xmrig | 8475c8538c0911099c6788421a3a18a0e6a623962d1a6108e8fd013c2d070b1b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
Size

1.1MB
MD5

01ab08af8cae7d555d12975af0979424
SHA1

73ea1ade07110e987aad83f7fc24838745fce677
SHA256

8475c8538c0911099c6788421a3a18a0e6a623962d1a6108e8fd013c2d070b1b
SHA512

593f1efeaf4e48a52652e944d8461fa1398498f5b8ad6a34cc30a60a96c37696ace816164d38afbdbad528beb0e2ab70ac516eeb2c87df47b6d77b7dcf864fc4
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCej06sSo:knw9oUUEEDlGUrMjo

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3788-378-0x00007FF789030000-0x00007FF789421000-memory.dmp	xmrig
behavioral2/memory/5088-379-0x00007FF7B8310000-0x00007FF7B8701000-memory.dmp	xmrig
behavioral2/memory/2980-380-0x00007FF7D7DE0000-0x00007FF7D81D1000-memory.dmp	xmrig
behavioral2/memory/4352-381-0x00007FF747830000-0x00007FF747C21000-memory.dmp	xmrig
behavioral2/memory/848-382-0x00007FF647550000-0x00007FF647941000-memory.dmp	xmrig
behavioral2/memory/3412-383-0x00007FF62C510000-0x00007FF62C901000-memory.dmp	xmrig
behavioral2/memory/420-384-0x00007FF6E5D00000-0x00007FF6E60F1000-memory.dmp	xmrig
behavioral2/memory/2752-385-0x00007FF7B7AD0000-0x00007FF7B7EC1000-memory.dmp	xmrig
behavioral2/memory/3236-386-0x00007FF6CE020000-0x00007FF6CE411000-memory.dmp	xmrig
behavioral2/memory/3444-387-0x00007FF795DD0000-0x00007FF7961C1000-memory.dmp	xmrig
behavioral2/memory/2748-388-0x00007FF60B770000-0x00007FF60BB61000-memory.dmp	xmrig
behavioral2/memory/2032-396-0x00007FF676820000-0x00007FF676C11000-memory.dmp	xmrig
behavioral2/memory/4664-403-0x00007FF7BD790000-0x00007FF7BDB81000-memory.dmp	xmrig
behavioral2/memory/2008-409-0x00007FF73EAB0000-0x00007FF73EEA1000-memory.dmp	xmrig
behavioral2/memory/4784-401-0x00007FF75A650000-0x00007FF75AA41000-memory.dmp	xmrig
behavioral2/memory/964-417-0x00007FF7FC040000-0x00007FF7FC431000-memory.dmp	xmrig
behavioral2/memory/2264-416-0x00007FF63CB50000-0x00007FF63CF41000-memory.dmp	xmrig
behavioral2/memory/2328-390-0x00007FF763310000-0x00007FF763701000-memory.dmp	xmrig
behavioral2/memory/2460-1978-0x00007FF6015F0000-0x00007FF6019E1000-memory.dmp	xmrig
behavioral2/memory/1540-1988-0x00007FF6B8FB0000-0x00007FF6B93A1000-memory.dmp	xmrig
behavioral2/memory/4516-1989-0x00007FF7F6350000-0x00007FF7F6741000-memory.dmp	xmrig
behavioral2/memory/3392-1990-0x00007FF6A5340000-0x00007FF6A5731000-memory.dmp	xmrig
behavioral2/memory/3476-1996-0x00007FF722490000-0x00007FF722881000-memory.dmp	xmrig
behavioral2/memory/212-1998-0x00007FF632A50000-0x00007FF632E41000-memory.dmp	xmrig
behavioral2/memory/2460-2000-0x00007FF6015F0000-0x00007FF6019E1000-memory.dmp	xmrig
behavioral2/memory/848-2008-0x00007FF647550000-0x00007FF647941000-memory.dmp	xmrig
behavioral2/memory/3412-2020-0x00007FF62C510000-0x00007FF62C901000-memory.dmp	xmrig
behavioral2/memory/2752-2026-0x00007FF7B7AD0000-0x00007FF7B7EC1000-memory.dmp	xmrig
behavioral2/memory/4784-2036-0x00007FF75A650000-0x00007FF75AA41000-memory.dmp	xmrig
behavioral2/memory/2264-2042-0x00007FF63CB50000-0x00007FF63CF41000-memory.dmp	xmrig
behavioral2/memory/2032-2040-0x00007FF676820000-0x00007FF676C11000-memory.dmp	xmrig
behavioral2/memory/2008-2038-0x00007FF73EAB0000-0x00007FF73EEA1000-memory.dmp	xmrig
behavioral2/memory/4664-2034-0x00007FF7BD790000-0x00007FF7BDB81000-memory.dmp	xmrig
behavioral2/memory/3444-2028-0x00007FF795DD0000-0x00007FF7961C1000-memory.dmp	xmrig
behavioral2/memory/420-2024-0x00007FF6E5D00000-0x00007FF6E60F1000-memory.dmp	xmrig
behavioral2/memory/2328-2032-0x00007FF763310000-0x00007FF763701000-memory.dmp	xmrig
behavioral2/memory/2748-2030-0x00007FF60B770000-0x00007FF60BB61000-memory.dmp	xmrig
behavioral2/memory/3236-2022-0x00007FF6CE020000-0x00007FF6CE411000-memory.dmp	xmrig
behavioral2/memory/3788-2018-0x00007FF789030000-0x00007FF789421000-memory.dmp	xmrig
behavioral2/memory/2980-2014-0x00007FF7D7DE0000-0x00007FF7D81D1000-memory.dmp	xmrig
behavioral2/memory/964-2012-0x00007FF7FC040000-0x00007FF7FC431000-memory.dmp	xmrig
behavioral2/memory/1540-2006-0x00007FF6B8FB0000-0x00007FF6B93A1000-memory.dmp	xmrig
behavioral2/memory/5088-2016-0x00007FF7B8310000-0x00007FF7B8701000-memory.dmp	xmrig
behavioral2/memory/3392-2002-0x00007FF6A5340000-0x00007FF6A5731000-memory.dmp	xmrig
behavioral2/memory/4352-2010-0x00007FF747830000-0x00007FF747C21000-memory.dmp	xmrig
behavioral2/memory/4516-2004-0x00007FF7F6350000-0x00007FF7F6741000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3476	rZnsGxF.exe
212	khTWvkS.exe
2460	gokpwER.exe
4516	fIypOLc.exe
1540	axZmOAz.exe
3392	hgmTcSr.exe
964	svVYbTD.exe
3788	cEFfoxJ.exe
5088	ttpXrfg.exe
2980	BCBvsgM.exe
4352	NMiKYBD.exe
848	hksMWTV.exe
3412	tGnNzll.exe
420	GzIOypN.exe
2752	ZoIpWFV.exe
3236	zKGAvkz.exe
3444	AIHJZei.exe
2748	feWHudm.exe
2328	OUzmWgi.exe
2032	znHyomp.exe
4784	AUMsrEQ.exe
4664	RzMiOMr.exe
2008	oMZDQzK.exe
2264	vroHTyh.exe
3800	IbeqdEj.exe
1472	LzbslwF.exe
3764	JeRtdDZ.exe
1804	xFIOuhC.exe
1320	pVOtmSq.exe
4816	IzQnVqw.exe
4900	rzFsciq.exe
1628	UbreZkz.exe
2868	fgJzkqH.exe
1492	CVhDWki.exe
2240	WRyBshz.exe
4672	EGxmcTS.exe
4436	LykgRfh.exe
3048	funcBTK.exe
4272	EkOrJVw.exe
2288	TcsWABm.exe
1272	cBYAfcW.exe
2512	RjveCoa.exe
1840	AOlzVtE.exe
4696	FHUMplU.exe
4288	hMKJbcn.exe
1140	XEhCNdr.exe
4880	mnzZkSs.exe
4512	IpTJJMc.exe
1880	hTnfmSB.exe
3080	gGJJoxG.exe
4504	kWDUCKK.exe
4668	TZMsNgh.exe
1036	GuXGyZZ.exe
2344	RgyVyoK.exe
2348	lXvUpLY.exe
3464	JTgQCiG.exe
4016	rrxKeih.exe
4860	kkUBFVK.exe
372	tMnItkx.exe
1384	JMMrSWw.exe
1688	sCRSZRV.exe
1028	wpLNPQg.exe
2400	BOOvNKi.exe
2816	oDVavZf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/816-0-0x00007FF6EE400000-0x00007FF6EE7F1000-memory.dmp	upx
behavioral2/files/0x00080000000234c5-4.dat	upx
behavioral2/files/0x00070000000234cb-16.dat	upx
behavioral2/memory/212-18-0x00007FF632A50000-0x00007FF632E41000-memory.dmp	upx
behavioral2/files/0x00070000000234cc-24.dat	upx
behavioral2/memory/4516-27-0x00007FF7F6350000-0x00007FF7F6741000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-36.dat	upx
behavioral2/files/0x00070000000234ce-41.dat	upx
behavioral2/files/0x00070000000234d1-54.dat	upx
behavioral2/files/0x00070000000234d2-61.dat	upx
behavioral2/files/0x00070000000234d6-81.dat	upx
behavioral2/files/0x00070000000234d8-91.dat	upx
behavioral2/files/0x00070000000234e0-131.dat	upx
behavioral2/files/0x00070000000234e4-151.dat	upx
behavioral2/memory/3392-377-0x00007FF6A5340000-0x00007FF6A5731000-memory.dmp	upx
behavioral2/memory/3788-378-0x00007FF789030000-0x00007FF789421000-memory.dmp	upx
behavioral2/memory/5088-379-0x00007FF7B8310000-0x00007FF7B8701000-memory.dmp	upx
behavioral2/memory/2980-380-0x00007FF7D7DE0000-0x00007FF7D81D1000-memory.dmp	upx
behavioral2/memory/4352-381-0x00007FF747830000-0x00007FF747C21000-memory.dmp	upx
behavioral2/memory/848-382-0x00007FF647550000-0x00007FF647941000-memory.dmp	upx
behavioral2/memory/3412-383-0x00007FF62C510000-0x00007FF62C901000-memory.dmp	upx
behavioral2/memory/420-384-0x00007FF6E5D00000-0x00007FF6E60F1000-memory.dmp	upx
behavioral2/files/0x00070000000234e7-166.dat	upx
behavioral2/memory/2752-385-0x00007FF7B7AD0000-0x00007FF7B7EC1000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-161.dat	upx
behavioral2/files/0x00070000000234e5-156.dat	upx
behavioral2/memory/3236-386-0x00007FF6CE020000-0x00007FF6CE411000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-146.dat	upx
behavioral2/files/0x00070000000234e2-141.dat	upx
behavioral2/memory/3444-387-0x00007FF795DD0000-0x00007FF7961C1000-memory.dmp	upx
behavioral2/files/0x00070000000234e1-136.dat	upx
behavioral2/files/0x00070000000234df-126.dat	upx
behavioral2/files/0x00070000000234de-121.dat	upx
behavioral2/files/0x00070000000234dd-116.dat	upx
behavioral2/files/0x00070000000234dc-111.dat	upx
behavioral2/files/0x00070000000234db-109.dat	upx
behavioral2/files/0x00070000000234da-104.dat	upx
behavioral2/memory/2748-388-0x00007FF60B770000-0x00007FF60BB61000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-99.dat	upx
behavioral2/memory/2032-396-0x00007FF676820000-0x00007FF676C11000-memory.dmp	upx
behavioral2/memory/4664-403-0x00007FF7BD790000-0x00007FF7BDB81000-memory.dmp	upx
behavioral2/memory/2008-409-0x00007FF73EAB0000-0x00007FF73EEA1000-memory.dmp	upx
behavioral2/memory/4784-401-0x00007FF75A650000-0x00007FF75AA41000-memory.dmp	upx
behavioral2/memory/964-417-0x00007FF7FC040000-0x00007FF7FC431000-memory.dmp	upx
behavioral2/memory/2264-416-0x00007FF63CB50000-0x00007FF63CF41000-memory.dmp	upx
behavioral2/memory/2328-390-0x00007FF763310000-0x00007FF763701000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-86.dat	upx
behavioral2/files/0x00070000000234d5-76.dat	upx
behavioral2/files/0x00070000000234d4-71.dat	upx
behavioral2/files/0x00070000000234d3-69.dat	upx
behavioral2/files/0x00070000000234d0-51.dat	upx
behavioral2/files/0x00070000000234cf-46.dat	upx
behavioral2/memory/1540-30-0x00007FF6B8FB0000-0x00007FF6B93A1000-memory.dmp	upx
behavioral2/memory/2460-26-0x00007FF6015F0000-0x00007FF6019E1000-memory.dmp	upx
behavioral2/files/0x00070000000234ca-23.dat	upx
behavioral2/files/0x00070000000234c9-21.dat	upx
behavioral2/memory/3476-9-0x00007FF722490000-0x00007FF722881000-memory.dmp	upx
behavioral2/memory/2460-1978-0x00007FF6015F0000-0x00007FF6019E1000-memory.dmp	upx
behavioral2/memory/1540-1988-0x00007FF6B8FB0000-0x00007FF6B93A1000-memory.dmp	upx
behavioral2/memory/4516-1989-0x00007FF7F6350000-0x00007FF7F6741000-memory.dmp	upx
behavioral2/memory/3392-1990-0x00007FF6A5340000-0x00007FF6A5731000-memory.dmp	upx
behavioral2/memory/3476-1996-0x00007FF722490000-0x00007FF722881000-memory.dmp	upx
behavioral2/memory/212-1998-0x00007FF632A50000-0x00007FF632E41000-memory.dmp	upx
behavioral2/memory/2460-2000-0x00007FF6015F0000-0x00007FF6019E1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\rZnsGxF.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\iPwFAjg.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\EkBXlPJ.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\rXzpajP.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\LOUubdb.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\YmxXvOA.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\cdHZYaJ.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\noxNrBg.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\onPVWgS.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\fSCRqRw.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\mgORMcc.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\ZKtWOWk.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\ybdIvyT.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\uKNiHXI.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\JMMrSWw.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\IJrcSqw.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\JNtAUJH.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\ehqMqCl.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\JqvuYBJ.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\NXLHgkE.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\EgjiuQj.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\AdfTRBl.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\mJMHSbm.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\OZYdHur.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\OLEBQRT.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\VigHVAD.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\XamIzjK.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\nmfXPGz.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\dbjPjxK.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\LykgRfh.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\dAXqBlL.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\MtPabAx.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\lWdftkS.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\uKvWKQu.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\MHHwvRV.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\iVSFlYY.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\HtKSWer.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\FLwBOdh.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\YbBVuxg.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\OetNpuE.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\EGjbELD.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\iaKStaa.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\aMSDbkV.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\pUdftdG.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\JipAOln.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\JMDLSmk.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\yWvEgVc.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\rKaaCEG.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\DTClFAH.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\drOAxky.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\Mhtjgln.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\sFegfdz.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\seZklbx.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\UnzeHYL.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\oMwCwLP.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\lXvUpLY.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\dwWwsiH.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\GYDVUIv.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\jcuKAOU.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\oyacGMX.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\bfzOMNW.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\hgmTcSr.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\kkUBFVK.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
File created	C:\Windows\System32\BBGFDox.exe	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12880	dwm.exe
Token: SeChangeNotifyPrivilege	12880	dwm.exe
Token: 33	12880	dwm.exe
Token: SeIncBasePriorityPrivilege	12880	dwm.exe
Token: SeShutdownPrivilege	12880	dwm.exe
Token: SeCreatePagefilePrivilege	12880	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 3476	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	85
PID 816 wrote to memory of 3476	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	85
PID 816 wrote to memory of 212	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	86
PID 816 wrote to memory of 212	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	86
PID 816 wrote to memory of 2460	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	87
PID 816 wrote to memory of 2460	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	87
PID 816 wrote to memory of 4516	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	88
PID 816 wrote to memory of 4516	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	88
PID 816 wrote to memory of 1540	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	89
PID 816 wrote to memory of 1540	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	89
PID 816 wrote to memory of 3392	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	90
PID 816 wrote to memory of 3392	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	90
PID 816 wrote to memory of 964	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	91
PID 816 wrote to memory of 964	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	91
PID 816 wrote to memory of 3788	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	92
PID 816 wrote to memory of 3788	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	92
PID 816 wrote to memory of 5088	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	93
PID 816 wrote to memory of 5088	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	93
PID 816 wrote to memory of 2980	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	94
PID 816 wrote to memory of 2980	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	94
PID 816 wrote to memory of 4352	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	95
PID 816 wrote to memory of 4352	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	95
PID 816 wrote to memory of 848	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	96
PID 816 wrote to memory of 848	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	96
PID 816 wrote to memory of 3412	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	97
PID 816 wrote to memory of 3412	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	97
PID 816 wrote to memory of 420	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	98
PID 816 wrote to memory of 420	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	98
PID 816 wrote to memory of 2752	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	99
PID 816 wrote to memory of 2752	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	99
PID 816 wrote to memory of 3236	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	100
PID 816 wrote to memory of 3236	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	100
PID 816 wrote to memory of 3444	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	101
PID 816 wrote to memory of 3444	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	101
PID 816 wrote to memory of 2748	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	102
PID 816 wrote to memory of 2748	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	102
PID 816 wrote to memory of 2328	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	103
PID 816 wrote to memory of 2328	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	103
PID 816 wrote to memory of 2032	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	104
PID 816 wrote to memory of 2032	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	104
PID 816 wrote to memory of 4784	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	105
PID 816 wrote to memory of 4784	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	105
PID 816 wrote to memory of 4664	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	106
PID 816 wrote to memory of 4664	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	106
PID 816 wrote to memory of 2008	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	107
PID 816 wrote to memory of 2008	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	107
PID 816 wrote to memory of 2264	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	108
PID 816 wrote to memory of 2264	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	108
PID 816 wrote to memory of 3800	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	109
PID 816 wrote to memory of 3800	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	109
PID 816 wrote to memory of 1472	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	110
PID 816 wrote to memory of 1472	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	110
PID 816 wrote to memory of 3764	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	111
PID 816 wrote to memory of 3764	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	111
PID 816 wrote to memory of 1804	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	112
PID 816 wrote to memory of 1804	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	112
PID 816 wrote to memory of 1320	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	113
PID 816 wrote to memory of 1320	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	113
PID 816 wrote to memory of 4816	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	114
PID 816 wrote to memory of 4816	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	114
PID 816 wrote to memory of 4900	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	115
PID 816 wrote to memory of 4900	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	115
PID 816 wrote to memory of 1628	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	116
PID 816 wrote to memory of 1628	816	01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01ab08af8cae7d555d12975af0979424_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\System32\rZnsGxF.exe
  C:\Windows\System32\rZnsGxF.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System32\khTWvkS.exe
  C:\Windows\System32\khTWvkS.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System32\gokpwER.exe
  C:\Windows\System32\gokpwER.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System32\fIypOLc.exe
  C:\Windows\System32\fIypOLc.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\axZmOAz.exe
  C:\Windows\System32\axZmOAz.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\hgmTcSr.exe
  C:\Windows\System32\hgmTcSr.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System32\svVYbTD.exe
  C:\Windows\System32\svVYbTD.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System32\cEFfoxJ.exe
  C:\Windows\System32\cEFfoxJ.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System32\ttpXrfg.exe
  C:\Windows\System32\ttpXrfg.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\BCBvsgM.exe
  C:\Windows\System32\BCBvsgM.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System32\NMiKYBD.exe
  C:\Windows\System32\NMiKYBD.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\hksMWTV.exe
  C:\Windows\System32\hksMWTV.exe
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\System32\tGnNzll.exe
  C:\Windows\System32\tGnNzll.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\GzIOypN.exe
  C:\Windows\System32\GzIOypN.exe
  2⤵
  - Executes dropped EXE
  PID:420
- C:\Windows\System32\ZoIpWFV.exe
  C:\Windows\System32\ZoIpWFV.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\zKGAvkz.exe
  C:\Windows\System32\zKGAvkz.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\AIHJZei.exe
  C:\Windows\System32\AIHJZei.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System32\feWHudm.exe
  C:\Windows\System32\feWHudm.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System32\OUzmWgi.exe
  C:\Windows\System32\OUzmWgi.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System32\znHyomp.exe
  C:\Windows\System32\znHyomp.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System32\AUMsrEQ.exe
  C:\Windows\System32\AUMsrEQ.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System32\RzMiOMr.exe
  C:\Windows\System32\RzMiOMr.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System32\oMZDQzK.exe
  C:\Windows\System32\oMZDQzK.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System32\vroHTyh.exe
  C:\Windows\System32\vroHTyh.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\IbeqdEj.exe
  C:\Windows\System32\IbeqdEj.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System32\LzbslwF.exe
  C:\Windows\System32\LzbslwF.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System32\JeRtdDZ.exe
  C:\Windows\System32\JeRtdDZ.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\xFIOuhC.exe
  C:\Windows\System32\xFIOuhC.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\pVOtmSq.exe
  C:\Windows\System32\pVOtmSq.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System32\IzQnVqw.exe
  C:\Windows\System32\IzQnVqw.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System32\rzFsciq.exe
  C:\Windows\System32\rzFsciq.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\UbreZkz.exe
  C:\Windows\System32\UbreZkz.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System32\fgJzkqH.exe
  C:\Windows\System32\fgJzkqH.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\CVhDWki.exe
  C:\Windows\System32\CVhDWki.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System32\WRyBshz.exe
  C:\Windows\System32\WRyBshz.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System32\EGxmcTS.exe
  C:\Windows\System32\EGxmcTS.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\LykgRfh.exe
  C:\Windows\System32\LykgRfh.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\funcBTK.exe
  C:\Windows\System32\funcBTK.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System32\EkOrJVw.exe
  C:\Windows\System32\EkOrJVw.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\TcsWABm.exe
  C:\Windows\System32\TcsWABm.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\cBYAfcW.exe
  C:\Windows\System32\cBYAfcW.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System32\RjveCoa.exe
  C:\Windows\System32\RjveCoa.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System32\AOlzVtE.exe
  C:\Windows\System32\AOlzVtE.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System32\FHUMplU.exe
  C:\Windows\System32\FHUMplU.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\hMKJbcn.exe
  C:\Windows\System32\hMKJbcn.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\XEhCNdr.exe
  C:\Windows\System32\XEhCNdr.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System32\mnzZkSs.exe
  C:\Windows\System32\mnzZkSs.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\IpTJJMc.exe
  C:\Windows\System32\IpTJJMc.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\hTnfmSB.exe
  C:\Windows\System32\hTnfmSB.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System32\gGJJoxG.exe
  C:\Windows\System32\gGJJoxG.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\kWDUCKK.exe
  C:\Windows\System32\kWDUCKK.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System32\TZMsNgh.exe
  C:\Windows\System32\TZMsNgh.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\GuXGyZZ.exe
  C:\Windows\System32\GuXGyZZ.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System32\RgyVyoK.exe
  C:\Windows\System32\RgyVyoK.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System32\lXvUpLY.exe
  C:\Windows\System32\lXvUpLY.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System32\JTgQCiG.exe
  C:\Windows\System32\JTgQCiG.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\rrxKeih.exe
  C:\Windows\System32\rrxKeih.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System32\kkUBFVK.exe
  C:\Windows\System32\kkUBFVK.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\tMnItkx.exe
  C:\Windows\System32\tMnItkx.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System32\JMMrSWw.exe
  C:\Windows\System32\JMMrSWw.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System32\sCRSZRV.exe
  C:\Windows\System32\sCRSZRV.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System32\wpLNPQg.exe
  C:\Windows\System32\wpLNPQg.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System32\BOOvNKi.exe
  C:\Windows\System32\BOOvNKi.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System32\oDVavZf.exe
  C:\Windows\System32\oDVavZf.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System32\iPwFAjg.exe
  C:\Windows\System32\iPwFAjg.exe
  2⤵
  PID:944
- C:\Windows\System32\uiCfpen.exe
  C:\Windows\System32\uiCfpen.exe
  2⤵
  PID:3136
- C:\Windows\System32\XnWJErD.exe
  C:\Windows\System32\XnWJErD.exe
  2⤵
  PID:3676
- C:\Windows\System32\mbDnQtm.exe
  C:\Windows\System32\mbDnQtm.exe
  2⤵
  PID:3872
- C:\Windows\System32\haklczr.exe
  C:\Windows\System32\haklczr.exe
  2⤵
  PID:4972
- C:\Windows\System32\WbMklQj.exe
  C:\Windows\System32\WbMklQj.exe
  2⤵
  PID:1620
- C:\Windows\System32\mrqxkSX.exe
  C:\Windows\System32\mrqxkSX.exe
  2⤵
  PID:4828
- C:\Windows\System32\TCwrHcy.exe
  C:\Windows\System32\TCwrHcy.exe
  2⤵
  PID:3224
- C:\Windows\System32\QWRZeEx.exe
  C:\Windows\System32\QWRZeEx.exe
  2⤵
  PID:1908
- C:\Windows\System32\gmOeFCy.exe
  C:\Windows\System32\gmOeFCy.exe
  2⤵
  PID:3356
- C:\Windows\System32\oolHGFO.exe
  C:\Windows\System32\oolHGFO.exe
  2⤵
  PID:2168
- C:\Windows\System32\IJrcSqw.exe
  C:\Windows\System32\IJrcSqw.exe
  2⤵
  PID:1496
- C:\Windows\System32\TCXMzsA.exe
  C:\Windows\System32\TCXMzsA.exe
  2⤵
  PID:1888
- C:\Windows\System32\OtTjfqp.exe
  C:\Windows\System32\OtTjfqp.exe
  2⤵
  PID:3372
- C:\Windows\System32\hZBZbWE.exe
  C:\Windows\System32\hZBZbWE.exe
  2⤵
  PID:4932
- C:\Windows\System32\FYQnxqa.exe
  C:\Windows\System32\FYQnxqa.exe
  2⤵
  PID:2216
- C:\Windows\System32\wDWKDlR.exe
  C:\Windows\System32\wDWKDlR.exe
  2⤵
  PID:2920
- C:\Windows\System32\sMxIGZN.exe
  C:\Windows\System32\sMxIGZN.exe
  2⤵
  PID:4876
- C:\Windows\System32\ufPFFvZ.exe
  C:\Windows\System32\ufPFFvZ.exe
  2⤵
  PID:1532
- C:\Windows\System32\ZJDiYYd.exe
  C:\Windows\System32\ZJDiYYd.exe
  2⤵
  PID:3020
- C:\Windows\System32\QBWnbkd.exe
  C:\Windows\System32\QBWnbkd.exe
  2⤵
  PID:2716
- C:\Windows\System32\zLuTeEP.exe
  C:\Windows\System32\zLuTeEP.exe
  2⤵
  PID:2648
- C:\Windows\System32\UGrldsu.exe
  C:\Windows\System32\UGrldsu.exe
  2⤵
  PID:5140
- C:\Windows\System32\ujjcTqf.exe
  C:\Windows\System32\ujjcTqf.exe
  2⤵
  PID:5156
- C:\Windows\System32\hywVcgB.exe
  C:\Windows\System32\hywVcgB.exe
  2⤵
  PID:5184
- C:\Windows\System32\DtYlGBK.exe
  C:\Windows\System32\DtYlGBK.exe
  2⤵
  PID:5212
- C:\Windows\System32\pYFcSaf.exe
  C:\Windows\System32\pYFcSaf.exe
  2⤵
  PID:5252
- C:\Windows\System32\DHZcGOd.exe
  C:\Windows\System32\DHZcGOd.exe
  2⤵
  PID:5276
- C:\Windows\System32\numoIHf.exe
  C:\Windows\System32\numoIHf.exe
  2⤵
  PID:5296
- C:\Windows\System32\nrxprhh.exe
  C:\Windows\System32\nrxprhh.exe
  2⤵
  PID:5336
- C:\Windows\System32\cpjwYbB.exe
  C:\Windows\System32\cpjwYbB.exe
  2⤵
  PID:5352
- C:\Windows\System32\pVUlxWv.exe
  C:\Windows\System32\pVUlxWv.exe
  2⤵
  PID:5380
- C:\Windows\System32\umgeiQs.exe
  C:\Windows\System32\umgeiQs.exe
  2⤵
  PID:5412
- C:\Windows\System32\MGmaSAF.exe
  C:\Windows\System32\MGmaSAF.exe
  2⤵
  PID:5440
- C:\Windows\System32\OetNpuE.exe
  C:\Windows\System32\OetNpuE.exe
  2⤵
  PID:5480
- C:\Windows\System32\ktWavKp.exe
  C:\Windows\System32\ktWavKp.exe
  2⤵
  PID:5508
- C:\Windows\System32\cdHZYaJ.exe
  C:\Windows\System32\cdHZYaJ.exe
  2⤵
  PID:5524
- C:\Windows\System32\oRZjvOn.exe
  C:\Windows\System32\oRZjvOn.exe
  2⤵
  PID:5556
- C:\Windows\System32\EehFZmP.exe
  C:\Windows\System32\EehFZmP.exe
  2⤵
  PID:5684
- C:\Windows\System32\QThOEBN.exe
  C:\Windows\System32\QThOEBN.exe
  2⤵
  PID:5716
- C:\Windows\System32\dAXqBlL.exe
  C:\Windows\System32\dAXqBlL.exe
  2⤵
  PID:5732
- C:\Windows\System32\XaQrTGQ.exe
  C:\Windows\System32\XaQrTGQ.exe
  2⤵
  PID:5752
- C:\Windows\System32\OKINflM.exe
  C:\Windows\System32\OKINflM.exe
  2⤵
  PID:5772
- C:\Windows\System32\aZiNYDS.exe
  C:\Windows\System32\aZiNYDS.exe
  2⤵
  PID:5812
- C:\Windows\System32\AdfTRBl.exe
  C:\Windows\System32\AdfTRBl.exe
  2⤵
  PID:5844
- C:\Windows\System32\ZPvDhRv.exe
  C:\Windows\System32\ZPvDhRv.exe
  2⤵
  PID:5876
- C:\Windows\System32\nQVXuPl.exe
  C:\Windows\System32\nQVXuPl.exe
  2⤵
  PID:5928
- C:\Windows\System32\uNklYCD.exe
  C:\Windows\System32\uNklYCD.exe
  2⤵
  PID:5964
- C:\Windows\System32\dWziASa.exe
  C:\Windows\System32\dWziASa.exe
  2⤵
  PID:5996
- C:\Windows\System32\OEOVzrv.exe
  C:\Windows\System32\OEOVzrv.exe
  2⤵
  PID:6020
- C:\Windows\System32\lOsmkXk.exe
  C:\Windows\System32\lOsmkXk.exe
  2⤵
  PID:6040
- C:\Windows\System32\prZyCGa.exe
  C:\Windows\System32\prZyCGa.exe
  2⤵
  PID:6080
- C:\Windows\System32\yaJOWpL.exe
  C:\Windows\System32\yaJOWpL.exe
  2⤵
  PID:6104
- C:\Windows\System32\noxNrBg.exe
  C:\Windows\System32\noxNrBg.exe
  2⤵
  PID:6136
- C:\Windows\System32\kWRLdDU.exe
  C:\Windows\System32\kWRLdDU.exe
  2⤵
  PID:2124
- C:\Windows\System32\BooIRoz.exe
  C:\Windows\System32\BooIRoz.exe
  2⤵
  PID:2904
- C:\Windows\System32\OQOWBhG.exe
  C:\Windows\System32\OQOWBhG.exe
  2⤵
  PID:1648
- C:\Windows\System32\TdBAiiL.exe
  C:\Windows\System32\TdBAiiL.exe
  2⤵
  PID:772
- C:\Windows\System32\kumkWfT.exe
  C:\Windows\System32\kumkWfT.exe
  2⤵
  PID:5124
- C:\Windows\System32\ZjksFvX.exe
  C:\Windows\System32\ZjksFvX.exe
  2⤵
  PID:5164
- C:\Windows\System32\iFzFRIl.exe
  C:\Windows\System32\iFzFRIl.exe
  2⤵
  PID:5236
- C:\Windows\System32\IjnvoSx.exe
  C:\Windows\System32\IjnvoSx.exe
  2⤵
  PID:5292
- C:\Windows\System32\vEglilb.exe
  C:\Windows\System32\vEglilb.exe
  2⤵
  PID:5308
- C:\Windows\System32\ccuWfHT.exe
  C:\Windows\System32\ccuWfHT.exe
  2⤵
  PID:2756
- C:\Windows\System32\BdXOrKD.exe
  C:\Windows\System32\BdXOrKD.exe
  2⤵
  PID:5424
- C:\Windows\System32\iXNyQgl.exe
  C:\Windows\System32\iXNyQgl.exe
  2⤵
  PID:3040
- C:\Windows\System32\fwvEwyD.exe
  C:\Windows\System32\fwvEwyD.exe
  2⤵
  PID:5488
- C:\Windows\System32\JySZJsT.exe
  C:\Windows\System32\JySZJsT.exe
  2⤵
  PID:5520
- C:\Windows\System32\RkTffhU.exe
  C:\Windows\System32\RkTffhU.exe
  2⤵
  PID:5548
- C:\Windows\System32\vmaxMda.exe
  C:\Windows\System32\vmaxMda.exe
  2⤵
  PID:928
- C:\Windows\System32\dnEHIOB.exe
  C:\Windows\System32\dnEHIOB.exe
  2⤵
  PID:552
- C:\Windows\System32\BjTyVuD.exe
  C:\Windows\System32\BjTyVuD.exe
  2⤵
  PID:2524
- C:\Windows\System32\rnmHXXN.exe
  C:\Windows\System32\rnmHXXN.exe
  2⤵
  PID:4120
- C:\Windows\System32\WDGdLfA.exe
  C:\Windows\System32\WDGdLfA.exe
  2⤵
  PID:4492
- C:\Windows\System32\iaoiwpm.exe
  C:\Windows\System32\iaoiwpm.exe
  2⤵
  PID:2116
- C:\Windows\System32\LEvMLPW.exe
  C:\Windows\System32\LEvMLPW.exe
  2⤵
  PID:5788
- C:\Windows\System32\bkyKzTw.exe
  C:\Windows\System32\bkyKzTw.exe
  2⤵
  PID:5224
- C:\Windows\System32\WmrEbVB.exe
  C:\Windows\System32\WmrEbVB.exe
  2⤵
  PID:216
- C:\Windows\System32\uKvWKQu.exe
  C:\Windows\System32\uKvWKQu.exe
  2⤵
  PID:3576
- C:\Windows\System32\KkZgwPy.exe
  C:\Windows\System32\KkZgwPy.exe
  2⤵
  PID:3088
- C:\Windows\System32\giGEOGT.exe
  C:\Windows\System32\giGEOGT.exe
  2⤵
  PID:6120
- C:\Windows\System32\MHHwvRV.exe
  C:\Windows\System32\MHHwvRV.exe
  2⤵
  PID:6036
- C:\Windows\System32\IjCiRSB.exe
  C:\Windows\System32\IjCiRSB.exe
  2⤵
  PID:6008
- C:\Windows\System32\ofxeSao.exe
  C:\Windows\System32\ofxeSao.exe
  2⤵
  PID:2964
- C:\Windows\System32\HvoBjQf.exe
  C:\Windows\System32\HvoBjQf.exe
  2⤵
  PID:5872
- C:\Windows\System32\RjWspxx.exe
  C:\Windows\System32\RjWspxx.exe
  2⤵
  PID:5368
- C:\Windows\System32\AMPwxbB.exe
  C:\Windows\System32\AMPwxbB.exe
  2⤵
  PID:5452
- C:\Windows\System32\bppMvKr.exe
  C:\Windows\System32\bppMvKr.exe
  2⤵
  PID:3740
- C:\Windows\System32\ahMBuly.exe
  C:\Windows\System32\ahMBuly.exe
  2⤵
  PID:2224
- C:\Windows\System32\BlBxGiA.exe
  C:\Windows\System32\BlBxGiA.exe
  2⤵
  PID:5804
- C:\Windows\System32\rRcdYNi.exe
  C:\Windows\System32\rRcdYNi.exe
  2⤵
  PID:3792
- C:\Windows\System32\gVMxYdA.exe
  C:\Windows\System32\gVMxYdA.exe
  2⤵
  PID:4032
- C:\Windows\System32\KCQitQm.exe
  C:\Windows\System32\KCQitQm.exe
  2⤵
  PID:1832
- C:\Windows\System32\ZeMTHmm.exe
  C:\Windows\System32\ZeMTHmm.exe
  2⤵
  PID:1168
- C:\Windows\System32\WeKFOjf.exe
  C:\Windows\System32\WeKFOjf.exe
  2⤵
  PID:1960
- C:\Windows\System32\wdYWREY.exe
  C:\Windows\System32\wdYWREY.exe
  2⤵
  PID:5176
- C:\Windows\System32\tYLKrcY.exe
  C:\Windows\System32\tYLKrcY.exe
  2⤵
  PID:5892
- C:\Windows\System32\BBGFDox.exe
  C:\Windows\System32\BBGFDox.exe
  2⤵
  PID:2484
- C:\Windows\System32\vMEfHLG.exe
  C:\Windows\System32\vMEfHLG.exe
  2⤵
  PID:5708
- C:\Windows\System32\jsFfZeU.exe
  C:\Windows\System32\jsFfZeU.exe
  2⤵
  PID:5832
- C:\Windows\System32\HGFMyAn.exe
  C:\Windows\System32\HGFMyAn.exe
  2⤵
  PID:6164
- C:\Windows\System32\BQkHwDI.exe
  C:\Windows\System32\BQkHwDI.exe
  2⤵
  PID:6188
- C:\Windows\System32\ofZTHGh.exe
  C:\Windows\System32\ofZTHGh.exe
  2⤵
  PID:6220
- C:\Windows\System32\rhxEZVF.exe
  C:\Windows\System32\rhxEZVF.exe
  2⤵
  PID:6252
- C:\Windows\System32\KDDxVGS.exe
  C:\Windows\System32\KDDxVGS.exe
  2⤵
  PID:6272
- C:\Windows\System32\EGjbELD.exe
  C:\Windows\System32\EGjbELD.exe
  2⤵
  PID:6296
- C:\Windows\System32\jvyeVhY.exe
  C:\Windows\System32\jvyeVhY.exe
  2⤵
  PID:6316
- C:\Windows\System32\TiFCIeU.exe
  C:\Windows\System32\TiFCIeU.exe
  2⤵
  PID:6332
- C:\Windows\System32\ZTgsjRs.exe
  C:\Windows\System32\ZTgsjRs.exe
  2⤵
  PID:6384
- C:\Windows\System32\fiJlYaC.exe
  C:\Windows\System32\fiJlYaC.exe
  2⤵
  PID:6420
- C:\Windows\System32\nZLWWKY.exe
  C:\Windows\System32\nZLWWKY.exe
  2⤵
  PID:6452
- C:\Windows\System32\RzRAHzn.exe
  C:\Windows\System32\RzRAHzn.exe
  2⤵
  PID:6488
- C:\Windows\System32\NwESoku.exe
  C:\Windows\System32\NwESoku.exe
  2⤵
  PID:6512
- C:\Windows\System32\SoFQBpi.exe
  C:\Windows\System32\SoFQBpi.exe
  2⤵
  PID:6540
- C:\Windows\System32\oftDKIa.exe
  C:\Windows\System32\oftDKIa.exe
  2⤵
  PID:6560
- C:\Windows\System32\YhzweCO.exe
  C:\Windows\System32\YhzweCO.exe
  2⤵
  PID:6588
- C:\Windows\System32\IvyZJwF.exe
  C:\Windows\System32\IvyZJwF.exe
  2⤵
  PID:6612
- C:\Windows\System32\RQyRzEw.exe
  C:\Windows\System32\RQyRzEw.exe
  2⤵
  PID:6636
- C:\Windows\System32\mKrGExn.exe
  C:\Windows\System32\mKrGExn.exe
  2⤵
  PID:6656
- C:\Windows\System32\UWkvTZp.exe
  C:\Windows\System32\UWkvTZp.exe
  2⤵
  PID:6676
- C:\Windows\System32\OpImtND.exe
  C:\Windows\System32\OpImtND.exe
  2⤵
  PID:6732
- C:\Windows\System32\sMqZmKF.exe
  C:\Windows\System32\sMqZmKF.exe
  2⤵
  PID:6748
- C:\Windows\System32\dZxiHOz.exe
  C:\Windows\System32\dZxiHOz.exe
  2⤵
  PID:6772
- C:\Windows\System32\UXZzXsN.exe
  C:\Windows\System32\UXZzXsN.exe
  2⤵
  PID:6788
- C:\Windows\System32\vZPqtXW.exe
  C:\Windows\System32\vZPqtXW.exe
  2⤵
  PID:6812
- C:\Windows\System32\osEOQyU.exe
  C:\Windows\System32\osEOQyU.exe
  2⤵
  PID:6832
- C:\Windows\System32\gdYoJBr.exe
  C:\Windows\System32\gdYoJBr.exe
  2⤵
  PID:6884
- C:\Windows\System32\OqRpHdp.exe
  C:\Windows\System32\OqRpHdp.exe
  2⤵
  PID:6916
- C:\Windows\System32\QuLMlTs.exe
  C:\Windows\System32\QuLMlTs.exe
  2⤵
  PID:6948
- C:\Windows\System32\oXKrjdX.exe
  C:\Windows\System32\oXKrjdX.exe
  2⤵
  PID:6988
- C:\Windows\System32\OLEBQRT.exe
  C:\Windows\System32\OLEBQRT.exe
  2⤵
  PID:7004
- C:\Windows\System32\JNtAUJH.exe
  C:\Windows\System32\JNtAUJH.exe
  2⤵
  PID:7020
- C:\Windows\System32\zjBQaTa.exe
  C:\Windows\System32\zjBQaTa.exe
  2⤵
  PID:7044
- C:\Windows\System32\ARSjReQ.exe
  C:\Windows\System32\ARSjReQ.exe
  2⤵
  PID:7060
- C:\Windows\System32\reupxBL.exe
  C:\Windows\System32\reupxBL.exe
  2⤵
  PID:7132
- C:\Windows\System32\RFEskDK.exe
  C:\Windows\System32\RFEskDK.exe
  2⤵
  PID:7160
- C:\Windows\System32\GoZOPrQ.exe
  C:\Windows\System32\GoZOPrQ.exe
  2⤵
  PID:5660
- C:\Windows\System32\NCwdQZY.exe
  C:\Windows\System32\NCwdQZY.exe
  2⤵
  PID:6200
- C:\Windows\System32\JipAOln.exe
  C:\Windows\System32\JipAOln.exe
  2⤵
  PID:5656
- C:\Windows\System32\qkphXNI.exe
  C:\Windows\System32\qkphXNI.exe
  2⤵
  PID:6328
- C:\Windows\System32\SrwKrNZ.exe
  C:\Windows\System32\SrwKrNZ.exe
  2⤵
  PID:6396
- C:\Windows\System32\KfhOhJv.exe
  C:\Windows\System32\KfhOhJv.exe
  2⤵
  PID:6480
- C:\Windows\System32\XOuzfLf.exe
  C:\Windows\System32\XOuzfLf.exe
  2⤵
  PID:6528
- C:\Windows\System32\BdBVvIr.exe
  C:\Windows\System32\BdBVvIr.exe
  2⤵
  PID:5672
- C:\Windows\System32\MtPabAx.exe
  C:\Windows\System32\MtPabAx.exe
  2⤵
  PID:6628
- C:\Windows\System32\RwUqTgW.exe
  C:\Windows\System32\RwUqTgW.exe
  2⤵
  PID:6700
- C:\Windows\System32\AlcaFYy.exe
  C:\Windows\System32\AlcaFYy.exe
  2⤵
  PID:6784
- C:\Windows\System32\mJMHSbm.exe
  C:\Windows\System32\mJMHSbm.exe
  2⤵
  PID:6780
- C:\Windows\System32\MvBRWLK.exe
  C:\Windows\System32\MvBRWLK.exe
  2⤵
  PID:6872
- C:\Windows\System32\brXueYD.exe
  C:\Windows\System32\brXueYD.exe
  2⤵
  PID:6908
- C:\Windows\System32\VZMszEk.exe
  C:\Windows\System32\VZMszEk.exe
  2⤵
  PID:7028
- C:\Windows\System32\fkOmcaI.exe
  C:\Windows\System32\fkOmcaI.exe
  2⤵
  PID:7068
- C:\Windows\System32\gPVhOsO.exe
  C:\Windows\System32\gPVhOsO.exe
  2⤵
  PID:7088
- C:\Windows\System32\NaobGKv.exe
  C:\Windows\System32\NaobGKv.exe
  2⤵
  PID:6160
- C:\Windows\System32\DTClFAH.exe
  C:\Windows\System32\DTClFAH.exe
  2⤵
  PID:6236
- C:\Windows\System32\VKUsldG.exe
  C:\Windows\System32\VKUsldG.exe
  2⤵
  PID:6264
- C:\Windows\System32\YrmvcYR.exe
  C:\Windows\System32\YrmvcYR.exe
  2⤵
  PID:6520
- C:\Windows\System32\boDGtVt.exe
  C:\Windows\System32\boDGtVt.exe
  2⤵
  PID:6608
- C:\Windows\System32\PIyOXYB.exe
  C:\Windows\System32\PIyOXYB.exe
  2⤵
  PID:6644
- C:\Windows\System32\yLcaBCu.exe
  C:\Windows\System32\yLcaBCu.exe
  2⤵
  PID:6760
- C:\Windows\System32\UZwyyKT.exe
  C:\Windows\System32\UZwyyKT.exe
  2⤵
  PID:5748
- C:\Windows\System32\AtlKsLT.exe
  C:\Windows\System32\AtlKsLT.exe
  2⤵
  PID:5784
- C:\Windows\System32\HfCExwy.exe
  C:\Windows\System32\HfCExwy.exe
  2⤵
  PID:6248
- C:\Windows\System32\XmtkJMN.exe
  C:\Windows\System32\XmtkJMN.exe
  2⤵
  PID:6620
- C:\Windows\System32\NgbyBmx.exe
  C:\Windows\System32\NgbyBmx.exe
  2⤵
  PID:6800
- C:\Windows\System32\umgjWCf.exe
  C:\Windows\System32\umgjWCf.exe
  2⤵
  PID:6960
- C:\Windows\System32\loHVUnj.exe
  C:\Windows\System32\loHVUnj.exe
  2⤵
  PID:6348
- C:\Windows\System32\bkgRewi.exe
  C:\Windows\System32\bkgRewi.exe
  2⤵
  PID:7180
- C:\Windows\System32\bWQYMNp.exe
  C:\Windows\System32\bWQYMNp.exe
  2⤵
  PID:7196
- C:\Windows\System32\yPixKor.exe
  C:\Windows\System32\yPixKor.exe
  2⤵
  PID:7220
- C:\Windows\System32\uxvhHhK.exe
  C:\Windows\System32\uxvhHhK.exe
  2⤵
  PID:7264
- C:\Windows\System32\lQhrfDB.exe
  C:\Windows\System32\lQhrfDB.exe
  2⤵
  PID:7280
- C:\Windows\System32\VbPnVis.exe
  C:\Windows\System32\VbPnVis.exe
  2⤵
  PID:7328
- C:\Windows\System32\yxhbldc.exe
  C:\Windows\System32\yxhbldc.exe
  2⤵
  PID:7348
- C:\Windows\System32\gRjJkPz.exe
  C:\Windows\System32\gRjJkPz.exe
  2⤵
  PID:7372
- C:\Windows\System32\fjBumHV.exe
  C:\Windows\System32\fjBumHV.exe
  2⤵
  PID:7396
- C:\Windows\System32\ZnWHzXw.exe
  C:\Windows\System32\ZnWHzXw.exe
  2⤵
  PID:7420
- C:\Windows\System32\RSMBQqK.exe
  C:\Windows\System32\RSMBQqK.exe
  2⤵
  PID:7440
- C:\Windows\System32\xKwjwsG.exe
  C:\Windows\System32\xKwjwsG.exe
  2⤵
  PID:7456
- C:\Windows\System32\XamIzjK.exe
  C:\Windows\System32\XamIzjK.exe
  2⤵
  PID:7500
- C:\Windows\System32\ghPyBfF.exe
  C:\Windows\System32\ghPyBfF.exe
  2⤵
  PID:7552
- C:\Windows\System32\brnxFkv.exe
  C:\Windows\System32\brnxFkv.exe
  2⤵
  PID:7576
- C:\Windows\System32\htnWphx.exe
  C:\Windows\System32\htnWphx.exe
  2⤵
  PID:7608
- C:\Windows\System32\orrdeTw.exe
  C:\Windows\System32\orrdeTw.exe
  2⤵
  PID:7628
- C:\Windows\System32\tlQaomu.exe
  C:\Windows\System32\tlQaomu.exe
  2⤵
  PID:7648
- C:\Windows\System32\bsNYnyd.exe
  C:\Windows\System32\bsNYnyd.exe
  2⤵
  PID:7688
- C:\Windows\System32\sevctEo.exe
  C:\Windows\System32\sevctEo.exe
  2⤵
  PID:7704
- C:\Windows\System32\gOLdeXH.exe
  C:\Windows\System32\gOLdeXH.exe
  2⤵
  PID:7720
- C:\Windows\System32\GfWadNU.exe
  C:\Windows\System32\GfWadNU.exe
  2⤵
  PID:7776
- C:\Windows\System32\ZEiVZzz.exe
  C:\Windows\System32\ZEiVZzz.exe
  2⤵
  PID:7796
- C:\Windows\System32\iKlMzHh.exe
  C:\Windows\System32\iKlMzHh.exe
  2⤵
  PID:7824
- C:\Windows\System32\zeYSPDU.exe
  C:\Windows\System32\zeYSPDU.exe
  2⤵
  PID:7848
- C:\Windows\System32\zElbFWR.exe
  C:\Windows\System32\zElbFWR.exe
  2⤵
  PID:7876
- C:\Windows\System32\QwicxWX.exe
  C:\Windows\System32\QwicxWX.exe
  2⤵
  PID:7904
- C:\Windows\System32\ToLxsTJ.exe
  C:\Windows\System32\ToLxsTJ.exe
  2⤵
  PID:7920
- C:\Windows\System32\drOAxky.exe
  C:\Windows\System32\drOAxky.exe
  2⤵
  PID:7952
- C:\Windows\System32\bEWXtBN.exe
  C:\Windows\System32\bEWXtBN.exe
  2⤵
  PID:7996
- C:\Windows\System32\JbruVaB.exe
  C:\Windows\System32\JbruVaB.exe
  2⤵
  PID:8012
- C:\Windows\System32\qVaAMhQ.exe
  C:\Windows\System32\qVaAMhQ.exe
  2⤵
  PID:8036
- C:\Windows\System32\zxcMvAN.exe
  C:\Windows\System32\zxcMvAN.exe
  2⤵
  PID:8060
- C:\Windows\System32\pEISItC.exe
  C:\Windows\System32\pEISItC.exe
  2⤵
  PID:8112
- C:\Windows\System32\fePNVmd.exe
  C:\Windows\System32\fePNVmd.exe
  2⤵
  PID:8136
- C:\Windows\System32\zbSlYUV.exe
  C:\Windows\System32\zbSlYUV.exe
  2⤵
  PID:8164
- C:\Windows\System32\CDXLJMY.exe
  C:\Windows\System32\CDXLJMY.exe
  2⤵
  PID:6180
- C:\Windows\System32\SsRBbrg.exe
  C:\Windows\System32\SsRBbrg.exe
  2⤵
  PID:7192
- C:\Windows\System32\ujHFcXx.exe
  C:\Windows\System32\ujHFcXx.exe
  2⤵
  PID:7248
- C:\Windows\System32\fSCRqRw.exe
  C:\Windows\System32\fSCRqRw.exe
  2⤵
  PID:7336
- C:\Windows\System32\avxnKlR.exe
  C:\Windows\System32\avxnKlR.exe
  2⤵
  PID:7532
- C:\Windows\System32\QzKVXsR.exe
  C:\Windows\System32\QzKVXsR.exe
  2⤵
  PID:7616
- C:\Windows\System32\pOgnAzh.exe
  C:\Windows\System32\pOgnAzh.exe
  2⤵
  PID:7640
- C:\Windows\System32\jBJBJXU.exe
  C:\Windows\System32\jBJBJXU.exe
  2⤵
  PID:7668
- C:\Windows\System32\xGElVhf.exe
  C:\Windows\System32\xGElVhf.exe
  2⤵
  PID:7712
- C:\Windows\System32\TBtAaJD.exe
  C:\Windows\System32\TBtAaJD.exe
  2⤵
  PID:7756
- C:\Windows\System32\ZGWBYZI.exe
  C:\Windows\System32\ZGWBYZI.exe
  2⤵
  PID:7808
- C:\Windows\System32\RhCMvOe.exe
  C:\Windows\System32\RhCMvOe.exe
  2⤵
  PID:7832
- C:\Windows\System32\AxSrpFy.exe
  C:\Windows\System32\AxSrpFy.exe
  2⤵
  PID:7884
- C:\Windows\System32\damuYIx.exe
  C:\Windows\System32\damuYIx.exe
  2⤵
  PID:8008
- C:\Windows\System32\DdngPqP.exe
  C:\Windows\System32\DdngPqP.exe
  2⤵
  PID:8080
- C:\Windows\System32\pPfvGiU.exe
  C:\Windows\System32\pPfvGiU.exe
  2⤵
  PID:7204
- C:\Windows\System32\bzozzDU.exe
  C:\Windows\System32\bzozzDU.exe
  2⤵
  PID:7272
- C:\Windows\System32\QlHzWUi.exe
  C:\Windows\System32\QlHzWUi.exe
  2⤵
  PID:7388
- C:\Windows\System32\dzIemhE.exe
  C:\Windows\System32\dzIemhE.exe
  2⤵
  PID:7568
- C:\Windows\System32\NZEsSrd.exe
  C:\Windows\System32\NZEsSrd.exe
  2⤵
  PID:7620
- C:\Windows\System32\BKiFlUu.exe
  C:\Windows\System32\BKiFlUu.exe
  2⤵
  PID:7784
- C:\Windows\System32\buKnfKZ.exe
  C:\Windows\System32\buKnfKZ.exe
  2⤵
  PID:7912
- C:\Windows\System32\urjlYqF.exe
  C:\Windows\System32\urjlYqF.exe
  2⤵
  PID:7600
- C:\Windows\System32\lMvrDEa.exe
  C:\Windows\System32\lMvrDEa.exe
  2⤵
  PID:7412
- C:\Windows\System32\PwLqLUe.exe
  C:\Windows\System32\PwLqLUe.exe
  2⤵
  PID:7560
- C:\Windows\System32\wsMSIgB.exe
  C:\Windows\System32\wsMSIgB.exe
  2⤵
  PID:7752
- C:\Windows\System32\XcaQuCy.exe
  C:\Windows\System32\XcaQuCy.exe
  2⤵
  PID:7760
- C:\Windows\System32\ZxZxPCb.exe
  C:\Windows\System32\ZxZxPCb.exe
  2⤵
  PID:8200
- C:\Windows\System32\SUOtrzw.exe
  C:\Windows\System32\SUOtrzw.exe
  2⤵
  PID:8216
- C:\Windows\System32\dwWwsiH.exe
  C:\Windows\System32\dwWwsiH.exe
  2⤵
  PID:8236
- C:\Windows\System32\HXDlXVV.exe
  C:\Windows\System32\HXDlXVV.exe
  2⤵
  PID:8264
- C:\Windows\System32\WFHbyoh.exe
  C:\Windows\System32\WFHbyoh.exe
  2⤵
  PID:8296
- C:\Windows\System32\iQChcFt.exe
  C:\Windows\System32\iQChcFt.exe
  2⤵
  PID:8312
- C:\Windows\System32\SpORLVt.exe
  C:\Windows\System32\SpORLVt.exe
  2⤵
  PID:8336
- C:\Windows\System32\kXuqgGJ.exe
  C:\Windows\System32\kXuqgGJ.exe
  2⤵
  PID:8364
- C:\Windows\System32\NhImoxJ.exe
  C:\Windows\System32\NhImoxJ.exe
  2⤵
  PID:8428
- C:\Windows\System32\zhAChwb.exe
  C:\Windows\System32\zhAChwb.exe
  2⤵
  PID:8448
- C:\Windows\System32\xYxYfoK.exe
  C:\Windows\System32\xYxYfoK.exe
  2⤵
  PID:8476
- C:\Windows\System32\OBGuTzf.exe
  C:\Windows\System32\OBGuTzf.exe
  2⤵
  PID:8504
- C:\Windows\System32\onPVWgS.exe
  C:\Windows\System32\onPVWgS.exe
  2⤵
  PID:8528
- C:\Windows\System32\dXLQnWI.exe
  C:\Windows\System32\dXLQnWI.exe
  2⤵
  PID:8548
- C:\Windows\System32\iaKStaa.exe
  C:\Windows\System32\iaKStaa.exe
  2⤵
  PID:8572
- C:\Windows\System32\RiGCNNK.exe
  C:\Windows\System32\RiGCNNK.exe
  2⤵
  PID:8620
- C:\Windows\System32\LzrqEmq.exe
  C:\Windows\System32\LzrqEmq.exe
  2⤵
  PID:8652
- C:\Windows\System32\DcsphMt.exe
  C:\Windows\System32\DcsphMt.exe
  2⤵
  PID:8672
- C:\Windows\System32\cRMXZuh.exe
  C:\Windows\System32\cRMXZuh.exe
  2⤵
  PID:8692
- C:\Windows\System32\EhzzrhS.exe
  C:\Windows\System32\EhzzrhS.exe
  2⤵
  PID:8716
- C:\Windows\System32\eZsLWKG.exe
  C:\Windows\System32\eZsLWKG.exe
  2⤵
  PID:8732
- C:\Windows\System32\vdrpsYM.exe
  C:\Windows\System32\vdrpsYM.exe
  2⤵
  PID:8792
- C:\Windows\System32\zGRNVTD.exe
  C:\Windows\System32\zGRNVTD.exe
  2⤵
  PID:8816
- C:\Windows\System32\hsxZYXt.exe
  C:\Windows\System32\hsxZYXt.exe
  2⤵
  PID:8844
- C:\Windows\System32\sXHkHTz.exe
  C:\Windows\System32\sXHkHTz.exe
  2⤵
  PID:8868
- C:\Windows\System32\pUCiLwQ.exe
  C:\Windows\System32\pUCiLwQ.exe
  2⤵
  PID:8888
- C:\Windows\System32\nojnvOJ.exe
  C:\Windows\System32\nojnvOJ.exe
  2⤵
  PID:8908
- C:\Windows\System32\yeaCIrd.exe
  C:\Windows\System32\yeaCIrd.exe
  2⤵
  PID:8928
- C:\Windows\System32\xSCwQhQ.exe
  C:\Windows\System32\xSCwQhQ.exe
  2⤵
  PID:8972
- C:\Windows\System32\xlAowIF.exe
  C:\Windows\System32\xlAowIF.exe
  2⤵
  PID:9004
- C:\Windows\System32\SjjlYfR.exe
  C:\Windows\System32\SjjlYfR.exe
  2⤵
  PID:9032
- C:\Windows\System32\yppNeTV.exe
  C:\Windows\System32\yppNeTV.exe
  2⤵
  PID:9068
- C:\Windows\System32\ocvoeaY.exe
  C:\Windows\System32\ocvoeaY.exe
  2⤵
  PID:9088
- C:\Windows\System32\rOknpNq.exe
  C:\Windows\System32\rOknpNq.exe
  2⤵
  PID:9108
- C:\Windows\System32\xUNywRv.exe
  C:\Windows\System32\xUNywRv.exe
  2⤵
  PID:9148
- C:\Windows\System32\DkQCXKP.exe
  C:\Windows\System32\DkQCXKP.exe
  2⤵
  PID:9168
- C:\Windows\System32\HKikHPZ.exe
  C:\Windows\System32\HKikHPZ.exe
  2⤵
  PID:9184
- C:\Windows\System32\ttPCRSA.exe
  C:\Windows\System32\ttPCRSA.exe
  2⤵
  PID:9208
- C:\Windows\System32\hviiotz.exe
  C:\Windows\System32\hviiotz.exe
  2⤵
  PID:7448
- C:\Windows\System32\LbCIOrC.exe
  C:\Windows\System32\LbCIOrC.exe
  2⤵
  PID:8292
- C:\Windows\System32\ESwjfYc.exe
  C:\Windows\System32\ESwjfYc.exe
  2⤵
  PID:8344
- C:\Windows\System32\pUApNVg.exe
  C:\Windows\System32\pUApNVg.exe
  2⤵
  PID:8464
- C:\Windows\System32\kkuVEqV.exe
  C:\Windows\System32\kkuVEqV.exe
  2⤵
  PID:8544
- C:\Windows\System32\jqYGlic.exe
  C:\Windows\System32\jqYGlic.exe
  2⤵
  PID:8564
- C:\Windows\System32\rbKyaQE.exe
  C:\Windows\System32\rbKyaQE.exe
  2⤵
  PID:8648
- C:\Windows\System32\kvRPFFT.exe
  C:\Windows\System32\kvRPFFT.exe
  2⤵
  PID:8724
- C:\Windows\System32\skEiOYQ.exe
  C:\Windows\System32\skEiOYQ.exe
  2⤵
  PID:8788
- C:\Windows\System32\zkltFAc.exe
  C:\Windows\System32\zkltFAc.exe
  2⤵
  PID:8876
- C:\Windows\System32\aSCNtmi.exe
  C:\Windows\System32\aSCNtmi.exe
  2⤵
  PID:8896
- C:\Windows\System32\UcdjmYh.exe
  C:\Windows\System32\UcdjmYh.exe
  2⤵
  PID:8916
- C:\Windows\System32\TotLAmH.exe
  C:\Windows\System32\TotLAmH.exe
  2⤵
  PID:9028
- C:\Windows\System32\TlREotg.exe
  C:\Windows\System32\TlREotg.exe
  2⤵
  PID:9104
- C:\Windows\System32\OAMYcoj.exe
  C:\Windows\System32\OAMYcoj.exe
  2⤵
  PID:9160
- C:\Windows\System32\MzyeofM.exe
  C:\Windows\System32\MzyeofM.exe
  2⤵
  PID:8332
- C:\Windows\System32\CxLtkYM.exe
  C:\Windows\System32\CxLtkYM.exe
  2⤵
  PID:8392
- C:\Windows\System32\MdRKIHx.exe
  C:\Windows\System32\MdRKIHx.exe
  2⤵
  PID:8580
- C:\Windows\System32\DBfHCzQ.exe
  C:\Windows\System32\DBfHCzQ.exe
  2⤵
  PID:8784
- C:\Windows\System32\PCHmppS.exe
  C:\Windows\System32\PCHmppS.exe
  2⤵
  PID:8776
- C:\Windows\System32\GOhJarv.exe
  C:\Windows\System32\GOhJarv.exe
  2⤵
  PID:9076
- C:\Windows\System32\JSkndhN.exe
  C:\Windows\System32\JSkndhN.exe
  2⤵
  PID:9204
- C:\Windows\System32\tHDBaTE.exe
  C:\Windows\System32\tHDBaTE.exe
  2⤵
  PID:8416
- C:\Windows\System32\PellLxa.exe
  C:\Windows\System32\PellLxa.exe
  2⤵
  PID:8940
- C:\Windows\System32\GlXyvly.exe
  C:\Windows\System32\GlXyvly.exe
  2⤵
  PID:9120
- C:\Windows\System32\BSJiREU.exe
  C:\Windows\System32\BSJiREU.exe
  2⤵
  PID:8824
- C:\Windows\System32\OZYdHur.exe
  C:\Windows\System32\OZYdHur.exe
  2⤵
  PID:9228
- C:\Windows\System32\nmfXPGz.exe
  C:\Windows\System32\nmfXPGz.exe
  2⤵
  PID:9252
- C:\Windows\System32\uOpRnlI.exe
  C:\Windows\System32\uOpRnlI.exe
  2⤵
  PID:9276
- C:\Windows\System32\GrIQRJf.exe
  C:\Windows\System32\GrIQRJf.exe
  2⤵
  PID:9304
- C:\Windows\System32\hniQYvN.exe
  C:\Windows\System32\hniQYvN.exe
  2⤵
  PID:9324
- C:\Windows\System32\wNogLNA.exe
  C:\Windows\System32\wNogLNA.exe
  2⤵
  PID:9352
- C:\Windows\System32\iFISxlz.exe
  C:\Windows\System32\iFISxlz.exe
  2⤵
  PID:9400
- C:\Windows\System32\vpsaZJu.exe
  C:\Windows\System32\vpsaZJu.exe
  2⤵
  PID:9416
- C:\Windows\System32\GJaKyxz.exe
  C:\Windows\System32\GJaKyxz.exe
  2⤵
  PID:9452
- C:\Windows\System32\GYDVUIv.exe
  C:\Windows\System32\GYDVUIv.exe
  2⤵
  PID:9468
- C:\Windows\System32\NetmObP.exe
  C:\Windows\System32\NetmObP.exe
  2⤵
  PID:9508
- C:\Windows\System32\VankSIR.exe
  C:\Windows\System32\VankSIR.exe
  2⤵
  PID:9532
- C:\Windows\System32\yVleAkg.exe
  C:\Windows\System32\yVleAkg.exe
  2⤵
  PID:9552
- C:\Windows\System32\wcFckSe.exe
  C:\Windows\System32\wcFckSe.exe
  2⤵
  PID:9568
- C:\Windows\System32\CgtJtME.exe
  C:\Windows\System32\CgtJtME.exe
  2⤵
  PID:9600
- C:\Windows\System32\sFegfdz.exe
  C:\Windows\System32\sFegfdz.exe
  2⤵
  PID:9644
- C:\Windows\System32\SFZXaAS.exe
  C:\Windows\System32\SFZXaAS.exe
  2⤵
  PID:9676
- C:\Windows\System32\vIxUgMy.exe
  C:\Windows\System32\vIxUgMy.exe
  2⤵
  PID:9700
- C:\Windows\System32\EtSVRTW.exe
  C:\Windows\System32\EtSVRTW.exe
  2⤵
  PID:9736
- C:\Windows\System32\Mhtjgln.exe
  C:\Windows\System32\Mhtjgln.exe
  2⤵
  PID:9760
- C:\Windows\System32\BFUKIkq.exe
  C:\Windows\System32\BFUKIkq.exe
  2⤵
  PID:9776
- C:\Windows\System32\HrnoPjA.exe
  C:\Windows\System32\HrnoPjA.exe
  2⤵
  PID:9800
- C:\Windows\System32\Wvrquok.exe
  C:\Windows\System32\Wvrquok.exe
  2⤵
  PID:9816
- C:\Windows\System32\mYJOSPj.exe
  C:\Windows\System32\mYJOSPj.exe
  2⤵
  PID:9872
- C:\Windows\System32\mgORMcc.exe
  C:\Windows\System32\mgORMcc.exe
  2⤵
  PID:9904
- C:\Windows\System32\mUfEbNx.exe
  C:\Windows\System32\mUfEbNx.exe
  2⤵
  PID:9924
- C:\Windows\System32\mFeTYgb.exe
  C:\Windows\System32\mFeTYgb.exe
  2⤵
  PID:9952
- C:\Windows\System32\mXwMPIP.exe
  C:\Windows\System32\mXwMPIP.exe
  2⤵
  PID:9988
- C:\Windows\System32\WRPCwWd.exe
  C:\Windows\System32\WRPCwWd.exe
  2⤵
  PID:10032
- C:\Windows\System32\tzjEJue.exe
  C:\Windows\System32\tzjEJue.exe
  2⤵
  PID:10048
- C:\Windows\System32\DjKRfUK.exe
  C:\Windows\System32\DjKRfUK.exe
  2⤵
  PID:10076
- C:\Windows\System32\XCEZeyl.exe
  C:\Windows\System32\XCEZeyl.exe
  2⤵
  PID:10092
- C:\Windows\System32\fmdYCdX.exe
  C:\Windows\System32\fmdYCdX.exe
  2⤵
  PID:10132
- C:\Windows\System32\NJixIaQ.exe
  C:\Windows\System32\NJixIaQ.exe
  2⤵
  PID:10156
- C:\Windows\System32\JMDLSmk.exe
  C:\Windows\System32\JMDLSmk.exe
  2⤵
  PID:10180
- C:\Windows\System32\tkQHZqS.exe
  C:\Windows\System32\tkQHZqS.exe
  2⤵
  PID:10220
- C:\Windows\System32\tLsKJaF.exe
  C:\Windows\System32\tLsKJaF.exe
  2⤵
  PID:9132
- C:\Windows\System32\NrIZnBi.exe
  C:\Windows\System32\NrIZnBi.exe
  2⤵
  PID:9268
- C:\Windows\System32\mjdqEeM.exe
  C:\Windows\System32\mjdqEeM.exe
  2⤵
  PID:9348
- C:\Windows\System32\nbjQmYe.exe
  C:\Windows\System32\nbjQmYe.exe
  2⤵
  PID:9344
- C:\Windows\System32\xtqCqwW.exe
  C:\Windows\System32\xtqCqwW.exe
  2⤵
  PID:9428
- C:\Windows\System32\iVSFlYY.exe
  C:\Windows\System32\iVSFlYY.exe
  2⤵
  PID:9492
- C:\Windows\System32\ZFWtwNz.exe
  C:\Windows\System32\ZFWtwNz.exe
  2⤵
  PID:9516
- C:\Windows\System32\jEGcmEk.exe
  C:\Windows\System32\jEGcmEk.exe
  2⤵
  PID:9540
- C:\Windows\System32\ZKtWOWk.exe
  C:\Windows\System32\ZKtWOWk.exe
  2⤵
  PID:9672
- C:\Windows\System32\TrzKMaC.exe
  C:\Windows\System32\TrzKMaC.exe
  2⤵
  PID:9732
- C:\Windows\System32\HtKSWer.exe
  C:\Windows\System32\HtKSWer.exe
  2⤵
  PID:9796
- C:\Windows\System32\CvBZZAb.exe
  C:\Windows\System32\CvBZZAb.exe
  2⤵
  PID:9880
- C:\Windows\System32\rKaaCEG.exe
  C:\Windows\System32\rKaaCEG.exe
  2⤵
  PID:9936
- C:\Windows\System32\JoIxneN.exe
  C:\Windows\System32\JoIxneN.exe
  2⤵
  PID:10004
- C:\Windows\System32\ANqBaSk.exe
  C:\Windows\System32\ANqBaSk.exe
  2⤵
  PID:10084
- C:\Windows\System32\WQOmQML.exe
  C:\Windows\System32\WQOmQML.exe
  2⤵
  PID:10148
- C:\Windows\System32\AvIIxqf.exe
  C:\Windows\System32\AvIIxqf.exe
  2⤵
  PID:10192
- C:\Windows\System32\iQRvmkr.exe
  C:\Windows\System32\iQRvmkr.exe
  2⤵
  PID:8224
- C:\Windows\System32\rXzpajP.exe
  C:\Windows\System32\rXzpajP.exe
  2⤵
  PID:9316
- C:\Windows\System32\zugLZnO.exe
  C:\Windows\System32\zugLZnO.exe
  2⤵
  PID:9360
- C:\Windows\System32\VqKSttL.exe
  C:\Windows\System32\VqKSttL.exe
  2⤵
  PID:9136
- C:\Windows\System32\fdMShdA.exe
  C:\Windows\System32\fdMShdA.exe
  2⤵
  PID:10028
- C:\Windows\System32\ybdIvyT.exe
  C:\Windows\System32\ybdIvyT.exe
  2⤵
  PID:10020
- C:\Windows\System32\CXAUibi.exe
  C:\Windows\System32\CXAUibi.exe
  2⤵
  PID:9288
- C:\Windows\System32\Pkyacfb.exe
  C:\Windows\System32\Pkyacfb.exe
  2⤵
  PID:9488
- C:\Windows\System32\frkAlot.exe
  C:\Windows\System32\frkAlot.exe
  2⤵
  PID:10040
- C:\Windows\System32\txWrrmA.exe
  C:\Windows\System32\txWrrmA.exe
  2⤵
  PID:10236
- C:\Windows\System32\WvwwNIR.exe
  C:\Windows\System32\WvwwNIR.exe
  2⤵
  PID:10244
- C:\Windows\System32\fFhpich.exe
  C:\Windows\System32\fFhpich.exe
  2⤵
  PID:10288
- C:\Windows\System32\TSTkgRA.exe
  C:\Windows\System32\TSTkgRA.exe
  2⤵
  PID:10312
- C:\Windows\System32\ULqislA.exe
  C:\Windows\System32\ULqislA.exe
  2⤵
  PID:10336
- C:\Windows\System32\LOUubdb.exe
  C:\Windows\System32\LOUubdb.exe
  2⤵
  PID:10356
- C:\Windows\System32\ySNvvhe.exe
  C:\Windows\System32\ySNvvhe.exe
  2⤵
  PID:10400
- C:\Windows\System32\iJPMxXK.exe
  C:\Windows\System32\iJPMxXK.exe
  2⤵
  PID:10428
- C:\Windows\System32\gyNFAwa.exe
  C:\Windows\System32\gyNFAwa.exe
  2⤵
  PID:10472
- C:\Windows\System32\JqvuYBJ.exe
  C:\Windows\System32\JqvuYBJ.exe
  2⤵
  PID:10488
- C:\Windows\System32\vclQrSf.exe
  C:\Windows\System32\vclQrSf.exe
  2⤵
  PID:10508
- C:\Windows\System32\WpEyDzg.exe
  C:\Windows\System32\WpEyDzg.exe
  2⤵
  PID:10536
- C:\Windows\System32\qvqJjXI.exe
  C:\Windows\System32\qvqJjXI.exe
  2⤵
  PID:10568
- C:\Windows\System32\WAjKdwM.exe
  C:\Windows\System32\WAjKdwM.exe
  2⤵
  PID:10592
- C:\Windows\System32\xtSlHjL.exe
  C:\Windows\System32\xtSlHjL.exe
  2⤵
  PID:10624
- C:\Windows\System32\LsLaQxv.exe
  C:\Windows\System32\LsLaQxv.exe
  2⤵
  PID:10640
- C:\Windows\System32\oTCrqec.exe
  C:\Windows\System32\oTCrqec.exe
  2⤵
  PID:10664
- C:\Windows\System32\qzrHzaA.exe
  C:\Windows\System32\qzrHzaA.exe
  2⤵
  PID:10680
- C:\Windows\System32\ZvMVRxK.exe
  C:\Windows\System32\ZvMVRxK.exe
  2⤵
  PID:10704
- C:\Windows\System32\eJZpnJF.exe
  C:\Windows\System32\eJZpnJF.exe
  2⤵
  PID:10720
- C:\Windows\System32\YIdjutH.exe
  C:\Windows\System32\YIdjutH.exe
  2⤵
  PID:10760
- C:\Windows\System32\lWdftkS.exe
  C:\Windows\System32\lWdftkS.exe
  2⤵
  PID:10788
- C:\Windows\System32\rnDuhey.exe
  C:\Windows\System32\rnDuhey.exe
  2⤵
  PID:10808
- C:\Windows\System32\XVRRFvn.exe
  C:\Windows\System32\XVRRFvn.exe
  2⤵
  PID:10856
- C:\Windows\System32\slbCyBt.exe
  C:\Windows\System32\slbCyBt.exe
  2⤵
  PID:10896
- C:\Windows\System32\evfXKqX.exe
  C:\Windows\System32\evfXKqX.exe
  2⤵
  PID:10912
- C:\Windows\System32\oczXgjE.exe
  C:\Windows\System32\oczXgjE.exe
  2⤵
  PID:10940
- C:\Windows\System32\hBnNUNf.exe
  C:\Windows\System32\hBnNUNf.exe
  2⤵
  PID:10956
- C:\Windows\System32\BpXgKzF.exe
  C:\Windows\System32\BpXgKzF.exe
  2⤵
  PID:10988
- C:\Windows\System32\hdmEHAO.exe
  C:\Windows\System32\hdmEHAO.exe
  2⤵
  PID:11008
- C:\Windows\System32\ZaouVsi.exe
  C:\Windows\System32\ZaouVsi.exe
  2⤵
  PID:11060
- C:\Windows\System32\FMPCYuD.exe
  C:\Windows\System32\FMPCYuD.exe
  2⤵
  PID:11092
- C:\Windows\System32\ehMomYd.exe
  C:\Windows\System32\ehMomYd.exe
  2⤵
  PID:11108
- C:\Windows\System32\VnByQKn.exe
  C:\Windows\System32\VnByQKn.exe
  2⤵
  PID:11152
- C:\Windows\System32\SQEZwuR.exe
  C:\Windows\System32\SQEZwuR.exe
  2⤵
  PID:11192
- C:\Windows\System32\pZcBoKH.exe
  C:\Windows\System32\pZcBoKH.exe
  2⤵
  PID:11220
- C:\Windows\System32\Uvmhxhb.exe
  C:\Windows\System32\Uvmhxhb.exe
  2⤵
  PID:11252
- C:\Windows\System32\VdLyvyq.exe
  C:\Windows\System32\VdLyvyq.exe
  2⤵
  PID:10164
- C:\Windows\System32\tpaHkYr.exe
  C:\Windows\System32\tpaHkYr.exe
  2⤵
  PID:10284
- C:\Windows\System32\tlONUpM.exe
  C:\Windows\System32\tlONUpM.exe
  2⤵
  PID:10352
- C:\Windows\System32\sFUNJTu.exe
  C:\Windows\System32\sFUNJTu.exe
  2⤵
  PID:10436
- C:\Windows\System32\seZklbx.exe
  C:\Windows\System32\seZklbx.exe
  2⤵
  PID:10484
- C:\Windows\System32\jcuKAOU.exe
  C:\Windows\System32\jcuKAOU.exe
  2⤵
  PID:10532
- C:\Windows\System32\FNWcUIu.exe
  C:\Windows\System32\FNWcUIu.exe
  2⤵
  PID:10616
- C:\Windows\System32\hSQaCqx.exe
  C:\Windows\System32\hSQaCqx.exe
  2⤵
  PID:10672
- C:\Windows\System32\hDIxfae.exe
  C:\Windows\System32\hDIxfae.exe
  2⤵
  PID:10712
- C:\Windows\System32\GawBKbi.exe
  C:\Windows\System32\GawBKbi.exe
  2⤵
  PID:10804
- C:\Windows\System32\GPuCFtZ.exe
  C:\Windows\System32\GPuCFtZ.exe
  2⤵
  PID:10876
- C:\Windows\System32\lfTQTbP.exe
  C:\Windows\System32\lfTQTbP.exe
  2⤵
  PID:10936
- C:\Windows\System32\klDKGKl.exe
  C:\Windows\System32\klDKGKl.exe
  2⤵
  PID:10904
- C:\Windows\System32\MSLcQnt.exe
  C:\Windows\System32\MSLcQnt.exe
  2⤵
  PID:11004
- C:\Windows\System32\BeZewkK.exe
  C:\Windows\System32\BeZewkK.exe
  2⤵
  PID:11028
- C:\Windows\System32\CGzsvIo.exe
  C:\Windows\System32\CGzsvIo.exe
  2⤵
  PID:9464
- C:\Windows\System32\ejePtjy.exe
  C:\Windows\System32\ejePtjy.exe
  2⤵
  PID:10060
- C:\Windows\System32\tgqGHPk.exe
  C:\Windows\System32\tgqGHPk.exe
  2⤵
  PID:10392
- C:\Windows\System32\gvewTja.exe
  C:\Windows\System32\gvewTja.exe
  2⤵
  PID:3592
- C:\Windows\System32\xupdtuT.exe
  C:\Windows\System32\xupdtuT.exe
  2⤵
  PID:10740
- C:\Windows\System32\JvwxEAG.exe
  C:\Windows\System32\JvwxEAG.exe
  2⤵
  PID:10836
- C:\Windows\System32\jyfaqNN.exe
  C:\Windows\System32\jyfaqNN.exe
  2⤵
  PID:11048
- C:\Windows\System32\gBYMSKW.exe
  C:\Windows\System32\gBYMSKW.exe
  2⤵
  PID:11172
- C:\Windows\System32\dqWfPir.exe
  C:\Windows\System32\dqWfPir.exe
  2⤵
  PID:11236
- C:\Windows\System32\yWvEgVc.exe
  C:\Windows\System32\yWvEgVc.exe
  2⤵
  PID:10300
- C:\Windows\System32\zexpHVu.exe
  C:\Windows\System32\zexpHVu.exe
  2⤵
  PID:10692
- C:\Windows\System32\HoZLeUc.exe
  C:\Windows\System32\HoZLeUc.exe
  2⤵
  PID:10924
- C:\Windows\System32\jJMAOrH.exe
  C:\Windows\System32\jJMAOrH.exe
  2⤵
  PID:10444
- C:\Windows\System32\EcxvQxd.exe
  C:\Windows\System32\EcxvQxd.exe
  2⤵
  PID:10656
- C:\Windows\System32\UJHqfvv.exe
  C:\Windows\System32\UJHqfvv.exe
  2⤵
  PID:11272
- C:\Windows\System32\YzafOKd.exe
  C:\Windows\System32\YzafOKd.exe
  2⤵
  PID:11332
- C:\Windows\System32\aUbsPrP.exe
  C:\Windows\System32\aUbsPrP.exe
  2⤵
  PID:11400
- C:\Windows\System32\SKvXNhM.exe
  C:\Windows\System32\SKvXNhM.exe
  2⤵
  PID:11416
- C:\Windows\System32\hrKVirA.exe
  C:\Windows\System32\hrKVirA.exe
  2⤵
  PID:11456
- C:\Windows\System32\EtEcwXE.exe
  C:\Windows\System32\EtEcwXE.exe
  2⤵
  PID:11476
- C:\Windows\System32\MxRrCfD.exe
  C:\Windows\System32\MxRrCfD.exe
  2⤵
  PID:11504
- C:\Windows\System32\Uznepyo.exe
  C:\Windows\System32\Uznepyo.exe
  2⤵
  PID:11528
- C:\Windows\System32\sTdKlpn.exe
  C:\Windows\System32\sTdKlpn.exe
  2⤵
  PID:11564
- C:\Windows\System32\wHVWDKG.exe
  C:\Windows\System32\wHVWDKG.exe
  2⤵
  PID:11580
- C:\Windows\System32\ucdgeQT.exe
  C:\Windows\System32\ucdgeQT.exe
  2⤵
  PID:11608
- C:\Windows\System32\ZMaSwzk.exe
  C:\Windows\System32\ZMaSwzk.exe
  2⤵
  PID:11624
- C:\Windows\System32\TyWjlxP.exe
  C:\Windows\System32\TyWjlxP.exe
  2⤵
  PID:11676
- C:\Windows\System32\DMXnGsD.exe
  C:\Windows\System32\DMXnGsD.exe
  2⤵
  PID:11708
- C:\Windows\System32\JtnniPg.exe
  C:\Windows\System32\JtnniPg.exe
  2⤵
  PID:11732
- C:\Windows\System32\NRtehkE.exe
  C:\Windows\System32\NRtehkE.exe
  2⤵
  PID:11760
- C:\Windows\System32\EZErXrN.exe
  C:\Windows\System32\EZErXrN.exe
  2⤵
  PID:11780
- C:\Windows\System32\fQYeyxh.exe
  C:\Windows\System32\fQYeyxh.exe
  2⤵
  PID:11796
- C:\Windows\System32\gLMSBBn.exe
  C:\Windows\System32\gLMSBBn.exe
  2⤵
  PID:11832
- C:\Windows\System32\BAlxqCS.exe
  C:\Windows\System32\BAlxqCS.exe
  2⤵
  PID:11876
- C:\Windows\System32\uKNiHXI.exe
  C:\Windows\System32\uKNiHXI.exe
  2⤵
  PID:11904
- C:\Windows\System32\bHIKJdh.exe
  C:\Windows\System32\bHIKJdh.exe
  2⤵
  PID:11920
- C:\Windows\System32\PKrZTeU.exe
  C:\Windows\System32\PKrZTeU.exe
  2⤵
  PID:11956
- C:\Windows\System32\naJpzqe.exe
  C:\Windows\System32\naJpzqe.exe
  2⤵
  PID:11992
- C:\Windows\System32\rLMdaHM.exe
  C:\Windows\System32\rLMdaHM.exe
  2⤵
  PID:12016
- C:\Windows\System32\CUeBoqC.exe
  C:\Windows\System32\CUeBoqC.exe
  2⤵
  PID:12040
- C:\Windows\System32\pctdGJn.exe
  C:\Windows\System32\pctdGJn.exe
  2⤵
  PID:12068
- C:\Windows\System32\mwLHOnj.exe
  C:\Windows\System32\mwLHOnj.exe
  2⤵
  PID:12096
- C:\Windows\System32\fFsMmAI.exe
  C:\Windows\System32\fFsMmAI.exe
  2⤵
  PID:12132
- C:\Windows\System32\lQQAZDP.exe
  C:\Windows\System32\lQQAZDP.exe
  2⤵
  PID:12152
- C:\Windows\System32\btquSxt.exe
  C:\Windows\System32\btquSxt.exe
  2⤵
  PID:12188
- C:\Windows\System32\aMSDbkV.exe
  C:\Windows\System32\aMSDbkV.exe
  2⤵
  PID:12216
- C:\Windows\System32\pldCwMr.exe
  C:\Windows\System32\pldCwMr.exe
  2⤵
  PID:12248
- C:\Windows\System32\sEBgvif.exe
  C:\Windows\System32\sEBgvif.exe
  2⤵
  PID:12276
- C:\Windows\System32\geODLSu.exe
  C:\Windows\System32\geODLSu.exe
  2⤵
  PID:11128
- C:\Windows\System32\bYqMVdr.exe
  C:\Windows\System32\bYqMVdr.exe
  2⤵
  PID:11216
- C:\Windows\System32\fJAyTGW.exe
  C:\Windows\System32\fJAyTGW.exe
  2⤵
  PID:11408
- C:\Windows\System32\RzBZeDR.exe
  C:\Windows\System32\RzBZeDR.exe
  2⤵
  PID:11468
- C:\Windows\System32\pxKyFLN.exe
  C:\Windows\System32\pxKyFLN.exe
  2⤵
  PID:11512
- C:\Windows\System32\RxMtJrH.exe
  C:\Windows\System32\RxMtJrH.exe
  2⤵
  PID:11572
- C:\Windows\System32\UjuyvKJ.exe
  C:\Windows\System32\UjuyvKJ.exe
  2⤵
  PID:11636
- C:\Windows\System32\fOyhfPg.exe
  C:\Windows\System32\fOyhfPg.exe
  2⤵
  PID:11704
- C:\Windows\System32\iXPIGhy.exe
  C:\Windows\System32\iXPIGhy.exe
  2⤵
  PID:11740
- C:\Windows\System32\lIcFYot.exe
  C:\Windows\System32\lIcFYot.exe
  2⤵
  PID:11828
- C:\Windows\System32\hYeSXPc.exe
  C:\Windows\System32\hYeSXPc.exe
  2⤵
  PID:11916
- C:\Windows\System32\JnfuIuS.exe
  C:\Windows\System32\JnfuIuS.exe
  2⤵
  PID:11976
- C:\Windows\System32\UnzeHYL.exe
  C:\Windows\System32\UnzeHYL.exe
  2⤵
  PID:12000
- C:\Windows\System32\vyODhNb.exe
  C:\Windows\System32\vyODhNb.exe
  2⤵
  PID:12084
- C:\Windows\System32\NVezREk.exe
  C:\Windows\System32\NVezREk.exe
  2⤵
  PID:4940
- C:\Windows\System32\vCCBBmx.exe
  C:\Windows\System32\vCCBBmx.exe
  2⤵
  PID:4928
- C:\Windows\System32\wvFjpTE.exe
  C:\Windows\System32\wvFjpTE.exe
  2⤵
  PID:12228
- C:\Windows\System32\BtyOqRr.exe
  C:\Windows\System32\BtyOqRr.exe
  2⤵
  PID:11280
- C:\Windows\System32\AiEzZcS.exe
  C:\Windows\System32\AiEzZcS.exe
  2⤵
  PID:11440
- C:\Windows\System32\CTfxCsM.exe
  C:\Windows\System32\CTfxCsM.exe
  2⤵
  PID:11596
- C:\Windows\System32\NXLHgkE.exe
  C:\Windows\System32\NXLHgkE.exe
  2⤵
  PID:11616
- C:\Windows\System32\EkBXlPJ.exe
  C:\Windows\System32\EkBXlPJ.exe
  2⤵
  PID:11728
- C:\Windows\System32\qZdihmF.exe
  C:\Windows\System32\qZdihmF.exe
  2⤵
  PID:11884
- C:\Windows\System32\MinxqNC.exe
  C:\Windows\System32\MinxqNC.exe
  2⤵
  PID:12116
- C:\Windows\System32\VqEakMd.exe
  C:\Windows\System32\VqEakMd.exe
  2⤵
  PID:12244
- C:\Windows\System32\AjymFHr.exe
  C:\Windows\System32\AjymFHr.exe
  2⤵
  PID:11368
- C:\Windows\System32\NtSfZYj.exe
  C:\Windows\System32\NtSfZYj.exe
  2⤵
  PID:11696
- C:\Windows\System32\nBDwAWt.exe
  C:\Windows\System32\nBDwAWt.exe
  2⤵
  PID:12052
- C:\Windows\System32\HgyPJPz.exe
  C:\Windows\System32\HgyPJPz.exe
  2⤵
  PID:12268
- C:\Windows\System32\Fkfqpsg.exe
  C:\Windows\System32\Fkfqpsg.exe
  2⤵
  PID:11544
- C:\Windows\System32\poqAepg.exe
  C:\Windows\System32\poqAepg.exe
  2⤵
  PID:2268
- C:\Windows\System32\cCpFjUU.exe
  C:\Windows\System32\cCpFjUU.exe
  2⤵
  PID:12352
- C:\Windows\System32\oJmyAyB.exe
  C:\Windows\System32\oJmyAyB.exe
  2⤵
  PID:12452
- C:\Windows\System32\PUpOrMW.exe
  C:\Windows\System32\PUpOrMW.exe
  2⤵
  PID:12468
- C:\Windows\System32\fiTOdpz.exe
  C:\Windows\System32\fiTOdpz.exe
  2⤵
  PID:12488
- C:\Windows\System32\CINgRwM.exe
  C:\Windows\System32\CINgRwM.exe
  2⤵
  PID:12532
- C:\Windows\System32\aBxoJBg.exe
  C:\Windows\System32\aBxoJBg.exe
  2⤵
  PID:12548
- C:\Windows\System32\DAVYFly.exe
  C:\Windows\System32\DAVYFly.exe
  2⤵
  PID:12564
- C:\Windows\System32\ehqMqCl.exe
  C:\Windows\System32\ehqMqCl.exe
  2⤵
  PID:12580
- C:\Windows\System32\FLwBOdh.exe
  C:\Windows\System32\FLwBOdh.exe
  2⤵
  PID:12620
- C:\Windows\System32\ngkUDkl.exe
  C:\Windows\System32\ngkUDkl.exe
  2⤵
  PID:12672
- C:\Windows\System32\CiUlcrB.exe
  C:\Windows\System32\CiUlcrB.exe
  2⤵
  PID:12720
- C:\Windows\System32\rxuAAkN.exe
  C:\Windows\System32\rxuAAkN.exe
  2⤵
  PID:12736
- C:\Windows\System32\yMQmWKi.exe
  C:\Windows\System32\yMQmWKi.exe
  2⤵
  PID:12792
- C:\Windows\System32\TDfxvUB.exe
  C:\Windows\System32\TDfxvUB.exe
  2⤵
  PID:12820
- C:\Windows\System32\TGZNugj.exe
  C:\Windows\System32\TGZNugj.exe
  2⤵
  PID:12840
- C:\Windows\System32\jKZiKqe.exe
  C:\Windows\System32\jKZiKqe.exe
  2⤵
  PID:12856
- C:\Windows\System32\KIzwBoO.exe
  C:\Windows\System32\KIzwBoO.exe
  2⤵
  PID:12900
- C:\Windows\System32\ExJKbrq.exe
  C:\Windows\System32\ExJKbrq.exe
  2⤵
  PID:12928
- C:\Windows\System32\TtYWzkw.exe
  C:\Windows\System32\TtYWzkw.exe
  2⤵
  PID:12952
- C:\Windows\System32\wPngtPG.exe
  C:\Windows\System32\wPngtPG.exe
  2⤵
  PID:12968
- C:\Windows\System32\TUMELMa.exe
  C:\Windows\System32\TUMELMa.exe
  2⤵
  PID:13000
- C:\Windows\System32\lbbuECU.exe
  C:\Windows\System32\lbbuECU.exe
  2⤵
  PID:13028
- C:\Windows\System32\kNxcPjx.exe
  C:\Windows\System32\kNxcPjx.exe
  2⤵
  PID:13076
- C:\Windows\System32\dbjPjxK.exe
  C:\Windows\System32\dbjPjxK.exe
  2⤵
  PID:13096
- C:\Windows\System32\pUdftdG.exe
  C:\Windows\System32\pUdftdG.exe
  2⤵
  PID:13124
- C:\Windows\System32\pDcblXj.exe
  C:\Windows\System32\pDcblXj.exe
  2⤵
  PID:13140
- C:\Windows\System32\gZnEFXk.exe
  C:\Windows\System32\gZnEFXk.exe
  2⤵
  PID:13192
- C:\Windows\System32\CmDlCtY.exe
  C:\Windows\System32\CmDlCtY.exe
  2⤵
  PID:13216
- C:\Windows\System32\BhmzduC.exe
  C:\Windows\System32\BhmzduC.exe
  2⤵
  PID:13236
- C:\Windows\System32\aSjCNRB.exe
  C:\Windows\System32\aSjCNRB.exe
  2⤵
  PID:13272
- C:\Windows\System32\swJtpoO.exe
  C:\Windows\System32\swJtpoO.exe
  2⤵
  PID:13288
- C:\Windows\System32\oyacGMX.exe
  C:\Windows\System32\oyacGMX.exe
  2⤵
  PID:12304
- C:\Windows\System32\YbBVuxg.exe
  C:\Windows\System32\YbBVuxg.exe
  2⤵
  PID:12296
- C:\Windows\System32\oYrqbsw.exe
  C:\Windows\System32\oYrqbsw.exe
  2⤵
  PID:12376
- C:\Windows\System32\TxEFPkW.exe
  C:\Windows\System32\TxEFPkW.exe
  2⤵
  PID:12336
- C:\Windows\System32\EGgoSYC.exe
  C:\Windows\System32\EGgoSYC.exe
  2⤵
  PID:12460
- C:\Windows\System32\BsZqHPN.exe
  C:\Windows\System32\BsZqHPN.exe
  2⤵
  PID:12388
- C:\Windows\System32\YWXqWPd.exe
  C:\Windows\System32\YWXqWPd.exe
  2⤵
  PID:12500

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AIHJZei.exe

Filesize
1.1MB

MD5
42435ee387adfd65a4276b9ae20eb85c

SHA1
3401d985d8502f3e0297776a22793519a67387dc

SHA256
729bd8a01ac53e6ec72c3354dacfe866c97e1f657a65da7604e2cea0e8780c34

SHA512
59cebbac027139b1a0c1e414809062f7ebfa6972d391b35515694e40ff27bae082fa682505c2471643c6e9f84336265b9c18664a2b83c684ad48b348185af094

Download Submit
C:\Windows\System32\AUMsrEQ.exe

Filesize
1.1MB

MD5
92fc36ba2267fe16ae133a9bc888cc5d

SHA1
764d3a227145c9e6d29cf76ef9f83777f89a97be

SHA256
20d99903c9f4d2172916378a5d8aa25b7ceda676c15f536d47549440e7a48703

SHA512
cf171f390253dc13aed748a52f7c5d907c2cc0016fe50246d6a5a104faa58e70f29b6861ba3ae79ad45e597ea7753fcfccd39abe86ea25840d4de87550b2c29a

Download Submit
C:\Windows\System32\BCBvsgM.exe

Filesize
1.1MB

MD5
dc6f09a4b0411a244fadd80aaec01ba6

SHA1
dd104852dbb20db4f5bb5b1825fd6799e81c84b7

SHA256
93a04e84de075b1c91054591fa869ff8be22c68c1e71ab9f27d6a904f3467cdc

SHA512
15cbfc03d3b8fee326ff5f4d51e214724556374b68bcb3245775a8ff6a8bca64d3bcc3bfcf348f23922553e27734fcfd622fb8e0ef6121bd57661f98ddf0583f

Download Submit
C:\Windows\System32\GzIOypN.exe

Filesize
1.1MB

MD5
55ad17eac6aee14ab9bfc996f6cc54fa

SHA1
c3828a16985a39fa360f5bcfba4e2b2f9d4b1dd7

SHA256
0bbce540abfe13769a679b5ed913c33851f696e2e28f67392ae72aeb103c7af0

SHA512
940f1ad86eb7cb53f8589fae5b01bfc31fa5337e9f21931e6ad5a3777f5d9e59cf3bc19861076034e5652434e5de4a8eea15901badeedc6b110e2584579c2549

Download Submit
C:\Windows\System32\IbeqdEj.exe

Filesize
1.1MB

MD5
eae47631e14658abcd26a1a62e3b0cab

SHA1
ddcf55fbba551d5ec08b65c2f4980bb1f8ef635b

SHA256
d743efce52b55d4c28d6cf50309c5a5ac752fe6a0207b2a131b7b8c376f6daf1

SHA512
4c60d2482929325e4f11f456641dfb0111d520bc12d599b412269f545298062186cddc6435384eff7d024666b2cabd2e7504473c891249cdb543fec075fef8d7

Download Submit
C:\Windows\System32\IzQnVqw.exe

Filesize
1.1MB

MD5
f2f5a6d755ddbff42aa2ecf087b48224

SHA1
4e55d5f9cf11d9cc2d5bb5e552cfa360d3999692

SHA256
425ab1035188a903a78f32977f8bc7411d310aab9feff0d2874709d1d5582ad2

SHA512
9b96b578aaff94ef920a1ded63a73c925e4503f44aa6f013a09170a81b1fb13420978eda567f8a8bbb44e2ba8e777f7cd7868b0f4874c111a0b2cb8293340f96

Download Submit
C:\Windows\System32\JeRtdDZ.exe

Filesize
1.1MB

MD5
4c0d8601f51a154943fb96f7cfed3100

SHA1
0ccd731e34c519f1d0980330f6b49aa3433adfad

SHA256
54c2253b4a2605bbb2586833770112bc9202a20752df42edb9332878c41f28ed

SHA512
58b32e9c40bceae40b5fe018305de1e8aee5287cb7b16c3348c582425f7125f52ea2712f044f4f74d75f39b65eca6ffd0a541f6a8ce3188211703734c0db9b57

Download Submit
C:\Windows\System32\LzbslwF.exe

Filesize
1.1MB

MD5
d51beca6d373c2f79659047a78ccfee8

SHA1
5d3876d51feb9144d842f13b95ef8f9d83b0001b

SHA256
b06db842d7077c2df40088dad47772d7cf8c96a1c0f293b5b3e5677f3098384c

SHA512
77fe9b10933a2788c66a16e073786ae030ca16bd44c8bc84f8a651bbdd509e352d399e68f9e8e508d4ec41ff68bf1d4d288f0a7a1814781a3ee4297cbacd04b6

Download Submit
C:\Windows\System32\NMiKYBD.exe

Filesize
1.1MB

MD5
a12d9b5ae71200846c317db7b3e30dbb

SHA1
85e03ca397652bc0bf2facea19f11b06b2ccb315

SHA256
2cdf93f043db90f4875df97af7620bc485041fdd786c7147bea31015bb8f5651

SHA512
3155ad2bac42b065fbbe9fdbe74b98783b4a1165ffddd462ddc8a84f93cf5cbd5b67d8331397f0b65a2937907d76f0875a9eee350cb59c1a6350f97d00a92a40

Download Submit
C:\Windows\System32\OUzmWgi.exe

Filesize
1.1MB

MD5
fc8d5973be7ef895273c70351150f81a

SHA1
e44b67c21d134c4692e3999885624341cd15eb1d

SHA256
67d75dc6f2d0728b8f0d53d5347eeae1648adf43e12c006e1d4d505b1accf777

SHA512
7e1b7c3c94e57b3be3deb329117bfea8b9590f4463bef96e3007a5afaba203f5baadaf5209cd254c2d664693e32e549a2b223172355f362d40de5aebd1577d9e

Download Submit
C:\Windows\System32\RzMiOMr.exe

Filesize
1.1MB

MD5
be2ac549cbcefeebefe5ff570d77e040

SHA1
44d5bdafe266f9c1724e5528784971755811a9a9

SHA256
7d1f2f7435e5c21ed83752ad0e2dd085a2922cf4a5fbe53e56a2baf7fcd2ab06

SHA512
2033e3132e14fae4b62b2104fdc06973e74390abe76b7c0613554fc9818cebda7aff8bc5f8cdca781cb41650802d2163774c964795e4ec3801a69eca4f16e0b3

Download Submit
C:\Windows\System32\UbreZkz.exe

Filesize
1.1MB

MD5
ca16f4399d2d244f904da5d187100453

SHA1
b20ce23e0ac5daa6542d177e8a63ce0b666a5418

SHA256
d2e29f8937b9bceb9c780e038d0b4db1132fd0a8c410e1c98c4fd4003e80e558

SHA512
157f1e5cf03f6322a7311afc83fc5e42c61d292d3742e1e55900373586e8cd6e9adb459af359d0467092203a42f7462d16af96cebc5f7794e66b57c04f91494a

Download Submit
C:\Windows\System32\ZoIpWFV.exe

Filesize
1.1MB

MD5
2a779bc90570dda15fa504681fe904aa

SHA1
e79d506fb36deb593781d7a012237fd50d8d214d

SHA256
8b26ec8a85cd277e20d904ba8285d80142ea699dfc08f7f5586ff276a7e34b23

SHA512
c4efc31da6dbf1b29fb9efdc40bbe217478667205b487c2c5ac071c7f544539cd27080985c3e6cc7c5e55848eca6f9acb88e681edc2f7ca3cf74cc4a225b8194

Download Submit
C:\Windows\System32\axZmOAz.exe

Filesize
1.1MB

MD5
e432dd0a0d0cde24016de445470eeda1

SHA1
4fecb0cae57ea21b7edf9ba28bd79e13b64ec6a4

SHA256
5810a5302be0c1900a8f381f88bf8001a127b0977c8dae497085cbfe3d30e371

SHA512
e03b3c74eada2eb3944c78ff10597192e38776fa98aa43a556f21e2763cdb8de175ffc70249d549da03aff054a882f3eecef5118f6cea53b75e96338861f9dfc

Download Submit
C:\Windows\System32\cEFfoxJ.exe

Filesize
1.1MB

MD5
6a5e343b8e26d052faa82c7c913c25c4

SHA1
8e34970932d1580c5203be785bff3439b4d6e565

SHA256
95df35d0d7212922ecc1a1442508e23cd597bccc652797374f4d1e8652b17a81

SHA512
a09d06dbf4d84756b332917dc98503e731bb8c0f73f6c1e75f392835ae56f33675a85f6e907828e8e89512cad3e6bc932da50526a54c5ed4d4273882c8c24f45

Download Submit
C:\Windows\System32\fIypOLc.exe

Filesize
1.1MB

MD5
c850429ec9ab1becd1bda4f22a354020

SHA1
d84e9b77806640b11c8b699ffbcf7dc3ba6482f1

SHA256
196462dda3ecbe3cc3f4a113e5e86300182a0efb437554edec6661878e31c61d

SHA512
68655b2f1042128b01e1673d86ce82af84b629fad7ca65f3d0a8c13b93fe6a51476584fcb3b550f6f854a461a1f1a1cc44c1692039b7fd562deb629765c8e36d

Download Submit
C:\Windows\System32\feWHudm.exe

Filesize
1.1MB

MD5
f764dccdb9849be222f69ccb414528ae

SHA1
7b4f765d7373f52d7ef3bb36ceb4e5977dab5d8b

SHA256
c5b819f5294dca2bda56c28a4e5d7cd716586909f9281bdb563d5547d178d174

SHA512
a7259909534ad9458bbdf35bfbad26b069fcd7b2f4c496e2cf71a0f7ff3f9d55502d0a0e510dd610530362da936b239fbfd7c8ae1255b47b551d5d8ca94ce92e

Download Submit
C:\Windows\System32\gokpwER.exe

Filesize
1.1MB

MD5
7f8fdef0ac702f324983e4e476fb4e59

SHA1
e63fc0ebce0d9b3db936902355d6610642b90f8c

SHA256
ffde1a629e8a894021cf1e2992ab05fa16789e30d6c5c13bb8716ba6eec36b90

SHA512
39c59905d663d92898bfd1d46a0bfc5345b8afc869aa44b7fa9645072b220688f6911b05df5e4acb582ca154f97b9a44e239f995ccda7f1f46ebd6bb0f9f20bb

Download Submit
C:\Windows\System32\hgmTcSr.exe

Filesize
1.1MB

MD5
55394976be1934a3bfe39762cc4d103d

SHA1
b6c1f5e3b61e5e78914e50fc98bb6273d51a9749

SHA256
6abbb343f7d5779352d670996bb6e2562371fda51258489188518c4088d804b1

SHA512
ad283bc1e57924e628ab0852e0becd0f135ce966e98686d8676cfc199f21d1cbae109ebca43b2d8a9e41e26627d022d2b011e2741cec9434ba85b8dc3da1866f

Download Submit
C:\Windows\System32\hksMWTV.exe

Filesize
1.1MB

MD5
dfced5edf8e07d8300bfa2e3d57e746f

SHA1
445fab82260ec694787e4e649905a5018722390e

SHA256
65348a2674ee5e9d65533b8ed146e951cda8d4d7f6b1be8b92f58b38668a741d

SHA512
c2d4719dbb893cc0950409d535c577231b8f02335775f588b36834e8d487e7923ec037dd973d643295c102c16de7d39ca8f4e6d32491786d7e721bc9dd927328

Download Submit
C:\Windows\System32\khTWvkS.exe

Filesize
1.1MB

MD5
506f8838048f814ee246ad9e85ada119

SHA1
9174891ddff9628d786a4a3c8d14484190e90cb1

SHA256
65c467b2cc466515e190bb00a6af0ead2a8d722a234cd936d6365902f8106ca9

SHA512
f591c228568f58a89f7b622bdc9b974c2d2937f08c7830f7092c65d6e129dafe0c76b336040324ee6ff6c851134c34d669960157becfe45aa3c625507cc269e7

Download Submit
C:\Windows\System32\oMZDQzK.exe

Filesize
1.1MB

MD5
5b79cdc70f33c328c28964de12d1a1e2

SHA1
75de84e77deca08642f5f35e3c4e1e8dbe80fa19

SHA256
2b04821ff85e60bffaa730e40acff45b81060573433f6f96292312ca058e2862

SHA512
de2766bf76eec5d24171f8b0789ee8166745a45263314ef9b70e91b5159a884888020eca2ec8a3aa19ffc2ee3fe141f75d8fb8a7a423ef2d364ee54525bc7262

Download Submit
C:\Windows\System32\pVOtmSq.exe

Filesize
1.1MB

MD5
7199472a6feebb0ebf22b8a28c4d79ce

SHA1
b14851fba0a1bca4d265b835fa789c69ad6fff5f

SHA256
e0d9f0ce1820e0173ca5de1e5cd110a6ccab64e0a9965ef39a828615f4701d3a

SHA512
ec1bd39f4dd45fef67f0edcb6711b680f293c5eeaeb85e43def7e72d6fcd6747648c17f901a2e8e15127fe676a6027d461d0f1668216bbafb698142ae945d8af

Download Submit
C:\Windows\System32\rZnsGxF.exe

Filesize
1.1MB

MD5
90268c200c685cc792d41295e791b6cb

SHA1
b285dfcbc5b03f42e3f8d9091e349e38f8dd896d

SHA256
1c2f3368d4c6cecef02013b3f131b5f52ce27b8d64c522c1396020fea1aac1b3

SHA512
744f5424b28352d60b85470a2a3df0bf253edf733618ba2936a06ed540433b584cb4a185bcf5d21cd790ccf9225db5ae5a0b7027590900828891264a022b72f3

Download Submit
C:\Windows\System32\rzFsciq.exe

Filesize
1.1MB

MD5
5c779ff3b1db755780a5aa84707ff9f8

SHA1
6b6b72e1b84374e28ecfbc35cd862ab1008aec95

SHA256
99abdd1bd59bfd608d8eacf538922337fd8f85b9144fb69883e210d9b2490319

SHA512
10cc6ecd7c9a1142998cd12dbb2f470051ad612a0c1d92fff5dcb9d58e1d33759ddc7b256f35a422b2f219b428a142bb0aa20e74451a71f8ba5cbe141d8ba95f

Download Submit
C:\Windows\System32\svVYbTD.exe

Filesize
1.1MB

MD5
108831336d455abca21649f2f470b848

SHA1
d5515214087c1d67ee28d4afea393a30b518f583

SHA256
c9e0e72397c7988a5c2704ae86bd32cd5960680ada2e13d3b580cfe6e35904cb

SHA512
412826e2099b18ffa35261c2d5135a5027b4e96117a2eed6bc59abe17018bce81e59f1cc55bcf79ffd95c3a7d992a21b7103bee76c013d0261b15256fe8675ab

Download Submit
C:\Windows\System32\tGnNzll.exe

Filesize
1.1MB

MD5
53bb75b0dd43462e7b949a839d1279ed

SHA1
7db637c3ec408d44cb23a24487d32cdca9235cd0

SHA256
1cbbade738e76cd6a02a1f82f9b6f28fa2d29abd878305a3a006a0098bdf5adc

SHA512
720d108ecae589026e337bacfdf4577ea4a2f75eaa38cd83ca8dc848318ad86272460ebf7e14261188ef933d9d4d2d4b40d180238d26f773ed1486aecca13589

Download Submit
C:\Windows\System32\ttpXrfg.exe

Filesize
1.1MB

MD5
e16d5a0366c8b35de2c56727a3ffa471

SHA1
b97091725492e865e9a1419b9724f10b7507d9b5

SHA256
4db30fcb7914c02ee062c7b55f31570c55c397be2b77b85acf3140a5cab7be15

SHA512
db7fccc8746660fe3ad8ff76b3c9b9d58c95f568549d3b18fa64101144b77b27982c6093e0271656997746ce06000bd70f23d6b7bbe65b810d689735c41b59b4

Download Submit
C:\Windows\System32\vroHTyh.exe

Filesize
1.1MB

MD5
5435db22ba70224abd6f4fcb2d21f9ee

SHA1
6510c739034e437c88e3452e2eafcd7e05993672

SHA256
e6ea3111dcd1528b48ca439989eea8cc4ef675d231ab79ca82162bef8afe1d4d

SHA512
f346cdf5c92ba8dd274b8b86ce9d384d8cc150ee8cbb363ec2192f80aa823d2c063e407ee9a873c48421162303b3e77b50c75e934746845a13adbc58294b5ce0

Download Submit
C:\Windows\System32\xFIOuhC.exe

Filesize
1.1MB

MD5
ec9876c08526cf08811d5d8628020a00

SHA1
9c9e00c1ceda7a13696472a497ebe9124c65bda1

SHA256
77b08836d6545acc9d19346bf4bc523e3d9ac1bff67893808d1509d1895301ef

SHA512
d3d343cd8c37d31879bbc70bf684dc21ab750d95c08b965079b1f9b7c122723c7de812a192f99e23b9e85742554001c92b9b4cf515018f125231e717b26e43e0

Download Submit
C:\Windows\System32\zKGAvkz.exe

Filesize
1.1MB

MD5
72f52c2434e7dec1ac50a94563fb25ab

SHA1
d3b52b2b688386f1ac2ec0dd78796869bdb0f3c1

SHA256
d4cbc6fead6f5f7fdb67c3b9cdf959024dd78f441f6237adbdc02fd3aff30667

SHA512
23b1ac31cea5962a5160a14f62f410b00b31a1b8692140f2d63a18acf17758f4d15aac8d05cc816a7fdc972faaa936a7d305c6676cdeb2793f0e472388c26e00

Download Submit
C:\Windows\System32\znHyomp.exe

Filesize
1.1MB

MD5
8f20d9b1405e8eb685cbe32bfcaad71f

SHA1
d1520e1bbe657def97aa36042b94076e4d0e43e5

SHA256
367a7d5494a7e287d23ce47cc2978d77a3638feb992af36dbd0de92a82200962

SHA512
2ac6d14f54f98c33837a5c83026a47c0ee1aa461aa905dde57d3f350436a0bfcc520ee43875cc755ad4a184777673680a2c6ec5d3984720a36f506cf3a1c64cb

Download Submit
memory/212-1998-0x00007FF632A50000-0x00007FF632E41000-memory.dmp

Filesize
3.9MB

Download
memory/212-18-0x00007FF632A50000-0x00007FF632E41000-memory.dmp

Filesize
3.9MB

Download
memory/420-384-0x00007FF6E5D00000-0x00007FF6E60F1000-memory.dmp

Filesize
3.9MB

Download
memory/420-2024-0x00007FF6E5D00000-0x00007FF6E60F1000-memory.dmp

Filesize
3.9MB

Download
memory/816-0-0x00007FF6EE400000-0x00007FF6EE7F1000-memory.dmp

Filesize
3.9MB

Download
memory/816-1-0x000001C7E7170000-0x000001C7E7180000-memory.dmp

Filesize
64KB

Download
memory/848-382-0x00007FF647550000-0x00007FF647941000-memory.dmp

Filesize
3.9MB

Download
memory/848-2008-0x00007FF647550000-0x00007FF647941000-memory.dmp

Filesize
3.9MB

Download
memory/964-417-0x00007FF7FC040000-0x00007FF7FC431000-memory.dmp

Filesize
3.9MB

Download
memory/964-2012-0x00007FF7FC040000-0x00007FF7FC431000-memory.dmp

Filesize
3.9MB

Download
memory/1540-2006-0x00007FF6B8FB0000-0x00007FF6B93A1000-memory.dmp

Filesize
3.9MB

Download
memory/1540-30-0x00007FF6B8FB0000-0x00007FF6B93A1000-memory.dmp

Filesize
3.9MB

Download
memory/1540-1988-0x00007FF6B8FB0000-0x00007FF6B93A1000-memory.dmp

Filesize
3.9MB

Download
memory/2008-409-0x00007FF73EAB0000-0x00007FF73EEA1000-memory.dmp

Filesize
3.9MB

Download
memory/2008-2038-0x00007FF73EAB0000-0x00007FF73EEA1000-memory.dmp

Filesize
3.9MB

Download
memory/2032-396-0x00007FF676820000-0x00007FF676C11000-memory.dmp

Filesize
3.9MB

Download
memory/2032-2040-0x00007FF676820000-0x00007FF676C11000-memory.dmp

Filesize
3.9MB

Download
memory/2264-416-0x00007FF63CB50000-0x00007FF63CF41000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2042-0x00007FF63CB50000-0x00007FF63CF41000-memory.dmp

Filesize
3.9MB

Download
memory/2328-2032-0x00007FF763310000-0x00007FF763701000-memory.dmp

Filesize
3.9MB

Download
memory/2328-390-0x00007FF763310000-0x00007FF763701000-memory.dmp

Filesize
3.9MB

Download
memory/2460-2000-0x00007FF6015F0000-0x00007FF6019E1000-memory.dmp

Filesize
3.9MB

Download
memory/2460-26-0x00007FF6015F0000-0x00007FF6019E1000-memory.dmp

Filesize
3.9MB

Download
memory/2460-1978-0x00007FF6015F0000-0x00007FF6019E1000-memory.dmp

Filesize
3.9MB

Download
memory/2748-2030-0x00007FF60B770000-0x00007FF60BB61000-memory.dmp

Filesize
3.9MB

Download
memory/2748-388-0x00007FF60B770000-0x00007FF60BB61000-memory.dmp

Filesize
3.9MB

Download
memory/2752-2026-0x00007FF7B7AD0000-0x00007FF7B7EC1000-memory.dmp

Filesize
3.9MB

Download
memory/2752-385-0x00007FF7B7AD0000-0x00007FF7B7EC1000-memory.dmp

Filesize
3.9MB

Download
memory/2980-2014-0x00007FF7D7DE0000-0x00007FF7D81D1000-memory.dmp

Filesize
3.9MB

Download
memory/2980-380-0x00007FF7D7DE0000-0x00007FF7D81D1000-memory.dmp

Filesize
3.9MB

Download
memory/3236-2022-0x00007FF6CE020000-0x00007FF6CE411000-memory.dmp

Filesize
3.9MB

Download
memory/3236-386-0x00007FF6CE020000-0x00007FF6CE411000-memory.dmp

Filesize
3.9MB

Download
memory/3392-1990-0x00007FF6A5340000-0x00007FF6A5731000-memory.dmp

Filesize
3.9MB

Download
memory/3392-377-0x00007FF6A5340000-0x00007FF6A5731000-memory.dmp

Filesize
3.9MB

Download
memory/3392-2002-0x00007FF6A5340000-0x00007FF6A5731000-memory.dmp

Filesize
3.9MB

Download
memory/3412-2020-0x00007FF62C510000-0x00007FF62C901000-memory.dmp

Filesize
3.9MB

Download
memory/3412-383-0x00007FF62C510000-0x00007FF62C901000-memory.dmp

Filesize
3.9MB

Download
memory/3444-2028-0x00007FF795DD0000-0x00007FF7961C1000-memory.dmp

Filesize
3.9MB

Download
memory/3444-387-0x00007FF795DD0000-0x00007FF7961C1000-memory.dmp

Filesize
3.9MB

Download
memory/3476-1996-0x00007FF722490000-0x00007FF722881000-memory.dmp

Filesize
3.9MB

Download
memory/3476-9-0x00007FF722490000-0x00007FF722881000-memory.dmp

Filesize
3.9MB

Download
memory/3788-2018-0x00007FF789030000-0x00007FF789421000-memory.dmp

Filesize
3.9MB

Download
memory/3788-378-0x00007FF789030000-0x00007FF789421000-memory.dmp

Filesize
3.9MB

Download
memory/4352-381-0x00007FF747830000-0x00007FF747C21000-memory.dmp

Filesize
3.9MB

Download
memory/4352-2010-0x00007FF747830000-0x00007FF747C21000-memory.dmp

Filesize
3.9MB

Download
memory/4516-1989-0x00007FF7F6350000-0x00007FF7F6741000-memory.dmp

Filesize
3.9MB

Download
memory/4516-27-0x00007FF7F6350000-0x00007FF7F6741000-memory.dmp

Filesize
3.9MB

Download
memory/4516-2004-0x00007FF7F6350000-0x00007FF7F6741000-memory.dmp

Filesize
3.9MB

Download
memory/4664-2034-0x00007FF7BD790000-0x00007FF7BDB81000-memory.dmp

Filesize
3.9MB

Download
memory/4664-403-0x00007FF7BD790000-0x00007FF7BDB81000-memory.dmp

Filesize
3.9MB

Download
memory/4784-2036-0x00007FF75A650000-0x00007FF75AA41000-memory.dmp

Filesize
3.9MB

Download
memory/4784-401-0x00007FF75A650000-0x00007FF75AA41000-memory.dmp

Filesize
3.9MB

Download
memory/5088-379-0x00007FF7B8310000-0x00007FF7B8701000-memory.dmp

Filesize
3.9MB

Download
memory/5088-2016-0x00007FF7B8310000-0x00007FF7B8701000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads