xmrig | 017ac974d3b9265586cb13fbece3c5b0f302c0e18e65e9b5f004d4275238b685

Analysis

max time kernel
107s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
Size

1.4MB
MD5

07d0e4cbf51922c2ef5eea6755721f77
SHA1

e05f09c715974ccef328cf610e768086a5ea8c9d
SHA256

017ac974d3b9265586cb13fbece3c5b0f302c0e18e65e9b5f004d4275238b685
SHA512

b1cad9f1fc52e056af1c3d5617c4d1350cbf86bab6d2750da57218c6a912e14547d4fd0292f70fcea2bc313aa3f8208b420928053c583feff5c4b92fc0836dba
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO9C1MKTbcMfHhGjw2qPICa:knw9oUUEEDlGUjc2HhG82qwV

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 51 IoCs

miner

resource	yara_rule
behavioral2/memory/3840-14-0x00007FF6B63A0000-0x00007FF6B6791000-memory.dmp	xmrig
behavioral2/memory/4468-29-0x00007FF623D20000-0x00007FF624111000-memory.dmp	xmrig
behavioral2/memory/3344-31-0x00007FF68E2C0000-0x00007FF68E6B1000-memory.dmp	xmrig
behavioral2/memory/2056-45-0x00007FF67FD00000-0x00007FF6800F1000-memory.dmp	xmrig
behavioral2/memory/2364-60-0x00007FF7BD890000-0x00007FF7BDC81000-memory.dmp	xmrig
behavioral2/memory/3436-64-0x00007FF74FA10000-0x00007FF74FE01000-memory.dmp	xmrig
behavioral2/memory/2764-78-0x00007FF71CD80000-0x00007FF71D171000-memory.dmp	xmrig
behavioral2/memory/640-84-0x00007FF70DDD0000-0x00007FF70E1C1000-memory.dmp	xmrig
behavioral2/memory/2812-395-0x00007FF64C120000-0x00007FF64C511000-memory.dmp	xmrig
behavioral2/memory/3224-396-0x00007FF769010000-0x00007FF769401000-memory.dmp	xmrig
behavioral2/memory/4432-398-0x00007FF616400000-0x00007FF6167F1000-memory.dmp	xmrig
behavioral2/memory/4400-397-0x00007FF657F80000-0x00007FF658371000-memory.dmp	xmrig
behavioral2/memory/3804-399-0x00007FF77EF30000-0x00007FF77F321000-memory.dmp	xmrig
behavioral2/memory/5052-400-0x00007FF680330000-0x00007FF680721000-memory.dmp	xmrig
behavioral2/memory/2668-402-0x00007FF714D20000-0x00007FF715111000-memory.dmp	xmrig
behavioral2/memory/1436-407-0x00007FF7026D0000-0x00007FF702AC1000-memory.dmp	xmrig
behavioral2/memory/516-93-0x00007FF761610000-0x00007FF761A01000-memory.dmp	xmrig
behavioral2/memory/4380-91-0x00007FF730930000-0x00007FF730D21000-memory.dmp	xmrig
behavioral2/memory/3824-85-0x00007FF624D00000-0x00007FF6250F1000-memory.dmp	xmrig
behavioral2/memory/4660-69-0x00007FF74A930000-0x00007FF74AD21000-memory.dmp	xmrig
behavioral2/memory/3616-62-0x00007FF680D30000-0x00007FF681121000-memory.dmp	xmrig
behavioral2/memory/2624-945-0x00007FF789D40000-0x00007FF78A131000-memory.dmp	xmrig
behavioral2/memory/3344-2003-0x00007FF68E2C0000-0x00007FF68E6B1000-memory.dmp	xmrig
behavioral2/memory/2364-2004-0x00007FF7BD890000-0x00007FF7BDC81000-memory.dmp	xmrig
behavioral2/memory/4676-2013-0x00007FF672F20000-0x00007FF673311000-memory.dmp	xmrig
behavioral2/memory/3216-2038-0x00007FF6CB5E0000-0x00007FF6CB9D1000-memory.dmp	xmrig
behavioral2/memory/2624-2040-0x00007FF789D40000-0x00007FF78A131000-memory.dmp	xmrig
behavioral2/memory/3336-2045-0x00007FF742440000-0x00007FF742831000-memory.dmp	xmrig
behavioral2/memory/3840-2047-0x00007FF6B63A0000-0x00007FF6B6791000-memory.dmp	xmrig
behavioral2/memory/2056-2062-0x00007FF67FD00000-0x00007FF6800F1000-memory.dmp	xmrig
behavioral2/memory/3344-2066-0x00007FF68E2C0000-0x00007FF68E6B1000-memory.dmp	xmrig
behavioral2/memory/4468-2064-0x00007FF623D20000-0x00007FF624111000-memory.dmp	xmrig
behavioral2/memory/2364-2072-0x00007FF7BD890000-0x00007FF7BDC81000-memory.dmp	xmrig
behavioral2/memory/2764-2074-0x00007FF71CD80000-0x00007FF71D171000-memory.dmp	xmrig
behavioral2/memory/3436-2070-0x00007FF74FA10000-0x00007FF74FE01000-memory.dmp	xmrig
behavioral2/memory/4660-2068-0x00007FF74A930000-0x00007FF74AD21000-memory.dmp	xmrig
behavioral2/memory/516-2084-0x00007FF761610000-0x00007FF761A01000-memory.dmp	xmrig
behavioral2/memory/3824-2082-0x00007FF624D00000-0x00007FF6250F1000-memory.dmp	xmrig
behavioral2/memory/3616-2076-0x00007FF680D30000-0x00007FF681121000-memory.dmp	xmrig
behavioral2/memory/640-2088-0x00007FF70DDD0000-0x00007FF70E1C1000-memory.dmp	xmrig
behavioral2/memory/4432-2097-0x00007FF616400000-0x00007FF6167F1000-memory.dmp	xmrig
behavioral2/memory/5052-2102-0x00007FF680330000-0x00007FF680721000-memory.dmp	xmrig
behavioral2/memory/3804-2100-0x00007FF77EF30000-0x00007FF77F321000-memory.dmp	xmrig
behavioral2/memory/3224-2095-0x00007FF769010000-0x00007FF769401000-memory.dmp	xmrig
behavioral2/memory/4400-2094-0x00007FF657F80000-0x00007FF658371000-memory.dmp	xmrig
behavioral2/memory/2668-2099-0x00007FF714D20000-0x00007FF715111000-memory.dmp	xmrig
behavioral2/memory/2812-2090-0x00007FF64C120000-0x00007FF64C511000-memory.dmp	xmrig
behavioral2/memory/4380-2086-0x00007FF730930000-0x00007FF730D21000-memory.dmp	xmrig
behavioral2/memory/3216-2078-0x00007FF6CB5E0000-0x00007FF6CB9D1000-memory.dmp	xmrig
behavioral2/memory/4676-2080-0x00007FF672F20000-0x00007FF673311000-memory.dmp	xmrig
behavioral2/memory/1436-2109-0x00007FF7026D0000-0x00007FF702AC1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3336	cwukSWd.exe
3840	gyrsAfC.exe
4468	JdfTUqa.exe
2056	sUCtHPY.exe
3344	TuyTAoy.exe
3436	EImsRmy.exe
4660	sPRweLZ.exe
2364	spmRxEO.exe
2764	cenxCYT.exe
3616	rPTGxXd.exe
640	HgdKlye.exe
4380	WaYPZke.exe
3824	BGURVFH.exe
516	JLpuakI.exe
4676	BcpLIJQ.exe
3216	orXgetM.exe
2812	WMpkPax.exe
3224	YrMdnFa.exe
4400	euXtfgm.exe
4432	ROCwrdo.exe
3804	qFcPSbx.exe
5052	nCwKVee.exe
2668	ucmIMxZ.exe
1436	sOuzOgK.exe
2916	rZiPsNE.exe
4588	fAIpYao.exe
1856	RTytJWP.exe
3192	FktBKNG.exe
688	DcVXGmy.exe
4620	rhCFBpg.exe
4108	joXsHEq.exe
2520	FOICADG.exe
2800	fFZBmjs.exe
4932	VQGDYFP.exe
3976	cLoHaES.exe
3028	YJGScPK.exe
4284	iUnPgFj.exe
1068	gZffmxX.exe
2240	xaodaXX.exe
1164	yhUnUMA.exe
5116	pojvpBu.exe
5036	jItqAXz.exe
4836	hyIlCDk.exe
5020	bpLTlwJ.exe
4068	gCuTkXE.exe
3636	TMbuHRN.exe
4388	hBaYNWU.exe
4940	qHgtpFu.exe
2752	VPFOitz.exe
2988	cviPLEU.exe
1288	ejgttMI.exe
780	STsfRgu.exe
2796	aEqaPwB.exe
2968	rRuWljl.exe
1864	dtXjRng.exe
1632	ijjftEi.exe
348	owzmnxO.exe
3108	HJCxwOY.exe
4592	ryketnb.exe
4776	yQaSSIl.exe
684	tRjYpqM.exe
4372	jacvFEE.exe
888	DEBKneN.exe
428	cHJmMff.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2624-0-0x00007FF789D40000-0x00007FF78A131000-memory.dmp	upx
behavioral2/files/0x000b000000023b91-4.dat	upx
behavioral2/files/0x000a000000023b95-12.dat	upx
behavioral2/memory/3840-14-0x00007FF6B63A0000-0x00007FF6B6791000-memory.dmp	upx
behavioral2/memory/3336-8-0x00007FF742440000-0x00007FF742831000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-10.dat	upx
behavioral2/files/0x000b000000023b92-22.dat	upx
behavioral2/files/0x000a000000023b97-27.dat	upx
behavioral2/memory/4468-29-0x00007FF623D20000-0x00007FF624111000-memory.dmp	upx
behavioral2/memory/3344-31-0x00007FF68E2C0000-0x00007FF68E6B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-35.dat	upx
behavioral2/files/0x000a000000023b99-40.dat	upx
behavioral2/memory/2056-45-0x00007FF67FD00000-0x00007FF6800F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-46.dat	upx
behavioral2/files/0x000a000000023b9b-49.dat	upx
behavioral2/files/0x000a000000023b9c-54.dat	upx
behavioral2/memory/2364-60-0x00007FF7BD890000-0x00007FF7BDC81000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-61.dat	upx
behavioral2/memory/3436-64-0x00007FF74FA10000-0x00007FF74FE01000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-71.dat	upx
behavioral2/memory/2764-78-0x00007FF71CD80000-0x00007FF71D171000-memory.dmp	upx
behavioral2/memory/640-84-0x00007FF70DDD0000-0x00007FF70E1C1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-86.dat	upx
behavioral2/files/0x000a000000023ba1-89.dat	upx
behavioral2/files/0x000a000000023ba2-94.dat	upx
behavioral2/files/0x000a000000023ba3-100.dat	upx
behavioral2/files/0x000a000000023ba4-107.dat	upx
behavioral2/files/0x000a000000023ba6-117.dat	upx
behavioral2/files/0x000a000000023ba8-127.dat	upx
behavioral2/files/0x000a000000023bad-150.dat	upx
behavioral2/files/0x000a000000023bb0-165.dat	upx
behavioral2/memory/2812-395-0x00007FF64C120000-0x00007FF64C511000-memory.dmp	upx
behavioral2/memory/3224-396-0x00007FF769010000-0x00007FF769401000-memory.dmp	upx
behavioral2/memory/4432-398-0x00007FF616400000-0x00007FF6167F1000-memory.dmp	upx
behavioral2/memory/4400-397-0x00007FF657F80000-0x00007FF658371000-memory.dmp	upx
behavioral2/memory/3804-399-0x00007FF77EF30000-0x00007FF77F321000-memory.dmp	upx
behavioral2/memory/5052-400-0x00007FF680330000-0x00007FF680721000-memory.dmp	upx
behavioral2/memory/2668-402-0x00007FF714D20000-0x00007FF715111000-memory.dmp	upx
behavioral2/memory/1436-407-0x00007FF7026D0000-0x00007FF702AC1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb2-177.dat	upx
behavioral2/files/0x000a000000023bb1-172.dat	upx
behavioral2/files/0x000a000000023baf-162.dat	upx
behavioral2/files/0x000a000000023bae-157.dat	upx
behavioral2/files/0x000a000000023bac-147.dat	upx
behavioral2/files/0x000a000000023bab-142.dat	upx
behavioral2/files/0x000a000000023baa-137.dat	upx
behavioral2/files/0x000a000000023ba9-132.dat	upx
behavioral2/files/0x000a000000023ba7-122.dat	upx
behavioral2/files/0x000a000000023ba5-112.dat	upx
behavioral2/memory/3216-96-0x00007FF6CB5E0000-0x00007FF6CB9D1000-memory.dmp	upx
behavioral2/memory/516-93-0x00007FF761610000-0x00007FF761A01000-memory.dmp	upx
behavioral2/memory/4380-91-0x00007FF730930000-0x00007FF730D21000-memory.dmp	upx
behavioral2/memory/4676-88-0x00007FF672F20000-0x00007FF673311000-memory.dmp	upx
behavioral2/memory/3824-85-0x00007FF624D00000-0x00007FF6250F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-70.dat	upx
behavioral2/memory/4660-69-0x00007FF74A930000-0x00007FF74AD21000-memory.dmp	upx
behavioral2/memory/3616-62-0x00007FF680D30000-0x00007FF681121000-memory.dmp	upx
behavioral2/memory/2624-945-0x00007FF789D40000-0x00007FF78A131000-memory.dmp	upx
behavioral2/memory/3344-2003-0x00007FF68E2C0000-0x00007FF68E6B1000-memory.dmp	upx
behavioral2/memory/2364-2004-0x00007FF7BD890000-0x00007FF7BDC81000-memory.dmp	upx
behavioral2/memory/4676-2013-0x00007FF672F20000-0x00007FF673311000-memory.dmp	upx
behavioral2/memory/3216-2038-0x00007FF6CB5E0000-0x00007FF6CB9D1000-memory.dmp	upx
behavioral2/memory/2624-2040-0x00007FF789D40000-0x00007FF78A131000-memory.dmp	upx
behavioral2/memory/3336-2045-0x00007FF742440000-0x00007FF742831000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\YeJNxUo.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\cPsDeCn.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\iuCuAxm.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\SRtsFvo.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\EgTwiIo.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\LpXqHHE.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\CfDszjw.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\ilpQxXw.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\pEnfEwE.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\AwDJQyn.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\YeOrVCc.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\roHXcUF.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\cVrnkfP.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\esZmJWx.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\gUtgRZJ.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\JZUUVxo.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\iNNvLBr.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\VQvMlwy.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\VsFsSJD.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\xUDAuGd.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\TsSJkiG.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\bNLpsFd.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\vOjOrmx.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\myOhngz.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\BlBjGtK.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\OQuzBnV.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\BVwwexH.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\ZxWkwhH.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\NnucBmA.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\vjXbshL.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\CKcaqdt.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\KXTENMa.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\YPdIOhT.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\AiugTTA.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\LhfcKNE.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\uVWvSsw.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\FlLOVcn.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\zNhwZNV.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\EmfXUsu.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\ZqQpZyP.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\egmxgdD.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\yJjulBv.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\tfXUxDm.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\jiUAsJk.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\aWtIFJw.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\msNGPhp.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\euXtfgm.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\pragqRA.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\xfVNVRw.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\GodXeUu.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\ucmIMxZ.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\RfSknZL.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\WNJoHbr.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\rMiBiro.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\JBKZczO.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\OIkKnFz.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\lfjHHAV.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\ROCwrdo.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\YjCgrpg.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\HFoMMVP.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\npjtbVy.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\BguAHLx.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\avYWGYK.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
File created	C:\Windows\System32\gbwxLle.exe	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2172	dwm.exe
Token: SeChangeNotifyPrivilege	2172	dwm.exe
Token: 33	2172	dwm.exe
Token: SeIncBasePriorityPrivilege	2172	dwm.exe
Token: SeShutdownPrivilege	2172	dwm.exe
Token: SeCreatePagefilePrivilege	2172	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 3336	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	84
PID 2624 wrote to memory of 3336	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	84
PID 2624 wrote to memory of 3840	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	85
PID 2624 wrote to memory of 3840	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	85
PID 2624 wrote to memory of 4468	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	86
PID 2624 wrote to memory of 4468	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	86
PID 2624 wrote to memory of 2056	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	87
PID 2624 wrote to memory of 2056	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	87
PID 2624 wrote to memory of 3344	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	88
PID 2624 wrote to memory of 3344	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	88
PID 2624 wrote to memory of 3436	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	89
PID 2624 wrote to memory of 3436	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	89
PID 2624 wrote to memory of 4660	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	90
PID 2624 wrote to memory of 4660	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	90
PID 2624 wrote to memory of 2364	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	91
PID 2624 wrote to memory of 2364	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	91
PID 2624 wrote to memory of 2764	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	92
PID 2624 wrote to memory of 2764	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	92
PID 2624 wrote to memory of 3616	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	93
PID 2624 wrote to memory of 3616	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	93
PID 2624 wrote to memory of 640	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	94
PID 2624 wrote to memory of 640	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	94
PID 2624 wrote to memory of 4380	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	95
PID 2624 wrote to memory of 4380	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	95
PID 2624 wrote to memory of 3824	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	96
PID 2624 wrote to memory of 3824	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	96
PID 2624 wrote to memory of 516	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	97
PID 2624 wrote to memory of 516	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	97
PID 2624 wrote to memory of 4676	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	98
PID 2624 wrote to memory of 4676	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	98
PID 2624 wrote to memory of 3216	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	99
PID 2624 wrote to memory of 3216	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	99
PID 2624 wrote to memory of 2812	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	100
PID 2624 wrote to memory of 2812	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	100
PID 2624 wrote to memory of 3224	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	101
PID 2624 wrote to memory of 3224	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	101
PID 2624 wrote to memory of 4400	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	102
PID 2624 wrote to memory of 4400	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	102
PID 2624 wrote to memory of 4432	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	103
PID 2624 wrote to memory of 4432	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	103
PID 2624 wrote to memory of 3804	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	104
PID 2624 wrote to memory of 3804	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	104
PID 2624 wrote to memory of 5052	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	105
PID 2624 wrote to memory of 5052	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	105
PID 2624 wrote to memory of 2668	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	106
PID 2624 wrote to memory of 2668	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	106
PID 2624 wrote to memory of 1436	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	107
PID 2624 wrote to memory of 1436	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	107
PID 2624 wrote to memory of 2916	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	108
PID 2624 wrote to memory of 2916	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	108
PID 2624 wrote to memory of 4588	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	109
PID 2624 wrote to memory of 4588	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	109
PID 2624 wrote to memory of 1856	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	110
PID 2624 wrote to memory of 1856	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	110
PID 2624 wrote to memory of 3192	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	111
PID 2624 wrote to memory of 3192	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	111
PID 2624 wrote to memory of 688	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	112
PID 2624 wrote to memory of 688	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	112
PID 2624 wrote to memory of 4620	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	113
PID 2624 wrote to memory of 4620	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	113
PID 2624 wrote to memory of 4108	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	114
PID 2624 wrote to memory of 4108	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	114
PID 2624 wrote to memory of 2520	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	115
PID 2624 wrote to memory of 2520	2624	07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07d0e4cbf51922c2ef5eea6755721f77_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\System32\cwukSWd.exe
  C:\Windows\System32\cwukSWd.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System32\gyrsAfC.exe
  C:\Windows\System32\gyrsAfC.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System32\JdfTUqa.exe
  C:\Windows\System32\JdfTUqa.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\sUCtHPY.exe
  C:\Windows\System32\sUCtHPY.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System32\TuyTAoy.exe
  C:\Windows\System32\TuyTAoy.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System32\EImsRmy.exe
  C:\Windows\System32\EImsRmy.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System32\sPRweLZ.exe
  C:\Windows\System32\sPRweLZ.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\spmRxEO.exe
  C:\Windows\System32\spmRxEO.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System32\cenxCYT.exe
  C:\Windows\System32\cenxCYT.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\rPTGxXd.exe
  C:\Windows\System32\rPTGxXd.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\HgdKlye.exe
  C:\Windows\System32\HgdKlye.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\WaYPZke.exe
  C:\Windows\System32\WaYPZke.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\BGURVFH.exe
  C:\Windows\System32\BGURVFH.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System32\JLpuakI.exe
  C:\Windows\System32\JLpuakI.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System32\BcpLIJQ.exe
  C:\Windows\System32\BcpLIJQ.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System32\orXgetM.exe
  C:\Windows\System32\orXgetM.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\WMpkPax.exe
  C:\Windows\System32\WMpkPax.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System32\YrMdnFa.exe
  C:\Windows\System32\YrMdnFa.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\euXtfgm.exe
  C:\Windows\System32\euXtfgm.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\ROCwrdo.exe
  C:\Windows\System32\ROCwrdo.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\qFcPSbx.exe
  C:\Windows\System32\qFcPSbx.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System32\nCwKVee.exe
  C:\Windows\System32\nCwKVee.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\ucmIMxZ.exe
  C:\Windows\System32\ucmIMxZ.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System32\sOuzOgK.exe
  C:\Windows\System32\sOuzOgK.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System32\rZiPsNE.exe
  C:\Windows\System32\rZiPsNE.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System32\fAIpYao.exe
  C:\Windows\System32\fAIpYao.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\RTytJWP.exe
  C:\Windows\System32\RTytJWP.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System32\FktBKNG.exe
  C:\Windows\System32\FktBKNG.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System32\DcVXGmy.exe
  C:\Windows\System32\DcVXGmy.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System32\rhCFBpg.exe
  C:\Windows\System32\rhCFBpg.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System32\joXsHEq.exe
  C:\Windows\System32\joXsHEq.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\FOICADG.exe
  C:\Windows\System32\FOICADG.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System32\fFZBmjs.exe
  C:\Windows\System32\fFZBmjs.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\VQGDYFP.exe
  C:\Windows\System32\VQGDYFP.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\cLoHaES.exe
  C:\Windows\System32\cLoHaES.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System32\YJGScPK.exe
  C:\Windows\System32\YJGScPK.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\iUnPgFj.exe
  C:\Windows\System32\iUnPgFj.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System32\gZffmxX.exe
  C:\Windows\System32\gZffmxX.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System32\xaodaXX.exe
  C:\Windows\System32\xaodaXX.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System32\yhUnUMA.exe
  C:\Windows\System32\yhUnUMA.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System32\pojvpBu.exe
  C:\Windows\System32\pojvpBu.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System32\jItqAXz.exe
  C:\Windows\System32\jItqAXz.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System32\hyIlCDk.exe
  C:\Windows\System32\hyIlCDk.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System32\bpLTlwJ.exe
  C:\Windows\System32\bpLTlwJ.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\gCuTkXE.exe
  C:\Windows\System32\gCuTkXE.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System32\TMbuHRN.exe
  C:\Windows\System32\TMbuHRN.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\hBaYNWU.exe
  C:\Windows\System32\hBaYNWU.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\qHgtpFu.exe
  C:\Windows\System32\qHgtpFu.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System32\VPFOitz.exe
  C:\Windows\System32\VPFOitz.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\cviPLEU.exe
  C:\Windows\System32\cviPLEU.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\ejgttMI.exe
  C:\Windows\System32\ejgttMI.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System32\STsfRgu.exe
  C:\Windows\System32\STsfRgu.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System32\aEqaPwB.exe
  C:\Windows\System32\aEqaPwB.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System32\rRuWljl.exe
  C:\Windows\System32\rRuWljl.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System32\dtXjRng.exe
  C:\Windows\System32\dtXjRng.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System32\ijjftEi.exe
  C:\Windows\System32\ijjftEi.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System32\owzmnxO.exe
  C:\Windows\System32\owzmnxO.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System32\HJCxwOY.exe
  C:\Windows\System32\HJCxwOY.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System32\ryketnb.exe
  C:\Windows\System32\ryketnb.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System32\yQaSSIl.exe
  C:\Windows\System32\yQaSSIl.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\tRjYpqM.exe
  C:\Windows\System32\tRjYpqM.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System32\jacvFEE.exe
  C:\Windows\System32\jacvFEE.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System32\DEBKneN.exe
  C:\Windows\System32\DEBKneN.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System32\cHJmMff.exe
  C:\Windows\System32\cHJmMff.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System32\OUThNtm.exe
  C:\Windows\System32\OUThNtm.exe
  2⤵
  PID:2132
- C:\Windows\System32\GbgZQOX.exe
  C:\Windows\System32\GbgZQOX.exe
  2⤵
  PID:4340
- C:\Windows\System32\UGQOQIx.exe
  C:\Windows\System32\UGQOQIx.exe
  2⤵
  PID:1852
- C:\Windows\System32\UQNOyXe.exe
  C:\Windows\System32\UQNOyXe.exe
  2⤵
  PID:984
- C:\Windows\System32\VqSJjLj.exe
  C:\Windows\System32\VqSJjLj.exe
  2⤵
  PID:4036
- C:\Windows\System32\sbqWPFe.exe
  C:\Windows\System32\sbqWPFe.exe
  2⤵
  PID:3360
- C:\Windows\System32\tpgqMyL.exe
  C:\Windows\System32\tpgqMyL.exe
  2⤵
  PID:4152
- C:\Windows\System32\TDGdFgU.exe
  C:\Windows\System32\TDGdFgU.exe
  2⤵
  PID:3244
- C:\Windows\System32\SKzTcWF.exe
  C:\Windows\System32\SKzTcWF.exe
  2⤵
  PID:4640
- C:\Windows\System32\QLcghfi.exe
  C:\Windows\System32\QLcghfi.exe
  2⤵
  PID:4412
- C:\Windows\System32\TLRaRaO.exe
  C:\Windows\System32\TLRaRaO.exe
  2⤵
  PID:1536
- C:\Windows\System32\vdHLFqS.exe
  C:\Windows\System32\vdHLFqS.exe
  2⤵
  PID:2152
- C:\Windows\System32\yrYYQEc.exe
  C:\Windows\System32\yrYYQEc.exe
  2⤵
  PID:680
- C:\Windows\System32\fkaemAL.exe
  C:\Windows\System32\fkaemAL.exe
  2⤵
  PID:1576
- C:\Windows\System32\TGIrXJh.exe
  C:\Windows\System32\TGIrXJh.exe
  2⤵
  PID:1308
- C:\Windows\System32\qIQCZcZ.exe
  C:\Windows\System32\qIQCZcZ.exe
  2⤵
  PID:1928
- C:\Windows\System32\tvqOPfe.exe
  C:\Windows\System32\tvqOPfe.exe
  2⤵
  PID:1772
- C:\Windows\System32\OtBRxwI.exe
  C:\Windows\System32\OtBRxwI.exe
  2⤵
  PID:4608
- C:\Windows\System32\sTKKyEI.exe
  C:\Windows\System32\sTKKyEI.exe
  2⤵
  PID:2024
- C:\Windows\System32\FMvIwBA.exe
  C:\Windows\System32\FMvIwBA.exe
  2⤵
  PID:628
- C:\Windows\System32\vxjMphG.exe
  C:\Windows\System32\vxjMphG.exe
  2⤵
  PID:4228
- C:\Windows\System32\sAHwnqi.exe
  C:\Windows\System32\sAHwnqi.exe
  2⤵
  PID:4772
- C:\Windows\System32\tZlbzyc.exe
  C:\Windows\System32\tZlbzyc.exe
  2⤵
  PID:1808
- C:\Windows\System32\wliOsEl.exe
  C:\Windows\System32\wliOsEl.exe
  2⤵
  PID:5028
- C:\Windows\System32\yEGfQFP.exe
  C:\Windows\System32\yEGfQFP.exe
  2⤵
  PID:1172
- C:\Windows\System32\GGvfunb.exe
  C:\Windows\System32\GGvfunb.exe
  2⤵
  PID:5136
- C:\Windows\System32\LpXqHHE.exe
  C:\Windows\System32\LpXqHHE.exe
  2⤵
  PID:5164
- C:\Windows\System32\YjCgrpg.exe
  C:\Windows\System32\YjCgrpg.exe
  2⤵
  PID:5192
- C:\Windows\System32\VKyNaJI.exe
  C:\Windows\System32\VKyNaJI.exe
  2⤵
  PID:5216
- C:\Windows\System32\WTEPvLN.exe
  C:\Windows\System32\WTEPvLN.exe
  2⤵
  PID:5248
- C:\Windows\System32\KVRAfQD.exe
  C:\Windows\System32\KVRAfQD.exe
  2⤵
  PID:5272
- C:\Windows\System32\GQUDDhv.exe
  C:\Windows\System32\GQUDDhv.exe
  2⤵
  PID:5304
- C:\Windows\System32\lxsOZnz.exe
  C:\Windows\System32\lxsOZnz.exe
  2⤵
  PID:5332
- C:\Windows\System32\HWyRtZA.exe
  C:\Windows\System32\HWyRtZA.exe
  2⤵
  PID:5364
- C:\Windows\System32\sdkgywQ.exe
  C:\Windows\System32\sdkgywQ.exe
  2⤵
  PID:5384
- C:\Windows\System32\AtfPLUe.exe
  C:\Windows\System32\AtfPLUe.exe
  2⤵
  PID:5420
- C:\Windows\System32\SnKlOsG.exe
  C:\Windows\System32\SnKlOsG.exe
  2⤵
  PID:5444
- C:\Windows\System32\TjfEjlt.exe
  C:\Windows\System32\TjfEjlt.exe
  2⤵
  PID:5472
- C:\Windows\System32\rdtxCIi.exe
  C:\Windows\System32\rdtxCIi.exe
  2⤵
  PID:5504
- C:\Windows\System32\lPqnUpe.exe
  C:\Windows\System32\lPqnUpe.exe
  2⤵
  PID:5528
- C:\Windows\System32\viijRBI.exe
  C:\Windows\System32\viijRBI.exe
  2⤵
  PID:5580
- C:\Windows\System32\SjkbHPx.exe
  C:\Windows\System32\SjkbHPx.exe
  2⤵
  PID:5624
- C:\Windows\System32\swIdZaR.exe
  C:\Windows\System32\swIdZaR.exe
  2⤵
  PID:5640
- C:\Windows\System32\RGuGvsF.exe
  C:\Windows\System32\RGuGvsF.exe
  2⤵
  PID:5672
- C:\Windows\System32\NIBbgMk.exe
  C:\Windows\System32\NIBbgMk.exe
  2⤵
  PID:5704
- C:\Windows\System32\SfQQlUh.exe
  C:\Windows\System32\SfQQlUh.exe
  2⤵
  PID:5736
- C:\Windows\System32\mnHkYqL.exe
  C:\Windows\System32\mnHkYqL.exe
  2⤵
  PID:5752
- C:\Windows\System32\eXMSPjI.exe
  C:\Windows\System32\eXMSPjI.exe
  2⤵
  PID:5780
- C:\Windows\System32\HyXsuCq.exe
  C:\Windows\System32\HyXsuCq.exe
  2⤵
  PID:5828
- C:\Windows\System32\HWpQWYt.exe
  C:\Windows\System32\HWpQWYt.exe
  2⤵
  PID:5856
- C:\Windows\System32\wVOspud.exe
  C:\Windows\System32\wVOspud.exe
  2⤵
  PID:5884
- C:\Windows\System32\sEuXyEU.exe
  C:\Windows\System32\sEuXyEU.exe
  2⤵
  PID:5920
- C:\Windows\System32\RLMuliH.exe
  C:\Windows\System32\RLMuliH.exe
  2⤵
  PID:5960
- C:\Windows\System32\mLaJbcw.exe
  C:\Windows\System32\mLaJbcw.exe
  2⤵
  PID:5996
- C:\Windows\System32\xINpPLM.exe
  C:\Windows\System32\xINpPLM.exe
  2⤵
  PID:6020
- C:\Windows\System32\ibpXHNI.exe
  C:\Windows\System32\ibpXHNI.exe
  2⤵
  PID:6044
- C:\Windows\System32\ARLbVnt.exe
  C:\Windows\System32\ARLbVnt.exe
  2⤵
  PID:6060
- C:\Windows\System32\YeOrVCc.exe
  C:\Windows\System32\YeOrVCc.exe
  2⤵
  PID:6084
- C:\Windows\System32\LSOqfnm.exe
  C:\Windows\System32\LSOqfnm.exe
  2⤵
  PID:6112
- C:\Windows\System32\aBJXVPX.exe
  C:\Windows\System32\aBJXVPX.exe
  2⤵
  PID:3052
- C:\Windows\System32\TQKXKil.exe
  C:\Windows\System32\TQKXKil.exe
  2⤵
  PID:3416
- C:\Windows\System32\XspXcuR.exe
  C:\Windows\System32\XspXcuR.exe
  2⤵
  PID:1032
- C:\Windows\System32\AlEfmXx.exe
  C:\Windows\System32\AlEfmXx.exe
  2⤵
  PID:5148
- C:\Windows\System32\IIpBKkd.exe
  C:\Windows\System32\IIpBKkd.exe
  2⤵
  PID:3744
- C:\Windows\System32\DwDKEJb.exe
  C:\Windows\System32\DwDKEJb.exe
  2⤵
  PID:5284
- C:\Windows\System32\EyWPWkD.exe
  C:\Windows\System32\EyWPWkD.exe
  2⤵
  PID:1488
- C:\Windows\System32\fZCEpeH.exe
  C:\Windows\System32\fZCEpeH.exe
  2⤵
  PID:5376
- C:\Windows\System32\roHXcUF.exe
  C:\Windows\System32\roHXcUF.exe
  2⤵
  PID:5436
- C:\Windows\System32\aPGaEKf.exe
  C:\Windows\System32\aPGaEKf.exe
  2⤵
  PID:5488
- C:\Windows\System32\KiYvsxn.exe
  C:\Windows\System32\KiYvsxn.exe
  2⤵
  PID:5520
- C:\Windows\System32\AlhPWGa.exe
  C:\Windows\System32\AlhPWGa.exe
  2⤵
  PID:220
- C:\Windows\System32\WKjuGnl.exe
  C:\Windows\System32\WKjuGnl.exe
  2⤵
  PID:5548
- C:\Windows\System32\VsFsSJD.exe
  C:\Windows\System32\VsFsSJD.exe
  2⤵
  PID:2212
- C:\Windows\System32\xUDAuGd.exe
  C:\Windows\System32\xUDAuGd.exe
  2⤵
  PID:1520
- C:\Windows\System32\jgNVDMk.exe
  C:\Windows\System32\jgNVDMk.exe
  2⤵
  PID:1580
- C:\Windows\System32\SAewjVK.exe
  C:\Windows\System32\SAewjVK.exe
  2⤵
  PID:5632
- C:\Windows\System32\rpGopvX.exe
  C:\Windows\System32\rpGopvX.exe
  2⤵
  PID:5692
- C:\Windows\System32\GZhvVGU.exe
  C:\Windows\System32\GZhvVGU.exe
  2⤵
  PID:5728
- C:\Windows\System32\rMWvSpL.exe
  C:\Windows\System32\rMWvSpL.exe
  2⤵
  PID:3180
- C:\Windows\System32\bDJSmas.exe
  C:\Windows\System32\bDJSmas.exe
  2⤵
  PID:4248
- C:\Windows\System32\yJRBCIU.exe
  C:\Windows\System32\yJRBCIU.exe
  2⤵
  PID:6012
- C:\Windows\System32\llvfkJw.exe
  C:\Windows\System32\llvfkJw.exe
  2⤵
  PID:6040
- C:\Windows\System32\mdbFGog.exe
  C:\Windows\System32\mdbFGog.exe
  2⤵
  PID:6080
- C:\Windows\System32\CUzklRB.exe
  C:\Windows\System32\CUzklRB.exe
  2⤵
  PID:2312
- C:\Windows\System32\AaejKyq.exe
  C:\Windows\System32\AaejKyq.exe
  2⤵
  PID:6128
- C:\Windows\System32\OGpzFoz.exe
  C:\Windows\System32\OGpzFoz.exe
  2⤵
  PID:6140
- C:\Windows\System32\diCPzUE.exe
  C:\Windows\System32\diCPzUE.exe
  2⤵
  PID:2560
- C:\Windows\System32\QtbKbaL.exe
  C:\Windows\System32\QtbKbaL.exe
  2⤵
  PID:5588
- C:\Windows\System32\bXRqwmW.exe
  C:\Windows\System32\bXRqwmW.exe
  2⤵
  PID:1152
- C:\Windows\System32\RVGgeHI.exe
  C:\Windows\System32\RVGgeHI.exe
  2⤵
  PID:5600
- C:\Windows\System32\ZQhmEOE.exe
  C:\Windows\System32\ZQhmEOE.exe
  2⤵
  PID:5608
- C:\Windows\System32\UKYjsiq.exe
  C:\Windows\System32\UKYjsiq.exe
  2⤵
  PID:2552
- C:\Windows\System32\jJMFMsw.exe
  C:\Windows\System32\jJMFMsw.exe
  2⤵
  PID:3208
- C:\Windows\System32\TXoOcDH.exe
  C:\Windows\System32\TXoOcDH.exe
  2⤵
  PID:4448
- C:\Windows\System32\imORuGJ.exe
  C:\Windows\System32\imORuGJ.exe
  2⤵
  PID:5892
- C:\Windows\System32\wHkSQmO.exe
  C:\Windows\System32\wHkSQmO.exe
  2⤵
  PID:3096
- C:\Windows\System32\MkRTDoz.exe
  C:\Windows\System32\MkRTDoz.exe
  2⤵
  PID:5260
- C:\Windows\System32\ZxWkwhH.exe
  C:\Windows\System32\ZxWkwhH.exe
  2⤵
  PID:5316
- C:\Windows\System32\vpkboPJ.exe
  C:\Windows\System32\vpkboPJ.exe
  2⤵
  PID:5616
- C:\Windows\System32\xVWMZBP.exe
  C:\Windows\System32\xVWMZBP.exe
  2⤵
  PID:2748
- C:\Windows\System32\JSjglZz.exe
  C:\Windows\System32\JSjglZz.exe
  2⤵
  PID:6056
- C:\Windows\System32\UaXCUGg.exe
  C:\Windows\System32\UaXCUGg.exe
  2⤵
  PID:4696
- C:\Windows\System32\bvGVRXI.exe
  C:\Windows\System32\bvGVRXI.exe
  2⤵
  PID:432
- C:\Windows\System32\UuxJrdK.exe
  C:\Windows\System32\UuxJrdK.exe
  2⤵
  PID:6160
- C:\Windows\System32\gSYWxGi.exe
  C:\Windows\System32\gSYWxGi.exe
  2⤵
  PID:6192
- C:\Windows\System32\QCCaXOu.exe
  C:\Windows\System32\QCCaXOu.exe
  2⤵
  PID:6208
- C:\Windows\System32\tLNbZIJ.exe
  C:\Windows\System32\tLNbZIJ.exe
  2⤵
  PID:6268
- C:\Windows\System32\luLZHNC.exe
  C:\Windows\System32\luLZHNC.exe
  2⤵
  PID:6312
- C:\Windows\System32\maZQOoq.exe
  C:\Windows\System32\maZQOoq.exe
  2⤵
  PID:6336
- C:\Windows\System32\nNnfqRO.exe
  C:\Windows\System32\nNnfqRO.exe
  2⤵
  PID:6352
- C:\Windows\System32\YIeAaLz.exe
  C:\Windows\System32\YIeAaLz.exe
  2⤵
  PID:6372
- C:\Windows\System32\tkaSKVZ.exe
  C:\Windows\System32\tkaSKVZ.exe
  2⤵
  PID:6420
- C:\Windows\System32\qMkzhlK.exe
  C:\Windows\System32\qMkzhlK.exe
  2⤵
  PID:6440
- C:\Windows\System32\FDtLqvd.exe
  C:\Windows\System32\FDtLqvd.exe
  2⤵
  PID:6480
- C:\Windows\System32\OYdcGHh.exe
  C:\Windows\System32\OYdcGHh.exe
  2⤵
  PID:6504
- C:\Windows\System32\MsTbPZr.exe
  C:\Windows\System32\MsTbPZr.exe
  2⤵
  PID:6532
- C:\Windows\System32\oqgElyc.exe
  C:\Windows\System32\oqgElyc.exe
  2⤵
  PID:6552
- C:\Windows\System32\HkNrlev.exe
  C:\Windows\System32\HkNrlev.exe
  2⤵
  PID:6592
- C:\Windows\System32\ZSOCwXg.exe
  C:\Windows\System32\ZSOCwXg.exe
  2⤵
  PID:6624
- C:\Windows\System32\mPxZPiu.exe
  C:\Windows\System32\mPxZPiu.exe
  2⤵
  PID:6644
- C:\Windows\System32\FJhpOLx.exe
  C:\Windows\System32\FJhpOLx.exe
  2⤵
  PID:6664
- C:\Windows\System32\VElGHuy.exe
  C:\Windows\System32\VElGHuy.exe
  2⤵
  PID:6684
- C:\Windows\System32\DMsNySL.exe
  C:\Windows\System32\DMsNySL.exe
  2⤵
  PID:6700
- C:\Windows\System32\jNnoLHZ.exe
  C:\Windows\System32\jNnoLHZ.exe
  2⤵
  PID:6724
- C:\Windows\System32\NnucBmA.exe
  C:\Windows\System32\NnucBmA.exe
  2⤵
  PID:6752
- C:\Windows\System32\pyVYbcb.exe
  C:\Windows\System32\pyVYbcb.exe
  2⤵
  PID:6800
- C:\Windows\System32\LhfcKNE.exe
  C:\Windows\System32\LhfcKNE.exe
  2⤵
  PID:6820
- C:\Windows\System32\vdxjaZu.exe
  C:\Windows\System32\vdxjaZu.exe
  2⤵
  PID:6856
- C:\Windows\System32\suhMaXp.exe
  C:\Windows\System32\suhMaXp.exe
  2⤵
  PID:6872
- C:\Windows\System32\ZpUkaly.exe
  C:\Windows\System32\ZpUkaly.exe
  2⤵
  PID:6924
- C:\Windows\System32\WNJoHbr.exe
  C:\Windows\System32\WNJoHbr.exe
  2⤵
  PID:6948
- C:\Windows\System32\rvwUReM.exe
  C:\Windows\System32\rvwUReM.exe
  2⤵
  PID:6964
- C:\Windows\System32\PleIqzO.exe
  C:\Windows\System32\PleIqzO.exe
  2⤵
  PID:6984
- C:\Windows\System32\BLElUbg.exe
  C:\Windows\System32\BLElUbg.exe
  2⤵
  PID:7000
- C:\Windows\System32\kJMJnnJ.exe
  C:\Windows\System32\kJMJnnJ.exe
  2⤵
  PID:7020
- C:\Windows\System32\kGJNCdZ.exe
  C:\Windows\System32\kGJNCdZ.exe
  2⤵
  PID:7064
- C:\Windows\System32\iuCuAxm.exe
  C:\Windows\System32\iuCuAxm.exe
  2⤵
  PID:7116
- C:\Windows\System32\limnRJT.exe
  C:\Windows\System32\limnRJT.exe
  2⤵
  PID:7136
- C:\Windows\System32\vOjOrmx.exe
  C:\Windows\System32\vOjOrmx.exe
  2⤵
  PID:7156
- C:\Windows\System32\LNeNCts.exe
  C:\Windows\System32\LNeNCts.exe
  2⤵
  PID:6168
- C:\Windows\System32\gkvfTwt.exe
  C:\Windows\System32\gkvfTwt.exe
  2⤵
  PID:6256
- C:\Windows\System32\MtkEclJ.exe
  C:\Windows\System32\MtkEclJ.exe
  2⤵
  PID:6292
- C:\Windows\System32\ghOvYix.exe
  C:\Windows\System32\ghOvYix.exe
  2⤵
  PID:6348
- C:\Windows\System32\QjnlMTv.exe
  C:\Windows\System32\QjnlMTv.exe
  2⤵
  PID:6396
- C:\Windows\System32\AbXHqDG.exe
  C:\Windows\System32\AbXHqDG.exe
  2⤵
  PID:6428
- C:\Windows\System32\fiVzNCU.exe
  C:\Windows\System32\fiVzNCU.exe
  2⤵
  PID:6520
- C:\Windows\System32\QEUvsKv.exe
  C:\Windows\System32\QEUvsKv.exe
  2⤵
  PID:6612
- C:\Windows\System32\EwZsCSO.exe
  C:\Windows\System32\EwZsCSO.exe
  2⤵
  PID:6720
- C:\Windows\System32\JsKIlKk.exe
  C:\Windows\System32\JsKIlKk.exe
  2⤵
  PID:6772
- C:\Windows\System32\ymNhTbg.exe
  C:\Windows\System32\ymNhTbg.exe
  2⤵
  PID:6844
- C:\Windows\System32\uVWvSsw.exe
  C:\Windows\System32\uVWvSsw.exe
  2⤵
  PID:6944
- C:\Windows\System32\bClVDgY.exe
  C:\Windows\System32\bClVDgY.exe
  2⤵
  PID:6980
- C:\Windows\System32\hhreXMy.exe
  C:\Windows\System32\hhreXMy.exe
  2⤵
  PID:6956
- C:\Windows\System32\cVrnkfP.exe
  C:\Windows\System32\cVrnkfP.exe
  2⤵
  PID:7144
- C:\Windows\System32\GgzXORD.exe
  C:\Windows\System32\GgzXORD.exe
  2⤵
  PID:7148
- C:\Windows\System32\KPqScUk.exe
  C:\Windows\System32\KPqScUk.exe
  2⤵
  PID:6232
- C:\Windows\System32\kdqnoly.exe
  C:\Windows\System32\kdqnoly.exe
  2⤵
  PID:6436
- C:\Windows\System32\KLfFptp.exe
  C:\Windows\System32\KLfFptp.exe
  2⤵
  PID:6432
- C:\Windows\System32\vhyKJJz.exe
  C:\Windows\System32\vhyKJJz.exe
  2⤵
  PID:6692
- C:\Windows\System32\BfVDLRk.exe
  C:\Windows\System32\BfVDLRk.exe
  2⤵
  PID:6808
- C:\Windows\System32\ZqQpZyP.exe
  C:\Windows\System32\ZqQpZyP.exe
  2⤵
  PID:6960
- C:\Windows\System32\aCiuADd.exe
  C:\Windows\System32\aCiuADd.exe
  2⤵
  PID:6368
- C:\Windows\System32\adRknBh.exe
  C:\Windows\System32\adRknBh.exe
  2⤵
  PID:6660
- C:\Windows\System32\czMVuck.exe
  C:\Windows\System32\czMVuck.exe
  2⤵
  PID:3740
- C:\Windows\System32\IvgmDWr.exe
  C:\Windows\System32\IvgmDWr.exe
  2⤵
  PID:6892
- C:\Windows\System32\SzpockE.exe
  C:\Windows\System32\SzpockE.exe
  2⤵
  PID:7172
- C:\Windows\System32\YoslYHg.exe
  C:\Windows\System32\YoslYHg.exe
  2⤵
  PID:7192
- C:\Windows\System32\ivNavpt.exe
  C:\Windows\System32\ivNavpt.exe
  2⤵
  PID:7212
- C:\Windows\System32\xBseIYN.exe
  C:\Windows\System32\xBseIYN.exe
  2⤵
  PID:7236
- C:\Windows\System32\zzmPJYl.exe
  C:\Windows\System32\zzmPJYl.exe
  2⤵
  PID:7284
- C:\Windows\System32\zbyTAaP.exe
  C:\Windows\System32\zbyTAaP.exe
  2⤵
  PID:7316
- C:\Windows\System32\ntTAvQE.exe
  C:\Windows\System32\ntTAvQE.exe
  2⤵
  PID:7340
- C:\Windows\System32\SRtsFvo.exe
  C:\Windows\System32\SRtsFvo.exe
  2⤵
  PID:7356
- C:\Windows\System32\BbsijmA.exe
  C:\Windows\System32\BbsijmA.exe
  2⤵
  PID:7384
- C:\Windows\System32\RFzYAxr.exe
  C:\Windows\System32\RFzYAxr.exe
  2⤵
  PID:7404
- C:\Windows\System32\QbIzfdd.exe
  C:\Windows\System32\QbIzfdd.exe
  2⤵
  PID:7452
- C:\Windows\System32\YRzJUUv.exe
  C:\Windows\System32\YRzJUUv.exe
  2⤵
  PID:7468
- C:\Windows\System32\vkewPNE.exe
  C:\Windows\System32\vkewPNE.exe
  2⤵
  PID:7516
- C:\Windows\System32\QLIfBTD.exe
  C:\Windows\System32\QLIfBTD.exe
  2⤵
  PID:7536
- C:\Windows\System32\GwDfnTy.exe
  C:\Windows\System32\GwDfnTy.exe
  2⤵
  PID:7568
- C:\Windows\System32\PfgQfqw.exe
  C:\Windows\System32\PfgQfqw.exe
  2⤵
  PID:7596
- C:\Windows\System32\uUiKSBX.exe
  C:\Windows\System32\uUiKSBX.exe
  2⤵
  PID:7616
- C:\Windows\System32\ArCoZph.exe
  C:\Windows\System32\ArCoZph.exe
  2⤵
  PID:7636
- C:\Windows\System32\NlQxAdZ.exe
  C:\Windows\System32\NlQxAdZ.exe
  2⤵
  PID:7664
- C:\Windows\System32\INGKAQC.exe
  C:\Windows\System32\INGKAQC.exe
  2⤵
  PID:7680
- C:\Windows\System32\RfSknZL.exe
  C:\Windows\System32\RfSknZL.exe
  2⤵
  PID:7732
- C:\Windows\System32\myOhngz.exe
  C:\Windows\System32\myOhngz.exe
  2⤵
  PID:7768
- C:\Windows\System32\WMYdaIw.exe
  C:\Windows\System32\WMYdaIw.exe
  2⤵
  PID:7784
- C:\Windows\System32\KISnphW.exe
  C:\Windows\System32\KISnphW.exe
  2⤵
  PID:7812
- C:\Windows\System32\xwTFykJ.exe
  C:\Windows\System32\xwTFykJ.exe
  2⤵
  PID:7848
- C:\Windows\System32\HsUJpAN.exe
  C:\Windows\System32\HsUJpAN.exe
  2⤵
  PID:7876
- C:\Windows\System32\WsLbDQd.exe
  C:\Windows\System32\WsLbDQd.exe
  2⤵
  PID:7904
- C:\Windows\System32\UUexYJA.exe
  C:\Windows\System32\UUexYJA.exe
  2⤵
  PID:7920
- C:\Windows\System32\majvXVg.exe
  C:\Windows\System32\majvXVg.exe
  2⤵
  PID:7944
- C:\Windows\System32\xuxKviq.exe
  C:\Windows\System32\xuxKviq.exe
  2⤵
  PID:7968
- C:\Windows\System32\pBHqLCL.exe
  C:\Windows\System32\pBHqLCL.exe
  2⤵
  PID:7988
- C:\Windows\System32\HEzBibf.exe
  C:\Windows\System32\HEzBibf.exe
  2⤵
  PID:8024
- C:\Windows\System32\yEIuZhq.exe
  C:\Windows\System32\yEIuZhq.exe
  2⤵
  PID:8064
- C:\Windows\System32\GweDMhJ.exe
  C:\Windows\System32\GweDMhJ.exe
  2⤵
  PID:8092
- C:\Windows\System32\SrDbiCz.exe
  C:\Windows\System32\SrDbiCz.exe
  2⤵
  PID:8120
- C:\Windows\System32\hfeMlqJ.exe
  C:\Windows\System32\hfeMlqJ.exe
  2⤵
  PID:8140
- C:\Windows\System32\ddOXaXP.exe
  C:\Windows\System32\ddOXaXP.exe
  2⤵
  PID:8156
- C:\Windows\System32\yAYdIDo.exe
  C:\Windows\System32\yAYdIDo.exe
  2⤵
  PID:7272
- C:\Windows\System32\JqyiQWW.exe
  C:\Windows\System32\JqyiQWW.exe
  2⤵
  PID:7400
- C:\Windows\System32\EICovRC.exe
  C:\Windows\System32\EICovRC.exe
  2⤵
  PID:7480
- C:\Windows\System32\akktGZu.exe
  C:\Windows\System32\akktGZu.exe
  2⤵
  PID:7508
- C:\Windows\System32\nUhjGNj.exe
  C:\Windows\System32\nUhjGNj.exe
  2⤵
  PID:7544
- C:\Windows\System32\toddsjQ.exe
  C:\Windows\System32\toddsjQ.exe
  2⤵
  PID:7588
- C:\Windows\System32\ADkRYjt.exe
  C:\Windows\System32\ADkRYjt.exe
  2⤵
  PID:7608
- C:\Windows\System32\twMKouS.exe
  C:\Windows\System32\twMKouS.exe
  2⤵
  PID:7704
- C:\Windows\System32\WFZjAgp.exe
  C:\Windows\System32\WFZjAgp.exe
  2⤵
  PID:7800
- C:\Windows\System32\IrGcKhA.exe
  C:\Windows\System32\IrGcKhA.exe
  2⤵
  PID:7824
- C:\Windows\System32\pragqRA.exe
  C:\Windows\System32\pragqRA.exe
  2⤵
  PID:7916
- C:\Windows\System32\TCkgQOu.exe
  C:\Windows\System32\TCkgQOu.exe
  2⤵
  PID:7984
- C:\Windows\System32\agpTdsV.exe
  C:\Windows\System32\agpTdsV.exe
  2⤵
  PID:7204
- C:\Windows\System32\yJjulBv.exe
  C:\Windows\System32\yJjulBv.exe
  2⤵
  PID:7660
- C:\Windows\System32\RVzGjrz.exe
  C:\Windows\System32\RVzGjrz.exe
  2⤵
  PID:7220
- C:\Windows\System32\ivkvXtV.exe
  C:\Windows\System32\ivkvXtV.exe
  2⤵
  PID:7268
- C:\Windows\System32\vxGPNPI.exe
  C:\Windows\System32\vxGPNPI.exe
  2⤵
  PID:7352
- C:\Windows\System32\evOFYEP.exe
  C:\Windows\System32\evOFYEP.exe
  2⤵
  PID:7372
- C:\Windows\System32\ZCQYBBU.exe
  C:\Windows\System32\ZCQYBBU.exe
  2⤵
  PID:7444
- C:\Windows\System32\ilpQxXw.exe
  C:\Windows\System32\ilpQxXw.exe
  2⤵
  PID:7628
- C:\Windows\System32\bElMAwm.exe
  C:\Windows\System32\bElMAwm.exe
  2⤵
  PID:7760
- C:\Windows\System32\GIGerwl.exe
  C:\Windows\System32\GIGerwl.exe
  2⤵
  PID:8132
- C:\Windows\System32\LQDSXlU.exe
  C:\Windows\System32\LQDSXlU.exe
  2⤵
  PID:7300
- C:\Windows\System32\enjmedy.exe
  C:\Windows\System32\enjmedy.exe
  2⤵
  PID:6300
- C:\Windows\System32\IjrXAiT.exe
  C:\Windows\System32\IjrXAiT.exe
  2⤵
  PID:7744
- C:\Windows\System32\BlZbDwa.exe
  C:\Windows\System32\BlZbDwa.exe
  2⤵
  PID:7324
- C:\Windows\System32\esZmJWx.exe
  C:\Windows\System32\esZmJWx.exe
  2⤵
  PID:7672
- C:\Windows\System32\FvlhNPU.exe
  C:\Windows\System32\FvlhNPU.exe
  2⤵
  PID:8208
- C:\Windows\System32\rMiBiro.exe
  C:\Windows\System32\rMiBiro.exe
  2⤵
  PID:8244
- C:\Windows\System32\slldcfj.exe
  C:\Windows\System32\slldcfj.exe
  2⤵
  PID:8276
- C:\Windows\System32\lADufMh.exe
  C:\Windows\System32\lADufMh.exe
  2⤵
  PID:8304
- C:\Windows\System32\hVKuARr.exe
  C:\Windows\System32\hVKuARr.exe
  2⤵
  PID:8332
- C:\Windows\System32\IVIRYKI.exe
  C:\Windows\System32\IVIRYKI.exe
  2⤵
  PID:8356
- C:\Windows\System32\mbOjDQW.exe
  C:\Windows\System32\mbOjDQW.exe
  2⤵
  PID:8376
- C:\Windows\System32\mieuJVc.exe
  C:\Windows\System32\mieuJVc.exe
  2⤵
  PID:8404
- C:\Windows\System32\gbwxLle.exe
  C:\Windows\System32\gbwxLle.exe
  2⤵
  PID:8432
- C:\Windows\System32\usXcGwQ.exe
  C:\Windows\System32\usXcGwQ.exe
  2⤵
  PID:8460
- C:\Windows\System32\jGCnSxP.exe
  C:\Windows\System32\jGCnSxP.exe
  2⤵
  PID:8496
- C:\Windows\System32\uZpgTgI.exe
  C:\Windows\System32\uZpgTgI.exe
  2⤵
  PID:8520
- C:\Windows\System32\pbHzPfJ.exe
  C:\Windows\System32\pbHzPfJ.exe
  2⤵
  PID:8544
- C:\Windows\System32\JYwvlSk.exe
  C:\Windows\System32\JYwvlSk.exe
  2⤵
  PID:8564
- C:\Windows\System32\xKeMfWT.exe
  C:\Windows\System32\xKeMfWT.exe
  2⤵
  PID:8580
- C:\Windows\System32\BlBjGtK.exe
  C:\Windows\System32\BlBjGtK.exe
  2⤵
  PID:8604
- C:\Windows\System32\abbtLOL.exe
  C:\Windows\System32\abbtLOL.exe
  2⤵
  PID:8668
- C:\Windows\System32\EncaJUi.exe
  C:\Windows\System32\EncaJUi.exe
  2⤵
  PID:8696
- C:\Windows\System32\wMNLffE.exe
  C:\Windows\System32\wMNLffE.exe
  2⤵
  PID:8720
- C:\Windows\System32\RHJckJP.exe
  C:\Windows\System32\RHJckJP.exe
  2⤵
  PID:8736
- C:\Windows\System32\tfXUxDm.exe
  C:\Windows\System32\tfXUxDm.exe
  2⤵
  PID:8792
- C:\Windows\System32\tiGkpJi.exe
  C:\Windows\System32\tiGkpJi.exe
  2⤵
  PID:8812
- C:\Windows\System32\CmMOfaz.exe
  C:\Windows\System32\CmMOfaz.exe
  2⤵
  PID:8852
- C:\Windows\System32\jufNkfj.exe
  C:\Windows\System32\jufNkfj.exe
  2⤵
  PID:8872
- C:\Windows\System32\qYgKwdw.exe
  C:\Windows\System32\qYgKwdw.exe
  2⤵
  PID:8892
- C:\Windows\System32\VqMukJu.exe
  C:\Windows\System32\VqMukJu.exe
  2⤵
  PID:8928
- C:\Windows\System32\wwQyGDr.exe
  C:\Windows\System32\wwQyGDr.exe
  2⤵
  PID:8956
- C:\Windows\System32\VhaDWRv.exe
  C:\Windows\System32\VhaDWRv.exe
  2⤵
  PID:8976
- C:\Windows\System32\aMHbFUo.exe
  C:\Windows\System32\aMHbFUo.exe
  2⤵
  PID:9008
- C:\Windows\System32\PwdONNU.exe
  C:\Windows\System32\PwdONNU.exe
  2⤵
  PID:9028
- C:\Windows\System32\IyhrsCE.exe
  C:\Windows\System32\IyhrsCE.exe
  2⤵
  PID:9044
- C:\Windows\System32\noNQQru.exe
  C:\Windows\System32\noNQQru.exe
  2⤵
  PID:9104
- C:\Windows\System32\gUtgRZJ.exe
  C:\Windows\System32\gUtgRZJ.exe
  2⤵
  PID:9124
- C:\Windows\System32\WqTFQRC.exe
  C:\Windows\System32\WqTFQRC.exe
  2⤵
  PID:9144
- C:\Windows\System32\cFtXhaU.exe
  C:\Windows\System32\cFtXhaU.exe
  2⤵
  PID:9176
- C:\Windows\System32\tPwtacZ.exe
  C:\Windows\System32\tPwtacZ.exe
  2⤵
  PID:8224
- C:\Windows\System32\JBKZczO.exe
  C:\Windows\System32\JBKZczO.exe
  2⤵
  PID:8252
- C:\Windows\System32\Vozfbrr.exe
  C:\Windows\System32\Vozfbrr.exe
  2⤵
  PID:8272
- C:\Windows\System32\ZOIsSJU.exe
  C:\Windows\System32\ZOIsSJU.exe
  2⤵
  PID:8316
- C:\Windows\System32\kldPkId.exe
  C:\Windows\System32\kldPkId.exe
  2⤵
  PID:8420
- C:\Windows\System32\XCcGIuh.exe
  C:\Windows\System32\XCcGIuh.exe
  2⤵
  PID:8480
- C:\Windows\System32\nDCPYxv.exe
  C:\Windows\System32\nDCPYxv.exe
  2⤵
  PID:8536
- C:\Windows\System32\KKEwxvj.exe
  C:\Windows\System32\KKEwxvj.exe
  2⤵
  PID:8596
- C:\Windows\System32\KrnwLkk.exe
  C:\Windows\System32\KrnwLkk.exe
  2⤵
  PID:8656
- C:\Windows\System32\KYoWQhT.exe
  C:\Windows\System32\KYoWQhT.exe
  2⤵
  PID:8756
- C:\Windows\System32\PyUQBZl.exe
  C:\Windows\System32\PyUQBZl.exe
  2⤵
  PID:8824
- C:\Windows\System32\yVCxiBe.exe
  C:\Windows\System32\yVCxiBe.exe
  2⤵
  PID:8908
- C:\Windows\System32\VMTVkok.exe
  C:\Windows\System32\VMTVkok.exe
  2⤵
  PID:8996
- C:\Windows\System32\OQuzBnV.exe
  C:\Windows\System32\OQuzBnV.exe
  2⤵
  PID:9036
- C:\Windows\System32\zFbvniv.exe
  C:\Windows\System32\zFbvniv.exe
  2⤵
  PID:9076
- C:\Windows\System32\pUWyBFU.exe
  C:\Windows\System32\pUWyBFU.exe
  2⤵
  PID:9136
- C:\Windows\System32\bViWpHc.exe
  C:\Windows\System32\bViWpHc.exe
  2⤵
  PID:9164
- C:\Windows\System32\bmFKrjG.exe
  C:\Windows\System32\bmFKrjG.exe
  2⤵
  PID:8264
- C:\Windows\System32\kghlSMc.exe
  C:\Windows\System32\kghlSMc.exe
  2⤵
  PID:8428
- C:\Windows\System32\fHFwkoL.exe
  C:\Windows\System32\fHFwkoL.exe
  2⤵
  PID:8532
- C:\Windows\System32\ScQychg.exe
  C:\Windows\System32\ScQychg.exe
  2⤵
  PID:8560
- C:\Windows\System32\sLhflWn.exe
  C:\Windows\System32\sLhflWn.exe
  2⤵
  PID:8948
- C:\Windows\System32\rmCdbJN.exe
  C:\Windows\System32\rmCdbJN.exe
  2⤵
  PID:9096
- C:\Windows\System32\SbwXtaU.exe
  C:\Windows\System32\SbwXtaU.exe
  2⤵
  PID:9212
- C:\Windows\System32\TQkEtpS.exe
  C:\Windows\System32\TQkEtpS.exe
  2⤵
  PID:8556
- C:\Windows\System32\LuRUlyl.exe
  C:\Windows\System32\LuRUlyl.exe
  2⤵
  PID:8864
- C:\Windows\System32\idGkLzo.exe
  C:\Windows\System32\idGkLzo.exe
  2⤵
  PID:9188
- C:\Windows\System32\jiUAsJk.exe
  C:\Windows\System32\jiUAsJk.exe
  2⤵
  PID:8968
- C:\Windows\System32\cnbIqea.exe
  C:\Windows\System32\cnbIqea.exe
  2⤵
  PID:9252
- C:\Windows\System32\DygnkDp.exe
  C:\Windows\System32\DygnkDp.exe
  2⤵
  PID:9276
- C:\Windows\System32\XQWRJlF.exe
  C:\Windows\System32\XQWRJlF.exe
  2⤵
  PID:9308
- C:\Windows\System32\egmxgdD.exe
  C:\Windows\System32\egmxgdD.exe
  2⤵
  PID:9336
- C:\Windows\System32\mlhOFxW.exe
  C:\Windows\System32\mlhOFxW.exe
  2⤵
  PID:9376
- C:\Windows\System32\iwLEtNj.exe
  C:\Windows\System32\iwLEtNj.exe
  2⤵
  PID:9396
- C:\Windows\System32\gvvVZak.exe
  C:\Windows\System32\gvvVZak.exe
  2⤵
  PID:9424
- C:\Windows\System32\jJkPzVx.exe
  C:\Windows\System32\jJkPzVx.exe
  2⤵
  PID:9448
- C:\Windows\System32\GcsaEyS.exe
  C:\Windows\System32\GcsaEyS.exe
  2⤵
  PID:9476
- C:\Windows\System32\SbbsLws.exe
  C:\Windows\System32\SbbsLws.exe
  2⤵
  PID:9504
- C:\Windows\System32\iLGNIkG.exe
  C:\Windows\System32\iLGNIkG.exe
  2⤵
  PID:9544
- C:\Windows\System32\RrWRWcA.exe
  C:\Windows\System32\RrWRWcA.exe
  2⤵
  PID:9572
- C:\Windows\System32\vpSLZGS.exe
  C:\Windows\System32\vpSLZGS.exe
  2⤵
  PID:9596
- C:\Windows\System32\CDFNcTJ.exe
  C:\Windows\System32\CDFNcTJ.exe
  2⤵
  PID:9616
- C:\Windows\System32\WSECDUo.exe
  C:\Windows\System32\WSECDUo.exe
  2⤵
  PID:9652
- C:\Windows\System32\VgHknCT.exe
  C:\Windows\System32\VgHknCT.exe
  2⤵
  PID:9672
- C:\Windows\System32\LcODTnq.exe
  C:\Windows\System32\LcODTnq.exe
  2⤵
  PID:9696
- C:\Windows\System32\bhCcEHU.exe
  C:\Windows\System32\bhCcEHU.exe
  2⤵
  PID:9720
- C:\Windows\System32\aWtIFJw.exe
  C:\Windows\System32\aWtIFJw.exe
  2⤵
  PID:9740
- C:\Windows\System32\KdyLIpx.exe
  C:\Windows\System32\KdyLIpx.exe
  2⤵
  PID:9756
- C:\Windows\System32\ngASZcQ.exe
  C:\Windows\System32\ngASZcQ.exe
  2⤵
  PID:9780
- C:\Windows\System32\MEpyJEs.exe
  C:\Windows\System32\MEpyJEs.exe
  2⤵
  PID:9796
- C:\Windows\System32\UPmFtCv.exe
  C:\Windows\System32\UPmFtCv.exe
  2⤵
  PID:9864
- C:\Windows\System32\MbujJJr.exe
  C:\Windows\System32\MbujJJr.exe
  2⤵
  PID:9900
- C:\Windows\System32\zxtkXEy.exe
  C:\Windows\System32\zxtkXEy.exe
  2⤵
  PID:9920
- C:\Windows\System32\JPbjKrA.exe
  C:\Windows\System32\JPbjKrA.exe
  2⤵
  PID:9944
- C:\Windows\System32\RHGYWyE.exe
  C:\Windows\System32\RHGYWyE.exe
  2⤵
  PID:9988
- C:\Windows\System32\bpXaLMf.exe
  C:\Windows\System32\bpXaLMf.exe
  2⤵
  PID:10012
- C:\Windows\System32\cdYZvyv.exe
  C:\Windows\System32\cdYZvyv.exe
  2⤵
  PID:10040
- C:\Windows\System32\vDneOKu.exe
  C:\Windows\System32\vDneOKu.exe
  2⤵
  PID:10064
- C:\Windows\System32\dXqpdfI.exe
  C:\Windows\System32\dXqpdfI.exe
  2⤵
  PID:10084
- C:\Windows\System32\OvmddQw.exe
  C:\Windows\System32\OvmddQw.exe
  2⤵
  PID:10124
- C:\Windows\System32\zRklHql.exe
  C:\Windows\System32\zRklHql.exe
  2⤵
  PID:10164
- C:\Windows\System32\YnWOISQ.exe
  C:\Windows\System32\YnWOISQ.exe
  2⤵
  PID:10192
- C:\Windows\System32\vjXbshL.exe
  C:\Windows\System32\vjXbshL.exe
  2⤵
  PID:10212
- C:\Windows\System32\JZUUVxo.exe
  C:\Windows\System32\JZUUVxo.exe
  2⤵
  PID:9024
- C:\Windows\System32\ryNYSDS.exe
  C:\Windows\System32\ryNYSDS.exe
  2⤵
  PID:9264
- C:\Windows\System32\IDDWkzE.exe
  C:\Windows\System32\IDDWkzE.exe
  2⤵
  PID:9300
- C:\Windows\System32\jKqWXec.exe
  C:\Windows\System32\jKqWXec.exe
  2⤵
  PID:9372
- C:\Windows\System32\nptxDYc.exe
  C:\Windows\System32\nptxDYc.exe
  2⤵
  PID:9492
- C:\Windows\System32\jzVscfP.exe
  C:\Windows\System32\jzVscfP.exe
  2⤵
  PID:9536
- C:\Windows\System32\ZbObKck.exe
  C:\Windows\System32\ZbObKck.exe
  2⤵
  PID:9664
- C:\Windows\System32\laykxGP.exe
  C:\Windows\System32\laykxGP.exe
  2⤵
  PID:9660
- C:\Windows\System32\mmPZIVC.exe
  C:\Windows\System32\mmPZIVC.exe
  2⤵
  PID:9772
- C:\Windows\System32\Zqpndip.exe
  C:\Windows\System32\Zqpndip.exe
  2⤵
  PID:9792
- C:\Windows\System32\LUMBmPi.exe
  C:\Windows\System32\LUMBmPi.exe
  2⤵
  PID:9896
- C:\Windows\System32\PhecIgA.exe
  C:\Windows\System32\PhecIgA.exe
  2⤵
  PID:9932
- C:\Windows\System32\CKcaqdt.exe
  C:\Windows\System32\CKcaqdt.exe
  2⤵
  PID:9960
- C:\Windows\System32\JllBXRW.exe
  C:\Windows\System32\JllBXRW.exe
  2⤵
  PID:10036
- C:\Windows\System32\yCySpxQ.exe
  C:\Windows\System32\yCySpxQ.exe
  2⤵
  PID:10080
- C:\Windows\System32\FqDzxVd.exe
  C:\Windows\System32\FqDzxVd.exe
  2⤵
  PID:10152
- C:\Windows\System32\PZRXjAt.exe
  C:\Windows\System32\PZRXjAt.exe
  2⤵
  PID:10188
- C:\Windows\System32\iMXeMNa.exe
  C:\Windows\System32\iMXeMNa.exe
  2⤵
  PID:10228
- C:\Windows\System32\MlfXyLd.exe
  C:\Windows\System32\MlfXyLd.exe
  2⤵
  PID:9608
- C:\Windows\System32\UnuwRED.exe
  C:\Windows\System32\UnuwRED.exe
  2⤵
  PID:9804
- C:\Windows\System32\meOPTmj.exe
  C:\Windows\System32\meOPTmj.exe
  2⤵
  PID:9876
- C:\Windows\System32\SoADJHS.exe
  C:\Windows\System32\SoADJHS.exe
  2⤵
  PID:10104
- C:\Windows\System32\UEDfxHr.exe
  C:\Windows\System32\UEDfxHr.exe
  2⤵
  PID:10008
- C:\Windows\System32\OnpmFsC.exe
  C:\Windows\System32\OnpmFsC.exe
  2⤵
  PID:10224
- C:\Windows\System32\aqvKscC.exe
  C:\Windows\System32\aqvKscC.exe
  2⤵
  PID:9612
- C:\Windows\System32\FkLSSPU.exe
  C:\Windows\System32\FkLSSPU.exe
  2⤵
  PID:10204
- C:\Windows\System32\fdgQvNT.exe
  C:\Windows\System32\fdgQvNT.exe
  2⤵
  PID:9584
- C:\Windows\System32\TxFcrPM.exe
  C:\Windows\System32\TxFcrPM.exe
  2⤵
  PID:10076
- C:\Windows\System32\LlaepHo.exe
  C:\Windows\System32\LlaepHo.exe
  2⤵
  PID:10264
- C:\Windows\System32\xDqMwIm.exe
  C:\Windows\System32\xDqMwIm.exe
  2⤵
  PID:10288
- C:\Windows\System32\elONQxO.exe
  C:\Windows\System32\elONQxO.exe
  2⤵
  PID:10308
- C:\Windows\System32\hqBNDIK.exe
  C:\Windows\System32\hqBNDIK.exe
  2⤵
  PID:10336
- C:\Windows\System32\fcoUxSK.exe
  C:\Windows\System32\fcoUxSK.exe
  2⤵
  PID:10356
- C:\Windows\System32\UuVSUnb.exe
  C:\Windows\System32\UuVSUnb.exe
  2⤵
  PID:10372
- C:\Windows\System32\ncEHIhS.exe
  C:\Windows\System32\ncEHIhS.exe
  2⤵
  PID:10412
- C:\Windows\System32\NLvQxBC.exe
  C:\Windows\System32\NLvQxBC.exe
  2⤵
  PID:10448
- C:\Windows\System32\xpIaOfY.exe
  C:\Windows\System32\xpIaOfY.exe
  2⤵
  PID:10492
- C:\Windows\System32\diGQonz.exe
  C:\Windows\System32\diGQonz.exe
  2⤵
  PID:10508
- C:\Windows\System32\BVwwexH.exe
  C:\Windows\System32\BVwwexH.exe
  2⤵
  PID:10532
- C:\Windows\System32\CEnxNyQ.exe
  C:\Windows\System32\CEnxNyQ.exe
  2⤵
  PID:10560
- C:\Windows\System32\rlJcIGc.exe
  C:\Windows\System32\rlJcIGc.exe
  2⤵
  PID:10588
- C:\Windows\System32\FrlFvxo.exe
  C:\Windows\System32\FrlFvxo.exe
  2⤵
  PID:10640
- C:\Windows\System32\XMsBOfc.exe
  C:\Windows\System32\XMsBOfc.exe
  2⤵
  PID:10660
- C:\Windows\System32\KVSbrti.exe
  C:\Windows\System32\KVSbrti.exe
  2⤵
  PID:10688
- C:\Windows\System32\gEWFTfB.exe
  C:\Windows\System32\gEWFTfB.exe
  2⤵
  PID:10716
- C:\Windows\System32\EEMWtAa.exe
  C:\Windows\System32\EEMWtAa.exe
  2⤵
  PID:10752
- C:\Windows\System32\TnbHUGJ.exe
  C:\Windows\System32\TnbHUGJ.exe
  2⤵
  PID:10800
- C:\Windows\System32\dZsDJKi.exe
  C:\Windows\System32\dZsDJKi.exe
  2⤵
  PID:10820
- C:\Windows\System32\UqsJWBw.exe
  C:\Windows\System32\UqsJWBw.exe
  2⤵
  PID:10848
- C:\Windows\System32\bJAEVFD.exe
  C:\Windows\System32\bJAEVFD.exe
  2⤵
  PID:10864
- C:\Windows\System32\vGcKqct.exe
  C:\Windows\System32\vGcKqct.exe
  2⤵
  PID:10892
- C:\Windows\System32\udSATlv.exe
  C:\Windows\System32\udSATlv.exe
  2⤵
  PID:10912
- C:\Windows\System32\UbOFKJY.exe
  C:\Windows\System32\UbOFKJY.exe
  2⤵
  PID:10972
- C:\Windows\System32\TdLqBIo.exe
  C:\Windows\System32\TdLqBIo.exe
  2⤵
  PID:10988
- C:\Windows\System32\pOlBbSd.exe
  C:\Windows\System32\pOlBbSd.exe
  2⤵
  PID:11004
- C:\Windows\System32\SwTBcRG.exe
  C:\Windows\System32\SwTBcRG.exe
  2⤵
  PID:11028
- C:\Windows\System32\sDGUZdv.exe
  C:\Windows\System32\sDGUZdv.exe
  2⤵
  PID:11060
- C:\Windows\System32\QEBnscM.exe
  C:\Windows\System32\QEBnscM.exe
  2⤵
  PID:11088
- C:\Windows\System32\eEMAYMH.exe
  C:\Windows\System32\eEMAYMH.exe
  2⤵
  PID:11104
- C:\Windows\System32\egvFitX.exe
  C:\Windows\System32\egvFitX.exe
  2⤵
  PID:11136
- C:\Windows\System32\QSBzhiW.exe
  C:\Windows\System32\QSBzhiW.exe
  2⤵
  PID:11160
- C:\Windows\System32\WsbYgkO.exe
  C:\Windows\System32\WsbYgkO.exe
  2⤵
  PID:11224
- C:\Windows\System32\qNtMDIn.exe
  C:\Windows\System32\qNtMDIn.exe
  2⤵
  PID:11240
- C:\Windows\System32\GrRysnE.exe
  C:\Windows\System32\GrRysnE.exe
  2⤵
  PID:11260
- C:\Windows\System32\SlMIbcm.exe
  C:\Windows\System32\SlMIbcm.exe
  2⤵
  PID:10252
- C:\Windows\System32\apUqSHY.exe
  C:\Windows\System32\apUqSHY.exe
  2⤵
  PID:10320
- C:\Windows\System32\DKNUNeY.exe
  C:\Windows\System32\DKNUNeY.exe
  2⤵
  PID:10420
- C:\Windows\System32\JUyzxlT.exe
  C:\Windows\System32\JUyzxlT.exe
  2⤵
  PID:10500
- C:\Windows\System32\qTQSopT.exe
  C:\Windows\System32\qTQSopT.exe
  2⤵
  PID:10544
- C:\Windows\System32\uCdHQdg.exe
  C:\Windows\System32\uCdHQdg.exe
  2⤵
  PID:10504
- C:\Windows\System32\hzXdMLr.exe
  C:\Windows\System32\hzXdMLr.exe
  2⤵
  PID:10620
- C:\Windows\System32\JrhkWYH.exe
  C:\Windows\System32\JrhkWYH.exe
  2⤵
  PID:10600
- C:\Windows\System32\VeoMxTm.exe
  C:\Windows\System32\VeoMxTm.exe
  2⤵
  PID:10704
- C:\Windows\System32\msNGPhp.exe
  C:\Windows\System32\msNGPhp.exe
  2⤵
  PID:10788
- C:\Windows\System32\YeJNxUo.exe
  C:\Windows\System32\YeJNxUo.exe
  2⤵
  PID:10908
- C:\Windows\System32\MESClXF.exe
  C:\Windows\System32\MESClXF.exe
  2⤵
  PID:10996
- C:\Windows\System32\HKNKdjt.exe
  C:\Windows\System32\HKNKdjt.exe
  2⤵
  PID:11072
- C:\Windows\System32\koHSFqm.exe
  C:\Windows\System32\koHSFqm.exe
  2⤵
  PID:11148
- C:\Windows\System32\xfVNVRw.exe
  C:\Windows\System32\xfVNVRw.exe
  2⤵
  PID:11212
- C:\Windows\System32\tSqvyEo.exe
  C:\Windows\System32\tSqvyEo.exe
  2⤵
  PID:10256
- C:\Windows\System32\FXBiGGo.exe
  C:\Windows\System32\FXBiGGo.exe
  2⤵
  PID:10316
- C:\Windows\System32\nKzWOXt.exe
  C:\Windows\System32\nKzWOXt.exe
  2⤵
  PID:10596
- C:\Windows\System32\ZqWrZHn.exe
  C:\Windows\System32\ZqWrZHn.exe
  2⤵
  PID:10672
- C:\Windows\System32\Ugzuirk.exe
  C:\Windows\System32\Ugzuirk.exe
  2⤵
  PID:10764
- C:\Windows\System32\jrqfSlo.exe
  C:\Windows\System32\jrqfSlo.exe
  2⤵
  PID:10980
- C:\Windows\System32\OIkKnFz.exe
  C:\Windows\System32\OIkKnFz.exe
  2⤵
  PID:11112
- C:\Windows\System32\BoNWIEw.exe
  C:\Windows\System32\BoNWIEw.exe
  2⤵
  PID:10352
- C:\Windows\System32\KHUMXnu.exe
  C:\Windows\System32\KHUMXnu.exe
  2⤵
  PID:10572
- C:\Windows\System32\KXTENMa.exe
  C:\Windows\System32\KXTENMa.exe
  2⤵
  PID:11036
- C:\Windows\System32\YPdIOhT.exe
  C:\Windows\System32\YPdIOhT.exe
  2⤵
  PID:10484
- C:\Windows\System32\CKvuCEH.exe
  C:\Windows\System32\CKvuCEH.exe
  2⤵
  PID:9928
- C:\Windows\System32\hmkZNFG.exe
  C:\Windows\System32\hmkZNFG.exe
  2⤵
  PID:11288
- C:\Windows\System32\lUjshaH.exe
  C:\Windows\System32\lUjshaH.exe
  2⤵
  PID:11304
- C:\Windows\System32\iAaKcVU.exe
  C:\Windows\System32\iAaKcVU.exe
  2⤵
  PID:11336
- C:\Windows\System32\CfDszjw.exe
  C:\Windows\System32\CfDszjw.exe
  2⤵
  PID:11376
- C:\Windows\System32\FUmVwdM.exe
  C:\Windows\System32\FUmVwdM.exe
  2⤵
  PID:11404
- C:\Windows\System32\ghytruY.exe
  C:\Windows\System32\ghytruY.exe
  2⤵
  PID:11420
- C:\Windows\System32\QSkuutl.exe
  C:\Windows\System32\QSkuutl.exe
  2⤵
  PID:11440
- C:\Windows\System32\IRGhooI.exe
  C:\Windows\System32\IRGhooI.exe
  2⤵
  PID:11472
- C:\Windows\System32\xsDolPj.exe
  C:\Windows\System32\xsDolPj.exe
  2⤵
  PID:11496
- C:\Windows\System32\BlSGxmh.exe
  C:\Windows\System32\BlSGxmh.exe
  2⤵
  PID:11552
- C:\Windows\System32\EywoNWX.exe
  C:\Windows\System32\EywoNWX.exe
  2⤵
  PID:11584
- C:\Windows\System32\xDMPyDz.exe
  C:\Windows\System32\xDMPyDz.exe
  2⤵
  PID:11608
- C:\Windows\System32\FlLOVcn.exe
  C:\Windows\System32\FlLOVcn.exe
  2⤵
  PID:11628
- C:\Windows\System32\JgSWPLy.exe
  C:\Windows\System32\JgSWPLy.exe
  2⤵
  PID:11672
- C:\Windows\System32\IdvoJgf.exe
  C:\Windows\System32\IdvoJgf.exe
  2⤵
  PID:11704
- C:\Windows\System32\HSXmjKV.exe
  C:\Windows\System32\HSXmjKV.exe
  2⤵
  PID:11728
- C:\Windows\System32\Xdvakmf.exe
  C:\Windows\System32\Xdvakmf.exe
  2⤵
  PID:11752
- C:\Windows\System32\rMQuGSn.exe
  C:\Windows\System32\rMQuGSn.exe
  2⤵
  PID:11768
- C:\Windows\System32\ROqThgA.exe
  C:\Windows\System32\ROqThgA.exe
  2⤵
  PID:11812
- C:\Windows\System32\EzDWoaw.exe
  C:\Windows\System32\EzDWoaw.exe
  2⤵
  PID:11828
- C:\Windows\System32\eGGBQky.exe
  C:\Windows\System32\eGGBQky.exe
  2⤵
  PID:11848
- C:\Windows\System32\WMKmytG.exe
  C:\Windows\System32\WMKmytG.exe
  2⤵
  PID:11872
- C:\Windows\System32\xFYrRad.exe
  C:\Windows\System32\xFYrRad.exe
  2⤵
  PID:11908
- C:\Windows\System32\ySzZAso.exe
  C:\Windows\System32\ySzZAso.exe
  2⤵
  PID:11944
- C:\Windows\System32\sMLtmcR.exe
  C:\Windows\System32\sMLtmcR.exe
  2⤵
  PID:11964
- C:\Windows\System32\qvuGDaJ.exe
  C:\Windows\System32\qvuGDaJ.exe
  2⤵
  PID:12008
- C:\Windows\System32\LmaGgzE.exe
  C:\Windows\System32\LmaGgzE.exe
  2⤵
  PID:12044
- C:\Windows\System32\PTmuMOy.exe
  C:\Windows\System32\PTmuMOy.exe
  2⤵
  PID:12072
- C:\Windows\System32\hsrzdNF.exe
  C:\Windows\System32\hsrzdNF.exe
  2⤵
  PID:12100
- C:\Windows\System32\WmNBNxE.exe
  C:\Windows\System32\WmNBNxE.exe
  2⤵
  PID:12116
- C:\Windows\System32\rrAZAHJ.exe
  C:\Windows\System32\rrAZAHJ.exe
  2⤵
  PID:12148
- C:\Windows\System32\SVFHIMr.exe
  C:\Windows\System32\SVFHIMr.exe
  2⤵
  PID:12200
- C:\Windows\System32\zNhwZNV.exe
  C:\Windows\System32\zNhwZNV.exe
  2⤵
  PID:12220
- C:\Windows\System32\FJnBRqY.exe
  C:\Windows\System32\FJnBRqY.exe
  2⤵
  PID:12240
- C:\Windows\System32\lzGqvVt.exe
  C:\Windows\System32\lzGqvVt.exe
  2⤵
  PID:12268
- C:\Windows\System32\yOvjyzs.exe
  C:\Windows\System32\yOvjyzs.exe
  2⤵
  PID:11144
- C:\Windows\System32\uudUHWH.exe
  C:\Windows\System32\uudUHWH.exe
  2⤵
  PID:11332
- C:\Windows\System32\nLxaapX.exe
  C:\Windows\System32\nLxaapX.exe
  2⤵
  PID:11416
- C:\Windows\System32\XWqUyFe.exe
  C:\Windows\System32\XWqUyFe.exe
  2⤵
  PID:11436
- C:\Windows\System32\KZrdtdn.exe
  C:\Windows\System32\KZrdtdn.exe
  2⤵
  PID:11508
- C:\Windows\System32\DXmHdqh.exe
  C:\Windows\System32\DXmHdqh.exe
  2⤵
  PID:11516
- C:\Windows\System32\KIiwJKI.exe
  C:\Windows\System32\KIiwJKI.exe
  2⤵
  PID:11600
- C:\Windows\System32\tLekXeP.exe
  C:\Windows\System32\tLekXeP.exe
  2⤵
  PID:11692
- C:\Windows\System32\KyiShgD.exe
  C:\Windows\System32\KyiShgD.exe
  2⤵
  PID:11760
- C:\Windows\System32\CjSdufc.exe
  C:\Windows\System32\CjSdufc.exe
  2⤵
  PID:11860
- C:\Windows\System32\RcMlLjm.exe
  C:\Windows\System32\RcMlLjm.exe
  2⤵
  PID:11892
- C:\Windows\System32\YhNxkCj.exe
  C:\Windows\System32\YhNxkCj.exe
  2⤵
  PID:11960
- C:\Windows\System32\EgTwiIo.exe
  C:\Windows\System32\EgTwiIo.exe
  2⤵
  PID:12004
- C:\Windows\System32\XJKWnVC.exe
  C:\Windows\System32\XJKWnVC.exe
  2⤵
  PID:12024
- C:\Windows\System32\WxcbUeJ.exe
  C:\Windows\System32\WxcbUeJ.exe
  2⤵
  PID:12088
- C:\Windows\System32\vwSKQKW.exe
  C:\Windows\System32\vwSKQKW.exe
  2⤵
  PID:12216
- C:\Windows\System32\ATuMRpN.exe
  C:\Windows\System32\ATuMRpN.exe
  2⤵
  PID:11312
- C:\Windows\System32\vxDwbpD.exe
  C:\Windows\System32\vxDwbpD.exe
  2⤵
  PID:11356
- C:\Windows\System32\fmiAzXN.exe
  C:\Windows\System32\fmiAzXN.exe
  2⤵
  PID:11480
- C:\Windows\System32\BoKevjM.exe
  C:\Windows\System32\BoKevjM.exe
  2⤵
  PID:11684
- C:\Windows\System32\eApgveA.exe
  C:\Windows\System32\eApgveA.exe
  2⤵
  PID:11800
- C:\Windows\System32\QZMnolI.exe
  C:\Windows\System32\QZMnolI.exe
  2⤵
  PID:11976
- C:\Windows\System32\hUZHcRK.exe
  C:\Windows\System32\hUZHcRK.exe
  2⤵
  PID:1628
- C:\Windows\System32\yyNPvGr.exe
  C:\Windows\System32\yyNPvGr.exe
  2⤵
  PID:12264
- C:\Windows\System32\LPxhvbl.exe
  C:\Windows\System32\LPxhvbl.exe
  2⤵
  PID:11432
- C:\Windows\System32\UiZioPI.exe
  C:\Windows\System32\UiZioPI.exe
  2⤵
  PID:11836
- C:\Windows\System32\pVizUvt.exe
  C:\Windows\System32\pVizUvt.exe
  2⤵
  PID:11744
- C:\Windows\System32\dhaWDpX.exe
  C:\Windows\System32\dhaWDpX.exe
  2⤵
  PID:11580
- C:\Windows\System32\ZcDCyuz.exe
  C:\Windows\System32\ZcDCyuz.exe
  2⤵
  PID:11724
- C:\Windows\System32\ZUlVFTT.exe
  C:\Windows\System32\ZUlVFTT.exe
  2⤵
  PID:12112
- C:\Windows\System32\oOKmNGU.exe
  C:\Windows\System32\oOKmNGU.exe
  2⤵
  PID:12320
- C:\Windows\System32\bmGPdKh.exe
  C:\Windows\System32\bmGPdKh.exe
  2⤵
  PID:12340
- C:\Windows\System32\VvWmZzP.exe
  C:\Windows\System32\VvWmZzP.exe
  2⤵
  PID:12356
- C:\Windows\System32\ixGSlWj.exe
  C:\Windows\System32\ixGSlWj.exe
  2⤵
  PID:12392
- C:\Windows\System32\ArlETBQ.exe
  C:\Windows\System32\ArlETBQ.exe
  2⤵
  PID:12460
- C:\Windows\System32\iNNvLBr.exe
  C:\Windows\System32\iNNvLBr.exe
  2⤵
  PID:12476
- C:\Windows\System32\cvQxqZs.exe
  C:\Windows\System32\cvQxqZs.exe
  2⤵
  PID:12492
- C:\Windows\System32\EmfXUsu.exe
  C:\Windows\System32\EmfXUsu.exe
  2⤵
  PID:12512
- C:\Windows\System32\CgfhbaB.exe
  C:\Windows\System32\CgfhbaB.exe
  2⤵
  PID:12540
- C:\Windows\System32\izkbJtG.exe
  C:\Windows\System32\izkbJtG.exe
  2⤵
  PID:12572
- C:\Windows\System32\HInrYmc.exe
  C:\Windows\System32\HInrYmc.exe
  2⤵
  PID:12616
- C:\Windows\System32\xNOKSED.exe
  C:\Windows\System32\xNOKSED.exe
  2⤵
  PID:12656
- C:\Windows\System32\qgPLMfn.exe
  C:\Windows\System32\qgPLMfn.exe
  2⤵
  PID:12672
- C:\Windows\System32\CdnLaFX.exe
  C:\Windows\System32\CdnLaFX.exe
  2⤵
  PID:12688
- C:\Windows\System32\nxjSxMx.exe
  C:\Windows\System32\nxjSxMx.exe
  2⤵
  PID:12716
- C:\Windows\System32\yHufPWi.exe
  C:\Windows\System32\yHufPWi.exe
  2⤵
  PID:12760
- C:\Windows\System32\NjFzwRR.exe
  C:\Windows\System32\NjFzwRR.exe
  2⤵
  PID:12788
- C:\Windows\System32\yEiSrzE.exe
  C:\Windows\System32\yEiSrzE.exe
  2⤵
  PID:12816
- C:\Windows\System32\uzqNUbi.exe
  C:\Windows\System32\uzqNUbi.exe
  2⤵
  PID:12832
- C:\Windows\System32\lfjHHAV.exe
  C:\Windows\System32\lfjHHAV.exe
  2⤵
  PID:12864
- C:\Windows\System32\rAlhggP.exe
  C:\Windows\System32\rAlhggP.exe
  2⤵
  PID:12888
- C:\Windows\System32\QbOBwId.exe
  C:\Windows\System32\QbOBwId.exe
  2⤵
  PID:12916
- C:\Windows\System32\MmWRBWe.exe
  C:\Windows\System32\MmWRBWe.exe
  2⤵
  PID:12932
- C:\Windows\System32\loVoTyC.exe
  C:\Windows\System32\loVoTyC.exe
  2⤵
  PID:12960
- C:\Windows\System32\JVYgbdL.exe
  C:\Windows\System32\JVYgbdL.exe
  2⤵
  PID:13004
- C:\Windows\System32\CFWAFSr.exe
  C:\Windows\System32\CFWAFSr.exe
  2⤵
  PID:13020
- C:\Windows\System32\OMlsNTv.exe
  C:\Windows\System32\OMlsNTv.exe
  2⤵
  PID:13040
- C:\Windows\System32\CeZVvel.exe
  C:\Windows\System32\CeZVvel.exe
  2⤵
  PID:13084
- C:\Windows\System32\THSYPEF.exe
  C:\Windows\System32\THSYPEF.exe
  2⤵
  PID:13104
- C:\Windows\System32\iUWDpLf.exe
  C:\Windows\System32\iUWDpLf.exe
  2⤵
  PID:13152
- C:\Windows\System32\VQvMlwy.exe
  C:\Windows\System32\VQvMlwy.exe
  2⤵
  PID:13172
- C:\Windows\System32\ggPNtUt.exe
  C:\Windows\System32\ggPNtUt.exe
  2⤵
  PID:13196
- C:\Windows\System32\veQLkXX.exe
  C:\Windows\System32\veQLkXX.exe
  2⤵
  PID:13236
- C:\Windows\System32\wMbZLRL.exe
  C:\Windows\System32\wMbZLRL.exe
  2⤵
  PID:13264
- C:\Windows\System32\nbXFZjh.exe
  C:\Windows\System32\nbXFZjh.exe
  2⤵
  PID:13280
- C:\Windows\System32\EEVaWNG.exe
  C:\Windows\System32\EEVaWNG.exe
  2⤵
  PID:13300
- C:\Windows\System32\DGeLDmP.exe
  C:\Windows\System32\DGeLDmP.exe
  2⤵
  PID:12292
- C:\Windows\System32\OffWtbA.exe
  C:\Windows\System32\OffWtbA.exe
  2⤵
  PID:12336
- C:\Windows\System32\gGCkhad.exe
  C:\Windows\System32\gGCkhad.exe
  2⤵
  PID:12376
- C:\Windows\System32\cAzlyna.exe
  C:\Windows\System32\cAzlyna.exe
  2⤵
  PID:12448
- C:\Windows\System32\dILmRZJ.exe
  C:\Windows\System32\dILmRZJ.exe
  2⤵
  PID:12532
- C:\Windows\System32\TUcwnXR.exe
  C:\Windows\System32\TUcwnXR.exe
  2⤵
  PID:12612
- C:\Windows\System32\QQtFRgn.exe
  C:\Windows\System32\QQtFRgn.exe
  2⤵
  PID:12776
- C:\Windows\System32\PrvJXbo.exe
  C:\Windows\System32\PrvJXbo.exe
  2⤵
  PID:12812
- C:\Windows\System32\OsjAiLu.exe
  C:\Windows\System32\OsjAiLu.exe
  2⤵
  PID:12904
- C:\Windows\System32\uJWssxf.exe
  C:\Windows\System32\uJWssxf.exe
  2⤵
  PID:12880
- C:\Windows\System32\AJuNEVt.exe
  C:\Windows\System32\AJuNEVt.exe
  2⤵
  PID:13148
- C:\Windows\System32\AnPEgTO.exe
  C:\Windows\System32\AnPEgTO.exe
  2⤵
  PID:13168

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BGURVFH.exe

Filesize
1.4MB

MD5
b9bdaf42a0fd5b19010c81def455634d

SHA1
60a53606b9bdab73d4a6017c50cad5ae9721c86b

SHA256
ee880eb93d3572e185c365f36c4e6879e8f80877f0095609bdc0f558c12a11f8

SHA512
02004ec190690eabc1d4ae5761eabaf60649d081e057c2afd1ae4fd9e355f7b8aa824e559d359f7effd9aa46f332a70b9f1864a75d08ba1b590544b74d9220f6

Download Submit
C:\Windows\System32\BcpLIJQ.exe

Filesize
1.4MB

MD5
4d7be33f471dc1c6fd92c6cd1cf8030c

SHA1
0901bb04bed267c7527484721f65feaec4f31854

SHA256
4658acc451185e3954cdc7c6d2c9a39fefc56eb5a47dd0224b0d2635851aaded

SHA512
5b9c4e7cdb3fc3638cc2e6783bb4ed863390b862984f5437d20b76e907a389b581bf0846af9003b6c4ec6785b0fa75d63187cbb17c999da7991896141e768b93

Download Submit
C:\Windows\System32\DcVXGmy.exe

Filesize
1.4MB

MD5
50477a72c3a05832e17cc171cb0c6fbb

SHA1
3757fa7832552e16119ae5753e918a9f8af1a98a

SHA256
e975b4abcc3b68a5c4aab83981dc863d4032203373cc6131c25ec2482bf2e0b6

SHA512
67e0dac3b324c4695fdefcd4774bc74510fdd3174d73ce3c0cfb57f07ef3410fa624075454166f78c98c855b6e5175ae91214a53a4f10dce4dce079e799f5685

Download Submit
C:\Windows\System32\EImsRmy.exe

Filesize
1.4MB

MD5
60d606d03f9b4143d6e003942171d536

SHA1
063804d2b4409326cf75fffab5d2b2fd68ba1e50

SHA256
63d88c9438ec67f932a58387835656d15c316453fbef68a1b368d7ca9ac79a7d

SHA512
78647476d4cb39912edb7df8b0be5bf5e1c0ac7bb81dad323dec9b25ca44e8d023e7237f3aaca254a97b9752b2525eed90a630d78cd8c9175e58fa035cc2496f

Download Submit
C:\Windows\System32\FOICADG.exe

Filesize
1.4MB

MD5
49badf260e0df40b97effe6feb090e9f

SHA1
5a765ed3aba00f3aca4d22298b629e53ae55af71

SHA256
7cf6781b4f299100dfdbb62bc6ec050d8f226d6c220bc413295c3796a705be7f

SHA512
0c0d927ba19cbc616f296e3995a22b547e9f54b6030f5c23cd260328a2db0b593184a16d108290573a955a89b61b4e3d3d0f9de6b81918a3646e7d4c6bcbd117

Download Submit
C:\Windows\System32\FktBKNG.exe

Filesize
1.4MB

MD5
9d7db7407015b6657957c36f10756ba2

SHA1
eac82ea8bf7e3268774210bc2a09a5c67fec3f78

SHA256
8088c78e4fb942e6ef26976962f0fda84edad2ed55207aeb77d75b483258aa54

SHA512
421363429a9d88204ac0eaf750dc3cab042327948ff4bfb43bdc78803c5865fed368e3608a01cf2a9515236d4e8cee1e14c255830f5afed70d53b64ea5152e46

Download Submit
C:\Windows\System32\HgdKlye.exe

Filesize
1.4MB

MD5
747ef5a36e1b9ab9b733799200f33343

SHA1
662a2edbff12ee0fb27baad213adba183b43eb9f

SHA256
63fe519502d808da1d79d91b27d98e141cb9af98938302c7139efec95e0efdaa

SHA512
4601a8218ddb57aabdede2b2a72b22db6fc736531ee9e5b8af545e6589d84591ef1bac8b6384a2a57386021b695edc6561af66487f9cba451f5b7032a7dd0309

Download Submit
C:\Windows\System32\JLpuakI.exe

Filesize
1.4MB

MD5
40fdf4def9c61bca4fe29bee26bd2d4c

SHA1
5a639642dae0dbd3be8f47d8752ed1254863a976

SHA256
765b984d8d71a3fbc14db1564950e9f3d3df42282ea08fbdd75260694b0118f6

SHA512
9c4db3e53380dee16cc0a0fa6ad7d60c5fd9b2399893a22d036f0098b614426a4000072704d3ec99a4a751fe9975970abca1709c2d166c486e1143108b6336ef

Download Submit
C:\Windows\System32\JdfTUqa.exe

Filesize
1.4MB

MD5
a8a8650d936ae64c5897d7959442429e

SHA1
4c4dd4aa80be96615b409098080d9bf2471a489d

SHA256
f0cb93f36effc6a860ba81f03cffa6e94870bb4c697490f768d0a13d8dac768a

SHA512
fe8dff412145b9f09b33de6520acdc62fc2b966985bbc398a76078d57e71ad7df21971080efb1a080e6cfa417530a24794a1ca16c4f2a936d00bf956465a0054

Download Submit
C:\Windows\System32\ROCwrdo.exe

Filesize
1.4MB

MD5
d00ba72cce511130aa5242c8c8614468

SHA1
7d998a1e390596667958257d4433bbe8aa67d34d

SHA256
92726d79c15c048db30814154ab0bc1c7365e17ec0b53412b6e2eac4d2917fd1

SHA512
6da72282b493d7cf4b472dc0168d6a0baaa4c29566b05c213c4ccfdd00c7a056249d1db2d115b78a446ae583e5f61d58aa2377984ba777790e26248f34b7351e

Download Submit
C:\Windows\System32\RTytJWP.exe

Filesize
1.4MB

MD5
597d237be80670423cd0a54792fd70e8

SHA1
ccbc47a96c4e6ae7f5abb221b973f5145a6764af

SHA256
f0bcc6c7cd076e127608152b02ba8a0012f9b5cc2cd283441e1c472e0e1e3bc6

SHA512
817f0950785eeac9f34e1f9e8d449829335869992fa52b8a1697309013902c90052340dacf0ba208a5d26408f77a95df546833846cdfca600d1b14fb8ffd9a39

Download Submit
C:\Windows\System32\TuyTAoy.exe

Filesize
1.4MB

MD5
777f6c628c209d385b764944a76b304c

SHA1
75acc161eb24e4750806c23380ecde42cd54430a

SHA256
3acb8a0266c179ef3498de10c9854fedec0bacb63b207df07e3025f4c9122be3

SHA512
ba59574f214b5b4a96aa02c224c2a10245a7aac6773e08b8d31cf32629b794a0602322d13e6f51a4ed201dd797dd52da72139e37fcf2041fba986822edbff5fd

Download Submit
C:\Windows\System32\WMpkPax.exe

Filesize
1.4MB

MD5
82726f3ea3d562b1f11f2714a26caece

SHA1
4aea70583b644f8d46e10a67e7d74b7805dfe22b

SHA256
6d47e5ea7da3e72c09c8cdf0ce49850b7ee5405f006ac00408a73125d8228e9a

SHA512
52c82bc2c244bc20360f2467726f795e6402fd942d4e4fcd9760758731f9645ab24824d9d4951ce107f1839e73a1c3508266d95cdf2a34762fb4fcfc2027463c

Download Submit
C:\Windows\System32\WaYPZke.exe

Filesize
1.4MB

MD5
bc9ee7a7fd3864c4e125715b24302bc9

SHA1
7e852b608c01d65f21224b7c1fdb449697cc55c8

SHA256
7118c0e764edebd7a7f51cb112ff0c4d3785b832a3cd3e2b7b8d20a2e82a21e8

SHA512
35fa7ad8befed925f33671c1b799296ef8bb5345c9311d27d4180429e03399e1a20c1b626eb7e4f5ebf45a922d2c9284dce8b2f120fb16e394b93526c2cbb82c

Download Submit
C:\Windows\System32\YrMdnFa.exe

Filesize
1.4MB

MD5
8e1de2b140c54247f8c504d7689b2b13

SHA1
66571f79858f0e422e583343023045e0ac5937b5

SHA256
baac455c389aa23b655e11b39214b6ef49422e023548049fa7a224970e310c66

SHA512
9aff78d15dc6abd46dd95da6385b01b4b1ba464707054d4ca9900bd995911a9959a0a6baddebce2b864fe3cbc8e70756c881596257420c5cf4721474b9a1972c

Download Submit
C:\Windows\System32\cenxCYT.exe

Filesize
1.4MB

MD5
950dcb4cc8e0b1f34c6bda42c9328f74

SHA1
c2027a7848a4ae312c6d07007283e5f1af436015

SHA256
6f41200e37659a3cc29251cb8b4ade7e6470fbafa9bca03c46935dc1373803a9

SHA512
a75ac4ebdd85f847460b39d754e7c7706cbee2180864ce8cdeeadb0ba276fc0b4c00f95371e0dd6e14e2f3823745e7aa352c2b58763743434d163e7454ab7d94

Download Submit
C:\Windows\System32\cwukSWd.exe

Filesize
1.4MB

MD5
fd6bf1301f22dec8204b007a096c1dd2

SHA1
c06c96c7ec965ea4de33bd00836f4aa37cd9e9c7

SHA256
11bed160c08ff335e959d67f9881f8282ff327295d24ecd364c1936da24f3e70

SHA512
4ab15e8f1314b65e617c7bdc25b4fd1b4dffa7e1dcc09a9b11d3fe2726633e62815e7ca7e9c7c0a3ec8a216864bba57d3ee7fe3ea2293aa2ac4bbf1c5823c3f3

Download Submit
C:\Windows\System32\euXtfgm.exe

Filesize
1.4MB

MD5
ae4da1d90baeb16a8c5a660a3aeb7f40

SHA1
f6507481fa5c49df339ec27425ae34a2a1eef3bb

SHA256
d1ce051623082bf6391deb0777e16b0dd5db0267d3276186a27821bebd041a8a

SHA512
54d0a8d4981b2b12883364d513349c5e8d8cf867ed4d18b1ac9c0ebcecbc3b9fd4b24c64600da13389c96507d9efa9a0d434d765073d240d1fa83945f11cb09a

Download Submit
C:\Windows\System32\fAIpYao.exe

Filesize
1.4MB

MD5
9b39c230dfb1148c1d2617b79e977ddd

SHA1
d17af767e29c2c0096f6ae06bf638ad4d0c88e6e

SHA256
5bad07c89ca45d45d940ee8e74d820db565253c135200724b578281f9277e872

SHA512
37919fc6e72a9024cc2f6ea5733f56c79d4902272782132b260880ea606912e240ae363a7be376c29dae58430fa4c317760291e9d5d1f1906dc88d3ddd6a4930

Download Submit
C:\Windows\System32\gyrsAfC.exe

Filesize
1.4MB

MD5
3738983ca4cab97fe6fbd3876754eb48

SHA1
7c958a56df29ae61a68f77c6f72b80a1173a9a10

SHA256
60bbd9b871dd18e0fc56fde6c7e065a832d2749ff47dc7f244e82ea9a3a6f6ff

SHA512
7899fec25fb2135d9162ade68fa0664fee3414aa5f049fa15a666c5b2d4f83cc354e96b19d0dad58e3b514baa46852f806504283631e82ce5e4efbb7032ce6a5

Download Submit
C:\Windows\System32\joXsHEq.exe

Filesize
1.4MB

MD5
00fd0a6fda2e988625bc1b09df78892d

SHA1
757a43415fec787d6c1190d0fac7c07cc1ce0617

SHA256
9115e8e2f1b45c7b955b9d8b41a40d9d9e69acb46dc3fd09773282ce62b13959

SHA512
20d500830c9486e6f351d26f80f79c915b4b413306c39c5c0fea5dfce00ce782ddc16e1aef119494b2c9c5f9565925a6ee030545e3f4d8f88d540e4725148247

Download Submit
C:\Windows\System32\nCwKVee.exe

Filesize
1.4MB

MD5
b45b16d4fd942bdd7b082142808bbdb7

SHA1
f70030fa846057a674a8877446915d41b7410d5e

SHA256
b1bdaacfbf1b8d3e2f34af5883d3aaf8f6546ca9258ec40220811618a907dd52

SHA512
337fc06dfcbc917ead54ef7d6353d1622884986da473f5007927c7497cad58dbc577f2d0f685af698ec509e590f287e0a91a2afdfb8cd60264e8f0a9ce9c18f8

Download Submit
C:\Windows\System32\orXgetM.exe

Filesize
1.4MB

MD5
857e0d1ae1ce2b2119ad6ffaa44f2abf

SHA1
b905b6badaf0d61e2e998f2dd293aa1f7a31969a

SHA256
885d9f3dd9ae8c4a7b8054f0599552fd119c6083cad63bed39dd63148d0976fa

SHA512
3f0bca9e1a47fd8aaf576902becae246182bb6002fe798465c2c77703aa5ca87854308751ab0ea277257ae75e532665f73cd9e38db59f7de87a33d5478c522bf

Download Submit
C:\Windows\System32\qFcPSbx.exe

Filesize
1.4MB

MD5
8b7b20d01287077aa5be021cc0b82a60

SHA1
cf244fbf9073f99a3a6670718ab1cbdd2b7e67dc

SHA256
f73cb558373e108cdca838f35aca589d3f3d4b54b0f372b68ad38597c8af9032

SHA512
fbb8fb3ab44afbc9e0fa730643d8d195b269b00cce7fdfb7a9c2ae32144a456ff627b2be08bf1a4366e0839e1852603a12b6515a0e24d848e9ad29c16374d9d0

Download Submit
C:\Windows\System32\rPTGxXd.exe

Filesize
1.4MB

MD5
5427499ec53e8308c72c3502934651d4

SHA1
55a0ce4fdf006d2cf2e6b03d560a33426bc0c11b

SHA256
19ac5b82e79693d81f1a0a6375cc373fcb757cd85b88c67d7096dce00b021aef

SHA512
b665fde2e417baaaacc62feb5b5b2d543a3831b22694c909e09172304c8079abd912fa5c1f36e34a0502e3b3c19623e6c6b6a4d34d5d14064dc158be72d902f3

Download Submit
C:\Windows\System32\rZiPsNE.exe

Filesize
1.4MB

MD5
1a672a59e61e762a539fcd23fd6844c5

SHA1
faf52ef7f8e33f4f3a791a4239896a6212705a0d

SHA256
82463dc18a367fbc599325c635dca8f7dbff093bff54bc265f1da8cada2b5386

SHA512
9606f61ea53314ab439549619fe6455b1ff3bf6132ec42cff75f19d85a3183cda0d51f2fd6272068d4d28360a184ce8202674f968c677ad1c03168c45f0bc361

Download Submit
C:\Windows\System32\rhCFBpg.exe

Filesize
1.4MB

MD5
f096a374ffd42dc2f7767606c04c1d34

SHA1
8a48825d36e386f9788de060e84e28a6ce5536b3

SHA256
ad4c0c946fd10d90e7bdcd0c60103e3f39f209dde64357b782d43876b6120504

SHA512
7a92407f2a9980a4ecd5ab58dbffc508760a06859175b3153dfee1173800a84b6f20edd9454304a9db87c97500219b71e13a48573a31600461ab14873b123cb4

Download Submit
C:\Windows\System32\sOuzOgK.exe

Filesize
1.4MB

MD5
59e348e93eb2ae065e1e6047678edf01

SHA1
edc3db7d1addc3a19bfc26a75af027eb85910926

SHA256
57f5a1f02b79e50bac166b3315abda81d30fd2572e6064cddeb3df7f5734167e

SHA512
0bf0acfd0e907c844424508ebbac681286162d7aa6e5fa4de10fbb018ae9c51b795005ef2faa960cc9e7e66b82dd8a1eeda8fb87906d0c2a0504b58125457292

Download Submit
C:\Windows\System32\sPRweLZ.exe

Filesize
1.4MB

MD5
ce721c69b4374b6a694f597689fb69b9

SHA1
7f42e28624f0a67f54e2dc0b1daf839e940fce43

SHA256
19f445cee8b8eec3dc8de664d8c7ee5d4b838e27b6c0158c09c82ea2cf57fc9f

SHA512
2087b67b527213b02aadeb9ba4c2ad9cc3d5587ea4628ee88e63833fddcde6526fef05430028b0bad5058cd6f7e9c04d9814d577c225b4b7705be20fc83c70b1

Download Submit
C:\Windows\System32\sUCtHPY.exe

Filesize
1.4MB

MD5
1552d6d661ef91602573608523a8b006

SHA1
1a95da4ab0328ebff8f43d12f6ccb76ef84970dd

SHA256
d76eb39924b3b064b6d8682fff4b6b8d1df0077dae0a95ff6019c688bec2a5ae

SHA512
9ece640fea38a75c54151c32befd7ce34a2a3fdf0085603c1a3352c3827b995209b219dae07127cc87cede7d862d24fcae0cf1c9927c6980e53a0c961e507b93

Download Submit
C:\Windows\System32\spmRxEO.exe

Filesize
1.4MB

MD5
121a825c63ce95ef62f764fbe04b5cae

SHA1
19073e07962154d643397d5e65a06c0e6e0871b7

SHA256
d8676692e0fb0c005201a71028fb3584828308d6366d102adeee5ca496c529fb

SHA512
2b05fe4be882596e0918709975c1de2ba07bd1766aebc0e4582a61bbde52990806ad3eab4a4213c2434bf515efa85d0093b59180acabe681a9528d3eba3da3bd

Download Submit
C:\Windows\System32\ucmIMxZ.exe

Filesize
1.4MB

MD5
0a02a2d3e3dd88cd3740cb234be2101f

SHA1
6740a030db5fb5985f9a817220bff34148074303

SHA256
330869ff8e376840c0cce957990d628677452fcfdb0645c6b7da5f33ca7647f9

SHA512
fd558e2194a2e50ec24236052155ac3eed2cbbe070b2fff8ce7d8211ac6d01e2dc7f3c483de764ef1a421a1ba97e2211d1430b9f8aad5a995588ee20802ad7bf

Download Submit
memory/516-93-0x00007FF761610000-0x00007FF761A01000-memory.dmp

Filesize
3.9MB

Download
memory/516-2084-0x00007FF761610000-0x00007FF761A01000-memory.dmp

Filesize
3.9MB

Download
memory/640-84-0x00007FF70DDD0000-0x00007FF70E1C1000-memory.dmp

Filesize
3.9MB

Download
memory/640-2088-0x00007FF70DDD0000-0x00007FF70E1C1000-memory.dmp

Filesize
3.9MB

Download
memory/1436-2109-0x00007FF7026D0000-0x00007FF702AC1000-memory.dmp

Filesize
3.9MB

Download
memory/1436-407-0x00007FF7026D0000-0x00007FF702AC1000-memory.dmp

Filesize
3.9MB

Download
memory/2056-2062-0x00007FF67FD00000-0x00007FF6800F1000-memory.dmp

Filesize
3.9MB

Download
memory/2056-45-0x00007FF67FD00000-0x00007FF6800F1000-memory.dmp

Filesize
3.9MB

Download
memory/2364-2004-0x00007FF7BD890000-0x00007FF7BDC81000-memory.dmp

Filesize
3.9MB

Download
memory/2364-2072-0x00007FF7BD890000-0x00007FF7BDC81000-memory.dmp

Filesize
3.9MB

Download
memory/2364-60-0x00007FF7BD890000-0x00007FF7BDC81000-memory.dmp

Filesize
3.9MB

Download
memory/2624-2040-0x00007FF789D40000-0x00007FF78A131000-memory.dmp

Filesize
3.9MB

Download
memory/2624-0-0x00007FF789D40000-0x00007FF78A131000-memory.dmp

Filesize
3.9MB

Download
memory/2624-945-0x00007FF789D40000-0x00007FF78A131000-memory.dmp

Filesize
3.9MB

Download
memory/2624-1-0x000001F98A070000-0x000001F98A080000-memory.dmp

Filesize
64KB

Download
memory/2668-402-0x00007FF714D20000-0x00007FF715111000-memory.dmp

Filesize
3.9MB

Download
memory/2668-2099-0x00007FF714D20000-0x00007FF715111000-memory.dmp

Filesize
3.9MB

Download
memory/2764-2074-0x00007FF71CD80000-0x00007FF71D171000-memory.dmp

Filesize
3.9MB

Download
memory/2764-78-0x00007FF71CD80000-0x00007FF71D171000-memory.dmp

Filesize
3.9MB

Download
memory/2812-395-0x00007FF64C120000-0x00007FF64C511000-memory.dmp

Filesize
3.9MB

Download
memory/2812-2090-0x00007FF64C120000-0x00007FF64C511000-memory.dmp

Filesize
3.9MB

Download
memory/3216-96-0x00007FF6CB5E0000-0x00007FF6CB9D1000-memory.dmp

Filesize
3.9MB

Download
memory/3216-2078-0x00007FF6CB5E0000-0x00007FF6CB9D1000-memory.dmp

Filesize
3.9MB

Download
memory/3216-2038-0x00007FF6CB5E0000-0x00007FF6CB9D1000-memory.dmp

Filesize
3.9MB

Download
memory/3224-2095-0x00007FF769010000-0x00007FF769401000-memory.dmp

Filesize
3.9MB

Download
memory/3224-396-0x00007FF769010000-0x00007FF769401000-memory.dmp

Filesize
3.9MB

Download
memory/3336-8-0x00007FF742440000-0x00007FF742831000-memory.dmp

Filesize
3.9MB

Download
memory/3336-2045-0x00007FF742440000-0x00007FF742831000-memory.dmp

Filesize
3.9MB

Download
memory/3344-31-0x00007FF68E2C0000-0x00007FF68E6B1000-memory.dmp

Filesize
3.9MB

Download
memory/3344-2066-0x00007FF68E2C0000-0x00007FF68E6B1000-memory.dmp

Filesize
3.9MB

Download
memory/3344-2003-0x00007FF68E2C0000-0x00007FF68E6B1000-memory.dmp

Filesize
3.9MB

Download
memory/3436-64-0x00007FF74FA10000-0x00007FF74FE01000-memory.dmp

Filesize
3.9MB

Download
memory/3436-2070-0x00007FF74FA10000-0x00007FF74FE01000-memory.dmp

Filesize
3.9MB

Download
memory/3616-62-0x00007FF680D30000-0x00007FF681121000-memory.dmp

Filesize
3.9MB

Download
memory/3616-2076-0x00007FF680D30000-0x00007FF681121000-memory.dmp

Filesize
3.9MB

Download
memory/3804-2100-0x00007FF77EF30000-0x00007FF77F321000-memory.dmp

Filesize
3.9MB

Download
memory/3804-399-0x00007FF77EF30000-0x00007FF77F321000-memory.dmp

Filesize
3.9MB

Download
memory/3824-85-0x00007FF624D00000-0x00007FF6250F1000-memory.dmp

Filesize
3.9MB

Download
memory/3824-2082-0x00007FF624D00000-0x00007FF6250F1000-memory.dmp

Filesize
3.9MB

Download
memory/3840-14-0x00007FF6B63A0000-0x00007FF6B6791000-memory.dmp

Filesize
3.9MB

Download
memory/3840-2047-0x00007FF6B63A0000-0x00007FF6B6791000-memory.dmp

Filesize
3.9MB

Download
memory/4380-2086-0x00007FF730930000-0x00007FF730D21000-memory.dmp

Filesize
3.9MB

Download
memory/4380-91-0x00007FF730930000-0x00007FF730D21000-memory.dmp

Filesize
3.9MB

Download
memory/4400-397-0x00007FF657F80000-0x00007FF658371000-memory.dmp

Filesize
3.9MB

Download
memory/4400-2094-0x00007FF657F80000-0x00007FF658371000-memory.dmp

Filesize
3.9MB

Download
memory/4432-398-0x00007FF616400000-0x00007FF6167F1000-memory.dmp

Filesize
3.9MB

Download
memory/4432-2097-0x00007FF616400000-0x00007FF6167F1000-memory.dmp

Filesize
3.9MB

Download
memory/4468-29-0x00007FF623D20000-0x00007FF624111000-memory.dmp

Filesize
3.9MB

Download
memory/4468-2064-0x00007FF623D20000-0x00007FF624111000-memory.dmp

Filesize
3.9MB

Download
memory/4660-69-0x00007FF74A930000-0x00007FF74AD21000-memory.dmp

Filesize
3.9MB

Download
memory/4660-2068-0x00007FF74A930000-0x00007FF74AD21000-memory.dmp

Filesize
3.9MB

Download
memory/4676-2013-0x00007FF672F20000-0x00007FF673311000-memory.dmp

Filesize
3.9MB

Download
memory/4676-2080-0x00007FF672F20000-0x00007FF673311000-memory.dmp

Filesize
3.9MB

Download
memory/4676-88-0x00007FF672F20000-0x00007FF673311000-memory.dmp

Filesize
3.9MB

Download
memory/5052-2102-0x00007FF680330000-0x00007FF680721000-memory.dmp

Filesize
3.9MB

Download
memory/5052-400-0x00007FF680330000-0x00007FF680721000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads