xmrig | b953ae41dd784f32d97ff0d06be4a2d100267fa2f1c4efd366d7f6e19affcbd1

Analysis

max time kernel
110s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
Size

1.2MB
MD5

164409481972bce02b156ad22c7b9247
SHA1

7b08612ce2abb5797c8238ad5cdb59ef8584ed72
SHA256

b953ae41dd784f32d97ff0d06be4a2d100267fa2f1c4efd366d7f6e19affcbd1
SHA512

6ce600048454bf9f007a8d68d9a552770ab1372c04f4213c8708556c8e1b09e6083b6ee7410b45ca30b45a067d6cb549b9789014ee9d6d54f9dce19c1c3ef65e
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmC3f/DFNkTF8t2o0INgZfgnz:knw9oUUEEDl37jcmWH/I3nYz

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1164-31-0x00007FF7FAFF0000-0x00007FF7FB3E1000-memory.dmp	xmrig
behavioral2/memory/1804-32-0x00007FF7DDC70000-0x00007FF7DE061000-memory.dmp	xmrig
behavioral2/memory/1800-367-0x00007FF648310000-0x00007FF648701000-memory.dmp	xmrig
behavioral2/memory/3724-376-0x00007FF63D820000-0x00007FF63DC11000-memory.dmp	xmrig
behavioral2/memory/1124-381-0x00007FF7669E0000-0x00007FF766DD1000-memory.dmp	xmrig
behavioral2/memory/4536-388-0x00007FF7A9A60000-0x00007FF7A9E51000-memory.dmp	xmrig
behavioral2/memory/656-386-0x00007FF6889F0000-0x00007FF688DE1000-memory.dmp	xmrig
behavioral2/memory/4232-375-0x00007FF7021A0000-0x00007FF702591000-memory.dmp	xmrig
behavioral2/memory/3428-373-0x00007FF750D80000-0x00007FF751171000-memory.dmp	xmrig
behavioral2/memory/4112-371-0x00007FF78B5B0000-0x00007FF78B9A1000-memory.dmp	xmrig
behavioral2/memory/5076-80-0x00007FF602A50000-0x00007FF602E41000-memory.dmp	xmrig
behavioral2/memory/1980-78-0x00007FF673270000-0x00007FF673661000-memory.dmp	xmrig
behavioral2/memory/4252-71-0x00007FF6F9500000-0x00007FF6F98F1000-memory.dmp	xmrig
behavioral2/memory/1576-396-0x00007FF67F7B0000-0x00007FF67FBA1000-memory.dmp	xmrig
behavioral2/memory/2260-398-0x00007FF7B5130000-0x00007FF7B5521000-memory.dmp	xmrig
behavioral2/memory/4872-407-0x00007FF724A50000-0x00007FF724E41000-memory.dmp	xmrig
behavioral2/memory/5000-414-0x00007FF69F530000-0x00007FF69F921000-memory.dmp	xmrig
behavioral2/memory/3744-411-0x00007FF77E2C0000-0x00007FF77E6B1000-memory.dmp	xmrig
behavioral2/memory/2188-1989-0x00007FF6FE800000-0x00007FF6FEBF1000-memory.dmp	xmrig
behavioral2/memory/4680-1990-0x00007FF6BD2A0000-0x00007FF6BD691000-memory.dmp	xmrig
behavioral2/memory/2712-2023-0x00007FF713AD0000-0x00007FF713EC1000-memory.dmp	xmrig
behavioral2/memory/1004-2024-0x00007FF7B8A30000-0x00007FF7B8E21000-memory.dmp	xmrig
behavioral2/memory/3064-2025-0x00007FF7CAE10000-0x00007FF7CB201000-memory.dmp	xmrig
behavioral2/memory/4848-2027-0x00007FF6E2000000-0x00007FF6E23F1000-memory.dmp	xmrig
behavioral2/memory/4584-2032-0x00007FF70F270000-0x00007FF70F661000-memory.dmp	xmrig
behavioral2/memory/2188-2034-0x00007FF6FE800000-0x00007FF6FEBF1000-memory.dmp	xmrig
behavioral2/memory/1164-2040-0x00007FF7FAFF0000-0x00007FF7FB3E1000-memory.dmp	xmrig
behavioral2/memory/1804-2039-0x00007FF7DDC70000-0x00007FF7DE061000-memory.dmp	xmrig
behavioral2/memory/4680-2037-0x00007FF6BD2A0000-0x00007FF6BD691000-memory.dmp	xmrig
behavioral2/memory/4252-2058-0x00007FF6F9500000-0x00007FF6F98F1000-memory.dmp	xmrig
behavioral2/memory/2712-2060-0x00007FF713AD0000-0x00007FF713EC1000-memory.dmp	xmrig
behavioral2/memory/3064-2072-0x00007FF7CAE10000-0x00007FF7CB201000-memory.dmp	xmrig
behavioral2/memory/2260-2066-0x00007FF7B5130000-0x00007FF7B5521000-memory.dmp	xmrig
behavioral2/memory/5076-2064-0x00007FF602A50000-0x00007FF602E41000-memory.dmp	xmrig
behavioral2/memory/1004-2062-0x00007FF7B8A30000-0x00007FF7B8E21000-memory.dmp	xmrig
behavioral2/memory/1980-2068-0x00007FF673270000-0x00007FF673661000-memory.dmp	xmrig
behavioral2/memory/4872-2070-0x00007FF724A50000-0x00007FF724E41000-memory.dmp	xmrig
behavioral2/memory/3744-2074-0x00007FF77E2C0000-0x00007FF77E6B1000-memory.dmp	xmrig
behavioral2/memory/1800-2076-0x00007FF648310000-0x00007FF648701000-memory.dmp	xmrig
behavioral2/memory/5000-2078-0x00007FF69F530000-0x00007FF69F921000-memory.dmp	xmrig
behavioral2/memory/3428-2105-0x00007FF750D80000-0x00007FF751171000-memory.dmp	xmrig
behavioral2/memory/4112-2103-0x00007FF78B5B0000-0x00007FF78B9A1000-memory.dmp	xmrig
behavioral2/memory/4232-2101-0x00007FF7021A0000-0x00007FF702591000-memory.dmp	xmrig
behavioral2/memory/3724-2099-0x00007FF63D820000-0x00007FF63DC11000-memory.dmp	xmrig
behavioral2/memory/656-2097-0x00007FF6889F0000-0x00007FF688DE1000-memory.dmp	xmrig
behavioral2/memory/1576-2095-0x00007FF67F7B0000-0x00007FF67FBA1000-memory.dmp	xmrig
behavioral2/memory/1124-2093-0x00007FF7669E0000-0x00007FF766DD1000-memory.dmp	xmrig
behavioral2/memory/4536-2091-0x00007FF7A9A60000-0x00007FF7A9E51000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4584	deGXMPk.exe
2188	aQAuVHz.exe
4680	mCsWPPn.exe
1804	nrqFMmh.exe
1164	oGvqFdo.exe
2712	uPdQNiS.exe
1004	PjpEZPg.exe
4252	mFjUpYo.exe
1980	orIvQNB.exe
5076	nBXTEnb.exe
2260	IASXOij.exe
4872	YOTwUuY.exe
3064	bVYngPP.exe
3744	bMMUkCm.exe
1800	DddVgMf.exe
5000	IHazbGF.exe
4112	PnQDJJy.exe
3428	KOjolwi.exe
4232	lwFsDuX.exe
3724	dzgBhob.exe
1124	PHPHaUw.exe
656	oGIAxza.exe
4536	dppnBlh.exe
1576	rFTJkfN.exe
628	PHwydpJ.exe
4032	XUaEVhs.exe
1672	pLBdWXZ.exe
4796	oKAerMk.exe
1688	xCdyghH.exe
208	tubogmE.exe
4572	xObXFUA.exe
2112	FjUuUox.exe
220	qcMPCBe.exe
4564	iCQNLcM.exe
4892	oPwDjjS.exe
4868	ruGmzfF.exe
3988	hwlXvOb.exe
5020	junaWWX.exe
3500	EwxAUDs.exe
3684	ngkXuft.exe
2884	fOuyMpN.exe
2840	QIyqqcY.exe
3560	MDcQjTU.exe
1536	xdPIJBr.exe
4724	BuhUTLs.exe
3532	KxggHFM.exe
1928	CmITddE.exe
3572	GBrwPkK.exe
60	BlltjrD.exe
5060	ZYRwNnp.exe
1700	AjsSuJR.exe
772	LSbAFWL.exe
2420	BgyhPrK.exe
4752	rgwITAS.exe
3400	WRySHqj.exe
2652	TkWaktV.exe
4612	lxyVkJh.exe
2876	jUjuJYz.exe
2636	NxOCeEq.exe
3284	rPaCoui.exe
3244	oIMgFvf.exe
2940	fQwNxhm.exe
4580	hTYGiJI.exe
812	EJFskrm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4848-0-0x00007FF6E2000000-0x00007FF6E23F1000-memory.dmp	upx
behavioral2/files/0x000c000000023b5b-5.dat	upx
behavioral2/files/0x000b000000023bb2-7.dat	upx
behavioral2/memory/2188-19-0x00007FF6FE800000-0x00007FF6FEBF1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb6-22.dat	upx
behavioral2/files/0x000a000000023bb8-24.dat	upx
behavioral2/memory/1164-31-0x00007FF7FAFF0000-0x00007FF7FB3E1000-memory.dmp	upx
behavioral2/memory/1804-32-0x00007FF7DDC70000-0x00007FF7DE061000-memory.dmp	upx
behavioral2/memory/4680-30-0x00007FF6BD2A0000-0x00007FF6BD691000-memory.dmp	upx
behavioral2/files/0x000a000000023bb7-26.dat	upx
behavioral2/memory/4584-9-0x00007FF70F270000-0x00007FF70F661000-memory.dmp	upx
behavioral2/files/0x000a000000023bbb-44.dat	upx
behavioral2/memory/2712-43-0x00007FF713AD0000-0x00007FF713EC1000-memory.dmp	upx
behavioral2/files/0x0031000000023bbc-51.dat	upx
behavioral2/files/0x000b000000023bb3-66.dat	upx
behavioral2/files/0x000a000000023bbf-75.dat	upx
behavioral2/files/0x000a000000023bc0-82.dat	upx
behavioral2/memory/3064-85-0x00007FF7CAE10000-0x00007FF7CB201000-memory.dmp	upx
behavioral2/files/0x000a000000023bc3-92.dat	upx
behavioral2/files/0x000a000000023bc2-90.dat	upx
behavioral2/files/0x000a000000023bc1-88.dat	upx
behavioral2/files/0x000a000000023bc6-100.dat	upx
behavioral2/files/0x000a000000023bc8-110.dat	upx
behavioral2/files/0x000a000000023bcc-130.dat	upx
behavioral2/files/0x000a000000023bce-142.dat	upx
behavioral2/files/0x000a000000023bd0-152.dat	upx
behavioral2/files/0x000a000000023bd3-165.dat	upx
behavioral2/memory/1800-367-0x00007FF648310000-0x00007FF648701000-memory.dmp	upx
behavioral2/memory/3724-376-0x00007FF63D820000-0x00007FF63DC11000-memory.dmp	upx
behavioral2/memory/1124-381-0x00007FF7669E0000-0x00007FF766DD1000-memory.dmp	upx
behavioral2/memory/4536-388-0x00007FF7A9A60000-0x00007FF7A9E51000-memory.dmp	upx
behavioral2/memory/656-386-0x00007FF6889F0000-0x00007FF688DE1000-memory.dmp	upx
behavioral2/memory/4232-375-0x00007FF7021A0000-0x00007FF702591000-memory.dmp	upx
behavioral2/memory/3428-373-0x00007FF750D80000-0x00007FF751171000-memory.dmp	upx
behavioral2/memory/4112-371-0x00007FF78B5B0000-0x00007FF78B9A1000-memory.dmp	upx
behavioral2/files/0x000a000000023bd4-172.dat	upx
behavioral2/files/0x000a000000023bd2-163.dat	upx
behavioral2/files/0x000a000000023bd1-158.dat	upx
behavioral2/files/0x000a000000023bcf-148.dat	upx
behavioral2/files/0x000a000000023bcd-137.dat	upx
behavioral2/files/0x000a000000023bcb-128.dat	upx
behavioral2/files/0x000a000000023bca-122.dat	upx
behavioral2/files/0x000a000000023bc9-117.dat	upx
behavioral2/files/0x000a000000023bc7-108.dat	upx
behavioral2/files/0x000a000000023bc4-98.dat	upx
behavioral2/memory/5076-80-0x00007FF602A50000-0x00007FF602E41000-memory.dmp	upx
behavioral2/memory/1980-78-0x00007FF673270000-0x00007FF673661000-memory.dmp	upx
behavioral2/memory/4252-71-0x00007FF6F9500000-0x00007FF6F98F1000-memory.dmp	upx
behavioral2/memory/1004-64-0x00007FF7B8A30000-0x00007FF7B8E21000-memory.dmp	upx
behavioral2/files/0x0031000000023bbe-59.dat	upx
behavioral2/files/0x0031000000023bbd-53.dat	upx
behavioral2/files/0x000a000000023bb9-49.dat	upx
behavioral2/memory/1576-396-0x00007FF67F7B0000-0x00007FF67FBA1000-memory.dmp	upx
behavioral2/memory/2260-398-0x00007FF7B5130000-0x00007FF7B5521000-memory.dmp	upx
behavioral2/memory/4872-407-0x00007FF724A50000-0x00007FF724E41000-memory.dmp	upx
behavioral2/memory/5000-414-0x00007FF69F530000-0x00007FF69F921000-memory.dmp	upx
behavioral2/memory/3744-411-0x00007FF77E2C0000-0x00007FF77E6B1000-memory.dmp	upx
behavioral2/memory/2188-1989-0x00007FF6FE800000-0x00007FF6FEBF1000-memory.dmp	upx
behavioral2/memory/4680-1990-0x00007FF6BD2A0000-0x00007FF6BD691000-memory.dmp	upx
behavioral2/memory/2712-2023-0x00007FF713AD0000-0x00007FF713EC1000-memory.dmp	upx
behavioral2/memory/1004-2024-0x00007FF7B8A30000-0x00007FF7B8E21000-memory.dmp	upx
behavioral2/memory/3064-2025-0x00007FF7CAE10000-0x00007FF7CB201000-memory.dmp	upx
behavioral2/memory/4848-2027-0x00007FF6E2000000-0x00007FF6E23F1000-memory.dmp	upx
behavioral2/memory/4584-2032-0x00007FF70F270000-0x00007FF70F661000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\CmITddE.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\xYZhSEh.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\wtHdvHk.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\WKnsXcp.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\GBrwPkK.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\vgdTvQB.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\IuLJsLA.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\XPWhwEm.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\JDVhDjM.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\fLEKACH.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\ymjrXyo.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\junaWWX.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\ZPHfaWk.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\NSISqlb.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\Fcegira.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\dYmnCns.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\PXawufV.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\LKOuQBu.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\XQoeHBp.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\sFGHmrd.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\gAquwmK.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\YMLKuml.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\XgGkDzB.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\sAbLLSM.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\spMzrWQ.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\dljASKS.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\EbwLpiN.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\MtuVkHo.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\hfGPpGq.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\NzZUFCn.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\dAlPKma.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\DXclFwA.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\vRlRCiS.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\BQSFetx.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\SlzbMAm.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\YrraMoC.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\dwxsxBq.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\utYmnSD.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\iCQNLcM.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\iuAYeFC.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\tpWRbBw.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\fyiIHVA.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\OBapONe.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\lyCWGjj.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\AjsSuJR.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\pyKaydg.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\GTrGRff.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\NMuBbTt.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\ItvdvJw.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\RfgTcFg.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\pbgTAZN.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\pDGJpel.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\BvFhGdu.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\VUySKhM.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\YzwiACg.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\eAEXnmj.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\AyFpfkC.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\EMnGtuA.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\CNeWtuK.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\JBtDZil.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\pJApDzG.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\xVOdZMT.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\hcRAsgN.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
File created	C:\Windows\System32\YCdooRf.exe	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13128	dwm.exe
Token: SeChangeNotifyPrivilege	13128	dwm.exe
Token: 33	13128	dwm.exe
Token: SeIncBasePriorityPrivilege	13128	dwm.exe
Token: SeShutdownPrivilege	13128	dwm.exe
Token: SeCreatePagefilePrivilege	13128	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4584	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	85
PID 4848 wrote to memory of 4584	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	85
PID 4848 wrote to memory of 2188	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	86
PID 4848 wrote to memory of 2188	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	86
PID 4848 wrote to memory of 4680	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	87
PID 4848 wrote to memory of 4680	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	87
PID 4848 wrote to memory of 1804	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	88
PID 4848 wrote to memory of 1804	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	88
PID 4848 wrote to memory of 1164	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	89
PID 4848 wrote to memory of 1164	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	89
PID 4848 wrote to memory of 2712	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	90
PID 4848 wrote to memory of 2712	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	90
PID 4848 wrote to memory of 1004	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	91
PID 4848 wrote to memory of 1004	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	91
PID 4848 wrote to memory of 5076	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	92
PID 4848 wrote to memory of 5076	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	92
PID 4848 wrote to memory of 4252	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	93
PID 4848 wrote to memory of 4252	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	93
PID 4848 wrote to memory of 1980	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	94
PID 4848 wrote to memory of 1980	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	94
PID 4848 wrote to memory of 2260	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	95
PID 4848 wrote to memory of 2260	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	95
PID 4848 wrote to memory of 4872	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	96
PID 4848 wrote to memory of 4872	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	96
PID 4848 wrote to memory of 3064	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	97
PID 4848 wrote to memory of 3064	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	97
PID 4848 wrote to memory of 3744	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	98
PID 4848 wrote to memory of 3744	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	98
PID 4848 wrote to memory of 1800	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	99
PID 4848 wrote to memory of 1800	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	99
PID 4848 wrote to memory of 5000	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	100
PID 4848 wrote to memory of 5000	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	100
PID 4848 wrote to memory of 4112	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	101
PID 4848 wrote to memory of 4112	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	101
PID 4848 wrote to memory of 3428	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	102
PID 4848 wrote to memory of 3428	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	102
PID 4848 wrote to memory of 4232	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	103
PID 4848 wrote to memory of 4232	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	103
PID 4848 wrote to memory of 3724	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	104
PID 4848 wrote to memory of 3724	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	104
PID 4848 wrote to memory of 1124	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	105
PID 4848 wrote to memory of 1124	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	105
PID 4848 wrote to memory of 656	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	106
PID 4848 wrote to memory of 656	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	106
PID 4848 wrote to memory of 4536	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	107
PID 4848 wrote to memory of 4536	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	107
PID 4848 wrote to memory of 1576	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	108
PID 4848 wrote to memory of 1576	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	108
PID 4848 wrote to memory of 628	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	109
PID 4848 wrote to memory of 628	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	109
PID 4848 wrote to memory of 4032	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	110
PID 4848 wrote to memory of 4032	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	110
PID 4848 wrote to memory of 1672	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	111
PID 4848 wrote to memory of 1672	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	111
PID 4848 wrote to memory of 4796	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	112
PID 4848 wrote to memory of 4796	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	112
PID 4848 wrote to memory of 1688	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	113
PID 4848 wrote to memory of 1688	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	113
PID 4848 wrote to memory of 208	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	114
PID 4848 wrote to memory of 208	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	114
PID 4848 wrote to memory of 4572	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	115
PID 4848 wrote to memory of 4572	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	115
PID 4848 wrote to memory of 2112	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	116
PID 4848 wrote to memory of 2112	4848	164409481972bce02b156ad22c7b9247_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\164409481972bce02b156ad22c7b9247_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\164409481972bce02b156ad22c7b9247_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\System32\deGXMPk.exe
  C:\Windows\System32\deGXMPk.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\aQAuVHz.exe
  C:\Windows\System32\aQAuVHz.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System32\mCsWPPn.exe
  C:\Windows\System32\mCsWPPn.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System32\nrqFMmh.exe
  C:\Windows\System32\nrqFMmh.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\oGvqFdo.exe
  C:\Windows\System32\oGvqFdo.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\uPdQNiS.exe
  C:\Windows\System32\uPdQNiS.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System32\PjpEZPg.exe
  C:\Windows\System32\PjpEZPg.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System32\nBXTEnb.exe
  C:\Windows\System32\nBXTEnb.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System32\mFjUpYo.exe
  C:\Windows\System32\mFjUpYo.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System32\orIvQNB.exe
  C:\Windows\System32\orIvQNB.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\IASXOij.exe
  C:\Windows\System32\IASXOij.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System32\YOTwUuY.exe
  C:\Windows\System32\YOTwUuY.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\bVYngPP.exe
  C:\Windows\System32\bVYngPP.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System32\bMMUkCm.exe
  C:\Windows\System32\bMMUkCm.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\DddVgMf.exe
  C:\Windows\System32\DddVgMf.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\IHazbGF.exe
  C:\Windows\System32\IHazbGF.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System32\PnQDJJy.exe
  C:\Windows\System32\PnQDJJy.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System32\KOjolwi.exe
  C:\Windows\System32\KOjolwi.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System32\lwFsDuX.exe
  C:\Windows\System32\lwFsDuX.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System32\dzgBhob.exe
  C:\Windows\System32\dzgBhob.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System32\PHPHaUw.exe
  C:\Windows\System32\PHPHaUw.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System32\oGIAxza.exe
  C:\Windows\System32\oGIAxza.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System32\dppnBlh.exe
  C:\Windows\System32\dppnBlh.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\rFTJkfN.exe
  C:\Windows\System32\rFTJkfN.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System32\PHwydpJ.exe
  C:\Windows\System32\PHwydpJ.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System32\XUaEVhs.exe
  C:\Windows\System32\XUaEVhs.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\pLBdWXZ.exe
  C:\Windows\System32\pLBdWXZ.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System32\oKAerMk.exe
  C:\Windows\System32\oKAerMk.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\xCdyghH.exe
  C:\Windows\System32\xCdyghH.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System32\tubogmE.exe
  C:\Windows\System32\tubogmE.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System32\xObXFUA.exe
  C:\Windows\System32\xObXFUA.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\FjUuUox.exe
  C:\Windows\System32\FjUuUox.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System32\qcMPCBe.exe
  C:\Windows\System32\qcMPCBe.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System32\iCQNLcM.exe
  C:\Windows\System32\iCQNLcM.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System32\oPwDjjS.exe
  C:\Windows\System32\oPwDjjS.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System32\ruGmzfF.exe
  C:\Windows\System32\ruGmzfF.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\hwlXvOb.exe
  C:\Windows\System32\hwlXvOb.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\junaWWX.exe
  C:\Windows\System32\junaWWX.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\EwxAUDs.exe
  C:\Windows\System32\EwxAUDs.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\ngkXuft.exe
  C:\Windows\System32\ngkXuft.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System32\fOuyMpN.exe
  C:\Windows\System32\fOuyMpN.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System32\QIyqqcY.exe
  C:\Windows\System32\QIyqqcY.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System32\MDcQjTU.exe
  C:\Windows\System32\MDcQjTU.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\xdPIJBr.exe
  C:\Windows\System32\xdPIJBr.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System32\BuhUTLs.exe
  C:\Windows\System32\BuhUTLs.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\KxggHFM.exe
  C:\Windows\System32\KxggHFM.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\CmITddE.exe
  C:\Windows\System32\CmITddE.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System32\GBrwPkK.exe
  C:\Windows\System32\GBrwPkK.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\BlltjrD.exe
  C:\Windows\System32\BlltjrD.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System32\ZYRwNnp.exe
  C:\Windows\System32\ZYRwNnp.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\AjsSuJR.exe
  C:\Windows\System32\AjsSuJR.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System32\LSbAFWL.exe
  C:\Windows\System32\LSbAFWL.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System32\BgyhPrK.exe
  C:\Windows\System32\BgyhPrK.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System32\rgwITAS.exe
  C:\Windows\System32\rgwITAS.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System32\WRySHqj.exe
  C:\Windows\System32\WRySHqj.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System32\TkWaktV.exe
  C:\Windows\System32\TkWaktV.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System32\lxyVkJh.exe
  C:\Windows\System32\lxyVkJh.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\jUjuJYz.exe
  C:\Windows\System32\jUjuJYz.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System32\NxOCeEq.exe
  C:\Windows\System32\NxOCeEq.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System32\rPaCoui.exe
  C:\Windows\System32\rPaCoui.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\oIMgFvf.exe
  C:\Windows\System32\oIMgFvf.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System32\fQwNxhm.exe
  C:\Windows\System32\fQwNxhm.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\hTYGiJI.exe
  C:\Windows\System32\hTYGiJI.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System32\EJFskrm.exe
  C:\Windows\System32\EJFskrm.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System32\zGxbWZS.exe
  C:\Windows\System32\zGxbWZS.exe
  2⤵
  PID:2356
- C:\Windows\System32\OSOOaCr.exe
  C:\Windows\System32\OSOOaCr.exe
  2⤵
  PID:4512
- C:\Windows\System32\HKJVRsr.exe
  C:\Windows\System32\HKJVRsr.exe
  2⤵
  PID:3908
- C:\Windows\System32\DHLKCWc.exe
  C:\Windows\System32\DHLKCWc.exe
  2⤵
  PID:1188
- C:\Windows\System32\FCQXUaX.exe
  C:\Windows\System32\FCQXUaX.exe
  2⤵
  PID:1544
- C:\Windows\System32\pxDAQIS.exe
  C:\Windows\System32\pxDAQIS.exe
  2⤵
  PID:2676
- C:\Windows\System32\FPuASvV.exe
  C:\Windows\System32\FPuASvV.exe
  2⤵
  PID:1780
- C:\Windows\System32\JzpvHOb.exe
  C:\Windows\System32\JzpvHOb.exe
  2⤵
  PID:3816
- C:\Windows\System32\trMuVZx.exe
  C:\Windows\System32\trMuVZx.exe
  2⤵
  PID:1528
- C:\Windows\System32\JwQohdn.exe
  C:\Windows\System32\JwQohdn.exe
  2⤵
  PID:5028
- C:\Windows\System32\YYubovr.exe
  C:\Windows\System32\YYubovr.exe
  2⤵
  PID:4076
- C:\Windows\System32\pLvzmIq.exe
  C:\Windows\System32\pLvzmIq.exe
  2⤵
  PID:3060
- C:\Windows\System32\hafjAfw.exe
  C:\Windows\System32\hafjAfw.exe
  2⤵
  PID:1588
- C:\Windows\System32\ZXnJXmI.exe
  C:\Windows\System32\ZXnJXmI.exe
  2⤵
  PID:2116
- C:\Windows\System32\eFDihSZ.exe
  C:\Windows\System32\eFDihSZ.exe
  2⤵
  PID:1864
- C:\Windows\System32\XeqxxHv.exe
  C:\Windows\System32\XeqxxHv.exe
  2⤵
  PID:4688
- C:\Windows\System32\TIxMsuD.exe
  C:\Windows\System32\TIxMsuD.exe
  2⤵
  PID:2944
- C:\Windows\System32\jfjDVVN.exe
  C:\Windows\System32\jfjDVVN.exe
  2⤵
  PID:3708
- C:\Windows\System32\CSLMArE.exe
  C:\Windows\System32\CSLMArE.exe
  2⤵
  PID:4876
- C:\Windows\System32\nCVwwIS.exe
  C:\Windows\System32\nCVwwIS.exe
  2⤵
  PID:1828
- C:\Windows\System32\cEPCnyM.exe
  C:\Windows\System32\cEPCnyM.exe
  2⤵
  PID:5140
- C:\Windows\System32\xYZhSEh.exe
  C:\Windows\System32\xYZhSEh.exe
  2⤵
  PID:5172
- C:\Windows\System32\kfmRVtP.exe
  C:\Windows\System32\kfmRVtP.exe
  2⤵
  PID:5200
- C:\Windows\System32\bqwQxMU.exe
  C:\Windows\System32\bqwQxMU.exe
  2⤵
  PID:5224
- C:\Windows\System32\TaYSzPq.exe
  C:\Windows\System32\TaYSzPq.exe
  2⤵
  PID:5256
- C:\Windows\System32\iFdRZzH.exe
  C:\Windows\System32\iFdRZzH.exe
  2⤵
  PID:5284
- C:\Windows\System32\UGaaYTV.exe
  C:\Windows\System32\UGaaYTV.exe
  2⤵
  PID:5308
- C:\Windows\System32\PlXSzvS.exe
  C:\Windows\System32\PlXSzvS.exe
  2⤵
  PID:5340
- C:\Windows\System32\FmvKKzz.exe
  C:\Windows\System32\FmvKKzz.exe
  2⤵
  PID:5368
- C:\Windows\System32\ADqWqaO.exe
  C:\Windows\System32\ADqWqaO.exe
  2⤵
  PID:5392
- C:\Windows\System32\BXjooQN.exe
  C:\Windows\System32\BXjooQN.exe
  2⤵
  PID:5424
- C:\Windows\System32\AoLvzuN.exe
  C:\Windows\System32\AoLvzuN.exe
  2⤵
  PID:5452
- C:\Windows\System32\ZPeSmTk.exe
  C:\Windows\System32\ZPeSmTk.exe
  2⤵
  PID:5476
- C:\Windows\System32\ywRZTQh.exe
  C:\Windows\System32\ywRZTQh.exe
  2⤵
  PID:5524
- C:\Windows\System32\nsoazFK.exe
  C:\Windows\System32\nsoazFK.exe
  2⤵
  PID:5560
- C:\Windows\System32\DVuKvKA.exe
  C:\Windows\System32\DVuKvKA.exe
  2⤵
  PID:5592
- C:\Windows\System32\spMzrWQ.exe
  C:\Windows\System32\spMzrWQ.exe
  2⤵
  PID:5608
- C:\Windows\System32\DUVhfgP.exe
  C:\Windows\System32\DUVhfgP.exe
  2⤵
  PID:5636
- C:\Windows\System32\sBcSsZI.exe
  C:\Windows\System32\sBcSsZI.exe
  2⤵
  PID:5680
- C:\Windows\System32\OyCHLAi.exe
  C:\Windows\System32\OyCHLAi.exe
  2⤵
  PID:5700
- C:\Windows\System32\nhYKjhv.exe
  C:\Windows\System32\nhYKjhv.exe
  2⤵
  PID:5716
- C:\Windows\System32\cfQKHHl.exe
  C:\Windows\System32\cfQKHHl.exe
  2⤵
  PID:5756
- C:\Windows\System32\MhSaeDv.exe
  C:\Windows\System32\MhSaeDv.exe
  2⤵
  PID:5776
- C:\Windows\System32\YAEwOtn.exe
  C:\Windows\System32\YAEwOtn.exe
  2⤵
  PID:5800
- C:\Windows\System32\JzoxxgC.exe
  C:\Windows\System32\JzoxxgC.exe
  2⤵
  PID:5840
- C:\Windows\System32\NmVquTX.exe
  C:\Windows\System32\NmVquTX.exe
  2⤵
  PID:5908
- C:\Windows\System32\lGYXLim.exe
  C:\Windows\System32\lGYXLim.exe
  2⤵
  PID:5960
- C:\Windows\System32\UiNGGsD.exe
  C:\Windows\System32\UiNGGsD.exe
  2⤵
  PID:5992
- C:\Windows\System32\qYhWgJk.exe
  C:\Windows\System32\qYhWgJk.exe
  2⤵
  PID:6008
- C:\Windows\System32\nFpMDll.exe
  C:\Windows\System32\nFpMDll.exe
  2⤵
  PID:6028
- C:\Windows\System32\rAFbqvT.exe
  C:\Windows\System32\rAFbqvT.exe
  2⤵
  PID:6044
- C:\Windows\System32\iAXnxzW.exe
  C:\Windows\System32\iAXnxzW.exe
  2⤵
  PID:6080
- C:\Windows\System32\FDybQwK.exe
  C:\Windows\System32\FDybQwK.exe
  2⤵
  PID:6124
- C:\Windows\System32\cCUrlIR.exe
  C:\Windows\System32\cCUrlIR.exe
  2⤵
  PID:1888
- C:\Windows\System32\MEAVKwy.exe
  C:\Windows\System32\MEAVKwy.exe
  2⤵
  PID:1948
- C:\Windows\System32\PaclDLp.exe
  C:\Windows\System32\PaclDLp.exe
  2⤵
  PID:4600
- C:\Windows\System32\AKCPONI.exe
  C:\Windows\System32\AKCPONI.exe
  2⤵
  PID:5136
- C:\Windows\System32\xfUOixU.exe
  C:\Windows\System32\xfUOixU.exe
  2⤵
  PID:4332
- C:\Windows\System32\YLcpQLA.exe
  C:\Windows\System32\YLcpQLA.exe
  2⤵
  PID:5276
- C:\Windows\System32\ErPEgaa.exe
  C:\Windows\System32\ErPEgaa.exe
  2⤵
  PID:1896
- C:\Windows\System32\pcroGqc.exe
  C:\Windows\System32\pcroGqc.exe
  2⤵
  PID:3496
- C:\Windows\System32\pJApDzG.exe
  C:\Windows\System32\pJApDzG.exe
  2⤵
  PID:5356
- C:\Windows\System32\ZPHfaWk.exe
  C:\Windows\System32\ZPHfaWk.exe
  2⤵
  PID:1392
- C:\Windows\System32\vgdTvQB.exe
  C:\Windows\System32\vgdTvQB.exe
  2⤵
  PID:5412
- C:\Windows\System32\XkxKqgJ.exe
  C:\Windows\System32\XkxKqgJ.exe
  2⤵
  PID:1324
- C:\Windows\System32\EzmjEvx.exe
  C:\Windows\System32\EzmjEvx.exe
  2⤵
  PID:1720
- C:\Windows\System32\LPBumvM.exe
  C:\Windows\System32\LPBumvM.exe
  2⤵
  PID:5472
- C:\Windows\System32\LKOuQBu.exe
  C:\Windows\System32\LKOuQBu.exe
  2⤵
  PID:5520
- C:\Windows\System32\IBtdxuC.exe
  C:\Windows\System32\IBtdxuC.exe
  2⤵
  PID:5648
- C:\Windows\System32\NSISqlb.exe
  C:\Windows\System32\NSISqlb.exe
  2⤵
  PID:5788
- C:\Windows\System32\betzKYD.exe
  C:\Windows\System32\betzKYD.exe
  2⤵
  PID:5764
- C:\Windows\System32\SKwwaXp.exe
  C:\Windows\System32\SKwwaXp.exe
  2⤵
  PID:5896
- C:\Windows\System32\bHenHbx.exe
  C:\Windows\System32\bHenHbx.exe
  2⤵
  PID:5572
- C:\Windows\System32\ZtTfDLf.exe
  C:\Windows\System32\ZtTfDLf.exe
  2⤵
  PID:5860
- C:\Windows\System32\rbiMLeU.exe
  C:\Windows\System32\rbiMLeU.exe
  2⤵
  PID:4268
- C:\Windows\System32\evdMWbl.exe
  C:\Windows\System32\evdMWbl.exe
  2⤵
  PID:4328
- C:\Windows\System32\mbbBIuX.exe
  C:\Windows\System32\mbbBIuX.exe
  2⤵
  PID:6056
- C:\Windows\System32\vRlRCiS.exe
  C:\Windows\System32\vRlRCiS.exe
  2⤵
  PID:6132
- C:\Windows\System32\BAelpbX.exe
  C:\Windows\System32\BAelpbX.exe
  2⤵
  PID:1256
- C:\Windows\System32\wZWxYPK.exe
  C:\Windows\System32\wZWxYPK.exe
  2⤵
  PID:5124
- C:\Windows\System32\bmkMWMZ.exe
  C:\Windows\System32\bmkMWMZ.exe
  2⤵
  PID:5208
- C:\Windows\System32\ujjAhYi.exe
  C:\Windows\System32\ujjAhYi.exe
  2⤵
  PID:400
- C:\Windows\System32\GLQSixr.exe
  C:\Windows\System32\GLQSixr.exe
  2⤵
  PID:5360
- C:\Windows\System32\fXgDVpu.exe
  C:\Windows\System32\fXgDVpu.exe
  2⤵
  PID:3408
- C:\Windows\System32\YdFPULP.exe
  C:\Windows\System32\YdFPULP.exe
  2⤵
  PID:5604
- C:\Windows\System32\Bpvsedt.exe
  C:\Windows\System32\Bpvsedt.exe
  2⤵
  PID:5864
- C:\Windows\System32\YzwiACg.exe
  C:\Windows\System32\YzwiACg.exe
  2⤵
  PID:4364
- C:\Windows\System32\xTJwHHN.exe
  C:\Windows\System32\xTJwHHN.exe
  2⤵
  PID:5984
- C:\Windows\System32\MYGmEJm.exe
  C:\Windows\System32\MYGmEJm.exe
  2⤵
  PID:4948
- C:\Windows\System32\wuEECfb.exe
  C:\Windows\System32\wuEECfb.exe
  2⤵
  PID:5272
- C:\Windows\System32\FmdHiAD.exe
  C:\Windows\System32\FmdHiAD.exe
  2⤵
  PID:5232
- C:\Windows\System32\mKVyWRM.exe
  C:\Windows\System32\mKVyWRM.exe
  2⤵
  PID:5584
- C:\Windows\System32\YaWHhzt.exe
  C:\Windows\System32\YaWHhzt.exe
  2⤵
  PID:5824
- C:\Windows\System32\siDTLCH.exe
  C:\Windows\System32\siDTLCH.exe
  2⤵
  PID:6000
- C:\Windows\System32\BOIZlJp.exe
  C:\Windows\System32\BOIZlJp.exe
  2⤵
  PID:5148
- C:\Windows\System32\ShkVXqf.exe
  C:\Windows\System32\ShkVXqf.exe
  2⤵
  PID:5916
- C:\Windows\System32\xMdVnKP.exe
  C:\Windows\System32\xMdVnKP.exe
  2⤵
  PID:6152
- C:\Windows\System32\mFufvTX.exe
  C:\Windows\System32\mFufvTX.exe
  2⤵
  PID:6172
- C:\Windows\System32\gtMDXRl.exe
  C:\Windows\System32\gtMDXRl.exe
  2⤵
  PID:6196
- C:\Windows\System32\nuDSlGb.exe
  C:\Windows\System32\nuDSlGb.exe
  2⤵
  PID:6216
- C:\Windows\System32\TerEDZT.exe
  C:\Windows\System32\TerEDZT.exe
  2⤵
  PID:6244
- C:\Windows\System32\rjQPCBb.exe
  C:\Windows\System32\rjQPCBb.exe
  2⤵
  PID:6268
- C:\Windows\System32\cFrLkDf.exe
  C:\Windows\System32\cFrLkDf.exe
  2⤵
  PID:6288
- C:\Windows\System32\EZBQcig.exe
  C:\Windows\System32\EZBQcig.exe
  2⤵
  PID:6344
- C:\Windows\System32\hSDlkJa.exe
  C:\Windows\System32\hSDlkJa.exe
  2⤵
  PID:6360
- C:\Windows\System32\beITdsE.exe
  C:\Windows\System32\beITdsE.exe
  2⤵
  PID:6376
- C:\Windows\System32\auneRNr.exe
  C:\Windows\System32\auneRNr.exe
  2⤵
  PID:6400
- C:\Windows\System32\jFHEuNL.exe
  C:\Windows\System32\jFHEuNL.exe
  2⤵
  PID:6416
- C:\Windows\System32\MYkcQEq.exe
  C:\Windows\System32\MYkcQEq.exe
  2⤵
  PID:6452
- C:\Windows\System32\KkjsEBL.exe
  C:\Windows\System32\KkjsEBL.exe
  2⤵
  PID:6472
- C:\Windows\System32\wnemUEz.exe
  C:\Windows\System32\wnemUEz.exe
  2⤵
  PID:6532
- C:\Windows\System32\FHnwFrR.exe
  C:\Windows\System32\FHnwFrR.exe
  2⤵
  PID:6572
- C:\Windows\System32\zejxIXh.exe
  C:\Windows\System32\zejxIXh.exe
  2⤵
  PID:6600
- C:\Windows\System32\UeFZahD.exe
  C:\Windows\System32\UeFZahD.exe
  2⤵
  PID:6628
- C:\Windows\System32\fSGpyyX.exe
  C:\Windows\System32\fSGpyyX.exe
  2⤵
  PID:6648
- C:\Windows\System32\yDgxvgO.exe
  C:\Windows\System32\yDgxvgO.exe
  2⤵
  PID:6668
- C:\Windows\System32\oSjWuLT.exe
  C:\Windows\System32\oSjWuLT.exe
  2⤵
  PID:6688
- C:\Windows\System32\pyKaydg.exe
  C:\Windows\System32\pyKaydg.exe
  2⤵
  PID:6708
- C:\Windows\System32\mNPYcCB.exe
  C:\Windows\System32\mNPYcCB.exe
  2⤵
  PID:6724
- C:\Windows\System32\zPJSjfr.exe
  C:\Windows\System32\zPJSjfr.exe
  2⤵
  PID:6748
- C:\Windows\System32\XNJfuZW.exe
  C:\Windows\System32\XNJfuZW.exe
  2⤵
  PID:6764
- C:\Windows\System32\zSdwvVM.exe
  C:\Windows\System32\zSdwvVM.exe
  2⤵
  PID:6804
- C:\Windows\System32\lARdCYN.exe
  C:\Windows\System32\lARdCYN.exe
  2⤵
  PID:6868
- C:\Windows\System32\eCxhqDi.exe
  C:\Windows\System32\eCxhqDi.exe
  2⤵
  PID:6920
- C:\Windows\System32\mcNCnnD.exe
  C:\Windows\System32\mcNCnnD.exe
  2⤵
  PID:6936
- C:\Windows\System32\jFqcTZd.exe
  C:\Windows\System32\jFqcTZd.exe
  2⤵
  PID:6956
- C:\Windows\System32\ihPLVio.exe
  C:\Windows\System32\ihPLVio.exe
  2⤵
  PID:6976
- C:\Windows\System32\hjFQHTW.exe
  C:\Windows\System32\hjFQHTW.exe
  2⤵
  PID:7024
- C:\Windows\System32\nIzotzS.exe
  C:\Windows\System32\nIzotzS.exe
  2⤵
  PID:7068
- C:\Windows\System32\wtHdvHk.exe
  C:\Windows\System32\wtHdvHk.exe
  2⤵
  PID:7092
- C:\Windows\System32\qwZTRAD.exe
  C:\Windows\System32\qwZTRAD.exe
  2⤵
  PID:7108
- C:\Windows\System32\geWdYlx.exe
  C:\Windows\System32\geWdYlx.exe
  2⤵
  PID:7128
- C:\Windows\System32\RMawyXc.exe
  C:\Windows\System32\RMawyXc.exe
  2⤵
  PID:7152
- C:\Windows\System32\Fcegira.exe
  C:\Windows\System32\Fcegira.exe
  2⤵
  PID:5244
- C:\Windows\System32\VmqCdwo.exe
  C:\Windows\System32\VmqCdwo.exe
  2⤵
  PID:6180
- C:\Windows\System32\Rcdtyzg.exe
  C:\Windows\System32\Rcdtyzg.exe
  2⤵
  PID:6256
- C:\Windows\System32\nZqgQWp.exe
  C:\Windows\System32\nZqgQWp.exe
  2⤵
  PID:6356
- C:\Windows\System32\bmNjqXp.exe
  C:\Windows\System32\bmNjqXp.exe
  2⤵
  PID:6436
- C:\Windows\System32\hnBCTXj.exe
  C:\Windows\System32\hnBCTXj.exe
  2⤵
  PID:6412
- C:\Windows\System32\ERBJxle.exe
  C:\Windows\System32\ERBJxle.exe
  2⤵
  PID:6468
- C:\Windows\System32\uUmUCyf.exe
  C:\Windows\System32\uUmUCyf.exe
  2⤵
  PID:6496
- C:\Windows\System32\eAEXnmj.exe
  C:\Windows\System32\eAEXnmj.exe
  2⤵
  PID:6584
- C:\Windows\System32\loGArhM.exe
  C:\Windows\System32\loGArhM.exe
  2⤵
  PID:6732
- C:\Windows\System32\kImebcL.exe
  C:\Windows\System32\kImebcL.exe
  2⤵
  PID:6788
- C:\Windows\System32\QnVYnGd.exe
  C:\Windows\System32\QnVYnGd.exe
  2⤵
  PID:6756
- C:\Windows\System32\BQSFetx.exe
  C:\Windows\System32\BQSFetx.exe
  2⤵
  PID:6900
- C:\Windows\System32\kxwsxuD.exe
  C:\Windows\System32\kxwsxuD.exe
  2⤵
  PID:6848
- C:\Windows\System32\nywpUqh.exe
  C:\Windows\System32\nywpUqh.exe
  2⤵
  PID:6944
- C:\Windows\System32\iuAYeFC.exe
  C:\Windows\System32\iuAYeFC.exe
  2⤵
  PID:6168
- C:\Windows\System32\DsMmoiv.exe
  C:\Windows\System32\DsMmoiv.exe
  2⤵
  PID:6424
- C:\Windows\System32\JBUTZyB.exe
  C:\Windows\System32\JBUTZyB.exe
  2⤵
  PID:6552
- C:\Windows\System32\xVOdZMT.exe
  C:\Windows\System32\xVOdZMT.exe
  2⤵
  PID:6396
- C:\Windows\System32\yopQorq.exe
  C:\Windows\System32\yopQorq.exe
  2⤵
  PID:6816
- C:\Windows\System32\NnrkYSp.exe
  C:\Windows\System32\NnrkYSp.exe
  2⤵
  PID:6700
- C:\Windows\System32\hKZKFkW.exe
  C:\Windows\System32\hKZKFkW.exe
  2⤵
  PID:7036
- C:\Windows\System32\WOUBUQC.exe
  C:\Windows\System32\WOUBUQC.exe
  2⤵
  PID:7164
- C:\Windows\System32\uiARQVh.exe
  C:\Windows\System32\uiARQVh.exe
  2⤵
  PID:6504
- C:\Windows\System32\RblkPaw.exe
  C:\Windows\System32\RblkPaw.exe
  2⤵
  PID:6740
- C:\Windows\System32\mLzodeR.exe
  C:\Windows\System32\mLzodeR.exe
  2⤵
  PID:7160
- C:\Windows\System32\nXOkQwe.exe
  C:\Windows\System32\nXOkQwe.exe
  2⤵
  PID:7076
- C:\Windows\System32\RnmzIFQ.exe
  C:\Windows\System32\RnmzIFQ.exe
  2⤵
  PID:6888
- C:\Windows\System32\MHOqgvD.exe
  C:\Windows\System32\MHOqgvD.exe
  2⤵
  PID:7196
- C:\Windows\System32\IuLJsLA.exe
  C:\Windows\System32\IuLJsLA.exe
  2⤵
  PID:7216
- C:\Windows\System32\RiqBPGh.exe
  C:\Windows\System32\RiqBPGh.exe
  2⤵
  PID:7232
- C:\Windows\System32\UbFdYtn.exe
  C:\Windows\System32\UbFdYtn.exe
  2⤵
  PID:7256
- C:\Windows\System32\TlRgAPr.exe
  C:\Windows\System32\TlRgAPr.exe
  2⤵
  PID:7272
- C:\Windows\System32\Zqdwyma.exe
  C:\Windows\System32\Zqdwyma.exe
  2⤵
  PID:7300
- C:\Windows\System32\cTKjDSY.exe
  C:\Windows\System32\cTKjDSY.exe
  2⤵
  PID:7364
- C:\Windows\System32\WlsrxBs.exe
  C:\Windows\System32\WlsrxBs.exe
  2⤵
  PID:7384
- C:\Windows\System32\EBdBUPN.exe
  C:\Windows\System32\EBdBUPN.exe
  2⤵
  PID:7472
- C:\Windows\System32\PkUjVhw.exe
  C:\Windows\System32\PkUjVhw.exe
  2⤵
  PID:7508
- C:\Windows\System32\DQDCoSn.exe
  C:\Windows\System32\DQDCoSn.exe
  2⤵
  PID:7524
- C:\Windows\System32\tNXrwKr.exe
  C:\Windows\System32\tNXrwKr.exe
  2⤵
  PID:7552
- C:\Windows\System32\nRHQETy.exe
  C:\Windows\System32\nRHQETy.exe
  2⤵
  PID:7580
- C:\Windows\System32\VnGUAWA.exe
  C:\Windows\System32\VnGUAWA.exe
  2⤵
  PID:7608
- C:\Windows\System32\BkwPord.exe
  C:\Windows\System32\BkwPord.exe
  2⤵
  PID:7648
- C:\Windows\System32\EqqMCJW.exe
  C:\Windows\System32\EqqMCJW.exe
  2⤵
  PID:7676
- C:\Windows\System32\YuETtnW.exe
  C:\Windows\System32\YuETtnW.exe
  2⤵
  PID:7696
- C:\Windows\System32\vQfIXsI.exe
  C:\Windows\System32\vQfIXsI.exe
  2⤵
  PID:7712
- C:\Windows\System32\GmYDkwQ.exe
  C:\Windows\System32\GmYDkwQ.exe
  2⤵
  PID:7732
- C:\Windows\System32\SubWZMS.exe
  C:\Windows\System32\SubWZMS.exe
  2⤵
  PID:7756
- C:\Windows\System32\zMBQlue.exe
  C:\Windows\System32\zMBQlue.exe
  2⤵
  PID:7776
- C:\Windows\System32\lVUWNhs.exe
  C:\Windows\System32\lVUWNhs.exe
  2⤵
  PID:7820
- C:\Windows\System32\RlxfIlW.exe
  C:\Windows\System32\RlxfIlW.exe
  2⤵
  PID:7868
- C:\Windows\System32\DZtnhhk.exe
  C:\Windows\System32\DZtnhhk.exe
  2⤵
  PID:7904
- C:\Windows\System32\XZZCdWl.exe
  C:\Windows\System32\XZZCdWl.exe
  2⤵
  PID:7932
- C:\Windows\System32\syPmqqH.exe
  C:\Windows\System32\syPmqqH.exe
  2⤵
  PID:7948
- C:\Windows\System32\AyFpfkC.exe
  C:\Windows\System32\AyFpfkC.exe
  2⤵
  PID:7976
- C:\Windows\System32\IonZpGU.exe
  C:\Windows\System32\IonZpGU.exe
  2⤵
  PID:7996
- C:\Windows\System32\qAZCusM.exe
  C:\Windows\System32\qAZCusM.exe
  2⤵
  PID:8016
- C:\Windows\System32\HBlOOXU.exe
  C:\Windows\System32\HBlOOXU.exe
  2⤵
  PID:8076
- C:\Windows\System32\dnIVsEA.exe
  C:\Windows\System32\dnIVsEA.exe
  2⤵
  PID:8096
- C:\Windows\System32\MWXmbiU.exe
  C:\Windows\System32\MWXmbiU.exe
  2⤵
  PID:8116
- C:\Windows\System32\TDTZCUl.exe
  C:\Windows\System32\TDTZCUl.exe
  2⤵
  PID:8132
- C:\Windows\System32\nlwFcPA.exe
  C:\Windows\System32\nlwFcPA.exe
  2⤵
  PID:8152
- C:\Windows\System32\alLIeli.exe
  C:\Windows\System32\alLIeli.exe
  2⤵
  PID:8176
- C:\Windows\System32\yAekLTr.exe
  C:\Windows\System32\yAekLTr.exe
  2⤵
  PID:7008
- C:\Windows\System32\iBVBNdu.exe
  C:\Windows\System32\iBVBNdu.exe
  2⤵
  PID:7292
- C:\Windows\System32\MpEoupg.exe
  C:\Windows\System32\MpEoupg.exe
  2⤵
  PID:7248
- C:\Windows\System32\WXLArtN.exe
  C:\Windows\System32\WXLArtN.exe
  2⤵
  PID:7452
- C:\Windows\System32\jpcEjsJ.exe
  C:\Windows\System32\jpcEjsJ.exe
  2⤵
  PID:7432
- C:\Windows\System32\cLLjdVQ.exe
  C:\Windows\System32\cLLjdVQ.exe
  2⤵
  PID:7576
- C:\Windows\System32\FHARXXf.exe
  C:\Windows\System32\FHARXXf.exe
  2⤵
  PID:7620
- C:\Windows\System32\yViNLIA.exe
  C:\Windows\System32\yViNLIA.exe
  2⤵
  PID:7688
- C:\Windows\System32\cBhBfNR.exe
  C:\Windows\System32\cBhBfNR.exe
  2⤵
  PID:7752
- C:\Windows\System32\BCMpzPL.exe
  C:\Windows\System32\BCMpzPL.exe
  2⤵
  PID:7784
- C:\Windows\System32\WTwmQnt.exe
  C:\Windows\System32\WTwmQnt.exe
  2⤵
  PID:7832
- C:\Windows\System32\bYNEfIC.exe
  C:\Windows\System32\bYNEfIC.exe
  2⤵
  PID:7916
- C:\Windows\System32\eSvGjcS.exe
  C:\Windows\System32\eSvGjcS.exe
  2⤵
  PID:7964
- C:\Windows\System32\NlJsjQp.exe
  C:\Windows\System32\NlJsjQp.exe
  2⤵
  PID:7988
- C:\Windows\System32\dbVsExh.exe
  C:\Windows\System32\dbVsExh.exe
  2⤵
  PID:8068
- C:\Windows\System32\MPGCOHs.exe
  C:\Windows\System32\MPGCOHs.exe
  2⤵
  PID:8112
- C:\Windows\System32\HMiHlJY.exe
  C:\Windows\System32\HMiHlJY.exe
  2⤵
  PID:7180
- C:\Windows\System32\pBSsJTC.exe
  C:\Windows\System32\pBSsJTC.exe
  2⤵
  PID:7332
- C:\Windows\System32\Dlaihzm.exe
  C:\Windows\System32\Dlaihzm.exe
  2⤵
  PID:7468
- C:\Windows\System32\oDjAPHD.exe
  C:\Windows\System32\oDjAPHD.exe
  2⤵
  PID:7604
- C:\Windows\System32\wOytGVq.exe
  C:\Windows\System32\wOytGVq.exe
  2⤵
  PID:7728
- C:\Windows\System32\pcZNGuF.exe
  C:\Windows\System32\pcZNGuF.exe
  2⤵
  PID:7772
- C:\Windows\System32\IFsVAqP.exe
  C:\Windows\System32\IFsVAqP.exe
  2⤵
  PID:7064
- C:\Windows\System32\PQYmEac.exe
  C:\Windows\System32\PQYmEac.exe
  2⤵
  PID:8044
- C:\Windows\System32\WiWVkuX.exe
  C:\Windows\System32\WiWVkuX.exe
  2⤵
  PID:7708
- C:\Windows\System32\Dupwdml.exe
  C:\Windows\System32\Dupwdml.exe
  2⤵
  PID:7884
- C:\Windows\System32\EeULcjl.exe
  C:\Windows\System32\EeULcjl.exe
  2⤵
  PID:7228
- C:\Windows\System32\SgPkpIP.exe
  C:\Windows\System32\SgPkpIP.exe
  2⤵
  PID:8224
- C:\Windows\System32\WJJIDgC.exe
  C:\Windows\System32\WJJIDgC.exe
  2⤵
  PID:8244
- C:\Windows\System32\cZeeOGR.exe
  C:\Windows\System32\cZeeOGR.exe
  2⤵
  PID:8268
- C:\Windows\System32\GDucpwS.exe
  C:\Windows\System32\GDucpwS.exe
  2⤵
  PID:8308
- C:\Windows\System32\XXSbeuO.exe
  C:\Windows\System32\XXSbeuO.exe
  2⤵
  PID:8324
- C:\Windows\System32\DtTYOgd.exe
  C:\Windows\System32\DtTYOgd.exe
  2⤵
  PID:8352
- C:\Windows\System32\lQPVIdu.exe
  C:\Windows\System32\lQPVIdu.exe
  2⤵
  PID:8372
- C:\Windows\System32\POQLSNs.exe
  C:\Windows\System32\POQLSNs.exe
  2⤵
  PID:8388
- C:\Windows\System32\nekGmtS.exe
  C:\Windows\System32\nekGmtS.exe
  2⤵
  PID:8424
- C:\Windows\System32\dmuJHdJ.exe
  C:\Windows\System32\dmuJHdJ.exe
  2⤵
  PID:8464
- C:\Windows\System32\RwVlwAj.exe
  C:\Windows\System32\RwVlwAj.exe
  2⤵
  PID:8488
- C:\Windows\System32\zSxtakY.exe
  C:\Windows\System32\zSxtakY.exe
  2⤵
  PID:8504
- C:\Windows\System32\kBlPBvu.exe
  C:\Windows\System32\kBlPBvu.exe
  2⤵
  PID:8528
- C:\Windows\System32\JHlgYtW.exe
  C:\Windows\System32\JHlgYtW.exe
  2⤵
  PID:8544
- C:\Windows\System32\UEQPjlk.exe
  C:\Windows\System32\UEQPjlk.exe
  2⤵
  PID:8568
- C:\Windows\System32\dlTaKUx.exe
  C:\Windows\System32\dlTaKUx.exe
  2⤵
  PID:8620
- C:\Windows\System32\XGNDpmr.exe
  C:\Windows\System32\XGNDpmr.exe
  2⤵
  PID:8640
- C:\Windows\System32\PsPObjW.exe
  C:\Windows\System32\PsPObjW.exe
  2⤵
  PID:8692
- C:\Windows\System32\GTrGRff.exe
  C:\Windows\System32\GTrGRff.exe
  2⤵
  PID:8712
- C:\Windows\System32\drfYQgf.exe
  C:\Windows\System32\drfYQgf.exe
  2⤵
  PID:8740
- C:\Windows\System32\YCdooRf.exe
  C:\Windows\System32\YCdooRf.exe
  2⤵
  PID:8760
- C:\Windows\System32\SlzbMAm.exe
  C:\Windows\System32\SlzbMAm.exe
  2⤵
  PID:8776
- C:\Windows\System32\NMuBbTt.exe
  C:\Windows\System32\NMuBbTt.exe
  2⤵
  PID:8804
- C:\Windows\System32\tOGrYsm.exe
  C:\Windows\System32\tOGrYsm.exe
  2⤵
  PID:8852
- C:\Windows\System32\BLSKhFr.exe
  C:\Windows\System32\BLSKhFr.exe
  2⤵
  PID:8892
- C:\Windows\System32\YMLKuml.exe
  C:\Windows\System32\YMLKuml.exe
  2⤵
  PID:8912
- C:\Windows\System32\aQVOoeX.exe
  C:\Windows\System32\aQVOoeX.exe
  2⤵
  PID:8928
- C:\Windows\System32\mkTEdXf.exe
  C:\Windows\System32\mkTEdXf.exe
  2⤵
  PID:8956
- C:\Windows\System32\LpWYbYd.exe
  C:\Windows\System32\LpWYbYd.exe
  2⤵
  PID:8972
- C:\Windows\System32\yNUNbYe.exe
  C:\Windows\System32\yNUNbYe.exe
  2⤵
  PID:8996
- C:\Windows\System32\GUJkUWG.exe
  C:\Windows\System32\GUJkUWG.exe
  2⤵
  PID:9016
- C:\Windows\System32\lHksiUM.exe
  C:\Windows\System32\lHksiUM.exe
  2⤵
  PID:9032
- C:\Windows\System32\TejEWTk.exe
  C:\Windows\System32\TejEWTk.exe
  2⤵
  PID:9088
- C:\Windows\System32\pbgTAZN.exe
  C:\Windows\System32\pbgTAZN.exe
  2⤵
  PID:9144
- C:\Windows\System32\pxypisr.exe
  C:\Windows\System32\pxypisr.exe
  2⤵
  PID:9168
- C:\Windows\System32\WuzlANi.exe
  C:\Windows\System32\WuzlANi.exe
  2⤵
  PID:7876
- C:\Windows\System32\ItvdvJw.exe
  C:\Windows\System32\ItvdvJw.exe
  2⤵
  PID:8252
- C:\Windows\System32\RXFRVpY.exe
  C:\Windows\System32\RXFRVpY.exe
  2⤵
  PID:8236
- C:\Windows\System32\XgGkDzB.exe
  C:\Windows\System32\XgGkDzB.exe
  2⤵
  PID:8320
- C:\Windows\System32\UWYFOqt.exe
  C:\Windows\System32\UWYFOqt.exe
  2⤵
  PID:8364
- C:\Windows\System32\KacgQQn.exe
  C:\Windows\System32\KacgQQn.exe
  2⤵
  PID:8432
- C:\Windows\System32\EMnGtuA.exe
  C:\Windows\System32\EMnGtuA.exe
  2⤵
  PID:8520
- C:\Windows\System32\DslNNVF.exe
  C:\Windows\System32\DslNNVF.exe
  2⤵
  PID:8604
- C:\Windows\System32\YrraMoC.exe
  C:\Windows\System32\YrraMoC.exe
  2⤵
  PID:8656
- C:\Windows\System32\NHpYXzt.exe
  C:\Windows\System32\NHpYXzt.exe
  2⤵
  PID:9028
- C:\Windows\System32\OCLKOeJ.exe
  C:\Windows\System32\OCLKOeJ.exe
  2⤵
  PID:8980
- C:\Windows\System32\dKuOlzw.exe
  C:\Windows\System32\dKuOlzw.exe
  2⤵
  PID:8936
- C:\Windows\System32\PocvrpZ.exe
  C:\Windows\System32\PocvrpZ.exe
  2⤵
  PID:8984
- C:\Windows\System32\MjkOEqa.exe
  C:\Windows\System32\MjkOEqa.exe
  2⤵
  PID:9024
- C:\Windows\System32\hfGPpGq.exe
  C:\Windows\System32\hfGPpGq.exe
  2⤵
  PID:9112
- C:\Windows\System32\ROcMpJr.exe
  C:\Windows\System32\ROcMpJr.exe
  2⤵
  PID:9156
- C:\Windows\System32\IGxZISZ.exe
  C:\Windows\System32\IGxZISZ.exe
  2⤵
  PID:9180
- C:\Windows\System32\puyXXYy.exe
  C:\Windows\System32\puyXXYy.exe
  2⤵
  PID:8220
- C:\Windows\System32\PefekIX.exe
  C:\Windows\System32\PefekIX.exe
  2⤵
  PID:8256
- C:\Windows\System32\gdtRwcI.exe
  C:\Windows\System32\gdtRwcI.exe
  2⤵
  PID:8336
- C:\Windows\System32\VgpNswi.exe
  C:\Windows\System32\VgpNswi.exe
  2⤵
  PID:8444
- C:\Windows\System32\uFHXfIZ.exe
  C:\Windows\System32\uFHXfIZ.exe
  2⤵
  PID:8552
- C:\Windows\System32\rmRKqPB.exe
  C:\Windows\System32\rmRKqPB.exe
  2⤵
  PID:8648
- C:\Windows\System32\DtjoNJe.exe
  C:\Windows\System32\DtjoNJe.exe
  2⤵
  PID:8676
- C:\Windows\System32\CNeWtuK.exe
  C:\Windows\System32\CNeWtuK.exe
  2⤵
  PID:9236
- C:\Windows\System32\ULGnbdJ.exe
  C:\Windows\System32\ULGnbdJ.exe
  2⤵
  PID:9252
- C:\Windows\System32\AbbdZsu.exe
  C:\Windows\System32\AbbdZsu.exe
  2⤵
  PID:9268
- C:\Windows\System32\FcWuSjd.exe
  C:\Windows\System32\FcWuSjd.exe
  2⤵
  PID:9284
- C:\Windows\System32\Kwmxpsh.exe
  C:\Windows\System32\Kwmxpsh.exe
  2⤵
  PID:9300
- C:\Windows\System32\MmMVLWq.exe
  C:\Windows\System32\MmMVLWq.exe
  2⤵
  PID:9316
- C:\Windows\System32\AstRpTD.exe
  C:\Windows\System32\AstRpTD.exe
  2⤵
  PID:9352
- C:\Windows\System32\rvpfYXQ.exe
  C:\Windows\System32\rvpfYXQ.exe
  2⤵
  PID:9388
- C:\Windows\System32\rcRUfCB.exe
  C:\Windows\System32\rcRUfCB.exe
  2⤵
  PID:9460
- C:\Windows\System32\NzZUFCn.exe
  C:\Windows\System32\NzZUFCn.exe
  2⤵
  PID:9504
- C:\Windows\System32\yblAFBg.exe
  C:\Windows\System32\yblAFBg.exe
  2⤵
  PID:9676
- C:\Windows\System32\WKnsXcp.exe
  C:\Windows\System32\WKnsXcp.exe
  2⤵
  PID:9748
- C:\Windows\System32\NoZJhnq.exe
  C:\Windows\System32\NoZJhnq.exe
  2⤵
  PID:9800
- C:\Windows\System32\JBtDZil.exe
  C:\Windows\System32\JBtDZil.exe
  2⤵
  PID:9852
- C:\Windows\System32\kmiBdWX.exe
  C:\Windows\System32\kmiBdWX.exe
  2⤵
  PID:9868
- C:\Windows\System32\fPdlQLe.exe
  C:\Windows\System32\fPdlQLe.exe
  2⤵
  PID:9888
- C:\Windows\System32\hQeMXkt.exe
  C:\Windows\System32\hQeMXkt.exe
  2⤵
  PID:9908
- C:\Windows\System32\hcRAsgN.exe
  C:\Windows\System32\hcRAsgN.exe
  2⤵
  PID:9924
- C:\Windows\System32\fcreRPK.exe
  C:\Windows\System32\fcreRPK.exe
  2⤵
  PID:9952
- C:\Windows\System32\WQnadQW.exe
  C:\Windows\System32\WQnadQW.exe
  2⤵
  PID:9976
- C:\Windows\System32\zRpivaF.exe
  C:\Windows\System32\zRpivaF.exe
  2⤵
  PID:10032
- C:\Windows\System32\LnOddnO.exe
  C:\Windows\System32\LnOddnO.exe
  2⤵
  PID:10056
- C:\Windows\System32\JAdTGBy.exe
  C:\Windows\System32\JAdTGBy.exe
  2⤵
  PID:10076
- C:\Windows\System32\HwBitBK.exe
  C:\Windows\System32\HwBitBK.exe
  2⤵
  PID:10092
- C:\Windows\System32\GdaibST.exe
  C:\Windows\System32\GdaibST.exe
  2⤵
  PID:10140
- C:\Windows\System32\lILDWHB.exe
  C:\Windows\System32\lILDWHB.exe
  2⤵
  PID:10172
- C:\Windows\System32\tpWRbBw.exe
  C:\Windows\System32\tpWRbBw.exe
  2⤵
  PID:10192
- C:\Windows\System32\kDIuQBb.exe
  C:\Windows\System32\kDIuQBb.exe
  2⤵
  PID:10212
- C:\Windows\System32\xKmLqvk.exe
  C:\Windows\System32\xKmLqvk.exe
  2⤵
  PID:8732
- C:\Windows\System32\IxVKiPm.exe
  C:\Windows\System32\IxVKiPm.exe
  2⤵
  PID:8720
- C:\Windows\System32\dljASKS.exe
  C:\Windows\System32\dljASKS.exe
  2⤵
  PID:8784
- C:\Windows\System32\rfJfjMD.exe
  C:\Windows\System32\rfJfjMD.exe
  2⤵
  PID:8796
- C:\Windows\System32\neMXCyo.exe
  C:\Windows\System32\neMXCyo.exe
  2⤵
  PID:9248
- C:\Windows\System32\iWJHldE.exe
  C:\Windows\System32\iWJHldE.exe
  2⤵
  PID:9296
- C:\Windows\System32\aNJqaXa.exe
  C:\Windows\System32\aNJqaXa.exe
  2⤵
  PID:8864
- C:\Windows\System32\yywocsU.exe
  C:\Windows\System32\yywocsU.exe
  2⤵
  PID:9404
- C:\Windows\System32\oMltRpr.exe
  C:\Windows\System32\oMltRpr.exe
  2⤵
  PID:9344
- C:\Windows\System32\tOmgMBJ.exe
  C:\Windows\System32\tOmgMBJ.exe
  2⤵
  PID:8964
- C:\Windows\System32\bBbizkK.exe
  C:\Windows\System32\bBbizkK.exe
  2⤵
  PID:9188
- C:\Windows\System32\mjerjOv.exe
  C:\Windows\System32\mjerjOv.exe
  2⤵
  PID:9496
- C:\Windows\System32\dIBuIoe.exe
  C:\Windows\System32\dIBuIoe.exe
  2⤵
  PID:9500
- C:\Windows\System32\XQoeHBp.exe
  C:\Windows\System32\XQoeHBp.exe
  2⤵
  PID:9588
- C:\Windows\System32\aPxUEtO.exe
  C:\Windows\System32\aPxUEtO.exe
  2⤵
  PID:9644
- C:\Windows\System32\qNZjIWQ.exe
  C:\Windows\System32\qNZjIWQ.exe
  2⤵
  PID:9760
- C:\Windows\System32\RtKNsKM.exe
  C:\Windows\System32\RtKNsKM.exe
  2⤵
  PID:9836
- C:\Windows\System32\lgFqSCz.exe
  C:\Windows\System32\lgFqSCz.exe
  2⤵
  PID:9876
- C:\Windows\System32\tkcMeln.exe
  C:\Windows\System32\tkcMeln.exe
  2⤵
  PID:9944
- C:\Windows\System32\ROrAFDH.exe
  C:\Windows\System32\ROrAFDH.exe
  2⤵
  PID:10000
- C:\Windows\System32\yvJjaQt.exe
  C:\Windows\System32\yvJjaQt.exe
  2⤵
  PID:10112
- C:\Windows\System32\dAlPKma.exe
  C:\Windows\System32\dAlPKma.exe
  2⤵
  PID:10084
- C:\Windows\System32\dwxsxBq.exe
  C:\Windows\System32\dwxsxBq.exe
  2⤵
  PID:10236
- C:\Windows\System32\dYmnCns.exe
  C:\Windows\System32\dYmnCns.exe
  2⤵
  PID:10224
- C:\Windows\System32\FjCjZXN.exe
  C:\Windows\System32\FjCjZXN.exe
  2⤵
  PID:8396
- C:\Windows\System32\Ujjntdw.exe
  C:\Windows\System32\Ujjntdw.exe
  2⤵
  PID:9264
- C:\Windows\System32\USMUmcK.exe
  C:\Windows\System32\USMUmcK.exe
  2⤵
  PID:8944
- C:\Windows\System32\XPWhwEm.exe
  C:\Windows\System32\XPWhwEm.exe
  2⤵
  PID:9360
- C:\Windows\System32\GYkfwZO.exe
  C:\Windows\System32\GYkfwZO.exe
  2⤵
  PID:8296
- C:\Windows\System32\DQsCPlI.exe
  C:\Windows\System32\DQsCPlI.exe
  2⤵
  PID:9668
- C:\Windows\System32\lnYDckc.exe
  C:\Windows\System32\lnYDckc.exe
  2⤵
  PID:9792
- C:\Windows\System32\XuXQGVt.exe
  C:\Windows\System32\XuXQGVt.exe
  2⤵
  PID:9920
- C:\Windows\System32\PYqjNde.exe
  C:\Windows\System32\PYqjNde.exe
  2⤵
  PID:10004
- C:\Windows\System32\HiCLXDU.exe
  C:\Windows\System32\HiCLXDU.exe
  2⤵
  PID:10136
- C:\Windows\System32\qsxKuaI.exe
  C:\Windows\System32\qsxKuaI.exe
  2⤵
  PID:9364
- C:\Windows\System32\EbwLpiN.exe
  C:\Windows\System32\EbwLpiN.exe
  2⤵
  PID:9732
- C:\Windows\System32\yKAwlYe.exe
  C:\Windows\System32\yKAwlYe.exe
  2⤵
  PID:9880
- C:\Windows\System32\GNCbkAh.exe
  C:\Windows\System32\GNCbkAh.exe
  2⤵
  PID:10120
- C:\Windows\System32\STIHupf.exe
  C:\Windows\System32\STIHupf.exe
  2⤵
  PID:9332
- C:\Windows\System32\PXawufV.exe
  C:\Windows\System32\PXawufV.exe
  2⤵
  PID:9176
- C:\Windows\System32\ZHWyVtY.exe
  C:\Windows\System32\ZHWyVtY.exe
  2⤵
  PID:10276
- C:\Windows\System32\JvMXNbq.exe
  C:\Windows\System32\JvMXNbq.exe
  2⤵
  PID:10296
- C:\Windows\System32\WiiUVnb.exe
  C:\Windows\System32\WiiUVnb.exe
  2⤵
  PID:10316
- C:\Windows\System32\VJINbal.exe
  C:\Windows\System32\VJINbal.exe
  2⤵
  PID:10352
- C:\Windows\System32\vFMSurh.exe
  C:\Windows\System32\vFMSurh.exe
  2⤵
  PID:10380
- C:\Windows\System32\FBQQmqo.exe
  C:\Windows\System32\FBQQmqo.exe
  2⤵
  PID:10424
- C:\Windows\System32\PcaBwwx.exe
  C:\Windows\System32\PcaBwwx.exe
  2⤵
  PID:10464
- C:\Windows\System32\VyNDlyE.exe
  C:\Windows\System32\VyNDlyE.exe
  2⤵
  PID:10484
- C:\Windows\System32\sAbLLSM.exe
  C:\Windows\System32\sAbLLSM.exe
  2⤵
  PID:10500
- C:\Windows\System32\ZQtFFBa.exe
  C:\Windows\System32\ZQtFFBa.exe
  2⤵
  PID:10524
- C:\Windows\System32\PvQNlyP.exe
  C:\Windows\System32\PvQNlyP.exe
  2⤵
  PID:10548
- C:\Windows\System32\RfgTcFg.exe
  C:\Windows\System32\RfgTcFg.exe
  2⤵
  PID:10576
- C:\Windows\System32\aSyYxfL.exe
  C:\Windows\System32\aSyYxfL.exe
  2⤵
  PID:10596
- C:\Windows\System32\fyiIHVA.exe
  C:\Windows\System32\fyiIHVA.exe
  2⤵
  PID:10668
- C:\Windows\System32\AOVBqEE.exe
  C:\Windows\System32\AOVBqEE.exe
  2⤵
  PID:10708
- C:\Windows\System32\BrrYBmA.exe
  C:\Windows\System32\BrrYBmA.exe
  2⤵
  PID:10724
- C:\Windows\System32\pzeWyUR.exe
  C:\Windows\System32\pzeWyUR.exe
  2⤵
  PID:10744
- C:\Windows\System32\GNCYjyS.exe
  C:\Windows\System32\GNCYjyS.exe
  2⤵
  PID:10764
- C:\Windows\System32\lihTAcB.exe
  C:\Windows\System32\lihTAcB.exe
  2⤵
  PID:10784
- C:\Windows\System32\aaPsSaq.exe
  C:\Windows\System32\aaPsSaq.exe
  2⤵
  PID:10816
- C:\Windows\System32\pDGJpel.exe
  C:\Windows\System32\pDGJpel.exe
  2⤵
  PID:10844
- C:\Windows\System32\kkbSuUT.exe
  C:\Windows\System32\kkbSuUT.exe
  2⤵
  PID:10896
- C:\Windows\System32\TBxtYdf.exe
  C:\Windows\System32\TBxtYdf.exe
  2⤵
  PID:10916
- C:\Windows\System32\QjUdzqQ.exe
  C:\Windows\System32\QjUdzqQ.exe
  2⤵
  PID:10960
- C:\Windows\System32\STgfWWO.exe
  C:\Windows\System32\STgfWWO.exe
  2⤵
  PID:10984
- C:\Windows\System32\aTlPJkq.exe
  C:\Windows\System32\aTlPJkq.exe
  2⤵
  PID:11000
- C:\Windows\System32\vwwaJnH.exe
  C:\Windows\System32\vwwaJnH.exe
  2⤵
  PID:11036
- C:\Windows\System32\HPkEPkB.exe
  C:\Windows\System32\HPkEPkB.exe
  2⤵
  PID:11060
- C:\Windows\System32\nkEcDYX.exe
  C:\Windows\System32\nkEcDYX.exe
  2⤵
  PID:11084
- C:\Windows\System32\HdaUSey.exe
  C:\Windows\System32\HdaUSey.exe
  2⤵
  PID:11112
- C:\Windows\System32\MiyASJQ.exe
  C:\Windows\System32\MiyASJQ.exe
  2⤵
  PID:11140
- C:\Windows\System32\zTcoPXm.exe
  C:\Windows\System32\zTcoPXm.exe
  2⤵
  PID:11176
- C:\Windows\System32\nCguiCm.exe
  C:\Windows\System32\nCguiCm.exe
  2⤵
  PID:11196
- C:\Windows\System32\heIVWoJ.exe
  C:\Windows\System32\heIVWoJ.exe
  2⤵
  PID:11224
- C:\Windows\System32\iSjZpzy.exe
  C:\Windows\System32\iSjZpzy.exe
  2⤵
  PID:11244
- C:\Windows\System32\NFVWMeZ.exe
  C:\Windows\System32\NFVWMeZ.exe
  2⤵
  PID:9556
- C:\Windows\System32\aJMsJqL.exe
  C:\Windows\System32\aJMsJqL.exe
  2⤵
  PID:10260
- C:\Windows\System32\OBapONe.exe
  C:\Windows\System32\OBapONe.exe
  2⤵
  PID:10308
- C:\Windows\System32\PjkQsXW.exe
  C:\Windows\System32\PjkQsXW.exe
  2⤵
  PID:10440
- C:\Windows\System32\oUqurUy.exe
  C:\Windows\System32\oUqurUy.exe
  2⤵
  PID:10540
- C:\Windows\System32\OOlEmTk.exe
  C:\Windows\System32\OOlEmTk.exe
  2⤵
  PID:10568
- C:\Windows\System32\nYlUMOp.exe
  C:\Windows\System32\nYlUMOp.exe
  2⤵
  PID:10624
- C:\Windows\System32\fDaeRnG.exe
  C:\Windows\System32\fDaeRnG.exe
  2⤵
  PID:10644
- C:\Windows\System32\WnsYCov.exe
  C:\Windows\System32\WnsYCov.exe
  2⤵
  PID:10716
- C:\Windows\System32\aHjmsSb.exe
  C:\Windows\System32\aHjmsSb.exe
  2⤵
  PID:10756
- C:\Windows\System32\hajcPNu.exe
  C:\Windows\System32\hajcPNu.exe
  2⤵
  PID:10804
- C:\Windows\System32\fOHsFGd.exe
  C:\Windows\System32\fOHsFGd.exe
  2⤵
  PID:10864
- C:\Windows\System32\CcjKqEn.exe
  C:\Windows\System32\CcjKqEn.exe
  2⤵
  PID:11056
- C:\Windows\System32\TApimNJ.exe
  C:\Windows\System32\TApimNJ.exe
  2⤵
  PID:11096
- C:\Windows\System32\nzhsPrY.exe
  C:\Windows\System32\nzhsPrY.exe
  2⤵
  PID:11152
- C:\Windows\System32\oTDItXp.exe
  C:\Windows\System32\oTDItXp.exe
  2⤵
  PID:11208
- C:\Windows\System32\AgEjDCz.exe
  C:\Windows\System32\AgEjDCz.exe
  2⤵
  PID:10292
- C:\Windows\System32\fifOKKp.exe
  C:\Windows\System32\fifOKKp.exe
  2⤵
  PID:10520
- C:\Windows\System32\erHQVOa.exe
  C:\Windows\System32\erHQVOa.exe
  2⤵
  PID:10648
- C:\Windows\System32\WxVtpDe.exe
  C:\Windows\System32\WxVtpDe.exe
  2⤵
  PID:10700
- C:\Windows\System32\LuZfXPz.exe
  C:\Windows\System32\LuZfXPz.exe
  2⤵
  PID:10924
- C:\Windows\System32\WnpcNad.exe
  C:\Windows\System32\WnpcNad.exe
  2⤵
  PID:11052
- C:\Windows\System32\mhqVQtJ.exe
  C:\Windows\System32\mhqVQtJ.exe
  2⤵
  PID:11124
- C:\Windows\System32\SMXJgFX.exe
  C:\Windows\System32\SMXJgFX.exe
  2⤵
  PID:11192
- C:\Windows\System32\TsVbhdO.exe
  C:\Windows\System32\TsVbhdO.exe
  2⤵
  PID:10616
- C:\Windows\System32\ReuHvss.exe
  C:\Windows\System32\ReuHvss.exe
  2⤵
  PID:11024
- C:\Windows\System32\glYiVrK.exe
  C:\Windows\System32\glYiVrK.exe
  2⤵
  PID:10448
- C:\Windows\System32\GEgakrF.exe
  C:\Windows\System32\GEgakrF.exe
  2⤵
  PID:11272
- C:\Windows\System32\fBqhQUs.exe
  C:\Windows\System32\fBqhQUs.exe
  2⤵
  PID:11300
- C:\Windows\System32\RlTCTKm.exe
  C:\Windows\System32\RlTCTKm.exe
  2⤵
  PID:11320
- C:\Windows\System32\YlEbABg.exe
  C:\Windows\System32\YlEbABg.exe
  2⤵
  PID:11336
- C:\Windows\System32\NyaPQmc.exe
  C:\Windows\System32\NyaPQmc.exe
  2⤵
  PID:11360
- C:\Windows\System32\djLAmTH.exe
  C:\Windows\System32\djLAmTH.exe
  2⤵
  PID:11388
- C:\Windows\System32\hzSUZaU.exe
  C:\Windows\System32\hzSUZaU.exe
  2⤵
  PID:11416
- C:\Windows\System32\sFGHmrd.exe
  C:\Windows\System32\sFGHmrd.exe
  2⤵
  PID:11444
- C:\Windows\System32\SWPYISA.exe
  C:\Windows\System32\SWPYISA.exe
  2⤵
  PID:11500
- C:\Windows\System32\MwQANQa.exe
  C:\Windows\System32\MwQANQa.exe
  2⤵
  PID:11520
- C:\Windows\System32\vubXcxp.exe
  C:\Windows\System32\vubXcxp.exe
  2⤵
  PID:11556
- C:\Windows\System32\fDdgWGo.exe
  C:\Windows\System32\fDdgWGo.exe
  2⤵
  PID:11596
- C:\Windows\System32\AnDHXLY.exe
  C:\Windows\System32\AnDHXLY.exe
  2⤵
  PID:11620
- C:\Windows\System32\VeHligb.exe
  C:\Windows\System32\VeHligb.exe
  2⤵
  PID:11652
- C:\Windows\System32\BAyNcwk.exe
  C:\Windows\System32\BAyNcwk.exe
  2⤵
  PID:11668
- C:\Windows\System32\mFdnziS.exe
  C:\Windows\System32\mFdnziS.exe
  2⤵
  PID:11704
- C:\Windows\System32\YfDZECg.exe
  C:\Windows\System32\YfDZECg.exe
  2⤵
  PID:11720
- C:\Windows\System32\ZFqhYJF.exe
  C:\Windows\System32\ZFqhYJF.exe
  2⤵
  PID:11744
- C:\Windows\System32\EPjhsCh.exe
  C:\Windows\System32\EPjhsCh.exe
  2⤵
  PID:11800
- C:\Windows\System32\wLuvBnV.exe
  C:\Windows\System32\wLuvBnV.exe
  2⤵
  PID:11820
- C:\Windows\System32\xGDOZqd.exe
  C:\Windows\System32\xGDOZqd.exe
  2⤵
  PID:11844
- C:\Windows\System32\cnJKgog.exe
  C:\Windows\System32\cnJKgog.exe
  2⤵
  PID:11884
- C:\Windows\System32\zqhkxYZ.exe
  C:\Windows\System32\zqhkxYZ.exe
  2⤵
  PID:11904
- C:\Windows\System32\DbVYWNg.exe
  C:\Windows\System32\DbVYWNg.exe
  2⤵
  PID:11924
- C:\Windows\System32\bJcdIOp.exe
  C:\Windows\System32\bJcdIOp.exe
  2⤵
  PID:11960
- C:\Windows\System32\siyfRrd.exe
  C:\Windows\System32\siyfRrd.exe
  2⤵
  PID:11988
- C:\Windows\System32\UDzlhtX.exe
  C:\Windows\System32\UDzlhtX.exe
  2⤵
  PID:12008
- C:\Windows\System32\DZwxQSk.exe
  C:\Windows\System32\DZwxQSk.exe
  2⤵
  PID:12040
- C:\Windows\System32\lyCWGjj.exe
  C:\Windows\System32\lyCWGjj.exe
  2⤵
  PID:12060
- C:\Windows\System32\ymjrXyo.exe
  C:\Windows\System32\ymjrXyo.exe
  2⤵
  PID:12088
- C:\Windows\System32\pSjFtHg.exe
  C:\Windows\System32\pSjFtHg.exe
  2⤵
  PID:12104
- C:\Windows\System32\bOUlZTI.exe
  C:\Windows\System32\bOUlZTI.exe
  2⤵
  PID:12120
- C:\Windows\System32\iOSYiAH.exe
  C:\Windows\System32\iOSYiAH.exe
  2⤵
  PID:12160
- C:\Windows\System32\NdlOtWr.exe
  C:\Windows\System32\NdlOtWr.exe
  2⤵
  PID:12184
- C:\Windows\System32\DXclFwA.exe
  C:\Windows\System32\DXclFwA.exe
  2⤵
  PID:12248
- C:\Windows\System32\TGiHCWF.exe
  C:\Windows\System32\TGiHCWF.exe
  2⤵
  PID:12276
- C:\Windows\System32\RFmrlrn.exe
  C:\Windows\System32\RFmrlrn.exe
  2⤵
  PID:11236
- C:\Windows\System32\vzfFakc.exe
  C:\Windows\System32\vzfFakc.exe
  2⤵
  PID:11288
- C:\Windows\System32\KXiTKKq.exe
  C:\Windows\System32\KXiTKKq.exe
  2⤵
  PID:11380
- C:\Windows\System32\WEbsnSO.exe
  C:\Windows\System32\WEbsnSO.exe
  2⤵
  PID:11432
- C:\Windows\System32\pHWZcMs.exe
  C:\Windows\System32\pHWZcMs.exe
  2⤵
  PID:11476
- C:\Windows\System32\cJcDAjw.exe
  C:\Windows\System32\cJcDAjw.exe
  2⤵
  PID:11580
- C:\Windows\System32\MhyWlpz.exe
  C:\Windows\System32\MhyWlpz.exe
  2⤵
  PID:11604
- C:\Windows\System32\jfBHbMw.exe
  C:\Windows\System32\jfBHbMw.exe
  2⤵
  PID:11692
- C:\Windows\System32\GwqqXmA.exe
  C:\Windows\System32\GwqqXmA.exe
  2⤵
  PID:11780
- C:\Windows\System32\VllmsmN.exe
  C:\Windows\System32\VllmsmN.exe
  2⤵
  PID:11840
- C:\Windows\System32\kDJmvBu.exe
  C:\Windows\System32\kDJmvBu.exe
  2⤵
  PID:11868
- C:\Windows\System32\WPHMTYq.exe
  C:\Windows\System32\WPHMTYq.exe
  2⤵
  PID:11940
- C:\Windows\System32\cTIFxyt.exe
  C:\Windows\System32\cTIFxyt.exe
  2⤵
  PID:12024
- C:\Windows\System32\EaGwopG.exe
  C:\Windows\System32\EaGwopG.exe
  2⤵
  PID:12032
- C:\Windows\System32\uLdxZsw.exe
  C:\Windows\System32\uLdxZsw.exe
  2⤵
  PID:12080
- C:\Windows\System32\IfyqtcB.exe
  C:\Windows\System32\IfyqtcB.exe
  2⤵
  PID:12156
- C:\Windows\System32\IKTbfto.exe
  C:\Windows\System32\IKTbfto.exe
  2⤵
  PID:12232
- C:\Windows\System32\vJhifVi.exe
  C:\Windows\System32\vJhifVi.exe
  2⤵
  PID:12220
- C:\Windows\System32\CpaqbZN.exe
  C:\Windows\System32\CpaqbZN.exe
  2⤵
  PID:12268
- C:\Windows\System32\dVHmxof.exe
  C:\Windows\System32\dVHmxof.exe
  2⤵
  PID:11716
- C:\Windows\System32\yTqEaYm.exe
  C:\Windows\System32\yTqEaYm.exe
  2⤵
  PID:11712
- C:\Windows\System32\cnKVisn.exe
  C:\Windows\System32\cnKVisn.exe
  2⤵
  PID:11920
- C:\Windows\System32\urhQrPE.exe
  C:\Windows\System32\urhQrPE.exe
  2⤵
  PID:12076
- C:\Windows\System32\gXkIZsE.exe
  C:\Windows\System32\gXkIZsE.exe
  2⤵
  PID:12168
- C:\Windows\System32\TGSmgvJ.exe
  C:\Windows\System32\TGSmgvJ.exe
  2⤵
  PID:11352
- C:\Windows\System32\ROatmmA.exe
  C:\Windows\System32\ROatmmA.exe
  2⤵
  PID:12284
- C:\Windows\System32\iGETBjH.exe
  C:\Windows\System32\iGETBjH.exe
  2⤵
  PID:4880
- C:\Windows\System32\EjHYbXy.exe
  C:\Windows\System32\EjHYbXy.exe
  2⤵
  PID:12180
- C:\Windows\System32\gRUKfQp.exe
  C:\Windows\System32\gRUKfQp.exe
  2⤵
  PID:10856
- C:\Windows\System32\jAxGdxj.exe
  C:\Windows\System32\jAxGdxj.exe
  2⤵
  PID:2008
- C:\Windows\System32\xBjVQMk.exe
  C:\Windows\System32\xBjVQMk.exe
  2⤵
  PID:12216
- C:\Windows\System32\SzAEwWc.exe
  C:\Windows\System32\SzAEwWc.exe
  2⤵
  PID:11968
- C:\Windows\System32\ZPzwmez.exe
  C:\Windows\System32\ZPzwmez.exe
  2⤵
  PID:12300
- C:\Windows\System32\YWttWmQ.exe
  C:\Windows\System32\YWttWmQ.exe
  2⤵
  PID:12332
- C:\Windows\System32\CcDntnj.exe
  C:\Windows\System32\CcDntnj.exe
  2⤵
  PID:12356
- C:\Windows\System32\hTxNgrl.exe
  C:\Windows\System32\hTxNgrl.exe
  2⤵
  PID:12392
- C:\Windows\System32\AwTHkpd.exe
  C:\Windows\System32\AwTHkpd.exe
  2⤵
  PID:12412
- C:\Windows\System32\QhBBgHY.exe
  C:\Windows\System32\QhBBgHY.exe
  2⤵
  PID:12440
- C:\Windows\System32\nLpvzlC.exe
  C:\Windows\System32\nLpvzlC.exe
  2⤵
  PID:12468
- C:\Windows\System32\ZulosNc.exe
  C:\Windows\System32\ZulosNc.exe
  2⤵
  PID:12488
- C:\Windows\System32\VJcVMUk.exe
  C:\Windows\System32\VJcVMUk.exe
  2⤵
  PID:12532
- C:\Windows\System32\nSVdQmX.exe
  C:\Windows\System32\nSVdQmX.exe
  2⤵
  PID:12552
- C:\Windows\System32\XjpcnDR.exe
  C:\Windows\System32\XjpcnDR.exe
  2⤵
  PID:12568
- C:\Windows\System32\JDVhDjM.exe
  C:\Windows\System32\JDVhDjM.exe
  2⤵
  PID:12604
- C:\Windows\System32\mlIGLiJ.exe
  C:\Windows\System32\mlIGLiJ.exe
  2⤵
  PID:12636
- C:\Windows\System32\RYmhCAO.exe
  C:\Windows\System32\RYmhCAO.exe
  2⤵
  PID:12660
- C:\Windows\System32\rVHXNtU.exe
  C:\Windows\System32\rVHXNtU.exe
  2⤵
  PID:12676
- C:\Windows\System32\RViYwuh.exe
  C:\Windows\System32\RViYwuh.exe
  2⤵
  PID:12704
- C:\Windows\System32\mQXpItP.exe
  C:\Windows\System32\mQXpItP.exe
  2⤵
  PID:12756
- C:\Windows\System32\VUySKhM.exe
  C:\Windows\System32\VUySKhM.exe
  2⤵
  PID:12776
- C:\Windows\System32\oMThVRm.exe
  C:\Windows\System32\oMThVRm.exe
  2⤵
  PID:12800
- C:\Windows\System32\aURicTB.exe
  C:\Windows\System32\aURicTB.exe
  2⤵
  PID:12828
- C:\Windows\System32\WlKrCyv.exe
  C:\Windows\System32\WlKrCyv.exe
  2⤵
  PID:12844
- C:\Windows\System32\BvFhGdu.exe
  C:\Windows\System32\BvFhGdu.exe
  2⤵
  PID:12900
- C:\Windows\System32\OdoLHQg.exe
  C:\Windows\System32\OdoLHQg.exe
  2⤵
  PID:12924
- C:\Windows\System32\CzTcnTz.exe
  C:\Windows\System32\CzTcnTz.exe
  2⤵
  PID:12948
- C:\Windows\System32\YZzyyMP.exe
  C:\Windows\System32\YZzyyMP.exe
  2⤵
  PID:12976
- C:\Windows\System32\jyCkAyJ.exe
  C:\Windows\System32\jyCkAyJ.exe
  2⤵
  PID:12996
- C:\Windows\System32\NVHQHIm.exe
  C:\Windows\System32\NVHQHIm.exe
  2⤵
  PID:13056
- C:\Windows\System32\VpMNDdq.exe
  C:\Windows\System32\VpMNDdq.exe
  2⤵
  PID:13076
- C:\Windows\System32\qrOkruD.exe
  C:\Windows\System32\qrOkruD.exe
  2⤵
  PID:13092
- C:\Windows\System32\DGBktlM.exe
  C:\Windows\System32\DGBktlM.exe
  2⤵
  PID:13112
- C:\Windows\System32\AqikwBC.exe
  C:\Windows\System32\AqikwBC.exe
  2⤵
  PID:13152
- C:\Windows\System32\QajCOFY.exe
  C:\Windows\System32\QajCOFY.exe
  2⤵
  PID:13172
- C:\Windows\System32\lahdkum.exe
  C:\Windows\System32\lahdkum.exe
  2⤵
  PID:13192
- C:\Windows\System32\PWlKgoB.exe
  C:\Windows\System32\PWlKgoB.exe
  2⤵
  PID:13228
- C:\Windows\System32\IcfXVoj.exe
  C:\Windows\System32\IcfXVoj.exe
  2⤵
  PID:13276
- C:\Windows\System32\fKECSGy.exe
  C:\Windows\System32\fKECSGy.exe
  2⤵
  PID:13292
- C:\Windows\System32\fLEKACH.exe
  C:\Windows\System32\fLEKACH.exe
  2⤵
  PID:12316
- C:\Windows\System32\AsjfdtO.exe
  C:\Windows\System32\AsjfdtO.exe
  2⤵
  PID:12388
- C:\Windows\System32\ODMnQyW.exe
  C:\Windows\System32\ODMnQyW.exe
  2⤵
  PID:12460
- C:\Windows\System32\CShoPAt.exe
  C:\Windows\System32\CShoPAt.exe
  2⤵
  PID:12548
- C:\Windows\System32\NjsxUNK.exe
  C:\Windows\System32\NjsxUNK.exe
  2⤵
  PID:12504
- C:\Windows\System32\DKNEWrZ.exe
  C:\Windows\System32\DKNEWrZ.exe
  2⤵
  PID:12644
- C:\Windows\System32\ikGXrXu.exe
  C:\Windows\System32\ikGXrXu.exe
  2⤵
  PID:12648
- C:\Windows\System32\wecwuTu.exe
  C:\Windows\System32\wecwuTu.exe
  2⤵
  PID:12736
- C:\Windows\System32\YNdGufc.exe
  C:\Windows\System32\YNdGufc.exe
  2⤵
  PID:12816
- C:\Windows\System32\jSHCZyt.exe
  C:\Windows\System32\jSHCZyt.exe
  2⤵
  PID:12872
- C:\Windows\System32\utYmnSD.exe
  C:\Windows\System32\utYmnSD.exe
  2⤵
  PID:12992
- C:\Windows\System32\YnoCkeA.exe
  C:\Windows\System32\YnoCkeA.exe
  2⤵
  PID:13004
- C:\Windows\System32\VgxxoYD.exe
  C:\Windows\System32\VgxxoYD.exe
  2⤵
  PID:13064

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DddVgMf.exe

Filesize
1.2MB

MD5
e5ca5ebb7e421c8d39edf8a2005f986e

SHA1
cf8077a329f5e1120be43287fd59e4485bf3ff70

SHA256
a3123940d2df47c99f1f84ec7c329ffae8c24ceb7f4228c66794d6bdc5abbc90

SHA512
71069abc90dec72787422ff67837c19fee2376b176467e581f1f2df1f37bcb2a4fbdd618d1c5297f2babcc8161129b460d6913f3b6d02dbf6e8437e8c5777e12

Download Submit
C:\Windows\System32\FjUuUox.exe

Filesize
1.2MB

MD5
ebc26400dea84d8c6d9f037276d6e391

SHA1
2289d169e39d7f7c03f59b6ab1174cab8e4282a8

SHA256
5c1320c4336efe5df317b443ca1274044c5ecbf8ae979f86c960873d0a7b1b90

SHA512
da41fb9d50b98f64b914e48b1f0a64b20641d274e2206208d17717aa97041c0c3e7a6cce0bd81415d0e7d2a1272e223f637854070c305b15a45c00341607318e

Download Submit
C:\Windows\System32\IASXOij.exe

Filesize
1.2MB

MD5
cd105b8f38be96b32642604e0a060850

SHA1
3794bab7b9f13e16626ee50175f881ed4fc25d9c

SHA256
7fefb3f8dd6c48204772d467f5962cc204889dd7a5c62aac1bc7dc4ade6ce221

SHA512
00179d8a2f2b23a219afccfcfe9043517d2328d0359980f675494305894701d84ad7487a28013204e436201cf9655030f55c8bd7273affce675cb717f215be96

Download Submit
C:\Windows\System32\IHazbGF.exe

Filesize
1.2MB

MD5
724acf578ca6ebf3c3c23a299dc9a618

SHA1
e2a14fba9c176c1bacd84b0882ffdf885283e7f6

SHA256
16c009ccfa0f8b9973486cfbefe6582df48cdd5449ea8945c1416b4f66d77241

SHA512
f74bd73e13875aefe94b6a72411b5effc046f6a777dac7eef1f399cdfa0da29431674ded7be30942fd9b5fdcab08c58ea64d8c179937d751e479766f8883576f

Download Submit
C:\Windows\System32\KOjolwi.exe

Filesize
1.2MB

MD5
77a26a140e576a6432837eae32848167

SHA1
07adca6a51e34da1a3fc59eeefcee7e29b85fbcb

SHA256
e8084be339517fc9c3c083a0af43e7661d73ad3b2b3ce5fa801117948145a8d7

SHA512
cb4499cf6c112e83688defb130effa8bd15f567fc9933eb6f79f82cc0a35130f545b6d4f3881edf8e1b3a638cb2889dbecc9d09b6cb8998f927f09fb7d7c454c

Download Submit
C:\Windows\System32\PHPHaUw.exe

Filesize
1.2MB

MD5
6c23f5e7cd4e31dd390ca66946ea8808

SHA1
f5180011bb1788676cfe476a06f4d98873cc5134

SHA256
ea54e1b9d66293a8a1f9806fe560eb49802c2c5c45fb0a66ec5c4d54cf175a53

SHA512
5c55df07bd005f9f14b8da2aa24ab1c1e3099d0894db64bf0bb2bcad96523f4a49d1d35d61ab8460813ebf7a22157621b5a783a438c43283750b34ead43891a9

Download Submit
C:\Windows\System32\PHwydpJ.exe

Filesize
1.2MB

MD5
f0fbd5762361f235ba734c6bae39dd13

SHA1
c0ec4656e69efa955c3661a107006647b8298b20

SHA256
23635d97be552c0bfe7800a8a1bac5904407eb54edcd5af2baf45e832404409d

SHA512
3d202a72dcf7ab6f2dcbf7b869d627f72439d6f9e36ed8fdda532599014b53501688dd2ce87e6bbd55bbf0839b3bea5663cbd08bfe206ed326c2d875abd9e68a

Download Submit
C:\Windows\System32\PjpEZPg.exe

Filesize
1.2MB

MD5
8f145404e52b53019389fe89fdd9a7a7

SHA1
198349acad25e8d5d74c460eff8a24804ee855ec

SHA256
3fd7287132dcb7172826c51a48ed1f6e81769f9031e3f9411542144f60d0c6d9

SHA512
2bf155c405bd2bbb0cf68e7fbfc5cb125ddf714f4574e2d82727ffb352e850f5c803d194524ad22a5b721761bd359042852bf432fcce7427d5023311818f771f

Download Submit
C:\Windows\System32\PnQDJJy.exe

Filesize
1.2MB

MD5
770acedda5723fc3e19c4671942c97a7

SHA1
172749d74df02afba095cde2d5821b0f65c3064f

SHA256
7fe142948c98aea6debed05840d1898f802b7ac5528d6e727f936d779f762659

SHA512
703ff568fd1d373b6effd5fe34bd3e2ad54ba1768975d1917a293bfc5073fcef0edc414e763e3fa9c2e81114a5121f01545b22a1d3074d5fdadbfd0b700b47a5

Download Submit
C:\Windows\System32\XUaEVhs.exe

Filesize
1.2MB

MD5
17b1160a3989c8f88a519554e885b10c

SHA1
58ab2ecc11baaf18f8c7279036c2775f877147b9

SHA256
248b8752029bea22da9af7c26f26822e356ef97d5ad067d4ce7bb28c453e49bb

SHA512
474166e79aa289b98f14f1f03b2423ee98aa5acfe2c5005b64489824924e3b581fe9142bd089bf4cb2b8666f6dca87d5ea2eb5378299bc21c2a85f8d6b9dfc22

Download Submit
C:\Windows\System32\YOTwUuY.exe

Filesize
1.2MB

MD5
cf0abeb88c7cc3b3acc7e9c697fef085

SHA1
9ecf87f9ab0ff993bd1b668d16ef18b2bdc2f750

SHA256
b0fa91c95bbdd89e9e87a6a6c43e26fa54acdcfb0d28ac7d19ca147d2b95457a

SHA512
399be378a54a884a463c12436ea0b2892aa2f7f86474e7c85ddfbf2563507205eff073ea32f2be7b8cd8819b967d05ee67227b42de176390cb6e8f6dd0edbd91

Download Submit
C:\Windows\System32\aQAuVHz.exe

Filesize
1.2MB

MD5
7a779d9e89c9d80bc0e684cccb87d132

SHA1
116a4fa2950c49d5622dd352378cca992161c6cc

SHA256
e59ccc00ea2cc3faa8fe7a3d1fdc92388eb4a384c071cc1d411381e4b8fbfb7d

SHA512
1e9777170a65ea6b2b9684cb9de4edf62e61bc4660c03f2f2ee6bfc39263565de917a5c1331ca427b2d4ac37fac5fc1e83377befa811bf93be7387f1c2fbd374

Download Submit
C:\Windows\System32\bMMUkCm.exe

Filesize
1.2MB

MD5
b2bc64a8cbf5ce6f833c927b5faa46ca

SHA1
ec8a1f4ac8d4f32b09f1bbc2f7a1fc4880d199e2

SHA256
cca1b52b3248cd85ff08e74a2f865e9660c52d34165772db3c3352f8868c4305

SHA512
8dc97250b29ce5f84ac1ba917fa1dbc065f4e62a2e6572445ae614976d7c9fa6321946acb02d142c053559fa4cc42c15d2f8755ee7d680641880ba806f0081ae

Download Submit
C:\Windows\System32\bVYngPP.exe

Filesize
1.2MB

MD5
d14baf3238249d0cd99c8c73268e4611

SHA1
d2f2e296d81052e19156f54ebd121d07a9f99db9

SHA256
8a3785655a9dc46f93e399c4bc23bdb884f518d5a480b33a07c4a1bc1229227e

SHA512
230af41a2fbd4e59cc2f910af0cb58a698a8904411e52cf2a2705972f37e2bb656c0f0a9875f1464e7eb130f0003508ade9ce826d1d0a935fe00cd494341c140

Download Submit
C:\Windows\System32\deGXMPk.exe

Filesize
1.2MB

MD5
456f05ad130a44eacc350cf3c5acd42a

SHA1
24a19e6b7fde6d42cde94ccc063492e6e8049a99

SHA256
9ee79ac109bcbd93bf4e666ebb9b1400e6393afdfea04d6897207fd79c09e1c7

SHA512
f847979fece53e89c07761f9bf8ae32a0243f8f1625e57306b21063d6162a25e3add045349e67b0dbdab7f75f21e3f1c8c5d9757d9a48f4415a4a1a6c656f5c2

Download Submit
C:\Windows\System32\dppnBlh.exe

Filesize
1.2MB

MD5
c44f8c7bbbd5dae3686dbfac66dfaaaa

SHA1
e3f2a9b8a76a5f9eebb45e8d849f46f4220cddcd

SHA256
03dd5ad37cc1ba8939707723173c97524698fb5dd4b5485c2ba8d24edde370a9

SHA512
06683761eb912abecb371bd47901bfdc51f27f7fbca30c4c8fc13a6d9eee64f1bfbfeed1d2b0cf3b4648d78d5258c9798a7b1168fd2b135160b924168f8a5692

Download Submit
C:\Windows\System32\dzgBhob.exe

Filesize
1.2MB

MD5
454fb8cbbc1c9ad4e8821d9b22d9c2cf

SHA1
7702224350d70c50d9ff32b7f3998aa5dae2aa8e

SHA256
41452667601ed65feafc796febc0ae5edd5b7b928aee9b198a1178fc76b43907

SHA512
93e288173ae8ed19b958201e32da3ce406a34e7647125c74cdbf0ced0d29fc813df556524b814df319ffc3fc465ac499cc4f4421fa1104c434208f31738c5913

Download Submit
C:\Windows\System32\lwFsDuX.exe

Filesize
1.2MB

MD5
2ea43b7262ab9969a4d81ae152356a3c

SHA1
33ec499d1f72dc181c54b27f6885471203ec5c37

SHA256
4768159fc0aa0aa36f13f0916b55cb73f3d602bba238b985565184baeb2e401c

SHA512
0da9c898c22c2315ffb7b9cfa0d72a86fafabe72804e40bea0243b19d22d19ea23914df325109fbc18e8726b16e05bb094b22d07902a0a9f7bc620f9ebd70986

Download Submit
C:\Windows\System32\mCsWPPn.exe

Filesize
1.2MB

MD5
d45a80d29d7a000f267d0350ba85cd82

SHA1
fdbcdc3eb3de03d519e603e1d1f27c3b23c2a104

SHA256
b41da6a358a778b8bbe5fcd9a845a11d69b00f6d3d448f1b3129d3bdb1179a04

SHA512
e2854d96aaffa74ea5f40f7f5db39653a980d810879e081701f88ad524f4b8c624bc9e432e70e259fc3b658496114ef2fff300f7cba411891230232d43455d66

Download Submit
C:\Windows\System32\mFjUpYo.exe

Filesize
1.2MB

MD5
4d079d807ed46cbce7a3d7520eb0b1e5

SHA1
82c2abcc327f211169071d0ddd05c55dd610bbef

SHA256
7418c10d22757fba5c10b70eefaabde0fe519c5ef607de0cb78835c8d3e452bf

SHA512
168c18449a2afb515615d968e1585d1af5b7f978b5d3d61467d3d855b7802e214e3d69e688be796b17e637b5cbe112013bba095ef96a521d29981a0d6e574c9b

Download Submit
C:\Windows\System32\nBXTEnb.exe

Filesize
1.2MB

MD5
43d871ba250dd9399475c9e50818af0a

SHA1
6555b79372abe989af6726fd8258b0cf8f590ec6

SHA256
753b86dd7d96922bf03e9a43588d3d0a0ed760ef7669976c2144b36ffb5a25af

SHA512
3c7b7b3f1477f46a8673f47953b61301c2be66151f5f1167fa1c88b9ae487604eacb1b578a18d6b96d75acbf434253e47443b95567e4118881b142d980253196

Download Submit
C:\Windows\System32\nrqFMmh.exe

Filesize
1.2MB

MD5
23715f71c7b19ac0a4dccf33da7eeb28

SHA1
3198799c5b820ccc71641793cbfa5be48bbc8440

SHA256
d39aa297d2e614ea229c4fdb1c0b8dc686a75439b0063d406b9f2ac40f7f616e

SHA512
563ae59463fb7413b077d7d775b4fccdb211849b339238d366b3e379b70ab4c14da9b3636f51f8ba4caba0842aa8e031f1d4fb075224bec663abd59a310d9a4f

Download Submit
C:\Windows\System32\oGIAxza.exe

Filesize
1.2MB

MD5
fc15d32f916adaabd83f5d0a8d1116f7

SHA1
f364944248ed2162144d352320db3b5caa58b98f

SHA256
0df2a5ae6b5fe30185244dd92774a419d7076de65e218b29bca8694a6ce7162d

SHA512
7c196a66511efbc1d10545353b9bf5bce2386d0acd25d85d10f677308584688d6866e4943a1233da9299342e1d82d18f3f20a11711c7213980c9084acbcbfe8e

Download Submit
C:\Windows\System32\oGvqFdo.exe

Filesize
1.2MB

MD5
b1914a776ae32c910d85d9a571ad6255

SHA1
eb85c16f1425a79e2360a2a28b6c2507ee4a02d3

SHA256
144cfddb028fd7a50e5e67fa5cc2c5a4627047638b3e51eef562f859a51be7d7

SHA512
f84f85fe6806cd1462572b7d2f2b52ed30536fb95572daac30f29e475e27d511683ab2589a9cf5735d595a546c8331d704df1b15cccde8dd847fb236ee4c3671

Download Submit
C:\Windows\System32\oKAerMk.exe

Filesize
1.2MB

MD5
f640e69e80ab9879f62cbac3fd17bae6

SHA1
87d13710c0e54193d115438b426a6459aa64f855

SHA256
e79f40be968bead8ddb748ca4e5bd72fac662263ac30bbafaf044baac8f94e7b

SHA512
5b42c43fb315b5714737a88899d92a479614c64f1d0dd57607fc08837f76fc6764f03934b8ef79db937fd96c48c4d605edb3087dd052bc68f92315fda2f3ac8d

Download Submit
C:\Windows\System32\orIvQNB.exe

Filesize
1.2MB

MD5
aa193fb26d687bbf8917e3580278cfc9

SHA1
5d426b1f56ec8798ff251b9f6927336dfbbec87c

SHA256
0d032588b7f541353501a11fe1a48494215e4617056add7d554d6cb6eb267aa9

SHA512
7276cee6f27813d1fdee2e9453d53d4b3514c0743a60e63b0b9cef12e020d7b55ad457064be40b0b4a5a1649cbd8c5bd8898f00eeaeb03aecf50450e3f1de444

Download Submit
C:\Windows\System32\pLBdWXZ.exe

Filesize
1.2MB

MD5
b2f38719c5ea7221d685961f0892a4cf

SHA1
5645e07b007568009c32045217a028aa9bf7e96d

SHA256
1bc7179c9353eab949a2df48a3eb9f8a774fa61e092b6732d19c0b7b93dc70a8

SHA512
a53244dd73bf6e6f06dbf8832b132bf0dd374a88553364ab5094e6fe6bdec800b1c62041c8a553e61ba3191b7ea9ffc6c608ceed31b267f29b8811f0aa36a7d2

Download Submit
C:\Windows\System32\rFTJkfN.exe

Filesize
1.2MB

MD5
daba8c1b2bcbb33febe2edb6e24ac362

SHA1
eb1da89163893b6dc5f3b2bce91d0b61408752e5

SHA256
bf475cd97d76bbeaca538c03f418caada98a2f54d78a5879cb60cccfc612ea6d

SHA512
0c496b9c376adc341990102f1db0e1aff87055359fa92e54d07fe10ae19fd4d5402b39772aa4e457264bab1530c6e90890db0c1f5f53e1b0ab2c02144f0f4ac5

Download Submit
C:\Windows\System32\tubogmE.exe

Filesize
1.2MB

MD5
7f95937e7dea96b5ba50f31846775ba9

SHA1
5406f97d0578bc171aba765c9f8c12063500035b

SHA256
a72b5cdd87b81416ba0d028846c981eb410bad966cfa06a918bc13789766dd7b

SHA512
06c3341aa7e7af882312d7e5e350faddab8d4804c85fd3e9375372d7acbe143c041fe16a02badf43e3514100ed22ef6ee099a2b3977b3c91fbc7d071676dbc3e

Download Submit
C:\Windows\System32\uPdQNiS.exe

Filesize
1.2MB

MD5
ce82b07353786bfceb1569741467c4d9

SHA1
e8ecd7eb4d4d3e9243ddc8d0dfbed93a743bb133

SHA256
87b102ea5237033c53c550644f63ae223e8b8e7298620bca43360520dfd41968

SHA512
6437f8482b84bc1f8f9e201ba5d33075bb3ceea749a10154da33c0fcad8c20848bf39b318b547e236f58e1ef1a3b467c48f631d9efa68d14052d1e5f7bc4c8c3

Download Submit
C:\Windows\System32\xCdyghH.exe

Filesize
1.2MB

MD5
fc7c545b77cb133e0b3fa452d65adc49

SHA1
d148cea44def5c71896d48f4c163eb94f167a896

SHA256
459c7b943ad2cc1fa3e50b716a5f1c58de72f3611d3eff231ed90fc186954e7b

SHA512
53619c8350c600f8914df8353fa50262ba60854e7184838e5afa0522dfbbf17ec8248b85ef38d8ad3a3ac7ed0bd0f5b089d4e6d7f1b57665c88812959f4afb9d

Download Submit
C:\Windows\System32\xObXFUA.exe

Filesize
1.2MB

MD5
88ad1d8d784e89fb8498ea903a9b156c

SHA1
f879d5434a33adf29f377f54b3e63c99793a3e26

SHA256
68443e78983afafbe5c720df80df2bece4627c9640807e1b1a9e7929b958d4b8

SHA512
0b1121a672eb7613783fd07d85580660e5cc41a9d124643b7cbe974bbceeebcb5060bba17d882fb1712622484c37de304f359c33bbf7786a4aa65b7fcb00947f

Download Submit
memory/656-386-0x00007FF6889F0000-0x00007FF688DE1000-memory.dmp

Filesize
3.9MB

Download
memory/656-2097-0x00007FF6889F0000-0x00007FF688DE1000-memory.dmp

Filesize
3.9MB

Download
memory/1004-2024-0x00007FF7B8A30000-0x00007FF7B8E21000-memory.dmp

Filesize
3.9MB

Download
memory/1004-64-0x00007FF7B8A30000-0x00007FF7B8E21000-memory.dmp

Filesize
3.9MB

Download
memory/1004-2062-0x00007FF7B8A30000-0x00007FF7B8E21000-memory.dmp

Filesize
3.9MB

Download
memory/1124-2093-0x00007FF7669E0000-0x00007FF766DD1000-memory.dmp

Filesize
3.9MB

Download
memory/1124-381-0x00007FF7669E0000-0x00007FF766DD1000-memory.dmp

Filesize
3.9MB

Download
memory/1164-2040-0x00007FF7FAFF0000-0x00007FF7FB3E1000-memory.dmp

Filesize
3.9MB

Download
memory/1164-31-0x00007FF7FAFF0000-0x00007FF7FB3E1000-memory.dmp

Filesize
3.9MB

Download
memory/1576-396-0x00007FF67F7B0000-0x00007FF67FBA1000-memory.dmp

Filesize
3.9MB

Download
memory/1576-2095-0x00007FF67F7B0000-0x00007FF67FBA1000-memory.dmp

Filesize
3.9MB

Download
memory/1800-367-0x00007FF648310000-0x00007FF648701000-memory.dmp

Filesize
3.9MB

Download
memory/1800-2076-0x00007FF648310000-0x00007FF648701000-memory.dmp

Filesize
3.9MB

Download
memory/1804-2039-0x00007FF7DDC70000-0x00007FF7DE061000-memory.dmp

Filesize
3.9MB

Download
memory/1804-32-0x00007FF7DDC70000-0x00007FF7DE061000-memory.dmp

Filesize
3.9MB

Download
memory/1980-2068-0x00007FF673270000-0x00007FF673661000-memory.dmp

Filesize
3.9MB

Download
memory/1980-78-0x00007FF673270000-0x00007FF673661000-memory.dmp

Filesize
3.9MB

Download
memory/2188-1989-0x00007FF6FE800000-0x00007FF6FEBF1000-memory.dmp

Filesize
3.9MB

Download
memory/2188-2034-0x00007FF6FE800000-0x00007FF6FEBF1000-memory.dmp

Filesize
3.9MB

Download
memory/2188-19-0x00007FF6FE800000-0x00007FF6FEBF1000-memory.dmp

Filesize
3.9MB

Download
memory/2260-398-0x00007FF7B5130000-0x00007FF7B5521000-memory.dmp

Filesize
3.9MB

Download
memory/2260-2066-0x00007FF7B5130000-0x00007FF7B5521000-memory.dmp

Filesize
3.9MB

Download
memory/2712-2023-0x00007FF713AD0000-0x00007FF713EC1000-memory.dmp

Filesize
3.9MB

Download
memory/2712-2060-0x00007FF713AD0000-0x00007FF713EC1000-memory.dmp

Filesize
3.9MB

Download
memory/2712-43-0x00007FF713AD0000-0x00007FF713EC1000-memory.dmp

Filesize
3.9MB

Download
memory/3064-2025-0x00007FF7CAE10000-0x00007FF7CB201000-memory.dmp

Filesize
3.9MB

Download
memory/3064-2072-0x00007FF7CAE10000-0x00007FF7CB201000-memory.dmp

Filesize
3.9MB

Download
memory/3064-85-0x00007FF7CAE10000-0x00007FF7CB201000-memory.dmp

Filesize
3.9MB

Download
memory/3428-373-0x00007FF750D80000-0x00007FF751171000-memory.dmp

Filesize
3.9MB

Download
memory/3428-2105-0x00007FF750D80000-0x00007FF751171000-memory.dmp

Filesize
3.9MB

Download
memory/3724-376-0x00007FF63D820000-0x00007FF63DC11000-memory.dmp

Filesize
3.9MB

Download
memory/3724-2099-0x00007FF63D820000-0x00007FF63DC11000-memory.dmp

Filesize
3.9MB

Download
memory/3744-2074-0x00007FF77E2C0000-0x00007FF77E6B1000-memory.dmp

Filesize
3.9MB

Download
memory/3744-411-0x00007FF77E2C0000-0x00007FF77E6B1000-memory.dmp

Filesize
3.9MB

Download
memory/4112-2103-0x00007FF78B5B0000-0x00007FF78B9A1000-memory.dmp

Filesize
3.9MB

Download
memory/4112-371-0x00007FF78B5B0000-0x00007FF78B9A1000-memory.dmp

Filesize
3.9MB

Download
memory/4232-2101-0x00007FF7021A0000-0x00007FF702591000-memory.dmp

Filesize
3.9MB

Download
memory/4232-375-0x00007FF7021A0000-0x00007FF702591000-memory.dmp

Filesize
3.9MB

Download
memory/4252-71-0x00007FF6F9500000-0x00007FF6F98F1000-memory.dmp

Filesize
3.9MB

Download
memory/4252-2058-0x00007FF6F9500000-0x00007FF6F98F1000-memory.dmp

Filesize
3.9MB

Download
memory/4536-2091-0x00007FF7A9A60000-0x00007FF7A9E51000-memory.dmp

Filesize
3.9MB

Download
memory/4536-388-0x00007FF7A9A60000-0x00007FF7A9E51000-memory.dmp

Filesize
3.9MB

Download
memory/4584-2032-0x00007FF70F270000-0x00007FF70F661000-memory.dmp

Filesize
3.9MB

Download
memory/4584-9-0x00007FF70F270000-0x00007FF70F661000-memory.dmp

Filesize
3.9MB

Download
memory/4680-2037-0x00007FF6BD2A0000-0x00007FF6BD691000-memory.dmp

Filesize
3.9MB

Download
memory/4680-30-0x00007FF6BD2A0000-0x00007FF6BD691000-memory.dmp

Filesize
3.9MB

Download
memory/4680-1990-0x00007FF6BD2A0000-0x00007FF6BD691000-memory.dmp

Filesize
3.9MB

Download
memory/4848-2027-0x00007FF6E2000000-0x00007FF6E23F1000-memory.dmp

Filesize
3.9MB

Download
memory/4848-0-0x00007FF6E2000000-0x00007FF6E23F1000-memory.dmp

Filesize
3.9MB

Download
memory/4848-1-0x0000019332FE0000-0x0000019332FF0000-memory.dmp

Filesize
64KB

Download
memory/4872-2070-0x00007FF724A50000-0x00007FF724E41000-memory.dmp

Filesize
3.9MB

Download
memory/4872-407-0x00007FF724A50000-0x00007FF724E41000-memory.dmp

Filesize
3.9MB

Download
memory/5000-2078-0x00007FF69F530000-0x00007FF69F921000-memory.dmp

Filesize
3.9MB

Download
memory/5000-414-0x00007FF69F530000-0x00007FF69F921000-memory.dmp

Filesize
3.9MB

Download
memory/5076-80-0x00007FF602A50000-0x00007FF602E41000-memory.dmp

Filesize
3.9MB

Download
memory/5076-2064-0x00007FF602A50000-0x00007FF602E41000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads