xmrig | 79a7aec4843a9d52938105ebb920db3ea3e2637720648f37d0dfcfa333d42a2b

Analysis

max time kernel
139s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
Size

1.2MB
MD5

0f84cd053d59c6edf216394b05c10d27
SHA1

dfcab73117b65c418ca603b7c94a66f92dafd526
SHA256

79a7aec4843a9d52938105ebb920db3ea3e2637720648f37d0dfcfa333d42a2b
SHA512

ea68ecfcb676c72202db3814d089eaf39682cb1a3a3f9f776eabd9048b4a40f1f3bc1e0cf9b6358a1b0375569d070a075195a650377648a6f0cfd23f9aff689f
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmC3f/DFNkTQjQUj3L6:knw9oUUEEDl37jcmWH/xM/

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4440-13-0x00007FF70E1D0000-0x00007FF70E5C1000-memory.dmp	xmrig
behavioral2/memory/3596-14-0x00007FF7F1980000-0x00007FF7F1D71000-memory.dmp	xmrig
behavioral2/memory/3252-33-0x00007FF663BC0000-0x00007FF663FB1000-memory.dmp	xmrig
behavioral2/memory/4188-27-0x00007FF7D71C0000-0x00007FF7D75B1000-memory.dmp	xmrig
behavioral2/memory/5084-20-0x00007FF769B20000-0x00007FF769F11000-memory.dmp	xmrig
behavioral2/memory/2576-383-0x00007FF655F70000-0x00007FF656361000-memory.dmp	xmrig
behavioral2/memory/1148-385-0x00007FF630B90000-0x00007FF630F81000-memory.dmp	xmrig
behavioral2/memory/2672-384-0x00007FF6A32F0000-0x00007FF6A36E1000-memory.dmp	xmrig
behavioral2/memory/1376-388-0x00007FF755160000-0x00007FF755551000-memory.dmp	xmrig
behavioral2/memory/2044-393-0x00007FF7FDC40000-0x00007FF7FE031000-memory.dmp	xmrig
behavioral2/memory/1192-398-0x00007FF6F5020000-0x00007FF6F5411000-memory.dmp	xmrig
behavioral2/memory/3104-409-0x00007FF79A0D0000-0x00007FF79A4C1000-memory.dmp	xmrig
behavioral2/memory/3636-406-0x00007FF7FEF10000-0x00007FF7FF301000-memory.dmp	xmrig
behavioral2/memory/1976-415-0x00007FF6483D0000-0x00007FF6487C1000-memory.dmp	xmrig
behavioral2/memory/2828-420-0x00007FF699EC0000-0x00007FF69A2B1000-memory.dmp	xmrig
behavioral2/memory/1952-414-0x00007FF6B4E10000-0x00007FF6B5201000-memory.dmp	xmrig
behavioral2/memory/4496-402-0x00007FF730270000-0x00007FF730661000-memory.dmp	xmrig
behavioral2/memory/4708-425-0x00007FF638850000-0x00007FF638C41000-memory.dmp	xmrig
behavioral2/memory/980-427-0x00007FF71F060000-0x00007FF71F451000-memory.dmp	xmrig
behavioral2/memory/4616-432-0x00007FF7C7230000-0x00007FF7C7621000-memory.dmp	xmrig
behavioral2/memory/1220-441-0x00007FF740310000-0x00007FF740701000-memory.dmp	xmrig
behavioral2/memory/3368-446-0x00007FF79A430000-0x00007FF79A821000-memory.dmp	xmrig
behavioral2/memory/1632-436-0x00007FF6FB710000-0x00007FF6FBB01000-memory.dmp	xmrig
behavioral2/memory/3732-430-0x00007FF633620000-0x00007FF633A11000-memory.dmp	xmrig
behavioral2/memory/4440-1991-0x00007FF70E1D0000-0x00007FF70E5C1000-memory.dmp	xmrig
behavioral2/memory/3596-1993-0x00007FF7F1980000-0x00007FF7F1D71000-memory.dmp	xmrig
behavioral2/memory/5084-1995-0x00007FF769B20000-0x00007FF769F11000-memory.dmp	xmrig
behavioral2/memory/3252-1999-0x00007FF663BC0000-0x00007FF663FB1000-memory.dmp	xmrig
behavioral2/memory/4188-1997-0x00007FF7D71C0000-0x00007FF7D75B1000-memory.dmp	xmrig
behavioral2/memory/1376-2007-0x00007FF755160000-0x00007FF755551000-memory.dmp	xmrig
behavioral2/memory/1192-2011-0x00007FF6F5020000-0x00007FF6F5411000-memory.dmp	xmrig
behavioral2/memory/4496-2013-0x00007FF730270000-0x00007FF730661000-memory.dmp	xmrig
behavioral2/memory/4708-2059-0x00007FF638850000-0x00007FF638C41000-memory.dmp	xmrig
behavioral2/memory/2828-2057-0x00007FF699EC0000-0x00007FF69A2B1000-memory.dmp	xmrig
behavioral2/memory/4616-2061-0x00007FF7C7230000-0x00007FF7C7621000-memory.dmp	xmrig
behavioral2/memory/1220-2067-0x00007FF740310000-0x00007FF740701000-memory.dmp	xmrig
behavioral2/memory/3368-2069-0x00007FF79A430000-0x00007FF79A821000-memory.dmp	xmrig
behavioral2/memory/1632-2065-0x00007FF6FB710000-0x00007FF6FBB01000-memory.dmp	xmrig
behavioral2/memory/1976-2055-0x00007FF6483D0000-0x00007FF6487C1000-memory.dmp	xmrig
behavioral2/memory/980-2053-0x00007FF71F060000-0x00007FF71F451000-memory.dmp	xmrig
behavioral2/memory/1952-2051-0x00007FF6B4E10000-0x00007FF6B5201000-memory.dmp	xmrig
behavioral2/memory/3732-2063-0x00007FF633620000-0x00007FF633A11000-memory.dmp	xmrig
behavioral2/memory/3104-2049-0x00007FF79A0D0000-0x00007FF79A4C1000-memory.dmp	xmrig
behavioral2/memory/3636-2042-0x00007FF7FEF10000-0x00007FF7FF301000-memory.dmp	xmrig
behavioral2/memory/2044-2009-0x00007FF7FDC40000-0x00007FF7FE031000-memory.dmp	xmrig
behavioral2/memory/2576-2005-0x00007FF655F70000-0x00007FF656361000-memory.dmp	xmrig
behavioral2/memory/2672-2003-0x00007FF6A32F0000-0x00007FF6A36E1000-memory.dmp	xmrig
behavioral2/memory/1148-2001-0x00007FF630B90000-0x00007FF630F81000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4440	tffJAtX.exe
3596	NFunvjz.exe
5084	ULcUhdh.exe
4188	tpozWIN.exe
3252	IVcIekE.exe
2576	PYJcbtQ.exe
2672	RNvmMuS.exe
1148	BmLaSUm.exe
1376	oByANao.exe
2044	bvpEfPt.exe
1192	DAOxOHx.exe
4496	fzUsWXU.exe
3636	WSdrXIO.exe
3104	zmVARCv.exe
1952	zagQvJJ.exe
1976	qjGstnz.exe
2828	GsonZHq.exe
4708	tewRzVp.exe
980	qRhgXKX.exe
3732	XmBHbMA.exe
4616	TxBPIhh.exe
1632	fSdsDLe.exe
1220	CzwhhgL.exe
3368	TnPyVoc.exe
4968	EnEYszI.exe
1256	ZGQaIeG.exe
4652	AfbBaKX.exe
3192	NazXTsH.exe
4456	ZLHMLBA.exe
456	qjmuOUL.exe
4312	zoeGFgo.exe
4876	AdmrxMR.exe
2108	Qhxbeud.exe
3496	dSibnxU.exe
4712	jRwquRJ.exe
4628	XZzckuC.exe
4064	JBbUJPN.exe
4548	sDnWxjz.exe
3480	nrKHkco.exe
2792	DbUAbOn.exe
868	XBpkEck.exe
3124	VYvOzrg.exe
3844	uvZPpIE.exe
3520	opogjxQ.exe
3380	tcxmzVA.exe
2180	wkbFAKj.exe
856	bYxpSBz.exe
3008	tCXXleP.exe
2720	wUjEbyM.exe
4504	CBcTFWK.exe
2556	bzKxbvw.exe
1800	mFPIaZn.exe
2684	zewKIlR.exe
5056	rvgWhbp.exe
3000	AGVkueK.exe
4428	ZSNWXBF.exe
1980	ViKUlbY.exe
4140	OuNCRIL.exe
1176	uhwxVKl.exe
1440	YnzDPBD.exe
3448	oLriggi.exe
1648	juGqRtc.exe
3660	aNRrInc.exe
3488	vMHpKkN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/404-0-0x00007FF7C4640000-0x00007FF7C4A31000-memory.dmp	upx
behavioral2/files/0x000b000000023b8b-5.dat	upx
behavioral2/files/0x000a000000023b8f-8.dat	upx
behavioral2/files/0x000a000000023b90-10.dat	upx
behavioral2/memory/4440-13-0x00007FF70E1D0000-0x00007FF70E5C1000-memory.dmp	upx
behavioral2/memory/3596-14-0x00007FF7F1980000-0x00007FF7F1D71000-memory.dmp	upx
behavioral2/files/0x000a000000023b92-24.dat	upx
behavioral2/files/0x000a000000023b93-28.dat	upx
behavioral2/files/0x000a000000023b94-36.dat	upx
behavioral2/files/0x000a000000023b97-51.dat	upx
behavioral2/files/0x000a000000023b98-56.dat	upx
behavioral2/files/0x000a000000023b9b-71.dat	upx
behavioral2/files/0x000a000000023b9e-86.dat	upx
behavioral2/files/0x000a000000023ba6-124.dat	upx
behavioral2/files/0x000a000000023ba9-141.dat	upx
behavioral2/files/0x000a000000023bab-151.dat	upx
behavioral2/files/0x000a000000023bae-166.dat	upx
behavioral2/files/0x000a000000023bad-161.dat	upx
behavioral2/files/0x000a000000023bac-156.dat	upx
behavioral2/files/0x000a000000023baa-146.dat	upx
behavioral2/files/0x000a000000023ba8-136.dat	upx
behavioral2/files/0x000a000000023ba7-131.dat	upx
behavioral2/files/0x000a000000023ba5-121.dat	upx
behavioral2/files/0x000a000000023ba4-116.dat	upx
behavioral2/files/0x000a000000023ba3-111.dat	upx
behavioral2/files/0x000a000000023ba2-106.dat	upx
behavioral2/files/0x000a000000023ba1-101.dat	upx
behavioral2/files/0x000a000000023ba0-96.dat	upx
behavioral2/files/0x000a000000023b9f-91.dat	upx
behavioral2/files/0x000a000000023b9d-81.dat	upx
behavioral2/files/0x000a000000023b9c-76.dat	upx
behavioral2/files/0x000a000000023b9a-66.dat	upx
behavioral2/files/0x000a000000023b99-61.dat	upx
behavioral2/files/0x000a000000023b96-46.dat	upx
behavioral2/files/0x000a000000023b95-41.dat	upx
behavioral2/memory/3252-33-0x00007FF663BC0000-0x00007FF663FB1000-memory.dmp	upx
behavioral2/memory/4188-27-0x00007FF7D71C0000-0x00007FF7D75B1000-memory.dmp	upx
behavioral2/memory/5084-20-0x00007FF769B20000-0x00007FF769F11000-memory.dmp	upx
behavioral2/memory/2576-383-0x00007FF655F70000-0x00007FF656361000-memory.dmp	upx
behavioral2/memory/1148-385-0x00007FF630B90000-0x00007FF630F81000-memory.dmp	upx
behavioral2/memory/2672-384-0x00007FF6A32F0000-0x00007FF6A36E1000-memory.dmp	upx
behavioral2/memory/1376-388-0x00007FF755160000-0x00007FF755551000-memory.dmp	upx
behavioral2/memory/2044-393-0x00007FF7FDC40000-0x00007FF7FE031000-memory.dmp	upx
behavioral2/memory/1192-398-0x00007FF6F5020000-0x00007FF6F5411000-memory.dmp	upx
behavioral2/memory/3104-409-0x00007FF79A0D0000-0x00007FF79A4C1000-memory.dmp	upx
behavioral2/memory/3636-406-0x00007FF7FEF10000-0x00007FF7FF301000-memory.dmp	upx
behavioral2/memory/1976-415-0x00007FF6483D0000-0x00007FF6487C1000-memory.dmp	upx
behavioral2/memory/2828-420-0x00007FF699EC0000-0x00007FF69A2B1000-memory.dmp	upx
behavioral2/memory/1952-414-0x00007FF6B4E10000-0x00007FF6B5201000-memory.dmp	upx
behavioral2/memory/4496-402-0x00007FF730270000-0x00007FF730661000-memory.dmp	upx
behavioral2/memory/4708-425-0x00007FF638850000-0x00007FF638C41000-memory.dmp	upx
behavioral2/memory/980-427-0x00007FF71F060000-0x00007FF71F451000-memory.dmp	upx
behavioral2/memory/4616-432-0x00007FF7C7230000-0x00007FF7C7621000-memory.dmp	upx
behavioral2/memory/1220-441-0x00007FF740310000-0x00007FF740701000-memory.dmp	upx
behavioral2/memory/3368-446-0x00007FF79A430000-0x00007FF79A821000-memory.dmp	upx
behavioral2/memory/1632-436-0x00007FF6FB710000-0x00007FF6FBB01000-memory.dmp	upx
behavioral2/memory/3732-430-0x00007FF633620000-0x00007FF633A11000-memory.dmp	upx
behavioral2/memory/4440-1991-0x00007FF70E1D0000-0x00007FF70E5C1000-memory.dmp	upx
behavioral2/memory/3596-1993-0x00007FF7F1980000-0x00007FF7F1D71000-memory.dmp	upx
behavioral2/memory/5084-1995-0x00007FF769B20000-0x00007FF769F11000-memory.dmp	upx
behavioral2/memory/3252-1999-0x00007FF663BC0000-0x00007FF663FB1000-memory.dmp	upx
behavioral2/memory/4188-1997-0x00007FF7D71C0000-0x00007FF7D75B1000-memory.dmp	upx
behavioral2/memory/1376-2007-0x00007FF755160000-0x00007FF755551000-memory.dmp	upx
behavioral2/memory/1192-2011-0x00007FF6F5020000-0x00007FF6F5411000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ZOgjtfk.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\xIhgiXZ.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\ZLHMLBA.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\mrRdeiM.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\SMIbtMS.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\nxaxPDC.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\tdLRNZV.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\dtjcJuN.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\QDDZjUm.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\nrKHkco.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\fJoGSSh.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\UMtdtEl.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\UhwDBwf.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\tMmevSP.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\qXIWhTP.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\OkPExTV.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\VQFRodk.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\LJsqKqH.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\bTTAJbb.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\HEYMnBW.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\bYxpSBz.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\KOgRCHZ.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\XKuZmjL.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\KMuIZNM.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\iKVsZjh.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\rllEuOX.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\czMCEAQ.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\JIuQIRN.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\GCxpUaL.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\PDSOYqd.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\hWgElUz.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\LnMlZVF.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\ZROOFiF.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\kxeYptN.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\PvWaiSa.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\PUayjWC.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\IbwRBbE.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\CneiUoN.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\AkXFUlG.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\QoEvGaN.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\hUSRlAd.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\bKDznsB.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\ZkHTEUa.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\NqlNPZs.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\SxPcsaP.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\uPcLQnE.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\VLYyJCD.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\QeIosZl.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\SMTwrUz.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\YkAmUJK.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\WfWSWgk.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\YzMgaIw.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\ouoSHSG.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\vJlxrah.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\wOWItIe.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\hnvZVdA.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\jvkyIkV.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\FoIPpHl.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\ysPvqur.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\TGAMWDQ.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\VnIizZq.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\QpsHAPr.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\czyJmBC.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
File created	C:\Windows\System32\qdQmxNU.exe	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13504	dwm.exe
Token: SeChangeNotifyPrivilege	13504	dwm.exe
Token: 33	13504	dwm.exe
Token: SeIncBasePriorityPrivilege	13504	dwm.exe
Token: SeShutdownPrivilege	13504	dwm.exe
Token: SeCreatePagefilePrivilege	13504	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4440	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	84
PID 404 wrote to memory of 4440	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	84
PID 404 wrote to memory of 3596	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	85
PID 404 wrote to memory of 3596	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	85
PID 404 wrote to memory of 5084	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	86
PID 404 wrote to memory of 5084	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	86
PID 404 wrote to memory of 4188	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	87
PID 404 wrote to memory of 4188	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	87
PID 404 wrote to memory of 3252	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	88
PID 404 wrote to memory of 3252	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	88
PID 404 wrote to memory of 2576	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	89
PID 404 wrote to memory of 2576	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	89
PID 404 wrote to memory of 2672	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	90
PID 404 wrote to memory of 2672	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	90
PID 404 wrote to memory of 1148	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	91
PID 404 wrote to memory of 1148	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	91
PID 404 wrote to memory of 1376	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	92
PID 404 wrote to memory of 1376	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	92
PID 404 wrote to memory of 2044	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	93
PID 404 wrote to memory of 2044	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	93
PID 404 wrote to memory of 1192	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	94
PID 404 wrote to memory of 1192	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	94
PID 404 wrote to memory of 4496	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	95
PID 404 wrote to memory of 4496	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	95
PID 404 wrote to memory of 3636	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	96
PID 404 wrote to memory of 3636	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	96
PID 404 wrote to memory of 3104	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	97
PID 404 wrote to memory of 3104	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	97
PID 404 wrote to memory of 1952	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	98
PID 404 wrote to memory of 1952	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	98
PID 404 wrote to memory of 1976	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	99
PID 404 wrote to memory of 1976	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	99
PID 404 wrote to memory of 2828	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	100
PID 404 wrote to memory of 2828	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	100
PID 404 wrote to memory of 4708	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	101
PID 404 wrote to memory of 4708	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	101
PID 404 wrote to memory of 980	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	102
PID 404 wrote to memory of 980	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	102
PID 404 wrote to memory of 3732	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	103
PID 404 wrote to memory of 3732	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	103
PID 404 wrote to memory of 4616	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	104
PID 404 wrote to memory of 4616	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	104
PID 404 wrote to memory of 1632	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	105
PID 404 wrote to memory of 1632	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	105
PID 404 wrote to memory of 1220	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	106
PID 404 wrote to memory of 1220	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	106
PID 404 wrote to memory of 3368	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	107
PID 404 wrote to memory of 3368	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	107
PID 404 wrote to memory of 4968	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	108
PID 404 wrote to memory of 4968	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	108
PID 404 wrote to memory of 1256	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	109
PID 404 wrote to memory of 1256	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	109
PID 404 wrote to memory of 4652	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	110
PID 404 wrote to memory of 4652	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	110
PID 404 wrote to memory of 3192	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	111
PID 404 wrote to memory of 3192	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	111
PID 404 wrote to memory of 4456	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	112
PID 404 wrote to memory of 4456	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	112
PID 404 wrote to memory of 456	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	113
PID 404 wrote to memory of 456	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	113
PID 404 wrote to memory of 4312	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	114
PID 404 wrote to memory of 4312	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	114
PID 404 wrote to memory of 4876	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	115
PID 404 wrote to memory of 4876	404	0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f84cd053d59c6edf216394b05c10d27_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\System32\tffJAtX.exe
  C:\Windows\System32\tffJAtX.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\NFunvjz.exe
  C:\Windows\System32\NFunvjz.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\ULcUhdh.exe
  C:\Windows\System32\ULcUhdh.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\tpozWIN.exe
  C:\Windows\System32\tpozWIN.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System32\IVcIekE.exe
  C:\Windows\System32\IVcIekE.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System32\PYJcbtQ.exe
  C:\Windows\System32\PYJcbtQ.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System32\RNvmMuS.exe
  C:\Windows\System32\RNvmMuS.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\BmLaSUm.exe
  C:\Windows\System32\BmLaSUm.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System32\oByANao.exe
  C:\Windows\System32\oByANao.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\bvpEfPt.exe
  C:\Windows\System32\bvpEfPt.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System32\DAOxOHx.exe
  C:\Windows\System32\DAOxOHx.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System32\fzUsWXU.exe
  C:\Windows\System32\fzUsWXU.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\WSdrXIO.exe
  C:\Windows\System32\WSdrXIO.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\zmVARCv.exe
  C:\Windows\System32\zmVARCv.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System32\zagQvJJ.exe
  C:\Windows\System32\zagQvJJ.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System32\qjGstnz.exe
  C:\Windows\System32\qjGstnz.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System32\GsonZHq.exe
  C:\Windows\System32\GsonZHq.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System32\tewRzVp.exe
  C:\Windows\System32\tewRzVp.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\qRhgXKX.exe
  C:\Windows\System32\qRhgXKX.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System32\XmBHbMA.exe
  C:\Windows\System32\XmBHbMA.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System32\TxBPIhh.exe
  C:\Windows\System32\TxBPIhh.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System32\fSdsDLe.exe
  C:\Windows\System32\fSdsDLe.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System32\CzwhhgL.exe
  C:\Windows\System32\CzwhhgL.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System32\TnPyVoc.exe
  C:\Windows\System32\TnPyVoc.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System32\EnEYszI.exe
  C:\Windows\System32\EnEYszI.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\ZGQaIeG.exe
  C:\Windows\System32\ZGQaIeG.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System32\AfbBaKX.exe
  C:\Windows\System32\AfbBaKX.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\NazXTsH.exe
  C:\Windows\System32\NazXTsH.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System32\ZLHMLBA.exe
  C:\Windows\System32\ZLHMLBA.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\qjmuOUL.exe
  C:\Windows\System32\qjmuOUL.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System32\zoeGFgo.exe
  C:\Windows\System32\zoeGFgo.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\AdmrxMR.exe
  C:\Windows\System32\AdmrxMR.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System32\Qhxbeud.exe
  C:\Windows\System32\Qhxbeud.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\dSibnxU.exe
  C:\Windows\System32\dSibnxU.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\jRwquRJ.exe
  C:\Windows\System32\jRwquRJ.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\XZzckuC.exe
  C:\Windows\System32\XZzckuC.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\JBbUJPN.exe
  C:\Windows\System32\JBbUJPN.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System32\sDnWxjz.exe
  C:\Windows\System32\sDnWxjz.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\nrKHkco.exe
  C:\Windows\System32\nrKHkco.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\DbUAbOn.exe
  C:\Windows\System32\DbUAbOn.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System32\XBpkEck.exe
  C:\Windows\System32\XBpkEck.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System32\VYvOzrg.exe
  C:\Windows\System32\VYvOzrg.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System32\uvZPpIE.exe
  C:\Windows\System32\uvZPpIE.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\opogjxQ.exe
  C:\Windows\System32\opogjxQ.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System32\tcxmzVA.exe
  C:\Windows\System32\tcxmzVA.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System32\wkbFAKj.exe
  C:\Windows\System32\wkbFAKj.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System32\bYxpSBz.exe
  C:\Windows\System32\bYxpSBz.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System32\tCXXleP.exe
  C:\Windows\System32\tCXXleP.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System32\wUjEbyM.exe
  C:\Windows\System32\wUjEbyM.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System32\CBcTFWK.exe
  C:\Windows\System32\CBcTFWK.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System32\bzKxbvw.exe
  C:\Windows\System32\bzKxbvw.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System32\mFPIaZn.exe
  C:\Windows\System32\mFPIaZn.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\zewKIlR.exe
  C:\Windows\System32\zewKIlR.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System32\rvgWhbp.exe
  C:\Windows\System32\rvgWhbp.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\AGVkueK.exe
  C:\Windows\System32\AGVkueK.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\ZSNWXBF.exe
  C:\Windows\System32\ZSNWXBF.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System32\ViKUlbY.exe
  C:\Windows\System32\ViKUlbY.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\OuNCRIL.exe
  C:\Windows\System32\OuNCRIL.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\uhwxVKl.exe
  C:\Windows\System32\uhwxVKl.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System32\YnzDPBD.exe
  C:\Windows\System32\YnzDPBD.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\oLriggi.exe
  C:\Windows\System32\oLriggi.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\juGqRtc.exe
  C:\Windows\System32\juGqRtc.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\aNRrInc.exe
  C:\Windows\System32\aNRrInc.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\vMHpKkN.exe
  C:\Windows\System32\vMHpKkN.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\aUjhpot.exe
  C:\Windows\System32\aUjhpot.exe
  2⤵
  PID:3916
- C:\Windows\System32\TBUItDq.exe
  C:\Windows\System32\TBUItDq.exe
  2⤵
  PID:1028
- C:\Windows\System32\cSuCTcj.exe
  C:\Windows\System32\cSuCTcj.exe
  2⤵
  PID:1644
- C:\Windows\System32\kLVwzKG.exe
  C:\Windows\System32\kLVwzKG.exe
  2⤵
  PID:448
- C:\Windows\System32\WfuwUpx.exe
  C:\Windows\System32\WfuwUpx.exe
  2⤵
  PID:2696
- C:\Windows\System32\YzMgaIw.exe
  C:\Windows\System32\YzMgaIw.exe
  2⤵
  PID:3064
- C:\Windows\System32\vCrrUKT.exe
  C:\Windows\System32\vCrrUKT.exe
  2⤵
  PID:2588
- C:\Windows\System32\JUGhZRC.exe
  C:\Windows\System32\JUGhZRC.exe
  2⤵
  PID:4128
- C:\Windows\System32\yoUStUL.exe
  C:\Windows\System32\yoUStUL.exe
  2⤵
  PID:4008
- C:\Windows\System32\Blwdlih.exe
  C:\Windows\System32\Blwdlih.exe
  2⤵
  PID:4580
- C:\Windows\System32\GCxpUaL.exe
  C:\Windows\System32\GCxpUaL.exe
  2⤵
  PID:1664
- C:\Windows\System32\csbEelK.exe
  C:\Windows\System32\csbEelK.exe
  2⤵
  PID:3052
- C:\Windows\System32\ZDXDcQz.exe
  C:\Windows\System32\ZDXDcQz.exe
  2⤵
  PID:5044
- C:\Windows\System32\FZKtdtm.exe
  C:\Windows\System32\FZKtdtm.exe
  2⤵
  PID:3384
- C:\Windows\System32\JzYQcpC.exe
  C:\Windows\System32\JzYQcpC.exe
  2⤵
  PID:2352
- C:\Windows\System32\jjPbaut.exe
  C:\Windows\System32\jjPbaut.exe
  2⤵
  PID:4216
- C:\Windows\System32\PkIoVqP.exe
  C:\Windows\System32\PkIoVqP.exe
  2⤵
  PID:4032
- C:\Windows\System32\OkdoKwe.exe
  C:\Windows\System32\OkdoKwe.exe
  2⤵
  PID:4744
- C:\Windows\System32\PgbSlvo.exe
  C:\Windows\System32\PgbSlvo.exe
  2⤵
  PID:640
- C:\Windows\System32\SUmHVTf.exe
  C:\Windows\System32\SUmHVTf.exe
  2⤵
  PID:1568
- C:\Windows\System32\LxGUqgj.exe
  C:\Windows\System32\LxGUqgj.exe
  2⤵
  PID:5124
- C:\Windows\System32\VToSgcF.exe
  C:\Windows\System32\VToSgcF.exe
  2⤵
  PID:5152
- C:\Windows\System32\OkPExTV.exe
  C:\Windows\System32\OkPExTV.exe
  2⤵
  PID:5180
- C:\Windows\System32\SIpTSVH.exe
  C:\Windows\System32\SIpTSVH.exe
  2⤵
  PID:5204
- C:\Windows\System32\QiDcwls.exe
  C:\Windows\System32\QiDcwls.exe
  2⤵
  PID:5236
- C:\Windows\System32\rnsOJpw.exe
  C:\Windows\System32\rnsOJpw.exe
  2⤵
  PID:5264
- C:\Windows\System32\PltXCqw.exe
  C:\Windows\System32\PltXCqw.exe
  2⤵
  PID:5288
- C:\Windows\System32\ouoSHSG.exe
  C:\Windows\System32\ouoSHSG.exe
  2⤵
  PID:5320
- C:\Windows\System32\XWwWtgm.exe
  C:\Windows\System32\XWwWtgm.exe
  2⤵
  PID:5344
- C:\Windows\System32\WmwKakP.exe
  C:\Windows\System32\WmwKakP.exe
  2⤵
  PID:5380
- C:\Windows\System32\JssEpbl.exe
  C:\Windows\System32\JssEpbl.exe
  2⤵
  PID:5404
- C:\Windows\System32\abJXzOd.exe
  C:\Windows\System32\abJXzOd.exe
  2⤵
  PID:5428
- C:\Windows\System32\DxoovtX.exe
  C:\Windows\System32\DxoovtX.exe
  2⤵
  PID:5460
- C:\Windows\System32\fJoGSSh.exe
  C:\Windows\System32\fJoGSSh.exe
  2⤵
  PID:5488
- C:\Windows\System32\UoqXZht.exe
  C:\Windows\System32\UoqXZht.exe
  2⤵
  PID:5512
- C:\Windows\System32\iCEuhAY.exe
  C:\Windows\System32\iCEuhAY.exe
  2⤵
  PID:5544
- C:\Windows\System32\opkYGHp.exe
  C:\Windows\System32\opkYGHp.exe
  2⤵
  PID:5572
- C:\Windows\System32\oIyfIeP.exe
  C:\Windows\System32\oIyfIeP.exe
  2⤵
  PID:5596
- C:\Windows\System32\qdQmxNU.exe
  C:\Windows\System32\qdQmxNU.exe
  2⤵
  PID:5628
- C:\Windows\System32\jdLhaEF.exe
  C:\Windows\System32\jdLhaEF.exe
  2⤵
  PID:5656
- C:\Windows\System32\mCcxSLC.exe
  C:\Windows\System32\mCcxSLC.exe
  2⤵
  PID:5716
- C:\Windows\System32\AsZasYr.exe
  C:\Windows\System32\AsZasYr.exe
  2⤵
  PID:5752
- C:\Windows\System32\rbybbaq.exe
  C:\Windows\System32\rbybbaq.exe
  2⤵
  PID:5776
- C:\Windows\System32\CfFPNRp.exe
  C:\Windows\System32\CfFPNRp.exe
  2⤵
  PID:5804
- C:\Windows\System32\coQZZGa.exe
  C:\Windows\System32\coQZZGa.exe
  2⤵
  PID:5844
- C:\Windows\System32\HJVWOEd.exe
  C:\Windows\System32\HJVWOEd.exe
  2⤵
  PID:5864
- C:\Windows\System32\YEGeXNR.exe
  C:\Windows\System32\YEGeXNR.exe
  2⤵
  PID:5892
- C:\Windows\System32\PfbRRYF.exe
  C:\Windows\System32\PfbRRYF.exe
  2⤵
  PID:5916
- C:\Windows\System32\njnXnly.exe
  C:\Windows\System32\njnXnly.exe
  2⤵
  PID:5980
- C:\Windows\System32\HjKQqDI.exe
  C:\Windows\System32\HjKQqDI.exe
  2⤵
  PID:6024
- C:\Windows\System32\sKNuOQP.exe
  C:\Windows\System32\sKNuOQP.exe
  2⤵
  PID:6072
- C:\Windows\System32\DXzJpEK.exe
  C:\Windows\System32\DXzJpEK.exe
  2⤵
  PID:6136
- C:\Windows\System32\ZjPTaTL.exe
  C:\Windows\System32\ZjPTaTL.exe
  2⤵
  PID:224
- C:\Windows\System32\EzjZLlE.exe
  C:\Windows\System32\EzjZLlE.exe
  2⤵
  PID:3644
- C:\Windows\System32\EnZaPvr.exe
  C:\Windows\System32\EnZaPvr.exe
  2⤵
  PID:808
- C:\Windows\System32\UvvhFHV.exe
  C:\Windows\System32\UvvhFHV.exe
  2⤵
  PID:5136
- C:\Windows\System32\qGnnkHy.exe
  C:\Windows\System32\qGnnkHy.exe
  2⤵
  PID:5192
- C:\Windows\System32\ZFvyFmx.exe
  C:\Windows\System32\ZFvyFmx.exe
  2⤵
  PID:5252
- C:\Windows\System32\ThOUZVl.exe
  C:\Windows\System32\ThOUZVl.exe
  2⤵
  PID:5304
- C:\Windows\System32\AMCFFdw.exe
  C:\Windows\System32\AMCFFdw.exe
  2⤵
  PID:4752
- C:\Windows\System32\qahyYtF.exe
  C:\Windows\System32\qahyYtF.exe
  2⤵
  PID:3984
- C:\Windows\System32\fGVdwnf.exe
  C:\Windows\System32\fGVdwnf.exe
  2⤵
  PID:5392
- C:\Windows\System32\fkrZMNI.exe
  C:\Windows\System32\fkrZMNI.exe
  2⤵
  PID:4436
- C:\Windows\System32\jzlxvsI.exe
  C:\Windows\System32\jzlxvsI.exe
  2⤵
  PID:5444
- C:\Windows\System32\coZMzIw.exe
  C:\Windows\System32\coZMzIw.exe
  2⤵
  PID:4568
- C:\Windows\System32\hUSRlAd.exe
  C:\Windows\System32\hUSRlAd.exe
  2⤵
  PID:2204
- C:\Windows\System32\VQFRodk.exe
  C:\Windows\System32\VQFRodk.exe
  2⤵
  PID:5528
- C:\Windows\System32\CnCYsEh.exe
  C:\Windows\System32\CnCYsEh.exe
  2⤵
  PID:5560
- C:\Windows\System32\jkGgQDO.exe
  C:\Windows\System32\jkGgQDO.exe
  2⤵
  PID:5648
- C:\Windows\System32\LbXngyU.exe
  C:\Windows\System32\LbXngyU.exe
  2⤵
  PID:1736
- C:\Windows\System32\TZDKkNa.exe
  C:\Windows\System32\TZDKkNa.exe
  2⤵
  PID:1740
- C:\Windows\System32\hFtlKwO.exe
  C:\Windows\System32\hFtlKwO.exe
  2⤵
  PID:5796
- C:\Windows\System32\PNxSaBA.exe
  C:\Windows\System32\PNxSaBA.exe
  2⤵
  PID:5852
- C:\Windows\System32\KaUmBag.exe
  C:\Windows\System32\KaUmBag.exe
  2⤵
  PID:5932
- C:\Windows\System32\tEohhjU.exe
  C:\Windows\System32\tEohhjU.exe
  2⤵
  PID:5992
- C:\Windows\System32\HnFqCeF.exe
  C:\Windows\System32\HnFqCeF.exe
  2⤵
  PID:5700
- C:\Windows\System32\xoHLPqy.exe
  C:\Windows\System32\xoHLPqy.exe
  2⤵
  PID:5860
- C:\Windows\System32\BLlkKtP.exe
  C:\Windows\System32\BLlkKtP.exe
  2⤵
  PID:5928
- C:\Windows\System32\VesGBQE.exe
  C:\Windows\System32\VesGBQE.exe
  2⤵
  PID:3076
- C:\Windows\System32\vSxKhSr.exe
  C:\Windows\System32\vSxKhSr.exe
  2⤵
  PID:2708
- C:\Windows\System32\yuEIJwl.exe
  C:\Windows\System32\yuEIJwl.exe
  2⤵
  PID:5900
- C:\Windows\System32\nKPrcBO.exe
  C:\Windows\System32\nKPrcBO.exe
  2⤵
  PID:5440
- C:\Windows\System32\NvzptGV.exe
  C:\Windows\System32\NvzptGV.exe
  2⤵
  PID:760
- C:\Windows\System32\WgZOgNi.exe
  C:\Windows\System32\WgZOgNi.exe
  2⤵
  PID:2124
- C:\Windows\System32\uZLpvBQ.exe
  C:\Windows\System32\uZLpvBQ.exe
  2⤵
  PID:3716
- C:\Windows\System32\MmDbmhA.exe
  C:\Windows\System32\MmDbmhA.exe
  2⤵
  PID:5740
- C:\Windows\System32\HKcdRuw.exe
  C:\Windows\System32\HKcdRuw.exe
  2⤵
  PID:5876
- C:\Windows\System32\FsncQnQ.exe
  C:\Windows\System32\FsncQnQ.exe
  2⤵
  PID:5996
- C:\Windows\System32\SqmzYuB.exe
  C:\Windows\System32\SqmzYuB.exe
  2⤵
  PID:5792
- C:\Windows\System32\gsUGYlG.exe
  C:\Windows\System32\gsUGYlG.exe
  2⤵
  PID:2104
- C:\Windows\System32\iPlXBXM.exe
  C:\Windows\System32\iPlXBXM.exe
  2⤵
  PID:4432
- C:\Windows\System32\hZAbLfd.exe
  C:\Windows\System32\hZAbLfd.exe
  2⤵
  PID:5564
- C:\Windows\System32\qOvVRNn.exe
  C:\Windows\System32\qOvVRNn.exe
  2⤵
  PID:4964
- C:\Windows\System32\nztIrvw.exe
  C:\Windows\System32\nztIrvw.exe
  2⤵
  PID:5884
- C:\Windows\System32\JdlgFhK.exe
  C:\Windows\System32\JdlgFhK.exe
  2⤵
  PID:5396
- C:\Windows\System32\ZoWHWNk.exe
  C:\Windows\System32\ZoWHWNk.exe
  2⤵
  PID:5840
- C:\Windows\System32\pfOoUgm.exe
  C:\Windows\System32\pfOoUgm.exe
  2⤵
  PID:6168
- C:\Windows\System32\londTNl.exe
  C:\Windows\System32\londTNl.exe
  2⤵
  PID:6196
- C:\Windows\System32\wZFIrjv.exe
  C:\Windows\System32\wZFIrjv.exe
  2⤵
  PID:6220
- C:\Windows\System32\LJsqKqH.exe
  C:\Windows\System32\LJsqKqH.exe
  2⤵
  PID:6236
- C:\Windows\System32\kxeYptN.exe
  C:\Windows\System32\kxeYptN.exe
  2⤵
  PID:6272
- C:\Windows\System32\iLPoagc.exe
  C:\Windows\System32\iLPoagc.exe
  2⤵
  PID:6308
- C:\Windows\System32\vJlxrah.exe
  C:\Windows\System32\vJlxrah.exe
  2⤵
  PID:6336
- C:\Windows\System32\bGXTMUK.exe
  C:\Windows\System32\bGXTMUK.exe
  2⤵
  PID:6364
- C:\Windows\System32\IoegEDZ.exe
  C:\Windows\System32\IoegEDZ.exe
  2⤵
  PID:6384
- C:\Windows\System32\oHPocne.exe
  C:\Windows\System32\oHPocne.exe
  2⤵
  PID:6404
- C:\Windows\System32\YaYHCSX.exe
  C:\Windows\System32\YaYHCSX.exe
  2⤵
  PID:6420
- C:\Windows\System32\jPphLkP.exe
  C:\Windows\System32\jPphLkP.exe
  2⤵
  PID:6444
- C:\Windows\System32\UhwDBwf.exe
  C:\Windows\System32\UhwDBwf.exe
  2⤵
  PID:6460
- C:\Windows\System32\svixVVh.exe
  C:\Windows\System32\svixVVh.exe
  2⤵
  PID:6488
- C:\Windows\System32\DKdSYUg.exe
  C:\Windows\System32\DKdSYUg.exe
  2⤵
  PID:6552
- C:\Windows\System32\SMTwrUz.exe
  C:\Windows\System32\SMTwrUz.exe
  2⤵
  PID:6568
- C:\Windows\System32\RfSsbLc.exe
  C:\Windows\System32\RfSsbLc.exe
  2⤵
  PID:6596
- C:\Windows\System32\YkAmUJK.exe
  C:\Windows\System32\YkAmUJK.exe
  2⤵
  PID:6612
- C:\Windows\System32\xkunbsi.exe
  C:\Windows\System32\xkunbsi.exe
  2⤵
  PID:6636
- C:\Windows\System32\XBuGzKH.exe
  C:\Windows\System32\XBuGzKH.exe
  2⤵
  PID:6660
- C:\Windows\System32\PNTNFXv.exe
  C:\Windows\System32\PNTNFXv.exe
  2⤵
  PID:6696
- C:\Windows\System32\CcZjQeV.exe
  C:\Windows\System32\CcZjQeV.exe
  2⤵
  PID:6760
- C:\Windows\System32\bzMLRso.exe
  C:\Windows\System32\bzMLRso.exe
  2⤵
  PID:6780
- C:\Windows\System32\UTilEps.exe
  C:\Windows\System32\UTilEps.exe
  2⤵
  PID:6816
- C:\Windows\System32\ZDbJOqt.exe
  C:\Windows\System32\ZDbJOqt.exe
  2⤵
  PID:6848
- C:\Windows\System32\tMmevSP.exe
  C:\Windows\System32\tMmevSP.exe
  2⤵
  PID:6864
- C:\Windows\System32\sUInPZY.exe
  C:\Windows\System32\sUInPZY.exe
  2⤵
  PID:6888
- C:\Windows\System32\SYHazgS.exe
  C:\Windows\System32\SYHazgS.exe
  2⤵
  PID:6908
- C:\Windows\System32\dZYnZCI.exe
  C:\Windows\System32\dZYnZCI.exe
  2⤵
  PID:6932
- C:\Windows\System32\KckTrAH.exe
  C:\Windows\System32\KckTrAH.exe
  2⤵
  PID:6984
- C:\Windows\System32\fsbzcHi.exe
  C:\Windows\System32\fsbzcHi.exe
  2⤵
  PID:7008
- C:\Windows\System32\oKsNRGD.exe
  C:\Windows\System32\oKsNRGD.exe
  2⤵
  PID:7028
- C:\Windows\System32\hkHJYSk.exe
  C:\Windows\System32\hkHJYSk.exe
  2⤵
  PID:7044
- C:\Windows\System32\QKujfsu.exe
  C:\Windows\System32\QKujfsu.exe
  2⤵
  PID:7060
- C:\Windows\System32\pNcUuwg.exe
  C:\Windows\System32\pNcUuwg.exe
  2⤵
  PID:7104
- C:\Windows\System32\mwWeCxE.exe
  C:\Windows\System32\mwWeCxE.exe
  2⤵
  PID:7132
- C:\Windows\System32\tWmpeoR.exe
  C:\Windows\System32\tWmpeoR.exe
  2⤵
  PID:6184
- C:\Windows\System32\EZYBSYG.exe
  C:\Windows\System32\EZYBSYG.exe
  2⤵
  PID:6208
- C:\Windows\System32\BaGvUkG.exe
  C:\Windows\System32\BaGvUkG.exe
  2⤵
  PID:6284
- C:\Windows\System32\JuJldYx.exe
  C:\Windows\System32\JuJldYx.exe
  2⤵
  PID:6324
- C:\Windows\System32\pQtgyux.exe
  C:\Windows\System32\pQtgyux.exe
  2⤵
  PID:6468
- C:\Windows\System32\YSqPsbm.exe
  C:\Windows\System32\YSqPsbm.exe
  2⤵
  PID:6512
- C:\Windows\System32\MBhVzCd.exe
  C:\Windows\System32\MBhVzCd.exe
  2⤵
  PID:6576
- C:\Windows\System32\FEHTifS.exe
  C:\Windows\System32\FEHTifS.exe
  2⤵
  PID:6632
- C:\Windows\System32\IArVIlV.exe
  C:\Windows\System32\IArVIlV.exe
  2⤵
  PID:6732
- C:\Windows\System32\bKDznsB.exe
  C:\Windows\System32\bKDznsB.exe
  2⤵
  PID:6808
- C:\Windows\System32\nSUDmnQ.exe
  C:\Windows\System32\nSUDmnQ.exe
  2⤵
  PID:6836
- C:\Windows\System32\MRxtyYQ.exe
  C:\Windows\System32\MRxtyYQ.exe
  2⤵
  PID:6904
- C:\Windows\System32\jBinKZQ.exe
  C:\Windows\System32\jBinKZQ.exe
  2⤵
  PID:7016
- C:\Windows\System32\dDinjwV.exe
  C:\Windows\System32\dDinjwV.exe
  2⤵
  PID:7128
- C:\Windows\System32\eVUkfmh.exe
  C:\Windows\System32\eVUkfmh.exe
  2⤵
  PID:6192
- C:\Windows\System32\RawkazD.exe
  C:\Windows\System32\RawkazD.exe
  2⤵
  PID:6300
- C:\Windows\System32\CEOflgo.exe
  C:\Windows\System32\CEOflgo.exe
  2⤵
  PID:6436
- C:\Windows\System32\CaNGfSd.exe
  C:\Windows\System32\CaNGfSd.exe
  2⤵
  PID:6676
- C:\Windows\System32\rWtKxVQ.exe
  C:\Windows\System32\rWtKxVQ.exe
  2⤵
  PID:6856
- C:\Windows\System32\wUPHZCd.exe
  C:\Windows\System32\wUPHZCd.exe
  2⤵
  PID:6360
- C:\Windows\System32\WhPAhjC.exe
  C:\Windows\System32\WhPAhjC.exe
  2⤵
  PID:6768
- C:\Windows\System32\KxOLtXb.exe
  C:\Windows\System32\KxOLtXb.exe
  2⤵
  PID:7160
- C:\Windows\System32\poOenST.exe
  C:\Windows\System32\poOenST.exe
  2⤵
  PID:7180
- C:\Windows\System32\sZrCfAG.exe
  C:\Windows\System32\sZrCfAG.exe
  2⤵
  PID:7196
- C:\Windows\System32\oxCkkEI.exe
  C:\Windows\System32\oxCkkEI.exe
  2⤵
  PID:7228
- C:\Windows\System32\HROBsem.exe
  C:\Windows\System32\HROBsem.exe
  2⤵
  PID:7244
- C:\Windows\System32\oIxfBbx.exe
  C:\Windows\System32\oIxfBbx.exe
  2⤵
  PID:7288
- C:\Windows\System32\wEHzoZd.exe
  C:\Windows\System32\wEHzoZd.exe
  2⤵
  PID:7308
- C:\Windows\System32\YPIGdvj.exe
  C:\Windows\System32\YPIGdvj.exe
  2⤵
  PID:7328
- C:\Windows\System32\EKINyJc.exe
  C:\Windows\System32\EKINyJc.exe
  2⤵
  PID:7352
- C:\Windows\System32\cPqVyXp.exe
  C:\Windows\System32\cPqVyXp.exe
  2⤵
  PID:7368
- C:\Windows\System32\yNjusbr.exe
  C:\Windows\System32\yNjusbr.exe
  2⤵
  PID:7396
- C:\Windows\System32\gMttysA.exe
  C:\Windows\System32\gMttysA.exe
  2⤵
  PID:7412
- C:\Windows\System32\eksXVqW.exe
  C:\Windows\System32\eksXVqW.exe
  2⤵
  PID:7508
- C:\Windows\System32\qyetNXA.exe
  C:\Windows\System32\qyetNXA.exe
  2⤵
  PID:7524
- C:\Windows\System32\LbQCRdK.exe
  C:\Windows\System32\LbQCRdK.exe
  2⤵
  PID:7544
- C:\Windows\System32\oLsiTRh.exe
  C:\Windows\System32\oLsiTRh.exe
  2⤵
  PID:7560
- C:\Windows\System32\jZbiyrU.exe
  C:\Windows\System32\jZbiyrU.exe
  2⤵
  PID:7580
- C:\Windows\System32\tljcgra.exe
  C:\Windows\System32\tljcgra.exe
  2⤵
  PID:7660
- C:\Windows\System32\qBspGXa.exe
  C:\Windows\System32\qBspGXa.exe
  2⤵
  PID:7684
- C:\Windows\System32\fwdnzAb.exe
  C:\Windows\System32\fwdnzAb.exe
  2⤵
  PID:7732
- C:\Windows\System32\PDSOYqd.exe
  C:\Windows\System32\PDSOYqd.exe
  2⤵
  PID:7764
- C:\Windows\System32\EhQkNXg.exe
  C:\Windows\System32\EhQkNXg.exe
  2⤵
  PID:7784
- C:\Windows\System32\hwZQPhf.exe
  C:\Windows\System32\hwZQPhf.exe
  2⤵
  PID:7820
- C:\Windows\System32\CiElsgw.exe
  C:\Windows\System32\CiElsgw.exe
  2⤵
  PID:7848
- C:\Windows\System32\hWgElUz.exe
  C:\Windows\System32\hWgElUz.exe
  2⤵
  PID:7880
- C:\Windows\System32\jLvZehr.exe
  C:\Windows\System32\jLvZehr.exe
  2⤵
  PID:7904
- C:\Windows\System32\liMRFkU.exe
  C:\Windows\System32\liMRFkU.exe
  2⤵
  PID:7924
- C:\Windows\System32\MCIDzlb.exe
  C:\Windows\System32\MCIDzlb.exe
  2⤵
  PID:7944
- C:\Windows\System32\DMrEGji.exe
  C:\Windows\System32\DMrEGji.exe
  2⤵
  PID:7992
- C:\Windows\System32\vbXGHFz.exe
  C:\Windows\System32\vbXGHFz.exe
  2⤵
  PID:8016
- C:\Windows\System32\PvWaiSa.exe
  C:\Windows\System32\PvWaiSa.exe
  2⤵
  PID:8036
- C:\Windows\System32\OaKutVp.exe
  C:\Windows\System32\OaKutVp.exe
  2⤵
  PID:8052
- C:\Windows\System32\cueHzGr.exe
  C:\Windows\System32\cueHzGr.exe
  2⤵
  PID:8076
- C:\Windows\System32\CbjwTfP.exe
  C:\Windows\System32\CbjwTfP.exe
  2⤵
  PID:8128
- C:\Windows\System32\yFotiHB.exe
  C:\Windows\System32\yFotiHB.exe
  2⤵
  PID:7208
- C:\Windows\System32\fcdVlei.exe
  C:\Windows\System32\fcdVlei.exe
  2⤵
  PID:7192
- C:\Windows\System32\anqbyNP.exe
  C:\Windows\System32\anqbyNP.exe
  2⤵
  PID:7236
- C:\Windows\System32\IeWvQFC.exe
  C:\Windows\System32\IeWvQFC.exe
  2⤵
  PID:7260
- C:\Windows\System32\hkcOyiQ.exe
  C:\Windows\System32\hkcOyiQ.exe
  2⤵
  PID:7460
- C:\Windows\System32\PLckppp.exe
  C:\Windows\System32\PLckppp.exe
  2⤵
  PID:7520
- C:\Windows\System32\uIzVrhP.exe
  C:\Windows\System32\uIzVrhP.exe
  2⤵
  PID:7576
- C:\Windows\System32\BWBkXtP.exe
  C:\Windows\System32\BWBkXtP.exe
  2⤵
  PID:7404
- C:\Windows\System32\lHtmHqF.exe
  C:\Windows\System32\lHtmHqF.exe
  2⤵
  PID:7500
- C:\Windows\System32\fPMiimM.exe
  C:\Windows\System32\fPMiimM.exe
  2⤵
  PID:7696
- C:\Windows\System32\HNQVtpE.exe
  C:\Windows\System32\HNQVtpE.exe
  2⤵
  PID:7832
- C:\Windows\System32\lcArYGL.exe
  C:\Windows\System32\lcArYGL.exe
  2⤵
  PID:7836
- C:\Windows\System32\VLzSyWH.exe
  C:\Windows\System32\VLzSyWH.exe
  2⤵
  PID:8044
- C:\Windows\System32\utMWfPo.exe
  C:\Windows\System32\utMWfPo.exe
  2⤵
  PID:8084
- C:\Windows\System32\qXIWhTP.exe
  C:\Windows\System32\qXIWhTP.exe
  2⤵
  PID:8176
- C:\Windows\System32\veffESI.exe
  C:\Windows\System32\veffESI.exe
  2⤵
  PID:7304
- C:\Windows\System32\lOYDaAL.exe
  C:\Windows\System32\lOYDaAL.exe
  2⤵
  PID:7240
- C:\Windows\System32\UvxSXmy.exe
  C:\Windows\System32\UvxSXmy.exe
  2⤵
  PID:7428
- C:\Windows\System32\PnxjAjA.exe
  C:\Windows\System32\PnxjAjA.exe
  2⤵
  PID:7680
- C:\Windows\System32\bUiTPyY.exe
  C:\Windows\System32\bUiTPyY.exe
  2⤵
  PID:7776
- C:\Windows\System32\JbJNGAk.exe
  C:\Windows\System32\JbJNGAk.exe
  2⤵
  PID:7960
- C:\Windows\System32\KOgRCHZ.exe
  C:\Windows\System32\KOgRCHZ.exe
  2⤵
  PID:8064
- C:\Windows\System32\KMuIZNM.exe
  C:\Windows\System32\KMuIZNM.exe
  2⤵
  PID:7320
- C:\Windows\System32\jkKcMIs.exe
  C:\Windows\System32\jkKcMIs.exe
  2⤵
  PID:7792
- C:\Windows\System32\qZZstBF.exe
  C:\Windows\System32\qZZstBF.exe
  2⤵
  PID:7940
- C:\Windows\System32\WfWSWgk.exe
  C:\Windows\System32\WfWSWgk.exe
  2⤵
  PID:8228
- C:\Windows\System32\GMTIRDr.exe
  C:\Windows\System32\GMTIRDr.exe
  2⤵
  PID:8244
- C:\Windows\System32\QvBEZLt.exe
  C:\Windows\System32\QvBEZLt.exe
  2⤵
  PID:8268
- C:\Windows\System32\jvkyIkV.exe
  C:\Windows\System32\jvkyIkV.exe
  2⤵
  PID:8308
- C:\Windows\System32\AJgICXx.exe
  C:\Windows\System32\AJgICXx.exe
  2⤵
  PID:8328
- C:\Windows\System32\ItkEQXL.exe
  C:\Windows\System32\ItkEQXL.exe
  2⤵
  PID:8368
- C:\Windows\System32\tZATqzN.exe
  C:\Windows\System32\tZATqzN.exe
  2⤵
  PID:8384
- C:\Windows\System32\hTuVrsU.exe
  C:\Windows\System32\hTuVrsU.exe
  2⤵
  PID:8404
- C:\Windows\System32\rPXMJAD.exe
  C:\Windows\System32\rPXMJAD.exe
  2⤵
  PID:8428
- C:\Windows\System32\VNxgBVy.exe
  C:\Windows\System32\VNxgBVy.exe
  2⤵
  PID:8460
- C:\Windows\System32\IkooNVN.exe
  C:\Windows\System32\IkooNVN.exe
  2⤵
  PID:8480
- C:\Windows\System32\LdqhYPq.exe
  C:\Windows\System32\LdqhYPq.exe
  2⤵
  PID:8496
- C:\Windows\System32\ucUPHNt.exe
  C:\Windows\System32\ucUPHNt.exe
  2⤵
  PID:8520
- C:\Windows\System32\estWgfm.exe
  C:\Windows\System32\estWgfm.exe
  2⤵
  PID:8540
- C:\Windows\System32\ZkHTEUa.exe
  C:\Windows\System32\ZkHTEUa.exe
  2⤵
  PID:8564
- C:\Windows\System32\vCOgZfl.exe
  C:\Windows\System32\vCOgZfl.exe
  2⤵
  PID:8580
- C:\Windows\System32\DnZTVxq.exe
  C:\Windows\System32\DnZTVxq.exe
  2⤵
  PID:8656
- C:\Windows\System32\YncwXXF.exe
  C:\Windows\System32\YncwXXF.exe
  2⤵
  PID:8708
- C:\Windows\System32\HluNbXk.exe
  C:\Windows\System32\HluNbXk.exe
  2⤵
  PID:8736
- C:\Windows\System32\LLGlfHK.exe
  C:\Windows\System32\LLGlfHK.exe
  2⤵
  PID:8760
- C:\Windows\System32\tNcXiwG.exe
  C:\Windows\System32\tNcXiwG.exe
  2⤵
  PID:8800
- C:\Windows\System32\vXAExqR.exe
  C:\Windows\System32\vXAExqR.exe
  2⤵
  PID:8816
- C:\Windows\System32\ucTGEnN.exe
  C:\Windows\System32\ucTGEnN.exe
  2⤵
  PID:8836
- C:\Windows\System32\CAGMMSy.exe
  C:\Windows\System32\CAGMMSy.exe
  2⤵
  PID:8864
- C:\Windows\System32\XIPrgWy.exe
  C:\Windows\System32\XIPrgWy.exe
  2⤵
  PID:8884
- C:\Windows\System32\EoRSfvj.exe
  C:\Windows\System32\EoRSfvj.exe
  2⤵
  PID:8928
- C:\Windows\System32\TmaBSxF.exe
  C:\Windows\System32\TmaBSxF.exe
  2⤵
  PID:8944
- C:\Windows\System32\gswohfD.exe
  C:\Windows\System32\gswohfD.exe
  2⤵
  PID:8964
- C:\Windows\System32\AhtbQpZ.exe
  C:\Windows\System32\AhtbQpZ.exe
  2⤵
  PID:8988
- C:\Windows\System32\fTVPwlH.exe
  C:\Windows\System32\fTVPwlH.exe
  2⤵
  PID:9008
- C:\Windows\System32\wseTfXv.exe
  C:\Windows\System32\wseTfXv.exe
  2⤵
  PID:9028
- C:\Windows\System32\QQlSEGP.exe
  C:\Windows\System32\QQlSEGP.exe
  2⤵
  PID:9084
- C:\Windows\System32\uPjOXcm.exe
  C:\Windows\System32\uPjOXcm.exe
  2⤵
  PID:9132
- C:\Windows\System32\GJEzAbl.exe
  C:\Windows\System32\GJEzAbl.exe
  2⤵
  PID:7384
- C:\Windows\System32\misoFRb.exe
  C:\Windows\System32\misoFRb.exe
  2⤵
  PID:8208
- C:\Windows\System32\ySYzCUU.exe
  C:\Windows\System32\ySYzCUU.exe
  2⤵
  PID:8444
- C:\Windows\System32\NzBBnrb.exe
  C:\Windows\System32\NzBBnrb.exe
  2⤵
  PID:8504
- C:\Windows\System32\gocNJdH.exe
  C:\Windows\System32\gocNJdH.exe
  2⤵
  PID:8576
- C:\Windows\System32\TGAMWDQ.exe
  C:\Windows\System32\TGAMWDQ.exe
  2⤵
  PID:8616
- C:\Windows\System32\kbEWkFS.exe
  C:\Windows\System32\kbEWkFS.exe
  2⤵
  PID:8676
- C:\Windows\System32\mqajPPv.exe
  C:\Windows\System32\mqajPPv.exe
  2⤵
  PID:8728
- C:\Windows\System32\JUDWlFN.exe
  C:\Windows\System32\JUDWlFN.exe
  2⤵
  PID:8828
- C:\Windows\System32\AtlKcCm.exe
  C:\Windows\System32\AtlKcCm.exe
  2⤵
  PID:8936
- C:\Windows\System32\CytMNDo.exe
  C:\Windows\System32\CytMNDo.exe
  2⤵
  PID:8956
- C:\Windows\System32\kTQrnfz.exe
  C:\Windows\System32\kTQrnfz.exe
  2⤵
  PID:8976
- C:\Windows\System32\VGhgtTn.exe
  C:\Windows\System32\VGhgtTn.exe
  2⤵
  PID:9168
- C:\Windows\System32\urDoOjd.exe
  C:\Windows\System32\urDoOjd.exe
  2⤵
  PID:9100
- C:\Windows\System32\pzHmlvP.exe
  C:\Windows\System32\pzHmlvP.exe
  2⤵
  PID:9192
- C:\Windows\System32\ZvbUYhx.exe
  C:\Windows\System32\ZvbUYhx.exe
  2⤵
  PID:9172
- C:\Windows\System32\dCYsUrQ.exe
  C:\Windows\System32\dCYsUrQ.exe
  2⤵
  PID:8236
- C:\Windows\System32\bUKmMRN.exe
  C:\Windows\System32\bUKmMRN.exe
  2⤵
  PID:8364
- C:\Windows\System32\irqjSVM.exe
  C:\Windows\System32\irqjSVM.exe
  2⤵
  PID:8456
- C:\Windows\System32\RLaOLfr.exe
  C:\Windows\System32\RLaOLfr.exe
  2⤵
  PID:8608
- C:\Windows\System32\rTspIMs.exe
  C:\Windows\System32\rTspIMs.exe
  2⤵
  PID:8772
- C:\Windows\System32\eLNRjAu.exe
  C:\Windows\System32\eLNRjAu.exe
  2⤵
  PID:8880
- C:\Windows\System32\bivRfEa.exe
  C:\Windows\System32\bivRfEa.exe
  2⤵
  PID:9048
- C:\Windows\System32\srTFtUj.exe
  C:\Windows\System32\srTFtUj.exe
  2⤵
  PID:9120
- C:\Windows\System32\uttXxdY.exe
  C:\Windows\System32\uttXxdY.exe
  2⤵
  PID:9156
- C:\Windows\System32\VgTmlYa.exe
  C:\Windows\System32\VgTmlYa.exe
  2⤵
  PID:8324
- C:\Windows\System32\fhLWHaP.exe
  C:\Windows\System32\fhLWHaP.exe
  2⤵
  PID:8876
- C:\Windows\System32\DAhpyIW.exe
  C:\Windows\System32\DAhpyIW.exe
  2⤵
  PID:9092
- C:\Windows\System32\AlYZFCt.exe
  C:\Windows\System32\AlYZFCt.exe
  2⤵
  PID:8296
- C:\Windows\System32\VhGxCjy.exe
  C:\Windows\System32\VhGxCjy.exe
  2⤵
  PID:8812
- C:\Windows\System32\JeabnrY.exe
  C:\Windows\System32\JeabnrY.exe
  2⤵
  PID:9256
- C:\Windows\System32\ahXVZeG.exe
  C:\Windows\System32\ahXVZeG.exe
  2⤵
  PID:9296
- C:\Windows\System32\rAzxDHy.exe
  C:\Windows\System32\rAzxDHy.exe
  2⤵
  PID:9324
- C:\Windows\System32\EOoCRxg.exe
  C:\Windows\System32\EOoCRxg.exe
  2⤵
  PID:9352
- C:\Windows\System32\LnmdIrz.exe
  C:\Windows\System32\LnmdIrz.exe
  2⤵
  PID:9388
- C:\Windows\System32\ZeguiIx.exe
  C:\Windows\System32\ZeguiIx.exe
  2⤵
  PID:9424
- C:\Windows\System32\WBYmeFj.exe
  C:\Windows\System32\WBYmeFj.exe
  2⤵
  PID:9472
- C:\Windows\System32\QtvEHGy.exe
  C:\Windows\System32\QtvEHGy.exe
  2⤵
  PID:9500
- C:\Windows\System32\AGPOoIz.exe
  C:\Windows\System32\AGPOoIz.exe
  2⤵
  PID:9516
- C:\Windows\System32\uJxZkqW.exe
  C:\Windows\System32\uJxZkqW.exe
  2⤵
  PID:9560
- C:\Windows\System32\hbTneny.exe
  C:\Windows\System32\hbTneny.exe
  2⤵
  PID:9588
- C:\Windows\System32\nzWsual.exe
  C:\Windows\System32\nzWsual.exe
  2⤵
  PID:9612
- C:\Windows\System32\CAyvFXy.exe
  C:\Windows\System32\CAyvFXy.exe
  2⤵
  PID:9636
- C:\Windows\System32\uPcLQnE.exe
  C:\Windows\System32\uPcLQnE.exe
  2⤵
  PID:9660
- C:\Windows\System32\ZaMHLus.exe
  C:\Windows\System32\ZaMHLus.exe
  2⤵
  PID:9688
- C:\Windows\System32\dAlmAbF.exe
  C:\Windows\System32\dAlmAbF.exe
  2⤵
  PID:9708
- C:\Windows\System32\eurAXEb.exe
  C:\Windows\System32\eurAXEb.exe
  2⤵
  PID:9724
- C:\Windows\System32\olqJvzE.exe
  C:\Windows\System32\olqJvzE.exe
  2⤵
  PID:9752
- C:\Windows\System32\BjvpqEu.exe
  C:\Windows\System32\BjvpqEu.exe
  2⤵
  PID:9776
- C:\Windows\System32\mucvlDU.exe
  C:\Windows\System32\mucvlDU.exe
  2⤵
  PID:9792
- C:\Windows\System32\sPxYDII.exe
  C:\Windows\System32\sPxYDII.exe
  2⤵
  PID:9876
- C:\Windows\System32\NoIacCc.exe
  C:\Windows\System32\NoIacCc.exe
  2⤵
  PID:9892
- C:\Windows\System32\DZqrThd.exe
  C:\Windows\System32\DZqrThd.exe
  2⤵
  PID:9912
- C:\Windows\System32\TblUWwH.exe
  C:\Windows\System32\TblUWwH.exe
  2⤵
  PID:9952
- C:\Windows\System32\VRPuGcT.exe
  C:\Windows\System32\VRPuGcT.exe
  2⤵
  PID:9976
- C:\Windows\System32\HvGsipd.exe
  C:\Windows\System32\HvGsipd.exe
  2⤵
  PID:9996
- C:\Windows\System32\MEXRyPW.exe
  C:\Windows\System32\MEXRyPW.exe
  2⤵
  PID:10036
- C:\Windows\System32\QtXxUfz.exe
  C:\Windows\System32\QtXxUfz.exe
  2⤵
  PID:10064
- C:\Windows\System32\ooBBqjC.exe
  C:\Windows\System32\ooBBqjC.exe
  2⤵
  PID:10084
- C:\Windows\System32\IjShpSQ.exe
  C:\Windows\System32\IjShpSQ.exe
  2⤵
  PID:10100
- C:\Windows\System32\djviJoi.exe
  C:\Windows\System32\djviJoi.exe
  2⤵
  PID:10156
- C:\Windows\System32\amSKTQj.exe
  C:\Windows\System32\amSKTQj.exe
  2⤵
  PID:10176
- C:\Windows\System32\yslbfLa.exe
  C:\Windows\System32\yslbfLa.exe
  2⤵
  PID:10200
- C:\Windows\System32\gbXCgxQ.exe
  C:\Windows\System32\gbXCgxQ.exe
  2⤵
  PID:10228
- C:\Windows\System32\fTwRCbc.exe
  C:\Windows\System32\fTwRCbc.exe
  2⤵
  PID:9228
- C:\Windows\System32\bWlxHxE.exe
  C:\Windows\System32\bWlxHxE.exe
  2⤵
  PID:9288
- C:\Windows\System32\eZKFIQw.exe
  C:\Windows\System32\eZKFIQw.exe
  2⤵
  PID:9348
- C:\Windows\System32\zWSfKBZ.exe
  C:\Windows\System32\zWSfKBZ.exe
  2⤵
  PID:9408
- C:\Windows\System32\ISCbZRW.exe
  C:\Windows\System32\ISCbZRW.exe
  2⤵
  PID:9512
- C:\Windows\System32\IQaqekp.exe
  C:\Windows\System32\IQaqekp.exe
  2⤵
  PID:9532
- C:\Windows\System32\tLLfaLr.exe
  C:\Windows\System32\tLLfaLr.exe
  2⤵
  PID:9604
- C:\Windows\System32\lQdWLaX.exe
  C:\Windows\System32\lQdWLaX.exe
  2⤵
  PID:9744
- C:\Windows\System32\uvnbgKg.exe
  C:\Windows\System32\uvnbgKg.exe
  2⤵
  PID:9732
- C:\Windows\System32\mezzFET.exe
  C:\Windows\System32\mezzFET.exe
  2⤵
  PID:9860
- C:\Windows\System32\QgkuaVc.exe
  C:\Windows\System32\QgkuaVc.exe
  2⤵
  PID:9888
- C:\Windows\System32\LZvkUhv.exe
  C:\Windows\System32\LZvkUhv.exe
  2⤵
  PID:9964
- C:\Windows\System32\HzZMyjG.exe
  C:\Windows\System32\HzZMyjG.exe
  2⤵
  PID:10016
- C:\Windows\System32\PUayjWC.exe
  C:\Windows\System32\PUayjWC.exe
  2⤵
  PID:10080
- C:\Windows\System32\nBEgbjq.exe
  C:\Windows\System32\nBEgbjq.exe
  2⤵
  PID:10128
- C:\Windows\System32\znvzRze.exe
  C:\Windows\System32\znvzRze.exe
  2⤵
  PID:10188
- C:\Windows\System32\spaCjUd.exe
  C:\Windows\System32\spaCjUd.exe
  2⤵
  PID:9280
- C:\Windows\System32\wReIgWl.exe
  C:\Windows\System32\wReIgWl.exe
  2⤵
  PID:9364
- C:\Windows\System32\CrWBfqk.exe
  C:\Windows\System32\CrWBfqk.exe
  2⤵
  PID:9556
- C:\Windows\System32\aTnsIns.exe
  C:\Windows\System32\aTnsIns.exe
  2⤵
  PID:9740
- C:\Windows\System32\ByooZnX.exe
  C:\Windows\System32\ByooZnX.exe
  2⤵
  PID:9984
- C:\Windows\System32\WHhLIQI.exe
  C:\Windows\System32\WHhLIQI.exe
  2⤵
  PID:10096
- C:\Windows\System32\TguWTsa.exe
  C:\Windows\System32\TguWTsa.exe
  2⤵
  PID:9320
- C:\Windows\System32\ohjsURv.exe
  C:\Windows\System32\ohjsURv.exe
  2⤵
  PID:9652
- C:\Windows\System32\mdBpODW.exe
  C:\Windows\System32\mdBpODW.exe
  2⤵
  PID:9808
- C:\Windows\System32\ZZELqqw.exe
  C:\Windows\System32\ZZELqqw.exe
  2⤵
  PID:7420
- C:\Windows\System32\cTirqRa.exe
  C:\Windows\System32\cTirqRa.exe
  2⤵
  PID:8240
- C:\Windows\System32\nBVTrMN.exe
  C:\Windows\System32\nBVTrMN.exe
  2⤵
  PID:10264
- C:\Windows\System32\OFSTXSa.exe
  C:\Windows\System32\OFSTXSa.exe
  2⤵
  PID:10280
- C:\Windows\System32\vjSSOcz.exe
  C:\Windows\System32\vjSSOcz.exe
  2⤵
  PID:10304
- C:\Windows\System32\StWNSQA.exe
  C:\Windows\System32\StWNSQA.exe
  2⤵
  PID:10324
- C:\Windows\System32\mrRdeiM.exe
  C:\Windows\System32\mrRdeiM.exe
  2⤵
  PID:10356
- C:\Windows\System32\YuuIQzz.exe
  C:\Windows\System32\YuuIQzz.exe
  2⤵
  PID:10388
- C:\Windows\System32\CfiKxDo.exe
  C:\Windows\System32\CfiKxDo.exe
  2⤵
  PID:10424
- C:\Windows\System32\ShNVjXd.exe
  C:\Windows\System32\ShNVjXd.exe
  2⤵
  PID:10448
- C:\Windows\System32\rVjcrve.exe
  C:\Windows\System32\rVjcrve.exe
  2⤵
  PID:10488
- C:\Windows\System32\UMtdtEl.exe
  C:\Windows\System32\UMtdtEl.exe
  2⤵
  PID:10516
- C:\Windows\System32\fZDCHuK.exe
  C:\Windows\System32\fZDCHuK.exe
  2⤵
  PID:10532
- C:\Windows\System32\CzEBQsD.exe
  C:\Windows\System32\CzEBQsD.exe
  2⤵
  PID:10568
- C:\Windows\System32\VLYyJCD.exe
  C:\Windows\System32\VLYyJCD.exe
  2⤵
  PID:10592
- C:\Windows\System32\XORLfJo.exe
  C:\Windows\System32\XORLfJo.exe
  2⤵
  PID:10612
- C:\Windows\System32\smnfufH.exe
  C:\Windows\System32\smnfufH.exe
  2⤵
  PID:10636
- C:\Windows\System32\iAnJtJZ.exe
  C:\Windows\System32\iAnJtJZ.exe
  2⤵
  PID:10664
- C:\Windows\System32\wkGNysY.exe
  C:\Windows\System32\wkGNysY.exe
  2⤵
  PID:10688
- C:\Windows\System32\IbwRBbE.exe
  C:\Windows\System32\IbwRBbE.exe
  2⤵
  PID:10732
- C:\Windows\System32\OplSSAU.exe
  C:\Windows\System32\OplSSAU.exe
  2⤵
  PID:10752
- C:\Windows\System32\AXgLZsG.exe
  C:\Windows\System32\AXgLZsG.exe
  2⤵
  PID:10784
- C:\Windows\System32\wPhgmDM.exe
  C:\Windows\System32\wPhgmDM.exe
  2⤵
  PID:10808
- C:\Windows\System32\fRFHtlb.exe
  C:\Windows\System32\fRFHtlb.exe
  2⤵
  PID:10844
- C:\Windows\System32\AwKwEiq.exe
  C:\Windows\System32\AwKwEiq.exe
  2⤵
  PID:10880
- C:\Windows\System32\czyJmBC.exe
  C:\Windows\System32\czyJmBC.exe
  2⤵
  PID:10896
- C:\Windows\System32\vcXAvIM.exe
  C:\Windows\System32\vcXAvIM.exe
  2⤵
  PID:10920
- C:\Windows\System32\DjdLzro.exe
  C:\Windows\System32\DjdLzro.exe
  2⤵
  PID:10940
- C:\Windows\System32\xlbXGOA.exe
  C:\Windows\System32\xlbXGOA.exe
  2⤵
  PID:10992
- C:\Windows\System32\aroGhdq.exe
  C:\Windows\System32\aroGhdq.exe
  2⤵
  PID:11008
- C:\Windows\System32\fyGlDGG.exe
  C:\Windows\System32\fyGlDGG.exe
  2⤵
  PID:11028
- C:\Windows\System32\FoIPpHl.exe
  C:\Windows\System32\FoIPpHl.exe
  2⤵
  PID:11056
- C:\Windows\System32\sBLbpxy.exe
  C:\Windows\System32\sBLbpxy.exe
  2⤵
  PID:11096
- C:\Windows\System32\jgaPcdI.exe
  C:\Windows\System32\jgaPcdI.exe
  2⤵
  PID:11136
- C:\Windows\System32\LCxYlDX.exe
  C:\Windows\System32\LCxYlDX.exe
  2⤵
  PID:11160
- C:\Windows\System32\CneiUoN.exe
  C:\Windows\System32\CneiUoN.exe
  2⤵
  PID:11176
- C:\Windows\System32\grDqwiy.exe
  C:\Windows\System32\grDqwiy.exe
  2⤵
  PID:11224
- C:\Windows\System32\qtJxWsf.exe
  C:\Windows\System32\qtJxWsf.exe
  2⤵
  PID:11240
- C:\Windows\System32\HfnmUvh.exe
  C:\Windows\System32\HfnmUvh.exe
  2⤵
  PID:11260
- C:\Windows\System32\GrTFbmh.exe
  C:\Windows\System32\GrTFbmh.exe
  2⤵
  PID:10296
- C:\Windows\System32\aPUUeQi.exe
  C:\Windows\System32\aPUUeQi.exe
  2⤵
  PID:10352
- C:\Windows\System32\hEmzgRs.exe
  C:\Windows\System32\hEmzgRs.exe
  2⤵
  PID:10432
- C:\Windows\System32\CFHcRbt.exe
  C:\Windows\System32\CFHcRbt.exe
  2⤵
  PID:10496
- C:\Windows\System32\kIyWcDQ.exe
  C:\Windows\System32\kIyWcDQ.exe
  2⤵
  PID:10588
- C:\Windows\System32\iKVsZjh.exe
  C:\Windows\System32\iKVsZjh.exe
  2⤵
  PID:10672
- C:\Windows\System32\rJZSdFu.exe
  C:\Windows\System32\rJZSdFu.exe
  2⤵
  PID:10696
- C:\Windows\System32\kiAJJan.exe
  C:\Windows\System32\kiAJJan.exe
  2⤵
  PID:10804
- C:\Windows\System32\tnynzhZ.exe
  C:\Windows\System32\tnynzhZ.exe
  2⤵
  PID:10840
- C:\Windows\System32\SMIbtMS.exe
  C:\Windows\System32\SMIbtMS.exe
  2⤵
  PID:10892
- C:\Windows\System32\ttXxBGX.exe
  C:\Windows\System32\ttXxBGX.exe
  2⤵
  PID:10980
- C:\Windows\System32\ccFvKGr.exe
  C:\Windows\System32\ccFvKGr.exe
  2⤵
  PID:11044
- C:\Windows\System32\uwFQgds.exe
  C:\Windows\System32\uwFQgds.exe
  2⤵
  PID:11068
- C:\Windows\System32\foqvesL.exe
  C:\Windows\System32\foqvesL.exe
  2⤵
  PID:11168
- C:\Windows\System32\IxIMhzy.exe
  C:\Windows\System32\IxIMhzy.exe
  2⤵
  PID:11252
- C:\Windows\System32\VnIizZq.exe
  C:\Windows\System32\VnIizZq.exe
  2⤵
  PID:10336
- C:\Windows\System32\GekeuIf.exe
  C:\Windows\System32\GekeuIf.exe
  2⤵
  PID:10420
- C:\Windows\System32\KcNkNEp.exe
  C:\Windows\System32\KcNkNEp.exe
  2⤵
  PID:10528
- C:\Windows\System32\DvCErBn.exe
  C:\Windows\System32\DvCErBn.exe
  2⤵
  PID:10720
- C:\Windows\System32\dUYhZDC.exe
  C:\Windows\System32\dUYhZDC.exe
  2⤵
  PID:10828
- C:\Windows\System32\nuywgze.exe
  C:\Windows\System32\nuywgze.exe
  2⤵
  PID:11040
- C:\Windows\System32\JrryDJN.exe
  C:\Windows\System32\JrryDJN.exe
  2⤵
  PID:11144
- C:\Windows\System32\ZvEuckb.exe
  C:\Windows\System32\ZvEuckb.exe
  2⤵
  PID:10256
- C:\Windows\System32\ogIbCya.exe
  C:\Windows\System32\ogIbCya.exe
  2⤵
  PID:10760
- C:\Windows\System32\JaIuvds.exe
  C:\Windows\System32\JaIuvds.exe
  2⤵
  PID:11152
- C:\Windows\System32\MwDSEcY.exe
  C:\Windows\System32\MwDSEcY.exe
  2⤵
  PID:10468
- C:\Windows\System32\VstBEZP.exe
  C:\Windows\System32\VstBEZP.exe
  2⤵
  PID:10244
- C:\Windows\System32\QeIosZl.exe
  C:\Windows\System32\QeIosZl.exe
  2⤵
  PID:11280
- C:\Windows\System32\nxaxPDC.exe
  C:\Windows\System32\nxaxPDC.exe
  2⤵
  PID:11320
- C:\Windows\System32\ZckoBDv.exe
  C:\Windows\System32\ZckoBDv.exe
  2⤵
  PID:11344
- C:\Windows\System32\tNxdtlW.exe
  C:\Windows\System32\tNxdtlW.exe
  2⤵
  PID:11380
- C:\Windows\System32\ONdhlzN.exe
  C:\Windows\System32\ONdhlzN.exe
  2⤵
  PID:11396
- C:\Windows\System32\GxJyDiQ.exe
  C:\Windows\System32\GxJyDiQ.exe
  2⤵
  PID:11428
- C:\Windows\System32\WibBJkE.exe
  C:\Windows\System32\WibBJkE.exe
  2⤵
  PID:11456
- C:\Windows\System32\qkliNZP.exe
  C:\Windows\System32\qkliNZP.exe
  2⤵
  PID:11484
- C:\Windows\System32\ImmrMHw.exe
  C:\Windows\System32\ImmrMHw.exe
  2⤵
  PID:11508
- C:\Windows\System32\mYPwDYn.exe
  C:\Windows\System32\mYPwDYn.exe
  2⤵
  PID:11548
- C:\Windows\System32\XpVUQLi.exe
  C:\Windows\System32\XpVUQLi.exe
  2⤵
  PID:11576
- C:\Windows\System32\OmUAZsM.exe
  C:\Windows\System32\OmUAZsM.exe
  2⤵
  PID:11592
- C:\Windows\System32\sAVwMTo.exe
  C:\Windows\System32\sAVwMTo.exe
  2⤵
  PID:11612
- C:\Windows\System32\bzCjEvT.exe
  C:\Windows\System32\bzCjEvT.exe
  2⤵
  PID:11636
- C:\Windows\System32\HgEEPnL.exe
  C:\Windows\System32\HgEEPnL.exe
  2⤵
  PID:11696
- C:\Windows\System32\NzNowAo.exe
  C:\Windows\System32\NzNowAo.exe
  2⤵
  PID:11740
- C:\Windows\System32\kycWcdp.exe
  C:\Windows\System32\kycWcdp.exe
  2⤵
  PID:11780
- C:\Windows\System32\fMJgcWM.exe
  C:\Windows\System32\fMJgcWM.exe
  2⤵
  PID:11812
- C:\Windows\System32\DJiCCKC.exe
  C:\Windows\System32\DJiCCKC.exe
  2⤵
  PID:11848
- C:\Windows\System32\MZkRXrz.exe
  C:\Windows\System32\MZkRXrz.exe
  2⤵
  PID:11864
- C:\Windows\System32\whAsMhU.exe
  C:\Windows\System32\whAsMhU.exe
  2⤵
  PID:11900
- C:\Windows\System32\AkXFUlG.exe
  C:\Windows\System32\AkXFUlG.exe
  2⤵
  PID:11928
- C:\Windows\System32\LkTXmaN.exe
  C:\Windows\System32\LkTXmaN.exe
  2⤵
  PID:11972
- C:\Windows\System32\BynCGVj.exe
  C:\Windows\System32\BynCGVj.exe
  2⤵
  PID:11992
- C:\Windows\System32\XGtUaFY.exe
  C:\Windows\System32\XGtUaFY.exe
  2⤵
  PID:12024
- C:\Windows\System32\HAysNKS.exe
  C:\Windows\System32\HAysNKS.exe
  2⤵
  PID:12052
- C:\Windows\System32\TifSwCN.exe
  C:\Windows\System32\TifSwCN.exe
  2⤵
  PID:12072
- C:\Windows\System32\eLTZsTh.exe
  C:\Windows\System32\eLTZsTh.exe
  2⤵
  PID:12100
- C:\Windows\System32\nsILdpr.exe
  C:\Windows\System32\nsILdpr.exe
  2⤵
  PID:12116
- C:\Windows\System32\hnFfUmG.exe
  C:\Windows\System32\hnFfUmG.exe
  2⤵
  PID:12164
- C:\Windows\System32\FnCEzCL.exe
  C:\Windows\System32\FnCEzCL.exe
  2⤵
  PID:12184
- C:\Windows\System32\LnMlZVF.exe
  C:\Windows\System32\LnMlZVF.exe
  2⤵
  PID:12208
- C:\Windows\System32\DuAraHj.exe
  C:\Windows\System32\DuAraHj.exe
  2⤵
  PID:12240
- C:\Windows\System32\EPOfxTq.exe
  C:\Windows\System32\EPOfxTq.exe
  2⤵
  PID:12272
- C:\Windows\System32\OUFqARs.exe
  C:\Windows\System32\OUFqARs.exe
  2⤵
  PID:11272
- C:\Windows\System32\FAInxlV.exe
  C:\Windows\System32\FAInxlV.exe
  2⤵
  PID:11340
- C:\Windows\System32\JylzfvS.exe
  C:\Windows\System32\JylzfvS.exe
  2⤵
  PID:11392
- C:\Windows\System32\rllEuOX.exe
  C:\Windows\System32\rllEuOX.exe
  2⤵
  PID:11528
- C:\Windows\System32\HKDfojd.exe
  C:\Windows\System32\HKDfojd.exe
  2⤵
  PID:11564
- C:\Windows\System32\diLqaQm.exe
  C:\Windows\System32\diLqaQm.exe
  2⤵
  PID:11632
- C:\Windows\System32\knXnocy.exe
  C:\Windows\System32\knXnocy.exe
  2⤵
  PID:11676
- C:\Windows\System32\EQSONrp.exe
  C:\Windows\System32\EQSONrp.exe
  2⤵
  PID:11764
- C:\Windows\System32\LntWtTk.exe
  C:\Windows\System32\LntWtTk.exe
  2⤵
  PID:11832
- C:\Windows\System32\ooXrEKm.exe
  C:\Windows\System32\ooXrEKm.exe
  2⤵
  PID:11948
- C:\Windows\System32\HvxdBUl.exe
  C:\Windows\System32\HvxdBUl.exe
  2⤵
  PID:11984
- C:\Windows\System32\vEEWqhK.exe
  C:\Windows\System32\vEEWqhK.exe
  2⤵
  PID:12036
- C:\Windows\System32\cdwaSQC.exe
  C:\Windows\System32\cdwaSQC.exe
  2⤵
  PID:12096
- C:\Windows\System32\fGAoqAM.exe
  C:\Windows\System32\fGAoqAM.exe
  2⤵
  PID:12136
- C:\Windows\System32\vpvOUjF.exe
  C:\Windows\System32\vpvOUjF.exe
  2⤵
  PID:12216
- C:\Windows\System32\tdLRNZV.exe
  C:\Windows\System32\tdLRNZV.exe
  2⤵
  PID:10540
- C:\Windows\System32\kfICfjf.exe
  C:\Windows\System32\kfICfjf.exe
  2⤵
  PID:11364
- C:\Windows\System32\XKUPTSn.exe
  C:\Windows\System32\XKUPTSn.exe
  2⤵
  PID:11444
- C:\Windows\System32\wfyuQON.exe
  C:\Windows\System32\wfyuQON.exe
  2⤵
  PID:11532
- C:\Windows\System32\qIVBVcy.exe
  C:\Windows\System32\qIVBVcy.exe
  2⤵
  PID:12000
- C:\Windows\System32\HRoWxND.exe
  C:\Windows\System32\HRoWxND.exe
  2⤵
  PID:12088
- C:\Windows\System32\bmJDRJu.exe
  C:\Windows\System32\bmJDRJu.exe
  2⤵
  PID:12172
- C:\Windows\System32\ufDFauZ.exe
  C:\Windows\System32\ufDFauZ.exe
  2⤵
  PID:11424
- C:\Windows\System32\WhFhFxo.exe
  C:\Windows\System32\WhFhFxo.exe
  2⤵
  PID:11656
- C:\Windows\System32\hCduMwY.exe
  C:\Windows\System32\hCduMwY.exe
  2⤵
  PID:12152
- C:\Windows\System32\tkBUlvl.exe
  C:\Windows\System32\tkBUlvl.exe
  2⤵
  PID:3620
- C:\Windows\System32\wOCAReV.exe
  C:\Windows\System32\wOCAReV.exe
  2⤵
  PID:12068
- C:\Windows\System32\WduFtGU.exe
  C:\Windows\System32\WduFtGU.exe
  2⤵
  PID:12228
- C:\Windows\System32\ZVaoGtF.exe
  C:\Windows\System32\ZVaoGtF.exe
  2⤵
  PID:11708
- C:\Windows\System32\PlCUEQY.exe
  C:\Windows\System32\PlCUEQY.exe
  2⤵
  PID:12328
- C:\Windows\System32\wOWItIe.exe
  C:\Windows\System32\wOWItIe.exe
  2⤵
  PID:12380
- C:\Windows\System32\dtjcJuN.exe
  C:\Windows\System32\dtjcJuN.exe
  2⤵
  PID:12408
- C:\Windows\System32\TQqTyIT.exe
  C:\Windows\System32\TQqTyIT.exe
  2⤵
  PID:12428
- C:\Windows\System32\iWcYQtM.exe
  C:\Windows\System32\iWcYQtM.exe
  2⤵
  PID:12452
- C:\Windows\System32\fWpKmKk.exe
  C:\Windows\System32\fWpKmKk.exe
  2⤵
  PID:12488
- C:\Windows\System32\qhjmdFK.exe
  C:\Windows\System32\qhjmdFK.exe
  2⤵
  PID:12520
- C:\Windows\System32\ouUCWJW.exe
  C:\Windows\System32\ouUCWJW.exe
  2⤵
  PID:12536
- C:\Windows\System32\yOjzklD.exe
  C:\Windows\System32\yOjzklD.exe
  2⤵
  PID:12568
- C:\Windows\System32\OsrCBCc.exe
  C:\Windows\System32\OsrCBCc.exe
  2⤵
  PID:12588
- C:\Windows\System32\YCiMOzT.exe
  C:\Windows\System32\YCiMOzT.exe
  2⤵
  PID:12604
- C:\Windows\System32\vQfrAjw.exe
  C:\Windows\System32\vQfrAjw.exe
  2⤵
  PID:12664
- C:\Windows\System32\XKuZmjL.exe
  C:\Windows\System32\XKuZmjL.exe
  2⤵
  PID:12684
- C:\Windows\System32\LqaipyM.exe
  C:\Windows\System32\LqaipyM.exe
  2⤵
  PID:12704
- C:\Windows\System32\diuRuIb.exe
  C:\Windows\System32\diuRuIb.exe
  2⤵
  PID:12736
- C:\Windows\System32\AvjwsnP.exe
  C:\Windows\System32\AvjwsnP.exe
  2⤵
  PID:12764
- C:\Windows\System32\FmgkMFp.exe
  C:\Windows\System32\FmgkMFp.exe
  2⤵
  PID:12788
- C:\Windows\System32\SSJmuOD.exe
  C:\Windows\System32\SSJmuOD.exe
  2⤵
  PID:12828
- C:\Windows\System32\ysPvqur.exe
  C:\Windows\System32\ysPvqur.exe
  2⤵
  PID:12852
- C:\Windows\System32\AMITQeg.exe
  C:\Windows\System32\AMITQeg.exe
  2⤵
  PID:12880
- C:\Windows\System32\FhHGxvx.exe
  C:\Windows\System32\FhHGxvx.exe
  2⤵
  PID:12900
- C:\Windows\System32\sCVwrMi.exe
  C:\Windows\System32\sCVwrMi.exe
  2⤵
  PID:12916
- C:\Windows\System32\LZTZUpR.exe
  C:\Windows\System32\LZTZUpR.exe
  2⤵
  PID:12944
- C:\Windows\System32\VhwxNgR.exe
  C:\Windows\System32\VhwxNgR.exe
  2⤵
  PID:13004
- C:\Windows\System32\edCPNaj.exe
  C:\Windows\System32\edCPNaj.exe
  2⤵
  PID:13024
- C:\Windows\System32\dmuQCOG.exe
  C:\Windows\System32\dmuQCOG.exe
  2⤵
  PID:13052
- C:\Windows\System32\zULlWTX.exe
  C:\Windows\System32\zULlWTX.exe
  2⤵
  PID:13076
- C:\Windows\System32\czMCEAQ.exe
  C:\Windows\System32\czMCEAQ.exe
  2⤵
  PID:13096
- C:\Windows\System32\LNCznMy.exe
  C:\Windows\System32\LNCznMy.exe
  2⤵
  PID:13116
- C:\Windows\System32\LOruiNL.exe
  C:\Windows\System32\LOruiNL.exe
  2⤵
  PID:13144
- C:\Windows\System32\jbYRwNJ.exe
  C:\Windows\System32\jbYRwNJ.exe
  2⤵
  PID:13168
- C:\Windows\System32\ZOgjtfk.exe
  C:\Windows\System32\ZOgjtfk.exe
  2⤵
  PID:13208
- C:\Windows\System32\atAQEit.exe
  C:\Windows\System32\atAQEit.exe
  2⤵
  PID:13236
- C:\Windows\System32\GRywXGh.exe
  C:\Windows\System32\GRywXGh.exe
  2⤵
  PID:13264
- C:\Windows\System32\GaMhMeT.exe
  C:\Windows\System32\GaMhMeT.exe
  2⤵
  PID:13288
- C:\Windows\System32\QoEvGaN.exe
  C:\Windows\System32\QoEvGaN.exe
  2⤵
  PID:12312
- C:\Windows\System32\xwtzgVQ.exe
  C:\Windows\System32\xwtzgVQ.exe
  2⤵
  PID:12356
- C:\Windows\System32\PNIwDBh.exe
  C:\Windows\System32\PNIwDBh.exe
  2⤵
  PID:12436
- C:\Windows\System32\qVuyQIS.exe
  C:\Windows\System32\qVuyQIS.exe
  2⤵
  PID:12516
- C:\Windows\System32\GnBXrGe.exe
  C:\Windows\System32\GnBXrGe.exe
  2⤵
  PID:12580
- C:\Windows\System32\BgdSGUs.exe
  C:\Windows\System32\BgdSGUs.exe
  2⤵
  PID:12644
- C:\Windows\System32\cWKhkBv.exe
  C:\Windows\System32\cWKhkBv.exe
  2⤵
  PID:12692
- C:\Windows\System32\pxAakEF.exe
  C:\Windows\System32\pxAakEF.exe
  2⤵
  PID:12760
- C:\Windows\System32\dYWZIFa.exe
  C:\Windows\System32\dYWZIFa.exe
  2⤵
  PID:12800
- C:\Windows\System32\vqLsTDX.exe
  C:\Windows\System32\vqLsTDX.exe
  2⤵
  PID:12840
- C:\Windows\System32\SQLuHUS.exe
  C:\Windows\System32\SQLuHUS.exe
  2⤵
  PID:12952
- C:\Windows\System32\iwqHaQo.exe
  C:\Windows\System32\iwqHaQo.exe
  2⤵
  PID:13048
- C:\Windows\System32\wujjDEO.exe
  C:\Windows\System32\wujjDEO.exe
  2⤵
  PID:13084
- C:\Windows\System32\oLaItDZ.exe
  C:\Windows\System32\oLaItDZ.exe
  2⤵
  PID:13104
- C:\Windows\System32\IcvOqHI.exe
  C:\Windows\System32\IcvOqHI.exe
  2⤵
  PID:13156
- C:\Windows\System32\IVBLYqJ.exe
  C:\Windows\System32\IVBLYqJ.exe
  2⤵
  PID:13224
- C:\Windows\System32\tXCJevN.exe
  C:\Windows\System32\tXCJevN.exe
  2⤵
  PID:13260
- C:\Windows\System32\spWFpNB.exe
  C:\Windows\System32\spWFpNB.exe
  2⤵
  PID:12396
- C:\Windows\System32\iqVjvAX.exe
  C:\Windows\System32\iqVjvAX.exe
  2⤵
  PID:12528
- C:\Windows\System32\fQhiIMT.exe
  C:\Windows\System32\fQhiIMT.exe
  2⤵
  PID:12860
- C:\Windows\System32\pbyAOxJ.exe
  C:\Windows\System32\pbyAOxJ.exe
  2⤵
  PID:12968
- C:\Windows\System32\QpsHAPr.exe
  C:\Windows\System32\QpsHAPr.exe
  2⤵
  PID:13140
- C:\Windows\System32\JIuQIRN.exe
  C:\Windows\System32\JIuQIRN.exe
  2⤵
  PID:13228
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 13228 -s 244
    3⤵
    PID:13440
- C:\Windows\System32\sTFGkkV.exe
  C:\Windows\System32\sTFGkkV.exe
  2⤵
  PID:12304
- C:\Windows\System32\JFsqQJn.exe
  C:\Windows\System32\JFsqQJn.exe
  2⤵
  PID:12700
- C:\Windows\System32\PqhVyhE.exe
  C:\Windows\System32\PqhVyhE.exe
  2⤵
  PID:12932

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AdmrxMR.exe

Filesize
1.2MB

MD5
f51fe6a09b236b7b069afc000c2a139d

SHA1
a7bcaa4c121bcdeabfc98372825ab5f4ef8c445d

SHA256
c9685cdaceb0ad871f9965372ec46e5b54889df05a4b0840688f1e270b301e48

SHA512
9e7d56387302030c5ee25e4c63902defa1eb866b5df6cdd3868ed5f5b86c28aa0000d1119f283c944ec010db5fed79415e07ffe8e22f4b04ecfa7a6c51cd49e7

Download Submit
C:\Windows\System32\AfbBaKX.exe

Filesize
1.2MB

MD5
da245d5886dc13b19767c792c1ee1b56

SHA1
d3c9f49adefbf4774a3cb8e614505a3c20298816

SHA256
6fe6f9d0f6ff7d5cca98bb5d2a1afc917f0b5881e2983e64f979ca9fc4623e20

SHA512
a1055b90d982c370ef3864fef3eba467038937a1483dc8a4c06fe511c7efd96701dee5e0bc53b1b57507290846b785db2430c067f4c7b5e91d3a568cb8307fe9

Download Submit
C:\Windows\System32\BmLaSUm.exe

Filesize
1.2MB

MD5
44cb0c3101a856d9b7ddb0bd2b1717c2

SHA1
dcbf44c9437a98d9821f7274a280046be43c8d83

SHA256
17588a1b1de8168df3e1abfbd2b8b5d373a6cb5aba9f7e74e148f28028f25f6f

SHA512
77bf95a49ff96a73a712bc81bcba4906b127e96d0aa0d94f6daad1e88a7a650e0f332c732b955ede8c597ee7e541365e64c91f243db7a33ff6f4534e6a48679d

Download Submit
C:\Windows\System32\CzwhhgL.exe

Filesize
1.2MB

MD5
908f24033e4d20d1d79a798aa6662188

SHA1
5224d25864da8f4e87f0a125852b71f4e69b4a0f

SHA256
38b16b79fd107d365013ac927ab04aaeaa79156f68cfd0164128efa0fc58aacd

SHA512
1e167415bbfcca46001cae14cefb3ce456672224fb205edd787c5a70a1e66141ce3decd148aca9c9dbf142ad17ed08c42363be1b3255ff023c166993aab0b12b

Download Submit
C:\Windows\System32\DAOxOHx.exe

Filesize
1.2MB

MD5
2a4119d6171b8e25301745a0cd5f2257

SHA1
d8183e56852b9f5fee68c8eb235106473c22d554

SHA256
3210498892587f317a20260c841e02cfdf15f2b5ec4ff61b41dc00684ce85602

SHA512
c85dc19c4db368323fdfc8e2119e235efbd2a986761f40376a1ba62c3e5c9b0fcf2878ab1a9a6ec8b726683e6fd818b9be23e6b06b5eaa5aa997c0b98555bb28

Download Submit
C:\Windows\System32\EnEYszI.exe

Filesize
1.2MB

MD5
060741322e341e63084f0490df9c6764

SHA1
fd7cdb908c91a7b8e8a4947890028713ff5e1abf

SHA256
b906065b1354941b1dca7a31a8eb9a6b2965dd30e9d637f63a10d79b423d5498

SHA512
d8fe361ff45dc15ca319d5a62c5f061c73880408af52e2409b6520cfcd7359beac2acaec8059117795b4a3a1d8e7db9460cffc6aaa9db42723a7522f920e47a8

Download Submit
C:\Windows\System32\GsonZHq.exe

Filesize
1.2MB

MD5
043601c5b637a1f8b6779af938d5c60a

SHA1
e0490189c4e688915e6f2b9fd18e3d57adf77cb7

SHA256
7acaa4d2774dfdb737e687cc00b419be1b0a2e30ea93486a01a59cda4c08e3d9

SHA512
603bb77987faffae6fa4e0d4c0eccb54451311cee8681e124b98d003d4652102918bce375ccccfd683bd531e6ac39cf2e8dff70712b7d439a95cee8305a53273

Download Submit
C:\Windows\System32\IVcIekE.exe

Filesize
1.2MB

MD5
524ce968c2064580f136f3ed15628f29

SHA1
e4faeb2b7ad9b3805f5d7001ffc696b06336d881

SHA256
c49230a6defe8c11e7dbc0fea4fa73876e7ea28ee087b17765e2563f9e37bcab

SHA512
6b27d98bbd0ce2a2bdf57b6af61c5204760d91ed1cffbf2f92e56d947b2d9df32f17c50a1b2a9486a3d7f9d8920ecc55c8b8e1e245125c69e85a32cd11fe598e

Download Submit
C:\Windows\System32\NFunvjz.exe

Filesize
1.2MB

MD5
a82d822a4193d9be9f9b73e765655b5e

SHA1
cd376cbb5b2295f4ec6e919076c7e71ada5605d2

SHA256
1c58a118376b3b4674a5720fb4eacc14b34fe75dbefe25a8173bcaa2508d2fc8

SHA512
a4a1b76687790eaa6769e99e0dec12da85fdd4a82d383a638b12b89bbe2b0eac0f152bb44ebb93d74f0c13c5548c9cebf8132b7413012f4f4413b19ef43bfcef

Download Submit
C:\Windows\System32\NazXTsH.exe

Filesize
1.2MB

MD5
444355e5a0f1f8b78d28d7c3d329d8f3

SHA1
ac63aec82c1185ea1093a0e114b850cd0801b775

SHA256
02cc11c37b808a9701494bcf630d444f71eff7e3ad6b4c88d85165d88394900e

SHA512
6199f1b5b5200fa5082a897b7f02c6e067f9024635199bc6aa6297489afc7b822062e4b025c072a7e5f65c3b34320706666dc0a39e1ea99361f9377648ebddfa

Download Submit
C:\Windows\System32\PYJcbtQ.exe

Filesize
1.2MB

MD5
c7235728a1696ee258bf7aed0856da15

SHA1
f6b7b3c6510c4f29b7b6897e2a6d2a5109ef75d0

SHA256
ab69005d7e514be5dc78f873ae20ce765624cbb16de70301d983fac26b412728

SHA512
51f1558343ef20f6628812dac938883ccd187690d7b22c83489338ac73a66cbc4f27d6a1ef3dc5e0ae21072e742143edbfc8f9a4d95f337be8f02f6df25f6771

Download Submit
C:\Windows\System32\RNvmMuS.exe

Filesize
1.2MB

MD5
4f91f951818c4dcd631891a8441b5438

SHA1
fe1fce666d4a8eac85320dd30a00739f8f5840d7

SHA256
e02c5f572cd8e4aa59f643a3a5179f6743130d81a65f5f93ee38ba441f7b9767

SHA512
e9affe78b30a9bc661c4bbc27929b50ee694d31defe38bb734b87f9ecebfed91b5c842127045f98d4d33f207cc166551e725335b9bb6f9132e012d70074bc8e7

Download Submit
C:\Windows\System32\TnPyVoc.exe

Filesize
1.2MB

MD5
b310427564b103c6e5b4ed5c6ff5a205

SHA1
f5ac0d05d1a2e65f042059fac1329fc378907c18

SHA256
22697c344245903c8bf12ffad7b49a8739e29ddbca007ce77042e007dd658835

SHA512
5d4361b9dfde886e21026dfa632e56e22d59663da29ff9169d2bfd3c93d75a4df82df7f0386c337bfb4c1a1d76a54d4d411640aa9d4e54703763334d7493a717

Download Submit
C:\Windows\System32\TxBPIhh.exe

Filesize
1.2MB

MD5
4422e8f86777f1c31845b12cfe1821b0

SHA1
0fb1e5d92801313d63124bc4655ac6b56deeb09f

SHA256
02e53c31f277cd310e9400914341c3be6c071189fd67542d535de20488380bc4

SHA512
8d3e7406da5727956d256f72d26bc367b75e1d2cd8f61228fa3032b3b47e5c2a20f1d99f6799ab34b5ad809aac0fb713136186f4ede10fe46e843987fed621fa

Download Submit
C:\Windows\System32\ULcUhdh.exe

Filesize
1.2MB

MD5
7b6872a14231c2405edd9b44512ff6e5

SHA1
48f2f9e4ce17eb232ece87d3e6e059110ef340ee

SHA256
266d7cca324245ae114ff6aed327b7f8dff8c12181744bfdf13806af0f5612aa

SHA512
09066d9424356cff6b4102bfa4bdbc2ae49e4844058f88a5cefb966bd958ee8145f170fe295a4de7a05eb019440e967347c690645eb3552b389dfac07ed8a2bc

Download Submit
C:\Windows\System32\WSdrXIO.exe

Filesize
1.2MB

MD5
467f8210277fe471ae4d43337be33f71

SHA1
614bc1e12dba4fd1e4b14428a4f764be5f10a16e

SHA256
f3cfadd05b587fd485306d9a9c2210af6917ed3ee535b4ebb73d83856ee70ce1

SHA512
14b72c62c2d553de9fd8a9d0c84f27b3ee0933da5987d05746c9ce09b560b467834c4528e8cd5871f804bc1d0856857fe30e288abea1be6e70720d5ffb994619

Download Submit
C:\Windows\System32\XmBHbMA.exe

Filesize
1.2MB

MD5
af0b5693e52e646361e6304ee80894a4

SHA1
fa8f35d37c5f58ad4a509116559900552f762edf

SHA256
34c7692fdaf856a769d79060aaa0c0a2ec7ab2775d1da107a18b0e6f4bb9114b

SHA512
b2db4fa20d195584e9fc2e0e4e6c1fb0859e5e4b0a080602c37fd8d5f3f72426fc5e373edd28febe660899b979b5ba6bc357e02bee626e56bdf7c3addc3295b4

Download Submit
C:\Windows\System32\ZGQaIeG.exe

Filesize
1.2MB

MD5
0873c79ec4ccd99754163846620de75d

SHA1
b33cba861cb16aa4249b7677ea2ba9f1ecef7aad

SHA256
8cece3f92a6d09b038e51a48d17a51ddd64a30b394de92fc53c148bc7be85e70

SHA512
59349f9617400ac45c12faa8a6ed99d174a3d52e1f04ef882bdffc3d1437ebd9b3a58cf8c78c76173b223a1e6269b7175bd6e58a143eed8c8598c94e55b0f0bb

Download Submit
C:\Windows\System32\ZLHMLBA.exe

Filesize
1.2MB

MD5
a5f0311f240f9cfa2735735155c24279

SHA1
ffd9eb93568d2867a8f00a7aac38b2c5b7389e26

SHA256
1ffd98a044aecf7f0ac6782dfef728d6435b08ef02d470e4d4da5c8fdb2f19d7

SHA512
c289ab452e51c076ec58a7195256a05be6ddca9f50dd88141661aa8377b92d2945fcae51f881cff4572e36512712a5c6e16384db55490d479c0d10e6799e9f33

Download Submit
C:\Windows\System32\bvpEfPt.exe

Filesize
1.2MB

MD5
c9d9b0f66431d3685559dbaf9d91a5aa

SHA1
81e5f7f2aae401420fa2239b5792ad713671460f

SHA256
80fbc346cd8c84fc27a026fed1da17021401b4732777f65332ac75949cdacc4e

SHA512
8eb1651134922accf5f0a09e2be9af367f6f0bef8bbe72153ccab8e6c7bca38efad5fc96a4a1e0361b36161f546f9779878558a66f71f58a142f0f0b65645b23

Download Submit
C:\Windows\System32\fSdsDLe.exe

Filesize
1.2MB

MD5
b6fe441b36439e245dbda39f24a6a136

SHA1
e92743c9b0c9cb8f48c8f5705a12795ed154b2b3

SHA256
813184f7462572551bc3d6a35fb6b6270249a4b8455a2ca167cae4a3bab82456

SHA512
52fc8c32ede15c4dfc0ad52bd694927f445b46449e5bcf7708a2bb8bf3011d3bb642c19494d0bb68085f295f7864d5a6c6abb1500a92a1f650c3d2f6ce367047

Download Submit
C:\Windows\System32\fzUsWXU.exe

Filesize
1.2MB

MD5
2cfb73898ba533323a00033a7871113d

SHA1
6013eab4748a294b9295adbef0e380f4269d26d1

SHA256
cfd4d9c70db747038ee98616e83376cdfbf328aebd92934ba8ecd28947097fc6

SHA512
d060c157d6f67d7f2de936b62daf319b671b6802698171e68aee2c3af35b6a1a80ba8955383653cc832c6cdd9f63c41f19d839308bed889e97b352618545c484

Download Submit
C:\Windows\System32\oByANao.exe

Filesize
1.2MB

MD5
8c9c815677c135e7e3c7b380d61a8dce

SHA1
b11430c959c07e39feb2441c240c5555b65dc3ec

SHA256
fa971e439c22180290bd6bf419317db50b4cf6d6e8817dcf6d8590b0eced2b4b

SHA512
2d44f3d92077ef462b080d46d2ceda406124337bd7c822ed9ffdac7bd0777acfe48d39da76528b97c9db6260d976842708ad87b405ec2a339e6b2a2d618a94c0

Download Submit
C:\Windows\System32\qRhgXKX.exe

Filesize
1.2MB

MD5
aca9d25de6e78d712de6a6879c69c18e

SHA1
14cc814a671b10f85532bd6a7dae55f5a4c4864c

SHA256
0c15ab0fef6fe7ba94626f94bb903e46ccce5d58af964091c7774ef644d3b146

SHA512
fcefd0003f87e0e28f3074123e42e1fecf3d1b046eef6dbe4aceb531b783d47595595200be4563bfd8c126811bac4d1363c1dea869459aa888ed7919d6f9bba2

Download Submit
C:\Windows\System32\qjGstnz.exe

Filesize
1.2MB

MD5
7ec39a8315e4ef3807f712d4ae738da6

SHA1
3016c3574361275cbb953a3ad613d96088b64cb9

SHA256
8f636452b569f434c725ef093bd7ec2643e066a8f0e860dfe76cc542b5d41859

SHA512
64700547535db3480e0d5cd8409627c3e33d989e412cc1b23c48537e6b911bc14c4abbf75b76c566868dc625ddf18b24df1107a02ba11349cd1f1968b697b9c8

Download Submit
C:\Windows\System32\qjmuOUL.exe

Filesize
1.2MB

MD5
e7930cdc6e5962827ee099e22c6faa11

SHA1
9fdb251f63747aa9c3e957fa71f918f71a0bb65d

SHA256
5dc294e9e5b03cc28a1344fa1534f4531c0657e5e14a3e7a65687316f57d064a

SHA512
3d9656bf3edf7c00cc4282c522c3ea2fb8394e8986e08c5bf3170f4c07976608dc1ff9e5c42b282f4887fd751e955992326c705d2e92eff5d09718a66c9f8e8b

Download Submit
C:\Windows\System32\tewRzVp.exe

Filesize
1.2MB

MD5
1cc57f89fb984bcbb289be1f4d306c99

SHA1
9dba80e9e59295c0bf2a414bbd3929f89356b37b

SHA256
92bec528913a621dd6dfcff79ce66096ee282bcf951845b9bbbc6efb19a8a46c

SHA512
0a76c1b3eff21d3dc00418faf7c5c7b03bdd87f4c44ba54e5da4261ebc50544ad815a22dde32b731ac23fff1e6d43fe6b1d288882126b972611dd9b7613069d3

Download Submit
C:\Windows\System32\tffJAtX.exe

Filesize
1.2MB

MD5
fbebec1ba548615b6aaa7e7ec3025a4c

SHA1
98df6de47c3d8760607dab2e62a72c5e304333b4

SHA256
6c7645ce53ee2d3107afdeefe4caea7d6389e0ae1070b3041feb6624e3b1a2bb

SHA512
6214d8809b6e0ad37394473799f6239fcc0ef0ebda336e75b742c94ede02f87355256998e569597603fa4a480450002adacb59a41a20979c36d85a450e197a8c

Download Submit
C:\Windows\System32\tpozWIN.exe

Filesize
1.2MB

MD5
645ce3ecb48000345a7ec7aea4320495

SHA1
a3c5f43548220a88102bbfcc6498aa02af506ae1

SHA256
3fcea1eebfe492fd4ee9012914da6de012d44c302d21c1ec10e3b25b0e250cba

SHA512
4799746f07ecee25a47fa5889707b930f85fca6f59a971ecc22fbbb416615a698a9e5423cb8993b6fd8db95bde6a32245dd0a42dc731eefb8915bdd89052db3a

Download Submit
C:\Windows\System32\zagQvJJ.exe

Filesize
1.2MB

MD5
9867635fa6994777af42a8600feaf08f

SHA1
b9b354220d75f509e73f478855720a79dcba3840

SHA256
97bc7964019b454e32879c122db8742a9e5e1aee2555c1b5a5bc28ea4e5f38be

SHA512
e4de214096f8f56ab5f58b19eb454360fc3cf99703c9494564618ba2579597b72548a819750701e3fbb03644c6f01e28c90caffb7fcb8e7232563cb1c393a716

Download Submit
C:\Windows\System32\zmVARCv.exe

Filesize
1.2MB

MD5
f467aa26ba35c1d7ee8cd1951b7832ca

SHA1
9c57ef2de1035d7cb8d6c229f6688bde465897ad

SHA256
c27e53bd89793640f77e9d9776fcedd1e409154a933f56a8a3ec9444e357c1e4

SHA512
3abd6242ecc945c16788c92fbeff661a9521cb909caffe60898a4eb010880c5baa5582b1447451784480c9ae83d9540fc60788297bcad6e92607ea92c80fdb80

Download Submit
C:\Windows\System32\zoeGFgo.exe

Filesize
1.2MB

MD5
82ffa9559f59e80979dea928bd7303e9

SHA1
19d2f2ef9fd9548ca432afc29e6766576ef9307e

SHA256
ad3888f04ff29abdc36e5dd375efe26ea6a0c49375ffdb565bd3cc7d6017c6f7

SHA512
ec54a0666134245dca96eb80e7d87a2296a3e36ebf6f56ba1586a4b1342defecb17774ff2643c57870e9143dd52feb3946468e4cd774a1f263e6381dc2ba07bd

Download Submit
memory/404-0-0x00007FF7C4640000-0x00007FF7C4A31000-memory.dmp

Filesize
3.9MB

Download
memory/404-1-0x00000238366F0000-0x0000023836700000-memory.dmp

Filesize
64KB

Download
memory/980-427-0x00007FF71F060000-0x00007FF71F451000-memory.dmp

Filesize
3.9MB

Download
memory/980-2053-0x00007FF71F060000-0x00007FF71F451000-memory.dmp

Filesize
3.9MB

Download
memory/1148-2001-0x00007FF630B90000-0x00007FF630F81000-memory.dmp

Filesize
3.9MB

Download
memory/1148-385-0x00007FF630B90000-0x00007FF630F81000-memory.dmp

Filesize
3.9MB

Download
memory/1192-2011-0x00007FF6F5020000-0x00007FF6F5411000-memory.dmp

Filesize
3.9MB

Download
memory/1192-398-0x00007FF6F5020000-0x00007FF6F5411000-memory.dmp

Filesize
3.9MB

Download
memory/1220-441-0x00007FF740310000-0x00007FF740701000-memory.dmp

Filesize
3.9MB

Download
memory/1220-2067-0x00007FF740310000-0x00007FF740701000-memory.dmp

Filesize
3.9MB

Download
memory/1376-388-0x00007FF755160000-0x00007FF755551000-memory.dmp

Filesize
3.9MB

Download
memory/1376-2007-0x00007FF755160000-0x00007FF755551000-memory.dmp

Filesize
3.9MB

Download
memory/1632-2065-0x00007FF6FB710000-0x00007FF6FBB01000-memory.dmp

Filesize
3.9MB

Download
memory/1632-436-0x00007FF6FB710000-0x00007FF6FBB01000-memory.dmp

Filesize
3.9MB

Download
memory/1952-2051-0x00007FF6B4E10000-0x00007FF6B5201000-memory.dmp

Filesize
3.9MB

Download
memory/1952-414-0x00007FF6B4E10000-0x00007FF6B5201000-memory.dmp

Filesize
3.9MB

Download
memory/1976-415-0x00007FF6483D0000-0x00007FF6487C1000-memory.dmp

Filesize
3.9MB

Download
memory/1976-2055-0x00007FF6483D0000-0x00007FF6487C1000-memory.dmp

Filesize
3.9MB

Download
memory/2044-393-0x00007FF7FDC40000-0x00007FF7FE031000-memory.dmp

Filesize
3.9MB

Download
memory/2044-2009-0x00007FF7FDC40000-0x00007FF7FE031000-memory.dmp

Filesize
3.9MB

Download
memory/2576-383-0x00007FF655F70000-0x00007FF656361000-memory.dmp

Filesize
3.9MB

Download
memory/2576-2005-0x00007FF655F70000-0x00007FF656361000-memory.dmp

Filesize
3.9MB

Download
memory/2672-2003-0x00007FF6A32F0000-0x00007FF6A36E1000-memory.dmp

Filesize
3.9MB

Download
memory/2672-384-0x00007FF6A32F0000-0x00007FF6A36E1000-memory.dmp

Filesize
3.9MB

Download
memory/2828-420-0x00007FF699EC0000-0x00007FF69A2B1000-memory.dmp

Filesize
3.9MB

Download
memory/2828-2057-0x00007FF699EC0000-0x00007FF69A2B1000-memory.dmp

Filesize
3.9MB

Download
memory/3104-2049-0x00007FF79A0D0000-0x00007FF79A4C1000-memory.dmp

Filesize
3.9MB

Download
memory/3104-409-0x00007FF79A0D0000-0x00007FF79A4C1000-memory.dmp

Filesize
3.9MB

Download
memory/3252-33-0x00007FF663BC0000-0x00007FF663FB1000-memory.dmp

Filesize
3.9MB

Download
memory/3252-1999-0x00007FF663BC0000-0x00007FF663FB1000-memory.dmp

Filesize
3.9MB

Download
memory/3368-446-0x00007FF79A430000-0x00007FF79A821000-memory.dmp

Filesize
3.9MB

Download
memory/3368-2069-0x00007FF79A430000-0x00007FF79A821000-memory.dmp

Filesize
3.9MB

Download
memory/3596-1993-0x00007FF7F1980000-0x00007FF7F1D71000-memory.dmp

Filesize
3.9MB

Download
memory/3596-14-0x00007FF7F1980000-0x00007FF7F1D71000-memory.dmp

Filesize
3.9MB

Download
memory/3636-406-0x00007FF7FEF10000-0x00007FF7FF301000-memory.dmp

Filesize
3.9MB

Download
memory/3636-2042-0x00007FF7FEF10000-0x00007FF7FF301000-memory.dmp

Filesize
3.9MB

Download
memory/3732-2063-0x00007FF633620000-0x00007FF633A11000-memory.dmp

Filesize
3.9MB

Download
memory/3732-430-0x00007FF633620000-0x00007FF633A11000-memory.dmp

Filesize
3.9MB

Download
memory/4188-1997-0x00007FF7D71C0000-0x00007FF7D75B1000-memory.dmp

Filesize
3.9MB

Download
memory/4188-27-0x00007FF7D71C0000-0x00007FF7D75B1000-memory.dmp

Filesize
3.9MB

Download
memory/4440-1991-0x00007FF70E1D0000-0x00007FF70E5C1000-memory.dmp

Filesize
3.9MB

Download
memory/4440-13-0x00007FF70E1D0000-0x00007FF70E5C1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-402-0x00007FF730270000-0x00007FF730661000-memory.dmp

Filesize
3.9MB

Download
memory/4496-2013-0x00007FF730270000-0x00007FF730661000-memory.dmp

Filesize
3.9MB

Download
memory/4616-432-0x00007FF7C7230000-0x00007FF7C7621000-memory.dmp

Filesize
3.9MB

Download
memory/4616-2061-0x00007FF7C7230000-0x00007FF7C7621000-memory.dmp

Filesize
3.9MB

Download
memory/4708-2059-0x00007FF638850000-0x00007FF638C41000-memory.dmp

Filesize
3.9MB

Download
memory/4708-425-0x00007FF638850000-0x00007FF638C41000-memory.dmp

Filesize
3.9MB

Download
memory/5084-20-0x00007FF769B20000-0x00007FF769F11000-memory.dmp

Filesize
3.9MB

Download
memory/5084-1995-0x00007FF769B20000-0x00007FF769F11000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads