVI.exe
  2⤵
  PID:9308
- C:\Windows\System32\NHBiyGQ.exe
  C:\Windows\System32\NHBiyGQ.exe
  2⤵
  PID:9400
- C:\Windows\System32\MqtRGld.exe
  C:\Windows\System32\MqtRGld.exe
  2⤵
  PID:9464
- C:\Windows\System32\wBwCuWe.exe
  C:\Windows\System32\wBwCuWe.exe
  2⤵
  PID:9528
- C:\Windows\System32\vDOWOzR.exe
  C:\Windows\System32\vDOWOzR.exe
  2⤵
  PID:9556
- C:\Windows\System32\XMOjEoQ.exe
  C:\Windows\System32\XMOjEoQ.exe
  2⤵
  PID:9620
- C:\Windows\System32\btRAvAT.exe
  C:\Windows\System32\btRAvAT.exe
  2⤵
  PID:9652
- C:\Windows\System32\PqgakjP.exe
  C:\Windows\System32\PqgakjP.exe
  2⤵
  PID:9724
- C:\Windows\System32\lzlxsFP.exe
  C:\Windows\System32\lzlxsFP.exe
  2⤵
  PID:9756
- C:\Windows\System32\RMsTpVz.exe
  C:\Windows\System32\RMsTpVz.exe
  2⤵
  PID:1768
- C:\Windows\System32\RYbwsVM.exe
  C:\Windows\System32\RYbwsVM.exe
  2⤵
  PID:9848
- C:\Windows\System32\iorMwwo.exe
  C:\Windows\System32\iorMwwo.exe
  2⤵
  PID:9892
- C:\Windows\System32\oECUySR.exe
  C:\Windows\System32\oECUySR.exe
  2⤵
  PID:9948
- C:\Windows\System32\BcyzWke.exe
  C:\Windows\System32\BcyzWke.exe
  2⤵
  PID:10092
- C:\Windows\System32\catzjrk.exe
  C:\Windows\System32\catzjrk.exe
  2⤵
  PID:10172
- C:\Windows\System32\qLGRmBw.exe
  C:\Windows\System32\qLGRmBw.exe
  2⤵
  PID:9264
- C:\Windows\System32\yhJdwUn.exe
  C:\Windows\System32\yhJdwUn.exe
  2⤵
  PID:9360
- C:\Windows\System32\BbnpZOi.exe
  C:\Windows\System32\BbnpZOi.exe
  2⤵
  PID:9512
- C:\Windows\System32\zoooYVf.exe
  C:\Windows\System32\zoooYVf.exe
  2⤵
  PID:9592
- C:\Windows\System32\ZorZyMv.exe
  C:\Windows\System32\ZorZyMv.exe
  2⤵
  PID:5036
- C:\Windows\System32\kguoxHN.exe
  C:\Windows\System32\kguoxHN.exe
  2⤵
  PID:9908
- C:\Windows\System32\mPKDcRk.exe
  C:\Windows\System32\mPKDcRk.exe
  2⤵
  PID:9868
- C:\Windows\System32\MgXnPdf.exe
  C:\Windows\System32\MgXnPdf.exe
  2⤵
  PID:8708
- C:\Windows\System32\XdaGYpt.exe
  C:\Windows\System32\XdaGYpt.exe
  2⤵
  PID:9448
- C:\Windows\System32\QYFfDaI.exe
  C:\Windows\System32\QYFfDaI.exe
  2⤵
  PID:9552
- C:\Windows\System32\RpElBbX.exe
  C:\Windows\System32\RpElBbX.exe
  2⤵
  PID:10164
- C:\Windows\System32\hgtPmZw.exe
  C:\Windows\System32\hgtPmZw.exe
  2⤵
  PID:9588
- C:\Windows\System32\yzuxZCY.exe
  C:\Windows\System32\yzuxZCY.exe
  2⤵
  PID:10276
- C:\Windows\System32\qVKhVIo.exe
  C:\Windows\System32\qVKhVIo.exe
  2⤵
  PID:10292
- C:\Windows\System32\nmCfSFk.exe
  C:\Windows\System32\nmCfSFk.exe
  2⤵
  PID:10324
- C:\Windows\System32\ooqUmYX.exe
  C:\Windows\System32\ooqUmYX.exe
  2⤵
  PID:10348
- C:\Windows\System32\wbgAkBg.exe
  C:\Windows\System32\wbgAkBg.exe
  2⤵
  PID:10380
- C:\Windows\System32\FyldVQJ.exe
  C:\Windows\System32\FyldVQJ.exe
  2⤵
  PID:10408
- C:\Windows\System32\DmnxNLF.exe
  C:\Windows\System32\DmnxNLF.exe
  2⤵
  PID:10448
- C:\Windows\System32\zhhhHki.exe
  C:\Windows\System32\zhhhHki.exe
  2⤵
  PID:10472
- C:\Windows\System32\pnwsgHm.exe
  C:\Windows\System32\pnwsgHm.exe
  2⤵
  PID:10492
- C:\Windows\System32\zZVUsDI.exe
  C:\Windows\System32\zZVUsDI.exe
  2⤵
  PID:10544
- C:\Windows\System32\SShTOyR.exe
  C:\Windows\System32\SShTOyR.exe
  2⤵
  PID:10564
- C:\Windows\System32\EQkYQeR.exe
  C:\Windows\System32\EQkYQeR.exe
  2⤵
  PID:10580
- C:\Windows\System32\qTMNCqZ.exe
  C:\Windows\System32\qTMNCqZ.exe
  2⤵
  PID:10612
- C:\Windows\System32\nQsgOli.exe
  C:\Windows\System32\nQsgOli.exe
  2⤵
  PID:10632
- C:\Windows\System32\FuWxSex.exe
  C:\Windows\System32\FuWxSex.exe
  2⤵
  PID:10656
- C:\Windows\System32\NqufrEi.exe
  C:\Windows\System32\NqufrEi.exe
  2⤵
  PID:10672
- C:\Windows\System32\kddSfvP.exe
  C:\Windows\System32\kddSfvP.exe
  2⤵
  PID:10700
- C:\Windows\System32\VzAvfta.exe
  C:\Windows\System32\VzAvfta.exe
  2⤵
  PID:10720
- C:\Windows\System32\SkKijFk.exe
  C:\Windows\System32\SkKijFk.exe
  2⤵
  PID:10776
- C:\Windows\System32\XMQCtAj.exe
  C:\Windows\System32\XMQCtAj.exe
  2⤵
  PID:10808
- C:\Windows\System32\XPoGEUC.exe
  C:\Windows\System32\XPoGEUC.exe
  2⤵
  PID:10836
- C:\Windows\System32\blYECCf.exe
  C:\Windows\System32\blYECCf.exe
  2⤵
  PID:10856
- C:\Windows\System32\SuzifDE.exe
  C:\Windows\System32\SuzifDE.exe
  2⤵
  PID:10900
- C:\Windows\System32\eCWPRCY.exe
  C:\Windows\System32\eCWPRCY.exe
  2⤵
  PID:10928
- C:\Windows\System32\eKLzuTa.exe
  C:\Windows\System32\eKLzuTa.exe
  2⤵
  PID:10948
- C:\Windows\System32\hXovoTZ.exe
  C:\Windows\System32\hXovoTZ.exe
  2⤵
  PID:10976
- C:\Windows\System32\RHPYrUa.exe
  C:\Windows\System32\RHPYrUa.exe
  2⤵
  PID:11004
- C:\Windows\System32\aKebcSz.exe
  C:\Windows\System32\aKebcSz.exe
  2⤵
  PID:11040
- C:\Windows\System32\ySoLOnr.exe
  C:\Windows\System32\ySoLOnr.exe
  2⤵
  PID:11072
- C:\Windows\System32\YVPvzOT.exe
  C:\Windows\System32\YVPvzOT.exe
  2⤵
  PID:11088
- C:\Windows\System32\dQWVZcj.exe
  C:\Windows\System32\dQWVZcj.exe
  2⤵
  PID:11108
- C:\Windows\System32\ahmsvfY.exe
  C:\Windows\System32\ahmsvfY.exe
  2⤵
  PID:11136
- C:\Windows\System32\NowSCyy.exe
  C:\Windows\System32\NowSCyy.exe
  2⤵
  PID:11156
- C:\Windows\System32\JUujfjG.exe
  C:\Windows\System32\JUujfjG.exe
  2⤵
  PID:11180
- C:\Windows\System32\sewpQcm.exe
  C:\Windows\System32\sewpQcm.exe
  2⤵
  PID:11200
- C:\Windows\System32\jixUoHZ.exe
  C:\Windows\System32\jixUoHZ.exe
  2⤵
  PID:11220
- C:\Windows\System32\vqCUNyd.exe
  C:\Windows\System32\vqCUNyd.exe
  2⤵
  PID:9788
- C:\Windows\System32\PTcWXWM.exe
  C:\Windows\System32\PTcWXWM.exe
  2⤵
  PID:10284
- C:\Windows\System32\OlAuMwG.exe
  C:\Windows\System32\OlAuMwG.exe
  2⤵
  PID:10360
- C:\Windows\System32\FSEKTfq.exe
  C:\Windows\System32\FSEKTfq.exe
  2⤵
  PID:10428
- C:\Windows\System32\fAOflps.exe
  C:\Windows\System32\fAOflps.exe
  2⤵
  PID:10460
- C:\Windows\System32\SDadtmi.exe
  C:\Windows\System32\SDadtmi.exe
  2⤵
  PID:10600
- C:\Windows\System32\FTblIke.exe
  C:\Windows\System32\FTblIke.exe
  2⤵
  PID:10644
- C:\Windows\System32\OEOMRXK.exe
  C:\Windows\System32\OEOMRXK.exe
  2⤵
  PID:10740
- C:\Windows\System32\tIBtWro.exe
  C:\Windows\System32\tIBtWro.exe
  2⤵
  PID:10764
- C:\Windows\System32\uDRCTpa.exe
  C:\Windows\System32\uDRCTpa.exe
  2⤵
  PID:10168
- C:\Windows\System32\IkeNKZW.exe
  C:\Windows\System32\IkeNKZW.exe
  2⤵
  PID:10844
- C:\Windows\System32\ixicRfK.exe
  C:\Windows\System32\ixicRfK.exe
  2⤵
  PID:10916
- C:\Windows\System32\sJIhNno.exe
  C:\Windows\System32\sJIhNno.exe
  2⤵
  PID:11036
- C:\Windows\System32\VIcJIsv.exe
  C:\Windows\System32\VIcJIsv.exe
  2⤵
  PID:11120
- C:\Windows\System32\WqhypWR.exe
  C:\Windows\System32\WqhypWR.exe
  2⤵
  PID:11116
- C:\Windows\System32\ddOabui.exe
  C:\Windows\System32\ddOabui.exe
  2⤵
  PID:10256
- C:\Windows\System32\RrbCRGH.exe
  C:\Windows\System32\RrbCRGH.exe
  2⤵
  PID:10304
- C:\Windows\System32\CkVUmyN.exe
  C:\Windows\System32\CkVUmyN.exe
  2⤵
  PID:10484
- C:\Windows\System32\hbErrRb.exe
  C:\Windows\System32\hbErrRb.exe
  2⤵
  PID:10624
- C:\Windows\System32\LstsUqG.exe
  C:\Windows\System32\LstsUqG.exe
  2⤵
  PID:10804
- C:\Windows\System32\fbmAdRs.exe
  C:\Windows\System32\fbmAdRs.exe
  2⤵
  PID:10876
- C:\Windows\System32\qVhvcSy.exe
  C:\Windows\System32\qVhvcSy.exe
  2⤵
  PID:11000
- C:\Windows\System32\DwSlIeR.exe
  C:\Windows\System32\DwSlIeR.exe
  2⤵
  PID:11196
- C:\Windows\System32\mmigDzF.exe
  C:\Windows\System32\mmigDzF.exe
  2⤵
  PID:10344
- C:\Windows\System32\QkYMQxc.exe
  C:\Windows\System32\QkYMQxc.exe
  2⤵
  PID:10708
- C:\Windows\System32\AcXpMpN.exe
  C:\Windows\System32\AcXpMpN.exe
  2⤵
  PID:10884
- C:\Windows\System32\qrvIDkw.exe
  C:\Windows\System32\qrvIDkw.exe
  2⤵
  PID:10504
- C:\Windows\System32\scgOUqw.exe
  C:\Windows\System32\scgOUqw.exe
  2⤵
  PID:11272
- C:\Windows\System32\EnvhsBj.exe
  C:\Windows\System32\EnvhsBj.exe
  2⤵
  PID:11296
- C:\Windows\System32\IHDzsEq.exe
  C:\Windows\System32\IHDzsEq.exe
  2⤵
  PID:11332
- C:\Windows\System32\WJTdYiV.exe
  C:\Windows\System32\WJTdYiV.exe
  2⤵
  PID:11348
- C:\Windows\System32\HVtjsHT.exe
  C:\Windows\System32\HVtjsHT.exe
  2⤵
  PID:11372
- C:\Windows\System32\akAFHqC.exe
  C:\Windows\System32\akAFHqC.exe
  2⤵
  PID:11408
- C:\Windows\System32\pdsCnBP.exe
  C:\Windows\System32\pdsCnBP.exe
  2⤵
  PID:11444
- C:\Windows\System32\sQoaEbm.exe
  C:\Windows\System32\sQoaEbm.exe
  2⤵
  PID:11460
- C:\Windows\System32\zwOnHuF.exe
  C:\Windows\System32\zwOnHuF.exe
  2⤵
  PID:11484
- C:\Windows\System32\oLECMMH.exe
  C:\Windows\System32\oLECMMH.exe
  2⤵
  PID:11548
- C:\Windows\System32\PxAtdgi.exe
  C:\Windows\System32\PxAtdgi.exe
  2⤵
  PID:11564
- C:\Windows\System32\AjtMkMf.exe
  C:\Windows\System32\AjtMkMf.exe
  2⤵
  PID:11580
- C:\Windows\System32\zPXZqrI.exe
  C:\Windows\System32\zPXZqrI.exe
  2⤵
  PID:11608
- C:\Windows\System32\zAukPDM.exe
  C:\Windows\System32\zAukPDM.exe
  2⤵
  PID:11644
- C:\Windows\System32\DpyOZrM.exe
  C:\Windows\System32\DpyOZrM.exe
  2⤵
  PID:11668
- C:\Windows\System32\utpeNlq.exe
  C:\Windows\System32\utpeNlq.exe
  2⤵
  PID:11684
- C:\Windows\System32\SJzlhdl.exe
  C:\Windows\System32\SJzlhdl.exe
  2⤵
  PID:11708
- C:\Windows\System32\TImWXmb.exe
  C:\Windows\System32\TImWXmb.exe
  2⤵
  PID:11760
- C:\Windows\System32\lmjAlge.exe
  C:\Windows\System32\lmjAlge.exe
  2⤵
  PID:11776
- C:\Windows\System32\NGTBuEp.exe
  C:\Windows\System32\NGTBuEp.exe
  2⤵
  PID:11796
- C:\Windows\System32\uVqchCL.exe
  C:\Windows\System32\uVqchCL.exe
  2⤵
  PID:11820
- C:\Windows\System32\zvslYoP.exe
  C:\Windows\System32\zvslYoP.exe
  2⤵
  PID:11840
- C:\Windows\System32\FaheKIe.exe
  C:\Windows\System32\FaheKIe.exe
  2⤵
  PID:11868
- C:\Windows\System32\uzCJKIz.exe
  C:\Windows\System32\uzCJKIz.exe
  2⤵
  PID:11892
- C:\Windows\System32\hWYcEwe.exe
  C:\Windows\System32\hWYcEwe.exe
  2⤵
  PID:11908
- C:\Windows\System32\gsxzJWR.exe
  C:\Windows\System32\gsxzJWR.exe
  2⤵
  PID:11956
- C:\Windows\System32\EJScoZC.exe
  C:\Windows\System32\EJScoZC.exe
  2⤵
  PID:12000
- C:\Windows\System32\jamkBDz.exe
  C:\Windows\System32\jamkBDz.exe
  2⤵
  PID:12032
- C:\Windows\System32\nMDGJMI.exe
  C:\Windows\System32\nMDGJMI.exe
  2⤵
  PID:12052
- C:\Windows\System32\FwLRmIg.exe
  C:\Windows\System32\FwLRmIg.exe
  2⤵
  PID:12088
- C:\Windows\System32\gOLKqKk.exe
  C:\Windows\System32\gOLKqKk.exe
  2⤵
  PID:12104
- C:\Windows\System32\HRhyrYG.exe
  C:\Windows\System32\HRhyrYG.exe
  2⤵
  PID:12136
- C:\Windows\System32\dXporiA.exe
  C:\Windows\System32\dXporiA.exe
  2⤵
  PID:12152
- C:\Windows\System32\UAJxPgO.exe
  C:\Windows\System32\UAJxPgO.exe
  2⤵
  PID:12188
- C:\Windows\System32\FmpZWIT.exe
  C:\Windows\System32\FmpZWIT.exe
  2⤵
  PID:12236
- C:\Windows\System32\iImuKnR.exe
  C:\Windows\System32\iImuKnR.exe
  2⤵
  PID:12252
- C:\Windows\System32\YZUfiWa.exe
  C:\Windows\System32\YZUfiWa.exe
  2⤵
  PID:12276
- C:\Windows\System32\mwVoOSE.exe
  C:\Windows\System32\mwVoOSE.exe
  2⤵
  PID:11324
- C:\Windows\System32\NtESEXL.exe
  C:\Windows\System32\NtESEXL.exe
  2⤵
  PID:11396
- C:\Windows\System32\enPMUkC.exe
  C:\Windows\System32\enPMUkC.exe
  2⤵
  PID:11452
- C:\Windows\System32\YQGgbVk.exe
  C:\Windows\System32\YQGgbVk.exe
  2⤵
  PID:11468
- C:\Windows\System32\esnymHo.exe
  C:\Windows\System32\esnymHo.exe
  2⤵
  PID:11524
- C:\Windows\System32\WRAFQhU.exe
  C:\Windows\System32\WRAFQhU.exe
  2⤵
  PID:11592
- C:\Windows\System32\ENmbESY.exe
  C:\Windows\System32\ENmbESY.exe
  2⤵
  PID:11676
- C:\Windows\System32\UMQygew.exe
  C:\Windows\System32\UMQygew.exe
  2⤵
  PID:11756
- C:\Windows\System32\JZYYTVx.exe
  C:\Windows\System32\JZYYTVx.exe
  2⤵
  PID:11804
- C:\Windows\System32\XRRWjFc.exe
  C:\Windows\System32\XRRWjFc.exe
  2⤵
  PID:11876
- C:\Windows\System32\KddZcIw.exe
  C:\Windows\System32\KddZcIw.exe
  2⤵
  PID:11940
- C:\Windows\System32\JZzNlzS.exe
  C:\Windows\System32\JZzNlzS.exe
  2⤵
  PID:11988
- C:\Windows\System32\lXCpUqy.exe
  C:\Windows\System32\lXCpUqy.exe
  2⤵
  PID:12060
- C:\Windows\System32\oblrtQZ.exe
  C:\Windows\System32\oblrtQZ.exe
  2⤵
  PID:12176
- C:\Windows\System32\kAvAEic.exe
  C:\Windows\System32\kAvAEic.exe
  2⤵
  PID:12268
- C:\Windows\System32\zhYjxYe.exe
  C:\Windows\System32\zhYjxYe.exe
  2⤵
  PID:11280
- C:\Windows\System32\epPfTwM.exe
  C:\Windows\System32\epPfTwM.exe
  2⤵
  PID:11472
- C:\Windows\System32\CYmFdsm.exe
  C:\Windows\System32\CYmFdsm.exe
  2⤵
  PID:11576
- C:\Windows\System32\dhqLqMq.exe
  C:\Windows\System32\dhqLqMq.exe
  2⤵
  PID:11860
- C:\Windows\System32\cUopHsn.exe
  C:\Windows\System32\cUopHsn.exe
  2⤵
  PID:572
- C:\Windows\System32\JaawBtG.exe
  C:\Windows\System32\JaawBtG.exe
  2⤵
  PID:2044
- C:\Windows\System32\CVKnyGH.exe
  C:\Windows\System32\CVKnyGH.exe
  2⤵
  PID:12080
- C:\Windows\System32\aUcTAfz.exe
  C:\Windows\System32\aUcTAfz.exe
  2⤵
  PID:11368
- C:\Windows\System32\bZKwuLJ.exe
  C:\Windows\System32\bZKwuLJ.exe
  2⤵
  PID:11700
- C:\Windows\System32\WWdPseI.exe
  C:\Windows\System32\WWdPseI.exe
  2⤵
  PID:4528
- C:\Windows\System32\IxRmELq.exe
  C:\Windows\System32\IxRmELq.exe
  2⤵
  PID:12196
- C:\Windows\System32\ebDEPjU.exe
  C:\Windows\System32\ebDEPjU.exe
  2⤵
  PID:12072
- C:\Windows\System32\gIhQmIc.exe
  C:\Windows\System32\gIhQmIc.exe
  2⤵
  PID:12308
- C:\Windows\System32\sprcXuV.exe
  C:\Windows\System32\sprcXuV.exe
  2⤵
  PID:12340
- C:\Windows\System32\bNEJadE.exe
  C:\Windows\System32\bNEJadE.exe
  2⤵
  PID:12364
- C:\Windows\System32\vvOGaZD.exe
  C:\Windows\System32\vvOGaZD.exe
  2⤵
  PID:12384
- C:\Windows\System32\OrAZJld.exe
  C:\Windows\System32\OrAZJld.exe
  2⤵
  PID:12440
- C:\Windows\System32\nIKTBAq.exe
  C:\Windows\System32\nIKTBAq.exe
  2⤵
  PID:12464
- C:\Windows\System32\JSYRXFn.exe
  C:\Windows\System32\JSYRXFn.exe
  2⤵
  PID:12492
- C:\Windows\System32\dfqtRpO.exe
  C:\Windows\System32\dfqtRpO.exe
  2⤵
  PID:12512
- C:\Windows\System32\FeBVzhi.exe
  C:\Windows\System32\FeBVzhi.exe
  2⤵
  PID:12540
- C:\Windows\System32\GUUWOzT.exe
  C:\Windows\System32\GUUWOzT.exe
  2⤵
  PID:12576
- C:\Windows\System32\IRCTeGk.exe
  C:\Windows\System32\IRCTeGk.exe
  2⤵
  PID:12592
- C:\Windows\System32\lHDANci.exe
  C:\Windows\System32\lHDANci.exe
  2⤵
  PID:12628
- C:\Windows\System32\pkPVybZ.exe
  C:\Windows\System32\pkPVybZ.exe
  2⤵
  PID:12652
- C:\Windows\System32\dxezkho.exe
  C:\Windows\System32\dxezkho.exe
  2⤵
  PID:12684
- C:\Windows\System32\IDdaGRZ.exe
  C:\Windows\System32\IDdaGRZ.exe
  2⤵
  PID:12704
- C:\Windows\System32\eEYxSQd.exe
  C:\Windows\System32\eEYxSQd.exe
  2⤵
  PID:12724
- C:\Windows\System32\iqcYzjA.exe
  C:\Windows\System32\iqcYzjA.exe
  2⤵
  PID:12756
- C:\Windows\System32\pgMNBEH.exe
  C:\Windows\System32\pgMNBEH.exe
  2⤵
  PID:12784
- C:\Windows\System32\WhBJWgP.exe
  C:\Windows\System32\WhBJWgP.exe
  2⤵
  PID:12812
- C:\Windows\System32\iTaAZgK.exe
  C:\Windows\System32\iTaAZgK.exe
  2⤵
  PID:12844
- C:\Windows\System32\SftAZLQ.exe
  C:\Windows\System32\SftAZLQ.exe
  2⤵
  PID:12872
- C:\Windows\System32\MHTdQEj.exe
  C:\Windows\System32\MHTdQEj.exe
  2⤵
  PID:12916
- C:\Windows\System32\CtOlkiM.exe
  C:\Windows\System32\CtOlkiM.exe
  2⤵
  PID:12940
- C:\Windows\System32\NJyNyIq.exe
  C:\Windows\System32\NJyNyIq.exe
  2⤵
  PID:12956
- C:\Windows\System32\JpVJnes.exe
  C:\Windows\System32\JpVJnes.exe
  2⤵
  PID:12972
- C:\Windows\System32\lNXkqPv.exe
  C:\Windows\System32\lNXkqPv.exe
  2⤵
  PID:12988
- C:\Windows\System32\ZjmWpAb.exe
  C:\Windows\System32\ZjmWpAb.exe
  2⤵
  PID:13012
- C:\Windows\System32\DgLtGDV.exe
  C:\Windows\System32\DgLtGDV.exe
  2⤵
  PID:13032
- C:\Windows\System32\dYyHtmQ.exe
  C:\Windows\System32\dYyHtmQ.exe
  2⤵
  PID:13060
- C:\Windows\System32\attMqdS.exe
  C:\Windows\System32\attMqdS.exe
  2⤵
  PID:13076
- C:\Windows\System32\rYbwuGH.exe
  C:\Windows\System32\rYbwuGH.exe
  2⤵
  PID:13104
- C:\Windows\System32\ijmOiXf.exe
  C:\Windows\System32\ijmOiXf.exe
  2⤵
  PID:13136
- C:\Windows\System32\ytWpjjR.exe
  C:\Windows\System32\ytWpjjR.exe
  2⤵
  PID:13212
- C:\Windows\System32\iAKOxpB.exe
  C:\Windows\System32\iAKOxpB.exe
  2⤵
  PID:13248
- C:\Windows\System32\rvrcUFv.exe
  C:\Windows\System32\rvrcUFv.exe
  2⤵
  PID:13276
- C:\Windows\System32\xifkkGl.exe
  C:\Windows\System32\xifkkGl.exe
  2⤵
  PID:13300
- C:\Windows\System32\JOEDhQJ.exe
  C:\Windows\System32\JOEDhQJ.exe
  2⤵
  PID:12292
- C:\Windows\System32\byPHtDc.exe
  C:\Windows\System32\byPHtDc.exe
  2⤵
  PID:12336
- C:\Windows\System32\mAkwnnM.exe
  C:\Windows\System32\mAkwnnM.exe
  2⤵
  PID:12432
- C:\Windows\System32\jHjdecd.exe
  C:\Windows\System32\jHjdecd.exe
  2⤵
  PID:12480
- C:\Windows\System32\FqnaTZq.exe
  C:\Windows\System32\FqnaTZq.exe
  2⤵
  PID:12572
- C:\Windows\System32\oSqzkQD.exe
  C:\Windows\System32\oSqzkQD.exe
  2⤵
  PID:12664
- C:\Windows\System32\gCiVaKL.exe
  C:\Windows\System32\gCiVaKL.exe
  2⤵
  PID:12660
- C:\Windows\System32\BPIiUAD.exe
  C:\Windows\System32\BPIiUAD.exe
  2⤵
  PID:12700
- C:\Windows\System32\qduOkwx.exe
  C:\Windows\System32\qduOkwx.exe
  2⤵
  PID:12792
- C:\Windows\System32\DdSkTgw.exe
  C:\Windows\System32\DdSkTgw.exe
  2⤵
  PID:12868
- C:\Windows\System32\vgtfItE.exe
  C:\Windows\System32\vgtfItE.exe
  2⤵
  PID:12948

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DEGycfT.exe

Filesize
1.5MB

MD5
69a806d7ca04b862e0db0e5fbc77e21c

SHA1
aa8bc4bf65b9c5f254461ab138cf8ab75450f316

SHA256
337f0c523eb0a3ff517f2e59c6617a4af64f073e2eb9f94fa3eb78bd12eb43e8

SHA512
1f35a6d4d8bb03150826b61972a477d9167a6877001b4498e0fa103de0011cfd166a2c7909355ec9c62f8ac87359881be2b6998aa6349d9117f0fd4198ba40ce

Download Submit
C:\Windows\System32\ECUnexd.exe

Filesize
1.5MB

MD5
3f7786ceac708de5a68fda0aec485fb8

SHA1
4ea3a4ab56e9412914f8051ebdc8db5ade2db17f

SHA256
264554fbc0c201e6a95691ab79a4a91c014cdcf11db56957f69173ec466a048b

SHA512
e7923706f71c7e1bd3f137ca4e98446666bca5ae1bef8c2bd8532ec1e06fd9bb46620d4a511a40db3b15d4f744b4fbeef1249cc86eb660719da6eceba5481277

Download Submit
C:\Windows\System32\EmBLhGK.exe

Filesize
1.5MB

MD5
ddefb337bcef3cb0e24d71cf5caa11cb

SHA1
b09a732acb38692e57aeb102d3541b31500e5394

SHA256
a9b23d0a911c1f5f0f9e06155360a4c03bf22b5367e06b2886c22499a2fdfe90

SHA512
7e06f63b55f1ab5e0cc9c185f680fc0313bce1cb8b0ca4fd0319b06fe9ff883a8b9c93f21fcb2e616a513a7db5596851b12e4a211c966f714deee2858186f330

Download Submit
C:\Windows\System32\FTHBZki.exe

Filesize
1.5MB

MD5
728b567fd8d42bee4f973b5be755f672

SHA1
c0b68ee7ba87d903861412d679716c8e0c8f53f9

SHA256
1da8f069c0b5d8937560d7970cf3e33ce626517b19c45adc433fee682de9a14c

SHA512
02919963581310042d537432ac0244d5eefa4d1d956e2f1f9756393317cc57f9f51a5110144738115e4354d0ec64e76099a2687bd8cb3f4c3ab97cc37730ccd7

Download Submit
C:\Windows\System32\HdDYrgp.exe

Filesize
1.5MB

MD5
861deefc9c01f094ed9c5b1bebdf2a1a

SHA1
3f0cdad88873d83a4681f433c79c7d425019dd4a

SHA256
bb0354e922189b50f0d277572bc4c38e7a406264e6f023ef4fd0e318f4649a28

SHA512
d40d805e510f0c39b745215bd294178252f7bb178337f2940ec00908911908d9ce20f5a786ebad620edee739821b5130601f6284d245a789eb40430c7eb4ea57

Download Submit
C:\Windows\System32\JWgCBBu.exe

Filesize
1.5MB

MD5
59a59d94313c5e5271c1e5ca89df223c

SHA1
2dd43635ef0e0b4b0f6c6726c89038d9a651123d

SHA256
bc723162e8834dafaba9b2dc82cfd7e27a716f953eacc067dca4e146233ed682

SHA512
13a192db45b01b07465df11ec8f5c6d85644a7a5828abc681a89ffc82d4a22c6d6d8727c7c47ee22a61b36745153f409e6fbe1f53234fe0081990a4d433e007b

Download Submit
C:\Windows\System32\NACgZQs.exe

Filesize
1.5MB

MD5
27bedfdf4641c9941652a99edb726014

SHA1
3dadccd7b1c01169f0b97c9c63add8490bac3f5b

SHA256
3eadd32c720357a166095a69f029ef9d73c952cd17893e55c256bb4912d6705f

SHA512
af87be03bd25820f130e576f3e89b084b9721be4258df414d3be2f863c481de8f71847f2293715ed2a8e923a4111429ea555cd93ddced93e50aa76e1907100d8

Download Submit
C:\Windows\System32\OHQSqkS.exe

Filesize
1.5MB

MD5
07c98200ff0db13072ca20ef9c88a209

SHA1
9e189068c3071c6350194d52698c0fb7a627565e

SHA256
60cf3a1c273b4de8768ceeed17248e69382225fe95c2610d53871a8ccdf3ff69

SHA512
c7e7a9e459ed8103f6c82d17181eceb2feb277d67fbcdc2e64818f0be94bb4298ece8887652ad94531925d17f1750b9a72d1b4152a3892851dbb16f1c598fe9d

Download Submit
C:\Windows\System32\PzsJyPZ.exe

Filesize
1.5MB

MD5
9b6f655eea54af95f72cad4931b4d551

SHA1
8f04b2604ad7837cfb3b457c62329a2a376c3bfb

SHA256
b4a29bca3ddbb08ebc1a8b2b4268af39e4cd24118c1a730a726179329516198a

SHA512
725b51e712d10e99a0df21724c63f67d2aa996053db3ad89fd589289c44f80e0f4ea14bb3e541035df87144083181fdac2a01fcde9288f310997a4c6ea6e3f34

Download Submit
C:\Windows\System32\RIHDNfT.exe

Filesize
1.5MB

MD5
883c379cea02b6dc70c434d3966b6389

SHA1
521f59e3f621ef2ad285a43857f6857f8c7c7c1a

SHA256
a1734f814798b1b840816b71cf71d28254ac7aa08357913b029da5bdb1e584b6

SHA512
262c152281ca7d974e81452cc4d9fdcfbd50daf8c369ecb371f446a8e7d93c87e90a5ee069f32707b66f1693651e10b8761c3b3755f71c9392701688b449510e

Download Submit
C:\Windows\System32\SYCcsWC.exe

Filesize
1.5MB

MD5
8e86c9ceca86d5273d97efe003626fb7

SHA1
b59316ed13b914e66aed8a206ea5611a007db263

SHA256
a5a84b6f2cee202eaa6185ad14eca9bcce43638a3d90b12883ac6b59f7c09e8b

SHA512
b3797c5fe6e04c7c9ef9818b79702b7faa16297057281022fbf340d5ec206df18a8a7848af80d63f9fca7acccc661190fca9d1e76dc42ab834a4dcd3bde5f663

Download Submit
C:\Windows\System32\VOtCfug.exe

Filesize
1.5MB

MD5
b1abdf48186d4213bd1e2174624bec4e

SHA1
5c9d12e4fb9cfdbb953d799475b80218d4a0a54c

SHA256
cefe860cebf1bf908be611b523e98efd08d03cda971f0a8116b7213d6be2337a

SHA512
6d8b26cda917d404c9f634fffc035eb63c04a9c05e41410629c486b0690ac0706cc24bea47d8ffe59aaca360eba5f8455083a5560cd8ab9061f476f7872c0be0

Download Submit
C:\Windows\System32\WzRkjMJ.exe

Filesize
1.5MB

MD5
ddf13cd33442cdec5c38fdea83afd0b2

SHA1
304629ba11be7601d5cdc16259ef81708ad64b7b

SHA256
fdf30a16e2e48eabfc6c3fbdc18b4caacdab34fd6c583301f0fbd1d8138234c3

SHA512
2c3f3224c2ac630086756e3ff106953caf4acf9c7285dab13303be301b09a0bc9abcfe217570bfd32d5969dfc0dd6f55e080131da631cd9e810fe859246777b1

Download Submit
C:\Windows\System32\YSpGDbZ.exe

Filesize
1.5MB

MD5
1f662edcdc01d54f8dc22e31e79fa1fa

SHA1
6dc4ea5f271c7cfb5b03c2cfe3613bc1ee608679

SHA256
3e20683ac3f50728bcd661dc50261e4155b6a9265f8e7c5f0b5e8dcaff85810f

SHA512
e9126e08607df2271c430fac006bb5f6a731fde27895904df1a5b3c2243d2f9cac57c079f84074302aa71da2e1eebfdb1dfd58d5dbdcd32976d12ec7adc8f0bc

Download Submit
C:\Windows\System32\eGAcfmb.exe

Filesize
1.5MB

MD5
5320da14d6457593d4973724b1668e79

SHA1
21017bf51ff5ef1fa789b011a33a6c894cf5b23a

SHA256
1d2a1a97fd23f92234e85b3de7ea08ca990006462ef7f35d324e4b6edd28ed91

SHA512
1f6a869b2332a3a9c46159f941646038652fb641c8cdfd8af07d0b21026d24e97fbbad579e3380fd64249f53da27c00ffd18d6d62b4e5118ed1032de7e796f60

Download Submit
C:\Windows\System32\eIvUpJu.exe

Filesize
1.5MB

MD5
dcc021037638fdc9e9840f76ba229e1a

SHA1
e2be685d4648b8e7f7358e708d6a4cfd5c26eb44

SHA256
603d4fae5efe36c233a64dafbadf33091442dc8d6575a072f70f775e0b056052

SHA512
f1e035c58f006381264f9ffa345c0904bd8f6c11cc19d4b9b474735de5e29ed014f0daf961bee1e625f87c31f11fa764c085a88c67868824820e644b7a0b8948

Download Submit
C:\Windows\System32\ehxTPFD.exe

Filesize
1.5MB

MD5
41468c6c8a8be5f1b0914e7327ce2b8b

SHA1
51428027189d0ce9939111acfd893d4e1d4c232b

SHA256
5e7c3a2eed3aeb52d7ba9f0c1873d7ee102ef4917ff255b9dc237944ad0adab5

SHA512
e5699e92d0b574f9e20206a2c2f7336ffd800bb4c81ffc58cb0f02833f87ee2906826661c6757c9282617275e9e9a8feb14d91f656bfb3e6374246106267a6bd

Download Submit
C:\Windows\System32\emXUVSd.exe

Filesize
1.5MB

MD5
369f6d243d1661149204f7d0d2947182

SHA1
07db21999bbd186b42e30ed9d6ef5a256040327a

SHA256
bce7eeac907fc73126e156af3324cbec3e7cb912e2c4d48d382aa0dc0c8a3e08

SHA512
bc54a9d77e1e9355627496fef71b6253b9019ba0bb09a03d194288520e71a22c0723f4aebfec93f952150357d16a621ba7d44a402b7b6d97b58b4ad0f35fe015

Download Submit
C:\Windows\System32\frAYGsm.exe

Filesize
1.5MB

MD5
d40f1a70f2f669e6c8543003be4220f7

SHA1
8c89713e90c1b896bfbbfdb5e8c6e01affca61c8

SHA256
03d994839f612b98f14016c2a8c1d66d150b47dd7a5bed8bc02da303400de112

SHA512
f0a84fe8a8a66cf441457a3e8cc000a2df8ce3085ec6307513d675618773ff9a362ce826561aa46f9152c6d41e546e879b52eaff0d8470f891d95292d24fd03e

Download Submit
C:\Windows\System32\hGpGhzy.exe

Filesize
1.5MB

MD5
ae0ab9109ec9afee43e8b9c0352aee2e

SHA1
75dcf2579c0922e82ebfab3a4bb21d61a31f5dcf

SHA256
67592d7f9f3aeb59c05a48cf3ee29c77c95860e12f938984c979b8a98d9ae1c0

SHA512
e9ff2e37b4fbe618bf686e3157564b391bbb7c7bf16a59f54efcdc9f77fc5eabe353eb36db0e682d66deb36256770d730efb0bc2fa12e3a1518cc681cf5c19c0

Download Submit
C:\Windows\System32\hgaFswn.exe

Filesize
1.5MB

MD5
a4aa056a8ffc6e5737481bea1798bb21

SHA1
a46352675af04d648dd359d06759c8fbd1b29260

SHA256
86691c42cf0e60b85eb88c29495e5abce3068da5e0d2ed9785a13fe3fc7853a0

SHA512
bb9968c80d0178009bc4d289416fe94c9ff343b4ecb95e721ffb9e62284f1f0104cfd8e27f2f8f7438441fa7a552ec3f781344ed6f6de12c630ea0274c2657c9

Download Submit
C:\Windows\System32\iThrhWo.exe

Filesize
1.5MB

MD5
768d097eb5c7a6a84750607b09d10507

SHA1
806b4e4103dafd4259683bcb3d713f15b02025aa

SHA256
9de6e35f1ace3088cbbf818d380d9b8a36414f776d06833f158dbaf610645874

SHA512
96e4811fb51f91ba9adf74ec367633218cd8017110cabf9ed047550e361b225dd1566201521a0dbe6ad31a481a5174375d6b15d8448ca3a7ab029a8e2229ecc4

Download Submit
C:\Windows\System32\kuGHBdx.exe

Filesize
1.5MB

MD5
00a29d2ecbe36f0cac586305d93eda41

SHA1
a98723982be71a82e6d5f9127e472825497573ea

SHA256
e2cf7385989c1bb4dfbf4d0fd2bf9437feb46abae9d5f24e04940661957517c9

SHA512
1186158ae3d6c14b39792e23522853bfca74b0dc03c9ff5faf7f1395a418dae7dadc13f558b070d27cc71c86c251327f5ffb888d9cb982a57eb60f296f5dc4fa

Download Submit
C:\Windows\System32\lrJYESz.exe

Filesize
1.5MB

MD5
49266ac17908236e38848464d184b212

SHA1
0f9dfba67c9a342174f36108f83f17df2e419d10

SHA256
c502c53be705564551eb1acf1bdecdb00440ffbf340ad3df2d5f3d013393ad81

SHA512
044a328542a0b85413bc423e454239b1ad7bd14b405a019aaef687a955f51c08d9d2064a2d01bba717156a041efcfa930bdba9d4a130b351e1d380bd66f54b1f

Download Submit
C:\Windows\System32\manzPTq.exe

Filesize
1.5MB

MD5
91dff5c814261549491b36dde48d0725

SHA1
0a18af1b756f3b02bfb0b6d3f3e521b221e2afae

SHA256
5f91b8b351378bbe5ea2c2f2a6c71071e72351bd155bab237212c1db1ee9be45

SHA512
15fb7c11be3a51e2f8e2cc69277913f892438be5231825859f662176443d1fc50a0a53bc2dfac76fae5fd0afe3ff57b890674e59a785817c901b8532c99b69a0

Download Submit
C:\Windows\System32\msdqimY.exe

Filesize
1.5MB

MD5
bea5d4a4335eb7d9b7248a5092dd979f

SHA1
05c53eca4cc53dd05fc42c9272c613f2a8ccc487

SHA256
7316627c145baa9f447bb02683ea61f415021d8edb877a3184e40b589862cba0

SHA512
ae2df59a2e9f48574d3cfaa22d88ce04aac6942d0286f05713b4aa3a271e89b0051137a94464922dee9196efdb78ec4e36e2cc569ab0cc3295055c2fc69a8e65

Download Submit
C:\Windows\System32\nOgpQjd.exe

Filesize
1.5MB

MD5
5fd473ffbf7f9142d0392c61b4b18380

SHA1
9ecf2c6583e5cfe97ac154ceb23cf64df87ff520

SHA256
715862ec8e5888218d1123336078e3a66c7783c10b7684b1c4f49d8d930e7af8

SHA512
ba93304f8e173daf747d81a2615b0d234e150a85cd379a7897692a1fd9c24d26076b9906742c6a96ffe74ff814db3ac2739c6967313041e243128313ef1816fd

Download Submit
C:\Windows\System32\pbsukkC.exe

Filesize
1.5MB

MD5
b73adac55861ee2612594f4c80273803

SHA1
40d2d35880469bc21461093db336a07b2c237e5b

SHA256
4d077347b5e2ae3ccabd2c1d1abd0108d341c25bc7f361749f2fe7c582bd0828

SHA512
4b7d2342702ae41d88c2da8fedaee545da9efbd55ef16be8078eaaea22e6b21c5d28eb309795994bad4095f94925cc94c53e1b583f4b8f4107c2446fff506139

Download Submit
C:\Windows\System32\qSxhraQ.exe

Filesize
1.5MB

MD5
3a32d388b5adf98ca83c6cb33a72f2ba

SHA1
a024435ca1730af04354e13210808456385a72fb

SHA256
6995bc3755ae5b269929daf3e8a3c8a3fe13ff75b7fe18452d685f39996ff17f

SHA512
04bbb26e876dae920ea4641d058c47040f333fddda58b84db713ede807588323439e846e3a856ffbbe2abf6b0d1e68a2805e591e10d06083ac07962cdc6fdce0

Download Submit
C:\Windows\System32\rRnLcwW.exe

Filesize
1.5MB

MD5
89bd61bf25fa59af318ac619869ae191

SHA1
d6eb2fa0b0f7c7b10c34dfe19b68fe1f0262e6c5

SHA256
571c6c7ed0e0ab169f676c43f886df81b98e4a06ba97bfb5389d65ac8348da6c

SHA512
2eb17020675b83039cdba0de95dee03de17b83a2e4df39cdab80b1d7f5116c5389c82ed24987ace4ac5296c6a79eb63257b3d9a279febbf7a2187f1f979bef9c

Download Submit
C:\Windows\System32\vlqdzXQ.exe

Filesize
1.5MB

MD5
1924ee93a581aacbff7780448b0a6bce

SHA1
5c7b9ca70fbb8cbcbb67465c14a76b35800b060e

SHA256
c5d9cc7730115cb1141d9213d0b7f9227c23bba3acd5d7638bede0da936523bc

SHA512
1f51e554354d193857cfbe0fc7f93d18cff95625f3e1a2c9ea84b8b32b40320f9400bcf475b92749899cc7d10f632cd3a4c1d7acd3b6486bdc582c3882a27a4f

Download Submit
C:\Windows\System32\wDBqwrO.exe

Filesize
1.5MB

MD5
c479269d5781b6f3210100c6536ccdde

SHA1
e3c16c42c7cc6a11314eb6498fb119975ae01461

SHA256
18584ce529b60b3bc0fe631a16aca8739c46f3030b96f146867a6c12b67e92c9

SHA512
93fc7a19754e163932070cbfa9b19a9901cf85828464ff0a1a4f0041c3c9021803aa7b76739fe0e37b0c0370c038aec443706a79b40660a3845262ff18474b9d

Download Submit
memory/424-487-0x00007FF7A8350000-0x00007FF7A8741000-memory.dmp

Filesize
3.9MB

Download
memory/424-2090-0x00007FF7A8350000-0x00007FF7A8741000-memory.dmp

Filesize
3.9MB

Download
memory/952-2065-0x00007FF77D2F0000-0x00007FF77D6E1000-memory.dmp

Filesize
3.9MB

Download
memory/952-433-0x00007FF77D2F0000-0x00007FF77D6E1000-memory.dmp

Filesize
3.9MB

Download
memory/1052-2101-0x00007FF7DA7D0000-0x00007FF7DABC1000-memory.dmp

Filesize
3.9MB

Download
memory/1052-478-0x00007FF7DA7D0000-0x00007FF7DABC1000-memory.dmp

Filesize
3.9MB

Download
memory/1356-2086-0x00007FF614350000-0x00007FF614741000-memory.dmp

Filesize
3.9MB

Download
memory/1356-500-0x00007FF614350000-0x00007FF614741000-memory.dmp

Filesize
3.9MB

Download
memory/1676-2054-0x00007FF67FF60000-0x00007FF680351000-memory.dmp

Filesize
3.9MB

Download
memory/1676-427-0x00007FF67FF60000-0x00007FF680351000-memory.dmp

Filesize
3.9MB

Download
memory/1692-2098-0x00007FF6EC1C0000-0x00007FF6EC5B1000-memory.dmp

Filesize
3.9MB

Download
memory/1692-484-0x00007FF6EC1C0000-0x00007FF6EC5B1000-memory.dmp

Filesize
3.9MB

Download
memory/1812-2071-0x00007FF6CDCF0000-0x00007FF6CE0E1000-memory.dmp

Filesize
3.9MB

Download
memory/1812-447-0x00007FF6CDCF0000-0x00007FF6CE0E1000-memory.dmp

Filesize
3.9MB

Download
memory/2032-2051-0x00007FF63BA30000-0x00007FF63BE21000-memory.dmp

Filesize
3.9MB

Download
memory/2032-428-0x00007FF63BA30000-0x00007FF63BE21000-memory.dmp

Filesize
3.9MB

Download
memory/2448-432-0x00007FF7448D0000-0x00007FF744CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2448-2063-0x00007FF7448D0000-0x00007FF744CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2656-449-0x00007FF68B000000-0x00007FF68B3F1000-memory.dmp

Filesize
3.9MB

Download
memory/2656-2073-0x00007FF68B000000-0x00007FF68B3F1000-memory.dmp

Filesize
3.9MB

Download
memory/2944-2061-0x00007FF765210000-0x00007FF765601000-memory.dmp

Filesize
3.9MB

Download
memory/2944-431-0x00007FF765210000-0x00007FF765601000-memory.dmp

Filesize
3.9MB

Download
memory/2992-457-0x00007FF7D4130000-0x00007FF7D4521000-memory.dmp

Filesize
3.9MB

Download
memory/2992-2077-0x00007FF7D4130000-0x00007FF7D4521000-memory.dmp

Filesize
3.9MB

Download
memory/3012-2055-0x00007FF63E360000-0x00007FF63E751000-memory.dmp

Filesize
3.9MB

Download
memory/3012-19-0x00007FF63E360000-0x00007FF63E751000-memory.dmp

Filesize
3.9MB

Download
memory/3012-2014-0x00007FF63E360000-0x00007FF63E751000-memory.dmp

Filesize
3.9MB

Download
memory/3048-456-0x00007FF7083E0000-0x00007FF7087D1000-memory.dmp

Filesize
3.9MB

Download
memory/3048-2075-0x00007FF7083E0000-0x00007FF7087D1000-memory.dmp

Filesize
3.9MB

Download
memory/3144-2080-0x00007FF701540000-0x00007FF701931000-memory.dmp

Filesize
3.9MB

Download
memory/3144-461-0x00007FF701540000-0x00007FF701931000-memory.dmp

Filesize
3.9MB

Download
memory/3408-2067-0x00007FF633F40000-0x00007FF634331000-memory.dmp

Filesize
3.9MB

Download
memory/3408-436-0x00007FF633F40000-0x00007FF634331000-memory.dmp

Filesize
3.9MB

Download
memory/3672-0-0x00007FF7B9E70000-0x00007FF7BA261000-memory.dmp

Filesize
3.9MB

Download
memory/3672-1-0x000002B934DB0000-0x000002B934DC0000-memory.dmp

Filesize
64KB

Download
memory/4168-430-0x00007FF6832C0000-0x00007FF6836B1000-memory.dmp

Filesize
3.9MB

Download
memory/4168-2059-0x00007FF6832C0000-0x00007FF6836B1000-memory.dmp

Filesize
3.9MB

Download
memory/4332-493-0x00007FF613A40000-0x00007FF613E31000-memory.dmp

Filesize
3.9MB

Download
memory/4332-2083-0x00007FF613A40000-0x00007FF613E31000-memory.dmp

Filesize
3.9MB

Download
memory/4460-2020-0x00007FF7FCF30000-0x00007FF7FD321000-memory.dmp

Filesize
3.9MB

Download
memory/4460-10-0x00007FF7FCF30000-0x00007FF7FD321000-memory.dmp

Filesize
3.9MB

Download
memory/4640-2069-0x00007FF7C3DA0000-0x00007FF7C4191000-memory.dmp

Filesize
3.9MB

Download
memory/4640-440-0x00007FF7C3DA0000-0x00007FF7C4191000-memory.dmp

Filesize
3.9MB

Download
memory/4692-467-0x00007FF7EF2C0000-0x00007FF7EF6B1000-memory.dmp

Filesize
3.9MB

Download
memory/4692-2081-0x00007FF7EF2C0000-0x00007FF7EF6B1000-memory.dmp

Filesize
3.9MB

Download
memory/4924-2139-0x00007FF63CBD0000-0x00007FF63CFC1000-memory.dmp

Filesize
3.9MB

Download
memory/4924-476-0x00007FF63CBD0000-0x00007FF63CFC1000-memory.dmp

Filesize
3.9MB

Download
memory/4944-2057-0x00007FF62C4B0000-0x00007FF62C8A1000-memory.dmp

Filesize
3.9MB

Download
memory/4944-429-0x00007FF62C4B0000-0x00007FF62C8A1000-memory.dmp

Filesize
3.9MB

Download
memory/5096-2013-0x00007FF777CD0000-0x00007FF7780C1000-memory.dmp

Filesize
3.9MB

Download
memory/5096-16-0x00007FF777CD0000-0x00007FF7780C1000-memory.dmp

Filesize
3.9MB

Download
memory/5096-2049-0x00007FF777CD0000-0x00007FF7780C1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads