xmrig | ef891a181b8dd4a00ee0e6b5b84b5bf74039b143e373343a60461252be89404a

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
Size

1020KB
MD5

8ed8598b4b4bc8642e74010cabeb3898
SHA1

134ad60b8e6a10fba7166117a47226ab681c088e
SHA256

ef891a181b8dd4a00ee0e6b5b84b5bf74039b143e373343a60461252be89404a
SHA512

773d4019c87c125829d5bfda4e37bdba0173f68d1cb78c9869a1b8a32903a6d07128b76d8e728f05930baefcac520cd4747bc368187936d21bc043ad21f3af53
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zEeBv:knw9oUUEEDl37jcq4B

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1316-88-0x00007FF6295C0000-0x00007FF6299B1000-memory.dmp	xmrig
behavioral2/memory/1064-380-0x00007FF68FCE0000-0x00007FF6900D1000-memory.dmp	xmrig
behavioral2/memory/2692-382-0x00007FF617A60000-0x00007FF617E51000-memory.dmp	xmrig
behavioral2/memory/2840-89-0x00007FF75B800000-0x00007FF75BBF1000-memory.dmp	xmrig
behavioral2/memory/760-83-0x00007FF610BF0000-0x00007FF610FE1000-memory.dmp	xmrig
behavioral2/memory/4192-80-0x00007FF756E20000-0x00007FF757211000-memory.dmp	xmrig
behavioral2/memory/2756-78-0x00007FF6D1A30000-0x00007FF6D1E21000-memory.dmp	xmrig
behavioral2/memory/4064-75-0x00007FF63B1E0000-0x00007FF63B5D1000-memory.dmp	xmrig
behavioral2/memory/892-71-0x00007FF78B430000-0x00007FF78B821000-memory.dmp	xmrig
behavioral2/memory/2996-62-0x00007FF7D5E00000-0x00007FF7D61F1000-memory.dmp	xmrig
behavioral2/memory/4664-61-0x00007FF64FF90000-0x00007FF650381000-memory.dmp	xmrig
behavioral2/memory/1424-52-0x00007FF7EF600000-0x00007FF7EF9F1000-memory.dmp	xmrig
behavioral2/memory/2672-22-0x00007FF6FCCF0000-0x00007FF6FD0E1000-memory.dmp	xmrig
behavioral2/memory/5116-383-0x00007FF634A60000-0x00007FF634E51000-memory.dmp	xmrig
behavioral2/memory/3508-384-0x00007FF7444B0000-0x00007FF7448A1000-memory.dmp	xmrig
behavioral2/memory/2968-386-0x00007FF6E73C0000-0x00007FF6E77B1000-memory.dmp	xmrig
behavioral2/memory/3116-387-0x00007FF6FC440000-0x00007FF6FC831000-memory.dmp	xmrig
behavioral2/memory/1708-385-0x00007FF70ED90000-0x00007FF70F181000-memory.dmp	xmrig
behavioral2/memory/2264-388-0x00007FF6BFB60000-0x00007FF6BFF51000-memory.dmp	xmrig
behavioral2/memory/1164-389-0x00007FF7C4130000-0x00007FF7C4521000-memory.dmp	xmrig
behavioral2/memory/2672-1981-0x00007FF6FCCF0000-0x00007FF6FD0E1000-memory.dmp	xmrig
behavioral2/memory/924-1982-0x00007FF7B8240000-0x00007FF7B8631000-memory.dmp	xmrig
behavioral2/memory/5056-1984-0x00007FF72CBB0000-0x00007FF72CFA1000-memory.dmp	xmrig
behavioral2/memory/892-1983-0x00007FF78B430000-0x00007FF78B821000-memory.dmp	xmrig
behavioral2/memory/2004-2017-0x00007FF731BC0000-0x00007FF731FB1000-memory.dmp	xmrig
behavioral2/memory/2672-2019-0x00007FF6FCCF0000-0x00007FF6FD0E1000-memory.dmp	xmrig
behavioral2/memory/4600-2021-0x00007FF7CF050000-0x00007FF7CF441000-memory.dmp	xmrig
behavioral2/memory/1424-2025-0x00007FF7EF600000-0x00007FF7EF9F1000-memory.dmp	xmrig
behavioral2/memory/4664-2029-0x00007FF64FF90000-0x00007FF650381000-memory.dmp	xmrig
behavioral2/memory/2756-2031-0x00007FF6D1A30000-0x00007FF6D1E21000-memory.dmp	xmrig
behavioral2/memory/924-2027-0x00007FF7B8240000-0x00007FF7B8631000-memory.dmp	xmrig
behavioral2/memory/4064-2023-0x00007FF63B1E0000-0x00007FF63B5D1000-memory.dmp	xmrig
behavioral2/memory/2996-2037-0x00007FF7D5E00000-0x00007FF7D61F1000-memory.dmp	xmrig
behavioral2/memory/892-2039-0x00007FF78B430000-0x00007FF78B821000-memory.dmp	xmrig
behavioral2/memory/760-2035-0x00007FF610BF0000-0x00007FF610FE1000-memory.dmp	xmrig
behavioral2/memory/4192-2033-0x00007FF756E20000-0x00007FF757211000-memory.dmp	xmrig
behavioral2/memory/1064-2065-0x00007FF68FCE0000-0x00007FF6900D1000-memory.dmp	xmrig
behavioral2/memory/5116-2056-0x00007FF634A60000-0x00007FF634E51000-memory.dmp	xmrig
behavioral2/memory/2692-2054-0x00007FF617A60000-0x00007FF617E51000-memory.dmp	xmrig
behavioral2/memory/2968-2052-0x00007FF6E73C0000-0x00007FF6E77B1000-memory.dmp	xmrig
behavioral2/memory/1164-2048-0x00007FF7C4130000-0x00007FF7C4521000-memory.dmp	xmrig
behavioral2/memory/5056-2043-0x00007FF72CBB0000-0x00007FF72CFA1000-memory.dmp	xmrig
behavioral2/memory/1316-2045-0x00007FF6295C0000-0x00007FF6299B1000-memory.dmp	xmrig
behavioral2/memory/2840-2042-0x00007FF75B800000-0x00007FF75BBF1000-memory.dmp	xmrig
behavioral2/memory/2004-2067-0x00007FF731BC0000-0x00007FF731FB1000-memory.dmp	xmrig
behavioral2/memory/2264-2063-0x00007FF6BFB60000-0x00007FF6BFF51000-memory.dmp	xmrig
behavioral2/memory/1708-2060-0x00007FF70ED90000-0x00007FF70F181000-memory.dmp	xmrig
behavioral2/memory/3508-2058-0x00007FF7444B0000-0x00007FF7448A1000-memory.dmp	xmrig
behavioral2/memory/3116-2050-0x00007FF6FC440000-0x00007FF6FC831000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4600	dlmygdn.exe
2672	nuRxMjc.exe
4064	fMEzojD.exe
924	MsGxUTT.exe
2756	jkdyRAG.exe
1424	DPncptc.exe
4664	HYGvppO.exe
4192	gPETccQ.exe
2996	IepTMWh.exe
892	GAMqkgT.exe
760	gSwONLw.exe
1316	mOeWlhi.exe
5056	SvpUGop.exe
2840	tsEwJQm.exe
2004	FaQpvyC.exe
1064	IuHYDll.exe
2692	ORpOlMd.exe
5116	ylqgQzf.exe
3508	oyGSowm.exe
1708	IGCUfVB.exe
2968	qExgArV.exe
3116	HMZQBhG.exe
2264	jTmNwsv.exe
1164	VNRZuKc.exe
4684	nzNBhKs.exe
4400	BPuvMib.exe
1636	CradlqV.exe
4928	TMlEtJH.exe
4788	tHXzrFZ.exe
4508	KZmhhIj.exe
4248	sEZbwEQ.exe
4380	UjUjpVj.exe
2184	eZFyPYk.exe
4860	DtUAoNN.exe
2708	WVkoOjL.exe
4992	huaLbgS.exe
3972	ISynnbk.exe
3444	JlWUaZg.exe
5088	aryEGWQ.exe
1884	InrWvkz.exe
4452	aoXgScM.exe
1972	MapMRYC.exe
456	dFqCaLR.exe
3196	VtCJfoe.exe
3380	vukvAmh.exe
5008	lMIlVTl.exe
1960	KeOFEnc.exe
3220	FZwkCji.exe
4344	vgxIDzz.exe
232	clGRtAN.exe
1596	yVRRovc.exe
1276	itUtOoB.exe
1836	LSlqIDy.exe
3212	JugWBuH.exe
780	kHNRWGw.exe
4092	sylCmMU.exe
1284	IzxKtXN.exe
5024	FJsJKHI.exe
2560	HNeRnLU.exe
2956	rWLYuoB.exe
3328	wmrDpxK.exe
5068	NuJsGNp.exe
1592	ptcxXzi.exe
5100	ojrPSJb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-0-0x00007FF64D3D0000-0x00007FF64D7C1000-memory.dmp	upx
behavioral2/files/0x0007000000023423-7.dat	upx
behavioral2/files/0x000900000002328e-6.dat	upx
behavioral2/files/0x0007000000023424-8.dat	upx
behavioral2/files/0x0007000000023426-27.dat	upx
behavioral2/memory/924-34-0x00007FF7B8240000-0x00007FF7B8631000-memory.dmp	upx
behavioral2/files/0x000700000002342b-47.dat	upx
behavioral2/files/0x0007000000023429-54.dat	upx
behavioral2/files/0x000700000002342c-64.dat	upx
behavioral2/files/0x000700000002342f-72.dat	upx
behavioral2/files/0x000700000002342d-76.dat	upx
behavioral2/files/0x0007000000023430-81.dat	upx
behavioral2/memory/1316-88-0x00007FF6295C0000-0x00007FF6299B1000-memory.dmp	upx
behavioral2/files/0x0008000000023420-99.dat	upx
behavioral2/files/0x0007000000023436-126.dat	upx
behavioral2/files/0x0007000000023438-136.dat	upx
behavioral2/files/0x000700000002343b-151.dat	upx
behavioral2/files/0x000700000002343f-169.dat	upx
behavioral2/memory/1064-380-0x00007FF68FCE0000-0x00007FF6900D1000-memory.dmp	upx
behavioral2/memory/2692-382-0x00007FF617A60000-0x00007FF617E51000-memory.dmp	upx
behavioral2/files/0x0007000000023440-176.dat	upx
behavioral2/files/0x000700000002343e-166.dat	upx
behavioral2/files/0x000700000002343d-161.dat	upx
behavioral2/files/0x000700000002343c-156.dat	upx
behavioral2/files/0x000700000002343a-146.dat	upx
behavioral2/files/0x0007000000023439-141.dat	upx
behavioral2/files/0x0007000000023437-131.dat	upx
behavioral2/files/0x0007000000023435-121.dat	upx
behavioral2/files/0x0007000000023434-116.dat	upx
behavioral2/files/0x0007000000023433-111.dat	upx
behavioral2/files/0x0007000000023432-106.dat	upx
behavioral2/files/0x0007000000023431-96.dat	upx
behavioral2/memory/2004-90-0x00007FF731BC0000-0x00007FF731FB1000-memory.dmp	upx
behavioral2/memory/2840-89-0x00007FF75B800000-0x00007FF75BBF1000-memory.dmp	upx
behavioral2/files/0x000700000002342e-84.dat	upx
behavioral2/memory/760-83-0x00007FF610BF0000-0x00007FF610FE1000-memory.dmp	upx
behavioral2/memory/4192-80-0x00007FF756E20000-0x00007FF757211000-memory.dmp	upx
behavioral2/memory/2756-78-0x00007FF6D1A30000-0x00007FF6D1E21000-memory.dmp	upx
behavioral2/memory/4064-75-0x00007FF63B1E0000-0x00007FF63B5D1000-memory.dmp	upx
behavioral2/memory/5056-74-0x00007FF72CBB0000-0x00007FF72CFA1000-memory.dmp	upx
behavioral2/memory/892-71-0x00007FF78B430000-0x00007FF78B821000-memory.dmp	upx
behavioral2/memory/2996-62-0x00007FF7D5E00000-0x00007FF7D61F1000-memory.dmp	upx
behavioral2/files/0x000700000002342a-55.dat	upx
behavioral2/memory/4664-61-0x00007FF64FF90000-0x00007FF650381000-memory.dmp	upx
behavioral2/memory/1424-52-0x00007FF7EF600000-0x00007FF7EF9F1000-memory.dmp	upx
behavioral2/files/0x0007000000023428-40.dat	upx
behavioral2/files/0x0007000000023425-33.dat	upx
behavioral2/files/0x0007000000023427-32.dat	upx
behavioral2/memory/2672-22-0x00007FF6FCCF0000-0x00007FF6FD0E1000-memory.dmp	upx
behavioral2/memory/4600-12-0x00007FF7CF050000-0x00007FF7CF441000-memory.dmp	upx
behavioral2/memory/5116-383-0x00007FF634A60000-0x00007FF634E51000-memory.dmp	upx
behavioral2/memory/3508-384-0x00007FF7444B0000-0x00007FF7448A1000-memory.dmp	upx
behavioral2/memory/2968-386-0x00007FF6E73C0000-0x00007FF6E77B1000-memory.dmp	upx
behavioral2/memory/3116-387-0x00007FF6FC440000-0x00007FF6FC831000-memory.dmp	upx
behavioral2/memory/1708-385-0x00007FF70ED90000-0x00007FF70F181000-memory.dmp	upx
behavioral2/memory/2264-388-0x00007FF6BFB60000-0x00007FF6BFF51000-memory.dmp	upx
behavioral2/memory/1164-389-0x00007FF7C4130000-0x00007FF7C4521000-memory.dmp	upx
behavioral2/memory/2672-1981-0x00007FF6FCCF0000-0x00007FF6FD0E1000-memory.dmp	upx
behavioral2/memory/924-1982-0x00007FF7B8240000-0x00007FF7B8631000-memory.dmp	upx
behavioral2/memory/5056-1984-0x00007FF72CBB0000-0x00007FF72CFA1000-memory.dmp	upx
behavioral2/memory/892-1983-0x00007FF78B430000-0x00007FF78B821000-memory.dmp	upx
behavioral2/memory/2004-2017-0x00007FF731BC0000-0x00007FF731FB1000-memory.dmp	upx
behavioral2/memory/2672-2019-0x00007FF6FCCF0000-0x00007FF6FD0E1000-memory.dmp	upx
behavioral2/memory/4600-2021-0x00007FF7CF050000-0x00007FF7CF441000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\lMIlVTl.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\dMzxPvq.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\JoPIGqb.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\SvTNZxF.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\NuJsGNp.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\Cwpfjbn.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\yqfJXTa.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\zpxWrmq.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\CHNLnIf.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\psDEkyn.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\VtCJfoe.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\DjtDSnG.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\UGvoysx.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\aBuwzbB.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\kfQBkaP.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\VsQJqIi.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\VGouBsM.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\ajJLAOU.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\HNYlwWP.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\fvurFOX.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\Adfmjxu.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\JwBiyFC.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\aZNiirC.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\wDpdVir.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\fTrMjWF.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\KAoyCDO.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\sVkdZpF.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\YXsLJAl.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\RIycpHi.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\vgxIDzz.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\jlmQJDL.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\ebzSVrt.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\FBNarkb.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\DOKFvjO.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\VxSAirM.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\mdGwSvC.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\sgGHsiq.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\DSuGCCT.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\CradlqV.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\mnVEzEm.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\DuWPcnF.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\VWEAJyx.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\HNeRnLU.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\qMBJExF.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\RyPxcCw.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\gqzxMjy.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\LRircnt.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\DnwHnTM.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\CfsKvgl.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\xFuhjpR.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\tcAYXkl.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\qxTnRnB.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\rTJYsNP.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\XdRdXcv.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\ixOBhOR.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\FXhVtvG.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\AVNXoHj.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\AERtXDe.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\zdhzXWU.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\icBZJnz.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\QQbXppK.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\kLbFpRc.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\HsmNKZn.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
File created	C:\Windows\System32\keerzjc.exe	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13660	dwm.exe
Token: SeChangeNotifyPrivilege	13660	dwm.exe
Token: 33	13660	dwm.exe
Token: SeIncBasePriorityPrivilege	13660	dwm.exe
Token: SeShutdownPrivilege	13660	dwm.exe
Token: SeCreatePagefilePrivilege	13660	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 4600	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	86
PID 116 wrote to memory of 4600	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	86
PID 116 wrote to memory of 2672	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	87
PID 116 wrote to memory of 2672	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	87
PID 116 wrote to memory of 4064	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	88
PID 116 wrote to memory of 4064	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	88
PID 116 wrote to memory of 924	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	89
PID 116 wrote to memory of 924	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	89
PID 116 wrote to memory of 2756	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	90
PID 116 wrote to memory of 2756	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	90
PID 116 wrote to memory of 1424	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	91
PID 116 wrote to memory of 1424	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	91
PID 116 wrote to memory of 4664	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	92
PID 116 wrote to memory of 4664	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	92
PID 116 wrote to memory of 4192	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	93
PID 116 wrote to memory of 4192	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	93
PID 116 wrote to memory of 2996	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	94
PID 116 wrote to memory of 2996	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	94
PID 116 wrote to memory of 892	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	95
PID 116 wrote to memory of 892	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	95
PID 116 wrote to memory of 760	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	96
PID 116 wrote to memory of 760	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	96
PID 116 wrote to memory of 1316	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	97
PID 116 wrote to memory of 1316	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	97
PID 116 wrote to memory of 5056	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	98
PID 116 wrote to memory of 5056	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	98
PID 116 wrote to memory of 2840	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	99
PID 116 wrote to memory of 2840	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	99
PID 116 wrote to memory of 2004	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	100
PID 116 wrote to memory of 2004	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	100
PID 116 wrote to memory of 1064	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	101
PID 116 wrote to memory of 1064	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	101
PID 116 wrote to memory of 2692	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	102
PID 116 wrote to memory of 2692	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	102
PID 116 wrote to memory of 5116	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	103
PID 116 wrote to memory of 5116	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	103
PID 116 wrote to memory of 3508	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	104
PID 116 wrote to memory of 3508	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	104
PID 116 wrote to memory of 1708	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	105
PID 116 wrote to memory of 1708	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	105
PID 116 wrote to memory of 2968	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	106
PID 116 wrote to memory of 2968	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	106
PID 116 wrote to memory of 3116	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	107
PID 116 wrote to memory of 3116	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	107
PID 116 wrote to memory of 2264	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	108
PID 116 wrote to memory of 2264	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	108
PID 116 wrote to memory of 1164	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	109
PID 116 wrote to memory of 1164	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	109
PID 116 wrote to memory of 4684	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	110
PID 116 wrote to memory of 4684	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	110
PID 116 wrote to memory of 4400	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	111
PID 116 wrote to memory of 4400	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	111
PID 116 wrote to memory of 1636	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	112
PID 116 wrote to memory of 1636	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	112
PID 116 wrote to memory of 4928	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	113
PID 116 wrote to memory of 4928	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	113
PID 116 wrote to memory of 4788	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	114
PID 116 wrote to memory of 4788	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	114
PID 116 wrote to memory of 4508	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	115
PID 116 wrote to memory of 4508	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	115
PID 116 wrote to memory of 4248	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	116
PID 116 wrote to memory of 4248	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	116
PID 116 wrote to memory of 4380	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	117
PID 116 wrote to memory of 4380	116	8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ed8598b4b4bc8642e74010cabeb3898_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\System32\dlmygdn.exe
  C:\Windows\System32\dlmygdn.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\nuRxMjc.exe
  C:\Windows\System32\nuRxMjc.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\fMEzojD.exe
  C:\Windows\System32\fMEzojD.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System32\MsGxUTT.exe
  C:\Windows\System32\MsGxUTT.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System32\jkdyRAG.exe
  C:\Windows\System32\jkdyRAG.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System32\DPncptc.exe
  C:\Windows\System32\DPncptc.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System32\HYGvppO.exe
  C:\Windows\System32\HYGvppO.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System32\gPETccQ.exe
  C:\Windows\System32\gPETccQ.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System32\IepTMWh.exe
  C:\Windows\System32\IepTMWh.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\GAMqkgT.exe
  C:\Windows\System32\GAMqkgT.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System32\gSwONLw.exe
  C:\Windows\System32\gSwONLw.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System32\mOeWlhi.exe
  C:\Windows\System32\mOeWlhi.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System32\SvpUGop.exe
  C:\Windows\System32\SvpUGop.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\tsEwJQm.exe
  C:\Windows\System32\tsEwJQm.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System32\FaQpvyC.exe
  C:\Windows\System32\FaQpvyC.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System32\IuHYDll.exe
  C:\Windows\System32\IuHYDll.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System32\ORpOlMd.exe
  C:\Windows\System32\ORpOlMd.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\ylqgQzf.exe
  C:\Windows\System32\ylqgQzf.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System32\oyGSowm.exe
  C:\Windows\System32\oyGSowm.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System32\IGCUfVB.exe
  C:\Windows\System32\IGCUfVB.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System32\qExgArV.exe
  C:\Windows\System32\qExgArV.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System32\HMZQBhG.exe
  C:\Windows\System32\HMZQBhG.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System32\jTmNwsv.exe
  C:\Windows\System32\jTmNwsv.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\VNRZuKc.exe
  C:\Windows\System32\VNRZuKc.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\nzNBhKs.exe
  C:\Windows\System32\nzNBhKs.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\BPuvMib.exe
  C:\Windows\System32\BPuvMib.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\CradlqV.exe
  C:\Windows\System32\CradlqV.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\TMlEtJH.exe
  C:\Windows\System32\TMlEtJH.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\tHXzrFZ.exe
  C:\Windows\System32\tHXzrFZ.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\KZmhhIj.exe
  C:\Windows\System32\KZmhhIj.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System32\sEZbwEQ.exe
  C:\Windows\System32\sEZbwEQ.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System32\UjUjpVj.exe
  C:\Windows\System32\UjUjpVj.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\eZFyPYk.exe
  C:\Windows\System32\eZFyPYk.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System32\DtUAoNN.exe
  C:\Windows\System32\DtUAoNN.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\WVkoOjL.exe
  C:\Windows\System32\WVkoOjL.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System32\huaLbgS.exe
  C:\Windows\System32\huaLbgS.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System32\ISynnbk.exe
  C:\Windows\System32\ISynnbk.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System32\JlWUaZg.exe
  C:\Windows\System32\JlWUaZg.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System32\aryEGWQ.exe
  C:\Windows\System32\aryEGWQ.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\InrWvkz.exe
  C:\Windows\System32\InrWvkz.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System32\aoXgScM.exe
  C:\Windows\System32\aoXgScM.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\MapMRYC.exe
  C:\Windows\System32\MapMRYC.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System32\dFqCaLR.exe
  C:\Windows\System32\dFqCaLR.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System32\VtCJfoe.exe
  C:\Windows\System32\VtCJfoe.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\vukvAmh.exe
  C:\Windows\System32\vukvAmh.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System32\lMIlVTl.exe
  C:\Windows\System32\lMIlVTl.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\KeOFEnc.exe
  C:\Windows\System32\KeOFEnc.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System32\FZwkCji.exe
  C:\Windows\System32\FZwkCji.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\vgxIDzz.exe
  C:\Windows\System32\vgxIDzz.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\clGRtAN.exe
  C:\Windows\System32\clGRtAN.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System32\yVRRovc.exe
  C:\Windows\System32\yVRRovc.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System32\itUtOoB.exe
  C:\Windows\System32\itUtOoB.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System32\LSlqIDy.exe
  C:\Windows\System32\LSlqIDy.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\JugWBuH.exe
  C:\Windows\System32\JugWBuH.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System32\kHNRWGw.exe
  C:\Windows\System32\kHNRWGw.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System32\sylCmMU.exe
  C:\Windows\System32\sylCmMU.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System32\IzxKtXN.exe
  C:\Windows\System32\IzxKtXN.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System32\FJsJKHI.exe
  C:\Windows\System32\FJsJKHI.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System32\HNeRnLU.exe
  C:\Windows\System32\HNeRnLU.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System32\rWLYuoB.exe
  C:\Windows\System32\rWLYuoB.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\wmrDpxK.exe
  C:\Windows\System32\wmrDpxK.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System32\NuJsGNp.exe
  C:\Windows\System32\NuJsGNp.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\ptcxXzi.exe
  C:\Windows\System32\ptcxXzi.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System32\ojrPSJb.exe
  C:\Windows\System32\ojrPSJb.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\wtiDheI.exe
  C:\Windows\System32\wtiDheI.exe
  2⤵
  PID:1256
- C:\Windows\System32\pMjXTaF.exe
  C:\Windows\System32\pMjXTaF.exe
  2⤵
  PID:3876
- C:\Windows\System32\iloIHca.exe
  C:\Windows\System32\iloIHca.exe
  2⤵
  PID:816
- C:\Windows\System32\MxtlwEM.exe
  C:\Windows\System32\MxtlwEM.exe
  2⤵
  PID:3340
- C:\Windows\System32\zdhzXWU.exe
  C:\Windows\System32\zdhzXWU.exe
  2⤵
  PID:3628
- C:\Windows\System32\ozkttxr.exe
  C:\Windows\System32\ozkttxr.exe
  2⤵
  PID:728
- C:\Windows\System32\hTUNYQn.exe
  C:\Windows\System32\hTUNYQn.exe
  2⤵
  PID:1120
- C:\Windows\System32\hYvGbPX.exe
  C:\Windows\System32\hYvGbPX.exe
  2⤵
  PID:3536
- C:\Windows\System32\FABCGjv.exe
  C:\Windows\System32\FABCGjv.exe
  2⤵
  PID:3964
- C:\Windows\System32\gtuadgt.exe
  C:\Windows\System32\gtuadgt.exe
  2⤵
  PID:1368
- C:\Windows\System32\MOWQFdl.exe
  C:\Windows\System32\MOWQFdl.exe
  2⤵
  PID:1116
- C:\Windows\System32\dQoxByN.exe
  C:\Windows\System32\dQoxByN.exe
  2⤵
  PID:3576
- C:\Windows\System32\SDaVDZs.exe
  C:\Windows\System32\SDaVDZs.exe
  2⤵
  PID:3184
- C:\Windows\System32\XekYQfM.exe
  C:\Windows\System32\XekYQfM.exe
  2⤵
  PID:3724
- C:\Windows\System32\bVIIFib.exe
  C:\Windows\System32\bVIIFib.exe
  2⤵
  PID:4536
- C:\Windows\System32\lwxvMEM.exe
  C:\Windows\System32\lwxvMEM.exe
  2⤵
  PID:2312
- C:\Windows\System32\neRQBEm.exe
  C:\Windows\System32\neRQBEm.exe
  2⤵
  PID:2052
- C:\Windows\System32\nusfbwN.exe
  C:\Windows\System32\nusfbwN.exe
  2⤵
  PID:4116
- C:\Windows\System32\jhUNVmX.exe
  C:\Windows\System32\jhUNVmX.exe
  2⤵
  PID:448
- C:\Windows\System32\ginAvQT.exe
  C:\Windows\System32\ginAvQT.exe
  2⤵
  PID:60
- C:\Windows\System32\vwoVsiX.exe
  C:\Windows\System32\vwoVsiX.exe
  2⤵
  PID:2008
- C:\Windows\System32\KORcIgJ.exe
  C:\Windows\System32\KORcIgJ.exe
  2⤵
  PID:3976
- C:\Windows\System32\IEgafEZ.exe
  C:\Windows\System32\IEgafEZ.exe
  2⤵
  PID:2892
- C:\Windows\System32\ZOIZYkn.exe
  C:\Windows\System32\ZOIZYkn.exe
  2⤵
  PID:3916
- C:\Windows\System32\TfeTurH.exe
  C:\Windows\System32\TfeTurH.exe
  2⤵
  PID:4836
- C:\Windows\System32\CFpRJNz.exe
  C:\Windows\System32\CFpRJNz.exe
  2⤵
  PID:5144
- C:\Windows\System32\icBZJnz.exe
  C:\Windows\System32\icBZJnz.exe
  2⤵
  PID:5168
- C:\Windows\System32\hpzmufb.exe
  C:\Windows\System32\hpzmufb.exe
  2⤵
  PID:5192
- C:\Windows\System32\UaMBHFV.exe
  C:\Windows\System32\UaMBHFV.exe
  2⤵
  PID:5224
- C:\Windows\System32\biCjAfO.exe
  C:\Windows\System32\biCjAfO.exe
  2⤵
  PID:5260
- C:\Windows\System32\LpBksYA.exe
  C:\Windows\System32\LpBksYA.exe
  2⤵
  PID:5276
- C:\Windows\System32\qMBJExF.exe
  C:\Windows\System32\qMBJExF.exe
  2⤵
  PID:5312
- C:\Windows\System32\fJCcYbz.exe
  C:\Windows\System32\fJCcYbz.exe
  2⤵
  PID:5344
- C:\Windows\System32\oxUFvHZ.exe
  C:\Windows\System32\oxUFvHZ.exe
  2⤵
  PID:5360
- C:\Windows\System32\UomgrjI.exe
  C:\Windows\System32\UomgrjI.exe
  2⤵
  PID:5388
- C:\Windows\System32\HkbBywc.exe
  C:\Windows\System32\HkbBywc.exe
  2⤵
  PID:5424
- C:\Windows\System32\mfyxQuf.exe
  C:\Windows\System32\mfyxQuf.exe
  2⤵
  PID:5444
- C:\Windows\System32\gukwxjt.exe
  C:\Windows\System32\gukwxjt.exe
  2⤵
  PID:5576
- C:\Windows\System32\YpLmClF.exe
  C:\Windows\System32\YpLmClF.exe
  2⤵
  PID:5592
- C:\Windows\System32\tawsems.exe
  C:\Windows\System32\tawsems.exe
  2⤵
  PID:5608
- C:\Windows\System32\jhOGZNC.exe
  C:\Windows\System32\jhOGZNC.exe
  2⤵
  PID:5628
- C:\Windows\System32\nLTVVlN.exe
  C:\Windows\System32\nLTVVlN.exe
  2⤵
  PID:5648
- C:\Windows\System32\HNYlwWP.exe
  C:\Windows\System32\HNYlwWP.exe
  2⤵
  PID:5712
- C:\Windows\System32\NHzgdxB.exe
  C:\Windows\System32\NHzgdxB.exe
  2⤵
  PID:5748
- C:\Windows\System32\fvurFOX.exe
  C:\Windows\System32\fvurFOX.exe
  2⤵
  PID:5764
- C:\Windows\System32\zBDsZeU.exe
  C:\Windows\System32\zBDsZeU.exe
  2⤵
  PID:5780
- C:\Windows\System32\eDrydeq.exe
  C:\Windows\System32\eDrydeq.exe
  2⤵
  PID:5816
- C:\Windows\System32\ngXfVqW.exe
  C:\Windows\System32\ngXfVqW.exe
  2⤵
  PID:5832
- C:\Windows\System32\POtnmKS.exe
  C:\Windows\System32\POtnmKS.exe
  2⤵
  PID:5864
- C:\Windows\System32\EguGcAu.exe
  C:\Windows\System32\EguGcAu.exe
  2⤵
  PID:5908
- C:\Windows\System32\Zegzysz.exe
  C:\Windows\System32\Zegzysz.exe
  2⤵
  PID:5936
- C:\Windows\System32\oyuvNOl.exe
  C:\Windows\System32\oyuvNOl.exe
  2⤵
  PID:5960
- C:\Windows\System32\CePDXbw.exe
  C:\Windows\System32\CePDXbw.exe
  2⤵
  PID:5992
- C:\Windows\System32\athofHs.exe
  C:\Windows\System32\athofHs.exe
  2⤵
  PID:6008
- C:\Windows\System32\JrbpWGG.exe
  C:\Windows\System32\JrbpWGG.exe
  2⤵
  PID:6024
- C:\Windows\System32\PRaMMhS.exe
  C:\Windows\System32\PRaMMhS.exe
  2⤵
  PID:6048
- C:\Windows\System32\lbRUkhf.exe
  C:\Windows\System32\lbRUkhf.exe
  2⤵
  PID:6064
- C:\Windows\System32\sXEfSMU.exe
  C:\Windows\System32\sXEfSMU.exe
  2⤵
  PID:6080
- C:\Windows\System32\wDpdVir.exe
  C:\Windows\System32\wDpdVir.exe
  2⤵
  PID:4316
- C:\Windows\System32\RyPxcCw.exe
  C:\Windows\System32\RyPxcCw.exe
  2⤵
  PID:4896
- C:\Windows\System32\DLiYCcF.exe
  C:\Windows\System32\DLiYCcF.exe
  2⤵
  PID:2480
- C:\Windows\System32\GlomWcR.exe
  C:\Windows\System32\GlomWcR.exe
  2⤵
  PID:4668
- C:\Windows\System32\judbLFo.exe
  C:\Windows\System32\judbLFo.exe
  2⤵
  PID:5176
- C:\Windows\System32\wEtGHqW.exe
  C:\Windows\System32\wEtGHqW.exe
  2⤵
  PID:2500
- C:\Windows\System32\ICceFeN.exe
  C:\Windows\System32\ICceFeN.exe
  2⤵
  PID:5216
- C:\Windows\System32\FREqqms.exe
  C:\Windows\System32\FREqqms.exe
  2⤵
  PID:5252
- C:\Windows\System32\nGLGwEm.exe
  C:\Windows\System32\nGLGwEm.exe
  2⤵
  PID:5268
- C:\Windows\System32\UXOdeKQ.exe
  C:\Windows\System32\UXOdeKQ.exe
  2⤵
  PID:5284
- C:\Windows\System32\lqomayo.exe
  C:\Windows\System32\lqomayo.exe
  2⤵
  PID:2028
- C:\Windows\System32\FdyOAkK.exe
  C:\Windows\System32\FdyOAkK.exe
  2⤵
  PID:3484
- C:\Windows\System32\LUvnREN.exe
  C:\Windows\System32\LUvnREN.exe
  2⤵
  PID:4936
- C:\Windows\System32\AVFjGFz.exe
  C:\Windows\System32\AVFjGFz.exe
  2⤵
  PID:4368
- C:\Windows\System32\DoXoGLp.exe
  C:\Windows\System32\DoXoGLp.exe
  2⤵
  PID:3164
- C:\Windows\System32\JisPHhd.exe
  C:\Windows\System32\JisPHhd.exe
  2⤵
  PID:5464
- C:\Windows\System32\DDkcdRj.exe
  C:\Windows\System32\DDkcdRj.exe
  2⤵
  PID:5536
- C:\Windows\System32\ZpnzFvz.exe
  C:\Windows\System32\ZpnzFvz.exe
  2⤵
  PID:1924
- C:\Windows\System32\ZGKgtpd.exe
  C:\Windows\System32\ZGKgtpd.exe
  2⤵
  PID:5624
- C:\Windows\System32\tOOeqtr.exe
  C:\Windows\System32\tOOeqtr.exe
  2⤵
  PID:5640
- C:\Windows\System32\NDyaRjG.exe
  C:\Windows\System32\NDyaRjG.exe
  2⤵
  PID:5720
- C:\Windows\System32\YXsLJAl.exe
  C:\Windows\System32\YXsLJAl.exe
  2⤵
  PID:5760
- C:\Windows\System32\RVmVjtj.exe
  C:\Windows\System32\RVmVjtj.exe
  2⤵
  PID:5840
- C:\Windows\System32\aHtalXc.exe
  C:\Windows\System32\aHtalXc.exe
  2⤵
  PID:5972
- C:\Windows\System32\NUtiaGp.exe
  C:\Windows\System32\NUtiaGp.exe
  2⤵
  PID:6016
- C:\Windows\System32\YkKQqAt.exe
  C:\Windows\System32\YkKQqAt.exe
  2⤵
  PID:6060
- C:\Windows\System32\ncymdnS.exe
  C:\Windows\System32\ncymdnS.exe
  2⤵
  PID:4848
- C:\Windows\System32\myWyVEQ.exe
  C:\Windows\System32\myWyVEQ.exe
  2⤵
  PID:1756
- C:\Windows\System32\NcUTUMn.exe
  C:\Windows\System32\NcUTUMn.exe
  2⤵
  PID:3580
- C:\Windows\System32\vkiaPMI.exe
  C:\Windows\System32\vkiaPMI.exe
  2⤵
  PID:5272
- C:\Windows\System32\vKtAOgB.exe
  C:\Windows\System32\vKtAOgB.exe
  2⤵
  PID:3384
- C:\Windows\System32\DnwHnTM.exe
  C:\Windows\System32\DnwHnTM.exe
  2⤵
  PID:4932
- C:\Windows\System32\ABMNhXH.exe
  C:\Windows\System32\ABMNhXH.exe
  2⤵
  PID:2300
- C:\Windows\System32\QQbXppK.exe
  C:\Windows\System32\QQbXppK.exe
  2⤵
  PID:5540
- C:\Windows\System32\aREcway.exe
  C:\Windows\System32\aREcway.exe
  2⤵
  PID:5664
- C:\Windows\System32\RUgsxLC.exe
  C:\Windows\System32\RUgsxLC.exe
  2⤵
  PID:5740
- C:\Windows\System32\QUrcjVM.exe
  C:\Windows\System32\QUrcjVM.exe
  2⤵
  PID:6032
- C:\Windows\System32\zaDFrDF.exe
  C:\Windows\System32\zaDFrDF.exe
  2⤵
  PID:6004
- C:\Windows\System32\hUJBXFm.exe
  C:\Windows\System32\hUJBXFm.exe
  2⤵
  PID:764
- C:\Windows\System32\cMXXbvP.exe
  C:\Windows\System32\cMXXbvP.exe
  2⤵
  PID:5232
- C:\Windows\System32\cXrMLOv.exe
  C:\Windows\System32\cXrMLOv.exe
  2⤵
  PID:3416
- C:\Windows\System32\GoxqHcu.exe
  C:\Windows\System32\GoxqHcu.exe
  2⤵
  PID:5584
- C:\Windows\System32\ZApctqX.exe
  C:\Windows\System32\ZApctqX.exe
  2⤵
  PID:6120
- C:\Windows\System32\Adfmjxu.exe
  C:\Windows\System32\Adfmjxu.exe
  2⤵
  PID:5356
- C:\Windows\System32\XJlHpgy.exe
  C:\Windows\System32\XJlHpgy.exe
  2⤵
  PID:4828
- C:\Windows\System32\LpoLSDj.exe
  C:\Windows\System32\LpoLSDj.exe
  2⤵
  PID:3592
- C:\Windows\System32\BIbEmBo.exe
  C:\Windows\System32\BIbEmBo.exe
  2⤵
  PID:5744
- C:\Windows\System32\dNxaxAm.exe
  C:\Windows\System32\dNxaxAm.exe
  2⤵
  PID:6156
- C:\Windows\System32\DOKFvjO.exe
  C:\Windows\System32\DOKFvjO.exe
  2⤵
  PID:6180
- C:\Windows\System32\RDpVaGr.exe
  C:\Windows\System32\RDpVaGr.exe
  2⤵
  PID:6244
- C:\Windows\System32\tYNdPQn.exe
  C:\Windows\System32\tYNdPQn.exe
  2⤵
  PID:6264
- C:\Windows\System32\CgYmpwK.exe
  C:\Windows\System32\CgYmpwK.exe
  2⤵
  PID:6280
- C:\Windows\System32\bFayMJo.exe
  C:\Windows\System32\bFayMJo.exe
  2⤵
  PID:6320
- C:\Windows\System32\vWVAgwQ.exe
  C:\Windows\System32\vWVAgwQ.exe
  2⤵
  PID:6352
- C:\Windows\System32\rbPiosJ.exe
  C:\Windows\System32\rbPiosJ.exe
  2⤵
  PID:6368
- C:\Windows\System32\nAFwDyM.exe
  C:\Windows\System32\nAFwDyM.exe
  2⤵
  PID:6420
- C:\Windows\System32\qnjOTjU.exe
  C:\Windows\System32\qnjOTjU.exe
  2⤵
  PID:6444
- C:\Windows\System32\fphcXAp.exe
  C:\Windows\System32\fphcXAp.exe
  2⤵
  PID:6480
- C:\Windows\System32\rKZmWhQ.exe
  C:\Windows\System32\rKZmWhQ.exe
  2⤵
  PID:6524
- C:\Windows\System32\YyYgHRA.exe
  C:\Windows\System32\YyYgHRA.exe
  2⤵
  PID:6548
- C:\Windows\System32\TiCFNKg.exe
  C:\Windows\System32\TiCFNKg.exe
  2⤵
  PID:6572
- C:\Windows\System32\dpiMDAN.exe
  C:\Windows\System32\dpiMDAN.exe
  2⤵
  PID:6608
- C:\Windows\System32\qEqopqi.exe
  C:\Windows\System32\qEqopqi.exe
  2⤵
  PID:6648
- C:\Windows\System32\KyWuCqC.exe
  C:\Windows\System32\KyWuCqC.exe
  2⤵
  PID:6664
- C:\Windows\System32\IELisWT.exe
  C:\Windows\System32\IELisWT.exe
  2⤵
  PID:6684
- C:\Windows\System32\sAimpVb.exe
  C:\Windows\System32\sAimpVb.exe
  2⤵
  PID:6700
- C:\Windows\System32\AlUVzJd.exe
  C:\Windows\System32\AlUVzJd.exe
  2⤵
  PID:6724
- C:\Windows\System32\AvFLxno.exe
  C:\Windows\System32\AvFLxno.exe
  2⤵
  PID:6764
- C:\Windows\System32\ivvtwgS.exe
  C:\Windows\System32\ivvtwgS.exe
  2⤵
  PID:6780
- C:\Windows\System32\KViqwQf.exe
  C:\Windows\System32\KViqwQf.exe
  2⤵
  PID:6808
- C:\Windows\System32\gqzxMjy.exe
  C:\Windows\System32\gqzxMjy.exe
  2⤵
  PID:6828
- C:\Windows\System32\BmVTmZd.exe
  C:\Windows\System32\BmVTmZd.exe
  2⤵
  PID:6844
- C:\Windows\System32\HHaNBGf.exe
  C:\Windows\System32\HHaNBGf.exe
  2⤵
  PID:6868
- C:\Windows\System32\NIlYacU.exe
  C:\Windows\System32\NIlYacU.exe
  2⤵
  PID:6900
- C:\Windows\System32\KjbpeXt.exe
  C:\Windows\System32\KjbpeXt.exe
  2⤵
  PID:6928
- C:\Windows\System32\QeOyxAI.exe
  C:\Windows\System32\QeOyxAI.exe
  2⤵
  PID:6944
- C:\Windows\System32\DjtDSnG.exe
  C:\Windows\System32\DjtDSnG.exe
  2⤵
  PID:6968
- C:\Windows\System32\WzvtKxd.exe
  C:\Windows\System32\WzvtKxd.exe
  2⤵
  PID:7020
- C:\Windows\System32\FynpdPG.exe
  C:\Windows\System32\FynpdPG.exe
  2⤵
  PID:7036
- C:\Windows\System32\gnOCuRX.exe
  C:\Windows\System32\gnOCuRX.exe
  2⤵
  PID:7052
- C:\Windows\System32\UrRguzf.exe
  C:\Windows\System32\UrRguzf.exe
  2⤵
  PID:7072
- C:\Windows\System32\tcAYXkl.exe
  C:\Windows\System32\tcAYXkl.exe
  2⤵
  PID:7092
- C:\Windows\System32\PtOksWo.exe
  C:\Windows\System32\PtOksWo.exe
  2⤵
  PID:7116
- C:\Windows\System32\MMpQyPp.exe
  C:\Windows\System32\MMpQyPp.exe
  2⤵
  PID:7132
- C:\Windows\System32\YeWAzUu.exe
  C:\Windows\System32\YeWAzUu.exe
  2⤵
  PID:7156
- C:\Windows\System32\KJSpfWP.exe
  C:\Windows\System32\KJSpfWP.exe
  2⤵
  PID:5876
- C:\Windows\System32\IitWEtT.exe
  C:\Windows\System32\IitWEtT.exe
  2⤵
  PID:6260
- C:\Windows\System32\gpajddN.exe
  C:\Windows\System32\gpajddN.exe
  2⤵
  PID:6456
- C:\Windows\System32\CDCrlYB.exe
  C:\Windows\System32\CDCrlYB.exe
  2⤵
  PID:6624
- C:\Windows\System32\hNKbToy.exe
  C:\Windows\System32\hNKbToy.exe
  2⤵
  PID:6676
- C:\Windows\System32\yZYZLmL.exe
  C:\Windows\System32\yZYZLmL.exe
  2⤵
  PID:6680
- C:\Windows\System32\uAdoJLS.exe
  C:\Windows\System32\uAdoJLS.exe
  2⤵
  PID:6836
- C:\Windows\System32\UhuCYQd.exe
  C:\Windows\System32\UhuCYQd.exe
  2⤵
  PID:6880
- C:\Windows\System32\EFAcuqu.exe
  C:\Windows\System32\EFAcuqu.exe
  2⤵
  PID:6952
- C:\Windows\System32\QrdcQCc.exe
  C:\Windows\System32\QrdcQCc.exe
  2⤵
  PID:7000
- C:\Windows\System32\OKrTaan.exe
  C:\Windows\System32\OKrTaan.exe
  2⤵
  PID:7068
- C:\Windows\System32\VXGvOkU.exe
  C:\Windows\System32\VXGvOkU.exe
  2⤵
  PID:7128
- C:\Windows\System32\vCUbrMB.exe
  C:\Windows\System32\vCUbrMB.exe
  2⤵
  PID:1288
- C:\Windows\System32\ulAcmGB.exe
  C:\Windows\System32\ulAcmGB.exe
  2⤵
  PID:6360
- C:\Windows\System32\zhcVlOR.exe
  C:\Windows\System32\zhcVlOR.exe
  2⤵
  PID:6508
- C:\Windows\System32\hRazcqH.exe
  C:\Windows\System32\hRazcqH.exe
  2⤵
  PID:6564
- C:\Windows\System32\OPwdPHf.exe
  C:\Windows\System32\OPwdPHf.exe
  2⤵
  PID:6772
- C:\Windows\System32\MJNtVQo.exe
  C:\Windows\System32\MJNtVQo.exe
  2⤵
  PID:5796
- C:\Windows\System32\nMmWgpG.exe
  C:\Windows\System32\nMmWgpG.exe
  2⤵
  PID:7028
- C:\Windows\System32\jiMyknz.exe
  C:\Windows\System32\jiMyknz.exe
  2⤵
  PID:6760
- C:\Windows\System32\FukLXYg.exe
  C:\Windows\System32\FukLXYg.exe
  2⤵
  PID:6892
- C:\Windows\System32\odkwvJl.exe
  C:\Windows\System32\odkwvJl.exe
  2⤵
  PID:6336
- C:\Windows\System32\hzDQwGK.exe
  C:\Windows\System32\hzDQwGK.exe
  2⤵
  PID:6864
- C:\Windows\System32\Cwpfjbn.exe
  C:\Windows\System32\Cwpfjbn.exe
  2⤵
  PID:7180
- C:\Windows\System32\xFLoueA.exe
  C:\Windows\System32\xFLoueA.exe
  2⤵
  PID:7208
- C:\Windows\System32\bSSBeqE.exe
  C:\Windows\System32\bSSBeqE.exe
  2⤵
  PID:7236
- C:\Windows\System32\aqvVaJQ.exe
  C:\Windows\System32\aqvVaJQ.exe
  2⤵
  PID:7280
- C:\Windows\System32\qmfeeTL.exe
  C:\Windows\System32\qmfeeTL.exe
  2⤵
  PID:7316
- C:\Windows\System32\pFkaFEN.exe
  C:\Windows\System32\pFkaFEN.exe
  2⤵
  PID:7336
- C:\Windows\System32\KqPHutJ.exe
  C:\Windows\System32\KqPHutJ.exe
  2⤵
  PID:7356
- C:\Windows\System32\VxSAirM.exe
  C:\Windows\System32\VxSAirM.exe
  2⤵
  PID:7376
- C:\Windows\System32\UGvoysx.exe
  C:\Windows\System32\UGvoysx.exe
  2⤵
  PID:7404
- C:\Windows\System32\ihneITf.exe
  C:\Windows\System32\ihneITf.exe
  2⤵
  PID:7448
- C:\Windows\System32\jlmQJDL.exe
  C:\Windows\System32\jlmQJDL.exe
  2⤵
  PID:7472
- C:\Windows\System32\MbArKvg.exe
  C:\Windows\System32\MbArKvg.exe
  2⤵
  PID:7504
- C:\Windows\System32\FAWGypT.exe
  C:\Windows\System32\FAWGypT.exe
  2⤵
  PID:7520
- C:\Windows\System32\qnCgXuZ.exe
  C:\Windows\System32\qnCgXuZ.exe
  2⤵
  PID:7556
- C:\Windows\System32\MjPpPmR.exe
  C:\Windows\System32\MjPpPmR.exe
  2⤵
  PID:7580
- C:\Windows\System32\fdobyPh.exe
  C:\Windows\System32\fdobyPh.exe
  2⤵
  PID:7596
- C:\Windows\System32\WyagWuS.exe
  C:\Windows\System32\WyagWuS.exe
  2⤵
  PID:7620
- C:\Windows\System32\ZwBcqyq.exe
  C:\Windows\System32\ZwBcqyq.exe
  2⤵
  PID:7636
- C:\Windows\System32\fMZAIHL.exe
  C:\Windows\System32\fMZAIHL.exe
  2⤵
  PID:7656
- C:\Windows\System32\DwlCnzu.exe
  C:\Windows\System32\DwlCnzu.exe
  2⤵
  PID:7700
- C:\Windows\System32\qpdgPRt.exe
  C:\Windows\System32\qpdgPRt.exe
  2⤵
  PID:7724
- C:\Windows\System32\sdGxkHq.exe
  C:\Windows\System32\sdGxkHq.exe
  2⤵
  PID:7752
- C:\Windows\System32\weSYRbz.exe
  C:\Windows\System32\weSYRbz.exe
  2⤵
  PID:7768
- C:\Windows\System32\fzkPmvn.exe
  C:\Windows\System32\fzkPmvn.exe
  2⤵
  PID:7820
- C:\Windows\System32\ZJXmxbj.exe
  C:\Windows\System32\ZJXmxbj.exe
  2⤵
  PID:7856
- C:\Windows\System32\bXLHeNN.exe
  C:\Windows\System32\bXLHeNN.exe
  2⤵
  PID:7892
- C:\Windows\System32\JwIjVUm.exe
  C:\Windows\System32\JwIjVUm.exe
  2⤵
  PID:7924
- C:\Windows\System32\bAewXPn.exe
  C:\Windows\System32\bAewXPn.exe
  2⤵
  PID:7948
- C:\Windows\System32\JwBiyFC.exe
  C:\Windows\System32\JwBiyFC.exe
  2⤵
  PID:7988
- C:\Windows\System32\qviOBev.exe
  C:\Windows\System32\qviOBev.exe
  2⤵
  PID:8008
- C:\Windows\System32\eZCKevI.exe
  C:\Windows\System32\eZCKevI.exe
  2⤵
  PID:8024
- C:\Windows\System32\DZrKVYq.exe
  C:\Windows\System32\DZrKVYq.exe
  2⤵
  PID:8040
- C:\Windows\System32\uYMLBOO.exe
  C:\Windows\System32\uYMLBOO.exe
  2⤵
  PID:8064
- C:\Windows\System32\LgJoGbw.exe
  C:\Windows\System32\LgJoGbw.exe
  2⤵
  PID:8080
- C:\Windows\System32\zDkKmUj.exe
  C:\Windows\System32\zDkKmUj.exe
  2⤵
  PID:8100
- C:\Windows\System32\KBnxxEq.exe
  C:\Windows\System32\KBnxxEq.exe
  2⤵
  PID:8120
- C:\Windows\System32\scSizXt.exe
  C:\Windows\System32\scSizXt.exe
  2⤵
  PID:8136
- C:\Windows\System32\eRKIMpq.exe
  C:\Windows\System32\eRKIMpq.exe
  2⤵
  PID:6208
- C:\Windows\System32\zFWmzBo.exe
  C:\Windows\System32\zFWmzBo.exe
  2⤵
  PID:7224
- C:\Windows\System32\kkWpVqX.exe
  C:\Windows\System32\kkWpVqX.exe
  2⤵
  PID:7276
- C:\Windows\System32\wMTEkVR.exe
  C:\Windows\System32\wMTEkVR.exe
  2⤵
  PID:7344
- C:\Windows\System32\aoQvVnf.exe
  C:\Windows\System32\aoQvVnf.exe
  2⤵
  PID:7436
- C:\Windows\System32\TOVdgGD.exe
  C:\Windows\System32\TOVdgGD.exe
  2⤵
  PID:7552
- C:\Windows\System32\BDqFpMM.exe
  C:\Windows\System32\BDqFpMM.exe
  2⤵
  PID:7632
- C:\Windows\System32\NiHivpP.exe
  C:\Windows\System32\NiHivpP.exe
  2⤵
  PID:7720
- C:\Windows\System32\zTAFHAI.exe
  C:\Windows\System32\zTAFHAI.exe
  2⤵
  PID:7792
- C:\Windows\System32\sVSxdYd.exe
  C:\Windows\System32\sVSxdYd.exe
  2⤵
  PID:7796
- C:\Windows\System32\PgKlwjI.exe
  C:\Windows\System32\PgKlwjI.exe
  2⤵
  PID:7920
- C:\Windows\System32\XdRdXcv.exe
  C:\Windows\System32\XdRdXcv.exe
  2⤵
  PID:8000
- C:\Windows\System32\PyRAtHu.exe
  C:\Windows\System32\PyRAtHu.exe
  2⤵
  PID:8072
- C:\Windows\System32\qxTnRnB.exe
  C:\Windows\System32\qxTnRnB.exe
  2⤵
  PID:8096
- C:\Windows\System32\YYhbZIf.exe
  C:\Windows\System32\YYhbZIf.exe
  2⤵
  PID:8112
- C:\Windows\System32\VMgyDMn.exe
  C:\Windows\System32\VMgyDMn.exe
  2⤵
  PID:8164
- C:\Windows\System32\PlTGTer.exe
  C:\Windows\System32\PlTGTer.exe
  2⤵
  PID:7192
- C:\Windows\System32\ZBYGEUu.exe
  C:\Windows\System32\ZBYGEUu.exe
  2⤵
  PID:7248
- C:\Windows\System32\ScRgYSM.exe
  C:\Windows\System32\ScRgYSM.exe
  2⤵
  PID:7364
- C:\Windows\System32\DBHtcfm.exe
  C:\Windows\System32\DBHtcfm.exe
  2⤵
  PID:7760
- C:\Windows\System32\YZsjTBi.exe
  C:\Windows\System32\YZsjTBi.exe
  2⤵
  PID:7932
- C:\Windows\System32\bkqlyfK.exe
  C:\Windows\System32\bkqlyfK.exe
  2⤵
  PID:8020
- C:\Windows\System32\YzQahhf.exe
  C:\Windows\System32\YzQahhf.exe
  2⤵
  PID:8128
- C:\Windows\System32\xZNRaWd.exe
  C:\Windows\System32\xZNRaWd.exe
  2⤵
  PID:8176
- C:\Windows\System32\lqGHloF.exe
  C:\Windows\System32\lqGHloF.exe
  2⤵
  PID:7968
- C:\Windows\System32\pamGqiR.exe
  C:\Windows\System32\pamGqiR.exe
  2⤵
  PID:7392
- C:\Windows\System32\mnVEzEm.exe
  C:\Windows\System32\mnVEzEm.exe
  2⤵
  PID:7780
- C:\Windows\System32\SkHHfDf.exe
  C:\Windows\System32\SkHHfDf.exe
  2⤵
  PID:8236
- C:\Windows\System32\dMzxPvq.exe
  C:\Windows\System32\dMzxPvq.exe
  2⤵
  PID:8256
- C:\Windows\System32\ixOBhOR.exe
  C:\Windows\System32\ixOBhOR.exe
  2⤵
  PID:8296
- C:\Windows\System32\pvstPsE.exe
  C:\Windows\System32\pvstPsE.exe
  2⤵
  PID:8324
- C:\Windows\System32\rfgYpgN.exe
  C:\Windows\System32\rfgYpgN.exe
  2⤵
  PID:8360
- C:\Windows\System32\uJuajRS.exe
  C:\Windows\System32\uJuajRS.exe
  2⤵
  PID:8388
- C:\Windows\System32\WTAvFPc.exe
  C:\Windows\System32\WTAvFPc.exe
  2⤵
  PID:8404
- C:\Windows\System32\JsloeRu.exe
  C:\Windows\System32\JsloeRu.exe
  2⤵
  PID:8444
- C:\Windows\System32\aZNiirC.exe
  C:\Windows\System32\aZNiirC.exe
  2⤵
  PID:8468
- C:\Windows\System32\knMFdFD.exe
  C:\Windows\System32\knMFdFD.exe
  2⤵
  PID:8492
- C:\Windows\System32\RJoJsyR.exe
  C:\Windows\System32\RJoJsyR.exe
  2⤵
  PID:8528
- C:\Windows\System32\ATOIXON.exe
  C:\Windows\System32\ATOIXON.exe
  2⤵
  PID:8548
- C:\Windows\System32\ktlzJgY.exe
  C:\Windows\System32\ktlzJgY.exe
  2⤵
  PID:8596
- C:\Windows\System32\GOtkugs.exe
  C:\Windows\System32\GOtkugs.exe
  2⤵
  PID:8628
- C:\Windows\System32\CfsKvgl.exe
  C:\Windows\System32\CfsKvgl.exe
  2⤵
  PID:8644
- C:\Windows\System32\LmxuklM.exe
  C:\Windows\System32\LmxuklM.exe
  2⤵
  PID:8660
- C:\Windows\System32\VdALGPb.exe
  C:\Windows\System32\VdALGPb.exe
  2⤵
  PID:8676
- C:\Windows\System32\HTEqWOt.exe
  C:\Windows\System32\HTEqWOt.exe
  2⤵
  PID:8692
- C:\Windows\System32\deaTHdN.exe
  C:\Windows\System32\deaTHdN.exe
  2⤵
  PID:8732
- C:\Windows\System32\aWPPpyf.exe
  C:\Windows\System32\aWPPpyf.exe
  2⤵
  PID:8760
- C:\Windows\System32\fTrMjWF.exe
  C:\Windows\System32\fTrMjWF.exe
  2⤵
  PID:8784
- C:\Windows\System32\cTvgNts.exe
  C:\Windows\System32\cTvgNts.exe
  2⤵
  PID:8804
- C:\Windows\System32\SwHErIe.exe
  C:\Windows\System32\SwHErIe.exe
  2⤵
  PID:8904
- C:\Windows\System32\KAoyCDO.exe
  C:\Windows\System32\KAoyCDO.exe
  2⤵
  PID:8972
- C:\Windows\System32\VFtdMvw.exe
  C:\Windows\System32\VFtdMvw.exe
  2⤵
  PID:9028
- C:\Windows\System32\SxjZpBy.exe
  C:\Windows\System32\SxjZpBy.exe
  2⤵
  PID:9076
- C:\Windows\System32\yonXRpe.exe
  C:\Windows\System32\yonXRpe.exe
  2⤵
  PID:9096
- C:\Windows\System32\fWyLxyn.exe
  C:\Windows\System32\fWyLxyn.exe
  2⤵
  PID:9120
- C:\Windows\System32\GybXkrn.exe
  C:\Windows\System32\GybXkrn.exe
  2⤵
  PID:9152
- C:\Windows\System32\kRUsLkm.exe
  C:\Windows\System32\kRUsLkm.exe
  2⤵
  PID:9184
- C:\Windows\System32\oqoUjdI.exe
  C:\Windows\System32\oqoUjdI.exe
  2⤵
  PID:9200
- C:\Windows\System32\imKwzcU.exe
  C:\Windows\System32\imKwzcU.exe
  2⤵
  PID:7852
- C:\Windows\System32\fbsyzyS.exe
  C:\Windows\System32\fbsyzyS.exe
  2⤵
  PID:8268
- C:\Windows\System32\aBuwzbB.exe
  C:\Windows\System32\aBuwzbB.exe
  2⤵
  PID:8292
- C:\Windows\System32\nNnBmlD.exe
  C:\Windows\System32\nNnBmlD.exe
  2⤵
  PID:8336
- C:\Windows\System32\HOQiRED.exe
  C:\Windows\System32\HOQiRED.exe
  2⤵
  PID:8420
- C:\Windows\System32\nMDxFyE.exe
  C:\Windows\System32\nMDxFyE.exe
  2⤵
  PID:8524
- C:\Windows\System32\XkeTfHn.exe
  C:\Windows\System32\XkeTfHn.exe
  2⤵
  PID:8540
- C:\Windows\System32\mdGwSvC.exe
  C:\Windows\System32\mdGwSvC.exe
  2⤵
  PID:8584
- C:\Windows\System32\hWcFPJM.exe
  C:\Windows\System32\hWcFPJM.exe
  2⤵
  PID:8656
- C:\Windows\System32\QwikcSk.exe
  C:\Windows\System32\QwikcSk.exe
  2⤵
  PID:8716
- C:\Windows\System32\FzBjwts.exe
  C:\Windows\System32\FzBjwts.exe
  2⤵
  PID:8592
- C:\Windows\System32\CnHcznT.exe
  C:\Windows\System32\CnHcznT.exe
  2⤵
  PID:8712
- C:\Windows\System32\gsXktyM.exe
  C:\Windows\System32\gsXktyM.exe
  2⤵
  PID:8748
- C:\Windows\System32\yqfJXTa.exe
  C:\Windows\System32\yqfJXTa.exe
  2⤵
  PID:8848
- C:\Windows\System32\ZwfyNdx.exe
  C:\Windows\System32\ZwfyNdx.exe
  2⤵
  PID:8996
- C:\Windows\System32\glHagTF.exe
  C:\Windows\System32\glHagTF.exe
  2⤵
  PID:9004
- C:\Windows\System32\FXhVtvG.exe
  C:\Windows\System32\FXhVtvG.exe
  2⤵
  PID:9092
- C:\Windows\System32\izymYtg.exe
  C:\Windows\System32\izymYtg.exe
  2⤵
  PID:9164
- C:\Windows\System32\dwOkemT.exe
  C:\Windows\System32\dwOkemT.exe
  2⤵
  PID:8216
- C:\Windows\System32\NCiypFX.exe
  C:\Windows\System32\NCiypFX.exe
  2⤵
  PID:8264
- C:\Windows\System32\UfHtFox.exe
  C:\Windows\System32\UfHtFox.exe
  2⤵
  PID:8384
- C:\Windows\System32\zuVCCSY.exe
  C:\Windows\System32\zuVCCSY.exe
  2⤵
  PID:8560
- C:\Windows\System32\oXXMWJN.exe
  C:\Windows\System32\oXXMWJN.exe
  2⤵
  PID:8768
- C:\Windows\System32\WQvwHoI.exe
  C:\Windows\System32\WQvwHoI.exe
  2⤵
  PID:8836
- C:\Windows\System32\CoMrNaG.exe
  C:\Windows\System32\CoMrNaG.exe
  2⤵
  PID:2948
- C:\Windows\System32\ZyJLihB.exe
  C:\Windows\System32\ZyJLihB.exe
  2⤵
  PID:8880
- C:\Windows\System32\kfEWMxz.exe
  C:\Windows\System32\kfEWMxz.exe
  2⤵
  PID:9168
- C:\Windows\System32\jlWrBKg.exe
  C:\Windows\System32\jlWrBKg.exe
  2⤵
  PID:8428
- C:\Windows\System32\IvKjPYm.exe
  C:\Windows\System32\IvKjPYm.exe
  2⤵
  PID:8616
- C:\Windows\System32\JhpNdTl.exe
  C:\Windows\System32\JhpNdTl.exe
  2⤵
  PID:8812
- C:\Windows\System32\VsQJqIi.exe
  C:\Windows\System32\VsQJqIi.exe
  2⤵
  PID:8248
- C:\Windows\System32\YcgYJpq.exe
  C:\Windows\System32\YcgYJpq.exe
  2⤵
  PID:8604
- C:\Windows\System32\IlxAhul.exe
  C:\Windows\System32\IlxAhul.exe
  2⤵
  PID:8828
- C:\Windows\System32\rKmZmKL.exe
  C:\Windows\System32\rKmZmKL.exe
  2⤵
  PID:9196
- C:\Windows\System32\kMaAQjW.exe
  C:\Windows\System32\kMaAQjW.exe
  2⤵
  PID:9256
- C:\Windows\System32\CjckGLF.exe
  C:\Windows\System32\CjckGLF.exe
  2⤵
  PID:9296
- C:\Windows\System32\jllKNim.exe
  C:\Windows\System32\jllKNim.exe
  2⤵
  PID:9312
- C:\Windows\System32\PMMMeoS.exe
  C:\Windows\System32\PMMMeoS.exe
  2⤵
  PID:9364
- C:\Windows\System32\kfQBkaP.exe
  C:\Windows\System32\kfQBkaP.exe
  2⤵
  PID:9388
- C:\Windows\System32\YxmwBIU.exe
  C:\Windows\System32\YxmwBIU.exe
  2⤵
  PID:9404
- C:\Windows\System32\WCrPhgT.exe
  C:\Windows\System32\WCrPhgT.exe
  2⤵
  PID:9424
- C:\Windows\System32\FRkEBDX.exe
  C:\Windows\System32\FRkEBDX.exe
  2⤵
  PID:9452
- C:\Windows\System32\sSdVuBG.exe
  C:\Windows\System32\sSdVuBG.exe
  2⤵
  PID:9484
- C:\Windows\System32\zIiduZK.exe
  C:\Windows\System32\zIiduZK.exe
  2⤵
  PID:9508
- C:\Windows\System32\XrcBMSI.exe
  C:\Windows\System32\XrcBMSI.exe
  2⤵
  PID:9524
- C:\Windows\System32\dvPlZhy.exe
  C:\Windows\System32\dvPlZhy.exe
  2⤵
  PID:9540
- C:\Windows\System32\jgFmIiC.exe
  C:\Windows\System32\jgFmIiC.exe
  2⤵
  PID:9576
- C:\Windows\System32\MYFnVhF.exe
  C:\Windows\System32\MYFnVhF.exe
  2⤵
  PID:9632
- C:\Windows\System32\baVAJTM.exe
  C:\Windows\System32\baVAJTM.exe
  2⤵
  PID:9648
- C:\Windows\System32\RCwYlrY.exe
  C:\Windows\System32\RCwYlrY.exe
  2⤵
  PID:9692
- C:\Windows\System32\RfvVXTt.exe
  C:\Windows\System32\RfvVXTt.exe
  2⤵
  PID:9728
- C:\Windows\System32\YSIggDK.exe
  C:\Windows\System32\YSIggDK.exe
  2⤵
  PID:9752
- C:\Windows\System32\zpxWrmq.exe
  C:\Windows\System32\zpxWrmq.exe
  2⤵
  PID:9768
- C:\Windows\System32\LJcxvxn.exe
  C:\Windows\System32\LJcxvxn.exe
  2⤵
  PID:9800
- C:\Windows\System32\JQjuKoW.exe
  C:\Windows\System32\JQjuKoW.exe
  2⤵
  PID:9840
- C:\Windows\System32\bqUhiQk.exe
  C:\Windows\System32\bqUhiQk.exe
  2⤵
  PID:9856
- C:\Windows\System32\uAesZqg.exe
  C:\Windows\System32\uAesZqg.exe
  2⤵
  PID:9880
- C:\Windows\System32\KPAgqih.exe
  C:\Windows\System32\KPAgqih.exe
  2⤵
  PID:9904
- C:\Windows\System32\kKTBROL.exe
  C:\Windows\System32\kKTBROL.exe
  2⤵
  PID:9932
- C:\Windows\System32\ZqjLHOt.exe
  C:\Windows\System32\ZqjLHOt.exe
  2⤵
  PID:9948
- C:\Windows\System32\HYCbDjw.exe
  C:\Windows\System32\HYCbDjw.exe
  2⤵
  PID:9980
- C:\Windows\System32\CHVaHbS.exe
  C:\Windows\System32\CHVaHbS.exe
  2⤵
  PID:10000
- C:\Windows\System32\jwYUHTo.exe
  C:\Windows\System32\jwYUHTo.exe
  2⤵
  PID:10064
- C:\Windows\System32\NAivMFO.exe
  C:\Windows\System32\NAivMFO.exe
  2⤵
  PID:10088
- C:\Windows\System32\qsfREop.exe
  C:\Windows\System32\qsfREop.exe
  2⤵
  PID:10112
- C:\Windows\System32\otOEfhW.exe
  C:\Windows\System32\otOEfhW.exe
  2⤵
  PID:10136
- C:\Windows\System32\kLbFpRc.exe
  C:\Windows\System32\kLbFpRc.exe
  2⤵
  PID:10176
- C:\Windows\System32\DmYMoNH.exe
  C:\Windows\System32\DmYMoNH.exe
  2⤵
  PID:10204
- C:\Windows\System32\yAlPZah.exe
  C:\Windows\System32\yAlPZah.exe
  2⤵
  PID:10224
- C:\Windows\System32\EZzBkmh.exe
  C:\Windows\System32\EZzBkmh.exe
  2⤵
  PID:9144
- C:\Windows\System32\VGouBsM.exe
  C:\Windows\System32\VGouBsM.exe
  2⤵
  PID:9308
- C:\Windows\System32\kVZvfiq.exe
  C:\Windows\System32\kVZvfiq.exe
  2⤵
  PID:9352
- C:\Windows\System32\mXBAvLB.exe
  C:\Windows\System32\mXBAvLB.exe
  2⤵
  PID:9532
- C:\Windows\System32\NirKqQj.exe
  C:\Windows\System32\NirKqQj.exe
  2⤵
  PID:9472
- C:\Windows\System32\SNOTrmX.exe
  C:\Windows\System32\SNOTrmX.exe
  2⤵
  PID:9596
- C:\Windows\System32\HvSOgIe.exe
  C:\Windows\System32\HvSOgIe.exe
  2⤵
  PID:9640
- C:\Windows\System32\KuOMOaa.exe
  C:\Windows\System32\KuOMOaa.exe
  2⤵
  PID:9700
- C:\Windows\System32\PdTKDHT.exe
  C:\Windows\System32\PdTKDHT.exe
  2⤵
  PID:9780
- C:\Windows\System32\gbIeCpV.exe
  C:\Windows\System32\gbIeCpV.exe
  2⤵
  PID:9820
- C:\Windows\System32\KyjZgJy.exe
  C:\Windows\System32\KyjZgJy.exe
  2⤵
  PID:9900
- C:\Windows\System32\vPJVJHv.exe
  C:\Windows\System32\vPJVJHv.exe
  2⤵
  PID:9928
- C:\Windows\System32\ajJLAOU.exe
  C:\Windows\System32\ajJLAOU.exe
  2⤵
  PID:10048
- C:\Windows\System32\yFvWaGu.exe
  C:\Windows\System32\yFvWaGu.exe
  2⤵
  PID:10108
- C:\Windows\System32\YOnXnfn.exe
  C:\Windows\System32\YOnXnfn.exe
  2⤵
  PID:10148
- C:\Windows\System32\rVQUGeB.exe
  C:\Windows\System32\rVQUGeB.exe
  2⤵
  PID:10212
- C:\Windows\System32\sgGHsiq.exe
  C:\Windows\System32\sgGHsiq.exe
  2⤵
  PID:9252
- C:\Windows\System32\pbltILf.exe
  C:\Windows\System32\pbltILf.exe
  2⤵
  PID:9304
- C:\Windows\System32\fcmwumE.exe
  C:\Windows\System32\fcmwumE.exe
  2⤵
  PID:9412
- C:\Windows\System32\CPQZxtE.exe
  C:\Windows\System32\CPQZxtE.exe
  2⤵
  PID:9664
- C:\Windows\System32\wRNXzWr.exe
  C:\Windows\System32\wRNXzWr.exe
  2⤵
  PID:9764
- C:\Windows\System32\ksQeOPm.exe
  C:\Windows\System32\ksQeOPm.exe
  2⤵
  PID:9896
- C:\Windows\System32\XMTVrxB.exe
  C:\Windows\System32\XMTVrxB.exe
  2⤵
  PID:10020
- C:\Windows\System32\DjYZlcG.exe
  C:\Windows\System32\DjYZlcG.exe
  2⤵
  PID:10120
- C:\Windows\System32\cMlSwqm.exe
  C:\Windows\System32\cMlSwqm.exe
  2⤵
  PID:3412
- C:\Windows\System32\OoFzKUO.exe
  C:\Windows\System32\OoFzKUO.exe
  2⤵
  PID:9496
- C:\Windows\System32\ztacRqt.exe
  C:\Windows\System32\ztacRqt.exe
  2⤵
  PID:4660
- C:\Windows\System32\yFrftkE.exe
  C:\Windows\System32\yFrftkE.exe
  2⤵
  PID:1072
- C:\Windows\System32\MDrnkaH.exe
  C:\Windows\System32\MDrnkaH.exe
  2⤵
  PID:9616
- C:\Windows\System32\RnMwaQX.exe
  C:\Windows\System32\RnMwaQX.exe
  2⤵
  PID:9760
- C:\Windows\System32\CyXOesZ.exe
  C:\Windows\System32\CyXOesZ.exe
  2⤵
  PID:10272
- C:\Windows\System32\MzhNYZJ.exe
  C:\Windows\System32\MzhNYZJ.exe
  2⤵
  PID:10296
- C:\Windows\System32\JQMwfdH.exe
  C:\Windows\System32\JQMwfdH.exe
  2⤵
  PID:10316
- C:\Windows\System32\CHNLnIf.exe
  C:\Windows\System32\CHNLnIf.exe
  2⤵
  PID:10340
- C:\Windows\System32\NjKKqaD.exe
  C:\Windows\System32\NjKKqaD.exe
  2⤵
  PID:10384
- C:\Windows\System32\nNiqHbo.exe
  C:\Windows\System32\nNiqHbo.exe
  2⤵
  PID:10412
- C:\Windows\System32\IcCYjyT.exe
  C:\Windows\System32\IcCYjyT.exe
  2⤵
  PID:10436
- C:\Windows\System32\vxeyYCO.exe
  C:\Windows\System32\vxeyYCO.exe
  2⤵
  PID:10464
- C:\Windows\System32\lhXpaIP.exe
  C:\Windows\System32\lhXpaIP.exe
  2⤵
  PID:10504
- C:\Windows\System32\cjiUBVN.exe
  C:\Windows\System32\cjiUBVN.exe
  2⤵
  PID:10520
- C:\Windows\System32\sVkdZpF.exe
  C:\Windows\System32\sVkdZpF.exe
  2⤵
  PID:10540
- C:\Windows\System32\MEfsQdx.exe
  C:\Windows\System32\MEfsQdx.exe
  2⤵
  PID:10564
- C:\Windows\System32\kcyGWYI.exe
  C:\Windows\System32\kcyGWYI.exe
  2⤵
  PID:10584
- C:\Windows\System32\rTJYsNP.exe
  C:\Windows\System32\rTJYsNP.exe
  2⤵
  PID:10600
- C:\Windows\System32\qpRcKMM.exe
  C:\Windows\System32\qpRcKMM.exe
  2⤵
  PID:10644
- C:\Windows\System32\tfeZwnn.exe
  C:\Windows\System32\tfeZwnn.exe
  2⤵
  PID:10696
- C:\Windows\System32\sBcxTFv.exe
  C:\Windows\System32\sBcxTFv.exe
  2⤵
  PID:10716
- C:\Windows\System32\HsmNKZn.exe
  C:\Windows\System32\HsmNKZn.exe
  2⤵
  PID:10744
- C:\Windows\System32\JHdWZCG.exe
  C:\Windows\System32\JHdWZCG.exe
  2⤵
  PID:10772
- C:\Windows\System32\fHceFPT.exe
  C:\Windows\System32\fHceFPT.exe
  2⤵
  PID:10796
- C:\Windows\System32\eshAaRG.exe
  C:\Windows\System32\eshAaRG.exe
  2⤵
  PID:10840
- C:\Windows\System32\qqtuWSi.exe
  C:\Windows\System32\qqtuWSi.exe
  2⤵
  PID:10860
- C:\Windows\System32\vMxmSph.exe
  C:\Windows\System32\vMxmSph.exe
  2⤵
  PID:10880
- C:\Windows\System32\gcTVhxj.exe
  C:\Windows\System32\gcTVhxj.exe
  2⤵
  PID:10900
- C:\Windows\System32\fOxTQPw.exe
  C:\Windows\System32\fOxTQPw.exe
  2⤵
  PID:10916
- C:\Windows\System32\oCBQpLP.exe
  C:\Windows\System32\oCBQpLP.exe
  2⤵
  PID:10960
- C:\Windows\System32\kdrlLdS.exe
  C:\Windows\System32\kdrlLdS.exe
  2⤵
  PID:10980
- C:\Windows\System32\zBZnSZq.exe
  C:\Windows\System32\zBZnSZq.exe
  2⤵
  PID:11000
- C:\Windows\System32\BZfDKwa.exe
  C:\Windows\System32\BZfDKwa.exe
  2⤵
  PID:11064
- C:\Windows\System32\zyVusUy.exe
  C:\Windows\System32\zyVusUy.exe
  2⤵
  PID:11092
- C:\Windows\System32\pAShKdF.exe
  C:\Windows\System32\pAShKdF.exe
  2⤵
  PID:11116
- C:\Windows\System32\VtrkEaQ.exe
  C:\Windows\System32\VtrkEaQ.exe
  2⤵
  PID:11144
- C:\Windows\System32\TVCemyr.exe
  C:\Windows\System32\TVCemyr.exe
  2⤵
  PID:11164
- C:\Windows\System32\QNRGybZ.exe
  C:\Windows\System32\QNRGybZ.exe
  2⤵
  PID:11184
- C:\Windows\System32\sGXWjFk.exe
  C:\Windows\System32\sGXWjFk.exe
  2⤵
  PID:11244
- C:\Windows\System32\wFPruuw.exe
  C:\Windows\System32\wFPruuw.exe
  2⤵
  PID:11260
- C:\Windows\System32\oUXMkIH.exe
  C:\Windows\System32\oUXMkIH.exe
  2⤵
  PID:10268
- C:\Windows\System32\vVKKGSy.exe
  C:\Windows\System32\vVKKGSy.exe
  2⤵
  PID:10304
- C:\Windows\System32\WGNQXZJ.exe
  C:\Windows\System32\WGNQXZJ.exe
  2⤵
  PID:10352
- C:\Windows\System32\eoixMpw.exe
  C:\Windows\System32\eoixMpw.exe
  2⤵
  PID:10404
- C:\Windows\System32\HFgzIZx.exe
  C:\Windows\System32\HFgzIZx.exe
  2⤵
  PID:10500
- C:\Windows\System32\aISVIMh.exe
  C:\Windows\System32\aISVIMh.exe
  2⤵
  PID:10528
- C:\Windows\System32\GJvMfKh.exe
  C:\Windows\System32\GJvMfKh.exe
  2⤵
  PID:10632
- C:\Windows\System32\HsvNGNl.exe
  C:\Windows\System32\HsvNGNl.exe
  2⤵
  PID:10712
- C:\Windows\System32\DLgwQlh.exe
  C:\Windows\System32\DLgwQlh.exe
  2⤵
  PID:10724
- C:\Windows\System32\GWrLDYg.exe
  C:\Windows\System32\GWrLDYg.exe
  2⤵
  PID:10820
- C:\Windows\System32\LxtnXOx.exe
  C:\Windows\System32\LxtnXOx.exe
  2⤵
  PID:10868
- C:\Windows\System32\FjnsQlf.exe
  C:\Windows\System32\FjnsQlf.exe
  2⤵
  PID:10948
- C:\Windows\System32\ELisIFU.exe
  C:\Windows\System32\ELisIFU.exe
  2⤵
  PID:10968
- C:\Windows\System32\NMGEXiT.exe
  C:\Windows\System32\NMGEXiT.exe
  2⤵
  PID:11080
- C:\Windows\System32\MGXiMUW.exe
  C:\Windows\System32\MGXiMUW.exe
  2⤵
  PID:11100
- C:\Windows\System32\XJNmQmc.exe
  C:\Windows\System32\XJNmQmc.exe
  2⤵
  PID:11172
- C:\Windows\System32\ugJRmPC.exe
  C:\Windows\System32\ugJRmPC.exe
  2⤵
  PID:10256
- C:\Windows\System32\bVbqXJB.exe
  C:\Windows\System32\bVbqXJB.exe
  2⤵
  PID:10264
- C:\Windows\System32\IPjDvgt.exe
  C:\Windows\System32\IPjDvgt.exe
  2⤵
  PID:10424
- C:\Windows\System32\BikrkYC.exe
  C:\Windows\System32\BikrkYC.exe
  2⤵
  PID:10780
- C:\Windows\System32\EthlToa.exe
  C:\Windows\System32\EthlToa.exe
  2⤵
  PID:10856
- C:\Windows\System32\YHhlQrY.exe
  C:\Windows\System32\YHhlQrY.exe
  2⤵
  PID:11028
- C:\Windows\System32\CgwIMfV.exe
  C:\Windows\System32\CgwIMfV.exe
  2⤵
  PID:4420
- C:\Windows\System32\cfLAoJu.exe
  C:\Windows\System32\cfLAoJu.exe
  2⤵
  PID:11124
- C:\Windows\System32\InbUpWa.exe
  C:\Windows\System32\InbUpWa.exe
  2⤵
  PID:11256
- C:\Windows\System32\tbSdZSf.exe
  C:\Windows\System32\tbSdZSf.exe
  2⤵
  PID:10452
- C:\Windows\System32\mdWXYmK.exe
  C:\Windows\System32\mdWXYmK.exe
  2⤵
  PID:10912
- C:\Windows\System32\BbOZNzH.exe
  C:\Windows\System32\BbOZNzH.exe
  2⤵
  PID:10760
- C:\Windows\System32\DMcTkxV.exe
  C:\Windows\System32\DMcTkxV.exe
  2⤵
  PID:11288
- C:\Windows\System32\bglorDi.exe
  C:\Windows\System32\bglorDi.exe
  2⤵
  PID:11308
- C:\Windows\System32\jBYicNP.exe
  C:\Windows\System32\jBYicNP.exe
  2⤵
  PID:11324
- C:\Windows\System32\xqHcVmU.exe
  C:\Windows\System32\xqHcVmU.exe
  2⤵
  PID:11352
- C:\Windows\System32\QBTJHXr.exe
  C:\Windows\System32\QBTJHXr.exe
  2⤵
  PID:11372
- C:\Windows\System32\dbWsrys.exe
  C:\Windows\System32\dbWsrys.exe
  2⤵
  PID:11396
- C:\Windows\System32\gidXzqD.exe
  C:\Windows\System32\gidXzqD.exe
  2⤵
  PID:11424
- C:\Windows\System32\JoPIGqb.exe
  C:\Windows\System32\JoPIGqb.exe
  2⤵
  PID:11448
- C:\Windows\System32\NURjlgE.exe
  C:\Windows\System32\NURjlgE.exe
  2⤵
  PID:11480
- C:\Windows\System32\APvAriT.exe
  C:\Windows\System32\APvAriT.exe
  2⤵
  PID:11500
- C:\Windows\System32\HqexKHD.exe
  C:\Windows\System32\HqexKHD.exe
  2⤵
  PID:11536
- C:\Windows\System32\mmrdjfW.exe
  C:\Windows\System32\mmrdjfW.exe
  2⤵
  PID:11560
- C:\Windows\System32\GBGqdwY.exe
  C:\Windows\System32\GBGqdwY.exe
  2⤵
  PID:11576
- C:\Windows\System32\xncoWLa.exe
  C:\Windows\System32\xncoWLa.exe
  2⤵
  PID:11616
- C:\Windows\System32\buQAalJ.exe
  C:\Windows\System32\buQAalJ.exe
  2⤵
  PID:11644
- C:\Windows\System32\raoGqdf.exe
  C:\Windows\System32\raoGqdf.exe
  2⤵
  PID:11668
- C:\Windows\System32\EZFZNbf.exe
  C:\Windows\System32\EZFZNbf.exe
  2⤵
  PID:11684
- C:\Windows\System32\ebzSVrt.exe
  C:\Windows\System32\ebzSVrt.exe
  2⤵
  PID:11720
- C:\Windows\System32\CNxxOtn.exe
  C:\Windows\System32\CNxxOtn.exe
  2⤵
  PID:11764
- C:\Windows\System32\xMuWmxx.exe
  C:\Windows\System32\xMuWmxx.exe
  2⤵
  PID:11784
- C:\Windows\System32\UOeTPIj.exe
  C:\Windows\System32\UOeTPIj.exe
  2⤵
  PID:11820
- C:\Windows\System32\DSuGCCT.exe
  C:\Windows\System32\DSuGCCT.exe
  2⤵
  PID:11848
- C:\Windows\System32\dHLYltp.exe
  C:\Windows\System32\dHLYltp.exe
  2⤵
  PID:11880
- C:\Windows\System32\nWCbxXY.exe
  C:\Windows\System32\nWCbxXY.exe
  2⤵
  PID:11896
- C:\Windows\System32\nJcxoEu.exe
  C:\Windows\System32\nJcxoEu.exe
  2⤵
  PID:11916
- C:\Windows\System32\xUNidYE.exe
  C:\Windows\System32\xUNidYE.exe
  2⤵
  PID:11940
- C:\Windows\System32\BvIejqw.exe
  C:\Windows\System32\BvIejqw.exe
  2⤵
  PID:11960
- C:\Windows\System32\HBoCIMU.exe
  C:\Windows\System32\HBoCIMU.exe
  2⤵
  PID:11976
- C:\Windows\System32\XPhMtMA.exe
  C:\Windows\System32\XPhMtMA.exe
  2⤵
  PID:12032
- C:\Windows\System32\FBNarkb.exe
  C:\Windows\System32\FBNarkb.exe
  2⤵
  PID:12068
- C:\Windows\System32\QuXazBc.exe
  C:\Windows\System32\QuXazBc.exe
  2⤵
  PID:12096
- C:\Windows\System32\wTLzfEa.exe
  C:\Windows\System32\wTLzfEa.exe
  2⤵
  PID:12148
- C:\Windows\System32\RNyjVju.exe
  C:\Windows\System32\RNyjVju.exe
  2⤵
  PID:12176
- C:\Windows\System32\Vzhugtf.exe
  C:\Windows\System32\Vzhugtf.exe
  2⤵
  PID:12204
- C:\Windows\System32\KfaIjBI.exe
  C:\Windows\System32\KfaIjBI.exe
  2⤵
  PID:12224
- C:\Windows\System32\bikUNEI.exe
  C:\Windows\System32\bikUNEI.exe
  2⤵
  PID:12252
- C:\Windows\System32\vVWtlku.exe
  C:\Windows\System32\vVWtlku.exe
  2⤵
  PID:12284
- C:\Windows\System32\COiTLJm.exe
  C:\Windows\System32\COiTLJm.exe
  2⤵
  PID:11276
- C:\Windows\System32\AERtXDe.exe
  C:\Windows\System32\AERtXDe.exe
  2⤵
  PID:11316
- C:\Windows\System32\psDEkyn.exe
  C:\Windows\System32\psDEkyn.exe
  2⤵
  PID:11408
- C:\Windows\System32\FhGvKrc.exe
  C:\Windows\System32\FhGvKrc.exe
  2⤵
  PID:2456
- C:\Windows\System32\BHtnrUm.exe
  C:\Windows\System32\BHtnrUm.exe
  2⤵
  PID:11512
- C:\Windows\System32\LRircnt.exe
  C:\Windows\System32\LRircnt.exe
  2⤵
  PID:11544
- C:\Windows\System32\ITHfcul.exe
  C:\Windows\System32\ITHfcul.exe
  2⤵
  PID:11652
- C:\Windows\System32\ncUllrC.exe
  C:\Windows\System32\ncUllrC.exe
  2⤵
  PID:11632
- C:\Windows\System32\SnekEIo.exe
  C:\Windows\System32\SnekEIo.exe
  2⤵
  PID:11772
- C:\Windows\System32\phzWMjg.exe
  C:\Windows\System32\phzWMjg.exe
  2⤵
  PID:11812
- C:\Windows\System32\zxbgWeh.exe
  C:\Windows\System32\zxbgWeh.exe
  2⤵
  PID:11968
- C:\Windows\System32\keerzjc.exe
  C:\Windows\System32\keerzjc.exe
  2⤵
  PID:11984
- C:\Windows\System32\xHuClIm.exe
  C:\Windows\System32\xHuClIm.exe
  2⤵
  PID:12076
- C:\Windows\System32\iEkZchQ.exe
  C:\Windows\System32\iEkZchQ.exe
  2⤵
  PID:12116
- C:\Windows\System32\xFuhjpR.exe
  C:\Windows\System32\xFuhjpR.exe
  2⤵
  PID:12188
- C:\Windows\System32\nILnHdl.exe
  C:\Windows\System32\nILnHdl.exe
  2⤵
  PID:4628
- C:\Windows\System32\QomKIZn.exe
  C:\Windows\System32\QomKIZn.exe
  2⤵
  PID:12244
- C:\Windows\System32\cnuVRRr.exe
  C:\Windows\System32\cnuVRRr.exe
  2⤵
  PID:11304
- C:\Windows\System32\KVjpjKs.exe
  C:\Windows\System32\KVjpjKs.exe
  2⤵
  PID:11456
- C:\Windows\System32\yJqZabG.exe
  C:\Windows\System32\yJqZabG.exe
  2⤵
  PID:11700
- C:\Windows\System32\IDSKwbT.exe
  C:\Windows\System32\IDSKwbT.exe
  2⤵
  PID:11868
- C:\Windows\System32\KcroEee.exe
  C:\Windows\System32\KcroEee.exe
  2⤵
  PID:12000
- C:\Windows\System32\SvTNZxF.exe
  C:\Windows\System32\SvTNZxF.exe
  2⤵
  PID:12212
- C:\Windows\System32\fNYmiTQ.exe
  C:\Windows\System32\fNYmiTQ.exe
  2⤵
  PID:4588
- C:\Windows\System32\ZzLDyxm.exe
  C:\Windows\System32\ZzLDyxm.exe
  2⤵
  PID:11592
- C:\Windows\System32\NGWHbKZ.exe
  C:\Windows\System32\NGWHbKZ.exe
  2⤵
  PID:11828
- C:\Windows\System32\bDIjABj.exe
  C:\Windows\System32\bDIjABj.exe
  2⤵
  PID:11492
- C:\Windows\System32\EoTQpOQ.exe
  C:\Windows\System32\EoTQpOQ.exe
  2⤵
  PID:4764
- C:\Windows\System32\ZCpdzCw.exe
  C:\Windows\System32\ZCpdzCw.exe
  2⤵
  PID:12308
- C:\Windows\System32\WijNrDQ.exe
  C:\Windows\System32\WijNrDQ.exe
  2⤵
  PID:12324
- C:\Windows\System32\tDzItQv.exe
  C:\Windows\System32\tDzItQv.exe
  2⤵
  PID:12344
- C:\Windows\System32\CHvtpSo.exe
  C:\Windows\System32\CHvtpSo.exe
  2⤵
  PID:12360
- C:\Windows\System32\sbdduNc.exe
  C:\Windows\System32\sbdduNc.exe
  2⤵
  PID:12396
- C:\Windows\System32\QpmWWpf.exe
  C:\Windows\System32\QpmWWpf.exe
  2⤵
  PID:12428
- C:\Windows\System32\BnPQyoK.exe
  C:\Windows\System32\BnPQyoK.exe
  2⤵
  PID:12448
- C:\Windows\System32\kEEVbbo.exe
  C:\Windows\System32\kEEVbbo.exe
  2⤵
  PID:12468
- C:\Windows\System32\CDktyGP.exe
  C:\Windows\System32\CDktyGP.exe
  2⤵
  PID:12500
- C:\Windows\System32\UwHDfju.exe
  C:\Windows\System32\UwHDfju.exe
  2⤵
  PID:12560
- C:\Windows\System32\cOMNVCs.exe
  C:\Windows\System32\cOMNVCs.exe
  2⤵
  PID:12576
- C:\Windows\System32\DuWPcnF.exe
  C:\Windows\System32\DuWPcnF.exe
  2⤵
  PID:12604
- C:\Windows\System32\qhMXCKw.exe
  C:\Windows\System32\qhMXCKw.exe
  2⤵
  PID:12620
- C:\Windows\System32\EiZmZmc.exe
  C:\Windows\System32\EiZmZmc.exe
  2⤵
  PID:12652
- C:\Windows\System32\IiahoFo.exe
  C:\Windows\System32\IiahoFo.exe
  2⤵
  PID:12708
- C:\Windows\System32\QnAVihv.exe
  C:\Windows\System32\QnAVihv.exe
  2⤵
  PID:12728
- C:\Windows\System32\geoQRiN.exe
  C:\Windows\System32\geoQRiN.exe
  2⤵
  PID:12756
- C:\Windows\System32\BLWxZvp.exe
  C:\Windows\System32\BLWxZvp.exe
  2⤵
  PID:12780
- C:\Windows\System32\sDaxSMB.exe
  C:\Windows\System32\sDaxSMB.exe
  2⤵
  PID:12800
- C:\Windows\System32\BUKgICV.exe
  C:\Windows\System32\BUKgICV.exe
  2⤵
  PID:12828
- C:\Windows\System32\hFUWUTg.exe
  C:\Windows\System32\hFUWUTg.exe
  2⤵
  PID:12848
- C:\Windows\System32\cELcPhY.exe
  C:\Windows\System32\cELcPhY.exe
  2⤵
  PID:12868
- C:\Windows\System32\FtpNjiq.exe
  C:\Windows\System32\FtpNjiq.exe
  2⤵
  PID:12916
- C:\Windows\System32\flFmuGJ.exe
  C:\Windows\System32\flFmuGJ.exe
  2⤵
  PID:12944
- C:\Windows\System32\QKnZBky.exe
  C:\Windows\System32\QKnZBky.exe
  2⤵
  PID:12976
- C:\Windows\System32\pAdwskX.exe
  C:\Windows\System32\pAdwskX.exe
  2⤵
  PID:12992
- C:\Windows\System32\HuAgkaC.exe
  C:\Windows\System32\HuAgkaC.exe
  2⤵
  PID:13020
- C:\Windows\System32\AVNXoHj.exe
  C:\Windows\System32\AVNXoHj.exe
  2⤵
  PID:13036
- C:\Windows\System32\XCTdsVT.exe
  C:\Windows\System32\XCTdsVT.exe
  2⤵
  PID:13060
- C:\Windows\System32\KiiZABb.exe
  C:\Windows\System32\KiiZABb.exe
  2⤵
  PID:13076
- C:\Windows\System32\qcLUyRm.exe
  C:\Windows\System32\qcLUyRm.exe
  2⤵
  PID:13092
- C:\Windows\System32\GowzYJJ.exe
  C:\Windows\System32\GowzYJJ.exe
  2⤵
  PID:13112
- C:\Windows\System32\AltnGaC.exe
  C:\Windows\System32\AltnGaC.exe
  2⤵
  PID:13184
- C:\Windows\System32\jUJTrYK.exe
  C:\Windows\System32\jUJTrYK.exe
  2⤵
  PID:13232
- C:\Windows\System32\nKfkPmM.exe
  C:\Windows\System32\nKfkPmM.exe
  2⤵
  PID:13268
- C:\Windows\System32\otDwXOK.exe
  C:\Windows\System32\otDwXOK.exe
  2⤵
  PID:13300
- C:\Windows\System32\UBfsfJC.exe
  C:\Windows\System32\UBfsfJC.exe
  2⤵
  PID:4300
- C:\Windows\System32\LsHRVtk.exe
  C:\Windows\System32\LsHRVtk.exe
  2⤵
  PID:12376
- C:\Windows\System32\TXqkydT.exe
  C:\Windows\System32\TXqkydT.exe
  2⤵
  PID:12456
- C:\Windows\System32\HnDifAa.exe
  C:\Windows\System32\HnDifAa.exe
  2⤵
  PID:12512
- C:\Windows\System32\LVMfGPx.exe
  C:\Windows\System32\LVMfGPx.exe
  2⤵
  PID:12588

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BPuvMib.exe

Filesize
1.0MB

MD5
7a8254c02a2f07d1eb5a149bbde48b49

SHA1
f7d702e39adb0620b2b9076f36792743aedf5b18

SHA256
db1860272a20aee6af73f4e87f05616c1397b595575e1abdf2fddeafc8f107fe

SHA512
26c7819e1b04fd073188b07d490f8a76752c7cb65e9419499473b76db9c477ba81e65a05ffe83555afa1eac42e800b12e69128f156225d6e328a5684b14ffe46

Download Submit
C:\Windows\System32\CradlqV.exe

Filesize
1.0MB

MD5
a19d5146b4266d5f716469e72e9d83d8

SHA1
5ab2733b92778795a4cb03fb845c15e39b6c551e

SHA256
30ed3dec0676678248ca19a2cd506d60c851bde988e7b25c4c96ec3cf67c2e92

SHA512
ccce8971a4b4e7ab703c09995eac34046a0c79152075529ed7e512f6ff576853d2e2c991a32fcee30dd0ed6cbea03240a137871d494171aeccf220baa4118945

Download Submit
C:\Windows\System32\DPncptc.exe

Filesize
1021KB

MD5
9efd5674852f3ec1d0f83a2190a90a8a

SHA1
227048cee87490ab2e2748e8ac739408902654f1

SHA256
30d65757cbf0651eab9973efbed4d792c293ecfa1cba0a735d854358a3cb13fc

SHA512
9c12a0723a9ff71c77fffdaebcad284a7fa17b9e44a68796cd23c40826e9f2a93efc31d558126bc93f862f38b39442d2050c38ab87cae07ba50ebf09d4467271

Download Submit
C:\Windows\System32\FaQpvyC.exe

Filesize
1023KB

MD5
46e6fabf730140fba35bb8f5f591ed92

SHA1
f9c4e35eec629c0cf0846f54668885a52fce487c

SHA256
4111eb13060fadc68460bedfd6833540c8d559b38c1374971dd3af6aec4e03f9

SHA512
a6c8fc59ea3be8463e245a55bfca37419316df8fee9f4a3a9aa01900972a37e81d59ccc2412954212852fb755f7f5951592313cf8951bd424d77492e8d0f2086

Download Submit
C:\Windows\System32\GAMqkgT.exe

Filesize
1022KB

MD5
9bfa729919b99fd6c2c863bc5accc4e6

SHA1
52424eafdaf329fe5613cc0e00d8b6c8e19a777c

SHA256
4a371406fe53ee176f12782f33a575fe45460a29d0cd270af1f14a1268be2e6a

SHA512
5ef73c1fc213f395666921d42feb25b7504c57865022e685bbe7447d9a9a7c84b303dcb7ea173ca1f269f0d3bcb2ca321fc631024f7e5fb76214bc427f7cba7a

Download Submit
C:\Windows\System32\HMZQBhG.exe

Filesize
1.0MB

MD5
3a111638b5abb711d09773dfbbb57d6e

SHA1
dcca70a12c00bd16f5ad65fef77405d42fff65f3

SHA256
1298a379fee152ac25794f662ef3ea0e4891440d9b8ce315557c09b36ca9ad79

SHA512
ffac8783be8f9b1b33d3516d0590e0ccfae9219ecdd134cfff21279a6be58f3edab66e95d939198642c5558659fd1ee225b150c237602758085d91c3e5d796eb

Download Submit
C:\Windows\System32\HYGvppO.exe

Filesize
1021KB

MD5
368add9a2bc5be744071006f732ba098

SHA1
c23d04faeff1fcb99dfd56731ec291e203d7d83c

SHA256
ac1127a5b9ac598d598344ac1f01746adfbd122f110f495ccc6a2edeb10e8074

SHA512
d45a956cd14105d6c77e4f6e71c7cb9c8a9427a7369c17062f117b8cc51e76089116c3fcea81df0891099aee50fbea82736e1ffc83180d6c758cfa0b65afc7b4

Download Submit
C:\Windows\System32\IGCUfVB.exe

Filesize
1.0MB

MD5
a49f7ad12b1f950ce4de9657a92e119f

SHA1
513d0a23581c7e98ccd1ae7d10ae8b5b864cb6f8

SHA256
593a946f992908c2a3f3b11ba4064fb9f1e524f2280da61d28c5d665e20ab308

SHA512
0176de46604bee845671311dcd9f1e4c33b4f99f044e054e17087ffe06d9d42a72167a912860a5a7db53e80869301a39e60f4984ba962a1eb9700966dd3e8203

Download Submit
C:\Windows\System32\IepTMWh.exe

Filesize
1022KB

MD5
f5e2ef670f6070c313fce867248cfa02

SHA1
99b835c8fc035ffa14b4fd24f58775ca21ed3408

SHA256
2926efa4d4401c7a0d6458390472400d1a0a68237eceb392cdf4e591774d606e

SHA512
998d3fef6ce17a99de5027ada9cc7940e69075c038f7a16631e822127b09d3c83af7680e1c0700750171dfa504a5f55ceca65c002e1958260db8a6beb777db09

Download Submit
C:\Windows\System32\IuHYDll.exe

Filesize
1.0MB

MD5
779076180bc57e84b8117ffd65ce9383

SHA1
a0633527dd9a94b9cea8b82bac98e51d0588658b

SHA256
3c5e99ac9db47ed071f2ea89be35c4e7a4fc657fd3420f9abd1b309ca404cc94

SHA512
5f4012de1420ec832d05d2d85839de0ba76e3ca1a079c847d3baff5e489abc5fabb60878d2674cb6d33fc8696a9f7e6cb7f291568e8082fa823782de19f5da20

Download Submit
C:\Windows\System32\KZmhhIj.exe

Filesize
1.0MB

MD5
cd5ff86137f35d6415f3ab253af044d2

SHA1
6b071df85588fa4256bdc9d6f03a709f81deb742

SHA256
fe86ec909c8e29a40701bba095fd0f824906fb76b9cd3cfae72cb39c7d41676d

SHA512
2931f12f93d6e2ec4c0bee815a1c92b6a2b0a140869d308a8fe6b2f7a4b737d283d6389c3ad02c376e921a0f39b1b32ff3d4465a531c28835e169a44123d1753

Download Submit
C:\Windows\System32\MsGxUTT.exe

Filesize
1021KB

MD5
475eca42135467af0d23dae1ca0e39ed

SHA1
7c39089732d03c250ed4d0441e7ccdfcf311be68

SHA256
f5029e7fcd4f239949e225cc57c4faefb397e3661ad0d5d3b20ee7580c1e9f1b

SHA512
82c17b9988c87ca6b78f04ba65c38371282f3a6a06672dcfefd95a5853342663d31547e72cbec594d3f8a520b95d47d9fb611727d3d05c8ac942154127173375

Download Submit
C:\Windows\System32\ORpOlMd.exe

Filesize
1.0MB

MD5
ed5c74227dcbd4ba4d819a662c9fe815

SHA1
3200680373f3f5edcf9c8754dd7272b57bb2ed36

SHA256
6428c21cd1ca49f18f24f90f3a3586835acc68f5d8512021ac4b0a7a9f43ec64

SHA512
85dd471e6ed4d70f4e208cfe5949257f35042ecef2fcae002b2aa088435dfb5b9b14970991853bfae708e2a2f2d740afdc8f132020ca37f2bf5ce42ba78d61b8

Download Submit
C:\Windows\System32\SvpUGop.exe

Filesize
1023KB

MD5
a89c82cd2e87b615843ca4808d432f91

SHA1
40c512d3d1757d356d0ac93345b8d45aa4c5b596

SHA256
061c516f5d5765e44dbc1b64071a92fa113d46a4d048cc0b3434fa98fa73ff11

SHA512
083f56f52fa6044cf35dc0302d866038015da4b34e75ce073169622ba4cdbe5f92d21a66a16669b9db379a152ba624d36e8db896db9e5c51a0c0b1e384de87ea

Download Submit
C:\Windows\System32\TMlEtJH.exe

Filesize
1.0MB

MD5
31141ea3258ee3fcfbe3345eb96a8445

SHA1
fd0b9cfbbe0a990d75069a39b272d4cb21af3da3

SHA256
11f730a3234bf2f36702d60554493d80051c5a2675c08142760b179bacb9f29b

SHA512
4ba6f11d86300b01d741638ce728ac390df3e11b5bc649b9c28bf2c2928e556f72f2f6e59499bb1eecea9fed06ee09d7789e15ebded3d18af6e40954f38af585

Download Submit
C:\Windows\System32\UjUjpVj.exe

Filesize
1.0MB

MD5
438f862167ce03a28f8bf7abba39f969

SHA1
92fc8ef966c87f4d00e733c5d41242a0d296ed5f

SHA256
1e571c71afa0b7bd872540fa009b3c3927300833b558a2cc68df434f439b5a25

SHA512
d7be12e75d68faab4b2b4495443968bb4d2b98a58ba4bc4db46d435f5b7c477e86639359842edd405a363bb1d37b00e009da5c7e37ec35dc33a683c9d828bec3

Download Submit
C:\Windows\System32\VNRZuKc.exe

Filesize
1.0MB

MD5
8bf393a070e420af750aafaaa90080da

SHA1
5caa07d4558df9ab752a89dc452d51cee9ab0913

SHA256
0dc85b850fcbe70f45b0ae5d136bfef7b4a630f28ff850905960a0acb2bf9255

SHA512
8f976de082a67a94a4dbe57a9a98be00df4029998425ef5eb313905e88220eb351f8cefe41d7218cccd55d816b96b7023465d31751eea16b0b2e2015d62d9463

Download Submit
C:\Windows\System32\dlmygdn.exe

Filesize
1020KB

MD5
87b04cc38a87b8d7e09fa00d12bb3d72

SHA1
64d30fef584849374994bf581fba5138da58f735

SHA256
cc27e927910be2afa94057d1e8ea9748b90aadd49a6e95140162a027af56f5ad

SHA512
7ae8a8f5ed84078a8a7bf20eda1e522616f274d6496c3b4b52217bc51066bbdeae0353d74739a50f9c6b4b2c8abed11f10afacc9b0bcef9e6f0a13f1fcf2edf1

Download Submit
C:\Windows\System32\fMEzojD.exe

Filesize
1020KB

MD5
03b791de23fcb19dca348a89cdd0cba9

SHA1
cea69e4efc2eef00614abb5d3b7f628d237facea

SHA256
429e62e6342d890593d4bcc54442f05eb03be35d3a22daa3fe85c39471b9aa89

SHA512
d22a41c692ff020c16a627a7120c191ab849b314152798b5725a8e430850b5293eca356a9a38d136500f65789b25c9d88b33e0d4fc4e6110281c186d98b85e9c

Download Submit
C:\Windows\System32\gPETccQ.exe

Filesize
1022KB

MD5
93be25ec138e538c7459cd3d44036bdb

SHA1
5091f7988e9c25b15f97a1c1111fdedec7a72209

SHA256
48c25c5d57e8751d9989cac1076fd4b5d78c2e01e3ba5e338b24bee4b8d205e2

SHA512
e648a4e0d7769cfe41c2cc9615b33fb43491b31316195151d573db2c0205d26166c779c77c45410d01d3be0aecfd7c40add9b38a1192656bdd2db10ea768871b

Download Submit
C:\Windows\System32\gSwONLw.exe

Filesize
1022KB

MD5
2dcb611e534e98590b15585630781a39

SHA1
5520f308ddb30b9e1710af28d731e5763cb85bbc

SHA256
b6978d4a64d7c29df7e39616fc5280e0c95fe9f95dea6297612ccb24464007c8

SHA512
4ab2735a410bdefc760657762f41e70aac3a7c9c442cef84ed5541e606fce20e5cbd02a394fa45f5d593bb3dad9d80e9168d07824d1d474a15be574652dd79c4

Download Submit
C:\Windows\System32\jTmNwsv.exe

Filesize
1.0MB

MD5
cca84460fccb97e32caf42d285286525

SHA1
2a58d4d0e1901fcde276b76d474b7c743373472c

SHA256
37b266c5d1f566ada59e91b2832c282548503dfed939ee91af019fb652ec3818

SHA512
760abbd036578b7a446f2fc33de4a197e598804c000a7a8d6e54c52fa343bb1debb8c0c0031a749ef15ff163b9e5bf7a4e31f5536fe53659035a1398029a6d88

Download Submit
C:\Windows\System32\jkdyRAG.exe

Filesize
1021KB

MD5
1127ea3a344582b5bcac6bc67c2b051e

SHA1
793032cd29ee3a9c782f7d962c0f57fe9a7cc922

SHA256
6abf92ff5c0361bd3b25650896981b1ea69d1edcb446922d294257ae3c91b0e4

SHA512
ddb612ab010d235f5cf84e9c5493fc7abe4a22699c00caa090a6df5680ef9f78ac6923b76c8f798ef375c62acb0bef18f640a14eb275dc018e4813f54500602e

Download Submit
C:\Windows\System32\mOeWlhi.exe

Filesize
1023KB

MD5
9dd1f60975fad800fb22521c23b233fe

SHA1
78fce4393e3bfbf182ebcd739662e7ee5f46ef4e

SHA256
d4df2339c82d2ab096420f23f40c0b223362143c8b3ede16c7227495d2d3ee08

SHA512
3afca72892d5fc2ff367e31a9469b0ca371ada8675167d00e91c2f1020c66dc0f9c11bd143ef56546de1dd06fed862cb32d767303b2c35e47d3f63e215d686a4

Download Submit
C:\Windows\System32\nuRxMjc.exe

Filesize
1020KB

MD5
16e3bcb08ef59409d881620790c3a0da

SHA1
1c61fbaf6dbf262bfb7b1333d161db298c9e32e5

SHA256
b5101d483aab2c29d68561bfc56adcb8c23674e7ecb4f13cce70f3fda899e079

SHA512
16bf96e7007cbb6e09bb87ed2c9ecd93404eccdea31932695afc97b6a74e5b536ec02e47d3ca3be4c9ac5342990d526d78dee72faa90ee8302a21acd3d9c2d84

Download Submit
C:\Windows\System32\nzNBhKs.exe

Filesize
1.0MB

MD5
efd2167e20735eab108aaf17d3665868

SHA1
df434f9377c792c57ba9b67e33570e99608bdd68

SHA256
3f57870bda148a817e9bf464b680c34664dd91736a74331acc53cb63c4f33f1a

SHA512
c6ef96ad8af73240b87205d4b242569f84a4fa0ef863892767432fc1d3620fb6cb68ae4abcb2b811aa8efe5700981d0f5e0ed9ed82e8bd5de39d466137fac7a8

Download Submit
C:\Windows\System32\oyGSowm.exe

Filesize
1.0MB

MD5
0272c4cc62db9dadc4215ee8e02f71bb

SHA1
e070b383f28cf396229b9bffce585759f10b62c2

SHA256
1a85f4cc91d55d927f34efd0ef35ab97013ef7ca51554053bbd7a326d1e67516

SHA512
79cafc0961b8b557e2c99eece87889f2116a7cb8e1135bbec7f420331c186bd59b5cc46037f8f2e4257b8ae0607743a85e1a4b058a54b6f214863c356da73a78

Download Submit
C:\Windows\System32\qExgArV.exe

Filesize
1.0MB

MD5
f379d809593872640fc3de91868b5a87

SHA1
6f9e9e261d002df11a42b768c559a562a93b3d2a

SHA256
925efdcd7c02dcefd8b1f15b0d3038866e48085853d4e3004d3f1cb5ab7f588d

SHA512
bf6506c9e786689dd45cfdb012c955c0f7fa9429dc66b5bef6e5f95be930431a02b233ff24b531c90867b7b86e20fc4cb8ccd0061d92b03b00d8bde6540c2e50

Download Submit
C:\Windows\System32\sEZbwEQ.exe

Filesize
1.0MB

MD5
0f0706e3ca83d1e0b3078ee7e98f2e44

SHA1
ecb9602e1f1819b9242b0466d276f7b85876255c

SHA256
067a54a8d7d005372024bbc00ce7d4cd22980cdd1bf4139b3ba9cab8c0d086aa

SHA512
d8ecb97a831defa28f631cdc6c5eb237edf0ddac0d0f929b7464d3b0742ad03fb98eda4b43088034e9b762caf337a8d3dca81c12adc852932729de032357f05a

Download Submit
C:\Windows\System32\tHXzrFZ.exe

Filesize
1.0MB

MD5
d428d5c417d137789073bdf5e89856c5

SHA1
e75010b71f9ea1ce1424cdbab10d886c037d2b12

SHA256
25e9d72bd37ce88653777af54e3eec65e771fa6a8aaa06bb115bf4fda98ea648

SHA512
5f28c0ad7441804f2a87f605a1278a240c30a9874de3ac8ba70425b2277b99c39694deedb34b3ecaa96953c836bdfa9bd78917cc466ffc0d5a66affe5a8ab37c

Download Submit
C:\Windows\System32\tsEwJQm.exe

Filesize
1023KB

MD5
6b03eac32e4b303df79958f963a15cf9

SHA1
32ce181398fb7a8693560c9abdadac558d744259

SHA256
eaa0ff09ecdff137e0b9d496f37b4d56c745edd9b33afd73803f365b37bc47fd

SHA512
b952ad784118e6ef4128cee027940bf204840def5b89b075efed15adf436bf25219144edb6186f8de100657ea34060aa5c9d9a256a685d204b97a136108bcc49

Download Submit
C:\Windows\System32\ylqgQzf.exe

Filesize
1.0MB

MD5
e48e55e46dc39930d56fc3b0437e0d84

SHA1
c7e5f9153c4706e3d14e7df2f39b85a9fcf39304

SHA256
5ba2cd9f9534f668f3b985e271d112446e6dc635fcbed11de8f0157c8d4fa652

SHA512
a1f145b15ab7a6f225ac8a3d1f8b50b3f2fed15df1c42deda954833fd0fc2a9384507a44536bd955de266357bae1fc3a0450b3e119fc5a8bda9340b82deadd49

Download Submit
memory/116-0-0x00007FF64D3D0000-0x00007FF64D7C1000-memory.dmp

Filesize
3.9MB

Download
memory/116-1-0x000001D247600000-0x000001D247610000-memory.dmp

Filesize
64KB

Download
memory/760-2035-0x00007FF610BF0000-0x00007FF610FE1000-memory.dmp

Filesize
3.9MB

Download
memory/760-83-0x00007FF610BF0000-0x00007FF610FE1000-memory.dmp

Filesize
3.9MB

Download
memory/892-71-0x00007FF78B430000-0x00007FF78B821000-memory.dmp

Filesize
3.9MB

Download
memory/892-1983-0x00007FF78B430000-0x00007FF78B821000-memory.dmp

Filesize
3.9MB

Download
memory/892-2039-0x00007FF78B430000-0x00007FF78B821000-memory.dmp

Filesize
3.9MB

Download
memory/924-2027-0x00007FF7B8240000-0x00007FF7B8631000-memory.dmp

Filesize
3.9MB

Download
memory/924-1982-0x00007FF7B8240000-0x00007FF7B8631000-memory.dmp

Filesize
3.9MB

Download
memory/924-34-0x00007FF7B8240000-0x00007FF7B8631000-memory.dmp

Filesize
3.9MB

Download
memory/1064-380-0x00007FF68FCE0000-0x00007FF6900D1000-memory.dmp

Filesize
3.9MB

Download
memory/1064-2065-0x00007FF68FCE0000-0x00007FF6900D1000-memory.dmp

Filesize
3.9MB

Download
memory/1164-2048-0x00007FF7C4130000-0x00007FF7C4521000-memory.dmp

Filesize
3.9MB

Download
memory/1164-389-0x00007FF7C4130000-0x00007FF7C4521000-memory.dmp

Filesize
3.9MB

Download
memory/1316-88-0x00007FF6295C0000-0x00007FF6299B1000-memory.dmp

Filesize
3.9MB

Download
memory/1316-2045-0x00007FF6295C0000-0x00007FF6299B1000-memory.dmp

Filesize
3.9MB

Download
memory/1424-52-0x00007FF7EF600000-0x00007FF7EF9F1000-memory.dmp

Filesize
3.9MB

Download
memory/1424-2025-0x00007FF7EF600000-0x00007FF7EF9F1000-memory.dmp

Filesize
3.9MB

Download
memory/1708-385-0x00007FF70ED90000-0x00007FF70F181000-memory.dmp

Filesize
3.9MB

Download
memory/1708-2060-0x00007FF70ED90000-0x00007FF70F181000-memory.dmp

Filesize
3.9MB

Download
memory/2004-2017-0x00007FF731BC0000-0x00007FF731FB1000-memory.dmp

Filesize
3.9MB

Download
memory/2004-90-0x00007FF731BC0000-0x00007FF731FB1000-memory.dmp

Filesize
3.9MB

Download
memory/2004-2067-0x00007FF731BC0000-0x00007FF731FB1000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2063-0x00007FF6BFB60000-0x00007FF6BFF51000-memory.dmp

Filesize
3.9MB

Download
memory/2264-388-0x00007FF6BFB60000-0x00007FF6BFF51000-memory.dmp

Filesize
3.9MB

Download
memory/2672-1981-0x00007FF6FCCF0000-0x00007FF6FD0E1000-memory.dmp

Filesize
3.9MB

Download
memory/2672-22-0x00007FF6FCCF0000-0x00007FF6FD0E1000-memory.dmp

Filesize
3.9MB

Download
memory/2672-2019-0x00007FF6FCCF0000-0x00007FF6FD0E1000-memory.dmp

Filesize
3.9MB

Download
memory/2692-2054-0x00007FF617A60000-0x00007FF617E51000-memory.dmp

Filesize
3.9MB

Download
memory/2692-382-0x00007FF617A60000-0x00007FF617E51000-memory.dmp

Filesize
3.9MB

Download
memory/2756-78-0x00007FF6D1A30000-0x00007FF6D1E21000-memory.dmp

Filesize
3.9MB

Download
memory/2756-2031-0x00007FF6D1A30000-0x00007FF6D1E21000-memory.dmp

Filesize
3.9MB

Download
memory/2840-2042-0x00007FF75B800000-0x00007FF75BBF1000-memory.dmp

Filesize
3.9MB

Download
memory/2840-89-0x00007FF75B800000-0x00007FF75BBF1000-memory.dmp

Filesize
3.9MB

Download
memory/2968-2052-0x00007FF6E73C0000-0x00007FF6E77B1000-memory.dmp

Filesize
3.9MB

Download
memory/2968-386-0x00007FF6E73C0000-0x00007FF6E77B1000-memory.dmp

Filesize
3.9MB

Download
memory/2996-62-0x00007FF7D5E00000-0x00007FF7D61F1000-memory.dmp

Filesize
3.9MB

Download
memory/2996-2037-0x00007FF7D5E00000-0x00007FF7D61F1000-memory.dmp

Filesize
3.9MB

Download
memory/3116-2050-0x00007FF6FC440000-0x00007FF6FC831000-memory.dmp

Filesize
3.9MB

Download
memory/3116-387-0x00007FF6FC440000-0x00007FF6FC831000-memory.dmp

Filesize
3.9MB

Download
memory/3508-2058-0x00007FF7444B0000-0x00007FF7448A1000-memory.dmp

Filesize
3.9MB

Download
memory/3508-384-0x00007FF7444B0000-0x00007FF7448A1000-memory.dmp

Filesize
3.9MB

Download
memory/4064-75-0x00007FF63B1E0000-0x00007FF63B5D1000-memory.dmp

Filesize
3.9MB

Download
memory/4064-2023-0x00007FF63B1E0000-0x00007FF63B5D1000-memory.dmp

Filesize
3.9MB

Download
memory/4192-2033-0x00007FF756E20000-0x00007FF757211000-memory.dmp

Filesize
3.9MB

Download
memory/4192-80-0x00007FF756E20000-0x00007FF757211000-memory.dmp

Filesize
3.9MB

Download
memory/4600-12-0x00007FF7CF050000-0x00007FF7CF441000-memory.dmp

Filesize
3.9MB

Download
memory/4600-2021-0x00007FF7CF050000-0x00007FF7CF441000-memory.dmp

Filesize
3.9MB

Download
memory/4664-2029-0x00007FF64FF90000-0x00007FF650381000-memory.dmp

Filesize
3.9MB

Download
memory/4664-61-0x00007FF64FF90000-0x00007FF650381000-memory.dmp

Filesize
3.9MB

Download
memory/5056-2043-0x00007FF72CBB0000-0x00007FF72CFA1000-memory.dmp

Filesize
3.9MB

Download
memory/5056-1984-0x00007FF72CBB0000-0x00007FF72CFA1000-memory.dmp

Filesize
3.9MB

Download
memory/5056-74-0x00007FF72CBB0000-0x00007FF72CFA1000-memory.dmp

Filesize
3.9MB

Download
memory/5116-383-0x00007FF634A60000-0x00007FF634E51000-memory.dmp

Filesize
3.9MB

Download
memory/5116-2056-0x00007FF634A60000-0x00007FF634E51000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads